6 * Kazunori MIYAZAWA @USAGI
7 * Kunihiro Ishiguro <kunihiro@ipinfusion.com>
9 * YOSHIFUJI Hideaki @USAGI
10 * Split up af-specific functions
11 * Derek Atkins <derek@ihtfp.com>
12 * Add UDP Encapsulation
16 #include <linux/workqueue.h>
18 #include <linux/pfkeyv2.h>
19 #include <linux/ipsec.h>
20 #include <linux/module.h>
21 #include <linux/cache.h>
22 #include <linux/audit.h>
23 #include <asm/uaccess.h>
25 #include "xfrm_hash.h"
28 EXPORT_SYMBOL(xfrm_nl);
30 u32 sysctl_xfrm_aevent_etime __read_mostly = XFRM_AE_ETIME;
31 EXPORT_SYMBOL(sysctl_xfrm_aevent_etime);
33 u32 sysctl_xfrm_aevent_rseqth __read_mostly = XFRM_AE_SEQT_SIZE;
34 EXPORT_SYMBOL(sysctl_xfrm_aevent_rseqth);
36 u32 sysctl_xfrm_acq_expires __read_mostly = 30;
38 /* Each xfrm_state may be linked to two tables:
40 1. Hash table by (spi,daddr,ah/esp) to find SA by SPI. (input,ctl)
41 2. Hash table by (daddr,family,reqid) to find what SAs exist for given
42 destination/tunnel endpoint. (output)
45 static DEFINE_SPINLOCK(xfrm_state_lock);
47 /* Hash table to find appropriate SA towards given target (endpoint
48 * of tunnel or destination of transport mode) allowed by selector.
50 * Main use is finding SA after policy selected tunnel or transport mode.
51 * Also, it can be used by ah/esp icmp error handler to find offending SA.
53 static LIST_HEAD(xfrm_state_all);
54 static struct hlist_head *xfrm_state_bydst __read_mostly;
55 static struct hlist_head *xfrm_state_bysrc __read_mostly;
56 static struct hlist_head *xfrm_state_byspi __read_mostly;
57 static unsigned int xfrm_state_hmask __read_mostly;
58 static unsigned int xfrm_state_hashmax __read_mostly = 1 * 1024 * 1024;
59 static unsigned int xfrm_state_num;
60 static unsigned int xfrm_state_genid;
62 static struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned int family);
63 static void xfrm_state_put_afinfo(struct xfrm_state_afinfo *afinfo);
65 #ifdef CONFIG_AUDITSYSCALL
66 static void xfrm_audit_state_replay(struct xfrm_state *x,
67 struct sk_buff *skb, __be32 net_seq);
69 #define xfrm_audit_state_replay(x, s, sq) do { ; } while (0)
70 #endif /* CONFIG_AUDITSYSCALL */
72 static inline unsigned int xfrm_dst_hash(xfrm_address_t *daddr,
73 xfrm_address_t *saddr,
75 unsigned short family)
77 return __xfrm_dst_hash(daddr, saddr, reqid, family, xfrm_state_hmask);
80 static inline unsigned int xfrm_src_hash(xfrm_address_t *daddr,
81 xfrm_address_t *saddr,
82 unsigned short family)
84 return __xfrm_src_hash(daddr, saddr, family, xfrm_state_hmask);
87 static inline unsigned int
88 xfrm_spi_hash(xfrm_address_t *daddr, __be32 spi, u8 proto, unsigned short family)
90 return __xfrm_spi_hash(daddr, spi, proto, family, xfrm_state_hmask);
93 static void xfrm_hash_transfer(struct hlist_head *list,
94 struct hlist_head *ndsttable,
95 struct hlist_head *nsrctable,
96 struct hlist_head *nspitable,
97 unsigned int nhashmask)
99 struct hlist_node *entry, *tmp;
100 struct xfrm_state *x;
102 hlist_for_each_entry_safe(x, entry, tmp, list, bydst) {
105 h = __xfrm_dst_hash(&x->id.daddr, &x->props.saddr,
106 x->props.reqid, x->props.family,
108 hlist_add_head(&x->bydst, ndsttable+h);
110 h = __xfrm_src_hash(&x->id.daddr, &x->props.saddr,
113 hlist_add_head(&x->bysrc, nsrctable+h);
116 h = __xfrm_spi_hash(&x->id.daddr, x->id.spi,
117 x->id.proto, x->props.family,
119 hlist_add_head(&x->byspi, nspitable+h);
124 static unsigned long xfrm_hash_new_size(void)
126 return ((xfrm_state_hmask + 1) << 1) *
127 sizeof(struct hlist_head);
130 static DEFINE_MUTEX(hash_resize_mutex);
132 static void xfrm_hash_resize(struct work_struct *__unused)
134 struct hlist_head *ndst, *nsrc, *nspi, *odst, *osrc, *ospi;
135 unsigned long nsize, osize;
136 unsigned int nhashmask, ohashmask;
139 mutex_lock(&hash_resize_mutex);
141 nsize = xfrm_hash_new_size();
142 ndst = xfrm_hash_alloc(nsize);
145 nsrc = xfrm_hash_alloc(nsize);
147 xfrm_hash_free(ndst, nsize);
150 nspi = xfrm_hash_alloc(nsize);
152 xfrm_hash_free(ndst, nsize);
153 xfrm_hash_free(nsrc, nsize);
157 spin_lock_bh(&xfrm_state_lock);
159 nhashmask = (nsize / sizeof(struct hlist_head)) - 1U;
160 for (i = xfrm_state_hmask; i >= 0; i--)
161 xfrm_hash_transfer(xfrm_state_bydst+i, ndst, nsrc, nspi,
164 odst = xfrm_state_bydst;
165 osrc = xfrm_state_bysrc;
166 ospi = xfrm_state_byspi;
167 ohashmask = xfrm_state_hmask;
169 xfrm_state_bydst = ndst;
170 xfrm_state_bysrc = nsrc;
171 xfrm_state_byspi = nspi;
172 xfrm_state_hmask = nhashmask;
174 spin_unlock_bh(&xfrm_state_lock);
176 osize = (ohashmask + 1) * sizeof(struct hlist_head);
177 xfrm_hash_free(odst, osize);
178 xfrm_hash_free(osrc, osize);
179 xfrm_hash_free(ospi, osize);
182 mutex_unlock(&hash_resize_mutex);
185 static DECLARE_WORK(xfrm_hash_work, xfrm_hash_resize);
187 DECLARE_WAIT_QUEUE_HEAD(km_waitq);
188 EXPORT_SYMBOL(km_waitq);
190 static DEFINE_RWLOCK(xfrm_state_afinfo_lock);
191 static struct xfrm_state_afinfo *xfrm_state_afinfo[NPROTO];
193 static struct work_struct xfrm_state_gc_work;
194 static HLIST_HEAD(xfrm_state_gc_list);
195 static DEFINE_SPINLOCK(xfrm_state_gc_lock);
197 int __xfrm_state_delete(struct xfrm_state *x);
199 int km_query(struct xfrm_state *x, struct xfrm_tmpl *t, struct xfrm_policy *pol);
200 void km_state_expired(struct xfrm_state *x, int hard, u32 pid);
202 static struct xfrm_state_afinfo *xfrm_state_lock_afinfo(unsigned int family)
204 struct xfrm_state_afinfo *afinfo;
205 if (unlikely(family >= NPROTO))
207 write_lock_bh(&xfrm_state_afinfo_lock);
208 afinfo = xfrm_state_afinfo[family];
209 if (unlikely(!afinfo))
210 write_unlock_bh(&xfrm_state_afinfo_lock);
214 static void xfrm_state_unlock_afinfo(struct xfrm_state_afinfo *afinfo)
215 __releases(xfrm_state_afinfo_lock)
217 write_unlock_bh(&xfrm_state_afinfo_lock);
220 int xfrm_register_type(const struct xfrm_type *type, unsigned short family)
222 struct xfrm_state_afinfo *afinfo = xfrm_state_lock_afinfo(family);
223 const struct xfrm_type **typemap;
226 if (unlikely(afinfo == NULL))
227 return -EAFNOSUPPORT;
228 typemap = afinfo->type_map;
230 if (likely(typemap[type->proto] == NULL))
231 typemap[type->proto] = type;
234 xfrm_state_unlock_afinfo(afinfo);
237 EXPORT_SYMBOL(xfrm_register_type);
239 int xfrm_unregister_type(const struct xfrm_type *type, unsigned short family)
241 struct xfrm_state_afinfo *afinfo = xfrm_state_lock_afinfo(family);
