2 * IPSEC <> netlink interface
3 * Copyright (C) 1996, 1997 John Ioannidis.
4 * Copyright (C) 1998, 1999, 2000, 2001 Richard Guy Briggs.
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
17 char ipsec_netlink_c_version[] = "RCSID $Id: ipsec_netlink.c,v 1.56 2002/01/29 17:17:55 mcr Exp $";
19 #include <linux/config.h>
20 #include <linux/version.h>
21 #include <linux/kernel.h> /* printk() */
23 #include "ipsec_param.h"
26 # include <linux/slab.h> /* kmalloc() */
27 #else /* MALLOC_SLAB */
28 # include <linux/malloc.h> /* kmalloc() */
29 #endif /* MALLOC_SLAB */
30 #include <linux/errno.h> /* error codes */
31 #include <linux/types.h> /* size_t */
32 #include <linux/interrupt.h> /* mark_bh */
34 #include <linux/netdevice.h> /* struct device, and other headers */
35 #include <linux/etherdevice.h> /* eth_type_trans */
36 #include <linux/ip.h> /* struct iphdr */
37 #include <linux/skbuff.h>
41 # include <linux/spinlock.h> /* *lock* */
42 # else /* 23_SPINLOCK */
43 # include <asm/spinlock.h> /* *lock* */
44 # endif /* 23_SPINLOCK */
47 # include <asm/uaccess.h>
48 # include <linux/in6.h>
49 # define ip_chk_addr inet_addr_type
50 # define IS_MYADDR RTN_LOCAL
52 #include <asm/checksum.h>
55 # include <linux/netlink.h>
57 # include <net/netlink.h>
61 #include "ipsec_encap.h"
62 #include "ipsec_radij.h"
63 #include "ipsec_netlink.h"
64 #include "ipsec_xform.h"
66 #include "ipsec_rcv.h"
68 #include "ipsec_esp.h"
70 #ifdef CONFIG_IPSEC_DEBUG
71 # include "ipsec_tunnel.h"
72 #endif /* CONFIG_IPSEC_DEBUG */
77 #ifdef CONFIG_IPSEC_DEBUG
78 int debug_netlink = 0;
79 #endif /* CONFIG_IPSEC_DEBUG */
81 #define SENDERR(_x) do { len = -(_x); goto errlab; } while (0)
86 ipsec_callback(int proto, struct sk_buff *skb)
87 #else /* NETLINK_SOCK */
88 ipsec_callback(struct sk_buff *skb)
89 #endif /* NETLINK_SOCK */
92 * this happens when we write to /dev/ipsec (c 36 10)
95 u_char *dat = (u_char *)skb->data;
96 struct encap_msghdr *em = (struct encap_msghdr *)dat;
97 struct tdb *tdbp, *tprev;
98 int i, nspis, error = 0;
99 #ifdef CONFIG_IPSEC_DEBUG
103 struct sk_buff *first, *last;
106 sa_len = satoa(em->em_said, 0, sa, SATOA_BUF);
109 printk("klips_debug:ipsec_callback: "
110 "skb=0x%p skblen=%ld em_magic=%d em_type=%d\n",
112 (unsigned long int)skb->len,
115 switch(em->em_type) {
117 printk("klips_debug:ipsec_callback: "
118 "set ipsec_debug level\n");
125 printk("klips_debug:ipsec_callback: "
126 "called for SA:%s\n",
127 sa_len ? sa : " (error)");
130 #endif /* CONFIG_IPSEC_DEBUG */
132 /* XXXX Temporarily disable netlink I/F code until it gets permanantly
133 ripped out in favour of PF_KEYv2 I/F. */
134 SENDERR(EPROTONOSUPPORT);
136 /* em = (struct encap_msghdr *)dat; */
137 if (em->em_magic != EM_MAGIC) {
138 printk("klips_debug:ipsec_callback: "
139 "bad magic=%d failed, should be %d\n",
144 switch (em->em_type) {
146 #ifdef CONFIG_IPSEC_DEBUG
147 if(em->em_db_nl >> (sizeof(em->em_db_nl) * 8 - 1)) {
148 em->em_db_nl &= ~(1 << (sizeof(em->em_db_nl) * 8 -1));
