search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge tag 'iommu-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux
[linux/fpc-iii.git] / net / ipv6 / seg6_hmac.c
blob687d95dce08522bebf6d0c3b0473cb8eb3f2a17d
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3 * SR-IPv6 implementation -- HMAC functions
4 *
5 * Author:
6 * David Lebrun <david.lebrun@uclouvain.be>
7 */
8
9 #include <linux/errno.h>
10 #include <linux/kernel.h>
11 #include <linux/types.h>
12 #include <linux/socket.h>
13 #include <linux/sockios.h>
14 #include <linux/net.h>
15 #include <linux/netdevice.h>
16 #include <linux/in6.h>
17 #include <linux/icmpv6.h>
18 #include <linux/mroute6.h>
19 #include <linux/slab.h>
20 #include <linux/rhashtable.h>
21
22 #include <linux/netfilter.h>
23 #include <linux/netfilter_ipv6.h>
24
25 #include <net/sock.h>
26 #include <net/snmp.h>
27
28 #include <net/ipv6.h>
29 #include <net/protocol.h>
30 #include <net/transp_v6.h>
31 #include <net/rawv6.h>
32 #include <net/ndisc.h>
33 #include <net/ip6_route.h>
34 #include <net/addrconf.h>
35 #include <net/xfrm.h>
36
37 #include <crypto/hash.h>
38 #include <net/seg6.h>
39 #include <net/genetlink.h>
40 #include <net/seg6_hmac.h>
41 #include <linux/random.h>
42
43 static DEFINE_PER_CPU(char [SEG6_HMAC_RING_SIZE], hmac_ring);
44
45 static int seg6_hmac_cmpfn(struct rhashtable_compare_arg *arg, const void *obj)
46 {
47 const struct seg6_hmac_info *hinfo = obj;
48
49 return (hinfo->hmackeyid != *(__u32 *)arg->key);
50 }
51
52 static inline void seg6_hinfo_release(struct seg6_hmac_info *hinfo)
53 {
54 kfree_rcu(hinfo, rcu);
55 }
56
57 static void seg6_free_hi(void *ptr, void *arg)
58 {
59 struct seg6_hmac_info *hinfo = (struct seg6_hmac_info *)ptr;
60
61 if (hinfo)
62 seg6_hinfo_release(hinfo);
63 }
64
65 static const struct rhashtable_params rht_params = {
66 .head_offset = offsetof(struct seg6_hmac_info, node),
67 .key_offset = offsetof(struct seg6_hmac_info, hmackeyid),
68 .key_len = sizeof(u32),
69 .automatic_shrinking = true,
70 .obj_cmpfn = seg6_hmac_cmpfn,
71 };
72
73 static struct seg6_hmac_algo hmac_algos[] = {
74 {
75 .alg_id = SEG6_HMAC_ALGO_SHA1,
76 .name = "hmac(sha1)",
77 },
78 {
79 .alg_id = SEG6_HMAC_ALGO_SHA256,
80 .name = "hmac(sha256)",
81 },
82 };
83
84 static struct sr6_tlv_hmac *seg6_get_tlv_hmac(struct ipv6_sr_hdr *srh)
85 {
86 struct sr6_tlv_hmac *tlv;
87
88 if (srh->hdrlen < (srh->first_segment + 1) * 2 + 5)
89 return NULL;
90
91 if (!sr_has_hmac(srh))
92 return NULL;
93
94 tlv = (struct sr6_tlv_hmac *)
95 ((char *)srh + ((srh->hdrlen + 1) << 3) - 40);
96
97 if (tlv->tlvhdr.type != SR6_TLV_HMAC || tlv->tlvhdr.len != 38)
98 return NULL;
99
100 return tlv;
101 }
102
103 static struct seg6_hmac_algo *__hmac_get_algo(u8 alg_id)
104 {
105 struct seg6_hmac_algo *algo;
106 int i, alg_count;
107
108 alg_count = ARRAY_SIZE(hmac_algos);
109 for (i = 0; i < alg_count; i++) {
110 algo = &hmac_algos[i];
111 if (algo->alg_id == alg_id)
112 return algo;
113 }
114
115 return NULL;
