From: Leonard Crestez <cdleonard@gmail.com>
To: David Ahern <dsahern@kernel.org>,
Eric Dumazet <edumazet@google.com>,
Philip Paeps <philip@trouble.is>
Cc: Dmitry Safonov <0x7f454c46@gmail.com>,
Shuah Khan <shuah@kernel.org>,
"David S. Miller" <davem@davemloft.net>,
Herbert Xu <herbert@gondor.apana.org.au>,
Kuniyuki Iwashima <kuniyu@amazon.co.jp>,
Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>,
Jakub Kicinski <kuba@kernel.org>,
Yuchung Cheng <ycheng@google.com>,
Francesco Ruggeri <fruggeri@arista.com>,
Mat Martineau <mathew.j.martineau@linux.intel.com>,
Christoph Paasch <cpaasch@apple.com>,
Ivan Delalande <colona@arista.com>,
Caowangbao <caowangbao@huawei.com>,
Priyaranjan Jha <priyarjha@google.com>,
netdev@vger.kernel.org, linux-crypto@vger.kernel.org,
linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v6 22/26] tcp: authopt: Try to respect rnextkeyid from SYN on SYNACK
Date: Tue, 26 Jul 2022 09:15:24 +0300 [thread overview]
Message-ID: <c91e0c713650f24dc31924034189990b4ef2970f.1658815925.git.cdleonard@gmail.com> (raw)
In-Reply-To: <cover.1658815925.git.cdleonard@gmail.com>
According to the RFC we should use the key that the peer suggests via
rnextkeyid.
This is currently done by storing recv_rnextkeyid in tcp_authopt_info
but this does not work for the SYNACK case because the tcp_request_sock
does not hold an info pointer for reasons of memory usage.
Handle this by storing recv_rnextkeyid inside tcp_request_sock. This
doesn't increase the memory usage because there are unused bytes at the
end.
Signed-off-by: Leonard Crestez <cdleonard@gmail.com>
---
include/linux/tcp.h | 6 ++++++
net/ipv4/tcp_authopt.c | 26 ++++++++++++++++++++------
net/ipv4/tcp_input.c | 12 ++++++++++++
3 files changed, 38 insertions(+), 6 deletions(-)
diff --git a/include/linux/tcp.h b/include/linux/tcp.h
index 551942883f06..6a4ff0ed55c6 100644
--- a/include/linux/tcp.h
+++ b/include/linux/tcp.h
@@ -125,10 +125,13 @@ struct tcp_options_received {
u8 saw_unknown:1, /* Received unknown option */
unused:7;
u8 num_sacks; /* Number of SACK blocks */
u16 user_mss; /* mss requested by user in ioctl */
u16 mss_clamp; /* Maximal mss, negotiated at connection setup */
+#if IS_ENABLED(CONFIG_TCP_AUTHOPT)
+ u8 rnextkeyid;
+#endif
};
static inline void tcp_clear_options(struct tcp_options_received *rx_opt)
{
rx_opt->tstamp_ok = rx_opt->sack_ok = 0;
@@ -163,10 +166,13 @@ struct tcp_request_sock {
u32 rcv_nxt; /* the ack # by SYNACK. For
* FastOpen it's the seq#
* after data-in-SYN.
*/
u8 syn_tos;
+#if IS_ENABLED(CONFIG_TCP_AUTHOPT)
+ u8 recv_rnextkeyid;
+#endif
};
static inline struct tcp_request_sock *tcp_rsk(const struct request_sock *req)
{
return (struct tcp_request_sock *)req;
diff --git a/net/ipv4/tcp_authopt.c b/net/ipv4/tcp_authopt.c
index 00d749aa1025..3596fc1fb770 100644
--- a/net/ipv4/tcp_authopt.c
+++ b/net/ipv4/tcp_authopt.c
@@ -1,7 +1,9 @@
// SPDX-License-Identifier: GPL-2.0-or-later
+#include "linux/tcp.h"
+#include "net/tcp_states.h"
#include <net/tcp_authopt.h>
#include <net/ip.h>
#include <net/ipv6.h>
#include <net/tcp.h>
#include <linux/kref.h>
@@ -435,21 +437,33 @@ struct tcp_authopt_key_info *__tcp_authopt_select_key(const struct sock *sk,
{
struct tcp_authopt_key_info *key, *new_key = NULL;
struct netns_tcp_authopt *net = sock_net_tcp_authopt(sk);
/* Listen sockets don't refer to any specific connection so we don't try
- * to keep using the same key and ignore any received keyids.
