1 /* xfrm_user.c: User interface to configure xfrm engine. 2 * 3 * Copyright (C) 2002 David S. Miller (davem@redhat.com) 4 * 5 * Changes: 6 * Mitsuru KANDA @USAGI 7 * Kazunori MIYAZAWA @USAGI 8 * Kunihiro Ishiguro <kunihiro@ipinfusion.com> 9 * IPv6 support 10 * 11 */ 12 13 #include <linux/crypto.h> 14 #include <linux/module.h> 15 #include <linux/kernel.h> 16 #include <linux/types.h> 17 #include <linux/slab.h> 18 #include <linux/socket.h> 19 #include <linux/string.h> 20 #include <linux/net.h> 21 #include <linux/skbuff.h> 22 #include <linux/rtnetlink.h> 23 #include <linux/pfkeyv2.h> 24 #include <linux/ipsec.h> 25 #include <linux/init.h> 26 #include <linux/security.h> 27 #include <net/sock.h> 28 #include <net/xfrm.h> 29 #include <net/netlink.h> 30 #include <asm/uaccess.h> 31 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 32 #include <linux/in6.h> 33 #endif 34 #include <linux/audit.h> 35 36 static int verify_one_alg(struct rtattr **xfrma, enum xfrm_attr_type_t type) 37 { 38 struct rtattr *rt = xfrma[type - 1]; 39 struct xfrm_algo *algp; 40 int len; 41 42 if (!rt) 43 return 0; 44 45 len = (rt->rta_len - sizeof(*rt)) - sizeof(*algp); 46 if (len < 0) 47 return -EINVAL; 48 49 algp = RTA_DATA(rt); 50 51 len -= (algp->alg_key_len + 7U) / 8; 52 if (len < 0) 53 return -EINVAL; 54 55 switch (type) { 56 case XFRMA_ALG_AUTH: 57 if (!algp->alg_key_len && 58 strcmp(algp->alg_name, "digest_null") != 0) 59 return -EINVAL; 60 break; 61 62 case XFRMA_ALG_CRYPT: 63 if (!algp->alg_key_len && 64 strcmp(algp->alg_name, "cipher_null") != 0) 65 return -EINVAL; 66 break; 67 68 case XFRMA_ALG_COMP: 69 /* Zero length keys are legal. */ 70 break; 71 72 default: 73 return -EINVAL; 74 } 75 76 algp->alg_name[CRYPTO_MAX_ALG_NAME - 1] = '\0'; 77 return 0; 78 } 79 80 static int verify_encap_tmpl(struct rtattr **xfrma) 81 { 82 struct rtattr *rt = xfrma[XFRMA_ENCAP - 1]; 83 struct xfrm_encap_tmpl *encap; 84 85 if (!rt) 86 return 0; 87 88 if ((rt->rta_len - sizeof(*rt)) < sizeof(*encap)) 89 return -EINVAL; 90 91 return 0; 92 } 93 94 static int verify_one_addr(struct rtattr **xfrma, enum xfrm_attr_type_t type, 95 xfrm_address_t **addrp) 96 { 97 struct rtattr *rt = xfrma[type - 1]; 98 99 if (!rt) 100 return 0; 101 102 if ((rt->rta_len - sizeof(*rt)) < sizeof(**addrp)) 103 return -EINVAL; 104 105 if (addrp) 106 *addrp = RTA_DATA(rt); 107 108 return 0; 109 } 110 111 static inline int verify_sec_ctx_len(struct rtattr **xfrma) 112 { 113 struct rtattr *rt = xfrma[XFRMA_SEC_CTX - 1]; 114 struct xfrm_user_sec_ctx *uctx; 115 int len = 0; 116 117 if (!rt) 118 return 0; 119 120 if (rt->rta_len < sizeof(*uctx)) 121 return -EINVAL; 122 123 uctx = RTA_DATA(rt); 124 125 len += sizeof(struct xfrm_user_sec_ctx); 126 len += uctx->ctx_len; 127 128 if (uctx->len != len) 129 return -EINVAL; 130 131 return 0; 132 } 133 134 135 static int verify_newsa_info(struct xfrm_usersa_info *p, 136 struct rtattr **xfrma) 137 { 138 int err; 139 140 err = -EINVAL; 141 switch (p->family) { 142 case AF_INET: 143 break; 144 145 case AF_INET6: 146 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 147 break; 148 #else 149 err = -EAFNOSUPPORT; 150 goto out; 151 #endif 152 153 default: 154 goto out; 155 } 156 157 err = -EINVAL; 158 switch (p->id.proto) { 159 case IPPROTO_AH: 160 if (!xfrma[XFRMA_ALG_AUTH-1] || 161 xfrma[XFRMA_ALG_CRYPT-1] || 162 xfrma[XFRMA_ALG_COMP-1]) 163 goto out; 164 break; 165 166 case IPPROTO_ESP: 167 if ((!xfrma[XFRMA_ALG_AUTH-1] && 168 !xfrma[XFRMA_ALG_CRYPT-1]) || 169 xfrma[XFRMA_ALG_COMP-1]) 170 goto out; 171 break; 172 173 case IPPROTO_COMP: 174 if (!xfrma[XFRMA_ALG_COMP-1] || 175 xfrma[XFRMA_ALG_AUTH-1] || 176 xfrma[XFRMA_ALG_CRYPT-1]) 177 goto out; 178 break; 179 180 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 181 case IPPROTO_DSTOPTS: 182 case IPPROTO_ROUTING: 183 if (xfrma[XFRMA_ALG_COMP-1] || 184 xfrma[XFRMA_ALG_AUTH-1] || 185 xfrma[XFRMA_ALG_CRYPT-1] || 186 xfrma[XFRMA_ENCAP-1] || 187 xfrma[XFRMA_SEC_CTX-1] || 188 !xfrma[XFRMA_COADDR-1]) 189 goto out; 190 break; 191 #endif 192 193 default: 194 goto out; 195 } 196 197 if ((err = verify_one_alg(xfrma, XFRMA_ALG_AUTH))) 198 goto out; 199 if ((err = verify_one_alg(xfrma, XFRMA_ALG_CRYPT))) 200 goto out; 201 if ((err = verify_one_alg(xfrma, XFRMA_ALG_COMP))) 202 goto out; 203 if ((err = verify_encap_tmpl(xfrma))) 204 goto out; 205 if ((err = verify_sec_ctx_len(xfrma))) 206 goto out; 207 if ((err = verify_one_addr(xfrma, XFRMA_COADDR, NULL))) 208 goto out; 209 210 err = -EINVAL; 211 switch (p->mode) { 212 case XFRM_MODE_TRANSPORT: 213 case XFRM_MODE_TUNNEL: 214 case XFRM_MODE_ROUTEOPTIMIZATION: 215 case XFRM_MODE_BEET: 216 break; 217 218 default: 219 goto out; 220 } 221 222 err = 0; 223 224 out: 225 return err; 226 } 227 228 static int attach_one_algo(struct xfrm_algo **algpp, u8 *props, 229 struct xfrm_algo_desc *(*get_byname)(char *, int), 230 struct rtattr *u_arg) 231 { 232 struct rtattr *rta = u_arg; 233 struct xfrm_algo *p, *ualg; 234 struct xfrm_algo_desc *algo; 235 int len; 236 237 if (!rta) 238 return 0; 239 240 ualg = RTA_DATA(rta); 241 242 algo = get_byname(ualg->alg_name, 1); 243 if (!algo) 244 return -ENOSYS; 245 *props = algo->desc.sadb_alg_id; 246 247 len = sizeof(*ualg) + (ualg->alg_key_len + 7U) / 8; 248 p = kmemdup(ualg, len, GFP_KERNEL); 249 if (!p) 250 return -ENOMEM; 251 252 strcpy(p->alg_name, algo->name); 253 *algpp = p; 254 return 0; 255 } 256 257 static int attach_encap_tmpl(struct xfrm_encap_tmpl **encapp, struct rtattr *u_arg) 258 { 259 struct rtattr *rta = u_arg; 260 struct xfrm_encap_tmpl *p, *uencap; 261 262 if (!rta) 263 return 0; 264 265 uencap = RTA_DATA(rta); 266 p = kmemdup(uencap, sizeof(*p), GFP_KERNEL); 267 if (!p) 268 return -ENOMEM; 269 270 *encapp = p; 271 return 0; 272 } 273 274 275 static inline int xfrm_user_sec_ctx_size(struct xfrm_sec_ctx *xfrm_ctx) 276 { 277 int len = 0; 278 279 if (xfrm_ctx) { 280 len += sizeof(struct xfrm_user_sec_ctx); 281 len += xfrm_ctx->ctx_len; 282 } 283 return len; 284 } 285 286 static int attach_sec_ctx(struct xfrm_state *x, struct rtattr *u_arg) 287 { 288 struct xfrm_user_sec_ctx *uctx; 289 290 if (!u_arg) 291 return 0; 292 293 uctx = RTA_DATA(u_arg); 294 return security_xfrm_state_alloc(x, uctx); 295 } 296 297 static int attach_one_addr(xfrm_address_t **addrpp, struct rtattr *u_arg) 298 { 299 struct rtattr *rta = u_arg; 300 xfrm_address_t *p, *uaddrp; 301 302 if (!rta) 303 return 0; 304 305 uaddrp = RTA_DATA(rta); 306 p = kmemdup(uaddrp, sizeof(*p), GFP_KERNEL); 307 if (!p) 308 return -ENOMEM; 309 310 *addrpp = p; 311 return 0; 312 } 313 314 static void copy_from_user_state(struct xfrm_state *x, struct xfrm_usersa_info *p) 315 { 316 memcpy(&x->id, &p->id, sizeof(x->id)); 317 memcpy(&x->sel, &p->sel, sizeof(x->sel)); 318 memcpy(&x->lft, &p->lft, sizeof(x->lft)); 319 x->props.mode = p->mode; 320 x->props.replay_window = p->replay_window; 321 x->props.reqid = p->reqid; 322 x->props.family = p->family; 323 memcpy(&x->props.saddr, &p->saddr, sizeof(x->props.saddr)); 324 x->props.flags = p->flags; 325 326 /* 327 * Set inner address family if the KM left it as zero. 328 * See comment in validate_tmpl. 329 */ 330 if (!x->sel.family) 331 x->sel.family = p->family; 332 } 333 334 /* 335 * someday when pfkey also has support, we could have the code 336 * somehow made shareable and move it to xfrm_state.c - JHS 337 * 338 */ 339 static int xfrm_update_ae_params(struct xfrm_state *x, struct rtattr **xfrma) 340 { 341 int err = - EINVAL; 342 struct rtattr *rp = xfrma[XFRMA_REPLAY_VAL-1]; 343 struct rtattr *lt = xfrma[XFRMA_LTIME_VAL-1]; 344 struct rtattr *et = xfrma[XFRMA_ETIMER_THRESH-1]; 345 struct rtattr *rt = xfrma[XFRMA_REPLAY_THRESH-1]; 346 347 if (rp) { 348 struct xfrm_replay_state *replay; 349 if (RTA_PAYLOAD(rp) < sizeof(*replay)) 350 goto error; 351 replay = RTA_DATA(rp); 352 memcpy(&x->replay, replay, sizeof(*replay)); 353 memcpy(&x->preplay, replay, sizeof(*replay)); 354 } 355 356 if (lt) { 357 struct xfrm_lifetime_cur *ltime; 358 if (RTA_PAYLOAD(lt) < sizeof(*ltime)) 359 goto error; 360 ltime = RTA_DATA(lt); 361 x->curlft.bytes = ltime->bytes; 362 x->curlft.packets = ltime->packets; 363 x->curlft.add_time = ltime->add_time; 364 x->curlft.use_time = ltime->use_time; 365 } 366 367 if (et) { 368 if (RTA_PAYLOAD(et) < sizeof(u32)) 