1 /* xfrm_user.c: User interface to configure xfrm engine. 2 * 3 * Copyright (C) 2002 David S. Miller (davem@redhat.com) 4 * 5 * Changes: 6 * Mitsuru KANDA @USAGI 7 * Kazunori MIYAZAWA @USAGI 8 * Kunihiro Ishiguro <kunihiro@ipinfusion.com> 9 * IPv6 support 10 * 11 */ 12 13 #include <linux/crypto.h> 14 #include <linux/module.h> 15 #include <linux/kernel.h> 16 #include <linux/types.h> 17 #include <linux/slab.h> 18 #include <linux/socket.h> 19 #include <linux/string.h> 20 #include <linux/net.h> 21 #include <linux/skbuff.h> 22 #include <linux/rtnetlink.h> 23 #include <linux/pfkeyv2.h> 24 #include <linux/ipsec.h> 25 #include <linux/init.h> 26 #include <linux/security.h> 27 #include <net/sock.h> 28 #include <net/xfrm.h> 29 #include <net/netlink.h> 30 #include <asm/uaccess.h> 31 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 32 #include <linux/in6.h> 33 #endif 34 #include <linux/audit.h> 35 36 static int verify_one_alg(struct rtattr **xfrma, enum xfrm_attr_type_t type) 37 { 38 struct rtattr *rt = xfrma[type - 1]; 39 struct xfrm_algo *algp; 40 int len; 41 42 if (!rt) 43 return 0; 44 45 len = (rt->rta_len - sizeof(*rt)) - sizeof(*algp); 46 if (len < 0) 47 return -EINVAL; 48 49 algp = RTA_DATA(rt); 50 51 len -= (algp->alg_key_len + 7U) / 8; 52 if (len < 0) 53 return -EINVAL; 54 55 switch (type) { 56 case XFRMA_ALG_AUTH: 57 if (!algp->alg_key_len && 58 strcmp(algp->alg_name, "digest_null") != 0) 59 return -EINVAL; 60 break; 61 62 case XFRMA_ALG_CRYPT: 63 if (!algp->alg_key_len && 64 strcmp(algp->alg_name, "cipher_null") != 0) 65 return -EINVAL; 66 break; 67 68 case XFRMA_ALG_COMP: 69 /* Zero length keys are legal. */ 70 break; 71 72 default: 73 return -EINVAL; 74 } 75 76 algp->alg_name[CRYPTO_MAX_ALG_NAME - 1] = '\0'; 77 return 0; 78 } 79 80 static int verify_encap_tmpl(struct rtattr **xfrma) 81 { 82 struct rtattr *rt = xfrma[XFRMA_ENCAP - 1]; 83 struct xfrm_encap_tmpl *encap; 84 85 if (!rt) 86 return 0; 87 88 if ((rt->rta_len - sizeof(*rt)) < sizeof(*encap)) 89 return -EINVAL; 90 91 return 0; 92 } 93 94 static int verify_one_addr(struct rtattr **xfrma, enum xfrm_attr_type_t type, 95 xfrm_address_t **addrp) 96 { 97 struct rtattr *rt = xfrma[type - 1]; 98 99 if (!rt) 100 return 0; 101 102 if ((rt->rta_len - sizeof(*rt)) < sizeof(**addrp)) 103 return -EINVAL; 104 105 if (addrp) 106 *addrp = RTA_DATA(rt); 107 108 return 0; 109 } 110 111 static inline int verify_sec_ctx_len(struct rtattr **xfrma) 112 { 113 struct rtattr *rt = xfrma[XFRMA_SEC_CTX - 1]; 114 struct xfrm_user_sec_ctx *uctx; 115 int len = 0; 116 117 if (!rt) 118 return 0; 119 120 if (rt->rta_len < sizeof(*uctx)) 121 return -EINVAL; 122 123 uctx = RTA_DATA(rt); 124 125 len += sizeof(struct xfrm_user_sec_ctx); 126 len += uctx->ctx_len; 127 128 if (uctx->len != len) 129 return -EINVAL; 130 131 return 0; 132 } 133 134 135 static int verify_newsa_info(struct xfrm_usersa_info *p, 136 struct rtattr **xfrma) 137 { 138 int err; 139 140 err = -EINVAL; 141 switch (p->family) { 142 case AF_INET: 143 break; 144 145 case AF_INET6: 146 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 147 break; 148 #else 149 err = -EAFNOSUPPORT; 150 goto out; 151 #endif 152 153 default: 154 goto out; 155 } 156 157 err = -EINVAL; 158 switch (p->id.proto) { 159 case IPPROTO_AH: 160 if (!xfrma[XFRMA_ALG_AUTH-1] || 161 xfrma[XFRMA_ALG_CRYPT-1] || 162 xfrma[XFRMA_ALG_COMP-1]) 163 goto out; 164 break; 165 166 case IPPROTO_ESP: 167 if ((!xfrma[XFRMA_ALG_AUTH-1] && 168 !xfrma[XFRMA_ALG_CRYPT-1]) || 169 xfrma[XFRMA_ALG_COMP-1]) 170 goto out; 171 break; 172 173 case IPPROTO_COMP: 174 if (!xfrma[XFRMA_ALG_COMP-1] || 175 xfrma[XFRMA_ALG_AUTH-1] || 176 xfrma[XFRMA_ALG_CRYPT-1]) 177 goto out; 178 break; 179 180 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 181 case IPPROTO_DSTOPTS: 182 case IPPROTO_ROUTING: 183 if (xfrma[XFRMA_ALG_COMP-1] || 184 xfrma[XFRMA_ALG_AUTH-1] || 185 xfrma[XFRMA_ALG_CRYPT-1] || 186 xfrma[XFRMA_ENCAP-1] || 187 xfrma[XFRMA_SEC_CTX-1] || 188 !xfrma[XFRMA_COADDR-1]) 189 goto out; 190 break; 191 #endif 192 193 default: 194 goto out; 195 } 196 197 if ((err = verify_one_alg(xfrma, XFRMA_ALG_AUTH))) 198 goto out; 199 if ((err = verify_one_alg(xfrma, XFRMA_ALG_CRYPT))) 200 goto out; 201 if ((err = verify_one_alg(xfrma, XFRMA_ALG_COMP))) 202 goto out; 203 if ((err = verify_encap_tmpl(xfrma))) 204 goto out; 205 if ((err = verify_sec_ctx_len(xfrma))) 206 goto out; 207 if ((err = verify_one_addr(xfrma, XFRMA_COADDR, NULL))) 208 goto out; 209 210 err = -EINVAL; 211 switch (p->mode) { 212 case XFRM_MODE_TRANSPORT: 213 case XFRM_MODE_TUNNEL: 214 case XFRM_MODE_ROUTEOPTIMIZATION: 215 case XFRM_MODE_BEET: 216 break; 217 218 default: 219 goto out; 220 } 221 222 err = 0; 223 224 out: 225 return err; 226 } 227 228 static int attach_one_algo(struct xfrm_algo **algpp, u8 *props, 229 struct xfrm_algo_desc *(*get_byname)(char *, int), 230 struct rtattr *u_arg) 231 { 232 struct rtattr *rta = u_arg; 233 struct xfrm_algo *p, *ualg; 234 struct xfrm_algo_desc *algo; 235 int len; 236 237 if (!rta) 238 return 0; 239 240 ualg = RTA_DATA(rta); 241 242 algo = get_byname(ualg->alg_name, 1); 243 if (!algo) 244 return -ENOSYS; 245 *props = algo->desc.sadb_alg_id; 246 247 len = sizeof(*ualg) + (ualg->alg_key_len + 7U) / 8; 248 p = kmemdup(ualg, len, GFP_KERNEL); 249 if (!p) 250 return -ENOMEM; 251 252 strcpy(p->alg_name, algo->name); 253 *algpp = p; 254 return 0; 255 } 256 257 static int attach_encap_tmpl(struct xfrm_encap_tmpl **encapp, struct rtattr *u_arg) 258 { 259 struct rtattr *rta = u_arg; 260 struct xfrm_encap_tmpl *p, *uencap; 261 262 if (!rta) 263 return 0; 264 265 uencap = RTA_DATA(rta); 266 p = kmemdup(uencap, sizeof(*p), GFP_KERNEL); 267 if (!p) 268 return -ENOMEM; 269 270 *encapp = p; 271 return 0; 272 } 273 274 275 static inline int xfrm_user_sec_ctx_size(struct xfrm_sec_ctx *xfrm_ctx) 276 { 277 int len = 0; 278 279 if (xfrm_ctx) { 280 len += sizeof(struct xfrm_user_sec_ctx); 281 len += xfrm_ctx->ctx_len; 282 } 283 return len; 284 } 285 286 static int attach_sec_ctx(struct xfrm_state *x, struct rtattr *u_arg) 287 { 288 struct xfrm_user_sec_ctx *uctx; 289 290 if (!u_arg) 291 return 0; 292 293 uctx = RTA_DATA(u_arg); 294 return security_xfrm_state_alloc(x, uctx); 295 } 296 297 static int attach_one_addr(xfrm_address_t **addrpp, struct rtattr *u_arg) 298 { 299 struct rtattr *rta = u_arg; 300 xfrm_address_t *p, *uaddrp; 301 302 if (!rta) 303 return 0; 304 305 uaddrp = RTA_DATA(rta); 306 p = kmemdup(uaddrp, sizeof(*p), GFP_KERNEL); 307 if (!p) 308 return -ENOMEM; 309 310 *addrpp = p; 311 return 0; 312 } 313 314 static void copy_from_user_state(struct xfrm_state *x, struct xfrm_usersa_info *p) 315 { 316 memcpy(&x->id, &p->id, sizeof(x->id)); 317 memcpy(&x->sel, &p->sel, sizeof(x->sel)); 318 memcpy(&x->lft, &p->lft, sizeof(x->lft)); 319 x->props.mode = p->mode; 320 x->props.replay_window = p->replay_window; 321 x->props.reqid = p->reqid; 322 x->props.family = p->family; 323 memcpy(&x->props.saddr, &p->saddr, sizeof(x->props.saddr)); 324 x->props.flags = p->flags; 325 326 /* 327 * Set inner address family if the KM left it as zero. 328 * See comment in validate_tmpl. 329 */ 330 if (!x->sel.family) 331 x->sel.family = p->family; 332 } 333 334 /* 335 * someday when pfkey also has support, we could have the code 336 * somehow made shareable and move it to xfrm_state.c - JHS 337 * 338 */ 339 static int xfrm_update_ae_params(struct xfrm_state *x, struct rtattr **xfrma) 340 { 341 int err = - EINVAL; 342 struct rtattr *rp = xfrma[XFRMA_REPLAY_VAL-1]; 343 struct rtattr *lt = xfrma[XFRMA_LTIME_VAL-1]; 344 struct rtattr *et = xfrma[XFRMA_ETIMER_THRESH-1]; 345 struct rtattr *rt = xfrma[XFRMA_REPLAY_THRESH-1]; 346 347 if (rp) { 348 struct xfrm_replay_state *replay; 349 if (RTA_PAYLOAD(rp) < sizeof(*replay)) 350 goto error; 351 replay = RTA_DATA(rp); 352 memcpy(&x->replay, replay, sizeof(*replay)); 353 memcpy(&x->preplay, replay, sizeof(*replay)); 354 } 355 356 if (lt) { 357 struct xfrm_lifetime_cur *ltime; 358 if (RTA_PAYLOAD(lt) < sizeof(*ltime)) 359 goto error; 360 ltime = RTA_DATA(lt); 361 x->curlft.bytes = ltime->bytes; 362 x->curlft.packets = ltime->packets; 363 x->curlft.add_time = ltime->add_time; 364 x->curlft.use_time = ltime->use_time; 365 } 366 367 if (et) { 368 if (RTA_PAYLOAD(et) < sizeof(u32)) 369 goto error; 370 x->replay_maxage = *(u32*)RTA_DATA(et); 371 } 372 373 if (rt) { 374 if (RTA_PAYLOAD(rt) < sizeof(u32)) 375 goto error; 376 x->replay_maxdiff = *(u32*)RTA_DATA(rt); 377 } 378 379 return 0; 380 error: 381 return err; 382 } 383 384 static struct xfrm_state *xfrm_state_construct(struct xfrm_usersa_info *p, 385 struct rtattr **xfrma, 386 int *errp) 387 { 388 struct xfrm_state *x = xfrm_state_alloc(); 389 int err = -ENOMEM; 390 391 if (!x) 392 goto error_no_put; 393 394 copy_from_user_state(x, p); 395 396 if ((err = attach_one_algo(&x->aalg, &x->props.aalgo, 397 xfrm_aalg_get_byname, 398 xfrma[XFRMA_ALG_AUTH-1]))) 399 goto error; 400 if ((err = attach_one_algo(&x->ealg, &x->props.ealgo, 401 xfrm_ealg_get_byname, 402 xfrma[XFRMA_ALG_CRYPT-1]))) 403 goto error; 404 if ((err = attach_one_algo(&x->calg, &x->props.calgo, 405 xfrm_calg_get_byname, 406 xfrma[XFRMA_ALG_COMP-1]))) 407 goto error; 408 if ((err = attach_encap_tmpl(&x->encap, xfrma[XFRMA_ENCAP-1]))) 409 goto error; 410 if ((err = attach_one_addr(&x->coaddr, xfrma[XFRMA_COADDR-1]))) 411 goto error; 412 err = xfrm_init_state(x); 413 if (err) 414 goto error; 415 416 if ((err = attach_sec_ctx(x, xfrma[XFRMA_SEC_CTX-1]))) 417 goto error; 418 419 x->km.seq = p->seq; 420 x->replay_maxdiff = sysctl_xfrm_aevent_rseqth; 421 /* sysctl_xfrm_aevent_etime is in 100ms units */ 422 x->replay_maxage = (sysctl_xfrm_aevent_etime*HZ)/XFRM_AE_ETH_M; 423 x->preplay.bitmap = 0; 424 x->preplay.seq = x->replay.seq+x->replay_maxdiff; 425 x->preplay.oseq = x->replay.oseq +x->replay_maxdiff; 426 427 /* override default values from above */ 428 429 err = xfrm_update_ae_params(x, (struct rtattr **)xfrma); 430 if (err < 0) 431 goto error; 432 433 return x; 434 435 error: 436 x->km.state = XFRM_STATE_DEAD; 437 xfrm_state_put(x); 438 error_no_put: 439 *errp = err; 440 return NULL; 441 } 442 443 static int xfrm_add_sa(struct sk_buff *skb, struct nlmsghdr *nlh, 444 struct rtattr **xfrma) 445 { 446 struct xfrm_usersa_info *p = nlmsg_data(nlh); 447 struct xfrm_state *x; 448 int err; 449 struct km_event c; 450 451 err = verify_newsa_info(p, xfrma); 452 if (err) 453 return err; 454 455 x = xfrm_state_construct(p, xfrma, &err); 456 if (!x) 457 return err; 458 459 xfrm_state_hold(x); 460 if (nlh->nlmsg_type == XFRM_MSG_NEWSA) 461 err = xfrm_state_add(x); 462 else 463 err = xfrm_state_update(x); 464 465 xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, 466 AUDIT_MAC_IPSEC_ADDSA, err ? 0 : 1, NULL, x); 467 468 if (err < 0) { 469 x->km.state = XFRM_STATE_DEAD; 470 __xfrm_state_put(x); 471 goto out; 472 } 473 474 c.seq = nlh->nlmsg_seq; 475 c.pid = nlh->nlmsg_pid; 476 c.event = nlh->nlmsg_type; 477 478 km_state_notify(x, &c); 479 out: 480 xfrm_state_put(x); 481 return err; 482 } 483 484 static struct xfrm_state *xfrm_user_state_lookup(struct xfrm_usersa_id *p, 485 struct rtattr **xfrma, 486 int *errp) 487 { 488 struct xfrm_state *x = NULL; 489 int err; 490 491 if (xfrm_id_proto_match(p->proto, IPSEC_PROTO_ANY)) { 492 err = -ESRCH; 493 x = xfrm_state_lookup(&p->daddr, p->spi, p->proto, p->family); 494 } else { 495 xfrm_address_t *saddr = NULL; 496 497 err = verify_one_addr(xfrma, XFRMA_SRCADDR, &saddr); 498 if (err) 499 goto out; 500 501 if (!saddr) { 502 err = -EINVAL; 503 goto out; 504 } 505 506 err = -ESRCH; 507 x = xfrm_state_lookup_byaddr(&p->daddr, saddr, p->proto, 508 p->family); 509 } 510 511 out: 512 if (!x && errp) 513 *errp = err; 514 return x; 515 } 516 517 static int xfrm_del_sa(struct sk_buff *skb, struct nlmsghdr *nlh, 518 struct rtattr **xfrma) 519 { 520 struct xfrm_state *x; 521 int err = -ESRCH; 522 struct km_event c; 523 struct xfrm_usersa_id *p = nlmsg_data(nlh); 524 525 x = xfrm_user_state_lookup(p, xfrma, &err); 526 if (x == NULL) 527 return err; 528 529 if ((err = security_xfrm_state_delete(x)) != 0) 530 goto out; 531 532 if (xfrm_state_kern(x)) { 533 err = -EPERM; 534 goto out; 535 } 536 537 err = xfrm_state_delete(x); 538 539 if (err < 0) 540 goto out; 541 542 c.seq = nlh->nlmsg_seq; 543 c.pid = nlh->nlmsg_pid; 544 c.event = nlh->nlmsg_type; 545 km_state_notify(x, &c); 546 547 out: 548 xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, 549 AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x); 550 xfrm_state_put(x); 551 return err; 552 } 553 554 static void copy_to_user_state(struct xfrm_state *x, struct xfrm_usersa_info *p) 555 { 556 memcpy(&p->id, &x->id, sizeof(p->id)); 557 memcpy(&p->sel, &x->sel, sizeof(p->sel)); 558 memcpy(&p->lft, &x->lft, sizeof(p->lft)); 559 memcpy(&p->curlft, &x->curlft, sizeof(p->curlft)); 560 memcpy(&p->stats, &x->stats, sizeof(p->stats)); 561 memcpy(&p->saddr, &x->props.saddr, sizeof(p->saddr)); 562 p->mode = x->props.mode; 563 p->replay_window = x->props.replay_window; 564 p->reqid = x->props.reqid; 565 p->family = x->props.family; 566 p->flags = x->props.flags; 567 p->seq = x->km.seq; 568 } 569 570 struct xfrm_dump_info { 571 struct sk_buff *in_skb; 572 struct sk_buff *out_skb; 573 u32 nlmsg_seq; 574 u16 nlmsg_flags; 575 int start_idx; 576 int this_idx; 577 }; 578 579 static int dump_one_state(struct xfrm_state *x, int count, void *ptr) 580 { 581 struct xfrm_dump_info *sp = ptr; 582 struct sk_buff *in_skb = sp->in_skb; 583 struct sk_buff *skb = sp->out_skb; 584 struct xfrm_usersa_info *p; 585 struct nlmsghdr *nlh; 586 587 if (sp->this_idx < sp->start_idx) 588 goto out; 589 590 nlh = nlmsg_put(skb, NETLINK_CB(in_skb).pid, sp->nlmsg_seq, 591 XFRM_MSG_NEWSA, sizeof(*p), sp->nlmsg_flags); 592 if (nlh == NULL) 593 return -EMSGSIZE; 594 595 p = nlmsg_data(nlh); 596 copy_to_user_state(x, p); 597 598 if (x->aalg) 599 RTA_PUT(skb, XFRMA_ALG_AUTH, 600 sizeof(*(x->aalg))+(x->aalg->alg_key_len+7)/8, x->aalg); 601 if (x->ealg) 602 RTA_PUT(skb, XFRMA_ALG_CRYPT, 603 sizeof(*(x->ealg))+(x->ealg->alg_key_len+7)/8, x->ealg); 604 if (x->calg) 605 RTA_PUT(skb, XFRMA_ALG_COMP, sizeof(*(x->calg)), x->calg); 606 607 if (x->encap) 608 RTA_PUT(skb, XFRMA_ENCAP, sizeof(*x->encap), x->encap); 609 610 if (x->security) { 611 int ctx_size = sizeof(struct xfrm_sec_ctx) + 612 x->security->ctx_len; 613 struct rtattr *rt = __RTA_PUT(skb, XFRMA_SEC_CTX, ctx_size); 614 struct xfrm_user_sec_ctx *uctx = RTA_DATA(rt); 615 616 uctx->exttype = XFRMA_SEC_CTX; 617 uctx->len = ctx_size; 618 uctx->ctx_doi = x->security->ctx_doi; 619 uctx->ctx_alg = x->security->ctx_alg; 620 uctx->ctx_len = x->security->ctx_len; 621 memcpy(uctx + 1, x->security->ctx_str, x->security->ctx_len); 622 } 623 624 if (x->coaddr) 625 RTA_PUT(skb, XFRMA_COADDR, sizeof(*x->coaddr), x->coaddr); 626 627 if (x->lastused) 628 RTA_PUT(skb, XFRMA_LASTUSED, sizeof(x->lastused), &x->lastused); 629 630 nlmsg_end(skb, nlh); 631 out: 632 sp->this_idx++; 633 return 0; 634 635 rtattr_failure: 636 nlmsg_cancel(skb, nlh); 637 return -EMSGSIZE; 638 } 639 640 static int xfrm_dump_sa(struct sk_buff *skb, struct netlink_callback *cb) 641 { 642 struct xfrm_dump_info info; 643 644 info.in_skb = cb->skb; 645 info.out_skb = skb; 646 info.nlmsg_seq = cb->nlh->nlmsg_seq; 647 info.nlmsg_flags = NLM_F_MULTI; 648 info.this_idx = 0; 649 info.start_idx = cb->args[0]; 650 (void) xfrm_state_walk(0, dump_one_state, &info); 651 cb->args[0] = info.this_idx; 652 653 return skb->len; 654 } 655 656 static struct sk_buff *xfrm_state_netlink(struct sk_buff *in_skb, 657 struct xfrm_state *x, u32 seq) 658 { 659 struct xfrm_dump_info info; 660 struct sk_buff *skb; 661 662 skb = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 663 if (!skb) 664 return ERR_PTR(-ENOMEM); 665 666 info.in_skb = in_skb; 667 info.out_skb = skb; 668 info.nlmsg_seq = seq; 669 info.nlmsg_flags = 0; 670 info.this_idx = info.start_idx = 0; 671 672 if (dump_one_state(x, 0, &info)) { 673 kfree_skb(skb); 674 return NULL; 675 } 676 677 return skb; 678 } 679 680 static int build_spdinfo(struct sk_buff *skb, u32 pid, u32 seq, u32 flags) 681 { 682 struct xfrmk_spdinfo si; 683 struct xfrmu_spdinfo spc; 684 struct xfrmu_spdhinfo sph; 685 struct nlmsghdr *nlh; 686 u32 *f; 687 688 nlh = nlmsg_put(skb, pid, seq, XFRM_MSG_NEWSPDINFO, sizeof(u32), 0); 689 if (nlh == NULL) /* shouldnt really happen ... */ 690 return -EMSGSIZE; 691 692 f = nlmsg_data(nlh); 693 *f = flags; 694 xfrm_spd_getinfo(&si); 695 spc.incnt = si.incnt; 696 spc.outcnt = si.outcnt; 697 spc.fwdcnt = si.fwdcnt; 698 spc.inscnt = si.inscnt; 699 spc.outscnt = si.outscnt; 700 spc.fwdscnt = si.fwdscnt; 701 sph.spdhcnt = si.spdhcnt; 702 sph.spdhmcnt = si.spdhmcnt; 703 704 NLA_PUT(skb, XFRMA_SPD_INFO, sizeof(spc), &spc); 705 NLA_PUT(skb, XFRMA_SPD_HINFO, sizeof(sph), &sph); 706 707 return nlmsg_end(skb, nlh); 708 