2 * CALIPSO - Common Architecture Label IPv6 Security Option
4 * This is an implementation of the CALIPSO protocol as specified in
7 * Authors: Paul Moore <paul.moore@hp.com>
8 * Huw Davies <huw@codeweavers.com>
12 /* (c) Copyright Hewlett-Packard Development Company, L.P., 2006, 2008
13 * (c) Copyright Huw Davies <huw@codeweavers.com>, 2015
15 * This program is free software; you can redistribute it and/or modify
16 * it under the terms of the GNU General Public License as published by
17 * the Free Software Foundation; either version 2 of the License, or
18 * (at your option) any later version.
20 * This program is distributed in the hope that it will be useful,
21 * but WITHOUT ANY WARRANTY; without even the implied warranty of
22 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
23 * the GNU General Public License for more details.
25 * You should have received a copy of the GNU General Public License
26 * along with this program; if not, see <http://www.gnu.org/licenses/>.
30 #include <linux/init.h>
31 #include <linux/types.h>
32 #include <linux/rcupdate.h>
33 #include <linux/list.h>
34 #include <linux/spinlock.h>
35 #include <linux/string.h>
36 #include <linux/jhash.h>
37 #include <linux/audit.h>
38 #include <linux/slab.h>
42 #include <net/netlabel.h>
43 #include <net/calipso.h>
44 #include <linux/atomic.h>
45 #include <linux/bug.h>
46 #include <asm/unaligned.h>
47 #include <linux/crc-ccitt.h>
49 /* Maximium size of the calipso option including
50 * the two-byte TLV header.
52 #define CALIPSO_OPT_LEN_MAX (2 + 252)
54 /* Size of the minimum calipso option including
55 * the two-byte TLV header.
57 #define CALIPSO_HDR_LEN (2 + 8)
59 /* Maximium size of the calipso option including
60 * the two-byte TLV header and upto 3 bytes of
61 * leading pad and 7 bytes of trailing pad.
63 #define CALIPSO_OPT_LEN_MAX_WITH_PAD (3 + CALIPSO_OPT_LEN_MAX + 7)
65 /* Maximium size of u32 aligned buffer required to hold calipso
66 * option. Max of 3 initial pad bytes starting from buffer + 3.
67 * i.e. the worst case is when the previous tlv finishes on 4n + 3.
69 #define CALIPSO_MAX_BUFFER (6 + CALIPSO_OPT_LEN_MAX)
71 /* List of available DOI definitions */
72 static DEFINE_SPINLOCK(calipso_doi_list_lock);
73 static LIST_HEAD(calipso_doi_list);
75 /* Label mapping cache */
76 int calipso_cache_enabled = 1;
77 int calipso_cache_bucketsize = 10;
78 #define CALIPSO_CACHE_BUCKETBITS 7
79 #define CALIPSO_CACHE_BUCKETS BIT(CALIPSO_CACHE_BUCKETBITS)
80 #define CALIPSO_CACHE_REORDERLIMIT 10
81 struct calipso_map_cache_bkt {
84 struct list_head list;
87 struct calipso_map_cache_entry {
92 struct netlbl_lsm_cache *lsm_data;
95 struct list_head list;
98 static struct calipso_map_cache_bkt *calipso_cache;
100 static void calipso_cache_invalidate(void);
101 static void calipso_doi_putdef(struct calipso_doi *doi_def);
103 /* Label Mapping Cache Functions
107 * calipso_cache_entry_free - Frees a cache entry
108 * @entry: the entry to free
111 * This function frees the memory associated with a cache entry including the
112 * LSM cache data if there are no longer any users, i.e. reference count == 0.
115 static void calipso_cache_entry_free(struct calipso_map_cache_entry *entry)
118 netlbl_secattr_cache_free(entry->lsm_data);
124 * calipso_map_cache_hash - Hashing function for the CALIPSO cache
126 * @key_len: the length of the key in bytes
129 * The CALIPSO tag hashing function. Returns a 32-bit hash value.
132 static u32 calipso_map_cache_hash(const unsigned char *key, u32 key_len)
134 return jhash(key, key_len, 0);
138 * calipso_cache_init - Initialize the CALIPSO cache
141 * Initializes the CALIPSO label mapping cache, this function should be called
142 * before any of the other functions defined in this file. Returns zero on
143 * success, negative values on error.
146 static int __init calipso_cache_init(void)
150 calipso_cache = kcalloc(CALIPSO_CACHE_BUCKETS,
151 sizeof(struct calipso_map_cache_bkt),
156 for (iter = 0; iter < CALIPSO_CACHE_BUCKETS; iter++) {
157 spin_lock_init(&calipso_cache[iter].lock);
158 calipso_cache[iter].size = 0;
159 INIT_LIST_HEAD(&calipso_cache[iter].list);
166 * calipso_cache_invalidate - Invalidates the current CALIPSO cache
169 * Invalidates and frees any entries in the CALIPSO cache. Returns zero on
170 * success and negative values on failure.
