1 /* xfrm_user.c: User interface to configure xfrm engine. 2 * 3 * Copyright (C) 2002 David S. Miller (davem@redhat.com) 4 * 5 * Changes: 6 * Mitsuru KANDA @USAGI 7 * Kazunori MIYAZAWA @USAGI 8 * Kunihiro Ishiguro <kunihiro@ipinfusion.com> 9 * IPv6 support 10 * 11 */ 12 13 #include <linux/crypto.h> 14 #include <linux/module.h> 15 #include <linux/kernel.h> 16 #include <linux/types.h> 17 #include <linux/slab.h> 18 #include <linux/socket.h> 19 #include <linux/string.h> 20 #include <linux/net.h> 21 #include <linux/skbuff.h> 22 #include <linux/pfkeyv2.h> 23 #include <linux/ipsec.h> 24 #include <linux/init.h> 25 #include <linux/security.h> 26 #include <net/sock.h> 27 #include <net/xfrm.h> 28 #include <net/netlink.h> 29 #include <net/ah.h> 30 #include <asm/uaccess.h> 31 #if IS_ENABLED(CONFIG_IPV6) 32 #include <linux/in6.h> 33 #endif 34 35 static inline int aead_len(struct xfrm_algo_aead *alg) 36 { 37 return sizeof(*alg) + ((alg->alg_key_len + 7) / 8); 38 } 39 40 static int verify_one_alg(struct nlattr **attrs, enum xfrm_attr_type_t type) 41 { 42 struct nlattr *rt = attrs[type]; 43 struct xfrm_algo *algp; 44 45 if (!rt) 46 return 0; 47 48 algp = nla_data(rt); 49 if (nla_len(rt) < xfrm_alg_len(algp)) 50 return -EINVAL; 51 52 switch (type) { 53 case XFRMA_ALG_AUTH: 54 case XFRMA_ALG_CRYPT: 55 case XFRMA_ALG_COMP: 56 break; 57 58 default: 59 return -EINVAL; 60 } 61 62 algp->alg_name[CRYPTO_MAX_ALG_NAME - 1] = '\0'; 63 return 0; 64 } 65 66 static int verify_auth_trunc(struct nlattr **attrs) 67 { 68 struct nlattr *rt = attrs[XFRMA_ALG_AUTH_TRUNC]; 69 struct xfrm_algo_auth *algp; 70 71 if (!rt) 72 return 0; 73 74 algp = nla_data(rt); 75 if (nla_len(rt) < xfrm_alg_auth_len(algp)) 76 return -EINVAL; 77 78 algp->alg_name[CRYPTO_MAX_ALG_NAME - 1] = '\0'; 79 return 0; 80 } 81 82 static int verify_aead(struct nlattr **attrs) 83 { 84 struct nlattr *rt = attrs[XFRMA_ALG_AEAD]; 85 struct xfrm_algo_aead *algp; 86 87 if (!rt) 88 return 0; 89 90 algp = nla_data(rt); 91 if (nla_len(rt) < aead_len(algp)) 92 return -EINVAL; 93 94 algp->alg_name[CRYPTO_MAX_ALG_NAME - 1] = '\0'; 95 return 0; 96 } 97 98 static void verify_one_addr(struct nlattr **attrs, enum xfrm_attr_type_t type, 99 xfrm_address_t **addrp) 100 { 101 struct nlattr *rt = attrs[type]; 102 103 if (rt && addrp) 104 *addrp = nla_data(rt); 105 } 106 107 static inline int verify_sec_ctx_len(struct nlattr **attrs) 108 { 109 struct nlattr *rt = attrs[XFRMA_SEC_CTX]; 110 struct xfrm_user_sec_ctx *uctx; 111 112 if (!rt) 113 return 0; 114 115 uctx = nla_data(rt); 116 if (uctx->len != (sizeof(struct xfrm_user_sec_ctx) + uctx->ctx_len)) 117 return -EINVAL; 118 119 return 0; 120 } 121 122 static inline int verify_replay(struct xfrm_usersa_info *p, 123 struct nlattr **attrs) 124 { 125 struct nlattr *rt = attrs[XFRMA_REPLAY_ESN_VAL]; 126 struct xfrm_replay_state_esn *rs; 127 128 if (p->flags & XFRM_STATE_ESN) { 129 if (!rt) 130 return -EINVAL; 131 132 rs = nla_data(rt); 133 134 if (rs->bmp_len > XFRMA_REPLAY_ESN_MAX / sizeof(rs->bmp[0]) / 8) 135 return -EINVAL; 136 137 if (nla_len(rt) < xfrm_replay_state_esn_len(rs) && 138 nla_len(rt) != sizeof(*rs)) 139 return -EINVAL; 140 } 141 142 if (!rt) 143 return 0; 144 145 if (p->id.proto != IPPROTO_ESP) 146 return -EINVAL; 147 148 if (p->replay_window != 0) 149 return -EINVAL; 150 151 return 0; 152 } 153 154 static int verify_newsa_info(struct xfrm_usersa_info *p, 155 struct nlattr **attrs) 156 { 157 int err; 158 159 err = -EINVAL; 160 switch (p->family) { 161 case AF_INET: 162 break; 163 164 case AF_INET6: 165 #if IS_ENABLED(CONFIG_IPV6) 166 break; 167 #else 168 err = -EAFNOSUPPORT; 169 goto out; 170 #endif 171 172 default: 173 goto out; 174 } 175 176 err = -EINVAL; 177 switch (p->id.proto) { 178 case IPPROTO_AH: 179 if ((!attrs[XFRMA_ALG_AUTH] && 180 !attrs[XFRMA_ALG_AUTH_TRUNC]) || 181 attrs[XFRMA_ALG_AEAD] || 182 attrs[XFRMA_ALG_CRYPT] || 183 attrs[XFRMA_ALG_COMP] || 184 attrs[XFRMA_TFCPAD]) 185 goto out; 186 break; 187 188 case IPPROTO_ESP: 189 if (attrs[XFRMA_ALG_COMP]) 190 goto out; 191 if (!attrs[XFRMA_ALG_AUTH] && 192 !attrs[XFRMA_ALG_AUTH_TRUNC] && 193 !attrs[XFRMA_ALG_CRYPT] && 194 !attrs[XFRMA_ALG_AEAD]) 195 goto out; 196 if ((attrs[XFRMA_ALG_AUTH] || 197 attrs[XFRMA_ALG_AUTH_TRUNC] || 198 attrs[XFRMA_ALG_CRYPT]) && 199 attrs[XFRMA_ALG_AEAD]) 200 goto out; 201 if (attrs[XFRMA_TFCPAD] && 202 p->mode != XFRM_MODE_TUNNEL) 203 goto out; 204 break; 205 206 case IPPROTO_COMP: 207 if (!attrs[XFRMA_ALG_COMP] || 208 attrs[XFRMA_ALG_AEAD] || 209 attrs[XFRMA_ALG_AUTH] || 210 attrs[XFRMA_ALG_AUTH_TRUNC] || 211 attrs[XFRMA_ALG_CRYPT] || 212 attrs[XFRMA_TFCPAD]) 213 goto out; 214 break; 215 216 #if IS_ENABLED(CONFIG_IPV6) 217 case IPPROTO_DSTOPTS: 218 case IPPROTO_ROUTING: 219 if (attrs[XFRMA_ALG_COMP] || 220 attrs[XFRMA_ALG_AUTH] || 221 attrs[XFRMA_ALG_AUTH_TRUNC] || 222 attrs[XFRMA_ALG_AEAD] || 223 attrs[XFRMA_ALG_CRYPT] || 224 attrs[XFRMA_ENCAP] || 225 attrs[XFRMA_SEC_CTX] || 226 attrs[XFRMA_TFCPAD] || 227 !attrs[XFRMA_COADDR]) 228 goto out; 229 break; 230 #endif 231 232 default: 233 goto out; 234 } 235 236 if ((err = verify_aead(attrs))) 237 goto out; 238 if ((err = verify_auth_trunc(attrs))) 239 goto out; 240 if ((err = verify_one_alg(attrs, XFRMA_ALG_AUTH))) 241 goto out; 242 if ((err = verify_one_alg(attrs, XFRMA_ALG_CRYPT))) 243 goto out; 244 if ((err = verify_one_alg(attrs, XFRMA_ALG_COMP))) 245 goto out; 246 if ((err = verify_sec_ctx_len(attrs))) 247 goto out; 248 if ((err = verify_replay(p, attrs))) 249 goto out; 250 251 err = -EINVAL; 252 switch (p->mode) { 253 case XFRM_MODE_TRANSPORT: 254 case XFRM_MODE_TUNNEL: 255 case XFRM_MODE_ROUTEOPTIMIZATION: 256 case XFRM_MODE_BEET: 257 break; 258 259 default: 260 goto out; 261 } 262 263 err = 0; 264 265 out: 266 return err; 267 } 268 269 static int attach_one_algo(struct xfrm_algo **algpp, u8 *props, 270 struct xfrm_algo_desc *(*get_byname)(const char *, int), 271 struct nlattr *rta) 272 { 273 struct xfrm_algo *p, *ualg; 274 struct xfrm_algo_desc *algo; 275 276 if (!rta) 277 return 0; 278 279 ualg = nla_data(rta); 280 281 algo = get_byname(ualg->alg_name, 1); 282 if (!algo) 283 return -ENOSYS; 284 *props = algo->desc.sadb_alg_id; 285 286 p = kmemdup(ualg, xfrm_alg_len(ualg), GFP_KERNEL); 287 if (!p) 288 return -ENOMEM; 289 290 strcpy(p->alg_name, algo->name); 291 *algpp = p; 292 return 0; 293 } 294 295 static int attach_auth(struct xfrm_algo_auth **algpp, u8 *props, 296 struct nlattr *rta) 297 { 298 struct xfrm_algo *ualg; 299 struct xfrm_algo_auth *p; 300 struct xfrm_algo_desc *algo; 301 302 if (!rta) 303 return 0; 304 305 ualg = nla_data(rta); 306 307 algo = xfrm_aalg_get_byname(ualg->alg_name, 1); 308 if (!algo) 309 return -ENOSYS; 310 *props = algo->desc.sadb_alg_id; 311 312 p = kmalloc(sizeof(*p) + (ualg->alg_key_len + 7) / 8, GFP_KERNEL); 313 if (!p) 314 return -ENOMEM; 315 316 strcpy(p->alg_name, algo->name); 317 p->alg_key_len = ualg->alg_key_len; 318 p->alg_trunc_len = algo->uinfo.auth.icv_truncbits; 319 memcpy(p->alg_key, ualg->alg_key, (ualg->alg_key_len + 7) / 8); 320 321 *algpp = p; 322 return 0; 323 } 324 325 static int attach_auth_trunc(struct xfrm_algo_auth **algpp, u8 *props, 326 struct nlattr *rta) 327 { 328 struct xfrm_algo_auth *p, *ualg; 329 struct xfrm_algo_desc *algo; 330 331 if (!rta) 332 return 0; 333 334 ualg = nla_data(rta); 335 336 algo = xfrm_aalg_get_byname(ualg->alg_name, 1); 337 if (!algo) 338 return -ENOSYS; 339 if ((ualg->alg_trunc_len / 8) > MAX_AH_AUTH_LEN || 340 ualg->alg_trunc_len > algo->uinfo.auth.icv_fullbits) 341 return -EINVAL; 342 *props = algo->desc.sadb_alg_id; 343 344 p = kmemdup(ualg, xfrm_alg_auth_len(ualg), GFP_KERNEL); 345 if (!p) 346 return -ENOMEM; 347 348 strcpy(p->alg_name, algo->name); 349 if (!p->alg_trunc_len) 350 p->alg_trunc_len = algo->uinfo.auth.icv_truncbits; 351 352 *algpp = p; 353 return 0; 354 } 355 356 static int attach_aead(struct xfrm_algo_aead **algpp, u8 *props, 357 struct nlattr *rta) 358 { 359 struct xfrm_algo_aead *p, *ualg; 360 struct xfrm_algo_desc *algo; 361 362 if (!rta) 363 return 0; 364 365 ualg = nla_data(rta); 366 367 algo = xfrm_aead_get_byname(ualg->alg_name, ualg->alg_icv_len, 1); 368 if (!algo) 369 return -ENOSYS; 370 *props = algo->desc.sadb_alg_id; 371 372 p = kmemdup(ualg, aead_len(ualg), GFP_KERNEL); 373 if (!p) 374 return -ENOMEM; 375 376 strcpy(p->alg_name, algo->name); 377 *algpp = p; 378 return 0; 379 } 380 381 static inline int xfrm_replay_verify_len(struct xfrm_replay_state_esn *replay_esn, 382 struct nlattr *rp) 383 { 384 struct xfrm_replay_state_esn *up; 385 int ulen; 386 387 if (!replay_esn || !rp) 388 return 0; 389 390 up = nla_data(rp); 391 ulen = xfrm_replay_state_esn_len(up); 392 393 if (nla_len(rp) < ulen || xfrm_replay_state_esn_len(replay_esn) != ulen) 394 return -EINVAL; 395 396 return 0; 397 } 398 399 static int xfrm_alloc_replay_state_esn(struct xfrm_replay_state_esn **replay_esn, 400 struct xfrm_replay_state_esn **preplay_esn, 401 struct nlattr *rta) 402 { 403 struct xfrm_replay_state_esn *p, *pp, *up; 404 int klen, ulen; 405 406 if (!rta) 407 return 0; 408 409 up = nla_data(rta); 410 klen = xfrm_replay_state_esn_len(up); 411 ulen = nla_len(rta) >= klen ? klen : sizeof(*up); 412 413 p = kzalloc(klen, GFP_KERNEL); 414 if (!p) 415 return -ENOMEM; 416 417 pp = kzalloc(klen, GFP_KERNEL); 418 if (!pp) { 419 kfree(p); 420 return -ENOMEM; 421 } 422 423 memcpy(p, up, ulen); 424 memcpy(pp, up, ulen); 425 426 *replay_esn = p; 427 *preplay_esn = pp; 428 429 return 0; 430 } 431 432 static inline int xfrm_user_sec_ctx_size(struct xfrm_sec_ctx *xfrm_ctx) 433 { 434 int len = 0; 435 436 if (xfrm_ctx) { 437 len += sizeof(struct xfrm_user_sec_ctx); 438 len += xfrm_ctx->ctx_len; 439 } 440 return len; 441 } 442 443 static void copy_from_user_state(struct xfrm_state *x, struct xfrm_usersa_info *p) 444 { 445 memcpy(&x->id, &p->id, sizeof(x->id)); 446 memcpy(&x->sel, &p->sel, sizeof(x->sel)); 447 memcpy(&x->lft, &p->lft, sizeof(x->lft)); 448 x->props.mode = p->mode; 449 x->props.replay_window = p->replay_window; 450 x->props.reqid = p->reqid; 451 x->props.family = p->family; 452 memcpy(&x->props.saddr, &p->saddr, sizeof(x->props.saddr)); 453 x->props.flags = p->flags; 454 455 if (!x->sel.family && !