6 * Kazunori MIYAZAWA @USAGI
7 * Kunihiro Ishiguro <kunihiro@ipinfusion.com>
9 * YOSHIFUJI Hideaki @USAGI
10 * Split up af-specific functions
11 * Derek Atkins <derek@ihtfp.com>
12 * Add UDP Encapsulation
16 #include <linux/workqueue.h>
18 #include <linux/pfkeyv2.h>
19 #include <linux/ipsec.h>
20 #include <linux/module.h>
21 #include <linux/cache.h>
22 #include <linux/audit.h>
23 #include <asm/uaccess.h>
25 #include "xfrm_hash.h"
28 EXPORT_SYMBOL(xfrm_nl);
30 u32 sysctl_xfrm_aevent_etime __read_mostly = XFRM_AE_ETIME;
31 EXPORT_SYMBOL(sysctl_xfrm_aevent_etime);
33 u32 sysctl_xfrm_aevent_rseqth __read_mostly = XFRM_AE_SEQT_SIZE;
34 EXPORT_SYMBOL(sysctl_xfrm_aevent_rseqth);
36 u32 sysctl_xfrm_acq_expires __read_mostly = 30;
38 /* Each xfrm_state may be linked to two tables:
40 1. Hash table by (spi,daddr,ah/esp) to find SA by SPI. (input,ctl)
41 2. Hash table by (daddr,family,reqid) to find what SAs exist for given
42 destination/tunnel endpoint. (output)
45 static DEFINE_SPINLOCK(xfrm_state_lock);
47 static unsigned int xfrm_state_hashmax __read_mostly = 1 * 1024 * 1024;
48 static unsigned int xfrm_state_genid;
50 static struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned int family);
51 static void xfrm_state_put_afinfo(struct xfrm_state_afinfo *afinfo);
53 #ifdef CONFIG_AUDITSYSCALL
54 static void xfrm_audit_state_replay(struct xfrm_state *x,
55 struct sk_buff *skb, __be32 net_seq);
57 #define xfrm_audit_state_replay(x, s, sq) do { ; } while (0)
58 #endif /* CONFIG_AUDITSYSCALL */
60 static inline unsigned int xfrm_dst_hash(xfrm_address_t *daddr,
61 xfrm_address_t *saddr,
63 unsigned short family)
65 return __xfrm_dst_hash(daddr, saddr, reqid, family, init_net.xfrm.state_hmask);
68 static inline unsigned int xfrm_src_hash(xfrm_address_t *daddr,
69 xfrm_address_t *saddr,
70 unsigned short family)
72 return __xfrm_src_hash(daddr, saddr, family, init_net.xfrm.state_hmask);
75 static inline unsigned int
76 xfrm_spi_hash(xfrm_address_t *daddr, __be32 spi, u8 proto, unsigned short family)
78 return __xfrm_spi_hash(daddr, spi, proto, family, init_net.xfrm.state_hmask);
81 static void xfrm_hash_transfer(struct hlist_head *list,
82 struct hlist_head *ndsttable,
83 struct hlist_head *nsrctable,
84 struct hlist_head *nspitable,
85 unsigned int nhashmask)
87 struct hlist_node *entry, *tmp;
90 hlist_for_each_entry_safe(x, entry, tmp, list, bydst) {
93 h = __xfrm_dst_hash(&x->id.daddr, &x->props.saddr,
94 x->props.reqid, x->props.family,
96 hlist_add_head(&x->bydst, ndsttable+h);
98 h = __xfrm_src_hash(&x->id.daddr, &x->props.saddr,
101 hlist_add_head(&x->bysrc, nsrctable+h);
104 h = __xfrm_spi_hash(&x->id.daddr, x->id.spi,
105 x->id.proto, x->props.family,
107 hlist_add_head(&x->byspi, nspitable+h);
112 static unsigned long xfrm_hash_new_size(unsigned int state_hmask)
114 return ((state_hmask + 1) << 1) * sizeof(struct hlist_head);
117 static DEFINE_MUTEX(hash_resize_mutex);
119 static void xfrm_hash_resize(struct work_struct *work)
121 struct net *net = container_of(work, struct net, xfrm.state_hash_work);
122 struct hlist_head *ndst, *nsrc, *nspi, *odst, *osrc, *ospi;
123 unsigned long nsize, osize;
124 unsigned int nhashmask, ohashmask;
127 mutex_lock(&hash_resize_mutex);
129 nsize = xfrm_hash_new_size(net->xfrm.state_hmask);
130 ndst = xfrm_hash_alloc(nsize);
133 nsrc = xfrm_hash_alloc(nsize);
135 xfrm_hash_free(ndst, nsize);
138 nspi = xfrm_hash_alloc(nsize);
140 xfrm_hash_free(ndst, nsize);
141 xfrm_hash_free(nsrc, nsize);
145 spin_lock_bh(&xfrm_state_lock);
147 nhashmask = (nsize / sizeof(struct hlist_head)) - 1U;
148 for (i = net->xfrm.state_hmask; i >= 0; i--)
149 xfrm_hash_transfer(net->xfrm.state_bydst+i, ndst, nsrc, nspi,
152 odst = net->xfrm.state_bydst;
153 osrc = net->xfrm.state_bysrc;
154 ospi = net->xfrm.state_byspi;
155 ohashmask = net->xfrm.state_hmask;
157 net->xfrm.state_bydst = ndst;
158 net->xfrm.state_bysrc = nsrc;
159 net->xfrm.state_byspi = nspi;
160 net->xfrm.state_hmask = nhashmask;
162 spin_unlock_bh(&xfrm_state_lock);
164 osize = (ohashmask + 1) * sizeof(struct hlist_head);
165 xfrm_hash_free(odst, osize);
166 xfrm_hash_free(osrc, osize);
167 xfrm_hash_free(ospi, osize);
170 mutex_unlock(&hash_resize_mutex);
173 DECLARE_WAIT_QUEUE_HEAD(km_waitq);
174 EXPORT_SYMBOL(km_waitq);
176 static DEFINE_RWLOCK(xfrm_state_afinfo_lock);
177 static struct xfrm_state_afinfo *xfrm_state_afinfo[NPROTO];
179 static struct work_struct xfrm_state_gc_work;
180 static HLIST_HEAD(xfrm_state_gc_list);
181 static DEFINE_SPINLOCK(xfrm_state_gc_lock);
183 int __xfrm_state_delete(struct xfrm_state *x);
185 int km_query(struct xfrm_state *x, struct xfrm_tmpl *t, struct xfrm_policy *pol);
186 void km_state_expired(struct xfrm_state *x, int hard, u32 pid);
188 static struct xfrm_state_afinfo *xfrm_state_lock_afinfo(unsigned int family)
190 struct xfrm_state_afinfo *afinfo;
191 if (unlikely(family >= NPROTO))
193 write_lock_bh(&xfrm_state_afinfo_lock);
194 afinfo = xfrm_state_afinfo[family];
195 if (unlikely(!afinfo))
196 write_unlock_bh(&xfrm_state_afinfo_lock);
200 static void xfrm_state_unlock_afinfo(struct xfrm_state_afinfo *afinfo)
201 __releases(xfrm_state_afinfo_lock)
203 write_unlock_bh(&xfrm_state_afinfo_lock);
206 int xfrm_register_type(const struct xfrm_type *type, unsigned short family)
208 struct xfrm_state_afinfo *afinfo = xfrm_state_lock_afinfo(family);
209 const struct xfrm_type **typemap;
212 if (unlikely(afinfo == NULL))
213 return -EAFNOSUPPORT;
214 typemap = afinfo->type_map;
216 if (likely(typemap[type->proto] == NULL))
217 typemap[type->proto] = type;
220 xfrm_state_unlock_afinfo(afinfo);
223 EXPORT_SYMBOL(xfrm_register_type);
225 int xfrm_unregister_type(const struct xfrm_type *type, unsigned short family)
227 struct xfrm_state_afinfo *afinfo = xfrm_state_lock_afinfo(family);
228 const struct xfrm_type **typemap;
231 if (unlikely(afinfo == NULL))
232 return -EAFNOSUPPORT;
233 typemap = afinfo->type_map;
235 if (unlikely(typemap[type->proto] != type))
238 typemap[type->proto] = NULL;
239 xfrm_state_unlock_afinfo(afinfo);
242 EXPORT_SYMBOL(xfrm_unregister_type);
