search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
[IPSEC]: Move type and mode map into xfrm_state.c
[linux-2.6/cjktty.git] / net / xfrm / xfrm_state.c
blobdc438f2b944226a26ec45033d5ff73cffe8dc433
1 /*
2 * xfrm_state.c
3 *
4 * Changes:
5 * Mitsuru KANDA @USAGI
6 * Kazunori MIYAZAWA @USAGI
7 * Kunihiro Ishiguro <kunihiro@ipinfusion.com>
8 * IPv6 support
9 * YOSHIFUJI Hideaki @USAGI
10 * Split up af-specific functions
11 * Derek Atkins <derek@ihtfp.com>
12 * Add UDP Encapsulation
13 *
14 */
15
16 #include <linux/workqueue.h>
17 #include <net/xfrm.h>
18 #include <linux/pfkeyv2.h>
19 #include <linux/ipsec.h>
20 #include <linux/module.h>
21 #include <linux/cache.h>
22 #include <asm/uaccess.h>
23
24 #include "xfrm_hash.h"
25
26 struct sock *xfrm_nl;
27 EXPORT_SYMBOL(xfrm_nl);
28
29 u32 sysctl_xfrm_aevent_etime __read_mostly = XFRM_AE_ETIME;
30 EXPORT_SYMBOL(sysctl_xfrm_aevent_etime);
31
32 u32 sysctl_xfrm_aevent_rseqth __read_mostly = XFRM_AE_SEQT_SIZE;
33 EXPORT_SYMBOL(sysctl_xfrm_aevent_rseqth);
34
35 u32 sysctl_xfrm_acq_expires __read_mostly = 30;
36
37 /* Each xfrm_state may be linked to two tables:
38
39 1. Hash table by (spi,daddr,ah/esp) to find SA by SPI. (input,ctl)
40 2. Hash table by (daddr,family,reqid) to find what SAs exist for given
41 destination/tunnel endpoint. (output)
42 */
43
44 static DEFINE_SPINLOCK(xfrm_state_lock);
45
46 /* Hash table to find appropriate SA towards given target (endpoint
47 * of tunnel or destination of transport mode) allowed by selector.
48 *
49 * Main use is finding SA after policy selected tunnel or transport mode.
50 * Also, it can be used by ah/esp icmp error handler to find offending SA.
51 */
52 static struct hlist_head *xfrm_state_bydst __read_mostly;
53 static struct hlist_head *xfrm_state_bysrc __read_mostly;
54 static struct hlist_head *xfrm_state_byspi __read_mostly;
55 static unsigned int xfrm_state_hmask __read_mostly;
56 static unsigned int xfrm_state_hashmax __read_mostly = 1 * 1024 * 1024;
57 static unsigned int xfrm_state_num;
58 static unsigned int xfrm_state_genid;
59
60 static inline unsigned int xfrm_dst_hash(xfrm_address_t *daddr,
61 xfrm_address_t *saddr,
62 u32 reqid,
63 unsigned short family)
64 {
65 return __xfrm_dst_hash(daddr, saddr, reqid, family, xfrm_state_hmask);
66 }
67
68 static inline unsigned int xfrm_src_hash(xfrm_address_t *daddr,
69 xfrm_address_t *saddr,
70 unsigned short family)
71 {
72 return __xfrm_src_hash(daddr, saddr, family, xfrm_state_hmask);
73 }
74
75 static inline unsigned int
76 xfrm_spi_hash(xfrm_address_t *daddr, __be32 spi, u8 proto, unsigned short family)
77 {
78 return __xfrm_spi_hash(daddr, spi, proto, family, xfrm_state_hmask);
79 }
80
81 static void xfrm_hash_transfer(struct hlist_head *list,
82 struct hlist_head *ndsttable,
83 struct hlist_head *nsrctable,
84 struct hlist_head *nspitable,
85 unsigned int nhashmask)
86 {
87 struct hlist_node *entry, *tmp;
88 struct xfrm_state *x;
89
90 hlist_for_each_entry_safe(x, entry, tmp, list, bydst) {
91 unsigned int h;
92
93 h = __xfrm_dst_hash(&x->id.daddr, &x->props.saddr,
94 x->props.reqid, x->props.family,
95 nhashmask);
96 hlist_add_head(&x->bydst, ndsttable+h);
97
98 h = __xfrm_src_hash(&x->id.daddr, &x->props.saddr,
99 x->props.family,
100 nhashmask);
101 hlist_add_head(&x->bysrc, nsrctable+h);
102
103 if (x->id.spi) {
104 h = __xfrm_spi_hash(&x->id.daddr, x->id.spi,
105 x->id.proto, x->props.family,
106 nhashmask);
107 hlist_add_head(&x->byspi, nspitable+h);
108 }
109 }
110 }
111
112 static unsigned long xfrm_hash_new_size(void)
113 {
114 return ((xfrm_state_hmask + 1) << 1) *
115 sizeof(struct hlist_head);
116 }
117
118 static DEFINE_MUTEX(hash_resize_mutex);
119
120 static void xfrm_hash_resize(struct work_struct *__unused)
121 {
122 struct hlist_head *ndst, *nsrc, *nspi, *odst, *osrc, *ospi;
123 unsigned long nsize, osize;
124 unsigned int nhashmask, ohashmask;
125 int i;
126
127 mutex_lock(&hash_resize_mutex);
128
129 nsize = xfrm_hash_new_size();
130 ndst = xfrm_hash_alloc(nsize);
131 if (!ndst)
132 goto out_unlock;
133 nsrc = xfrm_hash_alloc(nsize);
134 if (!nsrc) {
135 xfrm_hash_free(ndst, nsize);
136 goto out_unlock;
137 }
138 nspi = xfrm_hash_alloc(nsize);
139 if (!nspi) {
140 xfrm_hash_free(ndst, nsize);
141 xfrm_hash_free(nsrc, nsize);
142 goto out_unlock;
143 }
144
145 spin_lock_bh(&xfrm_state_lock);
146
147 nhashmask = (nsize / sizeof(struct hlist_head)) - 1U;
148 for (i = xfrm_state_hmask; i >= 0; i--)
149 xfrm_hash_transfer(xfrm_state_bydst+i, ndst, nsrc, nspi,
150 nhashmask);
151
152 odst = xfrm_state_bydst;
153 osrc = xfrm_state_bysrc;
154 ospi = xfrm_state_byspi;
155 ohashmask = xfrm_state_hmask;
156
157 xfrm_state_bydst = ndst;
158 xfrm_state_bysrc = nsrc;
159 xfrm_state_byspi = nspi;
160 xfrm_state_hmask = nhashmask;
161
162 spin_unlock_bh(&xfrm_state_lock);
163
164 osize = (ohashmask + 1) * sizeof(struct hlist_head);
165 xfrm_hash_free(odst, osize);
166 xfrm_hash_free(osrc, osize);
167 xfrm_hash_free(ospi, osize);
168
169 out_unlock:
170 mutex_unlock(&hash_resize_mutex);
171 }
172
173 static DECLARE_WORK(xfrm_hash_work, xfrm_hash_resize);
174
175 DECLARE_WAIT_QUEUE_HEAD(km_waitq);
176 EXPORT_SYMBOL(km_waitq);
177
178 static DEFINE_RWLOCK(xfrm_state_afinfo_lock);
179 static struct xfrm_state_afinfo *xfrm_state_afinfo[NPROTO];
180
181 static struct work_struct xfrm_state_gc_work;
182 static HLIST_HEAD(xfrm_state_gc_list);
183 static DEFINE_SPINLOCK(xfrm_state_gc_lock);
184
185 int __xfrm_state_delete(struct xfrm_state *x);
186
187 int km_query(struct xfrm_state *x, struct xfrm_tmpl *t, struct xfrm_policy *pol);
188 void km_state_expired(struct xfrm_state *x, int hard, u32 pid);
189
190 static struct xfrm_state_afinfo *xfrm_state_lock_afinfo(unsigned int family)
191 {
192 struct xfrm_state_afinfo *afinfo;
193 if (unlikely(family >= NPROTO))
194 return NULL;
195 write_lock_bh(&xfrm_state_afinfo_lock);
196 afinfo = xfrm_state_afinfo[family];
197 if (unlikely(!afinfo))
198 write_unlock_bh(&xfrm_state_afinfo_lock);
199 return afinfo;
200 }
201
202 static void xfrm_state_unlock_afinfo(struct xfrm_state_afinfo *afinfo)
203 {
204 write_unlock_bh(&xfrm_state_afinfo_lock);
205 }
206
207 int xfrm_register_type(struct xfrm_type *type, unsigned short family)
208 {
209 struct xfrm_state_afinfo *afinfo = xfrm_state_lock_afinfo(family);
210 struct xfrm_type **typemap;
211 int err = 0;
212
213 if (unlikely(afinfo == NULL))
214 return -EAFNOSUPPORT;
215 typemap = afinfo->type_map;
216
217 if (likely(typemap[type->proto] == NULL))
218 typemap[type->proto] = type;
219 else
220 err = -EEXIST;
221 xfrm_state_unlock_afinfo(afinfo);
222 return err;
223 }
224 EXPORT_SYMBOL(xfrm_register_type);
225
226 int xfrm_unregister_type(struct xfrm_type *type, unsigned short family)
227 {
228 struct xfrm_state_afinfo *afinfo = xfrm_state_lock_afinfo(family);
229 struct xfrm_type **typemap;
230 int err = 0;
231
232 if (unlikely(afinfo == NULL))
233 return -EAFNOSUPPORT;
234 typemap = afinfo->type_map;
235
236 if (unlikely(typemap[type->proto] != type))
237 err = -ENOENT;
238 else
239 typemap[type->proto] = NULL;
240 xfrm_state_unlock_afinfo(afinfo);
241 return err;
242 }
243 EXPORT_SYMBOL(xfrm_unregister_type);
244
245 static struct xfrm_type *xfrm_get_type(u8 proto, unsigned short family)
246 {
247 struct xfrm_state_afinfo *afinfo;
