From nobody Fri Apr 10 21:51:38 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7DC72C00140 for ; Thu, 18 Aug 2022 17:01:10 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1344866AbiHRRBH (ORCPT ); Thu, 18 Aug 2022 13:01:07 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35032 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1345300AbiHRRAY (ORCPT ); Thu, 18 Aug 2022 13:00:24 -0400 Received: from mail-wr1-x42c.google.com (mail-wr1-x42c.google.com [IPv6:2a00:1450:4864:20::42c]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A76A6C9EBC for ; Thu, 18 Aug 2022 10:00:16 -0700 (PDT) Received: by mail-wr1-x42c.google.com with SMTP id n4so2403884wrp.10 for ; Thu, 18 Aug 2022 10:00:16 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=arista.com; s=google; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc; bh=MxOasEDeE+/u/o1zT6tGAu0EkjWfYJCMGyOsK4PePlw=; b=j5qyvmJnsN5/vjP5AUZCBs+iUXItBSmsl6Q1hJlyoXpC2N0iuAAeKWCx3PtAReBbT3 RYD/uoo1HqWy4/hVVtmnGzFgW63u10qbgNJFBwDdLqP7E5HFJcujJPCj/HLrCbitYRNH 0Bxr5TpEWA3amo/oFs7udtx+x+hZWszbAvOYTkTJClDtgT0iQW8ER3UkCeweSAphSdeH zAXi2ZuExMVPc/t4Ltf6KIsbrqjf0qGfMUbzpDWOyAme1f7HbSpntnE1676fBQWMvOu7 3sHHcJ/+KHJ5STb7FOQ0bKgoCSrQ8aVlmA8oSuCVulZeck+rJEqFHUQSwUOu4tpDPopu Na0w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc; bh=MxOasEDeE+/u/o1zT6tGAu0EkjWfYJCMGyOsK4PePlw=; b=bVA+xxInSYO58c1mK3VzxKXqQp2AUc0uchcbrDrsJ/drIdXlTR+HWUqFc5U9quzNM0 TwcfBmS7Hzd5gDH41LVvXmpeiJvkWRC/C6kHWHcoxUB+XZKeeqwoxcJ8ZqXvPWch/Pqo fjSjPyzlzIU2RDBvzWkCXWkSwNa9/BY427//fHjOrr4JNZ7fDvIQFr/cRvBJi24tx5cO 4Pf2fqpp0+3/o6QStrZI8ffeit+cF25zjH9+jODlC3t69Xii8FQxSR4fjW55ESgsKblc MM7f4pNukqEOleyTMuidblgVJMV+kmCOtDHhUP6MIogDly4XCvNvyyUIWvQWCA9fpwuZ xBzg== X-Gm-Message-State: ACgBeo2c1d8mIVDlUUqEAmUquxWm5wlJE3YLO8PulyJw1MKOv1QfDwix CmTZ48z4vD4+HR7OLkuwC/gUPw== X-Google-Smtp-Source: AA6agR5qq3AZlS5BWazkdfCzm9ILDF8fg5izYR8N2g99VC9HKTBuDmPB72bT/DqT0TtDBWAFKJT0vA== X-Received: by 2002:a5d:6445:0:b0:225:1a75:7754 with SMTP id d5-20020a5d6445000000b002251a757754mr2124275wrw.239.1660842014652; Thu, 18 Aug 2022 10:00:14 -0700 (PDT) Received: from Mindolluin.ire.aristanetworks.com ([217.173.96.166]) by smtp.gmail.com with ESMTPSA id be13-20020a05600c1e8d00b003a511e92abcsm2662169wmb.34.2022.08.18.10.00.13 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 18 Aug 2022 10:00:14 -0700 (PDT) From: Dmitry Safonov To: Eric Dumazet , "David S. Miller" , linux-kernel@vger.kernel.org Cc: Dmitry Safonov , Andy Lutomirski , Ard Biesheuvel , Bob Gilligan , David Ahern , Dmitry Safonov <0x7f454c46@gmail.com>, Eric Biggers , Francesco Ruggeri , Herbert Xu , Hideaki YOSHIFUJI , Ivan Delalande , Jakub Kicinski , Leonard Crestez , Paolo Abeni , Salam Noureddine , Shuah Khan , netdev@vger.kernel.org, linux-crypto@vger.kernel.org Subject: [PATCH 01/31] crypto: Introduce crypto_pool Date: Thu, 18 Aug 2022 17:59:35 +0100 Message-Id: <20220818170005.747015-2-dima@arista.com> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220818170005.747015-1-dima@arista.com> References: <20220818170005.747015-1-dima@arista.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" Introduce a per-CPU pool of async crypto requests that can be used in bh-disabled contexts (designed with net RX/TX softirqs as users in mind). Allocation can sleep and is a slow-path. Initial implementation has only ahash as a backend and a fix-sized array of possible algorithms used in parallel. Signed-off-by: Dmitry Safonov --- crypto/Kconfig | 6 + crypto/Makefile | 1 + crypto/crypto_pool.c | 291 ++++++++++++++++++++++++++++++++++++++++++ include/crypto/pool.h | 34 +++++ 4 files changed, 332 insertions(+) create mode 100644 crypto/crypto_pool.c create mode 100644 include/crypto/pool.h diff --git a/crypto/Kconfig b/crypto/Kconfig index bb427a835e44..aeddaa3dcc77 100644 --- a/crypto/Kconfig +++ b/crypto/Kconfig @@ -2128,6 +2128,12 @@ config CRYPTO_STATS config CRYPTO_HASH_INFO bool =20 +config CRYPTO_POOL + tristate "Per-CPU crypto pool" + default n + help + Per-CPU pool of crypto requests ready for usage in atomic contexts. + source "drivers/crypto/Kconfig" source "crypto/asymmetric_keys/Kconfig" source "certs/Kconfig" diff --git a/crypto/Makefile b/crypto/Makefile index a6f94e04e1da..b0f54cb9cea1 100644 --- a/crypto/Makefile +++ b/crypto/Makefile @@ -63,6 +63,7 @@ obj-$(CONFIG_CRYPTO_ACOMP2) +=3D crypto_acompress.o cryptomgr-y :=3D algboss.o testmgr.o =20 obj-$(CONFIG_CRYPTO_MANAGER2) +=3D cryptomgr.o +obj-$(CONFIG_CRYPTO_POOL) +=3D crypto_pool.o obj-$(CONFIG_CRYPTO_USER) +=3D crypto_user.o crypto_user-y :=3D crypto_user_base.o crypto_user-$(CONFIG_CRYPTO_STATS) +=3D crypto_user_stat.o diff --git a/crypto/crypto_pool.c b/crypto/crypto_pool.c new file mode 100644 index 000000000000..a5b6e6cf818a --- /dev/null +++ b/crypto/crypto_pool.c @@ -0,0 +1,291 @@ +// SPDX-License-Identifier: GPL-2.0-or-later + +#include +#include +#include +#include +#include +#include + +static unsigned long scratch_size =3D DEFAULT_CRYPTO_POOL_SCRATCH_SZ; +static DEFINE_PER_CPU(void *, crypto_pool_scratch); + +struct crypto_pool_entry { + struct ahash_request * __percpu *req; + const char *alg; + struct kref kref; + bool needs_key; +}; + +#define CPOOL_SIZE (PAGE_SIZE/sizeof(struct crypto_pool_entry)) +static struct crypto_pool_entry cpool[CPOOL_SIZE]; +static int last_allocated; +static DEFINE_MUTEX(cpool_mutex); + +static int crypto_pool_scratch_alloc(void) +{ + int cpu; + + lockdep_assert_held(&cpool_mutex); + + for_each_possible_cpu(cpu) { + void *scratch =3D per_cpu(crypto_pool_scratch, cpu); + + if (scratch) + continue; + + scratch =3D kmalloc_node(scratch_size, GFP_KERNEL, + cpu_to_node(cpu)); + if (!scratch) + return -ENOMEM; + per_cpu(crypto_pool_scratch, cpu) =3D scratch; + } + return 0; +} + +static void crypto_pool_scratch_free(void) +{ + int cpu; + + lockdep_assert_held(&cpool_mutex); + + for_each_possible_cpu(cpu) { + void *scratch =3D per_cpu(crypto_pool_scratch, cpu); + + if (!scratch) + continue; + per_cpu(crypto_pool_scratch, cpu) =3D NULL; + kfree(scratch); + } +} + +static int __cpool_alloc_ahash(struct crypto_pool_entry *e, const char *al= g) +{ + struct crypto_ahash *hash; + int cpu, ret =3D -ENOMEM; + + e->alg =3D kstrdup(alg, GFP_KERNEL); + if (!e->alg) + return -ENOMEM; + + e->req =3D alloc_percpu(struct ahash_request *); + if (!e->req) + goto out_free_alg; + + hash =3D crypto_alloc_ahash(alg, 0, CRYPTO_ALG_ASYNC); + if (IS_ERR(hash)) { + ret =3D PTR_ERR(hash); + goto out_free_req; + } + + /* If hash has .setkey(), allocate ahash per-cpu, not only request */ + e->needs_key =3D crypto_ahash_get_flags(hash) & CRYPTO_TFM_NEED_KEY; + + for_each_possible_cpu(cpu) { + struct ahash_request *req; + + if (!hash) + hash =3D crypto_alloc_ahash(alg, 0, CRYPTO_ALG_ASYNC); + if (IS_ERR(hash)) + goto out_free; + + req =3D ahash_request_alloc(hash, GFP_KERNEL); + if (!req) + goto out_free; + + ahash_request_set_callback(req, 0, NULL, NULL); + + *per_cpu_ptr(e->req, cpu) =3D req; + + if (e->needs_key) + hash =3D NULL; + } + kref_init(&e->kref); + return 0; + +out_free: + if (!IS_ERR_OR_NULL(hash) && e->needs_key) + crypto_free_ahash(hash); + + for_each_possible_cpu(cpu) { + if (*per_cpu_ptr(e->req, cpu) =3D=3D NULL) + break; + hash =3D crypto_ahash_reqtfm(*per_cpu_ptr(e->req, cpu)); + ahash_request_free(*per_cpu_ptr(e->req, cpu)); + if (e->needs_key) { + crypto_free_ahash(hash); + hash =3D NULL; + } + } + + if (hash) + crypto_free_ahash(hash); +out_free_req: + free_percpu(e->req); +out_free_alg: + kfree(e->alg); + e->alg =3D NULL; + return ret; +} + +/** + * crypto_pool_alloc_ahash - allocates pool for ahash requests + * @alg: name of async hash algorithm + */ +int crypto_pool_alloc_ahash(const char *alg) +{ + unsigned int i; + int err; + + /* slow-path */ + mutex_lock(&cpool_mutex); + err =3D crypto_pool_scratch_alloc(); + if (err) + goto out; + + for (i =3D 0; i < last_allocated; i++) { + if (cpool[i].alg && !strcmp(cpool[i].alg, alg)) { + if (kref_read(&cpool[i].kref) > 0) { + kref_get(&cpool[i].kref); + goto out; + } else { + break; + } + } + } + + for (i =3D 0; i < last_allocated; i++) { + if (!cpool[i].alg) + break; + } + if (i >=3D CPOOL_SIZE) { + err =3D -ENOSPC; + goto out; + } + + err =3D __cpool_alloc_ahash(&cpool[i], alg); + if (!err && last_allocated <=3D i) + last_allocated++; +out: + mutex_unlock(&cpool_mutex); + return err ?: (int)i; +} +EXPORT_SYMBOL_GPL(crypto_pool_alloc_ahash); + +static void __cpool_free_entry(struct crypto_pool_entry *e) +{ + struct crypto_ahash *hash =3D NULL; + int cpu; + + for_each_possible_cpu(cpu) { + if (*per_cpu_ptr(e->req, cpu) =3D=3D NULL) + continue; + + hash =3D crypto_ahash_reqtfm(*per_cpu_ptr(e->req, cpu)); + ahash_request_free(*per_cpu_ptr(e->req, cpu)); + if (e->needs_key) { + crypto_free_ahash(hash); + hash =3D NULL; + } + } + if (hash) + crypto_free_ahash(hash); + free_percpu(e->req); + kfree(e->alg); + memset(e, 0, sizeof(*e)); +} + +static void cpool_cleanup_work_cb(struct work_struct *work) +{ + unsigned int i; + bool free_scratch =3D true; + + mutex_lock(&cpool_mutex); + for (i =3D 0; i < last_allocated; i++) { + if (kref_read(&cpool[i].kref) > 0) { + free_scratch =3D false; + continue; + } + if (!cpool[i].alg) + continue; + __cpool_free_entry(&cpool[i]); + } + if (free_scratch) + crypto_pool_scratch_free(); + mutex_unlock(&cpool_mutex); +} + +static DECLARE_WORK(cpool_cleanup_work, cpool_cleanup_work_cb); +static void cpool_schedule_cleanup(struct kref *kref) +{ + schedule_work(&cpool_cleanup_work); +} + +/** + * crypto_pool_release - decreases number of users for a pool. If it was + * the last user of the pool, releases any memory that was consumed. + * @id: crypto_pool that was previously allocated by crypto_pool_alloc_aha= sh() + */ +void crypto_pool_release(unsigned int id) +{ + if (WARN_ON_ONCE(id > last_allocated || !cpool[id].alg)) + return; + + /* slow-path */ + kref_put(&cpool[id].kref, cpool_schedule_cleanup); +} +EXPORT_SYMBOL_GPL(crypto_pool_release); + +/** + * crypto_pool_add - increases number of users (refcounter) for a pool + * @id: crypto_pool that was previously allocated by crypto_pool_alloc_aha= sh() + */ +void crypto_pool_add(unsigned int id) +{ + if (WARN_ON_ONCE(id > last_allocated || !cpool[id].alg)) + return; + kref_get(&cpool[id].kref); +} +EXPORT_SYMBOL_GPL(crypto_pool_add); + +/** + * crypto_pool_get - disable bh and start using crypto_pool + * @id: crypto_pool that was previously allocated by crypto_pool_alloc_aha= sh() + * @c: returned crypto_pool for usage (uninitialized on failure) + */ +int crypto_pool_get(unsigned int id, struct crypto_pool *c) +{ + struct crypto_pool_ahash *ret =3D (struct crypto_pool_ahash *)c; + + local_bh_disable(); + if (WARN_ON_ONCE(id > last_allocated || !cpool[id].alg)) { + local_bh_enable(); + return -EINVAL; + } + ret->req =3D *this_cpu_ptr(cpool[id].req); + ret->base.scratch =3D this_cpu_read(crypto_pool_scratch); + return 0; +} +EXPORT_SYMBOL_GPL(crypto_pool_get); + +/** + * crypto_pool_algo - return algorithm of crypto_pool + * @id: crypto_pool that was previously allocated by crypto_pool_alloc_aha= sh() + * @buf: buffer to return name of algorithm + * @buf_len: size of @buf + */ +size_t crypto_pool_algo(unsigned int id, char *buf, size_t buf_len) +{ + size_t ret =3D 0; + + /* slow-path */ + mutex_lock(&cpool_mutex); + if (cpool[id].alg) + ret =3D strscpy(buf, cpool[id].alg, buf_len); + mutex_unlock(&cpool_mutex); + return ret; +} +EXPORT_SYMBOL_GPL(crypto_pool_algo); + +MODULE_LICENSE("GPL"); +MODULE_DESCRIPTION("Per-CPU pool of crypto requests"); diff --git a/include/crypto/pool.h b/include/crypto/pool.h new file mode 100644 index 000000000000..2c61aa45faff --- /dev/null +++ b/include/crypto/pool.h @@ -0,0 +1,34 @@ +/* SPDX-License-Identifier: GPL-2.0-or-later */ +#ifndef _CRYPTO_POOL_H +#define _CRYPTO_POOL_H + +#include + +#define DEFAULT_CRYPTO_POOL_SCRATCH_SZ 128 + +struct crypto_pool { + void *scratch; +}; + +/* + * struct crypto_pool_ahash - per-CPU pool of ahash_requests + * @base: common members that can be used by any async crypto ops + * @req: pre-allocated ahash request + */ +struct crypto_pool_ahash { + struct crypto_pool base; + struct ahash_request *req; +}; + +int crypto_pool_alloc_ahash(const char *alg); +void crypto_pool_add(unsigned int id); +void crypto_pool_release(unsigned int id); + +int crypto_pool_get(unsigned int id, struct crypto_pool *c); +static inline void crypto_pool_put(void) +{ + local_bh_enable(); +} +size_t crypto_pool_algo(unsigned int id, char *buf, size_t buf_len); + +#endif /* _CRYPTO_POOL_H */ --=20 2.37.2 From nobody Fri Apr 10 21:51:38 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id E2DFFC00140 for ; Thu, 18 Aug 2022 17:01:04 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S245445AbiHRRBB (ORCPT ); Thu, 18 Aug 2022 13:01:01 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35046 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1345304AbiHRRAZ (ORCPT ); Thu, 18 Aug 2022 13:00:25 -0400 Received: from mail-wr1-x431.google.com (mail-wr1-x431.google.com [IPv6:2a00:1450:4864:20::431]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E81DFC0E6F for ; Thu, 18 Aug 2022 10:00:17 -0700 (PDT) Received: by mail-wr1-x431.google.com with SMTP id h24so2417756wrb.8 for ; Thu, 18 Aug 2022 10:00:17 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=arista.com; s=google; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc; bh=3fqnnsku3QxqTPl7elY558LSX4G3DY2EK2AyDbfNKys=; b=eVNM23MWi9DGYRreT1Nrk6LL+8eemUOGXLdX/+2z0h/XQMBbWnHaTv/s3uLL5/wJcP GUlYU+UcUZC2PQy6WafyHBC8ML7z7hwLxRbSlXYzrbKcETADFqh2Du3E9RFvuB0wfTtK SVnzsKUN01KygW3EDRX6b8h9VNL7U8b5+l4SDUYtvbrUCIPYWk9+kMJPQzPSKQhv6I+/ HK7sMarLoHfei+H89sUEq8er1cUICUZj/BRVINBhTtDTG2kSUgr9EtBfFe0CzFk2Jbiw i+N78+98kjtGuUOY0akVjppp7Q2EobDsr/6+nKJeiEZH4T1DnVaCVcaGTsUefEP2JhKn 8sfA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc; bh=3fqnnsku3QxqTPl7elY558LSX4G3DY2EK2AyDbfNKys=; b=zSxOBhrraTEPxkX1o7aKQ4Dy4xsBTSFaOqzN/L9+5nmy1wBIg1m9pufDd6sVQBWUDF 8qEvIPMuKedPYBotYv6dY9W5u+52uyFsXBeItsLbiR9Ohm0Vx4LdVkF7NivQ3/FGzoVN xfeisgoN/eCZ860/9MlvD0VMlewN1kpJ7miLQ1h0msI9svp8N/RB6okrpmRNG5kd5Ssn H6itUpww2eHzNr1C92ZyjBrnXpqPCw4MKoM9MSXPRC7eziEmJmCPY8G9jnuRphy37+ua b2hqE6/F6JJtvZK66FGXOvHYa8ltx+74Qmmzgu1Yx+n0LkHqeR1IoFWsza1HNq/S8D/Z rMLw== X-Gm-Message-State: ACgBeo18cQO25ogyRGXPuKoojkN8pdkYiA28qpW3E/bnGHZSbn4gMxub h29sbr5JdOvxXy80pIbtWZybng== X-Google-Smtp-Source: AA6agR6pHX0KBrrBFjoZxk7gXB7J2ga3HP4VqeEj9R1te3T+j/h8xDu+EWr/NPk37fBxiW8/DgnAYg== X-Received: by 2002:a05:6000:80b:b0:21e:d62e:b282 with SMTP id bt11-20020a056000080b00b0021ed62eb282mr2121768wrb.557.1660842016009; Thu, 18 Aug 2022 10:00:16 -0700 (PDT) Received: from Mindolluin.ire.aristanetworks.com ([217.173.96.166]) by smtp.gmail.com with ESMTPSA id be13-20020a05600c1e8d00b003a511e92abcsm2662169wmb.34.2022.08.18.10.00.14 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 18 Aug 2022 10:00:15 -0700 (PDT) From: Dmitry Safonov To: Eric Dumazet , "David S. Miller" , linux-kernel@vger.kernel.org Cc: Dmitry Safonov , Andy Lutomirski , Ard Biesheuvel , Bob Gilligan , David Ahern , Dmitry Safonov <0x7f454c46@gmail.com>, Eric Biggers , Francesco Ruggeri , Herbert Xu , Hideaki YOSHIFUJI , Ivan Delalande , Jakub Kicinski , Leonard Crestez , Paolo Abeni , Salam Noureddine , Shuah Khan , netdev@vger.kernel.org, linux-crypto@vger.kernel.org Subject: [PATCH 02/31] crypto_pool: Add crypto_pool_reserve_scratch() Date: Thu, 18 Aug 2022 17:59:36 +0100 Message-Id: <20220818170005.747015-3-dima@arista.com> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220818170005.747015-1-dima@arista.com> References: <20220818170005.747015-1-dima@arista.