244 static const struct xfrm_type *xfrm_get_type(u8 proto, unsigned short family)
246 struct xfrm_state_afinfo *afinfo;
247 const struct xfrm_type **typemap;
248 const struct xfrm_type *type;
249 int modload_attempted = 0;
252 afinfo = xfrm_state_get_afinfo(family);
253 if (unlikely(afinfo == NULL))
255 typemap = afinfo->type_map;
257 type = typemap[proto];
258 if (unlikely(type && !try_module_get(type->owner)))
260 if (!type && !modload_attempted) {
261 xfrm_state_put_afinfo(afinfo);
262 request_module("xfrm-type-%d-%d", family, proto);
263 modload_attempted = 1;
267 xfrm_state_put_afinfo(afinfo);
271 static void xfrm_put_type(const struct xfrm_type *type)
273 module_put(type->owner);
276 int xfrm_register_mode(struct xfrm_mode *mode, int family)
278 struct xfrm_state_afinfo *afinfo;
279 struct xfrm_mode **modemap;
282 if (unlikely(mode->encap >= XFRM_MODE_MAX))
285 afinfo = xfrm_state_lock_afinfo(family);
286 if (unlikely(afinfo == NULL))
287 return -EAFNOSUPPORT;
290 modemap = afinfo->mode_map;
291 if (modemap[mode->encap])
295 if (!try_module_get(afinfo->owner))
298 mode->afinfo = afinfo;
299 modemap[mode->encap] = mode;
303 xfrm_state_unlock_afinfo(afinfo);
306 EXPORT_SYMBOL(xfrm_register_mode);
308 int xfrm_unregister_mode(struct xfrm_mode *mode, int family)
310 struct xfrm_state_afinfo *afinfo;
311 struct xfrm_mode **modemap;
314 if (unlikely(mode->encap >= XFRM_MODE_MAX))
317 afinfo = xfrm_state_lock_afinfo(family);
318 if (unlikely(afinfo == NULL))
319 return -EAFNOSUPPORT;
322 modemap = afinfo->mode_map;
323 if (likely(modemap[mode->encap] == mode)) {
324 modemap[mode->encap] = NULL;
325 module_put(mode->afinfo->owner);
329 xfrm_state_unlock_afinfo(afinfo);
332 EXPORT_SYMBOL(xfrm_unregister_mode);
334 static struct xfrm_mode *xfrm_get_mode(unsigned int encap, int family)
336 struct xfrm_state_afinfo *afinfo;
337 struct xfrm_mode *mode;
338 int modload_attempted = 0;
340 if (unlikely(encap >= XFRM_MODE_MAX))
344 afinfo = xfrm_state_get_afinfo(family);
345 if (unlikely(afinfo == NULL))
348 mode = afinfo->mode_map[encap];
349 if (unlikely(mode && !try_module_get(mode->owner)))
351 if (!mode && !modload_attempted) {
352 xfrm_state_put_afinfo(afinfo);
353 request_module("xfrm-mode-%d-%d", family, encap);
354 modload_attempted = 1;
358 xfrm_state_put_afinfo(afinfo);
362 static void xfrm_put_mode(struct xfrm_mode *mode)
364 module_put(mode->owner);
367 static void xfrm_state_gc_destroy(struct xfrm_state *x)
369 del_timer_sync(&x->timer);
370 del_timer_sync(&x->rtimer);
377 xfrm_put_mode(x->inner_mode);
378 if (x->inner_mode_iaf)
379 xfrm_put_mode(x->inner_mode_iaf);
381 xfrm_put_mode(x->outer_mode);
383 x->type->destructor(x);
384 xfrm_put_type(x->type);
386 security_xfrm_state_free(x);
390 static void xfrm_state_gc_task(struct work_struct *data)
392 struct xfrm_state *x;
393 struct hlist_node *entry, *tmp;
394 struct hlist_head gc_list;
396 spin_lock_bh(&xfrm_state_gc_lock);
397 hlist_move_list(&xfrm_state_gc_list, &gc_list);
398 spin_unlock_bh(&xfrm_state_gc_lock);
400 hlist_for_each_entry_safe(x, entry, tmp, &gc_list, gclist)
401 xfrm_state_gc_destroy(x);
406 static inline unsigned long make_jiffies(long secs)
408 if (secs >= (MAX_SCHEDULE_TIMEOUT-1)/HZ)
409 return MAX_SCHEDULE_TIMEOUT-1;
414 static void xfrm_timer_handler(unsigned long data)
416 struct xfrm_state *x = (struct xfrm_state*)data;
417 unsigned long now = get_seconds();
418 long next = LONG_MAX;
423 if (x->km.state == XFRM_STATE_DEAD)
425 if (x->km.state == XFRM_STATE_EXPIRED)
427 if (x->lft.hard_add_expires_seconds) {
428 long tmo = x->lft.hard_add_expires_seconds +
429 x->curlft.add_time - now;
435 if (x->lft.hard_use_expires_seconds) {
436 long tmo = x->lft.hard_use_expires_seconds +
437 (x->curlft.use_time ? : now) - now;
445 if (x->lft.soft_add_expires_seconds) {
446 long tmo = x->lft.soft_add_expires_seconds +
447 x->curlft.add_time - now;
453 if (x->lft.soft_use_expires_seconds) {
454 long tmo = x->lft.soft_use_expires_seconds +
455 (x->curlft.use_time ? : now) - now;
464 km_state_expired(x, 0, 0);
466 if (next != LONG_MAX)
467 mod_timer(&x->timer, jiffies + make_jiffies(next));
472 if (x->km.state == XFRM_STATE_ACQ && x->id.spi == 0) {
473 x->km.state = XFRM_STATE_EXPIRED;
479 err = __xfrm_state_delete(x);
480 if (!err && x->id.spi)
481 km_state_expired(x, 1, 0);
483 xfrm_audit_state_delete(x, err ? 0 : 1,
484 audit_get_loginuid(current),
485 audit_get_sessionid(current), 0);
488 spin_unlock(&x->lock);
491 static void xfrm_replay_timer_handler(unsigned long data);
493 struct xfrm_state *xfrm_state_alloc(struct net *net)
495 struct xfrm_state *x;
497 x = kzalloc(sizeof(struct xfrm_state), GFP_ATOMIC);
500 write_pnet(&x->xs_net, net);
501 atomic_set(&x->refcnt, 1);
502 atomic_set(&x->tunnel_users, 0);
503 INIT_LIST_HEAD(&x->km.all);
504 INIT_HLIST_NODE(&x->bydst);
505 INIT_HLIST_NODE(&x->bysrc);
506 INIT_HLIST_NODE(&x->byspi);
507 setup_timer(&x->timer, xfrm_timer_handler, (unsigned long)x);
508 setup_timer(&x->rtimer, xfrm_replay_timer_handler,
510 x->curlft.add_time = get_seconds();
511 x->lft.soft_byte_limit = XFRM_INF;
512 x->lft.soft_packet_limit = XFRM_INF;
513 x->lft.hard_byte_limit = XFRM_INF;
514 x->lft.hard_packet_limit = XFRM_INF;
515 x->replay_maxage = 0;
516 x->replay_maxdiff = 0;
517 x->inner_mode = NULL;
518 x->inner_mode_iaf = NULL;
519 spin_lock_init(&x->lock);
523 EXPORT_SYMBOL(xfrm_state_alloc);
525 void __xfrm_state_destroy(struct xfrm_state *x)
527 WARN_ON(x->km.state != XFRM_STATE_DEAD);
529 spin_lock_bh(&xfrm_state_gc_lock);
530 hlist_add_head(&x->gclist, &xfrm_state_gc_list);
531 spin_unlock_bh(&xfrm_state_gc_lock);
532 schedule_work(&xfrm_state_gc_work);
534 EXPORT_SYMBOL(__xfrm_state_destroy);
536 int __xfrm_state_delete(struct xfrm_state *x)
540 if (x->km.state != XFRM_STATE_DEAD) {
541 x->km.state = XFRM_STATE_DEAD;
542 spin_lock(&xfrm_state_lock);
543 list_del(&x->km.all);
544 hlist_del(&x->bydst);
545 hlist_del(&x->bysrc);
547 hlist_del(&x->byspi);
548 init_net.xfrm.state_num--;
549 spin_unlock(&xfrm_state_lock);
551 /* All xfrm_state objects are created by xfrm_state_alloc.
