1 /* xfrm_user.c: User interface to configure xfrm engine. 2 * 3 * Copyright (C) 2002 David S. Miller (davem@redhat.com) 4 * 5 * Changes: 6 * Mitsuru KANDA @USAGI 7 * Kazunori MIYAZAWA @USAGI 8 * Kunihiro Ishiguro <kunihiro@ipinfusion.com> 9 * IPv6 support 10 * 11 */ 12 13 #include <linux/crypto.h> 14 #include <linux/module.h> 15 #include <linux/kernel.h> 16 #include <linux/types.h> 17 #include <linux/slab.h> 18 #include <linux/socket.h> 19 #include <linux/string.h> 20 #include <linux/net.h> 21 #include <linux/skbuff.h> 22 #include <linux/pfkeyv2.h> 23 #include <linux/ipsec.h> 24 #include <linux/init.h> 25 #include <linux/security.h> 26 #include <net/sock.h> 27 #include <net/xfrm.h> 28 #include <net/netlink.h> 29 #include <net/ah.h> 30 #include <asm/uaccess.h> 31 #if IS_ENABLED(CONFIG_IPV6) 32 #include <linux/in6.h> 33 #endif 34 35 static inline int aead_len(struct xfrm_algo_aead *alg) 36 { 37 return sizeof(*alg) + ((alg->alg_key_len + 7) / 8); 38 } 39 40 static int verify_one_alg(struct nlattr **attrs, enum xfrm_attr_type_t type) 41 { 42 struct nlattr *rt = attrs[type]; 43 struct xfrm_algo *algp; 44 45 if (!rt) 46 return 0; 47 48 algp = nla_data(rt); 49 if (nla_len(rt) < xfrm_alg_len(algp)) 50 return -EINVAL; 51 52 switch (type) { 53 case XFRMA_ALG_AUTH: 54 case XFRMA_ALG_CRYPT: 55 case XFRMA_ALG_COMP: 56 break; 57 58 default: 59 return -EINVAL; 60 } 61 62 algp->alg_name[CRYPTO_MAX_ALG_NAME - 1] = '\0'; 63 return 0; 64 } 65 66 static int verify_auth_trunc(struct nlattr **attrs) 67 { 68 struct nlattr *rt = attrs[XFRMA_ALG_AUTH_TRUNC]; 69 struct xfrm_algo_auth *algp; 70 71 if (!rt) 72 return 0; 73 74 algp = nla_data(rt); 75 if (nla_len(rt) < xfrm_alg_auth_len(algp)) 76 return -EINVAL; 77 78 algp->alg_name[CRYPTO_MAX_ALG_NAME - 1] = '\0'; 79 return 0; 80 } 81 82 static int verify_aead(struct nlattr **attrs) 83 { 84 struct nlattr *rt = attrs[XFRMA_ALG_AEAD]; 85 struct xfrm_algo_aead *algp; 86 87 if (!rt) 88 return 0; 89 90 algp = nla_data(rt); 91 if (nla_len(rt) < aead_len(algp)) 92 return -EINVAL; 93 94 algp->alg_name[CRYPTO_MAX_ALG_NAME - 1] = '\0'; 95 return 0; 96 } 97 98 static void verify_one_addr(struct nlattr **attrs, enum xfrm_attr_type_t type, 99 xfrm_address_t **addrp) 100 { 101 struct nlattr *rt = attrs[type]; 102 103 if (rt && addrp) 104 *addrp = nla_data(rt); 105 } 106 107 static inline int verify_sec_ctx_len(struct nlattr **attrs) 108 { 109 struct nlattr *rt = attrs[XFRMA_SEC_CTX]; 110 struct xfrm_user_sec_ctx *uctx; 111 112 if (!rt) 113 return 0; 114 115 uctx = nla_data(rt); 116 if (uctx->len != (sizeof(struct xfrm_user_sec_ctx) + uctx->ctx_len)) 117 return -EINVAL; 118 119 return 0; 120 } 121 122 static inline int verify_replay(struct xfrm_usersa_info *p, 123 struct nlattr **attrs) 124 { 125 struct nlattr *rt = attrs[XFRMA_REPLAY_ESN_VAL]; 126 127 if ((p->flags & XFRM_STATE_ESN) && !rt) 128 return -EINVAL; 129 130 if (!rt) 131 return 0; 132 133 if (p->id.proto != IPPROTO_ESP) 134 return -EINVAL; 135 136 if (p->replay_window != 0) 137 return -EINVAL; 138 139 return 0; 140 } 141 142 static int verify_newsa_info(struct xfrm_usersa_info *p, 143 struct nlattr **attrs) 144 { 145 int err; 146 147 err = -EINVAL; 148 switch (p->family) { 149 case AF_INET: 150 break; 151 152 case AF_INET6: 153 #if IS_ENABLED(CONFIG_IPV6) 154 break; 155 #else 156 err = -EAFNOSUPPORT; 157 goto out; 158 #endif 159 160 default: 161 goto out; 162 } 163 164 err = -EINVAL; 165 switch (p->id.proto) { 166 case IPPROTO_AH: 167 if ((!attrs[XFRMA_ALG_AUTH] && 168 !attrs[XFRMA_ALG_AUTH_TRUNC]) || 169 attrs[XFRMA_ALG_AEAD] || 170 attrs[XFRMA_ALG_CRYPT] || 171 attrs[XFRMA_ALG_COMP] || 172 attrs[XFRMA_TFCPAD]) 173 goto out; 174 break; 175 176 case IPPROTO_ESP: 177 if (attrs[XFRMA_ALG_COMP]) 178 goto out; 179 if (!attrs[XFRMA_ALG_AUTH] && 180 !attrs[XFRMA_ALG_AUTH_TRUNC] && 181 !attrs[XFRMA_ALG_CRYPT] && 182 !attrs[XFRMA_ALG_AEAD]) 183 goto out; 184 if ((attrs[XFRMA_ALG_AUTH] || 185 attrs[XFRMA_ALG_AUTH_TRUNC] || 186 attrs[XFRMA_ALG_CRYPT]) && 187 attrs[XFRMA_ALG_AEAD]) 188 goto out; 189 if (attrs[XFRMA_TFCPAD] && 190 p->mode != XFRM_MODE_TUNNEL) 191 goto out; 192 break; 193 194 case IPPROTO_COMP: 195 if (!attrs[XFRMA_ALG_COMP] || 196 attrs[XFRMA_ALG_AEAD] || 197 attrs[XFRMA_ALG_AUTH] || 198 attrs[XFRMA_ALG_AUTH_TRUNC] || 199 attrs[XFRMA_ALG_CRYPT] || 200 attrs[XFRMA_TFCPAD]) 201 goto out; 202 break; 203 204 #if IS_ENABLED(CONFIG_IPV6) 205 case IPPROTO_DSTOPTS: 206 case IPPROTO_ROUTING: 207 if (attrs[XFRMA_ALG_COMP] || 208 attrs[XFRMA_ALG_AUTH] || 209 attrs[XFRMA_ALG_AUTH_TRUNC] || 210 attrs[XFRMA_ALG_AEAD] || 211 attrs[XFRMA_ALG_CRYPT] || 212 attrs[XFRMA_ENCAP] || 213 attrs[XFRMA_SEC_CTX] || 214 attrs[XFRMA_TFCPAD] || 215 !attrs[XFRMA_COADDR]) 216 goto out; 217 break; 218 #endif 219 220 default: 221 goto out; 222 } 223 224 if ((err = verify_aead(attrs))) 225 goto out; 226 if ((err = verify_auth_trunc(attrs))) 227 goto out; 228 if ((err = verify_one_alg(attrs, XFRMA_ALG_AUTH))) 229 goto out; 230 if ((err = verify_one_alg(attrs, XFRMA_ALG_CRYPT))) 231 goto out; 232 if ((err = verify_one_alg(attrs, XFRMA_ALG_COMP))) 233 goto out; 234 if ((err = verify_sec_ctx_len(attrs))) 235 goto out; 236 if ((err = verify_replay(p, attrs))) 237 goto out; 238 239 err = -EINVAL; 240 switch (p->mode) { 241 case XFRM_MODE_TRANSPORT: 242 case XFRM_MODE_TUNNEL: 243 case XFRM_MODE_ROUTEOPTIMIZATION: 244 case XFRM_MODE_BEET: 245 break; 246 247 default: 248 goto out; 249 } 250 251 err = 0; 252 253 out: 254 return err; 255 } 256 257 static int attach_one_algo(struct xfrm_algo **algpp, u8 *props, 258 struct xfrm_algo_desc *(*get_byname)(const char *, int), 259 struct nlattr *rta) 260 { 261 struct xfrm_algo *p, *ualg; 262 struct xfrm_algo_desc *algo; 263 264 if (!rta) 265 return 0; 266 267 ualg = nla_data(rta); 268 269 algo = get_byname(ualg->alg_name, 1); 270 if (!algo) 271 return -ENOSYS; 272 *props = algo->desc.sadb_alg_id; 273 274 p = kmemdup(ualg, xfrm_alg_len(ualg), GFP_KERNEL); 275 if (!p) 276 return -ENOMEM; 277 278 strcpy(p->alg_name, algo->name); 279 *algpp = p; 280 return 0; 281 } 282 283 static int attach_auth(struct xfrm_algo_auth **algpp, u8 *props, 284 struct nlattr *rta) 285 { 286 struct xfrm_algo *ualg; 287 struct xfrm_algo_auth *p; 288 struct xfrm_algo_desc *algo; 289 290 if (!rta) 291 return 0; 292 293 ualg = nla_data(rta); 294 295 algo = xfrm_aalg_get_byname(ualg->alg_name, 1); 296 if (!algo) 297 return -ENOSYS; 298 *props = algo->desc.sadb_alg_id; 299 300 p = kmalloc(sizeof(*p) + (ualg->alg_key_len + 7) / 8, GFP_KERNEL); 301 if (!p) 302 return -ENOMEM; 303 304 strcpy(p->alg_name, algo->name); 305 p->alg_key_len = ualg->alg_key_len; 306 p->alg_trunc_len = algo->uinfo.auth.icv_truncbits; 307 memcpy(p->alg_key, ualg->alg_key, (ualg->alg_key_len + 7) / 8); 308 309 *algpp = p; 310 return 0; 311 } 312 313 static int attach_auth_trunc(struct xfrm_algo_auth **algpp, u8 *props, 314 struct nlattr *rta) 315 { 316 struct xfrm_algo_auth *p, *ualg; 317 struct xfrm_algo_desc *algo; 318 319 if (!rta) 320 return 0; 321 322 ualg = nla_data(rta); 323 324 algo = xfrm_aalg_get_byname(ualg->alg_name, 1); 325 if (!algo) 326 return -ENOSYS; 327 if ((ualg->alg_trunc_len / 8) > MAX_AH_AUTH_LEN || 328 ualg->alg_trunc_len > algo->uinfo.auth.icv_fullbits) 329 return -EINVAL; 330 *props = algo->desc.sadb_alg_id; 331 332 p = kmemdup(ualg, xfrm_alg_auth_len(ualg), GFP_KERNEL); 333 if (!p) 334 return -ENOMEM; 335 336 strcpy(p->alg_name, algo->name); 337 if (!p->alg_trunc_len) 338 p->alg_trunc_len = algo->uinfo.auth.icv_truncbits; 339 340 *algpp = p; 341 return 0; 342 } 343 344 static int attach_aead(struct xfrm_algo_aead **algpp, u8 *props, 345 struct nlattr *rta) 346 { 347 struct xfrm_algo_aead *p, *ualg; 348 struct xfrm_algo_desc *algo; 349 350 if (!rta) 351 return 0; 352 353 ualg = nla_data(rta); 354 355 algo = xfrm_aead_get_byname(ualg->alg_name, ualg->alg_icv_len, 1); 356 if (!algo) 357 return -ENOSYS; 358 *props = algo->desc.sadb_alg_id; 359 360 p = kmemdup(ualg, aead_len(ualg), GFP_KERNEL); 361 if (!p) 362 return -ENOMEM; 363 364 strcpy(p->alg_name, algo->name); 365 *algpp = p; 366 return 0; 367 } 368 369 static inline int xfrm_replay_verify_len(struct xfrm_replay_state_esn *replay_esn, 370 struct nlattr *rp) 371 { 372 struct xfrm_replay_state_esn *up; 373 374 if (!replay_esn || !rp) 375 return 0; 376 377 up = nla_data(rp); 378 379 if (xfrm_replay_state_esn_len(replay_esn) != 380 xfrm_replay_state_esn_len(up)) 381 return -EINVAL; 382 383 return 0; 384 } 385 386 static int xfrm_alloc_replay_state_esn(struct xfrm_replay_state_esn **replay_esn, 387 struct xfrm_replay_state_esn **preplay_esn, 388 struct nlattr *rta) 389 { 390 struct xfrm_replay_state_esn *p, *pp, *up; 391 392 if (!rta) 393 return 0; 394 395 up = nla_data(rta); 396 397 p = kmemdup(up, xfrm_replay_state_esn_len(up), GFP_KERNEL); 398 if (!p) 399 return -ENOMEM; 400 401 pp = kmemdup(up, xfrm_replay_state_esn_len(up), GFP_KERNEL); 402 if (!pp) { 403 kfree(p); 404 return -ENOMEM; 405 } 406 407 *replay_esn = p; 408 *preplay_esn = pp; 409 410 return 0; 411 } 412 413 static inline int xfrm_user_sec_ctx_size(struct xfrm_sec_ctx *xfrm_ctx) 414 { 415 int len = 0; 416 417 if (xfrm_ctx) { 418 len += sizeof(struct xfrm_user_sec_ctx); 419 len += xfrm_ctx->ctx_len; 420 } 421 return len; 422 } 423 424 static void copy_from_user_state(struct xfrm_state *x, struct xfrm_usersa_info *p) 425 { 426 memcpy(&x->id, &p->id, sizeof(x->id)); 427 memcpy(&x->sel, &p->sel, sizeof(x->sel)); 428 memcpy(&x->lft, &p->lft, sizeof(x->lft)); 429 x->props.mode = p->mode; 430 x->props.replay_window = p->replay_window; 431 x->props.reqid = p->reqid; 432 x->props.family = p->family; 433 memcpy(&x->props.saddr, &p->saddr, sizeof(x->props.saddr)); 434 x->props.flags = p->flags; 435 436 if (!x->sel.family && !