1 /* SPDX-License-Identifier: GPL-2.0 */ 2 #ifndef _NET_XFRM_H 3 #define _NET_XFRM_H 4 5 #include <linux/compiler.h> 6 #include <linux/xfrm.h> 7 #include <linux/spinlock.h> 8 #include <linux/list.h> 9 #include <linux/skbuff.h> 10 #include <linux/socket.h> 11 #include <linux/pfkeyv2.h> 12 #include <linux/ipsec.h> 13 #include <linux/in6.h> 14 #include <linux/mutex.h> 15 #include <linux/audit.h> 16 #include <linux/slab.h> 17 #include <linux/refcount.h> 18 #include <linux/sockptr.h> 19 20 #include <net/sock.h> 21 #include <net/dst.h> 22 #include <net/ip.h> 23 #include <net/route.h> 24 #include <net/ipv6.h> 25 #include <net/ip6_fib.h> 26 #include <net/flow.h> 27 #include <net/gro_cells.h> 28 29 #include <linux/interrupt.h> 30 31 #ifdef CONFIG_XFRM_STATISTICS 32 #include <net/snmp.h> 33 #endif 34 35 #define XFRM_PROTO_ESP 50 36 #define XFRM_PROTO_AH 51 37 #define XFRM_PROTO_COMP 108 38 #define XFRM_PROTO_IPIP 4 39 #define XFRM_PROTO_IPV6 41 40 #define XFRM_PROTO_ROUTING IPPROTO_ROUTING 41 #define XFRM_PROTO_DSTOPTS IPPROTO_DSTOPTS 42 43 #define XFRM_ALIGN4(len) (((len) + 3) & ~3) 44 #define XFRM_ALIGN8(len) (((len) + 7) & ~7) 45 #define MODULE_ALIAS_XFRM_MODE(family, encap) \ 46 MODULE_ALIAS("xfrm-mode-" __stringify(family) "-" __stringify(encap)) 47 #define MODULE_ALIAS_XFRM_TYPE(family, proto) \ 48 MODULE_ALIAS("xfrm-type-" __stringify(family) "-" __stringify(proto)) 49 #define MODULE_ALIAS_XFRM_OFFLOAD_TYPE(family, proto) \ 50 MODULE_ALIAS("xfrm-offload-" __stringify(family) "-" __stringify(proto)) 51 52 #ifdef CONFIG_XFRM_STATISTICS 53 #define XFRM_INC_STATS(net, field) SNMP_INC_STATS((net)->mib.xfrm_statistics, field) 54 #else 55 #define XFRM_INC_STATS(net, field) ((void)(net)) 56 #endif 57 58 59 /* Organization of SPD aka "XFRM rules" 60 ------------------------------------ 61 62 Basic objects: 63 - policy rule, struct xfrm_policy (=SPD entry) 64 - bundle of transformations, struct dst_entry == struct xfrm_dst (=SA bundle) 65 - instance of a transformer, struct xfrm_state (=SA) 66 - template to clone xfrm_state, struct xfrm_tmpl 67 68 SPD is plain linear list of xfrm_policy rules, ordered by priority. 69 (To be compatible with existing pfkeyv2 implementations, 70 many rules with priority of 0x7fffffff are allowed to exist and 71 such rules are ordered in an unpredictable way, thanks to bsd folks.) 72 73 Lookup is plain linear search until the first match with selector. 74 75 If "action" is "block", then we prohibit the flow, otherwise: 76 if "xfrms_nr" is zero, the flow passes untransformed. Otherwise, 77 policy entry has list of up to XFRM_MAX_DEPTH transformations, 78 described by templates xfrm_tmpl. Each template is resolved 79 to a complete xfrm_state (see below) and we pack bundle of transformations 80 to a dst_entry returned to requestor. 81 82 dst -. xfrm .-> xfrm_state #1 83 |---. child .-> dst -. xfrm .-> xfrm_state #2 84 |---. child .-> dst -. xfrm .-> xfrm_state #3 85 |---. child .-> NULL 86 87 Bundles are cached at xrfm_policy struct (field ->bundles). 88 89 90 Resolution of xrfm_tmpl 91 ----------------------- 92 Template contains: 93 1. ->mode Mode: transport or tunnel 94 2. ->id.proto Protocol: AH/ESP/IPCOMP 95 3. ->id.daddr Remote tunnel endpoint, ignored for transport mode. 96 Q: allow to resolve security gateway? 97 4. ->id.spi If not zero, static SPI. 98 5. ->saddr Local tunnel endpoint, ignored for transport mode. 99 6. ->algos List of allowed algos. Plain bitmask now. 100 Q: ealgos, aalgos, calgos. What a mess... 101 7. ->share Sharing mode. 102 Q: how to implement private sharing mode? To add struct sock* to 103 flow id? 104 105 Having this template we search through SAD searching for entries 106 with appropriate mode/proto/algo, permitted by selector. 107 If no appropriate entry found, it is requested from key manager. 108 109 PROBLEMS: 110 Q: How to find all the bundles referring to a physical path for 111 PMTU discovery? Seems, dst should contain list of all parents... 112 and enter to infinite locking hierarchy disaster. 113 No! It is easier, we will not search for them, let them find us. 114 We add genid to each dst plus pointer to genid of raw IP route, 115 pmtu disc will update pmtu on raw IP route and increase its genid. 116 dst_check() will see this for top level and trigger resyncing 117 metrics. Plus, it will be made via sk->sk_dst_cache. Solved. 118 */ 119 120 struct xfrm_state_walk { 121 struct list_head all; 122 u8 state; 123 u8 dying; 124 u8 proto; 125 u32 seq; 126 struct xfrm_address_filter *filter; 127 }; 128 129 enum { 130 XFRM_DEV_OFFLOAD_IN = 1, 131 XFRM_DEV_OFFLOAD_OUT, 132 XFRM_DEV_OFFLOAD_FWD, 133 }; 134 135 enum { 136 XFRM_DEV_OFFLOAD_UNSPECIFIED, 137 XFRM_DEV_OFFLOAD_CRYPTO, 138 XFRM_DEV_OFFLOAD_PACKET, 139 }; 140 141 enum { 142 XFRM_DEV_OFFLOAD_FLAG_ACQ = 1, 143 }; 144 145 struct xfrm_dev_offload { 146 struct net_device *dev; 147 netdevice_tracker dev_tracker; 148 struct net_device *real_dev; 149 unsigned long offload_handle; 150 u8 dir : 2; 151 u8 type : 2; 152 u8 flags : 2; 153 }; 154 155 struct xfrm_mode { 156 u8 encap; 157 u8 family; 158 u8 flags; 159 }; 160 161 /* Flags for xfrm_mode. */ 162 enum { 163 XFRM_MODE_FLAG_TUNNEL = 1, 164 }; 165 166 enum xfrm_replay_mode { 167 XFRM_REPLAY_MODE_LEGACY, 168 XFRM_REPLAY_MODE_BMP, 169 XFRM_REPLAY_MODE_ESN, 170 }; 171 172 /* Full description of state of transformer. */ 173 struct xfrm_state { 174 possible_net_t xs_net; 175 union { 176 struct hlist_node gclist; 177 struct hlist_node bydst; 178 }; 179 union { 180 struct hlist_node dev_gclist; 181 struct hlist_node bysrc; 182 }; 183 struct hlist_node byspi; 184 struct hlist_node byseq; 185 186 refcount_t refcnt; 187 spinlock_t lock; 188 189 struct xfrm_id id; 190 struct xfrm_selector sel; 191 struct xfrm_mark mark; 192 u32 if_id; 193 u32 tfcpad; 194 195 u32 genid; 196 197 /* Key manager bits */ 198 struct xfrm_state_walk km; 199 200 /* Parameters of this state. */ 201 struct { 202 u32 reqid; 203 u8 mode; 204 u8 replay_window; 205 u8 aalgo, ealgo, calgo; 206 u8 flags; 207 u16 family; 208 xfrm_address_t saddr; 209 int header_len; 210 int trailer_len; 211 u32 extra_flags; 212 struct xfrm_mark smark; 213 } props; 214 215 struct xfrm_lifetime_cfg lft; 216 217 /* Data for transformer */ 218 struct xfrm_algo_auth *aalg; 219 struct xfrm_algo *ealg; 220 struct xfrm_algo *calg; 221 struct xfrm_algo_aead *aead; 222 const char *geniv; 223 224 /* mapping change rate limiting */ 225 __be16 new_mapping_sport; 226 u32 new_mapping; /* seconds */ 227 u32 mapping_maxage; /* seconds for input SA */ 228 229 /* Data for encapsulator */ 230 struct xfrm_encap_tmpl *encap; 231 struct sock __rcu *encap_sk; 232 233 /* Data for care-of address */ 234 xfrm_address_t *coaddr; 235 236 /* IPComp needs an IPIP tunnel for handling uncompressed packets */ 237 struct xfrm_state *tunnel; 238 239 /* If a tunnel, number of users + 1 */ 240 atomic_t tunnel_users; 241 242 /* State for replay detection */ 243 struct xfrm_replay_state replay; 244 struct xfrm_replay_state_esn *replay_esn; 245 246 /* Replay detection state at the time we sent the last notification */ 247 struct xfrm_replay_state preplay; 248 struct xfrm_replay_state_esn *preplay_esn; 249 250 /* replay detection mode */ 251 enum xfrm_replay_mode repl_mode; 252 /* internal flag that only holds state for delayed aevent at the 253 * moment 254 */ 255 u32 xflags; 256 257 /* Replay detection notification settings */ 258 u32 replay_maxage; 259 u32 replay_maxdiff; 260 261 /* Replay detection notification timer */ 262 struct timer_list rtimer; 263 264 /* Statistics */ 265 struct xfrm_stats stats; 266 267 struct xfrm_lifetime_cur curlft; 268 struct hrtimer mtimer; 269 270 struct xfrm_dev_offload xso; 271 272 /* used to fix curlft->add_time when changing date */ 273 long saved_tmo; 274 275 /* Last used time */ 276 time64_t lastused; 277 278 struct page_frag xfrag; 279 280 /* Reference to data common to all the instances of this 281 * transformer. */ 282 const struct xfrm_type *type; 283 struct xfrm_mode inner_mode; 284 struct xfrm_mode inner_mode_iaf; 285 struct xfrm_mode outer_mode; 286 287 const struct xfrm_type_offload *type_offload; 288 289 /* Security context */ 290 struct xfrm_sec_ctx *security; 291 292 /* Private data of this transformer, format is opaque, 293 * interpreted by xfrm_type methods. */ 294 void *data; 295 }; 296 297 static inline struct net *xs_net(struct xfrm_state *x) 298 { 299 return read_pnet(&x->xs_net); 300 } 301 302 /* xflags - make enum if more show up */ 303 #define XFRM_TIME_DEFER 1 304 #define XFRM_SOFT_EXPIRE 2 305 306 enum { 307 XFRM_STATE_VOID, 308 XFRM_STATE_ACQ, 309 XFRM_STATE_VALID, 310 XFRM_STATE_ERROR, 311 XFRM_STATE_EXPIRED, 312 XFRM_STATE_DEAD 313 }; 314 315 /* callback structure passed from either netlink or pfkey */ 316 struct km_event { 317 union { 318 u32 hard; 319 u32 proto; 320 u32 byid; 321 u32 aevent; 322 u32 type; 323 } data; 324 325 u32 seq; 326 u32 portid; 327 u32 event; 328 struct net *net; 329 }; 330 331 struct xfrm_if_decode_session_result { 332 struct net *net; 333 u32 if_id; 334 }; 335 336 struct xfrm_if_cb { 337 bool (*decode_session)(struct sk_buff *skb, 338 unsigned short family, 339 struct xfrm_if_decode_session_result *res); 340 }; 341 342 void xfrm_if_register_cb(const struct xfrm_if_cb *ifcb); 343 void xfrm_if_unregister_cb(void); 344 345 struct xfrm_dst_lookup_params { 346 struct net *net; 347 int tos; 348 int oif; 349 xfrm_address_t *saddr; 350 xfrm_address_t *daddr; 351 u32 mark; 352 __u8 ipproto; 353 union flowi_uli uli; 354 }; 355 356 struct net_device; 357 struct xfrm_type; 358 struct xfrm_dst; 359 struct xfrm_policy_afinfo { 360 struct dst_ops *dst_ops; 361 struct dst_entry *(*dst_lookup)(const struct xfrm_dst_lookup_params *params); 362 int (*get_saddr)(xfrm_address_t *saddr, 363 const struct xfrm_dst_lookup_params *params); 364 int (*fill_dst)(struct xfrm_dst *xdst, 365 struct net_device *dev, 366 const struct flowi *fl); 367 struct dst_entry *(*blackhole_route)(struct net *net, struct dst_entry *orig); 368 }; 369 370 int xfrm_policy_register_afinfo(const struct xfrm_policy_afinfo *afinfo, int family); 371 void xfrm_policy_unregister_afinfo(const struct xfrm_policy_afinfo *afinfo); 372 void km_policy_notify(struct xfrm_policy *xp, int dir, 373 const struct km_event *c); 374 void km_state_notify(struct xfrm_state *x, const struct km_event *c); 375 376 struct xfrm_tmpl; 377 int km_query(struct xfrm_state *x, struct xfrm_tmpl *t, 378 struct xfrm_policy *pol); 379 void km_state_expired(struct xfrm_state *x, int hard, u32 portid); 380 int __xfrm_state_delete(struct xfrm_state *x); 381 382 struct xfrm_state_afinfo { 383 u8 family; 384 u8 proto; 385 386 const struct xfrm_type_offload *type_offload_esp; 387 388 const struct xfrm_type *type_esp; 389 const struct xfrm_type *type_ipip; 390 const struct xfrm_type *type_ipip6; 391 const struct xfrm_type *type_comp; 392 const struct xfrm_type *type_ah; 393 const struct xfrm_type *type_routing; 394 const struct xfrm_type *type_dstopts; 395 396 int (*output)(struct net *net, struct sock *sk, struct sk_buff *skb); 397 int (*transport_finish)(struct sk_buff *skb, 398 int async); 399 void (*local_error)(struct sk_buff *skb, u32 mtu); 400 }; 401 402 int xfrm_state_register_afinfo(struct xfrm_state_afinfo *afinfo); 403 int xfrm_state_unregister_afinfo(struct xfrm_state_afinfo *afinfo); 404 struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned int family); 405 struct xfrm_state_afinfo *xfrm_state_afinfo_get_rcu(unsigned int family); 406 407 struct xfrm_input_afinfo { 408 u8 family; 409 bool is_ipip; 410 int (*callback)(struct sk_buff *skb, u8 protocol, 411 int err); 412 }; 413 414 int xfrm_input_register_afinfo(const struct xfrm_input_afinfo *afinfo); 415 int xfrm_input_unregister_afinfo(const struct xfrm_input_afinfo *afinfo); 416 417 void xfrm_flush_gc(void); 418 void xfrm_state_delete_tunnel(struct xfrm_state *x); 419 420 struct xfrm_type { 421 struct module *owner; 422 u8 proto; 423 u8 flags; 424 #define XFRM_TYPE_NON_FRAGMENT 1 425 #define XFRM_TYPE_REPLAY_PROT 2 426 #define XFRM_TYPE_LOCAL_COADDR 4 427 #define XFRM_TYPE_REMOTE_COADDR 8 428 429 int (*init_state)(struct xfrm_state *x, 430 struct netlink_ext_ack *extack); 431 void (*destructor)(struct xfrm_state *); 432 int (*input)(struct xfrm_state *, struct sk_buff *skb); 433 int (*output)(struct xfrm_state *, struct sk_buff *pskb); 434 int (*reject)(struct xfrm_state *, struct sk_buff *, 435 const struct flowi *); 436 }; 437 438 int xfrm_register_type(const struct xfrm_type *type, unsigned short family); 439 void xfrm_unregister_type(const struct xfrm_type *type, unsigned short family); 440 441 struct xfrm_type_offload { 442 struct module *owner; 443 u8 proto; 444 void (*encap)(struct xfrm_state *, struct sk_buff *pskb); 445 int (*input_tail)(struct xfrm_state *x, struct sk_buff *skb); 446 int (*xmit)(struct xfrm_state *, struct sk_buff *pskb, netdev_features_t features); 447 }; 448 449 int xfrm_register_type_offload(const struct xfrm_type_offload *type, unsigned short family); 450 void xfrm_unregister_type_offload(const struct xfrm_type_offload *type, unsigned short family); 451 452 static inline int xfrm_af2proto(unsigned int family) 453 { 454 switch(family) { 455 case AF_INET: 456 return IPPROTO_IPIP; 457 case AF_INET6: 458 return IPPROTO_IPV6; 459 default: 460 return 0; 461 } 462 } 463 464 static inline const struct xfrm_mode *xfrm_ip2inner_mode(struct xfrm_state *x, int ipproto) 465 { 466 if ((ipproto == IPPROTO_IPIP && x->props.family == AF_INET) || 467 (ipproto == IPPROTO_IPV6 && x->props.family == AF_INET6)) 468 return &x->inner_mode; 469 else 470 return &x->inner_mode_iaf; 471 } 472 473 struct xfrm_tmpl { 474 /* id in template is interpreted as: 475 * daddr - destination of tunnel, may be zero for transport mode. 476 * spi - zero to acquire spi. Not zero if spi is static, then 477 * daddr must be fixed too. 478 * proto - AH/ESP/IPCOMP 479 */ 480 struct xfrm_id id; 481 482 /* Source address of tunnel. Ignored, if it is not a tunnel. */ 483 xfrm_address_t saddr; 484 485 unsigned short encap_family; 486 487 u32 reqid; 488 489 /* Mode: transport, tunnel etc. */ 490 u8 mode; 491 492 /* Sharing mode: unique, this session only, this user only etc. */ 493 u8 share; 494 495 /* May skip this transfomration if no SA is found */ 496 u8 optional; 497 498 /* Skip aalgos/ealgos/calgos checks. */ 499 u8 allalgs; 500 501 /* Bit mask of algos allowed for acquisition */ 502 u32 aalgos; 503 u32 ealgos; 504 u32 calgos; 505 }; 506 507 #define XFRM_MAX_DEPTH 6 508 #define XFRM_MAX_OFFLOAD_DEPTH 1 509 510 struct xfrm_policy_walk_entry { 511 struct list_head all; 512 u8 dead; 513 }; 514 515 struct xfrm_policy_walk { 516 struct xfrm_policy_walk_entry walk; 517 u8 type; 518 u32 seq; 519 }; 520 521 struct xfrm_policy_queue { 522 struct sk_buff_head hold_queue; 523 struct timer_list hold_timer; 524 unsigned long timeout; 525 }; 526 527 struct xfrm_policy { 528 possible_net_t xp_net; 529 struct hlist_node bydst; 530 struct hlist_node byidx; 531 532 /* This lock only affects elements except for entry. */ 533 rwlock_t lock; 534 refcount_t refcnt; 535 u32 pos; 536 struct timer_list timer; 537 538 atomic_t genid; 539 u32 priority; 540 u32 index; 541 u32 if_id; 542 struct xfrm_mark mark; 543 struct xfrm_selector selector; 544 struct xfrm_lifetime_cfg lft; 545 struct xfrm_lifetime_cur curlft; 546 struct xfrm_policy_walk_entry walk; 547 struct xfrm_policy_queue polq; 548 bool bydst_reinsert; 549 u8 type; 550 u8 action; 551 u8 flags; 552 u8 xfrm_nr; 553 u16 family; 554 struct xfrm_sec_ctx *security; 555 struct xfrm_tmpl xfrm_vec[XFRM_MAX_DEPTH]; 556 struct hlist_node bydst_inexact_list; 557 struct rcu_head rcu; 558 559 struct xfrm_dev_offload xdo; 560 }; 561 562 static inline struct net *xp_net(const struct xfrm_policy *xp) 563 { 564 return read_pnet(&xp->xp_net); 565 } 566 567 struct xfrm_kmaddress { 568 xfrm_address_t local; 569 xfrm_address_t remote; 570 u32 reserved; 571 u16 family; 572 }; 573 574 struct xfrm_migrate { 575 xfrm_address_t old_daddr; 576 xfrm_address_t old_saddr; 577 xfrm_address_t new_daddr; 578 xfrm_address_t new_saddr; 579 u8 proto; 580 u8 mode; 581 u16 reserved; 582 u32 reqid; 583 u16 old_family; 584 u16 new_family; 585 }; 586 587 #define XFRM_KM_TIMEOUT 30 588 /* what happened */ 589 #define XFRM_REPLAY_UPDATE XFRM_AE_CR 590 #define XFRM_REPLAY_TIMEOUT