2005-04-17 06:20:36 +08:00
|
|
|
#ifndef _NET_XFRM_H
|
|
|
|
#define _NET_XFRM_H
|
|
|
|
|
2005-05-04 07:27:10 +08:00
|
|
|
#include <linux/compiler.h>
|
2005-12-27 12:43:12 +08:00
|
|
|
#include <linux/in.h>
|
2005-04-17 06:20:36 +08:00
|
|
|
#include <linux/xfrm.h>
|
|
|
|
#include <linux/spinlock.h>
|
|
|
|
#include <linux/list.h>
|
|
|
|
#include <linux/skbuff.h>
|
2005-12-27 12:43:12 +08:00
|
|
|
#include <linux/socket.h>
|
2005-04-17 06:20:36 +08:00
|
|
|
#include <linux/pfkeyv2.h>
|
2006-09-23 06:06:24 +08:00
|
|
|
#include <linux/ipsec.h>
|
2005-04-17 06:20:36 +08:00
|
|
|
#include <linux/in6.h>
|
2006-03-21 14:33:17 +08:00
|
|
|
#include <linux/mutex.h>
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
#include <net/sock.h>
|
|
|
|
#include <net/dst.h>
|
|
|
|
#include <net/route.h>
|
|
|
|
#include <net/ipv6.h>
|
|
|
|
#include <net/ip6_fib.h>
|
|
|
|
|
|
|
|
#define XFRM_ALIGN8(len) (((len) + 7) & ~7)
|
2006-05-28 14:05:54 +08:00
|
|
|
#define MODULE_ALIAS_XFRM_MODE(family, encap) \
|
|
|
|
MODULE_ALIAS("xfrm-mode-" __stringify(family) "-" __stringify(encap))
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2006-03-21 11:15:11 +08:00
|
|
|
extern struct sock *xfrm_nl;
|
|
|
|
extern u32 sysctl_xfrm_aevent_etime;
|
|
|
|
extern u32 sysctl_xfrm_aevent_rseqth;
|
|
|
|
|
2006-03-21 14:33:17 +08:00
|
|
|
extern struct mutex xfrm_cfg_mutex;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
/* Organization of SPD aka "XFRM rules"
|
|
|
|
------------------------------------
|
|
|
|
|
|
|
|
Basic objects:
|
|
|
|
- policy rule, struct xfrm_policy (=SPD entry)
|
|
|
|
- bundle of transformations, struct dst_entry == struct xfrm_dst (=SA bundle)
|
|
|
|
- instance of a transformer, struct xfrm_state (=SA)
|
|
|
|
- template to clone xfrm_state, struct xfrm_tmpl
|
|
|
|
|
|
|
|
SPD is plain linear list of xfrm_policy rules, ordered by priority.
|
|
|
|
(To be compatible with existing pfkeyv2 implementations,
|
|
|
|
many rules with priority of 0x7fffffff are allowed to exist and
|
|
|
|
such rules are ordered in an unpredictable way, thanks to bsd folks.)
|
|
|
|
|
|
|
|
Lookup is plain linear search until the first match with selector.
|
|
|
|
|
|
|
|
If "action" is "block", then we prohibit the flow, otherwise:
|
|
|
|
if "xfrms_nr" is zero, the flow passes untransformed. Otherwise,
|
|
|
|
policy entry has list of up to XFRM_MAX_DEPTH transformations,
|
|
|
|
described by templates xfrm_tmpl. Each template is resolved
|
|
|
|
to a complete xfrm_state (see below) and we pack bundle of transformations
|
|
|
|
to a dst_entry returned to requestor.
|
|
|
|
|
|
|
|
dst -. xfrm .-> xfrm_state #1
|
|
|
|
|---. child .-> dst -. xfrm .-> xfrm_state #2
|
|
|
|
|---. child .-> dst -. xfrm .-> xfrm_state #3
|
|
|
|
|---. child .-> NULL
|
|
|
|
|
|
|
|
Bundles are cached at xrfm_policy struct (field ->bundles).
|
|
|
|
|
|
|
|
|
|
|
|
Resolution of xrfm_tmpl
|
|
|
|
-----------------------
|
|
|
|
Template contains:
|
|
|
|
1. ->mode Mode: transport or tunnel
|
|
|
|
2. ->id.proto Protocol: AH/ESP/IPCOMP
|
|
|
|
3. ->id.daddr Remote tunnel endpoint, ignored for transport mode.
|
|
|
|
Q: allow to resolve security gateway?
|
|
|
|
4. ->id.spi If not zero, static SPI.
|
|
|
|
5. ->saddr Local tunnel endpoint, ignored for transport mode.
|
|
|
|
6. ->algos List of allowed algos. Plain bitmask now.
|
|
|
|
Q: ealgos, aalgos, calgos. What a mess...
|
|
|
|
7. ->share Sharing mode.
|
|
|
|
Q: how to implement private sharing mode? To add struct sock* to
|
|
|
|
flow id?
|
|
|
|
|
|
|
|
Having this template we search through SAD searching for entries
|
|
|
|
with appropriate mode/proto/algo, permitted by selector.
|
|
|
|
If no appropriate entry found, it is requested from key manager.
|
|
|
|
|
|
|
|
PROBLEMS:
|
|
|
|
Q: How to find all the bundles referring to a physical path for
|
|
|
|
PMTU discovery? Seems, dst should contain list of all parents...
|
|
|
|
and enter to infinite locking hierarchy disaster.
|
|
|
|
No! It is easier, we will not search for them, let them find us.
|
|
|
|
We add genid to each dst plus pointer to genid of raw IP route,
|
|
|
|
pmtu disc will update pmtu on raw IP route and increase its genid.
|
|
|
|
dst_check() will see this for top level and trigger resyncing
|
|
|
|
metrics. Plus, it will be made via sk->sk_dst_cache. Solved.
|
|
|
|
*/
|
|
|
|
|
|
|
|
/* Full description of state of transformer. */
|
|
|
|
struct xfrm_state
|
|
|
|
{
|
|
|
|
/* Note: bydst is re-used during gc */
|
2006-08-24 17:45:07 +08:00
|
|
|
struct hlist_node bydst;
|
|
|
|
struct hlist_node bysrc;
|
|
|
|
struct hlist_node byspi;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
atomic_t refcnt;
|
|
|
|
spinlock_t lock;
|
|
|
|
|
|
|
|
struct xfrm_id id;
|
|
|
|
struct xfrm_selector sel;
|
|
|
|
|
2006-08-24 18:18:09 +08:00
|
|
|
u32 genid;
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
/* Key manger bits */
|
|
|
|
struct {
|
|
|
|
u8 state;
|
|
|
|
u8 dying;
|
|
|
|
u32 seq;
|
|
|
|
} km;
|
|
|
|
|
|
|
|
/* Parameters of this state. */
|
|
|
|
struct {
|
|
|
|
u32 reqid;
|
|
|
|
u8 mode;
|
|
|
|
u8 replay_window;
|
|
|
|
u8 aalgo, ealgo, calgo;
|
|
|
|
u8 flags;
|
|
|
|
u16 family;
|
|
|
|
xfrm_address_t saddr;
|
|
|
|
int header_len;
|
|
|
|
int trailer_len;
|
|
|
|
} props;
|
|
|
|
|
|
|
|
struct xfrm_lifetime_cfg lft;
|
|
|
|
|
|
|
|
/* Data for transformer */
|
|
|
|
struct xfrm_algo *aalg;
|
|
|
|
struct xfrm_algo *ealg;
|
|
|
|
struct xfrm_algo *calg;
|
|
|
|
|
|
|
|
/* Data for encapsulator */
|
|
|
|
struct xfrm_encap_tmpl *encap;
|
|
|
|
|
2006-08-24 09:18:55 +08:00
|
|
|
/* Data for care-of address */
|
|
|
|
xfrm_address_t *coaddr;
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
/* IPComp needs an IPIP tunnel for handling uncompressed packets */
|
|
|
|
struct xfrm_state *tunnel;
|
|
|
|
|
|
|
|
/* If a tunnel, number of users + 1 */
|
|
|
|
atomic_t tunnel_users;
|
|
|
|
|
|
|
|
/* State for replay detection */
|
|
|
|
struct xfrm_replay_state replay;
|
|
|
|
|
2006-03-21 11:15:11 +08:00
|
|
|
/* Replay detection state at the time we sent the last notification */
|
|
|
|
struct xfrm_replay_state preplay;
|
|
|
|
|
2006-04-15 06:03:05 +08:00
|
|
|
/* internal flag that only holds state for delayed aevent at the
|
|
|
|
* moment
|
|
|
|
*/
|
|
|
|
u32 xflags;
|
|
|
|
|
2006-03-21 11:15:11 +08:00
|
|
|
/* Replay detection notification settings */
|
|
|
|
u32 replay_maxage;
|
|
|
|
u32 replay_maxdiff;
|
|
|
|
|
|
|
|
/* Replay detection notification timer */
|
|
|
|
struct timer_list rtimer;
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
/* Statistics */
|
|
|
|
struct xfrm_stats stats;
|
|
|
|
|
|
|
|
struct xfrm_lifetime_cur curlft;
|
|
|
|
struct timer_list timer;
|
|
|
|
|
2006-08-24 09:20:16 +08:00
|
|
|
/* Last used time */
|
|
|
|
u64 lastused;
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
/* Reference to data common to all the instances of this
|
|
|
|
* transformer. */
|
|
|
|
struct xfrm_type *type;
|
2006-05-28 14:05:54 +08:00
|
|
|
struct xfrm_mode *mode;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
[LSM-IPSec]: Security association restriction.
This patch series implements per packet access control via the
extension of the Linux Security Modules (LSM) interface by hooks in
the XFRM and pfkey subsystems that leverage IPSec security
associations to label packets. Extensions to the SELinux LSM are
included that leverage the patch for this purpose.
