1 // SPDX-License-Identifier: GPL-2.0-only 2 /* xfrm_user.c: User interface to configure xfrm engine. 3 * 4 * Copyright (C) 2002 David S. Miller (davem@redhat.com) 5 * 6 * Changes: 7 * Mitsuru KANDA @USAGI 8 * Kazunori MIYAZAWA @USAGI 9 * Kunihiro Ishiguro <kunihiro@ipinfusion.com> 10 * IPv6 support 11 * 12 */ 13 14 #include <linux/compat.h> 15 #include <linux/crypto.h> 16 #include <linux/module.h> 17 #include <linux/kernel.h> 18 #include <linux/types.h> 19 #include <linux/slab.h> 20 #include <linux/socket.h> 21 #include <linux/string.h> 22 #include <linux/net.h> 23 #include <linux/skbuff.h> 24 #include <linux/pfkeyv2.h> 25 #include <linux/ipsec.h> 26 #include <linux/init.h> 27 #include <linux/security.h> 28 #include <net/sock.h> 29 #include <net/xfrm.h> 30 #include <net/netlink.h> 31 #include <net/ah.h> 32 #include <linux/uaccess.h> 33 #if IS_ENABLED(CONFIG_IPV6) 34 #include <linux/in6.h> 35 #endif 36 #include <linux/unaligned.h> 37 38 static int verify_one_alg(struct nlattr **attrs, enum xfrm_attr_type_t type, 39 struct netlink_ext_ack *extack) 40 { 41 struct nlattr *rt = attrs[type]; 42 struct xfrm_algo *algp; 43 44 if (!rt) 45 return 0; 46 47 algp = nla_data(rt); 48 if (nla_len(rt) < (int)xfrm_alg_len(algp)) { 49 NL_SET_ERR_MSG(extack, "Invalid AUTH/CRYPT/COMP attribute length"); 50 return -EINVAL; 51 } 52 53 switch (type) { 54 case XFRMA_ALG_AUTH: 55 case XFRMA_ALG_CRYPT: 56 case XFRMA_ALG_COMP: 57 break; 58 59 default: 60 NL_SET_ERR_MSG(extack, "Invalid algorithm attribute type"); 61 return -EINVAL; 62 } 63 64 algp->alg_name[sizeof(algp->alg_name) - 1] = '\0'; 65 return 0; 66 } 67 68 static int verify_auth_trunc(struct nlattr **attrs, 69 struct netlink_ext_ack *extack) 70 { 71 struct nlattr *rt = attrs[XFRMA_ALG_AUTH_TRUNC]; 72 struct xfrm_algo_auth *algp; 73 74 if (!rt) 75 return 0; 76 77 algp = nla_data(rt); 78 if (nla_len(rt) < (int)xfrm_alg_auth_len(algp)) { 79 NL_SET_ERR_MSG(extack, "Invalid AUTH_TRUNC attribute length"); 80 return -EINVAL; 81 } 82 83 algp->alg_name[sizeof(algp->alg_name) - 1] = '\0'; 84 return 0; 85 } 86 87 static int verify_aead(struct nlattr **attrs, struct netlink_ext_ack *extack) 88 { 89 struct nlattr *rt = attrs[XFRMA_ALG_AEAD]; 90 struct xfrm_algo_aead *algp; 91 92 if (!rt) 93 return 0; 94 95 algp = nla_data(rt); 96 if (nla_len(rt) < (int)aead_len(algp)) { 97 NL_SET_ERR_MSG(extack, "Invalid AEAD attribute length"); 98 return -EINVAL; 99 } 100 101 algp->alg_name[sizeof(algp->alg_name) - 1] = '\0'; 102 return 0; 103 } 104 105 static void verify_one_addr(struct nlattr **attrs, enum xfrm_attr_type_t type, 106 xfrm_address_t **addrp) 107 { 108 struct nlattr *rt = attrs[type]; 109 110 if (rt && addrp) 111 *addrp = nla_data(rt); 112 } 113 114 static inline int verify_sec_ctx_len(struct nlattr **attrs, struct netlink_ext_ack *extack) 115 { 116 struct nlattr *rt = attrs[XFRMA_SEC_CTX]; 117 struct xfrm_user_sec_ctx *uctx; 118 119 if (!rt) 120 return 0; 121 122 uctx = nla_data(rt); 123 if (uctx->len > nla_len(rt) || 124 uctx->len != (sizeof(struct xfrm_user_sec_ctx) + uctx->ctx_len)) { 125 NL_SET_ERR_MSG(extack, "Invalid security context length"); 126 return -EINVAL; 127 } 128 129 return 0; 130 } 131 132 static inline int verify_replay(struct xfrm_usersa_info *p, 133 struct nlattr **attrs, u8 sa_dir, 134 struct netlink_ext_ack *extack) 135 { 136 struct nlattr *rt = attrs[XFRMA_REPLAY_ESN_VAL]; 137 struct xfrm_replay_state_esn *rs; 138 139 if (!rt) { 140 if (p->flags & XFRM_STATE_ESN) { 141 NL_SET_ERR_MSG(extack, "Missing required attribute for ESN"); 142 return -EINVAL; 143 } 144 return 0; 145 } 146 147 rs = nla_data(rt); 148 149 if (rs->bmp_len > XFRMA_REPLAY_ESN_MAX / sizeof(rs->bmp[0]) / 8) { 150 NL_SET_ERR_MSG(extack, "ESN bitmap length must be <= 128"); 151 return -EINVAL; 152 } 153 154 if (nla_len(rt) < (int)xfrm_replay_state_esn_len(rs) && 155 nla_len(rt) != sizeof(*rs)) { 156 NL_SET_ERR_MSG(extack, "ESN attribute is too short to fit the full bitmap length"); 157 return -EINVAL; 158 } 159 160 /* As only ESP and AH support ESN feature. */ 161 if ((p->id.proto != IPPROTO_ESP) && (p->id.proto != IPPROTO_AH)) { 162 NL_SET_ERR_MSG(extack, "ESN only supported for ESP and AH"); 163 return -EINVAL; 164 } 165 166 if (p->replay_window != 0) { 167 NL_SET_ERR_MSG(extack, "ESN not compatible with legacy replay_window"); 168 return -EINVAL; 169 } 170 171 if (sa_dir == XFRM_SA_DIR_OUT) { 172 if (rs->replay_window) { 173 NL_SET_ERR_MSG(extack, "Replay window should be 0 for output SA"); 174 return -EINVAL; 175 } 176 if (rs->seq || rs->seq_hi) { 177 NL_SET_ERR_MSG(extack, 178 "Replay seq and seq_hi should be 0 for output SA"); 179 return -EINVAL; 180 } 181 182 if (!(p->flags & XFRM_STATE_ESN)) { 183 if (rs->oseq_hi) { 184 NL_SET_ERR_MSG( 185 extack, 186 "Replay oseq_hi should be 0 in non-ESN mode for output SA"); 187 return -EINVAL; 188 } 189 if (rs->oseq == U32_MAX) { 190 NL_SET_ERR_MSG( 191 extack, 192 "Replay oseq should be less than 0xFFFFFFFF in non-ESN mode for output SA"); 193 return -EINVAL; 194 } 195 } else { 196 if (rs->oseq == U32_MAX && rs->oseq_hi == U32_MAX) { 197 NL_SET_ERR_MSG( 198 extack, 199 "Replay oseq and oseq_hi should be less than 0xFFFFFFFF for output SA"); 200 return -EINVAL; 201 } 202 } 203 if (rs->bmp_len) { 204 NL_SET_ERR_MSG(extack, "Replay bmp_len should 0 for output SA"); 205 return -EINVAL; 206 } 207 } 208 209 if (sa_dir == XFRM_SA_DIR_IN) { 210 if (rs->oseq || rs->oseq_hi) { 211 NL_SET_ERR_MSG(extack, 212 "Replay oseq and oseq_hi should be 0 for input SA"); 213 return -EINVAL; 214 } 215 if (!(p->flags & XFRM_STATE_ESN)) { 216 if (rs->seq_hi) { 217 NL_SET_ERR_MSG( 218 extack, 219 "Replay seq_hi should be 0 in non-ESN mode for input SA"); 220 return -EINVAL; 221 } 222 223 if (rs->seq == U32_MAX) { 224 NL_SET_ERR_MSG( 225 extack, 226 "Replay seq should be less than 0xFFFFFFFF in non-ESN mode for input SA"); 227 return -EINVAL; 228 } 229 } else { 230 if (rs->seq == U32_MAX && rs->seq_hi == U32_MAX) { 231 NL_SET_ERR_MSG( 232 extack, 233 "Replay seq and seq_hi should be less than 0xFFFFFFFF for input SA"); 234 return -EINVAL; 235 } 236 } 237 } 238 239 return 0; 240 } 241 242 static int verify_newsa_info(struct xfrm_usersa_info *p, 243 struct nlattr **attrs, 244 struct netlink_ext_ack *extack) 245 { 246 int err; 247 u8 sa_dir = nla_get_u8_default(attrs[XFRMA_SA_DIR], 0); 248 u16 family = p->sel.family; 249 250 err = -EINVAL; 251 switch (p->family) { 252 case AF_INET: 253 break; 254 255 case AF_INET6: 256 #if IS_ENABLED(CONFIG_IPV6) 257 break; 258 #else 259 err = -EAFNOSUPPORT; 260 NL_SET_ERR_MSG(extack, "IPv6 support disabled"); 261 goto out; 262 #endif 263 264 default: 265 NL_SET_ERR_MSG(extack, "Invalid address family"); 266 goto out; 267 } 268 269 if (!family && !(p->flags & XFRM_STATE_AF_UNSPEC)) 270 family = p->family; 271 272 switch (family) { 273 case AF_UNSPEC: 274 break; 275 276 case AF_INET: 277 if (p->sel.prefixlen_d > 32 || p->sel.prefixlen_s > 32) { 278 NL_SET_ERR_MSG(extack, "Invalid prefix length in selector (must be <= 32 for IPv4)"); 279 goto out; 280 } 281 282 break; 283 284 case AF_INET6: 285 #if IS_ENABLED(CONFIG_IPV6) 286 if (p->sel.prefixlen_d > 128 || p->sel.prefixlen_s > 128) { 287 NL_SET_ERR_MSG(extack, "Invalid prefix length in selector (must be <= 128 for IPv6)"); 288 goto out; 289 } 290 291 break; 292 #else 293 NL_SET_ERR_MSG(extack, "IPv6 support disabled"); 294 err = -EAFNOSUPPORT; 295 goto out; 296 #endif 297 298 default: 299 NL_SET_ERR_MSG(extack, "Invalid address family in selector"); 300 goto out; 301 } 302 303 err = -EINVAL; 304 switch (p->id.proto) { 305 case IPPROTO_AH: 306 if (!attrs[XFRMA_ALG_AUTH] && 307 !attrs[XFRMA_ALG_AUTH_TRUNC]) { 308 NL_SET_ERR_MSG(extack, "Missing required attribute for AH: AUTH_TRUNC or AUTH"); 309 goto out; 310 } 311 312 if (attrs[XFRMA_ALG_AEAD] || 313 attrs[XFRMA_ALG_CRYPT] || 314 attrs[XFRMA_ALG_COMP] || 315 attrs[XFRMA_TFCPAD]) { 316 NL_SET_ERR_MSG(extack, "Invalid attributes for AH: AEAD, CRYPT, COMP, TFCPAD"); 317 goto out; 318 } 319 break; 320 321 case IPPROTO_ESP: 322 if (attrs[XFRMA_ALG_COMP]) { 323 NL_SET_ERR_MSG(extack, "Invalid attribute for ESP: COMP"); 324 goto out; 325 } 326 327 if (!attrs[XFRMA_ALG_AUTH] && 328 !attrs[XFRMA_ALG_AUTH_TRUNC] && 329 !attrs[XFRMA_ALG_CRYPT] && 330 !attrs[XFRMA_ALG_AEAD]) { 331 NL_SET_ERR_MSG(extack, "Missing required attribute for ESP: at least one of AUTH, AUTH_TRUNC, CRYPT, AEAD"); 332 goto out; 333 } 334 335 if ((attrs[XFRMA_ALG_AUTH] || 336 attrs[XFRMA_ALG_AUTH_TRUNC] || 337 attrs[XFRMA_ALG_CRYPT]) && 338 attrs[XFRMA_ALG_AEAD]) { 339 NL_SET_ERR_MSG(extack, "Invalid attribute combination for ESP: AEAD can't be used with AUTH, AUTH_TRUNC, CRYPT"); 340 goto out; 341 } 342 343 if (attrs[XFRMA_TFCPAD] && 344 p->mode != XFRM_MODE_TUNNEL) { 345 NL_SET_ERR_MSG(extack, "TFC padding can only be used in tunnel mode"); 346 goto out; 347 } 348 if ((attrs[XFRMA_IPTFS_DROP_TIME] || 349 attrs[XFRMA_IPTFS_REORDER_WINDOW] || 350 attrs[XFRMA_IPTFS_DONT_FRAG] || 351 attrs[XFRMA_IPTFS_INIT_DELAY] || 352 attrs[XFRMA_IPTFS_MAX_QSIZE] || 353 attrs[XFRMA_IPTFS_PKT_SIZE]) && 354 p->mode != XFRM_MODE_IPTFS) { 355 NL_SET_ERR_MSG(extack, "IP-TFS options can only be used in IP-TFS mode"); 356 goto out; 357 } 358 break; 359 360 case IPPROTO_COMP: 361 if (!attrs[XFRMA_ALG_COMP]) { 362 NL_SET_ERR_MSG(extack, "Missing required attribute for COMP: COMP"); 363 goto out; 364 } 365 366 if (attrs[XFRMA_ALG_AEAD] || 367 attrs[XFRMA_ALG_AUTH] || 368 attrs[XFRMA_ALG_AUTH_TRUNC] || 369 attrs[XFRMA_ALG_CRYPT] || 370 attrs[XFRMA_TFCPAD]) { 371 NL_SET_ERR_MSG(extack, "Invalid attributes for COMP: AEAD, AUTH, AUTH_TRUNC, CRYPT, TFCPAD"); 372 goto out; 373 } 374 375 if (ntohl(p->id.spi) >= 0x10000) { 376 NL_SET_ERR_MSG(extack, "SPI is too large for COMP (must be < 0x10000)"); 377 goto out; 378 } 379 break; 380 381 #if IS_ENABLED(CONFIG_IPV6) 382 case IPPROTO_DSTOPTS: 383 case IPPROTO_ROUTING: 384 if (attrs[XFRMA_ALG_COMP] || 385 attrs[XFRMA_ALG_AUTH] || 386 attrs[XFRMA_ALG_AUTH_TRUNC] || 387 attrs[XFRMA_ALG_AEAD] || 388 attrs[XFRMA_ALG_CRYPT] || 389 attrs[XFRMA_ENCAP] || 390 attrs[XFRMA_SEC_CTX] || 391 attrs[XFRMA_TFCPAD]) { 392 NL_SET_ERR_MSG(extack, "Invalid attributes for DSTOPTS/ROUTING"); 393 goto out; 394 } 395 396 if (!attrs[XFRMA_COADDR]) { 397 NL_SET_ERR_MSG(extack, "Missing required COADDR attribute for DSTOPTS/ROUTING"); 398 goto out; 399 } 400 break; 401 #endif 402 403 default: 404 NL_SET_ERR_MSG(extack, "Unsupported protocol"); 405 goto out; 406 } 407 408 if ((err = verify_aead(attrs, extack))) 409 goto out; 410 if ((err = verify_auth_trunc(attrs, extack))) 411 goto out; 412 if ((err = verify_one_alg(attrs, XFRMA_ALG_AUTH, extack))) 413 goto out; 414 if ((err = verify_one_alg(attrs, XFRMA_ALG_CRYPT, extack))) 415 goto out; 416 if ((err = verify_one_alg(attrs, XFRMA_ALG_COMP, extack))) 417 goto out; 418 if ((err = verify_sec_ctx_len(attrs, extack))) 419 goto out; 420 if ((err = verify_replay(p, attrs, sa_dir, extack))) 421 goto out; 422 423 err = -EINVAL; 424 switch (p->mode) { 425 case XFRM_MODE_TRANSPORT: 426 case XFRM_MODE_TUNNEL: 427 case XFRM_MODE_ROUTEOPTIMIZATION: 428 case XFRM_MODE_BEET: 429 break; 430 case XFRM_MODE_IPTFS: 431 if (p->id.proto != IPPROTO_ESP) { 432 NL_SET_ERR_MSG(extack, "IP-TFS mode only supported with ESP"); 433 goto out; 434 } 435 if (sa_dir == 0) { 436 NL_SET_ERR_MSG(extack, "IP-TFS mode requires in or out direction attribute"); 437 goto out; 438 } 439 break; 440 441 default: 442 NL_SET_ERR_MSG(extack, "Unsupported mode"); 443 goto out; 444 } 445 446 err = 0; 447 448 if (attrs[XFRMA_MTIMER_THRESH]) { 449 if (!attrs[XFRMA_ENCAP]) { 450 NL_SET_ERR_MSG(extack, "MTIMER_THRESH attribute can only be set on ENCAP states"); 451 err = -EINVAL; 452 goto out; 453 } 454 455 if (sa_dir == XFRM_SA_DIR_OUT) { 456 NL_SET_ERR_MSG(extack, 457 "MTIMER_THRESH attribute should not be set on output SA"); 458 err = -EINVAL; 459 goto out; 460 } 461 } 462 463 if (sa_dir == XFRM_SA_DIR_OUT) { 464 if (p->flags & XFRM_STATE_DECAP_DSCP) { 465 NL_SET_ERR_MSG(extack, "Flag DECAP_DSCP should not be set for output SA"); 466 err = -EINVAL; 467 goto out; 468 } 469 470 if (p->flags & XFRM_STATE_ICMP) { 471 NL_SET_ERR_MSG(extack, "Flag ICMP should not be set for output SA"); 472 err = -EINVAL; 473 goto out; 474 } 475 476 if (p->flags & XFRM_STATE_WILDRECV) { 477 NL_SET_ERR_MSG(extack, "Flag WILDRECV should not be set for output SA"); 478 err = -EINVAL; 479 goto out; 480 } 481 482 if (p->replay_window) { 483 NL_SET_ERR_MSG(extack, "Replay window should be 0 for output SA"); 484 err = -EINVAL; 485 goto out; 486 } 487 488 if (attrs[XFRMA_IPTFS_DROP_TIME]) { 489 NL_SET_ERR_MSG(extack, "IP-TFS drop time should not be set for output SA"); 490 err = -EINVAL; 491 goto out; 492 } 493 494 if (attrs[XFRMA_IPTFS_REORDER_WINDOW]) { 495 NL_SET_ERR_MSG(extack, "IP-TFS reorder window should not be set for output SA"); 496 err = -EINVAL; 497 goto out; 498 } 499 500 if (attrs[XFRMA_REPLAY_VAL]) { 501 struct xfrm_replay_state *replay; 502 503 replay = nla_data(attrs[XFRMA_REPLAY_VAL]); 504 505 if (replay->seq || replay->bitmap) { 506 NL_SET_ERR_MSG(extack, 507 "Replay seq and bitmap should be 0 for output SA"); 508 err = -EINVAL; 509 goto out; 510 } 511 } 512 } 513 514 if (sa_dir == XFRM_SA_DIR_IN) { 515 if (p->flags & XFRM_STATE_NOPMTUDISC) { 516 NL_SET_ERR_MSG(extack, "Flag NOPMTUDISC should not be set for input SA"); 517 err = -EINVAL; 518 goto out; 519 } 520 521 if (attrs[XFRMA_SA_EXTRA_FLAGS]) { 522 u32 xflags = nla_get_u32(attrs[XFRMA_SA_EXTRA_FLAGS]); 523 524 if (xflags & XFRM_SA_XFLAG_DONT_ENCAP_DSCP) { 525 NL_SET_ERR_MSG(extack, "Flag DONT_ENCAP_DSCP should not be set for input SA"); 526 err = -EINVAL; 527 goto out; 528 } 529 530 if (xflags & XFRM_SA_XFLAG_OSEQ_MAY_WRAP) { 531 NL_SET_ERR_MSG(extack, "Flag OSEQ_MAY_WRAP should not be set for input SA"); 532 err = -EINVAL; 533 goto out; 534 } 535 536 } 537 538 if (attrs[XFRMA_IPTFS_DONT_FRAG]) { 539 NL_SET_ERR_MSG(extack, "IP-TFS don't fragment should not be set for input SA"); 540 err = -EINVAL; 541 goto out; 542 } 543 544 if (attrs[XFRMA_IPTFS_INIT_DELAY]) { 545 NL_SET_ERR_MSG(extack, "IP-TFS initial delay should not be set for input SA"); 546 err = -EINVAL; 547 goto out; 548 } 549 550 if (attrs[XFRMA_IPTFS_MAX_QSIZE]) { 551 NL_SET_ERR_MSG(extack, "IP-TFS max queue size should not be set for input SA"); 552 err = -EINVAL; 553 goto out; 554 } 555 556 if (attrs[XFRMA_IPTFS_PKT_SIZE]) { 557 NL_SET_ERR_MSG(extack, "IP-TFS packet size should not be set for input SA"); 558 err = -EINVAL; 559 goto out; 560 } 561 } 562 563 if (!sa_dir && attrs[XFRMA_SA_PCPU]) { 564 NL_SET_ERR_MSG(extack, "SA_PCPU only supported with SA_DIR"); 565 err = -EINVAL; 566 goto out; 567 } 568 569 out: 570 return err; 571 } 572 573 static int attach_one_algo(struct xfrm_algo **algpp, u8 *props, 574 struct xfrm_algo_desc *(*get_byname)(const char *, int), 575 struct nlattr *rta, struct netlink_ext_ack *extack) 576 { 577 struct xfrm_algo *p, *ualg; 578 struct xfrm_algo_desc *algo; 579 580 if (!rta) 581 return 0; 582 583 ualg = nla_data(rta); 584 585 algo = get_byname(ualg->alg_name, 1); 586 if (!algo) { 587 NL_SET_ERR_MSG(extack, "Requested COMP algorithm not found"); 588 return -ENOSYS; 589 } 590 *props = algo->desc.sadb_alg_id; 591 592 p = kmemdup(ualg, xfrm_alg_len(ualg), GFP_KERNEL); 593 if (!p) 594 return -ENOMEM; 595 596 strcpy(p->alg_name, algo->name); 597 *algpp = p; 598 return 0; 599 } 600 601 static int attach_crypt(struct xfrm_state *x, struct nlattr *rta, 602 struct netlink_ext_ack *extack) 603 { 604 struct xfrm_algo *p, *ualg; 605 struct xfrm_algo_desc *algo; 606 607 if (!rta) 608 return 0; 609 610 ualg = nla_data(rta); 611 612 algo = xfrm_ealg_get_byname(ualg->alg_name, 1); 613 if (!algo) { 614 NL_SET_ERR_MSG(extack, "Requested CRYPT algorithm not found"); 615 return -ENOSYS; 616 } 617 x->props.ealgo = algo->desc.sadb_alg_id; 618 619 p = kmemdup(ualg, xfrm_alg_len(ualg), GFP_KERNEL); 620 if (!p) 621 return -ENOMEM; 622 623 strcpy(p->alg_name, algo->name); 624 x->ealg = p; 625 x->geniv = algo->uinfo.encr.geniv; 626 return 0; 627 } 628 629 static int attach_auth(struct xfrm_algo_auth **algpp, u8 *props, 630 struct nlattr *rta, struct netlink_ext_ack *extack) 631 { 632 struct xfrm_algo *ualg; 633 struct xfrm_algo_auth *p; 634 struct xfrm_algo_desc *algo; 635 636 if (!rta) 637 return 0; 638 639 ualg = nla_data(rta); 640 641 algo = xfrm_aalg_get_byname(ualg->alg_name, 1); 642 if (!algo) { 643 NL_SET_ERR_MSG(extack, "Requested AUTH algorithm not found"); 644 return -ENOSYS; 645 } 646 *props = algo->desc.sadb_alg_id; 647 648 p = kmalloc(sizeof(*p) + (ualg->alg_key_len + 7) / 8, GFP_KERNEL); 649 if (!p) 650 return -ENOMEM; 651 652 strcpy(p->alg_name, algo->name); 653 p->alg_key_len = ualg->alg_key_len; 654 p->alg_trunc_len = algo->uinfo.auth.icv_truncbits; 655 memcpy(p->alg_key, ualg->alg_key, (ualg->alg_key_len + 7) / 8); 656 657 *algpp = p; 658 return 0; 659 } 660 661 static int attach_auth_trunc(struct xfrm_algo_auth **algpp, u8 *props, 662 struct nlattr *rta, struct netlink_ext_ack *extack) 663 { 664 struct xfrm_algo_auth *p, *ualg; 665 struct xfrm_algo_desc *algo; 666 667 if (!rta) 668 return 0; 669 670 ualg = nla_data(rta); 671 672 algo = xfrm_aalg_get_byname(ualg->alg_name, 1); 673 if (!algo) { 674 NL_SET_ERR_MSG(extack, "Requested AUTH_TRUNC algorithm not found"); 675 return -ENOSYS; 676 } 677 if (ualg->alg_trunc_len > algo->uinfo.auth.icv_fullbits) { 678 NL_SET_ERR_MSG(extack, "Invalid length requested for truncated ICV"); 679 return -EINVAL; 680 } 681 *props = algo->desc.sadb_alg_id; 682 683 p = kmemdup(ualg, xfrm_alg_auth_len(ualg), GFP_KERNEL); 684 if (!p) 685 return -ENOMEM; 686 687 strcpy(p->alg_name, algo->name); 688 if (!p->alg_trunc_len) 689 p->alg_trunc_len = algo->uinfo.auth.icv_truncbits; 690 691 *algpp = p; 692 return 0; 693 } 694 695 static int attach_aead(struct xfrm_state *x, struct nlattr *rta, 696 struct netlink_ext_ack *extack) 697 { 698 struct xfrm_algo_aead *p, *ualg; 699 struct xfrm_algo_desc *algo; 700 701 if (!rta) 702 return 0; 703 704 ualg = nla_data(rta); 705 706 algo = xfrm_aead_get_byname(ualg->alg_name, ualg->alg_icv_len, 1); 707 if (!algo) { 708 NL_SET_ERR_MSG(extack, "Requested AEAD algorithm not found"); 709 return -ENOSYS; 710 } 711 x->props.ealgo = algo->desc.sadb_alg_id; 712 713 p = kmemdup(ualg, aead_len(ualg), GFP_KERNEL); 714 if (!p) 715 return -ENOMEM; 716 717 strcpy(p->alg_name, algo->name); 718 x->aead = p; 719 x->geniv = algo->uinfo.aead.geniv; 720 return 0; 721 } 722 723 static inline int xfrm_replay_verify_len(struct xfrm_replay_state_esn *replay_esn, 724 struct nlattr *rp, 725 struct netlink_ext_ack *extack) 726 { 727 struct xfrm_replay_state_esn *up; 728 unsigned int ulen; 729 730 if (!replay_esn || !rp) 731 return 0; 732 733 up = nla_data(rp); 734 ulen = xfrm_replay_state_esn_len(up); 735 736 /* Check the overall length and the internal bitmap length to avoid 737 * potential overflow. */ 738 if (nla_len(rp) < (int)ulen) { 739 NL_SET_ERR_MSG(extack, "ESN attribute is too short"); 740 return -EINVAL; 741 } 742 743 if (xfrm_replay_state_esn_len(replay_esn) != ulen) { 744 NL_SET_ERR_MSG(extack, "New ESN size doesn't match the existing SA's ESN size"); 745 return -EINVAL; 746 } 747 748 if (replay_esn->bmp_len != up->bmp_len) { 749 NL_SET_ERR_MSG(extack, "New ESN bitmap size doesn't match the existing SA's ESN bitmap"); 750 return -EINVAL; 751 } 752 753 if (up->replay_window > up->bmp_len * sizeof(__u32) * 8) { 754 NL_SET_ERR_MSG(extack, "ESN replay window is longer than the bitmap"); 755 return -EINVAL; 756 } 757 758 return 0; 759 } 760 761 static int xfrm_alloc_replay_state_esn(struct xfrm_replay_state_esn **replay_esn, 762 struct xfrm_replay_state_esn **preplay_esn, 763 struct nlattr *rta) 764 { 765 struct xfrm_replay_state_esn *p, *pp, *up; 766 unsigned int klen, ulen; 767 768 if (!rta) 769 return 0; 770 771 up = nla_data(rta); 772 klen = xfrm_replay_state_esn_len(up); 773 ulen = nla_len(rta) >= (int)klen ? klen : sizeof(*up); 774 775 p = kzalloc(klen, GFP_KERNEL); 776 if (!p) 777 return -ENOMEM; 778 779 pp = kzalloc(klen, GFP_KERNEL); 780 if (!pp) { 781 kfree(p); 782 return -ENOMEM; 783 } 784 785 memcpy(p, up, ulen); 786 memcpy(pp, up, ulen); 787 788 *replay_esn = p; 789 *preplay_esn = pp; 790 791 return 0; 792 } 793 794 static inline unsigned int xfrm_user_sec_ctx_size(struct xfrm_sec_ctx *xfrm_ctx) 795 { 796 unsigned int len = 0; 797 798 if (xfrm_ctx) { 799 len += sizeof(struct xfrm_user_sec_ctx); 800 len += xfrm_ctx->ctx_len; 801 } 802 return len; 803 } 804 805 static void copy_from_user_state(struct xfrm_state *x, struct xfrm_usersa_info *p) 806 { 807 memcpy(&x->id, &p->id, sizeof(x->id)); 808 memcpy(&x->sel, &p->sel, sizeof(x->sel)); 809 memcpy(&x->lft, &p->lft, sizeof(x->lft)); 810 x->props.mode = p->mode; 811 x->props.replay_window = min_t(unsigned int, p->replay_window, 812 sizeof(x->replay.bitmap) * 8); 813 x->props.reqid = p->reqid; 814 x->props.family = p->family; 815 memcpy(&x->props.saddr, &p->saddr, sizeof(x->props.saddr)); 816 x->props.flags = p->flags; 817 818 if (!x->sel.family && !(p->flags & XFRM_STATE_AF_UNSPEC)) 819 x->sel.family = p->family; 820 } 821 822 /* 823 * someday when pfkey also has support, we could have the code 824 * somehow made shareable and move it to xfrm_state.c - JHS 825 * 826 */ 827 static void xfrm_update_ae_params(struct xfrm_state *x, struct nlattr **attrs, 828 int update_esn) 829 { 830 struct nlattr *rp = attrs[XFRMA_REPLAY_VAL]; 831 struct nlattr *re = update_esn ? attrs[XFRMA_REPLAY_ESN_VAL] : NULL; 832 struct nlattr *lt = attrs[XFRMA_LTIME_VAL]; 833 struct nlattr *et = attrs[XFRMA_ETIMER_THRESH]; 834 struct nlattr *rt = attrs[XFRMA_REPLAY_THRESH]; 835 struct nlattr *mt = attrs[XFRMA_MTIMER_THRESH]; 836 837 if (re && x->replay_esn && x->preplay_esn) { 838 struct xfrm_replay_state_esn *replay_esn; 839 replay_esn = nla_data(re); 840 memcpy(x->replay_esn, replay_esn, 841 xfrm_replay_state_esn_len(replay_esn)); 842 memcpy(x->preplay_esn, replay_esn, 843 xfrm_replay_state_esn_len(replay_esn)); 844 } 845 846 if (rp) { 847 struct xfrm_replay_state *replay; 848 replay = nla_data(rp); 849 memcpy(&x->replay, replay, sizeof(*replay)); 850 memcpy(&x->preplay, replay, sizeof(*replay)); 851 } 852 853 if (lt) { 854 struct xfrm_lifetime_cur *ltime; 855 ltime = nla_data(lt); 856 x->curlft.bytes = ltime->bytes; 857 x->curlft.packets = ltime->packets; 858 x->curlft.add_time = ltime->add_time; 859 x->curlft.use_time = ltime->use_time; 860 } 861 862 if (et) 863 x->replay_maxage = nla_get_u32(et); 864 865 if (rt) 866 x->replay_maxdiff = nla_get_u32(rt); 867 868 if (mt) 869 x->mapping_maxage = nla_get_u32(mt); 870 } 871 872 static void xfrm_smark_init(struct nlattr **attrs, struct xfrm_mark *m) 873 { 874 if (attrs[XFRMA_SET_MARK]) { 875 m->v = nla_get_u32(attrs[XFRMA_SET_MARK]); 876 m->m = nla_get_u32_default(attrs[XFRMA_SET_MARK_MASK], 877 0xffffffff); 878 } else { 879 m->v = m->m = 0; 880 } 881 } 882 883 static struct xfrm_state *xfrm_state_construct(struct net *net, 884 struct xfrm_usersa_info *p, 885 struct nlattr **attrs, 886 int *errp, 887 struct netlink_ext_ack *extack) 888 { 889 struct xfrm_state *x = xfrm_state_alloc(net); 890 int err = -ENOMEM; 891 892 if (!x) 893 goto error_no_put; 894 895 copy_from_user_state(x, p); 896 897 if (attrs[XFRMA_ENCAP]) { 898 x->encap = kmemdup(nla_data(attrs[XFRMA_ENCAP]), 899 sizeof(*x->encap), GFP_KERNEL); 900 if (x->encap == NULL) 901 goto error; 902 } 903 904 if (attrs[XFRMA_COADDR]) { 905 x->coaddr = kmemdup(nla_data(attrs[XFRMA_COADDR]), 906 sizeof(*x->coaddr), GFP_KERNEL); 907 if (x->coaddr == NULL) 908 goto error; 909 } 910 911 if (attrs[XFRMA_SA_EXTRA_FLAGS]) 912 x->props.extra_flags = nla_get_u32(attrs[XFRMA_SA_EXTRA_FLAGS]); 913 914 if ((err = attach_aead(x, attrs[XFRMA_ALG_AEAD], extack))) 915 goto error; 916 if ((err = attach_auth_trunc(&x->aalg, &x->props.aalgo, 917 attrs[XFRMA_ALG_AUTH_TRUNC], extack))) 918 goto error; 919 if (!x->props.aalgo) { 920 if ((err = attach_auth(&x->aalg, &x->props.aalgo, 921 attrs[XFRMA_ALG_AUTH], extack))) 922 goto error; 923 } 924 if ((err = attach_crypt(x, attrs[XFRMA_ALG_CRYPT], extack))) 925 goto error; 926 if ((err = attach_one_algo(&x->calg, &x->props.calgo, 927 xfrm_calg_get_byname, 928 attrs[XFRMA_ALG_COMP], extack))) 929 goto error; 930 931 if (attrs[XFRMA_TFCPAD]) 932 x->tfcpad = nla_get_u32(attrs[XFRMA_TFCPAD]); 933 934 xfrm_mark_get(attrs, &x->mark); 935 936 xfrm_smark_init(attrs, &x->props.smark); 937 938 if (attrs[XFRMA_IF_ID]) 939 x->if_id = nla_get_u32(attrs[XFRMA_IF_ID]); 940 941 if (attrs[XFRMA_SA_DIR]) 942 x->dir = nla_get_u8(attrs[XFRMA_SA_DIR]); 943 944 if (attrs[XFRMA_NAT_KEEPALIVE_INTERVAL]) 945 x->nat_keepalive_interval = 946 nla_get_u32(attrs[XFRMA_NAT_KEEPALIVE_INTERVAL]); 947 948 if (attrs[XFRMA_SA_PCPU]) { 949 x->pcpu_num = nla_get_u32(attrs[XFRMA_SA_PCPU]); 950 if (x->pcpu_num >= num_possible_cpus()) 951 goto error; 952 } 953 954 err = __xfrm_init_state(x, extack); 955 if (err) 956 goto error; 957 958 if (attrs[XFRMA_SEC_CTX]) { 959 err = security_xfrm_state_alloc(x, 960 nla_data(attrs[XFRMA_SEC_CTX])); 961 if (err) 962 goto error; 963 } 964 965 if ((err = xfrm_alloc_replay_state_esn(&x->replay_esn, &x->preplay_esn, 966 attrs[XFRMA_REPLAY_ESN_VAL]))) 967 goto error; 968 969 x->km.seq = p->seq; 970 x->replay_maxdiff = net->xfrm.sysctl_aevent_rseqth; 971 /* sysctl_xfrm_aevent_etime is in 100ms units */ 972 x->replay_maxage = (net->xfrm.sysctl_aevent_etime*HZ)/XFRM_AE_ETH_M; 973 974 if ((err = xfrm_init_replay(x, extack))) 975 goto error; 976 977 /* override default values from above */ 978 xfrm_update_ae_params(x, attrs, 0); 979 980 xfrm_set_type_offload(x, attrs[XFRMA_OFFLOAD_DEV]); 981 /* configure the hardware if offload is requested */ 982 if (attrs[XFRMA_OFFLOAD_DEV]) { 983 err = xfrm_dev_state_add(net, x, 984 nla_data(attrs[XFRMA_OFFLOAD_DEV]), 985 extack); 986 if (err) 987 goto error; 988 } 989 990 if (x->mode_cbs && x->mode_cbs->user_init) { 991 err = x->mode_cbs->user_init(net, x, attrs, extack); 992 if (err) 993 goto error; 994 } 995 996 return x; 997 998 error: 999 x->km.state = XFRM_STATE_DEAD; 1000 xfrm_state_put(x); 1001 error_no_put: 1002 *errp = err; 1003 return NULL; 1004 } 1005 1006 static int xfrm_add_sa(struct sk_buff *skb, struct nlmsghdr *nlh, 1007 struct nlattr **attrs, struct netlink_ext_ack *extack) 1008 { 1009 struct net *net = sock_net(skb->sk); 1010 struct xfrm_usersa_info *p = nlmsg_data(nlh); 1011 struct xfrm_state *x; 1012 int err; 1013 struct km_event c; 1014 1015 err = verify_newsa_info(p, attrs, extack); 1016 if (err) 1017 return err; 1018 1019 x = xfrm_state_construct(net, p, attrs, &err, extack); 1020 if (!x) 1021 return err; 1022 1023 xfrm_state_hold(x); 1024 if (nlh->nlmsg_type == XFRM_MSG_NEWSA) 1025 err = xfrm_state_add(x); 1026 else 1027 err = xfrm_state_update(x); 1028 1029 xfrm_audit_state_add(x, err ? 0 : 1, true); 1030 1031 if (err < 0) { 1032 x->km.state = XFRM_STATE_DEAD; 1033 xfrm_dev_state_delete(x); 1034 __xfrm_state_put(x); 1035 goto out; 1036 } 1037 1038 if (x->km.state == XFRM_STATE_VOID) 1039 x->km.state = XFRM_STATE_VALID; 1040 1041 c.seq = nlh->nlmsg_seq; 1042 c.portid = nlh->nlmsg_pid; 1043 c.event = nlh->nlmsg_type; 1044 1045 km_state_notify(x, &c); 1046 out: 1047 xfrm_state_put(x); 1048 return err; 1049 } 1050 1051 static struct xfrm_state *xfrm_user_state_lookup(struct net *net, 1052 struct xfrm_usersa_id *p, 1053 struct nlattr **attrs, 1054 int *errp) 1055 { 1056 struct xfrm_state *x = NULL; 1057 struct xfrm_mark m; 1058 int err; 1059 u32 mark = xfrm_mark_get(attrs, &m); 1060 1061 if (xfrm_id_proto_match(p->proto, IPSEC_PROTO_ANY)) { 1062 err = -ESRCH; 1063 x = xfrm_state_lookup(net, mark, &p->daddr, p->spi, p->proto, p->family); 1064 } else { 1065 xfrm_address_t *saddr = NULL; 1066 1067 verify_one_addr(attrs, XFRMA_SRCADDR, &saddr); 1068 if (!saddr) { 1069 err = -EINVAL; 1070 goto out; 1071 } 1072 1073 err = -ESRCH; 1074 x = xfrm_state_lookup_byaddr(net, mark, 1075 &p->daddr, saddr, 1076 p->proto, p->family); 1077 } 1078 1079 out: 1080 if (!x && errp) 1081 *errp = err; 1082 return x; 1083 } 1084 1085 static int xfrm_del_sa(struct sk_buff *skb, struct nlmsghdr *nlh, 1086 struct nlattr **attrs, struct netlink_ext_ack *extack) 1087 { 1088 struct net *net = sock_net(skb->sk); 1089 struct xfrm_state *x; 1090 int err = -ESRCH; 1091 struct km_event c; 1092 struct xfrm_usersa_id *p = nlmsg_data(nlh); 1093 1094 x = xfrm_user_state_lookup(net, p, attrs, &err); 1095 if (x == NULL) 1096 return err; 1097 1098 if ((err = security_xfrm_state_delete(x)) != 0) 1099 goto out; 1100 1101 if (xfrm_state_kern(x)) { 1102 NL_SET_ERR_MSG(extack, "SA is in use by tunnels"); 1103 err = -EPERM; 1104 goto out; 1105 } 1106 1107 err = xfrm_state_delete(x); 1108 if (err < 0) 1109 goto out; 1110 1111 c.seq = nlh->nlmsg_seq; 1112 c.portid = nlh->nlmsg_pid; 1113 c.event = nlh->nlmsg_type; 1114 km_state_notify(x, &c); 1115 1116 out: 1117 xfrm_audit_state_delete(x, err ? 