]> git.proxmox.com Git - mirror_ubuntu-artful-kernel.git/blame_incremental - net/xfrm/xfrm_state.c
projects / mirror_ubuntu-artful-kernel.git / blame_incremental
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (non-incremental) | history | HEAD
netns xfrm: propagate netns into bydst/bysrc/byspi hash functions
[mirror_ubuntu-artful-kernel.git] / net / xfrm / xfrm_state.c
... / ...
CommitLineData
1/*
2 * xfrm_state.c
3 *
4 * Changes:
5 * Mitsuru KANDA @USAGI
6 * Kazunori MIYAZAWA @USAGI
7 * Kunihiro Ishiguro <kunihiro@ipinfusion.com>
8 * IPv6 support
9 * YOSHIFUJI Hideaki @USAGI
10 * Split up af-specific functions
11 * Derek Atkins <derek@ihtfp.com>
12 * Add UDP Encapsulation
13 *
14 */
15
16#include <linux/workqueue.h>
17#include <net/xfrm.h>
18#include <linux/pfkeyv2.h>
19#include <linux/ipsec.h>
20#include <linux/module.h>
21#include <linux/cache.h>
22#include <linux/audit.h>
23#include <asm/uaccess.h>
24
25#include "xfrm_hash.h"
26
27struct sock *xfrm_nl;
28EXPORT_SYMBOL(xfrm_nl);
29
30u32 sysctl_xfrm_aevent_etime __read_mostly = XFRM_AE_ETIME;
31EXPORT_SYMBOL(sysctl_xfrm_aevent_etime);
32
33u32 sysctl_xfrm_aevent_rseqth __read_mostly = XFRM_AE_SEQT_SIZE;
34EXPORT_SYMBOL(sysctl_xfrm_aevent_rseqth);
35
36u32 sysctl_xfrm_acq_expires __read_mostly = 30;
37
38/* Each xfrm_state may be linked to two tables:
39
40 1. Hash table by (spi,daddr,ah/esp) to find SA by SPI. (input,ctl)
41 2. Hash table by (daddr,family,reqid) to find what SAs exist for given
42 destination/tunnel endpoint. (output)
43 */
44
45static DEFINE_SPINLOCK(xfrm_state_lock);
46
47static unsigned int xfrm_state_hashmax __read_mostly = 1 * 1024 * 1024;
48static unsigned int xfrm_state_genid;
49
50static struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned int family);
51static void xfrm_state_put_afinfo(struct xfrm_state_afinfo *afinfo);
52
53#ifdef CONFIG_AUDITSYSCALL
54static void xfrm_audit_state_replay(struct xfrm_state *x,
55 struct sk_buff *skb, __be32 net_seq);
56#else
57#define xfrm_audit_state_replay(x, s, sq) do { ; } while (0)
58#endif /* CONFIG_AUDITSYSCALL */
59
60static inline unsigned int xfrm_dst_hash(struct net *net,
61 xfrm_address_t *daddr,
62 xfrm_address_t *saddr,
63 u32 reqid,
64 unsigned short family)
65{
66 return __xfrm_dst_hash(daddr, saddr, reqid, family, net->xfrm.state_hmask);
67}
68
69static inline unsigned int xfrm_src_hash(struct net *net,
70 xfrm_address_t *daddr,
71 xfrm_address_t *saddr,
72 unsigned short family)
73{
74 return __xfrm_src_hash(daddr, saddr, family, net->xfrm.state_hmask);
75}
76
77static inline unsigned int
78xfrm_spi_hash(struct net *net, xfrm_address_t *daddr, __be32 spi, u8 proto, unsigned short family)
79{
80 return __xfrm_spi_hash(daddr, spi, proto, family, net->xfrm.state_hmask);
81}
82
83static void xfrm_hash_transfer(struct hlist_head *list,
84 struct hlist_head *ndsttable,
85 struct hlist_head *nsrctable,
86 struct hlist_head *nspitable,
87 unsigned int nhashmask)
88{
89 struct hlist_node *entry, *tmp;
90 struct xfrm_state *x;
91
92 hlist_for_each_entry_safe(x, entry, tmp, list, bydst) {
93 unsigned int h;
94
95 h = __xfrm_dst_hash(&x->id.daddr, &x->props.saddr,
96 x->props.reqid, x->props.family,
97 nhashmask);
98 hlist_add_head(&x->bydst, ndsttable+h);
99
100 h = __xfrm_src_hash(&x->id.daddr, &x->props.saddr,
101 x->props.family,
102 nhashmask);
103 hlist_add_head(&x->bysrc, nsrctable+h);
104
105 if (x->id.spi) {
106 h = __xfrm_spi_hash(&x->id.daddr, x->id.spi,
107 x->id.proto, x->props.family,
108 nhashmask);
109 hlist_add_head(&x->byspi, nspitable+h);
110 }
111 }
112}
113
114static unsigned long xfrm_hash_new_size(unsigned int state_hmask)
115{
116 return ((state_hmask + 1) << 1) * sizeof(struct hlist_head);
117}
118
119static DEFINE_MUTEX(hash_resize_mutex);
120
121static void xfrm_hash_resize(struct work_struct *work)
122{
123 struct net *net = container_of(work, struct net, xfrm.state_hash_work);
124 struct hlist_head *ndst, *nsrc, *nspi, *odst, *osrc, *ospi;
125 unsigned long nsize, osize;
126 unsigned int nhashmask, ohashmask;
127 int i;
128
129 mutex_lock(&hash_resize_mutex);
130
131 nsize = xfrm_hash_new_size(net->xfrm.state_hmask);
132 ndst = xfrm_hash_alloc(nsize);
133 if (!ndst)
134 goto out_unlock;
135 nsrc = xfrm_hash_alloc(nsize);
136 if (!nsrc) {
137 xfrm_hash_free(ndst, nsize);
138 goto out_unlock;
139 }
140 nspi = xfrm_hash_alloc(nsize);
141 if (!nspi) {
142 xfrm_hash_free(ndst, nsize);
143 xfrm_hash_free(nsrc, nsize);
144 goto out_unlock;
145 }
146
147 spin_lock_bh(&xfrm_state_lock);
148
149 nhashmask = (nsize / sizeof(struct hlist_head)) - 1U;
150 for (i = net->xfrm.state_hmask; i >= 0; i--)
151 xfrm_hash_transfer(net->xfrm.state_bydst+i, ndst, nsrc, nspi,
152 nhashmask);
153
154 odst = net->xfrm.state_bydst;
155 osrc = net->xfrm.state_bysrc;
156 ospi = net->xfrm.state_byspi;
157 ohashmask = net->xfrm.state_hmask;
158
159 net->xfrm.state_bydst = ndst;
160 net->xfrm.state_bysrc = nsrc;
161 net->xfrm.state_byspi = nspi;
162 net->xfrm.state_hmask = nhashmask;
163
164 spin_unlock_bh(&xfrm_state_lock);
165
166 osize = (ohashmask + 1) * sizeof(struct hlist_head);
167 xfrm_hash_free(odst, osize);
168 xfrm_hash_free(osrc, osize);
169 xfrm_hash_free(ospi, osize);
170
171out_unlock:
172 mutex_unlock(&hash_resize_mutex);
173}
174
175static DEFINE_RWLOCK(xfrm_state_afinfo_lock);
176static struct xfrm_state_afinfo *xfrm_state_afinfo[NPROTO];
177
178static DEFINE_SPINLOCK(xfrm_state_gc_lock);
179
180int __xfrm_state_delete(struct xfrm_state *x);
181
182int km_query(struct xfrm_state *x, struct xfrm_tmpl *t, struct xfrm_policy *pol);
183void km_state_expired(struct xfrm_state *x, int hard, u32 pid);
184
185static struct xfrm_state_afinfo *xfrm_state_lock_afinfo(unsigned int family)
186{
187 struct xfrm_state_afinfo *afinfo;
188 if (unlikely(family >= NPROTO))
189 return NULL;
190 write_lock_bh(&xfrm_state_afinfo_lock);
191 afinfo = xfrm_state_afinfo[family];
192 if (unlikely(!afinfo))
193 write_unlock_bh(&xfrm_state_afinfo_lock);
194 return afinfo;
195}
196
197static void xfrm_state_unlock_afinfo(struct xfrm_state_afinfo *afinfo)
198 __releases(xfrm_state_afinfo_lock)
199{
200 write_unlock_bh(&xfrm_state_afinfo_lock);
201}
202
203int xfrm_register_type(const struct xfrm_type *type, unsigned short family)
204{
205 struct xfrm_state_afinfo *afinfo = xfrm_state_lock_afinfo(family);
206 const struct xfrm_type **typemap;
207 int err = 0;
208
209 if (unlikely(afinfo == NULL))
210 return -EAFNOSUPPORT;
211 typemap = afinfo->type_map;
212
213 if (likely(typemap[type->proto] == NULL))
214 typemap[type->proto] = type;
215 else
216 err = -EEXIST;
217 xfrm_state_unlock_afinfo(afinfo);
218 return err;
219}
220EXPORT_SYMBOL(xfrm_register_type);
221
222int xfrm_unregister_type(const struct xfrm_type *type, unsigned short family)
223{
224 struct xfrm_state_afinfo *afinfo = xfrm_state_lock_afinfo(family);
225 const struct xfrm_type **typemap;
226 int err = 0;
227
228 if (unlikely(afinfo == NULL))
229 return -EAFNOSUPPORT;
230 typemap = afinfo->type_map;
231
232 if (unlikely(typemap[type->proto] != type))
233 err = -ENOENT;
234 else
235 typemap[type->proto] = NULL;
236 xfrm_state_unlock_afinfo(afinfo);
237 return err;
238}
239EXPORT_SYMBOL(xfrm_unregister_type);
240
241static const struct xfrm_type *xfrm_get_type(u8 proto, unsigned short family)
242{
243 struct xfrm_state_afinfo *afinfo;
244 const struct xfrm_type **typemap;
245 const struct xfrm_type *type;
246 int modload_attempted = 0;
247
248retry:
249 afinfo = xfrm_state_get_afinfo(family);
250 if (unlikely(afinfo == NULL))
251 return NULL;
252 typemap = afinfo->type_map;
