1 /* 2 * xfrm_state.c 3 * 4 * Changes: 5 * Mitsuru KANDA @USAGI 6 * Kazunori MIYAZAWA @USAGI 7 * Kunihiro Ishiguro <kunihiro@ipinfusion.com> 8 * IPv6 support 9 * YOSHIFUJI Hideaki @USAGI 10 * Split up af-specific functions 11 * Derek Atkins <derek@ihtfp.com> 12 * Add UDP Encapsulation 13 * 14 */ 15 16 #include <linux/workqueue.h> 17 #include <net/xfrm.h> 18 #include <linux/pfkeyv2.h> 19 #include <linux/ipsec.h> 20 #include <linux/module.h> 21 #include <linux/cache.h> 22 #include <linux/audit.h> 23 #include <asm/uaccess.h> 24 25 #include "xfrm_hash.h" 26 27 struct sock *xfrm_nl; 28 EXPORT_SYMBOL(xfrm_nl); 29 30 u32 sysctl_xfrm_aevent_etime __read_mostly = XFRM_AE_ETIME; 31 EXPORT_SYMBOL(sysctl_xfrm_aevent_etime); 32 33 u32 sysctl_xfrm_aevent_rseqth __read_mostly = XFRM_AE_SEQT_SIZE; 34 EXPORT_SYMBOL(sysctl_xfrm_aevent_rseqth); 35 36 u32 sysctl_xfrm_acq_expires __read_mostly = 30; 37 38 /* Each xfrm_state may be linked to two tables: 39 40 1. Hash table by (spi,daddr,ah/esp) to find SA by SPI. (input,ctl) 41 2. Hash table by (daddr,family,reqid) to find what SAs exist for given 42 destination/tunnel endpoint. (output) 43 */ 44 45 static DEFINE_SPINLOCK(xfrm_state_lock); 46 47 /* Hash table to find appropriate SA towards given target (endpoint 48 * of tunnel or destination of transport mode) allowed by selector. 49 * 50 * Main use is finding SA after policy selected tunnel or transport mode. 51 * Also, it can be used by ah/esp icmp error handler to find offending SA. 52 */ 53 static struct hlist_head *xfrm_state_bydst __read_mostly; 54 static struct hlist_head *xfrm_state_bysrc __read_mostly; 55 static struct hlist_head *xfrm_state_byspi __read_mostly; 56 static unsigned int xfrm_state_hmask __read_mostly; 57 static unsigned int xfrm_state_hashmax __read_mostly = 1 * 1024 * 1024; 58 static unsigned int xfrm_state_num; 59 static unsigned int xfrm_state_genid; 60 61 static struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned int family); 62 static void xfrm_state_put_afinfo(struct xfrm_state_afinfo *afinfo); 63 64 #ifdef CONFIG_AUDITSYSCALL 65 static void xfrm_audit_state_replay(struct xfrm_state *x, 66 struct sk_buff *skb, __be32 net_seq); 67 #else 68 #define xfrm_audit_state_replay(x, s, sq) do { ; } while (0) 69 #endif /* CONFIG_AUDITSYSCALL */ 70 71 static inline unsigned int xfrm_dst_hash(xfrm_address_t *daddr, 72 xfrm_address_t *saddr, 73 u32 reqid, 74 unsigned short family) 75 { 76 return __xfrm_dst_hash(daddr, saddr, reqid, family, xfrm_state_hmask); 77 } 78 79 static inline unsigned int xfrm_src_hash(xfrm_address_t *daddr, 80 xfrm_address_t *saddr, 81 unsigned short family) 82 { 83 return __xfrm_src_hash(daddr, saddr, family, xfrm_state_hmask); 84 } 85 86 static inline unsigned int 87 xfrm_spi_hash(xfrm_address_t *daddr, __be32 spi, u8 proto, unsigned short family) 88 { 89 return __xfrm_spi_hash(daddr, spi, proto, family, xfrm_state_hmask); 90 } 91 92 static void xfrm_hash_transfer(struct hlist_head *list, 93 struct hlist_head *ndsttable, 94 struct hlist_head *nsrctable, 95 struct hlist_head *nspitable, 96 unsigned int nhashmask) 97 { 98 struct hlist_node *entry, *tmp; 99 struct xfrm_state *x; 100 101 hlist_for_each_entry_safe(x, entry, tmp, list, bydst) { 102 unsigned int h; 103 104 h = __xfrm_dst_hash(&x->id.daddr, &x->props.saddr, 105 x->props.reqid, x->props.family, 106 nhashmask); 107 hlist_add_head(&x->bydst, ndsttable+h); 108 109 h = __xfrm_src_hash(&x->id.daddr, &x->props.saddr, 110 x->props.family, 111 nhashmask); 112 hlist_add_head(&x->bysrc, nsrctable+h); 113 114 if (x->id.spi) { 115 h = __xfrm_spi_hash(&x->id.daddr, x->id.spi, 116 x->id.proto, x->props.family, 117 nhashmask); 118 hlist_add_head(&x->byspi, nspitable+h); 119 } 120 } 121 } 122 123 static unsigned long xfrm_hash_new_size(void) 124 { 125 return ((xfrm_state_hmask + 1) << 1) * 126 sizeof(struct hlist_head); 127 } 128 129 static DEFINE_MUTEX(hash_resize_mutex); 130 131 static void xfrm_hash_resize(struct work_struct *__unused) 132 { 133 struct hlist_head *ndst, *nsrc, *nspi, *odst, *osrc, *ospi; 134 unsigned long nsize, osize; 135 unsigned int nhashmask, ohashmask; 136 int i; 137 138 mutex_lock(&hash_resize_mutex); 139 140 nsize = xfrm_hash_new_size(); 141 ndst = xfrm_hash_alloc(nsize); 142 if (!ndst) 143 goto out_unlock; 144 nsrc = xfrm_hash_alloc(nsize); 145 if (!nsrc) { 146 xfrm_hash_free(ndst, nsize); 147 goto out_unlock; 148 } 149 nspi = xfrm_hash_alloc(nsize); 150 if (!nspi) { 151 xfrm_hash_free(ndst, nsize); 152 xfrm_hash_free(nsrc, nsize); 153 goto out_unlock; 154 } 155 156 spin_lock_bh(&xfrm_state_lock); 157 158 nhashmask = (nsize / sizeof(struct hlist_head)) - 1U; 159 for (i = xfrm_state_hmask; i >= 0; i--) 160 xfrm_hash_transfer(xfrm_state_bydst+i, ndst, nsrc, nspi, 161 nhashmask); 162 163 odst = xfrm_state_bydst; 164 osrc = xfrm_state_bysrc; 165 ospi = xfrm_state_byspi; 166 ohashmask = xfrm_state_hmask; 167 168 xfrm_state_bydst = ndst; 169 xfrm_state_bysrc = nsrc; 170 xfrm_state_byspi = nspi; 171 xfrm_state_hmask = nhashmask; 172 173 spin_unlock_bh(&xfrm_state_lock); 174 175 osize = (ohashmask + 1) * sizeof(struct hlist_head); 176 xfrm_hash_free(odst, osize); 177 xfrm_hash_free(osrc, osize); 178 xfrm_hash_free(ospi, osize); 179 180 out_unlock: 181 mutex_unlock(&hash_resize_mutex); 182 } 183 184 static DECLARE_WORK(xfrm_hash_work, xfrm_hash_resize); 185 186 DECLARE_WAIT_QUEUE_HEAD(km_waitq); 187 EXPORT_SYMBOL(km_waitq); 188 189 static DEFINE_RWLOCK(xfrm_state_afinfo_lock); 190 static struct xfrm_state_afinfo *xfrm_state_afinfo[NPROTO]; 191 192 static struct work_struct xfrm_state_gc_work; 193 static HLIST_HEAD(xfrm_state_gc_list); 194 static DEFINE_SPINLOCK(xfrm_state_gc_lock); 195 196 int __xfrm_state_delete(struct xfrm_state *x); 197 198 int km_query(struct xfrm_state *x, struct xfrm_tmpl *t, struct xfrm_policy *pol); 199 void km_state_expired(struct xfrm_state *x, int hard, u32 pid); 200 201 static struct xfrm_state_afinfo *xfrm_state_lock_afinfo(unsigned int family) 202 { 203 struct xfrm_state_afinfo *afinfo; 204 if (unlikely(family >= NPROTO)) 205 return NULL; 206 write_lock_bh(&xfrm_state_afinfo_lock); 207 afinfo = xfrm_state_afinfo[family]; 208 if (unlikely(!afinfo)) 209 write_unlock_bh(&xfrm_state_afinfo_lock); 210 return afinfo; 211 } 212 213 static void xfrm_state_unlock_afinfo(struct xfrm_state_afinfo *afinfo) 214 __releases(xfrm_state_afinfo_lock) 215 { 216 write_unlock_bh(&xfrm_state_afinfo_lock); 217 } 218 219 int xfrm_register_type(const struct xfrm_type *type, unsigned short family) 220 { 221 struct xfrm_state_afinfo *afinfo = xfrm_state_lock_afinfo(family); 222 const struct xfrm_type **typemap; 223 int err = 0; 224 225 if (unlikely(afinfo == NULL)) 226 return -EAFNOSUPPORT; 227 typemap = afinfo->type_map; 228 229 if (likely(typemap[type->proto] == NULL)) 230 typemap[type->proto] = type; 231 else 232 err = -EEXIST; 233 xfrm_state_unlock_afinfo(afinfo); 234 return err; 235 } 236 EXPORT_SYMBOL(xfrm_register_type); 237 238 int xfrm_unregister_type(const struct xfrm_type *type, unsigned short family) 239 { 240 struct xfrm_state_afinfo *afinfo = xfrm_state_lock_afinfo(family); 241 const struct xfrm_type **typemap; 242 int err = 0; 243 244 if (unlikely(afinfo == NULL)) 245 return -EAFNOSUPPORT; 246 typemap = afinfo->type_map; 247 248 if (unlikely(typemap[type->proto] != type)) 249 err = -ENOENT; 250 