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" Instead of having build-time hardcoded constant, reallocate scratch area, if needed by user. Different algos, different users may need different size of temp per-CPU buffer. Only up-sizing supported for simplicity. Signed-off-by: Dmitry Safonov Reported-by: Dan Carpenter Reported-by: kernel test robot --- crypto/Kconfig | 6 ++++ crypto/crypto_pool.c | 68 +++++++++++++++++++++++++++++++------------ include/crypto/pool.h | 3 +- 3 files changed, 57 insertions(+), 20 deletions(-) diff --git a/crypto/Kconfig b/crypto/Kconfig index aeddaa3dcc77..e5865be483be 100644 --- a/crypto/Kconfig +++ b/crypto/Kconfig @@ -2134,6 +2134,12 @@ config CRYPTO_POOL help Per-CPU pool of crypto requests ready for usage in atomic contexts. =20 +config CRYPTO_POOL_DEFAULT_SCRATCH_SIZE + hex "Per-CPU default scratch area size" + depends on CRYPTO_POOL + default 0x100 + range 0x100 0x10000 + source "drivers/crypto/Kconfig" source "crypto/asymmetric_keys/Kconfig" source "certs/Kconfig" diff --git a/crypto/crypto_pool.c b/crypto/crypto_pool.c index a5b6e6cf818a..9e2ac4eb1138 100644 --- a/crypto/crypto_pool.c +++ b/crypto/crypto_pool.c @@ -1,13 +1,14 @@ // SPDX-License-Identifier: GPL-2.0-or-later =20 #include +#include #include #include #include #include #include =20 -static unsigned long scratch_size =3D DEFAULT_CRYPTO_POOL_SCRATCH_SZ; +static unsigned long scratch_size =3D CONFIG_CRYPTO_POOL_DEFAULT_SCRATCH_S= IZE; static DEFINE_PER_CPU(void *, crypto_pool_scratch); =20 struct crypto_pool_entry { @@ -19,29 +20,64 @@ struct crypto_pool_entry { =20 #define CPOOL_SIZE (PAGE_SIZE/sizeof(struct crypto_pool_entry)) static struct crypto_pool_entry cpool[CPOOL_SIZE]; -static int last_allocated; +static unsigned int last_allocated; static DEFINE_MUTEX(cpool_mutex); =20 -static int crypto_pool_scratch_alloc(void) +static void __set_scratch(void *scratch) { - int cpu; + kfree(this_cpu_read(crypto_pool_scratch)); + this_cpu_write(crypto_pool_scratch, scratch); +} =20 - lockdep_assert_held(&cpool_mutex); +/* Slow-path */ +/** + * crypto_pool_reserve_scratch - re-allocates scratch buffer, slow-path + * @size: request size for the scratch/temp buffer + */ +int crypto_pool_reserve_scratch(unsigned long size) +{ + int cpu, err =3D 0; =20 + mutex_lock(&cpool_mutex); + if (size =3D=3D scratch_size) { + for_each_possible_cpu(cpu) { + if (per_cpu(crypto_pool_scratch, cpu)) + continue; + goto allocate_scratch; + } + mutex_unlock(&cpool_mutex); + return 0; + } +allocate_scratch: + size =3D max(size, scratch_size); + cpus_read_lock(); for_each_possible_cpu(cpu) { - void *scratch =3D per_cpu(crypto_pool_scratch, cpu); + void *scratch; =20 - if (scratch) - continue; + scratch =3D kmalloc_node(size, GFP_KERNEL, cpu_to_node(cpu)); + if (!scratch) { + err =3D -ENOMEM; + break; + } =20 - scratch =3D kmalloc_node(scratch_size, GFP_KERNEL, - cpu_to_node(cpu)); - if (!scratch) - return -ENOMEM; - per_cpu(crypto_pool_scratch, cpu) =3D scratch; + if (!cpu_online(cpu)) { + kfree(per_cpu(crypto_pool_scratch, cpu)); + per_cpu(crypto_pool_scratch, cpu) =3D scratch; + continue; + } + err =3D smp_call_function_single(cpu, __set_scratch, scratch, 1); + if (err) { + kfree(scratch); + break; + } } - return 0; + + cpus_read_unlock(); + scratch_size =3D size; + mutex_unlock(&cpool_mutex); + return err; } +EXPORT_SYMBOL_GPL(crypto_pool_reserve_scratch); =20 static void crypto_pool_scratch_free(void) { @@ -139,10 +175,6 @@ int crypto_pool_alloc_ahash(const char *alg) =20 /* slow-path */ mutex_lock(&cpool_mutex); - err =3D crypto_pool_scratch_alloc(); - if (err) - goto out; - for (i =3D 0; i < last_allocated; i++) { if (cpool[i].alg && !strcmp(cpool[i].alg, alg)) { if (kref_read(&cpool[i].kref) > 0) { diff --git a/include/crypto/pool.h b/include/crypto/pool.h index 2c61aa45faff..c7d817860cc3 100644 --- a/include/crypto/pool.h +++ b/include/crypto/pool.h @@ -4,8 +4,6 @@ =20 #include =20 -#define DEFAULT_CRYPTO_POOL_SCRATCH_SZ 128 - struct crypto_pool { void *scratch; }; @@ -20,6 +18,7 @@ struct crypto_pool_ahash { struct ahash_request *req; }; =20 +int crypto_pool_reserve_scratch(unsigned long size); int crypto_pool_alloc_ahash(const char *alg); void crypto_pool_add(unsigned int id); void crypto_pool_release(unsigned int id); --=20 2.37.2 From nobody Fri Apr 10 21:51:38 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 68450C00140 for ; Thu, 18 Aug 2022 17:01:26 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1345299AbiHRRBY (ORCPT ); Thu, 18 Aug 2022 13:01:24 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33692 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1345318AbiHRRA0 (ORCPT ); Thu, 18 Aug 2022 13:00:26 -0400 Received: from mail-wm1-x335.google.com (mail-wm1-x335.google.com [IPv6:2a00:1450:4864:20::335]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 5380EC9E9A for ; Thu, 18 Aug 2022 10:00:19 -0700 (PDT) Received: by mail-wm1-x335.google.com with SMTP id ay12so1132909wmb.1 for ; Thu, 18 Aug 2022 10:00:19 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=arista.com; s=google; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc; bh=xSHEKKWkN852PeSeoo9ORaeQTI8EOweWE++J7xZUzqQ=; b=UYE0G8c63YZhL5AL11H6DPfD/fLeTPP7tteq56sbhxy43WK3NTk6AoI2rgcEqhf0Sm qBWbR+bRdQiU6AeCOvKVb9FfQqGRtnpcnCmPSJluxSKE5JCdF2wKeAB8cKpPkosMZdyG PDHxTT7wnAsm9RBXeLzN7ZQ6jB8mO/rnKLXLE60zBZWXyb2DgSIZrYuwmgFviepdgJ59 SG6qQLhcQuI+CoiJD0PbBRCqYyN9rwFVp/E8CRpFVgJ7g4s+k6zyssSS7Bn9yxaLxBkc FxGS81bXRsugW7QfwQ0EL/UY4RCeIHlEhctma0lgwyfUzP39dR4LY8zfZHXX2YltvaOJ qQPw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc; bh=xSHEKKWkN852PeSeoo9ORaeQTI8EOweWE++J7xZUzqQ=; b=2QrzcF10rGFpRlub0UuTJb+1GeIRAAAgQP/PbiQGvsWPWEK39nS96VrwUmqWe+9fez lXVun7hP74I+Rr6+yCPDTvxoqHCJBGJlIL2CjMyq91UkSLFWUKHLVpTWB4CjC6TuV5A9 PXyxCwJpPeVf+k8PBe5VE/SFzUGT7LUpB7W8qqkGGxW+qJD5yCnefSokCpE9EjDdzeD4 ItjGvyxEQX/MDLazAzmY8X8CX/XwJdrfdXtSAQ/OZrd4Y0gmml/bP03EWFnQO7dnPn3V MUQzkfgVKsMbH1G2iMfxkEo9jQsmKU4yVSvuNPhGwyxR2HGTgFTpkKkADT8/ojRzVchY Vr7A== X-Gm-Message-State: ACgBeo1Cfh0luN1/s/YKAB1YXoDqpLRHHJNVnngtaMx0cDf1vUFDovwa HF0X57KgQZxxp7aD7EXBrwqR5g== X-Google-Smtp-Source: AA6agR4OFtLFcq8eExbn7fg8jNUpt8XDTqihJ0k0SNAEUte+cLKR6kHRNsvx+gk10kswPzzAP3iW/Q== X-Received: by 2002:a1c:7907:0:b0:3a5:a965:95e6 with SMTP id l7-20020a1c7907000000b003a5a96595e6mr5740748wme.75.1660842017436; Thu, 18 Aug 2022 10:00:17 -0700 (PDT) Received: from Mindolluin.ire.aristanetworks.com ([217.173.96.166]) by smtp.gmail.com with ESMTPSA id be13-20020a05600c1e8d00b003a511e92abcsm2662169wmb.34.2022.08.18.10.00.16 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 18 Aug 2022 10:00:17 -0700 (PDT) From: Dmitry Safonov To: Eric Dumazet , "David S. Miller" , linux-kernel@vger.kernel.org Cc: Dmitry Safonov , Andy Lutomirski , Ard Biesheuvel , Bob Gilligan , David Ahern , Dmitry Safonov <0x7f454c46@gmail.com>, Eric Biggers , Francesco Ruggeri , Herbert Xu , Hideaki YOSHIFUJI , Ivan Delalande , Jakub Kicinski , Leonard Crestez , Paolo Abeni , Salam Noureddine , Shuah Khan , netdev@vger.kernel.org, linux-crypto@vger.kernel.org Subject: [PATCH 03/31] net/tcp: Separate tcp_md5sig_info allocation into tcp_md5sig_info_add() Date: Thu, 18 Aug 2022 17:59:37 +0100 Message-Id: <20220818170005.747015-4-dima@arista.com> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220818170005.747015-1-dima@arista.com> References: <20220818170005.747015-1-dima@arista.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" Add a helper to allocate tcp_md5sig_info, that will help later to do/allocate things when info allocated, once per socket. Signed-off-by: Dmitry Safonov --- net/ipv4/tcp_ipv4.c | 30 +++++++++++++++++++++--------- 1 file changed, 21 insertions(+), 9 deletions(-) diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c index 0c83780dc9bf..55e4092209a5 100644 --- a/net/ipv4/tcp_ipv4.c +++ b/net/ipv4/tcp_ipv4.c @@ -1152,6 +1152,24 @@ struct tcp_md5sig_key *tcp_v4_md5_lookup(const struc= t sock *sk, } EXPORT_SYMBOL(tcp_v4_md5_lookup); =20 +static int tcp_md5sig_info_add(struct sock *sk, gfp_t gfp) +{ + struct tcp_sock *tp =3D tcp_sk(sk); + struct tcp_md5sig_info *md5sig; + + if (rcu_dereference_protected(tp->md5sig_info, lockdep_sock_is_held(sk))) + return 0; + + md5sig =3D kmalloc(sizeof(*md5sig), gfp); + if (!md5sig) + return -ENOMEM; + + sk_gso_disable(sk); + INIT_HLIST_HEAD(&md5sig->head); + rcu_assign_pointer(tp->md5sig_info, md5sig); + return 0; +} + /* This can be called on a newly created socket, from other files */ int tcp_md5_do_add(struct sock *sk, const union tcp_md5_addr *addr, int family, u8 prefixlen, int l3index, u8 flags, @@ -1182,17 +1200,11 @@ int tcp_md5_do_add(struct sock *sk, const union tcp= _md5_addr *addr, return 0; } =20 + if (tcp_md5sig_info_add(sk, gfp)) + return -ENOMEM; + md5sig =3D rcu_dereference_protected(tp->md5sig_info, lockdep_sock_is_held(sk)); - if (!md5sig) { - md5sig =3D kmalloc(sizeof(*md5sig), gfp); - if (!md5sig) - return -ENOMEM; - - sk_gso_disable(sk); - INIT_HLIST_HEAD(&md5sig->head); - rcu_assign_pointer(tp->md5sig_info, md5sig); - } =20 key =3D sock_kmalloc(sk, sizeof(*key), gfp | __GFP_ZERO); if (!key) --=20 2.37.2 From nobody Fri Apr 10 21:51:38 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id C27E9C3F6B0 for ; Thu, 18 Aug 2022 17:00:59 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1345237AbiHRRA4 (ORCPT ); Thu, 18 Aug 2022 13:00:56 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35278 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1345337AbiHRRA3 (ORCPT ); Thu, 18 Aug 2022 13:00:29 -0400 Received: from mail-wm1-x333.google.com (mail-wm1-x333.google.com [IPv6:2a00:1450:4864:20::333]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id F1CCDBA9D1 for ; Thu, 18 Aug 2022 10:00:20 -0700 (PDT) Received: by mail-wm1-x333.google.com with SMTP id r83-20020a1c4456000000b003a5cb389944so2884914wma.4 for ; Thu, 18 Aug 2022 10:00:20 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=arista.com; s=google; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc; bh=W3FIJ8g31EbilY5bWwqxn3k37XIrYW13mo9mOBDo56Q=; b=LceZ1GY4uU3GNJ9Xao3bunKwN7uU2QqUCzIweH/OuAdV1WC61RFR302HfmtRUaOl0N nKG/O3O14/pJjeOG8gmrqX585PWnLrNxn8IMKeDgKbY90fGd6INN4ANzMOZbNPelj0Wj a147X/VJTdAW0mR5wP5QpRlro+QySAbX/4BCyHLAGUdTbhFB5hdGWLHNITKp6cXth80d 41Kbx0GE2Bs0zBRgsQXi42Ek9PyqNE/XBQDQEH5U/6fvM9o+0K/FlrDFY07Jdz00LDtM F3B49it8FV2Er0hZf7rvAyQiw6uFWCs3Jy3ag4zMxsBcAv1PYlKhMzA1ARbXWYXgoQI5 toyQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc; bh=W3FIJ8g31EbilY5bWwqxn3k37XIrYW13mo9mOBDo56Q=; b=itD1w1SVxbk+Vmu+UNfPUwgU4fdZEpD/jJlF+BvL8t0d0Em+m0zhx51667tD4uyaDZ LgI7b6fDHNLO9rBL6DYpyPx7LPMzZfHolvmZXkf8/xEc9yS/SWFk90G1hJY3vBHnajG2 KGzq42VV2EQ/wiktnBpukP69RvgYSwNh6kLOceEZWZqqaCat6KmInt7JGkL8Q7UXIGAt npq+53uH2yW13nCXZg4aTJ0waEc68Av+Y8rFbA9rhdOpS2qa1hXVaL/+5fJA/BEkr5uJ mkFvZ4vk0K418I8HWz2PDLL26oNaVxNql0GvqF7dgzMlvnXF+iajJ6/lpwsDf5PWckZ8 QKtg== X-Gm-Message-State: ACgBeo36l8ivsynVKFXUA+MZHqe2CP32Z7f0VokgDacsUjtUyccAAKNi ahrealkGu1+mYPD2SoAbySTGbg== X-Google-Smtp-Source: AA6agR704O/vDsEKgD/w+5ZPix/bkBBnqq4F9NYXUTMOaW0GUovCTQ+qWF5JxVkbWqAcrWdyJdYObg== X-Received: by 2002:a1c:2585:0:b0:3a5:2163:f33b with SMTP id l127-20020a1c2585000000b003a52163f33bmr2482052wml.189.1660842018893; Thu, 18 Aug 2022 10:00:18 -0700 (PDT) Received: from Mindolluin.ire.aristanetworks.com ([217.173.96.166]) by smtp.gmail.com with ESMTPSA id be13-20020a05600c1e8d00b003a511e92abcsm2662169wmb.34.2022.08.18.10.00.17 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 18 Aug 2022 10:00:18 -0700 (PDT) From: Dmitry Safonov To: Eric Dumazet , "David S. Miller" , linux-kernel@vger.kernel.org Cc: Dmitry Safonov , Andy Lutomirski , Ard Biesheuvel , Bob Gilligan , David Ahern , Dmitry Safonov <0x7f454c46@gmail.com>, Eric Biggers , Francesco Ruggeri , Herbert Xu , Hideaki YOSHIFUJI , Ivan Delalande , Jakub Kicinski , Leonard Crestez , Paolo Abeni , Salam Noureddine , Shuah Khan , netdev@vger.kernel.org, linux-crypto@vger.kernel.org Subject: [PATCH 04/31] net/tcp: Disable TCP-MD5 static key on tcp_md5sig_info destruction Date: Thu, 18 Aug 2022 17:59:38 +0100 Message-Id: <20220818170005.747015-5-dima@arista.com> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220818170005.747015-1-dima@arista.com> References: <20220818170005.747015-1-dima@arista.