173 static void calipso_cache_invalidate(void)
175 struct calipso_map_cache_entry *entry, *tmp_entry;
178 for (iter = 0; iter < CALIPSO_CACHE_BUCKETS; iter++) {
179 spin_lock_bh(&calipso_cache[iter].lock);
180 list_for_each_entry_safe(entry,
182 &calipso_cache[iter].list, list) {
183 list_del(&entry->list);
184 calipso_cache_entry_free(entry);
186 calipso_cache[iter].size = 0;
187 spin_unlock_bh(&calipso_cache[iter].lock);
192 * calipso_cache_check - Check the CALIPSO cache for a label mapping
193 * @key: the buffer to check
194 * @key_len: buffer length in bytes
195 * @secattr: the security attribute struct to use
198 * This function checks the cache to see if a label mapping already exists for
199 * the given key. If there is a match then the cache is adjusted and the
200 * @secattr struct is populated with the correct LSM security attributes. The
201 * cache is adjusted in the following manner if the entry is not already the
202 * first in the cache bucket:
204 * 1. The cache entry's activity counter is incremented
205 * 2. The previous (higher ranking) entry's activity counter is decremented
206 * 3. If the difference between the two activity counters is geater than
207 * CALIPSO_CACHE_REORDERLIMIT the two entries are swapped
209 * Returns zero on success, -ENOENT for a cache miss, and other negative values
213 static int calipso_cache_check(const unsigned char *key,
215 struct netlbl_lsm_secattr *secattr)
218 struct calipso_map_cache_entry *entry;
219 struct calipso_map_cache_entry *prev_entry = NULL;
222 if (!calipso_cache_enabled)
225 hash = calipso_map_cache_hash(key, key_len);
226 bkt = hash & (CALIPSO_CACHE_BUCKETS - 1);
227 spin_lock_bh(&calipso_cache[bkt].lock);
228 list_for_each_entry(entry, &calipso_cache[bkt].list, list) {
229 if (entry->hash == hash &&
230 entry->key_len == key_len &&
231 memcmp(entry->key, key, key_len) == 0) {
232 entry->activity += 1;
233 refcount_inc(&entry->lsm_data->refcount);
234 secattr->cache = entry->lsm_data;
235 secattr->flags |= NETLBL_SECATTR_CACHE;
236 secattr->type = NETLBL_NLTYPE_CALIPSO;
238 spin_unlock_bh(&calipso_cache[bkt].lock);
242 if (prev_entry->activity > 0)
243 prev_entry->activity -= 1;
244 if (entry->activity > prev_entry->activity &&
245 entry->activity - prev_entry->activity >
246 CALIPSO_CACHE_REORDERLIMIT) {
247 __list_del(entry->list.prev, entry->list.next);
248 __list_add(&entry->list,
249 prev_entry->list.prev,
253 spin_unlock_bh(&calipso_cache[bkt].lock);
258 spin_unlock_bh(&calipso_cache[bkt].lock);
264 * calipso_cache_add - Add an entry to the CALIPSO cache
265 * @calipso_ptr: the CALIPSO option
266 * @secattr: the packet's security attributes
269 * Add a new entry into the CALIPSO label mapping cache. Add the new entry to
270 * head of the cache bucket's list, if the cache bucket is out of room remove
271 * the last entry in the list first. It is important to note that there is
272 * currently no checking for duplicate keys. Returns zero on success,
273 * negative values on failure. The key stored starts at calipso_ptr + 2,
274 * i.e. the type and length bytes are not stored, this corresponds to
275 * calipso_ptr[1] bytes of data.
278 static int calipso_cache_add(const unsigned char *calipso_ptr,
279 const struct netlbl_lsm_secattr *secattr)
281 int ret_val = -EPERM;
283 struct calipso_map_cache_entry *entry = NULL;
284 struct calipso_map_cache_entry *old_entry = NULL;
287 if (!calipso_cache_enabled || calipso_cache_bucketsize <= 0)
290 calipso_ptr_len = calipso_ptr[1];
292 entry = kzalloc(sizeof(*entry), GFP_ATOMIC);
295 entry->key = kmemdup(calipso_ptr + 2, calipso_ptr_len, GFP_ATOMIC);
298 goto cache_add_failure;
300 entry->key_len = calipso_ptr_len;
301 entry->hash = calipso_map_cache_hash(calipso_ptr, calipso_ptr_len);
302 refcount_inc(&secattr->cache->refcount);
303 entry->lsm_data = secattr->cache;
305 bkt = entry->hash & (CALIPSO_CACHE_BUCKETS - 1);
306 spin_lock_bh(&calipso_cache[bkt].lock);
307 if (calipso_cache[bkt].size < calipso_cache_bucketsize) {
308 list_add(&entry->list, &calipso_cache[bkt].list);
309 calipso_cache[bkt].size += 1;
311 old_entry = list_entry(calipso_cache[bkt].list.prev,
312 struct calipso_map_cache_entry, list);
313 list_del(&old_entry->list);
314 list_add(&entry->list, &calipso_cache[bkt].list);
315 calipso_cache_entry_free(old_entry);
317 spin_unlock_bh(&calipso_cache[bkt].lock);
323 calipso_cache_entry_free(entry);
327 /* DOI List Functions
331 * calipso_doi_search - Searches for a DOI definition
332 * @doi: the DOI to search for
335 * Search the DOI definition list for a DOI definition with a DOI value that
336 * matches @doi. The caller is responsible for calling rcu_read_[un]lock().