242 const struct xfrm_type **typemap;
245 if (unlikely(afinfo == NULL))
246 return -EAFNOSUPPORT;
247 typemap = afinfo->type_map;
249 if (unlikely(typemap[type->proto] != type))
252 typemap[type->proto] = NULL;
253 xfrm_state_unlock_afinfo(afinfo);
256 EXPORT_SYMBOL(xfrm_unregister_type);
258 static const struct xfrm_type *xfrm_get_type(u8 proto, unsigned short family)
260 struct xfrm_state_afinfo *afinfo;
261 const struct xfrm_type **typemap;
262 const struct xfrm_type *type;
263 int modload_attempted = 0;
266 afinfo = xfrm_state_get_afinfo(family);
267 if (unlikely(afinfo == NULL))
269 typemap = afinfo->type_map;
271 type = typemap[proto];
272 if (unlikely(type && !try_module_get(type->owner)))
274 if (!type && !modload_attempted) {
275 xfrm_state_put_afinfo(afinfo);
276 request_module("xfrm-type-%d-%d", family, proto);
277 modload_attempted = 1;
281 xfrm_state_put_afinfo(afinfo);
285 static void xfrm_put_type(const struct xfrm_type *type)
287 module_put(type->owner);
290 int xfrm_register_mode(struct xfrm_mode *mode, int family)
292 struct xfrm_state_afinfo *afinfo;
293 struct xfrm_mode **modemap;
296 if (unlikely(mode->encap >= XFRM_MODE_MAX))
299 afinfo = xfrm_state_lock_afinfo(family);
300 if (unlikely(afinfo == NULL))
301 return -EAFNOSUPPORT;
304 modemap = afinfo->mode_map;
305 if (modemap[mode->encap])
309 if (!try_module_get(afinfo->owner))
312 mode->afinfo = afinfo;
313 modemap[mode->encap] = mode;
317 xfrm_state_unlock_afinfo(afinfo);
320 EXPORT_SYMBOL(xfrm_register_mode);
322 int xfrm_unregister_mode(struct xfrm_mode *mode, int family)
324 struct xfrm_state_afinfo *afinfo;
325 struct xfrm_mode **modemap;
328 if (unlikely(mode->encap >= XFRM_MODE_MAX))
331 afinfo = xfrm_state_lock_afinfo(family);
332 if (unlikely(afinfo == NULL))
333 return -EAFNOSUPPORT;
336 modemap = afinfo->mode_map;
337 if (likely(modemap[mode->encap] == mode)) {
338 modemap[mode->encap] = NULL;
339 module_put(mode->afinfo->owner);
343 xfrm_state_unlock_afinfo(afinfo);
346 EXPORT_SYMBOL(xfrm_unregister_mode);
348 static struct xfrm_mode *xfrm_get_mode(unsigned int encap, int family)
350 struct xfrm_state_afinfo *afinfo;
351 struct xfrm_mode *mode;
352 int modload_attempted = 0;
354 if (unlikely(encap >= XFRM_MODE_MAX))
358 afinfo = xfrm_state_get_afinfo(family);
359 if (unlikely(afinfo == NULL))
362 mode = afinfo->mode_map[encap];
363 if (unlikely(mode && !try_module_get(mode->owner)))
365 if (!mode && !modload_attempted) {
366 xfrm_state_put_afinfo(afinfo);
367 request_module("xfrm-mode-%d-%d", family, encap);
368 modload_attempted = 1;
372 xfrm_state_put_afinfo(afinfo);
376 static void xfrm_put_mode(struct xfrm_mode *mode)
378 module_put(mode->owner);
381 static void xfrm_state_gc_destroy(struct xfrm_state *x)
383 del_timer_sync(&x->timer);
384 del_timer_sync(&x->rtimer);
391 xfrm_put_mode(x->inner_mode);
392 if (x->inner_mode_iaf)
393 xfrm_put_mode(x->inner_mode_iaf);
395 xfrm_put_mode(x->outer_mode);
397 x->type->destructor(x);
398 xfrm_put_type(x->type);
400 security_xfrm_state_free(x);
404 static void xfrm_state_gc_task(struct work_struct *data)
406 struct xfrm_state *x;
407 struct hlist_node *entry, *tmp;
408 struct hlist_head gc_list;
410 spin_lock_bh(&xfrm_state_gc_lock);
411 hlist_move_list(&xfrm_state_gc_list, &gc_list);
412 spin_unlock_bh(&xfrm_state_gc_lock);
414 hlist_for_each_entry_safe(x, entry, tmp, &gc_list, gclist)
415 xfrm_state_gc_destroy(x);
420 static inline unsigned long make_jiffies(long secs)
422 if (secs >= (MAX_SCHEDULE_TIMEOUT-1)/HZ)
423 return MAX_SCHEDULE_TIMEOUT-1;
428 static void xfrm_timer_handler(unsigned long data)
430 struct xfrm_state *x = (struct xfrm_state*)data;
431 unsigned long now = get_seconds();
432 long next = LONG_MAX;
437 if (x->km.state == XFRM_STATE_DEAD)
439 if (x->km.state == XFRM_STATE_EXPIRED)
441 if (x->lft.hard_add_expires_seconds) {
442 long tmo = x->lft.hard_add_expires_seconds +
443 x->curlft.add_time - now;
449 if (x->lft.hard_use_expires_seconds) {
450 long tmo = x->lft.hard_use_expires_seconds +
451 (x->curlft.use_time ? : now) - now;
459 if (x->lft.soft_add_expires_seconds) {
460 long tmo = x->lft.soft_add_expires_seconds +
461 x->curlft.add_time - now;
467 if (x->lft.soft_use_expires_seconds) {
468 long tmo = x->lft.soft_use_expires_seconds +
469 (x->curlft.use_time ? : now) - now;
478 km_state_expired(x, 0, 0);
480 if (next != LONG_MAX)
481 mod_timer(&x->timer, jiffies + make_jiffies(next));
486 if (x->km.state == XFRM_STATE_ACQ && x->id.spi == 0) {
487 x->km.state = XFRM_STATE_EXPIRED;
493 err = __xfrm_state_delete(x);
494 if (!err && x->id.spi)
495 km_state_expired(x, 1, 0);
497 xfrm_audit_state_delete(x, err ? 0 : 1,
498 audit_get_loginuid(current),
499 audit_get_sessionid(current), 0);
502 spin_unlock(&x->lock);
505 static void xfrm_replay_timer_handler(unsigned long data);
507 struct xfrm_state *xfrm_state_alloc(struct net *net)
509 struct xfrm_state *x;
511 x = kzalloc(sizeof(struct xfrm_state), GFP_ATOMIC);
514 write_pnet(&x->xs_net, net);
515 atomic_set(&x->refcnt, 1);
516 atomic_set(&x->tunnel_users, 0);
517 INIT_LIST_HEAD(&x->km.all);
518 INIT_HLIST_NODE(&x->bydst);
519 INIT_HLIST_NODE(&x->bysrc);
520 INIT_HLIST_NODE(&x->byspi);
521 setup_timer(&x->timer, xfrm_timer_handler, (unsigned long)x);
522 setup_timer(&x->rtimer, xfrm_replay_timer_handler,
524 x->curlft.add_time = get_seconds();
525 x->lft.soft_byte_limit = XFRM_INF;
526 x->lft.soft_packet_limit = XFRM_INF;
527 x->lft.hard_byte_limit = XFRM_INF;
528 x->lft.hard_packet_limit = XFRM_INF;
529 x->replay_maxage = 0;
530 x->replay_maxdiff = 0;
531 x->inner_mode = NULL;
532 x->inner_mode_iaf = NULL;
533 spin_lock_init(&x->lock);
537 EXPORT_SYMBOL(xfrm_state_alloc);
539 void __xfrm_state_destroy(struct xfrm_state *x)
541 WARN_ON(x->km.state != XFRM_STATE_DEAD);
543 spin_lock_bh(&xfrm_state_gc_lock);
544 hlist_add_head(&x->gclist, &xfrm_state_gc_list);
545 spin_unlock_bh(&xfrm_state_gc_lock);
546 schedule_work(&xfrm_state_gc_work);
548 EXPORT_SYMBOL(__xfrm_state_destroy);
550 int __xfrm_state_delete(struct xfrm_state *x)
554 if (x->km.state != XFRM_STATE_DEAD) {
555 x->km.state = XFRM_STATE_DEAD;
556 spin_lock(&xfrm_state_lock);
557 list_del(&x->km.all);
558 hlist_del(&x->bydst);
559 hlist_del(&x->bysrc);
561 hlist_del(&x->byspi);
563 spin_unlock(&xfrm_state_lock);
565 /* All xfrm_state objects are created by xfrm_state_alloc.
