6 * Kazunori MIYAZAWA @USAGI
7 * Kunihiro Ishiguro <kunihiro@ipinfusion.com>
9 * YOSHIFUJI Hideaki @USAGI
10 * Split up af-specific functions
11 * Derek Atkins <derek@ihtfp.com>
12 * Add UDP Encapsulation
16 #include <linux/workqueue.h>
18 #include <linux/pfkeyv2.h>
19 #include <linux/ipsec.h>
20 #include <linux/module.h>
21 #include <linux/cache.h>
22 #include <linux/audit.h>
23 #include <asm/uaccess.h>
25 #include "xfrm_hash.h"
28 EXPORT_SYMBOL(xfrm_nl);
30 u32 sysctl_xfrm_aevent_etime __read_mostly = XFRM_AE_ETIME;
31 EXPORT_SYMBOL(sysctl_xfrm_aevent_etime);
33 u32 sysctl_xfrm_aevent_rseqth __read_mostly = XFRM_AE_SEQT_SIZE;
34 EXPORT_SYMBOL(sysctl_xfrm_aevent_rseqth);
36 u32 sysctl_xfrm_acq_expires __read_mostly = 30;
38 /* Each xfrm_state may be linked to two tables:
40 1. Hash table by (spi,daddr,ah/esp) to find SA by SPI. (input,ctl)
41 2. Hash table by (daddr,family,reqid) to find what SAs exist for given
42 destination/tunnel endpoint. (output)
45 static DEFINE_SPINLOCK(xfrm_state_lock);
47 static unsigned int xfrm_state_hashmax __read_mostly = 1 * 1024 * 1024;
48 static unsigned int xfrm_state_genid;
50 static struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned int family);
51 static void xfrm_state_put_afinfo(struct xfrm_state_afinfo *afinfo);
53 #ifdef CONFIG_AUDITSYSCALL
54 static void xfrm_audit_state_replay(struct xfrm_state *x,
55 struct sk_buff *skb, __be32 net_seq);
57 #define xfrm_audit_state_replay(x, s, sq) do { ; } while (0)
58 #endif /* CONFIG_AUDITSYSCALL */
60 static inline unsigned int xfrm_dst_hash(struct net *net,
61 xfrm_address_t *daddr,
62 xfrm_address_t *saddr,
64 unsigned short family)
66 return __xfrm_dst_hash(daddr, saddr, reqid, family, net->xfrm.state_hmask);
69 static inline unsigned int xfrm_src_hash(struct net *net,
70 xfrm_address_t *daddr,
71 xfrm_address_t *saddr,
72 unsigned short family)
74 return __xfrm_src_hash(daddr, saddr, family, net->xfrm.state_hmask);
77 static inline unsigned int
78 xfrm_spi_hash(struct net *net, xfrm_address_t *daddr, __be32 spi, u8 proto, unsigned short family)
80 return __xfrm_spi_hash(daddr, spi, proto, family, net->xfrm.state_hmask);
83 static void xfrm_hash_transfer(struct hlist_head *list,
84 struct hlist_head *ndsttable,
85 struct hlist_head *nsrctable,
86 struct hlist_head *nspitable,
87 unsigned int nhashmask)
89 struct hlist_node *entry, *tmp;
92 hlist_for_each_entry_safe(x, entry, tmp, list, bydst) {
95 h = __xfrm_dst_hash(&x->id.daddr, &x->props.saddr,
96 x->props.reqid, x->props.family,
98 hlist_add_head(&x->bydst, ndsttable+h);
100 h = __xfrm_src_hash(&x->id.daddr, &x->props.saddr,
103 hlist_add_head(&x->bysrc, nsrctable+h);
106 h = __xfrm_spi_hash(&x->id.daddr, x->id.spi,
107 x->id.proto, x->props.family,
109 hlist_add_head(&x->byspi, nspitable+h);
114 static unsigned long xfrm_hash_new_size(unsigned int state_hmask)
116 return ((state_hmask + 1) << 1) * sizeof(struct hlist_head);
119 static DEFINE_MUTEX(hash_resize_mutex);
121 static void xfrm_hash_resize(struct work_struct *work)
123 struct net *net = container_of(work, struct net, xfrm.state_hash_work);
124 struct hlist_head *ndst, *nsrc, *nspi, *odst, *osrc, *ospi;
125 unsigned long nsize, osize;
126 unsigned int nhashmask, ohashmask;
129 mutex_lock(&hash_resize_mutex);
131 nsize = xfrm_hash_new_size(net->xfrm.state_hmask);
132 ndst = xfrm_hash_alloc(nsize);
135 nsrc = xfrm_hash_alloc(nsize);
137 xfrm_hash_free(ndst, nsize);
140 nspi = xfrm_hash_alloc(nsize);
142 xfrm_hash_free(ndst, nsize);
143 xfrm_hash_free(nsrc, nsize);
147 spin_lock_bh(&xfrm_state_lock);
149 nhashmask = (nsize / sizeof(struct hlist_head)) - 1U;
150 for (i = net->xfrm.state_hmask; i >= 0; i--)
151 xfrm_hash_transfer(net->xfrm.state_bydst+i, ndst, nsrc, nspi,
154 odst = net->xfrm.state_bydst;
155 osrc = net->xfrm.state_bysrc;
156 ospi = net->xfrm.state_byspi;
157 ohashmask = net->xfrm.state_hmask;
159 net->xfrm.state_bydst = ndst;
160 net->xfrm.state_bysrc = nsrc;
161 net->xfrm.state_byspi = nspi;
162 net->xfrm.state_hmask = nhashmask;
164 spin_unlock_bh(&xfrm_state_lock);
166 osize = (ohashmask + 1) * sizeof(struct hlist_head);
167 xfrm_hash_free(odst, osize);
168 xfrm_hash_free(osrc, osize);
169 xfrm_hash_free(ospi, osize);
172 mutex_unlock(&hash_resize_mutex);
175 static DEFINE_RWLOCK(xfrm_state_afinfo_lock);
176 static struct xfrm_state_afinfo *xfrm_state_afinfo[NPROTO];
178 static DEFINE_SPINLOCK(xfrm_state_gc_lock);
180 int __xfrm_state_delete(struct xfrm_state *x);
182 int km_query(struct xfrm_state *x, struct xfrm_tmpl *t, struct xfrm_policy *pol);
183 void km_state_expired(struct xfrm_state *x, int hard, u32 pid);
185 static struct xfrm_state_afinfo *xfrm_state_lock_afinfo(unsigned int family)
187 struct xfrm_state_afinfo *afinfo;
188 if (unlikely(family >= NPROTO))
190 write_lock_bh(&xfrm_state_afinfo_lock);
191 afinfo = xfrm_state_afinfo[family];
192 if (unlikely(!afinfo))
193 write_unlock_bh(&xfrm_state_afinfo_lock);
197 static void xfrm_state_unlock_afinfo(struct xfrm_state_afinfo *afinfo)
198 __releases(xfrm_state_afinfo_lock)
200 write_unlock_bh(&xfrm_state_afinfo_lock);
203 int xfrm_register_type(const struct xfrm_type *type, unsigned short family)
205 struct xfrm_state_afinfo *afinfo = xfrm_state_lock_afinfo(family);
206 const struct xfrm_type **typemap;
209 if (unlikely(afinfo == NULL))
210 return -EAFNOSUPPORT;
211 typemap = afinfo->type_map;
213 if (likely(typemap[type->proto] == NULL))
214 typemap[type->proto] = type;
217 xfrm_state_unlock_afinfo(afinfo);
220 EXPORT_SYMBOL(xfrm_register_type);
222 int xfrm_unregister_type(const struct xfrm_type *type, unsigned short family)
224 struct xfrm_state_afinfo *afinfo = xfrm_state_lock_afinfo(family);
225 const struct xfrm_type **typemap;
228 if (unlikely(afinfo == NULL))
229 return -EAFNOSUPPORT;
230 typemap = afinfo->type_map;
232 if (unlikely(typemap[type->proto] != type))
235 typemap[type->proto] = NULL;
236 xfrm_state_unlock_afinfo(afinfo);
239 EXPORT_SYMBOL(xfrm_unregister_type);
241 static const struct xfrm_type *xfrm_get_type(u8 proto, unsigned short family)
243 struct xfrm_state_afinfo *afinfo;
244 const struct xfrm_type **typemap;
245 const struct xfrm_type *type;
