6 * Kazunori MIYAZAWA @USAGI
7 * Kunihiro Ishiguro <kunihiro@ipinfusion.com>
9 * YOSHIFUJI Hideaki @USAGI
10 * Split up af-specific functions
11 * Derek Atkins <derek@ihtfp.com>
12 * Add UDP Encapsulation
16 #include <linux/workqueue.h>
18 #include <linux/pfkeyv2.h>
19 #include <linux/ipsec.h>
20 #include <linux/module.h>
21 #include <linux/cache.h>
22 #include <linux/audit.h>
23 #include <asm/uaccess.h>
25 #include "xfrm_hash.h"
28 EXPORT_SYMBOL(xfrm_nl);
30 u32 sysctl_xfrm_aevent_etime __read_mostly = XFRM_AE_ETIME;
31 EXPORT_SYMBOL(sysctl_xfrm_aevent_etime);
33 u32 sysctl_xfrm_aevent_rseqth __read_mostly = XFRM_AE_SEQT_SIZE;
34 EXPORT_SYMBOL(sysctl_xfrm_aevent_rseqth);
36 u32 sysctl_xfrm_acq_expires __read_mostly = 30;
38 /* Each xfrm_state may be linked to two tables:
40 1. Hash table by (spi,daddr,ah/esp) to find SA by SPI. (input,ctl)
41 2. Hash table by (daddr,family,reqid) to find what SAs exist for given
42 destination/tunnel endpoint. (output)
45 static DEFINE_SPINLOCK(xfrm_state_lock);
47 static unsigned int xfrm_state_hashmax __read_mostly = 1 * 1024 * 1024;
48 static unsigned int xfrm_state_genid;
50 static struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned int family);
51 static void xfrm_state_put_afinfo(struct xfrm_state_afinfo *afinfo);
53 #ifdef CONFIG_AUDITSYSCALL
54 static void xfrm_audit_state_replay(struct xfrm_state *x,
55 struct sk_buff *skb, __be32 net_seq);
57 #define xfrm_audit_state_replay(x, s, sq) do { ; } while (0)
58 #endif /* CONFIG_AUDITSYSCALL */
60 static inline unsigned int xfrm_dst_hash(xfrm_address_t *daddr,
61 xfrm_address_t *saddr,
63 unsigned short family)
65 return __xfrm_dst_hash(daddr, saddr, reqid, family, init_net.xfrm.state_hmask);
68 static inline unsigned int xfrm_src_hash(xfrm_address_t *daddr,
69 xfrm_address_t *saddr,
70 unsigned short family)
72 return __xfrm_src_hash(daddr, saddr, family, init_net.xfrm.state_hmask);
75 static inline unsigned int
76 xfrm_spi_hash(xfrm_address_t *daddr, __be32 spi, u8 proto, unsigned short family)
78 return __xfrm_spi_hash(daddr, spi, proto, family, init_net.xfrm.state_hmask);
81 static void xfrm_hash_transfer(struct hlist_head *list,
82 struct hlist_head *ndsttable,
83 struct hlist_head *nsrctable,
84 struct hlist_head *nspitable,
85 unsigned int nhashmask)
87 struct hlist_node *entry, *tmp;
90 hlist_for_each_entry_safe(x, entry, tmp, list, bydst) {
93 h = __xfrm_dst_hash(&x->id.daddr, &x->props.saddr,
94 x->props.reqid, x->props.family,
96 hlist_add_head(&x->bydst, ndsttable+h);
98 h = __xfrm_src_hash(&x->id.daddr, &x->props.saddr,
101 hlist_add_head(&x->bysrc, nsrctable+h);
104 h = __xfrm_spi_hash(&x->id.daddr, x->id.spi,
105 x->id.proto, x->props.family,
107 hlist_add_head(&x->byspi, nspitable+h);
112 static unsigned long xfrm_hash_new_size(unsigned int state_hmask)
114 return ((state_hmask + 1) << 1) * sizeof(struct hlist_head);
117 static DEFINE_MUTEX(hash_resize_mutex);
119 static void xfrm_hash_resize(struct work_struct *work)
121 struct net *net = container_of(work, struct net, xfrm.state_hash_work);
122 struct hlist_head *ndst, *nsrc, *nspi, *odst, *osrc, *ospi;
123 unsigned long nsize, osize;
124 unsigned int nhashmask, ohashmask;
127 mutex_lock(&hash_resize_mutex);
129 nsize = xfrm_hash_new_size(net->xfrm.state_hmask);
130 ndst = xfrm_hash_alloc(nsize);
133 nsrc = xfrm_hash_alloc(nsize);
135 xfrm_hash_free(ndst, nsize);
138 nspi = xfrm_hash_alloc(nsize);
140 xfrm_hash_free(ndst, nsize);
141 xfrm_hash_free(nsrc, nsize);
145 spin_lock_bh(&xfrm_state_lock);
147 nhashmask = (nsize / sizeof(struct hlist_head)) - 1U;
148 for (i = net->xfrm.state_hmask; i >= 0; i--)
149 xfrm_hash_transfer(net->xfrm.state_bydst+i, ndst, nsrc, nspi,
152 odst = net->xfrm.state_bydst;
153 osrc = net->xfrm.state_bysrc;
154 ospi = net->xfrm.state_byspi;
155 ohashmask = net->xfrm.state_hmask;
157 net->xfrm.state_bydst = ndst;
158 net->xfrm.state_bysrc = nsrc;
159 net->xfrm.state_byspi = nspi;
160 net->xfrm.state_hmask = nhashmask;
162 spin_unlock_bh(&xfrm_state_lock);
164 osize = (ohashmask + 1) * sizeof(struct hlist_head);
165 xfrm_hash_free(odst, osize);
166 xfrm_hash_free(osrc, osize);
167 xfrm_hash_free(ospi, osize);
170 mutex_unlock(&hash_resize_mutex);
173 DECLARE_WAIT_QUEUE_HEAD(km_waitq);
174 EXPORT_SYMBOL(km_waitq);
176 static DEFINE_RWLOCK(xfrm_state_afinfo_lock);
177 static struct xfrm_state_afinfo *xfrm_state_afinfo[NPROTO];
179 static DEFINE_SPINLOCK(xfrm_state_gc_lock);
181 int __xfrm_state_delete(struct xfrm_state *x);
183 int km_query(struct xfrm_state *x, struct xfrm_tmpl *t, struct xfrm_policy *pol);
184 void km_state_expired(struct xfrm_state *x, int hard, u32 pid);
186 static struct xfrm_state_afinfo *xfrm_state_lock_afinfo(unsigned int family)
188 struct xfrm_state_afinfo *afinfo;
189 if (unlikely(family >= NPROTO))
191 write_lock_bh(&xfrm_state_afinfo_lock);
192 afinfo = xfrm_state_afinfo[family];
193 if (unlikely(!afinfo))
194 write_unlock_bh(&xfrm_state_afinfo_lock);
198 static void xfrm_state_unlock_afinfo(struct xfrm_state_afinfo *afinfo)
199 __releases(xfrm_state_afinfo_lock)
201 write_unlock_bh(&xfrm_state_afinfo_lock);
204 int xfrm_register_type(const struct xfrm_type *type, unsigned short family)
206 struct xfrm_state_afinfo *afinfo = xfrm_state_lock_afinfo(family);
207 const struct xfrm_type **typemap;
210 if (unlikely(afinfo == NULL))
211 return -EAFNOSUPPORT;
212 typemap = afinfo->type_map;
214 if (likely(typemap[type->proto] == NULL))
215 typemap[type->proto] = type;
218 xfrm_state_unlock_afinfo(afinfo);
221 EXPORT_SYMBOL(xfrm_register_type);
223 int xfrm_unregister_type(const struct xfrm_type *type, unsigned short family)
225 struct xfrm_state_afinfo *afinfo = xfrm_state_lock_afinfo(family);
226 const struct xfrm_type **typemap;
229 if (unlikely(afinfo == NULL))
230 return -EAFNOSUPPORT;
231 typemap = afinfo->type_map;
233 if (unlikely(typemap[type->proto] != type))
236 typemap[type->proto] = NULL;
237 xfrm_state_unlock_afinfo(afinfo);
240 EXPORT_SYMBOL(xfrm_unregister_type);
242 static const struct xfrm_type *xfrm_get_type(u8 proto, unsigned short family)
