6 * Kazunori MIYAZAWA @USAGI
7 * Kunihiro Ishiguro <kunihiro@ipinfusion.com>
9 * YOSHIFUJI Hideaki @USAGI
10 * Split up af-specific functions
11 * Derek Atkins <derek@ihtfp.com>
12 * Add UDP Encapsulation
16 #include <linux/workqueue.h>
18 #include <linux/pfkeyv2.h>
19 #include <linux/ipsec.h>
20 #include <linux/module.h>
21 #include <asm/uaccess.h>
24 EXPORT_SYMBOL(xfrm_nl);
26 u32 sysctl_xfrm_aevent_etime = XFRM_AE_ETIME;
27 EXPORT_SYMBOL(sysctl_xfrm_aevent_etime);
29 u32 sysctl_xfrm_aevent_rseqth = XFRM_AE_SEQT_SIZE;
30 EXPORT_SYMBOL(sysctl_xfrm_aevent_rseqth);
32 /* Each xfrm_state may be linked to two tables:
34 1. Hash table by (spi,daddr,ah/esp) to find SA by SPI. (input,ctl)
35 2. Hash table by daddr to find what SAs exist for given
36 destination/tunnel endpoint. (output)
39 static DEFINE_SPINLOCK(xfrm_state_lock);
41 #define XFRM_DST_HSIZE 1024
43 /* Hash table to find appropriate SA towards given target (endpoint
44 * of tunnel or destination of transport mode) allowed by selector.
46 * Main use is finding SA after policy selected tunnel or transport mode.
47 * Also, it can be used by ah/esp icmp error handler to find offending SA.
49 static struct list_head xfrm_state_bydst[XFRM_DST_HSIZE];
50 static struct list_head xfrm_state_bysrc[XFRM_DST_HSIZE];
51 static struct list_head xfrm_state_byspi[XFRM_DST_HSIZE];
54 unsigned __xfrm4_dst_hash(xfrm_address_t *addr)
58 h = (h ^ (h>>16)) % XFRM_DST_HSIZE;
63 unsigned __xfrm6_dst_hash(xfrm_address_t *addr)
66 h = ntohl(addr->a6[2]^addr->a6[3]);
67 h = (h ^ (h>>16)) % XFRM_DST_HSIZE;
72 unsigned __xfrm4_src_hash(xfrm_address_t *addr)
74 return __xfrm4_dst_hash(addr);
78 unsigned __xfrm6_src_hash(xfrm_address_t *addr)
80 return __xfrm6_dst_hash(addr);
84 unsigned xfrm_src_hash(xfrm_address_t *addr, unsigned short family)
88 return __xfrm4_src_hash(addr);
90 return __xfrm6_src_hash(addr);
96 unsigned xfrm_dst_hash(xfrm_address_t *addr, unsigned short family)
100 return __xfrm4_dst_hash(addr);
102 return __xfrm6_dst_hash(addr);
108 unsigned __xfrm4_spi_hash(xfrm_address_t *addr, u32 spi, u8 proto)
111 h = ntohl(addr->a4^spi^proto);
112 h = (h ^ (h>>10) ^ (h>>20)) % XFRM_DST_HSIZE;
117 unsigned __xfrm6_spi_hash(xfrm_address_t *addr, u32 spi, u8 proto)
120 h = ntohl(addr->a6[2]^addr->a6[3]^spi^proto);
121 h = (h ^ (h>>10) ^ (h>>20)) % XFRM_DST_HSIZE;
126 unsigned xfrm_spi_hash(xfrm_address_t *addr, u32 spi, u8 proto, unsigned short family)
130 return __xfrm4_spi_hash(addr, spi, proto);
132 return __xfrm6_spi_hash(addr, spi, proto);
137 DECLARE_WAIT_QUEUE_HEAD(km_waitq);
138 EXPORT_SYMBOL(km_waitq);
140 static DEFINE_RWLOCK(xfrm_state_afinfo_lock);
141 static struct xfrm_state_afinfo *xfrm_state_afinfo[NPROTO];
143 static struct work_struct xfrm_state_gc_work;
144 static struct list_head xfrm_state_gc_list = LIST_HEAD_INIT(xfrm_state_gc_list);
145 static DEFINE_SPINLOCK(xfrm_state_gc_lock);
147 static int xfrm_state_gc_flush_bundles;
149 int __xfrm_state_delete(struct xfrm_state *x);
151 static struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned short family);
152 static void xfrm_state_put_afinfo(struct xfrm_state_afinfo *afinfo);
154 int km_query(struct xfrm_state *x, struct xfrm_tmpl *t, struct xfrm_policy *pol);
155 void km_state_expired(struct xfrm_state *x, int hard, u32 pid);
157 static void xfrm_state_gc_destroy(struct xfrm_state *x)
159 if (del_timer(&x->timer))
161 if (del_timer(&x->rtimer))
169 xfrm_put_mode(x->mode);
171 x->type->destructor(x);
172 xfrm_put_type(x->type);
174 security_xfrm_state_free(x);
178 static void xfrm_state_gc_task(void *data)
180 struct xfrm_state *x;