709 nla_put_failure: 710 nlmsg_cancel(skb, nlh); 711 return -EMSGSIZE; 712 } 713 714 static int xfrm_get_spdinfo(struct sk_buff *skb, struct nlmsghdr *nlh, 715 struct rtattr **xfrma) 716 { 717 struct sk_buff *r_skb; 718 u32 *flags = nlmsg_data(nlh); 719 u32 spid = NETLINK_CB(skb).pid; 720 u32 seq = nlh->nlmsg_seq; 721 int len = NLMSG_LENGTH(sizeof(u32)); 722 723 len += RTA_SPACE(sizeof(struct xfrmu_spdinfo)); 724 len += RTA_SPACE(sizeof(struct xfrmu_spdhinfo)); 725 726 r_skb = alloc_skb(len, GFP_ATOMIC); 727 if (r_skb == NULL) 728 return -ENOMEM; 729 730 if (build_spdinfo(r_skb, spid, seq, *flags) < 0) 731 BUG(); 732 733 return nlmsg_unicast(xfrm_nl, r_skb, spid); 734 } 735 736 static int build_sadinfo(struct sk_buff *skb, u32 pid, u32 seq, u32 flags) 737 { 738 struct xfrmk_sadinfo si; 739 struct xfrmu_sadhinfo sh; 740 struct nlmsghdr *nlh; 741 u32 *f; 742 743 nlh = nlmsg_put(skb, pid, seq, XFRM_MSG_NEWSADINFO, sizeof(u32), 0); 744 if (nlh == NULL) /* shouldnt really happen ... */ 745 return -EMSGSIZE; 746 747 f = nlmsg_data(nlh); 748 *f = flags; 749 xfrm_sad_getinfo(&si); 750 751 sh.sadhmcnt = si.sadhmcnt; 752 sh.sadhcnt = si.sadhcnt; 753 754 NLA_PUT_U32(skb, XFRMA_SAD_CNT, si.sadcnt); 755 NLA_PUT(skb, XFRMA_SAD_HINFO, sizeof(sh), &sh); 756 757 return nlmsg_end(skb, nlh); 758 759 nla_put_failure: 760 nlmsg_cancel(skb, nlh); 761 return -EMSGSIZE; 762 } 763 764 static int xfrm_get_sadinfo(struct sk_buff *skb, struct nlmsghdr *nlh, 765 struct rtattr **xfrma) 766 { 767 struct sk_buff *r_skb; 768 u32 *flags = nlmsg_data(nlh); 769 u32 spid = NETLINK_CB(skb).pid; 770 u32 seq = nlh->nlmsg_seq; 771 int len = NLMSG_LENGTH(sizeof(u32)); 772 773 len += RTA_SPACE(sizeof(struct xfrmu_sadhinfo)); 774 len += RTA_SPACE(sizeof(u32)); 775 776 r_skb = alloc_skb(len, GFP_ATOMIC); 777 778 if (r_skb == NULL) 779 return -ENOMEM; 780 781 if (build_sadinfo(r_skb, spid, seq, *flags) < 0) 782 BUG(); 783 784 return nlmsg_unicast(xfrm_nl, r_skb, spid); 785 } 786 787 static int xfrm_get_sa(struct sk_buff *skb, struct nlmsghdr *nlh, 788 struct rtattr **xfrma) 789 { 790 struct xfrm_usersa_id *p = nlmsg_data(nlh); 791 struct xfrm_state *x; 792 struct sk_buff *resp_skb; 793 int err = -ESRCH; 794 795 x = xfrm_user_state_lookup(p, xfrma, &err); 796 if (x == NULL) 797 goto out_noput; 798 799 resp_skb = xfrm_state_netlink(skb, x, nlh->nlmsg_seq); 800 if (IS_ERR(resp_skb)) { 801 err = PTR_ERR(resp_skb); 802 } else { 803 err = netlink_unicast(xfrm_nl, resp_skb, 804 NETLINK_CB(skb).pid, MSG_DONTWAIT); 805 } 806 xfrm_state_put(x); 807 out_noput: 808 return err; 809 } 810 811 static int verify_userspi_info(struct xfrm_userspi_info *p) 812 { 813 switch (p->info.id.proto) { 814 case IPPROTO_AH: 815 case IPPROTO_ESP: 816 break; 817 818 case IPPROTO_COMP: 819 /* IPCOMP spi is 16-bits. */ 820 if (p->max >= 0x10000) 821 return -EINVAL; 822 break; 823 824 default: 825 return -EINVAL; 826 } 827 828 if (p->min > p->max) 829 return -EINVAL; 830 831 return 0; 832 } 833 834 static int xfrm_alloc_userspi(struct sk_buff *skb, struct nlmsghdr *nlh, 835 struct rtattr **xfrma) 836 { 837 struct xfrm_state *x; 838 struct xfrm_userspi_info *p; 839 struct sk_buff *resp_skb; 840 xfrm_address_t *daddr; 841 int family; 842 int err; 843 844 p = nlmsg_data(nlh); 845 err = verify_userspi_info(p); 846 if (err) 847 goto out_noput; 848 849 family = p->info.family; 850 daddr = &p->info.id.daddr; 851 852 x = NULL; 853 if (p->info.seq) { 854 x = xfrm_find_acq_byseq(p->info.seq); 855 if (x && xfrm_addr_cmp(&x->id.daddr, daddr, family)) { 856 xfrm_state_put(x); 857 x = NULL; 858 } 859 } 860 861 if (!x) 862 x = xfrm_find_acq(p->info.mode, p->info.reqid, 863 p->info.id.proto, daddr, 864 &p->info.saddr, 1, 865 family); 866 err = -ENOENT; 867 if (x == NULL) 868 goto out_noput; 869 870 resp_skb = ERR_PTR(-ENOENT); 871 872 spin_lock_bh(&x->lock); 873 if (x->km.state != XFRM_STATE_DEAD) { 874 xfrm_alloc_spi(x, htonl(p->min), htonl(p->max)); 875 if (x->id.spi) 876 resp_skb = xfrm_state_netlink(skb, x, nlh->nlmsg_seq); 877 } 878 spin_unlock_bh(&x->lock); 879 880 if (IS_ERR(resp_skb)) { 881 err = PTR_ERR(resp_skb); 882 goto out; 883 } 884 885 err = netlink_unicast(xfrm_nl, resp_skb, 886 NETLINK_CB(skb).pid, MSG_DONTWAIT); 887 888 out: 889 xfrm_state_put(x); 890 out_noput: 891 return err; 892 } 893 894 static int verify_policy_dir(u8 dir) 895 { 896 switch (dir) { 897 case XFRM_POLICY_IN: 898 case XFRM_POLICY_OUT: 899 case XFRM_POLICY_FWD: 900 break; 901 902 default: 903 return -EINVAL; 904 } 905 906 return 0; 907 } 908 909 static int verify_policy_type(u8 type) 910 { 911 switch (type) { 912 case XFRM_POLICY_TYPE_MAIN: 913 #ifdef CONFIG_XFRM_SUB_POLICY 914 case XFRM_POLICY_TYPE_SUB: 915 #endif 916 break; 917 918 default: 919 return -EINVAL; 920 } 921 922 return 0; 923 } 924 925 static int verify_newpolicy_info(struct xfrm_userpolicy_info *p) 926 { 927 switch (p->share) { 928 case XFRM_SHARE_ANY: 929 case XFRM_SHARE_SESSION: 930 case XFRM_SHARE_USER: 931 case XFRM_SHARE_UNIQUE: 932 break; 933 934 default: 935 return -EINVAL; 936 } 937 938 switch (p->action) { 939 case XFRM_POLICY_ALLOW: 940 case XFRM_POLICY_BLOCK: 941 break; 942 943 default: 944 return -EINVAL; 945 } 946 947 switch (p->sel.family) { 948 case AF_INET: 949 break; 950 951 case AF_INET6: 952 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 953 break; 954 #else 955 return -EAFNOSUPPORT; 956 #endif 957 958 default: 959 return -EINVAL; 960 } 961 962 return verify_policy_dir(p->dir); 963 } 964 965 static int copy_from_user_sec_ctx(struct xfrm_policy *pol, struct rtattr **xfrma) 966 { 967 struct rtattr *rt = xfrma[XFRMA_SEC_CTX-1]; 968 struct xfrm_user_sec_ctx *uctx; 969 970 if (!rt) 971 return 0; 972 973 uctx = RTA_DATA(rt); 974 return security_xfrm_policy_alloc(pol, uctx); 975 } 976 977 static void copy_templates(struct xfrm_policy *xp, struct xfrm_user_tmpl *ut, 978 int nr) 979 { 980 int i; 981 982 xp->xfrm_nr = nr; 983 for (i = 0; i < nr; i++, ut++) { 984 struct xfrm_tmpl *t = &xp->xfrm_vec[i]; 985 986 memcpy(&t->id, &ut->id, sizeof(struct xfrm_id)); 987 memcpy(&t->saddr, &ut->saddr, 988 sizeof(xfrm_address_t)); 989 t->reqid = ut->reqid; 990 t->mode = ut->mode; 991 t->share = ut->share; 992 t->optional = ut->optional; 993 t->aalgos = ut->aalgos; 994 t->ealgos = ut->ealgos; 995 t->calgos = ut->calgos; 996 t->encap_family = ut->family; 997 } 998 } 999 1000 static int validate_tmpl(int nr, struct xfrm_user_tmpl *ut, u16 family) 1001 { 1002 int i; 1003 1004 if (nr > XFRM_MAX_DEPTH) 1005 return -EINVAL; 1006 1007 for (i = 0; i < nr; i++) { 1008 /* We never validated the ut->family value, so many 1009 * applications simply leave it at zero. The check was 1010 * never made and ut->family was ignored because all 1011 * templates could be assumed to have the same family as 1012 * the policy itself. Now that we will have ipv4-in-ipv6 1013 * and ipv6-in-ipv4 tunnels, this is no longer true. 1014 */ 1015 if (!ut[i].family) 1016 ut[i].family = family; 1017 1018 switch (ut[i].family) { 1019 case AF_INET: 1020 break; 1021 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 1022 case AF_INET6: 1023 break; 1024 #endif 1025 default: 1026 return -EINVAL; 1027 } 1028 } 1029 1030 return 0; 1031 } 1032 1033 static int copy_from_user_tmpl(struct xfrm_policy *pol, struct rtattr **xfrma) 1034 { 1035 struct rtattr *rt = xfrma[XFRMA_TMPL-1]; 1036 1037 if (!rt) { 1038 pol->xfrm_nr = 0; 1039 } else { 1040 struct xfrm_user_tmpl *utmpl = RTA_DATA(rt); 1041 int nr = (rt->rta_len - sizeof(*rt)) / sizeof(*utmpl); 1042 int err; 1043 1044 err = validate_tmpl(nr, utmpl, pol->family); 1045 if (err) 1046 return err; 1047 1048 copy_templates(pol, RTA_DATA(rt), nr); 1049 } 1050 return 0; 1051 } 1052 1053 static int copy_from_user_policy_type(u8 *tp, struct rtattr **xfrma) 1054 { 1055 struct rtattr *rt = xfrma[XFRMA_POLICY_TYPE-1]; 1056 struct xfrm_userpolicy_type *upt; 1057 u8 type = XFRM_POLICY_TYPE_MAIN; 1058 int err; 1059 1060 if (rt) { 1061 if (rt->rta_len < sizeof(*upt)) 1062 return -EINVAL; 1063 1064 upt = RTA_DATA(rt); 1065 type = upt->type; 1066 } 1067 1068 err = verify_policy_type(type); 1069 if (err) 1070 return err; 1071 1072 *tp = type; 1073 return 0; 1074 } 1075 1076 static void copy_from_user_policy(struct xfrm_policy *xp, struct xfrm_userpolicy_info *p) 1077 { 1078 xp->priority = p->priority; 1079 xp->index = p->index; 1080 memcpy(&xp->selector, &p->sel, sizeof(xp->selector)); 1081 memcpy(&xp->lft, &p->lft, sizeof(xp->lft)); 1082 xp->action = p->action; 1083 xp->flags = p->flags; 1084 xp->family = p->sel.family; 1085 /* XXX xp->share = p->share; */ 1086 } 1087 1088 static void copy_to_user_policy(struct xfrm_policy *xp, struct xfrm_userpolicy_info *p, int dir) 1089 { 1090 memcpy(&p->sel, &xp->selector, sizeof(p->sel)); 1091 memcpy(&p->lft, &xp->lft, sizeof(p->lft)); 1092 memcpy(&p->curlft, &xp->curlft, sizeof(p->curlft)); 1093 p->priority = xp->priority; 1094 p->index = xp->index; 1095 p->sel.family = xp->family; 1096 p->dir = dir; 1097 p->action = xp->action; 1098 p->flags = xp->flags; 1099 p->share = XFRM_SHARE_ANY; /* XXX xp->share */ 1100 } 1101 1102 static struct xfrm_policy *xfrm_policy_construct(struct xfrm_userpolicy_info *p, struct rtattr **xfrma, int *errp) 1103 { 1104 struct xfrm_policy *xp = xfrm_policy_alloc(GFP_KERNEL); 1105 int err; 1106 1107 if (!xp) { 1108 *errp = -ENOMEM; 1109 return NULL; 1110 } 1111 1112 copy_from_user_policy(xp, p); 1113 1114 err = copy_from_user_policy_type(&xp->type, xfrma); 1115 if (err) 1116 goto error; 1117 1118 if (!