netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Leonard Crestez <cdleonard@gmail.com>
To: David Ahern <dsahern@kernel.org>,
	Eric Dumazet <edumazet@google.com>,
	Philip Paeps <philip@trouble.is>
Cc: Dmitry Safonov <0x7f454c46@gmail.com>,
	Shuah Khan <shuah@kernel.org>,
	"David S. Miller" <davem@davemloft.net>,
	Herbert Xu <herbert@gondor.apana.org.au>,
	Kuniyuki Iwashima <kuniyu@amazon.co.jp>,
	Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>,
	Jakub Kicinski <kuba@kernel.org>,
	Yuchung Cheng <ycheng@google.com>,
	Francesco Ruggeri <fruggeri@arista.com>,
	Mat Martineau <mathew.j.martineau@linux.intel.com>,
	Christoph Paasch <cpaasch@apple.com>,
	Ivan Delalande <colona@arista.com>,
	Caowangbao <caowangbao@huawei.com>,
	Priyaranjan Jha <priyarjha@google.com>,
	netdev@vger.kernel.org, linux-crypto@vger.kernel.org,
	linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v6 23/26] tcp: authopt: tcp_authopt_lookup_send: Add anykey output param
Date: Tue, 26 Jul 2022 09:15:25 +0300	[thread overview]
Message-ID: <41bf8fc3faad75a520cd786af14f6924625dcc3e.1658815925.git.cdleonard@gmail.com> (raw)
In-Reply-To: <cover.1658815925.git.cdleonard@gmail.com>

The anykey param can be used to distinguish between "no keys configured"
and "no keys valid". The former case should result in unsigned traffic
while the latter should result in an error.

Signed-off-by: Leonard Crestez <cdleonard@gmail.com>
---
 net/ipv4/tcp_authopt.c | 28 ++++++++++++++++++----------
 1 file changed, 18 insertions(+), 10 deletions(-)

diff --git a/net/ipv4/tcp_authopt.c b/net/ipv4/tcp_authopt.c
index 3596fc1fb770..1fd665c43b5d 100644
--- a/net/ipv4/tcp_authopt.c
+++ b/net/ipv4/tcp_authopt.c
@@ -378,38 +378,42 @@ static bool better_key_match(struct tcp_authopt_key_info *old, struct tcp_authop
  * tcp_authopt_lookup_send - lookup key for sending
  *
  * @net: Per-namespace information containing keys
  * @addr_sk: Socket used for destination address lookup
  * @send_id: Optional send_id. If >= 0 then only return keys that match
+ * @anykey: Set to true if any keys are present for the peer
  *
  * If anykey is false then authentication is not required for peer.
  *
  * If anykey is true but no key was found then all our keys must be expired and sending should fail.
  */
 static struct tcp_authopt_key_info *tcp_authopt_lookup_send(struct netns_tcp_authopt *net,
 							    const struct sock *addr_sk,
-							    int send_id)
+							    int send_id,
+							    bool *anykey)
 {
 	struct tcp_authopt_key_info *result = NULL;
 	struct tcp_authopt_key_info *key;
 	int l3index = -1;
 
 	hlist_for_each_entry_rcu(key, &net->head, node, 0) {
-		if (send_id >= 0 && key->send_id != send_id)
-			continue;
-		if (key->flags & TCP_AUTHOPT_KEY_NOSEND)
-			continue;
 		if (key->flags & TCP_AUTHOPT_KEY_ADDR_BIND)
 			if (!tcp_authopt_key_match_sk_addr(key, addr_sk))
 				continue;
 		if (key->flags & TCP_AUTHOPT_KEY_IFINDEX) {
 			if (l3index < 0)
 				l3index = l3mdev_master_ifindex_by_index(sock_net(addr_sk),
 									 addr_sk->sk_bound_dev_if);
 			if (l3index != key->l3index)
 				continue;
 		}
+		if (anykey)
+			*anykey = true;
+		if (key->flags & TCP_AUTHOPT_KEY_NOSEND)
+			continue;
+		if (send_id >= 0 && key->send_id != send_id)
+			continue;
 		if (better_key_match(result, key))
 			result = key;
 		else if (result)
 			net_warn_ratelimited("ambiguous tcp authentication keys configured for send\n");
 	}
@@ -454,14 +458,14 @@ struct tcp_authopt_key_info *__tcp_authopt_select_key(const struct sock *sk,
 		 */
 		if (info->flags & TCP_AUTHOPT_FLAG_LOCK_KEYID)
 			send_id = info->send_keyid;
 		else
 			send_id = rsk->recv_rnextkeyid;
-		key = tcp_authopt_lookup_send(net, addr_sk, send_id);
+		key = tcp_authopt_lookup_send(net, addr_sk, send_id, NULL);
 		/* If no key found with specific send_id try anything else. */
 		if (!key)
-			key = tcp_authopt_lookup_send(net, addr_sk, -1);
+			key = tcp_authopt_lookup_send(net, addr_sk, -1, NULL);
 		if (key)
 			*rnextkeyid = key->recv_id;
 		return key;
 	}
 
@@ -482,18 +486,22 @@ struct tcp_authopt_key_info *__tcp_authopt_select_key(const struct sock *sk,
 	 */
 	if (info->flags & TCP_AUTHOPT_FLAG_LOCK_KEYID) {
 		int send_keyid = info->send_keyid;
 
 		if (!key || key->send_id != send_keyid)
-			new_key = tcp_authopt_lookup_send(net, addr_sk, send_keyid);
+			new_key = tcp_authopt_lookup_send(net, addr_sk,
+							  send_keyid,
+							  NULL);
 	} else {
 		if (!key || key->send_id != info->recv_rnextkeyid)
-			new_key = tcp_authopt_lookup_send(net, addr_sk, info->recv_rnextkeyid);
+			new_key = tcp_authopt_lookup_send(net, addr_sk,
+							  info->recv_rnextkeyid,
+							  NULL);
 	}
 	/* If no key found with specific send_id try anything else. */
 	if (!key && !new_key)
-		new_key = tcp_authopt_lookup_send(net, addr_sk, -1);
+		new_key = tcp_authopt_lookup_send(net, addr_sk, -1, NULL);
 