181 struct list_head *entry, *tmp;
182 struct list_head gc_list = LIST_HEAD_INIT(gc_list);
184 if (xfrm_state_gc_flush_bundles) {
185 xfrm_state_gc_flush_bundles = 0;
186 xfrm_flush_bundles();
189 spin_lock_bh(&xfrm_state_gc_lock);
190 list_splice_init(&xfrm_state_gc_list, &gc_list);
191 spin_unlock_bh(&xfrm_state_gc_lock);
193 list_for_each_safe(entry, tmp, &gc_list) {
194 x = list_entry(entry, struct xfrm_state, bydst);
195 xfrm_state_gc_destroy(x);
200 static inline unsigned long make_jiffies(long secs)
202 if (secs >= (MAX_SCHEDULE_TIMEOUT-1)/HZ)
203 return MAX_SCHEDULE_TIMEOUT-1;
208 static void xfrm_timer_handler(unsigned long data)
210 struct xfrm_state *x = (struct xfrm_state*)data;
211 unsigned long now = (unsigned long)xtime.tv_sec;
212 long next = LONG_MAX;
216 if (x->km.state == XFRM_STATE_DEAD)
218 if (x->km.state == XFRM_STATE_EXPIRED)
220 if (x->lft.hard_add_expires_seconds) {
221 long tmo = x->lft.hard_add_expires_seconds +
222 x->curlft.add_time - now;
228 if (x->lft.hard_use_expires_seconds) {
229 long tmo = x->lft.hard_use_expires_seconds +
230 (x->curlft.use_time ? : now) - now;
238 if (x->lft.soft_add_expires_seconds) {
239 long tmo = x->lft.soft_add_expires_seconds +
240 x->curlft.add_time - now;
246 if (x->lft.soft_use_expires_seconds) {
247 long tmo = x->lft.soft_use_expires_seconds +
248 (x->curlft.use_time ? : now) - now;
257 km_state_expired(x, 0, 0);
259 if (next != LONG_MAX &&
260 !mod_timer(&x->timer, jiffies + make_jiffies(next)))
265 if (x->km.state == XFRM_STATE_ACQ && x->id.spi == 0) {
266 x->km.state = XFRM_STATE_EXPIRED;
271 if (!__xfrm_state_delete(x) && x->id.spi)
272 km_state_expired(x, 1, 0);
275 spin_unlock(&x->lock);
279 static void xfrm_replay_timer_handler(unsigned long data);
281 struct xfrm_state *xfrm_state_alloc(void)
283 struct xfrm_state *x;
285 x = kzalloc(sizeof(struct xfrm_state), GFP_ATOMIC);
288 atomic_set(&x->refcnt, 1);
289 atomic_set(&x->tunnel_users, 0);
290 INIT_LIST_HEAD(&x->bydst);
291 INIT_LIST_HEAD(&x->bysrc);
292 INIT_LIST_HEAD(&x->byspi);
293 init_timer(&x->timer);
294 x->timer.function = xfrm_timer_handler;
295 x->timer.data = (unsigned long)x;
296 init_timer(&x->rtimer);
297 x->rtimer.function = xfrm_replay_timer_handler;
298 x->rtimer.data = (unsigned long)x;
299 x->curlft.add_time = (unsigned long)xtime.tv_sec;
300 x->lft.soft_byte_limit = XFRM_INF;
301 x->lft.soft_packet_limit = XFRM_INF;
302 x->lft.hard_byte_limit = XFRM_INF;
303 x->lft.hard_packet_limit = XFRM_INF;
304 x->replay_maxage = 0;
305 x->replay_maxdiff = 0;
306 spin_lock_init(&x->lock);
310 EXPORT_SYMBOL(xfrm_state_alloc);
312 void __xfrm_state_destroy(struct xfrm_state *x)
314 BUG_TRAP(x->km.state == XFRM_STATE_DEAD);
316 spin_lock_bh(&xfrm_state_gc_lock);
317 list_add(&x->bydst, &xfrm_state_gc_list);
318 spin_unlock_bh(&xfrm_state_gc_lock);
319 schedule_work(&xfrm_state_gc_work);
321 EXPORT_SYMBOL(__xfrm_state_destroy);
323 int __xfrm_state_delete(struct xfrm_state *x)
327 if (x->km.state != XFRM_STATE_DEAD) {
328 x->km.state = XFRM_STATE_DEAD;
329 spin_lock(&xfrm_state_lock);
338 spin_unlock(&xfrm_state_lock);
339 if (del_timer(&x->timer))
341 if (del_timer(&x->rtimer))
344 /* The number two in this test is the reference
345 * mentioned in the comment below plus the reference
346 * our caller holds. A larger value means that
347 * there are DSTs attached to this xfrm_state.
349 if (atomic_read(&x->refcnt) > 2) {
350 xfrm_state_gc_flush_bundles = 1;
351 schedule_work(&xfrm_state_gc_work);
354 /* All xfrm_state objects are created by xfrm_state_alloc.
355 * The xfrm_state_alloc call gives a reference, and that
356 * is what we are dropping here.