This patch implements the changes necessary to the XFRM subsystem,
pfkey interface, ipv4/ipv6, and xfrm_user interface to restrict a
socket to use only authorized security associations (or no security
association) to send/receive network packets.
Patch purpose:
The patch is designed to enable access control per packets based on
the strongly authenticated IPSec security association. Such access
controls augment the existing ones based on network interface and IP
address. The former are very coarse-grained, and the latter can be
spoofed. By using IPSec, the system can control access to remote
hosts based on cryptographic keys generated using the IPSec mechanism.
This enables access control on a per-machine basis or per-application
if the remote machine is running the same mechanism and trusted to
enforce the access control policy.
Patch design approach:
The overall approach is that policy (xfrm_policy) entries set by
user-level programs (e.g., setkey for ipsec-tools) are extended with a
security context that is used at policy selection time in the XFRM
subsystem to restrict the sockets that can send/receive packets via
security associations (xfrm_states) that are built from those
policies.
A presentation available at
www.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf
from the SELinux symposium describes the overall approach.
Patch implementation details:
On output, the policy retrieved (via xfrm_policy_lookup or
xfrm_sk_policy_lookup) must be authorized for the security context of
the socket and the same security context is required for resultant
security association (retrieved or negotiated via racoon in
ipsec-tools). This is enforced in xfrm_state_find.
On input, the policy retrieved must also be authorized for the socket
(at __xfrm_policy_check), and the security context of the policy must
also match the security association being used.
The patch has virtually no impact on packets that do not use IPSec.
The existing Netfilter (outgoing) and LSM rcv_skb hooks are used as
before.
Also, if IPSec is used without security contexts, the impact is
minimal. The LSM must allow such policies to be selected for the
combination of socket and remote machine, but subsequent IPSec
processing proceeds as in the original case.
Testing:
The pfkey interface is tested using the ipsec-tools. ipsec-tools have
been modified (a separate ipsec-tools patch is available for version
0.5) that supports assignment of xfrm_policy entries and security
associations with security contexts via setkey and the negotiation
using the security contexts via racoon.
The xfrm_user interface is tested via ad hoc programs that set
security contexts. These programs are also available from me, and
contain programs for setting, getting, and deleting policy for testing
this interface. Testing of sa functions was done by tracing kernel
behavior.
Signed-off-by: Trent Jaeger <tjaeger@cse.psu.edu>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-14 15:12:27 +08:00
|
|
|
/* Security context */
|
|
|
|
struct xfrm_sec_ctx *security;
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
/* Private data of this transformer, format is opaque,
|
|
|
|
* interpreted by xfrm_type methods. */
|
|
|
|
void *data;
|
|
|
|
};
|
|
|
|
|
2006-04-15 06:03:05 +08:00
|
|
|
/* xflags - make enum if more show up */
|
|
|
|
#define XFRM_TIME_DEFER 1
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
enum {
|
|
|
|
XFRM_STATE_VOID,
|
|
|
|
XFRM_STATE_ACQ,
|
|
|
|
XFRM_STATE_VALID,
|
|
|
|
XFRM_STATE_ERROR,
|
|
|
|
XFRM_STATE_EXPIRED,
|
|
|
|
XFRM_STATE_DEAD
|
|
|
|
};
|
|
|
|
|
2005-06-19 13:42:13 +08:00
|
|
|
/* callback structure passed from either netlink or pfkey */
|
|
|
|
struct km_event
|
|
|
|
{
|
2005-06-19 13:44:00 +08:00
|
|
|
union {
|
|
|
|
u32 hard;
|
|
|
|
u32 proto;
|
|
|
|
u32 byid;
|
2006-03-21 11:15:11 +08:00
|
|
|
u32 aevent;
|
2006-08-24 13:49:28 +08:00
|
|
|
u32 type;
|
2005-06-19 13:44:00 +08:00
|
|
|
} data;
|
|
|
|
|
2005-06-19 13:42:13 +08:00
|
|
|
u32 seq;
|
|
|
|
u32 pid;
|
|
|
|
u32 event;
|
|
|
|
};
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
struct xfrm_type;
|
|
|
|
struct xfrm_dst;
|
|
|
|
struct xfrm_policy_afinfo {
|
|
|
|
unsigned short family;
|
2006-05-28 14:06:33 +08:00
|
|
|
struct xfrm_type *type_map[IPPROTO_MAX];
|
2006-05-28 14:05:54 +08:00
|
|
|
struct xfrm_mode *mode_map[XFRM_MODE_MAX];
|
2005-04-17 06:20:36 +08:00
|
|
|
struct dst_ops *dst_ops;
|
|
|
|
void (*garbage_collect)(void);
|
|
|
|
int (*dst_lookup)(struct xfrm_dst **dst, struct flowi *fl);
|
2006-09-20 03:57:34 +08:00
|
|
|
int (*get_saddr)(xfrm_address_t *saddr, xfrm_address_t *daddr);
|
2005-04-17 06:20:36 +08:00
|
|
|
struct dst_entry *(*find_bundle)(struct flowi *fl, struct xfrm_policy *policy);
|
|
|
|
int (*bundle_create)(struct xfrm_policy *policy,
|
|
|
|
struct xfrm_state **xfrm,
|
|
|
|
int nx,
|
|
|
|
struct flowi *fl,
|
|
|
|
struct dst_entry **dst_p);
|
|
|
|
void (*decode_session)(struct sk_buff *skb,
|
|
|
|
struct flowi *fl);
|
|
|
|
};
|
|
|
|
|
|
|
|
extern int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo);
|
|
|
|
extern int xfrm_policy_unregister_afinfo(struct xfrm_policy_afinfo *afinfo);
|
2005-06-19 13:42:13 +08:00
|
|
|
extern void km_policy_notify(struct xfrm_policy *xp, int dir, struct km_event *c);
|
|
|
|
extern void km_state_notify(struct xfrm_state *x, struct km_event *c);
|
2005-04-17 06:20:36 +08:00
|
|
|
#define XFRM_ACQ_EXPIRES 30
|
|
|
|
|
|
|
|
struct xfrm_tmpl;
|
[IPSEC]: Sync series - acquire insert
This introduces a feature similar to the one described in RFC 2367:
"
... the application needing an SA sends a PF_KEY
SADB_ACQUIRE message down to the Key Engine, which then either
returns an error or sends a similar SADB_ACQUIRE message up to one or
more key management applications capable of creating such SAs.
...
...
The third is where an application-layer consumer of security
associations (e.g. an OSPFv2 or RIPv2 daemon) needs a security
association.
Send an SADB_ACQUIRE message from a user process to the kernel.
<base, address(SD), (address(P),) (identity(SD),) (sensitivity,)
proposal>
The kernel returns an SADB_ACQUIRE message to registered
sockets.
<base, address(SD), (address(P),) (identity(SD),) (sensitivity,)
proposal>
The user-level consumer waits for an SADB_UPDATE or SADB_ADD
message for its particular type, and then can use that
association by using SADB_GET messages.
"
An app such as OSPF could then use ipsec KM to get keys
Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-03-21 11:16:40 +08:00
|
|
|
extern int km_query(struct xfrm_state *x, struct xfrm_tmpl *t, struct xfrm_policy *pol);
|
2006-03-21 11:17:03 +08:00
|
|
|
extern void km_state_expired(struct xfrm_state *x, int hard, u32 pid);
|
|
|
|
extern int __xfrm_state_delete(struct xfrm_state *x);
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
struct xfrm_state_afinfo {
|
|
|
|
unsigned short family;
|
2005-06-21 04:19:41 +08:00
|
|
|
int (*init_flags)(struct xfrm_state *x);
|
2005-04-17 06:20:36 +08:00
|
|
|
void (*init_tempsel)(struct xfrm_state *x, struct flowi *fl,
|
|
|
|
struct xfrm_tmpl *tmpl,
|
|
|
|
xfrm_address_t *daddr, xfrm_address_t *saddr);
|
2006-08-24 13:48:31 +08:00
|
|
|
int (*tmpl_sort)(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, int n);
|
|
|
|
int (*state_sort)(struct xfrm_state **dst, struct xfrm_state **src, int n);
|
2007-02-07 06:24:56 +08:00
|
|
|
int (*output)(struct sk_buff *skb);
|
2005-04-17 06:20:36 +08:00
|
|
|
};
|
|
|
|
|
|
|
|
extern int xfrm_state_register_afinfo(struct xfrm_state_afinfo *afinfo);
|
|
|
|
extern int xfrm_state_unregister_afinfo(struct xfrm_state_afinfo *afinfo);
|
2007-02-07 06:24:56 +08:00
|
|
|
extern struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned short family);
|
|
|
|
extern void xfrm_state_put_afinfo(struct xfrm_state_afinfo *afinfo);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
extern void xfrm_state_delete_tunnel(struct xfrm_state *x);
|
|
|
|
|
|
|
|
struct xfrm_type
|
|
|
|
{
|
|
|
|
char *description;
|
|
|
|
struct module *owner;
|
|
|
|
__u8 proto;
|
2006-08-24 09:11:50 +08:00
|
|
|
__u8 flags;
|
|
|
|
#define XFRM_TYPE_NON_FRAGMENT 1
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2005-06-21 04:18:08 +08:00
|
|
|
int (*init_state)(struct xfrm_state *x);
|
2005-04-17 06:20:36 +08:00
|
|
|
void (*destructor)(struct xfrm_state *);
|
2006-04-01 16:52:46 +08:00
|
|
|
int (*input)(struct xfrm_state *, struct sk_buff *skb);
|
2005-04-17 06:20:36 +08:00
|
|
|
int (*output)(struct xfrm_state *, struct sk_buff *pskb);
|
2006-08-24 11:41:00 +08:00
|
|
|
int (*reject)(struct xfrm_state *, struct sk_buff *, struct flowi *);
|
2006-08-24 08:57:28 +08:00
|
|
|
int (*hdr_offset)(struct xfrm_state *, struct sk_buff *, u8 **);
|
2006-08-24 09:10:33 +08:00
|
|
|
xfrm_address_t *(*local_addr)(struct xfrm_state *, xfrm_address_t *);
|
|
|
|
xfrm_address_t *(*remote_addr)(struct xfrm_state *, xfrm_address_t *);
|
2005-04-17 06:20:36 +08:00
|
|
|
/* Estimate maximal size of result of transformation of a dgram */
|
2007-04-10 02:47:18 +08:00
|
|
|
u32 (*get_mtu)(struct xfrm_state *, int size);
|
2005-04-17 06:20:36 +08:00
|
|
|
};
|
|
|
|
|
|
|
|
extern int xfrm_register_type(struct xfrm_type *type, unsigned short family);
|
|
|
|
extern int xfrm_unregister_type(struct xfrm_type *type, unsigned short family);
|
|
|
|
extern struct xfrm_type *xfrm_get_type(u8 proto, unsigned short family);
|
|
|
|
extern void xfrm_put_type(struct xfrm_type *type);
|
|
|
|
|
2006-05-28 14:05:54 +08:00
|
|
|
struct xfrm_mode {
|
|
|
|
int (*input)(struct xfrm_state *x, struct sk_buff *skb);
|
2006-09-01 08:42:59 +08:00
|
|
|
int (*output)(struct xfrm_state *x,struct sk_buff *skb);
|
2006-05-28 14:05:54 +08:00
|
|
|
|
|
|
|
struct module *owner;
|
|
|
|
unsigned int encap;
|
|
|
|
};
|
|
|
|
|
|
|
|
extern int xfrm_register_mode(struct xfrm_mode *mode, int family);
|
|
|
|
extern int xfrm_unregister_mode(struct xfrm_mode *mode, int family);
|
|
|
|
extern struct xfrm_mode *xfrm_get_mode(unsigned int encap, int family);
|
|
|
|
extern void xfrm_put_mode(struct xfrm_mode *mode);
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
struct xfrm_tmpl
|
|
|
|
{
|
|
|
|
/* id in template is interpreted as:
|
|
|
|
* daddr - destination of tunnel, may be zero for transport mode.