XFRM_AE_CE 591 592 /* default aevent timeout in units of 100ms */ 593 #define XFRM_AE_ETIME 10 594 /* Async Event timer multiplier */ 595 #define XFRM_AE_ETH_M 10 596 /* default seq threshold size */ 597 #define XFRM_AE_SEQT_SIZE 2 598 599 struct xfrm_mgr { 600 struct list_head list; 601 int (*notify)(struct xfrm_state *x, const struct km_event *c); 602 int (*acquire)(struct xfrm_state *x, struct xfrm_tmpl *, struct xfrm_policy *xp); 603 struct xfrm_policy *(*compile_policy)(struct sock *sk, int opt, u8 *data, int len, int *dir); 604 int (*new_mapping)(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport); 605 int (*notify_policy)(struct xfrm_policy *x, int dir, const struct km_event *c); 606 int (*report)(struct net *net, u8 proto, struct xfrm_selector *sel, xfrm_address_t *addr); 607 int (*migrate)(const struct xfrm_selector *sel, 608 u8 dir, u8 type, 609 const struct xfrm_migrate *m, 610 int num_bundles, 611 const struct xfrm_kmaddress *k, 612 const struct xfrm_encap_tmpl *encap); 613 bool (*is_alive)(const struct km_event *c); 614 }; 615 616 void xfrm_register_km(struct xfrm_mgr *km); 617 void xfrm_unregister_km(struct xfrm_mgr *km); 618 619 struct xfrm_tunnel_skb_cb { 620 union { 621 struct inet_skb_parm h4; 622 struct inet6_skb_parm h6; 623 } header; 624 625 union { 626 struct ip_tunnel *ip4; 627 struct ip6_tnl *ip6; 628 } tunnel; 629 }; 630 631 #define XFRM_TUNNEL_SKB_CB(__skb) ((struct xfrm_tunnel_skb_cb *)&((__skb)->cb[0])) 632 633 /* 634 * This structure is used for the duration where packets are being 635 * transformed by IPsec. As soon as the packet leaves IPsec the 636 * area beyond the generic IP part may be overwritten. 637 */ 638 struct xfrm_skb_cb { 639 struct xfrm_tunnel_skb_cb header; 640 641 /* Sequence number for replay protection. */ 642 union { 643 struct { 644 __u32 low; 645 __u32 hi; 646 } output; 647 struct { 648 __be32 low; 649 __be32 hi; 650 } input; 651 } seq; 652 }; 653 654 #define XFRM_SKB_CB(__skb) ((struct xfrm_skb_cb *)&((__skb)->cb[0])) 655 656 /* 657 * This structure is used by the afinfo prepare_input/prepare_output functions 658 * to transmit header information to the mode input/output functions. 659 */ 660 struct xfrm_mode_skb_cb { 661 struct xfrm_tunnel_skb_cb header; 662 663 /* Copied from header for IPv4, always set to zero and DF for IPv6. */ 664 __be16 id; 665 __be16 frag_off; 666 667 /* IP header length (excluding options or extension headers). */ 668 u8 ihl; 669 670 /* TOS for IPv4, class for IPv6. */ 671 u8 tos; 672 673 /* TTL for IPv4, hop limitfor IPv6. */ 674 u8 ttl; 675 676 /* Protocol for IPv4, NH for IPv6. */ 677 u8 protocol; 678 679 /* Option length for IPv4, zero for IPv6. */ 680 u8 optlen; 681 682 /* Used by IPv6 only, zero for IPv4. */ 683 u8 flow_lbl[3]; 684 }; 685 686 #define XFRM_MODE_SKB_CB(__skb) ((struct xfrm_mode_skb_cb *)&((__skb)->cb[0])) 687 688 /* 689 * This structure is used by the input processing to locate the SPI and 690 * related information. 691 */ 692 struct xfrm_spi_skb_cb { 693 struct xfrm_tunnel_skb_cb header; 694 695 unsigned int daddroff; 696 unsigned int family; 697 __be32 seq; 698 }; 699 700 #define XFRM_SPI_SKB_CB(__skb) ((struct xfrm_spi_skb_cb *)&((__skb)->cb[0])) 701 702 #ifdef CONFIG_AUDITSYSCALL 703 static inline struct audit_buffer *xfrm_audit_start(const char *op) 704 { 705 struct audit_buffer *audit_buf = NULL; 706 707 if (audit_enabled == AUDIT_OFF) 708 return NULL; 709 audit_buf = audit_log_start(audit_context(), GFP_ATOMIC, 710 AUDIT_MAC_IPSEC_EVENT); 711 if (audit_buf == NULL) 712 return NULL; 713 audit_log_format(audit_buf, "op=%s", op); 714 return audit_buf; 715 } 716 717 static inline void xfrm_audit_helper_usrinfo(bool task_valid, 718 struct audit_buffer *audit_buf) 719 { 720 const unsigned int auid = from_kuid(&init_user_ns, task_valid ? 721 audit_get_loginuid(current) : 722 INVALID_UID); 723 const unsigned int ses = task_valid ? audit_get_sessionid(current) : 724 AUDIT_SID_UNSET; 725 726 audit_log_format(audit_buf, " auid=%u ses=%u", auid, ses); 727 audit_log_task_context(audit_buf); 728 } 729 730 void xfrm_audit_policy_add(struct xfrm_policy *xp, int result, bool task_valid); 731 void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result, 732 bool task_valid); 733 void xfrm_audit_state_add(struct xfrm_state *x, int result, bool task_valid); 734 void xfrm_audit_state_delete(struct xfrm_state *x, int result, bool task_valid); 735 void xfrm_audit_state_replay_overflow(struct xfrm_state *x, 736 struct sk_buff *skb); 737 void xfrm_audit_state_replay(struct xfrm_state *x, struct sk_buff *skb, 738 __be32 net_seq); 739 void xfrm_audit_state_notfound_simple(struct sk_buff *skb, u16 family); 740 void xfrm_audit_state_notfound(struct sk_buff *skb, u16 family, __be32 net_spi, 741 __be32 net_seq); 742 void xfrm_audit_state_icvfail(struct xfrm_state *x, struct sk_buff *skb, 743 u8 proto); 744 #else 745 746 static inline void xfrm_audit_policy_add(struct xfrm_policy *xp, int result, 747 bool task_valid) 748 { 749 } 750 751 static inline void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result, 752 bool task_valid) 753 { 754 } 755 756 static inline void xfrm_audit_state_add(struct xfrm_state *x, int result, 757 bool task_valid) 758 { 759 } 760 761 static inline void xfrm_audit_state_delete(struct xfrm_state *x, int result, 762 bool task_valid) 763 { 764 } 765 766 static inline void xfrm_audit_state_replay_overflow(struct xfrm_state *x, 767 struct sk_buff *skb) 768 { 769 } 770 771 static inline void xfrm_audit_state_replay(struct xfrm_state *x, 772 struct sk_buff *skb, __be32 net_seq) 773 { 774 } 775 776 static inline void xfrm_audit_state_notfound_simple(struct sk_buff *skb, 777 u16 family) 778 { 779 } 780 781 static inline void xfrm_audit_state_notfound(struct sk_buff *skb, u16 family, 782 __be32 net_spi, __be32 net_seq) 783 { 784 } 785 786 static inline void xfrm_audit_state_icvfail(struct xfrm_state *x, 787 struct sk_buff *skb, u8 proto) 788 { 789 } 790 #endif /* CONFIG_AUDITSYSCALL */ 791 792 static inline void xfrm_pol_hold(struct xfrm_policy *policy) 793 { 794 if (likely(policy != NULL)) 795 refcount_inc(&policy->refcnt); 796 } 797 798 void xfrm_policy_destroy(struct xfrm_policy *policy); 799 800 static inline void xfrm_pol_put(struct xfrm_policy *policy) 801 { 802 if (refcount_dec_and_test(&policy->refcnt)) 803 xfrm_policy_destroy(policy); 804 } 805 806 static inline void xfrm_pols_put(struct xfrm_policy **pols, int npols) 807 { 808 int i; 809 for (i = npols - 1; i >= 0; --i) 810 xfrm_pol_put(pols[i]); 811 } 812 813 void __xfrm_state_destroy(struct xfrm_state *, bool); 814 815 static inline void __xfrm_state_put(struct xfrm_state *x) 816 { 817 refcount_dec(&x->refcnt); 818 } 819 820 static inline void xfrm_state_put(struct xfrm_state *x) 821 { 822 if (refcount_dec_and_test(&x->refcnt)) 823 __xfrm_state_destroy(x, false); 824 } 825 826 static inline void xfrm_state_put_sync(struct xfrm_state *x) 827 { 828 if (refcount_dec_and_test(&x->refcnt)) 829 __xfrm_state_destroy(x, true); 830 } 831 832 static inline void xfrm_state_hold(struct xfrm_state *x) 833 { 834 refcount_inc(&x->refcnt); 835 } 836 837 static inline bool addr_match(const void *token1, const void *token2, 838 unsigned int prefixlen) 839 { 840 const __be32 *a1 = token1; 841 const __be32 *a2 = token2; 842 unsigned int pdw; 843 unsigned int pbi; 844 845 pdw = prefixlen >> 5; /* num of whole u32 in prefix */ 846 pbi = prefixlen & 0x1f; /* num of bits in incomplete u32 in prefix */ 847 848 if (pdw) 849 if (memcmp(a1, a2, pdw << 2)) 850 return false; 851 852 if (pbi) { 853 __be32 mask; 854 855 mask = htonl((0xffffffff) << (32 - pbi)); 856 857 if ((a1[pdw] ^ a2[pdw]) & mask) 858 return false; 859 } 860 861 return true; 862 } 863 864 static inline bool addr4_match(__be32 a1, __be32 a2, u8 prefixlen) 865 { 866 /* C99 6.5.7 (3): u32 << 32 is undefined behaviour */ 867 if (sizeof(long) == 4 && prefixlen == 0) 868 return true; 869 return !