364 EXPORT_SYMBOL(__xfrm_state_delete);
366 int xfrm_state_delete(struct xfrm_state *x)
370 spin_lock_bh(&x->lock);
371 err = __xfrm_state_delete(x);
372 spin_unlock_bh(&x->lock);
376 EXPORT_SYMBOL(xfrm_state_delete);
378 void xfrm_state_flush(u8 proto)
381 struct xfrm_state *x;
383 spin_lock_bh(&xfrm_state_lock);
384 for (i = 0; i < XFRM_DST_HSIZE; i++) {
386 list_for_each_entry(x, xfrm_state_bydst+i, bydst) {
387 if (!xfrm_state_kern(x) &&
388 xfrm_id_proto_match(x->id.proto, proto)) {
390 spin_unlock_bh(&xfrm_state_lock);
392 xfrm_state_delete(x);
395 spin_lock_bh(&xfrm_state_lock);
400 spin_unlock_bh(&xfrm_state_lock);
403 EXPORT_SYMBOL(xfrm_state_flush);
406 xfrm_init_tempsel(struct xfrm_state *x, struct flowi *fl,
407 struct xfrm_tmpl *tmpl,
408 xfrm_address_t *daddr, xfrm_address_t *saddr,
409 unsigned short family)
411 struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family);
414 afinfo->init_tempsel(x, fl, tmpl, daddr, saddr);
415 xfrm_state_put_afinfo(afinfo);
419 static struct xfrm_state *__xfrm_state_lookup(xfrm_address_t *daddr, u32 spi, u8 proto, unsigned short family)
421 unsigned int h = xfrm_spi_hash(daddr, spi, proto, family);
422 struct xfrm_state *x;
424 list_for_each_entry(x, xfrm_state_byspi+h, byspi) {
425 if (x->props.family != family ||
427 x->id.proto != proto)
432 if (x->id.daddr.a4 != daddr->a4)
436 if (!ipv6_addr_equal((struct in6_addr *)daddr,
450 static struct xfrm_state *__xfrm_state_lookup_byaddr(xfrm_address_t *daddr, xfrm_address_t *saddr, u8 proto, unsigned short family)
452 unsigned int h = xfrm_src_hash(saddr, family);
453 struct xfrm_state *x;
455 list_for_each_entry(x, xfrm_state_bysrc+h, bysrc) {
456 if (x->props.family != family ||
457 x->id.proto != proto)
462 if (x->id.daddr.a4 != daddr->a4 ||
463 x->props.saddr.a4 != saddr->a4)
467 if (!ipv6_addr_equal((struct in6_addr *)daddr,
470 !ipv6_addr_equal((struct in6_addr *)saddr,
484 static inline struct xfrm_state *
485 __xfrm_state_locate(struct xfrm_state *x, int use_spi, int family)
488 return __xfrm_state_lookup(&x->id.daddr, x->id.spi,
489 x->id.proto, family);
491 return __xfrm_state_lookup_byaddr(&x->id.daddr,
493 x->id.proto, family);
497 xfrm_state_find(xfrm_address_t *daddr, xfrm_address_t *saddr,
498 struct flowi *fl, struct xfrm_tmpl *tmpl,
499 struct xfrm_policy *pol, int *err,
500 unsigned short family)
502 unsigned h = xfrm_dst_hash(daddr, family);
503 struct xfrm_state *x, *x0;
504 int acquire_in_progress = 0;
506 struct xfrm_state *best = NULL;
508 spin_lock_bh(&xfrm_state_lock);
509 list_for_each_entry(x, xfrm_state_bydst+h, bydst) {
510 if (x->props.family == family &&
511 x->props.reqid == tmpl->reqid &&
512 !(x->props.flags & XFRM_STATE_WILDRECV) &&
513 xfrm_state_addr_check(x, daddr, saddr, family) &&
514 tmpl->mode == x->props.mode &&
515 tmpl->id.proto == x->id.proto &&
516 (tmpl->id.spi == x->id.spi || !tmpl->id.spi)) {
518 1. There is a valid state with matching selector.
520 2. Valid state with inappropriate selector. Skip.