253
254 type = typemap[proto];
255 if (unlikely(type && !try_module_get(type->owner)))
256 type = NULL;
257 if (!type && !modload_attempted) {
258 xfrm_state_put_afinfo(afinfo);
259 request_module("xfrm-type-%d-%d", family, proto);
260 modload_attempted = 1;
261 goto retry;
262 }
263
264 xfrm_state_put_afinfo(afinfo);
265 return type;
266}
267
268static void xfrm_put_type(const struct xfrm_type *type)
269{
270 module_put(type->owner);
271}
272
273int xfrm_register_mode(struct xfrm_mode *mode, int family)
274{
275 struct xfrm_state_afinfo *afinfo;
276 struct xfrm_mode **modemap;
277 int err;
278
279 if (unlikely(mode->encap >= XFRM_MODE_MAX))
280 return -EINVAL;
281
282 afinfo = xfrm_state_lock_afinfo(family);
283 if (unlikely(afinfo == NULL))
284 return -EAFNOSUPPORT;
285
286 err = -EEXIST;
287 modemap = afinfo->mode_map;
288 if (modemap[mode->encap])
289 goto out;
290
291 err = -ENOENT;
292 if (!try_module_get(afinfo->owner))
293 goto out;
294
295 mode->afinfo = afinfo;
296 modemap[mode->encap] = mode;
297 err = 0;
298
299out:
300 xfrm_state_unlock_afinfo(afinfo);
301 return err;
302}
303EXPORT_SYMBOL(xfrm_register_mode);
304
305int xfrm_unregister_mode(struct xfrm_mode *mode, int family)
306{
307 struct xfrm_state_afinfo *afinfo;
308 struct xfrm_mode **modemap;
309 int err;
310
311 if (unlikely(mode->encap >= XFRM_MODE_MAX))
312 return -EINVAL;
313
314 afinfo = xfrm_state_lock_afinfo(family);
315 if (unlikely(afinfo == NULL))
316 return -EAFNOSUPPORT;
317
318 err = -ENOENT;
319 modemap = afinfo->mode_map;
320 if (likely(modemap[mode->encap] == mode)) {
321 modemap[mode->encap] = NULL;
322 module_put(mode->afinfo->owner);
323 err = 0;
324 }
325
326 xfrm_state_unlock_afinfo(afinfo);
327 return err;
328}
329EXPORT_SYMBOL(xfrm_unregister_mode);
330
331static struct xfrm_mode *xfrm_get_mode(unsigned int encap, int family)
332{
333 struct xfrm_state_afinfo *afinfo;
334 struct xfrm_mode *mode;
335 int modload_attempted = 0;
336
337 if (unlikely(encap >= XFRM_MODE_MAX))
338 return NULL;
339
340retry:
341 afinfo = xfrm_state_get_afinfo(family);
342 if (unlikely(afinfo == NULL))
343 return NULL;
344
345 mode = afinfo->mode_map[encap];
346 if (unlikely(mode && !try_module_get(mode->owner)))
347 mode = NULL;
348 if (!mode && !modload_attempted) {
349 xfrm_state_put_afinfo(afinfo);
350 request_module("xfrm-mode-%d-%d", family, encap);
351 modload_attempted = 1;
352 goto retry;
353 }
354
355 xfrm_state_put_afinfo(afinfo);
356 return mode;
357}
358
359static void xfrm_put_mode(struct xfrm_mode *mode)
360{
361 module_put(mode->owner);
362}
363
364static void xfrm_state_gc_destroy(struct xfrm_state *x)
365{
366 del_timer_sync(&x->timer);
367 del_timer_sync(&x->rtimer);
368 kfree(x->aalg);
369 kfree(x->ealg);
370 kfree(x->calg);
371 kfree(x->encap);
372 kfree(x->coaddr);
373 if (x->inner_mode)
374 xfrm_put_mode(x->inner_mode);
375 if (x->inner_mode_iaf)
376 xfrm_put_mode(x->inner_mode_iaf);
377 if (x->outer_mode)
378 xfrm_put_mode(x->outer_mode);
379 if (x->type) {
380 x->type->destructor(x);
381 xfrm_put_type(x->type);
382 }
383 security_xfrm_state_free(x);
384 kfree(x);
385}
386
387static void xfrm_state_gc_task(struct work_struct *work)
388{
389 struct net *net = container_of(work, struct net, xfrm.state_gc_work);
390 struct xfrm_state *x;
391 struct hlist_node *entry, *tmp;
392 struct hlist_head gc_list;
393
394 spin_lock_bh(&xfrm_state_gc_lock);
395 hlist_move_list(&net->xfrm.state_gc_list, &gc_list);
396 spin_unlock_bh(&xfrm_state_gc_lock);
397
398 hlist_for_each_entry_safe(x, entry, tmp, &gc_list, gclist)
399 xfrm_state_gc_destroy(x);
400
401 wake_up(&net->xfrm.km_waitq);
402}
403
404static inline unsigned long make_jiffies(long secs)
405{
406 if (secs >= (MAX_SCHEDULE_TIMEOUT-1)/HZ)
407 return MAX_SCHEDULE_TIMEOUT-1;
408 else
409 return secs*HZ;
410}
411
412static void xfrm_timer_handler(unsigned long data)
413{
414 struct xfrm_state *x = (struct xfrm_state*)data;
415 unsigned long now = get_seconds();
416 long next = LONG_MAX;
417 int warn = 0;
418 int err = 0;
419
420 spin_lock(&x->lock);
421 if (x->km.state == XFRM_STATE_DEAD)
422 goto out;
423 if (x->km.state == XFRM_STATE_EXPIRED)
424 goto expired;
425 if (x->lft.hard_add_expires_seconds) {
426 long tmo = x->lft.hard_add_expires_seconds +
427 x->curlft.add_time - now;
428 if (tmo <= 0)
429 goto expired;
430 if (tmo < next)
431 next = tmo;
432 }
433 if (x->lft.hard_use_expires_seconds) {
434 long tmo = x->lft.hard_use_expires_seconds +
435 (x->curlft.use_time ? : now) - now;
436 if (tmo <= 0)
437 goto expired;
438 if (tmo < next)
439 next = tmo;
440 }
441 if (x->km.dying)
442 goto resched;
443 if (x->lft.soft_add_expires_seconds) {
444 long tmo = x->lft.soft_add_expires_seconds +
445 x->curlft.add_time - now;
446 if (tmo <= 0)
447 warn = 1;
448 else if (tmo < next)
449 next = tmo;
450 }
451 if (x->lft.soft_use_expires_seconds) {
452 long tmo = x->lft.soft_use_expires_seconds +
453 (x->curlft.use_time ? : now) - now;
454 if (tmo <= 0)
455 warn = 1;
456 else if (tmo < next)
457 next = tmo;
458 }
459
460 x->km.dying = warn;
461 if (warn)
462 km_state_expired(x, 0, 0);
463resched:
464 if (next != LONG_MAX)
465 mod_timer(&x->timer, jiffies + make_jiffies(next));
466
467 goto out;
468
469expired:
470 if (x->km.state == XFRM_STATE_ACQ && x->id.spi == 0) {
471 x->km.state = XFRM_STATE_EXPIRED;
472 wake_up(&init_net.xfrm.km_waitq);
473 next = 2;
474 goto resched;
475 }
476
477 err = __xfrm_state_delete(x);
478 if (!err && x->id.spi)
479 km_state_expired(x, 1, 0);
480
481 xfrm_audit_state_delete(x, err ? 0 : 1,
482 audit_get_loginuid(current),
483 audit_get_sessionid(current), 0);
484
485out:
486 spin_unlock(&x->lock);
487}
488
489static void xfrm_replay_timer_handler(unsigned long data);
490
491struct xfrm_state *xfrm_state_alloc(struct net *net)
492{
493 struct xfrm_state *x;
494
495 x = kzalloc(sizeof(struct xfrm_state), GFP_ATOMIC);
496
497 if (x) {
498 write_pnet(&x->xs_net, net);
499 atomic_set(&x->refcnt, 1);
500 atomic_set(&x->tunnel_users, 0);
501 INIT_LIST_HEAD(&x->km.all);
502 INIT_HLIST_NODE(&x->bydst);
503 INIT_HLIST_NODE(&x->bysrc);
504 INIT_HLIST_NODE(&x->byspi);
505 setup_timer(&x->timer, xfrm_timer_handler, (unsigned long)x);
506 setup_timer(&x->rtimer, xfrm_replay_timer_handler,
507 (unsigned long)x);
508 x->curlft.add_time = get_seconds();
509 x->lft.soft_byte_limit = XFRM_INF;
510 x->lft.soft_packet_limit = XFRM_INF;
511 x->lft.hard_byte_limit = XFRM_INF;
512 x->lft.hard_packet_limit = XFRM_INF;
513 x->replay_maxage = 0;
514 x->replay_maxdiff = 0;
515 x->inner_mode = NULL;
516 x->inner_mode_iaf = NULL;
517 spin_lock_init(&x->lock);
518 }
519 return x;
520}
521EXPORT_SYMBOL(xfrm_state_alloc);
522
523void __xfrm_state_destroy(struct xfrm_state *x)
524{
525 WARN_ON(x->km.state != XFRM_STATE_DEAD);
526
527 spin_lock_bh(&xfrm_state_gc_lock);
528 hlist_add_head(&x->gclist, &init_net.xfrm.state_gc_list);
529 spin_unlock_bh(&xfrm_state_gc_lock);
530 schedule_work(&init_net.xfrm.state_gc_work);
531}
532EXPORT_SYMBOL(__xfrm_state_destroy);
533
534int __xfrm_state_delete(struct xfrm_state *x)
535{
536 int err = -ESRCH;
537
538 if (x->km.state != XFRM_STATE_DEAD) {
539 x->km.state = XFRM_STATE_DEAD;
540 spin_lock(&xfrm_state_lock);
541 list_del(&x->km.all);
542 hlist_del(&x->bydst);
543 hlist_del(&x->bysrc);
544 if (x->id.spi)
545 hlist_del(&x->byspi);
546 init_net.xfrm.state_num--;
547 spin_unlock(&xfrm_state_lock);
548
549 /* All xfrm_state objects are created by xfrm_state_alloc.
550 * The xfrm_state_alloc call gives a reference, and that
551 * is what we are dropping here.