248 struct xfrm_type **typemap;
249 struct xfrm_type *type;
250 int modload_attempted = 0;
251
252 retry:
253 afinfo = xfrm_state_get_afinfo(family);
254 if (unlikely(afinfo == NULL))
255 return NULL;
256 typemap = afinfo->type_map;
257
258 type = typemap[proto];
259 if (unlikely(type && !try_module_get(type->owner)))
260 type = NULL;
261 if (!type && !modload_attempted) {
262 xfrm_state_put_afinfo(afinfo);
263 request_module("xfrm-type-%d-%d", family, proto);
264 modload_attempted = 1;
265 goto retry;
266 }
267
268 xfrm_state_put_afinfo(afinfo);
269 return type;
270 }
271
272 static void xfrm_put_type(struct xfrm_type *type)
273 {
274 module_put(type->owner);
275 }
276
277 int xfrm_register_mode(struct xfrm_mode *mode, int family)
278 {
279 struct xfrm_state_afinfo *afinfo;
280 struct xfrm_mode **modemap;
281 int err;
282
283 if (unlikely(mode->encap >= XFRM_MODE_MAX))
284 return -EINVAL;
285
286 afinfo = xfrm_state_lock_afinfo(family);
287 if (unlikely(afinfo == NULL))
288 return -EAFNOSUPPORT;
289
290 err = -EEXIST;
291 modemap = afinfo->mode_map;
292 if (likely(modemap[mode->encap] == NULL)) {
293 modemap[mode->encap] = mode;
294 err = 0;
295 }
296
297 xfrm_state_unlock_afinfo(afinfo);
298 return err;
299 }
300 EXPORT_SYMBOL(xfrm_register_mode);
301
302 int xfrm_unregister_mode(struct xfrm_mode *mode, int family)
303 {
304 struct xfrm_state_afinfo *afinfo;
305 struct xfrm_mode **modemap;
306 int err;
307
308 if (unlikely(mode->encap >= XFRM_MODE_MAX))
309 return -EINVAL;
310
311 afinfo = xfrm_state_lock_afinfo(family);
312 if (unlikely(afinfo == NULL))
313 return -EAFNOSUPPORT;
314
315 err = -ENOENT;
316 modemap = afinfo->mode_map;
317 if (likely(modemap[mode->encap] == mode)) {
318 modemap[mode->encap] = NULL;
319 err = 0;
320 }
321
322 xfrm_state_unlock_afinfo(afinfo);
323 return err;
324 }
325 EXPORT_SYMBOL(xfrm_unregister_mode);
326
327 static struct xfrm_mode *xfrm_get_mode(unsigned int encap, int family)
328 {
329 struct xfrm_state_afinfo *afinfo;
330 struct xfrm_mode *mode;
331 int modload_attempted = 0;
332
333 if (unlikely(encap >= XFRM_MODE_MAX))
334 return NULL;
335
336 retry:
337 afinfo = xfrm_state_get_afinfo(family);
338 if (unlikely(afinfo == NULL))
339 return NULL;
340
341 mode = afinfo->mode_map[encap];
342 if (unlikely(mode && !try_module_get(mode->owner)))
343 mode = NULL;
344 if (!mode && !modload_attempted) {
345 xfrm_state_put_afinfo(afinfo);
346 request_module("xfrm-mode-%d-%d", family, encap);
347 modload_attempted = 1;
348 goto retry;
349 }
350
351 xfrm_state_put_afinfo(afinfo);
352 return mode;
353 }
354
355 static void xfrm_put_mode(struct xfrm_mode *mode)
356 {
357 module_put(mode->owner);
358 }
359
360 static void xfrm_state_gc_destroy(struct xfrm_state *x)
361 {
362 del_timer_sync(&x->timer);
363 del_timer_sync(&x->rtimer);
364 kfree(x->aalg);
365 kfree(x->ealg);
366 kfree(x->calg);
367 kfree(x->encap);
368 kfree(x->coaddr);
369 if (x->mode)
370 xfrm_put_mode(x->mode);
371 if (x->type) {
372 x->type->destructor(x);
373 xfrm_put_type(x->type);
374 }
375 security_xfrm_state_free(x);
376 kfree(x);
377 }
378
379 static void xfrm_state_gc_task(struct work_struct *data)
380 {
381 struct xfrm_state *x;
382 struct hlist_node *entry, *tmp;
383 struct hlist_head gc_list;
384
385 spin_lock_bh(&xfrm_state_gc_lock);
386 gc_list.first = xfrm_state_gc_list.first;
387 INIT_HLIST_HEAD(&xfrm_state_gc_list);
388 spin_unlock_bh(&xfrm_state_gc_lock);
389
390 hlist_for_each_entry_safe(x, entry, tmp, &gc_list, bydst)
391 xfrm_state_gc_destroy(x);
392
393 wake_up(&km_waitq);
394 }
395
396 static inline unsigned long make_jiffies(long secs)
397 {
398 if (secs >= (MAX_SCHEDULE_TIMEOUT-1)/HZ)
399 return MAX_SCHEDULE_TIMEOUT-1;
400 else
401 return secs*HZ;
402 }
403
404 static void xfrm_timer_handler(unsigned long data)
405 {
406 struct xfrm_state *x = (struct xfrm_state*)data;
407 unsigned long now = get_seconds();
408 long next = LONG_MAX;
409 int warn = 0;
410 int err = 0;
411
412 spin_lock(&x->lock);
413 if (x->km.state == XFRM_STATE_DEAD)
414 goto out;
415 if (x->km.state == XFRM_STATE_EXPIRED)
416 goto expired;
417 if (x->lft.hard_add_expires_seconds) {
418 long tmo = x->lft.hard_add_expires_seconds +
419 x->curlft.add_time - now;
420 if (tmo <= 0)
421 goto expired;
422 if (tmo < next)
423 next = tmo;
424 }
425 if (x->lft.hard_use_expires_seconds) {
426 long tmo = x->lft.hard_use_expires_seconds +
427 (x->curlft.use_time ? : now) - now;
428 if (tmo <= 0)
429 goto expired;
430 if (tmo < next)
431 next = tmo;
432 }
433 if (x->km.dying)
434 goto resched;
435 if (x->lft.soft_add_expires_seconds) {
436 long tmo = x->lft.soft_add_expires_seconds +
437 x->curlft.add_time - now;
438 if (tmo <= 0)
439 warn = 1;
440 else if (tmo < next)
441 next = tmo;
442 }
443 if (x->lft.soft_use_expires_seconds) {
444 long tmo = x->lft.soft_use_expires_seconds +
445 (x->curlft.use_time ? : now) - now;
446 if (tmo <= 0)
447 warn = 1;
448 else if (tmo < next)
449 next = tmo;
450 }
451
452 x->km.dying = warn;
453 if (warn)
454 km_state_expired(x, 0, 0);
455 resched:
456 if (next != LONG_MAX)
457 mod_timer(&x->timer, jiffies + make_jiffies(next));
458
459 goto out;
460
461 expired:
462 if (x->km.state == XFRM_STATE_ACQ && x->id.spi == 0) {
463 x->km.state = XFRM_STATE_EXPIRED;
464 wake_up(&km_waitq);
465 next = 2;
466 goto resched;
467 }
468
469 err = __xfrm_state_delete(x);
470 if (!err && x->id.spi)
471 km_state_expired(x, 1, 0);
472
473 xfrm_audit_state_delete(x, err ? 0 : 1,
474 audit_get_loginuid(current->audit_context), 0);
475
476 out:
477 spin_unlock(&x->lock);
478 }
479
480 static void xfrm_replay_timer_handler(unsigned long data);
481
482 struct xfrm_state *xfrm_state_alloc(void)
483 {
484 struct xfrm_state *x;
485
486 x = kzalloc(sizeof(struct xfrm_state), GFP_ATOMIC);
487
488 if (x) {
489 atomic_set(&x->refcnt, 1);
490 atomic_set(&x->tunnel_users, 0);
491 INIT_HLIST_NODE(&x->bydst);
492 INIT_HLIST_NODE(&x->bysrc);
493 INIT_HLIST_NODE(&x->byspi);
494 init_timer(&x->timer);
495 x->timer.function = xfrm_timer_handler;
496 x->timer.data = (unsigned long)x;
497 init_timer(&x->rtimer);
498 x->rtimer.function = xfrm_replay_timer_handler;
499 x->rtimer.data = (unsigned long)x;
500 x->curlft.add_time = get_seconds();
501 x->lft.soft_byte_limit = XFRM_INF;
502 x->lft.soft_packet_limit = XFRM_INF;
503 x->lft.hard_byte_limit = XFRM_INF;
504 x->lft.hard_packet_limit = XFRM_INF;
505 x->replay_maxage = 0;
506 x->replay_maxdiff = 0;
507 spin_lock_init(&x->lock);
508 }
509 return x;
510 }
511 EXPORT_SYMBOL(xfrm_state_alloc);
512
513 void __xfrm_state_destroy(struct xfrm_state *x)
514 {
515 BUG_TRAP(x->km.state == XFRM_STATE_DEAD);
516
517 spin_lock_bh(&xfrm_state_gc_lock);
518 hlist_add_head(&x->bydst, &xfrm_state_gc_list);
519 spin_unlock_bh(&xfrm_state_gc_lock);
520 schedule_work(&xfrm_state_gc_work);
521 }
522 EXPORT_SYMBOL(__xfrm_state_destroy);
523
524 int __xfrm_state_delete(struct xfrm_state *x)
525 {
526 int err = -ESRCH;
527
528 if (x->km.state != XFRM_STATE_DEAD) {
529 x->km.state = XFRM_STATE_DEAD;
530 spin_lock(&xfrm_state_lock);
531 hlist_del(&x->bydst);
532 hlist_del(&x->bysrc);
533 if (x->id.spi)
534 hlist_del(&x->byspi);
535 xfrm_state_num--;
536 spin_unlock(&xfrm_state_lock);
537
538 /* All xfrm_state objects are created by xfrm_state_alloc.