149 debug_tunnel |= em->em_db_tn;
150 debug_netlink |= em->em_db_nl;
151 debug_xform |= em->em_db_xf;
152 debug_eroute |= em->em_db_er;
153 debug_spi |= em->em_db_sp;
154 debug_radij |= em->em_db_rj;
155 debug_esp |= em->em_db_es;
156 debug_ah |= em->em_db_ah;
157 debug_rcv |= em->em_db_rx;
158 debug_pfkey |= em->em_db_ky;
160 printk("klips_debug:ipsec_callback: set\n");
163 printk("klips_debug:ipsec_callback: unset\n");
164 debug_tunnel &= em->em_db_tn;
165 debug_netlink &= em->em_db_nl;
166 debug_xform &= em->em_db_xf;
167 debug_eroute &= em->em_db_er;
168 debug_spi &= em->em_db_sp;
169 debug_radij &= em->em_db_rj;
170 debug_esp &= em->em_db_es;
171 debug_ah &= em->em_db_ah;
172 debug_rcv &= em->em_db_rx;
173 debug_pfkey &= em->em_db_ky;
175 #else /* CONFIG_IPSEC_DEBUG */
176 printk("klips_debug:ipsec_callback: "
177 "debugging not enabled\n");
179 #endif /* CONFIG_IPSEC_DEBUG */
183 if ((error = ipsec_makeroute(&(em->em_eaddr), &(em->em_emask), em->em_ersaid, 0, NULL, NULL, NULL)))
187 case EMT_REPLACEROUTE:
188 if ((error = ipsec_breakroute(&(em->em_eaddr), &(em->em_emask), &first, &last)) == EINVAL) {
193 if ((error = ipsec_makeroute(&(em->em_eaddr), &(em->em_emask), em->em_ersaid, NULL, NULL)))
198 if ((error = ipsec_breakroute(&(em->em_eaddr), &(em->em_emask), &first, &last)))
205 if ((error = ipsec_cleareroutes()))
210 if (em->em_if >= 5) /* XXX -- why 5? */
213 tdbp = gettdb(&(em->em_said));
215 tdbp = (struct tdb *)kmalloc(sizeof (*tdbp), GFP_ATOMIC);
220 memset((caddr_t)tdbp, 0, sizeof(*tdbp));
222 tdbp->tdb_said = em->em_said;
223 tdbp->tdb_flags = em->em_flags;
225 if(ip_chk_addr((unsigned long)em->em_said.dst.s_addr) == IS_MYADDR) {
226 tdbp->tdb_flags |= EMT_INBOUND;
228 KLIPS_PRINT(debug_netlink & DB_NL_TDBCB,
229 "klips_debug:ipsec_callback: "
230 "existing Tunnel Descriptor Block not found (this is good) for SA: %s, %s-bound, allocating.\n",
231 sa_len ? sa : " (error)",
232 (tdbp->tdb_flags & EMT_INBOUND) ? "in" : "out");
234 /* XXX tdbp->tdb_rcvif = &(enc_softc[em->em_if].enc_if);*/
235 tdbp->tdb_rcvif = NULL;
237 KLIPS_PRINT(debug_netlink & DB_NL_TDBCB,
238 "klips_debug:ipsec_callback: "
239 "EMT_SETSPI found an old Tunnel Descriptor Block for SA: %s, delete it first.\n",
240 sa_len ? sa : " (error)");
244 if ((error = tdb_init(tdbp, em))) {
245 KLIPS_PRINT(debug_netlink & DB_NL_TDBCB,
246 "klips_debug:ipsec_callback: "
247 "EMT_SETSPI not successful for SA: %s, deleting.\n",
248 sa_len ? sa : " (error)");
254 tdbp->tdb_lifetime_addtime_c = jiffies/HZ;
256 if(!tdbp->tdb_lifetime_allocations_c) {
257 tdbp->tdb_lifetime_allocations_c += 1;
261 KLIPS_PRINT(debug_netlink & DB_NL_TDBCB,
262 "klips_debug:ipsec_callback: "
263 "EMT_SETSPI successful for SA: %s\n",
264 sa_len ? sa : " (error)");
268 if (em->em_if >= 5) /* XXX -- why 5? */
271 spin_lock_bh(&tdb_lock);
273 tdbp = gettdb(&(em->em_said));
275 KLIPS_PRINT(debug_netlink & DB_NL_TDBCB,
276 "klips_debug:ipsec_callback: "
