| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <3c5f04d21ebf5e6c0f6344aef9646a37926a7032.1716143499.git.antony.antony@secunet.com>
Date: Sun, 19 May 2024 20:37:23 +0200
From: Antony Antony <antony.antony@...unet.com>
To: Stephen Hemminger <stephen@...workplumber.org>, David Ahern
<dsahern@...il.com>
CC: <netdev@...r.kernel.org>, <devel@...ux-ipsec.org>, Steffen Klassert
<steffen.klassert@...unet.com>, Eyal Birger <eyal.birger@...il.com>, "Antony
Antony" <antony.antony@...unet.com>, Nicolas Dichtel
<nicolas.dichtel@...nd.com>, Sabrina Dubroca <sd@...asysnail.net>, "Christian
Hopps" <chopps@...pps.org>
Subject: [PATCH RFC iproute2-next 2/3] xfrm: support xfrm SA direction
attribute
- Add parsing "ip xfrm state add .. dir [ in|out ]
- Add printing XFRMA_SA_DIR.
- allow replay-window 0 on output state with esn
Previously:
ip xfrm state add src 192.1.3.33 dst 192.1.2.23 proto esp spi 1 \
reqid 1 mode tunnel aead 'rfc4106(gcm(aes))' \
0x1111111111111111111111111111111111111111 96
sel src 192.0.3.0/25 dst 192.0.2.0/25 dir out flag esn
Error: esn flag set without replay-window.
When the SA direction is set, kernel only allows oputput SA, with ESN
and replay-window zero. This change would not affect any existing use
cases; configuring SA.
Signed-off-by: Antony Antony <antony.antony@...unet.com>
---
ip/ipxfrm.c | 12 ++++++++++++
ip/xfrm_state.c | 44 ++++++++++++++++++++++++++++++++++++++++----
2 files changed, 52 insertions(+), 4 deletions(-)
diff --git a/ip/ipxfrm.c b/ip/ipxfrm.c
index b78c712d..3c0faf62 100644
--- a/ip/ipxfrm.c
+++ b/ip/ipxfrm.c
@@ -904,6 +904,18 @@ void xfrm_xfrma_print(struct rtattr *tb[], __u16 family, FILE *fp,
fprintf(fp, "tfcpad %u", tfcpad);
fprintf(fp, "%s", _SL_);
}
+ if (tb[XFRMA_SA_DIR]) {
+ __u8 dir = rta_getattr_u8(tb[XFRMA_SA_DIR]);
+
+ fprintf(fp, "\tdir ");
+ if (dir == XFRM_SA_DIR_IN)
+ fprintf(fp, "in");
+ else if (dir == XFRM_SA_DIR_OUT)
+ fprintf(fp, "out");
+ else
+ fprintf(fp, " %d", dir);
+ fprintf(fp, "%s", _SL_);
+ }
}
static int xfrm_selector_iszero(struct xfrm_selector *s)
diff --git a/ip/xfrm_state.c b/ip/xfrm_state.c
index 9be65b2f..214d0d07 100644
--- a/ip/xfrm_state.c
+++ b/ip/xfrm_state.c
@@ -47,9 +47,9 @@ static void usage(void)
" [ coa ADDR[/PLEN] ] [ ctx CTX ] [ extra-flag EXTRA-FLAG-LIST ]\n"
" [ offload [ crypto | packet ] dev DEV dir DIR ]\n"
" [ output-mark OUTPUT-MARK [ mask MASK ] ]\n"
- " [ if_id IF_ID ] [ tfcpad LENGTH ]\n"
+ " [ if_id IF_ID ] [ tfcpad LENGTH ] [dir DIR]\n"
"Usage: ip xfrm state allocspi ID [ mode MODE ] [ mark MARK [ mask MASK ] ]\n"
- " [ reqid REQID ] [ seq SEQ ] [ min SPI max SPI ]\n"
+ " [ reqid REQID ] [ seq SEQ ] [ min SPI max SPI ] [dir DIR]\n"
"Usage: ip xfrm state { delete | get } ID [ mark MARK [ mask MASK ] ]\n"
"Usage: ip xfrm state deleteall [ ID ] [ mode MODE ] [ reqid REQID ]\n"