(p->flags & XFRM_STATE_AF_UNSPEC)) 456 x->sel.family = p->family; 457 } 458 459 /* 460 * someday when pfkey also has support, we could have the code 461 * somehow made shareable and move it to xfrm_state.c - JHS 462 * 463 */ 464 static void xfrm_update_ae_params(struct xfrm_state *x, struct nlattr **attrs) 465 { 466 struct nlattr *rp = attrs[XFRMA_REPLAY_VAL]; 467 struct nlattr *re = attrs[XFRMA_REPLAY_ESN_VAL]; 468 struct nlattr *lt = attrs[XFRMA_LTIME_VAL]; 469 struct nlattr *et = attrs[XFRMA_ETIMER_THRESH]; 470 struct nlattr *rt = attrs[XFRMA_REPLAY_THRESH]; 471 472 if (re) { 473 struct xfrm_replay_state_esn *replay_esn; 474 replay_esn = nla_data(re); 475 memcpy(x->replay_esn, replay_esn, 476 xfrm_replay_state_esn_len(replay_esn)); 477 memcpy(x->preplay_esn, replay_esn, 478 xfrm_replay_state_esn_len(replay_esn)); 479 } 480 481 if (rp) { 482 struct xfrm_replay_state *replay; 483 replay = nla_data(rp); 484 memcpy(&x->replay, replay, sizeof(*replay)); 485 memcpy(&x->preplay, replay, sizeof(*replay)); 486 } 487 488 if (lt) { 489 struct xfrm_lifetime_cur *ltime; 490 ltime = nla_data(lt); 491 x->curlft.bytes = ltime->bytes; 492 x->curlft.packets = ltime->packets; 493 x->curlft.add_time = ltime->add_time; 494 x->curlft.use_time = ltime->use_time; 495 } 496 497 if (et) 498 x->replay_maxage = nla_get_u32(et); 499 500 if (rt) 501 x->replay_maxdiff = nla_get_u32(rt); 502 } 503 504 static struct xfrm_state *xfrm_state_construct(struct net *net, 505 struct xfrm_usersa_info *p, 506 struct nlattr **attrs, 507 int *errp) 508 { 509 struct xfrm_state *x = xfrm_state_alloc(net); 510 int err = -ENOMEM; 511 512 if (!x) 513 goto error_no_put; 514 515 copy_from_user_state(x, p); 516 517 if ((err = attach_aead(&x->aead, &x->props.ealgo, 518 attrs[XFRMA_ALG_AEAD]))) 519 goto error; 520 if ((err = attach_auth_trunc(&x->aalg, &x->props.aalgo, 521 attrs[XFRMA_ALG_AUTH_TRUNC]))) 522 goto error; 523 if (!x->props.aalgo) { 524 if ((err = attach_auth(&x->aalg, &x->props.aalgo, 525 attrs[XFRMA_ALG_AUTH]))) 526 goto error; 527 } 528 if ((err = attach_one_algo(&x->ealg, &x->props.ealgo, 529 xfrm_ealg_get_byname, 530 attrs[XFRMA_ALG_CRYPT]))) 531 goto error; 532 if ((err = attach_one_algo(&x->calg, &x->props.calgo, 533 xfrm_calg_get_byname, 534 attrs[XFRMA_ALG_COMP]))) 535 goto error; 536 537 if (attrs[XFRMA_ENCAP]) { 538 x->encap = kmemdup(nla_data(attrs[XFRMA_ENCAP]), 539 sizeof(*x->encap), GFP_KERNEL); 540 if (x->encap == NULL) 541 goto error; 542 } 543 544 if (attrs[XFRMA_TFCPAD]) 545 x->tfcpad = nla_get_u32(attrs[XFRMA_TFCPAD]); 546 547 if (attrs[XFRMA_COADDR]) { 548 x->coaddr = kmemdup(nla_data(attrs[XFRMA_COADDR]), 549 sizeof(*x->coaddr), GFP_KERNEL); 550 if (x->coaddr == NULL) 551 goto error; 552 } 553 554 xfrm_mark_get(attrs, &x->mark); 555 556 err = __xfrm_init_state(x, false); 557 if (err) 558 goto error; 559 560 if (attrs[XFRMA_SEC_CTX] && 561 security_xfrm_state_alloc(x, nla_data(attrs[XFRMA_SEC_CTX]))) 562 goto error; 563 564 if ((err = xfrm_alloc_replay_state_esn(&x->replay_esn, &x->preplay_esn, 565 attrs[XFRMA_REPLAY_ESN_VAL]))) 566 goto error; 567 568 x->km.seq = p->seq; 569 x->replay_maxdiff = net->xfrm.sysctl_aevent_rseqth; 570 /* sysctl_xfrm_aevent_etime is in 100ms units */ 571 x->replay_maxage = (net->xfrm.sysctl_aevent_etime*HZ)/XFRM_AE_ETH_M; 572 573 if ((err = xfrm_init_replay(x))) 574 goto error; 575 576 /* override default values from above */ 577 xfrm_update_ae_params(x, attrs); 578 579 return x; 580 581 error: 582 x->km.state = XFRM_STATE_DEAD; 583 xfrm_state_put(x); 584 error_no_put: 585 *errp = err; 586 return NULL; 587 } 588 589 static int xfrm_add_sa(struct sk_buff *skb, struct nlmsghdr *nlh, 590 struct nlattr **attrs) 591 { 592 struct net *net = sock_net(skb->sk); 593 struct xfrm_usersa_info *p = nlmsg_data(nlh); 594 struct xfrm_state *x; 595 int err; 596 struct km_event c; 597 uid_t loginuid = audit_get_loginuid(current); 598 u32 sessionid = audit_get_sessionid(current); 599 u32 sid; 600 601 err = verify_newsa_info(p, attrs); 602 if (err) 603 return err; 604 605 x = xfrm_state_construct(net, p, attrs, &err); 606 if (!x) 607 return err; 608 609 xfrm_state_hold(x); 610 if (nlh->nlmsg_type == XFRM_MSG_NEWSA) 611 err = xfrm_state_add(x); 612 else 613 err = xfrm_state_update(x); 614 615 security_task_getsecid(current, &sid); 616 xfrm_audit_state_add(x, err ? 0 : 1, loginuid, sessionid, sid); 617 618 if (err < 0) { 619 x->km.state = XFRM_STATE_DEAD; 620 __xfrm_state_put(x); 621 goto out; 622 } 623 624 c.seq = nlh->nlmsg_seq; 625 c.pid = nlh->nlmsg_pid; 626 c.event = nlh->nlmsg_type; 627 628 km_state_notify(x, &c); 629 out: 630 xfrm_state_put(x); 631 return err; 632 } 633 634 static struct xfrm_state *xfrm_user_state_lookup(struct net *net, 635 struct xfrm_usersa_id *p, 636 struct nlattr **attrs, 637 int *errp) 638 { 639 struct xfrm_state *x = NULL; 640 struct xfrm_mark m; 641 int err; 642 u32 mark = xfrm_mark_get(attrs, &m); 643 644 if (xfrm_id_proto_match(p->proto, IPSEC_PROTO_ANY)) { 645 err = -ESRCH; 646 x = xfrm_state_lookup(net, mark, &p->daddr, p->spi, p->proto, p->family); 647 } else { 648 xfrm_address_t *saddr = NULL; 649 650 verify_one_addr(attrs, XFRMA_SRCADDR, &saddr); 651 if (!saddr) { 652 err = -EINVAL; 653 goto out; 654 } 655 656 err = -ESRCH; 657 x = xfrm_state_lookup_byaddr(net, mark, 658 &p->daddr, saddr, 659 p->proto, p->family); 660 } 661 662 out: 663 if (!x && errp) 664 *errp = err; 665 return x; 666 } 667 668 static int xfrm_del_sa(struct sk_buff *skb, struct nlmsghdr *nlh, 669 struct nlattr **attrs) 670 { 671 struct net *net = sock_net(skb->sk); 672 struct xfrm_state *x; 673 int err = -ESRCH; 674 struct km_event c; 675 struct xfrm_usersa_id *p = nlmsg_data(nlh); 676 uid_t loginuid = audit_get_loginuid(current); 677 u32 sessionid = audit_get_sessionid(current); 678 u32 sid; 679 680 x = xfrm_user_state_lookup(net, p, attrs, &err); 681 if (x == NULL) 682 return err; 683 684 if ((err = security_xfrm_state_delete(x)) != 0) 685 goto out; 686 687 if (xfrm_state_kern(x)) { 688 err = -EPERM; 689 goto out; 690 } 691 692 err = xfrm_state_delete(x); 693 694 if (err < 0) 695 goto out; 696 697 c.seq = nlh->nlmsg_seq; 698 c.pid = nlh->nlmsg_pid; 699 c.event = nlh->nlmsg_type; 700 km_state_notify(x, &c); 701 702 out: 703 security_task_getsecid(current, &sid); 704 xfrm_audit_state_delete(x, err ? 0 : 1, loginuid, sessionid, sid); 705 xfrm_state_put(x); 706 return err; 707 } 708 709 static void copy_to_user_state(struct xfrm_state *x, struct xfrm_usersa_info *p) 710 { 711 memset(p, 0, sizeof(*p)); 712 memcpy(&p->id, &x->id, sizeof(p->id)); 713 memcpy(&p->sel, &x->sel, sizeof(p->sel)); 714 memcpy(&p->lft, &x->lft, sizeof(p->lft)); 715 memcpy(&p->curlft, &x->curlft, sizeof(p->curlft)); 716 memcpy(&p->stats, &x->stats, sizeof(p->stats)); 717 memcpy(&p->saddr, &x->props.saddr, sizeof(p->saddr)); 718 p->mode = x->props.mode; 719 p->replay_window = x->props.replay_window; 720 p->reqid = x->props.reqid; 721 p->family = x->props.family; 722 p->flags = x->props.flags; 723 p->seq = x->km.seq; 724 } 725 726 struct xfrm_dump_info { 727 struct sk_buff *in_skb; 728 struct sk_buff *out_skb; 729 u32 nlmsg_seq; 730 u16 nlmsg_flags; 731 }; 732 733 static int copy_sec_ctx(struct xfrm_sec_ctx *s, struct sk_buff *skb) 734 { 735 struct xfrm_user_sec_ctx *uctx; 736 struct nlattr *attr; 737 int ctx_size = sizeof(*uctx) + s->ctx_len; 738 739 attr = nla_reserve(skb, XFRMA_SEC_CTX, ctx_size); 740 if (attr == NULL) 741 return -EMSGSIZE; 742 743 uctx = nla_data(attr); 744 uctx->exttype = XFRMA_SEC_CTX; 745 uctx->len = ctx_size; 746 uctx->ctx_doi = s->ctx_doi; 747 uctx->ctx_alg = s->ctx_alg; 748 uctx->ctx_len = s->ctx_len; 749 memcpy(uctx + 1, s->ctx_str, s->ctx_len); 750 751 return 0; 752 } 753 754 static int copy_to_user_auth(struct xfrm_algo_auth *auth, struct sk_buff *skb) 755 { 756 struct xfrm_algo *algo; 757 struct nlattr *nla; 758 759 nla = nla_reserve(skb, XFRMA_ALG_AUTH, 760 sizeof(*algo) + (auth->alg_key_len + 7) / 8); 761 if (!nla) 762 return -EMSGSIZE; 763 764 algo = nla_data(nla); 765 strncpy(algo->alg_name, auth->alg_name, sizeof(algo->alg_name)); 766 memcpy(algo->alg_key, auth->alg_key, (auth->alg_key_len + 7) / 8); 767 algo->alg_key_len = auth->alg_key_len; 768 769 return 0; 770 } 771 772 /* Don't change this without updating xfrm_sa_len! */ 773 static int copy_to_user_state_extra(struct xfrm_state *x, 774 struct xfrm_usersa_info *p, 775 struct sk_buff *skb) 776 { 777 int ret = 0; 778 779 copy_to_user_state(x, p); 780 781 if (x->coaddr) { 782 ret = nla_put(skb, XFRMA_COADDR, sizeof(*x->coaddr), x->coaddr); 783 if (ret) 784 goto out; 785 } 786 if (x->lastused) { 787 ret = nla_put_u64(skb, XFRMA_LASTUSED, x->lastused); 788 if (ret) 789 goto out; 790 } 791 if (x->aead) { 792 ret = nla_put(skb, XFRMA_ALG_AEAD, aead_len(x->aead), x->aead); 793 if (ret) 794 goto out; 795 } 796 if (x->aalg) { 797 ret = copy_to_user_auth(x->aalg, skb); 798 if (!ret) 799 ret = nla_put(skb, XFRMA_ALG_AUTH_TRUNC, 800 xfrm_alg_auth_len(x->aalg), x->aalg); 801 if (ret) 802 goto out; 803 } 804 if (x->ealg) { 805 ret = nla_put(skb, XFRMA_ALG_CRYPT, xfrm_alg_len(x->ealg), x->ealg); 806 if (ret) 807 goto out; 808 } 809 if (x->calg) { 810 ret = nla_put(skb, XFRMA_ALG_COMP, sizeof(*(x->calg)), x->calg); 811 if (ret) 812 goto out; 813 } 814 if (x->encap) { 815 ret = nla_put(skb, XFRMA_ENCAP, sizeof(*x->encap), x->encap); 816 if (ret) 817 goto out; 818 } 819 if (x->tfcpad) { 820 ret = nla_put_u32(skb, XFRMA_TFCPAD, x->tfcpad); 821 if (ret) 822 goto out; 823 } 824 ret = xfrm_mark_put(skb, &x->mark); 825 if (ret) 826 goto out; 827 if (x->replay_esn) { 828 ret = nla_put(skb, XFRMA_REPLAY_ESN_VAL, 829 xfrm_replay_state_esn_len(x->replay_esn), 830 x->replay_esn); 831 if (ret) 832 goto out; 833 } 834 if (x->security) 835 ret = copy_sec_ctx(x->security, skb); 836 out: 837 return ret; 838 } 839 840 static int dump_one_state(struct xfrm_state *x, int count, void *ptr) 841 { 842 struct xfrm_dump_info *sp = ptr; 843 struct sk_buff *in_skb = sp->in_skb; 844 struct sk_buff *skb = sp->out_skb; 845 struct xfrm_usersa_info *p; 846 struct nlmsghdr *nlh; 847 int err; 848 849 nlh = nlmsg_put(skb, NETLINK_CB(in_skb).pid, sp->nlmsg_seq, 