337 * Returns a pointer to the DOI definition on success and NULL on failure.
339 static struct calipso_doi *calipso_doi_search(u32 doi)
341 struct calipso_doi *iter;
343 list_for_each_entry_rcu(iter, &calipso_doi_list, list)
344 if (iter->doi == doi && refcount_read(&iter->refcount))
350 * calipso_doi_add - Add a new DOI to the CALIPSO protocol engine
351 * @doi_def: the DOI structure
352 * @audit_info: NetLabel audit information
355 * The caller defines a new DOI for use by the CALIPSO engine and calls this
356 * function to add it to the list of acceptable domains. The caller must
357 * ensure that the mapping table specified in @doi_def->map meets all of the
358 * requirements of the mapping type (see calipso.h for details). Returns
359 * zero on success and non-zero on failure.
362 static int calipso_doi_add(struct calipso_doi *doi_def,
363 struct netlbl_audit *audit_info)
365 int ret_val = -EINVAL;
368 struct audit_buffer *audit_buf;
371 doi_type = doi_def->type;
373 if (doi_def->doi == CALIPSO_DOI_UNKNOWN)
376 refcount_set(&doi_def->refcount, 1);
378 spin_lock(&calipso_doi_list_lock);
379 if (calipso_doi_search(doi_def->doi)) {
380 spin_unlock(&calipso_doi_list_lock);
384 list_add_tail_rcu(&doi_def->list, &calipso_doi_list);
385 spin_unlock(&calipso_doi_list_lock);
389 audit_buf = netlbl_audit_start(AUDIT_MAC_CALIPSO_ADD, audit_info);
391 const char *type_str;
394 case CALIPSO_MAP_PASS:
398 type_str = "(unknown)";
400 audit_log_format(audit_buf,
401 " calipso_doi=%u calipso_type=%s res=%u",
402 doi, type_str, ret_val == 0 ? 1 : 0);
403 audit_log_end(audit_buf);
410 * calipso_doi_free - Frees a DOI definition
411 * @doi_def: the DOI definition
414 * This function frees all of the memory associated with a DOI definition.
417 static void calipso_doi_free(struct calipso_doi *doi_def)
423 * calipso_doi_free_rcu - Frees a DOI definition via the RCU pointer
424 * @entry: the entry's RCU field
427 * This function is designed to be used as a callback to the call_rcu()
428 * function so that the memory allocated to the DOI definition can be released
432 static void calipso_doi_free_rcu(struct rcu_head *entry)
434 struct calipso_doi *doi_def;
436 doi_def = container_of(entry, struct calipso_doi, rcu);
437 calipso_doi_free(doi_def);
441 * calipso_doi_remove - Remove an existing DOI from the CALIPSO protocol engine
442 * @doi: the DOI value
443 * @audit_secid: the LSM secid to use in the audit message
446 * Removes a DOI definition from the CALIPSO engine. The NetLabel routines will
447 * be called to release their own LSM domain mappings as well as our own
448 * domain list. Returns zero on success and negative values on failure.
451 static int calipso_doi_remove(u32 doi, struct netlbl_audit *audit_info)
454 struct calipso_doi *doi_def;
455 struct audit_buffer *audit_buf;
457 spin_lock(&calipso_doi_list_lock);
458 doi_def = calipso_doi_search(doi);
460 spin_unlock(&calipso_doi_list_lock);
462 goto doi_remove_return;
464 list_del_rcu(&doi_def->list);
465 spin_unlock(&calipso_doi_list_lock);
467 calipso_doi_putdef(doi_def);
471 audit_buf = netlbl_audit_start(AUDIT_MAC_CALIPSO_DEL, audit_info);
473 audit_log_format(audit_buf,
474 " calipso_doi=%u res=%u",
475 doi, ret_val == 0 ? 1 : 0);
476 audit_log_end(audit_buf);
483 * calipso_doi_getdef - Returns a reference to a valid DOI definition
484 * @doi: the DOI value
487 * Searches for a valid DOI definition and if one is found it is returned to
488 * the caller. Otherwise NULL is returned. The caller must ensure that
489 * calipso_doi_putdef() is called when the caller is done.
492 static struct calipso_doi *calipso_doi_getdef(u32 doi)
494 struct calipso_doi *doi_def;
497 doi_def = calipso_doi_search(doi);
499 goto doi_getdef_return;
500 if (!refcount_inc_not_zero(&doi_def->refcount))
509 * calipso_doi_putdef - Releases a reference for the given DOI definition
510 * @doi_def: the DOI definition
513 * Releases a DOI definition reference obtained from calipso_doi_getdef().
516 static void calipso_doi_putdef(struct calipso_doi *doi_def)
521 if (!refcount_dec_and_test(&doi_def->refcount))
524 calipso_cache_invalidate();
525 call_rcu(&doi_def->rcu, calipso_doi_free_rcu);
529 * calipso_doi_walk - Iterate through the DOI definitions
530 * @skip_cnt: skip past this number of DOI definitions, updated
531 * @callback: callback for each DOI definition
532 * @cb_arg: argument for the callback function
535 * Iterate over the DOI definition list, skipping the first @skip_cnt entries.
