From: Leonard Crestez <cdleonard@gmail.com>
To: David Ahern <dsahern@kernel.org>,
Eric Dumazet <edumazet@google.com>,
Dmitry Safonov <0x7f454c46@gmail.com>
Cc: Francesco Ruggeri <fruggeri@arista.com>,
Salam Noureddine <noureddine@arista.com>,
Philip Paeps <philip@trouble.is>, Shuah Khan <shuah@kernel.org>,
"David S. Miller" <davem@davemloft.net>,
Herbert Xu <herbert@gondor.apana.org.au>,
Kuniyuki Iwashima <kuniyu@amazon.co.jp>,
Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>,
Jakub Kicinski <kuba@kernel.org>,
Yuchung Cheng <ycheng@google.com>,
Mat Martineau <mathew.j.martineau@linux.intel.com>,
Christoph Paasch <cpaasch@apple.com>,
Ivan Delalande <colona@arista.com>,
Caowangbao <caowangbao@huawei.com>,
Priyaranjan Jha <priyarjha@google.com>,
netdev@vger.kernel.org, linux-crypto@vger.kernel.org,
linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v8 20/26] tcp: authopt: If no keys are valid for send report an error
Date: Mon, 5 Sep 2022 10:05:56 +0300 [thread overview]
Message-ID: <f302529ecfece72f1d599bb614e3358789c36aed.1662361354.git.cdleonard@gmail.com> (raw)
In-Reply-To: <cover.1662361354.git.cdleonard@gmail.com>
If this is not treated specially then when all keys are removed or
expired then TCP will start sending unsigned packets which is
undesirable. Instead try to report an error on key selection and
propagate it to userspace.
The error is assigned to sk_err and propagate it as soon as possible.
In theory we could try to make the error "soft" and even let the
connection continue if userspace adds a new key but the advantages are
unclear.
Since userspace is responsible for managing keys it can also avoid
sending unsigned packets by always closing the socket before removing
the active last key.
The specific error reported is ENOKEY.
This requires changes inside TCP option write code to support aborting
the actual packet send, until this point this did not happen in any
scenario.
Signed-off-by: Leonard Crestez <cdleonard@gmail.com>
---
net/ipv4/tcp_authopt.c | 4 ++++
net/ipv4/tcp_output.c | 20 ++++++++++++++++++++
2 files changed, 24 insertions(+)
diff --git a/net/ipv4/tcp_authopt.c b/net/ipv4/tcp_authopt.c
index ba16b8c50565..2a1ddae69b27 100644
--- a/net/ipv4/tcp_authopt.c
+++ b/net/ipv4/tcp_authopt.c
@@ -555,10 +555,12 @@ struct tcp_authopt_key_info *__tcp_authopt_select_key(const struct sock *sk,
if (info->flags & TCP_AUTHOPT_FLAG_LOCK_KEYID)
pref_send_id = info->user_pref_send_keyid;
else
pref_send_id = -1;
key = tcp_authopt_lookup_send(net, addr_sk, pref_send_id, rnextkeyid, &anykey);
+ if (!key && anykey)
+ return ERR_PTR(-ENOKEY);
return key;
}
/* Try to keep the same sending key unless user or peer requires a different key
@@ -569,10 +571,12 @@ struct tcp_authopt_key_info *__tcp_authopt_select_key(const struct sock *sk,
else
pref_send_id = info->recv_rnextkeyid;
key = tcp_authopt_lookup_send(net, addr_sk, pref_send_id, rnextkeyid, &anykey);
+ if (!key && anykey)
+ return ERR_PTR(-ENOKEY);
if (!key)
return NULL;
info->send_keyid = key->send_id;
if (rnextkeyid) {
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index d48d5dc36916..e8a6fec22fbf 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -411,10 +411,11 @@ static inline bool tcp_urg_mode(const struct tcp_sock *tp)
#define OPTION_SACK_ADVERTISE BIT(0)
#define OPTION_TS BIT(1)
#define OPTION_MD5 BIT(2)
#define OPTION_WSCALE BIT(3)
#define OPTION_AUTHOPT BIT(4)
+#define OPTION_AUTHOPT_FAIL BIT(5)
#define OPTION_FAST_OPEN_COOKIE BIT(8)
#define OPTION_SMC BIT(9)
#define OPTION_MPTCP BIT(10)
static void smc_options_write(__be32 *ptr, u16 *options)
@@ -783,10 +784,14 @@ static int tcp_authopt_init_options(const struct sock *sk,
{
#ifdef CONFIG_TCP_AUTHOPT
struct tcp_authopt_key_info *key;
key = tcp_authopt_select_key(sk, addr_sk, &opts->authopt_info, &opts->authopt_rnextkeyid);
+ if (IS_ERR(key)) {
+ opts->options |= OPTION_AUTHOPT_FAIL;
+ return TCPOLEN_AUTHOPT_OUTPUT;
+ }
if (key) {
opts->options |= OPTION_AUTHOPT;
opts->authopt_key = key;
return TCPOLEN_AUTHOPT_OUTPUT;
}
@@ -1342,10 +1347,18 @@ static int __tcp_transmit_skb(struct sock *sk, struct sk_buff *skb,
* release the following packet.
