SAFE public projects git trees. - safe/jmp/linux-2.6/blob - net/xfrm/xfrm_state.c

   1 /*
   2  * xfrm_state.c
   3  *
   4  * Changes:
   5  *      Mitsuru KANDA @USAGI
   6  *      Kazunori MIYAZAWA @USAGI
   7  *      Kunihiro Ishiguro <kunihiro@ipinfusion.com>
   8  *              IPv6 support
   9  *      YOSHIFUJI Hideaki @USAGI
  10  *              Split up af-specific functions
  11  *      Derek Atkins <derek@ihtfp.com>
  12  *              Add UDP Encapsulation
  13  *
  14  */
  15
  16 #include <linux/workqueue.h>
  17 #include <net/xfrm.h>
  18 #include <linux/pfkeyv2.h>
  19 #include <linux/ipsec.h>
  20 #include <linux/module.h>
  21 #include <linux/cache.h>
  22 #include <asm/uaccess.h>
  23
  24 #include "xfrm_hash.h"
  25
  26 struct sock *xfrm_nl;
  27 EXPORT_SYMBOL(xfrm_nl);
  28
  29 u32 sysctl_xfrm_aevent_etime __read_mostly = XFRM_AE_ETIME;
  30 EXPORT_SYMBOL(sysctl_xfrm_aevent_etime);
  31
  32 u32 sysctl_xfrm_aevent_rseqth __read_mostly = XFRM_AE_SEQT_SIZE;
  33 EXPORT_SYMBOL(sysctl_xfrm_aevent_rseqth);
  34
  35 u32 sysctl_xfrm_acq_expires __read_mostly = 30;
  36
  37 /* Each xfrm_state may be linked to two tables:
  38
  39    1. Hash table by (spi,daddr,ah/esp) to find SA by SPI. (input,ctl)
  40    2. Hash table by (daddr,family,reqid) to find what SAs exist for given
  41       destination/tunnel endpoint. (output)
  42  */
  43
  44 static DEFINE_SPINLOCK(xfrm_state_lock);
  45
  46 /* Hash table to find appropriate SA towards given target (endpoint
  47  * of tunnel or destination of transport mode) allowed by selector.
  48  *
  49  * Main use is finding SA after policy selected tunnel or transport mode.
  50  * Also, it can be used by ah/esp icmp error handler to find offending SA.
  51  */
  52 static struct hlist_head *xfrm_state_bydst __read_mostly;
  53 static struct hlist_head *xfrm_state_bysrc __read_mostly;
  54 static struct hlist_head *xfrm_state_byspi __read_mostly;
  55 static unsigned int xfrm_state_hmask __read_mostly;
  56 static unsigned int xfrm_state_hashmax __read_mostly = 1 * 1024 * 1024;
  57 static unsigned int xfrm_state_num;
  58 static unsigned int xfrm_state_genid;
  59
  60 static inline unsigned int xfrm_dst_hash(xfrm_address_t *daddr,
  61                                          xfrm_address_t *saddr,
  62                                          u32 reqid,
  63                                          unsigned short family)
  64 {
  65         return __xfrm_dst_hash(daddr, saddr, reqid, family, xfrm_state_hmask);
  66 }
  67
  68 static inline unsigned int xfrm_src_hash(xfrm_address_t *daddr,
  69                                          xfrm_address_t *saddr,
  70                                          unsigned short family)
  71 {
  72         return __xfrm_src_hash(daddr, saddr, family, xfrm_state_hmask);
  73 }
  74
  75 static inline unsigned int
  76 xfrm_spi_hash(xfrm_address_t *daddr, __be32 spi, u8 proto, unsigned short family)
  77 {
  78         return __xfrm_spi_hash(daddr, spi, proto, family, xfrm_state_hmask);
  79 }
  80
  81 static void xfrm_hash_transfer(struct hlist_head *list,
  82                                struct hlist_head *ndsttable,
  83                                struct hlist_head *nsrctable,
  84                                struct hlist_head *nspitable,
  85                                unsigned int nhashmask)
  86 {
  87         struct hlist_node *entry, *tmp;
  88         struct xfrm_state *x;
  89
  90         hlist_for_each_entry_safe(x, entry, tmp, list, bydst) {
  91                 unsigned int h;
  92
  93                 h = __xfrm_dst_hash(&x->id.daddr, &x->props.saddr,
  94                                     x->props.reqid, x->props.family,
  95                                     nhashmask);
  96                 hlist_add_head(&x->bydst, ndsttable+h);
  97
  98                 h = __xfrm_src_hash(&x->id.daddr, &x->props.saddr,
  99                                     x->props.family,
 100                                     nhashmask);
 101                 hlist_add_head(&x->bysrc, nsrctable+h);
 102
 103                 if (x->id.spi) {
 104                         h = __xfrm_spi_hash(&x->id.daddr, x->id.spi,
 105                                             x->id.proto, x->props.family,
 106                                             nhashmask);
 107                         hlist_add_head(&x->byspi, nspitable+h);
 108                 }
 109         }
 110 }
 111
 112 static unsigned long xfrm_hash_new_size(void)
 113 {
 114         return ((xfrm_state_hmask + 1) << 1) *
 115                 sizeof(struct hlist_head);
 116 }
 117
 118 static DEFINE_MUTEX(hash_resize_mutex);
 119
 120 static void xfrm_hash_resize(struct work_struct *__unused)
 121 {
 122         struct hlist_head *ndst, *nsrc, *nspi, *odst, *osrc, *ospi;
 123         unsigned long nsize, osize;
 124         unsigned int nhashmask, ohashmask;
 125         int i;
 126
 127         mutex_lock(&hash_resize_mutex);
 128
 129         nsize = xfrm_hash_new_size();
 130         ndst = xfrm_hash_alloc(nsize);
 131         if (!ndst)
 132                 goto out_unlock;
 133         nsrc = xfrm_hash_alloc(nsize);
 134         if (!nsrc) {
 135                 xfrm_hash_free(ndst, nsize);
 136                 goto out_unlock;
 137         }
 138         nspi = xfrm_hash_alloc(nsize);
 139         if (!nspi) {
 140                 xfrm_hash_free(ndst, nsize);
 141                 xfrm_hash_free(nsrc, nsize);
 142                 goto out_unlock;
 143         }
 144
 145         spin_lock_bh(&xfrm_state_lock);
 146
 147         nhashmask = (nsize / sizeof(struct hlist_head)) - 1U;
 148         for (i = xfrm_state_hmask; i >= 0; i--)
 149                 xfrm_hash_transfer(xfrm_state_bydst+i, ndst, nsrc, nspi,
 150                                    nhashmask);
 151
 152         odst = xfrm_state_bydst;
 153         osrc = xfrm_state_bysrc;
 154         ospi = xfrm_state_byspi;
 155         ohashmask = xfrm_state_hmask;
 156
 157         xfrm_state_bydst = ndst;
 158         xfrm_state_bysrc = nsrc;
 159         xfrm_state_byspi = nspi;
 160         xfrm_state_hmask = nhashmask;
 161
 162         spin_unlock_bh(&xfrm_state_lock);
 163
 164         osize = (ohashmask + 1) * sizeof(struct hlist_head);
 165         xfrm_hash_free(odst, osize);
 166         xfrm_hash_free(osrc, osize);
 167         xfrm_hash_free(ospi, osize);
 168
 169 out_unlock:
 170         mutex_unlock(&hash_resize_mutex);
 171 }
 172
 173 static DECLARE_WORK(xfrm_hash_work, xfrm_hash_resize);
 174
 175 DECLARE_WAIT_QUEUE_HEAD(km_waitq);
 176 EXPORT_SYMBOL(km_waitq);
 177
 178 static DEFINE_RWLOCK(xfrm_state_afinfo_lock);
 179 static struct xfrm_state_afinfo *xfrm_state_afinfo[NPROTO];
 180
 181 static struct work_struct xfrm_state_gc_work;
 182 static HLIST_HEAD(xfrm_state_gc_list);
 183 static DEFINE_SPINLOCK(xfrm_state_gc_lock);
 184
 185 int __xfrm_state_delete(struct xfrm_state *x);
 186
 187 int km_query(struct xfrm_state *x, struct xfrm_tmpl *t, struct xfrm_policy *pol);
 188 void km_state_expired(struct xfrm_state *x, int hard, u32 pid);
 189
 190 static void xfrm_state_gc_destroy(struct xfrm_state *x)
 191 {
 192         del_timer_sync(&x->timer);
 193         del_timer_sync(&x->rtimer);
 194         kfree(x->aalg);
 195         kfree(x->ealg);
 196         kfree(x->calg);
 197         kfree(x->encap);
 198         kfree(x->coaddr);
 199         if (x->mode)
 200                 xfrm_put_mode(x->mode);
 201         if (x->type) {
 202                 x->type->destructor(x);
 203                 xfrm_put_type(x->type);
 204         }
 205         security_xfrm_state_free(x);
 206         kfree(x);
 207 }
 208
 209 static void xfrm_state_gc_task(struct work_struct *data)
 210 {
 211         struct xfrm_state *x;
 212         struct hlist_node *entry, *tmp;
 213         struct hlist_head gc_list;
 214
 215         spin_lock_bh(&xfrm_state_gc_lock);
 216         gc_list.first = xfrm_state_gc_list.first;
 217         INIT_HLIST_HEAD(&xfrm_state_gc_list);
 218         spin_unlock_bh(&xfrm_state_gc_lock);
 219
 220         hlist_for_each_entry_safe(x, entry, tmp, &gc_list, bydst)
 221                 xfrm_state_gc_destroy(x);
 222
 223         wake_up(&km_waitq);
 224 }
 225
 226 static inline unsigned long make_jiffies(long secs)
 227 {
 228         if (secs >= (MAX_SCHEDULE_TIMEOUT-1)/HZ)
 229                 return MAX_SCHEDULE_TIMEOUT-1;
 230         else
 231                 return secs*HZ;
 232 }
 233
 234 static void xfrm_timer_handler(unsigned long data)
 235 {
 236         struct xfrm_state *x = (struct xfrm_state*)data;
 237         unsigned long now = get_seconds();
