1 // SPDX-License-Identifier: GPL-2.0-only 2 /* xfrm_user.c: User interface to configure xfrm engine. 3 * 4 * Copyright (C) 2002 David S. Miller (davem@redhat.com) 5 * 6 * Changes: 7 * Mitsuru KANDA @USAGI 8 * Kazunori MIYAZAWA @USAGI 9 * Kunihiro Ishiguro <kunihiro@ipinfusion.com> 10 * IPv6 support 11 * 12 */ 13 14 #include <linux/compat.h> 15 #include <linux/crypto.h> 16 #include <linux/module.h> 17 #include <linux/kernel.h> 18 #include <linux/types.h> 19 #include <linux/slab.h> 20 #include <linux/socket.h> 21 #include <linux/string.h> 22 #include <linux/net.h> 23 #include <linux/skbuff.h> 24 #include <linux/pfkeyv2.h> 25 #include <linux/ipsec.h> 26 #include <linux/init.h> 27 #include <linux/security.h> 28 #include <net/sock.h> 29 #include <net/xfrm.h> 30 #include <net/netlink.h> 31 #include <net/ah.h> 32 #include <linux/uaccess.h> 33 #if IS_ENABLED(CONFIG_IPV6) 34 #include <linux/in6.h> 35 #endif 36 #include <linux/unaligned.h> 37 38 static int verify_one_alg(struct nlattr **attrs, enum xfrm_attr_type_t type, 39 struct netlink_ext_ack *extack) 40 { 41 struct nlattr *rt = attrs[type]; 42 struct xfrm_algo *algp; 43 44 if (!rt) 45 return 0; 46 47 algp = nla_data(rt); 48 if (nla_len(rt) < (int)xfrm_alg_len(algp)) { 49 NL_SET_ERR_MSG(extack, "Invalid AUTH/CRYPT/COMP attribute length"); 50 return -EINVAL; 51 } 52 53 switch (type) { 54 case XFRMA_ALG_AUTH: 55 case XFRMA_ALG_CRYPT: 56 case XFRMA_ALG_COMP: 57 break; 58 59 default: 60 NL_SET_ERR_MSG(extack, "Invalid algorithm attribute type"); 61 return -EINVAL; 62 } 63 64 algp->alg_name[sizeof(algp->alg_name) - 1] = '\0'; 65 return 0; 66 } 67 68 static int verify_auth_trunc(struct nlattr **attrs, 69 struct netlink_ext_ack *extack) 70 { 71 struct nlattr *rt = attrs[XFRMA_ALG_AUTH_TRUNC]; 72 struct xfrm_algo_auth *algp; 73 74 if (!rt) 75 return 0; 76 77 algp = nla_data(rt); 78 if (nla_len(rt) < (int)xfrm_alg_auth_len(algp)) { 79 NL_SET_ERR_MSG(extack, "Invalid AUTH_TRUNC attribute length"); 80 return -EINVAL; 81 } 82 83 algp->alg_name[sizeof(algp->alg_name) - 1] = '\0'; 84 return 0; 85 } 86 87 static int verify_aead(struct nlattr **attrs, struct netlink_ext_ack *extack) 88 { 89 struct nlattr *rt = attrs[XFRMA_ALG_AEAD]; 90 struct xfrm_algo_aead *algp; 91 92 if (!rt) 93 return 0; 94 95 algp = nla_data(rt); 96 if (nla_len(rt) < (int)aead_len(algp)) { 97 NL_SET_ERR_MSG(extack, "Invalid AEAD attribute length"); 98 return -EINVAL; 99 } 100 101 algp->alg_name[sizeof(algp->alg_name) - 1] = '\0'; 102 return 0; 103 } 104 105 static void verify_one_addr(struct nlattr **attrs, enum xfrm_attr_type_t type, 106 xfrm_address_t **addrp) 107 { 108 struct nlattr *rt = attrs[type]; 109 110 if (rt && addrp) 111 *addrp = nla_data(rt); 112 } 113 114 static inline int verify_sec_ctx_len(struct nlattr **attrs, struct netlink_ext_ack *extack) 115 { 116 struct nlattr *rt = attrs[XFRMA_SEC_CTX]; 117 struct xfrm_user_sec_ctx *uctx; 118 119 if (!rt) 120 return 0; 121 122 uctx = nla_data(rt); 123 if (uctx->len > nla_len(rt) || 124 uctx->len != (sizeof(struct xfrm_user_sec_ctx) + uctx->ctx_len)) { 125 NL_SET_ERR_MSG(extack, "Invalid security context length"); 126 return -EINVAL; 127 } 128 129 return 0; 130 } 131 132 static inline int verify_replay(struct xfrm_usersa_info *p, 133 struct nlattr **attrs, u8 sa_dir, 134 struct netlink_ext_ack *extack) 135 { 136 struct nlattr *rt = attrs[XFRMA_REPLAY_ESN_VAL]; 137 struct xfrm_replay_state_esn *rs; 138 139 if (!rt) { 140 if (p->flags & XFRM_STATE_ESN) { 141 NL_SET_ERR_MSG(extack, "Missing required attribute for ESN"); 142 return -EINVAL; 143 } 144 return 0; 145 } 146 147 rs = nla_data(rt); 148 149 if (rs->bmp_len > XFRMA_REPLAY_ESN_MAX / sizeof(rs->bmp[0]) / 8) { 150 NL_SET_ERR_MSG(extack, "ESN bitmap length must be <= 128"); 151 return -EINVAL; 152 } 153 154 if (nla_len(rt) < (int)xfrm_replay_state_esn_len(rs) && 155 nla_len(rt) != sizeof(*rs)) { 156 NL_SET_ERR_MSG(extack, "ESN attribute is too short to fit the full bitmap length"); 157 return -EINVAL; 158 } 159 160 /* As only ESP and AH support ESN feature. */ 161 if ((p->id.proto != IPPROTO_ESP) && (p->id.proto != IPPROTO_AH)) { 162 NL_SET_ERR_MSG(extack, "ESN only supported for ESP and AH"); 163 return -EINVAL; 164 } 165 166 if (p->replay_window != 0) { 167 NL_SET_ERR_MSG(extack, "ESN not compatible with legacy replay_window"); 168 return -EINVAL; 169 } 170 171 if (sa_dir == XFRM_SA_DIR_OUT) { 172 if (rs->replay_window) { 173 NL_SET_ERR_MSG(extack, "Replay window should be 0 for output SA"); 174 return -EINVAL; 175 } 176 if (rs->seq || rs->seq_hi) { 177 NL_SET_ERR_MSG(extack, 178 "Replay seq and seq_hi should be 0 for output SA"); 179 return -EINVAL; 180 } 181 if (rs->oseq_hi && !(p->flags & XFRM_STATE_ESN)) { 182 NL_SET_ERR_MSG( 183 extack, 184 "Replay oseq_hi should be 0 in non-ESN mode for output SA"); 185 return -EINVAL; 186 } 187 if (rs->bmp_len) { 188 NL_SET_ERR_MSG(extack, "Replay bmp_len should 0 for output SA"); 189 return -EINVAL; 190 } 191 } 192 193 if (sa_dir == XFRM_SA_DIR_IN) { 194 if (rs->oseq || rs->oseq_hi) { 195 NL_SET_ERR_MSG(extack, 196 "Replay oseq and oseq_hi should be 0 for input SA"); 197 return -EINVAL; 198 } 199 if (rs->seq_hi && !(p->flags & XFRM_STATE_ESN)) { 200 NL_SET_ERR_MSG( 201 extack, 202 "Replay seq_hi should be 0 in non-ESN mode for input SA"); 203 return -EINVAL; 204 } 205 } 206 207 return 0; 208 } 209 210 static int verify_newsa_info(struct xfrm_usersa_info *p, 211 struct nlattr **attrs, 212 struct netlink_ext_ack *extack) 213 { 214 int err; 215 u8 sa_dir = nla_get_u8_default(attrs[XFRMA_SA_DIR], 0); 216 u16 family = p->sel.family; 217 218 err = -EINVAL; 219 switch (p->family) { 220 case AF_INET: 221 break; 222 223 case AF_INET6: 224 #if IS_ENABLED(CONFIG_IPV6) 225 break; 226 #else 227 err = -EAFNOSUPPORT; 228 NL_SET_ERR_MSG(extack, "IPv6 support disabled"); 229 goto out; 230 #endif 231 232 default: 233 NL_SET_ERR_MSG(extack, "Invalid address family"); 234 goto out; 235 } 236 237 if (!family && !(p->flags & XFRM_STATE_AF_UNSPEC)) 238 family = p->family; 239 240 switch (family) { 241 case AF_UNSPEC: 242 break; 243 244 case AF_INET: 245 if (p->sel.prefixlen_d > 32 || p->sel.prefixlen_s > 32) { 246 NL_SET_ERR_MSG(extack, "Invalid prefix length in selector (must be <= 32 for IPv4)"); 247 goto out; 248 } 249 250 break; 251 252 case AF_INET6: 253 #if IS_ENABLED(CONFIG_IPV6) 254 if (p->sel.prefixlen_d > 128 || p->sel.prefixlen_s > 128) { 255 NL_SET_ERR_MSG(extack, "Invalid prefix length in selector (must be <= 128 for IPv6)"); 256 goto out; 257 } 258 259 break; 260 #else 261 NL_SET_ERR_MSG(extack, "IPv6 support disabled"); 262 err = -EAFNOSUPPORT; 263 goto out; 264 #endif 265 266 default: 267 NL_SET_ERR_MSG(extack, "Invalid address family in selector"); 268 goto out; 269 } 270 271 err = -EINVAL; 272 switch (p->id.proto) { 273 case IPPROTO_AH: 274 if (!attrs[XFRMA_ALG_AUTH] && 275 !attrs[XFRMA_ALG_AUTH_TRUNC]) { 276 NL_SET_ERR_MSG(extack, "Missing required attribute for AH: AUTH_TRUNC or AUTH"); 277 goto out; 278 } 279 280 if (attrs[XFRMA_ALG_AEAD] || 281 attrs[XFRMA_ALG_CRYPT] || 282 attrs[XFRMA_ALG_COMP] || 283 attrs[XFRMA_TFCPAD]) { 284 NL_SET_ERR_MSG(extack, "Invalid attributes for AH: AEAD, CRYPT, COMP, TFCPAD"); 285 goto out; 286 } 287 break; 288 289 case IPPROTO_ESP: 290 if (attrs[XFRMA_ALG_COMP]) { 291 NL_SET_ERR_MSG(extack, "Invalid attribute for ESP: COMP"); 292 goto out; 293 } 294 295 if (!attrs[XFRMA_ALG_AUTH] && 296 !attrs[XFRMA_ALG_AUTH_TRUNC] && 297 !attrs[XFRMA_ALG_CRYPT] && 298 !attrs[XFRMA_ALG_AEAD]) { 299 NL_SET_ERR_MSG(extack, "Missing required attribute for ESP: at least one of AUTH, AUTH_TRUNC, CRYPT, AEAD"); 300 goto out; 301 } 302 303 if ((attrs[XFRMA_ALG_AUTH] || 304 attrs[XFRMA_ALG_AUTH_TRUNC] || 305 attrs[XFRMA_ALG_CRYPT]) && 306 attrs[XFRMA_ALG_AEAD]) { 307 NL_SET_ERR_MSG(extack, "Invalid attribute combination for ESP: AEAD can't be used with AUTH, AUTH_TRUNC, CRYPT"); 308 goto out; 309 } 310 311 if (attrs[XFRMA_TFCPAD] && 312 p->mode != XFRM_MODE_TUNNEL) { 313 NL_SET_ERR_MSG(extack, "TFC padding can only be used in tunnel mode"); 314 goto out; 315 } 316 if ((attrs[XFRMA_IPTFS_DROP_TIME] || 317 attrs[XFRMA_IPTFS_REORDER_WINDOW] || 318 attrs[XFRMA_IPTFS_DONT_FRAG] || 319 attrs[XFRMA_IPTFS_INIT_DELAY] || 320 attrs[XFRMA_IPTFS_MAX_QSIZE] || 321 attrs[XFRMA_IPTFS_PKT_SIZE]) && 322 p->mode != XFRM_MODE_IPTFS) { 323 NL_SET_ERR_MSG(extack, "IP-TFS options can only be used in IP-TFS mode"); 324 goto out; 325 } 326 break; 327 328 case IPPROTO_COMP: 329 if (!attrs[XFRMA_ALG_COMP]) { 330 NL_SET_ERR_MSG(extack, "Missing required attribute for COMP: COMP"); 331 goto out; 332 } 333 334 if (attrs[XFRMA_ALG_AEAD] || 335 attrs[XFRMA_ALG_AUTH] || 336 attrs[XFRMA_ALG_AUTH_TRUNC] || 337 attrs[XFRMA_ALG_CRYPT] || 338 attrs[XFRMA_TFCPAD]) { 339 NL_SET_ERR_MSG(extack, "Invalid attributes for COMP: AEAD, AUTH, AUTH_TRUNC, CRYPT, TFCPAD"); 340 goto out; 341 } 342 343 if (ntohl(p->id.spi) >= 0x10000) { 344 NL_SET_ERR_MSG(extack, "SPI is too large for COMP (must be < 0x10000)"); 345 goto out; 346 } 347 break; 348 349 #if IS_ENABLED(CONFIG_IPV6) 350 case IPPROTO_DSTOPTS: 351 case IPPROTO_ROUTING: 352 if (attrs[XFRMA_ALG_COMP] || 353 attrs[XFRMA_ALG_AUTH] || 354 attrs[XFRMA_ALG_AUTH_TRUNC] || 355 attrs[XFRMA_ALG_AEAD] || 356 attrs[XFRMA_ALG_CRYPT] || 357 attrs[XFRMA_ENCAP] || 358 attrs[XFRMA_SEC_CTX] || 359 attrs[XFRMA_TFCPAD]) { 360 NL_SET_ERR_MSG(extack, "Invalid attributes for DSTOPTS/ROUTING"); 361 goto out; 362 } 363 364 if (!attrs[XFRMA_COADDR]) { 365 NL_SET_ERR_MSG(extack, "Missing required COADDR attribute for DSTOPTS/ROUTING"); 366 goto out; 367 } 368 break; 369 #endif 370 371 default: 372 NL_SET_ERR_MSG(extack, "Unsupported protocol"); 373 goto out; 374 } 375 376 if ((err = verify_aead(attrs, extack))) 377 goto out; 378 if ((err = verify_auth_trunc(attrs, extack))) 379 goto out; 380 if ((err = verify_one_alg(attrs, XFRMA_ALG_AUTH, extack))) 381 goto out; 382 if ((err = verify_one_alg(attrs, XFRMA_ALG_CRYPT, extack))) 383 goto out; 384 if ((err = verify_one_alg(attrs, XFRMA_ALG_COMP, extack))) 385 goto out; 386 if ((err = verify_sec_ctx_len(attrs, extack))) 387 goto out; 388 if ((err = verify_replay(p, attrs, sa_dir, extack))) 389 goto out; 390 391 err = -EINVAL; 392 switch (p->mode) { 393 case XFRM_MODE_TRANSPORT: 394 case XFRM_MODE_TUNNEL: 395 case XFRM_MODE_ROUTEOPTIMIZATION: 396 case XFRM_MODE_BEET: 397 break; 398 case XFRM_MODE_IPTFS: 399 if (p->id.proto != IPPROTO_ESP) { 400 NL_SET_ERR_MSG(extack, "IP-TFS mode only supported with ESP"); 401 goto out; 402 } 403 if (sa_dir == 0) { 404 NL_SET_ERR_MSG(extack, "IP-TFS mode requires in or out direction attribute"); 405 goto out; 406 } 407 break; 408 409 default: 410 NL_SET_ERR_MSG(extack, "Unsupported mode"); 411 goto out; 412 } 413 414 err = 0; 415 416 if (attrs[XFRMA_MTIMER_THRESH]) { 417 if (!attrs[XFRMA_ENCAP]) { 418 NL_SET_ERR_MSG(extack, "MTIMER_THRESH attribute can only be set on ENCAP states"); 419 err = -EINVAL; 420 goto out; 421 } 422 423 if (sa_dir == XFRM_SA_DIR_OUT) { 424 NL_SET_ERR_MSG(extack, 425 "MTIMER_THRESH attribute should not be set on output SA"); 426 err = -EINVAL; 427 goto out; 428 } 429 } 430 431 if (sa_dir == XFRM_SA_DIR_OUT) { 432 if (p->flags & XFRM_STATE_DECAP_DSCP) { 433 NL_SET_ERR_MSG(extack, "Flag DECAP_DSCP should not be set for output SA"); 434 err = -EINVAL; 435 goto out; 436 } 437 438 if (p->flags & XFRM_STATE_ICMP) { 439 NL_SET_ERR_MSG(extack, "Flag ICMP should not be set for output SA"); 440 err = -EINVAL; 441 goto out; 442 } 443 444 if (p->flags & XFRM_STATE_WILDRECV) { 445 NL_SET_ERR_MSG(extack, "Flag WILDRECV should not be set for output SA"); 446 err = -EINVAL; 447 goto out; 448 } 449 450 if (p->replay_window) { 451 NL_SET_ERR_MSG(extack, "Replay window should be 0 for output SA"); 452 err = -EINVAL; 453 goto out; 454 } 455 456 if (attrs[XFRMA_IPTFS_DROP_TIME]) { 457 NL_SET_ERR_MSG(extack, "IP-TFS drop time should not be set for output SA"); 458 err = -EINVAL; 459 goto out; 460 } 461 462 if (attrs[XFRMA_IPTFS_REORDER_WINDOW]) { 463 NL_SET_ERR_MSG(extack, "IP-TFS reorder window should not be set for output SA"); 464 err = -EINVAL; 465 goto out; 466 } 467 468 if (attrs[XFRMA_REPLAY_VAL]) { 469 struct xfrm_replay_state *replay; 470 471 replay = nla_data(attrs[XFRMA_REPLAY_VAL]); 472 473 if (replay->seq || replay->bitmap) { 474 NL_SET_ERR_MSG(extack, 475 "Replay seq and bitmap should be 0 for output SA"); 476 err = -EINVAL; 477 goto out; 478 } 479 } 480 } 481 482 if (sa_dir == XFRM_SA_DIR_IN) { 483 if (p->flags & XFRM_STATE_NOPMTUDISC) { 484 NL_SET_ERR_MSG(extack, "Flag NOPMTUDISC should not be set for input SA"); 485 err = -EINVAL; 486 goto out; 487 } 488 489 if (attrs[XFRMA_SA_EXTRA_FLAGS]) { 490 u32 xflags = nla_get_u32(attrs[XFRMA_SA_EXTRA_FLAGS]); 491 492 if (xflags & XFRM_SA_XFLAG_DONT_ENCAP_DSCP) { 493 NL_SET_ERR_MSG(extack, "Flag DONT_ENCAP_DSCP should not be set for input SA"); 494 err = -EINVAL; 495 goto out; 496 } 497 498 if (xflags & XFRM_SA_XFLAG_OSEQ_MAY_WRAP) { 499 NL_SET_ERR_MSG(extack, "Flag OSEQ_MAY_WRAP should not be set for input SA"); 500 err = -EINVAL; 501 goto out; 502 } 503 504 } 505 506 if (attrs[XFRMA_IPTFS_DONT_FRAG]) { 507 NL_SET_ERR_MSG(extack, "IP-TFS don't fragment should not be set for input SA"); 508 err = -EINVAL; 509 goto out; 510 } 511 512 if (attrs[XFRMA_IPTFS_INIT_DELAY]) { 513 NL_SET_ERR_MSG(extack, "IP-TFS initial delay should not be set for input SA"); 514 err = -EINVAL; 515 goto out; 516 } 517 518 if (attrs[XFRMA_IPTFS_MAX_QSIZE]) { 519 NL_SET_ERR_MSG(extack, "IP-TFS max queue size should not be set for input SA"); 520 err = -EINVAL; 521 goto out; 522 } 523 524 if (attrs[XFRMA_IPTFS_PKT_SIZE]) { 525 NL_SET_ERR_MSG(extack, "IP-TFS packet size should not be set for input SA"); 526 err = -EINVAL; 527 goto out; 528 } 529 } 530 531 if (!sa_dir && attrs[XFRMA_SA_PCPU]) { 532 NL_SET_ERR_MSG(extack, "SA_PCPU only supported with SA_DIR"); 533 err = -EINVAL; 534 goto out; 535 } 536 537 out: 538 return err; 539 } 540 541 static int attach_one_algo(struct xfrm_algo **algpp, u8 *props, 542 struct xfrm_algo_desc *(*get_byname)(const char *, int), 543 struct nlattr *rta, struct netlink_ext_ack *extack) 544 { 545 struct xfrm_algo *p, *ualg; 546 struct xfrm_algo_desc *algo; 547 548 if (!rta) 549 return 0; 550 551 ualg = nla_data(rta); 552 553 algo = get_byname(ualg->alg_name, 1); 554 if (!algo) { 555 NL_SET_ERR_MSG(extack, "Requested COMP algorithm not found"); 556 return -ENOSYS; 557 } 558 *props = algo->desc.sadb_alg_id; 559 560 p = kmemdup(ualg, xfrm_alg_len(ualg), GFP_KERNEL); 561 if (!p) 562 return -ENOMEM; 563 564 strcpy(p->alg_name, algo->name); 565 *algpp = p; 566 return 0; 567 } 568 569 static int attach_crypt(struct