6 * Kazunori MIYAZAWA @USAGI
7 * Kunihiro Ishiguro <kunihiro@ipinfusion.com>
9 * YOSHIFUJI Hideaki @USAGI
10 * Split up af-specific functions
11 * Derek Atkins <derek@ihtfp.com>
12 * Add UDP Encapsulation
16 #include <linux/workqueue.h>
18 #include <linux/pfkeyv2.h>
19 #include <linux/ipsec.h>
20 #include <linux/module.h>
21 #include <linux/cache.h>
22 #include <linux/audit.h>
23 #include <asm/uaccess.h>
25 #include "xfrm_hash.h"
28 EXPORT_SYMBOL(xfrm_nl);
30 u32 sysctl_xfrm_aevent_etime __read_mostly = XFRM_AE_ETIME;
31 EXPORT_SYMBOL(sysctl_xfrm_aevent_etime);
33 u32 sysctl_xfrm_aevent_rseqth __read_mostly = XFRM_AE_SEQT_SIZE;
34 EXPORT_SYMBOL(sysctl_xfrm_aevent_rseqth);
36 u32 sysctl_xfrm_acq_expires __read_mostly = 30;
38 /* Each xfrm_state may be linked to two tables:
40 1. Hash table by (spi,daddr,ah/esp) to find SA by SPI. (input,ctl)
41 2. Hash table by (daddr,family,reqid) to find what SAs exist for given
42 destination/tunnel endpoint. (output)
45 static DEFINE_SPINLOCK(xfrm_state_lock);
47 static unsigned int xfrm_state_hashmax __read_mostly = 1 * 1024 * 1024;
48 static unsigned int xfrm_state_genid;
50 static struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned int family);
51 static void xfrm_state_put_afinfo(struct xfrm_state_afinfo *afinfo);
53 #ifdef CONFIG_AUDITSYSCALL
54 static void xfrm_audit_state_replay(struct xfrm_state *x,
55 struct sk_buff *skb, __be32 net_seq);
57 #define xfrm_audit_state_replay(x, s, sq) do { ; } while (0)
58 #endif /* CONFIG_AUDITSYSCALL */
60 static inline unsigned int xfrm_dst_hash(xfrm_address_t *daddr,
61 xfrm_address_t *saddr,
63 unsigned short family)
65 return __xfrm_dst_hash(daddr, saddr, reqid, family, init_net.xfrm.state_hmask);
68 static inline unsigned int xfrm_src_hash(xfrm_address_t *daddr,
69 xfrm_address_t *saddr,
70 unsigned short family)
72 return __xfrm_src_hash(daddr, saddr, family, init_net.xfrm.state_hmask);
75 static inline unsigned int
76 xfrm_spi_hash(xfrm_address_t *daddr, __be32 spi, u8 proto, unsigned short family)
78 return __xfrm_spi_hash(daddr, spi, proto, family, init_net.xfrm.state_hmask);
81 static void xfrm_hash_transfer(struct hlist_head *list,
82 struct hlist_head *ndsttable,
83 struct hlist_head *nsrctable,
84 struct hlist_head *nspitable,
85 unsigned int nhashmask)
87 struct hlist_node *entry, *tmp;
90 hlist_for_each_entry_safe(x, entry, tmp, list, bydst) {
93 h = __xfrm_dst_hash(&x->id.daddr, &x->props.saddr,
94 x->props.reqid, x->props.family,
96 hlist_add_head(&x->bydst, ndsttable+h);
98 h = __xfrm_src_hash(&x->id.daddr, &x->props.saddr,
101 hlist_add_head(&x->bysrc, nsrctable+h);
104 h = __xfrm_spi_hash(&x->id.daddr, x->id.spi,
105 x->id.proto, x->props.family,
107 hlist_add_head(&x->byspi, nspitable+h);
112 static unsigned long xfrm_hash_new_size(void)
114 return ((init_net.xfrm.state_hmask + 1) << 1) *
115 sizeof(struct hlist_head);
118 static DEFINE_MUTEX(hash_resize_mutex);
120 static void xfrm_hash_resize(struct work_struct *__unused)
122 struct hlist_head *ndst, *nsrc, *nspi, *odst, *osrc, *ospi;
123 unsigned long nsize, osize;
124 unsigned int nhashmask, ohashmask;
127 mutex_lock(&hash_resize_mutex);
129 nsize = xfrm_hash_new_size();
130 ndst = xfrm_hash_alloc(nsize);
133 nsrc = xfrm_hash_alloc(nsize);
135 xfrm_hash_free(ndst, nsize);
138 nspi = xfrm_hash_alloc(nsize);
140 xfrm_hash_free(ndst, nsize);
141 xfrm_hash_free(nsrc, nsize);
145 spin_lock_bh(&xfrm_state_lock);
147 nhashmask = (nsize / sizeof(struct hlist_head)) - 1U;
148 for (i = init_net.xfrm.state_hmask; i >= 0; i--)
149 xfrm_hash_transfer(init_net.xfrm.state_bydst+i, ndst, nsrc, nspi,
152 odst = init_net.xfrm.state_bydst;
153 osrc = init_net.xfrm.state_bysrc;
154 ospi = init_net.xfrm.state_byspi;
155 ohashmask = init_net.xfrm.state_hmask;
157 init_net.xfrm.state_bydst = ndst;
158 init_net.xfrm.state_bysrc = nsrc;
159 init_net.xfrm.state_byspi = nspi;
160 init_net.xfrm.state_hmask = nhashmask;
162 spin_unlock_bh(&xfrm_state_lock);
164 osize = (ohashmask + 1) * sizeof(struct hlist_head);
165 xfrm_hash_free(odst, osize);
166 xfrm_hash_free(osrc, osize);
167 xfrm_hash_free(ospi, osize);
170 mutex_unlock(&hash_resize_mutex);
173 static DECLARE_WORK(xfrm_hash_work, xfrm_hash_resize);
175 DECLARE_WAIT_QUEUE_HEAD(km_waitq);
176 EXPORT_SYMBOL(km_waitq);
178 static DEFINE_RWLOCK(xfrm_state_afinfo_lock);
179 static struct xfrm_state_afinfo *xfrm_state_afinfo[NPROTO];
181 static struct work_struct xfrm_state_gc_work;
182 static HLIST_HEAD(xfrm_state_gc_list);
183 static DEFINE_SPINLOCK(xfrm_state_gc_lock);
185 int __xfrm_state_delete(struct xfrm_state *x);
187 int km_query(struct xfrm_state *x, struct xfrm_tmpl *t, struct xfrm_policy *pol);
188 void km_state_expired(struct xfrm_state *x, int hard, u32 pid);
190 static struct xfrm_state_afinfo *xfrm_state_lock_afinfo(unsigned int family)
192 struct xfrm_state_afinfo *afinfo;
193 if (unlikely(family >= NPROTO))
195 write_lock_bh(&xfrm_state_afinfo_lock);
196 afinfo = xfrm_state_afinfo[family];
197 if (unlikely(!afinfo))
198 write_unlock_bh(&xfrm_state_afinfo_lock);
202 static void xfrm_state_unlock_afinfo(struct xfrm_state_afinfo *afinfo)
203 __releases(xfrm_state_afinfo_lock)
205 write_unlock_bh(&xfrm_state_afinfo_lock);
208 int xfrm_register_type(const struct xfrm_type *type, unsigned short family)
210 struct xfrm_state_afinfo *afinfo = xfrm_state_lock_afinfo(family);
211 const struct xfrm_type **typemap;
214 if (unlikely(afinfo == NULL))
215 return -EAFNOSUPPORT;
216 typemap = afinfo->type_map;
218 if (likely(typemap[type->proto] == NULL))
219 typemap[type->proto] = type;
222 xfrm_state_unlock_afinfo(afinfo);
225 EXPORT_SYMBOL(xfrm_register_type);
227 int xfrm_unregister_type(const struct xfrm_type *type, unsigned short family)
229 struct xfrm_state_afinfo *afinfo = xfrm_state_lock_afinfo(family);
230 const struct xfrm_type **typemap;
233 if (unlikely(afinfo == NULL))
234 return -EAFNOSUPPORT;
235 typemap = afinfo->type_map;
237 if (unlikely(typemap[type->proto] != type))
240 typemap[type->proto] = NULL;
241 xfrm_state_unlock_afinfo(afinfo);
244 EXPORT_SYMBOL(xfrm_unregister_type);
