Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next
Steffen Klassert says: ==================== pull request (net-next): ipsec-next 2022-01-06 1) Fix some clang_analyzer warnings about never read variables. From luo penghao. 2) Check for pols[0] only once in xfrm_expand_policies(). From Jean Sacren. 3) The SA curlft.use_time was updated only on SA cration time. Update whenever the SA is used. From Antony Antony 4) Add support for SM3 secure hash. From Xu Jia. 5) Add support for SM4 symmetric cipher algorithm. From Xu Jia. 6) Add a rate limit for SA mapping change messages. From Antony Antony. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
David S. Miller
@ -341,6 +341,26 @@ static struct xfrm_algo_desc aalg_list[] = {
|
||||
|
||||
.pfkey_supported = 0,
|
||||
},
|
||||
{
|
||||
.name = "hmac(sm3)",
|
||||
.compat = "sm3",
|
||||
|
||||
.uinfo = {
|
||||
.auth = {
|
||||
.icv_truncbits = 256,
|
||||
.icv_fullbits = 256,
|
||||
}
|
||||
},
|
||||
|
||||
.pfkey_supported = 1,
|
||||
|
||||
.desc = {
|
||||
.sadb_alg_id = SADB_X_AALG_SM3_256HMAC,
|
||||
.sadb_alg_ivlen = 0,
|
||||
.sadb_alg_minbits = 256,
|
||||
.sadb_alg_maxbits = 256
|
||||
}
|
||||
},
|
||||
};
|
||||
|
||||
static struct xfrm_algo_desc ealg_list[] = {
|
||||
@ -552,6 +572,27 @@ static struct xfrm_algo_desc ealg_list[] = {
|
||||
.sadb_alg_maxbits = 288
|
||||
}
|
||||
},
|
||||
{
|
||||
.name = "cbc(sm4)",
|
||||
.compat = "sm4",
|
||||
|
||||
.uinfo = {
|
||||
.encr = {
|
||||
.geniv = "echainiv",
|
||||
.blockbits = 128,
|
||||
.defkeybits = 128,
|
||||
}
|
||||
},
|
||||
|
||||
.pfkey_supported = 1,
|
||||
|
||||
.desc = {
|
||||
.sadb_alg_id = SADB_X_EALG_SM4CBC,
|
||||
.sadb_alg_ivlen = 16,
|
||||
.sadb_alg_minbits = 128,
|
||||
.sadb_alg_maxbits = 256
|
||||
}
|
||||
},
|
||||
};
|
||||
|
||||
static struct xfrm_algo_desc calg_list[] = {
|
||||
|
||||
@ -127,6 +127,7 @@ static const struct nla_policy compat_policy[XFRMA_MAX+1] = {
|
||||
[XFRMA_SET_MARK] = { .type = NLA_U32 },
|
||||
[XFRMA_SET_MARK_MASK] = { .type = NLA_U32 },
|
||||
[XFRMA_IF_ID] = { .type = NLA_U32 },
|
||||
[XFRMA_MTIMER_THRESH] = { .type = NLA_U32 },
|
||||
};
|
||||
|
||||
static struct nlmsghdr *xfrm_nlmsg_put_compat(struct sk_buff *skb,
|
||||
@ -274,9 +275,10 @@ static int xfrm_xlate64_attr(struct sk_buff *dst, const struct nlattr *src)
|
||||
case XFRMA_SET_MARK:
|
||||
case XFRMA_SET_MARK_MASK:
|
||||
case XFRMA_IF_ID:
|
||||
case XFRMA_MTIMER_THRESH:
|
||||
return xfrm_nla_cpy(dst, src, nla_len(src));
|
||||
default:
|
||||
BUILD_BUG_ON(XFRMA_MAX != XFRMA_IF_ID);
|
||||
BUILD_BUG_ON(XFRMA_MAX != XFRMA_MTIMER_THRESH);
|
||||
pr_warn_once("unsupported nla_type %d\n", src->nla_type);
|
||||
return -EOPNOTSUPP;
|
||||
}
|
||||
@ -431,7 +433,7 @@ static int xfrm_xlate32_attr(void *dst, const struct nlattr *nla,
|
||||
int err;
|
||||
|
||||
if (type > XFRMA_MAX) {
|
||||
BUILD_BUG_ON(XFRMA_MAX != XFRMA_IF_ID);
|
||||
BUILD_BUG_ON(XFRMA_MAX != XFRMA_MTIMER_THRESH);
|
||||
NL_SET_ERR_MSG(extack, "Bad attribute");
|
||||
return -EOPNOTSUPP;
|
||||
}
|
||||
|
||||
@ -669,6 +669,7 @@ resume:
|
||||
|
||||
x->curlft.bytes += skb->len;
|
||||
x->curlft.packets++;
|
||||
x->curlft.use_time = ktime_get_real_seconds();
|
||||
|
||||
spin_unlock(&x->lock);
|
||||
|
||||
|
||||
@ -533,6 +533,7 @@ static int xfrm_output_one(struct sk_buff *skb, int err)
|
||||
|
||||
x->curlft.bytes += skb->len;
|
||||
x->curlft.packets++;
|
||||
x->curlft.use_time = ktime_get_real_seconds();
|
||||
|
||||
spin_unlock_bh(&x->lock);
|
||||
|
||||
|
||||
@ -2680,7 +2680,7 @@ static int xfrm_expand_policies(const struct flowi *fl, u16 family,
|
||||
*num_xfrms = pols[0]->xfrm_nr;
|
||||
|
||||
#ifdef CONFIG_XFRM_SUB_POLICY
|
||||
if (pols[0] && pols[0]->action == XFRM_POLICY_ALLOW &&