((a1 ^ a2) & htonl(~0UL << (32 - prefixlen))); 870 } 871 872 static __inline__ 873 __be16 xfrm_flowi_sport(const struct flowi *fl, const union flowi_uli *uli) 874 { 875 __be16 port; 876 switch(fl->flowi_proto) { 877 case IPPROTO_TCP: 878 case IPPROTO_UDP: 879 case IPPROTO_UDPLITE: 880 case IPPROTO_SCTP: 881 port = uli->ports.sport; 882 break; 883 case IPPROTO_ICMP: 884 case IPPROTO_ICMPV6: 885 port = htons(uli->icmpt.type); 886 break; 887 case IPPROTO_MH: 888 port = htons(uli->mht.type); 889 break; 890 case IPPROTO_GRE: 891 port = htons(ntohl(uli->gre_key) >> 16); 892 break; 893 default: 894 port = 0; /*XXX*/ 895 } 896 return port; 897 } 898 899 static __inline__ 900 __be16 xfrm_flowi_dport(const struct flowi *fl, const union flowi_uli *uli) 901 { 902 __be16 port; 903 switch(fl->flowi_proto) { 904 case IPPROTO_TCP: 905 case IPPROTO_UDP: 906 case IPPROTO_UDPLITE: 907 case IPPROTO_SCTP: 908 port = uli->ports.dport; 909 break; 910 case IPPROTO_ICMP: 911 case IPPROTO_ICMPV6: 912 port = htons(uli->icmpt.code); 913 break; 914 case IPPROTO_GRE: 915 port = htons(ntohl(uli->gre_key) & 0xffff); 916 break; 917 default: 918 port = 0; /*XXX*/ 919 } 920 return port; 921 } 922 923 bool xfrm_selector_match(const struct xfrm_selector *sel, 924 const struct flowi *fl, unsigned short family); 925 926 #ifdef CONFIG_SECURITY_NETWORK_XFRM 927 /* If neither has a context --> match 928 * Otherwise, both must have a context and the sids, doi, alg must match 929 */ 930 static inline bool xfrm_sec_ctx_match(struct xfrm_sec_ctx *s1, struct xfrm_sec_ctx *s2) 931 { 932 return ((!s1 && !s2) || 933 (s1 && s2 && 934 (s1->ctx_sid == s2->ctx_sid) && 935 (s1->ctx_doi == s2->ctx_doi) && 936 (s1->ctx_alg == s2->ctx_alg))); 937 } 938 #else 939 static inline bool xfrm_sec_ctx_match(struct xfrm_sec_ctx *s1, struct xfrm_sec_ctx *s2) 940 { 941 return true; 942 } 943 #endif 944 945 /* A struct encoding bundle of transformations to apply to some set of flow. 946 * 947 * xdst->child points to the next element of bundle. 948 * dst->xfrm points to an instanse of transformer. 949 * 950 * Due to unfortunate limitations of current routing cache, which we 951 * have no time to fix, it mirrors struct rtable and bound to the same 952 * routing key, including saddr,daddr. However, we can have many of 953 * bundles differing by session id. All the bundles grow from a parent 954 * policy rule. 955 */ 956 struct xfrm_dst { 957 union { 958 struct dst_entry dst; 959 struct rtable rt; 960 struct rt6_info rt6; 961 } u; 962 struct dst_entry *route; 963 struct dst_entry *child; 964 struct dst_entry *path; 965 struct xfrm_policy *pols[XFRM_POLICY_TYPE_MAX]; 966 int num_pols, num_xfrms; 967 u32 xfrm_genid; 968 u32 policy_genid; 969 u32 route_mtu_cached; 970 u32 child_mtu_cached; 971 u32 route_cookie; 972 u32 path_cookie; 973 }; 974 975 static inline struct dst_entry *xfrm_dst_path(const struct dst_entry *dst) 976 { 977 #ifdef CONFIG_XFRM 978 if (dst->xfrm || (dst->flags & DST_XFRM_QUEUE)) { 979 const struct xfrm_dst *xdst = (const struct xfrm_dst *) dst; 980 981 return xdst->path; 982 } 983 #endif 984 return (struct dst_entry *) dst; 985 } 986 987 static inline struct dst_entry *xfrm_dst_child(const struct dst_entry *dst) 988 { 989 #ifdef CONFIG_XFRM 990 if (dst->xfrm || (dst->flags & DST_XFRM_QUEUE)) { 991 struct xfrm_dst *xdst = (struct xfrm_dst *) dst; 992 return xdst->child; 993 } 994 #endif 995 return NULL; 996 } 997 998 #ifdef CONFIG_XFRM 999 static inline void xfrm_dst_set_child(struct xfrm_dst *xdst, struct dst_entry *child) 1000 { 1001 xdst->child = child; 1002 } 1003 1004 static inline void xfrm_dst_destroy(struct xfrm_dst *xdst) 1005 { 1006 xfrm_pols_put(xdst->pols, xdst->num_pols); 1007 dst_release(xdst->route); 1008 if (likely(xdst->u.dst.xfrm)) 1009 xfrm_state_put(xdst->u.dst.xfrm); 1010 } 1011 #endif 1012 1013 void xfrm_dst_ifdown(struct dst_entry *dst, struct net_device *dev); 1014 1015 struct xfrm_if_parms { 1016 int link; /* ifindex of underlying L2 interface */ 1017 u32 if_id; /* interface identifyer */ 1018 bool collect_md; 1019 }; 1020 1021 struct xfrm_if { 1022 struct xfrm_if __rcu *next; /* next interface in list */ 1023 struct net_device *dev; /* virtual device associated with interface */ 1024 struct net *net; /* netns for packet i/o */ 1025 struct xfrm_if_parms p; /* interface parms */ 1026 1027 struct gro_cells gro_cells; 1028 }; 1029 1030 struct xfrm_offload { 1031 /* Output sequence number for replay protection on offloading. */ 1032 struct { 1033 __u32 low; 1034 __u32 hi; 1035 } seq; 1036 1037 __u32 flags; 1038 #define SA_DELETE_REQ 1 1039 #define CRYPTO_DONE 2 1040 #define CRYPTO_NEXT_DONE 4 1041 #define CRYPTO_FALLBACK 8 1042 #define XFRM_GSO_SEGMENT 16 1043 #define XFRM_GRO 32 1044 /* 64 is free */ 1045 #define XFRM_DEV_RESUME 128 1046 #define XFRM_XMIT 256 1047 1048 __u32 status; 1049 #define CRYPTO_SUCCESS 1 1050 #define CRYPTO_GENERIC_ERROR 2 1051 #define CRYPTO_TRANSPORT_AH_AUTH_FAILED 4 1052 #define CRYPTO_TRANSPORT_ESP_AUTH_FAILED 8 1053 #define CRYPTO_TUNNEL_AH_AUTH_FAILED 16 1054 #define CRYPTO_TUNNEL_ESP_AUTH_FAILED 32 1055 #define CRYPTO_INVALID_PACKET_SYNTAX 64 1056 #define CRYPTO_INVALID_PROTOCOL 128 1057 1058 /* Used to keep whole l2 header for transport mode GRO */ 1059 __u32 orig_mac_len; 1060 1061 __u8 proto; 1062 __u8 inner_ipproto; 1063 }; 1064 1065 struct sec_path { 1066 int len; 1067 int olen; 1068 int verified_cnt; 1069 1070 struct xfrm_state *xvec[XFRM_MAX_DEPTH]; 1071 struct xfrm_offload ovec[XFRM_MAX_OFFLOAD_DEPTH]; 1072 }; 1073 1074 struct sec_path *secpath_set(struct sk_buff *skb); 1075 1076 static inline void 1077 secpath_reset(struct sk_buff *skb) 1078 { 1079 #ifdef CONFIG_XFRM 1080 skb_ext_del(skb, SKB_EXT_SEC_PATH); 1081 #endif 1082 } 1083 1084 static inline int 1085 xfrm_addr_any(const xfrm_address_t *addr, unsigned short family) 1086 { 1087 switch (family) { 1088 case AF_INET: 1089 return addr->a4 == 0; 1090 case AF_INET6: 1091 return ipv6_addr_any(&addr->in6); 1092 } 1093 return 0; 1094 } 1095 1096 static inline int 1097 __xfrm4_state_addr_cmp(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x) 1098 { 1099 return (tmpl->saddr.a4 && 1100 tmpl->saddr.a4 != x->props.saddr.a4); 1101 } 1102 1103 static inline int 1104 __xfrm6_state_addr_cmp(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x) 1105 { 1106 return (!ipv6_addr_any((struct in6_addr*)&tmpl->saddr) && 1107 !ipv6_addr_equal((struct in6_addr *)&tmpl->saddr, (struct in6_addr*)&x->props.saddr)); 1108 } 1109 1110 static inline int 1111 xfrm_state_addr_cmp(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x, unsigned short family) 1112 { 1113 switch (family) { 1114 case AF_INET: 1115 return __xfrm4_state_addr_cmp(tmpl, x); 1116 case AF_INET6: 1117 return __xfrm6_state_addr_cmp(tmpl, x); 1118 } 1119 return !0; 1120 } 1121 1122 #ifdef CONFIG_XFRM 1123 static inline struct xfrm_state *xfrm_input_state(struct sk_buff *skb) 1124 { 1125 struct sec_path *sp = skb_sec_path(skb); 1126 1127 return sp->xvec[sp->len - 1]; 1128 } 1129 #endif 1130 1131 static inline struct xfrm_offload *xfrm_offload(struct sk_buff *skb) 1132 { 1133 #ifdef CONFIG_XFRM 1134 struct sec_path *sp = skb_sec_path(skb); 1135 1136 if (!sp || !sp->olen || sp->len != sp->olen) 1137 return NULL; 1138 1139 return &sp->ovec[sp->olen - 1]; 1140 #else 1141 return NULL; 1142 #endif 1143 } 1144 1145 #ifdef CONFIG_XFRM 1146 int __xfrm_policy_check(struct sock *, int dir, struct sk_buff *skb, 1147 unsigned short family); 1148 1149 static inline bool __xfrm_check_nopolicy(struct net *net, struct sk_buff *skb, 1150 int dir) 1151 { 1152 if (!net->xfrm.policy_count[dir] && !secpath_exists(skb)) 1153 return net->xfrm.policy_default[dir] == XFRM_USERPOLICY_ACCEPT; 1154 1155 return false; 1156 } 1157 1158 static inline bool __xfrm_check_dev_nopolicy(struct sk_buff *skb, 1159 int dir, unsigned short family) 1160 { 1161 if (dir != XFRM_POLICY_OUT && family == AF_INET) { 1162 /* same dst may be used for traffic originating from 1163 * devices with different policy settings. 