Line data Source code
1 : /* SPDX-License-Identifier: GPL-2.0 */
2 : #ifndef _NET_XFRM_H
3 : #define _NET_XFRM_H
4 :
5 : #include <linux/compiler.h>
6 : #include <linux/xfrm.h>
7 : #include <linux/spinlock.h>
8 : #include <linux/list.h>
9 : #include <linux/skbuff.h>
10 : #include <linux/socket.h>
11 : #include <linux/pfkeyv2.h>
12 : #include <linux/ipsec.h>
13 : #include <linux/in6.h>
14 : #include <linux/mutex.h>
15 : #include <linux/audit.h>
16 : #include <linux/slab.h>
17 : #include <linux/refcount.h>
18 : #include <linux/sockptr.h>
19 :
20 : #include <net/sock.h>
21 : #include <net/dst.h>
22 : #include <net/ip.h>
23 : #include <net/route.h>
24 : #include <net/ipv6.h>
25 : #include <net/ip6_fib.h>
26 : #include <net/flow.h>
27 : #include <net/gro_cells.h>
28 :
29 : #include <linux/interrupt.h>
30 :
31 : #ifdef CONFIG_XFRM_STATISTICS
32 : #include <net/snmp.h>
33 : #endif
34 :
35 : #define XFRM_PROTO_ESP 50
36 : #define XFRM_PROTO_AH 51
37 : #define XFRM_PROTO_COMP 108
38 : #define XFRM_PROTO_IPIP 4
39 : #define XFRM_PROTO_IPV6 41
40 : #define XFRM_PROTO_ROUTING IPPROTO_ROUTING
41 : #define XFRM_PROTO_DSTOPTS IPPROTO_DSTOPTS
42 :
43 : #define XFRM_ALIGN4(len) (((len) + 3) & ~3)
44 : #define XFRM_ALIGN8(len) (((len) + 7) & ~7)
45 : #define MODULE_ALIAS_XFRM_MODE(family, encap) \
46 : MODULE_ALIAS("xfrm-mode-" __stringify(family) "-" __stringify(encap))
47 : #define MODULE_ALIAS_XFRM_TYPE(family, proto) \
48 : MODULE_ALIAS("xfrm-type-" __stringify(family) "-" __stringify(proto))
49 : #define MODULE_ALIAS_XFRM_OFFLOAD_TYPE(family, proto) \
50 : MODULE_ALIAS("xfrm-offload-" __stringify(family) "-" __stringify(proto))
51 :
52 : #ifdef CONFIG_XFRM_STATISTICS
53 : #define XFRM_INC_STATS(net, field) SNMP_INC_STATS((net)->mib.xfrm_statistics, field)
54 : #else
55 : #define XFRM_INC_STATS(net, field) ((void)(net))
56 : #endif
57 :
58 :
59 : /* Organization of SPD aka "XFRM rules"
60 : ------------------------------------
61 :
62 : Basic objects:
63 : - policy rule, struct xfrm_policy (=SPD entry)
64 : - bundle of transformations, struct dst_entry == struct xfrm_dst (=SA bundle)
65 : - instance of a transformer, struct xfrm_state (=SA)
66 : - template to clone xfrm_state, struct xfrm_tmpl
67 :
68 : SPD is plain linear list of xfrm_policy rules, ordered by priority.
69 : (To be compatible with existing pfkeyv2 implementations,
70 : many rules with priority of 0x7fffffff are allowed to exist and
71 : such rules are ordered in an unpredictable way, thanks to bsd folks.)
72 :
73 : Lookup is plain linear search until the first match with selector.
74 :
75 : If "action" is "block", then we prohibit the flow, otherwise:
76 : if "xfrms_nr" is zero, the flow passes untransformed. Otherwise,
77 : policy entry has list of up to XFRM_MAX_DEPTH transformations,
78 : described by templates xfrm_tmpl. Each template is resolved
79 : to a complete xfrm_state (see below) and we pack bundle of transformations
80 : to a dst_entry returned to requestor.
81 :
82 : dst -. xfrm .-> xfrm_state #1
83 : |---. child .-> dst -. xfrm .-> xfrm_state #2
84 : |---. child .-> dst -. xfrm .-> xfrm_state #3
85 : |---. child .-> NULL
86 :
87 : Bundles are cached at xrfm_policy struct (field ->bundles).
88 :
89 :
90 : Resolution of xrfm_tmpl
91 : -----------------------
92 : Template contains:
93 : 1. ->mode Mode: transport or tunnel
94 : 2. ->id.proto Protocol: AH/ESP/IPCOMP
95 : 3. ->id.daddr Remote tunnel endpoint, ignored for transport mode.
96 : Q: allow to resolve security gateway?
97 : 4. ->id.spi If not zero, static SPI.
98 : 5. ->saddr Local tunnel endpoint, ignored for transport mode.
99 : 6. ->algos List of allowed algos. Plain bitmask now.
100 : Q: ealgos, aalgos, calgos. What a mess...
101 : 7. ->share Sharing mode.
102 : Q: how to implement private sharing mode? To add struct sock* to
103 : flow id?
104 :
105 : Having this template we search through SAD searching for entries
106 : with appropriate mode/proto/algo, permitted by selector.
107 : If no appropriate entry found, it is requested from key manager.
108 :
109 : PROBLEMS:
110 : Q: How to find all the bundles referring to a physical path for
111 : PMTU discovery? Seems, dst should contain list of all parents...
112 : and enter to infinite locking hierarchy disaster.
113 : No! It is easier, we will not search for them, let them find us.
114 : We add genid to each dst plus pointer to genid of raw IP route,
115 : pmtu disc will update pmtu on raw IP route and increase its genid.
116 : dst_check() will see this for top level and trigger resyncing
117 : metrics. Plus, it will be made via sk->sk_dst_cache. Solved.
118 : */
119 :
120 : struct xfrm_state_walk {
121 : struct list_head all;
122 : u8 state;
123 : u8 dying;
124 : u8 proto;
125 : u32 seq;
126 : struct xfrm_address_filter *filter;
127 : };
128 :
129 : struct xfrm_state_offload {
130 : struct net_device *dev;
131 : struct net_device *real_dev;
132 : unsigned long offload_handle;
133 : unsigned int num_exthdrs;
134 : u8 flags;
135 : };
136 :
137 : struct xfrm_mode {
138 : u8 encap;
139 : u8 family;
140 : u8 flags;
141 : };
142 :
143 : /* Flags for xfrm_mode. */
144 : enum {
145 : XFRM_MODE_FLAG_TUNNEL = 1,
146 : };
147 :
148 : /* Full description of state of transformer. */
149 : struct xfrm_state {
150 : possible_net_t xs_net;
151 : union {
152 : struct hlist_node gclist;
153 : struct hlist_node bydst;
154 : };
155 : struct hlist_node bysrc;
156 : struct hlist_node byspi;
157 :
158 : refcount_t refcnt;
159 : spinlock_t lock;
160 :
161 : struct xfrm_id id;
162 : struct xfrm_selector sel;
163 : struct xfrm_mark mark;
164 : u32 if_id;
165 : u32 tfcpad;
166 :
167 : u32 genid;
168 :
169 : /* Key manager bits */
170 : struct xfrm_state_walk km;
171 :
172 : /* Parameters of this state. */
173 : struct {
174 : u32 reqid;
175 : u8 mode;
176 : u8 replay_window;
177 : u8 aalgo, ealgo, calgo;
178 : u8 flags;
179 : u16 family;
180 : xfrm_address_t saddr;
181 : int header_len;
182 : int trailer_len;
183 : u32 extra_flags;
184 : struct xfrm_mark smark;
185 : } props;
186 :
187 : struct xfrm_lifetime_cfg lft;
188 :
189 : /* Data for transformer */
190 : struct xfrm_algo_auth *aalg;
191 : struct xfrm_algo *ealg;
192 : struct xfrm_algo *calg;
193 : struct xfrm_algo_aead *aead;
194 : const char *geniv;
195 :
196 : /* Data for encapsulator */
197 : struct xfrm_encap_tmpl *encap;
198 : struct sock __rcu *encap_sk;
199 :
200 : /* Data for care-of address */
201 : xfrm_address_t *coaddr;
202 :
203 : /* IPComp needs an IPIP tunnel for handling uncompressed packets */
204 : struct xfrm_state *tunnel;
205 :
206 : /* If a tunnel, number of users + 1 */
207 : atomic_t tunnel_users;
208 :
209 : /* State for replay detection */
210 : struct xfrm_replay_state replay;
211 : struct xfrm_replay_state_esn *replay_esn;
212 :
213 : /* Replay detection state at the time we sent the last notification */
214 : struct xfrm_replay_state preplay;
215 : struct xfrm_replay_state_esn *preplay_esn;
216 :
217 : /* The functions for replay detection. */
218 : const struct xfrm_replay *repl;
219 :
220 : /* internal flag that only holds state for delayed aevent at the
221 : * moment
222 : */
223 : u32 xflags;
224 :
225 : /* Replay detection notification settings */
226 : u32 replay_maxage;
227 : u32 replay_maxdiff;
228 :
229 : /* Replay detection notification timer */
230 : struct timer_list rtimer;
231 :
232 : /* Statistics */
233 : struct xfrm_stats stats;
234 :
235 : struct xfrm_lifetime_cur curlft;
236 : struct hrtimer mtimer;
237 :
238 : struct xfrm_state_offload xso;
239 :
240 : /* used to fix curlft->add_time when changing date */
241 : long saved_tmo;
242 :
243 : /* Last used time */
244 : time64_t lastused;
245 :
246 : struct page_frag xfrag;
247 :
248 : /* Reference to data common to all the instances of this
249 : * transformer. */
250 : const struct xfrm_type *type;
251 : struct xfrm_mode inner_mode;
252 : struct xfrm_mode inner_mode_iaf;
253 : struct xfrm_mode outer_mode;
254 :
255 : const struct xfrm_type_offload *type_offload;
256 :
257 : /* Security context */
258 : struct xfrm_sec_ctx *security;
259 :
260 : /* Private data of this transformer, format is opaque,
261 : * interpreted by xfrm_type methods. */
262 : void *data;
263 : };
264 :
265 : static inline struct net *xs_net(struct xfrm_state *x)
266 : {
267 : return read_pnet(&x->xs_net);
268 : }
269 :
270 : /* xflags - make enum if more show up */
271 : #define XFRM_TIME_DEFER 1
272 : #define XFRM_SOFT_EXPIRE 2
273 :
274 : enum {
275 : XFRM_STATE_VOID,
276 : XFRM_STATE_ACQ,
277 : XFRM_STATE_VALID,
278 : XFRM_STATE_ERROR,
279 : XFRM_STATE_EXPIRED,
280 : XFRM_STATE_DEAD
281 : };
282 :
283 : /* callback structure passed from either netlink or pfkey */
284 : struct km_event {
285 : union {
286 : u32 hard;
287 : u32 proto;
288 : u32 byid;
289 : u32 aevent;
290 : u32 type;
291 : } data;
292 :
293 : u32 seq;
294 : u32 portid;
295 : u32 event;
296 : struct net *net;
297 : };
298 :
299 : struct xfrm_replay {
300 : void (*advance)(struct xfrm_state *x, __be32 net_seq);
301 : int (*check)(struct xfrm_state *x,
302 : struct sk_buff *skb,
303 : __be32 net_seq);
304 : int (*recheck)(struct xfrm_state *x,
305 : struct sk_buff *skb,
306 : __be32 net_seq);
307 : void (*notify)(struct xfrm_state *x, int event);
308 : int (*overflow)(struct xfrm_state *x, struct sk_buff *skb);
309 : };
310 :
311 : struct xfrm_if_cb {
312 : struct xfrm_if *(*decode_session)(struct sk_buff *skb,