|
||||
if (pols[0]->action == XFRM_POLICY_ALLOW &&
|
||||
pols[0]->type != XFRM_POLICY_TYPE_MAIN) {
|
||||
pols[1] = xfrm_policy_lookup_bytype(xp_net(pols[0]),
|
||||
XFRM_POLICY_TYPE_MAIN,
|
||||
@ -3392,7 +3392,6 @@ decode_session6(struct sk_buff *skb, struct flowi *fl, bool reverse)
|
||||
case NEXTHDR_DEST:
|
||||
offset += ipv6_optlen(exthdr);
|
||||
nexthdr = exthdr->nexthdr;
|
||||
exthdr = (struct ipv6_opt_hdr *)(nh + offset);
|
||||
break;
|
||||
case IPPROTO_UDP:
|
||||
case IPPROTO_UDPLITE:
|
||||
|
||||
@ -1594,6 +1594,9 @@ static struct xfrm_state *xfrm_state_clone(struct xfrm_state *orig,
|
||||
x->km.seq = orig->km.seq;
|
||||
x->replay = orig->replay;
|
||||
x->preplay = orig->preplay;
|
||||
x->mapping_maxage = orig->mapping_maxage;
|
||||
x->new_mapping = 0;
|
||||
x->new_mapping_sport = 0;
|
||||
|
||||
return x;
|
||||
|
||||
@ -2243,7 +2246,7 @@ int km_query(struct xfrm_state *x, struct xfrm_tmpl *t, struct xfrm_policy *pol)
|
||||
}
|
||||
EXPORT_SYMBOL(km_query);
|
||||
|
||||
int km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport)
|
||||
static int __km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport)
|
||||
{
|
||||
int err = -EINVAL;
|
||||
struct xfrm_mgr *km;
|
||||
@ -2258,6 +2261,24 @@ int km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport)
|
||||
rcu_read_unlock();
|
||||
return err;
|
||||
}
|
||||
|
||||
int km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport)
|
||||
{
|
||||
int ret = 0;
|
||||
|
||||
if (x->mapping_maxage) {
|
||||
if ((jiffies / HZ - x->new_mapping) > x->mapping_maxage ||
|
||||
x->new_mapping_sport != sport) {
|
||||
x->new_mapping_sport = sport;
|
||||
x->new_mapping = jiffies / HZ;
|
||||
ret = __km_new_mapping(x, ipaddr, sport);
|
||||
}
|
||||
} else {
|
||||
ret = __km_new_mapping(x, ipaddr, sport);
|
||||
}
|
||||
|
||||
return ret;
|
||||
}
|
||||
EXPORT_SYMBOL(km_new_mapping);
|
||||
|
||||
void km_policy_expired(struct xfrm_policy *pol, int dir, int hard, u32 portid)
|
||||
|
||||
@ -283,6 +283,10 @@ static int verify_newsa_info(struct xfrm_usersa_info *p,
|
||||
|
||||
err = 0;
|
||||
|
||||
if (attrs[XFRMA_MTIMER_THRESH])
|
||||
if (!attrs[XFRMA_ENCAP])
|
||||
err = -EINVAL;
|
||||
|
||||
out:
|
||||
return err;
|
||||
}
|
||||
@ -522,6 +526,7 @@ static void xfrm_update_ae_params(struct xfrm_state *x, struct nlattr **attrs,
|
||||
struct nlattr *lt = attrs[XFRMA_LTIME_VAL];
|
||||
struct nlattr *et = attrs[XFRMA_ETIMER_THRESH];
|
||||
struct nlattr *rt = attrs[XFRMA_REPLAY_THRESH];
|
||||
struct nlattr *mt = attrs[XFRMA_MTIMER_THRESH];
|
||||
|
||||
if (re) {
|
||||
struct xfrm_replay_state_esn *replay_esn;
|
||||
@ -553,6 +558,9 @@ static void xfrm_update_ae_params(struct xfrm_state *x, struct nlattr **attrs,
|
||||
|
||||
if (rt)
|
||||
x->replay_maxdiff = nla_get_u32(rt);
|
||||
|
||||
if (mt)
|
||||
x->mapping_maxage = nla_get_u32(mt);
|
||||
}
|
||||
|
||||
static void xfrm_smark_init(struct nlattr **attrs, struct xfrm_mark *m)
|
||||
@ -1025,8 +1033,13 @@ static int copy_to_user_state_extra(struct xfrm_state *x,
|
||||
if (ret)
|
||||
goto out;
|
||||
}
|
||||
if (x->security)
|
||||
if (x->security) {
|
||||
ret = copy_sec_ctx(x->security, skb);
|
||||
if (ret)
|
||||
goto out;
|
||||
}
|
||||
if (x->mapping_maxage)
|
||||
ret = nla_put_u32(skb, XFRMA_MTIMER_THRESH, x->mapping_maxage);
|
||||
out:
|
||||
return ret;
|
||||
}
|
||||
@ -3070,6 +3083,9 @@ static inline unsigned int xfrm_sa_len(struct xfrm_state *x)
|
||||
/* Must count x->lastused as it may become non-zero behind our back. */
|
||||
l += nla_total_size_64bit(sizeof(u64));
|
||||
|
||||
if (x->mapping_maxage)
|
||||
l += nla_total_size(sizeof(x->mapping_maxage));
|
||||
|
||||
return l;
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user