246 int modload_attempted = 0;
249 afinfo = xfrm_state_get_afinfo(family);
250 if (unlikely(afinfo == NULL))
252 typemap = afinfo->type_map;
254 type = typemap[proto];
255 if (unlikely(type && !try_module_get(type->owner)))
257 if (!type && !modload_attempted) {
258 xfrm_state_put_afinfo(afinfo);
259 request_module("xfrm-type-%d-%d", family, proto);
260 modload_attempted = 1;
264 xfrm_state_put_afinfo(afinfo);
268 static void xfrm_put_type(const struct xfrm_type *type)
270 module_put(type->owner);
273 int xfrm_register_mode(struct xfrm_mode *mode, int family)
275 struct xfrm_state_afinfo *afinfo;
276 struct xfrm_mode **modemap;
279 if (unlikely(mode->encap >= XFRM_MODE_MAX))
282 afinfo = xfrm_state_lock_afinfo(family);
283 if (unlikely(afinfo == NULL))
284 return -EAFNOSUPPORT;
287 modemap = afinfo->mode_map;
288 if (modemap[mode->encap])
292 if (!try_module_get(afinfo->owner))
295 mode->afinfo = afinfo;
296 modemap[mode->encap] = mode;
300 xfrm_state_unlock_afinfo(afinfo);
303 EXPORT_SYMBOL(xfrm_register_mode);
305 int xfrm_unregister_mode(struct xfrm_mode *mode, int family)
307 struct xfrm_state_afinfo *afinfo;
308 struct xfrm_mode **modemap;
311 if (unlikely(mode->encap >= XFRM_MODE_MAX))
314 afinfo = xfrm_state_lock_afinfo(family);
315 if (unlikely(afinfo == NULL))
316 return -EAFNOSUPPORT;
319 modemap = afinfo->mode_map;
320 if (likely(modemap[mode->encap] == mode)) {
321 modemap[mode->encap] = NULL;
322 module_put(mode->afinfo->owner);
326 xfrm_state_unlock_afinfo(afinfo);
329 EXPORT_SYMBOL(xfrm_unregister_mode);
331 static struct xfrm_mode *xfrm_get_mode(unsigned int encap, int family)
333 struct xfrm_state_afinfo *afinfo;
334 struct xfrm_mode *mode;
335 int modload_attempted = 0;
337 if (unlikely(encap >= XFRM_MODE_MAX))
341 afinfo = xfrm_state_get_afinfo(family);
342 if (unlikely(afinfo == NULL))
345 mode = afinfo->mode_map[encap];
346 if (unlikely(mode && !try_module_get(mode->owner)))
348 if (!mode && !modload_attempted) {
349 xfrm_state_put_afinfo(afinfo);
350 request_module("xfrm-mode-%d-%d", family, encap);
351 modload_attempted = 1;
355 xfrm_state_put_afinfo(afinfo);
359 static void xfrm_put_mode(struct xfrm_mode *mode)
361 module_put(mode->owner);
364 static void xfrm_state_gc_destroy(struct xfrm_state *x)
366 del_timer_sync(&x->timer);
367 del_timer_sync(&x->rtimer);
374 xfrm_put_mode(x->inner_mode);
375 if (x->inner_mode_iaf)
376 xfrm_put_mode(x->inner_mode_iaf);
378 xfrm_put_mode(x->outer_mode);
380 x->type->destructor(x);
381 xfrm_put_type(x->type);
383 security_xfrm_state_free(x);
387 static void xfrm_state_gc_task(struct work_struct *work)
389 struct net *net = container_of(work, struct net, xfrm.state_gc_work);
390 struct xfrm_state *x;
391 struct hlist_node *entry, *tmp;
392 struct hlist_head gc_list;
394 spin_lock_bh(&xfrm_state_gc_lock);
395 hlist_move_list(&net->xfrm.state_gc_list, &gc_list);
396 spin_unlock_bh(&xfrm_state_gc_lock);
398 hlist_for_each_entry_safe(x, entry, tmp, &gc_list, gclist)
399 xfrm_state_gc_destroy(x);
401 wake_up(&net->xfrm.km_waitq);
404 static inline unsigned long make_jiffies(long secs)
406 if (secs >= (MAX_SCHEDULE_TIMEOUT-1)/HZ)
407 return MAX_SCHEDULE_TIMEOUT-1;
412 static void xfrm_timer_handler(unsigned long data)
414 struct xfrm_state *x = (struct xfrm_state*)data;
415 struct net *net = xs_net(x);
416 unsigned long now = get_seconds();
417 long next = LONG_MAX;
422 if (x->km.state == XFRM_STATE_DEAD)
424 if (x->km.state == XFRM_STATE_EXPIRED)
426 if (x->lft.hard_add_expires_seconds) {
427 long tmo = x->lft.hard_add_expires_seconds +
428 x->curlft.add_time - now;
434 if (x->lft.hard_use_expires_seconds) {
435 long tmo = x->lft.hard_use_expires_seconds +
436 (x->curlft.use_time ? : now) - now;
444 if (x->lft.soft_add_expires_seconds) {
445 long tmo = x->lft.soft_add_expires_seconds +
446 x->curlft.add_time - now;
452 if (x->lft.soft_use_expires_seconds) {
453 long tmo = x->lft.soft_use_expires_seconds +
454 (x->curlft.use_time ? : now) - now;
463 km_state_expired(x, 0, 0);
465 if (next != LONG_MAX)
466 mod_timer(&x->timer, jiffies + make_jiffies(next));
471 if (x->km.state == XFRM_STATE_ACQ && x->id.spi == 0) {
472 x->km.state = XFRM_STATE_EXPIRED;
473 wake_up(&net->xfrm.km_waitq);
478 err = __xfrm_state_delete(x);
479 if (!err && x->id.spi)
480 km_state_expired(x, 1, 0);
482 xfrm_audit_state_delete(x, err ? 0 : 1,
483 audit_get_loginuid(current),
484 audit_get_sessionid(current), 0);
487 spin_unlock(&x->lock);
490 static void xfrm_replay_timer_handler(unsigned long data);
492 struct xfrm_state *xfrm_state_alloc(struct net *net)
494 struct xfrm_state *x;
496 x = kzalloc(sizeof(struct xfrm_state), GFP_ATOMIC);
499 write_pnet(&x->xs_net, net);
500 atomic_set(&x->refcnt, 1);
501 atomic_set(&x->tunnel_users, 0);
502 INIT_LIST_HEAD(&x->km.all);
503 INIT_HLIST_NODE(&x->bydst);
504 INIT_HLIST_NODE(&x->bysrc);
505 INIT_HLIST_NODE(&x->byspi);
506 setup_timer(&x->timer, xfrm_timer_handler, (unsigned long)x);
507 setup_timer(&x->rtimer, xfrm_replay_timer_handler,
509 x->curlft.add_time = get_seconds();
510 x->lft.soft_byte_limit = XFRM_INF;
511 x->lft.soft_packet_limit = XFRM_INF;
512 x->lft.hard_byte_limit = XFRM_INF;
513 x->lft.hard_packet_limit = XFRM_INF;
514 x->replay_maxage = 0;
515 x->replay_maxdiff = 0;
516 x->inner_mode = NULL;
517 x->inner_mode_iaf = NULL;
518 spin_lock_init(&x->lock);
522 EXPORT_SYMBOL(xfrm_state_alloc);
524 void __xfrm_state_destroy(struct xfrm_state *x)
526 struct net *net = xs_net(x);
528 WARN_ON(x->km.state != XFRM_STATE_DEAD);
530 spin_lock_bh(&xfrm_state_gc_lock);
531 hlist_add_head(&x->gclist, &net->xfrm.state_gc_list);
532 spin_unlock_bh(&xfrm_state_gc_lock);
533 schedule_work(&net->xfrm.state_gc_work);
535 EXPORT_SYMBOL(__xfrm_state_destroy);
537 int __xfrm_state_delete(struct xfrm_state *x)
539 struct net *net = xs_net(x);
542 if (x->km.state != XFRM_STATE_DEAD) {
543 x->km.state = XFRM_STATE_DEAD;
544 spin_lock(&xfrm_state_lock);
545 list_del(&x->km.all);
546 hlist_del(&x->bydst);
547 hlist_del(&x->bysrc);
549 hlist_del(&x->byspi);
550 net->xfrm.state_num--;
551 spin_unlock(&xfrm_state_lock);
553 /* All xfrm_state objects are created by xfrm_state_alloc.