313 : unsigned short family);
314 : };
315 :
316 : void xfrm_if_register_cb(const struct xfrm_if_cb *ifcb);
317 : void xfrm_if_unregister_cb(void);
318 :
319 : struct net_device;
320 : struct xfrm_type;
321 : struct xfrm_dst;
322 : struct xfrm_policy_afinfo {
323 : struct dst_ops *dst_ops;
324 : struct dst_entry *(*dst_lookup)(struct net *net,
325 : int tos, int oif,
326 : const xfrm_address_t *saddr,
327 : const xfrm_address_t *daddr,
328 : u32 mark);
329 : int (*get_saddr)(struct net *net, int oif,
330 : xfrm_address_t *saddr,
331 : xfrm_address_t *daddr,
332 : u32 mark);
333 : int (*fill_dst)(struct xfrm_dst *xdst,
334 : struct net_device *dev,
335 : const struct flowi *fl);
336 : struct dst_entry *(*blackhole_route)(struct net *net, struct dst_entry *orig);
337 : };
338 :
339 : int xfrm_policy_register_afinfo(const struct xfrm_policy_afinfo *afinfo, int family);
340 : void xfrm_policy_unregister_afinfo(const struct xfrm_policy_afinfo *afinfo);
341 : void km_policy_notify(struct xfrm_policy *xp, int dir,
342 : const struct km_event *c);
343 : void km_state_notify(struct xfrm_state *x, const struct km_event *c);
344 :
345 : struct xfrm_tmpl;
346 : int km_query(struct xfrm_state *x, struct xfrm_tmpl *t,
347 : struct xfrm_policy *pol);
348 : void km_state_expired(struct xfrm_state *x, int hard, u32 portid);
349 : int __xfrm_state_delete(struct xfrm_state *x);
350 :
351 : struct xfrm_state_afinfo {
352 : u8 family;
353 : u8 proto;
354 :
355 : const struct xfrm_type_offload *type_offload_esp;
356 :
357 : const struct xfrm_type *type_esp;
358 : const struct xfrm_type *type_ipip;
359 : const struct xfrm_type *type_ipip6;
360 : const struct xfrm_type *type_comp;
361 : const struct xfrm_type *type_ah;
362 : const struct xfrm_type *type_routing;
363 : const struct xfrm_type *type_dstopts;
364 :
365 : int (*output)(struct net *net, struct sock *sk, struct sk_buff *skb);
366 : int (*transport_finish)(struct sk_buff *skb,
367 : int async);
368 : void (*local_error)(struct sk_buff *skb, u32 mtu);
369 : };
370 :
371 : int xfrm_state_register_afinfo(struct xfrm_state_afinfo *afinfo);
372 : int xfrm_state_unregister_afinfo(struct xfrm_state_afinfo *afinfo);
373 : struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned int family);
374 : struct xfrm_state_afinfo *xfrm_state_afinfo_get_rcu(unsigned int family);
375 :
376 : struct xfrm_input_afinfo {
377 : u8 family;
378 : bool is_ipip;
379 : int (*callback)(struct sk_buff *skb, u8 protocol,
380 : int err);
381 : };
382 :
383 : int xfrm_input_register_afinfo(const struct xfrm_input_afinfo *afinfo);
384 : int xfrm_input_unregister_afinfo(const struct xfrm_input_afinfo *afinfo);
385 :
386 : void xfrm_flush_gc(void);
387 : void xfrm_state_delete_tunnel(struct xfrm_state *x);
388 :
389 : struct xfrm_type {
390 : char *description;
391 : struct module *owner;
392 : u8 proto;
393 : u8 flags;
394 : #define XFRM_TYPE_NON_FRAGMENT 1
395 : #define XFRM_TYPE_REPLAY_PROT 2
396 : #define XFRM_TYPE_LOCAL_COADDR 4
397 : #define XFRM_TYPE_REMOTE_COADDR 8
398 :
399 : int (*init_state)(struct xfrm_state *x);
400 : void (*destructor)(struct xfrm_state *);
401 : int (*input)(struct xfrm_state *, struct sk_buff *skb);
402 : int (*output)(struct xfrm_state *, struct sk_buff *pskb);
403 : int (*reject)(struct xfrm_state *, struct sk_buff *,
404 : const struct flowi *);
405 : int (*hdr_offset)(struct xfrm_state *, struct sk_buff *, u8 **);
406 : };
407 :
408 : int xfrm_register_type(const struct xfrm_type *type, unsigned short family);
409 : void xfrm_unregister_type(const struct xfrm_type *type, unsigned short family);
410 :
411 : struct xfrm_type_offload {
412 : char *description;
413 : struct module *owner;
414 : u8 proto;
415 : void (*encap)(struct xfrm_state *, struct sk_buff *pskb);
416 : int (*input_tail)(struct xfrm_state *x, struct sk_buff *skb);
417 : int (*xmit)(struct xfrm_state *, struct sk_buff *pskb, netdev_features_t features);
418 : };
419 :
420 : int xfrm_register_type_offload(const struct xfrm_type_offload *type, unsigned short family);
421 : void xfrm_unregister_type_offload(const struct xfrm_type_offload *type, unsigned short family);
422 :
423 : static inline int xfrm_af2proto(unsigned int family)
424 : {
425 : switch(family) {
426 : case AF_INET:
427 : return IPPROTO_IPIP;
428 : case AF_INET6:
429 : return IPPROTO_IPV6;
430 : default:
431 : return 0;
432 : }
433 : }
434 :
435 : static inline const struct xfrm_mode *xfrm_ip2inner_mode(struct xfrm_state *x, int ipproto)
436 : {
437 : if ((ipproto == IPPROTO_IPIP && x->props.family == AF_INET) ||
438 : (ipproto == IPPROTO_IPV6 && x->props.family == AF_INET6))
439 : return &x->inner_mode;
440 : else
441 : return &x->inner_mode_iaf;
442 : }
443 :
444 : struct xfrm_tmpl {
445 : /* id in template is interpreted as:
446 : * daddr - destination of tunnel, may be zero for transport mode.
447 : * spi - zero to acquire spi. Not zero if spi is static, then
448 : * daddr must be fixed too.
449 : * proto - AH/ESP/IPCOMP
450 : */
451 : struct xfrm_id id;
452 :
453 : /* Source address of tunnel. Ignored, if it is not a tunnel. */
454 : xfrm_address_t saddr;
455 :
456 : unsigned short encap_family;
457 :
458 : u32 reqid;
459 :
460 : /* Mode: transport, tunnel etc. */
461 : u8 mode;
462 :
463 : /* Sharing mode: unique, this session only, this user only etc. */
464 : u8 share;
465 :
466 : /* May skip this transfomration if no SA is found */
467 : u8 optional;
468 :
469 : /* Skip aalgos/ealgos/calgos checks. */
470 : u8 allalgs;
471 :
472 : /* Bit mask of algos allowed for acquisition */
473 : u32 aalgos;
474 : u32 ealgos;
475 : u32 calgos;
476 : };
477 :
478 : #define XFRM_MAX_DEPTH 6
479 : #define XFRM_MAX_OFFLOAD_DEPTH 1
480 :
481 : struct xfrm_policy_walk_entry {
482 : struct list_head all;
483 : u8 dead;
484 : };
485 :
486 : struct xfrm_policy_walk {
487 : struct xfrm_policy_walk_entry walk;
488 : u8 type;
489 : u32 seq;
490 : };
491 :
492 : struct xfrm_policy_queue {
493 : struct sk_buff_head hold_queue;
494 : struct timer_list hold_timer;
495 : unsigned long timeout;
496 : };
497 :
498 : struct xfrm_policy {
499 : possible_net_t xp_net;
500 : struct hlist_node bydst;
501 : struct hlist_node byidx;
502 :
503 : /* This lock only affects elements except for entry. */
504 : rwlock_t lock;
505 : refcount_t refcnt;
506 : u32 pos;
507 : struct timer_list timer;
508 :
509 : atomic_t genid;
510 : u32 priority;
511 : u32 index;
512 : u32 if_id;
513 : struct xfrm_mark mark;
514 : struct xfrm_selector selector;
515 : struct xfrm_lifetime_cfg lft;
516 : struct xfrm_lifetime_cur curlft;
517 : struct xfrm_policy_walk_entry walk;
518 : struct xfrm_policy_queue polq;
519 : bool bydst_reinsert;
520 : u8 type;
521 : u8 action;
522 : u8 flags;
523 : u8 xfrm_nr;
524 : u16 family;
525 : struct xfrm_sec_ctx *security;
526 : struct xfrm_tmpl xfrm_vec[XFRM_MAX_DEPTH];
527 : struct hlist_node bydst_inexact_list;
528 : struct rcu_head rcu;
529 : };
530 :
531 : static inline struct net *xp_net(const struct xfrm_policy *xp)
532 : {
533 : return read_pnet(&xp->xp_net);
534 : }
535 :
536 : struct xfrm_kmaddress {
537 : xfrm_address_t local;
538 : xfrm_address_t remote;
539 : u32 reserved;
540 : u16 family;
541 : };
542 :
543 : struct xfrm_migrate {
544 : xfrm_address_t old_daddr;
545 : xfrm_address_t old_saddr;
546 : xfrm_address_t new_daddr;
547 : xfrm_address_t new_saddr;
548 : u8 proto;
549 : u8 mode;
550 : u16 reserved;
551 : u32 reqid;
552 : u16 old_family;
553 : u16 new_family;
554 : };
555 :
556 : #define XFRM_KM_TIMEOUT 30
557 : /* what happened */
558 : #define XFRM_REPLAY_UPDATE XFRM_AE_CR
559 : #define XFRM_REPLAY_TIMEOUT XFRM_AE_CE
560 :
561 : /* default aevent timeout in units of 100ms */
562 : #define XFRM_AE_ETIME 10
563 : /* Async Event timer multiplier */
564 : #define XFRM_AE_ETH_M 10
565 : /* default seq threshold size */
566 : #define XFRM_AE_SEQT_SIZE 2
567 :
568 : struct xfrm_mgr {
569 : struct list_head list;
570 : int (*notify)(struct xfrm_state *x, const struct km_event *c);
571 : int (*acquire)(struct xfrm_state *x, struct xfrm_tmpl *, struct xfrm_policy *xp);
572 : struct xfrm_policy *(*compile_policy)(struct sock *sk, int opt, u8 *data, int len, int *dir);
573 : int (*new_mapping)(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport);
574 : int (*notify_policy)(struct xfrm_policy *x, int dir, const struct km_event *c);
575 : int (*report)(struct net *net, u8 proto, struct xfrm_selector *sel, xfrm_address_t *addr);
576 : int (*migrate)(const struct xfrm_selector *sel,
577 : u8 dir, u8 type,
578 : const struct xfrm_migrate *m,
579 : int num_bundles,
580 : const struct xfrm_kmaddress *k,
581 : const struct xfrm_encap_tmpl *encap);
582 : bool (*is_alive)(const struct km_event *c);
583 : };
584 :
585 : int xfrm_register_km(struct xfrm_mgr *km);
586 : int xfrm_unregister_km(struct xfrm_mgr *km);
587 :
588 : struct xfrm_tunnel_skb_cb {
589 : union {
590 : struct inet_skb_parm h4;
591 : struct inet6_skb_parm h6;
592 : } header;
593 :
594 : union {
595 : struct ip_tunnel *ip4;
596 : struct ip6_tnl *ip6;
597 : } tunnel;
598 : };
599 :
600 : #define XFRM_TUNNEL_SKB_CB(__skb) ((struct xfrm_tunnel_skb_cb *)&((__skb)->cb[0]))
601 :
602 : /*
603 : * This structure is used for the duration where packets are being
604 : * transformed by IPsec. As soon as the packet leaves IPsec the
605 : * area beyond the generic IP part may be overwritten.
