From: Leonard Crestez <cdleonard@gmail.com>
To: David Ahern <dsahern@kernel.org>,
Dmitry Safonov <0x7f454c46@gmail.com>,
Eric Dumazet <edumazet@google.com>
Cc: Francesco Ruggeri <fruggeri@arista.com>,
Shuah Khan <shuah@kernel.org>,
"David S. Miller" <davem@davemloft.net>,
Herbert Xu <herbert@gondor.apana.org.au>,
Kuniyuki Iwashima <kuniyu@amazon.co.jp>,
Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>,
Jakub Kicinski <kuba@kernel.org>,
Yuchung Cheng <ycheng@google.com>,
Mat Martineau <mathew.j.martineau@linux.intel.com>,
Christoph Paasch <cpaasch@apple.com>,
Ivan Delalande <colona@arista.com>,
Priyaranjan Jha <priyarjha@google.com>,
netdev@vger.kernel.org, linux-crypto@vger.kernel.org,
linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v3 09/18] tcp: ipv6: Add AO signing for tcp_v6_send_response
Date: Wed, 8 Dec 2021 13:37:24 +0200 [thread overview]
Message-ID: <0df999535ac5c76b75abcf8a0b0f40fa64c27a7f.1638962992.git.cdleonard@gmail.com> (raw)
In-Reply-To: <cover.1638962992.git.cdleonard@gmail.com>
This is a special code path for acks and resets outside of normal
connection establishment and closing.
Signed-off-by: Leonard Crestez <cdleonard@gmail.com>
---
net/ipv4/tcp_authopt.c | 2 ++
net/ipv6/tcp_ipv6.c | 57 ++++++++++++++++++++++++++++++++++++++++++
2 files changed, 59 insertions(+)
diff --git a/net/ipv4/tcp_authopt.c b/net/ipv4/tcp_authopt.c
index 05234923cb9f..f1213c7db63b 100644
--- a/net/ipv4/tcp_authopt.c
+++ b/net/ipv4/tcp_authopt.c
@@ -320,10 +320,11 @@ struct tcp_authopt_key_info *__tcp_authopt_select_key(const struct sock *sk,
const struct sock *addr_sk,
u8 *rnextkeyid)
{
return tcp_authopt_lookup_send(info, addr_sk, -1);
}
+EXPORT_SYMBOL(__tcp_authopt_select_key);
static struct tcp_authopt_info *__tcp_authopt_info_get_or_create(struct sock *sk)
{
struct tcp_sock *tp = tcp_sk(sk);
struct tcp_authopt_info *info;
@@ -1195,10 +1196,11 @@ int tcp_authopt_hash(char *hash_location,
* try to make it obvious inside the packet.
*/
memset(hash_location, 0, TCP_AUTHOPT_MACLEN);
return err;
}
+EXPORT_SYMBOL(tcp_authopt_hash);
static struct tcp_authopt_key_info *tcp_authopt_lookup_recv(struct sock *sk,
struct sk_buff *skb,
struct tcp_authopt_info *info,
int recv_id,
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index 3105a367d6b5..cd8544d08a36 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -886,10 +886,48 @@ const struct tcp_request_sock_ops tcp_request_sock_ipv6_ops = {
.init_seq = tcp_v6_init_seq,
.init_ts_off = tcp_v6_init_ts_off,
.send_synack = tcp_v6_send_synack,
};
+#ifdef CONFIG_TCP_AUTHOPT
+static int tcp_v6_send_response_init_authopt(const struct sock *sk,
+ struct tcp_authopt_info **info,
+ struct tcp_authopt_key_info **key,
+ u8 *rnextkeyid)
+{
+ /* Key lookup before SKB allocation */
+ if (!(tcp_authopt_needed && sk))
+ return 0;
+ if (sk->sk_state == TCP_TIME_WAIT)
+ *info = tcp_twsk(sk)->tw_authopt_info;
+ else
+ *info = rcu_dereference(tcp_sk(sk)->authopt_info);
+ if (!*info)
+ return 0;
+ *key = __tcp_authopt_select_key(sk, *info, sk, rnextkeyid);
+ if (*key)
+ return TCPOLEN_AUTHOPT_OUTPUT;
+ return 0;
+}
+
+static void tcp_v6_send_response_sign_authopt(const struct sock *sk,
+ struct tcp_authopt_info *info,
+ struct tcp_authopt_key_info *key,
+ struct sk_buff *skb,
+ struct tcphdr_authopt *ptr,
+ u8 rnextkeyid)
+{
+ if (!(tcp_authopt_needed && key))
+ return;
+ ptr->num = TCPOPT_AUTHOPT;
+ ptr->len = TCPOLEN_AUTHOPT_OUTPUT;
+ ptr->keyid = key->send_id;
+ ptr->rnextkeyid = rnextkeyid;
+ tcp_authopt_hash(ptr->mac, key, info, (struct sock *)sk, skb);
+}
+#endif
+
static void tcp_v6_send_response(const struct sock *sk, struct sk_buff *skb, u32 seq,
u32 ack, u32 win, u32 tsval, u32 tsecr,
int oif, struct tcp_md5sig_key *key, int rst,
u8 tclass, __be32 label, u32 priority)
{
@@ -901,13 +939,28 @@ static void tcp_v6_send_response(const struct sock *sk, struct sk_buff *skb, u32
struct sock *ctl_sk = net->ipv6.tcp_sk;
unsigned int tot_len = sizeof(struct tcphdr);
__be32 mrst = 0, *topt;
struct dst_entry *dst;