(p->flags & XFRM_STATE_AF_UNSPEC)) 437 x->sel.family = p->family; 438 } 439 440 /* 441 * someday when pfkey also has support, we could have the code 442 * somehow made shareable and move it to xfrm_state.c - JHS 443 * 444 */ 445 static void xfrm_update_ae_params(struct xfrm_state *x, struct nlattr **attrs) 446 { 447 struct nlattr *rp = attrs[XFRMA_REPLAY_VAL]; 448 struct nlattr *re = attrs[XFRMA_REPLAY_ESN_VAL]; 449 struct nlattr *lt = attrs[XFRMA_LTIME_VAL]; 450 struct nlattr *et = attrs[XFRMA_ETIMER_THRESH]; 451 struct nlattr *rt = attrs[XFRMA_REPLAY_THRESH]; 452 453 if (re) { 454 struct xfrm_replay_state_esn *replay_esn; 455 replay_esn = nla_data(re); 456 memcpy(x->replay_esn, replay_esn, 457 xfrm_replay_state_esn_len(replay_esn)); 458 memcpy(x->preplay_esn, replay_esn, 459 xfrm_replay_state_esn_len(replay_esn)); 460 } 461 462 if (rp) { 463 struct xfrm_replay_state *replay; 464 replay = nla_data(rp); 465 memcpy(&x->replay, replay, sizeof(*replay)); 466 memcpy(&x->preplay, replay, sizeof(*replay)); 467 } 468 469 if (lt) { 470 struct xfrm_lifetime_cur *ltime; 471 ltime = nla_data(lt); 472 x->curlft.bytes = ltime->bytes; 473 x->curlft.packets = ltime->packets; 474 x->curlft.add_time = ltime->add_time; 475 x->curlft.use_time = ltime->use_time; 476 } 477 478 if (et) 479 x->replay_maxage = nla_get_u32(et); 480 481 if (rt) 482 x->replay_maxdiff = nla_get_u32(rt); 483 } 484 485 static struct xfrm_state *xfrm_state_construct(struct net *net, 486 struct xfrm_usersa_info *p, 487 struct nlattr **attrs, 488 int *errp) 489 { 490 struct xfrm_state *x = xfrm_state_alloc(net); 491 int err = -ENOMEM; 492 493 if (!x) 494 goto error_no_put; 495 496 copy_from_user_state(x, p); 497 498 if ((err = attach_aead(&x->aead, &x->props.ealgo, 499 attrs[XFRMA_ALG_AEAD]))) 500 goto error; 501 if ((err = attach_auth_trunc(&x->aalg, &x->props.aalgo, 502 attrs[XFRMA_ALG_AUTH_TRUNC]))) 503 goto error; 504 if (!x->props.aalgo) { 505 if ((err = attach_auth(&x->aalg, &x->props.aalgo, 506 attrs[XFRMA_ALG_AUTH]))) 507 goto error; 508 } 509 if ((err = attach_one_algo(&x->ealg, &x->props.ealgo, 510 xfrm_ealg_get_byname, 511 attrs[XFRMA_ALG_CRYPT]))) 512 goto error; 513 if ((err = attach_one_algo(&x->calg, &x->props.calgo, 514 xfrm_calg_get_byname, 515 attrs[XFRMA_ALG_COMP]))) 516 goto error; 517 518 if (attrs[XFRMA_ENCAP]) { 519 x->encap = kmemdup(nla_data(attrs[XFRMA_ENCAP]), 520 sizeof(*x->encap), GFP_KERNEL); 521 if (x->encap == NULL) 522 goto error; 523 } 524 525 if (attrs[XFRMA_TFCPAD]) 526 x->tfcpad = nla_get_u32(attrs[XFRMA_TFCPAD]); 527 528 if (attrs[XFRMA_COADDR]) { 529 x->coaddr = kmemdup(nla_data(attrs[XFRMA_COADDR]), 530 sizeof(*x->coaddr), GFP_KERNEL); 531 if (x->coaddr == NULL) 532 goto error; 533 } 534 535 xfrm_mark_get(attrs, &x->mark); 536 537 err = __xfrm_init_state(x, false); 538 if (err) 539 goto error; 540 541 if (attrs[XFRMA_SEC_CTX] && 542 security_xfrm_state_alloc(x, nla_data(attrs[XFRMA_SEC_CTX]))) 543 goto error; 544 545 if ((err = xfrm_alloc_replay_state_esn(&x->replay_esn, &x->preplay_esn, 546 attrs[XFRMA_REPLAY_ESN_VAL]))) 547 goto error; 548 549 x->km.seq = p->seq; 550 x->replay_maxdiff = net->xfrm.sysctl_aevent_rseqth; 551 /* sysctl_xfrm_aevent_etime is in 100ms units */ 552 x->replay_maxage = (net->xfrm.sysctl_aevent_etime*HZ)/XFRM_AE_ETH_M; 553 554 if ((err = xfrm_init_replay(x))) 555 goto error; 556 557 /* override default values from above */ 558 xfrm_update_ae_params(x, attrs); 559 560 return x; 561 562 error: 563 x->km.state = XFRM_STATE_DEAD; 564 xfrm_state_put(x); 565 error_no_put: 566 *errp = err; 567 return NULL; 568 } 569 570 static int xfrm_add_sa(struct sk_buff *skb, struct nlmsghdr *nlh, 571 struct nlattr **attrs) 572 { 573 struct net *net = sock_net(skb->sk); 574 struct xfrm_usersa_info *p = nlmsg_data(nlh); 575 struct xfrm_state *x; 576 int err; 577 struct km_event c; 578 uid_t loginuid = audit_get_loginuid(current); 579 u32 sessionid = audit_get_sessionid(current); 580 u32 sid; 581 582 err = verify_newsa_info(p, attrs); 583 if (err) 584 return err; 585 586 x = xfrm_state_construct(net, p, attrs, &err); 587 if (!x) 588 return err; 589 590 xfrm_state_hold(x); 591 if (nlh->nlmsg_type == XFRM_MSG_NEWSA) 592 err = xfrm_state_add(x); 593 else 594 err = xfrm_state_update(x); 595 596 security_task_getsecid(current, &sid); 597 xfrm_audit_state_add(x, err ? 0 : 1, loginuid, sessionid, sid); 598 599 if (err < 0) { 600 x->km.state = XFRM_STATE_DEAD; 601 __xfrm_state_put(x); 602 goto out; 603 } 604 605 c.seq = nlh->nlmsg_seq; 606 c.pid = nlh->nlmsg_pid; 607 c.event = nlh->nlmsg_type; 608 609 km_state_notify(x, &c); 610 out: 611 xfrm_state_put(x); 612 return err; 613 } 614 615 static struct xfrm_state *xfrm_user_state_lookup(struct net *net, 616 struct xfrm_usersa_id *p, 617 struct nlattr **attrs, 618 int *errp) 619 { 620 struct xfrm_state *x = NULL; 621 struct xfrm_mark m; 622 int err; 623 u32 mark = xfrm_mark_get(attrs, &m); 624 625 if (xfrm_id_proto_match(p->proto, IPSEC_PROTO_ANY)) { 626 err = -ESRCH; 627 x = xfrm_state_lookup(net, mark, &p->daddr, p->spi, p->proto, p->family); 628 } else { 629 xfrm_address_t *saddr = NULL; 630 631 verify_one_addr(attrs, XFRMA_SRCADDR, &saddr); 632 if (!saddr) { 633 err = -EINVAL; 634 goto out; 635 } 636 637 err = -ESRCH; 638 x = xfrm_state_lookup_byaddr(net, mark, 639 &p->daddr, saddr, 640 p->proto, p->family); 641 } 642 643 out: 644 if (!x && errp) 645 *errp = err; 646 return x; 647 } 648 649 static int xfrm_del_sa(struct sk_buff *skb, struct nlmsghdr *nlh, 650 struct nlattr **attrs) 651 { 652 struct net *net = sock_net(skb->sk); 653 struct xfrm_state *x; 654 int err = -ESRCH; 655 struct km_event c; 656 struct xfrm_usersa_id *p = nlmsg_data(nlh); 657 uid_t loginuid = audit_get_loginuid(current); 658 u32 sessionid = audit_get_sessionid(current); 659 u32 sid; 660 661 x = xfrm_user_state_lookup(net, p, attrs, &err); 662 if (x == NULL) 663 return err; 664 665 if ((err = security_xfrm_state_delete(x)) != 0) 666 goto out; 667 668 if (xfrm_state_kern(x)) { 669 err = -EPERM; 670 goto out; 671 } 672 673 err = xfrm_state_delete(x); 674 675 if (err < 0) 676 goto out; 677 678 c.seq = nlh->nlmsg_seq; 679 c.pid = nlh->nlmsg_pid; 680 c.event = nlh->nlmsg_type; 681 km_state_notify(x, &c); 682 683 out: 684 security_task_getsecid(current, &sid); 685 xfrm_audit_state_delete(x, err ? 0 : 1, loginuid, sessionid, sid); 686 xfrm_state_put(x); 687 return err; 688 } 689 690 static void copy_to_user_state(struct xfrm_state *x, struct xfrm_usersa_info *p) 691 { 692 memset(p, 0, sizeof(*p)); 693 memcpy(&p->id, &x->id, sizeof(p->id)); 694 memcpy(&p->sel, &x->sel, sizeof(p->sel)); 695 memcpy(&p->lft, &x->lft, sizeof(p->lft)); 696 memcpy(&p->curlft, &x->curlft, sizeof(p->curlft)); 697 memcpy(&p->stats, &x->stats, sizeof(p->stats)); 698 memcpy(&p->saddr, &x->props.saddr, sizeof(p->saddr)); 699 p->mode = x->props.mode; 700 p->replay_window = x->props.replay_window; 701 p->reqid = x->props.reqid; 702 p->family = x->props.family; 703 p->flags = x->props.flags; 704 p->seq = x->km.seq; 705 } 706 707 struct xfrm_dump_info { 708 struct sk_buff *in_skb; 709 struct sk_buff *out_skb; 710 u32 nlmsg_seq; 711 u16 nlmsg_flags; 712 }; 713 714 static int copy_sec_ctx(struct xfrm_sec_ctx *s, struct sk_buff *skb) 715 { 716 struct xfrm_user_sec_ctx *uctx; 717 struct nlattr *attr; 718 int ctx_size = sizeof(*uctx) + s->ctx_len; 719 720 attr = nla_reserve(skb, XFRMA_SEC_CTX, ctx_size); 721 if (attr == NULL) 722 return -EMSGSIZE; 723 724 uctx = nla_data(attr); 725 uctx->exttype = XFRMA_SEC_CTX; 726 uctx->len = ctx_size; 727 uctx->ctx_doi = s->ctx_doi; 728 uctx->ctx_alg = s->ctx_alg; 729 uctx->ctx_len = s->ctx_len; 730 memcpy(uctx + 1, s->ctx_str, s->ctx_len); 731 732 return 0; 733 } 734 735 static int copy_to_user_auth(struct xfrm_algo_auth *auth, struct sk_buff *skb) 736 { 737 struct xfrm_algo *algo; 738 struct nlattr *nla; 739 740 nla = nla_reserve(skb, XFRMA_ALG_AUTH, 741 sizeof(*algo) + (auth->alg_key_len + 7) / 8); 742 if (!nla) 743 return -EMSGSIZE; 744 745 algo = nla_data(nla); 746 strncpy(algo->alg_name, auth->alg_name, sizeof(algo->alg_name)); 747 memcpy(algo->alg_key, auth->alg_key, (auth->alg_key_len + 7) / 8); 748 algo->alg_key_len = auth->alg_key_len; 749 750 return 0; 751 } 752 753 /* Don't change this without updating xfrm_sa_len! */ 754 static int copy_to_user_state_extra(struct xfrm_state *x, 755 struct xfrm_usersa_info *p, 756 struct sk_buff *skb) 757 { 758 int ret = 0; 759 760 copy_to_user_state(x, p); 761 762 if (x->coaddr) { 763 ret = nla_put(skb, XFRMA_COADDR, sizeof(*x->coaddr), x->coaddr); 764 if (ret) 765 goto out; 766 } 767 if (x->lastused) { 768 ret = nla_put_u64(skb, XFRMA_LASTUSED, x->lastused); 769 if (ret) 770 goto out; 771 } 772 if (x->aead) { 773 ret = nla_put(skb, XFRMA_ALG_AEAD, aead_len(x->aead), x->aead); 774 if (ret) 775 goto out; 776 } 777 if (x->aalg) { 778 ret = copy_to_user_auth(x->aalg, skb); 779 if (!ret) 780 ret = nla_put(skb, XFRMA_ALG_AUTH_TRUNC, 781 xfrm_alg_auth_len(x->aalg), x->aalg); 782 if (ret) 783 goto out; 784 } 785 if (x->ealg) { 786 ret = nla_put(skb, XFRMA_ALG_CRYPT, xfrm_alg_len(x->ealg), x->ealg); 787 if (ret) 788 goto out; 789 } 790 if (x->calg) { 791 ret = nla_put(skb, XFRMA_ALG_COMP, sizeof(*(x->calg)), x->calg); 792 if (ret) 793 goto out; 794 } 795 if (x->encap) { 796 ret = nla_put(skb, XFRMA_ENCAP, sizeof(*x->encap), x->encap); 797 if (ret) 798 goto out; 799 } 800 if (x->tfcpad) { 801 ret = nla_put_u32(skb, XFRMA_TFCPAD, x->tfcpad); 802 if (ret) 803 goto out; 804 } 805 ret = xfrm_mark_put(skb, &x->mark); 806 if (ret) 807 goto out; 808 if (x->replay_esn) { 809 ret = nla_put(skb, XFRMA_REPLAY_ESN_VAL, 810 xfrm_replay_state_esn_len(x->replay_esn), 811 x->replay_esn); 812 if (ret) 813 goto out; 814 } 815 if (x->security) 816 ret = copy_sec_ctx(x->security, skb); 817 out: 818 return ret; 819 } 820 821 static int dump_one_state(struct xfrm_state *x, int count, void *ptr) 822 { 823 struct xfrm_dump_info *sp = ptr; 824 struct sk_buff *in_skb = sp->in_skb; 825 struct sk_buff *skb = sp->out_skb; 826 struct xfrm_usersa_info *p; 827 struct nlmsghdr *nlh; 828 int err; 829 830 nlh = nlmsg_put(skb, NETLINK_CB(in_skb).pid, sp->nlmsg_seq, 831 XFRM_MSG_NEWSA, sizeof(*p), sp->nlmsg_flags); 832 if (nlh == NULL) 833 return -EMSGSIZE; 834 835 p = nlmsg_data(nlh); 836 837 err = copy_to_user_state_extra(x, p, skb); 838 if (err) { 839 nlmsg_cancel(skb, nlh); 840 return err; 841 } 842 nlmsg_end(skb, nlh); 843 return 0; 844 } 845 846 static