536 * For each entry call @callback, if @callback returns a negative value stop
537 * 'walking' through the list and return. Updates the value in @skip_cnt upon
538 * return. Returns zero on success, negative values on failure.
541 static int calipso_doi_walk(u32 *skip_cnt,
542 int (*callback)(struct calipso_doi *doi_def,
546 int ret_val = -ENOENT;
548 struct calipso_doi *iter_doi;
551 list_for_each_entry_rcu(iter_doi, &calipso_doi_list, list)
552 if (refcount_read(&iter_doi->refcount) > 0) {
553 if (doi_cnt++ < *skip_cnt)
555 ret_val = callback(iter_doi, cb_arg);
558 goto doi_walk_return;
569 * calipso_validate - Validate a CALIPSO option
571 * @option: the start of the option
574 * This routine is called to validate a CALIPSO option.
575 * If the option is valid then %true is returned, otherwise
576 * %false is returned.
578 * The caller should have already checked that the length of the
579 * option (including the TLV header) is >= 10 and that the catmap
580 * length is consistent with the option length.
582 * We leave checks on the level and categories to the socket layer.
584 bool calipso_validate(const struct sk_buff *skb, const unsigned char *option)
586 struct calipso_doi *doi_def;
588 u16 crc, len = option[1] + 2;
589 static const u8 zero[2];
591 /* The original CRC runs over the option including the TLV header
592 * with the CRC-16 field (at offset 8) zeroed out. */
593 crc = crc_ccitt(0xffff, option, 8);
594 crc = crc_ccitt(crc, zero, sizeof(zero));
596 crc = crc_ccitt(crc, option + 10, len - 10);
598 if (option[8] != (crc & 0xff) || option[9] != ((crc >> 8) & 0xff))
602 doi_def = calipso_doi_search(get_unaligned_be32(option + 2));
610 * calipso_map_cat_hton - Perform a category mapping from host to network
611 * @doi_def: the DOI definition
612 * @secattr: the security attributes
613 * @net_cat: the zero'd out category bitmap in network/CALIPSO format
614 * @net_cat_len: the length of the CALIPSO bitmap in bytes
617 * Perform a label mapping to translate a local MLS category bitmap to the
618 * correct CALIPSO bitmap using the given DOI definition. Returns the minimum
619 * size in bytes of the network bitmap on success, negative values otherwise.
622 static int calipso_map_cat_hton(const struct calipso_doi *doi_def,
623 const struct netlbl_lsm_secattr *secattr,
624 unsigned char *net_cat,
628 u32 net_spot_max = 0;
629 u32 net_clen_bits = net_cat_len * 8;
632 spot = netlbl_catmap_walk(secattr->attr.mls.cat,
636 if (spot >= net_clen_bits)
638 netlbl_bitmap_setbit(net_cat, spot, 1);
640 if (spot > net_spot_max)
644 return (net_spot_max / 32 + 1) * 4;
648 * calipso_map_cat_ntoh - Perform a category mapping from network to host
649 * @doi_def: the DOI definition
650 * @net_cat: the category bitmap in network/CALIPSO format
651 * @net_cat_len: the length of the CALIPSO bitmap in bytes
652 * @secattr: the security attributes
655 * Perform a label mapping to translate a CALIPSO bitmap to the correct local
656 * MLS category bitmap using the given DOI definition. Returns zero on
657 * success, negative values on failure.
660 static int calipso_map_cat_ntoh(const struct calipso_doi *doi_def,
661 const unsigned char *net_cat,
663 struct netlbl_lsm_secattr *secattr)
667 u32 net_clen_bits = net_cat_len * 8;
670 spot = netlbl_bitmap_walk(net_cat,
680 ret_val = netlbl_catmap_setbit(&secattr->attr.mls.cat,
691 * calipso_pad_write - Writes pad bytes in TLV format
693 * @offset: offset from start of buffer to write padding
694 * @count: number of pad bytes to write
697 * Write @count bytes of TLV padding into @buffer starting at offset @offset.
698 * @count should be less than 8 - see RFC 4942.
701 static int calipso_pad_write(unsigned char *buf, unsigned int offset,
704 if (WARN_ON_ONCE(count >= 8))
711 buf[offset] = IPV6_TLV_PAD1;
714 buf[offset] = IPV6_TLV_PADN;
715 buf[offset + 1] = count - 2;
717 memset(buf + offset + 2, 0, count - 2);
724 * calipso_genopt - Generate a CALIPSO option
725 * @buf: the option buffer
726 * @start: offset from which to write
727 * @buf_len: the size of opt_buf
728 * @doi_def: the CALIPSO DOI to use
729 * @secattr: the security attributes
732 * Generate a CALIPSO option using the DOI definition and security attributes
733 * passed to the function. This also generates upto three bytes of leading
734 * padding that ensures that the option is 4n + 2 aligned. It returns the
735 * number of bytes written (including any initial padding).