850 XFRM_MSG_NEWSA, sizeof(*p), sp->nlmsg_flags); 851 if (nlh == NULL) 852 return -EMSGSIZE; 853 854 p = nlmsg_data(nlh); 855 856 err = copy_to_user_state_extra(x, p, skb); 857 if (err) { 858 nlmsg_cancel(skb, nlh); 859 return err; 860 } 861 nlmsg_end(skb, nlh); 862 return 0; 863 } 864 865 static int xfrm_dump_sa_done(struct netlink_callback *cb) 866 { 867 struct xfrm_state_walk *walk = (struct xfrm_state_walk *) &cb->args[1]; 868 xfrm_state_walk_done(walk); 869 return 0; 870 } 871 872 static int xfrm_dump_sa(struct sk_buff *skb, struct netlink_callback *cb) 873 { 874 struct net *net = sock_net(skb->sk); 875 struct xfrm_state_walk *walk = (struct xfrm_state_walk *) &cb->args[1]; 876 struct xfrm_dump_info info; 877 878 BUILD_BUG_ON(sizeof(struct xfrm_state_walk) > 879 sizeof(cb->args) - sizeof(cb->args[0])); 880 881 info.in_skb = cb->skb; 882 info.out_skb = skb; 883 info.nlmsg_seq = cb->nlh->nlmsg_seq; 884 info.nlmsg_flags = NLM_F_MULTI; 885 886 if (!cb->args[0]) { 887 cb->args[0] = 1; 888 xfrm_state_walk_init(walk, 0); 889 } 890 891 (void) xfrm_state_walk(net, walk, dump_one_state, &info); 892 893 return skb->len; 894 } 895 896 static struct sk_buff *xfrm_state_netlink(struct sk_buff *in_skb, 897 struct xfrm_state *x, u32 seq) 898 { 899 struct xfrm_dump_info info; 900 struct sk_buff *skb; 901 int err; 902 903 skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC); 904 if (!skb) 905 return ERR_PTR(-ENOMEM); 906 907 info.in_skb = in_skb; 908 info.out_skb = skb; 909 info.nlmsg_seq = seq; 910 info.nlmsg_flags = 0; 911 912 err = dump_one_state(x, 0, &info); 913 if (err) { 914 kfree_skb(skb); 915 return ERR_PTR(err); 916 } 917 918 return skb; 919 } 920 921 static inline size_t xfrm_spdinfo_msgsize(void) 922 { 923 return NLMSG_ALIGN(4) 924 + nla_total_size(sizeof(struct xfrmu_spdinfo)) 925 + nla_total_size(sizeof(struct xfrmu_spdhinfo)); 926 } 927 928 static int build_spdinfo(struct sk_buff *skb, struct net *net, 929 u32 pid, u32 seq, u32 flags) 930 { 931 struct xfrmk_spdinfo si; 932 struct xfrmu_spdinfo spc; 933 struct xfrmu_spdhinfo sph; 934 struct nlmsghdr *nlh; 935 int err; 936 u32 *f; 937 938 nlh = nlmsg_put(skb, pid, seq, XFRM_MSG_NEWSPDINFO, sizeof(u32), 0); 939 if (nlh == NULL) /* shouldn't really happen ... */ 940 return -EMSGSIZE; 941 942 f = nlmsg_data(nlh); 943 *f = flags; 944 xfrm_spd_getinfo(net, &si); 945 spc.incnt = si.incnt; 946 spc.outcnt = si.outcnt; 947 spc.fwdcnt = si.fwdcnt; 948 spc.inscnt = si.inscnt; 949 spc.outscnt = si.outscnt; 950 spc.fwdscnt = si.fwdscnt; 951 sph.spdhcnt = si.spdhcnt; 952 sph.spdhmcnt = si.spdhmcnt; 953 954 err = nla_put(skb, XFRMA_SPD_INFO, sizeof(spc), &spc); 955 if (!err) 956 err = nla_put(skb, XFRMA_SPD_HINFO, sizeof(sph), &sph); 957 if (err) { 958 nlmsg_cancel(skb, nlh); 959 return err; 960 } 961 962 return nlmsg_end(skb, nlh); 963 } 964 965 static int xfrm_get_spdinfo(struct sk_buff *skb, struct nlmsghdr *nlh, 966 struct nlattr **attrs) 967 { 968 struct net *net = sock_net(skb->sk); 969 struct sk_buff *r_skb; 970 u32 *flags = nlmsg_data(nlh); 971 u32 spid = NETLINK_CB(skb).pid; 972 u32 seq = nlh->nlmsg_seq; 973 974 r_skb = nlmsg_new(xfrm_spdinfo_msgsize(), GFP_ATOMIC); 975 if (r_skb == NULL) 976 return -ENOMEM; 977 978 if (build_spdinfo(r_skb, net, spid, seq, *flags) < 0) 979 BUG(); 980 981 return nlmsg_unicast(net->xfrm.nlsk, r_skb, spid); 982 } 983 984 static inline size_t xfrm_sadinfo_msgsize(void) 985 { 986 return NLMSG_ALIGN(4) 987 + nla_total_size(sizeof(struct xfrmu_sadhinfo)) 988 + nla_total_size(4); /* XFRMA_SAD_CNT */ 989 } 990 991 static int build_sadinfo(struct sk_buff *skb, struct net *net, 992 u32 pid, u32 seq, u32 flags) 993 { 994 struct xfrmk_sadinfo si; 995 struct xfrmu_sadhinfo sh; 996 struct nlmsghdr *nlh; 997 int err; 998 u32 *f; 999 1000 nlh = nlmsg_put(skb, pid, seq, XFRM_MSG_NEWSADINFO, sizeof(u32), 0); 1001 if (nlh == NULL) /* shouldn't really happen ... */ 1002 return -EMSGSIZE; 1003 1004 f = nlmsg_data(nlh); 1005 *f = flags; 1006 xfrm_sad_getinfo(net, &si); 1007 1008 sh.sadhmcnt = si.sadhmcnt; 1009 sh.sadhcnt = si.sadhcnt; 1010 1011 err = nla_put_u32(skb, XFRMA_SAD_CNT, si.sadcnt); 1012 if (!err) 1013 err = nla_put(skb, XFRMA_SAD_HINFO, sizeof(sh), &sh); 1014 if (err) { 1015 nlmsg_cancel(skb, nlh); 1016 return err; 1017 } 1018 1019 return nlmsg_end(skb, nlh); 1020 } 1021 1022 static int xfrm_get_sadinfo(struct sk_buff *skb, struct nlmsghdr *nlh, 1023 struct nlattr **attrs) 1024 { 1025 struct net *net = sock_net(skb->sk); 1026 struct sk_buff *r_skb; 1027 u32 *flags = nlmsg_data(nlh); 1028 u32 spid = NETLINK_CB(skb).pid; 1029 u32 seq = nlh->nlmsg_seq; 1030 1031 r_skb = nlmsg_new(xfrm_sadinfo_msgsize(), GFP_ATOMIC); 1032 if (r_skb == NULL) 1033 return -ENOMEM; 1034 1035 if (build_sadinfo(r_skb, net, spid, seq, *flags) < 0) 1036 BUG(); 1037 1038 return nlmsg_unicast(net->xfrm.nlsk, r_skb, spid); 1039 } 1040 1041 static int xfrm_get_sa(struct sk_buff *skb, struct nlmsghdr *nlh, 1042 struct nlattr **attrs) 1043 { 1044 struct net *net = sock_net(skb->sk); 1045 struct xfrm_usersa_id *p = nlmsg_data(nlh); 1046 struct xfrm_state *x; 1047 struct sk_buff *resp_skb; 1048 int err = -ESRCH; 1049 1050 x = xfrm_user_state_lookup(net, p, attrs, &err); 1051 if (x == NULL) 1052 goto out_noput; 1053 1054 resp_skb = xfrm_state_netlink(skb, x, nlh->nlmsg_seq); 1055 if (IS_ERR(resp_skb)) { 1056 err = PTR_ERR(resp_skb); 1057 } else { 1058 err = nlmsg_unicast(net->xfrm.nlsk, resp_skb, NETLINK_CB(skb).pid); 1059 } 1060 xfrm_state_put(x); 1061 out_noput: 1062 return err; 1063 } 1064 1065 static int verify_userspi_info(struct xfrm_userspi_info *p) 1066 { 1067 switch (p->info.id.proto) { 1068 case IPPROTO_AH: 1069 case IPPROTO_ESP: 1070 break; 1071 1072 case IPPROTO_COMP: 1073 /* IPCOMP spi is 16-bits. */ 1074 if (p->max >= 0x10000) 1075 return -EINVAL; 1076 break; 1077 1078 default: 1079 return -EINVAL; 1080 } 1081 1082 if (p->min > p->max) 1083 return -EINVAL; 1084 1085 return 0; 1086 } 1087 1088 static int xfrm_alloc_userspi(struct sk_buff *skb, struct nlmsghdr *nlh, 1089 struct nlattr **attrs) 1090 { 1091 struct net *net = sock_net(skb->sk); 1092 struct xfrm_state *x; 1093 struct xfrm_userspi_info *p; 1094 struct sk_buff *resp_skb; 1095 xfrm_address_t *daddr; 1096 int family; 1097 int err; 1098 u32 mark; 1099 struct xfrm_mark m; 1100 1101 p = nlmsg_data(nlh); 1102 err = verify_userspi_info(p); 1103 if (err) 1104 goto out_noput; 1105 1106 family = p->info.family; 1107 daddr = &p->info.id.daddr; 1108 1109 x = NULL; 1110 1111 mark = xfrm_mark_get(attrs, &m); 1112 if (p->info.seq) { 1113 x = xfrm_find_acq_byseq(net, mark, p->info.seq); 1114 if (x && xfrm_addr_cmp(&x->id.daddr, daddr, family)) { 1115 xfrm_state_put(x); 1116 x = NULL; 1117 } 1118 } 1119 1120 if (!x) 1121 x = xfrm_find_acq(net, &m, p->info.mode, p->info.reqid, 1122 p->info.id.proto, daddr, 1123 &p->info.saddr, 1, 1124 family); 1125 err = -ENOENT; 1126 if (x == NULL) 1127 goto out_noput; 1128 1129 err = xfrm_alloc_spi(x, p->min, p->max); 1130 if (err) 1131 goto out; 1132 1133 resp_skb = xfrm_state_netlink(skb, x, nlh->nlmsg_seq); 1134 if (IS_ERR(resp_skb)) { 1135 err = PTR_ERR(resp_skb); 1136 goto out; 1137 } 1138 1139 err = nlmsg_unicast(net->xfrm.nlsk, resp_skb, NETLINK_CB(skb).pid); 1140 1141 out: 1142 xfrm_state_put(x); 1143 out_noput: 1144 return err; 1145 } 1146 1147 static int verify_policy_dir(u8 dir) 1148 { 1149 switch (dir) { 1150 case XFRM_POLICY_IN: 1151 case XFRM_POLICY_OUT: 1152 case XFRM_POLICY_FWD: 1153 break; 1154 1155 default: 1156 return -EINVAL; 1157 } 1158 1159 return 0; 1160 } 1161 1162 static int verify_policy_type(u8 type) 1163 { 1164 switch (type) { 1165 case XFRM_POLICY_TYPE_MAIN: 1166 #ifdef CONFIG_XFRM_SUB_POLICY 1167 case XFRM_POLICY_TYPE_SUB: 1168 #endif 1169 break; 1170 1171 default: 1172 return -EINVAL; 1173 } 1174 1175 return 0; 1176 } 1177 1178 static int verify_newpolicy_info(struct xfrm_userpolicy_info *p) 1179 { 1180 switch (p->share) { 1181 case XFRM_SHARE_ANY: 1182 case XFRM_SHARE_SESSION: 1183 case XFRM_SHARE_USER: 1184 case XFRM_SHARE_UNIQUE: 1185 break; 1186 1187 default: 1188 return -EINVAL; 1189 } 1190 1191 switch (p->action) { 1192 case XFRM_POLICY_ALLOW: 1193 case XFRM_POLICY_BLOCK: 1194 break; 1195 1196 default: 1197 return -EINVAL; 1198 } 1199 1200 switch (p->sel.family) { 1201 case AF_INET: 1202 break; 1203 1204 case AF_INET6: 1205 #if IS_ENABLED(CONFIG_IPV6) 1206 break; 1207 #else 1208 return -EAFNOSUPPORT; 1209 #endif 1210 1211 default: 1212 return -EINVAL; 1213 } 1214 1215 return verify_policy_dir(p->dir); 1216 } 1217 1218 static int copy_from_user_sec_ctx(struct xfrm_policy *pol, struct nlattr **attrs) 1219 { 1220 struct nlattr *rt = attrs[XFRMA_SEC_CTX]; 1221 struct xfrm_user_sec_ctx *uctx; 1222 1223 if (!rt) 1224 return 0; 1225 1226 uctx = nla_data(rt); 1227 return security_xfrm_policy_alloc(&pol->security, uctx); 1228 } 1229 1230 static void copy_templates(struct xfrm_policy *xp, struct xfrm_user_tmpl *ut, 1231 int nr) 1232 { 1233 int i; 1234 1235 xp->xfrm_nr = nr; 1236 for (i = 0; i < nr; i++, ut++) { 1237 struct xfrm_tmpl *t = &xp->xfrm_vec[i]; 1238 1239 memcpy(&t->id, &ut->id, sizeof(struct xfrm_id)); 1240 memcpy(&t->saddr, &ut->saddr, 1241 sizeof(xfrm_address_t)); 1242 t->reqid = ut->reqid; 1243 t->mode = ut->mode; 1244 t->share = ut->share; 1245 t->optional = ut->optional; 1246 t->aalgos = ut->aalgos; 1247 t->ealgos = ut->ealgos; 1248 t->calgos = ut->calgos; 1249 /* If all masks are ~0, then we allow all algorithms. */ 1250 t->allalgs = !