From patchwork Fri Nov 24 00:27:14 2023
X-Patchwork-Submitter: Dmitry Safonov
X-Patchwork-Id: 13466841
X-Patchwork-Delegate: kuba@kernel.org
From: Dmitry Safonov
To: David Ahern, Eric Dumazet, Paolo Abeni, Jakub Kicinski, "David S. Miller"
Cc: linux-kernel@vger.kernel.org, Dmitry Safonov, Dmitry Safonov <0x7f454c46@gmail.com>, Francesco Ruggeri, Salam Noureddine, Simon Horman, netdev@vger.kernel.org, Markus Elfring, Jonathan Corbet, linux-doc@vger.kernel.org
Subject: [PATCH v2 1/7] Documentation/tcp: Fix an obvious typo
Date: Fri, 24 Nov 2023 00:27:14 +0000
Message-ID: <20231124002720.102537-2-dima@arista.com>
In-Reply-To: <20231124002720.102537-1-dima@arista.com>
References: <20231124002720.102537-1-dima@arista.com>

Yep, my VIM spellchecker is not good enough for typos like this one.

Fixes: 7fe0e38bb669 ("Documentation/tcp: Add TCP-AO documentation")
Cc: Jonathan Corbet
Cc: linux-doc@vger.kernel.org
Reported-by: Markus Elfring
Closes: https://lore.kernel.org/all/2745ab4e-acac-40d4-83bf-37f2600d0c3d@web.de/
Signed-off-by: Dmitry Safonov
---
 Documentation/networking/tcp_ao.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Documentation/networking/tcp_ao.rst b/Documentation/networking/tcp_ao.rst
index cfa5bf1cc542..8a58321acce7 100644
--- a/Documentation/networking/tcp_ao.rst
+++ b/Documentation/networking/tcp_ao.rst
@@ -99,7 +99,7 @@ also [6.1]:: when it is no longer considered permitted. Linux TCP-AO will try its best to prevent you from removing a key that's -being used, considering it a key management failure. But sine keeping +being used, considering it a key management failure. But since keeping an outdated key may become a security issue and as a peer may unintentionally prevent the removal of an old key by always setting it as RNextKeyID - a forced key removal mechanism is provided, where

From patchwork Fri Nov 24 00:27:15 2023
X-Patchwork-Submitter: Dmitry Safonov
X-Patchwork-Id: 13466842
X-Patchwork-Delegate: kuba@kernel.org
From: Dmitry Safonov
To: David Ahern, Eric Dumazet, Paolo Abeni, Jakub Kicinski, "David S. Miller"
Cc: linux-kernel@vger.kernel.org, Dmitry Safonov, Dmitry Safonov <0x7f454c46@gmail.com>, Francesco Ruggeri, Salam Noureddine, Simon Horman, netdev@vger.kernel.org
Subject: [PATCH v2 2/7] net/tcp: Consistently align TCP-AO option in the header
Date: Fri, 24 Nov 2023 00:27:15 +0000
Message-ID: <20231124002720.102537-3-dima@arista.com>
In-Reply-To: <20231124002720.102537-1-dima@arista.com>
References: <20231124002720.102537-1-dima@arista.com>

Currently functions that pre-calculate TCP header options length use
unaligned TCP-AO header + MAC-length for skb reservation. And the
functions that actually write TCP-AO options into skb do align the
header. Nothing good can come out of this for ((maclen % 4) != 0).

Provide tcp_ao_len_aligned() helper and use it everywhere for TCP header
options space calculations.

Fixes: 1e03d32bea8e ("net/tcp: Add TCP-AO sign to outgoing packets")
Signed-off-by: Dmitry Safonov
---
 include/net/tcp_ao.h     | 6 ++++++
 net/ipv4/tcp_ao.c        | 4 ++--
 net/ipv4/tcp_ipv4.c      | 4 ++--
 net/ipv4/tcp_minisocks.c | 2 +-
 net/ipv4/tcp_output.c    | 6 +++---
 net/ipv6/tcp_ipv6.c      | 2 +-
 6 files changed, 15 insertions(+), 9 deletions(-)

diff --git a/include/net/tcp_ao.h b/include/net/tcp_ao.h
index b56be10838f0..647781080613 100644
--- a/include/net/tcp_ao.h
+++ b/include/net/tcp_ao.h
@@ -62,11 +62,17 @@ static inline int tcp_ao_maclen(const struct tcp_ao_key *key) return key->maclen; } +/* Use tcp_ao_len_aligned() for TCP header calculations */ static inline int tcp_ao_len(const struct tcp_ao_key *key) { return tcp_ao_maclen(key) + sizeof(struct tcp_ao_hdr); } +static inline int tcp_ao_len_aligned(const struct tcp_ao_key *key) +{ + return round_up(tcp_ao_len(key), 4); +} + static inline unsigned int tcp_ao_digest_size(struct tcp_ao_key *key) { return key->digest_size; diff --git a/net/ipv4/tcp_ao.c b/net/ipv4/tcp_ao.c index 7696417d0640..c8be1d526eac 100644 --- a/net/ipv4/tcp_ao.c +++ b/net/ipv4/tcp_ao.c @@ -1100,7 +1100,7 @@ void tcp_ao_connect_init(struct sock *sk) ao_info->current_key = key; if (!ao_info->rnext_key) ao_info->rnext_key = key; - tp->tcp_header_len += tcp_ao_len(key); + tp->tcp_header_len += tcp_ao_len_aligned(key); ao_info->lisn = htonl(tp->write_seq); ao_info->snd_sne = 0; @@ -1346,7 +1346,7 @@ static int tcp_ao_parse_crypto(struct tcp_ao_add *cmd, struct tcp_ao_key *key) syn_tcp_option_space -= TCPOLEN_MSS_ALIGNED; syn_tcp_option_space -= TCPOLEN_TSTAMP_ALIGNED; syn_tcp_option_space -= TCPOLEN_WSCALE_ALIGNED; - if (tcp_ao_len(key) > syn_tcp_option_space) { + if (tcp_ao_len_aligned(key) > syn_tcp_option_space) { err = -EMSGSIZE; goto err_kfree; } diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c index 5f693bbd578d..0c50c5a32b84 100644 --- a/net/ipv4/tcp_ipv4.c +++ b/net/ipv4/tcp_ipv4.c @@ -690,7 +690,7 @@ static bool tcp_v4_ao_sign_reset(const struct sock *sk, struct sk_buff *skb, reply_options[0] = htonl((TCPOPT_AO << 24) | (tcp_ao_len(key) << 16) | (aoh->rnext_keyid << 8) | keyid); - arg->iov[0].iov_len += round_up(tcp_ao_len(key), 4); + arg->iov[0].iov_len += tcp_ao_len_aligned(key); reply->doff = arg->iov[0].iov_len / 4; if (tcp_ao_hash_hdr(AF_INET, (char *)&reply_options[1], 
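Review bot: in the tcp_v4_ao_sign_reset hunk the option Length byte packed into reply_options[0] still uses tcp_ao_len(key) while iov_len grows by tcp_ao_len_aligned(key); that split is correct (the option's Length field covers only the option itself, the padding up to a 4-byte boundary is separate), but it is easy to misread as a missed conversion, so the new `/* Use tcp_ao_len_aligned() for TCP header calculations */` comment above tcp_ao_len() should also say that tcp_ao_len() remains the value for the option's Length field. The tcp_ao_connect_init and tcp_ao_parse_crypto hunks are the substantive part: tcp_header_len was under-reserved by up to 3 bytes for a MAC length that is not a multiple of 4, and the SYN option-space check now compares like with like against the TCPOLEN_*_ALIGNED budget.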
@@ -978,7 +978,7 @@ static void tcp_v4_send_ack(const struct sock *sk, (tcp_ao_len(key->ao_key) << 16) | (key->ao_key->sndid << 8) | key->rcv_next); - arg.iov[0].iov_len += round_up(tcp_ao_len(key->ao_key), 4); + arg.iov[0].iov_len += tcp_ao_len_aligned(key->ao_key); rep.th.doff = arg.iov[0].iov_len / 4; tcp_ao_hash_hdr(AF_INET, (char *)&rep.opt[offset], diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c index a9807eeb311c..9e85f2a0bddd 100644 --- a/net/ipv4/tcp_minisocks.c +++ b/net/ipv4/tcp_minisocks.c @@ -615,7 +615,7 @@ struct sock *tcp_create_openreq_child(const struct sock *sk, ao_key = treq->af_specific->ao_lookup(sk, req, tcp_rsk(req)->ao_keyid, -1); if (ao_key) - newtp->tcp_header_len += tcp_ao_len(ao_key); + newtp->tcp_header_len += tcp_ao_len_aligned(ao_key); #endif if (skb->len >= TCP_MSS_DEFAULT + newtp->tcp_header_len) newicsk->icsk_ack.last_seg_size = skb->len - newtp->tcp_header_len; diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c index eb13a55d660c..93eef1dbbc55 100644 --- a/net/ipv4/tcp_output.c +++ b/net/ipv4/tcp_output.c @@ -825,7 +825,7 @@ static unsigned int tcp_syn_options(struct sock *sk, struct sk_buff *skb, timestamps = READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_timestamps); if (tcp_key_is_ao(key)) { opts->options |= OPTION_AO; - remaining -= tcp_ao_len(key->ao_key); + remaining -= tcp_ao_len_aligned(key->ao_key); } } @@ -915,7 +915,7 @@ static unsigned int tcp_synack_options(const struct sock *sk, ireq->tstamp_ok &= !ireq->sack_ok; } else if (tcp_key_is_ao(key)) { opts->options |= OPTION_AO; - remaining -= tcp_ao_len(key->ao_key); + remaining -= tcp_ao_len_aligned(key->ao_key); ireq->tstamp_ok &= !ireq->sack_ok; } 
@@ -982,7 +982,7 @@ static unsigned int tcp_established_options(struct sock *sk, struct sk_buff *skb size += TCPOLEN_MD5SIG_ALIGNED; } else if (tcp_key_is_ao(key)) { opts->options |= OPTION_AO; - size += tcp_ao_len(key->ao_key); + size += tcp_ao_len_aligned(key->ao_key); } if (likely(tp->rx_opt.tstamp_ok)) { diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c index 937a02c2e534..8c6623496dd7 100644 --- a/net/ipv6/tcp_ipv6.c +++ b/net/ipv6/tcp_ipv6.c 
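Review bot: the tcp_syn_options, tcp_synack_options and tcp_established_options hunks are where the ((maclen % 4) != 0) breakage in the commit message actually bites, since `remaining` and `size` decide how much header room the option-writing path is given, and the conversion covers all three builders. By contrast, the two tcp_ipv4.c hunks replace an open-coded round_up(tcp_ao_len(key), 4) with the helper, so those sites were already correct and that part is cleanup; the commit message should say which call sites were wrong, so whoever backports the Fixes-tagged change knows the minimum set (tcp_ao_connect_init, tcp_ao_parse_crypto, tcp_create_openreq_child, the three tcp_output.c builders and tcp_v6_send_response).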
@@ -881,7 +881,7 @@ static void tcp_v6_send_response(const struct sock *sk, struct sk_buff *skb, u32 if (tcp_key_is_md5(key)) tot_len += TCPOLEN_MD5SIG_ALIGNED; if (tcp_key_is_ao(key)) - tot_len += tcp_ao_len(key->ao_key); + tot_len += tcp_ao_len_aligned(key->ao_key); #ifdef CONFIG_MPTCP if (rst && !tcp_key_is_md5(key)) {
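Review bot: the tcp_v6_send_response tot_len hunk completes the set, but nothing in the six files checks that tcp_ao_len_aligned() and the length the option-writing path actually emits agree; a selftest that installs a key whose MAC length is not a multiple of 4 and exercises connect(), a SYN-ACK and an RST would guard all of these call sites at once and would have caught the original mismatch.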
From patchwork Fri Nov 24 00:27:16 2023
X-Patchwork-Submitter: Dmitry Safonov
X-Patchwork-Id: 13466843
X-Patchwork-Delegate: kuba@kernel.org
From: Dmitry Safonov
To: David Ahern, Eric Dumazet, Paolo Abeni, Jakub Kicinski, "David S. Miller"
Cc: linux-kernel@vger.kernel.org, Dmitry Safonov, Dmitry Safonov <0x7f454c46@gmail.com>, Francesco Ruggeri, Salam Noureddine, Simon Horman, netdev@vger.kernel.org
Subject: [PATCH v2 3/7] net/tcp: Limit TCP_AO_REPAIR to non-listen sockets
Date: Fri, 24 Nov 2023 00:27:16 +0000
Message-ID: <20231124002720.102537-4-dima@arista.com>
In-Reply-To: <20231124002720.102537-1-dima@arista.com>
References: <20231124002720.102537-1-dima@arista.com>

Listen socket is not an established TCP connection, so
setsockopt(TCP_AO_REPAIR) doesn't have any impact.
Restrict this uAPI for listen sockets.

Fixes: faadfaba5e01 ("net/tcp: Add TCP_AO_REPAIR")
Signed-off-by: Dmitry Safonov
---
 net/ipv4/tcp.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 53bcc17c91e4..b1fe4eb01829 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -3594,6 +3594,10 @@ int do_tcp_setsockopt(struct sock *sk, int level, int optname, break; case TCP_AO_REPAIR: + if (!tcp_can_repair_sock(sk)) { + err = -EPERM; + break; + } err = tcp_ao_set_repair(sk, optval, optlen); break; #ifdef CONFIG_TCP_AO
@@ -4293,6 +4297,8 @@ int do_tcp_getsockopt(struct sock *sk, int level, } #endif case TCP_AO_REPAIR: + if (!tcp_can_repair_sock(sk)) + return -EPERM; return tcp_ao_get_repair(sk, optval, optlen); case TCP_AO_GET_KEYS: case TCP_AO_INFO: {
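Review bot: the commit message describes a listen-socket restriction, but both hunks delegate to tcp_can_repair_sock(sk), whose conditions are not visible in this patch; if that helper also requires a capability (the -EPERM return, rather than the -EINVAL used for state errors elsewhere in this series, suggests it mirrors TCP_REPAIR), then TCP_AO_REPAIR now inherits that requirement too, and the commit message should say so, since that is a user-visible uAPI change beyond "no effect on listeners". If the helper checks only sk_state, -EINVAL would be the more conventional code. The setsockopt and getsockopt hunks are consistent with each other, which is right: reading repair state off a listener is as meaningless as setting it.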
From patchwork Fri Nov 24 00:27:17 2023
X-Patchwork-Submitter: Dmitry Safonov
X-Patchwork-Id: 13466844
X-Patchwork-Delegate: kuba@kernel.org
From: Dmitry Safonov
To: David Ahern, Eric Dumazet, Paolo Abeni, Jakub Kicinski, "David S. Miller"
Cc: linux-kernel@vger.kernel.org, Dmitry Safonov, Dmitry Safonov <0x7f454c46@gmail.com>, Francesco Ruggeri, Salam Noureddine, Simon Horman, netdev@vger.kernel.org
Subject: [PATCH v2 4/7] net/tcp: Allow removing current/rnext TCP-AO keys on TCP_LISTEN sockets
Date: Fri, 24 Nov 2023 00:27:17 +0000
Message-ID: <20231124002720.102537-5-dima@arista.com>
In-Reply-To: <20231124002720.102537-1-dima@arista.com>
References: <20231124002720.102537-1-dima@arista.com>

TCP_LISTEN sockets are not connected to any peer, so having
current_key/rnext_key doesn't make sense. The userspace may falter over
this issue by setting current or rnext TCP-AO key before listen()
syscall.

setsockopt(TCP_AO_DEL_KEY) doesn't allow removing a key that is in use
(in accordance with RFC 5925), so it might be inconvenient to have keys
that can be destroyed only with the listener socket.

Fixes: 4954f17ddefc ("net/tcp: Introduce TCP_AO setsockopt()s")
Signed-off-by: Dmitry Safonov
---
 net/ipv4/tcp_ao.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/net/ipv4/tcp_ao.c b/net/ipv4/tcp_ao.c
index c8be1d526eac..bf41be6d4721 100644
--- a/net/ipv4/tcp_ao.c
+++ b/net/ipv4/tcp_ao.c
@@ -1818,8 +1818,16 @@ static int tcp_ao_del_cmd(struct sock *sk, unsigned short int family, if (!new_rnext) return -ENOENT; } - if (cmd.del_async && sk->sk_state != TCP_LISTEN) - return -EINVAL; + if (sk->sk_state == TCP_LISTEN) { + /* Cleaning up possible "stale" current/rnext keys state, + * that may have preserved from TCP_CLOSE, before sys_listen() + */ + ao_info->current_key = NULL; + ao_info->rnext_key = NULL; + } else { + if (cmd.del_async) + return -EINVAL; + } if (family == AF_INET) { struct sockaddr_in *sin = (struct sockaddr_in *)&cmd.addr;
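Review bot: in the TCP_LISTEN branch, ao_info->current_key and ao_info->rnext_key are cleared with plain stores while readers in this series use READ_ONCE(ao_info->rnext_key) (see the tcp_ao_prepare_reset context in patch 6/7), so use WRITE_ONCE() for both. Second, the clear runs on every TCP_AO_DEL_KEY against a listener, not only when the key being deleted is the current/rnext one; the commit message argues the fields are meaningless on a listener, so that is defensible, but the comment should state that it is intentional, and its grammar needs a fix: "that may have been preserved from TCP_CLOSE". The del_async handling is unchanged in effect (it was only ever rejected on non-listeners), so there is no behaviour change there.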
From patchwork Fri Nov 24 00:27:18 2023
X-Patchwork-Submitter: Dmitry Safonov
X-Patchwork-Id: 13466845
X-Patchwork-Delegate: kuba@kernel.org
From: Dmitry Safonov
To: David Ahern, Eric Dumazet, Paolo Abeni, Jakub Kicinski, "David S. Miller"
Cc: linux-kernel@vger.kernel.org, Dmitry Safonov, Dmitry Safonov <0x7f454c46@gmail.com>, Francesco Ruggeri, Salam Noureddine, Simon Horman, netdev@vger.kernel.org
Subject: [PATCH v2 5/7] net/tcp: Don't add key with non-matching VRF on connected sockets
Date: Fri, 24 Nov 2023 00:27:18 +0000
Message-ID: <20231124002720.102537-6-dima@arista.com>
In-Reply-To: <20231124002720.102537-1-dima@arista.com>
References: <20231124002720.102537-1-dima@arista.com>

If the connection was established, don't allow adding TCP-AO keys that
don't match the peer. Currently, there are checks for ip-address
matching, but L3 index check is missing. Add it to restrict userspace
shooting itself somewhere.

Fixes: 248411b8cb89 ("net/tcp: Wire up l3index to TCP-AO")
Signed-off-by: Dmitry Safonov
---
 net/ipv4/tcp_ao.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/ipv4/tcp_ao.c b/net/ipv4/tcp_ao.c
index bf41be6d4721..2d000e275ce7 100644
--- a/net/ipv4/tcp_ao.c
+++ b/net/ipv4/tcp_ao.c
@@ -1608,6 +1608,9 @@ static int tcp_ao_add_cmd(struct sock *sk, unsigned short int family, if (!dev || !l3index) return -EINVAL; + if (!((1 << sk->sk_state) & (TCPF_LISTEN | TCPF_CLOSE))) + return -EINVAL; + /* It's still possible to bind after adding keys or even * re-bind to a different dev (with CAP_NET_RAW). * So, no reason to return error here, rather try to be
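Review bot: the new check rejects any VRF-bound key (cmd.ifindex set and resolved to an l3index) on a socket that is neither TCP_LISTEN nor TCP_CLOSE, whether or not that l3index matches the socket's own binding; that is stricter than the commit message's "keys that don't match the peer", which reads as if a matching L3 index would still be accepted on an established socket. Either reword the message (VRF-bound keys may only be added to unconnected or listening sockets) or compare l3index with the socket's bound device and reject only on mismatch, in line with the address checks the message refers to. Note that the comment right below the hunk still says binding after adding keys is allowed and only warns on mismatch, so the resulting split (warn for unconnected sockets, hard -EINVAL for connected ones) deserves a sentence in Documentation/networking/tcp_ao.rst.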
From patchwork Fri Nov 24 00:27:19 2023
X-Patchwork-Submitter: Dmitry Safonov
X-Patchwork-Id: 13466846
X-Patchwork-Delegate: kuba@kernel.org
From: Dmitry Safonov
To: David Ahern, Eric Dumazet, Paolo Abeni, Jakub Kicinski, "David S. Miller"
Cc: linux-kernel@vger.kernel.org, Dmitry Safonov, Dmitry Safonov <0x7f454c46@gmail.com>, Francesco Ruggeri, Salam Noureddine, Simon Horman, netdev@vger.kernel.org
Subject: [PATCH v2 6/7] net/tcp: Add sne_lock to access SNEs
Date: Fri, 24 Nov 2023 00:27:19 +0000
Message-ID: <20231124002720.102537-7-dima@arista.com>
In-Reply-To: <20231124002720.102537-1-dima@arista.com>
References: <20231124002720.102537-1-dima@arista.com>

RFC 5925 (6.2):
> TCP-AO emulates a 64-bit sequence number space by inferring when to
> increment the high-order 32-bit portion (the SNE) based on
> transitions in the low-order portion (the TCP sequence number).

snd_sne and rcv_sne are the upper 4 bytes of extended SEQ number.
Unfortunately, reading two 4-byte pointers can't be performed atomically
(without synchronization).

Let's keep it KISS and add an rwlock - that shouldn't create much
contention as SNE are updated every 4Gb of traffic and the atomic region
is quite small.

Fixes: 64382c71a557 ("net/tcp: Add TCP-AO SNE support")
Signed-off-by: Dmitry Safonov
---
 include/net/tcp_ao.h | 2 +-
 net/ipv4/tcp_ao.c    | 34 +++++++++++++++++++++-------------
 net/ipv4/tcp_input.c | 16 ++++++++++++++--
 3 files changed, 36 insertions(+), 16 deletions(-)

diff --git a/include/net/tcp_ao.h b/include/net/tcp_ao.h
index 647781080613..beea3e6b39e2 100644
--- a/include/net/tcp_ao.h
+++ b/include/net/tcp_ao.h
@@ -123,6 +123,7 @@ struct tcp_ao_info { */ u32 snd_sne; u32 rcv_sne; + rwlock_t sne_lock; refcount_t refcnt; /* Protects twsk destruction */ struct rcu_head rcu; };
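Review bot: the tcp_ao_info hunk adds sne_lock without a comment in a struct whose neighbouring fields carry one (`refcount_t refcnt; /* Protects twsk destruction */`); state what the lock protects, namely that snd_sne is read together with snd_una and rcv_sne together with rcv_nxt, and that the write side increments the SNE and stores the new sequence value in one critical section, so a reader of the header does not assume the lock also covers the key list.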
@@ -212,7 +213,6 @@ enum skb_drop_reason tcp_inbound_ao_hash(struct sock *sk, const struct sk_buff *skb, unsigned short int family, const struct request_sock *req, int l3index, const struct tcp_ao_hdr *aoh); -u32 tcp_ao_compute_sne(u32 next_sne, u32 next_seq, u32 seq); struct tcp_ao_key *tcp_ao_do_lookup(const struct sock *sk, int l3index, const union tcp_ao_addr *addr, int family, int sndid, int rcvid); diff --git a/net/ipv4/tcp_ao.c b/net/ipv4/tcp_ao.c index 2d000e275ce7..74db80aeeef3 100644 --- a/net/ipv4/tcp_ao.c +++ b/net/ipv4/tcp_ao.c @@ -230,6 +230,7 @@ static struct tcp_ao_info *tcp_ao_alloc_info(gfp_t flags) return NULL; INIT_HLIST_HEAD(&ao->head); refcount_set(&ao->refcnt, 1); + rwlock_init(&ao->sne_lock); return ao; } @@ -472,10 +473,8 @@ static int tcp_ao_hash_pseudoheader(unsigned short int family, return -EAFNOSUPPORT; } -u32 tcp_ao_compute_sne(u32 next_sne, u32 next_seq, u32 seq) +static u32 tcp_ao_compute_sne(u32 sne, u32 next_seq, u32 seq) { - u32 sne = next_sne; - if (before(seq, next_seq)) { if (seq > next_seq) sne--; @@ -483,7 +482,6 @@ u32 tcp_ao_compute_sne(u32 next_sne, u32 next_seq, u32 seq) if (seq < next_seq) sne++; } - return sne; } @@ -763,14 +761,15 @@ int tcp_ao_prepare_reset(const struct sock *sk, struct sk_buff *skb, *keyid = (*key)->rcvid; } else { struct tcp_ao_key *rnext_key; - u32 snd_basis; + const u32 *snd_basis; + unsigned long flags; if (sk->sk_state == TCP_TIME_WAIT) { ao_info = rcu_dereference(tcp_twsk(sk)->ao_info); - snd_basis = tcp_twsk(sk)->tw_snd_nxt; + snd_basis = &tcp_twsk(sk)->tw_snd_nxt; } else { ao_info = rcu_dereference(tcp_sk(sk)->ao_info); - snd_basis = tcp_sk(sk)->snd_una; + snd_basis = &tcp_sk(sk)->snd_una; } if (!ao_info) return -ENOENT; 
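Review bot: turning snd_basis into `const u32 *` so the sequence value is loaded inside the locked region is what makes the (snd_sne, snd_una) pair consistent in the non-TIME_WAIT branch, since the tcp_input.c hunk now stores snd_una under the write lock; for the TCP_TIME_WAIT branch nothing in this series writes tw_snd_nxt under sne_lock, so READ_ONCE(*snd_basis) under read_lock adds no guarantee there (presumably fine because a timewait socket's tw_snd_nxt does not change after creation), which is worth a comment so the next reader does not go looking for a missing write side. Making tcp_ao_compute_sne() static and dropping the tcp_ao.h declaration is correct if tcp_ao.c is its only caller; confirm that tcp_input.c, which this series also touches, has no remaining use.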
@@ -781,8 +780,10 @@ int tcp_ao_prepare_reset(const struct sock *sk, struct sk_buff *skb, *traffic_key = snd_other_key(*key); rnext_key = READ_ONCE(ao_info->rnext_key); *keyid = rnext_key->rcvid; - *sne = tcp_ao_compute_sne(READ_ONCE(ao_info->snd_sne), - snd_basis, seq); + read_lock_irqsave(&ao_info->sne_lock, flags); + *sne = tcp_ao_compute_sne(ao_info->snd_sne, + READ_ONCE(*snd_basis), seq); + read_unlock_irqrestore(&ao_info->sne_lock, flags); } return 0; } @@ -795,6 +796,7 @@ int tcp_ao_transmit_skb(struct sock *sk, struct sk_buff *skb, struct tcp_sock *tp = tcp_sk(sk); struct tcp_ao_info *ao; void *tkey_buf = NULL; + unsigned long flags; u8 *traffic_key; u32 sne; @@ -816,8 +818,10 @@ int tcp_ao_transmit_skb(struct sock *sk, struct sk_buff *skb, tp->af_specific->ao_calc_key_sk(key, traffic_key, sk, ao->lisn, disn, true); } - sne = tcp_ao_compute_sne(READ_ONCE(ao->snd_sne), READ_ONCE(tp->snd_una), - ntohl(th->seq)); + read_lock_irqsave(&ao->sne_lock, flags); + sne = tcp_ao_compute_sne(ao->snd_sne, + READ_ONCE(tp->snd_una), ntohl(th->seq)); + read_unlock_irqrestore(&ao->sne_lock, flags); tp->af_specific->calc_ao_hash(hash_location, key, sk, skb, traffic_key, hash_location - (u8 *)th, sne); kfree(tkey_buf); @@ -938,8 +942,9 @@ tcp_inbound_ao_hash(struct sock *sk, const struct sk_buff *skb, /* Fast-path */ if (likely((1 << sk->sk_state) & TCP_AO_ESTABLISHED)) { - enum skb_drop_reason err; struct tcp_ao_key *current_key; + enum skb_drop_reason err; + unsigned long flags; /* Check if this socket's rnext_key matches the keyid in the * packet. If not we lookup the key based on the keyid 
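Review bot: read_lock_irqsave()/read_unlock_irqrestore() around tcp_ao_compute_sne() in tcp_ao_prepare_reset and tcp_ao_transmit_skb (and the matching write_lock_irqsave in tcp_input.c) disable hard interrupts on every TCP-AO transmit and receive; none of the visible callers takes sne_lock from hardirq context, so the _bh variants would suffice, and if the callers already run with BH disabled, plain read_lock()/write_lock() would do. The commit message should state why the irqsave flavour was chosen, or the patch should use the lighter variant.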
@@ -956,8 +961,11 @@ tcp_inbound_ao_hash(struct sock *sk, const struct sk_buff *skb, if (unlikely(th->syn && !th->ack)) goto verify_hash; - sne = tcp_ao_compute_sne(info->rcv_sne, tcp_sk(sk)->rcv_nxt, + read_lock_irqsave(&info->sne_lock, flags); + sne = tcp_ao_compute_sne(info->rcv_sne, + READ_ONCE(tcp_sk(sk)->rcv_nxt), ntohl(th->seq)); + read_unlock_irqrestore(&info->sne_lock, flags); /* Established socket, traffic key are cached */ traffic_key = rcv_other_key(key); err = tcp_ao_verify_hash(sk, skb, family, info, aoh, key, diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c index bcb55d98004c..fc3c27ce2b73 100644 --- a/net/ipv4/tcp_input.c +++ b/net/ipv4/tcp_input.c @@ -3582,8 +3582,14 @@ static void tcp_snd_sne_update(struct tcp_sock *tp, u32 ack) ao = rcu_dereference_protected(tp->ao_info, lockdep_sock_is_held((struct sock *)tp)); - if (ao && ack < tp->snd_una) + if (ao && ack < tp->snd_una) { + unsigned long flags; + + write_lock_irqsave(&ao->sne_lock, flags); ao->snd_sne++; + tp->snd_una = ack; + write_unlock_irqrestore(&ao->sne_lock, flags); + } #endif } 
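Review bot: in tcp_snd_sne_update the store `tp->snd_una = ack;` is a plain write, while the readers added in this patch load snd_una with READ_ONCE() under the read lock and the sibling tcp_rcv_sne_update hunk uses `WRITE_ONCE(tp->rcv_nxt, seq);`; use WRITE_ONCE(tp->snd_una, ack) here for symmetry and to keep KCSAN quiet. Also, the write lock is only taken on the wrap-around branch (`ack < tp->snd_una`), so the ordinary snd_una advance by the caller (not in this hunk) stays unlocked; a comment explaining why a non-wrapping advance racing with a reader cannot change the tcp_ao_compute_sne() result would document that this is intended.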
@@ -3608,8 +3614,14 @@ static void tcp_rcv_sne_update(struct tcp_sock *tp, u32 seq) ao = rcu_dereference_protected(tp->ao_info, lockdep_sock_is_held((struct sock *)tp)); - if (ao && seq < tp->rcv_nxt) + if (ao && seq < tp->rcv_nxt) { + unsigned long flags; + + write_lock_irqsave(&ao->sne_lock, flags); ao->rcv_sne++; + WRITE_ONCE(tp->rcv_nxt, seq); + write_unlock_irqrestore(&ao->sne_lock, flags); + } #endif }
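The SNE bookkeeping that 6/7 puts under sne_lock, as an added example that is not the kernel's code: a user-space model of the wrap-around update, of the tcp_ao_compute_sne() adjustment, and a constructed torn read showing why the two u32s must be sampled together. Type and function names other than the kernel ones quoted in comments are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

/* Same test as the kernel's before(): is a earlier than b modulo 2^32? */
static bool seq_before(uint32_t a, uint32_t b)
{
	return (int32_t)(a - b) < 0;
}

/* The pair sne_lock keeps consistent: snd_sne with snd_una (or rcv_sne with rcv_nxt). */
struct sne_state {
	uint32_t sne;   /* high 32 bits of the 64-bit extended sequence number */
	uint32_t basis; /* low 32 bits: snd_una or rcv_nxt */
};

/* Models tcp_snd_sne_update()/tcp_rcv_sne_update(): on a 32-bit wrap the SNE
 * bump and the basis store must be seen together; that is the write_lock region. */
static void sne_advance(struct sne_state *st, uint32_t new_basis)
{
	if (new_basis < st->basis) /* wrapped past 2^32 */
		st->sne++;
	st->basis = new_basis;
}

/* Same logic as tcp_ao_compute_sne(): the SNE that applies to a segment at seq.
 * A segment still behind a wrap gets sne-1, one already past it gets sne+1. */
static uint32_t compute_sne(uint32_t sne, uint32_t basis, uint32_t seq)
{
	if (seq_before(seq, basis)) {
		if (seq > basis)
			sne--;
	} else {
		if (seq < basis)
			sne++;
	}
	return sne;
}

/* Constructed race: the reader loads sne before a wrap-around update and the
 * basis after it, which reading the two u32s without sne_lock permits. */
static bool torn_read_differs(uint32_t *torn, uint32_t *locked)
{
	struct sne_state st = { .sne = 0, .basis = 0xFFFFFF00u };
	uint32_t seq = 0x00000010u;  /* segment that already crossed the wrap */
	uint32_t stale_sne = st.sne; /* reader's first unlocked load */
	sne_advance(&st, 0x00000020u); /* writer wraps: sne becomes 1 */
	*torn = compute_sne(stale_sne, st.basis, seq);  /* 0: MAC over the wrong SNE */
	*locked = compute_sne(st.sne, st.basis, seq);   /* 1 */
	return *torn != *locked;
}
```

A segment authenticated with the torn SNE fails verification at the peer (or, for a receiver, wrongly rejects a good segment), which is the failure the lock prevents.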
From: Dmitry Safonov
To: David Ahern, Eric Dumazet, Paolo Abeni, Jakub Kicinski, "David S. Miller"
Cc: linux-kernel@vger.kernel.org, Dmitry Safonov, Dmitry Safonov <0x7f454c46@gmail.com>, Francesco Ruggeri, Salam Noureddine, Simon Horman, netdev@vger.kernel.org
Subject: [PATCH v2 7/7] net/tcp: Don't store TCP-AO maclen on reqsk
Date: Fri, 24 Nov 2023 00:27:20 +0000
Message-ID: <20231124002720.102537-8-dima@arista.com>
In-Reply-To: <20231124002720.102537-1-dima@arista.com>
References: <20231124002720.102537-1-dima@arista.com>

This extra check doesn't work for a handshake when SYN segment has
(current_key.maclen != rnext_key.maclen). It could be amended to
preserve rnext_key.maclen instead of current_key.maclen, but that
requires a lookup on listen socket.

Originally, this extra maclen check was introduced just because it was
cheap. Drop it and convert tcp_request_sock::maclen into boolean
tcp_request_sock::used_tcp_ao.

Fixes: 06b22ef29591 ("net/tcp: Wire TCP-AO to request sockets")
Signed-off-by: Dmitry Safonov
--- include/linux/tcp.h | 8 ++------ net/ipv4/tcp_ao.c | 4 ++-- net/ipv4/tcp_input.c | 5 +++-- net/ipv4/tcp_output.c | 9 +++------ 4 files changed, 10 insertions(+), 16 deletions(-) diff --git a/include/linux/tcp.h b/include/linux/tcp.h index 68f3d315d2e1..b646b574b060 100644 --- a/include/linux/tcp.h +++ b/include/linux/tcp.h @@ -169,7 +169,7 @@ struct tcp_request_sock { #ifdef CONFIG_TCP_AO u8 ao_keyid; u8 ao_rcv_next; - u8 maclen; + bool used_tcp_ao; #endif };
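Review bot: `bool used_tcp_ao;` replaces `u8 maclen;` with no comment on the field, and unlike maclen its meaning is not self-evident from the name (it is set in two places, tcp_conn_request and tcp_ao_syncookie); a short comment on the line, e.g. `/* SYN carried a TCP-AO option */`, would document the contract that tcp_rsk_used_ao() now relies on. Layout is unchanged since both types are one byte.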
@@ -180,14 +180,10 @@ static inline struct tcp_request_sock *tcp_rsk(const struct request_sock *req) static inline bool tcp_rsk_used_ao(const struct request_sock *req) { - /* The real length of MAC is saved in the request socket, - * signing anything with zero-length makes no sense, so here is - * a little hack.. - */ #ifndef CONFIG_TCP_AO return false; #else - return tcp_rsk(req)->maclen != 0; + return tcp_rsk(req)->used_tcp_ao; #endif } diff --git a/net/ipv4/tcp_ao.c b/net/ipv4/tcp_ao.c index 74db80aeeef3..cfa264c320a7 100644 --- a/net/ipv4/tcp_ao.c +++ b/net/ipv4/tcp_ao.c @@ -855,7 +855,7 @@ void tcp_ao_syncookie(struct sock *sk, const struct sk_buff *skb, const struct tcp_ao_hdr *aoh; struct tcp_ao_key *key; - treq->maclen = 0; + treq->used_tcp_ao = false; if (tcp_parse_auth_options(th, NULL, &aoh) || !aoh) return; @@ -867,7 +867,7 @@ void tcp_ao_syncookie(struct sock *sk, const struct sk_buff *skb, treq->ao_rcv_next = aoh->keyid; treq->ao_keyid = aoh->rnext_keyid; - treq->maclen = tcp_ao_maclen(key); + treq->used_tcp_ao = true; } static enum skb_drop_reason diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c index fc3c27ce2b73..0135a6c6f600 100644 --- a/net/ipv4/tcp_input.c +++ b/net/ipv4/tcp_input.c @@ -7194,11 +7194,12 @@ int tcp_conn_request(struct request_sock_ops *rsk_ops, if (tcp_parse_auth_options(tcp_hdr(skb), NULL, &aoh)) goto drop_and_release; /* Invalid TCP options */ if (aoh) { - tcp_rsk(req)->maclen = aoh->length - sizeof(struct tcp_ao_hdr); + tcp_rsk(req)->used_tcp_ao = true; tcp_rsk(req)->ao_rcv_next = aoh->keyid; tcp_rsk(req)->ao_keyid = aoh->rnext_keyid; + } else { - tcp_rsk(req)->maclen = 0; + tcp_rsk(req)->used_tcp_ao = false; } #endif tcp_rsk(req)->snt_isn = isn; diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c index 93eef1dbbc55..f5ef15e1d9ac 100644 --- a/net/ipv4/tcp_output.c +++ b/net/ipv4/tcp_output.c 
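Review bot: in the tcp_conn_request hunk the added empty `+` line directly before `} else {` leaves a blank line before a closing brace, which checkpatch warns about; drop it so the hunk is only the two maclen-to-used_tcp_ao substitutions. The removed "little hack" comment in tcp_rsk_used_ao is rightly gone with the zero-length trick, and the two tcp_ao_syncookie hunks set the flag consistently with tcp_conn_request.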
@@ -3720,7 +3720,6 @@ struct sk_buff *tcp_make_synack(const struct sock *sk, struct dst_entry *dst, if (tcp_rsk_used_ao(req)) { #ifdef CONFIG_TCP_AO struct tcp_ao_key *ao_key = NULL; - u8 maclen = tcp_rsk(req)->maclen; u8 keyid = tcp_rsk(req)->ao_keyid; ao_key = tcp_sk(sk)->af_specific->ao_lookup(sk, req_to_sk(req), @@ -3730,13 +3729,11 @@ struct sk_buff *tcp_make_synack(const struct sock *sk, struct dst_entry *dst, * for another peer-matching key, but the peer has requested * ao_keyid (RFC5925 RNextKeyID), so let's keep it simple here. */ - if (unlikely(!ao_key || tcp_ao_maclen(ao_key) != maclen)) { - u8 key_maclen = ao_key ? tcp_ao_maclen(ao_key) : 0; - + if (unlikely(!ao_key)) { rcu_read_unlock(); kfree_skb(skb); - net_warn_ratelimited("TCP-AO: the keyid %u with maclen %u|%u from SYN packet is not present - not sending SYNACK\n", - keyid, maclen, key_maclen); + net_warn_ratelimited("TCP-AO: the keyid %u from SYN packet is not present - not sending SYNACK\n", + keyid); return NULL; } key.ao_key = ao_key;
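Review bot: with the `tcp_ao_maclen(ao_key) != maclen` comparison removed, nothing in this hunk cross-checks the AO option length carried in the SYN against the key chosen for the SYNACK; as the commit message says that check was wrong for the mismatched-maclen case, this is fine only because the SYN's own MAC was already verified against the receive key before the request sock was created. A one-line comment above `if (unlikely(!ao_key))` saying that the inbound verification is what guards the length would make that reasoning visible here, and the shortened net_warn_ratelimited() text still reports the requested keyid, which is the useful part.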