554 * The xfrm_state_alloc call gives a reference, and that
555 * is what we are dropping here.
563 EXPORT_SYMBOL(__xfrm_state_delete);
565 int xfrm_state_delete(struct xfrm_state *x)
569 spin_lock_bh(&x->lock);
570 err = __xfrm_state_delete(x);
571 spin_unlock_bh(&x->lock);
575 EXPORT_SYMBOL(xfrm_state_delete);
577 #ifdef CONFIG_SECURITY_NETWORK_XFRM
579 xfrm_state_flush_secctx_check(struct net *net, u8 proto, struct xfrm_audit *audit_info)
583 for (i = 0; i <= net->xfrm.state_hmask; i++) {
584 struct hlist_node *entry;
585 struct xfrm_state *x;
587 hlist_for_each_entry(x, entry, net->xfrm.state_bydst+i, bydst) {
588 if (xfrm_id_proto_match(x->id.proto, proto) &&
589 (err = security_xfrm_state_delete(x)) != 0) {
590 xfrm_audit_state_delete(x, 0,
591 audit_info->loginuid,
592 audit_info->sessionid,
603 xfrm_state_flush_secctx_check(struct net *net, u8 proto, struct xfrm_audit *audit_info)
609 int xfrm_state_flush(struct net *net, u8 proto, struct xfrm_audit *audit_info)
613 spin_lock_bh(&xfrm_state_lock);
614 err = xfrm_state_flush_secctx_check(net, proto, audit_info);
618 for (i = 0; i <= net->xfrm.state_hmask; i++) {
619 struct hlist_node *entry;
620 struct xfrm_state *x;
622 hlist_for_each_entry(x, entry, net->xfrm.state_bydst+i, bydst) {
623 if (!xfrm_state_kern(x) &&
624 xfrm_id_proto_match(x->id.proto, proto)) {
626 spin_unlock_bh(&xfrm_state_lock);
628 err = xfrm_state_delete(x);
629 xfrm_audit_state_delete(x, err ? 0 : 1,
630 audit_info->loginuid,
631 audit_info->sessionid,
635 spin_lock_bh(&xfrm_state_lock);
643 spin_unlock_bh(&xfrm_state_lock);
644 wake_up(&net->xfrm.km_waitq);
647 EXPORT_SYMBOL(xfrm_state_flush);
649 void xfrm_sad_getinfo(struct xfrmk_sadinfo *si)
651 spin_lock_bh(&xfrm_state_lock);
652 si->sadcnt = init_net.xfrm.state_num;
653 si->sadhcnt = init_net.xfrm.state_hmask;
654 si->sadhmcnt = xfrm_state_hashmax;
655 spin_unlock_bh(&xfrm_state_lock);
657 EXPORT_SYMBOL(xfrm_sad_getinfo);
660 xfrm_init_tempsel(struct xfrm_state *x, struct flowi *fl,
661 struct xfrm_tmpl *tmpl,
662 xfrm_address_t *daddr, xfrm_address_t *saddr,
663 unsigned short family)
665 struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family);
668 afinfo->init_tempsel(x, fl, tmpl, daddr, saddr);
669 xfrm_state_put_afinfo(afinfo);
673 static struct xfrm_state *__xfrm_state_lookup(xfrm_address_t *daddr, __be32 spi, u8 proto, unsigned short family)
675 unsigned int h = xfrm_spi_hash(&init_net, daddr, spi, proto, family);
676 struct xfrm_state *x;
677 struct hlist_node *entry;
679 hlist_for_each_entry(x, entry, init_net.xfrm.state_byspi+h, byspi) {
680 if (x->props.family != family ||
682 x->id.proto != proto)
687 if (x->id.daddr.a4 != daddr->a4)
691 if (!ipv6_addr_equal((struct in6_addr *)daddr,
705 static struct xfrm_state *__xfrm_state_lookup_byaddr(xfrm_address_t *daddr, xfrm_address_t *saddr, u8 proto, unsigned short family)
707 unsigned int h = xfrm_src_hash(&init_net, daddr, saddr, family);
708 struct xfrm_state *x;
709 struct hlist_node *entry;
711 hlist_for_each_entry(x, entry, init_net.xfrm.state_bysrc+h, bysrc) {
712 if (x->props.family != family ||
713 x->id.proto != proto)
718 if (x->id.daddr.a4 != daddr->a4 ||
719 x->props.saddr.a4 != saddr->a4)
723 if (!ipv6_addr_equal((struct in6_addr *)daddr,
726 !ipv6_addr_equal((struct in6_addr *)saddr,
740 static inline struct xfrm_state *
741 __xfrm_state_locate(struct xfrm_state *x, int use_spi, int family)
744 return __xfrm_state_lookup(&x->id.daddr, x->id.spi,
745 x->id.proto, family);
747 return __xfrm_state_lookup_byaddr(&x->id.daddr,
749 x->id.proto, family);
752 static void xfrm_hash_grow_check(struct net *net, int have_hash_collision)
754 if (have_hash_collision &&
755 (net->xfrm.state_hmask + 1) < xfrm_state_hashmax &&
756 net->xfrm.state_num > net->xfrm.state_hmask)
757 schedule_work(&net->xfrm.state_hash_work);
761 xfrm_state_find(xfrm_address_t *daddr, xfrm_address_t *saddr,
762 struct flowi *fl, struct xfrm_tmpl *tmpl,
763 struct xfrm_policy *pol, int *err,
764 unsigned short family)
767 struct hlist_node *entry;
768 struct xfrm_state *x, *x0, *to_put;
769 int acquire_in_progress = 0;
771 struct xfrm_state *best = NULL;
775 spin_lock_bh(&xfrm_state_lock);
776 h = xfrm_dst_hash(&init_net, daddr, saddr, tmpl->reqid, family);
777 hlist_for_each_entry(x, entry, init_net.xfrm.state_bydst+h, bydst) {
778 if (x->props.family == family &&
779 x->props.reqid == tmpl->reqid &&
780 !(x->props.flags & XFRM_STATE_WILDRECV) &&
781 xfrm_state_addr_check(x, daddr, saddr, family) &&
782 tmpl->mode == x->props.mode &&
783 tmpl->id.proto == x->id.proto &&
784 (tmpl->id.spi == x->id.spi || !tmpl->id.spi)) {
786 1. There is a valid state with matching selector.
788 2. Valid state with inappropriate selector. Skip.