566 * The xfrm_state_alloc call gives a reference, and that
567 * is what we are dropping here.
575 EXPORT_SYMBOL(__xfrm_state_delete);
577 int xfrm_state_delete(struct xfrm_state *x)
581 spin_lock_bh(&x->lock);
582 err = __xfrm_state_delete(x);
583 spin_unlock_bh(&x->lock);
587 EXPORT_SYMBOL(xfrm_state_delete);
589 #ifdef CONFIG_SECURITY_NETWORK_XFRM
591 xfrm_state_flush_secctx_check(u8 proto, struct xfrm_audit *audit_info)
595 for (i = 0; i <= xfrm_state_hmask; i++) {
596 struct hlist_node *entry;
597 struct xfrm_state *x;
599 hlist_for_each_entry(x, entry, xfrm_state_bydst+i, bydst) {
600 if (xfrm_id_proto_match(x->id.proto, proto) &&
601 (err = security_xfrm_state_delete(x)) != 0) {
602 xfrm_audit_state_delete(x, 0,
603 audit_info->loginuid,
604 audit_info->sessionid,
615 xfrm_state_flush_secctx_check(u8 proto, struct xfrm_audit *audit_info)
621 int xfrm_state_flush(u8 proto, struct xfrm_audit *audit_info)
625 spin_lock_bh(&xfrm_state_lock);
626 err = xfrm_state_flush_secctx_check(proto, audit_info);
630 for (i = 0; i <= xfrm_state_hmask; i++) {
631 struct hlist_node *entry;
632 struct xfrm_state *x;
634 hlist_for_each_entry(x, entry, xfrm_state_bydst+i, bydst) {
635 if (!xfrm_state_kern(x) &&
636 xfrm_id_proto_match(x->id.proto, proto)) {
638 spin_unlock_bh(&xfrm_state_lock);
640 err = xfrm_state_delete(x);
641 xfrm_audit_state_delete(x, err ? 0 : 1,
642 audit_info->loginuid,
643 audit_info->sessionid,
647 spin_lock_bh(&xfrm_state_lock);
655 spin_unlock_bh(&xfrm_state_lock);
659 EXPORT_SYMBOL(xfrm_state_flush);
661 void xfrm_sad_getinfo(struct xfrmk_sadinfo *si)
663 spin_lock_bh(&xfrm_state_lock);
664 si->sadcnt = xfrm_state_num;
665 si->sadhcnt = xfrm_state_hmask;
666 si->sadhmcnt = xfrm_state_hashmax;
667 spin_unlock_bh(&xfrm_state_lock);
669 EXPORT_SYMBOL(xfrm_sad_getinfo);
672 xfrm_init_tempsel(struct xfrm_state *x, struct flowi *fl,
673 struct xfrm_tmpl *tmpl,
674 xfrm_address_t *daddr, xfrm_address_t *saddr,
675 unsigned short family)
677 struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family);
680 afinfo->init_tempsel(x, fl, tmpl, daddr, saddr);
681 xfrm_state_put_afinfo(afinfo);
685 static struct xfrm_state *__xfrm_state_lookup(xfrm_address_t *daddr, __be32 spi, u8 proto, unsigned short family)
687 unsigned int h = xfrm_spi_hash(daddr, spi, proto, family);
688 struct xfrm_state *x;
689 struct hlist_node *entry;
691 hlist_for_each_entry(x, entry, xfrm_state_byspi+h, byspi) {
692 if (x->props.family != family ||
694 x->id.proto != proto)
699 if (x->id.daddr.a4 != daddr->a4)
703 if (!ipv6_addr_equal((struct in6_addr *)daddr,
717 static struct xfrm_state *__xfrm_state_lookup_byaddr(xfrm_address_t *daddr, xfrm_address_t *saddr, u8 proto, unsigned short family)
719 unsigned int h = xfrm_src_hash(daddr, saddr, family);
720 struct xfrm_state *x;
721 struct hlist_node *entry;
723 hlist_for_each_entry(x, entry, xfrm_state_bysrc+h, bysrc) {
724 if (x->props.family != family ||
725 x->id.proto != proto)
730 if (x->id.daddr.a4 != daddr->a4 ||
731 x->props.saddr.a4 != saddr->a4)
735 if (!ipv6_addr_equal((struct in6_addr *)daddr,
738 !ipv6_addr_equal((struct in6_addr *)saddr,
752 static inline struct xfrm_state *
753 __xfrm_state_locate(struct xfrm_state *x, int use_spi, int family)
756 return __xfrm_state_lookup(&x->id.daddr, x->id.spi,
757 x->id.proto, family);
759 return __xfrm_state_lookup_byaddr(&x->id.daddr,
761 x->id.proto, family);
764 static void xfrm_hash_grow_check(int have_hash_collision)
766 if (have_hash_collision &&
767 (xfrm_state_hmask + 1) < xfrm_state_hashmax &&
768 xfrm_state_num > xfrm_state_hmask)
769 schedule_work(&xfrm_hash_work);
773 xfrm_state_find(xfrm_address_t *daddr, xfrm_address_t *saddr,
774 struct flowi *fl, struct xfrm_tmpl *tmpl,
775 struct xfrm_policy *pol, int *err,
776 unsigned short family)
779 struct hlist_node *entry;
780 struct xfrm_state *x, *x0, *to_put;
781 int acquire_in_progress = 0;
783 struct xfrm_state *best = NULL;
787 spin_lock_bh(&xfrm_state_lock);
788 h = xfrm_dst_hash(daddr, saddr, tmpl->reqid, family);
789 hlist_for_each_entry(x, entry, xfrm_state_bydst+h, bydst) {
790 if (x->props.family == family &&
791 x->props.reqid == tmpl->reqid &&
792 !(x->props.flags & XFRM_STATE_WILDRECV) &&
793 xfrm_state_addr_check(x, daddr, saddr, family) &&
794 tmpl->mode == x->props.mode &&
795 tmpl->id.proto == x->id.proto &&
796 (tmpl->id.spi == x->id.spi || !tmpl->id.spi)) {
798 1. There is a valid state with matching selector.
800 2. Valid state with inappropriate selector. Skip.