737 static int calipso_genopt(unsigned char *buf, u32 start, u32 buf_len,
738 const struct calipso_doi *doi_def,
739 const struct netlbl_lsm_secattr *secattr)
744 static const unsigned char padding[4] = {2, 1, 0, 3};
745 unsigned char *calipso;
747 /* CALIPSO has 4n + 2 alignment */
748 pad = padding[start & 3];
749 if (buf_len <= start + pad + CALIPSO_HDR_LEN)
752 if ((secattr->flags & NETLBL_SECATTR_MLS_LVL) == 0)
755 len = CALIPSO_HDR_LEN;
757 if (secattr->flags & NETLBL_SECATTR_MLS_CAT) {
758 ret_val = calipso_map_cat_hton(doi_def,
760 buf + start + pad + len,
761 buf_len - start - pad - len);
767 calipso_pad_write(buf, start, pad);
768 calipso = buf + start + pad;
770 calipso[0] = IPV6_TLV_CALIPSO;
771 calipso[1] = len - 2;
772 *(__be32 *)(calipso + 2) = htonl(doi_def->doi);
773 calipso[6] = (len - CALIPSO_HDR_LEN) / 4;
774 calipso[7] = secattr->attr.mls.lvl,
775 crc = ~crc_ccitt(0xffff, calipso, len);
776 calipso[8] = crc & 0xff;
777 calipso[9] = (crc >> 8) & 0xff;
781 /* Hop-by-hop hdr helper functions
785 * calipso_opt_update - Replaces socket's hop options with a new set
787 * @hop: new hop options
790 * Replaces @sk's hop options with @hop. @hop may be NULL to leave
791 * the socket with no hop options.
794 static int calipso_opt_update(struct sock *sk, struct ipv6_opt_hdr *hop)
796 struct ipv6_txoptions *old = txopt_get(inet6_sk(sk)), *txopts;
798 txopts = ipv6_renew_options(sk, old, IPV6_HOPOPTS, hop);
801 return PTR_ERR(txopts);
803 txopts = ipv6_update_options(sk, txopts);
805 atomic_sub(txopts->tot_len, &sk->sk_omem_alloc);
813 * calipso_tlv_len - Returns the length of the TLV
814 * @opt: the option header
815 * @offset: offset of the TLV within the header
818 * Returns the length of the TLV option at offset @offset within
819 * the option header @opt. Checks that the entire TLV fits inside
820 * the option header, returns a negative value if this is not the case.
822 static int calipso_tlv_len(struct ipv6_opt_hdr *opt, unsigned int offset)
824 unsigned char *tlv = (unsigned char *)opt;
825 unsigned int opt_len = ipv6_optlen(opt), tlv_len;
827 if (offset < sizeof(*opt) || offset >= opt_len)
829 if (tlv[offset] == IPV6_TLV_PAD1)
831 if (offset + 1 >= opt_len)
833 tlv_len = tlv[offset + 1] + 2;
834 if (offset + tlv_len > opt_len)
840 * calipso_opt_find - Finds the CALIPSO option in an IPv6 hop options header
841 * @hop: the hop options header
842 * @start: on return holds the offset of any leading padding
843 * @end: on return holds the offset of the first non-pad TLV after CALIPSO
846 * Finds the space occupied by a CALIPSO option (including any leading and
849 * If a CALIPSO option exists set @start and @end to the
850 * offsets within @hop of the start of padding before the first
851 * CALIPSO option and the end of padding after the first CALIPSO
852 * option. In this case the function returns 0.
854 * In the absence of a CALIPSO option, @start and @end will be
855 * set to the start and end of any trailing padding in the header.
856 * This is useful when appending a new option, as the caller may want
857 * to overwrite some of this padding. In this case the function will
860 static int calipso_opt_find(struct ipv6_opt_hdr *hop, unsigned int *start,
863 int ret_val = -ENOENT, tlv_len;
864 unsigned int opt_len, offset, offset_s = 0, offset_e = 0;
865 unsigned char *opt = (unsigned char *)hop;
867 opt_len = ipv6_optlen(hop);
868 offset = sizeof(*hop);
870 while (offset < opt_len) {
871 tlv_len = calipso_tlv_len(hop, offset);
875 switch (opt[offset]) {
881 case IPV6_TLV_CALIPSO:
896 *start = offset_s + calipso_tlv_len(hop, offset_s);
898 *start = sizeof(*hop);
900 *end = offset_e + calipso_tlv_len(hop, offset_e);
908 * calipso_opt_insert - Inserts a CALIPSO option into an IPv6 hop opt hdr
909 * @hop: the original hop options header
910 * @doi_def: the CALIPSO DOI to use
911 * @secattr: the specific security attributes of the socket
914 * Creates a new hop options header based on @hop with a
915 * CALIPSO option added to it. If @hop already contains a CALIPSO
916 * option this is overwritten, otherwise the new option is appended
917 * after any existing options. If @hop is NULL then the new header
918 * will contain just the CALIPSO option and any needed padding.