246 static const struct xfrm_type *xfrm_get_type(u8 proto, unsigned short family)
248 struct xfrm_state_afinfo *afinfo;
249 const struct xfrm_type **typemap;
250 const struct xfrm_type *type;
251 int modload_attempted = 0;
254 afinfo = xfrm_state_get_afinfo(family);
255 if (unlikely(afinfo == NULL))
257 typemap = afinfo->type_map;
259 type = typemap[proto];
260 if (unlikely(type && !try_module_get(type->owner)))
262 if (!type && !modload_attempted) {
263 xfrm_state_put_afinfo(afinfo);
264 request_module("xfrm-type-%d-%d", family, proto);
265 modload_attempted = 1;
269 xfrm_state_put_afinfo(afinfo);
273 static void xfrm_put_type(const struct xfrm_type *type)
275 module_put(type->owner);
278 int xfrm_register_mode(struct xfrm_mode *mode, int family)
280 struct xfrm_state_afinfo *afinfo;
281 struct xfrm_mode **modemap;
284 if (unlikely(mode->encap >= XFRM_MODE_MAX))
287 afinfo = xfrm_state_lock_afinfo(family);
288 if (unlikely(afinfo == NULL))
289 return -EAFNOSUPPORT;
292 modemap = afinfo->mode_map;
293 if (modemap[mode->encap])
297 if (!try_module_get(afinfo->owner))
300 mode->afinfo = afinfo;
301 modemap[mode->encap] = mode;
305 xfrm_state_unlock_afinfo(afinfo);
308 EXPORT_SYMBOL(xfrm_register_mode);
310 int xfrm_unregister_mode(struct xfrm_mode *mode, int family)
312 struct xfrm_state_afinfo *afinfo;
313 struct xfrm_mode **modemap;
316 if (unlikely(mode->encap >= XFRM_MODE_MAX))
319 afinfo = xfrm_state_lock_afinfo(family);
320 if (unlikely(afinfo == NULL))
321 return -EAFNOSUPPORT;
324 modemap = afinfo->mode_map;
325 if (likely(modemap[mode->encap] == mode)) {
326 modemap[mode->encap] = NULL;
327 module_put(mode->afinfo->owner);
331 xfrm_state_unlock_afinfo(afinfo);
334 EXPORT_SYMBOL(xfrm_unregister_mode);
336 static struct xfrm_mode *xfrm_get_mode(unsigned int encap, int family)
338 struct xfrm_state_afinfo *afinfo;
339 struct xfrm_mode *mode;
340 int modload_attempted = 0;
342 if (unlikely(encap >= XFRM_MODE_MAX))
346 afinfo = xfrm_state_get_afinfo(family);
347 if (unlikely(afinfo == NULL))
350 mode = afinfo->mode_map[encap];
351 if (unlikely(mode && !try_module_get(mode->owner)))
353 if (!mode && !modload_attempted) {
354 xfrm_state_put_afinfo(afinfo);
355 request_module("xfrm-mode-%d-%d", family, encap);
356 modload_attempted = 1;
360 xfrm_state_put_afinfo(afinfo);
364 static void xfrm_put_mode(struct xfrm_mode *mode)
366 module_put(mode->owner);
369 static void xfrm_state_gc_destroy(struct xfrm_state *x)
371 del_timer_sync(&x->timer);
372 del_timer_sync(&x->rtimer);
379 xfrm_put_mode(x->inner_mode);
380 if (x->inner_mode_iaf)
381 xfrm_put_mode(x->inner_mode_iaf);
383 xfrm_put_mode(x->outer_mode);
385 x->type->destructor(x);
386 xfrm_put_type(x->type);
388 security_xfrm_state_free(x);
392 static void xfrm_state_gc_task(struct work_struct *data)
394 struct xfrm_state *x;
395 struct hlist_node *entry, *tmp;
396 struct hlist_head gc_list;
398 spin_lock_bh(&xfrm_state_gc_lock);
399 hlist_move_list(&xfrm_state_gc_list, &gc_list);
400 spin_unlock_bh(&xfrm_state_gc_lock);
402 hlist_for_each_entry_safe(x, entry, tmp, &gc_list, gclist)
403 xfrm_state_gc_destroy(x);
408 static inline unsigned long make_jiffies(long secs)
410 if (secs >= (MAX_SCHEDULE_TIMEOUT-1)/HZ)
411 return MAX_SCHEDULE_TIMEOUT-1;
416 static void xfrm_timer_handler(unsigned long data)
418 struct xfrm_state *x = (struct xfrm_state*)data;
419 unsigned long now = get_seconds();
420 long next = LONG_MAX;
425 if (x->km.state == XFRM_STATE_DEAD)
427 if (x->km.state == XFRM_STATE_EXPIRED)
429 if (x->lft.hard_add_expires_seconds) {
430 long tmo = x->lft.hard_add_expires_seconds +
431 x->curlft.add_time - now;
437 if (x->lft.hard_use_expires_seconds) {
438 long tmo = x->lft.hard_use_expires_seconds +
439 (x->curlft.use_time ? : now) - now;
447 if (x->lft.soft_add_expires_seconds) {
448 long tmo = x->lft.soft_add_expires_seconds +
449 x->curlft.add_time - now;
455 if (x->lft.soft_use_expires_seconds) {
456 long tmo = x->lft.soft_use_expires_seconds +
457 (x->curlft.use_time ? : now) - now;
466 km_state_expired(x, 0, 0);
468 if (next != LONG_MAX)
469 mod_timer(&x->timer, jiffies + make_jiffies(next));
474 if (x->km.state == XFRM_STATE_ACQ && x->id.spi == 0) {
475 x->km.state = XFRM_STATE_EXPIRED;
481 err = __xfrm_state_delete(x);
482 if (!err && x->id.spi)
483 km_state_expired(x, 1, 0);
485 xfrm_audit_state_delete(x, err ? 0 : 1,
486 audit_get_loginuid(current),
487 audit_get_sessionid(current), 0);
490 spin_unlock(&x->lock);
493 static void xfrm_replay_timer_handler(unsigned long data);
495 struct xfrm_state *xfrm_state_alloc(struct net *net)
497 struct xfrm_state *x;
499 x = kzalloc(sizeof(struct xfrm_state), GFP_ATOMIC);
502 write_pnet(&x->xs_net, net);
503 atomic_set(&x->refcnt, 1);
504 atomic_set(&x->tunnel_users, 0);
505 INIT_LIST_HEAD(&x->km.all);
506 INIT_HLIST_NODE(&x->bydst);
507 INIT_HLIST_NODE(&x->bysrc);
508 INIT_HLIST_NODE(&x->byspi);
509 setup_timer(&x->timer, xfrm_timer_handler, (unsigned long)x);
510 setup_timer(&x->rtimer, xfrm_replay_timer_handler,
512 x->curlft.add_time = get_seconds();
513 x->lft.soft_byte_limit = XFRM_INF;
514 x->lft.soft_packet_limit = XFRM_INF;
515 x->lft.hard_byte_limit = XFRM_INF;
516 x->lft.hard_packet_limit = XFRM_INF;
517 x->replay_maxage = 0;
518 x->replay_maxdiff = 0;
519 x->inner_mode = NULL;
520 x->inner_mode_iaf = NULL;
521 spin_lock_init(&x->lock);
525 EXPORT_SYMBOL(xfrm_state_alloc);
527 void __xfrm_state_destroy(struct xfrm_state *x)
529 WARN_ON(x->km.state != XFRM_STATE_DEAD);
531 spin_lock_bh(&xfrm_state_gc_lock);
532 hlist_add_head(&x->gclist, &xfrm_state_gc_list);
533 spin_unlock_bh(&xfrm_state_gc_lock);
534 schedule_work(&xfrm_state_gc_work);
536 EXPORT_SYMBOL(__xfrm_state_destroy);
538 int __xfrm_state_delete(struct xfrm_state *x)
542 if (x->km.state != XFRM_STATE_DEAD) {
543 x->km.state = XFRM_STATE_DEAD;
544 spin_lock(&xfrm_state_lock);
545 list_del(&x->km.all);
546 hlist_del(&x->bydst);
547 hlist_del(&x->bysrc);
549 hlist_del(&x->byspi);
550 init_net.xfrm.state_num--;
551 spin_unlock(&xfrm_state_lock);
553 /* All xfrm_state objects are created by xfrm_state_alloc.