606 : */
607 : struct xfrm_skb_cb {
608 : struct xfrm_tunnel_skb_cb header;
609 :
610 : /* Sequence number for replay protection. */
611 : union {
612 : struct {
613 : __u32 low;
614 : __u32 hi;
615 : } output;
616 : struct {
617 : __be32 low;
618 : __be32 hi;
619 : } input;
620 : } seq;
621 : };
622 :
623 : #define XFRM_SKB_CB(__skb) ((struct xfrm_skb_cb *)&((__skb)->cb[0]))
624 :
625 : /*
626 : * This structure is used by the afinfo prepare_input/prepare_output functions
627 : * to transmit header information to the mode input/output functions.
628 : */
629 : struct xfrm_mode_skb_cb {
630 : struct xfrm_tunnel_skb_cb header;
631 :
632 : /* Copied from header for IPv4, always set to zero and DF for IPv6. */
633 : __be16 id;
634 : __be16 frag_off;
635 :
636 : /* IP header length (excluding options or extension headers). */
637 : u8 ihl;
638 :
639 : /* TOS for IPv4, class for IPv6. */
640 : u8 tos;
641 :
642 : /* TTL for IPv4, hop limitfor IPv6. */
643 : u8 ttl;
644 :
645 : /* Protocol for IPv4, NH for IPv6. */
646 : u8 protocol;
647 :
648 : /* Option length for IPv4, zero for IPv6. */
649 : u8 optlen;
650 :
651 : /* Used by IPv6 only, zero for IPv4. */
652 : u8 flow_lbl[3];
653 : };
654 :
655 : #define XFRM_MODE_SKB_CB(__skb) ((struct xfrm_mode_skb_cb *)&((__skb)->cb[0]))
656 :
657 : /*
658 : * This structure is used by the input processing to locate the SPI and
659 : * related information.
660 : */
661 : struct xfrm_spi_skb_cb {
662 : struct xfrm_tunnel_skb_cb header;
663 :
664 : unsigned int daddroff;
665 : unsigned int family;
666 : __be32 seq;
667 : };
668 :
669 : #define XFRM_SPI_SKB_CB(__skb) ((struct xfrm_spi_skb_cb *)&((__skb)->cb[0]))
670 :
671 : #ifdef CONFIG_AUDITSYSCALL
672 : static inline struct audit_buffer *xfrm_audit_start(const char *op)
673 : {
674 : struct audit_buffer *audit_buf = NULL;
675 :
676 : if (audit_enabled == AUDIT_OFF)
677 : return NULL;
678 : audit_buf = audit_log_start(audit_context(), GFP_ATOMIC,
679 : AUDIT_MAC_IPSEC_EVENT);
680 : if (audit_buf == NULL)
681 : return NULL;
682 : audit_log_format(audit_buf, "op=%s", op);
683 : return audit_buf;
684 : }
685 :
686 : static inline void xfrm_audit_helper_usrinfo(bool task_valid,
687 : struct audit_buffer *audit_buf)
688 : {
689 : const unsigned int auid = from_kuid(&init_user_ns, task_valid ?
690 : audit_get_loginuid(current) :
691 : INVALID_UID);
692 : const unsigned int ses = task_valid ? audit_get_sessionid(current) :
693 : AUDIT_SID_UNSET;
694 :
695 : audit_log_format(audit_buf, " auid=%u ses=%u", auid, ses);
696 : audit_log_task_context(audit_buf);
697 : }
698 :
699 : void xfrm_audit_policy_add(struct xfrm_policy *xp, int result, bool task_valid);
700 : void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
701 : bool task_valid);
702 : void xfrm_audit_state_add(struct xfrm_state *x, int result, bool task_valid);
703 : void xfrm_audit_state_delete(struct xfrm_state *x, int result, bool task_valid);
704 : void xfrm_audit_state_replay_overflow(struct xfrm_state *x,
705 : struct sk_buff *skb);
706 : void xfrm_audit_state_replay(struct xfrm_state *x, struct sk_buff *skb,
707 : __be32 net_seq);
708 : void xfrm_audit_state_notfound_simple(struct sk_buff *skb, u16 family);
709 : void xfrm_audit_state_notfound(struct sk_buff *skb, u16 family, __be32 net_spi,
710 : __be32 net_seq);
711 : void xfrm_audit_state_icvfail(struct xfrm_state *x, struct sk_buff *skb,
712 : u8 proto);
713 : #else
714 :
715 : static inline void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,
716 : bool task_valid)
717 : {
718 : }
719 :
720 : static inline void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
721 : bool task_valid)
722 : {
723 : }
724 :
725 : static inline void xfrm_audit_state_add(struct xfrm_state *x, int result,
726 : bool task_valid)
727 : {
728 : }
729 :
730 : static inline void xfrm_audit_state_delete(struct xfrm_state *x, int result,
731 : bool task_valid)
732 : {
733 : }
734 :
735 : static inline void xfrm_audit_state_replay_overflow(struct xfrm_state *x,
736 : struct sk_buff *skb)
737 : {
738 : }
739 :
740 : static inline void xfrm_audit_state_replay(struct xfrm_state *x,
741 : struct sk_buff *skb, __be32 net_seq)
742 : {
743 : }
744 :
745 : static inline void xfrm_audit_state_notfound_simple(struct sk_buff *skb,
746 : u16 family)
747 : {
748 : }
749 :
750 : static inline void xfrm_audit_state_notfound(struct sk_buff *skb, u16 family,
751 : __be32 net_spi, __be32 net_seq)
752 : {
753 : }
754 :
755 : static inline void xfrm_audit_state_icvfail(struct xfrm_state *x,
756 : struct sk_buff *skb, u8 proto)
757 : {
758 : }
759 : #endif /* CONFIG_AUDITSYSCALL */
760 :
761 : static inline void xfrm_pol_hold(struct xfrm_policy *policy)
762 : {
763 : if (likely(policy != NULL))
764 : refcount_inc(&policy->refcnt);
765 : }
766 :
767 : void xfrm_policy_destroy(struct xfrm_policy *policy);
768 :
769 : static inline void xfrm_pol_put(struct xfrm_policy *policy)
770 : {
771 : if (refcount_dec_and_test(&policy->refcnt))
772 : xfrm_policy_destroy(policy);
773 : }
774 :
775 : static inline void xfrm_pols_put(struct xfrm_policy **pols, int npols)
776 : {
777 : int i;
778 : for (i = npols - 1; i >= 0; --i)
779 : xfrm_pol_put(pols[i]);
780 : }
781 :
782 : void __xfrm_state_destroy(struct xfrm_state *, bool);
783 :
784 : static inline void __xfrm_state_put(struct xfrm_state *x)
785 : {
786 : refcount_dec(&x->refcnt);
787 : }
788 :
789 : static inline void xfrm_state_put(struct xfrm_state *x)
790 : {
791 : if (refcount_dec_and_test(&x->refcnt))
792 : __xfrm_state_destroy(x, false);
793 : }
794 :
795 : static inline void xfrm_state_put_sync(struct xfrm_state *x)
796 : {
797 : if (refcount_dec_and_test(&x->refcnt))
798 : __xfrm_state_destroy(x, true);
799 : }
800 :
801 : static inline void xfrm_state_hold(struct xfrm_state *x)
802 : {
803 : refcount_inc(&x->refcnt);
804 : }
805 :
806 : static inline bool addr_match(const void *token1, const void *token2,
807 : unsigned int prefixlen)
808 : {
809 : const __be32 *a1 = token1;
810 : const __be32 *a2 = token2;
811 : unsigned int pdw;
812 : unsigned int pbi;
813 :
814 : pdw = prefixlen >> 5; /* num of whole u32 in prefix */
815 : pbi = prefixlen & 0x1f; /* num of bits in incomplete u32 in prefix */
816 :
817 : if (pdw)
818 : if (memcmp(a1, a2, pdw << 2))
819 : return false;
820 :
821 : if (pbi) {
822 : __be32 mask;
823 :
824 : mask = htonl((0xffffffff) << (32 - pbi));
825 :
826 : if ((a1[pdw] ^ a2[pdw]) & mask)
827 : return false;
828 : }
829 :
830 : return true;
831 : }
832 :
833 : static inline bool addr4_match(__be32 a1, __be32 a2, u8 prefixlen)
834 : {
835 : /* C99 6.5.7 (3): u32 << 32 is undefined behaviour */
836 : if (sizeof(long) == 4 && prefixlen == 0)
837 : return true;
838 : return !((a1 ^ a2) & htonl(~0UL << (32 - prefixlen)));
839 : }
840 :
841 : static __inline__
842 : __be16 xfrm_flowi_sport(const struct flowi *fl, const union flowi_uli *uli)
843 : {
844 : __be16 port;
845 : switch(fl->flowi_proto) {
846 : case IPPROTO_TCP:
847 : case IPPROTO_UDP:
848 : case IPPROTO_UDPLITE:
849 : case IPPROTO_SCTP:
850 : port = uli->ports.sport;
851 : break;
852 : case IPPROTO_ICMP:
853 : case IPPROTO_ICMPV6:
854 : port = htons(uli->icmpt.type);
855 : break;
856 : case IPPROTO_MH:
857 : port = htons(uli->mht.type);
858 : break;
859 : case IPPROTO_GRE:
860 : port = htons(ntohl(uli->gre_key) >> 16);
861 : break;
862 : default:
863 : port = 0; /*XXX*/
864 : }
865 : return port;
866 : }
867 :
868 : static __inline__
869 : __be16 xfrm_flowi_dport(const struct flowi *fl, const union flowi_uli *uli)
870 : {
871 : __be16 port;
872 : switch(fl->flowi_proto) {
873 : case IPPROTO_TCP:
874 : case IPPROTO_UDP:
875 : case IPPROTO_UDPLITE:
876 : case IPPROTO_SCTP:
877 : port = uli->ports.dport;
878 : break;
879 : case IPPROTO_ICMP:
880 : case IPPROTO_ICMPV6:
881 : port = htons(uli->icmpt.code);
882 : break;
883 : case IPPROTO_GRE:
884 : port = htons(ntohl(uli->gre_key) & 0xffff);
885 : break;
886 : default:
887 : port = 0; /*XXX*/
888 : }
889 : return port;
890 : }
891 :
892 : bool xfrm_selector_match(const struct xfrm_selector *sel,
893 : const struct flowi *fl, unsigned short family);
894 :
895 : #ifdef CONFIG_SECURITY_NETWORK_XFRM
896 : /* If neither has a context --> match
897 : * Otherwise, both must have a context and the sids, doi, alg must match
898 : */
899 : static inline bool xfrm_sec_ctx_match(struct xfrm_sec_ctx *s1, struct xfrm_sec_ctx *s2)
900 : {
901 : return ((!s1 && !s2) ||
902 : (s1 && s2 &&
903 : (s1->ctx_sid == s2->ctx_sid) &&
904 : (s1->ctx_doi == s2->ctx_doi) &&
905 : (s1->ctx_alg == s2->ctx_alg)));
906 : }
907 : #else
908 : static inline bool xfrm_sec_ctx_match(struct xfrm_sec_ctx *s1, struct xfrm_sec_ctx *s2)
909 : {
910 : return true;
911 : }
912 : #endif
913 :
914 : /* A struct encoding bundle of transformations to apply to some set of flow.
