// SPDX-License-Identifier: GPL-2.0-only
/* xfrm_user.c: User interface to configure xfrm engine.
 *
 * Copyright (C) 2002 David S. Miller (davem@redhat.com)
 *
 * Changes:
 *	Mitsuru KANDA @USAGI
 *	Kazunori MIYAZAWA @USAGI
 *	Kunihiro Ishiguro <kunihiro@ipinfusion.com>
 *		IPv6 support
 *
 */

#include <linux/compat.h>
#include <linux/crypto.h>
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/types.h>
#include <linux/slab.h>
#include <linux/socket.h>
#include <linux/string.h>
#include <linux/net.h>
#include <linux/skbuff.h>
#include <linux/pfkeyv2.h>
#include <linux/ipsec.h>
#include <linux/init.h>
#include <linux/security.h>
#include <net/sock.h>
#include <net/xfrm.h>
#include <net/netlink.h>
#include <net/ah.h>
#include <linux/uaccess.h>
#if IS_ENABLED(CONFIG_IPV6)
#include <linux/in6.h>
#endif
#include <linux/unaligned.h>

/*
 * Return the xfrm netlink socket of @net (net->xfrm.nlsk).
 *
 * The pointer is read with rcu_dereference_protected(), and the protection
 * condition handed to it is the sk_net_refcnt field of the socket that sent
 * @skb.
 */
static struct sock *xfrm_net_nlsk(const struct net *net, const struct sk_buff *skb)
{
	/* get the source of this request, see netlink_unicast_kernel */
	const struct sock *sk = NETLINK_CB(skb).sk;

	/* sk is refcounted, the netns stays alive and nlsk with it */
	return rcu_dereference_protected(net->xfrm.nlsk, sk->sk_net_refcnt);
}

/*
 * Validate one XFRMA_ALG_AUTH / XFRMA_ALG_CRYPT / XFRMA_ALG_COMP attribute.
 *
 * Returns 0 when the attribute is absent or passes the checks, and -EINVAL
 * (with an extack message) when the payload is shorter than xfrm_alg_len()
 * reports for it or when @type is not one of the three types above.
 *
 * On success the last byte of alg_name is overwritten with '\0' inside the
 * received attribute, so the name is a terminated string for every later
 * reader.
 *
 * NOTE(review): xfrm_alg_len() is handed the payload before nla_len(rt) has
 * been compared against anything. If it derives the size from a field inside
 * the payload (not shown here), a minimum attribute size must be guaranteed
 * elsewhere, presumably by the netlink policy - confirm.
 */
static int verify_one_alg(struct nlattr **attrs, enum xfrm_attr_type_t type,
			  struct netlink_ext_ack *extack)
{
	struct nlattr *rt = attrs[type];
	struct xfrm_algo *algp;

	if (!rt)
		return 0;

	algp = nla_data(rt);
	/* The attribute must hold everything xfrm_alg_len() accounts for. */
	if (nla_len(rt) < (int)xfrm_alg_len(algp)) {
		NL_SET_ERR_MSG(extack, "Invalid AUTH/CRYPT/COMP attribute length");
		return -EINVAL;
	}

	switch (type) {
	case XFRMA_ALG_AUTH:
	case XFRMA_ALG_CRYPT:
	case XFRMA_ALG_COMP:
		break;

	default:
		NL_SET_ERR_MSG(extack, "Invalid algorithm attribute type");
		return -EINVAL;
	}

	/* Never trust the sender to have terminated the name. */
	algp->alg_name[sizeof(algp->alg_name) - 1] = '\0';
	return 0;
}

/*
 * Validate the XFRMA_ALG_AUTH_TRUNC attribute.
 *
 * Returns 0 when the attribute is absent or at least as long as
 * xfrm_alg_auth_len() reports, -EINVAL otherwise. On success alg_name is
 * force-terminated in place.
 *
 * NOTE(review): as in verify_one_alg(), the payload is passed to the length
 * helper before any size comparison; presumably the netlink policy enforces
 * the minimum size - confirm.
 */
static int verify_auth_trunc(struct nlattr **attrs,
			     struct netlink_ext_ack *extack)
{
	struct nlattr *rt = attrs[XFRMA_ALG_AUTH_TRUNC];
	struct xfrm_algo_auth *algp;

	if (!rt)
		return 0;

	algp = nla_data(rt);
	if (nla_len(rt) < (int)xfrm_alg_auth_len(algp)) {
		NL_SET_ERR_MSG(extack, "Invalid AUTH_TRUNC attribute length");
		return -EINVAL;
	}

	/* Never trust the sender to have terminated the name. */
	algp->alg_name[sizeof(algp->alg_name) - 1] = '\0';
	return 0;
}

/*
 * Validate the XFRMA_ALG_AEAD attribute.
 *
 * Returns 0 when the attribute is absent or at least as long as aead_len()
 * reports, -EINVAL otherwise. On success alg_name is force-terminated in
 * place.
 *
 * NOTE(review): as in verify_one_alg(), the payload is passed to the length
 * helper before any size comparison; presumably the netlink policy enforces
 * the minimum size - confirm.
 */
static int verify_aead(struct nlattr **attrs, struct netlink_ext_ack *extack)
{
	struct nlattr *rt = attrs[XFRMA_ALG_AEAD];
	struct xfrm_algo_aead *algp;

	if (!rt)
		return 0;

	algp = nla_data(rt);
	if (nla_len(rt) < (int)aead_len(algp)) {
		NL_SET_ERR_MSG(extack, "Invalid AEAD attribute length");
		return -EINVAL;
	}

	/* Never trust the sender to have terminated the name. */
	algp->alg_name[sizeof(algp->alg_name) - 1] = '\0';
	return 0;
}

/*
 * Point *@addrp at the payload of attrs[@type].
 *
 * Nothing is written when the attribute is absent or @addrp is NULL, so a
 * caller that pre-sets *@addrp to NULL can detect a missing attribute.
 * Despite the name, no length or content check is made here.
 *
 * NOTE(review): the payload size is presumably enforced by the netlink
 * policy - confirm.
 */
static void verify_one_addr(struct nlattr **attrs, enum xfrm_attr_type_t type,
			    xfrm_address_t **addrp)
{
	struct nlattr *rt = attrs[type];

	if (rt && addrp)
		*addrp = nla_data(rt);
}

/*
 * Check the self-described length of an XFRMA_SEC_CTX attribute.
 *
 * Returns 0 when the attribute is absent or consistent. Returns -EINVAL when
 * the context's own len field exceeds the attribute payload or differs from
 * the fixed header size plus ctx_len. Together the two conditions mean the
 * ctx_len bytes following the header lie inside the attribute.
 *
 * NOTE(review): uctx->len and uctx->ctx_len are read before this function
 * compares nla_len(rt) with sizeof(*uctx); presumably the netlink policy
 * guarantees the header is present - confirm.
 */
static inline int verify_sec_ctx_len(struct nlattr **attrs, struct netlink_ext_ack *extack)
{
	struct nlattr *rt = attrs[XFRMA_SEC_CTX];
	struct xfrm_user_sec_ctx *uctx;

	if (!rt)
		return 0;

	uctx = nla_data(rt);
	if (uctx->len > nla_len(rt) ||
	    uctx->len != (sizeof(struct xfrm_user_sec_ctx) + uctx->ctx_len)) {
		NL_SET_ERR_MSG(extack, "Invalid security context length");
		return -EINVAL;
	}

	return 0;
}

/*
 * Validate the XFRMA_REPLAY_ESN_VAL attribute against the SA description @p
 * and the SA direction @sa_dir.
 *
 * Without the attribute the only failure is XFRM_STATE_ESN being set in
 * p->flags. With the attribute, -EINVAL is returned for:
 *  - a bitmap length above XFRMA_REPLAY_ESN_MAX / sizeof(bmp[0]) / 8;
 *  - an attribute shorter than the full state, unless it is exactly the
 *    fixed header (see the comment at that check);
 *  - a protocol other than ESP or AH;
 *  - a non-zero legacy p->replay_window;
 *  - fields that must be zero, or counters already at their maximum, for
 *    the given direction (see the two direction blocks).
 * Returns 0 otherwise.
 */
static inline int verify_replay(struct xfrm_usersa_info *p,
				struct nlattr **attrs, u8 sa_dir,
				struct netlink_ext_ack *extack)
{
	struct nlattr *rt = attrs[XFRMA_REPLAY_ESN_VAL];
	struct xfrm_replay_state_esn *rs;

	if (!rt) {
		if (p->flags & XFRM_STATE_ESN) {
			NL_SET_ERR_MSG(extack, "Missing required attribute for ESN");
			return -EINVAL;
		}
		return 0;
	}

	rs = nla_data(rt);

	/* Bound bmp_len first: the length computed below depends on it. */
	if (rs->bmp_len > XFRMA_REPLAY_ESN_MAX / sizeof(rs->bmp[0]) / 8) {
		NL_SET_ERR_MSG(extack, "ESN bitmap length must be <= 128");
		return -EINVAL;
	}

	/*
	 * An attribute of exactly sizeof(*rs) bytes is accepted even when
	 * bmp_len is non-zero. In that case the attribute carries no bitmap
	 * words, so consumers must not read bmp[] from it;
	 * xfrm_alloc_replay_state_esn() in this file copies only sizeof(*up)
	 * bytes for such an attribute.
	 */
	if (nla_len(rt) < (int)xfrm_replay_state_esn_len(rs) &&
	    nla_len(rt) != sizeof(*rs)) {
		NL_SET_ERR_MSG(extack, "ESN attribute is too short to fit the full bitmap length");
		return -EINVAL;
	}

	/* As only ESP and AH support ESN feature. */
	if ((p->id.proto != IPPROTO_ESP) && (p->id.proto != IPPROTO_AH)) {
		NL_SET_ERR_MSG(extack, "ESN only supported for ESP and AH");
		return -EINVAL;
	}

	if (p->replay_window != 0) {
		NL_SET_ERR_MSG(extack, "ESN not compatible with legacy replay_window");
		return -EINVAL;
	}

	/* Output SA: receive-side fields must be zero, oseq must have room. */
	if (sa_dir == XFRM_SA_DIR_OUT) {
		if (rs->replay_window) {
			NL_SET_ERR_MSG(extack, "Replay window should be 0 for output SA");
			return -EINVAL;
		}
		if (rs->seq || rs->seq_hi) {
			NL_SET_ERR_MSG(extack,
				       "Replay seq and seq_hi should be 0 for output SA");
			return -EINVAL;
		}

		if (!(p->flags & XFRM_STATE_ESN)) {
			if (rs->oseq_hi) {
				NL_SET_ERR_MSG(
					extack,
					"Replay oseq_hi should be 0 in non-ESN mode for output SA");
				return -EINVAL;
			}
			if (rs->oseq == U32_MAX) {
				NL_SET_ERR_MSG(
					extack,
					"Replay oseq should be less than 0xFFFFFFFF in non-ESN mode for output SA");
				return -EINVAL;
			}
		} else {
			if (rs->oseq == U32_MAX && rs->oseq_hi == U32_MAX) {
				NL_SET_ERR_MSG(
					extack,
					"Replay oseq and oseq_hi should be less than 0xFFFFFFFF for output SA");
				return -EINVAL;
			}
		}
		if (rs->bmp_len) {
			NL_SET_ERR_MSG(extack, "Replay bmp_len should 0 for output SA");
			return -EINVAL;
		}
	}

	/* Input SA: send-side fields must be zero, seq must have room. */
	if (sa_dir == XFRM_SA_DIR_IN) {
		if (rs->oseq || rs->oseq_hi) {
			NL_SET_ERR_MSG(extack,
				       "Replay oseq and oseq_hi should be 0 for input SA");
			return -EINVAL;
		}
		if (!(p->flags & XFRM_STATE_ESN)) {
			if (rs->seq_hi) {
				NL_SET_ERR_MSG(
					extack,
					"Replay seq_hi should be 0 in non-ESN mode for input SA");
				return -EINVAL;
			}

			if (rs->seq == U32_MAX) {
				NL_SET_ERR_MSG(
					extack,
					"Replay seq should be less than 0xFFFFFFFF in non-ESN mode for input SA");
				return -EINVAL;
			}
		} else {
			if (rs->seq == U32_MAX && rs->seq_hi == U32_MAX) {
				NL_SET_ERR_MSG(
					extack,
					"Replay seq and seq_hi should be less than 0xFFFFFFFF for input SA");
				return -EINVAL;
			}
		}
	}

	return 0;
}

/*
 * Check the preconditions for XFRMA_MTIMER_THRESH: the SA must carry an
 * encapsulation attribute (@has_encap) and must not be an output SA.
 * Returns 0 or -EINVAL.
 */
static int verify_mtimer_thresh(bool has_encap, u8 dir,
				struct netlink_ext_ack *extack)
{
	if (!has_encap) {
		NL_SET_ERR_MSG(extack,
			       "MTIMER_THRESH requires encapsulation");
		return -EINVAL;
	}
	if (dir == XFRM_SA_DIR_OUT) {
		NL_SET_ERR_MSG(extack,
			       "MTIMER_THRESH should not be set on output SA");
		return -EINVAL;
	}
	return 0;
}

/*
 * Accept only AF_INET, and AF_INET6 when CONFIG_IPV6 is enabled.
 * Returns 0, -EAFNOSUPPORT (IPv6 compiled out) or -EINVAL (anything else).
 */
static int verify_xfrm_family(u16 family, struct netlink_ext_ack *extack)
{
	switch (family) {
	case AF_INET:
		return 0;
	case AF_INET6:
#if IS_ENABLED(CONFIG_IPV6)
		return 0;
#else
		NL_SET_ERR_MSG(extack, "IPv6 support disabled");
		return -EAFNOSUPPORT;
#endif
	default:
		NL_SET_ERR_MSG(extack, "Invalid address family");
		return -EINVAL;
	}
}

/*
 * Bound the source and destination prefix lengths of @sel by the address
 * width of @family: 32 for AF_INET, 128 for AF_INET6. AF_UNSPEC is accepted
 * without looking at the prefix lengths.
 * Returns 0, -EAFNOSUPPORT (IPv6 compiled out) or -EINVAL.
 */
static int verify_selector_prefixlen(u16 family,
				     const struct xfrm_selector *sel,
				     struct netlink_ext_ack *extack)
{
	switch (family) {
	case AF_UNSPEC:
		return 0;
	case AF_INET:
		if (sel->prefixlen_d > 32 || sel->prefixlen_s > 32) {
			NL_SET_ERR_MSG(extack,
				       "Invalid prefix length in selector (must be <= 32 for IPv4)");
			return -EINVAL;
		}
		return 0;
	case AF_INET6:
#if IS_ENABLED(CONFIG_IPV6)
		if (sel->prefixlen_d > 128 || sel->prefixlen_s > 128) {
			NL_SET_ERR_MSG(extack,
				       "Invalid prefix length in selector (must be <= 128 for IPv6)");
			return -EINVAL;
		}
		return 0;
#else
		NL_SET_ERR_MSG(extack, "IPv6 support disabled");
		return -EAFNOSUPPORT;
#endif
	default:
		NL_SET_ERR_MSG(extack, "Invalid address family in selector");
		return -EINVAL;
	}
}

/*
 * Validate a user-supplied SA description before any state is built from it.
 *
 * Order of checks:
 *  1. address family of the SA and prefix lengths of its selector;
 *  2. which attributes are required or forbidden for p->id.proto;
 *  3. length checks of the algorithm, security-context and ESN attributes;
 *  4. the encapsulation mode;
 *  5. XFRMA_MTIMER_THRESH preconditions;
 *  6. flags and attributes that are not allowed for the SA direction
 *     (XFRMA_SA_DIR, treated as 0 when the attribute is absent).
 *
 * Returns 0 when everything is acceptable, otherwise a negative errno with
 * an extack message describing the first failed check.
 */
static int verify_newsa_info(struct xfrm_usersa_info *p,
			     struct nlattr **attrs,
			     struct netlink_ext_ack *extack)
{
	int err;
	u8 sa_dir = nla_get_u8_default(attrs[XFRMA_SA_DIR], 0);
	u16 family = p->sel.family;

	err = verify_xfrm_family(p->family, extack);
	if (err)
		goto out;

	/*
	 * A selector without a family inherits the SA family unless the
	 * sender explicitly asked for AF_UNSPEC.
	 */
	if (!family && !(p->flags & XFRM_STATE_AF_UNSPEC))
		family = p->family;

	err = verify_selector_prefixlen(family, &p->sel, extack);
	if (err)
		goto out;

	/* Every "goto out" in the switch below reports -EINVAL. */
	err = -EINVAL;
	switch (p->id.proto) {
	case IPPROTO_AH:
		if (!attrs[XFRMA_ALG_AUTH] &&
		    !attrs[XFRMA_ALG_AUTH_TRUNC]) {
			NL_SET_ERR_MSG(extack, "Missing required attribute for AH: AUTH_TRUNC or AUTH");
			goto out;
		}

		if (attrs[XFRMA_ALG_AEAD] ||
		    attrs[XFRMA_ALG_CRYPT] ||
		    attrs[XFRMA_ALG_COMP] ||
		    attrs[XFRMA_TFCPAD]) {
			NL_SET_ERR_MSG(extack, "Invalid attributes for AH: AEAD, CRYPT, COMP, TFCPAD");
			goto out;
		}
		break;

	case IPPROTO_ESP:
		if (attrs[XFRMA_ALG_COMP]) {
			NL_SET_ERR_MSG(extack, "Invalid attribute for ESP: COMP");
			goto out;
		}

		if (!attrs[XFRMA_ALG_AUTH] &&
		    !attrs[XFRMA_ALG_AUTH_TRUNC] &&
		    !attrs[XFRMA_ALG_CRYPT] &&
		    !attrs[XFRMA_ALG_AEAD]) {
			NL_SET_ERR_MSG(extack, "Missing required attribute for ESP: at least one of AUTH, AUTH_TRUNC, CRYPT, AEAD");
			goto out;
		}

		/* AEAD is exclusive with separate auth/crypt algorithms. */
		if ((attrs[XFRMA_ALG_AUTH] ||
		     attrs[XFRMA_ALG_AUTH_TRUNC] ||
		     attrs[XFRMA_ALG_CRYPT]) &&
		    attrs[XFRMA_ALG_AEAD]) {
			NL_SET_ERR_MSG(extack, "Invalid attribute combination for ESP: AEAD can't be used with AUTH, AUTH_TRUNC, CRYPT");
			goto out;
		}

		if (attrs[XFRMA_TFCPAD] &&
		    p->mode != XFRM_MODE_TUNNEL) {
			NL_SET_ERR_MSG(extack, "TFC padding can only be used in tunnel mode");
			goto out;
		}
		if ((attrs[XFRMA_IPTFS_DROP_TIME] ||
		     attrs[XFRMA_IPTFS_REORDER_WINDOW] ||
		     attrs[XFRMA_IPTFS_DONT_FRAG] ||
		     attrs[XFRMA_IPTFS_INIT_DELAY] ||
		     attrs[XFRMA_IPTFS_MAX_QSIZE] ||
		     attrs[XFRMA_IPTFS_PKT_SIZE]) &&
		    p->mode != XFRM_MODE_IPTFS) {
			NL_SET_ERR_MSG(extack, "IP-TFS options can only be used in IP-TFS mode");
			goto out;
		}
		break;

	case IPPROTO_COMP:
		if (!attrs[XFRMA_ALG_COMP]) {
			NL_SET_ERR_MSG(extack, "Missing required attribute for COMP: COMP");
			goto out;
		}

		if (attrs[XFRMA_ALG_AEAD] ||
		    attrs[XFRMA_ALG_AUTH] ||
		    attrs[XFRMA_ALG_AUTH_TRUNC] ||
		    attrs[XFRMA_ALG_CRYPT] ||
		    attrs[XFRMA_TFCPAD]) {
			NL_SET_ERR_MSG(extack, "Invalid attributes for COMP: AEAD, AUTH, AUTH_TRUNC, CRYPT, TFCPAD");
			goto out;
		}

		/* p->id.spi is in network byte order; compare in host order. */
		if (ntohl(p->id.spi) >= 0x10000) {
			NL_SET_ERR_MSG(extack, "SPI is too large for COMP (must be < 0x10000)");
			goto out;
		}
		break;

#if IS_ENABLED(CONFIG_IPV6)
	case IPPROTO_DSTOPTS:
	case IPPROTO_ROUTING:
		if (attrs[XFRMA_ALG_COMP] ||
		    attrs[XFRMA_ALG_AUTH] ||
		    attrs[XFRMA_ALG_AUTH_TRUNC] ||
		    attrs[XFRMA_ALG_AEAD] ||
		    attrs[XFRMA_ALG_CRYPT] ||
		    attrs[XFRMA_ENCAP] ||
		    attrs[XFRMA_SEC_CTX] ||
		    attrs[XFRMA_TFCPAD]) {
			NL_SET_ERR_MSG(extack, "Invalid attributes for DSTOPTS/ROUTING");
			goto out;
		}

		if (!attrs[XFRMA_COADDR]) {
			NL_SET_ERR_MSG(extack, "Missing required COADDR attribute for DSTOPTS/ROUTING");
			goto out;
		}
		break;
#endif

	default:
		NL_SET_ERR_MSG(extack, "Unsupported protocol");
		goto out;
	}

	/*
	 * Per-attribute length checks. Each helper returns 0 for an absent
	 * attribute, so all of them can be called unconditionally.
	 */
	if ((err = verify_aead(attrs, extack)))
		goto out;
	if ((err = verify_auth_trunc(attrs, extack)))
		goto out;
	if ((err = verify_one_alg(attrs, XFRMA_ALG_AUTH, extack)))
		goto out;
	if ((err = verify_one_alg(attrs, XFRMA_ALG_CRYPT, extack)))
		goto out;
	if ((err = verify_one_alg(attrs, XFRMA_ALG_COMP, extack)))
		goto out;
	if ((err = verify_sec_ctx_len(attrs, extack)))
		goto out;
	if ((err = verify_replay(p, attrs, sa_dir, extack)))
		goto out;

	/* Every "goto out" in the mode switch reports -EINVAL. */
	err = -EINVAL;
	switch (p->mode) {
	case XFRM_MODE_TRANSPORT:
	case XFRM_MODE_TUNNEL:
	case XFRM_MODE_ROUTEOPTIMIZATION:
	case XFRM_MODE_BEET:
		break;
	case XFRM_MODE_IPTFS:
		if (p->id.proto != IPPROTO_ESP) {
			NL_SET_ERR_MSG(extack, "IP-TFS mode only supported with ESP");
			goto out;
		}
		if (sa_dir == 0) {
			NL_SET_ERR_MSG(extack, "IP-TFS mode requires in or out direction attribute");
			goto out;
		}
		break;

	default:
		NL_SET_ERR_MSG(extack, "Unsupported mode");
		goto out;
	}

	/* From here on each failing check sets err itself. */
	err = 0;

	if (attrs[XFRMA_MTIMER_THRESH]) {
		err = verify_mtimer_thresh(!!attrs[XFRMA_ENCAP], sa_dir, extack);
		if (err)
			goto out;
	}

	/* Receive-side flags and attributes are rejected on an output SA. */
	if (sa_dir == XFRM_SA_DIR_OUT) {
		if (p->flags & XFRM_STATE_DECAP_DSCP) {
			NL_SET_ERR_MSG(extack, "Flag DECAP_DSCP should not be set for output SA");
			err = -EINVAL;
			goto out;
		}

		if (p->flags & XFRM_STATE_ICMP) {
			NL_SET_ERR_MSG(extack, "Flag ICMP should not be set for output SA");
			err = -EINVAL;
			goto out;
		}

		if (p->flags & XFRM_STATE_WILDRECV) {
			NL_SET_ERR_MSG(extack, "Flag WILDRECV should not be set for output SA");
			err = -EINVAL;
			goto out;
		}

		if (p->replay_window) {
			NL_SET_ERR_MSG(extack, "Replay window should be 0 for output SA");
			err = -EINVAL;
			goto out;
		}

		if (attrs[XFRMA_IPTFS_DROP_TIME]) {
			NL_SET_ERR_MSG(extack, "IP-TFS drop time should not be set for output SA");
			err = -EINVAL;
			goto out;
		}

		if (attrs[XFRMA_IPTFS_REORDER_WINDOW]) {
			NL_SET_ERR_MSG(extack, "IP-TFS reorder window should not be set for output SA");
			err = -EINVAL;
			goto out;
		}

		if (attrs[XFRMA_REPLAY_VAL]) {
			struct xfrm_replay_state *replay;

			/*
			 * NOTE(review): the payload is read as a full
			 * struct xfrm_replay_state with no length check in
			 * this function; presumably the netlink policy
			 * guarantees the size - confirm.
			 */
			replay = nla_data(attrs[XFRMA_REPLAY_VAL]);

			if (replay->seq || replay->bitmap) {
				NL_SET_ERR_MSG(extack,
					       "Replay seq and bitmap should be 0 for output SA");
				err = -EINVAL;
				goto out;
			}
		}
	}

	/* Send-side flags and attributes are rejected on an input SA. */
	if (sa_dir == XFRM_SA_DIR_IN) {
		if (p->flags & XFRM_STATE_NOPMTUDISC) {
			NL_SET_ERR_MSG(extack, "Flag NOPMTUDISC should not be set for input SA");
			err = -EINVAL;
			goto out;
		}

		if (attrs[XFRMA_SA_EXTRA_FLAGS]) {
			u32 xflags = nla_get_u32(attrs[XFRMA_SA_EXTRA_FLAGS]);

			if (xflags & XFRM_SA_XFLAG_DONT_ENCAP_DSCP) {
				NL_SET_ERR_MSG(extack, "Flag DONT_ENCAP_DSCP should not be set for input SA");
				err = -EINVAL;
				goto out;
			}

			if (xflags & XFRM_SA_XFLAG_OSEQ_MAY_WRAP) {
				NL_SET_ERR_MSG(extack, "Flag OSEQ_MAY_WRAP should not be set for input SA");
				err = -EINVAL;
				goto out;
			}

		}

		if (attrs[XFRMA_IPTFS_DONT_FRAG]) {
			NL_SET_ERR_MSG(extack, "IP-TFS don't fragment should not be set for input SA");
			err = -EINVAL;
			goto out;
		}

		if (attrs[XFRMA_IPTFS_INIT_DELAY]) {
			NL_SET_ERR_MSG(extack, "IP-TFS initial delay should not be set for input SA");
			err = -EINVAL;
			goto out;
		}

		if (attrs[XFRMA_IPTFS_MAX_QSIZE]) {
			NL_SET_ERR_MSG(extack, "IP-TFS max queue size should not be set for input SA");
			err = -EINVAL;
			goto out;
		}

		if (attrs[XFRMA_IPTFS_PKT_SIZE]) {
			NL_SET_ERR_MSG(extack, "IP-TFS packet size should not be set for input SA");
			err = -EINVAL;
			goto out;
		}
	}

	/* A per-CPU SA is only accepted together with a direction. */
	if (!sa_dir && attrs[XFRMA_SA_PCPU]) {
		NL_SET_ERR_MSG(extack, "SA_PCPU only supported with SA_DIR");
		err = -EINVAL;
		goto out;
	}

out:
	return err;
}

/*
 * Resolve the algorithm named in @rta through @get_byname and attach a
 * kernel copy of the user-supplied algorithm to *@algpp.
 * Returns 0 without touching the outputs when @rta is NULL.
 */
static int attach_one_algo(struct xfrm_algo **algpp, u8 *props,
			   struct xfrm_algo_desc *(*get_byname)(const char *, int),
			   struct nlattr *rta, struct netlink_ext_ack *extack)
{
	struct xfrm_algo *p, *ualg;
	struct xfrm_algo_desc *algo;

	if (!rta)
		return 0;

	ualg = nla_data(rta);

algo = get_byname(ualg->alg_name, 1); 610 if (!algo) { 611 NL_SET_ERR_MSG(extack, "Requested COMP algorithm not found"); 612 return -ENOSYS; 613 } 614 *props = algo->desc.sadb_alg_id; 615 616 p = kmemdup(ualg, xfrm_alg_len(ualg), GFP_KERNEL); 617 if (!p) 618 return -ENOMEM; 619 620 strscpy(p->alg_name, algo->name); 621 *algpp = p; 622 return 0; 623 } 624 625 static int attach_crypt(struct xfrm_state *x, struct nlattr *rta, 626 struct netlink_ext_ack *extack) 627 { 628 struct xfrm_algo *p, *ualg; 629 struct xfrm_algo_desc *algo; 630 631 if (!rta) 632 return 0; 633 634 ualg = nla_data(rta); 635 636 algo = xfrm_ealg_get_byname(ualg->alg_name, 1); 637 if (!algo) { 638 NL_SET_ERR_MSG(extack, "Requested CRYPT algorithm not found"); 639 return -ENOSYS; 640 } 641 x->props.ealgo = algo->desc.sadb_alg_id; 642 643 p = kmemdup(ualg, xfrm_alg_len(ualg), GFP_KERNEL); 644 if (!p) 645 return -ENOMEM; 646 647 strscpy(p->alg_name, algo->name); 648 x->ealg = p; 649 x->geniv = algo->uinfo.encr.geniv; 650 return 0; 651 } 652 653 static int attach_auth(struct xfrm_algo_auth **algpp, u8 *props, 654 struct nlattr *rta, struct netlink_ext_ack *extack) 655 { 656 struct xfrm_algo *ualg; 657 struct xfrm_algo_auth *p; 658 struct xfrm_algo_desc *algo; 659 660 if (!rta) 661 return 0; 662 663 ualg = nla_data(rta); 664 665 algo = xfrm_aalg_get_byname(ualg->alg_name, 1); 666 if (!algo) { 667 NL_SET_ERR_MSG(extack, "Requested AUTH algorithm not found"); 668 return -ENOSYS; 669 } 670 *props = algo->desc.sadb_alg_id; 671 672 p = kmalloc(sizeof(*p) + (ualg->alg_key_len + 7) / 8, GFP_KERNEL); 673 if (!p) 674 return -ENOMEM; 675 676 strscpy(p->alg_name, algo->name); 677 p->alg_key_len = ualg->alg_key_len; 678 p->alg_trunc_len = algo->uinfo.auth.icv_truncbits; 679 memcpy(p->alg_key, ualg->alg_key, (ualg->alg_key_len + 7) / 8); 680 681 *algpp = p; 682 return 0; 683 } 684 685 static int attach_auth_trunc(struct xfrm_algo_auth **algpp, u8 *props, 686 struct nlattr *rta, struct netlink_ext_ack *extack) 687 { 
688 struct xfrm_algo_auth *p, *ualg; 689 struct xfrm_algo_desc *algo; 690 691 if (!rta) 692 return 0; 693 694 ualg = nla_data(rta); 695 696 algo = xfrm_aalg_get_byname(ualg->alg_name, 1); 697 if (!algo) { 698 NL_SET_ERR_MSG(extack, "Requested AUTH_TRUNC algorithm not found"); 699 return -ENOSYS; 700 } 701 if (ualg->alg_trunc_len > algo->uinfo.auth.icv_fullbits) { 702 NL_SET_ERR_MSG(extack, "Invalid length requested for truncated ICV"); 703 return -EINVAL; 704 } 705 *props = algo->desc.sadb_alg_id; 706 707 p = kmemdup(ualg, xfrm_alg_auth_len(ualg), GFP_KERNEL); 708 if (!p) 709 return -ENOMEM; 710 711 strscpy(p->alg_name, algo->name); 712 if (!p->alg_trunc_len) 713 p->alg_trunc_len = algo->uinfo.auth.icv_truncbits; 714 715 *algpp = p; 716 return 0; 717 } 718 719 static int attach_aead(struct xfrm_state *x, struct nlattr *rta, 720 struct netlink_ext_ack *extack) 721 { 722 struct xfrm_algo_aead *p, *ualg; 723 struct xfrm_algo_desc *algo; 724 725 if (!rta) 726 return 0; 727 728 ualg = nla_data(rta); 729 730 algo = xfrm_aead_get_byname(ualg->alg_name, ualg->alg_icv_len, 1); 731 if (!algo) { 732 NL_SET_ERR_MSG(extack, "Requested AEAD algorithm not found"); 733 return -ENOSYS; 734 } 735 x->props.ealgo = algo->desc.sadb_alg_id; 736 737 p = kmemdup(ualg, aead_len(ualg), GFP_KERNEL); 738 if (!p) 739 return -ENOMEM; 740 741 strscpy(p->alg_name, algo->name); 742 x->aead = p; 743 x->geniv = algo->uinfo.aead.geniv; 744 return 0; 745 } 746 747 static inline int xfrm_replay_verify_len(struct xfrm_replay_state_esn *replay_esn, 748 struct nlattr *rp, 749 struct netlink_ext_ack *extack) 750 { 751 struct xfrm_replay_state_esn *up; 752 unsigned int ulen; 753 754 if (!replay_esn || !rp) 755 return 0; 756 757 up = nla_data(rp); 758 ulen = xfrm_replay_state_esn_len(up); 759 760 /* Check the overall length and the internal bitmap length to avoid 761 * potential overflow. 
*/ 762 if (nla_len(rp) < (int)ulen) { 763 NL_SET_ERR_MSG(extack, "ESN attribute is too short"); 764 return -EINVAL; 765 } 766 767 if (xfrm_replay_state_esn_len(replay_esn) != ulen) { 768 NL_SET_ERR_MSG(extack, "New ESN size doesn't match the existing SA's ESN size"); 769 return -EINVAL; 770 } 771 772 if (replay_esn->bmp_len != up->bmp_len) { 773 NL_SET_ERR_MSG(extack, "New ESN bitmap size doesn't match the existing SA's ESN bitmap"); 774 return -EINVAL; 775 } 776 777 if (up->replay_window > up->bmp_len * sizeof(__u32) * 8) { 778 NL_SET_ERR_MSG(extack, "ESN replay window is longer than the bitmap"); 779 return -EINVAL; 780 } 781 782 return 0; 783 } 784 785 static int xfrm_alloc_replay_state_esn(struct xfrm_replay_state_esn **replay_esn, 786 struct xfrm_replay_state_esn **preplay_esn, 787 struct nlattr *rta) 788 { 789 struct xfrm_replay_state_esn *p, *pp, *up; 790 unsigned int klen, ulen; 791 792 if (!rta) 793 return 0; 794 795 up = nla_data(rta); 796 klen = xfrm_replay_state_esn_len(up); 797 ulen = nla_len(rta) >= (int)klen ? 
klen : sizeof(*up); 798 799 p = kzalloc(klen, GFP_KERNEL); 800 if (!p) 801 return -ENOMEM; 802 803 pp = kzalloc(klen, GFP_KERNEL); 804 if (!pp) { 805 kfree(p); 806 return -ENOMEM; 807 } 808 809 memcpy(p, up, ulen); 810 memcpy(pp, up, ulen); 811 812 *replay_esn = p; 813 *preplay_esn = pp; 814 815 return 0; 816 } 817 818 static inline unsigned int xfrm_user_sec_ctx_size(struct xfrm_sec_ctx *xfrm_ctx) 819 { 820 unsigned int len = 0; 821 822 if (xfrm_ctx) { 823 len += sizeof(struct xfrm_user_sec_ctx); 824 len += xfrm_ctx->ctx_len; 825 } 826 return len; 827 } 828 829 static void copy_from_user_state(struct xfrm_state *x, struct xfrm_usersa_info *p) 830 { 831 memcpy(&x->id, &p->id, sizeof(x->id)); 832 memcpy(&x->sel, &p->sel, sizeof(x->sel)); 833 memcpy(&x->lft, &p->lft, sizeof(x->lft)); 834 x->props.mode = p->mode; 835 x->props.replay_window = min_t(unsigned int, p->replay_window, 836 sizeof(x->replay.bitmap) * 8); 837 x->props.reqid = p->reqid; 838 x->props.family = p->family; 839 memcpy(&x->props.saddr, &p->saddr, sizeof(x->props.saddr)); 840 x->props.flags = p->flags; 841 842 if (!x->sel.family && !(p->flags & XFRM_STATE_AF_UNSPEC)) 843 x->sel.family = p->family; 844 } 845 846 /* 847 * someday when pfkey also has support, we could have the code 848 * somehow made shareable and move it to xfrm_state.c - JHS 849 * 850 */ 851 static void xfrm_update_ae_params(struct xfrm_state *x, struct nlattr **attrs, 852 int update_esn) 853 { 854 struct nlattr *rp = attrs[XFRMA_REPLAY_VAL]; 855 struct nlattr *re = update_esn ? 
attrs[XFRMA_REPLAY_ESN_VAL] : NULL; 856 struct nlattr *lt = attrs[XFRMA_LTIME_VAL]; 857 struct nlattr *et = attrs[XFRMA_ETIMER_THRESH]; 858 struct nlattr *rt = attrs[XFRMA_REPLAY_THRESH]; 859 struct nlattr *mt = attrs[XFRMA_MTIMER_THRESH]; 860 861 if (re && x->replay_esn && x->preplay_esn) { 862 struct xfrm_replay_state_esn *replay_esn; 863 replay_esn = nla_data(re); 864 memcpy(x->replay_esn, replay_esn, 865 xfrm_replay_state_esn_len(replay_esn)); 866 memcpy(x->preplay_esn, replay_esn, 867 xfrm_replay_state_esn_len(replay_esn)); 868 } 869 870 if (rp) { 871 struct xfrm_replay_state *replay; 872 replay = nla_data(rp); 873 memcpy(&x->replay, replay, sizeof(*replay)); 874 memcpy(&x->preplay, replay, sizeof(*replay)); 875 } 876 877 if (lt) { 878 struct xfrm_lifetime_cur *ltime; 879 ltime = nla_data(lt); 880 x->curlft.bytes = ltime->bytes; 881 x->curlft.packets = ltime->packets; 882 x->curlft.add_time = ltime->add_time; 883 x->curlft.use_time = ltime->use_time; 884 } 885 886 if (et) 887 x->replay_maxage = nla_get_u32(et); 888 889 if (rt) 890 x->replay_maxdiff = nla_get_u32(rt); 891 892 if (mt) 893 x->mapping_maxage = nla_get_u32(mt); 894 } 895 896 static void xfrm_smark_init(struct nlattr **attrs, struct xfrm_mark *m) 897 { 898 if (attrs[XFRMA_SET_MARK]) { 899 m->v = nla_get_u32(attrs[XFRMA_SET_MARK]); 900 m->m = nla_get_u32_default(attrs[XFRMA_SET_MARK_MASK], 901 0xffffffff); 902 } else { 903 m->v = m->m = 0; 904 } 905 } 906 907 static struct xfrm_state *xfrm_state_construct(struct net *net, 908 struct xfrm_usersa_info *p, 909 struct nlattr **attrs, 910 int *errp, 911 struct netlink_ext_ack *extack) 912 { 913 struct xfrm_state *x = xfrm_state_alloc(net); 914 int err = -ENOMEM; 915 916 if (!x) 917 goto error_no_put; 918 919 copy_from_user_state(x, p); 920 921 if (attrs[XFRMA_ENCAP]) { 922 x->encap = kmemdup(nla_data(attrs[XFRMA_ENCAP]), 923 sizeof(*x->encap), GFP_KERNEL); 924 if (x->encap == NULL) 925 goto error; 926 } 927 928 if (attrs[XFRMA_COADDR]) { 929 x->coaddr = 
kmemdup(nla_data(attrs[XFRMA_COADDR]), 930 sizeof(*x->coaddr), GFP_KERNEL); 931 if (x->coaddr == NULL) 932 goto error; 933 } 934 935 if (attrs[XFRMA_SA_EXTRA_FLAGS]) 936 x->props.extra_flags = nla_get_u32(attrs[XFRMA_SA_EXTRA_FLAGS]); 937 938 if ((err = attach_aead(x, attrs[XFRMA_ALG_AEAD], extack))) 939 goto error; 940 if ((err = attach_auth_trunc(&x->aalg, &x->props.aalgo, 941 attrs[XFRMA_ALG_AUTH_TRUNC], extack))) 942 goto error; 943 if (!x->props.aalgo) { 944 if ((err = attach_auth(&x->aalg, &x->props.aalgo, 945 attrs[XFRMA_ALG_AUTH], extack))) 946 goto error; 947 } 948 if ((err = attach_crypt(x, attrs[XFRMA_ALG_CRYPT], extack))) 949 goto error; 950 if ((err = attach_one_algo(&x->calg, &x->props.calgo, 951 xfrm_calg_get_byname, 952 attrs[XFRMA_ALG_COMP], extack))) 953 goto error; 954 955 if (attrs[XFRMA_TFCPAD]) { 956 x->tfcpad = nla_get_u32(attrs[XFRMA_TFCPAD]); 957 if (x->tfcpad > IP_MAX_MTU) { 958 NL_SET_ERR_MSG(extack, "Excessive TFC padding"); 959 err = -EINVAL; 960 goto error; 961 } 962 } 963 964 xfrm_mark_get(attrs, &x->mark); 965 966 xfrm_smark_init(attrs, &x->props.smark); 967 968 if (attrs[XFRMA_IF_ID]) 969 x->if_id = nla_get_u32(attrs[XFRMA_IF_ID]); 970 971 if (attrs[XFRMA_SA_DIR]) 972 x->dir = nla_get_u8(attrs[XFRMA_SA_DIR]); 973 974 if (attrs[XFRMA_NAT_KEEPALIVE_INTERVAL]) 975 x->nat_keepalive_interval = 976 nla_get_u32(attrs[XFRMA_NAT_KEEPALIVE_INTERVAL]); 977 978 if (attrs[XFRMA_SA_PCPU]) { 979 x->pcpu_num = nla_get_u32(attrs[XFRMA_SA_PCPU]); 980 if (x->pcpu_num >= num_possible_cpus()) { 981 err = -ERANGE; 982 NL_SET_ERR_MSG(extack, "pCPU number too big"); 983 goto error; 984 } 985 } 986 987 err = __xfrm_init_state(x, extack); 988 if (err) 989 goto error; 990 991 if (attrs[XFRMA_SEC_CTX]) { 992 err = security_xfrm_state_alloc(x, 993 nla_data(attrs[XFRMA_SEC_CTX])); 994 if (err) 995 goto error; 996 } 997 998 if ((err = xfrm_alloc_replay_state_esn(&x->replay_esn, &x->preplay_esn, 999 attrs[XFRMA_REPLAY_ESN_VAL]))) 1000 goto error; 1001 1002 
x->km.seq = p->seq; 1003 x->replay_maxdiff = net->xfrm.sysctl_aevent_rseqth; 1004 /* sysctl_xfrm_aevent_etime is in 100ms units */ 1005 x->replay_maxage = (net->xfrm.sysctl_aevent_etime*HZ)/XFRM_AE_ETH_M; 1006 1007 if ((err = xfrm_init_replay(x, extack))) 1008 goto error; 1009 1010 /* override default values from above */ 1011 xfrm_update_ae_params(x, attrs, 0); 1012 1013 xfrm_set_type_offload(x, attrs[XFRMA_OFFLOAD_DEV]); 1014 /* configure the hardware if offload is requested */ 1015 if (attrs[XFRMA_OFFLOAD_DEV]) { 1016 err = xfrm_dev_state_add(net, x, 1017 nla_data(attrs[XFRMA_OFFLOAD_DEV]), 1018 extack); 1019 if (err) 1020 goto error; 1021 } 1022 1023 if (x->mode_cbs && x->mode_cbs->user_init) { 1024 err = x->mode_cbs->user_init(net, x, attrs, extack); 1025 if (err) 1026 goto error; 1027 } 1028 1029 return x; 1030 1031 error: 1032 x->km.state = XFRM_STATE_DEAD; 1033 xfrm_state_put(x); 1034 error_no_put: 1035 *errp = err; 1036 return NULL; 1037 } 1038 1039 static int xfrm_add_sa(struct sk_buff *skb, struct nlmsghdr *nlh, 1040 struct nlattr **attrs, struct netlink_ext_ack *extack) 1041 { 1042 struct net *net = sock_net(skb->sk); 1043 struct xfrm_usersa_info *p = nlmsg_data(nlh); 1044 struct xfrm_state *x; 1045 int err; 1046 struct km_event c; 1047 1048 err = verify_newsa_info(p, attrs, extack); 1049 if (err) 1050 return err; 1051 1052 x = xfrm_state_construct(net, p, attrs, &err, extack); 1053 if (!x) 1054 return err; 1055 1056 xfrm_state_hold(x); 1057 if (nlh->nlmsg_type == XFRM_MSG_NEWSA) 1058 err = xfrm_state_add(x); 1059 else 1060 err = xfrm_state_update(x); 1061 1062 xfrm_audit_state_add(x, err ? 
0 : 1, true); 1063 1064 if (err < 0) { 1065 x->km.state = XFRM_STATE_DEAD; 1066 xfrm_dev_state_delete(x); 1067 __xfrm_state_put(x); 1068 goto out; 1069 } 1070 1071 if (x->km.state == XFRM_STATE_VOID) 1072 x->km.state = XFRM_STATE_VALID; 1073 1074 c.seq = nlh->nlmsg_seq; 1075 c.portid = nlh->nlmsg_pid; 1076 c.event = nlh->nlmsg_type; 1077 1078 km_state_notify(x, &c); 1079 out: 1080 xfrm_state_put(x); 1081 return err; 1082 } 1083 1084 static struct xfrm_state *xfrm_user_state_lookup(struct net *net, 1085 struct xfrm_usersa_id *p, 1086 struct nlattr **attrs, 1087 int *errp) 1088 { 1089 struct xfrm_state *x = NULL; 1090 struct xfrm_mark m; 1091 int err; 1092 u32 mark = xfrm_mark_get(attrs, &m); 1093 1094 if (xfrm_id_proto_match(p->proto, IPSEC_PROTO_ANY)) { 1095 err = -ESRCH; 1096 x = xfrm_state_lookup(net, mark, &p->daddr, p->spi, p->proto, p->family); 1097 } else { 1098 xfrm_address_t *saddr = NULL; 1099 1100 verify_one_addr(attrs, XFRMA_SRCADDR, &saddr); 1101 if (!saddr) { 1102 err = -EINVAL; 1103 goto out; 1104 } 1105 1106 err = -ESRCH; 1107 x = xfrm_state_lookup_byaddr(net, mark, 1108 &p->daddr, saddr, 1109 p->proto, p->family); 1110 } 1111 1112 out: 1113 if (!x && errp) 1114 *errp = err; 1115 return x; 1116 } 1117 1118 static int xfrm_del_sa(struct sk_buff *skb, struct nlmsghdr *nlh, 1119 struct nlattr **attrs, struct netlink_ext_ack *extack) 1120 { 1121 struct net *net = sock_net(skb->sk); 1122 struct xfrm_state *x; 1123 int err = -ESRCH; 1124 struct km_event c; 1125 struct xfrm_usersa_id *p = nlmsg_data(nlh); 1126 1127 x = xfrm_user_state_lookup(net, p, attrs, &err); 1128 if (x == NULL) 1129 return err; 1130 1131 if ((err = security_xfrm_state_delete(x)) != 0) 1132 goto out; 1133 1134 if (xfrm_state_kern(x)) { 1135 NL_SET_ERR_MSG(extack, "SA is in use by tunnels"); 1136 err = -EPERM; 1137 goto out; 1138 } 1139 1140 err = xfrm_state_delete(x); 1141 if (err < 0) 1142 goto out; 1143 1144 c.seq = nlh->nlmsg_seq; 1145 c.portid = nlh->nlmsg_pid; 1146 c.event = 
nlh->nlmsg_type; 1147 km_state_notify(x, &c); 1148 1149 out: 1150 xfrm_audit_state_delete(x, err ? 0 : 1, true); 1151 xfrm_state_put(x); 1152 return err; 1153 } 1154 1155 static void copy_to_user_state(struct xfrm_state *x, struct xfrm_usersa_info *p) 1156 { 1157 memset(p, 0, sizeof(*p)); 1158 memcpy(&p->id, &x->id, sizeof(p->id)); 1159 memcpy(&p->sel, &x->sel, sizeof(p->sel)); 1160 memcpy(&p->lft, &x->lft, sizeof(p->lft)); 1161 if (x->xso.dev) 1162 xfrm_dev_state_update_stats(x); 1163 memcpy(&p->curlft, &x->curlft, sizeof(p->curlft)); 1164 put_unaligned(x->stats.replay_window, &p->stats.replay_window); 1165 put_unaligned(x->stats.replay, &p->stats.replay); 1166 put_unaligned(x->stats.integrity_failed, &p->stats.integrity_failed); 1167 memcpy(&p->saddr, &x->props.saddr, sizeof(p->saddr)); 1168 p->mode = x->props.mode; 1169 p->replay_window = x->props.replay_window; 1170 p->reqid = x->props.reqid; 1171 p->family = x->props.family; 1172 p->flags = x->props.flags; 1173 p->seq = x->km.seq; 1174 } 1175 1176 struct xfrm_dump_info { 1177 struct sk_buff *in_skb; 1178 struct sk_buff *out_skb; 1179 u32 nlmsg_seq; 1180 u16 nlmsg_flags; 1181 }; 1182 1183 static int copy_sec_ctx(struct xfrm_sec_ctx *s, struct sk_buff *skb) 1184 { 1185 struct xfrm_user_sec_ctx *uctx; 1186 struct nlattr *attr; 1187 int ctx_size = sizeof(*uctx) + s->ctx_len; 1188 1189 attr = nla_reserve(skb, XFRMA_SEC_CTX, ctx_size); 1190 if (attr == NULL) 1191 return -EMSGSIZE; 1192 1193 uctx = nla_data(attr); 1194 uctx->exttype = XFRMA_SEC_CTX; 1195 uctx->len = ctx_size; 1196 uctx->ctx_doi = s->ctx_doi; 1197 uctx->ctx_alg = s->ctx_alg; 1198 uctx->ctx_len = s->ctx_len; 1199 memcpy(uctx + 1, s->ctx_str, s->ctx_len); 1200 1201 return 0; 1202 } 1203 1204 static void xso_to_xuo(const struct xfrm_dev_offload *xso, 1205 struct xfrm_user_offload *xuo) 1206 { 1207 xuo->ifindex = xso->dev->ifindex; 1208 if (xso->dir == XFRM_DEV_OFFLOAD_IN) 1209 xuo->flags = XFRM_OFFLOAD_INBOUND; 1210 if (xso->type == 
XFRM_DEV_OFFLOAD_PACKET) 1211 xuo->flags |= XFRM_OFFLOAD_PACKET; 1212 } 1213 1214 static int copy_user_offload(struct xfrm_dev_offload *xso, struct sk_buff *skb) 1215 { 1216 struct xfrm_user_offload *xuo; 1217 struct nlattr *attr; 1218 1219 attr = nla_reserve(skb, XFRMA_OFFLOAD_DEV, sizeof(*xuo)); 1220 if (attr == NULL) 1221 return -EMSGSIZE; 1222 1223 xuo = nla_data(attr); 1224 memset(xuo, 0, sizeof(*xuo)); 1225 xso_to_xuo(xso, xuo); 1226 1227 return 0; 1228 } 1229 1230 static bool xfrm_redact(void) 1231 { 1232 return IS_ENABLED(CONFIG_SECURITY) && 1233 security_locked_down(LOCKDOWN_XFRM_SECRET); 1234 } 1235 1236 static int copy_to_user_auth(struct xfrm_algo_auth *auth, struct sk_buff *skb) 1237 { 1238 struct xfrm_algo *algo; 1239 struct xfrm_algo_auth *ap; 1240 struct nlattr *nla; 1241 bool redact_secret = xfrm_redact(); 1242 1243 nla = nla_reserve(skb, XFRMA_ALG_AUTH, 1244 sizeof(*algo) + (auth->alg_key_len + 7) / 8); 1245 if (!nla) 1246 return -EMSGSIZE; 1247 algo = nla_data(nla); 1248 strscpy_pad(algo->alg_name, auth->alg_name); 1249 1250 if (redact_secret && auth->alg_key_len) 1251 memset(algo->alg_key, 0, (auth->alg_key_len + 7) / 8); 1252 else 1253 memcpy(algo->alg_key, auth->alg_key, 1254 (auth->alg_key_len + 7) / 8); 1255 algo->alg_key_len = auth->alg_key_len; 1256 1257 nla = nla_reserve(skb, XFRMA_ALG_AUTH_TRUNC, xfrm_alg_auth_len(auth)); 1258 if (!nla) 1259 return -EMSGSIZE; 1260 ap = nla_data(nla); 1261 strscpy_pad(ap->alg_name, auth->alg_name); 1262 ap->alg_key_len = auth->alg_key_len; 1263 ap->alg_trunc_len = auth->alg_trunc_len; 1264 if (redact_secret && auth->alg_key_len) 1265 memset(ap->alg_key, 0, (auth->alg_key_len + 7) / 8); 1266 else 1267 memcpy(ap->alg_key, auth->alg_key, 1268 (auth->alg_key_len + 7) / 8); 1269 return 0; 1270 } 1271 1272 static int copy_to_user_aead(struct xfrm_algo_aead *aead, struct sk_buff *skb) 1273 { 1274 struct nlattr *nla = nla_reserve(skb, XFRMA_ALG_AEAD, aead_len(aead)); 1275 struct xfrm_algo_aead *ap; 1276 bool 
redact_secret = xfrm_redact(); 1277 1278 if (!nla) 1279 return -EMSGSIZE; 1280 1281 ap = nla_data(nla); 1282 strscpy_pad(ap->alg_name, aead->alg_name); 1283 ap->alg_key_len = aead->alg_key_len; 1284 ap->alg_icv_len = aead->alg_icv_len; 1285 1286 if (redact_secret && aead->alg_key_len) 1287 memset(ap->alg_key, 0, (aead->alg_key_len + 7) / 8); 1288 else 1289 memcpy(ap->alg_key, aead->alg_key, 1290 (aead->alg_key_len + 7) / 8); 1291 return 0; 1292 } 1293 1294 static int copy_to_user_ealg(struct xfrm_algo *ealg, struct sk_buff *skb) 1295 { 1296 struct xfrm_algo *ap; 1297 bool redact_secret = xfrm_redact(); 1298 struct nlattr *nla = nla_reserve(skb, XFRMA_ALG_CRYPT, 1299 xfrm_alg_len(ealg)); 1300 if (!nla) 1301 return -EMSGSIZE; 1302 1303 ap = nla_data(nla); 1304 strscpy_pad(ap->alg_name, ealg->alg_name); 1305 ap->alg_key_len = ealg->alg_key_len; 1306 1307 if (redact_secret && ealg->alg_key_len) 1308 memset(ap->alg_key, 0, (ealg->alg_key_len + 7) / 8); 1309 else 1310 memcpy(ap->alg_key, ealg->alg_key, 1311 (ealg->alg_key_len + 7) / 8); 1312 1313 return 0; 1314 } 1315 1316 static int copy_to_user_calg(struct xfrm_algo *calg, struct sk_buff *skb) 1317 { 1318 struct nlattr *nla = nla_reserve(skb, XFRMA_ALG_COMP, sizeof(*calg)); 1319 struct xfrm_algo *ap; 1320 1321 if (!nla) 1322 return -EMSGSIZE; 1323 1324 ap = nla_data(nla); 1325 strscpy_pad(ap->alg_name, calg->alg_name); 1326 ap->alg_key_len = 0; 1327 1328 return 0; 1329 } 1330 1331 static int copy_to_user_encap(struct xfrm_encap_tmpl *ep, struct sk_buff *skb) 1332 { 1333 struct nlattr *nla = nla_reserve(skb, XFRMA_ENCAP, sizeof(*ep)); 1334 struct xfrm_encap_tmpl *uep; 1335 1336 if (!nla) 1337 return -EMSGSIZE; 1338 1339 uep = nla_data(nla); 1340 memset(uep, 0, sizeof(*uep)); 1341 1342 uep->encap_type = ep->encap_type; 1343 uep->encap_sport = ep->encap_sport; 1344 uep->encap_dport = ep->encap_dport; 1345 uep->encap_oa = ep->encap_oa; 1346 1347 return 0; 1348 } 1349 1350 static int xfrm_smark_put(struct sk_buff *skb, 
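const struct xfrm_mark *m)
{
	int ret = 0;

	/* nothing is emitted for an all-zero mark */
	if (m->v | m->m) {
		ret = nla_put_u32(skb, XFRMA_SET_MARK, m->v);
		if (!ret)
			ret = nla_put_u32(skb, XFRMA_SET_MARK_MASK, m->m);
	}
	return ret;
}

/* Fill the fixed xfrm_usersa_info header @p from @x and append every
 * optional attribute that describes the state to @skb.
 *
 * Key-carrying attributes go through the copy_to_user_*() helpers, which
 * zero the key bytes when xfrm_redact() is true.
 *
 * Returns 0 on success or the first error reported by a put/copy helper.
 * The caller is responsible for cancelling the partially built message.
 *
 * Don't change this without updating xfrm_sa_len!
 */
static int copy_to_user_state_extra(struct xfrm_state *x,
				    struct xfrm_usersa_info *p,
				    struct sk_buff *skb)
{
	int ret = 0;

	copy_to_user_state(x, p);

	if (x->props.extra_flags) {
		ret = nla_put_u32(skb, XFRMA_SA_EXTRA_FLAGS,
				  x->props.extra_flags);
		if (ret)
			goto out;
	}

	if (x->coaddr) {
		ret = nla_put(skb, XFRMA_COADDR, sizeof(*x->coaddr), x->coaddr);
		if (ret)
			goto out;
	}
	if (x->lastused) {
		ret = nla_put_u64_64bit(skb, XFRMA_LASTUSED, x->lastused,
					XFRMA_PAD);
		if (ret)
			goto out;
	}
	if (x->aead) {
		ret = copy_to_user_aead(x->aead, skb);
		if (ret)
			goto out;
	}
	if (x->aalg) {
		ret = copy_to_user_auth(x->aalg, skb);
		if (ret)
			goto out;
	}
	if (x->ealg) {
		ret = copy_to_user_ealg(x->ealg, skb);
		if (ret)
			goto out;
	}
	if (x->calg) {
		ret = copy_to_user_calg(x->calg, skb);
		if (ret)
			goto out;
	}
	if (x->encap) {
		ret = copy_to_user_encap(x->encap, skb);
		if (ret)
			goto out;
	}
	if (x->tfcpad) {
		ret = nla_put_u32(skb, XFRMA_TFCPAD, x->tfcpad);
		if (ret)
			goto out;
	}
	ret = xfrm_mark_put(skb, &x->mark);
	if (ret)
		goto out;

	ret = xfrm_smark_put(skb, &x->props.smark);
	if (ret)
		goto out;

	/* exactly one replay attribute: the ESN form when present */
	if (x->replay_esn)
		ret = nla_put(skb, XFRMA_REPLAY_ESN_VAL,
			      xfrm_replay_state_esn_len(x->replay_esn),
			      x->replay_esn);
	else
		ret = nla_put(skb, XFRMA_REPLAY_VAL, sizeof(x->replay),
			      &x->replay);
	if (ret)
		goto out;
	if (x->xso.dev)
		ret = copy_user_offload(&x->xso, skb);
	if (ret)
		goto out;
	if (x->if_id) {
		ret = nla_put_u32(skb, XFRMA_IF_ID, x->if_id);
		if (ret)
			goto out;
	}
	if (x->security) {
		ret = copy_sec_ctx(x->security, skb);
		if (ret)
			goto out;
	}
	if (x->mode_cbs && x->mode_cbs->copy_to_user)
		ret = x->mode_cbs->copy_to_user(x, skb);
	if (ret)
		goto out;
	if (x->mapping_maxage) {
		ret = nla_put_u32(skb, XFRMA_MTIMER_THRESH, x->mapping_maxage);
		if (ret)
			goto out;
	}
	if (x->pcpu_num != UINT_MAX) {
		ret = nla_put_u32(skb, XFRMA_SA_PCPU, x->pcpu_num);
		if (ret)
			goto out;
	}
	if (x->dir) {
		ret = nla_put_u8(skb, XFRMA_SA_DIR, x->dir);
		/* Check here: the next put would otherwise overwrite a
		 * failure and the message could go out without SA_DIR.
		 */
		if (ret)
			goto out;
	}

	if (x->nat_keepalive_interval) {
		ret = nla_put_u32(skb, XFRMA_NAT_KEEPALIVE_INTERVAL,
				  x->nat_keepalive_interval);
		if (ret)
			goto out;
	}
out:
	return ret;
}

/* State-walk callback: append one XFRM_MSG_NEWSA message for @x to the
 * output skb named in the xfrm_dump_info passed as @ptr.
 *
 * The message is addressed to the port id of the request skb. If filling
 * it fails, or the compat translator (when one is registered) fails, the
 * message is cancelled so no partial record stays in the skb.
 *
 * Returns 0 on success, -EMSGSIZE if the header does not fit, or the
 * error from copy_to_user_state_extra() / alloc_compat().
 */
static int dump_one_state(struct xfrm_state *x, int count, void *ptr)
{
	struct xfrm_dump_info *sp = ptr;
	struct sk_buff *in_skb = sp->in_skb;
	struct sk_buff *skb = sp->out_skb;
	struct xfrm_translator *xtr;
	struct xfrm_usersa_info *p;
	struct nlmsghdr *nlh;
	int err;

	nlh = nlmsg_put(skb, NETLINK_CB(in_skb).portid, sp->nlmsg_seq,
			XFRM_MSG_NEWSA, sizeof(*p), sp->nlmsg_flags);
	if (nlh == NULL)
		return -EMSGSIZE;

	p = nlmsg_data(nlh);

	err = copy_to_user_state_extra(x, p, skb);
	if (err) {
		nlmsg_cancel(skb, nlh);
		return err;
	}
	nlmsg_end(skb, nlh);

	xtr = xfrm_get_translator();
	if (xtr) {
		err = xtr->alloc_compat(skb, nlh);

		xfrm_put_translator(xtr);
		if (err) {
			nlmsg_cancel(skb, nlh);
			return err;
		}
	}

	return 0;
}

/* Dump "done" callback for SA dumps. The walk state lives in cb->args
 * starting at index 1; cb->args[0] is the "walk initialised" flag that
 * xfrm_dump_sa() sets, so the walk is only torn down if it was set up.
 */
static int xfrm_dump_sa_done(struct netlink_callback *cb)
{
	struct xfrm_state_walk *walk = (struct xfrm_state_walk *) &cb->args[1];
	struct sock *sk = cb->skb->sk;
	struct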
net *net = sock_net(sk);

	if (cb->args[0])
		xfrm_state_walk_done(walk, net);
	return 0;
}

/* Netlink dump callback for SAs.
 *
 * On the first call (cb->args[0] == 0) the request is parsed, the
 * optional address filter and protocol are read, and the walk stored in
 * cb->args[1..] is initialised. Every call then continues the walk,
 * emitting one message per state through dump_one_state().
 *
 * Returns skb->len, or a negative error if the first-call setup fails.
 * The result of xfrm_state_walk() itself is deliberately discarded.
 */
static int xfrm_dump_sa(struct sk_buff *skb, struct netlink_callback *cb)
{
	struct net *net = sock_net(skb->sk);
	struct xfrm_state_walk *walk = (struct xfrm_state_walk *) &cb->args[1];
	struct xfrm_dump_info info;

	/* the walk struct must fit in cb->args after the flag slot */
	BUILD_BUG_ON(sizeof(struct xfrm_state_walk) >
		     sizeof(cb->args) - sizeof(cb->args[0]));

	info.in_skb = cb->skb;
	info.out_skb = skb;
	info.nlmsg_seq = cb->nlh->nlmsg_seq;
	info.nlmsg_flags = NLM_F_MULTI;

	if (!cb->args[0]) {
		struct nlattr *attrs[XFRMA_MAX+1];
		struct xfrm_address_filter *filter = NULL;
		u8 proto = 0;
		int err;

		err = nlmsg_parse_deprecated(cb->nlh, 0, attrs, XFRMA_MAX,
					     xfrma_policy, cb->extack);
		if (err < 0)
			return err;

		if (attrs[XFRMA_ADDRESS_FILTER]) {
			/* NOTE(review): copies sizeof(*filter) bytes from the
			 * attribute; this relies on xfrma_policy (applied by
			 * the parse above) to enforce the attribute length -
			 * confirm against the policy table.
			 */
			filter = kmemdup(nla_data(attrs[XFRMA_ADDRESS_FILTER]),
					 sizeof(*filter), GFP_KERNEL);
			if (filter == NULL)
				return -ENOMEM;

			/* see addr_match(), (prefix length >> 5) << 2
			 * will be used to compare xfrm_address_t
			 */
			/* reject prefix lengths beyond the address width in
			 * bits so the comparison stays inside xfrm_address_t
			 */
			if (filter->splen > (sizeof(xfrm_address_t) << 3) ||
			    filter->dplen > (sizeof(xfrm_address_t) << 3)) {
				kfree(filter);
				return -EINVAL;
			}
		}

		if (attrs[XFRMA_PROTO])
			proto = nla_get_u8(attrs[XFRMA_PROTO]);

		/* presumably the walk takes ownership of filter from here
		 * on; verify against xfrm_state_walk_done()
		 */
		xfrm_state_walk_init(walk, proto, filter);
		cb->args[0] = 1;
	}

	(void) xfrm_state_walk(net, walk, dump_one_state, &info);

	return skb->len;
}

/* Build a standalone reply skb holding one XFRM_MSG_NEWSA message for @x.
 *
 * The skb is allocated with GFP_ATOMIC at NLMSG_DEFAULT_SIZE and freed
 * again if dump_one_state() fails.
 *
 * Returns the skb, or an ERR_PTR() carrying -ENOMEM or the build error;
 * callers must test the result with IS_ERR().
 */
static struct sk_buff *xfrm_state_netlink(struct sk_buff *in_skb,
					  struct xfrm_state *x, u32 seq)
{
	struct xfrm_dump_info info;
	struct sk_buff *skb;
	int err;

	skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
	if (!skb)
		return ERR_PTR(-ENOMEM);

	info.in_skb = in_skb;
	info.out_skb = skb;
	info.nlmsg_seq = seq;
info.nlmsg_flags = 0;

	err = dump_one_state(x, 0, &info);
	if (err) {
		kfree_skb(skb);
		return ERR_PTR(err);
	}

	return skb;
}

/* A wrapper for nlmsg_multicast() checking that nlsk is still available.
 * Must be called with RCU read lock.
 *
 * @skb is freed here when the socket is gone (-EPIPE) or when the compat
 * translator fails; otherwise it is handed to nlmsg_multicast(). Callers
 * must not touch @skb after the call on any visible path.
 */
static inline int xfrm_nlmsg_multicast(struct net *net, struct sk_buff *skb,
				       u32 pid, unsigned int group)
{
	struct sock *nlsk = rcu_dereference(net->xfrm.nlsk);
	struct xfrm_translator *xtr;

	if (!nlsk) {
		kfree_skb(skb);
		return -EPIPE;
	}

	xtr = xfrm_get_translator();
	if (xtr) {
		int err = xtr->alloc_compat(skb, nlmsg_hdr(skb));

		xfrm_put_translator(xtr);
		if (err) {
			kfree_skb(skb);
			return err;
		}
	}

	return nlmsg_multicast(nlsk, skb, pid, group, GFP_ATOMIC);
}

/* Size of the XFRM_MSG_NEWSPDINFO reply: a u32 header plus the four
 * attributes build_spdinfo() emits. xfrm_get_spdinfo() treats a build
 * failure as a bug, so this must stay in step with build_spdinfo().
 */
static inline unsigned int xfrm_spdinfo_msgsize(void)
{
	return NLMSG_ALIGN(4)
	       + nla_total_size(sizeof(struct xfrmu_spdinfo))
	       + nla_total_size(sizeof(struct xfrmu_spdhinfo))
	       + nla_total_size(sizeof(struct xfrmu_spdhthresh))
	       + nla_total_size(sizeof(struct xfrmu_spdhthresh));
}

/* Fill @skb with an XFRM_MSG_NEWSPDINFO message: the caller's @flags as
 * payload, then the SPD counters, hash info and the IPv4/IPv6 hash
 * thresholds as attributes.
 *
 * Returns 0 on success, -EMSGSIZE if the header does not fit, or the
 * nla_put() error (the message is cancelled in that case).
 */
static int build_spdinfo(struct sk_buff *skb, struct net *net,
			 u32 portid, u32 seq, u32 flags)
{
	struct xfrmk_spdinfo si;
	/* NOTE(review): the four xfrmu_* structs below are copied to
	 * userspace with sizeof() but are not zero-initialised; that is
	 * only leak-free if every byte is covered by the assignments
	 * (no padding, no extra fields) - confirm against the uapi header.
	 */
	struct xfrmu_spdinfo spc;
	struct xfrmu_spdhinfo sph;
	struct xfrmu_spdhthresh spt4, spt6;
	struct nlmsghdr *nlh;
	int err;
	u32 *f;
	unsigned lseq;

	nlh = nlmsg_put(skb, portid, seq, XFRM_MSG_NEWSPDINFO, sizeof(u32), 0);
	if (nlh == NULL) /* shouldn't really happen ... */
		return -EMSGSIZE;

	f = nlmsg_data(nlh);
	*f = flags;
	xfrm_spd_getinfo(net, &si);
	spc.incnt = si.incnt;
	spc.outcnt = si.outcnt;
	spc.fwdcnt = si.fwdcnt;
	spc.inscnt = si.inscnt;
	spc.outscnt = si.outscnt;
	spc.fwdscnt = si.fwdscnt;
	sph.spdhcnt = si.spdhcnt;
	sph.spdhmcnt = si.spdhmcnt;

	/* seqlock read side: retry until all four thresholds were read
	 * without a concurrent writer (see xfrm_set_spdinfo())
	 */
	do {
		lseq = read_seqbegin(&net->xfrm.policy_hthresh.lock);

		spt4.lbits = net->xfrm.policy_hthresh.lbits4;
		spt4.rbits = net->xfrm.policy_hthresh.rbits4;
		spt6.lbits = net->xfrm.policy_hthresh.lbits6;
		spt6.rbits = net->xfrm.policy_hthresh.rbits6;
	} while (read_seqretry(&net->xfrm.policy_hthresh.lock, lseq));

	err = nla_put(skb, XFRMA_SPD_INFO, sizeof(spc), &spc);
	if (!err)
		err = nla_put(skb, XFRMA_SPD_HINFO, sizeof(sph), &sph);
	if (!err)
		err = nla_put(skb, XFRMA_SPD_IPV4_HTHRESH, sizeof(spt4), &spt4);
	if (!err)
		err = nla_put(skb, XFRMA_SPD_IPV6_HTHRESH, sizeof(spt6), &spt6);
	if (err) {
		nlmsg_cancel(skb, nlh);
		return err;
	}

	nlmsg_end(skb, nlh);
	return 0;
}

/* Handler that updates the policy hash thresholds of the caller's netns.
 *
 * Each supplied attribute is checked for a minimum payload length and
 * for prefix bounds (<= 32 for IPv4, <= 128 for IPv6) before anything is
 * written. Both attributes are validated first; the values are then
 * stored under the write seqlock and the policy hash is rebuilt.
 *
 * Returns 0 on success (also when no attribute was given) or -EINVAL.
 */
static int xfrm_set_spdinfo(struct sk_buff *skb, struct nlmsghdr *nlh,
			    struct nlattr **attrs,
			    struct netlink_ext_ack *extack)
{
	struct net *net = sock_net(skb->sk);
	struct xfrmu_spdhthresh *thresh4 = NULL;
	struct xfrmu_spdhthresh *thresh6 = NULL;

	/* selector prefixlen thresholds to hash policies */
	if (attrs[XFRMA_SPD_IPV4_HTHRESH]) {
		struct nlattr *rta = attrs[XFRMA_SPD_IPV4_HTHRESH];

		if (nla_len(rta) < sizeof(*thresh4)) {
			NL_SET_ERR_MSG(extack, "Invalid SPD_IPV4_HTHRESH attribute length");
			return -EINVAL;
		}
		thresh4 = nla_data(rta);
		if (thresh4->lbits > 32 || thresh4->rbits > 32) {
			NL_SET_ERR_MSG(extack, "Invalid hash threshold (must be <= 32 for IPv4)");
			return -EINVAL;
		}
	}
	if (attrs[XFRMA_SPD_IPV6_HTHRESH]) {
		struct nlattr *rta =
attrs[XFRMA_SPD_IPV6_HTHRESH];

		if (nla_len(rta) < sizeof(*thresh6)) {
			NL_SET_ERR_MSG(extack, "Invalid SPD_IPV6_HTHRESH attribute length");
			return -EINVAL;
		}
		thresh6 = nla_data(rta);
		if (thresh6->lbits > 128 || thresh6->rbits > 128) {
			NL_SET_ERR_MSG(extack, "Invalid hash threshold (must be <= 128 for IPv6)");
			return -EINVAL;
		}
	}

	if (thresh4 || thresh6) {
		/* writer side of the seqlock read in build_spdinfo() */
		write_seqlock(&net->xfrm.policy_hthresh.lock);
		if (thresh4) {
			net->xfrm.policy_hthresh.lbits4 = thresh4->lbits;
			net->xfrm.policy_hthresh.rbits4 = thresh4->rbits;
		}
		if (thresh6) {
			net->xfrm.policy_hthresh.lbits6 = thresh6->lbits;
			net->xfrm.policy_hthresh.rbits6 = thresh6->rbits;
		}
		write_sequnlock(&net->xfrm.policy_hthresh.lock);

		xfrm_policy_hash_rebuild(net);
	}

	return 0;
}

/* Handler that replies to the requester with the SPD statistics of its
 * netns as one XFRM_MSG_NEWSPDINFO unicast message.
 *
 * Returns -ENOMEM if the reply cannot be allocated, otherwise the result
 * of nlmsg_unicast().
 */
static int xfrm_get_spdinfo(struct sk_buff *skb, struct nlmsghdr *nlh,
			    struct nlattr **attrs,
			    struct netlink_ext_ack *extack)
{
	struct net *net = sock_net(skb->sk);
	struct sk_buff *r_skb;
	/* NOTE(review): read straight from the request payload; presumably
	 * the dispatcher guarantees at least sizeof(u32) bytes for this
	 * message type - confirm.
	 */
	u32 *flags = nlmsg_data(nlh);
	u32 sportid = NETLINK_CB(skb).portid;
	u32 seq = nlh->nlmsg_seq;
	int err;

	r_skb = nlmsg_new(xfrm_spdinfo_msgsize(), GFP_ATOMIC);
	if (r_skb == NULL)
		return -ENOMEM;

	err = build_spdinfo(r_skb, net, sportid, seq, *flags);
	/* The skb was sized by xfrm_spdinfo_msgsize(), so a failure here
	 * means the size helper and build_spdinfo() disagree. This halts
	 * the kernel: keep the two functions in step.
	 */
	BUG_ON(err < 0);

	return nlmsg_unicast(xfrm_net_nlsk(net, skb), r_skb, sportid);
}

/* Size of the XFRM_MSG_NEWSADINFO reply: a u32 header plus the two
 * attributes build_sadinfo() emits. xfrm_get_sadinfo() treats a build
 * failure as a bug, so this must stay in step with build_sadinfo().
 */
static inline unsigned int xfrm_sadinfo_msgsize(void)
{
	return NLMSG_ALIGN(4)
	       + nla_total_size(sizeof(struct xfrmu_sadhinfo))
	       + nla_total_size(4); /* XFRMA_SAD_CNT */
}

/* Fill @skb with an XFRM_MSG_NEWSADINFO message: the caller's @flags as
 * payload, then the SA count and the SAD hash info as attributes.
 *
 * Returns 0 on success, -EMSGSIZE if the header does not fit, or the
 * nla_put error (the message is cancelled in that case).
 */
static int build_sadinfo(struct sk_buff *skb, struct net *net,
			 u32 portid, u32 seq, u32 flags)
{
	struct xfrmk_sadinfo si;
	/* NOTE(review): copied out with sizeof() without being zeroed;
	 * leak-free only if the two assignments below cover every byte of
	 * the struct - confirm against the uapi header.
	 */
	struct xfrmu_sadhinfo sh;
	struct nlmsghdr *nlh;
	int err;
	u32 *f;

	nlh = nlmsg_put(skb, portid, seq, XFRM_MSG_NEWSADINFO,
sizeof(u32), 0);
	if (nlh == NULL) /* shouldn't really happen ... */
		return -EMSGSIZE;

	f = nlmsg_data(nlh);
	*f = flags;
	xfrm_sad_getinfo(net, &si);

	sh.sadhmcnt = si.sadhmcnt;
	sh.sadhcnt = si.sadhcnt;

	err = nla_put_u32(skb, XFRMA_SAD_CNT, si.sadcnt);
	if (!err)
		err = nla_put(skb, XFRMA_SAD_HINFO, sizeof(sh), &sh);
	if (err) {
		nlmsg_cancel(skb, nlh);
		return err;
	}

	nlmsg_end(skb, nlh);
	return 0;
}

/* Handler that replies to the requester with the SAD statistics of its
 * netns as one XFRM_MSG_NEWSADINFO unicast message.
 *
 * Returns -ENOMEM if the reply cannot be allocated, otherwise the result
 * of nlmsg_unicast().
 */
static int xfrm_get_sadinfo(struct sk_buff *skb, struct nlmsghdr *nlh,
			    struct nlattr **attrs,
			    struct netlink_ext_ack *extack)
{
	struct net *net = sock_net(skb->sk);
	struct sk_buff *r_skb;
	/* NOTE(review): read straight from the request payload; presumably
	 * the dispatcher guarantees at least sizeof(u32) bytes - confirm.
	 */
	u32 *flags = nlmsg_data(nlh);
	u32 sportid = NETLINK_CB(skb).portid;
	u32 seq = nlh->nlmsg_seq;
	int err;

	r_skb = nlmsg_new(xfrm_sadinfo_msgsize(), GFP_ATOMIC);
	if (r_skb == NULL)
		return -ENOMEM;

	err = build_sadinfo(r_skb, net, sportid, seq, *flags);
	/* sized by xfrm_sadinfo_msgsize(); a failure halts the kernel */
	BUG_ON(err < 0);

	return nlmsg_unicast(xfrm_net_nlsk(net, skb), r_skb, sportid);
}

/* Handler that looks up one SA and unicasts it back to the requester.
 *
 * The reply is built by xfrm_state_netlink(), so key material in it is
 * subject to the xfrm_redact() rule of the copy_to_user_*() helpers.
 * The state reference taken by the lookup is dropped on every path that
 * found a state.
 *
 * Returns 0 on success or a negative error; -ESRCH is the default when
 * the lookup fails without setting one.
 */
static int xfrm_get_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
		       struct nlattr **attrs, struct netlink_ext_ack *extack)
{
	struct net *net = sock_net(skb->sk);
	struct xfrm_usersa_id *p = nlmsg_data(nlh);
	struct xfrm_state *x;
	struct sk_buff *resp_skb;
	int err = -ESRCH;

	x = xfrm_user_state_lookup(net, p, attrs, &err);
	if (x == NULL)
		goto out_noput;

	resp_skb = xfrm_state_netlink(skb, x, nlh->nlmsg_seq);
	if (IS_ERR(resp_skb)) {
		err = PTR_ERR(resp_skb);
	} else {
		err = nlmsg_unicast(xfrm_net_nlsk(net, skb), resp_skb, NETLINK_CB(skb).portid);
	}
	xfrm_state_put(x);
out_noput:
	return err;
}

/* Handler that allocates an SPI for a pending ACQUIRE state and returns
 * the resulting state to the requester.
 *
 * The SPI range is verified first. The state is looked up by sequence
 * number when one is given (and dropped again if its destination address
 * does not match the request), otherwise by the acquire parameters.
 *
 * Returns 0 on success, -EINVAL for a bad range or pCPU number, -ENOENT
 * if no matching ACQUIRE exists, or the error from SPI allocation, reply
 * construction, compat translation or unicast.
 */
static int xfrm_alloc_userspi(struct sk_buff *skb, struct nlmsghdr *nlh,
			      struct nlattr **attrs,
			      struct netlink_ext_ack *extack)
{
	struct net *net = sock_net(skb->sk);
	struct xfrm_state *x;
	struct xfrm_userspi_info *p;
	struct xfrm_translator *xtr;
	struct sk_buff *resp_skb;
	xfrm_address_t *daddr;
	int family;
	int err;
	u32 mark;
	struct xfrm_mark m;
	u32 if_id = 0;
	u32 pcpu_num = UINT_MAX;

	p = nlmsg_data(nlh);
	err = verify_spi_info(p->info.id.proto, p->min, p->max, extack);
	if (err)
		goto out_noput;

	family = p->info.family;
	daddr = &p->info.id.daddr;

	x = NULL;

	mark = xfrm_mark_get(attrs, &m);

	if (attrs[XFRMA_IF_ID])
		if_id = nla_get_u32(attrs[XFRMA_IF_ID]);

	if (attrs[XFRMA_SA_PCPU]) {
		pcpu_num = nla_get_u32(attrs[XFRMA_SA_PCPU]);
		/* user-supplied CPU number: bound it before any lookup */
		if (pcpu_num >= num_possible_cpus()) {
			err = -EINVAL;
			NL_SET_ERR_MSG(extack, "pCPU number too big");
			goto out_noput;
		}
	}

	if (p->info.seq) {
		x = xfrm_find_acq_byseq(net, mark, p->info.seq, pcpu_num);
		/* a sequence match for a different destination is ignored */
		if (x && !xfrm_addr_equal(&x->id.daddr, daddr, family)) {
			xfrm_state_put(x);
			x = NULL;
		}
	}

	if (!x)
		x = xfrm_find_acq(net, &m, p->info.mode, p->info.reqid,
				  if_id, pcpu_num, p->info.id.proto, daddr,
				  &p->info.saddr, 1,
				  family);
	err = -ENOENT;
	if (!x) {
		NL_SET_ERR_MSG(extack, "Target ACQUIRE not found");
		goto out_noput;
	}

	err = xfrm_alloc_spi(x, p->min, p->max, extack);
	if (err)
		goto out;

	/* NOTE(review): the direction is stored without a range check
	 * here; presumably it was validated before the handler runs -
	 * confirm.
	 */
	if (attrs[XFRMA_SA_DIR])
		x->dir = nla_get_u8(attrs[XFRMA_SA_DIR]);

	resp_skb = xfrm_state_netlink(skb, x, nlh->nlmsg_seq);
	if (IS_ERR(resp_skb)) {
		err = PTR_ERR(resp_skb);
		goto out;
	}

	xtr = xfrm_get_translator();
	if (xtr) {
		/* NOTE(review): this translates the request skb, not
		 * resp_skb; the reply already went through alloc_compat()
		 * inside dump_one_state(). Confirm this is intended.
		 */
		err = xtr->alloc_compat(skb, nlmsg_hdr(skb));

		xfrm_put_translator(xtr);
		if (err) {
			kfree_skb(resp_skb);
			goto out;
		}
	}

	err = nlmsg_unicast(xfrm_net_nlsk(net, skb), resp_skb, NETLINK_CB(skb).portid);

out:
	xfrm_state_put(x);
out_noput:
	return err;
}

/* Accept only the three policy directions IN, OUT and FWD.
 * Returns 0 if @dir is one of them, -EINVAL (with an extack message)
 * otherwise.
 */
static int verify_policy_dir(u8 dir, struct netlink_ext_ack *extack)
{
	switch (dir) {
	case XFRM_POLICY_IN:
	case XFRM_POLICY_OUT:
	case XFRM_POLICY_FWD:
		break;

	default:
		NL_SET_ERR_MSG(extack, "Invalid policy direction");
		return -EINVAL;
	}

	return 0;
}

/* Accept XFRM_POLICY_TYPE_MAIN, and XFRM_POLICY_TYPE_SUB only when the
 * kernel is built with CONFIG_XFRM_SUB_POLICY.
 * Returns 0 if @type is accepted, -EINVAL otherwise.
 */
static int verify_policy_type(u8 type, struct netlink_ext_ack *extack)
{
	switch (type) {
	case XFRM_POLICY_TYPE_MAIN:
#ifdef CONFIG_XFRM_SUB_POLICY
	case XFRM_POLICY_TYPE_SUB:
#endif
		break;

	default:
		NL_SET_ERR_MSG(extack, "Invalid policy type");
		return -EINVAL;
	}

	return 0;
}

/* Validate the user-supplied policy header before a policy is built
 * from it: share mode, action, selector family with its prefix lengths,
 * direction, and consistency of a non-zero index with the direction.
 *
 * Returns 0 if everything is acceptable, -EINVAL for a bad field, or
 * -EAFNOSUPPORT for AF_INET6 on a kernel without IPv6.
 */
static int verify_newpolicy_info(struct xfrm_userpolicy_info *p,
				 struct netlink_ext_ack *extack)
{
	int ret;

	switch (p->share) {
	case XFRM_SHARE_ANY:
	case XFRM_SHARE_SESSION:
	case XFRM_SHARE_USER:
	case XFRM_SHARE_UNIQUE:
		break;

	default:
		NL_SET_ERR_MSG(extack, "Invalid policy share");
		return -EINVAL;
	}

	switch (p->action) {
	case XFRM_POLICY_ALLOW:
	case XFRM_POLICY_BLOCK:
		break;

	default:
		NL_SET_ERR_MSG(extack, "Invalid policy action");
		return -EINVAL;
	}

	/* prefix lengths are bounded by the address width of the family */
	switch (p->sel.family) {
	case AF_INET:
		if (p->sel.prefixlen_d > 32 || p->sel.prefixlen_s > 32) {
			NL_SET_ERR_MSG(extack, "Invalid prefix length in selector (must be <= 32 for IPv4)");
			return -EINVAL;
		}

		break;

	case AF_INET6:
#if IS_ENABLED(CONFIG_IPV6)
		if (p->sel.prefixlen_d > 128 || p->sel.prefixlen_s > 128) {
			NL_SET_ERR_MSG(extack, "Invalid prefix length in selector (must be <= 128 for IPv6)");
			return -EINVAL;
		}

		break;
#else
		NL_SET_ERR_MSG(extack, "IPv6 support disabled");
		return -EAFNOSUPPORT;
#endif
default:
		NL_SET_ERR_MSG(extack, "Invalid selector family");
		return -EINVAL;
	}

	ret = verify_policy_dir(p->dir, extack);
	if (ret)
		return ret;
	/* a caller-chosen index must encode the same direction */
	if (p->index && (xfrm_policy_id2dir(p->index) != p->dir)) {
		NL_SET_ERR_MSG(extack, "Policy index doesn't match direction");
		return -EINVAL;
	}

	return 0;
}

/* Attach the security context from XFRMA_SEC_CTX, if present, to @pol.
 *
 * The attribute payload is passed on without a length check here; the
 * visible caller chain runs verify_sec_ctx_len() first (see
 * xfrm_add_policy()). Any new caller must do the same.
 *
 * Returns 0 when the attribute is absent, otherwise the result of
 * security_xfrm_policy_alloc().
 */
static int copy_from_user_sec_ctx(struct xfrm_policy *pol, struct nlattr **attrs)
{
	struct nlattr *rt = attrs[XFRMA_SEC_CTX];
	struct xfrm_user_sec_ctx *uctx;

	if (!rt)
		return 0;

	uctx = nla_data(rt);
	return security_xfrm_policy_alloc(&pol->security, uctx, GFP_KERNEL);
}

/* Copy @nr user templates from @ut into xp->xfrm_vec and set xfrm_nr.
 *
 * No bounds check is done here: @nr must already have been limited to
 * XFRM_MAX_DEPTH, which copy_from_user_tmpl() ensures by calling
 * validate_tmpl() first.
 */
static void copy_templates(struct xfrm_policy *xp, struct xfrm_user_tmpl *ut,
			   int nr)
{
	int i;

	xp->xfrm_nr = nr;
	for (i = 0; i < nr; i++, ut++) {
		struct xfrm_tmpl *t = &xp->xfrm_vec[i];

		memcpy(&t->id, &ut->id, sizeof(struct xfrm_id));
		memcpy(&t->saddr, &ut->saddr,
		       sizeof(xfrm_address_t));
		t->reqid = ut->reqid;
		t->mode = ut->mode;
		t->share = ut->share;
		t->optional = ut->optional;
		t->aalgos = ut->aalgos;
		t->ealgos = ut->ealgos;
		t->calgos = ut->calgos;
		/* If all masks are ~0, then we allow all algorithms. */
		t->allalgs = !~(t->aalgos & t->ealgos & t->calgos);
		t->encap_family = ut->family;
	}
}

/* Validate @nr user templates before they are copied into a policy.
 *
 * Checks the count against XFRM_MAX_DEPTH, then for each template the
 * mode, the address family and the protocol. A zero family is replaced
 * in place by the policy @family, so this function writes to the
 * attribute payload it validates.
 *
 * Returns 0 if all templates are acceptable, -EINVAL otherwise.
 */
static int validate_tmpl(int nr, struct xfrm_user_tmpl *ut, u16 family,
			 int dir, struct netlink_ext_ack *extack)
{
	u16 prev_family;
	int i;

	/* this bound is what keeps copy_templates() inside xfrm_vec */
	if (nr > XFRM_MAX_DEPTH) {
		NL_SET_ERR_MSG(extack, "Template count must be <= XFRM_MAX_DEPTH (" __stringify(XFRM_MAX_DEPTH) ")");
		return -EINVAL;
	}

	prev_family = family;

	for (i = 0; i < nr; i++) {
		/* We never validated the ut->family value, so many
		 * applications simply leave it at zero.  The check was
		 * never made and ut->family was ignored because all
		 * templates could be assumed to have the same family as
		 * the policy itself.  Now that we will have ipv4-in-ipv6
		 * and ipv6-in-ipv4 tunnels, this is no longer true.
		 */
		if (!ut[i].family)
			ut[i].family = family;

		/* only tunnel, BEET and IPTFS may change the family */
		switch (ut[i].mode) {
		case XFRM_MODE_TUNNEL:
		case XFRM_MODE_BEET:
			if (ut[i].optional && dir == XFRM_POLICY_OUT) {
				NL_SET_ERR_MSG(extack, "Mode in optional template not allowed in outbound policy");
				return -EINVAL;
			}
			break;
		case XFRM_MODE_IPTFS:
			break;
		default:
			if (ut[i].family != prev_family) {
				NL_SET_ERR_MSG(extack, "Mode in template doesn't support a family change");
				return -EINVAL;
			}
			break;
		}
		/* The range check comes after the switch; an out-of-range
		 * mode only reaches the default arm above, which compares
		 * families and does not index anything by mode.
		 */
		if (ut[i].mode >= XFRM_MODE_MAX) {
			NL_SET_ERR_MSG(extack, "Mode in template must be < XFRM_MODE_MAX (" __stringify(XFRM_MODE_MAX) ")");
			return -EINVAL;
		}

		prev_family = ut[i].family;

		switch (ut[i].family) {
		case AF_INET:
			break;
#if IS_ENABLED(CONFIG_IPV6)
		case AF_INET6:
			break;
#endif
		default:
			NL_SET_ERR_MSG(extack, "Invalid family in template");
			return -EINVAL;
		}

		if (!xfrm_id_proto_valid(ut[i].id.proto)) {
			NL_SET_ERR_MSG(extack, "Invalid XFRM protocol in template");
			return -EINVAL;
		}
	}

	return 0;
}

/* Load the templates from XFRMA_TMPL into @pol after validating them.
 *
 * The template count is the attribute length divided by the template
 * size; trailing bytes that do not form a whole template are ignored.
 * Without the attribute the policy gets zero templates.
 *
 * Returns 0 on success or the error from validate_tmpl().
 */
static int copy_from_user_tmpl(struct xfrm_policy *pol, struct nlattr **attrs,
			       int dir, struct netlink_ext_ack *extack)
{
	struct nlattr *rt = attrs[XFRMA_TMPL];

	if (!rt) {
		pol->xfrm_nr = 0;
	} else {
		struct xfrm_user_tmpl *utmpl = nla_data(rt);
		int nr = nla_len(rt) / sizeof(*utmpl);
		int err;

		err = validate_tmpl(nr, utmpl, pol->family, dir, extack);
		if (err)
			return err;

		copy_templates(pol, utmpl, nr);
	}
	return 0;
}

/* Read the policy type from XFRMA_POLICY_TYPE (XFRM_POLICY_TYPE_MAIN if
 * the attribute is absent), verify it and store it in *tp.
 * Returns 0 on success or the error from verify_policy_type(); *tp is
 * only written on success.
 */
static int
copy_from_user_policy_type(u8 *tp, struct nlattr **attrs,
			   struct netlink_ext_ack *extack)
{
	struct nlattr *rt = attrs[XFRMA_POLICY_TYPE];
	struct xfrm_userpolicy_type *upt;
	u8 type = XFRM_POLICY_TYPE_MAIN;
	int err;

	/* NOTE(review): upt->type is read without a length check here;
	 * presumably the attribute policy guarantees the payload size -
	 * confirm.
	 */
	if (rt) {
		upt = nla_data(rt);
		type = upt->type;
	}

	err = verify_policy_type(type, extack);
	if (err)
		return err;

	*tp = type;
	return 0;
}

/* Copy the user-supplied policy header into the kernel policy @xp.
 * Values are taken as-is; the visible caller validates them beforehand
 * with verify_newpolicy_info(). The share mode is not copied.
 */
static void copy_from_user_policy(struct xfrm_policy *xp, struct xfrm_userpolicy_info *p)
{
	xp->priority = p->priority;
	xp->index = p->index;
	memcpy(&xp->selector, &p->sel, sizeof(xp->selector));
	memcpy(&xp->lft, &p->lft, sizeof(xp->lft));
	xp->action = p->action;
	xp->flags = p->flags;
	xp->family = p->sel.family;
	/* XXX xp->share = p->share; */
}

/* Fill the user-visible policy header @p from the kernel policy @xp.
 * @p is zeroed first so that no byte of the outgoing structure is left
 * uninitialised. The share mode is always reported as XFRM_SHARE_ANY.
 */
static void copy_to_user_policy(struct xfrm_policy *xp, struct xfrm_userpolicy_info *p, int dir)
{
	memset(p, 0, sizeof(*p));
	memcpy(&p->sel, &xp->selector, sizeof(p->sel));
	memcpy(&p->lft, &xp->lft, sizeof(p->lft));
	memcpy(&p->curlft, &xp->curlft, sizeof(p->curlft));
	p->priority = xp->priority;
	p->index = xp->index;
	p->sel.family = xp->family;
	p->dir = dir;
	p->action = xp->action;
	p->flags = xp->flags;
	p->share = XFRM_SHARE_ANY; /* XXX xp->share */
}

/* Allocate a policy and populate it from the request header @p and the
 * parsed attributes: type, templates, security context, mark, interface
 * id and, if requested, hardware offload.
 *
 * Returns the new policy, or NULL with *errp set. On any failure after
 * allocation the policy is marked dead and destroyed here.
 */
static struct xfrm_policy *xfrm_policy_construct(struct net *net,
						 struct xfrm_userpolicy_info *p,
						 struct nlattr **attrs,
						 int *errp,
						 struct netlink_ext_ack *extack)
{
	struct xfrm_policy *xp = xfrm_policy_alloc(net, GFP_KERNEL);
	int err;

	if (!xp) {
		*errp = -ENOMEM;
		return NULL;
	}

	copy_from_user_policy(xp, p);

	err = copy_from_user_policy_type(&xp->type, attrs, extack);
	if (err)
		goto error;

	/* the security context is only attached if the templates passed */
	if (!(err = copy_from_user_tmpl(xp, attrs, p->dir, extack)))
		err = copy_from_user_sec_ctx(xp, attrs);
	if
(err)
		goto error;

	xfrm_mark_get(attrs, &xp->mark);

	if (attrs[XFRMA_IF_ID])
		xp->if_id = nla_get_u32(attrs[XFRMA_IF_ID]);

	/* configure the hardware if offload is requested */
	if (attrs[XFRMA_OFFLOAD_DEV]) {
		err = xfrm_dev_policy_add(net, xp,
					  nla_data(attrs[XFRMA_OFFLOAD_DEV]),
					  p->dir, extack);
		if (err)
			goto error;
	}

	return xp;
 error:
	*errp = err;
	/* mark dead before destroying the never-inserted policy */
	xp->walk.dead = 1;
	xfrm_policy_destroy(xp);
	return NULL;
}

/* Handler for adding or updating a policy.
 *
 * The header and the security-context length are validated before the
 * policy is constructed. The insert is exclusive for XFRM_MSG_NEWPOLICY.
 * The outcome of the insert is audited whether it succeeded or not; on
 * failure the offload is removed and the policy destroyed, on success
 * the key managers are notified.
 *
 * Returns 0 on success or a negative error.
 */
static int xfrm_add_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
			   struct nlattr **attrs,
			   struct netlink_ext_ack *extack)
{
	struct net *net = sock_net(skb->sk);
	struct xfrm_userpolicy_info *p = nlmsg_data(nlh);
	struct xfrm_policy *xp;
	struct km_event c;
	int err;
	int excl;

	err = verify_newpolicy_info(p, extack);
	if (err)
		return err;
	/* must precede xfrm_policy_construct(), which consumes the
	 * security context without checking its length
	 */
	err = verify_sec_ctx_len(attrs, extack);
	if (err)
		return err;

	xp = xfrm_policy_construct(net, p, attrs, &err, extack);
	if (!xp)
		return err;

	/* shouldn't excl be based on nlh flags??
	 * Aha! this is anti-netlink really i.e  more pfkey derived
	 * in netlink excl is a flag and you wouldn't need
	 * a type XFRM_MSG_UPDPOLICY - JHS */
	excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY;
	err = xfrm_policy_insert(p->dir, xp, excl);
	xfrm_audit_policy_add(xp, err ?
0 : 1, true);

	if (err) {
		xfrm_dev_policy_delete(xp);
		xp->walk.dead = 1;
		xfrm_policy_destroy(xp);
		return err;
	}

	c.event = nlh->nlmsg_type;
	c.seq = nlh->nlmsg_seq;
	c.portid = nlh->nlmsg_pid;
	km_policy_notify(xp, p->dir, &c);

	xfrm_pol_put(xp);

	return 0;
}

/* Emit the templates of @xp as one XFRMA_TMPL attribute.
 *
 * The templates are converted into a stack array of XFRM_MAX_DEPTH
 * entries. Each used entry is zeroed before it is filled, and only
 * xfrm_nr entries are copied out, so no uninitialised stack bytes reach
 * userspace.
 *
 * Returns 0 when there are no templates or on success, -ENOBUFS if
 * xfrm_nr exceeds XFRM_MAX_DEPTH, or the nla_put() error.
 */
static int copy_to_user_tmpl(struct xfrm_policy *xp, struct sk_buff *skb)
{
	struct xfrm_user_tmpl vec[XFRM_MAX_DEPTH];
	int i;

	if (xp->xfrm_nr == 0)
		return 0;

	/* guards the writes to vec[] below */
	if (xp->xfrm_nr > XFRM_MAX_DEPTH)
		return -ENOBUFS;

	for (i = 0; i < xp->xfrm_nr; i++) {
		struct xfrm_user_tmpl *up = &vec[i];
		struct xfrm_tmpl *kp = &xp->xfrm_vec[i];

		memset(up, 0, sizeof(*up));
		memcpy(&up->id, &kp->id, sizeof(up->id));
		up->family = kp->encap_family;
		memcpy(&up->saddr, &kp->saddr, sizeof(up->saddr));
		up->reqid = kp->reqid;
		up->mode = kp->mode;
		up->share = kp->share;
		up->optional = kp->optional;
		up->aalgos = kp->aalgos;
		up->ealgos = kp->ealgos;
		up->calgos = kp->calgos;
	}

	return nla_put(skb, XFRMA_TMPL,
		       sizeof(struct xfrm_user_tmpl) * xp->xfrm_nr, vec);
}

/* Emit the security context of state @x, if it has one.
 * Returns 0 when there is none, otherwise the copy_sec_ctx() result.
 */
static inline int copy_to_user_state_sec_ctx(struct xfrm_state *x, struct sk_buff *skb)
{
	if (x->security) {
		return copy_sec_ctx(x->security, skb);
	}
	return 0;
}

/* Emit the security context of policy @xp, if it has one.
 * Returns 0 when there is none, otherwise the copy_sec_ctx() result.
 */
static inline int copy_to_user_sec_ctx(struct xfrm_policy *xp, struct sk_buff *skb)
{
	if (xp->security)
		return copy_sec_ctx(xp->security, skb);
	return 0;
}
/* Space needed for the XFRMA_POLICY_TYPE attribute: its total size with
 * CONFIG_XFRM_SUB_POLICY, 0 without (the attribute is then not emitted).
 */
static inline unsigned int userpolicy_type_attrsize(void)
{
#ifdef CONFIG_XFRM_SUB_POLICY
	return nla_total_size(sizeof(struct xfrm_userpolicy_type));
#else
	return 0;
#endif
}

#ifdef CONFIG_XFRM_SUB_POLICY
/* Emit the policy type as XFRMA_POLICY_TYPE. The structure is zeroed
 * before the type is set so that its holes are not copied out
 * uninitialised. Returns the nla_put() result.
 */
static int copy_to_user_policy_type(u8 type, struct sk_buff *skb)
{
	struct xfrm_userpolicy_type upt;
/* Sadly there are two holes in struct xfrm_userpolicy_type */
	memset(&upt, 0, sizeof(upt));
	upt.type = type;

	return nla_put(skb, XFRMA_POLICY_TYPE, sizeof(upt), &upt);
}

#else
/* Without CONFIG_XFRM_SUB_POLICY no type attribute is emitted. */
static inline int copy_to_user_policy_type(u8 type, struct sk_buff *skb)
{
	return 0;
}
#endif

/* Policy-walk callback: append one XFRM_MSG_NEWPOLICY message for @xp
 * to the output skb named in the xfrm_dump_info passed as @ptr.
 *
 * The header is filled by copy_to_user_policy(), followed by templates,
 * security context, type, mark, interface id and offload attributes.
 * The first failing step stops the chain and the message is cancelled;
 * the same happens if the compat translator fails.
 *
 * Returns 0 on success, -EMSGSIZE if the header does not fit, or the
 * error of the failing step.
 */
static int dump_one_policy(struct xfrm_policy *xp, int dir, int count, void *ptr)
{
	struct xfrm_dump_info *sp = ptr;
	struct xfrm_userpolicy_info *p;
	struct sk_buff *in_skb = sp->in_skb;
	struct sk_buff *skb = sp->out_skb;
	struct xfrm_translator *xtr;
	struct nlmsghdr *nlh;
	int err;

	nlh = nlmsg_put(skb, NETLINK_CB(in_skb).portid, sp->nlmsg_seq,
			XFRM_MSG_NEWPOLICY, sizeof(*p), sp->nlmsg_flags);
	if (nlh == NULL)
		return -EMSGSIZE;

	p = nlmsg_data(nlh);
	copy_to_user_policy(xp, p, dir);
	err = copy_to_user_tmpl(xp, skb);
	if (!err)
		err = copy_to_user_sec_ctx(xp, skb);
	if (!err)
		err = copy_to_user_policy_type(xp->type, skb);
	if (!err)
		err = xfrm_mark_put(skb, &xp->mark);
	if (!err)
		err = xfrm_if_id_put(skb, xp->if_id);
	if (!err && xp->xdo.dev)
		err = copy_user_offload(&xp->xdo, skb);
	if (err) {
		nlmsg_cancel(skb, nlh);
		return err;
	}
	nlmsg_end(skb, nlh);

	xtr = xfrm_get_translator();
	if (xtr) {
		err = xtr->alloc_compat(skb, nlh);

		xfrm_put_translator(xtr);
		if (err) {
			nlmsg_cancel(skb, nlh);
			return err;
		}
	}

	return 0;
}

/* Dump "done" callback for policy dumps: tears down the walk state that
 * is stored in place in cb->args.
 */
static int xfrm_dump_policy_done(struct netlink_callback *cb)
{
	struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *)cb->args;
	struct net *net = sock_net(cb->skb->sk);

	xfrm_policy_walk_done(walk, net);
	return 0;
}

/* Dump "start" callback for policy dumps: initialises the walk state in
 * cb->args for all policy types. A build-time check ensures the walk
 * structure fits in cb->args.
 */
static int xfrm_dump_policy_start(struct netlink_callback *cb)
{
	struct xfrm_policy_walk *walk = (struct xfrm_policy_walk
*)cb->args;

	BUILD_BUG_ON(sizeof(*walk) > sizeof(cb->args));

	xfrm_policy_walk_init(walk, XFRM_POLICY_TYPE_ANY);
	return 0;
}

/* Netlink dump callback for policies: continues the walk kept in
 * cb->args, emitting one message per policy via dump_one_policy().
 * Returns skb->len; the result of xfrm_policy_walk() is deliberately
 * discarded.
 */
static int xfrm_dump_policy(struct sk_buff *skb, struct netlink_callback *cb)
{
	struct net *net = sock_net(skb->sk);
	struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *)cb->args;
	struct xfrm_dump_info info;

	info.in_skb = cb->skb;
	info.out_skb = skb;
	info.nlmsg_seq = cb->nlh->nlmsg_seq;
	info.nlmsg_flags = NLM_F_MULTI;

	(void) xfrm_policy_walk(net, walk, dump_one_policy, &info);

	return skb->len;
}

/* Build a standalone reply skb holding one XFRM_MSG_NEWPOLICY message
 * for @xp. The skb is allocated with GFP_KERNEL at NLMSG_DEFAULT_SIZE
 * and freed again if dump_one_policy() fails.
 *
 * Returns the skb, or an ERR_PTR() carrying -ENOMEM or the build error;
 * callers must test the result with IS_ERR().
 */
static struct sk_buff *xfrm_policy_netlink(struct sk_buff *in_skb,
					   struct xfrm_policy *xp,
					   int dir, u32 seq)
{
	struct xfrm_dump_info info;
	struct sk_buff *skb;
	int err;

	skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
	if (!skb)
		return ERR_PTR(-ENOMEM);

	info.in_skb = in_skb;
	info.out_skb = skb;
	info.nlmsg_seq = seq;
	info.nlmsg_flags = 0;

	err = dump_one_policy(xp, dir, 0, &info);
	if (err) {
		kfree_skb(skb);
		return ERR_PTR(err);
	}

	return skb;
}

/* Multicast the current default policies (in/fwd/out) of @net to the
 * XFRMNLGRP_POLICY group as an XFRM_MSG_GETDEFAULT message.
 *
 * Returns -ENOMEM or -EMSGSIZE if the message cannot be built (the skb
 * is freed here in the latter case), otherwise the result of
 * xfrm_nlmsg_multicast(), which takes over the skb.
 */
static int xfrm_notify_userpolicy(struct net *net)
{
	struct xfrm_userpolicy_default *up;
	int len = NLMSG_ALIGN(sizeof(*up));
	struct nlmsghdr *nlh;
	struct sk_buff *skb;
	int err;

	skb = nlmsg_new(len, GFP_ATOMIC);
	if (skb == NULL)
		return -ENOMEM;

	nlh = nlmsg_put(skb, 0, 0, XFRM_MSG_GETDEFAULT, sizeof(*up), 0);
	if (nlh == NULL) {
		kfree_skb(skb);
		return -EMSGSIZE;
	}

	up = nlmsg_data(nlh);
	up->in = net->xfrm.policy_default[XFRM_POLICY_IN];
	up->fwd = net->xfrm.policy_default[XFRM_POLICY_FWD];
	up->out = net->xfrm.policy_default[XFRM_POLICY_OUT];

	nlmsg_end(skb, nlh);

	/* xfrm_nlmsg_multicast() must run under the RCU read lock */
	rcu_read_lock();
	err = xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_POLICY);
rcu_read_unlock();

	return err;
}

/* True if @policy is one of the two accepted default-policy values,
 * XFRM_USERPOLICY_BLOCK or XFRM_USERPOLICY_ACCEPT.
 */
static bool xfrm_userpolicy_is_valid(__u8 policy)
{
	return policy == XFRM_USERPOLICY_BLOCK ||
	       policy == XFRM_USERPOLICY_ACCEPT;
}

/* Handler that sets the per-direction default policy of the caller's
 * netns.
 *
 * Each of in/fwd/out is applied only if its value is valid; any other
 * value leaves that direction unchanged and is not reported as an
 * error. The route generation is bumped and listeners are notified on
 * every call. Always returns 0; the result of the notification is not
 * checked.
 */
static int xfrm_set_default(struct sk_buff *skb, struct nlmsghdr *nlh,
			    struct nlattr **attrs, struct netlink_ext_ack *extack)
{
	struct net *net = sock_net(skb->sk);
	struct xfrm_userpolicy_default *up = nlmsg_data(nlh);

	if (xfrm_userpolicy_is_valid(up->in))
		net->xfrm.policy_default[XFRM_POLICY_IN] = up->in;

	if (xfrm_userpolicy_is_valid(up->fwd))
		net->xfrm.policy_default[XFRM_POLICY_FWD] = up->fwd;

	if (xfrm_userpolicy_is_valid(up->out))
		net->xfrm.policy_default[XFRM_POLICY_OUT] = up->out;

	rt_genid_bump_all(net);

	xfrm_notify_userpolicy(net);
	return 0;
}

/* Handler that unicasts the per-direction default policy of the
 * caller's netns back to the requester as XFRM_MSG_GETDEFAULT.
 *
 * Returns -ENOMEM or -EMSGSIZE if the reply cannot be built, otherwise
 * the result of nlmsg_unicast().
 */
static int xfrm_get_default(struct sk_buff *skb, struct nlmsghdr *nlh,
			    struct nlattr **attrs, struct netlink_ext_ack *extack)
{
	struct sk_buff *r_skb;
	struct nlmsghdr *r_nlh;
	struct net *net = sock_net(skb->sk);
	struct xfrm_userpolicy_default *r_up;
	int len = NLMSG_ALIGN(sizeof(struct xfrm_userpolicy_default));
	u32 portid = NETLINK_CB(skb).portid;
	u32 seq = nlh->nlmsg_seq;

	r_skb = nlmsg_new(len, GFP_ATOMIC);
	if (!r_skb)
		return -ENOMEM;

	r_nlh = nlmsg_put(r_skb, portid, seq, XFRM_MSG_GETDEFAULT, sizeof(*r_up), 0);
	if (!r_nlh) {
		kfree_skb(r_skb);
		return -EMSGSIZE;
	}

	r_up = nlmsg_data(r_nlh);
	r_up->in = net->xfrm.policy_default[XFRM_POLICY_IN];
	r_up->fwd = net->xfrm.policy_default[XFRM_POLICY_FWD];
	r_up->out = net->xfrm.policy_default[XFRM_POLICY_OUT];
	nlmsg_end(r_skb, r_nlh);

	return nlmsg_unicast(xfrm_net_nlsk(net, skb), r_skb, portid);
}

/* Handler shared by policy get and policy delete (the latter when the
 * message type is XFRM_MSG_DELPOLICY).
 *
 * The policy is found by index when one is given, otherwise by selector
 * plus optional security context, whose length is verified before use.
 * A get unicasts the policy to the requester; a delete is audited with
 * its outcome and, on success, announced to the key managers.
 *
 * Returns 0 on success, -ENOENT if no policy matched, or the error of
 * the failing step.
 */
static int xfrm_get_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
			   struct nlattr **attrs,
			   struct
netlink_ext_ack *extack) 2587 { 2588 struct net *net = sock_net(skb->sk); 2589 struct xfrm_policy *xp; 2590 struct xfrm_userpolicy_id *p; 2591 u8 type = XFRM_POLICY_TYPE_MAIN; 2592 int err; 2593 struct km_event c; 2594 int delete; 2595 struct xfrm_mark m; 2596 u32 if_id = 0; 2597 2598 p = nlmsg_data(nlh); 2599 delete = nlh->nlmsg_type == XFRM_MSG_DELPOLICY; 2600 2601 err = copy_from_user_policy_type(&type, attrs, extack); 2602 if (err) 2603 return err; 2604 2605 err = verify_policy_dir(p->dir, extack); 2606 if (err) 2607 return err; 2608 2609 if (attrs[XFRMA_IF_ID]) 2610 if_id = nla_get_u32(attrs[XFRMA_IF_ID]); 2611 2612 xfrm_mark_get(attrs, &m); 2613 2614 if (p->index) 2615 xp = xfrm_policy_byid(net, &m, if_id, type, p->dir, 2616 p->index, delete, &err); 2617 else { 2618 struct nlattr *rt = attrs[XFRMA_SEC_CTX]; 2619 struct xfrm_sec_ctx *ctx; 2620 2621 err = verify_sec_ctx_len(attrs, extack); 2622 if (err) 2623 return err; 2624 2625 ctx = NULL; 2626 if (rt) { 2627 struct xfrm_user_sec_ctx *uctx = nla_data(rt); 2628 2629 err = security_xfrm_policy_alloc(&ctx, uctx, GFP_KERNEL); 2630 if (err) 2631 return err; 2632 } 2633 xp = xfrm_policy_bysel_ctx(net, &m, if_id, type, p->dir, 2634 &p->sel, ctx, delete, &err); 2635 security_xfrm_policy_free(ctx); 2636 } 2637 if (xp == NULL) 2638 return -ENOENT; 2639 2640 if (!delete) { 2641 struct sk_buff *resp_skb; 2642 2643 resp_skb = xfrm_policy_netlink(skb, xp, p->dir, nlh->nlmsg_seq); 2644 if (IS_ERR(resp_skb)) { 2645 err = PTR_ERR(resp_skb); 2646 } else { 2647 err = nlmsg_unicast(xfrm_net_nlsk(net, skb), resp_skb, 2648 NETLINK_CB(skb).portid); 2649 } 2650 } else { 2651 xfrm_audit_policy_delete(xp, err ? 
0 : 1, true); 2652 2653 if (err != 0) 2654 goto out; 2655 2656 c.data.byid = p->index; 2657 c.event = nlh->nlmsg_type; 2658 c.seq = nlh->nlmsg_seq; 2659 c.portid = nlh->nlmsg_pid; 2660 km_policy_notify(xp, p->dir, &c); 2661 } 2662 2663 out: 2664 xfrm_pol_put(xp); 2665 return err; 2666 } 2667 2668 static int xfrm_flush_sa(struct sk_buff *skb, struct nlmsghdr *nlh, 2669 struct nlattr **attrs, 2670 struct netlink_ext_ack *extack) 2671 { 2672 struct net *net = sock_net(skb->sk); 2673 struct km_event c; 2674 struct xfrm_usersa_flush *p = nlmsg_data(nlh); 2675 int err; 2676 2677 err = xfrm_state_flush(net, p->proto, true); 2678 if (err) { 2679 if (err == -ESRCH) /* empty table */ 2680 return 0; 2681 return err; 2682 } 2683 c.data.proto = p->proto; 2684 c.event = nlh->nlmsg_type; 2685 c.seq = nlh->nlmsg_seq; 2686 c.portid = nlh->nlmsg_pid; 2687 c.net = net; 2688 km_state_notify(NULL, &c); 2689 2690 return 0; 2691 } 2692 2693 static inline unsigned int xfrm_aevent_msgsize(struct xfrm_state *x) 2694 { 2695 unsigned int replay_size = x->replay_esn ? 
2696 xfrm_replay_state_esn_len(x->replay_esn) : 2697 sizeof(struct xfrm_replay_state); 2698 2699 return NLMSG_ALIGN(sizeof(struct xfrm_aevent_id)) 2700 + nla_total_size(replay_size) 2701 + nla_total_size_64bit(sizeof(struct xfrm_lifetime_cur)) 2702 + nla_total_size(sizeof(struct xfrm_mark)) 2703 + nla_total_size(4) /* XFRM_AE_RTHR */ 2704 + nla_total_size(4) /* XFRM_AE_ETHR */ 2705 + nla_total_size(sizeof(x->dir)) /* XFRMA_SA_DIR */ 2706 + nla_total_size(4) /* XFRMA_SA_PCPU */ 2707 + nla_total_size(sizeof(x->if_id)); /* XFRMA_IF_ID */ 2708 } 2709 2710 static int build_aevent(struct sk_buff *skb, struct xfrm_state *x, const struct km_event *c) 2711 { 2712 struct xfrm_aevent_id *id; 2713 struct nlmsghdr *nlh; 2714 int err; 2715 2716 nlh = nlmsg_put(skb, c->portid, c->seq, XFRM_MSG_NEWAE, sizeof(*id), 0); 2717 if (nlh == NULL) 2718 return -EMSGSIZE; 2719 2720 id = nlmsg_data(nlh); 2721 memset(&id->sa_id, 0, sizeof(id->sa_id)); 2722 memcpy(&id->sa_id.daddr, &x->id.daddr, sizeof(x->id.daddr)); 2723 id->sa_id.spi = x->id.spi; 2724 id->sa_id.family = x->props.family; 2725 id->sa_id.proto = x->id.proto; 2726 memcpy(&id->saddr, &x->props.saddr, sizeof(x->props.saddr)); 2727 id->reqid = x->props.reqid; 2728 id->flags = c->data.aevent; 2729 2730 if (x->replay_esn) { 2731 err = nla_put(skb, XFRMA_REPLAY_ESN_VAL, 2732 xfrm_replay_state_esn_len(x->replay_esn), 2733 x->replay_esn); 2734 } else { 2735 err = nla_put(skb, XFRMA_REPLAY_VAL, sizeof(x->replay), 2736 &x->replay); 2737 } 2738 if (err) 2739 goto out_cancel; 2740 err = nla_put_64bit(skb, XFRMA_LTIME_VAL, sizeof(x->curlft), &x->curlft, 2741 XFRMA_PAD); 2742 if (err) 2743 goto out_cancel; 2744 2745 if (id->flags & XFRM_AE_RTHR) { 2746 err = nla_put_u32(skb, XFRMA_REPLAY_THRESH, x->replay_maxdiff); 2747 if (err) 2748 goto out_cancel; 2749 } 2750 if (id->flags & XFRM_AE_ETHR) { 2751 err = nla_put_u32(skb, XFRMA_ETIMER_THRESH, 2752 x->replay_maxage * 10 / HZ); 2753 if (err) 2754 goto out_cancel; 2755 } 2756 err = 
xfrm_mark_put(skb, &x->mark); 2757 if (err) 2758 goto out_cancel; 2759 2760 err = xfrm_if_id_put(skb, x->if_id); 2761 if (err) 2762 goto out_cancel; 2763 if (x->pcpu_num != UINT_MAX) { 2764 err = nla_put_u32(skb, XFRMA_SA_PCPU, x->pcpu_num); 2765 if (err) 2766 goto out_cancel; 2767 } 2768 2769 if (x->dir) { 2770 err = nla_put_u8(skb, XFRMA_SA_DIR, x->dir); 2771 if (err) 2772 goto out_cancel; 2773 } 2774 2775 nlmsg_end(skb, nlh); 2776 return 0; 2777 2778 out_cancel: 2779 nlmsg_cancel(skb, nlh); 2780 return err; 2781 } 2782 2783 static int xfrm_get_ae(struct sk_buff *skb, struct nlmsghdr *nlh, 2784 struct nlattr **attrs, struct netlink_ext_ack *extack) 2785 { 2786 struct net *net = sock_net(skb->sk); 2787 struct xfrm_state *x; 2788 struct sk_buff *r_skb; 2789 int err; 2790 struct km_event c; 2791 u32 mark; 2792 struct xfrm_mark m; 2793 struct xfrm_aevent_id *p = nlmsg_data(nlh); 2794 struct xfrm_usersa_id *id = &p->sa_id; 2795 2796 mark = xfrm_mark_get(attrs, &m); 2797 2798 x = xfrm_state_lookup(net, mark, &id->daddr, id->spi, id->proto, id->family); 2799 if (x == NULL) 2800 return -ESRCH; 2801 2802 r_skb = nlmsg_new(xfrm_aevent_msgsize(x), GFP_ATOMIC); 2803 if (r_skb == NULL) { 2804 xfrm_state_put(x); 2805 return -ENOMEM; 2806 } 2807 2808 /* 2809 * XXX: is this lock really needed - none of the other 2810 * gets lock (the concern is things getting updated 2811 * while we are still reading) - jhs 2812 */ 2813 spin_lock_bh(&x->lock); 2814 c.data.aevent = p->flags; 2815 c.seq = nlh->nlmsg_seq; 2816 c.portid = nlh->nlmsg_pid; 2817 2818 err = build_aevent(r_skb, x, &c); 2819 if (err < 0) { 2820 spin_unlock_bh(&x->lock); 2821 xfrm_state_put(x); 2822 kfree_skb(r_skb); 2823 return err; 2824 } 2825 2826 err = nlmsg_unicast(xfrm_net_nlsk(net, skb), r_skb, NETLINK_CB(skb).portid); 2827 spin_unlock_bh(&x->lock); 2828 xfrm_state_put(x); 2829 return err; 2830 } 2831 2832 static int xfrm_new_ae(struct sk_buff *skb, struct nlmsghdr *nlh, 2833 struct nlattr **attrs, struct 
netlink_ext_ack *extack) 2834 { 2835 struct net *net = sock_net(skb->sk); 2836 struct xfrm_state *x; 2837 struct km_event c; 2838 int err = -EINVAL; 2839 u32 mark = 0; 2840 struct xfrm_mark m; 2841 struct xfrm_aevent_id *p = nlmsg_data(nlh); 2842 struct nlattr *rp = attrs[XFRMA_REPLAY_VAL]; 2843 struct nlattr *re = attrs[XFRMA_REPLAY_ESN_VAL]; 2844 struct nlattr *lt = attrs[XFRMA_LTIME_VAL]; 2845 struct nlattr *et = attrs[XFRMA_ETIMER_THRESH]; 2846 struct nlattr *rt = attrs[XFRMA_REPLAY_THRESH]; 2847 2848 if (!lt && !rp && !re && !et && !rt) { 2849 NL_SET_ERR_MSG(extack, "Missing required attribute for AE"); 2850 return err; 2851 } 2852 2853 /* pedantic mode - thou shalt sayeth replaceth */ 2854 if (!(nlh->nlmsg_flags & NLM_F_REPLACE)) { 2855 NL_SET_ERR_MSG(extack, "NLM_F_REPLACE flag is required"); 2856 return err; 2857 } 2858 2859 mark = xfrm_mark_get(attrs, &m); 2860 2861 x = xfrm_state_lookup(net, mark, &p->sa_id.daddr, p->sa_id.spi, p->sa_id.proto, p->sa_id.family); 2862 if (x == NULL) 2863 return -ESRCH; 2864 2865 if (x->km.state != XFRM_STATE_VALID) { 2866 NL_SET_ERR_MSG(extack, "SA must be in VALID state"); 2867 goto out; 2868 } 2869 2870 err = xfrm_replay_verify_len(x->replay_esn, re, extack); 2871 if (err) 2872 goto out; 2873 2874 spin_lock_bh(&x->lock); 2875 xfrm_update_ae_params(x, attrs, 1); 2876 spin_unlock_bh(&x->lock); 2877 2878 c.event = nlh->nlmsg_type; 2879 c.seq = nlh->nlmsg_seq; 2880 c.portid = nlh->nlmsg_pid; 2881 c.data.aevent = XFRM_AE_CU; 2882 km_state_notify(x, &c); 2883 err = 0; 2884 out: 2885 xfrm_state_put(x); 2886 return err; 2887 } 2888 2889 static int xfrm_flush_policy(struct sk_buff *skb, struct nlmsghdr *nlh, 2890 struct nlattr **attrs, 2891 struct netlink_ext_ack *extack) 2892 { 2893 struct net *net = sock_net(skb->sk); 2894 struct km_event c; 2895 u8 type = XFRM_POLICY_TYPE_MAIN; 2896 int err; 2897 2898 err = copy_from_user_policy_type(&type, attrs, extack); 2899 if (err) 2900 return err; 2901 2902 err = xfrm_policy_flush(net, 
type, true); 2903 if (err) { 2904 if (err == -ESRCH) /* empty table */ 2905 return 0; 2906 return err; 2907 } 2908 2909 c.data.type = type; 2910 c.event = nlh->nlmsg_type; 2911 c.seq = nlh->nlmsg_seq; 2912 c.portid = nlh->nlmsg_pid; 2913 c.net = net; 2914 km_policy_notify(NULL, 0, &c); 2915 return 0; 2916 } 2917 2918 static int xfrm_add_pol_expire(struct sk_buff *skb, struct nlmsghdr *nlh, 2919 struct nlattr **attrs, 2920 struct netlink_ext_ack *extack) 2921 { 2922 struct net *net = sock_net(skb->sk); 2923 struct xfrm_policy *xp; 2924 struct xfrm_user_polexpire *up = nlmsg_data(nlh); 2925 struct xfrm_userpolicy_info *p = &up->pol; 2926 u8 type = XFRM_POLICY_TYPE_MAIN; 2927 int err = -ENOENT; 2928 struct xfrm_mark m; 2929 u32 if_id = 0; 2930 2931 err = copy_from_user_policy_type(&type, attrs, extack); 2932 if (err) 2933 return err; 2934 2935 err = verify_policy_dir(p->dir, extack); 2936 if (err) 2937 return err; 2938 2939 if (attrs[XFRMA_IF_ID]) 2940 if_id = nla_get_u32(attrs[XFRMA_IF_ID]); 2941 2942 xfrm_mark_get(attrs, &m); 2943 2944 if (p->index) 2945 xp = xfrm_policy_byid(net, &m, if_id, type, p->dir, p->index, 2946 0, &err); 2947 else { 2948 struct nlattr *rt = attrs[XFRMA_SEC_CTX]; 2949 struct xfrm_sec_ctx *ctx; 2950 2951 err = verify_sec_ctx_len(attrs, extack); 2952 if (err) 2953 return err; 2954 2955 ctx = NULL; 2956 if (rt) { 2957 struct xfrm_user_sec_ctx *uctx = nla_data(rt); 2958 2959 err = security_xfrm_policy_alloc(&ctx, uctx, GFP_KERNEL); 2960 if (err) 2961 return err; 2962 } 2963 xp = xfrm_policy_bysel_ctx(net, &m, if_id, type, p->dir, 2964 &p->sel, ctx, 0, &err); 2965 security_xfrm_policy_free(ctx); 2966 } 2967 if (xp == NULL) 2968 return -ENOENT; 2969 2970 if (unlikely(xp->walk.dead)) 2971 goto out; 2972 2973 err = 0; 2974 if (up->hard) { 2975 xfrm_policy_delete(xp, p->dir); 2976 xfrm_audit_policy_delete(xp, 1, true); 2977 } 2978 km_policy_expired(xp, p->dir, up->hard, nlh->nlmsg_pid); 2979 2980 out: 2981 xfrm_pol_put(xp); 2982 return err; 2983 } 
/*
 * XFRM_MSG_EXPIRE handler: userspace reports an SA as expired.
 *
 * The SA must exist (-ENOENT otherwise) and be in XFRM_STATE_VALID
 * (-EINVAL otherwise); the state check and everything after it run under
 * x->lock.  A hard expire deletes the SA and writes an audit record.
 */
static int xfrm_add_sa_expire(struct sk_buff *skb, struct nlmsghdr *nlh,
			      struct nlattr **attrs,
			      struct netlink_ext_ack *extack)
{
	struct net *net = sock_net(skb->sk);
	struct xfrm_state *x;
	int err;
	struct xfrm_user_expire *ue = nlmsg_data(nlh);
	struct xfrm_usersa_info *p = &ue->state;
	struct xfrm_mark m;
	u32 mark = xfrm_mark_get(attrs, &m);

	x = xfrm_state_lookup(net, mark, &p->id.daddr, p->id.spi, p->id.proto, p->family);

	err = -ENOENT;
	if (x == NULL)
		return err;

	spin_lock_bh(&x->lock);
	err = -EINVAL;
	if (x->km.state != XFRM_STATE_VALID) {
		NL_SET_ERR_MSG(extack, "SA must be in VALID state");
		goto out;
	}

	km_state_expired(x, ue->hard, nlh->nlmsg_pid);

	if (ue->hard) {
		__xfrm_state_delete(x);
		xfrm_audit_state_delete(x, 1, true);
	}
	err = 0;
out:
	spin_unlock_bh(&x->lock);
	xfrm_state_put(x);
	return err;
}

/*
 * XFRM_MSG_ACQUIRE handler: build a temporary state and policy from the
 * request and call km_query() once per policy template.
 *
 * Both temporary objects are released before returning.  Once the policy
 * has been constructed the handler returns 0 regardless of the km_query()
 * results; earlier validation or allocation failures return their error.
 */
static int xfrm_add_acquire(struct sk_buff *skb, struct nlmsghdr *nlh,
			    struct nlattr **attrs,
			    struct netlink_ext_ack *extack)
{
	struct net *net = sock_net(skb->sk);
	struct xfrm_policy *xp;
	struct xfrm_user_tmpl *ut;
	int i;
	struct nlattr *rt = attrs[XFRMA_TMPL];
	struct xfrm_mark mark;

	struct xfrm_user_acquire *ua = nlmsg_data(nlh);
	struct xfrm_state *x = xfrm_state_alloc(net);
	int err = -ENOMEM;

	if (!x)
		goto nomem;

	xfrm_mark_get(attrs, &mark);

	if (attrs[XFRMA_SA_PCPU]) {
		x->pcpu_num = nla_get_u32(attrs[XFRMA_SA_PCPU]);
		err = -EINVAL;
		/* Reject CPU numbers outside the possible-CPU range. */
		if (x->pcpu_num >= num_possible_cpus()) {
			NL_SET_ERR_MSG(extack, "pCPU number too big");
			goto free_state;
		}
	}

	err = verify_newpolicy_info(&ua->policy, extack);
	if (err)
		goto free_state;
	err = verify_sec_ctx_len(attrs, extack);
	if (err)
		goto free_state;

	/* build an XP */
	xp = xfrm_policy_construct(net, &ua->policy, attrs, &err, extack);
	if (!xp)
		goto free_state;

	memcpy(&x->id, &ua->id, sizeof(ua->id));
	memcpy(&x->props.saddr, &ua->saddr, sizeof(ua->saddr));
	memcpy(&x->sel, &ua->sel, sizeof(ua->sel));
	xp->mark.m = x->mark.m = mark.m;
	xp->mark.v = x->mark.v = mark.v;
	/*
	 * NOTE(review): rt is not checked for NULL here.  ut is only
	 * dereferenced inside the loop, so this relies on
	 * xfrm_policy_construct() leaving xp->xfrm_nr at 0 when XFRMA_TMPL
	 * is absent, and on xfrm_nr never exceeding the number of templates
	 * actually present in the attribute - confirm in that helper.
	 */
	ut = nla_data(rt);
	/* extract the templates and for each call km_key */
	for (i = 0; i < xp->xfrm_nr; i++, ut++) {
		struct xfrm_tmpl *t = &xp->xfrm_vec[i];
		memcpy(&x->id, &t->id, sizeof(x->id));
		x->props.mode = t->mode;
		x->props.reqid = t->reqid;
		x->props.family = ut->family;
		t->aalgos = ua->aalgos;
		t->ealgos = ua->ealgos;
		t->calgos = ua->calgos;
		/* Result is stored but not returned to the caller. */
		err = km_query(x, t, xp);

	}

	xfrm_state_free(x);
	xfrm_dev_policy_delete(xp);
	xfrm_dev_policy_free(xp);
	security_xfrm_policy_free(xp->security);
	kfree(xp);

	return 0;

free_state:
	xfrm_state_free(x);
nomem:
	return err;
}

#ifdef CONFIG_XFRM_MIGRATE
/*
 * Translate an XFRM_MSG_MIGRATE_STATE request header into the internal
 * xfrm_migrate description.  ma->new_sel points into @um rather than
 * copying it, so @um must outlive @ma's use of that pointer.
 */
static void copy_from_user_migrate_state(struct xfrm_migrate *ma,
					 const struct xfrm_user_migrate_state *um)
{
	memcpy(&ma->old_daddr, &um->id.daddr, sizeof(ma->old_daddr));
	memcpy(&ma->new_daddr, &um->new_daddr, sizeof(ma->new_daddr));
	memcpy(&ma->new_saddr, &um->new_saddr, sizeof(ma->new_saddr));

	ma->proto = um->id.proto;
	ma->new_reqid = um->new_reqid;

	ma->old_family = um->id.family;
	ma->new_family = um->new_family;

	ma->old_mark = um->old_mark;
	ma->flags = um->flags;
	ma->new_sel = &um->new_sel;
	ma->msg_type = XFRM_MSG_MIGRATE_STATE;
}

/*
 * Copy the XFRMA_MIGRATE entries (and, when @k is non-NULL, the
 * XFRMA_KMADDRESS attribute) from the request into @ma and @k.
 *
 * The entry count is derived from the attribute length and must be in
 * 1..XFRM_MAX_DEPTH, which bounds the writes into the caller's @ma array.
 * The caller must have checked that XFRMA_MIGRATE is present and pass a
 * non-NULL @k only when XFRMA_KMADDRESS is present; neither is re-checked
 * here.  On success *num holds the number of entries copied.
 */
static int copy_from_user_migrate(struct xfrm_migrate *ma,
				  struct xfrm_kmaddress *k,
				  struct nlattr **attrs, int *num,
				  struct netlink_ext_ack *extack)
{
	struct nlattr *rt = attrs[XFRMA_MIGRATE];
	struct xfrm_user_migrate *um;
	int i, num_migrate;

	if (k != NULL) {
		struct xfrm_user_kmaddress *uk;

		uk = nla_data(attrs[XFRMA_KMADDRESS]);
		memcpy(&k->local, &uk->local, sizeof(k->local));
		memcpy(&k->remote, &uk->remote, sizeof(k->remote));
		k->family = uk->family;
		k->reserved = uk->reserved;
	}

	um = nla_data(rt);
	/* Integer division: trailing bytes short of a full entry are ignored. */
	num_migrate = nla_len(rt) / sizeof(*um);

	if (num_migrate <= 0 || num_migrate > XFRM_MAX_DEPTH) {
		NL_SET_ERR_MSG(extack, "Invalid number of SAs to migrate, must be 0 < num <= XFRM_MAX_DEPTH (6)");
		return -EINVAL;
	}

	for (i = 0; i < num_migrate; i++, um++, ma++) {
		memcpy(&ma->old_daddr, &um->old_daddr, sizeof(ma->old_daddr));
		memcpy(&ma->old_saddr, &um->old_saddr, sizeof(ma->old_saddr));
		memcpy(&ma->new_daddr, &um->new_daddr, sizeof(ma->new_daddr));
		memcpy(&ma->new_saddr, &um->new_saddr, sizeof(ma->new_saddr));

		ma->proto = um->proto;
		ma->mode = um->mode;
		ma->old_reqid = um->reqid;

		ma->old_family = um->old_family;
		ma->new_family = um->new_family;
		ma->msg_type = XFRM_MSG_MIGRATE;
	}

	*num = i;
	return 0;
}

/*
 * XFRM_MSG_MIGRATE handler: parse the migrate request and hand it to
 * xfrm_migrate().
 *
 * XFRMA_ENCAP and XFRMA_OFFLOAD_DEV are duplicated with a fixed-size
 * kmemdup() of sizeof(struct); this relies on the minimum lengths that
 * xfrma_policy declares for those attributes.  Both copies are freed on
 * every path that allocated them.
 */
static int xfrm_do_migrate(struct sk_buff *skb, struct nlmsghdr *nlh,
			   struct nlattr **attrs, struct netlink_ext_ack *extack)
{
	struct xfrm_userpolicy_id *pi = nlmsg_data(nlh);
	struct xfrm_migrate m[XFRM_MAX_DEPTH] = {};
	struct xfrm_kmaddress km, *kmp;
	/* NOTE(review): no initialiser; presumably always set by
	 * copy_from_user_policy_type() on success - confirm. */
	u8 type;
	int err;
	int n = 0;
	struct net *net = sock_net(skb->sk);
	struct xfrm_encap_tmpl *encap = NULL;
	struct xfrm_user_offload *xuo = NULL;
	u32 if_id = 0;

	if (!attrs[XFRMA_MIGRATE]) {
		NL_SET_ERR_MSG(extack, "Missing required MIGRATE attribute");
		return -EINVAL;
	}

	kmp = attrs[XFRMA_KMADDRESS] ? &km : NULL;

	err = copy_from_user_policy_type(&type, attrs, extack);
	if (err)
		return err;

	err = copy_from_user_migrate(m, kmp, attrs, &n, extack);
	if (err)
		return err;

	if (!n)
		return 0;

	if (attrs[XFRMA_ENCAP]) {
		encap = kmemdup(nla_data(attrs[XFRMA_ENCAP]),
				sizeof(*encap), GFP_KERNEL);
		if (!encap)
			return -ENOMEM;
	}

	if (attrs[XFRMA_IF_ID])
		if_id = nla_get_u32(attrs[XFRMA_IF_ID]);

	if (attrs[XFRMA_OFFLOAD_DEV]) {
		xuo = kmemdup(nla_data(attrs[XFRMA_OFFLOAD_DEV]),
			      sizeof(*xuo), GFP_KERNEL);
		if (!xuo) {
			err = -ENOMEM;
			goto error;
		}
	}
	err = xfrm_migrate(&pi->sel, pi->dir, type, m, n, kmp, net, encap,
			   if_id, extack, xuo);
error:
	kfree(encap);
	kfree(xuo);
	return err;
}

/*
 * Fill @skb with an XFRM_MSG_MIGRATE_STATE notification.  The header is a
 * copy of the request @um with new_sel replaced by the selector in @m;
 * optional attributes are added only when the corresponding field of @m
 * (or @dir) is set.  On failure the partial message is cancelled.
 */
static int build_migrate_state(struct sk_buff *skb,
			       const struct xfrm_user_migrate_state *um,
			       const struct xfrm_migrate *m,
			       u8 dir, u32 portid, u32 seq)
{
	int err;
	struct nlmsghdr *nlh;
	struct xfrm_user_migrate_state *hdr;

	nlh = nlmsg_put(skb, portid, seq, XFRM_MSG_MIGRATE_STATE,
			sizeof(struct xfrm_user_migrate_state), 0);
	if (!nlh)
		return -EMSGSIZE;

	hdr = nlmsg_data(nlh);
	*hdr = *um;
	hdr->new_sel = *m->new_sel;

	if (m->encap) {
		err = nla_put(skb, XFRMA_ENCAP, sizeof(*m->encap), m->encap);
		if (err)
			goto out_cancel;
	}

	if (m->xuo) {
		err = nla_put(skb, XFRMA_OFFLOAD_DEV, sizeof(*m->xuo), m->xuo);
		if (err)
			goto out_cancel;
	}

	if (m->new_mark) {
		err = nla_put(skb, XFRMA_MARK, sizeof(*m->new_mark),
			      m->new_mark);
		if (err)
			goto out_cancel;
	}

	err = xfrm_smark_put(skb, &m->smark);
	if (err)
		goto out_cancel;

	if (m->mapping_maxage) {
		err = nla_put_u32(skb, XFRMA_MTIMER_THRESH, m->mapping_maxage);
		if (err)
			goto out_cancel;
	}

	if (m->nat_keepalive_interval) {
		err = nla_put_u32(skb, XFRMA_NAT_KEEPALIVE_INTERVAL,
				  m->nat_keepalive_interval);
		if (err)
			goto out_cancel;
	}

	if (dir) {
		err = nla_put_u8(skb, XFRMA_SA_DIR, dir);
		if (err)
			goto out_cancel;
	}

	nlmsg_end(skb, nlh);
	return 0;

out_cancel:
	nlmsg_cancel(skb, nlh);
	return err;
}

/*
 * Size of the message build_migrate_state() produces for @m and @dir;
 * each term mirrors one conditional attribute in that function.
 */
static unsigned int xfrm_migrate_state_msgsize(const struct xfrm_migrate *m,
					       u8 dir)
{
	return NLMSG_ALIGN(sizeof(struct xfrm_user_migrate_state)) +
	       (m->encap ? nla_total_size(sizeof(struct xfrm_encap_tmpl)) : 0) +
	       (m->xuo ? nla_total_size(sizeof(struct xfrm_user_offload)) : 0) +
	       (m->new_mark ? nla_total_size(sizeof(struct xfrm_mark)) : 0) +
	       ((m->smark.v | m->smark.m) ? nla_total_size(sizeof(u32)) * 2 : 0) +
	       (m->mapping_maxage ? nla_total_size(sizeof(u32)) : 0) +
	       (m->nat_keepalive_interval ? nla_total_size(sizeof(u32)) : 0) +
	       (dir ? nla_total_size(sizeof(u8)) : 0); /* XFRMA_SA_DIR */
}

/*
 * Allocate, build and multicast an XFRM_MSG_MIGRATE_STATE notification to
 * XFRMNLGRP_MIGRATE.  The skb is freed here if building fails.
 */
static int xfrm_send_migrate_state(struct net *net,
				   const struct xfrm_user_migrate_state *um,
				   const struct xfrm_migrate *m,
				   u8 dir, u32 portid, u32 seq)
{
	int err;
	struct sk_buff *skb;

	skb = nlmsg_new(xfrm_migrate_state_msgsize(m, dir), GFP_ATOMIC);
	if (!skb)
		return -ENOMEM;

	err = build_migrate_state(skb, um, m, dir, portid, seq);
	if (err < 0) {
		kfree_skb(skb);
		return err;
	}

	return xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_MIGRATE);
}

/*
 * XFRM_MSG_MIGRATE_STATE handler: move a single SA to new addresses.
 *
 * Order of operations:
 *   1. Validate the header: non-zero SPI, zero reserved field, only known
 *      flags, valid new family, and (unless UPDATE_H2H_SEL is set) the
 *      new selector's prefix lengths.
 *   2. Look up the existing SA; with UPDATE_H2H_SEL its selector must be
 *      a single-host match for its own addresses.
 *   3. Resolve optional attributes, inheriting from the old SA when an
 *      attribute is omitted.  XFRMA_ENCAP with encap_type 0 means
 *      "remove encapsulation".
 *   4. If the destination tuple changes, refuse when an SA already
 *      occupies the new tuple (-EEXIST).
 *   5. Create the clone, then under x->lock re-check that the old SA is
 *      still VALID, sync the clone from it and delete the old SA.
 *   6. Install the clone and send a notification.  A failed notification
 *      is reported through extack only; the handler still returns 0.
 */
static int xfrm_do_migrate_state(struct sk_buff *skb, struct nlmsghdr *nlh,
				 struct nlattr **attrs, struct netlink_ext_ack *extack)
{
	struct xfrm_user_migrate_state *um = nlmsg_data(nlh);
	struct net *net = sock_net(skb->sk);
	struct xfrm_user_offload xuo = {};
	struct xfrm_migrate m = {};
	struct xfrm_state *xc;
	struct xfrm_state *x;
	int err;

	if (!um->id.spi) {
		NL_SET_ERR_MSG(extack, "Invalid SPI 0x0");
		return -EINVAL;
	}

	if (um->reserved) {
		NL_SET_ERR_MSG(extack, "Reserved field must be zero");
		return -EINVAL;
	}

	if (um->flags & ~XFRM_MIGRATE_STATE_KNOWN_FLAGS) {
		NL_SET_ERR_MSG_FMT(extack, "Unknown flags: 0x%x",
				   um->flags & ~XFRM_MIGRATE_STATE_KNOWN_FLAGS);
		return -EINVAL;
	}

	err = verify_xfrm_family(um->new_family, extack);
	if (err)
		return err;

	if (!(um->flags & XFRM_MIGRATE_STATE_UPDATE_H2H_SEL)) {
		err = verify_selector_prefixlen(um->new_sel.family,
						&um->new_sel, extack);
		if (err)
			return err;
	}

	copy_from_user_migrate_state(&m, um);

	x = xfrm_state_lookup(net, m.old_mark.v & m.old_mark.m,
			      &um->id.daddr, um->id.spi,
			      um->id.proto, um->id.family);
	if (!x) {
		NL_SET_ERR_MSG(extack, "Can not find state");
		return -ESRCH;
	}

	if (um->flags & XFRM_MIGRATE_STATE_UPDATE_H2H_SEL) {
		u8 prefixlen = (x->props.family == AF_INET6) ? 128 : 32;

		if (x->sel.prefixlen_s != x->sel.prefixlen_d ||
		    x->sel.prefixlen_d != prefixlen ||
		    !xfrm_addr_equal(&x->sel.daddr, &x->id.daddr, x->props.family) ||
		    !xfrm_addr_equal(&x->sel.saddr, &x->props.saddr, x->props.family)) {
			NL_SET_ERR_MSG(extack,
				       "SA selector is not a single-host match for SA addresses");
			err = -EINVAL;
			goto out;
		}
	}

	if (attrs[XFRMA_ENCAP]) {
		m.encap = nla_data(attrs[XFRMA_ENCAP]);
		if (m.encap->encap_type == 0) {
			m.encap = NULL; /* sentinel: remove encap */
		} else if (m.encap->encap_type != UDP_ENCAP_ESPINUDP) {
			NL_SET_ERR_MSG(extack, "Unsupported encapsulation type");
			err = -EINVAL;
			goto out;
		}
	} else {
		m.encap = x->encap; /* omit-to-inherit */
	}

	if (attrs[XFRMA_MTIMER_THRESH]) {
		err = verify_mtimer_thresh(!!m.encap, x->dir, extack);
		if (err)
			goto out;
	}

	if (nla_get_u32_default(attrs[XFRMA_NAT_KEEPALIVE_INTERVAL], 0) && !m.encap) {
		NL_SET_ERR_MSG(extack,
			       "NAT_KEEPALIVE_INTERVAL requires encapsulation");
		err = -EINVAL;
		goto out;
	}

	if (attrs[XFRMA_OFFLOAD_DEV]) {
		m.xuo = nla_data(attrs[XFRMA_OFFLOAD_DEV]);
	} else {
		bool inherit_offload = !(um->flags & XFRM_MIGRATE_STATE_CLEAR_OFFLOAD);

		if (inherit_offload && x->xso.dev) {
			/* m.xuo points at the on-stack xuo from here on. */
			xso_to_xuo(&x->xso, &xuo);
			m.xuo = &xuo;
		}
	}

	if (attrs[XFRMA_MARK])
		m.new_mark = nla_data(attrs[XFRMA_MARK]);

	if (attrs[XFRMA_SET_MARK])
		xfrm_smark_init(attrs, &m.smark);
	else
		m.smark = x->props.smark;

	m.mapping_maxage = nla_get_u32_default(attrs[XFRMA_MTIMER_THRESH],
					       x->mapping_maxage);
	m.nat_keepalive_interval = nla_get_u32_default(attrs[XFRMA_NAT_KEEPALIVE_INTERVAL],
						       x->nat_keepalive_interval);

	/* Only probe for a collision when the lookup tuple really changes. */
	if (m.new_family != um->id.family ||
	    !xfrm_addr_equal(&m.new_daddr, &um->id.daddr, um->id.family)) {
		u32 new_mark_key = m.new_mark ? m.new_mark->v & m.new_mark->m :
						m.old_mark.v & m.old_mark.m;
		struct xfrm_state *x_new;

		x_new = xfrm_state_lookup(net, new_mark_key, &m.new_daddr,
					  um->id.spi, um->id.proto, m.new_family);
		if (x_new) {
			xfrm_state_put(x_new);
			NL_SET_ERR_MSG(extack, "New SA tuple already occupied");
			err = -EEXIST;
			goto out;
		}
	}

	xc = xfrm_state_migrate_create(x, &m, net, extack);
	if (!xc) {
		NL_SET_ERR_MSG_WEAK(extack, "State migration clone failed");
		err = -EINVAL;
		goto out;
	}

	spin_lock_bh(&x->lock);
	/* Re-check under the lock: x may have been deleted since the lookup. */
	if (x->km.state != XFRM_STATE_VALID) {
		spin_unlock_bh(&x->lock);
		NL_SET_ERR_MSG(extack, "State already deleted");
		err = -ESRCH;
		goto out_xc;
	}
	xfrm_migrate_sync(xc, x); /* to prevent SN/IV reuse */
	__xfrm_state_delete(x);
	spin_unlock_bh(&x->lock);

	err = xfrm_state_migrate_install(x, xc, &m, extack);
	if (err < 0) {
		/*
		 * Should not occur: pre-check above ensures the new tuple is
		 * free under xfrm_cfg_mutex. Both SAs are gone if it does;
		 * restoring x would risk SN/IV reuse.
		 *
		 * NOTE(review): only the reference on x is dropped on this
		 * path; presumably xfrm_state_migrate_install() disposes of
		 * xc on failure - confirm.
		 */
		goto out;
	}

	/* Restore encap cleared by sentinel (type=0) during migration. */
	if (attrs[XFRMA_ENCAP])
		m.encap = nla_data(attrs[XFRMA_ENCAP]);

	m.new_sel = &xc->sel;
	m.mapping_maxage = xc->mapping_maxage;
	m.nat_keepalive_interval = xc->nat_keepalive_interval;

	err = xfrm_send_migrate_state(net, um, &m, xc->dir,
				      nlh->nlmsg_pid, nlh->nlmsg_seq);
	if (err < 0) {
		/* The migration itself succeeded; do not fail the request. */
		NL_SET_ERR_MSG(extack, "Failed to send migration notification");
		err = 0;
	}

out:
	xfrm_state_put(x);
	return err;
out_xc:
	/* Clone was never installed: mark it dead and drop both references. */
	xc->km.state = XFRM_STATE_DEAD;
	xfrm_state_put(xc);
	xfrm_state_put(x);
	return err;
}

#else
/* Stub used when CONFIG_XFRM_MIGRATE is not set. */
static int xfrm_do_migrate_state(struct sk_buff *skb, struct nlmsghdr *nlh,
				 struct nlattr **attrs, struct netlink_ext_ack *extack)
{
	NL_SET_ERR_MSG(extack, "XFRM_MSG_MIGRATE_STATE is not supported");
	return -ENOPROTOOPT;
}

/* Stub used when CONFIG_XFRM_MIGRATE is not set. */
static int xfrm_do_migrate(struct sk_buff *skb, struct nlmsghdr *nlh,
			   struct nlattr **attrs, struct netlink_ext_ack *extack)
{
	return -ENOPROTOOPT;
}
#endif

#ifdef CONFIG_XFRM_MIGRATE
/*
 * Append one XFRMA_MIGRATE attribute describing @m.  The local struct is
 * zeroed before it is filled so that bytes not assigned below are sent as
 * zero rather than as leftover stack contents.
 */
static int copy_to_user_migrate(const struct xfrm_migrate *m, struct sk_buff *skb)
{
	struct xfrm_user_migrate um;

	memset(&um, 0, sizeof(um));
	um.proto = m->proto;
	um.mode = m->mode;
	um.reqid = m->old_reqid;
	um.old_family = m->old_family;
	memcpy(&um.old_daddr, &m->old_daddr, sizeof(um.old_daddr));
	memcpy(&um.old_saddr, &m->old_saddr, sizeof(um.old_saddr));
	um.new_family = m->new_family;
	memcpy(&um.new_daddr, &m->new_daddr, sizeof(um.new_daddr));
	memcpy(&um.new_saddr, &m->new_saddr, sizeof(um.new_saddr));

	return nla_put(skb, XFRMA_MIGRATE, sizeof(um), &um);
}

/*
 * Append an XFRMA_KMADDRESS attribute describing @k.  As in
 * copy_to_user_migrate(), the local struct is zeroed before use.
 */
static int copy_to_user_kmaddress(const struct xfrm_kmaddress *k, struct sk_buff *skb)
{
	struct xfrm_user_kmaddress uk;

	memset(&uk, 0, sizeof(uk));
	uk.family = k->family;
	uk.reserved = k->reserved;
	memcpy(&uk.local, &k->local, sizeof(uk.local));
	memcpy(&uk.remote, &k->remote, sizeof(uk.remote));

	return nla_put(skb, XFRMA_KMADDRESS, sizeof(uk), &uk);
}

/*
 * Size estimate for the XFRM_MSG_MIGRATE message built by build_migrate().
 *
 * NOTE(review): the migrate entries are sized as a single attribute of
 * num_migrate structs, while build_migrate() emits one XFRMA_MIGRATE
 * attribute (with its own header) per entry; the kmaddress term uses
 * sizeof(struct xfrm_kmaddress) while the attribute written is a struct
 * xfrm_user_kmaddress.  xfrm_send_migrate() calls BUG_ON() if building
 * fails, so confirm the estimate can never fall short of what is written.
 */
static inline unsigned int xfrm_migrate_msgsize(int num_migrate, int with_kma,
						int with_encp)
{
	return NLMSG_ALIGN(sizeof(struct xfrm_userpolicy_id))
	       + (with_kma ? nla_total_size(sizeof(struct xfrm_kmaddress)) : 0)
	       + (with_encp ? nla_total_size(sizeof(struct xfrm_encap_tmpl)) : 0)
	       + nla_total_size(sizeof(struct xfrm_user_migrate) * num_migrate)
	       + userpolicy_type_attrsize();
}

/*
 * Fill @skb with an XFRM_MSG_MIGRATE notification: a policy id header
 * built from @sel and @dir, optional kmaddress and encap attributes, the
 * policy type, and one XFRMA_MIGRATE attribute per entry of @m.  On
 * failure the partial message is cancelled.
 */
static int build_migrate(struct sk_buff *skb, const struct xfrm_migrate *m,
			 int num_migrate, const struct xfrm_kmaddress *k,
			 const struct xfrm_selector *sel,
			 const struct xfrm_encap_tmpl *encap, u8 dir, u8 type)
{
	const struct xfrm_migrate *mp;
	struct xfrm_userpolicy_id *pol_id;
	struct nlmsghdr *nlh;
	int i, err;

	nlh = nlmsg_put(skb, 0, 0, XFRM_MSG_MIGRATE, sizeof(*pol_id), 0);
	if (nlh == NULL)
		return -EMSGSIZE;

	pol_id = nlmsg_data(nlh);
	/* copy data from selector, dir, and type to the pol_id */
	memset(pol_id, 0, sizeof(*pol_id));
	memcpy(&pol_id->sel, sel, sizeof(pol_id->sel));
	pol_id->dir = dir;

	if (k != NULL) {
		err = copy_to_user_kmaddress(k, skb);
		if (err)
			goto out_cancel;
	}
	if (encap) {
		err = nla_put(skb, XFRMA_ENCAP, sizeof(*encap), encap);
		if (err)
			goto out_cancel;
	}
	err = copy_to_user_policy_type(type, skb);
	if (err)
		goto out_cancel;
	for (i = 0, mp = m ; i < num_migrate; i++, mp++) {
		err = copy_to_user_migrate(mp, skb);
		if (err)
			goto out_cancel;
	}

	nlmsg_end(skb, nlh);
	return 0;

out_cancel:
	nlmsg_cancel(skb, nlh);
	return err;
}

/*
 * Allocate, build and multicast an XFRM_MSG_MIGRATE notification to
 * XFRMNLGRP_MIGRATE.  A build failure is treated as a kernel bug
 * (BUG_ON), so correctness depends on xfrm_migrate_msgsize() never
 * under-estimating.
 */
static int xfrm_send_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
			     const struct xfrm_migrate *m, int num_migrate,
			     const struct xfrm_kmaddress *k, struct net *net,
			     const struct xfrm_encap_tmpl *encap)
{
	struct sk_buff *skb;
	int err;

	skb = nlmsg_new(xfrm_migrate_msgsize(num_migrate, !!k, !!encap),
			GFP_ATOMIC);
	if (skb == NULL)
		return -ENOMEM;

	/* build migrate */
	err = build_migrate(skb, m, num_migrate, k, sel, encap, dir, type);
	BUG_ON(err < 0);

	return xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_MIGRATE);
}
#else
/* Stub used when CONFIG_XFRM_MIGRATE is not set. */
static int xfrm_send_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
			     const struct xfrm_migrate *m, int num_migrate,
			     const struct xfrm_kmaddress *k, struct net *net,
			     const struct xfrm_encap_tmpl *encap)
{
	return -ENOPROTOOPT;
}
#endif

#define XMSGSIZE(type) sizeof(struct type)

/*
 * Size of the fixed header struct for each message type, indexed by
 * (type - XFRM_MSG_BASE).  Presumably used by the receive path as the
 * minimum payload length before a handler casts nlmsg_data() to that
 * struct - the check itself is not in view here.
 */
const int xfrm_msg_min[XFRM_NR_MSGTYPES] = {
	[XFRM_MSG_NEWSA       - XFRM_MSG_BASE] = XMSGSIZE(xfrm_usersa_info),
	[XFRM_MSG_DELSA       - XFRM_MSG_BASE] = XMSGSIZE(xfrm_usersa_id),
	[XFRM_MSG_GETSA       - XFRM_MSG_BASE] = XMSGSIZE(xfrm_usersa_id),
	[XFRM_MSG_NEWPOLICY   - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_info),
	[XFRM_MSG_DELPOLICY   - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_id),
	[XFRM_MSG_GETPOLICY   - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_id),
	[XFRM_MSG_ALLOCSPI    - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userspi_info),
	[XFRM_MSG_ACQUIRE     - XFRM_MSG_BASE] = XMSGSIZE(xfrm_user_acquire),
	[XFRM_MSG_EXPIRE      - XFRM_MSG_BASE] = XMSGSIZE(xfrm_user_expire),
	[XFRM_MSG_UPDPOLICY   - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_info),
	[XFRM_MSG_UPDSA       - XFRM_MSG_BASE] = XMSGSIZE(xfrm_usersa_info),
	[XFRM_MSG_POLEXPIRE   - XFRM_MSG_BASE] = XMSGSIZE(xfrm_user_polexpire),
	[XFRM_MSG_FLUSHSA     - XFRM_MSG_BASE] = XMSGSIZE(xfrm_usersa_flush),
	[XFRM_MSG_FLUSHPOLICY - XFRM_MSG_BASE] = 0,
	[XFRM_MSG_NEWAE       - XFRM_MSG_BASE] = XMSGSIZE(xfrm_aevent_id),
	[XFRM_MSG_GETAE       - XFRM_MSG_BASE] = XMSGSIZE(xfrm_aevent_id),
	[XFRM_MSG_REPORT      - XFRM_MSG_BASE] = XMSGSIZE(xfrm_user_report),
	[XFRM_MSG_MIGRATE     - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_id),
	[XFRM_MSG_GETSADINFO  - XFRM_MSG_BASE] = sizeof(u32),
	[XFRM_MSG_NEWSPDINFO  - XFRM_MSG_BASE] = sizeof(u32),
	[XFRM_MSG_GETSPDINFO  - XFRM_MSG_BASE] = sizeof(u32),
	[XFRM_MSG_MAPPING     - XFRM_MSG_BASE] = XMSGSIZE(xfrm_user_mapping),
	[XFRM_MSG_SETDEFAULT  - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_default),
	[XFRM_MSG_GETDEFAULT  - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_default),
	[XFRM_MSG_MIGRATE_STATE - XFRM_MSG_BASE] = XMSGSIZE(xfrm_user_migrate_state),
};
EXPORT_SYMBOL_GPL(xfrm_msg_min);

#undef XMSGSIZE

/*
 * Attribute validation policy for XFRMA_* attributes.
 *
 * Entries that set only .len leave the type at its zero default, for
 * which the netlink core treats .len as a minimum payload length, not an
 * exact one.  Handlers that read variable-length payloads (algorithm
 * keys, ESN bitmaps, security contexts, template or migrate arrays) must
 * therefore do their own length checks.  strict_start_type marks
 * XFRMA_SA_DIR and later attributes for strict validation.
 */
const struct nla_policy xfrma_policy[XFRMA_MAX+1] = {
	[XFRMA_UNSPEC]		= { .strict_start_type = XFRMA_SA_DIR },
	[XFRMA_SA]		= { .len = sizeof(struct xfrm_usersa_info)},
	[XFRMA_POLICY]		= { .len = sizeof(struct xfrm_userpolicy_info)},
	[XFRMA_LASTUSED]	= { .type = NLA_U64},
	[XFRMA_ALG_AUTH_TRUNC]	= { .len = sizeof(struct xfrm_algo_auth)},
	[XFRMA_ALG_AEAD]	= { .len = sizeof(struct xfrm_algo_aead) },
	[XFRMA_ALG_AUTH]	= { .len = sizeof(struct xfrm_algo) },
	[XFRMA_ALG_CRYPT]	= { .len = sizeof(struct xfrm_algo) },
	[XFRMA_ALG_COMP]	= { .len = sizeof(struct xfrm_algo) },
	[XFRMA_ENCAP]		= { .len = sizeof(struct xfrm_encap_tmpl) },
	[XFRMA_TMPL]		= { .len = sizeof(struct xfrm_user_tmpl) },
	[XFRMA_SEC_CTX]		= { .len = sizeof(struct xfrm_user_sec_ctx) },
	[XFRMA_LTIME_VAL]	= { .len = sizeof(struct xfrm_lifetime_cur) },
	[XFRMA_REPLAY_VAL]	= { .len = sizeof(struct xfrm_replay_state) },
	[XFRMA_REPLAY_THRESH]	= { .type = NLA_U32 },
	[XFRMA_ETIMER_THRESH]	= { .type = NLA_U32 },
	[XFRMA_SRCADDR]		= { .len = sizeof(xfrm_address_t) },
	[XFRMA_COADDR]		= { .len = sizeof(xfrm_address_t) },
	[XFRMA_POLICY_TYPE]	= { .len = sizeof(struct xfrm_userpolicy_type)},
	[XFRMA_MIGRATE]		= { .len = sizeof(struct xfrm_user_migrate) },
	[XFRMA_KMADDRESS]	= { .len = sizeof(struct xfrm_user_kmaddress) },
	[XFRMA_MARK]		= { .len = sizeof(struct xfrm_mark) },
	[XFRMA_TFCPAD]		= { .type = NLA_U32 },
	[XFRMA_REPLAY_ESN_VAL]	= { .len = sizeof(struct xfrm_replay_state_esn) },
	[XFRMA_SA_EXTRA_FLAGS]	= { .type = NLA_U32 },
	[XFRMA_PROTO]		= { .type = NLA_U8 },
	[XFRMA_ADDRESS_FILTER]	= { .len = sizeof(struct xfrm_address_filter) },
	[XFRMA_OFFLOAD_DEV]	= { .len = sizeof(struct xfrm_user_offload) },
	[XFRMA_SET_MARK]	= { .type = NLA_U32 },
	[XFRMA_SET_MARK_MASK]	= { .type = NLA_U32 },
	[XFRMA_IF_ID]		= { .type = NLA_U32 },
	[XFRMA_MTIMER_THRESH]	= { .type = NLA_U32 },
	[XFRMA_SA_DIR]		= NLA_POLICY_RANGE(NLA_U8, XFRM_SA_DIR_IN, XFRM_SA_DIR_OUT),
	[XFRMA_NAT_KEEPALIVE_INTERVAL] = { .type = NLA_U32 },
	[XFRMA_SA_PCPU]		= { .type = NLA_U32 },
	[XFRMA_IPTFS_DROP_TIME]	= { .type = NLA_U32 },
	[XFRMA_IPTFS_REORDER_WINDOW] = { .type = NLA_U16 },
	[XFRMA_IPTFS_DONT_FRAG]	= { .type = NLA_FLAG },
	[XFRMA_IPTFS_INIT_DELAY] = { .type = NLA_U32 },
	[XFRMA_IPTFS_MAX_QSIZE]	= { .type = NLA_U32 },
	[XFRMA_IPTFS_PKT_SIZE]	= { .type = NLA_U32 },
};
EXPORT_SYMBOL_GPL(xfrma_policy);

/* Attribute policy for XFRM_MSG_NEWSPDINFO (see xfrm_dispatch below). */
static const struct nla_policy xfrma_spd_policy[XFRMA_SPD_MAX+1] = {
	[XFRMA_SPD_IPV4_HTHRESH] = { .len = sizeof(struct xfrmu_spdhthresh) },
	[XFRMA_SPD_IPV6_HTHRESH] = { .len = sizeof(struct xfrmu_spdhthresh) },
};

/*
 * Per-message-type dispatch table, indexed by (type - XFRM_MSG_BASE).
 * .doit handles a single request; .start/.dump/.done are the dump
 * callbacks.  .nla_pol/.nla_max are set only for XFRM_MSG_NEWSPDINFO.
 * XFRM_MSG_DELPOLICY and XFRM_MSG_GETPOLICY share xfrm_get_policy(),
 * which distinguishes them by nlmsg_type.
 */
static const struct xfrm_link {
	int (*doit)(struct sk_buff *, struct nlmsghdr *, struct nlattr **,
		    struct netlink_ext_ack *);
	int (*start)(struct netlink_callback *);
	int (*dump)(struct sk_buff *, struct netlink_callback *);
	int (*done)(struct netlink_callback *);
	const struct nla_policy *nla_pol;
	int nla_max;
} xfrm_dispatch[XFRM_NR_MSGTYPES] = {
	[XFRM_MSG_NEWSA       - XFRM_MSG_BASE] = { .doit = xfrm_add_sa        },
	[XFRM_MSG_DELSA       - XFRM_MSG_BASE] = { .doit = xfrm_del_sa        },
	[XFRM_MSG_GETSA       - XFRM_MSG_BASE] = { .doit = xfrm_get_sa,
						   .dump = xfrm_dump_sa,
						   .done = xfrm_dump_sa_done  },
	[XFRM_MSG_NEWPOLICY   - XFRM_MSG_BASE] = { .doit = xfrm_add_policy    },
	[XFRM_MSG_DELPOLICY   - XFRM_MSG_BASE] = { .doit = xfrm_get_policy    },
	[XFRM_MSG_GETPOLICY   - XFRM_MSG_BASE] = { .doit = xfrm_get_policy,
						   .start = xfrm_dump_policy_start,
						   .dump = xfrm_dump_policy,
						   .done = xfrm_dump_policy_done },
	[XFRM_MSG_ALLOCSPI    - XFRM_MSG_BASE] = { .doit = xfrm_alloc_userspi },
	[XFRM_MSG_ACQUIRE     - XFRM_MSG_BASE] = { .doit = xfrm_add_acquire   },
	[XFRM_MSG_EXPIRE      - XFRM_MSG_BASE] = { .doit = xfrm_add_sa_expire },
	[XFRM_MSG_UPDPOLICY   - XFRM_MSG_BASE] = { .doit = xfrm_add_policy    },
	[XFRM_MSG_UPDSA       - XFRM_MSG_BASE] = { .doit = xfrm_add_sa        },
	[XFRM_MSG_POLEXPIRE   - XFRM_MSG_BASE] = { .doit = xfrm_add_pol_expire},
	[XFRM_MSG_FLUSHSA     - XFRM_MSG_BASE] = { .doit = xfrm_flush_sa      },
	[XFRM_MSG_FLUSHPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_flush_policy  },
	[XFRM_MSG_NEWAE       - XFRM_MSG_BASE] = { .doit = xfrm_new_ae  },
	[XFRM_MSG_GETAE       - XFRM_MSG_BASE] = { .doit = xfrm_get_ae  },
	[XFRM_MSG_MIGRATE     - XFRM_MSG_BASE] = { .doit = xfrm_do_migrate    },
	[XFRM_MSG_GETSADINFO  - XFRM_MSG_BASE] = { .doit = xfrm_get_sadinfo   },
	[XFRM_MSG_NEWSPDINFO  - XFRM_MSG_BASE] = { .doit = xfrm_set_spdinfo,
						   .nla_pol = xfrma_spd_policy,
						   .nla_max = XFRMA_SPD_MAX },
	[XFRM_MSG_GETSPDINFO  - XFRM_MSG_BASE] = { .doit = xfrm_get_spdinfo   },
	[XFRM_MSG_SETDEFAULT  - XFRM_MSG_BASE] = { .doit = xfrm_set_default   },
	[XFRM_MSG_GETDEFAULT  - XFRM_MSG_BASE] = { .doit = xfrm_get_default   },
	[XFRM_MSG_MIGRATE_STATE - XFRM_MSG_BASE] = { .doit = xfrm_do_migrate_state },
};

static int xfrm_reject_unused_attr(int type, struct nlattr **attrs,
				   struct netlink_ext_ack *extack)
{
	if (attrs[XFRMA_SA_DIR]) {
		switch (type) {
		case
XFRM_MSG_NEWSA: 3768 case XFRM_MSG_UPDSA: 3769 case XFRM_MSG_ALLOCSPI: 3770 break; 3771 default: 3772 NL_SET_ERR_MSG(extack, "Invalid attribute SA_DIR"); 3773 return -EINVAL; 3774 } 3775 } 3776 3777 if (attrs[XFRMA_SA_PCPU]) { 3778 switch (type) { 3779 case XFRM_MSG_NEWSA: 3780 case XFRM_MSG_UPDSA: 3781 case XFRM_MSG_ALLOCSPI: 3782 case XFRM_MSG_ACQUIRE: 3783 3784 break; 3785 default: 3786 NL_SET_ERR_MSG(extack, "Invalid attribute SA_PCPU"); 3787 return -EINVAL; 3788 } 3789 } 3790 3791 if (type == XFRM_MSG_MIGRATE_STATE) { 3792 int i; 3793 3794 for (i = 0; i <= XFRMA_MAX; i++) { 3795 if (!attrs[i]) 3796 continue; 3797 3798 switch (i) { 3799 case XFRMA_MARK: 3800 case XFRMA_ENCAP: 3801 case XFRMA_OFFLOAD_DEV: 3802 case XFRMA_SET_MARK: 3803 case XFRMA_SET_MARK_MASK: 3804 case XFRMA_MTIMER_THRESH: 3805 case XFRMA_NAT_KEEPALIVE_INTERVAL: 3806 break; 3807 default: 3808 NL_SET_ERR_MSG_ATTR(extack, attrs[i], 3809 "Unsupported attribute in XFRM_MSG_MIGRATE_STATE"); 3810 return -EINVAL; 3811 } 3812 } 3813 } 3814 3815 return 0; 3816 } 3817 3818 static int xfrm_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh, 3819 struct netlink_ext_ack *extack) 3820 { 3821 struct net *net = sock_net(skb->sk); 3822 struct nlattr *attrs[XFRMA_MAX+1]; 3823 const struct xfrm_link *link; 3824 struct nlmsghdr *nlh64 = NULL; 3825 int type, err; 3826 3827 type = nlh->nlmsg_type; 3828 if (type > XFRM_MSG_MAX) 3829 return -EINVAL; 3830 3831 type -= XFRM_MSG_BASE; 3832 link = &xfrm_dispatch[type]; 3833 3834 /* All operations require privileges, even GET */ 3835 if (!netlink_net_capable(skb, CAP_NET_ADMIN)) 3836 return -EPERM; 3837 3838 if (in_compat_syscall()) { 3839 struct xfrm_translator *xtr = xfrm_get_translator(); 3840 3841 if (!xtr) 3842 return -EOPNOTSUPP; 3843 3844 nlh64 = xtr->rcv_msg_compat(nlh, link->nla_max, 3845 link->nla_pol, extack); 3846 xfrm_put_translator(xtr); 3847 if (IS_ERR(nlh64)) 3848 return PTR_ERR(nlh64); 3849 if (nlh64) 3850 nlh = nlh64; 3851 } 3852 3853 if ((type == 
(XFRM_MSG_GETSA - XFRM_MSG_BASE) || 3854 type == (XFRM_MSG_GETPOLICY - XFRM_MSG_BASE)) && 3855 (nlh->nlmsg_flags & NLM_F_DUMP)) { 3856 struct netlink_dump_control c = { 3857 .start = link->start, 3858 .dump = link->dump, 3859 .done = link->done, 3860 }; 3861 3862 if (link->dump == NULL) { 3863 err = -EINVAL; 3864 goto err; 3865 } 3866 3867 err = netlink_dump_start(xfrm_net_nlsk(net, skb), skb, nlh, &c); 3868 goto err; 3869 } 3870 3871 err = nlmsg_parse_deprecated(nlh, xfrm_msg_min[type], attrs, 3872 link->nla_max ? : XFRMA_MAX, 3873 link->nla_pol ? : xfrma_policy, extack); 3874 if (err < 0) 3875 goto err; 3876 3877 if (!link->nla_pol || link->nla_pol == xfrma_policy) { 3878 err = xfrm_reject_unused_attr((type + XFRM_MSG_BASE), attrs, extack); 3879 if (err < 0) 3880 goto err; 3881 } 3882 3883 if (link->doit == NULL) { 3884 err = -EINVAL; 3885 goto err; 3886 } 3887 3888 err = link->doit(skb, nlh, attrs, extack); 3889 3890 /* We need to free skb allocated in xfrm_alloc_compat() before 3891 * returning from this function, because consume_skb() won't take 3892 * care of frag_list since netlink destructor sets 3893 * sbk->head to NULL. 
(see netlink_skb_destructor()) 3894 */ 3895 if (skb_has_frag_list(skb)) { 3896 kfree_skb(skb_shinfo(skb)->frag_list); 3897 skb_shinfo(skb)->frag_list = NULL; 3898 } 3899 3900 err: 3901 kvfree(nlh64); 3902 return err; 3903 } 3904 3905 static void xfrm_netlink_rcv(struct sk_buff *skb) 3906 { 3907 struct net *net = sock_net(skb->sk); 3908 3909 mutex_lock(&net->xfrm.xfrm_cfg_mutex); 3910 netlink_rcv_skb(skb, &xfrm_user_rcv_msg); 3911 mutex_unlock(&net->xfrm.xfrm_cfg_mutex); 3912 } 3913 3914 static inline unsigned int xfrm_expire_msgsize(void) 3915 { 3916 return NLMSG_ALIGN(sizeof(struct xfrm_user_expire)) + 3917 nla_total_size(sizeof(struct xfrm_mark)) + 3918 nla_total_size(sizeof_field(struct xfrm_state, dir)) + 3919 nla_total_size(4); /* XFRMA_SA_PCPU */ 3920 } 3921 3922 static int build_expire(struct sk_buff *skb, struct xfrm_state *x, const struct km_event *c) 3923 { 3924 struct xfrm_user_expire *ue; 3925 struct nlmsghdr *nlh; 3926 int err; 3927 3928 nlh = nlmsg_put(skb, c->portid, 0, XFRM_MSG_EXPIRE, sizeof(*ue), 0); 3929 if (nlh == NULL) 3930 return -EMSGSIZE; 3931 3932 ue = nlmsg_data(nlh); 3933 copy_to_user_state(x, &ue->state); 3934 ue->hard = (c->data.hard != 0) ? 
1 : 0; 3935 /* clear the padding bytes */ 3936 memset_after(ue, 0, hard); 3937 3938 err = xfrm_mark_put(skb, &x->mark); 3939 if (err) 3940 return err; 3941 3942 err = xfrm_if_id_put(skb, x->if_id); 3943 if (err) 3944 return err; 3945 if (x->pcpu_num != UINT_MAX) { 3946 err = nla_put_u32(skb, XFRMA_SA_PCPU, x->pcpu_num); 3947 if (err) 3948 return err; 3949 } 3950 3951 if (x->dir) { 3952 err = nla_put_u8(skb, XFRMA_SA_DIR, x->dir); 3953 if (err) 3954 return err; 3955 } 3956 3957 nlmsg_end(skb, nlh); 3958 return 0; 3959 } 3960 3961 static int xfrm_exp_state_notify(struct xfrm_state *x, const struct km_event *c) 3962 { 3963 struct net *net = xs_net(x); 3964 struct sk_buff *skb; 3965 3966 skb = nlmsg_new(xfrm_expire_msgsize(), GFP_ATOMIC); 3967 if (skb == NULL) 3968 return -ENOMEM; 3969 3970 if (build_expire(skb, x, c) < 0) { 3971 kfree_skb(skb); 3972 return -EMSGSIZE; 3973 } 3974 3975 return xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_EXPIRE); 3976 } 3977 3978 static int xfrm_aevent_state_notify(struct xfrm_state *x, const struct km_event *c) 3979 { 3980 struct net *net = xs_net(x); 3981 struct sk_buff *skb; 3982 int err; 3983 3984 skb = nlmsg_new(xfrm_aevent_msgsize(x), GFP_ATOMIC); 3985 if (skb == NULL) 3986 return -ENOMEM; 3987 3988 err = build_aevent(skb, x, c); 3989 BUG_ON(err < 0); 3990 3991 return xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_AEVENTS); 3992 } 3993 3994 static int xfrm_notify_sa_flush(const struct km_event *c) 3995 { 3996 struct net *net = c->net; 3997 struct xfrm_usersa_flush *p; 3998 struct nlmsghdr *nlh; 3999 struct sk_buff *skb; 4000 int len = NLMSG_ALIGN(sizeof(struct xfrm_usersa_flush)); 4001 4002 skb = nlmsg_new(len, GFP_ATOMIC); 4003 if (skb == NULL) 4004 return -ENOMEM; 4005 4006 nlh = nlmsg_put(skb, c->portid, c->seq, XFRM_MSG_FLUSHSA, sizeof(*p), 0); 4007 if (nlh == NULL) { 4008 kfree_skb(skb); 4009 return -EMSGSIZE; 4010 } 4011 4012 p = nlmsg_data(nlh); 4013 p->proto = c->data.proto; 4014 4015 nlmsg_end(skb, nlh); 4016 4017 return 
xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_SA); 4018 } 4019 4020 static inline unsigned int xfrm_sa_len(struct xfrm_state *x) 4021 { 4022 unsigned int l = 0; 4023 if (x->aead) 4024 l += nla_total_size(aead_len(x->aead)); 4025 if (x->aalg) { 4026 l += nla_total_size(sizeof(struct xfrm_algo) + 4027 (x->aalg->alg_key_len + 7) / 8); 4028 l += nla_total_size(xfrm_alg_auth_len(x->aalg)); 4029 } 4030 if (x->ealg) 4031 l += nla_total_size(xfrm_alg_len(x->ealg)); 4032 if (x->calg) 4033 l += nla_total_size(sizeof(*x->calg)); 4034 if (x->encap) 4035 l += nla_total_size(sizeof(*x->encap)); 4036 if (x->tfcpad) 4037 l += nla_total_size(sizeof(x->tfcpad)); 4038 if (x->replay_esn) 4039 l += nla_total_size(xfrm_replay_state_esn_len(x->replay_esn)); 4040 else 4041 l += nla_total_size(sizeof(struct xfrm_replay_state)); 4042 if (x->security) 4043 l += nla_total_size(sizeof(struct xfrm_user_sec_ctx) + 4044 x->security->ctx_len); 4045 if (x->coaddr) 4046 l += nla_total_size(sizeof(*x->coaddr)); 4047 if (x->props.extra_flags) 4048 l += nla_total_size(sizeof(x->props.extra_flags)); 4049 if (x->xso.dev) 4050 l += nla_total_size(sizeof(struct xfrm_user_offload)); 4051 if (x->props.smark.v | x->props.smark.m) { 4052 l += nla_total_size(sizeof(x->props.smark.v)); 4053 l += nla_total_size(sizeof(x->props.smark.m)); 4054 } 4055 if (x->if_id) 4056 l += nla_total_size(sizeof(x->if_id)); 4057 if (x->pcpu_num != UINT_MAX) 4058 l += nla_total_size(sizeof(x->pcpu_num)); 4059 4060 /* Must count x->lastused as it may become non-zero behind our back. 
*/ 4061 l += nla_total_size_64bit(sizeof(u64)); 4062 4063 if (x->mapping_maxage) 4064 l += nla_total_size(sizeof(x->mapping_maxage)); 4065 4066 if (x->dir) 4067 l += nla_total_size(sizeof(x->dir)); 4068 4069 if (x->nat_keepalive_interval) 4070 l += nla_total_size(sizeof(x->nat_keepalive_interval)); 4071 4072 if (x->mode_cbs && x->mode_cbs->sa_len) 4073 l += x->mode_cbs->sa_len(x); 4074 4075 return l; 4076 } 4077 4078 static int xfrm_notify_sa(struct xfrm_state *x, const struct km_event *c) 4079 { 4080 struct net *net = xs_net(x); 4081 struct xfrm_usersa_info *p; 4082 struct xfrm_usersa_id *id; 4083 struct nlmsghdr *nlh; 4084 struct sk_buff *skb; 4085 unsigned int len = xfrm_sa_len(x); 4086 unsigned int headlen; 4087 int err; 4088 4089 headlen = sizeof(*p); 4090 if (c->event == XFRM_MSG_DELSA) { 4091 len += nla_total_size(headlen); 4092 headlen = sizeof(*id); 4093 len += nla_total_size(sizeof(struct xfrm_mark)); 4094 } 4095 len += NLMSG_ALIGN(headlen); 4096 4097 skb = nlmsg_new(len, GFP_ATOMIC); 4098 if (skb == NULL) 4099 return -ENOMEM; 4100 4101 nlh = nlmsg_put(skb, c->portid, c->seq, c->event, headlen, 0); 4102 err = -EMSGSIZE; 4103 if (nlh == NULL) 4104 goto out_free_skb; 4105 4106 p = nlmsg_data(nlh); 4107 if (c->event == XFRM_MSG_DELSA) { 4108 struct nlattr *attr; 4109 4110 id = nlmsg_data(nlh); 4111 memset(id, 0, sizeof(*id)); 4112 memcpy(&id->daddr, &x->id.daddr, sizeof(id->daddr)); 4113 id->spi = x->id.spi; 4114 id->family = x->props.family; 4115 id->proto = x->id.proto; 4116 4117 attr = nla_reserve(skb, XFRMA_SA, sizeof(*p)); 4118 err = -EMSGSIZE; 4119 if (attr == NULL) 4120 goto out_free_skb; 4121 4122 p = nla_data(attr); 4123 } 4124 err = copy_to_user_state_extra(x, p, skb); 4125 if (err) 4126 goto out_free_skb; 4127 4128 nlmsg_end(skb, nlh); 4129 4130 return xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_SA); 4131 4132 out_free_skb: 4133 kfree_skb(skb); 4134 return err; 4135 } 4136 4137 static int xfrm_send_state_notify(struct xfrm_state *x, const struct 
km_event *c) 4138 { 4139 4140 switch (c->event) { 4141 case XFRM_MSG_EXPIRE: 4142 return xfrm_exp_state_notify(x, c); 4143 case XFRM_MSG_NEWAE: 4144 return xfrm_aevent_state_notify(x, c); 4145 case XFRM_MSG_DELSA: 4146 case XFRM_MSG_UPDSA: 4147 case XFRM_MSG_NEWSA: 4148 return xfrm_notify_sa(x, c); 4149 case XFRM_MSG_FLUSHSA: 4150 return xfrm_notify_sa_flush(c); 4151 default: 4152 printk(KERN_NOTICE "xfrm_user: Unknown SA event %d\n", 4153 c->event); 4154 break; 4155 } 4156 4157 return 0; 4158 4159 } 4160 4161 static inline unsigned int xfrm_acquire_msgsize(struct xfrm_state *x, 4162 struct xfrm_policy *xp) 4163 { 4164 return NLMSG_ALIGN(sizeof(struct xfrm_user_acquire)) 4165 + nla_total_size(sizeof(struct xfrm_user_tmpl) * xp->xfrm_nr) 4166 + nla_total_size(sizeof(struct xfrm_mark)) 4167 + nla_total_size(xfrm_user_sec_ctx_size(x->security)) 4168 + nla_total_size(4) /* XFRMA_SA_PCPU */ 4169 + userpolicy_type_attrsize(); 4170 } 4171 4172 static int build_acquire(struct sk_buff *skb, struct xfrm_state *x, 4173 struct xfrm_tmpl *xt, struct xfrm_policy *xp) 4174 { 4175 __u32 seq = xfrm_get_acqseq(); 4176 struct xfrm_user_acquire *ua; 4177 struct nlmsghdr *nlh; 4178 int err; 4179 4180 nlh = nlmsg_put(skb, 0, 0, XFRM_MSG_ACQUIRE, sizeof(*ua), 0); 4181 if (nlh == NULL) 4182 return -EMSGSIZE; 4183 4184 ua = nlmsg_data(nlh); 4185 memcpy(&ua->id, &x->id, sizeof(ua->id)); 4186 memcpy(&ua->saddr, &x->props.saddr, sizeof(ua->saddr)); 4187 memcpy(&ua->sel, &x->sel, sizeof(ua->sel)); 4188 copy_to_user_policy(xp, &ua->policy, XFRM_POLICY_OUT); 4189 ua->aalgos = xt->aalgos; 4190 ua->ealgos = xt->ealgos; 4191 ua->calgos = xt->calgos; 4192 ua->seq = x->km.seq = seq; 4193 4194 err = copy_to_user_tmpl(xp, skb); 4195 if (!err) 4196 err = copy_to_user_state_sec_ctx(x, skb); 4197 if (!err) 4198 err = copy_to_user_policy_type(xp->type, skb); 4199 if (!err) 4200 err = xfrm_mark_put(skb, &xp->mark); 4201 if (!err) 4202 err = xfrm_if_id_put(skb, xp->if_id); 4203 if (!err && xp->xdo.dev) 4204 
err = copy_user_offload(&xp->xdo, skb); 4205 if (!err && x->pcpu_num != UINT_MAX) 4206 err = nla_put_u32(skb, XFRMA_SA_PCPU, x->pcpu_num); 4207 if (err) { 4208 nlmsg_cancel(skb, nlh); 4209 return err; 4210 } 4211 4212 nlmsg_end(skb, nlh); 4213 return 0; 4214 } 4215 4216 static int xfrm_send_acquire(struct xfrm_state *x, struct xfrm_tmpl *xt, 4217 struct xfrm_policy *xp) 4218 { 4219 struct net *net = xs_net(x); 4220 struct sk_buff *skb; 4221 int err; 4222 4223 skb = nlmsg_new(xfrm_acquire_msgsize(x, xp), GFP_ATOMIC); 4224 if (skb == NULL) 4225 return -ENOMEM; 4226 4227 err = build_acquire(skb, x, xt, xp); 4228 BUG_ON(err < 0); 4229 4230 return xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_ACQUIRE); 4231 } 4232 4233 /* User gives us xfrm_user_policy_info followed by an array of 0 4234 * or more templates. 4235 */ 4236 static struct xfrm_policy *xfrm_compile_policy(struct sock *sk, int opt, 4237 u8 *data, int len, int *dir) 4238 { 4239 struct net *net = sock_net(sk); 4240 struct xfrm_userpolicy_info *p = (struct xfrm_userpolicy_info *)data; 4241 struct xfrm_user_tmpl *ut = (struct xfrm_user_tmpl *) (p + 1); 4242 struct xfrm_policy *xp; 4243 int nr; 4244 4245 switch (sk->sk_family) { 4246 case AF_INET: 4247 if (opt != IP_XFRM_POLICY) { 4248 *dir = -EOPNOTSUPP; 4249 return NULL; 4250 } 4251 break; 4252 #if IS_ENABLED(CONFIG_IPV6) 4253 case AF_INET6: 4254 if (opt != IPV6_XFRM_POLICY) { 4255 *dir = -EOPNOTSUPP; 4256 return NULL; 4257 } 4258 break; 4259 #endif 4260 default: 4261 *dir = -EINVAL; 4262 return NULL; 4263 } 4264 4265 *dir = -EINVAL; 4266 4267 if (len < sizeof(*p) || 4268 verify_newpolicy_info(p, NULL)) 4269 return NULL; 4270 4271 nr = ((len - sizeof(*p)) / sizeof(*ut)); 4272 if (validate_tmpl(nr, ut, p->sel.family, p->dir, NULL)) 4273 return NULL; 4274 4275 if (p->dir > XFRM_POLICY_OUT) 4276 return NULL; 4277 4278 xp = xfrm_policy_alloc(net, GFP_ATOMIC); 4279 if (xp == NULL) { 4280 *dir = -ENOBUFS; 4281 return NULL; 4282 } 4283 4284 copy_from_user_policy(xp, p); 
4285 xp->type = XFRM_POLICY_TYPE_MAIN; 4286 copy_templates(xp, ut, nr); 4287 4288 *dir = p->dir; 4289 4290 return xp; 4291 } 4292 4293 static inline unsigned int xfrm_polexpire_msgsize(struct xfrm_policy *xp) 4294 { 4295 return NLMSG_ALIGN(sizeof(struct xfrm_user_polexpire)) 4296 + nla_total_size(sizeof(struct xfrm_user_tmpl) * xp->xfrm_nr) 4297 + nla_total_size(xfrm_user_sec_ctx_size(xp->security)) 4298 + nla_total_size(sizeof(struct xfrm_mark)) 4299 + userpolicy_type_attrsize(); 4300 } 4301 4302 static int build_polexpire(struct sk_buff *skb, struct xfrm_policy *xp, 4303 int dir, const struct km_event *c) 4304 { 4305 struct xfrm_user_polexpire *upe; 4306 int hard = c->data.hard; 4307 struct nlmsghdr *nlh; 4308 int err; 4309 4310 nlh = nlmsg_put(skb, c->portid, 0, XFRM_MSG_POLEXPIRE, sizeof(*upe), 0); 4311 if (nlh == NULL) 4312 return -EMSGSIZE; 4313 4314 upe = nlmsg_data(nlh); 4315 copy_to_user_policy(xp, &upe->pol, dir); 4316 err = copy_to_user_tmpl(xp, skb); 4317 if (!err) 4318 err = copy_to_user_sec_ctx(xp, skb); 4319 if (!err) 4320 err = copy_to_user_policy_type(xp->type, skb); 4321 if (!err) 4322 err = xfrm_mark_put(skb, &xp->mark); 4323 if (!err) 4324 err = xfrm_if_id_put(skb, xp->if_id); 4325 if (!err && xp->xdo.dev) 4326 err = copy_user_offload(&xp->xdo, skb); 4327 if (err) { 4328 nlmsg_cancel(skb, nlh); 4329 return err; 4330 } 4331 upe->hard = !!hard; 4332 /* clear the padding bytes */ 4333 memset_after(upe, 0, hard); 4334 4335 nlmsg_end(skb, nlh); 4336 return 0; 4337 } 4338 4339 static int xfrm_exp_policy_notify(struct xfrm_policy *xp, int dir, const struct km_event *c) 4340 { 4341 struct net *net = xp_net(xp); 4342 struct sk_buff *skb; 4343 int err; 4344 4345 skb = nlmsg_new(xfrm_polexpire_msgsize(xp), GFP_ATOMIC); 4346 if (skb == NULL) 4347 return -ENOMEM; 4348 4349 err = build_polexpire(skb, xp, dir, c); 4350 BUG_ON(err < 0); 4351 4352 return xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_EXPIRE); 4353 } 4354 4355 static int xfrm_notify_policy(struct 
xfrm_policy *xp, int dir, const struct km_event *c) 4356 { 4357 unsigned int len = nla_total_size(sizeof(struct xfrm_user_tmpl) * xp->xfrm_nr); 4358 struct net *net = xp_net(xp); 4359 struct xfrm_userpolicy_info *p; 4360 struct xfrm_userpolicy_id *id; 4361 struct nlmsghdr *nlh; 4362 struct sk_buff *skb; 4363 unsigned int headlen; 4364 int err; 4365 4366 headlen = sizeof(*p); 4367 if (c->event == XFRM_MSG_DELPOLICY) { 4368 len += nla_total_size(headlen); 4369 headlen = sizeof(*id); 4370 } 4371 len += userpolicy_type_attrsize(); 4372 len += nla_total_size(sizeof(struct xfrm_mark)); 4373 len += NLMSG_ALIGN(headlen); 4374 4375 skb = nlmsg_new(len, GFP_ATOMIC); 4376 if (skb == NULL) 4377 return -ENOMEM; 4378 4379 nlh = nlmsg_put(skb, c->portid, c->seq, c->event, headlen, 0); 4380 err = -EMSGSIZE; 4381 if (nlh == NULL) 4382 goto out_free_skb; 4383 4384 p = nlmsg_data(nlh); 4385 if (c->event == XFRM_MSG_DELPOLICY) { 4386 struct nlattr *attr; 4387 4388 id = nlmsg_data(nlh); 4389 memset(id, 0, sizeof(*id)); 4390 id->dir = dir; 4391 if (c->data.byid) 4392 id->index = xp->index; 4393 else 4394 memcpy(&id->sel, &xp->selector, sizeof(id->sel)); 4395 4396 attr = nla_reserve(skb, XFRMA_POLICY, sizeof(*p)); 4397 err = -EMSGSIZE; 4398 if (attr == NULL) 4399 goto out_free_skb; 4400 4401 p = nla_data(attr); 4402 } 4403 4404 copy_to_user_policy(xp, p, dir); 4405 err = copy_to_user_tmpl(xp, skb); 4406 if (!err) 4407 err = copy_to_user_policy_type(xp->type, skb); 4408 if (!err) 4409 err = xfrm_mark_put(skb, &xp->mark); 4410 if (!err) 4411 err = xfrm_if_id_put(skb, xp->if_id); 4412 if (!err && xp->xdo.dev) 4413 err = copy_user_offload(&xp->xdo, skb); 4414 if (err) 4415 goto out_free_skb; 4416 4417 nlmsg_end(skb, nlh); 4418 4419 return xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_POLICY); 4420 4421 out_free_skb: 4422 kfree_skb(skb); 4423 return err; 4424 } 4425 4426 static int xfrm_notify_policy_flush(const struct km_event *c) 4427 { 4428 struct net *net = c->net; 4429 struct nlmsghdr 
*nlh; 4430 struct sk_buff *skb; 4431 int err; 4432 4433 skb = nlmsg_new(userpolicy_type_attrsize(), GFP_ATOMIC); 4434 if (skb == NULL) 4435 return -ENOMEM; 4436 4437 nlh = nlmsg_put(skb, c->portid, c->seq, XFRM_MSG_FLUSHPOLICY, 0, 0); 4438 err = -EMSGSIZE; 4439 if (nlh == NULL) 4440 goto out_free_skb; 4441 err = copy_to_user_policy_type(c->data.type, skb); 4442 if (err) 4443 goto out_free_skb; 4444 4445 nlmsg_end(skb, nlh); 4446 4447 return xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_POLICY); 4448 4449 out_free_skb: 4450 kfree_skb(skb); 4451 return err; 4452 } 4453 4454 static int xfrm_send_policy_notify(struct xfrm_policy *xp, int dir, const struct km_event *c) 4455 { 4456 4457 switch (c->event) { 4458 case XFRM_MSG_NEWPOLICY: 4459 case XFRM_MSG_UPDPOLICY: 4460 case XFRM_MSG_DELPOLICY: 4461 return xfrm_notify_policy(xp, dir, c); 4462 case XFRM_MSG_FLUSHPOLICY: 4463 return xfrm_notify_policy_flush(c); 4464 case XFRM_MSG_POLEXPIRE: 4465 return xfrm_exp_policy_notify(xp, dir, c); 4466 default: 4467 printk(KERN_NOTICE "xfrm_user: Unknown Policy event %d\n", 4468 c->event); 4469 } 4470 4471 return 0; 4472 4473 } 4474 4475 static inline unsigned int xfrm_report_msgsize(void) 4476 { 4477 return NLMSG_ALIGN(sizeof(struct xfrm_user_report)); 4478 } 4479 4480 static int build_report(struct sk_buff *skb, u8 proto, 4481 struct xfrm_selector *sel, xfrm_address_t *addr) 4482 { 4483 struct xfrm_user_report *ur; 4484 struct nlmsghdr *nlh; 4485 4486 nlh = nlmsg_put(skb, 0, 0, XFRM_MSG_REPORT, sizeof(*ur), 0); 4487 if (nlh == NULL) 4488 return -EMSGSIZE; 4489 4490 ur = nlmsg_data(nlh); 4491 memset(ur, 0, sizeof(*ur)); 4492 ur->proto = proto; 4493 memcpy(&ur->sel, sel, sizeof(ur->sel)); 4494 4495 if (addr) { 4496 int err = nla_put(skb, XFRMA_COADDR, sizeof(*addr), addr); 4497 if (err) { 4498 nlmsg_cancel(skb, nlh); 4499 return err; 4500 } 4501 } 4502 nlmsg_end(skb, nlh); 4503 return 0; 4504 } 4505 4506 static int xfrm_send_report(struct net *net, u8 proto, 4507 struct xfrm_selector 
*sel, xfrm_address_t *addr) 4508 { 4509 struct sk_buff *skb; 4510 int err; 4511 4512 skb = nlmsg_new(xfrm_report_msgsize(), GFP_ATOMIC); 4513 if (skb == NULL) 4514 return -ENOMEM; 4515 4516 err = build_report(skb, proto, sel, addr); 4517 BUG_ON(err < 0); 4518 4519 return xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_REPORT); 4520 } 4521 4522 static inline unsigned int xfrm_mapping_msgsize(void) 4523 { 4524 return NLMSG_ALIGN(sizeof(struct xfrm_user_mapping)); 4525 } 4526 4527 static int build_mapping(struct sk_buff *skb, struct xfrm_state *x, 4528 xfrm_address_t *new_saddr, __be16 new_sport) 4529 { 4530 struct xfrm_user_mapping *um; 4531 struct nlmsghdr *nlh; 4532 4533 nlh = nlmsg_put(skb, 0, 0, XFRM_MSG_MAPPING, sizeof(*um), 0); 4534 if (nlh == NULL) 4535 return -EMSGSIZE; 4536 4537 um = nlmsg_data(nlh); 4538 4539 memset(&um->id, 0, sizeof(um->id)); 4540 memcpy(&um->id.daddr, &x->id.daddr, sizeof(um->id.daddr)); 4541 um->id.spi = x->id.spi; 4542 um->id.family = x->props.family; 4543 um->id.proto = x->id.proto; 4544 memcpy(&um->new_saddr, new_saddr, sizeof(um->new_saddr)); 4545 memcpy(&um->old_saddr, &x->props.saddr, sizeof(um->old_saddr)); 4546 um->new_sport = new_sport; 4547 um->old_sport = x->encap->encap_sport; 4548 um->reqid = x->props.reqid; 4549 4550 nlmsg_end(skb, nlh); 4551 return 0; 4552 } 4553 4554 static int xfrm_send_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, 4555 __be16 sport) 4556 { 4557 struct net *net = xs_net(x); 4558 struct sk_buff *skb; 4559 int err; 4560 4561 if (x->id.proto != IPPROTO_ESP) 4562 return -EINVAL; 4563 4564 if (!x->encap) 4565 return -EINVAL; 4566 4567 skb = nlmsg_new(xfrm_mapping_msgsize(), GFP_ATOMIC); 4568 if (skb == NULL) 4569 return -ENOMEM; 4570 4571 err = build_mapping(skb, x, ipaddr, sport); 4572 BUG_ON(err < 0); 4573 4574 return xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_MAPPING); 4575 } 4576 4577 static bool xfrm_is_alive(const struct km_event *c) 4578 { 4579 return (bool)xfrm_acquire_is_on(c->net); 4580 } 4581 
/* Key-manager callbacks that expose xfrm events over NETLINK_XFRM. */
static struct xfrm_mgr netlink_mgr = {
	.notify		= xfrm_send_state_notify,
	.acquire	= xfrm_send_acquire,
	.compile_policy	= xfrm_compile_policy,
	.notify_policy	= xfrm_send_policy_notify,
	.report		= xfrm_send_report,
	.migrate	= xfrm_send_migrate,
	.new_mapping	= xfrm_send_mapping,
	.is_alive	= xfrm_is_alive,
};

/*
 * Per-namespace init: create the kernel-side NETLINK_XFRM socket and publish
 * it in net->xfrm.nlsk.
 *
 * NOTE(review): cfg sets no .flags, so who may bind to the multicast groups
 * (which carry SA and policy details) is whatever the netlink core applies
 * by default - confirm that matches the CAP_NET_ADMIN requirement on
 * requests.
 */
static int __net_init xfrm_user_net_init(struct net *net)
{
	struct sock *nlsk;
	struct netlink_kernel_cfg cfg = {
		.groups	= XFRMNLGRP_MAX,
		.input	= xfrm_netlink_rcv,
	};

	nlsk = netlink_kernel_create(net, NETLINK_XFRM, &cfg);
	if (nlsk == NULL)
		return -ENOMEM;
	/* nlsk_stash keeps the pointer for release at exit, after pre_exit
	 * has cleared net->xfrm.nlsk.
	 */
	net->xfrm.nlsk_stash = nlsk; /* Don't set to NULL */
	rcu_assign_pointer(net->xfrm.nlsk, nlsk);
	return 0;
}

/* Per-namespace pre-exit: unpublish the socket pointer. */
static void __net_exit xfrm_user_net_pre_exit(struct net *net)
{
	RCU_INIT_POINTER(net->xfrm.nlsk, NULL);
}

/* Batched exit: release the stashed socket of every exiting namespace. */
static void __net_exit xfrm_user_net_exit(struct list_head *net_exit_list)
{
	struct net *net;

	list_for_each_entry(net, net_exit_list, exit_list)
		netlink_kernel_release(net->xfrm.nlsk_stash);
}

static struct pernet_operations xfrm_user_net_ops = {
	.init	    = xfrm_user_net_init,
	.pre_exit   = xfrm_user_net_pre_exit,
	.exit_batch = xfrm_user_net_exit,
};

/*
 * Module init: register the per-namespace operations, then register the
 * netlink key manager.
 */
static int __init xfrm_user_init(void)
{
	int rv;

	printk(KERN_INFO "Initializing XFRM netlink socket\n");

	rv = register_pernet_subsys(&xfrm_user_net_ops);
	if (rv < 0)
		return rv;
	xfrm_register_km(&netlink_mgr);
	return 0;
}

/* Module exit: undo xfrm_user_init() in reverse order. */
static void __exit xfrm_user_exit(void)
{
	xfrm_unregister_km(&netlink_mgr);
	unregister_pernet_subsys(&xfrm_user_net_ops);
}

module_init(xfrm_user_init);
module_exit(xfrm_user_exit);
MODULE_DESCRIPTION("XFRM User interface");
MODULE_LICENSE("GPL");
MODULE_ALIAS_NET_PF_PROTO(PF_NETLINK, NETLINK_XFRM);