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" To do that, separate two scenarios: - where it's the first MD5 key on the system, which means that enabling of the static key may need to sleep; - copying of an existing key from a listening socket to the request socket upon receiving a signed TCP segment, where static key was already enabled (when the key was added to the listening socket). Now the life-time of the static branch for TCP-MD5 is until: - last tcp_md5sig_info is destroyed - last socket in time-wait state with MD5 key is closed. Which means that after all sockets with TCP-MD5 keys are gone, the system gets back the performance of disabled md5-key static branch. Signed-off-by: Dmitry Safonov --- include/net/tcp.h | 10 ++++++--- net/ipv4/tcp.c | 5 +---- net/ipv4/tcp_ipv4.c | 45 +++++++++++++++++++++++++++++++--------- net/ipv4/tcp_minisocks.c | 9 +++++--- net/ipv4/tcp_output.c | 4 ++-- net/ipv6/tcp_ipv6.c | 10 ++++----- 6 files changed, 55 insertions(+), 28 deletions(-) diff --git a/include/net/tcp.h b/include/net/tcp.h index d10962b9f0d0..831cd1e24687 100644 --- a/include/net/tcp.h +++ b/include/net/tcp.h @@ -1665,7 +1665,11 @@ int tcp_v4_md5_hash_skb(char *md5_hash, const struct= tcp_md5sig_key *key, const struct sock *sk, const struct sk_buff *skb); int tcp_md5_do_add(struct sock *sk, const union tcp_md5_addr *addr, int family, u8 prefixlen, int l3index, u8 flags, - const u8 *newkey, u8 newkeylen, gfp_t gfp); + const u8 *newkey, u8 newkeylen); +int tcp_md5_key_copy(struct sock *sk, const union tcp_md5_addr *addr, + int family, u8 prefixlen, int l3index, + struct tcp_md5sig_key *key); + int tcp_md5_do_del(struct sock *sk, const union tcp_md5_addr *addr, int family, u8 prefixlen, int l3index, u8 flags); struct tcp_md5sig_key *tcp_v4_md5_lookup(const struct sock *sk, @@ -1673,7 +1677,7 @@ struct tcp_md5sig_key *tcp_v4_md5_lookup(const struct= sock *sk, =20 #ifdef CONFIG_TCP_MD5SIG #include -extern struct static_key_false tcp_md5_needed; +extern struct static_key_false_deferred tcp_md5_needed; struct tcp_md5sig_key *__tcp_md5_do_lookup(const struct sock *sk, int l3in= dex, const union tcp_md5_addr *addr, int family); @@ -1681,7 +1685,7 @@ static inline struct tcp_md5sig_key * tcp_md5_do_lookup(const struct sock *sk, int l3index, const union tcp_md5_addr *addr, int family) { - if (!static_branch_unlikely(&tcp_md5_needed)) + if (!static_branch_unlikely(&tcp_md5_needed.key)) return NULL; return __tcp_md5_do_lookup(sk, l3index, addr, family); } diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c index 970e9a2cca4a..a4a171656d7d 100644 --- a/net/ipv4/tcp.c +++ b/net/ipv4/tcp.c @@ -4444,11 +4444,8 @@ bool tcp_alloc_md5sig_pool(void) if (unlikely(!tcp_md5sig_pool_populated)) { mutex_lock(&tcp_md5sig_mutex); =20 - if (!tcp_md5sig_pool_populated) { + if (!tcp_md5sig_pool_populated) __tcp_alloc_md5sig_pool(); - if (tcp_md5sig_pool_populated) - static_branch_inc(&tcp_md5_needed); - } =20 mutex_unlock(&tcp_md5sig_mutex); } diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c index 55e4092209a5..72feb74706e6 100644 --- a/net/ipv4/tcp_ipv4.c +++ b/net/ipv4/tcp_ipv4.c @@ -1044,7 +1044,7 @@ static void tcp_v4_reqsk_destructor(struct request_so= ck *req) * We need to maintain these in the sk structure. */ =20 -DEFINE_STATIC_KEY_FALSE(tcp_md5_needed); +DEFINE_STATIC_KEY_DEFERRED_FALSE(tcp_md5_needed, HZ); EXPORT_SYMBOL(tcp_md5_needed); =20 static bool better_md5_match(struct tcp_md5sig_key *old, struct tcp_md5sig= _key *new) @@ -1171,9 +1171,9 @@ static int tcp_md5sig_info_add(struct sock *sk, gfp_t= gfp) } =20 /* This can be called on a newly created socket, from other files */ -int tcp_md5_do_add(struct sock *sk, const union tcp_md5_addr *addr, - int family, u8 prefixlen, int l3index, u8 flags, - const u8 *newkey, u8 newkeylen, gfp_t gfp) +static int __tcp_md5_do_add(struct sock *sk, const union tcp_md5_addr *add= r, + int family, u8 prefixlen, int l3index, u8 flags, + const u8 *newkey, u8 newkeylen, gfp_t gfp) { /* Add Key to the list */ struct tcp_md5sig_key *key; @@ -1200,9 +1200,6 @@ int tcp_md5_do_add(struct sock *sk, const union tcp_m= d5_addr *addr, return 0; } =20 - if (tcp_md5sig_info_add(sk, gfp)) - return -ENOMEM; - md5sig =3D rcu_dereference_protected(tp->md5sig_info, lockdep_sock_is_held(sk)); =20 @@ -1226,8 +1223,36 @@ int tcp_md5_do_add(struct sock *sk, const union tcp_= md5_addr *addr, hlist_add_head_rcu(&key->node, &md5sig->head); return 0; } + +int tcp_md5_do_add(struct sock *sk, const union tcp_md5_addr *addr, + int family, u8 prefixlen, int l3index, u8 flags, + const u8 *newkey, u8 newkeylen) +{ + if (tcp_md5sig_info_add(sk, GFP_KERNEL)) + return -ENOMEM; + + static_branch_inc(&tcp_md5_needed.key); + + return __tcp_md5_do_add(sk, addr, family, prefixlen, l3index, flags, + newkey, newkeylen, GFP_KERNEL); +} EXPORT_SYMBOL(tcp_md5_do_add); =20 +int tcp_md5_key_copy(struct sock *sk, const union tcp_md5_addr *addr, + int family, u8 prefixlen, int l3index, + struct tcp_md5sig_key *key) +{ + if (tcp_md5sig_info_add(sk, sk_gfp_mask(sk, GFP_ATOMIC))) + return -ENOMEM; + + atomic_inc(&tcp_md5_needed.key.key.enabled); + + return __tcp_md5_do_add(sk, addr, family, prefixlen, l3index, + key->flags, key->key, key->keylen, + sk_gfp_mask(sk, GFP_ATOMIC)); +} +EXPORT_SYMBOL(tcp_md5_key_copy); + int tcp_md5_do_del(struct sock *sk, const union tcp_md5_addr *addr, int fa= mily, u8 prefixlen, int l3index, u8 flags) { @@ -1314,7 +1339,7 @@ static int tcp_v4_parse_md5_keys(struct sock *sk, int= optname, return -EINVAL; =20 return tcp_md5_do_add(sk, addr, AF_INET, prefixlen, l3index, flags, - cmd.tcpm_key, cmd.tcpm_keylen, GFP_KERNEL); + cmd.tcpm_key, cmd.tcpm_keylen); } =20 static int tcp_v4_md5_hash_headers(struct tcp_md5sig_pool *hp, @@ -1571,8 +1596,7 @@ struct sock *tcp_v4_syn_recv_sock(const struct sock *= sk, struct sk_buff *skb, * memory, then we end up not copying the key * across. Shucks. */ - tcp_md5_do_add(newsk, addr, AF_INET, 32, l3index, key->flags, - key->key, key->keylen, GFP_ATOMIC); + tcp_md5_key_copy(newsk, addr, AF_INET, 32, l3index, key); sk_gso_disable(newsk); } #endif @@ -2260,6 +2284,7 @@ void tcp_v4_destroy_sock(struct sock *sk) tcp_clear_md5_list(sk); kfree_rcu(rcu_dereference_protected(tp->md5sig_info, 1), rcu); tp->md5sig_info =3D NULL; + static_branch_slow_dec_deferred(&tcp_md5_needed); } #endif =20 diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c index cb95d88497ae..5d475a45a478 100644 --- a/net/ipv4/tcp_minisocks.c +++ b/net/ipv4/tcp_minisocks.c @@ -291,13 +291,14 @@ void tcp_time_wait(struct sock *sk, int state, int ti= meo) */ do { tcptw->tw_md5_key =3D NULL; - if (static_branch_unlikely(&tcp_md5_needed)) { + if (static_branch_unlikely(&tcp_md5_needed.key)) { struct tcp_md5sig_key *key; =20 key =3D tp->af_specific->md5_lookup(sk, sk); if (key) { tcptw->tw_md5_key =3D kmemdup(key, sizeof(*key), GFP_ATOMIC); BUG_ON(tcptw->tw_md5_key && !tcp_alloc_md5sig_pool()); + atomic_inc(&tcp_md5_needed.key.key.enabled); } } } while (0); @@ -337,11 +338,13 @@ EXPORT_SYMBOL(tcp_time_wait); void tcp_twsk_destructor(struct sock *sk) { #ifdef CONFIG_TCP_MD5SIG - if (static_branch_unlikely(&tcp_md5_needed)) { + if (static_branch_unlikely(&tcp_md5_needed.key)) { struct tcp_timewait_sock *twsk =3D tcp_twsk(sk); =20 - if (twsk->tw_md5_key) + if (twsk->tw_md5_key) { kfree_rcu(twsk->tw_md5_key, rcu); + static_branch_slow_dec_deferred(&tcp_md5_needed); + } } #endif } diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c index 78b654ff421b..9e12845a8758 100644 --- a/net/ipv4/tcp_output.c +++ b/net/ipv4/tcp_output.c @@ -766,7 +766,7 @@ static unsigned int tcp_syn_options(struct sock *sk, st= ruct sk_buff *skb, =20 *md5 =3D NULL; #ifdef CONFIG_TCP_MD5SIG - if (static_branch_unlikely(&tcp_md5_needed) && + if (static_branch_unlikely(&tcp_md5_needed.key) && rcu_access_pointer(tp->md5sig_info)) { *md5 =3D tp->af_specific->md5_lookup(sk, sk); if (*md5) { @@ -922,7 +922,7 @@ static unsigned int tcp_established_options(struct sock= *sk, struct sk_buff *skb =20 *md5 =3D NULL; #ifdef CONFIG_TCP_MD5SIG - if (static_branch_unlikely(&tcp_md5_needed) && + if (static_branch_unlikely(&tcp_md5_needed.key) && rcu_access_pointer(tp->md5sig_info)) { *md5 =3D tp->af_specific->md5_lookup(sk, sk); if (*md5) { diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c index e54eee80ce5f..cb891a71db0d 100644 --- a/net/ipv6/tcp_ipv6.c +++ b/net/ipv6/tcp_ipv6.c @@ -658,12 +658,11 @@ static int tcp_v6_parse_md5_keys(struct sock *sk, int= optname, if (ipv6_addr_v4mapped(&sin6->sin6_addr)) return tcp_md5_do_add(sk, (union tcp_md5_addr *)&sin6->sin6_addr.s6_addr= 32[3], AF_INET, prefixlen, l3index, flags, - cmd.tcpm_key, cmd.tcpm_keylen, - GFP_KERNEL); + cmd.tcpm_key, cmd.tcpm_keylen); =20 return tcp_md5_do_add(sk, (union tcp_md5_addr *)&sin6->sin6_addr, AF_INET6, prefixlen, l3index, flags, - cmd.tcpm_key, cmd.tcpm_keylen, GFP_KERNEL); + cmd.tcpm_key, cmd.tcpm_keylen); } =20 static int tcp_v6_md5_hash_headers(struct tcp_md5sig_pool *hp, @@ -1359,9 +1358,8 @@ static struct sock *tcp_v6_syn_recv_sock(const struct= sock *sk, struct sk_buff * * memory, then we end up not copying the key * across. Shucks. */ - tcp_md5_do_add(newsk, (union tcp_md5_addr *)&newsk->sk_v6_daddr, - AF_INET6, 128, l3index, key->flags, key->key, key->keylen, - sk_gfp_mask(sk, GFP_ATOMIC)); + tcp_md5_key_copy(newsk, (union tcp_md5_addr *)&newsk->sk_v6_daddr, + AF_INET6, 128, l3index, key); } #endif =20 --=20 2.37.2 From nobody Fri Apr 10 21:51:38 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id BFED0C32773 for ; Thu, 18 Aug 2022 17:01:23 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1345295AbiHRRBW (ORCPT ); Thu, 18 Aug 2022 13:01:22 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35276 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1345339AbiHRRA3 (ORCPT ); Thu, 18 Aug 2022 13:00:29 -0400 Received: from mail-wm1-x336.google.com (mail-wm1-x336.google.com [IPv6:2a00:1450:4864:20::336]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6D6F9CAC84 for ; Thu, 18 Aug 2022 10:00:21 -0700 (PDT) Received: by mail-wm1-x336.google.com with SMTP id k6-20020a05600c1c8600b003a54ecc62f6so1251671wms.5 for ; Thu, 18 Aug 2022 10:00:21 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=arista.com; s=google; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc; bh=L90WBYS3C60aaBnYTHmtkcCSIx2kDWekzsfS4mQsNSY=; b=HU96OM3Z5VzLoORJIFvHYxlRG0o+lr/JjMn01/psIAnXn5nPMh+SSVML8zirIFlH2R C4Y9yO1Hu6M+rr9aeA8ru1LsHe3OLxf2vn0L1kBV1ksId09AMOZqQO7CWeaPHoNdesG2 DHFDaPStrSa0XdofkFnzmpGyLJ4tTx9Uu1ErMG1G92mIBRVBO0TWO0tzIJexJPUeC6zq S5dk6lvabGJqyVhdo6lNQ/TbOgLWZrIWUuro9/bCvbcptoeYC+Zc5n8RjtTvSeRYT7Hk WyoNfjDPID6TSt1Zz5c7FxOW3WfPxpXOfh95YIBXmFTiUegtMThgyCuxKz+IhdNsdHyz gajg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc; bh=L90WBYS3C60aaBnYTHmtkcCSIx2kDWekzsfS4mQsNSY=; b=RckPEjqSo+pZ6KZ8/qnhVSSZZFjxltCp2M3lw5o4PGl9FsrcgnZd0L9PZvm8Xjm70F nKsG2z5BAwcChugKvA5EOfKId08YQAKX7+ML6Q/I7MISmXsBJN33dc8F4gd/tmR7ZoGj YTVZEQLfzSJ50nw2Vne0HUvOWZbNpGml8LmAEa8zX5B9mO/gQHPHxPno7n6WdERnYCJ7 5umKV3E75lLDy2327G1AR+EwkOE2omytOZ42uARq+wpnRHpasGdOlaVaK9FE4MToM4rQ hxiWzsLQSqEZpKUhQeLbURTn3vt0Evkp4/ue1lBUq5gTz5GAHfsoe4rRYaC2wihBFOQr mf/w== X-Gm-Message-State: ACgBeo09Awom24tglkQmk0MiEshebZV4nn9nuFbPCrCUzwt+LbneFyZi TWXAA9WCTWE11/5ZDltOEQdCgQ== X-Google-Smtp-Source: AA6agR4Nma0C2vf8UbANGAZdbtriinSGm8AskQyzE2xuoLZvT25JBwHYXunZTBt8HmvHOlu1Reya+w== X-Received: by 2002:a05:600c:3b92:b0:3a6:8d6:9a2f with SMTP id n18-20020a05600c3b9200b003a608d69a2fmr5784416wms.159.1660842020572; Thu, 18 Aug 2022 10:00:20 -0700 (PDT) Received: from Mindolluin.ire.aristanetworks.com ([217.173.96.166]) by smtp.gmail.com with ESMTPSA id be13-20020a05600c1e8d00b003a511e92abcsm2662169wmb.34.2022.08.18.10.00.19 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 18 Aug 2022 10:00:20 -0700 (PDT) From: Dmitry Safonov To: Eric Dumazet , "David S. Miller" , linux-kernel@vger.kernel.org Cc: Dmitry Safonov , Andy Lutomirski , Ard Biesheuvel , Bob Gilligan , David Ahern , Dmitry Safonov <0x7f454c46@gmail.com>, Eric Biggers , Francesco Ruggeri , Herbert Xu , Hideaki YOSHIFUJI , Ivan Delalande , Jakub Kicinski , Leonard Crestez , Paolo Abeni , Salam Noureddine , Shuah Khan , netdev@vger.kernel.org, linux-crypto@vger.kernel.org Subject: [PATCH 05/31] net/tcp: Use crypto_pool for TCP-MD5 Date: Thu, 18 Aug 2022 17:59:39 +0100 Message-Id: <20220818170005.747015-6-dima@arista.com> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220818170005.747015-1-dima@arista.com> References: <20220818170005.747015-1-dima@arista.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" Use crypto_pool API that was designed with tcp_md5sig_pool in mind. The conversion to use crypto_pool will allow: - to reuse ahash_request(s) for different users - to allocate only one per-CPU scratch buffer rather than a new one for each user - to have a common API for net/ users that need ahash on RX/TX fast path Signed-off-by: Dmitry Safonov --- include/net/tcp.h | 22 +++------ net/ipv4/Kconfig | 2 +- net/ipv4/tcp.c | 99 +++++++++++----------------------------- net/ipv4/tcp_ipv4.c | 90 +++++++++++++++++++++--------------- net/ipv4/tcp_minisocks.c | 22 +++++++-- net/ipv6/tcp_ipv6.c | 53 ++++++++++----------- 6 files changed, 128 insertions(+), 160 deletions(-) diff --git a/include/net/tcp.h b/include/net/tcp.h index 831cd1e24687..75bb817928c1 100644 --- a/include/net/tcp.h +++ b/include/net/tcp.h @@ -1654,12 +1654,6 @@ union tcp_md5sum_block { #endif }; =20 -/* - pool: digest algorithm, hash description and scratch buffer */ -struct tcp_md5sig_pool { - struct ahash_request *md5_req; - void *scratch; -}; - /* - functions */ int tcp_v4_md5_hash_skb(char *md5_hash, const struct tcp_md5sig_key *key, const struct sock *sk, const struct sk_buff *skb); @@ -1715,17 +1709,15 @@ tcp_inbound_md5_hash(const struct sock *sk, const s= truct sk_buff *skb, #define tcp_twsk_md5_key(twsk) NULL #endif =20 -bool tcp_alloc_md5sig_pool(void); - -struct tcp_md5sig_pool *tcp_get_md5sig_pool(void); -static inline void tcp_put_md5sig_pool(void) -{ - local_bh_enable(); -} +struct crypto_pool_ahash; +int tcp_md5_alloc_crypto_pool(void); +void tcp_md5_release_crypto_pool(void); +void tcp_md5_add_crypto_pool(void); +extern int tcp_md5_crypto_pool_id; =20 -int tcp_md5_hash_skb_data(struct tcp_md5sig_pool *, const struct sk_buff *, +int tcp_md5_hash_skb_data(struct crypto_pool_ahash *, const struct sk_buff= *, unsigned int header_len); -int tcp_md5_hash_key(struct tcp_md5sig_pool *hp, +int tcp_md5_hash_key(struct crypto_pool_ahash *hp, const struct tcp_md5sig_key *key); =20 /* From tcp_fastopen.c */ diff --git a/net/ipv4/Kconfig b/net/ipv4/Kconfig index e983bb0c5012..c341864e4398 100644 --- a/net/ipv4/Kconfig +++ b/net/ipv4/Kconfig @@ -733,7 +733,7 @@ config DEFAULT_TCP_CONG =20 config TCP_MD5SIG bool "TCP: MD5 Signature Option support (RFC2385)" - select CRYPTO + select CRYPTO_POOL select CRYPTO_MD5 help RFC2385 specifies a method of giving MD5 protection to TCP sessions. diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c index a4a171656d7d..7c54b47e848f 100644 --- a/net/ipv4/tcp.c +++ b/net/ipv4/tcp.c @@ -244,6 +244,7 @@ #define pr_fmt(fmt) "TCP: " fmt =20 #include +#include #include #include #include @@ -4395,92 +4396,45 @@ int tcp_getsockopt(struct sock *sk, int level, int = optname, char __user *optval, EXPORT_SYMBOL(tcp_getsockopt); =20 #ifdef CONFIG_TCP_MD5SIG -static DEFINE_PER_CPU(struct tcp_md5sig_pool, tcp_md5sig_pool); -static DEFINE_MUTEX(tcp_md5sig_mutex); -static bool tcp_md5sig_pool_populated =3D false; +int tcp_md5_crypto_pool_id =3D -1; +EXPORT_SYMBOL(tcp_md5_crypto_pool_id); =20 -static void __tcp_alloc_md5sig_pool(void) +int tcp_md5_alloc_crypto_pool(void) { - struct crypto_ahash *hash; - int cpu; - - hash =3D crypto_alloc_ahash("md5", 0, CRYPTO_ALG_ASYNC); - if (IS_ERR(hash)) - return; - - for_each_possible_cpu(cpu) { - void *scratch =3D per_cpu(tcp_md5sig_pool, cpu).scratch; - struct ahash_request *req; - - if (!scratch) { - scratch =3D kmalloc_node(sizeof(union tcp_md5sum_block) + - sizeof(struct tcphdr), - GFP_KERNEL, - cpu_to_node(cpu)); - if (!scratch) - return; - per_cpu(tcp_md5sig_pool, cpu).scratch =3D scratch; - } - if (per_cpu(tcp_md5sig_pool, cpu).md5_req) - continue; - - req =3D ahash_request_alloc(hash, GFP_KERNEL); - if (!req) - return; + int ret; =20 - ahash_request_set_callback(req, 0, NULL, NULL); + ret =3D crypto_pool_reserve_scratch(sizeof(union tcp_md5sum_block) + + sizeof(struct tcphdr)); + if (ret) + return ret; =20 - per_cpu(tcp_md5sig_pool, cpu).md5_req =3D req; + ret =3D crypto_pool_alloc_ahash("md5"); + if (ret >=3D 0) { + tcp_md5_crypto_pool_id =3D ret; + return 0; } - /* before setting tcp_md5sig_pool_populated, we must commit all writes - * to memory. See smp_rmb() in tcp_get_md5sig_pool() - */ - smp_wmb(); - tcp_md5sig_pool_populated =3D true; + return ret; } +EXPORT_SYMBOL(tcp_md5_alloc_crypto_pool); =20 -bool tcp_alloc_md5sig_pool(void) +void tcp_md5_release_crypto_pool(void) { - if (unlikely(!tcp_md5sig_pool_populated)) { - mutex_lock(&tcp_md5sig_mutex); - - if (!tcp_md5sig_pool_populated) - __tcp_alloc_md5sig_pool(); - - mutex_unlock(&tcp_md5sig_mutex); - } - return