369 goto error; 370 x->replay_maxage = *(u32*)RTA_DATA(et); 371 } 372 373 if (rt) { 374 if (RTA_PAYLOAD(rt) < sizeof(u32)) 375 goto error; 376 x->replay_maxdiff = *(u32*)RTA_DATA(rt); 377 } 378 379 return 0; 380 error: 381 return err; 382 } 383 384 static struct xfrm_state *xfrm_state_construct(struct xfrm_usersa_info *p, 385 struct rtattr **xfrma, 386 int *errp) 387 { 388 struct xfrm_state *x = xfrm_state_alloc(); 389 int err = -ENOMEM; 390 391 if (!x) 392 goto error_no_put; 393 394 copy_from_user_state(x, p); 395 396 if ((err = attach_one_algo(&x->aalg, &x->props.aalgo, 397 xfrm_aalg_get_byname, 398 xfrma[XFRMA_ALG_AUTH-1]))) 399 goto error; 400 if ((err = attach_one_algo(&x->ealg, &x->props.ealgo, 401 xfrm_ealg_get_byname, 402 xfrma[XFRMA_ALG_CRYPT-1]))) 403 goto error; 404 if ((err = attach_one_algo(&x->calg, &x->props.calgo, 405 xfrm_calg_get_byname, 406 xfrma[XFRMA_ALG_COMP-1]))) 407 goto error; 408 if ((err = attach_encap_tmpl(&x->encap, xfrma[XFRMA_ENCAP-1]))) 409 goto error; 410 if ((err = attach_one_addr(&x->coaddr, xfrma[XFRMA_COADDR-1]))) 411 goto error; 412 err = xfrm_init_state(x); 413 if (err) 414 goto error; 415 416 if ((err = attach_sec_ctx(x, xfrma[XFRMA_SEC_CTX-1]))) 417 goto error; 418 419 x->km.seq = p->seq; 420 x->replay_maxdiff = sysctl_xfrm_aevent_rseqth; 421 /* sysctl_xfrm_aevent_etime is in 100ms units */ 422 x->replay_maxage = (sysctl_xfrm_aevent_etime*HZ)/XFRM_AE_ETH_M; 423 x->preplay.bitmap = 0; 424 x->preplay.seq = x->replay.seq+x->replay_maxdiff; 425 x->preplay.oseq = x->replay.oseq +x->replay_maxdiff; 426 427 /* override default values from above */ 428 429 err = xfrm_update_ae_params(x, (struct rtattr **)xfrma); 430 if (err < 0) 431 goto error; 432 433 return x; 434 435 error: 436 x->km.state = XFRM_STATE_DEAD; 437 xfrm_state_put(x); 438 error_no_put: 439 *errp = err; 440 return NULL; 441 } 442 443 static int xfrm_add_sa(struct sk_buff *skb, struct nlmsghdr *nlh, 444 struct rtattr **xfrma) 445 { 446 struct xfrm_usersa_info *p = nlmsg_data(nlh); 447 struct xfrm_state *x; 448 int err; 449 struct km_event c; 450 451 err = verify_newsa_info(p, xfrma); 452 if (err) 453 return err; 454 455 x = xfrm_state_construct(p, xfrma, &err); 456 if (!x) 457 return err; 458 459 xfrm_state_hold(x); 460 if (nlh->nlmsg_type == XFRM_MSG_NEWSA) 461 err = xfrm_state_add(x); 462 else 463 err = xfrm_state_update(x); 464 465 xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, 466 AUDIT_MAC_IPSEC_ADDSA, err ? 0 : 1, NULL, x); 467 468 if (err < 0) { 469 x->km.state = XFRM_STATE_DEAD; 470 __xfrm_state_put(x); 471 goto out; 472 } 473 474 c.seq = nlh->nlmsg_seq; 475 c.pid = nlh->nlmsg_pid; 476 c.event = nlh->nlmsg_type; 477 478 km_state_notify(x, &c); 479 out: 480 xfrm_state_put(x); 481 return err; 482 } 483 484 static struct xfrm_state *xfrm_user_state_lookup(struct xfrm_usersa_id *p, 485 struct rtattr **xfrma, 486 int *errp) 487 { 488 struct xfrm_state *x = NULL; 489 int err; 490 491 if (xfrm_id_proto_match(p->proto, IPSEC_PROTO_ANY)) { 492 err = -ESRCH; 493 x = xfrm_state_lookup(&p->daddr, p->spi, p->proto, p->family); 494 } else { 495 xfrm_address_t *saddr = NULL; 496 497 err = verify_one_addr(xfrma, XFRMA_SRCADDR, &saddr); 498 if (err) 499 goto out; 500 501 if (!saddr) { 502 err = -EINVAL; 503 goto out; 504 } 505 506 err = -ESRCH; 507 x = xfrm_state_lookup_byaddr(&p->daddr, saddr, p->proto, 508 p->family); 509 } 510 511 out: 512 if (!x && errp) 513 *errp = err; 514 return x; 515 } 516 517 static int xfrm_del_sa(struct sk_buff *skb, struct nlmsghdr *nlh, 518 struct rtattr **xfrma) 519 { 520 struct xfrm_state *x; 521 int err = -ESRCH; 522 struct km_event c; 523 struct xfrm_usersa_id *p = nlmsg_data(nlh); 524 525 x = xfrm_user_state_lookup(p, xfrma, &err); 526 if (x == NULL) 527 return err; 528 529 if ((err = security_xfrm_state_delete(x)) != 0) 530 goto out; 531 532 if (xfrm_state_kern(x)) { 533 err = -EPERM; 534 goto out; 535 } 536 537 err = xfrm_state_delete(x); 538 539 if (err < 0) 540 goto out; 541 542 c.seq = nlh->nlmsg_seq; 543 c.pid = nlh->nlmsg_pid; 544 c.event = nlh->nlmsg_type; 545 km_state_notify(x, &c); 546 547 out: 548 xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, 549 AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x); 550 xfrm_state_put(x); 551 return err; 552 } 553 554 static void copy_to_user_state(struct xfrm_state *x, struct xfrm_usersa_info *p) 555 { 556 memcpy(&p->id, &x->id, sizeof(p->id)); 557 memcpy(&p->sel, &x->sel, sizeof(p->sel)); 558 memcpy(&p->lft, &x->lft, sizeof(p->lft)); 559 memcpy(&p->curlft, &x->curlft, sizeof(p->curlft)); 560 memcpy(&p->stats, &x->stats, sizeof(p->stats)); 561 memcpy(&p->saddr, &x->props.saddr, sizeof(p->saddr)); 562 p->mode = x->props.mode; 563 p->replay_window = x->props.replay_window; 564 p->reqid = x->props.reqid; 565 p->family = x->props.family; 566 p->flags = x->props.flags; 567 p->seq = x->km.seq; 568 } 569 570 struct xfrm_dump_info { 571 struct sk_buff *in_skb; 572 struct sk_buff *out_skb; 573 u32 nlmsg_seq; 574 u16 nlmsg_flags; 575 int start_idx; 576 int this_idx; 577 }; 578 579 static int copy_sec_ctx(struct xfrm_sec_ctx *s, struct sk_buff *skb) 580 { 581 int ctx_size = sizeof(struct xfrm_sec_ctx) + s->ctx_len; 582 struct xfrm_user_sec_ctx *uctx; 583 struct nlattr *attr; 584 585 attr = nla_reserve(skb, XFRMA_SEC_CTX, ctx_size); 586 if (attr == NULL) 587 return -EMSGSIZE; 588 589 uctx = nla_data(attr); 590 uctx->exttype = XFRMA_SEC_CTX; 591 uctx->len = ctx_size; 592 uctx->ctx_doi = s->ctx_doi; 593 uctx->ctx_alg = s->ctx_alg; 594 uctx->ctx_len = s->ctx_len; 595 memcpy(uctx + 1, s->ctx_str, s->ctx_len); 596 597 return 0; 598 } 599 600 static int dump_one_state(struct xfrm_state *x, int count, void *ptr) 601 { 602 struct xfrm_dump_info *sp = ptr; 603 struct sk_buff *in_skb = sp->in_skb; 604 struct sk_buff *skb = sp->out_skb; 605 struct xfrm_usersa_info *p; 606 struct nlmsghdr *nlh; 607 608 if (sp->this_idx < sp->start_idx) 609 goto out; 610 611 nlh = nlmsg_put(skb, NETLINK_CB(in_skb).pid, sp->nlmsg_seq, 612 XFRM_MSG_NEWSA, sizeof(*p), sp->nlmsg_flags); 613 if (nlh == NULL) 614 return -EMSGSIZE; 615 616 p = nlmsg_data(nlh); 617 copy_to_user_state(x, p); 618 619 if (x->aalg) 620 NLA_PUT(skb, XFRMA_ALG_AUTH, 621 sizeof(*(x->aalg))+(x->aalg->alg_key_len+7)/8, x->aalg); 622 if (x->ealg) 623 NLA_PUT(skb, XFRMA_ALG_CRYPT, 624 sizeof(*(x->ealg))+(x->ealg->alg_key_len+7)/8, x->ealg); 625 if (x->calg) 626 NLA_PUT(skb, XFRMA_ALG_COMP, sizeof(*(x->calg)), x->calg); 627 628 if (x->encap) 629 NLA_PUT(skb, XFRMA_ENCAP, sizeof(*x->encap), x->encap); 630 631 if (x->security && copy_sec_ctx(x->security, skb) < 0) 632 goto nla_put_failure; 633 634 if (x->coaddr) 635 NLA_PUT(skb, XFRMA_COADDR, sizeof(*x->coaddr), x->coaddr); 636 637 if (x->lastused) 638 NLA_PUT_U64(skb, XFRMA_LASTUSED, x->lastused); 639 640 nlmsg_end(skb, nlh); 641 out: 642 sp->this_idx++; 643 return 0; 644 645 nla_put_failure: 646 nlmsg_cancel(skb, nlh); 647 return -EMSGSIZE; 648 } 649 650 static int xfrm_dump_sa(struct sk_buff *skb, struct netlink_callback *cb) 651 { 652 struct xfrm_dump_info info; 653 654 info.in_skb = cb->skb; 655 info.out_skb = skb; 656 info.nlmsg_seq = cb->nlh->nlmsg_seq; 657 info.nlmsg_flags = NLM_F_MULTI; 658 info.this_idx = 0; 659 info.start_idx = cb->args[0]; 660 (void) xfrm_state_walk(0, dump_one_state, &info); 661 cb->args[0] = info.this_idx; 662 663 return skb->len; 664 } 665 666 static struct sk_buff *xfrm_state_netlink(struct sk_buff *in_skb, 667 struct xfrm_state *x, u32 seq) 668 { 669 struct xfrm_dump_info info; 670 struct sk_buff *skb; 671 672 skb = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 673 if (!skb) 674 return ERR_PTR(-ENOMEM); 675 676 info.in_skb = in_skb; 677 info.out_skb = skb; 678 info.nlmsg_seq = seq; 679 info.nlmsg_flags = 0; 680 info.this_idx = info.start_idx = 0; 681 682 if (dump_one_state(x, 0, &info)) { 683 kfree_skb(skb); 684 return NULL; 685 } 686 687 return skb; 688 } 689 690 static int build_spdinfo(struct sk_buff *skb, u32 pid, u32 seq, u32 flags) 691 { 692 struct xfrmk_spdinfo si; 693 struct xfrmu_spdinfo spc; 694 struct xfrmu_spdhinfo sph; 695 struct nlmsghdr *nlh; 696 u32 *f; 697 698 nlh = nlmsg_put(skb, pid, seq, XFRM_MSG_NEWSPDINFO, sizeof(u32), 0); 699 if (nlh == NULL) /* shouldnt really happen ... */ 700 