552 */
553 xfrm_state_put(x);
554 err = 0;
555 }
556
557 return err;
558}
559EXPORT_SYMBOL(__xfrm_state_delete);
560
561int xfrm_state_delete(struct xfrm_state *x)
562{
563 int err;
564
565 spin_lock_bh(&x->lock);
566 err = __xfrm_state_delete(x);
567 spin_unlock_bh(&x->lock);
568
569 return err;
570}
571EXPORT_SYMBOL(xfrm_state_delete);
572
573#ifdef CONFIG_SECURITY_NETWORK_XFRM
574static inline int
575xfrm_state_flush_secctx_check(u8 proto, struct xfrm_audit *audit_info)
576{
577 int i, err = 0;
578
579 for (i = 0; i <= init_net.xfrm.state_hmask; i++) {
580 struct hlist_node *entry;
581 struct xfrm_state *x;
582
583 hlist_for_each_entry(x, entry, init_net.xfrm.state_bydst+i, bydst) {
584 if (xfrm_id_proto_match(x->id.proto, proto) &&
585 (err = security_xfrm_state_delete(x)) != 0) {
586 xfrm_audit_state_delete(x, 0,
587 audit_info->loginuid,
588 audit_info->sessionid,
589 audit_info->secid);
590 return err;
591 }
592 }
593 }
594
595 return err;
596}
597#else
598static inline int
599xfrm_state_flush_secctx_check(u8 proto, struct xfrm_audit *audit_info)
600{
601 return 0;
602}
603#endif
604
605int xfrm_state_flush(u8 proto, struct xfrm_audit *audit_info)
606{
607 int i, err = 0;
608
609 spin_lock_bh(&xfrm_state_lock);
610 err = xfrm_state_flush_secctx_check(proto, audit_info);
611 if (err)
612 goto out;
613
614 for (i = 0; i <= init_net.xfrm.state_hmask; i++) {
615 struct hlist_node *entry;
616 struct xfrm_state *x;
617restart:
618 hlist_for_each_entry(x, entry, init_net.xfrm.state_bydst+i, bydst) {
619 if (!xfrm_state_kern(x) &&
620 xfrm_id_proto_match(x->id.proto, proto)) {
621 xfrm_state_hold(x);
622 spin_unlock_bh(&xfrm_state_lock);
623
624 err = xfrm_state_delete(x);
625 xfrm_audit_state_delete(x, err ? 0 : 1,
626 audit_info->loginuid,
627 audit_info->sessionid,
628 audit_info->secid);
629 xfrm_state_put(x);
630
631 spin_lock_bh(&xfrm_state_lock);
632 goto restart;
633 }
634 }
635 }
636 err = 0;
637
638out:
639 spin_unlock_bh(&xfrm_state_lock);
640 wake_up(&init_net.xfrm.km_waitq);
641 return err;
642}
643EXPORT_SYMBOL(xfrm_state_flush);
644
645void xfrm_sad_getinfo(struct xfrmk_sadinfo *si)
646{
647 spin_lock_bh(&xfrm_state_lock);
648 si->sadcnt = init_net.xfrm.state_num;
649 si->sadhcnt = init_net.xfrm.state_hmask;
650 si->sadhmcnt = xfrm_state_hashmax;
651 spin_unlock_bh(&xfrm_state_lock);
652}
653EXPORT_SYMBOL(xfrm_sad_getinfo);
654
655static int
656xfrm_init_tempsel(struct xfrm_state *x, struct flowi *fl,
657 struct xfrm_tmpl *tmpl,
658 xfrm_address_t *daddr, xfrm_address_t *saddr,
659 unsigned short family)
660{
661 struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family);
662 if (!afinfo)
663 return -1;
664 afinfo->init_tempsel(x, fl, tmpl, daddr, saddr);
665 xfrm_state_put_afinfo(afinfo);
666 return 0;
667}
668
669static struct xfrm_state *__xfrm_state_lookup(xfrm_address_t *daddr, __be32 spi, u8 proto, unsigned short family)
670{
671 unsigned int h = xfrm_spi_hash(&init_net, daddr, spi, proto, family);
672 struct xfrm_state *x;
673 struct hlist_node *entry;
674
675 hlist_for_each_entry(x, entry, init_net.xfrm.state_byspi+h, byspi) {
676 if (x->props.family != family ||
677 x->id.spi != spi ||
678 x->id.proto != proto)
679 continue;
680
681 switch (family) {
682 case AF_INET:
683 if (x->id.daddr.a4 != daddr->a4)
684 continue;
685 break;
686 case AF_INET6:
687 if (!ipv6_addr_equal((struct in6_addr *)daddr,
688 (struct in6_addr *)
689 x->id.daddr.a6))
690 continue;
691 break;
692 }
693
694 xfrm_state_hold(x);
695 return x;
696 }
697
698 return NULL;
699}
700
701static struct xfrm_state *__xfrm_state_lookup_byaddr(xfrm_address_t *daddr, xfrm_address_t *saddr, u8 proto, unsigned short family)
702{
703 unsigned int h = xfrm_src_hash(&init_net, daddr, saddr, family);
704 struct xfrm_state *x;
705 struct hlist_node *entry;
706
707 hlist_for_each_entry(x, entry, init_net.xfrm.state_bysrc+h, bysrc) {
708 if (x->props.family != family ||
709 x->id.proto != proto)
710 continue;
711
712 switch (family) {
713 case AF_INET:
714 if (x->id.daddr.a4 != daddr->a4 ||
715 x->props.saddr.a4 != saddr->a4)
716 continue;
717 break;
718 case AF_INET6:
719 if (!ipv6_addr_equal((struct in6_addr *)daddr,
720 (struct in6_addr *)
721 x->id.daddr.a6) ||
722 !ipv6_addr_equal((struct in6_addr *)saddr,
723 (struct in6_addr *)
724 x->props.saddr.a6))
725 continue;
726 break;
727 }
728
729 xfrm_state_hold(x);
730 return x;
731 }
732
733 return NULL;
734}
735
736static inline struct xfrm_state *
737__xfrm_state_locate(struct xfrm_state *x, int use_spi, int family)
738{
739 if (use_spi)
740 return __xfrm_state_lookup(&x->id.daddr, x->id.spi,
741 x->id.proto, family);
742 else
743 return __xfrm_state_lookup_byaddr(&x->id.daddr,
744 &x->props.saddr,
745 x->id.proto, family);
746}
747
748static void xfrm_hash_grow_check(int have_hash_collision)
749{
750 if (have_hash_collision &&
751 (init_net.xfrm.state_hmask + 1) < xfrm_state_hashmax &&
752 init_net.xfrm.state_num > init_net.xfrm.state_hmask)
753 schedule_work(&init_net.xfrm.state_hash_work);
754}
755
756struct xfrm_state *
757xfrm_state_find(xfrm_address_t *daddr, xfrm_address_t *saddr,
758 struct flowi *fl, struct xfrm_tmpl *tmpl,
759 struct xfrm_policy *pol, int *err,
760 unsigned short family)
761{
762 unsigned int h;
763 struct hlist_node *entry;
764 struct xfrm_state *x, *x0, *to_put;
765 int acquire_in_progress = 0;
766 int error = 0;
767 struct xfrm_state *best = NULL;
768
769 to_put = NULL;
770
771 spin_lock_bh(&xfrm_state_lock);
772 h = xfrm_dst_hash(&init_net, daddr, saddr, tmpl->reqid, family);
773 hlist_for_each_entry(x, entry, init_net.xfrm.state_bydst+h, bydst) {
774 if (x->props.family == family &&
775 x->props.reqid == tmpl->reqid &&
776 !(x->props.flags & XFRM_STATE_WILDRECV) &&
777 xfrm_state_addr_check(x, daddr, saddr, family) &&
778 tmpl->mode == x->props.mode &&
779 tmpl->id.proto == x->id.proto &&
780 (tmpl->id.spi == x->id.spi || !tmpl->id.spi)) {
781 /* Resolution logic:
782 1. There is a valid state with matching selector.
783 Done.
784 2. Valid state with inappropriate selector. Skip.
785
786 Entering area of "sysdeps".
787
788 3. If state is not valid, selector is temporary,
789 it selects only session which triggered
790 previous resolution. Key manager will do
791 something to install a state with proper
792 selector.