522 Entering area of "sysdeps".
524 3. If state is not valid, selector is temporary,
525 it selects only session which triggered
526 previous resolution. Key manager will do
527 something to install a state with proper
530 if (x->km.state == XFRM_STATE_VALID) {
531 if (!xfrm_selector_match(&x->sel, fl, family) ||
532 !security_xfrm_state_pol_flow_match(x, pol, fl))
535 best->km.dying > x->km.dying ||
536 (best->km.dying == x->km.dying &&
537 best->curlft.add_time < x->curlft.add_time))
539 } else if (x->km.state == XFRM_STATE_ACQ) {
540 acquire_in_progress = 1;
541 } else if (x->km.state == XFRM_STATE_ERROR ||
542 x->km.state == XFRM_STATE_EXPIRED) {
543 if (xfrm_selector_match(&x->sel, fl, family) &&
544 security_xfrm_state_pol_flow_match(x, pol, fl))
551 if (!x && !error && !acquire_in_progress) {
553 (x0 = __xfrm_state_lookup(daddr, tmpl->id.spi,
554 tmpl->id.proto, family)) != NULL) {
559 x = xfrm_state_alloc();
564 /* Initialize temporary selector matching only
565 * to current session. */
566 xfrm_init_tempsel(x, fl, tmpl, daddr, saddr, family);
568 error = security_xfrm_state_alloc_acquire(x, pol->security, fl->secid);
570 x->km.state = XFRM_STATE_DEAD;
576 if (km_query(x, tmpl, pol) == 0) {
577 x->km.state = XFRM_STATE_ACQ;
578 list_add_tail(&x->bydst, xfrm_state_bydst+h);
580 list_add_tail(&x->bysrc, xfrm_state_bysrc+h);
583 h = xfrm_spi_hash(&x->id.daddr, x->id.spi, x->id.proto, family);
584 list_add(&x->byspi, xfrm_state_byspi+h);
587 x->lft.hard_add_expires_seconds = XFRM_ACQ_EXPIRES;
589 x->timer.expires = jiffies + XFRM_ACQ_EXPIRES*HZ;
590 add_timer(&x->timer);
592 x->km.state = XFRM_STATE_DEAD;
602 *err = acquire_in_progress ? -EAGAIN : error;
603 spin_unlock_bh(&xfrm_state_lock);
607 static void __xfrm_state_insert(struct xfrm_state *x)
609 unsigned h = xfrm_dst_hash(&x->id.daddr, x->props.family);
611 list_add(&x->bydst, xfrm_state_bydst+h);
614 h = xfrm_src_hash(&x->props.saddr, x->props.family);
616 list_add(&x->bysrc, xfrm_state_bysrc+h);
619 if (xfrm_id_proto_match(x->id.proto, IPSEC_PROTO_ANY)) {
620 h = xfrm_spi_hash(&x->id.daddr, x->id.spi, x->id.proto,
623 list_add(&x->byspi, xfrm_state_byspi+h);
627 if (!mod_timer(&x->timer, jiffies + HZ))
630 if (x->replay_maxage &&
631 !mod_timer(&x->rtimer, jiffies + x->replay_maxage))
637 void xfrm_state_insert(struct xfrm_state *x)
639 spin_lock_bh(&xfrm_state_lock);
640 __xfrm_state_insert(x);
641 spin_unlock_bh(&xfrm_state_lock);
643 xfrm_flush_all_bundles();
645 EXPORT_SYMBOL(xfrm_state_insert);
647 /* xfrm_state_lock is held */
648 static struct xfrm_state *__find_acq_core(unsigned short family, u8 mode, u32 reqid, u8 proto, xfrm_address_t *daddr, xfrm_address_t *saddr, int create)
650 unsigned int h = xfrm_dst_hash(daddr, family);
651 struct xfrm_state *x;
653 list_for_each_entry(x, xfrm_state_bydst+h, bydst) {
654 if (x->props.reqid != reqid ||
655 x->props.mode != mode ||
656 x->props.family != family ||
657 x->km.state != XFRM_STATE_ACQ ||
663 if (x->id.daddr.a4 != daddr->a4 ||
664 x->props.saddr.a4 != saddr->a4)
668 if (!ipv6_addr_equal((struct in6_addr *)x->id.daddr.a6,
669 (struct in6_addr *)daddr) ||
670 !ipv6_addr_equal((struct in6_addr *)
672 (struct in6_addr *)saddr))
684 x = xfrm_state_alloc();
688 x->sel.daddr.a4 = daddr->a4;
689 x->sel.saddr.a4 = saddr->a4;
690 x->sel.prefixlen_d = 32;
691 x->sel.prefixlen_s = 32;
692 x->props.saddr.a4 = saddr->a4;
693 x->id.daddr.a4 = daddr->a4;
697 ipv6_addr_copy((struct in6_addr *)x->sel.daddr.a6,
698 (struct in6_addr *)daddr);
699 ipv6_addr_copy((struct in6_addr *)x->sel.saddr.a6,
700 (struct in6_addr *)saddr);
701 x->sel.prefixlen_d = 128;
702 x->sel.prefixlen_s = 128;
703 ipv6_addr_copy((struct in6_addr *)x->props.saddr.a6,
