6 * Kazunori MIYAZAWA @USAGI
7 * Kunihiro Ishiguro <kunihiro@ipinfusion.com>
9 * YOSHIFUJI Hideaki @USAGI
10 * Split up af-specific functions
11 * Derek Atkins <derek@ihtfp.com>
12 * Add UDP Encapsulation
16 #include <linux/workqueue.h>
18 #include <linux/pfkeyv2.h>
19 #include <linux/ipsec.h>
20 #include <linux/module.h>
21 #include <linux/cache.h>
22 #include <linux/audit.h>
23 #include <asm/uaccess.h>
25 #include "xfrm_hash.h"
28 EXPORT_SYMBOL(xfrm_nl);
30 u32 sysctl_xfrm_aevent_etime __read_mostly = XFRM_AE_ETIME;
31 EXPORT_SYMBOL(sysctl_xfrm_aevent_etime);
33 u32 sysctl_xfrm_aevent_rseqth __read_mostly = XFRM_AE_SEQT_SIZE;
34 EXPORT_SYMBOL(sysctl_xfrm_aevent_rseqth);
36 u32 sysctl_xfrm_acq_expires __read_mostly = 30;
38 /* Each xfrm_state may be linked to two tables:
40 1. Hash table by (spi,daddr,ah/esp) to find SA by SPI. (input,ctl)
41 2. Hash table by (daddr,family,reqid) to find what SAs exist for given
42 destination/tunnel endpoint. (output)
45 static DEFINE_SPINLOCK(xfrm_state_lock);
47 static unsigned int xfrm_state_hashmax __read_mostly = 1 * 1024 * 1024;
48 static unsigned int xfrm_state_genid;
50 static struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned int family);
51 static void xfrm_state_put_afinfo(struct xfrm_state_afinfo *afinfo);
53 #ifdef CONFIG_AUDITSYSCALL
54 static void xfrm_audit_state_replay(struct xfrm_state *x,
55 struct sk_buff *skb, __be32 net_seq);
57 #define xfrm_audit_state_replay(x, s, sq) do { ; } while (0)
58 #endif /* CONFIG_AUDITSYSCALL */
60 static inline unsigned int xfrm_dst_hash(struct net *net,
61 xfrm_address_t *daddr,
62 xfrm_address_t *saddr,
64 unsigned short family)
66 return __xfrm_dst_hash(daddr, saddr, reqid, family, net->xfrm.state_hmask);
69 static inline unsigned int xfrm_src_hash(struct net *net,
70 xfrm_address_t *daddr,
71 xfrm_address_t *saddr,
72 unsigned short family)
74 return __xfrm_src_hash(daddr, saddr, family, net->xfrm.state_hmask);
77 static inline unsigned int
78 xfrm_spi_hash(struct net *net, xfrm_address_t *daddr, __be32 spi, u8 proto, unsigned short family)
80 return __xfrm_spi_hash(daddr, spi, proto, family, net->xfrm.state_hmask);
83 static void xfrm_hash_transfer(struct hlist_head *list,
84 struct hlist_head *ndsttable,
85 struct hlist_head *nsrctable,
86 struct hlist_head *nspitable,
87 unsigned int nhashmask)
89 struct hlist_node *entry, *tmp;
92 hlist_for_each_entry_safe(x, entry, tmp, list, bydst) {
95 h = __xfrm_dst_hash(&x->id.daddr, &x->props.saddr,
96 x->props.reqid, x->props.family,
98 hlist_add_head(&x->bydst, ndsttable+h);
100 h = __xfrm_src_hash(&x->id.daddr, &x->props.saddr,
103 hlist_add_head(&x->bysrc, nsrctable+h);
106 h = __xfrm_spi_hash(&x->id.daddr, x->id.spi,
107 x->id.proto, x->props.family,
109 hlist_add_head(&x->byspi, nspitable+h);
114 static unsigned long xfrm_hash_new_size(unsigned int state_hmask)
116 return ((state_hmask + 1) << 1) * sizeof(struct hlist_head);
119 static DEFINE_MUTEX(hash_resize_mutex);
121 static void xfrm_hash_resize(struct work_struct *work)
123 struct net *net = container_of(work, struct net, xfrm.state_hash_work);
124 struct hlist_head *ndst, *nsrc, *nspi, *odst, *osrc, *ospi;
125 unsigned long nsize, osize;
126 unsigned int nhashmask, ohashmask;
129 mutex_lock(&hash_resize_mutex);
131 nsize = xfrm_hash_new_size(net->xfrm.state_hmask);
132 ndst = xfrm_hash_alloc(nsize);
135 nsrc = xfrm_hash_alloc(nsize);
137 xfrm_hash_free(ndst, nsize);
140 nspi = xfrm_hash_alloc(nsize);
142 xfrm_hash_free(ndst, nsize);
143 xfrm_hash_free(nsrc, nsize);
147 spin_lock_bh(&xfrm_state_lock);
149 nhashmask = (nsize / sizeof(struct hlist_head)) - 1U;
150 for (i = net->xfrm.state_hmask; i >= 0; i--)
151 xfrm_hash_transfer(net->xfrm.state_bydst+i, ndst, nsrc, nspi,
154 odst = net->xfrm.state_bydst;
155 osrc = net->xfrm.state_bysrc;
156 ospi = net->xfrm.state_byspi;
157 ohashmask = net->xfrm.state_hmask;
159 net->xfrm.state_bydst = ndst;
160 net->xfrm.state_bysrc = nsrc;
161 net->xfrm.state_byspi = nspi;
162 net->xfrm.state_hmask = nhashmask;
164 spin_unlock_bh(&xfrm_state_lock);
166 osize = (ohashmask + 1) * sizeof(struct hlist_head);
167 xfrm_hash_free(odst, osize);
168 xfrm_hash_free(osrc, osize);
169 xfrm_hash_free(ospi, osize);
172 mutex_unlock(&hash_resize_mutex);
175 static DEFINE_RWLOCK(xfrm_state_afinfo_lock);
176 static struct xfrm_state_afinfo *xfrm_state_afinfo[NPROTO];
178 static DEFINE_SPINLOCK(xfrm_state_gc_lock);
180 int __xfrm_state_delete(struct xfrm_state *x);
182 int km_query(struct xfrm_state *x, struct xfrm_tmpl *t, struct xfrm_policy *pol);
183 void km_state_expired(struct xfrm_state *x, int hard, u32 pid);
185 static struct xfrm_state_afinfo *xfrm_state_lock_afinfo(unsigned int family)
187 struct xfrm_state_afinfo *afinfo;
188 if (unlikely(family >= NPROTO))
190 write_lock_bh(&xfrm_state_afinfo_lock);
191 afinfo = xfrm_state_afinfo[family];
192 if (unlikely(!afinfo))
193 write_unlock_bh(&xfrm_state_afinfo_lock);
197 static void xfrm_state_unlock_afinfo(struct xfrm_state_afinfo *afinfo)
198 __releases(xfrm_state_afinfo_lock)
200 write_unlock_bh(&xfrm_state_afinfo_lock);
203 int xfrm_register_type(const struct xfrm_type *type, unsigned short family)
205 struct xfrm_state_afinfo *afinfo = xfrm_state_lock_afinfo(family);
206 const struct xfrm_type **typemap;
209 if (unlikely(afinfo == NULL))
210 return -EAFNOSUPPORT;
211 typemap = afinfo->type_map;
213 if (likely(typemap[type->proto] == NULL))
214 typemap[type->proto] = type;
217 xfrm_state_unlock_afinfo(afinfo);
220 EXPORT_SYMBOL(xfrm_register_type);
222 int xfrm_unregister_type(const struct xfrm_type *type, unsigned short family)
224 struct xfrm_state_afinfo *afinfo = xfrm_state_lock_afinfo(family);
225 const struct xfrm_type **typemap;
228 if (unlikely(afinfo == NULL))
229 return -EAFNOSUPPORT;
230 typemap = afinfo->type_map;
232 if (unlikely(typemap[type->proto] != type))
235 typemap[type->proto] = NULL;
236 xfrm_state_unlock_afinfo(afinfo);
239 EXPORT_SYMBOL(xfrm_unregister_type);
241 static const struct xfrm_type *xfrm_get_type(u8 proto, unsigned short family)
243 struct xfrm_state_afinfo *afinfo;
244 const struct xfrm_type **typemap;
245 const struct xfrm_type *type;