793 */
794 if (x->km.state == XFRM_STATE_VALID) {
795 if ((x->sel.family && !xfrm_selector_match(&x->sel, fl, x->sel.family)) ||
796 !security_xfrm_state_pol_flow_match(x, pol, fl))
797 continue;
798 if (!best ||
799 best->km.dying > x->km.dying ||
800 (best->km.dying == x->km.dying &&
801 best->curlft.add_time < x->curlft.add_time))
802 best = x;
803 } else if (x->km.state == XFRM_STATE_ACQ) {
804 acquire_in_progress = 1;
805 } else if (x->km.state == XFRM_STATE_ERROR ||
806 x->km.state == XFRM_STATE_EXPIRED) {
807 if (xfrm_selector_match(&x->sel, fl, x->sel.family) &&
808 security_xfrm_state_pol_flow_match(x, pol, fl))
809 error = -ESRCH;
810 }
811 }
812 }
813
814 x = best;
815 if (!x && !error && !acquire_in_progress) {
816 if (tmpl->id.spi &&
817 (x0 = __xfrm_state_lookup(daddr, tmpl->id.spi,
818 tmpl->id.proto, family)) != NULL) {
819 to_put = x0;
820 error = -EEXIST;
821 goto out;
822 }
823 x = xfrm_state_alloc(&init_net);
824 if (x == NULL) {
825 error = -ENOMEM;
826 goto out;
827 }
828 /* Initialize temporary selector matching only
829 * to current session. */
830 xfrm_init_tempsel(x, fl, tmpl, daddr, saddr, family);
831
832 error = security_xfrm_state_alloc_acquire(x, pol->security, fl->secid);
833 if (error) {
834 x->km.state = XFRM_STATE_DEAD;
835 to_put = x;
836 x = NULL;
837 goto out;
838 }
839
840 if (km_query(x, tmpl, pol) == 0) {
841 x->km.state = XFRM_STATE_ACQ;
842 list_add(&x->km.all, &init_net.xfrm.state_all);
843 hlist_add_head(&x->bydst, init_net.xfrm.state_bydst+h);
844 h = xfrm_src_hash(&init_net, daddr, saddr, family);
845 hlist_add_head(&x->bysrc, init_net.xfrm.state_bysrc+h);
846 if (x->id.spi) {
847 h = xfrm_spi_hash(&init_net, &x->id.daddr, x->id.spi, x->id.proto, family);
848 hlist_add_head(&x->byspi, init_net.xfrm.state_byspi+h);
849 }
850 x->lft.hard_add_expires_seconds = sysctl_xfrm_acq_expires;
851 x->timer.expires = jiffies + sysctl_xfrm_acq_expires*HZ;
852 add_timer(&x->timer);
853 init_net.xfrm.state_num++;
854 xfrm_hash_grow_check(x->bydst.next != NULL);
855 } else {
856 x->km.state = XFRM_STATE_DEAD;
857 to_put = x;
858 x = NULL;
859 error = -ESRCH;
860 }
861 }
862out:
863 if (x)
864 xfrm_state_hold(x);
865 else
866 *err = acquire_in_progress ? -EAGAIN : error;
867 spin_unlock_bh(&xfrm_state_lock);
868 if (to_put)
869 xfrm_state_put(to_put);
870 return x;
871}
872
873struct xfrm_state *
874xfrm_stateonly_find(xfrm_address_t *daddr, xfrm_address_t *saddr,
875 unsigned short family, u8 mode, u8 proto, u32 reqid)
876{
877 unsigned int h;
878 struct xfrm_state *rx = NULL, *x = NULL;
879 struct hlist_node *entry;
880
881 spin_lock(&xfrm_state_lock);
882 h = xfrm_dst_hash(&init_net, daddr, saddr, reqid, family);
883 hlist_for_each_entry(x, entry, init_net.xfrm.state_bydst+h, bydst) {
884 if (x->props.family == family &&
885 x->props.reqid == reqid &&
886 !(x->props.flags & XFRM_STATE_WILDRECV) &&
887 xfrm_state_addr_check(x, daddr, saddr, family) &&
888 mode == x->props.mode &&
889 proto == x->id.proto &&
890 x->km.state == XFRM_STATE_VALID) {
891 rx = x;
892 break;
893 }
894 }
895
896 if (rx)
897 xfrm_state_hold(rx);
898 spin_unlock(&xfrm_state_lock);
899
900
901 return rx;
902}
903EXPORT_SYMBOL(xfrm_stateonly_find);
904
905static void __xfrm_state_insert(struct xfrm_state *x)
906{
907 unsigned int h;
908
909 x->genid = ++xfrm_state_genid;
910
911 list_add(&x->km.all, &init_net.xfrm.state_all);
912
913 h = xfrm_dst_hash(&init_net, &x->id.daddr, &x->props.saddr,
914 x->props.reqid, x->props.family);
915 hlist_add_head(&x->bydst, init_net.xfrm.state_bydst+h);
916
917 h = xfrm_src_hash(&init_net, &x->id.daddr, &x->props.saddr, x->props.family);
918 hlist_add_head(&x->bysrc, init_net.xfrm.state_bysrc+h);
919
920 if (x->id.spi) {
921 h = xfrm_spi_hash(&init_net, &x->id.daddr, x->id.spi, x->id.proto,
922 x->props.family);
923
924 hlist_add_head(&x->byspi, init_net.xfrm.state_byspi+h);
925 }
926
927 mod_timer(&x->timer, jiffies + HZ);
928 if (x->replay_maxage)
929 mod_timer(&x->rtimer, jiffies + x->replay_maxage);
930
931 wake_up(&init_net.xfrm.km_waitq);
932
933 init_net.xfrm.state_num++;
934
935 xfrm_hash_grow_check(x->bydst.next != NULL);
936}
937
938/* xfrm_state_lock is held */
939static void __xfrm_state_bump_genids(struct xfrm_state *xnew)
940{
941 unsigned short family = xnew->props.family;
942 u32 reqid = xnew->props.reqid;
943 struct xfrm_state *x;
944 struct hlist_node *entry;
945 unsigned int h;
946
947 h = xfrm_dst_hash(&init_net, &xnew->id.daddr, &xnew->props.saddr, reqid, family);
948 hlist_for_each_entry(x, entry, init_net.xfrm.state_bydst+h, bydst) {
949 if (x->props.family == family &&
950 x->props.reqid == reqid &&
951 !xfrm_addr_cmp(&x->id.daddr, &xnew->id.daddr, family) &&
952 !xfrm_addr_cmp(&x->props.saddr, &xnew->props.saddr, family))
953 x->genid = xfrm_state_genid;
954 }
955}
956
957void xfrm_state_insert(struct xfrm_state *x)
958{
959 spin_lock_bh(&xfrm_state_lock);
960 __xfrm_state_bump_genids(x);
961 __xfrm_state_insert(x);
962 spin_unlock_bh(&xfrm_state_lock);
963}
964EXPORT_SYMBOL(xfrm_state_insert);
965
966/* xfrm_state_lock is held */
967static struct xfrm_state *__find_acq_core(unsigned short family, u8 mode, u32 reqid, u8 proto, xfrm_address_t *daddr, xfrm_address_t *saddr, int create)
968{
969 unsigned int h = xfrm_dst_hash(&init_net, daddr, saddr, reqid, family);
970 struct hlist_node *entry;
971 struct xfrm_state *x;
972
973 hlist_for_each_entry(x, entry, init_net.xfrm.state_bydst+h, bydst) {
974 if (x->props.reqid != reqid ||
975 x->props.mode != mode ||
976 x->props.family != family ||
977 x->km.state != XFRM_STATE_ACQ ||
978 x->id.spi != 0 ||
979 x->id.proto != proto)
980 continue;
981
982 switch (family) {
983 case AF_INET:
984 if (x->id.daddr.a4 != daddr->a4 ||
985 x->props.saddr.a4 != saddr->a4)
986 continue;
987 break;
988 case AF_INET6:
989 if (!ipv6_addr_equal((struct in6_addr *)x->id.daddr.a6,
990 (struct in6_addr *)daddr) ||
991 !ipv6_addr_equal((struct in6_addr *)
992 x->props.saddr.a6,
993 (struct in6_addr *)saddr))
994 continue;
995 break;
996 }
997
998 xfrm_state_hold(x);
999 return x;
1000 }
1001
1002 if (!create)
1003 return NULL;
1004
1005 x = xfrm_state_alloc(&init_net);
1006 if (likely(x)) {
1007 switch (family) {
1008 case AF_INET:
1009 x->sel.daddr.a4 = daddr->a4;
1010 x->sel.saddr.a4 = saddr->a4;
1011 x->sel.prefixlen_d = 32;
1012 x->sel.prefixlen_s = 32;
1013 x->props.saddr.a4 = saddr->a4;
1014 x->id.daddr.a4 = daddr->a4;
1015 break;
1016
1017 case AF_INET6:
1018 ipv6_addr_copy((struct in6_addr *)x->sel.daddr.a6,
1019 (struct in6_addr *)daddr);
1020 ipv6_addr_copy((struct in6_addr *)x->sel.saddr.a6,
1021 (struct in6_addr *)saddr);
1022 x->sel.prefixlen_d = 128;
1023 x->sel.prefixlen_s = 128;
1024 ipv6_addr_copy((struct in6_addr *)x->props.saddr.a6,
1025 (struct in6_addr *)saddr);
1026 ipv6_addr_copy((struct in6_addr *)x->id.daddr.a6,
1027 (struct in6_addr *)daddr);
1028 break;
1029 }
1030
1031 x->km.state = XFRM_STATE_ACQ;
1032 x->id.proto = proto;
1033 x->props.family = family;
1034 x->props.mode = mode;
1035 x->props.reqid = reqid;
1036 x->lft.hard_add_expires_seconds = sysctl_xfrm_acq_expires;
1037 xfrm_state_hold(x);
1038 x->timer.expires = jiffies + sysctl_xfrm_acq_expires*HZ;
1039 add_timer(&x->timer);
1040 list_add(&x->km.all, &init_net.xfrm.state_all);
1041 hlist_add_head(&x->bydst, init_net.xfrm.state_bydst+h);
1042 h = xfrm_src_hash(&init_net, daddr, saddr, family);
1043 hlist_add_head(&x->bysrc, init_net.xfrm.state_bysrc+h);
1044
1045 init_net.xfrm.state_num++;
1046
1047 xfrm_hash_grow_check(x->bydst.next != NULL);
1048 }
1049
1050 return x;
1051}
1052
1053static struct xfrm_state *__xfrm_find_acq_byseq(u32 seq);
1054
1055int xfrm_state_add(struct xfrm_state *x)
1056{
1057 struct xfrm_state *x1, *to_put;
1058 int family;
1059 int err;
1060 int use_spi = xfrm_id_proto_match(x->id.proto, IPSEC_PROTO_ANY);
1061
1062 family = x->props.family;
1063
1064 to_put = NULL;
1065
