search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Linux 5.1.5
[linux/fpc-iii.git] / net / ipv6 / seg6_hmac.c
blob8546f94f30d47a203f3d2f4d73f3ece462bb4e4e
1 /*
2 * SR-IPv6 implementation -- HMAC functions
3 *
4 * Author:
5 * David Lebrun <david.lebrun@uclouvain.be>
6 *
7 *
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU General Public License
10 * as published by the Free Software Foundation; either version
11 * 2 of the License, or (at your option) any later version.
12 */
13
14 #include <linux/errno.h>
15 #include <linux/kernel.h>
16 #include <linux/types.h>
17 #include <linux/socket.h>
18 #include <linux/sockios.h>
19 #include <linux/net.h>
20 #include <linux/netdevice.h>
21 #include <linux/in6.h>
22 #include <linux/icmpv6.h>
23 #include <linux/mroute6.h>
24 #include <linux/slab.h>
25 #include <linux/rhashtable.h>
26
27 #include <linux/netfilter.h>
28 #include <linux/netfilter_ipv6.h>
29
30 #include <net/sock.h>
31 #include <net/snmp.h>
32
33 #include <net/ipv6.h>
34 #include <net/protocol.h>
35 #include <net/transp_v6.h>
36 #include <net/rawv6.h>
37 #include <net/ndisc.h>
38 #include <net/ip6_route.h>
39 #include <net/addrconf.h>
40 #include <net/xfrm.h>
41
42 #include <linux/cryptohash.h>
43 #include <crypto/hash.h>
44 #include <crypto/sha.h>
45 #include <net/seg6.h>
46 #include <net/genetlink.h>
47 #include <net/seg6_hmac.h>
48 #include <linux/random.h>
49
50 static DEFINE_PER_CPU(char [SEG6_HMAC_RING_SIZE], hmac_ring);
51
52 static int seg6_hmac_cmpfn(struct rhashtable_compare_arg *arg, const void *obj)
53 {
54 const struct seg6_hmac_info *hinfo = obj;
55
56 return (hinfo->hmackeyid != *(__u32 *)arg->key);
57 }
58
59 static inline void seg6_hinfo_release(struct seg6_hmac_info *hinfo)
60 {
61 kfree_rcu(hinfo, rcu);
62 }
63
64 static void seg6_free_hi(void *ptr, void *arg)
65 {
66 struct seg6_hmac_info *hinfo = (struct seg6_hmac_info *)ptr;
67
68 if (hinfo)
69 seg6_hinfo_release(hinfo);
70 }
71
72 static const struct rhashtable_params rht_params = {
73 .head_offset = offsetof(struct seg6_hmac_info, node),
74 .key_offset = offsetof(struct seg6_hmac_info, hmackeyid),
75 .key_len = sizeof(u32),
76 .automatic_shrinking = true,
77 .obj_cmpfn = seg6_hmac_cmpfn,
78 };
79
80 static struct seg6_hmac_algo hmac_algos[] = {
81 {
82 .alg_id = SEG6_HMAC_ALGO_SHA1,
83 .name = "hmac(sha1)",
84 },
85 {
86 .alg_id = SEG6_HMAC_ALGO_SHA256,
87 .name = "hmac(sha256)",
88 },
89 };
90
91 static struct sr6_tlv_hmac *seg6_get_tlv_hmac(struct ipv6_sr_hdr *srh)
92 {
93 struct sr6_tlv_hmac *tlv;
94
95 if (srh->hdrlen < (srh->first_segment + 1) * 2 + 5)
96 return NULL;
97
98 if (!sr_has_hmac(srh))
99 return NULL;
100
101 tlv = (struct sr6_tlv_hmac *)
102 ((char *)srh + ((srh->hdrlen + 1) << 3) - 40);
103
104 if (tlv->tlvhdr.type != SR6_TLV_HMAC || tlv->tlvhdr.len != 38)
105 return NULL;
106
107 return tlv;
108 }
109
110 static struct seg6_hmac_algo *__hmac_get_algo(u8 alg_id)
111 {
112 struct seg6_hmac_algo *algo;
113 int i, alg_count;
114
115 alg_count = ARRAY_SIZE(hmac_algos);
116 for (i = 0; i < alg_count; i++) {
