From: Dmitry Safonov <dima@arista.com>
To: linux-kernel@vger.kernel.org, David Ahern <dsahern@kernel.org>,
Eric Dumazet <edumazet@google.com>,
Paolo Abeni <pabeni@redhat.com>, Jakub Kicinski <kuba@kernel.org>,
"David S. Miller" <davem@davemloft.net>
Cc: Dmitry Safonov <dima@arista.com>,
Andy Lutomirski <luto@amacapital.net>,
Ard Biesheuvel <ardb@kernel.org>,
Bob Gilligan <gilligan@arista.com>,
Dan Carpenter <error27@gmail.com>,
David Laight <David.Laight@aculab.com>,
Dmitry Safonov <0x7f454c46@gmail.com>,
Eric Biggers <ebiggers@kernel.org>,
"Eric W. Biederman" <ebiederm@xmission.com>,
Francesco Ruggeri <fruggeri05@gmail.com>,
Herbert Xu <herbert@gondor.apana.org.au>,
Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>,
Ivan Delalande <colona@arista.com>,
Leonard Crestez <cdleonard@gmail.com>,
Salam Noureddine <noureddine@arista.com>,
netdev@vger.kernel.org
Subject: [PATCH v6 11/21] net/tcp: Sign SYN-ACK segments with TCP-AO
Date: Fri, 12 May 2023 21:23:01 +0100 [thread overview]
Message-ID: <20230512202311.2845526-12-dima@arista.com> (raw)
In-Reply-To: <20230512202311.2845526-1-dima@arista.com>
Similarly to RST segments, wire SYN-ACKs to TCP-AO.
tcp_rsk_used_ao() is handy here to check if the request socket used AO
and needs a signature on the outgoing segments.
Co-developed-by: Francesco Ruggeri <fruggeri@arista.com>
Signed-off-by: Francesco Ruggeri <fruggeri@arista.com>
Co-developed-by: Salam Noureddine <noureddine@arista.com>
Signed-off-by: Salam Noureddine <noureddine@arista.com>
Signed-off-by: Dmitry Safonov <dima@arista.com>
---
include/net/tcp.h | 4 ++++
include/net/tcp_ao.h | 6 ++++++
net/ipv4/tcp_ao.c | 14 +++++++++++++
net/ipv4/tcp_ipv4.c | 1 +
net/ipv4/tcp_output.c | 48 +++++++++++++++++++++++++++++++++++++------
net/ipv6/tcp_ao.c | 15 ++++++++++++++
net/ipv6/tcp_ipv6.c | 1 +
7 files changed, 83 insertions(+), 6 deletions(-)
diff --git a/include/net/tcp.h b/include/net/tcp.h
index 08b7a603f90d..433e9c83e4ae 100644
--- a/include/net/tcp.h
+++ b/include/net/tcp.h
@@ -2149,6 +2149,10 @@ struct tcp_request_sock_ops {
int sndid, int rcvid);
int (*ao_calc_key)(struct tcp_ao_key *mkt, u8 *key,
struct request_sock *sk);
+ int (*ao_synack_hash)(char *ao_hash, struct tcp_ao_key *mkt,
+ struct request_sock *req,
+ const struct sk_buff *skb,
+ int hash_offset, u32 sne);
#endif
#ifdef CONFIG_SYN_COOKIES
__u32 (*cookie_init_seq)(const struct sk_buff *skb,
diff --git a/include/net/tcp_ao.h b/include/net/tcp_ao.h
index 2faeaa3a857a..eacb4925f4a9 100644
--- a/include/net/tcp_ao.h
+++ b/include/net/tcp_ao.h
@@ -145,6 +145,9 @@ int tcp_ao_hash_hdr(unsigned short family, char *ao_hash,
int tcp_v4_parse_ao(struct sock *sk, int optname, sockptr_t optval, int optlen);
struct tcp_ao_key *tcp_v4_ao_lookup(const struct sock *sk, struct sock *addr_sk,
int sndid, int rcvid);
+int tcp_v4_ao_synack_hash(char *ao_hash, struct tcp_ao_key *mkt,
+ struct request_sock *req, const struct sk_buff *skb,
+ int hash_offset, u32 sne);
int tcp_v4_ao_calc_key_sk(struct tcp_ao_key *mkt, u8 *key,
const struct sock *sk,