*/
if (tcp_skb_pcount(skb) > 1)
tcb->tcp_flags |= TCPHDR_PSH;
}
+#ifdef CONFIG_TCP_AUTHOPT
+ if (opts.options & OPTION_AUTHOPT_FAIL) {
+ rcu_read_unlock();
+ sk->sk_err = ENOKEY;
+ sk_error_report(sk);
+ return -ENOKEY;
+ }
+#endif
tcp_header_size = tcp_options_size + sizeof(struct tcphdr);
/* if no packet is in qdisc/device queue, then allow XPS to select
* another queue. We can be called from tcp_tsq_handler()
* which holds one reference to sk.
@@ -3652,10 +3665,17 @@ struct sk_buff *tcp_make_synack(const struct sock *sk, struct dst_entry *dst,
/* bpf program will be interested in the tcp_flags */
TCP_SKB_CB(skb)->tcp_flags = TCPHDR_SYN | TCPHDR_ACK;
tcp_header_size = tcp_synack_options(sk, req, mss, skb, &opts, md5,
foc, synack_type,
syn_skb) + sizeof(*th);
+#ifdef CONFIG_TCP_AUTHOPT
+ if (opts.options & OPTION_AUTHOPT_FAIL) {
+ rcu_read_unlock();
+ kfree_skb(skb);
+ return NULL;
+ }
+#endif
skb_push(skb, tcp_header_size);
skb_reset_transport_header(skb);
th = (struct tcphdr *)skb->data;
--
2.25.1
next prev parent reply other threads:[~2022-09-05 7:09 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-09-05 7:05 [PATCH v8 00/26] tcp: Initial support for RFC5925 auth option Leonard Crestez
2022-09-05 7:05 ` [PATCH v8 01/26] tcp: authopt: Initial support and key management Leonard Crestez
2022-09-06 22:57 ` Eric Dumazet
2022-09-07 16:19 ` Leonard Crestez
2022-09-07 16:28 ` Eric Dumazet
2022-09-07 18:09 ` Leonard Crestez
2022-09-08 6:35 ` Paolo Abeni
2022-09-08 10:47 ` Leonard Crestez
2022-09-08 10:53 ` David Ahern
2022-09-05 7:05 ` [PATCH v8 02/26] docs: Add user documentation for tcp_authopt Leonard Crestez
2022-09-05 7:05 ` [PATCH v8 03/26] tcp: authopt: Add crypto initialization Leonard Crestez
2022-09-05 7:05 ` [PATCH v8 04/26] tcp: Refactor tcp_sig_hash_skb_data for AO Leonard Crestez
2022-09-05 7:05 ` [PATCH v8 05/26] tcp: authopt: Compute packet signatures Leonard Crestez
2022-09-05 7:05 ` [PATCH v8 06/26] tcp: Refactor tcp_inbound_md5_hash into tcp_inbound_sig_hash Leonard Crestez
2022-09-05 7:05 ` [PATCH v8 07/26] tcp: authopt: Hook into tcp core Leonard Crestez
2022-09-05 7:05 ` [PATCH v8 08/26] tcp: authopt: Disable via sysctl by default Leonard Crestez
2022-09-06 23:11 ` Eric Dumazet
2022-09-07 16:53 ` Leonard Crestez
2022-09-07 17:04 ` Eric Dumazet
2022-09-07 17:58 ` Leonard Crestez
2022-09-07 22:49 ` Herbert Xu
2022-09-07 22:58 ` Eric Dumazet
2022-09-05 7:05 ` [PATCH v8 09/26] tcp: authopt: Implement Sequence Number Extension Leonard Crestez