554 * The xfrm_state_alloc call gives a reference, and that
555 * is what we are dropping here.
563 EXPORT_SYMBOL(__xfrm_state_delete);
565 int xfrm_state_delete(struct xfrm_state *x)
569 spin_lock_bh(&x->lock);
570 err = __xfrm_state_delete(x);
571 spin_unlock_bh(&x->lock);
575 EXPORT_SYMBOL(xfrm_state_delete);
577 #ifdef CONFIG_SECURITY_NETWORK_XFRM
579 xfrm_state_flush_secctx_check(u8 proto, struct xfrm_audit *audit_info)
583 for (i = 0; i <= init_net.xfrm.state_hmask; i++) {
584 struct hlist_node *entry;
585 struct xfrm_state *x;
587 hlist_for_each_entry(x, entry, init_net.xfrm.state_bydst+i, bydst) {
588 if (xfrm_id_proto_match(x->id.proto, proto) &&
589 (err = security_xfrm_state_delete(x)) != 0) {
590 xfrm_audit_state_delete(x, 0,
591 audit_info->loginuid,
592 audit_info->sessionid,
603 xfrm_state_flush_secctx_check(u8 proto, struct xfrm_audit *audit_info)
609 int xfrm_state_flush(u8 proto, struct xfrm_audit *audit_info)
613 spin_lock_bh(&xfrm_state_lock);
614 err = xfrm_state_flush_secctx_check(proto, audit_info);
618 for (i = 0; i <= init_net.xfrm.state_hmask; i++) {
619 struct hlist_node *entry;
620 struct xfrm_state *x;
622 hlist_for_each_entry(x, entry, init_net.xfrm.state_bydst+i, bydst) {
623 if (!xfrm_state_kern(x) &&
624 xfrm_id_proto_match(x->id.proto, proto)) {
626 spin_unlock_bh(&xfrm_state_lock);
628 err = xfrm_state_delete(x);
629 xfrm_audit_state_delete(x, err ? 0 : 1,
630 audit_info->loginuid,
631 audit_info->sessionid,
635 spin_lock_bh(&xfrm_state_lock);
643 spin_unlock_bh(&xfrm_state_lock);
647 EXPORT_SYMBOL(xfrm_state_flush);
649 void xfrm_sad_getinfo(struct xfrmk_sadinfo *si)
651 spin_lock_bh(&xfrm_state_lock);
652 si->sadcnt = init_net.xfrm.state_num;
653 si->sadhcnt = init_net.xfrm.state_hmask;
654 si->sadhmcnt = xfrm_state_hashmax;
655 spin_unlock_bh(&xfrm_state_lock);
657 EXPORT_SYMBOL(xfrm_sad_getinfo);
660 xfrm_init_tempsel(struct xfrm_state *x, struct flowi *fl,
661 struct xfrm_tmpl *tmpl,
662 xfrm_address_t *daddr, xfrm_address_t *saddr,
663 unsigned short family)
665 struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family);
668 afinfo->init_tempsel(x, fl, tmpl, daddr, saddr);
669 xfrm_state_put_afinfo(afinfo);
673 static struct xfrm_state *__xfrm_state_lookup(xfrm_address_t *daddr, __be32 spi, u8 proto, unsigned short family)
675 unsigned int h = xfrm_spi_hash(daddr, spi, proto, family);
676 struct xfrm_state *x;
677 struct hlist_node *entry;
679 hlist_for_each_entry(x, entry, init_net.xfrm.state_byspi+h, byspi) {
680 if (x->props.family != family ||
682 x->id.proto != proto)
687 if (x->id.daddr.a4 != daddr->a4)
691 if (!ipv6_addr_equal((struct in6_addr *)daddr,
705 static struct xfrm_state *__xfrm_state_lookup_byaddr(xfrm_address_t *daddr, xfrm_address_t *saddr, u8 proto, unsigned short family)
707 unsigned int h = xfrm_src_hash(daddr, saddr, family);
708 struct xfrm_state *x;
709 struct hlist_node *entry;
711 hlist_for_each_entry(x, entry, init_net.xfrm.state_bysrc+h, bysrc) {
712 if (x->props.family != family ||
713 x->id.proto != proto)
718 if (x->id.daddr.a4 != daddr->a4 ||
719 x->props.saddr.a4 != saddr->a4)
723 if (!ipv6_addr_equal((struct in6_addr *)daddr,
726 !ipv6_addr_equal((struct in6_addr *)saddr,
740 static inline struct xfrm_state *
741 __xfrm_state_locate(struct xfrm_state *x, int use_spi, int family)
744 return __xfrm_state_lookup(&x->id.daddr, x->id.spi,
745 x->id.proto, family);
747 return __xfrm_state_lookup_byaddr(&x->id.daddr,
749 x->id.proto, family);
752 static void xfrm_hash_grow_check(int have_hash_collision)
754 if (have_hash_collision &&
755 (init_net.xfrm.state_hmask + 1) < xfrm_state_hashmax &&
756 init_net.xfrm.state_num > init_net.xfrm.state_hmask)
757 schedule_work(&xfrm_hash_work);
761 xfrm_state_find(xfrm_address_t *daddr, xfrm_address_t *saddr,
762 struct flowi *fl, struct xfrm_tmpl *tmpl,
763 struct xfrm_policy *pol, int *err,
764 unsigned short family)
767 struct hlist_node *entry;
768 struct xfrm_state *x, *x0, *to_put;
769 int acquire_in_progress = 0;
771 struct xfrm_state *best = NULL;
775 spin_lock_bh(&xfrm_state_lock);
776 h = xfrm_dst_hash(daddr, saddr, tmpl->reqid, family);
777 hlist_for_each_entry(x, entry, init_net.xfrm.state_bydst+h, bydst) {
778 if (x->props.family == family &&
779 x->props.reqid == tmpl->reqid &&
780 !(x->props.flags & XFRM_STATE_WILDRECV) &&
781 xfrm_state_addr_check(x, daddr, saddr, family) &&
782 tmpl->mode == x->props.mode &&
783 tmpl->id.proto == x->id.proto &&
784 (tmpl->id.spi == x->id.spi || !tmpl->id.spi)) {
786 1. There is a valid state with matching selector.
788 2. Valid state with inappropriate selector. Skip.