539 * The xfrm_state_alloc call gives a reference, and that
540 * is what we are dropping here.
541 */
542 __xfrm_state_put(x);
543 err = 0;
544 }
545
546 return err;
547 }
548 EXPORT_SYMBOL(__xfrm_state_delete);
549
550 int xfrm_state_delete(struct xfrm_state *x)
551 {
552 int err;
553
554 spin_lock_bh(&x->lock);
555 err = __xfrm_state_delete(x);
556 spin_unlock_bh(&x->lock);
557
558 return err;
559 }
560 EXPORT_SYMBOL(xfrm_state_delete);
561
562 #ifdef CONFIG_SECURITY_NETWORK_XFRM
563 static inline int
564 xfrm_state_flush_secctx_check(u8 proto, struct xfrm_audit *audit_info)
565 {
566 int i, err = 0;
567
568 for (i = 0; i <= xfrm_state_hmask; i++) {
569 struct hlist_node *entry;
570 struct xfrm_state *x;
571
572 hlist_for_each_entry(x, entry, xfrm_state_bydst+i, bydst) {
573 if (xfrm_id_proto_match(x->id.proto, proto) &&
574 (err = security_xfrm_state_delete(x)) != 0) {
575 xfrm_audit_state_delete(x, 0,
576 audit_info->loginuid,
577 audit_info->secid);
578 return err;
579 }
580 }
581 }
582
583 return err;
584 }
585 #else
586 static inline int
587 xfrm_state_flush_secctx_check(u8 proto, struct xfrm_audit *audit_info)
588 {
589 return 0;
590 }
591 #endif
592
593 int xfrm_state_flush(u8 proto, struct xfrm_audit *audit_info)
594 {
595 int i, err = 0;
596
597 spin_lock_bh(&xfrm_state_lock);
598 err = xfrm_state_flush_secctx_check(proto, audit_info);
599 if (err)
600 goto out;
601
602 for (i = 0; i <= xfrm_state_hmask; i++) {
603 struct hlist_node *entry;
604 struct xfrm_state *x;
605 restart:
606 hlist_for_each_entry(x, entry, xfrm_state_bydst+i, bydst) {
607 if (!xfrm_state_kern(x) &&
608 xfrm_id_proto_match(x->id.proto, proto)) {
609 xfrm_state_hold(x);
610 spin_unlock_bh(&xfrm_state_lock);
611
612 err = xfrm_state_delete(x);
613 xfrm_audit_state_delete(x, err ? 0 : 1,
614 audit_info->loginuid,
615 audit_info->secid);
616 xfrm_state_put(x);
617
618 spin_lock_bh(&xfrm_state_lock);
619 goto restart;
620 }
621 }
622 }
623 err = 0;
624
625 out:
626 spin_unlock_bh(&xfrm_state_lock);
627 wake_up(&km_waitq);
628 return err;
629 }
630 EXPORT_SYMBOL(xfrm_state_flush);
631
632 void xfrm_sad_getinfo(struct xfrmk_sadinfo *si)
633 {
634 spin_lock_bh(&xfrm_state_lock);
635 si->sadcnt = xfrm_state_num;
636 si->sadhcnt = xfrm_state_hmask;
637 si->sadhmcnt = xfrm_state_hashmax;
638 spin_unlock_bh(&xfrm_state_lock);
639 }
640 EXPORT_SYMBOL(xfrm_sad_getinfo);
641
642 static int
643 xfrm_init_tempsel(struct xfrm_state *x, struct flowi *fl,
644 struct xfrm_tmpl *tmpl,
645 xfrm_address_t *daddr, xfrm_address_t *saddr,
646 unsigned short family)
647 {
648 struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family);
649 if (!afinfo)
650 return -1;
651 afinfo->init_tempsel(x, fl, tmpl, daddr, saddr);
652 xfrm_state_put_afinfo(afinfo);
653 return 0;
654 }
655
656 static struct xfrm_state *__xfrm_state_lookup(xfrm_address_t *daddr, __be32 spi, u8 proto, unsigned short family)
657 {
658 unsigned int h = xfrm_spi_hash(daddr, spi, proto, family);
659 struct xfrm_state *x;
660 struct hlist_node *entry;
661
662 hlist_for_each_entry(x, entry, xfrm_state_byspi+h, byspi) {
663 if (x->props.family != family ||
664 x->id.spi != spi ||
665 x->id.proto != proto)
666 continue;
667
668 switch (family) {
669 case AF_INET:
670 if (x->id.daddr.a4 != daddr->a4)
671 continue;
672 break;
673 case AF_INET6:
674 if (!ipv6_addr_equal((struct in6_addr *)daddr,
675 (struct in6_addr *)
676 x->id.daddr.a6))
677 continue;
678 break;
679 }
680
681 xfrm_state_hold(x);
682 return x;
683 }
684
685 return NULL;
686 }
687
688 static struct xfrm_state *__xfrm_state_lookup_byaddr(xfrm_address_t *daddr, xfrm_address_t *saddr, u8 proto, unsigned short family)
689 {
690 unsigned int h = xfrm_src_hash(daddr, saddr, family);
691 struct xfrm_state *x;
692 struct hlist_node *entry;
693
694 hlist_for_each_entry(x, entry, xfrm_state_bysrc+h, bysrc) {
695 if (x->props.family != family ||
696 x->id.proto != proto)
697 continue;
698
699 switch (family) {
700 case AF_INET:
701 if (x->id.daddr.a4 != daddr->a4 ||
702 x->props.saddr.a4 != saddr->a4)
703 continue;
704 break;
705 case AF_INET6:
706 if (!ipv6_addr_equal((struct in6_addr *)daddr,
707 (struct in6_addr *)
708 x->id.daddr.a6) ||
709 !ipv6_addr_equal((struct in6_addr *)saddr,
710 (struct in6_addr *)
711 x->props.saddr.a6))
712 continue;
713 break;
714 }
715
716 xfrm_state_hold(x);
717 return x;
718 }
719
720 return NULL;
721 }
722
723 static inline struct xfrm_state *
724 __xfrm_state_locate(struct xfrm_state *x, int use_spi, int family)
725 {
726 if (use_spi)
727 return __xfrm_state_lookup(&x->id.daddr, x->id.spi,
728 x->id.proto, family);
729 else
730 return __xfrm_state_lookup_byaddr(&x->id.daddr,
731 &x->props.saddr,
732 x->id.proto, family);
733 }
734
735 static void xfrm_hash_grow_check(int have_hash_collision)
736 {
737 if (have_hash_collision &&
738 (xfrm_state_hmask + 1) < xfrm_state_hashmax &&
739 xfrm_state_num > xfrm_state_hmask)
740 schedule_work(&xfrm_hash_work);
741 }
742
743 struct xfrm_state *
744 xfrm_state_find(xfrm_address_t *daddr, xfrm_address_t *saddr,
745 struct flowi *fl, struct xfrm_tmpl *tmpl,
746 struct xfrm_policy *pol, int *err,
747 unsigned short family)
748 {
749 unsigned int h = xfrm_dst_hash(daddr, saddr, tmpl->reqid, family);
750 struct hlist_node *entry;
751 struct xfrm_state *x, *x0;
752 int acquire_in_progress = 0;
753 int error = 0;
754 struct xfrm_state *best = NULL;
755
756 spin_lock_bh(&xfrm_state_lock);
757 hlist_for_each_entry(x, entry, xfrm_state_bydst+h, bydst) {
758 if (x->props.family == family &&
759 x->props.reqid == tmpl->reqid &&
760 !(x->props.flags & XFRM_STATE_WILDRECV) &&
761 xfrm_state_addr_check(x, daddr, saddr, family) &&
762 tmpl->mode == x->props.mode &&
763 tmpl->id.proto == x->id.proto &&
764 (tmpl->id.spi == x->id.spi || !tmpl->id.spi)) {
765 /* Resolution logic:
766 1. There is a valid state with matching selector.
767 Done.
768 2. Valid state with inappropriate selector. Skip.
769
770 Entering area of "sysdeps".
771
772 3. If state is not valid, selector is temporary,
773 it selects only session which triggered
774 previous resolution. Key manager will do
775 something to install a state with proper
776 selector.