246 int modload_attempted = 0;
249 afinfo = xfrm_state_get_afinfo(family);
250 if (unlikely(afinfo == NULL))
252 typemap = afinfo->type_map;
254 type = typemap[proto];
255 if (unlikely(type && !try_module_get(type->owner)))
257 if (!type && !modload_attempted) {
258 xfrm_state_put_afinfo(afinfo);
259 request_module("xfrm-type-%d-%d", family, proto);
260 modload_attempted = 1;
264 xfrm_state_put_afinfo(afinfo);
268 static void xfrm_put_type(const struct xfrm_type *type)
270 module_put(type->owner);
273 int xfrm_register_mode(struct xfrm_mode *mode, int family)
275 struct xfrm_state_afinfo *afinfo;
276 struct xfrm_mode **modemap;
279 if (unlikely(mode->encap >= XFRM_MODE_MAX))
282 afinfo = xfrm_state_lock_afinfo(family);
283 if (unlikely(afinfo == NULL))
284 return -EAFNOSUPPORT;
287 modemap = afinfo->mode_map;
288 if (modemap[mode->encap])
292 if (!try_module_get(afinfo->owner))
295 mode->afinfo = afinfo;
296 modemap[mode->encap] = mode;
300 xfrm_state_unlock_afinfo(afinfo);
303 EXPORT_SYMBOL(xfrm_register_mode);
305 int xfrm_unregister_mode(struct xfrm_mode *mode, int family)
307 struct xfrm_state_afinfo *afinfo;
308 struct xfrm_mode **modemap;
311 if (unlikely(mode->encap >= XFRM_MODE_MAX))
314 afinfo = xfrm_state_lock_afinfo(family);
315 if (unlikely(afinfo == NULL))
316 return -EAFNOSUPPORT;
319 modemap = afinfo->mode_map;
320 if (likely(modemap[mode->encap] == mode)) {
321 modemap[mode->encap] = NULL;
322 module_put(mode->afinfo->owner);
326 xfrm_state_unlock_afinfo(afinfo);
329 EXPORT_SYMBOL(xfrm_unregister_mode);
331 static struct xfrm_mode *xfrm_get_mode(unsigned int encap, int family)
333 struct xfrm_state_afinfo *afinfo;
334 struct xfrm_mode *mode;
335 int modload_attempted = 0;
337 if (unlikely(encap >= XFRM_MODE_MAX))
341 afinfo = xfrm_state_get_afinfo(family);
342 if (unlikely(afinfo == NULL))
345 mode = afinfo->mode_map[encap];
346 if (unlikely(mode && !try_module_get(mode->owner)))
348 if (!mode && !modload_attempted) {
349 xfrm_state_put_afinfo(afinfo);
350 request_module("xfrm-mode-%d-%d", family, encap);
351 modload_attempted = 1;
355 xfrm_state_put_afinfo(afinfo);
359 static void xfrm_put_mode(struct xfrm_mode *mode)
361 module_put(mode->owner);
364 static void xfrm_state_gc_destroy(struct xfrm_state *x)
366 del_timer_sync(&x->timer);
367 del_timer_sync(&x->rtimer);
374 xfrm_put_mode(x->inner_mode);
375 if (x->inner_mode_iaf)
376 xfrm_put_mode(x->inner_mode_iaf);
378 xfrm_put_mode(x->outer_mode);
380 x->type->destructor(x);
381 xfrm_put_type(x->type);
383 security_xfrm_state_free(x);
387 static void xfrm_state_gc_task(struct work_struct *work)
389 struct net *net = container_of(work, struct net, xfrm.state_gc_work);
390 struct xfrm_state *x;
391 struct hlist_node *entry, *tmp;
392 struct hlist_head gc_list;
394 spin_lock_bh(&xfrm_state_gc_lock);
395 hlist_move_list(&net->xfrm.state_gc_list, &gc_list);
396 spin_unlock_bh(&xfrm_state_gc_lock);
398 hlist_for_each_entry_safe(x, entry, tmp, &gc_list, gclist)
399 xfrm_state_gc_destroy(x);
401 wake_up(&net->xfrm.km_waitq);
404 static inline unsigned long make_jiffies(long secs)
406 if (secs >= (MAX_SCHEDULE_TIMEOUT-1)/HZ)
407 return MAX_SCHEDULE_TIMEOUT-1;
412 static void xfrm_timer_handler(unsigned long data)
414 struct xfrm_state *x = (struct xfrm_state*)data;
415 unsigned long now = get_seconds();
416 long next = LONG_MAX;
421 if (x->km.state == XFRM_STATE_DEAD)
423 if (x->km.state == XFRM_STATE_EXPIRED)
425 if (x->lft.hard_add_expires_seconds) {
426 long tmo = x->lft.hard_add_expires_seconds +
427 x->curlft.add_time - now;
433 if (x->lft.hard_use_expires_seconds) {
434 long tmo = x->lft.hard_use_expires_seconds +
435 (x->curlft.use_time ? : now) - now;
443 if (x->lft.soft_add_expires_seconds) {
444 long tmo = x->lft.soft_add_expires_seconds +
445 x->curlft.add_time - now;
451 if (x->lft.soft_use_expires_seconds) {
452 long tmo = x->lft.soft_use_expires_seconds +
453 (x->curlft.use_time ? : now) - now;
462 km_state_expired(x, 0, 0);
464 if (next != LONG_MAX)
465 mod_timer(&x->timer, jiffies + make_jiffies(next));
470 if (x->km.state == XFRM_STATE_ACQ && x->id.spi == 0) {
471 x->km.state = XFRM_STATE_EXPIRED;
472 wake_up(&init_net.xfrm.km_waitq);
477 err = __xfrm_state_delete(x);
478 if (!err && x->id.spi)
479 km_state_expired(x, 1, 0);
481 xfrm_audit_state_delete(x, err ? 0 : 1,
482 audit_get_loginuid(current),
483 audit_get_sessionid(current), 0);
486 spin_unlock(&x->lock);
489 static void xfrm_replay_timer_handler(unsigned long data);
491 struct xfrm_state *xfrm_state_alloc(struct net *net)
493 struct xfrm_state *x;
495 x = kzalloc(sizeof(struct xfrm_state), GFP_ATOMIC);
498 write_pnet(&x->xs_net, net);
499 atomic_set(&x->refcnt, 1);
500 atomic_set(&x->tunnel_users, 0);
501 INIT_LIST_HEAD(&x->km.all);
502 INIT_HLIST_NODE(&x->bydst);
503 INIT_HLIST_NODE(&x->bysrc);
504 INIT_HLIST_NODE(&x->byspi);
505 setup_timer(&x->timer, xfrm_timer_handler, (unsigned long)x);
506 setup_timer(&x->rtimer, xfrm_replay_timer_handler,
508 x->curlft.add_time = get_seconds();
509 x->lft.soft_byte_limit = XFRM_INF;
510 x->lft.soft_packet_limit = XFRM_INF;
511 x->lft.hard_byte_limit = XFRM_INF;
512 x->lft.hard_packet_limit = XFRM_INF;
513 x->replay_maxage = 0;
514 x->replay_maxdiff = 0;
515 x->inner_mode = NULL;
516 x->inner_mode_iaf = NULL;
517 spin_lock_init(&x->lock);
521 EXPORT_SYMBOL(xfrm_state_alloc);
523 void __xfrm_state_destroy(struct xfrm_state *x)
525 WARN_ON(x->km.state != XFRM_STATE_DEAD);
527 spin_lock_bh(&xfrm_state_gc_lock);
528 hlist_add_head(&x->gclist, &init_net.xfrm.state_gc_list);
529 spin_unlock_bh(&xfrm_state_gc_lock);
530 schedule_work(&init_net.xfrm.state_gc_work);
532 EXPORT_SYMBOL(__xfrm_state_destroy);
534 int __xfrm_state_delete(struct xfrm_state *x)
538 if (x->km.state != XFRM_STATE_DEAD) {
539 x->km.state = XFRM_STATE_DEAD;
540 spin_lock(&xfrm_state_lock);
541 list_del(&x->km.all);
542 hlist_del(&x->bydst);
543 hlist_del(&x->bysrc);
545 hlist_del(&x->byspi);
546 init_net.xfrm.state_num--;
547 spin_unlock(&xfrm_state_lock);
549 /* All xfrm_state objects are created by xfrm_state_alloc.
550 * The xfrm_state_alloc call gives a reference, and that
551 * is what we are dropping here.
