lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Fri, 13 May 2022 17:02:54 +0200
From:   Steffen Klassert <steffen.klassert@...unet.com>
To:     Leon Romanovsky <leon@...nel.org>
CC:     Leon Romanovsky <leonro@...dia.com>,
        "David S . Miller" <davem@...emloft.net>,
        Herbert Xu <herbert@...dor.apana.org.au>,
        <netdev@...r.kernel.org>, Raed Salem <raeds@...dia.com>,
        ipsec-devel <devel@...ux-ipsec.org>
Subject: Re: [PATCH ipsec-next 5/6] xfrm: add RX datapath protection for
 IPsec full offload mode

On Tue, May 10, 2022 at 01:36:56PM +0300, Leon Romanovsky wrote:
> From: Leon Romanovsky <leonro@...dia.com>
> 
> Traffic received by device with enabled IPsec full offload should be
> forwarded to the stack only after decryption, packet headers and
> trailers removed.
> 
> Such packets are expected to be seen as normal (non-XFRM) ones, while
> not-supported packets should be dropped by the HW.
> 
> Signed-off-by: Leon Romanovsky <leonro@...dia.com>
> ---
>  include/net/xfrm.h | 55 +++++++++++++++++++++++++++-------------------
>  1 file changed, 32 insertions(+), 23 deletions(-)
> 
> diff --git a/include/net/xfrm.h b/include/net/xfrm.h
> index 21be19ece4f7..9f9250fe1c4d 100644
> --- a/include/net/xfrm.h
> +++ b/include/net/xfrm.h
> @@ -1094,6 +1094,29 @@ xfrm_state_addr_cmp(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x, un
>  	return !0;
>  }
>  
> +#ifdef CONFIG_XFRM
> +static inline struct xfrm_state *xfrm_input_state(struct sk_buff *skb)
> +{
> +	struct sec_path *sp = skb_sec_path(skb);
> +
> +	return sp->xvec[sp->len - 1];
> +}
> +#endif
> +
> +static inline struct xfrm_offload *xfrm_offload(struct sk_buff *skb)
> +{
> +#ifdef CONFIG_XFRM
> +	struct sec_path *sp = skb_sec_path(skb);
> +
> +	if (!sp || !sp->olen || sp->len != sp->olen)
> +		return NULL;
> +
> +	return &sp->ovec[sp->olen - 1];
> +#else
> +	return NULL;
> +#endif
> +}
> +
>  #ifdef CONFIG_XFRM
>  int __xfrm_policy_check(struct sock *, int dir, struct sk_buff *skb,
>  			unsigned short family);
> @@ -1113,6 +1136,15 @@ static inline int __xfrm_policy_check2(struct sock *sk, int dir,
>  {
>  	struct net *net = dev_net(skb->dev);
>  	int ndir = dir | (reverse ? XFRM_POLICY_MASK + 1 : 0);
> +	struct xfrm_offload *xo = xfrm_offload(skb);
> +	struct xfrm_state *x;
> +
> +	if (xo) {
> +		x = xfrm_input_state(skb);
> +		if (x->xso.type == XFRM_DEV_OFFLOAD_FULL)
> +			return (xo->flags & CRYPTO_DONE) &&
> +			       (xo->status & CRYPTO_SUCCESS);
> +	}

We can not exit without doing the policy check here. The inner
packet could still match a block policy in software. Maybe
we can reset the secpath and do the policy check.

Powered by blists - more mailing lists