~(t->aalgos & t->ealgos & t->calgos); 1251 t->encap_family = ut->family; 1252 } 1253 } 1254 1255 static int validate_tmpl(int nr, struct xfrm_user_tmpl *ut, u16 family) 1256 { 1257 int i; 1258 1259 if (nr > XFRM_MAX_DEPTH) 1260 return -EINVAL; 1261 1262 for (i = 0; i < nr; i++) { 1263 /* We never validated the ut->family value, so many 1264 * applications simply leave it at zero. The check was 1265 * never made and ut->family was ignored because all 1266 * templates could be assumed to have the same family as 1267 * the policy itself. Now that we will have ipv4-in-ipv6 1268 * and ipv6-in-ipv4 tunnels, this is no longer true. 1269 */ 1270 if (!ut[i].family) 1271 ut[i].family = family; 1272 1273 switch (ut[i].family) { 1274 case AF_INET: 1275 break; 1276 #if IS_ENABLED(CONFIG_IPV6) 1277 case AF_INET6: 1278 break; 1279 #endif 1280 default: 1281 return -EINVAL; 1282 } 1283 } 1284 1285 return 0; 1286 } 1287 1288 static int copy_from_user_tmpl(struct xfrm_policy *pol, struct nlattr **attrs) 1289 { 1290 struct nlattr *rt = attrs[XFRMA_TMPL]; 1291 1292 if (!rt) { 1293 pol->xfrm_nr = 0; 1294 } else { 1295 struct xfrm_user_tmpl *utmpl = nla_data(rt); 1296 int nr = nla_len(rt) / sizeof(*utmpl); 1297 int err; 1298 1299 err = validate_tmpl(nr, utmpl, pol->family); 1300 if (err) 1301 return err; 1302 1303 copy_templates(pol, utmpl, nr); 1304 } 1305 return 0; 1306 } 1307 1308 static int copy_from_user_policy_type(u8 *tp, struct nlattr **attrs) 1309 { 1310 struct nlattr *rt = attrs[XFRMA_POLICY_TYPE]; 1311 struct xfrm_userpolicy_type *upt; 1312 u8 type = XFRM_POLICY_TYPE_MAIN; 1313 int err; 1314 1315 if (rt) { 1316 upt = nla_data(rt); 1317 type = upt->type; 1318 } 1319 1320 err = verify_policy_type(type); 1321 if (err) 1322 return err; 1323 1324 *tp = type; 1325 return 0; 1326 } 1327 1328 static void copy_from_user_policy(struct xfrm_policy *xp, struct xfrm_userpolicy_info *p) 1329 { 1330 xp->priority = p->priority; 1331 xp->index = p->index; 1332 memcpy(&xp->selector, &p->sel, sizeof(xp->selector)); 1333 memcpy(&xp->lft, &p->lft, sizeof(xp->lft)); 1334 xp->action = p->action; 1335 xp->flags = p->flags; 1336 xp->family = p->sel.family; 1337 /* XXX xp->share = p->share; */ 1338 } 1339 1340 static void copy_to_user_policy(struct xfrm_policy *xp, struct xfrm_userpolicy_info *p, int dir) 1341 { 1342 memset(p, 0, sizeof(*p)); 1343 memcpy(&p->sel, &xp->selector, sizeof(p->sel)); 1344 memcpy(&p->lft, &xp->lft, sizeof(p->lft)); 1345 memcpy(&p->curlft, &xp->curlft, sizeof(p->curlft)); 1346 p->priority = xp->priority; 1347 p->index = xp->index; 1348 p->sel.family = xp->family; 1349 p->dir = dir; 1350 p->action = xp->action; 1351 p->flags = xp->flags; 1352 p->share = XFRM_SHARE_ANY; /* XXX xp->share */ 1353 } 1354 1355 static struct xfrm_policy *xfrm_policy_construct(struct net *net, struct xfrm_userpolicy_info *p, struct nlattr **attrs, int *errp) 1356 { 1357 struct xfrm_policy *xp = xfrm_policy_alloc(net, GFP_KERNEL); 1358 int err; 1359 1360 if (!xp) { 1361 *errp = -ENOMEM; 1362 return NULL; 1363 } 1364 1365 copy_from_user_policy(xp, p); 1366 1367 err = copy_from_user_policy_type(&xp->type, attrs); 1368 if (err) 1369 goto error; 1370 1371 if (!(err = copy_from_user_tmpl(xp, attrs))) 1372 err = copy_from_user_sec_ctx(xp, attrs); 1373 if (err) 1374 goto error; 1375 1376 xfrm_mark_get(attrs, &xp->mark); 1377 1378 return xp; 1379 error: 1380 *errp = err; 1381 xp->walk.dead = 1; 1382 xfrm_policy_destroy(xp); 1383 return NULL; 1384 } 1385 1386 static int xfrm_add_policy(struct sk_buff *skb, struct nlmsghdr *nlh, 1387 struct nlattr **attrs) 1388 { 1389 struct net *net = sock_net(skb->sk); 1390 struct xfrm_userpolicy_info *p = nlmsg_data(nlh); 1391 struct xfrm_policy *xp; 1392 struct km_event c; 1393 int err; 1394 int excl; 1395 uid_t loginuid = audit_get_loginuid(current); 1396 u32 sessionid = audit_get_sessionid(current); 1397 u32 sid; 1398 1399 err = verify_newpolicy_info(p); 1400 if (err) 1401 return err; 1402 err = verify_sec_ctx_len(attrs); 1403 if (err) 1404 return err; 1405 1406 xp = xfrm_policy_construct(net, p, attrs, &err); 1407 if (!xp) 1408 return err; 1409 1410 /* shouldn't excl be based on nlh flags?? 1411 * Aha! this is anti-netlink really i.e more pfkey derived 1412 * in netlink excl is a flag and you wouldnt need 1413 * a type XFRM_MSG_UPDPOLICY - JHS */ 1414 excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY; 1415 err = xfrm_policy_insert(p->dir, xp, excl); 1416 security_task_getsecid(current, &sid); 1417 xfrm_audit_policy_add(xp, err ? 0 : 1, loginuid, sessionid, sid); 1418 1419 if (err) { 1420 security_xfrm_policy_free(xp->security); 1421 kfree(xp); 1422 return err; 1423 } 1424 1425 c.event = nlh->nlmsg_type; 1426 c.seq = nlh->nlmsg_seq; 1427 c.pid = nlh->nlmsg_pid; 1428 km_policy_notify(xp, p->dir, &c); 1429 1430 xfrm_pol_put(xp); 1431 1432 return 0; 1433 } 1434 1435 static int copy_to_user_tmpl(struct xfrm_policy *xp, struct sk_buff *skb) 1436 { 1437 struct xfrm_user_tmpl vec[XFRM_MAX_DEPTH]; 1438 int i; 1439 1440 if (xp->xfrm_nr == 0) 1441 return 0; 1442 1443 for (i = 0; i < xp->xfrm_nr; i++) { 1444 struct xfrm_user_tmpl *up = &vec[i]; 1445 struct xfrm_tmpl *kp = &xp->xfrm_vec[i]; 1446 1447 memset(up, 0, sizeof(*up)); 1448 memcpy(&up->id, &kp->id, sizeof(up->id)); 1449 up->family = kp->encap_family; 1450 memcpy(&up->saddr, &kp->saddr, sizeof(up->saddr)); 1451 up->reqid = kp->reqid; 1452 up->mode = kp->mode; 1453 up->share = kp->share; 1454 up->optional = kp->optional; 1455 up->aalgos = kp->aalgos; 1456 up->ealgos = kp->ealgos; 1457 up->calgos = kp->calgos; 1458 } 1459 1460 return nla_put(skb, XFRMA_TMPL, 1461 sizeof(struct xfrm_user_tmpl) * xp->xfrm_nr, vec); 1462 } 1463 1464 static inline int copy_to_user_state_sec_ctx(struct xfrm_state *x, struct sk_buff *skb) 1465 { 1466 if (x->security) { 1467 return copy_sec_ctx(x->security, skb); 1468 } 1469 return 0; 1470 } 1471 1472 static inline int copy_to_user_sec_ctx(struct xfrm_policy *xp, struct sk_buff *skb) 1473 { 1474 if (xp->security) 1475 return copy_sec_ctx(xp->security, skb); 1476 return 0; 1477 } 1478 static inline size_t userpolicy_type_attrsize(void) 1479 { 1480 #ifdef CONFIG_XFRM_SUB_POLICY 1481 return nla_total_size(sizeof(struct xfrm_userpolicy_type)); 1482 #else 1483 return 0; 1484 #endif 1485 } 1486 1487 #ifdef CONFIG_XFRM_SUB_POLICY 1488 static int copy_to_user_policy_type(u8 type, struct sk_buff *skb) 1489 { 1490 struct xfrm_userpolicy_type upt = { 1491 .type = type, 1492 }; 1493 1494 return nla_put(skb, XFRMA_POLICY_TYPE, sizeof(upt), &upt); 1495 } 1496 1497 #else 1498 static inline int copy_to_user_policy_type(u8 type, struct sk_buff *skb) 1499 { 1500 return 0; 1501 } 1502 #endif 1503 1504 static int dump_one_policy(struct xfrm_policy *xp, int dir, int count, void *ptr) 1505 { 1506 struct xfrm_dump_info *sp = ptr; 1507 struct xfrm_userpolicy_info *p; 1508 struct sk_buff *in_skb = sp->in_skb; 1509 struct sk_buff *skb = sp->out_skb; 1510 struct nlmsghdr *nlh; 1511 int err; 1512 1513 nlh = nlmsg_put(skb, NETLINK_CB(in_skb).pid, sp->nlmsg_seq, 1514 XFRM_MSG_NEWPOLICY, sizeof(*p), sp->nlmsg_flags); 1515 if (nlh == NULL) 1516 return -EMSGSIZE; 1517 1518 p = nlmsg_data(nlh); 1519 copy_to_user_policy(xp, p, dir); 1520 err = copy_to_user_tmpl(xp, skb); 1521 if (!err) 1522 err = copy_to_user_sec_ctx(xp, skb); 1523 if (!err) 1524 err = copy_to_user_policy_type(xp->type, skb); 1525 if (!err) 1526 err = xfrm_mark_put(skb, &xp->mark); 1527 if (err) { 1528 nlmsg_cancel(skb, nlh); 1529 return err; 1530 } 1531 nlmsg_end(skb, nlh); 1532 return 0; 1533 } 1534 1535 static int xfrm_dump_policy_done(struct netlink_callback *cb) 1536 { 1537 struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *) &cb->args[1]; 1538 1539 xfrm_policy_walk_done(walk); 1540 return 0; 1541 } 1542 1543 static int xfrm_dump_policy(struct sk_buff *skb, struct netlink_callback *cb) 1544 { 1545 struct net *net = sock_net(skb->sk); 1546 struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *) &cb->args[1]; 1547 struct xfrm_dump_info info; 1548 1549 BUILD_BUG_ON(sizeof(struct xfrm_policy_walk) > 1550 sizeof(cb->args) - sizeof(cb->args[0])); 1551 1552 info.in_skb = cb->skb; 1553 info.out_skb = skb; 1554 info.nlmsg_seq = cb->nlh->nlmsg_seq; 1555 info.nlmsg_flags = NLM_F_MULTI; 1556 1557 if (!cb->args[0]) { 1558 cb->args[0] = 1; 1559 xfrm_policy_walk_init(walk, XFRM_POLICY_TYPE_ANY); 1560 } 1561 1562 (void) xfrm_policy_walk(net, walk, dump_one_policy, &info); 1563 1564 return skb->len; 1565 } 1566 1567 static struct sk_buff *xfrm_policy_netlink(struct sk_buff *in_skb, 1568 struct xfrm_policy *xp, 1569 int dir, u32 seq) 1570 { 1571 struct xfrm_dump_info info; 1572 struct sk_buff *skb; 1573 int err; 1574 1575 skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); 1576 if (!skb) 1577 return ERR_PTR(-ENOMEM); 1578 1579 info.in_skb = in_skb; 1580 info.out_skb = skb; 1581 info.nlmsg_seq = seq; 1582 info.nlmsg_flags = 0; 1583 1584 err = dump_one_policy(xp, dir, 0, &info); 1585 if (err) { 1586 kfree_skb(skb); 1587 return ERR_PTR(err); 1588 } 1589 1590 return skb; 1591 } 1592 1593 static int xfrm_get_policy(struct sk_buff *skb, struct nlmsghdr *nlh, 1594 struct nlattr **attrs) 1595 { 1596 struct net *net = sock_net(skb->sk); 1597 struct xfrm_policy *xp; 1598 struct xfrm_userpolicy_id *p; 1599 u8 type = XFRM_POLICY_TYPE_MAIN; 1600 int err; 1601 struct km_event c; 1602 int delete; 1603 struct xfrm_mark m; 1604 u32 mark = xfrm_mark_get(attrs, &m); 1605 1606 p = nlmsg_data(nlh); 1607 delete = nlh->nlmsg_type == XFRM_MSG_DELPOLICY; 1608 1609 err = copy_from_user_policy_type(&type, attrs); 1610 if (err) 1611 return err; 1612 1613 err = verify_policy_dir(p->dir); 1614 if (err) 1615 return err; 1616 1617 if (p->index) 1618 xp = xfrm_policy_byid(net, mark, type, p->dir, p->index, delete, &err); 1619 else { 1620 struct nlattr *rt = attrs[XFRMA_SEC_CTX]; 1621 struct xfrm_sec_ctx *ctx; 1622 1623 err = verify_sec_ctx_len(attrs); 1624 if (err) 1625 return err; 1626 1627 ctx = NULL; 1628 if (rt) { 1629 struct xfrm_user_sec_ctx *uctx = nla_data(rt); 1630 1631 err = security_xfrm_policy_alloc(&ctx, uctx); 1632 if (err) 1633 return err; 1634 } 1635 xp = xfrm_policy_bysel_ctx(net, mark, type, p->dir, &p->sel, 1636 ctx, delete, &err); 1637 security_xfrm_policy_free(ctx); 1638 } 1639 if (xp == NULL) 1640 return -ENOENT; 1641 1642 if (!delete) { 1643 struct sk_buff *resp_skb; 1644 1645 resp_skb = xfrm_policy_netlink(skb, xp, p->dir, nlh->nlmsg_seq); 1646 if (IS_ERR(resp_skb)) { 1647 err = PTR_ERR(resp_skb); 1648 } else { 1649 err = nlmsg_unicast(net->xfrm.nlsk, resp_skb, 1650 NETLINK_CB(skb).pid); 1651 } 1652 } else { 1653 uid_t loginuid = audit_get_loginuid(current); 1654 u32 sessionid = audit_get_sessionid(current); 1655 u32 sid; 1656 1657 security_task_getsecid(current, &sid); 1658 xfrm_audit_policy_delete(xp, err ? 