790 Entering area of "sysdeps".
792 3. If state is not valid, selector is temporary,
793 it selects only session which triggered
794 previous resolution. Key manager will do
795 something to install a state with proper
798 if (x->km.state == XFRM_STATE_VALID) {
799 if ((x->sel.family && !xfrm_selector_match(&x->sel, fl, x->sel.family)) ||
800 !security_xfrm_state_pol_flow_match(x, pol, fl))
803 best->km.dying > x->km.dying ||
804 (best->km.dying == x->km.dying &&
805 best->curlft.add_time < x->curlft.add_time))
807 } else if (x->km.state == XFRM_STATE_ACQ) {
808 acquire_in_progress = 1;
809 } else if (x->km.state == XFRM_STATE_ERROR ||
810 x->km.state == XFRM_STATE_EXPIRED) {
811 if (xfrm_selector_match(&x->sel, fl, x->sel.family) &&
812 security_xfrm_state_pol_flow_match(x, pol, fl))
819 if (!x && !error && !acquire_in_progress) {
821 (x0 = __xfrm_state_lookup(daddr, tmpl->id.spi,
822 tmpl->id.proto, family)) != NULL) {
827 x = xfrm_state_alloc(&init_net);
832 /* Initialize temporary selector matching only
833 * to current session. */
834 xfrm_init_tempsel(x, fl, tmpl, daddr, saddr, family);
836 error = security_xfrm_state_alloc_acquire(x, pol->security, fl->secid);
838 x->km.state = XFRM_STATE_DEAD;
844 if (km_query(x, tmpl, pol) == 0) {
845 x->km.state = XFRM_STATE_ACQ;
846 list_add(&x->km.all, &init_net.xfrm.state_all);
847 hlist_add_head(&x->bydst, init_net.xfrm.state_bydst+h);
848 h = xfrm_src_hash(daddr, saddr, family);
849 hlist_add_head(&x->bysrc, init_net.xfrm.state_bysrc+h);
851 h = xfrm_spi_hash(&x->id.daddr, x->id.spi, x->id.proto, family);
852 hlist_add_head(&x->byspi, init_net.xfrm.state_byspi+h);
854 x->lft.hard_add_expires_seconds = sysctl_xfrm_acq_expires;
855 x->timer.expires = jiffies + sysctl_xfrm_acq_expires*HZ;
856 add_timer(&x->timer);
857 init_net.xfrm.state_num++;
858 xfrm_hash_grow_check(x->bydst.next != NULL);
860 x->km.state = XFRM_STATE_DEAD;
870 *err = acquire_in_progress ? -EAGAIN : error;
871 spin_unlock_bh(&xfrm_state_lock);
873 xfrm_state_put(to_put);
878 xfrm_stateonly_find(xfrm_address_t *daddr, xfrm_address_t *saddr,
879 unsigned short family, u8 mode, u8 proto, u32 reqid)
882 struct xfrm_state *rx = NULL, *x = NULL;
883 struct hlist_node *entry;
885 spin_lock(&xfrm_state_lock);
886 h = xfrm_dst_hash(daddr, saddr, reqid, family);
887 hlist_for_each_entry(x, entry, init_net.xfrm.state_bydst+h, bydst) {
888 if (x->props.family == family &&
889 x->props.reqid == reqid &&
890 !(x->props.flags & XFRM_STATE_WILDRECV) &&
891 xfrm_state_addr_check(x, daddr, saddr, family) &&
892 mode == x->props.mode &&
893 proto == x->id.proto &&
894 x->km.state == XFRM_STATE_VALID) {
902 spin_unlock(&xfrm_state_lock);
907 EXPORT_SYMBOL(xfrm_stateonly_find);
909 static void __xfrm_state_insert(struct xfrm_state *x)
913 x->genid = ++xfrm_state_genid;
915 list_add(&x->km.all, &init_net.xfrm.state_all);
917 h = xfrm_dst_hash(&x->id.daddr, &x->props.saddr,
918 x->props.reqid, x->props.family);
919 hlist_add_head(&x->bydst, init_net.xfrm.state_bydst+h);
921 h = xfrm_src_hash(&x->id.daddr, &x->props.saddr, x->props.family);
922 hlist_add_head(&x->bysrc, init_net.xfrm.state_bysrc+h);
925 h = xfrm_spi_hash(&x->id.daddr, x->id.spi, x->id.proto,
928 hlist_add_head(&x->byspi, init_net.xfrm.state_byspi+h);
931 mod_timer(&x->timer, jiffies + HZ);
932 if (x->replay_maxage)
933 mod_timer(&x->rtimer, jiffies + x->replay_maxage);
937 init_net.xfrm.state_num++;
939 xfrm_hash_grow_check(x->bydst.next != NULL);
942 /* xfrm_state_lock is held */
943 static void __xfrm_state_bump_genids(struct xfrm_state *xnew)
945 unsigned short family = xnew->props.family;
946 u32 reqid = xnew->props.reqid;
947 struct xfrm_state *x;
948 struct hlist_node *entry;
951 h = xfrm_dst_hash(&xnew->id.daddr, &xnew->props.saddr, reqid, family);
952 hlist_for_each_entry(x, entry, init_net.xfrm.state_bydst+h, bydst) {
953 if (x->props.family == family &&
954 x->props.reqid == reqid &&
955 !xfrm_addr_cmp(&x->id.daddr, &xnew->id.daddr, family) &&
956 !xfrm_addr_cmp(&x->props.saddr, &xnew->props.saddr, family))
957 x->genid = xfrm_state_genid;
961 void xfrm_state_insert(struct xfrm_state *x)
963 spin_lock_bh(&xfrm_state_lock);
964 __xfrm_state_bump_genids(x);
965 __xfrm_state_insert(x);
966 spin_unlock_bh(&xfrm_state_lock);
968 EXPORT_SYMBOL(xfrm_state_insert);
970 /* xfrm_state_lock is held */
971 static struct xfrm_state *__find_acq_core(unsigned short family, u8 mode, u32 reqid, u8 proto, xfrm_address_t *daddr, xfrm_address_t *saddr, int create)
973 unsigned int h = xfrm_dst_hash(daddr, saddr, reqid, family);
974 struct hlist_node *entry;
975 struct xfrm_state *x;
977 hlist_for_each_entry(x, entry, init_net.xfrm.state_bydst+h, bydst) {
978 if (x->props.reqid != reqid ||
979 x->props.mode != mode ||
980 x->props.family != family ||
981 x->km.state != XFRM_STATE_ACQ ||
983 x->id.proto != proto)
988 if (x->id.daddr.a4 != daddr->a4 ||
989 x->props.saddr.a4 != saddr->a4)
993 if (!ipv6_addr_equal((struct in6_addr *)x->id.daddr.a6,
994 (struct in6_addr *)daddr) ||
995 !ipv6_addr_equal((struct in6_addr *)
997 (struct in6_addr *)saddr))
1009 x = xfrm_state_alloc(&init_net);
1013 x->sel.daddr.a4 = daddr->a4;
1014 x->sel.saddr.a4 = saddr->a4;
1015 x->sel.prefixlen_d = 32;
1016 x->sel.prefixlen_s = 32;
1017 x->props.saddr.a4 = saddr->a4;
1018 x->id.daddr.a4 = daddr->a4;
1022 ipv6_addr_copy((struct in6_addr *)x->sel.daddr.a6,
1023 (struct in6_addr *)daddr);
1024 ipv6_addr_copy((struct in6_addr *)x->sel.saddr.a6,
1025 (struct in6_addr *)saddr);
1026 x->sel.prefixlen_d = 128;
1027 x->sel.prefixlen_s = 128;
1028 ipv6_addr_copy((struct in6_addr *)x->props.saddr.a6,
1029 (struct in6_addr *)saddr);
1030 ipv6_addr_copy((struct in6_addr *)x->id.daddr.a6,
1031 (struct in6_addr *)daddr);
1035 x->km.state = XFRM_STATE_ACQ;
1036 x->id.proto = proto;
1037 x->props.family = family;
1038 x->props.mode = mode;
1039 x->props.reqid = reqid;
1040 x->lft.hard_add_expires_seconds = sysctl_xfrm_acq_expires;
1042 x->timer.expires = jiffies + sysctl_xfrm_acq_expires*HZ;
1043 add_timer(&x->timer);
1044 list_add(&x->km.all, &init_net.xfrm.state_all);
1045 hlist_add_head(&x->bydst, init_net.xfrm.state_bydst+h);