 238         long next = LONG_MAX;
 239         int warn = 0;
 240         int err = 0;
 241
 242         spin_lock(&x->lock);
 243         if (x->km.state == XFRM_STATE_DEAD)
 244                 goto out;
 245         if (x->km.state == XFRM_STATE_EXPIRED)
 246                 goto expired;
 247         if (x->lft.hard_add_expires_seconds) {
 248                 long tmo = x->lft.hard_add_expires_seconds +
 249                         x->curlft.add_time - now;
 250                 if (tmo <= 0)
 251                         goto expired;
 252                 if (tmo < next)
 253                         next = tmo;
 254         }
 255         if (x->lft.hard_use_expires_seconds) {
 256                 long tmo = x->lft.hard_use_expires_seconds +
 257                         (x->curlft.use_time ? : now) - now;
 258                 if (tmo <= 0)
 259                         goto expired;
 260                 if (tmo < next)
 261                         next = tmo;
 262         }
 263         if (x->km.dying)
 264                 goto resched;
 265         if (x->lft.soft_add_expires_seconds) {
 266                 long tmo = x->lft.soft_add_expires_seconds +
 267                         x->curlft.add_time - now;
 268                 if (tmo <= 0)
 269                         warn = 1;
 270                 else if (tmo < next)
 271                         next = tmo;
 272         }
 273         if (x->lft.soft_use_expires_seconds) {
 274                 long tmo = x->lft.soft_use_expires_seconds +
 275                         (x->curlft.use_time ? : now) - now;
 276                 if (tmo <= 0)
 277                         warn = 1;
 278                 else if (tmo < next)
 279                         next = tmo;
 280         }
 281
 282         x->km.dying = warn;
 283         if (warn)
 284                 km_state_expired(x, 0, 0);
 285 resched:
 286         if (next != LONG_MAX)
 287                 mod_timer(&x->timer, jiffies + make_jiffies(next));
 288
 289         goto out;
 290
 291 expired:
 292         if (x->km.state == XFRM_STATE_ACQ && x->id.spi == 0) {
 293                 x->km.state = XFRM_STATE_EXPIRED;
 294                 wake_up(&km_waitq);
 295                 next = 2;
 296                 goto resched;
 297         }
 298
 299         err = __xfrm_state_delete(x);
 300         if (!err && x->id.spi)
 301                 km_state_expired(x, 1, 0);
 302
 303         xfrm_audit_state_delete(x, err ? 0 : 1,
 304                                 audit_get_loginuid(current->audit_context), 0);
 305
 306 out:
 307         spin_unlock(&x->lock);
 308 }
 309
 310 static void xfrm_replay_timer_handler(unsigned long data);
 311
 312 struct xfrm_state *xfrm_state_alloc(void)
 313 {
 314         struct xfrm_state *x;
 315
 316         x = kzalloc(sizeof(struct xfrm_state), GFP_ATOMIC);
 317
 318         if (x) {
 319                 atomic_set(&x->refcnt, 1);
 320                 atomic_set(&x->tunnel_users, 0);
 321                 INIT_HLIST_NODE(&x->bydst);
 322                 INIT_HLIST_NODE(&x->bysrc);
 323                 INIT_HLIST_NODE(&x->byspi);
 324                 init_timer(&x->timer);
 325                 x->timer.function = xfrm_timer_handler;
 326                 x->timer.data     = (unsigned long)x;
 327                 init_timer(&x->rtimer);
 328                 x->rtimer.function = xfrm_replay_timer_handler;
 329                 x->rtimer.data     = (unsigned long)x;
 330                 x->curlft.add_time = get_seconds();
 331                 x->lft.soft_byte_limit = XFRM_INF;
 332                 x->lft.soft_packet_limit = XFRM_INF;
 333                 x->lft.hard_byte_limit = XFRM_INF;
 334                 x->lft.hard_packet_limit = XFRM_INF;
 335                 x->replay_maxage = 0;
 336                 x->replay_maxdiff = 0;
 337                 spin_lock_init(&x->lock);
 338         }
 339         return x;
 340 }
 341 EXPORT_SYMBOL(xfrm_state_alloc);
 342
 343 void __xfrm_state_destroy(struct xfrm_state *x)
 344 {
 345         BUG_TRAP(x->km.state == XFRM_STATE_DEAD);
 346
 347         spin_lock_bh(&xfrm_state_gc_lock);
 348         hlist_add_head(&x->bydst, &xfrm_state_gc_list);
 349         spin_unlock_bh(&xfrm_state_gc_lock);
 350         schedule_work(&xfrm_state_gc_work);
 351 }
 352 EXPORT_SYMBOL(__xfrm_state_destroy);
 353
 354 int __xfrm_state_delete(struct xfrm_state *x)
 355 {
 356         int err = -ESRCH;
 357
 358         if (x->km.state != XFRM_STATE_DEAD) {
 359                 x->km.state = XFRM_STATE_DEAD;
 360                 spin_lock(&xfrm_state_lock);
 361                 hlist_del(&x->bydst);
 362                 hlist_del(&x->bysrc);
 363                 if (x->id.spi)
 364                         hlist_del(&x->byspi);
 365                 xfrm_state_num--;
 366                 spin_unlock(&xfrm_state_lock);
 367
 368                 /* All xfrm_state objects are created by xfrm_state_alloc.
 369                  * The xfrm_state_alloc call gives a reference, and that
 370                  * is what we are dropping here.
 371                  */
 372                 __xfrm_state_put(x);
 373                 err = 0;
 374         }
 375
 376         return err;
 377 }
 378 EXPORT_SYMBOL(__xfrm_state_delete);
 379
 380 int xfrm_state_delete(struct xfrm_state *x)
 381 {
 382         int err;
 383
 384         spin_lock_bh(&x->lock);
 385         err = __xfrm_state_delete(x);
 386         spin_unlock_bh(&x->lock);
 387
 388         return err;
 389 }
 390 EXPORT_SYMBOL(xfrm_state_delete);
 391
 392 #ifdef CONFIG_SECURITY_NETWORK_XFRM
 393 static inline int
 394 xfrm_state_flush_secctx_check(u8 proto, struct xfrm_audit *audit_info)
 395 {
 396         int i, err = 0;
 397
 398         for (i = 0; i <= xfrm_state_hmask; i++) {
 399                 struct hlist_node *entry;
 400                 struct xfrm_state *x;
 401
 402                 hlist_for_each_entry(x, entry, xfrm_state_bydst+i, bydst) {
 403                         if (xfrm_id_proto_match(x->id.proto, proto) &&
 404                            (err = security_xfrm_state_delete(x)) != 0) {
 405                                 xfrm_audit_state_delete(x, 0,
 406                                                         audit_info->loginuid,
 407                                                         audit_info->secid);
 408                                 return err;
 409                         }
 410                 }
 411         }
 412
 413         return err;
 414 }
 415 #else
 416 static inline int
 417 xfrm_state_flush_secctx_check(u8 proto, struct xfrm_audit *audit_info)
 418 {
 419         return 0;
 420 }
 421 #endif
 422
 423 int xfrm_state_flush(u8 proto, struct xfrm_audit *audit_info)
 424 {
 425         int i, err = 0;
 426
 427         spin_lock_bh(&xfrm_state_lock);
 428         err = xfrm_state_flush_secctx_check(proto, audit_info);
 429         if (err)
 430                 goto out;
 431
 432         for (i = 0; i <= xfrm_state_hmask; i++) {
 433                 struct hlist_node *entry;
 434                 struct xfrm_state *x;
 435 restart:
 436                 hlist_for_each_entry(x, entry, xfrm_state_bydst+i, bydst) {
 437                         if (!xfrm_state_kern(x) &&
 438                             xfrm_id_proto_match(x->id.proto, proto)) {
 439                                 xfrm_state_hold(x);
 440                                 spin_unlock_bh(&xfrm_state_lock);
 441
 442                                 err = xfrm_state_delete(x);
 443                                 xfrm_audit_state_delete(x, err ? 0 : 1,
 444                                                         audit_info->loginuid,
 445                                                         audit_info->secid);
 446                                 xfrm_state_put(x);
 447
 448                                 spin_lock_bh(&xfrm_state_lock);
 449                                 goto restart;
 450                         }
 451                 }
 452         }
 453         err = 0;
 454
 455 out:
 456         spin_unlock_bh(&xfrm_state_lock);
 457         wake_up(&km_waitq);
 458         return err;
 459 }
 460 EXPORT_SYMBOL(xfrm_state_flush);
 461
 462 void xfrm_sad_getinfo(struct xfrmk_sadinfo *si)
 463 {
 464         spin_lock_bh(&xfrm_state_lock);
 465         si->sadcnt = xfrm_state_num;
 466         si->sadhcnt = xfrm_state_hmask;
 467         si->sadhmcnt = xfrm_state_hashmax;
 468         spin_unlock_bh(&xfrm_state_lock);
 469 }
 470 EXPORT_SYMBOL(xfrm_sad_getinfo);
 471
 472 static int
 473 xfrm_init_tempsel(struct xfrm_state *x, struct flowi *fl,
 474                   struct xfrm_tmpl *tmpl,
