static struct xfrm_state *xfrm_user_state_lookup(struct net *net, struct xfrm_usersa_id *p, struct nlattr **attrs, int *errp) { struct xfrm_state *x = NULL; struct xfrm_mark m; int err; u32 mark = xfrm_mark_get(attrs, &m); if (xfrm_id_proto_match(p->proto, IPSEC_PROTO_ANY)) { err = -ESRCH; x = xfrm_state_lookup(net, mark, &p->daddr, p->spi, p->proto, p->family); } else { xfrm_address_t *saddr = NULL; verify_one_addr(attrs, XFRMA_SRCADDR, &saddr); if (!saddr) { err = -EINVAL; goto out; } err = -ESRCH; x = xfrm_state_lookup_byaddr(net, mark, &p->daddr, saddr, p->proto, p->family); } out: if (!x && errp) *errp = err; return x; }
int xfrm6_input_addr(struct sk_buff *skb, xfrm_address_t *daddr, xfrm_address_t *saddr, u8 proto) { struct net *net = dev_net(skb->dev); struct xfrm_state *x = NULL; int i = 0; if (!skb->sp || atomic_read(&skb->sp->refcnt) != 1) { struct sec_path *sp; sp = secpath_dup(skb->sp); if (!sp) { XFRM_INC_STATS(net, LINUX_MIB_XFRMINERROR); goto drop; } if (skb->sp) secpath_put(skb->sp); skb->sp = sp; } if (1 + skb->sp->len == XFRM_MAX_DEPTH) { XFRM_INC_STATS(net, LINUX_MIB_XFRMINBUFFERERROR); goto drop; } for (i = 0; i < 3; i++) { xfrm_address_t *dst, *src; switch (i) { case 0: dst = daddr; src = saddr; break; case 1: dst = daddr; src = (xfrm_address_t *)&in6addr_any; break; default: dst = (xfrm_address_t *)&in6addr_any; src = (xfrm_address_t *)&in6addr_any; break; } x = xfrm_state_lookup_byaddr(net, skb->mark, dst, src, proto, AF_INET6); if (!x) continue; spin_lock(&x->lock); if ((!i || (x->props.flags & XFRM_STATE_WILDRECV)) && likely(x->km.state == XFRM_STATE_VALID) && !xfrm_state_check_expire(x)) { spin_unlock(&x->lock); if (x->type->input(x, skb) > 0) { break; } } else spin_unlock(&x->lock); xfrm_state_put(x); x = NULL; } if (!x) { XFRM_INC_STATS(net, LINUX_MIB_XFRMINNOSTATES); xfrm_audit_state_notfound_simple(skb, AF_INET6); goto drop; } skb->sp->xvec[skb->sp->len++] = x; spin_lock(&x->lock); x->curlft.bytes += skb->len; x->curlft.packets++; spin_unlock(&x->lock); return 1; drop: return -1; }
int xfrm6_input_addr(struct sk_buff *skb, xfrm_address_t *daddr, xfrm_address_t *saddr, u8 proto) { struct xfrm_state *x = NULL; int wildcard = 0; struct in6_addr any; xfrm_address_t *xany; struct xfrm_state *xfrm_vec_one = NULL; int nh = 0; int i = 0; ipv6_addr_set(&any, 0, 0, 0, 0); xany = (xfrm_address_t *)&any; for (i = 0; i < 3; i++) { xfrm_address_t *dst, *src; switch (i) { case 0: dst = daddr; src = saddr; break; case 1: /* lookup state with wild-card source address */ wildcard = 1; dst = daddr; src = xany; break; case 2: default: /* lookup state with wild-card addresses */ wildcard = 1; /* XXX */ dst = xany; src = xany; break; } x = xfrm_state_lookup_byaddr(dst, src, proto, AF_INET6); if (!x) continue; spin_lock(&x->lock); if (wildcard) { if ((x->props.flags & XFRM_STATE_WILDRECV) == 