552 * The xfrm_state_alloc call gives a reference, and that
553 * is what we are dropping here.
561 EXPORT_SYMBOL(__xfrm_state_delete);
563 int xfrm_state_delete(struct xfrm_state *x)
567 spin_lock_bh(&x->lock);
568 err = __xfrm_state_delete(x);
569 spin_unlock_bh(&x->lock);
573 EXPORT_SYMBOL(xfrm_state_delete);
575 #ifdef CONFIG_SECURITY_NETWORK_XFRM
577 xfrm_state_flush_secctx_check(u8 proto, struct xfrm_audit *audit_info)
581 for (i = 0; i <= init_net.xfrm.state_hmask; i++) {
582 struct hlist_node *entry;
583 struct xfrm_state *x;
585 hlist_for_each_entry(x, entry, init_net.xfrm.state_bydst+i, bydst) {
586 if (xfrm_id_proto_match(x->id.proto, proto) &&
587 (err = security_xfrm_state_delete(x)) != 0) {
588 xfrm_audit_state_delete(x, 0,
589 audit_info->loginuid,
590 audit_info->sessionid,
601 xfrm_state_flush_secctx_check(u8 proto, struct xfrm_audit *audit_info)
607 int xfrm_state_flush(u8 proto, struct xfrm_audit *audit_info)
611 spin_lock_bh(&xfrm_state_lock);
612 err = xfrm_state_flush_secctx_check(proto, audit_info);
616 for (i = 0; i <= init_net.xfrm.state_hmask; i++) {
617 struct hlist_node *entry;
618 struct xfrm_state *x;
620 hlist_for_each_entry(x, entry, init_net.xfrm.state_bydst+i, bydst) {
621 if (!xfrm_state_kern(x) &&
622 xfrm_id_proto_match(x->id.proto, proto)) {
624 spin_unlock_bh(&xfrm_state_lock);
626 err = xfrm_state_delete(x);
627 xfrm_audit_state_delete(x, err ? 0 : 1,
628 audit_info->loginuid,
629 audit_info->sessionid,
633 spin_lock_bh(&xfrm_state_lock);
641 spin_unlock_bh(&xfrm_state_lock);
645 EXPORT_SYMBOL(xfrm_state_flush);
647 void xfrm_sad_getinfo(struct xfrmk_sadinfo *si)
649 spin_lock_bh(&xfrm_state_lock);
650 si->sadcnt = init_net.xfrm.state_num;
651 si->sadhcnt = init_net.xfrm.state_hmask;
652 si->sadhmcnt = xfrm_state_hashmax;
653 spin_unlock_bh(&xfrm_state_lock);
655 EXPORT_SYMBOL(xfrm_sad_getinfo);
658 xfrm_init_tempsel(struct xfrm_state *x, struct flowi *fl,
659 struct xfrm_tmpl *tmpl,
660 xfrm_address_t *daddr, xfrm_address_t *saddr,
661 unsigned short family)
663 struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family);
666 afinfo->init_tempsel(x, fl, tmpl, daddr, saddr);
667 xfrm_state_put_afinfo(afinfo);
671 static struct xfrm_state *__xfrm_state_lookup(xfrm_address_t *daddr, __be32 spi, u8 proto, unsigned short family)
673 unsigned int h = xfrm_spi_hash(daddr, spi, proto, family);
674 struct xfrm_state *x;
675 struct hlist_node *entry;
677 hlist_for_each_entry(x, entry, init_net.xfrm.state_byspi+h, byspi) {
678 if (x->props.family != family ||
680 x->id.proto != proto)
685 if (x->id.daddr.a4 != daddr->a4)
689 if (!ipv6_addr_equal((struct in6_addr *)daddr,
703 static struct xfrm_state *__xfrm_state_lookup_byaddr(xfrm_address_t *daddr, xfrm_address_t *saddr, u8 proto, unsigned short family)
705 unsigned int h = xfrm_src_hash(daddr, saddr, family);
706 struct xfrm_state *x;
707 struct hlist_node *entry;
709 hlist_for_each_entry(x, entry, init_net.xfrm.state_bysrc+h, bysrc) {
710 if (x->props.family != family ||
711 x->id.proto != proto)
716 if (x->id.daddr.a4 != daddr->a4 ||
717 x->props.saddr.a4 != saddr->a4)
721 if (!ipv6_addr_equal((struct in6_addr *)daddr,
724 !ipv6_addr_equal((struct in6_addr *)saddr,
738 static inline struct xfrm_state *
739 __xfrm_state_locate(struct xfrm_state *x, int use_spi, int family)
742 return __xfrm_state_lookup(&x->id.daddr, x->id.spi,
743 x->id.proto, family);
745 return __xfrm_state_lookup_byaddr(&x->id.daddr,
747 x->id.proto, family);
750 static void xfrm_hash_grow_check(int have_hash_collision)
752 if (have_hash_collision &&
753 (init_net.xfrm.state_hmask + 1) < xfrm_state_hashmax &&
754 init_net.xfrm.state_num > init_net.xfrm.state_hmask)
755 schedule_work(&init_net.xfrm.state_hash_work);
759 xfrm_state_find(xfrm_address_t *daddr, xfrm_address_t *saddr,
760 struct flowi *fl, struct xfrm_tmpl *tmpl,
761 struct xfrm_policy *pol, int *err,
762 unsigned short family)
765 struct hlist_node *entry;
766 struct xfrm_state *x, *x0, *to_put;
767 int acquire_in_progress = 0;
769 struct xfrm_state *best = NULL;
773 spin_lock_bh(&xfrm_state_lock);
774 h = xfrm_dst_hash(daddr, saddr, tmpl->reqid, family);
775 hlist_for_each_entry(x, entry, init_net.xfrm.state_bydst+h, bydst) {
776 if (x->props.family == family &&
777 x->props.reqid == tmpl->reqid &&
778 !(x->props.flags & XFRM_STATE_WILDRECV) &&
779 xfrm_state_addr_check(x, daddr, saddr, family) &&
780 tmpl->mode == x->props.mode &&
781 tmpl->id.proto == x->id.proto &&
782 (tmpl->id.spi == x->id.spi || !tmpl->id.spi)) {
784 1. There is a valid state with matching selector.
786 2. Valid state with inappropriate selector. Skip.
