net/ipv6/calipso.c

0001 // SPDX-License-Identifier: GPL-2.0-or-later
0002 /*
0003  * CALIPSO - Common Architecture Label IPv6 Security Option
0004  *
0005  * This is an implementation of the CALIPSO protocol as specified in
0006  * RFC 5570.
0007  *
0008  * Authors: Paul Moore <paul.moore@hp.com>
0009  *          Huw Davies <huw@codeweavers.com>
0010  */
0011
0012 /* (c) Copyright Hewlett-Packard Development Company, L.P., 2006, 2008
0013  * (c) Copyright Huw Davies <huw@codeweavers.com>, 2015
0014  */
0015
0016 #include <linux/init.h>
0017 #include <linux/types.h>
0018 #include <linux/rcupdate.h>
0019 #include <linux/list.h>
0020 #include <linux/spinlock.h>
0021 #include <linux/string.h>
0022 #include <linux/jhash.h>
0023 #include <linux/audit.h>
0024 #include <linux/slab.h>
0025 #include <net/ip.h>
0026 #include <net/icmp.h>
0027 #include <net/tcp.h>
0028 #include <net/netlabel.h>
0029 #include <net/calipso.h>
0030 #include <linux/atomic.h>
0031 #include <linux/bug.h>
0032 #include <asm/unaligned.h>
0033 #include <linux/crc-ccitt.h>
0034
0035 /* Maximium size of the calipso option including
0036  * the two-byte TLV header.
0037  */
0038 #define CALIPSO_OPT_LEN_MAX (2 + 252)
0039
0040 /* Size of the minimum calipso option including
0041  * the two-byte TLV header.
0042  */
0043 #define CALIPSO_HDR_LEN (2 + 8)
0044
0045 /* Maximium size of the calipso option including
0046  * the two-byte TLV header and upto 3 bytes of
0047  * leading pad and 7 bytes of trailing pad.
0048  */
0049 #define CALIPSO_OPT_LEN_MAX_WITH_PAD (3 + CALIPSO_OPT_LEN_MAX + 7)
0050
0051  /* Maximium size of u32 aligned buffer required to hold calipso
0052   * option.  Max of 3 initial pad bytes starting from buffer + 3.
0053   * i.e. the worst case is when the previous tlv finishes on 4n + 3.
0054   */
0055 #define CALIPSO_MAX_BUFFER (6 + CALIPSO_OPT_LEN_MAX)
0056
0057 /* List of available DOI definitions */
0058 static DEFINE_SPINLOCK(calipso_doi_list_lock);
0059 static LIST_HEAD(calipso_doi_list);
0060
0061 /* Label mapping cache */
0062 int calipso_cache_enabled = 1;
0063 int calipso_cache_bucketsize = 10;
0064 #define CALIPSO_CACHE_BUCKETBITS     7
0065 #define CALIPSO_CACHE_BUCKETS        BIT(CALIPSO_CACHE_BUCKETBITS)
0066 #define CALIPSO_CACHE_REORDERLIMIT   10
0067 struct calipso_map_cache_bkt {
0068     spinlock_t lock;
0069     u32 size;
0070     struct list_head list;
0071 };
0072
0073 struct calipso_map_cache_entry {
0074     u32 hash;
0075     unsigned char *key;
0076     size_t key_len;
0077
0078     struct netlbl_lsm_cache *lsm_data;
0079
0080     u32 activity;
0081     struct list_head list;
0082 };
0083
0084 static struct calipso_map_cache_bkt *calipso_cache;
0085
0086 static void calipso_cache_invalidate(void);
0087 static void calipso_doi_putdef(struct calipso_doi *doi_def);
0088
0089 /* Label Mapping Cache Functions
0090  */
0091
0092 /**
0093  * calipso_cache_entry_free - Frees a cache entry
0094  * @entry: the entry to free
0095  *
0096  * Description:
0097  * This function frees the memory associated with a cache entry including the
0098  * LSM cache data if there are no longer any users, i.e. reference count == 0.
0099  *
0100  */
0101 static void calipso_cache_entry_free(struct calipso_map_cache_entry *entry)
0102 {
0103     if (entry->lsm_data)
0104         netlbl_secattr_cache_free(entry->lsm_data);
0105     kfree(entry->key);
0106     kfree(entry);
0107 }
0108
0109 /**
0110  * calipso_map_cache_hash - Hashing function for the CALIPSO cache
0111  * @key: the hash key
0112  * @key_len: the length of the key in bytes
0113  *
0114  * Description:
0115  * The CALIPSO tag hashing function.  Returns a 32-bit hash value.
0116  *
0117  */
0118 static u32 calipso_map_cache_hash(const unsigned char *key, u32 key_len)
0119 {
0120     return jhash(key, key_len, 0);
0121 }
0122
0123 /**
0124  * calipso_cache_init - Initialize the CALIPSO cache
0125  *
0126  * Description:
0127  * Initializes the CALIPSO label mapping cache, this function should be called
0128  * before any of the other functions defined in this file.  Returns zero on
0129  * success, negative values on error.
0130  *
0131  */
0132 static int __init calipso_cache_init(void)
0133 {
0134     u32 iter;
0135
0136     calipso_cache = kcalloc(CALIPSO_CACHE_BUCKETS,
0137                 sizeof(struct calipso_map_cache_bkt),
0138                 GFP_KERNEL);
0139     if (!calipso_cache)
0140         return -ENOMEM;
0141
0142     for (iter = 0; iter < CALIPSO_CACHE_BUCKETS; iter++) {
0143         spin_lock_init(&calipso_cache[iter].lock);
0144         calipso_cache[iter].size = 0;
0145         INIT_LIST_HEAD(&calipso_cache[iter].list);
0146     }
0147
0148     return 0;
0149 }
0150
0151 /**
0152  * calipso_cache_invalidate - Invalidates the current CALIPSO cache
0153  *
0154  * Description:
0155  * Invalidates and frees any entries in the CALIPSO cache.  Returns zero on
0156  * success and negative values on failure.
0157  *
0158  */
0159 static void calipso_cache_invalidate(void)
0160 {
0161     struct calipso_map_cache_entry *entry, *tmp_entry;
0162     u32 iter;
0163
0164     for (iter = 0; iter < CALIPSO_CACHE_BUCKETS; iter++) {
0165         spin_lock_bh(&calipso_cache[iter].lock);
0166         list_for_each_entry_safe(entry,
0167                      tmp_entry,
0168                      &calipso_cache[iter].list, list) {
0169             list_del(&entry->list);
0170             calipso_cache_entry_free(entry);
0171         }
0172         calipso_cache[iter].size = 0;
0173         spin_unlock_bh(&calipso_cache[iter].lock);
0174     }
0175 }
0176
0177 /**
0178  * calipso_cache_check - Check the CALIPSO cache for a label mapping
0179  * @key: the buffer to check
0180  * @key_len: buffer length in bytes
0181  * @secattr: the security attribute struct to use
0182  *
0183  * Description:
0184  * This function checks the cache to see if a label mapping already exists for
0185  * the given key.  If there is a match then the cache is adjusted and the
0186  * @secattr struct is populated with the correct LSM security attributes.  The
0187  * cache is adjusted in the following manner if the entry is not already the
0188  * first in the cache bucket:
0189  *
0190  *  1. The cache entry's activity counter is incremented
0191  *  2. The previous (higher ranking) entry's activity counter is decremented
0192  *  3. If the difference between the two activity counters is geater than
0193  *     CALIPSO_CACHE_REORDERLIMIT the two entries are swapped
0194  *
0195  * Returns zero on success, -ENOENT for a cache miss, and other negative values
0196  * on error.