559 EXPORT_SYMBOL(__xfrm_state_delete);
561 int xfrm_state_delete(struct xfrm_state *x)
565 spin_lock_bh(&x->lock);
566 err = __xfrm_state_delete(x);
567 spin_unlock_bh(&x->lock);
571 EXPORT_SYMBOL(xfrm_state_delete);
573 #ifdef CONFIG_SECURITY_NETWORK_XFRM
575 xfrm_state_flush_secctx_check(u8 proto, struct xfrm_audit *audit_info)
579 for (i = 0; i <= init_net.xfrm.state_hmask; i++) {
580 struct hlist_node *entry;
581 struct xfrm_state *x;
583 hlist_for_each_entry(x, entry, init_net.xfrm.state_bydst+i, bydst) {
584 if (xfrm_id_proto_match(x->id.proto, proto) &&
585 (err = security_xfrm_state_delete(x)) != 0) {
586 xfrm_audit_state_delete(x, 0,
587 audit_info->loginuid,
588 audit_info->sessionid,
599 xfrm_state_flush_secctx_check(u8 proto, struct xfrm_audit *audit_info)
605 int xfrm_state_flush(u8 proto, struct xfrm_audit *audit_info)
609 spin_lock_bh(&xfrm_state_lock);
610 err = xfrm_state_flush_secctx_check(proto, audit_info);
614 for (i = 0; i <= init_net.xfrm.state_hmask; i++) {
615 struct hlist_node *entry;
616 struct xfrm_state *x;
618 hlist_for_each_entry(x, entry, init_net.xfrm.state_bydst+i, bydst) {
619 if (!xfrm_state_kern(x) &&
620 xfrm_id_proto_match(x->id.proto, proto)) {
622 spin_unlock_bh(&xfrm_state_lock);
624 err = xfrm_state_delete(x);
625 xfrm_audit_state_delete(x, err ? 0 : 1,
626 audit_info->loginuid,
627 audit_info->sessionid,
631 spin_lock_bh(&xfrm_state_lock);
639 spin_unlock_bh(&xfrm_state_lock);
640 wake_up(&init_net.xfrm.km_waitq);
643 EXPORT_SYMBOL(xfrm_state_flush);
645 void xfrm_sad_getinfo(struct xfrmk_sadinfo *si)
647 spin_lock_bh(&xfrm_state_lock);
648 si->sadcnt = init_net.xfrm.state_num;
649 si->sadhcnt = init_net.xfrm.state_hmask;
650 si->sadhmcnt = xfrm_state_hashmax;
651 spin_unlock_bh(&xfrm_state_lock);
653 EXPORT_SYMBOL(xfrm_sad_getinfo);
656 xfrm_init_tempsel(struct xfrm_state *x, struct flowi *fl,
657 struct xfrm_tmpl *tmpl,
658 xfrm_address_t *daddr, xfrm_address_t *saddr,
659 unsigned short family)
661 struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family);
664 afinfo->init_tempsel(x, fl, tmpl, daddr, saddr);
665 xfrm_state_put_afinfo(afinfo);
669 static struct xfrm_state *__xfrm_state_lookup(xfrm_address_t *daddr, __be32 spi, u8 proto, unsigned short family)
671 unsigned int h = xfrm_spi_hash(&init_net, daddr, spi, proto, family);
672 struct xfrm_state *x;
673 struct hlist_node *entry;
675 hlist_for_each_entry(x, entry, init_net.xfrm.state_byspi+h, byspi) {
676 if (x->props.family != family ||
678 x->id.proto != proto)
683 if (x->id.daddr.a4 != daddr->a4)
687 if (!ipv6_addr_equal((struct in6_addr *)daddr,
701 static struct xfrm_state *__xfrm_state_lookup_byaddr(xfrm_address_t *daddr, xfrm_address_t *saddr, u8 proto, unsigned short family)
703 unsigned int h = xfrm_src_hash(&init_net, daddr, saddr, family);
704 struct xfrm_state *x;
705 struct hlist_node *entry;
707 hlist_for_each_entry(x, entry, init_net.xfrm.state_bysrc+h, bysrc) {
708 if (x->props.family != family ||
709 x->id.proto != proto)
714 if (x->id.daddr.a4 != daddr->a4 ||
715 x->props.saddr.a4 != saddr->a4)
719 if (!ipv6_addr_equal((struct in6_addr *)daddr,
722 !ipv6_addr_equal((struct in6_addr *)saddr,
736 static inline struct xfrm_state *
737 __xfrm_state_locate(struct xfrm_state *x, int use_spi, int family)
740 return __xfrm_state_lookup(&x->id.daddr, x->id.spi,
741 x->id.proto, family);
743 return __xfrm_state_lookup_byaddr(&x->id.daddr,
745 x->id.proto, family);
748 static void xfrm_hash_grow_check(int have_hash_collision)
750 if (have_hash_collision &&
751 (init_net.xfrm.state_hmask + 1) < xfrm_state_hashmax &&
752 init_net.xfrm.state_num > init_net.xfrm.state_hmask)
753 schedule_work(&init_net.xfrm.state_hash_work);
757 xfrm_state_find(xfrm_address_t *daddr, xfrm_address_t *saddr,
758 struct flowi *fl, struct xfrm_tmpl *tmpl,
759 struct xfrm_policy *pol, int *err,
760 unsigned short family)
763 struct hlist_node *entry;
764 struct xfrm_state *x, *x0, *to_put;
765 int acquire_in_progress = 0;
767 struct xfrm_state *best = NULL;
771 spin_lock_bh(&xfrm_state_lock);
772 h = xfrm_dst_hash(&init_net, daddr, saddr, tmpl->reqid, family);
773 hlist_for_each_entry(x, entry, init_net.xfrm.state_bydst+h, bydst) {
774 if (x->props.family == family &&
775 x->props.reqid == tmpl->reqid &&
776 !(x->props.flags & XFRM_STATE_WILDRECV) &&
777 xfrm_state_addr_check(x, daddr, saddr, family) &&
778 tmpl->mode == x->props.mode &&
779 tmpl->id.proto == x->id.proto &&
780 (tmpl->id.spi == x->id.spi || !tmpl->id.spi)) {
782 1. There is a valid state with matching selector.
784 2. Valid state with inappropriate selector. Skip.