790 Entering area of "sysdeps".
792 3. If state is not valid, selector is temporary,
793 it selects only session which triggered
794 previous resolution. Key manager will do
795 something to install a state with proper
798 if (x->km.state == XFRM_STATE_VALID) {
799 if ((x->sel.family && !xfrm_selector_match(&x->sel, fl, x->sel.family)) ||
800 !security_xfrm_state_pol_flow_match(x, pol, fl))
803 best->km.dying > x->km.dying ||
804 (best->km.dying == x->km.dying &&
805 best->curlft.add_time < x->curlft.add_time))
807 } else if (x->km.state == XFRM_STATE_ACQ) {
808 acquire_in_progress = 1;
809 } else if (x->km.state == XFRM_STATE_ERROR ||
810 x->km.state == XFRM_STATE_EXPIRED) {
811 if (xfrm_selector_match(&x->sel, fl, x->sel.family) &&
812 security_xfrm_state_pol_flow_match(x, pol, fl))
819 if (!x && !error && !acquire_in_progress) {
821 (x0 = __xfrm_state_lookup(daddr, tmpl->id.spi,
822 tmpl->id.proto, family)) != NULL) {
827 x = xfrm_state_alloc(&init_net);
832 /* Initialize temporary selector matching only
833 * to current session. */
834 xfrm_init_tempsel(x, fl, tmpl, daddr, saddr, family);
836 error = security_xfrm_state_alloc_acquire(x, pol->security, fl->secid);
838 x->km.state = XFRM_STATE_DEAD;
844 if (km_query(x, tmpl, pol) == 0) {
845 x->km.state = XFRM_STATE_ACQ;
846 list_add(&x->km.all, &init_net.xfrm.state_all);
847 hlist_add_head(&x->bydst, init_net.xfrm.state_bydst+h);
848 h = xfrm_src_hash(&init_net, daddr, saddr, family);
849 hlist_add_head(&x->bysrc, init_net.xfrm.state_bysrc+h);
851 h = xfrm_spi_hash(&init_net, &x->id.daddr, x->id.spi, x->id.proto, family);
852 hlist_add_head(&x->byspi, init_net.xfrm.state_byspi+h);
854 x->lft.hard_add_expires_seconds = sysctl_xfrm_acq_expires;
855 x->timer.expires = jiffies + sysctl_xfrm_acq_expires*HZ;
856 add_timer(&x->timer);
857 init_net.xfrm.state_num++;
858 xfrm_hash_grow_check(&init_net, x->bydst.next != NULL);
860 x->km.state = XFRM_STATE_DEAD;
870 *err = acquire_in_progress ? -EAGAIN : error;
871 spin_unlock_bh(&xfrm_state_lock);
873 xfrm_state_put(to_put);
878 xfrm_stateonly_find(xfrm_address_t *daddr, xfrm_address_t *saddr,
879 unsigned short family, u8 mode, u8 proto, u32 reqid)
882 struct xfrm_state *rx = NULL, *x = NULL;
883 struct hlist_node *entry;
885 spin_lock(&xfrm_state_lock);
886 h = xfrm_dst_hash(&init_net, daddr, saddr, reqid, family);
887 hlist_for_each_entry(x, entry, init_net.xfrm.state_bydst+h, bydst) {
888 if (x->props.family == family &&
889 x->props.reqid == reqid &&
890 !(x->props.flags & XFRM_STATE_WILDRECV) &&
891 xfrm_state_addr_check(x, daddr, saddr, family) &&
892 mode == x->props.mode &&
893 proto == x->id.proto &&
894 x->km.state == XFRM_STATE_VALID) {
902 spin_unlock(&xfrm_state_lock);
907 EXPORT_SYMBOL(xfrm_stateonly_find);
909 static void __xfrm_state_insert(struct xfrm_state *x)
911 struct net *net = xs_net(x);
914 x->genid = ++xfrm_state_genid;
916 list_add(&x->km.all, &net->xfrm.state_all);
918 h = xfrm_dst_hash(net, &x->id.daddr, &x->props.saddr,
919 x->props.reqid, x->props.family);
920 hlist_add_head(&x->bydst, net->xfrm.state_bydst+h);
922 h = xfrm_src_hash(net, &x->id.daddr, &x->props.saddr, x->props.family);
923 hlist_add_head(&x->bysrc, net->xfrm.state_bysrc+h);
926 h = xfrm_spi_hash(net, &x->id.daddr, x->id.spi, x->id.proto,
929 hlist_add_head(&x->byspi, net->xfrm.state_byspi+h);
932 mod_timer(&x->timer, jiffies + HZ);
933 if (x->replay_maxage)
934 mod_timer(&x->rtimer, jiffies + x->replay_maxage);
936 wake_up(&net->xfrm.km_waitq);
938 net->xfrm.state_num++;
940 xfrm_hash_grow_check(net, x->bydst.next != NULL);
943 /* xfrm_state_lock is held */
944 static void __xfrm_state_bump_genids(struct xfrm_state *xnew)
946 struct net *net = xs_net(xnew);
947 unsigned short family = xnew->props.family;
948 u32 reqid = xnew->props.reqid;
949 struct xfrm_state *x;
950 struct hlist_node *entry;
953 h = xfrm_dst_hash(net, &xnew->id.daddr, &xnew->props.saddr, reqid, family);
954 hlist_for_each_entry(x, entry, net->xfrm.state_bydst+h, bydst) {
955 if (x->props.family == family &&
956 x->props.reqid == reqid &&
957 !xfrm_addr_cmp(&x->id.daddr, &xnew->id.daddr, family) &&
958 !xfrm_addr_cmp(&x->props.saddr, &xnew->props.saddr, family))
959 x->genid = xfrm_state_genid;
963 void xfrm_state_insert(struct xfrm_state *x)
965 spin_lock_bh(&xfrm_state_lock);
966 __xfrm_state_bump_genids(x);
967 __xfrm_state_insert(x);
968 spin_unlock_bh(&xfrm_state_lock);
970 EXPORT_SYMBOL(xfrm_state_insert);
972 /* xfrm_state_lock is held */
973 static struct xfrm_state *__find_acq_core(unsigned short family, u8 mode, u32 reqid, u8 proto, xfrm_address_t *daddr, xfrm_address_t *saddr, int create)
975 unsigned int h = xfrm_dst_hash(&init_net, daddr, saddr, reqid, family);
976 struct hlist_node *entry;
977 struct xfrm_state *x;
979 hlist_for_each_entry(x, entry, init_net.xfrm.state_bydst+h, bydst) {
980 if (x->props.reqid != reqid ||
981 x->props.mode != mode ||
982 x->props.family != family ||
983 x->km.state != XFRM_STATE_ACQ ||
985 x->id.proto != proto)
990 if (x->id.daddr.a4 != daddr->a4 ||
991 x->props.saddr.a4 != saddr->a4)
995 if (!ipv6_addr_equal((struct in6_addr *)x->id.daddr.a6,
996 (struct in6_addr *)daddr) ||
997 !ipv6_addr_equal((struct in6_addr *)
999 (struct in6_addr *)saddr))
1011 x = xfrm_state_alloc(&init_net);
1015 x->sel.daddr.a4 = daddr->a4;
1016 x->sel.saddr.a4 = saddr->a4;
1017 x->sel.prefixlen_d = 32;
1018 x->sel.prefixlen_s = 32;
1019 x->props.saddr.a4 = saddr->a4;
1020 x->id.daddr.a4 = daddr->a4;
1024 ipv6_addr_copy((struct in6_addr *)x->sel.daddr.a6,
1025 (struct in6_addr *)daddr);
1026 ipv6_addr_copy((struct in6_addr *)x->sel.saddr.a6,
1027 (struct in6_addr *)saddr);
1028 x->sel.prefixlen_d = 128;
1029 x->sel.prefixlen_s = 128;
1030 ipv6_addr_copy((struct in6_addr *)x->props.saddr.a6,
1031 (struct in6_addr *)saddr);
1032 ipv6_addr_copy((struct in6_addr *)x->id.daddr.a6,
1033 (struct in6_addr *)daddr);
1037 x->km.state = XFRM_STATE_ACQ;
1038 x->id.proto = proto;
1039 x->props.family = family;
1040 x->props.mode = mode;
1041 x->props.reqid = reqid;
1042 x->lft.hard_add_expires_seconds = sysctl_xfrm_acq_expires;
1044 x->timer.expires = jiffies + sysctl_xfrm_acq_expires*HZ;
1045 add_timer(&x->timer);
1046 list_add(&x->km.all, &init_net.xfrm.state_all);
1047 hlist_add_head(&x->bydst, init_net.xfrm.state_bydst+h);