0 : 1, loginuid, sessionid, 1659 sid); 1660 1661 if (err != 0) 1662 goto out; 1663 1664 c.data.byid = p->index; 1665 c.event = nlh->nlmsg_type; 1666 c.seq = nlh->nlmsg_seq; 1667 c.pid = nlh->nlmsg_pid; 1668 km_policy_notify(xp, p->dir, &c); 1669 } 1670 1671 out: 1672 xfrm_pol_put(xp); 1673 return err; 1674 } 1675 1676 static int xfrm_flush_sa(struct sk_buff *skb, struct nlmsghdr *nlh, 1677 struct nlattr **attrs) 1678 { 1679 struct net *net = sock_net(skb->sk); 1680 struct km_event c; 1681 struct xfrm_usersa_flush *p = nlmsg_data(nlh); 1682 struct xfrm_audit audit_info; 1683 int err; 1684 1685 audit_info.loginuid = audit_get_loginuid(current); 1686 audit_info.sessionid = audit_get_sessionid(current); 1687 security_task_getsecid(current, &audit_info.secid); 1688 err = xfrm_state_flush(net, p->proto, &audit_info); 1689 if (err) { 1690 if (err == -ESRCH) /* empty table */ 1691 return 0; 1692 return err; 1693 } 1694 c.data.proto = p->proto; 1695 c.event = nlh->nlmsg_type; 1696 c.seq = nlh->nlmsg_seq; 1697 c.pid = nlh->nlmsg_pid; 1698 c.net = net; 1699 km_state_notify(NULL, &c); 1700 1701 return 0; 1702 } 1703 1704 static inline size_t xfrm_aevent_msgsize(struct xfrm_state *x) 1705 { 1706 size_t replay_size = x->replay_esn ? 1707 xfrm_replay_state_esn_len(x->replay_esn) : 1708 sizeof(struct xfrm_replay_state); 1709 1710 return NLMSG_ALIGN(sizeof(struct xfrm_aevent_id)) 1711 + nla_total_size(replay_size) 1712 + nla_total_size(sizeof(struct xfrm_lifetime_cur)) 1713 + nla_total_size(sizeof(struct xfrm_mark)) 1714 + nla_total_size(4) /* XFRM_AE_RTHR */ 1715 + nla_total_size(4); /* XFRM_AE_ETHR */ 1716 } 1717 1718 static int build_aevent(struct sk_buff *skb, struct xfrm_state *x, const struct km_event *c) 1719 { 1720 struct xfrm_aevent_id *id; 1721 struct nlmsghdr *nlh; 1722 int err; 1723 1724 nlh = nlmsg_put(skb, c->pid, c->seq, XFRM_MSG_NEWAE, sizeof(*id), 0); 1725 if (nlh == NULL) 1726 return -EMSGSIZE; 1727 1728 id = nlmsg_data(nlh); 1729 memcpy(&id->sa_id.daddr, &x->id.daddr,sizeof(x->id.daddr)); 1730 id->sa_id.spi = x->id.spi; 1731 id->sa_id.family = x->props.family; 1732 id->sa_id.proto = x->id.proto; 1733 memcpy(&id->saddr, &x->props.saddr,sizeof(x->props.saddr)); 1734 id->reqid = x->props.reqid; 1735 id->flags = c->data.aevent; 1736 1737 if (x->replay_esn) { 1738 err = nla_put(skb, XFRMA_REPLAY_ESN_VAL, 1739 xfrm_replay_state_esn_len(x->replay_esn), 1740 x->replay_esn); 1741 } else { 1742 err = nla_put(skb, XFRMA_REPLAY_VAL, sizeof(x->replay), 1743 &x->replay); 1744 } 1745 if (err) 1746 goto out_cancel; 1747 err = nla_put(skb, XFRMA_LTIME_VAL, sizeof(x->curlft), &x->curlft); 1748 if (err) 1749 goto out_cancel; 1750 1751 if (id->flags & XFRM_AE_RTHR) { 1752 err = nla_put_u32(skb, XFRMA_REPLAY_THRESH, x->replay_maxdiff); 1753 if (err) 1754 goto out_cancel; 1755 } 1756 if (id->flags & XFRM_AE_ETHR) { 1757 err = nla_put_u32(skb, XFRMA_ETIMER_THRESH, 1758 x->replay_maxage * 10 / HZ); 1759 if (err) 1760 goto out_cancel; 1761 } 1762 err = xfrm_mark_put(skb, &x->mark); 1763 if (err) 1764 goto out_cancel; 1765 1766 return nlmsg_end(skb, nlh); 1767 1768 out_cancel: 1769 nlmsg_cancel(skb, nlh); 1770 return err; 1771 } 1772 1773 static int xfrm_get_ae(struct sk_buff *skb, struct nlmsghdr *nlh, 1774 struct nlattr **attrs) 1775 { 1776 struct net *net = sock_net(skb->sk); 1777 struct xfrm_state *x; 1778 struct sk_buff *r_skb; 1779 int err; 1780 struct km_event c; 1781 u32 mark; 1782 struct xfrm_mark m; 1783 struct xfrm_aevent_id *p = nlmsg_data(nlh); 1784 struct xfrm_usersa_id *id = &p->sa_id; 1785 1786 mark = xfrm_mark_get(attrs, &m); 1787 1788 x = xfrm_state_lookup(net, mark, &id->daddr, id->spi, id->proto, id->family); 1789 if (x == NULL) 1790 return -ESRCH; 1791 1792 r_skb = nlmsg_new(xfrm_aevent_msgsize(x), GFP_ATOMIC); 1793 if (r_skb == NULL) { 1794 xfrm_state_put(x); 1795 return -ENOMEM; 1796 } 1797 1798 /* 1799 * XXX: is this lock really needed - none of the other 1800 * gets lock (the concern is things getting updated 1801 * while we are still reading) - jhs 1802 */ 1803 spin_lock_bh(&x->lock); 1804 c.data.aevent = p->flags; 1805 c.seq = nlh->nlmsg_seq; 1806 c.pid = nlh->nlmsg_pid; 1807 1808 if (build_aevent(r_skb, x, &c) < 0) 1809 BUG(); 1810 err = nlmsg_unicast(net->xfrm.nlsk, r_skb, NETLINK_CB(skb).pid); 1811 spin_unlock_bh(&x->lock); 1812 xfrm_state_put(x); 1813 return err; 1814 } 1815 1816 static int xfrm_new_ae(struct sk_buff *skb, struct nlmsghdr *nlh, 1817 struct nlattr **attrs) 1818 { 1819 struct net *net = sock_net(skb->sk); 1820 struct xfrm_state *x; 1821 struct km_event c; 1822 int err = - EINVAL; 1823 u32 mark = 0; 1824 struct xfrm_mark m; 1825 struct xfrm_aevent_id *p = nlmsg_data(nlh); 1826 struct nlattr *rp = attrs[XFRMA_REPLAY_VAL]; 1827 struct nlattr *re = attrs[XFRMA_REPLAY_ESN_VAL]; 1828 struct nlattr *lt = attrs[XFRMA_LTIME_VAL]; 1829 1830 if (!lt && !rp && !re) 1831 return err; 1832 1833 /* pedantic mode - thou shalt sayeth replaceth */ 1834 if (!(nlh->nlmsg_flags&NLM_F_REPLACE)) 1835 return err; 1836 1837 mark = xfrm_mark_get(attrs, &m); 1838 1839 x = xfrm_state_lookup(net, mark, &p->sa_id.daddr, p->sa_id.spi, p->sa_id.proto, p->sa_id.family); 1840 if (x == NULL) 1841 return -ESRCH; 1842 1843 if (x->km.state != XFRM_STATE_VALID) 1844 goto out; 1845 1846 err = xfrm_replay_verify_len(x->replay_esn, rp); 1847 if (err) 1848 goto out; 1849 1850 spin_lock_bh(&x->lock); 1851 xfrm_update_ae_params(x, attrs); 1852 spin_unlock_bh(&x->lock); 1853 1854 c.event = nlh->nlmsg_type; 1855 c.seq = nlh->nlmsg_seq; 1856 c.pid = nlh->nlmsg_pid; 1857 c.data.aevent = XFRM_AE_CU; 1858 km_state_notify(x, &c); 1859 err = 0; 1860 out: 1861 xfrm_state_put(x); 1862 return err; 1863 } 1864 1865 static int xfrm_flush_policy(struct sk_buff *skb, struct nlmsghdr *nlh, 1866 struct nlattr **attrs) 1867 { 1868 struct net *net = sock_net(skb->sk); 1869 struct km_event c; 1870 u8 type = XFRM_POLICY_TYPE_MAIN; 1871 int err; 1872 struct xfrm_audit audit_info; 1873 1874 err = copy_from_user_policy_type(&type, attrs); 1875 if (err) 1876 return err; 1877 1878 audit_info.loginuid = audit_get_loginuid(current); 1879 audit_info.sessionid = audit_get_sessionid(current); 1880 security_task_getsecid(current, &audit_info.secid); 1881 err = xfrm_policy_flush(net, type, &audit_info); 1882 if (err) { 1883 if (err == -ESRCH) /* empty table */ 1884 return 0; 1885 return err; 1886 } 1887 1888 c.data.type = type; 1889 c.event = nlh->nlmsg_type; 1890 c.seq = nlh->nlmsg_seq; 1891 c.pid = nlh->nlmsg_pid; 1892 c.net = net; 1893 km_policy_notify(NULL, 0, &c); 1894 return 0; 1895 } 1896 1897 static int xfrm_add_pol_expire(struct sk_buff *skb, struct nlmsghdr *nlh, 1898 struct nlattr **attrs) 1899 { 1900 struct net *net = sock_net(skb->sk); 1901 struct xfrm_policy *xp; 1902 struct xfrm_user_polexpire *up = nlmsg_data(nlh); 1903 struct xfrm_userpolicy_info *p = &up->pol; 1904 u8 type = XFRM_POLICY_TYPE_MAIN; 1905 int err = -ENOENT; 1906 struct xfrm_mark m; 1907 u32 mark = xfrm_mark_get(attrs, &m); 1908 1909 err = copy_from_user_policy_type(&type, attrs); 1910 if (err) 1911 return err; 1912 1913 err = verify_policy_dir(p->dir); 1914 if (err) 1915 return err; 1916 1917 if (p->index) 1918 xp = xfrm_policy_byid(net, mark, type, p->dir, p->index, 0, &err); 1919 else { 1920 struct nlattr *rt = attrs[XFRMA_SEC_CTX]; 1921 struct xfrm_sec_ctx *ctx; 1922 1923 err = verify_sec_ctx_len(attrs); 1924 if (err) 1925 return err; 1926 1927 ctx = NULL; 1928 if (rt) { 1929 struct xfrm_user_sec_ctx *uctx = nla_data(rt); 1930 1931 err = security_xfrm_policy_alloc(&ctx, uctx); 1932 if (err) 1933 return err; 1934 } 1935 xp = xfrm_policy_bysel_ctx(net, mark, type, p->dir, 1936 &p->sel, ctx, 0, &err); 1937 security_xfrm_policy_free(ctx); 1938 } 1939 if (xp == NULL) 1940 return -ENOENT; 1941 1942 if (unlikely(xp->walk.dead)) 1943 goto out; 1944 1945 err = 0; 1946 if (up->hard) { 1947 uid_t loginuid = audit_get_loginuid(current); 1948 u32 sessionid = audit_get_sessionid(current); 1949 u32 sid; 1950 1951 security_task_getsecid(current, &sid); 1952 xfrm_policy_delete(xp, p->dir); 1953 xfrm_audit_policy_delete(xp, 1, loginuid, sessionid, sid); 1954 1955 } else { 1956 // reset the timers here? 1957 WARN(1, "Dont know what to do with soft policy expire\n"); 1958 } 1959 km_policy_expired(xp, p->dir, up->hard, current->pid); 1960 1961 out: 1962 xfrm_pol_put(xp); 1963 return err; 1964 } 1965 1966 static int xfrm_add_sa_expire(struct sk_buff *skb, struct nlmsghdr *nlh, 1967 struct nlattr **attrs) 1968 { 1969 struct net *net = sock_net(skb->sk); 1970 struct xfrm_state *x; 1971 int err; 1972 struct xfrm_user_expire *ue = nlmsg_data(nlh); 1973 struct xfrm_usersa_info *p = &ue->state; 1974 struct xfrm_mark m; 1975 u32 mark = xfrm_mark_get(attrs, &m); 1976 1977 x = xfrm_state_lookup(net, mark, &p->id.daddr, p->id.spi, p->id.proto, p->family); 1978 1979 err = -ENOENT; 1980 if (x == NULL) 1981 return err; 1982 1983 spin_lock_bh(&x->lock); 1984 err = -EINVAL; 1985 if (x->km.state != XFRM_STATE_VALID) 1986 goto out; 1987 km_state_expired(x, ue->hard, current->pid); 1988 1989 if (ue->hard) { 1990 uid_t loginuid = audit_get_loginuid(current); 1991 u32 sessionid = audit_get_sessionid(current); 1992 u32 sid; 1993 1994 security_task_getsecid(current, &sid); 1995 __xfrm_state_delete(x); 1996 xfrm_audit_state_delete(x, 1, loginuid, sessionid, sid); 1997 } 1998 err = 0; 1999 out: 2000 spin_unlock_bh(&x->lock); 2001 xfrm_state_put(x); 2002 return err; 2003 } 2004 2005 static int xfrm_add_acquire(struct sk_buff *skb, struct nlmsghdr *nlh, 2006 struct nlattr **attrs) 2007 { 2008 struct net *net = sock_net(skb->sk); 2009 struct xfrm_policy *xp; 2010 struct xfrm_user_tmpl *ut; 2011 int i; 2012 struct nlattr *rt = attrs[XFRMA_TMPL]; 2013 struct xfrm_mark mark; 2014 2015 struct xfrm_user_acquire *ua = nlmsg_data(nlh); 2016 struct xfrm_state *x = xfrm_state_alloc(net); 2017 int err = -ENOMEM; 2018 2019 if (!x) 2020 goto nomem; 2021 2022 xfrm_mark_get(attrs, &mark); 2023 2024 err = verify_newpolicy_info(&ua->policy); 2025 if (err) 2026 goto bad_policy; 2027 2028 /* build an XP */ 2029 xp = xfrm_policy_construct(net, &ua->policy, attrs, &err); 2030 if (!xp) 2031 goto free_state; 2032 2033 