xfrm_state *x, struct nlattr *rta, 570 struct netlink_ext_ack *extack) 571 { 572 struct xfrm_algo *p, *ualg; 573 struct xfrm_algo_desc *algo; 574 575 if (!rta) 576 return 0; 577 578 ualg = nla_data(rta); 579 580 algo = xfrm_ealg_get_byname(ualg->alg_name, 1); 581 if (!algo) { 582 NL_SET_ERR_MSG(extack, "Requested CRYPT algorithm not found"); 583 return -ENOSYS; 584 } 585 x->props.ealgo = algo->desc.sadb_alg_id; 586 587 p = kmemdup(ualg, xfrm_alg_len(ualg), GFP_KERNEL); 588 if (!p) 589 return -ENOMEM; 590 591 strcpy(p->alg_name, algo->name); 592 x->ealg = p; 593 x->geniv = algo->uinfo.encr.geniv; 594 return 0; 595 } 596 597 static int attach_auth(struct xfrm_algo_auth **algpp, u8 *props, 598 struct nlattr *rta, struct netlink_ext_ack *extack) 599 { 600 struct xfrm_algo *ualg; 601 struct xfrm_algo_auth *p; 602 struct xfrm_algo_desc *algo; 603 604 if (!rta) 605 return 0; 606 607 ualg = nla_data(rta); 608 609 algo = xfrm_aalg_get_byname(ualg->alg_name, 1); 610 if (!algo) { 611 NL_SET_ERR_MSG(extack, "Requested AUTH algorithm not found"); 612 return -ENOSYS; 613 } 614 *props = algo->desc.sadb_alg_id; 615 616 p = kmalloc(sizeof(*p) + (ualg->alg_key_len + 7) / 8, GFP_KERNEL); 617 if (!p) 618 return -ENOMEM; 619 620 strcpy(p->alg_name, algo->name); 621 p->alg_key_len = ualg->alg_key_len; 622 p->alg_trunc_len = algo->uinfo.auth.icv_truncbits; 623 memcpy(p->alg_key, ualg->alg_key, (ualg->alg_key_len + 7) / 8); 624 625 *algpp = p; 626 return 0; 627 } 628 629 static int attach_auth_trunc(struct xfrm_algo_auth **algpp, u8 *props, 630 struct nlattr *rta, struct netlink_ext_ack *extack) 631 { 632 struct xfrm_algo_auth *p, *ualg; 633 struct xfrm_algo_desc *algo; 634 635 if (!rta) 636 return 0; 637 638 ualg = nla_data(rta); 639 640 algo = xfrm_aalg_get_byname(ualg->alg_name, 1); 641 if (!algo) { 642 NL_SET_ERR_MSG(extack, "Requested AUTH_TRUNC algorithm not found"); 643 return -ENOSYS; 644 } 645 if (ualg->alg_trunc_len > algo->uinfo.auth.icv_fullbits) { 646 NL_SET_ERR_MSG(extack, "Invalid length requested for truncated ICV"); 647 return -EINVAL; 648 } 649 *props = algo->desc.sadb_alg_id; 650 651 p = kmemdup(ualg, xfrm_alg_auth_len(ualg), GFP_KERNEL); 652 if (!p) 653 return -ENOMEM; 654 655 strcpy(p->alg_name, algo->name); 656 if (!p->alg_trunc_len) 657 p->alg_trunc_len = algo->uinfo.auth.icv_truncbits; 658 659 *algpp = p; 660 return 0; 661 } 662 663 static int attach_aead(struct xfrm_state *x, struct nlattr *rta, 664 struct netlink_ext_ack *extack) 665 { 666 struct xfrm_algo_aead *p, *ualg; 667 struct xfrm_algo_desc *algo; 668 669 if (!rta) 670 return 0; 671 672 ualg = nla_data(rta); 673 674 algo = xfrm_aead_get_byname(ualg->alg_name, ualg->alg_icv_len, 1); 675 if (!algo) { 676 NL_SET_ERR_MSG(extack, "Requested AEAD algorithm not found"); 677 return -ENOSYS; 678 } 679 x->props.ealgo = algo->desc.sadb_alg_id; 680 681 p = kmemdup(ualg, aead_len(ualg), GFP_KERNEL); 682 if (!p) 683 return -ENOMEM; 684 685 strcpy(p->alg_name, algo->name); 686 x->aead = p; 687 x->geniv = algo->uinfo.aead.geniv; 688 return 0; 689 } 690 691 static inline int xfrm_replay_verify_len(struct xfrm_replay_state_esn *replay_esn, 692 struct nlattr *rp, 693 struct netlink_ext_ack *extack) 694 { 695 struct xfrm_replay_state_esn *up; 696 unsigned int ulen; 697 698 if (!replay_esn || !rp) 699 return 0; 700 701 up = nla_data(rp); 702 ulen = xfrm_replay_state_esn_len(up); 703 704 /* Check the overall length and the internal bitmap length to avoid 705 * potential overflow. */ 706 if (nla_len(rp) < (int)ulen) { 707 NL_SET_ERR_MSG(extack, "ESN attribute is too short"); 708 return -EINVAL; 709 } 710 711 if (xfrm_replay_state_esn_len(replay_esn) != ulen) { 712 NL_SET_ERR_MSG(extack, "New ESN size doesn't match the existing SA's ESN size"); 713 return -EINVAL; 714 } 715 716 if (replay_esn->bmp_len != up->bmp_len) { 717 NL_SET_ERR_MSG(extack, "New ESN bitmap size doesn't match the existing SA's ESN bitmap"); 718 return -EINVAL; 719 } 720 721 if (up->replay_window > up->bmp_len * sizeof(__u32) * 8) { 722 NL_SET_ERR_MSG(extack, "ESN replay window is longer than the bitmap"); 723 return -EINVAL; 724 } 725 726 return 0; 727 } 728 729 static int xfrm_alloc_replay_state_esn(struct xfrm_replay_state_esn **replay_esn, 730 struct xfrm_replay_state_esn **preplay_esn, 731 struct nlattr *rta) 732 { 733 struct xfrm_replay_state_esn *p, *pp, *up; 734 unsigned int klen, ulen; 735 736 if (!rta) 737 return 0; 738 739 up = nla_data(rta); 740 klen = xfrm_replay_state_esn_len(up); 741 ulen = nla_len(rta) >= (int)klen ? klen : sizeof(*up); 742 743 p = kzalloc(klen, GFP_KERNEL); 744 if (!p) 745 return -ENOMEM; 746 747 pp = kzalloc(klen, GFP_KERNEL); 748 if (!pp) { 749 kfree(p); 750 return -ENOMEM; 751 } 752 753 memcpy(p, up, ulen); 754 memcpy(pp, up, ulen); 755 756 *replay_esn = p; 757 *preplay_esn = pp; 758 759 return 0; 760 } 761 762 static inline unsigned int xfrm_user_sec_ctx_size(struct xfrm_sec_ctx *xfrm_ctx) 763 { 764 unsigned int len = 0; 765 766 if (xfrm_ctx) { 767 len += sizeof(struct xfrm_user_sec_ctx); 768 len += xfrm_ctx->ctx_len; 769 } 770 return len; 771 } 772 773 static void copy_from_user_state(struct xfrm_state *x, struct xfrm_usersa_info *p) 774 { 775 memcpy(&x->id, &p->id, sizeof(x->id)); 776 memcpy(&x->sel, &p->sel, sizeof(x->sel)); 777 memcpy(&x->lft, &p->lft, sizeof(x->lft)); 778 x->props.mode = p->mode; 779 x->props.replay_window = min_t(unsigned int, p->replay_window, 780 sizeof(x->replay.bitmap) * 8); 781 x->props.reqid = p->reqid; 782 x->props.family = p->family; 783 memcpy(&x->props.saddr, &p->saddr, sizeof(x->props.saddr)); 784 x->props.flags = p->flags; 785 786 if (!x->sel.family && !(p->flags & XFRM_STATE_AF_UNSPEC)) 787 x->sel.family = p->family; 788 } 789 790 /* 791 * someday when pfkey also has support, we could have the code 792 * somehow made shareable and move it to xfrm_state.c - JHS 793 * 794 */ 795 static void xfrm_update_ae_params(struct xfrm_state *x, struct nlattr **attrs, 796 int update_esn) 797 { 798 struct nlattr *rp = attrs[XFRMA_REPLAY_VAL]; 799 struct nlattr *re = update_esn ? attrs[XFRMA_REPLAY_ESN_VAL] : NULL; 800 struct nlattr *lt = attrs[XFRMA_LTIME_VAL]; 801 struct nlattr *et = attrs[XFRMA_ETIMER_THRESH]; 802 struct nlattr *rt = attrs[XFRMA_REPLAY_THRESH]; 803 struct nlattr *mt = attrs[XFRMA_MTIMER_THRESH]; 804 805 if (re && x->replay_esn && x->preplay_esn) { 806 struct xfrm_replay_state_esn *replay_esn; 807 replay_esn = nla_data(re); 808 memcpy(x->replay_esn, replay_esn, 809 xfrm_replay_state_esn_len(replay_esn)); 810 memcpy(x->preplay_esn, replay_esn, 811 xfrm_replay_state_esn_len(replay_esn)); 812 } 813 814 if (rp) { 815 struct xfrm_replay_state *replay; 816 replay = nla_data(rp); 817 memcpy(&x->replay, replay, sizeof(*replay)); 818 memcpy(&x->preplay, replay, sizeof(*replay)); 819 } 820 821 if (lt) { 822 struct xfrm_lifetime_cur *ltime; 823 ltime = nla_data(lt); 824 x->curlft.bytes = ltime->bytes; 825 x->curlft.packets = ltime->packets; 826 x->curlft.add_time = ltime->add_time; 827 x->curlft.use_time = ltime->use_time; 828 } 829 830 if (et) 831 x->replay_maxage = nla_get_u32(et); 832 833 if (rt) 834 x->replay_maxdiff = nla_get_u32(rt); 835 836 if (mt) 837 x->mapping_maxage = nla_get_u32(mt); 838 } 839 840 static void xfrm_smark_init(struct nlattr **attrs, struct xfrm_mark *m) 841 { 842 if (attrs[XFRMA_SET_MARK]) { 843 m->v = nla_get_u32(attrs[XFRMA_SET_MARK]); 844 m->m = nla_get_u32_default(attrs[XFRMA_SET_MARK_MASK], 845 0xffffffff); 846 } else { 847 m->v = m->m = 0; 848 } 849 } 850 851 static struct xfrm_state *xfrm_state_construct(struct net *net, 852 struct xfrm_usersa_info *p, 853 struct nlattr **attrs, 854 int *errp, 855 struct netlink_ext_ack *extack) 856 { 857 struct xfrm_state *x = xfrm_state_alloc(net); 858 int err = -ENOMEM; 859 860 if (!x) 861 goto error_no_put; 862 863 copy_from_user_state(x, p); 864 865 if (attrs[XFRMA_ENCAP]) { 866 x->encap = kmemdup(nla_data(attrs[XFRMA_ENCAP]), 867 sizeof(*x->encap), GFP_KERNEL); 868 if (x->encap == NULL) 869 goto error; 870 } 871 872 if (attrs[XFRMA_COADDR]) { 873 x->coaddr = kmemdup(nla_data(attrs[XFRMA_COADDR]), 874 sizeof(*x->coaddr), GFP_KERNEL); 875 if (x->coaddr == NULL) 876 goto error; 877 } 878 879 if (attrs[XFRMA_SA_EXTRA_FLAGS]) 880 x->props.extra_flags = nla_get_u32(attrs[XFRMA_SA_EXTRA_FLAGS]); 881 882 if ((err = attach_aead(x, attrs[XFRMA_ALG_AEAD], extack))) 883 goto error; 884 if ((err = attach_auth_trunc(&x->aalg, &x->props.aalgo, 885 attrs[XFRMA_ALG_AUTH_TRUNC], extack))) 886 goto error; 887 if (!x->props.aalgo) { 888 if ((err = attach_auth(&x->aalg, &x->props.aalgo, 889 attrs[XFRMA_ALG_AUTH], extack))) 890 goto error; 891 } 892 if ((err = attach_crypt(x, attrs[XFRMA_ALG_CRYPT], extack))) 893 goto error; 894 if ((err = attach_one_algo(&x->calg, &x->props.calgo, 895 xfrm_calg_get_byname, 896 attrs[XFRMA_ALG_COMP], extack))) 897 goto error; 898 899 if (attrs[XFRMA_TFCPAD]) 900 x->tfcpad = nla_get_u32(attrs[XFRMA_TFCPAD]); 901 902 xfrm_mark_get(attrs, &x->mark); 903 904 xfrm_smark_init(attrs, &x->props.smark); 905 906 if (attrs[XFRMA_IF_ID]) 907 x->if_id = nla_get_u32(attrs[XFRMA_IF_ID]); 908 909 if (attrs[XFRMA_SA_DIR]) 910 x->dir = nla_get_u8(attrs[XFRMA_SA_DIR]); 911 912 if (attrs[XFRMA_NAT_KEEPALIVE_INTERVAL]) 913 x->nat_keepalive_interval = 914 nla_get_u32(attrs[XFRMA_NAT_KEEPALIVE_INTERVAL]); 915 916 if (attrs[XFRMA_SA_PCPU]) { 917 x->pcpu_num = nla_get_u32(attrs[XFRMA_SA_PCPU]); 918 if (x->pcpu_num >= num_possible_cpus()) 919 goto error; 920 } 921 922 err = __xfrm_init_state(x, extack); 923 if (err) 924 goto error; 925 926 if (attrs[XFRMA_SEC_CTX]) { 927 err = security_xfrm_state_alloc(x, 928 nla_data(attrs[XFRMA_SEC_CTX])); 929 if (err) 930 goto error; 931 } 932 933 if ((err = xfrm_alloc_replay_state_esn(&x->replay_esn, &x->preplay_esn, 934 attrs[XFRMA_REPLAY_ESN_VAL]))) 935 goto error; 936 937 x->km.seq = p->seq; 938 x->replay_maxdiff = net->xfrm.sysctl_aevent_rseqth; 939 /* sysctl_xfrm_aevent_etime is in 100ms units */ 940 x->replay_maxage = (net->xfrm.sysctl_aevent_etime*HZ)/XFRM_AE_ETH_M; 941 942 if ((err = xfrm_init_replay(x, extack))) 943 goto error; 944 945 /* override default values from above */ 946 xfrm_update_ae_params(x, attrs, 0); 947 948 /* configure the hardware if offload is requested */ 949 if (attrs[XFRMA_OFFLOAD_DEV]) { 950 err = xfrm_dev_state_add(net, x, 951 nla_data(attrs[XFRMA_OFFLOAD_DEV]), 952 extack); 953 if (err) 954 goto error; 955 } 956 957 if (x->mode_cbs && x->mode_cbs->user_init) { 958 err = x->mode_cbs->user_init(net, x, attrs, extack); 959 if (err) 960 goto error; 961 } 962 963 return x; 964 965 error: 966 x->km.state = XFRM_STATE_DEAD; 967 xfrm_state_put(x); 968 error_no_put: 969 *errp = err; 970 return NULL; 971 } 972 973 static int xfrm_add_sa(struct sk_buff *skb, struct nlmsghdr *nlh, 974 struct nlattr **attrs, struct netlink_ext_ack *extack) 975 { 976 struct net *net = sock_net(skb->sk); 977 struct xfrm_usersa_info *p = nlmsg_data(nlh); 978 struct xfrm_state *x; 979 int err; 980 struct km_event c; 981 982 err = verify_newsa_info(p, attrs, extack); 983 if (err) 984 return err; 985 986 x = xfrm_state_construct(net, p, attrs, &err, extack); 987 if (!x) 988 return err; 989 990 xfrm_state_hold(x); 991 if (nlh->nlmsg_type == XFRM_MSG_NEWSA) 992 err = xfrm_state_add(x); 993 else 994 err = xfrm_state_update(x); 995 996 xfrm_audit_state_add(x, err ? 0 : 1, true); 997 998 if (err < 0) { 999 x->km.state = XFRM_STATE_DEAD; 1000 xfrm_dev_state_delete(x); 1001 __xfrm_state_put(x); 1002 goto out; 1003 } 1004 1005 if (x->km.state == XFRM_STATE_VOID) 1006 x->km.state = XFRM_STATE_VALID; 1007 1008 c.seq = nlh->nlmsg_seq; 1009 c.portid = nlh->nlmsg_pid; 1010 c.event = nlh->nlmsg_type; 1011 1012 km_state_notify(x, &c); 1013 out: 1014 xfrm_state_put(x); 1015 return err; 1016 } 1017 1018 static struct xfrm_state *xfrm_user_state_lookup(struct net *net, 1019 struct xfrm_usersa_id *p, 1020 struct nlattr **attrs, 1021 int *errp) 1022 { 1023 struct xfrm_state *x = NULL; 1024 struct xfrm_mark m; 1025 int err; 1026 u32 mark = xfrm_mark_get(attrs, &m); 1027 1028 if (xfrm_id_proto_match(p->proto, IPSEC_PROTO_ANY)) { 1029 err = -ESRCH; 1030 x = xfrm_state_lookup(net, mark, &p->daddr, p->spi, p->proto, p->family); 1031 } else { 1032 xfrm_address_t *saddr = NULL; 1033 1034 verify_one_addr(attrs, XFRMA_SRCADDR, &saddr); 1035 if (!saddr) { 1036 err = -EINVAL; 1037 goto out; 1038 } 1039 1040 err = -ESRCH; 1041 x = xfrm_state_lookup_byaddr(net, mark, 1042 &p->daddr, saddr, 1043 p->proto, p->family); 1044 } 1045 1046 out: 1047 if (!x && errp) 1048 *errp = err; 1049 return x; 1050 } 1051 1052 static int xfrm_del_sa(struct sk_buff *skb, struct nlmsghdr *nlh, 1053 struct nlattr **attrs, struct netlink_ext_ack *extack) 1054 { 1055 struct net *net = sock_net(skb->sk); 1056 struct xfrm_state *x; 1057 int err = -ESRCH; 1058 struct km_event c; 1059 struct xfrm_usersa_id *p = nlmsg_data(nlh); 1060 1061 x = xfrm_user_state_lookup(net, p, attrs, &err); 1062 if (x == NULL) 1063 return err; 1064 1065 if ((err = security_xfrm_state_delete(x)) != 0) 1066 goto out; 1067 1068 if (xfrm_state_kern(x)) { 1069 NL_SET_ERR_MSG(extack, "SA is in use by tunnels"); 1070 err = -EPERM; 1071 goto out; 1072 } 1073 1074 err = xfrm_state_delete(x); 1075 if (err < 0) 1076 goto out; 1077 1078 c.seq = nlh->nlmsg_seq; 1079 c.portid = nlh->nlmsg_pid; 1080 c.event = nlh->nlmsg_type; 1081 km_state_notify(x, &c); 1082 1083 out: 1084 xfrm_audit_state_delete(x, err ? 