921 static struct ipv6_opt_hdr *
922 calipso_opt_insert(struct ipv6_opt_hdr *hop,
923 const struct calipso_doi *doi_def,
924 const struct netlbl_lsm_secattr *secattr)
926 unsigned int start, end, buf_len, pad, hop_len;
927 struct ipv6_opt_hdr *new;
931 hop_len = ipv6_optlen(hop);
932 ret_val = calipso_opt_find(hop, &start, &end);
933 if (ret_val && ret_val != -ENOENT)
934 return ERR_PTR(ret_val);
937 start = sizeof(*hop);
941 buf_len = hop_len + start - end + CALIPSO_OPT_LEN_MAX_WITH_PAD;
942 new = kzalloc(buf_len, GFP_ATOMIC);
944 return ERR_PTR(-ENOMEM);
946 if (start > sizeof(*hop))
947 memcpy(new, hop, start);
948 ret_val = calipso_genopt((unsigned char *)new, start, buf_len, doi_def,
952 return ERR_PTR(ret_val);
955 buf_len = start + ret_val;
956 /* At this point buf_len aligns to 4n, so (buf_len & 4) pads to 8n */
957 pad = ((buf_len & 4) + (end & 7)) & 7;
958 calipso_pad_write((unsigned char *)new, buf_len, pad);
961 if (end != hop_len) {
962 memcpy((char *)new + buf_len, (char *)hop + end, hop_len - end);
963 buf_len += hop_len - end;
966 new->hdrlen = buf_len / 8 - 1;
972 * calipso_opt_del - Removes the CALIPSO option from an option header
973 * @hop: the original header
974 * @new: the new header
977 * Creates a new header based on @hop without any CALIPSO option. If @hop
978 * doesn't contain a CALIPSO option it returns -ENOENT. If @hop contains
979 * no other non-padding options, it returns zero with @new set to NULL.
980 * Otherwise it returns zero, creates a new header without the CALIPSO
981 * option (and removing as much padding as possible) and returns with
982 * @new set to that header.
985 static int calipso_opt_del(struct ipv6_opt_hdr *hop,
986 struct ipv6_opt_hdr **new)
989 unsigned int start, end, delta, pad, hop_len;
991 ret_val = calipso_opt_find(hop, &start, &end);
995 hop_len = ipv6_optlen(hop);
996 if (start == sizeof(*hop) && end == hop_len) {
997 /* There's no other option in the header so return NULL */
1002 delta = (end - start) & ~7;
1003 *new = kzalloc(hop_len - delta, GFP_ATOMIC);
1007 memcpy(*new, hop, start);
1008 (*new)->hdrlen -= delta / 8;
1009 pad = (end - start) & 7;
1010 calipso_pad_write((unsigned char *)*new, start, pad);
1012 memcpy((char *)*new + start + pad, (char *)hop + end,
1019 * calipso_opt_getattr - Get the security attributes from a memory block
1020 * @calipso: the CALIPSO option
1021 * @secattr: the security attributes
1024 * Inspect @calipso and return the security attributes in @secattr.
1025 * Returns zero on success and negative values on failure.
1028 static int calipso_opt_getattr(const unsigned char *calipso,
1029 struct netlbl_lsm_secattr *secattr)
1031 int ret_val = -ENOMSG;
1032 u32 doi, len = calipso[1], cat_len = calipso[6] * 4;
1033 struct calipso_doi *doi_def;
1035 if (cat_len + 8 > len)
1038 if (calipso_cache_check(calipso + 2, calipso[1], secattr) == 0)
1041 doi = get_unaligned_be32(calipso + 2);
1043 doi_def = calipso_doi_search(doi);
1045 goto getattr_return;
1047 secattr->attr.mls.lvl = calipso[7];
1048 secattr->flags |= NETLBL_SECATTR_MLS_LVL;
1051 ret_val = calipso_map_cat_ntoh(doi_def,
1056 netlbl_catmap_free(secattr->attr.mls.cat);
1057 goto getattr_return;
1060 if (secattr->attr.mls.cat)
1061 secattr->flags |= NETLBL_SECATTR_MLS_CAT;
1064 secattr->type = NETLBL_NLTYPE_CALIPSO;
1075 * calipso_sock_getattr - Get the security attributes from a sock
1077 * @secattr: the security attributes
1080 * Query @sk to see if there is a CALIPSO option attached to the sock and if
1081 * there is return the CALIPSO security attributes in @secattr. This function
1082 * requires that @sk be locked, or privately held, but it does not do any
1083 * locking itself. Returns zero on success and negative values on failure.
1086 static int calipso_sock_getattr(struct sock *sk,
1087 struct netlbl_lsm_secattr *secattr)
1089 struct ipv6_opt_hdr *hop;
1090 int opt_len, len, ret_val = -ENOMSG, offset;
1092 struct ipv6_txoptions *txopts = txopt_get(inet6_sk(sk));
1094 if (!txopts || !txopts->hopopt)
1097 hop = txopts->hopopt;
1098 opt = (unsigned char *)hop;
1099 opt_len = ipv6_optlen(hop);
1100 offset = sizeof(*hop);
1101 while (offset < opt_len) {
1102 len = calipso_tlv_len(hop, offset);
1107 switch (opt[offset]) {
1108 case IPV6_TLV_CALIPSO:
1109 if (len < CALIPSO_HDR_LEN)
1112 ret_val = calipso_opt_getattr(&opt[offset],
1126 * calipso_sock_setattr - Add a CALIPSO option to a socket
1128 * @doi_def: the CALIPSO DOI to use
1129 * @secattr: the specific security attributes of the socket
1132 * Set the CALIPSO option on the given socket using the DOI definition and
1133 * security attributes passed to the function. This function requires
1134 * exclusive access to @sk, which means it either needs to be in the
1135 * process of being created or locked. Returns zero on success and negative
1136 * values on failure.
