6 * Kazunori MIYAZAWA @USAGI
7 * Kunihiro Ishiguro <kunihiro@ipinfusion.com>
9 * YOSHIFUJI Hideaki @USAGI
10 * Split up af-specific functions
11 * Derek Atkins <derek@ihtfp.com>
12 * Add UDP Encapsulation
16 #include <linux/workqueue.h>
18 #include <linux/pfkeyv2.h>
19 #include <linux/ipsec.h>
20 #include <linux/module.h>
21 #include <linux/cache.h>
22 #include <asm/uaccess.h>
23 #include <linux/audit.h>
25 #include "xfrm_hash.h"
28 EXPORT_SYMBOL(xfrm_nl);
30 u32 sysctl_xfrm_aevent_etime = XFRM_AE_ETIME;
31 EXPORT_SYMBOL(sysctl_xfrm_aevent_etime);
33 u32 sysctl_xfrm_aevent_rseqth = XFRM_AE_SEQT_SIZE;
34 EXPORT_SYMBOL(sysctl_xfrm_aevent_rseqth);
36 /* Each xfrm_state may be linked to two tables:
38 1. Hash table by (spi,daddr,ah/esp) to find SA by SPI. (input,ctl)
39 2. Hash table by (daddr,family,reqid) to find what SAs exist for given
40 destination/tunnel endpoint. (output)
43 static DEFINE_SPINLOCK(xfrm_state_lock);
45 /* Hash table to find appropriate SA towards given target (endpoint
46 * of tunnel or destination of transport mode) allowed by selector.
48 * Main use is finding SA after policy selected tunnel or transport mode.
49 * Also, it can be used by ah/esp icmp error handler to find offending SA.
51 static struct hlist_head *xfrm_state_bydst __read_mostly;
52 static struct hlist_head *xfrm_state_bysrc __read_mostly;
53 static struct hlist_head *xfrm_state_byspi __read_mostly;
54 static unsigned int xfrm_state_hmask __read_mostly;
55 static unsigned int xfrm_state_hashmax __read_mostly = 1 * 1024 * 1024;
56 static unsigned int xfrm_state_num;
57 static unsigned int xfrm_state_genid;
59 static inline unsigned int xfrm_dst_hash(xfrm_address_t *daddr,
60 xfrm_address_t *saddr,
62 unsigned short family)
64 return __xfrm_dst_hash(daddr, saddr, reqid, family, xfrm_state_hmask);
67 static inline unsigned int xfrm_src_hash(xfrm_address_t *daddr,
68 xfrm_address_t *saddr,
69 unsigned short family)
71 return __xfrm_src_hash(daddr, saddr, family, xfrm_state_hmask);
74 static inline unsigned int
75 xfrm_spi_hash(xfrm_address_t *daddr, __be32 spi, u8 proto, unsigned short family)
77 return __xfrm_spi_hash(daddr, spi, proto, family, xfrm_state_hmask);
80 static void xfrm_hash_transfer(struct hlist_head *list,
81 struct hlist_head *ndsttable,
82 struct hlist_head *nsrctable,
83 struct hlist_head *nspitable,
84 unsigned int nhashmask)
86 struct hlist_node *entry, *tmp;
89 hlist_for_each_entry_safe(x, entry, tmp, list, bydst) {
92 h = __xfrm_dst_hash(&x->id.daddr, &x->props.saddr,
93 x->props.reqid, x->props.family,
95 hlist_add_head(&x->bydst, ndsttable+h);
97 h = __xfrm_src_hash(&x->id.daddr, &x->props.saddr,
100 hlist_add_head(&x->bysrc, nsrctable+h);
103 h = __xfrm_spi_hash(&x->id.daddr, x->id.spi,
104 x->id.proto, x->props.family,
106 hlist_add_head(&x->byspi, nspitable+h);
111 static unsigned long xfrm_hash_new_size(void)
113 return ((xfrm_state_hmask + 1) << 1) *
114 sizeof(struct hlist_head);
117 static DEFINE_MUTEX(hash_resize_mutex);
119 static void xfrm_hash_resize(struct work_struct *__unused)
121 struct hlist_head *ndst, *nsrc, *nspi, *odst, *osrc, *ospi;
122 unsigned long nsize, osize;
123 unsigned int nhashmask, ohashmask;
126 mutex_lock(&hash_resize_mutex);
128 nsize = xfrm_hash_new_size();
129 ndst = xfrm_hash_alloc(nsize);
132 nsrc = xfrm_hash_alloc(nsize);
134 xfrm_hash_free(ndst, nsize);
137 nspi = xfrm_hash_alloc(nsize);
139 xfrm_hash_free(ndst, nsize);
140 xfrm_hash_free(nsrc, nsize);
144 spin_lock_bh(&xfrm_state_lock);
146 nhashmask = (nsize / sizeof(struct hlist_head)) - 1U;
147 for (i = xfrm_state_hmask; i >= 0; i--)
148 xfrm_hash_transfer(xfrm_state_bydst+i, ndst, nsrc, nspi,
151 odst = xfrm_state_bydst;
152 osrc = xfrm_state_bysrc;
153 ospi = xfrm_state_byspi;
154 ohashmask = xfrm_state_hmask;
156 xfrm_state_bydst = ndst;
157 xfrm_state_bysrc = nsrc;
158 xfrm_state_byspi = nspi;
159 xfrm_state_hmask = nhashmask;
161 spin_unlock_bh(&xfrm_state_lock);
163 osize = (ohashmask + 1) * sizeof(struct hlist_head);
164 xfrm_hash_free(odst, osize);
165 xfrm_hash_free(osrc, osize);
166 xfrm_hash_free(ospi, osize);
169 mutex_unlock(&hash_resize_mutex);
172 static DECLARE_WORK(xfrm_hash_work, xfrm_hash_resize);