1046 h = xfrm_src_hash(daddr, saddr, family);
1047 hlist_add_head(&x->bysrc, init_net.xfrm.state_bysrc+h);
1049 init_net.xfrm.state_num++;
1051 xfrm_hash_grow_check(x->bydst.next != NULL);
1057 static struct xfrm_state *__xfrm_find_acq_byseq(u32 seq);
1059 int xfrm_state_add(struct xfrm_state *x)
1061 struct xfrm_state *x1, *to_put;
1064 int use_spi = xfrm_id_proto_match(x->id.proto, IPSEC_PROTO_ANY);
1066 family = x->props.family;
1070 spin_lock_bh(&xfrm_state_lock);
1072 x1 = __xfrm_state_locate(x, use_spi, family);
1080 if (use_spi && x->km.seq) {
1081 x1 = __xfrm_find_acq_byseq(x->km.seq);
1082 if (x1 && ((x1->id.proto != x->id.proto) ||
1083 xfrm_addr_cmp(&x1->id.daddr, &x->id.daddr, family))) {
1090 x1 = __find_acq_core(family, x->props.mode, x->props.reqid,
1092 &x->id.daddr, &x->props.saddr, 0);
1094 __xfrm_state_bump_genids(x);
1095 __xfrm_state_insert(x);
1099 spin_unlock_bh(&xfrm_state_lock);
1102 xfrm_state_delete(x1);
1107 xfrm_state_put(to_put);
1111 EXPORT_SYMBOL(xfrm_state_add);
1113 #ifdef CONFIG_XFRM_MIGRATE
1114 static struct xfrm_state *xfrm_state_clone(struct xfrm_state *orig, int *errp)
1117 struct xfrm_state *x = xfrm_state_alloc(&init_net);
1121 memcpy(&x->id, &orig->id, sizeof(x->id));
1122 memcpy(&x->sel, &orig->sel, sizeof(x->sel));
1123 memcpy(&x->lft, &orig->lft, sizeof(x->lft));
1124 x->props.mode = orig->props.mode;
1125 x->props.replay_window = orig->props.replay_window;
1126 x->props.reqid = orig->props.reqid;
1127 x->props.family = orig->props.family;
1128 x->props.saddr = orig->props.saddr;
1131 x->aalg = xfrm_algo_clone(orig->aalg);
1135 x->props.aalgo = orig->props.aalgo;
1138 x->ealg = xfrm_algo_clone(orig->ealg);
1142 x->props.ealgo = orig->props.ealgo;
1145 x->calg = xfrm_algo_clone(orig->calg);
1149 x->props.calgo = orig->props.calgo;
1152 x->encap = kmemdup(orig->encap, sizeof(*x->encap), GFP_KERNEL);
1158 x->coaddr = kmemdup(orig->coaddr, sizeof(*x->coaddr),
1164 err = xfrm_init_state(x);
1168 x->props.flags = orig->props.flags;
1170 x->curlft.add_time = orig->curlft.add_time;
1171 x->km.state = orig->km.state;
1172 x->km.seq = orig->km.seq;
1190 /* xfrm_state_lock is held */
1191 struct xfrm_state * xfrm_migrate_state_find(struct xfrm_migrate *m)
1194 struct xfrm_state *x;
1195 struct hlist_node *entry;
1198 h = xfrm_dst_hash(&m->old_daddr, &m->old_saddr,
1199 m->reqid, m->old_family);
1200 hlist_for_each_entry(x, entry, init_net.xfrm.state_bydst+h, bydst) {
1201 if (x->props.mode != m->mode ||
1202 x->id.proto != m->proto)
1204 if (m->reqid && x->props.reqid != m->reqid)
1206 if (xfrm_addr_cmp(&x->id.daddr, &m->old_daddr,
1208 xfrm_addr_cmp(&x->props.saddr, &m->old_saddr,
1215 h = xfrm_src_hash(&m->old_daddr, &m->old_saddr,
1217 hlist_for_each_entry(x, entry, init_net.xfrm.state_bysrc+h, bysrc) {
1218 if (x->props.mode != m->mode ||
1219 x->id.proto != m->proto)
1221 if (xfrm_addr_cmp(&x->id.daddr, &m->old_daddr,
1223 xfrm_addr_cmp(&x->props.saddr, &m->old_saddr,
1233 EXPORT_SYMBOL(xfrm_migrate_state_find);
1235 struct xfrm_state * xfrm_state_migrate(struct xfrm_state *x,
1236 struct xfrm_migrate *m)
1238 struct xfrm_state *xc;
1241 xc = xfrm_state_clone(x, &err);
1245 memcpy(&xc->id.daddr, &m->new_daddr, sizeof(xc->id.daddr));
1246 memcpy(&xc->props.saddr, &m->new_saddr, sizeof(xc->props.saddr));
1249 if (!xfrm_addr_cmp(&x->id.daddr, &m->new_daddr, m->new_family)) {
1250 /* a care is needed when the destination address of the
1251 state is to be updated as it is a part of triplet */
1252 xfrm_state_insert(xc);
1254 if ((err = xfrm_state_add(xc)) < 0)
1263 EXPORT_SYMBOL(xfrm_state_migrate);
1266 int xfrm_state_update(struct xfrm_state *x)
1268 struct xfrm_state *x1, *to_put;
1270 int use_spi = xfrm_id_proto_match(x->id.proto, IPSEC_PROTO_ANY);
1274 spin_lock_bh(&xfrm_state_lock);
1275 x1 = __xfrm_state_locate(x, use_spi, x->props.family);
1281 if (xfrm_state_kern(x1)) {
1287 if (x1->km.state == XFRM_STATE_ACQ) {
1288 __xfrm_state_insert(x);
1294 spin_unlock_bh(&xfrm_state_lock);
1297 xfrm_state_put(to_put);
1303 xfrm_state_delete(x1);
1309 spin_lock_bh(&x1->lock);
1310 if (likely(x1->km.state == XFRM_STATE_VALID)) {
1311 if (x->encap && x1->encap)
1312 memcpy(x1->encap, x->encap, sizeof(*x1->encap));
1313 if (x->coaddr && x1->coaddr) {
1314 memcpy(x1->coaddr, x->coaddr, sizeof(*x1->coaddr));
1316 if (!use_spi && memcmp(&x1->sel, &x->sel, sizeof(x1->sel)))
1317 memcpy(&x1->sel, &x->sel, sizeof(x1->sel));
1318 memcpy(&x1->lft, &x->lft, sizeof(x1->lft));
1321 mod_timer(&x1->timer, jiffies + HZ);
1322 if (x1->curlft.use_time)
1323 xfrm_state_check_expire(x1);
1327 spin_unlock_bh(&x1->lock);
1333 EXPORT_SYMBOL(xfrm_state_update);
1335 int xfrm_state_check_expire(struct xfrm_state *x)
1337 if (!x->curlft.use_time)
1338 x->curlft.use_time = get_seconds();
1340 if (x->km.state != XFRM_STATE_VALID)
1343 if (x->curlft.bytes >= x->lft.hard_byte_limit ||
1344 x->curlft.packets >= x->lft.hard_packet_limit) {
1345 x->km.state = XFRM_STATE_EXPIRED;
1346 mod_timer(&x->timer, jiffies);
1351 (x->curlft.bytes >= x->lft.soft_byte_limit ||
1352 x->curlft.packets >= x->lft.soft_packet_limit)) {
1354 km_state_expired(x, 0, 0);
1358 EXPORT_SYMBOL(xfrm_state_check_expire);
1361 xfrm_state_lookup(xfrm_address_t *daddr, __be32 spi, u8 proto,
1362 unsigned short family)
1364 struct xfrm_state *x;
1366 spin_lock_bh(&xfrm_state_lock);
1367 x = __xfrm_state_lookup(daddr, spi, proto, family);
1368 spin_unlock_bh(&xfrm_state_lock);
1371 EXPORT_SYMBOL(xfrm_state_lookup);
1374 xfrm_state_lookup_byaddr(xfrm_address_t *daddr, xfrm_address_t *saddr,
1375 u8 proto, unsigned short family)
1377 struct xfrm_state *x;
1379 spin_lock_bh(&xfrm_state_lock);
1380 x = __xfrm_state_lookup_byaddr(daddr, saddr, proto, family);
1381 spin_unlock_bh(&xfrm_state_lock);
1384 EXPORT_SYMBOL(xfrm_state_lookup_byaddr);
1387 xfrm_find_acq(u8 mode, u32 reqid, u8 proto,
1388 xfrm_address_t *daddr, xfrm_address_t *saddr,
1389 int create, unsigned short family)
1391 struct xfrm_state *x;
1393 spin_lock_bh(&xfrm_state_lock);
1394 x = __find_acq_core(family, mode, reqid, proto, daddr, saddr, create);
1395 spin_unlock_bh(&xfrm_state_lock);
1399 EXPORT_SYMBOL(xfrm_find_acq);
1401 #ifdef CONFIG_XFRM_SUB_POLICY