1048 h = xfrm_src_hash(&init_net, daddr, saddr, family);
1049 hlist_add_head(&x->bysrc, init_net.xfrm.state_bysrc+h);
1051 init_net.xfrm.state_num++;
1053 xfrm_hash_grow_check(&init_net, x->bydst.next != NULL);
1059 static struct xfrm_state *__xfrm_find_acq_byseq(u32 seq);
1061 int xfrm_state_add(struct xfrm_state *x)
1063 struct xfrm_state *x1, *to_put;
1066 int use_spi = xfrm_id_proto_match(x->id.proto, IPSEC_PROTO_ANY);
1068 family = x->props.family;
1072 spin_lock_bh(&xfrm_state_lock);
1074 x1 = __xfrm_state_locate(x, use_spi, family);
1082 if (use_spi && x->km.seq) {
1083 x1 = __xfrm_find_acq_byseq(x->km.seq);
1084 if (x1 && ((x1->id.proto != x->id.proto) ||
1085 xfrm_addr_cmp(&x1->id.daddr, &x->id.daddr, family))) {
1092 x1 = __find_acq_core(family, x->props.mode, x->props.reqid,
1094 &x->id.daddr, &x->props.saddr, 0);
1096 __xfrm_state_bump_genids(x);
1097 __xfrm_state_insert(x);
1101 spin_unlock_bh(&xfrm_state_lock);
1104 xfrm_state_delete(x1);
1109 xfrm_state_put(to_put);
1113 EXPORT_SYMBOL(xfrm_state_add);
1115 #ifdef CONFIG_XFRM_MIGRATE
1116 static struct xfrm_state *xfrm_state_clone(struct xfrm_state *orig, int *errp)
1118 struct net *net = xs_net(orig);
1120 struct xfrm_state *x = xfrm_state_alloc(net);
1124 memcpy(&x->id, &orig->id, sizeof(x->id));
1125 memcpy(&x->sel, &orig->sel, sizeof(x->sel));
1126 memcpy(&x->lft, &orig->lft, sizeof(x->lft));
1127 x->props.mode = orig->props.mode;
1128 x->props.replay_window = orig->props.replay_window;
1129 x->props.reqid = orig->props.reqid;
1130 x->props.family = orig->props.family;
1131 x->props.saddr = orig->props.saddr;
1134 x->aalg = xfrm_algo_clone(orig->aalg);
1138 x->props.aalgo = orig->props.aalgo;
1141 x->ealg = xfrm_algo_clone(orig->ealg);
1145 x->props.ealgo = orig->props.ealgo;
1148 x->calg = xfrm_algo_clone(orig->calg);
1152 x->props.calgo = orig->props.calgo;
1155 x->encap = kmemdup(orig->encap, sizeof(*x->encap), GFP_KERNEL);
1161 x->coaddr = kmemdup(orig->coaddr, sizeof(*x->coaddr),
1167 err = xfrm_init_state(x);
1171 x->props.flags = orig->props.flags;
1173 x->curlft.add_time = orig->curlft.add_time;
1174 x->km.state = orig->km.state;
1175 x->km.seq = orig->km.seq;
1193 /* xfrm_state_lock is held */
1194 struct xfrm_state * xfrm_migrate_state_find(struct xfrm_migrate *m)
1197 struct xfrm_state *x;
1198 struct hlist_node *entry;
1201 h = xfrm_dst_hash(&init_net, &m->old_daddr, &m->old_saddr,
1202 m->reqid, m->old_family);
1203 hlist_for_each_entry(x, entry, init_net.xfrm.state_bydst+h, bydst) {
1204 if (x->props.mode != m->mode ||
1205 x->id.proto != m->proto)
1207 if (m->reqid && x->props.reqid != m->reqid)
1209 if (xfrm_addr_cmp(&x->id.daddr, &m->old_daddr,
1211 xfrm_addr_cmp(&x->props.saddr, &m->old_saddr,
1218 h = xfrm_src_hash(&init_net, &m->old_daddr, &m->old_saddr,
1220 hlist_for_each_entry(x, entry, init_net.xfrm.state_bysrc+h, bysrc) {
1221 if (x->props.mode != m->mode ||
1222 x->id.proto != m->proto)
1224 if (xfrm_addr_cmp(&x->id.daddr, &m->old_daddr,
1226 xfrm_addr_cmp(&x->props.saddr, &m->old_saddr,
1236 EXPORT_SYMBOL(xfrm_migrate_state_find);
1238 struct xfrm_state * xfrm_state_migrate(struct xfrm_state *x,
1239 struct xfrm_migrate *m)
1241 struct xfrm_state *xc;
1244 xc = xfrm_state_clone(x, &err);
1248 memcpy(&xc->id.daddr, &m->new_daddr, sizeof(xc->id.daddr));
1249 memcpy(&xc->props.saddr, &m->new_saddr, sizeof(xc->props.saddr));
1252 if (!xfrm_addr_cmp(&x->id.daddr, &m->new_daddr, m->new_family)) {
1253 /* a care is needed when the destination address of the
1254 state is to be updated as it is a part of triplet */
1255 xfrm_state_insert(xc);
1257 if ((err = xfrm_state_add(xc)) < 0)
1266 EXPORT_SYMBOL(xfrm_state_migrate);
1269 int xfrm_state_update(struct xfrm_state *x)
1271 struct xfrm_state *x1, *to_put;
1273 int use_spi = xfrm_id_proto_match(x->id.proto, IPSEC_PROTO_ANY);
1277 spin_lock_bh(&xfrm_state_lock);
1278 x1 = __xfrm_state_locate(x, use_spi, x->props.family);
1284 if (xfrm_state_kern(x1)) {
1290 if (x1->km.state == XFRM_STATE_ACQ) {
1291 __xfrm_state_insert(x);
1297 spin_unlock_bh(&xfrm_state_lock);
1300 xfrm_state_put(to_put);
1306 xfrm_state_delete(x1);
1312 spin_lock_bh(&x1->lock);
1313 if (likely(x1->km.state == XFRM_STATE_VALID)) {
1314 if (x->encap && x1->encap)
1315 memcpy(x1->encap, x->encap, sizeof(*x1->encap));
1316 if (x->coaddr && x1->coaddr) {
1317 memcpy(x1->coaddr, x->coaddr, sizeof(*x1->coaddr));
1319 if (!use_spi && memcmp(&x1->sel, &x->sel, sizeof(x1->sel)))
1320 memcpy(&x1->sel, &x->sel, sizeof(x1->sel));
1321 memcpy(&x1->lft, &x->lft, sizeof(x1->lft));
1324 mod_timer(&x1->timer, jiffies + HZ);
1325 if (x1->curlft.use_time)
1326 xfrm_state_check_expire(x1);
1330 spin_unlock_bh(&x1->lock);
1336 EXPORT_SYMBOL(xfrm_state_update);
1338 int xfrm_state_check_expire(struct xfrm_state *x)
1340 if (!x->curlft.use_time)
1341 x->curlft.use_time = get_seconds();
1343 if (x->km.state != XFRM_STATE_VALID)
1346 if (x->curlft.bytes >= x->lft.hard_byte_limit ||
1347 x->curlft.packets >= x->lft.hard_packet_limit) {
1348 x->km.state = XFRM_STATE_EXPIRED;
1349 mod_timer(&x->timer, jiffies);
1354 (x->curlft.bytes >= x->lft.soft_byte_limit ||
1355 x->curlft.packets >= x->lft.soft_packet_limit)) {
1357 km_state_expired(x, 0, 0);
1361 EXPORT_SYMBOL(xfrm_state_check_expire);
1364 xfrm_state_lookup(xfrm_address_t *daddr, __be32 spi, u8 proto,
1365 unsigned short family)
1367 struct xfrm_state *x;
1369 spin_lock_bh(&xfrm_state_lock);
1370 x = __xfrm_state_lookup(daddr, spi, proto, family);
1371 spin_unlock_bh(&xfrm_state_lock);
1374 EXPORT_SYMBOL(xfrm_state_lookup);
1377 xfrm_state_lookup_byaddr(xfrm_address_t *daddr, xfrm_address_t *saddr,
1378 u8 proto, unsigned short family)
1380 struct xfrm_state *x;
1382 spin_lock_bh(&xfrm_state_lock);
1383 x = __xfrm_state_lookup_byaddr(daddr, saddr, proto, family);
1384 spin_unlock_bh(&xfrm_state_lock);
1387 EXPORT_SYMBOL(xfrm_state_lookup_byaddr);
1390 xfrm_find_acq(u8 mode, u32 reqid, u8 proto,
1391 xfrm_address_t *daddr, xfrm_address_t *saddr,
1392 int create, unsigned short family)
1394 struct xfrm_state *x;
1396 spin_lock_bh(&xfrm_state_lock);
1397 x = __find_acq_core(family, mode, reqid, proto, daddr, saddr, create);
1398 spin_unlock_bh(&xfrm_state_lock);
1402 EXPORT_SYMBOL(xfrm_find_acq);