|
|
|
|
* spi - zero to acquire spi. Not zero if spi is static, then
|
|
|
|
* daddr must be fixed too.
|
|
|
|
* proto - AH/ESP/IPCOMP
|
|
|
|
*/
|
|
|
|
struct xfrm_id id;
|
|
|
|
|
|
|
|
/* Source address of tunnel. Ignored, if it is not a tunnel. */
|
|
|
|
xfrm_address_t saddr;
|
|
|
|
|
2006-12-01 08:40:43 +08:00
|
|
|
unsigned short encap_family;
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
__u32 reqid;
|
|
|
|
|
2006-09-23 06:05:15 +08:00
|
|
|
/* Mode: transport, tunnel etc. */
|
2005-04-17 06:20:36 +08:00
|
|
|
__u8 mode;
|
|
|
|
|
|
|
|
/* Sharing mode: unique, this session only, this user only etc. */
|
|
|
|
__u8 share;
|
|
|
|
|
|
|
|
/* May skip this transfomration if no SA is found */
|
|
|
|
__u8 optional;
|
|
|
|
|
|
|
|
/* Bit mask of algos allowed for acquisition */
|
|
|
|
__u32 aalgos;
|
|
|
|
__u32 ealgos;
|
|
|
|
__u32 calgos;
|
|
|
|
};
|
|
|
|
|
2006-08-24 08:52:01 +08:00
|
|
|
#define XFRM_MAX_DEPTH 6
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
struct xfrm_policy
|
|
|
|
{
|
|
|
|
struct xfrm_policy *next;
|
2006-08-24 19:45:07 +08:00
|
|
|
struct hlist_node bydst;
|
|
|
|
struct hlist_node byidx;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
/* This lock only affects elements except for entry. */
|
|
|
|
rwlock_t lock;
|
|
|
|
atomic_t refcnt;
|
|
|
|
struct timer_list timer;
|
|
|
|
|
|
|
|
u32 priority;
|
|
|
|
u32 index;
|
|
|
|
struct xfrm_selector selector;
|
|
|
|
struct xfrm_lifetime_cfg lft;
|
|
|
|
struct xfrm_lifetime_cur curlft;
|
|
|
|
struct dst_entry *bundles;
|
[XFRM]: Pack struct xfrm_policy
[acme@newtoy net-2.6.20]$ pahole net/ipv4/tcp.o xfrm_policy
/* /pub/scm/linux/kernel/git/acme/net-2.6.20/include/linux/security.h:67 */
struct xfrm_policy {
struct xfrm_policy * next; /* 0 4 */
struct hlist_node bydst; /* 4 8 */
struct hlist_node byidx; /* 12 8 */
rwlock_t lock; /* 20 36 */
atomic_t refcnt; /* 56 4 */
struct timer_list timer; /* 60 24 */
u8 type; /* 84 1 */
/* XXX 3 bytes hole, try to pack */
u32 priority; /* 88 4 */
u32 index; /* 92 4 */
struct xfrm_selector selector; /* 96 56 */
struct xfrm_lifetime_cfg lft; /* 152 64 */
struct xfrm_lifetime_cur curlft; /* 216 32 */
struct dst_entry * bundles; /* 248 4 */
__u16 family; /* 252 2 */
__u8 action; /* 254 1 */
__u8 flags; /* 255 1 */
__u8 dead; /* 256 1 */
__u8 xfrm_nr; /* 257 1 */
/* XXX 2 bytes hole, try to pack */
struct xfrm_sec_ctx * security; /* 260 4 */
struct xfrm_tmpl xfrm_vec[6]; /* 264 360 */
}; /* size: 624, sum members: 619, holes: 2, sum holes: 5 */
So lets have just one hole instead of two, by moving 'type' to just before 'action',
end result:
[acme@newtoy net-2.6.20]$ codiff -s /tmp/tcp.o.before net/ipv4/tcp.o
/pub/scm/linux/kernel/git/acme/net-2.6.20/net/ipv4/tcp.c:
struct xfrm_policy | -4
1 struct changed
[acme@newtoy net-2.6.20]$
[acme@newtoy net-2.6.20]$ pahole -c 64 net/ipv4/tcp.o xfrm_policy
/* /pub/scm/linux/kernel/git/acme/net-2.6.20/include/linux/security.h:67 */
struct xfrm_policy {
struct xfrm_policy * next; /* 0 4 */
struct hlist_node bydst; /* 4 8 */
struct hlist_node byidx; /* 12 8 */
rwlock_t lock; /* 20 36 */
atomic_t refcnt; /* 56 4 */
struct timer_list timer; /* 60 24 */
u32 priority; /* 84 4 */
u32 index; /* 88 4 */
struct xfrm_selector selector; /* 92 56 */
struct xfrm_lifetime_cfg lft; /* 148 64 */
struct xfrm_lifetime_cur curlft; /* 212 32 */
struct dst_entry * bundles; /* 244 4 */
u16 family; /* 248 2 */
u8 type; /* 250 1 */
u8 action; /* 251 1 */
u8 flags; /* 252 1 */
u8 dead; /* 253 1 */
u8 xfrm_nr; /* 254 1 */
/* XXX 1 byte hole, try to pack */
struct xfrm_sec_ctx * security; /* 256 4 */
struct xfrm_tmpl xfrm_vec[6]; /* 260 360 */
}; /* size: 620, sum members: 619, holes: 1, sum holes: 1 */
Are there any fugly data dependencies here? None that I know.
In the process changed the removed the __ prefixed types, that are just for
userspace visible headers.
Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>
2006-11-28 03:58:59 +08:00
|
|
|
u16 family;
|
|
|
|
u8 type;
|
|
|
|
u8 action;
|
|
|
|
u8 flags;
|
|
|
|
u8 dead;
|
|
|
|
u8 xfrm_nr;
|
|
|
|
/* XXX 1 byte hole, try to pack */
|
[LSM-IPSec]: Security association restriction.
This patch series implements per packet access control via the
extension of the Linux Security Modules (LSM) interface by hooks in
the XFRM and pfkey subsystems that leverage IPSec security
associations to label packets. Extensions to the SELinux LSM are
included that leverage the patch for this purpose.
This patch implements the changes necessary to the XFRM subsystem,
pfkey interface, ipv4/ipv6, and xfrm_user interface to restrict a
socket to use only authorized security associations (or no security
association) to send/receive network packets.
Patch purpose:
The patch is designed to enable access control per packets based on
the strongly authenticated IPSec security association. Such access
controls augment the existing ones based on network interface and IP
address. The former are very coarse-grained, and the latter can be
spoofed. By using IPSec, the system can control access to remote
hosts based on cryptographic keys generated using the IPSec mechanism.
This enables access control on a per-machine basis or per-application
if the remote machine is running the same mechanism and trusted to
enforce the access control policy.
Patch design approach:
The overall approach is that policy (xfrm_policy) entries set by
user-level programs (e.g., setkey for ipsec-tools) are extended with a
security context that is used at policy selection time in the XFRM
subsystem to restrict the sockets that can send/receive packets via
security associations (xfrm_states) that are built from those
policies.
A presentation available at
www.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf
from the SELinux symposium describes the overall approach.
Patch implementation details:
On output, the policy retrieved (via xfrm_policy_lookup or
xfrm_sk_policy_lookup) must be authorized for the security context of
the socket and the same security context is required for resultant
security association (retrieved or negotiated via racoon in
ipsec-tools). This is enforced in xfrm_state_find.
On input, the policy retrieved must also be authorized for the socket
(at __xfrm_policy_check), and the security context of the policy must
also match the security association being used.
The patch has virtually no impact on packets that do not use IPSec.
The existing Netfilter (outgoing) and LSM rcv_skb hooks are used as
before.