int xfrm_dump_sa_done(struct netlink_callback *cb) 847 { 848 struct xfrm_state_walk *walk = (struct xfrm_state_walk *) &cb->args[1]; 849 xfrm_state_walk_done(walk); 850 return 0; 851 } 852 853 static int xfrm_dump_sa(struct sk_buff *skb, struct netlink_callback *cb) 854 { 855 struct net *net = sock_net(skb->sk); 856 struct xfrm_state_walk *walk = (struct xfrm_state_walk *) &cb->args[1]; 857 struct xfrm_dump_info info; 858 859 BUILD_BUG_ON(sizeof(struct xfrm_state_walk) > 860 sizeof(cb->args) - sizeof(cb->args[0])); 861 862 info.in_skb = cb->skb; 863 info.out_skb = skb; 864 info.nlmsg_seq = cb->nlh->nlmsg_seq; 865 info.nlmsg_flags = NLM_F_MULTI; 866 867 if (!cb->args[0]) { 868 cb->args[0] = 1; 869 xfrm_state_walk_init(walk, 0); 870 } 871 872 (void) xfrm_state_walk(net, walk, dump_one_state, &info); 873 874 return skb->len; 875 } 876 877 static struct sk_buff *xfrm_state_netlink(struct sk_buff *in_skb, 878 struct xfrm_state *x, u32 seq) 879 { 880 struct xfrm_dump_info info; 881 struct sk_buff *skb; 882 int err; 883 884 skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC); 885 if (!skb) 886 return ERR_PTR(-ENOMEM); 887 888 info.in_skb = in_skb; 889 info.out_skb = skb; 890 info.nlmsg_seq = seq; 891 info.nlmsg_flags = 0; 892 893 err = dump_one_state(x, 0, &info); 894 if (err) { 895 kfree_skb(skb); 896 return ERR_PTR(err); 897 } 898 899 return skb; 900 } 901 902 static inline size_t xfrm_spdinfo_msgsize(void) 903 { 904 return NLMSG_ALIGN(4) 905 + nla_total_size(sizeof(struct xfrmu_spdinfo)) 906 + nla_total_size(sizeof(struct xfrmu_spdhinfo)); 907 } 908 909 static int build_spdinfo(struct sk_buff *skb, struct net *net, 910 u32 pid, u32 seq, u32 flags) 911 { 912 struct xfrmk_spdinfo si; 913 struct xfrmu_spdinfo spc; 914 struct xfrmu_spdhinfo sph; 915 struct nlmsghdr *nlh; 916 int err; 917 u32 *f; 918 919 nlh = nlmsg_put(skb, pid, seq, XFRM_MSG_NEWSPDINFO, sizeof(u32), 0); 920 if (nlh == NULL) /* shouldn't really happen ... */ 921 return -EMSGSIZE; 922 923 f = nlmsg_data(nlh); 924 *f = flags; 925 xfrm_spd_getinfo(net, &si); 926 spc.incnt = si.incnt; 927 spc.outcnt = si.outcnt; 928 spc.fwdcnt = si.fwdcnt; 929 spc.inscnt = si.inscnt; 930 spc.outscnt = si.outscnt; 931 spc.fwdscnt = si.fwdscnt; 932 sph.spdhcnt = si.spdhcnt; 933 sph.spdhmcnt = si.spdhmcnt; 934 935 err = nla_put(skb, XFRMA_SPD_INFO, sizeof(spc), &spc); 936 if (!err) 937 err = nla_put(skb, XFRMA_SPD_HINFO, sizeof(sph), &sph); 938 if (err) { 939 nlmsg_cancel(skb, nlh); 940 return err; 941 } 942 943 return nlmsg_end(skb, nlh); 944 } 945 946 static int xfrm_get_spdinfo(struct sk_buff *skb, struct nlmsghdr *nlh, 947 struct nlattr **attrs) 948 { 949 struct net *net = sock_net(skb->sk); 950 struct sk_buff *r_skb; 951 u32 *flags = nlmsg_data(nlh); 952 u32 spid = NETLINK_CB(skb).pid; 953 u32 seq = nlh->nlmsg_seq; 954 955 r_skb = nlmsg_new(xfrm_spdinfo_msgsize(), GFP_ATOMIC); 956 if (r_skb == NULL) 957 return -ENOMEM; 958 959 if (build_spdinfo(r_skb, net, spid, seq, *flags) < 0) 960 BUG(); 961 962 return nlmsg_unicast(net->xfrm.nlsk, r_skb, spid); 963 } 964 965 static inline size_t xfrm_sadinfo_msgsize(void) 966 { 967 return NLMSG_ALIGN(4) 968 + nla_total_size(sizeof(struct xfrmu_sadhinfo)) 969 + nla_total_size(4); /* XFRMA_SAD_CNT */ 970 } 971 972 static int build_sadinfo(struct sk_buff *skb, struct net *net, 973 u32 pid, u32 seq, u32 flags) 974 { 975 struct xfrmk_sadinfo si; 976 struct xfrmu_sadhinfo sh; 977 struct nlmsghdr *nlh; 978 int err; 979 u32 *f; 980 981 nlh = nlmsg_put(skb, pid, seq, XFRM_MSG_NEWSADINFO, sizeof(u32), 0); 982 if (nlh == NULL) /* shouldn't really happen ... */ 983 return -EMSGSIZE; 984 985 f = nlmsg_data(nlh); 986 *f = flags; 987 xfrm_sad_getinfo(net, &si); 988 989 sh.sadhmcnt = si.sadhmcnt; 990 sh.sadhcnt = si.sadhcnt; 991 992 err = nla_put_u32(skb, XFRMA_SAD_CNT, si.sadcnt); 993 if (!err) 994 err = nla_put(skb, XFRMA_SAD_HINFO, sizeof(sh), &sh); 995 if (err) { 996 nlmsg_cancel(skb, nlh); 997 return err; 998 } 999 1000 return nlmsg_end(skb, nlh); 1001 } 1002 1003 static int xfrm_get_sadinfo(struct sk_buff *skb, struct nlmsghdr *nlh, 1004 struct nlattr **attrs) 1005 { 1006 struct net *net = sock_net(skb->sk); 1007 struct sk_buff *r_skb; 1008 u32 *flags = nlmsg_data(nlh); 1009 u32 spid = NETLINK_CB(skb).pid; 1010 u32 seq = nlh->nlmsg_seq; 1011 1012 r_skb = nlmsg_new(xfrm_sadinfo_msgsize(), GFP_ATOMIC); 1013 if (r_skb == NULL) 1014 return -ENOMEM; 1015 1016 if (build_sadinfo(r_skb, net, spid, seq, *flags) < 0) 1017 BUG(); 1018 1019 return nlmsg_unicast(net->xfrm.nlsk, r_skb, spid); 1020 } 1021 1022 static int xfrm_get_sa(struct sk_buff *skb, struct nlmsghdr *nlh, 1023 struct nlattr **attrs) 1024 { 1025 struct net *net = sock_net(skb->sk); 1026 struct xfrm_usersa_id *p = nlmsg_data(nlh); 1027 struct xfrm_state *x; 1028 struct sk_buff *resp_skb; 1029 int err = -ESRCH; 1030 1031 x = xfrm_user_state_lookup(net, p, attrs, &err); 1032 if (x == NULL) 1033 goto out_noput; 1034 1035 resp_skb = xfrm_state_netlink(skb, x, nlh->nlmsg_seq); 1036 if (IS_ERR(resp_skb)) { 1037 err = PTR_ERR(resp_skb); 1038 } else { 1039 err = nlmsg_unicast(net->xfrm.nlsk, resp_skb, NETLINK_CB(skb).pid); 1040 } 1041 xfrm_state_put(x); 1042 out_noput: 1043 return err; 1044 } 1045 1046 static int verify_userspi_info(struct xfrm_userspi_info *p) 1047 { 1048 switch (p->info.id.proto) { 1049 case IPPROTO_AH: 1050 case IPPROTO_ESP: 1051 break; 1052 1053 case IPPROTO_COMP: 1054 /* IPCOMP spi is 16-bits. */ 1055 if (p->max >= 0x10000) 1056 return -EINVAL; 1057 break; 1058 1059 default: 1060 return -EINVAL; 1061 } 1062 1063 if (p->min > p->max) 1064 return -EINVAL; 1065 1066 return 0; 1067 } 1068 1069 static int xfrm_alloc_userspi(struct sk_buff *skb, struct nlmsghdr *nlh, 1070 struct nlattr **attrs) 1071 { 1072 struct net *net = sock_net(skb->sk); 1073 struct xfrm_state *x; 1074 struct xfrm_userspi_info *p; 1075 struct sk_buff *resp_skb; 1076 xfrm_address_t *daddr; 1077 int family; 1078 int err; 1079 u32 mark; 1080 struct xfrm_mark m; 1081 1082 p = nlmsg_data(nlh); 1083 err = verify_userspi_info(p); 1084 if (err) 1085 goto out_noput; 1086 1087 family = p->info.family; 1088 daddr = &p->info.id.daddr; 1089 1090 x = NULL; 1091 1092 mark = xfrm_mark_get(attrs, &m); 1093 if (p->info.seq) { 1094 x = xfrm_find_acq_byseq(net, mark, p->info.seq); 1095 if (x && xfrm_addr_cmp(&x->id.daddr, daddr, family)) { 1096 xfrm_state_put(x); 1097 x = NULL; 1098 } 1099 } 1100 1101 if (!x) 1102 x = xfrm_find_acq(net, &m, p->info.mode, p->info.reqid, 1103 p->info.id.proto, daddr, 1104 &p->info.saddr, 1, 1105 family); 1106 err = -ENOENT; 1107 if (x == NULL) 1108 goto out_noput; 1109 1110 err = xfrm_alloc_spi(x, p->min, p->max); 1111 if (err) 1112 goto out; 1113 1114 resp_skb = xfrm_state_netlink(skb, x, nlh->nlmsg_seq); 1115 if (IS_ERR(resp_skb)) { 1116 err = PTR_ERR(resp_skb); 1117 goto out; 1118 } 1119 1120 err = nlmsg_unicast(net->xfrm.nlsk, resp_skb, NETLINK_CB(skb).pid); 1121 1122 out: 1123 xfrm_state_put(x); 1124 out_noput: 1125 return err; 1126 } 1127 1128 static int verify_policy_dir(u8 dir) 1129 { 1130 switch (dir) { 1131 case XFRM_POLICY_IN: 1132 case XFRM_POLICY_OUT: 1133 case XFRM_POLICY_FWD: 1134 break; 1135 1136 default: 1137 return -EINVAL; 1138 } 1139 1140 return 0; 1141 } 1142 1143 static int verify_policy_type(u8 type) 1144 { 1145 switch (type) { 1146 case XFRM_POLICY_TYPE_MAIN: 1147 #ifdef CONFIG_XFRM_SUB_POLICY 1148 case XFRM_POLICY_TYPE_SUB: 1149 #endif 1150 break; 1151 1152 default: 1153 return -EINVAL; 1154 } 1155 1156 return 0; 1157 } 1158 1159 static int verify_newpolicy_info(struct xfrm_userpolicy_info *p) 1160 { 1161 switch (p->share) { 1162 case XFRM_SHARE_ANY: 1163 case XFRM_SHARE_SESSION: 1164 case XFRM_SHARE_USER: 1165 case XFRM_SHARE_UNIQUE: 1166 break; 1167 1168 default: 1169 return -EINVAL; 1170 } 1171 1172 switch (p->action) { 1173 case XFRM_POLICY_ALLOW: 1174 case XFRM_POLICY_BLOCK: 1175 break; 1176 1177 default: 1178 return -EINVAL; 1179 } 1180 1181 switch (p->sel.family) { 1182 case AF_INET: 1183 break; 1184 1185 case AF_INET6: 1186 #if IS_ENABLED(CONFIG_IPV6) 1187 break; 1188 #else 1189 return -EAFNOSUPPORT; 1190 #endif 1191 1192 default: 1193 return -EINVAL; 1194 } 1195 1196 return verify_policy_dir(p->dir); 1197 } 1198 1199 static int copy_from_user_sec_ctx(struct xfrm_policy *pol, struct nlattr **attrs) 1200 { 1201 struct nlattr *rt = attrs[XFRMA_SEC_CTX]; 1202 struct xfrm_user_sec_ctx *uctx; 1203 1204 if (!rt) 1205 return 0; 1206 1207 uctx = nla_data(rt); 1208 return security_xfrm_policy_alloc(&pol->security, uctx); 1209 } 1210 1211 static void copy_templates(struct xfrm_policy *xp, struct xfrm_user_tmpl *ut, 1212 int nr) 1213 { 1214 int i; 1215 1216 xp->xfrm_nr = nr; 1217 for (i = 0; i < nr; i++, ut++) { 1218 struct xfrm_tmpl *t = &xp->xfrm_vec[i]; 1219 1220 memcpy(&t->id, &ut->id, sizeof(struct xfrm_id)); 1221 memcpy(&t->saddr, &ut->saddr, 1222 sizeof(xfrm_address_t)); 1223 t->reqid = ut->reqid; 1224 t->mode = ut->mode; 1225 t->share = ut->share; 1226 t->optional = ut->optional; 1227 t->aalgos = ut->aalgos; 1228 t->ealgos = ut->ealgos; 1229 t->calgos = ut->calgos; 1230 /* If all masks are ~0, then we allow all algorithms. */ 1231 t->allalgs = !