786 Entering area of "sysdeps".
788 3. If state is not valid, selector is temporary,
789 it selects only session which triggered
790 previous resolution. Key manager will do
791 something to install a state with proper
794 if (x->km.state == XFRM_STATE_VALID) {
795 if ((x->sel.family && !xfrm_selector_match(&x->sel, fl, x->sel.family)) ||
796 !security_xfrm_state_pol_flow_match(x, pol, fl))
799 best->km.dying > x->km.dying ||
800 (best->km.dying == x->km.dying &&
801 best->curlft.add_time < x->curlft.add_time))
803 } else if (x->km.state == XFRM_STATE_ACQ) {
804 acquire_in_progress = 1;
805 } else if (x->km.state == XFRM_STATE_ERROR ||
806 x->km.state == XFRM_STATE_EXPIRED) {
807 if (xfrm_selector_match(&x->sel, fl, x->sel.family) &&
808 security_xfrm_state_pol_flow_match(x, pol, fl))
815 if (!x && !error && !acquire_in_progress) {
817 (x0 = __xfrm_state_lookup(daddr, tmpl->id.spi,
818 tmpl->id.proto, family)) != NULL) {
823 x = xfrm_state_alloc(&init_net);
828 /* Initialize temporary selector matching only
829 * to current session. */
830 xfrm_init_tempsel(x, fl, tmpl, daddr, saddr, family);
832 error = security_xfrm_state_alloc_acquire(x, pol->security, fl->secid);
834 x->km.state = XFRM_STATE_DEAD;
840 if (km_query(x, tmpl, pol) == 0) {
841 x->km.state = XFRM_STATE_ACQ;
842 list_add(&x->km.all, &init_net.xfrm.state_all);
843 hlist_add_head(&x->bydst, init_net.xfrm.state_bydst+h);
844 h = xfrm_src_hash(&init_net, daddr, saddr, family);
845 hlist_add_head(&x->bysrc, init_net.xfrm.state_bysrc+h);
847 h = xfrm_spi_hash(&init_net, &x->id.daddr, x->id.spi, x->id.proto, family);
848 hlist_add_head(&x->byspi, init_net.xfrm.state_byspi+h);
850 x->lft.hard_add_expires_seconds = sysctl_xfrm_acq_expires;
851 x->timer.expires = jiffies + sysctl_xfrm_acq_expires*HZ;
852 add_timer(&x->timer);
853 init_net.xfrm.state_num++;
854 xfrm_hash_grow_check(x->bydst.next != NULL);
856 x->km.state = XFRM_STATE_DEAD;
866 *err = acquire_in_progress ? -EAGAIN : error;
867 spin_unlock_bh(&xfrm_state_lock);
869 xfrm_state_put(to_put);
874 xfrm_stateonly_find(xfrm_address_t *daddr, xfrm_address_t *saddr,
875 unsigned short family, u8 mode, u8 proto, u32 reqid)
878 struct xfrm_state *rx = NULL, *x = NULL;
879 struct hlist_node *entry;
881 spin_lock(&xfrm_state_lock);
882 h = xfrm_dst_hash(&init_net, daddr, saddr, reqid, family);
883 hlist_for_each_entry(x, entry, init_net.xfrm.state_bydst+h, bydst) {
884 if (x->props.family == family &&
885 x->props.reqid == reqid &&
886 !(x->props.flags & XFRM_STATE_WILDRECV) &&
887 xfrm_state_addr_check(x, daddr, saddr, family) &&
888 mode == x->props.mode &&
889 proto == x->id.proto &&
890 x->km.state == XFRM_STATE_VALID) {
898 spin_unlock(&xfrm_state_lock);
903 EXPORT_SYMBOL(xfrm_stateonly_find);
905 static void __xfrm_state_insert(struct xfrm_state *x)
909 x->genid = ++xfrm_state_genid;
911 list_add(&x->km.all, &init_net.xfrm.state_all);
913 h = xfrm_dst_hash(&init_net, &x->id.daddr, &x->props.saddr,
914 x->props.reqid, x->props.family);
915 hlist_add_head(&x->bydst, init_net.xfrm.state_bydst+h);
917 h = xfrm_src_hash(&init_net, &x->id.daddr, &x->props.saddr, x->props.family);
918 hlist_add_head(&x->bysrc, init_net.xfrm.state_bysrc+h);
921 h = xfrm_spi_hash(&init_net, &x->id.daddr, x->id.spi, x->id.proto,
924 hlist_add_head(&x->byspi, init_net.xfrm.state_byspi+h);
927 mod_timer(&x->timer, jiffies + HZ);
928 if (x->replay_maxage)
929 mod_timer(&x->rtimer, jiffies + x->replay_maxage);
931 wake_up(&init_net.xfrm.km_waitq);
933 init_net.xfrm.state_num++;
935 xfrm_hash_grow_check(x->bydst.next != NULL);
938 /* xfrm_state_lock is held */
939 static void __xfrm_state_bump_genids(struct xfrm_state *xnew)
941 unsigned short family = xnew->props.family;
942 u32 reqid = xnew->props.reqid;
943 struct xfrm_state *x;
944 struct hlist_node *entry;
947 h = xfrm_dst_hash(&init_net, &xnew->id.daddr, &xnew->props.saddr, reqid, family);
948 hlist_for_each_entry(x, entry, init_net.xfrm.state_bydst+h, bydst) {
949 if (x->props.family == family &&
950 x->props.reqid == reqid &&
951 !xfrm_addr_cmp(&x->id.daddr, &xnew->id.daddr, family) &&
952 !xfrm_addr_cmp(&x->props.saddr, &xnew->props.saddr, family))
953 x->genid = xfrm_state_genid;
957 void xfrm_state_insert(struct xfrm_state *x)
959 spin_lock_bh(&xfrm_state_lock);
960 __xfrm_state_bump_genids(x);
961 __xfrm_state_insert(x);
962 spin_unlock_bh(&xfrm_state_lock);
964 EXPORT_SYMBOL(xfrm_state_insert);
966 /* xfrm_state_lock is held */
967 static struct xfrm_state *__find_acq_core(unsigned short family, u8 mode, u32 reqid, u8 proto, xfrm_address_t *daddr, xfrm_address_t *saddr, int create)
969 unsigned int h = xfrm_dst_hash(&init_net, daddr, saddr, reqid, family);
970 struct hlist_node *entry;
971 struct xfrm_state *x;
973 hlist_for_each_entry(x, entry, init_net.xfrm.state_bydst+h, bydst) {
974 if (x->props.reqid != reqid ||
975 x->props.mode != mode ||
976 x->props.family != family ||
977 x->km.state != XFRM_STATE_ACQ ||
979 x->id.proto != proto)
984 if (x->id.daddr.a4 != daddr->a4 ||
985 x->props.saddr.a4 != saddr->a4)
989 if (!ipv6_addr_equal((struct in6_addr *)x->id.daddr.a6,
990 (struct in6_addr *)daddr) ||
991 !ipv6_addr_equal((struct in6_addr *)
993 (struct in6_addr *)saddr))
1005 x = xfrm_state_alloc(&init_net);
1009 x->sel.daddr.a4 = daddr->a4;
1010 x->sel.saddr.a4 = saddr->a4;
1011 x->sel.prefixlen_d = 32;
1012 x->sel.prefixlen_s = 32;
1013 x->props.saddr.a4 = saddr->a4;
1014 x->id.daddr.a4 = daddr->a4;
1018 ipv6_addr_copy((struct in6_addr *)x->sel.daddr.a6,
1019 (struct in6_addr *)daddr);
1020 ipv6_addr_copy((struct in6_addr *)x->sel.saddr.a6,
1021 (struct in6_addr *)saddr);
1022 x->sel.prefixlen_d = 128;
1023 x->sel.prefixlen_s = 128;
1024 ipv6_addr_copy((struct in6_addr *)x->props.saddr.a6,
1025 (struct in6_addr *)saddr);
1026 ipv6_addr_copy((struct in6_addr *)x->id.daddr.a6,
1027 (struct in6_addr *)daddr);
1031 x->km.state = XFRM_STATE_ACQ;
1032 x->id.proto = proto;
1033 x->props.family = family;
1034 x->props.mode = mode;
1035 x->props.reqid = reqid;
1036 x->lft.hard_add_expires_seconds = sysctl_xfrm_acq_expires;
1038 x->timer.expires = jiffies + sysctl_xfrm_acq_expires*HZ;
1039 add_timer(&x->timer);
1040 list_add(&x->km.all, &init_net.xfrm.state_all);
1041 hlist_add_head(&x->bydst, init_net.xfrm.state_bydst+h);