0197  *
0198  */
0199 static int calipso_cache_check(const unsigned char *key,
0200                    u32 key_len,
0201                    struct netlbl_lsm_secattr *secattr)
0202 {
0203     u32 bkt;
0204     struct calipso_map_cache_entry *entry;
0205     struct calipso_map_cache_entry *prev_entry = NULL;
0206     u32 hash;
0207
0208     if (!calipso_cache_enabled)
0209         return -ENOENT;
0210
0211     hash = calipso_map_cache_hash(key, key_len);
0212     bkt = hash & (CALIPSO_CACHE_BUCKETS - 1);
0213     spin_lock_bh(&calipso_cache[bkt].lock);
0214     list_for_each_entry(entry, &calipso_cache[bkt].list, list) {
0215         if (entry->hash == hash &&
0216             entry->key_len == key_len &&
0217             memcmp(entry->key, key, key_len) == 0) {
0218             entry->activity += 1;
0219             refcount_inc(&entry->lsm_data->refcount);
0220             secattr->cache = entry->lsm_data;
0221             secattr->flags |= NETLBL_SECATTR_CACHE;
0222             secattr->type = NETLBL_NLTYPE_CALIPSO;
0223             if (!prev_entry) {
0224                 spin_unlock_bh(&calipso_cache[bkt].lock);
0225                 return 0;
0226             }
0227
0228             if (prev_entry->activity > 0)
0229                 prev_entry->activity -= 1;
0230             if (entry->activity > prev_entry->activity &&
0231                 entry->activity - prev_entry->activity >
0232                 CALIPSO_CACHE_REORDERLIMIT) {
0233                 __list_del(entry->list.prev, entry->list.next);
0234                 __list_add(&entry->list,
0235                        prev_entry->list.prev,
0236                        &prev_entry->list);
0237             }
0238
0239             spin_unlock_bh(&calipso_cache[bkt].lock);
0240             return 0;
0241         }
0242         prev_entry = entry;
0243     }
0244     spin_unlock_bh(&calipso_cache[bkt].lock);
0245
0246     return -ENOENT;
0247 }
0248
0249 /**
0250  * calipso_cache_add - Add an entry to the CALIPSO cache
0251  * @calipso_ptr: the CALIPSO option
0252  * @secattr: the packet's security attributes
0253  *
0254  * Description:
0255  * Add a new entry into the CALIPSO label mapping cache.  Add the new entry to
0256  * head of the cache bucket's list, if the cache bucket is out of room remove
0257  * the last entry in the list first.  It is important to note that there is
0258  * currently no checking for duplicate keys.  Returns zero on success,
0259  * negative values on failure.  The key stored starts at calipso_ptr + 2,
0260  * i.e. the type and length bytes are not stored, this corresponds to
0261  * calipso_ptr[1] bytes of data.
0262  *
0263  */
0264 static int calipso_cache_add(const unsigned char *calipso_ptr,
0265                  const struct netlbl_lsm_secattr *secattr)
0266 {
0267     int ret_val = -EPERM;
0268     u32 bkt;
0269     struct calipso_map_cache_entry *entry = NULL;
0270     struct calipso_map_cache_entry *old_entry = NULL;
0271     u32 calipso_ptr_len;
0272
0273     if (!calipso_cache_enabled || calipso_cache_bucketsize <= 0)
0274         return 0;
0275
0276     calipso_ptr_len = calipso_ptr[1];
0277
0278     entry = kzalloc(sizeof(*entry), GFP_ATOMIC);
0279     if (!entry)
0280         return -ENOMEM;
0281     entry->key = kmemdup(calipso_ptr + 2, calipso_ptr_len, GFP_ATOMIC);
0282     if (!entry->key) {
0283         ret_val = -ENOMEM;
0284         goto cache_add_failure;
0285     }
0286     entry->key_len = calipso_ptr_len;
0287     entry->hash = calipso_map_cache_hash(calipso_ptr, calipso_ptr_len);
0288     refcount_inc(&secattr->cache->refcount);
0289     entry->lsm_data = secattr->cache;
0290
0291     bkt = entry->hash & (CALIPSO_CACHE_BUCKETS - 1);
0292     spin_lock_bh(&calipso_cache[bkt].lock);
0293     if (calipso_cache[bkt].size < calipso_cache_bucketsize) {
0294         list_add(&entry->list, &calipso_cache[bkt].list);
0295         calipso_cache[bkt].size += 1;
0296     } else {
0297         old_entry = list_entry(calipso_cache[bkt].list.prev,
0298                        struct calipso_map_cache_entry, list);
0299         list_del(&old_entry->list);
0300         list_add(&entry->list, &calipso_cache[bkt].list);
0301         calipso_cache_entry_free(old_entry);
0302     }
0303     spin_unlock_bh(&calipso_cache[bkt].lock);
0304
0305     return 0;
0306
0307 cache_add_failure:
0308     if (entry)
0309         calipso_cache_entry_free(entry);
0310     return ret_val;
0311 }
0312
0313 /* DOI List Functions
0314  */
0315
0316 /**
0317  * calipso_doi_search - Searches for a DOI definition
0318  * @doi: the DOI to search for
0319  *
0320  * Description:
0321  * Search the DOI definition list for a DOI definition with a DOI value that
0322  * matches @doi.  The caller is responsible for calling rcu_read_[un]lock().
0323  * Returns a pointer to the DOI definition on success and NULL on failure.
0324  */
0325 static struct calipso_doi *calipso_doi_search(u32 doi)
0326 {
0327     struct calipso_doi *iter;
0328
0329     list_for_each_entry_rcu(iter, &calipso_doi_list, list)
0330         if (iter->doi == doi && refcount_read(&iter->refcount))
0331             return iter;
0332     return NULL;
0333 }
0334
0335 /**
0336  * calipso_doi_add - Add a new DOI to the CALIPSO protocol engine
0337  * @doi_def: the DOI structure
0338  * @audit_info: NetLabel audit information
0339  *
0340  * Description:
0341  * The caller defines a new DOI for use by the CALIPSO engine and calls this
0342  * function to add it to the list of acceptable domains.  The caller must
0343  * ensure that the mapping table specified in @doi_def->map meets all of the
0344  * requirements of the mapping type (see calipso.h for details).  Returns
0345  * zero on success and non-zero on failure.