116 }
117
118 static int __do_hmac(struct seg6_hmac_info *hinfo, const char *text, u8 psize,
119 u8 *output, int outlen)
120 {
121 struct seg6_hmac_algo *algo;
122 struct crypto_shash *tfm;
123 struct shash_desc *shash;
124 int ret, dgsize;
125
126 algo = __hmac_get_algo(hinfo->alg_id);
127 if (!algo)
128 return -ENOENT;
129
130 tfm = *this_cpu_ptr(algo->tfms);
131
132 dgsize = crypto_shash_digestsize(tfm);
133 if (dgsize > outlen) {
134 pr_debug("sr-ipv6: __do_hmac: digest size too big (%d / %d)\n",
135 dgsize, outlen);
136 return -ENOMEM;
137 }
138
139 ret = crypto_shash_setkey(tfm, hinfo->secret, hinfo->slen);
140 if (ret < 0) {
141 pr_debug("sr-ipv6: crypto_shash_setkey failed: err %d\n", ret);
142 goto failed;
143 }
144
145 shash = *this_cpu_ptr(algo->shashs);
146 shash->tfm = tfm;
147
148 ret = crypto_shash_digest(shash, text, psize, output);
149 if (ret < 0) {
150 pr_debug("sr-ipv6: crypto_shash_digest failed: err %d\n", ret);
151 goto failed;
152 }
153
154 return dgsize;
155
156 failed:
157 return ret;
158 }
159
160 int seg6_hmac_compute(struct seg6_hmac_info *hinfo, struct ipv6_sr_hdr *hdr,
161 struct in6_addr *saddr, u8 *output)
162 {
163 __be32 hmackeyid = cpu_to_be32(hinfo->hmackeyid);
164 u8 tmp_out[SEG6_HMAC_MAX_DIGESTSIZE];
165 int plen, i, dgsize, wrsize;
166 char *ring, *off;
167
168 /* a 160-byte buffer for digest output allows to store highest known
169 * hash function (RadioGatun) with up to 1216 bits
170 */
171
172 /* saddr(16) + first_seg(1) + flags(1) + keyid(4) + seglist(16n) */
173 plen = 16 + 1 + 1 + 4 + (hdr->first_segment + 1) * 16;
174
175 /* this limit allows for 14 segments */
176 if (plen >= SEG6_HMAC_RING_SIZE)
177 return -EMSGSIZE;
178
179 /* Let's build the HMAC text on the ring buffer. The text is composed
180 * as follows, in order:
181 *
182 * 1. Source IPv6 address (128 bits)
183 * 2. first_segment value (8 bits)
184 * 3. Flags (8 bits)
185 * 4. HMAC Key ID (32 bits)
186 * 5. All segments in the segments list (n * 128 bits)
187 */
188
189 local_bh_disable();
190 ring = this_cpu_ptr(hmac_ring);
191 off = ring;
192
193 /* source address */
194 memcpy(off, saddr, 16);
195 off += 16;
196
197 /* first_segment value */
198 *off++ = hdr->first_segment;
199
200 /* flags */
201 *off++ = hdr->flags;
202
203 /* HMAC Key ID */
204 memcpy(off, &hmackeyid, 4);
205 off += 4;
206
207 /* all segments in the list */
208 for (i = 0; i < hdr->first_segment + 1; i++) {
209 memcpy(off, hdr->segments + i, 16);
210 off += 16;
211 }
212
213 dgsize = __do_hmac(hinfo, ring, plen, tmp_out,
214 SEG6_HMAC_MAX_DIGESTSIZE);
215 local_bh_enable();
216
217 if (dgsize < 0)
218 return dgsize;
219
220 wrsize = SEG6_HMAC_FIELD_LEN;
221 if (wrsize > dgsize)
222 wrsize = dgsize;
223
224 memset(output, 0, SEG6_HMAC_FIELD_LEN);
225 memcpy(output, tmp_out, wrsize);
226
227 return 0;
228 }
229 EXPORT_SYMBOL(seg6_hmac_compute);
230
231 /* checks if an incoming SR-enabled packet's HMAC status matches
232 * the incoming policy.