else 251 typemap[type->proto] = NULL; 252 xfrm_state_unlock_afinfo(afinfo); 253 return err; 254 } 255 EXPORT_SYMBOL(xfrm_unregister_type); 256 257 static const struct xfrm_type *xfrm_get_type(u8 proto, unsigned short family) 258 { 259 struct xfrm_state_afinfo *afinfo; 260 const struct xfrm_type **typemap; 261 const struct xfrm_type *type; 262 int modload_attempted = 0; 263 264 retry: 265 afinfo = xfrm_state_get_afinfo(family); 266 if (unlikely(afinfo == NULL)) 267 return NULL; 268 typemap = afinfo->type_map; 269 270 type = typemap[proto]; 271 if (unlikely(type && !try_module_get(type->owner))) 272 type = NULL; 273 if (!type && !modload_attempted) { 274 xfrm_state_put_afinfo(afinfo); 275 request_module("xfrm-type-%d-%d", family, proto); 276 modload_attempted = 1; 277 goto retry; 278 } 279 280 xfrm_state_put_afinfo(afinfo); 281 return type; 282 } 283 284 static void xfrm_put_type(const struct xfrm_type *type) 285 { 286 module_put(type->owner); 287 } 288 289 int xfrm_register_mode(struct xfrm_mode *mode, int family) 290 { 291 struct xfrm_state_afinfo *afinfo; 292 struct xfrm_mode **modemap; 293 int err; 294 295 if (unlikely(mode->encap >= XFRM_MODE_MAX)) 296 return -EINVAL; 297 298 afinfo = xfrm_state_lock_afinfo(family); 299 if (unlikely(afinfo == NULL)) 300 return -EAFNOSUPPORT; 301 302 err = -EEXIST; 303 modemap = afinfo->mode_map; 304 if (modemap[mode->encap]) 305 goto out; 306 307 err = -ENOENT; 308 if (!try_module_get(afinfo->owner)) 309 goto out; 310 311 mode->afinfo = afinfo; 312 modemap[mode->encap] = mode; 313 err = 0; 314 315 out: 316 xfrm_state_unlock_afinfo(afinfo); 317 return err; 318 } 319 EXPORT_SYMBOL(xfrm_register_mode); 320 321 int xfrm_unregister_mode(struct xfrm_mode *mode, int family) 322 { 323 struct xfrm_state_afinfo *afinfo; 324 struct xfrm_mode **modemap; 325 int err; 326 327 if (unlikely(mode->encap >= XFRM_MODE_MAX)) 328 return -EINVAL; 329 330 afinfo = xfrm_state_lock_afinfo(family); 331 if (unlikely(afinfo == NULL)) 332 return -EAFNOSUPPORT; 333 334 err = -ENOENT; 335 modemap = afinfo->mode_map; 336 if (likely(modemap[mode->encap] == mode)) { 337 modemap[mode->encap] = NULL; 338 module_put(mode->afinfo->owner); 339 err = 0; 340 } 341 342 xfrm_state_unlock_afinfo(afinfo); 343 return err; 344 } 345 EXPORT_SYMBOL(xfrm_unregister_mode); 346 347 static struct xfrm_mode *xfrm_get_mode(unsigned int encap, int family) 348 { 349 struct xfrm_state_afinfo *afinfo; 350 struct xfrm_mode *mode; 351 int modload_attempted = 0; 352 353 if (unlikely(encap >= XFRM_MODE_MAX)) 354 return NULL; 355 356 retry: 357 afinfo = xfrm_state_get_afinfo(family); 358 if (unlikely(afinfo == NULL)) 359 return NULL; 360 361 mode = afinfo->mode_map[encap]; 362 if (unlikely(mode && !try_module_get(mode->owner))) 363 mode = NULL; 364 if (!mode && !modload_attempted) { 365 xfrm_state_put_afinfo(afinfo); 366 request_module("xfrm-mode-%d-%d", family, encap); 367 modload_attempted = 1; 368 goto retry; 369 } 370 371 xfrm_state_put_afinfo(afinfo); 372 return mode; 373 } 374 375 static void xfrm_put_mode(struct xfrm_mode *mode) 376 { 377 module_put(mode->owner); 378 } 379 380 static void xfrm_state_gc_destroy(struct xfrm_state *x) 381 { 382 del_timer_sync(&x->timer); 383 del_timer_sync(&x->rtimer); 384 kfree(x->aalg); 385 kfree(x->ealg); 386 kfree(x->calg); 387 kfree(x->encap); 388 kfree(x->coaddr); 389 if (x->inner_mode) 390 xfrm_put_mode(x->inner_mode); 391 if (x->inner_mode_iaf) 392 xfrm_put_mode(x->inner_mode_iaf); 393 if (x->outer_mode) 394 xfrm_put_mode(x->outer_mode); 395 if (x->type) { 396 x->type->destructor(x); 397 xfrm_put_type(x->type); 398 } 399 security_xfrm_state_free(x); 400 kfree(x); 401 } 402 403 static void xfrm_state_gc_task(struct work_struct *data) 404 { 405 struct xfrm_state *x; 406 struct hlist_node *entry, *tmp; 407 struct hlist_head gc_list; 408 409 spin_lock_bh(&xfrm_state_gc_lock); 410 gc_list.first = xfrm_state_gc_list.first; 411 INIT_HLIST_HEAD(&xfrm_state_gc_list); 412 spin_unlock_bh(&xfrm_state_gc_lock); 413 414 hlist_for_each_entry_safe(x, entry, tmp, &gc_list, bydst) 415 xfrm_state_gc_destroy(x); 416 417 wake_up(&km_waitq); 418 } 419 420 static inline unsigned long make_jiffies(long secs) 421 { 422 if (secs >= (MAX_SCHEDULE_TIMEOUT-1)/HZ) 423 return MAX_SCHEDULE_TIMEOUT-1; 424 else 425 return secs*HZ; 426 } 427 428 static void xfrm_timer_handler(unsigned long data) 429 { 430 struct xfrm_state *x = (struct xfrm_state*)data; 431 unsigned long now = get_seconds(); 432 long next = LONG_MAX; 433 int warn = 0; 434 int err = 0; 435 436 spin_lock(&x->lock); 437 if (x->km.state == XFRM_STATE_DEAD) 438 goto out; 439 if (x->km.state == XFRM_STATE_EXPIRED) 440 goto expired; 441 if (x->lft.hard_add_expires_seconds) { 442 long tmo = x->lft.hard_add_expires_seconds + 443 x->curlft.add_time - now; 444 if (tmo <= 0) 445 goto expired; 446 if (tmo < next) 447 next = tmo; 448 } 449 if (x->lft.hard_use_expires_seconds) { 450 long tmo = x->lft.hard_use_expires_seconds + 451 (x->curlft.use_time ? : now) - now; 452 if (tmo <= 0) 453 goto expired; 454 if (tmo < next) 455 next = tmo; 456 } 457 if (x->km.dying) 458 goto resched; 459 if (x->lft.soft_add_expires_seconds) { 460 long tmo = x->lft.soft_add_expires_seconds + 461 x->curlft.add_time - now; 462 if (tmo <= 0) 463 warn = 1; 464 else if (tmo < next) 465 next = tmo; 466 } 467 if (x->lft.soft_use_expires_seconds) { 468 long tmo = x->lft.soft_use_expires_seconds + 469 (x->curlft.use_time ? : now) - now; 470 if (tmo <= 0) 471 warn = 1; 472 else if (tmo < next) 473 next = tmo; 474 } 475 476 x->km.dying = warn; 477 if (warn) 478 km_state_expired(x, 0, 0); 479 resched: 480 if (next != LONG_MAX) 481 mod_timer(&x->timer, jiffies + make_jiffies(next)); 482 483 goto out; 484 485 expired: 486 if (x->km.state == XFRM_STATE_ACQ && x->id.spi == 0) { 487 x->km.state = XFRM_STATE_EXPIRED; 488 wake_up(&km_waitq); 489 next = 2; 490 goto resched; 491 } 492 493 err = __xfrm_state_delete(x); 494 if (!err && x->id.spi) 495 km_state_expired(x, 1, 0); 496 497 xfrm_audit_state_delete(x, err ? 0 : 1, 498 audit_get_loginuid(current), 0); 499 500 out: 501 spin_unlock(&x->lock); 502 } 503 504 static void xfrm_replay_timer_handler(unsigned long data); 505 506 struct xfrm_state *xfrm_state_alloc(void) 507 { 508 struct xfrm_state *x; 509 510 x = kzalloc(sizeof(struct xfrm_state), GFP_ATOMIC); 511 512 if (x) { 513 atomic_set(&x->refcnt, 1); 514 atomic_set(&x->tunnel_users, 0); 515 INIT_HLIST_NODE(&x->bydst); 516 INIT_HLIST_NODE(&x->bysrc); 517 INIT_HLIST_NODE(&x->byspi); 518 setup_timer(&x->timer, xfrm_timer_handler, (unsigned long)x); 519 setup_timer(&x->rtimer, xfrm_replay_timer_handler, 520 (unsigned long)x); 521 x->curlft.add_time = get_seconds(); 522 x->lft.soft_byte_limit = XFRM_INF; 523 x->lft.soft_packet_limit = XFRM_INF; 524 x->lft.hard_byte_limit = XFRM_INF; 525 x->lft.hard_packet_limit = XFRM_INF; 526 x->replay_maxage = 0; 527 x->replay_maxdiff = 0; 528 x->inner_mode = NULL; 529 x->inner_mode_iaf = NULL; 530 spin_lock_init(&x->lock); 531 } 532 return x; 533 } 534 EXPORT_SYMBOL(xfrm_state_alloc); 535 536 void __xfrm_state_destroy(struct xfrm_state *x) 537 { 538 BUG_TRAP(x->km.state == XFRM_STATE_DEAD); 539 540 spin_lock_bh(&xfrm_state_gc_lock); 541 hlist_add_head(&x->bydst, &xfrm_state_gc_list); 542 spin_unlock_bh(&xfrm_state_gc_lock); 543 schedule_work(&xfrm_state_gc_work); 544 } 545 EXPORT_SYMBOL(__xfrm_state_destroy); 546 547 int __xfrm_state_delete(struct xfrm_state *x) 548 { 549 int err = -ESRCH; 550 551 if (x->km.state != XFRM_STATE_DEAD) { 552 x->km.state = XFRM_STATE_DEAD; 553 spin_lock(&xfrm_state_lock); 554 hlist_del(&x->bydst); 555 hlist_del(&x->bysrc); 556 if (x->id.spi) 557 hlist_del(&x->byspi); 558 xfrm_state_num--; 559 spin_unlock(&xfrm_state_lock); 560 561 /* All xfrm_state objects are created by xfrm_state_alloc. 