return -EMSGSIZE; 701 702 f = nlmsg_data(nlh); 703 *f = flags; 704 xfrm_spd_getinfo(&si); 705 spc.incnt = si.incnt; 706 spc.outcnt = si.outcnt; 707 spc.fwdcnt = si.fwdcnt; 708 spc.inscnt = si.inscnt; 709 spc.outscnt = si.outscnt; 710 spc.fwdscnt = si.fwdscnt; 711 sph.spdhcnt = si.spdhcnt; 712 sph.spdhmcnt = si.spdhmcnt; 713 714 NLA_PUT(skb, XFRMA_SPD_INFO, sizeof(spc), &spc); 715 NLA_PUT(skb, XFRMA_SPD_HINFO, sizeof(sph), &sph); 716 717 return nlmsg_end(skb, nlh); 718 719 nla_put_failure: 720 nlmsg_cancel(skb, nlh); 721 return -EMSGSIZE; 722 } 723 724 static int xfrm_get_spdinfo(struct sk_buff *skb, struct nlmsghdr *nlh, 725 struct rtattr **xfrma) 726 { 727 struct sk_buff *r_skb; 728 u32 *flags = nlmsg_data(nlh); 729 u32 spid = NETLINK_CB(skb).pid; 730 u32 seq = nlh->nlmsg_seq; 731 int len = NLMSG_LENGTH(sizeof(u32)); 732 733 len += RTA_SPACE(sizeof(struct xfrmu_spdinfo)); 734 len += RTA_SPACE(sizeof(struct xfrmu_spdhinfo)); 735 736 r_skb = alloc_skb(len, GFP_ATOMIC); 737 if (r_skb == NULL) 738 return -ENOMEM; 739 740 if (build_spdinfo(r_skb, spid, seq, *flags) < 0) 741 BUG(); 742 743 return nlmsg_unicast(xfrm_nl, r_skb, spid); 744 } 745 746 static int build_sadinfo(struct sk_buff *skb, u32 pid, u32 seq, u32 flags) 747 { 748 struct xfrmk_sadinfo si; 749 struct xfrmu_sadhinfo sh; 750 struct nlmsghdr *nlh; 751 u32 *f; 752 753 nlh = nlmsg_put(skb, pid, seq, XFRM_MSG_NEWSADINFO, sizeof(u32), 0); 754 if (nlh == NULL) /* shouldnt really happen ... */ 755 return -EMSGSIZE; 756 757 f = nlmsg_data(nlh); 758 *f = flags; 759 xfrm_sad_getinfo(&si); 760 761 sh.sadhmcnt = si.sadhmcnt; 762 sh.sadhcnt = si.sadhcnt; 763 764 NLA_PUT_U32(skb, XFRMA_SAD_CNT, si.sadcnt); 765 NLA_PUT(skb, XFRMA_SAD_HINFO, sizeof(sh), &sh); 766 767 return nlmsg_end(skb, nlh); 768 769 nla_put_failure: 770 nlmsg_cancel(skb, nlh); 771 return -EMSGSIZE; 772 } 773 774 static int xfrm_get_sadinfo(struct sk_buff *skb, struct nlmsghdr *nlh, 775 struct rtattr **xfrma) 776 { 777 struct sk_buff *r_skb; 778 u32 *flags = nlmsg_data(nlh); 779 u32 spid = NETLINK_CB(skb).pid; 780 u32 seq = nlh->nlmsg_seq; 781 int len = NLMSG_LENGTH(sizeof(u32)); 782 783 len += RTA_SPACE(sizeof(struct xfrmu_sadhinfo)); 784 len += RTA_SPACE(sizeof(u32)); 785 786 r_skb = alloc_skb(len, GFP_ATOMIC); 787 788 if (r_skb == NULL) 789 return -ENOMEM; 790 791 if (build_sadinfo(r_skb, spid, seq, *flags) < 0) 792 BUG(); 793 794 return nlmsg_unicast(xfrm_nl, r_skb, spid); 795 } 796 797 static int xfrm_get_sa(struct sk_buff *skb, struct nlmsghdr *nlh, 798 struct rtattr **xfrma) 799 { 800 struct xfrm_usersa_id *p = nlmsg_data(nlh); 801 struct xfrm_state *x; 802 struct sk_buff *resp_skb; 803 int err = -ESRCH; 804 805 x = xfrm_user_state_lookup(p, xfrma, &err); 806 if (x == NULL) 807 goto out_noput; 808 809 resp_skb = xfrm_state_netlink(skb, x, nlh->nlmsg_seq); 810 if (IS_ERR(resp_skb)) { 811 err = PTR_ERR(resp_skb); 812 } else { 813 err = nlmsg_unicast(xfrm_nl, resp_skb, NETLINK_CB(skb).pid); 814 } 815 xfrm_state_put(x); 816 out_noput: 817 return err; 818 } 819 820 static int verify_userspi_info(struct xfrm_userspi_info *p) 821 { 822 switch (p->info.id.proto) { 823 case IPPROTO_AH: 824 case IPPROTO_ESP: 825 break; 826 827 case IPPROTO_COMP: 828 /* IPCOMP spi is 16-bits. */ 829 if (p->max >= 0x10000) 830 return -EINVAL; 831 break; 832 833 default: 834 return -EINVAL; 835 } 836 837 if (p->min > p->max) 838 return -EINVAL; 839 840 return 0; 841 } 842 843 static int xfrm_alloc_userspi(struct sk_buff *skb, struct nlmsghdr *nlh, 844 struct rtattr **xfrma) 845 { 846 struct xfrm_state *x; 847 struct xfrm_userspi_info *p; 848 struct sk_buff *resp_skb; 849 xfrm_address_t *daddr; 850 int family; 851 int err; 852 853 p = nlmsg_data(nlh); 854 err = verify_userspi_info(p); 855 if (err) 856 goto out_noput; 857 858 family = p->info.family; 859 daddr = &p->info.id.daddr; 860 861 x = NULL; 862 if (p->info.seq) { 863 x = xfrm_find_acq_byseq(p->info.seq); 864 if (x && xfrm_addr_cmp(&x->id.daddr, daddr, family)) { 865 xfrm_state_put(x); 866 x = NULL; 867 } 868 } 869 870 if (!x) 871 x = xfrm_find_acq(p->info.mode, p->info.reqid, 872 p->info.id.proto, daddr, 873 &p->info.saddr, 1, 874 family); 875 err = -ENOENT; 876 if (x == NULL) 877 goto out_noput; 878 879 resp_skb = ERR_PTR(-ENOENT); 880 881 spin_lock_bh(&x->lock); 882 if (x->km.state != XFRM_STATE_DEAD) { 883 xfrm_alloc_spi(x, htonl(p->min), htonl(p->max)); 884 if (x->id.spi) 885 resp_skb = xfrm_state_netlink(skb, x, nlh->nlmsg_seq); 886 } 887 spin_unlock_bh(&x->lock); 888 889 if (IS_ERR(resp_skb)) { 890 err = PTR_ERR(resp_skb); 891 goto out; 892 } 893 894 err = nlmsg_unicast(xfrm_nl, resp_skb, NETLINK_CB(skb).pid); 895 896 out: 897 xfrm_state_put(x); 898 out_noput: 899 return err; 900 } 901 902 static int verify_policy_dir(u8 dir) 903 { 904 switch (dir) { 905 case XFRM_POLICY_IN: 906 case XFRM_POLICY_OUT: 907 case XFRM_POLICY_FWD: 908 break; 909 910 default: 911 return -EINVAL; 912 } 913 914 return 0; 915 } 916 917 static int verify_policy_type(u8 type) 918 { 919 switch (type) { 920 case XFRM_POLICY_TYPE_MAIN: 921 #ifdef CONFIG_XFRM_SUB_POLICY 922 case XFRM_POLICY_TYPE_SUB: 923 #endif 924 break; 925 926 default: 927 return -EINVAL; 928 } 929 930 return 0; 931 } 932 933 static int verify_newpolicy_info(struct xfrm_userpolicy_info *p) 934 { 935 switch (p->share) { 936 case XFRM_SHARE_ANY: 937 case XFRM_SHARE_SESSION: 938 case XFRM_SHARE_USER: 939 case XFRM_SHARE_UNIQUE: 940 break; 941 942 default: 943 return -EINVAL; 944 } 945 946 switch (p->action) { 947 case XFRM_POLICY_ALLOW: 948 case XFRM_POLICY_BLOCK: 949 break; 950 951 default: 952 return -EINVAL; 953 } 954 955 switch (p->sel.family) { 956 case AF_INET: 957 break; 958 959 case AF_INET6: 960 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 961 break; 962 #else 963 return -EAFNOSUPPORT; 964 #endif 965 966 default: 967 return -EINVAL; 968 } 969 970 return verify_policy_dir(p->dir); 971 } 972 973 static int copy_from_user_sec_ctx(struct xfrm_policy *pol, struct rtattr **xfrma) 974 { 975 struct rtattr *rt = xfrma[XFRMA_SEC_CTX-1]; 976 struct xfrm_user_sec_ctx *uctx; 977 978 if (!rt) 979 return 0; 980 981 uctx = RTA_DATA(rt); 982 return security_xfrm_policy_alloc(pol, uctx); 983 } 984 985 static void copy_templates(struct xfrm_policy *xp, struct xfrm_user_tmpl *ut, 986 int nr) 987 { 988 int i; 989 990 xp->xfrm_nr = nr; 991 for (i = 0; i < nr; i++, ut++) { 992 struct xfrm_tmpl *t = &xp->xfrm_vec[i]; 993 994 memcpy(&t->id, &ut->id, sizeof(struct xfrm_id)); 995 memcpy(&t->saddr, &ut->saddr, 996 sizeof(xfrm_address_t)); 997 t->reqid = ut->reqid; 998 t->mode = ut->mode; 999 t->share = ut->share; 1000 t->optional = ut->optional; 1001 t->aalgos = ut->aalgos; 1002 t->ealgos = ut->ealgos; 1003 t->calgos = ut->calgos; 1004 t->encap_family = ut->family; 1005 } 1006 } 1007 1008 static int validate_tmpl(int nr, struct xfrm_user_tmpl *ut, u16 family) 1009 { 1010 int i; 1011 1012 if (nr > XFRM_MAX_DEPTH) 1013 return -EINVAL; 1014 1015 for (i = 0; i < nr; i++) { 1016 /* We never validated the ut->family value, so many 1017 * applications simply leave it at zero. The check was 1018 * never made and ut->family was ignored because all 1019 * templates could be assumed to have the same family as 1020 * the policy itself. Now that we will have ipv4-in-ipv6 1021 * and ipv6-in-ipv4 tunnels, this is no longer true. 1022 */ 1023 if (!ut[i].family) 1024 ut[i].family = family; 1025 1026 switch (ut[i].family) { 1027 case AF_INET: 1028 break; 1029 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 1030 case AF_INET6: 1031 break; 1032 #endif 1033 default: 1034 return -EINVAL; 1035 } 1036 } 1037 1038 return 0; 1039 } 1040 1041 static int copy_from_user_tmpl(struct xfrm_policy *pol, struct rtattr **xfrma) 1042 { 1043 struct rtattr *rt = xfrma[XFRMA_TMPL-1]; 1044 1045 if (!rt) { 1046 pol->xfrm_nr = 0; 1047 } else { 1048 struct xfrm_user_tmpl *utmpl = RTA_DATA(rt); 1049 int nr = (rt->rta_len - sizeof(*rt)) / sizeof(*utmpl); 1050 int err; 1051 1052 err = validate_tmpl(nr, utmpl, pol->family); 1053 if (err) 1054 return err; 1055 1056 copy_templates(pol, RTA_DATA(rt), nr); 1057 } 1058 return 0; 1059 } 1060 1061 static int copy_from_user_policy_type(u8 *tp, struct rtattr **xfrma) 1062 { 1063 struct rtattr *rt = xfrma[XFRMA_POLICY_TYPE-1]; 