704 (struct in6_addr *)saddr);
705 ipv6_addr_copy((struct in6_addr *)x->id.daddr.a6,
706 (struct in6_addr *)daddr);
710 x->km.state = XFRM_STATE_ACQ;
712 x->props.family = family;
713 x->props.mode = mode;
714 x->props.reqid = reqid;
715 x->lft.hard_add_expires_seconds = XFRM_ACQ_EXPIRES;
717 x->timer.expires = jiffies + XFRM_ACQ_EXPIRES*HZ;
718 add_timer(&x->timer);
720 list_add_tail(&x->bydst, xfrm_state_bydst+h);
721 h = xfrm_src_hash(saddr, family);
723 list_add_tail(&x->bysrc, xfrm_state_bysrc+h);
730 static struct xfrm_state *__xfrm_find_acq_byseq(u32 seq);
732 int xfrm_state_add(struct xfrm_state *x)
734 struct xfrm_state *x1;
737 int use_spi = xfrm_id_proto_match(x->id.proto, IPSEC_PROTO_ANY);
739 family = x->props.family;
741 spin_lock_bh(&xfrm_state_lock);
743 x1 = __xfrm_state_locate(x, use_spi, family);
751 if (use_spi && x->km.seq) {
752 x1 = __xfrm_find_acq_byseq(x->km.seq);
753 if (x1 && xfrm_addr_cmp(&x1->id.daddr, &x->id.daddr, family)) {
760 x1 = __find_acq_core(family, x->props.mode, x->props.reqid,
762 &x->id.daddr, &x->props.saddr, 0);
764 __xfrm_state_insert(x);
768 spin_unlock_bh(&xfrm_state_lock);
771 xfrm_flush_all_bundles();
774 xfrm_state_delete(x1);
780 EXPORT_SYMBOL(xfrm_state_add);
782 int xfrm_state_update(struct xfrm_state *x)
784 struct xfrm_state *x1;
786 int use_spi = xfrm_id_proto_match(x->id.proto, IPSEC_PROTO_ANY);
788 spin_lock_bh(&xfrm_state_lock);
789 x1 = __xfrm_state_locate(x, use_spi, x->props.family);
795 if (xfrm_state_kern(x1)) {
801 if (x1->km.state == XFRM_STATE_ACQ) {
802 __xfrm_state_insert(x);
808 spin_unlock_bh(&xfrm_state_lock);
814 xfrm_state_delete(x1);
820 spin_lock_bh(&x1->lock);
821 if (likely(x1->km.state == XFRM_STATE_VALID)) {
822 if (x->encap && x1->encap)
823 memcpy(x1->encap, x->encap, sizeof(*x1->encap));
824 if (x->coaddr && x1->coaddr) {
825 memcpy(x1->coaddr, x->coaddr, sizeof(*x1->coaddr));
827 if (!use_spi && memcmp(&x1->sel, &x->sel, sizeof(x1->sel)))
828 memcpy(&x1->sel, &x->sel, sizeof(x1->sel));
829 memcpy(&x1->lft, &x->lft, sizeof(x1->lft));
832 if (!mod_timer(&x1->timer, jiffies + HZ))
834 if (x1->curlft.use_time)
835 xfrm_state_check_expire(x1);
839 spin_unlock_bh(&x1->lock);
845 EXPORT_SYMBOL(xfrm_state_update);
847 int xfrm_state_check_expire(struct xfrm_state *x)
849 if (!x->curlft.use_time)
850 x->curlft.use_time = (unsigned long)xtime.tv_sec;
852 if (x->km.state != XFRM_STATE_VALID)
855 if (x->curlft.bytes >= x->lft.hard_byte_limit ||
856 x->curlft.packets >= x->lft.hard_packet_limit) {
857 x->km.state = XFRM_STATE_EXPIRED;
858 if (!mod_timer(&x->timer, jiffies))
864 (x->curlft.bytes >= x->lft.soft_byte_limit ||
865 x->curlft.packets >= x->lft.soft_packet_limit)) {
867 km_state_expired(x, 0, 0);
871 EXPORT_SYMBOL(xfrm_state_check_expire);
873 static int xfrm_state_check_space(struct xfrm_state *x, struct sk_buff *skb)
875 int nhead = x->props.header_len + LL_RESERVED_SPACE(skb->dst->dev)
879 return pskb_expand_head(skb, nhead, 0, GFP_ATOMIC);
881 /* Check tail too... */
885 int xfrm_state_check(struct xfrm_state *x, struct sk_buff *skb)
887 int err = xfrm_state_check_expire(x);
890 err = xfrm_state_check_space(x, skb);
894 EXPORT_SYMBOL(xfrm_state_check);
897 xfrm_state_lookup(xfrm_address_t *daddr, u32 spi, u8 proto,
898 unsigned short family)
900 struct xfrm_state *x;
902 spin_lock_bh(&xfrm_state_lock);
903 x = __xfrm_state_lookup(daddr, spi, proto, family);
904 spin_unlock_bh(&xfrm_state_lock);
907 EXPORT_SYMBOL(xfrm_state_lookup);
910 xfrm_state_lookup_byaddr(xfrm_address_t *daddr, xfrm_address_t *saddr,
911 u8 proto, unsigned short family)
913 struct xfrm_state *x;
915 spin_lock_bh(&xfrm_state_lock);
916 x = __xfrm_state_lookup_byaddr(daddr, saddr, proto, family);
