kpriv/linux-hardened
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

esp6: Add support for IPsec extended sequence numbers

Browse source 
This patch adds IPsec extended sequence numbers support to esp6.
We use the authencesn crypto algorithm to handle esp with separate
encryption/authentication algorithms.

Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Steffen Klassert 2011-03-08 00:07:51 +00:00 committed by David S. Miller
parent 0dc49e9b28
commit d212a4c290
1 changed files with 86 additions and 19 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

95
net/ipv6/esp6.c
View file

@ -54,16 +54,20 @@ static u32 esp6_get_mtu(struct xfrm_state *x, int mtu);
/* /*
* Allocate an AEAD request structure with extra space for SG and IV. * Allocate an AEAD request structure with extra space for SG and IV.
* *
* For alignment considerations the IV is placed at the front, followed * For alignment considerations the upper 32 bits of the sequence number are
* by the request and finally the SG list. * placed at the front, if present. Followed by the IV, the request and finally
* the SG list.
* *
* TODO: Use spare space in skb for this where possible. * TODO: Use spare space in skb for this where possible.
*/ */
static void *esp_alloc_tmp(struct crypto_aead *aead, int nfrags) static void *esp_alloc_tmp(struct crypto_aead *aead, int nfrags, int seqihlen)
{ {
unsigned int len; unsigned int len;
len = crypto_aead_ivsize(aead); len = seqihlen;
len += crypto_aead_ivsize(aead);
if (len) { if (len) {
len += crypto_aead_alignmask(aead) & len += crypto_aead_alignmask(aead) &
~(crypto_tfm_ctx_alignment() - 1); ~(crypto_tfm_ctx_alignment() - 1);
@ -78,10 +82,16 @@ static void *esp_alloc_tmp(struct crypto_aead *aead, int nfrags)
return kmalloc(len, GFP_ATOMIC); return kmalloc(len, GFP_ATOMIC);
} }
static inline u8 *esp_tmp_iv(struct crypto_aead *aead, void *tmp) static inline __be32 *esp_tmp_seqhi(void *tmp)
{
return PTR_ALIGN((__be32 *)tmp, __alignof__(__be32));
}
static inline u8 *esp_tmp_iv(struct crypto_aead *aead, void *tmp, int seqhilen)
{ {
return crypto_aead_ivsize(aead) ? return crypto_aead_ivsize(aead) ?
PTR_ALIGN((u8 *)tmp, crypto_aead_alignmask(aead) + 1) : tmp; PTR_ALIGN((u8 *)tmp + seqhilen,
crypto_aead_alignmask(aead) + 1) : tmp + seqhilen;
} }
static inline struct aead_givcrypt_request *esp_tmp_givreq( static inline struct aead_givcrypt_request *esp_tmp_givreq(
@ -145,8 +155,12 @@ static int esp6_output(struct xfrm_state *x, struct sk_buff *skb)
int plen; int plen;
int tfclen; int tfclen;
int nfrags; int nfrags;
int assoclen;
int sglists;
int seqhilen;
u8 *iv; u8 *iv;
u8 *tail; u8 *tail;
__be32 *seqhi;
struct esp_data *esp = x->data; struct esp_data *esp = x->data;
/* skb is pure payload to encrypt */ /* skb is pure payload to encrypt */
@ -175,14 +189,25 @@ static int esp6_output(struct xfrm_state *x, struct sk_buff *skb)
goto error; goto error;
nfrags = err; nfrags = err;
tmp = esp_alloc_tmp(aead, nfrags + 1); assoclen = sizeof(*esph);
sglists = 1;
seqhilen = 0;
if (x->props.flags & XFRM_STATE_ESN) {
sglists += 2;
seqhilen += sizeof(__be32);
assoclen += seqhilen;
}
tmp = esp_alloc_tmp(aead, nfrags + sglists, seqhilen);
if (!tmp) if (!tmp)
goto error; goto error;
iv = esp_tmp_iv(aead, tmp); seqhi = esp_tmp_seqhi(tmp);
iv = esp_tmp_iv(aead, tmp, seqhilen);
req = esp_tmp_givreq(aead, iv); req = esp_tmp_givreq(aead, iv);
asg = esp_givreq_sg(aead, req); asg = esp_givreq_sg(aead, req);
sg = asg + 1; sg = asg + sglists;
/* Fill padding... */ /* Fill padding... */
tail = skb_tail_pointer(trailer); tail = skb_tail_pointer(trailer);
@ -210,11 +235,19 @@ static int esp6_output(struct xfrm_state *x, struct sk_buff *skb)
skb_to_sgvec(skb, sg, skb_to_sgvec(skb, sg,
esph->enc_data + crypto_aead_ivsize(aead) - skb->data, esph->enc_data + crypto_aead_ivsize(aead) - skb->data,
clen + alen); clen + alen);
