* [PATCHv2] tcp: Fix MD5 signature checking on IPv4 mapped sockets
From: John Dykstra @ 2009-07-16 15:04 UTC
To: netdev, Stephen Hemminger
This revision to the patch removes a misplaced
blank line.
---
Fix MD5 signature checking so that an IPv4 active open
to an IPv6 socket can succeed. In particular, use the
correct address family's signature generation function
for the SYN/ACK.
Reported-by: Stephen Hemminger <shemminger@vyatta.com>
Signed-off-by: John Dykstra <john.dykstra1@gmail.com>
---
include/net/tcp.h | 5 +++++
net/ipv4/tcp_ipv4.c | 1 +
net/ipv4/tcp_output.c | 2 +-
net/ipv6/tcp_ipv6.c | 1 +
4 files changed, 8 insertions(+), 1 deletions(-)
diff --git a/include/net/tcp.h b/include/net/tcp.h
index 19f4150..88af843 100644
--- a/include/net/tcp.h
+++ b/include/net/tcp.h
@@ -1425,6 +1425,11 @@ struct tcp_request_sock_ops {
#ifdef CONFIG_TCP_MD5SIG
struct tcp_md5sig_key *(*md5_lookup) (struct sock *sk,
struct request_sock *req);
+ int (*calc_md5_hash) (char *location,
+ struct tcp_md5sig_key *md5,
+ struct sock *sk,
+ struct request_sock *req,
+ struct sk_buff *skb);
#endif
};
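Review bot: the new calc_md5_hash member of struct tcp_request_sock_ops carries no comment describing its contract, and the only caller in this patch passes NULL for sk (`md5, NULL, req, skb` in tcp_make_synack()). A short comment above the pointer saying that sk may be NULL on the SYN/ACK path would keep a later implementation from dereferencing it unconditionally.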
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 5a1ca26..7c107eb 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -1160,6 +1160,7 @@ struct request_sock_ops tcp_request_sock_ops __read_mostly = {
#ifdef CONFIG_TCP_MD5SIG
static struct tcp_request_sock_ops tcp_request_sock_ipv4_ops = {
.md5_lookup = tcp_v4_reqsk_md5_lookup,
+ .calc_md5_hash = tcp_v4_md5_hash_skb,
};
#endif
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index 5bdf08d..bd62712 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -2261,7 +2261,7 @@ struct sk_buff *tcp_make_synack(struct sock *sk, struct dst_entry *dst,
#ifdef CONFIG_TCP_MD5SIG
/* Okay, we have all we need - do the md5 hash if needed */
if (md5) {
- tp->af_specific->calc_md5_hash(md5_hash_location,
+ tcp_rsk(req)->af_specific->calc_md5_hash(md5_hash_location,
md5, NULL, req, skb);
}
#endif
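Review bot: the call in tcp_make_synack() now dereferences tcp_rsk(req)->af_specific and then its calc_md5_hash member with no NULL check, so it relies on every request sock that reaches this point under CONFIG_TCP_MD5SIG having af_specific set to an ops table that fills in the new pointer. The patch fills it in for tcp_request_sock_ipv4_ops and tcp_request_sock_ipv6_ops; if any other tcp_request_sock_ops instance exists it needs the same initializer, and the changelog should state that invariant. Minor style point: the continuation line `md5, NULL, req, skb);` is unchanged context, so its alignment under the now longer call expression should be rechecked.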
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index 58810c6..ae3d657 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -896,6 +896,7 @@ struct request_sock_ops tcp6_request_sock_ops __read_mostly = {
#ifdef CONFIG_TCP_MD5SIG
static struct tcp_request_sock_ops tcp_request_sock_ipv6_ops = {
.md5_lookup = tcp_v6_reqsk_md5_lookup,
+ .calc_md5_hash = tcp_v6_md5_hash_skb,
};
#endif
--
1.5.4.3
* Re: [PATCHv2] tcp: Fix MD5 signature checking on IPv4 mapped sockets
From: Stephen Hemminger @ 2009-07-16 18:36 UTC
To: John Dykstra; +Cc: netdev
On Thu, 16 Jul 2009 10:04:51 -0500
John Dykstra <john.dykstra1@gmail.com> wrote:
> This revision to the patch removes a misplaced
> blank line.
>
> ---
> Fix MD5 signature checking so that an IPv4 active open
> to an IPv6 socket can succeed. In particular, use the
> correct address family's signature generation function
> for the SYN/ACK.
>
> Reported-by: Stephen Hemminger <shemminger@vyatta.com>
> Signed-off-by: John Dykstra <john.dykstra1@gmail.com>
This fixes the syn-ack, but data does not flow.
I had a simpler attempt that had same problem:
--- a/net/ipv6/tcp_ipv6.c 2009-07-15 18:08:11.042505387 -0700
+++ b/net/ipv6/tcp_ipv6.c 2009-07-15 20:05:56.270009553 -0700
@@ -1169,8 +1169,17 @@ static int tcp_v6_conn_request(struct so
#define want_cookie 0
#endif
- if (skb->protocol == htons(ETH_P_IP))
- return tcp_v4_conn_request(sk, skb);
+ if (skb->protocol == htons(ETH_P_IP)) {
+ int err;
+#ifdef CONFIG_TCP_MD5SIG
+ tp->af_specific = &tcp_sock_ipv6_mapped_specific;
+#endif
+ err = tcp_v4_conn_request(sk, skb);
+#ifdef CONFIG_TCP_MD5SIG
+ tp->af_specific = &tcp_sock_ipv6_specific;
+#endif
+ return err;
+ }
if (!ipv6_unicast_destination(skb))
goto drop;
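Review bot: the swap around tcp_v4_conn_request() writes tp->af_specific on the socket that is handling the SYN and then restores a hard-coded &tcp_sock_ipv6_specific instead of the value that was there before the call. If this approach were kept, the old pointer should be saved in a local and restored from it; carrying the address family with the request rather than toggling per-socket state for the duration of one call avoids the window entirely. The hunk also uses tp without a visible declaration, so it is worth confirming that it is in scope here and does not become an unused variable when CONFIG_TCP_MD5SIG is off.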
* [PATCH] tcp: Use correct peer adr when copying MD5 keys (WAS: [PATCHv2] tcp: Fix MD5 signature checking on IPv4 mapped sockets)
From: John Dykstra @ 2009-07-17 19:23 UTC
To: Stephen Hemminger; +Cc: netdev, Adam Langley, YOSHIFUJI Hideaki
On Thu, 2009-07-16 at 11:36 -0700, Stephen Hemminger wrote:
> On Thu, 16 Jul 2009 10:04:51 -0500
> John Dykstra <john.dykstra1@gmail.com> wrote:
>
> > This revision to the patch removes a misplaced
> > blank line.
> >
> > ---
> > Fix MD5 signature checking so that an IPv4 active open
> > to an IPv6 socket can succeed. In particular, use the
> > correct address family's signature generation function
> > for the SYN/ACK.
> >
> > Reported-by: Stephen Hemminger <shemminger@vyatta.com>
> > Signed-off-by: John Dykstra <john.dykstra1@gmail.com>
>
> This fixes the syn-ack, but data does not flow.
The following patch is _in addition_ to the one I sent out yesterday.
Since they are independent, and fix different bugs, I'm leaving them
separate.
I guess it's clear not many people are running authenticated BGP
sessions on Linux...
---
[PATCH] tcp: Use correct peer adr when copying MD5 keys
When the TCP connection handshake completes on the passive
side, a variety of state must be set up in the "child" sock,
including the key if MD5 authentication is being used. Fix TCP
for both address families to label the key with the peer's
destination address, rather than the address from the listening
sock, which is usually the wildcard.
Reported-by: Stephen Hemminger <shemminger@vyatta.com>
Signed-off-by: John Dykstra <john.dykstra1@gmail.com>
---
net/ipv4/tcp_ipv4.c | 2 +-
net/ipv6/tcp_ipv6.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 7c107eb..6d88219 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -1374,7 +1374,7 @@ struct sock *tcp_v4_syn_recv_sock(struct sock *sk, struct sk_buff *skb,
*/
char *newkey = kmemdup(key->key, key->keylen, GFP_ATOMIC);
if (newkey != NULL)
- tcp_v4_md5_do_add(newsk, inet_sk(sk)->daddr,
+ tcp_v4_md5_do_add(newsk, newinet->daddr,
newkey, key->keylen);
newsk->sk_route_caps &= ~NETIF_F_GSO_MASK;
}
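Review bot: the corrected tcp_v4_md5_do_add() call depends on newinet->daddr already holding the peer's address at this point, and the hunk's context does not show where it is assigned; please confirm the assignment precedes this block. Separately, the visible `if (newkey != NULL)` means a failed kmemdup() leaves the child sock with no key and no error, which after this fix is the remaining silent way for the child to end up unable to sign; a comment or explicit failure handling there would help.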
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index ae3d657..d849dd5 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -1442,7 +1442,7 @@ static struct sock * tcp_v6_syn_recv_sock(struct sock *sk, struct sk_buff *skb,
*/
char *newkey = kmemdup(key->key, key->keylen, GFP_ATOMIC);
if (newkey != NULL)
- tcp_v6_md5_do_add(newsk, &inet6_sk(sk)->daddr,
+ tcp_v6_md5_do_add(newsk, &newnp->daddr,
newkey, key->keylen);
}
#endif
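Review bot: in tcp_v6_syn_recv_sock() the key is now labelled with &newnp->daddr, but the hunk does not show whether an IPv4-mapped connection, the case this thread started from, reaches this code or is handled by the IPv4 function changed in the previous hunk. The changelog says "both address families"; it should also say which of the two calls covers the mapped case so the fix can be checked against the original report.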
--
1.5.4.3
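The key-labelling problem described in the commit message above, as an added example that is not part of the thread or the kernel source: a simplified user-space model in which every name (sock_model, key_add, key_lookup, child_can_sign) and the peer address are constructed, and key lookup is assumed to be an exact match on the peer address.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified user-space model (hypothetical names, not kernel code). */
#define MAX_KEYS 4
#define ADDR_ANY 0u              /* wildcard daddr of a listening sock */
#define PEER     0xC0000202u     /* constructed peer, 192.0.2.2 */

struct md5_key { uint32_t peer; const char *secret; };
struct sock_model {
    uint32_t daddr;              /* remote address of this sock */
    struct md5_key keys[MAX_KEYS];
    size_t nkeys;
};

static void key_add(struct sock_model *sk, uint32_t peer, const char *secret)
{
    if (sk->nkeys < MAX_KEYS)
        sk->keys[sk->nkeys++] = (struct md5_key){ peer, secret };
}

/* Assumption: a key is found only on an exact peer-address match. */
static const char *key_lookup(const struct sock_model *sk, uint32_t peer)
{
    for (size_t i = 0; i < sk->nkeys; i++)
        if (sk->keys[i].peer == peer)
            return sk->keys[i].secret;
    return NULL;
}

/* use_child_daddr = 0 models the old labelling, 1 the patched one. */
static int child_can_sign(int use_child_daddr)
{
    struct sock_model listener = { .daddr = ADDR_ANY };
    struct sock_model child = { .daddr = PEER };

    key_add(&listener, PEER, "constructed-secret");
    const char *secret = key_lookup(&listener, PEER);
    if (secret)  /* copy the listener's key for this peer into the child */
        key_add(&child, use_child_daddr ? child.daddr : listener.daddr, secret);
    /* Outgoing segments look the key up by the peer's address. */
    return key_lookup(&child, child.daddr) != NULL;
}

int main(void)
{
    printf("old: %d, patched: %d\n", child_can_sign(0), child_can_sign(1));
    return 0;
}
```

With the old labelling the child holds a key filed under the wildcard address and never finds it for its peer, which matches the "data does not flow" symptom reported earlier in the thread.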
* Re: [PATCHv2] tcp: Fix MD5 signature checking on IPv4 mapped sockets
From: David Miller @ 2009-07-20 14:50 UTC
To: john.dykstra1; +Cc: netdev, shemminger
From: John Dykstra <john.dykstra1@gmail.com>
Date: Thu, 16 Jul 2009 10:04:51 -0500
> Fix MD5 signature checking so that an IPv4 active open
> to an IPv6 socket can succeed. In particular, use the
> correct address family's signature generation function
> for the SYN/ACK.
>
> Reported-by: Stephen Hemminger <shemminger@vyatta.com>
> Signed-off-by: John Dykstra <john.dykstra1@gmail.com>
Applied.
* Re: [PATCH] tcp: Use correct peer adr when copying MD5 keys
From: David Miller @ 2009-07-20 14:50 UTC
To: john.dykstra1; +Cc: shemminger, netdev, agl, yoshfuji
From: John Dykstra <john.dykstra1@gmail.com>
Date: Fri, 17 Jul 2009 19:23:22 +0000
> [PATCH] tcp: Use correct peer adr when copying MD5 keys
>
> When the TCP connection handshake completes on the passive
> side, a variety of state must be set up in the "child" sock,
> including the key if MD5 authentication is being used. Fix TCP
> for both address families to label the key with the peer's
> destination address, rather than the address from the listening
> sock, which is usually the wildcard.
>
> Reported-by: Stephen Hemminger <shemminger@vyatta.com>
> Signed-off-by: John Dykstra <john.dykstra1@gmail.com>
Also applied, thanks!