174 DECLARE_WAIT_QUEUE_HEAD(km_waitq);
175 EXPORT_SYMBOL(km_waitq);
177 static DEFINE_RWLOCK(xfrm_state_afinfo_lock);
178 static struct xfrm_state_afinfo *xfrm_state_afinfo[NPROTO];
180 static struct work_struct xfrm_state_gc_work;
181 static HLIST_HEAD(xfrm_state_gc_list);
182 static DEFINE_SPINLOCK(xfrm_state_gc_lock);
184 int __xfrm_state_delete(struct xfrm_state *x);
186 int km_query(struct xfrm_state *x, struct xfrm_tmpl *t, struct xfrm_policy *pol);
187 void km_state_expired(struct xfrm_state *x, int hard, u32 pid);
189 static void xfrm_state_gc_destroy(struct xfrm_state *x)
191 del_timer_sync(&x->timer);
192 del_timer_sync(&x->rtimer);
199 xfrm_put_mode(x->mode);
201 x->type->destructor(x);
202 xfrm_put_type(x->type);
204 security_xfrm_state_free(x);
208 static void xfrm_state_gc_task(struct work_struct *data)
210 struct xfrm_state *x;
211 struct hlist_node *entry, *tmp;
212 struct hlist_head gc_list;
214 spin_lock_bh(&xfrm_state_gc_lock);
215 gc_list.first = xfrm_state_gc_list.first;
216 INIT_HLIST_HEAD(&xfrm_state_gc_list);
217 spin_unlock_bh(&xfrm_state_gc_lock);
219 hlist_for_each_entry_safe(x, entry, tmp, &gc_list, bydst)
220 xfrm_state_gc_destroy(x);
225 static inline unsigned long make_jiffies(long secs)
227 if (secs >= (MAX_SCHEDULE_TIMEOUT-1)/HZ)
228 return MAX_SCHEDULE_TIMEOUT-1;
233 static void xfrm_timer_handler(unsigned long data)
235 struct xfrm_state *x = (struct xfrm_state*)data;
236 unsigned long now = get_seconds();
237 long next = LONG_MAX;
242 if (x->km.state == XFRM_STATE_DEAD)
244 if (x->km.state == XFRM_STATE_EXPIRED)
246 if (x->lft.hard_add_expires_seconds) {
247 long tmo = x->lft.hard_add_expires_seconds +
248 x->curlft.add_time - now;
254 if (x->lft.hard_use_expires_seconds) {
255 long tmo = x->lft.hard_use_expires_seconds +
256 (x->curlft.use_time ? : now) - now;
264 if (x->lft.soft_add_expires_seconds) {
265 long tmo = x->lft.soft_add_expires_seconds +
266 x->curlft.add_time - now;
272 if (x->lft.soft_use_expires_seconds) {
273 long tmo = x->lft.soft_use_expires_seconds +
274 (x->curlft.use_time ? : now) - now;
283 km_state_expired(x, 0, 0);
285 if (next != LONG_MAX)
286 mod_timer(&x->timer, jiffies + make_jiffies(next));
291 if (x->km.state == XFRM_STATE_ACQ && x->id.spi == 0) {
292 x->km.state = XFRM_STATE_EXPIRED;
298 err = __xfrm_state_delete(x);
299 if (!err && x->id.spi)
300 km_state_expired(x, 1, 0);
302 xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
303 AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x);
306 spin_unlock(&x->lock);
309 static void xfrm_replay_timer_handler(unsigned long data);
311 struct xfrm_state *xfrm_state_alloc(void)
313 struct xfrm_state *x;
315 x = kzalloc(sizeof(struct xfrm_state), GFP_ATOMIC);
318 atomic_set(&x->refcnt, 1);
319 atomic_set(&x->tunnel_users, 0);
320 INIT_HLIST_NODE(&x->bydst);
321 INIT_HLIST_NODE(&x->bysrc);
322 INIT_HLIST_NODE(&x->byspi);
323 init_timer(&x->timer);
324 x->timer.function = xfrm_timer_handler;
325 x->timer.data = (unsigned long)x;
326 init_timer(&x->rtimer);
327 x->rtimer.function = xfrm_replay_timer_handler;
328 x->rtimer.data = (unsigned long)x;
329 x->curlft.add_time = get_seconds();
330 x->lft.soft_byte_limit = XFRM_INF;
331 x->lft.soft_packet_limit = XFRM_INF;
332 x->lft.hard_byte_limit = XFRM_INF;
333 x->lft.hard_packet_limit = XFRM_INF;
334 x->replay_maxage = 0;
335 x->replay_maxdiff = 0;
336 spin_lock_init(&x->lock);
340 EXPORT_SYMBOL(xfrm_state_alloc);
342 void __xfrm_state_destroy(struct xfrm_state *x)
344 BUG_TRAP(x->km.state == XFRM_STATE_DEAD);
346 spin_lock_bh(&xfrm_state_gc_lock);
347 hlist_add_head(&x->bydst, &xfrm_state_gc_list);
348 spin_unlock_bh(&xfrm_state_gc_lock);
349 schedule_work(&xfrm_state_gc_work);
351 EXPORT_SYMBOL(__xfrm_state_destroy);
353 int __xfrm_state_delete(struct xfrm_state *x)
357 if (x->km.state != XFRM_STATE_DEAD) {
358 x->km.state = XFRM_STATE_DEAD;
359 spin_lock(&xfrm_state_lock);
360 hlist_del(&x->bydst);
361 hlist_del(&x->bysrc);
363 hlist_del(&x->byspi);
365 spin_unlock(&xfrm_state_lock);
367 /* All xfrm_state objects are created by xfrm_state_alloc.
368 * The xfrm_state_alloc call gives a reference, and that
369 * is what we are dropping here.