777 */
778 if (x->km.state == XFRM_STATE_VALID) {
779 if (!xfrm_selector_match(&x->sel, fl, x->sel.family) ||
780 !security_xfrm_state_pol_flow_match(x, pol, fl))
781 continue;
782 if (!best ||
783 best->km.dying > x->km.dying ||
784 (best->km.dying == x->km.dying &&
785 best->curlft.add_time < x->curlft.add_time))
786 best = x;
787 } else if (x->km.state == XFRM_STATE_ACQ) {
788 acquire_in_progress = 1;
789 } else if (x->km.state == XFRM_STATE_ERROR ||
790 x->km.state == XFRM_STATE_EXPIRED) {
791 if (xfrm_selector_match(&x->sel, fl, x->sel.family) &&
792 security_xfrm_state_pol_flow_match(x, pol, fl))
793 error = -ESRCH;
794 }
795 }
796 }
797
798 x = best;
799 if (!x && !error && !acquire_in_progress) {
800 if (tmpl->id.spi &&
801 (x0 = __xfrm_state_lookup(daddr, tmpl->id.spi,
802 tmpl->id.proto, family)) != NULL) {
803 xfrm_state_put(x0);
804 error = -EEXIST;
805 goto out;
806 }
807 x = xfrm_state_alloc();
808 if (x == NULL) {
809 error = -ENOMEM;
810 goto out;
811 }
812 /* Initialize temporary selector matching only
813 * to current session. */
814 xfrm_init_tempsel(x, fl, tmpl, daddr, saddr, family);
815
816 error = security_xfrm_state_alloc_acquire(x, pol->security, fl->secid);
817 if (error) {
818 x->km.state = XFRM_STATE_DEAD;
819 xfrm_state_put(x);
820 x = NULL;
821 goto out;
822 }
823
824 if (km_query(x, tmpl, pol) == 0) {
825 x->km.state = XFRM_STATE_ACQ;
826 hlist_add_head(&x->bydst, xfrm_state_bydst+h);
827 h = xfrm_src_hash(daddr, saddr, family);
828 hlist_add_head(&x->bysrc, xfrm_state_bysrc+h);
829 if (x->id.spi) {
830 h = xfrm_spi_hash(&x->id.daddr, x->id.spi, x->id.proto, family);
831 hlist_add_head(&x->byspi, xfrm_state_byspi+h);
832 }
833 x->lft.hard_add_expires_seconds = sysctl_xfrm_acq_expires;
834 x->timer.expires = jiffies + sysctl_xfrm_acq_expires*HZ;
835 add_timer(&x->timer);
836 xfrm_state_num++;
837 xfrm_hash_grow_check(x->bydst.next != NULL);
838 } else {
839 x->km.state = XFRM_STATE_DEAD;
840 xfrm_state_put(x);
841 x = NULL;
842 error = -ESRCH;
843 }
844 }
845 out:
846 if (x)
847 xfrm_state_hold(x);
848 else
849 *err = acquire_in_progress ? -EAGAIN : error;
850 spin_unlock_bh(&xfrm_state_lock);
851 return x;
852 }
853
854 struct xfrm_state *
855 xfrm_stateonly_find(xfrm_address_t *daddr, xfrm_address_t *saddr,
856 unsigned short family, u8 mode, u8 proto, u32 reqid)
857 {
858 unsigned int h = xfrm_dst_hash(daddr, saddr, reqid, family);
859 struct xfrm_state *rx = NULL, *x = NULL;
860 struct hlist_node *entry;
861
862 spin_lock(&xfrm_state_lock);
863 hlist_for_each_entry(x, entry, xfrm_state_bydst+h, bydst) {
864 if (x->props.family == family &&
865 x->props.reqid == reqid &&
866 !(x->props.flags & XFRM_STATE_WILDRECV) &&
867 xfrm_state_addr_check(x, daddr, saddr, family) &&
868 mode == x->props.mode &&
869 proto == x->id.proto &&
870 x->km.state == XFRM_STATE_VALID) {
871 rx = x;
872 break;
873 }
874 }
875
876 if (rx)
877 xfrm_state_hold(rx);
878 spin_unlock(&xfrm_state_lock);
879
880
881 return rx;
882 }
883 EXPORT_SYMBOL(xfrm_stateonly_find);
884
885 static void __xfrm_state_insert(struct xfrm_state *x)
886 {
887 unsigned int h;
888
889 x->genid = ++xfrm_state_genid;
890
891 h = xfrm_dst_hash(&x->id.daddr, &x->props.saddr,
892 x->props.reqid, x->props.family);
893 hlist_add_head(&x->bydst, xfrm_state_bydst+h);
894
895 h = xfrm_src_hash(&x->id.daddr, &x->props.saddr, x->props.family);
896 hlist_add_head(&x->bysrc, xfrm_state_bysrc+h);
897
898 if (x->id.spi) {
899 h = xfrm_spi_hash(&x->id.daddr, x->id.spi, x->id.proto,
900 x->props.family);
901
902 hlist_add_head(&x->byspi, xfrm_state_byspi+h);
903 }
904
905 mod_timer(&x->timer, jiffies + HZ);
906 if (x->replay_maxage)
907 mod_timer(&x->rtimer, jiffies + x->replay_maxage);
908
909 wake_up(&km_waitq);
910
911 xfrm_state_num++;
912
913 xfrm_hash_grow_check(x->bydst.next != NULL);
914 }
915
916 /* xfrm_state_lock is held */
917 static void __xfrm_state_bump_genids(struct xfrm_state *xnew)
918 {
919 unsigned short family = xnew->props.family;
920 u32 reqid = xnew->props.reqid;
921 struct xfrm_state *x;
922 struct hlist_node *entry;
923 unsigned int h;
924
925 h = xfrm_dst_hash(&xnew->id.daddr, &xnew->props.saddr, reqid, family);
926 hlist_for_each_entry(x, entry, xfrm_state_bydst+h, bydst) {
927 if (x->props.family == family &&
928 x->props.reqid == reqid &&
929 !xfrm_addr_cmp(&x->id.daddr, &xnew->id.daddr, family) &&
930 !xfrm_addr_cmp(&x->props.saddr, &xnew->props.saddr, family))
931 x->genid = xfrm_state_genid;
932 }
933 }
934
935 void xfrm_state_insert(struct xfrm_state *x)
936 {
937 spin_lock_bh(&xfrm_state_lock);
938 __xfrm_state_bump_genids(x);
939 __xfrm_state_insert(x);
940 spin_unlock_bh(&xfrm_state_lock);
941 }
942 EXPORT_SYMBOL(xfrm_state_insert);
943
944 /* xfrm_state_lock is held */
945 static struct xfrm_state *__find_acq_core(unsigned short family, u8 mode, u32 reqid, u8 proto, xfrm_address_t *daddr, xfrm_address_t *saddr, int create)
946 {
947 unsigned int h = xfrm_dst_hash(daddr, saddr, reqid, family);
948 struct hlist_node *entry;
949 struct xfrm_state *x;
950
951 hlist_for_each_entry(x, entry, xfrm_state_bydst+h, bydst) {
952 if (x->props.reqid != reqid ||
953 x->props.mode != mode ||
954 x->props.family != family ||
955 x->km.state != XFRM_STATE_ACQ ||
956 x->id.spi != 0 ||
957 x->id.proto != proto)
958 continue;
959
960 switch (family) {
961 case AF_INET:
962 if (x->id.daddr.a4 != daddr->a4 ||
963 x->props.saddr.a4 != saddr->a4)
964 continue;
965 break;
966 case AF_INET6:
967 if (!ipv6_addr_equal((struct in6_addr *)x->id.daddr.a6,
968 (struct in6_addr *)daddr) ||
969 !ipv6_addr_equal((struct in6_addr *)
970 x->props.saddr.a6,
971 (struct in6_addr *)saddr))
972 continue;
973 break;
974 }
975
976 xfrm_state_hold(x);
977 return x;
978 }
979
980 if (!create)
981 return NULL;
982
983 x = xfrm_state_alloc();
984 if (likely(x)) {
985 switch (family) {
986 case AF_INET:
987 x->sel.daddr.a4 = daddr->a4;
988 x->sel.saddr.a4 = saddr->a4;
989 x->sel.prefixlen_d = 32;
990 x->sel.prefixlen_s = 32;
991 x->props.saddr.a4 = saddr->a4;
992 x->id.daddr.a4 = daddr->a4;
993 break;
994
995 case AF_INET6:
996 ipv6_addr_copy((struct in6_addr *)x->sel.daddr.a6,
997 (struct in6_addr *)daddr);
998 ipv6_addr_copy((struct in6_addr *)x->sel.saddr.a6,
999 (struct in6_addr *)saddr);
1000 x->sel.prefixlen_d = 128;
1001 x->sel.prefixlen_s = 128;
1002 ipv6_addr_copy((struct in6_addr *)x->props.saddr.a6,
1003 (struct in6_addr *)saddr);
1004 ipv6_addr_copy((struct in6_addr *)x->id.daddr.a6,
1005 (struct in6_addr *)daddr);
1006 break;
1007 }
1008
1009 x->km.state = XFRM_STATE_ACQ;
1010 x->id.proto = proto;
1011 x->props.family = family;
1012 x->props.mode = mode;
1013 x->props.reqid = reqid;
1014 x->lft.hard_add_expires_seconds = sysctl_xfrm_acq_expires;