~(t->aalgos & t->ealgos & t->calgos); 1232 t->encap_family = ut->family; 1233 } 1234 } 1235 1236 static int validate_tmpl(int nr, struct xfrm_user_tmpl *ut, u16 family) 1237 { 1238 int i; 1239 1240 if (nr > XFRM_MAX_DEPTH) 1241 return -EINVAL; 1242 1243 for (i = 0; i < nr; i++) { 1244 /* We never validated the ut->family value, so many 1245 * applications simply leave it at zero. The check was 1246 * never made and ut->family was ignored because all 1247 * templates could be assumed to have the same family as 1248 * the policy itself. Now that we will have ipv4-in-ipv6 1249 * and ipv6-in-ipv4 tunnels, this is no longer true. 1250 */ 1251 if (!ut[i].family) 1252 ut[i].family = family; 1253 1254 switch (ut[i].family) { 1255 case AF_INET: 1256 break; 1257 #if IS_ENABLED(CONFIG_IPV6) 1258 case AF_INET6: 1259 break; 1260 #endif 1261 default: 1262 return -EINVAL; 1263 } 1264 } 1265 1266 return 0; 1267 } 1268 1269 static int copy_from_user_tmpl(struct xfrm_policy *pol, struct nlattr **attrs) 1270 { 1271 struct nlattr *rt = attrs[XFRMA_TMPL]; 1272 1273 if (!rt) { 1274 pol->xfrm_nr = 0; 1275 } else { 1276 struct xfrm_user_tmpl *utmpl = nla_data(rt); 1277 int nr = nla_len(rt) / sizeof(*utmpl); 1278 int err; 1279 1280 err = validate_tmpl(nr, utmpl, pol->family); 1281 if (err) 1282 return err; 1283 1284 copy_templates(pol, utmpl, nr); 1285 } 1286 return 0; 1287 } 1288 1289 static int copy_from_user_policy_type(u8 *tp, struct nlattr **attrs) 1290 { 1291 struct nlattr *rt = attrs[XFRMA_POLICY_TYPE]; 1292 struct xfrm_userpolicy_type *upt; 1293 u8 type = XFRM_POLICY_TYPE_MAIN; 1294 int err; 1295 1296 if (rt) { 1297 upt = nla_data(rt); 1298 type = upt->type; 1299 } 1300 1301 err = verify_policy_type(type); 1302 if (err) 1303 return err; 1304 1305 *tp = type; 1306 return 0; 1307 } 1308 1309 static void copy_from_user_policy(struct xfrm_policy *xp, struct xfrm_userpolicy_info *p) 1310 { 1311 xp->priority = p->priority; 1312 xp->index = p->index; 1313 memcpy(&xp->selector, &p->sel, sizeof(xp->selector)); 1314 memcpy(&xp->lft, &p->lft, sizeof(xp->lft)); 1315 xp->action = p->action; 1316 xp->flags = p->flags; 1317 xp->family = p->sel.family; 1318 /* XXX xp->share = p->share; */ 1319 } 1320 1321 static void copy_to_user_policy(struct xfrm_policy *xp, struct xfrm_userpolicy_info *p, int dir) 1322 { 1323 memset(p, 0, sizeof(*p)); 1324 memcpy(&p->sel, &xp->selector, sizeof(p->sel)); 1325 memcpy(&p->lft, &xp->lft, sizeof(p->lft)); 1326 memcpy(&p->curlft, &xp->curlft, sizeof(p->curlft)); 1327 p->priority = xp->priority; 1328 p->index = xp->index; 1329 p->sel.family = xp->family; 1330 p->dir = dir; 1331 p->action = xp->action; 1332 p->flags = xp->flags; 1333 p->share = XFRM_SHARE_ANY; /* XXX xp->share */ 1334 } 1335 1336 static struct xfrm_policy *xfrm_policy_construct(struct net *net, struct xfrm_userpolicy_info *p, struct nlattr **attrs, int *errp) 1337 { 1338 struct xfrm_policy *xp = xfrm_policy_alloc(net, GFP_KERNEL); 1339 int err; 1340 1341 if (!xp) { 1342 *errp = -ENOMEM; 1343 return NULL; 1344 } 1345 1346 copy_from_user_policy(xp, p); 1347 1348 err = copy_from_user_policy_type(&xp->type, attrs); 1349 if (err) 1350 goto error; 1351 1352 if (!(err = copy_from_user_tmpl(xp, attrs))) 1353 err = copy_from_user_sec_ctx(xp, attrs); 1354 if (err) 1355 goto error; 1356 1357 xfrm_mark_get(attrs, &xp->mark); 1358 1359 return xp; 1360 error: 1361 *errp = err; 1362 xp->walk.dead = 1; 1363 xfrm_policy_destroy(xp); 1364 return NULL; 1365 } 1366 1367 static int xfrm_add_policy(struct sk_buff *skb, struct nlmsghdr *nlh, 1368 struct nlattr **attrs) 1369 { 1370 struct net *net = sock_net(skb->sk); 1371 struct xfrm_userpolicy_info *p = nlmsg_data(nlh); 1372 struct xfrm_policy *xp; 1373 struct km_event c; 1374 int err; 1375 int excl; 1376 uid_t loginuid = audit_get_loginuid(current); 1377 u32 sessionid = audit_get_sessionid(current); 1378 u32 sid; 1379 1380 err = verify_newpolicy_info(p); 1381 if (err) 1382 return err; 1383 err = verify_sec_ctx_len(attrs); 1384 if (err) 1385 return err; 1386 1387 xp = xfrm_policy_construct(net, p, attrs, &err); 1388 if (!xp) 1389 return err; 1390 1391 /* shouldn't excl be based on nlh flags?? 1392 * Aha! this is anti-netlink really i.e more pfkey derived 1393 * in netlink excl is a flag and you wouldnt need 1394 * a type XFRM_MSG_UPDPOLICY - JHS */ 1395 excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY; 1396 err = xfrm_policy_insert(p->dir, xp, excl); 1397 security_task_getsecid(current, &sid); 1398 xfrm_audit_policy_add(xp, err ? 0 : 1, loginuid, sessionid, sid); 1399 1400 if (err) { 1401 security_xfrm_policy_free(xp->security); 1402 kfree(xp); 1403 return err; 1404 } 1405 1406 c.event = nlh->nlmsg_type; 1407 c.seq = nlh->nlmsg_seq; 1408 c.pid = nlh->nlmsg_pid; 1409 km_policy_notify(xp, p->dir, &c); 1410 1411 xfrm_pol_put(xp); 1412 1413 return 0; 1414 } 1415 1416 static int copy_to_user_tmpl(struct xfrm_policy *xp, struct sk_buff *skb) 1417 { 1418 struct xfrm_user_tmpl vec[XFRM_MAX_DEPTH]; 1419 int i; 1420 1421 if (xp->xfrm_nr == 0) 1422 return 0; 1423 1424 for (i = 0; i < xp->xfrm_nr; i++) { 1425 struct xfrm_user_tmpl *up = &vec[i]; 1426 struct xfrm_tmpl *kp = &xp->xfrm_vec[i]; 1427 1428 memcpy(&up->id, &kp->id, sizeof(up->id)); 1429 up->family = kp->encap_family; 1430 memcpy(&up->saddr, &kp->saddr, sizeof(up->saddr)); 1431 up->reqid = kp->reqid; 1432 up->mode = kp->mode; 1433 up->share = kp->share; 1434 up->optional = kp->optional; 1435 up->aalgos = kp->aalgos; 1436 up->ealgos = kp->ealgos; 1437 up->calgos = kp->calgos; 1438 } 1439 1440 return nla_put(skb, XFRMA_TMPL, 1441 sizeof(struct xfrm_user_tmpl) * xp->xfrm_nr, vec); 1442 } 1443 1444 static inline int copy_to_user_state_sec_ctx(struct xfrm_state *x, struct sk_buff *skb) 1445 { 1446 if (x->security) { 1447 return copy_sec_ctx(x->security, skb); 1448 } 1449 return 0; 1450 } 1451 1452 static inline int copy_to_user_sec_ctx(struct xfrm_policy *xp, struct sk_buff *skb) 1453 { 1454 if (xp->security) 1455 return copy_sec_ctx(xp->security, skb); 1456 return 0; 1457 } 1458 static inline size_t userpolicy_type_attrsize(void) 1459 { 1460 #ifdef CONFIG_XFRM_SUB_POLICY 1461 return nla_total_size(sizeof(struct xfrm_userpolicy_type)); 1462 #else 1463 return 0; 1464 #endif 1465 } 1466 1467 #ifdef CONFIG_XFRM_SUB_POLICY 1468 static int copy_to_user_policy_type(u8 type, struct sk_buff *skb) 1469 { 1470 struct xfrm_userpolicy_type upt = { 1471 .type = type, 1472 }; 1473 1474 return nla_put(skb, XFRMA_POLICY_TYPE, sizeof(upt), &upt); 1475 } 1476 1477 #else 1478 static inline int copy_to_user_policy_type(u8 type, struct sk_buff *skb) 1479 { 1480 return 0; 1481 } 1482 #endif 1483 1484 static int dump_one_policy(struct xfrm_policy *xp, int dir, int count, void *ptr) 1485 { 1486 struct xfrm_dump_info *sp = ptr; 1487 struct xfrm_userpolicy_info *p; 1488 struct sk_buff *in_skb = sp->in_skb; 1489 struct sk_buff *skb = sp->out_skb; 1490 struct nlmsghdr *nlh; 1491 int err; 1492 1493 nlh = nlmsg_put(skb, NETLINK_CB(in_skb).pid, sp->nlmsg_seq, 1494 XFRM_MSG_NEWPOLICY, sizeof(*p), sp->nlmsg_flags); 1495 if (nlh == NULL) 1496 return -EMSGSIZE; 1497 1498 p = nlmsg_data(nlh); 1499 copy_to_user_policy(xp, p, dir); 1500 err = copy_to_user_tmpl(xp, skb); 1501 if (!err) 1502 err = copy_to_user_sec_ctx(xp, skb); 1503 if (!err) 1504 err = copy_to_user_policy_type(xp->type, skb); 1505 if (!err) 1506 err = xfrm_mark_put(skb, &xp->mark); 1507 if (err) { 1508 nlmsg_cancel(skb, nlh); 1509 return err; 1510 } 1511 nlmsg_end(skb, nlh); 1512 return 0; 1513 } 1514 1515 static int xfrm_dump_policy_done(struct netlink_callback *cb) 1516 { 1517 struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *) &cb->args[1]; 1518 1519 xfrm_policy_walk_done(walk); 1520 return 0; 1521 } 1522 1523 static int xfrm_dump_policy(struct sk_buff *skb, struct netlink_callback *cb) 1524 { 1525 struct net *net = sock_net(skb->sk); 1526 struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *) &cb->args[1]; 1527 struct xfrm_dump_info info; 1528 1529 BUILD_BUG_ON(sizeof(struct xfrm_policy_walk) > 1530 sizeof(cb->args) - sizeof(cb->args[0])); 1531 1532 info.in_skb = cb->skb; 1533 info.out_skb = skb; 1534 info.nlmsg_seq = cb->nlh->nlmsg_seq; 1535 info.nlmsg_flags = NLM_F_MULTI; 1536 1537 if (!cb->args[0]) { 1538 cb->args[0] = 1; 1539 xfrm_policy_walk_init(walk, XFRM_POLICY_TYPE_ANY); 1540 } 1541 1542 (void) xfrm_policy_walk(net, walk, dump_one_policy, &info); 1543 1544 return skb->len; 1545 } 1546 1547 static struct sk_buff *xfrm_policy_netlink(struct sk_buff *in_skb, 1548 struct xfrm_policy *xp, 1549 int dir, u32 seq) 1550 { 1551 struct xfrm_dump_info info; 1552 struct sk_buff *skb; 1553 int err; 1554 1555 skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); 1556 if (!skb) 1557 return ERR_PTR(-ENOMEM); 1558 1559 info.in_skb = in_skb; 1560 info.out_skb = skb; 1561 info.nlmsg_seq = seq; 1562 info.nlmsg_flags = 0; 1563 1564 err = dump_one_policy(xp, dir, 0, &info); 1565 if (err) { 1566 kfree_skb(skb); 1567 return ERR_PTR(err); 1568 } 1569 1570 return skb; 1571 } 1572 1573 static int xfrm_get_policy(struct sk_buff *skb, struct nlmsghdr *nlh, 1574 struct nlattr **attrs) 1575 { 1576 struct net *net = sock_net(skb->sk); 1577 struct xfrm_policy *xp; 1578 struct xfrm_userpolicy_id *p; 1579 u8 type = XFRM_POLICY_TYPE_MAIN; 1580 int err; 1581 struct km_event c; 1582 int delete; 1583 struct xfrm_mark m; 1584 u32 mark = xfrm_mark_get(attrs, &m); 1585 1586 p = nlmsg_data(nlh); 1587 delete = nlh->nlmsg_type == XFRM_MSG_DELPOLICY; 1588 1589 err = copy_from_user_policy_type(&type, attrs); 1590 if (err) 1591 return err; 1592 1593 err = verify_policy_dir(p->dir); 1594 if (err) 1595 return err; 1596 1597 if (p->index) 1598 xp = xfrm_policy_byid(net, mark, type, p->dir, p->index, delete, &err); 1599 else { 1600 struct nlattr *rt = attrs[XFRMA_SEC_CTX]; 1601 struct xfrm_sec_ctx *ctx; 1602 1603 err = verify_sec_ctx_len(attrs); 1604 if (err) 1605 return err; 1606 1607 ctx = NULL; 1608 if (rt) { 1609 struct xfrm_user_sec_ctx *uctx = nla_data(rt); 1610 1611 err = security_xfrm_policy_alloc(&ctx, uctx); 1612 if (err) 1613 return err; 1614 } 1615 xp = xfrm_policy_bysel_ctx(net, mark, type, p->dir, &p->sel, 1616 ctx, delete, &err); 1617 security_xfrm_policy_free(ctx); 1618 } 1619 if (xp == NULL) 1620 return -ENOENT; 1621 1622 if (!delete) { 1623 struct sk_buff *resp_skb; 1624 1625 resp_skb = xfrm_policy_netlink(skb, xp, p->dir, nlh->nlmsg_seq); 1626 if (IS_ERR(resp_skb)) { 1627 err = PTR_ERR(resp_skb); 1628 } else { 1629 err = nlmsg_unicast(net->xfrm.nlsk, resp_skb, 1630 NETLINK_CB(skb).pid); 1631 } 1632 } else { 1633 uid_t loginuid = audit_get_loginuid(current); 1634 u32 sessionid = audit_get_sessionid(current); 1635 u32 sid; 1636 1637 security_task_getsecid(current, &sid); 1638 xfrm_audit_policy_delete(xp, err ? 