788 Entering area of "sysdeps".
790 3. If state is not valid, selector is temporary,
791 it selects only session which triggered
792 previous resolution. Key manager will do
793 something to install a state with proper
796 if (x->km.state == XFRM_STATE_VALID) {
797 if ((x->sel.family && !xfrm_selector_match(&x->sel, fl, x->sel.family)) ||
798 !security_xfrm_state_pol_flow_match(x, pol, fl))
801 best->km.dying > x->km.dying ||
802 (best->km.dying == x->km.dying &&
803 best->curlft.add_time < x->curlft.add_time))
805 } else if (x->km.state == XFRM_STATE_ACQ) {
806 acquire_in_progress = 1;
807 } else if (x->km.state == XFRM_STATE_ERROR ||
808 x->km.state == XFRM_STATE_EXPIRED) {
809 if (xfrm_selector_match(&x->sel, fl, x->sel.family) &&
810 security_xfrm_state_pol_flow_match(x, pol, fl))
817 if (!x && !error && !acquire_in_progress) {
819 (x0 = __xfrm_state_lookup(daddr, tmpl->id.spi,
820 tmpl->id.proto, family)) != NULL) {
825 x = xfrm_state_alloc(&init_net);
830 /* Initialize temporary selector matching only
831 * to current session. */
832 xfrm_init_tempsel(x, fl, tmpl, daddr, saddr, family);
834 error = security_xfrm_state_alloc_acquire(x, pol->security, fl->secid);
836 x->km.state = XFRM_STATE_DEAD;
842 if (km_query(x, tmpl, pol) == 0) {
843 x->km.state = XFRM_STATE_ACQ;
844 list_add(&x->km.all, &init_net.xfrm.state_all);
845 hlist_add_head(&x->bydst, init_net.xfrm.state_bydst+h);
846 h = xfrm_src_hash(daddr, saddr, family);
847 hlist_add_head(&x->bysrc, init_net.xfrm.state_bysrc+h);
849 h = xfrm_spi_hash(&x->id.daddr, x->id.spi, x->id.proto, family);
850 hlist_add_head(&x->byspi, init_net.xfrm.state_byspi+h);
852 x->lft.hard_add_expires_seconds = sysctl_xfrm_acq_expires;
853 x->timer.expires = jiffies + sysctl_xfrm_acq_expires*HZ;
854 add_timer(&x->timer);
855 init_net.xfrm.state_num++;
856 xfrm_hash_grow_check(x->bydst.next != NULL);
858 x->km.state = XFRM_STATE_DEAD;
868 *err = acquire_in_progress ? -EAGAIN : error;
869 spin_unlock_bh(&xfrm_state_lock);
871 xfrm_state_put(to_put);
876 xfrm_stateonly_find(xfrm_address_t *daddr, xfrm_address_t *saddr,
877 unsigned short family, u8 mode, u8 proto, u32 reqid)
880 struct xfrm_state *rx = NULL, *x = NULL;
881 struct hlist_node *entry;
883 spin_lock(&xfrm_state_lock);
884 h = xfrm_dst_hash(daddr, saddr, reqid, family);
885 hlist_for_each_entry(x, entry, init_net.xfrm.state_bydst+h, bydst) {
886 if (x->props.family == family &&
887 x->props.reqid == reqid &&
888 !(x->props.flags & XFRM_STATE_WILDRECV) &&
889 xfrm_state_addr_check(x, daddr, saddr, family) &&
890 mode == x->props.mode &&
891 proto == x->id.proto &&
892 x->km.state == XFRM_STATE_VALID) {
900 spin_unlock(&xfrm_state_lock);
905 EXPORT_SYMBOL(xfrm_stateonly_find);
907 static void __xfrm_state_insert(struct xfrm_state *x)
911 x->genid = ++xfrm_state_genid;
913 list_add(&x->km.all, &init_net.xfrm.state_all);
915 h = xfrm_dst_hash(&x->id.daddr, &x->props.saddr,
916 x->props.reqid, x->props.family);
917 hlist_add_head(&x->bydst, init_net.xfrm.state_bydst+h);
919 h = xfrm_src_hash(&x->id.daddr, &x->props.saddr, x->props.family);
920 hlist_add_head(&x->bysrc, init_net.xfrm.state_bysrc+h);
923 h = xfrm_spi_hash(&x->id.daddr, x->id.spi, x->id.proto,
926 hlist_add_head(&x->byspi, init_net.xfrm.state_byspi+h);
929 mod_timer(&x->timer, jiffies + HZ);
930 if (x->replay_maxage)
931 mod_timer(&x->rtimer, jiffies + x->replay_maxage);
935 init_net.xfrm.state_num++;
937 xfrm_hash_grow_check(x->bydst.next != NULL);
940 /* xfrm_state_lock is held */
941 static void __xfrm_state_bump_genids(struct xfrm_state *xnew)
943 unsigned short family = xnew->props.family;
944 u32 reqid = xnew->props.reqid;
945 struct xfrm_state *x;
946 struct hlist_node *entry;
949 h = xfrm_dst_hash(&xnew->id.daddr, &xnew->props.saddr, reqid, family);
950 hlist_for_each_entry(x, entry, init_net.xfrm.state_bydst+h, bydst) {
951 if (x->props.family == family &&
952 x->props.reqid == reqid &&
953 !xfrm_addr_cmp(&x->id.daddr, &xnew->id.daddr, family) &&
954 !xfrm_addr_cmp(&x->props.saddr, &xnew->props.saddr, family))
955 x->genid = xfrm_state_genid;
959 void xfrm_state_insert(struct xfrm_state *x)
961 spin_lock_bh(&xfrm_state_lock);
962 __xfrm_state_bump_genids(x);
963 __xfrm_state_insert(x);
964 spin_unlock_bh(&xfrm_state_lock);
966 EXPORT_SYMBOL(xfrm_state_insert);
968 /* xfrm_state_lock is held */
969 static struct xfrm_state *__find_acq_core(unsigned short family, u8 mode, u32 reqid, u8 proto, xfrm_address_t *daddr, xfrm_address_t *saddr, int create)
971 unsigned int h = xfrm_dst_hash(daddr, saddr, reqid, family);
972 struct hlist_node *entry;
973 struct xfrm_state *x;
975 hlist_for_each_entry(x, entry, init_net.xfrm.state_bydst+h, bydst) {
976 if (x->props.reqid != reqid ||
977 x->props.mode != mode ||
978 x->props.family != family ||
979 x->km.state != XFRM_STATE_ACQ ||
981 x->id.proto != proto)
986 if (x->id.daddr.a4 != daddr->a4 ||
987 x->props.saddr.a4 != saddr->a4)
991 if (!ipv6_addr_equal((struct in6_addr *)x->id.daddr.a6,
992 (struct in6_addr *)daddr) ||
993 !ipv6_addr_equal((struct in6_addr *)
995 (struct in6_addr *)saddr))
1007 x = xfrm_state_alloc(&init_net);
1011 x->sel.daddr.a4 = daddr->a4;
1012 x->sel.saddr.a4 = saddr->a4;
1013 x->sel.prefixlen_d = 32;
1014 x->sel.prefixlen_s = 32;
1015 x->props.saddr.a4 = saddr->a4;
1016 x->id.daddr.a4 = daddr->a4;
1020 ipv6_addr_copy((struct in6_addr *)x->sel.daddr.a6,
1021 (struct in6_addr *)daddr);
1022 ipv6_addr_copy((struct in6_addr *)x->sel.saddr.a6,
1023 (struct in6_addr *)saddr);
1024 x->sel.prefixlen_d = 128;
1025 x->sel.prefixlen_s = 128;
1026 ipv6_addr_copy((struct in6_addr *)x->props.saddr.a6,
1027 (struct in6_addr *)saddr);
1028 ipv6_addr_copy((struct in6_addr *)x->id.daddr.a6,
1029 (struct in6_addr *)daddr);
1033 x->km.state = XFRM_STATE_ACQ;
1034 x->id.proto = proto;
1035 x->props.family = family;
1036 x->props.mode = mode;
1037 x->props.reqid = reqid;
1038 x->lft.hard_add_expires_seconds = sysctl_xfrm_acq_expires;
1040 x->timer.expires = jiffies + sysctl_xfrm_acq_expires*HZ;
1041 add_timer(&x->timer);
1042 list_add(&x->km.all, &init_net.xfrm.state_all);
1043 hlist_add_head(&x->bydst, init_net.xfrm.state_bydst+h);
1044 h = xfrm_src_hash(daddr, saddr, family);