377 EXPORT_SYMBOL(__xfrm_state_delete);
379 int xfrm_state_delete(struct xfrm_state *x)
383 spin_lock_bh(&x->lock);
384 err = __xfrm_state_delete(x);
385 spin_unlock_bh(&x->lock);
389 EXPORT_SYMBOL(xfrm_state_delete);
391 void xfrm_state_flush(u8 proto, struct xfrm_audit *audit_info)
396 spin_lock_bh(&xfrm_state_lock);
397 for (i = 0; i <= xfrm_state_hmask; i++) {
398 struct hlist_node *entry;
399 struct xfrm_state *x;
401 hlist_for_each_entry(x, entry, xfrm_state_bydst+i, bydst) {
402 if (!xfrm_state_kern(x) &&
403 xfrm_id_proto_match(x->id.proto, proto)) {
405 spin_unlock_bh(&xfrm_state_lock);
407 err = xfrm_state_delete(x);
408 xfrm_audit_log(audit_info->loginuid,
410 AUDIT_MAC_IPSEC_DELSA,
411 err ? 0 : 1, NULL, x);
414 spin_lock_bh(&xfrm_state_lock);
419 spin_unlock_bh(&xfrm_state_lock);
422 EXPORT_SYMBOL(xfrm_state_flush);
424 void xfrm_sad_getinfo(struct xfrmk_sadinfo *si)
426 spin_lock_bh(&xfrm_state_lock);
427 si->sadcnt = xfrm_state_num;
428 si->sadhcnt = xfrm_state_hmask;
429 si->sadhmcnt = xfrm_state_hashmax;
430 spin_unlock_bh(&xfrm_state_lock);
432 EXPORT_SYMBOL(xfrm_sad_getinfo);
435 xfrm_init_tempsel(struct xfrm_state *x, struct flowi *fl,
436 struct xfrm_tmpl *tmpl,
437 xfrm_address_t *daddr, xfrm_address_t *saddr,
438 unsigned short family)
440 struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family);
443 afinfo->init_tempsel(x, fl, tmpl, daddr, saddr);
444 xfrm_state_put_afinfo(afinfo);
448 static struct xfrm_state *__xfrm_state_lookup(xfrm_address_t *daddr, __be32 spi, u8 proto, unsigned short family)
450 unsigned int h = xfrm_spi_hash(daddr, spi, proto, family);
451 struct xfrm_state *x;
452 struct hlist_node *entry;
454 hlist_for_each_entry(x, entry, xfrm_state_byspi+h, byspi) {
455 if (x->props.family != family ||
457 x->id.proto != proto)
462 if (x->id.daddr.a4 != daddr->a4)
466 if (!ipv6_addr_equal((struct in6_addr *)daddr,
480 static struct xfrm_state *__xfrm_state_lookup_byaddr(xfrm_address_t *daddr, xfrm_address_t *saddr, u8 proto, unsigned short family)
482 unsigned int h = xfrm_src_hash(daddr, saddr, family);
483 struct xfrm_state *x;
484 struct hlist_node *entry;
486 hlist_for_each_entry(x, entry, xfrm_state_bysrc+h, bysrc) {
487 if (x->props.family != family ||
488 x->id.proto != proto)
493 if (x->id.daddr.a4 != daddr->a4 ||
494 x->props.saddr.a4 != saddr->a4)
498 if (!ipv6_addr_equal((struct in6_addr *)daddr,
501 !ipv6_addr_equal((struct in6_addr *)saddr,
515 static inline struct xfrm_state *
516 __xfrm_state_locate(struct xfrm_state *x, int use_spi, int family)
519 return __xfrm_state_lookup(&x->id.daddr, x->id.spi,
520 x->id.proto, family);
522 return __xfrm_state_lookup_byaddr(&x->id.daddr,
524 x->id.proto, family);
527 static void xfrm_hash_grow_check(int have_hash_collision)
529 if (have_hash_collision &&
530 (xfrm_state_hmask + 1) < xfrm_state_hashmax &&
531 xfrm_state_num > xfrm_state_hmask)
532 schedule_work(&xfrm_hash_work);
536 xfrm_state_find(xfrm_address_t *daddr, xfrm_address_t *saddr,
537 struct flowi *fl, struct xfrm_tmpl *tmpl,
538 struct xfrm_policy *pol, int *err,
539 unsigned short family)
541 unsigned int h = xfrm_dst_hash(daddr, saddr, tmpl->reqid, family);
542 struct hlist_node *entry;
543 struct xfrm_state *x, *x0;
544 int acquire_in_progress = 0;
546 struct xfrm_state *best = NULL;
548 spin_lock_bh(&xfrm_state_lock);
549 hlist_for_each_entry(x, entry, xfrm_state_bydst+h, bydst) {
550 if (x->props.family == family &&
551 x->props.reqid == tmpl->reqid &&
552 !(x->props.flags & XFRM_STATE_WILDRECV) &&
553 xfrm_state_addr_check(x, daddr, saddr, family) &&
554 tmpl->mode == x->props.mode &&
555 tmpl->id.proto == x->id.proto &&
556 (tmpl->id.spi == x->id.spi || !tmpl->id.spi)) {
558 1. There is a valid state with matching selector.
560 2. Valid state with inappropriate selector. Skip.