562 * The xfrm_state_alloc call gives a reference, and that 563 * is what we are dropping here. 564 */ 565 xfrm_state_put(x); 566 err = 0; 567 } 568 569 return err; 570 } 571 EXPORT_SYMBOL(__xfrm_state_delete); 572 573 int xfrm_state_delete(struct xfrm_state *x) 574 { 575 int err; 576 577 spin_lock_bh(&x->lock); 578 err = __xfrm_state_delete(x); 579 spin_unlock_bh(&x->lock); 580 581 return err; 582 } 583 EXPORT_SYMBOL(xfrm_state_delete); 584 585 #ifdef CONFIG_SECURITY_NETWORK_XFRM 586 static inline int 587 xfrm_state_flush_secctx_check(u8 proto, struct xfrm_audit *audit_info) 588 { 589 int i, err = 0; 590 591 for (i = 0; i <= xfrm_state_hmask; i++) { 592 struct hlist_node *entry; 593 struct xfrm_state *x; 594 595 hlist_for_each_entry(x, entry, xfrm_state_bydst+i, bydst) { 596 if (xfrm_id_proto_match(x->id.proto, proto) && 597 (err = security_xfrm_state_delete(x)) != 0) { 598 xfrm_audit_state_delete(x, 0, 599 audit_info->loginuid, 600 audit_info->secid); 601 return err; 602 } 603 } 604 } 605 606 return err; 607 } 608 #else 609 static inline int 610 xfrm_state_flush_secctx_check(u8 proto, struct xfrm_audit *audit_info) 611 { 612 return 0; 613 } 614 #endif 615 616 int xfrm_state_flush(u8 proto, struct xfrm_audit *audit_info) 617 { 618 int i, err = 0; 619 620 spin_lock_bh(&xfrm_state_lock); 621 err = xfrm_state_flush_secctx_check(proto, audit_info); 622 if (err) 623 goto out; 624 625 for (i = 0; i <= xfrm_state_hmask; i++) { 626 struct hlist_node *entry; 627 struct xfrm_state *x; 628 restart: 629 hlist_for_each_entry(x, entry, xfrm_state_bydst+i, bydst) { 630 if (!xfrm_state_kern(x) && 631 xfrm_id_proto_match(x->id.proto, proto)) { 632 xfrm_state_hold(x); 633 spin_unlock_bh(&xfrm_state_lock); 634 635 err = xfrm_state_delete(x); 636 xfrm_audit_state_delete(x, err ? 0 : 1, 637 audit_info->loginuid, 638 audit_info->secid); 639 xfrm_state_put(x); 640 641 spin_lock_bh(&xfrm_state_lock); 642 goto restart; 643 } 644 } 645 } 646 err = 0; 647 648 out: 649 spin_unlock_bh(&xfrm_state_lock); 650 wake_up(&km_waitq); 651 return err; 652 } 653 EXPORT_SYMBOL(xfrm_state_flush); 654 655 void xfrm_sad_getinfo(struct xfrmk_sadinfo *si) 656 { 657 spin_lock_bh(&xfrm_state_lock); 658 si->sadcnt = xfrm_state_num; 659 si->sadhcnt = xfrm_state_hmask; 660 si->sadhmcnt = xfrm_state_hashmax; 661 spin_unlock_bh(&xfrm_state_lock); 662 } 663 EXPORT_SYMBOL(xfrm_sad_getinfo); 664 665 static int 666 xfrm_init_tempsel(struct xfrm_state *x, struct flowi *fl, 667 struct xfrm_tmpl *tmpl, 668 xfrm_address_t *daddr, xfrm_address_t *saddr, 669 unsigned short family) 670 { 671 struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family); 672 if (!afinfo) 673 return -1; 674 afinfo->init_tempsel(x, fl, tmpl, daddr, saddr); 675 xfrm_state_put_afinfo(afinfo); 676 return 0; 677 } 678 679 static struct xfrm_state *__xfrm_state_lookup(xfrm_address_t *daddr, __be32 spi, u8 proto, unsigned short family) 680 { 681 unsigned int h = xfrm_spi_hash(daddr, spi, proto, family); 682 struct xfrm_state *x; 683 struct hlist_node *entry; 684 685 hlist_for_each_entry(x, entry, xfrm_state_byspi+h, byspi) { 686 if (x->props.family != family || 687 x->id.spi != spi || 688 x->id.proto != proto) 689 continue; 690 691 switch (family) { 692 case AF_INET: 693 if (x->id.daddr.a4 != daddr->a4) 694 continue; 695 break; 696 case AF_INET6: 697 if (!ipv6_addr_equal((struct in6_addr *)daddr, 698 (struct in6_addr *) 699 x->id.daddr.a6)) 700 continue; 701 break; 702 } 703 704 xfrm_state_hold(x); 705 return x; 706 } 707 708 return NULL; 709 } 710 711 static struct xfrm_state *__xfrm_state_lookup_byaddr(xfrm_address_t *daddr, xfrm_address_t *saddr, u8 proto, unsigned short family) 712 { 713 unsigned int h = xfrm_src_hash(daddr, saddr, family); 714 struct xfrm_state *x; 715 struct hlist_node *entry; 716 717 hlist_for_each_entry(x, entry, xfrm_state_bysrc+h, bysrc) { 718 if (x->props.family != family || 719 x->id.proto != proto) 720 continue; 721 722 switch (family) { 723 case AF_INET: 724 if (x->id.daddr.a4 != daddr->a4 || 725 x->props.saddr.a4 != saddr->a4) 726 continue; 727 break; 728 case AF_INET6: 729 if (!ipv6_addr_equal((struct in6_addr *)daddr, 730 (struct in6_addr *) 731 x->id.daddr.a6) || 732 !ipv6_addr_equal((struct in6_addr *)saddr, 733 (struct in6_addr *) 734 x->props.saddr.a6)) 735 continue; 736 break; 737 } 738 739 xfrm_state_hold(x); 740 return x; 741 } 742 743 return NULL; 744 } 745 746 static inline struct xfrm_state * 747 __xfrm_state_locate(struct xfrm_state *x, int use_spi, int family) 748 { 749 if (use_spi) 750 return __xfrm_state_lookup(&x->id.daddr, x->id.spi, 751 x->id.proto, family); 752 else 753 return __xfrm_state_lookup_byaddr(&x->id.daddr, 754 &x->props.saddr, 755 x->id.proto, family); 756 } 757 758 static void xfrm_hash_grow_check(int have_hash_collision) 759 { 760 if (have_hash_collision && 761 (xfrm_state_hmask + 1) < xfrm_state_hashmax && 762 xfrm_state_num > xfrm_state_hmask) 763 schedule_work(&xfrm_hash_work); 764 } 765 766 struct xfrm_state * 767 xfrm_state_find(xfrm_address_t *daddr, xfrm_address_t *saddr, 768 struct flowi *fl, struct xfrm_tmpl *tmpl, 769 struct xfrm_policy *pol, int *err, 770 unsigned short family) 771 { 772 unsigned int h; 773 struct hlist_node *entry; 774 struct xfrm_state *x, *x0; 775 int acquire_in_progress = 0; 776 int error = 0; 777 struct xfrm_state *best = NULL; 778 779 spin_lock_bh(&xfrm_state_lock); 780 h = xfrm_dst_hash(daddr, saddr, tmpl->reqid, family); 781 hlist_for_each_entry(x, entry, xfrm_state_bydst+h, bydst) { 782 if (x->props.family == family && 783 x->props.reqid == tmpl->reqid && 784 !(x->props.flags & XFRM_STATE_WILDRECV) && 785 xfrm_state_addr_check(x, daddr, saddr, family) && 786 tmpl->mode == x->props.mode && 787 tmpl->id.proto == x->id.proto && 788 (tmpl->id.spi == x->id.spi || !tmpl->id.spi)) { 789 /* Resolution logic: 790 1. There is a valid state with matching selector. 791 Done. 792 2. Valid state with inappropriate selector. Skip. 793 794 Entering area of "sysdeps". 795 796 3. If state is not valid, selector is temporary, 797 it selects only session which triggered 798 previous resolution. Key manager will do 799 something to install a state with proper 800 selector. 