 475                   xfrm_address_t *daddr, xfrm_address_t *saddr,
 476                   unsigned short family)
 477 {
 478         struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family);
 479         if (!afinfo)
 480                 return -1;
 481         afinfo->init_tempsel(x, fl, tmpl, daddr, saddr);
 482         xfrm_state_put_afinfo(afinfo);
 483         return 0;
 484 }
 485
 486 static struct xfrm_state *__xfrm_state_lookup(xfrm_address_t *daddr, __be32 spi, u8 proto, unsigned short family)
 487 {
 488         unsigned int h = xfrm_spi_hash(daddr, spi, proto, family);
 489         struct xfrm_state *x;
 490         struct hlist_node *entry;
 491
 492         hlist_for_each_entry(x, entry, xfrm_state_byspi+h, byspi) {
 493                 if (x->props.family != family ||
 494                     x->id.spi       != spi ||
 495                     x->id.proto     != proto)
 496                         continue;
 497
 498                 switch (family) {
 499                 case AF_INET:
 500                         if (x->id.daddr.a4 != daddr->a4)
 501                                 continue;
 502                         break;
 503                 case AF_INET6:
 504                         if (!ipv6_addr_equal((struct in6_addr *)daddr,
 505                                              (struct in6_addr *)
 506                                              x->id.daddr.a6))
 507                                 continue;
 508                         break;
 509                 }
 510
 511                 xfrm_state_hold(x);
 512                 return x;
 513         }
 514
 515         return NULL;
 516 }
 517
 518 static struct xfrm_state *__xfrm_state_lookup_byaddr(xfrm_address_t *daddr, xfrm_address_t *saddr, u8 proto, unsigned short family)
 519 {
 520         unsigned int h = xfrm_src_hash(daddr, saddr, family);
 521         struct xfrm_state *x;
 522         struct hlist_node *entry;
 523
 524         hlist_for_each_entry(x, entry, xfrm_state_bysrc+h, bysrc) {
 525                 if (x->props.family != family ||
 526                     x->id.proto     != proto)
 527                         continue;
 528
 529                 switch (family) {
 530                 case AF_INET:
 531                         if (x->id.daddr.a4 != daddr->a4 ||
 532                             x->props.saddr.a4 != saddr->a4)
 533                                 continue;
 534                         break;
 535                 case AF_INET6:
 536                         if (!ipv6_addr_equal((struct in6_addr *)daddr,
 537                                              (struct in6_addr *)
 538                                              x->id.daddr.a6) ||
 539                             !ipv6_addr_equal((struct in6_addr *)saddr,
 540                                              (struct in6_addr *)
 541                                              x->props.saddr.a6))
 542                                 continue;
 543                         break;
 544                 }
 545
 546                 xfrm_state_hold(x);
 547                 return x;
 548         }
 549
 550         return NULL;
 551 }
 552
 553 static inline struct xfrm_state *
 554 __xfrm_state_locate(struct xfrm_state *x, int use_spi, int family)
 555 {
 556         if (use_spi)
 557                 return __xfrm_state_lookup(&x->id.daddr, x->id.spi,
 558                                            x->id.proto, family);
 559         else
 560                 return __xfrm_state_lookup_byaddr(&x->id.daddr,
 561                                                   &x->props.saddr,
 562                                                   x->id.proto, family);
 563 }
 564
 565 static void xfrm_hash_grow_check(int have_hash_collision)
 566 {
 567         if (have_hash_collision &&
 568             (xfrm_state_hmask + 1) < xfrm_state_hashmax &&
 569             xfrm_state_num > xfrm_state_hmask)
 570                 schedule_work(&xfrm_hash_work);
 571 }
 572
 573 struct xfrm_state *
 574 xfrm_state_find(xfrm_address_t *daddr, xfrm_address_t *saddr,
 575                 struct flowi *fl, struct xfrm_tmpl *tmpl,
 576                 struct xfrm_policy *pol, int *err,
 577                 unsigned short family)
 578 {
 579         unsigned int h = xfrm_dst_hash(daddr, saddr, tmpl->reqid, family);
 580         struct hlist_node *entry;
 581         struct xfrm_state *x, *x0;
 582         int acquire_in_progress = 0;
 583         int error = 0;
 584         struct xfrm_state *best = NULL;
 585
 586         spin_lock_bh(&xfrm_state_lock);
 587         hlist_for_each_entry(x, entry, xfrm_state_bydst+h, bydst) {
 588                 if (x->props.family == family &&
 589                     x->props.reqid == tmpl->reqid &&
 590                     !(x->props.flags & XFRM_STATE_WILDRECV) &&
 591                     xfrm_state_addr_check(x, daddr, saddr, family) &&
 592                     tmpl->mode == x->props.mode &&
 593                     tmpl->id.proto == x->id.proto &&
 594                     (tmpl->id.spi == x->id.spi || !tmpl->id.spi)) {
 595                         /* Resolution logic:
 596                            1. There is a valid state with matching selector.
 597                               Done.
 598                            2. Valid state with inappropriate selector. Skip.
 599
 600                            Entering area of "sysdeps".
 601
 602                            3. If state is not valid, selector is temporary,
 603                               it selects only session which triggered
 604                               previous resolution. Key manager will do
 605                               something to install a state with proper
 606                               selector.
 607                          */
 608                         if (x->km.state == XFRM_STATE_VALID) {
 609                                 if (!xfrm_selector_match(&x->sel, fl, x->sel.family) ||
 610                                     !security_xfrm_state_pol_flow_match(x, pol, fl))
 611                                         continue;
 612                                 if (!best ||
 613                                     best->km.dying > x->km.dying ||
 614                                     (best->km.dying == x->km.dying &&
 615                                      best->curlft.add_time < x->curlft.add_time))
 616                                         best = x;
 617                         } else if (x->km.state == XFRM_STATE_ACQ) {
 618                                 acquire_in_progress = 1;
 619                         } else if (x->km.state == XFRM_STATE_ERROR ||
 620                                    x->km.state == XFRM_STATE_EXPIRED) {
 621                                 if (xfrm_selector_match(&x->sel, fl, x->sel.family) &&
 622                                     security_xfrm_state_pol_flow_match(x, pol, fl))
 623                                         error = -ESRCH;
 624                         }
 625                 }
 626         }
 627
 628         x = best;
 629         if (!x && !error && !acquire_in_progress) {
 630                 if (tmpl->id.spi &&
 631                     (x0 = __xfrm_state_lookup(daddr, tmpl->id.spi,
 632                                               tmpl->id.proto, family)) != NULL) {
 633                         xfrm_state_put(x0);
 634                         error = -EEXIST;
 635                         goto out;
 636                 }
 637                 x = xfrm_state_alloc();
 638                 if (x == NULL) {
 639                         error = -ENOMEM;
 640                         goto out;
 641                 }
 642                 /* Initialize temporary selector matching only
 643                  * to current session. */
 644                 xfrm_init_tempsel(x, fl, tmpl, daddr, saddr, family);
 645
 646                 error = security_xfrm_state_alloc_acquire(x, pol->security, fl->secid);
 647                 if (error) {
 648                         x->km.state = XFRM_STATE_DEAD;
 649                         xfrm_state_put(x);
 650                         x = NULL;
 651                         goto out;
 652                 }
 653
 654                 if (km_query(x, tmpl, pol) == 0) {
 655                         x->km.state = XFRM_STATE_ACQ;
 656                         hlist_add_head(&x->bydst, xfrm_state_bydst+h);
 657                         h = xfrm_src_hash(daddr, saddr, family);
 658                         hlist_add_head(&x->bysrc, xfrm_state_bysrc+h);
 659                         if (x->id.spi) {
 660                                 h = xfrm_spi_hash(&x->id.daddr, x->id.spi, x->id.proto, family);