0 : 1, true); 1118 xfrm_state_put(x); 1119 return err; 1120 } 1121 1122 static void copy_to_user_state(struct xfrm_state *x, struct xfrm_usersa_info *p) 1123 { 1124 memset(p, 0, sizeof(*p)); 1125 memcpy(&p->id, &x->id, sizeof(p->id)); 1126 memcpy(&p->sel, &x->sel, sizeof(p->sel)); 1127 memcpy(&p->lft, &x->lft, sizeof(p->lft)); 1128 if (x->xso.dev) 1129 xfrm_dev_state_update_stats(x); 1130 memcpy(&p->curlft, &x->curlft, sizeof(p->curlft)); 1131 put_unaligned(x->stats.replay_window, &p->stats.replay_window); 1132 put_unaligned(x->stats.replay, &p->stats.replay); 1133 put_unaligned(x->stats.integrity_failed, &p->stats.integrity_failed); 1134 memcpy(&p->saddr, &x->props.saddr, sizeof(p->saddr)); 1135 p->mode = x->props.mode; 1136 p->replay_window = x->props.replay_window; 1137 p->reqid = x->props.reqid; 1138 p->family = x->props.family; 1139 p->flags = x->props.flags; 1140 p->seq = x->km.seq; 1141 } 1142 1143 struct xfrm_dump_info { 1144 struct sk_buff *in_skb; 1145 struct sk_buff *out_skb; 1146 u32 nlmsg_seq; 1147 u16 nlmsg_flags; 1148 }; 1149 1150 static int copy_sec_ctx(struct xfrm_sec_ctx *s, struct sk_buff *skb) 1151 { 1152 struct xfrm_user_sec_ctx *uctx; 1153 struct nlattr *attr; 1154 int ctx_size = sizeof(*uctx) + s->ctx_len; 1155 1156 attr = nla_reserve(skb, XFRMA_SEC_CTX, ctx_size); 1157 if (attr == NULL) 1158 return -EMSGSIZE; 1159 1160 uctx = nla_data(attr); 1161 uctx->exttype = XFRMA_SEC_CTX; 1162 uctx->len = ctx_size; 1163 uctx->ctx_doi = s->ctx_doi; 1164 uctx->ctx_alg = s->ctx_alg; 1165 uctx->ctx_len = s->ctx_len; 1166 memcpy(uctx + 1, s->ctx_str, s->ctx_len); 1167 1168 return 0; 1169 } 1170 1171 static int copy_user_offload(struct xfrm_dev_offload *xso, struct sk_buff *skb) 1172 { 1173 struct xfrm_user_offload *xuo; 1174 struct nlattr *attr; 1175 1176 attr = nla_reserve(skb, XFRMA_OFFLOAD_DEV, sizeof(*xuo)); 1177 if (attr == NULL) 1178 return -EMSGSIZE; 1179 1180 xuo = nla_data(attr); 1181 memset(xuo, 0, sizeof(*xuo)); 1182 xuo->ifindex = xso->dev->ifindex; 1183 if (xso->dir == XFRM_DEV_OFFLOAD_IN) 1184 xuo->flags = XFRM_OFFLOAD_INBOUND; 1185 if (xso->type == XFRM_DEV_OFFLOAD_PACKET) 1186 xuo->flags |= XFRM_OFFLOAD_PACKET; 1187 1188 return 0; 1189 } 1190 1191 static bool xfrm_redact(void) 1192 { 1193 return IS_ENABLED(CONFIG_SECURITY) && 1194 security_locked_down(LOCKDOWN_XFRM_SECRET); 1195 } 1196 1197 static int copy_to_user_auth(struct xfrm_algo_auth *auth, struct sk_buff *skb) 1198 { 1199 struct xfrm_algo *algo; 1200 struct xfrm_algo_auth *ap; 1201 struct nlattr *nla; 1202 bool redact_secret = xfrm_redact(); 1203 1204 nla = nla_reserve(skb, XFRMA_ALG_AUTH, 1205 sizeof(*algo) + (auth->alg_key_len + 7) / 8); 1206 if (!nla) 1207 return -EMSGSIZE; 1208 algo = nla_data(nla); 1209 strscpy_pad(algo->alg_name, auth->alg_name); 1210 1211 if (redact_secret && auth->alg_key_len) 1212 memset(algo->alg_key, 0, (auth->alg_key_len + 7) / 8); 1213 else 1214 memcpy(algo->alg_key, auth->alg_key, 1215 (auth->alg_key_len + 7) / 8); 1216 algo->alg_key_len = auth->alg_key_len; 1217 1218 nla = nla_reserve(skb, XFRMA_ALG_AUTH_TRUNC, xfrm_alg_auth_len(auth)); 1219 if (!nla) 1220 return -EMSGSIZE; 1221 ap = nla_data(nla); 1222 strscpy_pad(ap->alg_name, auth->alg_name); 1223 ap->alg_key_len = auth->alg_key_len; 1224 ap->alg_trunc_len = auth->alg_trunc_len; 1225 if (redact_secret && auth->alg_key_len) 1226 memset(ap->alg_key, 0, (auth->alg_key_len + 7) / 8); 1227 else 1228 memcpy(ap->alg_key, auth->alg_key, 1229 (auth->alg_key_len + 7) / 8); 1230 return 0; 1231 } 1232 1233 static int copy_to_user_aead(struct xfrm_algo_aead *aead, struct sk_buff *skb) 1234 { 1235 struct nlattr *nla = nla_reserve(skb, XFRMA_ALG_AEAD, aead_len(aead)); 1236 struct xfrm_algo_aead *ap; 1237 bool redact_secret = xfrm_redact(); 1238 1239 if (!nla) 1240 return -EMSGSIZE; 1241 1242 ap = nla_data(nla); 1243 strscpy_pad(ap->alg_name, aead->alg_name); 1244 ap->alg_key_len = aead->alg_key_len; 1245 ap->alg_icv_len = aead->alg_icv_len; 1246 1247 if (redact_secret && aead->alg_key_len) 1248 memset(ap->alg_key, 0, (aead->alg_key_len + 7) / 8); 1249 else 1250 memcpy(ap->alg_key, aead->alg_key, 1251 (aead->alg_key_len + 7) / 8); 1252 return 0; 1253 } 1254 1255 static int copy_to_user_ealg(struct xfrm_algo *ealg, struct sk_buff *skb) 1256 { 1257 struct xfrm_algo *ap; 1258 bool redact_secret = xfrm_redact(); 1259 struct nlattr *nla = nla_reserve(skb, XFRMA_ALG_CRYPT, 1260 xfrm_alg_len(ealg)); 1261 if (!nla) 1262 return -EMSGSIZE; 1263 1264 ap = nla_data(nla); 1265 strscpy_pad(ap->alg_name, ealg->alg_name); 1266 ap->alg_key_len = ealg->alg_key_len; 1267 1268 if (redact_secret && ealg->alg_key_len) 1269 memset(ap->alg_key, 0, (ealg->alg_key_len + 7) / 8); 1270 else 1271 memcpy(ap->alg_key, ealg->alg_key, 1272 (ealg->alg_key_len + 7) / 8); 1273 1274 return 0; 1275 } 1276 1277 static int copy_to_user_calg(struct xfrm_algo *calg, struct sk_buff *skb) 1278 { 1279 struct nlattr *nla = nla_reserve(skb, XFRMA_ALG_COMP, sizeof(*calg)); 1280 struct xfrm_algo *ap; 1281 1282 if (!nla) 1283 return -EMSGSIZE; 1284 1285 ap = nla_data(nla); 1286 strscpy_pad(ap->alg_name, calg->alg_name); 1287 ap->alg_key_len = 0; 1288 1289 return 0; 1290 } 1291 1292 static int copy_to_user_encap(struct xfrm_encap_tmpl *ep, struct sk_buff *skb) 1293 { 1294 struct nlattr *nla = nla_reserve(skb, XFRMA_ENCAP, sizeof(*ep)); 1295 struct xfrm_encap_tmpl *uep; 1296 1297 if (!nla) 1298 return -EMSGSIZE; 1299 1300 uep = nla_data(nla); 1301 memset(uep, 0, sizeof(*uep)); 1302 1303 uep->encap_type = ep->encap_type; 1304 uep->encap_sport = ep->encap_sport; 1305 uep->encap_dport = ep->encap_dport; 1306 uep->encap_oa = ep->encap_oa; 1307 1308 return 0; 1309 } 1310 1311 static int xfrm_smark_put(struct sk_buff *skb, struct xfrm_mark *m) 1312 { 1313 int ret = 0; 1314 1315 if (m->v | m->m) { 1316 ret = nla_put_u32(skb, XFRMA_SET_MARK, m->v); 1317 if (!ret) 1318 ret = nla_put_u32(skb, XFRMA_SET_MARK_MASK, m->m); 1319 } 1320 return ret; 1321 } 1322 1323 /* Don't change this without updating xfrm_sa_len! */ 1324 static int copy_to_user_state_extra(struct xfrm_state *x, 1325 struct xfrm_usersa_info *p, 1326 struct sk_buff *skb) 1327 { 1328 int ret = 0; 1329 1330 copy_to_user_state(x, p); 1331 1332 if (x->props.extra_flags) { 1333 ret = nla_put_u32(skb, XFRMA_SA_EXTRA_FLAGS, 1334 x->props.extra_flags); 1335 if (ret) 1336 goto out; 1337 } 1338 1339 if (x->coaddr) { 1340 ret = nla_put(skb, XFRMA_COADDR, sizeof(*x->coaddr), x->coaddr); 1341 if (ret) 1342 goto out; 1343 } 1344 if (x->lastused) { 1345 ret = nla_put_u64_64bit(skb, XFRMA_LASTUSED, x->lastused, 1346 XFRMA_PAD); 1347 if (ret) 1348 goto out; 1349 } 1350 if (x->aead) { 1351 ret = copy_to_user_aead(x->aead, skb); 1352 if (ret) 1353 goto out; 1354 } 1355 if (x->aalg) { 1356 ret = copy_to_user_auth(x->aalg, skb); 1357 if (ret) 1358 goto out; 1359 } 1360 if (x->ealg) { 1361 ret = copy_to_user_ealg(x->ealg, skb); 1362 if (ret) 1363 goto out; 1364 } 1365 if (x->calg) { 1366 ret = copy_to_user_calg(x->calg, skb); 1367 if (ret) 1368 goto out; 1369 } 1370 if (x->encap) { 1371 ret = copy_to_user_encap(x->encap, skb); 1372 if (ret) 1373 goto out; 1374 } 1375 if (x->tfcpad) { 1376 ret = nla_put_u32(skb, XFRMA_TFCPAD, x->tfcpad); 1377 if (ret) 1378 goto out; 1379 } 1380 ret = xfrm_mark_put(skb, &x->mark); 1381 if (ret) 1382 goto out; 1383 1384 ret = xfrm_smark_put(skb, &x->props.smark); 1385 if (ret) 1386 goto out; 1387 1388 if (x->replay_esn) 1389 ret = nla_put(skb, XFRMA_REPLAY_ESN_VAL, 1390 xfrm_replay_state_esn_len(x->replay_esn), 1391 x->replay_esn); 1392 else 1393 ret = nla_put(skb, XFRMA_REPLAY_VAL, sizeof(x->replay), 1394 &x->replay); 1395 if (ret) 1396 goto out; 1397 if(x->xso.dev) 1398 ret = copy_user_offload(&x->xso, skb); 1399 if (ret) 1400 goto out; 1401 if (x->if_id) { 1402 ret = nla_put_u32(skb, XFRMA_IF_ID, x->if_id); 1403 if (ret) 1404 goto out; 1405 } 1406 if (x->security) { 1407 ret = copy_sec_ctx(x->security, skb); 1408 if (ret) 1409 goto out; 1410 } 1411 if (x->mode_cbs && x->mode_cbs->copy_to_user) 1412 ret = x->mode_cbs->copy_to_user(x, skb); 1413 if (ret) 1414 goto out; 1415 if (x->mapping_maxage) { 1416 ret = nla_put_u32(skb, XFRMA_MTIMER_THRESH, x->mapping_maxage); 1417 if (ret) 1418 goto out; 1419 } 1420 if (x->pcpu_num != UINT_MAX) { 1421 ret = nla_put_u32(skb, XFRMA_SA_PCPU, x->pcpu_num); 1422 if (ret) 1423 goto out; 1424 } 1425 if (x->dir) 1426 ret = nla_put_u8(skb, XFRMA_SA_DIR, x->dir); 1427 1428 if (x->nat_keepalive_interval) { 1429 ret = nla_put_u32(skb, XFRMA_NAT_KEEPALIVE_INTERVAL, 1430 x->nat_keepalive_interval); 1431 if (ret) 1432 goto out; 1433 } 1434 out: 1435 return ret; 1436 } 1437 1438 static int dump_one_state(struct xfrm_state *x, int count, void *ptr) 1439 { 1440 struct xfrm_dump_info *sp = ptr; 1441 struct sk_buff *in_skb = sp->in_skb; 1442 struct sk_buff *skb = sp->out_skb; 1443 struct xfrm_translator *xtr; 1444 struct xfrm_usersa_info *p; 1445 struct nlmsghdr *nlh; 1446 int err; 1447 1448 nlh = nlmsg_put(skb, NETLINK_CB(in_skb).portid, sp->nlmsg_seq, 1449 XFRM_MSG_NEWSA, sizeof(*p), sp->nlmsg_flags); 1450 if (nlh == NULL) 1451 return -EMSGSIZE; 1452 1453 p = nlmsg_data(nlh); 1454 1455 err = copy_to_user_state_extra(x, p, skb); 1456 if (err) { 1457 nlmsg_cancel(skb, nlh); 1458 return err; 1459 } 1460 nlmsg_end(skb, nlh); 1461 1462 xtr = xfrm_get_translator(); 1463 if (xtr) { 1464 err = xtr->alloc_compat(skb, nlh); 1465 1466 xfrm_put_translator(xtr); 1467 if (err) { 1468 nlmsg_cancel(skb, nlh); 1469 return err; 1470 } 1471 } 1472 1473 return 0; 1474 } 1475 1476 static int xfrm_dump_sa_done(struct netlink_callback *cb) 1477 { 1478 struct xfrm_state_walk *walk = (struct xfrm_state_walk *) &cb->args[1]; 1479 struct sock *sk = cb->skb->sk; 1480 struct net *net = sock_net(sk); 1481 1482 if (cb->args[0]) 1483 xfrm_state_walk_done(walk, net); 1484 return 0; 1485 } 1486 1487 static int xfrm_dump_sa(struct sk_buff *skb, struct netlink_callback *cb) 1488 { 1489 struct net *net = sock_net(skb->sk); 1490 struct xfrm_state_walk *walk = (struct xfrm_state_walk *) &cb->args[1]; 1491 struct xfrm_dump_info info; 1492 1493 BUILD_BUG_ON(sizeof(struct xfrm_state_walk) > 1494 sizeof(cb->args) - sizeof(cb->args[0])); 1495 1496 info.in_skb = cb->skb; 1497 info.out_skb = skb; 1498 info.nlmsg_seq = cb->nlh->nlmsg_seq; 1499 info.nlmsg_flags = NLM_F_MULTI; 1500 1501 if (!cb->args[0]) { 1502 struct nlattr *attrs[XFRMA_MAX+1]; 1503 struct xfrm_address_filter *filter = NULL; 1504 u8 proto = 0; 1505 int err; 1506 1507 err = nlmsg_parse_deprecated(cb->nlh, 0, attrs, XFRMA_MAX, 1508 xfrma_policy, cb->extack); 1509 if (err < 0) 1510 return err; 1511 1512 if (attrs[XFRMA_ADDRESS_FILTER]) { 1513 filter = kmemdup(nla_data(attrs[XFRMA_ADDRESS_FILTER]), 1514 sizeof(*filter), GFP_KERNEL); 1515 if (filter == NULL) 1516 return -ENOMEM; 1517 1518 /* see addr_match(), (prefix length >> 5) << 2 1519 * will be used to compare xfrm_address_t 1520 */ 1521 if (filter->splen > (sizeof(xfrm_address_t) << 3) || 1522 filter->dplen > (sizeof(xfrm_address_t) << 3)) { 1523 kfree(filter); 1524 return -EINVAL; 1525 } 1526 } 1527 1528 if (attrs[XFRMA_PROTO]) 1529 proto = nla_get_u8(attrs[XFRMA_PROTO]); 1530 1531 xfrm_state_walk_init(walk, proto, filter); 1532 cb->args[0] = 1; 1533 } 1534 1535 (void) xfrm_state_walk(net, walk, dump_one_state, &info); 1536 1537 return skb->len; 1538 } 1539 1540 static struct sk_buff *xfrm_state_netlink(struct sk_buff *in_skb, 1541 struct xfrm_state *x, u32 seq) 1542 { 1543 struct xfrm_dump_info info; 1544 struct sk_buff *skb; 1545 int err; 1546 1547 skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC); 1548 if (!skb) 1549 return ERR_PTR(-ENOMEM); 1550 1551 info.in_skb = in_skb; 1552 info.out_skb = skb; 1553 info.nlmsg_seq = seq; 1554 info.nlmsg_flags = 0; 1555 1556 err = dump_one_state(x, 0, &info); 1557 if (err) { 1558 kfree_skb(skb); 1559 return ERR_PTR(err); 1560 } 1561 1562 return skb; 1563 } 1564 1565 /* A wrapper for nlmsg_multicast() checking that nlsk is still available. 1566 * Must be called with RCU read lock. 1567 */ 1568 static inline int xfrm_nlmsg_multicast(struct net *net, struct sk_buff *skb, 1569 u32 pid, unsigned int group) 1570 { 1571 struct sock *nlsk = rcu_dereference(net->xfrm.nlsk); 1572 struct xfrm_translator *xtr; 1573 1574 if (!nlsk) { 1575 kfree_skb(skb); 1576 return -EPIPE; 1577 } 1578 1579 xtr = xfrm_get_translator(); 1580 if (xtr) { 1581 int err = xtr->alloc_compat(skb, nlmsg_hdr(skb)); 1582 1583 xfrm_put_translator(xtr); 1584 if (err) { 1585 kfree_skb(skb); 1586 return err; 1587 } 1588 } 1589 1590 return nlmsg_multicast(nlsk, skb, pid, group, GFP_ATOMIC); 1591 } 1592 1593 static inline unsigned int xfrm_spdinfo_msgsize(void) 1594 { 1595 return NLMSG_ALIGN(4) 1596 + nla_total_size(sizeof(struct xfrmu_spdinfo)) 1597 + nla_total_size(sizeof(struct xfrmu_spdhinfo)) 1598 + nla_total_size(sizeof(struct xfrmu_spdhthresh)) 1599 + nla_total_size(sizeof(struct xfrmu_spdhthresh)); 1600 } 1601 1602 static int build_spdinfo(struct sk_buff *skb, struct net *net, 1603 u32 portid, u32 seq, u32 flags) 1604 { 1605 struct xfrmk_spdinfo si; 1606 struct xfrmu_spdinfo spc; 1607 struct xfrmu_spdhinfo sph; 1608 struct xfrmu_spdhthresh spt4, spt6; 1609 struct nlmsghdr *nlh; 1610 int err; 1611 u32 *f; 1612 unsigned lseq; 1613 1614 nlh = nlmsg_put(skb, portid, seq, XFRM_MSG_NEWSPDINFO, sizeof(u32), 0); 1615 if (nlh == NULL) /* shouldn't really happen ... */ 1616 return -EMSGSIZE; 1617 1618 f = nlmsg_data(nlh); 1619 *f = flags; 1620 xfrm_spd_getinfo(net, &si); 1621 spc.incnt = si.incnt; 1622 spc.outcnt = si.outcnt; 1623 spc.fwdcnt = si.fwdcnt; 1624 spc.inscnt = si.inscnt; 1625 spc.outscnt = si.outscnt; 1626 spc.fwdscnt = si.fwdscnt; 1627 sph.spdhcnt = si.spdhcnt; 1628 sph.spdhmcnt = si.spdhmcnt; 1629 1630 do { 1631 lseq = read_seqbegin(&net->xfrm.policy_hthresh.lock); 1632 1633 spt4.lbits = net->xfrm.policy_hthresh.lbits4; 1634 spt4.rbits = net->xfrm.policy_hthresh.rbits4; 1635 spt6.lbits = net->xfrm.policy_hthresh.lbits6; 1636 spt6.rbits = net->xfrm.policy_hthresh.rbits6; 1637 } while (read_seqretry(&net->xfrm.policy_hthresh.lock, lseq)); 1638 1639 err = nla_put(skb, XFRMA_SPD_INFO, sizeof(spc), &spc); 1640 if (!err) 1641 err = nla_put(skb, XFRMA_SPD_HINFO, sizeof(sph), &sph); 1642 if (!err) 1643 err = nla_put(skb, XFRMA_SPD_IPV4_HTHRESH, sizeof(spt4), &spt4); 1644 if (!err) 1645 err = nla_put(skb, XFRMA_SPD_IPV6_HTHRESH, sizeof(spt6), &spt6); 1646 if (err) { 1647 nlmsg_cancel(skb, nlh); 1648 return err; 1649 } 1650 1651 nlmsg_end(skb, nlh); 1652 return 0; 1653 } 1654 1655 static int xfrm_set_spdinfo(struct sk_buff *skb, struct nlmsghdr *nlh, 1656 struct nlattr **attrs, 1657 struct netlink_ext_ack *extack) 1658 { 1659 struct net *net = sock_net(skb->sk); 1660 struct xfrmu_spdhthresh *thresh4 = NULL; 1661 struct xfrmu_spdhthresh *thresh6 = NULL; 1662 1663 /* selector prefixlen thresholds to hash policies */ 1664 if (attrs[XFRMA_SPD_IPV4_HTHRESH]) { 1665 struct nlattr *rta = attrs[XFRMA_SPD_IPV4_HTHRESH]; 1666 1667 if (nla_len(rta) < sizeof(*thresh4)) { 1668 NL_SET_ERR_MSG(extack, "Invalid SPD_IPV4_HTHRESH attribute length"); 1669 return -EINVAL; 1670 } 1671 thresh4 = nla_data(rta); 1672 if (thresh4->lbits > 32 || thresh4->rbits > 32) { 1673 NL_SET_ERR_MSG(extack, "Invalid hash threshold (must be <= 32 for IPv4)"); 1674 return -EINVAL; 1675 } 1676 } 1677 if (attrs[XFRMA_SPD_IPV6_HTHRESH]) { 1678 struct nlattr *rta = attrs[XFRMA_SPD_IPV6_HTHRESH]; 