244 struct xfrm_state_afinfo *afinfo;
245 const struct xfrm_type **typemap;
246 const struct xfrm_type *type;
247 int modload_attempted = 0;
250 afinfo = xfrm_state_get_afinfo(family);
251 if (unlikely(afinfo == NULL))
253 typemap = afinfo->type_map;
255 type = typemap[proto];
256 if (unlikely(type && !try_module_get(type->owner)))
258 if (!type && !modload_attempted) {
259 xfrm_state_put_afinfo(afinfo);
260 request_module("xfrm-type-%d-%d", family, proto);
261 modload_attempted = 1;
265 xfrm_state_put_afinfo(afinfo);
269 static void xfrm_put_type(const struct xfrm_type *type)
271 module_put(type->owner);
274 int xfrm_register_mode(struct xfrm_mode *mode, int family)
276 struct xfrm_state_afinfo *afinfo;
277 struct xfrm_mode **modemap;
280 if (unlikely(mode->encap >= XFRM_MODE_MAX))
283 afinfo = xfrm_state_lock_afinfo(family);
284 if (unlikely(afinfo == NULL))
285 return -EAFNOSUPPORT;
288 modemap = afinfo->mode_map;
289 if (modemap[mode->encap])
293 if (!try_module_get(afinfo->owner))
296 mode->afinfo = afinfo;
297 modemap[mode->encap] = mode;
301 xfrm_state_unlock_afinfo(afinfo);
304 EXPORT_SYMBOL(xfrm_register_mode);
306 int xfrm_unregister_mode(struct xfrm_mode *mode, int family)
308 struct xfrm_state_afinfo *afinfo;
309 struct xfrm_mode **modemap;
312 if (unlikely(mode->encap >= XFRM_MODE_MAX))
315 afinfo = xfrm_state_lock_afinfo(family);
316 if (unlikely(afinfo == NULL))
317 return -EAFNOSUPPORT;
320 modemap = afinfo->mode_map;
321 if (likely(modemap[mode->encap] == mode)) {
322 modemap[mode->encap] = NULL;
323 module_put(mode->afinfo->owner);
327 xfrm_state_unlock_afinfo(afinfo);
330 EXPORT_SYMBOL(xfrm_unregister_mode);
332 static struct xfrm_mode *xfrm_get_mode(unsigned int encap, int family)
334 struct xfrm_state_afinfo *afinfo;
335 struct xfrm_mode *mode;
336 int modload_attempted = 0;
338 if (unlikely(encap >= XFRM_MODE_MAX))
342 afinfo = xfrm_state_get_afinfo(family);
343 if (unlikely(afinfo == NULL))
346 mode = afinfo->mode_map[encap];
347 if (unlikely(mode && !try_module_get(mode->owner)))
349 if (!mode && !modload_attempted) {
350 xfrm_state_put_afinfo(afinfo);
351 request_module("xfrm-mode-%d-%d", family, encap);
352 modload_attempted = 1;
356 xfrm_state_put_afinfo(afinfo);
360 static void xfrm_put_mode(struct xfrm_mode *mode)
362 module_put(mode->owner);
365 static void xfrm_state_gc_destroy(struct xfrm_state *x)
367 del_timer_sync(&x->timer);
368 del_timer_sync(&x->rtimer);
375 xfrm_put_mode(x->inner_mode);
376 if (x->inner_mode_iaf)
377 xfrm_put_mode(x->inner_mode_iaf);
379 xfrm_put_mode(x->outer_mode);
381 x->type->destructor(x);
382 xfrm_put_type(x->type);
384 security_xfrm_state_free(x);
388 static void xfrm_state_gc_task(struct work_struct *work)
390 struct net *net = container_of(work, struct net, xfrm.state_gc_work);
391 struct xfrm_state *x;
392 struct hlist_node *entry, *tmp;
393 struct hlist_head gc_list;
395 spin_lock_bh(&xfrm_state_gc_lock);
396 hlist_move_list(&net->xfrm.state_gc_list, &gc_list);
397 spin_unlock_bh(&xfrm_state_gc_lock);
399 hlist_for_each_entry_safe(x, entry, tmp, &gc_list, gclist)
400 xfrm_state_gc_destroy(x);
405 static inline unsigned long make_jiffies(long secs)
407 if (secs >= (MAX_SCHEDULE_TIMEOUT-1)/HZ)
408 return MAX_SCHEDULE_TIMEOUT-1;
413 static void xfrm_timer_handler(unsigned long data)
415 struct xfrm_state *x = (struct xfrm_state*)data;
416 unsigned long now = get_seconds();
417 long next = LONG_MAX;
422 if (x->km.state == XFRM_STATE_DEAD)
424 if (x->km.state == XFRM_STATE_EXPIRED)
426 if (x->lft.hard_add_expires_seconds) {
427 long tmo = x->lft.hard_add_expires_seconds +
428 x->curlft.add_time - now;
434 if (x->lft.hard_use_expires_seconds) {
435 long tmo = x->lft.hard_use_expires_seconds +
436 (x->curlft.use_time ? : now) - now;
444 if (x->lft.soft_add_expires_seconds) {
445 long tmo = x->lft.soft_add_expires_seconds +
446 x->curlft.add_time - now;
452 if (x->lft.soft_use_expires_seconds) {
453 long tmo = x->lft.soft_use_expires_seconds +
454 (x->curlft.use_time ? : now) - now;
463 km_state_expired(x, 0, 0);
465 if (next != LONG_MAX)
466 mod_timer(&x->timer, jiffies + make_jiffies(next));
471 if (x->km.state == XFRM_STATE_ACQ && x->id.spi == 0) {
472 x->km.state = XFRM_STATE_EXPIRED;
478 err = __xfrm_state_delete(x);
479 if (!err && x->id.spi)
480 km_state_expired(x, 1, 0);
482 xfrm_audit_state_delete(x, err ? 0 : 1,
483 audit_get_loginuid(current),
484 audit_get_sessionid(current), 0);
487 spin_unlock(&x->lock);
490 static void xfrm_replay_timer_handler(unsigned long data);
492 struct xfrm_state *xfrm_state_alloc(struct net *net)
494 struct xfrm_state *x;
496 x = kzalloc(sizeof(struct xfrm_state), GFP_ATOMIC);
499 write_pnet(&x->xs_net, net);
500 atomic_set(&x->refcnt, 1);
501 atomic_set(&x->tunnel_users, 0);
502 INIT_LIST_HEAD(&x->km.all);
503 INIT_HLIST_NODE(&x->bydst);
504 INIT_HLIST_NODE(&x->bysrc);
505 INIT_HLIST_NODE(&x->byspi);
506 setup_timer(&x->timer, xfrm_timer_handler, (unsigned long)x);
507 setup_timer(&x->rtimer, xfrm_replay_timer_handler,
509 x->curlft.add_time = get_seconds();
510 x->lft.soft_byte_limit = XFRM_INF;
511 x->lft.soft_packet_limit = XFRM_INF;
512 x->lft.hard_byte_limit = XFRM_INF;
513 x->lft.hard_packet_limit = XFRM_INF;
514 x->replay_maxage = 0;
515 x->replay_maxdiff = 0;
516 x->inner_mode = NULL;
517 x->inner_mode_iaf = NULL;
518 spin_lock_init(&x->lock);
522 EXPORT_SYMBOL(xfrm_state_alloc);
524 void __xfrm_state_destroy(struct xfrm_state *x)
526 WARN_ON(x->km.state != XFRM_STATE_DEAD);
528 spin_lock_bh(&xfrm_state_gc_lock);
529 hlist_add_head(&x->gclist, &init_net.xfrm.state_gc_list);
530 spin_unlock_bh(&xfrm_state_gc_lock);
531 schedule_work(&init_net.xfrm.state_gc_work);
533 EXPORT_SYMBOL(__xfrm_state_destroy);
535 int __xfrm_state_delete(struct xfrm_state *x)
539 if (x->km.state != XFRM_STATE_DEAD) {
540 x->km.state = XFRM_STATE_DEAD;
541 spin_lock(&xfrm_state_lock);
542 list_del(&x->km.all);
543 hlist_del(&x->bydst);
544 hlist_del(&x->bysrc);
546 hlist_del(&x->byspi);
547 init_net.xfrm.state_num--;
548 spin_unlock(&xfrm_state_lock);
550 /* All xfrm_state objects are created by xfrm_state_alloc.