1066 spin_lock_bh(&xfrm_state_lock);
1067
1068 x1 = __xfrm_state_locate(x, use_spi, family);
1069 if (x1) {
1070 to_put = x1;
1071 x1 = NULL;
1072 err = -EEXIST;
1073 goto out;
1074 }
1075
1076 if (use_spi && x->km.seq) {
1077 x1 = __xfrm_find_acq_byseq(x->km.seq);
1078 if (x1 && ((x1->id.proto != x->id.proto) ||
1079 xfrm_addr_cmp(&x1->id.daddr, &x->id.daddr, family))) {
1080 to_put = x1;
1081 x1 = NULL;
1082 }
1083 }
1084
1085 if (use_spi && !x1)
1086 x1 = __find_acq_core(family, x->props.mode, x->props.reqid,
1087 x->id.proto,
1088 &x->id.daddr, &x->props.saddr, 0);
1089
1090 __xfrm_state_bump_genids(x);
1091 __xfrm_state_insert(x);
1092 err = 0;
1093
1094out:
1095 spin_unlock_bh(&xfrm_state_lock);
1096
1097 if (x1) {
1098 xfrm_state_delete(x1);
1099 xfrm_state_put(x1);
1100 }
1101
1102 if (to_put)
1103 xfrm_state_put(to_put);
1104
1105 return err;
1106}
1107EXPORT_SYMBOL(xfrm_state_add);
1108
1109#ifdef CONFIG_XFRM_MIGRATE
1110static struct xfrm_state *xfrm_state_clone(struct xfrm_state *orig, int *errp)
1111{
1112 int err = -ENOMEM;
1113 struct xfrm_state *x = xfrm_state_alloc(&init_net);
1114 if (!x)
1115 goto error;
1116
1117 memcpy(&x->id, &orig->id, sizeof(x->id));
1118 memcpy(&x->sel, &orig->sel, sizeof(x->sel));
1119 memcpy(&x->lft, &orig->lft, sizeof(x->lft));
1120 x->props.mode = orig->props.mode;
1121 x->props.replay_window = orig->props.replay_window;
1122 x->props.reqid = orig->props.reqid;
1123 x->props.family = orig->props.family;
1124 x->props.saddr = orig->props.saddr;
1125
1126 if (orig->aalg) {
1127 x->aalg = xfrm_algo_clone(orig->aalg);
1128 if (!x->aalg)
1129 goto error;
1130 }
1131 x->props.aalgo = orig->props.aalgo;
1132
1133 if (orig->ealg) {
1134 x->ealg = xfrm_algo_clone(orig->ealg);
1135 if (!x->ealg)
1136 goto error;
1137 }
1138 x->props.ealgo = orig->props.ealgo;
1139
1140 if (orig->calg) {
1141 x->calg = xfrm_algo_clone(orig->calg);
1142 if (!x->calg)
1143 goto error;
1144 }
1145 x->props.calgo = orig->props.calgo;
1146
1147 if (orig->encap) {
1148 x->encap = kmemdup(orig->encap, sizeof(*x->encap), GFP_KERNEL);
1149 if (!x->encap)
1150 goto error;
1151 }
1152
1153 if (orig->coaddr) {
1154 x->coaddr = kmemdup(orig->coaddr, sizeof(*x->coaddr),
1155 GFP_KERNEL);
1156 if (!x->coaddr)
1157 goto error;
1158 }
1159
1160 err = xfrm_init_state(x);
1161 if (err)
1162 goto error;
1163
1164 x->props.flags = orig->props.flags;
1165
1166 x->curlft.add_time = orig->curlft.add_time;
1167 x->km.state = orig->km.state;
1168 x->km.seq = orig->km.seq;
1169
1170 return x;
1171
1172 error:
1173 if (errp)
1174 *errp = err;
1175 if (x) {
1176 kfree(x->aalg);
1177 kfree(x->ealg);
1178 kfree(x->calg);
1179 kfree(x->encap);
1180 kfree(x->coaddr);
1181 }
1182 kfree(x);
1183 return NULL;
1184}
1185
1186/* xfrm_state_lock is held */
1187struct xfrm_state * xfrm_migrate_state_find(struct xfrm_migrate *m)
1188{
1189 unsigned int h;
1190 struct xfrm_state *x;
1191 struct hlist_node *entry;
1192
1193 if (m->reqid) {
1194 h = xfrm_dst_hash(&init_net, &m->old_daddr, &m->old_saddr,
1195 m->reqid, m->old_family);
1196 hlist_for_each_entry(x, entry, init_net.xfrm.state_bydst+h, bydst) {
1197 if (x->props.mode != m->mode ||
1198 x->id.proto != m->proto)
1199 continue;
1200 if (m->reqid && x->props.reqid != m->reqid)
1201 continue;
1202 if (xfrm_addr_cmp(&x->id.daddr, &m->old_daddr,
1203 m->old_family) ||
1204 xfrm_addr_cmp(&x->props.saddr, &m->old_saddr,
1205 m->old_family))
1206 continue;
1207 xfrm_state_hold(x);
1208 return x;
1209 }
1210 } else {
1211 h = xfrm_src_hash(&init_net, &m->old_daddr, &m->old_saddr,
1212 m->old_family);
1213 hlist_for_each_entry(x, entry, init_net.xfrm.state_bysrc+h, bysrc) {
1214 if (x->props.mode != m->mode ||
1215 x->id.proto != m->proto)
1216 continue;
1217 if (xfrm_addr_cmp(&x->id.daddr, &m->old_daddr,
1218 m->old_family) ||
1219 xfrm_addr_cmp(&x->props.saddr, &m->old_saddr,
1220 m->old_family))
1221 continue;
1222 xfrm_state_hold(x);
1223 return x;
1224 }
1225 }
1226
1227 return NULL;
1228}
1229EXPORT_SYMBOL(xfrm_migrate_state_find);
1230
1231struct xfrm_state * xfrm_state_migrate(struct xfrm_state *x,
1232 struct xfrm_migrate *m)
1233{
1234 struct xfrm_state *xc;
1235 int err;
1236
1237 xc = xfrm_state_clone(x, &err);
1238 if (!xc)
1239 return NULL;
1240
1241 memcpy(&xc->id.daddr, &m->new_daddr, sizeof(xc->id.daddr));
1242 memcpy(&xc->props.saddr, &m->new_saddr, sizeof(xc->props.saddr));
1243
1244 /* add state */
1245 if (!xfrm_addr_cmp(&x->id.daddr, &m->new_daddr, m->new_family)) {
1246 /* a care is needed when the destination address of the
1247 state is to be updated as it is a part of triplet */
1248 xfrm_state_insert(xc);
1249 } else {
1250 if ((err = xfrm_state_add(xc)) < 0)
1251 goto error;
1252 }
1253
1254 return xc;
1255error:
1256 kfree(xc);
1257 return NULL;
1258}
1259EXPORT_SYMBOL(xfrm_state_migrate);
1260#endif
1261
1262int xfrm_state_update(struct xfrm_state *x)
1263{
1264 struct xfrm_state *x1, *to_put;
1265 int err;
1266 int use_spi = xfrm_id_proto_match(x->id.proto, IPSEC_PROTO_ANY);
1267
1268 to_put = NULL;
1269
1270 spin_lock_bh(&xfrm_state_lock);
1271 x1 = __xfrm_state_locate(x, use_spi, x->props.family);
1272
1273 err = -ESRCH;
1274 if (!x1)
1275 goto out;
1276
1277 if (xfrm_state_kern(x1)) {
1278 to_put = x1;
1279 err = -EEXIST;
1280 goto out;
1281 }
1282
1283 if (x1->km.state == XFRM_STATE_ACQ) {
1284 __xfrm_state_insert(x);
1285 x = NULL;
1286 }
1287 err = 0;
1288
1289out:
1290 spin_unlock_bh(&xfrm_state_lock);
1291
1292 if (to_put)
1293 xfrm_state_put(to_put);
1294
1295 if (err)
1296 return err;
1297
1298 if (!x) {
1299 xfrm_state_delete(x1);
1300 xfrm_state_put(x1);
1301 return 0;
1302 }
1303
1304 err = -EINVAL;
1305 spin_lock_bh(&x1->lock);
1306 if (likely(x1->km.state == XFRM_STATE_VALID)) {
1307 if (x->encap && x1->encap)
1308 memcpy(x1->encap, x->encap, sizeof(*x1->encap));
1309 if (x->coaddr && x1->coaddr) {
1310 memcpy(x1->coaddr, x->coaddr, sizeof(*x1->coaddr));
1311 }
1312 if (!use_spi && memcmp(&x1->sel, &x->sel, sizeof(x1->sel)))
1313 memcpy(&x1->sel, &x->sel, sizeof(x1->sel));
1314 memcpy(&x1->lft, &x->lft, sizeof(x1->lft));
1315 x1->km.dying = 0;
1316
1317 mod_timer(&x1->timer, jiffies + HZ);
1318 if (x1->curlft.use_time)
1319 xfrm_state_check_expire(x1);
1320
1321 err = 0;
1322 }
1323 spin_unlock_bh(&x1->lock);
1324
1325 xfrm_state_put(x1);
1326
1327 return err;
1328}
1329EXPORT_SYMBOL(xfrm_state_update);
1330
1331int xfrm_state_check_expire(struct xfrm_state *x)
1332{
1333 if (!x->curlft.use_time)
1334 x->curlft.use_time = get_seconds();
1335
1336 if (x->km.state != XFRM_STATE_VALID)
1337 return -EINVAL;
1338
1339 if (x->curlft.bytes >= x->lft.hard_byte_limit ||
1340 x->curlft.packets >= x->lft.hard_packet_limit) {
1341 x->km.state = XFRM_STATE_EXPIRED;
1342 mod_timer(&x->timer, jiffies);
1343 return -EINVAL;
1344 }
1345
1346 if (!x->km.dying &&
1347 (x->curlft.bytes >= x->lft.soft_byte_limit ||
1348 x->curlft.packets >= x->lft.soft_packet_limit)) {
1349 x->km.dying = 1;
1350 km_state_expired(x, 0, 0);
1351 }
1352 return 0;
1353}
1354EXPORT_SYMBOL(xfrm_state_check_expire);
1355
1356struct xfrm_state *
1357xfrm_state_lookup(xfrm_address_t *daddr, __be32 spi, u8 proto,
1358 unsigned short family)
1359{
1360 struct xfrm_state *x;
1361
1362 spin_lock_bh(&xfrm_state_lock);
1363 x = __xfrm_state_lookup(daddr, spi, proto, family);
1364 spin_unlock_bh(&xfrm_state_lock);
1365 return x;
1366}
1367EXPORT_SYMBOL(xfrm_state_lookup);
1368
1369struct xfrm_state *
1370xfrm_state_lookup_byaddr(xfrm_address_t *daddr, xfrm_address_t *saddr,
1371 u8 proto, unsigned short family)
1372{
1373 struct xfrm_state *x;
1374
1375 spin_lock_bh(&xfrm_state_lock);
1376 x = __xfrm_state_lookup_byaddr(daddr, saddr, proto, family);
1377 spin_unlock_bh(&xfrm_state_lock);
1378 return x;
1379}
1380EXPORT_SYMBOL(xfrm_state_lookup_byaddr);
1381
1382struct xfrm_state *
1383xfrm_find_acq(u8 mode, u32 reqid, u8 proto,
1384 xfrm_address_t *daddr, xfrm_address_t *saddr,