917 spin_unlock_bh(&xfrm_state_lock);
920 EXPORT_SYMBOL(xfrm_state_lookup_byaddr);
923 xfrm_find_acq(u8 mode, u32 reqid, u8 proto,
924 xfrm_address_t *daddr, xfrm_address_t *saddr,
925 int create, unsigned short family)
927 struct xfrm_state *x;
929 spin_lock_bh(&xfrm_state_lock);
930 x = __find_acq_core(family, mode, reqid, proto, daddr, saddr, create);
931 spin_unlock_bh(&xfrm_state_lock);
935 EXPORT_SYMBOL(xfrm_find_acq);
937 #ifdef CONFIG_XFRM_SUB_POLICY
939 xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, int n,
940 unsigned short family)
943 struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family);
945 return -EAFNOSUPPORT;
947 spin_lock_bh(&xfrm_state_lock);
948 if (afinfo->tmpl_sort)
949 err = afinfo->tmpl_sort(dst, src, n);
950 spin_unlock_bh(&xfrm_state_lock);
951 xfrm_state_put_afinfo(afinfo);
954 EXPORT_SYMBOL(xfrm_tmpl_sort);
957 xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src, int n,
958 unsigned short family)
961 struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family);
963 return -EAFNOSUPPORT;
965 spin_lock_bh(&xfrm_state_lock);
966 if (afinfo->state_sort)
967 err = afinfo->state_sort(dst, src, n);
968 spin_unlock_bh(&xfrm_state_lock);
969 xfrm_state_put_afinfo(afinfo);
972 EXPORT_SYMBOL(xfrm_state_sort);
975 /* Silly enough, but I'm lazy to build resolution list */
977 static struct xfrm_state *__xfrm_find_acq_byseq(u32 seq)
980 struct xfrm_state *x;
982 for (i = 0; i < XFRM_DST_HSIZE; i++) {
983 list_for_each_entry(x, xfrm_state_bydst+i, bydst) {
984 if (x->km.seq == seq && x->km.state == XFRM_STATE_ACQ) {
993 struct xfrm_state *xfrm_find_acq_byseq(u32 seq)
995 struct xfrm_state *x;
997 spin_lock_bh(&xfrm_state_lock);
998 x = __xfrm_find_acq_byseq(seq);
999 spin_unlock_bh(&xfrm_state_lock);
1002 EXPORT_SYMBOL(xfrm_find_acq_byseq);
1004 u32 xfrm_get_acqseq(void)
1008 static DEFINE_SPINLOCK(acqseq_lock);
1010 spin_lock_bh(&acqseq_lock);
1011 res = (++acqseq ? : ++acqseq);
1012 spin_unlock_bh(&acqseq_lock);
1015 EXPORT_SYMBOL(xfrm_get_acqseq);
1018 xfrm_alloc_spi(struct xfrm_state *x, u32 minspi, u32 maxspi)
1021 struct xfrm_state *x0;
1026 if (minspi == maxspi) {
1027 x0 = xfrm_state_lookup(&x->id.daddr, minspi, x->id.proto, x->props.family);
1035 minspi = ntohl(minspi);
1036 maxspi = ntohl(maxspi);
1037 for (h=0; h<maxspi-minspi+1; h++) {
1038 spi = minspi + net_random()%(maxspi-minspi+1);
1039 x0 = xfrm_state_lookup(&x->id.daddr, htonl(spi), x->id.proto, x->props.family);
1041 x->id.spi = htonl(spi);
1048 spin_lock_bh(&xfrm_state_lock);
1049 h = xfrm_spi_hash(&x->id.daddr, x->id.spi, x->id.proto, x->props.family);
1050 list_add(&x->byspi, xfrm_state_byspi+h);
1052 spin_unlock_bh(&xfrm_state_lock);
1056 EXPORT_SYMBOL(xfrm_alloc_spi);
1058 int xfrm_state_walk(u8 proto, int (*func)(struct xfrm_state *, int, void*),
1062 struct xfrm_state *x;
1066 spin_lock_bh(&xfrm_state_lock);
1067 for (i = 0; i < XFRM_DST_HSIZE; i++) {
1068 list_for_each_entry(x, xfrm_state_bydst+i, bydst) {
1069 if (xfrm_id_proto_match(x->id.proto, proto))
1078 for (i = 0; i < XFRM_DST_HSIZE; i++) {
1079 list_for_each_entry(x, xfrm_state_bydst+i, bydst) {
1080 if (!xfrm_id_proto_match(x->id.proto, proto))
1082 err = func(x, --count, data);
1088 spin_unlock_bh(&xfrm_state_lock);
1091 EXPORT_SYMBOL(xfrm_state_walk);
1094 void xfrm_replay_notify(struct xfrm_state *x, int event)
1097 /* we send notify messages in case
1098 * 1. we updated on of the sequence numbers, and the seqno difference
1099 * is at least x->replay_maxdiff, in this case we also update the
1100 * timeout of our timer function
1101 * 2. if x->replay_maxage has elapsed since last update,
1102 * and there were changes
1104 * The state structure must be locked!