551 * The xfrm_state_alloc call gives a reference, and that
552 * is what we are dropping here.
560 EXPORT_SYMBOL(__xfrm_state_delete);
562 int xfrm_state_delete(struct xfrm_state *x)
566 spin_lock_bh(&x->lock);
567 err = __xfrm_state_delete(x);
568 spin_unlock_bh(&x->lock);
572 EXPORT_SYMBOL(xfrm_state_delete);
574 #ifdef CONFIG_SECURITY_NETWORK_XFRM
576 xfrm_state_flush_secctx_check(u8 proto, struct xfrm_audit *audit_info)
580 for (i = 0; i <= init_net.xfrm.state_hmask; i++) {
581 struct hlist_node *entry;
582 struct xfrm_state *x;
584 hlist_for_each_entry(x, entry, init_net.xfrm.state_bydst+i, bydst) {
585 if (xfrm_id_proto_match(x->id.proto, proto) &&
586 (err = security_xfrm_state_delete(x)) != 0) {
587 xfrm_audit_state_delete(x, 0,
588 audit_info->loginuid,
589 audit_info->sessionid,
600 xfrm_state_flush_secctx_check(u8 proto, struct xfrm_audit *audit_info)
606 int xfrm_state_flush(u8 proto, struct xfrm_audit *audit_info)
610 spin_lock_bh(&xfrm_state_lock);
611 err = xfrm_state_flush_secctx_check(proto, audit_info);
615 for (i = 0; i <= init_net.xfrm.state_hmask; i++) {
616 struct hlist_node *entry;
617 struct xfrm_state *x;
619 hlist_for_each_entry(x, entry, init_net.xfrm.state_bydst+i, bydst) {
620 if (!xfrm_state_kern(x) &&
621 xfrm_id_proto_match(x->id.proto, proto)) {
623 spin_unlock_bh(&xfrm_state_lock);
625 err = xfrm_state_delete(x);
626 xfrm_audit_state_delete(x, err ? 0 : 1,
627 audit_info->loginuid,
628 audit_info->sessionid,
632 spin_lock_bh(&xfrm_state_lock);
640 spin_unlock_bh(&xfrm_state_lock);
644 EXPORT_SYMBOL(xfrm_state_flush);
646 void xfrm_sad_getinfo(struct xfrmk_sadinfo *si)
648 spin_lock_bh(&xfrm_state_lock);
649 si->sadcnt = init_net.xfrm.state_num;
650 si->sadhcnt = init_net.xfrm.state_hmask;
651 si->sadhmcnt = xfrm_state_hashmax;
652 spin_unlock_bh(&xfrm_state_lock);
654 EXPORT_SYMBOL(xfrm_sad_getinfo);
657 xfrm_init_tempsel(struct xfrm_state *x, struct flowi *fl,
658 struct xfrm_tmpl *tmpl,
659 xfrm_address_t *daddr, xfrm_address_t *saddr,
660 unsigned short family)
662 struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family);
665 afinfo->init_tempsel(x, fl, tmpl, daddr, saddr);
666 xfrm_state_put_afinfo(afinfo);
670 static struct xfrm_state *__xfrm_state_lookup(xfrm_address_t *daddr, __be32 spi, u8 proto, unsigned short family)
672 unsigned int h = xfrm_spi_hash(daddr, spi, proto, family);
673 struct xfrm_state *x;
674 struct hlist_node *entry;
676 hlist_for_each_entry(x, entry, init_net.xfrm.state_byspi+h, byspi) {
677 if (x->props.family != family ||
679 x->id.proto != proto)
684 if (x->id.daddr.a4 != daddr->a4)
688 if (!ipv6_addr_equal((struct in6_addr *)daddr,
702 static struct xfrm_state *__xfrm_state_lookup_byaddr(xfrm_address_t *daddr, xfrm_address_t *saddr, u8 proto, unsigned short family)
704 unsigned int h = xfrm_src_hash(daddr, saddr, family);
705 struct xfrm_state *x;
706 struct hlist_node *entry;
708 hlist_for_each_entry(x, entry, init_net.xfrm.state_bysrc+h, bysrc) {
709 if (x->props.family != family ||
710 x->id.proto != proto)
715 if (x->id.daddr.a4 != daddr->a4 ||
716 x->props.saddr.a4 != saddr->a4)
720 if (!ipv6_addr_equal((struct in6_addr *)daddr,
723 !ipv6_addr_equal((struct in6_addr *)saddr,
737 static inline struct xfrm_state *
738 __xfrm_state_locate(struct xfrm_state *x, int use_spi, int family)
741 return __xfrm_state_lookup(&x->id.daddr, x->id.spi,
742 x->id.proto, family);
744 return __xfrm_state_lookup_byaddr(&x->id.daddr,
746 x->id.proto, family);
749 static void xfrm_hash_grow_check(int have_hash_collision)
751 if (have_hash_collision &&
752 (init_net.xfrm.state_hmask + 1) < xfrm_state_hashmax &&
753 init_net.xfrm.state_num > init_net.xfrm.state_hmask)
754 schedule_work(&init_net.xfrm.state_hash_work);
758 xfrm_state_find(xfrm_address_t *daddr, xfrm_address_t *saddr,
759 struct flowi *fl, struct xfrm_tmpl *tmpl,
760 struct xfrm_policy *pol, int *err,
761 unsigned short family)
764 struct hlist_node *entry;
765 struct xfrm_state *x, *x0, *to_put;
766 int acquire_in_progress = 0;
768 struct xfrm_state *best = NULL;
772 spin_lock_bh(&xfrm_state_lock);
773 h = xfrm_dst_hash(daddr, saddr, tmpl->reqid, family);
774 hlist_for_each_entry(x, entry, init_net.xfrm.state_bydst+h, bydst) {
775 if (x->props.family == family &&
776 x->props.reqid == tmpl->reqid &&
777 !(x->props.flags & XFRM_STATE_WILDRECV) &&
778 xfrm_state_addr_check(x, daddr, saddr, family) &&
779 tmpl->mode == x->props.mode &&
780 tmpl->id.proto == x->id.proto &&
781 (tmpl->id.spi == x->id.spi || !tmpl->id.spi)) {
783 1. There is a valid state with matching selector.
785 2. Valid state with inappropriate selector. Skip.