0346  *
0347  */
0348 static int calipso_doi_add(struct calipso_doi *doi_def,
0349                struct netlbl_audit *audit_info)
0350 {
0351     int ret_val = -EINVAL;
0352     u32 doi;
0353     u32 doi_type;
0354     struct audit_buffer *audit_buf;
0355
0356     doi = doi_def->doi;
0357     doi_type = doi_def->type;
0358
0359     if (doi_def->doi == CALIPSO_DOI_UNKNOWN)
0360         goto doi_add_return;
0361
0362     refcount_set(&doi_def->refcount, 1);
0363
0364     spin_lock(&calipso_doi_list_lock);
0365     if (calipso_doi_search(doi_def->doi)) {
0366         spin_unlock(&calipso_doi_list_lock);
0367         ret_val = -EEXIST;
0368         goto doi_add_return;
0369     }
0370     list_add_tail_rcu(&doi_def->list, &calipso_doi_list);
0371     spin_unlock(&calipso_doi_list_lock);
0372     ret_val = 0;
0373
0374 doi_add_return:
0375     audit_buf = netlbl_audit_start(AUDIT_MAC_CALIPSO_ADD, audit_info);
0376     if (audit_buf) {
0377         const char *type_str;
0378
0379         switch (doi_type) {
0380         case CALIPSO_MAP_PASS:
0381             type_str = "pass";
0382             break;
0383         default:
0384             type_str = "(unknown)";
0385         }
0386         audit_log_format(audit_buf,
0387                  " calipso_doi=%u calipso_type=%s res=%u",
0388                  doi, type_str, ret_val == 0 ? 1 : 0);
0389         audit_log_end(audit_buf);
0390     }
0391
0392     return ret_val;
0393 }
0394
0395 /**
0396  * calipso_doi_free - Frees a DOI definition
0397  * @doi_def: the DOI definition
0398  *
0399  * Description:
0400  * This function frees all of the memory associated with a DOI definition.
0401  *
0402  */
0403 static void calipso_doi_free(struct calipso_doi *doi_def)
0404 {
0405     kfree(doi_def);
0406 }
0407
0408 /**
0409  * calipso_doi_free_rcu - Frees a DOI definition via the RCU pointer
0410  * @entry: the entry's RCU field
0411  *
0412  * Description:
0413  * This function is designed to be used as a callback to the call_rcu()
0414  * function so that the memory allocated to the DOI definition can be released
0415  * safely.
0416  *
0417  */
0418 static void calipso_doi_free_rcu(struct rcu_head *entry)
0419 {
0420     struct calipso_doi *doi_def;
0421
0422     doi_def = container_of(entry, struct calipso_doi, rcu);
0423     calipso_doi_free(doi_def);
0424 }
0425
0426 /**
0427  * calipso_doi_remove - Remove an existing DOI from the CALIPSO protocol engine
0428  * @doi: the DOI value
0429  * @audit_info: NetLabel audit information
0430  *
0431  * Description:
0432  * Removes a DOI definition from the CALIPSO engine.  The NetLabel routines will
0433  * be called to release their own LSM domain mappings as well as our own
0434  * domain list.  Returns zero on success and negative values on failure.
0435  *
0436  */
0437 static int calipso_doi_remove(u32 doi, struct netlbl_audit *audit_info)
0438 {
0439     int ret_val;
0440     struct calipso_doi *doi_def;
0441     struct audit_buffer *audit_buf;
0442
0443     spin_lock(&calipso_doi_list_lock);
0444     doi_def = calipso_doi_search(doi);
0445     if (!doi_def) {
0446         spin_unlock(&calipso_doi_list_lock);
0447         ret_val = -ENOENT;
0448         goto doi_remove_return;
0449     }
0450     list_del_rcu(&doi_def->list);
0451     spin_unlock(&calipso_doi_list_lock);
0452
0453     calipso_doi_putdef(doi_def);
0454     ret_val = 0;
0455
0456 doi_remove_return:
0457     audit_buf = netlbl_audit_start(AUDIT_MAC_CALIPSO_DEL, audit_info);
0458     if (audit_buf) {
0459         audit_log_format(audit_buf,
0460                  " calipso_doi=%u res=%u",
0461                  doi, ret_val == 0 ? 1 : 0);
0462         audit_log_end(audit_buf);
0463     }
0464
0465     return ret_val;
0466 }
0467
0468 /**
0469  * calipso_doi_getdef - Returns a reference to a valid DOI definition
0470  * @doi: the DOI value
0471  *
0472  * Description:
0473  * Searches for a valid DOI definition and if one is found it is returned to
0474  * the caller.  Otherwise NULL is returned.  The caller must ensure that
0475  * calipso_doi_putdef() is called when the caller is done.
0476  *
0477  */
0478 static struct calipso_doi *calipso_doi_getdef(u32 doi)
0479 {
0480     struct calipso_doi *doi_def;
0481
0482     rcu_read_lock();
0483     doi_def = calipso_doi_search(doi);
0484     if (!doi_def)
0485         goto doi_getdef_return;
0486     if (!refcount_inc_not_zero(&doi_def->refcount))
0487         doi_def = NULL;
0488
0489 doi_getdef_return:
0490     rcu_read_unlock();
0491     return doi_def;
0492 }
0493
0494 /**
0495  * calipso_doi_putdef - Releases a reference for the given DOI definition
0496  * @doi_def: the DOI definition
0497  *
0498  * Description:
0499  * Releases a DOI definition reference obtained from calipso_doi_getdef().
0500  *
0501  */
0502 static void calipso_doi_putdef(struct calipso_doi *doi_def)
0503 {
0504     if (!doi_def)
0505         return;
0506
0507     if (!refcount_dec_and_test(&doi_def->refcount))
0508         return;
0509
0510     calipso_cache_invalidate();
0511     call_rcu(&doi_def->rcu, calipso_doi_free_rcu);
0512 }
0513
0514 /**
0515  * calipso_doi_walk - Iterate through the DOI definitions
0516  * @skip_cnt: skip past this number of DOI definitions, updated
0517  * @callback: callback for each DOI definition
0518  * @cb_arg: argument for the callback function
0519  *
0520  * Description:
0521  * Iterate over the DOI definition list, skipping the first @skip_cnt entries.
0522  * For each entry call @callback, if @callback returns a negative value stop
0523  * 'walking' through the list and return.  Updates the value in @skip_cnt upon
0524  * return.  Returns zero on success, negative values on failure.