1045 hlist_add_head(&x->bysrc, init_net.xfrm.state_bysrc+h);
1047 init_net.xfrm.state_num++;
1049 xfrm_hash_grow_check(x->bydst.next != NULL);
1055 static struct xfrm_state *__xfrm_find_acq_byseq(u32 seq);
1057 int xfrm_state_add(struct xfrm_state *x)
1059 struct xfrm_state *x1, *to_put;
1062 int use_spi = xfrm_id_proto_match(x->id.proto, IPSEC_PROTO_ANY);
1064 family = x->props.family;
1068 spin_lock_bh(&xfrm_state_lock);
1070 x1 = __xfrm_state_locate(x, use_spi, family);
1078 if (use_spi && x->km.seq) {
1079 x1 = __xfrm_find_acq_byseq(x->km.seq);
1080 if (x1 && ((x1->id.proto != x->id.proto) ||
1081 xfrm_addr_cmp(&x1->id.daddr, &x->id.daddr, family))) {
1088 x1 = __find_acq_core(family, x->props.mode, x->props.reqid,
1090 &x->id.daddr, &x->props.saddr, 0);
1092 __xfrm_state_bump_genids(x);
1093 __xfrm_state_insert(x);
1097 spin_unlock_bh(&xfrm_state_lock);
1100 xfrm_state_delete(x1);
1105 xfrm_state_put(to_put);
1109 EXPORT_SYMBOL(xfrm_state_add);
1111 #ifdef CONFIG_XFRM_MIGRATE
1112 static struct xfrm_state *xfrm_state_clone(struct xfrm_state *orig, int *errp)
1115 struct xfrm_state *x = xfrm_state_alloc(&init_net);
1119 memcpy(&x->id, &orig->id, sizeof(x->id));
1120 memcpy(&x->sel, &orig->sel, sizeof(x->sel));
1121 memcpy(&x->lft, &orig->lft, sizeof(x->lft));
1122 x->props.mode = orig->props.mode;
1123 x->props.replay_window = orig->props.replay_window;
1124 x->props.reqid = orig->props.reqid;
1125 x->props.family = orig->props.family;
1126 x->props.saddr = orig->props.saddr;
1129 x->aalg = xfrm_algo_clone(orig->aalg);
1133 x->props.aalgo = orig->props.aalgo;
1136 x->ealg = xfrm_algo_clone(orig->ealg);
1140 x->props.ealgo = orig->props.ealgo;
1143 x->calg = xfrm_algo_clone(orig->calg);
1147 x->props.calgo = orig->props.calgo;
1150 x->encap = kmemdup(orig->encap, sizeof(*x->encap), GFP_KERNEL);
1156 x->coaddr = kmemdup(orig->coaddr, sizeof(*x->coaddr),
1162 err = xfrm_init_state(x);
1166 x->props.flags = orig->props.flags;
1168 x->curlft.add_time = orig->curlft.add_time;
1169 x->km.state = orig->km.state;
1170 x->km.seq = orig->km.seq;
1188 /* xfrm_state_lock is held */
1189 struct xfrm_state * xfrm_migrate_state_find(struct xfrm_migrate *m)
1192 struct xfrm_state *x;
1193 struct hlist_node *entry;
1196 h = xfrm_dst_hash(&m->old_daddr, &m->old_saddr,
1197 m->reqid, m->old_family);
1198 hlist_for_each_entry(x, entry, init_net.xfrm.state_bydst+h, bydst) {
1199 if (x->props.mode != m->mode ||
1200 x->id.proto != m->proto)
1202 if (m->reqid && x->props.reqid != m->reqid)
1204 if (xfrm_addr_cmp(&x->id.daddr, &m->old_daddr,
1206 xfrm_addr_cmp(&x->props.saddr, &m->old_saddr,
1213 h = xfrm_src_hash(&m->old_daddr, &m->old_saddr,
1215 hlist_for_each_entry(x, entry, init_net.xfrm.state_bysrc+h, bysrc) {
1216 if (x->props.mode != m->mode ||
1217 x->id.proto != m->proto)
1219 if (xfrm_addr_cmp(&x->id.daddr, &m->old_daddr,
1221 xfrm_addr_cmp(&x->props.saddr, &m->old_saddr,
1231 EXPORT_SYMBOL(xfrm_migrate_state_find);
1233 struct xfrm_state * xfrm_state_migrate(struct xfrm_state *x,
1234 struct xfrm_migrate *m)
1236 struct xfrm_state *xc;
1239 xc = xfrm_state_clone(x, &err);
1243 memcpy(&xc->id.daddr, &m->new_daddr, sizeof(xc->id.daddr));
1244 memcpy(&xc->props.saddr, &m->new_saddr, sizeof(xc->props.saddr));
1247 if (!xfrm_addr_cmp(&x->id.daddr, &m->new_daddr, m->new_family)) {
1248 /* a care is needed when the destination address of the
1249 state is to be updated as it is a part of triplet */
1250 xfrm_state_insert(xc);
1252 if ((err = xfrm_state_add(xc)) < 0)
1261 EXPORT_SYMBOL(xfrm_state_migrate);
1264 int xfrm_state_update(struct xfrm_state *x)
1266 struct xfrm_state *x1, *to_put;
1268 int use_spi = xfrm_id_proto_match(x->id.proto, IPSEC_PROTO_ANY);
1272 spin_lock_bh(&xfrm_state_lock);
1273 x1 = __xfrm_state_locate(x, use_spi, x->props.family);
1279 if (xfrm_state_kern(x1)) {
1285 if (x1->km.state == XFRM_STATE_ACQ) {
1286 __xfrm_state_insert(x);
1292 spin_unlock_bh(&xfrm_state_lock);
1295 xfrm_state_put(to_put);
1301 xfrm_state_delete(x1);
1307 spin_lock_bh(&x1->lock);
1308 if (likely(x1->km.state == XFRM_STATE_VALID)) {
1309 if (x->encap && x1->encap)
1310 memcpy(x1->encap, x->encap, sizeof(*x1->encap));
1311 if (x->coaddr && x1->coaddr) {
1312 memcpy(x1->coaddr, x->coaddr, sizeof(*x1->coaddr));
1314 if (!use_spi && memcmp(&x1->sel, &x->sel, sizeof(x1->sel)))
1315 memcpy(&x1->sel, &x->sel, sizeof(x1->sel));
1316 memcpy(&x1->lft, &x->lft, sizeof(x1->lft));
1319 mod_timer(&x1->timer, jiffies + HZ);
1320 if (x1->curlft.use_time)
1321 xfrm_state_check_expire(x1);
1325 spin_unlock_bh(&x1->lock);
1331 EXPORT_SYMBOL(xfrm_state_update);
1333 int xfrm_state_check_expire(struct xfrm_state *x)
1335 if (!x->curlft.use_time)
1336 x->curlft.use_time = get_seconds();
1338 if (x->km.state != XFRM_STATE_VALID)
1341 if (x->curlft.bytes >= x->lft.hard_byte_limit ||
1342 x->curlft.packets >= x->lft.hard_packet_limit) {
1343 x->km.state = XFRM_STATE_EXPIRED;
1344 mod_timer(&x->timer, jiffies);
1349 (x->curlft.bytes >= x->lft.soft_byte_limit ||
1350 x->curlft.packets >= x->lft.soft_packet_limit)) {
1352 km_state_expired(x, 0, 0);
1356 EXPORT_SYMBOL(xfrm_state_check_expire);
1359 xfrm_state_lookup(xfrm_address_t *daddr, __be32 spi, u8 proto,
1360 unsigned short family)
1362 struct xfrm_state *x;
1364 spin_lock_bh(&xfrm_state_lock);
1365 x = __xfrm_state_lookup(daddr, spi, proto, family);
1366 spin_unlock_bh(&xfrm_state_lock);
1369 EXPORT_SYMBOL(xfrm_state_lookup);
1372 xfrm_state_lookup_byaddr(xfrm_address_t *daddr, xfrm_address_t *saddr,
1373 u8 proto, unsigned short family)
1375 struct xfrm_state *x;
1377 spin_lock_bh(&xfrm_state_lock);
1378 x = __xfrm_state_lookup_byaddr(daddr, saddr, proto, family);
1379 spin_unlock_bh(&xfrm_state_lock);
1382 EXPORT_SYMBOL(xfrm_state_lookup_byaddr);
1385 xfrm_find_acq(u8 mode, u32 reqid, u8 proto,
1386 xfrm_address_t *daddr, xfrm_address_t *saddr,
1387 int create, unsigned short family)
1389 struct xfrm_state *x;
1391 spin_lock_bh(&xfrm_state_lock);
1392 x = __find_acq_core(family, mode, reqid, proto, daddr, saddr, create);
1393 spin_unlock_bh(&xfrm_state_lock);
1397 EXPORT_SYMBOL(xfrm_find_acq);
1399 #ifdef CONFIG_XFRM_SUB_POLICY