1108 case XFRM_REPLAY_UPDATE:
1109 if (x->replay_maxdiff &&
1110 (x->replay.seq - x->preplay.seq < x->replay_maxdiff) &&
1111 (x->replay.oseq - x->preplay.oseq < x->replay_maxdiff)) {
1112 if (x->xflags & XFRM_TIME_DEFER)
1113 event = XFRM_REPLAY_TIMEOUT;
1120 case XFRM_REPLAY_TIMEOUT:
1121 if ((x->replay.seq == x->preplay.seq) &&
1122 (x->replay.bitmap == x->preplay.bitmap) &&
1123 (x->replay.oseq == x->preplay.oseq)) {
1124 x->xflags |= XFRM_TIME_DEFER;
1131 memcpy(&x->preplay, &x->replay, sizeof(struct xfrm_replay_state));
1132 c.event = XFRM_MSG_NEWAE;
1133 c.data.aevent = event;
1134 km_state_notify(x, &c);
1136 if (x->replay_maxage &&
1137 !mod_timer(&x->rtimer, jiffies + x->replay_maxage)) {
1139 x->xflags &= ~XFRM_TIME_DEFER;
1142 EXPORT_SYMBOL(xfrm_replay_notify);
1144 static void xfrm_replay_timer_handler(unsigned long data)
1146 struct xfrm_state *x = (struct xfrm_state*)data;
1148 spin_lock(&x->lock);
1150 if (x->km.state == XFRM_STATE_VALID) {
1151 if (xfrm_aevent_is_on())
1152 xfrm_replay_notify(x, XFRM_REPLAY_TIMEOUT);
1154 x->xflags |= XFRM_TIME_DEFER;
1157 spin_unlock(&x->lock);
1161 int xfrm_replay_check(struct xfrm_state *x, u32 seq)
1167 if (unlikely(seq == 0))
1170 if (likely(seq > x->replay.seq))
1173 diff = x->replay.seq - seq;
1174 if (diff >= x->props.replay_window) {
1175 x->stats.replay_window++;
1179 if (x->replay.bitmap & (1U << diff)) {
1185 EXPORT_SYMBOL(xfrm_replay_check);
1187 void xfrm_replay_advance(struct xfrm_state *x, u32 seq)
1193 if (seq > x->replay.seq) {
1194 diff = seq - x->replay.seq;
1195 if (diff < x->props.replay_window)
1196 x->replay.bitmap = ((x->replay.bitmap) << diff) | 1;
1198 x->replay.bitmap = 1;
1199 x->replay.seq = seq;
1201 diff = x->replay.seq - seq;
1202 x->replay.bitmap |= (1U << diff);
1205 if (xfrm_aevent_is_on())
1206 xfrm_replay_notify(x, XFRM_REPLAY_UPDATE);
1208 EXPORT_SYMBOL(xfrm_replay_advance);
1210 static struct list_head xfrm_km_list = LIST_HEAD_INIT(xfrm_km_list);
1211 static DEFINE_RWLOCK(xfrm_km_lock);
1213 void km_policy_notify(struct xfrm_policy *xp, int dir, struct km_event *c)
1215 struct xfrm_mgr *km;
1217 read_lock(&xfrm_km_lock);
1218 list_for_each_entry(km, &xfrm_km_list, list)
1219 if (km->notify_policy)
1220 km->notify_policy(xp, dir, c);
1221 read_unlock(&xfrm_km_lock);
1224 void km_state_notify(struct xfrm_state *x, struct km_event *c)
1226 struct xfrm_mgr *km;
1227 read_lock(&xfrm_km_lock);
1228 list_for_each_entry(km, &xfrm_km_list, list)
1231 read_unlock(&xfrm_km_lock);
1234 EXPORT_SYMBOL(km_policy_notify);
1235 EXPORT_SYMBOL(km_state_notify);
1237 void km_state_expired(struct xfrm_state *x, int hard, u32 pid)
1243 c.event = XFRM_MSG_EXPIRE;
1244 km_state_notify(x, &c);
1250 EXPORT_SYMBOL(km_state_expired);
1252 * We send to all registered managers regardless of failure
1253 * We are happy with one success
1255 int km_query(struct xfrm_state *x, struct xfrm_tmpl *t, struct xfrm_policy *pol)
1257 int err = -EINVAL, acqret;
1258 struct xfrm_mgr *km;
1260 read_lock(&xfrm_km_lock);
1261 list_for_each_entry(km, &xfrm_km_list, list) {
1262 acqret = km->acquire(x, t, pol, XFRM_POLICY_OUT);
1266 read_unlock(&xfrm_km_lock);
1269 EXPORT_SYMBOL(km_query);
1271 int km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, u16 sport)
1274 struct xfrm_mgr *km;
1276 read_lock(&xfrm_km_lock);
1277 list_for_each_entry(km, &xfrm_km_list, list) {
1278 if (km->new_mapping)
1279 err = km->new_mapping(x, ipaddr, sport);
1283 read_unlock(&xfrm_km_lock);
1286 EXPORT_SYMBOL(km_new_mapping);
1288 void km_policy_expired(struct xfrm_policy *pol, int dir, int hard, u32 pid)
1294 c.event = XFRM_MSG_POLEXPIRE;
1295 km_policy_notify(pol, dir, &c);
1300 EXPORT_SYMBOL(km_policy_expired);
1302 int km_report(u8 proto, struct xfrm_selector *sel, xfrm_address_t *addr)
1306 struct xfrm_mgr *km;
1308 read_lock(&xfrm_km_lock);
1309 list_for_each_entry(km, &xfrm_km_list, list) {
1311 ret = km->report(proto, sel, addr);
1316 read_unlock(&xfrm_km_lock);
1319 EXPORT_SYMBOL(km_report);