0525  *
0526  */
0527 static int calipso_doi_walk(u32 *skip_cnt,
0528                 int (*callback)(struct calipso_doi *doi_def,
0529                         void *arg),
0530                 void *cb_arg)
0531 {
0532     int ret_val = -ENOENT;
0533     u32 doi_cnt = 0;
0534     struct calipso_doi *iter_doi;
0535
0536     rcu_read_lock();
0537     list_for_each_entry_rcu(iter_doi, &calipso_doi_list, list)
0538         if (refcount_read(&iter_doi->refcount) > 0) {
0539             if (doi_cnt++ < *skip_cnt)
0540                 continue;
0541             ret_val = callback(iter_doi, cb_arg);
0542             if (ret_val < 0) {
0543                 doi_cnt--;
0544                 goto doi_walk_return;
0545             }
0546         }
0547
0548 doi_walk_return:
0549     rcu_read_unlock();
0550     *skip_cnt = doi_cnt;
0551     return ret_val;
0552 }
0553
0554 /**
0555  * calipso_validate - Validate a CALIPSO option
0556  * @skb: the packet
0557  * @option: the start of the option
0558  *
0559  * Description:
0560  * This routine is called to validate a CALIPSO option.
0561  * If the option is valid then %true is returned, otherwise
0562  * %false is returned.
0563  *
0564  * The caller should have already checked that the length of the
0565  * option (including the TLV header) is >= 10 and that the catmap
0566  * length is consistent with the option length.
0567  *
0568  * We leave checks on the level and categories to the socket layer.
0569  */
0570 bool calipso_validate(const struct sk_buff *skb, const unsigned char *option)
0571 {
0572     struct calipso_doi *doi_def;
0573     bool ret_val;
0574     u16 crc, len = option[1] + 2;
0575     static const u8 zero[2];
0576
0577     /* The original CRC runs over the option including the TLV header
0578      * with the CRC-16 field (at offset 8) zeroed out. */
0579     crc = crc_ccitt(0xffff, option, 8);
0580     crc = crc_ccitt(crc, zero, sizeof(zero));
0581     if (len > 10)
0582         crc = crc_ccitt(crc, option + 10, len - 10);
0583     crc = ~crc;
0584     if (option[8] != (crc & 0xff) || option[9] != ((crc >> 8) & 0xff))
0585         return false;
0586
0587     rcu_read_lock();
0588     doi_def = calipso_doi_search(get_unaligned_be32(option + 2));
0589     ret_val = !!doi_def;
0590     rcu_read_unlock();
0591
0592     return ret_val;
0593 }
0594
0595 /**
0596  * calipso_map_cat_hton - Perform a category mapping from host to network
0597  * @doi_def: the DOI definition
0598  * @secattr: the security attributes
0599  * @net_cat: the zero'd out category bitmap in network/CALIPSO format
0600  * @net_cat_len: the length of the CALIPSO bitmap in bytes
0601  *
0602  * Description:
0603  * Perform a label mapping to translate a local MLS category bitmap to the
0604  * correct CALIPSO bitmap using the given DOI definition.  Returns the minimum
0605  * size in bytes of the network bitmap on success, negative values otherwise.
0606  *
0607  */
0608 static int calipso_map_cat_hton(const struct calipso_doi *doi_def,
0609                 const struct netlbl_lsm_secattr *secattr,
0610                 unsigned char *net_cat,
0611                 u32 net_cat_len)
0612 {
0613     int spot = -1;
0614     u32 net_spot_max = 0;
0615     u32 net_clen_bits = net_cat_len * 8;
0616
0617     for (;;) {
0618         spot = netlbl_catmap_walk(secattr->attr.mls.cat,
0619                       spot + 1);
0620         if (spot < 0)
0621             break;
0622         if (spot >= net_clen_bits)
0623             return -ENOSPC;
0624         netlbl_bitmap_setbit(net_cat, spot, 1);
0625
0626         if (spot > net_spot_max)
0627             net_spot_max = spot;
0628     }
0629
0630     return (net_spot_max / 32 + 1) * 4;
0631 }
0632
0633 /**
0634  * calipso_map_cat_ntoh - Perform a category mapping from network to host
0635  * @doi_def: the DOI definition
0636  * @net_cat: the category bitmap in network/CALIPSO format
0637  * @net_cat_len: the length of the CALIPSO bitmap in bytes
0638  * @secattr: the security attributes
0639  *
0640  * Description:
0641  * Perform a label mapping to translate a CALIPSO bitmap to the correct local
0642  * MLS category bitmap using the given DOI definition.  Returns zero on
0643  * success, negative values on failure.
0644  *
0645  */
0646 static int calipso_map_cat_ntoh(const struct calipso_doi *doi_def,
0647                 const unsigned char *net_cat,
0648                 u32 net_cat_len,
0649                 struct netlbl_lsm_secattr *secattr)
0650 {
0651     int ret_val;
0652     int spot = -1;
0653     u32 net_clen_bits = net_cat_len * 8;
0654
0655     for (;;) {
0656         spot = netlbl_bitmap_walk(net_cat,
0657                       net_clen_bits,
0658                       spot + 1,
0659                       1);
0660         if (spot < 0) {
0661             if (spot == -2)
0662                 return -EFAULT;
0663             return 0;
0664         }
0665
0666         ret_val = netlbl_catmap_setbit(&secattr->attr.mls.cat,
0667                            spot,
0668                            GFP_ATOMIC);
0669         if (ret_val != 0)
0670             return ret_val;
0671     }
0672
0673     return -EINVAL;
0674 }
0675
0676 /**
0677  * calipso_pad_write - Writes pad bytes in TLV format
0678  * @buf: the buffer
0679  * @offset: offset from start of buffer to write padding
0680  * @count: number of pad bytes to write
0681  *
0682  * Description:
0683  * Write @count bytes of TLV padding into @buffer starting at offset @offset.
0684  * @count should be less than 8 - see RFC 4942.
0685  *
0686  */
0687 static int calipso_pad_write(unsigned char *buf, unsigned int offset,
0688                  unsigned int count)
0689 {
0690     if (WARN_ON_ONCE(count >= 8))
0691         return -EINVAL;
0692
0693     switch (count) {
0694     case 0:
0695         break;
0696     case 1:
0697         buf[offset] = IPV6_TLV_PAD1;
0698         break;
0699     default:
0700         buf[offset] = IPV6_TLV_PADN;
0701         buf[offset + 1] = count - 2;
0702         if (count > 2)
0703             memset(buf + offset + 2, 0, count - 2);
0704         break;
0705     }
0706     return 0;
0707 }
0708
0709 /**
0710  * calipso_genopt - Generate a CALIPSO option
0711  * @buf: the option buffer
0712  * @start: offset from which to write
0713  * @buf_len: the size of opt_buf
0714  * @doi_def: the CALIPSO DOI to use
0715  * @secattr: the security attributes
0716  *
0717  * Description:
0718  * Generate a CALIPSO option using the DOI definition and security attributes
0719  * passed to the function. This also generates upto three bytes of leading
0720  * padding that ensures that the option is 4n + 2 aligned.  It returns the
0721  * number of bytes written (including any initial padding).