 661                                 hlist_add_head(&x->byspi, xfrm_state_byspi+h);
 662                         }
 663                         x->lft.hard_add_expires_seconds = sysctl_xfrm_acq_expires;
 664                         x->timer.expires = jiffies + sysctl_xfrm_acq_expires*HZ;
 665                         add_timer(&x->timer);
 666                         xfrm_state_num++;
 667                         xfrm_hash_grow_check(x->bydst.next != NULL);
 668                 } else {
 669                         x->km.state = XFRM_STATE_DEAD;
 670                         xfrm_state_put(x);
 671                         x = NULL;
 672                         error = -ESRCH;
 673                 }
 674         }
 675 out:
 676         if (x)
 677                 xfrm_state_hold(x);
 678         else
 679                 *err = acquire_in_progress ? -EAGAIN : error;
 680         spin_unlock_bh(&xfrm_state_lock);
 681         return x;
 682 }
 683
 684 struct xfrm_state *
 685 xfrm_stateonly_find(xfrm_address_t *daddr, xfrm_address_t *saddr,
 686                     unsigned short family, u8 mode, u8 proto, u32 reqid)
 687 {
 688         unsigned int h = xfrm_dst_hash(daddr, saddr, reqid, family);
 689         struct xfrm_state *rx = NULL, *x = NULL;
 690         struct hlist_node *entry;
 691
 692         spin_lock(&xfrm_state_lock);
 693         hlist_for_each_entry(x, entry, xfrm_state_bydst+h, bydst) {
 694                 if (x->props.family == family &&
 695                     x->props.reqid == reqid &&
 696                     !(x->props.flags & XFRM_STATE_WILDRECV) &&
 697                     xfrm_state_addr_check(x, daddr, saddr, family) &&
 698                     mode == x->props.mode &&
 699                     proto == x->id.proto &&
 700                     x->km.state == XFRM_STATE_VALID) {
 701                         rx = x;
 702                         break;
 703                 }
 704         }
 705
 706         if (rx)
 707                 xfrm_state_hold(rx);
 708         spin_unlock(&xfrm_state_lock);
 709
 710
 711         return rx;
 712 }
 713 EXPORT_SYMBOL(xfrm_stateonly_find);
 714
 715 static void __xfrm_state_insert(struct xfrm_state *x)
 716 {
 717         unsigned int h;
 718
 719         x->genid = ++xfrm_state_genid;
 720
 721         h = xfrm_dst_hash(&x->id.daddr, &x->props.saddr,
 722                           x->props.reqid, x->props.family);
 723         hlist_add_head(&x->bydst, xfrm_state_bydst+h);
 724
 725         h = xfrm_src_hash(&x->id.daddr, &x->props.saddr, x->props.family);
 726         hlist_add_head(&x->bysrc, xfrm_state_bysrc+h);
 727
 728         if (x->id.spi) {
 729                 h = xfrm_spi_hash(&x->id.daddr, x->id.spi, x->id.proto,
 730                                   x->props.family);
 731
 732                 hlist_add_head(&x->byspi, xfrm_state_byspi+h);
 733         }
 734
 735         mod_timer(&x->timer, jiffies + HZ);
 736         if (x->replay_maxage)
 737                 mod_timer(&x->rtimer, jiffies + x->replay_maxage);
 738
 739         wake_up(&km_waitq);
 740
 741         xfrm_state_num++;
 742
 743         xfrm_hash_grow_check(x->bydst.next != NULL);
 744 }
 745
 746 /* xfrm_state_lock is held */
 747 static void __xfrm_state_bump_genids(struct xfrm_state *xnew)
 748 {
 749         unsigned short family = xnew->props.family;
 750         u32 reqid = xnew->props.reqid;
 751         struct xfrm_state *x;
 752         struct hlist_node *entry;
 753         unsigned int h;
 754
 755         h = xfrm_dst_hash(&xnew->id.daddr, &xnew->props.saddr, reqid, family);
 756         hlist_for_each_entry(x, entry, xfrm_state_bydst+h, bydst) {
 757                 if (x->props.family     == family &&
 758                     x->props.reqid      == reqid &&
 759                     !xfrm_addr_cmp(&x->id.daddr, &xnew->id.daddr, family) &&
 760                     !xfrm_addr_cmp(&x->props.saddr, &xnew->props.saddr, family))
 761                         x->genid = xfrm_state_genid;
 762         }
 763 }
 764
 765 void xfrm_state_insert(struct xfrm_state *x)
 766 {
 767         spin_lock_bh(&xfrm_state_lock);
 768         __xfrm_state_bump_genids(x);
 769         __xfrm_state_insert(x);
 770         spin_unlock_bh(&xfrm_state_lock);
 771 }
 772 EXPORT_SYMBOL(xfrm_state_insert);
 773
 774 /* xfrm_state_lock is held */
 775 static struct xfrm_state *__find_acq_core(unsigned short family, u8 mode, u32 reqid, u8 proto, xfrm_address_t *daddr, xfrm_address_t *saddr, int create)
 776 {
 777         unsigned int h = xfrm_dst_hash(daddr, saddr, reqid, family);
 778         struct hlist_node *entry;
 779         struct xfrm_state *x;
 780
 781         hlist_for_each_entry(x, entry, xfrm_state_bydst+h, bydst) {
 782                 if (x->props.reqid  != reqid ||
 783                     x->props.mode   != mode ||
 784                     x->props.family != family ||
 785                     x->km.state     != XFRM_STATE_ACQ ||
 786                     x->id.spi       != 0 ||
 787                     x->id.proto     != proto)
 788                         continue;
 789
 790                 switch (family) {
 791                 case AF_INET:
 792                         if (x->id.daddr.a4    != daddr->a4 ||
 793                             x->props.saddr.a4 != saddr->a4)
 794                                 continue;
 795                         break;
 796                 case AF_INET6:
 797                         if (!ipv6_addr_equal((struct in6_addr *)x->id.daddr.a6,
 798                                              (struct in6_addr *)daddr) ||
 799                             !ipv6_addr_equal((struct in6_addr *)
 800                                              x->props.saddr.a6,
 801                                              (struct in6_addr *)saddr))
 802                                 continue;
 803                         break;
 804                 }
 805
 806                 xfrm_state_hold(x);
 807                 return x;
 808         }
 809
 810         if (!create)
 811                 return NULL;
 812
 813         x = xfrm_state_alloc();
 814         if (likely(x)) {
 815                 switch (family) {
 816                 case AF_INET:
 817                         x->sel.daddr.a4 = daddr->a4;
 818                         x->sel.saddr.a4 = saddr->a4;
 819                         x->sel.prefixlen_d = 32;
 820                         x->sel.prefixlen_s = 32;
 821                         x->props.saddr.a4 = saddr->a4;
 822                         x->id.daddr.a4 = daddr->a4;
 823                         break;
 824
 825                 case AF_INET6:
 826                         ipv6_addr_copy((struct in6_addr *)x->sel.daddr.a6,
 827                                        (struct in6_addr *)daddr);
 828                         ipv6_addr_copy((struct in6_addr *)x->sel.saddr.a6,
 829                                        (struct in6_addr *)saddr);
 830                         x->sel.prefixlen_d = 128;
 831                         x->sel.prefixlen_s = 128;
 832                         ipv6_addr_copy((struct in6_addr *)x->props.saddr.a6,
 833                                        (struct in6_addr *)saddr);
 834                         ipv6_addr_copy((struct in6_addr *)x->id.daddr.a6,
 835                                        (struct in6_addr *)daddr);
 836                         break;
 837                 }
 838
 839                 x->km.state = XFRM_STATE_ACQ;
 840                 x->id.proto = proto;
 841                 x->props.family = family;
 842                 x->props.mode = mode;
 843                 x->props.reqid = reqid;
 844                 x->lft.hard_add_expires_seconds = sysctl_xfrm_acq_expires;
 845                 xfrm_state_hold(x);
 846                 x->timer.expires = jiffies + sysctl_xfrm_acq_expires*HZ;
 847                 add_timer(&x->timer);
 848                 hlist_add_head(&x->bydst, xfrm_state_bydst+h);
 849                 h = xfrm_src_hash(daddr, saddr, family);
 850                 hlist_add_head(&x->bysrc, xfrm_state_bysrc+h);
 851                 wake_up(&km_waitq);
 852
 853                 xfrm_state_num++;
 854
 855                 xfrm_hash_grow_check(x->bydst.next != NULL);
 856         }
 857
 858         return x;
 859 }
 860
 861 static struct xfrm_state *__xfrm_find_acq_byseq(u32 seq);
 862
 863 int xfrm_state_add(struct xfrm_state *x)
 864 {
 865         struct xfrm_state *x1;
 866         int family;
 867         int err;
 868         int use_spi = xfrm_id_proto_match(x->id.proto, IPSEC_PROTO_ANY);
 869
 870         family = x->props.family;
 871
 872         spin_lock_bh(&xfrm_state_lock);
 873