0 : 1, true); 1085 xfrm_state_put(x); 1086 return err; 1087 } 1088 1089 static void copy_to_user_state(struct xfrm_state *x, struct xfrm_usersa_info *p) 1090 { 1091 memset(p, 0, sizeof(*p)); 1092 memcpy(&p->id, &x->id, sizeof(p->id)); 1093 memcpy(&p->sel, &x->sel, sizeof(p->sel)); 1094 memcpy(&p->lft, &x->lft, sizeof(p->lft)); 1095 if (x->xso.dev) 1096 xfrm_dev_state_update_stats(x); 1097 memcpy(&p->curlft, &x->curlft, sizeof(p->curlft)); 1098 put_unaligned(x->stats.replay_window, &p->stats.replay_window); 1099 put_unaligned(x->stats.replay, &p->stats.replay); 1100 put_unaligned(x->stats.integrity_failed, &p->stats.integrity_failed); 1101 memcpy(&p->saddr, &x->props.saddr, sizeof(p->saddr)); 1102 p->mode = x->props.mode; 1103 p->replay_window = x->props.replay_window; 1104 p->reqid = x->props.reqid; 1105 p->family = x->props.family; 1106 p->flags = x->props.flags; 1107 p->seq = x->km.seq; 1108 } 1109 1110 struct xfrm_dump_info { 1111 struct sk_buff *in_skb; 1112 struct sk_buff *out_skb; 1113 u32 nlmsg_seq; 1114 u16 nlmsg_flags; 1115 }; 1116 1117 static int copy_sec_ctx(struct xfrm_sec_ctx *s, struct sk_buff *skb) 1118 { 1119 struct xfrm_user_sec_ctx *uctx; 1120 struct nlattr *attr; 1121 int ctx_size = sizeof(*uctx) + s->ctx_len; 1122 1123 attr = nla_reserve(skb, XFRMA_SEC_CTX, ctx_size); 1124 if (attr == NULL) 1125 return -EMSGSIZE; 1126 1127 uctx = nla_data(attr); 1128 uctx->exttype = XFRMA_SEC_CTX; 1129 uctx->len = ctx_size; 1130 uctx->ctx_doi = s->ctx_doi; 1131 uctx->ctx_alg = s->ctx_alg; 1132 uctx->ctx_len = s->ctx_len; 1133 memcpy(uctx + 1, s->ctx_str, s->ctx_len); 1134 1135 return 0; 1136 } 1137 1138 static int copy_user_offload(struct xfrm_dev_offload *xso, struct sk_buff *skb) 1139 { 1140 struct xfrm_user_offload *xuo; 1141 struct nlattr *attr; 1142 1143 attr = nla_reserve(skb, XFRMA_OFFLOAD_DEV, sizeof(*xuo)); 1144 if (attr == NULL) 1145 return -EMSGSIZE; 1146 1147 xuo = nla_data(attr); 1148 memset(xuo, 0, sizeof(*xuo)); 1149 xuo->ifindex = xso->dev->ifindex; 1150 if (xso->dir == XFRM_DEV_OFFLOAD_IN) 1151 xuo->flags = XFRM_OFFLOAD_INBOUND; 1152 if (xso->type == XFRM_DEV_OFFLOAD_PACKET) 1153 xuo->flags |= XFRM_OFFLOAD_PACKET; 1154 1155 return 0; 1156 } 1157 1158 static bool xfrm_redact(void) 1159 { 1160 return IS_ENABLED(CONFIG_SECURITY) && 1161 security_locked_down(LOCKDOWN_XFRM_SECRET); 1162 } 1163 1164 static int copy_to_user_auth(struct xfrm_algo_auth *auth, struct sk_buff *skb) 1165 { 1166 struct xfrm_algo *algo; 1167 struct xfrm_algo_auth *ap; 1168 struct nlattr *nla; 1169 bool redact_secret = xfrm_redact(); 1170 1171 nla = nla_reserve(skb, XFRMA_ALG_AUTH, 1172 sizeof(*algo) + (auth->alg_key_len + 7) / 8); 1173 if (!nla) 1174 return -EMSGSIZE; 1175 algo = nla_data(nla); 1176 strscpy_pad(algo->alg_name, auth->alg_name, sizeof(algo->alg_name)); 1177 1178 if (redact_secret && auth->alg_key_len) 1179 memset(algo->alg_key, 0, (auth->alg_key_len + 7) / 8); 1180 else 1181 memcpy(algo->alg_key, auth->alg_key, 1182 (auth->alg_key_len + 7) / 8); 1183 algo->alg_key_len = auth->alg_key_len; 1184 1185 nla = nla_reserve(skb, XFRMA_ALG_AUTH_TRUNC, xfrm_alg_auth_len(auth)); 1186 if (!nla) 1187 return -EMSGSIZE; 1188 ap = nla_data(nla); 1189 strscpy_pad(ap->alg_name, auth->alg_name, sizeof(ap->alg_name)); 1190 ap->alg_key_len = auth->alg_key_len; 1191 ap->alg_trunc_len = auth->alg_trunc_len; 1192 if (redact_secret && auth->alg_key_len) 1193 memset(ap->alg_key, 0, (auth->alg_key_len + 7) / 8); 1194 else 1195 memcpy(ap->alg_key, auth->alg_key, 1196 (auth->alg_key_len + 7) / 8); 1197 return 0; 1198 } 1199 1200 static int copy_to_user_aead(struct xfrm_algo_aead *aead, struct sk_buff *skb) 1201 { 1202 struct nlattr *nla = nla_reserve(skb, XFRMA_ALG_AEAD, aead_len(aead)); 1203 struct xfrm_algo_aead *ap; 1204 bool redact_secret = xfrm_redact(); 1205 1206 if (!nla) 1207 return -EMSGSIZE; 1208 1209 ap = nla_data(nla); 1210 strscpy_pad(ap->alg_name, aead->alg_name, sizeof(ap->alg_name)); 1211 ap->alg_key_len = aead->alg_key_len; 1212 ap->alg_icv_len = aead->alg_icv_len; 1213 1214 if (redact_secret && aead->alg_key_len) 1215 memset(ap->alg_key, 0, (aead->alg_key_len + 7) / 8); 1216 else 1217 memcpy(ap->alg_key, aead->alg_key, 1218 (aead->alg_key_len + 7) / 8); 1219 return 0; 1220 } 1221 1222 static int copy_to_user_ealg(struct xfrm_algo *ealg, struct sk_buff *skb) 1223 { 1224 struct xfrm_algo *ap; 1225 bool redact_secret = xfrm_redact(); 1226 struct nlattr *nla = nla_reserve(skb, XFRMA_ALG_CRYPT, 1227 xfrm_alg_len(ealg)); 1228 if (!nla) 1229 return -EMSGSIZE; 1230 1231 ap = nla_data(nla); 1232 strscpy_pad(ap->alg_name, ealg->alg_name, sizeof(ap->alg_name)); 1233 ap->alg_key_len = ealg->alg_key_len; 1234 1235 if (redact_secret && ealg->alg_key_len) 1236 memset(ap->alg_key, 0, (ealg->alg_key_len + 7) / 8); 1237 else 1238 memcpy(ap->alg_key, ealg->alg_key, 1239 (ealg->alg_key_len + 7) / 8); 1240 1241 return 0; 1242 } 1243 1244 static int copy_to_user_calg(struct xfrm_algo *calg, struct sk_buff *skb) 1245 { 1246 struct nlattr *nla = nla_reserve(skb, XFRMA_ALG_COMP, sizeof(*calg)); 1247 struct xfrm_algo *ap; 1248 1249 if (!nla) 1250 return -EMSGSIZE; 1251 1252 ap = nla_data(nla); 1253 strscpy_pad(ap->alg_name, calg->alg_name, sizeof(ap->alg_name)); 1254 ap->alg_key_len = 0; 1255 1256 return 0; 1257 } 1258 1259 static int copy_to_user_encap(struct xfrm_encap_tmpl *ep, struct sk_buff *skb) 1260 { 1261 struct nlattr *nla = nla_reserve(skb, XFRMA_ENCAP, sizeof(*ep)); 1262 struct xfrm_encap_tmpl *uep; 1263 1264 if (!nla) 1265 return -EMSGSIZE; 1266 1267 uep = nla_data(nla); 1268 memset(uep, 0, sizeof(*uep)); 1269 1270 uep->encap_type = ep->encap_type; 1271 uep->encap_sport = ep->encap_sport; 1272 uep->encap_dport = ep->encap_dport; 1273 uep->encap_oa = ep->encap_oa; 1274 1275 return 0; 1276 } 1277 1278 static int xfrm_smark_put(struct sk_buff *skb, struct xfrm_mark *m) 1279 { 1280 int ret = 0; 1281 1282 if (m->v | m->m) { 1283 ret = nla_put_u32(skb, XFRMA_SET_MARK, m->v); 1284 if (!ret) 1285 ret = nla_put_u32(skb, XFRMA_SET_MARK_MASK, m->m); 1286 } 1287 return ret; 1288 } 1289 1290 /* Don't change this without updating xfrm_sa_len! */ 1291 static int copy_to_user_state_extra(struct xfrm_state *x, 1292 struct xfrm_usersa_info *p, 1293 struct sk_buff *skb) 1294 { 1295 int ret = 0; 1296 1297 copy_to_user_state(x, p); 1298 1299 if (x->props.extra_flags) { 1300 ret = nla_put_u32(skb, XFRMA_SA_EXTRA_FLAGS, 1301 x->props.extra_flags); 1302 if (ret) 1303 goto out; 1304 } 1305 1306 if (x->coaddr) { 1307 ret = nla_put(skb, XFRMA_COADDR, sizeof(*x->coaddr), x->coaddr); 1308 if (ret) 1309 goto out; 1310 } 1311 if (x->lastused) { 1312 ret = nla_put_u64_64bit(skb, XFRMA_LASTUSED, x->lastused, 1313 XFRMA_PAD); 1314 if (ret) 1315 goto out; 1316 } 1317 if (x->aead) { 1318 ret = copy_to_user_aead(x->aead, skb); 1319 if (ret) 1320 goto out; 1321 } 1322 if (x->aalg) { 1323 ret = copy_to_user_auth(x->aalg, skb); 1324 if (ret) 1325 goto out; 1326 } 1327 if (x->ealg) { 1328 ret = copy_to_user_ealg(x->ealg, skb); 1329 if (ret) 1330 goto out; 1331 } 1332 if (x->calg) { 1333 ret = copy_to_user_calg(x->calg, skb); 1334 if (ret) 1335 goto out; 1336 } 1337 if (x->encap) { 1338 ret = copy_to_user_encap(x->encap, skb); 1339 if (ret) 1340 goto out; 1341 } 1342 if (x->tfcpad) { 1343 ret = nla_put_u32(skb, XFRMA_TFCPAD, x->tfcpad); 1344 if (ret) 1345 goto out; 1346 } 1347 ret = xfrm_mark_put(skb, &x->mark); 1348 if (ret) 1349 goto out; 1350 1351 ret = xfrm_smark_put(skb, &x->props.smark); 1352 if (ret) 1353 goto out; 1354 1355 if (x->replay_esn) 1356 ret = nla_put(skb, XFRMA_REPLAY_ESN_VAL, 1357 xfrm_replay_state_esn_len(x->replay_esn), 1358 x->replay_esn); 1359 else 1360 ret = nla_put(skb, XFRMA_REPLAY_VAL, sizeof(x->replay), 1361 &x->replay); 1362 if (ret) 1363 goto out; 1364 if(x->xso.dev) 1365 ret = copy_user_offload(&x->xso, skb); 1366 if (ret) 1367 goto out; 1368 if (x->if_id) { 1369 ret = nla_put_u32(skb, XFRMA_IF_ID, x->if_id); 1370 if (ret) 1371 goto out; 1372 } 1373 if (x->security) { 1374 ret = copy_sec_ctx(x->security, skb); 1375 if (ret) 1376 goto out; 1377 } 1378 if (x->mode_cbs && x->mode_cbs->copy_to_user) 1379 ret = x->mode_cbs->copy_to_user(x, skb); 1380 if (ret) 1381 goto out; 1382 if (x->mapping_maxage) { 1383 ret = nla_put_u32(skb, XFRMA_MTIMER_THRESH, x->mapping_maxage); 1384 if (ret) 1385 goto out; 1386 } 1387 if (x->pcpu_num != UINT_MAX) { 1388 ret = nla_put_u32(skb, XFRMA_SA_PCPU, x->pcpu_num); 1389 if (ret) 1390 goto out; 1391 } 1392 if (x->dir) 1393 ret = nla_put_u8(skb, XFRMA_SA_DIR, x->dir); 1394 1395 if (x->nat_keepalive_interval) { 1396 ret = nla_put_u32(skb, XFRMA_NAT_KEEPALIVE_INTERVAL, 1397 x->nat_keepalive_interval); 1398 if (ret) 1399 goto out; 1400 } 1401 out: 1402 return ret; 1403 } 1404 1405 static int dump_one_state(struct xfrm_state *x, int count, void *ptr) 1406 { 1407 struct xfrm_dump_info *sp = ptr; 1408 struct sk_buff *in_skb = sp->in_skb; 1409 struct sk_buff *skb = sp->out_skb; 1410 struct xfrm_translator *xtr; 1411 struct xfrm_usersa_info *p; 1412 struct nlmsghdr *nlh; 1413 int err; 1414 1415 nlh = nlmsg_put(skb, NETLINK_CB(in_skb).portid, sp->nlmsg_seq, 1416 XFRM_MSG_NEWSA, sizeof(*p), sp->nlmsg_flags); 1417 if (nlh == NULL) 1418 return -EMSGSIZE; 1419 1420 p = nlmsg_data(nlh); 1421 1422 err = copy_to_user_state_extra(x, p, skb); 1423 if (err) { 1424 nlmsg_cancel(skb, nlh); 1425 return err; 1426 } 1427 nlmsg_end(skb, nlh); 1428 1429 xtr = xfrm_get_translator(); 1430 if (xtr) { 1431 err = xtr->alloc_compat(skb, nlh); 1432 1433 xfrm_put_translator(xtr); 1434 if (err) { 1435 nlmsg_cancel(skb, nlh); 1436 return err; 1437 } 1438 } 1439 1440 return 0; 1441 } 1442 1443 static int xfrm_dump_sa_done(struct netlink_callback *cb) 1444 { 1445 struct xfrm_state_walk *walk = (struct xfrm_state_walk *) &cb->args[1]; 1446 struct sock *sk = cb->skb->sk; 1447 struct net *net = sock_net(sk); 1448 1449 if (cb->args[0]) 1450 xfrm_state_walk_done(walk, net); 1451 return 0; 1452 } 1453 1454 static int xfrm_dump_sa(struct sk_buff *skb, struct netlink_callback *cb) 1455 { 1456 struct net *net = sock_net(skb->sk); 1457 struct xfrm_state_walk *walk = (struct xfrm_state_walk *) &cb->args[1]; 1458 struct xfrm_dump_info info; 1459 1460 BUILD_BUG_ON(sizeof(struct xfrm_state_walk) > 1461 sizeof(cb->args) - sizeof(cb->args[0])); 1462 1463 info.in_skb = cb->skb; 1464 info.out_skb = skb; 1465 info.nlmsg_seq = cb->nlh->nlmsg_seq; 1466 info.nlmsg_flags = NLM_F_MULTI; 1467 1468 if (!cb->args[0]) { 1469 struct nlattr *attrs[XFRMA_MAX+1]; 1470 struct xfrm_address_filter *filter = NULL; 1471 u8 proto = 0; 1472 int err; 1473 1474 err = nlmsg_parse_deprecated(cb->nlh, 0, attrs, XFRMA_MAX, 1475 xfrma_policy, cb->extack); 1476 if (err < 0) 1477 return err; 1478 1479 if (attrs[XFRMA_ADDRESS_FILTER]) { 1480 filter = kmemdup(nla_data(attrs[XFRMA_ADDRESS_FILTER]), 1481 sizeof(*filter), GFP_KERNEL); 1482 if (filter == NULL) 1483 return -ENOMEM; 1484 1485 /* see addr_match(), (prefix length >> 5) << 2 1486 * will be used to compare xfrm_address_t 1487 */ 1488 if (filter->splen > (sizeof(xfrm_address_t) << 3) || 1489 filter->dplen > (sizeof(xfrm_address_t) << 3)) { 1490 kfree(filter); 1491 return -EINVAL; 1492 } 1493 } 1494 1495 if (attrs[XFRMA_PROTO]) 1496 proto = nla_get_u8(attrs[XFRMA_PROTO]); 1497 1498 xfrm_state_walk_init(walk, proto, filter); 1499 cb->args[0] = 1; 1500 } 1501 1502 (void) xfrm_state_walk(net, walk, dump_one_state, &info); 1503 1504 return skb->len; 1505 } 1506 1507 static struct sk_buff *xfrm_state_netlink(struct sk_buff *in_skb, 1508 struct xfrm_state *x, u32 seq) 1509 { 1510 struct xfrm_dump_info info; 1511 struct sk_buff *skb; 1512 int err; 1513 1514 skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC); 1515 if (!skb) 1516 return ERR_PTR(-ENOMEM); 1517 1518 info.in_skb = in_skb; 1519 info.out_skb = skb; 1520 info.nlmsg_seq = seq; 1521 info.nlmsg_flags = 0; 1522 1523 err = dump_one_state(x, 0, &info); 1524 if (err) { 1525 kfree_skb(skb); 1526 return ERR_PTR(err); 1527 } 1528 1529 return skb; 1530 } 1531 1532 /* A wrapper for nlmsg_multicast() checking that nlsk is still available. 1533 * Must be called with RCU read lock. 1534 */ 1535 static inline int xfrm_nlmsg_multicast(struct net *net, struct sk_buff *skb, 1536 u32 pid, unsigned int group) 1537 { 1538 struct sock *nlsk = rcu_dereference(net->xfrm.nlsk); 1539 struct xfrm_translator *xtr; 1540 1541 if (!nlsk) { 1542 kfree_skb(skb); 1543 return -EPIPE; 1544 } 1545 1546 xtr = xfrm_get_translator(); 1547 if (xtr) { 1548 int err = xtr->alloc_compat(skb, nlmsg_hdr(skb)); 1549 1550 xfrm_put_translator(xtr); 1551 if (err) { 1552 kfree_skb(skb); 1553 return err; 1554 } 1555 } 1556 1557 return nlmsg_multicast(nlsk, skb, pid, group, GFP_ATOMIC); 1558 } 1559 1560 static inline unsigned int xfrm_spdinfo_msgsize(void) 1561 { 1562 return NLMSG_ALIGN(4) 1563 + nla_total_size(sizeof(struct xfrmu_spdinfo)) 1564 + nla_total_size(sizeof(struct xfrmu_spdhinfo)) 1565 + nla_total_size(sizeof(struct xfrmu_spdhthresh)) 1566 + nla_total_size(sizeof(struct xfrmu_spdhthresh)); 1567 } 1568 1569 static int build_spdinfo(struct sk_buff *skb, struct net *net, 1570 u32 portid, u32 seq, u32 flags) 1571 { 1572 struct xfrmk_spdinfo si; 1573 struct xfrmu_spdinfo spc; 1574 struct xfrmu_spdhinfo sph; 1575 struct xfrmu_spdhthresh spt4, spt6; 1576 struct nlmsghdr *nlh; 1577 int err; 1578 u32 *f; 1579 unsigned lseq; 1580 1581 nlh = nlmsg_put(skb, portid, seq, XFRM_MSG_NEWSPDINFO, sizeof(u32), 0); 1582 if (nlh == NULL) /* shouldn't really happen ... */ 1583 return -EMSGSIZE; 1584 1585 f = nlmsg_data(nlh); 1586 *f = flags; 1587 xfrm_spd_getinfo(net, &si); 1588 spc.incnt = si.incnt; 1589 spc.outcnt = si.outcnt; 1590 spc.fwdcnt = si.fwdcnt; 1591 spc.inscnt = si.inscnt; 1592 spc.outscnt = si.outscnt; 1593 spc.fwdscnt = si.fwdscnt; 1594 sph.spdhcnt = si.spdhcnt; 1595 sph.spdhmcnt = si.spdhmcnt; 1596 1597 do { 1598 lseq = read_seqbegin(&net->xfrm.policy_hthresh.lock); 1599 1600 spt4.lbits = net->xfrm.policy_hthresh.lbits4; 1601 spt4.rbits = net->xfrm.policy_hthresh.rbits4; 1602 spt6.lbits = net->xfrm.policy_hthresh.lbits6; 1603 spt6.rbits = net->xfrm.policy_hthresh.rbits6; 1604 } while (read_seqretry(&net->xfrm.policy_hthresh.lock, lseq)); 1605 1606 err = nla_put(skb, XFRMA_SPD_INFO, sizeof(spc), &spc); 1607 if (!err) 1608 err = nla_put(skb, XFRMA_SPD_HINFO, sizeof(sph), &sph); 1609 if (!err) 1610 err = nla_put(skb, XFRMA_SPD_IPV4_HTHRESH, sizeof(spt4), &spt4); 1611 if (!err) 1612 err = nla_put(skb, XFRMA_SPD_IPV6_HTHRESH, sizeof(spt6), &spt6); 1613 if (err) { 1614 nlmsg_cancel(skb, nlh); 1615 return err; 1616 } 1617 1618 nlmsg_end(skb, nlh); 1619 return 0; 1620 } 1621 1622 static int xfrm_set_spdinfo(struct sk_buff *skb, struct nlmsghdr *nlh, 1623 struct nlattr **attrs, 1624 struct netlink_ext_ack *extack) 1625 { 1626 struct net *net = sock_net(skb->sk); 1627 struct xfrmu_spdhthresh *thresh4 = NULL; 1628 struct xfrmu_spdhthresh *thresh6 = NULL; 1629 1630 /* selector prefixlen thresholds to hash policies */ 1631 if (attrs[XFRMA_SPD_IPV4_HTHRESH]) { 1632 struct nlattr *rta = attrs[XFRMA_SPD_IPV4_HTHRESH]; 1633 1634 if (nla_len(rta) < sizeof(*thresh4)) { 1635 NL_SET_ERR_MSG(extack, "Invalid SPD_IPV4_HTHRESH attribute length"); 1636 return -EINVAL; 1637 } 1638 thresh4 = nla_data(rta); 1639 if (thresh4->lbits > 32 || thresh4->rbits > 32) { 1640 NL_SET_ERR_MSG(extack, "Invalid hash threshold (must be <= 32 for IPv4)"); 1641 return -EINVAL; 1642 } 1643 } 1644 if (attrs[XFRMA_SPD_IPV6_HTHRESH]) { 1645 struct nlattr *rta = attrs[XFRMA_SPD_IPV6_HTHRESH]; 1646 1647 if (nla_len(rta) < sizeof(*thresh6)) { 1648 NL_SET_ERR_MSG(extack, "Invalid SPD_IPV6_HTHRESH attribute length"); 1649 return -EINVAL; 1650 } 1651 thresh6 = nla_data(rta); 1652 if (thresh6->lbits > 128 || thresh6->rbits > 128) { 1653 NL_SET_ERR_MSG(extack, "Invalid hash threshold (must be <= 128 for IPv6)"); 1654 return -EINVAL; 1655 } 1656 } 1657 1658 