1404 #ifdef CONFIG_XFRM_SUB_POLICY
1406 xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, int n,
1407 unsigned short family)
1410 struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family);
1412 return -EAFNOSUPPORT;
1414 spin_lock_bh(&xfrm_state_lock);
1415 if (afinfo->tmpl_sort)
1416 err = afinfo->tmpl_sort(dst, src, n);
1417 spin_unlock_bh(&xfrm_state_lock);
1418 xfrm_state_put_afinfo(afinfo);
1421 EXPORT_SYMBOL(xfrm_tmpl_sort);
1424 xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src, int n,
1425 unsigned short family)
1428 struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family);
1430 return -EAFNOSUPPORT;
1432 spin_lock_bh(&xfrm_state_lock);
1433 if (afinfo->state_sort)
1434 err = afinfo->state_sort(dst, src, n);
1435 spin_unlock_bh(&xfrm_state_lock);
1436 xfrm_state_put_afinfo(afinfo);
1439 EXPORT_SYMBOL(xfrm_state_sort);
1442 /* Silly enough, but I'm lazy to build resolution list */
1444 static struct xfrm_state *__xfrm_find_acq_byseq(u32 seq)
1448 for (i = 0; i <= init_net.xfrm.state_hmask; i++) {
1449 struct hlist_node *entry;
1450 struct xfrm_state *x;
1452 hlist_for_each_entry(x, entry, init_net.xfrm.state_bydst+i, bydst) {
1453 if (x->km.seq == seq &&
1454 x->km.state == XFRM_STATE_ACQ) {
1463 struct xfrm_state *xfrm_find_acq_byseq(u32 seq)
1465 struct xfrm_state *x;
1467 spin_lock_bh(&xfrm_state_lock);
1468 x = __xfrm_find_acq_byseq(seq);
1469 spin_unlock_bh(&xfrm_state_lock);
1472 EXPORT_SYMBOL(xfrm_find_acq_byseq);
1474 u32 xfrm_get_acqseq(void)
1478 static DEFINE_SPINLOCK(acqseq_lock);
1480 spin_lock_bh(&acqseq_lock);
1481 res = (++acqseq ? : ++acqseq);
1482 spin_unlock_bh(&acqseq_lock);
1485 EXPORT_SYMBOL(xfrm_get_acqseq);
1487 int xfrm_alloc_spi(struct xfrm_state *x, u32 low, u32 high)
1490 struct xfrm_state *x0;
1492 __be32 minspi = htonl(low);
1493 __be32 maxspi = htonl(high);
1495 spin_lock_bh(&x->lock);
1496 if (x->km.state == XFRM_STATE_DEAD)
1505 if (minspi == maxspi) {
1506 x0 = xfrm_state_lookup(&x->id.daddr, minspi, x->id.proto, x->props.family);
1514 for (h=0; h<high-low+1; h++) {
1515 spi = low + net_random()%(high-low+1);
1516 x0 = xfrm_state_lookup(&x->id.daddr, htonl(spi), x->id.proto, x->props.family);
1518 x->id.spi = htonl(spi);
1525 spin_lock_bh(&xfrm_state_lock);
1526 h = xfrm_spi_hash(&init_net, &x->id.daddr, x->id.spi, x->id.proto, x->props.family);
1527 hlist_add_head(&x->byspi, init_net.xfrm.state_byspi+h);
1528 spin_unlock_bh(&xfrm_state_lock);
1534 spin_unlock_bh(&x->lock);
1538 EXPORT_SYMBOL(xfrm_alloc_spi);
1540 int xfrm_state_walk(struct xfrm_state_walk *walk,
1541 int (*func)(struct xfrm_state *, int, void*),
1544 struct xfrm_state *state;
1545 struct xfrm_state_walk *x;
1548 if (walk->seq != 0 && list_empty(&walk->all))
1551 spin_lock_bh(&xfrm_state_lock);
1552 if (list_empty(&walk->all))
1553 x = list_first_entry(&init_net.xfrm.state_all, struct xfrm_state_walk, all);
1555 x = list_entry(&walk->all, struct xfrm_state_walk, all);
1556 list_for_each_entry_from(x, &init_net.xfrm.state_all, all) {
1557 if (x->state == XFRM_STATE_DEAD)
1559 state = container_of(x, struct xfrm_state, km);
1560 if (!xfrm_id_proto_match(state->id.proto, walk->proto))
1562 err = func(state, walk->seq, data);
1564 list_move_tail(&walk->all, &x->all);
1569 if (walk->seq == 0) {
1573 list_del_init(&walk->all);
1575 spin_unlock_bh(&xfrm_state_lock);
1578 EXPORT_SYMBOL(xfrm_state_walk);
1580 void xfrm_state_walk_init(struct xfrm_state_walk *walk, u8 proto)
1582 INIT_LIST_HEAD(&walk->all);
1583 walk->proto = proto;
1584 walk->state = XFRM_STATE_DEAD;
1587 EXPORT_SYMBOL(xfrm_state_walk_init);
1589 void xfrm_state_walk_done(struct xfrm_state_walk *walk)
1591 if (list_empty(&walk->all))
1594 spin_lock_bh(&xfrm_state_lock);
1595 list_del(&walk->all);
1596 spin_lock_bh(&xfrm_state_lock);
1598 EXPORT_SYMBOL(xfrm_state_walk_done);
1601 void xfrm_replay_notify(struct xfrm_state *x, int event)
1604 /* we send notify messages in case
1605 * 1. we updated on of the sequence numbers, and the seqno difference
1606 * is at least x->replay_maxdiff, in this case we also update the
1607 * timeout of our timer function
1608 * 2. if x->replay_maxage has elapsed since last update,
1609 * and there were changes
1611 * The state structure must be locked!
1615 case XFRM_REPLAY_UPDATE:
1616 if (x->replay_maxdiff &&
1617 (x->replay.seq - x->preplay.seq < x->replay_maxdiff) &&
1618 (x->replay.oseq - x->preplay.oseq < x->replay_maxdiff)) {
1619 if (x->xflags & XFRM_TIME_DEFER)
1620 event = XFRM_REPLAY_TIMEOUT;
1627 case XFRM_REPLAY_TIMEOUT:
1628 if ((x->replay.seq == x->preplay.seq) &&
1629 (x->replay.bitmap == x->preplay.bitmap) &&
1630 (x->replay.oseq == x->preplay.oseq)) {
1631 x->xflags |= XFRM_TIME_DEFER;
1638 memcpy(&x->preplay, &x->replay, sizeof(struct xfrm_replay_state));
1639 c.event = XFRM_MSG_NEWAE;
1640 c.data.aevent = event;
1641 km_state_notify(x, &c);
1643 if (x->replay_maxage &&
1644 !mod_timer(&x->rtimer, jiffies + x->replay_maxage))
1645 x->xflags &= ~XFRM_TIME_DEFER;
1648 static void xfrm_replay_timer_handler(unsigned long data)
1650 struct xfrm_state *x = (struct xfrm_state*)data;
1652 spin_lock(&x->lock);
1654 if (x->km.state == XFRM_STATE_VALID) {
1655 if (xfrm_aevent_is_on())
1656 xfrm_replay_notify(x, XFRM_REPLAY_TIMEOUT);
1658 x->xflags |= XFRM_TIME_DEFER;
1661 spin_unlock(&x->lock);
1664 int xfrm_replay_check(struct xfrm_state *x,
1665 struct sk_buff *skb, __be32 net_seq)
1668 u32 seq = ntohl(net_seq);
1670 if (unlikely(seq == 0))
1673 if (likely(seq > x->replay.seq))
1676 diff = x->replay.seq - seq;
1677 if (diff >= min_t(unsigned int, x->props.replay_window,
1678 sizeof(x->replay.bitmap) * 8)) {
1679 x->stats.replay_window++;
1683 if (x->replay.bitmap & (1U << diff)) {
1690 xfrm_audit_state_replay(x, skb, net_seq);
1694 void xfrm_replay_advance(struct xfrm_state *x, __be32 net_seq)
1697 u32 seq = ntohl(net_seq);
1699 if (seq > x->replay.seq) {
1700 diff = seq - x->replay.seq;
1701 if (diff < x->props.replay_window)
1702 x->replay.bitmap = ((x->replay.bitmap) << diff) | 1;
1704 x->replay.bitmap = 1;
1705 x->replay.seq = seq;
1707 diff = x->replay.seq - seq;
1708 x->replay.bitmap |= (1U << diff);
1711 if (xfrm_aevent_is_on())
1712 xfrm_replay_notify(x, XFRM_REPLAY_UPDATE);
1715 static LIST_HEAD(xfrm_km_list);
1716 static DEFINE_RWLOCK(xfrm_km_lock);