1385 int create, unsigned short family)
1386{
1387 struct xfrm_state *x;
1388
1389 spin_lock_bh(&xfrm_state_lock);
1390 x = __find_acq_core(family, mode, reqid, proto, daddr, saddr, create);
1391 spin_unlock_bh(&xfrm_state_lock);
1392
1393 return x;
1394}
1395EXPORT_SYMBOL(xfrm_find_acq);
1396
1397#ifdef CONFIG_XFRM_SUB_POLICY
1398int
1399xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, int n,
1400 unsigned short family)
1401{
1402 int err = 0;
1403 struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family);
1404 if (!afinfo)
1405 return -EAFNOSUPPORT;
1406
1407 spin_lock_bh(&xfrm_state_lock);
1408 if (afinfo->tmpl_sort)
1409 err = afinfo->tmpl_sort(dst, src, n);
1410 spin_unlock_bh(&xfrm_state_lock);
1411 xfrm_state_put_afinfo(afinfo);
1412 return err;
1413}
1414EXPORT_SYMBOL(xfrm_tmpl_sort);
1415
1416int
1417xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src, int n,
1418 unsigned short family)
1419{
1420 int err = 0;
1421 struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family);
1422 if (!afinfo)
1423 return -EAFNOSUPPORT;
1424
1425 spin_lock_bh(&xfrm_state_lock);
1426 if (afinfo->state_sort)
1427 err = afinfo->state_sort(dst, src, n);
1428 spin_unlock_bh(&xfrm_state_lock);
1429 xfrm_state_put_afinfo(afinfo);
1430 return err;
1431}
1432EXPORT_SYMBOL(xfrm_state_sort);
1433#endif
1434
1435/* Silly enough, but I'm lazy to build resolution list */
1436
1437static struct xfrm_state *__xfrm_find_acq_byseq(u32 seq)
1438{
1439 int i;
1440
1441 for (i = 0; i <= init_net.xfrm.state_hmask; i++) {
1442 struct hlist_node *entry;
1443 struct xfrm_state *x;
1444
1445 hlist_for_each_entry(x, entry, init_net.xfrm.state_bydst+i, bydst) {
1446 if (x->km.seq == seq &&
1447 x->km.state == XFRM_STATE_ACQ) {
1448 xfrm_state_hold(x);
1449 return x;
1450 }
1451 }
1452 }
1453 return NULL;
1454}
1455
1456struct xfrm_state *xfrm_find_acq_byseq(u32 seq)
1457{
1458 struct xfrm_state *x;
1459
1460 spin_lock_bh(&xfrm_state_lock);
1461 x = __xfrm_find_acq_byseq(seq);
1462 spin_unlock_bh(&xfrm_state_lock);
1463 return x;
1464}
1465EXPORT_SYMBOL(xfrm_find_acq_byseq);
1466
1467u32 xfrm_get_acqseq(void)
1468{
1469 u32 res;
1470 static u32 acqseq;
1471 static DEFINE_SPINLOCK(acqseq_lock);
1472
1473 spin_lock_bh(&acqseq_lock);
1474 res = (++acqseq ? : ++acqseq);
1475 spin_unlock_bh(&acqseq_lock);
1476 return res;
1477}
1478EXPORT_SYMBOL(xfrm_get_acqseq);
1479
1480int xfrm_alloc_spi(struct xfrm_state *x, u32 low, u32 high)
1481{
1482 unsigned int h;
1483 struct xfrm_state *x0;
1484 int err = -ENOENT;
1485 __be32 minspi = htonl(low);
1486 __be32 maxspi = htonl(high);
1487
1488 spin_lock_bh(&x->lock);
1489 if (x->km.state == XFRM_STATE_DEAD)
1490 goto unlock;
1491
1492 err = 0;
1493 if (x->id.spi)
1494 goto unlock;
1495
1496 err = -ENOENT;
1497
1498 if (minspi == maxspi) {
1499 x0 = xfrm_state_lookup(&x->id.daddr, minspi, x->id.proto, x->props.family);
1500 if (x0) {
1501 xfrm_state_put(x0);
1502 goto unlock;
1503 }
1504 x->id.spi = minspi;
1505 } else {
1506 u32 spi = 0;
1507 for (h=0; h<high-low+1; h++) {
1508 spi = low + net_random()%(high-low+1);
1509 x0 = xfrm_state_lookup(&x->id.daddr, htonl(spi), x->id.proto, x->props.family);
1510 if (x0 == NULL) {
1511 x->id.spi = htonl(spi);
1512 break;
1513 }
1514 xfrm_state_put(x0);
1515 }
1516 }
1517 if (x->id.spi) {
1518 spin_lock_bh(&xfrm_state_lock);
1519 h = xfrm_spi_hash(&init_net, &x->id.daddr, x->id.spi, x->id.proto, x->props.family);
1520 hlist_add_head(&x->byspi, init_net.xfrm.state_byspi+h);
1521 spin_unlock_bh(&xfrm_state_lock);
1522
1523 err = 0;
1524 }
1525
1526unlock:
1527 spin_unlock_bh(&x->lock);
1528
1529 return err;
1530}
1531EXPORT_SYMBOL(xfrm_alloc_spi);
1532
1533int xfrm_state_walk(struct xfrm_state_walk *walk,
1534 int (*func)(struct xfrm_state *, int, void*),
1535 void *data)
1536{
1537 struct xfrm_state *state;
1538 struct xfrm_state_walk *x;
1539 int err = 0;
1540
1541 if (walk->seq != 0 && list_empty(&walk->all))
1542 return 0;
1543
1544 spin_lock_bh(&xfrm_state_lock);
1545 if (list_empty(&walk->all))
1546 x = list_first_entry(&init_net.xfrm.state_all, struct xfrm_state_walk, all);
1547 else
1548 x = list_entry(&walk->all, struct xfrm_state_walk, all);
1549 list_for_each_entry_from(x, &init_net.xfrm.state_all, all) {
1550 if (x->state == XFRM_STATE_DEAD)
1551 continue;
1552 state = container_of(x, struct xfrm_state, km);
1553 if (!xfrm_id_proto_match(state->id.proto, walk->proto))
1554 continue;
1555 err = func(state, walk->seq, data);
1556 if (err) {
1557 list_move_tail(&walk->all, &x->all);
1558 goto out;
1559 }
1560 walk->seq++;
1561 }
1562 if (walk->seq == 0) {
1563 err = -ENOENT;
1564 goto out;
1565 }
1566 list_del_init(&walk->all);
1567out:
1568 spin_unlock_bh(&xfrm_state_lock);
1569 return err;
1570}
1571EXPORT_SYMBOL(xfrm_state_walk);
1572
1573void xfrm_state_walk_init(struct xfrm_state_walk *walk, u8 proto)
1574{
1575 INIT_LIST_HEAD(&walk->all);
1576 walk->proto = proto;
1577 walk->state = XFRM_STATE_DEAD;
1578 walk->seq = 0;
1579}
1580EXPORT_SYMBOL(xfrm_state_walk_init);
1581
1582void xfrm_state_walk_done(struct xfrm_state_walk *walk)
1583{
1584 if (list_empty(&walk->all))
1585 return;
1586
1587 spin_lock_bh(&xfrm_state_lock);
1588 list_del(&walk->all);
1589 spin_lock_bh(&xfrm_state_lock);
1590}
1591EXPORT_SYMBOL(xfrm_state_walk_done);
1592
1593
1594void xfrm_replay_notify(struct xfrm_state *x, int event)
1595{
1596 struct km_event c;
1597 /* we send notify messages in case
1598 * 1. we updated on of the sequence numbers, and the seqno difference
1599 * is at least x->replay_maxdiff, in this case we also update the
1600 * timeout of our timer function
1601 * 2. if x->replay_maxage has elapsed since last update,
1602 * and there were changes
1603 *
1604 * The state structure must be locked!
1605 */
1606
1607 switch (event) {
1608 case XFRM_REPLAY_UPDATE:
1609 if (x->replay_maxdiff &&
1610 (x->replay.seq - x->preplay.seq < x->replay_maxdiff) &&
1611 (x->replay.oseq - x->preplay.oseq < x->replay_maxdiff)) {
1612 if (x->xflags & XFRM_TIME_DEFER)
1613 event = XFRM_REPLAY_TIMEOUT;
1614 else
1615 return;
1616 }
1617
1618 break;
1619
1620 case XFRM_REPLAY_TIMEOUT:
1621 if ((x->replay.seq == x->preplay.seq) &&
1622 (x->replay.bitmap == x->preplay.bitmap) &&
1623 (x->replay.oseq == x->preplay.oseq)) {
1624 x->xflags |= XFRM_TIME_DEFER;
1625 return;
1626 }
1627
1628 break;
1629 }
1630
1631 memcpy(&x->preplay, &x->replay, sizeof(struct xfrm_replay_state));
1632 c.event = XFRM_MSG_NEWAE;
1633 c.data.aevent = event;
1634 km_state_notify(x, &c);
1635
1636 if (x->replay_maxage &&
1637 !mod_timer(&x->rtimer, jiffies + x->replay_maxage))
1638 x->xflags &= ~XFRM_TIME_DEFER;
1639}
1640
1641static void xfrm_replay_timer_handler(unsigned long data)
1642{
1643 struct xfrm_state *x = (struct xfrm_state*)data;
1644
1645 spin_lock(&x->lock);
1646
1647 if (x->km.state == XFRM_STATE_VALID) {
1648 if (xfrm_aevent_is_on())
1649 xfrm_replay_notify(x, XFRM_REPLAY_TIMEOUT);
1650 else
1651 x->xflags |= XFRM_TIME_DEFER;
1652 }
1653
1654 spin_unlock(&x->lock);
1655}
1656
1657int xfrm_replay_check(struct xfrm_state *x,
1658 struct sk_buff *skb, __be32 net_seq)
1659{
1660 u32 diff;
1661 u32 seq = ntohl(net_seq);
1662
1663 if (unlikely(seq == 0))
1664 goto err;
1665
1666 if (likely(seq > x->replay.seq))
1667 return 0;
1668
1669 diff = x->replay.seq - seq;
1670 if (diff >= min_t(unsigned int, x->props.replay_window,
1671 sizeof(x->replay.bitmap) * 8)) {
1672 x->stats.replay_window++;
1673 goto err;
1674 }
1675
1676 if (x->replay.bitmap & (1U << diff)) {
1677 x->stats.replay++;
1678 goto err;
1679 }
1680 return 0;
1681
1682err:
1683 xfrm_audit_state_replay(x, skb, net_seq);
1684 return -EINVAL;
1685}
1686
1687void xfrm_replay_advance(struct xfrm_state *x, __be32 net_seq)
1688{
1689 u32 diff;
1690 u32 seq = ntohl(net_seq);
1691
1692 if (seq > x->replay.seq) {
1693 diff = seq - x->replay.seq;
1694 if (diff < x->props.replay_window)