0 : 1, loginuid, sessionid, 1639 sid); 1640 1641 if (err != 0) 1642 goto out; 1643 1644 c.data.byid = p->index; 1645 c.event = nlh->nlmsg_type; 1646 c.seq = nlh->nlmsg_seq; 1647 c.pid = nlh->nlmsg_pid; 1648 km_policy_notify(xp, p->dir, &c); 1649 } 1650 1651 out: 1652 xfrm_pol_put(xp); 1653 return err; 1654 } 1655 1656 static int xfrm_flush_sa(struct sk_buff *skb, struct nlmsghdr *nlh, 1657 struct nlattr **attrs) 1658 { 1659 struct net *net = sock_net(skb->sk); 1660 struct km_event c; 1661 struct xfrm_usersa_flush *p = nlmsg_data(nlh); 1662 struct xfrm_audit audit_info; 1663 int err; 1664 1665 audit_info.loginuid = audit_get_loginuid(current); 1666 audit_info.sessionid = audit_get_sessionid(current); 1667 security_task_getsecid(current, &audit_info.secid); 1668 err = xfrm_state_flush(net, p->proto, &audit_info); 1669 if (err) { 1670 if (err == -ESRCH) /* empty table */ 1671 return 0; 1672 return err; 1673 } 1674 c.data.proto = p->proto; 1675 c.event = nlh->nlmsg_type; 1676 c.seq = nlh->nlmsg_seq; 1677 c.pid = nlh->nlmsg_pid; 1678 c.net = net; 1679 km_state_notify(NULL, &c); 1680 1681 return 0; 1682 } 1683 1684 static inline size_t xfrm_aevent_msgsize(struct xfrm_state *x) 1685 { 1686 size_t replay_size = x->replay_esn ? 1687 xfrm_replay_state_esn_len(x->replay_esn) : 1688 sizeof(struct xfrm_replay_state); 1689 1690 return NLMSG_ALIGN(sizeof(struct xfrm_aevent_id)) 1691 + nla_total_size(replay_size) 1692 + nla_total_size(sizeof(struct xfrm_lifetime_cur)) 1693 + nla_total_size(sizeof(struct xfrm_mark)) 1694 + nla_total_size(4) /* XFRM_AE_RTHR */ 1695 + nla_total_size(4); /* XFRM_AE_ETHR */ 1696 } 1697 1698 static int build_aevent(struct sk_buff *skb, struct xfrm_state *x, const struct km_event *c) 1699 { 1700 struct xfrm_aevent_id *id; 1701 struct nlmsghdr *nlh; 1702 int err; 1703 1704 nlh = nlmsg_put(skb, c->pid, c->seq, XFRM_MSG_NEWAE, sizeof(*id), 0); 1705 if (nlh == NULL) 1706 return -EMSGSIZE; 1707 1708 id = nlmsg_data(nlh); 1709 memcpy(&id->sa_id.daddr, &x->id.daddr,sizeof(x->id.daddr)); 1710 id->sa_id.spi = x->id.spi; 1711 id->sa_id.family = x->props.family; 1712 id->sa_id.proto = x->id.proto; 1713 memcpy(&id->saddr, &x->props.saddr,sizeof(x->props.saddr)); 1714 id->reqid = x->props.reqid; 1715 id->flags = c->data.aevent; 1716 1717 if (x->replay_esn) { 1718 err = nla_put(skb, XFRMA_REPLAY_ESN_VAL, 1719 xfrm_replay_state_esn_len(x->replay_esn), 1720 x->replay_esn); 1721 } else { 1722 err = nla_put(skb, XFRMA_REPLAY_VAL, sizeof(x->replay), 1723 &x->replay); 1724 } 1725 if (err) 1726 goto out_cancel; 1727 err = nla_put(skb, XFRMA_LTIME_VAL, sizeof(x->curlft), &x->curlft); 1728 if (err) 1729 goto out_cancel; 1730 1731 if (id->flags & XFRM_AE_RTHR) { 1732 err = nla_put_u32(skb, XFRMA_REPLAY_THRESH, x->replay_maxdiff); 1733 if (err) 1734 goto out_cancel; 1735 } 1736 if (id->flags & XFRM_AE_ETHR) { 1737 err = nla_put_u32(skb, XFRMA_ETIMER_THRESH, 1738 x->replay_maxage * 10 / HZ); 1739 if (err) 1740 goto out_cancel; 1741 } 1742 err = xfrm_mark_put(skb, &x->mark); 1743 if (err) 1744 goto out_cancel; 1745 1746 return nlmsg_end(skb, nlh); 1747 1748 out_cancel: 1749 nlmsg_cancel(skb, nlh); 1750 return err; 1751 } 1752 1753 static int xfrm_get_ae(struct sk_buff *skb, struct nlmsghdr *nlh, 1754 struct nlattr **attrs) 1755 { 1756 struct net *net = sock_net(skb->sk); 1757 struct xfrm_state *x; 1758 struct sk_buff *r_skb; 1759 int err; 1760 struct km_event c; 1761 u32 mark; 1762 struct xfrm_mark m; 1763 struct xfrm_aevent_id *p = nlmsg_data(nlh); 1764 struct xfrm_usersa_id *id = &p->sa_id; 1765 1766 mark = xfrm_mark_get(attrs, &m); 1767 1768 x = xfrm_state_lookup(net, mark, &id->daddr, id->spi, id->proto, id->family); 1769 if (x == NULL) 1770 return -ESRCH; 1771 1772 r_skb = nlmsg_new(xfrm_aevent_msgsize(x), GFP_ATOMIC); 1773 if (r_skb == NULL) { 1774 xfrm_state_put(x); 1775 return -ENOMEM; 1776 } 1777 1778 /* 1779 * XXX: is this lock really needed - none of the other 1780 * gets lock (the concern is things getting updated 1781 * while we are still reading) - jhs 1782 */ 1783 spin_lock_bh(&x->lock); 1784 c.data.aevent = p->flags; 1785 c.seq = nlh->nlmsg_seq; 1786 c.pid = nlh->nlmsg_pid; 1787 1788 if (build_aevent(r_skb, x, &c) < 0) 1789 BUG(); 1790 err = nlmsg_unicast(net->xfrm.nlsk, r_skb, NETLINK_CB(skb).pid); 1791 spin_unlock_bh(&x->lock); 1792 xfrm_state_put(x); 1793 return err; 1794 } 1795 1796 static int xfrm_new_ae(struct sk_buff *skb, struct nlmsghdr *nlh, 1797 struct nlattr **attrs) 1798 { 1799 struct net *net = sock_net(skb->sk); 1800 struct xfrm_state *x; 1801 struct km_event c; 1802 int err = - EINVAL; 1803 u32 mark = 0; 1804 struct xfrm_mark m; 1805 struct xfrm_aevent_id *p = nlmsg_data(nlh); 1806 struct nlattr *rp = attrs[XFRMA_REPLAY_VAL]; 1807 struct nlattr *re = attrs[XFRMA_REPLAY_ESN_VAL]; 1808 struct nlattr *lt = attrs[XFRMA_LTIME_VAL]; 1809 1810 if (!lt && !rp && !re) 1811 return err; 1812 1813 /* pedantic mode - thou shalt sayeth replaceth */ 1814 if (!(nlh->nlmsg_flags&NLM_F_REPLACE)) 1815 return err; 1816 1817 mark = xfrm_mark_get(attrs, &m); 1818 1819 x = xfrm_state_lookup(net, mark, &p->sa_id.daddr, p->sa_id.spi, p->sa_id.proto, p->sa_id.family); 1820 if (x == NULL) 1821 return -ESRCH; 1822 1823 if (x->km.state != XFRM_STATE_VALID) 1824 goto out; 1825 1826 err = xfrm_replay_verify_len(x->replay_esn, rp); 1827 if (err) 1828 goto out; 1829 1830 spin_lock_bh(&x->lock); 1831 xfrm_update_ae_params(x, attrs); 1832 spin_unlock_bh(&x->lock); 1833 1834 c.event = nlh->nlmsg_type; 1835 c.seq = nlh->nlmsg_seq; 1836 c.pid = nlh->nlmsg_pid; 1837 c.data.aevent = XFRM_AE_CU; 1838 km_state_notify(x, &c); 1839 err = 0; 1840 out: 1841 xfrm_state_put(x); 1842 return err; 1843 } 1844 1845 static int xfrm_flush_policy(struct sk_buff *skb, struct nlmsghdr *nlh, 1846 struct nlattr **attrs) 1847 { 1848 struct net *net = sock_net(skb->sk); 1849 struct km_event c; 1850 u8 type = XFRM_POLICY_TYPE_MAIN; 1851 int err; 1852 struct xfrm_audit audit_info; 1853 1854 err = copy_from_user_policy_type(&type, attrs); 1855 if (err) 1856 return err; 1857 1858 audit_info.loginuid = audit_get_loginuid(current); 1859 audit_info.sessionid = audit_get_sessionid(current); 1860 security_task_getsecid(current, &audit_info.secid); 1861 err = xfrm_policy_flush(net, type, &audit_info); 1862 if (err) { 1863 if (err == -ESRCH) /* empty table */ 1864 return 0; 1865 return err; 1866 } 1867 1868 c.data.type = type; 1869 c.event = nlh->nlmsg_type; 1870 c.seq = nlh->nlmsg_seq; 1871 c.pid = nlh->nlmsg_pid; 1872 c.net = net; 1873 km_policy_notify(NULL, 0, &c); 1874 return 0; 1875 } 1876 1877 static int xfrm_add_pol_expire(struct sk_buff *skb, struct nlmsghdr *nlh, 1878 struct nlattr **attrs) 1879 { 1880 struct net *net = sock_net(skb->sk); 1881 struct xfrm_policy *xp; 1882 struct xfrm_user_polexpire *up = nlmsg_data(nlh); 1883 struct xfrm_userpolicy_info *p = &up->pol; 1884 u8 type = XFRM_POLICY_TYPE_MAIN; 1885 int err = -ENOENT; 1886 struct xfrm_mark m; 1887 u32 mark = xfrm_mark_get(attrs, &m); 1888 1889 err = copy_from_user_policy_type(&type, attrs); 1890 if (err) 1891 return err; 1892 1893 err = verify_policy_dir(p->dir); 1894 if (err) 1895 return err; 1896 1897 if (p->index) 1898 xp = xfrm_policy_byid(net, mark, type, p->dir, p->index, 0, &err); 1899 else { 1900 struct nlattr *rt = attrs[XFRMA_SEC_CTX]; 1901 struct xfrm_sec_ctx *ctx; 1902 1903 err = verify_sec_ctx_len(attrs); 1904 if (err) 1905 return err; 1906 1907 ctx = NULL; 1908 if (rt) { 1909 struct xfrm_user_sec_ctx *uctx = nla_data(rt); 1910 1911 err = security_xfrm_policy_alloc(&ctx, uctx); 1912 if (err) 1913 return err; 1914 } 1915 xp = xfrm_policy_bysel_ctx(net, mark, type, p->dir, 1916 &p->sel, ctx, 0, &err); 1917 security_xfrm_policy_free(ctx); 1918 } 1919 if (xp == NULL) 1920 return -ENOENT; 1921 1922 if (unlikely(xp->walk.dead)) 1923 goto out; 1924 1925 err = 0; 1926 if (up->hard) { 1927 uid_t loginuid = audit_get_loginuid(current); 1928 u32 sessionid = audit_get_sessionid(current); 1929 u32 sid; 1930 1931 security_task_getsecid(current, &sid); 1932 xfrm_policy_delete(xp, p->dir); 1933 xfrm_audit_policy_delete(xp, 1, loginuid, sessionid, sid); 1934 1935 } else { 1936 // reset the timers here? 1937 WARN(1, "Dont know what to do with soft policy expire\n"); 1938 } 1939 km_policy_expired(xp, p->dir, up->hard, current->pid); 1940 1941 out: 1942 xfrm_pol_put(xp); 1943 return err; 1944 } 1945 1946 static int xfrm_add_sa_expire(struct sk_buff *skb, struct nlmsghdr *nlh, 1947 struct nlattr **attrs) 1948 { 1949 struct net *net = sock_net(skb->sk); 1950 struct xfrm_state *x; 1951 int err; 1952 struct xfrm_user_expire *ue = nlmsg_data(nlh); 1953 struct xfrm_usersa_info *p = &ue->state; 1954 struct xfrm_mark m; 1955 u32 mark = xfrm_mark_get(attrs, &m); 1956 1957 x = xfrm_state_lookup(net, mark, &p->id.daddr, p->id.spi, p->id.proto, p->family); 1958 1959 err = -ENOENT; 1960 if (x == NULL) 1961 return err; 1962 1963 spin_lock_bh(&x->lock); 1964 err = -EINVAL; 1965 if (x->km.state != XFRM_STATE_VALID) 1966 goto out; 1967 km_state_expired(x, ue->hard, current->pid); 1968 1969 if (ue->hard) { 1970 uid_t loginuid = audit_get_loginuid(current); 1971 u32 sessionid = audit_get_sessionid(current); 1972 u32 sid; 1973 1974 security_task_getsecid(current, &sid); 1975 __xfrm_state_delete(x); 1976 xfrm_audit_state_delete(x, 1, loginuid, sessionid, sid); 1977 } 1978 err = 0; 1979 out: 1980 spin_unlock_bh(&x->lock); 1981 xfrm_state_put(x); 1982 return err; 1983 } 1984 1985 static int xfrm_add_acquire(struct sk_buff *skb, struct nlmsghdr *nlh, 1986 struct nlattr **attrs) 1987 { 1988 struct net *net = sock_net(skb->sk); 1989 struct xfrm_policy *xp; 1990 struct xfrm_user_tmpl *ut; 1991 int i; 1992 struct nlattr *rt = attrs[XFRMA_TMPL]; 1993 struct xfrm_mark mark; 1994 1995 struct xfrm_user_acquire *ua = nlmsg_data(nlh); 1996 struct xfrm_state *x = xfrm_state_alloc(net); 1997 int err = -ENOMEM; 1998 1999 if (!x) 2000 goto nomem; 2001 2002 xfrm_mark_get(attrs, &mark); 2003 2004 err = verify_newpolicy_info(&ua->policy); 2005 if (err) 2006 goto bad_policy; 2007 2008 /* build an XP */ 2009 xp = xfrm_policy_construct(net, &ua->policy, attrs, &err); 2010 if (!xp) 2011 goto free_state; 2012 2013 memcpy(&x->id, &ua->id, sizeof(ua->id)); 2014 memcpy(&x->props.saddr, &ua->saddr, sizeof(ua->saddr)); 2015 memcpy(&x->sel, &ua->sel, sizeof(ua->sel)); 2016 xp->mark.m = x->mark.m = mark.m; 2017 