1401 xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, int n,
1402 unsigned short family)
1405 struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family);
1407 return -EAFNOSUPPORT;
1409 spin_lock_bh(&xfrm_state_lock);
1410 if (afinfo->tmpl_sort)
1411 err = afinfo->tmpl_sort(dst, src, n);
1412 spin_unlock_bh(&xfrm_state_lock);
1413 xfrm_state_put_afinfo(afinfo);
1416 EXPORT_SYMBOL(xfrm_tmpl_sort);
1419 xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src, int n,
1420 unsigned short family)
1423 struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family);
1425 return -EAFNOSUPPORT;
1427 spin_lock_bh(&xfrm_state_lock);
1428 if (afinfo->state_sort)
1429 err = afinfo->state_sort(dst, src, n);
1430 spin_unlock_bh(&xfrm_state_lock);
1431 xfrm_state_put_afinfo(afinfo);
1434 EXPORT_SYMBOL(xfrm_state_sort);
1437 /* Silly enough, but I'm lazy to build resolution list */
1439 static struct xfrm_state *__xfrm_find_acq_byseq(u32 seq)
1443 for (i = 0; i <= init_net.xfrm.state_hmask; i++) {
1444 struct hlist_node *entry;
1445 struct xfrm_state *x;
1447 hlist_for_each_entry(x, entry, init_net.xfrm.state_bydst+i, bydst) {
1448 if (x->km.seq == seq &&
1449 x->km.state == XFRM_STATE_ACQ) {
1458 struct xfrm_state *xfrm_find_acq_byseq(u32 seq)
1460 struct xfrm_state *x;
1462 spin_lock_bh(&xfrm_state_lock);
1463 x = __xfrm_find_acq_byseq(seq);
1464 spin_unlock_bh(&xfrm_state_lock);
1467 EXPORT_SYMBOL(xfrm_find_acq_byseq);
1469 u32 xfrm_get_acqseq(void)
1473 static DEFINE_SPINLOCK(acqseq_lock);
1475 spin_lock_bh(&acqseq_lock);
1476 res = (++acqseq ? : ++acqseq);
1477 spin_unlock_bh(&acqseq_lock);
1480 EXPORT_SYMBOL(xfrm_get_acqseq);
1482 int xfrm_alloc_spi(struct xfrm_state *x, u32 low, u32 high)
1485 struct xfrm_state *x0;
1487 __be32 minspi = htonl(low);
1488 __be32 maxspi = htonl(high);
1490 spin_lock_bh(&x->lock);
1491 if (x->km.state == XFRM_STATE_DEAD)
1500 if (minspi == maxspi) {
1501 x0 = xfrm_state_lookup(&x->id.daddr, minspi, x->id.proto, x->props.family);
1509 for (h=0; h<high-low+1; h++) {
1510 spi = low + net_random()%(high-low+1);
1511 x0 = xfrm_state_lookup(&x->id.daddr, htonl(spi), x->id.proto, x->props.family);
1513 x->id.spi = htonl(spi);
1520 spin_lock_bh(&xfrm_state_lock);
1521 h = xfrm_spi_hash(&x->id.daddr, x->id.spi, x->id.proto, x->props.family);
1522 hlist_add_head(&x->byspi, init_net.xfrm.state_byspi+h);
1523 spin_unlock_bh(&xfrm_state_lock);
1529 spin_unlock_bh(&x->lock);
1533 EXPORT_SYMBOL(xfrm_alloc_spi);
1535 int xfrm_state_walk(struct xfrm_state_walk *walk,
1536 int (*func)(struct xfrm_state *, int, void*),
1539 struct xfrm_state *state;
1540 struct xfrm_state_walk *x;
1543 if (walk->seq != 0 && list_empty(&walk->all))
1546 spin_lock_bh(&xfrm_state_lock);
1547 if (list_empty(&walk->all))
1548 x = list_first_entry(&init_net.xfrm.state_all, struct xfrm_state_walk, all);
1550 x = list_entry(&walk->all, struct xfrm_state_walk, all);
1551 list_for_each_entry_from(x, &init_net.xfrm.state_all, all) {
1552 if (x->state == XFRM_STATE_DEAD)
1554 state = container_of(x, struct xfrm_state, km);
1555 if (!xfrm_id_proto_match(state->id.proto, walk->proto))
1557 err = func(state, walk->seq, data);
1559 list_move_tail(&walk->all, &x->all);
1564 if (walk->seq == 0) {
1568 list_del_init(&walk->all);
1570 spin_unlock_bh(&xfrm_state_lock);
1573 EXPORT_SYMBOL(xfrm_state_walk);
1575 void xfrm_state_walk_init(struct xfrm_state_walk *walk, u8 proto)
1577 INIT_LIST_HEAD(&walk->all);
1578 walk->proto = proto;
1579 walk->state = XFRM_STATE_DEAD;
1582 EXPORT_SYMBOL(xfrm_state_walk_init);
1584 void xfrm_state_walk_done(struct xfrm_state_walk *walk)
1586 if (list_empty(&walk->all))
1589 spin_lock_bh(&xfrm_state_lock);
1590 list_del(&walk->all);
1591 spin_lock_bh(&xfrm_state_lock);
1593 EXPORT_SYMBOL(xfrm_state_walk_done);
1596 void xfrm_replay_notify(struct xfrm_state *x, int event)
1599 /* we send notify messages in case
1600 * 1. we updated on of the sequence numbers, and the seqno difference
1601 * is at least x->replay_maxdiff, in this case we also update the
1602 * timeout of our timer function
1603 * 2. if x->replay_maxage has elapsed since last update,
1604 * and there were changes
1606 * The state structure must be locked!
1610 case XFRM_REPLAY_UPDATE:
1611 if (x->replay_maxdiff &&
1612 (x->replay.seq - x->preplay.seq < x->replay_maxdiff) &&
1613 (x->replay.oseq - x->preplay.oseq < x->replay_maxdiff)) {
1614 if (x->xflags & XFRM_TIME_DEFER)
1615 event = XFRM_REPLAY_TIMEOUT;
1622 case XFRM_REPLAY_TIMEOUT:
1623 if ((x->replay.seq == x->preplay.seq) &&
1624 (x->replay.bitmap == x->preplay.bitmap) &&
1625 (x->replay.oseq == x->preplay.oseq)) {
1626 x->xflags |= XFRM_TIME_DEFER;
1633 memcpy(&x->preplay, &x->replay, sizeof(struct xfrm_replay_state));
1634 c.event = XFRM_MSG_NEWAE;
1635 c.data.aevent = event;
1636 km_state_notify(x, &c);
1638 if (x->replay_maxage &&
1639 !mod_timer(&x->rtimer, jiffies + x->replay_maxage))
1640 x->xflags &= ~XFRM_TIME_DEFER;
1643 static void xfrm_replay_timer_handler(unsigned long data)
1645 struct xfrm_state *x = (struct xfrm_state*)data;
1647 spin_lock(&x->lock);
1649 if (x->km.state == XFRM_STATE_VALID) {
1650 if (xfrm_aevent_is_on())
1651 xfrm_replay_notify(x, XFRM_REPLAY_TIMEOUT);
1653 x->xflags |= XFRM_TIME_DEFER;
1656 spin_unlock(&x->lock);
1659 int xfrm_replay_check(struct xfrm_state *x,
1660 struct sk_buff *skb, __be32 net_seq)
1663 u32 seq = ntohl(net_seq);
1665 if (unlikely(seq == 0))
1668 if (likely(seq > x->replay.seq))
1671 diff = x->replay.seq - seq;
1672 if (diff >= min_t(unsigned int, x->props.replay_window,
1673 sizeof(x->replay.bitmap) * 8)) {
1674 x->stats.replay_window++;
1678 if (x->replay.bitmap & (1U << diff)) {
1685 xfrm_audit_state_replay(x, skb, net_seq);
1689 void xfrm_replay_advance(struct xfrm_state *x, __be32 net_seq)
1692 u32 seq = ntohl(net_seq);
1694 if (seq > x->replay.seq) {
1695 diff = seq - x->replay.seq;
1696 if (diff < x->props.replay_window)
1697 x->replay.bitmap = ((x->replay.bitmap) << diff) | 1;
1699 x->replay.bitmap = 1;
1700 x->replay.seq = seq;
1702 diff = x->replay.seq - seq;
1703 x->replay.bitmap |= (1U << diff);
1706 if (xfrm_aevent_is_on())
1707 xfrm_replay_notify(x, XFRM_REPLAY_UPDATE);
1710 static LIST_HEAD(xfrm_km_list);