277 "EMT_DELSPI Tunnel Descriptor Block not found for SA%s, could not delete.\n",
278 sa_len ? sa : " (error)");
279 spin_unlock_bh(&tdb_lock);
280 SENDERR(ENXIO); /* XXX -- wrong error message... */
282 if((error = deltdbchain(tdbp))) {
283 spin_unlock_bh(&tdb_lock);
287 spin_unlock_bh(&tdb_lock);
292 nspis = (len - EMT_GRPSPIS_FLEN) / sizeof(em->em_rel[0]);
293 if ((nspis * (sizeof(em->em_rel[0]))) != (len - EMT_GRPSPIS_FLEN)) {
294 printk("klips_debug:ipsec_callback: "
295 "EMT_GRPSPI message size incorrect, expected nspis(%d)*%d, got %d.\n",
297 sizeof(em->em_rel[0]),
298 (len - EMT_GRPSPIS_FLEN));
303 spin_lock_bh(&tdb_lock);
305 for (i = 0; i < nspis; i++) {
306 KLIPS_PRINT(debug_netlink,
307 "klips_debug:ipsec_callback: "
308 "EMT_GRPSPI for SA(%d) %s,\n",
310 sa_len ? sa : " (error)");
311 if ((tdbp = gettdb(&(em->em_rel[i].emr_said))) == NULL) {
312 KLIPS_PRINT(debug_netlink,
313 "klips_debug:ipsec_callback: "
314 "EMT_GRPSPI Tunnel Descriptor Block not found for SA%s, could not group.\n",
315 sa_len ? sa : " (error)");
316 spin_unlock_bh(&tdb_lock);
319 if(tdbp->tdb_inext || tdbp->tdb_onext) {
320 KLIPS_PRINT(debug_netlink,
321 "klips_debug:ipsec_callback: "
322 "EMT_GRPSPI Tunnel Descriptor Block already grouped for SA: %s, can't regroup.\n",
323 sa_len ? sa : " (error)");
324 spin_unlock_bh(&tdb_lock);
327 em->em_rel[i].emr_tdb = tdbp;
330 tprev = em->em_rel[0].emr_tdb;
331 tprev->tdb_inext = NULL;
332 for (i = 1; i < nspis; i++) {
333 tdbp = em->em_rel[i].emr_tdb;
334 tprev->tdb_onext = tdbp;
335 tdbp->tdb_inext = tprev;
338 tprev->tdb_onext = NULL;
340 spin_unlock_bh(&tdb_lock);
346 if (len != (8 + (sizeof(struct sa_id) + sizeof(struct tdb *)) /* 12 */) ) {
347 printk("klips_debug:ipsec_callback: "
348 "EMT_UNGRPSPIS message size incorrect, expected %d, got %d.\n",
349 8 + (sizeof(struct sa_id) + sizeof(struct tdb *)),
355 spin_lock_bh(&tdb_lock);
357 if ((tdbp = gettdb(&(em->em_rel[0].emr_said))) == NULL) {
358 KLIPS_PRINT(debug_netlink,
359 "klips_debug:ipsec_callback: "
360 "EMT_UGRPSPI Tunnel Descriptor Block not found for SA%s, could not ungroup.\n",
361 sa_len ? sa : " (error)");
362 spin_unlock_bh(&tdb_lock);
365 while(tdbp->tdb_onext) {
366 tdbp = tdbp->tdb_onext;
368 while(tdbp->tdb_inext) {
370 tdbp = tdbp->tdb_inext;
371 tprev->tdb_inext = NULL;
372 tdbp->tdb_onext = NULL;
375 spin_unlock_bh(&tdb_lock);
380 KLIPS_PRINT(debug_netlink,
381 "klips_debug:ipsec_callback: "
382 "spi clear called.\n");
383 if (em->em_if >= 5) /* XXX -- why 5? */
388 KLIPS_PRINT(debug_netlink,
389 "klips_debug:ipsec_callback: "
390 "unknown message type\n");
397 kfree_skb(skb, FREE_WRITE);
404 * $Log: ipsec_netlink.c,v $
405 * Revision 1.56 2002/01/29 17:17:55 mcr
406 * moved include of ipsec_param.h to after include of linux/kernel.h
407 * otherwise, it seems that some option that is set in ipsec_param.h
408 * screws up something subtle in the include path to kernel.h, and
409 * it complains on the snprintf() prototype.