787 Entering area of "sysdeps".
789 3. If state is not valid, selector is temporary,
790 it selects only session which triggered
791 previous resolution. Key manager will do
792 something to install a state with proper
795 if (x->km.state == XFRM_STATE_VALID) {
796 if ((x->sel.family && !xfrm_selector_match(&x->sel, fl, x->sel.family)) ||
797 !security_xfrm_state_pol_flow_match(x, pol, fl))
800 best->km.dying > x->km.dying ||
801 (best->km.dying == x->km.dying &&
802 best->curlft.add_time < x->curlft.add_time))
804 } else if (x->km.state == XFRM_STATE_ACQ) {
805 acquire_in_progress = 1;
806 } else if (x->km.state == XFRM_STATE_ERROR ||
807 x->km.state == XFRM_STATE_EXPIRED) {
808 if (xfrm_selector_match(&x->sel, fl, x->sel.family) &&
809 security_xfrm_state_pol_flow_match(x, pol, fl))
816 if (!x && !error && !acquire_in_progress) {
818 (x0 = __xfrm_state_lookup(daddr, tmpl->id.spi,
819 tmpl->id.proto, family)) != NULL) {
824 x = xfrm_state_alloc(&init_net);
829 /* Initialize temporary selector matching only
830 * to current session. */
831 xfrm_init_tempsel(x, fl, tmpl, daddr, saddr, family);
833 error = security_xfrm_state_alloc_acquire(x, pol->security, fl->secid);
835 x->km.state = XFRM_STATE_DEAD;
841 if (km_query(x, tmpl, pol) == 0) {
842 x->km.state = XFRM_STATE_ACQ;
843 list_add(&x->km.all, &init_net.xfrm.state_all);
844 hlist_add_head(&x->bydst, init_net.xfrm.state_bydst+h);
845 h = xfrm_src_hash(daddr, saddr, family);
846 hlist_add_head(&x->bysrc, init_net.xfrm.state_bysrc+h);
848 h = xfrm_spi_hash(&x->id.daddr, x->id.spi, x->id.proto, family);
849 hlist_add_head(&x->byspi, init_net.xfrm.state_byspi+h);
851 x->lft.hard_add_expires_seconds = sysctl_xfrm_acq_expires;
852 x->timer.expires = jiffies + sysctl_xfrm_acq_expires*HZ;
853 add_timer(&x->timer);
854 init_net.xfrm.state_num++;
855 xfrm_hash_grow_check(x->bydst.next != NULL);
857 x->km.state = XFRM_STATE_DEAD;
867 *err = acquire_in_progress ? -EAGAIN : error;
868 spin_unlock_bh(&xfrm_state_lock);
870 xfrm_state_put(to_put);
875 xfrm_stateonly_find(xfrm_address_t *daddr, xfrm_address_t *saddr,
876 unsigned short family, u8 mode, u8 proto, u32 reqid)
879 struct xfrm_state *rx = NULL, *x = NULL;
880 struct hlist_node *entry;
882 spin_lock(&xfrm_state_lock);
883 h = xfrm_dst_hash(daddr, saddr, reqid, family);
884 hlist_for_each_entry(x, entry, init_net.xfrm.state_bydst+h, bydst) {
885 if (x->props.family == family &&
886 x->props.reqid == reqid &&
887 !(x->props.flags & XFRM_STATE_WILDRECV) &&
888 xfrm_state_addr_check(x, daddr, saddr, family) &&
889 mode == x->props.mode &&
890 proto == x->id.proto &&
891 x->km.state == XFRM_STATE_VALID) {
899 spin_unlock(&xfrm_state_lock);
904 EXPORT_SYMBOL(xfrm_stateonly_find);
906 static void __xfrm_state_insert(struct xfrm_state *x)
910 x->genid = ++xfrm_state_genid;
912 list_add(&x->km.all, &init_net.xfrm.state_all);
914 h = xfrm_dst_hash(&x->id.daddr, &x->props.saddr,
915 x->props.reqid, x->props.family);
916 hlist_add_head(&x->bydst, init_net.xfrm.state_bydst+h);
918 h = xfrm_src_hash(&x->id.daddr, &x->props.saddr, x->props.family);
919 hlist_add_head(&x->bysrc, init_net.xfrm.state_bysrc+h);
922 h = xfrm_spi_hash(&x->id.daddr, x->id.spi, x->id.proto,
925 hlist_add_head(&x->byspi, init_net.xfrm.state_byspi+h);
928 mod_timer(&x->timer, jiffies + HZ);
929 if (x->replay_maxage)
930 mod_timer(&x->rtimer, jiffies + x->replay_maxage);
934 init_net.xfrm.state_num++;
936 xfrm_hash_grow_check(x->bydst.next != NULL);
939 /* xfrm_state_lock is held */
940 static void __xfrm_state_bump_genids(struct xfrm_state *xnew)
942 unsigned short family = xnew->props.family;
943 u32 reqid = xnew->props.reqid;
944 struct xfrm_state *x;
945 struct hlist_node *entry;
948 h = xfrm_dst_hash(&xnew->id.daddr, &xnew->props.saddr, reqid, family);
949 hlist_for_each_entry(x, entry, init_net.xfrm.state_bydst+h, bydst) {
950 if (x->props.family == family &&
951 x->props.reqid == reqid &&
952 !xfrm_addr_cmp(&x->id.daddr, &xnew->id.daddr, family) &&
953 !xfrm_addr_cmp(&x->props.saddr, &xnew->props.saddr, family))
954 x->genid = xfrm_state_genid;
958 void xfrm_state_insert(struct xfrm_state *x)
960 spin_lock_bh(&xfrm_state_lock);
961 __xfrm_state_bump_genids(x);
962 __xfrm_state_insert(x);
963 spin_unlock_bh(&xfrm_state_lock);
965 EXPORT_SYMBOL(xfrm_state_insert);
967 /* xfrm_state_lock is held */
968 static struct xfrm_state *__find_acq_core(unsigned short family, u8 mode, u32 reqid, u8 proto, xfrm_address_t *daddr, xfrm_address_t *saddr, int create)
970 unsigned int h = xfrm_dst_hash(daddr, saddr, reqid, family);
971 struct hlist_node *entry;
972 struct xfrm_state *x;
974 hlist_for_each_entry(x, entry, init_net.xfrm.state_bydst+h, bydst) {
975 if (x->props.reqid != reqid ||
976 x->props.mode != mode ||
977 x->props.family != family ||
978 x->km.state != XFRM_STATE_ACQ ||
980 x->id.proto != proto)
985 if (x->id.daddr.a4 != daddr->a4 ||
986 x->props.saddr.a4 != saddr->a4)
990 if (!ipv6_addr_equal((struct in6_addr *)x->id.daddr.a6,
991 (struct in6_addr *)daddr) ||
992 !ipv6_addr_equal((struct in6_addr *)
994 (struct in6_addr *)saddr))
1006 x = xfrm_state_alloc(&init_net);
1010 x->sel.daddr.a4 = daddr->a4;
1011 x->sel.saddr.a4 = saddr->a4;
1012 x->sel.prefixlen_d = 32;
1013 x->sel.prefixlen_s = 32;
1014 x->props.saddr.a4 = saddr->a4;
1015 x->id.daddr.a4 = daddr->a4;
1019 ipv6_addr_copy((struct in6_addr *)x->sel.daddr.a6,
1020 (struct in6_addr *)daddr);
1021 ipv6_addr_copy((struct in6_addr *)x->sel.saddr.a6,
1022 (struct in6_addr *)saddr);
1023 x->sel.prefixlen_d = 128;
1024 x->sel.prefixlen_s = 128;
1025 ipv6_addr_copy((struct in6_addr *)x->props.saddr.a6,
1026 (struct in6_addr *)saddr);
1027 ipv6_addr_copy((struct in6_addr *)x->id.daddr.a6,
1028 (struct in6_addr *)daddr);
1032 x->km.state = XFRM_STATE_ACQ;
1033 x->id.proto = proto;
1034 x->props.family = family;
1035 x->props.mode = mode;
1036 x->props.reqid = reqid;
1037 x->lft.hard_add_expires_seconds = sysctl_xfrm_acq_expires;
1039 x->timer.expires = jiffies + sysctl_xfrm_acq_expires*HZ;
1040 add_timer(&x->timer);
1041 list_add(&x->km.all, &init_net.xfrm.state_all);
1042 hlist_add_head(&x->bydst, init_net.xfrm.state_bydst+h);
1043 h = xfrm_src_hash(daddr, saddr, family);
