From: Dmitry Safonov <dima@arista.com>
To: linux-kernel@vger.kernel.org, David Ahern <dsahern@kernel.org>,
Eric Dumazet <edumazet@google.com>
Cc: Dmitry Safonov <dima@arista.com>,
Andy Lutomirski <luto@amacapital.net>,
Ard Biesheuvel <ardb@kernel.org>,
Bob Gilligan <gilligan@arista.com>,
Dan Carpenter <dan.carpenter@oracle.com>,
"David S. Miller" <davem@davemloft.net>,
Dmitry Safonov <0x7f454c46@gmail.com>,
Eric Biggers <ebiggers@kernel.org>,
"Eric W. Biederman" <ebiederm@xmission.com>,
Francesco Ruggeri <fruggeri@arista.com>,
Herbert Xu <herbert@gondor.apana.org.au>,
Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>,
Ivan Delalande <colona@arista.com>,
Jakub Kicinski <kuba@kernel.org>,
Leonard Crestez <cdleonard@gmail.com>,
Paolo Abeni <pabeni@redhat.com>,
Salam Noureddine <noureddine@arista.com>,
Shuah Khan <shuah@kernel.org>,
netdev@vger.kernel.org, linux-crypto@vger.kernel.org
Subject: [PATCH v3 12/36] net/tcp: Add tcp_parse_auth_options()
Date: Thu, 27 Oct 2022 21:43:23 +0100 [thread overview]
Message-ID: <20221027204347.529913-13-dima@arista.com> (raw)
In-Reply-To: <20221027204347.529913-1-dima@arista.com>
Introduce a helper that:
(1) shares the common code with TCP-MD5 header options parsing
(2) looks for hash signature only once for both TCP-MD5 and TCP-AO
(3) fails with -EEXIST if any TCP sign option is present twice, see
RFC5925 (2.2):
">> A single TCP segment MUST NOT have more than one TCP-AO in its
options sequence. When multiple TCP-AOs appear, TCP MUST discard
the segment."
Co-developed-by: Francesco Ruggeri <fruggeri@arista.com>
Signed-off-by: Francesco Ruggeri <fruggeri@arista.com>
Co-developed-by: Salam Noureddine <noureddine@arista.com>
Signed-off-by: Salam Noureddine <noureddine@arista.com>
Signed-off-by: Dmitry Safonov <dima@arista.com>
---
include/net/tcp.h | 24 +++++++++++++++++++++++-
include/net/tcp_ao.h | 17 ++++++++++++++++-
net/ipv4/tcp.c | 3 ++-
net/ipv4/tcp_input.c | 39 +++++++++++++++++++++++++++++----------
net/ipv4/tcp_ipv4.c | 15 ++++++++++-----
net/ipv6/tcp_ipv6.c | 11 +++++++----
6 files changed, 87 insertions(+), 22 deletions(-)
diff --git a/include/net/tcp.h b/include/net/tcp.h
index f3d1e7370461..d2395ae7484c 100644
--- a/include/net/tcp.h
+++ b/include/net/tcp.h
@@ -435,7 +435,6 @@ int tcp_mmap(struct file *file, struct socket *sock,
void tcp_parse_options(const struct net *net, const struct sk_buff *skb,
struct tcp_options_received *opt_rx,
int estab, struct tcp_fastopen_cookie *foc);
-const u8 *tcp_parse_md5sig_option(const struct tcphdr *th);
/*
* BPF SKB-less helpers
@@ -2477,4 +2476,27 @@ static inline u64 tcp_transmit_time(const struct sock *sk)
return 0;
}
+static inline int tcp_parse_auth_options(const struct tcphdr *th,
+ const u8 **md5_hash, const struct tcp_ao_hdr **aoh)
+{
+ const u8 *md5_tmp, *ao_tmp;
+ int ret;
+
+ ret = tcp_do_parse_auth_options(th, &md5_tmp, &ao_tmp);
+ if (ret)
+ return ret;
+
+ if (md5_hash)
+ *md5_hash = md5_tmp;
+
+ if (aoh) {
+ if (!ao_tmp)
+ *aoh = NULL;
+ else
+ *aoh = (struct tcp_ao_hdr *)(ao_tmp - 2);
+ }
+
+ return 0;
+}
+
#endif /* _TCP_H */
diff --git a/include/net/tcp_ao.h b/include/net/tcp_ao.h
index f840b693d038..7b38ac70416f 100644
--- a/include/net/tcp_ao.h
+++ b/include/net/tcp_ao.h
@@ -150,7 +150,9 @@ int tcp_v6_parse_ao(struct sock *sk, int cmd,
sockptr_t optval, int optlen);