__be32 sisn, __be32 disn, bool send);
@@ -180,6 +183,9 @@ int tcp_v6_ao_hash_skb(char *ao_hash, struct tcp_ao_key *key,
const u8 *tkey, int hash_offset, u32 sne);
int tcp_v6_parse_ao(struct sock *sk, int cmd,
sockptr_t optval, int optlen);
+int tcp_v6_ao_synack_hash(char *ao_hash, struct tcp_ao_key *ao_key,
+ struct request_sock *req, const struct sk_buff *skb,
+ int hash_offset, u32 sne);
void tcp_ao_finish_connect(struct sock *sk, struct sk_buff *skb);
void tcp_ao_connect_init(struct sock *sk);
void tcp_ao_syncookie(struct sock *sk, const struct sk_buff *skb,
diff --git a/net/ipv4/tcp_ao.c b/net/ipv4/tcp_ao.c
index 92485f7bc4cd..bfd944fa4483 100644
--- a/net/ipv4/tcp_ao.c
+++ b/net/ipv4/tcp_ao.c
@@ -554,6 +554,20 @@ int tcp_v4_ao_hash_skb(char *ao_hash, struct tcp_ao_key *key,
}
EXPORT_SYMBOL_GPL(tcp_v4_ao_hash_skb);
+int tcp_v4_ao_synack_hash(char *ao_hash, struct tcp_ao_key *ao_key,
+ struct request_sock *req, const struct sk_buff *skb,
+ int hash_offset, u32 sne)
+{
+ char traffic_key[TCP_AO_MAX_HASH_SIZE] __tcp_ao_key_align;
+
+ tcp_v4_ao_calc_key_rsk(ao_key, traffic_key, req);
+
+ tcp_ao_hash_skb(AF_INET, ao_hash, ao_key, req_to_sk(req), skb,
+ traffic_key, hash_offset, sne);
+
+ return 0;
+}
+
struct tcp_ao_key *tcp_v4_ao_lookup_rsk(const struct sock *sk,
struct request_sock *req,
int sndid, int rcvid)
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 40c7c568a84e..ca28517644d5 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -1696,6 +1696,7 @@ const struct tcp_request_sock_ops tcp_request_sock_ipv4_ops = {
#ifdef CONFIG_TCP_AO
.ao_lookup = tcp_v4_ao_lookup_rsk,
.ao_calc_key = tcp_v4_ao_calc_key_rsk,
+ .ao_synack_hash = tcp_v4_ao_synack_hash,
#endif
#ifdef CONFIG_SYN_COOKIES
.cookie_init_seq = cookie_v4_init_sequence,
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index 5344e6564b56..f055ef225c37 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -3638,6 +3638,7 @@ struct sk_buff *tcp_make_synack(const struct sock *sk, struct dst_entry *dst,
struct inet_request_sock *ireq = inet_rsk(req);
const struct tcp_sock *tp = tcp_sk(sk);
struct tcp_md5sig_key *md5 = NULL;
+ struct tcp_ao_key *ao_key = NULL;
struct tcp_out_options opts;
struct sk_buff *skb;
int tcp_header_size;
@@ -3688,16 +3689,43 @@ struct sk_buff *tcp_make_synack(const struct sock *sk, struct dst_entry *dst,
tcp_rsk(req)->snt_synack = tcp_skb_timestamp_us(skb);
}
-#ifdef CONFIG_TCP_MD5SIG
+#if defined(CONFIG_TCP_MD5SIG) || defined(CONFIG_TCP_AO)
rcu_read_lock();
- md5 = tcp_rsk(req)->af_specific->req_md5_lookup(sk, req_to_sk(req));
#endif
+ if (tcp_rsk_used_ao(req)) {
+#ifdef CONFIG_TCP_AO
+ u8 maclen = tcp_rsk(req)->maclen;
+ u8 keyid = tcp_rsk(req)->ao_keyid;
+
+ ao_key = tcp_sk(sk)->af_specific->ao_lookup(sk, req_to_sk(req),
+ keyid, -1);
+ /* If there is no matching key - avoid sending anything,
+ * especially usigned segments. It could try harder and lookup
+ * for another peer-matching key, but the peer has requested
+ * ao_keyid (RFC5925 RNextKeyID), so let's keep it simple here.