1164 */ 1165 return IPCB(skb)->flags & IPSKB_NOPOLICY; 1166 } 1167 return skb_dst(skb) && (skb_dst(skb)->flags & DST_NOPOLICY); 1168 } 1169 1170 static inline int __xfrm_policy_check2(struct sock *sk, int dir, 1171 struct sk_buff *skb, 1172 unsigned int family, int reverse) 1173 { 1174 struct net *net = dev_net(skb->dev); 1175 int ndir = dir | (reverse ? XFRM_POLICY_MASK + 1 : 0); 1176 struct xfrm_offload *xo = xfrm_offload(skb); 1177 struct xfrm_state *x; 1178 1179 if (sk && sk->sk_policy[XFRM_POLICY_IN]) 1180 return __xfrm_policy_check(sk, ndir, skb, family); 1181 1182 if (xo) { 1183 x = xfrm_input_state(skb); 1184 if (x->xso.type == XFRM_DEV_OFFLOAD_PACKET) 1185 return (xo->flags & CRYPTO_DONE) && 1186 (xo->status & CRYPTO_SUCCESS); 1187 } 1188 1189 return __xfrm_check_nopolicy(net, skb, dir) || 1190 __xfrm_check_dev_nopolicy(skb, dir, family) || 1191 __xfrm_policy_check(sk, ndir, skb, family); 1192 } 1193 1194 static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family) 1195 { 1196 return __xfrm_policy_check2(sk, dir, skb, family, 0); 1197 } 1198 1199 static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb) 1200 { 1201 return xfrm_policy_check(sk, dir, skb, AF_INET); 1202 } 1203 1204 static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *skb) 1205 { 1206 return xfrm_policy_check(sk, dir, skb, AF_INET6); 1207 } 1208 1209 static inline int xfrm4_policy_check_reverse(struct sock *sk, int dir, 1210 struct sk_buff *skb) 1211 { 1212 return __xfrm_policy_check2(sk, dir, skb, AF_INET, 1); 1213 } 1214 1215 static inline int xfrm6_policy_check_reverse(struct sock *sk, int dir, 1216 struct sk_buff *skb) 1217 { 1218 return __xfrm_policy_check2(sk, dir, skb, AF_INET6, 1); 1219 } 1220 1221 int __xfrm_decode_session(struct sk_buff *skb, struct flowi *fl, 1222 unsigned int family, int reverse); 1223 1224 static inline int xfrm_decode_session(struct sk_buff *skb, struct flowi *fl, 1225 unsigned int family) 1226 { 1227 return __xfrm_decode_session(skb, fl, family, 0); 1228 } 1229 1230 static inline int xfrm_decode_session_reverse(struct sk_buff *skb, 1231 struct flowi *fl, 1232 unsigned int family) 1233 { 1234 return __xfrm_decode_session(skb, fl, family, 1); 1235 } 1236 1237 int __xfrm_route_forward(struct sk_buff *skb, unsigned short family); 1238 1239 static inline int xfrm_route_forward(struct sk_buff *skb, unsigned short family) 1240 { 1241 struct net *net = dev_net(skb->dev); 1242 1243 if (!net->xfrm.policy_count[XFRM_POLICY_OUT] && 1244 net->xfrm.policy_default[XFRM_POLICY_OUT] == XFRM_USERPOLICY_ACCEPT) 1245 return true; 1246 1247 return (skb_dst(skb)->flags & DST_NOXFRM) || 1248 __xfrm_route_forward(skb, family); 1249 } 1250 1251 static inline int xfrm4_route_forward(struct sk_buff *skb) 1252 { 1253 return xfrm_route_forward(skb, AF_INET); 1254 } 1255 1256 static inline int xfrm6_route_forward(struct sk_buff *skb) 1257 { 1258 return xfrm_route_forward(skb, AF_INET6); 1259 } 1260 1261 int __xfrm_sk_clone_policy(struct sock *sk, const struct sock *osk); 1262 1263 static inline int xfrm_sk_clone_policy(struct sock *sk, const struct sock *osk) 1264 { 1265 if (!sk_fullsock(osk)) 1266 return 0; 1267 sk->sk_policy[0] = NULL; 1268 sk->sk_policy[1] = NULL; 1269 if (unlikely(osk->sk_policy[0] || osk->sk_policy[1])) 1270 return __xfrm_sk_clone_policy(sk, osk); 1271 return 0; 1272 } 1273 1274 int xfrm_policy_delete(struct xfrm_policy *pol, int dir); 1275 1276 static inline void xfrm_sk_free_policy(struct sock *sk) 1277 { 1278 struct xfrm_policy *pol; 1279 1280 pol = rcu_dereference_protected(sk->sk_policy[0], 1); 1281 if (unlikely(pol != NULL)) { 1282 xfrm_policy_delete(pol, XFRM_POLICY_MAX); 1283 sk->sk_policy[0] = NULL; 1284 } 1285 pol = rcu_dereference_protected(sk->sk_policy[1], 1); 1286 if (unlikely(pol != NULL)) { 1287 xfrm_policy_delete(pol, XFRM_POLICY_MAX+1); 1288 sk->sk_policy[1] = NULL; 1289 } 1290 } 1291 1292 #else 1293 1294 static inline void xfrm_sk_free_policy(struct sock *sk) {} 1295 static inline int xfrm_sk_clone_policy(struct sock *sk, const struct sock *osk) { return 0; } 1296 static inline int xfrm6_route_forward(struct sk_buff *skb) { return 1; } 1297 static inline int xfrm4_route_forward(struct sk_buff *skb) { return 1; } 1298 static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *skb) 1299 { 1300 return 1; 1301 } 1302 static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb) 1303 { 1304 return 1; 1305 } 1306 static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family) 1307 { 1308 return 1; 1309 } 1310 static inline int xfrm_decode_session_reverse(struct sk_buff *skb, 1311 struct flowi *fl, 1312 unsigned int family) 1313 { 1314 return -ENOSYS; 1315 } 1316 static inline int xfrm4_policy_check_reverse(struct sock *sk, int dir, 1317 struct sk_buff *skb) 1318 { 1319 return 1; 1320 } 1321 static inline int xfrm6_policy_check_reverse(struct sock *sk, int dir, 1322 struct sk_buff *skb) 1323 { 1324 return 1; 1325 } 1326 #endif 1327 1328 static __inline__ 1329 xfrm_address_t *xfrm_flowi_daddr(const struct flowi *fl, unsigned short family) 1330 { 1331 switch (family){ 1332 case AF_INET: 1333 return (xfrm_address_t *)&fl->u.ip4.daddr; 1334 case AF_INET6: 1335 return (xfrm_address_t *)&fl->u.ip6.daddr; 1336 } 1337 return NULL; 1338 } 1339 1340 static __inline__ 1341 xfrm_address_t *xfrm_flowi_saddr(const struct flowi *fl, unsigned short family) 1342 { 1343 switch (family){ 1344 case AF_INET: 1345 return (xfrm_address_t *)&fl->u.ip4.saddr; 1346 case AF_INET6: 1347 return (xfrm_address_t *)&fl->u.ip6.saddr; 1348 } 1349 return NULL; 1350 } 1351 1352 static __inline__ 1353 void xfrm_flowi_addr_get(const struct flowi *fl, 1354 xfrm_address_t *saddr, xfrm_address_t *daddr, 1355 unsigned short family) 1356 { 1357 switch(family) { 1358 case AF_INET: 1359 memcpy(&saddr->a4, &fl->u.ip4.saddr, sizeof(saddr->a4)); 1360 memcpy(&daddr->a4, &fl->u.ip4.daddr, sizeof(daddr->a4)); 1361 break; 1362 case AF_INET6: 1363 saddr->in6 = fl->u.ip6.saddr; 1364 daddr->in6 = fl->u.ip6.daddr; 1365 break; 1366 } 1367 } 1368 1369 static __inline__ int 1370 __xfrm4_state_addr_check(const struct xfrm_state *x, 1371 const xfrm_address_t *daddr, const xfrm_address_t *saddr) 1372 { 1373 if (daddr->a4 == x->id.daddr.a4 && 1374 (saddr->a4 == x->props.saddr.a4 || !saddr->a4 || !x->props.saddr.a4)) 1375 return 1; 1376 return 0; 1377 } 1378 1379 static __inline__ int 1380 __xfrm6_state_addr_check(const struct xfrm_state *x, 1381 const xfrm_address_t *daddr, const xfrm_address_t *saddr) 1382 { 1383 if (ipv6_addr_equal((struct in6_addr *)daddr, (struct in6_addr *)&x->id.daddr) && 1384 (ipv6_addr_equal((struct in6_addr *)saddr, (struct in6_addr *)&x->props.saddr) || 1385 ipv6_addr_any((struct in6_addr *)saddr) || 1386 ipv6_addr_any((struct in6_addr *)&x->props.saddr))) 1387 return 1; 1388 return 0; 1389 } 1390 1391 static __inline__ int 1392 xfrm_state_addr_check(const struct xfrm_state *x, 1393 const xfrm_address_t *daddr, const xfrm_address_t *saddr, 1394 unsigned short family) 1395 { 1396 switch (family) { 1397 case AF_INET: 1398 return __xfrm4_state_addr_check(x, daddr, saddr); 1399 case AF_INET6: 1400 return __xfrm6_state_addr_check(x, daddr, saddr); 1401 } 1402 return 0; 1403 } 1404 1405 static __inline__ int 1406 xfrm_state_addr_flow_check(const struct xfrm_state *x, const struct flowi *fl, 1407 unsigned short family) 1408 { 1409 switch (family) { 1410 case AF_INET: 1411 return __xfrm4_state_addr_check(x, 1412 (const xfrm_address_t *)&fl->u.ip4.daddr, 1413 (const xfrm_address_t *)&fl->u.ip4.saddr); 1414 case AF_INET6: 1415 return __xfrm6_state_addr_check(x, 1416 (const xfrm_address_t *)&fl->u.ip6.daddr, 1417 (const xfrm_address_t *)&fl->u.ip6.saddr); 1418 } 1419 return 0; 1420 } 1421 1422 static inline int xfrm_state_kern(const struct xfrm_state *x) 1423 { 1424 return atomic_read(&x->tunnel_users); 1425 } 1426 1427 static inline bool xfrm_id_proto_valid(u8 proto) 1428 { 1429 switch (proto) { 1430 case IPPROTO_AH: 1431 case IPPROTO_ESP: 1432 case IPPROTO_COMP: 1433 #if IS_ENABLED(CONFIG_IPV6) 1434 case IPPROTO_ROUTING: 1435 case IPPROTO_DSTOPTS: 1436 #endif 1437 return true; 1438 default: 1439 return false; 1440 } 1441 } 1442 1443 /* IPSEC_PROTO_ANY only matches 3 IPsec protocols, 0 could match all. */ 1444 static inline int xfrm_id_proto_match(u8 proto, u8 userproto) 1445 { 1446 return (!userproto || proto == userproto || 1447 (userproto == IPSEC_PROTO_ANY && (proto == IPPROTO_AH || 1448 proto == IPPROTO_ESP || 1449 proto == IPPROTO_COMP))); 1450 } 1451 1452 /* 1453 * xfrm algorithm information 1454 */ 1455 struct xfrm_algo_aead_info { 1456 char *geniv; 1457 