1044 hlist_add_head(&x->bysrc, init_net.xfrm.state_bysrc+h);
1046 init_net.xfrm.state_num++;
1048 xfrm_hash_grow_check(x->bydst.next != NULL);
1054 static struct xfrm_state *__xfrm_find_acq_byseq(u32 seq);
1056 int xfrm_state_add(struct xfrm_state *x)
1058 struct xfrm_state *x1, *to_put;
1061 int use_spi = xfrm_id_proto_match(x->id.proto, IPSEC_PROTO_ANY);
1063 family = x->props.family;
1067 spin_lock_bh(&xfrm_state_lock);
1069 x1 = __xfrm_state_locate(x, use_spi, family);
1077 if (use_spi && x->km.seq) {
1078 x1 = __xfrm_find_acq_byseq(x->km.seq);
1079 if (x1 && ((x1->id.proto != x->id.proto) ||
1080 xfrm_addr_cmp(&x1->id.daddr, &x->id.daddr, family))) {
1087 x1 = __find_acq_core(family, x->props.mode, x->props.reqid,
1089 &x->id.daddr, &x->props.saddr, 0);
1091 __xfrm_state_bump_genids(x);
1092 __xfrm_state_insert(x);
1096 spin_unlock_bh(&xfrm_state_lock);
1099 xfrm_state_delete(x1);
1104 xfrm_state_put(to_put);
1108 EXPORT_SYMBOL(xfrm_state_add);
1110 #ifdef CONFIG_XFRM_MIGRATE
1111 static struct xfrm_state *xfrm_state_clone(struct xfrm_state *orig, int *errp)
1114 struct xfrm_state *x = xfrm_state_alloc(&init_net);
1118 memcpy(&x->id, &orig->id, sizeof(x->id));
1119 memcpy(&x->sel, &orig->sel, sizeof(x->sel));
1120 memcpy(&x->lft, &orig->lft, sizeof(x->lft));
1121 x->props.mode = orig->props.mode;
1122 x->props.replay_window = orig->props.replay_window;
1123 x->props.reqid = orig->props.reqid;
1124 x->props.family = orig->props.family;
1125 x->props.saddr = orig->props.saddr;
1128 x->aalg = xfrm_algo_clone(orig->aalg);
1132 x->props.aalgo = orig->props.aalgo;
1135 x->ealg = xfrm_algo_clone(orig->ealg);
1139 x->props.ealgo = orig->props.ealgo;
1142 x->calg = xfrm_algo_clone(orig->calg);
1146 x->props.calgo = orig->props.calgo;
1149 x->encap = kmemdup(orig->encap, sizeof(*x->encap), GFP_KERNEL);
1155 x->coaddr = kmemdup(orig->coaddr, sizeof(*x->coaddr),
1161 err = xfrm_init_state(x);
1165 x->props.flags = orig->props.flags;
1167 x->curlft.add_time = orig->curlft.add_time;
1168 x->km.state = orig->km.state;
1169 x->km.seq = orig->km.seq;
1187 /* xfrm_state_lock is held */
1188 struct xfrm_state * xfrm_migrate_state_find(struct xfrm_migrate *m)
1191 struct xfrm_state *x;
1192 struct hlist_node *entry;
1195 h = xfrm_dst_hash(&m->old_daddr, &m->old_saddr,
1196 m->reqid, m->old_family);
1197 hlist_for_each_entry(x, entry, init_net.xfrm.state_bydst+h, bydst) {
1198 if (x->props.mode != m->mode ||
1199 x->id.proto != m->proto)
1201 if (m->reqid && x->props.reqid != m->reqid)
1203 if (xfrm_addr_cmp(&x->id.daddr, &m->old_daddr,
1205 xfrm_addr_cmp(&x->props.saddr, &m->old_saddr,
1212 h = xfrm_src_hash(&m->old_daddr, &m->old_saddr,
1214 hlist_for_each_entry(x, entry, init_net.xfrm.state_bysrc+h, bysrc) {
1215 if (x->props.mode != m->mode ||
1216 x->id.proto != m->proto)
1218 if (xfrm_addr_cmp(&x->id.daddr, &m->old_daddr,
1220 xfrm_addr_cmp(&x->props.saddr, &m->old_saddr,
1230 EXPORT_SYMBOL(xfrm_migrate_state_find);
1232 struct xfrm_state * xfrm_state_migrate(struct xfrm_state *x,
1233 struct xfrm_migrate *m)
1235 struct xfrm_state *xc;
1238 xc = xfrm_state_clone(x, &err);
1242 memcpy(&xc->id.daddr, &m->new_daddr, sizeof(xc->id.daddr));
1243 memcpy(&xc->props.saddr, &m->new_saddr, sizeof(xc->props.saddr));
1246 if (!xfrm_addr_cmp(&x->id.daddr, &m->new_daddr, m->new_family)) {
1247 /* a care is needed when the destination address of the
1248 state is to be updated as it is a part of triplet */
1249 xfrm_state_insert(xc);
1251 if ((err = xfrm_state_add(xc)) < 0)
1260 EXPORT_SYMBOL(xfrm_state_migrate);
1263 int xfrm_state_update(struct xfrm_state *x)
1265 struct xfrm_state *x1, *to_put;
1267 int use_spi = xfrm_id_proto_match(x->id.proto, IPSEC_PROTO_ANY);
1271 spin_lock_bh(&xfrm_state_lock);
1272 x1 = __xfrm_state_locate(x, use_spi, x->props.family);
1278 if (xfrm_state_kern(x1)) {
1284 if (x1->km.state == XFRM_STATE_ACQ) {
1285 __xfrm_state_insert(x);
1291 spin_unlock_bh(&xfrm_state_lock);
1294 xfrm_state_put(to_put);
1300 xfrm_state_delete(x1);
1306 spin_lock_bh(&x1->lock);
1307 if (likely(x1->km.state == XFRM_STATE_VALID)) {
1308 if (x->encap && x1->encap)
1309 memcpy(x1->encap, x->encap, sizeof(*x1->encap));
1310 if (x->coaddr && x1->coaddr) {
1311 memcpy(x1->coaddr, x->coaddr, sizeof(*x1->coaddr));
1313 if (!use_spi && memcmp(&x1->sel, &x->sel, sizeof(x1->sel)))
1314 memcpy(&x1->sel, &x->sel, sizeof(x1->sel));
1315 memcpy(&x1->lft, &x->lft, sizeof(x1->lft));
1318 mod_timer(&x1->timer, jiffies + HZ);
1319 if (x1->curlft.use_time)
1320 xfrm_state_check_expire(x1);
1324 spin_unlock_bh(&x1->lock);
1330 EXPORT_SYMBOL(xfrm_state_update);
1332 int xfrm_state_check_expire(struct xfrm_state *x)
1334 if (!x->curlft.use_time)
1335 x->curlft.use_time = get_seconds();
1337 if (x->km.state != XFRM_STATE_VALID)
1340 if (x->curlft.bytes >= x->lft.hard_byte_limit ||
1341 x->curlft.packets >= x->lft.hard_packet_limit) {
1342 x->km.state = XFRM_STATE_EXPIRED;
1343 mod_timer(&x->timer, jiffies);
1348 (x->curlft.bytes >= x->lft.soft_byte_limit ||
1349 x->curlft.packets >= x->lft.soft_packet_limit)) {
1351 km_state_expired(x, 0, 0);
1355 EXPORT_SYMBOL(xfrm_state_check_expire);
1358 xfrm_state_lookup(xfrm_address_t *daddr, __be32 spi, u8 proto,
1359 unsigned short family)
1361 struct xfrm_state *x;
1363 spin_lock_bh(&xfrm_state_lock);
1364 x = __xfrm_state_lookup(daddr, spi, proto, family);
1365 spin_unlock_bh(&xfrm_state_lock);
1368 EXPORT_SYMBOL(xfrm_state_lookup);
1371 xfrm_state_lookup_byaddr(xfrm_address_t *daddr, xfrm_address_t *saddr,
1372 u8 proto, unsigned short family)
1374 struct xfrm_state *x;
1376 spin_lock_bh(&xfrm_state_lock);
1377 x = __xfrm_state_lookup_byaddr(daddr, saddr, proto, family);
1378 spin_unlock_bh(&xfrm_state_lock);
1381 EXPORT_SYMBOL(xfrm_state_lookup_byaddr);
1384 xfrm_find_acq(u8 mode, u32 reqid, u8 proto,
1385 xfrm_address_t *daddr, xfrm_address_t *saddr,
1386 int create, unsigned short family)
1388 struct xfrm_state *x;
1390 spin_lock_bh(&xfrm_state_lock);
1391 x = __find_acq_core(family, mode, reqid, proto, daddr, saddr, create);
1392 spin_unlock_bh(&xfrm_state_lock);
1396 EXPORT_SYMBOL(xfrm_find_acq);
1398 #ifdef CONFIG_XFRM_SUB_POLICY
1400 xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, int n,
