Skip to content

Commit

Permalink
ipv6: sr: add calls to verify and insert HMAC signatures
Browse files Browse the repository at this point in the history 
This patch enables the verification of the HMAC signature for transiting
SR-enabled packets, and its insertion on encapsulated/injected SRH.

Signed-off-by: David Lebrun <david.lebrun@uclouvain.be>
Signed-off-by: David S. Miller <davem@davemloft.net>
  • Loading branch information
David Lebrun authored and David S. Miller committed Nov 10, 2016
1 parent 4f4853d commit 9baee83
Show file tree
Hide file tree
Showing 2 changed files with 31 additions and 0 deletions.
10 changes: 10 additions & 0 deletions net/ipv6/exthdrs.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -49,6 +49,9 @@
#endif
#include <linux/seg6.h>
#include <net/seg6.h>
#ifdef CONFIG_IPV6_SEG6_HMAC
#include <net/seg6_hmac.h>
#endif

#include <linux/uaccess.h>

Expand Down Expand Up @@ -340,6 +343,13 @@ static int ipv6_srh_rcv(struct sk_buff *skb)
return -1;
}

#ifdef CONFIG_IPV6_SEG6_HMAC
if (!seg6_hmac_validate_skb(skb)) {
kfree_skb(skb);
return -1;
}
#endif

looped_back:
if (hdr->segments_left > 0) {
if (hdr->nexthdr != NEXTHDR_IPV6 && hdr->segments_left == 1 &&
Expand Down
21 changes: 21 additions & 0 deletions net/ipv6/seg6_iptunnel.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,9 @@
#ifdef CONFIG_DST_CACHE
#include <net/dst_cache.h>
#endif
#ifdef CONFIG_IPV6_SEG6_HMAC
#include <net/seg6_hmac.h>
#endif

struct seg6_lwt {
#ifdef CONFIG_DST_CACHE
Expand Down Expand Up @@ -130,6 +133,14 @@ static int seg6_do_srh_encap(struct sk_buff *skb, struct ipv6_sr_hdr *osrh)
hdr->daddr = isrh->segments[isrh->first_segment];
set_tun_src(net, skb->dev, &hdr->daddr, &hdr->saddr);

#ifdef CONFIG_IPV6_SEG6_HMAC
if (sr_has_hmac(isrh)) {
err = seg6_push_hmac(net, &hdr->saddr, isrh);
if (unlikely(err))
return err;
}
#endif

skb_postpush_rcsum(skb, hdr, tot_len);

return 0;
Expand Down Expand Up @@ -172,6 +183,16 @@ static int seg6_do_srh_inline(struct sk_buff *skb, struct ipv6_sr_hdr *osrh)
isrh->segments[0] = hdr->daddr;
hdr->daddr = isrh->segments[isrh->first_segment];

#ifdef CONFIG_IPV6_SEG6_HMAC
if (sr_has_hmac(isrh)) {
struct net *net = dev_net(skb_dst(skb)->dev);

err = seg6_push_hmac(net, &hdr->saddr, isrh);
if (unlikely(err))
return err;
}
#endif

skb_postpush_rcsum(skb, hdr, sizeof(struct ipv6hdr) + hdrlen);

return 0;
Expand Down

0 comments on commit 9baee83

Please sign in to comment.