void tcp_ao_finish_connect(struct sock *sk, struct sk_buff *skb);
void tcp_ao_connect_init(struct sock *sk);
-
+void tcp_ao_syncookie(struct sock *sk, const struct sk_buff *skb,
+ struct tcp_request_sock *treq,
+ unsigned short int family);
#else /* CONFIG_TCP_AO */
static inline struct tcp_ao_key *tcp_ao_do_lookup(const struct sock *sk,
@@ -173,4 +175,17 @@ static inline void tcp_ao_connect_init(struct sock *sk)
}
#endif
+#if defined(CONFIG_TCP_MD5SIG) || defined(CONFIG_TCP_AO)
+int tcp_do_parse_auth_options(const struct tcphdr *th,
+ const u8 **md5_hash, const u8 **ao_hash);
+#else
+static int tcp_do_parse_auth_options(const struct tcphdr *th,
+ const u8 **md5_hash, const u8 **ao_hash)
+{
+ *md5_hash = NULL;
+ *ao_hash = NULL;
+ return 0;
+}
+#endif
+
#endif /* _TCP_AO_H */
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 27662c9b0870..875149817036 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -4538,7 +4538,8 @@ tcp_inbound_md5_hash(const struct sock *sk, const struct sk_buff *skb,
l3index = sdif ? dif : 0;
hash_expected = tcp_md5_do_lookup(sk, l3index, saddr, family);
- hash_location = tcp_parse_md5sig_option(th);
+ if (tcp_parse_auth_options(th, &hash_location, NULL))
+ return true;
/* We've parsed the options - do we have a hash? */
if (!hash_expected && !hash_location)
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 0e753a2f84e4..a7c3823cd052 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -4201,39 +4201,58 @@ static bool tcp_fast_parse_options(const struct net *net,
return true;
}
-#ifdef CONFIG_TCP_MD5SIG
+#if defined(CONFIG_TCP_MD5SIG) || defined(CONFIG_TCP_AO)
/*
- * Parse MD5 Signature option
+ * Parse Signature options
*/
-const u8 *tcp_parse_md5sig_option(const struct tcphdr *th)
+int tcp_do_parse_auth_options(const struct tcphdr *th,
+ const u8 **md5_hash, const u8 **ao_hash)
{
int length = (th->doff << 2) - sizeof(*th);
const u8 *ptr = (const u8 *)(th + 1);
+ unsigned int minlen = TCPOLEN_MD5SIG;
+
+ if (IS_ENABLED(CONFIG_TCP_AO))
+ minlen = sizeof(struct tcp_ao_hdr) + 1;
+
+ *md5_hash = NULL;
+ *ao_hash = NULL;
/* If not enough data remaining, we can short cut */
- while (length >= TCPOLEN_MD5SIG) {
+ while (length >= minlen) {
int opcode = *ptr++;
int opsize;
switch (opcode) {
case TCPOPT_EOL:
- return NULL;
+ return 0;
case TCPOPT_NOP:
length--;
continue;
default:
opsize = *ptr++;
if (opsize < 2 || opsize > length)
- return NULL;
- if (opcode == TCPOPT_MD5SIG)
- return opsize == TCPOLEN_MD5SIG ? ptr : NULL;
+ return -EINVAL;
+ if (opcode == TCPOPT_MD5SIG) {
+ if (opsize != TCPOLEN_MD5SIG)
+ return -EINVAL;
+ if (unlikely(*md5_hash || *ao_hash))
+ return -EEXIST;
+ *md5_hash = ptr;
+ } else if (opcode == TCPOPT_AO) {
+ if (opsize <= sizeof(struct tcp_ao_hdr))
+ return -EINVAL;
+ if (unlikely(*md5_hash || *ao_hash))
+ return -EEXIST;
+ *ao_hash = ptr;
+ }
}
ptr += opsize - 2;
length -= opsize;
}
- return NULL;
+ return 0;
}
-EXPORT_SYMBOL(tcp_parse_md5sig_option);
+EXPORT_SYMBOL(tcp_do_parse_auth_options);
#endif
/* Sorry, PAWS as specified is broken wrt. pure-ACKs -DaveM
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index ee9efaa9d8d5..1c014b326ee6 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -680,7 +680,9 @@ EXPORT_SYMBOL(tcp_v4_send_check);
* Exception: precedence violation. We do not implement it in any case.