tcp_md5sig_pool_populated; + crypto_pool_release(tcp_md5_crypto_pool_id); } -EXPORT_SYMBOL(tcp_alloc_md5sig_pool); +EXPORT_SYMBOL(tcp_md5_release_crypto_pool); =20 - -/** - * tcp_get_md5sig_pool - get md5sig_pool for this user - * - * We use percpu structure, so if we succeed, we exit with preemption - * and BH disabled, to make sure another thread or softirq handling - * wont try to get same context. - */ -struct tcp_md5sig_pool *tcp_get_md5sig_pool(void) +void tcp_md5_add_crypto_pool(void) { - local_bh_disable(); - - if (tcp_md5sig_pool_populated) { - /* coupled with smp_wmb() in __tcp_alloc_md5sig_pool() */ - smp_rmb(); - return this_cpu_ptr(&tcp_md5sig_pool); - } - local_bh_enable(); - return NULL; + crypto_pool_add(tcp_md5_crypto_pool_id); } -EXPORT_SYMBOL(tcp_get_md5sig_pool); +EXPORT_SYMBOL(tcp_md5_add_crypto_pool); =20 -int tcp_md5_hash_skb_data(struct tcp_md5sig_pool *hp, +int tcp_md5_hash_skb_data(struct crypto_pool_ahash *hp, const struct sk_buff *skb, unsigned int header_len) { struct scatterlist sg; const struct tcphdr *tp =3D tcp_hdr(skb); - struct ahash_request *req =3D hp->md5_req; + struct ahash_request *req =3D hp->req; unsigned int i; const unsigned int head_data_len =3D skb_headlen(skb) > header_len ? skb_headlen(skb) - header_len : 0; @@ -4514,16 +4468,17 @@ int tcp_md5_hash_skb_data(struct tcp_md5sig_pool *h= p, } EXPORT_SYMBOL(tcp_md5_hash_skb_data); =20 -int tcp_md5_hash_key(struct tcp_md5sig_pool *hp, const struct tcp_md5sig_k= ey *key) +int tcp_md5_hash_key(struct crypto_pool_ahash *hp, + const struct tcp_md5sig_key *key) { u8 keylen =3D READ_ONCE(key->keylen); /* paired with WRITE_ONCE() in tcp_= md5_do_add */ struct scatterlist sg; =20 sg_init_one(&sg, key->key, keylen); - ahash_request_set_crypt(hp->md5_req, &sg, NULL, keylen); + ahash_request_set_crypt(hp->req, &sg, NULL, keylen); =20 /* We use data_race() because tcp_md5_do_add() might change key->key unde= r us */ - return data_race(crypto_ahash_update(hp->md5_req)); + return data_race(crypto_ahash_update(hp->req)); } EXPORT_SYMBOL(tcp_md5_hash_key); =20 diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c index 72feb74706e6..6bafe7429902 100644 --- a/net/ipv4/tcp_ipv4.c +++ b/net/ipv4/tcp_ipv4.c @@ -79,6 +79,7 @@ #include =20 #include +#include #include =20 #include @@ -1206,10 +1207,6 @@ static int __tcp_md5_do_add(struct sock *sk, const u= nion tcp_md5_addr *addr, key =3D sock_kmalloc(sk, sizeof(*key), gfp | __GFP_ZERO); if (!key) return -ENOMEM; - if (!tcp_alloc_md5sig_pool()) { - sock_kfree_s(sk, key, sizeof(*key)); - return -ENOMEM; - } =20 memcpy(key->key, newkey, newkeylen); key->keylen =3D newkeylen; @@ -1228,8 +1225,13 @@ int tcp_md5_do_add(struct sock *sk, const union tcp_= md5_addr *addr, int family, u8 prefixlen, int l3index, u8 flags, const u8 *newkey, u8 newkeylen) { - if (tcp_md5sig_info_add(sk, GFP_KERNEL)) + if (tcp_md5_alloc_crypto_pool()) + return -ENOMEM; + + if (tcp_md5sig_info_add(sk, GFP_KERNEL)) { + tcp_md5_release_crypto_pool(); return -ENOMEM; + } =20 static_branch_inc(&tcp_md5_needed.key); =20 @@ -1242,8 +1244,12 @@ int tcp_md5_key_copy(struct sock *sk, const union tc= p_md5_addr *addr, int family, u8 prefixlen, int l3index, struct tcp_md5sig_key *key) { - if (tcp_md5sig_info_add(sk, sk_gfp_mask(sk, GFP_ATOMIC))) + tcp_md5_add_crypto_pool(); + + if (tcp_md5sig_info_add(sk, sk_gfp_mask(sk, GFP_ATOMIC))) { + tcp_md5_release_crypto_pool(); return -ENOMEM; + } =20 atomic_inc(&tcp_md5_needed.key.key.enabled); =20 @@ -1342,7 +1348,7 @@ static int tcp_v4_parse_md5_keys(struct sock *sk, int= optname, cmd.tcpm_key, cmd.tcpm_keylen); } =20 -static int tcp_v4_md5_hash_headers(struct tcp_md5sig_pool *hp, +static int tcp_v4_md5_hash_headers(struct crypto_pool_ahash *hp, __be32 daddr, __be32 saddr, const struct tcphdr *th, int nbytes) { @@ -1350,7 +1356,7 @@ static int tcp_v4_md5_hash_headers(struct tcp_md5sig_= pool *hp, struct scatterlist sg; struct tcphdr *_th; =20 - bp =3D hp->scratch; + bp =3D hp->base.scratch; bp->saddr =3D saddr; bp->daddr =3D daddr; bp->pad =3D 0; @@ -1362,37 +1368,34 @@ static int tcp_v4_md5_hash_headers(struct tcp_md5si= g_pool *hp, _th->check =3D 0; =20 sg_init_one(&sg, bp, sizeof(*bp) + sizeof(*th)); - ahash_request_set_crypt(hp->md5_req, &sg, NULL, + ahash_request_set_crypt(hp->req, &sg, NULL, sizeof(*bp) + sizeof(*th)); - return crypto_ahash_update(hp->md5_req); + return crypto_ahash_update(hp->req); } =20 static int tcp_v4_md5_hash_hdr(char *md5_hash, const struct tcp_md5sig_key= *key, __be32 daddr, __be32 saddr, const struct tcphdr *th) { - struct tcp_md5sig_pool *hp; - struct ahash_request *req; + struct crypto_pool_ahash hp; =20 - hp =3D tcp_get_md5sig_pool(); - if (!hp) + if (crypto_pool_get(tcp_md5_crypto_pool_id, (struct crypto_pool *)&hp)) goto clear_hash_noput; - req =3D hp->md5_req; =20 - if (crypto_ahash_init(req)) + if (crypto_ahash_init(hp.req)) goto clear_hash; - if (tcp_v4_md5_hash_headers(hp, daddr, saddr, th, th->doff << 2)) + if (tcp_v4_md5_hash_headers(&hp, daddr, saddr, th, th->doff << 2)) goto clear_hash; - if (tcp_md5_hash_key(hp, key)) + if (tcp_md5_hash_key(&hp, key)) goto clear_hash; - ahash_request_set_crypt(req, NULL, md5_hash, 0); - if (crypto_ahash_final(req)) + ahash_request_set_crypt(hp.req, NULL, md5_hash, 0); + if (crypto_ahash_final(hp.req)) goto clear_hash; =20 - tcp_put_md5sig_pool(); + crypto_pool_put(); return 0; =20 clear_hash: - tcp_put_md5sig_pool(); + crypto_pool_put(); clear_hash_noput: memset(md5_hash, 0, 16); return 1; @@ -1402,8 +1405,7 @@ int tcp_v4_md5_hash_skb(char *md5_hash, const struct = tcp_md5sig_key *key, const struct sock *sk, const struct sk_buff *skb) { - struct tcp_md5sig_pool *hp; - struct ahash_request *req; + struct crypto_pool_ahash hp; const struct tcphdr *th =3D tcp_hdr(skb); __be32 saddr, daddr; =20 @@ -1416,29 +1418,27 @@ int tcp_v4_md5_hash_skb(char *md5_hash, const struc= t tcp_md5sig_key *key, daddr =3D iph->daddr; } =20 - hp =3D tcp_get_md5sig_pool(); - if (!hp) + if (crypto_pool_get(tcp_md5_crypto_pool_id, (struct crypto_pool *)&hp)) goto clear_hash_noput; - req =3D hp->md5_req; =20 - if (crypto_ahash_init(req)) + if (crypto_ahash_init(hp.req)) goto clear_hash; =20 - if (tcp_v4_md5_hash_headers(hp, daddr, saddr, th, skb->len)) + if (tcp_v4_md5_hash_headers(&hp, daddr, saddr, th, skb->len)) goto clear_hash; - if (tcp_md5_hash_skb_data(hp, skb, th->doff << 2)) + if (tcp_md5_hash_skb_data(&hp, skb, th->doff << 2)) goto clear_hash; - if (tcp_md5_hash_key(hp, key)) + if (tcp_md5_hash_key(&hp, key)) goto clear_hash; - ahash_request_set_crypt(req, NULL, md5_hash, 0); - if (crypto_ahash_final(req)) + ahash_request_set_crypt(hp.req, NULL, md5_hash, 0); + if (crypto_ahash_final(hp.req)) goto clear_hash; =20 - tcp_put_md5sig_pool(); + crypto_pool_put(); return 0; =20 clear_hash: - tcp_put_md5sig_pool(); + crypto_pool_put(); clear_hash_noput: memset(md5_hash, 0, 16); return 1; @@ -2257,6 +2257,18 @@ static int tcp_v4_init_sock(struct sock *sk) return 0; } =20 +#ifdef CONFIG_TCP_MD5SIG +static void tcp_md5sig_info_free_rcu(struct rcu_head *head) +{ + struct tcp_md5sig_info *md5sig; + + md5sig =3D container_of(head, struct tcp_md5sig_info, rcu); + kfree(md5sig); + static_branch_slow_dec_deferred(&tcp_md5_needed); + tcp_md5_release_crypto_pool(); +} +#endif + void tcp_v4_destroy_sock(struct sock *sk) { struct tcp_sock *tp =3D tcp_sk(sk); @@ -2281,10 +2293,12 @@ void tcp_v4_destroy_sock(struct sock *sk) #ifdef CONFIG_TCP_MD5SIG /* Clean up the MD5 key list, if any */ if (tp->md5sig_info) { + struct tcp_md5sig_info *md5sig; + + md5sig =3D rcu_dereference_protected(tp->md5sig_info, 1); tcp_clear_md5_list(sk); - kfree_rcu(rcu_dereference_protected(tp->md5sig_info, 1), rcu); - tp->md5sig_info =3D NULL; - static_branch_slow_dec_deferred(&tcp_md5_needed); + call_rcu(&md5sig->rcu, tcp_md5sig_info_free_rcu); + rcu_assign_pointer(tp->md5sig_info, NULL); } #endif =20 diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c index 5d475a45a478..d1d30337ffec 100644 --- a/net/ipv4/tcp_minisocks.c +++ b/net/ipv4/tcp_minisocks.c @@ -297,8 +297,10 @@ void tcp_time_wait(struct sock *sk, int state, int tim= eo) key =3D tp->af_specific->md5_lookup(sk, sk); if (key) { tcptw->tw_md5_key =3D kmemdup(key, sizeof(*key), GFP_ATOMIC); - BUG_ON(tcptw->tw_md5_key && !tcp_alloc_md5sig_pool()); + if (WARN_ON(!tcptw->tw_md5_key)) + break; atomic_inc(&tcp_md5_needed.key.key.enabled); + tcp_md5_add_crypto_pool(); } } } while (0); @@ -335,16 +337,26 @@ void tcp_time_wait(struct sock *sk, int state, int ti= meo) } EXPORT_SYMBOL(tcp_time_wait); =20 +#ifdef CONFIG_TCP_MD5SIG +static void tcp_md5_twsk_free_rcu(struct rcu_head *head) +{ + struct tcp_md5sig_key *key; + + key =3D container_of(head, struct tcp_md5sig_key, rcu); + kfree(key); + static_branch_slow_dec_deferred(&tcp_md5_needed); + tcp_md5_release_crypto_pool(); +} +#endif + void tcp_twsk_destructor(struct sock *sk) { #ifdef CONFIG_TCP_MD5SIG if (static_branch_unlikely(&tcp_md5_needed.key)) { struct tcp_timewait_sock *twsk =3D tcp_twsk(sk); =20 - if (twsk->tw_md5_key) { - kfree_rcu(twsk->tw_md5_key, rcu); - static_branch_slow_dec_deferred(&tcp_md5_needed); - } + if (twsk->tw_md5_key) + call_rcu(&twsk->tw_md5_key->rcu, tcp_md5_twsk_free_rcu); } #endif } diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c index cb891a71db0d..f75569f889e7 100644 --- a/net/ipv6/tcp_ipv6.c +++ b/net/ipv6/tcp_ipv6.c @@ -64,6 +64,7 @@ #include =20 #include +#include #include =20 #include @@ -665,7 +666,7 @@ static int tcp_v6_parse_md5_keys(struct sock *sk, int o= ptname, cmd.tcpm_key, cmd.tcpm_keylen); } =20 -static int tcp_v6_md5_hash_headers(struct tcp_md5sig_pool *hp, +static int tcp_v6_md5_hash_headers(struct crypto_pool_ahash *hp, const struct in6_addr *daddr, const struct in6_addr *saddr, const struct tcphdr *th, int nbytes) @@ -674,7 +675,7 @@ static int tcp_v6_md5_hash_headers(struct tcp_md5sig_po= ol *hp, struct scatterlist sg; struct tcphdr *_th; =20 - bp =3D hp->scratch; + bp =3D hp->base.scratch; /* 1. TCP pseudo-header (RFC2460) */ bp->saddr =3D *saddr; bp->daddr =3D *daddr; @@ -686,38 +687,35 @@ static int tcp_v6_md5_hash_headers(struct tcp_md5sig_= pool *hp, _th->check =3D 0; =20 sg_init_one(&sg, bp, sizeof(*bp) + sizeof(*th)); - ahash_request_set_crypt(hp->md5_req, &sg, NULL, + ahash_request_set_crypt(hp->req, &sg, NULL, sizeof(*bp) + sizeof(*th)); - return crypto_ahash_update(hp->md5_req); + return crypto_ahash_update(hp->req); } =20 static int tcp_v6_md5_hash_hdr(char *md5_hash, const struct tcp_md5sig_key= *key, const struct in6_addr *daddr, struct in6_addr *saddr, const struct tcphdr *th) { - struct tcp_md5sig_pool *hp; - struct ahash_request *req; + struct crypto_pool_ahash hp; =20 - hp =3D tcp_get_md5sig_pool(); - if (!hp) + if (crypto_pool_get(tcp_md5_crypto_pool_id, (struct crypto_pool *)&hp)) goto clear_hash_noput; - req =3D hp->md5_req; =20 - if (crypto_ahash_init(req)) + if (crypto_ahash_init(hp.req)) goto clear_hash; - if (tcp_v6_md5_hash_headers(hp, daddr, saddr, th, th->doff << 2)) + if (tcp_v6_md5_hash_headers(&hp, daddr, saddr, th, th->doff << 2)) goto clear_hash; - if (tcp_md5_hash_key(hp, key)) + if (tcp_md5_hash_key(&hp, key)) goto clear_hash; - ahash_request_set_crypt(req, NULL, md5_hash, 0); - if (crypto_ahash_final(req)) + ahash_request_set_crypt(hp.req, NULL, md5_hash, 0); + if (crypto_ahash_final(hp.req)) goto clear_hash; =20 - tcp_put_md5sig_pool(); + crypto_pool_put(); return 0; =20 clear_hash: - tcp_put_md5sig_pool(); + crypto_pool_put(); clear_hash_noput: memset(md5_hash, 0, 16); return 1; @@ -729,8 +727,7 @@ static int tcp_v6_md5_hash_skb(char *md5_hash, const struct sk_buff *skb) { const struct in6_addr *saddr, *daddr; - struct tcp_md5sig_pool *hp; - struct ahash_request *req; + struct crypto_pool_ahash hp; const struct tcphdr *th =3D tcp_hdr(skb); =20 if (sk) { /* valid for establish/request sockets */ @@ -742,29 +739,27 @@ static int tcp_v6_md5_hash_skb(char *md5_hash, daddr =3D &ip6h->daddr; } =20 - hp =3D tcp_get_md5sig_pool(); - if (!hp) + if (crypto_pool_get(tcp_md5_crypto_pool_id, (struct crypto_pool *)&hp)) goto clear_hash_noput; - req =3D hp->md5_req; =20 - if (crypto_ahash_init(req)) + if (crypto_ahash_init(hp.req)) goto clear_hash; =20 - if (tcp_v6_md5_hash_headers(hp, daddr, saddr, th, skb->len)) + if (tcp_v6_md5_hash_headers(&hp, daddr, saddr, th, skb->len)) goto clear_hash; - if (tcp_md5_hash_skb_data(hp, skb, th->doff << 2)) + if (tcp_md5_hash_skb_data(&hp, skb, th->doff << 2)) goto clear_hash; - if (tcp_md5_hash_key(hp, key)) + if (tcp_md5_hash_key(&hp, key)) goto clear_hash; - ahash_request_set_crypt(req, NULL, md5_hash, 0); - if (crypto_ahash_final(req)) + ahash_request_set_crypt(hp.req, NULL, md5_hash, 0); + if (crypto_ahash_final(hp.req)) goto clear_hash; =20 - tcp_put_md5sig_pool(); + crypto_pool_put(); return 0; =20 clear_hash: - tcp_put_md5sig_pool(); + crypto_pool_put(); clear_hash_noput: memset(md5_hash, 0, 16); return 1; --=20 2.37.2 From nobody Fri Apr 10 21:51:38 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id DAE99C32772 for ; Thu, 18 Aug 2022 17:01:40 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1345308AbiHRRBj (ORCPT ); Thu, 18 Aug 2022 13:01:39 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34864 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1345354AbiHRRAc (ORCPT ); Thu, 18 Aug 2022 13:00:32 -0400 Received: from mail-wm1-x32e.google.com (mail-wm1-x32e.google.com [IPv6:2a00:1450:4864:20::32e]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id DB6BD270 for ; Thu, 18 Aug 2022 10:00:23 -0700 (PDT) Received: by mail-wm1-x32e.google.com with SMTP id i129-20020a1c3b87000000b003a62f19b453so348364wma.3 for ; Thu, 18 Aug 2022 10:00:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=arista.com; s=google; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc; bh=R5vc7GzcNWumOn9JquR429nbSMPLXQ9P0kN3Q20wPUs=; b=fn9uEdA5s99SWlPIZ9yzvDZ6XG4grd7Osb95QfV38sHKteVwmelB+SJpJwvpUE/tJU Ghti1+Tqi5ZnbB7Mv7wyYYoXdnQFvRY7HBRrJHvoyuyQRZceh9poBiK4yeoU6dEJ1mKq 9eFy4BtffMrSt1hNqTfLo80If5oKmRzsGQnvtPINNEIETsNnoi/7wkwhVDttLDMs6TfL KDfB8cjT8bjEq27Zq3TDhSoQVJMH59QEm7gQVSRtyoncPJE8U9E331p0pPwE/uj98emM rOSb4ujV5SV1ACDBV2Dz5/zqdfNRvasbmKHoE19O3WYLig3XZfvrs+jVzc0J1wrCBOvp YZNw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc; bh=R5vc7GzcNWumOn9JquR429nbSMPLXQ9P0kN3Q20wPUs=; b=xdjr+9XyiEkVQcN2IL1xxQSdE+UeYIpVtsa2yRyAcKexGDWKuZfWz+2jLCespdVTm5 BMGqHbXDKLGF0lYA0l0epLZ74GMJ1+iy8/1hXlvkS4XEvgLD4afV38QTRbviCIsrAOpo +s+xvRzPJCl6pRKuE6/vzuRZ6mJAXGlmCQBHg2HkCMySJA7m+jepFi8surtCtLNF85TJ DggnASYT+lNnFynwac3SWXKU5nBDXMQK8rskbKOeRIbOqvS/QnByJ8DdZ8tim7wOoAqM DaTuB3wTxZ4z43Ym+RBclKthiydfTMYd8fX3VBPaCLZlVQNwRgDcsspevOOSC9SpwhlA 6nQA== X-Gm-Message-State: ACgBeo0NLpecW+7ThJzqZQdjwhhkeqH1EIVPp0FT765OLs3bdmau4o+6 ++p+j4GWf0zvUWBmAl7CA+Z2zg== X-Google-Smtp-Source: AA6agR62r1WlDfKmuAHByWBLF9d2NE41yBu/QbmDx85WTMW77UasaJu/SMTq1McVnurK321xrfY2OQ== X-Received: by 2002:a7b:c007:0:b0:3a5:f600:4ff5 with SMTP id c7-20020a7bc007000000b003a5f6004ff5mr2528338wmb.110.1660842022025; Thu, 18 Aug 2022 10:00:22 -0700 (PDT) Received: from Mindolluin.ire.aristanetworks.com ([217.173.96.166]) by smtp.gmail.com with ESMTPSA id be13-20020a05600c1e8d00b003a511e92abcsm2662169wmb.34.2022.08.18.10.00.20 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 18 Aug 2022 10:00:21 -0700 (PDT) From: Dmitry Safonov To: Eric Dumazet , "David S. Miller" , linux-kernel@vger.kernel.org Cc: Dmitry Safonov , Andy Lutomirski , Ard Biesheuvel , Bob Gilligan , David Ahern , Dmitry Safonov <0x7f454c46@gmail.com>, Eric Biggers , Francesco Ruggeri , Herbert Xu , Hideaki YOSHIFUJI , Ivan Delalande , Jakub Kicinski , Leonard Crestez , Paolo Abeni , Salam Noureddine , Shuah Khan , netdev@vger.kernel.org, linux-crypto@vger.kernel.org Subject: [PATCH 06/31] net/ipv6: sr: Switch to using crypto_pool Date: Thu, 18 Aug 2022 17:59:40 +0100 Message-Id: <20220818170005.747015-7-dima@arista.com> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220818170005.747015-1-dima@arista.com> References: <20220818170005.747015-1-dima@arista.