+ */
+ if (unlikely(!ao_key || tcp_ao_maclen(ao_key) != maclen)) {
+ rcu_read_unlock();
+ skb_dst_drop(skb);
+ kfree_skb(skb);
+ net_warn_ratelimited("TCP-AO: the keyid %u with maclen %u|%u from SYN packet is not present - not sending SYNACK\n",
+ keyid, maclen,
+ ao_key ? tcp_ao_maclen(ao_key) : 0);
+ return NULL;
+ }
+#endif
+ } else {
+#ifdef CONFIG_TCP_MD5SIG
+ md5 = tcp_rsk(req)->af_specific->req_md5_lookup(sk,
+ req_to_sk(req));
+#endif
+ }
skb_set_hash(skb, tcp_rsk(req)->txhash, PKT_HASH_TYPE_L4);
/* bpf program will be interested in the tcp_flags */
TCP_SKB_CB(skb)->tcp_flags = TCPHDR_SYN | TCPHDR_ACK;
tcp_header_size = tcp_synack_options(sk, req, mss, skb, &opts, md5,
- NULL, foc, synack_type,
- syn_skb) + sizeof(*th);
+ ao_key, foc, synack_type, syn_skb)
+ + sizeof(*th);
skb_push(skb, tcp_header_size);
skb_reset_transport_header(skb);
@@ -3717,7 +3745,7 @@ struct sk_buff *tcp_make_synack(const struct sock *sk, struct dst_entry *dst,
/* RFC1323: The window in SYN & SYN/ACK segments is never scaled. */
th->window = htons(min(req->rsk_rcv_wnd, 65535U));
- tcp_options_write(th, NULL, NULL, &opts, NULL);
+ tcp_options_write(th, NULL, tcp_rsk(req), &opts, ao_key);
th->doff = (tcp_header_size >> 2);
TCP_INC_STATS(sock_net(sk), TCP_MIB_OUTSEGS);
@@ -3725,7 +3753,15 @@ struct sk_buff *tcp_make_synack(const struct sock *sk, struct dst_entry *dst,
/* Okay, we have all we need - do the md5 hash if needed */
if (md5)
tcp_rsk(req)->af_specific->calc_md5_hash(opts.hash_location,
- md5, req_to_sk(req), skb);
+ md5, req_to_sk(req), skb);
+#endif
+#ifdef CONFIG_TCP_AO
+ if (ao_key)
+ tcp_rsk(req)->af_specific->ao_synack_hash(opts.hash_location,
+ ao_key, req, skb,
+ opts.hash_location - (u8 *)th, 0);
+#endif
+#if defined(CONFIG_TCP_MD5SIG) || defined(CONFIG_TCP_AO)
rcu_read_unlock();
#endif
diff --git a/net/ipv6/tcp_ao.c b/net/ipv6/tcp_ao.c
index 17acb2fd5182..bc032e441ef8 100644
--- a/net/ipv6/tcp_ao.c
+++ b/net/ipv6/tcp_ao.c
@@ -128,3 +128,18 @@ int tcp_v6_parse_ao(struct sock *sk, int cmd,
return tcp_parse_ao(sk, cmd, AF_INET6, optval, optlen);
}
EXPORT_SYMBOL_GPL(tcp_v6_parse_ao);
+
+int tcp_v6_ao_synack_hash(char *ao_hash, struct tcp_ao_key *ao_key,
+ struct request_sock *req, const struct sk_buff *skb,
+ int hash_offset, u32 sne)
+{
+ char traffic_key[TCP_AO_MAX_HASH_SIZE] __tcp_ao_key_align;
+
+ tcp_v6_ao_calc_key_rsk(ao_key, traffic_key, req);
+
+ tcp_ao_hash_skb(AF_INET6, ao_hash, ao_key, req_to_sk(req), skb,
+ traffic_key, hash_offset, sne);
+
+ return 0;
+}
+EXPORT_SYMBOL_GPL(tcp_v6_ao_synack_hash);
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index 386160140208..b2f17d6ec5c3 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -849,6 +849,7 @@ const struct tcp_request_sock_ops tcp_request_sock_ipv6_ops = {
#ifdef CONFIG_TCP_AO
.ao_lookup = tcp_v6_ao_lookup_rsk,
.ao_calc_key = tcp_v6_ao_calc_key_rsk,
+ .ao_synack_hash = tcp_v6_ao_synack_hash,
#endif
#ifdef CONFIG_SYN_COOKIES
.cookie_init_seq = cookie_v6_init_sequence,
--
2.40.0
next prev parent reply other threads:[~2023-05-12 20:23 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-05-12 20:22 [PATCH v6 00/21] net/tcp: Add TCP-AO support Dmitry Safonov
2023-05-12 20:22 ` [PATCH v6 01/21] net/tcp: Prepare tcp_md5sig_pool for TCP-AO Dmitry Safonov
2023-05-12 23:23 ` kernel test robot
2023-05-15 4:48 ` Herbert Xu