memcpy(&x->id, &ua->id, sizeof(ua->id)); 2034 memcpy(&x->props.saddr, &ua->saddr, sizeof(ua->saddr)); 2035 memcpy(&x->sel, &ua->sel, sizeof(ua->sel)); 2036 xp->mark.m = x->mark.m = mark.m; 2037 xp->mark.v = x->mark.v = mark.v; 2038 ut = nla_data(rt); 2039 /* extract the templates and for each call km_key */ 2040 for (i = 0; i < xp->xfrm_nr; i++, ut++) { 2041 struct xfrm_tmpl *t = &xp->xfrm_vec[i]; 2042 memcpy(&x->id, &t->id, sizeof(x->id)); 2043 x->props.mode = t->mode; 2044 x->props.reqid = t->reqid; 2045 x->props.family = ut->family; 2046 t->aalgos = ua->aalgos; 2047 t->ealgos = ua->ealgos; 2048 t->calgos = ua->calgos; 2049 err = km_query(x, t, xp); 2050 2051 } 2052 2053 kfree(x); 2054 kfree(xp); 2055 2056 return 0; 2057 2058 bad_policy: 2059 WARN(1, "BAD policy passed\n"); 2060 free_state: 2061 kfree(x); 2062 nomem: 2063 return err; 2064 } 2065 2066 #ifdef CONFIG_XFRM_MIGRATE 2067 static int copy_from_user_migrate(struct xfrm_migrate *ma, 2068 struct xfrm_kmaddress *k, 2069 struct nlattr **attrs, int *num) 2070 { 2071 struct nlattr *rt = attrs[XFRMA_MIGRATE]; 2072 struct xfrm_user_migrate *um; 2073 int i, num_migrate; 2074 2075 if (k != NULL) { 2076 struct xfrm_user_kmaddress *uk; 2077 2078 uk = nla_data(attrs[XFRMA_KMADDRESS]); 2079 memcpy(&k->local, &uk->local, sizeof(k->local)); 2080 memcpy(&k->remote, &uk->remote, sizeof(k->remote)); 2081 k->family = uk->family; 2082 k->reserved = uk->reserved; 2083 } 2084 2085 um = nla_data(rt); 2086 num_migrate = nla_len(rt) / sizeof(*um); 2087 2088 if (num_migrate <= 0 || num_migrate > XFRM_MAX_DEPTH) 2089 return -EINVAL; 2090 2091 for (i = 0; i < num_migrate; i++, um++, ma++) { 2092 memcpy(&ma->old_daddr, &um->old_daddr, sizeof(ma->old_daddr)); 2093 memcpy(&ma->old_saddr, &um->old_saddr, sizeof(ma->old_saddr)); 2094 memcpy(&ma->new_daddr, &um->new_daddr, sizeof(ma->new_daddr)); 2095 memcpy(&ma->new_saddr, &um->new_saddr, sizeof(ma->new_saddr)); 2096 2097 ma->proto = um->proto; 2098 ma->mode = um->mode; 2099 ma->reqid = um->reqid; 2100 2101 ma->old_family = um->old_family; 2102 ma->new_family = um->new_family; 2103 } 2104 2105 *num = i; 2106 return 0; 2107 } 2108 2109 static int xfrm_do_migrate(struct sk_buff *skb, struct nlmsghdr *nlh, 2110 struct nlattr **attrs) 2111 { 2112 struct xfrm_userpolicy_id *pi = nlmsg_data(nlh); 2113 struct xfrm_migrate m[XFRM_MAX_DEPTH]; 2114 struct xfrm_kmaddress km, *kmp; 2115 u8 type; 2116 int err; 2117 int n = 0; 2118 2119 if (attrs[XFRMA_MIGRATE] == NULL) 2120 return -EINVAL; 2121 2122 kmp = attrs[XFRMA_KMADDRESS] ? &km : NULL; 2123 2124 err = copy_from_user_policy_type(&type, attrs); 2125 if (err) 2126 return err; 2127 2128 err = copy_from_user_migrate((struct xfrm_migrate *)m, kmp, attrs, &n); 2129 if (err) 2130 return err; 2131 2132 if (!n) 2133 return 0; 2134 2135 xfrm_migrate(&pi->sel, pi->dir, type, m, n, kmp); 2136 2137 return 0; 2138 } 2139 #else 2140 static int xfrm_do_migrate(struct sk_buff *skb, struct nlmsghdr *nlh, 2141 struct nlattr **attrs) 2142 { 2143 return -ENOPROTOOPT; 2144 } 2145 #endif 2146 2147 #ifdef CONFIG_XFRM_MIGRATE 2148 static int copy_to_user_migrate(const struct xfrm_migrate *m, struct sk_buff *skb) 2149 { 2150 struct xfrm_user_migrate um; 2151 2152 memset(&um, 0, sizeof(um)); 2153 um.proto = m->proto; 2154 um.mode = m->mode; 2155 um.reqid = m->reqid; 2156 um.old_family = m->old_family; 2157 memcpy(&um.old_daddr, &m->old_daddr, sizeof(um.old_daddr)); 2158 memcpy(&um.old_saddr, &m->old_saddr, sizeof(um.old_saddr)); 2159 um.new_family = m->new_family; 2160 memcpy(&um.new_daddr, &m->new_daddr, sizeof(um.new_daddr)); 2161 memcpy(&um.new_saddr, &m->new_saddr, sizeof(um.new_saddr)); 2162 2163 return nla_put(skb, XFRMA_MIGRATE, sizeof(um), &um); 2164 } 2165 2166 static int copy_to_user_kmaddress(const struct xfrm_kmaddress *k, struct sk_buff *skb) 2167 { 2168 struct xfrm_user_kmaddress uk; 2169 2170 memset(&uk, 0, sizeof(uk)); 2171 uk.family = k->family; 2172 uk.reserved = k->reserved; 2173 memcpy(&uk.local, &k->local, sizeof(uk.local)); 2174 memcpy(&uk.remote, &k->remote, sizeof(uk.remote)); 2175 2176 return nla_put(skb, XFRMA_KMADDRESS, sizeof(uk), &uk); 2177 } 2178 2179 static inline size_t xfrm_migrate_msgsize(int num_migrate, int with_kma) 2180 { 2181 return NLMSG_ALIGN(sizeof(struct xfrm_userpolicy_id)) 2182 + (with_kma ? nla_total_size(sizeof(struct xfrm_kmaddress)) : 0) 2183 + nla_total_size(sizeof(struct xfrm_user_migrate) * num_migrate) 2184 + userpolicy_type_attrsize(); 2185 } 2186 2187 static int build_migrate(struct sk_buff *skb, const struct xfrm_migrate *m, 2188 int num_migrate, const struct xfrm_kmaddress *k, 2189 const struct xfrm_selector *sel, u8 dir, u8 type) 2190 { 2191 const struct xfrm_migrate *mp; 2192 struct xfrm_userpolicy_id *pol_id; 2193 struct nlmsghdr *nlh; 2194 int i, err; 2195 2196 nlh = nlmsg_put(skb, 0, 0, XFRM_MSG_MIGRATE, sizeof(*pol_id), 0); 2197 if (nlh == NULL) 2198 return -EMSGSIZE; 2199 2200 pol_id = nlmsg_data(nlh); 2201 /* copy data from selector, dir, and type to the pol_id */ 2202 memset(pol_id, 0, sizeof(*pol_id)); 2203 memcpy(&pol_id->sel, sel, sizeof(pol_id->sel)); 2204 pol_id->dir = dir; 2205 2206 if (k != NULL) { 2207 err = copy_to_user_kmaddress(k, skb); 2208 if (err) 2209 goto out_cancel; 2210 } 2211 err = copy_to_user_policy_type(type, skb); 2212 if (err) 2213 goto out_cancel; 2214 for (i = 0, mp = m ; i < num_migrate; i++, mp++) { 2215 err = copy_to_user_migrate(mp, skb); 2216 if (err) 2217 goto out_cancel; 2218 } 2219 2220 return nlmsg_end(skb, nlh); 2221 2222 out_cancel: 2223 nlmsg_cancel(skb, nlh); 2224 return err; 2225 } 2226 2227 static int xfrm_send_migrate(const struct xfrm_selector *sel, u8 dir, u8 type, 2228 const struct xfrm_migrate *m, int num_migrate, 2229 const struct xfrm_kmaddress *k) 2230 { 2231 struct net *net = &init_net; 2232 struct sk_buff *skb; 2233 2234 skb = nlmsg_new(xfrm_migrate_msgsize(num_migrate, !!k), GFP_ATOMIC); 2235 if (skb == NULL) 2236 return -ENOMEM; 2237 2238 /* build migrate */ 2239 if (build_migrate(skb, m, num_migrate, k, sel, dir, type) < 0) 2240 BUG(); 2241 2242 return nlmsg_multicast(net->xfrm.nlsk, skb, 0, XFRMNLGRP_MIGRATE, GFP_ATOMIC); 2243 } 2244 #else 2245 static int xfrm_send_migrate(const struct xfrm_selector *sel, u8 dir, u8 type, 2246 const struct xfrm_migrate *m, int num_migrate, 2247 const struct xfrm_kmaddress *k) 2248 { 2249 return -ENOPROTOOPT; 2250 } 2251 #endif 2252 2253 #define XMSGSIZE(type) sizeof(struct type) 2254 2255 static const int xfrm_msg_min[XFRM_NR_MSGTYPES] = { 2256 [XFRM_MSG_NEWSA - XFRM_MSG_BASE] = XMSGSIZE(xfrm_usersa_info), 2257 [XFRM_MSG_DELSA - XFRM_MSG_BASE] = XMSGSIZE(xfrm_usersa_id), 2258 [XFRM_MSG_GETSA - XFRM_MSG_BASE] = XMSGSIZE(xfrm_usersa_id), 2259 [XFRM_MSG_NEWPOLICY - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_info), 2260 [XFRM_MSG_DELPOLICY - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_id), 2261 [XFRM_MSG_GETPOLICY - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_id), 2262 [XFRM_MSG_ALLOCSPI - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userspi_info), 2263 [XFRM_MSG_ACQUIRE - XFRM_MSG_BASE] = XMSGSIZE(xfrm_user_acquire), 2264 [XFRM_MSG_EXPIRE - XFRM_MSG_BASE] = XMSGSIZE(xfrm_user_expire), 2265 [XFRM_MSG_UPDPOLICY - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_info), 2266 [XFRM_MSG_UPDSA - XFRM_MSG_BASE] = XMSGSIZE(xfrm_usersa_info), 2267 [XFRM_MSG_POLEXPIRE - XFRM_MSG_BASE] = XMSGSIZE(xfrm_user_polexpire), 2268 [XFRM_MSG_FLUSHSA - XFRM_MSG_BASE] = XMSGSIZE(xfrm_usersa_flush), 2269 [XFRM_MSG_FLUSHPOLICY - XFRM_MSG_BASE] = 0, 2270 [XFRM_MSG_NEWAE - XFRM_MSG_BASE] = XMSGSIZE(xfrm_aevent_id), 2271 [XFRM_MSG_GETAE - XFRM_MSG_BASE] = XMSGSIZE(xfrm_aevent_id), 2272 [XFRM_MSG_REPORT - XFRM_MSG_BASE] = XMSGSIZE(xfrm_user_report), 2273 [XFRM_MSG_MIGRATE - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_id), 2274 [XFRM_MSG_GETSADINFO - XFRM_MSG_BASE] = sizeof(u32), 2275 [XFRM_MSG_GETSPDINFO - XFRM_MSG_BASE] = sizeof(u32), 2276 }; 2277 2278 #undef XMSGSIZE 2279 2280 static const struct nla_policy xfrma_policy[XFRMA_MAX+1] = { 2281 [XFRMA_SA] = { .len = sizeof(struct xfrm_usersa_info)}, 2282 [XFRMA_POLICY] = { .len = sizeof(struct xfrm_userpolicy_info)}, 2283 [XFRMA_LASTUSED] = { .type = NLA_U64}, 2284 [XFRMA_ALG_AUTH_TRUNC] = { .len = sizeof(struct xfrm_algo_auth)}, 2285 [XFRMA_ALG_AEAD] = { .len = sizeof(struct xfrm_algo_aead) }, 2286 [XFRMA_ALG_AUTH] = { .len = sizeof(struct xfrm_algo) }, 2287 [XFRMA_ALG_CRYPT] = { .len = sizeof(struct xfrm_algo) }, 2288 [XFRMA_ALG_COMP] = { .len = sizeof(struct xfrm_algo) }, 2289 [XFRMA_ENCAP] = { .len = sizeof(struct xfrm_encap_tmpl) }, 2290 [XFRMA_TMPL] = { .len = sizeof(struct xfrm_user_tmpl) }, 2291 [XFRMA_SEC_CTX] = { .len = sizeof(struct xfrm_sec_ctx) }, 2292 [XFRMA_LTIME_VAL] = { .len = sizeof(struct xfrm_lifetime_cur) }, 2293 [XFRMA_REPLAY_VAL] = { .len = sizeof(struct xfrm_replay_state) }, 2294 [XFRMA_REPLAY_THRESH] = { .type = NLA_U32 }, 2295 [XFRMA_ETIMER_THRESH] = { .type = NLA_U32 }, 2296 [XFRMA_SRCADDR] = { .len = sizeof(xfrm_address_t) }, 2297 [XFRMA_COADDR] = { .len = sizeof(xfrm_address_t) }, 2298 [XFRMA_POLICY_TYPE] = { .len = sizeof(struct xfrm_userpolicy_type)}, 2299 [XFRMA_MIGRATE] = { .len = sizeof(struct xfrm_user_migrate) }, 2300 [XFRMA_KMADDRESS] = { .len = sizeof(struct xfrm_user_kmaddress) }, 2301 [XFRMA_MARK] = { .len = sizeof(struct xfrm_mark) }, 2302 [XFRMA_TFCPAD] = { .type = NLA_U32 }, 2303 [XFRMA_REPLAY_ESN_VAL] = { .len = sizeof(struct xfrm_replay_state_esn) }, 2304 }; 2305 2306 static struct xfrm_link { 2307 int (*doit)(struct sk_buff *, struct nlmsghdr *, struct nlattr **); 2308 int (*dump)(struct sk_buff *, struct netlink_callback *); 2309 int (*done)(struct netlink_callback *); 2310 } xfrm_dispatch[XFRM_NR_MSGTYPES] = { 2311 [XFRM_MSG_NEWSA - XFRM_MSG_BASE] = { .doit = xfrm_add_sa }, 2312 [XFRM_MSG_DELSA - XFRM_MSG_BASE] = { .doit = xfrm_del_sa }, 2313 [XFRM_MSG_GETSA - XFRM_MSG_BASE] = { .doit = xfrm_get_sa, 2314 .dump = xfrm_dump_sa, 2315 .done = xfrm_dump_sa_done }, 2316 [XFRM_MSG_NEWPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_add_policy }, 2317 [XFRM_MSG_DELPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_get_policy }, 2318 [XFRM_MSG_GETPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_get_policy, 2319 .dump = xfrm_dump_policy, 2320 .done = xfrm_dump_policy_done }, 2321 [XFRM_MSG_ALLOCSPI - XFRM_MSG_BASE] = { .doit = xfrm_alloc_userspi }, 2322 [XFRM_MSG_ACQUIRE - XFRM_MSG_BASE] = { .doit = xfrm_add_acquire }, 2323 [XFRM_MSG_EXPIRE - XFRM_MSG_BASE] = { .doit = xfrm_add_sa_expire }, 2324 [XFRM_MSG_UPDPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_add_policy }, 2325 [XFRM_MSG_UPDSA - XFRM_MSG_BASE] = { .doit = xfrm_add_sa }, 2326 [XFRM_MSG_POLEXPIRE - XFRM_MSG_BASE] = { .doit = xfrm_add_pol_expire}, 2327 [XFRM_MSG_FLUSHSA - XFRM_MSG_BASE] = { .doit = xfrm_flush_sa }, 2328 [XFRM_MSG_FLUSHPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_flush_policy }, 2329 [XFRM_MSG_NEWAE - XFRM_MSG_BASE] = { .doit = xfrm_new_ae }, 2330 [XFRM_MSG_GETAE - XFRM_MSG_BASE] = { .doit = xfrm_get_ae }, 2331 [XFRM_MSG_MIGRATE - XFRM_MSG_BASE] = { .doit = xfrm_do_migrate }, 2332 [XFRM_MSG_GETSADINFO - XFRM_MSG_BASE] = { .doit = xfrm_get_sadinfo }, 2333 [XFRM_MSG_GETSPDINFO - XFRM_MSG_BASE] = { .doit = xfrm_get_spdinfo }, 2334 }; 2335 2336 static int xfrm_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh) 2337 { 2338 struct net *net = sock_net(skb->sk); 2339 struct nlattr *attrs[XFRMA_MAX+1]; 2340 struct xfrm_link *link; 2341 int type, err; 2342 2343 type = nlh->nlmsg_type; 2344 if (type > XFRM_MSG_MAX) 2345 return -EINVAL; 2346 2347 type -= XFRM_MSG_BASE; 2348 link = &xfrm_dispatch[type]; 2349 2350 /* All operations require privileges, even GET */ 2351 if (!capable(CAP_NET_ADMIN)) 2352 return -EPERM; 2353 2354 if ((type == (XFRM_MSG_GETSA - XFRM_MSG_BASE) || 2355 type == (XFRM_MSG_GETPOLICY - XFRM_MSG_BASE)) && 2356 (nlh->nlmsg_flags & NLM_F_DUMP)) { 2357 if (link->dump == NULL) 2358 return -EINVAL; 2359 2360 { 2361 struct netlink_dump_control c = { 2362 .dump = link->dump, 2363 .done = link->done, 2364 }; 2365 return netlink_dump_start(net->xfrm.nlsk, skb, nlh, &c); 2366 } 2367 } 2368 2369 err = nlmsg_parse(nlh, xfrm_msg_min[type], attrs, XFRMA_MAX, 2370 xfrma_policy); 2371 if (err < 0) 2372 return err; 2373 2374 if (link->doit == NULL) 2375 return -EINVAL; 2376 2377 return link->doit(skb, nlh, attrs); 2378 } 2379 2380 static void xfrm_netlink_rcv(struct sk_buff *skb) 2381 { 2382 mutex_lock(&xfrm_cfg_mutex); 2383 netlink_rcv_skb(skb, &xfrm_user_rcv_msg); 2384 mutex_unlock(&xfrm_cfg_mutex); 2385 } 2386 2387 static inline size_t xfrm_expire_msgsize(void) 2388 { 2389 return NLMSG_ALIGN(sizeof(struct xfrm_user_expire)) 2390 + nla_total_size(sizeof(struct xfrm_mark)); 2391 } 2392 2393 static int build_expire(struct sk_buff *skb, struct xfrm_state *x, const struct km_event *c) 2394 { 2395 struct xfrm_user_expire *ue; 2396 struct nlmsghdr *nlh; 2397 int err; 2398 2399 nlh = nlmsg_put(skb, c->pid, 0, XFRM_MSG_EXPIRE, sizeof(*ue), 0); 2400 if (nlh == NULL) 2401 return -EMSGSIZE; 2402 2403 ue = nlmsg_data(nlh); 2404 copy_to_user_state(x, &ue->state); 2405 ue->hard = (c->data.hard != 0) ? 1 : 0; 2406 2407 err = xfrm_mark_put(skb, &x->mark); 2408 if (err) 2409 return err; 2410 2411 return nlmsg_end(skb, nlh); 2412 } 2413 2414 static int xfrm_exp_state_notify(struct xfrm_state *x, const struct km_event *c) 2415 { 2416 struct net *net = xs_net(x); 2417 struct sk_buff *skb; 2418 2419 skb = nlmsg_new(xfrm_expire_msgsize(), GFP_ATOMIC); 2420 if (skb == NULL) 2421 return -ENOMEM; 2422 2423 if (build_expire(skb, x, c) < 0) { 2424 kfree_skb(skb); 2425 return -EMSGSIZE; 2426 } 2427 2428 return nlmsg_multicast(net->xfrm.nlsk, skb, 0, XFRMNLGRP_EXPIRE, GFP_ATOMIC); 2429 } 2430 2431 static int xfrm_aevent_state_notify(struct xfrm_state *x, const struct km_event *c) 2432 { 2433 struct net *net = xs_net(x); 2434 struct sk_buff *skb; 2435 2436 skb = nlmsg_new(xfrm_aevent_msgsize(x), GFP_ATOMIC); 2437 if (skb == NULL) 2438 return -ENOMEM; 2439 2440 if (build_aevent(skb, x, c) < 0) 2441 BUG(); 2442 2443 return nlmsg_multicast(net->xfrm.nlsk, skb, 0, XFRMNLGRP_AEVENTS, GFP_ATOMIC); 2444 } 2445 2446 static int xfrm_notify_sa_flush(const struct km_event *c) 2447 { 2448 struct net *net = c->net; 2449 struct xfrm_usersa_flush *p; 2450 struct nlmsghdr *nlh; 2451 struct sk_buff *skb; 2452 int len = NLMSG_ALIGN(sizeof(struct xfrm_usersa_flush)); 2453 2454 skb = nlmsg_new(len, GFP_ATOMIC); 2455 if (skb == NULL) 2456 return -ENOMEM; 2457 2458 nlh = nlmsg_put(skb, c->pid, c->seq, XFRM_MSG_FLUSHSA, sizeof(*p), 0); 2459 if (nlh == NULL) { 2460 kfree_skb(skb); 2461 return -EMSGSIZE; 2462 } 2463 2464 p = nlmsg_data(nlh); 2465 p->proto = c->data.proto; 2466 2467 nlmsg_end(skb, nlh); 2468 2469 return nlmsg_multicast(net->xfrm.nlsk, skb, 0, XFRMNLGRP_SA, GFP_ATOMIC); 2470 } 2471 2472 static inline size_t xfrm_sa_len(struct xfrm_state *x) 2473 { 2474 size_t l = 0; 2475 if (x->aead) 2476 l += nla_total_size(aead_len(x->aead)); 2477 if (x->aalg) { 2478 l += nla_total_size(sizeof(struct xfrm_algo) + 2479 (x->aalg->alg_key_len + 7) / 8); 2480 l += nla_total_size(xfrm_alg_auth_len(x->aalg)); 2481 } 2482 if (x->ealg) 2483 l += nla_total_size(xfrm_alg_len(x->ealg)); 2484 if (x->calg) 2485 l += nla_total_size(sizeof(*x->calg)); 2486 if (x->encap) 2487 l += nla_total_size(sizeof(*x->encap)); 2488 if (x->tfcpad) 2489 l += nla_total_size(sizeof(x->tfcpad)); 2490 if (x->replay_esn) 2491 l += nla_total_size(xfrm_replay_state_esn_len(x->replay_esn)); 2492 if (x->security) 2493 l += nla_total_size(sizeof(struct xfrm_user_sec_ctx) + 2494 x->security->ctx_len); 2495 if (x->coaddr) 2496 l += nla_total_size(sizeof(*x->coaddr)); 2497 2498 /* Must count x->lastused as it may become non-zero behind our back. */ 2499 l += nla_total_size(sizeof(u64)); 2500 2501 return l; 2502 } 2503 2504 static int xfrm_notify_sa(struct xfrm_state *x, const struct km_event *c) 2505 { 2506 struct net *net = xs_net(x); 2507 struct xfrm_usersa_info *p; 2508 struct xfrm_usersa_id *id; 2509 struct nlmsghdr *nlh; 2510 struct sk_buff *skb; 2511 int len = xfrm_sa_len(x); 2512 int headlen, err; 2513 2514 headlen = sizeof(*p); 2515 if (c->event == XFRM_MSG_DELSA) { 2516 len += nla_total_size(headlen); 2517 headlen = sizeof(*id); 2518 len += nla_total_size(sizeof(struct xfrm_mark)); 2519 } 2520 len += NLMSG_ALIGN(headlen); 2521 2522 skb = nlmsg_new(len, GFP_ATOMIC); 2523 if (skb == NULL) 2524 return -ENOMEM; 2525 2526 nlh = nlmsg_put(skb, c->pid, c->seq, c->event, headlen, 0); 2527 err = -EMSGSIZE; 2528 if (nlh == NULL) 2529 goto out_free_skb; 2530 2531 p = nlmsg_data(nlh); 2532 if (c->event == XFRM_MSG_DELSA) { 2533 struct nlattr *attr; 2534 2535 id = nlmsg_data(nlh); 2536 memcpy(&id->daddr, &x->id.daddr, sizeof(id->daddr)); 2537 id->spi = x->id.spi; 2538 id->family = x->props.family; 2539 id->proto = x->id.proto; 2540 2541 attr = nla_reserve(skb, XFRMA_SA, sizeof(*p)); 2542 err = -EMSGSIZE; 2543 if (attr == NULL) 2544 goto out_free_skb; 2545 2546 p = nla_data(attr); 2547 } 2548 err = copy_to_user_state_extra(x, p, skb); 2549 if (err) 2550 goto out_free_skb; 2551 2552 nlmsg_end(skb, nlh); 2553 2554 return nlmsg_multicast(net->xfrm.nlsk, skb, 0, XFRMNLGRP_SA, GFP_ATOMIC); 2555 2556 out_free_skb: 2557 kfree_skb(skb); 2558 return err; 2559 } 2560 2561 static int xfrm_send_state_notify(struct xfrm_state *x, const struct km_event *c) 2562 { 2563 2564 switch (c->event) { 2565 case XFRM_MSG_EXPIRE: 2566 return xfrm_exp_state_notify(x, c); 2567 case XFRM_MSG_NEWAE: 2568 return xfrm_aevent_state_notify(x, c); 2569 case XFRM_MSG_DELSA: 2570 case XFRM_MSG_UPDSA: 2571 case XFRM_MSG_NEWSA: 2572 return xfrm_notify_sa(x, c); 2573 case XFRM_MSG_FLUSHSA: 2574 return xfrm_notify_sa_flush(c); 2575 default: 2576 printk(KERN_NOTICE "xfrm_user: Unknown SA event %d\n", 2577 c->event); 2578 break; 2579 } 2580 2581 return 0; 2582 2583 } 2584 2585 static inline size_t xfrm_acquire_msgsize(struct xfrm_state *x, 2586 struct xfrm_policy *xp) 2587 { 2588 return NLMSG_ALIGN(sizeof(struct xfrm_user_acquire)) 2589 + nla_total_size(sizeof(struct xfrm_user_tmpl) * xp->xfrm_nr) 2590 + nla_total_size(sizeof(struct xfrm_mark)) 2591 + nla_total_size(xfrm_user_sec_ctx_size(x->security)) 2592 + userpolicy_type_attrsize(); 2593 } 2594 2595 static int build_acquire(struct sk_buff *skb, struct xfrm_state *x, 2596 struct xfrm_tmpl *xt, struct xfrm_policy *xp, 2597 int dir) 2598 { 2599 __u32 seq = xfrm_get_acqseq(); 2600 struct xfrm_user_acquire *ua; 2601 struct nlmsghdr *nlh; 2602 int err; 2603 2604 nlh = nlmsg_put(skb, 0, 0, XFRM_MSG_ACQUIRE, sizeof(*ua), 0); 2605 if (nlh == NULL) 2606 return -EMSGSIZE; 2607 2608 ua = nlmsg_data(nlh); 2609 memcpy(&ua->id, &x->id, sizeof(ua->id)); 2610 memcpy(&ua->saddr, &x->props.saddr, sizeof(ua->saddr)); 2611 memcpy(&ua->sel, &x->sel, sizeof(ua->sel)); 2612 copy_to_user_policy(xp, &ua->policy, dir); 2613 ua->aalgos = xt->aalgos; 2614 ua->ealgos = xt->ealgos; 2615 ua->calgos = xt->calgos; 2616 ua->seq = x->km.seq = seq; 2617 2618 err = copy_to_user_tmpl(xp, skb); 2619 if (!err) 2620 err = copy_to_user_state_sec_ctx(x, skb); 2621 if (!err) 2622 err = copy_to_user_policy_type(xp->type, skb); 2623 if (!err) 2624 err = xfrm_mark_put(skb, &xp->mark); 2625 if (err) { 2626 nlmsg_cancel(skb, nlh); 2627 return err; 2628 } 2629 2630 return nlmsg_end(skb, nlh); 2631 } 2632 2633 static int xfrm_send_acquire(struct xfrm_state *x, struct xfrm_tmpl *xt, 2634 struct xfrm_policy *xp, int dir) 2635 { 2636 struct net *net = xs_net(x); 2637 struct sk_buff *skb; 2638 2639 skb = nlmsg_new(xfrm_acquire_msgsize(x, xp), GFP_ATOMIC); 2640 if (skb == NULL) 2641 return -ENOMEM; 2642 2643 if (build_acquire(skb, x, xt, xp, dir) < 0) 2644 BUG(); 2645 2646 return nlmsg_multicast(net->xfrm.nlsk, skb, 0, XFRMNLGRP_ACQUIRE, GFP_ATOMIC); 2647 } 2648 2649 /* User gives us xfrm_user_policy_info followed by an array of 0 2650 * or more templates. 