802 Entering area of "sysdeps".
804 3. If state is not valid, selector is temporary,
805 it selects only session which triggered
806 previous resolution. Key manager will do
807 something to install a state with proper
810 if (x->km.state == XFRM_STATE_VALID) {
811 if ((x->sel.family && !xfrm_selector_match(&x->sel, fl, x->sel.family)) ||
812 !security_xfrm_state_pol_flow_match(x, pol, fl))
815 best->km.dying > x->km.dying ||
816 (best->km.dying == x->km.dying &&
817 best->curlft.add_time < x->curlft.add_time))
819 } else if (x->km.state == XFRM_STATE_ACQ) {
820 acquire_in_progress = 1;
821 } else if (x->km.state == XFRM_STATE_ERROR ||
822 x->km.state == XFRM_STATE_EXPIRED) {
823 if (xfrm_selector_match(&x->sel, fl, x->sel.family) &&
824 security_xfrm_state_pol_flow_match(x, pol, fl))
831 if (!x && !error && !acquire_in_progress) {
833 (x0 = __xfrm_state_lookup(daddr, tmpl->id.spi,
834 tmpl->id.proto, family)) != NULL) {
839 x = xfrm_state_alloc(&init_net);
844 /* Initialize temporary selector matching only
845 * to current session. */
846 xfrm_init_tempsel(x, fl, tmpl, daddr, saddr, family);
848 error = security_xfrm_state_alloc_acquire(x, pol->security, fl->secid);
850 x->km.state = XFRM_STATE_DEAD;
856 if (km_query(x, tmpl, pol) == 0) {
857 x->km.state = XFRM_STATE_ACQ;
858 list_add(&x->km.all, &xfrm_state_all);
859 hlist_add_head(&x->bydst, xfrm_state_bydst+h);
860 h = xfrm_src_hash(daddr, saddr, family);
861 hlist_add_head(&x->bysrc, xfrm_state_bysrc+h);
863 h = xfrm_spi_hash(&x->id.daddr, x->id.spi, x->id.proto, family);
864 hlist_add_head(&x->byspi, xfrm_state_byspi+h);
866 x->lft.hard_add_expires_seconds = sysctl_xfrm_acq_expires;
867 x->timer.expires = jiffies + sysctl_xfrm_acq_expires*HZ;
868 add_timer(&x->timer);
870 xfrm_hash_grow_check(x->bydst.next != NULL);
872 x->km.state = XFRM_STATE_DEAD;
882 *err = acquire_in_progress ? -EAGAIN : error;
883 spin_unlock_bh(&xfrm_state_lock);
885 xfrm_state_put(to_put);
890 xfrm_stateonly_find(xfrm_address_t *daddr, xfrm_address_t *saddr,
891 unsigned short family, u8 mode, u8 proto, u32 reqid)
894 struct xfrm_state *rx = NULL, *x = NULL;
895 struct hlist_node *entry;
897 spin_lock(&xfrm_state_lock);
898 h = xfrm_dst_hash(daddr, saddr, reqid, family);
899 hlist_for_each_entry(x, entry, xfrm_state_bydst+h, bydst) {
900 if (x->props.family == family &&
901 x->props.reqid == reqid &&
902 !(x->props.flags & XFRM_STATE_WILDRECV) &&
903 xfrm_state_addr_check(x, daddr, saddr, family) &&
904 mode == x->props.mode &&
905 proto == x->id.proto &&
906 x->km.state == XFRM_STATE_VALID) {
914 spin_unlock(&xfrm_state_lock);
919 EXPORT_SYMBOL(xfrm_stateonly_find);
921 static void __xfrm_state_insert(struct xfrm_state *x)
925 x->genid = ++xfrm_state_genid;
927 list_add(&x->km.all, &xfrm_state_all);
929 h = xfrm_dst_hash(&x->id.daddr, &x->props.saddr,
930 x->props.reqid, x->props.family);
931 hlist_add_head(&x->bydst, xfrm_state_bydst+h);
933 h = xfrm_src_hash(&x->id.daddr, &x->props.saddr, x->props.family);
934 hlist_add_head(&x->bysrc, xfrm_state_bysrc+h);
937 h = xfrm_spi_hash(&x->id.daddr, x->id.spi, x->id.proto,
940 hlist_add_head(&x->byspi, xfrm_state_byspi+h);
943 mod_timer(&x->timer, jiffies + HZ);
944 if (x->replay_maxage)
945 mod_timer(&x->rtimer, jiffies + x->replay_maxage);
951 xfrm_hash_grow_check(x->bydst.next != NULL);
954 /* xfrm_state_lock is held */
955 static void __xfrm_state_bump_genids(struct xfrm_state *xnew)
957 unsigned short family = xnew->props.family;
958 u32 reqid = xnew->props.reqid;
959 struct xfrm_state *x;
960 struct hlist_node *entry;
963 h = xfrm_dst_hash(&xnew->id.daddr, &xnew->props.saddr, reqid, family);
964 hlist_for_each_entry(x, entry, xfrm_state_bydst+h, bydst) {
965 if (x->props.family == family &&
966 x->props.reqid == reqid &&
967 !xfrm_addr_cmp(&x->id.daddr, &xnew->id.daddr, family) &&
968 !xfrm_addr_cmp(&x->props.saddr, &xnew->props.saddr, family))
969 x->genid = xfrm_state_genid;
973 void xfrm_state_insert(struct xfrm_state *x)
975 spin_lock_bh(&xfrm_state_lock);
976 __xfrm_state_bump_genids(x);
977 __xfrm_state_insert(x);
978 spin_unlock_bh(&xfrm_state_lock);
980 EXPORT_SYMBOL(xfrm_state_insert);
982 /* xfrm_state_lock is held */
983 static struct xfrm_state *__find_acq_core(unsigned short family, u8 mode, u32 reqid, u8 proto, xfrm_address_t *daddr, xfrm_address_t *saddr, int create)
985 unsigned int h = xfrm_dst_hash(daddr, saddr, reqid, family);
986 struct hlist_node *entry;
987 struct xfrm_state *x;
989 hlist_for_each_entry(x, entry, xfrm_state_bydst+h, bydst) {
990 if (x->props.reqid != reqid ||
991 x->props.mode != mode ||
992 x->props.family != family ||
993 x->km.state != XFRM_STATE_ACQ ||
995 x->id.proto != proto)
1000 if (x->id.daddr.a4 != daddr->a4 ||
1001 x->props.saddr.a4 != saddr->a4)
1005 if (!ipv6_addr_equal((struct in6_addr *)x->id.daddr.a6,
1006 (struct in6_addr *)daddr) ||
1007 !ipv6_addr_equal((struct in6_addr *)
1009 (struct in6_addr *)saddr))
1021 x = xfrm_state_alloc(&init_net);
1025 x->sel.daddr.a4 = daddr->a4;
1026 x->sel.saddr.a4 = saddr->a4;
1027 x->sel.prefixlen_d = 32;
1028 x->sel.prefixlen_s = 32;
1029 x->props.saddr.a4 = saddr->a4;
1030 x->id.daddr.a4 = daddr->a4;
1034 ipv6_addr_copy((struct in6_addr *)x->sel.daddr.a6,
1035 (struct in6_addr *)daddr);
1036 ipv6_addr_copy((struct in6_addr *)x->sel.saddr.a6,
1037 (struct in6_addr *)saddr);
1038 x->sel.prefixlen_d = 128;
1039 x->sel.prefixlen_s = 128;
1040 ipv6_addr_copy((struct in6_addr *)x->props.saddr.a6,
1041 (struct in6_addr *)saddr);
1042 ipv6_addr_copy((struct in6_addr *)x->id.daddr.a6,
1043 (struct in6_addr *)daddr);
1047 x->km.state = XFRM_STATE_ACQ;
1048 x->id.proto = proto;
1049 x->props.family = family;
1050 x->props.mode = mode;
1051 x->props.reqid = reqid;
1052 x->lft.hard_add_expires_seconds = sysctl_xfrm_acq_expires;
1054 x->timer.expires = jiffies + sysctl_xfrm_acq_expires*HZ;
1055 add_timer(&x->timer);
1056 list_add(&x->km.all, &xfrm_state_all);
1057 hlist_add_head(&x->bydst, xfrm_state_bydst+h);
1058 h = xfrm_src_hash(daddr, saddr, family);