1403 xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, int n,
1404 unsigned short family)
1407 struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family);
1409 return -EAFNOSUPPORT;
1411 spin_lock_bh(&xfrm_state_lock);
1412 if (afinfo->tmpl_sort)
1413 err = afinfo->tmpl_sort(dst, src, n);
1414 spin_unlock_bh(&xfrm_state_lock);
1415 xfrm_state_put_afinfo(afinfo);
1418 EXPORT_SYMBOL(xfrm_tmpl_sort);
1421 xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src, int n,
1422 unsigned short family)
1425 struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family);
1427 return -EAFNOSUPPORT;
1429 spin_lock_bh(&xfrm_state_lock);
1430 if (afinfo->state_sort)
1431 err = afinfo->state_sort(dst, src, n);
1432 spin_unlock_bh(&xfrm_state_lock);
1433 xfrm_state_put_afinfo(afinfo);
1436 EXPORT_SYMBOL(xfrm_state_sort);
1439 /* Silly enough, but I'm lazy to build resolution list */
1441 static struct xfrm_state *__xfrm_find_acq_byseq(u32 seq)
1445 for (i = 0; i <= init_net.xfrm.state_hmask; i++) {
1446 struct hlist_node *entry;
1447 struct xfrm_state *x;
1449 hlist_for_each_entry(x, entry, init_net.xfrm.state_bydst+i, bydst) {
1450 if (x->km.seq == seq &&
1451 x->km.state == XFRM_STATE_ACQ) {
1460 struct xfrm_state *xfrm_find_acq_byseq(u32 seq)
1462 struct xfrm_state *x;
1464 spin_lock_bh(&xfrm_state_lock);
1465 x = __xfrm_find_acq_byseq(seq);
1466 spin_unlock_bh(&xfrm_state_lock);
1469 EXPORT_SYMBOL(xfrm_find_acq_byseq);
1471 u32 xfrm_get_acqseq(void)
1475 static DEFINE_SPINLOCK(acqseq_lock);
1477 spin_lock_bh(&acqseq_lock);
1478 res = (++acqseq ? : ++acqseq);
1479 spin_unlock_bh(&acqseq_lock);
1482 EXPORT_SYMBOL(xfrm_get_acqseq);
1484 int xfrm_alloc_spi(struct xfrm_state *x, u32 low, u32 high)
1487 struct xfrm_state *x0;
1489 __be32 minspi = htonl(low);
1490 __be32 maxspi = htonl(high);
1492 spin_lock_bh(&x->lock);
1493 if (x->km.state == XFRM_STATE_DEAD)
1502 if (minspi == maxspi) {
1503 x0 = xfrm_state_lookup(&x->id.daddr, minspi, x->id.proto, x->props.family);
1511 for (h=0; h<high-low+1; h++) {
1512 spi = low + net_random()%(high-low+1);
1513 x0 = xfrm_state_lookup(&x->id.daddr, htonl(spi), x->id.proto, x->props.family);
1515 x->id.spi = htonl(spi);
1522 spin_lock_bh(&xfrm_state_lock);
1523 h = xfrm_spi_hash(&x->id.daddr, x->id.spi, x->id.proto, x->props.family);
1524 hlist_add_head(&x->byspi, init_net.xfrm.state_byspi+h);
1525 spin_unlock_bh(&xfrm_state_lock);
1531 spin_unlock_bh(&x->lock);
1535 EXPORT_SYMBOL(xfrm_alloc_spi);
1537 int xfrm_state_walk(struct xfrm_state_walk *walk,
1538 int (*func)(struct xfrm_state *, int, void*),
1541 struct xfrm_state *state;
1542 struct xfrm_state_walk *x;
1545 if (walk->seq != 0 && list_empty(&walk->all))
1548 spin_lock_bh(&xfrm_state_lock);
1549 if (list_empty(&walk->all))
1550 x = list_first_entry(&init_net.xfrm.state_all, struct xfrm_state_walk, all);
1552 x = list_entry(&walk->all, struct xfrm_state_walk, all);
1553 list_for_each_entry_from(x, &init_net.xfrm.state_all, all) {
1554 if (x->state == XFRM_STATE_DEAD)
1556 state = container_of(x, struct xfrm_state, km);
1557 if (!xfrm_id_proto_match(state->id.proto, walk->proto))
1559 err = func(state, walk->seq, data);
1561 list_move_tail(&walk->all, &x->all);
1566 if (walk->seq == 0) {
1570 list_del_init(&walk->all);
1572 spin_unlock_bh(&xfrm_state_lock);
1575 EXPORT_SYMBOL(xfrm_state_walk);
1577 void xfrm_state_walk_init(struct xfrm_state_walk *walk, u8 proto)
1579 INIT_LIST_HEAD(&walk->all);
1580 walk->proto = proto;
1581 walk->state = XFRM_STATE_DEAD;
1584 EXPORT_SYMBOL(xfrm_state_walk_init);
1586 void xfrm_state_walk_done(struct xfrm_state_walk *walk)
1588 if (list_empty(&walk->all))
1591 spin_lock_bh(&xfrm_state_lock);
1592 list_del(&walk->all);
1593 spin_lock_bh(&xfrm_state_lock);
1595 EXPORT_SYMBOL(xfrm_state_walk_done);
1598 void xfrm_replay_notify(struct xfrm_state *x, int event)
1601 /* we send notify messages in case
1602 * 1. we updated on of the sequence numbers, and the seqno difference
1603 * is at least x->replay_maxdiff, in this case we also update the
1604 * timeout of our timer function
1605 * 2. if x->replay_maxage has elapsed since last update,
1606 * and there were changes
1608 * The state structure must be locked!
1612 case XFRM_REPLAY_UPDATE:
1613 if (x->replay_maxdiff &&
1614 (x->replay.seq - x->preplay.seq < x->replay_maxdiff) &&
1615 (x->replay.oseq - x->preplay.oseq < x->replay_maxdiff)) {
1616 if (x->xflags & XFRM_TIME_DEFER)
1617 event = XFRM_REPLAY_TIMEOUT;
1624 case XFRM_REPLAY_TIMEOUT:
1625 if ((x->replay.seq == x->preplay.seq) &&
1626 (x->replay.bitmap == x->preplay.bitmap) &&
1627 (x->replay.oseq == x->preplay.oseq)) {
1628 x->xflags |= XFRM_TIME_DEFER;
1635 memcpy(&x->preplay, &x->replay, sizeof(struct xfrm_replay_state));
1636 c.event = XFRM_MSG_NEWAE;
1637 c.data.aevent = event;
1638 km_state_notify(x, &c);
1640 if (x->replay_maxage &&
1641 !mod_timer(&x->rtimer, jiffies + x->replay_maxage))
1642 x->xflags &= ~XFRM_TIME_DEFER;
1645 static void xfrm_replay_timer_handler(unsigned long data)
1647 struct xfrm_state *x = (struct xfrm_state*)data;
1649 spin_lock(&x->lock);
1651 if (x->km.state == XFRM_STATE_VALID) {
1652 if (xfrm_aevent_is_on())
1653 xfrm_replay_notify(x, XFRM_REPLAY_TIMEOUT);
1655 x->xflags |= XFRM_TIME_DEFER;
1658 spin_unlock(&x->lock);
1661 int xfrm_replay_check(struct xfrm_state *x,
1662 struct sk_buff *skb, __be32 net_seq)
1665 u32 seq = ntohl(net_seq);
1667 if (unlikely(seq == 0))
1670 if (likely(seq > x->replay.seq))
1673 diff = x->replay.seq - seq;
1674 if (diff >= min_t(unsigned int, x->props.replay_window,
1675 sizeof(x->replay.bitmap) * 8)) {
1676 x->stats.replay_window++;
1680 if (x->replay.bitmap & (1U << diff)) {
1687 xfrm_audit_state_replay(x, skb, net_seq);
1691 void xfrm_replay_advance(struct xfrm_state *x, __be32 net_seq)
1694 u32 seq = ntohl(net_seq);
1696 if (seq > x->replay.seq) {
1697 diff = seq - x->replay.seq;
1698 if (diff < x->props.replay_window)
1699 x->replay.bitmap = ((x->replay.bitmap) << diff) | 1;
1701 x->replay.bitmap = 1;
1702 x->replay.seq = seq;
1704 diff = x->replay.seq - seq;
1705 x->replay.bitmap |= (1U << diff);
1708 if (xfrm_aevent_is_on())
1709 xfrm_replay_notify(x, XFRM_REPLAY_UPDATE);