562 Entering area of "sysdeps".
564 3. If state is not valid, selector is temporary,
565 it selects only session which triggered
566 previous resolution. Key manager will do
567 something to install a state with proper
570 if (x->km.state == XFRM_STATE_VALID) {
571 if (!xfrm_selector_match(&x->sel, fl, family) ||
572 !security_xfrm_state_pol_flow_match(x, pol, fl))
575 best->km.dying > x->km.dying ||
576 (best->km.dying == x->km.dying &&
577 best->curlft.add_time < x->curlft.add_time))
579 } else if (x->km.state == XFRM_STATE_ACQ) {
580 acquire_in_progress = 1;
581 } else if (x->km.state == XFRM_STATE_ERROR ||
582 x->km.state == XFRM_STATE_EXPIRED) {
583 if (xfrm_selector_match(&x->sel, fl, family) &&
584 security_xfrm_state_pol_flow_match(x, pol, fl))
591 if (!x && !error && !acquire_in_progress) {
593 (x0 = __xfrm_state_lookup(daddr, tmpl->id.spi,
594 tmpl->id.proto, family)) != NULL) {
599 x = xfrm_state_alloc();
604 /* Initialize temporary selector matching only
605 * to current session. */
606 xfrm_init_tempsel(x, fl, tmpl, daddr, saddr, family);
608 error = security_xfrm_state_alloc_acquire(x, pol->security, fl->secid);
610 x->km.state = XFRM_STATE_DEAD;
616 if (km_query(x, tmpl, pol) == 0) {
617 x->km.state = XFRM_STATE_ACQ;
618 hlist_add_head(&x->bydst, xfrm_state_bydst+h);
619 h = xfrm_src_hash(daddr, saddr, family);
620 hlist_add_head(&x->bysrc, xfrm_state_bysrc+h);
622 h = xfrm_spi_hash(&x->id.daddr, x->id.spi, x->id.proto, family);
623 hlist_add_head(&x->byspi, xfrm_state_byspi+h);
625 x->lft.hard_add_expires_seconds = XFRM_ACQ_EXPIRES;
626 x->timer.expires = jiffies + XFRM_ACQ_EXPIRES*HZ;
627 add_timer(&x->timer);
629 xfrm_hash_grow_check(x->bydst.next != NULL);
631 x->km.state = XFRM_STATE_DEAD;
641 *err = acquire_in_progress ? -EAGAIN : error;
642 spin_unlock_bh(&xfrm_state_lock);
646 static void __xfrm_state_insert(struct xfrm_state *x)
650 x->genid = ++xfrm_state_genid;
652 h = xfrm_dst_hash(&x->id.daddr, &x->props.saddr,
653 x->props.reqid, x->props.family);
654 hlist_add_head(&x->bydst, xfrm_state_bydst+h);
656 h = xfrm_src_hash(&x->id.daddr, &x->props.saddr, x->props.family);
657 hlist_add_head(&x->bysrc, xfrm_state_bysrc+h);
660 h = xfrm_spi_hash(&x->id.daddr, x->id.spi, x->id.proto,
663 hlist_add_head(&x->byspi, xfrm_state_byspi+h);
666 mod_timer(&x->timer, jiffies + HZ);
667 if (x->replay_maxage)
668 mod_timer(&x->rtimer, jiffies + x->replay_maxage);
674 xfrm_hash_grow_check(x->bydst.next != NULL);
677 /* xfrm_state_lock is held */
678 static void __xfrm_state_bump_genids(struct xfrm_state *xnew)
680 unsigned short family = xnew->props.family;
681 u32 reqid = xnew->props.reqid;
682 struct xfrm_state *x;
683 struct hlist_node *entry;
686 h = xfrm_dst_hash(&xnew->id.daddr, &xnew->props.saddr, reqid, family);
687 hlist_for_each_entry(x, entry, xfrm_state_bydst+h, bydst) {
688 if (x->props.family == family &&
689 x->props.reqid == reqid &&
690 !xfrm_addr_cmp(&x->id.daddr, &xnew->id.daddr, family) &&
691 !xfrm_addr_cmp(&x->props.saddr, &xnew->props.saddr, family))
692 x->genid = xfrm_state_genid;
696 void xfrm_state_insert(struct xfrm_state *x)
698 spin_lock_bh(&xfrm_state_lock);
699 __xfrm_state_bump_genids(x);
700 __xfrm_state_insert(x);
701 spin_unlock_bh(&xfrm_state_lock);
703 EXPORT_SYMBOL(xfrm_state_insert);
705 /* xfrm_state_lock is held */
706 static struct xfrm_state *__find_acq_core(unsigned short family, u8 mode, u32 reqid, u8 proto, xfrm_address_t *daddr, xfrm_address_t *saddr, int create)
708 unsigned int h = xfrm_dst_hash(daddr, saddr, reqid, family);
709 struct hlist_node *entry;
710 struct xfrm_state *x;
712 hlist_for_each_entry(x, entry, xfrm_state_bydst+h, bydst) {
713 if (x->props.reqid != reqid ||
714 x->props.mode != mode ||
715 x->props.family != family ||
716 x->km.state != XFRM_STATE_ACQ ||
718 x->id.proto != proto)
723 if (x->id.daddr.a4 != daddr->a4 ||
724 x->props.saddr.a4 != saddr->a4)
728 if (!ipv6_addr_equal((struct in6_addr *)x->id.daddr.a6,
729 (struct in6_addr *)daddr) ||
730 !ipv6_addr_equal((struct in6_addr *)
732 (struct in6_addr *)saddr))
744 x = xfrm_state_alloc();
748 x->sel.daddr.a4 = daddr->a4;
749 x->sel.saddr.a4 = saddr->a4;
750 x->sel.prefixlen_d = 32;
751 x->sel.prefixlen_s = 32;
752 x->props.saddr.a4 = saddr->a4;
753 x->id.daddr.a4 = daddr->a4;
757 ipv6_addr_copy((struct in6_addr *)x->sel.daddr.a6,
758 (struct in6_addr *)daddr);
759 ipv6_addr_copy((struct in6_addr *)x->sel.saddr.a6,
760 (struct in6_addr *)saddr);
761 x->sel.prefixlen_d = 128;
762 x->sel.prefixlen_s = 128;
763 ipv6_addr_copy((struct in6_addr *)x->props.saddr.a6,
764 (struct in6_addr *)saddr);
765 ipv6_addr_copy((struct in6_addr *)x->id.daddr.a6,
766 (struct in6_addr *)daddr);
770 x->km.state = XFRM_STATE_ACQ;
772 x->props.family = family;
773 x->props.mode = mode;
774 x->props.reqid = reqid;
775 x->lft.hard_add_expires_seconds = XFRM_ACQ_EXPIRES;
777 x->timer.expires = jiffies + XFRM_ACQ_EXPIRES*HZ;