0) { spin_unlock(&x->lock); xfrm_state_put(x); x = NULL; continue; } } if (unlikely(x->km.state != XFRM_STATE_VALID)) { spin_unlock(&x->lock); xfrm_state_put(x); x = NULL; continue; } if (xfrm_state_check_expire(x)) { spin_unlock(&x->lock); xfrm_state_put(x); x = NULL; continue; } nh = x->type->input(x, skb); if (nh <= 0) { spin_unlock(&x->lock); xfrm_state_put(x); x = NULL; continue; } x->curlft.bytes += skb->len; x->curlft.packets++; spin_unlock(&x->lock); xfrm_vec_one = x; break; } if (!xfrm_vec_one) goto drop; /* Allocate new secpath or COW existing one. */ if (!skb->sp || atomic_read(&skb->sp->refcnt) != 1) { struct sec_path *sp; sp = secpath_dup(skb->sp); if (!sp) goto drop; if (skb->sp) secpath_put(skb->sp); skb->sp = sp; } if (1 + skb->sp->len > XFRM_MAX_DEPTH) goto drop; skb->sp->xvec[skb->sp->len] = xfrm_vec_one; skb->sp->len ++; return 1; drop: if (xfrm_vec_one) xfrm_state_put(xfrm_vec_one); return -1; }
int __xfrm6_rcv_one(struct sk_buff *skb, xfrm_address_t *daddr, xfrm_address_t *saddr, u8 proto) { struct xfrm_state *x = NULL; int wildcard = 0; struct in6_addr any; xfrm_address_t *xany; struct xfrm_state *xfrm_vec_one = NULL; int nh = 0; int i = 0; ipv6_addr_set(&any, 0, 0, 0, 0); xany = (xfrm_address_t *)&any; for (i = 0; i < 3; i++) { xfrm_address_t *dst, *src; switch (i) { case 0: dst = daddr; src = saddr; break; case 1: /* lookup state with wild-card source address */ wildcard = 1; dst = daddr; src = xany; break; case 2: default: /* lookup state with wild-card addresses */ wildcard = 1; /* XXX */ dst = xany; src = xany; break; } x = xfrm_state_lookup_byaddr(dst, src, proto, AF_INET6); if (!x) continue; spin_lock(&x->lock); if (wildcard) { if ((x->props.flags & XFRM_STATE_WILDRECV) == 0) { printk(KERN_INFO "%s: found state is not wild-card.\n", __FUNCTION__); spin_unlock(&x->lock); xfrm_state_put(x); x = NULL; continue; } } if (unlikely(x->km.state != XFRM_STATE_VALID)) { spin_unlock(&x->lock); xfrm_state_put(x); x = NULL; continue; } if (xfrm_state_check_expire(x)) { spin_unlock(&x->lock); xfrm_state_put(x); x = NULL; continue; } nh = x->type->input(x, skb); if (nh <= 0) { spin_unlock(&x->lock); xfrm_state_put(x); x = NULL; continue; } break; } if (!x) goto error; x->curlft.bytes += skb->len; x->curlft.packets++; x->curlft.use_time = (unsigned long) xtime.tv_sec; spin_unlock(&x->lock); xfrm_vec_one = x; /* Allocate new secpath or COW existing one. */ if (!skb->sp || atomic_read(&skb->sp->refcnt) != 1) { struct sec_path *sp; sp = secpath_dup(skb->sp); if (!sp) { printk(KERN_INFO "%s: dup secpath failed\n", __FUNCTION__); goto error; } if (skb->sp) secpath_put(skb->sp); skb->sp = sp; } if (1 + skb->sp->len > XFRM_MAX_DEPTH) { printk(KERN_INFO "%s: too many states\n", __FUNCTION__); goto error; } skb->sp->xvec[skb->sp->len] = xfrm_vec_one; skb->sp->len ++; skb->ip_summed = CHECKSUM_NONE; return 0; error: return -1; }