411 * Revision 1.55 2002/01/29 04:00:51 mcr
412 * more excise of kversions.h header.
414 * Revision 1.54 2001/10/18 04:45:19 rgb
415 * 2.4.9 kernel deprecates linux/malloc.h in favour of linux/slab.h,
416 * lib/freeswan.h version macros moved to lib/kversions.h.
417 * Other compiler directive cleanups.
419 * Revision 1.53 2001/09/15 16:24:04 rgb
420 * Re-inject first and last HOLD packet when an eroute REPLACE is done.
422 * Revision 1.52 2001/09/14 16:58:36 rgb
423 * Added support for storing the first and last packets through a HOLD.
425 * Revision 1.51 2001/09/08 21:13:32 rgb
426 * Added pfkey ident extension support for ISAKMPd. (NetCelo)
428 * Revision 1.50 2001/07/06 19:49:00 rgb
429 * Renamed EMT_RPLACEROUTE to EMT_REPLACEROUTE for clarity and logical text
432 * Revision 1.49 2001/06/14 19:35:08 rgb
433 * Update copyright date.
435 * Revision 1.48 2001/02/27 22:24:54 rgb
436 * Re-formatting debug output (line-splitting, joining, 1arg/line).
437 * Check for satoa() return codes.
439 * Revision 1.47 2000/11/06 04:32:08 rgb
440 * Ditched spin_lock_irqsave in favour of spin_lock_bh.
442 * Revision 1.46 2000/09/08 19:16:50 rgb
443 * Change references from DEBUG_IPSEC to CONFIG_IPSEC_DEBUG.
444 * Removed all references to CONFIG_IPSEC_PFKEYv2.
446 * Revision 1.45 2000/08/30 05:23:55 rgb
447 * Compiler-define out ipsec_callback() function of ipsec_netlink.c.
448 * Nothing should be using it anyway.
450 * Revision 1.44 2000/03/16 14:01:26 rgb
451 * Indented headers for readability.
453 * Revision 1.43 2000/03/16 07:13:04 rgb
454 * Hardcode PF_KEYv2 support.
455 * Disable NET_LINK support.
457 * Revision 1.42 2000/01/21 06:14:27 rgb
458 * Moved debug message for expected output on set or clear.
460 * Revision 1.41 1999/12/01 22:14:37 rgb
461 * Added debugging message for bad netlink magic.
462 * Initialise tdb_sastate to MATURE (1).
463 * Added UNGRPSPIS bad length debugging message.
465 * Revision 1.40 1999/11/23 23:06:25 rgb
466 * Sort out pfkey and freeswan headers, putting them in a library path.
468 * Revision 1.39 1999/11/18 04:09:18 rgb
469 * Replaced all kernel version macros to shorter, readable form.
471 * Revision 1.38 1999/11/17 15:53:39 rgb
472 * Changed all occurrences of #include "../../../lib/freeswan.h"
473 * to #include <freeswan.h> which works due to -Ilibfreeswan in the
474 * klips/net/ipsec/Makefile.
476 * Revision 1.37 1999/10/26 13:58:32 rgb
477 * Put spinlock flags variable declaration outside the debug compiler
478 * directive to enable compilation with debug shut off.
480 * Revision 1.36 1999/10/16 18:24:22 rgb
481 * Initialize lifetime_addtime_c and lifetime_allocations_c.
482 * Clean-up unused cruft.
484 * Revision 1.35 1999/10/08 18:37:34 rgb
485 * Fix end-of-line spacing to sate whining PHMs.
487 * Revision 1.34 1999/10/03 18:49:11 rgb
488 * Spinlock fixes for 2.0.xx and 2.3.xx.