1042 h = xfrm_src_hash(&init_net, daddr, saddr, family);
1043 hlist_add_head(&x->bysrc, init_net.xfrm.state_bysrc+h);
1045 init_net.xfrm.state_num++;
1047 xfrm_hash_grow_check(x->bydst.next != NULL);
1053 static struct xfrm_state *__xfrm_find_acq_byseq(u32 seq);
1055 int xfrm_state_add(struct xfrm_state *x)
1057 struct xfrm_state *x1, *to_put;
1060 int use_spi = xfrm_id_proto_match(x->id.proto, IPSEC_PROTO_ANY);
1062 family = x->props.family;
1066 spin_lock_bh(&xfrm_state_lock);
1068 x1 = __xfrm_state_locate(x, use_spi, family);
1076 if (use_spi && x->km.seq) {
1077 x1 = __xfrm_find_acq_byseq(x->km.seq);
1078 if (x1 && ((x1->id.proto != x->id.proto) ||
1079 xfrm_addr_cmp(&x1->id.daddr, &x->id.daddr, family))) {
1086 x1 = __find_acq_core(family, x->props.mode, x->props.reqid,
1088 &x->id.daddr, &x->props.saddr, 0);
1090 __xfrm_state_bump_genids(x);
1091 __xfrm_state_insert(x);
1095 spin_unlock_bh(&xfrm_state_lock);
1098 xfrm_state_delete(x1);
1103 xfrm_state_put(to_put);
1107 EXPORT_SYMBOL(xfrm_state_add);
1109 #ifdef CONFIG_XFRM_MIGRATE
1110 static struct xfrm_state *xfrm_state_clone(struct xfrm_state *orig, int *errp)
1113 struct xfrm_state *x = xfrm_state_alloc(&init_net);
1117 memcpy(&x->id, &orig->id, sizeof(x->id));
1118 memcpy(&x->sel, &orig->sel, sizeof(x->sel));
1119 memcpy(&x->lft, &orig->lft, sizeof(x->lft));
1120 x->props.mode = orig->props.mode;
1121 x->props.replay_window = orig->props.replay_window;
1122 x->props.reqid = orig->props.reqid;
1123 x->props.family = orig->props.family;
1124 x->props.saddr = orig->props.saddr;
1127 x->aalg = xfrm_algo_clone(orig->aalg);
1131 x->props.aalgo = orig->props.aalgo;
1134 x->ealg = xfrm_algo_clone(orig->ealg);
1138 x->props.ealgo = orig->props.ealgo;
1141 x->calg = xfrm_algo_clone(orig->calg);
1145 x->props.calgo = orig->props.calgo;
1148 x->encap = kmemdup(orig->encap, sizeof(*x->encap), GFP_KERNEL);
1154 x->coaddr = kmemdup(orig->coaddr, sizeof(*x->coaddr),
1160 err = xfrm_init_state(x);
1164 x->props.flags = orig->props.flags;
1166 x->curlft.add_time = orig->curlft.add_time;
1167 x->km.state = orig->km.state;
1168 x->km.seq = orig->km.seq;
1186 /* xfrm_state_lock is held */
1187 struct xfrm_state * xfrm_migrate_state_find(struct xfrm_migrate *m)
1190 struct xfrm_state *x;
1191 struct hlist_node *entry;
1194 h = xfrm_dst_hash(&init_net, &m->old_daddr, &m->old_saddr,
1195 m->reqid, m->old_family);
1196 hlist_for_each_entry(x, entry, init_net.xfrm.state_bydst+h, bydst) {
1197 if (x->props.mode != m->mode ||
1198 x->id.proto != m->proto)
1200 if (m->reqid && x->props.reqid != m->reqid)
1202 if (xfrm_addr_cmp(&x->id.daddr, &m->old_daddr,
1204 xfrm_addr_cmp(&x->props.saddr, &m->old_saddr,
1211 h = xfrm_src_hash(&init_net, &m->old_daddr, &m->old_saddr,
1213 hlist_for_each_entry(x, entry, init_net.xfrm.state_bysrc+h, bysrc) {
1214 if (x->props.mode != m->mode ||
1215 x->id.proto != m->proto)
1217 if (xfrm_addr_cmp(&x->id.daddr, &m->old_daddr,
1219 xfrm_addr_cmp(&x->props.saddr, &m->old_saddr,
1229 EXPORT_SYMBOL(xfrm_migrate_state_find);
1231 struct xfrm_state * xfrm_state_migrate(struct xfrm_state *x,
1232 struct xfrm_migrate *m)
1234 struct xfrm_state *xc;
1237 xc = xfrm_state_clone(x, &err);
1241 memcpy(&xc->id.daddr, &m->new_daddr, sizeof(xc->id.daddr));
1242 memcpy(&xc->props.saddr, &m->new_saddr, sizeof(xc->props.saddr));
1245 if (!xfrm_addr_cmp(&x->id.daddr, &m->new_daddr, m->new_family)) {
1246 /* a care is needed when the destination address of the
1247 state is to be updated as it is a part of triplet */
1248 xfrm_state_insert(xc);
1250 if ((err = xfrm_state_add(xc)) < 0)
1259 EXPORT_SYMBOL(xfrm_state_migrate);
1262 int xfrm_state_update(struct xfrm_state *x)
1264 struct xfrm_state *x1, *to_put;
1266 int use_spi = xfrm_id_proto_match(x->id.proto, IPSEC_PROTO_ANY);
1270 spin_lock_bh(&xfrm_state_lock);
1271 x1 = __xfrm_state_locate(x, use_spi, x->props.family);
1277 if (xfrm_state_kern(x1)) {
1283 if (x1->km.state == XFRM_STATE_ACQ) {
1284 __xfrm_state_insert(x);
1290 spin_unlock_bh(&xfrm_state_lock);
1293 xfrm_state_put(to_put);
1299 xfrm_state_delete(x1);
1305 spin_lock_bh(&x1->lock);
1306 if (likely(x1->km.state == XFRM_STATE_VALID)) {
1307 if (x->encap && x1->encap)
1308 memcpy(x1->encap, x->encap, sizeof(*x1->encap));
1309 if (x->coaddr && x1->coaddr) {
1310 memcpy(x1->coaddr, x->coaddr, sizeof(*x1->coaddr));
1312 if (!use_spi && memcmp(&x1->sel, &x->sel, sizeof(x1->sel)))
1313 memcpy(&x1->sel, &x->sel, sizeof(x1->sel));
1314 memcpy(&x1->lft, &x->lft, sizeof(x1->lft));
1317 mod_timer(&x1->timer, jiffies + HZ);
1318 if (x1->curlft.use_time)
1319 xfrm_state_check_expire(x1);
1323 spin_unlock_bh(&x1->lock);
1329 EXPORT_SYMBOL(xfrm_state_update);
1331 int xfrm_state_check_expire(struct xfrm_state *x)
1333 if (!x->curlft.use_time)
1334 x->curlft.use_time = get_seconds();
1336 if (x->km.state != XFRM_STATE_VALID)
1339 if (x->curlft.bytes >= x->lft.hard_byte_limit ||
1340 x->curlft.packets >= x->lft.hard_packet_limit) {
1341 x->km.state = XFRM_STATE_EXPIRED;
1342 mod_timer(&x->timer, jiffies);
1347 (x->curlft.bytes >= x->lft.soft_byte_limit ||
1348 x->curlft.packets >= x->lft.soft_packet_limit)) {
1350 km_state_expired(x, 0, 0);
1354 EXPORT_SYMBOL(xfrm_state_check_expire);
1357 xfrm_state_lookup(xfrm_address_t *daddr, __be32 spi, u8 proto,
1358 unsigned short family)
1360 struct xfrm_state *x;
1362 spin_lock_bh(&xfrm_state_lock);
1363 x = __xfrm_state_lookup(daddr, spi, proto, family);
1364 spin_unlock_bh(&xfrm_state_lock);
1367 EXPORT_SYMBOL(xfrm_state_lookup);
1370 xfrm_state_lookup_byaddr(xfrm_address_t *daddr, xfrm_address_t *saddr,
1371 u8 proto, unsigned short family)
1373 struct xfrm_state *x;
1375 spin_lock_bh(&xfrm_state_lock);
1376 x = __xfrm_state_lookup_byaddr(daddr, saddr, proto, family);
1377 spin_unlock_bh(&xfrm_state_lock);
1380 EXPORT_SYMBOL(xfrm_state_lookup_byaddr);
1383 xfrm_find_acq(u8 mode, u32 reqid, u8 proto,
1384 xfrm_address_t *daddr, xfrm_address_t *saddr,
1385 int create, unsigned short family)
1387 struct xfrm_state *x;
1389 spin_lock_bh(&xfrm_state_lock);
1390 x = __find_acq_core(family, mode, reqid, proto, daddr, saddr, create);
1391 spin_unlock_bh(&xfrm_state_lock);
1395 EXPORT_SYMBOL(xfrm_find_acq);
1397 #ifdef CONFIG_XFRM_SUB_POLICY
