Diffstat (limited to 'net/xfrm')
-rw-r--r--net/xfrm/Makefile2
-rw-r--r--net/xfrm/xfrm_algo.c8
-rw-r--r--net/xfrm/xfrm_hash.h32
-rw-r--r--net/xfrm/xfrm_input.c13
-rw-r--r--net/xfrm/xfrm_output.c15
-rw-r--r--net/xfrm/xfrm_policy.c218
-rw-r--r--net/xfrm/xfrm_replay.c534
-rw-r--r--net/xfrm/xfrm_state.c190
-rw-r--r--net/xfrm/xfrm_user.c211
9 files changed, 879 insertions, 344 deletions
diff --git a/net/xfrm/Makefile b/net/xfrm/Makefile
index c631047e1b2..aa429eefe91 100644
--- a/net/xfrm/Makefile
+++ b/net/xfrm/Makefile
@@ -4,7 +4,7 @@
4 4
5obj-$(CONFIG_XFRM) := xfrm_policy.o xfrm_state.o xfrm_hash.o \ 5obj-$(CONFIG_XFRM) := xfrm_policy.o xfrm_state.o xfrm_hash.o \
6 xfrm_input.o xfrm_output.o xfrm_algo.o \ 6 xfrm_input.o xfrm_output.o xfrm_algo.o \
7 xfrm_sysctl.o 7 xfrm_sysctl.o xfrm_replay.o
8obj-$(CONFIG_XFRM_STATISTICS) += xfrm_proc.o 8obj-$(CONFIG_XFRM_STATISTICS) += xfrm_proc.o
9obj-$(CONFIG_XFRM_USER) += xfrm_user.o 9obj-$(CONFIG_XFRM_USER) += xfrm_user.o
10obj-$(CONFIG_XFRM_IPCOMP) += xfrm_ipcomp.o 10obj-$(CONFIG_XFRM_IPCOMP) += xfrm_ipcomp.o
diff --git a/net/xfrm/xfrm_algo.c b/net/xfrm/xfrm_algo.c
index 8b4d6e3246e..58064d9e565 100644
--- a/net/xfrm/xfrm_algo.c
+++ b/net/xfrm/xfrm_algo.c
@@ -618,21 +618,21 @@ static int xfrm_alg_name_match(const struct xfrm_algo_desc *entry,
618 (entry->compat && !strcmp(name, entry->compat))); 618 (entry->compat && !strcmp(name, entry->compat)));
619} 619}
620 620
621struct xfrm_algo_desc *xfrm_aalg_get_byname(char *name, int probe) 621struct xfrm_algo_desc *xfrm_aalg_get_byname(const char *name, int probe)
622{ 622{
623 return xfrm_find_algo(&xfrm_aalg_list, xfrm_alg_name_match, name, 623 return xfrm_find_algo(&xfrm_aalg_list, xfrm_alg_name_match, name,
624 probe); 624 probe);
625} 625}
626EXPORT_SYMBOL_GPL(xfrm_aalg_get_byname); 626EXPORT_SYMBOL_GPL(xfrm_aalg_get_byname);
627 627
628struct xfrm_algo_desc *xfrm_ealg_get_byname(char *name, int probe) 628struct xfrm_algo_desc *xfrm_ealg_get_byname(const char *name, int probe)
629{ 629{
630 return xfrm_find_algo(&xfrm_ealg_list, xfrm_alg_name_match, name, 630 return xfrm_find_algo(&xfrm_ealg_list, xfrm_alg_name_match, name,
631 probe); 631 probe);
632} 632}
633EXPORT_SYMBOL_GPL(xfrm_ealg_get_byname); 633EXPORT_SYMBOL_GPL(xfrm_ealg_get_byname);
634 634
635struct xfrm_algo_desc *xfrm_calg_get_byname(char *name, int probe) 635struct xfrm_algo_desc *xfrm_calg_get_byname(const char *name, int probe)
636{ 636{
637 return xfrm_find_algo(&xfrm_calg_list, xfrm_alg_name_match, name, 637 return xfrm_find_algo(&xfrm_calg_list, xfrm_alg_name_match, name,
638 probe); 638 probe);
@@ -654,7 +654,7 @@ static int xfrm_aead_name_match(const struct xfrm_algo_desc *entry,
654 !strcmp(name, entry->name); 654 !strcmp(name, entry->name);
655} 655}
656 656
657struct xfrm_algo_desc *xfrm_aead_get_byname(char *name, int icv_len, int probe) 657struct xfrm_algo_desc *xfrm_aead_get_byname(const char *name, int icv_len, int probe)
658{ 658{
659 struct xfrm_aead_name data = { 659 struct xfrm_aead_name data = {
660 .name = name, 660 .name = name,
diff --git a/net/xfrm/xfrm_hash.h b/net/xfrm/xfrm_hash.h
index 8e69533d231..7199d78b2aa 100644
--- a/net/xfrm/xfrm_hash.h
+++ b/net/xfrm/xfrm_hash.h
@@ -4,29 +4,32 @@
4#include <linux/xfrm.h> 4#include <linux/xfrm.h>
5#include <linux/socket.h> 5#include <linux/socket.h>
6 6
7static inline unsigned int __xfrm4_addr_hash(xfrm_address_t *addr) 7static inline unsigned int __xfrm4_addr_hash(const xfrm_address_t *addr)
8{ 8{
9 return ntohl(addr->a4); 9 return ntohl(addr->a4);
10} 10}
11 11
12static inline unsigned int __xfrm6_addr_hash(xfrm_address_t *addr) 12static inline unsigned int __xfrm6_addr_hash(const xfrm_address_t *addr)
13{ 13{
14 return ntohl(addr->a6[2] ^ addr->a6[3]); 14 return ntohl(addr->a6[2] ^ addr->a6[3]);
15} 15}
16 16
17static inline unsigned int __xfrm4_daddr_saddr_hash(xfrm_address_t *daddr, xfrm_address_t *saddr) 17static inline unsigned int __xfrm4_daddr_saddr_hash(const xfrm_address_t *daddr,
18 const xfrm_address_t *saddr)
18{ 19{
19 u32 sum = (__force u32)daddr->a4 + (__force u32)saddr->a4; 20 u32 sum = (__force u32)daddr->a4 + (__force u32)saddr->a4;
20 return ntohl((__force __be32)sum); 21 return ntohl((__force __be32)sum);
21} 22}
22 23
23static inline unsigned int __xfrm6_daddr_saddr_hash(xfrm_address_t *daddr, xfrm_address_t *saddr) 24static inline unsigned int __xfrm6_daddr_saddr_hash(const xfrm_address_t *daddr,
25 const xfrm_address_t *saddr)
24{ 26{
25 return ntohl(daddr->a6[2] ^ daddr->a6[3] ^ 27 return ntohl(daddr->a6[2] ^ daddr->a6[3] ^
26 saddr->a6[2] ^ saddr->a6[3]); 28 saddr->a6[2] ^ saddr->a6[3]);
27} 29}
28 30
29static inline unsigned int __xfrm_dst_hash(xfrm_address_t *daddr, xfrm_address_t *saddr, 31static inline unsigned int __xfrm_dst_hash(const xfrm_address_t *daddr,
32 const xfrm_address_t *saddr,
30 u32 reqid, unsigned short family, 33 u32 reqid, unsigned short family,
31 unsigned int hmask) 34 unsigned int hmask)
32{ 35{
@@ -42,8 +45,8 @@ static inline unsigned int __xfrm_dst_hash(xfrm_address_t *daddr, xfrm_address_t
42 return (h ^ (h >> 16)) & hmask; 45 return (h ^ (h >> 16)) & hmask;
43} 46}
44 47
45static inline unsigned __xfrm_src_hash(xfrm_address_t *daddr, 48static inline unsigned __xfrm_src_hash(const xfrm_address_t *daddr,
46 xfrm_address_t *saddr, 49 const xfrm_address_t *saddr,
47 unsigned short family, 50 unsigned short family,
48 unsigned int hmask) 51 unsigned int hmask)
49{ 52{
@@ -60,8 +63,8 @@ static inline unsigned __xfrm_src_hash(xfrm_address_t *daddr,
60} 63}
61 64
62static inline unsigned int 65static inline unsigned int
63__xfrm_spi_hash(xfrm_address_t *daddr, __be32 spi, u8 proto, unsigned short family, 66__xfrm_spi_hash(const xfrm_address_t *daddr, __be32 spi, u8 proto,
64 unsigned int hmask) 67 unsigned short family, unsigned int hmask)
65{ 68{
66 unsigned int h = (__force u32)spi ^ proto; 69 unsigned int h = (__force u32)spi ^ proto;
67 switch (family) { 70 switch (family) {
@@ -80,10 +83,11 @@ static inline unsigned int __idx_hash(u32 index, unsigned int hmask)
80 return (index ^ (index >> 8)) & hmask; 83 return (index ^ (index >> 8)) & hmask;
81} 84}
82 85
83static inline unsigned int __sel_hash(struct xfrm_selector *sel, unsigned short family, unsigned int hmask) 86static inline unsigned int __sel_hash(const struct xfrm_selector *sel,
87 unsigned short family, unsigned int hmask)
84{ 88{
85 xfrm_address_t *daddr = &sel->daddr; 89 const xfrm_address_t *daddr = &sel->daddr;
86 xfrm_address_t *saddr = &sel->saddr; 90 const xfrm_address_t *saddr = &sel->saddr;
87 unsigned int h = 0; 91 unsigned int h = 0;
88 92
89 switch (family) { 93 switch (family) {
@@ -107,7 +111,9 @@ static inline unsigned int __sel_hash(struct xfrm_selector *sel, unsigned short
107 return h & hmask; 111 return h & hmask;
108} 112}
109 113
110static inline unsigned int __addr_hash(xfrm_address_t *daddr, xfrm_address_t *saddr, unsigned short family, unsigned int hmask) 114static inline unsigned int __addr_hash(const xfrm_address_t *daddr,
115 const xfrm_address_t *saddr,
116 unsigned short family, unsigned int hmask)
111{ 117{
112 unsigned int h = 0; 118 unsigned int h = 0;
113 119
diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c
index 45f1c98d4fc..872065ca7f8 100644
--- a/net/xfrm/xfrm_input.c
+++ b/net/xfrm/xfrm_input.c
@@ -107,6 +107,7 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
107 struct net *net = dev_net(skb->dev); 107 struct net *net = dev_net(skb->dev);
108 int err; 108 int err;
109 __be32 seq; 109 __be32 seq;
110 __be32 seq_hi;
110 struct xfrm_state *x; 111 struct xfrm_state *x;
111 xfrm_address_t *daddr; 112 xfrm_address_t *daddr;
112 struct xfrm_mode *inner_mode; 113 struct xfrm_mode *inner_mode;
@@ -118,7 +119,7 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
118 if (encap_type < 0) { 119 if (encap_type < 0) {
119 async = 1; 120 async = 1;
120 x = xfrm_input_state(skb); 121 x = xfrm_input_state(skb);
121 seq = XFRM_SKB_CB(skb)->seq.input; 122 seq = XFRM_SKB_CB(skb)->seq.input.low;
122 goto resume; 123 goto resume;
123 } 124 }
124 125
@@ -172,7 +173,7 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
172 goto drop_unlock; 173 goto drop_unlock;
173 } 174 }
174 175
175 if (x->props.replay_window && xfrm_replay_check(x, skb, seq)) { 176 if (x->props.replay_window && x->repl->check(x, skb, seq)) {
176 XFRM_INC_STATS(net, LINUX_MIB_XFRMINSTATESEQERROR); 177 XFRM_INC_STATS(net, LINUX_MIB_XFRMINSTATESEQERROR);
177 goto drop_unlock; 178 goto drop_unlock;
178 } 179 }
@@ -184,7 +185,10 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
184 185
185 spin_unlock(&x->lock); 186 spin_unlock(&x->lock);
186 187
187 XFRM_SKB_CB(skb)->seq.input = seq; 188 seq_hi = htonl(xfrm_replay_seqhi(x, seq));
189
190 XFRM_SKB_CB(skb)->seq.input.low = seq;
191 XFRM_SKB_CB(skb)->seq.input.hi = seq_hi;
188 192
189 nexthdr = x->type->input(x, skb); 193 nexthdr = x->type->input(x, skb);
190 194
@@ -206,8 +210,7 @@ resume:
206 /* only the first xfrm gets the encap type */ 210 /* only the first xfrm gets the encap type */
207 encap_type = 0; 211 encap_type = 0;
208 212
209 if (x->props.replay_window) 213 x->repl->advance(x, seq);
210 xfrm_replay_advance(x, seq);
211 214
212 x->curlft.bytes += skb->len; 215 x->curlft.bytes += skb->len;
213 x->curlft.packets++; 216 x->curlft.packets++;
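Review bot: In the hunk around new line 188, `seq_hi = htonl(xfrm_replay_seqhi(x, seq));` runs after `spin_unlock(&x->lock)`, while `x->repl->check(x, skb, seq)` appears to run with the lock held (it bails out via `drop_unlock`). xfrm_replay_seqhi() is not shown on this page; if it reads the state's replay window, another CPU can advance that window between the check and this computation, so the high bits stored in `XFRM_SKB_CB(skb)->seq.input.hi` may not match what the anti-replay check accepted. Consider moving the assignment above `spin_unlock(&x->lock);`, or adding a comment that says why an unlocked read is safe here. Separately, the last hunk makes `x->repl->advance(x, seq);` unconditional, so the callback must itself return early when `x->props.replay_window` is zero; once confirmed, that deserves a comment such as `/* ->advance() is a no-op when replay_window == 0 */`. xfrm_input() starts and ends outside these hunks.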
diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c
index 64f2ae1fdc1..1aba03f449c 100644
--- a/net/xfrm/xfrm_output.c
+++ b/net/xfrm/xfrm_output.c
@@ -67,17 +67,10 @@ static int xfrm_output_one(struct sk_buff *skb, int err)
67 goto error; 67 goto error;
68 } 68 }
69 69
70 if (x->type->flags & XFRM_TYPE_REPLAY_PROT) { 70 err = x->repl->overflow(x, skb);
71 XFRM_SKB_CB(skb)->seq.output = ++x->replay.oseq; 71 if (err) {
72 if (unlikely(x->replay.oseq == 0)) { 72 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTSTATESEQERROR);
73 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTSTATESEQERROR); 73 goto error;
74 x->replay.oseq--;
75 xfrm_audit_state_replay_overflow(x, skb);
76 err = -EOVERFLOW;
77 goto error;
78 }
79 if (xfrm_aevent_is_on(net))
80 xfrm_replay_notify(x, XFRM_REPLAY_UPDATE);
81 } 74 }
82 75
83 x->curlft.bytes += skb->len; 76 x->curlft.bytes += skb->len;
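Review bot: Every non-zero return from `x->repl->overflow(x, skb)` is now counted as `LINUX_MIB_XFRMOUTSTATESEQERROR`, and the `XFRM_TYPE_REPLAY_PROT` test, the `oseq` rollback and the `xfrm_audit_state_replay_overflow()` call are no longer visible at the call site. The callback lives outside this section, so its contract should be written down where it is used, for example `/* ->overflow() assigns the output sequence number; it must skip states without XFRM_TYPE_REPLAY_PROT and return non-zero only after auditing a counter wrap */`. `x->repl` is also dereferenced without a NULL check, which is fine only if every state reaching xfrm_output_one() has it set during initialisation; that is presumably done elsewhere in this commit and is worth confirming. xfrm_output_one() starts and ends outside the hunk.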
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 6459588befc..15792d8b627 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -50,37 +50,40 @@ static struct xfrm_policy_afinfo *xfrm_policy_get_afinfo(unsigned short family);
50static void xfrm_policy_put_afinfo(struct xfrm_policy_afinfo *afinfo); 50static void xfrm_policy_put_afinfo(struct xfrm_policy_afinfo *afinfo);
51static void xfrm_init_pmtu(struct dst_entry *dst); 51static void xfrm_init_pmtu(struct dst_entry *dst);
52static int stale_bundle(struct dst_entry *dst); 52static int stale_bundle(struct dst_entry *dst);
53static int xfrm_bundle_ok(struct xfrm_policy *pol, struct xfrm_dst *xdst, 53static int xfrm_bundle_ok(struct xfrm_dst *xdst, int family);
54 struct flowi *fl, int family, int strict);
55 54
56 55
57static struct xfrm_policy *__xfrm_policy_unlink(struct xfrm_policy *pol, 56static struct xfrm_policy *__xfrm_policy_unlink(struct xfrm_policy *pol,
58 int dir); 57 int dir);
59 58
60static inline int 59static inline int
61__xfrm4_selector_match(struct xfrm_selector *sel, struct flowi *fl) 60__xfrm4_selector_match(const struct xfrm_selector *sel, const struct flowi *fl)
62{ 61{
63 return addr_match(&fl->fl4_dst, &sel->daddr, sel->prefixlen_d) && 62 const struct flowi4 *fl4 = &fl->u.ip4;
64 addr_match(&fl->fl4_src, &sel->saddr, sel->prefixlen_s) && 63
65 !((xfrm_flowi_dport(fl) ^ sel->dport) & sel->dport_mask) && 64 return addr_match(&fl4->daddr, &sel->daddr, sel->prefixlen_d) &&
66 !((xfrm_flowi_sport(fl) ^ sel->sport) & sel->sport_mask) && 65 addr_match(&fl4->saddr, &sel->saddr, sel->prefixlen_s) &&
67 (fl->proto == sel->proto || !sel->proto) && 66 !((xfrm_flowi_dport(fl, &fl4->uli) ^ sel->dport) & sel->dport_mask) &&
68 (fl->oif == sel->ifindex || !sel->ifindex); 67 !((xfrm_flowi_sport(fl, &fl4->uli) ^ sel->sport) & sel->sport_mask) &&
68 (fl4->flowi4_proto == sel->proto || !sel->proto) &&
69 (fl4->flowi4_oif == sel->ifindex || !sel->ifindex);
69} 70}
70 71
71static inline int 72static inline int
72__xfrm6_selector_match(struct xfrm_selector *sel, struct flowi *fl) 73__xfrm6_selector_match(const struct xfrm_selector *sel, const struct flowi *fl)
73{ 74{
74 return addr_match(&fl->fl6_dst, &sel->daddr, sel->prefixlen_d) && 75 const struct flowi6 *fl6 = &fl->u.ip6;
75 addr_match(&fl->fl6_src, &sel->saddr, sel->prefixlen_s) && 76
76 !((xfrm_flowi_dport(fl) ^ sel->dport) & sel->dport_mask) && 77 return addr_match(&fl6->daddr, &sel->daddr, sel->prefixlen_d) &&
77 !((xfrm_flowi_sport(fl) ^ sel->sport) & sel->sport_mask) && 78 addr_match(&fl6->saddr, &sel->saddr, sel->prefixlen_s) &&
78 (fl->proto == sel->proto || !sel->proto) && 79 !((xfrm_flowi_dport(fl, &fl6->uli) ^ sel->dport) & sel->dport_mask) &&
79 (fl->oif == sel->ifindex || !sel->ifindex); 80 !((xfrm_flowi_sport(fl, &fl6->uli) ^ sel->sport) & sel->sport_mask) &&
81 (fl6->flowi6_proto == sel->proto || !sel->proto) &&
82 (fl6->flowi6_oif == sel->ifindex || !sel->ifindex);
80} 83}
81 84
82int xfrm_selector_match(struct xfrm_selector *sel, struct flowi *fl, 85int xfrm_selector_match(const struct xfrm_selector *sel, const struct flowi *fl,
83 unsigned short family) 86 unsigned short family)
84{ 87{
85 switch (family) { 88 switch (family) {
86 case AF_INET: 89 case AF_INET:
@@ -92,8 +95,8 @@ int xfrm_selector_match(struct xfrm_selector *sel, struct flowi *fl,
92} 95}
93 96
94static inline struct dst_entry *__xfrm_dst_lookup(struct net *net, int tos, 97static inline struct dst_entry *__xfrm_dst_lookup(struct net *net, int tos,
95 xfrm_address_t *saddr, 98 const xfrm_address_t *saddr,
96 xfrm_address_t *daddr, 99 const xfrm_address_t *daddr,
97 int family) 100 int family)
98{ 101{
99 struct xfrm_policy_afinfo *afinfo; 102 struct xfrm_policy_afinfo *afinfo;
@@ -311,7 +314,9 @@ static inline unsigned int idx_hash(struct net *net, u32 index)
311 return __idx_hash(index, net->xfrm.policy_idx_hmask); 314 return __idx_hash(index, net->xfrm.policy_idx_hmask);
312} 315}
313 316
314static struct hlist_head *policy_hash_bysel(struct net *net, struct xfrm_selector *sel, unsigned short family, int dir) 317static struct hlist_head *policy_hash_bysel(struct net *net,
318 const struct xfrm_selector *sel,
319 unsigned short family, int dir)
315{ 320{
316 unsigned int hmask = net->xfrm.policy_bydst[dir].hmask; 321 unsigned int hmask = net->xfrm.policy_bydst[dir].hmask;
317 unsigned int hash = __sel_hash(sel, family, hmask); 322 unsigned int hash = __sel_hash(sel, family, hmask);
@@ -321,7 +326,10 @@ static struct hlist_head *policy_hash_bysel(struct net *net, struct xfrm_selecto
321 net->xfrm.policy_bydst[dir].table + hash); 326 net->xfrm.policy_bydst[dir].table + hash);
322} 327}
323 328
324static struct hlist_head *policy_hash_direct(struct net *net, xfrm_address_t *daddr, xfrm_address_t *saddr, unsigned short family, int dir) 329static struct hlist_head *policy_hash_direct(struct net *net,
330 const xfrm_address_t *daddr,
331 const xfrm_address_t *saddr,
332 unsigned short family, int dir)
325{ 333{
326 unsigned int hmask = net->xfrm.policy_bydst[dir].hmask; 334 unsigned int hmask = net->xfrm.policy_bydst[dir].hmask;
327 unsigned int hash = __addr_hash(daddr, saddr, family, hmask); 335 unsigned int hash = __addr_hash(daddr, saddr, family, hmask);
@@ -864,32 +872,33 @@ EXPORT_SYMBOL(xfrm_policy_walk_done);
864 * 872 *
865 * Returns 0 if policy found, else an -errno. 873 * Returns 0 if policy found, else an -errno.
866 */ 874 */
867static int xfrm_policy_match(struct xfrm_policy *pol, struct flowi *fl, 875static int xfrm_policy_match(const struct xfrm_policy *pol,
876 const struct flowi *fl,
868 u8 type, u16 family, int dir) 877 u8 type, u16 family, int dir)
869{ 878{
870 struct xfrm_selector *sel = &pol->selector; 879 const struct xfrm_selector *sel = &pol->selector;
871 int match, ret = -ESRCH; 880 int match, ret = -ESRCH;
872 881
873 if (pol->family != family || 882 if (pol->family != family ||
874 (fl->mark & pol->mark.m) != pol->mark.v || 883 (fl->flowi_mark & pol->mark.m) != pol->mark.v ||
875 pol->type != type) 884 pol->type != type)
876 return ret; 885 return ret;
877 886
878 match = xfrm_selector_match(sel, fl, family); 887 match = xfrm_selector_match(sel, fl, family);
879 if (match) 888 if (match)
880 ret = security_xfrm_policy_lookup(pol->security, fl->secid, 889 ret = security_xfrm_policy_lookup(pol->security, fl->flowi_secid,
881 dir); 890 dir);
882 891
883 return ret; 892 return ret;
884} 893}
885 894
886static struct xfrm_policy *xfrm_policy_lookup_bytype(struct net *net, u8 type, 895static struct xfrm_policy *xfrm_policy_lookup_bytype(struct net *net, u8 type,
887 struct flowi *fl, 896 const struct flowi *fl,
888 u16 family, u8 dir) 897 u16 family, u8 dir)
889{ 898{
890 int err; 899 int err;
891 struct xfrm_policy *pol, *ret; 900 struct xfrm_policy *pol, *ret;
892 xfrm_address_t *daddr, *saddr; 901 const xfrm_address_t *daddr, *saddr;
893 struct hlist_node *entry; 902 struct hlist_node *entry;
894 struct hlist_head *chain; 903 struct hlist_head *chain;
895 u32 priority = ~0U; 904 u32 priority = ~0U;
@@ -941,7 +950,7 @@ fail:
941} 950}
942 951
943static struct xfrm_policy * 952static struct xfrm_policy *
944__xfrm_policy_lookup(struct net *net, struct flowi *fl, u16 family, u8 dir) 953__xfrm_policy_lookup(struct net *net, const struct flowi *fl, u16 family, u8 dir)
945{ 954{
946#ifdef CONFIG_XFRM_SUB_POLICY 955#ifdef CONFIG_XFRM_SUB_POLICY
947 struct xfrm_policy *pol; 956 struct xfrm_policy *pol;
@@ -954,7 +963,7 @@ __xfrm_policy_lookup(struct net *net, struct flowi *fl, u16 family, u8 dir)
954} 963}
955 964
956static struct flow_cache_object * 965static struct flow_cache_object *
957xfrm_policy_lookup(struct net *net, struct flowi *fl, u16 family, 966xfrm_policy_lookup(struct net *net, const struct flowi *fl, u16 family,
958 u8 dir, struct flow_cache_object *old_obj, void *ctx) 967 u8 dir, struct flow_cache_object *old_obj, void *ctx)
959{ 968{
960 struct xfrm_policy *pol; 969 struct xfrm_policy *pol;
@@ -990,7 +999,8 @@ static inline int policy_to_flow_dir(int dir)
990 } 999 }
991} 1000}
992 1001
993static struct xfrm_policy *xfrm_sk_policy_lookup(struct sock *sk, int dir, struct flowi *fl) 1002static struct xfrm_policy *xfrm_sk_policy_lookup(struct sock *sk, int dir,
1003 const struct flowi *fl)
994{ 1004{
995 struct xfrm_policy *pol; 1005 struct xfrm_policy *pol;
996 1006
@@ -1006,7 +1016,7 @@ static struct xfrm_policy *xfrm_sk_policy_lookup(struct sock *sk, int dir, struc
1006 goto out; 1016 goto out;
1007 } 1017 }
1008 err = security_xfrm_policy_lookup(pol->security, 1018 err = security_xfrm_policy_lookup(pol->security,
1009 fl->secid, 1019 fl->flowi_secid,
1010 policy_to_flow_dir(dir)); 1020 policy_to_flow_dir(dir));
1011 if (!err) 1021 if (!err)
1012 xfrm_pol_hold(pol); 1022 xfrm_pol_hold(pol);
@@ -1098,7 +1108,7 @@ int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol)
1098 return 0; 1108 return 0;
1099} 1109}
1100 1110
1101static struct xfrm_policy *clone_policy(struct xfrm_policy *old, int dir) 1111static struct xfrm_policy *clone_policy(const struct xfrm_policy *old, int dir)
1102{ 1112{
1103 struct xfrm_policy *newp = xfrm_policy_alloc(xp_net(old), GFP_ATOMIC); 1113 struct xfrm_policy *newp = xfrm_policy_alloc(xp_net(old), GFP_ATOMIC);
1104 1114
@@ -1157,9 +1167,8 @@ xfrm_get_saddr(struct net *net, xfrm_address_t *local, xfrm_address_t *remote,
1157/* Resolve list of templates for the flow, given policy. */ 1167/* Resolve list of templates for the flow, given policy. */
1158 1168
1159static int 1169static int
1160xfrm_tmpl_resolve_one(struct xfrm_policy *policy, struct flowi *fl, 1170xfrm_tmpl_resolve_one(struct xfrm_policy *policy, const struct flowi *fl,
1161 struct xfrm_state **xfrm, 1171 struct xfrm_state **xfrm, unsigned short family)
1162 unsigned short family)
1163{ 1172{
1164 struct net *net = xp_net(policy); 1173 struct net *net = xp_net(policy);
1165 int nx; 1174 int nx;
@@ -1214,9 +1223,8 @@ fail:
1214} 1223}
1215 1224
1216static int 1225static int
1217xfrm_tmpl_resolve(struct xfrm_policy **pols, int npols, struct flowi *fl, 1226xfrm_tmpl_resolve(struct xfrm_policy **pols, int npols, const struct flowi *fl,
1218 struct xfrm_state **xfrm, 1227 struct xfrm_state **xfrm, unsigned short family)
1219 unsigned short family)
1220{ 1228{
1221 struct xfrm_state *tp[XFRM_MAX_DEPTH]; 1229 struct xfrm_state *tp[XFRM_MAX_DEPTH];
1222 struct xfrm_state **tpp = (npols > 1) ? tp : xfrm; 1230 struct xfrm_state **tpp = (npols > 1) ? tp : xfrm;
@@ -1256,7 +1264,7 @@ xfrm_tmpl_resolve(struct xfrm_policy **pols, int npols, struct flowi *fl,
1256 * still valid. 1264 * still valid.
1257 */ 1265 */
1258 1266
1259static inline int xfrm_get_tos(struct flowi *fl, int family) 1267static inline int xfrm_get_tos(const struct flowi *fl, int family)
1260{ 1268{
1261 struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family); 1269 struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
1262 int tos; 1270 int tos;
@@ -1340,7 +1348,7 @@ static inline struct xfrm_dst *xfrm_alloc_dst(struct net *net, int family)
1340 default: 1348 default:
1341 BUG(); 1349 BUG();
1342 } 1350 }
1343 xdst = dst_alloc(dst_ops); 1351 xdst = dst_alloc(dst_ops, 0);
1344 xfrm_policy_put_afinfo(afinfo); 1352 xfrm_policy_put_afinfo(afinfo);
1345 1353
1346 if (likely(xdst)) 1354 if (likely(xdst))
@@ -1369,7 +1377,7 @@ static inline int xfrm_init_path(struct xfrm_dst *path, struct dst_entry *dst,
1369} 1377}
1370 1378
1371static inline int xfrm_fill_dst(struct xfrm_dst *xdst, struct net_device *dev, 1379static inline int xfrm_fill_dst(struct xfrm_dst *xdst, struct net_device *dev,
1372 struct flowi *fl) 1380 const struct flowi *fl)
1373{ 1381{
1374 struct xfrm_policy_afinfo *afinfo = 1382 struct xfrm_policy_afinfo *afinfo =
1375 xfrm_policy_get_afinfo(xdst->u.dst.ops->family); 1383 xfrm_policy_get_afinfo(xdst->u.dst.ops->family);
@@ -1392,7 +1400,7 @@ static inline int xfrm_fill_dst(struct xfrm_dst *xdst, struct net_device *dev,
1392 1400
1393static struct dst_entry *xfrm_bundle_create(struct xfrm_policy *policy, 1401static struct dst_entry *xfrm_bundle_create(struct xfrm_policy *policy,
1394 struct xfrm_state **xfrm, int nx, 1402 struct xfrm_state **xfrm, int nx,
1395 struct flowi *fl, 1403 const struct flowi *fl,
1396 struct dst_entry *dst) 1404 struct dst_entry *dst)
1397{ 1405{
1398 struct net *net = xp_net(policy); 1406 struct net *net = xp_net(policy);
@@ -1508,7 +1516,7 @@ free_dst:
1508} 1516}
1509 1517
1510static int inline 1518static int inline
1511xfrm_dst_alloc_copy(void **target, void *src, int size) 1519xfrm_dst_alloc_copy(void **target, const void *src, int size)
1512{ 1520{
1513 if (!*target) { 1521 if (!*target) {
1514 *target = kmalloc(size, GFP_ATOMIC); 1522 *target = kmalloc(size, GFP_ATOMIC);
@@ -1520,7 +1528,7 @@ xfrm_dst_alloc_copy(void **target, void *src, int size)
1520} 1528}
1521 1529
1522static int inline 1530static int inline
1523xfrm_dst_update_parent(struct dst_entry *dst, struct xfrm_selector *sel) 1531xfrm_dst_update_parent(struct dst_entry *dst, const struct xfrm_selector *sel)
1524{ 1532{
1525#ifdef CONFIG_XFRM_SUB_POLICY 1533#ifdef CONFIG_XFRM_SUB_POLICY
1526 struct xfrm_dst *xdst = (struct xfrm_dst *)dst; 1534 struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
@@ -1532,7 +1540,7 @@ xfrm_dst_update_parent(struct dst_entry *dst, struct xfrm_selector *sel)
1532} 1540}
1533 1541
1534static int inline 1542static int inline
1535xfrm_dst_update_origin(struct dst_entry *dst, struct flowi *fl) 1543xfrm_dst_update_origin(struct dst_entry *dst, const struct flowi *fl)
1536{ 1544{
1537#ifdef CONFIG_XFRM_SUB_POLICY 1545#ifdef CONFIG_XFRM_SUB_POLICY
1538 struct xfrm_dst *xdst = (struct xfrm_dst *)dst; 1546 struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
@@ -1542,7 +1550,7 @@ xfrm_dst_update_origin(struct dst_entry *dst, struct flowi *fl)
1542#endif 1550#endif
1543} 1551}
1544 1552
1545static int xfrm_expand_policies(struct flowi *fl, u16 family, 1553static int xfrm_expand_policies(const struct flowi *fl, u16 family,
1546 struct xfrm_policy **pols, 1554 struct xfrm_policy **pols,
1547 int *num_pols, int *num_xfrms) 1555 int *num_pols, int *num_xfrms)
1548{ 1556{
@@ -1588,7 +1596,7 @@ static int xfrm_expand_policies(struct flowi *fl, u16 family,
1588 1596
1589static struct xfrm_dst * 1597static struct xfrm_dst *
1590xfrm_resolve_and_create_bundle(struct xfrm_policy **pols, int num_pols, 1598xfrm_resolve_and_create_bundle(struct xfrm_policy **pols, int num_pols,
1591 struct flowi *fl, u16 family, 1599 const struct flowi *fl, u16 family,
1592 struct dst_entry *dst_orig) 1600 struct dst_entry *dst_orig)
1593{ 1601{
1594 struct net *net = xp_net(pols[0]); 1602 struct net *net = xp_net(pols[0]);
@@ -1631,7 +1639,7 @@ xfrm_resolve_and_create_bundle(struct xfrm_policy **pols, int num_pols,
1631} 1639}
1632 1640
1633static struct flow_cache_object * 1641static struct flow_cache_object *
1634xfrm_bundle_lookup(struct net *net, struct flowi *fl, u16 family, u8 dir, 1642xfrm_bundle_lookup(struct net *net, const struct flowi *fl, u16 family, u8 dir,
1635 struct flow_cache_object *oldflo, void *ctx) 1643 struct flow_cache_object *oldflo, void *ctx)
1636{ 1644{
1637 struct dst_entry *dst_orig = (struct dst_entry *)ctx; 1645 struct dst_entry *dst_orig = (struct dst_entry *)ctx;
@@ -1730,18 +1738,36 @@ error:
1730 return ERR_PTR(err); 1738 return ERR_PTR(err);
1731} 1739}
1732 1740
1741static struct dst_entry *make_blackhole(struct net *net, u16 family,
1742 struct dst_entry *dst_orig)
1743{
1744 struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
1745 struct dst_entry *ret;
1746
1747 if (!afinfo) {
1748 dst_release(dst_orig);
1749 ret = ERR_PTR(-EINVAL);
1750 } else {
1751 ret = afinfo->blackhole_route(net, dst_orig);
1752 }
1753 xfrm_policy_put_afinfo(afinfo);
1754
1755 return ret;
1756}
1757
1733/* Main function: finds/creates a bundle for given flow. 1758/* Main function: finds/creates a bundle for given flow.
1734 * 1759 *
1735 * At the moment we eat a raw IP route. Mostly to speed up lookups 1760 * At the moment we eat a raw IP route. Mostly to speed up lookups
1736 * on interfaces with disabled IPsec. 1761 * on interfaces with disabled IPsec.
1737 */ 1762 */
1738int __xfrm_lookup(struct net *net, struct dst_entry **dst_p, struct flowi *fl, 1763struct dst_entry *xfrm_lookup(struct net *net, struct dst_entry *dst_orig,
1739 struct sock *sk, int flags) 1764 const struct flowi *fl,
1765 struct sock *sk, int flags)
1740{ 1766{
1741 struct xfrm_policy *pols[XFRM_POLICY_TYPE_MAX]; 1767 struct xfrm_policy *pols[XFRM_POLICY_TYPE_MAX];
1742 struct flow_cache_object *flo; 1768 struct flow_cache_object *flo;
1743 struct xfrm_dst *xdst; 1769 struct xfrm_dst *xdst;
1744 struct dst_entry *dst, *dst_orig = *dst_p, *route; 1770 struct dst_entry *dst, *route;
1745 u16 family = dst_orig->ops->family; 1771 u16 family = dst_orig->ops->family;
1746 u8 dir = policy_to_flow_dir(XFRM_POLICY_OUT); 1772 u8 dir = policy_to_flow_dir(XFRM_POLICY_OUT);
1747 int i, err, num_pols, num_xfrms = 0, drop_pols = 0; 1773 int i, err, num_pols, num_xfrms = 0, drop_pols = 0;
@@ -1778,6 +1804,8 @@ restart:
1778 goto no_transform; 1804 goto no_transform;
1779 } 1805 }
1780 1806
1807 dst_hold(&xdst->u.dst);
1808
1781 spin_lock_bh(&xfrm_policy_sk_bundle_lock); 1809 spin_lock_bh(&xfrm_policy_sk_bundle_lock);
1782 xdst->u.dst.next = xfrm_policy_sk_bundles; 1810 xdst->u.dst.next = xfrm_policy_sk_bundles;
1783 xfrm_policy_sk_bundles = &xdst->u.dst; 1811 xfrm_policy_sk_bundles = &xdst->u.dst;
@@ -1823,9 +1851,10 @@ restart:
1823 dst_release(dst); 1851 dst_release(dst);
1824 xfrm_pols_put(pols, drop_pols); 1852 xfrm_pols_put(pols, drop_pols);
1825 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTNOSTATES); 1853 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTNOSTATES);
1826 return -EREMOTE; 1854
1855 return make_blackhole(net, family, dst_orig);
1827 } 1856 }
1828 if (flags & XFRM_LOOKUP_WAIT) { 1857 if (fl->flowi_flags & FLOWI_FLAG_CAN_SLEEP) {
1829 DECLARE_WAITQUEUE(wait, current); 1858 DECLARE_WAITQUEUE(wait, current);
1830 1859
1831 add_wait_queue(&net->xfrm.km_waitq, &wait); 1860 add_wait_queue(&net->xfrm.km_waitq, &wait);
@@ -1867,47 +1896,33 @@ no_transform:
1867 goto error; 1896 goto error;
1868 } else if (num_xfrms > 0) { 1897 } else if (num_xfrms > 0) {
1869 /* Flow transformed */ 1898 /* Flow transformed */
1870 *dst_p = dst;
1871 dst_release(dst_orig); 1899 dst_release(dst_orig);
1872 } else { 1900 } else {
1873 /* Flow passes untransformed */ 1901 /* Flow passes untransformed */
1874 dst_release(dst); 1902 dst_release(dst);
1903 dst = dst_orig;
1875 } 1904 }
1876ok: 1905ok:
1877 xfrm_pols_put(pols, drop_pols); 1906 xfrm_pols_put(pols, drop_pols);
1878 return 0; 1907 return dst;
1879 1908
1880nopol: 1909nopol:
1881 if (!(flags & XFRM_LOOKUP_ICMP)) 1910 if (!(flags & XFRM_LOOKUP_ICMP)) {
1911 dst = dst_orig;
1882 goto ok; 1912 goto ok;
1913 }
1883 err = -ENOENT; 1914 err = -ENOENT;
1884error: 1915error:
1885 dst_release(dst); 1916 dst_release(dst);
1886dropdst: 1917dropdst:
1887 dst_release(dst_orig); 1918 dst_release(dst_orig);
1888 *dst_p = NULL;
1889 xfrm_pols_put(pols, drop_pols); 1919 xfrm_pols_put(pols, drop_pols);
1890 return err; 1920 return ERR_PTR(err);
1891}
1892EXPORT_SYMBOL(__xfrm_lookup);
1893
1894int xfrm_lookup(struct net *net, struct dst_entry **dst_p, struct flowi *fl,
1895 struct sock *sk, int flags)
1896{
1897 int err = __xfrm_lookup(net, dst_p, fl, sk, flags);
1898
1899 if (err == -EREMOTE) {
1900 dst_release(*dst_p);
1901 *dst_p = NULL;
1902 err = -EAGAIN;
1903 }
1904
1905 return err;
1906} 1921}
1907EXPORT_SYMBOL(xfrm_lookup); 1922EXPORT_SYMBOL(xfrm_lookup);
1908 1923
1909static inline int 1924static inline int
1910xfrm_secpath_reject(int idx, struct sk_buff *skb, struct flowi *fl) 1925xfrm_secpath_reject(int idx, struct sk_buff *skb, const struct flowi *fl)
1911{ 1926{
1912 struct xfrm_state *x; 1927 struct xfrm_state *x;
1913 1928
@@ -1926,7 +1941,7 @@ xfrm_secpath_reject(int idx, struct sk_buff *skb, struct flowi *fl)
1926 */ 1941 */
1927 1942
1928static inline int 1943static inline int
1929xfrm_state_ok(struct xfrm_tmpl *tmpl, struct xfrm_state *x, 1944xfrm_state_ok(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x,
1930 unsigned short family) 1945 unsigned short family)
1931{ 1946{
1932 if (xfrm_state_kern(x)) 1947 if (xfrm_state_kern(x))
@@ -1949,7 +1964,7 @@ xfrm_state_ok(struct xfrm_tmpl *tmpl, struct xfrm_state *x,
1949 * Otherwise "-2 - errored_index" is returned. 1964 * Otherwise "-2 - errored_index" is returned.
1950 */ 1965 */
1951static inline int 1966static inline int
1952xfrm_policy_ok(struct xfrm_tmpl *tmpl, struct sec_path *sp, int start, 1967xfrm_policy_ok(const struct xfrm_tmpl *tmpl, const struct sec_path *sp, int start,
1953 unsigned short family) 1968 unsigned short family)
1954{ 1969{
1955 int idx = start; 1970 int idx = start;
@@ -1981,13 +1996,13 @@ int __xfrm_decode_session(struct sk_buff *skb, struct flowi *fl,
1981 return -EAFNOSUPPORT; 1996 return -EAFNOSUPPORT;
1982 1997
1983 afinfo->decode_session(skb, fl, reverse); 1998 afinfo->decode_session(skb, fl, reverse);
1984 err = security_xfrm_decode_session(skb, &fl->secid); 1999 err = security_xfrm_decode_session(skb, &fl->flowi_secid);
1985 xfrm_policy_put_afinfo(afinfo); 2000 xfrm_policy_put_afinfo(afinfo);
1986 return err; 2001 return err;
1987} 2002}
1988EXPORT_SYMBOL(__xfrm_decode_session); 2003EXPORT_SYMBOL(__xfrm_decode_session);
1989 2004
1990static inline int secpath_has_nontransport(struct sec_path *sp, int k, int *idxp) 2005static inline int secpath_has_nontransport(const struct sec_path *sp, int k, int *idxp)
1991{ 2006{
1992 for (; k < sp->len; k++) { 2007 for (; k < sp->len; k++) {
1993 if (sp->xvec[k]->props.mode != XFRM_MODE_TRANSPORT) { 2008 if (sp->xvec[k]->props.mode != XFRM_MODE_TRANSPORT) {
@@ -2162,7 +2177,7 @@ int __xfrm_route_forward(struct sk_buff *skb, unsigned short family)
2162 struct net *net = dev_net(skb->dev); 2177 struct net *net = dev_net(skb->dev);
2163 struct flowi fl; 2178 struct flowi fl;
2164 struct dst_entry *dst; 2179 struct dst_entry *dst;
2165 int res; 2180 int res = 1;
2166 2181
2167 if (xfrm_decode_session(skb, &fl, family) < 0) { 2182 if (xfrm_decode_session(skb, &fl, family) < 0) {
2168 XFRM_INC_STATS(net, LINUX_MIB_XFRMFWDHDRERROR); 2183 XFRM_INC_STATS(net, LINUX_MIB_XFRMFWDHDRERROR);
@@ -2170,9 +2185,12 @@ int __xfrm_route_forward(struct sk_buff *skb, unsigned short family)
2170 } 2185 }
2171 2186
2172 skb_dst_force(skb); 2187 skb_dst_force(skb);
2173 dst = skb_dst(skb);
2174 2188
2175 res = xfrm_lookup(net, &dst, &fl, NULL, 0) == 0; 2189 dst = xfrm_lookup(net, skb_dst(skb), &fl, NULL, 0);
2190 if (IS_ERR(dst)) {
2191 res = 0;
2192 dst = NULL;
2193 }
2176 skb_dst_set(skb, dst); 2194 skb_dst_set(skb, dst);
2177 return res; 2195 return res;
2178} 2196}
@@ -2210,7 +2228,7 @@ static struct dst_entry *xfrm_dst_check(struct dst_entry *dst, u32 cookie)
2210 2228
2211static int stale_bundle(struct dst_entry *dst) 2229static int stale_bundle(struct dst_entry *dst)
2212{ 2230{
2213 return !xfrm_bundle_ok(NULL, (struct xfrm_dst *)dst, NULL, AF_UNSPEC, 0); 2231 return !xfrm_bundle_ok((struct xfrm_dst *)dst, AF_UNSPEC);
2214} 2232}
2215 2233
2216void xfrm_dst_ifdown(struct dst_entry *dst, struct net_device *dev) 2234void xfrm_dst_ifdown(struct dst_entry *dst, struct net_device *dev)
@@ -2282,8 +2300,7 @@ static void xfrm_init_pmtu(struct dst_entry *dst)
2282 * still valid. 2300 * still valid.
2283 */ 2301 */
2284 2302
2285static int xfrm_bundle_ok(struct xfrm_policy *pol, struct xfrm_dst *first, 2303static int xfrm_bundle_ok(struct xfrm_dst *first, int family)
2286 struct flowi *fl, int family, int strict)
2287{ 2304{
2288 struct dst_entry *dst = &first->u.dst; 2305 struct dst_entry *dst = &first->u.dst;
2289 struct xfrm_dst *last; 2306 struct xfrm_dst *last;
@@ -2292,26 +2309,12 @@ static int xfrm_bundle_ok(struct xfrm_policy *pol, struct xfrm_dst *first,
2292 if (!dst_check(dst->path, ((struct xfrm_dst *)dst)->path_cookie) || 2309 if (!dst_check(dst->path, ((struct xfrm_dst *)dst)->path_cookie) ||
2293 (dst->dev && !netif_running(dst->dev))) 2310 (dst->dev && !netif_running(dst->dev)))
2294 return 0; 2311 return 0;
2295#ifdef CONFIG_XFRM_SUB_POLICY
2296 if (fl) {
2297 if (first->origin && !flow_cache_uli_match(first->origin, fl))
2298 return 0;
2299 if (first->partner &&
2300 !xfrm_selector_match(first->partner, fl, family))
2301 return 0;
2302 }
2303#endif
2304 2312
2305 last = NULL; 2313 last = NULL;
2306 2314
2307 do { 2315 do {
2308 struct xfrm_dst *xdst = (struct xfrm_dst *)dst; 2316 struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
2309 2317
2310 if (fl && !xfrm_selector_match(&dst->xfrm->sel, fl, family))
2311 return 0;
2312 if (fl && pol &&
2313 !security_xfrm_state_pol_flow_match(dst->xfrm, pol, fl))
2314 return 0;
2315 if (dst->xfrm->km.state != XFRM_STATE_VALID) 2318 if (dst->xfrm->km.state != XFRM_STATE_VALID)
2316 return 0; 2319 return 0;
2317 if (xdst->xfrm_genid != dst->xfrm->genid) 2320 if (xdst->xfrm_genid != dst->xfrm->genid)
@@ -2320,11 +2323,6 @@ static int xfrm_bundle_ok(struct xfrm_policy *pol, struct xfrm_dst *first,
2320 xdst->policy_genid != atomic_read(&xdst->pols[0]->genid)) 2323 xdst->policy_genid != atomic_read(&xdst->pols[0]->genid))
2321 return 0; 2324 return 0;
2322 2325
2323 if (strict && fl &&
2324 !(dst->xfrm->outer_mode->flags & XFRM_MODE_FLAG_TUNNEL) &&
2325 !xfrm_state_addr_flow_check(dst->xfrm, fl, family))
2326 return 0;
2327
2328 mtu = dst_mtu(dst->child); 2326 mtu = dst_mtu(dst->child);
2329 if (xdst->child_mtu_cached != mtu) { 2327 if (xdst->child_mtu_cached != mtu) {
2330 last = xdst; 2328 last = xdst;
@@ -2735,8 +2733,8 @@ EXPORT_SYMBOL_GPL(xfrm_audit_policy_delete);
2735#endif 2733#endif
2736 2734
2737#ifdef CONFIG_XFRM_MIGRATE 2735#ifdef CONFIG_XFRM_MIGRATE
2738static int xfrm_migrate_selector_match(struct xfrm_selector *sel_cmp, 2736static int xfrm_migrate_selector_match(const struct xfrm_selector *sel_cmp,
2739 struct xfrm_selector *sel_tgt) 2737 const struct xfrm_selector *sel_tgt)
2740{ 2738{
2741 if (sel_cmp->proto == IPSEC_ULPROTO_ANY) { 2739 if (sel_cmp->proto == IPSEC_ULPROTO_ANY) {
2742 if (sel_tgt->family == sel_cmp->family && 2740 if (sel_tgt->family == sel_cmp->family &&
@@ -2756,7 +2754,7 @@ static int xfrm_migrate_selector_match(struct xfrm_selector *sel_cmp,
2756 return 0; 2754 return 0;
2757} 2755}
2758 2756
2759static struct xfrm_policy * xfrm_migrate_policy_find(struct xfrm_selector *sel, 2757static struct xfrm_policy * xfrm_migrate_policy_find(const struct xfrm_selector *sel,
2760 u8 dir, u8 type) 2758 u8 dir, u8 type)
2761{ 2759{
2762 struct xfrm_policy *pol, *ret = NULL; 2760 struct xfrm_policy *pol, *ret = NULL;
@@ -2792,7 +2790,7 @@ static struct xfrm_policy * xfrm_migrate_policy_find(struct xfrm_selector *sel,
2792 return ret; 2790 return ret;
2793} 2791}
2794 2792
2795static int migrate_tmpl_match(struct xfrm_migrate *m, struct xfrm_tmpl *t) 2793static int migrate_tmpl_match(const struct xfrm_migrate *m, const struct xfrm_tmpl *t)
2796{ 2794{
2797 int match = 0; 2795 int match = 0;
2798 2796
@@ -2862,7 +2860,7 @@ static int xfrm_policy_migrate(struct xfrm_policy *pol,
2862 return 0; 2860 return 0;
2863} 2861}
2864 2862
2865static int xfrm_migrate_check(struct xfrm_migrate *m, int num_migrate) 2863static int xfrm_migrate_check(const struct xfrm_migrate *m, int num_migrate)
2866{ 2864{
2867 int i, j; 2865 int i, j;
2868 2866
@@ -2896,7 +2894,7 @@ static int xfrm_migrate_check(struct xfrm_migrate *m, int num_migrate)
2896 return 0; 2894 return 0;
2897} 2895}
2898 2896
2899int xfrm_migrate(struct xfrm_selector *sel, u8 dir, u8 type, 2897int xfrm_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
2900 struct xfrm_migrate *m, int num_migrate, 2898 struct xfrm_migrate *m, int num_migrate,
2901 struct xfrm_kmaddress *k) 2899 struct xfrm_kmaddress *k)
2902{ 2900{
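diff --git a/net/xfrm/xfrm_replay.c b/net/xfrm/xfrm_replay.c
new file mode 100644
index 00000000000..2f5be5b1574
--- /dev/null
+++ b/net/xfrm/xfrm_replay.c
@@ -0,0 +1,534 @@
+/*
+ * xfrm_replay.c - xfrm replay detection, derived from xfrm_state.c.
+ *
+ * Copyright (C) 2010 secunet Security Networks AG
+ * Copyright (C) 2010 Steffen Klassert <steffen.klassert@secunet.com>
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms and conditions of the GNU General Public License,
+ * version 2, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin St - Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include <net/xfrm.h>
+
+u32 xfrm_replay_seqhi(struct xfrm_state *x, __be32 net_seq)
+{
+ u32 seq, seq_hi, bottom;
+ struct xfrm_replay_state_esn *replay_esn = x->replay_esn;
+
+ if (!(x->props.flags & XFRM_STATE_ESN))
+ return 0;
+
+ seq = ntohl(net_seq);
+ seq_hi = replay_esn->seq_hi;
+ bottom = replay_esn->seq - replay_esn->replay_window + 1;
+
+ if (likely(replay_esn->seq >= replay_esn->replay_window - 1)) {
+ /* A. same subspace */
+ if (unlikely(seq < bottom))
+ seq_hi++;
+ } else {
+ /* B. window spans two subspaces */
+ if (unlikely(seq >= bottom))
+ seq_hi--;
+ }
+
+ return seq_hi;
+}
+
+static void xfrm_replay_notify(struct xfrm_state *x, int event)
+{
+ struct km_event c;
+ /* we send notify messages in case
+ * 1. we updated on of the sequence numbers, and the seqno difference
+ * is at least x->replay_maxdiff, in this case we also update the
+ * timeout of our timer function
+ * 2. if x->replay_maxage has elapsed since last update,
+ * and there were changes
+ *
+ * The state structure must be locked!
+ */
+
+ switch (event) {
+ case XFRM_REPLAY_UPDATE:
+ if (x->replay_maxdiff &&
+ (x->replay.seq - x->preplay.seq < x->replay_maxdiff) &&
+ (x->replay.oseq - x->preplay.oseq < x->replay_maxdiff)) {
+ if (x->xflags & XFRM_TIME_DEFER)
+ event = XFRM_REPLAY_TIMEOUT;
+ else
+ return;
+ }
+
+ break;
+
+ case XFRM_REPLAY_TIMEOUT:
+ if (memcmp(&x->replay, &x->preplay,
+ sizeof(struct xfrm_replay_state)) == 0) {
+ x->xflags |= XFRM_TIME_DEFER;
+ return;
+ }
+
+ break;
+ }
+
+ memcpy(&x->preplay, &x->replay, sizeof(struct xfrm_replay_state));
+ c.event = XFRM_MSG_NEWAE;
+ c.data.aevent = event;
+ km_state_notify(x, &c);
+
+ if (x->replay_maxage &&
+ !mod_timer(&x->rtimer, jiffies + x->replay_maxage))
+ x->xflags &= ~XFRM_TIME_DEFER;
+}
+
+static int xfrm_replay_overflow(struct xfrm_state *x, struct sk_buff *skb)
+{
+ int err = 0;
+ struct net *net = xs_net(x);
+
+ if (x->type->flags & XFRM_TYPE_REPLAY_PROT) {
+ XFRM_SKB_CB(skb)->seq.output.low = ++x->replay.oseq;
+ if (unlikely(x->replay.oseq == 0)) {
+ x->replay.oseq--;
+ xfrm_audit_state_replay_overflow(x, skb);
+ err = -EOVERFLOW;
+
+ return err;
+ }
+ if (xfrm_aevent_is_on(net))
+ x->repl->notify(x, XFRM_REPLAY_UPDATE);
+ }
+
+ return err;
+}
+
+static int xfrm_replay_check(struct xfrm_state *x,
+ struct sk_buff *skb, __be32 net_seq)
+{
+ u32 diff;
+ u32 seq = ntohl(net_seq);
+
+ if (unlikely(seq == 0))
+ goto err;
+
+ if (likely(seq > x->replay.seq))
+ return 0;
+
+ diff = x->replay.seq - seq;
+ if (diff >= min_t(unsigned int, x->props.replay_window,
+ sizeof(x->replay.bitmap) * 8)) {
+ x->stats.replay_window++;
+ goto err;
+ }
+
+ if (x->replay.bitmap & (1U << diff)) {
+ x->stats.replay++;
+ goto err;
+ }
+ return 0;
+
+err:
+ xfrm_audit_state_replay(x, skb, net_seq);
+ return -EINVAL;
+}
+
+static void xfrm_replay_advance(struct xfrm_state *x, __be32 net_seq)
+{
+ u32 diff;
+ u32 seq = ntohl(net_seq);
+
+ if (!x->props.replay_window)
+ return;
+
+ if (seq > x->replay.seq) {
+ diff = seq - x->replay.seq;
+ if (diff < x->props.replay_window)
+ x->replay.bitmap = ((x->replay.bitmap) << diff) | 1;
+ else
+ x->replay.bitmap = 1;
+ x->replay.seq = seq;
+ } else {
+ diff = x->replay.seq - seq;
+ x->replay.bitmap |= (1U << diff);
+ }
+
+ if (xfrm_aevent_is_on(xs_net(x)))
+ xfrm_replay_notify(x, XFRM_REPLAY_UPDATE);
+}
+
+static int xfrm_replay_overflow_bmp(struct xfrm_state *x, struct sk_buff *skb)
+{
+ int err = 0;
+ struct xfrm_replay_state_esn *replay_esn = x->replay_esn;
+ struct net *net = xs_net(x);
+
+ if (x->type->flags & XFRM_TYPE_REPLAY_PROT) {
+ XFRM_SKB_CB(skb)->seq.output.low = ++replay_esn->oseq;
+ if (unlikely(replay_esn->oseq == 0)) {
+ replay_esn->oseq--;
+ xfrm_audit_state_replay_overflow(x, skb);
+ err = -EOVERFLOW;
+
+ return err;
+ }
+ if (xfrm_aevent_is_on(net))
+ x->repl->notify(x, XFRM_REPLAY_UPDATE);
+ }
+
+ return err;
+}
+
+static int xfrm_replay_check_bmp(struct xfrm_state *x,
+ struct sk_buff *skb, __be32 net_seq)
+{
+ unsigned int bitnr, nr;
+ struct xfrm_replay_state_esn *replay_esn = x->replay_esn;
+ u32 seq = ntohl(net_seq);
+ u32 diff = replay_esn->seq - seq;
+ u32 pos = (replay_esn->seq - 1) % replay_esn->replay_window;
+
+ if (unlikely(seq == 0))
+ goto err;
+
+ if (likely(seq > replay_esn->seq))
+ return 0;
+
+ if (diff >= replay_esn->replay_window) {
+ x->stats.replay_window++;
+ goto err;
+ }
+
+ if (pos >= diff) {
+ bitnr = (pos - diff) % replay_esn->replay_window;
+ nr = bitnr >> 5;
+ bitnr = bitnr & 0x1F;
+ if (replay_esn->bmp[nr] & (1U << bitnr))
+ goto err_replay;
+ } else {
+ bitnr = replay_esn->replay_window - (diff - pos);
+ nr = bitnr >> 5;
+ bitnr = bitnr & 0x1F;
+ if (replay_esn->bmp[nr] & (1U << bitnr))
+ goto err_replay;
+ }
+ return 0;
+
+err_replay:
+ x->stats.replay++;
+err:
+ xfrm_audit_state_replay(x, skb, net_seq);
+ return -EINVAL;
+}
+
+static void xfrm_replay_advance_bmp(struct xfrm_state *x, __be32 net_seq)
+{
+ unsigned int bitnr, nr, i;
+ u32 diff;
+ struct xfrm_replay_state_esn *replay_esn = x->replay_esn;
+ u32 seq = ntohl(net_seq);
+ u32 pos = (replay_esn->seq - 1) % replay_esn->replay_window;
+
+ if (!replay_esn->replay_window)
+ return;
+
+ if (seq > replay_esn->seq) {
+ diff = seq - replay_esn->seq;
+
+ if (diff < replay_esn->replay_window) {
+ for (i = 1; i < diff; i++) {
+ bitnr = (pos + i) % replay_esn->replay_window;
+ nr = bitnr >> 5;
+ bitnr = bitnr & 0x1F;
+ replay_esn->bmp[nr] &= ~(1U << bitnr);
+ }
+
+ bitnr = (pos + diff) % replay_esn->replay_window;
+ nr = bitnr >> 5;
+ bitnr = bitnr & 0x1F;
+ replay_esn->bmp[nr] |= (1U << bitnr);
+ } else {
+ nr = replay_esn->replay_window >> 5;
+ for (i = 0; i <= nr; i++)
+ replay_esn->bmp[i] = 0;
+
+ bitnr = (pos + diff) % replay_esn->replay_window;
+ nr = bitnr >> 5;
+ bitnr = bitnr & 0x1F;
+ replay_esn->bmp[nr] |= (1U << bitnr);
+ }
+
+ replay_esn->seq = seq;
+ } else {
+ diff = replay_esn->seq - seq;
+
+ if (pos >= diff) {
+ bitnr = (pos - diff) % replay_esn->replay_window;
+ nr = bitnr >> 5;
+ bitnr = bitnr & 0x1F;
+ replay_esn->bmp[nr] |= (1U << bitnr);
+ } else {
+ bitnr = replay_esn->replay_window - (diff - pos);
+ nr = bitnr >> 5;
+ bitnr = bitnr & 0x1F;
+ replay_esn->bmp[nr] |= (1U << bitnr);
+ }
+ }
+
+ if (xfrm_aevent_is_on(xs_net(x)))
+ xfrm_replay_notify(x, XFRM_REPLAY_UPDATE);
+}
+
+static void xfrm_replay_notify_bmp(struct xfrm_state *x, int event)
+{
+ struct km_event c;
+ struct xfrm_replay_state_esn *replay_esn = x->replay_esn;
+ struct xfrm_replay_state_esn *preplay_esn = x->preplay_esn;
+
+ /* we send notify messages in case
+ * 1. we updated on of the sequence numbers, and the seqno difference
+ * is at least x->replay_maxdiff, in this case we also update the
+ * timeout of our timer function
+ * 2. if x->replay_maxage has elapsed since last update,
+ * and there were changes
+ *
+ * The state structure must be locked!
+ */
+
+ switch (event) {
+ case XFRM_REPLAY_UPDATE:
+ if (x->replay_maxdiff &&
+ (replay_esn->seq - preplay_esn->seq < x->replay_maxdiff) &&
+ (replay_esn->oseq - preplay_esn->oseq < x->replay_maxdiff)) {
+ if (x->xflags & XFRM_TIME_DEFER)
+ event = XFRM_REPLAY_TIMEOUT;
+ else
+ return;
+ }
+
+ break;
+
+ case XFRM_REPLAY_TIMEOUT:
+ if (memcmp(x->replay_esn, x->preplay_esn,
+ xfrm_replay_state_esn_len(replay_esn)) == 0) {
+ x->xflags |= XFRM_TIME_DEFER;
+ return;
+ }
+
+ break;
+ }
+
+ memcpy(x->preplay_esn, x->replay_esn,
+ xfrm_replay_state_esn_len(replay_esn));
+ c.event = XFRM_MSG_NEWAE;
+ c.data.aevent = event;
+ km_state_notify(x, &c);
+
+ if (x->replay_maxage &&
+ !mod_timer(&x->rtimer, jiffies + x->replay_maxage))
+ x->xflags &= ~XFRM_TIME_DEFER;
+}
+
+static int xfrm_replay_overflow_esn(struct xfrm_state *x, struct sk_buff *skb)
+{
+ int err = 0;
+ struct xfrm_replay_state_esn *replay_esn = x->replay_esn;
+ struct net *net = xs_net(x);
+
+ if (x->type->flags & XFRM_TYPE_REPLAY_PROT) {
+ XFRM_SKB_CB(skb)->seq.output.low = ++replay_esn->oseq;
+ XFRM_SKB_CB(skb)->seq.output.hi = replay_esn->oseq_hi;
+
+ if (unlikely(replay_esn->oseq == 0)) {
+ XFRM_SKB_CB(skb)->seq.output.hi = ++replay_esn->oseq_hi;
+
+ if (replay_esn->oseq_hi == 0) {
+ replay_esn->oseq--;
+ replay_esn->oseq_hi--;
+ xfrm_audit_state_replay_overflow(x, skb);
+ err = -EOVERFLOW;
+
+ return err;
+ }
+ }
+ if (xfrm_aevent_is_on(net))
+ x->repl->notify(x, XFRM_REPLAY_UPDATE);
+ }
+
+ return err;
+}
+
+static int xfrm_replay_check_esn(struct xfrm_state *x,
+ struct sk_buff *skb, __be32 net_seq)
+{
+ unsigned int bitnr, nr;
+ u32 diff;
+ struct xfrm_replay_state_esn *replay_esn = x->replay_esn;
+ u32 seq = ntohl(net_seq);
+ u32 pos = (replay_esn->seq - 1) % replay_esn->replay_window;
+ u32 wsize = replay_esn->replay_window;
+ u32 top = replay_esn->seq;
+ u32 bottom = top - wsize + 1;
+
+ if (unlikely(seq == 0 && replay_esn->seq_hi == 0 &&
+ (replay_esn->seq < replay_esn->replay_window - 1)))
+ goto err;
+
+ diff = top - seq;
+
+ if (likely(top >= wsize - 1)) {
+ /* A. same subspace */
+ if (likely(seq > top) || seq < bottom)
+ return 0;
+ } else {
+ /* B. window spans two subspaces */
+ if (likely(seq > top && seq < bottom))
+ return 0;
+ if (seq >= bottom)
+ diff = ~seq + top + 1;
+ }
+
+ if (diff >= replay_esn->replay_window) {
+ x->stats.replay_window++;
+ goto err;
+ }
+
+ if (pos >= diff) {
+ bitnr = (pos - diff) % replay_esn->replay_window;
+ nr = bitnr >> 5;
+ bitnr = bitnr & 0x1F;
+ if (replay_esn->bmp[nr] & (1U << bitnr))
+ goto err_replay;
+ } else {
+ bitnr = replay_esn->replay_window - (diff - pos);
+ nr = bitnr >> 5;
+ bitnr = bitnr & 0x1F;
+ if (replay_esn->bmp[nr] & (1U << bitnr))
+ goto err_replay;
+ }
+ return 0;
+
+err_replay:
+ x->stats.replay++;
+err:
+ xfrm_audit_state_replay(x, skb, net_seq);
+ return -EINVAL;
+}
+
+static void xfrm_replay_advance_esn(struct xfrm_state *x, __be32 net_seq)
+{
+ unsigned int bitnr, nr, i;
+ int wrap;
+ u32 diff, pos, seq, seq_hi;
+ struct xfrm_replay_state_esn *replay_esn = x->replay_esn;
+
+ if (!replay_esn->replay_window)
+ return;
+
+ seq = ntohl(net_seq);
+ pos = (replay_esn->seq - 1) % replay_esn->replay_window;
+ seq_hi = xfrm_replay_seqhi(x, net_seq);
+ wrap = seq_hi - replay_esn->seq_hi;
+
+ if ((!wrap && seq > replay_esn->seq) || wrap > 0) {
+ if (likely(!wrap))
+ diff = seq - replay_esn->seq;
+ else
+ diff = ~replay_esn->seq + seq + 1;
+
+ if (diff < replay_esn->replay_window) {
+ for (i = 1; i < diff; i++) {
+ bitnr = (pos + i) % replay_esn->replay_window;
+ nr = bitnr >> 5;
+ bitnr = bitnr & 0x1F;
+ replay_esn->bmp[nr] &= ~(1U << bitnr);
+ }
+
+ bitnr = (pos + diff) % replay_esn->replay_window;
+ nr = bitnr >> 5;
+ bitnr = bitnr & 0x1F;
+ replay_esn->bmp[nr] |= (1U << bitnr);
+ } else {
+ nr = replay_esn->replay_window >> 5;
+ for (i = 0; i <= nr; i++)
+ replay_esn->bmp[i] = 0;
+
+ bitnr = (pos + diff) % replay_esn->replay_window;
+ nr = bitnr >> 5;
+ bitnr = bitnr & 0x1F;
+ replay_esn->bmp[nr] |= (1U << bitnr);
+ }
+
+ replay_esn->seq = seq;
+
+ if (unlikely(wrap > 0))
+ replay_esn->seq_hi++;
+ } else {
+ diff = replay_esn->seq - seq;
+
+ if (pos >= diff) {
+ bitnr = (pos - diff) % replay_esn->replay_window;
+ nr = bitnr >> 5;
+ bitnr = bitnr & 0x1F;
+ replay_esn->bmp[nr] |= (1U << bitnr);
+ } else {
+ bitnr = replay_esn->replay_window - (diff - pos);
+ nr = bitnr >> 5;
+ bitnr = bitnr & 0x1F;
+ replay_esn->bmp[nr] |= (1U << bitnr);
+ }
+ }
+
+ if (xfrm_aevent_is_on(xs_net(x)))
+ xfrm_replay_notify(x, XFRM_REPLAY_UPDATE);
+}
+
+static struct xfrm_replay xfrm_replay_legacy = {
+ .advance = xfrm_replay_advance,
+ .check = xfrm_replay_check,
+ .notify = xfrm_replay_notify,
+ .overflow = xfrm_replay_overflow,
+};
+
+static struct xfrm_replay xfrm_replay_bmp = {
+ .advance = xfrm_replay_advance_bmp,
+ .check = xfrm_replay_check_bmp,
+ .notify = xfrm_replay_notify_bmp,
+ .overflow = xfrm_replay_overflow_bmp,
+};
+
+static struct xfrm_replay xfrm_replay_esn = {
+ .advance = xfrm_replay_advance_esn,
+ .check = xfrm_replay_check_esn,
+ .notify = xfrm_replay_notify_bmp,
+ .overflow = xfrm_replay_overflow_esn,
+};
+
+int xfrm_init_replay(struct xfrm_state *x)
+{
+ struct xfrm_replay_state_esn *replay_esn = x->replay_esn;
+
+ if (replay_esn) {
+ if (replay_esn->replay_window >
+ replay_esn->bmp_len * sizeof(__u32))
+ return -EINVAL;
+
+ if ((x->props.flags & XFRM_STATE_ESN) && x->replay_esn)
+ x->repl = &xfrm_replay_esn;
+ else
+ x->repl = &xfrm_replay_bmp;
+ } else
+ x->repl = &xfrm_replay_legacy;
+
+ return 0;
+}
+EXPORT_SYMBOL(xfrm_init_replay);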
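Review bot: `xfrm_replay_check_bmp()`, `xfrm_replay_check_esn()` and `xfrm_replay_advance_bmp()` evaluate `(replay_esn->seq - 1) % replay_esn->replay_window` in the `pos` initializer before anything rules out a zero window, so a state with `replay_window == 0` would divide by zero on the packet receive path. The two check functions have no zero test at all, and in `xfrm_replay_advance_bmp()` the existing `if (!replay_esn->replay_window) return;` comes after the initializer; `xfrm_replay_advance_esn()` already tests first and is fine. `xfrm_init_replay()` only bounds the window from above, so nothing in this file keeps 0 out, and whether the netlink side rejects it is not visible here. I would add `if (!replay_esn->replay_window) return 0;` ahead of the `pos` computation in both check functions and move the `pos` assignment below the zero test in `xfrm_replay_advance_bmp()`.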
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 220ebc05c7a..f83a3d1da81 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -42,16 +42,9 @@ static unsigned int xfrm_state_hashmax __read_mostly = 1 * 1024 * 1024;
42static struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned int family); 42static struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned int family);
43static void xfrm_state_put_afinfo(struct xfrm_state_afinfo *afinfo); 43static void xfrm_state_put_afinfo(struct xfrm_state_afinfo *afinfo);
44 44
45#ifdef CONFIG_AUDITSYSCALL
46static void xfrm_audit_state_replay(struct xfrm_state *x,
47 struct sk_buff *skb, __be32 net_seq);
48#else
49#define xfrm_audit_state_replay(x, s, sq) do { ; } while (0)
50#endif /* CONFIG_AUDITSYSCALL */
51
52static inline unsigned int xfrm_dst_hash(struct net *net, 45static inline unsigned int xfrm_dst_hash(struct net *net,
53 xfrm_address_t *daddr, 46 const xfrm_address_t *daddr,
54 xfrm_address_t *saddr, 47 const xfrm_address_t *saddr,
55 u32 reqid, 48 u32 reqid,
56 unsigned short family) 49 unsigned short family)
57{ 50{
@@ -59,15 +52,16 @@ static inline unsigned int xfrm_dst_hash(struct net *net,
59} 52}
60 53
61static inline unsigned int xfrm_src_hash(struct net *net, 54static inline unsigned int xfrm_src_hash(struct net *net,
62 xfrm_address_t *daddr, 55 const xfrm_address_t *daddr,
63 xfrm_address_t *saddr, 56 const xfrm_address_t *saddr,
64 unsigned short family) 57 unsigned short family)
65{ 58{
66 return __xfrm_src_hash(daddr, saddr, family, net->xfrm.state_hmask); 59 return __xfrm_src_hash(daddr, saddr, family, net->xfrm.state_hmask);
67} 60}
68 61
69static inline unsigned int 62static inline unsigned int
70xfrm_spi_hash(struct net *net, xfrm_address_t *daddr, __be32 spi, u8 proto, unsigned short family) 63xfrm_spi_hash(struct net *net, const xfrm_address_t *daddr,
64 __be32 spi, u8 proto, unsigned short family)
71{ 65{
72 return __xfrm_spi_hash(daddr, spi, proto, family, net->xfrm.state_hmask); 66 return __xfrm_spi_hash(daddr, spi, proto, family, net->xfrm.state_hmask);
73} 67}
@@ -362,6 +356,8 @@ static void xfrm_state_gc_destroy(struct xfrm_state *x)
362 kfree(x->calg); 356 kfree(x->calg);
363 kfree(x->encap); 357 kfree(x->encap);
364 kfree(x->coaddr); 358 kfree(x->coaddr);
359 kfree(x->replay_esn);
360 kfree(x->preplay_esn);
365 if (x->inner_mode) 361 if (x->inner_mode)
366 xfrm_put_mode(x->inner_mode); 362 xfrm_put_mode(x->inner_mode);
367 if (x->inner_mode_iaf) 363 if (x->inner_mode_iaf)
@@ -656,9 +652,9 @@ void xfrm_sad_getinfo(struct net *net, struct xfrmk_sadinfo *si)
656EXPORT_SYMBOL(xfrm_sad_getinfo); 652EXPORT_SYMBOL(xfrm_sad_getinfo);
657 653
658static int 654static int
659xfrm_init_tempstate(struct xfrm_state *x, struct flowi *fl, 655xfrm_init_tempstate(struct xfrm_state *x, const struct flowi *fl,
660 struct xfrm_tmpl *tmpl, 656 const struct xfrm_tmpl *tmpl,
661 xfrm_address_t *daddr, xfrm_address_t *saddr, 657 const xfrm_address_t *daddr, const xfrm_address_t *saddr,
662 unsigned short family) 658 unsigned short family)
663{ 659{
664 struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family); 660 struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family);
@@ -677,7 +673,10 @@ xfrm_init_tempstate(struct xfrm_state *x, struct flowi *fl,
677 return 0; 673 return 0;
678} 674}
679 675
680static struct xfrm_state *__xfrm_state_lookup(struct net *net, u32 mark, xfrm_address_t *daddr, __be32 spi, u8 proto, unsigned short family) 676static struct xfrm_state *__xfrm_state_lookup(struct net *net, u32 mark,
677 const xfrm_address_t *daddr,
678 __be32 spi, u8 proto,
679 unsigned short family)
681{ 680{
682 unsigned int h = xfrm_spi_hash(net, daddr, spi, proto, family); 681 unsigned int h = xfrm_spi_hash(net, daddr, spi, proto, family);
683 struct xfrm_state *x; 682 struct xfrm_state *x;
@@ -699,7 +698,10 @@ static struct xfrm_state *__xfrm_state_lookup(struct net *net, u32 mark, xfrm_ad
699 return NULL; 698 return NULL;
700} 699}
701 700
702static struct xfrm_state *__xfrm_state_lookup_byaddr(struct net *net, u32 mark, xfrm_address_t *daddr, xfrm_address_t *saddr, u8 proto, unsigned short family) 701static struct xfrm_state *__xfrm_state_lookup_byaddr(struct net *net, u32 mark,
702 const xfrm_address_t *daddr,
703 const xfrm_address_t *saddr,
704 u8 proto, unsigned short family)
703{ 705{
704 unsigned int h = xfrm_src_hash(net, daddr, saddr, family); 706 unsigned int h = xfrm_src_hash(net, daddr, saddr, family);
705 struct xfrm_state *x; 707 struct xfrm_state *x;
@@ -746,8 +748,7 @@ static void xfrm_hash_grow_check(struct net *net, int have_hash_collision)
746} 748}
747 749
748static void xfrm_state_look_at(struct xfrm_policy *pol, struct xfrm_state *x, 750static void xfrm_state_look_at(struct xfrm_policy *pol, struct xfrm_state *x,
749 struct flowi *fl, unsigned short family, 751 const struct flowi *fl, unsigned short family,
750 xfrm_address_t *daddr, xfrm_address_t *saddr,
751 struct xfrm_state **best, int *acq_in_progress, 752 struct xfrm_state **best, int *acq_in_progress,
752 int *error) 753 int *error)
753{ 754{
@@ -784,8 +785,8 @@ static void xfrm_state_look_at(struct xfrm_policy *pol, struct xfrm_state *x,
784} 785}
785 786
786struct xfrm_state * 787struct xfrm_state *
787xfrm_state_find(xfrm_address_t *daddr, xfrm_address_t *saddr, 788xfrm_state_find(const xfrm_address_t *daddr, const xfrm_address_t *saddr,
788 struct flowi *fl, struct xfrm_tmpl *tmpl, 789 const struct flowi *fl, struct xfrm_tmpl *tmpl,
789 struct xfrm_policy *pol, int *err, 790 struct xfrm_policy *pol, int *err,
790 unsigned short family) 791 unsigned short family)
791{ 792{
@@ -813,7 +814,7 @@ xfrm_state_find(xfrm_address_t *daddr, xfrm_address_t *saddr,
813 tmpl->mode == x->props.mode && 814 tmpl->mode == x->props.mode &&
814 tmpl->id.proto == x->id.proto && 815 tmpl->id.proto == x->id.proto &&
815 (tmpl->id.spi == x->id.spi || !tmpl->id.spi)) 816 (tmpl->id.spi == x->id.spi || !tmpl->id.spi))
816 xfrm_state_look_at(pol, x, fl, encap_family, daddr, saddr, 817 xfrm_state_look_at(pol, x, fl, encap_family,
817 &best, &acquire_in_progress, &error); 818 &best, &acquire_in_progress, &error);
818 } 819 }
819 if (best) 820 if (best)
@@ -829,7 +830,7 @@ xfrm_state_find(xfrm_address_t *daddr, xfrm_address_t *saddr,
829 tmpl->mode == x->props.mode && 830 tmpl->mode == x->props.mode &&
830 tmpl->id.proto == x->id.proto && 831 tmpl->id.proto == x->id.proto &&
831 (tmpl->id.spi == x->id.spi || !tmpl->id.spi)) 832 (tmpl->id.spi == x->id.spi || !tmpl->id.spi))
832 xfrm_state_look_at(pol, x, fl, encap_family, daddr, saddr, 833 xfrm_state_look_at(pol, x, fl, encap_family,
833 &best, &acquire_in_progress, &error); 834 &best, &acquire_in_progress, &error);
834 } 835 }
835 836
@@ -853,7 +854,7 @@ found:
853 xfrm_init_tempstate(x, fl, tmpl, daddr, saddr, family); 854 xfrm_init_tempstate(x, fl, tmpl, daddr, saddr, family);
854 memcpy(&x->mark, &pol->mark, sizeof(x->mark)); 855 memcpy(&x->mark, &pol->mark, sizeof(x->mark));
855 856
856 error = security_xfrm_state_alloc_acquire(x, pol->security, fl->secid); 857 error = security_xfrm_state_alloc_acquire(x, pol->security, fl->flowi_secid);
857 if (error) { 858 if (error) {
858 x->km.state = XFRM_STATE_DEAD; 859 x->km.state = XFRM_STATE_DEAD;
859 to_put = x; 860 to_put = x;
@@ -991,7 +992,11 @@ void xfrm_state_insert(struct xfrm_state *x)
991EXPORT_SYMBOL(xfrm_state_insert); 992EXPORT_SYMBOL(xfrm_state_insert);
992 993
993/* xfrm_state_lock is held */ 994/* xfrm_state_lock is held */
994static struct xfrm_state *__find_acq_core(struct net *net, struct xfrm_mark *m, unsigned short family, u8 mode, u32 reqid, u8 proto, xfrm_address_t *daddr, xfrm_address_t *saddr, int create) 995static struct xfrm_state *__find_acq_core(struct net *net, struct xfrm_mark *m,
996 unsigned short family, u8 mode,
997 u32 reqid, u8 proto,
998 const xfrm_address_t *daddr,
999 const xfrm_address_t *saddr, int create)
995{ 1000{
996 unsigned int h = xfrm_dst_hash(net, daddr, saddr, reqid, family); 1001 unsigned int h = xfrm_dst_hash(net, daddr, saddr, reqid, family);
997 struct hlist_node *entry; 1002 struct hlist_node *entry;
@@ -1369,7 +1374,7 @@ int xfrm_state_check_expire(struct xfrm_state *x)
1369EXPORT_SYMBOL(xfrm_state_check_expire); 1374EXPORT_SYMBOL(xfrm_state_check_expire);
1370 1375
1371struct xfrm_state * 1376struct xfrm_state *
1372xfrm_state_lookup(struct net *net, u32 mark, xfrm_address_t *daddr, __be32 spi, 1377xfrm_state_lookup(struct net *net, u32 mark, const xfrm_address_t *daddr, __be32 spi,
1373 u8 proto, unsigned short family) 1378 u8 proto, unsigned short family)
1374{ 1379{
1375 struct xfrm_state *x; 1380 struct xfrm_state *x;
@@ -1383,7 +1388,7 @@ EXPORT_SYMBOL(xfrm_state_lookup);
1383 1388
1384struct xfrm_state * 1389struct xfrm_state *
1385xfrm_state_lookup_byaddr(struct net *net, u32 mark, 1390xfrm_state_lookup_byaddr(struct net *net, u32 mark,
1386 xfrm_address_t *daddr, xfrm_address_t *saddr, 1391 const xfrm_address_t *daddr, const xfrm_address_t *saddr,
1387 u8 proto, unsigned short family) 1392 u8 proto, unsigned short family)
1388{ 1393{
1389 struct xfrm_state *x; 1394 struct xfrm_state *x;
@@ -1397,7 +1402,7 @@ EXPORT_SYMBOL(xfrm_state_lookup_byaddr);
1397 1402
1398struct xfrm_state * 1403struct xfrm_state *
1399xfrm_find_acq(struct net *net, struct xfrm_mark *mark, u8 mode, u32 reqid, u8 proto, 1404xfrm_find_acq(struct net *net, struct xfrm_mark *mark, u8 mode, u32 reqid, u8 proto,
1400 xfrm_address_t *daddr, xfrm_address_t *saddr, 1405 const xfrm_address_t *daddr, const xfrm_address_t *saddr,
1401 int create, unsigned short family) 1406 int create, unsigned short family)
1402{ 1407{
1403 struct xfrm_state *x; 1408 struct xfrm_state *x;
@@ -1609,54 +1614,6 @@ void xfrm_state_walk_done(struct xfrm_state_walk *walk)
1609} 1614}
1610EXPORT_SYMBOL(xfrm_state_walk_done); 1615EXPORT_SYMBOL(xfrm_state_walk_done);
1611 1616
1612
1613void xfrm_replay_notify(struct xfrm_state *x, int event)
1614{
1615 struct km_event c;
1616 /* we send notify messages in case
1617 * 1. we updated on of the sequence numbers, and the seqno difference
1618 * is at least x->replay_maxdiff, in this case we also update the
1619 * timeout of our timer function
1620 * 2. if x->replay_maxage has elapsed since last update,
1621 * and there were changes
1622 *
1623 * The state structure must be locked!
1624 */
1625
1626 switch (event) {
1627 case XFRM_REPLAY_UPDATE:
1628 if (x->replay_maxdiff &&
1629 (x->replay.seq - x->preplay.seq < x->replay_maxdiff) &&
1630 (x->replay.oseq - x->preplay.oseq < x->replay_maxdiff)) {
1631 if (x->xflags & XFRM_TIME_DEFER)
1632 event = XFRM_REPLAY_TIMEOUT;
1633 else
1634 return;
1635 }
1636
1637 break;
1638
1639 case XFRM_REPLAY_TIMEOUT:
1640 if ((x->replay.seq == x->preplay.seq) &&
1641 (x->replay.bitmap == x->preplay.bitmap) &&
1642 (x->replay.oseq == x->preplay.oseq)) {
1643 x->xflags |= XFRM_TIME_DEFER;
1644 return;
1645 }
1646
1647 break;
1648 }
1649
1650 memcpy(&x->preplay, &x->replay, sizeof(struct xfrm_replay_state));
1651 c.event = XFRM_MSG_NEWAE;
1652 c.data.aevent = event;
1653 km_state_notify(x, &c);
1654
1655 if (x->replay_maxage &&
1656 !mod_timer(&x->rtimer, jiffies + x->replay_maxage))
1657 x->xflags &= ~XFRM_TIME_DEFER;
1658}
1659
1660static void xfrm_replay_timer_handler(unsigned long data) 1617static void xfrm_replay_timer_handler(unsigned long data)
1661{ 1618{
1662 struct xfrm_state *x = (struct xfrm_state*)data; 1619 struct xfrm_state *x = (struct xfrm_state*)data;
@@ -1665,7 +1622,7 @@ static void xfrm_replay_timer_handler(unsigned long data)
1665 1622
1666 if (x->km.state == XFRM_STATE_VALID) { 1623 if (x->km.state == XFRM_STATE_VALID) {
1667 if (xfrm_aevent_is_on(xs_net(x))) 1624 if (xfrm_aevent_is_on(xs_net(x)))
1668 xfrm_replay_notify(x, XFRM_REPLAY_TIMEOUT); 1625 x->repl->notify(x, XFRM_REPLAY_TIMEOUT);
1669 else 1626 else
1670 x->xflags |= XFRM_TIME_DEFER; 1627 x->xflags |= XFRM_TIME_DEFER;
1671 } 1628 }
@@ -1673,61 +1630,10 @@ static void xfrm_replay_timer_handler(unsigned long data)
1673 spin_unlock(&x->lock); 1630 spin_unlock(&x->lock);
1674} 1631}
1675 1632
1676int xfrm_replay_check(struct xfrm_state *x,
1677 struct sk_buff *skb, __be32 net_seq)
1678{
1679 u32 diff;
1680 u32 seq = ntohl(net_seq);
1681
1682 if (unlikely(seq == 0))
1683 goto err;
1684
1685 if (likely(seq > x->replay.seq))
1686 return 0;
1687
1688 diff = x->replay.seq - seq;
1689 if (diff >= min_t(unsigned int, x->props.replay_window,
1690 sizeof(x->replay.bitmap) * 8)) {
1691 x->stats.replay_window++;
1692 goto err;
1693 }
1694
1695 if (x->replay.bitmap & (1U << diff)) {
1696 x->stats.replay++;
1697 goto err;
1698 }
1699 return 0;
1700
1701err:
1702 xfrm_audit_state_replay(x, skb, net_seq);
1703 return -EINVAL;
1704}
1705
1706void xfrm_replay_advance(struct xfrm_state *x, __be32 net_seq)
1707{
1708 u32 diff;
1709 u32 seq = ntohl(net_seq);
1710
1711 if (seq > x->replay.seq) {
1712 diff = seq - x->replay.seq;
1713 if (diff < x->props.replay_window)
1714 x->replay.bitmap = ((x->replay.bitmap) << diff) | 1;
1715 else
1716 x->replay.bitmap = 1;
1717 x->replay.seq = seq;
1718 } else {
1719 diff = x->replay.seq - seq;
1720 x->replay.bitmap |= (1U << diff);
1721 }
1722
1723 if (xfrm_aevent_is_on(xs_net(x)))
1724 xfrm_replay_notify(x, XFRM_REPLAY_UPDATE);
1725}
1726
1727static LIST_HEAD(xfrm_km_list); 1633static LIST_HEAD(xfrm_km_list);
1728static DEFINE_RWLOCK(xfrm_km_lock); 1634static DEFINE_RWLOCK(xfrm_km_lock);
1729 1635
1730void km_policy_notify(struct xfrm_policy *xp, int dir, struct km_event *c) 1636void km_policy_notify(struct xfrm_policy *xp, int dir, const struct km_event *c)
1731{ 1637{
1732 struct xfrm_mgr *km; 1638 struct xfrm_mgr *km;
1733 1639
@@ -1738,7 +1644,7 @@ void km_policy_notify(struct xfrm_policy *xp, int dir, struct km_event *c)
1738 read_unlock(&xfrm_km_lock); 1644 read_unlock(&xfrm_km_lock);
1739} 1645}
1740 1646
1741void km_state_notify(struct xfrm_state *x, struct km_event *c) 1647void km_state_notify(struct xfrm_state *x, const struct km_event *c)
1742{ 1648{
1743 struct xfrm_mgr *km; 1649 struct xfrm_mgr *km;
1744 read_lock(&xfrm_km_lock); 1650 read_lock(&xfrm_km_lock);
@@ -1819,9 +1725,9 @@ void km_policy_expired(struct xfrm_policy *pol, int dir, int hard, u32 pid)
1819EXPORT_SYMBOL(km_policy_expired); 1725EXPORT_SYMBOL(km_policy_expired);
1820 1726
1821#ifdef CONFIG_XFRM_MIGRATE 1727#ifdef CONFIG_XFRM_MIGRATE
1822int km_migrate(struct xfrm_selector *sel, u8 dir, u8 type, 1728int km_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
1823 struct xfrm_migrate *m, int num_migrate, 1729 const struct xfrm_migrate *m, int num_migrate,
1824 struct xfrm_kmaddress *k) 1730 const struct xfrm_kmaddress *k)
1825{ 1731{
1826 int err = -EINVAL; 1732 int err = -EINVAL;
1827 int ret; 1733 int ret;
@@ -2001,7 +1907,7 @@ int xfrm_state_mtu(struct xfrm_state *x, int mtu)
2001 return res; 1907 return res;
2002} 1908}
2003 1909
2004int xfrm_init_state(struct xfrm_state *x) 1910int __xfrm_init_state(struct xfrm_state *x, bool init_replay)
2005{ 1911{
2006 struct xfrm_state_afinfo *afinfo; 1912 struct xfrm_state_afinfo *afinfo;
2007 struct xfrm_mode *inner_mode; 1913 struct xfrm_mode *inner_mode;
@@ -2074,12 +1980,25 @@ int xfrm_init_state(struct xfrm_state *x)
2074 if (x->outer_mode == NULL) 1980 if (x->outer_mode == NULL)
2075 goto error; 1981 goto error;
2076 1982
1983 if (init_replay) {
1984 err = xfrm_init_replay(x);
1985 if (err)
1986 goto error;
1987 }
1988
2077 x->km.state = XFRM_STATE_VALID; 1989 x->km.state = XFRM_STATE_VALID;
2078 1990
2079error: 1991error:
2080 return err; 1992 return err;
2081} 1993}
2082 1994
1995EXPORT_SYMBOL(__xfrm_init_state);
1996
1997int xfrm_init_state(struct xfrm_state *x)
1998{
1999 return __xfrm_init_state(x, true);
2000}
2001
2083EXPORT_SYMBOL(xfrm_init_state); 2002EXPORT_SYMBOL(xfrm_init_state);
2084 2003
2085int __net_init xfrm_state_init(struct net *net) 2004int __net_init xfrm_state_init(struct net *net)
@@ -2236,7 +2155,7 @@ void xfrm_audit_state_replay_overflow(struct xfrm_state *x,
2236} 2155}
2237EXPORT_SYMBOL_GPL(xfrm_audit_state_replay_overflow); 2156EXPORT_SYMBOL_GPL(xfrm_audit_state_replay_overflow);
2238 2157
2239static void xfrm_audit_state_replay(struct xfrm_state *x, 2158void xfrm_audit_state_replay(struct xfrm_state *x,
2240 struct sk_buff *skb, __be32 net_seq) 2159 struct sk_buff *skb, __be32 net_seq)
2241{ 2160{
2242 struct audit_buffer *audit_buf; 2161 struct audit_buffer *audit_buf;
@@ -2251,6 +2170,7 @@ static void xfrm_audit_state_replay(struct xfrm_state *x,
2251 spi, spi, ntohl(net_seq)); 2170 spi, spi, ntohl(net_seq));
2252 audit_log_end(audit_buf); 2171 audit_log_end(audit_buf);
2253} 2172}
2173EXPORT_SYMBOL_GPL(xfrm_audit_state_replay);
2254 2174
2255void xfrm_audit_state_notfound_simple(struct sk_buff *skb, u16 family) 2175void xfrm_audit_state_notfound_simple(struct sk_buff *skb, u16 family)
2256{ 2176{
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 61291965c5f..fc152d28753 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -119,6 +119,19 @@ static inline int verify_sec_ctx_len(struct nlattr **attrs)
119 return 0; 119 return 0;
120} 120}
121 121
122static inline int verify_replay(struct xfrm_usersa_info *p,
123 struct nlattr **attrs)
124{
125 struct nlattr *rt = attrs[XFRMA_REPLAY_ESN_VAL];
126
127 if (!rt)
128 return 0;
129
130 if (p->replay_window != 0)
131 return -EINVAL;
132
133 return 0;
134}
122 135
123static int verify_newsa_info(struct xfrm_usersa_info *p, 136static int verify_newsa_info(struct xfrm_usersa_info *p,
124 struct nlattr **attrs) 137 struct nlattr **attrs)
@@ -214,6 +227,8 @@ static int verify_newsa_info(struct xfrm_usersa_info *p,
214 goto out; 227 goto out;
215 if ((err = verify_sec_ctx_len(attrs))) 228 if ((err = verify_sec_ctx_len(attrs)))
216 goto out; 229 goto out;
230 if ((err = verify_replay(p, attrs)))
231 goto out;
217 232
218 err = -EINVAL; 233 err = -EINVAL;
219 switch (p->mode) { 234 switch (p->mode) {
@@ -234,7 +249,7 @@ out:
234} 249}
235 250
236static int attach_one_algo(struct xfrm_algo **algpp, u8 *props, 251static int attach_one_algo(struct xfrm_algo **algpp, u8 *props,
237 struct xfrm_algo_desc *(*get_byname)(char *, int), 252 struct xfrm_algo_desc *(*get_byname)(const char *, int),
238 struct nlattr *rta) 253 struct nlattr *rta)
239{ 254{
240 struct xfrm_algo *p, *ualg; 255 struct xfrm_algo *p, *ualg;
@@ -345,6 +360,33 @@ static int attach_aead(struct xfrm_algo_aead **algpp, u8 *props,
345 return 0; 360 return 0;
346} 361}
347 362
363static int xfrm_alloc_replay_state_esn(struct xfrm_replay_state_esn **replay_esn,
364 struct xfrm_replay_state_esn **preplay_esn,
365 struct nlattr *rta)
366{
367 struct xfrm_replay_state_esn *p, *pp, *up;
368
369 if (!rta)
370 return 0;
371
372 up = nla_data(rta);
373
374 p = kmemdup(up, xfrm_replay_state_esn_len(up), GFP_KERNEL);
375 if (!p)
376 return -ENOMEM;
377
378 pp = kmemdup(up, xfrm_replay_state_esn_len(up), GFP_KERNEL);
379 if (!pp) {
380 kfree(p);
381 return -ENOMEM;
382 }
383
384 *replay_esn = p;
385 *preplay_esn = pp;
386
387 return 0;
388}
389
348static inline int xfrm_user_sec_ctx_size(struct xfrm_sec_ctx *xfrm_ctx) 390static inline int xfrm_user_sec_ctx_size(struct xfrm_sec_ctx *xfrm_ctx)
349{ 391{
350 int len = 0; 392 int len = 0;
@@ -380,10 +422,20 @@ static void copy_from_user_state(struct xfrm_state *x, struct xfrm_usersa_info *
380static void xfrm_update_ae_params(struct xfrm_state *x, struct nlattr **attrs) 422static void xfrm_update_ae_params(struct xfrm_state *x, struct nlattr **attrs)
381{ 423{
382 struct nlattr *rp = attrs[XFRMA_REPLAY_VAL]; 424 struct nlattr *rp = attrs[XFRMA_REPLAY_VAL];
425 struct nlattr *re = attrs[XFRMA_REPLAY_ESN_VAL];
383 struct nlattr *lt = attrs[XFRMA_LTIME_VAL]; 426 struct nlattr *lt = attrs[XFRMA_LTIME_VAL];
384 struct nlattr *et = attrs[XFRMA_ETIMER_THRESH]; 427 struct nlattr *et = attrs[XFRMA_ETIMER_THRESH];
385 struct nlattr *rt = attrs[XFRMA_REPLAY_THRESH]; 428 struct nlattr *rt = attrs[XFRMA_REPLAY_THRESH];
386 429
430 if (re) {
431 struct xfrm_replay_state_esn *replay_esn;
432 replay_esn = nla_data(re);
433 memcpy(x->replay_esn, replay_esn,
434 xfrm_replay_state_esn_len(replay_esn));
435 memcpy(x->preplay_esn, replay_esn,
436 xfrm_replay_state_esn_len(replay_esn));
437 }
438
387 if (rp) { 439 if (rp) {
388 struct xfrm_replay_state *replay; 440 struct xfrm_replay_state *replay;
389 replay = nla_data(rp); 441 replay = nla_data(rp);
@@ -459,7 +511,7 @@ static struct xfrm_state *xfrm_state_construct(struct net *net,
459 511
460 xfrm_mark_get(attrs, &x->mark); 512 xfrm_mark_get(attrs, &x->mark);
461 513
462 err = xfrm_init_state(x); 514 err = __xfrm_init_state(x, false);
463 if (err) 515 if (err)
464 goto error; 516 goto error;
465 517
@@ -467,16 +519,19 @@ static struct xfrm_state *xfrm_state_construct(struct net *net,
467 security_xfrm_state_alloc(x, nla_data(attrs[XFRMA_SEC_CTX]))) 519 security_xfrm_state_alloc(x, nla_data(attrs[XFRMA_SEC_CTX])))
468 goto error; 520 goto error;
469 521
522 if ((err = xfrm_alloc_replay_state_esn(&x->replay_esn, &x->preplay_esn,
523 attrs[XFRMA_REPLAY_ESN_VAL])))
524 goto error;
525
470 x->km.seq = p->seq; 526 x->km.seq = p->seq;
471 x->replay_maxdiff = net->xfrm.sysctl_aevent_rseqth; 527 x->replay_maxdiff = net->xfrm.sysctl_aevent_rseqth;
472 /* sysctl_xfrm_aevent_etime is in 100ms units */ 528 /* sysctl_xfrm_aevent_etime is in 100ms units */
473 x->replay_maxage = (net->xfrm.sysctl_aevent_etime*HZ)/XFRM_AE_ETH_M; 529 x->replay_maxage = (net->xfrm.sysctl_aevent_etime*HZ)/XFRM_AE_ETH_M;
474 x->preplay.bitmap = 0;
475 x->preplay.seq = x->replay.seq+x->replay_maxdiff;
476 x->preplay.oseq = x->replay.oseq +x->replay_maxdiff;
477 530
478 /* override default values from above */ 531 if ((err = xfrm_init_replay(x)))
532 goto error;
479 533
534 /* override default values from above */
480 xfrm_update_ae_params(x, attrs); 535 xfrm_update_ae_params(x, attrs);
481 536
482 return x; 537 return x;
@@ -497,9 +552,9 @@ static int xfrm_add_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
497 struct xfrm_state *x; 552 struct xfrm_state *x;
498 int err; 553 int err;
499 struct km_event c; 554 struct km_event c;
500 uid_t loginuid = NETLINK_CB(skb).loginuid; 555 uid_t loginuid = audit_get_loginuid(current);
501 u32 sessionid = NETLINK_CB(skb).sessionid; 556 u32 sessionid = audit_get_sessionid(current);
502 u32 sid = NETLINK_CB(skb).sid; 557 u32 sid;
503 558
504 err = verify_newsa_info(p, attrs); 559 err = verify_newsa_info(p, attrs);
505 if (err) 560 if (err)
@@ -515,6 +570,7 @@ static int xfrm_add_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
515 else 570 else
516 err = xfrm_state_update(x); 571 err = xfrm_state_update(x);
517 572
573 security_task_getsecid(current, &sid);
518 xfrm_audit_state_add(x, err ? 0 : 1, loginuid, sessionid, sid); 574 xfrm_audit_state_add(x, err ? 0 : 1, loginuid, sessionid, sid);
519 575
520 if (err < 0) { 576 if (err < 0) {
@@ -575,9 +631,9 @@ static int xfrm_del_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
575 int err = -ESRCH; 631 int err = -ESRCH;
576 struct km_event c; 632 struct km_event c;
577 struct xfrm_usersa_id *p = nlmsg_data(nlh); 633 struct xfrm_usersa_id *p = nlmsg_data(nlh);
578 uid_t loginuid = NETLINK_CB(skb).loginuid; 634 uid_t loginuid = audit_get_loginuid(current);
579 u32 sessionid = NETLINK_CB(skb).sessionid; 635 u32 sessionid = audit_get_sessionid(current);
580 u32 sid = NETLINK_CB(skb).sid; 636 u32 sid;
581 637
582 x = xfrm_user_state_lookup(net, p, attrs, &err); 638 x = xfrm_user_state_lookup(net, p, attrs, &err);
583 if (x == NULL) 639 if (x == NULL)
@@ -602,6 +658,7 @@ static int xfrm_del_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
602 km_state_notify(x, &c); 658 km_state_notify(x, &c);
603 659
604out: 660out:
661 security_task_getsecid(current, &sid);
605 xfrm_audit_state_delete(x, err ? 0 : 1, loginuid, sessionid, sid); 662 xfrm_audit_state_delete(x, err ? 0 : 1, loginuid, sessionid, sid);
606 xfrm_state_put(x); 663 xfrm_state_put(x);
607 return err; 664 return err;
@@ -705,6 +762,10 @@ static int copy_to_user_state_extra(struct xfrm_state *x,
705 if (xfrm_mark_put(skb, &x->mark)) 762 if (xfrm_mark_put(skb, &x->mark))
706 goto nla_put_failure; 763 goto nla_put_failure;
707 764
765 if (x->replay_esn)
766 NLA_PUT(skb, XFRMA_REPLAY_ESN_VAL,
767 xfrm_replay_state_esn_len(x->replay_esn), x->replay_esn);
768
708 if (x->security && copy_sec_ctx(x->security, skb) < 0) 769 if (x->security && copy_sec_ctx(x->security, skb) < 0)
709 goto nla_put_failure; 770 goto nla_put_failure;
710 771
@@ -1265,9 +1326,9 @@ static int xfrm_add_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
1265 struct km_event c; 1326 struct km_event c;
1266 int err; 1327 int err;
1267 int excl; 1328 int excl;
1268 uid_t loginuid = NETLINK_CB(skb).loginuid; 1329 uid_t loginuid = audit_get_loginuid(current);
1269 u32 sessionid = NETLINK_CB(skb).sessionid; 1330 u32 sessionid = audit_get_sessionid(current);
1270 u32 sid = NETLINK_CB(skb).sid; 1331 u32 sid;
1271 1332
1272 err = verify_newpolicy_info(p); 1333 err = verify_newpolicy_info(p);
1273 if (err) 1334 if (err)
@@ -1286,6 +1347,7 @@ static int xfrm_add_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
1286 * a type XFRM_MSG_UPDPOLICY - JHS */ 1347 * a type XFRM_MSG_UPDPOLICY - JHS */
1287 excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY; 1348 excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY;
1288 err = xfrm_policy_insert(p->dir, xp, excl); 1349 err = xfrm_policy_insert(p->dir, xp, excl);
1350 security_task_getsecid(current, &sid);
1289 xfrm_audit_policy_add(xp, err ? 0 : 1, loginuid, sessionid, sid); 1351 xfrm_audit_policy_add(xp, err ? 0 : 1, loginuid, sessionid, sid);
1290 1352
1291 if (err) { 1353 if (err) {
@@ -1522,10 +1584,11 @@ static int xfrm_get_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
1522 NETLINK_CB(skb).pid); 1584 NETLINK_CB(skb).pid);
1523 } 1585 }
1524 } else { 1586 } else {
1525 uid_t loginuid = NETLINK_CB(skb).loginuid; 1587 uid_t loginuid = audit_get_loginuid(current);
1526 u32 sessionid = NETLINK_CB(skb).sessionid; 1588 u32 sessionid = audit_get_sessionid(current);
1527 u32 sid = NETLINK_CB(skb).sid; 1589 u32 sid;
1528 1590
1591 security_task_getsecid(current, &sid);
1529 xfrm_audit_policy_delete(xp, err ? 0 : 1, loginuid, sessionid, 1592 xfrm_audit_policy_delete(xp, err ? 0 : 1, loginuid, sessionid,
1530 sid); 1593 sid);
1531 1594
@@ -1553,9 +1616,9 @@ static int xfrm_flush_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
1553 struct xfrm_audit audit_info; 1616 struct xfrm_audit audit_info;
1554 int err; 1617 int err;
1555 1618
1556 audit_info.loginuid = NETLINK_CB(skb).loginuid; 1619 audit_info.loginuid = audit_get_loginuid(current);
1557 audit_info.sessionid = NETLINK_CB(skb).sessionid; 1620 audit_info.sessionid = audit_get_sessionid(current);
1558 audit_info.secid = NETLINK_CB(skb).sid; 1621 security_task_getsecid(current, &audit_info.secid);
1559 err = xfrm_state_flush(net, p->proto, &audit_info); 1622 err = xfrm_state_flush(net, p->proto, &audit_info);
1560 if (err) { 1623 if (err) {
1561 if (err == -ESRCH) /* empty table */ 1624 if (err == -ESRCH) /* empty table */
@@ -1572,17 +1635,21 @@ static int xfrm_flush_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
1572 return 0; 1635 return 0;
1573} 1636}
1574 1637
1575static inline size_t xfrm_aevent_msgsize(void) 1638static inline size_t xfrm_aevent_msgsize(struct xfrm_state *x)
1576{ 1639{
1640 size_t replay_size = x->replay_esn ?
1641 xfrm_replay_state_esn_len(x->replay_esn) :
1642 sizeof(struct xfrm_replay_state);
1643
1577 return NLMSG_ALIGN(sizeof(struct xfrm_aevent_id)) 1644 return NLMSG_ALIGN(sizeof(struct xfrm_aevent_id))
1578 + nla_total_size(sizeof(struct xfrm_replay_state)) 1645 + nla_total_size(replay_size)
1579 + nla_total_size(sizeof(struct xfrm_lifetime_cur)) 1646 + nla_total_size(sizeof(struct xfrm_lifetime_cur))
1580 + nla_total_size(sizeof(struct xfrm_mark)) 1647 + nla_total_size(sizeof(struct xfrm_mark))
1581 + nla_total_size(4) /* XFRM_AE_RTHR */ 1648 + nla_total_size(4) /* XFRM_AE_RTHR */
1582 + nla_total_size(4); /* XFRM_AE_ETHR */ 1649 + nla_total_size(4); /* XFRM_AE_ETHR */
1583} 1650}
1584 1651
1585static int build_aevent(struct sk_buff *skb, struct xfrm_state *x, struct km_event *c) 1652static int build_aevent(struct sk_buff *skb, struct xfrm_state *x, const struct km_event *c)
1586{ 1653{
1587 struct xfrm_aevent_id *id; 1654 struct xfrm_aevent_id *id;
1588 struct nlmsghdr *nlh; 1655 struct nlmsghdr *nlh;
@@ -1600,7 +1667,13 @@ static int build_aevent(struct sk_buff *skb, struct xfrm_state *x, struct km_eve
1600 id->reqid = x->props.reqid; 1667 id->reqid = x->props.reqid;
1601 id->flags = c->data.aevent; 1668 id->flags = c->data.aevent;
1602 1669
1603 NLA_PUT(skb, XFRMA_REPLAY_VAL, sizeof(x->replay), &x->replay); 1670 if (x->replay_esn)
1671 NLA_PUT(skb, XFRMA_REPLAY_ESN_VAL,
1672 xfrm_replay_state_esn_len(x->replay_esn),
1673 x->replay_esn);
1674 else
1675 NLA_PUT(skb, XFRMA_REPLAY_VAL, sizeof(x->replay), &x->replay);
1676
1604 NLA_PUT(skb, XFRMA_LTIME_VAL, sizeof(x->curlft), &x->curlft); 1677 NLA_PUT(skb, XFRMA_LTIME_VAL, sizeof(x->curlft), &x->curlft);
1605 1678
1606 if (id->flags & XFRM_AE_RTHR) 1679 if (id->flags & XFRM_AE_RTHR)
@@ -1633,16 +1706,16 @@ static int xfrm_get_ae(struct sk_buff *skb, struct nlmsghdr *nlh,
1633 struct xfrm_aevent_id *p = nlmsg_data(nlh); 1706 struct xfrm_aevent_id *p = nlmsg_data(nlh);
1634 struct xfrm_usersa_id *id = &p->sa_id; 1707 struct xfrm_usersa_id *id = &p->sa_id;
1635 1708
1636 r_skb = nlmsg_new(xfrm_aevent_msgsize(), GFP_ATOMIC);
1637 if (r_skb == NULL)
1638 return -ENOMEM;
1639
1640 mark = xfrm_mark_get(attrs, &m); 1709 mark = xfrm_mark_get(attrs, &m);
1641 1710
1642 x = xfrm_state_lookup(net, mark, &id->daddr, id->spi, id->proto, id->family); 1711 x = xfrm_state_lookup(net, mark, &id->daddr, id->spi, id->proto, id->family);
1643 if (x == NULL) { 1712 if (x == NULL)
1644 kfree_skb(r_skb);
1645 return -ESRCH; 1713 return -ESRCH;
1714
1715 r_skb = nlmsg_new(xfrm_aevent_msgsize(x), GFP_ATOMIC);
1716 if (r_skb == NULL) {
1717 xfrm_state_put(x);
1718 return -ENOMEM;
1646 } 1719 }
1647 1720
1648 /* 1721 /*
@@ -1674,9 +1747,10 @@ static int xfrm_new_ae(struct sk_buff *skb, struct nlmsghdr *nlh,
1674 struct xfrm_mark m; 1747 struct xfrm_mark m;
1675 struct xfrm_aevent_id *p = nlmsg_data(nlh); 1748 struct xfrm_aevent_id *p = nlmsg_data(nlh);
1676 struct nlattr *rp = attrs[XFRMA_REPLAY_VAL]; 1749 struct nlattr *rp = attrs[XFRMA_REPLAY_VAL];
1750 struct nlattr *re = attrs[XFRMA_REPLAY_ESN_VAL];
1677 struct nlattr *lt = attrs[XFRMA_LTIME_VAL]; 1751 struct nlattr *lt = attrs[XFRMA_LTIME_VAL];
1678 1752
1679 if (!lt && !rp) 1753 if (!lt && !rp && !re)
1680 return err; 1754 return err;
1681 1755
1682 /* pedantic mode - thou shalt sayeth replaceth */ 1756 /* pedantic mode - thou shalt sayeth replaceth */
@@ -1720,9 +1794,9 @@ static int xfrm_flush_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
1720 if (err) 1794 if (err)
1721 return err; 1795 return err;
1722 1796
1723 audit_info.loginuid = NETLINK_CB(skb).loginuid; 1797 audit_info.loginuid = audit_get_loginuid(current);
1724 audit_info.sessionid = NETLINK_CB(skb).sessionid; 1798 audit_info.sessionid = audit_get_sessionid(current);
1725 audit_info.secid = NETLINK_CB(skb).sid; 1799 security_task_getsecid(current, &audit_info.secid);
1726 err = xfrm_policy_flush(net, type, &audit_info); 1800 err = xfrm_policy_flush(net, type, &audit_info);
1727 if (err) { 1801 if (err) {
1728 if (err == -ESRCH) /* empty table */ 1802 if (err == -ESRCH) /* empty table */
@@ -1789,9 +1863,11 @@ static int xfrm_add_pol_expire(struct sk_buff *skb, struct nlmsghdr *nlh,
1789 1863
1790 err = 0; 1864 err = 0;
1791 if (up->hard) { 1865 if (up->hard) {
1792 uid_t loginuid = NETLINK_CB(skb).loginuid; 1866 uid_t loginuid = audit_get_loginuid(current);
1793 uid_t sessionid = NETLINK_CB(skb).sessionid; 1867 u32 sessionid = audit_get_sessionid(current);
1794 u32 sid = NETLINK_CB(skb).sid; 1868 u32 sid;
1869
1870 security_task_getsecid(current, &sid);
1795 xfrm_policy_delete(xp, p->dir); 1871 xfrm_policy_delete(xp, p->dir);
1796 xfrm_audit_policy_delete(xp, 1, loginuid, sessionid, sid); 1872 xfrm_audit_policy_delete(xp, 1, loginuid, sessionid, sid);
1797 1873
@@ -1830,9 +1906,11 @@ static int xfrm_add_sa_expire(struct sk_buff *skb, struct nlmsghdr *nlh,
1830 km_state_expired(x, ue->hard, current->pid); 1906 km_state_expired(x, ue->hard, current->pid);
1831 1907
1832 if (ue->hard) { 1908 if (ue->hard) {
1833 uid_t loginuid = NETLINK_CB(skb).loginuid; 1909 uid_t loginuid = audit_get_loginuid(current);
1834 uid_t sessionid = NETLINK_CB(skb).sessionid; 1910 u32 sessionid = audit_get_sessionid(current);
1835 u32 sid = NETLINK_CB(skb).sid; 1911 u32 sid;
1912
1913 security_task_getsecid(current, &sid);
1836 __xfrm_state_delete(x); 1914 __xfrm_state_delete(x);
1837 xfrm_audit_state_delete(x, 1, loginuid, sessionid, sid); 1915 xfrm_audit_state_delete(x, 1, loginuid, sessionid, sid);
1838 } 1916 }
@@ -1986,7 +2064,7 @@ static int xfrm_do_migrate(struct sk_buff *skb, struct nlmsghdr *nlh,
1986#endif 2064#endif
1987 2065
1988#ifdef CONFIG_XFRM_MIGRATE 2066#ifdef CONFIG_XFRM_MIGRATE
1989static int copy_to_user_migrate(struct xfrm_migrate *m, struct sk_buff *skb) 2067static int copy_to_user_migrate(const struct xfrm_migrate *m, struct sk_buff *skb)
1990{ 2068{
1991 struct xfrm_user_migrate um; 2069 struct xfrm_user_migrate um;
1992 2070
@@ -2004,7 +2082,7 @@ static int copy_to_user_migrate(struct xfrm_migrate *m, struct sk_buff *skb)
2004 return nla_put(skb, XFRMA_MIGRATE, sizeof(um), &um); 2082 return nla_put(skb, XFRMA_MIGRATE, sizeof(um), &um);
2005} 2083}
2006 2084
2007static int copy_to_user_kmaddress(struct xfrm_kmaddress *k, struct sk_buff *skb) 2085static int copy_to_user_kmaddress(const struct xfrm_kmaddress *k, struct sk_buff *skb)
2008{ 2086{
2009 struct xfrm_user_kmaddress uk; 2087 struct xfrm_user_kmaddress uk;
2010 2088
@@ -2025,11 +2103,11 @@ static inline size_t xfrm_migrate_msgsize(int num_migrate, int with_kma)
2025 + userpolicy_type_attrsize(); 2103 + userpolicy_type_attrsize();
2026} 2104}
2027 2105
2028static int build_migrate(struct sk_buff *skb, struct xfrm_migrate *m, 2106static int build_migrate(struct sk_buff *skb, const struct xfrm_migrate *m,
2029 int num_migrate, struct xfrm_kmaddress *k, 2107 int num_migrate, const struct xfrm_kmaddress *k,
2030 struct xfrm_selector *sel, u8 dir, u8 type) 2108 const struct xfrm_selector *sel, u8 dir, u8 type)
2031{ 2109{
2032 struct xfrm_migrate *mp; 2110 const struct xfrm_migrate *mp;
2033 struct xfrm_userpolicy_id *pol_id; 2111 struct xfrm_userpolicy_id *pol_id;
2034 struct nlmsghdr *nlh; 2112 struct nlmsghdr *nlh;
2035 int i; 2113 int i;
@@ -2061,9 +2139,9 @@ nlmsg_failure:
2061 return -EMSGSIZE; 2139 return -EMSGSIZE;
2062} 2140}
2063 2141
2064static int xfrm_send_migrate(struct xfrm_selector *sel, u8 dir, u8 type, 2142static int xfrm_send_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
2065 struct xfrm_migrate *m, int num_migrate, 2143 const struct xfrm_migrate *m, int num_migrate,
2066 struct xfrm_kmaddress *k) 2144 const struct xfrm_kmaddress *k)
2067{ 2145{
2068 struct net *net = &init_net; 2146 struct net *net = &init_net;
2069 struct sk_buff *skb; 2147 struct sk_buff *skb;
@@ -2079,9 +2157,9 @@ static int xfrm_send_migrate(struct xfrm_selector *sel, u8 dir, u8 type,
2079 return nlmsg_multicast(net->xfrm.nlsk, skb, 0, XFRMNLGRP_MIGRATE, GFP_ATOMIC); 2157 return nlmsg_multicast(net->xfrm.nlsk, skb, 0, XFRMNLGRP_MIGRATE, GFP_ATOMIC);
2080} 2158}
2081#else 2159#else
2082static int xfrm_send_migrate(struct xfrm_selector *sel, u8 dir, u8 type, 2160static int xfrm_send_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
2083 struct xfrm_migrate *m, int num_migrate, 2161 const struct xfrm_migrate *m, int num_migrate,
2084 struct xfrm_kmaddress *k) 2162 const struct xfrm_kmaddress *k)
2085{ 2163{
2086 return -ENOPROTOOPT; 2164 return -ENOPROTOOPT;
2087} 2165}
@@ -2137,6 +2215,7 @@ static const struct nla_policy xfrma_policy[XFRMA_MAX+1] = {
2137 [XFRMA_KMADDRESS] = { .len = sizeof(struct xfrm_user_kmaddress) }, 2215 [XFRMA_KMADDRESS] = { .len = sizeof(struct xfrm_user_kmaddress) },
2138 [XFRMA_MARK] = { .len = sizeof(struct xfrm_mark) }, 2216 [XFRMA_MARK] = { .len = sizeof(struct xfrm_mark) },
2139 [XFRMA_TFCPAD] = { .type = NLA_U32 }, 2217 [XFRMA_TFCPAD] = { .type = NLA_U32 },
2218 [XFRMA_REPLAY_ESN_VAL] = { .len = sizeof(struct xfrm_replay_state_esn) },
2140}; 2219};
2141 2220
2142static struct xfrm_link { 2221static struct xfrm_link {
@@ -2220,7 +2299,7 @@ static inline size_t xfrm_expire_msgsize(void)
2220 + nla_total_size(sizeof(struct xfrm_mark)); 2299 + nla_total_size(sizeof(struct xfrm_mark));
2221} 2300}
2222 2301
2223static int build_expire(struct sk_buff *skb, struct xfrm_state *x, struct km_event *c) 2302static int build_expire(struct sk_buff *skb, struct xfrm_state *x, const struct km_event *c)
2224{ 2303{
2225 struct xfrm_user_expire *ue; 2304 struct xfrm_user_expire *ue;
2226 struct nlmsghdr *nlh; 2305 struct nlmsghdr *nlh;
@@ -2242,7 +2321,7 @@ nla_put_failure:
2242 return -EMSGSIZE; 2321 return -EMSGSIZE;
2243} 2322}
2244 2323
2245static int xfrm_exp_state_notify(struct xfrm_state *x, struct km_event *c) 2324static int xfrm_exp_state_notify(struct xfrm_state *x, const struct km_event *c)
2246{ 2325{
2247 struct net *net = xs_net(x); 2326 struct net *net = xs_net(x);
2248 struct sk_buff *skb; 2327 struct sk_buff *skb;
@@ -2259,12 +2338,12 @@ static int xfrm_exp_state_notify(struct xfrm_state *x, struct km_event *c)
2259 return nlmsg_multicast(net->xfrm.nlsk, skb, 0, XFRMNLGRP_EXPIRE, GFP_ATOMIC); 2338 return nlmsg_multicast(net->xfrm.nlsk, skb, 0, XFRMNLGRP_EXPIRE, GFP_ATOMIC);
2260} 2339}
2261 2340
2262static int xfrm_aevent_state_notify(struct xfrm_state *x, struct km_event *c) 2341static int xfrm_aevent_state_notify(struct xfrm_state *x, const struct km_event *c)
2263{ 2342{
2264 struct net *net = xs_net(x); 2343 struct net *net = xs_net(x);
2265 struct sk_buff *skb; 2344 struct sk_buff *skb;
2266 2345
2267 skb = nlmsg_new(xfrm_aevent_msgsize(), GFP_ATOMIC); 2346 skb = nlmsg_new(xfrm_aevent_msgsize(x), GFP_ATOMIC);
2268 if (skb == NULL) 2347 if (skb == NULL)
2269 return -ENOMEM; 2348 return -ENOMEM;
2270 2349
@@ -2274,7 +2353,7 @@ static int xfrm_aevent_state_notify(struct xfrm_state *x, struct km_event *c)
2274 return nlmsg_multicast(net->xfrm.nlsk, skb, 0, XFRMNLGRP_AEVENTS, GFP_ATOMIC); 2353 return nlmsg_multicast(net->xfrm.nlsk, skb, 0, XFRMNLGRP_AEVENTS, GFP_ATOMIC);
2275} 2354}
2276 2355
2277static int xfrm_notify_sa_flush(struct km_event *c) 2356static int xfrm_notify_sa_flush(const struct km_event *c)
2278{ 2357{
2279 struct net *net = c->net; 2358 struct net *net = c->net;
2280 struct xfrm_usersa_flush *p; 2359 struct xfrm_usersa_flush *p;
@@ -2318,6 +2397,8 @@ static inline size_t xfrm_sa_len(struct xfrm_state *x)
2318 l += nla_total_size(sizeof(*x->encap)); 2397 l += nla_total_size(sizeof(*x->encap));
2319 if (x->tfcpad) 2398 if (x->tfcpad)
2320 l += nla_total_size(sizeof(x->tfcpad)); 2399 l += nla_total_size(sizeof(x->tfcpad));
2400 if (x->replay_esn)
2401 l += nla_total_size(xfrm_replay_state_esn_len(x->replay_esn));
2321 if (x->security) 2402 if (x->security)
2322 l += nla_total_size(sizeof(struct xfrm_user_sec_ctx) + 2403 l += nla_total_size(sizeof(struct xfrm_user_sec_ctx) +
2323 x->security->ctx_len); 2404 x->security->ctx_len);
@@ -2330,7 +2411,7 @@ static inline size_t xfrm_sa_len(struct xfrm_state *x)
2330 return l; 2411 return l;
2331} 2412}
2332 2413
2333static int xfrm_notify_sa(struct xfrm_state *x, struct km_event *c) 2414static int xfrm_notify_sa(struct xfrm_state *x, const struct km_event *c)
2334{ 2415{
2335 struct net *net = xs_net(x); 2416 struct net *net = xs_net(x);
2336 struct xfrm_usersa_info *p; 2417 struct xfrm_usersa_info *p;
@@ -2387,7 +2468,7 @@ nla_put_failure:
2387 return -1; 2468 return -1;
2388} 2469}
2389 2470
2390static int xfrm_send_state_notify(struct xfrm_state *x, struct km_event *c) 2471static int xfrm_send_state_notify(struct xfrm_state *x, const struct km_event *c)
2391{ 2472{
2392 2473
2393 switch (c->event) { 2474 switch (c->event) {
@@ -2546,7 +2627,7 @@ static inline size_t xfrm_polexpire_msgsize(struct xfrm_policy *xp)
2546} 2627}
2547 2628
2548static int build_polexpire(struct sk_buff *skb, struct xfrm_policy *xp, 2629static int build_polexpire(struct sk_buff *skb, struct xfrm_policy *xp,
2549 int dir, struct km_event *c) 2630 int dir, const struct km_event *c)
2550{ 2631{
2551 struct xfrm_user_polexpire *upe; 2632 struct xfrm_user_polexpire *upe;
2552 struct nlmsghdr *nlh; 2633 struct nlmsghdr *nlh;
@@ -2576,7 +2657,7 @@ nlmsg_failure:
2576 return -EMSGSIZE; 2657 return -EMSGSIZE;
2577} 2658}
2578 2659
2579static int xfrm_exp_policy_notify(struct xfrm_policy *xp, int dir, struct km_event *c) 2660static int xfrm_exp_policy_notify(struct xfrm_policy *xp, int dir, const struct km_event *c)
2580{ 2661{
2581 struct net *net = xp_net(xp); 2662 struct net *net = xp_net(xp);
2582 struct sk_buff *skb; 2663 struct sk_buff *skb;
@@ -2591,7 +2672,7 @@ static int xfrm_exp_policy_notify(struct xfrm_policy *xp, int dir, struct km_eve
2591 return nlmsg_multicast(net->xfrm.nlsk, skb, 0, XFRMNLGRP_EXPIRE, GFP_ATOMIC); 2672 return nlmsg_multicast(net->xfrm.nlsk, skb, 0, XFRMNLGRP_EXPIRE, GFP_ATOMIC);
2592} 2673}
2593 2674
2594static int xfrm_notify_policy(struct xfrm_policy *xp, int dir, struct km_event *c) 2675static int xfrm_notify_policy(struct xfrm_policy *xp, int dir, const struct km_event *c)
2595{ 2676{
2596 struct net *net = xp_net(xp); 2677 struct net *net = xp_net(xp);
2597 struct xfrm_userpolicy_info *p; 2678 struct xfrm_userpolicy_info *p;
@@ -2656,7 +2737,7 @@ nlmsg_failure:
2656 return -1; 2737 return -1;
2657} 2738}
2658 2739
2659static int xfrm_notify_policy_flush(struct km_event *c) 2740static int xfrm_notify_policy_flush(const struct km_event *c)
2660{ 2741{
2661 struct net *net = c->net; 2742 struct net *net = c->net;
2662 struct nlmsghdr *nlh; 2743 struct nlmsghdr *nlh;
@@ -2681,7 +2762,7 @@ nlmsg_failure:
2681 return -1; 2762 return -1;
2682} 2763}
2683 2764
2684static int xfrm_send_policy_notify(struct xfrm_policy *xp, int dir, struct km_event *c) 2765static int xfrm_send_policy_notify(struct xfrm_policy *xp, int dir, const struct km_event *c)
2685{ 2766{
2686 2767
2687 switch (c->event) { 2768 switch (c->event) {
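Review bot: The new XFRMA_REPLAY_ESN_VAL attribute is copied with a length taken from the attribute's own contents, and nothing in this file section bounds that length against the received payload or the destination buffer. In `xfrm_alloc_replay_state_esn` both `kmemdup` calls read `xfrm_replay_state_esn_len(up)` bytes from `nla_data(rta)`, while the `xfrma_policy` entry sets only `.len = sizeof(struct xfrm_replay_state_esn)`, which for an untyped attribute is a minimum covering the fixed header, and `verify_replay` checks only `p->replay_window`. In `xfrm_update_ae_params` the two `memcpy` calls write that same sender-declared length into `x->replay_esn` and `x->preplay_esn`, which were allocated earlier and may be smaller. The helper's definition is not on this page, so this assumes its result depends on a length field inside the struct; if so, add `if (nla_len(rta) < xfrm_replay_state_esn_len(up)) return -EINVAL;` before the first `kmemdup`, and call a check like the one below from `xfrm_new_ae` before the state is modified. Most of `xfrm_new_ae`'s body lies outside the hunks shown, so the exact call site needs confirming.

```c
/* Reject an ESN attribute whose self-declared size exceeds the received
 * payload or differs from the buffers already allocated on the state. */
static int xfrm_replay_verify_len(struct xfrm_replay_state_esn *replay_esn,
				  struct nlattr *rp)
{
	struct xfrm_replay_state_esn *up;

	if (!replay_esn || !rp)
		return 0;

	up = nla_data(rp);

	if (nla_len(rp) < xfrm_replay_state_esn_len(up) ||
	    xfrm_replay_state_esn_len(replay_esn) != xfrm_replay_state_esn_len(up))
		return -EINVAL;

	return 0;
}

/* … unchanged: xfrm_update_ae_params(), to be reached only after the check above succeeds … */
```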