778 add_timer(&x->timer);
779 hlist_add_head(&x->bydst, xfrm_state_bydst+h);
780 h = xfrm_src_hash(daddr, saddr, family);
781 hlist_add_head(&x->bysrc, xfrm_state_bysrc+h);
786 xfrm_hash_grow_check(x->bydst.next != NULL);
792 static struct xfrm_state *__xfrm_find_acq_byseq(u32 seq);
794 int xfrm_state_add(struct xfrm_state *x)
796 struct xfrm_state *x1;
799 int use_spi = xfrm_id_proto_match(x->id.proto, IPSEC_PROTO_ANY);
801 family = x->props.family;
803 spin_lock_bh(&xfrm_state_lock);
805 x1 = __xfrm_state_locate(x, use_spi, family);
813 if (use_spi && x->km.seq) {
814 x1 = __xfrm_find_acq_byseq(x->km.seq);
815 if (x1 && ((x1->id.proto != x->id.proto) ||
816 xfrm_addr_cmp(&x1->id.daddr, &x->id.daddr, family))) {
823 x1 = __find_acq_core(family, x->props.mode, x->props.reqid,
825 &x->id.daddr, &x->props.saddr, 0);
827 __xfrm_state_bump_genids(x);
828 __xfrm_state_insert(x);
832 spin_unlock_bh(&xfrm_state_lock);
835 xfrm_state_delete(x1);
841 EXPORT_SYMBOL(xfrm_state_add);
843 #ifdef CONFIG_XFRM_MIGRATE
844 struct xfrm_state *xfrm_state_clone(struct xfrm_state *orig, int *errp)
847 struct xfrm_state *x = xfrm_state_alloc();
851 memcpy(&x->id, &orig->id, sizeof(x->id));
852 memcpy(&x->sel, &orig->sel, sizeof(x->sel));
853 memcpy(&x->lft, &orig->lft, sizeof(x->lft));
854 x->props.mode = orig->props.mode;
855 x->props.replay_window = orig->props.replay_window;
856 x->props.reqid = orig->props.reqid;
857 x->props.family = orig->props.family;
858 x->props.saddr = orig->props.saddr;
861 x->aalg = xfrm_algo_clone(orig->aalg);
865 x->props.aalgo = orig->props.aalgo;
868 x->ealg = xfrm_algo_clone(orig->ealg);
872 x->props.ealgo = orig->props.ealgo;
875 x->calg = xfrm_algo_clone(orig->calg);
879 x->props.calgo = orig->props.calgo;
882 x->encap = kmemdup(orig->encap, sizeof(*x->encap), GFP_KERNEL);
888 x->coaddr = kmemdup(orig->coaddr, sizeof(*x->coaddr),
894 err = xfrm_init_state(x);
898 x->props.flags = orig->props.flags;
900 x->curlft.add_time = orig->curlft.add_time;
901 x->km.state = orig->km.state;
902 x->km.seq = orig->km.seq;
919 EXPORT_SYMBOL(xfrm_state_clone);
921 /* xfrm_state_lock is held */
922 struct xfrm_state * xfrm_migrate_state_find(struct xfrm_migrate *m)
925 struct xfrm_state *x;
926 struct hlist_node *entry;
929 h = xfrm_dst_hash(&m->old_daddr, &m->old_saddr,
930 m->reqid, m->old_family);
931 hlist_for_each_entry(x, entry, xfrm_state_bydst+h, bydst) {
932 if (x->props.mode != m->mode ||
933 x->id.proto != m->proto)
935 if (m->reqid && x->props.reqid != m->reqid)
937 if (xfrm_addr_cmp(&x->id.daddr, &m->old_daddr,
939 xfrm_addr_cmp(&x->props.saddr, &m->old_saddr,
946 h = xfrm_src_hash(&m->old_daddr, &m->old_saddr,
948 hlist_for_each_entry(x, entry, xfrm_state_bysrc+h, bysrc) {
949 if (x->props.mode != m->mode ||
950 x->id.proto != m->proto)
952 if (xfrm_addr_cmp(&x->id.daddr, &m->old_daddr,
954 xfrm_addr_cmp(&x->props.saddr, &m->old_saddr,
964 EXPORT_SYMBOL(xfrm_migrate_state_find);
966 struct xfrm_state * xfrm_state_migrate(struct xfrm_state *x,
967 struct xfrm_migrate *m)
969 struct xfrm_state *xc;
972 xc = xfrm_state_clone(x, &err);
976 memcpy(&xc->id.daddr, &m->new_daddr, sizeof(xc->id.daddr));
977 memcpy(&xc->props.saddr, &m->new_saddr, sizeof(xc->props.saddr));
980 if (!xfrm_addr_cmp(&x->id.daddr, &m->new_daddr, m->new_family)) {
981 /* a care is needed when the destination address of the
982 state is to be updated as it is a part of triplet */
983 xfrm_state_insert(xc);
985 if ((err = xfrm_state_add(xc)) < 0)
994 EXPORT_SYMBOL(xfrm_state_migrate);
997 int xfrm_state_update(struct xfrm_state *x)
999 struct xfrm_state *x1;
1001 int use_spi = xfrm_id_proto_match(x->id.proto, IPSEC_PROTO_ANY);
1003 spin_lock_bh(&xfrm_state_lock);
1004 x1 = __xfrm_state_locate(x, use_spi, x->props.family);
1010 if (xfrm_state_kern(x1)) {
1016 if (x1->km.state == XFRM_STATE_ACQ) {
1017 __xfrm_state_insert(x);
1023 spin_unlock_bh(&xfrm_state_lock);
1029 xfrm_state_delete(x1);
1035 spin_lock_bh(&x1->lock);
1036 if (likely(x1->km.state == XFRM_STATE_VALID)) {
1037 if (x->encap && x1->encap)
1038 memcpy(x1->encap, x->encap, sizeof(*x1->encap));
1039 if (x->coaddr && x1->coaddr) {
1040 memcpy(x1->coaddr, x->coaddr, sizeof(*x1->coaddr));
1042 if (!use_spi && memcmp(&x1->sel, &x->sel, sizeof(x1->sel)))
1043 memcpy(&x1->sel, &x->sel, sizeof(x1->sel));
1044 memcpy(&x1->lft, &x->lft, sizeof(x1->lft));
1047 mod_timer(&x1->timer, jiffies + HZ);
1048 if (x1->curlft.use_time)
1049 xfrm_state_check_expire(x1);
1053 spin_unlock_bh(&x1->lock);
1059 EXPORT_SYMBOL(xfrm_state_update);
1061 int xfrm_state_check_expire(struct xfrm_state *x)
1063 if (!x->curlft.use_time)
1064 x->curlft.use_time = get_seconds();
1066 if (x->km.state != XFRM_STATE_VALID)
1069 if (x->curlft.bytes >= x->lft.hard_byte_limit ||
1070 x->curlft.packets >= x->lft.hard_packet_limit) {
1071 x->km.state = XFRM_STATE_EXPIRED;
1072 mod_timer(&x->timer, jiffies);