1064 struct xfrm_userpolicy_type *upt; 1065 u8 type = XFRM_POLICY_TYPE_MAIN; 1066 int err; 1067 1068 if (rt) { 1069 if (rt->rta_len < sizeof(*upt)) 1070 return -EINVAL; 1071 1072 upt = RTA_DATA(rt); 1073 type = upt->type; 1074 } 1075 1076 err = verify_policy_type(type); 1077 if (err) 1078 return err; 1079 1080 *tp = type; 1081 return 0; 1082 } 1083 1084 static void copy_from_user_policy(struct xfrm_policy *xp, struct xfrm_userpolicy_info *p) 1085 { 1086 xp->priority = p->priority; 1087 xp->index = p->index; 1088 memcpy(&xp->selector, &p->sel, sizeof(xp->selector)); 1089 memcpy(&xp->lft, &p->lft, sizeof(xp->lft)); 1090 xp->action = p->action; 1091 xp->flags = p->flags; 1092 xp->family = p->sel.family; 1093 /* XXX xp->share = p->share; */ 1094 } 1095 1096 static void copy_to_user_policy(struct xfrm_policy *xp, struct xfrm_userpolicy_info *p, int dir) 1097 { 1098 memcpy(&p->sel, &xp->selector, sizeof(p->sel)); 1099 memcpy(&p->lft, &xp->lft, sizeof(p->lft)); 1100 memcpy(&p->curlft, &xp->curlft, sizeof(p->curlft)); 1101 p->priority = xp->priority; 1102 p->index = xp->index; 1103 p->sel.family = xp->family; 1104 p->dir = dir; 1105 p->action = xp->action; 1106 p->flags = xp->flags; 1107 p->share = XFRM_SHARE_ANY; /* XXX xp->share */ 1108 } 1109 1110 static struct xfrm_policy *xfrm_policy_construct(struct xfrm_userpolicy_info *p, struct rtattr **xfrma, int *errp) 1111 { 1112 struct xfrm_policy *xp = xfrm_policy_alloc(GFP_KERNEL); 1113 int err; 1114 1115 if (!xp) { 1116 *errp = -ENOMEM; 1117 return NULL; 1118 } 1119 1120 copy_from_user_policy(xp, p); 1121 1122 err = copy_from_user_policy_type(&xp->type, xfrma); 1123 if (err) 1124 goto error; 1125 1126 if (!(err = copy_from_user_tmpl(xp, xfrma))) 1127 err = copy_from_user_sec_ctx(xp, xfrma); 1128 if (err) 1129 goto error; 1130 1131 return xp; 1132 error: 1133 *errp = err; 1134 kfree(xp); 1135 return NULL; 1136 } 1137 1138 static int xfrm_add_policy(struct sk_buff *skb, struct nlmsghdr *nlh, 1139 struct rtattr **xfrma) 1140 { 1141 struct xfrm_userpolicy_info *p = nlmsg_data(nlh); 1142 struct xfrm_policy *xp; 1143 struct km_event c; 1144 int err; 1145 int excl; 1146 1147 err = verify_newpolicy_info(p); 1148 if (err) 1149 return err; 1150 err = verify_sec_ctx_len(xfrma); 1151 if (err) 1152 return err; 1153 1154 xp = xfrm_policy_construct(p, xfrma, &err); 1155 if (!xp) 1156 return err; 1157 1158 /* shouldnt excl be based on nlh flags?? 1159 * Aha! this is anti-netlink really i.e more pfkey derived 1160 * in netlink excl is a flag and you wouldnt need 1161 * a type XFRM_MSG_UPDPOLICY - JHS */ 1162 excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY; 1163 err = xfrm_policy_insert(p->dir, xp, excl); 1164 xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, 1165 AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL); 1166 1167 if (err) { 1168 security_xfrm_policy_free(xp); 1169 kfree(xp); 1170 return err; 1171 } 1172 1173 c.event = nlh->nlmsg_type; 1174 c.seq = nlh->nlmsg_seq; 1175 c.pid = nlh->nlmsg_pid; 1176 km_policy_notify(xp, p->dir, &c); 1177 1178 xfrm_pol_put(xp); 1179 1180 return 0; 1181 } 1182 1183 static int copy_to_user_tmpl(struct xfrm_policy *xp, struct sk_buff *skb) 1184 { 1185 struct xfrm_user_tmpl vec[XFRM_MAX_DEPTH]; 1186 int i; 1187 1188 if (xp->xfrm_nr == 0) 1189 return 0; 1190 1191 for (i = 0; i < xp->xfrm_nr; i++) { 1192 struct xfrm_user_tmpl *up = &vec[i]; 1193 struct xfrm_tmpl *kp = &xp->xfrm_vec[i]; 1194 1195 memcpy(&up->id, &kp->id, sizeof(up->id)); 1196 up->family = kp->encap_family; 1197 memcpy(&up->saddr, &kp->saddr, sizeof(up->saddr)); 1198 up->reqid = kp->reqid; 1199 up->mode = kp->mode; 1200 up->share = kp->share; 1201 up->optional = kp->optional; 1202 up->aalgos = kp->aalgos; 1203 up->ealgos = kp->ealgos; 1204 up->calgos = kp->calgos; 1205 } 1206 1207 return nla_put(skb, XFRMA_TMPL, 1208 sizeof(struct xfrm_user_tmpl) * xp->xfrm_nr, vec); 1209 } 1210 1211 static inline int copy_to_user_state_sec_ctx(struct xfrm_state *x, struct sk_buff *skb) 1212 { 1213 if (x->security) { 1214 return copy_sec_ctx(x->security, skb); 1215 } 1216 return 0; 1217 } 1218 1219 static inline int copy_to_user_sec_ctx(struct xfrm_policy *xp, struct sk_buff *skb) 1220 { 1221 if (xp->security) { 1222 return copy_sec_ctx(xp->security, skb); 1223 } 1224 return 0; 1225 } 1226 1227 #ifdef CONFIG_XFRM_SUB_POLICY 1228 static int copy_to_user_policy_type(u8 type, struct sk_buff *skb) 1229 { 1230 struct xfrm_userpolicy_type upt = { 1231 .type = type, 1232 }; 1233 1234 return nla_put(skb, XFRMA_POLICY_TYPE, sizeof(upt), &upt); 1235 } 1236 1237 #else 1238 static inline int copy_to_user_policy_type(u8 type, struct sk_buff *skb) 1239 { 1240 return 0; 1241 } 1242 #endif 1243 1244 static int dump_one_policy(struct xfrm_policy *xp, int dir, int count, void *ptr) 1245 { 1246 struct xfrm_dump_info *sp = ptr; 1247 struct xfrm_userpolicy_info *p; 1248 struct sk_buff *in_skb = sp->in_skb; 1249 struct sk_buff *skb = sp->out_skb; 1250 struct nlmsghdr *nlh; 1251 1252 if (sp->this_idx < sp->start_idx) 1253 goto out; 1254 1255 nlh = nlmsg_put(skb, NETLINK_CB(in_skb).pid, sp->nlmsg_seq, 1256 XFRM_MSG_NEWPOLICY, sizeof(*p), sp->nlmsg_flags); 1257 if (nlh == NULL) 1258 return -EMSGSIZE; 1259 1260 p = nlmsg_data(nlh); 1261 copy_to_user_policy(xp, p, dir); 1262 if (copy_to_user_tmpl(xp, skb) < 0) 1263 goto nlmsg_failure; 1264 if (copy_to_user_sec_ctx(xp, skb)) 1265 goto nlmsg_failure; 1266 if (copy_to_user_policy_type(xp->type, skb) < 0) 1267 goto nlmsg_failure; 1268 1269 nlmsg_end(skb, nlh); 1270 out: 1271 sp->this_idx++; 1272 return 0; 1273 1274 nlmsg_failure: 1275 nlmsg_cancel(skb, nlh); 1276 return -EMSGSIZE; 1277 } 1278 1279 static int xfrm_dump_policy(struct sk_buff *skb, struct netlink_callback *cb) 1280 { 1281 struct xfrm_dump_info info; 1282 1283 info.in_skb = cb->skb; 1284 info.out_skb = skb; 1285 info.nlmsg_seq = cb->nlh->nlmsg_seq; 1286 info.nlmsg_flags = NLM_F_MULTI; 1287 info.this_idx = 0; 1288 info.start_idx = cb->args[0]; 1289 (void) xfrm_policy_walk(XFRM_POLICY_TYPE_MAIN, dump_one_policy, &info); 1290 #ifdef CONFIG_XFRM_SUB_POLICY 1291 (void) xfrm_policy_walk(XFRM_POLICY_TYPE_SUB, dump_one_policy, &info); 1292 #endif 1293 cb->args[0] = info.this_idx; 1294 1295 return skb->len; 1296 } 1297 1298 static struct sk_buff *xfrm_policy_netlink(struct sk_buff *in_skb, 1299 struct xfrm_policy *xp, 1300 int dir, u32 seq) 1301 { 1302 struct xfrm_dump_info info; 1303 struct sk_buff *skb; 1304 1305 skb = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL); 1306 if (!skb) 1307 return ERR_PTR(-ENOMEM); 1308 1309 info.in_skb = in_skb; 1310 info.out_skb = skb; 1311 info.nlmsg_seq = seq; 1312 info.nlmsg_flags = 0; 1313 info.this_idx = info.start_idx = 0; 1314 1315 if (dump_one_policy(xp, dir, 0, &info) < 0) { 1316 kfree_skb(skb); 1317 return NULL; 1318 } 1319 1320 return skb; 1321 } 1322 1323 static int xfrm_get_policy(struct sk_buff *skb, struct nlmsghdr *nlh, 1324 struct rtattr **xfrma) 1325 { 1326 struct xfrm_policy *xp; 1327 struct xfrm_userpolicy_id *p; 1328 u8 type = XFRM_POLICY_TYPE_MAIN; 1329 int err; 1330 struct km_event c; 1331 int delete; 1332 1333 p = nlmsg_data(nlh); 1334 delete = nlh->nlmsg_type == XFRM_MSG_DELPOLICY; 1335 1336 err = copy_from_user_policy_type(&type, xfrma); 1337 if (err) 1338 return err; 1339 1340 err = verify_policy_dir(p->dir); 1341 if (err) 1342 return err; 1343 1344 if (p->index) 1345 xp = xfrm_policy_byid(type, p->dir, p->index, delete, &err); 1346 else { 1347 struct rtattr *rt = xfrma[XFRMA_SEC_CTX-1]; 1348 struct xfrm_policy tmp; 1349 1350 err = verify_sec_ctx_len(xfrma); 1351 if (err) 1352 return err; 1353 1354 memset(&tmp, 0, sizeof(struct xfrm_policy)); 1355 if (rt) { 1356 struct xfrm_user_sec_ctx *uctx = RTA_DATA(rt); 1357 1358 if ((err = security_xfrm_policy_alloc(&tmp, uctx))) 1359 return err; 1360 } 1361 xp = xfrm_policy_bysel_ctx(type, p->dir, &p->sel, tmp.security, 1362 delete, &err); 1363 security_xfrm_policy_free(&tmp); 1364 } 1365 if (xp == NULL) 1366 return -ENOENT; 1367 1368 if (!delete) { 1369 struct sk_buff *resp_skb; 1370 1371 resp_skb = xfrm_policy_netlink(skb, xp, p->dir, nlh->nlmsg_seq); 1372 if (IS_ERR(resp_skb)) { 1373 err = PTR_ERR(resp_skb); 1374 } else { 1375 err = nlmsg_unicast(xfrm_nl, resp_skb, 1376 NETLINK_CB(skb).pid); 1377 } 1378 } else { 1379 xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, 1380 AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL); 1381 1382 if (err != 0) 1383 goto out; 1384 1385 c.data.byid = p->index; 1386 c.event = nlh->nlmsg_type; 1387 c.seq = nlh->nlmsg_seq; 1388 c.pid = nlh->nlmsg_pid; 1389 km_policy_notify(xp, p->dir, &c); 1390 } 1391 1392 out: 1393 xfrm_pol_put(xp); 1394 return err; 1395 } 1396 1397 static int xfrm_flush_sa(struct sk_buff *skb, struct nlmsghdr *nlh, 1398 struct rtattr **xfrma) 1399 { 1400 struct km_event c; 1401 struct xfrm_usersa_flush *p = nlmsg_data(nlh); 1402 struct xfrm_audit audit_info; 1403 int err; 1404 1405 audit_info.loginuid = NETLINK_CB(skb).loginuid; 1406 audit_info.secid = NETLINK_CB(skb).sid; 1407 err = xfrm_state_flush(p->proto, &audit_info); 1408 if (err) 1409 return err; 1410 c.data.proto = p->proto; 1411 c.event = nlh->nlmsg_type; 1412 c.seq = nlh->nlmsg_seq; 1413 c.pid = nlh->nlmsg_pid; 1414 km_state_notify(NULL, &c); 1415 1416 return 0; 1417 } 1418 1419 1420 static int build_aevent(struct sk_buff *skb, struct xfrm_state *x, struct km_event *c) 1421 { 1422 struct xfrm_aevent_id *id; 1423 struct nlmsghdr *nlh; 1424 1425 nlh = nlmsg_put(skb, c->pid, c->seq, XFRM_MSG_NEWAE, sizeof(*id), 0); 1426 if (nlh == NULL) 1427 return -EMSGSIZE; 1428 1429 id = nlmsg_data(nlh); 1430 memcpy(&id->sa_id.daddr, &x->id.daddr,sizeof(x->id.daddr)); 1431 id->sa_id.spi = x->id.spi; 1432 id->sa_id.family = x->props.family; 1433 id->sa_id.proto = x->id.proto; 1434 memcpy(&id->saddr, &x->props.saddr,sizeof(x->props.saddr)); 1435 id->reqid = x->props.reqid; 1436 id->flags = c->data.aevent; 1437 1438 NLA_PUT(skb, XFRMA_REPLAY_VAL, sizeof(x->replay), &x->replay); 1439 NLA_PUT(skb, XFRMA_LTIME_VAL, sizeof(x->curlft), &x->curlft); 1440 1441 if (id->flags & XFRM_AE_RTHR) 1442 NLA_PUT_U32(skb, XFRMA_REPLAY_THRESH, x->replay_maxdiff); 1443 1444 if (id->flags & XFRM_AE_ETHR) 1445 NLA_PUT_U32(skb, XFRMA_ETIMER_THRESH, 1446 x->replay_maxage * 10 / HZ); 1447 1448 return nlmsg_end(skb, nlh); 1449 1450 nla_put_failure: 1451 nlmsg_cancel(skb, nlh); 1452 return -EMSGSIZE; 1453 } 1454 1455 static int xfrm_get_ae(struct sk_buff *skb, struct nlmsghdr *nlh, 1456 struct rtattr **xfrma) 1457 { 1458 struct xfrm_state *x; 1459 struct sk_buff *r_skb; 1460 int err; 1461 struct km_event c; 1462 struct xfrm_aevent_id *p = nlmsg_data(nlh); 1463 int len = NLMSG_LENGTH(sizeof(struct xfrm_aevent_id)); 1464 struct xfrm_usersa_id *id = &p->sa_id; 1465 1466 len += RTA_SPACE(sizeof(struct xfrm_replay_state)); 1467 len += RTA_SPACE(sizeof(struct xfrm_lifetime_cur)); 1468 1469 if (p->flags&XFRM_AE_RTHR) 1470 len+=RTA_SPACE(sizeof(u32)); 1471 1472 if (p->flags&XFRM_AE_ETHR) 1473 len+=RTA_SPACE(sizeof(u32)); 1474 1475 r_skb = alloc_skb(len, GFP_ATOMIC); 1476 if (r_skb == NULL) 1477 return -ENOMEM; 1478 1479 x = xfrm_state_lookup(&id->daddr, id->spi, id->proto, id->family); 1480 if (x == NULL) { 1481 kfree_skb(r_skb); 1482 return -ESRCH; 1483 } 1484 1485 /* 1486 * XXX: is this lock really needed - none of the other 1487 * gets lock (the concern is things getting updated 1488 * while we are still reading) - jhs 1489 */ 1490 spin_lock_bh(&x->lock); 1491 c.data.aevent = p->flags; 1492 c.seq = nlh->nlmsg_seq; 1493 c.pid = nlh->nlmsg_pid; 1494 1495 if (build_aevent(r_skb, x, &c) < 0) 1496 BUG(); 1497 err = nlmsg_unicast(xfrm_nl, r_skb, NETLINK_CB(skb).pid); 1498 spin_unlock_bh(&x->lock); 1499 xfrm_state_put(x); 1500 return err; 1501 } 1502 1503 static int xfrm_new_ae(struct sk_buff *skb, struct nlmsghdr *nlh, 1504 struct rtattr **xfrma) 1505 { 1506 struct xfrm_state *x; 1507 struct km_event c; 1508 int err = - EINVAL; 1509 struct xfrm_aevent_id *p = nlmsg_data(nlh); 1510 struct rtattr *rp = xfrma[XFRMA_REPLAY_VAL-1]; 1511 struct rtattr *lt = xfrma[XFRMA_LTIME_VAL-1]; 1512 1513 if (!lt && !rp) 1514 return err; 1515 1516 /* pedantic mode - thou shalt sayeth replaceth */ 1517 if (!(nlh->nlmsg_flags&NLM_F_REPLACE)) 1518 return err; 1519 1520 x = xfrm_state_lookup(&p->sa_id.daddr, p->sa_id.spi, p->sa_id.proto, p->sa_id.family); 1521 if (x == NULL) 1522 return -ESRCH; 1523 1524 if (x->km.state != XFRM_STATE_VALID) 1525 goto out; 1526 1527 spin_lock_bh(&x->lock); 1528 err = xfrm_update_ae_params(x, xfrma); 1529 spin_unlock_bh(&x->lock); 1530 if (err < 0) 1531 goto out; 1532 1533 c.event = nlh->nlmsg_type; 1534 c.seq = nlh->nlmsg_seq; 1535 c.pid = nlh->nlmsg_pid; 1536 c.data.aevent = XFRM_AE_CU; 1537 km_state_notify(x, &c); 1538 err = 0; 1539 out: 1540 xfrm_state_put(x); 1541 return err; 1542 } 1543 1544 static int xfrm_flush_policy(struct sk_buff *skb, struct nlmsghdr *nlh, 1545 struct rtattr **xfrma) 1546 { 1547 struct km_event c; 1548 u8 type = XFRM_POLICY_TYPE_MAIN; 1549 int err; 1550 struct xfrm_audit audit_info; 1551 1552 err = copy_from_user_policy_type(&type, xfrma); 1553 if (err) 1554 return err; 1555 1556 audit_info.loginuid = NETLINK_CB(skb).loginuid; 1557 audit_info.secid = NETLINK_CB(skb).sid; 1558 err = xfrm_policy_flush(type, &audit_info); 1559 if (err) 1560 return err; 1561 c.data.type = type; 1562 c.event = nlh->nlmsg_type; 1563 c.seq = nlh->nlmsg_seq; 1564 c.pid = nlh->nlmsg_pid; 1565 km_policy_notify(NULL, 0, &c); 1566 return 0; 1567 } 1568 1569 static int xfrm_add_pol_expire(struct sk_buff *skb, struct nlmsghdr *nlh, 1570 struct rtattr **xfrma) 1571 { 1572 struct xfrm_policy *xp; 1573 struct xfrm_user_polexpire *up = nlmsg_data(nlh); 1574 struct xfrm_userpolicy_info *p = &up->pol; 1575 u8 type = XFRM_POLICY_TYPE_MAIN; 1576 int err = -ENOENT; 1577 1578 err = copy_from_user_policy_type(&type, xfrma); 1579 if (err) 1580 return err; 1581 1582 if (p->index) 1583 xp = xfrm_policy_byid(type, p->dir, p->index, 0, &err); 1584 else { 1585 struct rtattr *rt = xfrma[XFRMA_SEC_CTX-1]; 1586 struct xfrm_policy tmp; 1587 1588 err = verify_sec_ctx_len(xfrma); 1589 if (err) 1590 return err; 1591 1592 memset(&tmp, 0, sizeof(struct xfrm_policy)); 1593 if (rt) { 1594 struct xfrm_user_sec_ctx *uctx = RTA_DATA(rt); 1595 1596 if ((err = security_xfrm_policy_alloc(&tmp, uctx))) 1597 return err; 1598 } 1599 xp = xfrm_policy_bysel_ctx(type, p->dir, &p->sel, tmp.security, 1600 0, &err); 1601 security_xfrm_policy_free(&tmp); 1602 } 1603 1604 if (xp == NULL) 1605 return -ENOENT; 1606 read_lock(&xp->lock); 1607 if (xp->dead) { 1608 read_unlock(&xp->lock); 1609 goto out; 1610 } 1611 1612 read_unlock(&xp->lock); 1613 err = 0; 1614 if (up->hard) { 1615 xfrm_policy_delete(xp, p->dir); 1616 xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, 1617 AUDIT_MAC_IPSEC_DELSPD, 1, xp, NULL); 1618 1619 } else { 1620 // reset the timers here? 1621 printk("Dont know what to do with soft policy expire\n"); 1622 } 1623 km_policy_expired(xp, p->dir, up->hard, current->pid); 1624 1625 out: 1626 xfrm_pol_put(xp); 1627 return err; 1628 } 1629 1630 static int xfrm_add_sa_expire(struct sk_buff *skb, struct nlmsghdr *nlh, 1631 struct rtattr **xfrma) 1632 { 1633 struct xfrm_state *x; 1634 int err; 1635 struct xfrm_user_expire *ue = nlmsg_data(nlh); 1636 struct xfrm_usersa_info *p = &ue->state; 1637 1638 x = xfrm_state_lookup(&p->id.daddr, p->id.spi, p->id.proto, p->family); 1639 1640 err = -ENOENT; 1641 if (x == NULL) 1642 return err; 1643 1644 spin_lock_bh(&x->lock); 1645 err = -EINVAL; 1646 if (x->km.state != XFRM_STATE_VALID) 1647 goto out; 1648 km_state_expired(x, ue->hard, current->pid); 1649 1650 if (ue->hard) { 1651 __xfrm_state_delete(x); 1652 xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, 1653 AUDIT_MAC_IPSEC_DELSA, 1, NULL, x); 1654 } 1655 err = 0; 1656 out: 1657 spin_unlock_bh(&x->lock); 1658 xfrm_state_put(x); 1659 return err; 1660 } 1661 1662 static int xfrm_add_acquire(struct sk_buff *skb, struct nlmsghdr *nlh, 1663 struct rtattr **xfrma) 1664 { 1665 struct xfrm_policy *xp; 1666 struct xfrm_user_tmpl *ut; 1667 int i; 1668 struct rtattr *rt = xfrma[XFRMA_TMPL-1]; 1669 1670 struct xfrm_user_acquire *ua = nlmsg_data(nlh); 1671 struct xfrm_state *x = xfrm_state_alloc(); 1672 int err = -ENOMEM; 1673 1674 if (!x) 1675 return err; 1676 1677 err = verify_newpolicy_info(&ua->policy); 1678 if (err) { 1679 printk("BAD policy passed\n"); 1680 kfree(x); 1681 return err; 1682 } 1683 1684 /* build an XP */ 1685 xp = xfrm_policy_construct(&ua->policy, (struct