if (thresh4 || thresh6) { 1659 write_seqlock(&net->xfrm.policy_hthresh.lock); 1660 if (thresh4) { 1661 net->xfrm.policy_hthresh.lbits4 = thresh4->lbits; 1662 net->xfrm.policy_hthresh.rbits4 = thresh4->rbits; 1663 } 1664 if (thresh6) { 1665 net->xfrm.policy_hthresh.lbits6 = thresh6->lbits; 1666 net->xfrm.policy_hthresh.rbits6 = thresh6->rbits; 1667 } 1668 write_sequnlock(&net->xfrm.policy_hthresh.lock); 1669 1670 xfrm_policy_hash_rebuild(net); 1671 } 1672 1673 return 0; 1674 } 1675 1676 static int xfrm_get_spdinfo(struct sk_buff *skb, struct nlmsghdr *nlh, 1677 struct nlattr **attrs, 1678 struct netlink_ext_ack *extack) 1679 { 1680 struct net *net = sock_net(skb->sk); 1681 struct sk_buff *r_skb; 1682 u32 *flags = nlmsg_data(nlh); 1683 u32 sportid = NETLINK_CB(skb).portid; 1684 u32 seq = nlh->nlmsg_seq; 1685 int err; 1686 1687 r_skb = nlmsg_new(xfrm_spdinfo_msgsize(), GFP_ATOMIC); 1688 if (r_skb == NULL) 1689 return -ENOMEM; 1690 1691 err = build_spdinfo(r_skb, net, sportid, seq, *flags); 1692 BUG_ON(err < 0); 1693 1694 return nlmsg_unicast(net->xfrm.nlsk, r_skb, sportid); 1695 } 1696 1697 static inline unsigned int xfrm_sadinfo_msgsize(void) 1698 { 1699 return NLMSG_ALIGN(4) 1700 + nla_total_size(sizeof(struct xfrmu_sadhinfo)) 1701 + nla_total_size(4); /* XFRMA_SAD_CNT */ 1702 } 1703 1704 static int build_sadinfo(struct sk_buff *skb, struct net *net, 1705 u32 portid, u32 seq, u32 flags) 1706 { 1707 struct xfrmk_sadinfo si; 1708 struct xfrmu_sadhinfo sh; 1709 struct nlmsghdr *nlh; 1710 int err; 1711 u32 *f; 1712 1713 nlh = nlmsg_put(skb, portid, seq, XFRM_MSG_NEWSADINFO, sizeof(u32), 0); 1714 if (nlh == NULL) /* shouldn't really happen ... */ 1715 return -EMSGSIZE; 1716 1717 f = nlmsg_data(nlh); 1718 *f = flags; 1719 xfrm_sad_getinfo(net, &si); 1720 1721 sh.sadhmcnt = si.sadhmcnt; 1722 sh.sadhcnt = si.sadhcnt; 1723 1724 err = nla_put_u32(skb, XFRMA_SAD_CNT, si.sadcnt); 1725 if (!err) 1726 err = nla_put(skb, XFRMA_SAD_HINFO, sizeof(sh), &sh); 1727 if (err) { 1728 nlmsg_cancel(skb, nlh); 1729 return err; 1730 } 1731 1732 nlmsg_end(skb, nlh); 1733 return 0; 1734 } 1735 1736 static int xfrm_get_sadinfo(struct sk_buff *skb, struct nlmsghdr *nlh, 1737 struct nlattr **attrs, 1738 struct netlink_ext_ack *extack) 1739 { 1740 struct net *net = sock_net(skb->sk); 1741 struct sk_buff *r_skb; 1742 u32 *flags = nlmsg_data(nlh); 1743 u32 sportid = NETLINK_CB(skb).portid; 1744 u32 seq = nlh->nlmsg_seq; 1745 int err; 1746 1747 r_skb = nlmsg_new(xfrm_sadinfo_msgsize(), GFP_ATOMIC); 1748 if (r_skb == NULL) 1749 return -ENOMEM; 1750 1751 err = build_sadinfo(r_skb, net, sportid, seq, *flags); 1752 BUG_ON(err < 0); 1753 1754 return nlmsg_unicast(net->xfrm.nlsk, r_skb, sportid); 1755 } 1756 1757 static int xfrm_get_sa(struct sk_buff *skb, struct nlmsghdr *nlh, 1758 struct nlattr **attrs, struct netlink_ext_ack *extack) 1759 { 1760 struct net *net = sock_net(skb->sk); 1761 struct xfrm_usersa_id *p = nlmsg_data(nlh); 1762 struct xfrm_state *x; 1763 struct sk_buff *resp_skb; 1764 int err = -ESRCH; 1765 1766 x = xfrm_user_state_lookup(net, p, attrs, &err); 1767 if (x == NULL) 1768 goto out_noput; 1769 1770 resp_skb = xfrm_state_netlink(skb, x, nlh->nlmsg_seq); 1771 if (IS_ERR(resp_skb)) { 1772 err = PTR_ERR(resp_skb); 1773 } else { 1774 err = nlmsg_unicast(net->xfrm.nlsk, resp_skb, NETLINK_CB(skb).portid); 1775 } 1776 xfrm_state_put(x); 1777 out_noput: 1778 return err; 1779 } 1780 1781 static int xfrm_alloc_userspi(struct sk_buff *skb, struct nlmsghdr *nlh, 1782 struct nlattr **attrs, 1783 struct netlink_ext_ack *extack) 1784 { 1785 struct net *net = sock_net(skb->sk); 1786 struct xfrm_state *x; 1787 struct xfrm_userspi_info *p; 1788 struct xfrm_translator *xtr; 1789 struct sk_buff *resp_skb; 1790 xfrm_address_t *daddr; 1791 int family; 1792 int err; 1793 u32 mark; 1794 struct xfrm_mark m; 1795 u32 if_id = 0; 1796 u32 pcpu_num = UINT_MAX; 1797 1798 p = nlmsg_data(nlh); 1799 err = verify_spi_info(p->info.id.proto, p->min, p->max, extack); 1800 if (err) 1801 goto out_noput; 1802 1803 family = p->info.family; 1804 daddr = &p->info.id.daddr; 1805 1806 x = NULL; 1807 1808 mark = xfrm_mark_get(attrs, &m); 1809 1810 if (attrs[XFRMA_IF_ID]) 1811 if_id = nla_get_u32(attrs[XFRMA_IF_ID]); 1812 1813 if (attrs[XFRMA_SA_PCPU]) { 1814 pcpu_num = nla_get_u32(attrs[XFRMA_SA_PCPU]); 1815 if (pcpu_num >= num_possible_cpus()) { 1816 err = -EINVAL; 1817 goto out_noput; 1818 } 1819 } 1820 1821 if (p->info.seq) { 1822 x = xfrm_find_acq_byseq(net, mark, p->info.seq, pcpu_num); 1823 if (x && !xfrm_addr_equal(&x->id.daddr, daddr, family)) { 1824 xfrm_state_put(x); 1825 x = NULL; 1826 } 1827 } 1828 1829 if (!x) 1830 x = xfrm_find_acq(net, &m, p->info.mode, p->info.reqid, 1831 if_id, pcpu_num, p->info.id.proto, daddr, 1832 &p->info.saddr, 1, 1833 family); 1834 err = -ENOENT; 1835 if (!x) { 1836 NL_SET_ERR_MSG(extack, "Target ACQUIRE not found"); 1837 goto out_noput; 1838 } 1839 1840 err = xfrm_alloc_spi(x, p->min, p->max, extack); 1841 if (err) 1842 goto out; 1843 1844 if (attrs[XFRMA_SA_DIR]) 1845 x->dir = nla_get_u8(attrs[XFRMA_SA_DIR]); 1846 1847 resp_skb = xfrm_state_netlink(skb, x, nlh->nlmsg_seq); 1848 if (IS_ERR(resp_skb)) { 1849 err = PTR_ERR(resp_skb); 1850 goto out; 1851 } 1852 1853 xtr = xfrm_get_translator(); 1854 if (xtr) { 1855 err = xtr->alloc_compat(skb, nlmsg_hdr(skb)); 1856 1857 xfrm_put_translator(xtr); 1858 if (err) { 1859 kfree_skb(resp_skb); 1860 goto out; 1861 } 1862 } 1863 1864 err = nlmsg_unicast(net->xfrm.nlsk, resp_skb, NETLINK_CB(skb).portid); 1865 1866 out: 1867 xfrm_state_put(x); 1868 out_noput: 1869 return err; 1870 } 1871 1872 static int verify_policy_dir(u8 dir, struct netlink_ext_ack *extack) 1873 { 1874 switch (dir) { 1875 case XFRM_POLICY_IN: 1876 case XFRM_POLICY_OUT: 1877 case XFRM_POLICY_FWD: 1878 break; 1879 1880 default: 1881 NL_SET_ERR_MSG(extack, "Invalid policy direction"); 1882 return -EINVAL; 1883 } 1884 1885 return 0; 1886 } 1887 1888 static int verify_policy_type(u8 type, struct netlink_ext_ack *extack) 1889 { 1890 switch (type) { 1891 case XFRM_POLICY_TYPE_MAIN: 1892 #ifdef CONFIG_XFRM_SUB_POLICY 1893 case XFRM_POLICY_TYPE_SUB: 1894 #endif 1895 break; 1896 1897 default: 1898 NL_SET_ERR_MSG(extack, "Invalid policy type"); 1899 return -EINVAL; 1900 } 1901 1902 return 0; 1903 } 1904 1905 static int verify_newpolicy_info(struct xfrm_userpolicy_info *p, 1906 struct netlink_ext_ack *extack) 1907 { 1908 int ret; 1909 1910 switch (p->share) { 1911 case XFRM_SHARE_ANY: 1912 case XFRM_SHARE_SESSION: 1913 case XFRM_SHARE_USER: 1914 case XFRM_SHARE_UNIQUE: 1915 break; 1916 1917 default: 1918 NL_SET_ERR_MSG(extack, "Invalid policy share"); 1919 return -EINVAL; 1920 } 1921 1922 switch (p->action) { 1923 case XFRM_POLICY_ALLOW: 1924 case XFRM_POLICY_BLOCK: 1925 break; 1926 1927 default: 1928 NL_SET_ERR_MSG(extack, "Invalid policy action"); 1929 return -EINVAL; 1930 } 1931 1932 switch (p->sel.family) { 1933 case AF_INET: 1934 if (p->sel.prefixlen_d > 32 || p->sel.prefixlen_s > 32) { 1935 NL_SET_ERR_MSG(extack, "Invalid prefix length in selector (must be <= 32 for IPv4)"); 1936 return -EINVAL; 1937 } 1938 1939 break; 1940 1941 case AF_INET6: 1942 #if IS_ENABLED(CONFIG_IPV6) 1943 if (p->sel.prefixlen_d > 128 || p->sel.prefixlen_s > 128) { 1944 NL_SET_ERR_MSG(extack, "Invalid prefix length in selector (must be <= 128 for IPv6)"); 1945 return -EINVAL; 1946 } 1947 1948 break; 1949 #else 1950 NL_SET_ERR_MSG(extack, "IPv6 support disabled"); 1951 return -EAFNOSUPPORT; 1952 #endif 1953 1954 default: 1955 NL_SET_ERR_MSG(extack, "Invalid selector family"); 1956 return -EINVAL; 1957 } 1958 1959 ret = verify_policy_dir(p->dir, extack); 1960 if (ret) 1961 return ret; 1962 if (p->index && (xfrm_policy_id2dir(p->index) != p->dir)) { 1963 NL_SET_ERR_MSG(extack, "Policy index doesn't match direction"); 1964 return -EINVAL; 1965 } 1966 1967 return 0; 1968 } 1969 1970 static int copy_from_user_sec_ctx(struct xfrm_policy *pol, struct nlattr **attrs) 1971 { 1972 struct nlattr *rt = attrs[XFRMA_SEC_CTX]; 1973 struct xfrm_user_sec_ctx *uctx; 1974 1975 if (!rt) 1976 return 0; 1977 1978 uctx = nla_data(rt); 1979 return security_xfrm_policy_alloc(&pol->security, uctx, GFP_KERNEL); 1980 } 1981 1982 static void copy_templates(struct xfrm_policy *xp, struct xfrm_user_tmpl *ut, 1983 int nr) 1984 { 1985 int i; 1986 1987 xp->xfrm_nr = nr; 1988 for (i = 0; i < nr; i++, ut++) { 1989 struct xfrm_tmpl *t = &xp->xfrm_vec[i]; 1990 1991 memcpy(&t->id, &ut->id, sizeof(struct xfrm_id)); 1992 memcpy(&t->saddr, &ut->saddr, 1993 sizeof(xfrm_address_t)); 1994 t->reqid = ut->reqid; 1995 t->mode = ut->mode; 1996 t->share = ut->share; 1997 t->optional = ut->optional; 1998 t->aalgos = ut->aalgos; 1999 t->ealgos = ut->ealgos; 2000 t->calgos = ut->calgos; 2001 /* If all masks are ~0, then we allow all algorithms. */ 2002 t->allalgs = !~(t->aalgos & t->ealgos & t->calgos); 2003 t->encap_family = ut->family; 2004 } 2005 } 2006 2007 static int validate_tmpl(int nr, struct xfrm_user_tmpl *ut, u16 family, 2008 int dir, struct netlink_ext_ack *extack) 2009 { 2010 u16 prev_family; 2011 int i; 2012 2013 if (nr > XFRM_MAX_DEPTH) { 2014 NL_SET_ERR_MSG(extack, "Template count must be <= XFRM_MAX_DEPTH (" __stringify(XFRM_MAX_DEPTH) ")"); 2015 return -EINVAL; 2016 } 2017 2018 prev_family = family; 2019 2020 for (i = 0; i < nr; i++) { 2021 /* We never validated the ut->family value, so many 2022 * applications simply leave it at zero. The check was 2023 * never made and ut->family was ignored because all 2024 * templates could be assumed to have the same family as 2025 * the policy itself. Now that we will have ipv4-in-ipv6 2026 * and ipv6-in-ipv4 tunnels, this is no longer true. 2027 */ 2028 if (!ut[i].family) 2029 ut[i].family = family; 2030 2031 switch (ut[i].mode) { 2032 case XFRM_MODE_TUNNEL: 2033 case XFRM_MODE_BEET: 2034 if (ut[i].optional && dir == XFRM_POLICY_OUT) { 2035 NL_SET_ERR_MSG(extack, "Mode in optional template not allowed in outbound policy"); 2036 return -EINVAL; 2037 } 2038 break; 2039 case XFRM_MODE_IPTFS: 2040 break; 2041 default: 2042 if (ut[i].family != prev_family) { 2043 NL_SET_ERR_MSG(extack, "Mode in template doesn't support a family change"); 2044 return -EINVAL; 2045 } 2046 break; 2047 } 2048 if (ut[i].mode >= XFRM_MODE_MAX) { 2049 NL_SET_ERR_MSG(extack, "Mode in template must be < XFRM_MODE_MAX (" __stringify(XFRM_MODE_MAX) ")"); 2050 return -EINVAL; 2051 } 2052 2053 prev_family = ut[i].family; 2054 2055 switch (ut[i].family) { 2056 case AF_INET: 2057 break; 2058 #if IS_ENABLED(CONFIG_IPV6) 2059 case AF_INET6: 2060 break; 2061 #endif 2062 default: 2063 NL_SET_ERR_MSG(extack, "Invalid family in template"); 2064 return -EINVAL; 2065 } 2066 2067 if (!xfrm_id_proto_valid(ut[i].id.proto)) { 2068 NL_SET_ERR_MSG(extack, "Invalid XFRM protocol in template"); 2069 return -EINVAL; 2070 } 2071 } 2072 2073 return 0; 2074 } 2075 2076 static int copy_from_user_tmpl(struct xfrm_policy *pol, struct nlattr **attrs, 2077 int dir, struct netlink_ext_ack *extack) 2078 { 2079 struct nlattr *rt = attrs[XFRMA_TMPL]; 2080 2081 if (!rt) { 2082 pol->xfrm_nr = 0; 2083 } else { 2084 struct xfrm_user_tmpl *utmpl = nla_data(rt); 2085 int nr = nla_len(rt) / sizeof(*utmpl); 2086 int err; 2087 2088 err = validate_tmpl(nr, utmpl, pol->family, dir, extack); 2089 if (err) 2090 return err; 2091 2092 copy_templates(pol, utmpl, nr); 2093 } 2094 return 0; 2095 } 2096 2097 static int copy_from_user_policy_type(u8 *tp, struct nlattr **attrs, 2098 struct netlink_ext_ack *extack) 2099 { 2100 struct nlattr *rt = attrs[XFRMA_POLICY_TYPE]; 2101 struct xfrm_userpolicy_type *upt; 2102 u8 type = XFRM_POLICY_TYPE_MAIN; 2103 int err; 2104 2105 if (rt) { 2106 upt = nla_data(rt); 2107 type = upt->type; 2108 } 2109 2110 err = verify_policy_type(type, extack); 2111 if (err) 2112 return err; 2113 2114 *tp = type; 2115 return 0; 2116 } 2117 2118 static void copy_from_user_policy(struct xfrm_policy *xp, struct xfrm_userpolicy_info *p) 2119 { 2120 xp->priority = p->priority; 2121 xp->index = p->index; 2122 memcpy(&xp->selector, &p->sel, sizeof(xp->selector)); 2123 memcpy(&xp->lft, &p->lft, sizeof(xp->lft)); 2124 xp->action = p->action; 2125 xp->flags = p->flags; 2126 xp->family = p->sel.family; 2127 /* XXX xp->share = p->share; */ 2128 } 2129 2130 static void copy_to_user_policy(struct xfrm_policy *xp, struct xfrm_userpolicy_info *p, int dir) 2131 { 2132 memset(p, 0, sizeof(*p)); 2133 memcpy(&p->sel, &xp->selector, sizeof(p->sel)); 2134 memcpy(&p->lft, &xp->lft, sizeof(p->lft)); 2135 memcpy(&p->curlft, &xp->curlft, sizeof(p->curlft)); 2136 p->priority = xp->priority; 2137 p->index = xp->index; 2138 p->sel.family = xp->family; 2139 p->dir = dir; 2140 p->action = xp->action; 2141 p->flags = xp->flags; 2142 p->share = XFRM_SHARE_ANY; /* XXX xp->share */ 2143 } 2144 2145 static struct xfrm_policy *xfrm_policy_construct(struct net *net, 2146 struct xfrm_userpolicy_info *p, 2147 struct nlattr **attrs, 2148 int *errp, 2149 struct netlink_ext_ack *extack) 2150 { 2151 struct xfrm_policy *xp = xfrm_policy_alloc(net, GFP_KERNEL); 2152 int err; 2153 2154 if (!xp) { 2155 *errp = -ENOMEM; 2156 return NULL; 2157 } 2158 2159 copy_from_user_policy(xp, p); 2160 2161 err = copy_from_user_policy_type(&xp->type, attrs, extack); 2162 if (err) 2163 goto error; 2164 2165 if (!(err = copy_from_user_tmpl(xp, attrs, p->dir, extack))) 2166 err = copy_from_user_sec_ctx(xp, attrs); 2167 if (err) 2168 goto error; 2169 2170 xfrm_mark_get(attrs, &xp->mark); 2171 2172 if (attrs[XFRMA_IF_ID]) 2173 xp->if_id = nla_get_u32(attrs[XFRMA_IF_ID]); 2174 2175 /* configure the hardware if offload is requested */ 2176 if (attrs[XFRMA_OFFLOAD_DEV]) { 2177 err = xfrm_dev_policy_add(net, xp, 2178 nla_data(attrs[XFRMA_OFFLOAD_DEV]), 2179 p->dir, extack); 2180 if (err) 2181 goto error; 2182 } 2183 2184 return xp; 2185 error: 2186 *errp = err; 2187 xp->walk.dead = 1; 2188 xfrm_policy_destroy(xp); 2189 return NULL; 2190 } 2191 2192 static int xfrm_add_policy(struct sk_buff *skb, struct nlmsghdr *nlh, 2193 struct nlattr **attrs, 2194 struct netlink_ext_ack *extack) 2195 { 2196 struct net *net = sock_net(skb->sk); 2197 struct xfrm_userpolicy_info *p = nlmsg_data(nlh); 2198 struct xfrm_policy *xp; 2199 struct km_event c; 2200 int err; 2201 int excl; 2202 2203 err = verify_newpolicy_info(p, extack); 2204 if (err) 2205 return err; 2206 err = verify_sec_ctx_len(attrs, extack); 2207 if (err) 2208 return err; 2209 2210 xp = xfrm_policy_construct(net, p, attrs, &err, extack); 2211 if (!xp) 2212 return err; 2213 2214 /* shouldn't excl be based on nlh flags?? 