@@ -53,10 +53,19 @@ struct tcp_authopt_key_info {
int prefixlen;
/** @addr: Same as &tcp_authopt_key.addr */
struct sockaddr_storage addr;
/** @alg: Algorithm implementation matching alg_id */
struct tcp_authopt_alg_imp *alg;
+ /** @alg: Algorithm implementation matching alg_id */
+ /** @send_lifetime_begin: Beginning of send lifetime */
+ u64 send_lifetime_begin;
+ /** @send_lifetime_end: End of send lifetime */
+ u64 send_lifetime_end;
+ /** @recv_lifetime_begin: Beginning of recv lifetime */
+ u64 recv_lifetime_begin;
+ /** @recv_lifetime_end: End of recv lifetime */
+ u64 recv_lifetime_end;
};
/**
* struct tcp_authopt_info - Per-socket information regarding tcp_authopt
*
@@ -373,20 +373,28 @@ struct tcp_authopt {
* @TCP_AUTHOPT_KEY_ADDR_BIND: Key only valid for `tcp_authopt.addr`
* @TCP_AUTHOPT_KEY_IFINDEX: Key only valid for `tcp_authopt.ifindex`
* @TCP_AUTHOPT_KEY_NOSEND: Key invalid for send (expired)
* @TCP_AUTHOPT_KEY_NORECV: Key invalid for recv (expired)
* @TCP_AUTHOPT_KEY_PREFIXLEN: Valid value in `tcp_authopt.prefixlen`, otherwise
- * match full address length
+ * always match full address length
+ * @TCP_AUTHOPT_KEY_SEND_LIFETIME_BEGIN: Valid value in `tcp_authopt.send_lifetime_begin`
+ * @TCP_AUTHOPT_KEY_SEND_LIFETIME_END: Valid value in `tcp_authopt.send_lifetime_end`
+ * @TCP_AUTHOPT_KEY_RECV_LIFETIME_BEGIN: Valid value in `tcp_authopt.recv_lifetime_begin`
+ * @TCP_AUTHOPT_KEY_RECV_LIFETIME_END: Valid value in `tcp_authopt.recv_lifetime_end`
*/
enum tcp_authopt_key_flag {
TCP_AUTHOPT_KEY_DEL = (1 << 0),
TCP_AUTHOPT_KEY_EXCLUDE_OPTS = (1 << 1),
TCP_AUTHOPT_KEY_ADDR_BIND = (1 << 2),
TCP_AUTHOPT_KEY_IFINDEX = (1 << 3),
TCP_AUTHOPT_KEY_NOSEND = (1 << 4),
TCP_AUTHOPT_KEY_NORECV = (1 << 5),
TCP_AUTHOPT_KEY_PREFIXLEN = (1 << 6),
+ TCP_AUTHOPT_KEY_SEND_LIFETIME_BEGIN = (1 << 7),
+ TCP_AUTHOPT_KEY_SEND_LIFETIME_END = (1 << 8),
+ TCP_AUTHOPT_KEY_RECV_LIFETIME_BEGIN = (1 << 9),
+ TCP_AUTHOPT_KEY_RECV_LIFETIME_END = (1 << 10),
};
/**
* enum tcp_authopt_alg - Algorithms for TCP Authentication Option
*/
@@ -408,10 +416,13 @@ enum tcp_authopt_alg {
* - recv_id
* - addr (iff TCP_AUTHOPT_KEY_ADDR_BIND)
*
* RFC5925 requires that key ids must not overlap for the same TCP connection.
* This is not enforced by linux.
+ *
+ * Key validity times are optional. When specified they are interpreted as "wall
+ * time" and compared to CLOCK_REALTIME.
*/
struct tcp_authopt_key {
/** @flags: Combination of &enum tcp_authopt_key_flag */
__u32 flags;
/** @send_id: keyid value for send */
@@ -444,10 +455,18 @@ struct tcp_authopt_key {
*
* Without the TCP_AUTHOPT_KEY_PREFIXLEN flag this is ignored and a full
* address match is performed.
