From: Leonard Crestez <cdleonard@gmail.com>
To: David Ahern <dsahern@kernel.org>,
Eric Dumazet <edumazet@google.com>,
Philip Paeps <philip@trouble.is>
Cc: Dmitry Safonov <0x7f454c46@gmail.com>,
Shuah Khan <shuah@kernel.org>,
"David S. Miller" <davem@davemloft.net>,
Herbert Xu <herbert@gondor.apana.org.au>,
Kuniyuki Iwashima <kuniyu@amazon.co.jp>,
Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>,
Jakub Kicinski <kuba@kernel.org>,
Yuchung Cheng <ycheng@google.com>,
Francesco Ruggeri <fruggeri@arista.com>,
Mat Martineau <mathew.j.martineau@linux.intel.com>,
Christoph Paasch <cpaasch@apple.com>,
Ivan Delalande <colona@arista.com>,
Caowangbao <caowangbao@huawei.com>,
Priyaranjan Jha <priyarjha@google.com>,
netdev@vger.kernel.org, linux-crypto@vger.kernel.org,
linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v6 10/26] tcp: authopt: Implement Sequence Number Extension
Date: Tue, 26 Jul 2022 09:15:12 +0300 [thread overview]
Message-ID: <aea9d67860fef6be1e6bee17345dc41417c79ea3.1658815925.git.cdleonard@gmail.com> (raw)
In-Reply-To: <cover.1658815925.git.cdleonard@gmail.com>
Add a compute_sne function which finds the value of SNE for a certain
SEQ given an already known "recent" SNE/SEQ. This is implemented using
the standard tcp before/after macro and will work for SEQ values that
are without 2^31 of the SEQ for which we know the SNE.
For updating we advance the value for rcv_sne at the same time as
rcv_nxt and for snd_sne at the same time as snd_nxt. We could track
other values (for example snd_una) but this is good enough and works
very easily for timewait socket.
This implementation is different from RFC suggestions and doesn't
require additional flags. It does pass tests from this draft:
https://datatracker.ietf.org/doc/draft-touch-sne/
Signed-off-by: Leonard Crestez <cdleonard@gmail.com>
---
include/net/tcp_authopt.h | 34 ++++++++++++++
net/ipv4/tcp_authopt.c | 98 ++++++++++++++++++++++++++++++++++++++-
net/ipv4/tcp_input.c | 1 +
net/ipv4/tcp_output.c | 1 +
4 files changed, 132 insertions(+), 2 deletions(-)
diff --git a/include/net/tcp_authopt.h b/include/net/tcp_authopt.h
index 1f5020b790dd..1fa1b968c80c 100644
--- a/include/net/tcp_authopt.h
+++ b/include/net/tcp_authopt.h
@@ -66,10 +66,14 @@ struct tcp_authopt_info {
u32 flags;
/** @src_isn: Local Initial Sequence Number */
u32 src_isn;
/** @dst_isn: Remote Initial Sequence Number */
u32 dst_isn;
+ /** @rcv_sne: Recv-side Sequence Number Extension tracking tcp_sock.rcv_nxt */
+ u32 rcv_sne;
+ /** @snd_sne: Send-side Sequence Number Extension tracking tcp_sock.snd_nxt */
+ u32 snd_sne;
};
/* TCP authopt as found in header */
struct tcphdr_authopt {
u8 num;
@@ -156,10 +160,34 @@ static inline void tcp_authopt_time_wait(
int __tcp_authopt_inbound_check(
struct sock *sk,
struct sk_buff *skb,
struct tcp_authopt_info *info,
const u8 *opt);
+void __tcp_authopt_update_rcv_sne(struct tcp_sock *tp, struct tcp_authopt_info *info, u32 seq);
+static inline void tcp_authopt_update_rcv_sne(struct tcp_sock *tp, u32 seq)
+{
+ struct tcp_authopt_info *info;
+
+ if (tcp_authopt_needed) {
+ info = rcu_dereference_protected(tp->authopt_info,
+ lockdep_sock_is_held((struct sock *)tp));