1399 xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, int n,
1400 unsigned short family)
1403 struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family);
1405 return -EAFNOSUPPORT;
1407 spin_lock_bh(&xfrm_state_lock);
1408 if (afinfo->tmpl_sort)
1409 err = afinfo->tmpl_sort(dst, src, n);
1410 spin_unlock_bh(&xfrm_state_lock);
1411 xfrm_state_put_afinfo(afinfo);
1414 EXPORT_SYMBOL(xfrm_tmpl_sort);
1417 xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src, int n,
1418 unsigned short family)
1421 struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family);
1423 return -EAFNOSUPPORT;
1425 spin_lock_bh(&xfrm_state_lock);
1426 if (afinfo->state_sort)
1427 err = afinfo->state_sort(dst, src, n);
1428 spin_unlock_bh(&xfrm_state_lock);
1429 xfrm_state_put_afinfo(afinfo);
1432 EXPORT_SYMBOL(xfrm_state_sort);
1435 /* Silly enough, but I'm lazy to build resolution list */
1437 static struct xfrm_state *__xfrm_find_acq_byseq(u32 seq)
1441 for (i = 0; i <= init_net.xfrm.state_hmask; i++) {
1442 struct hlist_node *entry;
1443 struct xfrm_state *x;
1445 hlist_for_each_entry(x, entry, init_net.xfrm.state_bydst+i, bydst) {
1446 if (x->km.seq == seq &&
1447 x->km.state == XFRM_STATE_ACQ) {
1456 struct xfrm_state *xfrm_find_acq_byseq(u32 seq)
1458 struct xfrm_state *x;
1460 spin_lock_bh(&xfrm_state_lock);
1461 x = __xfrm_find_acq_byseq(seq);
1462 spin_unlock_bh(&xfrm_state_lock);
1465 EXPORT_SYMBOL(xfrm_find_acq_byseq);
1467 u32 xfrm_get_acqseq(void)
1471 static DEFINE_SPINLOCK(acqseq_lock);
1473 spin_lock_bh(&acqseq_lock);
1474 res = (++acqseq ? : ++acqseq);
1475 spin_unlock_bh(&acqseq_lock);
1478 EXPORT_SYMBOL(xfrm_get_acqseq);
1480 int xfrm_alloc_spi(struct xfrm_state *x, u32 low, u32 high)
1483 struct xfrm_state *x0;
1485 __be32 minspi = htonl(low);
1486 __be32 maxspi = htonl(high);
1488 spin_lock_bh(&x->lock);
1489 if (x->km.state == XFRM_STATE_DEAD)
1498 if (minspi == maxspi) {
1499 x0 = xfrm_state_lookup(&x->id.daddr, minspi, x->id.proto, x->props.family);
1507 for (h=0; h<high-low+1; h++) {
1508 spi = low + net_random()%(high-low+1);
1509 x0 = xfrm_state_lookup(&x->id.daddr, htonl(spi), x->id.proto, x->props.family);
1511 x->id.spi = htonl(spi);
1518 spin_lock_bh(&xfrm_state_lock);
1519 h = xfrm_spi_hash(&init_net, &x->id.daddr, x->id.spi, x->id.proto, x->props.family);
1520 hlist_add_head(&x->byspi, init_net.xfrm.state_byspi+h);
1521 spin_unlock_bh(&xfrm_state_lock);
1527 spin_unlock_bh(&x->lock);
1531 EXPORT_SYMBOL(xfrm_alloc_spi);
1533 int xfrm_state_walk(struct xfrm_state_walk *walk,
1534 int (*func)(struct xfrm_state *, int, void*),
1537 struct xfrm_state *state;
1538 struct xfrm_state_walk *x;
1541 if (walk->seq != 0 && list_empty(&walk->all))
1544 spin_lock_bh(&xfrm_state_lock);
1545 if (list_empty(&walk->all))
1546 x = list_first_entry(&init_net.xfrm.state_all, struct xfrm_state_walk, all);
1548 x = list_entry(&walk->all, struct xfrm_state_walk, all);
1549 list_for_each_entry_from(x, &init_net.xfrm.state_all, all) {
1550 if (x->state == XFRM_STATE_DEAD)
1552 state = container_of(x, struct xfrm_state, km);
1553 if (!xfrm_id_proto_match(state->id.proto, walk->proto))
1555 err = func(state, walk->seq, data);
1557 list_move_tail(&walk->all, &x->all);
1562 if (walk->seq == 0) {
1566 list_del_init(&walk->all);
1568 spin_unlock_bh(&xfrm_state_lock);
1571 EXPORT_SYMBOL(xfrm_state_walk);
1573 void xfrm_state_walk_init(struct xfrm_state_walk *walk, u8 proto)
1575 INIT_LIST_HEAD(&walk->all);
1576 walk->proto = proto;
1577 walk->state = XFRM_STATE_DEAD;
1580 EXPORT_SYMBOL(xfrm_state_walk_init);
1582 void xfrm_state_walk_done(struct xfrm_state_walk *walk)
1584 if (list_empty(&walk->all))
1587 spin_lock_bh(&xfrm_state_lock);
1588 list_del(&walk->all);
1589 spin_lock_bh(&xfrm_state_lock);
1591 EXPORT_SYMBOL(xfrm_state_walk_done);
1594 void xfrm_replay_notify(struct xfrm_state *x, int event)
1597 /* we send notify messages in case
1598 * 1. we updated on of the sequence numbers, and the seqno difference
1599 * is at least x->replay_maxdiff, in this case we also update the
1600 * timeout of our timer function
1601 * 2. if x->replay_maxage has elapsed since last update,
1602 * and there were changes
1604 * The state structure must be locked!
1608 case XFRM_REPLAY_UPDATE:
1609 if (x->replay_maxdiff &&
1610 (x->replay.seq - x->preplay.seq < x->replay_maxdiff) &&
1611 (x->replay.oseq - x->preplay.oseq < x->replay_maxdiff)) {
1612 if (x->xflags & XFRM_TIME_DEFER)
1613 event = XFRM_REPLAY_TIMEOUT;
1620 case XFRM_REPLAY_TIMEOUT:
1621 if ((x->replay.seq == x->preplay.seq) &&
1622 (x->replay.bitmap == x->preplay.bitmap) &&
1623 (x->replay.oseq == x->preplay.oseq)) {
1624 x->xflags |= XFRM_TIME_DEFER;
1631 memcpy(&x->preplay, &x->replay, sizeof(struct xfrm_replay_state));
1632 c.event = XFRM_MSG_NEWAE;
1633 c.data.aevent = event;
1634 km_state_notify(x, &c);
1636 if (x->replay_maxage &&
1637 !mod_timer(&x->rtimer, jiffies + x->replay_maxage))
1638 x->xflags &= ~XFRM_TIME_DEFER;
1641 static void xfrm_replay_timer_handler(unsigned long data)
1643 struct xfrm_state *x = (struct xfrm_state*)data;
1645 spin_lock(&x->lock);
1647 if (x->km.state == XFRM_STATE_VALID) {
1648 if (xfrm_aevent_is_on())
1649 xfrm_replay_notify(x, XFRM_REPLAY_TIMEOUT);
1651 x->xflags |= XFRM_TIME_DEFER;
1654 spin_unlock(&x->lock);
1657 int xfrm_replay_check(struct xfrm_state *x,
1658 struct sk_buff *skb, __be32 net_seq)
1661 u32 seq = ntohl(net_seq);
1663 if (unlikely(seq == 0))
1666 if (likely(seq > x->replay.seq))
1669 diff = x->replay.seq - seq;
1670 if (diff >= min_t(unsigned int, x->props.replay_window,
1671 sizeof(x->replay.bitmap) * 8)) {
1672 x->stats.replay_window++;
1676 if (x->replay.bitmap & (1U << diff)) {
1683 xfrm_audit_state_replay(x, skb, net_seq);
1687 void xfrm_replay_advance(struct xfrm_state *x, __be32 net_seq)
1690 u32 seq = ntohl(net_seq);
1692 if (seq > x->replay.seq) {
1693 diff = seq - x->replay.seq;
1694 if (diff < x->props.replay_window)
1695 x->replay.bitmap = ((x->replay.bitmap) << diff) | 1;
1697 x->replay.bitmap = 1;
1698 x->replay.seq = seq;
1700 diff = x->replay.seq - seq;
1701 x->replay.bitmap |= (1U << diff);
1704 if (xfrm_aevent_is_on())
1705 xfrm_replay_notify(x, XFRM_REPLAY_UPDATE);
1708 static LIST_HEAD(xfrm_km_list);
1709 static DEFINE_RWLOCK(xfrm_km_lock);