1695 x->replay.bitmap = ((x->replay.bitmap) << diff) | 1;
1696 else
1697 x->replay.bitmap = 1;
1698 x->replay.seq = seq;
1699 } else {
1700 diff = x->replay.seq - seq;
1701 x->replay.bitmap |= (1U << diff);
1702 }
1703
1704 if (xfrm_aevent_is_on())
1705 xfrm_replay_notify(x, XFRM_REPLAY_UPDATE);
1706}
1707
1708static LIST_HEAD(xfrm_km_list);
1709static DEFINE_RWLOCK(xfrm_km_lock);
1710
1711void km_policy_notify(struct xfrm_policy *xp, int dir, struct km_event *c)
1712{
1713 struct xfrm_mgr *km;
1714
1715 read_lock(&xfrm_km_lock);
1716 list_for_each_entry(km, &xfrm_km_list, list)
1717 if (km->notify_policy)
1718 km->notify_policy(xp, dir, c);
1719 read_unlock(&xfrm_km_lock);
1720}
1721
1722void km_state_notify(struct xfrm_state *x, struct km_event *c)
1723{
1724 struct xfrm_mgr *km;
1725 read_lock(&xfrm_km_lock);
1726 list_for_each_entry(km, &xfrm_km_list, list)
1727 if (km->notify)
1728 km->notify(x, c);
1729 read_unlock(&xfrm_km_lock);
1730}
1731
1732EXPORT_SYMBOL(km_policy_notify);
1733EXPORT_SYMBOL(km_state_notify);
1734
1735void km_state_expired(struct xfrm_state *x, int hard, u32 pid)
1736{
1737 struct km_event c;
1738
1739 c.data.hard = hard;
1740 c.pid = pid;
1741 c.event = XFRM_MSG_EXPIRE;
1742 km_state_notify(x, &c);
1743
1744 if (hard)
1745 wake_up(&init_net.xfrm.km_waitq);
1746}
1747
1748EXPORT_SYMBOL(km_state_expired);
1749/*
1750 * We send to all registered managers regardless of failure
1751 * We are happy with one success
1752*/
1753int km_query(struct xfrm_state *x, struct xfrm_tmpl *t, struct xfrm_policy *pol)
1754{
1755 int err = -EINVAL, acqret;
1756 struct xfrm_mgr *km;
1757
1758 read_lock(&xfrm_km_lock);
1759 list_for_each_entry(km, &xfrm_km_list, list) {
1760 acqret = km->acquire(x, t, pol, XFRM_POLICY_OUT);
1761 if (!acqret)
1762 err = acqret;
1763 }
1764 read_unlock(&xfrm_km_lock);
1765 return err;
1766}
1767EXPORT_SYMBOL(km_query);
1768
1769int km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport)
1770{
1771 int err = -EINVAL;
1772 struct xfrm_mgr *km;
1773
1774 read_lock(&xfrm_km_lock);
1775 list_for_each_entry(km, &xfrm_km_list, list) {
1776 if (km->new_mapping)
1777 err = km->new_mapping(x, ipaddr, sport);
1778 if (!err)
1779 break;
1780 }
1781 read_unlock(&xfrm_km_lock);
1782 return err;
1783}
1784EXPORT_SYMBOL(km_new_mapping);
1785
1786void km_policy_expired(struct xfrm_policy *pol, int dir, int hard, u32 pid)
1787{
1788 struct km_event c;
1789
1790 c.data.hard = hard;
1791 c.pid = pid;
1792 c.event = XFRM_MSG_POLEXPIRE;
1793 km_policy_notify(pol, dir, &c);
1794
1795 if (hard)
1796 wake_up(&init_net.xfrm.km_waitq);
1797}
1798EXPORT_SYMBOL(km_policy_expired);
1799
1800#ifdef CONFIG_XFRM_MIGRATE
1801int km_migrate(struct xfrm_selector *sel, u8 dir, u8 type,
1802 struct xfrm_migrate *m, int num_migrate,
1803 struct xfrm_kmaddress *k)
1804{
1805 int err = -EINVAL;
1806 int ret;
1807 struct xfrm_mgr *km;
1808
1809 read_lock(&xfrm_km_lock);
1810 list_for_each_entry(km, &xfrm_km_list, list) {
1811 if (km->migrate) {
1812 ret = km->migrate(sel, dir, type, m, num_migrate, k);
1813 if (!ret)
1814 err = ret;
1815 }
1816 }
1817 read_unlock(&xfrm_km_lock);
1818 return err;
1819}
1820EXPORT_SYMBOL(km_migrate);
1821#endif
1822
1823int km_report(u8 proto, struct xfrm_selector *sel, xfrm_address_t *addr)
1824{
1825 int err = -EINVAL;
1826 int ret;
1827 struct xfrm_mgr *km;
1828
1829 read_lock(&xfrm_km_lock);
1830 list_for_each_entry(km, &xfrm_km_list, list) {
1831 if (km->report) {
1832 ret = km->report(proto, sel, addr);
1833 if (!ret)
1834 err = ret;
1835 }
1836 }
1837 read_unlock(&xfrm_km_lock);
1838 return err;
1839}
1840EXPORT_SYMBOL(km_report);
1841
1842int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen)
1843{
1844 int err;
1845 u8 *data;
1846 struct xfrm_mgr *km;
1847 struct xfrm_policy *pol = NULL;
1848
1849 if (optlen <= 0 || optlen > PAGE_SIZE)
1850 return -EMSGSIZE;
1851
1852 data = kmalloc(optlen, GFP_KERNEL);
1853 if (!data)
1854 return -ENOMEM;
1855
1856 err = -EFAULT;
1857 if (copy_from_user(data, optval, optlen))
1858 goto out;
1859
1860 err = -EINVAL;
1861 read_lock(&xfrm_km_lock);
1862 list_for_each_entry(km, &xfrm_km_list, list) {
1863 pol = km->compile_policy(sk, optname, data,
1864 optlen, &err);
1865 if (err >= 0)
1866 break;
1867 }
1868 read_unlock(&xfrm_km_lock);
1869
1870 if (err >= 0) {
1871 xfrm_sk_policy_insert(sk, err, pol);
1872 xfrm_pol_put(pol);
1873 err = 0;
1874 }
1875
1876out:
1877 kfree(data);
1878 return err;
1879}
1880EXPORT_SYMBOL(xfrm_user_policy);
1881
1882int xfrm_register_km(struct xfrm_mgr *km)
1883{
1884 write_lock_bh(&xfrm_km_lock);
1885 list_add_tail(&km->list, &xfrm_km_list);
1886 write_unlock_bh(&xfrm_km_lock);
1887 return 0;
1888}
1889EXPORT_SYMBOL(xfrm_register_km);
1890
1891int xfrm_unregister_km(struct xfrm_mgr *km)
1892{
1893 write_lock_bh(&xfrm_km_lock);
1894 list_del(&km->list);
1895 write_unlock_bh(&xfrm_km_lock);
1896 return 0;
1897}
1898EXPORT_SYMBOL(xfrm_unregister_km);
1899
1900int xfrm_state_register_afinfo(struct xfrm_state_afinfo *afinfo)
1901{
1902 int err = 0;
1903 if (unlikely(afinfo == NULL))
1904 return -EINVAL;
1905 if (unlikely(afinfo->family >= NPROTO))
1906 return -EAFNOSUPPORT;
1907 write_lock_bh(&xfrm_state_afinfo_lock);
1908 if (unlikely(xfrm_state_afinfo[afinfo->family] != NULL))
1909 err = -ENOBUFS;
1910 else
1911 xfrm_state_afinfo[afinfo->family] = afinfo;
1912 write_unlock_bh(&xfrm_state_afinfo_lock);
1913 return err;
1914}
1915EXPORT_SYMBOL(xfrm_state_register_afinfo);
1916
1917int xfrm_state_unregister_afinfo(struct xfrm_state_afinfo *afinfo)
1918{
1919 int err = 0;
1920 if (unlikely(afinfo == NULL))
1921 return -EINVAL;
1922 if (unlikely(afinfo->family >= NPROTO))
1923 return -EAFNOSUPPORT;
1924 write_lock_bh(&xfrm_state_afinfo_lock);
1925 if (likely(xfrm_state_afinfo[afinfo->family] != NULL)) {
1926 if (unlikely(xfrm_state_afinfo[afinfo->family] != afinfo))
1927 err = -EINVAL;
1928 else
1929 xfrm_state_afinfo[afinfo->family] = NULL;
1930 }
1931 write_unlock_bh(&xfrm_state_afinfo_lock);
1932 return err;
1933}
1934EXPORT_SYMBOL(xfrm_state_unregister_afinfo);
1935
1936static struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned int family)
1937{
1938 struct xfrm_state_afinfo *afinfo;
1939 if (unlikely(family >= NPROTO))
1940 return NULL;
1941 read_lock(&xfrm_state_afinfo_lock);
1942 afinfo = xfrm_state_afinfo[family];
1943 if (unlikely(!afinfo))
1944 read_unlock(&xfrm_state_afinfo_lock);
1945 return afinfo;
1946}
1947
1948static void xfrm_state_put_afinfo(struct xfrm_state_afinfo *afinfo)
1949 __releases(xfrm_state_afinfo_lock)
1950{
1951 read_unlock(&xfrm_state_afinfo_lock);
1952}
1953
1954/* Temporarily located here until net/xfrm/xfrm_tunnel.c is created */
1955void xfrm_state_delete_tunnel(struct xfrm_state *x)
1956{
1957 if (x->tunnel) {
1958 struct xfrm_state *t = x->tunnel;
1959
1960 if (atomic_read(&t->tunnel_users) == 2)
1961 xfrm_state_delete(t);
1962 atomic_dec(&t->tunnel_users);
1963 xfrm_state_put(t);
1964 x->tunnel = NULL;
1965 }
1966}
1967EXPORT_SYMBOL(xfrm_state_delete_tunnel);
1968
1969int xfrm_state_mtu(struct xfrm_state *x, int mtu)
1970{
1971 int res;
1972
1973 spin_lock_bh(&x->lock);
1974 if (x->km.state == XFRM_STATE_VALID &&
1975 x->type && x->type->get_mtu)
1976 res = x->type->get_mtu(x, mtu);
1977 else
1978 res = mtu - x->props.header_len;
1979 spin_unlock_bh(&x->lock);
1980 return res;
1981}
1982
1983int xfrm_init_state(struct xfrm_state *x)
1984{
1985 struct xfrm_state_afinfo *afinfo;
1986 struct xfrm_mode *inner_mode;
1987 int family = x->props.family;
1988 int err;
1989
1990 err = -EAFNOSUPPORT;
1991 afinfo = xfrm_state_get_afinfo(family);
1992 if (!afinfo)
1993 goto error;
1994
1995 err = 0;
1996 if (afinfo->init_flags)
1997 err = afinfo->init_flags(x);
1998
1999 xfrm_state_put_afinfo(afinfo);
2000
2001 if (err)
2002 goto error;
2003
2004 err = -EPROTONOSUPPORT;
2005
2006 if (x->sel.family != AF_UNSPEC) {
2007 inner_mode = xfrm_get_mode(x->props.mode, x->sel.family);