+ if (info)
+ __tcp_authopt_update_rcv_sne(tp, info, seq);
+ }
+}
+void __tcp_authopt_update_snd_sne(struct tcp_sock *tp, struct tcp_authopt_info *info, u32 seq);
+static inline void tcp_authopt_update_snd_sne(struct tcp_sock *tp, u32 seq)
+{
+ struct tcp_authopt_info *info;
+
+ if (tcp_authopt_needed) {
+ info = rcu_dereference_protected(tp->authopt_info,
+ lockdep_sock_is_held((struct sock *)tp));
+ if (info)
+ __tcp_authopt_update_snd_sne(tp, info, seq);
+ }
+}
#else
static inline void tcp_authopt_clear(struct sock *sk)
{
}
static inline int tcp_authopt_openreq(struct sock *newsk,
@@ -174,8 +202,14 @@ static inline void tcp_authopt_finish_connect(struct sock *sk, struct sk_buff *s
static inline void tcp_authopt_time_wait(
struct tcp_timewait_sock *tcptw,
struct tcp_sock *tp)
{
}
+static inline void tcp_authopt_update_rcv_sne(struct tcp_sock *tp, u32 seq)
+{
+}
+static inline void tcp_authopt_update_snd_sne(struct tcp_sock *tp, u32 seq)
+{
+}
#endif
#endif /* _LINUX_TCP_AUTHOPT_H */
diff --git a/net/ipv4/tcp_authopt.c b/net/ipv4/tcp_authopt.c
index c470fce52f78..e64b97db927e 100644
--- a/net/ipv4/tcp_authopt.c
+++ b/net/ipv4/tcp_authopt.c
@@ -660,10 +660,97 @@ static int tcp_authopt_get_isn(struct sock *sk,
*disn = htonl(info->dst_isn);
}
return 0;
}
+/* compute_sne - Calculate Sequence Number Extension
+ *
+ * Give old upper/lower 32bit values and a new lower 32bit value determine the
+ * new value of the upper 32 bit. The new sequence number can be 2^31 before or
+ * after prev_seq but TCP window scaling should limit this further.
+ *
+ * For correct accounting the stored SNE value should be only updated together
+ * with the SEQ.
+ */
+static u32 compute_sne(u32 sne, u32 prev_seq, u32 seq)
+{
+ if (before(seq, prev_seq)) {
+ if (seq > prev_seq)
+ --sne;
+ } else {
+ if (seq < prev_seq)
+ ++sne;
+ }
+
+ return sne;
+}
+
+/* Update rcv_sne, must be called immediately before rcv_nxt update */
+void __tcp_authopt_update_rcv_sne(struct tcp_sock *tp,
+ struct tcp_authopt_info *info, u32 seq)
+{
+ info->rcv_sne = compute_sne(info->rcv_sne, tp->rcv_nxt, seq);
+}
+
+/* Update snd_sne, must be called immediately before snd_nxt update */
+void __tcp_authopt_update_snd_sne(struct tcp_sock *tp,
+ struct tcp_authopt_info *info, u32 seq)
+{
+ info->snd_sne = compute_sne(info->snd_sne, tp->snd_nxt, seq);
+}
+
+/* Compute SNE for a specific packet (by seq). */
+static int compute_packet_sne(struct sock *sk, struct tcp_authopt_info *info,
+ u32 seq, bool input, __be32 *sne)
+{
+ u32 rcv_nxt, snd_nxt;
+
+ // For TCP_NEW_SYN_RECV we have no tcp_authopt_info but tcp_request_sock holds ISN.
+ if (sk->sk_state == TCP_NEW_SYN_RECV) {
+ struct tcp_request_sock *rsk = tcp_rsk((struct request_sock *)sk);
+
+ if (input)
+ *sne = htonl(compute_sne(0, rsk->rcv_isn, seq));
+ else
+ *sne = htonl(compute_sne(0, rsk->snt_isn, seq));
+ return 0;
+ }
+
+ /* TCP_LISTEN only receives SYN */
+ if (sk->sk_state == TCP_LISTEN && input)
+ return 0;
+
+ /* TCP_SYN_SENT only sends SYN and receives SYN/ACK
+ * For the input case rcv_nxt is initialized after the packet is
+ * validated so tcp_sk(sk)->rcv_nxt is not initialized.