Also, if IPSec is used without security contexts, the impact is
minimal. The LSM must allow such policies to be selected for the
combination of socket and remote machine, but subsequent IPSec
processing proceeds as in the original case.
Testing:
The pfkey interface is tested using the ipsec-tools. ipsec-tools have
been modified (a separate ipsec-tools patch is available for version
0.5) that supports assignment of xfrm_policy entries and security
associations with security contexts via setkey and the negotiation
using the security contexts via racoon.
The xfrm_user interface is tested via ad hoc programs that set
security contexts. These programs are also available from me, and
contain programs for setting, getting, and deleting policy for testing
this interface. Testing of sa functions was done by tracing kernel
behavior.
Signed-off-by: Trent Jaeger <tjaeger@cse.psu.edu>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-14 15:12:27 +08:00
|
|
|
struct xfrm_sec_ctx *security;
|
2005-04-17 06:20:36 +08:00
|
|
|
struct xfrm_tmpl xfrm_vec[XFRM_MAX_DEPTH];
|
|
|
|
};
|
|
|
|
|
2007-02-09 05:11:42 +08:00
|
|
|
struct xfrm_migrate {
|
|
|
|
xfrm_address_t old_daddr;
|
|
|
|
xfrm_address_t old_saddr;
|
|
|
|
xfrm_address_t new_daddr;
|
|
|
|
xfrm_address_t new_saddr;
|
|
|
|
u8 proto;
|
|
|
|
u8 mode;
|
|
|
|
u16 reserved;
|
|
|
|
u32 reqid;
|
|
|
|
u16 old_family;
|
|
|
|
u16 new_family;
|
|
|
|
};
|
|
|
|
|
2006-03-21 11:15:11 +08:00
|
|
|
#define XFRM_KM_TIMEOUT 30
|
|
|
|
/* which seqno */
|
|
|
|
#define XFRM_REPLAY_SEQ 1
|
|
|
|
#define XFRM_REPLAY_OSEQ 2
|
|
|
|
#define XFRM_REPLAY_SEQ_MASK 3
|
|
|
|
/* what happened */
|
|
|
|
#define XFRM_REPLAY_UPDATE XFRM_AE_CR
|
|
|
|
#define XFRM_REPLAY_TIMEOUT XFRM_AE_CE
|
|
|
|
|
|
|
|
/* default aevent timeout in units of 100ms */
|
|
|
|
#define XFRM_AE_ETIME 10
|
|
|
|
/* Async Event timer multiplier */
|
|
|
|
#define XFRM_AE_ETH_M 10
|
|
|
|
/* default seq threshold size */
|
|
|
|
#define XFRM_AE_SEQT_SIZE 2
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
struct xfrm_mgr
|
|
|
|
{
|
|
|
|
struct list_head list;
|
|
|
|
char *id;
|
2005-06-19 13:42:13 +08:00
|
|
|
int (*notify)(struct xfrm_state *x, struct km_event *c);
|
2005-04-17 06:20:36 +08:00
|
|
|
int (*acquire)(struct xfrm_state *x, struct xfrm_tmpl *, struct xfrm_policy *xp, int dir);
|
2006-07-25 14:32:20 +08:00
|
|
|
struct xfrm_policy *(*compile_policy)(struct sock *sk, int opt, u8 *data, int len, int *dir);
|
2006-11-08 16:24:06 +08:00
|
|
|
int (*new_mapping)(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport);
|
2005-06-19 13:42:13 +08:00
|
|
|
int (*notify_policy)(struct xfrm_policy *x, int dir, struct km_event *c);
|
2006-08-24 11:44:06 +08:00
|
|
|
int (*report)(u8 proto, struct xfrm_selector *sel, xfrm_address_t *addr);
|
2007-02-09 05:11:42 +08:00
|
|
|
int (*migrate)(struct xfrm_selector *sel, u8 dir, u8 type, struct xfrm_migrate *m, int num_bundles);
|
2005-04-17 06:20:36 +08:00
|
|
|
};
|
|
|
|
|
|
|
|
extern int xfrm_register_km(struct xfrm_mgr *km);
|
|
|
|
extern int xfrm_unregister_km(struct xfrm_mgr *km);
|
|
|
|
|
2006-08-24 19:45:07 +08:00
|
|
|
extern unsigned int xfrm_policy_count[XFRM_POLICY_MAX*2];
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2006-11-28 03:11:54 +08:00
|
|
|
/* Audit Information */
|
|
|
|
struct xfrm_audit
|
|
|
|
{
|
|
|
|
uid_t loginuid;
|
|
|
|
u32 secid;
|
|
|
|
};
|
2006-12-01 05:50:43 +08:00
|
|
|
|
2007-04-29 12:20:32 +08:00
|
|
|
struct xfrm_spdinfo
|
|
|
|
{
|
|
|
|
u32 incnt;
|
|
|
|
u32 outcnt;
|
|
|
|
u32 fwdcnt;
|
|
|
|
u32 inscnt;
|
|
|
|
u32 outscnt;
|
|
|
|
u32 fwdscnt;
|
|
|
|
u32 spdhcnt;
|
|
|
|
u32 spdhmcnt;
|
|
|
|
};
|
2006-12-01 05:50:43 +08:00
|
|
|
#ifdef CONFIG_AUDITSYSCALL
|
|
|
|
extern void xfrm_audit_log(uid_t auid, u32 secid, int type, int result,
|
2006-11-28 03:11:54 +08:00
|
|
|
struct xfrm_policy *xp, struct xfrm_state *x);
|
2006-12-01 05:50:43 +08:00
|
|
|
#else
|
|
|
|
#define xfrm_audit_log(a,s,t,r,p,x) do { ; } while (0)
|
|
|
|
#endif /* CONFIG_AUDITSYSCALL */
|
2006-11-28 03:11:54 +08:00
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
static inline void xfrm_pol_hold(struct xfrm_policy *policy)
|
|
|
|
{
|
|
|
|
if (likely(policy != NULL))
|
|
|
|
atomic_inc(&policy->refcnt);
|
|
|
|
}
|
|
|
|
|
|
|
|
extern void __xfrm_policy_destroy(struct xfrm_policy *policy);
|
|
|
|
|
|
|
|
static inline void xfrm_pol_put(struct xfrm_policy *policy)
|
|
|
|
{
|
|
|
|
if (atomic_dec_and_test(&policy->refcnt))
|
|
|
|
__xfrm_policy_destroy(policy);
|
|
|
|
}
|
|
|
|
|
2006-08-24 13:43:30 +08:00
|
|
|
#ifdef CONFIG_XFRM_SUB_POLICY
|
|
|
|
static inline void xfrm_pols_put(struct xfrm_policy **pols, int npols)
|
|
|
|
{
|
|
|
|
int i;
|
|
|
|
for (i = npols - 1; i >= 0; --i)
|
|
|
|
xfrm_pol_put(pols[i]);
|
|
|
|
}
|
|
|
|
#else
|
|
|
|
static inline void xfrm_pols_put(struct xfrm_policy **pols, int npols)
|
|
|
|
{
|
|
|
|
xfrm_pol_put(pols[0]);
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
extern void __xfrm_state_destroy(struct xfrm_state *);
|
|
|
|
|
2006-02-23 06:47:13 +08:00
|
|
|
static inline void __xfrm_state_put(struct xfrm_state *x)
|
|
|
|
{
|
|
|
|
atomic_dec(&x->refcnt);
|
|
|
|
}
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
static inline void xfrm_state_put(struct xfrm_state *x)
|
|
|
|
{
|
|
|
|
if (atomic_dec_and_test(&x->refcnt))
|
|
|
|
__xfrm_state_destroy(x);
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline void xfrm_state_hold(struct xfrm_state *x)
|
|
|
|
{
|
|
|
|
atomic_inc(&x->refcnt);
|
|
|
|
}
|
|
|
|
|
|
|
|
static __inline__ int addr_match(void *token1, void *token2, int prefixlen)
|
|
|
|
{
|
2006-09-28 09:46:32 +08:00
|
|
|
__be32 *a1 = token1;
|
|
|
|
__be32 *a2 = token2;
|
2005-04-17 06:20:36 +08:00
|
|
|
int pdw;
|
|
|
|
int pbi;
|
|
|
|
|
|
|
|
pdw = prefixlen >> 5; /* num of whole __u32 in prefix */
|
|
|
|
pbi = prefixlen & 0x1f; /* num of bits in incomplete u32 in prefix */
|
|
|
|
|
|
|
|
if (pdw)
|
|
|
|
if (memcmp(a1, a2, pdw << 2))
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
if (pbi) {
|
2006-09-28 09:46:32 +08:00
|
|
|
__be32 mask;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
mask = htonl((0xffffffff) << (32 - pbi));
|
|
|
|
|
|
|
|
if ((a1[pdw] ^ a2[pdw]) & mask)
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
static __inline__
|
2006-09-28 09:45:50 +08:00
|
|
|
__be16 xfrm_flowi_sport(struct flowi *fl)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2006-09-28 09:45:50 +08:00
|
|
|
__be16 port;
|
2005-04-17 06:20:36 +08:00
|
|
|
switch(fl->proto) {
|
|
|
|
case IPPROTO_TCP:
|
|
|
|
case IPPROTO_UDP:
|
2006-11-28 03:10:57 +08:00
|
|
|
case IPPROTO_UDPLITE:
|
2005-04-17 06:20:36 +08:00
|
|
|
case IPPROTO_SCTP:
|
|
|
|
port = fl->fl_ip_sport;
|
|
|
|
break;
|
|
|
|
case IPPROTO_ICMP:
|
|
|
|
case IPPROTO_ICMPV6:
|
|
|
|
port = htons(fl->fl_icmp_type);
|
|
|
|
break;
|
2006-08-24 11:39:03 +08:00
|
|
|
#ifdef CONFIG_IPV6_MIP6
|
|
|
|
case IPPROTO_MH:
|
|
|
|
port = htons(fl->fl_mh_type);
|
|
|
|
break;
|
|
|
|
#endif
|
2005-04-17 06:20:36 +08:00
|
|
|
default:
|
|
|
|
port = 0; /*XXX*/
|
|
|
|
}
|
|
|
|
return port;
|
|
|
|
}
|
|
|
|
|
|
|
|
static __inline__
|
2006-09-28 09:45:50 +08:00
|
|
|
__be16 xfrm_flowi_dport(struct flowi *fl)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2006-09-28 09:45:50 +08:00
|
|
|
__be16 port;
|
2005-04-17 06:20:36 +08:00
|
|
|
switch(fl->proto) {
|
|
|
|
case IPPROTO_TCP:
|
|
|
|
case IPPROTO_UDP:
|
2006-11-28 03:10:57 +08:00
|
|
|
case IPPROTO_UDPLITE:
|
2005-04-17 06:20:36 +08:00
|
|
|
case IPPROTO_SCTP:
|
|
|
|
port = fl->fl_ip_dport;
|
|
|
|
break;
|
|
|
|
case IPPROTO_ICMP:
|
|
|
|
case IPPROTO_ICMPV6:
|
|
|
|
port = htons(fl->fl_icmp_code);
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
port = 0; /*XXX*/
|
|
|
|
}
|
|
|
|
return port;
|
|
|
|
}
|
|
|
|
|
2006-11-09 14:46:26 +08:00
|
|
|
extern int xfrm_selector_match(struct xfrm_selector *sel, struct flowi *fl,
|
|
|
|
unsigned short family);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
[LSM-IPSec]: Security association restriction.