1401 unsigned short family)
1404 struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family);
1406 return -EAFNOSUPPORT;
1408 spin_lock_bh(&xfrm_state_lock);
1409 if (afinfo->tmpl_sort)
1410 err = afinfo->tmpl_sort(dst, src, n);
1411 spin_unlock_bh(&xfrm_state_lock);
1412 xfrm_state_put_afinfo(afinfo);
1415 EXPORT_SYMBOL(xfrm_tmpl_sort);
1418 xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src, int n,
1419 unsigned short family)
1422 struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family);
1424 return -EAFNOSUPPORT;
1426 spin_lock_bh(&xfrm_state_lock);
1427 if (afinfo->state_sort)
1428 err = afinfo->state_sort(dst, src, n);
1429 spin_unlock_bh(&xfrm_state_lock);
1430 xfrm_state_put_afinfo(afinfo);
1433 EXPORT_SYMBOL(xfrm_state_sort);
1436 /* Silly enough, but I'm lazy to build resolution list */
1438 static struct xfrm_state *__xfrm_find_acq_byseq(u32 seq)
1442 for (i = 0; i <= init_net.xfrm.state_hmask; i++) {
1443 struct hlist_node *entry;
1444 struct xfrm_state *x;
1446 hlist_for_each_entry(x, entry, init_net.xfrm.state_bydst+i, bydst) {
1447 if (x->km.seq == seq &&
1448 x->km.state == XFRM_STATE_ACQ) {
1457 struct xfrm_state *xfrm_find_acq_byseq(u32 seq)
1459 struct xfrm_state *x;
1461 spin_lock_bh(&xfrm_state_lock);
1462 x = __xfrm_find_acq_byseq(seq);
1463 spin_unlock_bh(&xfrm_state_lock);
1466 EXPORT_SYMBOL(xfrm_find_acq_byseq);
1468 u32 xfrm_get_acqseq(void)
1472 static DEFINE_SPINLOCK(acqseq_lock);
1474 spin_lock_bh(&acqseq_lock);
1475 res = (++acqseq ? : ++acqseq);
1476 spin_unlock_bh(&acqseq_lock);
1479 EXPORT_SYMBOL(xfrm_get_acqseq);
1481 int xfrm_alloc_spi(struct xfrm_state *x, u32 low, u32 high)
1484 struct xfrm_state *x0;
1486 __be32 minspi = htonl(low);
1487 __be32 maxspi = htonl(high);
1489 spin_lock_bh(&x->lock);
1490 if (x->km.state == XFRM_STATE_DEAD)
1499 if (minspi == maxspi) {
1500 x0 = xfrm_state_lookup(&x->id.daddr, minspi, x->id.proto, x->props.family);
1508 for (h=0; h<high-low+1; h++) {
1509 spi = low + net_random()%(high-low+1);
1510 x0 = xfrm_state_lookup(&x->id.daddr, htonl(spi), x->id.proto, x->props.family);
1512 x->id.spi = htonl(spi);
1519 spin_lock_bh(&xfrm_state_lock);
1520 h = xfrm_spi_hash(&x->id.daddr, x->id.spi, x->id.proto, x->props.family);
1521 hlist_add_head(&x->byspi, init_net.xfrm.state_byspi+h);
1522 spin_unlock_bh(&xfrm_state_lock);
1528 spin_unlock_bh(&x->lock);
1532 EXPORT_SYMBOL(xfrm_alloc_spi);
1534 int xfrm_state_walk(struct xfrm_state_walk *walk,
1535 int (*func)(struct xfrm_state *, int, void*),
1538 struct xfrm_state *state;
1539 struct xfrm_state_walk *x;
1542 if (walk->seq != 0 && list_empty(&walk->all))
1545 spin_lock_bh(&xfrm_state_lock);
1546 if (list_empty(&walk->all))
1547 x = list_first_entry(&init_net.xfrm.state_all, struct xfrm_state_walk, all);
1549 x = list_entry(&walk->all, struct xfrm_state_walk, all);
1550 list_for_each_entry_from(x, &init_net.xfrm.state_all, all) {
1551 if (x->state == XFRM_STATE_DEAD)
1553 state = container_of(x, struct xfrm_state, km);
1554 if (!xfrm_id_proto_match(state->id.proto, walk->proto))
1556 err = func(state, walk->seq, data);
1558 list_move_tail(&walk->all, &x->all);
1563 if (walk->seq == 0) {
1567 list_del_init(&walk->all);
1569 spin_unlock_bh(&xfrm_state_lock);
1572 EXPORT_SYMBOL(xfrm_state_walk);
1574 void xfrm_state_walk_init(struct xfrm_state_walk *walk, u8 proto)
1576 INIT_LIST_HEAD(&walk->all);
1577 walk->proto = proto;
1578 walk->state = XFRM_STATE_DEAD;
1581 EXPORT_SYMBOL(xfrm_state_walk_init);
1583 void xfrm_state_walk_done(struct xfrm_state_walk *walk)
1585 if (list_empty(&walk->all))
1588 spin_lock_bh(&xfrm_state_lock);
1589 list_del(&walk->all);
1590 spin_lock_bh(&xfrm_state_lock);
1592 EXPORT_SYMBOL(xfrm_state_walk_done);
1595 void xfrm_replay_notify(struct xfrm_state *x, int event)
1598 /* we send notify messages in case
1599 * 1. we updated on of the sequence numbers, and the seqno difference
1600 * is at least x->replay_maxdiff, in this case we also update the
1601 * timeout of our timer function
1602 * 2. if x->replay_maxage has elapsed since last update,
1603 * and there were changes
1605 * The state structure must be locked!
1609 case XFRM_REPLAY_UPDATE:
1610 if (x->replay_maxdiff &&
1611 (x->replay.seq - x->preplay.seq < x->replay_maxdiff) &&
1612 (x->replay.oseq - x->preplay.oseq < x->replay_maxdiff)) {
1613 if (x->xflags & XFRM_TIME_DEFER)
1614 event = XFRM_REPLAY_TIMEOUT;
1621 case XFRM_REPLAY_TIMEOUT:
1622 if ((x->replay.seq == x->preplay.seq) &&
1623 (x->replay.bitmap == x->preplay.bitmap) &&
1624 (x->replay.oseq == x->preplay.oseq)) {
1625 x->xflags |= XFRM_TIME_DEFER;
1632 memcpy(&x->preplay, &x->replay, sizeof(struct xfrm_replay_state));
1633 c.event = XFRM_MSG_NEWAE;
1634 c.data.aevent = event;
1635 km_state_notify(x, &c);
1637 if (x->replay_maxage &&
1638 !mod_timer(&x->rtimer, jiffies + x->replay_maxage))
1639 x->xflags &= ~XFRM_TIME_DEFER;
1642 static void xfrm_replay_timer_handler(unsigned long data)
1644 struct xfrm_state *x = (struct xfrm_state*)data;
1646 spin_lock(&x->lock);
1648 if (x->km.state == XFRM_STATE_VALID) {
1649 if (xfrm_aevent_is_on())
1650 xfrm_replay_notify(x, XFRM_REPLAY_TIMEOUT);
1652 x->xflags |= XFRM_TIME_DEFER;
1655 spin_unlock(&x->lock);
1658 int xfrm_replay_check(struct xfrm_state *x,
1659 struct sk_buff *skb, __be32 net_seq)
1662 u32 seq = ntohl(net_seq);
1664 if (unlikely(seq == 0))
1667 if (likely(seq > x->replay.seq))
1670 diff = x->replay.seq - seq;
1671 if (diff >= min_t(unsigned int, x->props.replay_window,
1672 sizeof(x->replay.bitmap) * 8)) {
1673 x->stats.replay_window++;
1677 if (x->replay.bitmap & (1U << diff)) {
1684 xfrm_audit_state_replay(x, skb, net_seq);
1688 void xfrm_replay_advance(struct xfrm_state *x, __be32 net_seq)
1691 u32 seq = ntohl(net_seq);
1693 if (seq > x->replay.seq) {
1694 diff = seq - x->replay.seq;
1695 if (diff < x->props.replay_window)
1696 x->replay.bitmap = ((x->replay.bitmap) << diff) | 1;
1698 x->replay.bitmap = 1;
1699 x->replay.seq = seq;
1701 diff = x->replay.seq - seq;
1702 x->replay.bitmap |= (1U << diff);
1705 if (xfrm_aevent_is_on())
1706 xfrm_replay_notify(x, XFRM_REPLAY_UPDATE);
1709 static LIST_HEAD(xfrm_km_list);