2023-05-15 16:25 ` Dmitry Safonov
2023-05-16 10:15 ` Herbert Xu
2023-05-19 8:26 ` [PATCH 0/3] crypto: cmac - Add cloning support Herbert Xu
2023-05-19 8:28 ` [PATCH 1/3] crypto: cmac - Use modern init_tfm/exit_tfm Herbert Xu
2023-05-19 8:28 ` [PATCH 2/3] crypto: cipher - Add crypto_clone_cipher Herbert Xu
2023-05-19 13:15 ` Simon Horman
2023-05-19 8:28 ` [PATCH 3/3] crypto: cmac - Add support for cloning Herbert Xu
2023-05-19 8:54 ` Ard Biesheuvel
2023-05-19 9:04 ` [PATCH] crypto: shash - Allow cloning on algorithms with no init_tfm Herbert Xu
2023-05-19 9:31 ` Ard Biesheuvel
2023-05-19 9:35 ` Herbert Xu
2023-05-19 14:41 ` [PATCH 3/3] crypto: cmac - Add support for cloning Dmitry Safonov
2023-05-19 9:49 ` [PATCH 0/3] crypto: cmac - Add cloning support Ard Biesheuvel
2023-05-12 20:22 ` [PATCH v6 02/21] net/tcp: Add TCP-AO config and structures Dmitry Safonov
2023-05-12 20:22 ` [PATCH v6 03/21] net/tcp: Introduce TCP_AO setsockopt()s Dmitry Safonov
2023-05-12 20:22 ` [PATCH v6 04/21] net/tcp: Prevent TCP-MD5 with TCP-AO being set Dmitry Safonov
2023-05-12 20:22 ` [PATCH v6 05/21] net/tcp: Calculate TCP-AO traffic keys Dmitry Safonov
2023-05-12 20:22 ` [PATCH v6 06/21] net/tcp: Add TCP-AO sign to outgoing packets Dmitry Safonov
2023-05-12 20:22 ` [PATCH v6 07/21] net/tcp: Add tcp_parse_auth_options() Dmitry Safonov
2023-05-12 23:02 ` kernel test robot
2023-05-12 20:22 ` [PATCH v6 08/21] net/tcp: Add AO sign to RST packets Dmitry Safonov
2023-05-12 20:22 ` [PATCH v6 09/21] net/tcp: Add TCP-AO sign to twsk Dmitry Safonov
2023-05-12 20:23 ` [PATCH v6 10/21] net/tcp: Wire TCP-AO to request sockets Dmitry Safonov
2023-05-12 20:23 ` Dmitry Safonov [this message]
2023-05-12 20:23 ` [PATCH v6 12/21] net/tcp: Verify inbound TCP-AO signed segments Dmitry Safonov
2023-05-12 20:23 ` [PATCH v6 13/21] net/tcp: Add TCP-AO segments counters Dmitry Safonov
2023-05-12 20:23 ` [PATCH v6 14/21] net/tcp: Add TCP-AO SNE support Dmitry Safonov
2023-05-12 20:23 ` [PATCH v6 15/21] net/tcp: Add tcp_hash_fail() ratelimited logs Dmitry Safonov
2023-05-12 20:23 ` [PATCH v6 16/21] net/tcp: Ignore specific ICMPs for TCP-AO connections Dmitry Safonov
2023-05-12 20:23 ` [PATCH v6 17/21] net/tcp: Add option for TCP-AO to (not) hash header Dmitry Safonov
2023-05-12 20:23 ` [PATCH v6 18/21] net/tcp: Add TCP-AO getsockopt()s Dmitry Safonov
2023-05-12 20:23 ` [PATCH v6 19/21] net/tcp: Allow asynchronous delete for TCP-AO keys (MKTs) Dmitry Safonov
2023-05-12 20:23 ` [PATCH v6 20/21] net/tcp: Add static_key for TCP-AO Dmitry Safonov
2023-05-12 20:23 ` [PATCH v6 21/21] net/tcp: Wire up l3index to TCP-AO Dmitry Safonov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230512202311.2845526-12-dima@arista.com \
--to=dima@arista.com \
--cc=0x7f454c46@gmail.com \
--cc=David.Laight@aculab.com \
--cc=ardb@kernel.org \
--cc=cdleonard@gmail.com \
--cc=colona@arista.com \
--cc=davem@davemloft.net \
--cc=dsahern@kernel.org \
--cc=ebiederm@xmission.com \
--cc=ebiggers@kernel.org \
--cc=edumazet@google.com \
--cc=error27@gmail.com \
--cc=fruggeri05@gmail.com \
--cc=gilligan@arista.com \
--cc=herbert@gondor.apana.org.au \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=netdev@vger.kernel.org \
--cc=noureddine@arista.com \
--cc=pabeni@redhat.com \
--cc=yoshfuji@linux-ipv6.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).