u16 icv_truncbits; 1458 }; 1459 1460 struct xfrm_algo_auth_info { 1461 u16 icv_truncbits; 1462 u16 icv_fullbits; 1463 }; 1464 1465 struct xfrm_algo_encr_info { 1466 char *geniv; 1467 u16 blockbits; 1468 u16 defkeybits; 1469 }; 1470 1471 struct xfrm_algo_comp_info { 1472 u16 threshold; 1473 }; 1474 1475 struct xfrm_algo_desc { 1476 char *name; 1477 char *compat; 1478 u8 available:1; 1479 u8 pfkey_supported:1; 1480 union { 1481 struct xfrm_algo_aead_info aead; 1482 struct xfrm_algo_auth_info auth; 1483 struct xfrm_algo_encr_info encr; 1484 struct xfrm_algo_comp_info comp; 1485 } uinfo; 1486 struct sadb_alg desc; 1487 }; 1488 1489 /* XFRM protocol handlers. */ 1490 struct xfrm4_protocol { 1491 int (*handler)(struct sk_buff *skb); 1492 int (*input_handler)(struct sk_buff *skb, int nexthdr, __be32 spi, 1493 int encap_type); 1494 int (*cb_handler)(struct sk_buff *skb, int err); 1495 int (*err_handler)(struct sk_buff *skb, u32 info); 1496 1497 struct xfrm4_protocol __rcu *next; 1498 int priority; 1499 }; 1500 1501 struct xfrm6_protocol { 1502 int (*handler)(struct sk_buff *skb); 1503 int (*input_handler)(struct sk_buff *skb, int nexthdr, __be32 spi, 1504 int encap_type); 1505 int (*cb_handler)(struct sk_buff *skb, int err); 1506 int (*err_handler)(struct sk_buff *skb, struct inet6_skb_parm *opt, 1507 u8 type, u8 code, int offset, __be32 info); 1508 1509 struct xfrm6_protocol __rcu *next; 1510 int priority; 1511 }; 1512 1513 /* XFRM tunnel handlers. */ 1514 struct xfrm_tunnel { 1515 int (*handler)(struct sk_buff *skb); 1516 int (*cb_handler)(struct sk_buff *skb, int err); 1517 int (*err_handler)(struct sk_buff *skb, u32 info); 1518 1519 struct xfrm_tunnel __rcu *next; 1520 int priority; 1521 }; 1522 1523 struct xfrm6_tunnel { 1524 int (*handler)(struct sk_buff *skb); 1525 int (*cb_handler)(struct sk_buff *skb, int err); 1526 int (*err_handler)(struct sk_buff *skb, struct inet6_skb_parm *opt, 1527 u8 type, u8 code, int offset, __be32 info); 1528 struct xfrm6_tunnel __rcu *next; 1529 int priority; 1530 }; 1531 1532 void xfrm_init(void); 1533 void xfrm4_init(void); 1534 int xfrm_state_init(struct net *net); 1535 void xfrm_state_fini(struct net *net); 1536 void xfrm4_state_init(void); 1537 void xfrm4_protocol_init(void); 1538 #ifdef CONFIG_XFRM 1539 int xfrm6_init(void); 1540 void xfrm6_fini(void); 1541 int xfrm6_state_init(void); 1542 void xfrm6_state_fini(void); 1543 int xfrm6_protocol_init(void); 1544 void xfrm6_protocol_fini(void); 1545 #else 1546 static inline int xfrm6_init(void) 1547 { 1548 return 0; 1549 } 1550 static inline void xfrm6_fini(void) 1551 { 1552 ; 1553 } 1554 #endif 1555 1556 #ifdef CONFIG_XFRM_STATISTICS 1557 int xfrm_proc_init(struct net *net); 1558 void xfrm_proc_fini(struct net *net); 1559 #endif 1560 1561 int xfrm_sysctl_init(struct net *net); 1562 #ifdef CONFIG_SYSCTL 1563 void xfrm_sysctl_fini(struct net *net); 1564 #else 1565 static inline void xfrm_sysctl_fini(struct net *net) 1566 { 1567 } 1568 #endif 1569 1570 void xfrm_state_walk_init(struct xfrm_state_walk *walk, u8 proto, 1571 struct xfrm_address_filter *filter); 1572 int xfrm_state_walk(struct net *net, struct xfrm_state_walk *walk, 1573 int (*func)(struct xfrm_state *, int, void*), void *); 1574 void xfrm_state_walk_done(struct xfrm_state_walk *walk, struct net *net); 1575 struct xfrm_state *xfrm_state_alloc(struct net *net); 1576 void xfrm_state_free(struct xfrm_state *x); 1577 struct xfrm_state *xfrm_state_find(const xfrm_address_t *daddr, 1578 const xfrm_address_t *saddr, 1579 const struct flowi *fl, 1580 struct xfrm_tmpl *tmpl, 1581 struct xfrm_policy *pol, int *err, 1582 unsigned short family, u32 if_id); 1583 struct xfrm_state *xfrm_stateonly_find(struct net *net, u32 mark, u32 if_id, 1584 xfrm_address_t *daddr, 1585 xfrm_address_t *saddr, 1586 unsigned short family, 1587 u8 mode, u8 proto, u32 reqid); 1588 struct xfrm_state *xfrm_state_lookup_byspi(struct net *net, __be32 spi, 1589 unsigned short family); 1590 int xfrm_state_check_expire(struct xfrm_state *x); 1591 #ifdef CONFIG_XFRM_OFFLOAD 1592 static inline void xfrm_dev_state_update_curlft(struct xfrm_state *x) 1593 { 1594 struct xfrm_dev_offload *xdo = &x->xso; 1595 struct net_device *dev = READ_ONCE(xdo->dev); 1596 1597 if (x->xso.type != XFRM_DEV_OFFLOAD_PACKET) 1598 return; 1599 1600 if (dev && dev->xfrmdev_ops && 1601 dev->xfrmdev_ops->xdo_dev_state_update_curlft) 1602 dev->xfrmdev_ops->xdo_dev_state_update_curlft(x); 1603 1604 } 1605 #else 1606 static inline void xfrm_dev_state_update_curlft(struct xfrm_state *x) {} 1607 #endif 1608 void xfrm_state_insert(struct xfrm_state *x); 1609 int xfrm_state_add(struct xfrm_state *x); 1610 int xfrm_state_update(struct xfrm_state *x); 1611 struct xfrm_state *xfrm_state_lookup(struct net *net, u32 mark, 1612 const xfrm_address_t *daddr, __be32 spi, 1613 u8 proto, unsigned short family); 1614 struct xfrm_state *xfrm_state_lookup_byaddr(struct net *net, u32 mark, 1615 const xfrm_address_t *daddr, 1616 const xfrm_address_t *saddr, 1617 u8 proto, 1618 unsigned short family); 1619 #ifdef CONFIG_XFRM_SUB_POLICY 1620 void xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, int n, 1621 unsigned short family); 1622 void xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src, int n, 1623 unsigned short family); 1624 #else 1625 static inline void xfrm_tmpl_sort(struct xfrm_tmpl **d, struct xfrm_tmpl **s, 1626 int n, unsigned short family) 1627 { 1628 } 1629 1630 static inline void xfrm_state_sort(struct xfrm_state **d, struct xfrm_state **s, 1631 int n, unsigned short family) 1632 { 1633 } 1634 #endif 1635 1636 struct xfrmk_sadinfo { 1637 u32 sadhcnt; /* current hash bkts */ 1638 u32 sadhmcnt; /* max allowed hash bkts */ 1639 u32 sadcnt; /* current running count */ 1640 }; 1641 1642 struct xfrmk_spdinfo { 1643 u32 incnt; 1644 u32 outcnt; 1645 u32 fwdcnt; 1646 u32 inscnt; 1647 u32 outscnt; 1648 u32 fwdscnt; 1649 u32 spdhcnt; 1650 u32 spdhmcnt; 1651 }; 1652 1653 struct xfrm_state *xfrm_find_acq_byseq(struct net *net, u32 mark, u32 seq); 1654 int xfrm_state_delete(struct xfrm_state *x); 1655 int xfrm_state_flush(struct net *net, u8 proto, bool task_valid, bool sync); 1656 int xfrm_dev_state_flush(struct net *net, struct net_device *dev, bool task_valid); 1657 int xfrm_dev_policy_flush(struct net *net, struct net_device *dev, 1658 bool task_valid); 1659 void xfrm_sad_getinfo(struct net *net, struct xfrmk_sadinfo *si); 1660 void xfrm_spd_getinfo(struct net *net, struct xfrmk_spdinfo *si); 1661 u32 xfrm_replay_seqhi(struct xfrm_state *x, __be32 net_seq); 1662 int xfrm_init_replay(struct xfrm_state *x, struct netlink_ext_ack *extack); 1663 u32 xfrm_state_mtu(struct xfrm_state *x, int mtu); 1664 int __xfrm_init_state(struct xfrm_state *x, bool init_replay, bool offload, 1665 struct netlink_ext_ack *extack); 1666 int xfrm_init_state(struct xfrm_state *x); 1667 int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type); 1668 int xfrm_input_resume(struct sk_buff *skb, int nexthdr); 1669 int xfrm_trans_queue_net(struct net *net, struct sk_buff *skb, 1670 int (*finish)(struct net *, struct sock *, 1671 struct sk_buff *)); 1672 int xfrm_trans_queue(struct sk_buff *skb, 1673 int (*finish)(struct net *, struct sock *, 1674 struct sk_buff *)); 1675 int xfrm_output_resume(struct sock *sk, struct sk_buff *skb, int err); 1676 int xfrm_output(struct sock *sk, struct sk_buff *skb); 1677 1678 #if IS_ENABLED(CONFIG_NET_PKTGEN) 1679 int pktgen_xfrm_outer_mode_output(struct xfrm_state *x, struct sk_buff *skb); 1680 #endif 1681 1682 void xfrm_local_error(struct sk_buff *skb, int mtu); 1683 int xfrm4_extract_input(struct xfrm_state *x, struct sk_buff *skb); 1684 int xfrm4_rcv_encap(struct sk_buff *skb, int nexthdr, __be32 spi, 1685 int encap_type); 1686 int xfrm4_transport_finish(struct sk_buff *skb, int async); 1687 int xfrm4_rcv(struct sk_buff *skb); 1688 1689 static inline int xfrm4_rcv_spi(struct sk_buff *skb, int nexthdr, __be32 spi) 1690 { 1691 XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4 = NULL; 1692 XFRM_SPI_SKB_CB(skb)->family = AF_INET; 1693 XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct iphdr, daddr); 1694 return xfrm_input(skb, nexthdr, spi, 0); 1695 } 