0722  */
0723 static int calipso_genopt(unsigned char *buf, u32 start, u32 buf_len,
0724               const struct calipso_doi *doi_def,
0725               const struct netlbl_lsm_secattr *secattr)
0726 {
0727     int ret_val;
0728     u32 len, pad;
0729     u16 crc;
0730     static const unsigned char padding[4] = {2, 1, 0, 3};
0731     unsigned char *calipso;
0732
0733     /* CALIPSO has 4n + 2 alignment */
0734     pad = padding[start & 3];
0735     if (buf_len <= start + pad + CALIPSO_HDR_LEN)
0736         return -ENOSPC;
0737
0738     if ((secattr->flags & NETLBL_SECATTR_MLS_LVL) == 0)
0739         return -EPERM;
0740
0741     len = CALIPSO_HDR_LEN;
0742
0743     if (secattr->flags & NETLBL_SECATTR_MLS_CAT) {
0744         ret_val = calipso_map_cat_hton(doi_def,
0745                            secattr,
0746                            buf + start + pad + len,
0747                            buf_len - start - pad - len);
0748         if (ret_val < 0)
0749             return ret_val;
0750         len += ret_val;
0751     }
0752
0753     calipso_pad_write(buf, start, pad);
0754     calipso = buf + start + pad;
0755
0756     calipso[0] = IPV6_TLV_CALIPSO;
0757     calipso[1] = len - 2;
0758     *(__be32 *)(calipso + 2) = htonl(doi_def->doi);
0759     calipso[6] = (len - CALIPSO_HDR_LEN) / 4;
0760     calipso[7] = secattr->attr.mls.lvl;
0761     crc = ~crc_ccitt(0xffff, calipso, len);
0762     calipso[8] = crc & 0xff;
0763     calipso[9] = (crc >> 8) & 0xff;
0764     return pad + len;
0765 }
0766
0767 /* Hop-by-hop hdr helper functions
0768  */
0769
0770 /**
0771  * calipso_opt_update - Replaces socket's hop options with a new set
0772  * @sk: the socket
0773  * @hop: new hop options
0774  *
0775  * Description:
0776  * Replaces @sk's hop options with @hop.  @hop may be NULL to leave
0777  * the socket with no hop options.
0778  *
0779  */
0780 static int calipso_opt_update(struct sock *sk, struct ipv6_opt_hdr *hop)
0781 {
0782     struct ipv6_txoptions *old = txopt_get(inet6_sk(sk)), *txopts;
0783
0784     txopts = ipv6_renew_options(sk, old, IPV6_HOPOPTS, hop);
0785     txopt_put(old);
0786     if (IS_ERR(txopts))
0787         return PTR_ERR(txopts);
0788
0789     txopts = ipv6_update_options(sk, txopts);
0790     if (txopts) {
0791         atomic_sub(txopts->tot_len, &sk->sk_omem_alloc);
0792         txopt_put(txopts);
0793     }
0794
0795     return 0;
0796 }
0797
0798 /**
0799  * calipso_tlv_len - Returns the length of the TLV
0800  * @opt: the option header
0801  * @offset: offset of the TLV within the header
0802  *
0803  * Description:
0804  * Returns the length of the TLV option at offset @offset within
0805  * the option header @opt.  Checks that the entire TLV fits inside
0806  * the option header, returns a negative value if this is not the case.
0807  */
0808 static int calipso_tlv_len(struct ipv6_opt_hdr *opt, unsigned int offset)
0809 {
0810     unsigned char *tlv = (unsigned char *)opt;
0811     unsigned int opt_len = ipv6_optlen(opt), tlv_len;
0812
0813     if (offset < sizeof(*opt) || offset >= opt_len)
0814         return -EINVAL;
0815     if (tlv[offset] == IPV6_TLV_PAD1)
0816         return 1;
0817     if (offset + 1 >= opt_len)
0818         return -EINVAL;
0819     tlv_len = tlv[offset + 1] + 2;
0820     if (offset + tlv_len > opt_len)
0821         return -EINVAL;
0822     return tlv_len;
0823 }
0824
0825 /**
0826  * calipso_opt_find - Finds the CALIPSO option in an IPv6 hop options header
0827  * @hop: the hop options header
0828  * @start: on return holds the offset of any leading padding
0829  * @end: on return holds the offset of the first non-pad TLV after CALIPSO
0830  *
0831  * Description:
0832  * Finds the space occupied by a CALIPSO option (including any leading and
0833  * trailing padding).
0834  *
0835  * If a CALIPSO option exists set @start and @end to the
0836  * offsets within @hop of the start of padding before the first
0837  * CALIPSO option and the end of padding after the first CALIPSO
0838  * option.  In this case the function returns 0.
0839  *
0840  * In the absence of a CALIPSO option, @start and @end will be
0841  * set to the start and end of any trailing padding in the header.
0842  * This is useful when appending a new option, as the caller may want
0843  * to overwrite some of this padding.  In this case the function will
0844  * return -ENOENT.
0845  */
0846 static int calipso_opt_find(struct ipv6_opt_hdr *hop, unsigned int *start,
0847                 unsigned int *end)
0848 {
0849     int ret_val = -ENOENT, tlv_len;
0850     unsigned int opt_len, offset, offset_s = 0, offset_e = 0;
0851     unsigned char *opt = (unsigned char *)hop;
0852
0853     opt_len = ipv6_optlen(hop);
0854     offset = sizeof(*hop);
0855
0856     while (offset < opt_len) {
0857         tlv_len = calipso_tlv_len(hop, offset);
0858         if (tlv_len < 0)
0859             return tlv_len;
0860
0861         switch (opt[offset]) {
0862         case IPV6_TLV_PAD1:
0863         case IPV6_TLV_PADN:
0864             if (offset_e)
0865                 offset_e = offset;
0866             break;
0867         case IPV6_TLV_CALIPSO:
0868             ret_val = 0;
0869             offset_e = offset;
0870             break;
0871         default:
0872             if (offset_e == 0)
0873                 offset_s = offset;
0874             else
0875                 goto out;
0876         }
0877         offset += tlv_len;
0878     }
0879
0880 out:
0881     if (offset_s)
0882         *start = offset_s + calipso_tlv_len(hop, offset_s);
0883     else
0884         *start = sizeof(*hop);
0885     if (offset_e)
0886         *end = offset_e + calipso_tlv_len(hop, offset_e);
0887     else
0888         *end = opt_len;
0889
0890     return ret_val;
0891 }
0892
0893 /**
0894  * calipso_opt_insert - Inserts a CALIPSO option into an IPv6 hop opt hdr
0895  * @hop: the original hop options header
0896  * @doi_def: the CALIPSO DOI to use
0897  * @secattr: the specific security attributes of the socket
0898  *
0899  * Description:
0900  * Creates a new hop options header based on @hop with a
0901  * CALIPSO option added to it.  If @hop already contains a CALIPSO
0902  * option this is overwritten, otherwise the new option is appended
0903  * after any existing options.  If @hop is NULL then the new header
0904  * will contain just the CALIPSO option and any needed padding.