1711 static DEFINE_RWLOCK(xfrm_km_lock);
1713 void km_policy_notify(struct xfrm_policy *xp, int dir, struct km_event *c)
1715 struct xfrm_mgr *km;
1717 read_lock(&xfrm_km_lock);
1718 list_for_each_entry(km, &xfrm_km_list, list)
1719 if (km->notify_policy)
1720 km->notify_policy(xp, dir, c);
1721 read_unlock(&xfrm_km_lock);
1724 void km_state_notify(struct xfrm_state *x, struct km_event *c)
1726 struct xfrm_mgr *km;
1727 read_lock(&xfrm_km_lock);
1728 list_for_each_entry(km, &xfrm_km_list, list)
1731 read_unlock(&xfrm_km_lock);
1734 EXPORT_SYMBOL(km_policy_notify);
1735 EXPORT_SYMBOL(km_state_notify);
1737 void km_state_expired(struct xfrm_state *x, int hard, u32 pid)
1743 c.event = XFRM_MSG_EXPIRE;
1744 km_state_notify(x, &c);
1750 EXPORT_SYMBOL(km_state_expired);
1752 * We send to all registered managers regardless of failure
1753 * We are happy with one success
1755 int km_query(struct xfrm_state *x, struct xfrm_tmpl *t, struct xfrm_policy *pol)
1757 int err = -EINVAL, acqret;
1758 struct xfrm_mgr *km;
1760 read_lock(&xfrm_km_lock);
1761 list_for_each_entry(km, &xfrm_km_list, list) {
1762 acqret = km->acquire(x, t, pol, XFRM_POLICY_OUT);
1766 read_unlock(&xfrm_km_lock);
1769 EXPORT_SYMBOL(km_query);
1771 int km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport)
1774 struct xfrm_mgr *km;
1776 read_lock(&xfrm_km_lock);
1777 list_for_each_entry(km, &xfrm_km_list, list) {
1778 if (km->new_mapping)
1779 err = km->new_mapping(x, ipaddr, sport);
1783 read_unlock(&xfrm_km_lock);
1786 EXPORT_SYMBOL(km_new_mapping);
1788 void km_policy_expired(struct xfrm_policy *pol, int dir, int hard, u32 pid)
1794 c.event = XFRM_MSG_POLEXPIRE;
1795 km_policy_notify(pol, dir, &c);
1800 EXPORT_SYMBOL(km_policy_expired);
1802 #ifdef CONFIG_XFRM_MIGRATE
1803 int km_migrate(struct xfrm_selector *sel, u8 dir, u8 type,
1804 struct xfrm_migrate *m, int num_migrate,
1805 struct xfrm_kmaddress *k)
1809 struct xfrm_mgr *km;
1811 read_lock(&xfrm_km_lock);
1812 list_for_each_entry(km, &xfrm_km_list, list) {
1814 ret = km->migrate(sel, dir, type, m, num_migrate, k);
1819 read_unlock(&xfrm_km_lock);
1822 EXPORT_SYMBOL(km_migrate);
1825 int km_report(u8 proto, struct xfrm_selector *sel, xfrm_address_t *addr)
1829 struct xfrm_mgr *km;
1831 read_lock(&xfrm_km_lock);
1832 list_for_each_entry(km, &xfrm_km_list, list) {
1834 ret = km->report(proto, sel, addr);
1839 read_unlock(&xfrm_km_lock);
1842 EXPORT_SYMBOL(km_report);
1844 int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen)
1848 struct xfrm_mgr *km;
1849 struct xfrm_policy *pol = NULL;
1851 if (optlen <= 0 || optlen > PAGE_SIZE)
1854 data = kmalloc(optlen, GFP_KERNEL);
1859 if (copy_from_user(data, optval, optlen))
1863 read_lock(&xfrm_km_lock);
1864 list_for_each_entry(km, &xfrm_km_list, list) {
1865 pol = km->compile_policy(sk, optname, data,
1870 read_unlock(&xfrm_km_lock);
1873 xfrm_sk_policy_insert(sk, err, pol);
1882 EXPORT_SYMBOL(xfrm_user_policy);
1884 int xfrm_register_km(struct xfrm_mgr *km)
1886 write_lock_bh(&xfrm_km_lock);
1887 list_add_tail(&km->list, &xfrm_km_list);
1888 write_unlock_bh(&xfrm_km_lock);
1891 EXPORT_SYMBOL(xfrm_register_km);
1893 int xfrm_unregister_km(struct xfrm_mgr *km)
1895 write_lock_bh(&xfrm_km_lock);
1896 list_del(&km->list);
1897 write_unlock_bh(&xfrm_km_lock);
1900 EXPORT_SYMBOL(xfrm_unregister_km);
1902 int xfrm_state_register_afinfo(struct xfrm_state_afinfo *afinfo)
1905 if (unlikely(afinfo == NULL))
1907 if (unlikely(afinfo->family >= NPROTO))
1908 return -EAFNOSUPPORT;
1909 write_lock_bh(&xfrm_state_afinfo_lock);
1910 if (unlikely(xfrm_state_afinfo[afinfo->family] != NULL))
1913 xfrm_state_afinfo[afinfo->family] = afinfo;
1914 write_unlock_bh(&xfrm_state_afinfo_lock);
1917 EXPORT_SYMBOL(xfrm_state_register_afinfo);
1919 int xfrm_state_unregister_afinfo(struct xfrm_state_afinfo *afinfo)
1922 if (unlikely(afinfo == NULL))
1924 if (unlikely(afinfo->family >= NPROTO))
1925 return -EAFNOSUPPORT;
1926 write_lock_bh(&xfrm_state_afinfo_lock);
1927 if (likely(xfrm_state_afinfo[afinfo->family] != NULL)) {
1928 if (unlikely(xfrm_state_afinfo[afinfo->family] != afinfo))
1931 xfrm_state_afinfo[afinfo->family] = NULL;
1933 write_unlock_bh(&xfrm_state_afinfo_lock);
1936 EXPORT_SYMBOL(xfrm_state_unregister_afinfo);
1938 static struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned int family)
1940 struct xfrm_state_afinfo *afinfo;
1941 if (unlikely(family >= NPROTO))
1943 read_lock(&xfrm_state_afinfo_lock);
1944 afinfo = xfrm_state_afinfo[family];
1945 if (unlikely(!afinfo))
1946 read_unlock(&xfrm_state_afinfo_lock);
1950 static void xfrm_state_put_afinfo(struct xfrm_state_afinfo *afinfo)
1951 __releases(xfrm_state_afinfo_lock)
1953 read_unlock(&xfrm_state_afinfo_lock);
1956 /* Temporarily located here until net/xfrm/xfrm_tunnel.c is created */
1957 void xfrm_state_delete_tunnel(struct xfrm_state *x)
1960 struct xfrm_state *t = x->tunnel;
1962 if (atomic_read(&t->tunnel_users) == 2)
1963 xfrm_state_delete(t);
1964 atomic_dec(&t->tunnel_users);
1969 EXPORT_SYMBOL(xfrm_state_delete_tunnel);
1971 int xfrm_state_mtu(struct xfrm_state *x, int mtu)
1975 spin_lock_bh(&x->lock);
1976 if (x->km.state == XFRM_STATE_VALID &&
1977 x->type && x->type->get_mtu)
1978 res = x->type->get_mtu(x, mtu);
1980 res = mtu - x->props.header_len;
1981 spin_unlock_bh(&x->lock);
1985 int xfrm_init_state(struct xfrm_state *x)
1987 struct xfrm_state_afinfo *afinfo;
1988 struct xfrm_mode *inner_mode;
1989 int family = x->props.family;
1992 err = -EAFNOSUPPORT;
1993 afinfo = xfrm_state_get_afinfo(family);
1998 if (afinfo->init_flags)
1999 err = afinfo->init_flags(x);
2001 xfrm_state_put_afinfo(afinfo);
2006 err = -EPROTONOSUPPORT;
2008 if (x->sel.family != AF_UNSPEC) {
2009 inner_mode = xfrm_get_mode(x->props.mode, x->sel.family);
2010 if (inner_mode == NULL)
2013 if (!(inner_mode->flags & XFRM_MODE_FLAG_TUNNEL) &&
2014 family != x->sel.family) {
2015 xfrm_put_mode(inner_mode);
2019 x->inner_mode = inner_mode;
2021 struct xfrm_mode *inner_mode_iaf;
2023 inner_mode = xfrm_get_mode(x->props.mode, AF_INET);
2024 if (inner_mode == NULL)
2027 if (!(inner_mode->flags & XFRM_MODE_FLAG_TUNNEL)) {
2028 xfrm_put_mode(inner_mode);