1696 1697 int xfrm4_output(struct net *net, struct sock *sk, struct sk_buff *skb); 1698 int xfrm4_protocol_register(struct xfrm4_protocol *handler, unsigned char protocol); 1699 int xfrm4_protocol_deregister(struct xfrm4_protocol *handler, unsigned char protocol); 1700 int xfrm4_tunnel_register(struct xfrm_tunnel *handler, unsigned short family); 1701 int xfrm4_tunnel_deregister(struct xfrm_tunnel *handler, unsigned short family); 1702 void xfrm4_local_error(struct sk_buff *skb, u32 mtu); 1703 int xfrm6_extract_input(struct xfrm_state *x, struct sk_buff *skb); 1704 int xfrm6_rcv_spi(struct sk_buff *skb, int nexthdr, __be32 spi, 1705 struct ip6_tnl *t); 1706 int xfrm6_rcv_encap(struct sk_buff *skb, int nexthdr, __be32 spi, 1707 int encap_type); 1708 int xfrm6_transport_finish(struct sk_buff *skb, int async); 1709 int xfrm6_rcv_tnl(struct sk_buff *skb, struct ip6_tnl *t); 1710 int xfrm6_rcv(struct sk_buff *skb); 1711 int xfrm6_input_addr(struct sk_buff *skb, xfrm_address_t *daddr, 1712 xfrm_address_t *saddr, u8 proto); 1713 void xfrm6_local_error(struct sk_buff *skb, u32 mtu); 1714 int xfrm6_protocol_register(struct xfrm6_protocol *handler, unsigned char protocol); 1715 int xfrm6_protocol_deregister(struct xfrm6_protocol *handler, unsigned char protocol); 1716 int xfrm6_tunnel_register(struct xfrm6_tunnel *handler, unsigned short family); 1717 int xfrm6_tunnel_deregister(struct xfrm6_tunnel *handler, unsigned short family); 1718 __be32 xfrm6_tunnel_alloc_spi(struct net *net, xfrm_address_t *saddr); 1719 __be32 xfrm6_tunnel_spi_lookup(struct net *net, const xfrm_address_t *saddr); 1720 int xfrm6_output(struct net *net, struct sock *sk, struct sk_buff *skb); 1721 1722 #ifdef CONFIG_XFRM 1723 void xfrm6_local_rxpmtu(struct sk_buff *skb, u32 mtu); 1724 int xfrm4_udp_encap_rcv(struct sock *sk, struct sk_buff *skb); 1725 int xfrm6_udp_encap_rcv(struct sock *sk, struct sk_buff *skb); 1726 int xfrm_user_policy(struct sock *sk, int optname, sockptr_t optval, 1727 int optlen); 1728 #else 1729 static inline int xfrm_user_policy(struct sock *sk, int optname, 1730 sockptr_t optval, int optlen) 1731 { 1732 return -ENOPROTOOPT; 1733 } 1734 #endif 1735 1736 struct dst_entry *__xfrm_dst_lookup(int family, const struct xfrm_dst_lookup_params *params); 1737 1738 struct xfrm_policy *xfrm_policy_alloc(struct net *net, gfp_t gfp); 1739 1740 void xfrm_policy_walk_init(struct xfrm_policy_walk *walk, u8 type); 1741 int xfrm_policy_walk(struct net *net, struct xfrm_policy_walk *walk, 1742 int (*func)(struct xfrm_policy *, int, int, void*), 1743 void *); 1744 void xfrm_policy_walk_done(struct xfrm_policy_walk *walk, struct net *net); 1745 int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl); 1746 struct xfrm_policy *xfrm_policy_bysel_ctx(struct net *net, 1747 const struct xfrm_mark *mark, 1748 u32 if_id, u8 type, int dir, 1749 struct xfrm_selector *sel, 1750 struct xfrm_sec_ctx *ctx, int delete, 1751 int *err); 1752 struct xfrm_policy *xfrm_policy_byid(struct net *net, 1753 const struct xfrm_mark *mark, u32 if_id, 1754 u8 type, int dir, u32 id, int delete, 1755 int *err); 1756 int xfrm_policy_flush(struct net *net, u8 type, bool task_valid); 1757 void xfrm_policy_hash_rebuild(struct net *net); 1758 u32 xfrm_get_acqseq(void); 1759 int verify_spi_info(u8 proto, u32 min, u32 max, struct netlink_ext_ack *extack); 1760 int xfrm_alloc_spi(struct xfrm_state *x, u32 minspi, u32 maxspi, 1761 struct netlink_ext_ack *extack); 1762 struct xfrm_state *xfrm_find_acq(struct net *net, const struct xfrm_mark *mark, 1763 u8 mode, u32 reqid, u32 if_id, u8 proto, 1764 const xfrm_address_t *daddr, 1765 const xfrm_address_t *saddr, int create, 1766 unsigned short family); 1767 int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol); 1768 1769 #ifdef CONFIG_XFRM_MIGRATE 1770 int km_migrate(const struct xfrm_selector *sel, u8 dir, u8 type, 1771 const struct xfrm_migrate *m, int num_bundles, 1772 const struct xfrm_kmaddress *k, 1773 const struct xfrm_encap_tmpl *encap); 1774 struct xfrm_state *xfrm_migrate_state_find(struct xfrm_migrate *m, struct net *net, 1775 u32 if_id); 1776 struct xfrm_state *xfrm_state_migrate(struct xfrm_state *x, 1777 struct xfrm_migrate *m, 1778 struct xfrm_encap_tmpl *encap); 1779 int xfrm_migrate(const struct xfrm_selector *sel, u8 dir, u8 type, 1780 struct xfrm_migrate *m, int num_bundles, 1781 struct xfrm_kmaddress *k, struct net *net, 1782 struct xfrm_encap_tmpl *encap, u32 if_id, 1783 struct netlink_ext_ack *extack); 1784 #endif 1785 1786 int km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport); 1787 void km_policy_expired(struct xfrm_policy *pol, int dir, int hard, u32 portid); 1788 int km_report(struct net *net, u8 proto, struct xfrm_selector *sel, 1789 xfrm_address_t *addr); 1790 1791 void xfrm_input_init(void); 1792 int xfrm_parse_spi(struct sk_buff *skb, u8 nexthdr, __be32 *spi, __be32 *seq); 1793 1794 void xfrm_probe_algs(void); 1795 int xfrm_count_pfkey_auth_supported(void); 1796 int xfrm_count_pfkey_enc_supported(void); 1797 struct xfrm_algo_desc *xfrm_aalg_get_byidx(unsigned int idx); 1798 struct xfrm_algo_desc *xfrm_ealg_get_byidx(unsigned int idx); 1799 struct xfrm_algo_desc *xfrm_aalg_get_byid(int alg_id); 1800 struct xfrm_algo_desc *xfrm_ealg_get_byid(int alg_id); 1801 struct xfrm_algo_desc *xfrm_calg_get_byid(int alg_id); 1802 struct xfrm_algo_desc *xfrm_aalg_get_byname(const char *name, int probe); 1803 struct xfrm_algo_desc *xfrm_ealg_get_byname(const char *name, int probe); 1804 struct xfrm_algo_desc *xfrm_calg_get_byname(const char *name, int probe); 1805 struct xfrm_algo_desc *xfrm_aead_get_byname(const char *name, int icv_len, 1806 int probe); 1807 1808 static inline bool xfrm6_addr_equal(const xfrm_address_t *a, 1809 const xfrm_address_t *b) 1810 { 1811 return ipv6_addr_equal((const struct in6_addr *)a, 1812 (const struct in6_addr *)b); 1813 } 1814 1815 static inline bool xfrm_addr_equal(const xfrm_address_t *a, 1816 const xfrm_address_t *b, 1817 sa_family_t family) 1818 { 1819 switch (family) { 1820 default: 1821 case AF_INET: 1822 return ((__force u32)a->a4 ^ (__force u32)b->a4) == 0; 1823 case AF_INET6: 1824 return xfrm6_addr_equal(a, b); 1825 } 1826 } 1827 1828 static inline int xfrm_policy_id2dir(u32 index) 1829 { 1830 return index & 7; 1831 } 1832 1833 #ifdef CONFIG_XFRM 1834 void xfrm_replay_advance(struct xfrm_state *x, __be32 net_seq); 1835 int xfrm_replay_check(struct xfrm_state *x, struct sk_buff *skb, __be32 net_seq); 1836 void xfrm_replay_notify(struct xfrm_state *x, int event); 1837 int xfrm_replay_overflow(struct xfrm_state *x, struct sk_buff *skb); 1838 int xfrm_replay_recheck(struct xfrm_state *x, struct sk_buff *skb, __be32 net_seq); 1839 1840 static inline int xfrm_aevent_is_on(struct net *net) 1841 { 1842 struct sock *nlsk; 1843 int ret = 0; 1844 1845 rcu_read_lock(); 1846 nlsk = rcu_dereference(net->xfrm.nlsk); 1847 if (nlsk) 1848 ret = netlink_has_listeners(nlsk, XFRMNLGRP_AEVENTS); 1849 rcu_read_unlock(); 1850 return ret; 1851 } 1852 1853 static inline int xfrm_acquire_is_on(struct net *net) 1854 { 1855 struct sock *nlsk; 1856 int ret = 0; 1857 1858 rcu_read_lock(); 1859 nlsk = rcu_dereference(net->xfrm.nlsk); 1860 if (nlsk) 1861 ret = netlink_has_listeners(nlsk, XFRMNLGRP_ACQUIRE); 1862 rcu_read_unlock(); 1863 1864 return ret; 1865 } 1866 #endif 1867 1868 static inline unsigned int aead_len(struct xfrm_algo_aead *alg) 1869 { 1870 return sizeof(*alg) + ((alg->alg_key_len + 7) / 8); 1871 } 1872 1873 static inline unsigned int xfrm_alg_len(const struct xfrm_algo *alg) 1874 { 1875 return sizeof(*alg) + ((alg->alg_key_len + 7) / 8); 1876 } 1877 1878 static inline unsigned int xfrm_alg_auth_len(const struct xfrm_algo_auth *alg) 1879 { 1880 return sizeof(*alg) + ((alg->alg_key_len + 7) / 8); 1881 } 1882 1883 static inline unsigned int xfrm_replay_state_esn_len(struct xfrm_replay_state_esn *replay_esn) 1884 { 1885 return sizeof(*replay_esn) + replay_esn->bmp_len * sizeof(__u32); 1886 } 1887 1888 #ifdef CONFIG_XFRM_MIGRATE 1889 static inline int xfrm_replay_clone(struct xfrm_state *x, 1890 struct xfrm_state *orig) 1891 { 1892 1893 x->replay_esn = kmemdup(orig->replay_esn, 1894 xfrm_replay_state_esn_len(orig->replay_esn), 1895 GFP_KERNEL); 1896 if (!x->replay_esn) 1897 return -ENOMEM; 1898 x->preplay_esn = kmemdup(orig->preplay_esn, 1899 xfrm_replay_state_esn_len(orig->preplay_esn), 1900 GFP_KERNEL); 1901 if (!x->preplay_esn) 1902 return -ENOMEM; 1903 1904 return 0; 1905 } 1906 1907 static inline struct xfrm_algo_aead *xfrm_algo_aead_clone(struct xfrm_algo_aead *orig) 1908 { 1909 return kmemdup(orig, aead_len(orig), GFP_KERNEL); 1910 } 1911 1912 1913 static inline struct xfrm_algo *xfrm_algo_clone(struct xfrm_algo *orig) 1914 { 1915 return kmemdup(orig, xfrm_alg_len(orig), GFP_KERNEL); 1916 } 1917 1918 static inline struct xfrm_algo_auth *xfrm_algo_auth_clone(struct xfrm_algo_auth *orig) 1919 { 1920 return kmemdup(orig, xfrm_alg_auth_len(orig), GFP_KERNEL); 1921 } 1922 1923 static inline void xfrm_states_put(struct xfrm_state **states, int n) 1924 { 1925 int i; 1926 for (i = 0; i < n; i++) 1927 xfrm_state_put(*(states + i)); 1928 } 1929 1930 static inline void xfrm_states_delete(struct xfrm_state **states, int n) 1931 { 1932 int i; 1933 for (i = 0; i < n; i++) 1934 xfrm_state_delete(*(states + i)); 1935 } 1936 #endif 1937 1938 void __init xfrm_dev_init(void); 1939 1940 #ifdef CONFIG_XFRM_OFFLOAD 1941 void xfrm_dev_resume(struct sk_buff *skb); 1942 void xfrm_dev_backlog(struct softnet_data *sd); 1943 struct sk_buff *validate_xmit_xfrm(struct sk_buff *skb, netdev_features_t features, bool *again); 1944 int xfrm_dev_state_add(struct net *net, struct xfrm_state *x, 1945 struct xfrm_user_offload *xuo, 1946 struct netlink_ext_ack *extack); 1947 int xfrm_dev_policy_add(struct net *net, struct xfrm_policy *xp, 1948 struct xfrm_user_offload *xuo, u8 dir, 1949 struct netlink_ext_ack *extack); 1950 bool xfrm_dev_offload_ok(struct sk_buff *skb, struct xfrm_state *x); 1951 void xfrm_dev_state_delete(struct xfrm_state *x); 1952 void xfrm_dev_state_free(struct xfrm_state *x); 1953 1954 static inline void xfrm_dev_state_advance_esn(struct xfrm_state *x) 1955 { 1956 struct xfrm_dev_offload *xso = &x->xso; 1957 struct net_device *dev = READ_ONCE(xso->dev); 1958 1959 if (dev && dev->xfrmdev_ops->xdo_dev_state_advance_esn) 1960 dev->xfrmdev_ops->xdo_dev_state_advance_esn(x); 1961 } 1962 1963 static inline bool xfrm_dst_offload_ok(struct dst_entry *dst) 1964 { 1965 struct xfrm_state *x = dst->xfrm; 1966 struct xfrm_dst *xdst; 1967 1968 if (!x || !x->type_offload) 1969 return false; 1970 1971 xdst = (struct xfrm_dst *) dst; 1972 if (!x->xso.offload_handle && !xdst->child->xfrm) 1973 return true; 1974 if (x->xso.offload_handle && (x->xso.dev == xfrm_dst_path(dst)->dev) && 1975 !xdst->child->xfrm) 1976 return true; 1977 1978 return false; 1979 } 1980 1981 static inline void xfrm_dev_policy_delete(struct xfrm_policy *x) 1982 { 1983 struct xfrm_dev_offload *xdo = &x->xdo; 1984 struct net_device *dev = xdo->dev; 1985 1986 if (dev && dev->xfrmdev_ops && dev->xfrmdev_ops->xdo_dev_policy_delete) 1987 dev->xfrmdev_ops->xdo_dev_policy_delete(x); 1988 } 1989 1990 static inline void xfrm_dev_policy_free(struct xfrm_policy *x) 1991 { 1992 struct xfrm_dev_offload *xdo = &x->xdo; 1993 struct net_device *dev = xdo->dev; 1994 1995 if (dev && dev->xfrmdev_ops) { 1996 if (dev->xfrmdev_ops->xdo_dev_policy_free) 1997 dev->xfrmdev_ops->xdo_dev_policy_free(x); 1998 xdo->dev = NULL; 1999 netdev_put(dev, &xdo->dev_tracker); 2000 } 2001 } 2002 #else 2003 static inline void xfrm_dev_resume(struct sk_buff *skb) 2004 { 2005 } 2006 2007 static inline void xfrm_dev_backlog(struct softnet_data *sd) 2008 { 2009 } 2010 2011 static inline struct sk_buff *validate_xmit_xfrm(struct sk_buff *skb, netdev_features_t features, bool *again) 2012 { 2013 return skb; 2014 } 2015 2016 static inline int xfrm_dev_state_add(struct net *net, struct xfrm_state *x, struct xfrm_user_offload *xuo, struct netlink_ext_ack *extack) 2017 { 2018 return 0; 2019 } 2020 2021 static inline void xfrm_dev_state_delete(struct xfrm_state *x) 2022 { 2023 } 2024 2025 static inline void xfrm_dev_state_free(struct xfrm_state *x) 2026 { 2027 } 2028 2029 static inline int xfrm_dev_policy_add(struct net *net, struct xfrm_policy *xp, 2030 struct xfrm_user_offload *xuo, u8 dir, 2031 struct netlink_ext_ack *extack) 2032 { 2033 return 0; 2034 } 2035 2036 static inline void xfrm_dev_policy_delete(struct xfrm_policy *x) 2037 { 2038 } 2039 2040 static inline void xfrm_dev_policy_free(struct xfrm_policy *x) 2041 { 2042 } 2043 2044 static inline bool xfrm_dev_offload_ok(struct sk_buff *skb, struct xfrm_state *x) 2045 { 2046 return false; 2047 } 2048 2049 static inline void xfrm_dev_state_advance_esn(struct xfrm_state *x) 2050 { 2051 } 2052 2053 static inline bool xfrm_dst_offload_ok(struct dst_entry *dst) 2054 { 2055 return false; 2056 } 2057 #endif 2058 2059 static inline int xfrm_mark_get(struct nlattr **attrs, struct xfrm_mark *m) 2060 { 2061 if (attrs[XFRMA_MARK]) 2062 memcpy(m, nla_data(attrs[XFRMA_MARK]), sizeof(struct xfrm_mark)); 2063 else 2064 m->v = m->m = 0; 2065 2066 return m->v & m->m; 2067 } 2068 2069 static inline int xfrm_mark_put(struct sk_buff *skb, const struct xfrm_mark *m) 2070 { 2071 int ret = 0; 2072 2073 if (m->m | m->v) 2074 ret = nla_put(skb, XFRMA_MARK, sizeof(struct xfrm_mark), m); 2075 return ret; 2076 } 2077 2078 static inline __u32 xfrm_smark_get(__u32 mark, struct xfrm_state *x) 2079 { 2080 struct xfrm_mark *m = &x->props.smark; 2081 2082 return (m->v & m->m) | (mark & ~m->m); 2083 } 2084 2085 static inline int xfrm_if_id_put(struct sk_buff *skb, __u32 if_id) 2086 { 2087 int ret = 0; 2088 2089 if (if_id) 2090 ret = nla_put_u32(skb, XFRMA_IF_ID, if_id); 2091 return ret; 2092 } 2093 2094 static inline int xfrm_tunnel_check(struct sk_buff *skb, struct xfrm_state *x, 2095 unsigned int family) 2096 { 2097 bool tunnel = false; 2098 2099 switch(family) { 2100 case AF_INET: 2101 if (XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4) 2102 tunnel = true; 2103 break; 2104 case AF_INET6: 2105 if (XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip6) 2106 tunnel = true; 2107 break; 2108 } 2109 if (tunnel && !(x->outer_mode.flags & XFRM_MODE_FLAG_TUNNEL)) 2110 return -EINVAL; 2111 2112 return 0; 2113 } 2114 2115 extern const int xfrm_msg_min[XFRM_NR_MSGTYPES]; 2116 extern const struct nla_policy xfrma_policy[XFRMA_MAX+1]; 2117 2118 struct xfrm_translator { 2119 /* Allocate frag_list and put compat translation there */ 2120 int (*alloc_compat)(struct sk_buff *skb, const struct nlmsghdr *src); 2121 2122 /* Allocate nlmsg with 64-bit translaton of received 32-bit message */ 2123 struct nlmsghdr *(*rcv_msg_compat)(const struct nlmsghdr *nlh, 2124 int maxtype, const struct nla_policy *policy, 2125 struct netlink_ext_ack *extack); 2126 2127 /* Translate 32-bit user_policy from sockptr */ 2128 int (*xlate_user_policy_sockptr)(u8 **pdata32, int optlen); 2129 2130 struct module *owner; 2131 }; 2132 2133 #if IS_ENABLED(CONFIG_XFRM_USER_COMPAT) 2134 extern int xfrm_register_translator(struct xfrm_translator *xtr); 2135 extern int xfrm_unregister_translator(struct xfrm_translator *xtr); 2136 extern struct xfrm_translator *xfrm_get_translator(void); 2137 extern void xfrm_put_translator(struct xfrm_translator *xtr); 2138 #else 2139 static inline struct xfrm_translator *xfrm_get_translator(void) 2140 { 2141 return NULL; 2142 } 2143 static inline void xfrm_put_translator(struct xfrm_translator *xtr) 2144 { 2145 } 2146 #endif 2147 2148 #if IS_ENABLED(CONFIG_IPV6) 2149 static inline bool xfrm6_local_dontfrag(const struct sock *sk) 2150 { 2151 int proto; 2152 2153 if (!sk || sk->sk_family != AF_INET6) 2154 return false; 2155 2156 proto = sk->sk_protocol; 2157 if (proto == IPPROTO_UDP || proto == IPPROTO_RAW) 2158 return inet6_sk(sk)->dontfrag; 2159 2160 return false; 2161 } 2162 #endif 2163 2164 #if (IS_BUILTIN(CONFIG_XFRM_INTERFACE) && IS_ENABLED(CONFIG_DEBUG_INFO_BTF)) || \ 2165 (IS_MODULE(CONFIG_XFRM_INTERFACE) && IS_ENABLED(CONFIG_DEBUG_INFO_BTF_MODULES)) 2166 2167 extern struct metadata_dst __percpu *xfrm_bpf_md_dst; 2168 2169 int register_xfrm_interface_bpf(void); 2170 2171 #else 2172 2173 static inline int register_xfrm_interface_bpf(void) 2174 { 2175 return 0; 2176 } 2177 2178 #endif 2179 2180 #endif /* _NET_XFRM_H */ 2181