This patch series implements per packet access control via the
extension of the Linux Security Modules (LSM) interface by hooks in
the XFRM and pfkey subsystems that leverage IPSec security
associations to label packets. Extensions to the SELinux LSM are
included that leverage the patch for this purpose.
This patch implements the changes necessary to the XFRM subsystem,
pfkey interface, ipv4/ipv6, and xfrm_user interface to restrict a
socket to use only authorized security associations (or no security
association) to send/receive network packets.
Patch purpose:
The patch is designed to enable access control per packets based on
the strongly authenticated IPSec security association. Such access
controls augment the existing ones based on network interface and IP
address. The former are very coarse-grained, and the latter can be
spoofed. By using IPSec, the system can control access to remote
hosts based on cryptographic keys generated using the IPSec mechanism.
This enables access control on a per-machine basis or per-application
if the remote machine is running the same mechanism and trusted to
enforce the access control policy.
Patch design approach:
The overall approach is that policy (xfrm_policy) entries set by
user-level programs (e.g., setkey for ipsec-tools) are extended with a
security context that is used at policy selection time in the XFRM
subsystem to restrict the sockets that can send/receive packets via
security associations (xfrm_states) that are built from those
policies.
A presentation available at
www.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf
from the SELinux symposium describes the overall approach.
Patch implementation details:
On output, the policy retrieved (via xfrm_policy_lookup or
xfrm_sk_policy_lookup) must be authorized for the security context of
the socket and the same security context is required for resultant
security association (retrieved or negotiated via racoon in
ipsec-tools). This is enforced in xfrm_state_find.
On input, the policy retrieved must also be authorized for the socket
(at __xfrm_policy_check), and the security context of the policy must
also match the security association being used.
The patch has virtually no impact on packets that do not use IPSec.
The existing Netfilter (outgoing) and LSM rcv_skb hooks are used as
before.
Also, if IPSec is used without security contexts, the impact is
minimal. The LSM must allow such policies to be selected for the
combination of socket and remote machine, but subsequent IPSec
processing proceeds as in the original case.
Testing:
The pfkey interface is tested using the ipsec-tools. ipsec-tools have
been modified (a separate ipsec-tools patch is available for version
0.5) that supports assignment of xfrm_policy entries and security
associations with security contexts via setkey and the negotiation
using the security contexts via racoon.
The xfrm_user interface is tested via ad hoc programs that set
security contexts. These programs are also available from me, and
contain programs for setting, getting, and deleting policy for testing
this interface. Testing of sa functions was done by tracing kernel
behavior.
Signed-off-by: Trent Jaeger <tjaeger@cse.psu.edu>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-14 15:12:27 +08:00
|
|
|
#ifdef CONFIG_SECURITY_NETWORK_XFRM
|
|
|
|
/* If neither has a context --> match
|
|
|
|
* Otherwise, both must have a context and the sids, doi, alg must match
|
|
|
|
*/
|
|
|
|
static inline int xfrm_sec_ctx_match(struct xfrm_sec_ctx *s1, struct xfrm_sec_ctx *s2)
|
|
|
|
{
|
|
|
|
return ((!s1 && !s2) ||
|
|
|
|
(s1 && s2 &&
|
|
|
|
(s1->ctx_sid == s2->ctx_sid) &&
|
|
|
|
(s1->ctx_doi == s2->ctx_doi) &&
|
|
|
|
(s1->ctx_alg == s2->ctx_alg)));
|
|
|
|
}
|
|
|
|
#else
|
|
|
|
static inline int xfrm_sec_ctx_match(struct xfrm_sec_ctx *s1, struct xfrm_sec_ctx *s2)
|
|
|
|
{
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
/* A struct encoding bundle of transformations to apply to some set of flow.
|
|
|
|
*
|
|
|
|
* dst->child points to the next element of bundle.
|
|
|
|
* dst->xfrm points to an instanse of transformer.
|
|
|
|
*
|
|
|
|
* Due to unfortunate limitations of current routing cache, which we
|
|
|
|
* have no time to fix, it mirrors struct rtable and bound to the same
|
|
|
|
* routing key, including saddr,daddr. However, we can have many of
|
|
|
|
* bundles differing by session id. All the bundles grow from a parent
|
|
|
|
* policy rule.
|
|
|
|
*/
|
|
|
|
struct xfrm_dst
|
|
|
|
{
|
|
|
|
union {
|
|
|
|
struct xfrm_dst *next;
|
|
|
|
struct dst_entry dst;
|
|
|
|
struct rtable rt;
|
|
|
|
struct rt6_info rt6;
|
|
|
|
} u;
|
|
|
|
struct dst_entry *route;
|
2007-04-30 15:33:35 +08:00
|
|
|
#ifdef CONFIG_XFRM_SUB_POLICY
|
|
|
|
struct flowi *origin;
|
|
|
|
struct xfrm_selector *partner;
|
|
|
|
#endif
|
2006-08-24 18:18:09 +08:00
|
|
|
u32 genid;
|
2005-04-17 06:20:36 +08:00
|
|
|
u32 route_mtu_cached;
|
|
|
|
u32 child_mtu_cached;
|
2005-05-27 03:58:04 +08:00
|
|
|
u32 route_cookie;
|
|
|
|
u32 path_cookie;
|
2005-04-17 06:20:36 +08:00
|
|
|
};
|
|
|
|
|
2005-05-04 07:27:10 +08:00
|
|
|
static inline void xfrm_dst_destroy(struct xfrm_dst *xdst)
|
|
|
|
{
|
|
|
|
dst_release(xdst->route);
|
|
|
|
if (likely(xdst->u.dst.xfrm))
|
|
|
|
xfrm_state_put(xdst->u.dst.xfrm);
|
2007-04-30 15:33:35 +08:00
|
|
|
#ifdef CONFIG_XFRM_SUB_POLICY
|
|
|
|
kfree(xdst->origin);
|
|
|
|
xdst->origin = NULL;
|
|
|
|
kfree(xdst->partner);
|
|
|
|
xdst->partner = NULL;
|
|
|
|
#endif
|
2005-05-04 07:27:10 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
extern void xfrm_dst_ifdown(struct dst_entry *dst, struct net_device *dev);
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
struct sec_path
|
|
|
|
{
|
|
|
|
atomic_t refcnt;
|
|
|
|
int len;
|
2006-04-01 16:54:16 +08:00
|
|
|
struct xfrm_state *xvec[XFRM_MAX_DEPTH];
|
2005-04-17 06:20:36 +08:00
|
|
|
};
|
|
|
|
|
|
|
|
static inline struct sec_path *
|
|
|
|
secpath_get(struct sec_path *sp)
|
|
|
|
{
|
|
|
|
if (sp)
|
|
|
|
atomic_inc(&sp->refcnt);
|
|
|
|
return sp;
|
|
|
|
}
|
|
|
|
|
|
|
|
extern void __secpath_destroy(struct sec_path *sp);
|
|
|
|
|
|
|
|
static inline void
|
|
|
|
secpath_put(struct sec_path *sp)
|
|
|
|
{
|
|
|
|
if (sp && atomic_dec_and_test(&sp->refcnt))
|
|
|
|
__secpath_destroy(sp);
|
|
|
|
}
|
|
|
|
|
|
|
|
extern struct sec_path *secpath_dup(struct sec_path *src);
|
|
|
|
|
|
|
|
static inline void
|
|
|
|
secpath_reset(struct sk_buff *skb)
|
|
|
|
{
|
|
|
|
#ifdef CONFIG_XFRM
|
|
|
|
secpath_put(skb->sp);
|
|
|
|
skb->sp = NULL;
|
|
|
|
#endif
|
|
|
|
}
|
|
|
|
|
2006-09-20 03:57:34 +08:00
|
|
|
static inline int
|
|
|
|
xfrm_addr_any(xfrm_address_t *addr, unsigned short family)
|
|
|
|
{
|
|
|
|
switch (family) {
|
|
|
|
case AF_INET:
|
|
|
|
return addr->a4 == 0;
|
|
|
|
case AF_INET6:
|
|
|
|
return ipv6_addr_any((struct in6_addr *)&addr->a6);
|
|
|
|
}
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
static inline int
|
|
|
|
__xfrm4_state_addr_cmp(struct xfrm_tmpl *tmpl, struct xfrm_state *x)
|
|
|
|
{
|
|
|
|
return (tmpl->saddr.a4 &&
|
|
|
|
tmpl->saddr.a4 != x->props.saddr.a4);
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline int
|
|
|
|
__xfrm6_state_addr_cmp(struct xfrm_tmpl *tmpl, struct xfrm_state *x)
|
|
|
|
{
|
|
|
|
return (!ipv6_addr_any((struct in6_addr*)&tmpl->saddr) &&
|
|
|
|
ipv6_addr_cmp((struct in6_addr *)&tmpl->saddr, (struct in6_addr*)&x->props.saddr));
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline int
|
|
|
|
xfrm_state_addr_cmp(struct xfrm_tmpl *tmpl, struct xfrm_state *x, unsigned short family)
|
|
