From: Leonard Crestez <cdleonard@gmail.com>
To: David Ahern <dsahern@kernel.org>,
Eric Dumazet <edumazet@google.com>,
Philip Paeps <philip@trouble.is>
Cc: Dmitry Safonov <0x7f454c46@gmail.com>,
Shuah Khan <shuah@kernel.org>,
"David S. Miller" <davem@davemloft.net>,
Herbert Xu <herbert@gondor.apana.org.au>,
Kuniyuki Iwashima <kuniyu@amazon.co.jp>,
Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>,
Jakub Kicinski <kuba@kernel.org>,
Yuchung Cheng <ycheng@google.com>,
Francesco Ruggeri <fruggeri@arista.com>,
Mat Martineau <mathew.j.martineau@linux.intel.com>,
Christoph Paasch <cpaasch@apple.com>,
Ivan Delalande <colona@arista.com>,
Caowangbao <caowangbao@huawei.com>,
Priyaranjan Jha <priyarjha@google.com>,
netdev@vger.kernel.org, linux-crypto@vger.kernel.org,
linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v7 24/26] tcp: authopt: Initial support for TCP_AUTHOPT_FLAG_ACTIVE
Date: Thu, 18 Aug 2022 22:59:58 +0300 [thread overview]
Message-ID: <90190ecf8d995e662e43da21f33147ffcb4e5ad5.1660852705.git.cdleonard@gmail.com> (raw)
In-Reply-To: <cover.1660852705.git.cdleonard@gmail.com>
This can be used to determine if tcp authentication option is actually
active on the current connection.
TCP Authentication can be enabled but inactive on a socket if keys are
only configured for destinations other than the peer.
A listen socket with authentication enabled will return other sockets
with authentication enabled on accept(). If no key is configured for the
peer of an accepted socket then authentication will be inactive.
Signed-off-by: Leonard Crestez <cdleonard@gmail.com>
---
include/uapi/linux/tcp.h | 13 +++++++++++++
net/ipv4/tcp_authopt.c | 22 +++++++++++++++++++---
2 files changed, 32 insertions(+), 3 deletions(-)
diff --git a/include/uapi/linux/tcp.h b/include/uapi/linux/tcp.h
index b1063e1e1b9f..5ca8aa9d5e43 100644
--- a/include/uapi/linux/tcp.h
+++ b/include/uapi/linux/tcp.h
@@ -367,10 +367,23 @@ enum tcp_authopt_flag {
* Configure behavior of segments with TCP-AO coming from hosts for which no
* key is configured. The default recommended by RFC is to silently accept
* such connections.
*/
TCP_AUTHOPT_FLAG_REJECT_UNEXPECTED = (1 << 2),
+ /**
+ * @TCP_AUTHOPT_FLAG_ACTIVE: If authentication is active for a specific socket.
+ *
+ * TCP Authentication can be enabled but inactive on a socket if keys are
+ * only configured for destinations other than the peer.
+ *
+ * A listen socket with authentication enabled will return other sockets
+ * with authentication enabled on accept(). If no key is configured for the
+ * peer of an accepted socket then authentication will be inactive.
+ *
+ * This flag is readonly and the value is determined at connection establishment time.
+ */
+ TCP_AUTHOPT_FLAG_ACTIVE = (1 << 3),
};
/**
* struct tcp_authopt - Per-socket options related to TCP Authentication Option
*/
diff --git a/net/ipv4/tcp_authopt.c b/net/ipv4/tcp_authopt.c
index 9aa3aea25a97..bbdc5f68ab56 100644
--- a/net/ipv4/tcp_authopt.c
+++ b/net/ipv4/tcp_authopt.c
@@ -554,15 +554,23 @@ static struct tcp_authopt_info *__tcp_authopt_info_get_or_create(struct sock *sk
rcu_assign_pointer(tp->authopt_info, info);
return info;
}
-#define TCP_AUTHOPT_KNOWN_FLAGS ( \
+/* Flags fully controlled by user: */
+#define TCP_AUTHOPT_USER_FLAGS ( \
TCP_AUTHOPT_FLAG_LOCK_KEYID | \
TCP_AUTHOPT_FLAG_LOCK_RNEXTKEYID | \
TCP_AUTHOPT_FLAG_REJECT_UNEXPECTED)
+/* All known flags */
+#define TCP_AUTHOPT_KNOWN_FLAGS ( \
+ TCP_AUTHOPT_FLAG_LOCK_KEYID | \
+ TCP_AUTHOPT_FLAG_LOCK_RNEXTKEYID | \
+ TCP_AUTHOPT_FLAG_REJECT_UNEXPECTED | \
+ TCP_AUTHOPT_FLAG_ACTIVE)
+
/* Like copy_from_sockptr except tolerate different optlen for compatibility reasons
*
* If the src is shorter then it's from an old userspace and the rest of dst is
* filled with zeros.
*
@@ -627,11 +635,11 @@ int tcp_set_authopt(struct sock *sk, sockptr_t optval, unsigned int optlen)
info = __tcp_authopt_info_get_or_create(sk);
if (IS_ERR(info))
return PTR_ERR(info);
- info->flags = opt.flags & TCP_AUTHOPT_KNOWN_FLAGS;
+ info->flags = opt.flags & TCP_AUTHOPT_USER_FLAGS;
if (opt.flags & TCP_AUTHOPT_FLAG_LOCK_KEYID)
info->send_keyid = opt.send_keyid;
if (opt.flags & TCP_AUTHOPT_FLAG_LOCK_RNEXTKEYID)
info->send_rnextkeyid = opt.send_rnextkeyid;
@@ -641,10 +649,11 @@ int tcp_set_authopt(struct sock *sk, sockptr_t optval, unsigned int optlen)
int tcp_get_authopt_val(struct sock *sk, struct tcp_authopt *opt)
{
struct tcp_sock *tp = tcp_sk(sk);
struct tcp_authopt_info *info;
struct tcp_authopt_key_info *send_key;
+ bool anykey = false;
int err;
memset(opt, 0, sizeof(*opt));
sock_owned_by_me(sk);
err = check_sysctl_tcp_authopt();
@@ -653,11 +662,18 @@ int tcp_get_authopt_val(struct sock *sk, struct tcp_authopt *opt)
info = rcu_dereference_check(tp->authopt_info, lockdep_sock_is_held(sk));
if (!info)
return -ENOENT;
- opt->flags = info->flags & TCP_AUTHOPT_KNOWN_FLAGS;
+ opt->flags = info->flags & TCP_AUTHOPT_USER_FLAGS;
+
+ rcu_read_lock();
+ tcp_authopt_lookup_send(sock_net_tcp_authopt(sk), sk, -1, &anykey);
+ if (anykey)
+ opt->flags |= TCP_AUTHOPT_FLAG_ACTIVE;
+ rcu_read_unlock();
+
/* These keyids might be undefined, for example before connect.
* Reporting zero is not strictly correct because there are no reserved
* values.