1015 xfrm_state_hold(x);
1016 x->timer.expires = jiffies + sysctl_xfrm_acq_expires*HZ;
1017 add_timer(&x->timer);
1018 hlist_add_head(&x->bydst, xfrm_state_bydst+h);
1019 h = xfrm_src_hash(daddr, saddr, family);
1020 hlist_add_head(&x->bysrc, xfrm_state_bysrc+h);
1021
1022 xfrm_state_num++;
1023
1024 xfrm_hash_grow_check(x->bydst.next != NULL);
1025 }
1026
1027 return x;
1028 }
1029
1030 static struct xfrm_state *__xfrm_find_acq_byseq(u32 seq);
1031
1032 int xfrm_state_add(struct xfrm_state *x)
1033 {
1034 struct xfrm_state *x1;
1035 int family;
1036 int err;
1037 int use_spi = xfrm_id_proto_match(x->id.proto, IPSEC_PROTO_ANY);
1038
1039 family = x->props.family;
1040
1041 spin_lock_bh(&xfrm_state_lock);
1042
1043 x1 = __xfrm_state_locate(x, use_spi, family);
1044 if (x1) {
1045 xfrm_state_put(x1);
1046 x1 = NULL;
1047 err = -EEXIST;
1048 goto out;
1049 }
1050
1051 if (use_spi && x->km.seq) {
1052 x1 = __xfrm_find_acq_byseq(x->km.seq);
1053 if (x1 && ((x1->id.proto != x->id.proto) ||
1054 xfrm_addr_cmp(&x1->id.daddr, &x->id.daddr, family))) {
1055 xfrm_state_put(x1);
1056 x1 = NULL;
1057 }
1058 }
1059
1060 if (use_spi && !x1)
1061 x1 = __find_acq_core(family, x->props.mode, x->props.reqid,
1062 x->id.proto,
1063 &x->id.daddr, &x->props.saddr, 0);
1064
1065 __xfrm_state_bump_genids(x);
1066 __xfrm_state_insert(x);
1067 err = 0;
1068
1069 out:
1070 spin_unlock_bh(&xfrm_state_lock);
1071
1072 if (x1) {
1073 xfrm_state_delete(x1);
1074 xfrm_state_put(x1);
1075 }
1076
1077 return err;
1078 }
1079 EXPORT_SYMBOL(xfrm_state_add);
1080
1081 #ifdef CONFIG_XFRM_MIGRATE
1082 struct xfrm_state *xfrm_state_clone(struct xfrm_state *orig, int *errp)
1083 {
1084 int err = -ENOMEM;
1085 struct xfrm_state *x = xfrm_state_alloc();
1086 if (!x)
1087 goto error;
1088
1089 memcpy(&x->id, &orig->id, sizeof(x->id));
1090 memcpy(&x->sel, &orig->sel, sizeof(x->sel));
1091 memcpy(&x->lft, &orig->lft, sizeof(x->lft));
1092 x->props.mode = orig->props.mode;
1093 x->props.replay_window = orig->props.replay_window;
1094 x->props.reqid = orig->props.reqid;
1095 x->props.family = orig->props.family;
1096 x->props.saddr = orig->props.saddr;
1097
1098 if (orig->aalg) {
1099 x->aalg = xfrm_algo_clone(orig->aalg);
1100 if (!x->aalg)
1101 goto error;
1102 }
1103 x->props.aalgo = orig->props.aalgo;
1104
1105 if (orig->ealg) {
1106 x->ealg = xfrm_algo_clone(orig->ealg);
1107 if (!x->ealg)
1108 goto error;
1109 }
1110 x->props.ealgo = orig->props.ealgo;
1111
1112 if (orig->calg) {
1113 x->calg = xfrm_algo_clone(orig->calg);
1114 if (!x->calg)
1115 goto error;
1116 }
1117 x->props.calgo = orig->props.calgo;
1118
1119 if (orig->encap) {
1120 x->encap = kmemdup(orig->encap, sizeof(*x->encap), GFP_KERNEL);
1121 if (!x->encap)
1122 goto error;
1123 }
1124
1125 if (orig->coaddr) {
1126 x->coaddr = kmemdup(orig->coaddr, sizeof(*x->coaddr),
1127 GFP_KERNEL);
1128 if (!x->coaddr)
1129 goto error;
1130 }
1131
1132 err = xfrm_init_state(x);
1133 if (err)
1134 goto error;
1135
1136 x->props.flags = orig->props.flags;
1137
1138 x->curlft.add_time = orig->curlft.add_time;
1139 x->km.state = orig->km.state;
1140 x->km.seq = orig->km.seq;
1141
1142 return x;
1143
1144 error:
1145 if (errp)
1146 *errp = err;
1147 if (x) {
1148 kfree(x->aalg);
1149 kfree(x->ealg);
1150 kfree(x->calg);
1151 kfree(x->encap);
1152 kfree(x->coaddr);
1153 }
1154 kfree(x);
1155 return NULL;
1156 }
1157 EXPORT_SYMBOL(xfrm_state_clone);
1158
1159 /* xfrm_state_lock is held */
1160 struct xfrm_state * xfrm_migrate_state_find(struct xfrm_migrate *m)
1161 {
1162 unsigned int h;
1163 struct xfrm_state *x;
1164 struct hlist_node *entry;
1165
1166 if (m->reqid) {
1167 h = xfrm_dst_hash(&m->old_daddr, &m->old_saddr,
1168 m->reqid, m->old_family);
1169 hlist_for_each_entry(x, entry, xfrm_state_bydst+h, bydst) {
1170 if (x->props.mode != m->mode ||
1171 x->id.proto != m->proto)
1172 continue;
1173 if (m->reqid && x->props.reqid != m->reqid)
1174 continue;
1175 if (xfrm_addr_cmp(&x->id.daddr, &m->old_daddr,
1176 m->old_family) ||
1177 xfrm_addr_cmp(&x->props.saddr, &m->old_saddr,
1178 m->old_family))
1179 continue;
1180 xfrm_state_hold(x);
1181 return x;
1182 }
1183 } else {
1184 h = xfrm_src_hash(&m->old_daddr, &m->old_saddr,
1185 m->old_family);
1186 hlist_for_each_entry(x, entry, xfrm_state_bysrc+h, bysrc) {
1187 if (x->props.mode != m->mode ||
1188 x->id.proto != m->proto)
1189 continue;
1190 if (xfrm_addr_cmp(&x->id.daddr, &m->old_daddr,
1191 m->old_family) ||
1192 xfrm_addr_cmp(&x->props.saddr, &m->old_saddr,
1193 m->old_family))
1194 continue;
1195 xfrm_state_hold(x);
1196 return x;
1197 }
1198 }
1199
1200 return NULL;
1201 }
1202 EXPORT_SYMBOL(xfrm_migrate_state_find);
1203
1204 struct xfrm_state * xfrm_state_migrate(struct xfrm_state *x,
1205 struct xfrm_migrate *m)
1206 {
1207 struct xfrm_state *xc;
1208 int err;
1209
1210 xc = xfrm_state_clone(x, &err);
1211 if (!xc)
1212 return NULL;
1213
1214 memcpy(&xc->id.daddr, &m->new_daddr, sizeof(xc->id.daddr));
1215 memcpy(&xc->props.saddr, &m->new_saddr, sizeof(xc->props.saddr));
1216
1217 /* add state */
1218 if (!xfrm_addr_cmp(&x->id.daddr, &m->new_daddr, m->new_family)) {
1219 /* a care is needed when the destination address of the
1220 state is to be updated as it is a part of triplet */
1221 xfrm_state_insert(xc);
1222 } else {
1223 if ((err = xfrm_state_add(xc)) < 0)
1224 goto error;
1225 }
1226
1227 return xc;
1228 error:
1229 kfree(xc);
1230 return NULL;
1231 }
1232 EXPORT_SYMBOL(xfrm_state_migrate);
1233 #endif
1234
1235 int xfrm_state_update(struct xfrm_state *x)
1236 {
1237 struct xfrm_state *x1;
1238 int err;
1239 int use_spi = xfrm_id_proto_match(x->id.proto, IPSEC_PROTO_ANY);
1240
1241 spin_lock_bh(&xfrm_state_lock);
1242 x1 = __xfrm_state_locate(x, use_spi, x->props.family);
1243
1244 err = -ESRCH;
1245 if (!x1)
1246 goto out;
1247
1248 if (xfrm_state_kern(x1)) {
1249 xfrm_state_put(x1);
1250 err = -EEXIST;
1251 goto out;
1252 }
1253
1254 if (x1->km.state == XFRM_STATE_ACQ) {
1255 __xfrm_state_insert(x);
1256 x = NULL;
1257 }
1258 err = 0;
1259
1260 out:
1261 spin_unlock_bh(&xfrm_state_lock);
1262
1263 if (err)
1264 return err;
1265
1266 if (!x) {
1267 xfrm_state_delete(x1);
1268 xfrm_state_put(x1);
1269 return 0;
1270 }
1271
1272 err = -EINVAL;
1273 spin_lock_bh(&x1->lock);
1274 if (likely(x1->km.state == XFRM_STATE_VALID)) {
1275 if (x->encap && x1->encap)
1276 memcpy(x1->encap, x->encap, sizeof(*x1->encap));
1277 if (x->coaddr && x1->coaddr) {
1278 memcpy(x1->coaddr, x->coaddr, sizeof(*x1->coaddr));
1279 }
1280 if (!use_spi && memcmp(&x1->sel, &x->sel, sizeof(x1->sel)))
1281 memcpy(&x1->sel, &x->sel, sizeof(x1->sel));
1282 memcpy(&x1->lft, &x->lft, sizeof(x1->lft));
1283 x1->km.dying = 0;
1284
1285 mod_timer(&x1->timer, jiffies + HZ);