1710 static DEFINE_RWLOCK(xfrm_km_lock);
1712 void km_policy_notify(struct xfrm_policy *xp, int dir, struct km_event *c)
1714 struct xfrm_mgr *km;
1716 read_lock(&xfrm_km_lock);
1717 list_for_each_entry(km, &xfrm_km_list, list)
1718 if (km->notify_policy)
1719 km->notify_policy(xp, dir, c);
1720 read_unlock(&xfrm_km_lock);
1723 void km_state_notify(struct xfrm_state *x, struct km_event *c)
1725 struct xfrm_mgr *km;
1726 read_lock(&xfrm_km_lock);
1727 list_for_each_entry(km, &xfrm_km_list, list)
1730 read_unlock(&xfrm_km_lock);
1733 EXPORT_SYMBOL(km_policy_notify);
1734 EXPORT_SYMBOL(km_state_notify);
1736 void km_state_expired(struct xfrm_state *x, int hard, u32 pid)
1742 c.event = XFRM_MSG_EXPIRE;
1743 km_state_notify(x, &c);
1749 EXPORT_SYMBOL(km_state_expired);
1751 * We send to all registered managers regardless of failure
1752 * We are happy with one success
1754 int km_query(struct xfrm_state *x, struct xfrm_tmpl *t, struct xfrm_policy *pol)
1756 int err = -EINVAL, acqret;
1757 struct xfrm_mgr *km;
1759 read_lock(&xfrm_km_lock);
1760 list_for_each_entry(km, &xfrm_km_list, list) {
1761 acqret = km->acquire(x, t, pol, XFRM_POLICY_OUT);
1765 read_unlock(&xfrm_km_lock);
1768 EXPORT_SYMBOL(km_query);
1770 int km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport)
1773 struct xfrm_mgr *km;
1775 read_lock(&xfrm_km_lock);
1776 list_for_each_entry(km, &xfrm_km_list, list) {
1777 if (km->new_mapping)
1778 err = km->new_mapping(x, ipaddr, sport);
1782 read_unlock(&xfrm_km_lock);
1785 EXPORT_SYMBOL(km_new_mapping);
1787 void km_policy_expired(struct xfrm_policy *pol, int dir, int hard, u32 pid)
1793 c.event = XFRM_MSG_POLEXPIRE;
1794 km_policy_notify(pol, dir, &c);
1799 EXPORT_SYMBOL(km_policy_expired);
1801 #ifdef CONFIG_XFRM_MIGRATE
1802 int km_migrate(struct xfrm_selector *sel, u8 dir, u8 type,
1803 struct xfrm_migrate *m, int num_migrate,
1804 struct xfrm_kmaddress *k)
1808 struct xfrm_mgr *km;
1810 read_lock(&xfrm_km_lock);
1811 list_for_each_entry(km, &xfrm_km_list, list) {
1813 ret = km->migrate(sel, dir, type, m, num_migrate, k);
1818 read_unlock(&xfrm_km_lock);
1821 EXPORT_SYMBOL(km_migrate);
1824 int km_report(u8 proto, struct xfrm_selector *sel, xfrm_address_t *addr)
1828 struct xfrm_mgr *km;
1830 read_lock(&xfrm_km_lock);
1831 list_for_each_entry(km, &xfrm_km_list, list) {
1833 ret = km->report(proto, sel, addr);
1838 read_unlock(&xfrm_km_lock);
1841 EXPORT_SYMBOL(km_report);
1843 int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen)
1847 struct xfrm_mgr *km;
1848 struct xfrm_policy *pol = NULL;
1850 if (optlen <= 0 || optlen > PAGE_SIZE)
1853 data = kmalloc(optlen, GFP_KERNEL);
1858 if (copy_from_user(data, optval, optlen))
1862 read_lock(&xfrm_km_lock);
1863 list_for_each_entry(km, &xfrm_km_list, list) {
1864 pol = km->compile_policy(sk, optname, data,
1869 read_unlock(&xfrm_km_lock);
1872 xfrm_sk_policy_insert(sk, err, pol);
1881 EXPORT_SYMBOL(xfrm_user_policy);
1883 int xfrm_register_km(struct xfrm_mgr *km)
1885 write_lock_bh(&xfrm_km_lock);
1886 list_add_tail(&km->list, &xfrm_km_list);
1887 write_unlock_bh(&xfrm_km_lock);
1890 EXPORT_SYMBOL(xfrm_register_km);
1892 int xfrm_unregister_km(struct xfrm_mgr *km)
1894 write_lock_bh(&xfrm_km_lock);
1895 list_del(&km->list);
1896 write_unlock_bh(&xfrm_km_lock);
1899 EXPORT_SYMBOL(xfrm_unregister_km);
1901 int xfrm_state_register_afinfo(struct xfrm_state_afinfo *afinfo)
1904 if (unlikely(afinfo == NULL))
1906 if (unlikely(afinfo->family >= NPROTO))
1907 return -EAFNOSUPPORT;
1908 write_lock_bh(&xfrm_state_afinfo_lock);
1909 if (unlikely(xfrm_state_afinfo[afinfo->family] != NULL))
1912 xfrm_state_afinfo[afinfo->family] = afinfo;
1913 write_unlock_bh(&xfrm_state_afinfo_lock);
1916 EXPORT_SYMBOL(xfrm_state_register_afinfo);
1918 int xfrm_state_unregister_afinfo(struct xfrm_state_afinfo *afinfo)
1921 if (unlikely(afinfo == NULL))
1923 if (unlikely(afinfo->family >= NPROTO))
1924 return -EAFNOSUPPORT;
1925 write_lock_bh(&xfrm_state_afinfo_lock);
1926 if (likely(xfrm_state_afinfo[afinfo->family] != NULL)) {
1927 if (unlikely(xfrm_state_afinfo[afinfo->family] != afinfo))
1930 xfrm_state_afinfo[afinfo->family] = NULL;
1932 write_unlock_bh(&xfrm_state_afinfo_lock);
1935 EXPORT_SYMBOL(xfrm_state_unregister_afinfo);
1937 static struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned int family)
1939 struct xfrm_state_afinfo *afinfo;
1940 if (unlikely(family >= NPROTO))
1942 read_lock(&xfrm_state_afinfo_lock);
1943 afinfo = xfrm_state_afinfo[family];
1944 if (unlikely(!afinfo))
1945 read_unlock(&xfrm_state_afinfo_lock);
1949 static void xfrm_state_put_afinfo(struct xfrm_state_afinfo *afinfo)
1950 __releases(xfrm_state_afinfo_lock)
1952 read_unlock(&xfrm_state_afinfo_lock);
1955 /* Temporarily located here until net/xfrm/xfrm_tunnel.c is created */
1956 void xfrm_state_delete_tunnel(struct xfrm_state *x)
1959 struct xfrm_state *t = x->tunnel;
1961 if (atomic_read(&t->tunnel_users) == 2)
1962 xfrm_state_delete(t);
1963 atomic_dec(&t->tunnel_users);
1968 EXPORT_SYMBOL(xfrm_state_delete_tunnel);
1970 int xfrm_state_mtu(struct xfrm_state *x, int mtu)
1974 spin_lock_bh(&x->lock);
1975 if (x->km.state == XFRM_STATE_VALID &&
1976 x->type && x->type->get_mtu)
1977 res = x->type->get_mtu(x, mtu);
1979 res = mtu - x->props.header_len;
1980 spin_unlock_bh(&x->lock);
1984 int xfrm_init_state(struct xfrm_state *x)
1986 struct xfrm_state_afinfo *afinfo;
1987 struct xfrm_mode *inner_mode;
1988 int family = x->props.family;
1991 err = -EAFNOSUPPORT;
1992 afinfo = xfrm_state_get_afinfo(family);
1997 if (afinfo->init_flags)
1998 err = afinfo->init_flags(x);
2000 xfrm_state_put_afinfo(afinfo);
2005 err = -EPROTONOSUPPORT;
2007 if (x->sel.family != AF_UNSPEC) {
2008 inner_mode = xfrm_get_mode(x->props.mode, x->sel.family);
2009 if (inner_mode == NULL)
2012 if (!(inner_mode->flags & XFRM_MODE_FLAG_TUNNEL) &&
2013 family != x->sel.family) {
2014 xfrm_put_mode(inner_mode);
2018 x->inner_mode = inner_mode;
2020 struct xfrm_mode *inner_mode_iaf;
2022 inner_mode = xfrm_get_mode(x->props.mode, AF_INET);
2023 if (inner_mode == NULL)
2026 if (!(inner_mode->flags & XFRM_MODE_FLAG_TUNNEL)) {
2027 xfrm_put_mode(inner_mode);
2031 inner_mode_iaf = xfrm_get_mode(x->props.mode, AF_INET6);