1718 void km_policy_notify(struct xfrm_policy *xp, int dir, struct km_event *c)
1720 struct xfrm_mgr *km;
1722 read_lock(&xfrm_km_lock);
1723 list_for_each_entry(km, &xfrm_km_list, list)
1724 if (km->notify_policy)
1725 km->notify_policy(xp, dir, c);
1726 read_unlock(&xfrm_km_lock);
1729 void km_state_notify(struct xfrm_state *x, struct km_event *c)
1731 struct xfrm_mgr *km;
1732 read_lock(&xfrm_km_lock);
1733 list_for_each_entry(km, &xfrm_km_list, list)
1736 read_unlock(&xfrm_km_lock);
1739 EXPORT_SYMBOL(km_policy_notify);
1740 EXPORT_SYMBOL(km_state_notify);
1742 void km_state_expired(struct xfrm_state *x, int hard, u32 pid)
1744 struct net *net = xs_net(x);
1749 c.event = XFRM_MSG_EXPIRE;
1750 km_state_notify(x, &c);
1753 wake_up(&net->xfrm.km_waitq);
1756 EXPORT_SYMBOL(km_state_expired);
1758 * We send to all registered managers regardless of failure
1759 * We are happy with one success
1761 int km_query(struct xfrm_state *x, struct xfrm_tmpl *t, struct xfrm_policy *pol)
1763 int err = -EINVAL, acqret;
1764 struct xfrm_mgr *km;
1766 read_lock(&xfrm_km_lock);
1767 list_for_each_entry(km, &xfrm_km_list, list) {
1768 acqret = km->acquire(x, t, pol, XFRM_POLICY_OUT);
1772 read_unlock(&xfrm_km_lock);
1775 EXPORT_SYMBOL(km_query);
1777 int km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport)
1780 struct xfrm_mgr *km;
1782 read_lock(&xfrm_km_lock);
1783 list_for_each_entry(km, &xfrm_km_list, list) {
1784 if (km->new_mapping)
1785 err = km->new_mapping(x, ipaddr, sport);
1789 read_unlock(&xfrm_km_lock);
1792 EXPORT_SYMBOL(km_new_mapping);
1794 void km_policy_expired(struct xfrm_policy *pol, int dir, int hard, u32 pid)
1796 struct net *net = xp_net(pol);
1801 c.event = XFRM_MSG_POLEXPIRE;
1802 km_policy_notify(pol, dir, &c);
1805 wake_up(&net->xfrm.km_waitq);
1807 EXPORT_SYMBOL(km_policy_expired);
1809 #ifdef CONFIG_XFRM_MIGRATE
1810 int km_migrate(struct xfrm_selector *sel, u8 dir, u8 type,
1811 struct xfrm_migrate *m, int num_migrate,
1812 struct xfrm_kmaddress *k)
1816 struct xfrm_mgr *km;
1818 read_lock(&xfrm_km_lock);
1819 list_for_each_entry(km, &xfrm_km_list, list) {
1821 ret = km->migrate(sel, dir, type, m, num_migrate, k);
1826 read_unlock(&xfrm_km_lock);
1829 EXPORT_SYMBOL(km_migrate);
1832 int km_report(u8 proto, struct xfrm_selector *sel, xfrm_address_t *addr)
1836 struct xfrm_mgr *km;
1838 read_lock(&xfrm_km_lock);
1839 list_for_each_entry(km, &xfrm_km_list, list) {
1841 ret = km->report(proto, sel, addr);
1846 read_unlock(&xfrm_km_lock);
1849 EXPORT_SYMBOL(km_report);
1851 int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen)
1855 struct xfrm_mgr *km;
1856 struct xfrm_policy *pol = NULL;
1858 if (optlen <= 0 || optlen > PAGE_SIZE)
1861 data = kmalloc(optlen, GFP_KERNEL);
1866 if (copy_from_user(data, optval, optlen))
1870 read_lock(&xfrm_km_lock);
1871 list_for_each_entry(km, &xfrm_km_list, list) {
1872 pol = km->compile_policy(sk, optname, data,
1877 read_unlock(&xfrm_km_lock);
1880 xfrm_sk_policy_insert(sk, err, pol);
1889 EXPORT_SYMBOL(xfrm_user_policy);
1891 int xfrm_register_km(struct xfrm_mgr *km)
1893 write_lock_bh(&xfrm_km_lock);
1894 list_add_tail(&km->list, &xfrm_km_list);
1895 write_unlock_bh(&xfrm_km_lock);
1898 EXPORT_SYMBOL(xfrm_register_km);
1900 int xfrm_unregister_km(struct xfrm_mgr *km)
1902 write_lock_bh(&xfrm_km_lock);
1903 list_del(&km->list);
1904 write_unlock_bh(&xfrm_km_lock);
1907 EXPORT_SYMBOL(xfrm_unregister_km);
1909 int xfrm_state_register_afinfo(struct xfrm_state_afinfo *afinfo)
1912 if (unlikely(afinfo == NULL))
1914 if (unlikely(afinfo->family >= NPROTO))
1915 return -EAFNOSUPPORT;
1916 write_lock_bh(&xfrm_state_afinfo_lock);
1917 if (unlikely(xfrm_state_afinfo[afinfo->family] != NULL))
1920 xfrm_state_afinfo[afinfo->family] = afinfo;
1921 write_unlock_bh(&xfrm_state_afinfo_lock);
1924 EXPORT_SYMBOL(xfrm_state_register_afinfo);
1926 int xfrm_state_unregister_afinfo(struct xfrm_state_afinfo *afinfo)
1929 if (unlikely(afinfo == NULL))
1931 if (unlikely(afinfo->family >= NPROTO))
1932 return -EAFNOSUPPORT;
1933 write_lock_bh(&xfrm_state_afinfo_lock);
1934 if (likely(xfrm_state_afinfo[afinfo->family] != NULL)) {
1935 if (unlikely(xfrm_state_afinfo[afinfo->family] != afinfo))
1938 xfrm_state_afinfo[afinfo->family] = NULL;
1940 write_unlock_bh(&xfrm_state_afinfo_lock);
1943 EXPORT_SYMBOL(xfrm_state_unregister_afinfo);
1945 static struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned int family)
1947 struct xfrm_state_afinfo *afinfo;
1948 if (unlikely(family >= NPROTO))
1950 read_lock(&xfrm_state_afinfo_lock);
1951 afinfo = xfrm_state_afinfo[family];
1952 if (unlikely(!afinfo))
1953 read_unlock(&xfrm_state_afinfo_lock);
1957 static void xfrm_state_put_afinfo(struct xfrm_state_afinfo *afinfo)
1958 __releases(xfrm_state_afinfo_lock)
1960 read_unlock(&xfrm_state_afinfo_lock);
1963 /* Temporarily located here until net/xfrm/xfrm_tunnel.c is created */
1964 void xfrm_state_delete_tunnel(struct xfrm_state *x)
1967 struct xfrm_state *t = x->tunnel;
1969 if (atomic_read(&t->tunnel_users) == 2)
1970 xfrm_state_delete(t);
1971 atomic_dec(&t->tunnel_users);
1976 EXPORT_SYMBOL(xfrm_state_delete_tunnel);
1978 int xfrm_state_mtu(struct xfrm_state *x, int mtu)
1982 spin_lock_bh(&x->lock);
1983 if (x->km.state == XFRM_STATE_VALID &&
1984 x->type && x->type->get_mtu)
1985 res = x->type->get_mtu(x, mtu);
1987 res = mtu - x->props.header_len;
1988 spin_unlock_bh(&x->lock);
1992 int xfrm_init_state(struct xfrm_state *x)
1994 struct xfrm_state_afinfo *afinfo;
1995 struct xfrm_mode *inner_mode;
1996 int family = x->props.family;
1999 err = -EAFNOSUPPORT;
2000 afinfo = xfrm_state_get_afinfo(family);
2005 if (afinfo->init_flags)
2006 err = afinfo->init_flags(x);
2008 xfrm_state_put_afinfo(afinfo);
2013 err = -EPROTONOSUPPORT;
2015 if (x->sel.family != AF_UNSPEC) {
2016 inner_mode = xfrm_get_mode(x->props.mode, x->sel.family);
2017 if (inner_mode == NULL)
2020 if (!(inner_mode->flags & XFRM_MODE_FLAG_TUNNEL) &&
2021 family != x->sel.family) {
2022 xfrm_put_mode(inner_mode);
2026 x->inner_mode = inner_mode;
2028 struct xfrm_mode *inner_mode_iaf;
2030 inner_mode = xfrm_get_mode(x->props.mode, AF_INET);
2031 if (inner_mode == NULL)
2034 if (!(inner_mode->flags & XFRM_MODE_FLAG_TUNNEL)) {
2035 xfrm_put_mode(inner_mode);