2651 */ 2652 static struct xfrm_policy *xfrm_compile_policy(struct sock *sk, int opt, 2653 u8 *data, int len, int *dir) 2654 { 2655 struct net *net = sock_net(sk); 2656 struct xfrm_userpolicy_info *p = (struct xfrm_userpolicy_info *)data; 2657 struct xfrm_user_tmpl *ut = (struct xfrm_user_tmpl *) (p + 1); 2658 struct xfrm_policy *xp; 2659 int nr; 2660 2661 switch (sk->sk_family) { 2662 case AF_INET: 2663 if (opt != IP_XFRM_POLICY) { 2664 *dir = -EOPNOTSUPP; 2665 return NULL; 2666 } 2667 break; 2668 #if IS_ENABLED(CONFIG_IPV6) 2669 case AF_INET6: 2670 if (opt != IPV6_XFRM_POLICY) { 2671 *dir = -EOPNOTSUPP; 2672 return NULL; 2673 } 2674 break; 2675 #endif 2676 default: 2677 *dir = -EINVAL; 2678 return NULL; 2679 } 2680 2681 *dir = -EINVAL; 2682 2683 if (len < sizeof(*p) || 2684 verify_newpolicy_info(p)) 2685 return NULL; 2686 2687 nr = ((len - sizeof(*p)) / sizeof(*ut)); 2688 if (validate_tmpl(nr, ut, p->sel.family)) 2689 return NULL; 2690 2691 if (p->dir > XFRM_POLICY_OUT) 2692 return NULL; 2693 2694 xp = xfrm_policy_alloc(net, GFP_ATOMIC); 2695 if (xp == NULL) { 2696 *dir = -ENOBUFS; 2697 return NULL; 2698 } 2699 2700 copy_from_user_policy(xp, p); 2701 xp->type = XFRM_POLICY_TYPE_MAIN; 2702 copy_templates(xp, ut, nr); 2703 2704 *dir = p->dir; 2705 2706 return xp; 2707 } 2708 2709 static inline size_t xfrm_polexpire_msgsize(struct xfrm_policy *xp) 2710 { 2711 return NLMSG_ALIGN(sizeof(struct xfrm_user_polexpire)) 2712 + nla_total_size(sizeof(struct xfrm_user_tmpl) * xp->xfrm_nr) 2713 + nla_total_size(xfrm_user_sec_ctx_size(xp->security)) 2714 + nla_total_size(sizeof(struct xfrm_mark)) 2715 + userpolicy_type_attrsize(); 2716 } 2717 2718 static int build_polexpire(struct sk_buff *skb, struct xfrm_policy *xp, 2719 int dir, const struct km_event *c) 2720 { 2721 struct xfrm_user_polexpire *upe; 2722 int hard = c->data.hard; 2723 struct nlmsghdr *nlh; 2724 int err; 2725 2726 nlh = nlmsg_put(skb, c->pid, 0, XFRM_MSG_POLEXPIRE, sizeof(*upe), 0); 2727 if (nlh == NULL) 2728 return -EMSGSIZE; 2729 2730 upe = nlmsg_data(nlh); 2731 copy_to_user_policy(xp, &upe->pol, dir); 2732 err = copy_to_user_tmpl(xp, skb); 2733 if (!err) 2734 err = copy_to_user_sec_ctx(xp, skb); 2735 if (!err) 2736 err = copy_to_user_policy_type(xp->type, skb); 2737 if (!err) 2738 err = xfrm_mark_put(skb, &xp->mark); 2739 if (err) { 2740 nlmsg_cancel(skb, nlh); 2741 return err; 2742 } 2743 upe->hard = !!hard; 2744 2745 return nlmsg_end(skb, nlh); 2746 } 2747 2748 static int xfrm_exp_policy_notify(struct xfrm_policy *xp, int dir, const struct km_event *c) 2749 { 2750 struct net *net = xp_net(xp); 2751 struct sk_buff *skb; 2752 2753 skb = nlmsg_new(xfrm_polexpire_msgsize(xp), GFP_ATOMIC); 2754 if (skb == NULL) 2755 return -ENOMEM; 2756 2757 if (build_polexpire(skb, xp, dir, c) < 0) 2758 BUG(); 2759 2760 return nlmsg_multicast(net->xfrm.nlsk, skb, 0, XFRMNLGRP_EXPIRE, GFP_ATOMIC); 2761 } 2762 2763 static int xfrm_notify_policy(struct xfrm_policy *xp, int dir, const struct km_event *c) 2764 { 2765 int len = nla_total_size(sizeof(struct xfrm_user_tmpl) * xp->xfrm_nr); 2766 struct net *net = xp_net(xp); 2767 struct xfrm_userpolicy_info *p; 2768 struct xfrm_userpolicy_id *id; 2769 struct nlmsghdr *nlh; 2770 struct sk_buff *skb; 2771 int headlen, err; 2772 2773 headlen = sizeof(*p); 2774 if (c->event == XFRM_MSG_DELPOLICY) { 2775 len += nla_total_size(headlen); 2776 headlen = sizeof(*id); 2777 } 2778 len += userpolicy_type_attrsize(); 2779 len += nla_total_size(sizeof(struct xfrm_mark)); 2780 len += NLMSG_ALIGN(headlen); 2781 2782 skb = nlmsg_new(len, GFP_ATOMIC); 2783 if (skb == NULL) 2784 return -ENOMEM; 2785 2786 nlh = nlmsg_put(skb, c->pid, c->seq, c->event, headlen, 0); 2787 err = -EMSGSIZE; 2788 if (nlh == NULL) 2789 goto out_free_skb; 2790 2791 p = nlmsg_data(nlh); 2792 if (c->event == XFRM_MSG_DELPOLICY) { 2793 struct nlattr *attr; 2794 2795 id = nlmsg_data(nlh); 2796 memset(id, 0, sizeof(*id)); 2797 id->dir = dir; 2798 if (c->data.byid) 2799 id->index = xp->index; 2800 else 2801 memcpy(&id->sel, &xp->selector, sizeof(id->sel)); 2802 2803 attr = nla_reserve(skb, XFRMA_POLICY, sizeof(*p)); 2804 err = -EMSGSIZE; 2805 if (attr == NULL) 2806 goto out_free_skb; 2807 2808 p = nla_data(attr); 2809 } 2810 2811 copy_to_user_policy(xp, p, dir); 2812 err = copy_to_user_tmpl(xp, skb); 2813 if (!err) 2814 err = copy_to_user_policy_type(xp->type, skb); 2815 if (!err) 2816 err = xfrm_mark_put(skb, &xp->mark); 2817 if (err) 2818 goto out_free_skb; 2819 2820 nlmsg_end(skb, nlh); 2821 2822 return nlmsg_multicast(net->xfrm.nlsk, skb, 0, XFRMNLGRP_POLICY, GFP_ATOMIC); 2823 2824 out_free_skb: 2825 kfree_skb(skb); 2826 return err; 2827 } 2828 2829 static int xfrm_notify_policy_flush(const struct km_event *c) 2830 { 2831 struct net *net = c->net; 2832 struct nlmsghdr *nlh; 2833 struct sk_buff *skb; 2834 int err; 2835 2836 skb = nlmsg_new(userpolicy_type_attrsize(), GFP_ATOMIC); 2837 if (skb == NULL) 2838 return -ENOMEM; 2839 2840 nlh = nlmsg_put(skb, c->pid, c->seq, XFRM_MSG_FLUSHPOLICY, 0, 0); 2841 err = -EMSGSIZE; 2842 if (nlh == NULL) 2843 goto out_free_skb; 2844 err = copy_to_user_policy_type(c->data.type, skb); 2845 if (err) 2846 goto out_free_skb; 2847 2848 nlmsg_end(skb, nlh); 2849 2850 return nlmsg_multicast(net->xfrm.nlsk, skb, 0, XFRMNLGRP_POLICY, GFP_ATOMIC); 2851 2852 out_free_skb: 2853 kfree_skb(skb); 2854 return err; 2855 } 2856 2857 static int xfrm_send_policy_notify(struct xfrm_policy *xp, int dir, const struct km_event *c) 2858 { 2859 2860 switch (c->event) { 2861 case XFRM_MSG_NEWPOLICY: 2862 case XFRM_MSG_UPDPOLICY: 2863 case XFRM_MSG_DELPOLICY: 2864 return xfrm_notify_policy(xp, dir, c); 2865 case XFRM_MSG_FLUSHPOLICY: 2866 return xfrm_notify_policy_flush(c); 2867 case XFRM_MSG_POLEXPIRE: 2868 return xfrm_exp_policy_notify(xp, dir, c); 2869 default: 2870 printk(KERN_NOTICE "xfrm_user: Unknown Policy event %d\n", 2871 c->event); 2872 } 2873 2874 return 0; 2875 2876 } 2877 2878 static inline size_t xfrm_report_msgsize(void) 2879 { 2880 return NLMSG_ALIGN(sizeof(struct xfrm_user_report)); 2881 } 2882 2883 static int build_report(struct sk_buff *skb, u8 proto, 2884 struct xfrm_selector *sel, xfrm_address_t *addr) 2885 { 2886 struct xfrm_user_report *ur; 2887 struct nlmsghdr *nlh; 2888 2889 nlh = nlmsg_put(skb, 0, 0, XFRM_MSG_REPORT, sizeof(*ur), 0); 2890 if (nlh == NULL) 2891 return -EMSGSIZE; 2892 2893 ur = nlmsg_data(nlh); 2894 ur->proto = proto; 2895 memcpy(&ur->sel, sel, sizeof(ur->sel)); 2896 2897 if (addr) { 2898 int err = nla_put(skb, XFRMA_COADDR, sizeof(*addr), addr); 2899 if (err) { 2900 nlmsg_cancel(skb, nlh); 2901 return err; 2902 } 2903 } 2904 return nlmsg_end(skb, nlh); 2905 } 2906 2907 static int xfrm_send_report(struct net *net, u8 proto, 2908 struct xfrm_selector *sel, xfrm_address_t *addr) 2909 { 2910 struct sk_buff *skb; 2911 2912 skb = nlmsg_new(xfrm_report_msgsize(), GFP_ATOMIC); 2913 if (skb == NULL) 2914 return -ENOMEM; 2915 2916 if (build_report(skb, proto, sel, addr) < 0) 2917 BUG(); 2918 2919 return nlmsg_multicast(net->xfrm.nlsk, skb, 0, XFRMNLGRP_REPORT, GFP_ATOMIC); 2920 } 2921 2922 static inline size_t xfrm_mapping_msgsize(void) 2923 { 2924 return NLMSG_ALIGN(sizeof(struct xfrm_user_mapping)); 2925 } 2926 2927 static int build_mapping(struct sk_buff *skb, struct xfrm_state *x, 2928 xfrm_address_t *new_saddr, __be16 new_sport) 2929 { 2930 struct xfrm_user_mapping *um; 2931 struct nlmsghdr *nlh; 2932 2933 nlh = nlmsg_put(skb, 0, 0, XFRM_MSG_MAPPING, sizeof(*um), 0); 2934 if (nlh == NULL) 2935 return -EMSGSIZE; 2936 2937 um = nlmsg_data(nlh); 2938 2939 memcpy(&um->id.daddr, &x->id.daddr, sizeof(um->id.daddr)); 2940 um->id.spi = x->id.spi; 2941 um->id.family = x->props.family; 2942 um->id.proto = x->id.proto; 2943 memcpy(&um->new_saddr, new_saddr, sizeof(um->new_saddr)); 2944 memcpy(&um->old_saddr, &x->props.saddr, sizeof(um->old_saddr)); 2945 um->new_sport = new_sport; 2946 um->old_sport = x->encap->encap_sport; 2947 um->reqid = x->props.reqid; 2948 2949 return nlmsg_end(skb, nlh); 2950 } 2951 2952 static int xfrm_send_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, 2953 __be16 sport) 2954 { 2955 struct net *net = xs_net(x); 2956 struct sk_buff *skb; 2957 2958 if (x->id.proto != IPPROTO_ESP) 2959 return -EINVAL; 2960 2961 if (!x->encap) 2962 return -EINVAL; 2963 2964 skb = nlmsg_new(xfrm_mapping_msgsize(), GFP_ATOMIC); 2965 if (skb == NULL) 2966 return -ENOMEM; 2967 2968 if (build_mapping(skb, x, ipaddr, sport) < 0) 2969 BUG(); 2970 2971 return nlmsg_multicast(net->xfrm.nlsk, skb, 0, XFRMNLGRP_MAPPING, GFP_ATOMIC); 2972 } 2973 2974 static struct xfrm_mgr netlink_mgr = { 2975 .id = "netlink", 2976 .notify = xfrm_send_state_notify, 2977 .acquire = xfrm_send_acquire, 2978 .compile_policy = xfrm_compile_policy, 2979 .notify_policy = xfrm_send_policy_notify, 2980 .report = xfrm_send_report, 2981 .migrate = xfrm_send_migrate, 2982 .new_mapping = xfrm_send_mapping, 2983 }; 2984 2985 static int __net_init xfrm_user_net_init(struct net *net) 2986 { 2987 struct sock *nlsk; 2988 struct netlink_kernel_cfg cfg = { 2989 .groups = XFRMNLGRP_MAX, 2990 .input = xfrm_netlink_rcv, 2991 }; 2992 2993 nlsk = netlink_kernel_create(net, NETLINK_XFRM, THIS_MODULE, &cfg); 2994 if (nlsk == NULL) 2995 return -ENOMEM; 2996 net->xfrm.nlsk_stash = nlsk; /* Don't set to NULL */ 2997 rcu_assign_pointer(net->xfrm.nlsk, nlsk); 2998 return 0; 2999 } 3000 3001 static void __net_exit xfrm_user_net_exit(struct list_head *net_exit_list) 3002 { 3003 struct net *net; 3004 list_for_each_entry(net, net_exit_list, exit_list) 3005 RCU_INIT_POINTER(net->xfrm.nlsk, NULL); 3006 synchronize_net(); 3007 list_for_each_entry(net, net_exit_list, exit_list) 3008 netlink_kernel_release(net->xfrm.nlsk_stash); 3009 } 3010 3011 static struct pernet_operations xfrm_user_net_ops = { 3012 .init = xfrm_user_net_init, 3013 .exit_batch = xfrm_user_net_exit, 3014 }; 3015 3016 static int __init xfrm_user_init(void) 3017 { 3018 int rv; 3019 3020 printk(KERN_INFO "Initializing XFRM netlink socket\n"); 3021 3022 rv = register_pernet_subsys(&xfrm_user_net_ops); 3023 if (rv < 0) 3024 return rv; 3025 rv = xfrm_register_km(&netlink_mgr); 3026 if (rv < 0) 3027 unregister_pernet_subsys(&xfrm_user_net_ops); 3028 return rv; 3029 } 3030 3031 static void __exit xfrm_user_exit(void) 3032 { 3033 xfrm_unregister_km(&netlink_mgr); 3034 unregister_pernet_subsys(&xfrm_user_net_ops); 3035 } 3036 3037 module_init(xfrm_user_init); 3038 module_exit(xfrm_user_exit); 3039 MODULE_LICENSE("GPL"); 3040 MODULE_ALIAS_NET_PF_PROTO(PF_NETLINK, NETLINK_XFRM); 3041 3042