2008 if (inner_mode == NULL)
2009 goto error;
2010
2011 if (!(inner_mode->flags & XFRM_MODE_FLAG_TUNNEL) &&
2012 family != x->sel.family) {
2013 xfrm_put_mode(inner_mode);
2014 goto error;
2015 }
2016
2017 x->inner_mode = inner_mode;
2018 } else {
2019 struct xfrm_mode *inner_mode_iaf;
2020
2021 inner_mode = xfrm_get_mode(x->props.mode, AF_INET);
2022 if (inner_mode == NULL)
2023 goto error;
2024
2025 if (!(inner_mode->flags & XFRM_MODE_FLAG_TUNNEL)) {
2026 xfrm_put_mode(inner_mode);
2027 goto error;
2028 }
2029
2030 inner_mode_iaf = xfrm_get_mode(x->props.mode, AF_INET6);
2031 if (inner_mode_iaf == NULL)
2032 goto error;
2033
2034 if (!(inner_mode_iaf->flags & XFRM_MODE_FLAG_TUNNEL)) {
2035 xfrm_put_mode(inner_mode_iaf);
2036 goto error;
2037 }
2038
2039 if (x->props.family == AF_INET) {
2040 x->inner_mode = inner_mode;
2041 x->inner_mode_iaf = inner_mode_iaf;
2042 } else {
2043 x->inner_mode = inner_mode_iaf;
2044 x->inner_mode_iaf = inner_mode;
2045 }
2046 }
2047
2048 x->type = xfrm_get_type(x->id.proto, family);
2049 if (x->type == NULL)
2050 goto error;
2051
2052 err = x->type->init_state(x);
2053 if (err)
2054 goto error;
2055
2056 x->outer_mode = xfrm_get_mode(x->props.mode, family);
2057 if (x->outer_mode == NULL)
2058 goto error;
2059
2060 x->km.state = XFRM_STATE_VALID;
2061
2062error:
2063 return err;
2064}
2065
2066EXPORT_SYMBOL(xfrm_init_state);
2067
2068int __net_init xfrm_state_init(struct net *net)
2069{
2070 unsigned int sz;
2071
2072 INIT_LIST_HEAD(&net->xfrm.state_all);
2073
2074 sz = sizeof(struct hlist_head) * 8;
2075
2076 net->xfrm.state_bydst = xfrm_hash_alloc(sz);
2077 if (!net->xfrm.state_bydst)
2078 goto out_bydst;
2079 net->xfrm.state_bysrc = xfrm_hash_alloc(sz);
2080 if (!net->xfrm.state_bysrc)
2081 goto out_bysrc;
2082 net->xfrm.state_byspi = xfrm_hash_alloc(sz);
2083 if (!net->xfrm.state_byspi)
2084 goto out_byspi;
2085 net->xfrm.state_hmask = ((sz / sizeof(struct hlist_head)) - 1);
2086
2087 net->xfrm.state_num = 0;
2088 INIT_WORK(&net->xfrm.state_hash_work, xfrm_hash_resize);
2089 INIT_HLIST_HEAD(&net->xfrm.state_gc_list);
2090 INIT_WORK(&net->xfrm.state_gc_work, xfrm_state_gc_task);
2091 init_waitqueue_head(&net->xfrm.km_waitq);
2092 return 0;
2093
2094out_byspi:
2095 xfrm_hash_free(net->xfrm.state_bysrc, sz);
2096out_bysrc:
2097 xfrm_hash_free(net->xfrm.state_bydst, sz);
2098out_bydst:
2099 return -ENOMEM;
2100}
2101
2102void xfrm_state_fini(struct net *net)
2103{
2104 unsigned int sz;
2105
2106 WARN_ON(!list_empty(&net->xfrm.state_all));
2107
2108 sz = (net->xfrm.state_hmask + 1) * sizeof(struct hlist_head);
2109 WARN_ON(!hlist_empty(net->xfrm.state_byspi));
2110 xfrm_hash_free(net->xfrm.state_byspi, sz);
2111 WARN_ON(!hlist_empty(net->xfrm.state_bysrc));
2112 xfrm_hash_free(net->xfrm.state_bysrc, sz);
2113 WARN_ON(!hlist_empty(net->xfrm.state_bydst));
2114 xfrm_hash_free(net->xfrm.state_bydst, sz);
2115}
2116
2117#ifdef CONFIG_AUDITSYSCALL
2118static void xfrm_audit_helper_sainfo(struct xfrm_state *x,
2119 struct audit_buffer *audit_buf)
2120{
2121 struct xfrm_sec_ctx *ctx = x->security;
2122 u32 spi = ntohl(x->id.spi);
2123
2124 if (ctx)
2125 audit_log_format(audit_buf, " sec_alg=%u sec_doi=%u sec_obj=%s",
2126 ctx->ctx_alg, ctx->ctx_doi, ctx->ctx_str);
2127
2128 switch(x->props.family) {
2129 case AF_INET:
2130 audit_log_format(audit_buf, " src=%pI4 dst=%pI4",
2131 &x->props.saddr.a4, &x->id.daddr.a4);
2132 break;
2133 case AF_INET6:
2134 audit_log_format(audit_buf, " src=%pI6 dst=%pI6",
2135 x->props.saddr.a6, x->id.daddr.a6);
2136 break;
2137 }
2138
2139 audit_log_format(audit_buf, " spi=%u(0x%x)", spi, spi);
2140}
2141
2142static void xfrm_audit_helper_pktinfo(struct sk_buff *skb, u16 family,
2143 struct audit_buffer *audit_buf)
2144{
2145 struct iphdr *iph4;
2146 struct ipv6hdr *iph6;
2147
2148 switch (family) {
2149 case AF_INET:
2150 iph4 = ip_hdr(skb);
2151 audit_log_format(audit_buf, " src=%pI4 dst=%pI4",
2152 &iph4->saddr, &iph4->daddr);
2153 break;
2154 case AF_INET6:
2155 iph6 = ipv6_hdr(skb);
2156 audit_log_format(audit_buf,
2157 " src=%pI6 dst=%pI6 flowlbl=0x%x%02x%02x",
2158 &iph6->saddr,&iph6->daddr,
2159 iph6->flow_lbl[0] & 0x0f,
2160 iph6->flow_lbl[1],
2161 iph6->flow_lbl[2]);
2162 break;
2163 }
2164}
2165
2166void xfrm_audit_state_add(struct xfrm_state *x, int result,
2167 uid_t auid, u32 sessionid, u32 secid)
2168{
2169 struct audit_buffer *audit_buf;
2170
2171 audit_buf = xfrm_audit_start("SAD-add");
2172 if (audit_buf == NULL)
2173 return;
2174 xfrm_audit_helper_usrinfo(auid, sessionid, secid, audit_buf);
2175 xfrm_audit_helper_sainfo(x, audit_buf);
2176 audit_log_format(audit_buf, " res=%u", result);
2177 audit_log_end(audit_buf);
2178}
2179EXPORT_SYMBOL_GPL(xfrm_audit_state_add);
2180
2181void xfrm_audit_state_delete(struct xfrm_state *x, int result,
2182 uid_t auid, u32 sessionid, u32 secid)
2183{
2184 struct audit_buffer *audit_buf;
2185
2186 audit_buf = xfrm_audit_start("SAD-delete");
2187 if (audit_buf == NULL)
2188 return;
2189 xfrm_audit_helper_usrinfo(auid, sessionid, secid, audit_buf);
2190 xfrm_audit_helper_sainfo(x, audit_buf);
2191 audit_log_format(audit_buf, " res=%u", result);
2192 audit_log_end(audit_buf);
2193}
2194EXPORT_SYMBOL_GPL(xfrm_audit_state_delete);
2195
2196void xfrm_audit_state_replay_overflow(struct xfrm_state *x,
2197 struct sk_buff *skb)
2198{
2199 struct audit_buffer *audit_buf;
2200 u32 spi;
2201
2202 audit_buf = xfrm_audit_start("SA-replay-overflow");
2203 if (audit_buf == NULL)
2204 return;
2205 xfrm_audit_helper_pktinfo(skb, x->props.family, audit_buf);
2206 /* don't record the sequence number because it's inherent in this kind
2207 * of audit message */
2208 spi = ntohl(x->id.spi);
2209 audit_log_format(audit_buf, " spi=%u(0x%x)", spi, spi);
2210 audit_log_end(audit_buf);
2211}
2212EXPORT_SYMBOL_GPL(xfrm_audit_state_replay_overflow);
2213
2214static void xfrm_audit_state_replay(struct xfrm_state *x,
2215 struct sk_buff *skb, __be32 net_seq)
2216{
2217 struct audit_buffer *audit_buf;
2218 u32 spi;
2219
2220 audit_buf = xfrm_audit_start("SA-replayed-pkt");
2221 if (audit_buf == NULL)
2222 return;
2223 xfrm_audit_helper_pktinfo(skb, x->props.family, audit_buf);
2224 spi = ntohl(x->id.spi);
2225 audit_log_format(audit_buf, " spi=%u(0x%x) seqno=%u",
2226 spi, spi, ntohl(net_seq));
2227 audit_log_end(audit_buf);
2228}
2229
2230void xfrm_audit_state_notfound_simple(struct sk_buff *skb, u16 family)
2231{
2232 struct audit_buffer *audit_buf;
2233
2234 audit_buf = xfrm_audit_start("SA-notfound");
2235 if (audit_buf == NULL)
2236 return;
2237 xfrm_audit_helper_pktinfo(skb, family, audit_buf);
2238 audit_log_end(audit_buf);
2239}
2240EXPORT_SYMBOL_GPL(xfrm_audit_state_notfound_simple);
2241
2242void xfrm_audit_state_notfound(struct sk_buff *skb, u16 family,
2243 __be32 net_spi, __be32 net_seq)
2244{
2245 struct audit_buffer *audit_buf;
2246 u32 spi;
2247
2248 audit_buf = xfrm_audit_start("SA-notfound");
2249 if (audit_buf == NULL)
2250 return;
2251 xfrm_audit_helper_pktinfo(skb, family, audit_buf);
2252 spi = ntohl(net_spi);
2253 audit_log_format(audit_buf, " spi=%u(0x%x) seqno=%u",
2254 spi, spi, ntohl(net_seq));
2255 audit_log_end(audit_buf);
2256}
2257EXPORT_SYMBOL_GPL(xfrm_audit_state_notfound);
2258
2259void xfrm_audit_state_icvfail(struct xfrm_state *x,
2260 struct sk_buff *skb, u8 proto)
2261{
2262 struct audit_buffer *audit_buf;
2263 __be32 net_spi;
2264 __be32 net_seq;
2265
2266 audit_buf = xfrm_audit_start("SA-icv-failure");
2267 if (audit_buf == NULL)
2268 return;
2269 xfrm_audit_helper_pktinfo(skb, x->props.family, audit_buf);
2270 if (xfrm_parse_spi(skb, proto, &net_spi, &net_seq) == 0) {
2271 u32 spi = ntohl(net_spi);
2272 audit_log_format(audit_buf, " spi=%u(0x%x) seqno=%u",
2273 spi, spi, ntohl(net_seq));
2274 }
2275 audit_log_end(audit_buf);
2276}
2277EXPORT_SYMBOL_GPL(xfrm_audit_state_icvfail);
2278#endif /* CONFIG_AUDITSYSCALL */
Ubuntu Artful kernel mirror