1679 1680 if (nla_len(rta) < sizeof(*thresh6)) { 1681 NL_SET_ERR_MSG(extack, "Invalid SPD_IPV6_HTHRESH attribute length"); 1682 return -EINVAL; 1683 } 1684 thresh6 = nla_data(rta); 1685 if (thresh6->lbits > 128 || thresh6->rbits > 128) { 1686 NL_SET_ERR_MSG(extack, "Invalid hash threshold (must be <= 128 for IPv6)"); 1687 return -EINVAL; 1688 } 1689 } 1690 1691 if (thresh4 || thresh6) { 1692 write_seqlock(&net->xfrm.policy_hthresh.lock); 1693 if (thresh4) { 1694 net->xfrm.policy_hthresh.lbits4 = thresh4->lbits; 1695 net->xfrm.policy_hthresh.rbits4 = thresh4->rbits; 1696 } 1697 if (thresh6) { 1698 net->xfrm.policy_hthresh.lbits6 = thresh6->lbits; 1699 net->xfrm.policy_hthresh.rbits6 = thresh6->rbits; 1700 } 1701 write_sequnlock(&net->xfrm.policy_hthresh.lock); 1702 1703 xfrm_policy_hash_rebuild(net); 1704 } 1705 1706 return 0; 1707 } 1708 1709 static int xfrm_get_spdinfo(struct sk_buff *skb, struct nlmsghdr *nlh, 1710 struct nlattr **attrs, 1711 struct netlink_ext_ack *extack) 1712 { 1713 struct net *net = sock_net(skb->sk); 1714 struct sk_buff *r_skb; 1715 u32 *flags = nlmsg_data(nlh); 1716 u32 sportid = NETLINK_CB(skb).portid; 1717 u32 seq = nlh->nlmsg_seq; 1718 int err; 1719 1720 r_skb = nlmsg_new(xfrm_spdinfo_msgsize(), GFP_ATOMIC); 1721 if (r_skb == NULL) 1722 return -ENOMEM; 1723 1724 err = build_spdinfo(r_skb, net, sportid, seq, *flags); 1725 BUG_ON(err < 0); 1726 1727 return nlmsg_unicast(net->xfrm.nlsk, r_skb, sportid); 1728 } 1729 1730 static inline unsigned int xfrm_sadinfo_msgsize(void) 1731 { 1732 return NLMSG_ALIGN(4) 1733 + nla_total_size(sizeof(struct xfrmu_sadhinfo)) 1734 + nla_total_size(4); /* XFRMA_SAD_CNT */ 1735 } 1736 1737 static int build_sadinfo(struct sk_buff *skb, struct net *net, 1738 u32 portid, u32 seq, u32 flags) 1739 { 1740 struct xfrmk_sadinfo si; 1741 struct xfrmu_sadhinfo sh; 1742 struct nlmsghdr *nlh; 1743 int err; 1744 u32 *f; 1745 1746 nlh = nlmsg_put(skb, portid, seq, XFRM_MSG_NEWSADINFO, sizeof(u32), 0); 1747 if (nlh == NULL) /* shouldn't really happen ... */ 1748 return -EMSGSIZE; 1749 1750 f = nlmsg_data(nlh); 1751 *f = flags; 1752 xfrm_sad_getinfo(net, &si); 1753 1754 sh.sadhmcnt = si.sadhmcnt; 1755 sh.sadhcnt = si.sadhcnt; 1756 1757 err = nla_put_u32(skb, XFRMA_SAD_CNT, si.sadcnt); 1758 if (!err) 1759 err = nla_put(skb, XFRMA_SAD_HINFO, sizeof(sh), &sh); 1760 if (err) { 1761 nlmsg_cancel(skb, nlh); 1762 return err; 1763 } 1764 1765 nlmsg_end(skb, nlh); 1766 return 0; 1767 } 1768 1769 static int xfrm_get_sadinfo(struct sk_buff *skb, struct nlmsghdr *nlh, 1770 struct nlattr **attrs, 1771 struct netlink_ext_ack *extack) 1772 { 1773 struct net *net = sock_net(skb->sk); 1774 struct sk_buff *r_skb; 1775 u32 *flags = nlmsg_data(nlh); 1776 u32 sportid = NETLINK_CB(skb).portid; 1777 u32 seq = nlh->nlmsg_seq; 1778 int err; 1779 1780 r_skb = nlmsg_new(xfrm_sadinfo_msgsize(), GFP_ATOMIC); 1781 if (r_skb == NULL) 1782 return -ENOMEM; 1783 1784 err = build_sadinfo(r_skb, net, sportid, seq, *flags); 1785 BUG_ON(err < 0); 1786 1787 return nlmsg_unicast(net->xfrm.nlsk, r_skb, sportid); 1788 } 1789 1790 static int xfrm_get_sa(struct sk_buff *skb, struct nlmsghdr *nlh, 1791 struct nlattr **attrs, struct netlink_ext_ack *extack) 1792 { 1793 struct net *net = sock_net(skb->sk); 1794 struct xfrm_usersa_id *p = nlmsg_data(nlh); 1795 struct xfrm_state *x; 1796 struct sk_buff *resp_skb; 1797 int err = -ESRCH; 1798 1799 x = xfrm_user_state_lookup(net, p, attrs, &err); 1800 if (x == NULL) 1801 goto out_noput; 1802 1803 resp_skb = xfrm_state_netlink(skb, x, nlh->nlmsg_seq); 1804 if (IS_ERR(resp_skb)) { 1805 err = PTR_ERR(resp_skb); 1806 } else { 1807 err = nlmsg_unicast(net->xfrm.nlsk, resp_skb, NETLINK_CB(skb).portid); 1808 } 1809 xfrm_state_put(x); 1810 out_noput: 1811 return err; 1812 } 1813 1814 static int xfrm_alloc_userspi(struct sk_buff *skb, struct nlmsghdr *nlh, 1815 struct nlattr **attrs, 1816 struct netlink_ext_ack *extack) 1817 { 1818 struct net *net = sock_net(skb->sk); 1819 struct xfrm_state *x; 1820 struct xfrm_userspi_info *p; 1821 struct xfrm_translator *xtr; 1822 struct sk_buff *resp_skb; 1823 xfrm_address_t *daddr; 1824 int family; 1825 int err; 1826 u32 mark; 1827 struct xfrm_mark m; 1828 u32 if_id = 0; 1829 u32 pcpu_num = UINT_MAX; 1830 1831 p = nlmsg_data(nlh); 1832 err = verify_spi_info(p->info.id.proto, p->min, p->max, extack); 1833 if (err) 1834 goto out_noput; 1835 1836 family = p->info.family; 1837 daddr = &p->info.id.daddr; 1838 1839 x = NULL; 1840 1841 mark = xfrm_mark_get(attrs, &m); 1842 1843 if (attrs[XFRMA_IF_ID]) 1844 if_id = nla_get_u32(attrs[XFRMA_IF_ID]); 1845 1846 if (attrs[XFRMA_SA_PCPU]) { 1847 pcpu_num = nla_get_u32(attrs[XFRMA_SA_PCPU]); 1848 if (pcpu_num >= num_possible_cpus()) { 1849 err = -EINVAL; 1850 goto out_noput; 1851 } 1852 } 1853 1854 if (p->info.seq) { 1855 x = xfrm_find_acq_byseq(net, mark, p->info.seq, pcpu_num); 1856 if (x && !xfrm_addr_equal(&x->id.daddr, daddr, family)) { 1857 xfrm_state_put(x); 1858 x = NULL; 1859 } 1860 } 1861 1862 if (!x) 1863 x = xfrm_find_acq(net, &m, p->info.mode, p->info.reqid, 1864 if_id, pcpu_num, p->info.id.proto, daddr, 1865 &p->info.saddr, 1, 1866 family); 1867 err = -ENOENT; 1868 if (!x) { 1869 NL_SET_ERR_MSG(extack, "Target ACQUIRE not found"); 1870 goto out_noput; 1871 } 1872 1873 err = xfrm_alloc_spi(x, p->min, p->max, extack); 1874 if (err) 1875 goto out; 1876 1877 if (attrs[XFRMA_SA_DIR]) 1878 x->dir = nla_get_u8(attrs[XFRMA_SA_DIR]); 1879 1880 resp_skb = xfrm_state_netlink(skb, x, nlh->nlmsg_seq); 1881 if (IS_ERR(resp_skb)) { 1882 err = PTR_ERR(resp_skb); 1883 goto out; 1884 } 1885 1886 xtr = xfrm_get_translator(); 1887 if (xtr) { 1888 err = xtr->alloc_compat(skb, nlmsg_hdr(skb)); 1889 1890 xfrm_put_translator(xtr); 1891 if (err) { 1892 kfree_skb(resp_skb); 1893 goto out; 1894 } 1895 } 1896 1897 err = nlmsg_unicast(net->xfrm.nlsk, resp_skb, NETLINK_CB(skb).portid); 1898 1899 out: 1900 xfrm_state_put(x); 1901 out_noput: 1902 return err; 1903 } 1904 1905 static int verify_policy_dir(u8 dir, struct netlink_ext_ack *extack) 1906 { 1907 switch (dir) { 1908 case XFRM_POLICY_IN: 1909 case XFRM_POLICY_OUT: 1910 case XFRM_POLICY_FWD: 1911 break; 1912 1913 default: 1914 NL_SET_ERR_MSG(extack, "Invalid policy direction"); 1915 return -EINVAL; 1916 } 1917 1918 return 0; 1919 } 1920 1921 static int verify_policy_type(u8 type, struct netlink_ext_ack *extack) 1922 { 1923 switch (type) { 1924 case XFRM_POLICY_TYPE_MAIN: 1925 #ifdef CONFIG_XFRM_SUB_POLICY 1926 case XFRM_POLICY_TYPE_SUB: 1927 #endif 1928 break; 1929 1930 default: 1931 NL_SET_ERR_MSG(extack, "Invalid policy type"); 1932 return -EINVAL; 1933 } 1934 1935 return 0; 1936 } 1937 1938 static int verify_newpolicy_info(struct xfrm_userpolicy_info *p, 1939 struct netlink_ext_ack *extack) 1940 { 1941 int ret; 1942 1943 switch (p->share) { 1944 case XFRM_SHARE_ANY: 1945 case XFRM_SHARE_SESSION: 1946 case XFRM_SHARE_USER: 1947 case XFRM_SHARE_UNIQUE: 1948 break; 1949 1950 default: 1951 NL_SET_ERR_MSG(extack, "Invalid policy share"); 1952 return -EINVAL; 1953 } 1954 1955 switch (p->action) { 1956 case XFRM_POLICY_ALLOW: 1957 case XFRM_POLICY_BLOCK: 1958 break; 1959 1960 default: 1961 NL_SET_ERR_MSG(extack, "Invalid policy action"); 1962 return -EINVAL; 1963 } 1964 1965 switch (p->sel.family) { 1966 case AF_INET: 1967 if (p->sel.prefixlen_d > 32 || p->sel.prefixlen_s > 32) { 1968 NL_SET_ERR_MSG(extack, "Invalid prefix length in selector (must be <= 32 for IPv4)"); 1969 return -EINVAL; 1970 } 1971 1972 break; 1973 1974 case AF_INET6: 1975 #if IS_ENABLED(CONFIG_IPV6) 1976 if (p->sel.prefixlen_d > 128 || p->sel.prefixlen_s > 128) { 1977 NL_SET_ERR_MSG(extack, "Invalid prefix length in selector (must be <= 128 for IPv6)"); 1978 return -EINVAL; 1979 } 1980 1981 break; 1982 #else 1983 NL_SET_ERR_MSG(extack, "IPv6 support disabled"); 1984 return -EAFNOSUPPORT; 1985 #endif 1986 1987 default: 1988 NL_SET_ERR_MSG(extack, "Invalid selector family"); 1989 return -EINVAL; 1990 } 1991 1992 ret = verify_policy_dir(p->dir, extack); 1993 if (ret) 1994 return ret; 1995 if (p->index && (xfrm_policy_id2dir(p->index) != p->dir)) { 1996 NL_SET_ERR_MSG(extack, "Policy index doesn't match direction"); 1997 return -EINVAL; 1998 } 1999 2000 return 0; 2001 } 2002 2003 static int copy_from_user_sec_ctx(struct xfrm_policy *pol, struct nlattr **attrs) 2004 { 2005 struct nlattr *rt = attrs[XFRMA_SEC_CTX]; 2006 struct xfrm_user_sec_ctx *uctx; 2007 2008 if (!rt) 2009 return 0; 2010 2011 uctx = nla_data(rt); 2012 return security_xfrm_policy_alloc(&pol->security, uctx, GFP_KERNEL); 2013 } 2014 2015 static void copy_templates(struct xfrm_policy *xp, struct xfrm_user_tmpl *ut, 2016 int nr) 2017 { 2018 int i; 2019 2020 xp->xfrm_nr = nr; 2021 for (i = 0; i < nr; i++, ut++) { 2022 struct xfrm_tmpl *t = &xp->xfrm_vec[i]; 2023 2024 memcpy(&t->id, &ut->id, sizeof(struct xfrm_id)); 2025 memcpy(&t->saddr, &ut->saddr, 2026 sizeof(xfrm_address_t)); 2027 t->reqid = ut->reqid; 2028 t->mode = ut->mode; 2029 t->share = ut->share; 2030 t->optional = ut->optional; 2031 t->aalgos = ut->aalgos; 2032 t->ealgos = ut->ealgos; 2033 t->calgos = ut->calgos; 2034 /* If all masks are ~0, then we allow all algorithms. */ 2035 t->allalgs = !~(t->aalgos & t->ealgos & t->calgos); 2036 t->encap_family = ut->family; 2037 } 2038 } 2039 2040 static int validate_tmpl(int nr, struct xfrm_user_tmpl *ut, u16 family, 2041 int dir, struct netlink_ext_ack *extack) 2042 { 2043 u16 prev_family; 2044 int i; 2045 2046 if (nr > XFRM_MAX_DEPTH) { 2047 NL_SET_ERR_MSG(extack, "Template count must be <= XFRM_MAX_DEPTH (" __stringify(XFRM_MAX_DEPTH) ")"); 2048 return -EINVAL; 2049 } 2050 2051 prev_family = family; 2052 2053 for (i = 0; i < nr; i++) { 2054 /* We never validated the ut->family value, so many 2055 * applications simply leave it at zero. The check was 2056 * never made and ut->family was ignored because all 2057 * templates could be assumed to have the same family as 2058 * the policy itself. Now that we will have ipv4-in-ipv6 2059 * and ipv6-in-ipv4 tunnels, this is no longer true. 2060 */ 2061 if (!ut[i].family) 2062 ut[i].family = family; 2063 2064 switch (ut[i].mode) { 2065 case XFRM_MODE_TUNNEL: 2066 case XFRM_MODE_BEET: 2067 if (ut[i].optional && dir == XFRM_POLICY_OUT) { 2068 NL_SET_ERR_MSG(extack, "Mode in optional template not allowed in outbound policy"); 2069 return -EINVAL; 2070 } 2071 break; 2072 case XFRM_MODE_IPTFS: 2073 break; 2074 default: 2075 if (ut[i].family != prev_family) { 2076 NL_SET_ERR_MSG(extack, "Mode in template doesn't support a family change"); 2077 return -EINVAL; 2078 } 2079 break; 2080 } 2081 if (ut[i].mode >= XFRM_MODE_MAX) { 2082 NL_SET_ERR_MSG(extack, "Mode in template must be < XFRM_MODE_MAX (" __stringify(XFRM_MODE_MAX) ")"); 2083 return -EINVAL; 2084 } 2085 2086 prev_family = ut[i].family; 2087 2088 switch (ut[i].family) { 2089 case AF_INET: 2090 break; 2091 #if IS_ENABLED(CONFIG_IPV6) 2092 case AF_INET6: 2093 break; 2094 #endif 2095 default: 2096 NL_SET_ERR_MSG(extack, "Invalid family in template"); 2097 return -EINVAL; 2098 } 2099 2100 if (!xfrm_id_proto_valid(ut[i].id.proto)) { 2101 NL_SET_ERR_MSG(extack, "Invalid XFRM protocol in template"); 2102 return -EINVAL; 2103 } 2104 } 2105 2106 return 0; 2107 } 2108 2109 static int copy_from_user_tmpl(struct xfrm_policy *pol, struct nlattr **attrs, 2110 int dir, struct netlink_ext_ack *extack) 2111 { 2112 struct nlattr *rt = attrs[XFRMA_TMPL]; 2113 2114 if (!rt) { 2115 pol->xfrm_nr = 0; 2116 } else { 2117 struct xfrm_user_tmpl *utmpl = nla_data(rt); 2118 int nr = nla_len(rt) / sizeof(*utmpl); 2119 int err; 2120 2121 err = validate_tmpl(nr, utmpl, pol->family, dir, extack); 2122 if (err) 2123 return err; 2124 2125 copy_templates(pol, utmpl, nr); 2126 } 2127 return 0; 2128 } 2129 2130 static int copy_from_user_policy_type(u8 *tp, struct nlattr **attrs, 2131 struct netlink_ext_ack *extack) 2132 { 2133 struct nlattr *rt = attrs[XFRMA_POLICY_TYPE]; 2134 struct xfrm_userpolicy_type *upt; 2135 u8 type = XFRM_POLICY_TYPE_MAIN; 2136 int err; 2137 2138 if (rt) { 2139 upt = nla_data(rt); 2140 type = upt->type; 2141 } 2142 2143 err = verify_policy_type(type, extack); 2144 if (err) 2145 return err; 2146 2147 *tp = type; 2148 return 0; 2149 } 2150 2151 static void copy_from_user_policy(struct xfrm_policy *xp, struct xfrm_userpolicy_info *p) 2152 { 2153 xp->priority = p->priority; 2154 xp->index = p->index; 2155 memcpy(&xp->selector, &p->sel, sizeof(xp->selector)); 2156 memcpy(&xp->lft, &p->lft, sizeof(xp->lft)); 2157 xp->action = p->action; 2158 xp->flags = p->flags; 2159 xp->family = p->sel.family; 2160 /* XXX xp->share = p->share; */ 2161 } 2162 2163 static void copy_to_user_policy(struct xfrm_policy *xp, struct xfrm_userpolicy_info *p, int dir) 2164 { 2165 memset(p, 0, sizeof(*p)); 2166 memcpy(&p->sel, &xp->selector, sizeof(p->sel)); 2167 memcpy(&p->lft, &xp->lft, sizeof(p->lft)); 2168 memcpy(&p->curlft, &xp->curlft, sizeof(p->curlft)); 2169 p->priority = xp->priority; 2170 p->index = xp->index; 2171 p->sel.family = xp->family; 2172 p->dir = dir; 2173 p->action = xp->action; 2174 p->flags = xp->flags; 2175 p->share = XFRM_SHARE_ANY; /* XXX xp->share */ 2176 } 2177 2178 static struct xfrm_policy *xfrm_policy_construct(struct net *net, 2179 struct xfrm_userpolicy_info *p, 2180 struct nlattr **attrs, 2181 int *errp, 2182 struct netlink_ext_ack *extack) 2183 { 2184 struct xfrm_policy *xp = xfrm_policy_alloc(net, GFP_KERNEL); 2185 int err; 2186 2187 if (!xp) { 2188 *errp = -ENOMEM; 2189 return NULL; 2190 } 2191 2192 copy_from_user_policy(xp, p); 2193 2194 err = copy_from_user_policy_type(&xp->type, attrs, extack); 2195 if (err) 2196 goto error; 2197 2198 if (!(err = copy_from_user_tmpl(xp, attrs, p->dir, extack))) 2199 err = copy_from_user_sec_ctx(xp, attrs); 2200 if (err) 2201 goto error; 2202 2203 xfrm_mark_get(attrs, &xp->mark); 2204 2205 if (attrs[XFRMA_IF_ID]) 2206 xp->if_id = nla_get_u32(attrs[XFRMA_IF_ID]); 2207 2208 /* configure the hardware if offload is requested */ 2209 if (attrs[XFRMA_OFFLOAD_DEV]) { 2210 err = xfrm_dev_policy_add(net, xp, 2211 nla_data(attrs[XFRMA_OFFLOAD_DEV]), 2212 p->dir, extack); 2213 if (err) 2214 goto error; 2215 } 2216 2217 return xp; 2218 error: 2219 *errp = err; 2220 xp->walk.dead = 1; 2221 xfrm_policy_destroy(xp); 2222 return NULL; 2223 } 2224 2225 static int xfrm_add_policy(struct sk_buff *skb, struct nlmsghdr *nlh, 2226 struct nlattr **attrs, 2227 struct netlink_ext_ack *extack) 2228 { 2229 struct net *net = sock_net(skb->sk); 2230 struct xfrm_userpolicy_info *p = nlmsg_data(nlh); 2231 struct xfrm_policy *xp; 2232 struct km_event c; 2233 int err; 2234 int excl; 2235 2236 err = verify_newpolicy_info(p, extack); 2237 if (err) 2238 return err; 2239 err = verify_sec_ctx_len(attrs, extack); 2240 if (err) 2241 return err; 2242 2243 xp = xfrm_policy_construct(net, p, attrs, &err, extack); 2244 if (!xp) 2245 return err; 2246 2247 /* shouldn't excl be based on nlh flags?? 