*/
send_key = rcu_dereference_check(info->send_key, lockdep_sock_is_held(sk));
--
2.25.1
next prev parent reply other threads:[~2022-08-18 20:05 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-08-18 19:59 [PATCH v7 00/26] tcp: Initial support for RFC5925 auth option Leonard Crestez
2022-08-18 19:59 ` [PATCH v7 01/26] tcp: authopt: Initial support and key management Leonard Crestez
2022-08-18 19:59 ` [PATCH v7 02/26] docs: Add user documentation for tcp_authopt Leonard Crestez
2022-08-18 19:59 ` [PATCH v7 03/26] tcp: authopt: Add crypto initialization Leonard Crestez
2022-08-18 19:59 ` [PATCH v7 04/26] tcp: Refactor tcp_sig_hash_skb_data for AO Leonard Crestez
2022-08-18 19:59 ` [PATCH v7 05/26] tcp: authopt: Compute packet signatures Leonard Crestez
2022-08-18 19:59 ` [PATCH v7 06/26] tcp: Refactor tcp_inbound_md5_hash into tcp_inbound_sig_hash Leonard Crestez
2022-08-18 19:59 ` [PATCH v7 07/26] tcp: authopt: Hook into tcp core Leonard Crestez
2022-08-18 19:59 ` [PATCH v7 08/26] tcp: authopt: Disable via sysctl by default Leonard Crestez
2022-08-18 19:59 ` [PATCH v7 09/26] tcp: authopt: Implement Sequence Number Extension Leonard Crestez
2022-08-18 19:59 ` [PATCH v7 10/26] tcp: ipv6: Add AO signing for tcp_v6_send_response Leonard Crestez
2022-08-18 19:59 ` [PATCH v7 11/26] tcp: authopt: Add support for signing skb-less replies Leonard Crestez
2022-08-18 19:59 ` [PATCH v7 12/26] tcp: ipv4: Add AO signing for " Leonard Crestez
2022-08-18 19:59 ` [PATCH v7 13/26] tcp: authopt: Add key selection controls Leonard Crestez
2022-08-18 19:59 ` [PATCH v7 14/26] tcp: authopt: Add initial l3index support Leonard Crestez
2022-08-18 19:59 ` [PATCH v7 15/26] tcp: authopt: Add NOSEND/NORECV flags Leonard Crestez
2022-08-18 19:59 ` [PATCH v7 16/26] tcp: authopt: Add prefixlen support Leonard Crestez
2022-08-18 19:59 ` [PATCH v7 17/26] tcp: authopt: Add v4mapped ipv6 address support Leonard Crestez
2022-08-18 19:59 ` [PATCH v7 18/26] tcp: authopt: Add /proc/net/tcp_authopt listing all keys Leonard Crestez
2022-08-18 19:59 ` [PATCH v7 19/26] selftests: nettest: Rename md5_prefix to key_addr_prefix Leonard Crestez
2022-08-18 19:59 ` [PATCH v7 20/26] selftests: nettest: Initial tcp_authopt support Leonard Crestez
2022-08-18 19:59 ` [PATCH v7 21/26] selftests: net/fcnal: " Leonard Crestez
2022-08-18 19:59 ` [PATCH v7 22/26] tcp: authopt: Try to respect rnextkeyid from SYN on SYNACK Leonard Crestez
2022-08-18 19:59 ` [PATCH v7 23/26] tcp: authopt: tcp_authopt_lookup_send: Add anykey output param Leonard Crestez
2022-08-18 19:59 ` Leonard Crestez [this message]
2022-08-18 19:59 ` [PATCH v7 25/26] tcp: authopt: If no keys are valid for send report an error Leonard Crestez
2022-08-18 20:00 ` [PATCH v7 26/26] tcp: authopt: Initial implementation of TCP_REPAIR_AUTHOPT Leonard Crestez
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=90190ecf8d995e662e43da21f33147ffcb4e5ad5.1660852705.git.cdleonard@gmail.com \
--to=cdleonard@gmail.com \
--cc=0x7f454c46@gmail.com \
--cc=caowangbao@huawei.com \
--cc=colona@arista.com \
--cc=cpaasch@apple.com \
--cc=davem@davemloft.net \
--cc=dsahern@kernel.org \
--cc=edumazet@google.com \
--cc=fruggeri@arista.com \
--cc=herbert@gondor.apana.org.au \
--cc=kuba@kernel.org \
--cc=kuniyu@amazon.co.jp \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=mathew.j.martineau@linux.intel.com \
--cc=netdev@vger.kernel.org \
--cc=philip@trouble.is \
--cc=priyarjha@google.com \
--cc=shuah@kernel.org \
--cc=ycheng@google.com \
--cc=yoshfuji@linux-ipv6.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).