(err = copy_from_user_tmpl(xp, xfrma))) 1119 err = copy_from_user_sec_ctx(xp, xfrma); 1120 if (err) 1121 goto error; 1122 1123 return xp; 1124 error: 1125 *errp = err; 1126 kfree(xp); 1127 return NULL; 1128 } 1129 1130 static int xfrm_add_policy(struct sk_buff *skb, struct nlmsghdr *nlh, 1131 struct rtattr **xfrma) 1132 { 1133 struct xfrm_userpolicy_info *p = nlmsg_data(nlh); 1134 struct xfrm_policy *xp; 1135 struct km_event c; 1136 int err; 1137 int excl; 1138 1139 err = verify_newpolicy_info(p); 1140 if (err) 1141 return err; 1142 err = verify_sec_ctx_len(xfrma); 1143 if (err) 1144 return err; 1145 1146 xp = xfrm_policy_construct(p, xfrma, &err); 1147 if (!xp) 1148 return err; 1149 1150 /* shouldnt excl be based on nlh flags?? 1151 * Aha! this is anti-netlink really i.e more pfkey derived 1152 * in netlink excl is a flag and you wouldnt need 1153 * a type XFRM_MSG_UPDPOLICY - JHS */ 1154 excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY; 1155 err = xfrm_policy_insert(p->dir, xp, excl); 1156 xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, 1157 AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL); 1158 1159 if (err) { 1160 security_xfrm_policy_free(xp); 1161 kfree(xp); 1162 return err; 1163 } 1164 1165 c.event = nlh->nlmsg_type; 1166 c.seq = nlh->nlmsg_seq; 1167 c.pid = nlh->nlmsg_pid; 1168 km_policy_notify(xp, p->dir, &c); 1169 1170 xfrm_pol_put(xp); 1171 1172 return 0; 1173 } 1174 1175 static int copy_to_user_tmpl(struct xfrm_policy *xp, struct sk_buff *skb) 1176 { 1177 struct xfrm_user_tmpl vec[XFRM_MAX_DEPTH]; 1178 int i; 1179 1180 if (xp->xfrm_nr == 0) 1181 return 0; 1182 1183 for (i = 0; i < xp->xfrm_nr; i++) { 1184 struct xfrm_user_tmpl *up = &vec[i]; 1185 struct xfrm_tmpl *kp = &xp->xfrm_vec[i]; 1186 1187 memcpy(&up->id, &kp->id, sizeof(up->id)); 1188 up->family = kp->encap_family; 1189 memcpy(&up->saddr, &kp->saddr, sizeof(up->saddr)); 1190 up->reqid = kp->reqid; 1191 up->mode = kp->mode; 1192 up->share = kp->share; 1193 up->optional = kp->optional; 1194 up->aalgos = kp->aalgos; 1195 up->ealgos = kp->ealgos; 1196 up->calgos = kp->calgos; 1197 } 1198 RTA_PUT(skb, XFRMA_TMPL, 1199 (sizeof(struct xfrm_user_tmpl) * xp->xfrm_nr), 1200 vec); 1201 1202 return 0; 1203 1204 rtattr_failure: 1205 return -1; 1206 } 1207 1208 static int copy_sec_ctx(struct xfrm_sec_ctx *s, struct sk_buff *skb) 1209 { 1210 int ctx_size = sizeof(struct xfrm_sec_ctx) + s->ctx_len; 1211 struct rtattr *rt = __RTA_PUT(skb, XFRMA_SEC_CTX, ctx_size); 1212 struct xfrm_user_sec_ctx *uctx = RTA_DATA(rt); 1213 1214 uctx->exttype = XFRMA_SEC_CTX; 1215 uctx->len = ctx_size; 1216 uctx->ctx_doi = s->ctx_doi; 1217 uctx->ctx_alg = s->ctx_alg; 1218 uctx->ctx_len = s->ctx_len; 1219 memcpy(uctx + 1, s->ctx_str, s->ctx_len); 1220 return 0; 1221 1222 rtattr_failure: 1223 return -1; 1224 } 1225 1226 static inline int copy_to_user_state_sec_ctx(struct xfrm_state *x, struct sk_buff *skb) 1227 { 1228 if (x->security) { 1229 return copy_sec_ctx(x->security, skb); 1230 } 1231 return 0; 1232 } 1233 1234 static inline int copy_to_user_sec_ctx(struct xfrm_policy *xp, struct sk_buff *skb) 1235 { 1236 if (xp->security) { 1237 return copy_sec_ctx(xp->security, skb); 1238 } 1239 return 0; 1240 } 1241 1242 #ifdef CONFIG_XFRM_SUB_POLICY 1243 static int copy_to_user_policy_type(u8 type, struct sk_buff *skb) 1244 { 1245 struct xfrm_userpolicy_type upt; 1246 1247 memset(&upt, 0, sizeof(upt)); 1248 upt.type = type; 1249 1250 RTA_PUT(skb, XFRMA_POLICY_TYPE, sizeof(upt), &upt); 1251 1252 return 0; 1253 1254 rtattr_failure: 1255 return -1; 1256 } 1257 1258 #else 1259 static inline int copy_to_user_policy_type(u8 type, struct sk_buff *skb) 1260 { 1261 return 0; 1262 } 1263 #endif 1264 1265 static int dump_one_policy(struct xfrm_policy *xp, int dir, int count, void *ptr) 1266 { 1267 struct xfrm_dump_info *sp = ptr; 1268 struct xfrm_userpolicy_info *p; 1269 struct sk_buff *in_skb = sp->in_skb; 1270 struct sk_buff *skb = sp->out_skb; 1271 struct nlmsghdr *nlh; 1272 1273 if (sp->this_idx < sp->start_idx) 1274 goto out; 1275 1276 nlh = nlmsg_put(skb, NETLINK_CB(in_skb).pid, sp->nlmsg_seq, 1277 XFRM_MSG_NEWPOLICY, sizeof(*p), sp->nlmsg_flags); 1278 if (nlh == NULL) 1279 return -EMSGSIZE; 1280 1281 p = nlmsg_data(nlh); 1282 copy_to_user_policy(xp, p, dir); 1283 if (copy_to_user_tmpl(xp, skb) < 0) 1284 goto nlmsg_failure; 1285 if (copy_to_user_sec_ctx(xp, skb)) 1286 goto nlmsg_failure; 1287 if (copy_to_user_policy_type(xp->type, skb) < 0) 1288 goto nlmsg_failure; 1289 1290 nlmsg_end(skb, nlh); 1291 out: 1292 sp->this_idx++; 1293 return 0; 1294 1295 nlmsg_failure: 1296 nlmsg_cancel(skb, nlh); 1297 return -EMSGSIZE; 1298 } 1299 1300 static int xfrm_dump_policy(struct sk_buff *skb, struct netlink_callback *cb) 1301 { 1302 struct xfrm_dump_info info; 1303 1304 info.in_skb = cb->skb; 1305 info.out_skb = skb; 1306 info.nlmsg_seq = cb->nlh->nlmsg_seq; 1307 info.nlmsg_flags = NLM_F_MULTI; 1308 info.this_idx = 0; 1309 info.start_idx = cb->args[0]; 1310 (void) xfrm_policy_walk(XFRM_POLICY_TYPE_MAIN, dump_one_policy, &info); 1311 #ifdef CONFIG_XFRM_SUB_POLICY 1312 (void) xfrm_policy_walk(XFRM_POLICY_TYPE_SUB, dump_one_policy, &info); 1313 #endif 1314 cb->args[0] = info.this_idx; 1315 1316 return skb->len; 1317 } 1318 1319 static struct sk_buff *xfrm_policy_netlink(struct sk_buff *in_skb, 1320 struct xfrm_policy *xp, 1321 int dir, u32 seq) 1322 { 1323 struct xfrm_dump_info info; 1324 struct sk_buff *skb; 1325 1326 skb = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL); 1327 if (!skb) 1328 return ERR_PTR(-ENOMEM); 1329 1330 info.in_skb = in_skb; 1331 info.out_skb = skb; 1332 info.nlmsg_seq = seq; 1333 info.nlmsg_flags = 0; 1334 info.this_idx = info.start_idx = 0; 1335 1336 if (dump_one_policy(xp, dir, 0, &info) < 0) { 1337 kfree_skb(skb); 1338 return NULL; 1339 } 1340 1341 return skb; 1342 } 1343 1344 static int xfrm_get_policy(struct sk_buff *skb, struct nlmsghdr *nlh, 1345 struct rtattr **xfrma) 1346 { 1347 struct xfrm_policy *xp; 1348 struct xfrm_userpolicy_id *p; 1349 u8 type = XFRM_POLICY_TYPE_MAIN; 1350 int err; 1351 struct km_event c; 1352 int delete; 1353 1354 p = nlmsg_data(nlh); 1355 delete = nlh->nlmsg_type == XFRM_MSG_DELPOLICY; 1356 1357 err = copy_from_user_policy_type(&type, xfrma); 1358 if (err) 1359 return err; 1360 1361 err = verify_policy_dir(p->dir); 1362 if (err) 1363 return err; 1364 1365 if (p->index) 1366 xp = xfrm_policy_byid(type, p->dir, p->index, delete, &err); 1367 else { 1368 struct rtattr *rt = xfrma[XFRMA_SEC_CTX-1]; 1369 struct xfrm_policy tmp; 1370 1371 err = verify_sec_ctx_len(xfrma); 1372 if (err) 1373 return err; 1374 1375 memset(&tmp, 0, sizeof(struct xfrm_policy)); 1376 if (rt) { 1377 struct xfrm_user_sec_ctx *uctx = RTA_DATA(rt); 1378 1379 if ((err = security_xfrm_policy_alloc(&tmp, uctx))) 1380 return err; 1381 } 1382 xp = xfrm_policy_bysel_ctx(type, p->dir, &p->sel, tmp.security, 1383 delete, &err); 1384 security_xfrm_policy_free(&tmp); 1385 } 1386 if (xp == NULL) 1387 return -ENOENT; 1388 1389 if (!delete) { 1390 struct sk_buff *resp_skb; 1391 1392 resp_skb = xfrm_policy_netlink(skb, xp, p->dir, nlh->nlmsg_seq); 1393 if (IS_ERR(resp_skb)) { 1394 err = PTR_ERR(resp_skb); 1395 } else { 1396 err = netlink_unicast(xfrm_nl, resp_skb, 1397 NETLINK_CB(skb).pid, 1398 MSG_DONTWAIT); 1399 } 1400 } else { 1401 xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, 