if ((x->props.flags & XFRM_STATE_ESN)) {
sg_init_table(asg, 3);
sg_set_buf(asg, &esph->spi, sizeof(__be32));
*seqhi = htonl(XFRM_SKB_CB(skb)->seq.output.hi);
sg_set_buf(asg + 1, seqhi, seqhilen);
sg_set_buf(asg + 2, &esph->seq_no, sizeof(__be32));
} else
sg_init_one(asg, esph, sizeof(*esph)); sg_init_one(asg, esph, sizeof(*esph));
aead_givcrypt_set_callback(req, 0, esp_output_done, skb); aead_givcrypt_set_callback(req, 0, esp_output_done, skb);
aead_givcrypt_set_crypt(req, sg, sg, clen, iv); aead_givcrypt_set_crypt(req, sg, sg, clen, iv);
aead_givcrypt_set_assoc(req, asg, sizeof(*esph)); aead_givcrypt_set_assoc(req, asg, assoclen);
aead_givcrypt_set_giv(req, esph->enc_data, aead_givcrypt_set_giv(req, esph->enc_data,
XFRM_SKB_CB(skb)->seq.output.low); XFRM_SKB_CB(skb)->seq.output.low);
@ -292,8 +325,12 @@ static int esp6_input(struct xfrm_state *x, struct sk_buff *skb)
struct sk_buff *trailer; struct sk_buff *trailer;
int elen = skb->len - sizeof(*esph) - crypto_aead_ivsize(aead); int elen = skb->len - sizeof(*esph) - crypto_aead_ivsize(aead);
int nfrags; int nfrags;
int assoclen;
int sglists;
int seqhilen;
int ret = 0; int ret = 0;
void *tmp; void *tmp;
__be32 *seqhi;
u8 *iv; u8 *iv;
struct scatterlist *sg; struct scatterlist *sg;
struct scatterlist *asg; struct scatterlist *asg;
@ -314,12 +351,24 @@ static int esp6_input(struct xfrm_state *x, struct sk_buff *skb)
} }
ret = -ENOMEM; ret = -ENOMEM;
tmp = esp_alloc_tmp(aead, nfrags + 1);
assoclen = sizeof(*esph);
sglists = 1;
seqhilen = 0;
if (x->props.flags & XFRM_STATE_ESN) {
sglists += 2;
seqhilen += sizeof(__be32);
assoclen += seqhilen;
}
tmp = esp_alloc_tmp(aead, nfrags + sglists, seqhilen);
if (!tmp) if (!tmp)
goto out; goto out;
ESP_SKB_CB(skb)->tmp = tmp; ESP_SKB_CB(skb)->tmp = tmp;
iv = esp_tmp_iv(aead, tmp); seqhi = esp_tmp_seqhi(tmp);
iv = esp_tmp_iv(aead, tmp, seqhilen);
req = esp_tmp_req(aead, iv); req = esp_tmp_req(aead, iv);
asg = esp_req_sg(aead, req); asg = esp_req_sg(aead, req);
sg = asg + 1; sg = asg + 1;
@ -333,11 +382,19 @@ static int esp6_input(struct xfrm_state *x, struct sk_buff *skb)
sg_init_table(sg, nfrags); sg_init_table(sg, nfrags);
skb_to_sgvec(skb, sg, sizeof(*esph) + crypto_aead_ivsize(aead), elen); skb_to_sgvec(skb, sg, sizeof(*esph) + crypto_aead_ivsize(aead), elen);
if ((x->props.flags & XFRM_STATE_ESN)) {
sg_init_table(asg, 3);
sg_set_buf(asg, &esph->spi, sizeof(__be32));
*seqhi = XFRM_SKB_CB(skb)->seq.input.hi;
sg_set_buf(asg + 1, seqhi, seqhilen);
sg_set_buf(asg + 2, &esph->seq_no, sizeof(__be32));
} else
sg_init_one(asg, esph, sizeof(*esph)); sg_init_one(asg, esph, sizeof(*esph));
aead_request_set_callback(req, 0, esp_input_done, skb); aead_request_set_callback(req, 0, esp_input_done, skb);
aead_request_set_crypt(req, sg, sg, elen, iv); aead_request_set_crypt(req, sg, sg, elen, iv);
aead_request_set_assoc(req, asg, sizeof(*esph)); aead_request_set_assoc(req, asg, assoclen);
ret = crypto_aead_decrypt(req); ret = crypto_aead_decrypt(req);
if (ret == -EINPROGRESS) if (ret == -EINPROGRESS)
@ -443,10 +500,20 @@ static int esp_init_authenc(struct xfrm_state *x)
goto error; goto error;
err = -ENAMETOOLONG; err = -ENAMETOOLONG;
if (snprintf(authenc_name, CRYPTO_MAX_ALG_NAME, "authenc(%s,%s)",
if ((x->props.flags & XFRM_STATE_ESN)) {
if (snprintf(authenc_name, CRYPTO_MAX_ALG_NAME,
"authencesn(%s,%s)",
x->aalg ? x->aalg->alg_name : "digest_null", x->aalg ? x->aalg->alg_name : "digest_null",
x->ealg->alg_name) >= CRYPTO_MAX_ALG_NAME) x->ealg->alg_name) >= CRYPTO_MAX_ALG_NAME)
goto error; goto error;
} else {
if (snprintf(authenc_name, CRYPTO_MAX_ALG_NAME,
"authenc(%s,%s)",
x->aalg ? x->aalg->alg_name : "digest_null",
x->ealg->alg_name) >= CRYPTO_MAX_ALG_NAME)
goto error;
}
aead = crypto_alloc_aead(authenc_name, 0, 0); aead = crypto_alloc_aead(authenc_name, 0, 0);
err = PTR_ERR(aead); err = PTR_ERR(aead);