xp->mark.v = x->mark.v = mark.v; 2018 ut = nla_data(rt); 2019 /* extract the templates and for each call km_key */ 2020 for (i = 0; i < xp->xfrm_nr; i++, ut++) { 2021 struct xfrm_tmpl *t = &xp->xfrm_vec[i]; 2022 memcpy(&x->id, &t->id, sizeof(x->id)); 2023 x->props.mode = t->mode; 2024 x->props.reqid = t->reqid; 2025 x->props.family = ut->family; 2026 t->aalgos = ua->aalgos; 2027 t->ealgos = ua->ealgos; 2028 t->calgos = ua->calgos; 2029 err = km_query(x, t, xp); 2030 2031 } 2032 2033 kfree(x); 2034 kfree(xp); 2035 2036 return 0; 2037 2038 bad_policy: 2039 WARN(1, "BAD policy passed\n"); 2040 free_state: 2041 kfree(x); 2042 nomem: 2043 return err; 2044 } 2045 2046 #ifdef CONFIG_XFRM_MIGRATE 2047 static int copy_from_user_migrate(struct xfrm_migrate *ma, 2048 struct xfrm_kmaddress *k, 2049 struct nlattr **attrs, int *num) 2050 { 2051 struct nlattr *rt = attrs[XFRMA_MIGRATE]; 2052 struct xfrm_user_migrate *um; 2053 int i, num_migrate; 2054 2055 if (k != NULL) { 2056 struct xfrm_user_kmaddress *uk; 2057 2058 uk = nla_data(attrs[XFRMA_KMADDRESS]); 2059 memcpy(&k->local, &uk->local, sizeof(k->local)); 2060 memcpy(&k->remote, &uk->remote, sizeof(k->remote)); 2061 k->family = uk->family; 2062 k->reserved = uk->reserved; 2063 } 2064 2065 um = nla_data(rt); 2066 num_migrate = nla_len(rt) / sizeof(*um); 2067 2068 if (num_migrate <= 0 || num_migrate > XFRM_MAX_DEPTH) 2069 return -EINVAL; 2070 2071 for (i = 0; i < num_migrate; i++, um++, ma++) { 2072 memcpy(&ma->old_daddr, &um->old_daddr, sizeof(ma->old_daddr)); 2073 memcpy(&ma->old_saddr, &um->old_saddr, sizeof(ma->old_saddr)); 2074 memcpy(&ma->new_daddr, &um->new_daddr, sizeof(ma->new_daddr)); 2075 memcpy(&ma->new_saddr, &um->new_saddr, sizeof(ma->new_saddr)); 2076 2077 ma->proto = um->proto; 2078 ma->mode = um->mode; 2079 ma->reqid = um->reqid; 2080 2081 ma->old_family = um->old_family; 2082 ma->new_family = um->new_family; 2083 } 2084 2085 *num = i; 2086 return 0; 2087 } 2088 2089 static int xfrm_do_migrate(struct sk_buff *skb, struct nlmsghdr *nlh, 2090 struct nlattr **attrs) 2091 { 2092 struct xfrm_userpolicy_id *pi = nlmsg_data(nlh); 2093 struct xfrm_migrate m[XFRM_MAX_DEPTH]; 2094 struct xfrm_kmaddress km, *kmp; 2095 u8 type; 2096 int err; 2097 int n = 0; 2098 2099 if (attrs[XFRMA_MIGRATE] == NULL) 2100 return -EINVAL; 2101 2102 kmp = attrs[XFRMA_KMADDRESS] ? &km : NULL; 2103 2104 err = copy_from_user_policy_type(&type, attrs); 2105 if (err) 2106 return err; 2107 2108 err = copy_from_user_migrate((struct xfrm_migrate *)m, kmp, attrs, &n); 2109 if (err) 2110 return err; 2111 2112 if (!n) 2113 return 0; 2114 2115 xfrm_migrate(&pi->sel, pi->dir, type, m, n, kmp); 2116 2117 return 0; 2118 } 2119 #else 2120 static int xfrm_do_migrate(struct sk_buff *skb, struct nlmsghdr *nlh, 2121 struct nlattr **attrs) 2122 { 2123 return -ENOPROTOOPT; 2124 } 2125 #endif 2126 2127 #ifdef CONFIG_XFRM_MIGRATE 2128 static int copy_to_user_migrate(const struct xfrm_migrate *m, struct sk_buff *skb) 2129 { 2130 struct xfrm_user_migrate um; 2131 2132 memset(&um, 0, sizeof(um)); 2133 um.proto = m->proto; 2134 um.mode = m->mode; 2135 um.reqid = m->reqid; 2136 um.old_family = m->old_family; 2137 memcpy(&um.old_daddr, &m->old_daddr, sizeof(um.old_daddr)); 2138 memcpy(&um.old_saddr, &m->old_saddr, sizeof(um.old_saddr)); 2139 um.new_family = m->new_family; 2140 memcpy(&um.new_daddr, &m->new_daddr, sizeof(um.new_daddr)); 2141 memcpy(&um.new_saddr, &m->new_saddr, sizeof(um.new_saddr)); 2142 2143 return nla_put(skb, XFRMA_MIGRATE, sizeof(um), &um); 2144 } 2145 2146 static int copy_to_user_kmaddress(const struct xfrm_kmaddress *k, struct sk_buff *skb) 2147 { 2148 struct xfrm_user_kmaddress uk; 2149 2150 memset(&uk, 0, sizeof(uk)); 2151 uk.family = k->family; 2152 uk.reserved = k->reserved; 2153 memcpy(&uk.local, &k->local, sizeof(uk.local)); 2154 memcpy(&uk.remote, &k->remote, sizeof(uk.remote)); 2155 2156 return nla_put(skb, XFRMA_KMADDRESS, sizeof(uk), &uk); 2157 } 2158 2159 static inline size_t xfrm_migrate_msgsize(int num_migrate, int with_kma) 2160 { 2161 return NLMSG_ALIGN(sizeof(struct xfrm_userpolicy_id)) 2162 + (with_kma ? nla_total_size(sizeof(struct xfrm_kmaddress)) : 0) 2163 + nla_total_size(sizeof(struct xfrm_user_migrate) * num_migrate) 2164 + userpolicy_type_attrsize(); 2165 } 2166 2167 static int build_migrate(struct sk_buff *skb, const struct xfrm_migrate *m, 2168 int num_migrate, const struct xfrm_kmaddress *k, 2169 const struct xfrm_selector *sel, u8 dir, u8 type) 2170 { 2171 const struct xfrm_migrate *mp; 2172 struct xfrm_userpolicy_id *pol_id; 2173 struct nlmsghdr *nlh; 2174 int i, err; 2175 2176 nlh = nlmsg_put(skb, 0, 0, XFRM_MSG_MIGRATE, sizeof(*pol_id), 0); 2177 if (nlh == NULL) 2178 return -EMSGSIZE; 2179 2180 pol_id = nlmsg_data(nlh); 2181 /* copy data from selector, dir, and type to the pol_id */ 2182 memset(pol_id, 0, sizeof(*pol_id)); 2183 memcpy(&pol_id->sel, sel, sizeof(pol_id->sel)); 2184 pol_id->dir = dir; 2185 2186 if (k != NULL) { 2187 err = copy_to_user_kmaddress(k, skb); 2188 if (err) 2189 goto out_cancel; 2190 } 2191 err = copy_to_user_policy_type(type, skb); 2192 if (err) 2193 goto out_cancel; 2194 for (i = 0, mp = m ; i < num_migrate; i++, mp++) { 2195 err = copy_to_user_migrate(mp, skb); 2196 if (err) 2197 goto out_cancel; 2198 } 2199 2200 return nlmsg_end(skb, nlh); 2201 2202 out_cancel: 2203 nlmsg_cancel(skb, nlh); 2204 return err; 2205 } 2206 2207 static int xfrm_send_migrate(const struct xfrm_selector *sel, u8 dir, u8 type, 2208 const struct xfrm_migrate *m, int num_migrate, 2209 const struct xfrm_kmaddress *k) 2210 { 2211 struct net *net = &init_net; 2212 struct sk_buff *skb; 2213 2214 skb = nlmsg_new(xfrm_migrate_msgsize(num_migrate, !!k), GFP_ATOMIC); 2215 if (skb == NULL) 2216 return -ENOMEM; 2217 2218 /* build migrate */ 2219 if (build_migrate(skb, m, num_migrate, k, sel, dir, type) < 0) 2220 BUG(); 2221 2222 return nlmsg_multicast(net->xfrm.nlsk, skb, 0, XFRMNLGRP_MIGRATE, GFP_ATOMIC); 2223 } 2224 #else 2225 static int xfrm_send_migrate(const struct xfrm_selector *sel, u8 dir, u8 type, 2226 const struct xfrm_migrate *m, int num_migrate, 2227 const struct xfrm_kmaddress *k) 2228 { 2229 return -ENOPROTOOPT; 2230 } 2231 #endif 2232 2233 #define XMSGSIZE(type) sizeof(struct type) 2234 2235 static const int xfrm_msg_min[XFRM_NR_MSGTYPES] = { 2236 [XFRM_MSG_NEWSA - XFRM_MSG_BASE] = XMSGSIZE(xfrm_usersa_info), 2237 [XFRM_MSG_DELSA - XFRM_MSG_BASE] = XMSGSIZE(xfrm_usersa_id), 2238 [XFRM_MSG_GETSA - XFRM_MSG_BASE] = XMSGSIZE(xfrm_usersa_id), 2239 [XFRM_MSG_NEWPOLICY - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_info), 2240 [XFRM_MSG_DELPOLICY - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_id), 2241 [XFRM_MSG_GETPOLICY - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_id), 2242 [XFRM_MSG_ALLOCSPI - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userspi_info), 2243 [XFRM_MSG_ACQUIRE - XFRM_MSG_BASE] = XMSGSIZE(xfrm_user_acquire), 2244 [XFRM_MSG_EXPIRE - XFRM_MSG_BASE] = XMSGSIZE(xfrm_user_expire), 2245 [XFRM_MSG_UPDPOLICY - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_info), 2246 [XFRM_MSG_UPDSA - XFRM_MSG_BASE] = XMSGSIZE(xfrm_usersa_info), 2247 [XFRM_MSG_POLEXPIRE - XFRM_MSG_BASE] = XMSGSIZE(xfrm_user_polexpire), 2248 [XFRM_MSG_FLUSHSA - XFRM_MSG_BASE] = XMSGSIZE(xfrm_usersa_flush), 2249 [XFRM_MSG_FLUSHPOLICY - XFRM_MSG_BASE] = 0, 2250 [XFRM_MSG_NEWAE - XFRM_MSG_BASE] = XMSGSIZE(xfrm_aevent_id), 2251 [XFRM_MSG_GETAE - XFRM_MSG_BASE] = XMSGSIZE(xfrm_aevent_id), 2252 [XFRM_MSG_REPORT - XFRM_MSG_BASE] = XMSGSIZE(xfrm_user_report), 2253 [XFRM_MSG_MIGRATE - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_id), 2254 [XFRM_MSG_GETSADINFO - XFRM_MSG_BASE] = sizeof(u32), 2255 [XFRM_MSG_GETSPDINFO - XFRM_MSG_BASE] = sizeof(u32), 2256 }; 2257 2258 #undef XMSGSIZE 2259 2260 static const struct nla_policy xfrma_policy[XFRMA_MAX+1] = { 2261 [XFRMA_SA] = { .len = sizeof(struct xfrm_usersa_info)}, 2262 [XFRMA_POLICY] = { .len = sizeof(struct xfrm_userpolicy_info)}, 2263 [XFRMA_LASTUSED] = { .type = NLA_U64}, 2264 [XFRMA_ALG_AUTH_TRUNC] = { .len = sizeof(struct xfrm_algo_auth)}, 2265 [XFRMA_ALG_AEAD] = { .len = sizeof(struct xfrm_algo_aead) }, 2266 [XFRMA_ALG_AUTH] = { .len = sizeof(struct xfrm_algo) }, 2267 [XFRMA_ALG_CRYPT] = { .len = sizeof(struct xfrm_algo) }, 2268 [XFRMA_ALG_COMP] = { .len = sizeof(struct xfrm_algo) }, 2269 [XFRMA_ENCAP] = { .len = sizeof(struct xfrm_encap_tmpl) }, 2270 [XFRMA_TMPL] = { .len = sizeof(struct xfrm_user_tmpl) }, 2271 [XFRMA_SEC_CTX] = { .len = sizeof(struct xfrm_sec_ctx) }, 2272 [XFRMA_LTIME_VAL] = { .len = sizeof(struct xfrm_lifetime_cur) }, 2273 [XFRMA_REPLAY_VAL] = { .len = sizeof(struct xfrm_replay_state) }, 2274 [XFRMA_REPLAY_THRESH] = { .type = NLA_U32 }, 2275 [XFRMA_ETIMER_THRESH] = { .type = NLA_U32 }, 2276 [XFRMA_SRCADDR] = { .len = sizeof(xfrm_address_t) }, 2277 [XFRMA_COADDR] = { .len = sizeof(xfrm_address_t) }, 2278 [XFRMA_POLICY_TYPE] = { .len = sizeof(struct xfrm_userpolicy_type)}, 2279 [XFRMA_MIGRATE] = { .len = sizeof(struct xfrm_user_migrate) }, 2280 [XFRMA_KMADDRESS] = { .len = sizeof(struct xfrm_user_kmaddress) }, 2281 [XFRMA_MARK] = { .len = sizeof(struct xfrm_mark) }, 2282 [XFRMA_TFCPAD] = { .type = NLA_U32 }, 2283 [XFRMA_REPLAY_ESN_VAL] = { .len = sizeof(struct xfrm_replay_state_esn) }, 2284 }; 2285 2286 static struct xfrm_link { 2287 int (*doit)(struct sk_buff *, struct nlmsghdr *, struct nlattr **); 2288 int (*dump)(struct sk_buff *, struct netlink_callback *); 2289 int (*done)(struct netlink_callback *); 2290 } xfrm_dispatch[XFRM_NR_MSGTYPES] = { 2291 [XFRM_MSG_NEWSA - XFRM_MSG_BASE] = { .doit = xfrm_add_sa }, 2292 [XFRM_MSG_DELSA - XFRM_MSG_BASE] = { .doit = xfrm_del_sa }, 2293 [XFRM_MSG_GETSA - XFRM_MSG_BASE] = { .doit = xfrm_get_sa, 2294 .dump = xfrm_dump_sa, 2295 .done = xfrm_dump_sa_done }, 2296 [XFRM_MSG_NEWPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_add_policy }, 2297 [XFRM_MSG_DELPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_get_policy }, 2298 [XFRM_MSG_GETPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_get_policy, 2299 .dump = xfrm_dump_policy, 