+ */
+ if (sk->sk_state == TCP_SYN_SENT)
+ return 0;
+
+ if (sk->sk_state == TCP_TIME_WAIT) {
+ rcv_nxt = tcp_twsk(sk)->tw_rcv_nxt;
+ snd_nxt = tcp_twsk(sk)->tw_snd_nxt;
+ } else {
+ if (WARN_ONCE(!sk_fullsock(sk),
+ "unexpected minisock sk=%p state=%d", sk,
+ sk->sk_state))
+ return -EINVAL;
+ rcv_nxt = tcp_sk(sk)->rcv_nxt;
+ snd_nxt = tcp_sk(sk)->snd_nxt;
+ }
+
+ if (WARN_ONCE(!info, "unexpected missing info for sk=%p sk_state=%d", sk, sk->sk_state))
+ return -EINVAL;
+
+ if (input)
+ *sne = htonl(compute_sne(info->rcv_sne, rcv_nxt, seq));
+ else
+ *sne = htonl(compute_sne(info->snd_sne, snd_nxt, seq));
+
+ return 0;
+}
+
/* Feed one buffer into ahash
* The buffer is assumed to be DMA-able
*/
static int crypto_ahash_buf(struct ahash_request *req, u8 *buf, uint len)
{
@@ -695,10 +782,13 @@ int __tcp_authopt_openreq(struct sock *newsk, const struct sock *oldsk, struct r
if (!new_info)
return -ENOMEM;
new_info->src_isn = tcp_rsk(req)->snt_isn;
new_info->dst_isn = tcp_rsk(req)->rcv_isn;
+ /* Caller is tcp_create_openreq_child and already initializes snd_nxt/rcv_nxt */
+ new_info->snd_sne = compute_sne(0, new_info->src_isn, tcp_sk(newsk)->snd_nxt);
+ new_info->rcv_sne = compute_sne(0, new_info->dst_isn, tcp_sk(newsk)->rcv_nxt);
sk_gso_disable(newsk);
rcu_assign_pointer(tcp_sk(newsk)->authopt_info, new_info);
return 0;
}
@@ -706,10 +796,12 @@ int __tcp_authopt_openreq(struct sock *newsk, const struct sock *oldsk, struct r
void __tcp_authopt_finish_connect(struct sock *sk, struct sk_buff *skb,
struct tcp_authopt_info *info)
{
info->src_isn = ntohl(tcp_hdr(skb)->ack_seq) - 1;
info->dst_isn = ntohl(tcp_hdr(skb)->seq);
+ info->snd_sne = compute_sne(0, info->src_isn, tcp_sk(sk)->snd_nxt);
+ info->rcv_sne = compute_sne(0, info->dst_isn, tcp_sk(sk)->rcv_nxt);
}
/* feed traffic key into ahash */
static int tcp_authopt_ahash_traffic_key(struct tcp_authopt_alg_pool *pool,
struct sock *sk,
@@ -963,14 +1055,16 @@ static int tcp_authopt_hash_packet(struct tcp_authopt_alg_pool *pool,
bool ipv6,
bool include_options,
u8 *macbuf)
{
struct tcphdr *th = tcp_hdr(skb);
+ __be32 sne = 0;
int err;
- /* NOTE: SNE unimplemented */
- __be32 sne = 0;
+ err = compute_packet_sne(sk, info, ntohl(th->seq), input, &sne);
+ if (err)
+ return err;
err = crypto_ahash_init(pool->req);
if (err)
return err;
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 8b41c924aa03..c09d42614b2b 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -3526,10 +3526,11 @@ static void tcp_snd_una_update(struct tcp_sock *tp, u32 ack)
static void tcp_rcv_nxt_update(struct tcp_sock *tp, u32 seq)
{
u32 delta = seq - tp->rcv_nxt;
sock_owned_by_me((struct sock *)tp);
+ tcp_authopt_update_rcv_sne(tp, seq);
tp->bytes_received += delta;
WRITE_ONCE(tp->rcv_nxt, seq);
}
/* Update our send window.