117 algo = &hmac_algos[i];
118 if (algo->alg_id == alg_id)
119 return algo;
120 }
121
122 return NULL;
123 }
124
125 static int __do_hmac(struct seg6_hmac_info *hinfo, const char *text, u8 psize,
126 u8 *output, int outlen)
127 {
128 struct seg6_hmac_algo *algo;
129 struct crypto_shash *tfm;
130 struct shash_desc *shash;
131 int ret, dgsize;
132
133 algo = __hmac_get_algo(hinfo->alg_id);
134 if (!algo)
135 return -ENOENT;
136
137 tfm = *this_cpu_ptr(algo->tfms);
138
139 dgsize = crypto_shash_digestsize(tfm);
140 if (dgsize > outlen) {
141 pr_debug("sr-ipv6: __do_hmac: digest size too big (%d / %d)\n",
142 dgsize, outlen);
143 return -ENOMEM;
144 }
145
146 ret = crypto_shash_setkey(tfm, hinfo->secret, hinfo->slen);
147 if (ret < 0) {
148 pr_debug("sr-ipv6: crypto_shash_setkey failed: err %d\n", ret);
149 goto failed;
150 }
151
152 shash = *this_cpu_ptr(algo->shashs);
153 shash->tfm = tfm;
154
155 ret = crypto_shash_digest(shash, text, psize, output);
156 if (ret < 0) {
157 pr_debug("sr-ipv6: crypto_shash_digest failed: err %d\n", ret);
158 goto failed;
159 }
160
161 return dgsize;
162
163 failed:
164 return ret;
165 }
166
167 int seg6_hmac_compute(struct seg6_hmac_info *hinfo, struct ipv6_sr_hdr *hdr,
168 struct in6_addr *saddr, u8 *output)
169 {
170 __be32 hmackeyid = cpu_to_be32(hinfo->hmackeyid);
171 u8 tmp_out[SEG6_HMAC_MAX_DIGESTSIZE];
172 int plen, i, dgsize, wrsize;
173 char *ring, *off;
174
175 /* a 160-byte buffer for digest output allows to store highest known
176 * hash function (RadioGatun) with up to 1216 bits
177 */
178
179 /* saddr(16) + first_seg(1) + flags(1) + keyid(4) + seglist(16n) */
180 plen = 16 + 1 + 1 + 4 + (hdr->first_segment + 1) * 16;
181
182 /* this limit allows for 14 segments */
183 if (plen >= SEG6_HMAC_RING_SIZE)
184 return -EMSGSIZE;
185
186 /* Let's build the HMAC text on the ring buffer. The text is composed
187 * as follows, in order:
188 *
189 * 1. Source IPv6 address (128 bits)
190 * 2. first_segment value (8 bits)
191 * 3. Flags (8 bits)
192 * 4. HMAC Key ID (32 bits)
193 * 5. All segments in the segments list (n * 128 bits)
194 */
195
196 local_bh_disable();
197 ring = this_cpu_ptr(hmac_ring);
198 off = ring;
199
200 /* source address */
201 memcpy(off, saddr, 16);
202 off += 16;
203
204 /* first_segment value */
205 *off++ = hdr->first_segment;
206
207 /* flags */
208 *off++ = hdr->flags;
209
210 /* HMAC Key ID */
211 memcpy(off, &hmackeyid, 4);
212 off += 4;
213
214 /* all segments in the list */
215 for (i = 0; i < hdr->first_segment + 1; i++) {
216 memcpy(off, hdr->segments + i, 16);
217 off += 16;
218 }
219
220 dgsize = __do_hmac(hinfo, ring, plen, tmp_out,
221 SEG6_HMAC_MAX_DIGESTSIZE);
222 local_bh_enable();
223
224 if (dgsize < 0)
225 return dgsize;
226
227 wrsize = SEG6_HMAC_FIELD_LEN;
228 if (wrsize > dgsize)
229 wrsize = dgsize;
230
231 memset(output, 0, SEG6_HMAC_FIELD_LEN);
232 memcpy(output, tmp_out, wrsize);
233
234 return 0;
235 }
236 EXPORT_SYMBOL(seg6_hmac_compute);
237
238 /* checks if an incoming SR-enabled packet's HMAC status matches
239 * the incoming policy.