 874         x1 = __xfrm_state_locate(x, use_spi, family);
 875         if (x1) {
 876                 xfrm_state_put(x1);
 877                 x1 = NULL;
 878                 err = -EEXIST;
 879                 goto out;
 880         }
 881
 882         if (use_spi && x->km.seq) {
 883                 x1 = __xfrm_find_acq_byseq(x->km.seq);
 884                 if (x1 && ((x1->id.proto != x->id.proto) ||
 885                     xfrm_addr_cmp(&x1->id.daddr, &x->id.daddr, family))) {
 886                         xfrm_state_put(x1);
 887                         x1 = NULL;
 888                 }
 889         }
 890
 891         if (use_spi && !x1)
 892                 x1 = __find_acq_core(family, x->props.mode, x->props.reqid,
 893                                      x->id.proto,
 894                                      &x->id.daddr, &x->props.saddr, 0);
 895
 896         __xfrm_state_bump_genids(x);
 897         __xfrm_state_insert(x);
 898         err = 0;
 899
 900 out:
 901         spin_unlock_bh(&xfrm_state_lock);
 902
 903         if (x1) {
 904                 xfrm_state_delete(x1);
 905                 xfrm_state_put(x1);
 906         }
 907
 908         return err;
 909 }
 910 EXPORT_SYMBOL(xfrm_state_add);
 911
 912 #ifdef CONFIG_XFRM_MIGRATE
 913 struct xfrm_state *xfrm_state_clone(struct xfrm_state *orig, int *errp)
 914 {
 915         int err = -ENOMEM;
 916         struct xfrm_state *x = xfrm_state_alloc();
 917         if (!x)
 918                 goto error;
 919
 920         memcpy(&x->id, &orig->id, sizeof(x->id));
 921         memcpy(&x->sel, &orig->sel, sizeof(x->sel));
 922         memcpy(&x->lft, &orig->lft, sizeof(x->lft));
 923         x->props.mode = orig->props.mode;
 924         x->props.replay_window = orig->props.replay_window;
 925         x->props.reqid = orig->props.reqid;
 926         x->props.family = orig->props.family;
 927         x->props.saddr = orig->props.saddr;
 928
 929         if (orig->aalg) {
 930                 x->aalg = xfrm_algo_clone(orig->aalg);
 931                 if (!x->aalg)
 932                         goto error;
 933         }
 934         x->props.aalgo = orig->props.aalgo;
 935
 936         if (orig->ealg) {
 937                 x->ealg = xfrm_algo_clone(orig->ealg);
 938                 if (!x->ealg)
 939                         goto error;
 940         }
 941         x->props.ealgo = orig->props.ealgo;
 942
 943         if (orig->calg) {
 944                 x->calg = xfrm_algo_clone(orig->calg);
 945                 if (!x->calg)
 946                         goto error;
 947         }
 948         x->props.calgo = orig->props.calgo;
 949
 950         if (orig->encap) {
 951                 x->encap = kmemdup(orig->encap, sizeof(*x->encap), GFP_KERNEL);
 952                 if (!x->encap)
 953                         goto error;
 954         }
 955
 956         if (orig->coaddr) {
 957                 x->coaddr = kmemdup(orig->coaddr, sizeof(*x->coaddr),
 958                                     GFP_KERNEL);
 959                 if (!x->coaddr)
 960                         goto error;
 961         }
 962
 963         err = xfrm_init_state(x);
 964         if (err)
 965                 goto error;
 966
 967         x->props.flags = orig->props.flags;
 968
 969         x->curlft.add_time = orig->curlft.add_time;
 970         x->km.state = orig->km.state;
 971         x->km.seq = orig->km.seq;
 972
 973         return x;
 974
 975  error:
 976         if (errp)
 977                 *errp = err;
 978         if (x) {
 979                 kfree(x->aalg);
 980                 kfree(x->ealg);
 981                 kfree(x->calg);
 982                 kfree(x->encap);
 983                 kfree(x->coaddr);
 984         }
 985         kfree(x);
 986         return NULL;
 987 }
 988 EXPORT_SYMBOL(xfrm_state_clone);
 989
 990 /* xfrm_state_lock is held */
 991 struct xfrm_state * xfrm_migrate_state_find(struct xfrm_migrate *m)
 992 {
 993         unsigned int h;
 994         struct xfrm_state *x;
 995         struct hlist_node *entry;
 996
 997         if (m->reqid) {
 998                 h = xfrm_dst_hash(&m->old_daddr, &m->old_saddr,
 999                                   m->reqid, m->old_family);
1000                 hlist_for_each_entry(x, entry, xfrm_state_bydst+h, bydst) {
1001                         if (x->props.mode != m->mode ||
1002                             x->id.proto != m->proto)
1003                                 continue;
1004                         if (m->reqid && x->props.reqid != m->reqid)
1005                                 continue;
1006                         if (xfrm_addr_cmp(&x->id.daddr, &m->old_daddr,
1007                                           m->old_family) ||
1008                             xfrm_addr_cmp(&x->props.saddr, &m->old_saddr,
1009                                           m->old_family))
1010                                 continue;
1011                         xfrm_state_hold(x);
1012                         return x;
1013                 }
1014         } else {
1015                 h = xfrm_src_hash(&m->old_daddr, &m->old_saddr,
1016                                   m->old_family);
1017                 hlist_for_each_entry(x, entry, xfrm_state_bysrc+h, bysrc) {
1018                         if (x->props.mode != m->mode ||
1019                             x->id.proto != m->proto)
1020                                 continue;
1021                         if (xfrm_addr_cmp(&x->id.daddr, &m->old_daddr,
1022                                           m->old_family) ||
1023                             xfrm_addr_cmp(&x->props.saddr, &m->old_saddr,
1024                                           m->old_family))
1025                                 continue;
1026                         xfrm_state_hold(x);
1027                         return x;
1028                 }
1029         }
1030
1031         return NULL;
1032 }
1033 EXPORT_SYMBOL(xfrm_migrate_state_find);
1034
1035 struct xfrm_state * xfrm_state_migrate(struct xfrm_state *x,
1036                                        struct xfrm_migrate *m)
1037 {
1038         struct xfrm_state *xc;
1039         int err;
1040
1041         xc = xfrm_state_clone(x, &err);
1042         if (!xc)
1043                 return NULL;
1044
1045         memcpy(&xc->id.daddr, &m->new_daddr, sizeof(xc->id.daddr));
1046         memcpy(&xc->props.saddr, &m->new_saddr, sizeof(xc->props.saddr));
1047
1048         /* add state */
1049         if (!xfrm_addr_cmp(&x->id.daddr, &m->new_daddr, m->new_family)) {
1050                 /* a care is needed when the destination address of the
1051                    state is to be updated as it is a part of triplet */
1052                 xfrm_state_insert(xc);
1053         } else {
1054                 if ((err = xfrm_state_add(xc)) < 0)
1055                         goto error;
1056         }
1057
1058         return xc;
1059 error:
1060         kfree(xc);
1061         return NULL;
1062 }
1063 EXPORT_SYMBOL(xfrm_state_migrate);
1064 #endif
1065
1066 int xfrm_state_update(struct xfrm_state *x)
1067 {
1068         struct xfrm_state *x1;
1069         int err;
1070         int use_spi = xfrm_id_proto_match(x->id.proto, IPSEC_PROTO_ANY);
1071
1072         spin_lock_bh(&xfrm_state_lock);
1073         x1 = __xfrm_state_locate(x, use_spi, x->props.family);
1074
1075         err = -ESRCH;
1076         if (!x1)
1077                 goto out;
1078
1079         if (xfrm_state_kern(x1)) {
1080                 xfrm_state_put(x1);
1081                 err = -EEXIST;
1082                 goto out;
1083         }
1084
1085         if (x1->km.state == XFRM_STATE_ACQ) {
1086                 __xfrm_state_insert(x);
1087                 x = NULL;
1088         }
1089         err = 0;
1090
1091 out:
1092         spin_unlock_bh(&xfrm_state_lock);
1093
1094         if (err)
1095                 return err;
1096
1097         if (!x) {
1098                 xfrm_state_delete(x1);
1099                 xfrm_state_put(x1);
1100                 return 0;
1101         }
1102
1103         err = -EINVAL;
1104         spin_lock_bh(&x1->lock);
1105         if (likely(x1->km.state == XFRM_STATE_VALID)) {
1106                 if (x->encap && x1->encap)
1107                         memcpy(x1->encap, x->encap, sizeof(*x1->encap));
1108                 if (x->coaddr && x1->coaddr) {
1109                         memcpy(x1->coaddr, x->coaddr, sizeof(*x1->coaddr));
1110                 }
1111                 if (!use_spi && memcmp(&x1->sel, &x->sel, sizeof(x1->sel)))
1112                         memcpy(&x1->sel, &x->sel, sizeof(x1->sel));
1113                 memcpy(&x1->lft, &x->lft, sizeof(x1->lft));
1114                 x1->km.dying = 0;