1059 hlist_add_head(&x->bysrc, xfrm_state_bysrc+h);
1063 xfrm_hash_grow_check(x->bydst.next != NULL);
1069 static struct xfrm_state *__xfrm_find_acq_byseq(u32 seq);
1071 int xfrm_state_add(struct xfrm_state *x)
1073 struct xfrm_state *x1, *to_put;
1076 int use_spi = xfrm_id_proto_match(x->id.proto, IPSEC_PROTO_ANY);
1078 family = x->props.family;
1082 spin_lock_bh(&xfrm_state_lock);
1084 x1 = __xfrm_state_locate(x, use_spi, family);
1092 if (use_spi && x->km.seq) {
1093 x1 = __xfrm_find_acq_byseq(x->km.seq);
1094 if (x1 && ((x1->id.proto != x->id.proto) ||
1095 xfrm_addr_cmp(&x1->id.daddr, &x->id.daddr, family))) {
1102 x1 = __find_acq_core(family, x->props.mode, x->props.reqid,
1104 &x->id.daddr, &x->props.saddr, 0);
1106 __xfrm_state_bump_genids(x);
1107 __xfrm_state_insert(x);
1111 spin_unlock_bh(&xfrm_state_lock);
1114 xfrm_state_delete(x1);
1119 xfrm_state_put(to_put);
1123 EXPORT_SYMBOL(xfrm_state_add);
1125 #ifdef CONFIG_XFRM_MIGRATE
1126 static struct xfrm_state *xfrm_state_clone(struct xfrm_state *orig, int *errp)
1129 struct xfrm_state *x = xfrm_state_alloc(&init_net);
1133 memcpy(&x->id, &orig->id, sizeof(x->id));
1134 memcpy(&x->sel, &orig->sel, sizeof(x->sel));
1135 memcpy(&x->lft, &orig->lft, sizeof(x->lft));
1136 x->props.mode = orig->props.mode;
1137 x->props.replay_window = orig->props.replay_window;
1138 x->props.reqid = orig->props.reqid;
1139 x->props.family = orig->props.family;
1140 x->props.saddr = orig->props.saddr;
1143 x->aalg = xfrm_algo_clone(orig->aalg);
1147 x->props.aalgo = orig->props.aalgo;
1150 x->ealg = xfrm_algo_clone(orig->ealg);
1154 x->props.ealgo = orig->props.ealgo;
1157 x->calg = xfrm_algo_clone(orig->calg);
1161 x->props.calgo = orig->props.calgo;
1164 x->encap = kmemdup(orig->encap, sizeof(*x->encap), GFP_KERNEL);
1170 x->coaddr = kmemdup(orig->coaddr, sizeof(*x->coaddr),
1176 err = xfrm_init_state(x);
1180 x->props.flags = orig->props.flags;
1182 x->curlft.add_time = orig->curlft.add_time;
1183 x->km.state = orig->km.state;
1184 x->km.seq = orig->km.seq;
1202 /* xfrm_state_lock is held */
1203 struct xfrm_state * xfrm_migrate_state_find(struct xfrm_migrate *m)
1206 struct xfrm_state *x;
1207 struct hlist_node *entry;
1210 h = xfrm_dst_hash(&m->old_daddr, &m->old_saddr,
1211 m->reqid, m->old_family);
1212 hlist_for_each_entry(x, entry, xfrm_state_bydst+h, bydst) {
1213 if (x->props.mode != m->mode ||
1214 x->id.proto != m->proto)
1216 if (m->reqid && x->props.reqid != m->reqid)
1218 if (xfrm_addr_cmp(&x->id.daddr, &m->old_daddr,
1220 xfrm_addr_cmp(&x->props.saddr, &m->old_saddr,
1227 h = xfrm_src_hash(&m->old_daddr, &m->old_saddr,
1229 hlist_for_each_entry(x, entry, xfrm_state_bysrc+h, bysrc) {
1230 if (x->props.mode != m->mode ||
1231 x->id.proto != m->proto)
1233 if (xfrm_addr_cmp(&x->id.daddr, &m->old_daddr,
1235 xfrm_addr_cmp(&x->props.saddr, &m->old_saddr,
1245 EXPORT_SYMBOL(xfrm_migrate_state_find);
1247 struct xfrm_state * xfrm_state_migrate(struct xfrm_state *x,
1248 struct xfrm_migrate *m)
1250 struct xfrm_state *xc;
1253 xc = xfrm_state_clone(x, &err);
1257 memcpy(&xc->id.daddr, &m->new_daddr, sizeof(xc->id.daddr));
1258 memcpy(&xc->props.saddr, &m->new_saddr, sizeof(xc->props.saddr));
1261 if (!xfrm_addr_cmp(&x->id.daddr, &m->new_daddr, m->new_family)) {
1262 /* a care is needed when the destination address of the
1263 state is to be updated as it is a part of triplet */
1264 xfrm_state_insert(xc);
1266 if ((err = xfrm_state_add(xc)) < 0)
1275 EXPORT_SYMBOL(xfrm_state_migrate);
1278 int xfrm_state_update(struct xfrm_state *x)
1280 struct xfrm_state *x1, *to_put;
1282 int use_spi = xfrm_id_proto_match(x->id.proto, IPSEC_PROTO_ANY);
1286 spin_lock_bh(&xfrm_state_lock);
1287 x1 = __xfrm_state_locate(x, use_spi, x->props.family);
1293 if (xfrm_state_kern(x1)) {
1299 if (x1->km.state == XFRM_STATE_ACQ) {
1300 __xfrm_state_insert(x);
1306 spin_unlock_bh(&xfrm_state_lock);
1309 xfrm_state_put(to_put);
1315 xfrm_state_delete(x1);
1321 spin_lock_bh(&x1->lock);
1322 if (likely(x1->km.state == XFRM_STATE_VALID)) {
1323 if (x->encap && x1->encap)
1324 memcpy(x1->encap, x->encap, sizeof(*x1->encap));
1325 if (x->coaddr && x1->coaddr) {
1326 memcpy(x1->coaddr, x->coaddr, sizeof(*x1->coaddr));
1328 if (!use_spi && memcmp(&x1->sel, &x->sel, sizeof(x1->sel)))
1329 memcpy(&x1->sel, &x->sel, sizeof(x1->sel));
1330 memcpy(&x1->lft, &x->lft, sizeof(x1->lft));
1333 mod_timer(&x1->timer, jiffies + HZ);
1334 if (x1->curlft.use_time)
1335 xfrm_state_check_expire(x1);
1339 spin_unlock_bh(&x1->lock);
1345 EXPORT_SYMBOL(xfrm_state_update);
1347 int xfrm_state_check_expire(struct xfrm_state *x)
1349 if (!x->curlft.use_time)
1350 x->curlft.use_time = get_seconds();
1352 if (x->km.state != XFRM_STATE_VALID)
1355 if (x->curlft.bytes >= x->lft.hard_byte_limit ||
1356 x->curlft.packets >= x->lft.hard_packet_limit) {
1357 x->km.state = XFRM_STATE_EXPIRED;
1358 mod_timer(&x->timer, jiffies);
1363 (x->curlft.bytes >= x->lft.soft_byte_limit ||
1364 x->curlft.packets >= x->lft.soft_packet_limit)) {
1366 km_state_expired(x, 0, 0);
1370 EXPORT_SYMBOL(xfrm_state_check_expire);
1373 xfrm_state_lookup(xfrm_address_t *daddr, __be32 spi, u8 proto,
1374 unsigned short family)
1376 struct xfrm_state *x;
1378 spin_lock_bh(&xfrm_state_lock);
1379 x = __xfrm_state_lookup(daddr, spi, proto, family);
1380 spin_unlock_bh(&xfrm_state_lock);
1383 EXPORT_SYMBOL(xfrm_state_lookup);
1386 xfrm_state_lookup_byaddr(xfrm_address_t *daddr, xfrm_address_t *saddr,
1387 u8 proto, unsigned short family)
1389 struct xfrm_state *x;
1391 spin_lock_bh(&xfrm_state_lock);
1392 x = __xfrm_state_lookup_byaddr(daddr, saddr, proto, family);
1393 spin_unlock_bh(&xfrm_state_lock);
1396 EXPORT_SYMBOL(xfrm_state_lookup_byaddr);
1399 xfrm_find_acq(u8 mode, u32 reqid, u8 proto,
1400 xfrm_address_t *daddr, xfrm_address_t *saddr,
1401 int create, unsigned short family)
1403 struct xfrm_state *x;
1405 spin_lock_bh(&xfrm_state_lock);
1406 x = __find_acq_core(family, mode, reqid, proto, daddr, saddr, create);