240 *
241 * called with rcu_read_lock()
242 */
243 bool seg6_hmac_validate_skb(struct sk_buff *skb)
244 {
245 u8 hmac_output[SEG6_HMAC_FIELD_LEN];
246 struct net *net = dev_net(skb->dev);
247 struct seg6_hmac_info *hinfo;
248 struct sr6_tlv_hmac *tlv;
249 struct ipv6_sr_hdr *srh;
250 struct inet6_dev *idev;
251
252 idev = __in6_dev_get(skb->dev);
253
254 srh = (struct ipv6_sr_hdr *)skb_transport_header(skb);
255
256 tlv = seg6_get_tlv_hmac(srh);
257
258 /* mandatory check but no tlv */
259 if (idev->cnf.seg6_require_hmac > 0 && !tlv)
260 return false;
261
262 /* no check */
263 if (idev->cnf.seg6_require_hmac < 0)
264 return true;
265
266 /* check only if present */
267 if (idev->cnf.seg6_require_hmac == 0 && !tlv)
268 return true;
269
270 /* now, seg6_require_hmac >= 0 && tlv */
271
272 hinfo = seg6_hmac_info_lookup(net, be32_to_cpu(tlv->hmackeyid));
273 if (!hinfo)
274 return false;
275
276 if (seg6_hmac_compute(hinfo, srh, &ipv6_hdr(skb)->saddr, hmac_output))
277 return false;
278
279 if (memcmp(hmac_output, tlv->hmac, SEG6_HMAC_FIELD_LEN) != 0)
280 return false;
281
282 return true;
283 }
284 EXPORT_SYMBOL(seg6_hmac_validate_skb);
285
286 /* called with rcu_read_lock() */
287 struct seg6_hmac_info *seg6_hmac_info_lookup(struct net *net, u32 key)
288 {
289 struct seg6_pernet_data *sdata = seg6_pernet(net);
290 struct seg6_hmac_info *hinfo;
291
292 hinfo = rhashtable_lookup_fast(&sdata->hmac_infos, &key, rht_params);
293
294 return hinfo;
295 }
296 EXPORT_SYMBOL(seg6_hmac_info_lookup);
297
298 int seg6_hmac_info_add(struct net *net, u32 key, struct seg6_hmac_info *hinfo)
299 {
300 struct seg6_pernet_data *sdata = seg6_pernet(net);
301 int err;
302
303 err = rhashtable_lookup_insert_fast(&sdata->hmac_infos, &hinfo->node,
304 rht_params);
305
306 return err;
307 }
308 EXPORT_SYMBOL(seg6_hmac_info_add);
309
310 int seg6_hmac_info_del(struct net *net, u32 key)
311 {
312 struct seg6_pernet_data *sdata = seg6_pernet(net);
313 struct seg6_hmac_info *hinfo;
314 int err = -ENOENT;
315
316 hinfo = rhashtable_lookup_fast(&sdata->hmac_infos, &key, rht_params);
317 if (!hinfo)
318 goto out;
319
320 err = rhashtable_remove_fast(&sdata->hmac_infos, &hinfo->node,
321 rht_params);
322 if (err)
323 goto out;
324
325 seg6_hinfo_release(hinfo);
326
327 out:
328 return err;
329 }
330 EXPORT_SYMBOL(seg6_hmac_info_del);
331
332 int seg6_push_hmac(struct net *net, struct in6_addr *saddr,
333 struct ipv6_sr_hdr *srh)
334 {
335 struct seg6_hmac_info *hinfo;
336 struct sr6_tlv_hmac *tlv;
337 int err = -ENOENT;
338
339 tlv = seg6_get_tlv_hmac(srh);
340 if (!tlv)
341 return -EINVAL;