1402 AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL); 1403 1404 if (err != 0) 1405 goto out; 1406 1407 c.data.byid = p->index; 1408 c.event = nlh->nlmsg_type; 1409 c.seq = nlh->nlmsg_seq; 1410 c.pid = nlh->nlmsg_pid; 1411 km_policy_notify(xp, p->dir, &c); 1412 } 1413 1414 out: 1415 xfrm_pol_put(xp); 1416 return err; 1417 } 1418 1419 static int xfrm_flush_sa(struct sk_buff *skb, struct nlmsghdr *nlh, 1420 struct rtattr **xfrma) 1421 { 1422 struct km_event c; 1423 struct xfrm_usersa_flush *p = nlmsg_data(nlh); 1424 struct xfrm_audit audit_info; 1425 int err; 1426 1427 audit_info.loginuid = NETLINK_CB(skb).loginuid; 1428 audit_info.secid = NETLINK_CB(skb).sid; 1429 err = xfrm_state_flush(p->proto, &audit_info); 1430 if (err) 1431 return err; 1432 c.data.proto = p->proto; 1433 c.event = nlh->nlmsg_type; 1434 c.seq = nlh->nlmsg_seq; 1435 c.pid = nlh->nlmsg_pid; 1436 km_state_notify(NULL, &c); 1437 1438 return 0; 1439 } 1440 1441 1442 static int build_aevent(struct sk_buff *skb, struct xfrm_state *x, struct km_event *c) 1443 { 1444 struct xfrm_aevent_id *id; 1445 struct nlmsghdr *nlh; 1446 struct xfrm_lifetime_cur ltime; 1447 1448 nlh = nlmsg_put(skb, c->pid, c->seq, XFRM_MSG_NEWAE, sizeof(*id), 0); 1449 if (nlh == NULL) 1450 return -EMSGSIZE; 1451 1452 id = nlmsg_data(nlh); 1453 memcpy(&id->sa_id.daddr, &x->id.daddr,sizeof(x->id.daddr)); 1454 id->sa_id.spi = x->id.spi; 1455 id->sa_id.family = x->props.family; 1456 id->sa_id.proto = x->id.proto; 1457 memcpy(&id->saddr, &x->props.saddr,sizeof(x->props.saddr)); 1458 id->reqid = x->props.reqid; 1459 id->flags = c->data.aevent; 1460 1461 RTA_PUT(skb, XFRMA_REPLAY_VAL, sizeof(x->replay), &x->replay); 1462 1463 ltime.bytes = x->curlft.bytes; 1464 ltime.packets = x->curlft.packets; 1465 ltime.add_time = x->curlft.add_time; 1466 ltime.use_time = x->curlft.use_time; 1467 1468 RTA_PUT(skb, XFRMA_LTIME_VAL, sizeof(struct xfrm_lifetime_cur), <ime); 1469 1470 if (id->flags&XFRM_AE_RTHR) { 1471 RTA_PUT(skb,XFRMA_REPLAY_THRESH,sizeof(u32),&x->replay_maxdiff); 1472 } 1473 1474 if (id->flags&XFRM_AE_ETHR) { 1475 u32 etimer = x->replay_maxage*10/HZ; 1476 RTA_PUT(skb,XFRMA_ETIMER_THRESH,sizeof(u32),&etimer); 1477 } 1478 1479 return nlmsg_end(skb, nlh); 1480 1481 rtattr_failure: 1482 nlmsg_cancel(skb, nlh); 1483 return -EMSGSIZE; 1484 } 1485 1486 static int xfrm_get_ae(struct sk_buff *skb, struct nlmsghdr *nlh, 1487 struct rtattr **xfrma) 1488 { 1489 struct xfrm_state *x; 1490 struct sk_buff *r_skb; 1491 int err; 1492 struct km_event c; 1493 struct xfrm_aevent_id *p = nlmsg_data(nlh); 1494 int len = NLMSG_LENGTH(sizeof(struct xfrm_aevent_id)); 1495 struct xfrm_usersa_id *id = &p->sa_id; 1496 1497 len += RTA_SPACE(sizeof(struct xfrm_replay_state)); 1498 len += RTA_SPACE(sizeof(struct xfrm_lifetime_cur)); 1499 1500 if (p->flags&XFRM_AE_RTHR) 1501 len+=RTA_SPACE(sizeof(u32)); 1502 1503 if (p->flags&XFRM_AE_ETHR) 1504 len+=RTA_SPACE(sizeof(u32)); 1505 1506 r_skb = alloc_skb(len, GFP_ATOMIC); 1507 if (r_skb == NULL) 1508 return -ENOMEM; 1509 1510 x = xfrm_state_lookup(&id->daddr, id->spi, id->proto, id->family); 1511 if (x == NULL) { 1512 kfree_skb(r_skb); 1513 return -ESRCH; 1514 } 1515 1516 /* 1517 * XXX: is this lock really needed - none of the other 1518 * gets lock (the concern is things getting updated 1519 * while we are still reading) - jhs 1520 */ 1521 spin_lock_bh(&x->lock); 1522 c.data.aevent = p->flags; 1523 c.seq = nlh->nlmsg_seq; 1524 c.pid = nlh->nlmsg_pid; 1525 1526 if (build_aevent(r_skb, x, &c) < 0) 1527 BUG(); 1528 err = netlink_unicast(xfrm_nl, r_skb, 1529 NETLINK_CB(skb).pid, MSG_DONTWAIT); 1530 spin_unlock_bh(&x->lock); 1531 xfrm_state_put(x); 1532 return err; 1533 } 1534 1535 static int xfrm_new_ae(struct sk_buff *skb, struct nlmsghdr *nlh, 1536 struct rtattr **xfrma) 1537 { 1538 struct xfrm_state *x; 1539 struct km_event c; 1540 int err = - EINVAL; 1541 struct xfrm_aevent_id *p = nlmsg_data(nlh); 1542 struct rtattr *rp = xfrma[XFRMA_REPLAY_VAL-1]; 1543 struct rtattr *lt = xfrma[XFRMA_LTIME_VAL-1]; 1544 1545 if (!lt && !rp) 1546 return err; 1547 1548 /* pedantic mode - thou shalt sayeth replaceth */ 1549 if (!(nlh->nlmsg_flags&NLM_F_REPLACE)) 1550 return err; 1551 1552 x = xfrm_state_lookup(&p->sa_id.daddr, p->sa_id.spi, p->sa_id.proto, p->sa_id.family); 1553 if (x == NULL) 1554 return -ESRCH; 1555 1556 if (x->km.state != XFRM_STATE_VALID) 1557 goto out; 1558 1559 spin_lock_bh(&x->lock); 1560 err = xfrm_update_ae_params(x, xfrma); 1561 spin_unlock_bh(&x->lock); 1562 if (err < 0) 1563 goto out; 1564 1565 c.event = nlh->nlmsg_type; 1566 c.seq = nlh->nlmsg_seq; 1567 c.pid = nlh->nlmsg_pid; 1568 c.data.aevent = XFRM_AE_CU; 1569 km_state_notify(x, &c); 1570 err = 0; 1571 out: 1572 xfrm_state_put(x); 1573 return err; 1574 } 1575 1576 static int xfrm_flush_policy(struct sk_buff *skb, struct nlmsghdr *nlh, 1577 struct rtattr **xfrma) 1578 { 1579 struct km_event c; 1580 u8 type = XFRM_POLICY_TYPE_MAIN; 1581 int err; 1582 struct xfrm_audit audit_info; 1583 1584 err = copy_from_user_policy_type(&type, xfrma); 1585 if (err) 1586 return err; 1587 1588 audit_info.loginuid = NETLINK_CB(skb).loginuid; 1589 audit_info.secid = NETLINK_CB(skb).sid; 1590 err = xfrm_policy_flush(type, &audit_info); 1591 if (err) 1592 return err; 1593 c.data.type = type; 1594 c.event = nlh->nlmsg_type; 1595 c.seq = nlh->nlmsg_seq; 1596 c.pid = nlh->nlmsg_pid; 1597 km_policy_notify(NULL, 0, &c); 1598 return 0; 1599 } 1600 1601 static int xfrm_add_pol_expire(struct sk_buff *skb, struct nlmsghdr *nlh, 1602 struct rtattr **xfrma) 1603 { 1604 struct xfrm_policy *xp; 1605 struct xfrm_user_polexpire *up = nlmsg_data(nlh); 1606 struct xfrm_userpolicy_info *p = &up->pol; 1607 u8 type = XFRM_POLICY_TYPE_MAIN; 1608 int err = -ENOENT; 1609 1610 err = copy_from_user_policy_type(&type, xfrma); 1611 if (err) 1612 return err; 1613 1614 if (p->index) 1615 xp = xfrm_policy_byid(type, p->dir, p->index, 0, &err); 1616 else { 1617 struct rtattr *rt = xfrma[XFRMA_SEC_CTX-1]; 1618 struct xfrm_policy tmp; 1619 1620 err = verify_sec_ctx_len(xfrma); 1621 if (err) 1622 return err; 1623 1624 memset(&tmp, 0, sizeof(struct xfrm_policy)); 1625 if (rt) { 1626 struct xfrm_user_sec_ctx *uctx = RTA_DATA(rt); 1627 1628 if ((err = security_xfrm_policy_alloc(&tmp, uctx))) 1629 return err; 1630 } 1631 xp = xfrm_policy_bysel_ctx(type, p->dir, &p->sel, tmp.security, 1632 0, &err); 1633 security_xfrm_policy_free(&tmp); 1634 } 1635 1636 if (xp == NULL) 1637 return -ENOENT; 1638 read_lock(&xp->lock); 1639 if (xp->dead) { 1640 read_unlock(&xp->lock); 1641 goto out; 1642 } 1643 1644 read_unlock(&xp->lock); 1645 err = 0; 1646 if (up->hard) { 1647 xfrm_policy_delete(xp, p->dir); 1648 xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, 1649 AUDIT_MAC_IPSEC_DELSPD, 1, xp, NULL); 1650 1651 } else { 1652 // reset the timers here? 1653 printk("Dont know what to do with soft policy expire\n"); 1654 } 1655 km_policy_expired(xp, p->dir, up->hard, current->pid); 1656 1657 out: 1658 xfrm_pol_put(xp); 1659 return err; 1660 } 1661 1662 static int xfrm_add_sa_expire(struct sk_buff *skb, struct nlmsghdr *nlh, 1663 struct rtattr **xfrma) 1664 { 1665 struct xfrm_state *x; 1666 int err; 1667 struct xfrm_user_expire *ue = nlmsg_data(nlh); 1668 struct xfrm_usersa_info *p = &ue->state; 1669 1670 x = xfrm_state_lookup(&p->id.daddr, p->id.spi, p->id.proto, p->family); 1671 1672 err = -ENOENT; 1673 if (x == NULL) 1674 return err; 1675 1676 spin_lock_bh(&x->lock); 1677 err = -EINVAL; 1678 if (x->km.state != XFRM_STATE_VALID) 1679 goto out; 1680 km_state_expired(x, ue->hard, current->pid); 1681 1682 if (ue->hard) { 1683 __xfrm_state_delete(x); 1684 xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, 1685 AUDIT_MAC_IPSEC_DELSA, 1, NULL, x); 1686 } 1687 err = 0; 1688 out: 1689 spin_unlock_bh(&x->lock); 1690 xfrm_state_put(x); 1691 return err; 1692 } 1693 1694 static int xfrm_add_acquire(struct sk_buff *skb, struct nlmsghdr *nlh, 1695 struct rtattr **xfrma) 1696 { 1697 struct xfrm_policy *xp; 1698 struct xfrm_user_tmpl *ut; 1699 int i; 1700 struct rtattr *rt = xfrma[XFRMA_TMPL-1]; 1701 1702 struct xfrm_user_acquire *ua = nlmsg_data(nlh); 1703 struct xfrm_state *x = xfrm_state_alloc(); 1704 int err = -ENOMEM; 1705 1706 if (!x) 1707 return err; 1708 1709 err = verify_newpolicy_info(&ua->policy); 1710 if (err) { 1711 printk("BAD policy passed\n"); 1712 kfree(x); 1713 return err; 1714 } 1715 1716 /* build an XP */ 1717 xp = xfrm_policy_construct(&ua->policy, (struct rtattr **) xfrma, &err); 1718 if (!xp) { 1719 kfree(x); 1720 return err; 1721 } 1722 1723 memcpy(&x->id, &ua->id, sizeof(ua->id)); 1724 memcpy(&x->props.saddr, &ua->saddr, sizeof(ua->saddr)); 1725 memcpy(&x->sel, &ua->sel, sizeof(ua->sel)); 1726 1727 ut = RTA_DATA(rt); 1728 /* extract the templates and for each call km_key */ 1729 for (i = 0; i < xp->xfrm_nr; i++, ut++) { 1730 struct xfrm_tmpl *t = &xp->xfrm_vec[i]; 1731 memcpy(&x->id, &t->id, sizeof(x->id)); 1732 x->props.mode = t->mode; 1733 x->props.reqid = t->reqid; 1734 x->props.family = ut->family; 1735 t->aalgos = ua->aalgos; 1736 t->ealgos = ua->ealgos; 1737 t->calgos = ua->calgos; 1738 err = km_query(x, t, xp); 1739 1740 } 1741 1742 kfree(x); 1743 kfree(xp); 1744 1745 return 0; 1746 } 1747 1748 #ifdef CONFIG_XFRM_MIGRATE 1749 static int verify_user_migrate(struct rtattr **xfrma) 1750 { 1751 struct rtattr *rt = xfrma[XFRMA_MIGRATE-1]; 1752 struct xfrm_user_migrate *um; 1753 1754 if (!rt) 1755 return -EINVAL; 1756 1757 if ((rt->rta_len - sizeof(*rt)) < sizeof(*um)) 1758 return -EINVAL; 1759 1760 return 0; 1761 } 1762 1763 static int copy_from_user_migrate(struct xfrm_migrate *ma, 1764 struct rtattr **xfrma, int *num) 1765 { 1766 struct rtattr *rt = xfrma[XFRMA_MIGRATE-1]; 1767 struct xfrm_user_migrate *um; 1768 int i, num_migrate; 1769 1770 um = RTA_DATA(rt); 1771 num_migrate = (rt->rta_len - sizeof(*rt)) / sizeof(*um); 1772 1773 if (num_migrate <= 0 || num_migrate > XFRM_MAX_DEPTH) 1774 return -EINVAL; 1775 1776 for (i = 0; i < num_migrate; i++, um++, ma++) { 1777 memcpy(&ma->old_daddr, &um->old_daddr, sizeof(ma->old_daddr)); 1778 memcpy(&ma->old_saddr, &um->old_saddr, sizeof(ma->old_saddr)); 1779 memcpy(&ma->new_daddr, &um->new_daddr, sizeof(ma->new_daddr)); 1780 memcpy(&ma->new_saddr, &um->new_saddr, sizeof(ma->new_saddr)); 1781 1782 ma->proto = um->proto; 1783 ma->mode = um->mode; 1784 ma->reqid = um->reqid; 1785 1786 ma->old_family = um->old_family; 1787 ma->new_family = um->new_family; 1788 } 1789 1790 *num = i; 1791 return 0; 1792 } 1793 1794 static int xfrm_do_migrate(struct sk_buff *skb, struct nlmsghdr *nlh, 1795 struct rtattr **xfrma) 1796 { 1797 struct xfrm_userpolicy_id *pi = nlmsg_data(nlh); 1798 struct xfrm_migrate m[XFRM_MAX_DEPTH]; 1799 u8 type; 1800 int err; 1801 int n = 0; 1802 1803 err = verify_user_migrate((struct rtattr **)xfrma); 1804 if (err) 1805 return err; 1806 1807 err = copy_from_user_policy_type(&type, (struct rtattr **)xfrma); 1808 if (err) 1809 return err; 1810 1811 err = copy_from_user_migrate((struct xfrm_migrate *)m, 1812 (struct rtattr **)xfrma, &n); 1813 if (err) 1814 return err; 1815 1816 if (!n) 1817 return 0; 1818 1819 xfrm_migrate(&pi->sel, pi->dir, type, m, n); 1820 1821 return 0; 1822 } 1823 #else 1824 static int xfrm_do_migrate(struct sk_buff *skb, struct nlmsghdr *nlh, 1825 struct rtattr **xfrma) 1826 { 1827 return -ENOPROTOOPT; 1828 } 1829 #endif 1830 1831 #ifdef CONFIG_XFRM_MIGRATE 1832 static int copy_to_user_migrate(struct xfrm_migrate *m, struct sk_buff *skb) 1833 { 1834 struct xfrm_user_migrate um; 1835 1836 memset(&um, 0, sizeof(um)); 1837 um.proto = m->proto; 1838 um.mode = m->mode; 1839 um.reqid = m->reqid; 1840 um.old_family = m->old_family; 1841 memcpy(&um.old_daddr, &m->old_daddr, sizeof(um.old_daddr)); 1842 memcpy(&um.old_saddr, &m->old_saddr, sizeof(um.old_saddr)); 1843 um.new_family = m->new_family; 1844 memcpy(&um.new_daddr, &m->new_daddr, sizeof(um.new_daddr)); 1845 memcpy(&um.new_saddr, &m->new_saddr, sizeof(um.new_saddr)); 1846 1847 RTA_PUT(skb, XFRMA_MIGRATE, sizeof(um), &um); 1848 return 0; 1849 1850 rtattr_failure: 1851 return -1; 1852 } 1853 1854 static int build_migrate(struct sk_buff *skb, struct xfrm_migrate *m, 1855 int num_migrate, struct xfrm_selector *sel, 1856 u8 dir, u8 type) 1857 { 1858 struct xfrm_migrate *mp; 1859 struct xfrm_userpolicy_id *pol_id; 1860 struct nlmsghdr *nlh; 1861 int i; 1862 1863 nlh = nlmsg_put(skb, 0, 0, XFRM_MSG_MIGRATE, sizeof(*pol_id), 0); 1864 if (nlh == NULL) 1865 return -EMSGSIZE; 1866 1867 pol_id = nlmsg_data(nlh); 1868 /* copy data from selector, dir, and type to the pol_id */ 1869 memset(pol_id, 0, sizeof(*pol_id)); 1870 memcpy(&pol_id->sel, sel, sizeof(pol_id->sel)); 1871 pol_id->dir = dir; 1872 1873 if (copy_to_user_policy_type(type, skb) < 0) 1874 goto nlmsg_failure; 1875 1876 for (i = 0, mp = m ; i < num_migrate; i++, mp++) { 1877 if (copy_to_user_migrate(mp, skb) < 0) 1878 goto nlmsg_failure; 1879 } 1880 1881 return nlmsg_end(skb, nlh); 1882 nlmsg_failure: 1883 nlmsg_cancel(skb, nlh); 1884 return -EMSGSIZE; 1885 } 1886 1887 static int xfrm_send_migrate(struct xfrm_selector *sel, u8 dir, u8 type, 1888 struct xfrm_migrate *m, int num_migrate) 1889 { 1890 struct sk_buff *skb; 1891 size_t len; 1892 1893 len = RTA_SPACE(sizeof(struct xfrm_user_migrate) * num_migrate); 1894 len += NLMSG_SPACE(sizeof(struct xfrm_userpolicy_id)); 1895 #ifdef CONFIG_XFRM_SUB_POLICY 1896 len += RTA_SPACE(sizeof(struct xfrm_userpolicy_type)); 1897 #endif 1898 skb = alloc_skb(len, GFP_ATOMIC); 1899 if (skb == NULL) 1900 return -ENOMEM; 1901 1902 /* build migrate */ 1903 if (build_migrate(skb, m, num_migrate, sel, dir, type) < 0) 1904 BUG(); 1905 1906 NETLINK_CB(skb).dst_group = XFRMNLGRP_MIGRATE; 1907 return netlink_broadcast(xfrm_nl, skb, 0, XFRMNLGRP_MIGRATE, 1908 GFP_ATOMIC); 1909 } 1910 #else 1911 static int xfrm_send_migrate(struct xfrm_selector *sel, u8 dir, u8 type, 1912 struct xfrm_migrate *m, int num_migrate) 1913 { 1914 return -ENOPROTOOPT; 1915 } 1916 #endif 1917 1918 #define XMSGSIZE(type) NLMSG_LENGTH(sizeof(struct type)) 1919 1920 static const int xfrm_msg_min[XFRM_NR_MSGTYPES] = { 1921 [XFRM_MSG_NEWSA - XFRM_MSG_BASE] = XMSGSIZE(xfrm_usersa_info), 1922 [XFRM_MSG_DELSA - XFRM_MSG_BASE] = XMSGSIZE(xfrm_usersa_id), 1923 [XFRM_MSG_GETSA - XFRM_MSG_BASE] = XMSGSIZE(xfrm_usersa_id), 1924 [XFRM_MSG_NEWPOLICY - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_info), 1925 [XFRM_MSG_DELPOLICY - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_id), 1926 [XFRM_MSG_GETPOLICY - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_id), 1927 [XFRM_MSG_ALLOCSPI - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userspi_info), 1928 [XFRM_MSG_ACQUIRE - XFRM_MSG_BASE] = XMSGSIZE(xfrm_user_acquire), 1929 [XFRM_MSG_EXPIRE - XFRM_MSG_BASE] = XMSGSIZE(xfrm_user_expire), 1930 [XFRM_MSG_UPDPOLICY - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_info), 1931 [XFRM_MSG_UPDSA - XFRM_MSG_BASE] = XMSGSIZE(xfrm_usersa_info), 1932 [XFRM_MSG_POLEXPIRE - XFRM_MSG_BASE] = XMSGSIZE(xfrm_user_polexpire), 1933 [XFRM_MSG_FLUSHSA - XFRM_MSG_BASE] = XMSGSIZE(xfrm_usersa_flush), 1934 [XFRM_MSG_FLUSHPOLICY - XFRM_MSG_BASE] = NLMSG_LENGTH(0), 1935 [XFRM_MSG_NEWAE - XFRM_MSG_BASE] = XMSGSIZE(xfrm_aevent_id), 1936 [XFRM_MSG_GETAE - XFRM_MSG_BASE] = XMSGSIZE(xfrm_aevent_id), 1937 [XFRM_MSG_REPORT - XFRM_MSG_BASE] = XMSGSIZE(xfrm_user_report), 1938 [XFRM_MSG_MIGRATE - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_id), 1939 [XFRM_MSG_GETSADINFO - XFRM_MSG_BASE] = NLMSG_LENGTH(sizeof(u32)), 1940 [XFRM_MSG_GETSPDINFO - XFRM_MSG_BASE] = NLMSG_LENGTH(sizeof(u32)), 1941 }; 1942 1943 #undef XMSGSIZE 1944 1945 static struct xfrm_link { 1946 int (*doit)(struct sk_buff *, struct nlmsghdr *, struct rtattr **); 1947 int (*dump)(struct sk_buff *, struct netlink_callback *); 1948 } xfrm_dispatch[XFRM_NR_MSGTYPES] = { 1949 [XFRM_MSG_NEWSA - XFRM_MSG_BASE] = { .doit = xfrm_add_sa }, 1950 [XFRM_MSG_DELSA - XFRM_MSG_BASE] = { .doit = xfrm_del_sa }, 1951 [XFRM_MSG_GETSA - XFRM_MSG_BASE] = { .doit = xfrm_get_sa, 1952 .dump = xfrm_dump_sa }, 1953 [XFRM_MSG_NEWPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_add_policy }, 1954 [XFRM_MSG_DELPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_get_policy }, 1955 [XFRM_MSG_GETPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_get_policy, 1956 .dump = xfrm_dump_policy }, 1957 [XFRM_MSG_ALLOCSPI - XFRM_MSG_BASE] = { .doit = xfrm_alloc_userspi }, 1958 [XFRM_MSG_ACQUIRE - XFRM_MSG_BASE] = { .doit = xfrm_add_acquire }, 1959 [XFRM_MSG_EXPIRE - XFRM_MSG_BASE] = { .doit = xfrm_add_sa_expire }, 1960 [XFRM_MSG_UPDPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_add_policy }, 1961 [XFRM_MSG_UPDSA - XFRM_MSG_BASE] = { .doit = xfrm_add_sa }, 1962 [XFRM_MSG_POLEXPIRE - XFRM_MSG_BASE] = { .doit = xfrm_add_pol_expire}, 1963 [XFRM_MSG_FLUSHSA - XFRM_MSG_BASE] = { .doit = xfrm_flush_sa }, 1964 [XFRM_MSG_FLUSHPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_flush_policy }, 1965 [XFRM_MSG_NEWAE - XFRM_MSG_BASE] = { .doit = xfrm_new_ae }, 1966 [XFRM_MSG_GETAE - XFRM_MSG_BASE] = { .doit = xfrm_get_ae }, 1967 [XFRM_MSG_MIGRATE - XFRM_MSG_BASE] = { .doit = xfrm_do_migrate }, 1968 [XFRM_MSG_GETSADINFO - XFRM_MSG_BASE] = { .doit = xfrm_get_sadinfo }, 1969 [XFRM_MSG_GETSPDINFO - XFRM_MSG_BASE] = { .doit = xfrm_get_spdinfo }, 1970 }; 1971 1972 static int xfrm_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh) 1973 { 1974 struct rtattr *xfrma[XFRMA_MAX]; 1975 struct xfrm_link *link; 1976 int type, min_len; 1977 1978 type = nlh->nlmsg_type; 1979 if (type > XFRM_MSG_MAX) 1980 return -EINVAL; 1981 1982 type -= XFRM_MSG_BASE; 1983 link = &xfrm_dispatch[type]; 1984 1985 /* All operations require privileges, even GET */ 1986 if (security_netlink_recv(skb, CAP_NET_ADMIN)) 1987 return -EPERM; 1988 1989 if ((type == (XFRM_MSG_GETSA - XFRM_MSG_BASE) || 1990 type == (XFRM_MSG_GETPOLICY - XFRM_MSG_BASE)) && 1991 (nlh->nlmsg_flags & NLM_F_DUMP)) { 1992 if (link->dump == NULL) 1993 return -EINVAL; 1994 1995 return netlink_dump_start(xfrm_nl, skb, nlh, link->dump, NULL); 1996 } 1997 1998 memset(xfrma, 0, sizeof(xfrma)); 1999 2000 if (nlh->nlmsg_len < (min_len = xfrm_msg_min[type])) 2001 return -EINVAL; 2002 2003 if (nlh->nlmsg_len > min_len) { 2004 int attrlen = nlh->nlmsg_len - NLMSG_ALIGN(min_len); 2005 struct rtattr *attr = (void *) nlh + NLMSG_ALIGN(min_len); 2006 2007 while (RTA_OK(attr, attrlen)) { 2008 unsigned short flavor = attr->rta_type; 2009 if (flavor) { 2010 if (flavor > XFRMA_MAX) 2011 return -EINVAL; 2012 xfrma[flavor - 1] = attr; 2013 } 2014 attr = RTA_NEXT(attr, attrlen); 2015 } 2016 } 2017 2018 if (link->doit == NULL) 2019 return -EINVAL; 2020 2021 return link->doit(skb, nlh, xfrma); 2022 } 2023 2024 static void xfrm_netlink_rcv(struct sock *sk, int len) 2025 { 2026 unsigned int qlen = 0; 2027 2028 do { 2029 mutex_lock(&xfrm_cfg_mutex); 2030 netlink_run_queue(sk, &qlen, &xfrm_user_rcv_msg); 2031 mutex_unlock(&xfrm_cfg_mutex); 2032 2033 } while (qlen); 2034 } 2035 2036 static int build_expire(struct sk_buff *skb, struct xfrm_state *x, struct km_event *c) 2037 { 2038 struct xfrm_user_expire *ue; 2039 struct nlmsghdr *nlh; 2040 2041 nlh = nlmsg_put(skb, c->pid, 0, XFRM_MSG_EXPIRE, sizeof(*ue), 0); 2042 if (nlh == NULL) 2043 return -EMSGSIZE; 2044 2045 ue = nlmsg_data(nlh); 2046 copy_to_user_state(x, &ue->state); 2047 ue->hard = (c->data.hard != 0) ? 1 : 0; 2048 2049 return nlmsg_end(skb, nlh); 2050 } 2051 2052 static int xfrm_exp_state_notify(struct xfrm_state *x, struct km_event *c) 2053 { 2054 struct sk_buff *skb; 2055 int len = NLMSG_LENGTH(sizeof(struct xfrm_user_expire)); 2056 2057 skb = alloc_skb(len, GFP_ATOMIC); 2058 if (skb == NULL) 2059 return -ENOMEM; 2060 2061 if (build_expire(skb, x, c) < 0) 2062 BUG(); 2063 2064 NETLINK_CB(skb).dst_group = XFRMNLGRP_EXPIRE; 2065 return netlink_broadcast(xfrm_nl, skb, 0, XFRMNLGRP_EXPIRE, GFP_ATOMIC); 2066 } 2067 2068 static int xfrm_aevent_state_notify(struct xfrm_state *x, struct km_event *c) 2069 { 2070 struct sk_buff *skb; 2071 int len = NLMSG_LENGTH(sizeof(struct xfrm_aevent_id)); 2072 2073 len += RTA_SPACE(sizeof(struct xfrm_replay_state)); 2074 len += RTA_SPACE(sizeof(struct xfrm_lifetime_cur)); 2075 skb = alloc_skb(len, GFP_ATOMIC); 2076 if (skb == NULL) 2077 return -ENOMEM; 2078 2079 if (build_aevent(skb, x, c) < 0) 2080 BUG(); 2081 2082 NETLINK_CB(skb).dst_group = XFRMNLGRP_AEVENTS; 2083 return netlink_broadcast(xfrm_nl, skb, 0, XFRMNLGRP_AEVENTS, GFP_ATOMIC); 2084 } 2085 2086 static int xfrm_notify_sa_flush(struct km_event *c) 2087 { 2088 struct xfrm_usersa_flush *p; 2089 struct nlmsghdr *nlh; 2090 struct sk_buff *skb; 2091 int len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_flush)); 2092 2093 skb = alloc_skb(len, GFP_ATOMIC); 2094 if (skb == NULL) 2095 return -ENOMEM; 2096 2097 nlh = nlmsg_put(skb, c->pid, c->seq, XFRM_MSG_FLUSHSA, sizeof(*p), 0); 2098 if (nlh == NULL) { 2099 kfree_skb(skb); 2100 return -EMSGSIZE; 2101 } 2102 2103 p = nlmsg_data(nlh); 2104 p->proto = c->data.proto; 2105 2106 nlmsg_end(skb, nlh); 2107 2108 NETLINK_CB(skb).dst_group = XFRMNLGRP_SA; 2109 return netlink_broadcast(xfrm_nl, skb, 0, XFRMNLGRP_SA, GFP_ATOMIC); 2110 } 2111 2112 static inline int xfrm_sa_len(struct xfrm_state *x) 2113 { 2114 int l = 0; 2115 if (x->aalg) 2116 l += RTA_SPACE(sizeof(*x->aalg) + (x->aalg->alg_key_len+7)/8); 2117 if (x->ealg) 2118 l += RTA_SPACE(sizeof(*x->ealg) + (x->ealg->alg_key_len+7)/8); 2119 if (x->calg) 2120 l += RTA_SPACE(sizeof(*x->calg)); 2121 if (x->encap) 2122 l += RTA_SPACE(sizeof(*x->encap)); 2123 2124 return l; 2125 } 2126 2127 static int xfrm_notify_sa(struct xfrm_state *x, struct km_event *c) 2128 { 2129 struct xfrm_usersa_info *p; 2130 struct xfrm_usersa_id *id; 2131 struct nlmsghdr *nlh; 2132 struct sk_buff *skb; 2133 int len = xfrm_sa_len(x); 2134 int headlen; 2135 2136 headlen = sizeof(*p); 2137 if (c->event == XFRM_MSG_DELSA) { 2138 len += RTA_SPACE(headlen); 2139 headlen = sizeof(*id); 2140 } 2141 len += NLMSG_SPACE(headlen); 2142 2143 skb = alloc_skb(len, GFP_ATOMIC); 2144 if (skb == NULL) 2145 return -ENOMEM; 2146 2147 nlh = nlmsg_put(skb, c->pid, c->seq, c->event, headlen, 0); 2148 if (nlh == NULL) 2149 goto nlmsg_failure; 2150 2151 p = nlmsg_data(nlh); 2152 if (c->event == XFRM_MSG_DELSA) { 2153 id = nlmsg_data(nlh); 2154 memcpy(&id->daddr, &x->id.daddr, sizeof(id->daddr)); 2155 id->spi = x->id.spi; 2156 id->family = x->props.family; 2157 id->proto = x->id.proto; 2158 2159 p = RTA_DATA(__RTA_PUT(skb, XFRMA_SA, sizeof(*p))); 2160 } 2161 2162 copy_to_user_state(x, p); 2163 2164 if (x->aalg) 2165 RTA_PUT(skb, XFRMA_ALG_AUTH, 2166 sizeof(*(x->aalg))+(x->aalg->alg_key_len+7)/8, x->aalg); 2167 if (x->ealg) 2168 RTA_PUT(skb, XFRMA_ALG_CRYPT, 2169 sizeof(*(x->ealg))+(x->ealg->alg_key_len+7)/8, x->ealg); 2170 if (x->calg) 2171 RTA_PUT(skb, XFRMA_ALG_COMP, sizeof(*(x->calg)), x->calg); 2172 2173 if (x->encap) 2174 RTA_PUT(skb, XFRMA_ENCAP, sizeof(*x->encap), x->encap); 2175 2176 nlmsg_end(skb, nlh); 2177 2178 NETLINK_CB(skb).dst_group = XFRMNLGRP_SA; 2179 return netlink_broadcast(xfrm_nl, skb, 0, XFRMNLGRP_SA, GFP_ATOMIC); 2180 2181 nlmsg_failure: 2182 rtattr_failure: 2183 kfree_skb(skb); 2184 return -1; 2185 } 2186 2187 static int xfrm_send_state_notify(struct xfrm_state *x, struct km_event *c) 2188 { 2189 2190 switch (c->event) { 2191 case XFRM_MSG_EXPIRE: 2192 return xfrm_exp_state_notify(x, c); 2193 case XFRM_MSG_NEWAE: 2194 return xfrm_aevent_state_notify(x, c); 2195 case XFRM_MSG_DELSA: 2196 case XFRM_MSG_UPDSA: 2197 case XFRM_MSG_NEWSA: 2198 return xfrm_notify_sa(x, c); 2199 case XFRM_MSG_FLUSHSA: 2200 return xfrm_notify_sa_flush(c); 2201 default: 2202 printk("xfrm_user: Unknown SA event %d\n", c->event); 2203 break; 2204 } 2205 2206 return 0; 2207 2208 } 2209 2210 static int build_acquire(struct sk_buff *skb, struct xfrm_state *x, 2211 struct xfrm_tmpl *xt, struct xfrm_policy *xp, 2212 int dir) 2213 { 2214 struct xfrm_user_acquire *ua; 2215 struct nlmsghdr *nlh; 2216 __u32 seq = xfrm_get_acqseq(); 2217 2218 nlh = nlmsg_put(skb, 0, 0, XFRM_MSG_ACQUIRE, sizeof(*ua), 0); 2219 if (nlh == NULL) 2220 return -EMSGSIZE; 2221 2222 ua = nlmsg_data(nlh); 2223 memcpy(&ua->id, &x->id, sizeof(ua->id)); 2224 memcpy(&ua->saddr, &x->props.saddr, sizeof(ua->saddr)); 2225 memcpy(&ua->sel, &x->sel, sizeof(ua->sel)); 2226 copy_to_user_policy(xp, &ua->policy, dir); 2227 ua->aalgos = xt->aalgos; 2228 ua->ealgos = xt->ealgos; 2229 ua->calgos = xt->calgos; 2230 ua->seq = x->km.seq = seq; 2231 2232 if (copy_to_user_tmpl(xp, skb) < 0) 2233 goto nlmsg_failure; 2234 if (copy_to_user_state_sec_ctx(x, skb)) 2235 goto nlmsg_failure; 2236 if (copy_to_user_policy_type(xp->type, skb) < 0) 2237 goto nlmsg_failure; 2238 2239 return nlmsg_end(skb, nlh); 2240 2241 nlmsg_failure: 2242 nlmsg_cancel(skb, nlh); 2243 return -EMSGSIZE; 2244 } 2245 2246 static int xfrm_send_acquire(struct xfrm_state *x, struct xfrm_tmpl *xt, 2247 struct xfrm_policy *xp, int dir) 2248 { 2249 struct sk_buff *skb; 2250 size_t len; 2251 2252 len = RTA_SPACE(sizeof(struct xfrm_user_tmpl) * xp->xfrm_nr); 2253 len += NLMSG_SPACE(sizeof(struct xfrm_user_acquire)); 2254 len += RTA_SPACE(xfrm_user_sec_ctx_size(x->security)); 2255 #ifdef CONFIG_XFRM_SUB_POLICY 2256 len += RTA_SPACE(sizeof(struct xfrm_userpolicy_type)); 2257 #endif 2258 skb = alloc_skb(len, GFP_ATOMIC); 2259 if (skb == NULL) 2260 return -ENOMEM; 2261 2262 if (build_acquire(skb, x, xt, xp, dir) < 0) 2263 BUG(); 2264 2265 NETLINK_CB(skb).dst_group = XFRMNLGRP_ACQUIRE; 2266 return netlink_broadcast(xfrm_nl, skb, 0, XFRMNLGRP_ACQUIRE, GFP_ATOMIC); 2267 } 2268 2269 /* User gives us xfrm_user_policy_info followed by an array of 0 2270 * or more templates. 