From patchwork Tue Nov 21 02:01:05 2023
X-Patchwork-Submitter: Dmitry Safonov
X-Patchwork-Id: 13462399
X-Patchwork-Delegate: kuba@kernel.org
From: Dmitry Safonov
To: David Ahern, Eric Dumazet, Paolo Abeni, Jakub Kicinski, "David S. Miller"
Cc: linux-kernel@vger.kernel.org, Dmitry Safonov, Dmitry Safonov <0x7f454c46@gmail.com>, Francesco Ruggeri, Salam Noureddine, Simon Horman, netdev@vger.kernel.org, Markus Elfring, Jonathan Corbet, linux-doc@vger.kernel.org
Subject: [PATCH 1/7] Documentation/tcp: Fix an obvious typo
Date: Tue, 21 Nov 2023 02:01:05 +0000
Message-ID: <20231121020111.1143180-2-dima@arista.com>
In-Reply-To: <20231121020111.1143180-1-dima@arista.com>
References: <20231121020111.1143180-1-dima@arista.com>

Yep, my VIM spellchecker is not good enough for typos like this one.

Fixes: 7fe0e38bb669 ("Documentation/tcp: Add TCP-AO documentation")
Cc: Jonathan Corbet
Cc: linux-doc@vger.kernel.org
Reported-by: Markus Elfring
Closes: https://lore.kernel.org/all/2745ab4e-acac-40d4-83bf-37f2600d0c3d@web.de/
Signed-off-by: Dmitry Safonov
---
 Documentation/networking/tcp_ao.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Documentation/networking/tcp_ao.rst b/Documentation/networking/tcp_ao.rst
index cfa5bf1cc542..8a58321acce7 100644
--- a/Documentation/networking/tcp_ao.rst
+++ b/Documentation/networking/tcp_ao.rst
@@ -99,7 +99,7 @@ also [6.1]:: when it is no longer considered permitted. Linux TCP-AO will try its best to prevent you from removing a key that's -being used, considering it a key management failure. But sine keeping +being used, considering it a key management failure. But since keeping an outdated key may become a security issue and as a peer may unintentionally prevent the removal of an old key by always setting it as RNextKeyID - a forced key removal mechanism is provided, where From patchwork Tue Nov 21 02:01:06 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dmitry Safonov X-Patchwork-Id: 13462401 X-Patchwork-Delegate: kuba@kernel.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=arista.com header.i=@arista.com header.b="IdXAYHPd" Received: from mail-wr1-x42b.google.com (mail-wr1-x42b.google.com [IPv6:2a00:1450:4864:20::42b]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 033D2F4 for ; Mon, 20 Nov 2023 18:01:23 -0800 (PST) Received: by mail-wr1-x42b.google.com with SMTP id ffacd0b85a97d-32d9d8284abso3353484f8f.3 for ; Mon, 20 Nov 2023 18:01:22 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=arista.com; s=google; t=1700532081; x=1701136881; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=ZFZtrO5Vu1kU3sumxlKrsDROc9NCJqMerSFSCRsFvqU=; b=IdXAYHPdFEu2I70RRh8wAb1p+44QUfqxJFNvF5bujMFc69YLrKSaLbZMXl5yMZjYZD tQCKNQb9+qKWnBp2e1BcvXrFHTSSbYKHFjqzys4HRyAtqkyZ6wYswjEXregJV5X3xbs0 6sgoxQfT6+xPwQFJx+IkiC4ztPfLAznKl7vPCHYg8sQ7tHfrnIh37pOxpaFJacUIL5VG Wj3l+sPuyXbqkUpeT2mzKSmh3bdYFh0Yw41S0rbL+YJglEFgQi53OR9K7mPzEG3M4Uc5 IlG2xRNX5mdo5RpiM3+67+zXhAOX+2ZAp8IFNsM3mjVtHB7adEGg9cwX4/6NWJvHE3X2 eBBA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1700532081; x=1701136881; 
From: Dmitry Safonov
To: David Ahern, Eric Dumazet, Paolo Abeni, Jakub Kicinski, "David S. Miller"
Cc: linux-kernel@vger.kernel.org, Dmitry Safonov, Dmitry Safonov <0x7f454c46@gmail.com>, Francesco Ruggeri, Salam Noureddine, Simon Horman, netdev@vger.kernel.org
Subject: [PATCH 2/7] net/tcp: Consistently align TCP-AO option in the header
Date: Tue, 21 Nov 2023 02:01:06 +0000
Message-ID: <20231121020111.1143180-3-dima@arista.com>
In-Reply-To: <20231121020111.1143180-1-dima@arista.com>
References: <20231121020111.1143180-1-dima@arista.com>

Currently functions that pre-calculate TCP header options length use
unaligned TCP-AO header + MAC-length for skb reservation.
And the functions that actually write TCP-AO options into skb do align
the header. Nothing good can come out of this for ((maclen % 4) != 0).

Provide tcp_ao_len_aligned() helper and use it everywhere for TCP header
options space calculations.

Fixes: 1e03d32bea8e ("net/tcp: Add TCP-AO sign to outgoing packets")
Signed-off-by: Dmitry Safonov
---
 include/net/tcp_ao.h     | 6 ++++++
 net/ipv4/tcp_ao.c        | 4 ++--
 net/ipv4/tcp_ipv4.c      | 4 ++--
 net/ipv4/tcp_minisocks.c | 2 +-
 net/ipv4/tcp_output.c    | 6 +++---
 net/ipv6/tcp_ipv6.c      | 2 +-
 6 files changed, 15 insertions(+), 9 deletions(-)

diff --git a/include/net/tcp_ao.h b/include/net/tcp_ao.h
index b56be10838f0..647781080613 100644
--- a/include/net/tcp_ao.h
+++ b/include/net/tcp_ao.h
@@ -62,11 +62,17 @@ static inline int tcp_ao_maclen(const struct tcp_ao_key *key) return key->maclen; } +/* Use tcp_ao_len_aligned() for TCP header calculations */ static inline int tcp_ao_len(const struct tcp_ao_key *key) { return tcp_ao_maclen(key) + sizeof(struct tcp_ao_hdr); } +static inline int tcp_ao_len_aligned(const struct tcp_ao_key *key) +{ + return round_up(tcp_ao_len(key), 4); +} + static inline unsigned int tcp_ao_digest_size(struct tcp_ao_key *key) { return key->digest_size; diff --git a/net/ipv4/tcp_ao.c b/net/ipv4/tcp_ao.c index 7696417d0640..c8be1d526eac 100644 --- a/net/ipv4/tcp_ao.c +++ b/net/ipv4/tcp_ao.c @@ -1100,7 +1100,7 @@ void tcp_ao_connect_init(struct sock *sk) ao_info->current_key = key; if (!ao_info->rnext_key) ao_info->rnext_key = key; - tp->tcp_header_len += tcp_ao_len(key); + tp->tcp_header_len += tcp_ao_len_aligned(key); ao_info->lisn = htonl(tp->write_seq); ao_info->snd_sne = 0; @@ -1346,7 +1346,7 @@ static int tcp_ao_parse_crypto(struct tcp_ao_add *cmd, struct tcp_ao_key *key) syn_tcp_option_space -= TCPOLEN_MSS_ALIGNED; syn_tcp_option_space -= TCPOLEN_TSTAMP_ALIGNED; syn_tcp_option_space -= TCPOLEN_WSCALE_ALIGNED; - if (tcp_ao_len(key) > syn_tcp_option_space) { + if (tcp_ao_len_aligned(key) > syn_tcp_option_space) { err = -EMSGSIZE; goto err_kfree; } diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c index 5f693bbd578d..0c50c5a32b84 100644 --- a/net/ipv4/tcp_ipv4.c +++ b/net/ipv4/tcp_ipv4.c @@ -690,7 +690,7 @@ static bool tcp_v4_ao_sign_reset(const struct sock *sk, struct sk_buff *skb, reply_options[0] = htonl((TCPOPT_AO << 24) | (tcp_ao_len(key) << 16) | (aoh->rnext_keyid << 8) | keyid); - arg->iov[0].iov_len += round_up(tcp_ao_len(key), 4); + arg->iov[0].iov_len += tcp_ao_len_aligned(key); reply->doff = arg->iov[0].iov_len / 4; if (tcp_ao_hash_hdr(AF_INET, (char *)&reply_options[1], 
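Review bot: in the tcp_v4_ao_sign_reset() hunk the option Length byte in reply_options[0] is still built from tcp_ao_len(key) while iov_len grows by tcp_ao_len_aligned(key). That split is correct (the option's Length field counts only the option itself, and the TCP header is padded to a 32-bit boundary), but for a MAC length that is not a multiple of four it leaves up to three bytes after the MAC that this hunk does not show being written as NOP/EOL padding. Please extend the new comment in tcp_ao.h ("Use tcp_ao_len_aligned() for TCP header calculations") to say that whoever writes the option is responsible for the bytes between tcp_ao_len() and tcp_ao_len_aligned(), so future callers do not assume the helper covers them.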
@@ -978,7 +978,7 @@ static void tcp_v4_send_ack(const struct sock *sk, (tcp_ao_len(key->ao_key) << 16) | (key->ao_key->sndid << 8) | key->rcv_next); - arg.iov[0].iov_len += round_up(tcp_ao_len(key->ao_key), 4); + arg.iov[0].iov_len += tcp_ao_len_aligned(key->ao_key); rep.th.doff = arg.iov[0].iov_len / 4; tcp_ao_hash_hdr(AF_INET, (char *)&rep.opt[offset], diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c index a9807eeb311c..9e85f2a0bddd 100644 --- a/net/ipv4/tcp_minisocks.c +++ b/net/ipv4/tcp_minisocks.c @@ -615,7 +615,7 @@ struct sock *tcp_create_openreq_child(const struct sock *sk, ao_key = treq->af_specific->ao_lookup(sk, req, tcp_rsk(req)->ao_keyid, -1); if (ao_key) - newtp->tcp_header_len += tcp_ao_len(ao_key); + newtp->tcp_header_len += tcp_ao_len_aligned(ao_key); #endif if (skb->len >= TCP_MSS_DEFAULT + newtp->tcp_header_len) newicsk->icsk_ack.last_seg_size = skb->len - newtp->tcp_header_len; diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c index eb13a55d660c..93eef1dbbc55 100644 --- a/net/ipv4/tcp_output.c +++ b/net/ipv4/tcp_output.c @@ -825,7 +825,7 @@ static unsigned int tcp_syn_options(struct sock *sk, struct sk_buff *skb, timestamps = READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_timestamps); if (tcp_key_is_ao(key)) { opts->options |= OPTION_AO; - remaining -= tcp_ao_len(key->ao_key); + remaining -= tcp_ao_len_aligned(key->ao_key); } } @@ -915,7 +915,7 @@ static unsigned int tcp_synack_options(const struct sock *sk, ireq->tstamp_ok &= !ireq->sack_ok; } else if (tcp_key_is_ao(key)) { opts->options |= OPTION_AO; - remaining -= tcp_ao_len(key->ao_key); + remaining -= tcp_ao_len_aligned(key->ao_key); ireq->tstamp_ok &= !ireq->sack_ok; } 
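Review bot: the tcp_v4_send_ack() hunk (and the tcp_v4_ao_sign_reset() one before it) already used round_up(tcp_ao_len(), 4), so replacing it with tcp_ao_len_aligned() is a no-op cleanup, whereas the tcp_create_openreq_child(), tcp_syn_options() and tcp_synack_options() hunks actually change the reserved length for ((maclen % 4) != 0). Since the patch carries a Fixes: tag, it would help backporters if the commit message said which hunks change behaviour and which are only the helper substitution; alternatively, split the two round_up() replacements into a separate cleanup patch.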
@@ -982,7 +982,7 @@ static unsigned int tcp_established_options(struct sock *sk, struct sk_buff *skb size += TCPOLEN_MD5SIG_ALIGNED; } else if (tcp_key_is_ao(key)) { opts->options |= OPTION_AO; - size += tcp_ao_len(key->ao_key); + size += tcp_ao_len_aligned(key->ao_key); } if (likely(tp->rx_opt.tstamp_ok)) { diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c index 937a02c2e534..8c6623496dd7 100644 --- a/net/ipv6/tcp_ipv6.c +++ b/net/ipv6/tcp_ipv6.c 
@@ -881,7 +881,7 @@ static void tcp_v6_send_response(const struct sock *sk, struct sk_buff *skb, u32 if (tcp_key_is_md5(key)) tot_len += TCPOLEN_MD5SIG_ALIGNED; if (tcp_key_is_ao(key)) - tot_len += tcp_ao_len(key->ao_key); + tot_len += tcp_ao_len_aligned(key->ao_key); #ifdef CONFIG_MPTCP if (rst && !tcp_key_is_md5(key)) { From patchwork Tue Nov 21 02:01:07 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dmitry Safonov X-Patchwork-Id: 13462402 X-Patchwork-Delegate: kuba@kernel.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=arista.com header.i=@arista.com header.b="BwUvv7uK" Received: from mail-wm1-x336.google.com (mail-wm1-x336.google.com [IPv6:2a00:1450:4864:20::336]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C3E60CA for ; Mon, 20 Nov 2023 18:01:24 -0800 (PST) Received: by mail-wm1-x336.google.com with SMTP id 5b1f17b1804b1-40806e4106dso14669635e9.1 for ; Mon, 20 Nov 2023 18:01:24 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=arista.com; s=google; t=1700532083; x=1701136883; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=ZExWn2HUbFMStGLP1W6Y7/MeyCrX5kAskFZ5sfppJnI=; b=BwUvv7uKuMsQtrhs3/FuJhn+wgU99uTqAWBF9cI3uv67Y7zmJPNmxPKi0Giq7eqrl7 hHgfWQVdS5+TfbbOp67ladHgt2VJilm8JUNvdl7bySl1/vwNLEeXWvUkExdvZBg0a+kg yfBAOqxIuybZsz1YwMBnNIiaiISOg5ybONGvxnXwpBryWNXVsEso+ghQcqECwJPlxdkZ UofSjY6mqd+BImvkYXQtGO0MeBMrsSiuKCRUrP4fZzA2UfOo74W+9Henlp3dSLvUKTPW LqaH2vBRakc4d5ZyigWcX7cNwk4FAuna3w8MYSN4a79ym3jdqs1ON6EXnqg3lyeJOS4I mc5g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1700532083; x=1701136883; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; 
From: Dmitry Safonov
To: David Ahern, Eric Dumazet, Paolo Abeni, Jakub Kicinski, "David S. Miller"
Cc: linux-kernel@vger.kernel.org, Dmitry Safonov, Dmitry Safonov <0x7f454c46@gmail.com>, Francesco Ruggeri, Salam Noureddine, Simon Horman, netdev@vger.kernel.org
Subject: [PATCH 3/7] net/tcp: Limit TCP_AO_REPAIR to non-listen sockets
Date: Tue, 21 Nov 2023 02:01:07 +0000
Message-ID: <20231121020111.1143180-4-dima@arista.com>
In-Reply-To: <20231121020111.1143180-1-dima@arista.com>
References: <20231121020111.1143180-1-dima@arista.com>

A listen socket is not an established TCP connection, so
setsockopt(TCP_AO_REPAIR) doesn't have any impact. Restrict this uAPI
for listen sockets.

Fixes: faadfaba5e01 ("net/tcp: Add TCP_AO_REPAIR")
Signed-off-by: Dmitry Safonov --- net/ipv4/tcp.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c index 53bcc17c91e4..2836515ab3d7 100644 --- a/net/ipv4/tcp.c +++ b/net/ipv4/tcp.c @@ -3594,6 +3594,10 @@ int do_tcp_setsockopt(struct sock *sk, int level, int optname, break; case TCP_AO_REPAIR: + if (sk->sk_state == TCP_LISTEN) { + err = -ENOSTR; + break; + } err = tcp_ao_set_repair(sk, optval, optlen); break; #ifdef CONFIG_TCP_AO 
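Review bot: -ENOSTR is an unusual errno for a socket-state check; if it is the value the other TCP-AO state checks already return, please say so in the commit message and document it in Documentation/networking/tcp_ao.rst, otherwise -EINVAL or -EPERM is what the TCP_REPAIR* options in the same switch return for a socket they cannot act on. Also, because this case sits outside the #ifdef CONFIG_TCP_AO block that follows it, the listener check runs even when TCP-AO is compiled out, so a CONFIG_TCP_AO=n kernel now answers -ENOSTR for a listener instead of the stub's error. Moving the check into tcp_ao_set_repair() (and its twin into tcp_ao_get_repair()) avoids duplicating it in do_tcp_getsockopt() and keeps the !CONFIG_TCP_AO path unchanged.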
@@ -4293,6 +4297,8 @@ int do_tcp_getsockopt(struct sock *sk, int level, } #endif case TCP_AO_REPAIR: + if (sk->sk_state == TCP_LISTEN) + return -ENOSTR; return tcp_ao_get_repair(sk, optval, optlen); case TCP_AO_GET_KEYS: case TCP_AO_INFO: { From patchwork Tue Nov 21 02:01:08 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dmitry Safonov X-Patchwork-Id: 13462403 X-Patchwork-Delegate: kuba@kernel.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=arista.com header.i=@arista.com header.b="ULYOegoU" Received: from mail-wm1-x32b.google.com (mail-wm1-x32b.google.com [IPv6:2a00:1450:4864:20::32b]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 05A02110 for ; Mon, 20 Nov 2023 18:01:26 -0800 (PST) Received: by mail-wm1-x32b.google.com with SMTP id 5b1f17b1804b1-40839652b97so19540175e9.3 for ; Mon, 20 Nov 2023 18:01:25 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=arista.com; s=google; t=1700532084; x=1701136884; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=ig/YC8MojIs+gaKRoOQN47DED/hcFn6cM8MDHgjia40=; b=ULYOegoUtmLrixADn3fPF85w6jcWSsLHj8iyJJtr5d3dER7Y2N3ABdo5RaWu1bXGl0 njWrQI8sNEb+8Mlwb1F00H780kw7C7k1HwDM8f3u2saXg7ajX4ClwZsRZqQsupib5ljO OD031rHf020Iau1GdVibAder1J7jDUxdXJvmxBdViwIAlOuY7lsKQSeWQ/L2nbSKxNp8 8wzWI41FHzX3Y/L+NChoLQjh2/9EggiW5fJSFJGoWMUDuoIICKnDeE2a16oR/qUQcoGq 6hx5OGdq36zph1NHuFCGfBt4sPP4ABWU/mAMraNGANQbBV1IIsB0Miix6ZbqUjVrz+Ql esdA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1700532084; x=1701136884; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=ig/YC8MojIs+gaKRoOQN47DED/hcFn6cM8MDHgjia40=; 
From: Dmitry Safonov To: David Ahern , Eric Dumazet , Paolo Abeni , Jakub Kicinski , "David S. Miller" Cc: linux-kernel@vger.kernel.org, Dmitry Safonov , Dmitry Safonov <0x7f454c46@gmail.com>, Francesco Ruggeri , Salam Noureddine , Simon Horman , netdev@vger.kernel.org Subject: [PATCH 4/7] net/tcp: Reset TCP-AO cached keys on listen() syscall Date: Tue, 21 Nov 2023 02:01:08 +0000 Message-ID: <20231121020111.1143180-5-dima@arista.com> X-Mailer: git-send-email 2.42.0 In-Reply-To: <20231121020111.1143180-1-dima@arista.com> References: <20231121020111.1143180-1-dima@arista.com> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Patchwork-Delegate: kuba@kernel.org TCP_LISTEN sockets are not connected to any peer, so having current_key/rnext_key doesn't make sense. The userspace may falter over this issue by setting current or rnext TCP-AO key before listen() syscall. setsockopt(TCP_AO_DEL_KEY) doesn't allow removing a key that is in use (in accordance to RFC 5925), so it might be inconvenient to have keys that can be destroyed only with listener socket. Fixes: 4954f17ddefc ("net/tcp: Introduce TCP_AO setsockopt()s") Signed-off-by: Dmitry Safonov --- include/net/tcp_ao.h | 5 +++++ net/ipv4/af_inet.c | 1 + net/ipv4/tcp_ao.c | 14 ++++++++++++++ 3 files changed, 20 insertions(+) diff --git a/include/net/tcp_ao.h b/include/net/tcp_ao.h index 647781080613..e36057ca5ed8 100644 --- a/include/net/tcp_ao.h +++ b/include/net/tcp_ao.h @@ -270,6 +270,7 @@ int tcp_v6_ao_synack_hash(char *ao_hash, struct tcp_ao_key *ao_key, void tcp_ao_established(struct sock *sk); void tcp_ao_finish_connect(struct sock *sk, struct sk_buff *skb); void tcp_ao_connect_init(struct sock *sk); +void tcp_ao_listen(struct sock *sk); void tcp_ao_syncookie(struct sock *sk, const struct sk_buff *skb, struct tcp_request_sock *treq, unsigned short int family, int l3index); 
@@ -330,6 +331,10 @@ static inline void tcp_ao_connect_init(struct sock *sk) { } +static inline void tcp_ao_listen(struct sock *sk) +{ +} + static inline int tcp_ao_get_mkts(struct sock *sk, sockptr_t optval, sockptr_t optlen) { return -ENOPROTOOPT; diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c index fb81de10d332..a08d1266344f 100644 --- a/net/ipv4/af_inet.c +++ b/net/ipv4/af_inet.c @@ -200,6 +200,7 @@ int __inet_listen_sk(struct sock *sk, int backlog) * we can only allow the backlog to be adjusted. */ if (old_state != TCP_LISTEN) { + tcp_ao_listen(sk); /* Enable TFO w/o requiring TCP_FASTOPEN socket option. * Note that only TCP sockets (SOCK_STREAM) will reach here. * Also fastopen backlog may already been set via the option diff --git a/net/ipv4/tcp_ao.c b/net/ipv4/tcp_ao.c index c8be1d526eac..71c8c9c59642 100644 --- a/net/ipv4/tcp_ao.c +++ b/net/ipv4/tcp_ao.c 
@@ -1052,6 +1052,20 @@ static int tcp_ao_cache_traffic_keys(const struct sock *sk, return ret; } +void tcp_ao_listen(struct sock *sk) +{ + struct tcp_sock *tp = tcp_sk(sk); + struct tcp_ao_info *ao_info; + + ao_info = rcu_dereference_protected(tp->ao_info, + lockdep_sock_is_held(sk)); + if (!ao_info) + return; + + WRITE_ONCE(ao_info->current_key, NULL); + WRITE_ONCE(ao_info->rnext_key, NULL); +} + void tcp_ao_connect_init(struct sock *sk) { struct tcp_sock *tp = tcp_sk(sk); From patchwork Tue Nov 21 02:01:09 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dmitry Safonov X-Patchwork-Id: 13462404 X-Patchwork-Delegate: kuba@kernel.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=arista.com header.i=@arista.com header.b="dm8J7qBS" Received: from mail-wm1-x32d.google.com (mail-wm1-x32d.google.com [IPv6:2a00:1450:4864:20::32d]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 49398E7 for ; Mon, 20 Nov 2023 18:01:27 -0800 (PST) Received: by mail-wm1-x32d.google.com with SMTP id 5b1f17b1804b1-40859dee28cso23817205e9.0 for ; Mon, 20 Nov 2023 18:01:27 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=arista.com; s=google; t=1700532085; x=1701136885; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=vRv390KZg85B3wbZ2TCp60L17ZYyL9mQWzXIk/oqbtw=; b=dm8J7qBSgjKUheRrTjDGEdwDRR/0fWw05/DnqQugslvUNkacXpJtXUS0IT8iJGb1Mw 1NSHzihLf9h6y3oKNygxigaS+wqy+P7IfFZ5kQX25qvz+AiAkYNd3IvEXpoGpoh5koW3 Q/rrR9Ewb+2LZXEW5MeTh29mNYU2aKzou37pHVDBhKXUUZMNb6djJT+7abDGihCC1fep 2637JzWf+8cf+ob/GQlJoNi+XY5C3jbXXFE6/S8hMYBWjCqMYmw1DkfWTi5lOaQWNR/Y XDYY0OozDJO4W2axIBtzrn7D/aDzbSV5U4bzk+VYWrYcijdJ3ePqxtW4oPRm/BoWBMyP uocg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1700532085; x=1701136885; 
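Review bot: in the __inet_listen_sk() hunk the new tcp_ao_listen(sk) call is inserted directly above the "Enable TFO w/o requiring TCP_FASTOPEN socket option" comment, so that comment now reads as if it described tcp_ao_listen(). Please move the call below the TFO block or give it its own one-line comment. Separately, tcp_ao_listen() silently discards a current_key/rnext_key that userspace set before listen(); since the commit message says this is the intended behaviour, Documentation/networking/tcp_ao.rst should state that listen() clears both, otherwise it looks to the caller like a lost setsockopt().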
From: Dmitry Safonov
To: David Ahern, Eric Dumazet, Paolo Abeni, Jakub Kicinski, "David S. Miller"
Cc: linux-kernel@vger.kernel.org, Dmitry Safonov, Dmitry Safonov <0x7f454c46@gmail.com>, Francesco Ruggeri, Salam Noureddine, Simon Horman, netdev@vger.kernel.org
Subject: [PATCH 5/7] net/tcp: Don't add key with non-matching VRF on connected sockets
Date: Tue, 21 Nov 2023 02:01:09 +0000
Message-ID: <20231121020111.1143180-6-dima@arista.com>
In-Reply-To: <20231121020111.1143180-1-dima@arista.com>
References: <20231121020111.1143180-1-dima@arista.com>

If the connection was established, don't allow adding TCP-AO keys that
don't match the peer. Currently, there are checks for ip-address
matching, but the L3 index check is missing. Add it to restrict
userspace shooting itself somewhere.

Fixes: 248411b8cb89 ("net/tcp: Wire up l3index to TCP-AO")
Signed-off-by: Dmitry Safonov
---
 net/ipv4/tcp_ao.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/ipv4/tcp_ao.c b/net/ipv4/tcp_ao.c
index 71c8c9c59642..122ff58168ee 100644
--- a/net/ipv4/tcp_ao.c
+++ b/net/ipv4/tcp_ao.c
@@ -1622,6 +1622,9 @@ static int tcp_ao_add_cmd(struct sock *sk, unsigned short int family, if (!dev || !l3index) return -EINVAL; + if (!((1 << sk->sk_state) & (TCPF_LISTEN | TCPF_CLOSE))) + return -EINVAL; + /* It's still possible to bind after adding keys or even * re-bind to a different dev (with CAP_NET_RAW). * So, no reason to return error here, rather try to be From patchwork Tue Nov 21 02:01:10 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dmitry Safonov X-Patchwork-Id: 13462417 X-Patchwork-Delegate: kuba@kernel.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=arista.com header.i=@arista.com header.b="TYkx5l5H" Received: from mail-wr1-x434.google.com (mail-wr1-x434.google.com [IPv6:2a00:1450:4864:20::434]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 77F19ED for ; Mon, 20 Nov 2023 18:01:28 -0800 (PST) Received: by mail-wr1-x434.google.com with SMTP id ffacd0b85a97d-332c82400a5so1018926f8f.0 for ; Mon, 20 Nov 2023 18:01:28 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=arista.com; s=google; t=1700532087; x=1701136887; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=Yb/w+BKw85BILJP8CTg75niZjZVcbAJYfunsL97APOE=; b=TYkx5l5HsPBsUxmethudoPU7KItkL6Z9NbWPNmRDNR2pNDYb6J60Tkwn6HqGhmaC7z xP+PYJ8qvTY3R78qTa7IkP5NvASc7cQTwFW+b2Dw1MikmusEOyg/KsD4FJToWSxgnbJ3 tcBUPfJWPe3uSECiyqljJIRoYa+lGZ0cNIsSp/00GqTTiENcXvfXo7i9tcCr96DqLbuW VoZ5NLlbeXNIQgW7A16Yua+K/BwfsKwzEaqp8eJcZ1USLEQKAIQZrj4rymtnRJ0WHnXo Kbw1ABYzEkL/GbqW65tKGak+HgORJaqx63J1Y7C9n8X2vHclhflswHuQfGus2etuDWja CUcA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1700532087; x=1701136887; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc 
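Review bot: the new check rejects every add-key request that carries a non-zero ifindex on a socket that is not in TCP_LISTEN or TCP_CLOSE, without comparing that ifindex to the device the socket is bound to, so on an established connection even a key whose VRF matches the peer now fails with -EINVAL, which contradicts the subject line "non-matching VRF". Either guard it with a comparison against the socket's bound device (reject only when READ_ONCE(sk->sk_bound_dev_if) is zero or differs from the requested ifindex), or reword the subject and commit message to say that no VRF-bound key may be added once connected. A one-line comment on why an established socket must not receive a non-peer-matching key would also help, since the comment that follows ("It's still possible to bind after adding keys...") describes the unconnected case.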
From: Dmitry Safonov To: David Ahern , Eric Dumazet , Paolo Abeni , Jakub Kicinski , "David S. Miller" Cc: linux-kernel@vger.kernel.org, Dmitry Safonov , Dmitry Safonov <0x7f454c46@gmail.com>, Francesco Ruggeri , Salam Noureddine , Simon Horman , netdev@vger.kernel.org Subject: [PATCH 6/7] net/tcp: ACCESS_ONCE() on snd/rcv SNEs Date: Tue, 21 Nov 2023 02:01:10 +0000 Message-ID: <20231121020111.1143180-7-dima@arista.com> X-Mailer: git-send-email 2.42.0 In-Reply-To: <20231121020111.1143180-1-dima@arista.com> References: <20231121020111.1143180-1-dima@arista.com> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Patchwork-Delegate: kuba@kernel.org SNEs need READ_ONCE()/WRITE_ONCE() for access as they can be written and read at the same time. This is actually a shame: I planned to send it in TCP-AO patches, but it seems I've chosen a wrong commit to git-commit-fixup some time ago. It ended up in a commit that adds a selftest. Human factor. Fixes: 64382c71a557 ("net/tcp: Add TCP-AO SNE support") Signed-off-by: Dmitry Safonov --- net/ipv4/tcp_ao.c | 4 ++-- net/ipv4/tcp_input.c | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/net/ipv4/tcp_ao.c b/net/ipv4/tcp_ao.c index 122ff58168ee..9b7f1970c2e9 100644 --- a/net/ipv4/tcp_ao.c +++ b/net/ipv4/tcp_ao.c @@ -956,8 +956,8 @@ tcp_inbound_ao_hash(struct sock *sk, const struct sk_buff *skb, if (unlikely(th->syn && !th->ack)) goto verify_hash; - sne = tcp_ao_compute_sne(info->rcv_sne, tcp_sk(sk)->rcv_nxt, - ntohl(th->seq)); + sne = tcp_ao_compute_sne(READ_ONCE(info->rcv_sne), + tcp_sk(sk)->rcv_nxt, ntohl(th->seq)); /* Established socket, traffic key are cached */ traffic_key = rcv_other_key(key); err = tcp_ao_verify_hash(sk, skb, family, info, aoh, key, diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c index bcb55d98004c..78896c8be0d4 100644 --- a/net/ipv4/tcp_input.c +++ b/net/ipv4/tcp_input.c 
@@ -3583,7 +3583,7 @@ static void tcp_snd_sne_update(struct tcp_sock *tp, u32 ack) ao = rcu_dereference_protected(tp->ao_info, lockdep_sock_is_held((struct sock *)tp)); if (ao && ack < tp->snd_una) - ao->snd_sne++; + WRITE_ONCE(ao->snd_sne, ao->snd_sne + 1); #endif } 
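Review bot: `WRITE_ONCE(ao->snd_sne, ao->snd_sne + 1)` still reads snd_sne plainly; that is correct here only because the writer runs under the socket lock (the rcu_dereference_protected() with lockdep_sock_is_held() just above) and is the sole updater, so the WRITE_ONCE() exists purely to pair with the lockless reader in tcp_ao.c. A one-line comment saying so above the increment would document the lock/lockless split this annotation implies.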
@@ -3609,7 +3609,7 @@ static void tcp_rcv_sne_update(struct tcp_sock *tp, u32 seq) ao = rcu_dereference_protected(tp->ao_info, lockdep_sock_is_held((struct sock *)tp)); if (ao && seq < tp->rcv_nxt) - ao->rcv_sne++; + WRITE_ONCE(ao->rcv_sne, ao->rcv_sne + 1); #endif }
From patchwork Tue Nov 21 02:01:11 2023 X-Patchwork-Submitter: Dmitry Safonov X-Patchwork-Id: 13462418 X-Patchwork-Delegate: kuba@kernel.org
From: Dmitry Safonov To: David Ahern , Eric Dumazet , Paolo Abeni , Jakub Kicinski , "David S. Miller" Cc: linux-kernel@vger.kernel.org, Dmitry Safonov , Dmitry Safonov <0x7f454c46@gmail.com>, Francesco Ruggeri , Salam Noureddine , Simon Horman , netdev@vger.kernel.org Subject: [PATCH 7/7] net/tcp: Don't store TCP-AO maclen on reqsk Date: Tue, 21 Nov 2023 02:01:11 +0000 Message-ID: <20231121020111.1143180-8-dima@arista.com> X-Mailer: git-send-email 2.42.0 In-Reply-To: <20231121020111.1143180-1-dima@arista.com> References: <20231121020111.1143180-1-dima@arista.com> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Patchwork-Delegate: kuba@kernel.org This extra check doesn't work for a handshake when SYN segment has (current_key.maclen != rnext_key.maclen). It could be amended to preserve rnext_key.maclen instead of current_key.maclen, but that requires a lookup on listen socket. Originally, this extra maclen check was introduced just because it was cheap. Drop it and convert tcp_request_sock::maclen into boolean tcp_request_sock::used_tcp_ao. Fixes: 06b22ef29591 ("net/tcp: Wire TCP-AO to request sockets") Signed-off-by: Dmitry Safonov --- include/linux/tcp.h | 10 ++++------ net/ipv4/tcp_ao.c | 4 ++-- net/ipv4/tcp_input.c | 5 +++-- net/ipv4/tcp_output.c | 9 +++------ 4 files changed, 12 insertions(+), 16 deletions(-) diff --git a/include/linux/tcp.h b/include/linux/tcp.h index 68f3d315d2e1..3af897b00920 100644 --- a/include/linux/tcp.h +++ b/include/linux/tcp.h @@ -155,6 +155,9 @@ struct tcp_request_sock { bool req_usec_ts; #if IS_ENABLED(CONFIG_MPTCP) bool drop_req; +#endif +#ifdef CONFIG_TCP_AO + bool used_tcp_ao; #endif u32 txhash; u32 rcv_isn; @@ -169,7 +172,6 @@ struct tcp_request_sock { #ifdef CONFIG_TCP_AO u8 ao_keyid; u8 ao_rcv_next; - u8 maclen; #endif }; 
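Review bot: the struct tcp_request_sock hunk opens a second `#ifdef CONFIG_TCP_AO` block for `bool used_tcp_ao` right after the MPTCP `#endif`, instead of putting the field in the existing CONFIG_TCP_AO block that holds ao_keyid and ao_rcv_next (where `u8 maclen` is removed). Presumably that is to keep the bool next to `drop_req` for packing; a short comment saying so would stop a later cleanup from merging the two blocks and reintroducing a hole.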
@@ -180,14 +182,10 @@ static inline struct tcp_request_sock *tcp_rsk(const struct request_sock *req) static inline bool tcp_rsk_used_ao(const struct request_sock *req) { - /* The real length of MAC is saved in the request socket, - * signing anything with zero-length makes no sense, so here is - * a little hack.. - */ #ifndef CONFIG_TCP_AO return false; #else - return tcp_rsk(req)->maclen != 0; + return tcp_rsk(req)->used_tcp_ao; #endif } diff --git a/net/ipv4/tcp_ao.c b/net/ipv4/tcp_ao.c index 9b7f1970c2e9..07221319e8c5 100644 --- a/net/ipv4/tcp_ao.c +++ b/net/ipv4/tcp_ao.c @@ -851,7 +851,7 @@ void tcp_ao_syncookie(struct sock *sk, const struct sk_buff *skb, const struct tcp_ao_hdr *aoh; struct tcp_ao_key *key; - treq->maclen = 0; + treq->used_tcp_ao = false; if (tcp_parse_auth_options(th, NULL, &aoh) || !aoh) return; @@ -863,7 +863,7 @@ void tcp_ao_syncookie(struct sock *sk, const struct sk_buff *skb, treq->ao_rcv_next = aoh->keyid; treq->ao_keyid = aoh->rnext_keyid; - treq->maclen = tcp_ao_maclen(key); + treq->used_tcp_ao = true; } static enum skb_drop_reason diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c index 78896c8be0d4..89cb6912dd91 100644 --- a/net/ipv4/tcp_input.c +++ b/net/ipv4/tcp_input.c @@ -7182,11 +7182,12 @@ int tcp_conn_request(struct request_sock_ops *rsk_ops, if (tcp_parse_auth_options(tcp_hdr(skb), NULL, &aoh)) goto drop_and_release; /* Invalid TCP options */ if (aoh) { - tcp_rsk(req)->maclen = aoh->length - sizeof(struct tcp_ao_hdr); + tcp_rsk(req)->used_tcp_ao = true; tcp_rsk(req)->ao_rcv_next = aoh->keyid; tcp_rsk(req)->ao_keyid = aoh->rnext_keyid; + } else { - tcp_rsk(req)->maclen = 0; + tcp_rsk(req)->used_tcp_ao = false; } #endif tcp_rsk(req)->snt_isn = isn; diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c index 93eef1dbbc55..f5ef15e1d9ac 100644 --- a/net/ipv4/tcp_output.c +++ b/net/ipv4/tcp_output.c 
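Review bot: the tcp_conn_request() hunk adds a stray empty `+` line between `tcp_rsk(req)->ao_keyid = aoh->rnext_keyid;` and `} else {` (the diffstat's 3 insertions against 2 deletions for tcp_input.c is that blank line); a blank line before `} else {` is unrelated whitespace churn and checkpatch will flag it, so drop it. The rest of the conversion is consistent: every former writer of treq->maclen (tcp_ao_syncookie() resets to false then sets true once the key is found; tcp_conn_request() sets true/false on the aoh branch) now writes used_tcp_ao, and tcp_rsk_used_ao() loses the "zero-length MAC as a flag" hack comment along with the hack.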
@@ -3720,7 +3720,6 @@ struct sk_buff *tcp_make_synack(const struct sock *sk, struct dst_entry *dst, if (tcp_rsk_used_ao(req)) { #ifdef CONFIG_TCP_AO struct tcp_ao_key *ao_key = NULL; - u8 maclen = tcp_rsk(req)->maclen; u8 keyid = tcp_rsk(req)->ao_keyid; ao_key = tcp_sk(sk)->af_specific->ao_lookup(sk, req_to_sk(req), @@ -3730,13 +3729,11 @@ struct sk_buff *tcp_make_synack(const struct sock *sk, struct dst_entry *dst, * for another peer-matching key, but the peer has requested * ao_keyid (RFC5925 RNextKeyID), so let's keep it simple here. */ - if (unlikely(!ao_key || tcp_ao_maclen(ao_key) != maclen)) { - u8 key_maclen = ao_key ? tcp_ao_maclen(ao_key) : 0; - + if (unlikely(!ao_key)) { rcu_read_unlock(); kfree_skb(skb); - net_warn_ratelimited("TCP-AO: the keyid %u with maclen %u|%u from SYN packet is not present - not sending SYNACK\n", - keyid, maclen, key_maclen); + net_warn_ratelimited("TCP-AO: the keyid %u from SYN packet is not present - not sending SYNACK\n", + keyid); return NULL; } key.ao_key = ao_key;
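Review bot: with the `tcp_ao_maclen(ao_key) != maclen` comparison gone, tcp_make_synack() only refuses to send a SYNACK when no key matches `ao_keyid`; a SYN whose MAC length does not match the key selected by RNextKeyID is no longer rejected here. The commit message explains why the check was wrong (current_key.maclen != rnext_key.maclen), but it should also say what now happens in that mismatch case, since the ratelimited warning that used to expose `maclen %u|%u` is the only diagnostic operators had for it. The warning string change itself is fine; keeping `keyid` in it preserves the useful part.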