+ * to keep using the same key.
+ * The rnextkeyid is stored in tcp_request_sock
*/
if (sk->sk_state == TCP_LISTEN) {
- int send_keyid = -1;
-
+ int send_id = -1;
+ struct tcp_request_sock *rsk;
+
+ if (WARN_ONCE(addr_sk->sk_state != TCP_NEW_SYN_RECV, "bad socket state"))
+ return NULL;
+ rsk = tcp_rsk((struct request_sock *)addr_sk);
+ /* Forcing a specific send_keyid on a listen socket forces it for
+ * all clients so is unlikely to be useful.
+ */
if (info->flags & TCP_AUTHOPT_FLAG_LOCK_KEYID)
- send_keyid = info->send_keyid;
- key = tcp_authopt_lookup_send(net, addr_sk, send_keyid);
+ send_id = info->send_keyid;
+ else
+ send_id = rsk->recv_rnextkeyid;
+ key = tcp_authopt_lookup_send(net, addr_sk, send_id);
+ /* If no key found with specific send_id try anything else. */
+ if (!key)
+ key = tcp_authopt_lookup_send(net, addr_sk, -1);
if (key)
*rnextkeyid = key->recv_id;
-
return key;
}
if (locked) {
sock_owned_by_me(sk);
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index c09d42614b2b..6f2af45f4271 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -4105,10 +4105,18 @@ void tcp_parse_options(const struct net *net,
/*
* The MD5 Hash has already been
* checked (see tcp_v{4,6}_do_rcv()).
*/
break;
+#endif
+#ifdef CONFIG_TCP_AUTHOPT
+ case TCPOPT_AUTHOPT:
+ /* Hash has already been checked.
+ * We parse rnextkeyid here so we can match it on synack
+ */
+ opt_rx->rnextkeyid = ptr[1];
+ break;
#endif
case TCPOPT_FASTOPEN:
tcp_parse_fastopen_option(
opsize - TCPOLEN_FASTOPEN_BASE,
ptr, th->syn, foc, false);
@@ -6958,10 +6966,14 @@ int tcp_conn_request(struct request_sock_ops *rsk_ops,
tcp_clear_options(&tmp_opt);
if (IS_ENABLED(CONFIG_SMC) && want_cookie)
tmp_opt.smc_ok = 0;
+#if IS_ENABLED(CONFIG_TCP_AUTHOPT)
+ tcp_rsk(req)->recv_rnextkeyid = tmp_opt.rnextkeyid;
+#endif
+
tmp_opt.tstamp_ok = tmp_opt.saw_tstamp;
tcp_openreq_init(req, &tmp_opt, skb, sk);
inet_rsk(req)->no_srccheck = inet_sk(sk)->transparent;
/* Note: tcp_v6_init_req() might override ir_iif for link locals */
--
2.25.1
next prev parent reply other threads:[~2022-07-26 6:21 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-07-26 6:15 [PATCH v6 00/26] tcp: Initial support for RFC5925 auth option Leonard Crestez
2022-07-26 6:15 ` [PATCH v6 01/26] tcp: authopt: Initial support and key management Leonard Crestez
2022-07-26 6:15 ` [PATCH v6 02/26] tcp: authopt: Remove more unused noops Leonard Crestez
2022-07-27 1:17 ` David Ahern
2022-07-27 8:49 ` Leonard Crestez
2022-07-26 6:15 ` [PATCH v6 03/26] docs: Add user documentation for tcp_authopt Leonard Crestez
2022-07-26 6:15 ` [PATCH v6 04/26] tcp: authopt: Add crypto initialization Leonard Crestez
2022-07-26 6:15 ` [PATCH v6 05/26] tcp: Refactor tcp_sig_hash_skb_data for AO Leonard Crestez
2022-07-26 6:15 ` [PATCH v6 06/26] tcp: authopt: Compute packet signatures Leonard Crestez