2248 * Aha! this is anti-netlink really i.e more pfkey derived 2249 * in netlink excl is a flag and you wouldn't need 2250 * a type XFRM_MSG_UPDPOLICY - JHS */ 2251 excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY; 2252 err = xfrm_policy_insert(p->dir, xp, excl); 2253 xfrm_audit_policy_add(xp, err ? 0 : 1, true); 2254 2255 if (err) { 2256 xfrm_dev_policy_delete(xp); 2257 xfrm_dev_policy_free(xp); 2258 security_xfrm_policy_free(xp->security); 2259 kfree(xp); 2260 return err; 2261 } 2262 2263 c.event = nlh->nlmsg_type; 2264 c.seq = nlh->nlmsg_seq; 2265 c.portid = nlh->nlmsg_pid; 2266 km_policy_notify(xp, p->dir, &c); 2267 2268 xfrm_pol_put(xp); 2269 2270 return 0; 2271 } 2272 2273 static int copy_to_user_tmpl(struct xfrm_policy *xp, struct sk_buff *skb) 2274 { 2275 struct xfrm_user_tmpl vec[XFRM_MAX_DEPTH]; 2276 int i; 2277 2278 if (xp->xfrm_nr == 0) 2279 return 0; 2280 2281 if (xp->xfrm_nr > XFRM_MAX_DEPTH) 2282 return -ENOBUFS; 2283 2284 for (i = 0; i < xp->xfrm_nr; i++) { 2285 struct xfrm_user_tmpl *up = &vec[i]; 2286 struct xfrm_tmpl *kp = &xp->xfrm_vec[i]; 2287 2288 memset(up, 0, sizeof(*up)); 2289 memcpy(&up->id, &kp->id, sizeof(up->id)); 2290 up->family = kp->encap_family; 2291 memcpy(&up->saddr, &kp->saddr, sizeof(up->saddr)); 2292 up->reqid = kp->reqid; 2293 up->mode = kp->mode; 2294 up->share = kp->share; 2295 up->optional = kp->optional; 2296 up->aalgos = kp->aalgos; 2297 up->ealgos = kp->ealgos; 2298 up->calgos = kp->calgos; 2299 } 2300 2301 return nla_put(skb, XFRMA_TMPL, 2302 sizeof(struct xfrm_user_tmpl) * xp->xfrm_nr, vec); 2303 } 2304 2305 static inline int copy_to_user_state_sec_ctx(struct xfrm_state *x, struct sk_buff *skb) 2306 { 2307 if (x->security) { 2308 return copy_sec_ctx(x->security, skb); 2309 } 2310 return 0; 2311 } 2312 2313 static inline int copy_to_user_sec_ctx(struct xfrm_policy *xp, struct sk_buff *skb) 2314 { 2315 if (xp->security) 2316 return copy_sec_ctx(xp->security, skb); 2317 return 0; 2318 } 2319 static inline unsigned int userpolicy_type_attrsize(void) 2320 { 2321 #ifdef CONFIG_XFRM_SUB_POLICY 2322 return nla_total_size(sizeof(struct xfrm_userpolicy_type)); 2323 #else 2324 return 0; 2325 #endif 2326 } 2327 2328 #ifdef CONFIG_XFRM_SUB_POLICY 2329 static int copy_to_user_policy_type(u8 type, struct sk_buff *skb) 2330 { 2331 struct xfrm_userpolicy_type upt; 2332 2333 /* Sadly there are two holes in struct xfrm_userpolicy_type */ 2334 memset(&upt, 0, sizeof(upt)); 2335 upt.type = type; 2336 2337 return nla_put(skb, XFRMA_POLICY_TYPE, sizeof(upt), &upt); 2338 } 2339 2340 #else 2341 static inline int copy_to_user_policy_type(u8 type, struct sk_buff *skb) 2342 { 2343 return 0; 2344 } 2345 #endif 2346 2347 static int dump_one_policy(struct xfrm_policy *xp, int dir, int count, void *ptr) 2348 { 2349 struct xfrm_dump_info *sp = ptr; 2350 struct xfrm_userpolicy_info *p; 2351 struct sk_buff *in_skb = sp->in_skb; 2352 struct sk_buff *skb = sp->out_skb; 2353 struct xfrm_translator *xtr; 2354 struct nlmsghdr *nlh; 2355 int err; 2356 2357 nlh = nlmsg_put(skb, NETLINK_CB(in_skb).portid, sp->nlmsg_seq, 2358 XFRM_MSG_NEWPOLICY, sizeof(*p), sp->nlmsg_flags); 2359 if (nlh == NULL) 2360 return -EMSGSIZE; 2361 2362 p = nlmsg_data(nlh); 2363 copy_to_user_policy(xp, p, dir); 2364 err = copy_to_user_tmpl(xp, skb); 2365 if (!err) 2366 err = copy_to_user_sec_ctx(xp, skb); 2367 if (!err) 2368 err = copy_to_user_policy_type(xp->type, skb); 2369 if (!err) 2370 err = xfrm_mark_put(skb, &xp->mark); 2371 if (!err) 2372 err = xfrm_if_id_put(skb, xp->if_id); 2373 if (!err && xp->xdo.dev) 2374 err = copy_user_offload(&xp->xdo, skb); 2375 if (err) { 2376 nlmsg_cancel(skb, nlh); 2377 return err; 2378 } 2379 nlmsg_end(skb, nlh); 2380 2381 xtr = xfrm_get_translator(); 2382 if (xtr) { 2383 err = xtr->alloc_compat(skb, nlh); 2384 2385 xfrm_put_translator(xtr); 2386 if (err) { 2387 nlmsg_cancel(skb, nlh); 2388 return err; 2389 } 2390 } 2391 2392 return 0; 2393 } 2394 2395 static int xfrm_dump_policy_done(struct netlink_callback *cb) 2396 { 2397 struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *)cb->args; 2398 struct net *net = sock_net(cb->skb->sk); 2399 2400 xfrm_policy_walk_done(walk, net); 2401 return 0; 2402 } 2403 2404 static int xfrm_dump_policy_start(struct netlink_callback *cb) 2405 { 2406 struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *)cb->args; 2407 2408 BUILD_BUG_ON(sizeof(*walk) > sizeof(cb->args)); 2409 2410 xfrm_policy_walk_init(walk, XFRM_POLICY_TYPE_ANY); 2411 return 0; 2412 } 2413 2414 static int xfrm_dump_policy(struct sk_buff *skb, struct netlink_callback *cb) 2415 { 2416 struct net *net = sock_net(skb->sk); 2417 struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *)cb->args; 2418 struct xfrm_dump_info info; 2419 2420 info.in_skb = cb->skb; 2421 info.out_skb = skb; 2422 info.nlmsg_seq = cb->nlh->nlmsg_seq; 2423 info.nlmsg_flags = NLM_F_MULTI; 2424 2425 (void) xfrm_policy_walk(net, walk, dump_one_policy, &info); 2426 2427 return skb->len; 2428 } 2429 2430 static struct sk_buff *xfrm_policy_netlink(struct sk_buff *in_skb, 2431 struct xfrm_policy *xp, 2432 int dir, u32 seq) 2433 { 2434 struct xfrm_dump_info info; 2435 struct sk_buff *skb; 2436 int err; 2437 2438 skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); 2439 if (!skb) 2440 return ERR_PTR(-ENOMEM); 2441 2442 info.in_skb = in_skb; 2443 info.out_skb = skb; 2444 info.nlmsg_seq = seq; 2445 info.nlmsg_flags = 0; 2446 2447 err = dump_one_policy(xp, dir, 0, &info); 2448 if (err) { 2449 kfree_skb(skb); 2450 return ERR_PTR(err); 2451 } 2452 2453 return skb; 2454 } 2455 2456 static int xfrm_notify_userpolicy(struct net *net) 2457 { 2458 struct xfrm_userpolicy_default *up; 2459 int len = NLMSG_ALIGN(sizeof(*up)); 2460 struct nlmsghdr *nlh; 2461 struct sk_buff *skb; 2462 int err; 2463 2464 skb = nlmsg_new(len, GFP_ATOMIC); 2465 if (skb == NULL) 2466 return -ENOMEM; 2467 2468 nlh = nlmsg_put(skb, 0, 0, XFRM_MSG_GETDEFAULT, sizeof(*up), 0); 2469 if (nlh == NULL) { 2470 kfree_skb(skb); 2471 return -EMSGSIZE; 2472 } 2473 2474 up = nlmsg_data(nlh); 2475 up->in = net->xfrm.policy_default[XFRM_POLICY_IN]; 2476 up->fwd = net->xfrm.policy_default[XFRM_POLICY_FWD]; 2477 up->out = net->xfrm.policy_default[XFRM_POLICY_OUT]; 2478 2479 nlmsg_end(skb, nlh); 2480 2481 rcu_read_lock(); 2482 err = xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_POLICY); 2483 rcu_read_unlock(); 2484 2485 return err; 2486 } 2487 2488 static bool xfrm_userpolicy_is_valid(__u8 policy) 2489 { 2490 return policy == XFRM_USERPOLICY_BLOCK || 2491 policy == XFRM_USERPOLICY_ACCEPT; 2492 } 2493 2494 static int xfrm_set_default(struct sk_buff *skb, struct nlmsghdr *nlh, 2495 struct nlattr **attrs, struct netlink_ext_ack *extack) 2496 { 2497 struct net *net = sock_net(skb->sk); 2498 struct xfrm_userpolicy_default *up = nlmsg_data(nlh); 2499 2500 if (xfrm_userpolicy_is_valid(up->in)) 2501 net->xfrm.policy_default[XFRM_POLICY_IN] = up->in; 2502 2503 if (xfrm_userpolicy_is_valid(up->fwd)) 2504 net->xfrm.policy_default[XFRM_POLICY_FWD] = up->fwd; 2505 2506 if (xfrm_userpolicy_is_valid(up->out)) 2507 net->xfrm.policy_default[XFRM_POLICY_OUT] = up->out; 2508 2509 rt_genid_bump_all(net); 2510 2511 xfrm_notify_userpolicy(net); 2512 return 0; 2513 } 2514 2515 static int xfrm_get_default(struct sk_buff *skb, struct nlmsghdr *nlh, 2516 struct nlattr **attrs, struct netlink_ext_ack *extack) 2517 { 2518 struct sk_buff *r_skb; 2519 struct nlmsghdr *r_nlh; 2520 struct net *net = sock_net(skb->sk); 2521 struct xfrm_userpolicy_default *r_up; 2522 int len = NLMSG_ALIGN(sizeof(struct xfrm_userpolicy_default)); 2523 u32 portid = NETLINK_CB(skb).portid; 2524 u32 seq = nlh->nlmsg_seq; 2525 2526 r_skb = nlmsg_new(len, GFP_ATOMIC); 2527 if (!r_skb) 2528 return -ENOMEM; 2529 2530 r_nlh = nlmsg_put(r_skb, portid, seq, XFRM_MSG_GETDEFAULT, sizeof(*r_up), 0); 2531 if (!r_nlh) { 2532 kfree_skb(r_skb); 2533 return -EMSGSIZE; 2534 } 2535 2536 r_up = nlmsg_data(r_nlh); 2537 r_up->in = net->xfrm.policy_default[XFRM_POLICY_IN]; 2538 r_up->fwd = net->xfrm.policy_default[XFRM_POLICY_FWD]; 2539 r_up->out = net->xfrm.policy_default[XFRM_POLICY_OUT]; 2540 nlmsg_end(r_skb, r_nlh); 2541 2542 return nlmsg_unicast(net->xfrm.nlsk, r_skb, portid); 2543 } 2544 2545 static int xfrm_get_policy(struct sk_buff *skb, struct nlmsghdr *nlh, 2546 struct nlattr **attrs, 2547 struct netlink_ext_ack *extack) 2548 { 2549 struct net *net = sock_net(skb->sk); 2550 struct xfrm_policy *xp; 2551 struct xfrm_userpolicy_id *p; 2552 u8 type = XFRM_POLICY_TYPE_MAIN; 2553 int err; 2554 struct km_event c; 2555 int delete; 2556 struct xfrm_mark m; 2557 u32 if_id = 0; 2558 2559 p = nlmsg_data(nlh); 2560 delete = nlh->nlmsg_type == XFRM_MSG_DELPOLICY; 2561 2562 err = copy_from_user_policy_type(&type, attrs, extack); 2563 if (err) 2564 return err; 2565 2566 err = verify_policy_dir(p->dir, extack); 2567 if (err) 2568 return err; 2569 2570 if (attrs[XFRMA_IF_ID]) 2571 if_id = nla_get_u32(attrs[XFRMA_IF_ID]); 2572 2573 xfrm_mark_get(attrs, &m); 2574 2575 if (p->index) 2576 xp = xfrm_policy_byid(net, &m, if_id, type, p->dir, 2577 p->index, delete, &err); 2578 else { 2579 struct nlattr *rt = attrs[XFRMA_SEC_CTX]; 2580 struct xfrm_sec_ctx *ctx; 2581 2582 err = verify_sec_ctx_len(attrs, extack); 2583 if (err) 2584 return err; 2585 2586 ctx = NULL; 2587 if (rt) { 2588 struct xfrm_user_sec_ctx *uctx = nla_data(rt); 2589 2590 err = security_xfrm_policy_alloc(&ctx, uctx, GFP_KERNEL); 2591 if (err) 2592 return err; 2593 } 2594 xp = xfrm_policy_bysel_ctx(net, &m, if_id, type, p->dir, 2595 &p->sel, ctx, delete, &err); 2596 security_xfrm_policy_free(ctx); 2597 } 2598 if (xp == NULL) 2599 return -ENOENT; 2600 2601 if (!delete) { 2602 struct sk_buff *resp_skb; 2603 2604 resp_skb = xfrm_policy_netlink(skb, xp, p->dir, nlh->nlmsg_seq); 2605 if (IS_ERR(resp_skb)) { 2606 err = PTR_ERR(resp_skb); 2607 } else { 2608 err = nlmsg_unicast(net->xfrm.nlsk, resp_skb, 2609 NETLINK_CB(skb).portid); 2610 } 2611 } else { 2612 xfrm_audit_policy_delete(xp, err ? 0 : 1, true); 2613 2614 if (err != 0) 2615 goto out; 2616 2617 c.data.byid = p->index; 2618 c.event = nlh->nlmsg_type; 2619 c.seq = nlh->nlmsg_seq; 2620 c.portid = nlh->nlmsg_pid; 2621 km_policy_notify(xp, p->dir, &c); 2622 } 2623 2624 out: 2625 xfrm_pol_put(xp); 2626 return err; 2627 } 2628 2629 static int xfrm_flush_sa(struct sk_buff *skb, struct nlmsghdr *nlh, 2630 struct nlattr **attrs, 2631 struct netlink_ext_ack *extack) 2632 { 2633 struct net *net = sock_net(skb->sk); 2634 struct km_event c; 2635 struct xfrm_usersa_flush *p = nlmsg_data(nlh); 2636 int err; 2637 2638 err = xfrm_state_flush(net, p->proto, true); 2639 if (err) { 2640 if (err == -ESRCH) /* empty table */ 2641 return 0; 2642 return err; 2643 } 2644 c.data.proto = p->proto; 2645 c.event = nlh->nlmsg_type; 2646 c.seq = nlh->nlmsg_seq; 2647 c.portid = nlh->nlmsg_pid; 2648 c.net = net; 2649 km_state_notify(NULL, &c); 2650 2651 return 0; 2652 } 2653 2654 static inline unsigned int xfrm_aevent_msgsize(struct xfrm_state *x) 2655 { 2656 unsigned int replay_size = x->replay_esn ? 2657 xfrm_replay_state_esn_len(x->replay_esn) : 2658 sizeof(struct xfrm_replay_state); 2659 2660 return NLMSG_ALIGN(sizeof(struct xfrm_aevent_id)) 2661 + nla_total_size(replay_size) 2662 + nla_total_size_64bit(sizeof(struct xfrm_lifetime_cur)) 2663 + nla_total_size(sizeof(struct xfrm_mark)) 2664 + nla_total_size(4) /* XFRM_AE_RTHR */ 2665 + nla_total_size(4) /* XFRM_AE_ETHR */ 2666 + nla_total_size(sizeof(x->dir)) /* XFRMA_SA_DIR */ 2667 + nla_total_size(4); /* XFRMA_SA_PCPU */ 2668 } 2669 2670 static int build_aevent(struct sk_buff *skb, struct xfrm_state *x, const struct km_event *c) 2671 { 2672 struct xfrm_aevent_id *id; 2673 struct nlmsghdr *nlh; 2674 int err; 2675 2676 nlh = nlmsg_put(skb, c->portid, c->seq, XFRM_MSG_NEWAE, sizeof(*id), 0); 2677 if (nlh == NULL) 2678 return -EMSGSIZE; 2679 2680 id = nlmsg_data(nlh); 2681 memset(&id->sa_id, 0, sizeof(id->sa_id)); 2682 memcpy(&id->sa_id.daddr, &x->id.daddr, sizeof(x->id.daddr)); 2683 id->sa_id.spi = x->id.spi; 2684 id->sa_id.family = x->props.family; 2685 id->sa_id.proto = x->id.proto; 2686 memcpy(&id->saddr, &x->props.saddr, sizeof(x->props.saddr)); 2687 id->reqid = x->props.reqid; 2688 id->flags = c->data.aevent; 2689 2690 if (x->replay_esn) { 2691 err = nla_put(skb, XFRMA_REPLAY_ESN_VAL, 2692 xfrm_replay_state_esn_len(x->replay_esn), 2693 x->replay_esn); 2694 } else { 2695 err = nla_put(skb, XFRMA_REPLAY_VAL, sizeof(x->replay), 2696 &x->replay); 2697 } 2698 if (err) 2699 goto out_cancel; 2700 err = nla_put_64bit(skb, XFRMA_LTIME_VAL, sizeof(x->curlft), &x->curlft, 2701 XFRMA_PAD); 2702 if (err) 2703 goto out_cancel; 2704 2705 if (id->flags & XFRM_AE_RTHR) { 2706 err = nla_put_u32(skb, XFRMA_REPLAY_THRESH, x->replay_maxdiff); 2707 if (err) 2708 goto out_cancel; 2709 } 2710 if (id->flags & XFRM_AE_ETHR) { 2711 err = nla_put_u32(skb, XFRMA_ETIMER_THRESH, 2712 x->replay_maxage * 10 / HZ); 2713 if (err) 2714 goto out_cancel; 2715 } 2716 err = xfrm_mark_put(skb, &x->mark); 2717 if (err) 2718 goto out_cancel; 2719 2720 err = xfrm_if_id_put(skb, x->if_id); 2721 if (err) 2722 goto out_cancel; 2723 if (x->pcpu_num != UINT_MAX) { 2724 err = nla_put_u32(skb, XFRMA_SA_PCPU, x->pcpu_num); 2725 if (err) 2726 goto out_cancel; 2727 } 2728 2729 if (x->dir) { 2730 err = nla_put_u8(skb, XFRMA_SA_DIR, x->dir); 2731 if (err) 2732 goto out_cancel; 2733 } 2734 2735 nlmsg_end(skb, nlh); 2736 return 0; 2737 2738 out_cancel: 2739 nlmsg_cancel(skb, nlh); 2740 return err; 2741 } 2742 2743 static int xfrm_get_ae(struct sk_buff *skb, struct nlmsghdr *nlh, 2744 struct nlattr **attrs, struct netlink_ext_ack *extack) 2745 { 2746 struct net *net = sock_net(skb->sk); 2747 struct xfrm_state *x; 2748 struct sk_buff *r_skb; 2749 int err; 2750 struct km_event c; 2751 u32 mark; 2752 struct xfrm_mark m; 2753 struct xfrm_aevent_id *p = nlmsg_data(nlh); 2754 struct xfrm_usersa_id *id = &p->sa_id; 2755 2756 mark = xfrm_mark_get(attrs, &m); 2757 2758 x = xfrm_state_lookup(net, mark, &id->daddr, id->spi, id->proto, id->family); 2759 if (x == NULL) 2760 return -ESRCH; 2761 2762 r_skb = nlmsg_new(xfrm_aevent_msgsize(x), GFP_ATOMIC); 2763 if (r_skb == NULL) { 2764 xfrm_state_put(x); 2765 return -ENOMEM; 2766 } 2767 2768 /* 2769 * XXX: is this lock really needed - none of the other 2770 * gets lock (the concern is things getting updated 2771 * while we are still reading) - jhs 2772 */ 2773 spin_lock_bh(&x->lock); 2774 c.data.aevent = p->flags; 2775 c.seq = nlh->nlmsg_seq; 2776 c.portid = nlh->nlmsg_pid; 2777 2778 err = build_aevent(r_skb, x, &c); 2779 BUG_ON(err < 0); 2780 2781 err = nlmsg_unicast(net->xfrm.nlsk, r_skb, NETLINK_CB(skb).portid); 2782 spin_unlock_bh(&x->lock); 2783 xfrm_state_put(x); 2784 return err; 2785 } 2786 2787 static int xfrm_new_ae(struct sk_buff *skb, struct nlmsghdr *nlh, 2788 struct nlattr **attrs, struct netlink_ext_ack *extack) 2789 { 2790 struct net *net = sock_net(skb->sk); 2791 struct xfrm_state *x; 2792 struct km_event c; 2793 int err = -EINVAL; 2794 u32 mark = 0; 2795 struct xfrm_mark m; 2796 struct xfrm_aevent_id *p = nlmsg_data(nlh); 2797 struct nlattr *rp = attrs[XFRMA_REPLAY_VAL]; 2798 struct nlattr *re = attrs[XFRMA_REPLAY_ESN_VAL]; 2799 struct nlattr *lt = attrs[XFRMA_LTIME_VAL]; 2800 struct nlattr *et = attrs[XFRMA_ETIMER_THRESH]; 2801 struct nlattr *rt = attrs[XFRMA_REPLAY_THRESH]; 2802 2803 if (!lt && !rp && !re && !et && !rt) { 2804 NL_SET_ERR_MSG(extack, "Missing required attribute for AE"); 2805 return err; 2806 } 2807 2808 /* pedantic mode - thou shalt sayeth replaceth */ 2809 if (!