Re: [PATCH net-next] xfrm: no-anti-replay protection flag
From: Christophe Gouault <hidden>
Date: 2020-05-27 17:11:34
Also in:
lkml
Hi Petr, This patch is useful, however I think you should change the name of the option and amend its description: the option does not disable anti-replay in output (it can only be disabled in input), it allows the output sequence number to wrap, and it assumes that the remote peer disabled anti-replay in input. So you I suggest you change the name of the option to something like XFRM_SA_XFLAG_OSEQ_MAY_WRAP or XFRM_SA_XFLAG_ALLOW_OSEQ_WRAP. Best regards, Christophe Le lun. 25 mai 2020 à 17:53, Petr Vaněk [off-list ref] a écrit :
quoted hunk ↗ jump to hunk
RFC 4303 in section 3.3.3 suggests to disable anti-replay for manually distributed ICVs. This patch introduces new extra_flag XFRM_SA_XFLAG_NO_ANTI_REPLAY which disables anti-replay for outbound packets if set. The flag is used only in legacy and bmp code, because esn should not be negotiated if anti-replay is disabled (see note in 3.3.3 section). Signed-off-by: Petr Vaněk <redacted> --- include/uapi/linux/xfrm.h | 1 + net/xfrm/xfrm_replay.c | 12 ++++++++---- 2 files changed, 9 insertions(+), 4 deletions(-)diff --git a/include/uapi/linux/xfrm.h b/include/uapi/linux/xfrm.h index 5f3b9fec7b5f..4842b1ed49e9 100644 --- a/include/uapi/linux/xfrm.h +++ b/include/uapi/linux/xfrm.h@@ -387,6 +387,7 @@ struct xfrm_usersa_info { }; #define XFRM_SA_XFLAG_DONT_ENCAP_DSCP 1 +#define XFRM_SA_XFLAG_NO_ANTI_REPLAY 2 struct xfrm_usersa_id { xfrm_address_t daddr;diff --git a/net/xfrm/xfrm_replay.c b/net/xfrm/xfrm_replay.c index 98943f8d01aa..1602843aa2ec 100644 --- a/net/xfrm/xfrm_replay.c +++ b/net/xfrm/xfrm_replay.c@@ -89,7 +89,8 @@ static int xfrm_replay_overflow(struct xfrm_state *x, struct sk_buff *skb) if (x->type->flags & XFRM_TYPE_REPLAY_PROT) { XFRM_SKB_CB(skb)->seq.output.low = ++x->replay.oseq; XFRM_SKB_CB(skb)->seq.output.hi = 0; - if (unlikely(x->replay.oseq == 0)) { + if (unlikely(x->replay.oseq == 0) && + !(x->props.extra_flags & XFRM_SA_XFLAG_NO_ANTI_REPLAY)) { x->replay.oseq--; xfrm_audit_state_replay_overflow(x, skb); err = -EOVERFLOW;@@ -168,7 +169,8 @@ static int xfrm_replay_overflow_bmp(struct xfrm_state *x, struct sk_buff *skb) if (x->type->flags & XFRM_TYPE_REPLAY_PROT) { XFRM_SKB_CB(skb)->seq.output.low = ++replay_esn->oseq; XFRM_SKB_CB(skb)->seq.output.hi = 0; - if (unlikely(replay_esn->oseq == 0)) { + if (unlikely(replay_esn->oseq == 0) && + !(x->props.extra_flags & XFRM_SA_XFLAG_NO_ANTI_REPLAY)) { replay_esn->oseq--; xfrm_audit_state_replay_overflow(x, skb); err = -EOVERFLOW;@@ -572,7 +574,8 @@ static int xfrm_replay_overflow_offload(struct xfrm_state *x, struct sk_buff *sk XFRM_SKB_CB(skb)->seq.output.hi = 0; xo->seq.hi = 0; - if (unlikely(oseq < x->replay.oseq)) { + if (unlikely(oseq < x->replay.oseq) && + !(x->props.extra_flags & XFRM_SA_XFLAG_NO_ANTI_REPLAY)) { xfrm_audit_state_replay_overflow(x, skb); err = -EOVERFLOW;@@ -611,7 +614,8 @@ static int xfrm_replay_overflow_offload_bmp(struct xfrm_state *x, struct sk_buff XFRM_SKB_CB(skb)->seq.output.hi = 0; xo->seq.hi = 0; - if (unlikely(oseq < replay_esn->oseq)) { + if (unlikely(oseq < replay_esn->oseq) && + !(x->props.extra_flags & XFRM_SA_XFLAG_NO_ANTI_REPLAY)) { xfrm_audit_state_replay_overflow(x, skb); err = -EOVERFLOW; --2.26.2