1077 (x->curlft.bytes >= x->lft.soft_byte_limit ||
1078 x->curlft.packets >= x->lft.soft_packet_limit)) {
1080 km_state_expired(x, 0, 0);
1084 EXPORT_SYMBOL(xfrm_state_check_expire);
1086 static int xfrm_state_check_space(struct xfrm_state *x, struct sk_buff *skb)
1088 int nhead = x->props.header_len + LL_RESERVED_SPACE(skb->dst->dev)
1089 - skb_headroom(skb);
1092 return pskb_expand_head(skb, nhead, 0, GFP_ATOMIC);
1094 /* Check tail too... */
1098 int xfrm_state_check(struct xfrm_state *x, struct sk_buff *skb)
1100 int err = xfrm_state_check_expire(x);
1103 err = xfrm_state_check_space(x, skb);
1107 EXPORT_SYMBOL(xfrm_state_check);
1110 xfrm_state_lookup(xfrm_address_t *daddr, __be32 spi, u8 proto,
1111 unsigned short family)
1113 struct xfrm_state *x;
1115 spin_lock_bh(&xfrm_state_lock);
1116 x = __xfrm_state_lookup(daddr, spi, proto, family);
1117 spin_unlock_bh(&xfrm_state_lock);
1120 EXPORT_SYMBOL(xfrm_state_lookup);
1123 xfrm_state_lookup_byaddr(xfrm_address_t *daddr, xfrm_address_t *saddr,
1124 u8 proto, unsigned short family)
1126 struct xfrm_state *x;
1128 spin_lock_bh(&xfrm_state_lock);
1129 x = __xfrm_state_lookup_byaddr(daddr, saddr, proto, family);
1130 spin_unlock_bh(&xfrm_state_lock);
1133 EXPORT_SYMBOL(xfrm_state_lookup_byaddr);
1136 xfrm_find_acq(u8 mode, u32 reqid, u8 proto,
1137 xfrm_address_t *daddr, xfrm_address_t *saddr,
1138 int create, unsigned short family)
1140 struct xfrm_state *x;
1142 spin_lock_bh(&xfrm_state_lock);
1143 x = __find_acq_core(family, mode, reqid, proto, daddr, saddr, create);
1144 spin_unlock_bh(&xfrm_state_lock);
1148 EXPORT_SYMBOL(xfrm_find_acq);
1150 #ifdef CONFIG_XFRM_SUB_POLICY
1152 xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, int n,
1153 unsigned short family)
1156 struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family);
1158 return -EAFNOSUPPORT;
1160 spin_lock_bh(&xfrm_state_lock);
1161 if (afinfo->tmpl_sort)
1162 err = afinfo->tmpl_sort(dst, src, n);
1163 spin_unlock_bh(&xfrm_state_lock);
1164 xfrm_state_put_afinfo(afinfo);
1167 EXPORT_SYMBOL(xfrm_tmpl_sort);
1170 xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src, int n,
1171 unsigned short family)
1174 struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family);
1176 return -EAFNOSUPPORT;
1178 spin_lock_bh(&xfrm_state_lock);
1179 if (afinfo->state_sort)
1180 err = afinfo->state_sort(dst, src, n);
1181 spin_unlock_bh(&xfrm_state_lock);
1182 xfrm_state_put_afinfo(afinfo);
1185 EXPORT_SYMBOL(xfrm_state_sort);
1188 /* Silly enough, but I'm lazy to build resolution list */
1190 static struct xfrm_state *__xfrm_find_acq_byseq(u32 seq)
1194 for (i = 0; i <= xfrm_state_hmask; i++) {
1195 struct hlist_node *entry;
1196 struct xfrm_state *x;
1198 hlist_for_each_entry(x, entry, xfrm_state_bydst+i, bydst) {
1199 if (x->km.seq == seq &&
1200 x->km.state == XFRM_STATE_ACQ) {
1209 struct xfrm_state *xfrm_find_acq_byseq(u32 seq)
1211 struct xfrm_state *x;
1213 spin_lock_bh(&xfrm_state_lock);
1214 x = __xfrm_find_acq_byseq(seq);
1215 spin_unlock_bh(&xfrm_state_lock);
1218 EXPORT_SYMBOL(xfrm_find_acq_byseq);
1220 u32 xfrm_get_acqseq(void)
1224 static DEFINE_SPINLOCK(acqseq_lock);
1226 spin_lock_bh(&acqseq_lock);
1227 res = (++acqseq ? : ++acqseq);
1228 spin_unlock_bh(&acqseq_lock);
1231 EXPORT_SYMBOL(xfrm_get_acqseq);
1234 xfrm_alloc_spi(struct xfrm_state *x, __be32 minspi, __be32 maxspi)
1237 struct xfrm_state *x0;
1242 if (minspi == maxspi) {
1243 x0 = xfrm_state_lookup(&x->id.daddr, minspi, x->id.proto, x->props.family);
1251 u32 low = ntohl(minspi);
1252 u32 high = ntohl(maxspi);
1253 for (h=0; h<high-low+1; h++) {
1254 spi = low + net_random()%(high-low+1);
1255 x0 = xfrm_state_lookup(&x->id.daddr, htonl(spi), x->id.proto, x->props.family);
1257 x->id.spi = htonl(spi);
1264 spin_lock_bh(&xfrm_state_lock);
1265 h = xfrm_spi_hash(&x->id.daddr, x->id.spi, x->id.proto, x->props.family);
1266 hlist_add_head(&x->byspi, xfrm_state_byspi+h);
1267 spin_unlock_bh(&xfrm_state_lock);
1271 EXPORT_SYMBOL(xfrm_alloc_spi);
1273 int xfrm_state_walk(u8 proto, int (*func)(struct xfrm_state *, int, void*),
1277 struct xfrm_state *x, *last = NULL;
1278 struct hlist_node *entry;
1282 spin_lock_bh(&xfrm_state_lock);
1283 for (i = 0; i <= xfrm_state_hmask; i++) {
1284 hlist_for_each_entry(x, entry, xfrm_state_bydst+i, bydst) {
1285 if (!xfrm_id_proto_match(x->id.proto, proto))
1288 err = func(last, count, data);
1300 err = func(last, 0, data);
1302 spin_unlock_bh(&xfrm_state_lock);
1305 EXPORT_SYMBOL(xfrm_state_walk);
1308 void xfrm_replay_notify(struct xfrm_state *x, int event)
1311 /* we send notify messages in case
1312 * 1. we updated on of the sequence numbers, and the seqno difference
1313 * is at least x->replay_maxdiff, in this case we also update the
1314 * timeout of our timer function
1315 * 2. if x->replay_maxage has elapsed since last update,
1316 * and there were changes
1318 * The state structure must be locked!