*/
-#ifdef CONFIG_TCP_MD5SIG
+#ifdef CONFIG_TCP_AO
+#define OPTION_BYTES MAX_TCP_OPTION_SPACE
+#elif defined(CONFIG_TCP_MD5SIG)
#define OPTION_BYTES TCPOLEN_MD5SIG_ALIGNED
#else
#define OPTION_BYTES sizeof(__be32)
@@ -696,7 +698,7 @@ static void tcp_v4_send_reset(const struct sock *sk, struct sk_buff *skb)
struct ip_reply_arg arg;
#ifdef CONFIG_TCP_MD5SIG
struct tcp_md5sig_key *key = NULL;
- const __u8 *hash_location = NULL;
+ const __u8 *md5_hash_location = NULL;
unsigned char newhash[16];
int genhash;
struct sock *sk1 = NULL;
@@ -736,8 +738,11 @@ static void tcp_v4_send_reset(const struct sock *sk, struct sk_buff *skb)
net = sk ? sock_net(sk) : dev_net(skb_dst(skb)->dev);
#ifdef CONFIG_TCP_MD5SIG
+ /* Invalid TCP option size or twice included auth */
+ if (tcp_parse_auth_options(tcp_hdr(skb), &md5_hash_location, NULL))
+ return;
+
rcu_read_lock();
- hash_location = tcp_parse_md5sig_option(th);
if (sk && sk_fullsock(sk)) {
const union tcp_md5_addr *addr;
int l3index;
@@ -748,7 +753,7 @@ static void tcp_v4_send_reset(const struct sock *sk, struct sk_buff *skb)
l3index = tcp_v4_sdif(skb) ? inet_iif(skb) : 0;
addr = (union tcp_md5_addr *)&ip_hdr(skb)->saddr;
key = tcp_md5_do_lookup(sk, l3index, addr, AF_INET);
- } else if (hash_location) {
+ } else if (md5_hash_location) {
const union tcp_md5_addr *addr;
int sdif = tcp_v4_sdif(skb);
int dif = inet_iif(skb);
@@ -780,7 +785,7 @@ static void tcp_v4_send_reset(const struct sock *sk, struct sk_buff *skb)
genhash = tcp_v4_md5_hash_skb(newhash, key, NULL, skb);
- if (genhash || memcmp(hash_location, newhash, 16) != 0)
+ if (genhash || memcmp(md5_hash_location, newhash, 16) != 0)
goto out;
}
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index bb2b21965911..58a77515aa27 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -1000,7 +1000,7 @@ static void tcp_v6_send_reset(const struct sock *sk, struct sk_buff *skb)
u32 seq = 0, ack_seq = 0;
struct tcp_md5sig_key *key = NULL;
#ifdef CONFIG_TCP_MD5SIG
- const __u8 *hash_location = NULL;
+ const __u8 *md5_hash_location = NULL;
unsigned char newhash[16];
int genhash;
struct sock *sk1 = NULL;
@@ -1022,8 +1022,11 @@ static void tcp_v6_send_reset(const struct sock *sk, struct sk_buff *skb)
net = sk ? sock_net(sk) : dev_net(skb_dst(skb)->dev);
#ifdef CONFIG_TCP_MD5SIG
+ /* Invalid TCP option size or twice included auth */
+ if (tcp_parse_auth_options(th, &md5_hash_location, NULL))
+ return;
+
rcu_read_lock();
- hash_location = tcp_parse_md5sig_option(th);
if (sk && sk_fullsock(sk)) {
int l3index;
@@ -1032,7 +1035,7 @@ static void tcp_v6_send_reset(const struct sock *sk, struct sk_buff *skb)