" [ flag FLAG-LIST ]\n"
@@ -290,7 +290,9 @@ static int xfrm_state_modify(int cmd, unsigned int flags, int argc, char **argv)
struct xfrm_replay_state_esn replay_esn = {};
struct xfrm_user_offload xuo = {};
unsigned int ifindex = 0;
- __u8 dir = 0;
+ __u8 dir = 0; /* only used with xuo XFRMA_OFFLOAD */
+ __u8 sa_dir = 0; /* state direction. Should match the above when offload */
+
bool is_offload = false, is_packet_offload = false;
__u32 replay_window = 0;
__u32 seq = 0, oseq = 0, seq_hi = 0, oseq_hi = 0;
@@ -462,6 +464,14 @@ static int xfrm_state_modify(int cmd, unsigned int flags, int argc, char **argv)
NEXT_ARG();
if (get_u32(&tfcpad, *argv, 0))
invarg("value after \"tfcpad\" is invalid", *argv);
+ } else if (strcmp(*argv, "dir") == 0) {
+ NEXT_ARG();
+ if (strcmp(*argv, "in") == 0)
+ sa_dir = XFRM_SA_DIR_IN;
+ else if (strcmp(*argv, "out") == 0)
+ sa_dir = XFRM_SA_DIR_OUT;
+ else
+ invarg("value after \"dir\" is invalid", *argv);
} else {
/* try to assume ALGO */
int type = xfrm_algotype_getbyname(*argv);
@@ -587,7 +597,7 @@ static int xfrm_state_modify(int cmd, unsigned int flags, int argc, char **argv)
}
if (req.xsinfo.flags & XFRM_STATE_ESN &&
- replay_window == 0) {
+ replay_window == 0 && sa_dir != XFRM_SA_DIR_OUT ) {
fprintf(stderr, "Error: esn flag set without replay-window.\n");
exit(-1);
}
@@ -760,6 +770,14 @@ static int xfrm_state_modify(int cmd, unsigned int flags, int argc, char **argv)
if (output_mark.m)
addattr32(&req.n, sizeof(req.buf), XFRMA_SET_MARK_MASK, output_mark.m);
+ if (sa_dir) {
+ int r = addattr8(&req.n, sizeof(req.buf), XFRMA_SA_DIR, sa_dir);
+ if (r < 0) {
+ fprintf(stderr, "XFRMA_SA_DIR failed\n");
+ exit(1);
+ }
+ }
+
if (rtnl_open_byproto(&rth, 0, NETLINK_XFRM) < 0)
exit(1);
@@ -792,6 +810,7 @@ static int xfrm_state_allocspi(int argc, char **argv)
char *maxp = NULL;
struct xfrm_mark mark = {0, 0};
struct nlmsghdr *answer;
+ __u8 sa_dir = 0;
while (argc > 0) {
if (strcmp(*argv, "mode") == 0) {
@@ -823,6 +842,14 @@ static int xfrm_state_allocspi(int argc, char **argv)
if (get_u32(&req.xspi.max, *argv, 0))
invarg("value after \"max\" is invalid", *argv);
+ } else if (strcmp(*argv, "dir") == 0) {
+ NEXT_ARG();
+ if (strcmp(*argv, "in") == 0)
+ sa_dir = XFRM_SA_DIR_IN;
+ else if (strcmp(*argv, "out") == 0)
+ sa_dir = XFRM_SA_DIR_OUT;
+ else
+ invarg("value after \"dir\" is invalid", *argv);
} else {
/* try to assume ID */
if (idp)
@@ -875,6 +902,15 @@ static int xfrm_state_allocspi(int argc, char **argv)
req.xspi.max = 0xffff;
}
+ if (sa_dir) {
+ int r = addattr8(&req.n, sizeof(req.buf), XFRMA_SA_DIR, sa_dir);
+
+ if (r < 0) {
+ fprintf(stderr, "XFRMA_SA_DIR failed\n");
+ exit(1);
+ }
+ }
+
if (mark.m & mark.v) {
int r = addattr_l(&req.n, sizeof(req.buf), XFRMA_MARK,
(void *)&mark, sizeof(mark));
--
2.30.2
Powered by blists - more mailing lists