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" The conversion to use crypto_pool has the following upsides: - now SR uses asynchronous API which may potentially free CPU cycles and improve performance for of CPU crypto algorithm providers; - hash descriptors now don't have to be allocated on boot, but only at the moment SR starts using HMAC and until the last HMAC secret is deleted; - potentially reuse ahash_request(s) for different users - allocate only one per-CPU scratch buffer rather than a new one for each user - have a common API for net/ users that need ahash on RX/TX fast path Signed-off-by: Dmitry Safonov --- include/net/seg6_hmac.h | 7 -- net/ipv6/Kconfig | 2 +- net/ipv6/seg6.c | 3 - net/ipv6/seg6_hmac.c | 204 ++++++++++++++++------------------------ 4 files changed, 80 insertions(+), 136 deletions(-) diff --git a/include/net/seg6_hmac.h b/include/net/seg6_hmac.h index 2b5d2ee5613e..d6b7820ecda2 100644 --- a/include/net/seg6_hmac.h +++ b/include/net/seg6_hmac.h @@ -32,13 +32,6 @@ struct seg6_hmac_info { u8 alg_id; }; =20 -struct seg6_hmac_algo { - u8 alg_id; - char name[64]; - struct crypto_shash * __percpu *tfms; - struct shash_desc * __percpu *shashs; -}; - extern int seg6_hmac_compute(struct seg6_hmac_info *hinfo, struct ipv6_sr_hdr *hdr, struct in6_addr *saddr, u8 *output); diff --git a/net/ipv6/Kconfig b/net/ipv6/Kconfig index 658bfed1df8b..5be1dab0f178 100644 --- a/net/ipv6/Kconfig +++ b/net/ipv6/Kconfig @@ -304,7 +304,7 @@ config IPV6_SEG6_LWTUNNEL config IPV6_SEG6_HMAC bool "IPv6: Segment Routing HMAC support" depends on IPV6 - select CRYPTO + select CRYPTO_POOL select CRYPTO_HMAC select CRYPTO_SHA1 select CRYPTO_SHA256 diff --git a/net/ipv6/seg6.c b/net/ipv6/seg6.c index 73aaabf0e966..96b80e1d04c1 100644 --- a/net/ipv6/seg6.c +++ b/net/ipv6/seg6.c @@ -552,9 +552,6 @@ int __init seg6_init(void) =20 void seg6_exit(void) { -#ifdef CONFIG_IPV6_SEG6_HMAC - seg6_hmac_exit(); -#endif #ifdef CONFIG_IPV6_SEG6_LWTUNNEL seg6_iptunnel_exit(); #endif diff --git a/net/ipv6/seg6_hmac.c b/net/ipv6/seg6_hmac.c index d43c50a7310d..3732dd993925 100644 --- a/net/ipv6/seg6_hmac.c +++ b/net/ipv6/seg6_hmac.c @@ -35,6 +35,7 @@ #include =20 #include +#include #include #include #include @@ -70,6 +71,12 @@ static const struct rhashtable_params rht_params =3D { .obj_cmpfn =3D seg6_hmac_cmpfn, }; =20 +struct seg6_hmac_algo { + u8 alg_id; + char name[64]; + int crypto_pool_id; +}; + static struct seg6_hmac_algo hmac_algos[] =3D { { .alg_id =3D SEG6_HMAC_ALGO_SHA1, @@ -115,55 +122,17 @@ static struct seg6_hmac_algo *__hmac_get_algo(u8 alg_= id) return NULL; } =20 -static int __do_hmac(struct seg6_hmac_info *hinfo, const char *text, u8 ps= ize, - u8 *output, int outlen) -{ - struct seg6_hmac_algo *algo; - struct crypto_shash *tfm; - struct shash_desc *shash; - int ret, dgsize; - - algo =3D __hmac_get_algo(hinfo->alg_id); - if (!algo) - return -ENOENT; - - tfm =3D *this_cpu_ptr(algo->tfms); - - dgsize =3D crypto_shash_digestsize(tfm); - if (dgsize > outlen) { - pr_debug("sr-ipv6: __do_hmac: digest size too big (%d / %d)\n", - dgsize, outlen); - return -ENOMEM; - } - - ret =3D crypto_shash_setkey(tfm, hinfo->secret, hinfo->slen); - if (ret < 0) { - pr_debug("sr-ipv6: crypto_shash_setkey failed: err %d\n", ret); - goto failed; - } - - shash =3D *this_cpu_ptr(algo->shashs); - shash->tfm =3D tfm; - - ret =3D crypto_shash_digest(shash, text, psize, output); - if (ret < 0) { - pr_debug("sr-ipv6: crypto_shash_digest failed: err %d\n", ret); - goto failed; - } - - return dgsize; - -failed: - return ret; -} - int seg6_hmac_compute(struct seg6_hmac_info *hinfo, struct ipv6_sr_hdr *hd= r, struct in6_addr *saddr, u8 *output) { __be32 hmackeyid =3D cpu_to_be32(hinfo->hmackeyid); - u8 tmp_out[SEG6_HMAC_MAX_DIGESTSIZE]; + struct crypto_pool_ahash hp; + struct seg6_hmac_algo *algo; int plen, i, dgsize, wrsize; + struct crypto_ahash *tfm; + struct scatterlist sg; char *ring, *off; + int err; =20 /* a 160-byte buffer for digest output allows to store highest known * hash function (RadioGatun) with up to 1216 bits @@ -176,6 +145,10 @@ int seg6_hmac_compute(struct seg6_hmac_info *hinfo, st= ruct ipv6_sr_hdr *hdr, if (plen >=3D SEG6_HMAC_RING_SIZE) return -EMSGSIZE; =20 + algo =3D __hmac_get_algo(hinfo->alg_id); + if (!algo) + return -ENOENT; + /* Let's build the HMAC text on the ring buffer. The text is composed * as follows, in order: * @@ -186,8 +159,36 @@ int seg6_hmac_compute(struct seg6_hmac_info *hinfo, st= ruct ipv6_sr_hdr *hdr, * 5. All segments in the segments list (n * 128 bits) */ =20 - local_bh_disable(); + err =3D crypto_pool_get(algo->crypto_pool_id, (struct crypto_pool *)&hp); + if (err) + return err; + ring =3D this_cpu_ptr(hmac_ring); + + sg_init_one(&sg, ring, plen); + + tfm =3D crypto_ahash_reqtfm(hp.req); + dgsize =3D crypto_ahash_digestsize(tfm); + if (dgsize > SEG6_HMAC_MAX_DIGESTSIZE) { + pr_debug("digest size too big (%d / %d)\n", + dgsize, SEG6_HMAC_MAX_DIGESTSIZE); + err =3D -ENOMEM; + goto err_put_pool; + } + + err =3D crypto_ahash_setkey(tfm, hinfo->secret, hinfo->slen); + if (err) { + pr_debug("crypto_ahash_setkey failed: err %d\n", err); + goto err_put_pool; + } + + err =3D crypto_ahash_init(hp.req); + if (err) + goto err_put_pool; + + ahash_request_set_crypt(hp.req, &sg, + hp.base.scratch, SEG6_HMAC_MAX_DIGESTSIZE); + off =3D ring; =20 /* source address */ @@ -210,21 +211,25 @@ int seg6_hmac_compute(struct seg6_hmac_info *hinfo, s= truct ipv6_sr_hdr *hdr, off +=3D 16; } =20 - dgsize =3D __do_hmac(hinfo, ring, plen, tmp_out, - SEG6_HMAC_MAX_DIGESTSIZE); - local_bh_enable(); + err =3D crypto_ahash_update(hp.req); + if (err) + goto err_put_pool; =20 - if (dgsize < 0) - return dgsize; + err =3D crypto_ahash_final(hp.req); + if (err) + goto err_put_pool; =20 wrsize =3D SEG6_HMAC_FIELD_LEN; if (wrsize > dgsize) wrsize =3D dgsize; =20 memset(output, 0, SEG6_HMAC_FIELD_LEN); - memcpy(output, tmp_out, wrsize); + memcpy(output, hp.base.scratch, wrsize); =20 - return 0; +err_put_pool: + crypto_pool_put(); + + return err; } EXPORT_SYMBOL(seg6_hmac_compute); =20 @@ -291,12 +296,24 @@ EXPORT_SYMBOL(seg6_hmac_info_lookup); int seg6_hmac_info_add(struct net *net, u32 key, struct seg6_hmac_info *hi= nfo) { struct seg6_pernet_data *sdata =3D seg6_pernet(net); - int err; + struct seg6_hmac_algo *algo; + int ret; =20 - err =3D rhashtable_lookup_insert_fast(&sdata->hmac_infos, &hinfo->node, + algo =3D __hmac_get_algo(hinfo->alg_id); + if (!algo) + return -ENOENT; + + ret =3D crypto_pool_alloc_ahash(algo->name); + if (ret < 0) + return ret; + algo->crypto_pool_id =3D ret; + + ret =3D rhashtable_lookup_insert_fast(&sdata->hmac_infos, &hinfo->node, rht_params); + if (ret) + crypto_pool_release(algo->crypto_pool_id); =20 - return err; + return ret; } EXPORT_SYMBOL(seg6_hmac_info_add); =20 @@ -304,6 +321,7 @@ int seg6_hmac_info_del(struct net *net, u32 key) { struct seg6_pernet_data *sdata =3D seg6_pernet(net); struct seg6_hmac_info *hinfo; + struct seg6_hmac_algo *algo; int err =3D -ENOENT; =20 hinfo =3D rhashtable_lookup_fast(&sdata->hmac_infos, &key, rht_params); @@ -315,6 +333,12 @@ int seg6_hmac_info_del(struct net *net, u32 key) if (err) goto out; =20 + algo =3D __hmac_get_algo(hinfo->alg_id); + if (algo) + crypto_pool_release(algo->crypto_pool_id); + else + WARN_ON_ONCE(1); + seg6_hinfo_release(hinfo); =20 out: @@ -348,56 +372,9 @@ int seg6_push_hmac(struct net *net, struct in6_addr *s= addr, } EXPORT_SYMBOL(seg6_push_hmac); =20 -static int seg6_hmac_init_algo(void) -{ - struct seg6_hmac_algo *algo; - struct crypto_shash *tfm; - struct shash_desc *shash; - int i, alg_count, cpu; - - alg_count =3D ARRAY_SIZE(hmac_algos); - - for (i =3D 0; i < alg_count; i++) { - struct crypto_shash **p_tfm; - int shsize; - - algo =3D &hmac_algos[i]; - algo->tfms =3D alloc_percpu(struct crypto_shash *); - if (!algo->tfms) - return -ENOMEM; - - for_each_possible_cpu(cpu) { - tfm =3D crypto_alloc_shash(algo->name, 0, 0); - if (IS_ERR(tfm)) - return PTR_ERR(tfm); - p_tfm =3D per_cpu_ptr(algo->tfms, cpu); - *p_tfm =3D tfm; - } - - p_tfm =3D raw_cpu_ptr(algo->tfms); - tfm =3D *p_tfm; - - shsize =3D sizeof(*shash) + crypto_shash_descsize(tfm); - - algo->shashs =3D alloc_percpu(struct shash_desc *); - if (!algo->shashs) - return -ENOMEM; - - for_each_possible_cpu(cpu) { - shash =3D kzalloc_node(shsize, GFP_KERNEL, - cpu_to_node(cpu)); - if (!shash) - return -ENOMEM; - *per_cpu_ptr(algo->shashs, cpu) =3D shash; - } - } - - return 0; -} - int __init seg6_hmac_init(void) { - return seg6_hmac_init_algo(); + return crypto_pool_reserve_scratch(SEG6_HMAC_MAX_DIGESTSIZE); } =20 int __net_init seg6_hmac_net_init(struct net *net) @@ -407,29 +384,6 @@ int __net_init seg6_hmac_net_init(struct net *net) return rhashtable_init(&sdata->hmac_infos, &rht_params); } =20 -void seg6_hmac_exit(void) -{ - struct seg6_hmac_algo *algo =3D NULL; - int i, alg_count, cpu; - - alg_count =3D ARRAY_SIZE(hmac_algos); - for (i =3D 0; i < alg_count; i++) { - algo =3D &hmac_algos[i]; - for_each_possible_cpu(cpu) { - struct crypto_shash *tfm; - struct shash_desc *shash; - - shash =3D *per_cpu_ptr(algo->shashs, cpu); - kfree(shash); - tfm =3D *per_cpu_ptr(algo->tfms, cpu); - crypto_free_shash(tfm); - } - free_percpu(algo->tfms); - free_percpu(algo->shashs); - } -} -EXPORT_SYMBOL(seg6_hmac_exit); - void __net_exit seg6_hmac_net_exit(struct net *net) { struct seg6_pernet_data *sdata =3D seg6_pernet(net); --=20 2.37.2 From nobody Fri Apr 10 21:51:38 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9E763C32773 for ; Thu, 18 Aug 2022 17:01:37 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1344630AbiHRRBe (ORCPT ); Thu, 18 Aug 2022 13:01:34 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34380 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1345348AbiHRRAc (ORCPT ); Thu, 18 Aug 2022 13:00:32 -0400 Received: from mail-wr1-x42c.google.com (mail-wr1-x42c.google.com [IPv6:2a00:1450:4864:20::42c]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id F2830C00CA for ; Thu, 18 Aug 2022 10:00:23 -0700 (PDT) Received: by mail-wr1-x42c.google.com with SMTP id n7so2429978wrv.4 for ; Thu, 18 Aug 2022 10:00:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=arista.com; s=google; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc; bh=TTM1N0pozEi1ZwuAicctDY4Ebesq3/EO1cjWgF0hb64=; b=fOo3VI1g9BmPPgN7rpnPW1lV2d3KC1BwBi5fU8pOlu6RdoUYKuCo0aE+lbpHzCMnSl zuliEMyU7akY6nN8Qbgwu5pYNHu4/S1ka9vxrr866PUnfGe6iRAz//I7V2gi0Jo5q6tA Ewe4e4MQs+3XeGZZjnthnQI8/W3ckjY05miknqoVGod6S50gp2QZnY93XOjmfNRo83UP ueBK3mW0DuB74cU0fhC+9y6scMaVbnEB1W2Z6TFV2QUERh/i36VZkIHH5NKDyjyRgk4n 0zsgbQZOPZ7woDCrclDYj6J2uOk64Nb+zBKx968J3azSNrgEgJyk8zvSGGjXIRF9ZKp8 44ag== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc; bh=TTM1N0pozEi1ZwuAicctDY4Ebesq3/EO1cjWgF0hb64=; b=WIliFUm+A9GbDswR2wdEG/OaVxng9cTHaFT5YW/2Xowv/i0iyXwdKYzdJwY513b1+d JC9apvfjIB3L9MbxOkr/dfedx6pmIoGvLe+ofvWChnCbJQh/ItLmc3ijDy7SJa9MW4H8 2kxM+OpKw9Y7MrYlEToUrffkgwChZrP5Iy0XDpEnczReqA/bqzuDf3P67FUJEBzIgpfk izXNcFJAp3SMV/NJPyP2twst+gXN/muM9PsBSlo+2cA4H6esc4exdItvyMaCfqqj7OK+ Y9zoQzxib8FBHkm1aGSDTerDkd2bQeBAugtl3YjR2rC4r5ozmv//1ZhhICPkAPtah9Sz 7vHQ== X-Gm-Message-State: ACgBeo25OwwhfHZssGB7ceud3wbnhqCtEHTIxo4Nf39HBWas7Ddl4/RN Cj16zXwPSCPupenLrisbaqHouw== X-Google-Smtp-Source: AA6agR4Bi9FWueEdfgfnGm3vffmOECSbA/4skiRs1lc76RzCakmLtMT7McffTq5GWOmP9g5CS6QkFA== X-Received: by 2002:a05:6000:11c8:b0:225:3316:6957 with SMTP id i8-20020a05600011c800b0022533166957mr998191wrx.218.1660842023450; Thu, 18 Aug 2022 10:00:23 -0700 (PDT) Received: from Mindolluin.ire.aristanetworks.com ([217.173.96.166]) by smtp.gmail.com with ESMTPSA id be13-20020a05600c1e8d00b003a511e92abcsm2662169wmb.34.2022.08.18.10.00.22 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 18 Aug 2022 10:00:23 -0700 (PDT) From: Dmitry Safonov To: Eric Dumazet , "David S. Miller" , linux-kernel@vger.kernel.org Cc: Dmitry Safonov , Andy Lutomirski , Ard Biesheuvel , Bob Gilligan , David Ahern , Dmitry Safonov <0x7f454c46@gmail.com>, Eric Biggers , Francesco Ruggeri , Herbert Xu , Hideaki YOSHIFUJI , Ivan Delalande , Jakub Kicinski , Leonard Crestez , Paolo Abeni , Salam Noureddine , Shuah Khan , netdev@vger.kernel.org, linux-crypto@vger.kernel.org Subject: [PATCH 07/31] tcp: Add TCP-AO config and structures Date: Thu, 18 Aug 2022 17:59:41 +0100 Message-Id: <20220818170005.747015-8-dima@arista.com> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220818170005.747015-1-dima@arista.com> References: <20220818170005.747015-1-dima@arista.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" Introduce new kernel config option and common structures as well as helpers to be used by TCP-AO code. Co-developed-by: Francesco Ruggeri Signed-off-by: Francesco Ruggeri Co-developed-by: Salam Noureddine Signed-off-by: Salam Noureddine Signed-off-by: Dmitry Safonov --- include/linux/tcp.h | 3 ++ include/net/tcp.h | 8 +--- include/net/tcp_ao.h | 90 ++++++++++++++++++++++++++++++++++++++++ include/uapi/linux/tcp.h | 2 + net/ipv4/Kconfig | 13 ++++++ 5 files changed, 110 insertions(+), 6 deletions(-) create mode 100644 include/net/tcp_ao.h diff --git a/include/linux/tcp.h b/include/linux/tcp.h index a9fbe22732c3..c8a8aaaf725b 100644 --- a/include/linux/tcp.h +++ b/include/linux/tcp.h @@ -435,6 +435,9 @@ struct tcp_sock { /* TCP MD5 Signature Option information */ struct tcp_md5sig_info __rcu *md5sig_info; #endif +#ifdef CONFIG_TCP_AO + struct tcp_ao_info __rcu *ao_info; +#endif =20 /* TCP fastopen related information */ struct tcp_fastopen_request *fastopen_req; diff --git a/include/net/tcp.h b/include/net/tcp.h index 75bb817928c1..b4b009094bf6 100644 --- a/include/net/tcp.h +++ b/include/net/tcp.h @@ -37,6 +37,7 @@ #include #include #include +#include #include #include #include @@ -1605,12 +1606,7 @@ static inline void tcp_clear_all_retrans_hints(struc= t tcp_sock *tp) tp->retransmit_skb_hint =3D NULL; } =20 -union tcp_md5_addr { - struct in_addr a4; -#if IS_ENABLED(CONFIG_IPV6) - struct in6_addr a6; -#endif -}; +#define tcp_md5_addr tcp_ao_addr =20 /* - key database */ struct tcp_md5sig_key { diff --git a/include/net/tcp_ao.h b/include/net/tcp_ao.h new file mode 100644 index 000000000000..39b3fc31e5a1 --- /dev/null +++ b/include/net/tcp_ao.h @@ -0,0 +1,90 @@ +/* SPDX-License-Identifier: GPL-2.0-or-later */ +#ifndef _TCP_AO_H +#define _TCP_AO_H + +#define TCP_AO_MAX_HASH_SIZE 64 +#define TCP_AO_KEY_ALIGN 1 +#define __tcp_ao_key_align __aligned(TCP_AO_KEY_ALIGN) + +union tcp_ao_addr { + struct in_addr a4; +#if IS_ENABLED(CONFIG_IPV6) + struct in6_addr a6; +#endif +}; + +struct tcp_ao_hdr { + u8 kind; + u8 length; + u8 keyid; + u8 rnext_keyid; +}; + +struct tcp_ao_key { + struct hlist_node node; + union tcp_ao_addr addr; + u8 key[TCP_AO_MAXKEYLEN] __tcp_ao_key_align; + unsigned int crypto_pool_id; + u16 port; + u8 prefixlen; + u8 family; + u8 keylen; + u8 keyflags; + u8 sndid; + u8 rcvid; + u8 maclen; + u8 digest_size; + struct rcu_head rcu; + u8 traffic_keys[]; +}; + +static inline u8 *rcv_other_key(struct tcp_ao_key *key) +{ + return key->traffic_keys; +} + +static inline u8 *snd_other_key(struct tcp_ao_key *key) +{ + return key->traffic_keys + key->digest_size; +} + +static inline int tcp_ao_maclen(const struct tcp_ao_key *key) +{ + return key->maclen; +} + +static inline int tcp_ao_sizeof_key(const struct tcp_ao_key *key) +{ + return sizeof(struct tcp_ao_key) + (TCP_AO_MAX_HASH_SIZE << 1); +} + +static inline int tcp_ao_len(const struct tcp_ao_key *key) +{ + return tcp_ao_maclen(key) + sizeof(struct tcp_ao_hdr); +} + +static inline unsigned int tcp_ao_digest_size(struct tcp_ao_key *key) +{ + return key->digest_size; +} + +struct tcp_ao_info { + struct hlist_head head; + struct rcu_head rcu; + /* current_key and rnext_key aren't maintained on listen sockets. + * Their purpose is to cache keys on established connections, + * saving needless lookups. Never dereference any of them from + * listen sockets. + */ + struct tcp_ao_key *volatile current_key; + struct tcp_ao_key *rnext_key; + u8 ao_flags; + __be32 lisn; + __be32 risn; + u32 snd_sne; + u32 snd_sne_seq; + u32 rcv_sne; + u32 rcv_sne_seq; +}; + +#endif /* _TCP_AO_H */ diff --git a/include/uapi/linux/tcp.h b/include/uapi/linux/tcp.h index 8fc09e8638b3..849bbf2d3c38 100644 --- a/include/uapi/linux/tcp.h +++ b/include/uapi/linux/tcp.h @@ -342,6 +342,8 @@ struct tcp_diag_md5sig { __u8 tcpm_key[TCP_MD5SIG_MAXKEYLEN]; }; =20 +#define TCP_AO_MAXKEYLEN 80 + /* setsockopt(fd, IPPROTO_TCP, TCP_ZEROCOPY_RECEIVE, ...) */ =20 #define TCP_RECEIVE_ZEROCOPY_FLAG_TLB_CLEAN_HINT 0x1 diff --git a/net/ipv4/Kconfig b/net/ipv4/Kconfig index c341864e4398..89bd0e9d97fe 100644 --- a/net/ipv4/Kconfig +++ b/net/ipv4/Kconfig @@ -731,6 +731,19 @@ config DEFAULT_TCP_CONG default "bbr" if DEFAULT_BBR default "cubic" =20 +config TCP_AO + bool "TCP: Authentication Option (rfc5925)" + select CRYPTO + select CRYPTO_POOL + select TCP_MD5SIG + depends on 64BIT # seq-number extension needs WRITE_ONCE(u64) + default y + help + TCP-AO specifies the use of stronger Message Authentication Codes (MACs= ), + protects against replays for long-lived TCP connections, and + provides more details on the association of security with TCP + connections than TCP MD5 (See RFC5925) + config TCP_MD5SIG bool "TCP: MD5 Signature Option support (RFC2385)" select CRYPTO_POOL --=20 2.37.2 From nobody Fri Apr 10 21:51:38 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 548AEC00140 for ; Thu, 18 Aug 2022 17:01:52 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1345321AbiHRRBt (ORCPT ); Thu, 18 Aug 2022 13:01:49 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33620 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1345391AbiHRRAk (ORCPT ); Thu, 18 Aug 2022 13:00:40 -0400 Received: from mail-wr1-x42b.google.com (mail-wr1-x42b.google.com [IPv6:2a00:1450:4864:20::42b]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 45C84C888F for ; Thu, 18 Aug 2022 10:00:26 -0700 (PDT) Received: by mail-wr1-x42b.google.com with SMTP id n7so2430075wrv.4 for ; Thu, 18 Aug 2022 10:00:26 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=arista.com; s=google; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc; bh=Dq/USFzCEiBZjj7h90jqqSbylHQnOyq/ohhBdXrYBkE=; b=Pp4E+0wt84lr0sV/UxkwTyy8lIjy09e2G7EItQDW3xH1FoIU/ODBYD9sTyIuXjNx3D QCsNPn8t5YNYLfW2qTIzYJ8dEdO9cjbiQdM6LztlnzwkvmpoiZaFHCTDtV2ynaUFbko6 U1IKsThOdGKx+WJq8xIgab0nLNesxV8KplrEQm+N+wqIkS77OTmY65dlDQosxnD+G/Ww EtX7anRpRWtYRj6lshQK+WQmI1UlFlQbR/nHFb/I6S5mJCFlpc5FBB708/9ew6eSo3kv lSi1eX961HXKrWfOR7qpig4wpe6fazoVjjdRTttHvwmw/Kd5isHvI9Cr7GKXyFpovs7M Nx1w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc; bh=Dq/USFzCEiBZjj7h90jqqSbylHQnOyq/ohhBdXrYBkE=; b=fExotBD1a0tXGrOm0pyFv5zOMOup5jdclknzzr9QafJPXsv8tTgTxYjl86ljgH5or7 4f0rnWvwRVMVZ4H5ZtQOR6en4yDVovZ1kpM4lO8+qAwQiCOVq1rh9t0EOUOgpGpRZA+C 5pHzi/JIUxaatkpv95/IA5pPg4o64ZFxTOruW6dB/c0bBae6BmLLT0kF/wmygoUZcusn Zd/wuKA3Y0TFktcZ0+AtsrVZh1FOCejxlmhHmfXUIp+hzBbFnOeoCsjzWfKpi+zpaYHQ DcVPQPep6lJVbAC+/C0aqsriwm8qhsHakaasTg4+WlgIebWDd+PesLVUzF9z9HT9t+D3 HSHA== X-Gm-Message-State: ACgBeo3XOET48HTiDLolE8kr+Z7EJKXJoDh4JOIbK+nAy2Ll6AyyzsIS RzQdJDf190Sznz1TZJjwTbNzCA== X-Google-Smtp-Source: AA6agR5lyK0/ZHEwMHBnjsOetJ4vQgTERbZ6jK1kKGjvfSTNEVZ52IWPBUd1kRip4S196O+kJen08A== X-Received: by 2002:a5d:6b12:0:b0:21f:1568:c7e1 with SMTP id v18-20020a5d6b12000000b0021f1568c7e1mr2151720wrw.532.1660842025030; Thu, 18 Aug 2022 10:00:25 -0700 (PDT) Received: from Mindolluin.ire.aristanetworks.com ([217.173.96.166]) by smtp.gmail.com with ESMTPSA id be13-20020a05600c1e8d00b003a511e92abcsm2662169wmb.34.2022.08.18.10.00.23 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 18 Aug 2022 10:00:24 -0700 (PDT) From: Dmitry Safonov To: Eric Dumazet , "David S. Miller" , linux-kernel@vger.kernel.org Cc: Dmitry Safonov , Andy Lutomirski , Ard Biesheuvel , Bob Gilligan , David Ahern , Dmitry Safonov <0x7f454c46@gmail.com>, Eric Biggers , Francesco Ruggeri , Herbert Xu , Hideaki YOSHIFUJI , Ivan Delalande , Jakub Kicinski , Leonard Crestez , Paolo Abeni , Salam Noureddine , Shuah Khan , netdev@vger.kernel.org, linux-crypto@vger.kernel.org Subject: [PATCH 08/31] net/tcp: Introduce TCP_AO setsockopt()s Date: Thu, 18 Aug 2022 17:59:42 +0100 Message-Id: <20220818170005.747015-9-dima@arista.com> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220818170005.747015-1-dima@arista.com> References: <20220818170005.747015-1-dima@arista.com> MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Add 3 setsockopt()s: 1. to add a new Master Key Tuple (MKT) on a socket 2. to delete present MKT from a socket 3. to change flags of an MKT Userspace has to introduce keys on every socket it wants to use TCP-AO option on, similarly to TCP_MD5SIG/TCP_MD5SIG_EXT. RFC5925 prohibits definition of MKTs that would match the same peer, so do sanity checks on the data provided by userspace. Be as conservative as possible, including refusal of defining MKT on an established connection with no AO, removing the key in-use and etc. (1) and (2) are to be used by userspace key manager to add/remove keys. (3) main purpose is to set rnext_key, which (as prescribed by RFC5925) is the key id that will be requested in TCP-AO header from the peer to sign their segments with. At this moment the life of ao_info ends in tcp_v4_destroy_sock(). Co-developed-by: Francesco Ruggeri Signed-off-by: Francesco Ruggeri Co-developed-by: Salam Noureddine Signed-off-by: Salam Noureddine Signed-off-by: Dmitry Safonov Reported-by: kernel test robot --- include/linux/sockptr.h | 23 ++ include/net/tcp.h | 6 + include/net/tcp_ao.h | 15 + include/uapi/linux/tcp.h | 35 ++ net/ipv4/Makefile | 1 + net/ipv4/tcp.c | 17 + net/ipv4/tcp_ao.c | 828 +++++++++++++++++++++++++++++++++++++++ net/ipv4/tcp_ipv4.c | 8 +- net/ipv6/Makefile | 1 + net/ipv6/tcp_ao.c | 20 + net/ipv6/tcp_ipv6.c | 14 +- 11 files changed, 965 insertions(+), 3 deletions(-) create mode 100644 net/ipv4/tcp_ao.c create mode 100644 net/ipv6/tcp_ao.c diff --git a/include/linux/sockptr.h b/include/linux/sockptr.h index d45902fb4cad..f42575ffda53 100644 --- a/include/linux/sockptr.h +++ b/include/linux/sockptr.h @@ -55,6 +55,29 @@ static inline int copy_from_sockptr(void *dst, sockptr_t= src, size_t size) return copy_from_sockptr_offset(dst, src, 0, size); } =20 +static inline int copy_struct_from_sockptr(void *dst, size_t ksize, + sockptr_t src, size_t usize) +{ + size_t size =3D min(ksize, usize); + size_t rest =3D max(ksize, usize) - size; + + if (!sockptr_is_kernel(src)) + return copy_struct_from_user(dst, ksize, src.user, size); + + if (usize < ksize) { + memset(dst + size, 0, rest); + } else if (usize > ksize) { + char *p =3D src.kernel; + + while (rest--) { + if (*p++) + return -E2BIG; + } + } + memcpy(dst, src.kernel, size); + return 0; +} + static inline int copy_to_sockptr_offset(sockptr_t dst, size_t offset, const void *src, size_t size) { diff --git a/include/net/tcp.h b/include/net/tcp.h index b4b009094bf6..278d0ab81796 100644 --- a/include/net/tcp.h +++ b/include/net/tcp.h @@ -2054,6 +2054,12 @@ struct tcp_sock_af_ops { sockptr_t optval, int optlen); #endif +#ifdef CONFIG_TCP_AO + int (*ao_parse)(struct sock *sk, + int optname, + sockptr_t optval, + int optlen); +#endif }; =20 struct tcp_request_sock_ops { diff --git a/include/net/tcp_ao.h b/include/net/tcp_ao.h index 39b3fc31e5a1..6d0d30e5542b 100644 --- a/include/net/tcp_ao.h +++ b/include/net/tcp_ao.h @@ -87,4 +87,19 @@ struct tcp_ao_info { u32 rcv_sne_seq; }; =20 +#ifdef CONFIG_TCP_AO +int tcp_parse_ao(struct sock *sk, int cmd, unsigned short int family, + sockptr_t optval, int optlen); +void tcp_ao_destroy_sock(struct sock *sk); +/* ipv4 specific functions */ +int tcp_v4_parse_ao(struct sock *sk, int optname, sockptr_t optval, int op= tlen); +/* ipv6 specific functions */ +int tcp_v6_parse_ao(struct sock *sk, int cmd, + sockptr_t optval, int optlen); +#else +static inline void tcp_ao_destroy_sock(struct sock *sk) +{ +} +#endif + #endif /* _TCP_AO_H */ diff --git a/include/uapi/linux/tcp.h b/include/uapi/linux/tcp.h index 849bbf2d3c38..5369458ae89f 100644 --- a/include/uapi/linux/tcp.h +++ b/include/uapi/linux/tcp.h @@ -129,6 +129,9 @@ enum { =20 #define TCP_TX_DELAY 37 /* delay outgoing packets by XX usec */ =20 +#define TCP_AO 38 /* (Add/Set MKT) */ +#define TCP_AO_DEL 39 /* (Delete MKT) */ +#define TCP_AO_MOD 40 /* (Modify MKT) */ =20 #define TCP_REPAIR_ON 1 #define TCP_REPAIR_OFF 0 @@ -344,6 +347,38 @@ struct tcp_diag_md5sig { =20 #define TCP_AO_MAXKEYLEN 80 =20 +#define TCP_AO_CMDF_CURR (1 << 0) /* Only checks field sndid */ +#define TCP_AO_CMDF_NEXT (1 << 1) /* Only checks field rcvid */ + +struct tcp_ao { /* setsockopt(TCP_AO) */ + struct __kernel_sockaddr_storage tcpa_addr; + char tcpa_alg_name[64]; + __u16 tcpa_flags; + __u8 tcpa_prefix; + __u8 tcpa_sndid; + __u8 tcpa_rcvid; + __u8 tcpa_maclen; + __u8 tcpa_keyflags; + __u8 tcpa_keylen; + __u8 tcpa_key[TCP_AO_MAXKEYLEN]; +} __attribute__((aligned(8))); + +struct tcp_ao_del { /* setsockopt(TCP_AO_DEL) */ + struct __kernel_sockaddr_storage tcpa_addr; + __u16 tcpa_flags; + __u8 tcpa_prefix; + __u8 tcpa_sndid; + __u8 tcpa_rcvid; + __u8 tcpa_current; + __u8 tcpa_rnext; +} __attribute__((aligned(8))); + +struct tcp_ao_mod { /* setsockopt(TCP_AO_MOD) */ + __u16 tcpa_flags; + __u8 tcpa_current; + __u8 tcpa_rnext; +} __attribute__((aligned(8))); + /* setsockopt(fd, IPPROTO_TCP, TCP_ZEROCOPY_RECEIVE, ...) */ =20 #define TCP_RECEIVE_ZEROCOPY_FLAG_TLB_CLEAN_HINT 0x1 diff --git a/net/ipv4/Makefile b/net/ipv4/Makefile index bbdd9c44f14e..6d0b3e228b8a 100644 --- a/net/ipv4/Makefile +++ b/net/ipv4/Makefile @@ -67,6 +67,7 @@ obj-$(CONFIG_NETLABEL) +=3D cipso_ipv4.o =20 obj-$(CONFIG_XFRM) +=3D xfrm4_policy.o xfrm4_state.o xfrm4_input.o \ xfrm4_output.o xfrm4_protocol.o +obj-$(CONFIG_TCP_AO) +=3D tcp_ao.o =20 ifeq ($(CONFIG_BPF_JIT),y) obj-$(CONFIG_BPF_SYSCALL) +=3D bpf_tcp_ca.o diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c index 7c54b47e848f..85854b8afc47 100644 --- a/net/ipv4/tcp.c +++ b/net/ipv4/tcp.c @@ -3704,6 +3704,23 @@ static int do_tcp_setsockopt(struct sock *sk, int le= vel, int optname, __tcp_sock_set_quickack(sk, val); break; =20 +#ifdef CONFIG_TCP_AO + case TCP_AO: + case TCP_AO_DEL: + case TCP_AO_MOD: { + u32 state =3D (1 << sk->sk_state) & + (TCPF_CLOSE | TCPF_ESTABLISHED | TCPF_LISTEN); + + if (!state || (state =3D=3D TCPF_ESTABLISHED && + !rcu_dereference_protected(tcp_sk(sk)->ao_info, + lockdep_sock_is_held(sk)))) + err =3D -EINVAL; + else + err =3D tp->af_specific->ao_parse(sk, optname, optval, + optlen); + break; + } +#endif #ifdef CONFIG_TCP_MD5SIG case TCP_MD5SIG: case TCP_MD5SIG_EXT: diff --git a/net/ipv4/tcp_ao.c b/net/ipv4/tcp_ao.c new file mode 100644 index 000000000000..7f53417ebdf7 --- /dev/null +++ b/net/ipv4/tcp_ao.c @@ -0,0 +1,828 @@ +// SPDX-License-Identifier: GPL-2.0-or-later +/* + * INET An implementation of the TCP Authentication Option (TCP-AO). + * See RFC5925. + * + * Authors: Dmitry Safonov + * Francesco Ruggeri + * Salam Noureddine + */ +#define pr_fmt(fmt) "TCP: " fmt + +#include +#include +#include + +#include +#include + +struct tcp_ao_key *tcp_ao_do_lookup_rcvid(struct sock *sk, u8 keyid) +{ + struct tcp_sock *tp =3D tcp_sk(sk); + struct tcp_ao_key *key; + struct tcp_ao_info *ao; + + ao =3D rcu_dereference_check(tp->ao_info, lockdep_sock_is_held(sk)); + + if (!ao) + return NULL; + + hlist_for_each_entry_rcu(key, &ao->head, node) { + if (key->rcvid =3D=3D keyid) + return key; + } + return NULL; +} + +struct tcp_ao_key *tcp_ao_do_lookup_sndid(const struct sock *sk, u8 keyid) +{ + struct tcp_ao_key *key; + struct tcp_ao_info *ao; + + ao =3D rcu_dereference_check(tcp_sk(sk)->ao_info, + lockdep_sock_is_held(sk)); + if (!ao) + return NULL; + + hlist_for_each_entry_rcu(key, &ao->head, node) { + if (key->sndid =3D=3D keyid) + return key; + } + return NULL; +} + +static inline int ipv4_prefix_cmp(const struct in_addr *addr1, + const struct in_addr *addr2, + unsigned int prefixlen) +{ + __be32 mask =3D inet_make_mask(prefixlen); + + if ((addr1->s_addr & mask) =3D=3D (addr2->s_addr & mask)) + return 0; + return ((addr1->s_addr & mask) > (addr2->s_addr & mask)) ? 1 : -1; +} + +static int __tcp_ao_key_cmp(const struct tcp_ao_key *key, + const union tcp_ao_addr *addr, u8 prefixlen, + int family, int sndid, int rcvid, u16 port) +{ + if (sndid >=3D 0 && key->sndid !=3D sndid) + return (key->sndid > sndid) ? 1 : -1; + if (rcvid >=3D 0 && key->rcvid !=3D rcvid) + return (key->rcvid > rcvid) ? 1 : -1; + if (port !=3D 0 && key->port !=3D 0 && port !=3D key->port) + return (key->port > port) ? 1 : -1; + + if (family =3D=3D AF_UNSPEC) + return 0; + if (key->family !=3D family) + return (key->family > family) ? 1 : -1; + + if (family =3D=3D AF_INET) { + if (key->addr.a4.s_addr =3D=3D INADDR_ANY) + return 0; + if (addr->a4.s_addr =3D=3D INADDR_ANY) + return 0; + return ipv4_prefix_cmp(&key->addr.a4, &addr->a4, prefixlen); + } else { + if (ipv6_addr_any(&key->addr.a6) || ipv6_addr_any(&addr->a6)) + return 0; + if (ipv6_prefix_equal(&key->addr.a6, &addr->a6, prefixlen)) + return 0; + return memcmp(&key->addr.a6, &addr->a6, prefixlen); + } +} + +int tcp_ao_key_cmp(const struct tcp_ao_key *key, + const union tcp_ao_addr *addr, u8 prefixlen, + int family, int sndid, int rcvid, u16 port) +{ + if (family =3D=3D AF_INET6 && ipv6_addr_v4mapped(&addr->a6)) { + __be32 addr4 =3D addr->a6.s6_addr32[3]; + + return __tcp_ao_key_cmp(key, (union tcp_ao_addr *)&addr4, + prefixlen, AF_INET, sndid, rcvid, port); + } + return __tcp_ao_key_cmp(key, addr, prefixlen, family, sndid, rcvid, port); +} + +struct tcp_ao_key *tcp_ao_do_lookup(const struct sock *sk, + const union tcp_ao_addr *addr, + int family, int sndid, int rcvid, u16 port) +{ + struct tcp_ao_key *key; + struct tcp_ao_info *ao; + + ao =3D rcu_dereference_check(tcp_sk(sk)->ao_info, + lockdep_sock_is_held(sk)); + if (!ao) + return NULL; + + hlist_for_each_entry_rcu(key, &ao->head, node) { + if (!tcp_ao_key_cmp(key, addr, key->prefixlen, + family, sndid, rcvid, port)) + return key; + } + return NULL; +} +EXPORT_SYMBOL(tcp_ao_do_lookup); + +static struct tcp_ao_info *tcp_ao_alloc_info(gfp_t flags, + struct tcp_ao_info *cloned_from) +{ + struct tcp_ao_info *ao; + + ao =3D kzalloc(sizeof(*ao), flags); + if (!ao) + return NULL; + INIT_HLIST_HEAD(&ao->head); + + if (cloned_from) + ao->ao_flags =3D cloned_from->ao_flags; + return ao; +} + +void tcp_ao_link_mkt(struct tcp_ao_info *ao, struct tcp_ao_key *mkt) +{ + hlist_add_head_rcu(&mkt->node, &ao->head); +} + +static void tcp_ao_key_free_rcu(struct rcu_head *head) +{ + struct tcp_ao_key *key =3D container_of(head, struct tcp_ao_key, rcu); + + crypto_pool_release(key->crypto_pool_id); + kfree(key); +} + +void tcp_ao_destroy_sock(struct sock *sk) +{ + struct tcp_ao_info *ao; + struct tcp_ao_key *key; + struct hlist_node *n; + + ao =3D rcu_dereference_protected(tcp_sk(sk)->ao_info, 1); + tcp_sk(sk)->ao_info =3D NULL; + + if (!ao) + return; + + hlist_for_each_entry_safe(key, n, &ao->head, node) { + hlist_del_rcu(&key->node); + atomic_sub(tcp_ao_sizeof_key(key), &sk->sk_omem_alloc); + call_rcu(&key->rcu, tcp_ao_key_free_rcu); + } + + kfree_rcu(ao, rcu); +} + +static int tcp_ao_current_rnext(struct sock *sk, u16 tcpa_flags, + u8 tcpa_sndid, u8 tcpa_rcvid) +{ + struct tcp_ao_info *ao_info; + struct tcp_ao_key *key; + + ao_info =3D rcu_dereference_protected(tcp_sk(sk)->ao_info, + lockdep_sock_is_held(sk)); + if ((tcpa_flags & (TCP_AO_CMDF_CURR | TCP_AO_CMDF_NEXT)) && !ao_info) + return -EINVAL; + + if (tcpa_flags & TCP_AO_CMDF_CURR) { + key =3D tcp_ao_do_lookup_sndid(sk, tcpa_sndid); + if (!key) + return -ENOENT; + if (ao_info->current_key !=3D key) + WRITE_ONCE(ao_info->current_key, key); + } + + if (tcpa_flags & TCP_AO_CMDF_NEXT) { + key =3D tcp_ao_do_lookup_rcvid(sk, tcpa_rcvid); + if (!key) + return -ENOENT; + if (ao_info->rnext_key !=3D key) + WRITE_ONCE(ao_info->rnext_key, key); + } + + return 0; +} + +static int tcp_ao_verify_port(struct sock *sk, u16 port) +{ + struct inet_sock *inet =3D inet_sk(sk); + + if (port !=3D 0) /* FIXME */ + return -EINVAL; + + /* Check that MKT port is consistent with socket */ + if (port !=3D 0 && inet->inet_dport !=3D 0 && port !=3D inet->inet_dport) + return -EINVAL; + + return 0; +} + +static int tcp_ao_verify_ipv4(struct sock *sk, struct tcp_ao *cmd, + union tcp_md5_addr **addr, u16 *port) +{ + struct sockaddr_in *sin =3D (struct sockaddr_in *)&cmd->tcpa_addr; + struct inet_sock *inet =3D inet_sk(sk); + + if (sin->sin_family !=3D AF_INET) + return -EINVAL; + + if (tcp_ao_verify_port(sk, ntohs(sin->sin_port))) + return -EINVAL; + + /* Check prefix and trailing 0's in addr */ + if (cmd->tcpa_prefix !=3D 0) { + __be32 mask; + + if (sin->sin_addr.s_addr =3D=3D INADDR_ANY) + return -EINVAL; + if (cmd->tcpa_prefix > 32) + return -EINVAL; + + mask =3D inet_make_mask(cmd->tcpa_prefix); + if (sin->sin_addr.s_addr & ~mask) + return -EINVAL; + + /* Check that MKT address is consistent with socket */ + if (inet->inet_daddr !=3D INADDR_ANY && + (inet->inet_daddr & mask) !=3D sin->sin_addr.s_addr) + return -EINVAL; + } else { + if (sin->sin_addr.s_addr !=3D INADDR_ANY) + return -EINVAL; + } + + *addr =3D (union tcp_md5_addr *)&sin->sin_addr; + *port =3D ntohs(sin->sin_port); + return 0; +} + +static int tcp_ao_verify_ipv6(struct sock *sk, struct tcp_ao *cmd, + union tcp_md5_addr **paddr, u16 *port, + unsigned short int *family) +{ + struct sockaddr_in6 *sin6 =3D (struct sockaddr_in6 *)&cmd->tcpa_addr; + struct in6_addr *addr =3D &sin6->sin6_addr; + u8 prefix =3D cmd->tcpa_prefix; + + if (sin6->sin6_family !=3D AF_INET6) + return -EINVAL; + /* Not supposed to happen: here from af-specific callback */ + if (WARN_ON_ONCE(!sk_fullsock(sk))) + return -EINVAL; + + if (tcp_ao_verify_port(sk, ntohs(sin6->sin6_port))) + return -EINVAL; + + /* Check prefix and trailing 0's in addr */ + if (cmd->tcpa_prefix !=3D 0 && ipv6_addr_v4mapped(addr)) { + __be32 addr4 =3D addr->s6_addr32[3]; + __be32 mask; + + if (prefix > 32 || addr4 =3D=3D INADDR_ANY) + return -EINVAL; + + mask =3D inet_make_mask(prefix); + if (addr4 & ~mask) + return -EINVAL; + + /* Check that MKT address is consistent with socket */ + if (!ipv6_addr_any(&sk->sk_v6_daddr)) { + __be32 daddr4 =3D sk->sk_v6_daddr.s6_addr32[3]; + + if (!ipv6_addr_v4mapped(&sk->sk_v6_daddr)) + return -EINVAL; + if ((daddr4 & mask) !=3D addr4) + return -EINVAL; + } + + *paddr =3D (union tcp_md5_addr *)&addr->s6_addr32[3]; + *family =3D AF_INET; + *port =3D ntohs(sin6->sin6_port); + return 0; + } else if (cmd->tcpa_prefix !=3D 0) { + struct in6_addr pfx; + + if (ipv6_addr_any(addr) || prefix > 128) + return -EINVAL; + + ipv6_addr_prefix(&pfx, addr, prefix); + if (ipv6_addr_cmp(&pfx, addr)) + return -EINVAL; + + /* Check that MKT address is consistent with socket */ + if (!ipv6_addr_any(&sk->sk_v6_daddr) && + !ipv6_prefix_equal(&sk->sk_v6_daddr, addr, prefix)) + + return -EINVAL; + } else { + if (!ipv6_addr_any(addr)) + return -EINVAL; + } + + *paddr =3D (union tcp_md5_addr *)addr; + *port =3D ntohs(sin6->sin6_port); + return 0; +} + +static int tcp_ao_parse_crypto(struct tcp_ao *cmd, struct tcp_ao_key *key) +{ + unsigned int syn_tcp_option_space; + struct crypto_pool_ahash hp; + bool is_kdf_aes_128_cmac =3D false; + struct crypto_ahash *tfm; + int err, pool_id; + + /* Force null-termination of tcpa_alg_name */ + cmd->tcpa_alg_name[ARRAY_SIZE(cmd->tcpa_alg_name) - 1] =3D '\0'; + + /* RFC5926, 3.1.1.2. KDF_AES_128_CMAC */ + if (!strcmp("cmac(aes128)", cmd->tcpa_alg_name)) { + strcpy(cmd->tcpa_alg_name, "cmac(aes)"); + is_kdf_aes_128_cmac =3D (cmd->tcpa_keylen !=3D 16); + } + + key->maclen =3D cmd->tcpa_maclen ?: 12; /* 12 is the default in RFC5925 */ + + /* Check: maclen + tcp-ao header <=3D (MAX_TCP_OPTION_SPACE - mss + * - tstamp - wscale - sackperm), + * see tcp_syn_options(), tcp_synack_options(), commit 33ad798c924b. + * + * In order to allow D-SACK with TCP-AO, the header size should be: + * (MAX_TCP_OPTION_SPACE - TCPOLEN_TSTAMP_ALIGNED + * - TCPOLEN_SACK_BASE_ALIGNED + * - 2 * TCPOLEN_SACK_PERBLOCK) =3D 8 (maclen =3D 4), + * see tcp_established_options(). + * + * RFC5925, 2.2: + * Typical MACs are 96-128 bits (12-16 bytes), but any length + * that fits in the header of the segment being authenticated + * is allowed. + * + * RFC5925, 7.6: + * TCP-AO continues to consume 16 bytes in non-SYN segments, + * leaving a total of 24 bytes for other options, of which + * the timestamp consumes 10. This leaves 14 bytes, of which 10 + * are used for a single SACK block. When two SACK blocks are used, + * such as to handle D-SACK, a smaller TCP-AO MAC would be required + * to make room for the additional SACK block (i.e., to leave 18 + * bytes for the D-SACK variant of the SACK option) [RFC2883]. + * Note that D-SACK is not supportable in TCP MD5 in the presence + * of timestamps, because TCP MD5=E2=80=99s MAC length is fixed and too + * large to leave sufficient option space. + */ + syn_tcp_option_space =3D MAX_TCP_OPTION_SPACE; + syn_tcp_option_space -=3D TCPOLEN_TSTAMP_ALIGNED; + syn_tcp_option_space -=3D TCPOLEN_WSCALE_ALIGNED; + syn_tcp_option_space -=3D TCPOLEN_SACKPERM_ALIGNED; + if (tcp_ao_len(key) > syn_tcp_option_space) + return -EMSGSIZE; + + key->keylen =3D cmd->tcpa_keylen; + memcpy(key->key, cmd->tcpa_key, cmd->tcpa_keylen); + + pool_id =3D crypto_pool_alloc_ahash(cmd->tcpa_alg_name); + if (pool_id < 0) + return pool_id; + + if (is_kdf_aes_128_cmac) { + err =3D crypto_pool_reserve_scratch(16); + if (err) + goto err_free_pool; + } + + err =3D crypto_pool_get(pool_id, (struct crypto_pool *)&hp); + if (err) + goto err_free_pool; + + tfm =3D crypto_ahash_reqtfm(hp.req); + if (crypto_ahash_alignmask(tfm) > TCP_AO_KEY_ALIGN) { + err =3D -EOPNOTSUPP; + goto err_put_pool; + } + + if (is_kdf_aes_128_cmac) { + void *scratch =3D hp.base.scratch; + struct scatterlist sg; + + /* Using zero-key of 16 bytes as described in RFC5926 */ + memset(scratch, 0, 16); + sg_init_one(&sg, cmd->tcpa_key, cmd->tcpa_keylen); + + err =3D crypto_ahash_setkey(tfm, scratch, 16); + if (err) + goto err_put_pool; + + err =3D crypto_ahash_init(hp.req); + if (err) + goto err_put_pool; + + ahash_request_set_crypt(hp.req, &sg, key->key, cmd->tcpa_keylen); + err =3D crypto_ahash_update(hp.req); + if (err) + goto err_put_pool; + + err |=3D crypto_ahash_final(hp.req); + if (err) + goto err_put_pool; + key->keylen =3D 16; + } + + err =3D crypto_ahash_setkey(tfm, key->key, key->keylen); + if (err) + goto err_put_pool; + + key->digest_size =3D crypto_ahash_digestsize(tfm); + crypto_pool_put(); + + err =3D crypto_pool_reserve_scratch(sizeof(struct tcphdr) + + sizeof(struct tcp_ao_hdr) + + key->digest_size); + if (err) + goto err_free_pool; + + if (key->digest_size > TCP_AO_MAX_HASH_SIZE) { + err =3D -ENOBUFS; + goto err_free_pool; + } + if (key->maclen > key->digest_size) { + err =3D -EINVAL; + goto err_free_pool; + } + + key->crypto_pool_id =3D pool_id; + return 0; + +err_put_pool: + crypto_pool_put(); +err_free_pool: + crypto_pool_release(pool_id); + return err; +} + +/* tcp_ao_mkt_overlap_v4() assumes cmd already went through tcp_ao_verify_= ipv4. + * RFC5925 3.1 The IDs of MKTs MUST NOT overlap where their TCP connection + * identifiers overlap. + */ +static bool tcp_ao_mkt_overlap_v4(struct tcp_ao *cmd, + struct tcp_ao_info *ao_info) +{ + struct sockaddr_in *sin =3D (struct sockaddr_in *)&cmd->tcpa_addr; + __be32 addr =3D sin->sin_addr.s_addr; + __u8 prefix =3D cmd->tcpa_prefix; + __u16 port =3D ntohs(sin->sin_port); + __u8 sndid =3D cmd->tcpa_sndid; + __u8 rcvid =3D cmd->tcpa_rcvid; + struct tcp_ao_key *key; + + /* Check for TCP connection identifiers overlap */ + + hlist_for_each_entry_rcu(key, &ao_info->head, node) { + __be32 key_addr; + __be32 mask; + + /* Check for overlapping ids */ + if (key->sndid !=3D sndid && key->rcvid !=3D rcvid) + continue; + + key_addr =3D key->addr.a4.s_addr; + mask =3D inet_make_mask(min(prefix, key->prefixlen)); + + /* Check for overlapping addresses */ + if (addr =3D=3D INADDR_ANY || key_addr =3D=3D INADDR_ANY || + (addr & mask) =3D=3D (key_addr & mask)) { + /* Check for overlapping ports */ + if (port =3D=3D 0 || key->port =3D=3D 0 || port =3D=3D key->port) + return true; + } + } + + return false; +} + +/* tcp_ao_mkt_overlap_v6() assumes cmd already went through tcp_ao_verify_= ipv6. + * RFC5925 3.1 The IDs of MKTs MUST NOT overlap where their TCP connection + * identifiers overlap. + */ +static bool tcp_ao_mkt_overlap_v6(struct tcp_ao *cmd, + struct tcp_ao_info *ao_info) +{ + struct sockaddr_in6 *sin6 =3D (struct sockaddr_in6 *)&cmd->tcpa_addr; + struct in6_addr *addr =3D &sin6->sin6_addr; + bool v4_mapped =3D ipv6_addr_v4mapped(addr); + __u8 prefix =3D cmd->tcpa_prefix; + __u16 port =3D ntohs(sin6->sin6_port); + __u8 sndid =3D cmd->tcpa_sndid; + __u8 rcvid =3D cmd->tcpa_rcvid; + struct tcp_ao_key *key; + __be32 addr4 =3D v4_mapped ? addr->s6_addr32[3] : 0; + + hlist_for_each_entry_rcu(key, &ao_info->head, node) { + struct in6_addr pfx, key_pfx; + struct in6_addr *key_addr; + int min_prefixlen; + + /* Check for overlapping ids */ + if (key->sndid !=3D sndid && key->rcvid !=3D rcvid) + continue; + + key_addr =3D &key->addr.a6; + + if (v4_mapped) { + __be32 key_addr4; + __be32 mask; + + if (!ipv6_addr_v4mapped(key_addr)) + continue; + + key_addr4 =3D key_addr->s6_addr32[3]; + mask =3D inet_make_mask(min(prefix, key->prefixlen)); + + /* Check for overlapping addresses */ + if (addr4 =3D=3D INADDR_ANY || key_addr4 =3D=3D INADDR_ANY || + (addr4 & mask) =3D=3D (key_addr4 & mask)) { + /* Check for overlapping ports */ + if (port =3D=3D 0 || key->port =3D=3D 0 || + port =3D=3D key->port) + return true; + } + } else { + min_prefixlen =3D min(prefix, key->prefixlen); + ipv6_addr_prefix(&pfx, addr, min_prefixlen); + ipv6_addr_prefix(&key_pfx, key_addr, min_prefixlen); + + /* Check for overlapping addresses */ + if (ipv6_addr_any(addr) || ipv6_addr_any(key_addr) || + !ipv6_addr_cmp(&pfx, &key_pfx)) { + /* Check for overlapping ports */ + if (port =3D=3D 0 || key->port =3D=3D 0 || + port =3D=3D key->port) + return true; + } + } + } + + return false; +} + +#define TCP_AO_KEYF_ALL (0) +#define TCP_AO_CMDF_ADDMOD_VALID \ + (TCP_AO_CMDF_CURR | TCP_AO_CMDF_NEXT) +#define TCP_AO_CMDF_DEL_VALID \ + (TCP_AO_CMDF_CURR | TCP_AO_CMDF_NEXT) + +static int tcp_ao_add_cmd(struct sock *sk, unsigned short int family, + sockptr_t optval, int optlen) +{ + struct tcp_ao_info *ao_info; + union tcp_md5_addr *addr; + struct tcp_ao_key *key; + bool first =3D false; + struct tcp_ao cmd; + int ret, size; + u16 port; + + if (optlen < sizeof(cmd)) + return -EINVAL; + + ret =3D copy_struct_from_sockptr(&cmd, sizeof(cmd), optval, optlen); + if (ret) + return ret; + + if (cmd.tcpa_keylen > TCP_AO_MAXKEYLEN) + return -EINVAL; + + if (cmd.tcpa_flags & ~TCP_AO_CMDF_ADDMOD_VALID) + return -EINVAL; + + if (family =3D=3D AF_INET) + ret =3D tcp_ao_verify_ipv4(sk, &cmd, &addr, &port); + else + ret =3D tcp_ao_verify_ipv6(sk, &cmd, &addr, &port, &family); + if (ret) + return ret; + + if (cmd.tcpa_keyflags & ~TCP_AO_KEYF_ALL) + return -EINVAL; + + ao_info =3D rcu_dereference_protected(tcp_sk(sk)->ao_info, + lockdep_sock_is_held(sk)); + + if (!ao_info) { + ao_info =3D tcp_ao_alloc_info(GFP_KERNEL, NULL); + if (!ao_info) + return -ENOMEM; + first =3D true; + } else { + if (family =3D=3D AF_INET) { + if (tcp_ao_mkt_overlap_v4(&cmd, ao_info)) + return -EEXIST; + } else { + if (tcp_ao_mkt_overlap_v6(&cmd, ao_info)) + return -EEXIST; + } + } + + /* TODO: We should add twice the key->diget_size instead of the max + * so rework this in a way to know the digest_size before allocating + * the tcp_ao_key struct. + */ + size =3D sizeof(struct tcp_ao_key) + (TCP_AO_MAX_HASH_SIZE << 1); + key =3D sock_kmalloc(sk, size, GFP_KERNEL); + if (!key) { + ret =3D -ENOMEM; + goto err_free_ao; + } + + INIT_HLIST_NODE(&key->node); + memcpy(&key->addr, addr, (family =3D=3D AF_INET) ? sizeof(struct in_addr)= : + sizeof(struct in6_addr)); + key->port =3D port; + key->prefixlen =3D cmd.tcpa_prefix; + key->family =3D family; + key->keyflags =3D cmd.tcpa_keyflags; + key->sndid =3D cmd.tcpa_sndid; + key->rcvid =3D cmd.tcpa_rcvid; + + ret =3D tcp_ao_parse_crypto(&cmd, key); + if (ret < 