0905  *
0906  */
0907 static struct ipv6_opt_hdr *
0908 calipso_opt_insert(struct ipv6_opt_hdr *hop,
0909            const struct calipso_doi *doi_def,
0910            const struct netlbl_lsm_secattr *secattr)
0911 {
0912     unsigned int start, end, buf_len, pad, hop_len;
0913     struct ipv6_opt_hdr *new;
0914     int ret_val;
0915
0916     if (hop) {
0917         hop_len = ipv6_optlen(hop);
0918         ret_val = calipso_opt_find(hop, &start, &end);
0919         if (ret_val && ret_val != -ENOENT)
0920             return ERR_PTR(ret_val);
0921     } else {
0922         hop_len = 0;
0923         start = sizeof(*hop);
0924         end = 0;
0925     }
0926
0927     buf_len = hop_len + start - end + CALIPSO_OPT_LEN_MAX_WITH_PAD;
0928     new = kzalloc(buf_len, GFP_ATOMIC);
0929     if (!new)
0930         return ERR_PTR(-ENOMEM);
0931
0932     if (start > sizeof(*hop))
0933         memcpy(new, hop, start);
0934     ret_val = calipso_genopt((unsigned char *)new, start, buf_len, doi_def,
0935                  secattr);
0936     if (ret_val < 0) {
0937         kfree(new);
0938         return ERR_PTR(ret_val);
0939     }
0940
0941     buf_len = start + ret_val;
0942     /* At this point buf_len aligns to 4n, so (buf_len & 4) pads to 8n */
0943     pad = ((buf_len & 4) + (end & 7)) & 7;
0944     calipso_pad_write((unsigned char *)new, buf_len, pad);
0945     buf_len += pad;
0946
0947     if (end != hop_len) {
0948         memcpy((char *)new + buf_len, (char *)hop + end, hop_len - end);
0949         buf_len += hop_len - end;
0950     }
0951     new->nexthdr = 0;
0952     new->hdrlen = buf_len / 8 - 1;
0953
0954     return new;
0955 }
0956
0957 /**
0958  * calipso_opt_del - Removes the CALIPSO option from an option header
0959  * @hop: the original header
0960  * @new: the new header
0961  *
0962  * Description:
0963  * Creates a new header based on @hop without any CALIPSO option.  If @hop
0964  * doesn't contain a CALIPSO option it returns -ENOENT.  If @hop contains
0965  * no other non-padding options, it returns zero with @new set to NULL.
0966  * Otherwise it returns zero, creates a new header without the CALIPSO
0967  * option (and removing as much padding as possible) and returns with
0968  * @new set to that header.
0969  *
0970  */
0971 static int calipso_opt_del(struct ipv6_opt_hdr *hop,
0972                struct ipv6_opt_hdr **new)
0973 {
0974     int ret_val;
0975     unsigned int start, end, delta, pad, hop_len;
0976
0977     ret_val = calipso_opt_find(hop, &start, &end);
0978     if (ret_val)
0979         return ret_val;
0980
0981     hop_len = ipv6_optlen(hop);
0982     if (start == sizeof(*hop) && end == hop_len) {
0983         /* There's no other option in the header so return NULL */
0984         *new = NULL;
0985         return 0;
0986     }
0987
0988     delta = (end - start) & ~7;
0989     *new = kzalloc(hop_len - delta, GFP_ATOMIC);
0990     if (!*new)
0991         return -ENOMEM;
0992
0993     memcpy(*new, hop, start);
0994     (*new)->hdrlen -= delta / 8;
0995     pad = (end - start) & 7;
0996     calipso_pad_write((unsigned char *)*new, start, pad);
0997     if (end != hop_len)
0998         memcpy((char *)*new + start + pad, (char *)hop + end,
0999                hop_len - end);
1000
1001     return 0;
1002 }
1003
1004 /**
1005  * calipso_opt_getattr - Get the security attributes from a memory block
1006  * @calipso: the CALIPSO option
1007  * @secattr: the security attributes
1008  *
1009  * Description:
1010  * Inspect @calipso and return the security attributes in @secattr.
1011  * Returns zero on success and negative values on failure.
1012  *
1013  */
1014 static int calipso_opt_getattr(const unsigned char *calipso,
1015                    struct netlbl_lsm_secattr *secattr)
1016 {
1017     int ret_val = -ENOMSG;
1018     u32 doi, len = calipso[1], cat_len = calipso[6] * 4;
1019     struct calipso_doi *doi_def;
1020
1021     if (cat_len + 8 > len)
1022         return -EINVAL;
1023
1024     if (calipso_cache_check(calipso + 2, calipso[1], secattr) == 0)
1025         return 0;
1026
1027     doi = get_unaligned_be32(calipso + 2);
1028     rcu_read_lock();
1029     doi_def = calipso_doi_search(doi);
1030     if (!doi_def)
1031         goto getattr_return;
1032
1033     secattr->attr.mls.lvl = calipso[7];
1034     secattr->flags |= NETLBL_SECATTR_MLS_LVL;
1035
1036     if (cat_len) {
1037         ret_val = calipso_map_cat_ntoh(doi_def,
1038                            calipso + 10,
1039                            cat_len,
1040                            secattr);
1041         if (ret_val != 0) {
1042             netlbl_catmap_free(secattr->attr.mls.cat);
1043             goto getattr_return;
1044         }
1045
1046         if (secattr->attr.mls.cat)
1047             secattr->flags |= NETLBL_SECATTR_MLS_CAT;
1048     }
1049
1050     secattr->type = NETLBL_NLTYPE_CALIPSO;
1051
1052 getattr_return:
1053     rcu_read_unlock();
1054     return ret_val;
1055 }
1056
1057 /* sock functions.
1058  */
1059
1060 /**
1061  * calipso_sock_getattr - Get the security attributes from a sock
1062  * @sk: the sock
1063  * @secattr: the security attributes
1064  *
1065  * Description:
1066  * Query @sk to see if there is a CALIPSO option attached to the sock and if
1067  * there is return the CALIPSO security attributes in @secattr.  This function
1068  * requires that @sk be locked, or privately held, but it does not do any
1069  * locking itself.  Returns zero on success and negative values on failure.
1070  *
1071  */
1072 static int calipso_sock_getattr(struct sock *sk,
1073                 struct netlbl_lsm_secattr *secattr)
1074 {
1075     struct ipv6_opt_hdr *hop;
1076     int opt_len, len, ret_val = -ENOMSG, offset;
1077     unsigned char *opt;
1078     struct ipv6_txoptions *txopts = txopt_get(inet6_sk(sk));
1079
1080     if (!txopts || !txopts->hopopt)
1081         goto done;
1082
1083     hop = txopts->hopopt;
1084     opt = (unsigned char *)hop;
1085     opt_len = ipv6_optlen(hop);
1086     offset = sizeof(*hop);
1087     while (offset < opt_len) {
1088         len = calipso_tlv_len(hop, offset);
1089         if (len < 0) {
1090             ret_val = len;
1091             goto done;
1092         }
1093         switch (opt[offset]) {
1094         case IPV6_TLV_CALIPSO:
1095             if (len < CALIPSO_HDR_LEN)
1096                 ret_val = -EINVAL;
1097             else
1098                 ret_val = calipso_opt_getattr(&opt[offset],
1099                                   secattr);
1100             goto done;
1101         default:
1102             offset += len;
1103             break;
1104         }
1105     }
1106 done:
1107     txopt_put(txopts);
1108     return ret_val;
1109 }
1110
1111 /**
1112  * calipso_sock_setattr - Add a CALIPSO option to a socket
1113  * @sk: the socket
1114  * @doi_def: the CALIPSO DOI to use
1115  * @secattr: the specific security attributes of the socket
1116  *
1117  * Description:
1118  * Set the CALIPSO option on the given socket using the DOI definition and
1119  * security attributes passed to the function.  This function requires
1120  * exclusive access to @sk, which means it either needs to be in the
1121  * process of being created or locked.  Returns zero on success and negative
1122  * values on failure.