2022-09-05 7:05 ` [PATCH v8 10/26] tcp: ipv6: Add AO signing for tcp_v6_send_response Leonard Crestez
2022-09-05 7:05 ` [PATCH v8 11/26] tcp: authopt: Add support for signing skb-less replies Leonard Crestez
2022-09-05 7:05 ` [PATCH v8 12/26] tcp: ipv4: Add AO signing for " Leonard Crestez
2022-09-05 7:05 ` [PATCH v8 13/26] tcp: authopt: Add NOSEND/NORECV flags Leonard Crestez
2022-09-05 7:05 ` [PATCH v8 14/26] tcp: authopt: Add initial l3index support Leonard Crestez
2022-09-05 7:05 ` [PATCH v8 15/26] tcp: authopt: Add prefixlen support Leonard Crestez
2022-09-05 7:05 ` [PATCH v8 16/26] tcp: authopt: Add send/recv lifetime support Leonard Crestez
2022-09-05 7:05 ` [PATCH v8 17/26] tcp: authopt: Add key selection controls Leonard Crestez
2022-09-05 7:05 ` [PATCH v8 18/26] tcp: authopt: Add v4mapped ipv6 address support Leonard Crestez
2022-09-05 7:05 ` [PATCH v8 19/26] tcp: authopt: Add /proc/net/tcp_authopt listing all keys Leonard Crestez
2022-09-05 7:05 ` Leonard Crestez [this message]
2022-09-05 7:05 ` [PATCH v8 21/26] tcp: authopt: Try to respect rnextkeyid from SYN on SYNACK Leonard Crestez
2022-09-05 7:05 ` [PATCH v8 22/26] tcp: authopt: Initial support for TCP_AUTHOPT_FLAG_ACTIVE Leonard Crestez
2022-09-05 7:05 ` [PATCH v8 23/26] tcp: authopt: Initial implementation of TCP_REPAIR_AUTHOPT Leonard Crestez
2022-09-05 7:06 ` [PATCH v8 24/26] selftests: nettest: Rename md5_prefix to key_addr_prefix Leonard Crestez
2022-09-05 7:06 ` [PATCH v8 25/26] selftests: nettest: Initial tcp_authopt support Leonard Crestez
2022-09-05 7:06 ` [PATCH v8 26/26] selftests: net/fcnal: " Leonard Crestez
2022-09-09 21:41 ` [PATCH v8 00/26] tcp: Initial support for RFC5925 auth option Salam Noureddine
2022-11-28 14:06 ` Leonard Crestez
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=f302529ecfece72f1d599bb614e3358789c36aed.1662361354.git.cdleonard@gmail.com \
--to=cdleonard@gmail.com \
--cc=0x7f454c46@gmail.com \
--cc=caowangbao@huawei.com \
--cc=colona@arista.com \
--cc=cpaasch@apple.com \
--cc=davem@davemloft.net \
--cc=dsahern@kernel.org \
--cc=edumazet@google.com \
--cc=fruggeri@arista.com \
--cc=herbert@gondor.apana.org.au \
--cc=kuba@kernel.org \
--cc=kuniyu@amazon.co.jp \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=mathew.j.martineau@linux.intel.com \
--cc=netdev@vger.kernel.org \
--cc=noureddine@arista.com \
--cc=philip@trouble.is \
--cc=priyarjha@google.com \
--cc=shuah@kernel.org \
--cc=ycheng@google.com \
--cc=yoshfuji@linux-ipv6.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox