Hi Petr,
This patch is useful, however I think you should change the name of
the option and amend its description:
the option does not disable anti-replay in output (it can only be
disabled in input), it allows the output sequence number to wrap, and
it assumes that the remote peer disabled anti-replay in input.
So you I suggest you change the name of the option to something like
XFRM_SA_XFLAG_OSEQ_MAY_WRAP or XFRM_SA_XFLAG_ALLOW_OSEQ_WRAP.
Best regards,
Christophe
Le lun. 25 mai 2020 à 17:53, Petr Vaněk <p...@excello.cz> a écrit :
>
> RFC 4303 in section 3.3.3 suggests to disable anti-replay for manually
> distributed ICVs.
>
> This patch introduces new extra_flag XFRM_SA_XFLAG_NO_ANTI_REPLAY which
> disables anti-replay for outbound packets if set. The flag is used only
> in legacy and bmp code, because esn should not be negotiated if
> anti-replay is disabled (see note in 3.3.3 section).
>
> Signed-off-by: Petr Vaněk <p...@excello.cz>
> ---
> include/uapi/linux/xfrm.h | 1 +
> net/xfrm/xfrm_replay.c | 12 ++++++++----
> 2 files changed, 9 insertions(+), 4 deletions(-)
>
> diff --git a/include/uapi/linux/xfrm.h b/include/uapi/linux/xfrm.h
> index 5f3b9fec7b5f..4842b1ed49e9 100644
> --- a/include/uapi/linux/xfrm.h
> +++ b/include/uapi/linux/xfrm.h
> @@ -387,6 +387,7 @@ struct xfrm_usersa_info {
> };
>
> #define XFRM_SA_XFLAG_DONT_ENCAP_DSCP 1
> +#define XFRM_SA_XFLAG_NO_ANTI_REPLAY 2
>
> struct xfrm_usersa_id {
> xfrm_address_t daddr;
> diff --git a/net/xfrm/xfrm_replay.c b/net/xfrm/xfrm_replay.c
> index 98943f8d01aa..1602843aa2ec 100644
> --- a/net/xfrm/xfrm_replay.c
> +++ b/net/xfrm/xfrm_replay.c
> @@ -89,7 +89,8 @@ static int xfrm_replay_overflow(struct xfrm_state *x,
> struct sk_buff *skb)
> if (x->type->flags & XFRM_TYPE_REPLAY_PROT) {
> XFRM_SKB_CB(skb)->seq.output.low = ++x->replay.oseq;
> XFRM_SKB_CB(skb)->seq.output.hi = 0;
> - if (unlikely(x->replay.oseq == 0)) {
> + if (unlikely(x->replay.oseq == 0) &&
> + !(x->props.extra_flags & XFRM_SA_XFLAG_NO_ANTI_REPLAY)) {
> x->replay.oseq--;
> xfrm_audit_state_replay_overflow(x, skb);
> err = -EOVERFLOW;
> @@ -168,7 +169,8 @@ static int xfrm_replay_overflow_bmp(struct xfrm_state *x,
> struct sk_buff *skb)
> if (x->type->flags & XFRM_TYPE_REPLAY_PROT) {
> XFRM_SKB_CB(skb)->seq.output.low = ++replay_esn->oseq;
> XFRM_SKB_CB(skb)->seq.output.hi = 0;
> - if (unlikely(replay_esn->oseq == 0)) {
> + if (unlikely(replay_esn->oseq == 0) &&
> + !(x->props.extra_flags & XFRM_SA_XFLAG_NO_ANTI_REPLAY)) {
> replay_esn->oseq--;
> xfrm_audit_state_replay_overflow(x, skb);
> err = -EOVERFLOW;
> @@ -572,7 +574,8 @@ static int xfrm_replay_overflow_offload(struct xfrm_state
> *x, struct sk_buff *sk
>
> XFRM_SKB_CB(skb)->seq.output.hi = 0;
> xo->seq.hi = 0;
> - if (unlikely(oseq < x->replay.oseq)) {
> + if (unlikely(oseq < x->replay.oseq) &&
> + !(x->props.extra_flags & XFRM_SA_XFLAG_NO_ANTI_REPLAY)) {
> xfrm_audit_state_replay_overflow(x, skb);
> err = -EOVERFLOW;
>
> @@ -611,7 +614,8 @@ static int xfrm_replay_overflow_offload_bmp(struct
> xfrm_state *x, struct sk_buff
>
> XFRM_SKB_CB(skb)->seq.output.hi = 0;
> xo->seq.hi = 0;
> - if (unlikely(oseq < replay_esn->oseq)) {
> + if (unlikely(oseq < replay_esn->oseq) &&
> + !(x->props.extra_flags & XFRM_SA_XFLAG_NO_ANTI_REPLAY)) {
> xfrm_audit_state_replay_overflow(x, skb);
> err = -EOVERFLOW;
>
> --
> 2.26.2
>