1115
1116                 mod_timer(&x1->timer, jiffies + HZ);
1117                 if (x1->curlft.use_time)
1118                         xfrm_state_check_expire(x1);
1119
1120                 err = 0;
1121         }
1122         spin_unlock_bh(&x1->lock);
1123
1124         xfrm_state_put(x1);
1125
1126         return err;
1127 }
1128 EXPORT_SYMBOL(xfrm_state_update);
1129
1130 int xfrm_state_check_expire(struct xfrm_state *x)
1131 {
1132         if (!x->curlft.use_time)
1133                 x->curlft.use_time = get_seconds();
1134
1135         if (x->km.state != XFRM_STATE_VALID)
1136                 return -EINVAL;
1137
1138         if (x->curlft.bytes >= x->lft.hard_byte_limit ||
1139             x->curlft.packets >= x->lft.hard_packet_limit) {
1140                 x->km.state = XFRM_STATE_EXPIRED;
1141                 mod_timer(&x->timer, jiffies);
1142                 return -EINVAL;
1143         }
1144
1145         if (!x->km.dying &&
1146             (x->curlft.bytes >= x->lft.soft_byte_limit ||
1147              x->curlft.packets >= x->lft.soft_packet_limit)) {
1148                 x->km.dying = 1;
1149                 km_state_expired(x, 0, 0);
1150         }
1151         return 0;
1152 }
1153 EXPORT_SYMBOL(xfrm_state_check_expire);
1154
1155 struct xfrm_state *
1156 xfrm_state_lookup(xfrm_address_t *daddr, __be32 spi, u8 proto,
1157                   unsigned short family)
1158 {
1159         struct xfrm_state *x;
1160
1161         spin_lock_bh(&xfrm_state_lock);
1162         x = __xfrm_state_lookup(daddr, spi, proto, family);
1163         spin_unlock_bh(&xfrm_state_lock);
1164         return x;
1165 }
1166 EXPORT_SYMBOL(xfrm_state_lookup);
1167
1168 struct xfrm_state *
1169 xfrm_state_lookup_byaddr(xfrm_address_t *daddr, xfrm_address_t *saddr,
1170                          u8 proto, unsigned short family)
1171 {
1172         struct xfrm_state *x;
1173
1174         spin_lock_bh(&xfrm_state_lock);
1175         x = __xfrm_state_lookup_byaddr(daddr, saddr, proto, family);
1176         spin_unlock_bh(&xfrm_state_lock);
1177         return x;
1178 }
1179 EXPORT_SYMBOL(xfrm_state_lookup_byaddr);
1180
1181 struct xfrm_state *
1182 xfrm_find_acq(u8 mode, u32 reqid, u8 proto,
1183               xfrm_address_t *daddr, xfrm_address_t *saddr,
1184               int create, unsigned short family)
1185 {
1186         struct xfrm_state *x;
1187
1188         spin_lock_bh(&xfrm_state_lock);
1189         x = __find_acq_core(family, mode, reqid, proto, daddr, saddr, create);
1190         spin_unlock_bh(&xfrm_state_lock);
1191
1192         return x;
1193 }
1194 EXPORT_SYMBOL(xfrm_find_acq);
1195
1196 #ifdef CONFIG_XFRM_SUB_POLICY
1197 int
1198 xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, int n,
1199                unsigned short family)
1200 {
1201         int err = 0;
1202         struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family);
1203         if (!afinfo)
1204                 return -EAFNOSUPPORT;
1205
1206         spin_lock_bh(&xfrm_state_lock);
1207         if (afinfo->tmpl_sort)
1208                 err = afinfo->tmpl_sort(dst, src, n);
1209         spin_unlock_bh(&xfrm_state_lock);
1210         xfrm_state_put_afinfo(afinfo);
1211         return err;
1212 }
1213 EXPORT_SYMBOL(xfrm_tmpl_sort);
1214
1215 int
1216 xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src, int n,
1217                 unsigned short family)
1218 {
1219         int err = 0;
1220         struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family);
1221         if (!afinfo)
1222                 return -EAFNOSUPPORT;
1223
1224         spin_lock_bh(&xfrm_state_lock);
1225         if (afinfo->state_sort)
1226                 err = afinfo->state_sort(dst, src, n);
1227         spin_unlock_bh(&xfrm_state_lock);
1228         xfrm_state_put_afinfo(afinfo);
1229         return err;
1230 }
1231 EXPORT_SYMBOL(xfrm_state_sort);
1232 #endif
1233
1234 /* Silly enough, but I'm lazy to build resolution list */
1235
1236 static struct xfrm_state *__xfrm_find_acq_byseq(u32 seq)
1237 {
1238         int i;
1239
1240         for (i = 0; i <= xfrm_state_hmask; i++) {
1241                 struct hlist_node *entry;
1242                 struct xfrm_state *x;
1243
1244                 hlist_for_each_entry(x, entry, xfrm_state_bydst+i, bydst) {
1245                         if (x->km.seq == seq &&
1246                             x->km.state == XFRM_STATE_ACQ) {
1247                                 xfrm_state_hold(x);
1248                                 return x;
1249                         }
1250                 }
1251         }
1252         return NULL;
1253 }
1254
1255 struct xfrm_state *xfrm_find_acq_byseq(u32 seq)
1256 {
1257         struct xfrm_state *x;
1258
1259         spin_lock_bh(&xfrm_state_lock);
1260         x = __xfrm_find_acq_byseq(seq);
1261         spin_unlock_bh(&xfrm_state_lock);
1262         return x;
1263 }
1264 EXPORT_SYMBOL(xfrm_find_acq_byseq);
1265
1266 u32 xfrm_get_acqseq(void)
1267 {
1268         u32 res;
1269         static u32 acqseq;
1270         static DEFINE_SPINLOCK(acqseq_lock);
1271
1272         spin_lock_bh(&acqseq_lock);
1273         res = (++acqseq ? : ++acqseq);
1274         spin_unlock_bh(&acqseq_lock);
1275         return res;
1276 }
1277 EXPORT_SYMBOL(xfrm_get_acqseq);
1278
1279 void
1280 xfrm_alloc_spi(struct xfrm_state *x, __be32 minspi, __be32 maxspi)
1281 {
1282         unsigned int h;
1283         struct xfrm_state *x0;
1284
1285         if (x->id.spi)
1286                 return;
1287
1288         if (minspi == maxspi) {
1289                 x0 = xfrm_state_lookup(&x->id.daddr, minspi, x->id.proto, x->props.family);
1290                 if (x0) {
1291                         xfrm_state_put(x0);
1292                         return;
1293                 }
1294                 x->id.spi = minspi;
1295         } else {
1296                 u32 spi = 0;
1297                 u32 low = ntohl(minspi);
1298                 u32 high = ntohl(maxspi);
1299                 for (h=0; h<high-low+1; h++) {
1300                         spi = low + net_random()%(high-low+1);
1301                         x0 = xfrm_state_lookup(&x->id.daddr, htonl(spi), x->id.proto, x->props.family);
1302                         if (x0 == NULL) {
1303                                 x->id.spi = htonl(spi);
1304                                 break;
1305                         }
1306                         xfrm_state_put(x0);
1307                 }
1308         }
1309         if (x->id.spi) {
1310                 spin_lock_bh(&xfrm_state_lock);
1311                 h = xfrm_spi_hash(&x->id.daddr, x->id.spi, x->id.proto, x->props.family);
1312                 hlist_add_head(&x->byspi, xfrm_state_byspi+h);
1313                 spin_unlock_bh(&xfrm_state_lock);
1314                 wake_up(&km_waitq);
1315         }
1316 }
1317 EXPORT_SYMBOL(xfrm_alloc_spi);
1318
1319 int xfrm_state_walk(u8 proto, int (*func)(struct xfrm_state *, int, void*),
1320                     void *data)
1321 {
1322         int i;
1323         struct xfrm_state *x, *last = NULL;
1324         struct hlist_node *entry;
1325         int count = 0;
1326         int err = 0;
1327
1328         spin_lock_bh(&xfrm_state_lock);
1329         for (i = 0; i <= xfrm_state_hmask; i++) {
1330                 hlist_for_each_entry(x, entry, xfrm_state_bydst+i, bydst) {
1331                         if (!xfrm_id_proto_match(x->id.proto, proto))
1332                                 continue;
1333                         if (last) {
1334                                 err = func(last, count, data);
1335                                 if (err)
1336                                         goto out;
1337                         }
1338                         last = x;
1339                         count++;
1340                 }
1341         }
1342         if (count == 0) {
1343                 err = -ENOENT;
1344                 goto out;
1345         }
1346         err = func(last, 0, data);
1347 out:
1348         spin_unlock_bh(&xfrm_state_lock);
1349         return err;
1350 }
1351 EXPORT_SYMBOL(xfrm_state_walk);
1352
1353
1354 void xfrm_replay_notify(struct xfrm_state *x, int event)
1355 {
1356         struct km_event c;
1357         /* we send notify messages in case
1358          *  1. we updated on of the sequence numbers, and the seqno difference
1359          *     is at least x->replay_maxdiff, in this case we also update the
1360          *     timeout of our timer function
1361          *  2. if x->replay_maxage has elapsed since last update,
1362          *     and there were changes
1363          *
1364          *  The state structure must be locked!
1365          */
1366
1367         switch (event) {
1368         case XFRM_REPLAY_UPDATE:
1369                 if (x->replay_maxdiff &&
1370                     (x->replay.seq - x->preplay.seq < x->replay_maxdiff) &&
1371                     (x->replay.oseq - x->preplay.oseq < x->replay_maxdiff)) {
1372                         if (x->xflags & XFRM_TIME_DEFER)
1373                                 event = XFRM_REPLAY_TIMEOUT;
1374                         else
1375                                 return;
1376                 }
1377
1378                 break;
1379
1380         case XFRM_REPLAY_TIMEOUT:
1381                 if ((x->replay.seq == x->preplay.seq) &&
1382                     (x->replay.bitmap == x->preplay.bitmap) &&
1383                     (x->replay.oseq == x->preplay.oseq)) {
1384                         x->xflags |= XFRM_TIME_DEFER;
1385                         return;
1386                 }
1387
1388                 break;
1389         }
1390
1391         memcpy(&x->preplay, &x->replay, sizeof(struct xfrm_replay_state));
1392         c.event = XFRM_MSG_NEWAE;
1393         c.data.aevent = event;
1394         km_state_notify(x, &c);
1395
1396         if (x->replay_maxage &&
1397             !mod_timer(&x->rtimer, jiffies + x->replay_maxage))
1398                 x->xflags &= ~XFRM_TIME_DEFER;
1399 }
1400
1401 static void xfrm_replay_timer_handler(unsigned long data)
1402 {
1403         struct xfrm_state *x = (struct xfrm_state*)data;
1404
1405         spin_lock(&x->lock);
1406
1407         if (x->km.state == XFRM_STATE_VALID) {
1408                 if (xfrm_aevent_is_on())
1409                         xfrm_replay_notify(x, XFRM_REPLAY_TIMEOUT);
1410                 else
1411                         x->xflags |= XFRM_TIME_DEFER;
1412         }
1413
1414         spin_unlock(&x->lock);
1415 }
1416
1417 int xfrm_replay_check(struct xfrm_state *x, __be32 net_seq)
1418 {
1419         u32 diff;
1420         u32 seq = ntohl(net_seq);
1421
1422         if (unlikely(seq == 0))
1423                 return -EINVAL;
1424
1425         if (likely(seq > x->replay.seq))
1426                 return 0;
1427
1428         diff = x->replay.seq - seq;
1429         if (diff >= min_t(unsigned int, x->props.replay_window,
1430                           sizeof(x->replay.bitmap) * 8)) {
1431                 x->stats.replay_window++;
1432                 return -EINVAL;
1433         }
1434
1435         if (x->replay.bitmap & (1U << diff)) {
1436                 x->stats.replay++;
1437                 return -EINVAL;
1438         }
1439         return 0;
1440 }
1441 EXPORT_SYMBOL(xfrm_replay_check);
1442
1443 void xfrm_replay_advance(struct xfrm_state *x, __be32 net_seq)
1444 {
1445         u32 diff;
1446         u32 seq = ntohl(net_seq);
1447
1448         if (seq > x->replay.seq) {
1449                 diff = seq - x->replay.seq;
1450                 if (diff < x->props.replay_window)
1451                         x->replay.bitmap = ((x->replay.bitmap) << diff) | 1;
1452                 else
1453                         x->replay.bitmap = 1;
1454                 x->replay.seq = seq;
1455         } else {
1456                 diff = x->replay.seq - seq;
1457                 x->replay.bitmap |= (1U << diff);
1458         }
1459
1460         if (xfrm_aevent_is_on())
1461                 xfrm_replay_notify(x, XFRM_REPLAY_UPDATE);
1462 }
1463 EXPORT_SYMBOL(xfrm_replay_advance);
1464
1465 static struct list_head xfrm_km_list = LIST_HEAD_INIT(xfrm_km_list);
1466 static DEFINE_RWLOCK(xfrm_km_lock);
1467
1468 void km_policy_notify(struct xfrm_policy *xp, int dir, struct km_event *c)
1469 {
1470         struct xfrm_mgr *km;
1471
1472         read_lock(&xfrm_km_lock);
1473         list_for_each_entry(km, &xfrm_km_list, list)
1474                 if (km->notify_policy)
1475                         km->notify_policy(xp, dir, c);
1476         read_unlock(&xfrm_km_lock);
1477 }
1478
1479 void km_state_notify(struct xfrm_state *x, struct km_event *c)
1480 {
1481         struct xfrm_mgr *km;
1482         read_lock(&xfrm_km_lock);
1483         list_for_each_entry(km, &xfrm_km_list, list)
1484                 if (km->notify)
1485                         km->notify(x, c);
1486         read_unlock(&xfrm_km_lock);
1487 }
1488
1489 EXPORT_SYMBOL(km_policy_notify);
1490 EXPORT_SYMBOL(km_state_notify);
1491
1492 void km_state_expired(struct xfrm_state *x, int hard, u32 pid)
1493 {
1494         struct km_event c;
1495
1496         c.data.hard = hard;
1497         c.pid = pid;
1498         c.event = XFRM_MSG_EXPIRE;
1499         km_state_notify(x, &c);
1500
1501         if (hard)
1502                 wake_up(&km_waitq);
1503 }
1504
1505 EXPORT_SYMBOL(km_state_expired);
1506 /*
1507  * We send to all registered managers regardless of failure
1508  * We are happy with one success
1509 */
1510 int km_query(struct xfrm_state *x, struct xfrm_tmpl *t, struct xfrm_policy *pol)
1511 {
1512         int err = -EINVAL, acqret;
1513         struct xfrm_mgr *km;
1514
1515         read_lock(&xfrm_km_lock);
1516         list_for_each_entry(km, &xfrm_km_list, list) {
1517                 acqret = km->acquire(x, t, pol, XFRM_POLICY_OUT);
1518                 if (!acqret)
1519                         err = acqret;
1520         }
1521         read_unlock(&xfrm_km_lock);
1522         return err;
1523 }
1524 EXPORT_SYMBOL(km_query);
1525
1526 int km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport)
1527 {
1528         int err = -EINVAL;
1529         struct xfrm_mgr *km;
1530
1531         read_lock(&xfrm_km_lock);
1532         list_for_each_entry(km, &xfrm_km_list, list) {
1533                 if (km->new_mapping)
1534                         err = km->new_mapping(x, ipaddr, sport);
1535                 if (!err)
1536                         break;
1537         }
1538         read_unlock(&xfrm_km_lock);
1539         return err;
1540 }
1541 EXPORT_SYMBOL(km_new_mapping);
1542
1543 void km_policy_expired(struct xfrm_policy *pol, int dir, int hard, u32 pid)
1544 {
1545         struct km_event c;
1546
1547         c.data.hard = hard;
1548         c.pid = pid;
1549         c.event = XFRM_MSG_POLEXPIRE;
1550         km_policy_notify(pol, dir, &c);
1551
1552         if (hard)
1553                 wake_up(&km_waitq);
1554 }
1555 EXPORT_SYMBOL(km_policy_expired);
1556
1557 int km_migrate(struct xfrm_selector *sel, u8 dir, u8 type,
1558                struct xfrm_migrate *m, int num_migrate)
1559 {
1560         int err = -EINVAL;
1561         int ret;
1562         struct xfrm_mgr *km;
1563
1564         read_lock(&xfrm_km_lock);
1565         list_for_each_entry(km, &xfrm_km_list, list) {
1566                 if (km->migrate) {
1567                         ret = km->migrate(sel, dir, type, m, num_migrate);
1568                         if (!ret)
1569                                 err = ret;
1570                 }
1571         }
1572         read_unlock(&xfrm_km_lock);
1573         return err;
1574 }
1575 EXPORT_SYMBOL(km_migrate);
1576
1577 int km_report(u8 proto, struct xfrm_selector *sel, xfrm_address_t *addr)
1578 {
1579         int err = -EINVAL;
1580         int ret;
1581         struct xfrm_mgr *km;
1582
1583         read_lock(&xfrm_km_lock);
1584         list_for_each_entry(km, &xfrm_km_list, list) {
1585                 if (km->report) {
1586                         ret = km->report(proto, sel, addr);
1587                         if (!ret)
1588                                 err = ret;
1589                 }
1590         }
1591         read_unlock(&xfrm_km_lock);
1592         return err;
1593 }
1594 EXPORT_SYMBOL(km_report);
1595
1596 int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen)
1597 {
1598         int err;
1599         u8 *data;
1600         struct xfrm_mgr *km;
1601         struct xfrm_policy *pol = NULL;
1602
1603         if (optlen <= 0 || optlen > PAGE_SIZE)
1604                 return -EMSGSIZE;
1605
1606         data = kmalloc(optlen, GFP_KERNEL);
1607         if (!data)
1608                 return -ENOMEM;
1609
1610         err = -EFAULT;
1611         if (copy_from_user(data, optval, optlen))
1612                 goto out;
1613
1614         err = -EINVAL;
1615         read_lock(&xfrm_km_lock);
1616         list_for_each_entry(km, &xfrm_km_list, list) {
1617                 pol = km->compile_policy(sk, optname, data,
1618                                          optlen, &err);
1619                 if (err >= 0)
1620                         break;
1621         }
1622         read_unlock(&xfrm_km_lock);
1623