1407 spin_unlock_bh(&xfrm_state_lock);
1411 EXPORT_SYMBOL(xfrm_find_acq);
1413 #ifdef CONFIG_XFRM_SUB_POLICY
1415 xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, int n,
1416 unsigned short family)
1419 struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family);
1421 return -EAFNOSUPPORT;
1423 spin_lock_bh(&xfrm_state_lock);
1424 if (afinfo->tmpl_sort)
1425 err = afinfo->tmpl_sort(dst, src, n);
1426 spin_unlock_bh(&xfrm_state_lock);
1427 xfrm_state_put_afinfo(afinfo);
1430 EXPORT_SYMBOL(xfrm_tmpl_sort);
1433 xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src, int n,
1434 unsigned short family)
1437 struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family);
1439 return -EAFNOSUPPORT;
1441 spin_lock_bh(&xfrm_state_lock);
1442 if (afinfo->state_sort)
1443 err = afinfo->state_sort(dst, src, n);
1444 spin_unlock_bh(&xfrm_state_lock);
1445 xfrm_state_put_afinfo(afinfo);
1448 EXPORT_SYMBOL(xfrm_state_sort);
1451 /* Silly enough, but I'm lazy to build resolution list */
1453 static struct xfrm_state *__xfrm_find_acq_byseq(u32 seq)
1457 for (i = 0; i <= xfrm_state_hmask; i++) {
1458 struct hlist_node *entry;
1459 struct xfrm_state *x;
1461 hlist_for_each_entry(x, entry, xfrm_state_bydst+i, bydst) {
1462 if (x->km.seq == seq &&
1463 x->km.state == XFRM_STATE_ACQ) {
1472 struct xfrm_state *xfrm_find_acq_byseq(u32 seq)
1474 struct xfrm_state *x;
1476 spin_lock_bh(&xfrm_state_lock);
1477 x = __xfrm_find_acq_byseq(seq);
1478 spin_unlock_bh(&xfrm_state_lock);
1481 EXPORT_SYMBOL(xfrm_find_acq_byseq);
1483 u32 xfrm_get_acqseq(void)
1487 static DEFINE_SPINLOCK(acqseq_lock);
1489 spin_lock_bh(&acqseq_lock);
1490 res = (++acqseq ? : ++acqseq);
1491 spin_unlock_bh(&acqseq_lock);
1494 EXPORT_SYMBOL(xfrm_get_acqseq);
1496 int xfrm_alloc_spi(struct xfrm_state *x, u32 low, u32 high)
1499 struct xfrm_state *x0;
1501 __be32 minspi = htonl(low);
1502 __be32 maxspi = htonl(high);
1504 spin_lock_bh(&x->lock);
1505 if (x->km.state == XFRM_STATE_DEAD)
1514 if (minspi == maxspi) {
1515 x0 = xfrm_state_lookup(&x->id.daddr, minspi, x->id.proto, x->props.family);
1523 for (h=0; h<high-low+1; h++) {
1524 spi = low + net_random()%(high-low+1);
1525 x0 = xfrm_state_lookup(&x->id.daddr, htonl(spi), x->id.proto, x->props.family);
1527 x->id.spi = htonl(spi);
1534 spin_lock_bh(&xfrm_state_lock);
1535 h = xfrm_spi_hash(&x->id.daddr, x->id.spi, x->id.proto, x->props.family);
1536 hlist_add_head(&x->byspi, xfrm_state_byspi+h);
1537 spin_unlock_bh(&xfrm_state_lock);
1543 spin_unlock_bh(&x->lock);
1547 EXPORT_SYMBOL(xfrm_alloc_spi);
1549 int xfrm_state_walk(struct xfrm_state_walk *walk,
1550 int (*func)(struct xfrm_state *, int, void*),
1553 struct xfrm_state *state;
1554 struct xfrm_state_walk *x;
1557 if (walk->seq != 0 && list_empty(&walk->all))
1560 spin_lock_bh(&xfrm_state_lock);
1561 if (list_empty(&walk->all))
1562 x = list_first_entry(&xfrm_state_all, struct xfrm_state_walk, all);
1564 x = list_entry(&walk->all, struct xfrm_state_walk, all);
1565 list_for_each_entry_from(x, &xfrm_state_all, all) {
1566 if (x->state == XFRM_STATE_DEAD)
1568 state = container_of(x, struct xfrm_state, km);
1569 if (!xfrm_id_proto_match(state->id.proto, walk->proto))
1571 err = func(state, walk->seq, data);
1573 list_move_tail(&walk->all, &x->all);
1578 if (walk->seq == 0) {
1582 list_del_init(&walk->all);
1584 spin_unlock_bh(&xfrm_state_lock);
1587 EXPORT_SYMBOL(xfrm_state_walk);
1589 void xfrm_state_walk_init(struct xfrm_state_walk *walk, u8 proto)
1591 INIT_LIST_HEAD(&walk->all);
1592 walk->proto = proto;
1593 walk->state = XFRM_STATE_DEAD;
1596 EXPORT_SYMBOL(xfrm_state_walk_init);
1598 void xfrm_state_walk_done(struct xfrm_state_walk *walk)
1600 if (list_empty(&walk->all))
1603 spin_lock_bh(&xfrm_state_lock);
1604 list_del(&walk->all);
1605 spin_lock_bh(&xfrm_state_lock);
1607 EXPORT_SYMBOL(xfrm_state_walk_done);
1610 void xfrm_replay_notify(struct xfrm_state *x, int event)
1613 /* we send notify messages in case
1614 * 1. we updated on of the sequence numbers, and the seqno difference
1615 * is at least x->replay_maxdiff, in this case we also update the
1616 * timeout of our timer function
1617 * 2. if x->replay_maxage has elapsed since last update,
1618 * and there were changes
1620 * The state structure must be locked!
1624 case XFRM_REPLAY_UPDATE:
1625 if (x->replay_maxdiff &&
1626 (x->replay.seq - x->preplay.seq < x->replay_maxdiff) &&
1627 (x->replay.oseq - x->preplay.oseq < x->replay_maxdiff)) {
1628 if (x->xflags & XFRM_TIME_DEFER)
1629 event = XFRM_REPLAY_TIMEOUT;
1636 case XFRM_REPLAY_TIMEOUT:
1637 if ((x->replay.seq == x->preplay.seq) &&
1638 (x->replay.bitmap == x->preplay.bitmap) &&
1639 (x->replay.oseq == x->preplay.oseq)) {
1640 x->xflags |= XFRM_TIME_DEFER;
1647 memcpy(&x->preplay, &x->replay, sizeof(struct xfrm_replay_state));
1648 c.event = XFRM_MSG_NEWAE;
1649 c.data.aevent = event;
1650 km_state_notify(x, &c);
1652 if (x->replay_maxage &&
1653 !mod_timer(&x->rtimer, jiffies + x->replay_maxage))
1654 x->xflags &= ~XFRM_TIME_DEFER;
1657 static void xfrm_replay_timer_handler(unsigned long data)
1659 struct xfrm_state *x = (struct xfrm_state*)data;
1661 spin_lock(&x->lock);
1663 if (x->km.state == XFRM_STATE_VALID) {
1664 if (xfrm_aevent_is_on())
1665 xfrm_replay_notify(x, XFRM_REPLAY_TIMEOUT);
1667 x->xflags |= XFRM_TIME_DEFER;
1670 spin_unlock(&x->lock);
1673 int xfrm_replay_check(struct xfrm_state *x,
1674 struct sk_buff *skb, __be32 net_seq)
1677 u32 seq = ntohl(net_seq);
1679 if (unlikely(seq == 0))
1682 if (likely(seq > x->replay.seq))
1685 diff = x->replay.seq - seq;
1686 if (diff >= min_t(unsigned int, x->props.replay_window,
1687 sizeof(x->replay.bitmap) * 8)) {
1688 x->stats.replay_window++;
1692 if (x->replay.bitmap & (1U << diff)) {
1699 xfrm_audit_state_replay(x, skb, net_seq);
1703 void xfrm_replay_advance(struct xfrm_state *x, __be32 net_seq)
1706 u32 seq = ntohl(net_seq);
1708 if (seq > x->replay.seq) {
1709 diff = seq - x->replay.seq;
1710 if (diff < x->props.replay_window)
