| rjw | 1f88458 | 2022-01-06 17:20:42 +0800 | [diff] [blame] | 1 | /* | 
|  | 2 | * CALIPSO - Common Architecture Label IPv6 Security Option | 
|  | 3 | * | 
|  | 4 | * This is an implementation of the CALIPSO protocol as specified in | 
|  | 5 | * RFC 5570. | 
|  | 6 | * | 
|  | 7 | * Authors: Paul Moore <paul.moore@hp.com> | 
|  | 8 | *          Huw Davies <huw@codeweavers.com> | 
|  | 9 | * | 
|  | 10 | */ | 
|  | 11 |  | 
|  | 12 | /* (c) Copyright Hewlett-Packard Development Company, L.P., 2006, 2008 | 
|  | 13 | * (c) Copyright Huw Davies <huw@codeweavers.com>, 2015 | 
|  | 14 | * | 
|  | 15 | * This program is free software;  you can redistribute it and/or modify | 
|  | 16 | * it under the terms of the GNU General Public License as published by | 
|  | 17 | * the Free Software Foundation; either version 2 of the License, or | 
|  | 18 | * (at your option) any later version. | 
|  | 19 | * | 
|  | 20 | * This program is distributed in the hope that it will be useful, | 
|  | 21 | * but WITHOUT ANY WARRANTY;  without even the implied warranty of | 
|  | 22 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See | 
|  | 23 | * the GNU General Public License for more details. | 
|  | 24 | * | 
|  | 25 | * You should have received a copy of the GNU General Public License | 
|  | 26 | * along with this program;  if not, see <http://www.gnu.org/licenses/>. | 
|  | 27 | * | 
|  | 28 | */ | 
|  | 29 |  | 
|  | 30 | #include <linux/init.h> | 
|  | 31 | #include <linux/types.h> | 
|  | 32 | #include <linux/rcupdate.h> | 
|  | 33 | #include <linux/list.h> | 
|  | 34 | #include <linux/spinlock.h> | 
|  | 35 | #include <linux/string.h> | 
|  | 36 | #include <linux/jhash.h> | 
|  | 37 | #include <linux/audit.h> | 
|  | 38 | #include <linux/slab.h> | 
|  | 39 | #include <net/ip.h> | 
|  | 40 | #include <net/icmp.h> | 
|  | 41 | #include <net/tcp.h> | 
|  | 42 | #include <net/netlabel.h> | 
|  | 43 | #include <net/calipso.h> | 
|  | 44 | #include <linux/atomic.h> | 
|  | 45 | #include <linux/bug.h> | 
|  | 46 | #include <asm/unaligned.h> | 
|  | 47 | #include <linux/crc-ccitt.h> | 
|  | 48 |  | 
/* Maximum size of the CALIPSO option including
 * the two-byte TLV header.
 */
#define CALIPSO_OPT_LEN_MAX (2 + 252)

/* Size of the minimum CALIPSO option including
 * the two-byte TLV header: type, length, 4-byte DOI, compartment
 * length, sensitivity level and the 2-byte CRC-16 (see calipso_genopt()).
 */
#define CALIPSO_HDR_LEN (2 + 8)

/* Maximum size of the CALIPSO option including
 * the two-byte TLV header and up to 3 bytes of
 * leading pad and 7 bytes of trailing pad.
 */
#define CALIPSO_OPT_LEN_MAX_WITH_PAD (3 + CALIPSO_OPT_LEN_MAX + 7)

/* Maximum size of u32 aligned buffer required to hold a CALIPSO
 * option.  Max of 3 initial pad bytes starting from buffer + 3,
 * i.e. the worst case is when the previous TLV finishes on 4n + 3.
 */
#define CALIPSO_MAX_BUFFER (6 + CALIPSO_OPT_LEN_MAX)
|  | 70 |  | 
/* List of available DOI definitions.  Writers take calipso_doi_list_lock,
 * readers walk the list under RCU (see calipso_doi_search()).
 */
static DEFINE_SPINLOCK(calipso_doi_list_lock);
static LIST_HEAD(calipso_doi_list);

/* Label mapping cache.  The two tunables are non-static, so they are
 * presumably adjusted from outside this file (sysctl?) - confirm.
 */
int calipso_cache_enabled = 1;		/* non-zero: lookups and inserts are active */
int calipso_cache_bucketsize = 10;	/* maximum entries kept per hash bucket */
#define CALIPSO_CACHE_BUCKETBITS     7
#define CALIPSO_CACHE_BUCKETS        BIT(CALIPSO_CACHE_BUCKETBITS)
#define CALIPSO_CACHE_REORDERLIMIT   10	/* activity gap needed to promote an entry */
/* One hash bucket of the label mapping cache. */
struct calipso_map_cache_bkt {
	spinlock_t lock;	/* protects size and list; taken with the _bh variants */
	u32 size;		/* number of entries currently on list */
	struct list_head list;	/* entries; new ones are added at the head and
				 * frequently hit ones are promoted towards it
				 * (see calipso_cache_check()) */
};
|  | 86 |  | 
/* One cached option -> LSM mapping. */
struct calipso_map_cache_entry {
	u32 hash;		/* selects the bucket and is a cheap pre-check before memcmp() */
	unsigned char *key;	/* copy of the option data, owned by the entry */
	size_t key_len;		/* length of key in bytes */

	struct netlbl_lsm_cache *lsm_data;	/* referenced LSM cache data, may be NULL */

	u32 activity;		/* hit counter used to decide on reordering */
	struct list_head list;	/* link in calipso_map_cache_bkt.list */
};
|  | 97 |  | 
/* The bucket array, CALIPSO_CACHE_BUCKETS long, allocated by calipso_cache_init() */
static struct calipso_map_cache_bkt *calipso_cache;
|  | 99 |  | 
|  | 100 | /* Label Mapping Cache Functions | 
|  | 101 | */ | 
|  | 102 |  | 
/**
 * calipso_cache_entry_free - Frees a cache entry
 * @entry: the entry to free
 *
 * Description:
 * Releases the key buffer, hands the entry's reference on the LSM cache data
 * back to netlbl_secattr_cache_free() (which frees it once no users remain)
 * and then frees the entry itself.  The caller must already have unlinked
 * @entry from its bucket list.
 *
 */
static void calipso_cache_entry_free(struct calipso_map_cache_entry *entry)
{
	struct netlbl_lsm_cache *lsm_data = entry->lsm_data;

	if (lsm_data)
		netlbl_secattr_cache_free(lsm_data);
	kfree(entry->key);
	kfree(entry);
}
|  | 119 |  | 
/**
 * calipso_map_cache_hash - Hashing function for the CALIPSO cache
 * @key: the hash key
 * @key_len: the length of the key in bytes
 *
 * Description:
 * The CALIPSO tag hashing function, a plain jhash() of @key with a zero
 * initial value.  Returns a 32-bit hash value.
 *
 */
static u32 calipso_map_cache_hash(const unsigned char *key, u32 key_len)
{
	const u32 initval = 0;

	return jhash(key, key_len, initval);
}
|  | 133 |  | 
/**
 * calipso_cache_init - Initialize the CALIPSO cache
 *
 * Description:
 * Allocates the CALIPSO_CACHE_BUCKETS bucket array and initializes each
 * bucket's lock, size and list.  This function should be called before any
 * of the other functions defined in this file.  Returns zero on success,
 * -ENOMEM if the bucket array cannot be allocated.
 *
 */
static int __init calipso_cache_init(void)
{
	struct calipso_map_cache_bkt *bkt;
	struct calipso_map_cache_bkt *end;

	calipso_cache = kcalloc(CALIPSO_CACHE_BUCKETS, sizeof(*calipso_cache),
				GFP_KERNEL);
	if (!calipso_cache)
		return -ENOMEM;

	end = calipso_cache + CALIPSO_CACHE_BUCKETS;
	for (bkt = calipso_cache; bkt < end; bkt++) {
		spin_lock_init(&bkt->lock);
		bkt->size = 0;
		INIT_LIST_HEAD(&bkt->list);
	}

	return 0;
}
|  | 161 |  | 
/**
 * calipso_cache_invalidate - Invalidates the current CALIPSO cache
 *
 * Description:
 * Walks every bucket under its lock, unlinks and frees all entries and
 * resets the bucket size to zero.  Nothing is returned; the function cannot
 * fail.
 *
 */
static void calipso_cache_invalidate(void)
{
	u32 i;

	for (i = 0; i < CALIPSO_CACHE_BUCKETS; i++) {
		struct calipso_map_cache_bkt *bkt = &calipso_cache[i];
		struct calipso_map_cache_entry *entry, *next;

		spin_lock_bh(&bkt->lock);
		/* _safe variant: the entry is freed while iterating */
		list_for_each_entry_safe(entry, next, &bkt->list, list) {
			list_del(&entry->list);
			calipso_cache_entry_free(entry);
		}
		bkt->size = 0;
		spin_unlock_bh(&bkt->lock);
	}
}
|  | 187 |  | 
/**
 * calipso_cache_check - Check the CALIPSO cache for a label mapping
 * @key: the buffer to check
 * @key_len: buffer length in bytes
 * @secattr: the security attribute struct to use
 *
 * Description:
 * This function checks the cache to see if a label mapping already exists for
 * the given key.  A candidate must match on hash, key length and the key
 * bytes themselves (memcmp()).  If there is a match then the cache is
 * adjusted and the @secattr struct is populated with the cached LSM data
 * (taking a reference on it for the caller).  The cache is adjusted in the
 * following manner if the entry is not already the first in the cache bucket:
 *
 *  1. The cache entry's activity counter is incremented
 *  2. The previous (higher ranking) entry's activity counter is decremented
 *  3. If the difference between the two activity counters is greater than
 *     CALIPSO_CACHE_REORDERLIMIT the two entries are swapped
 *
 * The bucket lock is taken with the _bh variants, presumably because the
 * lookup can run from the packet receive path - confirm against callers.
 * Returns zero on success and -ENOENT for a cache miss (or when the cache
 * is disabled).
 *
 */
static int calipso_cache_check(const unsigned char *key,
			       u32 key_len,
			       struct netlbl_lsm_secattr *secattr)
{
	struct calipso_map_cache_bkt *bkt;
	struct calipso_map_cache_entry *entry;
	struct calipso_map_cache_entry *prev = NULL;
	u32 hash;
	int ret_val = -ENOENT;

	if (!calipso_cache_enabled)
		return -ENOENT;

	hash = calipso_map_cache_hash(key, key_len);
	bkt = &calipso_cache[hash & (CALIPSO_CACHE_BUCKETS - 1)];

	spin_lock_bh(&bkt->lock);
	list_for_each_entry(entry, &bkt->list, list) {
		if (entry->hash != hash ||
		    entry->key_len != key_len ||
		    memcmp(entry->key, key, key_len) != 0) {
			prev = entry;
			continue;
		}

		/* Hit: hand the caller a reference on the cached LSM data */
		entry->activity += 1;
		refcount_inc(&entry->lsm_data->refcount);
		secattr->cache = entry->lsm_data;
		secattr->flags |= NETLBL_SECATTR_CACHE;
		secattr->type = NETLBL_NLTYPE_CALIPSO;
		ret_val = 0;

		/* Promote a hot entry one place towards the head */
		if (prev) {
			if (prev->activity > 0)
				prev->activity -= 1;
			if (entry->activity > prev->activity &&
			    entry->activity - prev->activity >
			    CALIPSO_CACHE_REORDERLIMIT) {
				__list_del(entry->list.prev, entry->list.next);
				__list_add(&entry->list,
					   prev->list.prev,
					   &prev->list);
			}
		}
		break;
	}
	spin_unlock_bh(&bkt->lock);

	return ret_val;
}
|  | 259 |  | 
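/**
 * calipso_cache_add - Add an entry to the CALIPSO cache
 * @calipso_ptr: the CALIPSO option
 * @secattr: the packet's security attributes
 *
 * Description:
 * Add a new entry into the CALIPSO label mapping cache.  Add the new entry to
 * head of the cache bucket's list, if the cache bucket is out of room remove
 * the last entry in the list first.  It is important to note that there is
 * currently no checking for duplicate keys.  Returns zero on success (also
 * when the cache is disabled), -ENOMEM on allocation failure.  The key
 * stored starts at calipso_ptr + 2, i.e. the type and length bytes are not
 * stored, this corresponds to calipso_ptr[1] bytes of data.  The entry's
 * hash is computed over exactly those stored bytes so that
 * calipso_cache_check(), which hashes and then memcmp()s the key it is
 * given, can match the entry.
 *
 * The length byte comes from the packet; the caller must already have
 * validated that the option really spans calipso_ptr[1] + 2 bytes, and must
 * supply a @secattr that carries an LSM cache object in @secattr->cache.
 *
 */
static int calipso_cache_add(const unsigned char *calipso_ptr,
			     const struct netlbl_lsm_secattr *secattr)
{
	u32 bkt;
	struct calipso_map_cache_entry *entry;
	struct calipso_map_cache_entry *old_entry;
	u32 calipso_ptr_len;

	if (!calipso_cache_enabled || calipso_cache_bucketsize <= 0)
		return 0;

	/* Number of option bytes following the two-byte TLV header */
	calipso_ptr_len = calipso_ptr[1];

	entry = kzalloc(sizeof(*entry), GFP_ATOMIC);
	if (!entry)
		return -ENOMEM;
	entry->key = kmemdup(calipso_ptr + 2, calipso_ptr_len, GFP_ATOMIC);
	if (!entry->key) {
		/* lsm_data is still NULL, so only the entry itself is freed */
		calipso_cache_entry_free(entry);
		return -ENOMEM;
	}
	entry->key_len = calipso_ptr_len;
	/* Hash the bytes that are stored as the key.  Hashing from calipso_ptr
	 * (two bytes earlier) would produce a value that a lookup over the
	 * stored key could only reproduce on a jhash collision, i.e. the
	 * cache would effectively never hit. */
	entry->hash = calipso_map_cache_hash(entry->key, calipso_ptr_len);
	/* The entry holds its own reference on the LSM cache data */
	refcount_inc(&secattr->cache->refcount);
	entry->lsm_data = secattr->cache;

	bkt = entry->hash & (CALIPSO_CACHE_BUCKETS - 1);
	spin_lock_bh(&calipso_cache[bkt].lock);
	if (calipso_cache[bkt].size < calipso_cache_bucketsize) {
		list_add(&entry->list, &calipso_cache[bkt].list);
		calipso_cache[bkt].size += 1;
	} else {
		/* Bucket is full: evict the entry at the tail of the list */
		old_entry = list_entry(calipso_cache[bkt].list.prev,
				       struct calipso_map_cache_entry, list);
		list_del(&old_entry->list);
		list_add(&entry->list, &calipso_cache[bkt].list);
		calipso_cache_entry_free(old_entry);
	}
	spin_unlock_bh(&calipso_cache[bkt].lock);

	return 0;
}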
|  | 323 |  | 
|  | 324 | /* DOI List Functions | 
|  | 325 | */ | 
|  | 326 |  | 
/**
 * calipso_doi_search - Searches for a DOI definition
 * @doi: the DOI to search for
 *
 * Description:
 * Search the DOI definition list for a DOI definition with a DOI value that
 * matches @doi and whose reference count is non-zero (definitions that are
 * on their way out are skipped).  The caller is responsible for calling
 * rcu_read_[un]lock().  Returns a pointer to the DOI definition on success
 * and NULL on failure.
 */
static struct calipso_doi *calipso_doi_search(u32 doi)
{
	struct calipso_doi *def;

	list_for_each_entry_rcu(def, &calipso_doi_list, list) {
		if (def->doi != doi)
			continue;
		if (refcount_read(&def->refcount))
			return def;
	}
	return NULL;
}
|  | 345 |  | 
/**
 * calipso_doi_add - Add a new DOI to the CALIPSO protocol engine
 * @doi_def: the DOI structure
 * @audit_info: NetLabel audit information
 *
 * Description:
 * The caller defines a new DOI for use by the CALIPSO engine and calls this
 * function to add it to the list of acceptable domains.  The caller must
 * ensure that the mapping table specified in @doi_def->map meets all of the
 * requirements of the mapping type (see calipso.h for details).  Returns
 * zero on success, -EINVAL for CALIPSO_DOI_UNKNOWN and -EEXIST if the DOI is
 * already defined.  An AUDIT_MAC_CALIPSO_ADD record is emitted for both
 * successful and failed attempts (res=1 / res=0).
 *
 */
static int calipso_doi_add(struct calipso_doi *doi_def,
			   struct netlbl_audit *audit_info)
{
	int ret_val = -EINVAL;
	const u32 doi = doi_def->doi;
	const u32 doi_type = doi_def->type;
	const char *type_str = "(unknown)";
	struct audit_buffer *audit_buf;

	if (doi != CALIPSO_DOI_UNKNOWN) {
		/* The list itself holds the initial reference */
		refcount_set(&doi_def->refcount, 1);

		spin_lock(&calipso_doi_list_lock);
		if (calipso_doi_search(doi)) {
			ret_val = -EEXIST;
		} else {
			list_add_tail_rcu(&doi_def->list, &calipso_doi_list);
			ret_val = 0;
		}
		spin_unlock(&calipso_doi_list_lock);
	}

	audit_buf = netlbl_audit_start(AUDIT_MAC_CALIPSO_ADD, audit_info);
	if (audit_buf) {
		if (doi_type == CALIPSO_MAP_PASS)
			type_str = "pass";
		audit_log_format(audit_buf,
				 " calipso_doi=%u calipso_type=%s res=%u",
				 doi, type_str, ret_val == 0 ? 1 : 0);
		audit_log_end(audit_buf);
	}

	return ret_val;
}
|  | 405 |  | 
/**
 * calipso_doi_free - Frees a DOI definition
 * @doi_def: the DOI definition
 *
 * Description:
 * This function frees the memory of the DOI definition structure itself.
 * It must only be called once the definition is unreachable, normally via
 * calipso_doi_free_rcu().
 *
 */
static void calipso_doi_free(struct calipso_doi *doi_def)
{
	struct calipso_doi *victim = doi_def;

	kfree(victim);
}
|  | 418 |  | 
/**
 * calipso_doi_free_rcu - Frees a DOI definition via the RCU pointer
 * @entry: the entry's RCU field
 *
 * Description:
 * This function is designed to be used as a callback to the call_rcu()
 * function so that the memory allocated to the DOI definition can be released
 * safely once all RCU readers that may still see it have finished.
 *
 */
static void calipso_doi_free_rcu(struct rcu_head *entry)
{
	calipso_doi_free(container_of(entry, struct calipso_doi, rcu));
}
|  | 436 |  | 
/**
 * calipso_doi_remove - Remove an existing DOI from the CALIPSO protocol engine
 * @doi: the DOI value
 * @audit_info: NetLabel audit information for the audit message
 *
 * Description:
 * Removes a DOI definition from the CALIPSO engine.  The NetLabel routines will
 * be called to release their own LSM domain mappings as well as our own
 * domain list.  Returns zero on success, -ENOENT if no live definition for
 * @doi exists and -EBUSY if other references are still held.  Note that the
 * -EBUSY path has still dropped the list's own reference: the definition is
 * no longer found by calipso_doi_search() and the final
 * calipso_doi_putdef() unlinks and frees it.  An AUDIT_MAC_CALIPSO_DEL
 * record is emitted in every case.
 *
 */
static int calipso_doi_remove(u32 doi, struct netlbl_audit *audit_info)
{
	int ret_val = -ENOENT;
	struct calipso_doi *doi_def;
	struct audit_buffer *audit_buf;

	spin_lock(&calipso_doi_list_lock);
	doi_def = calipso_doi_search(doi);
	if (doi_def) {
		if (refcount_dec_and_test(&doi_def->refcount)) {
			list_del_rcu(&doi_def->list);
			ret_val = 0;
		} else {
			ret_val = -EBUSY;
		}
	}
	spin_unlock(&calipso_doi_list_lock);

	/* Readers may still hold the pointer: defer the free past a grace period */
	if (ret_val == 0)
		call_rcu(&doi_def->rcu, calipso_doi_free_rcu);

	audit_buf = netlbl_audit_start(AUDIT_MAC_CALIPSO_DEL, audit_info);
	if (audit_buf) {
		audit_log_format(audit_buf,
				 " calipso_doi=%u res=%u",
				 doi, ret_val == 0 ? 1 : 0);
		audit_log_end(audit_buf);
	}

	return ret_val;
}
|  | 483 |  | 
/**
 * calipso_doi_getdef - Returns a reference to a valid DOI definition
 * @doi: the DOI value
 *
 * Description:
 * Searches for a valid DOI definition under rcu_read_lock() and, if one is
 * found, takes a reference on it (refcount_inc_not_zero(), so a definition
 * that is concurrently being released is treated as not found) and returns
 * it to the caller.  Otherwise NULL is returned.  The caller must ensure
 * that calipso_doi_putdef() is called when the caller is done.
 *
 */
static struct calipso_doi *calipso_doi_getdef(u32 doi)
{
	struct calipso_doi *found;
	struct calipso_doi *doi_def = NULL;

	rcu_read_lock();
	found = calipso_doi_search(doi);
	if (found && refcount_inc_not_zero(&found->refcount))
		doi_def = found;
	rcu_read_unlock();

	return doi_def;
}
|  | 509 |  | 
/**
 * calipso_doi_putdef - Releases a reference for the given DOI definition
 * @doi_def: the DOI definition, may be NULL
 *
 * Description:
 * Releases a DOI definition reference obtained from calipso_doi_getdef().
 * When the last reference goes away the definition is unlinked from the
 * list under calipso_doi_list_lock and freed after an RCU grace period.
 *
 */
static void calipso_doi_putdef(struct calipso_doi *doi_def)
{
	if (!doi_def || !refcount_dec_and_test(&doi_def->refcount))
		return;

	spin_lock(&calipso_doi_list_lock);
	list_del_rcu(&doi_def->list);
	spin_unlock(&calipso_doi_list_lock);

	call_rcu(&doi_def->rcu, calipso_doi_free_rcu);
}
|  | 531 |  | 
/**
 * calipso_doi_walk - Iterate through the DOI definitions
 * @skip_cnt: skip past this number of DOI definitions, updated
 * @callback: callback for each DOI definition
 * @cb_arg: argument for the callback function
 *
 * Description:
 * Iterate over the DOI definition list under rcu_read_lock(), skipping
 * definitions with a zero reference count and the first @skip_cnt live
 * entries.  For each remaining entry call @callback, if @callback returns a
 * negative value stop 'walking' through the list and return.  Updates the
 * value in @skip_cnt upon return to the number of live entries successfully
 * processed (skipped plus visited).  Returns -ENOENT if no entry was
 * visited, otherwise the return value of the last @callback call.
 *
 */
static int calipso_doi_walk(u32 *skip_cnt,
			    int (*callback)(struct calipso_doi *doi_def,
					    void *arg),
			    void *cb_arg)
{
	int ret_val = -ENOENT;
	u32 doi_cnt = 0;
	struct calipso_doi *iter_doi;

	rcu_read_lock();
	list_for_each_entry_rcu(iter_doi, &calipso_doi_list, list) {
		if (refcount_read(&iter_doi->refcount) == 0)
			continue;
		if (doi_cnt < *skip_cnt) {
			doi_cnt++;
			continue;
		}
		ret_val = callback(iter_doi, cb_arg);
		if (ret_val < 0)
			break;
		/* Only count the entry once the callback accepted it */
		doi_cnt++;
	}
	rcu_read_unlock();

	*skip_cnt = doi_cnt;
	return ret_val;
}
|  | 571 |  | 
/**
 * calipso_validate - Validate a CALIPSO option
 * @skb: the packet
 * @option: the start of the option
 *
 * Description:
 * This routine is called to validate a CALIPSO option.
 * If the option is valid then %true is returned, otherwise
 * %false is returned.
 *
 * Two checks are made: the CRC-16 (CRC-CCITT seeded with 0xffff and
 * inverted, computed over the whole option with the CRC field at offsets
 * 8-9 treated as zero) must match the bytes in the option, and the DOI
 * carried at offset 2 must be a known definition.  The CRC is an integrity
 * check against corruption only - it is unkeyed and does not authenticate
 * the label.
 *
 * The caller should have already checked that the length of the
 * option (including the TLV header) is >= 10 and that the catmap
 * length is consistent with the option length.
 *
 * We leave checks on the level and categories to the socket layer.
 */
bool calipso_validate(const struct sk_buff *skb, const unsigned char *option)
{
	static const u8 zero[2];
	const u16 len = option[1] + 2;
	u16 crc;
	bool doi_known;

	/* Header bytes, then zeros in place of the CRC field, then the rest */
	crc = crc_ccitt(0xffff, option, 8);
	crc = crc_ccitt(crc, zero, sizeof(zero));
	if (len > 10)
		crc = crc_ccitt(crc, option + 10, len - 10);
	crc = ~crc;
	if (option[8] != (crc & 0xff) || option[9] != ((crc >> 8) & 0xff))
		return false;

	rcu_read_lock();
	doi_known = calipso_doi_search(get_unaligned_be32(option + 2)) != NULL;
	rcu_read_unlock();

	return doi_known;
}
|  | 612 |  | 
/**
 * calipso_map_cat_hton - Perform a category mapping from host to network
 * @doi_def: the DOI definition (currently unused: the mapping is pass-through)
 * @secattr: the security attributes
 * @net_cat: the zero'd out category bitmap in network/CALIPSO format
 * @net_cat_len: the length of the CALIPSO bitmap in bytes
 *
 * Description:
 * Perform a label mapping to translate a local MLS category bitmap to the
 * correct CALIPSO bitmap using the given DOI definition.  Every category set
 * in @secattr is set at the same bit position in @net_cat; bits are only
 * ever set, so @net_cat must be zeroed by the caller.  Returns the minimum
 * size in bytes of the network bitmap on success (rounded up to whole
 * 32-bit words, so at least 4), -ENOSPC if a category does not fit in
 * @net_cat_len bytes.
 *
 */
static int calipso_map_cat_hton(const struct calipso_doi *doi_def,
				const struct netlbl_lsm_secattr *secattr,
				unsigned char *net_cat,
				u32 net_cat_len)
{
	int spot = -1;
	u32 highest = 0;
	const u32 bits_avail = net_cat_len * 8;

	while ((spot = netlbl_catmap_walk(secattr->attr.mls.cat, spot + 1)) >= 0) {
		if (spot >= bits_avail)
			return -ENOSPC;
		netlbl_bitmap_setbit(net_cat, spot, 1);
		if (spot > highest)
			highest = spot;
	}

	return (highest / 32 + 1) * 4;
}
|  | 650 |  | 
/**
 * calipso_map_cat_ntoh - Perform a category mapping from network to host
 * @doi_def: the DOI definition (currently unused: the mapping is pass-through)
 * @net_cat: the category bitmap in network/CALIPSO format
 * @net_cat_len: the length of the CALIPSO bitmap in bytes
 * @secattr: the security attributes
 *
 * Description:
 * Perform a label mapping to translate a CALIPSO bitmap to the correct local
 * MLS category bitmap using the given DOI definition.  Each set bit in
 * @net_cat is set at the same position in @secattr's catmap.  Returns zero
 * on success, -EFAULT if netlbl_bitmap_walk() reports -2 and otherwise the
 * negative value from netlbl_catmap_setbit().
 *
 */
static int calipso_map_cat_ntoh(const struct calipso_doi *doi_def,
				const unsigned char *net_cat,
				u32 net_cat_len,
				struct netlbl_lsm_secattr *secattr)
{
	int spot = -1;
	const u32 net_clen_bits = net_cat_len * 8;

	while ((spot = netlbl_bitmap_walk(net_cat, net_clen_bits,
					  spot + 1, 1)) >= 0) {
		int ret_val = netlbl_catmap_setbit(&secattr->attr.mls.cat,
						   spot, GFP_ATOMIC);

		if (ret_val != 0)
			return ret_val;
	}

	/* -2 from the walk is the only failure; any other negative is "done" */
	return spot == -2 ? -EFAULT : 0;
}
|  | 693 |  | 
/**
 * calipso_pad_write - Writes pad bytes in TLV format
 * @buf: the buffer
 * @offset: offset from start of buffer to write padding
 * @count: number of pad bytes to write
 *
 * Description:
 * Write @count bytes of TLV padding into @buffer starting at offset @offset:
 * nothing for 0, a Pad1 for 1, and a PadN TLV (type, length, zero fill)
 * otherwise.  @count should be less than 8 - see RFC 4942; larger values
 * trigger a one-time warning and return -EINVAL.  Returns zero on success.
 * The caller guarantees that @count bytes are available at @offset; no
 * buffer size is checked here.
 *
 */
static int calipso_pad_write(unsigned char *buf, unsigned int offset,
			     unsigned int count)
{
	unsigned char *pad;

	if (WARN_ON_ONCE(count >= 8))
		return -EINVAL;

	if (count == 0)
		return 0;

	pad = buf + offset;
	if (count == 1) {
		pad[0] = IPV6_TLV_PAD1;
		return 0;
	}

	pad[0] = IPV6_TLV_PADN;
	pad[1] = count - 2;
	if (count > 2)
		memset(pad + 2, 0, count - 2);
	return 0;
}
|  | 726 |  | 
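/**
 * calipso_genopt - Generate a CALIPSO option
 * @buf: the option buffer
 * @start: offset from which to write
 * @buf_len: the size of opt_buf
 * @doi_def: the CALIPSO DOI to use
 * @secattr: the security attributes
 *
 * Description:
 * Generate a CALIPSO option using the DOI definition and security attributes
 * passed to the function. This also generates up to three bytes of leading
 * padding that ensures that the option is 4n + 2 aligned.  It returns the
 * number of bytes written (including any initial padding), -ENOSPC if even
 * the fixed header does not fit in @buf, -EPERM if @secattr carries no MLS
 * level, or a negative value from calipso_map_cat_hton().
 *
 * The CRC-16 is computed with the CRC field itself zeroed, matching the
 * check in calipso_validate(); the two bytes are cleared here explicitly
 * rather than relying on the caller having zeroed @buf.
 */
static int calipso_genopt(unsigned char *buf, u32 start, u32 buf_len,
			  const struct calipso_doi *doi_def,
			  const struct netlbl_lsm_secattr *secattr)
{
	int ret_val;
	u32 len, pad;
	u16 crc;
	/* Leading pad that brings start + pad to 4n + 2, indexed by start & 3 */
	static const unsigned char padding[4] = {2, 1, 0, 3};
	unsigned char *calipso;

	/* CALIPSO has 4n + 2 alignment */
	pad = padding[start & 3];
	if (buf_len <= start + pad + CALIPSO_HDR_LEN)
		return -ENOSPC;

	if ((secattr->flags & NETLBL_SECATTR_MLS_LVL) == 0)
		return -EPERM;

	len = CALIPSO_HDR_LEN;

	if (secattr->flags & NETLBL_SECATTR_MLS_CAT) {
		/* Compartment bitmap follows the fixed header; the mapping is
		 * bounded by the space remaining in @buf */
		ret_val = calipso_map_cat_hton(doi_def,
					       secattr,
					       buf + start + pad + len,
					       buf_len - start - pad - len);
		if (ret_val < 0)
			return ret_val;
		len += ret_val;
	}

	/* pad is at most 3 here, so calipso_pad_write() cannot fail */
	calipso_pad_write(buf, start, pad);
	calipso = buf + start + pad;

	calipso[0] = IPV6_TLV_CALIPSO;
	calipso[1] = len - 2;
	put_unaligned_be32(doi_def->doi, calipso + 2);
	/* Compartment bitmap length in 32-bit words */
	calipso[6] = (len - CALIPSO_HDR_LEN) / 4;
	calipso[7] = secattr->attr.mls.lvl;
	/* CRC covers the whole option with the CRC field zeroed */
	calipso[8] = 0;
	calipso[9] = 0;
	crc = ~crc_ccitt(0xffff, calipso, len);
	calipso[8] = crc & 0xff;
	calipso[9] = (crc >> 8) & 0xff;
	return pad + len;
}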
|  | 784 |  | 
|  | 785 | /* Hop-by-hop hdr helper functions | 
|  | 786 | */ | 
|  | 787 |  | 
/**
 * calipso_opt_update - Replaces socket's hop options with a new set
 * @sk: the socket
 * @hop: new hop options
 *
 * Description:
 * Replaces @sk's hop options with @hop.  @hop may be NULL to leave
 * the socket with no hop options.  Returns zero on success or the negative
 * error from ipv6_renew_options().
 *
 */
static int calipso_opt_update(struct sock *sk, struct ipv6_opt_hdr *hop)
{
	struct ipv6_txoptions *old;
	struct ipv6_txoptions *txopts;

	old = txopt_get(inet6_sk(sk));
	txopts = ipv6_renew_options(sk, old, IPV6_HOPOPTS, hop);
	txopt_put(old);
	if (IS_ERR(txopts))
		return PTR_ERR(txopts);

	/* ipv6_update_options() presumably hands back the options being
	 * replaced, whose memory accounting is undone here - confirm */
	txopts = ipv6_update_options(sk, txopts);
	if (!txopts)
		return 0;

	atomic_sub(txopts->tot_len, &sk->sk_omem_alloc);
	txopt_put(txopts);
	return 0;
}
|  | 815 |  | 
/**
 * calipso_tlv_len - Returns the length of the TLV
 * @opt: the option header
 * @offset: offset of the TLV within the header
 *
 * Description:
 * Returns the total on-the-wire length of the TLV that starts at byte
 * @offset of the option header @opt: 1 for a Pad1, otherwise 2 plus the
 * TLV's length byte.  Returns -EINVAL if @offset is outside the option
 * data or if the TLV (its length byte or its body) would run past
 * ipv6_optlen(@opt), so callers never read beyond the header.
 */
static int calipso_tlv_len(struct ipv6_opt_hdr *opt, unsigned int offset)
{
	const unsigned char *bytes = (const unsigned char *)opt;
	unsigned int hdr_len = ipv6_optlen(opt);
	unsigned int total;

	/* the TLV must start inside the option data, past the 2-byte header */
	if (offset < sizeof(*opt))
		return -EINVAL;
	if (offset >= hdr_len)
		return -EINVAL;

	/* Pad1 is a single byte with no length field */
	if (bytes[offset] == IPV6_TLV_PAD1)
		return 1;

	/* every other TLV carries a length byte right after the type */
	if (offset + 1 >= hdr_len)
		return -EINVAL;
	total = 2 + bytes[offset + 1];

	/* the whole TLV must fit inside the header */
	if (offset + total > hdr_len)
		return -EINVAL;

	return total;
}
|  | 842 |  | 
/**
 * calipso_opt_find - Finds the CALIPSO option in an IPv6 hop options header
 * @hop: the hop options header
 * @start: on return holds the offset of any leading padding
 * @end: on return holds the offset of the first non-pad TLV after CALIPSO
 *
 * Description:
 * Finds the space occupied by a CALIPSO option (including any leading and
 * trailing padding).
 *
 * If a CALIPSO option exists set @start and @end to the
 * offsets within @hop of the start of padding before the first
 * CALIPSO option and the end of padding after the first CALIPSO
 * option.  In this case the function returns 0.
 *
 * In the absence of a CALIPSO option, @start and @end will be
 * set to the start and end of any trailing padding in the header.
 * This is useful when appending a new option, as the caller may want
 * to overwrite some of this padding.  In this case the function will
 * return -ENOENT.
 *
 * A malformed TLV (see calipso_tlv_len()) makes the function return
 * -EINVAL without touching @start or @end.
 */
static int calipso_opt_find(struct ipv6_opt_hdr *hop, unsigned int *start,
			    unsigned int *end)
{
	const unsigned char *bytes = (const unsigned char *)hop;
	unsigned int hop_len = ipv6_optlen(hop);
	unsigned int pos = sizeof(*hop);
	/* last non-pad, non-CALIPSO TLV seen before the CALIPSO run */
	unsigned int last_other = 0;
	/* last TLV of the CALIPSO run (the option itself or pad after it) */
	unsigned int last_calipso = 0;
	int found = -ENOENT;

	while (pos < hop_len) {
		int tlv_len = calipso_tlv_len(hop, pos);
		unsigned char type;

		if (tlv_len < 0)
			return tlv_len;

		type = bytes[pos];
		if (type == IPV6_TLV_CALIPSO) {
			found = 0;
			last_calipso = pos;
		} else if (type == IPV6_TLV_PAD1 || type == IPV6_TLV_PADN) {
			/* padding after CALIPSO is absorbed into the run;
			 * padding before it is accounted for via @start */
			if (last_calipso)
				last_calipso = pos;
		} else if (last_calipso) {
			/* first real option after CALIPSO ends the run */
			break;
		} else {
			last_other = pos;
		}
		pos += tlv_len;
	}

	/* @start: just past the last option before the run (or the header) */
	*start = last_other ? last_other + calipso_tlv_len(hop, last_other)
			    : sizeof(*hop);
	/* @end: just past the run (or the end of the header if none) */
	*end = last_calipso ? last_calipso + calipso_tlv_len(hop, last_calipso)
			    : hop_len;

	return found;
}
|  | 910 |  | 
/**
 * calipso_opt_insert - Inserts a CALIPSO option into an IPv6 hop opt hdr
 * @hop: the original hop options header, or NULL
 * @doi_def: the CALIPSO DOI to use
 * @secattr: the specific security attributes of the socket
 *
 * Description:
 * Creates a new hop options header based on @hop with a
 * CALIPSO option added to it.  If @hop already contains a CALIPSO
 * option this is overwritten, otherwise the new option is appended
 * after any existing options.  If @hop is NULL then the new header
 * will contain just the CALIPSO option and any needed padding.
 *
 * Returns the new header, allocated with kzalloc(GFP_ATOMIC) and owned by
 * the caller (who must kfree() it), or an ERR_PTR(): an error from
 * calipso_opt_find() other than -ENOENT, -ENOMEM, or an error from
 * calipso_genopt().
 *
 */
static struct ipv6_opt_hdr *
calipso_opt_insert(struct ipv6_opt_hdr *hop,
		   const struct calipso_doi *doi_def,
		   const struct netlbl_lsm_secattr *secattr)
{
	unsigned int start, end, buf_len, pad, hop_len;
	struct ipv6_opt_hdr *new;
	int ret_val;

	if (hop) {
		hop_len = ipv6_optlen(hop);
		/* [start, end) covers the existing CALIPSO option plus its
		 * surrounding padding, or only the trailing padding when
		 * there is no CALIPSO option yet; -ENOENT therefore just
		 * means "append" and is not an error here */
		ret_val = calipso_opt_find(hop, &start, &end);
		if (ret_val && ret_val != -ENOENT)
			return ERR_PTR(ret_val);
	} else {
		/* no existing header: the option goes right after the
		 * 2-byte nexthdr/hdrlen prefix and nothing follows it */
		hop_len = 0;
		start = sizeof(*hop);
		end = 0;
	}

	/* worst case: everything kept from @hop (the bytes before @start
	 * and after @end) plus a maximally padded CALIPSO option */
	buf_len = hop_len + start - end + CALIPSO_OPT_LEN_MAX_WITH_PAD;
	new = kzalloc(buf_len, GFP_ATOMIC);
	if (!new)
		return ERR_PTR(-ENOMEM);

	/* keep the part of @hop that precedes the option; when nothing
	 * precedes it the zeroed header from kzalloc() is patched below */
	if (start > sizeof(*hop))
		memcpy(new, hop, start);
	/* write the option (with its leading alignment pad) at @start;
	 * on success ret_val is the number of bytes written */
	ret_val = calipso_genopt((unsigned char *)new, start, buf_len, doi_def,
				 secattr);
	if (ret_val < 0) {
		kfree(new);
		return ERR_PTR(ret_val);
	}

	buf_len = start + ret_val;
	/* At this point buf_len aligns to 4n, so (buf_len & 4) pads to 8n;
	 * adding (end & 7) keeps the copied tail of @hop on the same
	 * 8n phase it had in the original header */
	pad = ((buf_len & 4) + (end & 7)) & 7;
	calipso_pad_write((unsigned char *)new, buf_len, pad);
	buf_len += pad;

	/* append whatever followed the old option / trailing padding */
	if (end != hop_len) {
		memcpy((char *)new + buf_len, (char *)hop + end, hop_len - end);
		buf_len += hop_len - end;
	}
	/* NOTE(review): nexthdr is left as 0 here; presumably it is filled
	 * in when the options are pushed onto a packet - confirm against
	 * ipv6_renew_options() and the exthdr push path */
	new->nexthdr = 0;
	/* hdrlen is in 8-octet units, not counting the first 8 */
	new->hdrlen = buf_len / 8 - 1;

	return new;
}
|  | 974 |  | 
/**
 * calipso_opt_del - Removes the CALIPSO option from an option header
 * @hop: the original header
 * @new: on success, set to the new header (kzalloc'd, caller frees) or NULL
 *
 * Description:
 * Creates a new header based on @hop without any CALIPSO option.  If @hop
 * doesn't contain a CALIPSO option it returns -ENOENT (a malformed @hop
 * yields another negative value).  If @hop contains no other non-padding
 * options, it returns zero with @new set to NULL.  Otherwise it returns
 * zero, creates a new header without the CALIPSO option (and removing as
 * much padding as possible) and returns with @new set to that header.
 * Returns -ENOMEM if the new header cannot be allocated.
 *
 */
static int calipso_opt_del(struct ipv6_opt_hdr *hop,
			   struct ipv6_opt_hdr **new)
{
	int ret_val;
	unsigned int start, end, delta, pad, hop_len;

	/* [start, end) is the CALIPSO option with its surrounding padding */
	ret_val = calipso_opt_find(hop, &start, &end);
	if (ret_val)
		return ret_val;

	hop_len = ipv6_optlen(hop);
	if (start == sizeof(*hop) && end == hop_len) {
		/* There's no other option in the header so return NULL */
		*new = NULL;
		return 0;
	}

	/* the header must stay a multiple of 8 bytes: drop the span in
	 * whole 8-byte units and refill the remainder with padding */
	delta = (end - start) & ~7;
	*new = kzalloc(hop_len - delta, GFP_ATOMIC);
	if (!*new)
		return -ENOMEM;

	/* keep the 2-byte header and everything before the option ... */
	memcpy(*new, hop, start);
	/* ... shrink hdrlen (8-octet units) by the units removed ... */
	(*new)->hdrlen -= delta / 8;
	/* ... pad the leftover 0-7 bytes, then append the tail, if any */
	pad = (end - start) & 7;
	calipso_pad_write((unsigned char *)*new, start, pad);
	if (end != hop_len)
		memcpy((char *)*new + start + pad, (char *)hop + end,
		       hop_len - end);

	return 0;
}
|  | 1021 |  | 
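/**
 * calipso_opt_getattr - Get the security attributes from a memory block
 * @calipso: the CALIPSO option (pointing at the option type byte)
 * @secattr: the security attributes
 *
 * Description:
 * Inspect @calipso and return the security attributes in @secattr.
 * Returns zero on success and negative values on failure: -EINVAL if the
 * compartment length does not fit the option length, -ENOMSG if the DOI
 * is unknown, or the error from the category mapping.  A label that
 * carries a level but no compartments is a valid label and succeeds.
 *
 */
static int calipso_opt_getattr(const unsigned char *calipso,
			       struct netlbl_lsm_secattr *secattr)
{
	int ret_val = -ENOMSG;
	u32 doi, len = calipso[1], cat_len = calipso[6] * 4;
	struct calipso_doi *doi_def;

	/* the 8 fixed body bytes (DOI, cmpt length, level, checksum) plus
	 * the compartment bitmap must fit inside the option's length byte */
	if (cat_len + 8 > len)
		return -EINVAL;

	/* the option body (everything after type/len) is the cache key */
	if (calipso_cache_check(calipso + 2, calipso[1], secattr) == 0)
		return 0;

	doi = get_unaligned_be32(calipso + 2);
	rcu_read_lock();
	doi_def = calipso_doi_search(doi);
	if (!doi_def)
		goto getattr_return;

	secattr->attr.mls.lvl = calipso[7];
	secattr->flags |= NETLBL_SECATTR_MLS_LVL;

	if (cat_len) {
		/* the compartment bitmap starts after the 10 fixed bytes
		 * (type, len, DOI, cmpt length, level, checksum) */
		ret_val = calipso_map_cat_ntoh(doi_def,
					       calipso + 10,
					       cat_len,
					       secattr);
		if (ret_val != 0) {
			netlbl_catmap_free(secattr->attr.mls.cat);
			/* don't hand the caller a dangling catmap pointer
			 * that a later netlbl_catmap_free() would free again */
			secattr->attr.mls.cat = NULL;
			goto getattr_return;
		}

		if (secattr->attr.mls.cat)
			secattr->flags |= NETLBL_SECATTR_MLS_CAT;
	}

	secattr->type = NETLBL_NLTYPE_CALIPSO;
	/* everything was parsed; without this a level-only option (cat_len
	 * == 0) would fall through with the initial -ENOMSG despite having
	 * filled in @secattr */
	ret_val = 0;

getattr_return:
	rcu_read_unlock();
	return ret_val;
}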
|  | 1074 |  | 
|  | 1075 | /* sock functions. | 
|  | 1076 | */ | 
|  | 1077 |  | 
/**
 * calipso_sock_getattr - Get the security attributes from a sock
 * @sk: the sock
 * @secattr: the security attributes
 *
 * Description:
 * Query @sk to see if there is a CALIPSO option attached to the sock and if
 * there is return the CALIPSO security attributes in @secattr.  This function
 * requires that @sk be locked, or privately held, but it does not do any
 * locking itself.  Returns zero on success and negative values on failure
 * (-ENOMSG when the sock carries no CALIPSO option, -EINVAL when the option
 * is malformed or too short for the CALIPSO header).
 *
 */
static int calipso_sock_getattr(struct sock *sk,
				struct netlbl_lsm_secattr *secattr)
{
	struct ipv6_txoptions *txopts = txopt_get(inet6_sk(sk));
	int ret_val = -ENOMSG;

	if (txopts && txopts->hopopt) {
		struct ipv6_opt_hdr *hop = txopts->hopopt;
		const unsigned char *bytes = (const unsigned char *)hop;
		int hop_len = ipv6_optlen(hop);
		int pos = sizeof(*hop);

		/* walk the TLVs until the first CALIPSO option */
		while (pos < hop_len) {
			int tlv_len = calipso_tlv_len(hop, pos);

			if (tlv_len < 0) {
				ret_val = tlv_len;
				break;
			}
			if (bytes[pos] == IPV6_TLV_CALIPSO) {
				/* the fixed header must be present before
				 * calipso_opt_getattr() reads its fields */
				if (tlv_len < CALIPSO_HDR_LEN)
					ret_val = -EINVAL;
				else
					ret_val = calipso_opt_getattr(&bytes[pos],
								      secattr);
				break;
			}
			pos += tlv_len;
		}
	}

	txopt_put(txopts);
	return ret_val;
}
|  | 1128 |  | 
/**
 * calipso_sock_setattr - Add a CALIPSO option to a socket
 * @sk: the socket
 * @doi_def: the CALIPSO DOI to use
 * @secattr: the specific security attributes of the socket
 *
 * Description:
 * Set the CALIPSO option on the given socket using the DOI definition and
 * security attributes passed to the function.  This function requires
 * exclusive access to @sk, which means it either needs to be in the
 * process of being created or locked.  Returns zero on success and negative
 * values on failure.
 *
 */
static int calipso_sock_setattr(struct sock *sk,
				const struct calipso_doi *doi_def,
				const struct netlbl_lsm_secattr *secattr)
{
	struct ipv6_txoptions *txopts = txopt_get(inet6_sk(sk));
	struct ipv6_opt_hdr *cur_hop = txopts ? txopts->hopopt : NULL;
	struct ipv6_opt_hdr *new_hop;
	int ret_val;

	/* build a replacement hop-by-hop header carrying the option */
	new_hop = calipso_opt_insert(cur_hop, doi_def, secattr);
	txopt_put(txopts);
	if (IS_ERR(new_hop))
		return PTR_ERR(new_hop);

	ret_val = calipso_opt_update(sk, new_hop);
	/* the scratch header is ours regardless of the update's outcome */
	kfree(new_hop);
	return ret_val;
}
|  | 1165 |  | 
/**
 * calipso_sock_delattr - Delete the CALIPSO option from a socket
 * @sk: the socket
 *
 * Description:
 * Removes the CALIPSO option from a socket, if present.  Failures (no
 * option, malformed header, allocation or update errors) are not reported.
 *
 */
static void calipso_sock_delattr(struct sock *sk)
{
	struct ipv6_txoptions *txopts = txopt_get(inet6_sk(sk));
	struct ipv6_opt_hdr *trimmed;

	if (txopts && txopts->hopopt &&
	    calipso_opt_del(txopts->hopopt, &trimmed) == 0) {
		/* @trimmed is NULL when nothing but CALIPSO was present;
		 * the update result is dropped because this API is void */
		calipso_opt_update(sk, trimmed);
		kfree(trimmed);
	}

	txopt_put(txopts);
}
|  | 1191 |  | 
|  | 1192 | /* request sock functions. | 
|  | 1193 | */ | 
|  | 1194 |  | 
/**
 * calipso_req_setattr - Add a CALIPSO option to a connection request socket
 * @req: the connection request socket
 * @doi_def: the CALIPSO DOI to use
 * @secattr: the specific security attributes of the socket
 *
 * Description:
 * Set the CALIPSO option on the given socket using the DOI definition and
 * security attributes passed to the function.  Returns zero on success and
 * negative values on failure.
 *
 */
static int calipso_req_setattr(struct request_sock *req,
			       const struct calipso_doi *doi_def,
			       const struct netlbl_lsm_secattr *secattr)
{
	struct inet_request_sock *req_inet = inet_rsk(req);
	struct sock *sk = sk_to_full_sk(req_to_sk(req));
	struct ipv6_opt_hdr *cur_hop = NULL;
	struct ipv6_opt_hdr *new_hop;
	struct ipv6_txoptions *renewed;
	struct ipv6_txoptions *displaced;

	if (req_inet->ipv6_opt)
		cur_hop = req_inet->ipv6_opt->hopopt;

	/* build a replacement hop-by-hop header carrying the option */
	new_hop = calipso_opt_insert(cur_hop, doi_def, secattr);
	if (IS_ERR(new_hop))
		return PTR_ERR(new_hop);

	/* the renewed txoptions are charged to the listener @sk */
	renewed = ipv6_renew_options(sk, req_inet->ipv6_opt, IPV6_HOPOPTS,
				     new_hop);
	kfree(new_hop);
	if (IS_ERR(renewed))
		return PTR_ERR(renewed);

	/* swap in the new block and uncharge/release the one it displaces */
	displaced = xchg(&req_inet->ipv6_opt, renewed);
	if (displaced) {
		atomic_sub(displaced->tot_len, &sk->sk_omem_alloc);
		txopt_put(displaced);
	}

	return 0;
}
|  | 1240 |  | 
/**
 * calipso_req_delattr - Delete the CALIPSO option from a request socket
 * @req: the request socket
 *
 * Description:
 * Removes the CALIPSO option from a request socket, if present.  A failed
 * renewal of the options leaves the request socket unchanged; nothing is
 * reported to the caller.
 *
 */
static void calipso_req_delattr(struct request_sock *req)
{
	struct inet_request_sock *req_inet = inet_rsk(req);
	struct sock *sk = sk_to_full_sk(req_to_sk(req));
	struct ipv6_opt_hdr *trimmed;
	struct ipv6_txoptions *renewed;
	struct ipv6_txoptions *displaced;

	if (!req_inet->ipv6_opt || !req_inet->ipv6_opt->hopopt)
		return;

	if (calipso_opt_del(req_inet->ipv6_opt->hopopt, &trimmed) != 0)
		return; /* Nothing to do */

	/* @trimmed may be NULL, which drops the hop-by-hop header entirely */
	renewed = ipv6_renew_options(sk, req_inet->ipv6_opt, IPV6_HOPOPTS,
				     trimmed);
	if (IS_ERR(renewed))
		goto out_free;

	/* swap in the new block and uncharge/release the one it displaces */
	displaced = xchg(&req_inet->ipv6_opt, renewed);
	if (displaced) {
		atomic_sub(displaced->tot_len, &sk->sk_omem_alloc);
		txopt_put(displaced);
	}

out_free:
	kfree(trimmed);
}
|  | 1273 |  | 
|  | 1274 | /* skbuff functions. | 
|  | 1275 | */ | 
|  | 1276 |  | 
/**
 * calipso_skbuff_optptr - Find the CALIPSO option in the packet
 * @skb: the packet
 *
 * Description:
 * Parse the packet's IP header looking for a CALIPSO option.  Returns a pointer
 * to the start of the CALIPSO option on success, NULL if one is not found.
 * Only a hop-by-hop header immediately following the IPv6 header is
 * examined.
 *
 */
static unsigned char *calipso_skbuff_optptr(const struct sk_buff *skb)
{
	const struct ipv6hdr *ip6_hdr = ipv6_hdr(skb);
	int pos;

	/* CALIPSO is carried in the hop-by-hop header, which must be first */
	if (ip6_hdr->nexthdr != NEXTHDR_HOP)
		return NULL;

	pos = ipv6_find_tlv(skb, sizeof(*ip6_hdr), IPV6_TLV_CALIPSO);
	return pos < 0 ? NULL : (unsigned char *)ip6_hdr + pos;
}
|  | 1300 |  | 
/**
 * calipso_skbuff_setattr - Set the CALIPSO option on a packet
 * @skb: the packet
 * @doi_def: the CALIPSO DOI to use
 * @secattr: the security attributes
 *
 * Description:
 * Set the CALIPSO option on the given packet based on the security attributes.
 * An existing CALIPSO option (with its padding) is replaced; if the packet has
 * no hop-by-hop header yet, one is created holding just the new option.  The
 * packet may be reallocated by skb_cow() and its IPv6 header moved.
 * Returns zero on success and negative values on failure.
 *
 */
static int calipso_skbuff_setattr(struct sk_buff *skb,
				  const struct calipso_doi *doi_def,
				  const struct netlbl_lsm_secattr *secattr)
{
	int ret_val;
	struct ipv6hdr *ip6_hdr;
	struct ipv6_opt_hdr *hop;
	unsigned char buf[CALIPSO_MAX_BUFFER];
	int len_delta, new_end, pad, payload;
	unsigned int start, end;

	ip6_hdr = ipv6_hdr(skb);
	if (ip6_hdr->nexthdr == NEXTHDR_HOP) {
		/* [start, end) is the existing CALIPSO option with its
		 * padding, or the trailing padding when there is none yet */
		hop = (struct ipv6_opt_hdr *)(ip6_hdr + 1);
		ret_val = calipso_opt_find(hop, &start, &end);
		if (ret_val && ret_val != -ENOENT)
			return ret_val;
	} else {
		/* no hop-by-hop header: start == 0 means "create one" below */
		start = 0;
		end = 0;
	}

	/* Build the option in a scratch buffer first.  Generating it at
	 * offset (start & 3) makes the leading alignment pad it computes
	 * the same one the option needs at @start in the real header. */
	memset(buf, 0, sizeof(buf));
	ret_val = calipso_genopt(buf, start & 3, sizeof(buf), doi_def, secattr);
	if (ret_val < 0)
		return ret_val;

	/* offset within the hop-by-hop header just past the new option */
	new_end = start + ret_val;
	/* At this point new_end aligns to 4n, so (new_end & 4) pads to 8n */
	pad = ((new_end & 4) + (end & 7)) & 7;
	/* net growth of the header (negative when the new option is
	 * shorter than the span it replaces) */
	len_delta = new_end - (int)end + pad;
	/* make the headers writable with room for the growth in front */
	ret_val = skb_cow(skb, skb_headroom(skb) + len_delta);
	if (ret_val < 0)
		return ret_val;

	ip6_hdr = ipv6_hdr(skb); /* Reset as skb_cow() may have moved it */

	if (len_delta) {
		/* grow or shrink at the front, then slide the IPv6 header
		 * and the untouched head of the hop-by-hop header (its
		 * first @start bytes) into the new position */
		if (len_delta > 0)
			skb_push(skb, len_delta);
		else
			skb_pull(skb, -len_delta);
		memmove((char *)ip6_hdr - len_delta, ip6_hdr,
			sizeof(*ip6_hdr) + start);
		skb_reset_network_header(skb);
		ip6_hdr = ipv6_hdr(skb);
		payload = ntohs(ip6_hdr->payload_len);
		ip6_hdr->payload_len = htons(payload + len_delta);
	}

	hop = (struct ipv6_opt_hdr *)(ip6_hdr + 1);
	if (start == 0) {
		/* fresh hop-by-hop header: the 2 pad bytes calipso_genopt()
		 * put in front of the option become its nexthdr/hdrlen,
		 * and the IPv6 header is re-chained through it */
		struct ipv6_opt_hdr *new_hop = (struct ipv6_opt_hdr *)buf;

		new_hop->nexthdr = ip6_hdr->nexthdr;
		new_hop->hdrlen = len_delta / 8 - 1;
		ip6_hdr->nexthdr = NEXTHDR_HOP;
	} else {
		/* existing header: adjust hdrlen (8-octet units); len_delta
		 * should be a multiple of 8 by the pad arithmetic above */
		hop->hdrlen += len_delta / 8;
	}
	/* copy the option (plus the 2-byte header when start == 0) from
	 * the scratch buffer, then write the trailing padding */
	memcpy((char *)hop + start, buf + (start & 3), new_end - start);
	calipso_pad_write((unsigned char *)hop, new_end, pad);

	return 0;
}
|  | 1377 |  | 
/**
 * calipso_skbuff_delattr - Delete any CALIPSO options from a packet
 * @skb: the packet
 *
 * Description:
 * Removes any and all CALIPSO options from the given packet.  Returns zero on
 * success (including when the packet carries no CALIPSO option), negative
 * values on failure.
 *
 */
static int calipso_skbuff_delattr(struct sk_buff *skb)
{
	int ret_val;
	struct ipv6hdr *ip6_hdr;
	struct ipv6_opt_hdr *old_hop;
	u32 old_hop_len, start = 0, end = 0, delta, size, pad;

	if (!calipso_skbuff_optptr(skb))
		return 0;

	/* since we are changing the packet we should make a copy */
	ret_val = skb_cow(skb, skb_headroom(skb));
	if (ret_val < 0)
		return ret_val;

	/* calipso_skbuff_optptr() succeeded, so a hop-by-hop header
	 * directly follows the IPv6 header */
	ip6_hdr = ipv6_hdr(skb);
	old_hop = (struct ipv6_opt_hdr *)(ip6_hdr + 1);
	old_hop_len = ipv6_optlen(old_hop);

	/* [start, end) is the CALIPSO option with its surrounding padding */
	ret_val = calipso_opt_find(old_hop, &start, &end);
	if (ret_val)
		return ret_val;

	if (start == sizeof(*old_hop) && end == old_hop_len) {
		/* There's no other option in the header so we delete
		 * the whole thing. */
		delta = old_hop_len;
		size = sizeof(*ip6_hdr);
		/* unlink the hop-by-hop header from the extension chain */
		ip6_hdr->nexthdr = old_hop->nexthdr;
	} else {
		/* same scheme as calipso_opt_del(): remove whole 8-byte
		 * units and turn the remainder into padding */
		delta = (end - start) & ~7;
		if (delta)
			old_hop->hdrlen -= delta / 8;
		pad = (end - start) & 7;
		/* bytes to keep in front of the removed span */
		size = sizeof(*ip6_hdr) + start + pad;
		calipso_pad_write((unsigned char *)old_hop, start, pad);
	}

	/* shrink the packet from the front: slide the IPv6 header (and the
	 * kept head of the hop-by-hop header) forward by @delta bytes.
	 * NOTE(review): unlike calipso_skbuff_setattr(), payload_len is
	 * not reduced by @delta here - confirm whether callers recompute
	 * it or whether this is an oversight */
	if (delta) {
		skb_pull(skb, delta);
		memmove((char *)ip6_hdr + delta, ip6_hdr, size);
		skb_reset_network_header(skb);
	}

	return 0;
}
|  | 1433 |  | 
/* Dispatch table handed to NetLabel by calipso_init(): every CALIPSO
 * operation NetLabel performs goes through these function pointers. */
static const struct netlbl_calipso_ops ops = {
	.doi_add          = calipso_doi_add,
	.doi_free         = calipso_doi_free,
	.doi_remove       = calipso_doi_remove,
	.doi_getdef       = calipso_doi_getdef,
	.doi_putdef       = calipso_doi_putdef,
	.doi_walk         = calipso_doi_walk,
	.sock_getattr     = calipso_sock_getattr,
	.sock_setattr     = calipso_sock_setattr,
	.sock_delattr     = calipso_sock_delattr,
	.req_setattr      = calipso_req_setattr,
	.req_delattr      = calipso_req_delattr,
	.opt_getattr      = calipso_opt_getattr,
	.skbuff_optptr    = calipso_skbuff_optptr,
	.skbuff_setattr   = calipso_skbuff_setattr,
	.skbuff_delattr   = calipso_skbuff_delattr,
	.cache_invalidate = calipso_cache_invalidate,
	.cache_add        = calipso_cache_add
};
|  | 1453 |  | 
/**
 * calipso_init - Initialize the CALIPSO module
 *
 * Description:
 * Initialize the CALIPSO module and prepare it for use.  Returns zero on
 * success and negative values on failure.
 *
 */
int __init calipso_init(void)
{
	int ret_val = calipso_cache_init();

	/* the ops table is only published once the cache is usable */
	if (ret_val)
		return ret_val;

	netlbl_calipso_ops_register(&ops);
	return 0;
}
|  | 1471 |  | 
/**
 * calipso_exit - Shut down the CALIPSO module
 *
 * Description:
 * Unregisters the ops table from NetLabel, drops every cached mapping and
 * frees the cache itself.  The order is deliberate: NetLabel stops calling
 * into this module before the cache it would use goes away.
 *
 */
void calipso_exit(void)
{
	netlbl_calipso_ops_register(NULL);
	calipso_cache_invalidate();
	kfree(calipso_cache);
}