1286 if (x1->curlft.use_time)
1287 xfrm_state_check_expire(x1);
1288
1289 err = 0;
1290 }
1291 spin_unlock_bh(&x1->lock);
1292
1293 xfrm_state_put(x1);
1294
1295 return err;
1296 }
1297 EXPORT_SYMBOL(xfrm_state_update);
1298
1299 int xfrm_state_check_expire(struct xfrm_state *x)
1300 {
1301 if (!x->curlft.use_time)
1302 x->curlft.use_time = get_seconds();
1303
1304 if (x->km.state != XFRM_STATE_VALID)
1305 return -EINVAL;
1306
1307 if (x->curlft.bytes >= x->lft.hard_byte_limit ||
1308 x->curlft.packets >= x->lft.hard_packet_limit) {
1309 x->km.state = XFRM_STATE_EXPIRED;
1310 mod_timer(&x->timer, jiffies);
1311 return -EINVAL;
1312 }
1313
1314 if (!x->km.dying &&
1315 (x->curlft.bytes >= x->lft.soft_byte_limit ||
1316 x->curlft.packets >= x->lft.soft_packet_limit)) {
1317 x->km.dying = 1;
1318 km_state_expired(x, 0, 0);
1319 }
1320 return 0;
1321 }
1322 EXPORT_SYMBOL(xfrm_state_check_expire);
1323
1324 struct xfrm_state *
1325 xfrm_state_lookup(xfrm_address_t *daddr, __be32 spi, u8 proto,
1326 unsigned short family)
1327 {
1328 struct xfrm_state *x;
1329
1330 spin_lock_bh(&xfrm_state_lock);
1331 x = __xfrm_state_lookup(daddr, spi, proto, family);
1332 spin_unlock_bh(&xfrm_state_lock);
1333 return x;
1334 }
1335 EXPORT_SYMBOL(xfrm_state_lookup);
1336
1337 struct xfrm_state *
1338 xfrm_state_lookup_byaddr(xfrm_address_t *daddr, xfrm_address_t *saddr,
1339 u8 proto, unsigned short family)
1340 {
1341 struct xfrm_state *x;
1342
1343 spin_lock_bh(&xfrm_state_lock);
1344 x = __xfrm_state_lookup_byaddr(daddr, saddr, proto, family);
1345 spin_unlock_bh(&xfrm_state_lock);
1346 return x;
1347 }
1348 EXPORT_SYMBOL(xfrm_state_lookup_byaddr);
1349
1350 struct xfrm_state *
1351 xfrm_find_acq(u8 mode, u32 reqid, u8 proto,
1352 xfrm_address_t *daddr, xfrm_address_t *saddr,
1353 int create, unsigned short family)
1354 {
1355 struct xfrm_state *x;
1356
1357 spin_lock_bh(&xfrm_state_lock);
1358 x = __find_acq_core(family, mode, reqid, proto, daddr, saddr, create);
1359 spin_unlock_bh(&xfrm_state_lock);
1360
1361 return x;
1362 }
1363 EXPORT_SYMBOL(xfrm_find_acq);
1364
1365 #ifdef CONFIG_XFRM_SUB_POLICY
1366 int
1367 xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, int n,
1368 unsigned short family)
1369 {
1370 int err = 0;
1371 struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family);
1372 if (!afinfo)
1373 return -EAFNOSUPPORT;
1374
1375 spin_lock_bh(&xfrm_state_lock);
1376 if (afinfo->tmpl_sort)
1377 err = afinfo->tmpl_sort(dst, src, n);
1378 spin_unlock_bh(&xfrm_state_lock);
1379 xfrm_state_put_afinfo(afinfo);
1380 return err;
1381 }
1382 EXPORT_SYMBOL(xfrm_tmpl_sort);
1383
1384 int
1385 xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src, int n,
1386 unsigned short family)
1387 {
1388 int err = 0;
1389 struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family);
1390 if (!afinfo)
1391 return -EAFNOSUPPORT;
1392
1393 spin_lock_bh(&xfrm_state_lock);
1394 if (afinfo->state_sort)
1395 err = afinfo->state_sort(dst, src, n);
1396 spin_unlock_bh(&xfrm_state_lock);
1397 xfrm_state_put_afinfo(afinfo);
1398 return err;
1399 }
1400 EXPORT_SYMBOL(xfrm_state_sort);
1401 #endif
1402
1403 /* Silly enough, but I'm lazy to build resolution list */
1404
1405 static struct xfrm_state *__xfrm_find_acq_byseq(u32 seq)
1406 {
1407 int i;
1408
1409 for (i = 0; i <= xfrm_state_hmask; i++) {
1410 struct hlist_node *entry;
1411 struct xfrm_state *x;
1412
1413 hlist_for_each_entry(x, entry, xfrm_state_bydst+i, bydst) {
1414 if (x->km.seq == seq &&
1415 x->km.state == XFRM_STATE_ACQ) {
1416 xfrm_state_hold(x);
1417 return x;
1418 }
1419 }
1420 }
1421 return NULL;
1422 }
1423
1424 struct xfrm_state *xfrm_find_acq_byseq(u32 seq)
1425 {
1426 struct xfrm_state *x;
1427
1428 spin_lock_bh(&xfrm_state_lock);
1429 x = __xfrm_find_acq_byseq(seq);
1430 spin_unlock_bh(&xfrm_state_lock);
1431 return x;
1432 }
1433 EXPORT_SYMBOL(xfrm_find_acq_byseq);
1434
1435 u32 xfrm_get_acqseq(void)
1436 {
1437 u32 res;
1438 static u32 acqseq;
1439 static DEFINE_SPINLOCK(acqseq_lock);
1440
1441 spin_lock_bh(&acqseq_lock);
1442 res = (++acqseq ? : ++acqseq);
1443 spin_unlock_bh(&acqseq_lock);
1444 return res;
1445 }
1446 EXPORT_SYMBOL(xfrm_get_acqseq);
1447
1448 int xfrm_alloc_spi(struct xfrm_state *x, u32 low, u32 high)
1449 {
1450 unsigned int h;
1451 struct xfrm_state *x0;
1452 int err = -ENOENT;
1453 __be32 minspi = htonl(low);
1454 __be32 maxspi = htonl(high);
1455
1456 spin_lock_bh(&x->lock);
1457 if (x->km.state == XFRM_STATE_DEAD)
1458 goto unlock;
1459
1460 err = 0;
1461 if (x->id.spi)
1462 goto unlock;
1463
1464 err = -ENOENT;
1465
1466 if (minspi == maxspi) {
1467 x0 = xfrm_state_lookup(&x->id.daddr, minspi, x->id.proto, x->props.family);
1468 if (x0) {
1469 xfrm_state_put(x0);
1470 goto unlock;
1471 }
1472 x->id.spi = minspi;
1473 } else {
1474 u32 spi = 0;
1475 for (h=0; h<high-low+1; h++) {
1476 spi = low + net_random()%(high-low+1);
1477 x0 = xfrm_state_lookup(&x->id.daddr, htonl(spi), x->id.proto, x->props.family);
1478 if (x0 == NULL) {
1479 x->id.spi = htonl(spi);
1480 break;
1481 }
1482 xfrm_state_put(x0);
1483 }
1484 }
1485 if (x->id.spi) {
1486 spin_lock_bh(&xfrm_state_lock);
1487 h = xfrm_spi_hash(&x->id.daddr, x->id.spi, x->id.proto, x->props.family);
1488 hlist_add_head(&x->byspi, xfrm_state_byspi+h);
1489 spin_unlock_bh(&xfrm_state_lock);
1490
1491 err = 0;
1492 }
1493
1494 unlock:
1495 spin_unlock_bh(&x->lock);
1496
1497 return err;
1498 }
1499 EXPORT_SYMBOL(xfrm_alloc_spi);
1500
1501 int xfrm_state_walk(u8 proto, int (*func)(struct xfrm_state *, int, void*),
1502 void *data)
1503 {
1504 int i;
1505 struct xfrm_state *x, *last = NULL;
1506 struct hlist_node *entry;
1507 int count = 0;
1508 int err = 0;
1509
1510 spin_lock_bh(&xfrm_state_lock);
1511 for (i = 0; i <= xfrm_state_hmask; i++) {
1512 hlist_for_each_entry(x, entry, xfrm_state_bydst+i, bydst) {
1513 if (!xfrm_id_proto_match(x->id.proto, proto))
1514 continue;
1515 if (last) {
1516 err = func(last, count, data);
1517 if (err)
1518 goto out;
1519 }
1520 last = x;
1521 count++;
1522 }
1523 }
1524 if (count == 0) {
1525 err = -ENOENT;
1526 goto out;
1527 }
1528 err = func(last, 0, data);
1529 out:
1530 spin_unlock_bh(&xfrm_state_lock);
1531 return err;
1532 }
1533 EXPORT_SYMBOL(xfrm_state_walk);
1534
1535
1536 void xfrm_replay_notify(struct xfrm_state *x, int event)
1537 {
1538 struct km_event c;
1539 /* we send notify messages in case
1540 * 1. we updated on of the sequence numbers, and the seqno difference
1541 * is at least x->replay_maxdiff, in this case we also update the
1542 * timeout of our timer function
1543 * 2. if x->replay_maxage has elapsed since last update,
1544 * and there were changes
1545 *
1546 * The state structure must be locked!