233 *
234 * called with rcu_read_lock()
235 */
236 bool seg6_hmac_validate_skb(struct sk_buff *skb)
237 {
238 u8 hmac_output[SEG6_HMAC_FIELD_LEN];
239 struct net *net = dev_net(skb->dev);
240 struct seg6_hmac_info *hinfo;
241 struct sr6_tlv_hmac *tlv;
242 struct ipv6_sr_hdr *srh;
243 struct inet6_dev *idev;
244
245 idev = __in6_dev_get(skb->dev);
246
247 srh = (struct ipv6_sr_hdr *)skb_transport_header(skb);
248
249 tlv = seg6_get_tlv_hmac(srh);
250
251 /* mandatory check but no tlv */
252 if (idev->cnf.seg6_require_hmac > 0 && !tlv)
253 return false;
254
255 /* no check */
256 if (idev->cnf.seg6_require_hmac < 0)
257 return true;
258
259 /* check only if present */
260 if (idev->cnf.seg6_require_hmac == 0 && !tlv)
261 return true;
262
263 /* now, seg6_require_hmac >= 0 && tlv */
264
265 hinfo = seg6_hmac_info_lookup(net, be32_to_cpu(tlv->hmackeyid));
266 if (!hinfo)
267 return false;
268
269 if (seg6_hmac_compute(hinfo, srh, &ipv6_hdr(skb)->saddr, hmac_output))
270 return false;
271
272 if (memcmp(hmac_output, tlv->hmac, SEG6_HMAC_FIELD_LEN) != 0)
273 return false;
274
275 return true;
276 }
277 EXPORT_SYMBOL(seg6_hmac_validate_skb);
278
279 /* called with rcu_read_lock() */
280 struct seg6_hmac_info *seg6_hmac_info_lookup(struct net *net, u32 key)
281 {
282 struct seg6_pernet_data *sdata = seg6_pernet(net);
283 struct seg6_hmac_info *hinfo;
284
285 hinfo = rhashtable_lookup_fast(&sdata->hmac_infos, &key, rht_params);
286
287 return hinfo;
288 }
289 EXPORT_SYMBOL(seg6_hmac_info_lookup);
290
291 int seg6_hmac_info_add(struct net *net, u32 key, struct seg6_hmac_info *hinfo)
292 {
293 struct seg6_pernet_data *sdata = seg6_pernet(net);
294 int err;
295
296 err = rhashtable_lookup_insert_fast(&sdata->hmac_infos, &hinfo->node,
297 rht_params);
298
299 return err;
300 }
301 EXPORT_SYMBOL(seg6_hmac_info_add);
302
303 int seg6_hmac_info_del(struct net *net, u32 key)
304 {
305 struct seg6_pernet_data *sdata = seg6_pernet(net);
306 struct seg6_hmac_info *hinfo;
307 int err = -ENOENT;
308
309 hinfo = rhashtable_lookup_fast(&sdata->hmac_infos, &key, rht_params);
310 if (!hinfo)
311 goto out;
312
313 err = rhashtable_remove_fast(&sdata->hmac_infos, &hinfo->node,
314 rht_params);
315 if (err)
316 goto out;
317
318 seg6_hinfo_release(hinfo);
319
320 out:
321 return err;
322 }
323 EXPORT_SYMBOL(seg6_hmac_info_del);
324
325 int seg6_push_hmac(struct net *net, struct in6_addr *saddr,
326 struct ipv6_sr_hdr *srh)
327 {
328 struct seg6_hmac_info *hinfo;
329 struct sr6_tlv_hmac *tlv;
330 int err = -ENOENT;
331
332 tlv = seg6_get_tlv_hmac(srh);
333 if (!tlv)
334 return -EINVAL;