1712 static LIST_HEAD(xfrm_km_list);
1713 static DEFINE_RWLOCK(xfrm_km_lock);
1715 void km_policy_notify(struct xfrm_policy *xp, int dir, struct km_event *c)
1717 struct xfrm_mgr *km;
1719 read_lock(&xfrm_km_lock);
1720 list_for_each_entry(km, &xfrm_km_list, list)
1721 if (km->notify_policy)
1722 km->notify_policy(xp, dir, c);
1723 read_unlock(&xfrm_km_lock);
1726 void km_state_notify(struct xfrm_state *x, struct km_event *c)
1728 struct xfrm_mgr *km;
1729 read_lock(&xfrm_km_lock);
1730 list_for_each_entry(km, &xfrm_km_list, list)
1733 read_unlock(&xfrm_km_lock);
1736 EXPORT_SYMBOL(km_policy_notify);
1737 EXPORT_SYMBOL(km_state_notify);
1739 void km_state_expired(struct xfrm_state *x, int hard, u32 pid)
1745 c.event = XFRM_MSG_EXPIRE;
1746 km_state_notify(x, &c);
1752 EXPORT_SYMBOL(km_state_expired);
1754 * We send to all registered managers regardless of failure
1755 * We are happy with one success
1757 int km_query(struct xfrm_state *x, struct xfrm_tmpl *t, struct xfrm_policy *pol)
1759 int err = -EINVAL, acqret;
1760 struct xfrm_mgr *km;
1762 read_lock(&xfrm_km_lock);
1763 list_for_each_entry(km, &xfrm_km_list, list) {
1764 acqret = km->acquire(x, t, pol, XFRM_POLICY_OUT);
1768 read_unlock(&xfrm_km_lock);
1771 EXPORT_SYMBOL(km_query);
1773 int km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport)
1776 struct xfrm_mgr *km;
1778 read_lock(&xfrm_km_lock);
1779 list_for_each_entry(km, &xfrm_km_list, list) {
1780 if (km->new_mapping)
1781 err = km->new_mapping(x, ipaddr, sport);
1785 read_unlock(&xfrm_km_lock);
1788 EXPORT_SYMBOL(km_new_mapping);
1790 void km_policy_expired(struct xfrm_policy *pol, int dir, int hard, u32 pid)
1796 c.event = XFRM_MSG_POLEXPIRE;
1797 km_policy_notify(pol, dir, &c);
1802 EXPORT_SYMBOL(km_policy_expired);
1804 #ifdef CONFIG_XFRM_MIGRATE
1805 int km_migrate(struct xfrm_selector *sel, u8 dir, u8 type,
1806 struct xfrm_migrate *m, int num_migrate,
1807 struct xfrm_kmaddress *k)
1811 struct xfrm_mgr *km;
1813 read_lock(&xfrm_km_lock);
1814 list_for_each_entry(km, &xfrm_km_list, list) {
1816 ret = km->migrate(sel, dir, type, m, num_migrate, k);
1821 read_unlock(&xfrm_km_lock);
1824 EXPORT_SYMBOL(km_migrate);
1827 int km_report(u8 proto, struct xfrm_selector *sel, xfrm_address_t *addr)
1831 struct xfrm_mgr *km;
1833 read_lock(&xfrm_km_lock);
1834 list_for_each_entry(km, &xfrm_km_list, list) {
1836 ret = km->report(proto, sel, addr);
1841 read_unlock(&xfrm_km_lock);
1844 EXPORT_SYMBOL(km_report);
1846 int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen)
1850 struct xfrm_mgr *km;
1851 struct xfrm_policy *pol = NULL;
1853 if (optlen <= 0 || optlen > PAGE_SIZE)
1856 data = kmalloc(optlen, GFP_KERNEL);
1861 if (copy_from_user(data, optval, optlen))
1865 read_lock(&xfrm_km_lock);
1866 list_for_each_entry(km, &xfrm_km_list, list) {
1867 pol = km->compile_policy(sk, optname, data,
1872 read_unlock(&xfrm_km_lock);
1875 xfrm_sk_policy_insert(sk, err, pol);
1884 EXPORT_SYMBOL(xfrm_user_policy);
1886 int xfrm_register_km(struct xfrm_mgr *km)
1888 write_lock_bh(&xfrm_km_lock);
1889 list_add_tail(&km->list, &xfrm_km_list);
1890 write_unlock_bh(&xfrm_km_lock);
1893 EXPORT_SYMBOL(xfrm_register_km);
1895 int xfrm_unregister_km(struct xfrm_mgr *km)
1897 write_lock_bh(&xfrm_km_lock);
1898 list_del(&km->list);
1899 write_unlock_bh(&xfrm_km_lock);
1902 EXPORT_SYMBOL(xfrm_unregister_km);
1904 int xfrm_state_register_afinfo(struct xfrm_state_afinfo *afinfo)
1907 if (unlikely(afinfo == NULL))
1909 if (unlikely(afinfo->family >= NPROTO))
1910 return -EAFNOSUPPORT;
1911 write_lock_bh(&xfrm_state_afinfo_lock);
1912 if (unlikely(xfrm_state_afinfo[afinfo->family] != NULL))
1915 xfrm_state_afinfo[afinfo->family] = afinfo;
1916 write_unlock_bh(&xfrm_state_afinfo_lock);
1919 EXPORT_SYMBOL(xfrm_state_register_afinfo);
1921 int xfrm_state_unregister_afinfo(struct xfrm_state_afinfo *afinfo)
1924 if (unlikely(afinfo == NULL))
1926 if (unlikely(afinfo->family >= NPROTO))
1927 return -EAFNOSUPPORT;
1928 write_lock_bh(&xfrm_state_afinfo_lock);
1929 if (likely(xfrm_state_afinfo[afinfo->family] != NULL)) {
1930 if (unlikely(xfrm_state_afinfo[afinfo->family] != afinfo))
1933 xfrm_state_afinfo[afinfo->family] = NULL;
1935 write_unlock_bh(&xfrm_state_afinfo_lock);
1938 EXPORT_SYMBOL(xfrm_state_unregister_afinfo);
1940 static struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned int family)
1942 struct xfrm_state_afinfo *afinfo;
1943 if (unlikely(family >= NPROTO))
1945 read_lock(&xfrm_state_afinfo_lock);
1946 afinfo = xfrm_state_afinfo[family];
1947 if (unlikely(!afinfo))
1948 read_unlock(&xfrm_state_afinfo_lock);
1952 static void xfrm_state_put_afinfo(struct xfrm_state_afinfo *afinfo)
1953 __releases(xfrm_state_afinfo_lock)
1955 read_unlock(&xfrm_state_afinfo_lock);
1958 /* Temporarily located here until net/xfrm/xfrm_tunnel.c is created */
1959 void xfrm_state_delete_tunnel(struct xfrm_state *x)
1962 struct xfrm_state *t = x->tunnel;
1964 if (atomic_read(&t->tunnel_users) == 2)
1965 xfrm_state_delete(t);
1966 atomic_dec(&t->tunnel_users);
1971 EXPORT_SYMBOL(xfrm_state_delete_tunnel);
1973 int xfrm_state_mtu(struct xfrm_state *x, int mtu)
1977 spin_lock_bh(&x->lock);
1978 if (x->km.state == XFRM_STATE_VALID &&
1979 x->type && x->type->get_mtu)
1980 res = x->type->get_mtu(x, mtu);
1982 res = mtu - x->props.header_len;
1983 spin_unlock_bh(&x->lock);
1987 int xfrm_init_state(struct xfrm_state *x)
1989 struct xfrm_state_afinfo *afinfo;
1990 struct xfrm_mode *inner_mode;
1991 int family = x->props.family;
1994 err = -EAFNOSUPPORT;
1995 afinfo = xfrm_state_get_afinfo(family);
2000 if (afinfo->init_flags)
2001 err = afinfo->init_flags(x);
2003 xfrm_state_put_afinfo(afinfo);
2008 err = -EPROTONOSUPPORT;
2010 if (x->sel.family != AF_UNSPEC) {
2011 inner_mode = xfrm_get_mode(x->props.mode, x->sel.family);
2012 if (inner_mode == NULL)
2015 if (!(inner_mode->flags & XFRM_MODE_FLAG_TUNNEL) &&
2016 family != x->sel.family) {
2017 xfrm_put_mode(inner_mode);
2021 x->inner_mode = inner_mode;
2023 struct xfrm_mode *inner_mode_iaf;
2025 inner_mode = xfrm_get_mode(x->props.mode, AF_INET);
2026 if (inner_mode == NULL)
2029 if (!(inner_mode->flags & XFRM_MODE_FLAG_TUNNEL)) {
