From: Petr Vaněk
To: Steffen Klassert, Herbert Xu, "David S. Miller", Jakub Kicinski, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: Petr Vaněk
Subject: [PATCH net-next] xfrm: no-anti-replay protection flag
Date: Mon, 25 May 2020 17:46:33 +0200
Message-ID: <20200525154633.GB22403@atlantis>
X-Mailing-List: linux-kernel@vger.kernel.org

RFC 4303 in section 3.3.3 suggests disabling anti-replay for manually distributed ICVs. This patch introduces a new extra_flag, XFRM_SA_XFLAG_NO_ANTI_REPLAY, which disables anti-replay for outbound packets if set. The flag is used only in the legacy and bmp code, because ESN should not be negotiated if anti-replay is disabled (see the note in section 3.3.3).

Signed-off-by: Petr Vaněk
---
 include/uapi/linux/xfrm.h |  1 +
 net/xfrm/xfrm_replay.c    | 12 ++++++++----
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/include/uapi/linux/xfrm.h b/include/uapi/linux/xfrm.h
index 5f3b9fec7b5f..4842b1ed49e9 100644
--- a/include/uapi/linux/xfrm.h
+++ b/include/uapi/linux/xfrm.h
@@ -387,6 +387,7 @@ struct xfrm_usersa_info { }; #define XFRM_SA_XFLAG_DONT_ENCAP_DSCP 1 +#define XFRM_SA_XFLAG_NO_ANTI_REPLAY 2 struct xfrm_usersa_id { xfrm_address_t daddr; diff --git a/net/xfrm/xfrm_replay.c b/net/xfrm/xfrm_replay.c index 98943f8d01aa..1602843aa2ec 100644 --- a/net/xfrm/xfrm_replay.c +++ b/net/xfrm/xfrm_replay.c @@ -89,7 +89,8 @@ static int xfrm_replay_overflow(struct xfrm_state *x, struct sk_buff *skb) if (x->type->flags & XFRM_TYPE_REPLAY_PROT) { XFRM_SKB_CB(skb)->seq.output.low = ++x->replay.oseq; XFRM_SKB_CB(skb)->seq.output.hi = 0; - if (unlikely(x->replay.oseq == 0)) { + if (unlikely(x->replay.oseq == 0) && + !(x->props.extra_flags & XFRM_SA_XFLAG_NO_ANTI_REPLAY)) { x->replay.oseq--; xfrm_audit_state_replay_overflow(x, skb); err = -EOVERFLOW; @@ -168,7 +169,8 @@ static int xfrm_replay_overflow_bmp(struct xfrm_state *x, struct sk_buff *skb) if (x->type->flags & XFRM_TYPE_REPLAY_PROT) { XFRM_SKB_CB(skb)->seq.output.low = ++replay_esn->oseq; XFRM_SKB_CB(skb)->seq.output.hi = 0; - if (unlikely(replay_esn->oseq == 0)) { + if (unlikely(replay_esn->oseq == 0) && + !(x->props.extra_flags & XFRM_SA_XFLAG_NO_ANTI_REPLAY)) { replay_esn->oseq--; xfrm_audit_state_replay_overflow(x, skb); err = -EOVERFLOW; @@ -572,7 +574,8 @@ static int xfrm_replay_overflow_offload(struct xfrm_state *x, struct sk_buff *sk XFRM_SKB_CB(skb)->seq.output.hi = 0; xo->seq.hi = 0; - if (unlikely(oseq < x->replay.oseq)) { + if (unlikely(oseq < x->replay.oseq) && + !(x->props.extra_flags & XFRM_SA_XFLAG_NO_ANTI_REPLAY)) { xfrm_audit_state_replay_overflow(x, skb); err = -EOVERFLOW; @@ -611,7 +614,8 @@ static int xfrm_replay_overflow_offload_bmp(struct xfrm_state *x, struct sk_buff XFRM_SKB_CB(skb)->seq.output.hi = 0; xo->seq.hi = 0; - if (unlikely(oseq < replay_esn->oseq)) { + if (unlikely(oseq < replay_esn->oseq) && + !(x->props.extra_flags & XFRM_SA_XFLAG_NO_ANTI_REPLAY)) { xfrm_audit_state_replay_overflow(x, skb); err = -EOVERFLOW; -- 2.26.2
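Review bot: the new define in include/uapi/linux/xfrm.h carries no comment, and the name XFRM_SA_XFLAG_NO_ANTI_REPLAY promises more than the patch delivers: the only behaviour it changes is the outbound sequence-number overflow check in net/xfrm/xfrm_replay.c (the diffstat shows no other file), while inbound replay checking is untouched and nothing rejects the flag on an SA that also uses ESN, even though the commit message says ESN must not be used with it. Suggest a one-line comment next to the define, e.g. `/* allow the outbound sequence number to wrap instead of failing with -EOVERFLOW; not valid with ESN */`, plus a check in the SA validation path that refuses the flag together with ESN, or a name that states the actual effect (something like XFRM_SA_XFLAG_ALLOW_SEQ_WRAP).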
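Review bot: in xfrm_replay_overflow the flag test sits after `++x->replay.oseq`, so with the flag set the counter wraps to 0, the packet is sent with sequence number 0, and xfrm_audit_state_replay_overflow() is skipped, leaving no record of the wrap. RFC 4303 section 3.3.3, cited in the commit message, permits roll-over only when the receiver has anti-replay disabled as well; a peer that still keeps a replay window will start discarding traffic at the wrap with nothing on the sender to explain it. Suggest keeping some trace of the event (a comment above the test at minimum, ideally an audit or statistics hit distinct from the overflow error) and stating in the commit message that the local flag tells the peer nothing.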
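Review bot: xfrm_replay_overflow_bmp repeats the same two-line `&& !(x->props.extra_flags & XFRM_SA_XFLAG_NO_ANTI_REPLAY)` test as the legacy hunk, and the two offload hunks add it twice more; four copies of one expression are easy to get out of step. Suggest a small helper, e.g. `static inline bool xfrm_replay_wrap_allowed(const struct xfrm_state *x)`, and wrapping the whole condition in unlikely() rather than only its first term, since the combined branch is still the rare case.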
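Review bot: the commit message says the flag is used only in the legacy and bmp code, yet this hunk changes xfrm_replay_overflow_offload and the next one xfrm_replay_overflow_offload_bmp. Suggest listing the four functions actually changed (the legacy and bmp variants with and without offload) and saying explicitly that the *_esn variants are left untouched on purpose, so a reader does not have to diff the file to learn which paths honour the flag. Here the wrap is detected by `oseq < x->replay.oseq` rather than `== 0`; with the flag set the comparison still fires on every wrap and is simply ignored, which is consistent with the legacy hunk, but the audit call is skipped in the same way.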
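Review bot: nothing in the patch shows how the flag is set or exercised; extra_flags is only reachable through xfrm_usersa_info, so user space (iproute2's `ip xfrm state ... extra-flag` list, which today knows dont-encap-dscp) needs a matching keyword before anyone can use it. Suggest sending the iproute2 change alongside and describing a test in the commit message: create an SA with replay-window 0, this flag and replay-oseq set just below 2^32, send a few packets and confirm that the one crossing the boundary leaves with ESP sequence number 0 instead of being dropped with -EOVERFLOW, for both the bmp and the offload_bmp paths.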