915 : *
916 : * xdst->child points to the next element of bundle.
917 : * dst->xfrm points to an instanse of transformer.
918 : *
919 : * Due to unfortunate limitations of current routing cache, which we
920 : * have no time to fix, it mirrors struct rtable and bound to the same
921 : * routing key, including saddr,daddr. However, we can have many of
922 : * bundles differing by session id. All the bundles grow from a parent
923 : * policy rule.
924 : */
925 : struct xfrm_dst {
926 : union {
927 : struct dst_entry dst;
928 : struct rtable rt;
929 : struct rt6_info rt6;
930 : } u;
931 : struct dst_entry *route;
932 : struct dst_entry *child;
933 : struct dst_entry *path;
934 : struct xfrm_policy *pols[XFRM_POLICY_TYPE_MAX];
935 : int num_pols, num_xfrms;
936 : u32 xfrm_genid;
937 : u32 policy_genid;
938 : u32 route_mtu_cached;
939 : u32 child_mtu_cached;
940 : u32 route_cookie;
941 : u32 path_cookie;
942 : };
943 :
944 0 : static inline struct dst_entry *xfrm_dst_path(const struct dst_entry *dst)
945 : {
946 : #ifdef CONFIG_XFRM
947 : if (dst->xfrm || (dst->flags & DST_XFRM_QUEUE)) {
948 : const struct xfrm_dst *xdst = (const struct xfrm_dst *) dst;
949 :
950 : return xdst->path;
951 : }
952 : #endif
953 0 : return (struct dst_entry *) dst;
954 : }
955 :
956 : static inline struct dst_entry *xfrm_dst_child(const struct dst_entry *dst)
957 : {
958 : #ifdef CONFIG_XFRM
959 : if (dst->xfrm || (dst->flags & DST_XFRM_QUEUE)) {
960 : struct xfrm_dst *xdst = (struct xfrm_dst *) dst;
961 : return xdst->child;
962 : }
963 : #endif
964 : return NULL;
965 : }
966 :
967 : #ifdef CONFIG_XFRM
968 : static inline void xfrm_dst_set_child(struct xfrm_dst *xdst, struct dst_entry *child)
969 : {
970 : xdst->child = child;
971 : }
972 :
973 : static inline void xfrm_dst_destroy(struct xfrm_dst *xdst)
974 : {
975 : xfrm_pols_put(xdst->pols, xdst->num_pols);
976 : dst_release(xdst->route);
977 : if (likely(xdst->u.dst.xfrm))
978 : xfrm_state_put(xdst->u.dst.xfrm);
979 : }
980 : #endif
981 :
982 : void xfrm_dst_ifdown(struct dst_entry *dst, struct net_device *dev);
983 :
984 : struct xfrm_if_parms {
985 : int link; /* ifindex of underlying L2 interface */
986 : u32 if_id; /* interface identifyer */
987 : };
988 :
989 : struct xfrm_if {
990 : struct xfrm_if __rcu *next; /* next interface in list */
991 : struct net_device *dev; /* virtual device associated with interface */
992 : struct net *net; /* netns for packet i/o */
993 : struct xfrm_if_parms p; /* interface parms */
994 :
995 : struct gro_cells gro_cells;
996 : };
997 :
998 : struct xfrm_offload {
999 : /* Output sequence number for replay protection on offloading. */
1000 : struct {
1001 : __u32 low;
1002 : __u32 hi;
1003 : } seq;
1004 :
1005 : __u32 flags;
1006 : #define SA_DELETE_REQ 1
1007 : #define CRYPTO_DONE 2
1008 : #define CRYPTO_NEXT_DONE 4
1009 : #define CRYPTO_FALLBACK 8
1010 : #define XFRM_GSO_SEGMENT 16
1011 : #define XFRM_GRO 32
1012 : #define XFRM_ESP_NO_TRAILER 64
1013 : #define XFRM_DEV_RESUME 128
1014 : #define XFRM_XMIT 256
1015 :
1016 : __u32 status;
1017 : #define CRYPTO_SUCCESS 1
1018 : #define CRYPTO_GENERIC_ERROR 2
1019 : #define CRYPTO_TRANSPORT_AH_AUTH_FAILED 4
1020 : #define CRYPTO_TRANSPORT_ESP_AUTH_FAILED 8
1021 : #define CRYPTO_TUNNEL_AH_AUTH_FAILED 16
1022 : #define CRYPTO_TUNNEL_ESP_AUTH_FAILED 32
1023 : #define CRYPTO_INVALID_PACKET_SYNTAX 64
1024 : #define CRYPTO_INVALID_PROTOCOL 128
1025 :
1026 : __u8 proto;
1027 : };
1028 :
1029 : struct sec_path {
1030 : int len;
1031 : int olen;
1032 :
1033 : struct xfrm_state *xvec[XFRM_MAX_DEPTH];
1034 : struct xfrm_offload ovec[XFRM_MAX_OFFLOAD_DEPTH];
1035 : };
1036 :
1037 : struct sec_path *secpath_set(struct sk_buff *skb);
1038 :
1039 : static inline void
1040 : secpath_reset(struct sk_buff *skb)
1041 : {
1042 : #ifdef CONFIG_XFRM
1043 : skb_ext_del(skb, SKB_EXT_SEC_PATH);
1044 : #endif
1045 : }
1046 :
1047 : static inline int
1048 : xfrm_addr_any(const xfrm_address_t *addr, unsigned short family)
1049 : {
1050 : switch (family) {
1051 : case AF_INET:
1052 : return addr->a4 == 0;
1053 : case AF_INET6:
1054 : return ipv6_addr_any(&addr->in6);
1055 : }
1056 : return 0;
1057 : }
1058 :
1059 : static inline int
1060 : __xfrm4_state_addr_cmp(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x)
1061 : {
1062 : return (tmpl->saddr.a4 &&
1063 : tmpl->saddr.a4 != x->props.saddr.a4);
1064 : }
1065 :
1066 : static inline int
1067 : __xfrm6_state_addr_cmp(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x)
1068 : {
1069 : return (!ipv6_addr_any((struct in6_addr*)&tmpl->saddr) &&
1070 : !ipv6_addr_equal((struct in6_addr *)&tmpl->saddr, (struct in6_addr*)&x->props.saddr));
1071 : }
1072 :
1073 : static inline int
1074 : xfrm_state_addr_cmp(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x, unsigned short family)
1075 : {
1076 : switch (family) {
1077 : case AF_INET:
1078 : return __xfrm4_state_addr_cmp(tmpl, x);
1079 : case AF_INET6:
1080 : return __xfrm6_state_addr_cmp(tmpl, x);
1081 : }
1082 : return !0;
1083 : }
1084 :
1085 : #ifdef CONFIG_XFRM
1086 : int __xfrm_policy_check(struct sock *, int dir, struct sk_buff *skb,
1087 : unsigned short family);
1088 :
1089 : static inline int __xfrm_policy_check2(struct sock *sk, int dir,
1090 : struct sk_buff *skb,
1091 : unsigned int family, int reverse)
1092 : {
1093 : struct net *net = dev_net(skb->dev);
1094 : int ndir = dir | (reverse ? XFRM_POLICY_MASK + 1 : 0);
1095 :
1096 : if (sk && sk->sk_policy[XFRM_POLICY_IN])
1097 : return __xfrm_policy_check(sk, ndir, skb, family);
1098 :
1099 : return (!net->xfrm.policy_count[dir] && !secpath_exists(skb)) ||
1100 : (skb_dst(skb)->flags & DST_NOPOLICY) ||
1101 : __xfrm_policy_check(sk, ndir, skb, family);
1102 : }
1103 :
1104 : static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family)
1105 : {
1106 : return __xfrm_policy_check2(sk, dir, skb, family, 0);
1107 : }
1108 :
1109 : static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1110 : {
1111 : return xfrm_policy_check(sk, dir, skb, AF_INET);
1112 : }
1113 :
1114 : static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1115 : {
1116 : return xfrm_policy_check(sk, dir, skb, AF_INET6);
1117 : }
1118 :
1119 : static inline int xfrm4_policy_check_reverse(struct sock *sk, int dir,
1120 : struct sk_buff *skb)
1121 : {
1122 : return __xfrm_policy_check2(sk, dir, skb, AF_INET, 1);
1123 : }
1124 :
1125 : static inline int xfrm6_policy_check_reverse(struct sock *sk, int dir,
1126 : struct sk_buff *skb)
1127 : {
1128 : return __xfrm_policy_check2(sk, dir, skb, AF_INET6, 1);
1129 : }
1130 :
1131 : int __xfrm_decode_session(struct sk_buff *skb, struct flowi *fl,
1132 : unsigned int family, int reverse);
1133 :
1134 : static inline int xfrm_decode_session(struct sk_buff *skb, struct flowi *fl,
1135 : unsigned int family)
1136 : {
1137 : return __xfrm_decode_session(skb, fl, family, 0);
1138 : }
1139 :
1140 : static inline int xfrm_decode_session_reverse(struct sk_buff *skb,
1141 : struct flowi *fl,
1142 : unsigned int family)
1143 : {
1144 : return __xfrm_decode_session(skb, fl, family, 1);
1145 : }
1146 :
1147 : int __xfrm_route_forward(struct sk_buff *skb, unsigned short family);
1148 :
1149 : static inline int xfrm_route_forward(struct sk_buff *skb, unsigned short family)
1150 : {
1151 : struct net *net = dev_net(skb->dev);
1152 :
1153 : return !net->xfrm.policy_count[XFRM_POLICY_OUT] ||
1154 : (skb_dst(skb)->flags & DST_NOXFRM) ||
1155 : __xfrm_route_forward(skb, family);
1156 : }
1157 :
1158 : static inline int xfrm4_route_forward(struct sk_buff *skb)
1159 : {
1160 : return xfrm_route_forward(skb, AF_INET);
1161 : }
1162 :