1139 static int calipso_sock_setattr(struct sock *sk,
1140 const struct calipso_doi *doi_def,
1141 const struct netlbl_lsm_secattr *secattr)
1144 struct ipv6_opt_hdr *old, *new;
1145 struct ipv6_txoptions *txopts = txopt_get(inet6_sk(sk));
1149 old = txopts->hopopt;
1151 new = calipso_opt_insert(old, doi_def, secattr);
1154 return PTR_ERR(new);
1156 ret_val = calipso_opt_update(sk, new);
1163 * calipso_sock_delattr - Delete the CALIPSO option from a socket
1167 * Removes the CALIPSO option from a socket, if present.
1170 static void calipso_sock_delattr(struct sock *sk)
1172 struct ipv6_opt_hdr *new_hop;
1173 struct ipv6_txoptions *txopts = txopt_get(inet6_sk(sk));
1175 if (!txopts || !txopts->hopopt)
1178 if (calipso_opt_del(txopts->hopopt, &new_hop))
1181 calipso_opt_update(sk, new_hop);
1188 /* request sock functions.
1192 * calipso_req_setattr - Add a CALIPSO option to a connection request socket
1193 * @req: the connection request socket
1194 * @doi_def: the CALIPSO DOI to use
1195 * @secattr: the specific security attributes of the socket
1198 * Set the CALIPSO option on the given socket using the DOI definition and
1199 * security attributes passed to the function. Returns zero on success and
1200 * negative values on failure.
1203 static int calipso_req_setattr(struct request_sock *req,
1204 const struct calipso_doi *doi_def,
1205 const struct netlbl_lsm_secattr *secattr)
1207 struct ipv6_txoptions *txopts;
1208 struct inet_request_sock *req_inet = inet_rsk(req);
1209 struct ipv6_opt_hdr *old, *new;
1210 struct sock *sk = sk_to_full_sk(req_to_sk(req));
1212 if (req_inet->ipv6_opt && req_inet->ipv6_opt->hopopt)
1213 old = req_inet->ipv6_opt->hopopt;
1217 new = calipso_opt_insert(old, doi_def, secattr);
1219 return PTR_ERR(new);
1221 txopts = ipv6_renew_options(sk, req_inet->ipv6_opt, IPV6_HOPOPTS, new);
1226 return PTR_ERR(txopts);
1228 txopts = xchg(&req_inet->ipv6_opt, txopts);
1230 atomic_sub(txopts->tot_len, &sk->sk_omem_alloc);
1238 * calipso_req_delattr - Delete the CALIPSO option from a request socket
1239 * @reg: the request socket
1242 * Removes the CALIPSO option from a request socket, if present.
1245 static void calipso_req_delattr(struct request_sock *req)
1247 struct inet_request_sock *req_inet = inet_rsk(req);
1248 struct ipv6_opt_hdr *new;
1249 struct ipv6_txoptions *txopts;
1250 struct sock *sk = sk_to_full_sk(req_to_sk(req));
1252 if (!req_inet->ipv6_opt || !req_inet->ipv6_opt->hopopt)
1255 if (calipso_opt_del(req_inet->ipv6_opt->hopopt, &new))
1256 return; /* Nothing to do */
1258 txopts = ipv6_renew_options(sk, req_inet->ipv6_opt, IPV6_HOPOPTS, new);
1260 if (!IS_ERR(txopts)) {
1261 txopts = xchg(&req_inet->ipv6_opt, txopts);
1263 atomic_sub(txopts->tot_len, &sk->sk_omem_alloc);
1270 /* skbuff functions.
1274 * calipso_skbuff_optptr - Find the CALIPSO option in the packet
1278 * Parse the packet's IP header looking for a CALIPSO option. Returns a pointer
1279 * to the start of the CALIPSO option on success, NULL if one if not found.
1282 static unsigned char *calipso_skbuff_optptr(const struct sk_buff *skb)
1284 const struct ipv6hdr *ip6_hdr = ipv6_hdr(skb);
1287 if (ip6_hdr->nexthdr != NEXTHDR_HOP)
1290 offset = ipv6_find_tlv(skb, sizeof(*ip6_hdr), IPV6_TLV_CALIPSO);
1292 return (unsigned char *)ip6_hdr + offset;
1298 * calipso_skbuff_setattr - Set the CALIPSO option on a packet
1300 * @doi_def: the CALIPSO DOI to use
1301 * @secattr: the security attributes
1304 * Set the CALIPSO option on the given packet based on the security attributes.
1305 * Returns a pointer to the IP header on success and NULL on failure.
