1 /* xfrm_user.c: User interface to configure xfrm engine.
3 * Copyright (C) 2002 David S. Miller (davem@redhat.com)
7 * Kazunori MIYAZAWA @USAGI
8 * Kunihiro Ishiguro <kunihiro@ipinfusion.com>
13 #include <linux/module.h>
14 #include <linux/kernel.h>
15 #include <linux/types.h>
16 #include <linux/slab.h>
17 #include <linux/socket.h>
18 #include <linux/string.h>
19 #include <linux/net.h>
20 #include <linux/skbuff.h>
21 #include <linux/netlink.h>
22 #include <linux/rtnetlink.h>
23 #include <linux/pfkeyv2.h>
24 #include <linux/ipsec.h>
25 #include <linux/init.h>
26 #include <linux/security.h>
29 #include <asm/uaccess.h>
31 static struct sock *xfrm_nl;
33 static int verify_one_alg(struct rtattr **xfrma, enum xfrm_attr_type_t type)
35 struct rtattr *rt = xfrma[type - 1];
36 struct xfrm_algo *algp;
42 len = (rt->rta_len - sizeof(*rt)) - sizeof(*algp);
48 len -= (algp->alg_key_len + 7U) / 8;
54 if (!algp->alg_key_len &&
55 strcmp(algp->alg_name, "digest_null") != 0)
60 if (!algp->alg_key_len &&
61 strcmp(algp->alg_name, "cipher_null") != 0)
66 /* Zero length keys are legal. */
73 algp->alg_name[CRYPTO_MAX_ALG_NAME - 1] = '\0';
77 static int verify_encap_tmpl(struct rtattr **xfrma)
79 struct rtattr *rt = xfrma[XFRMA_ENCAP - 1];
80 struct xfrm_encap_tmpl *encap;
85 if ((rt->rta_len - sizeof(*rt)) < sizeof(*encap))
91 static int verify_newsa_info(struct xfrm_usersa_info *p,
92 struct rtattr **xfrma)
102 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
114 switch (p->id.proto) {
116 if (!xfrma[XFRMA_ALG_AUTH-1] ||
117 xfrma[XFRMA_ALG_CRYPT-1] ||
118 xfrma[XFRMA_ALG_COMP-1])
123 if ((!xfrma[XFRMA_ALG_AUTH-1] &&
124 !xfrma[XFRMA_ALG_CRYPT-1]) ||
125 xfrma[XFRMA_ALG_COMP-1])
130 if (!xfrma[XFRMA_ALG_COMP-1] ||
131 xfrma[XFRMA_ALG_AUTH-1] ||
132 xfrma[XFRMA_ALG_CRYPT-1])
140 if ((err = verify_one_alg(xfrma, XFRMA_ALG_AUTH)))
142 if ((err = verify_one_alg(xfrma, XFRMA_ALG_CRYPT)))
144 if ((err = verify_one_alg(xfrma, XFRMA_ALG_COMP)))
146 if ((err = verify_encap_tmpl(xfrma)))
165 static int attach_one_algo(struct xfrm_algo **algpp, u8 *props,
166 struct xfrm_algo_desc *(*get_byname)(char *, int),
167 struct rtattr *u_arg)
169 struct rtattr *rta = u_arg;
170 struct xfrm_algo *p, *ualg;
171 struct xfrm_algo_desc *algo;
177 ualg = RTA_DATA(rta);
179 algo = get_byname(ualg->alg_name, 1);
182 *props = algo->desc.sadb_alg_id;
184 len = sizeof(*ualg) + (ualg->alg_key_len + 7U) / 8;
185 p = kmalloc(len, GFP_KERNEL);
189 memcpy(p, ualg, len);
194 static int attach_encap_tmpl(struct xfrm_encap_tmpl **encapp, struct rtattr *u_arg)
196 struct rtattr *rta = u_arg;
197 struct xfrm_encap_tmpl *p, *uencap;
202 uencap = RTA_DATA(rta);
203 p = kmalloc(sizeof(*p), GFP_KERNEL);
207 memcpy(p, uencap, sizeof(*p));
212 static void copy_from_user_state(struct xfrm_state *x, struct xfrm_usersa_info *p)
214 memcpy(&x->id, &p->id, sizeof(x->id));
215 memcpy(&x->sel, &p->sel, sizeof(x->sel));
216 memcpy(&x->lft, &p->lft, sizeof(x->lft));
217 x->props.mode = p->mode;
218 x->props.replay_window = p->replay_window;
219 x->props.reqid = p->reqid;
220 x->props.family = p->family;
221 x->props.saddr = p->saddr;
222 x->props.flags = p->flags;
225 static struct xfrm_state *xfrm_state_construct(struct xfrm_usersa_info *p,
226 struct rtattr **xfrma,
229 struct xfrm_state *x = xfrm_state_alloc();
235 copy_from_user_state(x, p);
237 if ((err = attach_one_algo(&x->aalg, &x->props.aalgo,
238 xfrm_aalg_get_byname,
239 xfrma[XFRMA_ALG_AUTH-1])))
241 if ((err = attach_one_algo(&x->ealg, &x->props.ealgo,
242 xfrm_ealg_get_byname,
243 xfrma[XFRMA_ALG_CRYPT-1])))
245 if ((err = attach_one_algo(&x->calg, &x->props.calgo,
246 xfrm_calg_get_byname,
247 xfrma[XFRMA_ALG_COMP-1])))
249 if ((err = attach_encap_tmpl(&x->encap, xfrma[XFRMA_ENCAP-1])))