*/
l3index = tcp_v6_sdif(skb) ? tcp_v6_iif_l3_slave(skb) : 0;
key = tcp_v6_md5_do_lookup(sk, &ipv6h->saddr, l3index);
- } else if (hash_location) {
+ } else if (md5_hash_location) {
int dif = tcp_v6_iif_l3_slave(skb);
int sdif = tcp_v6_sdif(skb);
int l3index;
@@ -1061,7 +1064,7 @@ static void tcp_v6_send_reset(const struct sock *sk, struct sk_buff *skb)
goto out;
genhash = tcp_v6_md5_hash_skb(newhash, key, NULL, skb);
- if (genhash || memcmp(hash_location, newhash, 16) != 0)
+ if (genhash || memcmp(md5_hash_location, newhash, 16) != 0)
goto out;
}
#endif
--
2.38.1
next prev parent reply other threads:[~2022-10-27 20:47 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-10-27 20:43 [PATCH v3 00/36] net/tcp: Add TCP-AO support Dmitry Safonov
2022-10-27 20:43 ` [PATCH v3 01/36] crypto: Introduce crypto_pool Dmitry Safonov
2022-10-27 20:43 ` [PATCH v3 02/36] crypto_pool: Add crypto_pool_reserve_scratch() Dmitry Safonov
2022-10-28 7:06 ` kernel test robot
2022-10-27 20:43 ` [PATCH v3 03/36] net/tcp: Separate tcp_md5sig_info allocation into tcp_md5sig_info_add() Dmitry Safonov
2022-10-27 20:43 ` [PATCH v3 04/36] net/tcp: Disable TCP-MD5 static key on tcp_md5sig_info destruction Dmitry Safonov
2022-10-27 20:43 ` [PATCH v3 05/36] net/tcp: Use crypto_pool for TCP-MD5 Dmitry Safonov
2022-10-27 20:43 ` [PATCH v3 06/36] net/ipv6: sr: Switch to using crypto_pool Dmitry Safonov
2022-10-27 20:43 ` [PATCH v3 07/36] tcp: Add TCP-AO config and structures Dmitry Safonov
2022-10-27 20:43 ` [PATCH v3 08/36] net/tcp: Introduce TCP_AO setsockopt()s Dmitry Safonov
2022-10-27 20:43 ` [PATCH v3 09/36] net/tcp: Prevent TCP-MD5 with TCP-AO being set Dmitry Safonov
2022-10-27 20:43 ` [PATCH v3 10/36] net/tcp: Calculate TCP-AO traffic keys Dmitry Safonov
2022-10-28 8:07 ` kernel test robot
2022-10-27 20:43 ` [PATCH v3 11/36] net/tcp: Add TCP-AO sign to outgoing packets Dmitry Safonov
2022-10-27 20:43 ` Dmitry Safonov [this message]
2022-10-27 20:43 ` [PATCH v3 13/36] net/tcp: Add AO sign to RST packets Dmitry Safonov
2022-10-27 20:43 ` [PATCH v3 14/36] net/tcp: Add TCP-AO sign to twsk Dmitry Safonov
2022-10-27 20:43 ` [PATCH v3 15/36] net/tcp: Wire TCP-AO to request sockets Dmitry Safonov
2022-10-27 20:43 ` [PATCH v3 16/36] net/tcp: Sign SYN-ACK segments with TCP-AO Dmitry Safonov
2022-10-27 20:43 ` [PATCH v3 17/36] net/tcp: Verify inbound TCP-AO signed segments Dmitry Safonov
2022-10-28 5:15 ` kernel test robot
2022-10-27 20:43 ` [PATCH v3 18/36] net/tcp: Add TCP-AO segments counters Dmitry Safonov