|
|
{
|
|
|
|
switch (family) {
|
|
|
|
case AF_INET:
|
|
|
|
return __xfrm4_state_addr_cmp(tmpl, x);
|
|
|
|
case AF_INET6:
|
|
|
|
return __xfrm6_state_addr_cmp(tmpl, x);
|
|
|
|
}
|
|
|
|
return !0;
|
|
|
|
}
|
|
|
|
|
|
|
|
#ifdef CONFIG_XFRM
|
|
|
|
|
|
|
|
extern int __xfrm_policy_check(struct sock *, int dir, struct sk_buff *skb, unsigned short family);
|
|
|
|
|
|
|
|
static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family)
|
|
|
|
{
|
|
|
|
if (sk && sk->sk_policy[XFRM_POLICY_IN])
|
|
|
|
return __xfrm_policy_check(sk, dir, skb, family);
|
2006-08-24 13:43:30 +08:00
|
|
|
|
2006-08-24 19:45:07 +08:00
|
|
|
return (!xfrm_policy_count[dir] && !skb->sp) ||
|
2005-04-17 06:20:36 +08:00
|
|
|
(skb->dst->flags & DST_NOPOLICY) ||
|
|
|
|
__xfrm_policy_check(sk, dir, skb, family);
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
|
|
|
|
{
|
|
|
|
return xfrm_policy_check(sk, dir, skb, AF_INET);
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
|
|
|
|
{
|
|
|
|
return xfrm_policy_check(sk, dir, skb, AF_INET6);
|
|
|
|
}
|
|
|
|
|
2006-01-07 15:04:54 +08:00
|
|
|
extern int xfrm_decode_session(struct sk_buff *skb, struct flowi *fl, unsigned short family);
|
2005-04-17 06:20:36 +08:00
|
|
|
extern int __xfrm_route_forward(struct sk_buff *skb, unsigned short family);
|
|
|
|
|
|
|
|
static inline int xfrm_route_forward(struct sk_buff *skb, unsigned short family)
|
|
|
|
{
|
2006-08-24 19:45:07 +08:00
|
|
|
return !xfrm_policy_count[XFRM_POLICY_OUT] ||
|
2005-04-17 06:20:36 +08:00
|
|
|
(skb->dst->flags & DST_NOXFRM) ||
|
|
|
|
__xfrm_route_forward(skb, family);
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline int xfrm4_route_forward(struct sk_buff *skb)
|
|
|
|
{
|
|
|
|
return xfrm_route_forward(skb, AF_INET);
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline int xfrm6_route_forward(struct sk_buff *skb)
|
|
|
|
{
|
|
|
|
return xfrm_route_forward(skb, AF_INET6);
|
|
|
|
}
|
|
|
|
|
|
|
|
extern int __xfrm_sk_clone_policy(struct sock *sk);
|
|
|
|
|
|
|
|
static inline int xfrm_sk_clone_policy(struct sock *sk)
|
|
|
|
{
|
|
|
|
if (unlikely(sk->sk_policy[0] || sk->sk_policy[1]))
|
|
|
|
return __xfrm_sk_clone_policy(sk);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2005-06-19 13:43:22 +08:00
|
|
|
extern int xfrm_policy_delete(struct xfrm_policy *pol, int dir);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
static inline void xfrm_sk_free_policy(struct sock *sk)
|
|
|
|
{
|
|
|
|
if (unlikely(sk->sk_policy[0] != NULL)) {
|
|
|
|
xfrm_policy_delete(sk->sk_policy[0], XFRM_POLICY_MAX);
|
|
|
|
sk->sk_policy[0] = NULL;
|
|
|
|
}
|
|
|
|
if (unlikely(sk->sk_policy[1] != NULL)) {
|
|
|
|
xfrm_policy_delete(sk->sk_policy[1], XFRM_POLICY_MAX+1);
|
|
|
|
sk->sk_policy[1] = NULL;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
#else
|
|
|
|
|
|
|
|
static inline void xfrm_sk_free_policy(struct sock *sk) {}
|
|
|
|
static inline int xfrm_sk_clone_policy(struct sock *sk) { return 0; }
|
|
|
|
static inline int xfrm6_route_forward(struct sk_buff *skb) { return 1; }
|
|
|
|
static inline int xfrm4_route_forward(struct sk_buff *skb) { return 1; }
|
|
|
|
static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
|
|
|
|
{
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
|
|
|
|
{
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family)
|
|
|
|
{
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
|
|
|
|
static __inline__
|
|
|
|
xfrm_address_t *xfrm_flowi_daddr(struct flowi *fl, unsigned short family)
|
|
|
|
{
|
|
|
|
switch (family){
|
|
|
|
case AF_INET:
|
|
|
|
return (xfrm_address_t *)&fl->fl4_dst;
|
|
|
|
case AF_INET6:
|
|
|
|
return (xfrm_address_t *)&fl->fl6_dst;
|
|
|
|
}
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
static __inline__
|
|
|
|
xfrm_address_t *xfrm_flowi_saddr(struct flowi *fl, unsigned short family)
|
|
|
|
{
|
|
|
|
switch (family){
|
|
|
|
case AF_INET:
|
|
|
|
return (xfrm_address_t *)&fl->fl4_src;
|
|
|
|
case AF_INET6:
|
|
|
|
return (xfrm_address_t *)&fl->fl6_src;
|
|
|
|
}
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
static __inline__ int
|
|
|
|
__xfrm4_state_addr_check(struct xfrm_state *x,
|
|
|
|
xfrm_address_t *daddr, xfrm_address_t *saddr)
|
|
|
|
{
|
|
|
|
if (daddr->a4 == x->id.daddr.a4 &&
|
|
|
|
(saddr->a4 == x->props.saddr.a4 || !saddr->a4 || !x->props.saddr.a4))
|
|
|
|
return 1;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static __inline__ int
|
|
|
|
__xfrm6_state_addr_check(struct xfrm_state *x,
|
|
|
|
xfrm_address_t *daddr, xfrm_address_t *saddr)
|
|
|
|
{
|
|
|
|
if (!ipv6_addr_cmp((struct in6_addr *)daddr, (struct in6_addr *)&x->id.daddr) &&
|
|
|
|
(!ipv6_addr_cmp((struct in6_addr *)saddr, (struct in6_addr *)&x->props.saddr)||
|
|
|
|
ipv6_addr_any((struct in6_addr *)saddr) ||
|
|
|
|
ipv6_addr_any((struct in6_addr *)&x->props.saddr)))
|
|
|
|
return 1;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static __inline__ int
|
|
|
|
xfrm_state_addr_check(struct xfrm_state *x,
|
|
|
|
xfrm_address_t *daddr, xfrm_address_t *saddr,
|
|
|
|
unsigned short family)
|
|
|
|
{
|
|
|
|
switch (family) {
|
|
|
|
case AF_INET:
|
|
|
|
return __xfrm4_state_addr_check(x, daddr, saddr);
|
|
|
|
case AF_INET6:
|
|
|
|
return __xfrm6_state_addr_check(x, daddr, saddr);
|
|
|
|
}
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2006-08-24 10:12:01 +08:00
|
|
|
static __inline__ int
|
|
|
|
xfrm_state_addr_flow_check(struct xfrm_state *x, struct flowi *fl,
|
|
|
|
unsigned short family)
|
|
|
|
{
|
|
|
|
switch (family) {
|
|
|
|
case AF_INET:
|
|
|
|
return __xfrm4_state_addr_check(x,
|
|
|
|
(xfrm_address_t *)&fl->fl4_dst,
|
|
|
|
(xfrm_address_t *)&fl->fl4_src);
|
|
|
|
case AF_INET6:
|
|
|
|
return __xfrm6_state_addr_check(x,
|
|
|
|
(xfrm_address_t *)&fl->fl6_dst,
|
|
|
|
(xfrm_address_t *)&fl->fl6_src);
|
|
|
|
}
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
static inline int xfrm_state_kern(struct xfrm_state *x)
|
|
|
|
{
|
|
|
|
return atomic_read(&x->tunnel_users);
|
|
|
|
}
|
|
|
|
|
2006-09-23 06:06:24 +08:00
|
|
|
static inline int xfrm_id_proto_match(u8 proto, u8 userproto)
|
|
|
|
{
|
2006-08-24 08:49:52 +08:00
|
|
|
return (!userproto || proto == userproto ||
|
|
|
|
(userproto == IPSEC_PROTO_ANY && (proto == IPPROTO_AH ||
|
|
|
|
proto == IPPROTO_ESP ||
|
|
|
|
proto == IPPROTO_COMP)));
|
2006-09-23 06:06:24 +08:00
|
|
|
}
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
/*
|
|
|
|
* xfrm algorithm information
|
|
|
|
*/
|
|
|
|
struct xfrm_algo_auth_info {
|
|
|
|
u16 icv_truncbits;
|
|
|
|
u16 icv_fullbits;
|
|
|
|
};
|
|
|
|
|
|
|
|
struct xfrm_algo_encr_info {
|
|
|
|
u16 blockbits;
|
|
|
|
u16 defkeybits;
|
|
|
|
};
|
|
|
|
|
|
|
|
struct xfrm_algo_comp_info {
|
|
|
|
u16 threshold;
|
|
|
|
};
|
|
|
|
|
|
|
|
struct xfrm_algo_desc {
|
|
|
|
char *name;
|
2006-08-13 06:50:00 +08:00
|
|
|
char *compat;
|
2005-04-17 06:20:36 +08:00
|
|
|
u8 available:1;
|
|
|
|
union {
|
|
|
|
struct xfrm_algo_auth_info auth;
|
|
|
|
struct xfrm_algo_encr_info encr;
|
|
|
|
struct xfrm_algo_comp_info comp;
|
|
|
|
} uinfo;
|
|
|
|
struct sadb_alg desc;
|
|
|
|
};
|
|
|
|
|
|
|
|
/* XFRM tunnel handlers. */
|
|
|
|
struct xfrm_tunnel {
|
|
|
|
int (*handler)(struct sk_buff *skb);
|
2006-03-28 17:12:13 +08:00
|
|
|
int (*err_handler)(struct sk_buff *skb, __u32 info);
|
|
|
|
|
|
|
|
struct xfrm_tunnel *next;
|
|
|
|
int priority;
|
2005-04-17 06:20:36 +08:00
|
|
|
};
|
|
|
|
|
|
|
|
struct xfrm6_tunnel {
|
2006-03-28 17:12:13 +08:00
|
|
|
int (*handler)(struct sk_buff *skb);
|
|
|
|
int (*err_handler)(struct sk_buff *skb, struct inet6_skb_parm *opt,