1711 x->replay.bitmap = ((x->replay.bitmap) << diff) | 1;
1713 x->replay.bitmap = 1;
1714 x->replay.seq = seq;
1716 diff = x->replay.seq - seq;
1717 x->replay.bitmap |= (1U << diff);
1720 if (xfrm_aevent_is_on())
1721 xfrm_replay_notify(x, XFRM_REPLAY_UPDATE);
1724 static LIST_HEAD(xfrm_km_list);
1725 static DEFINE_RWLOCK(xfrm_km_lock);
1727 void km_policy_notify(struct xfrm_policy *xp, int dir, struct km_event *c)
1729 struct xfrm_mgr *km;
1731 read_lock(&xfrm_km_lock);
1732 list_for_each_entry(km, &xfrm_km_list, list)
1733 if (km->notify_policy)
1734 km->notify_policy(xp, dir, c);
1735 read_unlock(&xfrm_km_lock);
1738 void km_state_notify(struct xfrm_state *x, struct km_event *c)
1740 struct xfrm_mgr *km;
1741 read_lock(&xfrm_km_lock);
1742 list_for_each_entry(km, &xfrm_km_list, list)
1745 read_unlock(&xfrm_km_lock);
1748 EXPORT_SYMBOL(km_policy_notify);
1749 EXPORT_SYMBOL(km_state_notify);
1751 void km_state_expired(struct xfrm_state *x, int hard, u32 pid)
1757 c.event = XFRM_MSG_EXPIRE;
1758 km_state_notify(x, &c);
1764 EXPORT_SYMBOL(km_state_expired);
1766 * We send to all registered managers regardless of failure
1767 * We are happy with one success
1769 int km_query(struct xfrm_state *x, struct xfrm_tmpl *t, struct xfrm_policy *pol)
1771 int err = -EINVAL, acqret;
1772 struct xfrm_mgr *km;
1774 read_lock(&xfrm_km_lock);
1775 list_for_each_entry(km, &xfrm_km_list, list) {
1776 acqret = km->acquire(x, t, pol, XFRM_POLICY_OUT);
1780 read_unlock(&xfrm_km_lock);
1783 EXPORT_SYMBOL(km_query);
1785 int km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport)
1788 struct xfrm_mgr *km;
1790 read_lock(&xfrm_km_lock);
1791 list_for_each_entry(km, &xfrm_km_list, list) {
1792 if (km->new_mapping)
1793 err = km->new_mapping(x, ipaddr, sport);
1797 read_unlock(&xfrm_km_lock);
1800 EXPORT_SYMBOL(km_new_mapping);
1802 void km_policy_expired(struct xfrm_policy *pol, int dir, int hard, u32 pid)
1808 c.event = XFRM_MSG_POLEXPIRE;
1809 km_policy_notify(pol, dir, &c);
1814 EXPORT_SYMBOL(km_policy_expired);
1816 #ifdef CONFIG_XFRM_MIGRATE
1817 int km_migrate(struct xfrm_selector *sel, u8 dir, u8 type,
1818 struct xfrm_migrate *m, int num_migrate,
1819 struct xfrm_kmaddress *k)
1823 struct xfrm_mgr *km;
1825 read_lock(&xfrm_km_lock);
1826 list_for_each_entry(km, &xfrm_km_list, list) {
1828 ret = km->migrate(sel, dir, type, m, num_migrate, k);
1833 read_unlock(&xfrm_km_lock);
1836 EXPORT_SYMBOL(km_migrate);
1839 int km_report(u8 proto, struct xfrm_selector *sel, xfrm_address_t *addr)
1843 struct xfrm_mgr *km;
1845 read_lock(&xfrm_km_lock);
1846 list_for_each_entry(km, &xfrm_km_list, list) {
1848 ret = km->report(proto, sel, addr);
1853 read_unlock(&xfrm_km_lock);
1856 EXPORT_SYMBOL(km_report);
1858 int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen)
1862 struct xfrm_mgr *km;
1863 struct xfrm_policy *pol = NULL;
1865 if (optlen <= 0 || optlen > PAGE_SIZE)
1868 data = kmalloc(optlen, GFP_KERNEL);
1873 if (copy_from_user(data, optval, optlen))
1877 read_lock(&xfrm_km_lock);
1878 list_for_each_entry(km, &xfrm_km_list, list) {
1879 pol = km->compile_policy(sk, optname, data,
1884 read_unlock(&xfrm_km_lock);
1887 xfrm_sk_policy_insert(sk, err, pol);
1896 EXPORT_SYMBOL(xfrm_user_policy);
1898 int xfrm_register_km(struct xfrm_mgr *km)
1900 write_lock_bh(&xfrm_km_lock);
1901 list_add_tail(&km->list, &xfrm_km_list);
1902 write_unlock_bh(&xfrm_km_lock);
1905 EXPORT_SYMBOL(xfrm_register_km);
1907 int xfrm_unregister_km(struct xfrm_mgr *km)
1909 write_lock_bh(&xfrm_km_lock);
1910 list_del(&km->list);
1911 write_unlock_bh(&xfrm_km_lock);
1914 EXPORT_SYMBOL(xfrm_unregister_km);
1916 int xfrm_state_register_afinfo(struct xfrm_state_afinfo *afinfo)
1919 if (unlikely(afinfo == NULL))
1921 if (unlikely(afinfo->family >= NPROTO))
1922 return -EAFNOSUPPORT;
1923 write_lock_bh(&xfrm_state_afinfo_lock);
1924 if (unlikely(xfrm_state_afinfo[afinfo->family] != NULL))
1927 xfrm_state_afinfo[afinfo->family] = afinfo;
1928 write_unlock_bh(&xfrm_state_afinfo_lock);
1931 EXPORT_SYMBOL(xfrm_state_register_afinfo);
1933 int xfrm_state_unregister_afinfo(struct xfrm_state_afinfo *afinfo)
1936 if (unlikely(afinfo == NULL))
1938 if (unlikely(afinfo->family >= NPROTO))
1939 return -EAFNOSUPPORT;
1940 write_lock_bh(&xfrm_state_afinfo_lock);
1941 if (likely(xfrm_state_afinfo[afinfo->family] != NULL)) {
1942 if (unlikely(xfrm_state_afinfo[afinfo->family] != afinfo))
1945 xfrm_state_afinfo[afinfo->family] = NULL;
1947 write_unlock_bh(&xfrm_state_afinfo_lock);
1950 EXPORT_SYMBOL(xfrm_state_unregister_afinfo);
1952 static struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned int family)
1954 struct xfrm_state_afinfo *afinfo;
1955 if (unlikely(family >= NPROTO))
1957 read_lock(&xfrm_state_afinfo_lock);
1958 afinfo = xfrm_state_afinfo[family];
1959 if (unlikely(!afinfo))
1960 read_unlock(&xfrm_state_afinfo_lock);
1964 static void xfrm_state_put_afinfo(struct xfrm_state_afinfo *afinfo)
1965 __releases(xfrm_state_afinfo_lock)
1967 read_unlock(&xfrm_state_afinfo_lock);
1970 /* Temporarily located here until net/xfrm/xfrm_tunnel.c is created */
1971 void xfrm_state_delete_tunnel(struct xfrm_state *x)
1974 struct xfrm_state *t = x->tunnel;
1976 if (atomic_read(&t->tunnel_users) == 2)
1977 xfrm_state_delete(t);
1978 atomic_dec(&t->tunnel_users);
1983 EXPORT_SYMBOL(xfrm_state_delete_tunnel);
1985 int xfrm_state_mtu(struct xfrm_state *x, int mtu)
1989 spin_lock_bh(&x->lock);
1990 if (x->km.state == XFRM_STATE_VALID &&
1991 x->type && x->type->get_mtu)
1992 res = x->type->get_mtu(x, mtu);
1994 res = mtu - x->props.header_len;
1995 spin_unlock_bh(&x->lock);
1999 int xfrm_init_state(struct xfrm_state *x)
2001 struct xfrm_state_afinfo *afinfo;
2002 struct xfrm_mode *inner_mode;
2003 int family = x->props.family;
2006 err = -EAFNOSUPPORT;
2007 afinfo = xfrm_state_get_afinfo(family);
2012 if (afinfo->init_flags)
2013 err = afinfo->init_flags(x);
2015 xfrm_state_put_afinfo(afinfo);
2020 err = -EPROTONOSUPPORT;
2022 if (x->sel.family != AF_UNSPEC) {