1163 : static inline int xfrm6_route_forward(struct sk_buff *skb)
1164 : {
1165 : return xfrm_route_forward(skb, AF_INET6);
1166 : }
1167 :
1168 : int __xfrm_sk_clone_policy(struct sock *sk, const struct sock *osk);
1169 :
1170 : static inline int xfrm_sk_clone_policy(struct sock *sk, const struct sock *osk)
1171 : {
1172 : sk->sk_policy[0] = NULL;
1173 : sk->sk_policy[1] = NULL;
1174 : if (unlikely(osk->sk_policy[0] || osk->sk_policy[1]))
1175 : return __xfrm_sk_clone_policy(sk, osk);
1176 : return 0;
1177 : }
1178 :
1179 : int xfrm_policy_delete(struct xfrm_policy *pol, int dir);
1180 :
1181 : static inline void xfrm_sk_free_policy(struct sock *sk)
1182 : {
1183 : struct xfrm_policy *pol;
1184 :
1185 : pol = rcu_dereference_protected(sk->sk_policy[0], 1);
1186 : if (unlikely(pol != NULL)) {
1187 : xfrm_policy_delete(pol, XFRM_POLICY_MAX);
1188 : sk->sk_policy[0] = NULL;
1189 : }
1190 : pol = rcu_dereference_protected(sk->sk_policy[1], 1);
1191 : if (unlikely(pol != NULL)) {
1192 : xfrm_policy_delete(pol, XFRM_POLICY_MAX+1);
1193 : sk->sk_policy[1] = NULL;
1194 : }
1195 : }
1196 :
1197 : #else
1198 :
1199 43 : static inline void xfrm_sk_free_policy(struct sock *sk) {}
1200 4 : static inline int xfrm_sk_clone_policy(struct sock *sk, const struct sock *osk) { return 0; }
1201 : static inline int xfrm6_route_forward(struct sk_buff *skb) { return 1; }
1202 0 : static inline int xfrm4_route_forward(struct sk_buff *skb) { return 1; }
1203 : static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1204 : {
1205 : return 1;
1206 : }
1207 450 : static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1208 : {
1209 450 : return 1;
1210 : }
1211 : static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family)
1212 : {
1213 : return 1;
1214 : }
1215 0 : static inline int xfrm_decode_session_reverse(struct sk_buff *skb,
1216 : struct flowi *fl,
1217 : unsigned int family)
1218 : {
1219 0 : return -ENOSYS;
1220 : }
1221 : static inline int xfrm4_policy_check_reverse(struct sock *sk, int dir,
1222 : struct sk_buff *skb)
1223 : {
1224 : return 1;
1225 : }
1226 : static inline int xfrm6_policy_check_reverse(struct sock *sk, int dir,
1227 : struct sk_buff *skb)
1228 : {
1229 : return 1;
1230 : }
1231 : #endif
1232 :
1233 : static __inline__
1234 : xfrm_address_t *xfrm_flowi_daddr(const struct flowi *fl, unsigned short family)
1235 : {
1236 : switch (family){
1237 : case AF_INET:
1238 : return (xfrm_address_t *)&fl->u.ip4.daddr;
1239 : case AF_INET6:
1240 : return (xfrm_address_t *)&fl->u.ip6.daddr;
1241 : }
1242 : return NULL;
1243 : }
1244 :
1245 : static __inline__
1246 : xfrm_address_t *xfrm_flowi_saddr(const struct flowi *fl, unsigned short family)
1247 : {
1248 : switch (family){
1249 : case AF_INET:
1250 : return (xfrm_address_t *)&fl->u.ip4.saddr;
1251 : case AF_INET6:
1252 : return (xfrm_address_t *)&fl->u.ip6.saddr;
1253 : }
1254 : return NULL;
1255 : }
1256 :
1257 : static __inline__
1258 : void xfrm_flowi_addr_get(const struct flowi *fl,
1259 : xfrm_address_t *saddr, xfrm_address_t *daddr,
1260 : unsigned short family)
1261 : {
1262 : switch(family) {
1263 : case AF_INET:
1264 : memcpy(&saddr->a4, &fl->u.ip4.saddr, sizeof(saddr->a4));
1265 : memcpy(&daddr->a4, &fl->u.ip4.daddr, sizeof(daddr->a4));
1266 : break;
1267 : case AF_INET6:
1268 : saddr->in6 = fl->u.ip6.saddr;
1269 : daddr->in6 = fl->u.ip6.daddr;
1270 : break;
1271 : }
1272 : }
1273 :
1274 : static __inline__ int
1275 : __xfrm4_state_addr_check(const struct xfrm_state *x,
1276 : const xfrm_address_t *daddr, const xfrm_address_t *saddr)
1277 : {
1278 : if (daddr->a4 == x->id.daddr.a4 &&
1279 : (saddr->a4 == x->props.saddr.a4 || !saddr->a4 || !x->props.saddr.a4))
1280 : return 1;
1281 : return 0;
1282 : }
1283 :
1284 : static __inline__ int
1285 : __xfrm6_state_addr_check(const struct xfrm_state *x,
1286 : const xfrm_address_t *daddr, const xfrm_address_t *saddr)
1287 : {
1288 : if (ipv6_addr_equal((struct in6_addr *)daddr, (struct in6_addr *)&x->id.daddr) &&
1289 : (ipv6_addr_equal((struct in6_addr *)saddr, (struct in6_addr *)&x->props.saddr) ||
1290 : ipv6_addr_any((struct in6_addr *)saddr) ||
1291 : ipv6_addr_any((struct in6_addr *)&x->props.saddr)))
1292 : return 1;
1293 : return 0;
1294 : }
1295 :
1296 : static __inline__ int
1297 : xfrm_state_addr_check(const struct xfrm_state *x,
1298 : const xfrm_address_t *daddr, const xfrm_address_t *saddr,
1299 : unsigned short family)
1300 : {
1301 : switch (family) {
1302 : case AF_INET:
1303 : return __xfrm4_state_addr_check(x, daddr, saddr);
1304 : case AF_INET6:
1305 : return __xfrm6_state_addr_check(x, daddr, saddr);
1306 : }
1307 : return 0;
1308 : }
1309 :
1310 : static __inline__ int
1311 : xfrm_state_addr_flow_check(const struct xfrm_state *x, const struct flowi *fl,
1312 : unsigned short family)
1313 : {
1314 : switch (family) {
1315 : case AF_INET:
1316 : return __xfrm4_state_addr_check(x,
1317 : (const xfrm_address_t *)&fl->u.ip4.daddr,
1318 : (const xfrm_address_t *)&fl->u.ip4.saddr);
1319 : case AF_INET6:
1320 : return __xfrm6_state_addr_check(x,
1321 : (const xfrm_address_t *)&fl->u.ip6.daddr,
1322 : (const xfrm_address_t *)&fl->u.ip6.saddr);
1323 : }
1324 : return 0;
1325 : }
1326 :
1327 : static inline int xfrm_state_kern(const struct xfrm_state *x)
1328 : {
1329 : return atomic_read(&x->tunnel_users);
1330 : }
1331 :
1332 : static inline bool xfrm_id_proto_valid(u8 proto)
1333 : {
1334 : switch (proto) {
1335 : case IPPROTO_AH:
1336 : case IPPROTO_ESP:
1337 : case IPPROTO_COMP:
1338 : #if IS_ENABLED(CONFIG_IPV6)
1339 : case IPPROTO_ROUTING:
1340 : case IPPROTO_DSTOPTS:
1341 : #endif
1342 : return true;
1343 : default:
1344 : return false;
1345 : }
1346 : }
1347 :
1348 : /* IPSEC_PROTO_ANY only matches 3 IPsec protocols, 0 could match all. */
1349 : static inline int xfrm_id_proto_match(u8 proto, u8 userproto)
1350 : {
1351 : return (!userproto || proto == userproto ||
1352 : (userproto == IPSEC_PROTO_ANY && (proto == IPPROTO_AH ||
1353 : proto == IPPROTO_ESP ||
1354 : proto == IPPROTO_COMP)));
1355 : }
1356 :
1357 : /*
1358 : * xfrm algorithm information
1359 : */
1360 : struct xfrm_algo_aead_info {
1361 : char *geniv;
1362 : u16 icv_truncbits;
1363 : };
1364 :
1365 : struct xfrm_algo_auth_info {
1366 : u16 icv_truncbits;
1367 : u16 icv_fullbits;
1368 : };
1369 :
1370 : struct xfrm_algo_encr_info {
1371 : char *geniv;
1372 : u16 blockbits;
1373 : u16 defkeybits;
1374 : };
1375 :
1376 : struct xfrm_algo_comp_info {
1377 : u16 threshold;
1378 : };
1379 :
1380 : struct xfrm_algo_desc {
1381 : char *name;
1382 : char *compat;
1383 : u8 available:1;
1384 : u8 pfkey_supported:1;
1385 : union {
1386 : struct xfrm_algo_aead_info aead;
1387 : struct xfrm_algo_auth_info auth;
1388 : struct xfrm_algo_encr_info encr;
1389 : struct xfrm_algo_comp_info comp;
1390 : } uinfo;
1391 : struct sadb_alg desc;
1392 : };
1393 :
1394 : /* XFRM protocol handlers. */
1395 : struct xfrm4_protocol {
1396 : int (*handler)(struct sk_buff *skb);
1397 : int (*input_handler)(struct sk_buff *skb, int nexthdr, __be32 spi,
1398 : int encap_type);
1399 : int (*cb_handler)(struct sk_buff *skb, int err);
1400 : int (*err_handler)(struct sk_buff *skb, u32 info);
1401 :
1402 : struct xfrm4_protocol __rcu *next;
1403 : int priority;
1404 : };
1405 :
1406 : struct xfrm6_protocol {
1407 : int (*handler)(struct sk_buff *skb);
1408 : int (*input_handler)(struct sk_buff *skb, int nexthdr, __be32 spi,
1409 : int encap_type);
1410 : int (*cb_handler)(struct sk_buff *skb, int err);
1411 : int (*err_handler)(struct sk_buff *skb, struct inet6_skb_parm *opt,
1412 : u8 type, u8 code, int offset, __be32 info);
1413 :