253 x->type = xfrm_get_type(x->id.proto, x->props.family);
257 err = x->type->init_state(x, NULL);
261 x->curlft.add_time = (unsigned long) xtime.tv_sec;
262 x->km.state = XFRM_STATE_VALID;
268 x->km.state = XFRM_STATE_DEAD;
275 static int xfrm_add_sa(struct sk_buff *skb, struct nlmsghdr *nlh, void **xfrma)
277 struct xfrm_usersa_info *p = NLMSG_DATA(nlh);
278 struct xfrm_state *x;
282 err = verify_newsa_info(p, (struct rtattr **) xfrma);
286 x = xfrm_state_construct(p, (struct rtattr **) xfrma, &err);
291 if (nlh->nlmsg_type == XFRM_MSG_NEWSA)
292 err = xfrm_state_add(x);
294 err = xfrm_state_update(x);
297 x->km.state = XFRM_STATE_DEAD;
302 c.seq = nlh->nlmsg_seq;
303 c.pid = nlh->nlmsg_pid;
304 if (nlh->nlmsg_type == XFRM_MSG_NEWSA)
305 c.event = XFRM_SAP_ADDED;
307 c.event = XFRM_SAP_UPDATED;
309 km_state_notify(x, &c);
315 static int xfrm_del_sa(struct sk_buff *skb, struct nlmsghdr *nlh, void **xfrma)
317 struct xfrm_state *x;
320 struct xfrm_usersa_id *p = NLMSG_DATA(nlh);
322 x = xfrm_state_lookup(&p->daddr, p->spi, p->proto, p->family);
326 if (xfrm_state_kern(x)) {
331 err = xfrm_state_delete(x);
337 c.seq = nlh->nlmsg_seq;
338 c.pid = nlh->nlmsg_pid;
339 c.event = XFRM_SAP_DELETED;
340 km_state_notify(x, &c);
346 static void copy_to_user_state(struct xfrm_state *x, struct xfrm_usersa_info *p)
348 memcpy(&p->id, &x->id, sizeof(p->id));
349 memcpy(&p->sel, &x->sel, sizeof(p->sel));
350 memcpy(&p->lft, &x->lft, sizeof(p->lft));
351 memcpy(&p->curlft, &x->curlft, sizeof(p->curlft));
352 memcpy(&p->stats, &x->stats, sizeof(p->stats));
353 p->saddr = x->props.saddr;
354 p->mode = x->props.mode;
355 p->replay_window = x->props.replay_window;
356 p->reqid = x->props.reqid;
357 p->family = x->props.family;
358 p->flags = x->props.flags;
362 struct xfrm_dump_info {
363 struct sk_buff *in_skb;
364 struct sk_buff *out_skb;
371 static int dump_one_state(struct xfrm_state *x, int count, void *ptr)
373 struct xfrm_dump_info *sp = ptr;
374 struct sk_buff *in_skb = sp->in_skb;
375 struct sk_buff *skb = sp->out_skb;
376 struct xfrm_usersa_info *p;
377 struct nlmsghdr *nlh;
378 unsigned char *b = skb->tail;
380 if (sp->this_idx < sp->start_idx)
383 nlh = NLMSG_PUT(skb, NETLINK_CB(in_skb).pid,
385 XFRM_MSG_NEWSA, sizeof(*p));
386 nlh->nlmsg_flags = sp->nlmsg_flags;
389 copy_to_user_state(x, p);
392 RTA_PUT(skb, XFRMA_ALG_AUTH,
393 sizeof(*(x->aalg))+(x->aalg->alg_key_len+7)/8, x->aalg);
395 RTA_PUT(skb, XFRMA_ALG_CRYPT,
396 sizeof(*(x->ealg))+(x->ealg->alg_key_len+7)/8, x->ealg);
398 RTA_PUT(skb, XFRMA_ALG_COMP, sizeof(*(x->calg)), x->calg);
401 RTA_PUT(skb, XFRMA_ENCAP, sizeof(*x->encap), x->encap);
403 nlh->nlmsg_len = skb->tail - b;
410 skb_trim(skb, b - skb->data);
414 static int xfrm_dump_sa(struct sk_buff *skb, struct netlink_callback *cb)
416 struct xfrm_dump_info info;
418 info.in_skb = cb->skb;
420 info.nlmsg_seq = cb->nlh->nlmsg_seq;
421 info.nlmsg_flags = NLM_F_MULTI;
423 info.start_idx = cb->args[0];
424 (void) xfrm_state_walk(IPSEC_PROTO_ANY, dump_one_state, &info);
425 cb->args[0] = info.this_idx;
430 static struct sk_buff *xfrm_state_netlink(struct sk_buff *in_skb,
431 struct xfrm_state *x, u32 seq)
433 struct xfrm_dump_info info;
436 skb = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
438 return ERR_PTR(-ENOMEM);
440 NETLINK_CB(skb).dst_pid = NETLINK_CB(in_skb).pid;
441 info.in_skb = in_skb;
443 info.nlmsg_seq = seq;
444 info.nlmsg_flags = 0;
445 info.this_idx = info.start_idx = 0;
447 if (dump_one_state(x, 0, &info)) {
455 static int xfrm_get_sa(struct sk_buff *skb, struct nlmsghdr *nlh, void **xfrma)
457 struct xfrm_usersa_id *p = NLMSG_DATA(nlh);
458 struct xfrm_state *x;
459 struct sk_buff *resp_skb;
462 x = xfrm_state_lookup(&p->daddr, p->spi, p->proto, p->family);
467 resp_skb = xfrm_state_netlink(skb, x, nlh->nlmsg_seq);
468 if (IS_ERR(resp_skb)) {
469 err = PTR_ERR(resp_skb);
471 err = netlink_unicast(xfrm_nl, resp_skb,
472 NETLINK_CB(skb).pid, MSG_DONTWAIT);
479 static int verify_userspi_info(struct xfrm_userspi_info *p)
481 switch (p->info.id.proto) {
487 /* IPCOMP spi is 16-bits. */
488 if (p->max >= 0x10000)
502 static int xfrm_alloc_userspi(struct sk_buff *skb, struct nlmsghdr *nlh, void **xfrma)
504 struct xfrm_state *x;
505 struct xfrm_userspi_info *p;
506 struct sk_buff *resp_skb;
507 xfrm_address_t *daddr;
512 err = verify_userspi_info(p);
516 family = p->info.family;
517 daddr = &p->info.id.daddr;
521 x = xfrm_find_acq_byseq(p->info.seq);
522 if (x && xfrm_addr_cmp(&x->id.daddr, daddr, family)) {
529 x = xfrm_find_acq(p->info.mode, p->info.reqid,
530 p->info.id.proto, daddr,
537 resp_skb = ERR_PTR(-ENOENT);
539 spin_lock_bh(&x->lock);
540 if (x->km.state != XFRM_STATE_DEAD) {
541 xfrm_alloc_spi(x, htonl(p->min), htonl(p->max));
543 resp_skb = xfrm_state_netlink(skb, x, nlh->nlmsg_seq);
545 spin_unlock_bh(&x->lock);
547 if (IS_ERR(resp_skb)) {
548 err = PTR_ERR(resp_skb);
552 err = netlink_unicast(xfrm_nl, resp_skb,
553 NETLINK_CB(skb).pid, MSG_DONTWAIT);
561 static int verify_policy_dir(__u8 dir)
565 case XFRM_POLICY_OUT:
566 case XFRM_POLICY_FWD:
576 static int verify_newpolicy_info(struct xfrm_userpolicy_info *p)
580 case XFRM_SHARE_SESSION:
581 case XFRM_SHARE_USER:
582 case XFRM_SHARE_UNIQUE:
590 case XFRM_POLICY_ALLOW:
591 case XFRM_POLICY_BLOCK:
598 switch (p->sel.family) {
603 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
606 return -EAFNOSUPPORT;
613 return verify_policy_dir(p->dir);
616 static void copy_templates(struct xfrm_policy *xp, struct xfrm_user_tmpl *ut,
622 for (i = 0; i < nr; i++, ut++) {
623 struct xfrm_tmpl *t = &xp->xfrm_vec[i];
625 memcpy(&t->id, &ut->id, sizeof(struct xfrm_id));
626 memcpy(&t->saddr, &ut->saddr,
627 sizeof(xfrm_address_t));
628 t->reqid = ut->reqid;
630 t->share = ut->share;
631 t->optional = ut->optional;
632 t->aalgos = ut->aalgos;
633 t->ealgos = ut->ealgos;
634 t->calgos = ut->calgos;
638 static int copy_from_user_tmpl(struct xfrm_policy *pol, struct rtattr **xfrma)
640 struct rtattr *rt = xfrma[XFRMA_TMPL-1];
641 struct xfrm_user_tmpl *utmpl;
647 nr = (rt->rta_len - sizeof(*rt)) / sizeof(*utmpl);
649 if (nr > XFRM_MAX_DEPTH)
652 copy_templates(pol, RTA_DATA(rt), nr);
657 static void copy_from_user_policy(struct xfrm_policy *xp, struct xfrm_userpolicy_info *p)
659 xp->priority = p->priority;
660 xp->index = p->index;
661 memcpy(&xp->selector, &p->sel, sizeof(xp->selector));
662 memcpy(&xp->lft, &p->lft, sizeof(xp->lft));
663 xp->action = p->action;
664 xp->flags = p->flags;
665 xp->family = p->sel.family;
666 /* XXX xp->share = p->share; */
669 static void copy_to_user_policy(struct xfrm_policy *xp, struct xfrm_userpolicy_info *p, int dir)
671 memcpy(&p->sel, &xp->selector, sizeof(p->sel));
672 memcpy(&p->lft, &xp->lft, sizeof(p->lft));
673 memcpy(&p->curlft, &xp->curlft, sizeof(p->curlft));
674 p->priority = xp->priority;
675 p->index = xp->index;
676 p->sel.family = xp->family;
678 p->action = xp->action;
679 p->flags = xp->flags;
680 p->share = XFRM_SHARE_ANY; /* XXX xp->share */
683 static struct xfrm_policy *xfrm_policy_construct(struct xfrm_userpolicy_info *p, struct rtattr **xfrma, int *errp)
685 struct xfrm_policy *xp = xfrm_policy_alloc(GFP_KERNEL);
693 copy_from_user_policy(xp, p);
694 err = copy_from_user_tmpl(xp, xfrma);
704 static int xfrm_add_policy(struct sk_buff *skb, struct nlmsghdr *nlh, void **xfrma)
706 struct xfrm_userpolicy_info *p = NLMSG_DATA(nlh);
707 struct xfrm_policy *xp;
712 err = verify_newpolicy_info(p);
716 xp = xfrm_policy_construct(p, (struct rtattr **) xfrma, &err);
720 /* shouldnt excl be based on nlh flags??
721 * Aha! this is anti-netlink really i.e more pfkey derived
722 * in netlink excl is a flag and you wouldnt need
723 * a type XFRM_MSG_UPDPOLICY - JHS */
724 excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY;
725 err = xfrm_policy_insert(p->dir, xp, excl);
732 c.event = XFRM_SAP_UPDATED;
734 c.event = XFRM_SAP_ADDED;
736 c.seq = nlh->nlmsg_seq;
737 c.pid = nlh->nlmsg_pid;
738 km_policy_notify(xp, p->dir, &c);
745 static int copy_to_user_tmpl(struct xfrm_policy *xp, struct sk_buff *skb)
747 struct xfrm_user_tmpl vec[XFRM_MAX_DEPTH];
750 if (xp->xfrm_nr == 0)
753 for (i = 0; i < xp->xfrm_nr; i++) {
754 struct xfrm_user_tmpl *up = &vec[i];
755 struct xfrm_tmpl *kp = &xp->xfrm_vec[i];
757 memcpy(&up->id, &kp->id, sizeof(up->id));
758 up->family = xp->family;
759 memcpy(&up->saddr, &kp->saddr, sizeof(up->saddr));
760 up->reqid = kp->reqid;
762 up->share = kp->share;
763 up->optional = kp->optional;
764 up->aalgos = kp->aalgos;
765 up->ealgos = kp->ealgos;
766 up->calgos = kp->calgos;
768 RTA_PUT(skb, XFRMA_TMPL,
769 (sizeof(struct xfrm_user_tmpl) * xp->xfrm_nr),
778 static int dump_one_policy(struct xfrm_policy *xp, int dir, int count, void *ptr)
780 struct xfrm_dump_info *sp = ptr;
781 struct xfrm_userpolicy_info *p;
782 struct sk_buff *in_skb = sp->in_skb;
783 struct sk_buff *skb = sp->out_skb;
784 struct nlmsghdr *nlh;
785 unsigned char *b = skb->tail;
787 if (sp->this_idx < sp->start_idx)
790 nlh = NLMSG_PUT(skb, NETLINK_CB(in_skb).pid,
792 XFRM_MSG_NEWPOLICY, sizeof(*p));
794 nlh->nlmsg_flags = sp->nlmsg_flags;
796 copy_to_user_policy(xp, p, dir);
797 if (copy_to_user_tmpl(xp, skb) < 0)
800 nlh->nlmsg_len = skb->tail - b;
806 skb_trim(skb, b - skb->data);
810 static int xfrm_dump_policy(struct sk_buff *skb, struct netlink_callback *cb)
812 struct xfrm_dump_info info;
814 info.in_skb = cb->skb;
816 info.nlmsg_seq = cb->nlh->nlmsg_seq;
817 info.nlmsg_flags = NLM_F_MULTI;
819 info.start_idx = cb->args[0];
820 (void) xfrm_policy_walk(dump_one_policy, &info);
821 cb->args[0] = info.this_idx;
826 static struct sk_buff *xfrm_policy_netlink(struct sk_buff *in_skb,
827 struct xfrm_policy *xp,
830 struct xfrm_dump_info info;
833 skb = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
835 return ERR_PTR(-ENOMEM);
837 NETLINK_CB(skb).dst_pid = NETLINK_CB(in_skb).pid;
838 info.in_skb = in_skb;
840 info.nlmsg_seq = seq;
841 info.nlmsg_flags = 0;
842 info.this_idx = info.start_idx = 0;
844 if (dump_one_policy(xp, dir, 0, &info) < 0) {
852 static int xfrm_get_policy(struct sk_buff *skb, struct nlmsghdr *nlh, void **xfrma)
854 struct xfrm_policy *xp;
855 struct xfrm_userpolicy_id *p;
861 delete = nlh->nlmsg_type == XFRM_MSG_DELPOLICY;
863 err = verify_policy_dir(p->dir);
868 xp = xfrm_policy_byid(p->dir, p->index, delete);
870 xp = xfrm_policy_bysel(p->dir, &p->sel, delete);
875 struct sk_buff *resp_skb;
877 resp_skb = xfrm_policy_netlink(skb, xp, p->dir, nlh->nlmsg_seq);
878 if (IS_ERR(resp_skb)) {
879 err = PTR_ERR(resp_skb);
881 err = netlink_unicast(xfrm_nl, resp_skb,
886 c.event = XFRM_SAP_DELETED;
887 c.seq = nlh->nlmsg_seq;
888 c.pid = nlh->nlmsg_pid;
889 km_policy_notify(xp, p->dir, &c);
897 static int xfrm_flush_sa(struct sk_buff *skb, struct nlmsghdr *nlh, void **xfrma)
900 struct xfrm_usersa_flush *p = NLMSG_DATA(nlh);
902 xfrm_state_flush(p->proto);
904 c.event = XFRM_SAP_FLUSHED;
905 c.seq = nlh->nlmsg_seq;
906 c.pid = nlh->nlmsg_pid;
907 km_state_notify(NULL, &c);
912 static int xfrm_flush_policy(struct sk_buff *skb, struct nlmsghdr *nlh, void **xfrma)
917 c.event = XFRM_SAP_FLUSHED;
918 c.seq = nlh->nlmsg_seq;
919 c.pid = nlh->nlmsg_pid;
920 km_policy_notify(NULL, 0, &c);
924 #define XMSGSIZE(type) NLMSG_LENGTH(sizeof(struct type))
926 static const int xfrm_msg_min[XFRM_NR_MSGTYPES] = {
927 [XFRM_MSG_NEWSA - XFRM_MSG_BASE] = XMSGSIZE(xfrm_usersa_info),
928 [XFRM_MSG_DELSA - XFRM_MSG_BASE] = XMSGSIZE(xfrm_usersa_id),
929 [XFRM_MSG_GETSA - XFRM_MSG_BASE] = XMSGSIZE(xfrm_usersa_id),
930 [XFRM_MSG_NEWPOLICY - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_info),
931 [XFRM_MSG_DELPOLICY - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_id),
932 [XFRM_MSG_GETPOLICY - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_id),
933 [XFRM_MSG_ALLOCSPI - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userspi_info),
934 [XFRM_MSG_ACQUIRE - XFRM_MSG_BASE] = XMSGSIZE(xfrm_user_acquire),
935 [XFRM_MSG_EXPIRE - XFRM_MSG_BASE] = XMSGSIZE(xfrm_user_expire),
936 [XFRM_MSG_UPDPOLICY - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_info),
937 [XFRM_MSG_UPDSA - XFRM_MSG_BASE] = XMSGSIZE(xfrm_usersa_info),
938 [XFRM_MSG_POLEXPIRE - XFRM_MSG_BASE] = XMSGSIZE(xfrm_user_polexpire),
939 [XFRM_MSG_FLUSHSA - XFRM_MSG_BASE] = XMSGSIZE(xfrm_usersa_flush),
940 [XFRM_MSG_FLUSHPOLICY - XFRM_MSG_BASE] = NLMSG_LENGTH(0),
945 static struct xfrm_link {
946 int (*doit)(struct sk_buff *, struct nlmsghdr *, void **);
947 int (*dump)(struct sk_buff *, struct netlink_callback *);
948 } xfrm_dispatch[XFRM_NR_MSGTYPES] = {
949 [XFRM_MSG_NEWSA - XFRM_MSG_BASE] = { .doit = xfrm_add_sa },
950 [XFRM_MSG_DELSA - XFRM_MSG_BASE] = { .doit = xfrm_del_sa },
951 [XFRM_MSG_GETSA - XFRM_MSG_BASE] = { .doit = xfrm_get_sa,
952 .dump = xfrm_dump_sa },
953 [XFRM_MSG_NEWPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_add_policy },
954 [XFRM_MSG_DELPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_get_policy },
955 [XFRM_MSG_GETPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_get_policy,
956 .dump = xfrm_dump_policy },
957 [XFRM_MSG_ALLOCSPI - XFRM_MSG_BASE] = { .doit = xfrm_alloc_userspi },
958 [XFRM_MSG_UPDPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_add_policy },
959 [XFRM_MSG_UPDSA - XFRM_MSG_BASE] = { .doit = xfrm_add_sa },
960 [XFRM_MSG_FLUSHSA - XFRM_MSG_BASE] = { .doit = xfrm_flush_sa },
961 [XFRM_MSG_FLUSHPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_flush_policy },
964 static int xfrm_done(struct netlink_callback *cb)
969 static int xfrm_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh, int *errp)
971 struct rtattr *xfrma[XFRMA_MAX];
972 struct xfrm_link *link;
975 if (!(nlh->nlmsg_flags & NLM_F_REQUEST))
978 type = nlh->nlmsg_type;
980 /* A control message: ignore them */
981 if (type < XFRM_MSG_BASE)
984 /* Unknown message: reply with EINVAL */
985 if (type > XFRM_MSG_MAX)
988 type -= XFRM_MSG_BASE;