801 */ 802 if (x->km.state == XFRM_STATE_VALID) { 803 if ((x->sel.family && !xfrm_selector_match(&x->sel, fl, x->sel.family)) || 804 !security_xfrm_state_pol_flow_match(x, pol, fl)) 805 continue; 806 if (!best || 807 best->km.dying > x->km.dying || 808 (best->km.dying == x->km.dying && 809 best->curlft.add_time < x->curlft.add_time)) 810 best = x; 811 } else if (x->km.state == XFRM_STATE_ACQ) { 812 acquire_in_progress = 1; 813 } else if (x->km.state == XFRM_STATE_ERROR || 814 x->km.state == XFRM_STATE_EXPIRED) { 815 if (xfrm_selector_match(&x->sel, fl, x->sel.family) && 816 security_xfrm_state_pol_flow_match(x, pol, fl)) 817 error = -ESRCH; 818 } 819 } 820 } 821 822 x = best; 823 if (!x && !error && !acquire_in_progress) { 824 if (tmpl->id.spi && 825 (x0 = __xfrm_state_lookup(daddr, tmpl->id.spi, 826 tmpl->id.proto, family)) != NULL) { 827 xfrm_state_put(x0); 828 error = -EEXIST; 829 goto out; 830 } 831 x = xfrm_state_alloc(); 832 if (x == NULL) { 833 error = -ENOMEM; 834 goto out; 835 } 836 /* Initialize temporary selector matching only 837 * to current session. */ 838 xfrm_init_tempsel(x, fl, tmpl, daddr, saddr, family); 839 840 error = security_xfrm_state_alloc_acquire(x, pol->security, fl->secid); 841 if (error) { 842 x->km.state = XFRM_STATE_DEAD; 843 xfrm_state_put(x); 844 x = NULL; 845 goto out; 846 } 847 848 if (km_query(x, tmpl, pol) == 0) { 849 x->km.state = XFRM_STATE_ACQ; 850 hlist_add_head(&x->bydst, xfrm_state_bydst+h); 851 h = xfrm_src_hash(daddr, saddr, family); 852 hlist_add_head(&x->bysrc, xfrm_state_bysrc+h); 853 if (x->id.spi) { 854 h = xfrm_spi_hash(&x->id.daddr, x->id.spi, x->id.proto, family); 855 hlist_add_head(&x->byspi, xfrm_state_byspi+h); 856 } 857 x->lft.hard_add_expires_seconds = sysctl_xfrm_acq_expires; 858 x->timer.expires = jiffies + sysctl_xfrm_acq_expires*HZ; 859 add_timer(&x->timer); 860 xfrm_state_num++; 861 xfrm_hash_grow_check(x->bydst.next != NULL); 862 } else { 863 x->km.state = XFRM_STATE_DEAD; 864 xfrm_state_put(x); 865 x = NULL; 866 error = -ESRCH; 867 } 868 } 869 out: 870 if (x) 871 xfrm_state_hold(x); 872 else 873 *err = acquire_in_progress ? -EAGAIN : error; 874 spin_unlock_bh(&xfrm_state_lock); 875 return x; 876 } 877 878 struct xfrm_state * 879 xfrm_stateonly_find(xfrm_address_t *daddr, xfrm_address_t *saddr, 880 unsigned short family, u8 mode, u8 proto, u32 reqid) 881 { 882 unsigned int h; 883 struct xfrm_state *rx = NULL, *x = NULL; 884 struct hlist_node *entry; 885 886 spin_lock(&xfrm_state_lock); 887 h = xfrm_dst_hash(daddr, saddr, reqid, family); 888 hlist_for_each_entry(x, entry, xfrm_state_bydst+h, bydst) { 889 if (x->props.family == family && 890 x->props.reqid == reqid && 891 !(x->props.flags & XFRM_STATE_WILDRECV) && 892 xfrm_state_addr_check(x, daddr, saddr, family) && 893 mode == x->props.mode && 894 proto == x->id.proto && 895 x->km.state == XFRM_STATE_VALID) { 896 rx = x; 897 break; 898 } 899 } 900 901 if (rx) 902 xfrm_state_hold(rx); 903 spin_unlock(&xfrm_state_lock); 904 905 906 return rx; 907 } 908 EXPORT_SYMBOL(xfrm_stateonly_find); 909 910 static void __xfrm_state_insert(struct xfrm_state *x) 911 { 912 unsigned int h; 913 914 x->genid = ++xfrm_state_genid; 915 916 h = xfrm_dst_hash(&x->id.daddr, &x->props.saddr, 917 x->props.reqid, x->props.family); 918 hlist_add_head(&x->bydst, xfrm_state_bydst+h); 919 920 h = xfrm_src_hash(&x->id.daddr, &x->props.saddr, x->props.family); 921 hlist_add_head(&x->bysrc, xfrm_state_bysrc+h); 922 923 if (x->id.spi) { 924 h = xfrm_spi_hash(&x->id.daddr, x->id.spi, x->id.proto, 925 x->props.family); 926 927 hlist_add_head(&x->byspi, xfrm_state_byspi+h); 928 } 929 930 mod_timer(&x->timer, jiffies + HZ); 931 if (x->replay_maxage) 932 mod_timer(&x->rtimer, jiffies + x->replay_maxage); 933 934 wake_up(&km_waitq); 935 936 xfrm_state_num++; 937 938 xfrm_hash_grow_check(x->bydst.next != NULL); 939 } 940 941 /* xfrm_state_lock is held */ 942 static void __xfrm_state_bump_genids(struct xfrm_state *xnew) 943 { 944 unsigned short family = xnew->props.family; 945 u32 reqid = xnew->props.reqid; 946 struct xfrm_state *x; 947 struct hlist_node *entry; 948 unsigned int h; 949 950 h = xfrm_dst_hash(&xnew->id.daddr, &xnew->props.saddr, reqid, family); 951 hlist_for_each_entry(x, entry, xfrm_state_bydst+h, bydst) { 952 if (x->props.family == family && 953 x->props.reqid == reqid && 954 !xfrm_addr_cmp(&x->id.daddr, &xnew->id.daddr, family) && 955 !xfrm_addr_cmp(&x->props.saddr, &xnew->props.saddr, family)) 956 x->genid = xfrm_state_genid; 957 } 958 } 959 960 void xfrm_state_insert(struct xfrm_state *x) 961 { 962 spin_lock_bh(&xfrm_state_lock); 963 __xfrm_state_bump_genids(x); 964 __xfrm_state_insert(x); 965 spin_unlock_bh(&xfrm_state_lock); 966 } 967 EXPORT_SYMBOL(xfrm_state_insert); 968 969 /* xfrm_state_lock is held */ 970 static struct xfrm_state *__find_acq_core(unsigned short family, u8 mode, u32 reqid, u8 proto, xfrm_address_t *daddr, xfrm_address_t *saddr, int create) 971 { 972 unsigned int h = xfrm_dst_hash(daddr, saddr, reqid, family); 973 struct hlist_node *entry; 974 struct xfrm_state *x; 975 976 hlist_for_each_entry(x, entry, xfrm_state_bydst+h, bydst) { 977 if (x->props.reqid != reqid || 978 x->props.mode != mode || 979 x->props.family != family || 980 x->km.state != XFRM_STATE_ACQ || 981 x->id.spi != 0 || 982 x->id.proto != proto) 983 continue; 984 985 switch (family) { 986 case AF_INET: 987 if (x->id.daddr.a4 != daddr->a4 || 988 x->props.saddr.a4 != saddr->a4) 989 continue; 990 break; 991 case AF_INET6: 992 if (!ipv6_addr_equal((struct in6_addr *)x->id.daddr.a6, 993 (struct in6_addr *)daddr) || 994 !ipv6_addr_equal((struct in6_addr *) 995 x->props.saddr.a6, 996 (struct in6_addr *)saddr)) 997 continue; 998 break; 999 } 1000 1001 xfrm_state_hold(x); 1002 return x; 1003 } 1004 1005 if (!create) 1006 return NULL; 1007 1008 x = xfrm_state_alloc(); 1009 if (likely(x)) { 1010 switch (family) { 1011 case AF_INET: 1012 x->sel.daddr.a4 = daddr->a4; 1013 x->sel.saddr.a4 = saddr->a4; 1014 x->sel.prefixlen_d = 32; 1015 x->sel.prefixlen_s = 32; 1016 x->props.saddr.a4 = saddr->a4; 1017 x->id.daddr.a4 = daddr->a4; 1018 break; 1019 1020 case AF_INET6: 1021 ipv6_addr_copy((struct in6_addr *)x->sel.daddr.a6, 1022 (struct in6_addr *)daddr); 1023 ipv6_addr_copy((struct in6_addr *)x->sel.saddr.a6, 1024 (struct in6_addr *)saddr); 1025 x->sel.prefixlen_d = 128; 1026 x->sel.prefixlen_s = 128; 1027 ipv6_addr_copy((struct in6_addr *)x->props.saddr.a6, 1028 (struct in6_addr *)saddr); 1029 ipv6_addr_copy((struct in6_addr *)x->id.daddr.a6, 1030 (struct in6_addr *)daddr); 1031 break; 1032 } 1033 1034 x->km.state = XFRM_STATE_ACQ; 1035 x->id.proto = proto; 1036 x->props.family = family; 1037 x->props.mode = mode; 1038 x->props.reqid = reqid; 1039 x->lft.hard_add_expires_seconds = sysctl_xfrm_acq_expires; 1040 xfrm_state_hold(x); 1041 x->timer.expires = jiffies + sysctl_xfrm_acq_expires*HZ; 1042 add_timer(&x->timer); 1043 hlist_add_head(&x->bydst, xfrm_state_bydst+h); 1044 h = xfrm_src_hash(daddr, saddr, family); 1045 hlist_add_head(&x->bysrc, xfrm_state_bysrc+h); 1046 1047 xfrm_state_num++; 1048 1049 xfrm_hash_grow_check(x->bydst.next != NULL); 1050 } 1051 1052 return x; 1053 } 1054 1055 static struct xfrm_state *__xfrm_find_acq_byseq(u32 seq); 1056 1057 int xfrm_state_add(struct xfrm_state *x) 1058 { 1059 struct xfrm_state *x1; 1060 int family; 1061 int err; 1062 int use_spi = xfrm_id_proto_match(x->id.proto, IPSEC_PROTO_ANY); 1063 1064 family = x->props.family; 1065 1066 spin_lock_bh(&xfrm_state_lock); 1067 1068 x1 = __xfrm_state_locate(x, use_spi, family); 1069 if (x1) { 1070 xfrm_state_put(x1); 1071 x1 = NULL; 1072 err = -EEXIST; 1073 goto out; 1074 } 1075 1076 if (use_spi && x->km.seq) { 1077 x1 = __xfrm_find_acq_byseq(x->km.seq); 1078 if (x1 && ((x1->id.proto != x->id.proto) || 1079 xfrm_addr_cmp(&x1->id.daddr, &x->id.daddr, family))) { 1080 xfrm_state_put(x1); 1081 x1 = NULL; 1082 } 1083 } 1084 1085 if (use_spi && !x1) 1086 x1 = __find_acq_core(family, x->props.mode, x->props.reqid, 1087 x->id.proto, 1088 &x->id.daddr, &x->props.saddr, 