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index 7a58132bba8c..0ab3c7801f33 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -67,10 +67,11 @@ static void tcp_event_new_data_sent(struct sock *sk, struct sk_buff *skb)
{
struct inet_connection_sock *icsk = inet_csk(sk);
struct tcp_sock *tp = tcp_sk(sk);
unsigned int prior_packets = tp->packets_out;
+ tcp_authopt_update_snd_sne(tp, TCP_SKB_CB(skb)->end_seq);
WRITE_ONCE(tp->snd_nxt, TCP_SKB_CB(skb)->end_seq);
__skb_unlink(skb, &sk->sk_write_queue);
tcp_rbtree_insert(&sk->tcp_rtx_queue, skb);
--
2.25.1
next prev parent reply other threads:[~2022-07-26 6:18 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-07-26 6:15 [PATCH v6 00/26] tcp: Initial support for RFC5925 auth option Leonard Crestez
2022-07-26 6:15 ` [PATCH v6 01/26] tcp: authopt: Initial support and key management Leonard Crestez
2022-07-26 6:15 ` [PATCH v6 02/26] tcp: authopt: Remove more unused noops Leonard Crestez
2022-07-27 1:17 ` David Ahern
2022-07-27 8:49 ` Leonard Crestez
2022-07-26 6:15 ` [PATCH v6 03/26] docs: Add user documentation for tcp_authopt Leonard Crestez
2022-07-26 6:15 ` [PATCH v6 04/26] tcp: authopt: Add crypto initialization Leonard Crestez
2022-07-26 6:15 ` [PATCH v6 05/26] tcp: Refactor tcp_sig_hash_skb_data for AO Leonard Crestez
2022-07-26 6:15 ` [PATCH v6 06/26] tcp: authopt: Compute packet signatures Leonard Crestez
2022-07-26 6:15 ` [PATCH v6 07/26] tcp: Refactor tcp_inbound_md5_hash into tcp_inbound_sig_hash Leonard Crestez
2022-07-26 6:15 ` [PATCH v6 08/26] tcp: authopt: Hook into tcp core Leonard Crestez
2022-07-26 6:15 ` [PATCH v6 09/26] tcp: authopt: Disable via sysctl by default Leonard Crestez
2022-07-26 6:15 ` Leonard Crestez [this message]
2022-07-26 6:15 ` [PATCH v6 11/26] tcp: ipv6: Add AO signing for tcp_v6_send_response Leonard Crestez
2022-07-26 6:15 ` [PATCH v6 12/26] tcp: authopt: Add support for signing skb-less replies Leonard Crestez
2022-07-26 6:15 ` [PATCH v6 13/26] tcp: ipv4: Add AO signing for " Leonard Crestez
2022-07-26 6:15 ` [PATCH v6 14/26] tcp: authopt: Add key selection controls Leonard Crestez
2022-07-26 6:15 ` [PATCH v6 15/26] tcp: authopt: Add initial l3index support Leonard Crestez
2022-07-26 6:15 ` [PATCH v6 16/26] tcp: authopt: Add NOSEND/NORECV flags Leonard Crestez
2022-07-26 6:15 ` [PATCH v6 17/26] tcp: authopt: Add prefixlen support Leonard Crestez
2022-07-26 6:15 ` [PATCH v6 18/26] tcp: authopt: Add /proc/net/tcp_authopt listing all keys Leonard Crestez
2022-07-26 6:15 ` [PATCH v6 19/26] selftests: nettest: Rename md5_prefix to key_addr_prefix Leonard Crestez
2022-07-26 6:15 ` [PATCH v6 20/26] selftests: nettest: Initial tcp_authopt support Leonard Crestez
2022-07-26 6:15 ` [PATCH v6 21/26] selftests: net/fcnal: " Leonard Crestez
2022-07-26 7:06 ` Eric Dumazet
2022-07-26 7:27 ` Eric Dumazet
2022-07-27 8:29 ` Leonard Crestez
2022-07-27 9:27 ` Eric Dumazet
2022-07-26 6:15 ` [PATCH v6 22/26] tcp: authopt: Try to respect rnextkeyid from SYN on SYNACK Leonard Crestez
2022-07-26 6:15 ` [PATCH v6 23/26] tcp: authopt: tcp_authopt_lookup_send: Add anykey output param Leonard Crestez
2022-07-26 6:15 ` [PATCH v6 24/26] tcp: authopt: Initial support for TCP_AUTHOPT_FLAG_ACTIVE Leonard Crestez
2022-07-26 6:15 ` [PATCH v6 25/26] tcp: authopt: If no keys are valid for send report an error Leonard Crestez
2022-07-26 6:15 ` [PATCH v6 26/26] tcp: authopt: Initial implementation of TCP_REPAIR_AUTHOPT Leonard Crestez
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aea9d67860fef6be1e6bee17345dc41417c79ea3.1658815925.git.cdleonard@gmail.com \
--to=cdleonard@gmail.com \
--cc=0x7f454c46@gmail.com \
--cc=caowangbao@huawei.com \
--cc=colona@arista.com \
--cc=cpaasch@apple.com \
--cc=davem@davemloft.net \
--cc=dsahern@kernel.org \
--cc=edumazet@google.com \
--cc=fruggeri@arista.com \
--cc=herbert@gondor.apana.org.au \
--cc=kuba@kernel.org \
--cc=kuniyu@amazon.co.jp \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=mathew.j.martineau@linux.intel.com \
--cc=netdev@vger.kernel.org \
--cc=philip@trouble.is \
--cc=priyarjha@google.com \
--cc=shuah@kernel.org \
--cc=ycheng@google.com \
--cc=yoshfuji@linux-ipv6.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox