bf355b8d2c
This patch adds the necessary functions to compute and check the HMAC signature of an SR-enabled packet. Two HMAC algorithms are supported: hmac(sha1) and hmac(sha256). In order to avoid dynamic memory allocation for each HMAC computation, a per-cpu ring buffer is allocated for this purpose. A new per-interface sysctl called seg6_require_hmac is added, allowing a user-defined policy for processing HMAC-signed SR-enabled packets. A value of -1 means that the HMAC field will always be ignored. A value of 0 means that if an HMAC field is present, its validity will be enforced (the packet is dropped is the signature is incorrect). Finally, a value of 1 means that any SR-enabled packet that does not contain an HMAC signature or whose signature is incorrect will be dropped. Signed-off-by: David Lebrun <david.lebrun@uclouvain.be> Signed-off-by: David S. Miller <davem@davemloft.net>
63 lines
1.4 KiB
C
63 lines
1.4 KiB
C
/*
|
|
* SR-IPv6 implementation
|
|
*
|
|
* Author:
|
|
* David Lebrun <david.lebrun@uclouvain.be>
|
|
*
|
|
*
|
|
* This program is free software; you can redistribute it and/or
|
|
* modify it under the terms of the GNU General Public License
|
|
* as published by the Free Software Foundation; either version
|
|
* 2 of the License, or (at your option) any later version.
|
|
*/
|
|
|
|
#ifndef _NET_SEG6_H
|
|
#define _NET_SEG6_H
|
|
|
|
#include <linux/net.h>
|
|
#include <linux/ipv6.h>
|
|
#include <net/lwtunnel.h>
|
|
#include <linux/seg6.h>
|
|
#include <linux/rhashtable.h>
|
|
|
|
static inline void update_csum_diff4(struct sk_buff *skb, __be32 from,
|
|
__be32 to)
|
|
{
|
|
__be32 diff[] = { ~from, to };
|
|
|
|
skb->csum = ~csum_partial((char *)diff, sizeof(diff), ~skb->csum);
|
|
}
|
|
|
|
static inline void update_csum_diff16(struct sk_buff *skb, __be32 *from,
|
|
__be32 *to)
|
|
{
|
|
__be32 diff[] = {
|
|
~from[0], ~from[1], ~from[2], ~from[3],
|
|
to[0], to[1], to[2], to[3],
|
|
};
|
|
|
|
skb->csum = ~csum_partial((char *)diff, sizeof(diff), ~skb->csum);
|
|
}
|
|
|
|
struct seg6_pernet_data {
|
|
struct mutex lock;
|
|
struct in6_addr __rcu *tun_src;
|
|
#ifdef CONFIG_IPV6_SEG6_HMAC
|
|
struct rhashtable hmac_infos;
|
|
#endif
|
|
};
|
|
|
|
static inline struct seg6_pernet_data *seg6_pernet(struct net *net)
|
|
{
|
|
return net->ipv6.seg6_data;
|
|
}
|
|
|
|
extern int seg6_init(void);
|
|
extern void seg6_exit(void);
|
|
extern int seg6_iptunnel_init(void);
|
|
extern void seg6_iptunnel_exit(void);
|
|
|
|
extern bool seg6_validate_srh(struct ipv6_sr_hdr *srh, int len);
|
|
|
|
#endif
|