1308 static int calipso_skbuff_setattr(struct sk_buff *skb,
1309 const struct calipso_doi *doi_def,
1310 const struct netlbl_lsm_secattr *secattr)
1313 struct ipv6hdr *ip6_hdr;
1314 struct ipv6_opt_hdr *hop;
1315 unsigned char buf[CALIPSO_MAX_BUFFER];
1316 int len_delta, new_end, pad, payload;
1317 unsigned int start, end;
1319 ip6_hdr = ipv6_hdr(skb);
1320 if (ip6_hdr->nexthdr == NEXTHDR_HOP) {
1321 hop = (struct ipv6_opt_hdr *)(ip6_hdr + 1);
1322 ret_val = calipso_opt_find(hop, &start, &end);
1323 if (ret_val && ret_val != -ENOENT)
1330 memset(buf, 0, sizeof(buf));
1331 ret_val = calipso_genopt(buf, start & 3, sizeof(buf), doi_def, secattr);
1335 new_end = start + ret_val;
1336 /* At this point new_end aligns to 4n, so (new_end & 4) pads to 8n */
1337 pad = ((new_end & 4) + (end & 7)) & 7;
1338 len_delta = new_end - (int)end + pad;
1339 ret_val = skb_cow(skb, skb_headroom(skb) + len_delta);
1343 ip6_hdr = ipv6_hdr(skb); /* Reset as skb_cow() may have moved it */
1347 skb_push(skb, len_delta);
1349 skb_pull(skb, -len_delta);
1350 memmove((char *)ip6_hdr - len_delta, ip6_hdr,
1351 sizeof(*ip6_hdr) + start);
1352 skb_reset_network_header(skb);
1353 ip6_hdr = ipv6_hdr(skb);
1354 payload = ntohs(ip6_hdr->payload_len);
1355 ip6_hdr->payload_len = htons(payload + len_delta);
1358 hop = (struct ipv6_opt_hdr *)(ip6_hdr + 1);
1360 struct ipv6_opt_hdr *new_hop = (struct ipv6_opt_hdr *)buf;
1362 new_hop->nexthdr = ip6_hdr->nexthdr;
1363 new_hop->hdrlen = len_delta / 8 - 1;
1364 ip6_hdr->nexthdr = NEXTHDR_HOP;
1366 hop->hdrlen += len_delta / 8;
1368 memcpy((char *)hop + start, buf + (start & 3), new_end - start);
1369 calipso_pad_write((unsigned char *)hop, new_end, pad);
1375 * calipso_skbuff_delattr - Delete any CALIPSO options from a packet
1379 * Removes any and all CALIPSO options from the given packet. Returns zero on
1380 * success, negative values on failure.
1383 static int calipso_skbuff_delattr(struct sk_buff *skb)
1386 struct ipv6hdr *ip6_hdr;
1387 struct ipv6_opt_hdr *old_hop;
1388 u32 old_hop_len, start = 0, end = 0, delta, size, pad;
1390 if (!calipso_skbuff_optptr(skb))
1393 /* since we are changing the packet we should make a copy */
1394 ret_val = skb_cow(skb, skb_headroom(skb));
1398 ip6_hdr = ipv6_hdr(skb);
1399 old_hop = (struct ipv6_opt_hdr *)(ip6_hdr + 1);
1400 old_hop_len = ipv6_optlen(old_hop);
1402 ret_val = calipso_opt_find(old_hop, &start, &end);
1406 if (start == sizeof(*old_hop) && end == old_hop_len) {
1407 /* There's no other option in the header so we delete
1408 * the whole thing. */
1409 delta = old_hop_len;
1410 size = sizeof(*ip6_hdr);
1411 ip6_hdr->nexthdr = old_hop->nexthdr;
1413 delta = (end - start) & ~7;
1415 old_hop->hdrlen -= delta / 8;
1416 pad = (end - start) & 7;
1417 size = sizeof(*ip6_hdr) + start + pad;
1418 calipso_pad_write((unsigned char *)old_hop, start, pad);
1422 skb_pull(skb, delta);
1423 memmove((char *)ip6_hdr + delta, ip6_hdr, size);
1424 skb_reset_network_header(skb);
1430 static const struct netlbl_calipso_ops ops = {
1431 .doi_add = calipso_doi_add,
1432 .doi_free = calipso_doi_free,
1433 .doi_remove = calipso_doi_remove,
1434 .doi_getdef = calipso_doi_getdef,
1435 .doi_putdef = calipso_doi_putdef,
1436 .doi_walk = calipso_doi_walk,
1437 .sock_getattr = calipso_sock_getattr,
1438 .sock_setattr = calipso_sock_setattr,
1439 .sock_delattr = calipso_sock_delattr,
1440 .req_setattr = calipso_req_setattr,
1441 .req_delattr = calipso_req_delattr,
1442 .opt_getattr = calipso_opt_getattr,
1443 .skbuff_optptr = calipso_skbuff_optptr,
1444 .skbuff_setattr = calipso_skbuff_setattr,
1445 .skbuff_delattr = calipso_skbuff_delattr,
1446 .cache_invalidate = calipso_cache_invalidate,
1447 .cache_add = calipso_cache_add
1451 * calipso_init - Initialize the CALIPSO module
1454 * Initialize the CALIPSO module and prepare it for use. Returns zero on
1455 * success and negative values on failure.
1458 int __init calipso_init(void)
1462 ret_val = calipso_cache_init();
1464 netlbl_calipso_ops_register(&ops);
1468 void calipso_exit(void)
1470 netlbl_calipso_ops_register(NULL);
1471 calipso_cache_invalidate();
1472 kfree(calipso_cache);
projects / releases.git / blob