2032 if (inner_mode_iaf == NULL)
2035 if (!(inner_mode_iaf->flags & XFRM_MODE_FLAG_TUNNEL)) {
2036 xfrm_put_mode(inner_mode_iaf);
2040 if (x->props.family == AF_INET) {
2041 x->inner_mode = inner_mode;
2042 x->inner_mode_iaf = inner_mode_iaf;
2044 x->inner_mode = inner_mode_iaf;
2045 x->inner_mode_iaf = inner_mode;
2049 x->type = xfrm_get_type(x->id.proto, family);
2050 if (x->type == NULL)
2053 err = x->type->init_state(x);
2057 x->outer_mode = xfrm_get_mode(x->props.mode, family);
2058 if (x->outer_mode == NULL)
2061 x->km.state = XFRM_STATE_VALID;
2067 EXPORT_SYMBOL(xfrm_init_state);
2069 int __net_init xfrm_state_init(struct net *net)
2073 INIT_LIST_HEAD(&net->xfrm.state_all);
2075 sz = sizeof(struct hlist_head) * 8;
2077 net->xfrm.state_bydst = xfrm_hash_alloc(sz);
2078 if (!net->xfrm.state_bydst)
2080 net->xfrm.state_bysrc = xfrm_hash_alloc(sz);
2081 if (!net->xfrm.state_bysrc)
2083 net->xfrm.state_byspi = xfrm_hash_alloc(sz);
2084 if (!net->xfrm.state_byspi)
2086 net->xfrm.state_hmask = ((sz / sizeof(struct hlist_head)) - 1);
2088 net->xfrm.state_num = 0;
2089 INIT_WORK(&net->xfrm.state_hash_work, xfrm_hash_resize);
2090 INIT_HLIST_HEAD(&net->xfrm.state_gc_list);
2091 INIT_WORK(&net->xfrm.state_gc_work, xfrm_state_gc_task);
2095 xfrm_hash_free(net->xfrm.state_bysrc, sz);
2097 xfrm_hash_free(net->xfrm.state_bydst, sz);
2102 void xfrm_state_fini(struct net *net)
2106 WARN_ON(!list_empty(&net->xfrm.state_all));
2108 sz = (net->xfrm.state_hmask + 1) * sizeof(struct hlist_head);
2109 WARN_ON(!hlist_empty(net->xfrm.state_byspi));
2110 xfrm_hash_free(net->xfrm.state_byspi, sz);
2111 WARN_ON(!hlist_empty(net->xfrm.state_bysrc));
2112 xfrm_hash_free(net->xfrm.state_bysrc, sz);
2113 WARN_ON(!hlist_empty(net->xfrm.state_bydst));
2114 xfrm_hash_free(net->xfrm.state_bydst, sz);
2117 #ifdef CONFIG_AUDITSYSCALL
2118 static void xfrm_audit_helper_sainfo(struct xfrm_state *x,
2119 struct audit_buffer *audit_buf)
2121 struct xfrm_sec_ctx *ctx = x->security;
2122 u32 spi = ntohl(x->id.spi);
2125 audit_log_format(audit_buf, " sec_alg=%u sec_doi=%u sec_obj=%s",
2126 ctx->ctx_alg, ctx->ctx_doi, ctx->ctx_str);
2128 switch(x->props.family) {
2130 audit_log_format(audit_buf, " src=%pI4 dst=%pI4",
2131 &x->props.saddr.a4, &x->id.daddr.a4);
2134 audit_log_format(audit_buf, " src=%pI6 dst=%pI6",
2135 x->props.saddr.a6, x->id.daddr.a6);
2139 audit_log_format(audit_buf, " spi=%u(0x%x)", spi, spi);
2142 static void xfrm_audit_helper_pktinfo(struct sk_buff *skb, u16 family,
2143 struct audit_buffer *audit_buf)
2146 struct ipv6hdr *iph6;
2151 audit_log_format(audit_buf, " src=%pI4 dst=%pI4",
2152 &iph4->saddr, &iph4->daddr);
2155 iph6 = ipv6_hdr(skb);
2156 audit_log_format(audit_buf,
2157 " src=%pI6 dst=%pI6 flowlbl=0x%x%02x%02x",
2158 &iph6->saddr,&iph6->daddr,
2159 iph6->flow_lbl[0] & 0x0f,
2166 void xfrm_audit_state_add(struct xfrm_state *x, int result,
2167 uid_t auid, u32 sessionid, u32 secid)
2169 struct audit_buffer *audit_buf;
2171 audit_buf = xfrm_audit_start("SAD-add");
2172 if (audit_buf == NULL)
2174 xfrm_audit_helper_usrinfo(auid, sessionid, secid, audit_buf);
2175 xfrm_audit_helper_sainfo(x, audit_buf);
2176 audit_log_format(audit_buf, " res=%u", result);
2177 audit_log_end(audit_buf);
2179 EXPORT_SYMBOL_GPL(xfrm_audit_state_add);
2181 void xfrm_audit_state_delete(struct xfrm_state *x, int result,
2182 uid_t auid, u32 sessionid, u32 secid)
2184 struct audit_buffer *audit_buf;
2186 audit_buf = xfrm_audit_start("SAD-delete");
2187 if (audit_buf == NULL)
2189 xfrm_audit_helper_usrinfo(auid, sessionid, secid, audit_buf);
2190 xfrm_audit_helper_sainfo(x, audit_buf);
2191 audit_log_format(audit_buf, " res=%u", result);
2192 audit_log_end(audit_buf);
2194 EXPORT_SYMBOL_GPL(xfrm_audit_state_delete);
2196 void xfrm_audit_state_replay_overflow(struct xfrm_state *x,
2197 struct sk_buff *skb)
2199 struct audit_buffer *audit_buf;
2202 audit_buf = xfrm_audit_start("SA-replay-overflow");
2203 if (audit_buf == NULL)
2205 xfrm_audit_helper_pktinfo(skb, x->props.family, audit_buf);
2206 /* don't record the sequence number because it's inherent in this kind
2207 * of audit message */
2208 spi = ntohl(x->id.spi);
2209 audit_log_format(audit_buf, " spi=%u(0x%x)", spi, spi);
2210 audit_log_end(audit_buf);
2212 EXPORT_SYMBOL_GPL(xfrm_audit_state_replay_overflow);
2214 static void xfrm_audit_state_replay(struct xfrm_state *x,
2215 struct sk_buff *skb, __be32 net_seq)
2217 struct audit_buffer *audit_buf;
2220 audit_buf = xfrm_audit_start("SA-replayed-pkt");
2221 if (audit_buf == NULL)
2223 xfrm_audit_helper_pktinfo(skb, x->props.family, audit_buf);
2224 spi = ntohl(x->id.spi);
2225 audit_log_format(audit_buf, " spi=%u(0x%x) seqno=%u",
2226 spi, spi, ntohl(net_seq));
2227 audit_log_end(audit_buf);
2230 void xfrm_audit_state_notfound_simple(struct sk_buff *skb, u16 family)
2232 struct audit_buffer *audit_buf;
2234 audit_buf = xfrm_audit_start("SA-notfound");
2235 if (audit_buf == NULL)
2237 xfrm_audit_helper_pktinfo(skb, family, audit_buf);
2238 audit_log_end(audit_buf);
2240 EXPORT_SYMBOL_GPL(xfrm_audit_state_notfound_simple);
2242 void xfrm_audit_state_notfound(struct sk_buff *skb, u16 family,
2243 __be32 net_spi, __be32 net_seq)
2245 struct audit_buffer *audit_buf;
2248 audit_buf = xfrm_audit_start("SA-notfound");
2249 if (audit_buf == NULL)
2251 xfrm_audit_helper_pktinfo(skb, family, audit_buf);
2252 spi = ntohl(net_spi);
2253 audit_log_format(audit_buf, " spi=%u(0x%x) seqno=%u",
2254 spi, spi, ntohl(net_seq));
2255 audit_log_end(audit_buf);
2257 EXPORT_SYMBOL_GPL(xfrm_audit_state_notfound);
2259 void xfrm_audit_state_icvfail(struct xfrm_state *x,
2260 struct sk_buff *skb, u8 proto)
2262 struct audit_buffer *audit_buf;
2266 audit_buf = xfrm_audit_start("SA-icv-failure");
2267 if (audit_buf == NULL)
2269 xfrm_audit_helper_pktinfo(skb, x->props.family, audit_buf);
2270 if (xfrm_parse_spi(skb, proto, &net_spi, &net_seq) == 0) {
2271 u32 spi = ntohl(net_spi);
2272 audit_log_format(audit_buf, " spi=%u(0x%x) seqno=%u",
2273 spi, spi, ntohl(net_seq));
2275 audit_log_end(audit_buf);
2277 EXPORT_SYMBOL_GPL(xfrm_audit_state_icvfail);
2278 #endif /* CONFIG_AUDITSYSCALL */
projects / linux-2.6-omap-h63xx.git / blob