2215 * Aha! this is anti-netlink really i.e more pfkey derived 2216 * in netlink excl is a flag and you wouldn't need 2217 * a type XFRM_MSG_UPDPOLICY - JHS */ 2218 excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY; 2219 err = xfrm_policy_insert(p->dir, xp, excl); 2220 xfrm_audit_policy_add(xp, err ? 0 : 1, true); 2221 2222 if (err) { 2223 xfrm_dev_policy_delete(xp); 2224 xfrm_dev_policy_free(xp); 2225 security_xfrm_policy_free(xp->security); 2226 kfree(xp); 2227 return err; 2228 } 2229 2230 c.event = nlh->nlmsg_type; 2231 c.seq = nlh->nlmsg_seq; 2232 c.portid = nlh->nlmsg_pid; 2233 km_policy_notify(xp, p->dir, &c); 2234 2235 xfrm_pol_put(xp); 2236 2237 return 0; 2238 } 2239 2240 static int copy_to_user_tmpl(struct xfrm_policy *xp, struct sk_buff *skb) 2241 { 2242 struct xfrm_user_tmpl vec[XFRM_MAX_DEPTH]; 2243 int i; 2244 2245 if (xp->xfrm_nr == 0) 2246 return 0; 2247 2248 if (xp->xfrm_nr > XFRM_MAX_DEPTH) 2249 return -ENOBUFS; 2250 2251 for (i = 0; i < xp->xfrm_nr; i++) { 2252 struct xfrm_user_tmpl *up = &vec[i]; 2253 struct xfrm_tmpl *kp = &xp->xfrm_vec[i]; 2254 2255 memset(up, 0, sizeof(*up)); 2256 memcpy(&up->id, &kp->id, sizeof(up->id)); 2257 up->family = kp->encap_family; 2258 memcpy(&up->saddr, &kp->saddr, sizeof(up->saddr)); 2259 up->reqid = kp->reqid; 2260 up->mode = kp->mode; 2261 up->share = kp->share; 2262 up->optional = kp->optional; 2263 up->aalgos = kp->aalgos; 2264 up->ealgos = kp->ealgos; 2265 up->calgos = kp->calgos; 2266 } 2267 2268 return nla_put(skb, XFRMA_TMPL, 2269 sizeof(struct xfrm_user_tmpl) * xp->xfrm_nr, vec); 2270 } 2271 2272 static inline int copy_to_user_state_sec_ctx(struct xfrm_state *x, struct sk_buff *skb) 2273 { 2274 if (x->security) { 2275 return copy_sec_ctx(x->security, skb); 2276 } 2277 return 0; 2278 } 2279 2280 static inline int copy_to_user_sec_ctx(struct xfrm_policy *xp, struct sk_buff *skb) 2281 { 2282 if (xp->security) 2283 return copy_sec_ctx(xp->security, skb); 2284 return 0; 2285 } 2286 static inline unsigned int userpolicy_type_attrsize(void) 2287 { 2288 #ifdef CONFIG_XFRM_SUB_POLICY 2289 return nla_total_size(sizeof(struct xfrm_userpolicy_type)); 2290 #else 2291 return 0; 2292 #endif 2293 } 2294 2295 #ifdef CONFIG_XFRM_SUB_POLICY 2296 static int copy_to_user_policy_type(u8 type, struct sk_buff *skb) 2297 { 2298 struct xfrm_userpolicy_type upt; 2299 2300 /* Sadly there are two holes in struct xfrm_userpolicy_type */ 2301 memset(&upt, 0, sizeof(upt)); 2302 upt.type = type; 2303 2304 return nla_put(skb, XFRMA_POLICY_TYPE, sizeof(upt), &upt); 2305 } 2306 2307 #else 2308 static inline int copy_to_user_policy_type(u8 type, struct sk_buff *skb) 2309 { 2310 return 0; 2311 } 2312 #endif 2313 2314 static int dump_one_policy(struct xfrm_policy *xp, int dir, int count, void *ptr) 2315 { 2316 struct xfrm_dump_info *sp = ptr; 2317 struct xfrm_userpolicy_info *p; 2318 struct sk_buff *in_skb = sp->in_skb; 2319 struct sk_buff *skb = sp->out_skb; 2320 struct xfrm_translator *xtr; 2321 struct nlmsghdr *nlh; 2322 int err; 2323 2324 nlh = nlmsg_put(skb, NETLINK_CB(in_skb).portid, sp->nlmsg_seq, 2325 XFRM_MSG_NEWPOLICY, sizeof(*p), sp->nlmsg_flags); 2326 if (nlh == NULL) 2327 return -EMSGSIZE; 2328 2329 p = nlmsg_data(nlh); 2330 copy_to_user_policy(xp, p, dir); 2331 err = copy_to_user_tmpl(xp, skb); 2332 if (!err) 2333 err = copy_to_user_sec_ctx(xp, skb); 2334 if (!err) 2335 err = copy_to_user_policy_type(xp->type, skb); 2336 if (!err) 2337 err = xfrm_mark_put(skb, &xp->mark); 2338 if (!err) 2339 err = xfrm_if_id_put(skb, xp->if_id); 2340 if (!err && xp->xdo.dev) 2341 err = copy_user_offload(&xp->xdo, skb); 2342 if (err) { 2343 nlmsg_cancel(skb, nlh); 2344 return err; 2345 } 2346 nlmsg_end(skb, nlh); 2347 2348 xtr = xfrm_get_translator(); 2349 if (xtr) { 2350 err = xtr->alloc_compat(skb, nlh); 2351 2352 xfrm_put_translator(xtr); 2353 if (err) { 2354 nlmsg_cancel(skb, nlh); 2355 return err; 2356 } 2357 } 2358 2359 return 0; 2360 } 2361 2362 static int xfrm_dump_policy_done(struct netlink_callback *cb) 2363 { 2364 struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *)cb->args; 2365 struct net *net = sock_net(cb->skb->sk); 2366 2367 xfrm_policy_walk_done(walk, net); 2368 return 0; 2369 } 2370 2371 static int xfrm_dump_policy_start(struct netlink_callback *cb) 2372 { 2373 struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *)cb->args; 2374 2375 BUILD_BUG_ON(sizeof(*walk) > sizeof(cb->args)); 2376 2377 xfrm_policy_walk_init(walk, XFRM_POLICY_TYPE_ANY); 2378 return 0; 2379 } 2380 2381 static int xfrm_dump_policy(struct sk_buff *skb, struct netlink_callback *cb) 2382 { 2383 struct net *net = sock_net(skb->sk); 2384 struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *)cb->args; 2385 struct xfrm_dump_info info; 2386 2387 info.in_skb = cb->skb; 2388 info.out_skb = skb; 2389 info.nlmsg_seq = cb->nlh->nlmsg_seq; 2390 info.nlmsg_flags = NLM_F_MULTI; 2391 2392 (void) xfrm_policy_walk(net, walk, dump_one_policy, &info); 2393 2394 return skb->len; 2395 } 2396 2397 static struct sk_buff *xfrm_policy_netlink(struct sk_buff *in_skb, 2398 struct xfrm_policy *xp, 2399 int dir, u32 seq) 2400 { 2401 struct xfrm_dump_info info; 2402 struct sk_buff *skb; 2403 int err; 2404 2405 skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); 2406 if (!skb) 2407 return ERR_PTR(-ENOMEM); 2408 2409 info.in_skb = in_skb; 2410 info.out_skb = skb; 2411 info.nlmsg_seq = seq; 2412 info.nlmsg_flags = 0; 2413 2414 err = dump_one_policy(xp, dir, 0, &info); 2415 if (err) { 2416 kfree_skb(skb); 2417 return ERR_PTR(err); 2418 } 2419 2420 return skb; 2421 } 2422 2423 static int xfrm_notify_userpolicy(struct net *net) 2424 { 2425 struct xfrm_userpolicy_default *up; 2426 int len = NLMSG_ALIGN(sizeof(*up)); 2427 struct nlmsghdr *nlh; 2428 struct sk_buff *skb; 2429 int err; 2430 2431 skb = nlmsg_new(len, GFP_ATOMIC); 2432 if (skb == NULL) 2433 return -ENOMEM; 2434 2435 nlh = nlmsg_put(skb, 0, 0, XFRM_MSG_GETDEFAULT, sizeof(*up), 0); 2436 if (nlh == NULL) { 2437 kfree_skb(skb); 2438 return -EMSGSIZE; 2439 } 2440 2441 up = nlmsg_data(nlh); 2442 up->in = net->xfrm.policy_default[XFRM_POLICY_IN]; 2443 up->fwd = net->xfrm.policy_default[XFRM_POLICY_FWD]; 2444 up->out = net->xfrm.policy_default[XFRM_POLICY_OUT]; 2445 2446 nlmsg_end(skb, nlh); 2447 2448 rcu_read_lock(); 2449 err = xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_POLICY); 2450 rcu_read_unlock(); 2451 2452 return err; 2453 } 2454 2455 static bool xfrm_userpolicy_is_valid(__u8 policy) 2456 { 2457 return policy == XFRM_USERPOLICY_BLOCK || 2458 policy == XFRM_USERPOLICY_ACCEPT; 2459 } 2460 2461 static int xfrm_set_default(struct sk_buff *skb, struct nlmsghdr *nlh, 2462 struct nlattr **attrs, struct netlink_ext_ack *extack) 2463 { 2464 struct net *net = sock_net(skb->sk); 2465 struct xfrm_userpolicy_default *up = nlmsg_data(nlh); 2466 2467 if (xfrm_userpolicy_is_valid(up->in)) 2468 net->xfrm.policy_default[XFRM_POLICY_IN] = up->in; 2469 2470 if (xfrm_userpolicy_is_valid(up->fwd)) 2471 net->xfrm.policy_default[XFRM_POLICY_FWD] = up->fwd; 2472 2473 if (xfrm_userpolicy_is_valid(up->out)) 2474 net->xfrm.policy_default[XFRM_POLICY_OUT] = up->out; 2475 2476 rt_genid_bump_all(net); 2477 2478 xfrm_notify_userpolicy(net); 2479 return 0; 2480 } 2481 2482 static int xfrm_get_default(struct sk_buff *skb, struct nlmsghdr *nlh, 2483 struct nlattr **attrs, struct netlink_ext_ack *extack) 2484 { 2485 struct sk_buff *r_skb; 2486 struct nlmsghdr *r_nlh; 2487 struct net *net = sock_net(skb->sk); 2488 struct xfrm_userpolicy_default *r_up; 2489 int len = NLMSG_ALIGN(sizeof(struct xfrm_userpolicy_default)); 2490 u32 portid = NETLINK_CB(skb).portid; 2491 u32 seq = nlh->nlmsg_seq; 2492 2493 r_skb = nlmsg_new(len, GFP_ATOMIC); 2494 if (!r_skb) 2495 return -ENOMEM; 2496 2497 r_nlh = nlmsg_put(r_skb, portid, seq, XFRM_MSG_GETDEFAULT, sizeof(*r_up), 0); 2498 if (!r_nlh) { 2499 kfree_skb(r_skb); 2500 return -EMSGSIZE; 2501 } 2502 2503 r_up = nlmsg_data(r_nlh); 2504 r_up->in = net->xfrm.policy_default[XFRM_POLICY_IN]; 2505 r_up->fwd = net->xfrm.policy_default[XFRM_POLICY_FWD]; 2506 r_up->out = net->xfrm.policy_default[XFRM_POLICY_OUT]; 2507 nlmsg_end(r_skb, r_nlh); 2508 2509 return nlmsg_unicast(net->xfrm.nlsk, r_skb, portid); 2510 } 2511 2512 static int xfrm_get_policy(struct sk_buff *skb, struct nlmsghdr *nlh, 2513 struct nlattr **attrs, 2514 struct netlink_ext_ack *extack) 2515 { 2516 struct net *net = sock_net(skb->sk); 2517 struct xfrm_policy *xp; 2518 struct xfrm_userpolicy_id *p; 2519 u8 type = XFRM_POLICY_TYPE_MAIN; 2520 int err; 2521 struct km_event c; 2522 int delete; 2523 struct xfrm_mark m; 2524 u32 if_id = 0; 2525 2526 p = nlmsg_data(nlh); 2527 delete = nlh->nlmsg_type == XFRM_MSG_DELPOLICY; 2528 2529 err = copy_from_user_policy_type(&type, attrs, extack); 2530 if (err) 2531 return err; 2532 2533 err = verify_policy_dir(p->dir, extack); 2534 if (err) 2535 return err; 2536 2537 if (attrs[XFRMA_IF_ID]) 2538 if_id = nla_get_u32(attrs[XFRMA_IF_ID]); 2539 2540 xfrm_mark_get(attrs, &m); 2541 2542 if (p->index) 2543 xp = xfrm_policy_byid(net, &m, if_id, type, p->dir, 2544 p->index, delete, &err); 2545 else { 2546 struct nlattr *rt = attrs[XFRMA_SEC_CTX]; 2547 struct xfrm_sec_ctx *ctx; 2548 2549 err = verify_sec_ctx_len(attrs, extack); 2550 if (err) 2551 return err; 2552 2553 ctx = NULL; 2554 if (rt) { 2555 struct xfrm_user_sec_ctx *uctx = nla_data(rt); 2556 2557 err = security_xfrm_policy_alloc(&ctx, uctx, GFP_KERNEL); 2558 if (err) 2559 return err; 2560 } 2561 xp = xfrm_policy_bysel_ctx(net, &m, if_id, type, p->dir, 2562 &p->sel, ctx, delete, &err); 2563 security_xfrm_policy_free(ctx); 2564 } 2565 if (xp == NULL) 2566 return -ENOENT; 2567 2568 if (!delete) { 2569 struct sk_buff *resp_skb; 2570 2571 resp_skb = xfrm_policy_netlink(skb, xp, p->dir, nlh->nlmsg_seq); 2572 if (IS_ERR(resp_skb)) { 2573 err = PTR_ERR(resp_skb); 2574 } else { 2575 err = nlmsg_unicast(net->xfrm.nlsk, resp_skb, 2576 NETLINK_CB(skb).portid); 2577 } 2578 } else { 2579 xfrm_audit_policy_delete(xp, err ? 0 : 1, true); 2580 2581 if (err != 0) 2582 goto out; 2583 2584 c.data.byid = p->index; 2585 c.event = nlh->nlmsg_type; 2586 c.seq = nlh->nlmsg_seq; 2587 c.portid = nlh->nlmsg_pid; 2588 km_policy_notify(xp, p->dir, &c); 2589 } 2590 2591 out: 2592 xfrm_pol_put(xp); 2593 return err; 2594 } 2595 2596 static int xfrm_flush_sa(struct sk_buff *skb, struct nlmsghdr *nlh, 2597 struct nlattr **attrs, 2598 struct netlink_ext_ack *extack) 2599 { 2600 struct net *net = sock_net(skb->sk); 2601 struct km_event c; 2602 struct xfrm_usersa_flush *p = nlmsg_data(nlh); 2603 int err; 2604 2605 err = xfrm_state_flush(net, p->proto, true, false); 2606 if (err) { 2607 if (err == -ESRCH) /* empty table */ 2608 return 0; 2609 return err; 2610 } 2611 c.data.proto = p->proto; 2612 c.event = nlh->nlmsg_type; 2613 c.seq = nlh->nlmsg_seq; 2614 c.portid = nlh->nlmsg_pid; 2615 c.net = net; 2616 km_state_notify(NULL, &c); 2617 2618 return 0; 2619 } 2620 2621 static inline unsigned int xfrm_aevent_msgsize(struct xfrm_state *x) 2622 { 2623 unsigned int replay_size = x->replay_esn ? 2624 xfrm_replay_state_esn_len(x->replay_esn) : 2625 sizeof(struct xfrm_replay_state); 2626 2627 return NLMSG_ALIGN(sizeof(struct xfrm_aevent_id)) 2628 + nla_total_size(replay_size) 2629 + nla_total_size_64bit(sizeof(struct xfrm_lifetime_cur)) 2630 + nla_total_size(sizeof(struct xfrm_mark)) 2631 + nla_total_size(4) /* XFRM_AE_RTHR */ 2632 + nla_total_size(4) /* XFRM_AE_ETHR */ 2633 + nla_total_size(sizeof(x->dir)) /* XFRMA_SA_DIR */ 2634 + nla_total_size(4); /* XFRMA_SA_PCPU */ 2635 } 2636 2637 static int build_aevent(struct sk_buff *skb, struct xfrm_state *x, const struct km_event *c) 2638 { 2639 struct xfrm_aevent_id *id; 2640 struct nlmsghdr *nlh; 2641 int err; 2642 2643 nlh = nlmsg_put(skb, c->portid, c->seq, XFRM_MSG_NEWAE, sizeof(*id), 0); 2644 if (nlh == NULL) 2645 return -EMSGSIZE; 2646 2647 id = nlmsg_data(nlh); 2648 memset(&id->sa_id, 0, sizeof(id->sa_id)); 2649 memcpy(&id->sa_id.daddr, &x->id.daddr, sizeof(x->id.daddr)); 2650 id->sa_id.spi = x->id.spi; 2651 id->sa_id.family = x->props.family; 2652 id->sa_id.proto = x->id.proto; 2653 memcpy(&id->saddr, &x->props.saddr, sizeof(x->props.saddr)); 2654 id->reqid = x->props.reqid; 2655 id->flags = c->data.aevent; 2656 2657 if (x->replay_esn) { 2658 err = nla_put(skb, XFRMA_REPLAY_ESN_VAL, 2659 xfrm_replay_state_esn_len(x->replay_esn), 2660 x->replay_esn); 2661 } else { 2662 err = nla_put(skb, XFRMA_REPLAY_VAL, sizeof(x->replay), 2663 &x->replay); 2664 } 2665 if (err) 2666 goto out_cancel; 2667 err = nla_put_64bit(skb, XFRMA_LTIME_VAL, sizeof(x->curlft), &x->curlft, 2668 XFRMA_PAD); 2669 if (err) 2670 goto out_cancel; 2671 2672 if (id->flags & XFRM_AE_RTHR) { 2673 err = nla_put_u32(skb, XFRMA_REPLAY_THRESH, x->replay_maxdiff); 2674 if (err) 2675 goto out_cancel; 2676 } 2677 if (id->flags & XFRM_AE_ETHR) { 2678 err = nla_put_u32(skb, XFRMA_ETIMER_THRESH, 2679 x->replay_maxage * 10 / HZ); 2680 if (err) 2681 goto out_cancel; 2682 } 2683 err = xfrm_mark_put(skb, &x->mark); 2684 if (err) 2685 goto out_cancel; 2686 2687 err = xfrm_if_id_put(skb, x->if_id); 2688 if (err) 2689 goto out_cancel; 2690 if (x->pcpu_num != UINT_MAX) { 2691 err = nla_put_u32(skb, XFRMA_SA_PCPU, x->pcpu_num); 2692 if (err) 2693 goto out_cancel; 2694 } 2695 2696 if (x->dir) { 2697 err = nla_put_u8(skb, XFRMA_SA_DIR, x->dir); 2698 if (err) 2699 goto out_cancel; 2700 } 2701 2702 nlmsg_end(skb, nlh); 2703 return 0; 2704 2705 out_cancel: 2706 nlmsg_cancel(skb, nlh); 2707 return err; 2708 } 2709 2710 static int xfrm_get_ae(struct sk_buff *skb, struct nlmsghdr *nlh, 2711 struct nlattr **attrs, struct netlink_ext_ack *extack) 2712 { 2713 struct net *net = sock_net(skb->sk); 2714 struct xfrm_state *x; 2715 struct sk_buff *r_skb; 2716 int err; 2717 struct km_event c; 2718 u32 mark; 2719 struct xfrm_mark m; 2720 struct xfrm_aevent_id *p = nlmsg_data(nlh); 2721 struct xfrm_usersa_id *id = &p->sa_id; 2722 2723 mark = xfrm_mark_get(attrs, &m); 2724 2725 x = xfrm_state_lookup(net, mark, &id->daddr, id->spi, id->proto, id->family); 2726 if (x == NULL) 2727 return -ESRCH; 2728 2729 r_skb = nlmsg_new(xfrm_aevent_msgsize(x), GFP_ATOMIC); 2730 if (r_skb == NULL) { 2731 xfrm_state_put(x); 2732 return -ENOMEM; 2733 } 2734 2735 /* 2736 * XXX: is this lock really needed - none of the other 2737 * gets lock (the concern is things getting updated 2738 * while we are still reading) - jhs 2739 */ 2740 spin_lock_bh(&x->lock); 2741 c.data.aevent = p->flags; 2742 c.seq = nlh->nlmsg_seq; 2743 c.portid = nlh->nlmsg_pid; 2744 2745 err = build_aevent(r_skb, x, &c); 2746 BUG_ON(err < 0); 2747 2748 err = nlmsg_unicast(net->xfrm.nlsk, r_skb, NETLINK_CB(skb).portid); 2749 spin_unlock_bh(&x->lock); 2750 xfrm_state_put(x); 2751 return err; 2752 } 2753 2754 static int xfrm_new_ae(struct sk_buff *skb, struct nlmsghdr *nlh, 2755 struct nlattr **attrs, struct netlink_ext_ack *extack) 2756 { 2757 struct net *net = sock_net(skb->sk); 2758 struct xfrm_state *x; 2759 struct km_event c; 2760 int err = -EINVAL; 2761 u32 mark = 0; 2762 struct xfrm_mark m; 2763 struct xfrm_aevent_id *p = nlmsg_data(nlh); 2764 struct nlattr *rp = attrs[XFRMA_REPLAY_VAL]; 2765 struct nlattr *re = attrs[XFRMA_REPLAY_ESN_VAL]; 2766 struct nlattr *lt = attrs[XFRMA_LTIME_VAL]; 2767 struct nlattr *et = attrs[XFRMA_ETIMER_THRESH]; 2768 struct nlattr *rt = attrs[XFRMA_REPLAY_THRESH]; 2769 2770 if (!lt && !rp && !re && !et && !rt) { 2771 NL_SET_ERR_MSG(extack, "Missing required attribute for AE"); 2772 return err; 2773 } 2774 2775 /* pedantic mode - thou shalt sayeth replaceth */ 2776 if (!