1414 : struct xfrm6_protocol __rcu *next;
1415 : int priority;
1416 : };
1417 :
1418 : /* XFRM tunnel handlers. */
1419 : struct xfrm_tunnel {
1420 : int (*handler)(struct sk_buff *skb);
1421 : int (*cb_handler)(struct sk_buff *skb, int err);
1422 : int (*err_handler)(struct sk_buff *skb, u32 info);
1423 :
1424 : struct xfrm_tunnel __rcu *next;
1425 : int priority;
1426 : };
1427 :
1428 : struct xfrm6_tunnel {
1429 : int (*handler)(struct sk_buff *skb);
1430 : int (*cb_handler)(struct sk_buff *skb, int err);
1431 : int (*err_handler)(struct sk_buff *skb, struct inet6_skb_parm *opt,
1432 : u8 type, u8 code, int offset, __be32 info);
1433 : struct xfrm6_tunnel __rcu *next;
1434 : int priority;
1435 : };
1436 :
1437 : void xfrm_init(void);
1438 : void xfrm4_init(void);
1439 : int xfrm_state_init(struct net *net);
1440 : void xfrm_state_fini(struct net *net);
1441 : void xfrm4_state_init(void);
1442 : void xfrm4_protocol_init(void);
1443 : #ifdef CONFIG_XFRM
1444 : int xfrm6_init(void);
1445 : void xfrm6_fini(void);
1446 : int xfrm6_state_init(void);
1447 : void xfrm6_state_fini(void);
1448 : int xfrm6_protocol_init(void);
1449 : void xfrm6_protocol_fini(void);
1450 : #else
1451 : static inline int xfrm6_init(void)
1452 : {
1453 : return 0;
1454 : }
1455 : static inline void xfrm6_fini(void)
1456 : {
1457 : ;
1458 : }
1459 : #endif
1460 :
1461 : #ifdef CONFIG_XFRM_STATISTICS
1462 : int xfrm_proc_init(struct net *net);
1463 : void xfrm_proc_fini(struct net *net);
1464 : #endif
1465 :
1466 : int xfrm_sysctl_init(struct net *net);
1467 : #ifdef CONFIG_SYSCTL
1468 : void xfrm_sysctl_fini(struct net *net);
1469 : #else
1470 : static inline void xfrm_sysctl_fini(struct net *net)
1471 : {
1472 : }
1473 : #endif
1474 :
1475 : void xfrm_state_walk_init(struct xfrm_state_walk *walk, u8 proto,
1476 : struct xfrm_address_filter *filter);
1477 : int xfrm_state_walk(struct net *net, struct xfrm_state_walk *walk,
1478 : int (*func)(struct xfrm_state *, int, void*), void *);
1479 : void xfrm_state_walk_done(struct xfrm_state_walk *walk, struct net *net);
1480 : struct xfrm_state *xfrm_state_alloc(struct net *net);
1481 : void xfrm_state_free(struct xfrm_state *x);
1482 : struct xfrm_state *xfrm_state_find(const xfrm_address_t *daddr,
1483 : const xfrm_address_t *saddr,
1484 : const struct flowi *fl,
1485 : struct xfrm_tmpl *tmpl,
1486 : struct xfrm_policy *pol, int *err,
1487 : unsigned short family, u32 if_id);
1488 : struct xfrm_state *xfrm_stateonly_find(struct net *net, u32 mark, u32 if_id,
1489 : xfrm_address_t *daddr,
1490 : xfrm_address_t *saddr,
1491 : unsigned short family,
1492 : u8 mode, u8 proto, u32 reqid);
1493 : struct xfrm_state *xfrm_state_lookup_byspi(struct net *net, __be32 spi,
1494 : unsigned short family);
1495 : int xfrm_state_check_expire(struct xfrm_state *x);
1496 : void xfrm_state_insert(struct xfrm_state *x);
1497 : int xfrm_state_add(struct xfrm_state *x);
1498 : int xfrm_state_update(struct xfrm_state *x);
1499 : struct xfrm_state *xfrm_state_lookup(struct net *net, u32 mark,
1500 : const xfrm_address_t *daddr, __be32 spi,
1501 : u8 proto, unsigned short family);
1502 : struct xfrm_state *xfrm_state_lookup_byaddr(struct net *net, u32 mark,
1503 : const xfrm_address_t *daddr,
1504 : const xfrm_address_t *saddr,
1505 : u8 proto,
1506 : unsigned short family);
1507 : #ifdef CONFIG_XFRM_SUB_POLICY
1508 : void xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, int n,
1509 : unsigned short family);
1510 : void xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src, int n,
1511 : unsigned short family);
1512 : #else
1513 : static inline void xfrm_tmpl_sort(struct xfrm_tmpl **d, struct xfrm_tmpl **s,
1514 : int n, unsigned short family)
1515 : {
1516 : }
1517 :
1518 : static inline void xfrm_state_sort(struct xfrm_state **d, struct xfrm_state **s,
1519 : int n, unsigned short family)
1520 : {
1521 : }
1522 : #endif
1523 :
1524 : struct xfrmk_sadinfo {
1525 : u32 sadhcnt; /* current hash bkts */
1526 : u32 sadhmcnt; /* max allowed hash bkts */
1527 : u32 sadcnt; /* current running count */
1528 : };
1529 :
1530 : struct xfrmk_spdinfo {
1531 : u32 incnt;
1532 : u32 outcnt;
1533 : u32 fwdcnt;
1534 : u32 inscnt;
1535 : u32 outscnt;
1536 : u32 fwdscnt;
1537 : u32 spdhcnt;
1538 : u32 spdhmcnt;
1539 : };
1540 :
1541 : struct xfrm_state *xfrm_find_acq_byseq(struct net *net, u32 mark, u32 seq);
1542 : int xfrm_state_delete(struct xfrm_state *x);
1543 : int xfrm_state_flush(struct net *net, u8 proto, bool task_valid, bool sync);
1544 : int xfrm_dev_state_flush(struct net *net, struct net_device *dev, bool task_valid);
1545 : void xfrm_sad_getinfo(struct net *net, struct xfrmk_sadinfo *si);
1546 : void xfrm_spd_getinfo(struct net *net, struct xfrmk_spdinfo *si);
1547 : u32 xfrm_replay_seqhi(struct xfrm_state *x, __be32 net_seq);
1548 : int xfrm_init_replay(struct xfrm_state *x);
1549 : u32 xfrm_state_mtu(struct xfrm_state *x, int mtu);
1550 : int __xfrm_init_state(struct xfrm_state *x, bool init_replay, bool offload);
1551 : int xfrm_init_state(struct xfrm_state *x);
1552 : int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type);
1553 : int xfrm_input_resume(struct sk_buff *skb, int nexthdr);
1554 : int xfrm_trans_queue_net(struct net *net, struct sk_buff *skb,
1555 : int (*finish)(struct net *, struct sock *,
1556 : struct sk_buff *));
1557 : int xfrm_trans_queue(struct sk_buff *skb,
1558 : int (*finish)(struct net *, struct sock *,
1559 : struct sk_buff *));
1560 : int xfrm_output_resume(struct sk_buff *skb, int err);
1561 : int xfrm_output(struct sock *sk, struct sk_buff *skb);
1562 :
1563 : #if IS_ENABLED(CONFIG_NET_PKTGEN)
1564 : int pktgen_xfrm_outer_mode_output(struct xfrm_state *x, struct sk_buff *skb);
1565 : #endif
1566 :
1567 : void xfrm_local_error(struct sk_buff *skb, int mtu);
1568 : int xfrm4_extract_input(struct xfrm_state *x, struct sk_buff *skb);
1569 : int xfrm4_rcv_encap(struct sk_buff *skb, int nexthdr, __be32 spi,
1570 : int encap_type);
1571 : int xfrm4_transport_finish(struct sk_buff *skb, int async);
1572 : int xfrm4_rcv(struct sk_buff *skb);
1573 : int xfrm_parse_spi(struct sk_buff *skb, u8 nexthdr, __be32 *spi, __be32 *seq);
1574 :
1575 : static inline int xfrm4_rcv_spi(struct sk_buff *skb, int nexthdr, __be32 spi)
1576 : {
1577 : XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4 = NULL;
1578 : XFRM_SPI_SKB_CB(skb)->family = AF_INET;
1579 : XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct iphdr, daddr);
1580 : return xfrm_input(skb, nexthdr, spi, 0);
1581 : }
1582 :
1583 : int xfrm4_output(struct net *net, struct sock *sk, struct sk_buff *skb);
1584 : int xfrm4_output_finish(struct sock *sk, struct sk_buff *skb);
1585 : int xfrm4_protocol_register(struct xfrm4_protocol *handler, unsigned char protocol);
1586 : int xfrm4_protocol_deregister(struct xfrm4_protocol *handler, unsigned char protocol);
1587 : int xfrm4_tunnel_register(struct xfrm_tunnel *handler, unsigned short family);
1588 : int xfrm4_tunnel_deregister(struct xfrm_tunnel *handler, unsigned short family);
1589 : void xfrm4_local_error(struct sk_buff *skb, u32 mtu);
1590 : int xfrm6_extract_input(struct xfrm_state *x, struct sk_buff *skb);
1591 : int xfrm6_rcv_spi(struct sk_buff *skb, int nexthdr, __be32 spi,
1592 : struct ip6_tnl *t);
1593 : int xfrm6_rcv_encap(struct sk_buff *skb, int nexthdr, __be32 spi,
1594 : int encap_type);
1595 : int xfrm6_transport_finish(struct sk_buff *skb, int async);
1596 : int xfrm6_rcv_tnl(struct sk_buff *skb, struct ip6_tnl *t);
1597 : int xfrm6_rcv(struct sk_buff *skb);
1598 : int xfrm6_input_addr(struct sk_buff *skb, xfrm_address_t *daddr,