342
343 rcu_read_lock();
344
345 hinfo = seg6_hmac_info_lookup(net, be32_to_cpu(tlv->hmackeyid));
346 if (!hinfo)
347 goto out;
348
349 memset(tlv->hmac, 0, SEG6_HMAC_FIELD_LEN);
350 err = seg6_hmac_compute(hinfo, srh, saddr, tlv->hmac);
351
352 out:
353 rcu_read_unlock();
354 return err;
355 }
356 EXPORT_SYMBOL(seg6_push_hmac);
357
358 static int seg6_hmac_init_algo(void)
359 {
360 struct seg6_hmac_algo *algo;
361 struct crypto_shash *tfm;
362 struct shash_desc *shash;
363 int i, alg_count, cpu;
364
365 alg_count = ARRAY_SIZE(hmac_algos);
366
367 for (i = 0; i < alg_count; i++) {
368 struct crypto_shash **p_tfm;
369 int shsize;
370
371 algo = &hmac_algos[i];
372 algo->tfms = alloc_percpu(struct crypto_shash *);
373 if (!algo->tfms)
374 return -ENOMEM;
375
376 for_each_possible_cpu(cpu) {
377 tfm = crypto_alloc_shash(algo->name, 0, 0);
378 if (IS_ERR(tfm))
379 return PTR_ERR(tfm);
380 p_tfm = per_cpu_ptr(algo->tfms, cpu);
381 *p_tfm = tfm;
382 }
383
384 p_tfm = raw_cpu_ptr(algo->tfms);
385 tfm = *p_tfm;
386
387 shsize = sizeof(*shash) + crypto_shash_descsize(tfm);
388
389 algo->shashs = alloc_percpu(struct shash_desc *);
390 if (!algo->shashs)
391 return -ENOMEM;
392
393 for_each_possible_cpu(cpu) {
394 shash = kzalloc_node(shsize, GFP_KERNEL,
395 cpu_to_node(cpu));
396 if (!shash)
397 return -ENOMEM;
398 *per_cpu_ptr(algo->shashs, cpu) = shash;
399 }
400 }
401
402 return 0;
403 }
404
405 int __init seg6_hmac_init(void)
406 {
407 return seg6_hmac_init_algo();
408 }
409 EXPORT_SYMBOL(seg6_hmac_init);
410
411 int __net_init seg6_hmac_net_init(struct net *net)
412 {
413 struct seg6_pernet_data *sdata = seg6_pernet(net);
414
415 rhashtable_init(&sdata->hmac_infos, &rht_params);
416
417 return 0;
418 }
419 EXPORT_SYMBOL(seg6_hmac_net_init);
420
421 void seg6_hmac_exit(void)
422 {
423 struct seg6_hmac_algo *algo = NULL;
424 int i, alg_count, cpu;
425
426 alg_count = ARRAY_SIZE(hmac_algos);
427 for (i = 0; i < alg_count; i++) {
428 algo = &hmac_algos[i];
429 for_each_possible_cpu(cpu) {
430 struct crypto_shash *tfm;
431 struct shash_desc *shash;
432
433 shash = *per_cpu_ptr(algo->shashs, cpu);
434 kfree(shash);
435 tfm = *per_cpu_ptr(algo->tfms, cpu);
436 crypto_free_shash(tfm);
437 }
438 free_percpu(algo->tfms);
439 free_percpu(algo->shashs);
440 }
441 }
442 EXPORT_SYMBOL(seg6_hmac_exit);
443
444 void __net_exit seg6_hmac_net_exit(struct net *net)
445 {
446 struct seg6_pernet_data *sdata = seg6_pernet(net);
447
448 rhashtable_free_and_destroy(&sdata->hmac_infos, seg6_free_hi, NULL);
449 }
450 EXPORT_SYMBOL(seg6_hmac_net_exit);
Linux with added FPC-III support