1322 case XFRM_REPLAY_UPDATE:
1323 if (x->replay_maxdiff &&
1324 (x->replay.seq - x->preplay.seq < x->replay_maxdiff) &&
1325 (x->replay.oseq - x->preplay.oseq < x->replay_maxdiff)) {
1326 if (x->xflags & XFRM_TIME_DEFER)
1327 event = XFRM_REPLAY_TIMEOUT;
1334 case XFRM_REPLAY_TIMEOUT:
1335 if ((x->replay.seq == x->preplay.seq) &&
1336 (x->replay.bitmap == x->preplay.bitmap) &&
1337 (x->replay.oseq == x->preplay.oseq)) {
1338 x->xflags |= XFRM_TIME_DEFER;
1345 memcpy(&x->preplay, &x->replay, sizeof(struct xfrm_replay_state));
1346 c.event = XFRM_MSG_NEWAE;
1347 c.data.aevent = event;
1348 km_state_notify(x, &c);
1350 if (x->replay_maxage &&
1351 !mod_timer(&x->rtimer, jiffies + x->replay_maxage))
1352 x->xflags &= ~XFRM_TIME_DEFER;
1354 EXPORT_SYMBOL(xfrm_replay_notify);
1356 static void xfrm_replay_timer_handler(unsigned long data)
1358 struct xfrm_state *x = (struct xfrm_state*)data;
1360 spin_lock(&x->lock);
1362 if (x->km.state == XFRM_STATE_VALID) {
1363 if (xfrm_aevent_is_on())
1364 xfrm_replay_notify(x, XFRM_REPLAY_TIMEOUT);
1366 x->xflags |= XFRM_TIME_DEFER;
1369 spin_unlock(&x->lock);
1372 int xfrm_replay_check(struct xfrm_state *x, __be32 net_seq)
1375 u32 seq = ntohl(net_seq);
1377 if (unlikely(seq == 0))
1380 if (likely(seq > x->replay.seq))
1383 diff = x->replay.seq - seq;
1384 if (diff >= min_t(unsigned int, x->props.replay_window,
1385 sizeof(x->replay.bitmap) * 8)) {
1386 x->stats.replay_window++;
1390 if (x->replay.bitmap & (1U << diff)) {
1396 EXPORT_SYMBOL(xfrm_replay_check);
1398 void xfrm_replay_advance(struct xfrm_state *x, __be32 net_seq)
1401 u32 seq = ntohl(net_seq);
1403 if (seq > x->replay.seq) {
1404 diff = seq - x->replay.seq;
1405 if (diff < x->props.replay_window)
1406 x->replay.bitmap = ((x->replay.bitmap) << diff) | 1;
1408 x->replay.bitmap = 1;
1409 x->replay.seq = seq;
1411 diff = x->replay.seq - seq;
1412 x->replay.bitmap |= (1U << diff);
1415 if (xfrm_aevent_is_on())
1416 xfrm_replay_notify(x, XFRM_REPLAY_UPDATE);
1418 EXPORT_SYMBOL(xfrm_replay_advance);
1420 static struct list_head xfrm_km_list = LIST_HEAD_INIT(xfrm_km_list);
1421 static DEFINE_RWLOCK(xfrm_km_lock);
1423 void km_policy_notify(struct xfrm_policy *xp, int dir, struct km_event *c)
1425 struct xfrm_mgr *km;
1427 read_lock(&xfrm_km_lock);
1428 list_for_each_entry(km, &xfrm_km_list, list)
1429 if (km->notify_policy)
1430 km->notify_policy(xp, dir, c);
1431 read_unlock(&xfrm_km_lock);
1434 void km_state_notify(struct xfrm_state *x, struct km_event *c)
1436 struct xfrm_mgr *km;
1437 read_lock(&xfrm_km_lock);
1438 list_for_each_entry(km, &xfrm_km_list, list)
1441 read_unlock(&xfrm_km_lock);
1444 EXPORT_SYMBOL(km_policy_notify);
1445 EXPORT_SYMBOL(km_state_notify);
1447 void km_state_expired(struct xfrm_state *x, int hard, u32 pid)
1453 c.event = XFRM_MSG_EXPIRE;
1454 km_state_notify(x, &c);
1460 EXPORT_SYMBOL(km_state_expired);
1462 * We send to all registered managers regardless of failure
1463 * We are happy with one success
1465 int km_query(struct xfrm_state *x, struct xfrm_tmpl *t, struct xfrm_policy *pol)
1467 int err = -EINVAL, acqret;
1468 struct xfrm_mgr *km;
1470 read_lock(&xfrm_km_lock);
1471 list_for_each_entry(km, &xfrm_km_list, list) {
1472 acqret = km->acquire(x, t, pol, XFRM_POLICY_OUT);
1476 read_unlock(&xfrm_km_lock);
1479 EXPORT_SYMBOL(km_query);
1481 int km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport)
1484 struct xfrm_mgr *km;
1486 read_lock(&xfrm_km_lock);
1487 list_for_each_entry(km, &xfrm_km_list, list) {
1488 if (km->new_mapping)
1489 err = km->new_mapping(x, ipaddr, sport);
1493 read_unlock(&xfrm_km_lock);
1496 EXPORT_SYMBOL(km_new_mapping);
1498 void km_policy_expired(struct xfrm_policy *pol, int dir, int hard, u32 pid)
1504 c.event = XFRM_MSG_POLEXPIRE;
1505 km_policy_notify(pol, dir, &c);
1510 EXPORT_SYMBOL(km_policy_expired);
1512 int km_migrate(struct xfrm_selector *sel, u8 dir, u8 type,
1513 struct xfrm_migrate *m, int num_migrate)
1517 struct xfrm_mgr *km;
1519 read_lock(&xfrm_km_lock);
1520 list_for_each_entry(km, &xfrm_km_list, list) {
1522 ret = km->migrate(sel, dir, type, m, num_migrate);
1527 read_unlock(&xfrm_km_lock);
1530 EXPORT_SYMBOL(km_migrate);
