From: Steffen Klassert <steffen.klassert@secunet.com>
To: David Miller <davem@davemloft.net>
Cc: Herbert Xu <herbert@gondor.apana.org.au>,
	Steffen Klassert <steffen.klassert@secunet.com>,
	<netdev@vger.kernel.org>
Subject: [PATCH 01/19] xfrm: introduce oseq-may-wrap flag
Date: Thu, 30 Jul 2020 07:41:12 +0200
Message-ID: <20200730054130.16923-2-steffen.klassert@secunet.com>
In-Reply-To: <20200730054130.16923-1-steffen.klassert@secunet.com>

From: Petr Vaněk <pv@excello.cz>

RFC 4303 in section 3.3.3 suggests disabling anti-replay for manually
distributed ICVs, in which case the sender does not need to monitor or
reset the counter. However, the sender still increments the counter and
when it reaches the maximum value, the counter rolls over back to zero.

This patch introduces a new extra_flag, XFRM_SA_XFLAG_OSEQ_MAY_WRAP, which
allows the sequence number to cycle in outbound packets if set. This flag is
used only in legacy and bmp code, because ESN should not be negotiated
if anti-replay is disabled (see the note in section 3.3.3).

Signed-off-by: Petr Vaněk <pv@excello.cz>
Acked-by: Christophe Gouault <christophe.gouault@6wind.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
---
 include/uapi/linux/xfrm.h |  1 +
 net/xfrm/xfrm_replay.c    | 12 ++++++++----
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/include/uapi/linux/xfrm.h b/include/uapi/linux/xfrm.h
index ff7cfdc6cb44..ffc6a5391bb7 100644
--- a/include/uapi/linux/xfrm.h
+++ b/include/uapi/linux/xfrm.h
@@ -387,6 +387,7 @@ struct xfrm_usersa_info {
 };
 
 #define XFRM_SA_XFLAG_DONT_ENCAP_DSCP	1
+#define XFRM_SA_XFLAG_OSEQ_MAY_WRAP	2
 
 struct xfrm_usersa_id {
 	xfrm_address_t			daddr;
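Review bot: the new UAPI define carries no documentation of when it is valid. Since the flag is only honoured on the non-ESN output paths and only makes sense when the peer has anti-replay disabled (as the commit message explains), a short comment next to `#define XFRM_SA_XFLAG_OSEQ_MAY_WRAP	2` stating those two preconditions would save userspace authors from reading xfrm_replay.c to find them out. A matching iproute2 change (so `ip xfrm state` can set and display the flag) should also be referenced, as it was for XFRM_SA_XFLAG_DONT_ENCAP_DSCP.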
diff --git a/net/xfrm/xfrm_replay.c b/net/xfrm/xfrm_replay.c
index 98943f8d01aa..c6a4338a0d08 100644
--- a/net/xfrm/xfrm_replay.c
+++ b/net/xfrm/xfrm_replay.c
@@ -89,7 +89,8 @@ static int xfrm_replay_overflow(struct xfrm_state *x, struct sk_buff *skb)
 	if (x->type->flags & XFRM_TYPE_REPLAY_PROT) {
 		XFRM_SKB_CB(skb)->seq.output.low = ++x->replay.oseq;
 		XFRM_SKB_CB(skb)->seq.output.hi = 0;
-		if (unlikely(x->replay.oseq == 0)) {
+		if (unlikely(x->replay.oseq == 0) &&
+		    !(x->props.extra_flags & XFRM_SA_XFLAG_OSEQ_MAY_WRAP)) {
 			x->replay.oseq--;
 			xfrm_audit_state_replay_overflow(x, skb);
 			err = -EOVERFLOW;
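Review bot: the flag is only consulted at the wrap point, so nothing rejects a misconfigured SA; an SA created with XFRM_STATE_ESN plus XFRM_SA_XFLAG_OSEQ_MAY_WRAP will silently ignore the flag because the ESN overflow path is not touched by this series. Consider failing such a combination at SA creation (verify_newsa_info() in xfrm_user.c) so the mismatch with the "ESN should not be negotiated" precondition is reported with -EINVAL rather than discovered after 2^32 packets. Also note that with the flag set the wrap is no longer audited at all: `xfrm_audit_state_replay_overflow(x, skb)` is skipped along with the error, so an operator gets no record that sequence numbers on a manually keyed SA have started repeating. A rate-limited audit or a per-state counter on the wrap would keep that visibility without blocking traffic.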
@@ -168,7 +169,8 @@ static int xfrm_replay_overflow_bmp(struct xfrm_state *x, struct sk_buff *skb)
 	if (x->type->flags & XFRM_TYPE_REPLAY_PROT) {
 		XFRM_SKB_CB(skb)->seq.output.low = ++replay_esn->oseq;
 		XFRM_SKB_CB(skb)->seq.output.hi = 0;
-		if (unlikely(replay_esn->oseq == 0)) {
+		if (unlikely(replay_esn->oseq == 0) &&
+		    !(x->props.extra_flags & XFRM_SA_XFLAG_OSEQ_MAY_WRAP)) {
 			replay_esn->oseq--;
 			xfrm_audit_state_replay_overflow(x, skb);
 			err = -EOVERFLOW;
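Review bot: this is the second of four identical `!(x->props.extra_flags & XFRM_SA_XFLAG_OSEQ_MAY_WRAP)` tests added by this patch. A small static inline helper in xfrm_replay.c, for example `xfrm_replay_oseq_may_wrap(x)`, would keep the four call sites in sync if the condition later grows (for instance to also check the ESN or replay_window preconditions mentioned in the commit message).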
@@ -572,7 +574,8 @@ static int xfrm_replay_overflow_offload(struct xfrm_state *x, struct sk_buff *sk
 
 		XFRM_SKB_CB(skb)->seq.output.hi = 0;
 		xo->seq.hi = 0;
-		if (unlikely(oseq < x->replay.oseq)) {
+		if (unlikely(oseq < x->replay.oseq) &&
+		    !(x->props.extra_flags & XFRM_SA_XFLAG_OSEQ_MAY_WRAP)) {
 			xfrm_audit_state_replay_overflow(x, skb);
 			err = -EOVERFLOW;
 
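Review bot: on the offload path the overflow test is `oseq < x->replay.oseq` rather than `== 0`, because the local `oseq` has been advanced by the number of segments before the check. The visible context does not show what happens after the skipped error branch: please confirm that the wrapped `oseq` is still written back to `x->replay.oseq`, and that the per-segment sequence assignment further down handles a batch whose numbers straddle the wrap, so the next packet continues from the wrapped value rather than reusing pre-wrap numbers.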
@@ -611,7 +614,8 @@ static int xfrm_replay_overflow_offload_bmp(struct xfrm_state *x, struct sk_buff
 
 		XFRM_SKB_CB(skb)->seq.output.hi = 0;
 		xo->seq.hi = 0;
-		if (unlikely(oseq < replay_esn->oseq)) {
+		if (unlikely(oseq < replay_esn->oseq) &&
+		    !(x->props.extra_flags & XFRM_SA_XFLAG_OSEQ_MAY_WRAP)) {
 			xfrm_audit_state_replay_overflow(x, skb);
 			err = -EOVERFLOW;
 
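Review bot: the commit message says the flag "is used only in legacy and bmp code", but the diff also changes both offload variants, xfrm_replay_overflow_offload() and xfrm_replay_overflow_offload_bmp(). Please either reword that sentence (the distinction being drawn is non-ESN versus ESN, not legacy/bmp versus offload) or state explicitly that the ESN paths are the only ones left untouched, so a reader of the changelog is not surprised by the two offload hunks.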
-- 
2.17.1