335
336 rcu_read_lock();
337
338 hinfo = seg6_hmac_info_lookup(net, be32_to_cpu(tlv->hmackeyid));
339 if (!hinfo)
340 goto out;
341
342 memset(tlv->hmac, 0, SEG6_HMAC_FIELD_LEN);
343 err = seg6_hmac_compute(hinfo, srh, saddr, tlv->hmac);
344
345 out:
346 rcu_read_unlock();
347 return err;
348 }
349 EXPORT_SYMBOL(seg6_push_hmac);
350
351 static int seg6_hmac_init_algo(void)
352 {
353 struct seg6_hmac_algo *algo;
354 struct crypto_shash *tfm;
355 struct shash_desc *shash;
356 int i, alg_count, cpu;
357
358 alg_count = ARRAY_SIZE(hmac_algos);
359
360 for (i = 0; i < alg_count; i++) {
361 struct crypto_shash **p_tfm;
362 int shsize;
363
364 algo = &hmac_algos[i];
365 algo->tfms = alloc_percpu(struct crypto_shash *);
366 if (!algo->tfms)
367 return -ENOMEM;
368
369 for_each_possible_cpu(cpu) {
370 tfm = crypto_alloc_shash(algo->name, 0, 0);
371 if (IS_ERR(tfm))
372 return PTR_ERR(tfm);
373 p_tfm = per_cpu_ptr(algo->tfms, cpu);
374 *p_tfm = tfm;
375 }
376
377 p_tfm = raw_cpu_ptr(algo->tfms);
378 tfm = *p_tfm;
379
380 shsize = sizeof(*shash) + crypto_shash_descsize(tfm);
381
382 algo->shashs = alloc_percpu(struct shash_desc *);
383 if (!algo->shashs)
384 return -ENOMEM;
385
386 for_each_possible_cpu(cpu) {
387 shash = kzalloc_node(shsize, GFP_KERNEL,
388 cpu_to_node(cpu));
389 if (!shash)
390 return -ENOMEM;
391 *per_cpu_ptr(algo->shashs, cpu) = shash;
392 }
393 }
394
395 return 0;
396 }
397
398 int __init seg6_hmac_init(void)
399 {
400 return seg6_hmac_init_algo();
401 }
402 EXPORT_SYMBOL(seg6_hmac_init);
403
404 int __net_init seg6_hmac_net_init(struct net *net)
405 {
406 struct seg6_pernet_data *sdata = seg6_pernet(net);
407
408 rhashtable_init(&sdata->hmac_infos, &rht_params);
409
410 return 0;
411 }
412 EXPORT_SYMBOL(seg6_hmac_net_init);
413
414 void seg6_hmac_exit(void)
415 {
416 struct seg6_hmac_algo *algo = NULL;
417 int i, alg_count, cpu;
418
419 alg_count = ARRAY_SIZE(hmac_algos);
420 for (i = 0; i < alg_count; i++) {
421 algo = &hmac_algos[i];
422 for_each_possible_cpu(cpu) {
423 struct crypto_shash *tfm;
424 struct shash_desc *shash;
425
426 shash = *per_cpu_ptr(algo->shashs, cpu);
427 kfree(shash);
428 tfm = *per_cpu_ptr(algo->tfms, cpu);
429 crypto_free_shash(tfm);
430 }
431 free_percpu(algo->tfms);
432 free_percpu(algo->shashs);
433 }
434 }
435 EXPORT_SYMBOL(seg6_hmac_exit);
436
437 void __net_exit seg6_hmac_net_exit(struct net *net)
438 {
439 struct seg6_pernet_data *sdata = seg6_pernet(net);
440
441 rhashtable_free_and_destroy(&sdata->hmac_infos, seg6_free_hi, NULL);
442 }
443 EXPORT_SYMBOL(seg6_hmac_net_exit);
Linux with added FPC-III support