490 * Revision 1.33 1999/10/01 15:44:53 rgb
491 * Move spinlock header include to 2.1> scope.
493 * Revision 1.32 1999/10/01 00:00:53 rgb
494 * Fix for proper netlink debugging operation.
495 * Added tdb structure locking.
496 * Minor formatting changes.
498 * Revision 1.31 1999/05/25 21:21:43 rgb
499 * Fix deltdbchain() error return code checking.
501 * Revision 1.30 1999/05/09 03:25:36 rgb
502 * Fix bug introduced by 2.2 quick-and-dirty patch.
504 * Revision 1.29 1999/05/08 21:23:27 rgb
505 * Simplify satoa() calling.
506 * Fix error return reporting.
507 * Add casting to silence the 2.2.x compile.
509 * Revision 1.28 1999/05/05 22:02:31 rgb
510 * Add a quick and dirty port to 2.2 kernels by Marc Boucher <marc@mbsi.ca>.
512 * Revision 1.27 1999/04/29 15:16:24 rgb
513 * Add pfkey support to debugging.
514 * Change gettdb parameter to a pointer to reduce stack loading and
516 * parameter sanity checking.
517 * Add IS_MYADDR support obviating the necessity of doing this in user
519 * Fix undetected bug by moving puttdb in SETSPI until after initialisation
521 * prevent tdb usage before it is ready and to save work if it does not
523 * Clean up deltdb/wipe code.
524 * Fix undetected bug of returning error as positive value.
525 * Add a parameter to tdbcleanup to be able to delete a class of SAs.
527 * Revision 1.26 1999/04/16 15:39:35 rgb
528 * Fix already fixed unbalanced #endif.
530 * Revision 1.25 1999/04/15 15:37:24 rgb
531 * Forward check changes from POST1_00 branch.
533 * Revision 1.21.2.1 1999/04/13 20:30:26 rgb
534 * Add experimental 'getdebug'.
536 * Revision 1.24 1999/04/11 00:28:58 henry
539 * Revision 1.23 1999/04/07 17:44:21 rgb
540 * Fix ipsec_callback memory leak, skb not freed after use.
542 * Revision 1.22 1999/04/06 04:54:26 rgb
543 * Fix/Add RCSID Id: and Log: bits to make PHMDs happy. This includes
546 * Revision 1.21 1999/02/17 16:50:11 rgb
547 * Consolidate satoa()s for space and speed efficiency.
548 * Convert DEBUG_IPSEC to KLIPS_PRINT
549 * Clean out unused cruft.
551 * Revision 1.20 1999/01/28 23:20:49 rgb
552 * Replace hard-coded numbers in macros and code with meaningful values
553 * automatically generated from sizeof() and offsetof() to further the
554 * goal of platform independence.
556 * Revision 1.19 1999/01/26 02:07:07 rgb
557 * Removed CONFIG_IPSEC_ALGO_SWITCH macro.
558 * Remove ah/esp switching on include files.
561 * Revision 1.18 1999/01/22 06:20:36 rgb
564 * Added algorithm switch code.
566 * Revision 1.17 1998/12/02 03:09:39 rgb
567 * Clean up debug printing conditionals to compile with debugging off.
569 * Revision 1.16 1998/12/01 05:56:57 rgb
570 * Add support for debug printing of version info.
571 * Fail on unknown error for breakroute in replace command.
573 * Revision 1.15 1998/11/30 13:22:54 rgb
574 * Rationalised all the klips kernel file headers. They are much shorter
575 * now and won't conflict under RH5.2.
577 * Revision 1.14 1998/11/10 05:36:14 rgb
578 * Clean up debug output.
579 * Add direction to spi setup debug code.
580 * Add support for SA direction flag.
582 * Revision 1.13 1998/10/31 06:51:56 rgb
583 * Get zeroize to return something useful.
584 * Clean up code to isolate 'spi --add/del' memory leak.
585 * Fixed up comments in #endif directives.
587 * Revision 1.12 1998/10/27 00:35:02 rgb
588 * Suppressed debug output during normal operation.
590 * Revision 1.11 1998/10/25 02:40:21 rgb
591 * Selective debug printing, depending upon called service.