1532 int km_report(u8 proto, struct xfrm_selector *sel, xfrm_address_t *addr)
1536 struct xfrm_mgr *km;
1538 read_lock(&xfrm_km_lock);
1539 list_for_each_entry(km, &xfrm_km_list, list) {
1541 ret = km->report(proto, sel, addr);
1546 read_unlock(&xfrm_km_lock);
1549 EXPORT_SYMBOL(km_report);
1551 int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen)
1555 struct xfrm_mgr *km;
1556 struct xfrm_policy *pol = NULL;
1558 if (optlen <= 0 || optlen > PAGE_SIZE)
1561 data = kmalloc(optlen, GFP_KERNEL);
1566 if (copy_from_user(data, optval, optlen))
1570 read_lock(&xfrm_km_lock);
1571 list_for_each_entry(km, &xfrm_km_list, list) {
1572 pol = km->compile_policy(sk, optname, data,
1577 read_unlock(&xfrm_km_lock);
1580 xfrm_sk_policy_insert(sk, err, pol);
1589 EXPORT_SYMBOL(xfrm_user_policy);
1591 int xfrm_register_km(struct xfrm_mgr *km)
1593 write_lock_bh(&xfrm_km_lock);
1594 list_add_tail(&km->list, &xfrm_km_list);
1595 write_unlock_bh(&xfrm_km_lock);
1598 EXPORT_SYMBOL(xfrm_register_km);
1600 int xfrm_unregister_km(struct xfrm_mgr *km)
1602 write_lock_bh(&xfrm_km_lock);
1603 list_del(&km->list);
1604 write_unlock_bh(&xfrm_km_lock);
1607 EXPORT_SYMBOL(xfrm_unregister_km);
1609 int xfrm_state_register_afinfo(struct xfrm_state_afinfo *afinfo)
1612 if (unlikely(afinfo == NULL))
1614 if (unlikely(afinfo->family >= NPROTO))
1615 return -EAFNOSUPPORT;
1616 write_lock_bh(&xfrm_state_afinfo_lock);
1617 if (unlikely(xfrm_state_afinfo[afinfo->family] != NULL))
1620 xfrm_state_afinfo[afinfo->family] = afinfo;
1621 write_unlock_bh(&xfrm_state_afinfo_lock);
1624 EXPORT_SYMBOL(xfrm_state_register_afinfo);
1626 int xfrm_state_unregister_afinfo(struct xfrm_state_afinfo *afinfo)
1629 if (unlikely(afinfo == NULL))
1631 if (unlikely(afinfo->family >= NPROTO))
1632 return -EAFNOSUPPORT;
1633 write_lock_bh(&xfrm_state_afinfo_lock);
1634 if (likely(xfrm_state_afinfo[afinfo->family] != NULL)) {
1635 if (unlikely(xfrm_state_afinfo[afinfo->family] != afinfo))
1638 xfrm_state_afinfo[afinfo->family] = NULL;
1640 write_unlock_bh(&xfrm_state_afinfo_lock);
1643 EXPORT_SYMBOL(xfrm_state_unregister_afinfo);
1645 struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned short family)
1647 struct xfrm_state_afinfo *afinfo;
1648 if (unlikely(family >= NPROTO))
1650 read_lock(&xfrm_state_afinfo_lock);
1651 afinfo = xfrm_state_afinfo[family];
1652 if (unlikely(!afinfo))
1653 read_unlock(&xfrm_state_afinfo_lock);
1657 void xfrm_state_put_afinfo(struct xfrm_state_afinfo *afinfo)
1659 read_unlock(&xfrm_state_afinfo_lock);
1662 EXPORT_SYMBOL(xfrm_state_get_afinfo);
1663 EXPORT_SYMBOL(xfrm_state_put_afinfo);
1665 /* Temporarily located here until net/xfrm/xfrm_tunnel.c is created */
1666 void xfrm_state_delete_tunnel(struct xfrm_state *x)
1669 struct xfrm_state *t = x->tunnel;
1671 if (atomic_read(&t->tunnel_users) == 2)
1672 xfrm_state_delete(t);
1673 atomic_dec(&t->tunnel_users);
1678 EXPORT_SYMBOL(xfrm_state_delete_tunnel);
1680 int xfrm_state_mtu(struct xfrm_state *x, int mtu)
1684 spin_lock_bh(&x->lock);
1685 if (x->km.state == XFRM_STATE_VALID &&
1686 x->type && x->type->get_mtu)
1687 res = x->type->get_mtu(x, mtu);
1690 spin_unlock_bh(&x->lock);
1694 int xfrm_init_state(struct xfrm_state *x)
1696 struct xfrm_state_afinfo *afinfo;
1697 int family = x->props.family;
1700 err = -EAFNOSUPPORT;
1701 afinfo = xfrm_state_get_afinfo(family);
1706 if (afinfo->init_flags)
1707 err = afinfo->init_flags(x);
1709 xfrm_state_put_afinfo(afinfo);
1714 err = -EPROTONOSUPPORT;
1715 x->type = xfrm_get_type(x->id.proto, family);
1716 if (x->type == NULL)
1719 err = x->type->init_state(x);
1723 x->mode = xfrm_get_mode(x->props.mode, family);
1724 if (x->mode == NULL)
1727 x->km.state = XFRM_STATE_VALID;
1733 EXPORT_SYMBOL(xfrm_init_state);
1735 void __init xfrm_state_init(void)
1739 sz = sizeof(struct hlist_head) * 8;
1741 xfrm_state_bydst = xfrm_hash_alloc(sz);
1742 xfrm_state_bysrc = xfrm_hash_alloc(sz);
1743 xfrm_state_byspi = xfrm_hash_alloc(sz);
1744 if (!xfrm_state_bydst || !xfrm_state_bysrc || !xfrm_state_byspi)
1745 panic("XFRM: Cannot allocate bydst/bysrc/byspi hashes.");
1746 xfrm_state_hmask = ((sz / sizeof(struct hlist_head)) - 1);
1748 INIT_WORK(&xfrm_state_gc_work, xfrm_state_gc_task);
projects / linux-2.6 / blob