(nlh->nlmsg_flags & NLM_F_REPLACE)) { 2810 NL_SET_ERR_MSG(extack, "NLM_F_REPLACE flag is required"); 2811 return err; 2812 } 2813 2814 mark = xfrm_mark_get(attrs, &m); 2815 2816 x = xfrm_state_lookup(net, mark, &p->sa_id.daddr, p->sa_id.spi, p->sa_id.proto, p->sa_id.family); 2817 if (x == NULL) 2818 return -ESRCH; 2819 2820 if (x->km.state != XFRM_STATE_VALID) { 2821 NL_SET_ERR_MSG(extack, "SA must be in VALID state"); 2822 goto out; 2823 } 2824 2825 err = xfrm_replay_verify_len(x->replay_esn, re, extack); 2826 if (err) 2827 goto out; 2828 2829 spin_lock_bh(&x->lock); 2830 xfrm_update_ae_params(x, attrs, 1); 2831 spin_unlock_bh(&x->lock); 2832 2833 c.event = nlh->nlmsg_type; 2834 c.seq = nlh->nlmsg_seq; 2835 c.portid = nlh->nlmsg_pid; 2836 c.data.aevent = XFRM_AE_CU; 2837 km_state_notify(x, &c); 2838 err = 0; 2839 out: 2840 xfrm_state_put(x); 2841 return err; 2842 } 2843 2844 static int xfrm_flush_policy(struct sk_buff *skb, struct nlmsghdr *nlh, 2845 struct nlattr **attrs, 2846 struct netlink_ext_ack *extack) 2847 { 2848 struct net *net = sock_net(skb->sk); 2849 struct km_event c; 2850 u8 type = XFRM_POLICY_TYPE_MAIN; 2851 int err; 2852 2853 err = copy_from_user_policy_type(&type, attrs, extack); 2854 if (err) 2855 return err; 2856 2857 err = xfrm_policy_flush(net, type, true); 2858 if (err) { 2859 if (err == -ESRCH) /* empty table */ 2860 return 0; 2861 return err; 2862 } 2863 2864 c.data.type = type; 2865 c.event = nlh->nlmsg_type; 2866 c.seq = nlh->nlmsg_seq; 2867 c.portid = nlh->nlmsg_pid; 2868 c.net = net; 2869 km_policy_notify(NULL, 0, &c); 2870 return 0; 2871 } 2872 2873 static int xfrm_add_pol_expire(struct sk_buff *skb, struct nlmsghdr *nlh, 2874 struct nlattr **attrs, 2875 struct netlink_ext_ack *extack) 2876 { 2877 struct net *net = sock_net(skb->sk); 2878 struct xfrm_policy *xp; 2879 struct xfrm_user_polexpire *up = nlmsg_data(nlh); 2880 struct xfrm_userpolicy_info *p = &up->pol; 2881 u8 type = XFRM_POLICY_TYPE_MAIN; 2882 int err = -ENOENT; 2883 struct xfrm_mark m; 2884 u32 if_id = 0; 2885 2886 err = copy_from_user_policy_type(&type, attrs, extack); 2887 if (err) 2888 return err; 2889 2890 err = verify_policy_dir(p->dir, extack); 2891 if (err) 2892 return err; 2893 2894 if (attrs[XFRMA_IF_ID]) 2895 if_id = nla_get_u32(attrs[XFRMA_IF_ID]); 2896 2897 xfrm_mark_get(attrs, &m); 2898 2899 if (p->index) 2900 xp = xfrm_policy_byid(net, &m, if_id, type, p->dir, p->index, 2901 0, &err); 2902 else { 2903 struct nlattr *rt = attrs[XFRMA_SEC_CTX]; 2904 struct xfrm_sec_ctx *ctx; 2905 2906 err = verify_sec_ctx_len(attrs, extack); 2907 if (err) 2908 return err; 2909 2910 ctx = NULL; 2911 if (rt) { 2912 struct xfrm_user_sec_ctx *uctx = nla_data(rt); 2913 2914 err = security_xfrm_policy_alloc(&ctx, uctx, GFP_KERNEL); 2915 if (err) 2916 return err; 2917 } 2918 xp = xfrm_policy_bysel_ctx(net, &m, if_id, type, p->dir, 2919 &p->sel, ctx, 0, &err); 2920 security_xfrm_policy_free(ctx); 2921 } 2922 if (xp == NULL) 2923 return -ENOENT; 2924 2925 if (unlikely(xp->walk.dead)) 2926 goto out; 2927 2928 err = 0; 2929 if (up->hard) { 2930 xfrm_policy_delete(xp, p->dir); 2931 xfrm_audit_policy_delete(xp, 1, true); 2932 } 2933 km_policy_expired(xp, p->dir, up->hard, nlh->nlmsg_pid); 2934 2935 out: 2936 xfrm_pol_put(xp); 2937 return err; 2938 } 2939 2940 static int xfrm_add_sa_expire(struct sk_buff *skb, struct nlmsghdr *nlh, 2941 struct nlattr **attrs, 2942 struct netlink_ext_ack *extack) 2943 { 2944 struct net *net = sock_net(skb->sk); 2945 struct xfrm_state *x; 2946 int err; 2947 struct xfrm_user_expire *ue = nlmsg_data(nlh); 2948 struct xfrm_usersa_info *p = &ue->state; 2949 struct xfrm_mark m; 2950 u32 mark = xfrm_mark_get(attrs, &m); 2951 2952 x = xfrm_state_lookup(net, mark, &p->id.daddr, p->id.spi, p->id.proto, p->family); 2953 2954 err = -ENOENT; 2955 if (x == NULL) 2956 return err; 2957 2958 spin_lock_bh(&x->lock); 2959 err = -EINVAL; 2960 if (x->km.state != XFRM_STATE_VALID) { 2961 NL_SET_ERR_MSG(extack, "SA must be in VALID state"); 2962 goto out; 2963 } 2964 2965 km_state_expired(x, ue->hard, nlh->nlmsg_pid); 2966 2967 if (ue->hard) { 2968 __xfrm_state_delete(x); 2969 xfrm_audit_state_delete(x, 1, true); 2970 } 2971 err = 0; 2972 out: 2973 spin_unlock_bh(&x->lock); 2974 xfrm_state_put(x); 2975 return err; 2976 } 2977 2978 static int xfrm_add_acquire(struct sk_buff *skb, struct nlmsghdr *nlh, 2979 struct nlattr **attrs, 2980 struct netlink_ext_ack *extack) 2981 { 2982 struct net *net = sock_net(skb->sk); 2983 struct xfrm_policy *xp; 2984 struct xfrm_user_tmpl *ut; 2985 int i; 2986 struct nlattr *rt = attrs[XFRMA_TMPL]; 2987 struct xfrm_mark mark; 2988 2989 struct xfrm_user_acquire *ua = nlmsg_data(nlh); 2990 struct xfrm_state *x = xfrm_state_alloc(net); 2991 int err = -ENOMEM; 2992 2993 if (!x) 2994 goto nomem; 2995 2996 xfrm_mark_get(attrs, &mark); 2997 2998 if (attrs[XFRMA_SA_PCPU]) { 2999 x->pcpu_num = nla_get_u32(attrs[XFRMA_SA_PCPU]); 3000 err = -EINVAL; 3001 if (x->pcpu_num >= num_possible_cpus()) 3002 goto free_state; 3003 } 3004 3005 err = verify_newpolicy_info(&ua->policy, extack); 3006 if (err) 3007 goto free_state; 3008 err = verify_sec_ctx_len(attrs, extack); 3009 if (err) 3010 goto free_state; 3011 3012 /* build an XP */ 3013 xp = xfrm_policy_construct(net, &ua->policy, attrs, &err, extack); 3014 if (!xp) 3015 goto free_state; 3016 3017 memcpy(&x->id, &ua->id, sizeof(ua->id)); 3018 memcpy(&x->props.saddr, &ua->saddr, sizeof(ua->saddr)); 3019 memcpy(&x->sel, &ua->sel, sizeof(ua->sel)); 3020 xp->mark.m = x->mark.m = mark.m; 3021 xp->mark.v = x->mark.v = mark.v; 3022 ut = nla_data(rt); 3023 /* extract the templates and for each call km_key */ 3024 for (i = 0; i < xp->xfrm_nr; i++, ut++) { 3025 struct xfrm_tmpl *t = &xp->xfrm_vec[i]; 3026 memcpy(&x->id, &t->id, sizeof(x->id)); 3027 x->props.mode = t->mode; 3028 x->props.reqid = t->reqid; 3029 x->props.family = ut->family; 3030 t->aalgos = ua->aalgos; 3031 t->ealgos = ua->ealgos; 3032 t->calgos = ua->calgos; 3033 err = km_query(x, t, xp); 3034 3035 } 3036 3037 xfrm_state_free(x); 3038 kfree(xp); 3039 3040 return 0; 3041 3042 free_state: 3043 xfrm_state_free(x); 3044 nomem: 3045 return err; 3046 } 3047 3048 #ifdef CONFIG_XFRM_MIGRATE 3049 static int copy_from_user_migrate(struct xfrm_migrate *ma, 3050 struct xfrm_kmaddress *k, 3051 struct nlattr **attrs, int *num, 3052 struct netlink_ext_ack *extack) 3053 { 3054 struct nlattr *rt = attrs[XFRMA_MIGRATE]; 3055 struct xfrm_user_migrate *um; 3056 int i, num_migrate; 3057 3058 if (k != NULL) { 3059 struct xfrm_user_kmaddress *uk; 3060 3061 uk = nla_data(attrs[XFRMA_KMADDRESS]); 3062 memcpy(&k->local, &uk->local, sizeof(k->local)); 3063 memcpy(&k->remote, &uk->remote, sizeof(k->remote)); 3064 k->family = uk->family; 3065 k->reserved = uk->reserved; 3066 } 3067 3068 um = nla_data(rt); 3069 num_migrate = nla_len(rt) / sizeof(*um); 3070 3071 if (num_migrate <= 0 || num_migrate > XFRM_MAX_DEPTH) { 3072 NL_SET_ERR_MSG(extack, "Invalid number of SAs to migrate, must be 0 < num <= XFRM_MAX_DEPTH (6)"); 3073 return -EINVAL; 3074 } 3075 3076 for (i = 0; i < num_migrate; i++, um++, ma++) { 3077 memcpy(&ma->old_daddr, &um->old_daddr, sizeof(ma->old_daddr)); 3078 memcpy(&ma->old_saddr, &um->old_saddr, sizeof(ma->old_saddr)); 3079 memcpy(&ma->new_daddr, &um->new_daddr, sizeof(ma->new_daddr)); 3080 memcpy(&ma->new_saddr, &um->new_saddr, sizeof(ma->new_saddr)); 3081 3082 ma->proto = um->proto; 3083 ma->mode = um->mode; 3084 ma->reqid = um->reqid; 3085 3086 ma->old_family = um->old_family; 3087 ma->new_family = um->new_family; 3088 } 3089 3090 *num = i; 3091 return 0; 3092 } 3093 3094 static int xfrm_do_migrate(struct sk_buff *skb, struct nlmsghdr *nlh, 3095 struct nlattr **attrs, struct netlink_ext_ack *extack) 3096 { 3097 struct xfrm_userpolicy_id *pi = nlmsg_data(nlh); 3098 struct xfrm_migrate m[XFRM_MAX_DEPTH]; 3099 struct xfrm_kmaddress km, *kmp; 3100 u8 type; 3101 int err; 3102 int n = 0; 3103 struct net *net = sock_net(skb->sk); 3104 struct xfrm_encap_tmpl *encap = NULL; 3105 struct xfrm_user_offload *xuo = NULL; 3106 u32 if_id = 0; 3107 3108 if (!attrs[XFRMA_MIGRATE]) { 3109 NL_SET_ERR_MSG(extack, "Missing required MIGRATE attribute"); 3110 return -EINVAL; 3111 } 3112 3113 kmp = attrs[XFRMA_KMADDRESS] ? &km : NULL; 3114 3115 err = copy_from_user_policy_type(&type, attrs, extack); 3116 if (err) 3117 return err; 3118 3119 err = copy_from_user_migrate(m, kmp, attrs, &n, extack); 3120 if (err) 3121 return err; 3122 3123 if (!n) 3124 return 0; 3125 3126 if (attrs[XFRMA_ENCAP]) { 3127 encap = kmemdup(nla_data(attrs[XFRMA_ENCAP]), 3128 sizeof(*encap), GFP_KERNEL); 3129 if (!encap) 3130 return -ENOMEM; 3131 } 3132 3133 if (attrs[XFRMA_IF_ID]) 3134 if_id = nla_get_u32(attrs[XFRMA_IF_ID]); 3135 3136 if (attrs[XFRMA_OFFLOAD_DEV]) { 3137 xuo = kmemdup(nla_data(attrs[XFRMA_OFFLOAD_DEV]), 3138 sizeof(*xuo), GFP_KERNEL); 3139 if (!xuo) { 3140 err = -ENOMEM; 3141 goto error; 3142 } 3143 } 3144 err = xfrm_migrate(&pi->sel, pi->dir, type, m, n, kmp, net, encap, 3145 if_id, extack, xuo); 3146 error: 3147 kfree(encap); 3148 kfree(xuo); 3149 return err; 3150 } 3151 #else 3152 static int xfrm_do_migrate(struct sk_buff *skb, struct nlmsghdr *nlh, 3153 struct nlattr **attrs, struct netlink_ext_ack *extack) 3154 { 3155 return -ENOPROTOOPT; 3156 } 3157 #endif 3158 3159 #ifdef CONFIG_XFRM_MIGRATE 3160 static int copy_to_user_migrate(const struct xfrm_migrate *m, struct sk_buff *skb) 3161 { 3162 struct xfrm_user_migrate um; 3163 3164 memset(&um, 0, sizeof(um)); 3165 um.proto = m->proto; 3166 um.mode = m->mode; 3167 um.reqid = m->reqid; 3168 um.old_family = m->old_family; 3169 memcpy(&um.old_daddr, &m->old_daddr, sizeof(um.old_daddr)); 3170 memcpy(&um.old_saddr, &m->old_saddr, sizeof(um.old_saddr)); 3171 um.new_family = m->new_family; 3172 memcpy(&um.new_daddr, &m->new_daddr, sizeof(um.new_daddr)); 3173 memcpy(&um.new_saddr, &m->new_saddr, sizeof(um.new_saddr)); 3174 3175 return nla_put(skb, XFRMA_MIGRATE, sizeof(um), &um); 3176 } 3177 3178 static int copy_to_user_kmaddress(const struct xfrm_kmaddress *k, struct sk_buff *skb) 3179 { 3180 struct xfrm_user_kmaddress uk; 3181 3182 memset(&uk, 0, sizeof(uk)); 3183 uk.family = k->family; 3184 uk.reserved = k->reserved; 3185 memcpy(&uk.local, &k->local, sizeof(uk.local)); 3186 memcpy(&uk.remote, &k->remote, sizeof(uk.remote)); 3187 3188 return nla_put(skb, XFRMA_KMADDRESS, sizeof(uk), &uk); 3189 } 3190 3191 static inline unsigned int xfrm_migrate_msgsize(int num_migrate, int with_kma, 3192 int with_encp) 3193 { 3194 return NLMSG_ALIGN(sizeof(struct xfrm_userpolicy_id)) 3195 + (with_kma ? nla_total_size(sizeof(struct xfrm_kmaddress)) : 0) 3196 + (with_encp ? nla_total_size(sizeof(struct xfrm_encap_tmpl)) : 0) 3197 + nla_total_size(sizeof(struct xfrm_user_migrate) * num_migrate) 3198 + userpolicy_type_attrsize(); 3199 } 3200 3201 static int build_migrate(struct sk_buff *skb, const struct xfrm_migrate *m, 3202 int num_migrate, const struct xfrm_kmaddress *k, 3203 const struct xfrm_selector *sel, 3204 const struct xfrm_encap_tmpl *encap, u8 dir, u8 type) 3205 { 3206 const struct xfrm_migrate *mp; 3207 struct xfrm_userpolicy_id *pol_id; 3208 struct nlmsghdr *nlh; 3209 int i, err; 3210 3211 nlh = nlmsg_put(skb, 0, 0, XFRM_MSG_MIGRATE, sizeof(*pol_id), 0); 3212 if (nlh == NULL) 3213 return -EMSGSIZE; 3214 3215 pol_id = nlmsg_data(nlh); 3216 /* copy data from selector, dir, and type to the pol_id */ 3217 memset(pol_id, 0, sizeof(*pol_id)); 3218 memcpy(&pol_id->sel, sel, sizeof(pol_id->sel)); 3219 pol_id->dir = dir; 3220 3221 if (k != NULL) { 3222 err = copy_to_user_kmaddress(k, skb); 3223 if (err) 3224 goto out_cancel; 3225 } 3226 if (encap) { 3227 err = nla_put(skb, XFRMA_ENCAP, sizeof(*encap), encap); 3228 if (err) 3229 goto out_cancel; 3230 } 3231 err = copy_to_user_policy_type(type, skb); 3232 if (err) 3233 goto out_cancel; 3234 for (i = 0, mp = m ; i < num_migrate; i++, mp++) { 3235 err = copy_to_user_migrate(mp, skb); 3236 if (err) 3237 goto out_cancel; 3238 } 3239 3240 nlmsg_end(skb, nlh); 3241 return 0; 3242 3243 out_cancel: 3244 nlmsg_cancel(skb, nlh); 3245 return err; 3246 } 3247 3248 static int xfrm_send_migrate(const struct xfrm_selector *sel, u8 dir, u8 type, 3249 const struct xfrm_migrate *m, int num_migrate, 3250 const struct xfrm_kmaddress *k, 3251 const struct xfrm_encap_tmpl *encap) 3252 { 3253 struct net *net = &init_net; 3254 struct sk_buff *skb; 3255 int err; 3256 3257 skb = nlmsg_new(xfrm_migrate_msgsize(num_migrate, !!k, !!encap), 3258 GFP_ATOMIC); 3259 if (skb == NULL) 3260 return -ENOMEM; 3261 3262 /* build migrate */ 3263 err = build_migrate(skb, m, num_migrate, k, sel, encap, dir, type); 3264 BUG_ON(err < 0); 3265 3266 return xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_MIGRATE); 3267 } 3268 #else 3269 static int xfrm_send_migrate(const struct xfrm_selector *sel, u8 dir, u8 type, 3270 const struct xfrm_migrate *m, int num_migrate, 3271 const struct xfrm_kmaddress *k, 3272 const struct xfrm_encap_tmpl *encap) 3273 { 3274 return -ENOPROTOOPT; 3275 } 3276 #endif 3277 3278 #define XMSGSIZE(type) sizeof(struct type) 3279 3280 const int xfrm_msg_min[XFRM_NR_MSGTYPES] = { 3281 [XFRM_MSG_NEWSA - XFRM_MSG_BASE] = XMSGSIZE(xfrm_usersa_info), 3282 [XFRM_MSG_DELSA - XFRM_MSG_BASE] = XMSGSIZE(xfrm_usersa_id), 3283 [XFRM_MSG_GETSA - XFRM_MSG_BASE] = XMSGSIZE(xfrm_usersa_id), 3284 [XFRM_MSG_NEWPOLICY - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_info), 3285 [XFRM_MSG_DELPOLICY - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_id), 3286 [XFRM_MSG_GETPOLICY - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_id), 3287 [XFRM_MSG_ALLOCSPI - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userspi_info), 3288 [XFRM_MSG_ACQUIRE - XFRM_MSG_BASE] = XMSGSIZE(xfrm_user_acquire), 3289 [XFRM_MSG_EXPIRE - XFRM_MSG_BASE] = XMSGSIZE(xfrm_user_expire), 