*/
int prefixlen;
+ /** @send_lifetime_begin: Beginning of send lifetime */
+ __u64 send_lifetime_begin;
+ /** @send_lifetime_end: End of send lifetime */
+ __u64 send_lifetime_end;
+ /** @recv_lifetime_begin: Beginning of recv lifetime */
+ __u64 recv_lifetime_begin;
+ /** @recv_lifetime_end: End of recv lifetime */
+ __u64 recv_lifetime_end;
};
/* setsockopt(fd, IPPROTO_TCP, TCP_ZEROCOPY_RECEIVE, ...) */
#define TCP_RECEIVE_ZEROCOPY_FLAG_TLB_CLEAN_HINT 0x1
@@ -242,10 +242,33 @@ void tcp_authopt_clear(struct sock *sk)
if (info) {
tcp_authopt_free(sk, info);
tcp_sk(sk)->authopt_info = NULL;
}
}
+
+static bool key_valid_for_send(struct tcp_authopt_key_info *key, ktime_t now)
+{
+ if (key->flags & TCP_AUTHOPT_KEY_NOSEND)
+ return false;
+ if (key->flags & TCP_AUTHOPT_KEY_SEND_LIFETIME_BEGIN && now < key->send_lifetime_begin)
+ return false;
+ if (key->flags & TCP_AUTHOPT_KEY_SEND_LIFETIME_END && now > key->send_lifetime_end)
+ return false;
+ return true;
+}
+
+static bool key_valid_for_recv(struct tcp_authopt_key_info *key, ktime_t now)
+{
+ if (key->flags & TCP_AUTHOPT_KEY_NORECV)
+ return false;
+ if (key->flags & TCP_AUTHOPT_KEY_RECV_LIFETIME_BEGIN && now < key->recv_lifetime_begin)
+ return false;
+ if (key->flags & TCP_AUTHOPT_KEY_RECV_LIFETIME_END && now > key->recv_lifetime_end)
+ return false;
+ return true;
+}
+
/* checks that ipv4 or ipv6 addr matches. */
static bool ipvx_addr_match(struct sockaddr_storage *a1,
struct sockaddr_storage *a2)
{
if (a1->ss_family != a2->ss_family)
@@ -384,10 +407,11 @@ static bool better_key_match(struct tcp_authopt_key_info *old, struct tcp_authop
static struct tcp_authopt_key_info *tcp_authopt_lookup_send(struct netns_tcp_authopt *net,
const struct sock *addr_sk)
{
struct tcp_authopt_key_info *result = NULL;
struct tcp_authopt_key_info *key;
+ time64_t now = ktime_get_real_seconds();
int l3index = -1;
hlist_for_each_entry_rcu(key, &net->head, node, 0) {
if (key->flags & TCP_AUTHOPT_KEY_ADDR_BIND)
if (!tcp_authopt_key_match_sk_addr(key, addr_sk))
@@ -397,11 +421,11 @@ static struct tcp_authopt_key_info *tcp_authopt_lookup_send(struct netns_tcp_aut
l3index = l3mdev_master_ifindex_by_index(sock_net(addr_sk),
addr_sk->sk_bound_dev_if);
if (l3index != key->l3index)
continue;
}
- if (key->flags & TCP_AUTHOPT_KEY_NOSEND)
+ if (!key_valid_for_send(key, now))
continue;
if (better_key_match(result, key))
result = key;
else if (result)
net_warn_ratelimited("ambiguous tcp authentication keys configured for send\n");
@@ -555,11 +579,15 @@ int tcp_get_authopt_val(struct sock *sk, struct tcp_authopt *opt)
TCP_AUTHOPT_KEY_EXCLUDE_OPTS | \
TCP_AUTHOPT_KEY_ADDR_BIND | \
TCP_AUTHOPT_KEY_IFINDEX | \
TCP_AUTHOPT_KEY_PREFIXLEN | \
TCP_AUTHOPT_KEY_NOSEND | \
- TCP_AUTHOPT_KEY_NORECV)
+ TCP_AUTHOPT_KEY_NORECV | \
+ TCP_AUTHOPT_KEY_SEND_LIFETIME_BEGIN | \
+ TCP_AUTHOPT_KEY_SEND_LIFETIME_END | \
+ TCP_AUTHOPT_KEY_RECV_LIFETIME_BEGIN | \
+ TCP_AUTHOPT_KEY_RECV_LIFETIME_END)
static bool ipv6_addr_is_prefix(struct in6_addr *addr, int plen)
{
struct in6_addr copy;
@@ -690,10 +718,14 @@ int tcp_set_authopt_key(struct sock *sk, sockptr_t optval, unsigned int optlen)
key_info->keylen = opt.keylen;
memcpy(key_info->key, opt.key, opt.keylen);
memcpy(&key_info->addr, &opt.addr, sizeof(key_info->addr));
key_info->l3index = l3index;
key_info->prefixlen = prefixlen;
+ key_info->send_lifetime_begin = opt.send_lifetime_begin;
+ key_info->send_lifetime_end = opt.send_lifetime_end;
+ key_info->recv_lifetime_begin = opt.recv_lifetime_begin;
+ key_info->recv_lifetime_end = opt.recv_lifetime_end;
hlist_add_head_rcu(&key_info->node, &net->head);
mutex_unlock(&net->mutex);
return 0;
}
@@ -1480,10 +1512,11 @@ static struct tcp_authopt_key_info *tcp_authopt_lookup_recv(struct sock *sk,
bool *anykey)
{
struct tcp_authopt_key_info *result = NULL;
struct tcp_authopt_key_info *key;
int l3index = -1;
+ time64_t now = ktime_get_real_seconds();
*anykey = false;
/* multiple matches will cause occasional failures */
hlist_for_each_entry_rcu(key, &net->head, node, 0) {
if (key->flags & TCP_AUTHOPT_KEY_ADDR_BIND &&
@@ -1504,11 +1537,11 @@ static struct tcp_authopt_key_info *tcp_authopt_lookup_recv(struct sock *sk,
if (l3index != key->l3index)
continue;
}
*anykey = true;
// If only keys with norecv flag are present still consider that
- if (key->flags & TCP_AUTHOPT_KEY_NORECV)
+ if (!key_valid_for_recv(key, now))
continue;
if (recv_id >= 0 && key->recv_id != recv_id)
continue;
if (better_key_match(result, key))
result = key;
These fields are modeled on RFC8177. This allows the kernel to handle key expiration internally instead of relying on userspace changing the NORECV/NOSEND flags on a timer. Signed-off-by: Leonard Crestez <cdleonard@gmail.com> --- include/net/tcp_authopt.h | 9 +++++++++ include/uapi/linux/tcp.h | 21 ++++++++++++++++++++- net/ipv4/tcp_authopt.c | 39 ++++++++++++++++++++++++++++++++++++--- 3 files changed, 65 insertions(+), 4 deletions(-)