1123  *
1124  */
1125 static int calipso_sock_setattr(struct sock *sk,
1126                 const struct calipso_doi *doi_def,
1127                 const struct netlbl_lsm_secattr *secattr)
1128 {
1129     int ret_val;
1130     struct ipv6_opt_hdr *old, *new;
1131     struct ipv6_txoptions *txopts = txopt_get(inet6_sk(sk));
1132
1133     old = NULL;
1134     if (txopts)
1135         old = txopts->hopopt;
1136
1137     new = calipso_opt_insert(old, doi_def, secattr);
1138     txopt_put(txopts);
1139     if (IS_ERR(new))
1140         return PTR_ERR(new);
1141
1142     ret_val = calipso_opt_update(sk, new);
1143
1144     kfree(new);
1145     return ret_val;
1146 }
1147
1148 /**
1149  * calipso_sock_delattr - Delete the CALIPSO option from a socket
1150  * @sk: the socket
1151  *
1152  * Description:
1153  * Removes the CALIPSO option from a socket, if present.
1154  *
1155  */
1156 static void calipso_sock_delattr(struct sock *sk)
1157 {
1158     struct ipv6_opt_hdr *new_hop;
1159     struct ipv6_txoptions *txopts = txopt_get(inet6_sk(sk));
1160
1161     if (!txopts || !txopts->hopopt)
1162         goto done;
1163
1164     if (calipso_opt_del(txopts->hopopt, &new_hop))
1165         goto done;
1166
1167     calipso_opt_update(sk, new_hop);
1168     kfree(new_hop);
1169
1170 done:
1171     txopt_put(txopts);
1172 }
1173
1174 /* request sock functions.
1175  */
1176
1177 /**
1178  * calipso_req_setattr - Add a CALIPSO option to a connection request socket
1179  * @req: the connection request socket
1180  * @doi_def: the CALIPSO DOI to use
1181  * @secattr: the specific security attributes of the socket
1182  *
1183  * Description:
1184  * Set the CALIPSO option on the given socket using the DOI definition and
1185  * security attributes passed to the function.  Returns zero on success and
1186  * negative values on failure.
1187  *
1188  */
1189 static int calipso_req_setattr(struct request_sock *req,
1190                    const struct calipso_doi *doi_def,
1191                    const struct netlbl_lsm_secattr *secattr)
1192 {
1193     struct ipv6_txoptions *txopts;
1194     struct inet_request_sock *req_inet = inet_rsk(req);
1195     struct ipv6_opt_hdr *old, *new;
1196     struct sock *sk = sk_to_full_sk(req_to_sk(req));
1197
1198     if (req_inet->ipv6_opt && req_inet->ipv6_opt->hopopt)
1199         old = req_inet->ipv6_opt->hopopt;
1200     else
1201         old = NULL;
1202
1203     new = calipso_opt_insert(old, doi_def, secattr);
1204     if (IS_ERR(new))
1205         return PTR_ERR(new);
1206
1207     txopts = ipv6_renew_options(sk, req_inet->ipv6_opt, IPV6_HOPOPTS, new);
1208
1209     kfree(new);
1210
1211     if (IS_ERR(txopts))
1212         return PTR_ERR(txopts);
1213
1214     txopts = xchg(&req_inet->ipv6_opt, txopts);
1215     if (txopts) {
1216         atomic_sub(txopts->tot_len, &sk->sk_omem_alloc);
1217         txopt_put(txopts);
1218     }
1219
1220     return 0;
1221 }
1222
1223 /**
1224  * calipso_req_delattr - Delete the CALIPSO option from a request socket
1225  * @req: the request socket
1226  *
1227  * Description:
1228  * Removes the CALIPSO option from a request socket, if present.
1229  *
1230  */
1231 static void calipso_req_delattr(struct request_sock *req)
1232 {
1233     struct inet_request_sock *req_inet = inet_rsk(req);
1234     struct ipv6_opt_hdr *new;
1235     struct ipv6_txoptions *txopts;
1236     struct sock *sk = sk_to_full_sk(req_to_sk(req));
1237
1238     if (!req_inet->ipv6_opt || !req_inet->ipv6_opt->hopopt)
1239         return;
1240
1241     if (calipso_opt_del(req_inet->ipv6_opt->hopopt, &new))
1242         return; /* Nothing to do */
1243
1244     txopts = ipv6_renew_options(sk, req_inet->ipv6_opt, IPV6_HOPOPTS, new);
1245
1246     if (!IS_ERR(txopts)) {
1247         txopts = xchg(&req_inet->ipv6_opt, txopts);
1248         if (txopts) {
1249             atomic_sub(txopts->tot_len, &sk->sk_omem_alloc);
1250             txopt_put(txopts);
1251         }
1252     }
1253     kfree(new);
1254 }
1255
1256 /* skbuff functions.
1257  */
1258
1259 /**
1260  * calipso_skbuff_optptr - Find the CALIPSO option in the packet
1261  * @skb: the packet
1262  *
1263  * Description:
1264  * Parse the packet's IP header looking for a CALIPSO option.  Returns a pointer
1265  * to the start of the CALIPSO option on success, NULL if one if not found.
1266  *
1267  */
1268 static unsigned char *calipso_skbuff_optptr(const struct sk_buff *skb)
1269 {
1270     const struct ipv6hdr *ip6_hdr = ipv6_hdr(skb);
1271     int offset;
1272
1273     if (ip6_hdr->nexthdr != NEXTHDR_HOP)
1274         return NULL;
1275
1276     offset = ipv6_find_tlv(skb, sizeof(*ip6_hdr), IPV6_TLV_CALIPSO);
1277     if (offset >= 0)
1278         return (unsigned char *)ip6_hdr + offset;
1279
1280     return NULL;
1281 }
1282
1283 /**
1284  * calipso_skbuff_setattr - Set the CALIPSO option on a packet
1285  * @skb: the packet
1286  * @doi_def: the CALIPSO DOI to use
1287  * @secattr: the security attributes
1288  *
1289  * Description:
1290  * Set the CALIPSO option on the given packet based on the security attributes.