1711 void km_policy_notify(struct xfrm_policy *xp, int dir, struct km_event *c)
1713 struct xfrm_mgr *km;
1715 read_lock(&xfrm_km_lock);
1716 list_for_each_entry(km, &xfrm_km_list, list)
1717 if (km->notify_policy)
1718 km->notify_policy(xp, dir, c);
1719 read_unlock(&xfrm_km_lock);
1722 void km_state_notify(struct xfrm_state *x, struct km_event *c)
1724 struct xfrm_mgr *km;
1725 read_lock(&xfrm_km_lock);
1726 list_for_each_entry(km, &xfrm_km_list, list)
1729 read_unlock(&xfrm_km_lock);
1732 EXPORT_SYMBOL(km_policy_notify);
1733 EXPORT_SYMBOL(km_state_notify);
1735 void km_state_expired(struct xfrm_state *x, int hard, u32 pid)
1741 c.event = XFRM_MSG_EXPIRE;
1742 km_state_notify(x, &c);
1745 wake_up(&init_net.xfrm.km_waitq);
1748 EXPORT_SYMBOL(km_state_expired);
1750 * We send to all registered managers regardless of failure
1751 * We are happy with one success
1753 int km_query(struct xfrm_state *x, struct xfrm_tmpl *t, struct xfrm_policy *pol)
1755 int err = -EINVAL, acqret;
1756 struct xfrm_mgr *km;
1758 read_lock(&xfrm_km_lock);
1759 list_for_each_entry(km, &xfrm_km_list, list) {
1760 acqret = km->acquire(x, t, pol, XFRM_POLICY_OUT);
1764 read_unlock(&xfrm_km_lock);
1767 EXPORT_SYMBOL(km_query);
1769 int km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport)
1772 struct xfrm_mgr *km;
1774 read_lock(&xfrm_km_lock);
1775 list_for_each_entry(km, &xfrm_km_list, list) {
1776 if (km->new_mapping)
1777 err = km->new_mapping(x, ipaddr, sport);
1781 read_unlock(&xfrm_km_lock);
1784 EXPORT_SYMBOL(km_new_mapping);
1786 void km_policy_expired(struct xfrm_policy *pol, int dir, int hard, u32 pid)
1792 c.event = XFRM_MSG_POLEXPIRE;
1793 km_policy_notify(pol, dir, &c);
1796 wake_up(&init_net.xfrm.km_waitq);
1798 EXPORT_SYMBOL(km_policy_expired);
1800 #ifdef CONFIG_XFRM_MIGRATE
1801 int km_migrate(struct xfrm_selector *sel, u8 dir, u8 type,
1802 struct xfrm_migrate *m, int num_migrate,
1803 struct xfrm_kmaddress *k)
1807 struct xfrm_mgr *km;
1809 read_lock(&xfrm_km_lock);
1810 list_for_each_entry(km, &xfrm_km_list, list) {
1812 ret = km->migrate(sel, dir, type, m, num_migrate, k);
1817 read_unlock(&xfrm_km_lock);
1820 EXPORT_SYMBOL(km_migrate);
1823 int km_report(u8 proto, struct xfrm_selector *sel, xfrm_address_t *addr)
1827 struct xfrm_mgr *km;
1829 read_lock(&xfrm_km_lock);
1830 list_for_each_entry(km, &xfrm_km_list, list) {
1832 ret = km->report(proto, sel, addr);
1837 read_unlock(&xfrm_km_lock);
1840 EXPORT_SYMBOL(km_report);
1842 int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen)
1846 struct xfrm_mgr *km;
1847 struct xfrm_policy *pol = NULL;
1849 if (optlen <= 0 || optlen > PAGE_SIZE)
1852 data = kmalloc(optlen, GFP_KERNEL);
1857 if (copy_from_user(data, optval, optlen))
1861 read_lock(&xfrm_km_lock);
1862 list_for_each_entry(km, &xfrm_km_list, list) {
1863 pol = km->compile_policy(sk, optname, data,
1868 read_unlock(&xfrm_km_lock);
1871 xfrm_sk_policy_insert(sk, err, pol);
1880 EXPORT_SYMBOL(xfrm_user_policy);
1882 int xfrm_register_km(struct xfrm_mgr *km)
1884 write_lock_bh(&xfrm_km_lock);
1885 list_add_tail(&km->list, &xfrm_km_list);
1886 write_unlock_bh(&xfrm_km_lock);
1889 EXPORT_SYMBOL(xfrm_register_km);
1891 int xfrm_unregister_km(struct xfrm_mgr *km)
1893 write_lock_bh(&xfrm_km_lock);
1894 list_del(&km->list);
1895 write_unlock_bh(&xfrm_km_lock);
1898 EXPORT_SYMBOL(xfrm_unregister_km);
1900 int xfrm_state_register_afinfo(struct xfrm_state_afinfo *afinfo)
1903 if (unlikely(afinfo == NULL))
1905 if (unlikely(afinfo->family >= NPROTO))
1906 return -EAFNOSUPPORT;
1907 write_lock_bh(&xfrm_state_afinfo_lock);
1908 if (unlikely(xfrm_state_afinfo[afinfo->family] != NULL))
1911 xfrm_state_afinfo[afinfo->family] = afinfo;
1912 write_unlock_bh(&xfrm_state_afinfo_lock);
1915 EXPORT_SYMBOL(xfrm_state_register_afinfo);
1917 int xfrm_state_unregister_afinfo(struct xfrm_state_afinfo *afinfo)
1920 if (unlikely(afinfo == NULL))
1922 if (unlikely(afinfo->family >= NPROTO))
1923 return -EAFNOSUPPORT;
1924 write_lock_bh(&xfrm_state_afinfo_lock);
1925 if (likely(xfrm_state_afinfo[afinfo->family] != NULL)) {
1926 if (unlikely(xfrm_state_afinfo[afinfo->family] != afinfo))
1929 xfrm_state_afinfo[afinfo->family] = NULL;
1931 write_unlock_bh(&xfrm_state_afinfo_lock);
1934 EXPORT_SYMBOL(xfrm_state_unregister_afinfo);
1936 static struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned int family)
1938 struct xfrm_state_afinfo *afinfo;
1939 if (unlikely(family >= NPROTO))
1941 read_lock(&xfrm_state_afinfo_lock);
1942 afinfo = xfrm_state_afinfo[family];
1943 if (unlikely(!afinfo))
1944 read_unlock(&xfrm_state_afinfo_lock);
1948 static void xfrm_state_put_afinfo(struct xfrm_state_afinfo *afinfo)
1949 __releases(xfrm_state_afinfo_lock)
1951 read_unlock(&xfrm_state_afinfo_lock);
1954 /* Temporarily located here until net/xfrm/xfrm_tunnel.c is created */
1955 void xfrm_state_delete_tunnel(struct xfrm_state *x)
1958 struct xfrm_state *t = x->tunnel;
1960 if (atomic_read(&t->tunnel_users) == 2)
1961 xfrm_state_delete(t);
1962 atomic_dec(&t->tunnel_users);
1967 EXPORT_SYMBOL(xfrm_state_delete_tunnel);
1969 int xfrm_state_mtu(struct xfrm_state *x, int mtu)
1973 spin_lock_bh(&x->lock);
1974 if (x->km.state == XFRM_STATE_VALID &&
1975 x->type && x->type->get_mtu)
1976 res = x->type->get_mtu(x, mtu);
1978 res = mtu - x->props.header_len;
1979 spin_unlock_bh(&x->lock);
1983 int xfrm_init_state(struct xfrm_state *x)
1985 struct xfrm_state_afinfo *afinfo;
1986 struct xfrm_mode *inner_mode;
1987 int family = x->props.family;
1990 err = -EAFNOSUPPORT;
1991 afinfo = xfrm_state_get_afinfo(family);
1996 if (afinfo->init_flags)
1997 err = afinfo->init_flags(x);
1999 xfrm_state_put_afinfo(afinfo);
2004 err = -EPROTONOSUPPORT;
2006 if (x->sel.family != AF_UNSPEC) {
2007 inner_mode = xfrm_get_mode(x->props.mode, x->sel.family);
2008 if (inner_mode == NULL)
2011 if (!(inner_mode->flags & XFRM_MODE_FLAG_TUNNEL) &&
2012 family != x->sel.family) {
2013 xfrm_put_mode(inner_mode);
2017 x->inner_mode = inner_mode;
2019 struct xfrm_mode *inner_mode_iaf;
2021 inner_mode = xfrm_get_mode(x->props.mode, AF_INET);
2022 if (inner_mode == NULL)
2025 if (!(inner_mode->flags & XFRM_MODE_FLAG_TUNNEL)) {
2026 xfrm_put_mode(inner_mode);
2030 inner_mode_iaf = xfrm_get_mode(x->props.mode, AF_INET6);