1321 int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen)
1325 struct xfrm_mgr *km;
1326 struct xfrm_policy *pol = NULL;
1328 if (optlen <= 0 || optlen > PAGE_SIZE)
1331 data = kmalloc(optlen, GFP_KERNEL);
1336 if (copy_from_user(data, optval, optlen))
1340 read_lock(&xfrm_km_lock);
1341 list_for_each_entry(km, &xfrm_km_list, list) {
1342 pol = km->compile_policy(sk, optname, data,
1347 read_unlock(&xfrm_km_lock);
1350 xfrm_sk_policy_insert(sk, err, pol);
1359 EXPORT_SYMBOL(xfrm_user_policy);
1361 int xfrm_register_km(struct xfrm_mgr *km)
1363 write_lock_bh(&xfrm_km_lock);
1364 list_add_tail(&km->list, &xfrm_km_list);
1365 write_unlock_bh(&xfrm_km_lock);
1368 EXPORT_SYMBOL(xfrm_register_km);
1370 int xfrm_unregister_km(struct xfrm_mgr *km)
1372 write_lock_bh(&xfrm_km_lock);
1373 list_del(&km->list);
1374 write_unlock_bh(&xfrm_km_lock);
1377 EXPORT_SYMBOL(xfrm_unregister_km);
1379 int xfrm_state_register_afinfo(struct xfrm_state_afinfo *afinfo)
1382 if (unlikely(afinfo == NULL))
1384 if (unlikely(afinfo->family >= NPROTO))
1385 return -EAFNOSUPPORT;
1386 write_lock_bh(&xfrm_state_afinfo_lock);
1387 if (unlikely(xfrm_state_afinfo[afinfo->family] != NULL))
1390 xfrm_state_afinfo[afinfo->family] = afinfo;
1391 write_unlock_bh(&xfrm_state_afinfo_lock);
1394 EXPORT_SYMBOL(xfrm_state_register_afinfo);
1396 int xfrm_state_unregister_afinfo(struct xfrm_state_afinfo *afinfo)
1399 if (unlikely(afinfo == NULL))
1401 if (unlikely(afinfo->family >= NPROTO))
1402 return -EAFNOSUPPORT;
1403 write_lock_bh(&xfrm_state_afinfo_lock);
1404 if (likely(xfrm_state_afinfo[afinfo->family] != NULL)) {
1405 if (unlikely(xfrm_state_afinfo[afinfo->family] != afinfo))
1408 xfrm_state_afinfo[afinfo->family] = NULL;
1410 write_unlock_bh(&xfrm_state_afinfo_lock);
1413 EXPORT_SYMBOL(xfrm_state_unregister_afinfo);
1415 static struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned short family)
1417 struct xfrm_state_afinfo *afinfo;
1418 if (unlikely(family >= NPROTO))
1420 read_lock(&xfrm_state_afinfo_lock);
1421 afinfo = xfrm_state_afinfo[family];
1422 if (unlikely(!afinfo))
1423 read_unlock(&xfrm_state_afinfo_lock);
1427 static void xfrm_state_put_afinfo(struct xfrm_state_afinfo *afinfo)
1429 read_unlock(&xfrm_state_afinfo_lock);
1432 /* Temporarily located here until net/xfrm/xfrm_tunnel.c is created */
1433 void xfrm_state_delete_tunnel(struct xfrm_state *x)
1436 struct xfrm_state *t = x->tunnel;
1438 if (atomic_read(&t->tunnel_users) == 2)
1439 xfrm_state_delete(t);
1440 atomic_dec(&t->tunnel_users);
1445 EXPORT_SYMBOL(xfrm_state_delete_tunnel);
1448 * This function is NOT optimal. For example, with ESP it will give an
1449 * MTU that's usually two bytes short of being optimal. However, it will
1450 * usually give an answer that's a multiple of 4 provided the input is
1451 * also a multiple of 4.
1453 int xfrm_state_mtu(struct xfrm_state *x, int mtu)
1457 res -= x->props.header_len;
1465 spin_lock_bh(&x->lock);
1466 if (x->km.state == XFRM_STATE_VALID &&
1467 x->type && x->type->get_max_size)
1468 m = x->type->get_max_size(x, m);
1470 m += x->props.header_len;
1471 spin_unlock_bh(&x->lock);
1481 int xfrm_init_state(struct xfrm_state *x)
1483 struct xfrm_state_afinfo *afinfo;
1484 int family = x->props.family;
1487 err = -EAFNOSUPPORT;
1488 afinfo = xfrm_state_get_afinfo(family);
1493 if (afinfo->init_flags)
1494 err = afinfo->init_flags(x);
1496 xfrm_state_put_afinfo(afinfo);
1501 err = -EPROTONOSUPPORT;
1502 x->type = xfrm_get_type(x->id.proto, family);
1503 if (x->type == NULL)
1506 err = x->type->init_state(x);
1510 x->mode = xfrm_get_mode(x->props.mode, family);
1511 if (x->mode == NULL)
1514 x->km.state = XFRM_STATE_VALID;
1520 EXPORT_SYMBOL(xfrm_init_state);
1522 void __init xfrm_state_init(void)
1526 for (i=0; i<XFRM_DST_HSIZE; i++) {
1527 INIT_LIST_HEAD(&xfrm_state_bydst[i]);
1528 INIT_LIST_HEAD(&xfrm_state_bysrc[i]);
1529 INIT_LIST_HEAD(&xfrm_state_byspi[i]);
1531 INIT_WORK(&xfrm_state_gc_work, xfrm_state_gc_task, NULL);
projects / ~andy / linux / blob