3290 [XFRM_MSG_UPDPOLICY - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_info), 3291 [XFRM_MSG_UPDSA - XFRM_MSG_BASE] = XMSGSIZE(xfrm_usersa_info), 3292 [XFRM_MSG_POLEXPIRE - XFRM_MSG_BASE] = XMSGSIZE(xfrm_user_polexpire), 3293 [XFRM_MSG_FLUSHSA - XFRM_MSG_BASE] = XMSGSIZE(xfrm_usersa_flush), 3294 [XFRM_MSG_FLUSHPOLICY - XFRM_MSG_BASE] = 0, 3295 [XFRM_MSG_NEWAE - XFRM_MSG_BASE] = XMSGSIZE(xfrm_aevent_id), 3296 [XFRM_MSG_GETAE - XFRM_MSG_BASE] = XMSGSIZE(xfrm_aevent_id), 3297 [XFRM_MSG_REPORT - XFRM_MSG_BASE] = XMSGSIZE(xfrm_user_report), 3298 [XFRM_MSG_MIGRATE - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_id), 3299 [XFRM_MSG_GETSADINFO - XFRM_MSG_BASE] = sizeof(u32), 3300 [XFRM_MSG_NEWSPDINFO - XFRM_MSG_BASE] = sizeof(u32), 3301 [XFRM_MSG_GETSPDINFO - XFRM_MSG_BASE] = sizeof(u32), 3302 [XFRM_MSG_SETDEFAULT - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_default), 3303 [XFRM_MSG_GETDEFAULT - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_default), 3304 }; 3305 EXPORT_SYMBOL_GPL(xfrm_msg_min); 3306 3307 #undef XMSGSIZE 3308 3309 const struct nla_policy xfrma_policy[XFRMA_MAX+1] = { 3310 [XFRMA_UNSPEC] = { .strict_start_type = XFRMA_SA_DIR }, 3311 [XFRMA_SA] = { .len = sizeof(struct xfrm_usersa_info)}, 3312 [XFRMA_POLICY] = { .len = sizeof(struct xfrm_userpolicy_info)}, 3313 [XFRMA_LASTUSED] = { .type = NLA_U64}, 3314 [XFRMA_ALG_AUTH_TRUNC] = { .len = sizeof(struct xfrm_algo_auth)}, 3315 [XFRMA_ALG_AEAD] = { .len = sizeof(struct xfrm_algo_aead) }, 3316 [XFRMA_ALG_AUTH] = { .len = sizeof(struct xfrm_algo) }, 3317 [XFRMA_ALG_CRYPT] = { .len = sizeof(struct xfrm_algo) }, 3318 [XFRMA_ALG_COMP] = { .len = sizeof(struct xfrm_algo) }, 3319 [XFRMA_ENCAP] = { .len = sizeof(struct xfrm_encap_tmpl) }, 3320 [XFRMA_TMPL] = { .len = sizeof(struct xfrm_user_tmpl) }, 3321 [XFRMA_SEC_CTX] = { .len = sizeof(struct xfrm_user_sec_ctx) }, 3322 [XFRMA_LTIME_VAL] = { .len = sizeof(struct xfrm_lifetime_cur) }, 3323 [XFRMA_REPLAY_VAL] = { .len = sizeof(struct xfrm_replay_state) }, 3324 [XFRMA_REPLAY_THRESH] = { .type = NLA_U32 }, 3325 [XFRMA_ETIMER_THRESH] = { .type = NLA_U32 }, 3326 [XFRMA_SRCADDR] = { .len = sizeof(xfrm_address_t) }, 3327 [XFRMA_COADDR] = { .len = sizeof(xfrm_address_t) }, 3328 [XFRMA_POLICY_TYPE] = { .len = sizeof(struct xfrm_userpolicy_type)}, 3329 [XFRMA_MIGRATE] = { .len = sizeof(struct xfrm_user_migrate) }, 3330 [XFRMA_KMADDRESS] = { .len = sizeof(struct xfrm_user_kmaddress) }, 3331 [XFRMA_MARK] = { .len = sizeof(struct xfrm_mark) }, 3332 [XFRMA_TFCPAD] = { .type = NLA_U32 }, 3333 [XFRMA_REPLAY_ESN_VAL] = { .len = sizeof(struct xfrm_replay_state_esn) }, 3334 [XFRMA_SA_EXTRA_FLAGS] = { .type = NLA_U32 }, 3335 [XFRMA_PROTO] = { .type = NLA_U8 }, 3336 [XFRMA_ADDRESS_FILTER] = { .len = sizeof(struct xfrm_address_filter) }, 3337 [XFRMA_OFFLOAD_DEV] = { .len = sizeof(struct xfrm_user_offload) }, 3338 [XFRMA_SET_MARK] = { .type = NLA_U32 }, 3339 [XFRMA_SET_MARK_MASK] = { .type = NLA_U32 }, 3340 [XFRMA_IF_ID] = { .type = NLA_U32 }, 3341 [XFRMA_MTIMER_THRESH] = { .type = NLA_U32 }, 3342 [XFRMA_SA_DIR] = NLA_POLICY_RANGE(NLA_U8, XFRM_SA_DIR_IN, XFRM_SA_DIR_OUT), 3343 [XFRMA_NAT_KEEPALIVE_INTERVAL] = { .type = NLA_U32 }, 3344 [XFRMA_SA_PCPU] = { .type = NLA_U32 }, 3345 [XFRMA_IPTFS_DROP_TIME] = { .type = NLA_U32 }, 3346 [XFRMA_IPTFS_REORDER_WINDOW] = { .type = NLA_U16 }, 3347 [XFRMA_IPTFS_DONT_FRAG] = { .type = NLA_FLAG }, 3348 [XFRMA_IPTFS_INIT_DELAY] = { .type = NLA_U32 }, 3349 [XFRMA_IPTFS_MAX_QSIZE] = { .type = NLA_U32 }, 3350 [XFRMA_IPTFS_PKT_SIZE] = { .type = NLA_U32 }, 3351 }; 3352 EXPORT_SYMBOL_GPL(xfrma_policy); 3353 3354 static const struct nla_policy xfrma_spd_policy[XFRMA_SPD_MAX+1] = { 3355 [XFRMA_SPD_IPV4_HTHRESH] = { .len = sizeof(struct xfrmu_spdhthresh) }, 3356 [XFRMA_SPD_IPV6_HTHRESH] = { .len = sizeof(struct xfrmu_spdhthresh) }, 3357 }; 3358 3359 static const struct xfrm_link { 3360 int (*doit)(struct sk_buff *, struct nlmsghdr *, struct nlattr **, 3361 struct netlink_ext_ack *); 3362 int (*start)(struct netlink_callback *); 3363 int (*dump)(struct sk_buff *, struct netlink_callback *); 3364 int (*done)(struct netlink_callback *); 3365 const struct nla_policy *nla_pol; 3366 int nla_max; 3367 } xfrm_dispatch[XFRM_NR_MSGTYPES] = { 3368 [XFRM_MSG_NEWSA - XFRM_MSG_BASE] = { .doit = xfrm_add_sa }, 3369 [XFRM_MSG_DELSA - XFRM_MSG_BASE] = { .doit = xfrm_del_sa }, 3370 [XFRM_MSG_GETSA - XFRM_MSG_BASE] = { .doit = xfrm_get_sa, 3371 .dump = xfrm_dump_sa, 3372 .done = xfrm_dump_sa_done }, 3373 [XFRM_MSG_NEWPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_add_policy }, 3374 [XFRM_MSG_DELPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_get_policy }, 3375 [XFRM_MSG_GETPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_get_policy, 3376 .start = xfrm_dump_policy_start, 3377 .dump = xfrm_dump_policy, 3378 .done = xfrm_dump_policy_done }, 3379 [XFRM_MSG_ALLOCSPI - XFRM_MSG_BASE] = { .doit = xfrm_alloc_userspi }, 3380 [XFRM_MSG_ACQUIRE - XFRM_MSG_BASE] = { .doit = xfrm_add_acquire }, 3381 [XFRM_MSG_EXPIRE - XFRM_MSG_BASE] = { .doit = xfrm_add_sa_expire }, 3382 [XFRM_MSG_UPDPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_add_policy }, 3383 [XFRM_MSG_UPDSA - XFRM_MSG_BASE] = { .doit = xfrm_add_sa }, 3384 [XFRM_MSG_POLEXPIRE - XFRM_MSG_BASE] = { .doit = xfrm_add_pol_expire}, 3385 [XFRM_MSG_FLUSHSA - XFRM_MSG_BASE] = { .doit = xfrm_flush_sa }, 3386 [XFRM_MSG_FLUSHPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_flush_policy }, 3387 [XFRM_MSG_NEWAE - XFRM_MSG_BASE] = { .doit = xfrm_new_ae }, 3388 [XFRM_MSG_GETAE - XFRM_MSG_BASE] = { .doit = xfrm_get_ae }, 3389 [XFRM_MSG_MIGRATE - XFRM_MSG_BASE] = { .doit = xfrm_do_migrate }, 3390 [XFRM_MSG_GETSADINFO - XFRM_MSG_BASE] = { .doit = xfrm_get_sadinfo }, 3391 [XFRM_MSG_NEWSPDINFO - XFRM_MSG_BASE] = { .doit = xfrm_set_spdinfo, 3392 .nla_pol = xfrma_spd_policy, 3393 .nla_max = XFRMA_SPD_MAX }, 3394 [XFRM_MSG_GETSPDINFO - XFRM_MSG_BASE] = { .doit = xfrm_get_spdinfo }, 3395 [XFRM_MSG_SETDEFAULT - XFRM_MSG_BASE] = { .doit = xfrm_set_default }, 3396 [XFRM_MSG_GETDEFAULT - XFRM_MSG_BASE] = { .doit = xfrm_get_default }, 3397 }; 3398 3399 static int xfrm_reject_unused_attr(int type, struct nlattr **attrs, 3400 struct netlink_ext_ack *extack) 3401 { 3402 if (attrs[XFRMA_SA_DIR]) { 3403 switch (type) { 3404 case XFRM_MSG_NEWSA: 3405 case XFRM_MSG_UPDSA: 3406 case XFRM_MSG_ALLOCSPI: 3407 break; 3408 default: 3409 NL_SET_ERR_MSG(extack, "Invalid attribute SA_DIR"); 3410 return -EINVAL; 3411 } 3412 } 3413 3414 if (attrs[XFRMA_SA_PCPU]) { 3415 switch (type) { 3416 case XFRM_MSG_NEWSA: 3417 case XFRM_MSG_UPDSA: 3418 case XFRM_MSG_ALLOCSPI: 3419 case XFRM_MSG_ACQUIRE: 3420 3421 break; 3422 default: 3423 NL_SET_ERR_MSG(extack, "Invalid attribute SA_PCPU"); 3424 return -EINVAL; 3425 } 3426 } 3427 3428 return 0; 3429 } 3430 3431 static int xfrm_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh, 3432 struct netlink_ext_ack *extack) 3433 { 3434 struct net *net = sock_net(skb->sk); 3435 struct nlattr *attrs[XFRMA_MAX+1]; 3436 const struct xfrm_link *link; 3437 struct nlmsghdr *nlh64 = NULL; 3438 int type, err; 3439 3440 type = nlh->nlmsg_type; 3441 if (type > XFRM_MSG_MAX) 3442 return -EINVAL; 3443 3444 type -= XFRM_MSG_BASE; 3445 link = &xfrm_dispatch[type]; 3446 3447 /* All operations require privileges, even GET */ 3448 if (!netlink_net_capable(skb, CAP_NET_ADMIN)) 3449 return -EPERM; 3450 3451 if (in_compat_syscall()) { 3452 struct xfrm_translator *xtr = xfrm_get_translator(); 3453 3454 if (!xtr) 3455 return -EOPNOTSUPP; 3456 3457 nlh64 = xtr->rcv_msg_compat(nlh, link->nla_max, 3458 link->nla_pol, extack); 3459 xfrm_put_translator(xtr); 3460 if (IS_ERR(nlh64)) 3461 return PTR_ERR(nlh64); 3462 if (nlh64) 3463 nlh = nlh64; 3464 } 3465 3466 if ((type == (XFRM_MSG_GETSA - XFRM_MSG_BASE) || 3467 type == (XFRM_MSG_GETPOLICY - XFRM_MSG_BASE)) && 3468 (nlh->nlmsg_flags & NLM_F_DUMP)) { 3469 struct netlink_dump_control c = { 3470 .start = link->start, 3471 .dump = link->dump, 3472 .done = link->done, 3473 }; 3474 3475 if (link->dump == NULL) { 3476 err = -EINVAL; 3477 goto err; 3478 } 3479 3480 err = netlink_dump_start(net->xfrm.nlsk, skb, nlh, &c); 3481 goto err; 3482 } 3483 3484 err = nlmsg_parse_deprecated(nlh, xfrm_msg_min[type], attrs, 3485 link->nla_max ? : XFRMA_MAX, 3486 link->nla_pol ? : xfrma_policy, extack); 3487 if (err < 0) 3488 goto err; 3489 3490 if (!link->nla_pol || link->nla_pol == xfrma_policy) { 3491 err = xfrm_reject_unused_attr((type + XFRM_MSG_BASE), attrs, extack); 3492 if (err < 0) 3493 goto err; 3494 } 3495 3496 if (link->doit == NULL) { 3497 err = -EINVAL; 3498 goto err; 3499 } 3500 3501 err = link->doit(skb, nlh, attrs, extack); 3502 3503 /* We need to free skb allocated in xfrm_alloc_compat() before 3504 * returning from this function, because consume_skb() won't take 3505 * care of frag_list since netlink destructor sets 3506 * sbk->head to NULL. (see netlink_skb_destructor()) 3507 */ 3508 if (skb_has_frag_list(skb)) { 3509 kfree_skb(skb_shinfo(skb)->frag_list); 3510 skb_shinfo(skb)->frag_list = NULL; 3511 } 3512 3513 err: 3514 kvfree(nlh64); 3515 return err; 3516 } 3517 3518 static void xfrm_netlink_rcv(struct sk_buff *skb) 3519 { 3520 struct net *net = sock_net(skb->sk); 3521 3522 mutex_lock(&net->xfrm.xfrm_cfg_mutex); 3523 netlink_rcv_skb(skb, &xfrm_user_rcv_msg); 3524 mutex_unlock(&net->xfrm.xfrm_cfg_mutex); 3525 } 3526 3527 static inline unsigned int xfrm_expire_msgsize(void) 3528 { 3529 return NLMSG_ALIGN(sizeof(struct xfrm_user_expire)) + 3530 nla_total_size(sizeof(struct xfrm_mark)) + 3531 nla_total_size(sizeof_field(struct xfrm_state, dir)) + 3532 nla_total_size(4); /* XFRMA_SA_PCPU */ 3533 } 3534 3535 static int build_expire(struct sk_buff *skb, struct xfrm_state *x, const struct km_event *c) 3536 { 3537 struct xfrm_user_expire *ue; 3538 struct nlmsghdr *nlh; 3539 int err; 3540 3541 nlh = nlmsg_put(skb, c->portid, 0, XFRM_MSG_EXPIRE, sizeof(*ue), 0); 3542 if (nlh == NULL) 3543 return -EMSGSIZE; 3544 3545 ue = nlmsg_data(nlh); 3546 copy_to_user_state(x, &ue->state); 3547 ue->hard = (c->data.hard != 0) ? 1 : 0; 3548 /* clear the padding bytes */ 3549 memset_after(ue, 0, hard); 3550 3551 err = xfrm_mark_put(skb, &x->mark); 3552 if (err) 3553 return err; 3554 3555 err = xfrm_if_id_put(skb, x->if_id); 3556 if (err) 3557 return err; 3558 if (x->pcpu_num != UINT_MAX) { 3559 err = nla_put_u32(skb, XFRMA_SA_PCPU, x->pcpu_num); 3560 if (err) 3561 return err; 3562 } 3563 3564 if (x->dir) { 3565 err = nla_put_u8(skb, XFRMA_SA_DIR, x->dir); 3566 if (err) 3567 return err; 3568 } 3569 3570 nlmsg_end(skb, nlh); 3571 return 0; 3572 } 3573 3574 static int xfrm_exp_state_notify(struct xfrm_state *x, const struct km_event *c) 3575 { 3576 struct net *net = xs_net(x); 3577 struct sk_buff *skb; 3578 3579 skb = nlmsg_new(xfrm_expire_msgsize(), GFP_ATOMIC); 3580 if (skb == NULL) 3581 return -ENOMEM; 3582 3583 if (build_expire(skb, x, c) < 0) { 3584 kfree_skb(skb); 3585 return -EMSGSIZE; 3586 } 3587 3588 return xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_EXPIRE); 3589 } 3590 3591 static int xfrm_aevent_state_notify(struct xfrm_state *x, const struct km_event *c) 3592 { 3593 struct net *net = xs_net(x); 3594 struct sk_buff *skb; 3595 int err; 3596 3597 skb = nlmsg_new(xfrm_aevent_msgsize(x), GFP_ATOMIC); 3598 if (skb == NULL) 3599 return -ENOMEM; 3600 3601 err = build_aevent(skb, x, c); 3602 BUG_ON(err < 0); 3603 3604 return xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_AEVENTS); 3605 } 3606 3607 static int xfrm_notify_sa_flush(const struct km_event *c) 3608 { 3609 struct net *net = c->net; 3610 struct xfrm_usersa_flush *p; 3611 struct nlmsghdr *nlh; 3612 struct sk_buff *skb; 3613 int len = NLMSG_ALIGN(sizeof(struct xfrm_usersa_flush)); 3614 3615 skb = nlmsg_new(len, GFP_ATOMIC); 3616 if (skb == NULL) 3617 return -ENOMEM; 3618 3619 nlh = nlmsg_put(skb, c->portid, c->seq, XFRM_MSG_FLUSHSA, sizeof(*p), 0); 3620 if (nlh == NULL) { 3621 kfree_skb(skb); 3622 return -EMSGSIZE; 3623 } 3624 3625 p = nlmsg_data(nlh); 3626 p->proto = c->data.proto; 3627 3628 nlmsg_end(skb, nlh); 3629 3630 return xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_SA); 3631 } 3632 3633 static inline unsigned int xfrm_sa_len(struct xfrm_state *x) 3634 { 3635 unsigned int l = 0; 3636 if (x->aead) 3637 l += nla_total_size(aead_len(x->aead)); 3638 if (x->aalg) { 3639 l += nla_total_size(sizeof(struct xfrm_algo) + 3640 (x->aalg->alg_key_len + 7) / 8); 3641 l += nla_total_size(xfrm_alg_auth_len(x->aalg)); 3642 } 3643 if (x->ealg) 3644 l += nla_total_size(xfrm_alg_len(x->ealg)); 3645 if (x->calg) 3646 l += nla_total_size(sizeof(*x->calg)); 3647 if (x->encap) 3648 l += nla_total_size(sizeof(*x->encap)); 3649 if (x->tfcpad) 3650 l += nla_total_size(sizeof(x->tfcpad)); 3651 if (x->replay_esn) 3652 l += nla_total_size(xfrm_replay_state_esn_len(x->replay_esn)); 3653 else 3654 l += nla_total_size(sizeof(struct xfrm_replay_state)); 3655 if (x->security) 3656 l += nla_total_size(sizeof(struct xfrm_user_sec_ctx) + 3657 x->security->ctx_len); 3658 if (x->coaddr) 3659 l += nla_total_size(sizeof(*x->coaddr)); 3660 if (x->props.extra_flags) 3661 l += nla_total_size(sizeof(x->props.extra_flags)); 3662 if (x->xso.dev) 3663 l += nla_total_size(sizeof(struct xfrm_user_offload)); 3664 if (x->props.smark.v | x->props.smark.m) { 3665 l += nla_total_size(sizeof(x->props.smark.v)); 3666 l += nla_total_size(sizeof(x->props.smark.m)); 3667 } 3668 if (x->if_id) 3669 l += nla_total_size(sizeof(x->if_id)); 3670 if (x->pcpu_num) 3671 l += nla_total_size(sizeof(x->pcpu_num)); 3672 3673 /* Must count x->lastused as it may become non-zero behind our back. */ 3674 l += nla_total_size_64bit(sizeof(u64)); 3675 3676 if (x->mapping_maxage) 3677 l += nla_total_size(sizeof(x->mapping_maxage)); 3678 3679 if (x->dir) 3680 l += nla_total_size(sizeof(x->dir)); 3681 3682 if (x->nat_keepalive_interval) 3683 l += nla_total_size(sizeof(x->nat_keepalive_interval)); 3684 3685 if (x->mode_cbs && x->mode_cbs->sa_len) 3686 l += x->mode_cbs->sa_len(x); 3687 3688 return l; 3689 } 3690 3691 static int xfrm_notify_sa(struct xfrm_state *x, const struct km_event *c) 3692 { 3693 struct net *net = xs_net(x); 3694 struct xfrm_usersa_info *p; 3695 struct xfrm_usersa_id *id; 3696 struct nlmsghdr *nlh; 3697 struct sk_buff *skb; 3698 unsigned int len = xfrm_sa_len(x); 3699 unsigned int headlen; 3700 int err; 3701 3702 headlen = sizeof(*p); 3703 if (c->event == XFRM_MSG_DELSA) { 3704 len += nla_total_size(headlen); 3705 headlen = sizeof(*id); 3706 len += nla_total_size(sizeof(struct xfrm_mark)); 3707 } 3708 len += NLMSG_ALIGN(headlen); 3709 3710 skb = nlmsg_new(len, GFP_ATOMIC); 3711 if (skb == NULL) 3712 return -ENOMEM; 3713 3714 nlh = nlmsg_put(skb, c->portid, c->seq, c->event, headlen, 0); 3715 err = -EMSGSIZE; 3716 if (nlh == NULL) 3717 goto out_free_skb; 3718 3719 p = nlmsg_data(nlh); 3720 if (c->event == XFRM_MSG_DELSA) { 3721 struct nlattr *attr; 3722 3723 id = nlmsg_data(nlh); 3724 memset(id, 0, sizeof(*id)); 3725 memcpy(&id->daddr, &x->id.daddr, sizeof(id->daddr)); 3726 id->spi = x->id.spi; 3727 id->family = x->props.family; 3728 id->proto = x->id.proto; 3729 3730 attr = nla_reserve(skb, XFRMA_SA, sizeof(*p)); 3731 err = -EMSGSIZE; 3732 if (attr == NULL) 3733 goto out_free_skb; 3734 3735 p = nla_data(attr); 3736 } 3737 err = copy_to_user_state_extra(x, p, skb); 3738 if (err) 3739 goto out_free_skb; 3740 3741 nlmsg_end(skb, nlh); 3742 3743 return xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_SA); 3744 3745 out_free_skb: 3746 kfree_skb(skb); 3747 return err; 3748 } 3749 3750 static int xfrm_send_state_notify(struct xfrm_state *x, const struct km_event *c) 3751 { 3752 3753 switch (c->event) { 3754 case XFRM_MSG_EXPIRE: 3755 return xfrm_exp_state_notify(x, c); 3756 case XFRM_MSG_NEWAE: 3757 return xfrm_aevent_state_notify(x, c); 3758 case XFRM_MSG_DELSA: 3759 case XFRM_MSG_UPDSA: 3760 case XFRM_MSG_NEWSA: 3761 return xfrm_notify_sa(x, c); 3762 case XFRM_MSG_FLUSHSA: 3763 return xfrm_notify_sa_flush(c); 3764 default: 3765 printk(KERN_NOTICE "xfrm_user: Unknown SA event %d\n", 3766 c->event); 3767 break; 3768 } 3769 3770 return 0; 3771 3772 } 3773 3774 static inline unsigned int xfrm_acquire_msgsize(struct xfrm_state *x, 3775 struct xfrm_policy *xp) 3776 { 3777 return NLMSG_ALIGN(sizeof(struct xfrm_user_acquire)) 3778 + nla_total_size(sizeof(struct xfrm_user_tmpl) * xp->xfrm_nr) 3779 + nla_total_size(sizeof(struct xfrm_mark)) 3780 + nla_total_size(xfrm_user_sec_ctx_size(x->security)) 3781 + nla_total_size(4) /* XFRMA_SA_PCPU */ 3782 + userpolicy_type_attrsize(); 3783 } 3784 3785 static int build_acquire(struct sk_buff *skb, struct xfrm_state *x, 3786 struct xfrm_tmpl *xt, struct xfrm_policy *xp) 3787 { 3788 __u32 seq = xfrm_get_acqseq(); 3789 struct xfrm_user_acquire *ua; 3790 struct nlmsghdr *nlh; 3791 int err; 3792 3793 nlh = nlmsg_put(skb, 0, 0, XFRM_MSG_ACQUIRE, sizeof(*ua), 0); 3794 if (nlh == NULL) 3795 return -EMSGSIZE; 3796 3797 ua = nlmsg_data(nlh); 3798 memcpy(&ua->id, &x->id, sizeof(ua->id)); 3799 memcpy(&ua->saddr, &x->props.saddr, sizeof(ua->saddr)); 3800 memcpy(&ua->sel, &x->sel, sizeof(ua->sel)); 3801 copy_to_user_policy(xp, &ua->policy, XFRM_POLICY_OUT); 3802 ua->aalgos = xt->aalgos; 3803 ua->ealgos = xt->ealgos; 3804 ua->calgos = xt->calgos; 3805 ua->seq = x->km.seq = seq; 3806 3807 err = copy_to_user_tmpl(xp, skb); 3808 if (!err) 3809 err = copy_to_user_state_sec_ctx(x, skb); 3810 if (!err) 3811 err = copy_to_user_policy_type(xp->type, skb); 3812 if (!err) 3813 err = xfrm_mark_put(skb, &xp->mark); 3814 if (!err) 3815 err = xfrm_if_id_put(skb, xp->if_id); 3816 if (!err && xp->xdo.dev) 3817 err = copy_user_offload(&xp->xdo, skb); 3818 if (!err && x->pcpu_num != UINT_MAX) 3819 err = nla_put_u32(skb, XFRMA_SA_PCPU, x->pcpu_num); 3820 if (err) { 3821 nlmsg_cancel(skb, nlh); 3822 return err; 3823 } 3824 3825 nlmsg_end(skb, nlh); 3826 return 0; 3827 } 3828 3829 static int xfrm_send_acquire(struct xfrm_state *x, struct xfrm_tmpl *xt, 3830 struct xfrm_policy *xp) 3831 { 3832 struct net *net = xs_net(x); 3833 struct sk_buff *skb; 3834 int err; 3835 3836 skb = nlmsg_new(xfrm_acquire_msgsize(x, xp), GFP_ATOMIC); 3837 if (skb == NULL) 3838 return -ENOMEM; 3839 3840 err = build_acquire(skb, x, xt, xp); 3841 BUG_ON(err < 0); 3842 3843 return xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_ACQUIRE); 3844 } 3845 3846 /* User gives us xfrm_user_policy_info followed by an array of 0 3847 * or more templates. 3848 */ 3849 static struct xfrm_policy *xfrm_compile_policy(struct sock *sk, int opt, 3850 u8 *data, int len, int *dir) 3851 { 3852 struct net *net = sock_net(sk); 3853 struct xfrm_userpolicy_info *p = (struct xfrm_userpolicy_info *)data; 3854 struct xfrm_user_tmpl *ut = (struct xfrm_user_tmpl *) (p + 1); 3855 struct xfrm_policy *xp; 3856 int nr; 3857 3858 switch (sk->sk_family) { 3859 case AF_INET: 3860 if (opt != IP_XFRM_POLICY) { 3861 *dir = -EOPNOTSUPP; 3862 return NULL; 3863 } 3864 break; 3865 #if IS_ENABLED(CONFIG_IPV6) 3866 case AF_INET6: 3867 if (opt != IPV6_XFRM_POLICY) { 3868 *dir = -EOPNOTSUPP; 3869 return NULL; 3870 } 3871 break; 3872 #endif 3873 default: 3874 *dir = -EINVAL; 3875 return NULL; 3876 } 3877 3878 *dir = -EINVAL; 3879 3880 if (len < sizeof(*p) || 3881 verify_newpolicy_info(p, NULL)) 3882 return NULL; 3883 3884 nr = ((len - sizeof(*p)) / sizeof(*ut)); 3885 if (validate_tmpl(nr, ut, p->sel.family, p->dir, NULL)) 3886 return NULL; 3887 3888 if (p->dir > XFRM_POLICY_OUT) 3889 return NULL; 3890 3891 xp = xfrm_policy_alloc(net, GFP_ATOMIC); 3892 if (xp == NULL) { 3893 *dir = -ENOBUFS; 3894 return NULL; 3895 } 3896 3897 copy_from_user_policy(xp, p); 3898 xp->type = XFRM_POLICY_TYPE_MAIN; 3899 copy_templates(xp, ut, nr); 3900 3901 *dir = p->dir; 3902 3903 return xp; 3904 } 3905 3906 static inline unsigned int xfrm_polexpire_msgsize(struct xfrm_policy *xp) 3907 { 3908 return NLMSG_ALIGN(sizeof(struct xfrm_user_polexpire)) 3909 + nla_total_size(sizeof(struct xfrm_user_tmpl) * xp->xfrm_nr) 3910 + nla_total_size(xfrm_user_sec_ctx_size(xp->security)) 3911 + nla_total_size(sizeof(struct xfrm_mark)) 3912 + userpolicy_type_attrsize(); 3913 } 3914 3915 static int build_polexpire(struct sk_buff *skb, struct xfrm_policy *xp, 3916 int dir, const struct km_event *c) 3917 { 3918 struct xfrm_user_polexpire *upe; 3919 int hard = c->data.hard; 3920 struct nlmsghdr *nlh; 3921 int err; 3922 3923 nlh = nlmsg_put(skb, c->portid, 0, XFRM_MSG_POLEXPIRE, sizeof(*upe), 0); 3924 if (nlh == NULL) 3925 return -EMSGSIZE; 3926 3927 upe = nlmsg_data(nlh); 3928 copy_to_user_policy(xp, &upe->pol, dir); 3929 err = copy_to_user_tmpl(xp, skb); 3930 if (!err) 3931 err = copy_to_user_sec_ctx(xp, skb); 3932 if (!err) 3933 err = copy_to_user_policy_type(xp->type, skb); 3934 if (!err) 3935 err = xfrm_mark_put(skb, &xp->mark); 3936 if (!err) 3937 err = xfrm_if_id_put(skb, xp->if_id); 3938 if (!err && xp->xdo.dev) 3939 err = copy_user_offload(&xp->xdo, skb); 3940 if (err) { 3941 nlmsg_cancel(skb, nlh); 3942 return err; 3943 } 3944 upe->hard = !!hard; 3945 3946 nlmsg_end(skb, nlh); 3947 return 0; 3948 } 3949 3950 static int xfrm_exp_policy_notify(struct xfrm_policy *xp, int dir, const struct km_event *c) 3951 { 3952 struct net *net = xp_net(xp); 3953 struct sk_buff *skb; 3954 int err; 3955 3956 skb = nlmsg_new(xfrm_polexpire_msgsize(xp), GFP_ATOMIC); 3957 if (skb == NULL) 3958 return -ENOMEM; 3959 3960 err = build_polexpire(skb, xp, dir, c); 3961 BUG_ON(err < 0); 3962 3963 return xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_EXPIRE); 3964 } 3965 3966 static int xfrm_notify_policy(struct xfrm_policy *xp, int dir, const struct km_event *c) 3967 { 3968 unsigned int len = nla_total_size(sizeof(struct xfrm_user_tmpl) * xp->xfrm_nr); 3969 struct net *net = xp_net(xp); 3970 struct xfrm_userpolicy_info *p; 3971 struct xfrm_userpolicy_id *id; 3972 struct nlmsghdr *nlh; 3973 struct sk_buff *skb; 3974 unsigned int headlen; 3975 int err; 3976 3977 headlen = sizeof(*p); 3978 if (c->event == XFRM_MSG_DELPOLICY) { 3979 len += nla_total_size(headlen); 3980 headlen = sizeof(*id); 3981 } 3982 len += userpolicy_type_attrsize(); 3983 len += nla_total_size(sizeof(struct xfrm_mark)); 3984 len += NLMSG_ALIGN(headlen); 3985 3986 skb = nlmsg_new(len, GFP_ATOMIC); 3987 if (skb == NULL) 3988 return -ENOMEM; 3989 3990 nlh = nlmsg_put(skb, c->portid, c->seq, c->event, headlen, 0); 3991 err = -EMSGSIZE; 3992 if (nlh == NULL) 3993 goto out_free_skb; 3994 3995 p = nlmsg_data(nlh); 3996 if (c->event == XFRM_MSG_DELPOLICY) { 3997 struct nlattr *attr; 3998 3999 id = nlmsg_data(nlh); 4000 memset(id, 0, sizeof(*id)); 4001 id->dir = dir; 4002 if (c->data.byid) 4003 id->index = xp->index; 4004 else 4005 memcpy(&id->sel, &xp->selector, sizeof(id->sel)); 4006 4007 attr = nla_reserve(skb, XFRMA_POLICY, sizeof(*p)); 4008 err = -EMSGSIZE; 4009 if (attr == NULL) 4010 goto out_free_skb; 4011 4012 p = nla_data(attr); 4013 } 4014 4015 copy_to_user_policy(xp, p, dir); 4016 err = copy_to_user_tmpl(xp, skb); 4017 if (!err) 4018 err = copy_to_user_policy_type(xp->type, skb); 4019 if (!err) 4020 err = xfrm_mark_put(skb, &xp->mark); 4021 if (!err) 4022 err = xfrm_if_id_put(skb, xp->if_id); 4023 if (!err && xp->xdo.dev) 4024 err = copy_user_offload(&xp->xdo, skb); 4025 if (err) 4026 goto out_free_skb; 4027 4028 nlmsg_end(skb, nlh); 4029 4030 return xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_POLICY); 4031 4032 out_free_skb: 4033 kfree_skb(skb); 4034 return err; 4035 } 4036 4037 static int xfrm_notify_policy_flush(const struct km_event *c) 4038 { 4039 struct net *net = c->net; 4040 struct nlmsghdr *nlh; 4041 struct sk_buff *skb; 4042 int err; 4043 4044 skb = nlmsg_new(userpolicy_type_attrsize(), GFP_ATOMIC); 4045 if (skb == NULL) 4046 return -ENOMEM; 4047 4048 nlh = nlmsg_put(skb, c->portid, c->seq, XFRM_MSG_FLUSHPOLICY, 0, 0); 4049 err = -EMSGSIZE; 4050 if (nlh == NULL) 4051 goto out_free_skb; 4052 err = copy_to_user_policy_type(c->data.type, skb); 4053 if (err) 4054 goto out_free_skb; 4055 4056 nlmsg_end(skb, nlh); 4057 4058 return xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_POLICY); 4059 4060 out_free_skb: 4061 kfree_skb(skb); 4062 return err; 4063 } 4064 4065 static int xfrm_send_policy_notify(struct xfrm_policy *xp, int dir, const struct km_event *c) 4066 { 4067 4068 switch (c->event) { 4069 case XFRM_MSG_NEWPOLICY: 4070 case XFRM_MSG_UPDPOLICY: 4071 case XFRM_MSG_DELPOLICY: 4072 return xfrm_notify_policy(xp, dir, c); 4073 case XFRM_MSG_FLUSHPOLICY: 4074 return xfrm_notify_policy_flush(c); 4075 case XFRM_MSG_POLEXPIRE: 4076 return xfrm_exp_policy_notify(xp, dir, c); 4077 default: 4078 printk(KERN_NOTICE "xfrm_user: Unknown Policy event %d\n", 4079 c->event); 4080 } 4081 4082 return 0; 4083 4084 } 4085 4086 static inline unsigned int xfrm_report_msgsize(void) 4087 { 4088 return NLMSG_ALIGN(sizeof(struct xfrm_user_report)); 4089 } 4090 4091 static int build_report(struct sk_buff *skb, u8 proto, 4092 struct xfrm_selector *sel, xfrm_address_t *addr) 4093 { 4094 struct xfrm_user_report *ur; 4095 struct nlmsghdr *nlh; 4096 4097 nlh = nlmsg_put(skb, 0, 0, XFRM_MSG_REPORT, sizeof(*ur), 0); 4098 if (nlh == NULL) 4099 return -EMSGSIZE; 4100 4101 ur = nlmsg_data(nlh); 4102 ur->proto = proto; 4103 memcpy(&ur->sel, sel, sizeof(ur->sel)); 4104 4105 if (addr) { 4106 int err = nla_put(skb, XFRMA_COADDR, sizeof(*addr), addr); 4107 if (err) { 4108 nlmsg_cancel(skb, nlh); 4109 return err; 4110 } 4111 } 4112 nlmsg_end(skb, nlh); 4113 return 0; 4114 } 4115 4116 static int xfrm_send_report(struct net *net, u8 proto, 4117 struct xfrm_selector *sel, xfrm_address_t *addr) 4118 { 4119 struct sk_buff *skb; 4120 int err; 4121 4122 skb = nlmsg_new(xfrm_report_msgsize(), GFP_ATOMIC); 4123 if (skb == NULL) 4124 return -ENOMEM; 4125 4126 err = build_report(skb, proto, sel, addr); 4127 BUG_ON(err < 0); 4128 4129 return xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_REPORT); 4130 } 4131 4132 static inline unsigned int xfrm_mapping_msgsize(void) 4133 { 4134 return NLMSG_ALIGN(sizeof(struct xfrm_user_mapping)); 4135 } 4136 4137 static int build_mapping(struct sk_buff *skb, struct xfrm_state *x, 4138 xfrm_address_t *new_saddr, __be16 new_sport) 4139 { 4140 struct xfrm_user_mapping *um; 4141 struct nlmsghdr *nlh; 4142 4143 nlh = nlmsg_put(skb, 0, 0, XFRM_MSG_MAPPING, sizeof(*um), 0); 4144 if (nlh == NULL) 4145 return -EMSGSIZE; 4146 4147 um = nlmsg_data(nlh); 4148 4149 memcpy(&um->id.daddr, &x->id.daddr, sizeof(um->id.daddr)); 4150 um->id.spi = x->id.spi; 4151 um->id.family = x->props.family; 4152 um->id.proto = x->id.proto; 4153 memcpy(&um->new_saddr, new_saddr, sizeof(um->new_saddr)); 4154 memcpy(&um->old_saddr, &x->props.saddr, sizeof(um->old_saddr)); 4155 um->new_sport = new_sport; 4156 um->old_sport = x->encap->encap_sport; 4157 um->reqid = x->props.reqid; 4158 4159 nlmsg_end(skb, nlh); 4160 return 0; 4161 } 4162 4163 static int xfrm_send_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, 4164 __be16 sport) 4165 { 4166 struct net *net = xs_net(x); 4167 struct sk_buff *skb; 4168 int err; 4169 4170 if (x->id.proto != IPPROTO_ESP) 4171 return -EINVAL; 4172 4173 if (!x->encap) 4174 return -EINVAL; 4175 4176 skb = nlmsg_new(xfrm_mapping_msgsize(), GFP_ATOMIC); 4177 if (skb == NULL) 4178 return -ENOMEM; 4179 4180 err = build_mapping(skb, x, ipaddr, sport); 4181 BUG_ON(err < 0); 4182 4183 return xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_MAPPING); 4184 } 4185 4186 static bool xfrm_is_alive(const struct km_event *c) 4187 { 4188 return (bool)xfrm_acquire_is_on(c->net); 4189 } 4190 4191 static struct xfrm_mgr netlink_mgr = { 4192 .notify = xfrm_send_state_notify, 4193 .acquire = xfrm_send_acquire, 4194 .compile_policy = xfrm_compile_policy, 4195 .notify_policy = xfrm_send_policy_notify, 4196 .report = xfrm_send_report, 4197 .migrate = xfrm_send_migrate, 4198 .new_mapping = xfrm_send_mapping, 4199 .is_alive = xfrm_is_alive, 4200 }; 4201 4202 static int __net_init xfrm_user_net_init(struct net *net) 4203 { 4204 struct sock *nlsk; 4205 struct netlink_kernel_cfg cfg = { 4206 .groups = XFRMNLGRP_MAX, 4207 .input = xfrm_netlink_rcv, 4208 }; 4209 4210 nlsk = netlink_kernel_create(net, NETLINK_XFRM, &cfg); 4211 if (nlsk == NULL) 4212 return -ENOMEM; 4213 net->xfrm.nlsk_stash = nlsk; /* Don't set to NULL */ 4214 rcu_assign_pointer(net->xfrm.nlsk, nlsk); 4215 return 0; 4216 } 4217 4218 static void __net_exit xfrm_user_net_pre_exit(struct net *net) 4219 { 4220 RCU_INIT_POINTER(net->xfrm.nlsk, NULL); 4221 } 4222 4223 static void __net_exit xfrm_user_net_exit(struct list_head *net_exit_list) 4224 { 4225 struct net *net; 4226 4227 list_for_each_entry(net, net_exit_list, exit_list) 4228 netlink_kernel_release(net->xfrm.nlsk_stash); 4229 } 4230 4231 static struct pernet_operations xfrm_user_net_ops = { 4232 .init = xfrm_user_net_init, 4233 .pre_exit = xfrm_user_net_pre_exit, 4234 .exit_batch = xfrm_user_net_exit, 4235 }; 4236 4237 static int __init xfrm_user_init(void) 4238 { 4239 int rv; 4240 4241 printk(KERN_INFO "Initializing XFRM netlink socket\n"); 4242 4243 rv = register_pernet_subsys(&xfrm_user_net_ops); 4244 if (rv < 0) 4245 return rv; 4246 xfrm_register_km(&netlink_mgr); 4247 return 0; 4248 } 4249 4250 static void __exit xfrm_user_exit(void) 4251 { 4252 xfrm_unregister_km(&netlink_mgr); 4253 unregister_pernet_subsys(&xfrm_user_net_ops); 4254 } 4255 4256 module_init(xfrm_user_init); 4257 module_exit(xfrm_user_exit); 4258 MODULE_DESCRIPTION("XFRM User interface"); 4259 MODULE_LICENSE("GPL"); 4260 MODULE_ALIAS_NET_PF_PROTO(PF_NETLINK, NETLINK_XFRM); 4261