989 link = &xfrm_dispatch[type];
991 /* All operations require privileges, even GET */
992 if (security_netlink_recv(skb)) {
997 if ((type == (XFRM_MSG_GETSA - XFRM_MSG_BASE) ||
998 type == (XFRM_MSG_GETPOLICY - XFRM_MSG_BASE)) &&
999 (nlh->nlmsg_flags & NLM_F_DUMP)) {
1002 if (link->dump == NULL)
1005 if ((*errp = netlink_dump_start(xfrm_nl, skb, nlh,
1010 rlen = NLMSG_ALIGN(nlh->nlmsg_len);
1011 if (rlen > skb->len)
1013 skb_pull(skb, rlen);
1017 memset(xfrma, 0, sizeof(xfrma));
1019 if (nlh->nlmsg_len < (min_len = xfrm_msg_min[type]))
1022 if (nlh->nlmsg_len > min_len) {
1023 int attrlen = nlh->nlmsg_len - NLMSG_ALIGN(min_len);
1024 struct rtattr *attr = (void *) nlh + NLMSG_ALIGN(min_len);
1026 while (RTA_OK(attr, attrlen)) {
1027 unsigned short flavor = attr->rta_type;
1029 if (flavor > XFRMA_MAX)
1031 xfrma[flavor - 1] = attr;
1033 attr = RTA_NEXT(attr, attrlen);
1037 if (link->doit == NULL)
1039 *errp = link->doit(skb, nlh, (void **) &xfrma);
1048 static int xfrm_user_rcv_skb(struct sk_buff *skb)
1051 struct nlmsghdr *nlh;
1053 while (skb->len >= NLMSG_SPACE(0)) {
1056 nlh = (struct nlmsghdr *) skb->data;
1057 if (nlh->nlmsg_len < sizeof(*nlh) ||
1058 skb->len < nlh->nlmsg_len)
1060 rlen = NLMSG_ALIGN(nlh->nlmsg_len);
1061 if (rlen > skb->len)
1063 if (xfrm_user_rcv_msg(skb, nlh, &err) < 0) {
1066 netlink_ack(skb, nlh, err);
1067 } else if (nlh->nlmsg_flags & NLM_F_ACK)
1068 netlink_ack(skb, nlh, 0);
1069 skb_pull(skb, rlen);
1075 static void xfrm_netlink_rcv(struct sock *sk, int len)
1077 unsigned int qlen = skb_queue_len(&sk->sk_receive_queue);
1080 struct sk_buff *skb;
1082 down(&xfrm_cfg_sem);
1084 if (qlen > skb_queue_len(&sk->sk_receive_queue))
1085 qlen = skb_queue_len(&sk->sk_receive_queue);
1087 for (; qlen; qlen--) {
1088 skb = skb_dequeue(&sk->sk_receive_queue);
1089 if (xfrm_user_rcv_skb(skb)) {
1091 skb_queue_head(&sk->sk_receive_queue,
1107 static int build_expire(struct sk_buff *skb, struct xfrm_state *x, int hard)
1109 struct xfrm_user_expire *ue;
1110 struct nlmsghdr *nlh;
1111 unsigned char *b = skb->tail;
1113 nlh = NLMSG_PUT(skb, 0, 0, XFRM_MSG_EXPIRE,
1115 ue = NLMSG_DATA(nlh);
1116 nlh->nlmsg_flags = 0;
1118 copy_to_user_state(x, &ue->state);
1119 ue->hard = (hard != 0) ? 1 : 0;
1121 nlh->nlmsg_len = skb->tail - b;
1125 skb_trim(skb, b - skb->data);
1129 static int xfrm_exp_state_notify(struct xfrm_state *x, struct km_event *c)
1131 struct sk_buff *skb;
1132 int hard = c ->data;
1134 /* fix to do alloc using NLM macros */
1135 skb = alloc_skb(sizeof(struct xfrm_user_expire) + 16, GFP_ATOMIC);
1139 if (build_expire(skb, x, hard) < 0)
1142 NETLINK_CB(skb).dst_groups = XFRMGRP_EXPIRE;
1144 return netlink_broadcast(xfrm_nl, skb, 0, XFRMGRP_EXPIRE, GFP_ATOMIC);
1147 static int xfrm_notify_sa_flush(struct km_event *c)
1149 struct xfrm_usersa_flush *p;
1150 struct nlmsghdr *nlh;
1151 struct sk_buff *skb;
1153 int len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_flush));
1155 skb = alloc_skb(len, GFP_ATOMIC);
1160 nlh = NLMSG_PUT(skb, c->pid, c->seq,
1161 XFRM_MSG_FLUSHSA, sizeof(*p));
1162 nlh->nlmsg_flags = 0;
1164 p = NLMSG_DATA(nlh);
1167 nlh->nlmsg_len = skb->tail - b;