0); 1089 1090 __xfrm_state_bump_genids(x); 1091 __xfrm_state_insert(x); 1092 err = 0; 1093 1094 out: 1095 spin_unlock_bh(&xfrm_state_lock); 1096 1097 if (x1) { 1098 xfrm_state_delete(x1); 1099 xfrm_state_put(x1); 1100 } 1101 1102 return err; 1103 } 1104 EXPORT_SYMBOL(xfrm_state_add); 1105 1106 #ifdef CONFIG_XFRM_MIGRATE 1107 static struct xfrm_state *xfrm_state_clone(struct xfrm_state *orig, int *errp) 1108 { 1109 int err = -ENOMEM; 1110 struct xfrm_state *x = xfrm_state_alloc(); 1111 if (!x) 1112 goto error; 1113 1114 memcpy(&x->id, &orig->id, sizeof(x->id)); 1115 memcpy(&x->sel, &orig->sel, sizeof(x->sel)); 1116 memcpy(&x->lft, &orig->lft, sizeof(x->lft)); 1117 x->props.mode = orig->props.mode; 1118 x->props.replay_window = orig->props.replay_window; 1119 x->props.reqid = orig->props.reqid; 1120 x->props.family = orig->props.family; 1121 x->props.saddr = orig->props.saddr; 1122 1123 if (orig->aalg) { 1124 x->aalg = xfrm_algo_clone(orig->aalg); 1125 if (!x->aalg) 1126 goto error; 1127 } 1128 x->props.aalgo = orig->props.aalgo; 1129 1130 if (orig->ealg) { 1131 x->ealg = xfrm_algo_clone(orig->ealg); 1132 if (!x->ealg) 1133 goto error; 1134 } 1135 x->props.ealgo = orig->props.ealgo; 1136 1137 if (orig->calg) { 1138 x->calg = xfrm_algo_clone(orig->calg); 1139 if (!x->calg) 1140 goto error; 1141 } 1142 x->props.calgo = orig->props.calgo; 1143 1144 if (orig->encap) { 1145 x->encap = kmemdup(orig->encap, sizeof(*x->encap), GFP_KERNEL); 1146 if (!x->encap) 1147 goto error; 1148 } 1149 1150 if (orig->coaddr) { 1151 x->coaddr = kmemdup(orig->coaddr, sizeof(*x->coaddr), 1152 GFP_KERNEL); 1153 if (!x->coaddr) 1154 goto error; 1155 } 1156 1157 err = xfrm_init_state(x); 1158 if (err) 1159 goto error; 1160 1161 x->props.flags = orig->props.flags; 1162 1163 x->curlft.add_time = orig->curlft.add_time; 1164 x->km.state = orig->km.state; 1165 x->km.seq = orig->km.seq; 1166 1167 return x; 1168 1169 error: 1170 if (errp) 1171 *errp = err; 1172 if (x) { 1173 kfree(x->aalg); 1174 kfree(x->ealg); 1175 kfree(x->calg); 1176 kfree(x->encap); 1177 kfree(x->coaddr); 1178 } 1179 kfree(x); 1180 return NULL; 1181 } 1182 1183 /* xfrm_state_lock is held */ 1184 struct xfrm_state * xfrm_migrate_state_find(struct xfrm_migrate *m) 1185 { 1186 unsigned int h; 1187 struct xfrm_state *x; 1188 struct hlist_node *entry; 1189 1190 if (m->reqid) { 1191 h = xfrm_dst_hash(&m->old_daddr, &m->old_saddr, 1192 m->reqid, m->old_family); 1193 hlist_for_each_entry(x, entry, xfrm_state_bydst+h, bydst) { 1194 if (x->props.mode != m->mode || 1195 x->id.proto != m->proto) 1196 continue; 1197 if (m->reqid && x->props.reqid != m->reqid) 1198 continue; 1199 if (xfrm_addr_cmp(&x->id.daddr, &m->old_daddr, 1200 m->old_family) || 1201 xfrm_addr_cmp(&x->props.saddr, &m->old_saddr, 1202 m->old_family)) 1203 continue; 1204 xfrm_state_hold(x); 1205 return x; 1206 } 1207 } else { 1208 h = xfrm_src_hash(&m->old_daddr, &m->old_saddr, 1209 m->old_family); 1210 hlist_for_each_entry(x, entry, xfrm_state_bysrc+h, bysrc) { 1211 if (x->props.mode != m->mode || 1212 x->id.proto != m->proto) 1213 continue; 1214 if (xfrm_addr_cmp(&x->id.daddr, &m->old_daddr, 1215 m->old_family) || 1216 xfrm_addr_cmp(&x->props.saddr, &m->old_saddr, 1217 m->old_family)) 1218 continue; 1219 xfrm_state_hold(x); 1220 return x; 1221 } 1222 } 1223 1224 return NULL; 1225 } 1226 EXPORT_SYMBOL(xfrm_migrate_state_find); 1227 1228 struct xfrm_state * xfrm_state_migrate(struct xfrm_state *x, 1229 struct xfrm_migrate *m) 1230 { 1231 struct xfrm_state *xc; 1232 int err; 1233 1234 xc = xfrm_state_clone(x, &err); 1235 if (!xc) 1236 return NULL; 1237 1238 memcpy(&xc->id.daddr, &m->new_daddr, sizeof(xc->id.daddr)); 1239 memcpy(&xc->props.saddr, &m->new_saddr, sizeof(xc->props.saddr)); 1240 1241 /* add state */ 1242 if (!xfrm_addr_cmp(&x->id.daddr, &m->new_daddr, m->new_family)) { 1243 /* a care is needed when the destination address of the 1244 state is to be updated as it is a part of triplet */ 1245 xfrm_state_insert(xc); 1246 } else { 1247 if ((err = xfrm_state_add(xc)) < 0) 1248 goto error; 1249 } 1250 1251 return xc; 1252 error: 1253 kfree(xc); 1254 return NULL; 1255 } 1256 EXPORT_SYMBOL(xfrm_state_migrate); 1257 #endif 1258 1259 int xfrm_state_update(struct xfrm_state *x) 1260 { 1261 struct xfrm_state *x1; 1262 int err; 1263 int use_spi = xfrm_id_proto_match(x->id.proto, IPSEC_PROTO_ANY); 1264 1265 spin_lock_bh(&xfrm_state_lock); 1266 x1 = __xfrm_state_locate(x, use_spi, x->props.family); 1267 1268 err = -ESRCH; 1269 if (!x1) 1270 goto out; 1271 1272 if (xfrm_state_kern(x1)) { 1273 xfrm_state_put(x1); 1274 err = -EEXIST; 1275 goto out; 1276 } 1277 1278 if (x1->km.state == XFRM_STATE_ACQ) { 1279 __xfrm_state_insert(x); 1280 x = NULL; 1281 } 1282 err = 0; 1283 1284 out: 1285 spin_unlock_bh(&xfrm_state_lock); 1286 1287 if (err) 1288 return err; 1289 1290 if (!x) { 1291 xfrm_state_delete(x1); 1292 xfrm_state_put(x1); 1293 return 0; 1294 } 1295 1296 err = -EINVAL; 1297 spin_lock_bh(&x1->lock); 1298 if (likely(x1->km.state == XFRM_STATE_VALID)) { 1299 if (x->encap && x1->encap) 1300 memcpy(x1->encap, x->encap, sizeof(*x1->encap)); 1301 if (x->coaddr && x1->coaddr) { 1302 memcpy(x1->coaddr, x->coaddr, sizeof(*x1->coaddr)); 1303 } 1304 if (!use_spi && memcmp(&x1->sel, &x->sel, sizeof(x1->sel))) 1305 memcpy(&x1->sel, &x->sel, sizeof(x1->sel)); 1306 memcpy(&x1->lft, &x->lft, sizeof(x1->lft)); 1307 x1->km.dying = 0; 1308 1309 mod_timer(&x1->timer, jiffies + HZ); 1310 if (x1->curlft.use_time) 1311 xfrm_state_check_expire(x1); 1312 1313 err = 0; 1314 } 1315 spin_unlock_bh(&x1->lock); 1316 1317 xfrm_state_put(x1); 1318 1319 return err; 1320 } 1321 EXPORT_SYMBOL(xfrm_state_update); 1322 1323 int xfrm_state_check_expire(struct xfrm_state *x) 1324 { 1325 if (!x->curlft.use_time) 1326 x->curlft.use_time = get_seconds(); 1327 1328 if (x->km.state != XFRM_STATE_VALID) 1329 return -EINVAL; 1330 1331 if (x->curlft.bytes >= x->lft.hard_byte_limit || 1332 x->curlft.packets >= x->lft.hard_packet_limit) { 1333 x->km.state = XFRM_STATE_EXPIRED; 1334 mod_timer(&x->timer, jiffies); 1335 return -EINVAL; 1336 } 1337 1338 if (!x->km.dying && 1339 (x->curlft.bytes >= x->lft.soft_byte_limit || 1340 x->curlft.packets >= x->lft.soft_packet_limit)) { 1341 x->km.dying = 1; 1342 km_state_expired(x, 0, 0); 1343 } 1344 return 0; 1345 } 1346 EXPORT_SYMBOL(xfrm_state_check_expire); 1347 1348 struct xfrm_state * 1349 xfrm_state_lookup(xfrm_address_t *daddr, __be32 spi, u8 proto, 1350 unsigned short family) 1351 { 1352 struct xfrm_state *x; 1353 1354 spin_lock_bh(&xfrm_state_lock); 1355 x = __xfrm_state_lookup(daddr, spi, proto, family); 1356 spin_unlock_bh(&xfrm_state_lock); 1357 return x; 1358 } 1359 EXPORT_SYMBOL(xfrm_state_lookup); 1360 1361 struct xfrm_state * 1362 xfrm_state_lookup_byaddr(xfrm_address_t *daddr, xfrm_address_t *saddr, 1363 u8 proto, unsigned short family) 1364 { 1365 struct xfrm_state *x; 1366 1367 spin_lock_bh(&xfrm_state_lock); 1368 x = __xfrm_state_lookup_byaddr(daddr, saddr, proto, family); 1369 spin_unlock_bh(&xfrm_state_lock); 1370 return x; 1371 } 1372 EXPORT_SYMBOL(xfrm_state_lookup_byaddr); 1373 1374 struct xfrm_state * 1375 xfrm_find_acq(u8 mode, u32 reqid, u8 proto, 1376 xfrm_address_t *daddr, xfrm_address_t *saddr, 1377 int create, unsigned short family) 1378 { 1379 struct xfrm_state *x; 1380 1381 spin_lock_bh(&xfrm_state_lock); 