2022-10-27 20:43 ` [PATCH v3 19/36] net/tcp: Add TCP-AO SNE support Dmitry Safonov
2022-10-27 20:43 ` [PATCH v3 20/36] net/tcp: Add tcp_hash_fail() ratelimited logs Dmitry Safonov
2022-10-27 20:43 ` [PATCH v3 21/36] net/tcp: Ignore specific ICMPs for TCP-AO connections Dmitry Safonov
2022-10-27 20:43 ` [PATCH v3 22/36] net/tcp: Add option for TCP-AO to (not) hash header Dmitry Safonov
2022-10-27 20:43 ` [PATCH v3 23/36] net/tcp: Add getsockopt(TCP_AO_GET) Dmitry Safonov
2022-10-27 20:43 ` [PATCH v3 24/36] net/tcp: Allow asynchronous delete for TCP-AO keys (MKTs) Dmitry Safonov
2022-10-27 20:43 ` [PATCH v3 25/36] net/tcp-ao: Add static_key for TCP-AO Dmitry Safonov
2022-10-27 20:43 ` [PATCH v3 26/36] selftests/net: Add TCP-AO library Dmitry Safonov
2022-10-27 20:43 ` [PATCH v3 27/36] selftests/net: Verify that TCP-AO complies with ignoring ICMPs Dmitry Safonov
2022-10-27 20:43 ` [PATCH v3 28/36] selftest/net: Add TCP-AO ICMPs accept test Dmitry Safonov
2022-10-27 20:43 ` [PATCH v3 29/36] selftest/tcp-ao: Add a test for MKT matching Dmitry Safonov
2022-10-27 20:43 ` [PATCH v3 30/36] selftest/tcp-ao: Add test for TCP-AO add setsockopt() command Dmitry Safonov
2022-10-27 20:43 ` [PATCH v3 31/36] selftests/tcp-ao: Add TCP-AO + TCP-MD5 + no sign listen socket tests Dmitry Safonov
2022-10-27 20:43 ` [PATCH v3 32/36] selftests/aolib: Add test/benchmark for removing MKTs Dmitry Safonov
2022-10-27 20:43 ` [PATCH v3 33/36] selftests/nettest: Remove client_pw Dmitry Safonov
2022-10-27 20:43 ` [PATCH v3 34/36] selftest/nettest: Rename md5_prefix* => auth_prefix* Dmitry Safonov
2022-10-27 20:43 ` [PATCH v3 35/36] selftests/nettest: Add TCP-AO support Dmitry Safonov
2022-10-27 20:43 ` [PATCH v3 36/36] selftests/fcnal-test.sh: Add TCP-AO tests Dmitry Safonov
2022-11-01 2:22 ` [PATCH v3 00/36] net/tcp: Add TCP-AO support David Ahern
2022-11-01 17:35 ` Dmitry Safonov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20221027204347.529913-13-dima@arista.com \
--to=dima@arista.com \
--cc=0x7f454c46@gmail.com \
--cc=ardb@kernel.org \
--cc=cdleonard@gmail.com \
--cc=colona@arista.com \
--cc=dan.carpenter@oracle.com \
--cc=davem@davemloft.net \
--cc=dsahern@kernel.org \
--cc=ebiederm@xmission.com \
--cc=ebiggers@kernel.org \
--cc=edumazet@google.com \
--cc=fruggeri@arista.com \
--cc=gilligan@arista.com \
--cc=herbert@gondor.apana.org.au \
--cc=kuba@kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=netdev@vger.kernel.org \
--cc=noureddine@arista.com \
--cc=pabeni@redhat.com \
--cc=shuah@kernel.org \
--cc=yoshfuji@linux-ipv6.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).