2023 inner_mode = xfrm_get_mode(x->props.mode, x->sel.family);
2024 if (inner_mode == NULL)
2027 if (!(inner_mode->flags & XFRM_MODE_FLAG_TUNNEL) &&
2028 family != x->sel.family) {
2029 xfrm_put_mode(inner_mode);
2033 x->inner_mode = inner_mode;
2035 struct xfrm_mode *inner_mode_iaf;
2037 inner_mode = xfrm_get_mode(x->props.mode, AF_INET);
2038 if (inner_mode == NULL)
2041 if (!(inner_mode->flags & XFRM_MODE_FLAG_TUNNEL)) {
2042 xfrm_put_mode(inner_mode);
2046 inner_mode_iaf = xfrm_get_mode(x->props.mode, AF_INET6);
2047 if (inner_mode_iaf == NULL)
2050 if (!(inner_mode_iaf->flags & XFRM_MODE_FLAG_TUNNEL)) {
2051 xfrm_put_mode(inner_mode_iaf);
2055 if (x->props.family == AF_INET) {
2056 x->inner_mode = inner_mode;
2057 x->inner_mode_iaf = inner_mode_iaf;
2059 x->inner_mode = inner_mode_iaf;
2060 x->inner_mode_iaf = inner_mode;
2064 x->type = xfrm_get_type(x->id.proto, family);
2065 if (x->type == NULL)
2068 err = x->type->init_state(x);
2072 x->outer_mode = xfrm_get_mode(x->props.mode, family);
2073 if (x->outer_mode == NULL)
2076 x->km.state = XFRM_STATE_VALID;
2082 EXPORT_SYMBOL(xfrm_init_state);
2084 int __net_init xfrm_state_init(struct net *net)
2088 sz = sizeof(struct hlist_head) * 8;
2090 xfrm_state_bydst = xfrm_hash_alloc(sz);
2091 xfrm_state_bysrc = xfrm_hash_alloc(sz);
2092 xfrm_state_byspi = xfrm_hash_alloc(sz);
2093 if (!xfrm_state_bydst || !xfrm_state_bysrc || !xfrm_state_byspi)
2094 panic("XFRM: Cannot allocate bydst/bysrc/byspi hashes.");
2095 xfrm_state_hmask = ((sz / sizeof(struct hlist_head)) - 1);
2097 INIT_WORK(&xfrm_state_gc_work, xfrm_state_gc_task);
2101 void xfrm_state_fini(struct net *net)
2105 #ifdef CONFIG_AUDITSYSCALL
2106 static void xfrm_audit_helper_sainfo(struct xfrm_state *x,
2107 struct audit_buffer *audit_buf)
2109 struct xfrm_sec_ctx *ctx = x->security;
2110 u32 spi = ntohl(x->id.spi);
2113 audit_log_format(audit_buf, " sec_alg=%u sec_doi=%u sec_obj=%s",
2114 ctx->ctx_alg, ctx->ctx_doi, ctx->ctx_str);
2116 switch(x->props.family) {
2118 audit_log_format(audit_buf, " src=%pI4 dst=%pI4",
2119 &x->props.saddr.a4, &x->id.daddr.a4);
2122 audit_log_format(audit_buf, " src=%pI6 dst=%pI6",
2123 x->props.saddr.a6, x->id.daddr.a6);
2127 audit_log_format(audit_buf, " spi=%u(0x%x)", spi, spi);
2130 static void xfrm_audit_helper_pktinfo(struct sk_buff *skb, u16 family,
2131 struct audit_buffer *audit_buf)
2134 struct ipv6hdr *iph6;
2139 audit_log_format(audit_buf, " src=%pI4 dst=%pI4",
2140 &iph4->saddr, &iph4->daddr);
2143 iph6 = ipv6_hdr(skb);
2144 audit_log_format(audit_buf,
2145 " src=%pI6 dst=%pI6 flowlbl=0x%x%02x%02x",
2146 &iph6->saddr,&iph6->daddr,
2147 iph6->flow_lbl[0] & 0x0f,
2154 void xfrm_audit_state_add(struct xfrm_state *x, int result,
2155 uid_t auid, u32 sessionid, u32 secid)
2157 struct audit_buffer *audit_buf;
2159 audit_buf = xfrm_audit_start("SAD-add");
2160 if (audit_buf == NULL)
2162 xfrm_audit_helper_usrinfo(auid, sessionid, secid, audit_buf);
2163 xfrm_audit_helper_sainfo(x, audit_buf);
2164 audit_log_format(audit_buf, " res=%u", result);
2165 audit_log_end(audit_buf);
2167 EXPORT_SYMBOL_GPL(xfrm_audit_state_add);
2169 void xfrm_audit_state_delete(struct xfrm_state *x, int result,
2170 uid_t auid, u32 sessionid, u32 secid)
2172 struct audit_buffer *audit_buf;
2174 audit_buf = xfrm_audit_start("SAD-delete");
2175 if (audit_buf == NULL)
2177 xfrm_audit_helper_usrinfo(auid, sessionid, secid, audit_buf);
2178 xfrm_audit_helper_sainfo(x, audit_buf);
2179 audit_log_format(audit_buf, " res=%u", result);
2180 audit_log_end(audit_buf);
2182 EXPORT_SYMBOL_GPL(xfrm_audit_state_delete);
2184 void xfrm_audit_state_replay_overflow(struct xfrm_state *x,
2185 struct sk_buff *skb)
2187 struct audit_buffer *audit_buf;
2190 audit_buf = xfrm_audit_start("SA-replay-overflow");
2191 if (audit_buf == NULL)
2193 xfrm_audit_helper_pktinfo(skb, x->props.family, audit_buf);
2194 /* don't record the sequence number because it's inherent in this kind
2195 * of audit message */
2196 spi = ntohl(x->id.spi);
2197 audit_log_format(audit_buf, " spi=%u(0x%x)", spi, spi);
2198 audit_log_end(audit_buf);
2200 EXPORT_SYMBOL_GPL(xfrm_audit_state_replay_overflow);
2202 static void xfrm_audit_state_replay(struct xfrm_state *x,
2203 struct sk_buff *skb, __be32 net_seq)
2205 struct audit_buffer *audit_buf;
2208 audit_buf = xfrm_audit_start("SA-replayed-pkt");
2209 if (audit_buf == NULL)
2211 xfrm_audit_helper_pktinfo(skb, x->props.family, audit_buf);
2212 spi = ntohl(x->id.spi);
2213 audit_log_format(audit_buf, " spi=%u(0x%x) seqno=%u",
2214 spi, spi, ntohl(net_seq));
2215 audit_log_end(audit_buf);
2218 void xfrm_audit_state_notfound_simple(struct sk_buff *skb, u16 family)
2220 struct audit_buffer *audit_buf;
2222 audit_buf = xfrm_audit_start("SA-notfound");
2223 if (audit_buf == NULL)
2225 xfrm_audit_helper_pktinfo(skb, family, audit_buf);
2226 audit_log_end(audit_buf);
2228 EXPORT_SYMBOL_GPL(xfrm_audit_state_notfound_simple);
2230 void xfrm_audit_state_notfound(struct sk_buff *skb, u16 family,
2231 __be32 net_spi, __be32 net_seq)
2233 struct audit_buffer *audit_buf;
2236 audit_buf = xfrm_audit_start("SA-notfound");
2237 if (audit_buf == NULL)
2239 xfrm_audit_helper_pktinfo(skb, family, audit_buf);
2240 spi = ntohl(net_spi);
2241 audit_log_format(audit_buf, " spi=%u(0x%x) seqno=%u",
2242 spi, spi, ntohl(net_seq));
2243 audit_log_end(audit_buf);
2245 EXPORT_SYMBOL_GPL(xfrm_audit_state_notfound);
2247 void xfrm_audit_state_icvfail(struct xfrm_state *x,
2248 struct sk_buff *skb, u8 proto)
2250 struct audit_buffer *audit_buf;
2254 audit_buf = xfrm_audit_start("SA-icv-failure");
2255 if (audit_buf == NULL)
2257 xfrm_audit_helper_pktinfo(skb, x->props.family, audit_buf);
2258 if (xfrm_parse_spi(skb, proto, &net_spi, &net_seq) == 0) {
2259 u32 spi = ntohl(net_spi);
2260 audit_log_format(audit_buf, " spi=%u(0x%x) seqno=%u",
2261 spi, spi, ntohl(net_seq));
2263 audit_log_end(audit_buf);
2265 EXPORT_SYMBOL_GPL(xfrm_audit_state_icvfail);
2266 #endif /* CONFIG_AUDITSYSCALL */
git://ftp.safe.ca / safe / jmp / linux-2.6 / blob