1382 x = __find_acq_core(family, mode, reqid, proto, daddr, saddr, create); 1383 spin_unlock_bh(&xfrm_state_lock); 1384 1385 return x; 1386 } 1387 EXPORT_SYMBOL(xfrm_find_acq); 1388 1389 #ifdef CONFIG_XFRM_SUB_POLICY 1390 int 1391 xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, int n, 1392 unsigned short family) 1393 { 1394 int err = 0; 1395 struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family); 1396 if (!afinfo) 1397 return -EAFNOSUPPORT; 1398 1399 spin_lock_bh(&xfrm_state_lock); 1400 if (afinfo->tmpl_sort) 1401 err = afinfo->tmpl_sort(dst, src, n); 1402 spin_unlock_bh(&xfrm_state_lock); 1403 xfrm_state_put_afinfo(afinfo); 1404 return err; 1405 } 1406 EXPORT_SYMBOL(xfrm_tmpl_sort); 1407 1408 int 1409 xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src, int n, 1410 unsigned short family) 1411 { 1412 int err = 0; 1413 struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family); 1414 if (!afinfo) 1415 return -EAFNOSUPPORT; 1416 1417 spin_lock_bh(&xfrm_state_lock); 1418 if (afinfo->state_sort) 1419 err = afinfo->state_sort(dst, src, n); 1420 spin_unlock_bh(&xfrm_state_lock); 1421 xfrm_state_put_afinfo(afinfo); 1422 return err; 1423 } 1424 EXPORT_SYMBOL(xfrm_state_sort); 1425 #endif 1426 1427 /* Silly enough, but I'm lazy to build resolution list */ 1428 1429 static struct xfrm_state *__xfrm_find_acq_byseq(u32 seq) 1430 { 1431 int i; 1432 1433 for (i = 0; i <= xfrm_state_hmask; i++) { 1434 struct hlist_node *entry; 1435 struct xfrm_state *x; 1436 1437 hlist_for_each_entry(x, entry, xfrm_state_bydst+i, bydst) { 1438 if (x->km.seq == seq && 1439 x->km.state == XFRM_STATE_ACQ) { 1440 xfrm_state_hold(x); 1441 return x; 1442 } 1443 } 1444 } 1445 return NULL; 1446 } 1447 1448 struct xfrm_state *xfrm_find_acq_byseq(u32 seq) 1449 { 1450 struct xfrm_state *x; 1451 1452 spin_lock_bh(&xfrm_state_lock); 1453 x = __xfrm_find_acq_byseq(seq); 1454 spin_unlock_bh(&xfrm_state_lock); 1455 return x; 1456 } 1457 EXPORT_SYMBOL(xfrm_find_acq_byseq); 1458 1459 u32 xfrm_get_acqseq(void) 1460 { 1461 u32 res; 1462 static u32 acqseq; 1463 static DEFINE_SPINLOCK(acqseq_lock); 1464 1465 spin_lock_bh(&acqseq_lock); 1466 res = (++acqseq ? : ++acqseq); 1467 spin_unlock_bh(&acqseq_lock); 1468 return res; 1469 } 1470 EXPORT_SYMBOL(xfrm_get_acqseq); 1471 1472 int xfrm_alloc_spi(struct xfrm_state *x, u32 low, u32 high) 1473 { 1474 unsigned int h; 1475 struct xfrm_state *x0; 1476 int err = -ENOENT; 1477 __be32 minspi = htonl(low); 1478 __be32 maxspi = htonl(high); 1479 1480 spin_lock_bh(&x->lock); 1481 if (x->km.state == XFRM_STATE_DEAD) 1482 goto unlock; 1483 1484 err = 0; 1485 if (x->id.spi) 1486 goto unlock; 1487 1488 err = -ENOENT; 1489 1490 if (minspi == maxspi) { 1491 x0 = xfrm_state_lookup(&x->id.daddr, minspi, x->id.proto, x->props.family); 1492 if (x0) { 1493 xfrm_state_put(x0); 1494 goto unlock; 1495 } 1496 x->id.spi = minspi; 1497 } else { 1498 u32 spi = 0; 1499 for (h=0; h<high-low+1; h++) { 1500 spi = low + net_random()%(high-low+1); 1501 x0 = xfrm_state_lookup(&x->id.daddr, htonl(spi), x->id.proto, x->props.family); 1502 if (x0 == NULL) { 1503 x->id.spi = htonl(spi); 1504 break; 1505 } 1506 xfrm_state_put(x0); 1507 } 1508 } 1509 if (x->id.spi) { 1510 spin_lock_bh(&xfrm_state_lock); 1511 h = xfrm_spi_hash(&x->id.daddr, x->id.spi, x->id.proto, x->props.family); 1512 hlist_add_head(&x->byspi, xfrm_state_byspi+h); 1513 spin_unlock_bh(&xfrm_state_lock); 1514 1515 err = 0; 1516 } 1517 1518 unlock: 1519 spin_unlock_bh(&x->lock); 1520 1521 return err; 1522 } 1523 EXPORT_SYMBOL(xfrm_alloc_spi); 1524 1525 int xfrm_state_walk(u8 proto, int (*func)(struct xfrm_state *, int, void*), 1526 void *data) 1527 { 1528 int i; 1529 struct xfrm_state *x, *last = NULL; 1530 struct hlist_node *entry; 1531 int count = 0; 1532 int err = 0; 1533 1534 spin_lock_bh(&xfrm_state_lock); 1535 for (i = 0; i <= xfrm_state_hmask; i++) { 1536 hlist_for_each_entry(x, entry, xfrm_state_bydst+i, bydst) { 1537 if (!xfrm_id_proto_match(x->id.proto, proto)) 1538 continue; 1539 if (last) { 1540 err = func(last, count, data); 1541 if (err) 1542 goto out; 1543 } 1544 last = x; 1545 count++; 1546 } 1547 } 1548 if (count == 0) { 1549 err = -ENOENT; 1550 goto out; 1551 } 1552 err = func(last, 0, data); 1553 out: 1554 spin_unlock_bh(&xfrm_state_lock); 1555 return err; 1556 } 1557 EXPORT_SYMBOL(xfrm_state_walk); 1558 1559 1560 void xfrm_replay_notify(struct xfrm_state *x, int event) 1561 { 1562 struct km_event c; 1563 /* we send notify messages in case 1564 * 1. we updated on of the sequence numbers, and the seqno difference 1565 * is at least x->replay_maxdiff, in this case we also update the 1566 * timeout of our timer function 1567 * 2. if x->replay_maxage has elapsed since last update, 1568 * and there were changes 1569 * 1570 * The state structure must be locked! 1571 */ 1572 1573 switch (event) { 1574 case XFRM_REPLAY_UPDATE: 1575 if (x->replay_maxdiff && 1576 (x->replay.seq - x->preplay.seq < x->replay_maxdiff) && 1577 (x->replay.oseq - x->preplay.oseq < x->replay_maxdiff)) { 1578 if (x->xflags & XFRM_TIME_DEFER) 1579 event = XFRM_REPLAY_TIMEOUT; 1580 else 1581 return; 1582 } 1583 1584 break; 1585 1586 case XFRM_REPLAY_TIMEOUT: 1587 if ((x->replay.seq == x->preplay.seq) && 1588 (x->replay.bitmap == x->preplay.bitmap) && 1589 (x->replay.oseq == x->preplay.oseq)) { 1590 x->xflags |= XFRM_TIME_DEFER; 1591 return; 1592 } 1593 1594 break; 1595 } 1596 1597 memcpy(&x->preplay, &x->replay, sizeof(struct xfrm_replay_state)); 1598 c.event = XFRM_MSG_NEWAE; 1599 c.data.aevent = event; 1600 km_state_notify(x, &c); 1601 1602 if (x->replay_maxage && 1603 !mod_timer(&x->rtimer, jiffies + x->replay_maxage)) 1604 x->xflags &= ~XFRM_TIME_DEFER; 1605 } 1606 1607 static void xfrm_replay_timer_handler(unsigned long data) 1608 { 1609 struct xfrm_state *x = (struct xfrm_state*)data; 1610 1611 spin_lock(&x->lock); 1612 1613 if (x->km.state == XFRM_STATE_VALID) { 1614 if (xfrm_aevent_is_on()) 1615 xfrm_replay_notify(x, XFRM_REPLAY_TIMEOUT); 1616 else 1617 x->xflags |= XFRM_TIME_DEFER; 1618 } 1619 1620 spin_unlock(&x->lock); 1621 } 1622 1623 int xfrm_replay_check(struct xfrm_state *x, 1624 struct sk_buff *skb, __be32 net_seq) 1625 { 1626 u32 diff; 1627 u32 seq = ntohl(net_seq); 1628 1629 if (unlikely(seq == 0)) 1630 goto err; 1631 1632 if (likely(seq > x->replay.seq)) 1633 return 0; 1634 1635 diff = x->replay.seq - seq; 1636 if (diff >= min_t(unsigned int, x->props.replay_window, 1637 sizeof(x->replay.bitmap) * 8)) { 1638 x->stats.replay_window++; 1639 goto err; 1640 } 1641 1642 if (x->replay.bitmap & (1U << diff)) { 1643 x->stats.replay++; 1644 goto err; 1645 } 1646 return 0; 1647 1648 err: 1649 xfrm_audit_state_replay(x, skb, net_seq); 1650 return -EINVAL; 1651 } 1652 1653 void xfrm_replay_advance(struct xfrm_state *x, __be32 net_seq) 1654 { 1655 u32 diff; 1656 u32 seq = ntohl(net_seq); 1657 1658 if (seq > x->replay.seq) { 1659 diff = seq - x->replay.seq; 1660 if (diff < x->props.replay_window) 1661 x->replay.bitmap = ((x->replay.bitmap) << diff) | 1; 1662 else 1663 x->replay.bitmap = 1; 1664 x->replay.seq = seq; 1665 } else { 1666 diff = x->replay.seq - seq; 1667 x->replay.bitmap |= (1U << diff); 1668 } 1669 1670 if (xfrm_aevent_is_on()) 1671 xfrm_replay_notify(x, XFRM_REPLAY_UPDATE); 1672 } 1673 1674 static LIST_HEAD(xfrm_km_list); 1675 static DEFINE_RWLOCK(xfrm_km_lock); 1676 1677 void km_policy_notify(struct xfrm_policy *xp, int dir, struct km_event *c) 1678 { 1679 struct xfrm_mgr *km; 1680 1681 read_lock(&xfrm_km_lock); 1682 list_for_each_entry(km, &xfrm_km_list, list) 1683 if (km->notify_policy) 1684 km->notify_policy(xp, dir, c); 1685 read_unlock(&xfrm_km_lock); 1686 } 1687 1688 void km_state_notify(struct xfrm_state *x, struct km_event *c) 1689 { 1690 struct xfrm_mgr *km; 1691 read_lock(&xfrm_km_lock); 1692 list_for_each_entry(km, &xfrm_km_list, list) 1693 if (km->notify) 1694 km->notify(x, c); 1695 read_unlock(&xfrm_km_lock); 1696 } 1697 1698 EXPORT_SYMBOL(km_policy_notify); 1699 EXPORT_SYMBOL(km_state_notify); 1700 1701 void km_state_expired(struct xfrm_state *x, int hard, u32 pid) 1702 { 1703 struct km_event c; 1704 1705 c.data.hard = hard; 1706 c.pid = pid; 1707 c.event = XFRM_MSG_EXPIRE; 1708 km_state_notify(x, &c); 1709 1710 if (hard) 1711 wake_up(&km_waitq); 1712 } 1713 1714 EXPORT_SYMBOL(km_state_expired); 1715 /* 1716 * We send to all registered managers regardless of failure 1717 * We are happy with one success 1718 */ 1719 int km_query(struct xfrm_state *x, struct xfrm_tmpl *t, struct xfrm_policy *pol) 1720 { 1721 int err = -EINVAL, acqret; 1722 struct xfrm_mgr *km; 1723 1724 read_lock(&xfrm_km_lock); 1725 list_for_each_entry(km, &xfrm_km_list, list) { 1726 acqret = km->acquire(x, t, pol, XFRM_POLICY_OUT); 1727 if (!acqret) 1728 err = acqret; 1729 } 1730 read_unlock(&xfrm_km_lock); 1731 return err; 1732 } 1733 EXPORT_SYMBOL(km_query); 1734 1735 int km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport) 1736 { 1737 int err = -EINVAL; 1738 struct xfrm_mgr *km; 1739 1740 read_lock(&xfrm_km_lock); 1741 list_for_each_entry(km, &xfrm_km_list, list) { 1742 if (km->new_mapping) 1743 err = km->new_mapping(x, ipaddr, sport); 1744 if (!err) 1745 break; 1746 } 1747 read_unlock(&xfrm_km_lock); 1748 return err; 1749 } 1750 EXPORT_SYMBOL(km_new_mapping); 1751 1752 void km_policy_expired(struct xfrm_policy *pol, int dir, int hard, u32 pid) 1753 { 1754 struct km_event c; 1755 1756 c.data.hard = hard; 1757 c.pid = pid; 1758 c.event = XFRM_MSG_POLEXPIRE; 1759 km_policy_notify(pol, dir, &c); 1760 1761 if (hard) 1762 wake_up(&km_waitq); 1763 } 1764 EXPORT_SYMBOL(km_policy_expired); 1765 1766 #ifdef CONFIG_XFRM_MIGRATE 1767 int km_migrate(struct xfrm_selector *sel, u8 dir, u8 type, 1768 struct xfrm_migrate *m, int num_migrate) 1769 { 1770 int err = -EINVAL; 1771 int ret; 1772 struct xfrm_mgr *km; 1773 1774 read_lock(&xfrm_km_lock); 1775 list_for_each_entry(km, &xfrm_km_list, list) { 1776 if (km->migrate) { 1777 ret = km->migrate(sel, dir, type, m, num_migrate); 1778 if (!ret) 1779 err = ret; 1780 } 1781 } 1782 read_unlock(&xfrm_km_lock); 1783 return err; 1784 } 1785 EXPORT_SYMBOL(km_migrate); 1786 #endif 1787 1788 int km_report(u8 proto, struct xfrm_selector *sel, xfrm_address_t *addr) 1789 { 1790 int err = -EINVAL; 1791 int ret; 1792 struct xfrm_mgr *km; 1793 1794 read_lock(&xfrm_km_lock); 1795 list_for_each_entry(km, &xfrm_km_list, list) { 1796 if (km->report) { 1797 ret = km->report(proto, sel, addr); 1798 if (!ret) 1799 err = ret; 1800 } 1801 } 1802 read_unlock(&xfrm_km_lock); 1803 return err; 1804 } 1805 EXPORT_SYMBOL(km_report); 1806 1807 int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen) 1808 { 1809 int err; 1810 u8 *data; 1811 struct xfrm_mgr *km; 1812 struct xfrm_policy *pol = NULL; 1813 1814 if (optlen <= 0 || optlen > PAGE_SIZE) 1815 return -EMSGSIZE; 1816 1817 data = kmalloc(optlen, GFP_KERNEL); 1818 if (!data) 1819 return -ENOMEM; 1820 1821 err = -EFAULT; 1822 if (copy_from_user(data, optval, optlen)) 1823 goto out; 1824 1825 err = -EINVAL; 1826 read_lock(&xfrm_km_lock); 1827 list_for_each_entry(km, &xfrm_km_list, list) { 1828 pol = km->compile_policy(sk, optname, data, 1829 optlen, &err); 1830 if (err >= 0) 1831 break; 1832 } 1833 read_unlock(&xfrm_km_lock); 1834 1835 if (err >= 0) { 1836 xfrm_sk_policy_insert(sk, err, pol); 1837 xfrm_pol_put(pol); 1838 err = 0; 1839 } 1840 1841 out: 1842 kfree(data); 1843 return err; 1844 } 1845 EXPORT_SYMBOL(xfrm_user_policy); 1846 1847 int xfrm_register_km(struct xfrm_mgr *km) 1848 { 1849 write_lock_bh(&xfrm_km_lock); 1850 list_add_tail(&km->list, &xfrm_km_list); 1851 write_unlock_bh(&xfrm_km_lock); 1852 return 0; 1853 } 1854 EXPORT_SYMBOL(xfrm_register_km); 1855 1856 int xfrm_unregister_km(struct xfrm_mgr *km) 1857 { 1858 write_lock_bh(&xfrm_km_lock); 1859 list_del(&km->list); 1860 write_unlock_bh(&xfrm_km_lock); 1861 return 0; 1862 } 1863 EXPORT_SYMBOL(xfrm_unregister_km); 1864 1865 int xfrm_state_register_afinfo(struct xfrm_state_afinfo *afinfo) 1866 { 1867 int err = 0; 1868 if (unlikely(afinfo == NULL)) 1869 return -EINVAL; 1870 if (unlikely(afinfo->family >= NPROTO)) 1871 return -EAFNOSUPPORT; 1872 write_lock_bh(&xfrm_state_afinfo_lock); 1873 if (unlikely(xfrm_state_afinfo[afinfo->family] != NULL)) 1874 err = -ENOBUFS; 1875 else 1876 xfrm_state_afinfo[afinfo->family] = afinfo; 1877 write_unlock_bh(&xfrm_state_afinfo_lock); 1878 return err; 1879 } 1880 EXPORT_SYMBOL(xfrm_state_register_afinfo); 1881 1882 int xfrm_state_unregister_afinfo(struct xfrm_state_afinfo *afinfo) 1883 { 1884 int err = 0; 1885 if (unlikely(afinfo == NULL)) 1886 return -EINVAL; 1887 if (unlikely(afinfo->family >= NPROTO)) 1888 return -EAFNOSUPPORT; 1889 write_lock_bh(&xfrm_state_afinfo_lock); 1890 if (likely(xfrm_state_afinfo[afinfo->family] != NULL)) { 1891 if (unlikely(xfrm_state_afinfo[afinfo->family] != afinfo)) 1892 err = -EINVAL; 1893 else 1894 xfrm_state_afinfo[afinfo->family] = NULL; 1895 } 1896 write_unlock_bh(&xfrm_state_afinfo_lock); 1897 return err; 1898 } 1899 EXPORT_SYMBOL(xfrm_state_unregister_afinfo); 1900 1901 static struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned int family) 1902 { 1903 struct xfrm_state_afinfo *afinfo; 1904 if (unlikely(family >= NPROTO)) 1905 return NULL; 1906 read_lock(&xfrm_state_afinfo_lock); 1907 afinfo = xfrm_state_afinfo[family]; 1908 if (unlikely(!afinfo)) 1909 read_unlock(&xfrm_state_afinfo_lock); 1910 return afinfo; 1911 } 1912 1913 static void xfrm_state_put_afinfo(struct xfrm_state_afinfo *afinfo) 1914 __releases(xfrm_state_afinfo_lock) 1915 { 1916 read_unlock(&xfrm_state_afinfo_lock); 1917 } 1918 1919 /* Temporarily located here until net/xfrm/xfrm_tunnel.c is created */ 1920 void xfrm_state_delete_tunnel(struct xfrm_state *x) 1921 { 1922 if (x->tunnel) { 1923 struct xfrm_state *t = x->tunnel; 1924 1925 if (atomic_read(&t->tunnel_users) == 2) 1926 xfrm_state_delete(t); 1927 atomic_dec(&t->tunnel_users); 1928 xfrm_state_put(t); 1929 x->tunnel = NULL; 1930 } 1931 } 1932 EXPORT_SYMBOL(xfrm_state_delete_tunnel); 1933 1934 int xfrm_state_mtu(struct xfrm_state *x, int mtu) 1935 { 1936 int res; 1937 1938 spin_lock_bh(&x->lock); 1939 if (x->km.state == XFRM_STATE_VALID && 1940 x->type && x->type->get_mtu) 1941 res = x->type->get_mtu(x, mtu); 1942 else 1943 res = mtu - x->props.header_len; 1944 spin_unlock_bh(&x->lock); 1945 return res; 1946 } 1947 1948 int xfrm_init_state(struct xfrm_state *x) 1949 { 1950 struct xfrm_state_afinfo *afinfo; 1951 struct xfrm_mode *inner_mode; 1952 int family = x->props.family; 1953 int err; 1954 1955 err = -EAFNOSUPPORT; 1956 afinfo = xfrm_state_get_afinfo(family); 1957 if (!afinfo) 1958 goto error; 1959 1960 err = 0; 1961 if (afinfo->init_flags) 1962 err = afinfo->init_flags(x); 1963 1964 xfrm_state_put_afinfo(afinfo); 1965 1966 if (err) 1967 goto error; 1968 1969 err = -EPROTONOSUPPORT; 1970 1971 if (x->sel.family != AF_UNSPEC) { 1972 inner_mode = xfrm_get_mode(x->props.mode, x->sel.family); 1973 if (inner_mode == NULL) 1974 goto error; 1975 1976 if (!(inner_mode->flags & XFRM_MODE_FLAG_TUNNEL) && 1977 family != x->sel.family) { 1978 xfrm_put_mode(inner_mode); 1979 goto error; 1980 } 1981 1982 x->inner_mode = inner_mode; 1983 } else { 1984 struct xfrm_mode *inner_mode_iaf; 1985 1986 inner_mode = xfrm_get_mode(x->props.mode, AF_INET); 1987 if (inner_mode == NULL) 1988 goto error; 1989 1990 if (!(inner_mode->flags & XFRM_MODE_FLAG_TUNNEL)) { 1991 xfrm_put_mode(inner_mode); 1992 goto error; 1993 } 1994 1995 inner_mode_iaf = xfrm_get_mode(x->props.mode, AF_INET6); 1996 if (inner_mode_iaf == NULL) 1997 goto error; 1998 1999 if (!(inner_mode_iaf->flags & XFRM_MODE_FLAG_TUNNEL)) { 2000 xfrm_put_mode(inner_mode_iaf); 2001 goto error; 2002 } 2003 2004 if (x->props.family == AF_INET) { 2005 x->inner_mode = inner_mode; 2006 x->inner_mode_iaf = inner_mode_iaf; 2007 } else { 2008 x->inner_mode = inner_mode_iaf; 2009 x->inner_mode_iaf = inner_mode; 2010 } 2011 } 2012 2013 x->type = xfrm_get_type(x->id.proto, family); 2014 if (x->type == NULL) 2015 goto error; 2016 2017 err = x->type->init_state(x); 2018 if (err) 2019 goto error; 2020 2021 x->outer_mode = xfrm_get_mode(x->props.mode, family); 2022 if (x->outer_mode == NULL) 2023 goto error; 2024 2025 x->km.state = XFRM_STATE_VALID; 2026 2027 error: 2028 return err; 2029 } 2030 2031 EXPORT_SYMBOL(xfrm_init_state); 2032 2033 void __init xfrm_state_init(void) 2034 { 2035 unsigned int sz; 2036 2037 sz = sizeof(struct hlist_head) * 8; 2038 2039 xfrm_state_bydst = xfrm_hash_alloc(sz); 2040 xfrm_state_bysrc = xfrm_hash_alloc(sz); 2041 xfrm_state_byspi = xfrm_hash_alloc(sz); 2042 if (!xfrm_state_bydst || !xfrm_state_bysrc || !xfrm_state_byspi) 2043 panic("XFRM: Cannot allocate bydst/bysrc/byspi hashes."); 2044 xfrm_state_hmask = ((sz / sizeof(struct hlist_head)) - 1); 2045 2046 INIT_WORK(&xfrm_state_gc_work, xfrm_state_gc_task); 2047 } 2048 2049 #ifdef CONFIG_AUDITSYSCALL 2050 static void xfrm_audit_helper_sainfo(struct xfrm_state *x, 2051 struct audit_buffer *audit_buf) 2052 { 2053 struct xfrm_sec_ctx *ctx = x->security; 2054 u32 spi = ntohl(x->id.spi); 2055 2056 if (ctx) 2057 audit_log_format(audit_buf, " sec_alg=%u sec_doi=%u sec_obj=%s", 2058 ctx->ctx_alg, ctx->ctx_doi, ctx->ctx_str); 2059 2060 switch(x->props.family) { 2061 case AF_INET: 2062 audit_log_format(audit_buf, 2063 " src=" NIPQUAD_FMT " dst=" NIPQUAD_FMT, 2064 NIPQUAD(x->props.saddr.a4), 2065 NIPQUAD(x->id.daddr.a4)); 2066 break; 2067 case AF_INET6: 2068 audit_log_format(audit_buf, 2069 " src=" NIP6_FMT " dst=" NIP6_FMT, 2070 NIP6(*(struct in6_addr *)x->props.saddr.a6), 2071 NIP6(*(struct in6_addr *)x->id.daddr.a6)); 2072 break; 2073 } 2074 2075 audit_log_format(audit_buf, " spi=%u(0x%x)", spi, spi); 2076 } 2077 2078 static void xfrm_audit_helper_pktinfo(struct sk_buff *skb, u16 family, 2079 struct audit_buffer *audit_buf) 2080 { 2081 struct iphdr *iph4; 2082 struct ipv6hdr *iph6; 2083 2084 switch (family) { 2085 case AF_INET: 2086 iph4 = ip_hdr(skb); 2087 audit_log_format(audit_buf, 2088 " src=" NIPQUAD_FMT " dst=" NIPQUAD_FMT, 2089 NIPQUAD(iph4->saddr), 2090 NIPQUAD(iph4->daddr)); 2091 break; 2092 case AF_INET6: 2093 iph6 = ipv6_hdr(skb); 2094 audit_log_format(audit_buf, 2095 " src=" NIP6_FMT " dst=" NIP6_FMT 2096 " flowlbl=0x%x%x%x", 2097 NIP6(iph6->saddr), 2098 NIP6(iph6->daddr), 2099 iph6->flow_lbl[0] & 0x0f, 2100 iph6->flow_lbl[1], 2101 iph6->flow_lbl[2]); 2102 break; 2103 } 2104 } 2105 2106 void xfrm_audit_state_add(struct xfrm_state *x, int result, 2107 u32 auid, u32 secid) 2108 { 2109 struct audit_buffer *audit_buf; 2110 2111 audit_buf = xfrm_audit_start("SAD-add"); 2112 if (audit_buf == NULL) 2113 return; 2114 xfrm_audit_helper_usrinfo(auid, secid, audit_buf); 2115 xfrm_audit_helper_sainfo(x, audit_buf); 2116 audit_log_format(audit_buf, " res=%u", result); 2117 audit_log_end(audit_buf); 2118 } 2119 EXPORT_SYMBOL_GPL(xfrm_audit_state_add); 2120 2121 void xfrm_audit_state_delete(struct xfrm_state *x, int result, 2122 u32 auid, u32 secid) 2123 { 2124 struct audit_buffer *audit_buf; 2125 2126 audit_buf = xfrm_audit_start("SAD-delete"); 2127 if (audit_buf == NULL) 2128 return; 2129 xfrm_audit_helper_usrinfo(auid, secid, audit_buf); 2130 xfrm_audit_helper_sainfo(x, audit_buf); 2131 audit_log_format(audit_buf, " res=%u", result); 2132 audit_log_end(audit_buf); 2133 } 2134 EXPORT_SYMBOL_GPL(xfrm_audit_state_delete); 2135 2136 void xfrm_audit_state_replay_overflow(struct xfrm_state *x, 2137 struct sk_buff *skb) 2138 { 2139 struct audit_buffer *audit_buf; 2140 u32 spi; 2141 2142 audit_buf = xfrm_audit_start("SA-replay-overflow"); 2143 if (audit_buf == NULL) 2144 return; 2145 xfrm_audit_helper_pktinfo(skb, x->props.family, audit_buf); 2146 /* don't record the sequence number because it's inherent in this kind 2147 * of audit message */ 2148 spi = ntohl(x->id.spi); 2149 audit_log_format(audit_buf, " spi=%u(0x%x)", spi, spi); 2150 audit_log_end(audit_buf); 2151 } 2152 EXPORT_SYMBOL_GPL(xfrm_audit_state_replay_overflow); 2153 2154 static void xfrm_audit_state_replay(struct xfrm_state *x, 2155 struct sk_buff *skb, __be32 net_seq) 2156 { 2157 struct audit_buffer *audit_buf; 2158 u32 spi; 2159 2160 audit_buf = xfrm_audit_start("SA-replayed-pkt"); 2161 if (audit_buf == NULL) 2162 return; 2163 xfrm_audit_helper_pktinfo(skb, x->props.family, audit_buf); 2164 spi = ntohl(x->id.spi); 2165 audit_log_format(audit_buf, " spi=%u(0x%x) seqno=%u", 2166 spi, spi, ntohl(net_seq)); 2167 audit_log_end(audit_buf); 2168 } 2169 2170 void xfrm_audit_state_notfound_simple(struct sk_buff *skb, u16 family) 2171 { 2172 struct audit_buffer *audit_buf; 2173 2174 audit_buf = xfrm_audit_start("SA-notfound"); 2175 if (audit_buf == NULL) 2176 return; 2177 xfrm_audit_helper_pktinfo(skb, family, audit_buf); 2178 audit_log_end(audit_buf); 2179 } 2180 EXPORT_SYMBOL_GPL(xfrm_audit_state_notfound_simple); 2181 2182 void xfrm_audit_state_notfound(struct sk_buff *skb, u16 family, 2183 __be32 net_spi, __be32 net_seq) 2184 { 2185 struct audit_buffer *audit_buf; 2186 u32 spi; 2187 2188 audit_buf = xfrm_audit_start("SA-notfound"); 2189 if (audit_buf == NULL) 2190 return; 2191 xfrm_audit_helper_pktinfo(skb, family, audit_buf); 2192 spi = ntohl(net_spi); 2193 audit_log_format(audit_buf, " spi=%u(0x%x) seqno=%u", 2194 spi, spi, ntohl(net_seq)); 2195 audit_log_end(audit_buf); 2196 } 2197 EXPORT_SYMBOL_GPL(xfrm_audit_state_notfound); 2198 2199 void xfrm_audit_state_icvfail(struct xfrm_state *x, 2200 struct sk_buff *skb, u8 proto) 2201 { 2202 struct audit_buffer *audit_buf; 2203 __be32 net_spi; 2204 __be32 net_seq; 2205 2206 audit_buf = xfrm_audit_start("SA-icv-failure"); 2207 if (audit_buf == NULL) 2208 return; 2209 xfrm_audit_helper_pktinfo(skb, x->props.family, audit_buf); 2210 if (xfrm_parse_spi(skb, proto, &net_spi, &net_seq) == 0) { 2211 u32 spi = ntohl(net_spi); 2212 audit_log_format(audit_buf, " spi=%u(0x%x) seqno=%u", 2213 spi, spi, ntohl(net_seq)); 2214 } 2215 audit_log_end(audit_buf); 2216 } 2217 EXPORT_SYMBOL_GPL(xfrm_audit_state_icvfail); 2218 #endif /* CONFIG_AUDITSYSCALL */ 2219