ipv6: sr: add core files for SR HMAC support
This patch adds the necessary functions to compute and check the HMAC signature of an SR-enabled packet. Two HMAC algorithms are supported: hmac(sha1) and hmac(sha256). In order to avoid dynamic memory allocation for each HMAC computation, a per-cpu ring buffer is allocated for this purpose. A new per-interface sysctl called seg6_require_hmac is added, allowing a user-defined policy for processing HMAC-signed SR-enabled packets. A value of -1 means that the HMAC field will always be ignored. A value of 0 means that if an HMAC field is present, its validity will be enforced (the packet is dropped if the signature is incorrect). Finally, a value of 1 means that any SR-enabled packet that does not contain an HMAC signature, or whose signature is incorrect, will be dropped. Signed-off-by: David Lebrun <[email protected]> Signed-off-by: David S. Miller <[email protected]>
Showing
10 changed files
with
612 additions
and
0 deletions.
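--- /dev/null
+++ b/include/linux/seg6_hmac.h
@@ -0,0 +1,6 @@
+#ifndef _LINUX_SEG6_HMAC_H
+#define _LINUX_SEG6_HMAC_H
+
+#include <uapi/linux/seg6_hmac.h>
+
+#endif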
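--- /dev/null
+++ b/include/net/seg6_hmac.h
@@ -0,0 +1,62 @@
+/*
+ * SR-IPv6 implementation
+ *
+ * Author:
+ * David Lebrun <[email protected]>
+ *
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version
+ * 2 of the License, or (at your option) any later version.
+ */
+
+#ifndef _NET_SEG6_HMAC_H
+#define _NET_SEG6_HMAC_H
+
+#include <net/flow.h>
+#include <net/ip6_fib.h>
+#include <net/sock.h>
+#include <linux/ip.h>
+#include <linux/ipv6.h>
+#include <linux/route.h>
+#include <net/seg6.h>
+#include <linux/seg6_hmac.h>
+#include <linux/rhashtable.h>
+
+#define SEG6_HMAC_MAX_DIGESTSIZE 160
+#define SEG6_HMAC_RING_SIZE 256
+
+struct seg6_hmac_info {
+	struct rhash_head node;
+	struct rcu_head rcu;
+
+	u32 hmackeyid;
+	char secret[SEG6_HMAC_SECRET_LEN];
+	u8 slen;
+	u8 alg_id;
+};
+
+struct seg6_hmac_algo {
+	u8 alg_id;
+	char name[64];
+	struct crypto_shash * __percpu *tfms;
+	struct shash_desc * __percpu *shashs;
+};
+
+extern int seg6_hmac_compute(struct seg6_hmac_info *hinfo,
+			     struct ipv6_sr_hdr *hdr, struct in6_addr *saddr,
+			     u8 *output);
+extern struct seg6_hmac_info *seg6_hmac_info_lookup(struct net *net, u32 key);
+extern int seg6_hmac_info_add(struct net *net, u32 key,
+			      struct seg6_hmac_info *hinfo);
+extern int seg6_hmac_info_del(struct net *net, u32 key);
+extern int seg6_push_hmac(struct net *net, struct in6_addr *saddr,
+			  struct ipv6_sr_hdr *srh);
+extern bool seg6_hmac_validate_skb(struct sk_buff *skb);
+extern int seg6_hmac_init(void);
+extern void seg6_hmac_exit(void);
+extern int seg6_hmac_net_init(struct net *net);
+extern void seg6_hmac_net_exit(struct net *net);
+
+#endif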
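Review bot: The fields of `struct seg6_hmac_info` and `struct seg6_hmac_algo` and the two size constants carry no comments, so a reader cannot tell what `SEG6_HMAC_MAX_DIGESTSIZE 160` bounds, what `SEG6_HMAC_RING_SIZE` sizes (the commit message suggests the per-cpu ring buffer), or what `slen` measures (presumably the number of `secret` bytes in use). `secret[SEG6_HMAC_SECRET_LEN]` is the HMAC key itself, so its comment should state who owns the object and that the key bytes must be cleared before the memory is released; the `rcu` member suggests a deferred free elsewhere that this hunk does not show, and a plain `kfree` path would leave key material in freed memory. Suggested: `char secret[SEG6_HMAC_SECRET_LEN]; /* HMAC key material: clear before free */` and `u8 slen; /* bytes of secret in use - confirm */`. `seg6_hmac_validate_skb` returns a bare `bool` with no statement of how its result interacts with the per-interface `seg6_require_hmac` policy described in the commit message; a one-line comment on the prototype would spare callers reading the implementation. The `extern` on function prototypes is redundant and uncommon in net headers; dropping it is a style nit.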
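--- /dev/null
+++ b/include/uapi/linux/seg6_hmac.h
@@ -0,0 +1,21 @@
+#ifndef _UAPI_LINUX_SEG6_HMAC_H
+#define _UAPI_LINUX_SEG6_HMAC_H
+
+#include <linux/seg6.h>
+
+#define SEG6_HMAC_SECRET_LEN 64
+#define SEG6_HMAC_FIELD_LEN 32
+
+struct sr6_tlv_hmac {
+	struct sr6_tlv tlvhdr;
+	__u16 reserved;
+	__be32 hmackeyid;
+	__u8 hmac[SEG6_HMAC_FIELD_LEN];
+};
+
+enum {
+	SEG6_HMAC_ALGO_SHA1 = 1,
+	SEG6_HMAC_ALGO_SHA256 = 2,
+};
+
+#endif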
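Review bot: `struct sr6_tlv_hmac` is an on-the-wire TLV layout exported to userspace, but nothing says so, and nothing says how a 20-byte hmac(sha1) digest fills the fixed 32-byte `hmac` field when the commit message lists sha1 alongside sha256; the padding or truncation rule decides whether a userspace-built TLV verifies, so it belongs in a comment on the field, e.g. `__u8 hmac[SEG6_HMAC_FIELD_LEN]; /* digest, zero-padded to 32 bytes - confirm rule */`. `__u16 reserved` should state what senders must write and whether the receiver checks it, since an unchecked reserved field is a covert place to carry data past the signature. The struct relies on natural layout with no packed attribute; that is padding-free only if `struct sr6_tlv` (from linux/seg6.h, outside this hunk) is two bytes, which is worth a comment next to `tlvhdr`. Likewise `SEG6_HMAC_SECRET_LEN 64` is a userspace-visible maximum key length and deserves a one-line comment saying so.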