2030 xfrm_put_mode(inner_mode);
2034 inner_mode_iaf = xfrm_get_mode(x->props.mode, AF_INET6);
2035 if (inner_mode_iaf == NULL)
2038 if (!(inner_mode_iaf->flags & XFRM_MODE_FLAG_TUNNEL)) {
2039 xfrm_put_mode(inner_mode_iaf);
2043 if (x->props.family == AF_INET) {
2044 x->inner_mode = inner_mode;
2045 x->inner_mode_iaf = inner_mode_iaf;
2047 x->inner_mode = inner_mode_iaf;
2048 x->inner_mode_iaf = inner_mode;
2052 x->type = xfrm_get_type(x->id.proto, family);
2053 if (x->type == NULL)
2056 err = x->type->init_state(x);
2060 x->outer_mode = xfrm_get_mode(x->props.mode, family);
2061 if (x->outer_mode == NULL)
2064 x->km.state = XFRM_STATE_VALID;
2070 EXPORT_SYMBOL(xfrm_init_state);
2072 int __net_init xfrm_state_init(struct net *net)
2076 INIT_LIST_HEAD(&net->xfrm.state_all);
2078 sz = sizeof(struct hlist_head) * 8;
2080 net->xfrm.state_bydst = xfrm_hash_alloc(sz);
2081 if (!net->xfrm.state_bydst)
2083 net->xfrm.state_bysrc = xfrm_hash_alloc(sz);
2084 if (!net->xfrm.state_bysrc)
2086 net->xfrm.state_byspi = xfrm_hash_alloc(sz);
2087 if (!net->xfrm.state_byspi)
2089 net->xfrm.state_hmask = ((sz / sizeof(struct hlist_head)) - 1);
2091 net->xfrm.state_num = 0;
2092 INIT_WORK(&xfrm_state_gc_work, xfrm_state_gc_task);
2096 xfrm_hash_free(net->xfrm.state_bysrc, sz);
2098 xfrm_hash_free(net->xfrm.state_bydst, sz);
2103 void xfrm_state_fini(struct net *net)
2107 WARN_ON(!list_empty(&net->xfrm.state_all));
2109 sz = (net->xfrm.state_hmask + 1) * sizeof(struct hlist_head);
2110 WARN_ON(!hlist_empty(net->xfrm.state_byspi));
2111 xfrm_hash_free(net->xfrm.state_byspi, sz);
2112 WARN_ON(!hlist_empty(net->xfrm.state_bysrc));
2113 xfrm_hash_free(net->xfrm.state_bysrc, sz);
2114 WARN_ON(!hlist_empty(net->xfrm.state_bydst));
2115 xfrm_hash_free(net->xfrm.state_bydst, sz);
2118 #ifdef CONFIG_AUDITSYSCALL
2119 static void xfrm_audit_helper_sainfo(struct xfrm_state *x,
2120 struct audit_buffer *audit_buf)
2122 struct xfrm_sec_ctx *ctx = x->security;
2123 u32 spi = ntohl(x->id.spi);
2126 audit_log_format(audit_buf, " sec_alg=%u sec_doi=%u sec_obj=%s",
2127 ctx->ctx_alg, ctx->ctx_doi, ctx->ctx_str);
2129 switch(x->props.family) {
2131 audit_log_format(audit_buf, " src=%pI4 dst=%pI4",
2132 &x->props.saddr.a4, &x->id.daddr.a4);
2135 audit_log_format(audit_buf, " src=%pI6 dst=%pI6",
2136 x->props.saddr.a6, x->id.daddr.a6);
2140 audit_log_format(audit_buf, " spi=%u(0x%x)", spi, spi);
2143 static void xfrm_audit_helper_pktinfo(struct sk_buff *skb, u16 family,
2144 struct audit_buffer *audit_buf)
2147 struct ipv6hdr *iph6;
2152 audit_log_format(audit_buf, " src=%pI4 dst=%pI4",
2153 &iph4->saddr, &iph4->daddr);
2156 iph6 = ipv6_hdr(skb);
2157 audit_log_format(audit_buf,
2158 " src=%pI6 dst=%pI6 flowlbl=0x%x%02x%02x",
2159 &iph6->saddr,&iph6->daddr,
2160 iph6->flow_lbl[0] & 0x0f,
2167 void xfrm_audit_state_add(struct xfrm_state *x, int result,
2168 uid_t auid, u32 sessionid, u32 secid)
2170 struct audit_buffer *audit_buf;
2172 audit_buf = xfrm_audit_start("SAD-add");
2173 if (audit_buf == NULL)
2175 xfrm_audit_helper_usrinfo(auid, sessionid, secid, audit_buf);
2176 xfrm_audit_helper_sainfo(x, audit_buf);
2177 audit_log_format(audit_buf, " res=%u", result);
2178 audit_log_end(audit_buf);
2180 EXPORT_SYMBOL_GPL(xfrm_audit_state_add);
2182 void xfrm_audit_state_delete(struct xfrm_state *x, int result,
2183 uid_t auid, u32 sessionid, u32 secid)
2185 struct audit_buffer *audit_buf;
2187 audit_buf = xfrm_audit_start("SAD-delete");
2188 if (audit_buf == NULL)
2190 xfrm_audit_helper_usrinfo(auid, sessionid, secid, audit_buf);
2191 xfrm_audit_helper_sainfo(x, audit_buf);
2192 audit_log_format(audit_buf, " res=%u", result);
2193 audit_log_end(audit_buf);
2195 EXPORT_SYMBOL_GPL(xfrm_audit_state_delete);
2197 void xfrm_audit_state_replay_overflow(struct xfrm_state *x,
2198 struct sk_buff *skb)
2200 struct audit_buffer *audit_buf;
2203 audit_buf = xfrm_audit_start("SA-replay-overflow");
2204 if (audit_buf == NULL)
2206 xfrm_audit_helper_pktinfo(skb, x->props.family, audit_buf);
2207 /* don't record the sequence number because it's inherent in this kind
2208 * of audit message */
2209 spi = ntohl(x->id.spi);
2210 audit_log_format(audit_buf, " spi=%u(0x%x)", spi, spi);
2211 audit_log_end(audit_buf);
2213 EXPORT_SYMBOL_GPL(xfrm_audit_state_replay_overflow);
2215 static void xfrm_audit_state_replay(struct xfrm_state *x,
2216 struct sk_buff *skb, __be32 net_seq)
2218 struct audit_buffer *audit_buf;
2221 audit_buf = xfrm_audit_start("SA-replayed-pkt");
2222 if (audit_buf == NULL)
2224 xfrm_audit_helper_pktinfo(skb, x->props.family, audit_buf);
2225 spi = ntohl(x->id.spi);
2226 audit_log_format(audit_buf, " spi=%u(0x%x) seqno=%u",
2227 spi, spi, ntohl(net_seq));
2228 audit_log_end(audit_buf);
2231 void xfrm_audit_state_notfound_simple(struct sk_buff *skb, u16 family)
2233 struct audit_buffer *audit_buf;
2235 audit_buf = xfrm_audit_start("SA-notfound");
2236 if (audit_buf == NULL)
2238 xfrm_audit_helper_pktinfo(skb, family, audit_buf);
2239 audit_log_end(audit_buf);
2241 EXPORT_SYMBOL_GPL(xfrm_audit_state_notfound_simple);
2243 void xfrm_audit_state_notfound(struct sk_buff *skb, u16 family,
2244 __be32 net_spi, __be32 net_seq)
2246 struct audit_buffer *audit_buf;
2249 audit_buf = xfrm_audit_start("SA-notfound");
2250 if (audit_buf == NULL)
2252 xfrm_audit_helper_pktinfo(skb, family, audit_buf);
2253 spi = ntohl(net_spi);
2254 audit_log_format(audit_buf, " spi=%u(0x%x) seqno=%u",
2255 spi, spi, ntohl(net_seq));
2256 audit_log_end(audit_buf);
2258 EXPORT_SYMBOL_GPL(xfrm_audit_state_notfound);
2260 void xfrm_audit_state_icvfail(struct xfrm_state *x,
2261 struct sk_buff *skb, u8 proto)
2263 struct audit_buffer *audit_buf;
2267 audit_buf = xfrm_audit_start("SA-icv-failure");
2268 if (audit_buf == NULL)
2270 xfrm_audit_helper_pktinfo(skb, x->props.family, audit_buf);
2271 if (xfrm_parse_spi(skb, proto, &net_spi, &net_seq) == 0) {
2272 u32 spi = ntohl(net_spi);
2273 audit_log_format(audit_buf, " spi=%u(0x%x) seqno=%u",
2274 spi, spi, ntohl(net_seq));
2276 audit_log_end(audit_buf);
2278 EXPORT_SYMBOL_GPL(xfrm_audit_state_icvfail);
2279 #endif /* CONFIG_AUDITSYSCALL */
projects / linux-2.6-omap-h63xx.git / blob