2300 .done = xfrm_dump_policy_done }, 2301 [XFRM_MSG_ALLOCSPI - XFRM_MSG_BASE] = { .doit = xfrm_alloc_userspi }, 2302 [XFRM_MSG_ACQUIRE - XFRM_MSG_BASE] = { .doit = xfrm_add_acquire }, 2303 [XFRM_MSG_EXPIRE - XFRM_MSG_BASE] = { .doit = xfrm_add_sa_expire }, 2304 [XFRM_MSG_UPDPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_add_policy }, 2305 [XFRM_MSG_UPDSA - XFRM_MSG_BASE] = { .doit = xfrm_add_sa }, 2306 [XFRM_MSG_POLEXPIRE - XFRM_MSG_BASE] = { .doit = xfrm_add_pol_expire}, 2307 [XFRM_MSG_FLUSHSA - XFRM_MSG_BASE] = { .doit = xfrm_flush_sa }, 2308 [XFRM_MSG_FLUSHPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_flush_policy }, 2309 [XFRM_MSG_NEWAE - XFRM_MSG_BASE] = { .doit = xfrm_new_ae }, 2310 [XFRM_MSG_GETAE - XFRM_MSG_BASE] = { .doit = xfrm_get_ae }, 2311 [XFRM_MSG_MIGRATE - XFRM_MSG_BASE] = { .doit = xfrm_do_migrate }, 2312 [XFRM_MSG_GETSADINFO - XFRM_MSG_BASE] = { .doit = xfrm_get_sadinfo }, 2313 [XFRM_MSG_GETSPDINFO - XFRM_MSG_BASE] = { .doit = xfrm_get_spdinfo }, 2314 }; 2315 2316 static int xfrm_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh) 2317 { 2318 struct net *net = sock_net(skb->sk); 2319 struct nlattr *attrs[XFRMA_MAX+1]; 2320 struct xfrm_link *link; 2321 int type, err; 2322 2323 type = nlh->nlmsg_type; 2324 if (type > XFRM_MSG_MAX) 2325 return -EINVAL; 2326 2327 type -= XFRM_MSG_BASE; 2328 link = &xfrm_dispatch[type]; 2329 2330 /* All operations require privileges, even GET */ 2331 if (!capable(CAP_NET_ADMIN)) 2332 return -EPERM; 2333 2334 if ((type == (XFRM_MSG_GETSA - XFRM_MSG_BASE) || 2335 type == (XFRM_MSG_GETPOLICY - XFRM_MSG_BASE)) && 2336 (nlh->nlmsg_flags & NLM_F_DUMP)) { 2337 if (link->dump == NULL) 2338 return -EINVAL; 2339 2340 { 2341 struct netlink_dump_control c = { 2342 .dump = link->dump, 2343 .done = link->done, 2344 }; 2345 return netlink_dump_start(net->xfrm.nlsk, skb, nlh, &c); 2346 } 2347 } 2348 2349 err = nlmsg_parse(nlh, xfrm_msg_min[type], attrs, XFRMA_MAX, 2350 xfrma_policy); 2351 if (err < 0) 2352 return err; 2353 2354 if (link->doit == NULL) 2355 return -EINVAL; 2356 2357 return link->doit(skb, nlh, attrs); 2358 } 2359 2360 static void xfrm_netlink_rcv(struct sk_buff *skb) 2361 { 2362 mutex_lock(&xfrm_cfg_mutex); 2363 netlink_rcv_skb(skb, &xfrm_user_rcv_msg); 2364 mutex_unlock(&xfrm_cfg_mutex); 2365 } 2366 2367 static inline size_t xfrm_expire_msgsize(void) 2368 { 2369 return NLMSG_ALIGN(sizeof(struct xfrm_user_expire)) 2370 + nla_total_size(sizeof(struct xfrm_mark)); 2371 } 2372 2373 static int build_expire(struct sk_buff *skb, struct xfrm_state *x, const struct km_event *c) 2374 { 2375 struct xfrm_user_expire *ue; 2376 struct nlmsghdr *nlh; 2377 int err; 2378 2379 nlh = nlmsg_put(skb, c->pid, 0, XFRM_MSG_EXPIRE, sizeof(*ue), 0); 2380 if (nlh == NULL) 2381 return -EMSGSIZE; 2382 2383 ue = nlmsg_data(nlh); 2384 copy_to_user_state(x, &ue->state); 2385 ue->hard = (c->data.hard != 0) ? 1 : 0; 2386 2387 err = xfrm_mark_put(skb, &x->mark); 2388 if (err) 2389 return err; 2390 2391 return nlmsg_end(skb, nlh); 2392 } 2393 2394 static int xfrm_exp_state_notify(struct xfrm_state *x, const struct km_event *c) 2395 { 2396 struct net *net = xs_net(x); 2397 struct sk_buff *skb; 2398 2399 skb = nlmsg_new(xfrm_expire_msgsize(), GFP_ATOMIC); 2400 if (skb == NULL) 2401 return -ENOMEM; 2402 2403 if (build_expire(skb, x, c) < 0) { 2404 kfree_skb(skb); 2405 return -EMSGSIZE; 2406 } 2407 2408 return nlmsg_multicast(net->xfrm.nlsk, skb, 0, XFRMNLGRP_EXPIRE, GFP_ATOMIC); 2409 } 2410 2411 static int xfrm_aevent_state_notify(struct xfrm_state *x, const struct km_event *c) 2412 { 2413 struct net *net = xs_net(x); 2414 struct sk_buff *skb; 2415 2416 skb = nlmsg_new(xfrm_aevent_msgsize(x), GFP_ATOMIC); 2417 if (skb == NULL) 2418 return -ENOMEM; 2419 2420 if (build_aevent(skb, x, c) < 0) 2421 BUG(); 2422 2423 return nlmsg_multicast(net->xfrm.nlsk, skb, 0, XFRMNLGRP_AEVENTS, GFP_ATOMIC); 2424 } 2425 2426 static int xfrm_notify_sa_flush(const struct km_event *c) 2427 { 2428 struct net *net = c->net; 2429 struct xfrm_usersa_flush *p; 2430 struct nlmsghdr *nlh; 2431 struct sk_buff *skb; 2432 int len = NLMSG_ALIGN(sizeof(struct xfrm_usersa_flush)); 2433 2434 skb = nlmsg_new(len, GFP_ATOMIC); 2435 if (skb == NULL) 2436 return -ENOMEM; 2437 2438 nlh = nlmsg_put(skb, c->pid, c->seq, XFRM_MSG_FLUSHSA, sizeof(*p), 0); 2439 if (nlh == NULL) { 2440 kfree_skb(skb); 2441 return -EMSGSIZE; 2442 } 2443 2444 p = nlmsg_data(nlh); 2445 p->proto = c->data.proto; 2446 2447 nlmsg_end(skb, nlh); 2448 2449 return nlmsg_multicast(net->xfrm.nlsk, skb, 0, XFRMNLGRP_SA, GFP_ATOMIC); 2450 } 2451 2452 static inline size_t xfrm_sa_len(struct xfrm_state *x) 2453 { 2454 size_t l = 0; 2455 if (x->aead) 2456 l += nla_total_size(aead_len(x->aead)); 2457 if (x->aalg) { 2458 l += nla_total_size(sizeof(struct xfrm_algo) + 2459 (x->aalg->alg_key_len + 7) / 8); 2460 l += nla_total_size(xfrm_alg_auth_len(x->aalg)); 2461 } 2462 if (x->ealg) 2463 l += nla_total_size(xfrm_alg_len(x->ealg)); 2464 if (x->calg) 2465 l += nla_total_size(sizeof(*x->calg)); 2466 if (x->encap) 2467 l += nla_total_size(sizeof(*x->encap)); 2468 if (x->tfcpad) 2469 l += nla_total_size(sizeof(x->tfcpad)); 2470 if (x->replay_esn) 2471 l += nla_total_size(xfrm_replay_state_esn_len(x->replay_esn)); 2472 if (x->security) 2473 l += nla_total_size(sizeof(struct xfrm_user_sec_ctx) + 2474 x->security->ctx_len); 2475 if (x->coaddr) 2476 l += nla_total_size(sizeof(*x->coaddr)); 2477 2478 /* Must count x->lastused as it may become non-zero behind our back. */ 2479 l += nla_total_size(sizeof(u64)); 2480 2481 return l; 2482 } 2483 2484 static int xfrm_notify_sa(struct xfrm_state *x, const struct km_event *c) 2485 { 2486 struct net *net = xs_net(x); 2487 struct xfrm_usersa_info *p; 2488 struct xfrm_usersa_id *id; 2489 struct nlmsghdr *nlh; 2490 struct sk_buff *skb; 2491 int len = xfrm_sa_len(x); 2492 int headlen, err; 2493 2494 headlen = sizeof(*p); 2495 if (c->event == XFRM_MSG_DELSA) { 2496 len += nla_total_size(headlen); 2497 headlen = sizeof(*id); 2498 len += nla_total_size(sizeof(struct xfrm_mark)); 2499 } 2500 len += NLMSG_ALIGN(headlen); 2501 2502 skb = nlmsg_new(len, GFP_ATOMIC); 2503 if (skb == NULL) 2504 return -ENOMEM; 2505 2506 nlh = nlmsg_put(skb, c->pid, c->seq, c->event, headlen, 0); 2507 err = -EMSGSIZE; 2508 if (nlh == NULL) 2509 goto out_free_skb; 2510 2511 p = nlmsg_data(nlh); 2512 if (c->event == XFRM_MSG_DELSA) { 2513 struct nlattr *attr; 2514 2515 id = nlmsg_data(nlh); 2516 memcpy(&id->daddr, &x->id.daddr, sizeof(id->daddr)); 2517 id->spi = x->id.spi; 2518 id->family = x->props.family; 2519 id->proto = x->id.proto; 2520 2521 attr = nla_reserve(skb, XFRMA_SA, sizeof(*p)); 2522 err = -EMSGSIZE; 2523 if (attr == NULL) 2524 goto out_free_skb; 2525 2526 p = nla_data(attr); 2527 } 2528 err = copy_to_user_state_extra(x, p, skb); 2529 if (err) 2530 goto out_free_skb; 2531 2532 nlmsg_end(skb, nlh); 2533 2534 return nlmsg_multicast(net->xfrm.nlsk, skb, 0, XFRMNLGRP_SA, GFP_ATOMIC); 2535 2536 out_free_skb: 2537 kfree_skb(skb); 2538 return err; 2539 } 2540 2541 static int xfrm_send_state_notify(struct xfrm_state *x, const struct km_event *c) 2542 { 2543 2544 switch (c->event) { 2545 case XFRM_MSG_EXPIRE: 2546 return xfrm_exp_state_notify(x, c); 2547 case XFRM_MSG_NEWAE: 2548 return xfrm_aevent_state_notify(x, c); 2549 case XFRM_MSG_DELSA: 2550 case XFRM_MSG_UPDSA: 2551 case XFRM_MSG_NEWSA: 2552 return xfrm_notify_sa(x, c); 2553 case XFRM_MSG_FLUSHSA: 2554 return xfrm_notify_sa_flush(c); 2555 default: 2556 printk(KERN_NOTICE "xfrm_user: Unknown SA event %d\n", 2557 c->event); 2558 break; 2559 } 2560 2561 return 0; 2562 2563 } 2564 2565 static inline size_t xfrm_acquire_msgsize(struct xfrm_state *x, 2566 struct xfrm_policy *xp) 2567 { 2568 return NLMSG_ALIGN(sizeof(struct xfrm_user_acquire)) 2569 + nla_total_size(sizeof(struct xfrm_user_tmpl) * xp->xfrm_nr) 2570 + nla_total_size(sizeof(struct xfrm_mark)) 2571 + nla_total_size(xfrm_user_sec_ctx_size(x->security)) 2572 + userpolicy_type_attrsize(); 2573 } 2574 2575 static int build_acquire(struct sk_buff *skb, struct xfrm_state *x, 2576 struct xfrm_tmpl *xt, struct xfrm_policy *xp, 2577 int dir) 2578 { 2579 __u32 seq = xfrm_get_acqseq(); 2580 struct xfrm_user_acquire *ua; 2581 struct nlmsghdr *nlh; 2582 int err; 2583 2584 nlh = nlmsg_put(skb, 0, 0, XFRM_MSG_ACQUIRE, sizeof(*ua), 0); 2585 if (nlh == NULL) 2586 return -EMSGSIZE; 2587 2588 ua = nlmsg_data(nlh); 2589 memcpy(&ua->id, &x->id, sizeof(ua->id)); 2590 memcpy(&ua->saddr, &x->props.saddr, sizeof(ua->saddr)); 2591 memcpy(&ua->sel, &x->sel, sizeof(ua->sel)); 2592 copy_to_user_policy(xp, &ua->policy, dir); 2593 ua->aalgos = xt->aalgos; 2594 ua->ealgos = xt->ealgos; 2595 ua->calgos = xt->calgos; 2596 ua->seq = x->km.seq = seq; 2597 2598 err = copy_to_user_tmpl(xp, skb); 2599 if (!err) 2600 err = copy_to_user_state_sec_ctx(x, skb); 2601 if (!err) 2602 err = copy_to_user_policy_type(xp->type, skb); 2603 if (!err) 2604 err = xfrm_mark_put(skb, &xp->mark); 2605 if (err) { 2606 nlmsg_cancel(skb, nlh); 2607 return err; 2608 } 2609 2610 return nlmsg_end(skb, nlh); 2611 } 2612 2613 static int xfrm_send_acquire(struct xfrm_state *x, struct xfrm_tmpl *xt, 2614 struct xfrm_policy *xp, int dir) 2615 { 2616 struct net *net = xs_net(x); 2617 struct sk_buff *skb; 2618 2619 skb = nlmsg_new(xfrm_acquire_msgsize(x, xp), GFP_ATOMIC); 2620 if (skb == NULL) 2621 return -ENOMEM; 2622 2623 if (build_acquire(skb, x, xt, xp, dir) < 0) 2624 BUG(); 2625 2626 return nlmsg_multicast(net->xfrm.nlsk, skb, 0, XFRMNLGRP_ACQUIRE, GFP_ATOMIC); 2627 } 2628 2629 /* User gives us xfrm_user_policy_info followed by an array of 0 2630 * or more templates. 