2022-07-26 6:15 ` [PATCH v6 07/26] tcp: Refactor tcp_inbound_md5_hash into tcp_inbound_sig_hash Leonard Crestez
2022-07-26 6:15 ` [PATCH v6 08/26] tcp: authopt: Hook into tcp core Leonard Crestez
2022-07-26 6:15 ` [PATCH v6 09/26] tcp: authopt: Disable via sysctl by default Leonard Crestez
2022-07-26 6:15 ` [PATCH v6 10/26] tcp: authopt: Implement Sequence Number Extension Leonard Crestez
2022-07-26 6:15 ` [PATCH v6 11/26] tcp: ipv6: Add AO signing for tcp_v6_send_response Leonard Crestez
2022-07-26 6:15 ` [PATCH v6 12/26] tcp: authopt: Add support for signing skb-less replies Leonard Crestez
2022-07-26 6:15 ` [PATCH v6 13/26] tcp: ipv4: Add AO signing for " Leonard Crestez
2022-07-26 6:15 ` [PATCH v6 14/26] tcp: authopt: Add key selection controls Leonard Crestez
2022-07-26 6:15 ` [PATCH v6 15/26] tcp: authopt: Add initial l3index support Leonard Crestez
2022-07-26 6:15 ` [PATCH v6 16/26] tcp: authopt: Add NOSEND/NORECV flags Leonard Crestez
2022-07-26 6:15 ` [PATCH v6 17/26] tcp: authopt: Add prefixlen support Leonard Crestez
2022-07-26 6:15 ` [PATCH v6 18/26] tcp: authopt: Add /proc/net/tcp_authopt listing all keys Leonard Crestez
2022-07-26 6:15 ` [PATCH v6 19/26] selftests: nettest: Rename md5_prefix to key_addr_prefix Leonard Crestez
2022-07-26 6:15 ` [PATCH v6 20/26] selftests: nettest: Initial tcp_authopt support Leonard Crestez
2022-07-26 6:15 ` [PATCH v6 21/26] selftests: net/fcnal: " Leonard Crestez
2022-07-26 7:06 ` Eric Dumazet
2022-07-26 7:27 ` Eric Dumazet
2022-07-27 8:29 ` Leonard Crestez
2022-07-27 9:27 ` Eric Dumazet
2022-07-26 6:15 ` Leonard Crestez [this message]
2022-07-26 6:15 ` [PATCH v6 23/26] tcp: authopt: tcp_authopt_lookup_send: Add anykey output param Leonard Crestez
2022-07-26 6:15 ` [PATCH v6 24/26] tcp: authopt: Initial support for TCP_AUTHOPT_FLAG_ACTIVE Leonard Crestez
2022-07-26 6:15 ` [PATCH v6 25/26] tcp: authopt: If no keys are valid for send report an error Leonard Crestez
2022-07-26 6:15 ` [PATCH v6 26/26] tcp: authopt: Initial implementation of TCP_REPAIR_AUTHOPT Leonard Crestez
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=c91e0c713650f24dc31924034189990b4ef2970f.1658815925.git.cdleonard@gmail.com \
--to=cdleonard@gmail.com \
--cc=0x7f454c46@gmail.com \
--cc=caowangbao@huawei.com \
--cc=colona@arista.com \
--cc=cpaasch@apple.com \
--cc=davem@davemloft.net \
--cc=dsahern@kernel.org \
--cc=edumazet@google.com \
--cc=fruggeri@arista.com \
--cc=herbert@gondor.apana.org.au \
--cc=kuba@kernel.org \
--cc=kuniyu@amazon.co.jp \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=mathew.j.martineau@linux.intel.com \
--cc=netdev@vger.kernel.org \
--cc=philip@trouble.is \
--cc=priyarjha@google.com \
--cc=shuah@kernel.org \
--cc=ycheng@google.com \
--cc=yoshfuji@linux-ipv6.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).