2032 inner_mode_iaf = xfrm_get_mode(x->props.mode, AF_INET6);
2033 if (inner_mode_iaf == NULL)
2036 if (!(inner_mode_iaf->flags & XFRM_MODE_FLAG_TUNNEL)) {
2037 xfrm_put_mode(inner_mode_iaf);
2041 if (x->props.family == AF_INET) {
2042 x->inner_mode = inner_mode;
2043 x->inner_mode_iaf = inner_mode_iaf;
2045 x->inner_mode = inner_mode_iaf;
2046 x->inner_mode_iaf = inner_mode;
2050 x->type = xfrm_get_type(x->id.proto, family);
2051 if (x->type == NULL)
2054 err = x->type->init_state(x);
2058 x->outer_mode = xfrm_get_mode(x->props.mode, family);
2059 if (x->outer_mode == NULL)
2062 x->km.state = XFRM_STATE_VALID;
2068 EXPORT_SYMBOL(xfrm_init_state);
2070 int __net_init xfrm_state_init(struct net *net)
2074 INIT_LIST_HEAD(&net->xfrm.state_all);
2076 sz = sizeof(struct hlist_head) * 8;
2078 net->xfrm.state_bydst = xfrm_hash_alloc(sz);
2079 if (!net->xfrm.state_bydst)
2081 net->xfrm.state_bysrc = xfrm_hash_alloc(sz);
2082 if (!net->xfrm.state_bysrc)
2084 net->xfrm.state_byspi = xfrm_hash_alloc(sz);
2085 if (!net->xfrm.state_byspi)
2087 net->xfrm.state_hmask = ((sz / sizeof(struct hlist_head)) - 1);
2089 net->xfrm.state_num = 0;
2090 INIT_WORK(&net->xfrm.state_hash_work, xfrm_hash_resize);
2091 INIT_WORK(&xfrm_state_gc_work, xfrm_state_gc_task);
2095 xfrm_hash_free(net->xfrm.state_bysrc, sz);
2097 xfrm_hash_free(net->xfrm.state_bydst, sz);
2102 void xfrm_state_fini(struct net *net)
2106 WARN_ON(!list_empty(&net->xfrm.state_all));
2108 sz = (net->xfrm.state_hmask + 1) * sizeof(struct hlist_head);
2109 WARN_ON(!hlist_empty(net->xfrm.state_byspi));
2110 xfrm_hash_free(net->xfrm.state_byspi, sz);
2111 WARN_ON(!hlist_empty(net->xfrm.state_bysrc));
2112 xfrm_hash_free(net->xfrm.state_bysrc, sz);
2113 WARN_ON(!hlist_empty(net->xfrm.state_bydst));
2114 xfrm_hash_free(net->xfrm.state_bydst, sz);
2117 #ifdef CONFIG_AUDITSYSCALL
2118 static void xfrm_audit_helper_sainfo(struct xfrm_state *x,
2119 struct audit_buffer *audit_buf)
2121 struct xfrm_sec_ctx *ctx = x->security;
2122 u32 spi = ntohl(x->id.spi);
2125 audit_log_format(audit_buf, " sec_alg=%u sec_doi=%u sec_obj=%s",
2126 ctx->ctx_alg, ctx->ctx_doi, ctx->ctx_str);
2128 switch(x->props.family) {
2130 audit_log_format(audit_buf, " src=%pI4 dst=%pI4",
2131 &x->props.saddr.a4, &x->id.daddr.a4);
2134 audit_log_format(audit_buf, " src=%pI6 dst=%pI6",
2135 x->props.saddr.a6, x->id.daddr.a6);
2139 audit_log_format(audit_buf, " spi=%u(0x%x)", spi, spi);
2142 static void xfrm_audit_helper_pktinfo(struct sk_buff *skb, u16 family,
2143 struct audit_buffer *audit_buf)
2146 struct ipv6hdr *iph6;
2151 audit_log_format(audit_buf, " src=%pI4 dst=%pI4",
2152 &iph4->saddr, &iph4->daddr);
2155 iph6 = ipv6_hdr(skb);
2156 audit_log_format(audit_buf,
2157 " src=%pI6 dst=%pI6 flowlbl=0x%x%02x%02x",
2158 &iph6->saddr,&iph6->daddr,
2159 iph6->flow_lbl[0] & 0x0f,
2166 void xfrm_audit_state_add(struct xfrm_state *x, int result,
2167 uid_t auid, u32 sessionid, u32 secid)
2169 struct audit_buffer *audit_buf;
2171 audit_buf = xfrm_audit_start("SAD-add");
2172 if (audit_buf == NULL)
2174 xfrm_audit_helper_usrinfo(auid, sessionid, secid, audit_buf);
2175 xfrm_audit_helper_sainfo(x, audit_buf);
2176 audit_log_format(audit_buf, " res=%u", result);
2177 audit_log_end(audit_buf);
2179 EXPORT_SYMBOL_GPL(xfrm_audit_state_add);
2181 void xfrm_audit_state_delete(struct xfrm_state *x, int result,
2182 uid_t auid, u32 sessionid, u32 secid)
2184 struct audit_buffer *audit_buf;
2186 audit_buf = xfrm_audit_start("SAD-delete");
2187 if (audit_buf == NULL)
2189 xfrm_audit_helper_usrinfo(auid, sessionid, secid, audit_buf);
2190 xfrm_audit_helper_sainfo(x, audit_buf);
2191 audit_log_format(audit_buf, " res=%u", result);
2192 audit_log_end(audit_buf);
2194 EXPORT_SYMBOL_GPL(xfrm_audit_state_delete);
2196 void xfrm_audit_state_replay_overflow(struct xfrm_state *x,
2197 struct sk_buff *skb)
2199 struct audit_buffer *audit_buf;
2202 audit_buf = xfrm_audit_start("SA-replay-overflow");
2203 if (audit_buf == NULL)
2205 xfrm_audit_helper_pktinfo(skb, x->props.family, audit_buf);
2206 /* don't record the sequence number because it's inherent in this kind
2207 * of audit message */
2208 spi = ntohl(x->id.spi);
2209 audit_log_format(audit_buf, " spi=%u(0x%x)", spi, spi);
2210 audit_log_end(audit_buf);
2212 EXPORT_SYMBOL_GPL(xfrm_audit_state_replay_overflow);
2214 static void xfrm_audit_state_replay(struct xfrm_state *x,
2215 struct sk_buff *skb, __be32 net_seq)
2217 struct audit_buffer *audit_buf;
2220 audit_buf = xfrm_audit_start("SA-replayed-pkt");
2221 if (audit_buf == NULL)
2223 xfrm_audit_helper_pktinfo(skb, x->props.family, audit_buf);
2224 spi = ntohl(x->id.spi);
2225 audit_log_format(audit_buf, " spi=%u(0x%x) seqno=%u",
2226 spi, spi, ntohl(net_seq));
2227 audit_log_end(audit_buf);
2230 void xfrm_audit_state_notfound_simple(struct sk_buff *skb, u16 family)
2232 struct audit_buffer *audit_buf;
2234 audit_buf = xfrm_audit_start("SA-notfound");
2235 if (audit_buf == NULL)
2237 xfrm_audit_helper_pktinfo(skb, family, audit_buf);
2238 audit_log_end(audit_buf);
2240 EXPORT_SYMBOL_GPL(xfrm_audit_state_notfound_simple);
2242 void xfrm_audit_state_notfound(struct sk_buff *skb, u16 family,
2243 __be32 net_spi, __be32 net_seq)
2245 struct audit_buffer *audit_buf;
2248 audit_buf = xfrm_audit_start("SA-notfound");
2249 if (audit_buf == NULL)
2251 xfrm_audit_helper_pktinfo(skb, family, audit_buf);
2252 spi = ntohl(net_spi);
2253 audit_log_format(audit_buf, " spi=%u(0x%x) seqno=%u",
2254 spi, spi, ntohl(net_seq));
2255 audit_log_end(audit_buf);
2257 EXPORT_SYMBOL_GPL(xfrm_audit_state_notfound);
2259 void xfrm_audit_state_icvfail(struct xfrm_state *x,
2260 struct sk_buff *skb, u8 proto)
2262 struct audit_buffer *audit_buf;
2266 audit_buf = xfrm_audit_start("SA-icv-failure");
2267 if (audit_buf == NULL)
2269 xfrm_audit_helper_pktinfo(skb, x->props.family, audit_buf);
2270 if (xfrm_parse_spi(skb, proto, &net_spi, &net_seq) == 0) {
2271 u32 spi = ntohl(net_spi);
2272 audit_log_format(audit_buf, " spi=%u(0x%x) seqno=%u",
2273 spi, spi, ntohl(net_seq));
2275 audit_log_end(audit_buf);
2277 EXPORT_SYMBOL_GPL(xfrm_audit_state_icvfail);
2278 #endif /* CONFIG_AUDITSYSCALL */
projects / linux-2.6-omap-h63xx.git / blob