2631 */ 2632 static struct xfrm_policy *xfrm_compile_policy(struct sock *sk, int opt, 2633 u8 *data, int len, int *dir) 2634 { 2635 struct net *net = sock_net(sk); 2636 struct xfrm_userpolicy_info *p = (struct xfrm_userpolicy_info *)data; 2637 struct xfrm_user_tmpl *ut = (struct xfrm_user_tmpl *) (p + 1); 2638 struct xfrm_policy *xp; 2639 int nr; 2640 2641 switch (sk->sk_family) { 2642 case AF_INET: 2643 if (opt != IP_XFRM_POLICY) { 2644 *dir = -EOPNOTSUPP; 2645 return NULL; 2646 } 2647 break; 2648 #if IS_ENABLED(CONFIG_IPV6) 2649 case AF_INET6: 2650 if (opt != IPV6_XFRM_POLICY) { 2651 *dir = -EOPNOTSUPP; 2652 return NULL; 2653 } 2654 break; 2655 #endif 2656 default: 2657 *dir = -EINVAL; 2658 return NULL; 2659 } 2660 2661 *dir = -EINVAL; 2662 2663 if (len < sizeof(*p) || 2664 verify_newpolicy_info(p)) 2665 return NULL; 2666 2667 nr = ((len - sizeof(*p)) / sizeof(*ut)); 2668 if (validate_tmpl(nr, ut, p->sel.family)) 2669 return NULL; 2670 2671 if (p->dir > XFRM_POLICY_OUT) 2672 return NULL; 2673 2674 xp = xfrm_policy_alloc(net, GFP_ATOMIC); 2675 if (xp == NULL) { 2676 *dir = -ENOBUFS; 2677 return NULL; 2678 } 2679 2680 copy_from_user_policy(xp, p); 2681 xp->type = XFRM_POLICY_TYPE_MAIN; 2682 copy_templates(xp, ut, nr); 2683 2684 *dir = p->dir; 2685 2686 return xp; 2687 } 2688 2689 static inline size_t xfrm_polexpire_msgsize(struct xfrm_policy *xp) 2690 { 2691 return NLMSG_ALIGN(sizeof(struct xfrm_user_polexpire)) 2692 + nla_total_size(sizeof(struct xfrm_user_tmpl) * xp->xfrm_nr) 2693 + nla_total_size(xfrm_user_sec_ctx_size(xp->security)) 2694 + nla_total_size(sizeof(struct xfrm_mark)) 2695 + userpolicy_type_attrsize(); 2696 } 2697 2698 static int build_polexpire(struct sk_buff *skb, struct xfrm_policy *xp, 2699 int dir, const struct km_event *c) 2700 { 2701 struct xfrm_user_polexpire *upe; 2702 int hard = c->data.hard; 2703 struct nlmsghdr *nlh; 2704 int err; 2705 2706 nlh = nlmsg_put(skb, c->pid, 0, XFRM_MSG_POLEXPIRE, sizeof(*upe), 0); 2707 if (nlh == NULL) 2708 return -EMSGSIZE; 2709 2710 upe = nlmsg_data(nlh); 2711 copy_to_user_policy(xp, &upe->pol, dir); 2712 err = copy_to_user_tmpl(xp, skb); 2713 if (!err) 2714 err = copy_to_user_sec_ctx(xp, skb); 2715 if (!err) 2716 err = copy_to_user_policy_type(xp->type, skb); 2717 if (!err) 2718 err = xfrm_mark_put(skb, &xp->mark); 2719 if (err) { 2720 nlmsg_cancel(skb, nlh); 2721 return err; 2722 } 2723 upe->hard = !!hard; 2724 2725 return nlmsg_end(skb, nlh); 2726 } 2727 2728 static int xfrm_exp_policy_notify(struct xfrm_policy *xp, int dir, const struct km_event *c) 2729 { 2730 struct net *net = xp_net(xp); 2731 struct sk_buff *skb; 2732 2733 skb = nlmsg_new(xfrm_polexpire_msgsize(xp), GFP_ATOMIC); 2734 if (skb == NULL) 2735 return -ENOMEM; 2736 2737 if (build_polexpire(skb, xp, dir, c) < 0) 2738 BUG(); 2739 2740 return nlmsg_multicast(net->xfrm.nlsk, skb, 0, XFRMNLGRP_EXPIRE, GFP_ATOMIC); 2741 } 2742 2743 static int xfrm_notify_policy(struct xfrm_policy *xp, int dir, const struct km_event *c) 2744 { 2745 int len = nla_total_size(sizeof(struct xfrm_user_tmpl) * xp->xfrm_nr); 2746 struct net *net = xp_net(xp); 2747 struct xfrm_userpolicy_info *p; 2748 struct xfrm_userpolicy_id *id; 2749 struct nlmsghdr *nlh; 2750 struct sk_buff *skb; 2751 int headlen, err; 2752 2753 headlen = sizeof(*p); 2754 if (c->event == XFRM_MSG_DELPOLICY) { 2755 len += nla_total_size(headlen); 2756 headlen = sizeof(*id); 2757 } 2758 len += userpolicy_type_attrsize(); 2759 len += nla_total_size(sizeof(struct xfrm_mark)); 2760 len += NLMSG_ALIGN(headlen); 2761 2762 skb = nlmsg_new(len, GFP_ATOMIC); 2763 if (skb == NULL) 2764 return -ENOMEM; 2765 2766 nlh = nlmsg_put(skb, c->pid, c->seq, c->event, headlen, 0); 2767 err = -EMSGSIZE; 2768 if (nlh == NULL) 2769 goto out_free_skb; 2770 2771 p = nlmsg_data(nlh); 2772 if (c->event == XFRM_MSG_DELPOLICY) { 2773 struct nlattr *attr; 2774 2775 id = nlmsg_data(nlh); 2776 memset(id, 0, sizeof(*id)); 2777 id->dir = dir; 2778 if (c->data.byid) 2779 id->index = xp->index; 2780 else 2781 memcpy(&id->sel, &xp->selector, sizeof(id->sel)); 2782 2783 attr = nla_reserve(skb, XFRMA_POLICY, sizeof(*p)); 2784 err = -EMSGSIZE; 2785 if (attr == NULL) 2786 goto out_free_skb; 2787 2788 p = nla_data(attr); 2789 } 2790 2791 copy_to_user_policy(xp, p, dir); 2792 err = copy_to_user_tmpl(xp, skb); 2793 if (!err) 2794 err = copy_to_user_policy_type(xp->type, skb); 2795 if (!err) 2796 err = xfrm_mark_put(skb, &xp->mark); 2797 if (err) 2798 goto out_free_skb; 2799 2800 nlmsg_end(skb, nlh); 2801 2802 return nlmsg_multicast(net->xfrm.nlsk, skb, 0, XFRMNLGRP_POLICY, GFP_ATOMIC); 2803 2804 out_free_skb: 2805 kfree_skb(skb); 2806 return err; 2807 } 2808 2809 static int xfrm_notify_policy_flush(const struct km_event *c) 2810 { 2811 struct net *net = c->net; 2812 struct nlmsghdr *nlh; 2813 struct sk_buff *skb; 2814 int err; 2815 2816 skb = nlmsg_new(userpolicy_type_attrsize(), GFP_ATOMIC); 2817 if (skb == NULL) 2818 return -ENOMEM; 2819 2820 nlh = nlmsg_put(skb, c->pid, c->seq, XFRM_MSG_FLUSHPOLICY, 0, 0); 2821 err = -EMSGSIZE; 2822 if (nlh == NULL) 2823 goto out_free_skb; 2824 err = copy_to_user_policy_type(c->data.type, skb); 2825 if (err) 2826 goto out_free_skb; 2827 2828 nlmsg_end(skb, nlh); 2829 2830 return nlmsg_multicast(net->xfrm.nlsk, skb, 0, XFRMNLGRP_POLICY, GFP_ATOMIC); 2831 2832 out_free_skb: 2833 kfree_skb(skb); 2834 return err; 2835 } 2836 2837 static int xfrm_send_policy_notify(struct xfrm_policy *xp, int dir, const struct km_event *c) 2838 { 2839 2840 switch (c->event) { 2841 case XFRM_MSG_NEWPOLICY: 2842 case XFRM_MSG_UPDPOLICY: 2843 case XFRM_MSG_DELPOLICY: 2844 return xfrm_notify_policy(xp, dir, c); 2845 case XFRM_MSG_FLUSHPOLICY: 2846 return xfrm_notify_policy_flush(c); 2847 case XFRM_MSG_POLEXPIRE: 2848 return xfrm_exp_policy_notify(xp, dir, c); 2849 default: 2850 printk(KERN_NOTICE "xfrm_user: Unknown Policy event %d\n", 2851 c->event); 2852 } 2853 2854 return 0; 2855 2856 } 2857 2858 static inline size_t xfrm_report_msgsize(void) 2859 { 2860 return NLMSG_ALIGN(sizeof(struct xfrm_user_report)); 2861 } 2862 2863 static int build_report(struct sk_buff *skb, u8 proto, 2864 struct xfrm_selector *sel, xfrm_address_t *addr) 2865 { 2866 struct xfrm_user_report *ur; 2867 struct nlmsghdr *nlh; 2868 2869 nlh = nlmsg_put(skb, 0, 0, XFRM_MSG_REPORT, sizeof(*ur), 0); 2870 if (nlh == NULL) 2871 return -EMSGSIZE; 2872 2873 ur = nlmsg_data(nlh); 2874 ur->proto = proto; 2875 memcpy(&ur->sel, sel, sizeof(ur->sel)); 2876 2877 if (addr) { 2878 int err = nla_put(skb, XFRMA_COADDR, sizeof(*addr), addr); 2879 if (err) { 2880 nlmsg_cancel(skb, nlh); 2881 return err; 2882 } 2883 } 2884 return nlmsg_end(skb, nlh); 2885 } 2886 2887 static int xfrm_send_report(struct net *net, u8 proto, 2888 struct xfrm_selector *sel, xfrm_address_t *addr) 2889 { 2890 struct sk_buff *skb; 2891 2892 skb = nlmsg_new(xfrm_report_msgsize(), GFP_ATOMIC); 2893 if (skb == NULL) 2894 return -ENOMEM; 2895 2896 if (build_report(skb, proto, sel, addr) < 0) 2897 BUG(); 2898 2899 return nlmsg_multicast(net->xfrm.nlsk, skb, 0, XFRMNLGRP_REPORT, GFP_ATOMIC); 2900 } 2901 2902 static inline size_t xfrm_mapping_msgsize(void) 2903 { 2904 return NLMSG_ALIGN(sizeof(struct xfrm_user_mapping)); 2905 } 2906 2907 static int build_mapping(struct sk_buff *skb, struct xfrm_state *x, 2908 xfrm_address_t *new_saddr, __be16 new_sport) 2909 { 2910 struct xfrm_user_mapping *um; 2911 struct nlmsghdr *nlh; 2912 2913 nlh = nlmsg_put(skb, 0, 0, XFRM_MSG_MAPPING, sizeof(*um), 0); 2914 if (nlh == NULL) 2915 return -EMSGSIZE; 2916 2917 um = nlmsg_data(nlh); 2918 2919 memcpy(&um->id.daddr, &x->id.daddr, sizeof(um->id.daddr)); 2920 um->id.spi = x->id.spi; 2921 um->id.family = x->props.family; 2922 um->id.proto = x->id.proto; 2923 memcpy(&um->new_saddr, new_saddr, sizeof(um->new_saddr)); 2924 memcpy(&um->old_saddr, &x->props.saddr, sizeof(um->old_saddr)); 2925 um->new_sport = new_sport; 2926 um->old_sport = x->encap->encap_sport; 2927 um->reqid = x->props.reqid; 2928 2929 return nlmsg_end(skb, nlh); 2930 } 2931 2932 static int xfrm_send_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, 2933 __be16 sport) 2934 { 2935 struct net *net = xs_net(x); 2936 struct sk_buff *skb; 2937 2938 if (x->id.proto != IPPROTO_ESP) 2939 return -EINVAL; 2940 2941 if (!x->encap) 2942 return -EINVAL; 2943 2944 skb = nlmsg_new(xfrm_mapping_msgsize(), GFP_ATOMIC); 2945 if (skb == NULL) 2946 return -ENOMEM; 2947 2948 if (build_mapping(skb, x, ipaddr, sport) < 0) 2949 BUG(); 2950 2951 return nlmsg_multicast(net->xfrm.nlsk, skb, 0, XFRMNLGRP_MAPPING, GFP_ATOMIC); 2952 } 2953 2954 static struct xfrm_mgr netlink_mgr = { 2955 .id = "netlink", 2956 .notify = xfrm_send_state_notify, 2957 .acquire = xfrm_send_acquire, 2958 .compile_policy = xfrm_compile_policy, 2959 .notify_policy = xfrm_send_policy_notify, 2960 .report = xfrm_send_report, 2961 .migrate = xfrm_send_migrate, 2962 .new_mapping = xfrm_send_mapping, 2963 }; 2964 2965 static int __net_init xfrm_user_net_init(struct net *net) 2966 { 2967 struct sock *nlsk; 2968 struct netlink_kernel_cfg cfg = { 2969 .groups = XFRMNLGRP_MAX, 2970 .input = xfrm_netlink_rcv, 2971 }; 2972 2973 nlsk = netlink_kernel_create(net, NETLINK_XFRM, THIS_MODULE, &cfg); 2974 if (nlsk == NULL) 2975 return -ENOMEM; 2976 net->xfrm.nlsk_stash = nlsk; /* Don't set to NULL */ 2977 rcu_assign_pointer(net->xfrm.nlsk, nlsk); 2978 return 0; 2979 } 2980 2981 static void __net_exit xfrm_user_net_exit(struct list_head *net_exit_list) 2982 { 2983 struct net *net; 2984 list_for_each_entry(net, net_exit_list, exit_list) 2985 RCU_INIT_POINTER(net->xfrm.nlsk, NULL); 2986 synchronize_net(); 2987 list_for_each_entry(net, net_exit_list, exit_list) 2988 netlink_kernel_release(net->xfrm.nlsk_stash); 2989 } 2990 2991 static struct pernet_operations xfrm_user_net_ops = { 2992 .init = xfrm_user_net_init, 2993 .exit_batch = xfrm_user_net_exit, 2994 }; 2995 2996 static int __init xfrm_user_init(void) 2997 { 2998 int rv; 2999 3000 printk(KERN_INFO "Initializing XFRM netlink socket\n"); 3001 3002 rv = register_pernet_subsys(&xfrm_user_net_ops); 3003 if (rv < 0) 3004 return rv; 3005 rv = xfrm_register_km(&netlink_mgr); 3006 if (rv < 0) 3007 unregister_pernet_subsys(&xfrm_user_net_ops); 3008 return rv; 3009 } 3010 3011 static void __exit xfrm_user_exit(void) 3012 { 3013 xfrm_unregister_km(&netlink_mgr); 3014 unregister_pernet_subsys(&xfrm_user_net_ops); 3015 } 3016 3017 module_init(xfrm_user_init); 3018 module_exit(xfrm_user_exit); 3019 MODULE_LICENSE("GPL"); 3020 MODULE_ALIAS_NET_PF_PROTO(PF_NETLINK, NETLINK_XFRM); 3021 3022