rtattr **) xfrma, &err); 1686 if (!xp) { 1687 kfree(x); 1688 return err; 1689 } 1690 1691 memcpy(&x->id, &ua->id, sizeof(ua->id)); 1692 memcpy(&x->props.saddr, &ua->saddr, sizeof(ua->saddr)); 1693 memcpy(&x->sel, &ua->sel, sizeof(ua->sel)); 1694 1695 ut = RTA_DATA(rt); 1696 /* extract the templates and for each call km_key */ 1697 for (i = 0; i < xp->xfrm_nr; i++, ut++) { 1698 struct xfrm_tmpl *t = &xp->xfrm_vec[i]; 1699 memcpy(&x->id, &t->id, sizeof(x->id)); 1700 x->props.mode = t->mode; 1701 x->props.reqid = t->reqid; 1702 x->props.family = ut->family; 1703 t->aalgos = ua->aalgos; 1704 t->ealgos = ua->ealgos; 1705 t->calgos = ua->calgos; 1706 err = km_query(x, t, xp); 1707 1708 } 1709 1710 kfree(x); 1711 kfree(xp); 1712 1713 return 0; 1714 } 1715 1716 #ifdef CONFIG_XFRM_MIGRATE 1717 static int verify_user_migrate(struct rtattr **xfrma) 1718 { 1719 struct rtattr *rt = xfrma[XFRMA_MIGRATE-1]; 1720 struct xfrm_user_migrate *um; 1721 1722 if (!rt) 1723 return -EINVAL; 1724 1725 if ((rt->rta_len - sizeof(*rt)) < sizeof(*um)) 1726 return -EINVAL; 1727 1728 return 0; 1729 } 1730 1731 static int copy_from_user_migrate(struct xfrm_migrate *ma, 1732 struct rtattr **xfrma, int *num) 1733 { 1734 struct rtattr *rt = xfrma[XFRMA_MIGRATE-1]; 1735 struct xfrm_user_migrate *um; 1736 int i, num_migrate; 1737 1738 um = RTA_DATA(rt); 1739 num_migrate = (rt->rta_len - sizeof(*rt)) / sizeof(*um); 1740 1741 if (num_migrate <= 0 || num_migrate > XFRM_MAX_DEPTH) 1742 return -EINVAL; 1743 1744 for (i = 0; i < num_migrate; i++, um++, ma++) { 1745 memcpy(&ma->old_daddr, &um->old_daddr, sizeof(ma->old_daddr)); 1746 memcpy(&ma->old_saddr, &um->old_saddr, sizeof(ma->old_saddr)); 1747 memcpy(&ma->new_daddr, &um->new_daddr, sizeof(ma->new_daddr)); 1748 memcpy(&ma->new_saddr, &um->new_saddr, sizeof(ma->new_saddr)); 1749 1750 ma->proto = um->proto; 1751 ma->mode = um->mode; 1752 ma->reqid = um->reqid; 1753 1754 ma->old_family = um->old_family; 1755 ma->new_family = um->new_family; 1756 } 1757 1758 *num = i; 1759 return 0; 1760 } 1761 1762 static int xfrm_do_migrate(struct sk_buff *skb, struct nlmsghdr *nlh, 1763 struct rtattr **xfrma) 1764 { 1765 struct xfrm_userpolicy_id *pi = nlmsg_data(nlh); 1766 struct xfrm_migrate m[XFRM_MAX_DEPTH]; 1767 u8 type; 1768 int err; 1769 int n = 0; 1770 1771 err = verify_user_migrate((struct rtattr **)xfrma); 1772 if (err) 1773 return err; 1774 1775 err = copy_from_user_policy_type(&type, (struct rtattr **)xfrma); 1776 if (err) 1777 return err; 1778 1779 err = copy_from_user_migrate((struct xfrm_migrate *)m, 1780 (struct rtattr **)xfrma, &n); 1781 if (err) 1782 return err; 1783 1784 if (!n) 1785 return 0; 1786 1787 xfrm_migrate(&pi->sel, pi->dir, type, m, n); 1788 1789 return 0; 1790 } 1791 #else 1792 static int xfrm_do_migrate(struct sk_buff *skb, struct nlmsghdr *nlh, 1793 struct rtattr **xfrma) 1794 { 1795 return -ENOPROTOOPT; 1796 } 1797 #endif 1798 1799 #ifdef CONFIG_XFRM_MIGRATE 1800 static int copy_to_user_migrate(struct xfrm_migrate *m, struct sk_buff *skb) 1801 { 1802 struct xfrm_user_migrate um; 1803 1804 memset(&um, 0, sizeof(um)); 1805 um.proto = m->proto; 1806 um.mode = m->mode; 1807 um.reqid = m->reqid; 1808 um.old_family = m->old_family; 1809 memcpy(&um.old_daddr, &m->old_daddr, sizeof(um.old_daddr)); 1810 memcpy(&um.old_saddr, &m->old_saddr, sizeof(um.old_saddr)); 1811 um.new_family = m->new_family; 1812 memcpy(&um.new_daddr, &m->new_daddr, sizeof(um.new_daddr)); 1813 memcpy(&um.new_saddr, &m->new_saddr, sizeof(um.new_saddr)); 1814 1815 return nla_put(skb, XFRMA_MIGRATE, sizeof(um), &um); 1816 } 1817 1818 static int build_migrate(struct sk_buff *skb, struct xfrm_migrate *m, 1819 int num_migrate, struct xfrm_selector *sel, 1820 u8 dir, u8 type) 1821 { 1822 struct xfrm_migrate *mp; 1823 struct xfrm_userpolicy_id *pol_id; 1824 struct nlmsghdr *nlh; 1825 int i; 1826 1827 nlh = nlmsg_put(skb, 0, 0, XFRM_MSG_MIGRATE, sizeof(*pol_id), 0); 1828 if (nlh == NULL) 1829 return -EMSGSIZE; 1830 1831 pol_id = nlmsg_data(nlh); 1832 /* copy data from selector, dir, and type to the pol_id */ 1833 memset(pol_id, 0, sizeof(*pol_id)); 1834 memcpy(&pol_id->sel, sel, sizeof(pol_id->sel)); 1835 pol_id->dir = dir; 1836 1837 if (copy_to_user_policy_type(type, skb) < 0) 1838 goto nlmsg_failure; 1839 1840 for (i = 0, mp = m ; i < num_migrate; i++, mp++) { 1841 if (copy_to_user_migrate(mp, skb) < 0) 1842 goto nlmsg_failure; 1843 } 1844 1845 return nlmsg_end(skb, nlh); 1846 nlmsg_failure: 1847 nlmsg_cancel(skb, nlh); 1848 return -EMSGSIZE; 1849 } 1850 1851 static int xfrm_send_migrate(struct xfrm_selector *sel, u8 dir, u8 type, 1852 struct xfrm_migrate *m, int num_migrate) 1853 { 1854 struct sk_buff *skb; 1855 size_t len; 1856 1857 len = RTA_SPACE(sizeof(struct xfrm_user_migrate) * num_migrate); 1858 len += NLMSG_SPACE(sizeof(struct xfrm_userpolicy_id)); 1859 #ifdef CONFIG_XFRM_SUB_POLICY 1860 len += RTA_SPACE(sizeof(struct xfrm_userpolicy_type)); 1861 #endif 1862 skb = alloc_skb(len, GFP_ATOMIC); 1863 if (skb == NULL) 1864 return -ENOMEM; 1865 1866 /* build migrate */ 1867 if (build_migrate(skb, m, num_migrate, sel, dir, type) < 0) 1868 BUG(); 1869 1870 return nlmsg_multicast(xfrm_nl, skb, 0, XFRMNLGRP_MIGRATE, GFP_ATOMIC); 1871 } 1872 #else 1873 static int xfrm_send_migrate(struct xfrm_selector *sel, u8 dir, u8 type, 1874 struct xfrm_migrate *m, int num_migrate) 1875 { 1876 return -ENOPROTOOPT; 1877 } 1878 #endif 1879 1880 #define XMSGSIZE(type) NLMSG_LENGTH(sizeof(struct type)) 1881 1882 static const int xfrm_msg_min[XFRM_NR_MSGTYPES] = { 1883 [XFRM_MSG_NEWSA - XFRM_MSG_BASE] = XMSGSIZE(xfrm_usersa_info), 1884 [XFRM_MSG_DELSA - XFRM_MSG_BASE] = XMSGSIZE(xfrm_usersa_id), 1885 [XFRM_MSG_GETSA - XFRM_MSG_BASE] = XMSGSIZE(xfrm_usersa_id), 1886 [XFRM_MSG_NEWPOLICY - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_info), 1887 [XFRM_MSG_DELPOLICY - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_id), 1888 [XFRM_MSG_GETPOLICY - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_id), 1889 [XFRM_MSG_ALLOCSPI - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userspi_info), 1890 [XFRM_MSG_ACQUIRE - XFRM_MSG_BASE] = XMSGSIZE(xfrm_user_acquire), 1891 [XFRM_MSG_EXPIRE - XFRM_MSG_BASE] = XMSGSIZE(xfrm_user_expire), 1892 [XFRM_MSG_UPDPOLICY - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_info), 1893 [XFRM_MSG_UPDSA - XFRM_MSG_BASE] = XMSGSIZE(xfrm_usersa_info), 1894 [XFRM_MSG_POLEXPIRE - XFRM_MSG_BASE] = XMSGSIZE(xfrm_user_polexpire), 1895 [XFRM_MSG_FLUSHSA - XFRM_MSG_BASE] = XMSGSIZE(xfrm_usersa_flush), 1896 [XFRM_MSG_FLUSHPOLICY - XFRM_MSG_BASE] = NLMSG_LENGTH(0), 1897 [XFRM_MSG_NEWAE - XFRM_MSG_BASE] = XMSGSIZE(xfrm_aevent_id), 1898 [XFRM_MSG_GETAE - XFRM_MSG_BASE] = XMSGSIZE(xfrm_aevent_id), 1899 [XFRM_MSG_REPORT - XFRM_MSG_BASE] = XMSGSIZE(xfrm_user_report), 1900 [XFRM_MSG_MIGRATE - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_id), 1901 [XFRM_MSG_GETSADINFO - XFRM_MSG_BASE] = NLMSG_LENGTH(sizeof(u32)), 1902 [XFRM_MSG_GETSPDINFO - XFRM_MSG_BASE] = NLMSG_LENGTH(sizeof(u32)), 1903 }; 1904 1905 #undef XMSGSIZE 1906 1907 static struct xfrm_link { 1908 int (*doit)(struct sk_buff *, struct nlmsghdr *, struct rtattr **); 1909 int (*dump)(struct sk_buff *, struct netlink_callback *); 1910 } xfrm_dispatch[XFRM_NR_MSGTYPES] = { 1911 [XFRM_MSG_NEWSA - XFRM_MSG_BASE] = { .doit = xfrm_add_sa }, 1912 [XFRM_MSG_DELSA - XFRM_MSG_BASE] = { .doit = xfrm_del_sa }, 1913 [XFRM_MSG_GETSA - XFRM_MSG_BASE] = { .doit = xfrm_get_sa, 1914 .dump = xfrm_dump_sa }, 1915 [XFRM_MSG_NEWPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_add_policy }, 1916 [XFRM_MSG_DELPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_get_policy }, 1917 [XFRM_MSG_GETPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_get_policy, 1918 .dump = xfrm_dump_policy }, 1919 [XFRM_MSG_ALLOCSPI - XFRM_MSG_BASE] = { .doit = xfrm_alloc_userspi }, 1920 [XFRM_MSG_ACQUIRE - XFRM_MSG_BASE] = { .doit = xfrm_add_acquire }, 1921 [XFRM_MSG_EXPIRE - XFRM_MSG_BASE] = { .doit = xfrm_add_sa_expire }, 1922 [XFRM_MSG_UPDPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_add_policy }, 1923 [XFRM_MSG_UPDSA - XFRM_MSG_BASE] = { .doit = xfrm_add_sa }, 1924 [XFRM_MSG_POLEXPIRE - XFRM_MSG_BASE] = { .doit = xfrm_add_pol_expire}, 1925 [XFRM_MSG_FLUSHSA - XFRM_MSG_BASE] = { .doit = xfrm_flush_sa }, 1926 [XFRM_MSG_FLUSHPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_flush_policy }, 1927 [XFRM_MSG_NEWAE - XFRM_MSG_BASE] = { .doit = xfrm_new_ae }, 1928 [XFRM_MSG_GETAE - XFRM_MSG_BASE] = { .doit = xfrm_get_ae }, 1929 [XFRM_MSG_MIGRATE - XFRM_MSG_BASE] = { .doit = xfrm_do_migrate }, 1930 [XFRM_MSG_GETSADINFO - XFRM_MSG_BASE] = { .doit = xfrm_get_sadinfo }, 1931 [XFRM_MSG_GETSPDINFO - XFRM_MSG_BASE] = { .doit = xfrm_get_spdinfo }, 1932 }; 1933 1934 static int xfrm_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh) 1935 { 1936 struct rtattr *xfrma[XFRMA_MAX]; 1937 struct xfrm_link *link; 1938 int type, min_len; 1939 1940 type = nlh->nlmsg_type; 1941 if (type > XFRM_MSG_MAX) 1942 return -EINVAL; 1943 1944 type -= XFRM_MSG_BASE; 1945 link = &xfrm_dispatch[type]; 1946 1947 /* All operations require privileges, even GET */ 1948 if (security_netlink_recv(skb, CAP_NET_ADMIN)) 1949 return -EPERM; 1950 1951 if ((type == (XFRM_MSG_GETSA - XFRM_MSG_BASE) || 1952 type == (XFRM_MSG_GETPOLICY - XFRM_MSG_BASE)) && 1953 (nlh->nlmsg_flags & NLM_F_DUMP)) { 1954 if (link->dump == NULL) 1955 return -EINVAL; 1956 1957 return netlink_dump_start(xfrm_nl, skb, nlh, link->dump, NULL); 1958 } 1959 1960 memset(xfrma, 0, sizeof(xfrma)); 1961 1962 if (nlh->nlmsg_len < (min_len = xfrm_msg_min[type])) 1963 return -EINVAL; 1964 1965 if (nlh->nlmsg_len > min_len) { 1966 int attrlen = nlh->nlmsg_len - NLMSG_ALIGN(min_len); 1967 struct rtattr *attr = (void *) nlh + NLMSG_ALIGN(min_len); 1968 1969 while (RTA_OK(attr, attrlen)) { 1970 unsigned short flavor = attr->rta_type; 1971 if (flavor) { 1972 if (flavor > XFRMA_MAX) 1973 return -EINVAL; 1974 xfrma[flavor - 1] = attr; 1975 } 1976 attr = RTA_NEXT(attr, attrlen); 1977 } 1978 } 1979 1980 if (link->doit == NULL) 1981 return -EINVAL; 1982 1983 return link->doit(skb, nlh, xfrma); 1984 } 1985 1986 static void xfrm_netlink_rcv(struct sock *sk, int len) 1987 { 1988 unsigned int qlen = 0; 1989 1990 do { 1991 mutex_lock(&xfrm_cfg_mutex); 1992 netlink_run_queue(sk, &qlen, &xfrm_user_rcv_msg); 1993 mutex_unlock(&xfrm_cfg_mutex); 1994 1995 } while (qlen); 1996 } 1997 1998 static int build_expire(struct sk_buff *skb, struct xfrm_state *x, struct km_event *c) 1999 { 2000 struct xfrm_user_expire *ue; 2001 struct nlmsghdr *nlh; 2002 2003 nlh = nlmsg_put(skb, c->pid, 0, XFRM_MSG_EXPIRE, sizeof(*ue), 0); 2004 if (nlh == NULL) 2005 return -EMSGSIZE; 2006 2007 ue = nlmsg_data(nlh); 2008 copy_to_user_state(x, &ue->state); 2009 ue->hard = (c->data.hard != 0) ? 1 : 0; 2010 2011 return nlmsg_end(skb, nlh); 2012 } 2013 2014 static int xfrm_exp_state_notify(struct xfrm_state *x, struct km_event *c) 2015 { 2016 struct sk_buff *skb; 2017 int len = NLMSG_LENGTH(sizeof(struct xfrm_user_expire)); 2018 2019 skb = alloc_skb(len, GFP_ATOMIC); 2020 if (skb == NULL) 2021 return -ENOMEM; 2022 2023 if (build_expire(skb, x, c) < 0) 2024 BUG(); 2025 2026 return nlmsg_multicast(xfrm_nl, skb, 0, XFRMNLGRP_EXPIRE, GFP_ATOMIC); 2027 } 2028 2029 static int xfrm_aevent_state_notify(struct xfrm_state *x, struct km_event *c) 2030 { 2031 struct sk_buff *skb; 2032 int len = NLMSG_LENGTH(sizeof(struct xfrm_aevent_id)); 2033 2034 len += RTA_SPACE(sizeof(struct xfrm_replay_state)); 2035 len += RTA_SPACE(sizeof(struct xfrm_lifetime_cur)); 2036 skb = alloc_skb(len, GFP_ATOMIC); 2037 if (skb == NULL) 2038 return -ENOMEM; 2039 2040 if (build_aevent(skb, x, c) < 0) 2041 BUG(); 2042 2043 return nlmsg_multicast(xfrm_nl, skb, 0, XFRMNLGRP_AEVENTS, GFP_ATOMIC); 2044 } 2045 2046 static int xfrm_notify_sa_flush(struct km_event *c) 2047 { 2048 struct xfrm_usersa_flush *p; 2049 struct nlmsghdr *nlh; 2050 struct sk_buff *skb; 2051 int len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_flush)); 2052 2053 skb = alloc_skb(len, GFP_ATOMIC); 2054 if (skb == NULL) 2055 return -ENOMEM; 2056 2057 nlh = nlmsg_put(skb, c->pid, c->seq, XFRM_MSG_FLUSHSA, sizeof(*p), 0); 2058 if (nlh == NULL) { 2059 kfree_skb(skb); 2060 return -EMSGSIZE; 2061 } 2062 2063 p = nlmsg_data(nlh); 2064 p->proto = c->data.proto; 2065 2066 nlmsg_end(skb, nlh); 2067 2068 return nlmsg_multicast(xfrm_nl, skb, 0, XFRMNLGRP_SA, GFP_ATOMIC); 2069 } 2070 2071 static inline int xfrm_sa_len(struct xfrm_state *x) 2072 { 2073 int l = 0; 2074 if (x->aalg) 2075 l += RTA_SPACE(sizeof(*x->aalg) + (x->aalg->alg_key_len+7)/8); 2076 if (x->ealg) 2077 l += RTA_SPACE(sizeof(*x->ealg) + (x->ealg->alg_key_len+7)/8); 2078 if (x->calg) 2079 l += RTA_SPACE(sizeof(*x->calg)); 2080 if (x->encap) 2081 l += RTA_SPACE(sizeof(*x->encap)); 2082 2083 return l; 2084 } 2085 2086 static int xfrm_notify_sa(struct xfrm_state *x, struct km_event *c) 2087 { 2088 struct xfrm_usersa_info *p; 2089 struct xfrm_usersa_id *id; 2090 struct nlmsghdr *nlh; 2091 struct sk_buff *skb; 2092 int len = xfrm_sa_len(x); 2093 int headlen; 2094 2095 headlen = sizeof(*p); 2096 if (c->event == XFRM_MSG_DELSA) { 2097 len += RTA_SPACE(headlen); 2098 headlen = sizeof(*id); 2099 } 2100 len += NLMSG_SPACE(headlen); 2101 2102 skb = alloc_skb(len, GFP_ATOMIC); 2103 if (skb == NULL) 2104 return -ENOMEM; 2105 2106 nlh = nlmsg_put(skb, c->pid, c->seq, c->event, headlen, 0); 2107 if (nlh == NULL) 2108 goto nla_put_failure; 2109 2110 p = nlmsg_data(nlh); 2111 if (c->event == XFRM_MSG_DELSA) { 2112 struct nlattr *attr; 2113 2114 id = nlmsg_data(nlh); 2115 memcpy(&id->daddr, &x->id.daddr, sizeof(id->daddr)); 2116 id->spi = x->id.spi; 2117 id->family = x->props.family; 2118 id->proto = x->id.proto; 2119 2120 attr = nla_reserve(skb, XFRMA_SA, sizeof(*p)); 2121 if (attr == NULL) 2122 goto nla_put_failure; 2123 2124 p = nla_data(attr); 2125 } 2126 2127 copy_to_user_state(x, p); 2128 2129 if (x->aalg) 2130 NLA_PUT(skb, XFRMA_ALG_AUTH, 2131 sizeof(*(x->aalg))+(x->aalg->alg_key_len+7)/8, x->aalg); 2132 if (x->ealg) 2133 NLA_PUT(skb, XFRMA_ALG_CRYPT, 2134 sizeof(*(x->ealg))+(x->ealg->alg_key_len+7)/8, x->ealg); 2135 if (x->calg) 2136 NLA_PUT(skb, XFRMA_ALG_COMP, sizeof(*(x->calg)), x->calg); 2137 2138 if (x->encap) 2139 NLA_PUT(skb, XFRMA_ENCAP, sizeof(*x->encap), x->encap); 2140 2141 nlmsg_end(skb, nlh); 2142 2143 return nlmsg_multicast(xfrm_nl, skb, 0, XFRMNLGRP_SA, GFP_ATOMIC); 2144 2145 nla_put_failure: 2146 kfree_skb(skb); 2147 return -1; 2148 } 2149 2150 static int xfrm_send_state_notify(struct xfrm_state *x, struct km_event *c) 2151 { 2152 2153 switch (c->event) { 2154 case XFRM_MSG_EXPIRE: 2155 return xfrm_exp_state_notify(x, c); 2156 case XFRM_MSG_NEWAE: 2157 return xfrm_aevent_state_notify(x, c); 2158 case XFRM_MSG_DELSA: 2159 case XFRM_MSG_UPDSA: 2160 case XFRM_MSG_NEWSA: 2161 return xfrm_notify_sa(x, c); 2162 case XFRM_MSG_FLUSHSA: 2163 return xfrm_notify_sa_flush(c); 2164 default: 2165 printk("xfrm_user: Unknown SA event %d\n", c->event); 2166 break; 2167 } 2168 2169 return 0; 2170 2171 } 2172 2173 static int build_acquire(struct sk_buff *skb, struct xfrm_state *x, 2174 struct xfrm_tmpl *xt, struct xfrm_policy *xp, 2175 int dir) 2176 { 2177 struct xfrm_user_acquire *ua; 2178 struct nlmsghdr *nlh; 2179 __u32 seq = xfrm_get_acqseq(); 2180 2181 nlh = nlmsg_put(skb, 0, 0, XFRM_MSG_ACQUIRE, sizeof(*ua), 0); 2182 if (nlh == NULL) 2183 return -EMSGSIZE; 2184 2185 ua = nlmsg_data(nlh); 2186 memcpy(&ua->id, &x->id, sizeof(ua->id)); 2187 memcpy(&ua->saddr, &x->props.saddr, sizeof(ua->saddr)); 2188 memcpy(&ua->sel, &x->sel, sizeof(ua->sel)); 2189 copy_to_user_policy(xp, &ua->policy, dir); 2190 ua->aalgos = xt->aalgos; 2191 ua->ealgos = xt->ealgos; 2192 ua->calgos = xt->calgos; 2193 ua->seq = x->km.seq = seq; 2194 2195 if (copy_to_user_tmpl(xp, skb) < 0) 2196 goto nlmsg_failure; 2197 if (copy_to_user_state_sec_ctx(x, skb)) 2198 goto nlmsg_failure; 2199 if (copy_to_user_policy_type(xp->type, skb) < 0) 2200 goto nlmsg_failure; 2201 2202 return nlmsg_end(skb, nlh); 2203 2204 nlmsg_failure: 2205 nlmsg_cancel(skb, nlh); 2206 return -EMSGSIZE; 2207 } 2208 2209 static int xfrm_send_acquire(struct xfrm_state *x, struct xfrm_tmpl *xt, 2210 struct xfrm_policy *xp, int dir) 2211 { 2212 struct sk_buff *skb; 2213 size_t len; 2214 2215 len = RTA_SPACE(sizeof(struct xfrm_user_tmpl) * xp->xfrm_nr); 2216 len += NLMSG_SPACE(sizeof(struct xfrm_user_acquire)); 2217 len += RTA_SPACE(xfrm_user_sec_ctx_size(x->security)); 2218 #ifdef CONFIG_XFRM_SUB_POLICY 2219 len += RTA_SPACE(sizeof(struct xfrm_userpolicy_type)); 2220 #endif 2221 skb = alloc_skb(len, GFP_ATOMIC); 2222 if (skb == NULL) 2223 return -ENOMEM; 2224 2225 if (build_acquire(skb, x, xt, xp, dir) < 0) 2226 BUG(); 2227 2228 return nlmsg_multicast(xfrm_nl, skb, 0, XFRMNLGRP_ACQUIRE, GFP_ATOMIC); 2229 } 2230 2231 /* User gives us xfrm_user_policy_info followed by an array of 0 2232 * or more templates. 