2271 */ 2272 static struct xfrm_policy *xfrm_compile_policy(struct sock *sk, int opt, 2273 u8 *data, int len, int *dir) 2274 { 2275 struct xfrm_userpolicy_info *p = (struct xfrm_userpolicy_info *)data; 2276 struct xfrm_user_tmpl *ut = (struct xfrm_user_tmpl *) (p + 1); 2277 struct xfrm_policy *xp; 2278 int nr; 2279 2280 switch (sk->sk_family) { 2281 case AF_INET: 2282 if (opt != IP_XFRM_POLICY) { 2283 *dir = -EOPNOTSUPP; 2284 return NULL; 2285 } 2286 break; 2287 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 2288 case AF_INET6: 2289 if (opt != IPV6_XFRM_POLICY) { 2290 *dir = -EOPNOTSUPP; 2291 return NULL; 2292 } 2293 break; 2294 #endif 2295 default: 2296 *dir = -EINVAL; 2297 return NULL; 2298 } 2299 2300 *dir = -EINVAL; 2301 2302 if (len < sizeof(*p) || 2303 verify_newpolicy_info(p)) 2304 return NULL; 2305 2306 nr = ((len - sizeof(*p)) / sizeof(*ut)); 2307 if (validate_tmpl(nr, ut, p->sel.family)) 2308 return NULL; 2309 2310 if (p->dir > XFRM_POLICY_OUT) 2311 return NULL; 2312 2313 xp = xfrm_policy_alloc(GFP_KERNEL); 2314 if (xp == NULL) { 2315 *dir = -ENOBUFS; 2316 return NULL; 2317 } 2318 2319 copy_from_user_policy(xp, p); 2320 xp->type = XFRM_POLICY_TYPE_MAIN; 2321 copy_templates(xp, ut, nr); 2322 2323 *dir = p->dir; 2324 2325 return xp; 2326 } 2327 2328 static int build_polexpire(struct sk_buff *skb, struct xfrm_policy *xp, 2329 int dir, struct km_event *c) 2330 { 2331 struct xfrm_user_polexpire *upe; 2332 struct nlmsghdr *nlh; 2333 int hard = c->data.hard; 2334 2335 nlh = nlmsg_put(skb, c->pid, 0, XFRM_MSG_POLEXPIRE, sizeof(*upe), 0); 2336 if (nlh == NULL) 2337 return -EMSGSIZE; 2338 2339 upe = nlmsg_data(nlh); 2340 copy_to_user_policy(xp, &upe->pol, dir); 2341 if (copy_to_user_tmpl(xp, skb) < 0) 2342 goto nlmsg_failure; 2343 if (copy_to_user_sec_ctx(xp, skb)) 2344 goto nlmsg_failure; 2345 if (copy_to_user_policy_type(xp->type, skb) < 0) 2346 goto nlmsg_failure; 2347 upe->hard = !!hard; 2348 2349 return nlmsg_end(skb, nlh); 2350 2351 nlmsg_failure: 2352 nlmsg_cancel(skb, nlh); 2353 return -EMSGSIZE; 2354 } 2355 2356 static int xfrm_exp_policy_notify(struct xfrm_policy *xp, int dir, struct km_event *c) 2357 { 2358 struct sk_buff *skb; 2359 size_t len; 2360 2361 len = RTA_SPACE(sizeof(struct xfrm_user_tmpl) * xp->xfrm_nr); 2362 len += NLMSG_SPACE(sizeof(struct xfrm_user_polexpire)); 2363 len += RTA_SPACE(xfrm_user_sec_ctx_size(xp->security)); 2364 #ifdef CONFIG_XFRM_SUB_POLICY 2365 len += RTA_SPACE(sizeof(struct xfrm_userpolicy_type)); 2366 #endif 2367 skb = alloc_skb(len, GFP_ATOMIC); 2368 if (skb == NULL) 2369 return -ENOMEM; 2370 2371 if (build_polexpire(skb, xp, dir, c) < 0) 2372 BUG(); 2373 2374 NETLINK_CB(skb).dst_group = XFRMNLGRP_EXPIRE; 2375 return netlink_broadcast(xfrm_nl, skb, 0, XFRMNLGRP_EXPIRE, GFP_ATOMIC); 2376 } 2377 2378 static int xfrm_notify_policy(struct xfrm_policy *xp, int dir, struct km_event *c) 2379 { 2380 struct xfrm_userpolicy_info *p; 2381 struct xfrm_userpolicy_id *id; 2382 struct nlmsghdr *nlh; 2383 struct sk_buff *skb; 2384 int len = RTA_SPACE(sizeof(struct xfrm_user_tmpl) * xp->xfrm_nr); 2385 int headlen; 2386 2387 headlen = sizeof(*p); 2388 if (c->event == XFRM_MSG_DELPOLICY) { 2389 len += RTA_SPACE(headlen); 2390 headlen = sizeof(*id); 2391 } 2392 #ifdef CONFIG_XFRM_SUB_POLICY 2393 len += RTA_SPACE(sizeof(struct xfrm_userpolicy_type)); 2394 #endif 2395 len += NLMSG_SPACE(headlen); 2396 2397 skb = alloc_skb(len, GFP_ATOMIC); 2398 if (skb == NULL) 2399 return -ENOMEM; 2400 2401 nlh = nlmsg_put(skb, c->pid, c->seq, c->event, headlen, 0); 2402 if (nlh == NULL) 2403 goto nlmsg_failure; 2404 2405 p = nlmsg_data(nlh); 2406 if (c->event == XFRM_MSG_DELPOLICY) { 2407 id = nlmsg_data(nlh); 2408 memset(id, 0, sizeof(*id)); 2409 id->dir = dir; 2410 if (c->data.byid) 2411 id->index = xp->index; 2412 else 2413 memcpy(&id->sel, &xp->selector, sizeof(id->sel)); 2414 2415 p = RTA_DATA(__RTA_PUT(skb, XFRMA_POLICY, sizeof(*p))); 2416 } 2417 2418 copy_to_user_policy(xp, p, dir); 2419 if (copy_to_user_tmpl(xp, skb) < 0) 2420 goto nlmsg_failure; 2421 if (copy_to_user_policy_type(xp->type, skb) < 0) 2422 goto nlmsg_failure; 2423 2424 nlmsg_end(skb, nlh); 2425 2426 NETLINK_CB(skb).dst_group = XFRMNLGRP_POLICY; 2427 return netlink_broadcast(xfrm_nl, skb, 0, XFRMNLGRP_POLICY, GFP_ATOMIC); 2428 2429 nlmsg_failure: 2430 rtattr_failure: 2431 kfree_skb(skb); 2432 return -1; 2433 } 2434 2435 static int xfrm_notify_policy_flush(struct km_event *c) 2436 { 2437 struct nlmsghdr *nlh; 2438 struct sk_buff *skb; 2439 int len = 0; 2440 #ifdef CONFIG_XFRM_SUB_POLICY 2441 len += RTA_SPACE(sizeof(struct xfrm_userpolicy_type)); 2442 #endif 2443 len += NLMSG_LENGTH(0); 2444 2445 skb = alloc_skb(len, GFP_ATOMIC); 2446 if (skb == NULL) 2447 return -ENOMEM; 2448 2449 nlh = nlmsg_put(skb, c->pid, c->seq, XFRM_MSG_FLUSHPOLICY, 0, 0); 2450 if (nlh == NULL) 2451 goto nlmsg_failure; 2452 if (copy_to_user_policy_type(c->data.type, skb) < 0) 2453 goto nlmsg_failure; 2454 2455 nlmsg_end(skb, nlh); 2456 2457 NETLINK_CB(skb).dst_group = XFRMNLGRP_POLICY; 2458 return netlink_broadcast(xfrm_nl, skb, 0, XFRMNLGRP_POLICY, GFP_ATOMIC); 2459 2460 nlmsg_failure: 2461 kfree_skb(skb); 2462 return -1; 2463 } 2464 2465 static int xfrm_send_policy_notify(struct xfrm_policy *xp, int dir, struct km_event *c) 2466 { 2467 2468 switch (c->event) { 2469 case XFRM_MSG_NEWPOLICY: 2470 case XFRM_MSG_UPDPOLICY: 2471 case XFRM_MSG_DELPOLICY: 2472 return xfrm_notify_policy(xp, dir, c); 2473 case XFRM_MSG_FLUSHPOLICY: 2474 return xfrm_notify_policy_flush(c); 2475 case XFRM_MSG_POLEXPIRE: 2476 return xfrm_exp_policy_notify(xp, dir, c); 2477 default: 2478 printk("xfrm_user: Unknown Policy event %d\n", c->event); 2479 } 2480 2481 return 0; 2482 2483 } 2484 2485 static int build_report(struct sk_buff *skb, u8 proto, 2486 struct xfrm_selector *sel, xfrm_address_t *addr) 2487 { 2488 struct xfrm_user_report *ur; 2489 struct nlmsghdr *nlh; 2490 2491 nlh = nlmsg_put(skb, 0, 0, XFRM_MSG_REPORT, sizeof(*ur), 0); 2492 if (nlh == NULL) 2493 return -EMSGSIZE; 2494 2495 ur = nlmsg_data(nlh); 2496 ur->proto = proto; 2497 memcpy(&ur->sel, sel, sizeof(ur->sel)); 2498 2499 if (addr) 2500 RTA_PUT(skb, XFRMA_COADDR, sizeof(*addr), addr); 2501 2502 return nlmsg_end(skb, nlh); 2503 2504 rtattr_failure: 2505 nlmsg_cancel(skb, nlh); 2506 return -EMSGSIZE; 2507 } 2508 2509 static int xfrm_send_report(u8 proto, struct xfrm_selector *sel, 2510 xfrm_address_t *addr) 2511 { 2512 struct sk_buff *skb; 2513 size_t len; 2514 2515 len = NLMSG_ALIGN(NLMSG_LENGTH(sizeof(struct xfrm_user_report))); 2516 skb = alloc_skb(len, GFP_ATOMIC); 2517 if (skb == NULL) 2518 return -ENOMEM; 2519 2520 if (build_report(skb, proto, sel, addr) < 0) 2521 BUG(); 2522 2523 NETLINK_CB(skb).dst_group = XFRMNLGRP_REPORT; 2524 return netlink_broadcast(xfrm_nl, skb, 0, XFRMNLGRP_REPORT, GFP_ATOMIC); 2525 } 2526 2527 static struct xfrm_mgr netlink_mgr = { 2528 .id = "netlink", 2529 .notify = xfrm_send_state_notify, 2530 .acquire = xfrm_send_acquire, 2531 .compile_policy = xfrm_compile_policy, 2532 .notify_policy = xfrm_send_policy_notify, 2533 .report = xfrm_send_report, 2534 .migrate = xfrm_send_migrate, 2535 }; 2536 2537 static int __init xfrm_user_init(void) 2538 { 2539 struct sock *nlsk; 2540 2541 printk(KERN_INFO "Initializing XFRM netlink socket\n"); 2542 2543 nlsk = netlink_kernel_create(NETLINK_XFRM, XFRMNLGRP_MAX, 2544 xfrm_netlink_rcv, NULL, THIS_MODULE); 2545 if (nlsk == NULL) 2546 return -ENOMEM; 2547 rcu_assign_pointer(xfrm_nl, nlsk); 2548 2549 xfrm_register_km(&netlink_mgr); 2550 2551 return 0; 2552 } 2553 2554 static void __exit xfrm_user_exit(void) 2555 { 2556 struct sock *nlsk = xfrm_nl; 2557 2558 xfrm_unregister_km(&netlink_mgr); 2559 rcu_assign_pointer(xfrm_nl, NULL); 2560 synchronize_rcu(); 2561 sock_release(nlsk->sk_socket); 2562 } 2563 2564 module_init(xfrm_user_init); 2565 module_exit(xfrm_user_exit); 2566 MODULE_LICENSE("GPL"); 2567 MODULE_ALIAS_NET_PF_PROTO(PF_NETLINK, NETLINK_XFRM); 2568 2569