1599 : xfrm_address_t *saddr, u8 proto);
1600 : void xfrm6_local_error(struct sk_buff *skb, u32 mtu);
1601 : int xfrm6_protocol_register(struct xfrm6_protocol *handler, unsigned char protocol);
1602 : int xfrm6_protocol_deregister(struct xfrm6_protocol *handler, unsigned char protocol);
1603 : int xfrm6_tunnel_register(struct xfrm6_tunnel *handler, unsigned short family);
1604 : int xfrm6_tunnel_deregister(struct xfrm6_tunnel *handler, unsigned short family);
1605 : __be32 xfrm6_tunnel_alloc_spi(struct net *net, xfrm_address_t *saddr);
1606 : __be32 xfrm6_tunnel_spi_lookup(struct net *net, const xfrm_address_t *saddr);
1607 : int xfrm6_output(struct net *net, struct sock *sk, struct sk_buff *skb);
1608 : int xfrm6_output_finish(struct sock *sk, struct sk_buff *skb);
1609 : int xfrm6_find_1stfragopt(struct xfrm_state *x, struct sk_buff *skb,
1610 : u8 **prevhdr);
1611 :
1612 : #ifdef CONFIG_XFRM
1613 : void xfrm6_local_rxpmtu(struct sk_buff *skb, u32 mtu);
1614 : int xfrm4_udp_encap_rcv(struct sock *sk, struct sk_buff *skb);
1615 : int xfrm6_udp_encap_rcv(struct sock *sk, struct sk_buff *skb);
1616 : int xfrm_user_policy(struct sock *sk, int optname, sockptr_t optval,
1617 : int optlen);
1618 : #else
1619 0 : static inline int xfrm_user_policy(struct sock *sk, int optname,
1620 : sockptr_t optval, int optlen)
1621 : {
1622 0 : return -ENOPROTOOPT;
1623 : }
1624 : #endif
1625 :
1626 : struct dst_entry *__xfrm_dst_lookup(struct net *net, int tos, int oif,
1627 : const xfrm_address_t *saddr,
1628 : const xfrm_address_t *daddr,
1629 : int family, u32 mark);
1630 :
1631 : struct xfrm_policy *xfrm_policy_alloc(struct net *net, gfp_t gfp);
1632 :
1633 : void xfrm_policy_walk_init(struct xfrm_policy_walk *walk, u8 type);
1634 : int xfrm_policy_walk(struct net *net, struct xfrm_policy_walk *walk,
1635 : int (*func)(struct xfrm_policy *, int, int, void*),
1636 : void *);
1637 : void xfrm_policy_walk_done(struct xfrm_policy_walk *walk, struct net *net);
1638 : int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl);
1639 : struct xfrm_policy *xfrm_policy_bysel_ctx(struct net *net,
1640 : const struct xfrm_mark *mark,
1641 : u32 if_id, u8 type, int dir,
1642 : struct xfrm_selector *sel,
1643 : struct xfrm_sec_ctx *ctx, int delete,
1644 : int *err);
1645 : struct xfrm_policy *xfrm_policy_byid(struct net *net,
1646 : const struct xfrm_mark *mark, u32 if_id,
1647 : u8 type, int dir, u32 id, int delete,
1648 : int *err);
1649 : int xfrm_policy_flush(struct net *net, u8 type, bool task_valid);
1650 : void xfrm_policy_hash_rebuild(struct net *net);
1651 : u32 xfrm_get_acqseq(void);
1652 : int verify_spi_info(u8 proto, u32 min, u32 max);
1653 : int xfrm_alloc_spi(struct xfrm_state *x, u32 minspi, u32 maxspi);
1654 : struct xfrm_state *xfrm_find_acq(struct net *net, const struct xfrm_mark *mark,
1655 : u8 mode, u32 reqid, u32 if_id, u8 proto,
1656 : const xfrm_address_t *daddr,
1657 : const xfrm_address_t *saddr, int create,
1658 : unsigned short family);
1659 : int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol);
1660 :
1661 : #ifdef CONFIG_XFRM_MIGRATE
1662 : int km_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
1663 : const struct xfrm_migrate *m, int num_bundles,
1664 : const struct xfrm_kmaddress *k,
1665 : const struct xfrm_encap_tmpl *encap);
1666 : struct xfrm_state *xfrm_migrate_state_find(struct xfrm_migrate *m, struct net *net);
1667 : struct xfrm_state *xfrm_state_migrate(struct xfrm_state *x,
1668 : struct xfrm_migrate *m,
1669 : struct xfrm_encap_tmpl *encap);
1670 : int xfrm_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
1671 : struct xfrm_migrate *m, int num_bundles,
1672 : struct xfrm_kmaddress *k, struct net *net,
1673 : struct xfrm_encap_tmpl *encap);
1674 : #endif
1675 :
1676 : int km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport);
1677 : void km_policy_expired(struct xfrm_policy *pol, int dir, int hard, u32 portid);
1678 : int km_report(struct net *net, u8 proto, struct xfrm_selector *sel,
1679 : xfrm_address_t *addr);
1680 :
1681 : void xfrm_input_init(void);
1682 : int xfrm_parse_spi(struct sk_buff *skb, u8 nexthdr, __be32 *spi, __be32 *seq);
1683 :
1684 : void xfrm_probe_algs(void);
1685 : int xfrm_count_pfkey_auth_supported(void);
1686 : int xfrm_count_pfkey_enc_supported(void);
1687 : struct xfrm_algo_desc *xfrm_aalg_get_byidx(unsigned int idx);
1688 : struct xfrm_algo_desc *xfrm_ealg_get_byidx(unsigned int idx);
1689 : struct xfrm_algo_desc *xfrm_aalg_get_byid(int alg_id);
1690 : struct xfrm_algo_desc *xfrm_ealg_get_byid(int alg_id);
1691 : struct xfrm_algo_desc *xfrm_calg_get_byid(int alg_id);
1692 : struct xfrm_algo_desc *xfrm_aalg_get_byname(const char *name, int probe);
1693 : struct xfrm_algo_desc *xfrm_ealg_get_byname(const char *name, int probe);
1694 : struct xfrm_algo_desc *xfrm_calg_get_byname(const char *name, int probe);
1695 : struct xfrm_algo_desc *xfrm_aead_get_byname(const char *name, int icv_len,
1696 : int probe);
1697 :
1698 : static inline bool xfrm6_addr_equal(const xfrm_address_t *a,
1699 : const xfrm_address_t *b)
1700 : {
1701 : return ipv6_addr_equal((const struct in6_addr *)a,
1702 : (const struct in6_addr *)b);
1703 : }
1704 :
1705 : static inline bool xfrm_addr_equal(const xfrm_address_t *a,
1706 : const xfrm_address_t *b,
1707 : sa_family_t family)
1708 : {
1709 : switch (family) {
1710 : default:
1711 : case AF_INET:
1712 : return ((__force u32)a->a4 ^ (__force u32)b->a4) == 0;
1713 : case AF_INET6:
1714 : return xfrm6_addr_equal(a, b);
1715 : }
1716 : }
1717 :
1718 : static inline int xfrm_policy_id2dir(u32 index)
1719 : {
1720 : return index & 7;
1721 : }
1722 :
1723 : #ifdef CONFIG_XFRM
1724 : static inline int xfrm_aevent_is_on(struct net *net)
1725 : {
1726 : struct sock *nlsk;
1727 : int ret = 0;
1728 :
1729 : rcu_read_lock();
1730 : nlsk = rcu_dereference(net->xfrm.nlsk);
1731 : if (nlsk)
1732 : ret = netlink_has_listeners(nlsk, XFRMNLGRP_AEVENTS);
1733 : rcu_read_unlock();
1734 : return ret;
1735 : }
1736 :
1737 : static inline int xfrm_acquire_is_on(struct net *net)
1738 : {
1739 : struct sock *nlsk;
1740 : int ret = 0;
1741 :
1742 : rcu_read_lock();
1743 : nlsk = rcu_dereference(net->xfrm.nlsk);
1744 : if (nlsk)
1745 : ret = netlink_has_listeners(nlsk, XFRMNLGRP_ACQUIRE);
1746 : rcu_read_unlock();
1747 :
1748 : return ret;
1749 : }
1750 : #endif
1751 :
1752 : static inline unsigned int aead_len(struct xfrm_algo_aead *alg)
1753 : {
1754 : return sizeof(*alg) + ((alg->alg_key_len + 7) / 8);
1755 : }
1756 :
1757 : static inline unsigned int xfrm_alg_len(const struct xfrm_algo *alg)
1758 : {
1759 : return sizeof(*alg) + ((alg->alg_key_len + 7) / 8);
1760 : }
1761 :
1762 : static inline unsigned int xfrm_alg_auth_len(const struct xfrm_algo_auth *alg)
1763 : {
1764 : return sizeof(*alg) + ((alg->alg_key_len + 7) / 8);
1765 : }
1766 :
1767 : static inline unsigned int xfrm_replay_state_esn_len(struct xfrm_replay_state_esn *replay_esn)
1768 : {
1769 : return sizeof(*replay_esn) + replay_esn->bmp_len * sizeof(__u32);
1770 : }
1771 :
1772 : #ifdef CONFIG_XFRM_MIGRATE
1773 : static inline int xfrm_replay_clone(struct xfrm_state *x,
1774 : struct xfrm_state *orig)
1775 : {
1776 :
1777 : x->replay_esn = kmemdup(orig->replay_esn,
1778 : xfrm_replay_state_esn_len(orig->replay_esn),
1779 : GFP_KERNEL);
1780 : if (!x->replay_esn)
1781 : return -ENOMEM;
1782 : x->preplay_esn = kmemdup(orig->preplay_esn,
1783 : xfrm_replay_state_esn_len(orig->preplay_esn),
1784 : GFP_KERNEL);
1785 : if (!x->preplay_esn)
1786 : return -ENOMEM;
1787 :
1788 : return 0;
1789 : }
1790 :
1791 : static inline struct xfrm_algo_aead *xfrm_algo_aead_clone(struct xfrm_algo_aead *orig)