(nlh->nlmsg_flags & NLM_F_REPLACE)) { 2777 NL_SET_ERR_MSG(extack, "NLM_F_REPLACE flag is required"); 2778 return err; 2779 } 2780 2781 mark = xfrm_mark_get(attrs, &m); 2782 2783 x = xfrm_state_lookup(net, mark, &p->sa_id.daddr, p->sa_id.spi, p->sa_id.proto, p->sa_id.family); 2784 if (x == NULL) 2785 return -ESRCH; 2786 2787 if (x->km.state != XFRM_STATE_VALID) { 2788 NL_SET_ERR_MSG(extack, "SA must be in VALID state"); 2789 goto out; 2790 } 2791 2792 err = xfrm_replay_verify_len(x->replay_esn, re, extack); 2793 if (err) 2794 goto out; 2795 2796 spin_lock_bh(&x->lock); 2797 xfrm_update_ae_params(x, attrs, 1); 2798 spin_unlock_bh(&x->lock); 2799 2800 c.event = nlh->nlmsg_type; 2801 c.seq = nlh->nlmsg_seq; 2802 c.portid = nlh->nlmsg_pid; 2803 c.data.aevent = XFRM_AE_CU; 2804 km_state_notify(x, &c); 2805 err = 0; 2806 out: 2807 xfrm_state_put(x); 2808 return err; 2809 } 2810 2811 static int xfrm_flush_policy(struct sk_buff *skb, struct nlmsghdr *nlh, 2812 struct nlattr **attrs, 2813 struct netlink_ext_ack *extack) 2814 { 2815 struct net *net = sock_net(skb->sk); 2816 struct km_event c; 2817 u8 type = XFRM_POLICY_TYPE_MAIN; 2818 int err; 2819 2820 err = copy_from_user_policy_type(&type, attrs, extack); 2821 if (err) 2822 return err; 2823 2824 err = xfrm_policy_flush(net, type, true); 2825 if (err) { 2826 if (err == -ESRCH) /* empty table */ 2827 return 0; 2828 return err; 2829 } 2830 2831 c.data.type = type; 2832 c.event = nlh->nlmsg_type; 2833 c.seq = nlh->nlmsg_seq; 2834 c.portid = nlh->nlmsg_pid; 2835 c.net = net; 2836 km_policy_notify(NULL, 0, &c); 2837 return 0; 2838 } 2839 2840 static int xfrm_add_pol_expire(struct sk_buff *skb, struct nlmsghdr *nlh, 2841 struct nlattr **attrs, 2842 struct netlink_ext_ack *extack) 2843 { 2844 struct net *net = sock_net(skb->sk); 2845 struct xfrm_policy *xp; 2846 struct xfrm_user_polexpire *up = nlmsg_data(nlh); 2847 struct xfrm_userpolicy_info *p = &up->pol; 2848 u8 type = XFRM_POLICY_TYPE_MAIN; 2849 int err = -ENOENT; 2850 struct xfrm_mark m; 2851 u32 if_id = 0; 2852 2853 err = copy_from_user_policy_type(&type, attrs, extack); 2854 if (err) 2855 return err; 2856 2857 err = verify_policy_dir(p->dir, extack); 2858 if (err) 2859 return err; 2860 2861 if (attrs[XFRMA_IF_ID]) 2862 if_id = nla_get_u32(attrs[XFRMA_IF_ID]); 2863 2864 xfrm_mark_get(attrs, &m); 2865 2866 if (p->index) 2867 xp = xfrm_policy_byid(net, &m, if_id, type, p->dir, p->index, 2868 0, &err); 2869 else { 2870 struct nlattr *rt = attrs[XFRMA_SEC_CTX]; 2871 struct xfrm_sec_ctx *ctx; 2872 2873 err = verify_sec_ctx_len(attrs, extack); 2874 if (err) 2875 return err; 2876 2877 ctx = NULL; 2878 if (rt) { 2879 struct xfrm_user_sec_ctx *uctx = nla_data(rt); 2880 2881 err = security_xfrm_policy_alloc(&ctx, uctx, GFP_KERNEL); 2882 if (err) 2883 return err; 2884 } 2885 xp = xfrm_policy_bysel_ctx(net, &m, if_id, type, p->dir, 2886 &p->sel, ctx, 0, &err); 2887 security_xfrm_policy_free(ctx); 2888 } 2889 if (xp == NULL) 2890 return -ENOENT; 2891 2892 if (unlikely(xp->walk.dead)) 2893 goto out; 2894 2895 err = 0; 2896 if (up->hard) { 2897 xfrm_policy_delete(xp, p->dir); 2898 xfrm_audit_policy_delete(xp, 1, true); 2899 } 2900 km_policy_expired(xp, p->dir, up->hard, nlh->nlmsg_pid); 2901 2902 out: 2903 xfrm_pol_put(xp); 2904 return err; 2905 } 2906 2907 static int xfrm_add_sa_expire(struct sk_buff *skb, struct nlmsghdr *nlh, 2908 struct nlattr **attrs, 2909 struct netlink_ext_ack *extack) 2910 { 2911 struct net *net = sock_net(skb->sk); 2912 struct xfrm_state *x; 2913 int err; 2914 struct xfrm_user_expire *ue = nlmsg_data(nlh); 2915 struct xfrm_usersa_info *p = &ue->state; 2916 struct xfrm_mark m; 2917 u32 mark = xfrm_mark_get(attrs, &m); 2918 2919 x = xfrm_state_lookup(net, mark, &p->id.daddr, p->id.spi, p->id.proto, p->family); 2920 2921 err = -ENOENT; 2922 if (x == NULL) 2923 return err; 2924 2925 spin_lock_bh(&x->lock); 2926 err = -EINVAL; 2927 if (x->km.state != XFRM_STATE_VALID) { 2928 NL_SET_ERR_MSG(extack, "SA must be in VALID state"); 2929 goto out; 2930 } 2931 2932 km_state_expired(x, ue->hard, nlh->nlmsg_pid); 2933 2934 if (ue->hard) { 2935 __xfrm_state_delete(x); 2936 xfrm_audit_state_delete(x, 1, true); 2937 } 2938 err = 0; 2939 out: 2940 spin_unlock_bh(&x->lock); 2941 xfrm_state_put(x); 2942 return err; 2943 } 2944 2945 static int xfrm_add_acquire(struct sk_buff *skb, struct nlmsghdr *nlh, 2946 struct nlattr **attrs, 2947 struct netlink_ext_ack *extack) 2948 { 2949 struct net *net = sock_net(skb->sk); 2950 struct xfrm_policy *xp; 2951 struct xfrm_user_tmpl *ut; 2952 int i; 2953 struct nlattr *rt = attrs[XFRMA_TMPL]; 2954 struct xfrm_mark mark; 2955 2956 struct xfrm_user_acquire *ua = nlmsg_data(nlh); 2957 struct xfrm_state *x = xfrm_state_alloc(net); 2958 int err = -ENOMEM; 2959 2960 if (!x) 2961 goto nomem; 2962 2963 xfrm_mark_get(attrs, &mark); 2964 2965 if (attrs[XFRMA_SA_PCPU]) { 2966 x->pcpu_num = nla_get_u32(attrs[XFRMA_SA_PCPU]); 2967 err = -EINVAL; 2968 if (x->pcpu_num >= num_possible_cpus()) 2969 goto free_state; 2970 } 2971 2972 err = verify_newpolicy_info(&ua->policy, extack); 2973 if (err) 2974 goto free_state; 2975 err = verify_sec_ctx_len(attrs, extack); 2976 if (err) 2977 goto free_state; 2978 2979 /* build an XP */ 2980 xp = xfrm_policy_construct(net, &ua->policy, attrs, &err, extack); 2981 if (!xp) 2982 goto free_state; 2983 2984 memcpy(&x->id, &ua->id, sizeof(ua->id)); 2985 memcpy(&x->props.saddr, &ua->saddr, sizeof(ua->saddr)); 2986 memcpy(&x->sel, &ua->sel, sizeof(ua->sel)); 2987 xp->mark.m = x->mark.m = mark.m; 2988 xp->mark.v = x->mark.v = mark.v; 2989 ut = nla_data(rt); 2990 /* extract the templates and for each call km_key */ 2991 for (i = 0; i < xp->xfrm_nr; i++, ut++) { 2992 struct xfrm_tmpl *t = &xp->xfrm_vec[i]; 2993 memcpy(&x->id, &t->id, sizeof(x->id)); 2994 x->props.mode = t->mode; 2995 x->props.reqid = t->reqid; 2996 x->props.family = ut->family; 2997 t->aalgos = ua->aalgos; 2998 t->ealgos = ua->ealgos; 2999 t->calgos = ua->calgos; 3000 err = km_query(x, t, xp); 3001 3002 } 3003 3004 xfrm_state_free(x); 3005 kfree(xp); 3006 3007 return 0; 3008 3009 free_state: 3010 xfrm_state_free(x); 3011 nomem: 3012 return err; 3013 } 3014 3015 #ifdef CONFIG_XFRM_MIGRATE 3016 static int copy_from_user_migrate(struct xfrm_migrate *ma, 3017 struct xfrm_kmaddress *k, 3018 struct nlattr **attrs, int *num, 3019 struct netlink_ext_ack *extack) 3020 { 3021 struct nlattr *rt = attrs[XFRMA_MIGRATE]; 3022 struct xfrm_user_migrate *um; 3023 int i, num_migrate; 3024 3025 if (k != NULL) { 3026 struct xfrm_user_kmaddress *uk; 3027 3028 uk = nla_data(attrs[XFRMA_KMADDRESS]); 3029 memcpy(&k->local, &uk->local, sizeof(k->local)); 3030 memcpy(&k->remote, &uk->remote, sizeof(k->remote)); 3031 k->family = uk->family; 3032 k->reserved = uk->reserved; 3033 } 3034 3035 um = nla_data(rt); 3036 num_migrate = nla_len(rt) / sizeof(*um); 3037 3038 if (num_migrate <= 0 || num_migrate > XFRM_MAX_DEPTH) { 3039 NL_SET_ERR_MSG(extack, "Invalid number of SAs to migrate, must be 0 < num <= XFRM_MAX_DEPTH (6)"); 3040 return -EINVAL; 3041 } 3042 3043 for (i = 0; i < num_migrate; i++, um++, ma++) { 3044 memcpy(&ma->old_daddr, &um->old_daddr, sizeof(ma->old_daddr)); 3045 memcpy(&ma->old_saddr, &um->old_saddr, sizeof(ma->old_saddr)); 3046 memcpy(&ma->new_daddr, &um->new_daddr, sizeof(ma->new_daddr)); 3047 memcpy(&ma->new_saddr, &um->new_saddr, sizeof(ma->new_saddr)); 3048 3049 ma->proto = um->proto; 3050 ma->mode = um->mode; 3051 ma->reqid = um->reqid; 3052 3053 ma->old_family = um->old_family; 3054 ma->new_family = um->new_family; 3055 } 3056 3057 *num = i; 3058 return 0; 3059 } 3060 3061 static int xfrm_do_migrate(struct sk_buff *skb, struct nlmsghdr *nlh, 3062 struct nlattr **attrs, struct netlink_ext_ack *extack) 3063 { 3064 struct xfrm_userpolicy_id *pi = nlmsg_data(nlh); 3065 struct xfrm_migrate m[XFRM_MAX_DEPTH]; 3066 struct xfrm_kmaddress km, *kmp; 3067 u8 type; 3068 int err; 3069 int n = 0; 3070 struct net *net = sock_net(skb->sk); 3071 struct xfrm_encap_tmpl *encap = NULL; 3072 u32 if_id = 0; 3073 3074 if (!attrs[XFRMA_MIGRATE]) { 3075 NL_SET_ERR_MSG(extack, "Missing required MIGRATE attribute"); 3076 return -EINVAL; 3077 } 3078 3079 kmp = attrs[XFRMA_KMADDRESS] ? &km : NULL; 3080 3081 err = copy_from_user_policy_type(&type, attrs, extack); 3082 if (err) 3083 return err; 3084 3085 err = copy_from_user_migrate(m, kmp, attrs, &n, extack); 3086 if (err) 3087 return err; 3088 3089 if (!n) 3090 return 0; 3091 3092 if (attrs[XFRMA_ENCAP]) { 3093 encap = kmemdup(nla_data(attrs[XFRMA_ENCAP]), 3094 sizeof(*encap), GFP_KERNEL); 3095 if (!encap) 3096 return -ENOMEM; 3097 } 3098 3099 if (attrs[XFRMA_IF_ID]) 3100 if_id = nla_get_u32(attrs[XFRMA_IF_ID]); 3101 3102 err = xfrm_migrate(&pi->sel, pi->dir, type, m, n, kmp, net, encap, 3103 if_id, extack); 3104 3105 kfree(encap); 3106 3107 return err; 3108 } 3109 #else 3110 static int xfrm_do_migrate(struct sk_buff *skb, struct nlmsghdr *nlh, 3111 struct nlattr **attrs, struct netlink_ext_ack *extack) 3112 { 3113 return -ENOPROTOOPT; 3114 } 3115 #endif 3116 3117 #ifdef CONFIG_XFRM_MIGRATE 3118 static int copy_to_user_migrate(const struct xfrm_migrate *m, struct sk_buff *skb) 3119 { 3120 struct xfrm_user_migrate um; 3121 3122 memset(&um, 0, sizeof(um)); 3123 um.proto = m->proto; 3124 um.mode = m->mode; 3125 um.reqid = m->reqid; 3126 um.old_family = m->old_family; 3127 memcpy(&um.old_daddr, &m->old_daddr, sizeof(um.old_daddr)); 3128 memcpy(&um.old_saddr, &m->old_saddr, sizeof(um.old_saddr)); 3129 um.new_family = m->new_family; 3130 memcpy(&um.new_daddr, &m->new_daddr, sizeof(um.new_daddr)); 3131 memcpy(&um.new_saddr, &m->new_saddr, sizeof(um.new_saddr)); 3132 3133 return nla_put(skb, XFRMA_MIGRATE, sizeof(um), &um); 3134 } 3135 3136 static int copy_to_user_kmaddress(const struct xfrm_kmaddress *k, struct sk_buff *skb) 3137 { 3138 struct xfrm_user_kmaddress uk; 3139 3140 memset(&uk, 0, sizeof(uk)); 3141 uk.family = k->family; 3142 uk.reserved = k->reserved; 3143 memcpy(&uk.local, &k->local, sizeof(uk.local)); 3144 memcpy(&uk.remote, &k->remote, sizeof(uk.remote)); 3145 3146 return nla_put(skb, XFRMA_KMADDRESS, sizeof(uk), &uk); 3147 } 3148 3149 static inline unsigned int xfrm_migrate_msgsize(int num_migrate, int with_kma, 3150 int with_encp) 3151 { 3152 return NLMSG_ALIGN(sizeof(struct xfrm_userpolicy_id)) 3153 + (with_kma ? nla_total_size(sizeof(struct xfrm_kmaddress)) : 0) 3154 + (with_encp ? nla_total_size(sizeof(struct xfrm_encap_tmpl)) : 0) 3155 + nla_total_size(sizeof(struct xfrm_user_migrate) * num_migrate) 3156 + userpolicy_type_attrsize(); 3157 } 3158 3159 static int build_migrate(struct sk_buff *skb, const struct xfrm_migrate *m, 3160 int num_migrate, const struct xfrm_kmaddress *k, 3161 const struct xfrm_selector *sel, 3162 const struct xfrm_encap_tmpl *encap, u8 dir, u8 type) 3163 { 3164 const struct xfrm_migrate *mp; 3165 struct xfrm_userpolicy_id *pol_id; 3166 struct nlmsghdr *nlh; 3167 int i, err; 3168 3169 nlh = nlmsg_put(skb, 0, 0, XFRM_MSG_MIGRATE, sizeof(*pol_id), 0); 3170 if (nlh == NULL) 3171 return -EMSGSIZE; 3172 3173 pol_id = nlmsg_data(nlh); 3174 /* copy data from selector, dir, and type to the pol_id */ 3175 memset(pol_id, 0, sizeof(*pol_id)); 3176 memcpy(&pol_id->sel, sel, sizeof(pol_id->sel)); 3177 pol_id->dir = dir; 3178 3179 if (k != NULL) { 3180 err = copy_to_user_kmaddress(k, skb); 3181 if (err) 3182 goto out_cancel; 3183 } 3184 if (encap) { 3185 err = nla_put(skb, XFRMA_ENCAP, sizeof(*encap), encap); 3186 if (err) 3187 goto out_cancel; 3188 } 3189 err = copy_to_user_policy_type(type, skb); 3190 if (err) 3191 goto out_cancel; 3192 for (i = 0, mp = m ; i < num_migrate; i++, mp++) { 3193 err = copy_to_user_migrate(mp, skb); 3194 if (err) 3195 goto out_cancel; 3196 } 3197 3198 nlmsg_end(skb, nlh); 3199 return 0; 3200 3201 out_cancel: 3202 nlmsg_cancel(skb, nlh); 3203 return err; 3204 } 3205 3206 static int xfrm_send_migrate(const struct xfrm_selector *sel, u8 dir, u8 type, 3207 const struct xfrm_migrate *m, int num_migrate, 3208 const struct xfrm_kmaddress *k, 3209 const struct xfrm_encap_tmpl *encap) 3210 { 3211 struct net *net = &init_net; 3212 struct sk_buff *skb; 3213 int err; 3214 3215 skb = nlmsg_new(xfrm_migrate_msgsize(num_migrate, !!k, !!encap), 3216 GFP_ATOMIC); 3217 if (skb == NULL) 3218 return -ENOMEM; 3219 3220 /* build migrate */ 3221 err = build_migrate(skb, m, num_migrate, k, sel, encap, dir, type); 3222 BUG_ON(err < 0); 3223 3224 return xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_MIGRATE); 3225 } 3226 #else 3227 static int xfrm_send_migrate(const struct xfrm_selector *sel, u8 dir, u8 type, 3228 const struct xfrm_migrate *m, int num_migrate, 3229 const struct xfrm_kmaddress *k, 3230 const struct xfrm_encap_tmpl *encap) 3231 { 3232 return -ENOPROTOOPT; 3233 } 3234 #endif 3235 3236 #define XMSGSIZE(type) sizeof(struct type) 3237 3238 const int xfrm_msg_min[XFRM_NR_MSGTYPES] = { 3239 [XFRM_MSG_NEWSA - XFRM_MSG_BASE] = XMSGSIZE(xfrm_usersa_info), 3240 [XFRM_MSG_DELSA - XFRM_MSG_BASE] = XMSGSIZE(xfrm_usersa_id), 3241 [XFRM_MSG_GETSA - XFRM_MSG_BASE] = XMSGSIZE(xfrm_usersa_id), 3242 [XFRM_MSG_NEWPOLICY - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_info), 3243 [XFRM_MSG_DELPOLICY - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_id), 3244 [XFRM_MSG_GETPOLICY - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_id), 3245 [XFRM_MSG_ALLOCSPI - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userspi_info), 3246 [XFRM_MSG_ACQUIRE - XFRM_MSG_BASE] = XMSGSIZE(xfrm_user_acquire), 3247 [XFRM_MSG_EXPIRE - XFRM_MSG_BASE] = XMSGSIZE(xfrm_user_expire), 3248 [XFRM_MSG_UPDPOLICY - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_info), 3249 [XFRM_MSG_UPDSA - XFRM_MSG_BASE] = XMSGSIZE(xfrm_usersa_info), 3250 [XFRM_MSG_POLEXPIRE - XFRM_MSG_BASE] = XMSGSIZE(xfrm_user_polexpire), 3251 [XFRM_MSG_FLUSHSA - XFRM_MSG_BASE] = XMSGSIZE(xfrm_usersa_flush), 3252 [XFRM_MSG_FLUSHPOLICY - XFRM_MSG_BASE] = 0, 3253 [XFRM_MSG_NEWAE - XFRM_MSG_BASE] = XMSGSIZE(xfrm_aevent_id), 3254 [XFRM_MSG_GETAE - XFRM_MSG_BASE] = XMSGSIZE(xfrm_aevent_id), 3255 [XFRM_MSG_REPORT - XFRM_MSG_BASE] = XMSGSIZE(xfrm_user_report), 3256 [XFRM_MSG_MIGRATE - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_id), 3257 [XFRM_MSG_GETSADINFO - XFRM_MSG_BASE] = sizeof(u32), 3258 [XFRM_MSG_NEWSPDINFO - XFRM_MSG_BASE] = sizeof(u32), 3259 [XFRM_MSG_GETSPDINFO - XFRM_MSG_BASE] = sizeof(u32), 3260 [XFRM_MSG_SETDEFAULT - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_default), 3261 [XFRM_MSG_GETDEFAULT - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_default), 3262 }; 3263 EXPORT_SYMBOL_GPL(xfrm_msg_min); 3264 3265 #undef XMSGSIZE 3266 3267 const struct nla_policy xfrma_policy[XFRMA_MAX+1] = { 3268 [XFRMA_UNSPEC] = { .strict_start_type = XFRMA_SA_DIR }, 3269 [XFRMA_SA] = { .len = sizeof(struct xfrm_usersa_info)}, 3270 [XFRMA_POLICY] = { .len = sizeof(struct xfrm_userpolicy_info)}, 3271 [XFRMA_LASTUSED] = { .type = NLA_U64}, 3272 [XFRMA_ALG_AUTH_TRUNC] = { .len = sizeof(struct xfrm_algo_auth)}, 3273 [XFRMA_ALG_AEAD] = { .len = sizeof(struct xfrm_algo_aead) }, 3274 [XFRMA_ALG_AUTH] = { .len = sizeof(struct xfrm_algo) }, 3275 [XFRMA_ALG_CRYPT] = { .len = sizeof(struct xfrm_algo) }, 3276 [XFRMA_ALG_COMP] = { .len = sizeof(struct xfrm_algo) }, 3277 [XFRMA_ENCAP] = { .len = sizeof(struct xfrm_encap_tmpl) }, 3278 [XFRMA_TMPL] = { .len = sizeof(struct xfrm_user_tmpl) }, 3279 [XFRMA_SEC_CTX] = { .len = sizeof(struct xfrm_user_sec_ctx) }, 3280 [XFRMA_LTIME_VAL] = { .len = sizeof(struct xfrm_lifetime_cur) }, 3281 [XFRMA_REPLAY_VAL] = { .len = sizeof(struct xfrm_replay_state) }, 3282 [XFRMA_REPLAY_THRESH] = { .type = NLA_U32 }, 3283 [XFRMA_ETIMER_THRESH] = { .type = NLA_U32 }, 3284 [XFRMA_SRCADDR] = { .len = sizeof(xfrm_address_t) }, 3285 [XFRMA_COADDR] = { .len = sizeof(xfrm_address_t) }, 3286 [XFRMA_POLICY_TYPE] = { .len = sizeof(struct xfrm_userpolicy_type)}, 3287 [XFRMA_MIGRATE] = { .len = sizeof(struct xfrm_user_migrate) }, 3288 [XFRMA_KMADDRESS] = { .len = sizeof(struct xfrm_user_kmaddress) }, 3289 [XFRMA_MARK] = { .len = sizeof(struct xfrm_mark) }, 3290 [XFRMA_TFCPAD] = { .type = NLA_U32 }, 3291 [XFRMA_REPLAY_ESN_VAL] = { .len = sizeof(struct xfrm_replay_state_esn) }, 3292 [XFRMA_SA_EXTRA_FLAGS] = { .type = NLA_U32 }, 3293 [XFRMA_PROTO] = { .type = NLA_U8 }, 3294 [XFRMA_ADDRESS_FILTER] = { .len = sizeof(struct xfrm_address_filter) }, 3295 [XFRMA_OFFLOAD_DEV] = { .len = sizeof(struct xfrm_user_offload) }, 3296 [XFRMA_SET_MARK] = { .type = NLA_U32 }, 3297 [XFRMA_SET_MARK_MASK] = { .type = NLA_U32 }, 3298 [XFRMA_IF_ID] = { .type = NLA_U32 }, 3299 [XFRMA_MTIMER_THRESH] = { .type = NLA_U32 }, 3300 [XFRMA_SA_DIR] = NLA_POLICY_RANGE(NLA_U8, XFRM_SA_DIR_IN, XFRM_SA_DIR_OUT), 3301 [XFRMA_NAT_KEEPALIVE_INTERVAL] = { .type = NLA_U32 }, 3302 [XFRMA_SA_PCPU] = { .type = NLA_U32 }, 3303 [XFRMA_IPTFS_DROP_TIME] = { .type = NLA_U32 }, 3304 [XFRMA_IPTFS_REORDER_WINDOW] = { .type = NLA_U16 }, 3305 [XFRMA_IPTFS_DONT_FRAG] = { .type = NLA_FLAG }, 3306 [XFRMA_IPTFS_INIT_DELAY] = { .type = NLA_U32 }, 3307 [XFRMA_IPTFS_MAX_QSIZE] = { .type = NLA_U32 }, 3308 [XFRMA_IPTFS_PKT_SIZE] = { .type = NLA_U32 }, 3309 }; 3310 EXPORT_SYMBOL_GPL(xfrma_policy); 3311 3312 static const struct nla_policy xfrma_spd_policy[XFRMA_SPD_MAX+1] = { 3313 [XFRMA_SPD_IPV4_HTHRESH] = { .len = sizeof(struct xfrmu_spdhthresh) }, 3314 [XFRMA_SPD_IPV6_HTHRESH] = { .len = sizeof(struct xfrmu_spdhthresh) }, 3315 }; 3316 3317 static const struct xfrm_link { 3318 int (*doit)(struct sk_buff *, struct nlmsghdr *, struct nlattr **, 3319 struct netlink_ext_ack *); 3320 int (*start)(struct netlink_callback *); 3321 int (*dump)(struct sk_buff *, struct netlink_callback *); 3322 int (*done)(struct netlink_callback *); 3323 const struct nla_policy *nla_pol; 3324 int nla_max; 3325 } xfrm_dispatch[XFRM_NR_MSGTYPES] = { 3326 [XFRM_MSG_NEWSA - XFRM_MSG_BASE] = { .doit = xfrm_add_sa }, 3327 [XFRM_MSG_DELSA - XFRM_MSG_BASE] = { .doit = xfrm_del_sa }, 3328 [XFRM_MSG_GETSA - XFRM_MSG_BASE] = { .doit = xfrm_get_sa, 3329 .dump = xfrm_dump_sa, 3330 .done = xfrm_dump_sa_done }, 3331 [XFRM_MSG_NEWPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_add_policy }, 3332 [XFRM_MSG_DELPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_get_policy }, 3333 [XFRM_MSG_GETPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_get_policy, 3334 .start = xfrm_dump_policy_start, 3335 .dump = xfrm_dump_policy, 3336 .done = xfrm_dump_policy_done }, 3337 [XFRM_MSG_ALLOCSPI - XFRM_MSG_BASE] = { .doit = xfrm_alloc_userspi }, 3338 [XFRM_MSG_ACQUIRE - XFRM_MSG_BASE] = { .doit = xfrm_add_acquire }, 3339 [XFRM_MSG_EXPIRE - XFRM_MSG_BASE] = { .doit = xfrm_add_sa_expire }, 3340 [XFRM_MSG_UPDPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_add_policy }, 3341 [XFRM_MSG_UPDSA - XFRM_MSG_BASE] = { .doit = xfrm_add_sa }, 3342 [XFRM_MSG_POLEXPIRE - XFRM_MSG_BASE] = { .doit = xfrm_add_pol_expire}, 3343 [XFRM_MSG_FLUSHSA - XFRM_MSG_BASE] = { .doit = xfrm_flush_sa }, 3344 [XFRM_MSG_FLUSHPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_flush_policy }, 3345 [XFRM_MSG_NEWAE - XFRM_MSG_BASE] = { .doit = xfrm_new_ae }, 3346 [XFRM_MSG_GETAE - XFRM_MSG_BASE] = { .doit = xfrm_get_ae }, 3347 [XFRM_MSG_MIGRATE - XFRM_MSG_BASE] = { .doit = xfrm_do_migrate }, 3348 [XFRM_MSG_GETSADINFO - XFRM_MSG_BASE] = { .doit = xfrm_get_sadinfo }, 3349 [XFRM_MSG_NEWSPDINFO - XFRM_MSG_BASE] = { .doit = xfrm_set_spdinfo, 3350 .nla_pol = xfrma_spd_policy, 3351 .nla_max = XFRMA_SPD_MAX }, 3352 [XFRM_MSG_GETSPDINFO - XFRM_MSG_BASE] = { .doit = xfrm_get_spdinfo }, 3353 [XFRM_MSG_SETDEFAULT - XFRM_MSG_BASE] = { .doit = xfrm_set_default }, 3354 [XFRM_MSG_GETDEFAULT - XFRM_MSG_BASE] = { .doit = xfrm_get_default }, 3355 }; 3356 3357 static int xfrm_reject_unused_attr(int type, struct nlattr **attrs, 3358 struct netlink_ext_ack *extack) 3359 { 3360 if (attrs[XFRMA_SA_DIR]) { 3361 switch (type) { 3362 case XFRM_MSG_NEWSA: 3363 case XFRM_MSG_UPDSA: 3364 case XFRM_MSG_ALLOCSPI: 3365 break; 3366 default: 3367 NL_SET_ERR_MSG(extack, "Invalid attribute SA_DIR"); 3368 return -EINVAL; 3369 } 3370 } 3371 3372 if (attrs[XFRMA_SA_PCPU]) { 3373 switch (type) { 3374 case XFRM_MSG_NEWSA: 3375 case XFRM_MSG_UPDSA: 3376 case XFRM_MSG_ALLOCSPI: 3377 case XFRM_MSG_ACQUIRE: 3378 3379 break; 3380 default: 3381 NL_SET_ERR_MSG(extack, "Invalid attribute SA_PCPU"); 3382 return -EINVAL; 3383 } 3384 } 3385 3386 return 0; 3387 } 3388 3389 static int xfrm_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh, 3390 struct netlink_ext_ack *extack) 3391 { 3392 struct net *net = sock_net(skb->sk); 3393 struct nlattr *attrs[XFRMA_MAX+1]; 3394 const struct xfrm_link *link; 3395 struct nlmsghdr *nlh64 = NULL; 3396 int type, err; 3397 3398 type = nlh->nlmsg_type; 3399 if (type > XFRM_MSG_MAX) 3400 return -EINVAL; 3401 3402 type -= XFRM_MSG_BASE; 3403 link = &xfrm_dispatch[type]; 3404 3405 /* All operations require privileges, even GET */ 3406 if (!netlink_net_capable(skb, CAP_NET_ADMIN)) 3407 return -EPERM; 3408 3409 if (in_compat_syscall()) { 3410 struct xfrm_translator *xtr = xfrm_get_translator(); 3411 3412 if (!xtr) 3413 return -EOPNOTSUPP; 3414 3415 nlh64 = xtr->rcv_msg_compat(nlh, link->nla_max, 3416 link->nla_pol, extack); 3417 xfrm_put_translator(xtr); 3418 if (IS_ERR(nlh64)) 3419 return PTR_ERR(nlh64); 3420 if (nlh64) 3421 nlh = nlh64; 3422 } 3423 3424 if ((type == (XFRM_MSG_GETSA - XFRM_MSG_BASE) || 3425 type == (XFRM_MSG_GETPOLICY - XFRM_MSG_BASE)) && 3426 (nlh->nlmsg_flags & NLM_F_DUMP)) { 3427 struct netlink_dump_control c = { 3428 .start = link->start, 3429 .dump = link->dump, 3430 .done = link->done, 3431 }; 3432 3433 if (link->dump == NULL) { 3434 err = -EINVAL; 3435 goto err; 3436 } 3437 3438 err = netlink_dump_start(net->xfrm.nlsk, skb, nlh, &c); 3439 goto err; 3440 } 3441 3442 err = nlmsg_parse_deprecated(nlh, xfrm_msg_min[type], attrs, 3443 link->nla_max ? : XFRMA_MAX, 3444 link->nla_pol ? : xfrma_policy, extack); 3445 if (err < 0) 3446 goto err; 3447 3448 if (!link->nla_pol || link->nla_pol == xfrma_policy) { 3449 err = xfrm_reject_unused_attr((type + XFRM_MSG_BASE), attrs, extack); 3450 if (err < 0) 3451 goto err; 3452 } 3453 3454 if (link->doit == NULL) { 3455 err = -EINVAL; 3456 goto err; 3457 } 3458 3459 err = link->doit(skb, nlh, attrs, extack); 3460 3461 /* We need to free skb allocated in xfrm_alloc_compat() before 3462 * returning from this function, because consume_skb() won't take 3463 * care of frag_list since netlink destructor sets 3464 * sbk->head to NULL. (see netlink_skb_destructor()) 3465 */ 3466 if (skb_has_frag_list(skb)) { 3467 kfree_skb(skb_shinfo(skb)->frag_list); 3468 skb_shinfo(skb)->frag_list = NULL; 3469 } 3470 3471 err: 3472 kvfree(nlh64); 3473 return err; 3474 } 3475 3476 static void xfrm_netlink_rcv(struct sk_buff *skb) 3477 { 3478 struct net *net = sock_net(skb->sk); 3479 3480 mutex_lock(&net->xfrm.xfrm_cfg_mutex); 3481 netlink_rcv_skb(skb, &xfrm_user_rcv_msg); 3482 mutex_unlock(&net->xfrm.xfrm_cfg_mutex); 3483 } 3484 3485 static inline unsigned int xfrm_expire_msgsize(void) 3486 { 3487 return NLMSG_ALIGN(sizeof(struct xfrm_user_expire)) + 3488 nla_total_size(sizeof(struct xfrm_mark)) + 3489 nla_total_size(sizeof_field(struct xfrm_state, dir)) + 3490 nla_total_size(4); /* XFRMA_SA_PCPU */ 3491 } 3492 3493 static int build_expire(struct sk_buff *skb, struct xfrm_state *x, const struct km_event *c) 3494 { 3495 struct xfrm_user_expire *ue; 3496 struct nlmsghdr *nlh; 3497 int err; 3498 3499 nlh = nlmsg_put(skb, c->portid, 0, XFRM_MSG_EXPIRE, sizeof(*ue), 0); 3500 if (nlh == NULL) 3501 return -EMSGSIZE; 3502 3503 ue = nlmsg_data(nlh); 3504 copy_to_user_state(x, &ue->state); 3505 ue->hard = (c->data.hard != 0) ? 1 : 0; 3506 /* clear the padding bytes */ 3507 memset_after(ue, 0, hard); 3508 3509 err = xfrm_mark_put(skb, &x->mark); 3510 if (err) 3511 return err; 3512 3513 err = xfrm_if_id_put(skb, x->if_id); 3514 if (err) 3515 return err; 3516 if (x->pcpu_num != UINT_MAX) { 3517 err = nla_put_u32(skb, XFRMA_SA_PCPU, x->pcpu_num); 3518 if (err) 3519 return err; 3520 } 3521 3522 if (x->dir) { 3523 err = nla_put_u8(skb, XFRMA_SA_DIR, x->dir); 3524 if (err) 3525 return err; 3526 } 3527 3528 nlmsg_end(skb, nlh); 3529 return 0; 3530 } 3531 3532 static int xfrm_exp_state_notify(struct xfrm_state *x, const struct km_event *c) 3533 { 3534 struct net *net = xs_net(x); 3535 struct sk_buff *skb; 3536 3537 skb = nlmsg_new(xfrm_expire_msgsize(), GFP_ATOMIC); 3538 if (skb == NULL) 3539 return -ENOMEM; 3540 3541 if (build_expire(skb, x, c) < 0) { 3542 kfree_skb(skb); 3543 return -EMSGSIZE; 3544 } 3545 3546 return xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_EXPIRE); 3547 } 3548 3549 static int xfrm_aevent_state_notify(struct xfrm_state *x, const struct km_event *c) 3550 { 3551 struct net *net = xs_net(x); 3552 struct sk_buff *skb; 3553 int err; 3554 3555 skb = nlmsg_new(xfrm_aevent_msgsize(x), GFP_ATOMIC); 3556 if (skb == NULL) 3557 return -ENOMEM; 3558 3559 err = build_aevent(skb, x, c); 3560 BUG_ON(err < 0); 3561 3562 return xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_AEVENTS); 3563 } 3564 3565 static int xfrm_notify_sa_flush(const struct km_event *c) 3566 { 3567 struct net *net = c->net; 3568 struct xfrm_usersa_flush *p; 3569 struct nlmsghdr *nlh; 3570 struct sk_buff *skb; 3571 int len = NLMSG_ALIGN(sizeof(struct xfrm_usersa_flush)); 3572 3573 skb = nlmsg_new(len, GFP_ATOMIC); 3574 if (skb == NULL) 3575 return -ENOMEM; 3576 3577 nlh = nlmsg_put(skb, c->portid, c->seq, XFRM_MSG_FLUSHSA, sizeof(*p), 0); 3578 if (nlh == NULL) { 3579 kfree_skb(skb); 3580 return -EMSGSIZE; 3581 } 3582 3583 p = nlmsg_data(nlh); 3584 p->proto = c->data.proto; 3585 3586 nlmsg_end(skb, nlh); 3587 3588 return xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_SA); 3589 } 3590 3591 static inline unsigned int xfrm_sa_len(struct xfrm_state *x) 3592 { 3593 unsigned int l = 0; 3594 if (x->aead) 3595 l += nla_total_size(aead_len(x->aead)); 3596 if (x->aalg) { 3597 l += nla_total_size(sizeof(struct xfrm_algo) + 3598 (x->aalg->alg_key_len + 7) / 8); 3599 l += nla_total_size(xfrm_alg_auth_len(x->aalg)); 3600 } 3601 if (x->ealg) 3602 l += nla_total_size(xfrm_alg_len(x->ealg)); 3603 if (x->calg) 3604 l += nla_total_size(sizeof(*x->calg)); 3605 if (x->encap) 3606 l += nla_total_size(sizeof(*x->encap)); 3607 if (x->tfcpad) 3608 l += nla_total_size(sizeof(x->tfcpad)); 3609 if (x->replay_esn) 3610 l += nla_total_size(xfrm_replay_state_esn_len(x->replay_esn)); 3611 else 3612 l += nla_total_size(sizeof(struct xfrm_replay_state)); 3613 if (x->security) 3614 l += nla_total_size(sizeof(struct xfrm_user_sec_ctx) + 3615 x->security->ctx_len); 3616 if (x->coaddr) 3617 l += nla_total_size(sizeof(*x->coaddr)); 3618 if (x->props.extra_flags) 3619 l += nla_total_size(sizeof(x->props.extra_flags)); 3620 if (x->xso.dev) 3621 l += nla_total_size(sizeof(struct xfrm_user_offload)); 3622 if (x->props.smark.v | x->props.smark.m) { 3623 l += nla_total_size(sizeof(x->props.smark.v)); 3624 l += nla_total_size(sizeof(x->props.smark.m)); 3625 } 3626 if (x->if_id) 3627 l += nla_total_size(sizeof(x->if_id)); 3628 if (x->pcpu_num) 3629 l += nla_total_size(sizeof(x->pcpu_num)); 3630 3631 /* Must count x->lastused as it may become non-zero behind our back. */ 3632 l += nla_total_size_64bit(sizeof(u64)); 3633 3634 if (x->mapping_maxage) 3635 l += nla_total_size(sizeof(x->mapping_maxage)); 3636 3637 if (x->dir) 3638 l += nla_total_size(sizeof(x->dir)); 3639 3640 if (x->nat_keepalive_interval) 3641 l += nla_total_size(sizeof(x->nat_keepalive_interval)); 3642 3643 if (x->mode_cbs && x->mode_cbs->sa_len) 3644 l += x->mode_cbs->sa_len(x); 3645 3646 return l; 3647 } 3648 3649 static int xfrm_notify_sa(struct xfrm_state *x, const struct km_event *c) 3650 { 3651 struct net *net = xs_net(x); 3652 struct xfrm_usersa_info *p; 3653 struct xfrm_usersa_id *id; 3654 struct nlmsghdr *nlh; 3655 struct sk_buff *skb; 3656 unsigned int len = xfrm_sa_len(x); 3657 unsigned int headlen; 3658 int err; 3659 3660 headlen = sizeof(*p); 3661 if (c->event == XFRM_MSG_DELSA) { 3662 len += nla_total_size(headlen); 3663 headlen = sizeof(*id); 3664 len += nla_total_size(sizeof(struct xfrm_mark)); 3665 } 3666 len += NLMSG_ALIGN(headlen); 3667 3668 skb = nlmsg_new(len, GFP_ATOMIC); 3669 if (skb == NULL) 3670 return -ENOMEM; 3671 3672 nlh = nlmsg_put(skb, c->portid, c->seq, c->event, headlen, 0); 3673 err = -EMSGSIZE; 3674 if (nlh == NULL) 3675 goto out_free_skb; 3676 3677 p = nlmsg_data(nlh); 3678 if (c->event == XFRM_MSG_DELSA) { 3679 struct nlattr *attr; 3680 3681 id = nlmsg_data(nlh); 3682 memset(id, 0, sizeof(*id)); 3683 memcpy(&id->daddr, &x->id.daddr, sizeof(id->daddr)); 3684 id->spi = x->id.spi; 3685 id->family = x->props.family; 3686 id->proto = x->id.proto; 3687 3688 attr = nla_reserve(skb, XFRMA_SA, sizeof(*p)); 3689 err = -EMSGSIZE; 3690 if (attr == NULL) 3691 goto out_free_skb; 3692 3693 p = nla_data(attr); 3694 } 3695 err = copy_to_user_state_extra(x, p, skb); 3696 if (err) 3697 goto out_free_skb; 3698 3699 nlmsg_end(skb, nlh); 3700 3701 return xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_SA); 3702 3703 out_free_skb: 3704 kfree_skb(skb); 3705 return err; 3706 } 3707 3708 static int xfrm_send_state_notify(struct xfrm_state *x, const struct km_event *c) 3709 { 3710 3711 switch (c->event) { 3712 case XFRM_MSG_EXPIRE: 3713 return xfrm_exp_state_notify(x, c); 3714 case XFRM_MSG_NEWAE: 3715 return xfrm_aevent_state_notify(x, c); 3716 case XFRM_MSG_DELSA: 3717 case XFRM_MSG_UPDSA: 3718 case XFRM_MSG_NEWSA: 3719 return xfrm_notify_sa(x, c); 3720 case XFRM_MSG_FLUSHSA: 3721 return xfrm_notify_sa_flush(c); 3722 default: 3723 printk(KERN_NOTICE "xfrm_user: Unknown SA event %d\n", 3724 c->event); 3725 break; 3726 } 3727 3728 return 0; 3729 3730 } 3731 3732 static inline unsigned int xfrm_acquire_msgsize(struct xfrm_state *x, 3733 struct xfrm_policy *xp) 3734 { 3735 return NLMSG_ALIGN(sizeof(struct xfrm_user_acquire)) 3736 + nla_total_size(sizeof(struct xfrm_user_tmpl) * xp->xfrm_nr) 3737 + nla_total_size(sizeof(struct xfrm_mark)) 3738 + nla_total_size(xfrm_user_sec_ctx_size(x->security)) 3739 + nla_total_size(4) /* XFRMA_SA_PCPU */ 3740 + userpolicy_type_attrsize(); 3741 } 3742 3743 static int build_acquire(struct sk_buff *skb, struct xfrm_state *x, 3744 struct xfrm_tmpl *xt, struct xfrm_policy *xp) 3745 { 3746 __u32 seq = xfrm_get_acqseq(); 3747 struct xfrm_user_acquire *ua; 3748 struct nlmsghdr *nlh; 3749 int err; 3750 3751 nlh = nlmsg_put(skb, 0, 0, XFRM_MSG_ACQUIRE, sizeof(*ua), 0); 3752 if (nlh == NULL) 3753 return -EMSGSIZE; 3754 3755 ua = nlmsg_data(nlh); 3756 memcpy(&ua->id, &x->id, sizeof(ua->id)); 3757 memcpy(&ua->saddr, &x->props.saddr, sizeof(ua->saddr)); 3758 memcpy(&ua->sel, &x->sel, sizeof(ua->sel)); 3759 copy_to_user_policy(xp, &ua->policy, XFRM_POLICY_OUT); 3760 ua->aalgos = xt->aalgos; 3761 ua->ealgos = xt->ealgos; 3762 ua->calgos = xt->calgos; 3763 ua->seq = x->km.seq = seq; 3764 3765 err = copy_to_user_tmpl(xp, skb); 3766 if (!err) 3767 err = copy_to_user_state_sec_ctx(x, skb); 3768 if (!err) 3769 err = copy_to_user_policy_type(xp->type, skb); 3770 if (!err) 3771 err = xfrm_mark_put(skb, &xp->mark); 3772 if (!err) 3773 err = xfrm_if_id_put(skb, xp->if_id); 3774 if (!err && xp->xdo.dev) 3775 err = copy_user_offload(&xp->xdo, skb); 3776 if (!err && x->pcpu_num != UINT_MAX) 3777 err = nla_put_u32(skb, XFRMA_SA_PCPU, x->pcpu_num); 3778 if (err) { 3779 nlmsg_cancel(skb, nlh); 3780 return err; 3781 } 3782 3783 nlmsg_end(skb, nlh); 3784 return 0; 3785 } 3786 3787 static int xfrm_send_acquire(struct xfrm_state *x, struct xfrm_tmpl *xt, 3788 struct xfrm_policy *xp) 3789 { 3790 struct net *net = xs_net(x); 3791 struct sk_buff *skb; 3792 int err; 3793 3794 skb = nlmsg_new(xfrm_acquire_msgsize(x, xp), GFP_ATOMIC); 3795 if (skb == NULL) 3796 return -ENOMEM; 3797 3798 err = build_acquire(skb, x, xt, xp); 3799 BUG_ON(err < 0); 3800 3801 return xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_ACQUIRE); 3802 } 3803 3804 /* User gives us xfrm_user_policy_info followed by an array of 0 3805 * or more templates. 3806 */ 3807 static struct xfrm_policy *xfrm_compile_policy(struct sock *sk, int opt, 3808 u8 *data, int len, int *dir) 3809 { 3810 struct net *net = sock_net(sk); 3811 struct xfrm_userpolicy_info *p = (struct xfrm_userpolicy_info *)data; 3812 struct xfrm_user_tmpl *ut = (struct xfrm_user_tmpl *) (p + 1); 3813 struct xfrm_policy *xp; 3814 int nr; 3815 3816 switch (sk->sk_family) { 3817 case AF_INET: 3818 if (opt != IP_XFRM_POLICY) { 3819 *dir = -EOPNOTSUPP; 3820 return NULL; 3821 } 3822 break; 3823 #if IS_ENABLED(CONFIG_IPV6) 3824 case AF_INET6: 3825 if (opt != IPV6_XFRM_POLICY) { 3826 *dir = -EOPNOTSUPP; 3827 return NULL; 3828 } 3829 break; 3830 #endif 3831 default: 3832 *dir = -EINVAL; 3833 return NULL; 3834 } 3835 3836 *dir = -EINVAL; 3837 3838 if (len < sizeof(*p) || 3839 verify_newpolicy_info(p, NULL)) 3840 return NULL; 3841 3842 nr = ((len - sizeof(*p)) / sizeof(*ut)); 3843 if (validate_tmpl(nr, ut, p->sel.family, p->dir, NULL)) 3844 return NULL; 3845 3846 if (p->dir > XFRM_POLICY_OUT) 3847 return NULL; 3848 3849 xp = xfrm_policy_alloc(net, GFP_ATOMIC); 3850 if (xp == NULL) { 3851 *dir = -ENOBUFS; 3852 return NULL; 3853 } 3854 3855 copy_from_user_policy(xp, p); 3856 xp->type = XFRM_POLICY_TYPE_MAIN; 3857 copy_templates(xp, ut, nr); 3858 3859 *dir = p->dir; 3860 3861 return xp; 3862 } 3863 3864 static inline unsigned int xfrm_polexpire_msgsize(struct xfrm_policy *xp) 3865 { 3866 return NLMSG_ALIGN(sizeof(struct xfrm_user_polexpire)) 3867 + nla_total_size(sizeof(struct xfrm_user_tmpl) * xp->xfrm_nr) 3868 + nla_total_size(xfrm_user_sec_ctx_size(xp->security)) 3869 + nla_total_size(sizeof(struct xfrm_mark)) 3870 + userpolicy_type_attrsize(); 3871 } 3872 3873 static int build_polexpire(struct sk_buff *skb, struct xfrm_policy *xp, 3874 int dir, const struct km_event *c) 3875 { 3876 struct xfrm_user_polexpire *upe; 3877 int hard = c->data.hard; 3878 struct nlmsghdr *nlh; 3879 int err; 3880 3881 nlh = nlmsg_put(skb, c->portid, 0, XFRM_MSG_POLEXPIRE, sizeof(*upe), 0); 3882 if (nlh == NULL) 3883 return -EMSGSIZE; 3884 3885 upe = nlmsg_data(nlh); 3886 copy_to_user_policy(xp, &upe->pol, dir); 3887 err = copy_to_user_tmpl(xp, skb); 3888 if (!err) 3889 err = copy_to_user_sec_ctx(xp, skb); 3890 if (!err) 3891 err = copy_to_user_policy_type(xp->type, skb); 3892 if (!err) 3893 err = xfrm_mark_put(skb, &xp->mark); 3894 if (!err) 3895 err = xfrm_if_id_put(skb, xp->if_id); 3896 if (!err && xp->xdo.dev) 3897 err = copy_user_offload(&xp->xdo, skb); 3898 if (err) { 3899 nlmsg_cancel(skb, nlh); 3900 return err; 3901 } 3902 upe->hard = !!hard; 3903 3904 nlmsg_end(skb, nlh); 3905 return 0; 3906 } 3907 3908 static int xfrm_exp_policy_notify(struct xfrm_policy *xp, int dir, const struct km_event *c) 3909 { 3910 struct net *net = xp_net(xp); 3911 struct sk_buff *skb; 3912 int err; 3913 3914 skb = nlmsg_new(xfrm_polexpire_msgsize(xp), GFP_ATOMIC); 3915 if (skb == NULL) 3916 return -ENOMEM; 3917 3918 err = build_polexpire(skb, xp, dir, c); 3919 BUG_ON(err < 0); 3920 3921 return xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_EXPIRE); 3922 } 3923 3924 static int xfrm_notify_policy(struct xfrm_policy *xp, int dir, const struct km_event *c) 3925 { 3926 unsigned int len = nla_total_size(sizeof(struct xfrm_user_tmpl) * xp->xfrm_nr); 3927 struct net *net = xp_net(xp); 3928 struct xfrm_userpolicy_info *p; 3929 struct xfrm_userpolicy_id *id; 3930 struct nlmsghdr *nlh; 3931 struct sk_buff *skb; 3932 unsigned int headlen; 3933 int err; 3934 3935 headlen = sizeof(*p); 3936 if (c->event == XFRM_MSG_DELPOLICY) { 3937 len += nla_total_size(headlen); 3938 headlen = sizeof(*id); 3939 } 3940 len += userpolicy_type_attrsize(); 3941 len += nla_total_size(sizeof(struct xfrm_mark)); 3942 len += NLMSG_ALIGN(headlen); 3943 3944 skb = nlmsg_new(len, GFP_ATOMIC); 3945 if (skb == NULL) 3946 return -ENOMEM; 3947 3948 nlh = nlmsg_put(skb, c->portid, c->seq, c->event, headlen, 0); 3949 err = -EMSGSIZE; 3950 if (nlh == NULL) 3951 goto out_free_skb; 3952 3953 p = nlmsg_data(nlh); 3954 if (c->event == XFRM_MSG_DELPOLICY) { 3955 struct nlattr *attr; 3956 3957 id = nlmsg_data(nlh); 3958 memset(id, 0, sizeof(*id)); 3959 id->dir = dir; 3960 if (c->data.byid) 3961 id->index = xp->index; 3962 else 3963 memcpy(&id->sel, &xp->selector, sizeof(id->sel)); 3964 3965 attr = nla_reserve(skb, XFRMA_POLICY, sizeof(*p)); 3966 err = -EMSGSIZE; 3967 if (attr == NULL) 3968 goto out_free_skb; 3969 3970 p = nla_data(attr); 3971 } 3972 3973 copy_to_user_policy(xp, p, dir); 3974 err = copy_to_user_tmpl(xp, skb); 3975 if (!err) 3976 err = copy_to_user_policy_type(xp->type, skb); 3977 if (!err) 3978 err = xfrm_mark_put(skb, &xp->mark); 3979 if (!err) 3980 err = xfrm_if_id_put(skb, xp->if_id); 3981 if (!err && xp->xdo.dev) 3982 err = copy_user_offload(&xp->xdo, skb); 3983 if (err) 3984 goto out_free_skb; 3985 3986 nlmsg_end(skb, nlh); 3987 3988 return xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_POLICY); 3989 3990 out_free_skb: 3991 kfree_skb(skb); 3992 return err; 3993 } 3994 3995 static int xfrm_notify_policy_flush(const struct km_event *c) 3996 { 3997 struct net *net = c->net; 3998 struct nlmsghdr *nlh; 3999 struct sk_buff *skb; 4000 int err; 4001 4002 skb = nlmsg_new(userpolicy_type_attrsize(), GFP_ATOMIC); 4003 if (skb == NULL) 4004 return -ENOMEM; 4005 4006 nlh = nlmsg_put(skb, c->portid, c->seq, XFRM_MSG_FLUSHPOLICY, 0, 0); 4007 err = -EMSGSIZE; 4008 if (nlh == NULL) 4009 goto out_free_skb; 4010 err = copy_to_user_policy_type(c->data.type, skb); 4011 if (err) 4012 goto out_free_skb; 4013 4014 nlmsg_end(skb, nlh); 4015 4016 return xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_POLICY); 4017 4018 out_free_skb: 4019 kfree_skb(skb); 4020 return err; 4021 } 4022 4023 static int xfrm_send_policy_notify(struct xfrm_policy *xp, int dir, const struct km_event *c) 4024 { 4025 4026 switch (c->event) { 4027 case XFRM_MSG_NEWPOLICY: 4028 case XFRM_MSG_UPDPOLICY: 4029 case XFRM_MSG_DELPOLICY: 4030 return xfrm_notify_policy(xp, dir, c); 4031 case XFRM_MSG_FLUSHPOLICY: 4032 return xfrm_notify_policy_flush(c); 4033 case XFRM_MSG_POLEXPIRE: 4034 return xfrm_exp_policy_notify(xp, dir, c); 4035 default: 4036 printk(KERN_NOTICE "xfrm_user: Unknown Policy event %d\n", 4037 c->event); 4038 } 4039 4040 return 0; 4041 4042 } 4043 4044 static inline unsigned int xfrm_report_msgsize(void) 4045 { 4046 return NLMSG_ALIGN(sizeof(struct xfrm_user_report)); 4047 } 4048 4049 static int build_report(struct sk_buff *skb, u8 proto, 4050 struct xfrm_selector *sel, xfrm_address_t *addr) 4051 { 4052 struct xfrm_user_report *ur; 4053 struct nlmsghdr *nlh; 4054 4055 nlh = nlmsg_put(skb, 0, 0, XFRM_MSG_REPORT, sizeof(*ur), 0); 4056 if (nlh == NULL) 4057 return -EMSGSIZE; 4058 4059 ur = nlmsg_data(nlh); 4060 ur->proto = proto; 4061 memcpy(&ur->sel, sel, sizeof(ur->sel)); 4062 4063 if (addr) { 4064 int err = nla_put(skb, XFRMA_COADDR, sizeof(*addr), addr); 4065 if (err) { 4066 nlmsg_cancel(skb, nlh); 4067 return err; 4068 } 4069 } 4070 nlmsg_end(skb, nlh); 4071 return 0; 4072 } 4073 4074 static int xfrm_send_report(struct net *net, u8 proto, 4075 struct xfrm_selector *sel, xfrm_address_t *addr) 4076 { 4077 struct sk_buff *skb; 4078 int err; 4079 4080 skb = nlmsg_new(xfrm_report_msgsize(), GFP_ATOMIC); 4081 if (skb == NULL) 4082 return -ENOMEM; 4083 4084 err = build_report(skb, proto, sel, addr); 4085 BUG_ON(err < 0); 4086 4087 return xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_REPORT); 4088 } 4089 4090 static inline unsigned int xfrm_mapping_msgsize(void) 4091 { 4092 return NLMSG_ALIGN(sizeof(struct xfrm_user_mapping)); 4093 } 4094 4095 static int build_mapping(struct sk_buff *skb, struct xfrm_state *x, 4096 xfrm_address_t *new_saddr, __be16 new_sport) 4097 { 4098 struct xfrm_user_mapping *um; 4099 struct nlmsghdr *nlh; 4100 4101 nlh = nlmsg_put(skb, 0, 0, XFRM_MSG_MAPPING, sizeof(*um), 0); 4102 if (nlh == NULL) 4103 return -EMSGSIZE; 4104 4105 um = nlmsg_data(nlh); 4106 4107 memcpy(&um->id.daddr, &x->id.daddr, sizeof(um->id.daddr)); 4108 um->id.spi = x->id.spi; 4109 um->id.family = x->props.family; 4110 um->id.proto = x->id.proto; 4111 memcpy(&um->new_saddr, new_saddr, sizeof(um->new_saddr)); 4112 memcpy(&um->old_saddr, &x->props.saddr, sizeof(um->old_saddr)); 4113 um->new_sport = new_sport; 4114 um->old_sport = x->encap->encap_sport; 4115 um->reqid = x->props.reqid; 4116 4117 nlmsg_end(skb, nlh); 4118 return 0; 4119 } 4120 4121 static int xfrm_send_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, 4122 __be16 sport) 4123 { 4124 struct net *net = xs_net(x); 4125 struct sk_buff *skb; 4126 int err; 4127 4128 if (x->id.proto != IPPROTO_ESP) 4129 return -EINVAL; 4130 4131 if (!x->encap) 4132 return -EINVAL; 4133 4134 skb = nlmsg_new(xfrm_mapping_msgsize(), GFP_ATOMIC); 4135 if (skb == NULL) 4136 return -ENOMEM; 4137 4138 err = build_mapping(skb, x, ipaddr, sport); 4139 BUG_ON(err < 0); 4140 4141 return xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_MAPPING); 4142 } 4143 4144 static bool xfrm_is_alive(const struct km_event *c) 4145 { 4146 return (bool)xfrm_acquire_is_on(c->net); 4147 } 4148 4149 static struct xfrm_mgr netlink_mgr = { 4150 .notify = xfrm_send_state_notify, 4151 .acquire = xfrm_send_acquire, 4152 .compile_policy = xfrm_compile_policy, 4153 .notify_policy = xfrm_send_policy_notify, 4154 .report = xfrm_send_report, 4155 .migrate = xfrm_send_migrate, 4156 .new_mapping = xfrm_send_mapping, 4157 .is_alive = xfrm_is_alive, 4158 }; 4159 4160 static int __net_init xfrm_user_net_init(struct net *net) 4161 { 4162 struct sock *nlsk; 4163 struct netlink_kernel_cfg cfg = { 4164 .groups = XFRMNLGRP_MAX, 4165 .input = xfrm_netlink_rcv, 4166 }; 4167 4168 nlsk = netlink_kernel_create(net, NETLINK_XFRM, &cfg); 4169 if (nlsk == NULL) 4170 return -ENOMEM; 4171 net->xfrm.nlsk_stash = nlsk; /* Don't set to NULL */ 4172 rcu_assign_pointer(net->xfrm.nlsk, nlsk); 4173 return 0; 4174 } 4175 4176 static void __net_exit xfrm_user_net_pre_exit(struct net *net) 4177 { 4178 RCU_INIT_POINTER(net->xfrm.nlsk, NULL); 4179 } 4180 4181 static void __net_exit xfrm_user_net_exit(struct list_head *net_exit_list) 4182 { 4183 struct net *net; 4184 4185 list_for_each_entry(net, net_exit_list, exit_list) 4186 netlink_kernel_release(net->xfrm.nlsk_stash); 4187 } 4188 4189 static struct pernet_operations xfrm_user_net_ops = { 4190 .init = xfrm_user_net_init, 4191 .pre_exit = xfrm_user_net_pre_exit, 4192 .exit_batch = xfrm_user_net_exit, 4193 }; 4194 4195 static int __init xfrm_user_init(void) 4196 { 4197 int rv; 4198 4199 printk(KERN_INFO "Initializing XFRM netlink socket\n"); 4200 4201 rv = register_pernet_subsys(&xfrm_user_net_ops); 4202 if (rv < 0) 4203 return rv; 4204 xfrm_register_km(&netlink_mgr); 4205 return 0; 4206 } 4207 4208 static void __exit xfrm_user_exit(void) 4209 { 4210 xfrm_unregister_km(&netlink_mgr); 4211 unregister_pernet_subsys(&xfrm_user_net_ops); 4212 } 4213 4214 module_init(xfrm_user_init); 4215 module_exit(xfrm_user_exit); 4216 MODULE_DESCRIPTION("XFRM User interface"); 4217 MODULE_LICENSE("GPL"); 4218 MODULE_ALIAS_NET_PF_PROTO(PF_NETLINK, NETLINK_XFRM); 4219