1624         if (err >= 0) {
1625                 xfrm_sk_policy_insert(sk, err, pol);
1626                 xfrm_pol_put(pol);
1627                 err = 0;
1628         }
1629
1630 out:
1631         kfree(data);
1632         return err;
1633 }
1634 EXPORT_SYMBOL(xfrm_user_policy);
1635
1636 int xfrm_register_km(struct xfrm_mgr *km)
1637 {
1638         write_lock_bh(&xfrm_km_lock);
1639         list_add_tail(&km->list, &xfrm_km_list);
1640         write_unlock_bh(&xfrm_km_lock);
1641         return 0;
1642 }
1643 EXPORT_SYMBOL(xfrm_register_km);
1644
1645 int xfrm_unregister_km(struct xfrm_mgr *km)
1646 {
1647         write_lock_bh(&xfrm_km_lock);
1648         list_del(&km->list);
1649         write_unlock_bh(&xfrm_km_lock);
1650         return 0;
1651 }
1652 EXPORT_SYMBOL(xfrm_unregister_km);
1653
1654 int xfrm_state_register_afinfo(struct xfrm_state_afinfo *afinfo)
1655 {
1656         int err = 0;
1657         if (unlikely(afinfo == NULL))
1658                 return -EINVAL;
1659         if (unlikely(afinfo->family >= NPROTO))
1660                 return -EAFNOSUPPORT;
1661         write_lock_bh(&xfrm_state_afinfo_lock);
1662         if (unlikely(xfrm_state_afinfo[afinfo->family] != NULL))
1663                 err = -ENOBUFS;
1664         else
1665                 xfrm_state_afinfo[afinfo->family] = afinfo;
1666         write_unlock_bh(&xfrm_state_afinfo_lock);
1667         return err;
1668 }
1669 EXPORT_SYMBOL(xfrm_state_register_afinfo);
1670
1671 int xfrm_state_unregister_afinfo(struct xfrm_state_afinfo *afinfo)
1672 {
1673         int err = 0;
1674         if (unlikely(afinfo == NULL))
1675                 return -EINVAL;
1676         if (unlikely(afinfo->family >= NPROTO))
1677                 return -EAFNOSUPPORT;
1678         write_lock_bh(&xfrm_state_afinfo_lock);
1679         if (likely(xfrm_state_afinfo[afinfo->family] != NULL)) {
1680                 if (unlikely(xfrm_state_afinfo[afinfo->family] != afinfo))
1681                         err = -EINVAL;
1682                 else
1683                         xfrm_state_afinfo[afinfo->family] = NULL;
1684         }
1685         write_unlock_bh(&xfrm_state_afinfo_lock);
1686         return err;
1687 }
1688 EXPORT_SYMBOL(xfrm_state_unregister_afinfo);
1689
1690 struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned short family)
1691 {
1692         struct xfrm_state_afinfo *afinfo;
1693         if (unlikely(family >= NPROTO))
1694                 return NULL;
1695         read_lock(&xfrm_state_afinfo_lock);
1696         afinfo = xfrm_state_afinfo[family];
1697         if (unlikely(!afinfo))
1698                 read_unlock(&xfrm_state_afinfo_lock);
1699         return afinfo;
1700 }
1701
1702 void xfrm_state_put_afinfo(struct xfrm_state_afinfo *afinfo)
1703 {
1704         read_unlock(&xfrm_state_afinfo_lock);
1705 }
1706
1707 EXPORT_SYMBOL(xfrm_state_get_afinfo);
1708 EXPORT_SYMBOL(xfrm_state_put_afinfo);
1709
1710 /* Temporarily located here until net/xfrm/xfrm_tunnel.c is created */
1711 void xfrm_state_delete_tunnel(struct xfrm_state *x)
1712 {
1713         if (x->tunnel) {
1714                 struct xfrm_state *t = x->tunnel;
1715
1716                 if (atomic_read(&t->tunnel_users) == 2)
1717                         xfrm_state_delete(t);
1718                 atomic_dec(&t->tunnel_users);
1719                 xfrm_state_put(t);
1720                 x->tunnel = NULL;
1721         }
1722 }
1723 EXPORT_SYMBOL(xfrm_state_delete_tunnel);
1724
1725 int xfrm_state_mtu(struct xfrm_state *x, int mtu)
1726 {
1727         int res;
1728
1729         spin_lock_bh(&x->lock);
1730         if (x->km.state == XFRM_STATE_VALID &&
1731             x->type && x->type->get_mtu)
1732                 res = x->type->get_mtu(x, mtu);
1733         else
1734                 res = mtu - x->props.header_len;
1735         spin_unlock_bh(&x->lock);
1736         return res;
1737 }
1738
1739 int xfrm_init_state(struct xfrm_state *x)
1740 {
1741         struct xfrm_state_afinfo *afinfo;
1742         int family = x->props.family;
1743         int err;
1744
1745         err = -EAFNOSUPPORT;
1746         afinfo = xfrm_state_get_afinfo(family);
1747         if (!afinfo)
1748                 goto error;
1749
1750         err = 0;
1751         if (afinfo->init_flags)
1752                 err = afinfo->init_flags(x);
1753
1754         xfrm_state_put_afinfo(afinfo);
1755
1756         if (err)
1757                 goto error;
1758
1759         err = -EPROTONOSUPPORT;
1760         x->type = xfrm_get_type(x->id.proto, family);
1761         if (x->type == NULL)
1762                 goto error;
1763
1764         err = x->type->init_state(x);
1765         if (err)
1766                 goto error;
1767
1768         x->mode = xfrm_get_mode(x->props.mode, family);
1769         if (x->mode == NULL)
1770                 goto error;
1771
1772         x->km.state = XFRM_STATE_VALID;
1773
1774 error:
1775         return err;
1776 }
1777
1778 EXPORT_SYMBOL(xfrm_init_state);
1779
1780 void __init xfrm_state_init(void)
1781 {
1782         unsigned int sz;
1783
1784         sz = sizeof(struct hlist_head) * 8;
1785
1786         xfrm_state_bydst = xfrm_hash_alloc(sz);
1787         xfrm_state_bysrc = xfrm_hash_alloc(sz);
1788         xfrm_state_byspi = xfrm_hash_alloc(sz);
1789         if (!xfrm_state_bydst || !xfrm_state_bysrc || !xfrm_state_byspi)
1790                 panic("XFRM: Cannot allocate bydst/bysrc/byspi hashes.");
1791         xfrm_state_hmask = ((sz / sizeof(struct hlist_head)) - 1);
1792
1793         INIT_WORK(&xfrm_state_gc_work, xfrm_state_gc_task);
1794 }
1795
1796 #ifdef CONFIG_AUDITSYSCALL
1797 static inline void xfrm_audit_common_stateinfo(struct xfrm_state *x,
1798                                                struct audit_buffer *audit_buf)
1799 {
1800         if (x->security)
1801                 audit_log_format(audit_buf, " sec_alg=%u sec_doi=%u sec_obj=%s",
1802                                  x->security->ctx_alg, x->security->ctx_doi,
1803                                  x->security->ctx_str);
1804
1805         switch(x->props.family) {
1806         case AF_INET:
1807                 audit_log_format(audit_buf, " src=%u.%u.%u.%u dst=%u.%u.%u.%u",
1808                                  NIPQUAD(x->props.saddr.a4),
1809                                  NIPQUAD(x->id.daddr.a4));
1810                 break;
1811         case AF_INET6:
1812                 {
1813                         struct in6_addr saddr6, daddr6;
1814
1815                         memcpy(&saddr6, x->props.saddr.a6,
1816                                 sizeof(struct in6_addr));
1817                         memcpy(&daddr6, x->id.daddr.a6,
1818                                 sizeof(struct in6_addr));
1819                         audit_log_format(audit_buf,
1820                                          " src=" NIP6_FMT " dst=" NIP6_FMT,
1821                                          NIP6(saddr6), NIP6(daddr6));
1822                 }
1823                 break;
1824         }
1825 }
1826
1827 void
1828 xfrm_audit_state_add(struct xfrm_state *x, int result, u32 auid, u32 sid)
1829 {
1830         struct audit_buffer *audit_buf;
1831         extern int audit_enabled;
1832
1833         if (audit_enabled == 0)
1834                 return;
1835         audit_buf = xfrm_audit_start(sid, auid);
1836         if (audit_buf == NULL)
1837                 return;
1838         audit_log_format(audit_buf, " op=SAD-add res=%u",result);
1839         xfrm_audit_common_stateinfo(x, audit_buf);
1840         audit_log_format(audit_buf, " spi=%lu(0x%lx)",
1841                          (unsigned long)x->id.spi, (unsigned long)x->id.spi);
1842         audit_log_end(audit_buf);
1843 }
1844 EXPORT_SYMBOL_GPL(xfrm_audit_state_add);
1845
1846 void
1847 xfrm_audit_state_delete(struct xfrm_state *x, int result, u32 auid, u32 sid)
1848 {
1849         struct audit_buffer *audit_buf;
1850         extern int audit_enabled;
1851
1852         if (audit_enabled == 0)
1853                 return;
1854         audit_buf = xfrm_audit_start(sid, auid);
1855         if (audit_buf == NULL)
1856                 return;
1857         audit_log_format(audit_buf, " op=SAD-delete res=%u",result);
1858         xfrm_audit_common_stateinfo(x, audit_buf);
1859         audit_log_format(audit_buf, " spi=%lu(0x%lx)",
1860                          (unsigned long)x->id.spi, (unsigned long)x->id.spi);
1861         audit_log_end(audit_buf);
1862 }
1863 EXPORT_SYMBOL_GPL(xfrm_audit_state_delete);
1864 #endif /* CONFIG_AUDITSYSCALL */