2031 if (inner_mode_iaf == NULL)
2034 if (!(inner_mode_iaf->flags & XFRM_MODE_FLAG_TUNNEL)) {
2035 xfrm_put_mode(inner_mode_iaf);
2039 if (x->props.family == AF_INET) {
2040 x->inner_mode = inner_mode;
2041 x->inner_mode_iaf = inner_mode_iaf;
2043 x->inner_mode = inner_mode_iaf;
2044 x->inner_mode_iaf = inner_mode;
2048 x->type = xfrm_get_type(x->id.proto, family);
2049 if (x->type == NULL)
2052 err = x->type->init_state(x);
2056 x->outer_mode = xfrm_get_mode(x->props.mode, family);
2057 if (x->outer_mode == NULL)
2060 x->km.state = XFRM_STATE_VALID;
2066 EXPORT_SYMBOL(xfrm_init_state);
2068 int __net_init xfrm_state_init(struct net *net)
2072 INIT_LIST_HEAD(&net->xfrm.state_all);
2074 sz = sizeof(struct hlist_head) * 8;
2076 net->xfrm.state_bydst = xfrm_hash_alloc(sz);
2077 if (!net->xfrm.state_bydst)
2079 net->xfrm.state_bysrc = xfrm_hash_alloc(sz);
2080 if (!net->xfrm.state_bysrc)
2082 net->xfrm.state_byspi = xfrm_hash_alloc(sz);
2083 if (!net->xfrm.state_byspi)
2085 net->xfrm.state_hmask = ((sz / sizeof(struct hlist_head)) - 1);
2087 net->xfrm.state_num = 0;
2088 INIT_WORK(&net->xfrm.state_hash_work, xfrm_hash_resize);
2089 INIT_HLIST_HEAD(&net->xfrm.state_gc_list);
2090 INIT_WORK(&net->xfrm.state_gc_work, xfrm_state_gc_task);
2091 init_waitqueue_head(&net->xfrm.km_waitq);
2095 xfrm_hash_free(net->xfrm.state_bysrc, sz);
2097 xfrm_hash_free(net->xfrm.state_bydst, sz);
2102 void xfrm_state_fini(struct net *net)
2106 WARN_ON(!list_empty(&net->xfrm.state_all));
2108 sz = (net->xfrm.state_hmask + 1) * sizeof(struct hlist_head);
2109 WARN_ON(!hlist_empty(net->xfrm.state_byspi));
2110 xfrm_hash_free(net->xfrm.state_byspi, sz);
2111 WARN_ON(!hlist_empty(net->xfrm.state_bysrc));
2112 xfrm_hash_free(net->xfrm.state_bysrc, sz);
2113 WARN_ON(!hlist_empty(net->xfrm.state_bydst));
2114 xfrm_hash_free(net->xfrm.state_bydst, sz);
2117 #ifdef CONFIG_AUDITSYSCALL
2118 static void xfrm_audit_helper_sainfo(struct xfrm_state *x,
2119 struct audit_buffer *audit_buf)
2121 struct xfrm_sec_ctx *ctx = x->security;
2122 u32 spi = ntohl(x->id.spi);
2125 audit_log_format(audit_buf, " sec_alg=%u sec_doi=%u sec_obj=%s",
2126 ctx->ctx_alg, ctx->ctx_doi, ctx->ctx_str);
2128 switch(x->props.family) {
2130 audit_log_format(audit_buf, " src=%pI4 dst=%pI4",
2131 &x->props.saddr.a4, &x->id.daddr.a4);
2134 audit_log_format(audit_buf, " src=%pI6 dst=%pI6",
2135 x->props.saddr.a6, x->id.daddr.a6);
2139 audit_log_format(audit_buf, " spi=%u(0x%x)", spi, spi);
2142 static void xfrm_audit_helper_pktinfo(struct sk_buff *skb, u16 family,
2143 struct audit_buffer *audit_buf)
2146 struct ipv6hdr *iph6;
2151 audit_log_format(audit_buf, " src=%pI4 dst=%pI4",
2152 &iph4->saddr, &iph4->daddr);
2155 iph6 = ipv6_hdr(skb);
2156 audit_log_format(audit_buf,
2157 " src=%pI6 dst=%pI6 flowlbl=0x%x%02x%02x",
2158 &iph6->saddr,&iph6->daddr,
2159 iph6->flow_lbl[0] & 0x0f,
2166 void xfrm_audit_state_add(struct xfrm_state *x, int result,
2167 uid_t auid, u32 sessionid, u32 secid)
2169 struct audit_buffer *audit_buf;
2171 audit_buf = xfrm_audit_start("SAD-add");
2172 if (audit_buf == NULL)
2174 xfrm_audit_helper_usrinfo(auid, sessionid, secid, audit_buf);
2175 xfrm_audit_helper_sainfo(x, audit_buf);
2176 audit_log_format(audit_buf, " res=%u", result);
2177 audit_log_end(audit_buf);
2179 EXPORT_SYMBOL_GPL(xfrm_audit_state_add);
2181 void xfrm_audit_state_delete(struct xfrm_state *x, int result,
2182 uid_t auid, u32 sessionid, u32 secid)
2184 struct audit_buffer *audit_buf;
2186 audit_buf = xfrm_audit_start("SAD-delete");
2187 if (audit_buf == NULL)
2189 xfrm_audit_helper_usrinfo(auid, sessionid, secid, audit_buf);
2190 xfrm_audit_helper_sainfo(x, audit_buf);
2191 audit_log_format(audit_buf, " res=%u", result);
2192 audit_log_end(audit_buf);
2194 EXPORT_SYMBOL_GPL(xfrm_audit_state_delete);
2196 void xfrm_audit_state_replay_overflow(struct xfrm_state *x,
2197 struct sk_buff *skb)
2199 struct audit_buffer *audit_buf;
2202 audit_buf = xfrm_audit_start("SA-replay-overflow");
2203 if (audit_buf == NULL)
2205 xfrm_audit_helper_pktinfo(skb, x->props.family, audit_buf);
2206 /* don't record the sequence number because it's inherent in this kind
2207 * of audit message */
2208 spi = ntohl(x->id.spi);
2209 audit_log_format(audit_buf, " spi=%u(0x%x)", spi, spi);
2210 audit_log_end(audit_buf);
2212 EXPORT_SYMBOL_GPL(xfrm_audit_state_replay_overflow);
2214 static void xfrm_audit_state_replay(struct xfrm_state *x,
2215 struct sk_buff *skb, __be32 net_seq)
2217 struct audit_buffer *audit_buf;
2220 audit_buf = xfrm_audit_start("SA-replayed-pkt");
2221 if (audit_buf == NULL)
2223 xfrm_audit_helper_pktinfo(skb, x->props.family, audit_buf);
2224 spi = ntohl(x->id.spi);
2225 audit_log_format(audit_buf, " spi=%u(0x%x) seqno=%u",
2226 spi, spi, ntohl(net_seq));
2227 audit_log_end(audit_buf);
2230 void xfrm_audit_state_notfound_simple(struct sk_buff *skb, u16 family)
2232 struct audit_buffer *audit_buf;
2234 audit_buf = xfrm_audit_start("SA-notfound");
2235 if (audit_buf == NULL)
2237 xfrm_audit_helper_pktinfo(skb, family, audit_buf);
2238 audit_log_end(audit_buf);
2240 EXPORT_SYMBOL_GPL(xfrm_audit_state_notfound_simple);
2242 void xfrm_audit_state_notfound(struct sk_buff *skb, u16 family,
2243 __be32 net_spi, __be32 net_seq)
2245 struct audit_buffer *audit_buf;
2248 audit_buf = xfrm_audit_start("SA-notfound");
2249 if (audit_buf == NULL)
2251 xfrm_audit_helper_pktinfo(skb, family, audit_buf);
2252 spi = ntohl(net_spi);
2253 audit_log_format(audit_buf, " spi=%u(0x%x) seqno=%u",
2254 spi, spi, ntohl(net_seq));
2255 audit_log_end(audit_buf);
2257 EXPORT_SYMBOL_GPL(xfrm_audit_state_notfound);
2259 void xfrm_audit_state_icvfail(struct xfrm_state *x,
2260 struct sk_buff *skb, u8 proto)
2262 struct audit_buffer *audit_buf;
2266 audit_buf = xfrm_audit_start("SA-icv-failure");
2267 if (audit_buf == NULL)
2269 xfrm_audit_helper_pktinfo(skb, x->props.family, audit_buf);
2270 if (xfrm_parse_spi(skb, proto, &net_spi, &net_seq) == 0) {
2271 u32 spi = ntohl(net_spi);
2272 audit_log_format(audit_buf, " spi=%u(0x%x) seqno=%u",
2273 spi, spi, ntohl(net_seq));
2275 audit_log_end(audit_buf);
2277 EXPORT_SYMBOL_GPL(xfrm_audit_state_icvfail);
2278 #endif /* CONFIG_AUDITSYSCALL */
projects / linux-2.6-omap-h63xx.git / blob