1547 */
1548
1549 switch (event) {
1550 case XFRM_REPLAY_UPDATE:
1551 if (x->replay_maxdiff &&
1552 (x->replay.seq - x->preplay.seq < x->replay_maxdiff) &&
1553 (x->replay.oseq - x->preplay.oseq < x->replay_maxdiff)) {
1554 if (x->xflags & XFRM_TIME_DEFER)
1555 event = XFRM_REPLAY_TIMEOUT;
1556 else
1557 return;
1558 }
1559
1560 break;
1561
1562 case XFRM_REPLAY_TIMEOUT:
1563 if ((x->replay.seq == x->preplay.seq) &&
1564 (x->replay.bitmap == x->preplay.bitmap) &&
1565 (x->replay.oseq == x->preplay.oseq)) {
1566 x->xflags |= XFRM_TIME_DEFER;
1567 return;
1568 }
1569
1570 break;
1571 }
1572
1573 memcpy(&x->preplay, &x->replay, sizeof(struct xfrm_replay_state));
1574 c.event = XFRM_MSG_NEWAE;
1575 c.data.aevent = event;
1576 km_state_notify(x, &c);
1577
1578 if (x->replay_maxage &&
1579 !mod_timer(&x->rtimer, jiffies + x->replay_maxage))
1580 x->xflags &= ~XFRM_TIME_DEFER;
1581 }
1582
1583 static void xfrm_replay_timer_handler(unsigned long data)
1584 {
1585 struct xfrm_state *x = (struct xfrm_state*)data;
1586
1587 spin_lock(&x->lock);
1588
1589 if (x->km.state == XFRM_STATE_VALID) {
1590 if (xfrm_aevent_is_on())
1591 xfrm_replay_notify(x, XFRM_REPLAY_TIMEOUT);
1592 else
1593 x->xflags |= XFRM_TIME_DEFER;
1594 }
1595
1596 spin_unlock(&x->lock);
1597 }
1598
1599 int xfrm_replay_check(struct xfrm_state *x, __be32 net_seq)
1600 {
1601 u32 diff;
1602 u32 seq = ntohl(net_seq);
1603
1604 if (unlikely(seq == 0))
1605 return -EINVAL;
1606
1607 if (likely(seq > x->replay.seq))
1608 return 0;
1609
1610 diff = x->replay.seq - seq;
1611 if (diff >= min_t(unsigned int, x->props.replay_window,
1612 sizeof(x->replay.bitmap) * 8)) {
1613 x->stats.replay_window++;
1614 return -EINVAL;
1615 }
1616
1617 if (x->replay.bitmap & (1U << diff)) {
1618 x->stats.replay++;
1619 return -EINVAL;
1620 }
1621 return 0;
1622 }
1623 EXPORT_SYMBOL(xfrm_replay_check);
1624
1625 void xfrm_replay_advance(struct xfrm_state *x, __be32 net_seq)
1626 {
1627 u32 diff;
1628 u32 seq = ntohl(net_seq);
1629
1630 if (seq > x->replay.seq) {
1631 diff = seq - x->replay.seq;
1632 if (diff < x->props.replay_window)
1633 x->replay.bitmap = ((x->replay.bitmap) << diff) | 1;
1634 else
1635 x->replay.bitmap = 1;
1636 x->replay.seq = seq;
1637 } else {
1638 diff = x->replay.seq - seq;
1639 x->replay.bitmap |= (1U << diff);
1640 }
1641
1642 if (xfrm_aevent_is_on())
1643 xfrm_replay_notify(x, XFRM_REPLAY_UPDATE);
1644 }
1645 EXPORT_SYMBOL(xfrm_replay_advance);
1646
1647 static struct list_head xfrm_km_list = LIST_HEAD_INIT(xfrm_km_list);
1648 static DEFINE_RWLOCK(xfrm_km_lock);
1649
1650 void km_policy_notify(struct xfrm_policy *xp, int dir, struct km_event *c)
1651 {
1652 struct xfrm_mgr *km;
1653
1654 read_lock(&xfrm_km_lock);
1655 list_for_each_entry(km, &xfrm_km_list, list)
1656 if (km->notify_policy)
1657 km->notify_policy(xp, dir, c);
1658 read_unlock(&xfrm_km_lock);
1659 }
1660
1661 void km_state_notify(struct xfrm_state *x, struct km_event *c)
1662 {
1663 struct xfrm_mgr *km;
1664 read_lock(&xfrm_km_lock);
1665 list_for_each_entry(km, &xfrm_km_list, list)
1666 if (km->notify)
1667 km->notify(x, c);
1668 read_unlock(&xfrm_km_lock);
1669 }
1670
1671 EXPORT_SYMBOL(km_policy_notify);
1672 EXPORT_SYMBOL(km_state_notify);
1673
1674 void km_state_expired(struct xfrm_state *x, int hard, u32 pid)
1675 {
1676 struct km_event c;
1677
1678 c.data.hard = hard;
1679 c.pid = pid;
1680 c.event = XFRM_MSG_EXPIRE;
1681 km_state_notify(x, &c);
1682
1683 if (hard)
1684 wake_up(&km_waitq);
1685 }
1686
1687 EXPORT_SYMBOL(km_state_expired);
1688 /*
1689 * We send to all registered managers regardless of failure
1690 * We are happy with one success
1691 */
1692 int km_query(struct xfrm_state *x, struct xfrm_tmpl *t, struct xfrm_policy *pol)
1693 {
1694 int err = -EINVAL, acqret;
1695 struct xfrm_mgr *km;
1696
1697 read_lock(&xfrm_km_lock);
1698 list_for_each_entry(km, &xfrm_km_list, list) {
1699 acqret = km->acquire(x, t, pol, XFRM_POLICY_OUT);
1700 if (!acqret)
1701 err = acqret;
1702 }
1703 read_unlock(&xfrm_km_lock);
1704 return err;
1705 }
1706 EXPORT_SYMBOL(km_query);
1707
1708 int km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport)
1709 {
1710 int err = -EINVAL;
1711 struct xfrm_mgr *km;
1712
1713 read_lock(&xfrm_km_lock);
1714 list_for_each_entry(km, &xfrm_km_list, list) {
1715 if (km->new_mapping)
1716 err = km->new_mapping(x, ipaddr, sport);
1717 if (!err)
1718 break;
1719 }
1720 read_unlock(&xfrm_km_lock);
1721 return err;
1722 }
1723 EXPORT_SYMBOL(km_new_mapping);
1724
1725 void km_policy_expired(struct xfrm_policy *pol, int dir, int hard, u32 pid)
1726 {
1727 struct km_event c;
1728
1729 c.data.hard = hard;
1730 c.pid = pid;
1731 c.event = XFRM_MSG_POLEXPIRE;
1732 km_policy_notify(pol, dir, &c);
1733
1734 if (hard)
1735 wake_up(&km_waitq);
1736 }
1737 EXPORT_SYMBOL(km_policy_expired);
1738
1739 int km_migrate(struct xfrm_selector *sel, u8 dir, u8 type,
1740 struct xfrm_migrate *m, int num_migrate)
1741 {
1742 int err = -EINVAL;
1743 int ret;
1744 struct xfrm_mgr *km;
1745
1746 read_lock(&xfrm_km_lock);
1747 list_for_each_entry(km, &xfrm_km_list, list) {
1748 if (km->migrate) {
1749 ret = km->migrate(sel, dir, type, m, num_migrate);
1750 if (!ret)
1751 err = ret;
1752 }
1753 }
1754 read_unlock(&xfrm_km_lock);
1755 return err;
1756 }
1757 EXPORT_SYMBOL(km_migrate);
1758
1759 int km_report(u8 proto, struct xfrm_selector *sel, xfrm_address_t *addr)
1760 {
1761 int err = -EINVAL;
1762 int ret;
1763 struct xfrm_mgr *km;
1764
1765 read_lock(&xfrm_km_lock);
1766 list_for_each_entry(km, &xfrm_km_list, list) {
1767 if (km->report) {
1768 ret = km->report(proto, sel, addr);
1769 if (!ret)
1770 err = ret;
1771 }
1772 }
1773 read_unlock(&xfrm_km_lock);
1774 return err;
1775 }
1776 EXPORT_SYMBOL(km_report);
1777
1778 int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen)
1779 {
1780 int err;
1781 u8 *data;
1782 struct xfrm_mgr *km;
1783 struct xfrm_policy *pol = NULL;
1784
1785 if (optlen <= 0 || optlen > PAGE_SIZE)
1786 return -EMSGSIZE;
1787
1788 data = kmalloc(optlen, GFP_KERNEL);
1789 if (!data)
1790 return -ENOMEM;
1791
1792 err = -EFAULT;
1793 if (copy_from_user(data, optval, optlen))
1794 goto out;
1795
1796 err = -EINVAL;
1797 read_lock(&xfrm_km_lock);
1798 list_for_each_entry(km, &xfrm_km_list, list) {
1799 pol = km->compile_policy(sk, optname, data,
1800 optlen, &err);
1801 if (err >= 0)
1802 break;
1803 }
1804 read_unlock(&xfrm_km_lock);
1805
1806 if (err >= 0) {
1807 xfrm_sk_policy_insert(sk, err, pol);
1808 xfrm_pol_put(pol);
1809 err = 0;
1810 }
1811
1812 out:
1813 kfree(data);