1291  * Returns a pointer to the IP header on success and NULL on failure.
1292  *
1293  */
1294 static int calipso_skbuff_setattr(struct sk_buff *skb,
1295                   const struct calipso_doi *doi_def,
1296                   const struct netlbl_lsm_secattr *secattr)
1297 {
1298     int ret_val;
1299     struct ipv6hdr *ip6_hdr;
1300     struct ipv6_opt_hdr *hop;
1301     unsigned char buf[CALIPSO_MAX_BUFFER];
1302     int len_delta, new_end, pad, payload;
1303     unsigned int start, end;
1304
1305     ip6_hdr = ipv6_hdr(skb);
1306     if (ip6_hdr->nexthdr == NEXTHDR_HOP) {
1307         hop = (struct ipv6_opt_hdr *)(ip6_hdr + 1);
1308         ret_val = calipso_opt_find(hop, &start, &end);
1309         if (ret_val && ret_val != -ENOENT)
1310             return ret_val;
1311     } else {
1312         start = 0;
1313         end = 0;
1314     }
1315
1316     memset(buf, 0, sizeof(buf));
1317     ret_val = calipso_genopt(buf, start & 3, sizeof(buf), doi_def, secattr);
1318     if (ret_val < 0)
1319         return ret_val;
1320
1321     new_end = start + ret_val;
1322     /* At this point new_end aligns to 4n, so (new_end & 4) pads to 8n */
1323     pad = ((new_end & 4) + (end & 7)) & 7;
1324     len_delta = new_end - (int)end + pad;
1325     ret_val = skb_cow(skb, skb_headroom(skb) + len_delta);
1326     if (ret_val < 0)
1327         return ret_val;
1328
1329     ip6_hdr = ipv6_hdr(skb); /* Reset as skb_cow() may have moved it */
1330
1331     if (len_delta) {
1332         if (len_delta > 0)
1333             skb_push(skb, len_delta);
1334         else
1335             skb_pull(skb, -len_delta);
1336         memmove((char *)ip6_hdr - len_delta, ip6_hdr,
1337             sizeof(*ip6_hdr) + start);
1338         skb_reset_network_header(skb);
1339         ip6_hdr = ipv6_hdr(skb);
1340         payload = ntohs(ip6_hdr->payload_len);
1341         ip6_hdr->payload_len = htons(payload + len_delta);
1342     }
1343
1344     hop = (struct ipv6_opt_hdr *)(ip6_hdr + 1);
1345     if (start == 0) {
1346         struct ipv6_opt_hdr *new_hop = (struct ipv6_opt_hdr *)buf;
1347
1348         new_hop->nexthdr = ip6_hdr->nexthdr;
1349         new_hop->hdrlen = len_delta / 8 - 1;
1350         ip6_hdr->nexthdr = NEXTHDR_HOP;
1351     } else {
1352         hop->hdrlen += len_delta / 8;
1353     }
1354     memcpy((char *)hop + start, buf + (start & 3), new_end - start);
1355     calipso_pad_write((unsigned char *)hop, new_end, pad);
1356
1357     return 0;
1358 }
1359
1360 /**
1361  * calipso_skbuff_delattr - Delete any CALIPSO options from a packet
1362  * @skb: the packet
1363  *
1364  * Description:
1365  * Removes any and all CALIPSO options from the given packet.  Returns zero on
1366  * success, negative values on failure.
1367  *
1368  */
1369 static int calipso_skbuff_delattr(struct sk_buff *skb)
1370 {
1371     int ret_val;
1372     struct ipv6hdr *ip6_hdr;
1373     struct ipv6_opt_hdr *old_hop;
1374     u32 old_hop_len, start = 0, end = 0, delta, size, pad;
1375
1376     if (!calipso_skbuff_optptr(skb))
1377         return 0;
1378
1379     /* since we are changing the packet we should make a copy */
1380     ret_val = skb_cow(skb, skb_headroom(skb));
1381     if (ret_val < 0)
1382         return ret_val;
1383
1384     ip6_hdr = ipv6_hdr(skb);
1385     old_hop = (struct ipv6_opt_hdr *)(ip6_hdr + 1);
1386     old_hop_len = ipv6_optlen(old_hop);
1387
1388     ret_val = calipso_opt_find(old_hop, &start, &end);
1389     if (ret_val)
1390         return ret_val;
1391
1392     if (start == sizeof(*old_hop) && end == old_hop_len) {
1393         /* There's no other option in the header so we delete
1394          * the whole thing. */
1395         delta = old_hop_len;
1396         size = sizeof(*ip6_hdr);
1397         ip6_hdr->nexthdr = old_hop->nexthdr;
1398     } else {
1399         delta = (end - start) & ~7;
1400         if (delta)
1401             old_hop->hdrlen -= delta / 8;
1402         pad = (end - start) & 7;
1403         size = sizeof(*ip6_hdr) + start + pad;
1404         calipso_pad_write((unsigned char *)old_hop, start, pad);
1405     }
1406
1407     if (delta) {
1408         skb_pull(skb, delta);
1409         memmove((char *)ip6_hdr + delta, ip6_hdr, size);
1410         skb_reset_network_header(skb);
1411     }
1412
1413     return 0;
1414 }
1415
1416 static const struct netlbl_calipso_ops ops = {
1417     .doi_add          = calipso_doi_add,
1418     .doi_free         = calipso_doi_free,
1419     .doi_remove       = calipso_doi_remove,
1420     .doi_getdef       = calipso_doi_getdef,
1421     .doi_putdef       = calipso_doi_putdef,
1422     .doi_walk         = calipso_doi_walk,
1423     .sock_getattr     = calipso_sock_getattr,
1424     .sock_setattr     = calipso_sock_setattr,
1425     .sock_delattr     = calipso_sock_delattr,
1426     .req_setattr      = calipso_req_setattr,
1427     .req_delattr      = calipso_req_delattr,
1428     .opt_getattr      = calipso_opt_getattr,
1429     .skbuff_optptr    = calipso_skbuff_optptr,
1430     .skbuff_setattr   = calipso_skbuff_setattr,
1431     .skbuff_delattr   = calipso_skbuff_delattr,
1432     .cache_invalidate = calipso_cache_invalidate,
1433     .cache_add        = calipso_cache_add
1434 };
1435
1436 /**
1437  * calipso_init - Initialize the CALIPSO module
1438  *
1439  * Description:
1440  * Initialize the CALIPSO module and prepare it for use.  Returns zero on
1441  * success and negative values on failure.
1442  *
1443  */
1444 int __init calipso_init(void)
1445 {
1446     int ret_val;
1447
1448     ret_val = calipso_cache_init();
1449     if (!ret_val)
1450         netlbl_calipso_ops_register(&ops);
1451     return ret_val;
1452 }
1453
1454 void calipso_exit(void)
1455 {
1456     netlbl_calipso_ops_register(NULL);
1457     calipso_cache_invalidate();
1458     kfree(calipso_cache);
1459 }