 	/* Update current key only if we hold the socket lock. */
 	if (new_key && key != new_key) {
 		if (locked) {
 			if (kref_get_unless_zero(&new_key->ref)) {
-- 
2.25.1


  parent reply	other threads:[~2022-07-26  6:19 UTC|newest]

Thread overview: 33+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-07-26  6:15 [PATCH v6 00/26] tcp: Initial support for RFC5925 auth option Leonard Crestez
2022-07-26  6:15 ` [PATCH v6 01/26] tcp: authopt: Initial support and key management Leonard Crestez
2022-07-26  6:15 ` [PATCH v6 02/26] tcp: authopt: Remove more unused noops Leonard Crestez
2022-07-27  1:17   ` David Ahern
2022-07-27  8:49     ` Leonard Crestez
2022-07-26  6:15 ` [PATCH v6 03/26] docs: Add user documentation for tcp_authopt Leonard Crestez
2022-07-26  6:15 ` [PATCH v6 04/26] tcp: authopt: Add crypto initialization Leonard Crestez
2022-07-26  6:15 ` [PATCH v6 05/26] tcp: Refactor tcp_sig_hash_skb_data for AO Leonard Crestez
2022-07-26  6:15 ` [PATCH v6 06/26] tcp: authopt: Compute packet signatures Leonard Crestez
2022-07-26  6:15 ` [PATCH v6 07/26] tcp: Refactor tcp_inbound_md5_hash into tcp_inbound_sig_hash Leonard Crestez
2022-07-26  6:15 ` [PATCH v6 08/26] tcp: authopt: Hook into tcp core Leonard Crestez
2022-07-26  6:15 ` [PATCH v6 09/26] tcp: authopt: Disable via sysctl by default Leonard Crestez
2022-07-26  6:15 ` [PATCH v6 10/26] tcp: authopt: Implement Sequence Number Extension Leonard Crestez
2022-07-26  6:15 ` [PATCH v6 11/26] tcp: ipv6: Add AO signing for tcp_v6_send_response Leonard Crestez
2022-07-26  6:15 ` [PATCH v6 12/26] tcp: authopt: Add support for signing skb-less replies Leonard Crestez
2022-07-26  6:15 ` [PATCH v6 13/26] tcp: ipv4: Add AO signing for " Leonard Crestez
2022-07-26  6:15 ` [PATCH v6 14/26] tcp: authopt: Add key selection controls Leonard Crestez
2022-07-26  6:15 ` [PATCH v6 15/26] tcp: authopt: Add initial l3index support Leonard Crestez
2022-07-26  6:15 ` [PATCH v6 16/26] tcp: authopt: Add NOSEND/NORECV flags Leonard Crestez
2022-07-26  6:15 ` [PATCH v6 17/26] tcp: authopt: Add prefixlen support Leonard Crestez
2022-07-26  6:15 ` [PATCH v6 18/26] tcp: authopt: Add /proc/net/tcp_authopt listing all keys Leonard Crestez
2022-07-26  6:15 ` [PATCH v6 19/26] selftests: nettest: Rename md5_prefix to key_addr_prefix Leonard Crestez
2022-07-26  6:15 ` [PATCH v6 20/26] selftests: nettest: Initial tcp_authopt support Leonard Crestez
2022-07-26  6:15 ` [PATCH v6 21/26] selftests: net/fcnal: " Leonard Crestez
2022-07-26  7:06   ` Eric Dumazet
2022-07-26  7:27     ` Eric Dumazet
2022-07-27  8:29       ` Leonard Crestez
2022-07-27  9:27         ` Eric Dumazet
2022-07-26  6:15 ` [PATCH v6 22/26] tcp: authopt: Try to respect rnextkeyid from SYN on SYNACK Leonard Crestez
2022-07-26  6:15 ` Leonard Crestez [this message]
2022-07-26  6:15 ` [PATCH v6 24/26] tcp: authopt: Initial support for TCP_AUTHOPT_FLAG_ACTIVE Leonard Crestez
2022-07-26  6:15 ` [PATCH v6 25/26] tcp: authopt: If no keys are valid for send report an error Leonard Crestez
2022-07-26  6:15 ` [PATCH v6 26/26] tcp: authopt: Initial implementation of TCP_REPAIR_AUTHOPT Leonard Crestez

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=41bf8fc3faad75a520cd786af14f6924625dcc3e.1658815925.git.cdleonard@gmail.com \
    --to=cdleonard@gmail.com \
    --cc=0x7f454c46@gmail.com \
    --cc=caowangbao@huawei.com \
    --cc=colona@arista.com \
    --cc=cpaasch@apple.com \
    --cc=davem@davemloft.net \
    --cc=dsahern@kernel.org \
    --cc=edumazet@google.com \
    --cc=fruggeri@arista.com \
    --cc=herbert@gondor.apana.org.au \
    --cc=kuba@kernel.org \
    --cc=kuniyu@amazon.co.jp \
    --cc=linux-crypto@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-kselftest@vger.kernel.org \
    --cc=mathew.j.martineau@linux.intel.com \
    --cc=netdev@vger.kernel.org \
    --cc=philip@trouble.is \
    --cc=priyarjha@google.com \
    --cc=shuah@kernel.org \
    --cc=ycheng@google.com \
    --cc=yoshfuji@linux-ipv6.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).