1792 : {
1793 : return kmemdup(orig, aead_len(orig), GFP_KERNEL);
1794 : }
1795 :
1796 :
1797 : static inline struct xfrm_algo *xfrm_algo_clone(struct xfrm_algo *orig)
1798 : {
1799 : return kmemdup(orig, xfrm_alg_len(orig), GFP_KERNEL);
1800 : }
1801 :
1802 : static inline struct xfrm_algo_auth *xfrm_algo_auth_clone(struct xfrm_algo_auth *orig)
1803 : {
1804 : return kmemdup(orig, xfrm_alg_auth_len(orig), GFP_KERNEL);
1805 : }
1806 :
1807 : static inline void xfrm_states_put(struct xfrm_state **states, int n)
1808 : {
1809 : int i;
1810 : for (i = 0; i < n; i++)
1811 : xfrm_state_put(*(states + i));
1812 : }
1813 :
1814 : static inline void xfrm_states_delete(struct xfrm_state **states, int n)
1815 : {
1816 : int i;
1817 : for (i = 0; i < n; i++)
1818 : xfrm_state_delete(*(states + i));
1819 : }
1820 : #endif
1821 :
1822 : #ifdef CONFIG_XFRM
1823 : static inline struct xfrm_state *xfrm_input_state(struct sk_buff *skb)
1824 : {
1825 : struct sec_path *sp = skb_sec_path(skb);
1826 :
1827 : return sp->xvec[sp->len - 1];
1828 : }
1829 : #endif
1830 :
1831 0 : static inline struct xfrm_offload *xfrm_offload(struct sk_buff *skb)
1832 : {
1833 : #ifdef CONFIG_XFRM
1834 : struct sec_path *sp = skb_sec_path(skb);
1835 :
1836 : if (!sp || !sp->olen || sp->len != sp->olen)
1837 : return NULL;
1838 :
1839 : return &sp->ovec[sp->olen - 1];
1840 : #else
1841 0 : return NULL;
1842 : #endif
1843 : }
1844 :
1845 : void __init xfrm_dev_init(void);
1846 :
1847 : #ifdef CONFIG_XFRM_OFFLOAD
1848 : void xfrm_dev_resume(struct sk_buff *skb);
1849 : void xfrm_dev_backlog(struct softnet_data *sd);
1850 : struct sk_buff *validate_xmit_xfrm(struct sk_buff *skb, netdev_features_t features, bool *again);
1851 : int xfrm_dev_state_add(struct net *net, struct xfrm_state *x,
1852 : struct xfrm_user_offload *xuo);
1853 : bool xfrm_dev_offload_ok(struct sk_buff *skb, struct xfrm_state *x);
1854 :
1855 : static inline void xfrm_dev_state_advance_esn(struct xfrm_state *x)
1856 : {
1857 : struct xfrm_state_offload *xso = &x->xso;
1858 :
1859 : if (xso->dev && xso->dev->xfrmdev_ops->xdo_dev_state_advance_esn)
1860 : xso->dev->xfrmdev_ops->xdo_dev_state_advance_esn(x);
1861 : }
1862 :
1863 : static inline bool xfrm_dst_offload_ok(struct dst_entry *dst)
1864 : {
1865 : struct xfrm_state *x = dst->xfrm;
1866 : struct xfrm_dst *xdst;
1867 :
1868 : if (!x || !x->type_offload)
1869 : return false;
1870 :
1871 : xdst = (struct xfrm_dst *) dst;
1872 : if (!x->xso.offload_handle && !xdst->child->xfrm)
1873 : return true;
1874 : if (x->xso.offload_handle && (x->xso.dev == xfrm_dst_path(dst)->dev) &&
1875 : !xdst->child->xfrm)
1876 : return true;
1877 :
1878 : return false;
1879 : }
1880 :
1881 : static inline void xfrm_dev_state_delete(struct xfrm_state *x)
1882 : {
1883 : struct xfrm_state_offload *xso = &x->xso;
1884 :
1885 : if (xso->dev)
1886 : xso->dev->xfrmdev_ops->xdo_dev_state_delete(x);
1887 : }
1888 :
1889 : static inline void xfrm_dev_state_free(struct xfrm_state *x)
1890 : {
1891 : struct xfrm_state_offload *xso = &x->xso;
1892 : struct net_device *dev = xso->dev;
1893 :
1894 : if (dev && dev->xfrmdev_ops) {
1895 : if (dev->xfrmdev_ops->xdo_dev_state_free)
1896 : dev->xfrmdev_ops->xdo_dev_state_free(x);
1897 : xso->dev = NULL;
1898 : dev_put(dev);
1899 : }
1900 : }
1901 : #else
1902 : static inline void xfrm_dev_resume(struct sk_buff *skb)
1903 : {
1904 : }
1905 :
1906 0 : static inline void xfrm_dev_backlog(struct softnet_data *sd)
1907 : {
1908 0 : }
1909 :
1910 : static inline struct sk_buff *validate_xmit_xfrm(struct sk_buff *skb, netdev_features_t features, bool *again)
1911 : {
1912 : return skb;
1913 : }
1914 :
1915 : static inline int xfrm_dev_state_add(struct net *net, struct xfrm_state *x, struct xfrm_user_offload *xuo)
1916 : {
1917 : return 0;
1918 : }
1919 :
1920 : static inline void xfrm_dev_state_delete(struct xfrm_state *x)
1921 : {
1922 : }
1923 :
1924 : static inline void xfrm_dev_state_free(struct xfrm_state *x)
1925 : {
1926 : }
1927 :
1928 : static inline bool xfrm_dev_offload_ok(struct sk_buff *skb, struct xfrm_state *x)
1929 : {
1930 : return false;
1931 : }
1932 :
1933 : static inline void xfrm_dev_state_advance_esn(struct xfrm_state *x)
1934 : {
1935 : }
1936 :
1937 0 : static inline bool xfrm_dst_offload_ok(struct dst_entry *dst)
1938 : {
1939 0 : return false;
1940 : }
1941 : #endif
1942 :
1943 : static inline int xfrm_mark_get(struct nlattr **attrs, struct xfrm_mark *m)
1944 : {
1945 : if (attrs[XFRMA_MARK])
1946 : memcpy(m, nla_data(attrs[XFRMA_MARK]), sizeof(struct xfrm_mark));
1947 : else
1948 : m->v = m->m = 0;
1949 :
1950 : return m->v & m->m;
1951 : }
1952 :
1953 : static inline int xfrm_mark_put(struct sk_buff *skb, const struct xfrm_mark *m)
1954 : {
1955 : int ret = 0;
1956 :
1957 : if (m->m | m->v)
1958 : ret = nla_put(skb, XFRMA_MARK, sizeof(struct xfrm_mark), m);
1959 : return ret;
1960 : }
1961 :
1962 : static inline __u32 xfrm_smark_get(__u32 mark, struct xfrm_state *x)
1963 : {
1964 : struct xfrm_mark *m = &x->props.smark;
1965 :
1966 : return (m->v & m->m) | (mark & ~m->m);
1967 : }
1968 :
1969 : static inline int xfrm_if_id_put(struct sk_buff *skb, __u32 if_id)
1970 : {
1971 : int ret = 0;
1972 :
1973 : if (if_id)
1974 : ret = nla_put_u32(skb, XFRMA_IF_ID, if_id);
1975 : return ret;
1976 : }
1977 :
1978 : static inline int xfrm_tunnel_check(struct sk_buff *skb, struct xfrm_state *x,
1979 : unsigned int family)
1980 : {
1981 : bool tunnel = false;
1982 :
1983 : switch(family) {
1984 : case AF_INET:
1985 : if (XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4)
1986 : tunnel = true;
1987 : break;
1988 : case AF_INET6:
1989 : if (XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip6)
1990 : tunnel = true;
1991 : break;
1992 : }
1993 : if (tunnel && !(x->outer_mode.flags & XFRM_MODE_FLAG_TUNNEL))
1994 : return -EINVAL;
1995 :
1996 : return 0;
1997 : }
1998 :
1999 : extern const int xfrm_msg_min[XFRM_NR_MSGTYPES];
2000 : extern const struct nla_policy xfrma_policy[XFRMA_MAX+1];
2001 :
2002 : struct xfrm_translator {
2003 : /* Allocate frag_list and put compat translation there */
2004 : int (*alloc_compat)(struct sk_buff *skb, const struct nlmsghdr *src);
2005 :
2006 : /* Allocate nlmsg with 64-bit translaton of received 32-bit message */
2007 : struct nlmsghdr *(*rcv_msg_compat)(const struct nlmsghdr *nlh,
2008 : int maxtype, const struct nla_policy *policy,
2009 : struct netlink_ext_ack *extack);
2010 :
2011 : /* Translate 32-bit user_policy from sockptr */
2012 : int (*xlate_user_policy_sockptr)(u8 **pdata32, int optlen);
2013 :
2014 : struct module *owner;
2015 : };
2016 :
2017 : #if IS_ENABLED(CONFIG_XFRM_USER_COMPAT)
2018 : extern int xfrm_register_translator(struct xfrm_translator *xtr);
2019 : extern int xfrm_unregister_translator(struct xfrm_translator *xtr);
2020 : extern struct xfrm_translator *xfrm_get_translator(void);
2021 : extern void xfrm_put_translator(struct xfrm_translator *xtr);
2022 : #else
2023 : static inline struct xfrm_translator *xfrm_get_translator(void)
2024 : {
2025 : return NULL;
2026 : }
2027 : static inline void xfrm_put_translator(struct xfrm_translator *xtr)
2028 : {
2029 : }
2030 : #endif
2031 :
2032 : #if IS_ENABLED(CONFIG_IPV6)
2033 : static inline bool xfrm6_local_dontfrag(const struct sock *sk)
2034 : {
2035 : int proto;
2036 :
2037 : if (!sk || sk->sk_family != AF_INET6)
2038 : return false;
2039 :
2040 : proto = sk->sk_protocol;
2041 : if (proto == IPPROTO_UDP || proto == IPPROTO_RAW)
2042 : return inet6_sk(sk)->dontfrag;
2043 :
2044 : return false;
2045 : }
2046 : #endif
2047 : #endif /* _NET_XFRM_H */
|