2039 inner_mode_iaf = xfrm_get_mode(x->props.mode, AF_INET6);
2040 if (inner_mode_iaf == NULL)
2043 if (!(inner_mode_iaf->flags & XFRM_MODE_FLAG_TUNNEL)) {
2044 xfrm_put_mode(inner_mode_iaf);
2048 if (x->props.family == AF_INET) {
2049 x->inner_mode = inner_mode;
2050 x->inner_mode_iaf = inner_mode_iaf;
2052 x->inner_mode = inner_mode_iaf;
2053 x->inner_mode_iaf = inner_mode;
2057 x->type = xfrm_get_type(x->id.proto, family);
2058 if (x->type == NULL)
2061 err = x->type->init_state(x);
2065 x->outer_mode = xfrm_get_mode(x->props.mode, family);
2066 if (x->outer_mode == NULL)
2069 x->km.state = XFRM_STATE_VALID;
2075 EXPORT_SYMBOL(xfrm_init_state);
2077 int __net_init xfrm_state_init(struct net *net)
2081 INIT_LIST_HEAD(&net->xfrm.state_all);
2083 sz = sizeof(struct hlist_head) * 8;
2085 net->xfrm.state_bydst = xfrm_hash_alloc(sz);
2086 if (!net->xfrm.state_bydst)
2088 net->xfrm.state_bysrc = xfrm_hash_alloc(sz);
2089 if (!net->xfrm.state_bysrc)
2091 net->xfrm.state_byspi = xfrm_hash_alloc(sz);
2092 if (!net->xfrm.state_byspi)
2094 net->xfrm.state_hmask = ((sz / sizeof(struct hlist_head)) - 1);
2096 net->xfrm.state_num = 0;
2097 INIT_WORK(&net->xfrm.state_hash_work, xfrm_hash_resize);
2098 INIT_HLIST_HEAD(&net->xfrm.state_gc_list);
2099 INIT_WORK(&net->xfrm.state_gc_work, xfrm_state_gc_task);
2100 init_waitqueue_head(&net->xfrm.km_waitq);
2104 xfrm_hash_free(net->xfrm.state_bysrc, sz);
2106 xfrm_hash_free(net->xfrm.state_bydst, sz);
2111 void xfrm_state_fini(struct net *net)
2115 WARN_ON(!list_empty(&net->xfrm.state_all));
2117 sz = (net->xfrm.state_hmask + 1) * sizeof(struct hlist_head);
2118 WARN_ON(!hlist_empty(net->xfrm.state_byspi));
2119 xfrm_hash_free(net->xfrm.state_byspi, sz);
2120 WARN_ON(!hlist_empty(net->xfrm.state_bysrc));
2121 xfrm_hash_free(net->xfrm.state_bysrc, sz);
2122 WARN_ON(!hlist_empty(net->xfrm.state_bydst));
2123 xfrm_hash_free(net->xfrm.state_bydst, sz);
2126 #ifdef CONFIG_AUDITSYSCALL
2127 static void xfrm_audit_helper_sainfo(struct xfrm_state *x,
2128 struct audit_buffer *audit_buf)
2130 struct xfrm_sec_ctx *ctx = x->security;
2131 u32 spi = ntohl(x->id.spi);
2134 audit_log_format(audit_buf, " sec_alg=%u sec_doi=%u sec_obj=%s",
2135 ctx->ctx_alg, ctx->ctx_doi, ctx->ctx_str);
2137 switch(x->props.family) {
2139 audit_log_format(audit_buf, " src=%pI4 dst=%pI4",
2140 &x->props.saddr.a4, &x->id.daddr.a4);
2143 audit_log_format(audit_buf, " src=%pI6 dst=%pI6",
2144 x->props.saddr.a6, x->id.daddr.a6);
2148 audit_log_format(audit_buf, " spi=%u(0x%x)", spi, spi);
2151 static void xfrm_audit_helper_pktinfo(struct sk_buff *skb, u16 family,
2152 struct audit_buffer *audit_buf)
2155 struct ipv6hdr *iph6;
2160 audit_log_format(audit_buf, " src=%pI4 dst=%pI4",
2161 &iph4->saddr, &iph4->daddr);
2164 iph6 = ipv6_hdr(skb);
2165 audit_log_format(audit_buf,
2166 " src=%pI6 dst=%pI6 flowlbl=0x%x%02x%02x",
2167 &iph6->saddr,&iph6->daddr,
2168 iph6->flow_lbl[0] & 0x0f,
2175 void xfrm_audit_state_add(struct xfrm_state *x, int result,
2176 uid_t auid, u32 sessionid, u32 secid)
2178 struct audit_buffer *audit_buf;
2180 audit_buf = xfrm_audit_start("SAD-add");
2181 if (audit_buf == NULL)
2183 xfrm_audit_helper_usrinfo(auid, sessionid, secid, audit_buf);
2184 xfrm_audit_helper_sainfo(x, audit_buf);
2185 audit_log_format(audit_buf, " res=%u", result);
2186 audit_log_end(audit_buf);
2188 EXPORT_SYMBOL_GPL(xfrm_audit_state_add);
2190 void xfrm_audit_state_delete(struct xfrm_state *x, int result,
2191 uid_t auid, u32 sessionid, u32 secid)
2193 struct audit_buffer *audit_buf;
2195 audit_buf = xfrm_audit_start("SAD-delete");
2196 if (audit_buf == NULL)
2198 xfrm_audit_helper_usrinfo(auid, sessionid, secid, audit_buf);
2199 xfrm_audit_helper_sainfo(x, audit_buf);
2200 audit_log_format(audit_buf, " res=%u", result);
2201 audit_log_end(audit_buf);
2203 EXPORT_SYMBOL_GPL(xfrm_audit_state_delete);
2205 void xfrm_audit_state_replay_overflow(struct xfrm_state *x,
2206 struct sk_buff *skb)
2208 struct audit_buffer *audit_buf;
2211 audit_buf = xfrm_audit_start("SA-replay-overflow");
2212 if (audit_buf == NULL)
2214 xfrm_audit_helper_pktinfo(skb, x->props.family, audit_buf);
2215 /* don't record the sequence number because it's inherent in this kind
2216 * of audit message */
2217 spi = ntohl(x->id.spi);
2218 audit_log_format(audit_buf, " spi=%u(0x%x)", spi, spi);
2219 audit_log_end(audit_buf);
2221 EXPORT_SYMBOL_GPL(xfrm_audit_state_replay_overflow);
2223 static void xfrm_audit_state_replay(struct xfrm_state *x,
2224 struct sk_buff *skb, __be32 net_seq)
2226 struct audit_buffer *audit_buf;
2229 audit_buf = xfrm_audit_start("SA-replayed-pkt");
2230 if (audit_buf == NULL)
2232 xfrm_audit_helper_pktinfo(skb, x->props.family, audit_buf);
2233 spi = ntohl(x->id.spi);
2234 audit_log_format(audit_buf, " spi=%u(0x%x) seqno=%u",
2235 spi, spi, ntohl(net_seq));
2236 audit_log_end(audit_buf);
2239 void xfrm_audit_state_notfound_simple(struct sk_buff *skb, u16 family)
2241 struct audit_buffer *audit_buf;
2243 audit_buf = xfrm_audit_start("SA-notfound");
2244 if (audit_buf == NULL)
2246 xfrm_audit_helper_pktinfo(skb, family, audit_buf);
2247 audit_log_end(audit_buf);
2249 EXPORT_SYMBOL_GPL(xfrm_audit_state_notfound_simple);
2251 void xfrm_audit_state_notfound(struct sk_buff *skb, u16 family,
2252 __be32 net_spi, __be32 net_seq)
2254 struct audit_buffer *audit_buf;
2257 audit_buf = xfrm_audit_start("SA-notfound");
2258 if (audit_buf == NULL)
2260 xfrm_audit_helper_pktinfo(skb, family, audit_buf);
2261 spi = ntohl(net_spi);
2262 audit_log_format(audit_buf, " spi=%u(0x%x) seqno=%u",
2263 spi, spi, ntohl(net_seq));
2264 audit_log_end(audit_buf);
2266 EXPORT_SYMBOL_GPL(xfrm_audit_state_notfound);
2268 void xfrm_audit_state_icvfail(struct xfrm_state *x,
2269 struct sk_buff *skb, u8 proto)
2271 struct audit_buffer *audit_buf;
2275 audit_buf = xfrm_audit_start("SA-icv-failure");
2276 if (audit_buf == NULL)
2278 xfrm_audit_helper_pktinfo(skb, x->props.family, audit_buf);
2279 if (xfrm_parse_spi(skb, proto, &net_spi, &net_seq) == 0) {
2280 u32 spi = ntohl(net_spi);
2281 audit_log_format(audit_buf, " spi=%u(0x%x) seqno=%u",
2282 spi, spi, ntohl(net_seq));
2284 audit_log_end(audit_buf);
2286 EXPORT_SYMBOL_GPL(xfrm_audit_state_icvfail);
2287 #endif /* CONFIG_AUDITSYSCALL */
projects / linux-2.6-omap-h63xx.git / blob