1814 return err;
1815 }
1816 EXPORT_SYMBOL(xfrm_user_policy);
1817
1818 int xfrm_register_km(struct xfrm_mgr *km)
1819 {
1820 write_lock_bh(&xfrm_km_lock);
1821 list_add_tail(&km->list, &xfrm_km_list);
1822 write_unlock_bh(&xfrm_km_lock);
1823 return 0;
1824 }
1825 EXPORT_SYMBOL(xfrm_register_km);
1826
1827 int xfrm_unregister_km(struct xfrm_mgr *km)
1828 {
1829 write_lock_bh(&xfrm_km_lock);
1830 list_del(&km->list);
1831 write_unlock_bh(&xfrm_km_lock);
1832 return 0;
1833 }
1834 EXPORT_SYMBOL(xfrm_unregister_km);
1835
1836 int xfrm_state_register_afinfo(struct xfrm_state_afinfo *afinfo)
1837 {
1838 int err = 0;
1839 if (unlikely(afinfo == NULL))
1840 return -EINVAL;
1841 if (unlikely(afinfo->family >= NPROTO))
1842 return -EAFNOSUPPORT;
1843 write_lock_bh(&xfrm_state_afinfo_lock);
1844 if (unlikely(xfrm_state_afinfo[afinfo->family] != NULL))
1845 err = -ENOBUFS;
1846 else
1847 xfrm_state_afinfo[afinfo->family] = afinfo;
1848 write_unlock_bh(&xfrm_state_afinfo_lock);
1849 return err;
1850 }
1851 EXPORT_SYMBOL(xfrm_state_register_afinfo);
1852
1853 int xfrm_state_unregister_afinfo(struct xfrm_state_afinfo *afinfo)
1854 {
1855 int err = 0;
1856 if (unlikely(afinfo == NULL))
1857 return -EINVAL;
1858 if (unlikely(afinfo->family >= NPROTO))
1859 return -EAFNOSUPPORT;
1860 write_lock_bh(&xfrm_state_afinfo_lock);
1861 if (likely(xfrm_state_afinfo[afinfo->family] != NULL)) {
1862 if (unlikely(xfrm_state_afinfo[afinfo->family] != afinfo))
1863 err = -EINVAL;
1864 else
1865 xfrm_state_afinfo[afinfo->family] = NULL;
1866 }
1867 write_unlock_bh(&xfrm_state_afinfo_lock);
1868 return err;
1869 }
1870 EXPORT_SYMBOL(xfrm_state_unregister_afinfo);
1871
1872 struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned short family)
1873 {
1874 struct xfrm_state_afinfo *afinfo;
1875 if (unlikely(family >= NPROTO))
1876 return NULL;
1877 read_lock(&xfrm_state_afinfo_lock);
1878 afinfo = xfrm_state_afinfo[family];
1879 if (unlikely(!afinfo))
1880 read_unlock(&xfrm_state_afinfo_lock);
1881 return afinfo;
1882 }
1883
1884 void xfrm_state_put_afinfo(struct xfrm_state_afinfo *afinfo)
1885 {
1886 read_unlock(&xfrm_state_afinfo_lock);
1887 }
1888
1889 EXPORT_SYMBOL(xfrm_state_get_afinfo);
1890 EXPORT_SYMBOL(xfrm_state_put_afinfo);
1891
1892 /* Temporarily located here until net/xfrm/xfrm_tunnel.c is created */
1893 void xfrm_state_delete_tunnel(struct xfrm_state *x)
1894 {
1895 if (x->tunnel) {
1896 struct xfrm_state *t = x->tunnel;
1897
1898 if (atomic_read(&t->tunnel_users) == 2)
1899 xfrm_state_delete(t);
1900 atomic_dec(&t->tunnel_users);
1901 xfrm_state_put(t);
1902 x->tunnel = NULL;
1903 }
1904 }
1905 EXPORT_SYMBOL(xfrm_state_delete_tunnel);
1906
1907 int xfrm_state_mtu(struct xfrm_state *x, int mtu)
1908 {
1909 int res;
1910
1911 spin_lock_bh(&x->lock);
1912 if (x->km.state == XFRM_STATE_VALID &&
1913 x->type && x->type->get_mtu)
1914 res = x->type->get_mtu(x, mtu);
1915 else
1916 res = mtu - x->props.header_len;
1917 spin_unlock_bh(&x->lock);
1918 return res;
1919 }
1920
1921 int xfrm_init_state(struct xfrm_state *x)
1922 {
1923 struct xfrm_state_afinfo *afinfo;
1924 int family = x->props.family;
1925 int err;
1926
1927 err = -EAFNOSUPPORT;
1928 afinfo = xfrm_state_get_afinfo(family);
1929 if (!afinfo)
1930 goto error;
1931
1932 err = 0;
1933 if (afinfo->init_flags)
1934 err = afinfo->init_flags(x);
1935
1936 xfrm_state_put_afinfo(afinfo);
1937
1938 if (err)
1939 goto error;
1940
1941 err = -EPROTONOSUPPORT;
1942 x->type = xfrm_get_type(x->id.proto, family);
1943 if (x->type == NULL)
1944 goto error;
1945
1946 err = x->type->init_state(x);
1947 if (err)
1948 goto error;
1949
1950 x->mode = xfrm_get_mode(x->props.mode, family);
1951 if (x->mode == NULL)
1952 goto error;
1953
1954 x->km.state = XFRM_STATE_VALID;
1955
1956 error:
1957 return err;
1958 }
1959
1960 EXPORT_SYMBOL(xfrm_init_state);
1961
1962 void __init xfrm_state_init(void)
1963 {
1964 unsigned int sz;
1965
1966 sz = sizeof(struct hlist_head) * 8;
1967
1968 xfrm_state_bydst = xfrm_hash_alloc(sz);
1969 xfrm_state_bysrc = xfrm_hash_alloc(sz);
1970 xfrm_state_byspi = xfrm_hash_alloc(sz);
1971 if (!xfrm_state_bydst || !xfrm_state_bysrc || !xfrm_state_byspi)
1972 panic("XFRM: Cannot allocate bydst/bysrc/byspi hashes.");
1973 xfrm_state_hmask = ((sz / sizeof(struct hlist_head)) - 1);
1974
1975 INIT_WORK(&xfrm_state_gc_work, xfrm_state_gc_task);
1976 }
1977
1978 #ifdef CONFIG_AUDITSYSCALL
1979 static inline void xfrm_audit_common_stateinfo(struct xfrm_state *x,
1980 struct audit_buffer *audit_buf)
1981 {
1982 if (x->security)
1983 audit_log_format(audit_buf, " sec_alg=%u sec_doi=%u sec_obj=%s",
1984 x->security->ctx_alg, x->security->ctx_doi,
1985 x->security->ctx_str);
1986
1987 switch(x->props.family) {
1988 case AF_INET:
1989 audit_log_format(audit_buf, " src=%u.%u.%u.%u dst=%u.%u.%u.%u",
1990 NIPQUAD(x->props.saddr.a4),
1991 NIPQUAD(x->id.daddr.a4));
1992 break;
1993 case AF_INET6:
1994 {
1995 struct in6_addr saddr6, daddr6;
1996
1997 memcpy(&saddr6, x->props.saddr.a6,
1998 sizeof(struct in6_addr));
1999 memcpy(&daddr6, x->id.daddr.a6,
2000 sizeof(struct in6_addr));
2001 audit_log_format(audit_buf,
2002 " src=" NIP6_FMT " dst=" NIP6_FMT,
2003 NIP6(saddr6), NIP6(daddr6));
2004 }
2005 break;
2006 }
2007 }
2008
2009 void
2010 xfrm_audit_state_add(struct xfrm_state *x, int result, u32 auid, u32 sid)
2011 {
2012 struct audit_buffer *audit_buf;
2013 extern int audit_enabled;
2014
2015 if (audit_enabled == 0)
2016 return;
2017 audit_buf = xfrm_audit_start(sid, auid);
2018 if (audit_buf == NULL)
2019 return;
2020 audit_log_format(audit_buf, " op=SAD-add res=%u",result);
2021 xfrm_audit_common_stateinfo(x, audit_buf);
2022 audit_log_format(audit_buf, " spi=%lu(0x%lx)",
2023 (unsigned long)x->id.spi, (unsigned long)x->id.spi);
2024 audit_log_end(audit_buf);
2025 }
2026 EXPORT_SYMBOL_GPL(xfrm_audit_state_add);
2027
2028 void
2029 xfrm_audit_state_delete(struct xfrm_state *x, int result, u32 auid, u32 sid)
2030 {
2031 struct audit_buffer *audit_buf;
2032 extern int audit_enabled;
2033
2034 if (audit_enabled == 0)
2035 return;
2036 audit_buf = xfrm_audit_start(sid, auid);
2037 if (audit_buf == NULL)
2038 return;
2039 audit_log_format(audit_buf, " op=SAD-delete res=%u",result);
2040 xfrm_audit_common_stateinfo(x, audit_buf);
2041 audit_log_format(audit_buf, " spi=%lu(0x%lx)",
2042 (unsigned long)x->id.spi, (unsigned long)x->id.spi);
2043 audit_log_end(audit_buf);
2044 }
2045 EXPORT_SYMBOL_GPL(xfrm_audit_state_delete);
2046 #endif /* CONFIG_AUDITSYSCALL */
CJK support for tty framebuffer vt