|
2006-11-08 16:21:01 +08:00
|
|
|
int type, int code, int offset, __be32 info);
|
2006-03-28 17:12:13 +08:00
|
|
|
struct xfrm6_tunnel *next;
|
|
|
|
int priority;
|
2005-04-17 06:20:36 +08:00
|
|
|
};
|
|
|
|
|
|
|
|
extern void xfrm_init(void);
|
|
|
|
extern void xfrm4_init(void);
|
|
|
|
extern void xfrm6_init(void);
|
|
|
|
extern void xfrm6_fini(void);
|
|
|
|
extern void xfrm_state_init(void);
|
|
|
|
extern void xfrm4_state_init(void);
|
|
|
|
extern void xfrm6_state_init(void);
|
|
|
|
extern void xfrm6_state_fini(void);
|
|
|
|
|
|
|
|
extern int xfrm_state_walk(u8 proto, int (*func)(struct xfrm_state *, int, void*), void *);
|
|
|
|
extern struct xfrm_state *xfrm_state_alloc(void);
|
|
|
|
extern struct xfrm_state *xfrm_state_find(xfrm_address_t *daddr, xfrm_address_t *saddr,
|
|
|
|
struct flowi *fl, struct xfrm_tmpl *tmpl,
|
|
|
|
struct xfrm_policy *pol, int *err,
|
|
|
|
unsigned short family);
|
|
|
|
extern int xfrm_state_check_expire(struct xfrm_state *x);
|
|
|
|
extern void xfrm_state_insert(struct xfrm_state *x);
|
|
|
|
extern int xfrm_state_add(struct xfrm_state *x);
|
|
|
|
extern int xfrm_state_update(struct xfrm_state *x);
|
2006-09-28 09:47:24 +08:00
|
|
|
extern struct xfrm_state *xfrm_state_lookup(xfrm_address_t *daddr, __be32 spi, u8 proto, unsigned short family);
|
2006-08-24 08:56:04 +08:00
|
|
|
extern struct xfrm_state *xfrm_state_lookup_byaddr(xfrm_address_t *daddr, xfrm_address_t *saddr, u8 proto, unsigned short family);
|
2006-08-24 13:48:31 +08:00
|
|
|
#ifdef CONFIG_XFRM_SUB_POLICY
|
|
|
|
extern int xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src,
|
|
|
|
int n, unsigned short family);
|
|
|
|
extern int xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src,
|
|
|
|
int n, unsigned short family);
|
|
|
|
#else
|
|
|
|
static inline int xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src,
|
|
|
|
int n, unsigned short family)
|
|
|
|
{
|
|
|
|
return -ENOSYS;
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline int xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src,
|
|
|
|
int n, unsigned short family)
|
|
|
|
{
|
|
|
|
return -ENOSYS;
|
|
|
|
}
|
|
|
|
#endif
|
2007-05-05 03:55:13 +08:00
|
|
|
|
|
|
|
struct xfrmk_sadinfo {
|
|
|
|
u32 sadhcnt; /* current hash bkts */
|
|
|
|
u32 sadhmcnt; /* max allowed hash bkts */
|
|
|
|
u32 sadcnt; /* current running count */
|
|
|
|
};
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
extern struct xfrm_state *xfrm_find_acq_byseq(u32 seq);
|
2005-06-19 13:42:13 +08:00
|
|
|
extern int xfrm_state_delete(struct xfrm_state *x);
|
2006-11-28 03:11:54 +08:00
|
|
|
extern void xfrm_state_flush(u8 proto, struct xfrm_audit *audit_info);
|
2007-05-05 03:55:13 +08:00
|
|
|
extern void xfrm_sad_getinfo(struct xfrmk_sadinfo *si);
|
2007-04-29 12:20:32 +08:00
|
|
|
extern void xfrm_spd_getinfo(struct xfrm_spdinfo *si);
|
2006-09-28 09:48:18 +08:00
|
|
|
extern int xfrm_replay_check(struct xfrm_state *x, __be32 seq);
|
2006-09-28 09:48:33 +08:00
|
|
|
extern void xfrm_replay_advance(struct xfrm_state *x, __be32 seq);
|
2006-03-21 11:15:11 +08:00
|
|
|
extern void xfrm_replay_notify(struct xfrm_state *x, int event);
|
2005-04-17 06:20:36 +08:00
|
|
|
extern int xfrm_state_check(struct xfrm_state *x, struct sk_buff *skb);
|
|
|
|
extern int xfrm_state_mtu(struct xfrm_state *x, int mtu);
|
2005-06-21 04:18:08 +08:00
|
|
|
extern int xfrm_init_state(struct xfrm_state *x);
|
2005-04-17 06:20:36 +08:00
|
|
|
extern int xfrm4_rcv(struct sk_buff *skb);
|
|
|
|
extern int xfrm4_output(struct sk_buff *skb);
|
2007-02-14 04:54:47 +08:00
|
|
|
extern int xfrm4_tunnel_register(struct xfrm_tunnel *handler, unsigned short family);
|
|
|
|
extern int xfrm4_tunnel_deregister(struct xfrm_tunnel *handler, unsigned short family);
|
2006-09-28 09:48:18 +08:00
|
|
|
extern int xfrm6_rcv_spi(struct sk_buff *skb, __be32 spi);
|
2006-01-07 15:02:34 +08:00
|
|
|
extern int xfrm6_rcv(struct sk_buff **pskb);
|
2006-08-24 09:08:21 +08:00
|
|
|
extern int xfrm6_input_addr(struct sk_buff *skb, xfrm_address_t *daddr,
|
|
|
|
xfrm_address_t *saddr, u8 proto);
|
2007-02-14 04:55:55 +08:00
|
|
|
extern int xfrm6_tunnel_register(struct xfrm6_tunnel *handler, unsigned short family);
|
|
|
|
extern int xfrm6_tunnel_deregister(struct xfrm6_tunnel *handler, unsigned short family);
|
2006-11-08 16:20:21 +08:00
|
|
|
extern __be32 xfrm6_tunnel_alloc_spi(xfrm_address_t *saddr);
|
2005-04-17 06:20:36 +08:00
|
|
|
extern void xfrm6_tunnel_free_spi(xfrm_address_t *saddr);
|
2006-11-08 16:20:21 +08:00
|
|
|
extern __be32 xfrm6_tunnel_spi_lookup(xfrm_address_t *saddr);
|
2005-04-17 06:20:36 +08:00
|
|
|
extern int xfrm6_output(struct sk_buff *skb);
|
2006-08-24 08:57:28 +08:00
|
|
|
extern int xfrm6_find_1stfragopt(struct xfrm_state *x, struct sk_buff *skb,
|
|
|
|
u8 **prevhdr);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
#ifdef CONFIG_XFRM
|
|
|
|
extern int xfrm4_rcv_encap(struct sk_buff *skb, __u16 encap_type);
|
|
|
|
extern int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen);
|
|
|
|
extern int xfrm_dst_lookup(struct xfrm_dst **dst, struct flowi *fl, unsigned short family);
|
|
|
|
#else
|
|
|
|
static inline int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen)
|
|
|
|
{
|
|
|
|
return -ENOPROTOOPT;
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline int xfrm4_rcv_encap(struct sk_buff *skb, __u16 encap_type)
|
|
|
|
{
|
|
|
|
/* should not happen */
|
|
|
|
kfree_skb(skb);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
static inline int xfrm_dst_lookup(struct xfrm_dst **dst, struct flowi *fl, unsigned short family)
|
|
|
|
{
|
|
|
|
return -EINVAL;
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
|
2005-10-07 14:46:04 +08:00
|
|
|
struct xfrm_policy *xfrm_policy_alloc(gfp_t gfp);
|
2006-08-24 13:43:30 +08:00
|
|
|
extern int xfrm_policy_walk(u8 type, int (*func)(struct xfrm_policy *, int, int, void*), void *);
|
2005-04-17 06:20:36 +08:00
|
|
|
int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl);
|
2006-08-24 13:43:30 +08:00
|
|
|
struct xfrm_policy *xfrm_policy_bysel_ctx(u8 type, int dir,
|
|
|
|
struct xfrm_selector *sel,
|
2007-03-08 07:37:58 +08:00
|
|
|
struct xfrm_sec_ctx *ctx, int delete,
|
|
|
|
int *err);
|
|
|
|
struct xfrm_policy *xfrm_policy_byid(u8, int dir, u32 id, int delete, int *err);
|
2006-11-28 03:11:54 +08:00
|
|
|
void xfrm_policy_flush(u8 type, struct xfrm_audit *audit_info);
|
2005-04-17 06:20:36 +08:00
|
|
|
u32 xfrm_get_acqseq(void);
|
2006-09-28 09:47:05 +08:00
|
|
|
void xfrm_alloc_spi(struct xfrm_state *x, __be32 minspi, __be32 maxspi);
|
2006-11-28 03:11:54 +08:00
|
|
|
struct xfrm_state * xfrm_find_acq(u8 mode, u32 reqid, u8 proto,
|
|
|
|
xfrm_address_t *daddr, xfrm_address_t *saddr,
|
2005-04-17 06:20:36 +08:00
|
|
|
int create, unsigned short family);
|
2006-11-28 03:11:54 +08:00
|
|
|
extern void xfrm_policy_flush(u8 type, struct xfrm_audit *audit_info);
|
2005-04-17 06:20:36 +08:00
|
|
|
extern int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol);
|
IPsec: correct semantics for SELinux policy matching
Currently when an IPSec policy rule doesn't specify a security
context, it is assumed to be "unlabeled" by SELinux, and so
the IPSec policy rule fails to match to a flow that it would
otherwise match to, unless one has explicitly added an SELinux
policy rule allowing the flow to "polmatch" to the "unlabeled"
IPSec policy rules. In the absence of such an explicitly added
SELinux policy rule, the IPSec policy rule fails to match and
so the packet(s) flow in clear text without the otherwise applicable
xfrm(s) applied.