__u32 mark = 0;
+#ifdef CONFIG_TCP_AUTHOPT
+ struct tcp_authopt_info *aoinfo;
+ struct tcp_authopt_key_info *aokey;
+ u8 aornextkeyid;
+ int aolen;
+#endif
if (tsecr)
tot_len += TCPOLEN_TSTAMP_ALIGNED;
+#ifdef CONFIG_TCP_AUTHOPT
+ /* Key lookup before SKB allocation */
+ aolen = tcp_v6_send_response_init_authopt(sk, &aoinfo, &aokey, &aornextkeyid);
+ if (aolen) {
+ tot_len += aolen;
+ /* Don't use MD5 */
+ key = NULL;
+ }
+#endif
#ifdef CONFIG_TCP_MD5SIG
if (key)
tot_len += TCPOLEN_MD5SIG_ALIGNED;
#endif
@@ -960,10 +1013,14 @@ static void tcp_v6_send_response(const struct sock *sk, struct sk_buff *skb, u32
tcp_v6_md5_hash_hdr((__u8 *)topt, key,
&ipv6_hdr(skb)->saddr,
&ipv6_hdr(skb)->daddr, t1);
}
#endif
+#ifdef CONFIG_TCP_AUTHOPT
+ tcp_v6_send_response_sign_authopt(sk, aoinfo, aokey, buff,
+ (struct tcphdr_authopt *)topt, aornextkeyid);
+#endif
memset(&fl6, 0, sizeof(fl6));
fl6.daddr = ipv6_hdr(skb)->saddr;
fl6.saddr = ipv6_hdr(skb)->daddr;
fl6.flowlabel = label;
--
2.25.1
next prev parent reply other threads:[~2021-12-08 11:39 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-12-08 11:37 [PATCH v3 00/18] tcp: Initial support for RFC5925 auth option Leonard Crestez
2021-12-08 11:37 ` [PATCH v3 01/18] tcp: authopt: Initial support and key management Leonard Crestez
2021-12-08 11:37 ` [PATCH v3 02/18] docs: Add user documentation for tcp_authopt Leonard Crestez
2021-12-08 11:37 ` [PATCH v3 03/18] tcp: authopt: Add crypto initialization Leonard Crestez
2021-12-08 11:37 ` [PATCH v3 04/18] tcp: md5: Refactor tcp_sig_hash_skb_data for AO Leonard Crestez
2021-12-08 11:37 ` [PATCH v3 05/18] tcp: authopt: Compute packet signatures Leonard Crestez
2021-12-08 11:37 ` [PATCH v3 06/18] tcp: authopt: Hook into tcp core Leonard Crestez
2021-12-08 16:45 ` kernel test robot
2021-12-08 20:39 ` kernel test robot
2021-12-08 20:39 ` kernel test robot
2021-12-09 12:58 ` kernel test robot
2021-12-08 11:37 ` [PATCH v3 07/18] tcp: authopt: Disable via sysctl by default Leonard Crestez
2021-12-08 11:37 ` [PATCH v3 08/18] tcp: authopt: Implement Sequence Number Extension Leonard Crestez
2021-12-08 11:37 ` Leonard Crestez [this message]
2021-12-08 21:30 ` [PATCH v3 09/18] tcp: ipv6: Add AO signing for tcp_v6_send_response kernel test robot
2021-12-08 11:37 ` [PATCH v3 10/18] tcp: authopt: Add support for signing skb-less replies Leonard Crestez
2021-12-08 11:37 ` [PATCH v3 11/18] tcp: ipv4: Add AO signing for " Leonard Crestez
2021-12-08 23:37 ` kernel test robot
2021-12-09 15:02 ` kernel test robot
2021-12-08 11:37 ` [PATCH v3 12/18] tcp: authopt: Add key selection controls Leonard Crestez
2021-12-09 16:57 ` kernel test robot
2021-12-08 11:37 ` [PATCH v3 13/18] tcp: authopt: Add initial l3index support Leonard Crestez
2021-12-08 11:37 ` [PATCH v3 14/18] tcp: authopt: Add NOSEND/NORECV flags Leonard Crestez
2021-12-08 11:37 ` [PATCH v3 15/18] tcp: authopt: Add prefixlen support Leonard Crestez
2021-12-09 19:01 ` kernel test robot
2021-12-08 11:37 ` [PATCH v3 16/18] selftests: nettest: Rename md5_prefix to key_addr_prefix Leonard Crestez
2021-12-08 11:37 ` [PATCH v3 17/18] selftests: nettest: Initial tcp_authopt support Leonard Crestez
2021-12-08 11:37 ` [PATCH v3 18/18] selftests: net/fcnal: " Leonard Crestez
2021-12-13 10:31 ` [PATCH v3 00/18] tcp: Initial support for RFC5925 auth option Leonard Crestez
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=0df999535ac5c76b75abcf8a0b0f40fa64c27a7f.1638962992.git.cdleonard@gmail.com \
--to=cdleonard@gmail.com \
--cc=0x7f454c46@gmail.com \
--cc=colona@arista.com \
--cc=cpaasch@apple.com \
--cc=davem@davemloft.net \
--cc=dsahern@kernel.org \
--cc=edumazet@google.com \
--cc=fruggeri@arista.com \
--cc=herbert@gondor.apana.org.au \
--cc=kuba@kernel.org \
--cc=kuniyu@amazon.co.jp \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=mathew.j.martineau@linux.intel.com \
--cc=netdev@vger.kernel.org \
--cc=priyarjha@google.com \
--cc=shuah@kernel.org \
--cc=ycheng@google.com \
--cc=yoshfuji@linux-ipv6.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.