1169 return netlink_broadcast(xfrm_nl, skb, 0, XFRMGRP_SA, GFP_ATOMIC);
1176 static int inline xfrm_sa_len(struct xfrm_state *x)
1178 int l = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
1180 l += RTA_SPACE(sizeof(*x->aalg) + (x->aalg->alg_key_len+7)/8);
1182 l += RTA_SPACE(sizeof(*x->ealg) + (x->ealg->alg_key_len+7)/8);
1184 l += RTA_SPACE(sizeof(*x->calg));
1186 l += RTA_SPACE(sizeof(*x->encap));
1191 static int xfrm_notify_sa(struct xfrm_state *x, struct km_event *c)
1193 struct xfrm_usersa_info *p;
1194 struct nlmsghdr *nlh;
1195 struct sk_buff *skb;
1198 int len = xfrm_sa_len(x);
1200 skb = alloc_skb(len, GFP_ATOMIC);
1205 if (c->event == XFRM_SAP_ADDED)
1206 nlt = XFRM_MSG_NEWSA;
1207 else if (c->event == XFRM_SAP_UPDATED)
1208 nlt = XFRM_MSG_UPDSA;
1209 else if (c->event == XFRM_SAP_DELETED)
1210 nlt = XFRM_MSG_DELSA;
1214 nlh = NLMSG_PUT(skb, c->pid, c->seq, nlt, sizeof(*p));
1215 nlh->nlmsg_flags = 0;
1217 p = NLMSG_DATA(nlh);
1218 copy_to_user_state(x, p);
1221 RTA_PUT(skb, XFRMA_ALG_AUTH,
1222 sizeof(*(x->aalg))+(x->aalg->alg_key_len+7)/8, x->aalg);
1224 RTA_PUT(skb, XFRMA_ALG_CRYPT,
1225 sizeof(*(x->ealg))+(x->ealg->alg_key_len+7)/8, x->ealg);
1227 RTA_PUT(skb, XFRMA_ALG_COMP, sizeof(*(x->calg)), x->calg);
1230 RTA_PUT(skb, XFRMA_ENCAP, sizeof(*x->encap), x->encap);
1232 nlh->nlmsg_len = skb->tail - b;
1234 return netlink_broadcast(xfrm_nl, skb, 0, XFRMGRP_SA, GFP_ATOMIC);
1242 static int xfrm_send_state_notify(struct xfrm_state *x, struct km_event *c)
1246 case XFRM_SAP_EXPIRED:
1247 return xfrm_exp_state_notify(x, c);
1248 case XFRM_SAP_DELETED:
1249 case XFRM_SAP_UPDATED:
1250 case XFRM_SAP_ADDED:
1251 return xfrm_notify_sa(x, c);
1252 case XFRM_SAP_FLUSHED:
1253 return xfrm_notify_sa_flush(c);
1255 printk("xfrm_user: Unknown SA event %d\n", c->event);
1263 static int build_acquire(struct sk_buff *skb, struct xfrm_state *x,
1264 struct xfrm_tmpl *xt, struct xfrm_policy *xp,
1267 struct xfrm_user_acquire *ua;
1268 struct nlmsghdr *nlh;
1269 unsigned char *b = skb->tail;
1270 __u32 seq = xfrm_get_acqseq();
1272 nlh = NLMSG_PUT(skb, 0, 0, XFRM_MSG_ACQUIRE,
1274 ua = NLMSG_DATA(nlh);
1275 nlh->nlmsg_flags = 0;
1277 memcpy(&ua->id, &x->id, sizeof(ua->id));
1278 memcpy(&ua->saddr, &x->props.saddr, sizeof(ua->saddr));
1279 memcpy(&ua->sel, &x->sel, sizeof(ua->sel));
1280 copy_to_user_policy(xp, &ua->policy, dir);
1281 ua->aalgos = xt->aalgos;
1282 ua->ealgos = xt->ealgos;
1283 ua->calgos = xt->calgos;
1284 ua->seq = x->km.seq = seq;
1286 if (copy_to_user_tmpl(xp, skb) < 0)
1289 nlh->nlmsg_len = skb->tail - b;
1293 skb_trim(skb, b - skb->data);
1297 static int xfrm_send_acquire(struct xfrm_state *x, struct xfrm_tmpl *xt,
1298 struct xfrm_policy *xp, int dir)
1300 struct sk_buff *skb;
1303 len = RTA_SPACE(sizeof(struct xfrm_user_tmpl) * xp->xfrm_nr);
1304 len += NLMSG_SPACE(sizeof(struct xfrm_user_acquire));
1305 skb = alloc_skb(len, GFP_ATOMIC);
1309 if (build_acquire(skb, x, xt, xp, dir) < 0)
1312 NETLINK_CB(skb).dst_groups = XFRMGRP_ACQUIRE;
1314 return netlink_broadcast(xfrm_nl, skb, 0, XFRMGRP_ACQUIRE, GFP_ATOMIC);
1317 /* User gives us xfrm_user_policy_info followed by an array of 0
1318 * or more templates.