592 * Institute more precise error return codes from eroute commands.
593 * Fix bug in size of structure passed in from user space for grpspi command.
595 * Revision 1.10 1998/10/22 06:44:58 rgb
596 * Convert to use satoa for printk.
597 * Moved break; in 'set debug level code to avoid undetected bug.
598 * Fixed run-on error message to fit 80 columns.
600 * Revision 1.9 1998/10/19 14:44:28 rgb
601 * Added inclusion of freeswan.h.
602 * sa_id structure implemented and used: now includes protocol.
604 * Revision 1.8 1998/10/09 04:29:51 rgb
605 * Added support for '-replace' option to eroute.
606 * Fixed spiungroup bug.
607 * Added 'klips_debug' prefix to all klips printk debug statements.
609 * Revision 1.7 1998/08/12 00:10:06 rgb
610 * Fixed minor error return code syntax.
612 * Revision 1.6 1998/07/29 20:22:57 rgb
615 * Revision 1.5 1998/07/27 21:53:11 rgb
616 * Check for proper return code from eroute clear command.
617 * Use appropriate error return codes from kernel.
618 * Add an option to clear the SA table.
620 * Revision 1.4 1998/07/14 18:02:40 rgb
621 * Add a command to clear the eroute table.
622 * Clean up some error codes.
624 * Revision 1.3 1998/06/25 19:52:33 rgb
625 * Code cosmetic changes only.
627 * Revision 1.2 1998/06/23 02:57:58 rgb
628 * Clean up after an error condition in setspi.
630 * Revision 1.9 1998/06/18 21:29:06 henry
631 * move sources from klips/src to klips/net/ipsec, to keep stupid kernel
632 * build scripts happier in presence of symbolic links
634 * Revision 1.8 1998/06/08 17:57:15 rgb
635 * Very minor spacing change.
637 * Revision 1.7 1998/05/18 21:46:45 rgb
638 * Clean up for numerical consistency of output.
640 * Added debugging switch output.
642 * SETSPI will refuse to overwrite a previous SA. This is to make it
643 * consistent with the eroute command.
645 * spidel now deletes entire chain of spi's.
647 * spigrp can now ungroup a set of spi's.
649 * spigrp will not regroup a previously grouped spi.
651 * Key data is properly cleaned up, ie. zeroed.
653 * Revision 1.6 1998/05/07 20:36:27 rgb
654 * Fixed case where debugging not enabled that caused ipsec_netlink.c to
657 * Revision 1.5 1998/05/06 03:34:21 rgb
658 * Updated debugging output statements.
660 * Revision 1.4 1998/04/23 21:03:59 rgb
661 * Completed kernel development for userspace access to klips kernel debugging
663 * Added detail to the kernel error message when trying to group non-existent
666 * Revision 1.3 1998/04/21 21:29:06 rgb
667 * Rearrange debug switches to change on the fly debug output from user
668 * space. Only kernel changes checked in at this time. radij.c was also
669 * changed to temporarily remove buggy debugging code in rj_delete causing
670 * an OOPS and hence, netlink device open errors.
672 * Revision 1.2 1998/04/12 22:03:23 rgb
673 * Updated ESP-3DES-HMAC-MD5-96,
674 * ESP-DES-HMAC-MD5-96,
676 * AH-HMAC-SHA1-96 since Henry started freeswan cvs repository
677 * from old standards (RFC182[5-9] to new (as of March 1998) drafts.
679 * Fixed eroute references in /proc/net/ipsec*.
681 * Started to patch module unloading memory leaks in ipsec_netlink and
682 * radij tree unloading.
684 * Revision 1.1 1998/04/09 03:06:08 henry
685 * sources moved up from linux/net/ipsec
687 * Revision 1.1.1.1 1998/04/08 05:35:02 henry
688 * RGB's ipsec-0.8pre2.tar.gz ipsec-0.8
690 * Revision 0.4 1997/01/15 01:28:15 ji
693 * Revision 0.3 1996/11/20 14:39:04 ji
695 * Rationalized debugging code.
697 * Revision 0.2 1996/11/02 00:18:33 ji
698 * First limited release.