The above SELinux behavior violates the SELinux security notion of
"deny by default" which should actually translate to "encrypt by
default" in the above case.
This was first reported by Evgeniy Polyakov and the way James Morris
was seeing the problem was when connecting via IPsec to a
confined service on an SELinux box (vsftpd), which did not have the
appropriate SELinux policy permissions to send packets via IPsec.
With this patch applied, SELinux "polmatching" of flows Vs. IPSec
policy rules will only come into play when there's a explicit context
specified for the IPSec policy rule (which also means there's corresponding
SELinux policy allowing appropriate domains/flows to polmatch to this context).
Secondly, when a security module is loaded (in this case, SELinux), the
security_xfrm_policy_lookup() hook can return errors other than access denied,
such as -EINVAL. We were not handling that correctly, and in fact
inverting the return logic and propagating a false "ok" back up to
xfrm_lookup(), which then allowed packets to pass as if they were not
associated with an xfrm policy.
The solution for this is to first ensure that errno values are
correctly propagated all the way back up through the various call chains
from security_xfrm_policy_lookup(), and handled correctly.
Then, flow_cache_lookup() is modified, so that if the policy resolver
fails (typically a permission denied via the security module), the flow
cache entry is killed rather than having a null policy assigned (which
indicates that the packet can pass freely). This also forces any future
lookups for the same flow to consult the security module (e.g. SELinux)
for current security policy (rather than, say, caching the error on the
flow cache entry).
This patch: Fix the selinux side of things.
This makes sure SELinux polmatching of flow contexts to IPSec policy
rules comes into play only when an explicit context is associated
with the IPSec policy rule.
Also, this no longer defaults the context of a socket policy to
the context of the socket since the "no explicit context" case
is now handled properly.
Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com>
Signed-off-by: James Morris <jmorris@namei.org>
2006-10-06 04:42:18 +08:00
|
|
|
extern int xfrm_bundle_ok(struct xfrm_policy *pol, struct xfrm_dst *xdst,
|
|
|
|
struct flowi *fl, int family, int strict);
|
2005-04-17 06:20:36 +08:00
|
|
|
extern void xfrm_init_pmtu(struct dst_entry *dst);
|
|
|
|
|
2007-02-09 05:11:42 +08:00
|
|
|
#ifdef CONFIG_XFRM_MIGRATE
|
|
|
|
extern int km_migrate(struct xfrm_selector *sel, u8 dir, u8 type,
|
|
|
|
struct xfrm_migrate *m, int num_bundles);
|
|
|
|
extern struct xfrm_state * xfrm_migrate_state_find(struct xfrm_migrate *m);
|
|
|
|
extern struct xfrm_state * xfrm_state_migrate(struct xfrm_state *x,
|
|
|
|
struct xfrm_migrate *m);
|
|
|
|
extern int xfrm_migrate(struct xfrm_selector *sel, u8 dir, u8 type,
|
|
|
|
struct xfrm_migrate *m, int num_bundles);
|
|
|
|
#endif
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
extern wait_queue_head_t km_waitq;
|
2006-11-08 16:24:06 +08:00
|
|
|
extern int km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport);
|
2006-03-21 11:17:25 +08:00
|
|
|
extern void km_policy_expired(struct xfrm_policy *pol, int dir, int hard, u32 pid);
|
2006-08-24 11:44:06 +08:00
|
|
|
extern int km_report(u8 proto, struct xfrm_selector *sel, xfrm_address_t *addr);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
extern void xfrm_input_init(void);
|
2006-09-28 09:47:59 +08:00
|
|
|
extern int xfrm_parse_spi(struct sk_buff *skb, u8 nexthdr, __be32 *spi, __be32 *seq);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
extern void xfrm_probe_algs(void);
|
|
|
|
extern int xfrm_count_auth_supported(void);
|
|
|
|
extern int xfrm_count_enc_supported(void);
|
|
|
|
extern struct xfrm_algo_desc *xfrm_aalg_get_byidx(unsigned int idx);
|
|
|
|
extern struct xfrm_algo_desc *xfrm_ealg_get_byidx(unsigned int idx);
|
|
|
|
extern struct xfrm_algo_desc *xfrm_aalg_get_byid(int alg_id);
|
|
|
|
extern struct xfrm_algo_desc *xfrm_ealg_get_byid(int alg_id);
|
|
|
|
extern struct xfrm_algo_desc *xfrm_calg_get_byid(int alg_id);
|
|
|
|
extern struct xfrm_algo_desc *xfrm_aalg_get_byname(char *name, int probe);
|
|
|
|
extern struct xfrm_algo_desc *xfrm_ealg_get_byname(char *name, int probe);
|
|
|
|
extern struct xfrm_algo_desc *xfrm_calg_get_byname(char *name, int probe);
|
|
|
|
|
2006-08-20 12:24:50 +08:00
|
|
|
struct hash_desc;
|
2006-08-06 17:49:12 +08:00
|
|
|
struct scatterlist;
|
2006-08-20 12:24:50 +08:00
|
|
|
typedef int (icv_update_fn_t)(struct hash_desc *, struct scatterlist *,
|
|
|
|
unsigned int);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2006-08-20 12:24:50 +08:00
|
|
|
extern int skb_icv_walk(const struct sk_buff *skb, struct hash_desc *tfm,
|
|
|
|
int offset, int len, icv_update_fn_t icv_update);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
static inline int xfrm_addr_cmp(xfrm_address_t *a, xfrm_address_t *b,
|
|
|
|
int family)
|
|
|
|
{
|
|
|
|
switch (family) {
|
|
|
|
default:
|
|
|
|
case AF_INET:
|
2006-11-08 16:20:21 +08:00
|
|
|
return (__force __u32)a->a4 - (__force __u32)b->a4;
|
2005-04-17 06:20:36 +08:00
|
|
|
case AF_INET6:
|
|
|
|
return ipv6_addr_cmp((struct in6_addr *)a,
|
|
|
|
(struct in6_addr *)b);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2005-10-06 03:15:12 +08:00
|
|
|
static inline int xfrm_policy_id2dir(u32 index)
|
|
|
|
{
|
|
|
|
return index & 7;
|
|
|
|
}
|
|
|
|
|
2006-03-21 11:15:11 +08:00
|
|
|
static inline int xfrm_aevent_is_on(void)
|
|
|
|
{
|
2006-03-21 14:40:54 +08:00
|
|
|
struct sock *nlsk;
|
|
|
|
int ret = 0;
|
|
|
|
|
|
|
|
rcu_read_lock();
|
|
|
|
nlsk = rcu_dereference(xfrm_nl);
|
|
|
|
if (nlsk)
|
|
|
|
ret = netlink_has_listeners(nlsk, XFRMNLGRP_AEVENTS);
|
|
|
|
rcu_read_unlock();
|
|
|
|
return ret;
|
2006-03-21 11:15:11 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
static inline void xfrm_aevent_doreplay(struct xfrm_state *x)
|
|
|
|
{
|
|
|
|
if (xfrm_aevent_is_on())
|
|
|
|
xfrm_replay_notify(x, XFRM_REPLAY_UPDATE);
|
|
|
|
}
|
|
|
|
|
2007-02-09 05:11:42 +08:00
|
|
|
#ifdef CONFIG_XFRM_MIGRATE
|
|
|
|
static inline struct xfrm_algo *xfrm_algo_clone(struct xfrm_algo *orig)
|
|
|
|
{
|
|
|
|
return (struct xfrm_algo *)kmemdup(orig, sizeof(*orig) + orig->alg_key_len, GFP_KERNEL);
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline void xfrm_states_put(struct xfrm_state **states, int n)
|
|
|
|
{
|
|
|
|
int i;
|
|
|
|
for (i = 0; i < n; i++)
|
|
|
|
xfrm_state_put(*(states + i));
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline void xfrm_states_delete(struct xfrm_state **states, int n)
|
|
|
|
{
|
|
|
|
int i;
|
|
|
|
for (i = 0; i < n; i++)
|
|
|
|
xfrm_state_delete(*(states + i));
|
|
|
|
}
|
|
|
|
#endif
|
2006-03-21 11:15:11 +08:00
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
#endif /* _NET_XFRM_H */
|