1320 static struct xfrm_policy *xfrm_compile_policy(u16 family, int opt,
1321 u8 *data, int len, int *dir)
1323 struct xfrm_userpolicy_info *p = (struct xfrm_userpolicy_info *)data;
1324 struct xfrm_user_tmpl *ut = (struct xfrm_user_tmpl *) (p + 1);
1325 struct xfrm_policy *xp;
1330 if (opt != IP_XFRM_POLICY) {
1335 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
1337 if (opt != IPV6_XFRM_POLICY) {
1350 if (len < sizeof(*p) ||
1351 verify_newpolicy_info(p))
1354 nr = ((len - sizeof(*p)) / sizeof(*ut));
1355 if (nr > XFRM_MAX_DEPTH)
1358 xp = xfrm_policy_alloc(GFP_KERNEL);
1364 copy_from_user_policy(xp, p);
1365 copy_templates(xp, ut, nr);
1372 static int build_polexpire(struct sk_buff *skb, struct xfrm_policy *xp,
1375 struct xfrm_user_polexpire *upe;
1376 struct nlmsghdr *nlh;
1377 unsigned char *b = skb->tail;
1379 nlh = NLMSG_PUT(skb, 0, 0, XFRM_MSG_POLEXPIRE, sizeof(*upe));
1380 upe = NLMSG_DATA(nlh);
1381 nlh->nlmsg_flags = 0;
1383 copy_to_user_policy(xp, &upe->pol, dir);
1384 if (copy_to_user_tmpl(xp, skb) < 0)
1388 nlh->nlmsg_len = skb->tail - b;
1392 skb_trim(skb, b - skb->data);
1396 static int xfrm_exp_policy_notify(struct xfrm_policy *xp, int dir, struct km_event *c)
1398 struct sk_buff *skb;
1401 len = RTA_SPACE(sizeof(struct xfrm_user_tmpl) * xp->xfrm_nr);
1402 len += NLMSG_SPACE(sizeof(struct xfrm_user_polexpire));
1403 skb = alloc_skb(len, GFP_ATOMIC);
1407 if (build_polexpire(skb, xp, dir, c->data) < 0)
1410 NETLINK_CB(skb).dst_groups = XFRMGRP_EXPIRE;
1412 return netlink_broadcast(xfrm_nl, skb, 0, XFRMGRP_EXPIRE, GFP_ATOMIC);
1415 static int xfrm_notify_policy(struct xfrm_policy *xp, int dir, struct km_event *c)
1417 struct xfrm_userpolicy_info *p;
1418 struct nlmsghdr *nlh;
1419 struct sk_buff *skb;
1422 int len = RTA_SPACE(sizeof(struct xfrm_user_tmpl) * xp->xfrm_nr);
1423 len += NLMSG_SPACE(sizeof(struct xfrm_userpolicy_info));
1425 skb = alloc_skb(len, GFP_ATOMIC);
1430 if (c->event == XFRM_SAP_ADDED)
1431 nlt = XFRM_MSG_NEWPOLICY;
1432 else if (c->event == XFRM_SAP_UPDATED)
1433 nlt = XFRM_MSG_UPDPOLICY;
1434 else if (c->event == XFRM_SAP_DELETED)
1435 nlt = XFRM_MSG_DELPOLICY;
1439 nlh = NLMSG_PUT(skb, c->pid, c->seq, nlt, sizeof(*p));
1441 p = NLMSG_DATA(nlh);
1443 nlh->nlmsg_flags = 0;
1445 copy_to_user_policy(xp, p, dir);
1446 if (copy_to_user_tmpl(xp, skb) < 0)
1449 nlh->nlmsg_len = skb->tail - b;
1451 return netlink_broadcast(xfrm_nl, skb, 0, XFRMGRP_POLICY, GFP_ATOMIC);
1458 static int xfrm_notify_policy_flush(struct km_event *c)
1460 struct nlmsghdr *nlh;
1461 struct sk_buff *skb;
1463 int len = NLMSG_LENGTH(0);
1465 skb = alloc_skb(len, GFP_ATOMIC);
1471 nlh = NLMSG_PUT(skb, c->pid, c->seq, XFRM_MSG_FLUSHPOLICY, 0);
1473 nlh->nlmsg_len = skb->tail - b;
1475 return netlink_broadcast(xfrm_nl, skb, 0, XFRMGRP_POLICY, GFP_ATOMIC);
1482 static int xfrm_send_policy_notify(struct xfrm_policy *xp, int dir, struct km_event *c)
1486 case XFRM_SAP_ADDED:
1487 case XFRM_SAP_UPDATED:
1488 case XFRM_SAP_DELETED:
1489 return xfrm_notify_policy(xp, dir, c);
1490 case XFRM_SAP_FLUSHED:
1491 return xfrm_notify_policy_flush(c);
1492 case XFRM_SAP_EXPIRED:
1493 return xfrm_exp_policy_notify(xp, dir, c);
1495 printk("xfrm_user: Unknown Policy event %d\n", c->event);
1502 static struct xfrm_mgr netlink_mgr = {
1504 .notify = xfrm_send_state_notify,
1505 .acquire = xfrm_send_acquire,
1506 .compile_policy = xfrm_compile_policy,
1507 .notify_policy = xfrm_send_policy_notify,
1510 static int __init xfrm_user_init(void)
1512 printk(KERN_INFO "Initializing IPsec netlink socket\n");
1514 xfrm_nl = netlink_kernel_create(NETLINK_XFRM, xfrm_netlink_rcv);
1515 if (xfrm_nl == NULL)
1518 xfrm_register_km(&netlink_mgr);
1523 static void __exit xfrm_user_exit(void)
1525 xfrm_unregister_km(&netlink_mgr);
1526 sock_release(xfrm_nl->sk_socket);
1529 module_init(xfrm_user_init);
1530 module_exit(xfrm_user_exit);
1531 MODULE_LICENSE("GPL");
projects / linux-2.6-omap-h63xx.git / blob