2233 */ 2234 static struct xfrm_policy *xfrm_compile_policy(struct sock *sk, int opt, 2235 u8 *data, int len, int *dir) 2236 { 2237 struct xfrm_userpolicy_info *p = (struct xfrm_userpolicy_info *)data; 2238 struct xfrm_user_tmpl *ut = (struct xfrm_user_tmpl *) (p + 1); 2239 struct xfrm_policy *xp; 2240 int nr; 2241 2242 switch (sk->sk_family) { 2243 case AF_INET: 2244 if (opt != IP_XFRM_POLICY) { 2245 *dir = -EOPNOTSUPP; 2246 return NULL; 2247 } 2248 break; 2249 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 2250 case AF_INET6: 2251 if (opt != IPV6_XFRM_POLICY) { 2252 *dir = -EOPNOTSUPP; 2253 return NULL; 2254 } 2255 break; 2256 #endif 2257 default: 2258 *dir = -EINVAL; 2259 return NULL; 2260 } 2261 2262 *dir = -EINVAL; 2263 2264 if (len < sizeof(*p) || 2265 verify_newpolicy_info(p)) 2266 return NULL; 2267 2268 nr = ((len - sizeof(*p)) / sizeof(*ut)); 2269 if (validate_tmpl(nr, ut, p->sel.family)) 2270 return NULL; 2271 2272 if (p->dir > XFRM_POLICY_OUT) 2273 return NULL; 2274 2275 xp = xfrm_policy_alloc(GFP_KERNEL); 2276 if (xp == NULL) { 2277 *dir = -ENOBUFS; 2278 return NULL; 2279 } 2280 2281 copy_from_user_policy(xp, p); 2282 xp->type = XFRM_POLICY_TYPE_MAIN; 2283 copy_templates(xp, ut, nr); 2284 2285 *dir = p->dir; 2286 2287 return xp; 2288 } 2289 2290 static int build_polexpire(struct sk_buff *skb, struct xfrm_policy *xp, 2291 int dir, struct km_event *c) 2292 { 2293 struct xfrm_user_polexpire *upe; 2294 struct nlmsghdr *nlh; 2295 int hard = c->data.hard; 2296 2297 nlh = nlmsg_put(skb, c->pid, 0, XFRM_MSG_POLEXPIRE, sizeof(*upe), 0); 2298 if (nlh == NULL) 2299 return -EMSGSIZE; 2300 2301 upe = nlmsg_data(nlh); 2302 copy_to_user_policy(xp, &upe->pol, dir); 2303 if (copy_to_user_tmpl(xp, skb) < 0) 2304 goto nlmsg_failure; 2305 if (copy_to_user_sec_ctx(xp, skb)) 2306 goto nlmsg_failure; 2307 if (copy_to_user_policy_type(xp->type, skb) < 0) 2308 goto nlmsg_failure; 2309 upe->hard = !!hard; 2310 2311 return nlmsg_end(skb, nlh); 2312 2313 nlmsg_failure: 2314 nlmsg_cancel(skb, nlh); 2315 return -EMSGSIZE; 2316 } 2317 2318 static int xfrm_exp_policy_notify(struct xfrm_policy *xp, int dir, struct km_event *c) 2319 { 2320 struct sk_buff *skb; 2321 size_t len; 2322 2323 len = RTA_SPACE(sizeof(struct xfrm_user_tmpl) * xp->xfrm_nr); 2324 len += NLMSG_SPACE(sizeof(struct xfrm_user_polexpire)); 2325 len += RTA_SPACE(xfrm_user_sec_ctx_size(xp->security)); 2326 #ifdef CONFIG_XFRM_SUB_POLICY 2327 len += RTA_SPACE(sizeof(struct xfrm_userpolicy_type)); 2328 #endif 2329 skb = alloc_skb(len, GFP_ATOMIC); 2330 if (skb == NULL) 2331 return -ENOMEM; 2332 2333 if (build_polexpire(skb, xp, dir, c) < 0) 2334 BUG(); 2335 2336 return nlmsg_multicast(xfrm_nl, skb, 0, XFRMNLGRP_EXPIRE, GFP_ATOMIC); 2337 } 2338 2339 static int xfrm_notify_policy(struct xfrm_policy *xp, int dir, struct km_event *c) 2340 { 2341 struct xfrm_userpolicy_info *p; 2342 struct xfrm_userpolicy_id *id; 2343 struct nlmsghdr *nlh; 2344 struct sk_buff *skb; 2345 int len = RTA_SPACE(sizeof(struct xfrm_user_tmpl) * xp->xfrm_nr); 2346 int headlen; 2347 2348 headlen = sizeof(*p); 2349 if (c->event == XFRM_MSG_DELPOLICY) { 2350 len += RTA_SPACE(headlen); 2351 headlen = sizeof(*id); 2352 } 2353 #ifdef CONFIG_XFRM_SUB_POLICY 2354 len += RTA_SPACE(sizeof(struct xfrm_userpolicy_type)); 2355 #endif 2356 len += NLMSG_SPACE(headlen); 2357 2358 skb = alloc_skb(len, GFP_ATOMIC); 2359 if (skb == NULL) 2360 return -ENOMEM; 2361 2362 nlh = nlmsg_put(skb, c->pid, c->seq, c->event, headlen, 0); 2363 if (nlh == NULL) 2364 goto nlmsg_failure; 2365 2366 p = nlmsg_data(nlh); 2367 if (c->event == XFRM_MSG_DELPOLICY) { 2368 struct nlattr *attr; 2369 2370 id = nlmsg_data(nlh); 2371 memset(id, 0, sizeof(*id)); 2372 id->dir = dir; 2373 if (c->data.byid) 2374 id->index = xp->index; 2375 else 2376 memcpy(&id->sel, &xp->selector, sizeof(id->sel)); 2377 2378 attr = nla_reserve(skb, XFRMA_POLICY, sizeof(*p)); 2379 if (attr == NULL) 2380 goto nlmsg_failure; 2381 2382 p = nla_data(attr); 2383 } 2384 2385 copy_to_user_policy(xp, p, dir); 2386 if (copy_to_user_tmpl(xp, skb) < 0) 2387 goto nlmsg_failure; 2388 if (copy_to_user_policy_type(xp->type, skb) < 0) 2389 goto nlmsg_failure; 2390 2391 nlmsg_end(skb, nlh); 2392 2393 return nlmsg_multicast(xfrm_nl, skb, 0, XFRMNLGRP_POLICY, GFP_ATOMIC); 2394 2395 nlmsg_failure: 2396 kfree_skb(skb); 2397 return -1; 2398 } 2399 2400 static int xfrm_notify_policy_flush(struct km_event *c) 2401 { 2402 struct nlmsghdr *nlh; 2403 struct sk_buff *skb; 2404 int len = 0; 2405 #ifdef CONFIG_XFRM_SUB_POLICY 2406 len += RTA_SPACE(sizeof(struct xfrm_userpolicy_type)); 2407 #endif 2408 len += NLMSG_LENGTH(0); 2409 2410 skb = alloc_skb(len, GFP_ATOMIC); 2411 if (skb == NULL) 2412 return -ENOMEM; 2413 2414 nlh = nlmsg_put(skb, c->pid, c->seq, XFRM_MSG_FLUSHPOLICY, 0, 0); 2415 if (nlh == NULL) 2416 goto nlmsg_failure; 2417 if (copy_to_user_policy_type(c->data.type, skb) < 0) 2418 goto nlmsg_failure; 2419 2420 nlmsg_end(skb, nlh); 2421 2422 return nlmsg_multicast(xfrm_nl, skb, 0, XFRMNLGRP_POLICY, GFP_ATOMIC); 2423 2424 nlmsg_failure: 2425 kfree_skb(skb); 2426 return -1; 2427 } 2428 2429 static int xfrm_send_policy_notify(struct xfrm_policy *xp, int dir, struct km_event *c) 2430 { 2431 2432 switch (c->event) { 2433 case XFRM_MSG_NEWPOLICY: 2434 case XFRM_MSG_UPDPOLICY: 2435 case XFRM_MSG_DELPOLICY: 2436 return xfrm_notify_policy(xp, dir, c); 2437 case XFRM_MSG_FLUSHPOLICY: 2438 return xfrm_notify_policy_flush(c); 2439 case XFRM_MSG_POLEXPIRE: 2440 return xfrm_exp_policy_notify(xp, dir, c); 2441 default: 2442 printk("xfrm_user: Unknown Policy event %d\n", c->event); 2443 } 2444 2445 return 0; 2446 2447 } 2448 2449 static int build_report(struct sk_buff *skb, u8 proto, 2450 struct xfrm_selector *sel, xfrm_address_t *addr) 2451 { 2452 struct xfrm_user_report *ur; 2453 struct nlmsghdr *nlh; 2454 2455 nlh = nlmsg_put(skb, 0, 0, XFRM_MSG_REPORT, sizeof(*ur), 0); 2456 if (nlh == NULL) 2457 return -EMSGSIZE; 2458 2459 ur = nlmsg_data(nlh); 2460 ur->proto = proto; 2461 memcpy(&ur->sel, sel, sizeof(ur->sel)); 2462 2463 if (addr) 2464 NLA_PUT(skb, XFRMA_COADDR, sizeof(*addr), addr); 2465 2466 return nlmsg_end(skb, nlh); 2467 2468 nla_put_failure: 2469 nlmsg_cancel(skb, nlh); 2470 return -EMSGSIZE; 2471 } 2472 2473 static int xfrm_send_report(u8 proto, struct xfrm_selector *sel, 2474 xfrm_address_t *addr) 2475 { 2476 struct sk_buff *skb; 2477 size_t len; 2478 2479 len = NLMSG_ALIGN(NLMSG_LENGTH(sizeof(struct xfrm_user_report))); 2480 skb = alloc_skb(len, GFP_ATOMIC); 2481 if (skb == NULL) 2482 return -ENOMEM; 2483 2484 if (build_report(skb, proto, sel, addr) < 0) 2485 BUG(); 2486 2487 return nlmsg_multicast(xfrm_nl, skb, 0, XFRMNLGRP_REPORT, GFP_ATOMIC); 2488 } 2489 2490 static struct xfrm_mgr netlink_mgr = { 2491 .id = "netlink", 2492 .notify = xfrm_send_state_notify, 2493 .acquire = xfrm_send_acquire, 2494 .compile_policy = xfrm_compile_policy, 2495 .notify_policy = xfrm_send_policy_notify, 2496 .report = xfrm_send_report, 2497 .migrate = xfrm_send_migrate, 2498 }; 2499 2500 static int __init xfrm_user_init(void) 2501 { 2502 struct sock *nlsk; 2503 2504 printk(KERN_INFO "Initializing XFRM netlink socket\n"); 2505 2506 nlsk = netlink_kernel_create(NETLINK_XFRM, XFRMNLGRP_MAX, 2507 xfrm_netlink_rcv, NULL, THIS_MODULE); 2508 if (nlsk == NULL) 2509 return -ENOMEM; 2510 rcu_assign_pointer(xfrm_nl, nlsk); 2511 2512 xfrm_register_km(&netlink_mgr); 2513 2514 return 0; 2515 } 2516 2517 static void __exit xfrm_user_exit(void) 2518 { 2519 struct sock *nlsk = xfrm_nl; 2520 2521 xfrm_unregister_km(&netlink_mgr); 2522 rcu_assign_pointer(xfrm_nl, NULL); 2523 synchronize_rcu(); 2524 sock_release(nlsk->sk_socket); 2525 } 2526 2527 module_init(xfrm_user_init); 2528 module_exit(xfrm_user_exit); 2529 MODULE_LICENSE("GPL"); 2530 MODULE_ALIAS_NET_PF_PROTO(PF_NETLINK, NETLINK_XFRM); 2531 2532