0) + goto err_free_sock; + + tcp_ao_link_mkt(ao_info, key); + if (first) { + sk_gso_disable(sk); + rcu_assign_pointer(tcp_sk(sk)->ao_info, ao_info); + } + + /* Can't fail: the key with sndid/rcvid was just added */ + WARN_ON_ONCE(tcp_ao_current_rnext(sk, cmd.tcpa_flags, + cmd.tcpa_sndid, cmd.tcpa_rcvid)); + return 0; + +err_free_sock: + atomic_sub(tcp_ao_sizeof_key(key), &sk->sk_omem_alloc); + kfree(key); +err_free_ao: + if (first) + kfree(ao_info); + return ret; +} + +static int tcp_ao_delete_key(struct sock *sk, struct tcp_ao_key *key, + struct tcp_ao_info *ao_info, struct tcp_ao_del *cmd) +{ + int err; + + hlist_del_rcu(&key->node); + + /* At this moment another CPU could have looked this key up + * while it was unlinked from the list. Wait for RCU grace period, + * after which the key is off-list and can't be looked up again; + * the rx path [just before RCU came] might have used it and set it + * as current_key (very unlikely). + */ + synchronize_rcu(); + err =3D tcp_ao_current_rnext(sk, cmd->tcpa_flags, + cmd->tcpa_current, cmd->tcpa_rnext); + if (err) + goto add_key; + + if (unlikely(READ_ONCE(ao_info->current_key) =3D=3D key || + READ_ONCE(ao_info->rnext_key) =3D=3D key)) { + err =3D -EBUSY; + goto add_key; + } + + atomic_sub(tcp_ao_sizeof_key(key), &sk->sk_omem_alloc); + call_rcu(&key->rcu, tcp_ao_key_free_rcu); + + return 0; +add_key: + hlist_add_head_rcu(&key->node, &ao_info->head); + return err; +} + +static int tcp_ao_del_cmd(struct sock *sk, unsigned short int family, + sockptr_t optval, int optlen) +{ + struct tcp_ao_info *ao_info; + struct tcp_ao_key *key; + struct tcp_ao_del cmd; + int err; + union tcp_md5_addr *addr; + __u8 prefix; + __be16 port; + int addr_len; + + if (optlen < sizeof(cmd)) + return -EINVAL; + + err =3D copy_struct_from_sockptr(&cmd, sizeof(cmd), optval, optlen); + if (err) + return err; + + if (cmd.tcpa_flags & ~TCP_AO_CMDF_DEL_VALID) + return -EINVAL; + + ao_info =3D rcu_dereference_protected(tcp_sk(sk)->ao_info, + lockdep_sock_is_held(sk)); + if (!ao_info) + return -ENOENT; + + if (family =3D=3D AF_INET) { + struct sockaddr_in *sin =3D (struct sockaddr_in *)&cmd.tcpa_addr; + + addr =3D (union tcp_md5_addr *)&sin->sin_addr; + addr_len =3D sizeof(struct in_addr); + port =3D ntohs(sin->sin_port); + } else { + struct sockaddr_in6 *sin6 =3D (struct sockaddr_in6 *)&cmd.tcpa_addr; + struct in6_addr *addr6 =3D &sin6->sin6_addr; + + if (ipv6_addr_v4mapped(addr6)) { + addr =3D (union tcp_md5_addr *)&addr6->s6_addr32[3]; + addr_len =3D sizeof(struct in_addr); + family =3D AF_INET; + } else { + addr =3D (union tcp_md5_addr *)addr6; + addr_len =3D sizeof(struct in6_addr); + } + port =3D ntohs(sin6->sin6_port); + } + prefix =3D cmd.tcpa_prefix; + + /* We could choose random present key here for current/rnext + * but that's less predictable. Let's be strict and don't + * allow removing a key that's in use. RFC5925 doesn't + * specify how-to coordinate key removal, but says: + * "It is presumed that an MKT affecting a particular + * connection cannot be destroyed during an active connection" + */ + hlist_for_each_entry_rcu(key, &ao_info->head, node) { + if (cmd.tcpa_sndid !=3D key->sndid || + cmd.tcpa_rcvid !=3D key->rcvid) + continue; + + if (family !=3D key->family || + prefix !=3D key->prefixlen || + port !=3D key->port || + memcmp(addr, &key->addr, addr_len)) + continue; + + return tcp_ao_delete_key(sk, key, ao_info, &cmd); + } + return -ENOENT; +} + +static int tcp_ao_mod_cmd(struct sock *sk, unsigned short int family, + sockptr_t optval, int optlen) +{ + struct tcp_ao_info *ao_info; + struct tcp_ao_mod cmd; + int err; + + if (optlen < sizeof(cmd)) + return -EINVAL; + + err =3D copy_struct_from_sockptr(&cmd, sizeof(cmd), optval, optlen); + if (err) + return err; + + if (cmd.tcpa_flags & ~TCP_AO_CMDF_ADDMOD_VALID) + return -EINVAL; + + ao_info =3D rcu_dereference_protected(tcp_sk(sk)->ao_info, + lockdep_sock_is_held(sk)); + if (!ao_info) + return -ENOENT; + /* TODO: make tcp_ao_current_rnext() and flags set atomic */ + return tcp_ao_current_rnext(sk, cmd.tcpa_flags, + cmd.tcpa_current, cmd.tcpa_rnext); +} + +int tcp_parse_ao(struct sock *sk, int cmd, unsigned short int family, + sockptr_t optval, int optlen) +{ + if (WARN_ON_ONCE(family !=3D AF_INET && family !=3D AF_INET6)) + return -EOPNOTSUPP; + + switch (cmd) { + case TCP_AO: + return tcp_ao_add_cmd(sk, family, optval, optlen); + case TCP_AO_DEL: + return tcp_ao_del_cmd(sk, family, optval, optlen); + case TCP_AO_MOD: + return tcp_ao_mod_cmd(sk, family, optval, optlen); + default: + WARN_ON_ONCE(1); + return -EINVAL; + } +} + +int tcp_v4_parse_ao(struct sock *sk, int cmd, sockptr_t optval, int optlen) +{ + return tcp_parse_ao(sk, cmd, AF_INET, optval, optlen); +} + diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c index 6bafe7429902..755154523ffc 100644 --- a/net/ipv4/tcp_ipv4.c +++ b/net/ipv4/tcp_ipv4.c @@ -2231,11 +2231,16 @@ const struct inet_connection_sock_af_ops ipv4_speci= fic =3D { }; EXPORT_SYMBOL(ipv4_specific); =20 -#ifdef CONFIG_TCP_MD5SIG +#if defined(CONFIG_TCP_MD5SIG) || defined(CONFIG_TCP_AO) static const struct tcp_sock_af_ops tcp_sock_ipv4_specific =3D { +#ifdef CONFIG_TCP_MD5SIG .md5_lookup =3D tcp_v4_md5_lookup, .calc_md5_hash =3D tcp_v4_md5_hash_skb, .md5_parse =3D tcp_v4_parse_md5_keys, +#endif +#ifdef CONFIG_TCP_AO + .ao_parse =3D tcp_v4_parse_ao, +#endif }; #endif =20 @@ -2301,6 +2306,7 @@ void tcp_v4_destroy_sock(struct sock *sk) rcu_assign_pointer(tp->md5sig_info, NULL); } #endif + tcp_ao_destroy_sock(sk); =20 /* Clean up a referenced TCP bind bucket. */ if (inet_csk(sk)->icsk_bind_hash) diff --git a/net/ipv6/Makefile b/net/ipv6/Makefile index 3036a45e8a1e..68a991499e63 100644 --- a/net/ipv6/Makefile +++ b/net/ipv6/Makefile @@ -53,3 +53,4 @@ ifneq ($(CONFIG_IPV6),) obj-$(CONFIG_NET_UDP_TUNNEL) +=3D ip6_udp_tunnel.o obj-y +=3D mcast_snoop.o endif +obj-$(CONFIG_TCP_AO) +=3D tcp_ao.o diff --git a/net/ipv6/tcp_ao.c b/net/ipv6/tcp_ao.c new file mode 100644 index 000000000000..f9f242a7e0f2 --- /dev/null +++ b/net/ipv6/tcp_ao.c @@ -0,0 +1,20 @@ +// SPDX-License-Identifier: GPL-2.0-or-later +/* + * INET An implementation of the TCP Authentication Option (TCP-AO). + * See RFC5925. + * + * Authors: Dmitry Safonov + * Francesco Ruggeri + * Salam Noureddine + */ +#include +#include + +#include +#include + +int tcp_v6_parse_ao(struct sock *sk, int cmd, + sockptr_t optval, int optlen) +{ + return tcp_parse_ao(sk, cmd, AF_INET6, optval, optlen); +} diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c index f75569f889e7..741cbeb52117 100644 --- a/net/ipv6/tcp_ipv6.c +++ b/net/ipv6/tcp_ipv6.c @@ -1883,11 +1883,16 @@ const struct inet_connection_sock_af_ops ipv6_speci= fic =3D { .mtu_reduced =3D tcp_v6_mtu_reduced, }; =20 -#ifdef CONFIG_TCP_MD5SIG +#if defined(CONFIG_TCP_MD5SIG) || defined(CONFIG_TCP_AO) static const struct tcp_sock_af_ops tcp_sock_ipv6_specific =3D { +#ifdef CONFIG_TCP_MD5SIG .md5_lookup =3D tcp_v6_md5_lookup, .calc_md5_hash =3D tcp_v6_md5_hash_skb, .md5_parse =3D tcp_v6_parse_md5_keys, +#endif +#ifdef CONFIG_TCP_AO + .ao_parse =3D tcp_v6_parse_ao, +#endif }; #endif =20 @@ -1909,11 +1914,16 @@ static const struct inet_connection_sock_af_ops ipv= 6_mapped =3D { .mtu_reduced =3D tcp_v4_mtu_reduced, }; =20 -#ifdef CONFIG_TCP_MD5SIG +#if defined(CONFIG_TCP_MD5SIG) || defined(CONFIG_TCP_AO) static const struct tcp_sock_af_ops tcp_sock_ipv6_mapped_specific =3D { +#ifdef CONFIG_TCP_MD5SIG .md5_lookup =3D tcp_v4_md5_lookup, .calc_md5_hash =3D tcp_v4_md5_hash_skb, .md5_parse =3D tcp_v6_parse_md5_keys, +#endif +#ifdef CONFIG_TCP_AO + .ao_parse =3D tcp_v6_parse_ao, +#endif }; #endif =20 --=20 2.37.2 From nobody Fri Apr 10 21:51:38 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 829E6C00140 for ; Thu, 18 Aug 2022 17:01:48 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1345317AbiHRRBp (ORCPT ); Thu, 18 Aug 2022 13:01:45 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34938 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1345380AbiHRRAh (ORCPT ); Thu, 18 Aug 2022 13:00:37 -0400 Received: from mail-wm1-x333.google.com (mail-wm1-x333.google.com [IPv6:2a00:1450:4864:20::333]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1F66DC2FA0 for ; Thu, 18 Aug 2022 10:00:27 -0700 (PDT) Received: by mail-wm1-x333.google.com with SMTP id r83-20020a1c4456000000b003a5cb389944so2885089wma.4 for ; Thu, 18 Aug 2022 10:00:26 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=arista.com; s=google; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc; bh=GpJcAhUzIqJ/nh6finvZBG1hpGU8WgtzwtpT9vG6KfI=; b=OCD6rZcyG4r3ExcMl2zzEWZ99Xi2pAf0CWrrIHbMMaSlCfxWxlttHODdBg9xvTKKx5 /VgPfOfonkBC/xDqImDlisv6Zwga38Xv0uffM2hv/8uQE9/E4/0i9h/hmmzvY7d/zrC1 m01LN1vkZAT8LyakrpWrA51KTxjGPcfL+m2HlN04OESKpnzLfSuFlco2PbI//8GIKRv0 Nuf4TZ+xqzUjEjxMStoH0A7oHJ2EFyv7+V2PMS19S4NYqLev7LSu4pbzbGPdm7J2oFQS XQ7N+LiBOWUFwhBjM9qfHdLi7B8qMi8pK8EA7C776TZUR5EFMw4hMgtcNrF0fZvX1DKH tgfg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc; bh=GpJcAhUzIqJ/nh6finvZBG1hpGU8WgtzwtpT9vG6KfI=; b=gGZ8Sondile/5C6KL979U921w2+dE6dllzepyB9ulAbCphun8PAzAgsQVfb8iabzAJ 6lAERsB+ybHzOmD09obsFhzBBPUGqvPpGx9ADwDY9qNQxdPXLkz/qm6pCULv/N/vGglj uhnGgXAAeUKZQBKX5QezsggjETbldPqd2pfmbB684msJYDlZwF5nTDd3ekMpKMELx8eb cIn2OcgTf5uVE9U4KPXI6iC+KfU9A9y2KuPAzBVGh4U1ePZA6F2eraVe5x2UZ9zgfwKU IJapMK51XiI0Eg5YvcQsSLJIFmy5hfFWKJry5mW/TkSvN+kPJ8xbQzwTkzQVRS8g9+iU JcCQ== X-Gm-Message-State: ACgBeo1+E3DdKmbUGuQuUdQ7WWaFVw6chCuyB5bqJEjTVQ7HJiZ+rgcH 9WoDjwat+JQfACqCJVQ7fHyiKA== X-Google-Smtp-Source: AA6agR4eeRBCZ9QZBpReiG5l6h9phzvCNM6CvfWddXUE6/Z9Y7aIsFOxg0Y8nV4Fo2XAd+2Auh8hWQ== X-Received: by 2002:a05:600c:4ec9:b0:3a5:a567:137f with SMTP id g9-20020a05600c4ec900b003a5a567137fmr5724370wmq.46.1660842026531; Thu, 18 Aug 2022 10:00:26 -0700 (PDT) Received: from Mindolluin.ire.aristanetworks.com ([217.173.96.166]) by smtp.gmail.com with ESMTPSA id be13-20020a05600c1e8d00b003a511e92abcsm2662169wmb.34.2022.08.18.10.00.25 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 18 Aug 2022 10:00:26 -0700 (PDT) From: Dmitry Safonov To: Eric Dumazet , "David S. Miller" , linux-kernel@vger.kernel.org Cc: Dmitry Safonov , Andy Lutomirski , Ard Biesheuvel , Bob Gilligan , David Ahern , Dmitry Safonov <0x7f454c46@gmail.com>, Eric Biggers , Francesco Ruggeri , Herbert Xu , Hideaki YOSHIFUJI , Ivan Delalande , Jakub Kicinski , Leonard Crestez , Paolo Abeni , Salam Noureddine , Shuah Khan , netdev@vger.kernel.org, linux-crypto@vger.kernel.org Subject: [PATCH 09/31] net/tcp: Prevent TCP-MD5 with TCP-AO being set Date: Thu, 18 Aug 2022 17:59:43 +0100 Message-Id: <20220818170005.747015-10-dima@arista.com> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220818170005.747015-1-dima@arista.com> References: <20220818170005.747015-1-dima@arista.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" Be as conservative as possible: if there is TCP-MD5 key for a given peer regardless of L3 interface - don't allow setting TCP-AO key for the same peer. According to RFC5925, TCP-AO is supposed to replace TCP-MD5 and there can't be any switch between both on any connected tuple. Later it can be relaxed, if there's a use, but in the beginning restrict any intersection. Note: it's still should be possible to set both TCP-MD5 and TCP-AO keys on a listening socket for *different* peers. Co-developed-by: Francesco Ruggeri Signed-off-by: Francesco Ruggeri Co-developed-by: Salam Noureddine Signed-off-by: Salam Noureddine Signed-off-by: Dmitry Safonov --- include/net/tcp.h | 23 +++++++++++++++++++++-- include/net/tcp_ao.h | 15 +++++++++++++++ net/ipv4/tcp_ao.c | 12 ++++++++++++ net/ipv4/tcp_ipv4.c | 10 ++++++++-- net/ipv4/tcp_output.c | 22 ++++++++++++++++++++++ net/ipv6/tcp_ao.c | 17 +++++++++++++++++ net/ipv6/tcp_ipv6.c | 22 ++++++++++++++++++---- 7 files changed, 113 insertions(+), 8 deletions(-) diff --git a/include/net/tcp.h b/include/net/tcp.h index 278d0ab81796..9c71f48cc99c 100644 --- a/include/net/tcp.h +++ b/include/net/tcp.h @@ -1670,14 +1670,23 @@ struct tcp_md5sig_key *tcp_v4_md5_lookup(const stru= ct sock *sk, extern struct static_key_false_deferred tcp_md5_needed; struct tcp_md5sig_key *__tcp_md5_do_lookup(const struct sock *sk, int l3in= dex, const union tcp_md5_addr *addr, - int family); + int family, bool any_l3index); static inline struct tcp_md5sig_key * tcp_md5_do_lookup(const struct sock *sk, int l3index, const union tcp_md5_addr *addr, int family) { if (!static_branch_unlikely(&tcp_md5_needed.key)) return NULL; - return __tcp_md5_do_lookup(sk, l3index, addr, family); + return __tcp_md5_do_lookup(sk, l3index, addr, family, false); +} + +static inline struct tcp_md5sig_key * +tcp_md5_do_lookup_any_l3index(const struct sock *sk, + const union tcp_md5_addr *addr, int family) +{ + if (!static_branch_unlikely(&tcp_md5_needed.key)) + return NULL; + return __tcp_md5_do_lookup(sk, 0, addr, family, true); } =20 enum skb_drop_reason @@ -1695,6 +1704,13 @@ tcp_md5_do_lookup(const struct sock *sk, int l3index, return NULL; } =20 +static inline struct tcp_md5sig_key * +tcp_md5_do_lookup_any_l3index(const struct sock *sk, + const union tcp_md5_addr *addr, int family) +{ + return NULL; +} + static inline enum skb_drop_reason tcp_inbound_md5_hash(const struct sock *sk, const struct sk_buff *skb, const void *saddr, const void *daddr, @@ -2059,6 +2075,9 @@ struct tcp_sock_af_ops { int optname, sockptr_t optval, int optlen); + struct tcp_ao_key *(*ao_lookup)(const struct sock *sk, + struct sock *addr_sk, + int sndid, int rcvid); #endif }; =20 diff --git a/include/net/tcp_ao.h b/include/net/tcp_ao.h index 6d0d30e5542b..c550f1a6f5fd 100644 --- a/include/net/tcp_ao.h +++ b/include/net/tcp_ao.h @@ -91,12 +91,27 @@ struct tcp_ao_info { int tcp_parse_ao(struct sock *sk, int cmd, unsigned short int family, sockptr_t optval, int optlen); void tcp_ao_destroy_sock(struct sock *sk); +struct tcp_ao_key *tcp_ao_do_lookup(const struct sock *sk, + const union tcp_ao_addr *addr, + int family, int sndid, int rcvid, u16 port); /* ipv4 specific functions */ int tcp_v4_parse_ao(struct sock *sk, int optname, sockptr_t optval, int op= tlen); +struct tcp_ao_key *tcp_v4_ao_lookup(const struct sock *sk, struct sock *ad= dr_sk, + int sndid, int rcvid); /* ipv6 specific functions */ +struct tcp_ao_key *tcp_v6_ao_lookup(const struct sock *sk, + struct sock *addr_sk, + int sndid, int rcvid); int tcp_v6_parse_ao(struct sock *sk, int cmd, sockptr_t optval, int optlen); #else +static inline struct tcp_ao_key *tcp_ao_do_lookup(const struct sock *sk, + const union tcp_ao_addr *addr, + int family, int sndid, int rcvid, u16 port) +{ + return NULL; +} + static inline void tcp_ao_destroy_sock(struct sock *sk) { } diff --git a/net/ipv4/tcp_ao.c b/net/ipv4/tcp_ao.c index 7f53417ebdf7..be68eb6b4a92 100644 --- a/net/ipv4/tcp_ao.c +++ b/net/ipv4/tcp_ao.c @@ -176,6 +176,14 @@ void tcp_ao_destroy_sock(struct sock *sk) kfree_rcu(ao, rcu); } =20 +struct tcp_ao_key *tcp_v4_ao_lookup(const struct sock *sk, struct sock *ad= dr_sk, + int sndid, int rcvid) +{ + union tcp_ao_addr *addr =3D (union tcp_ao_addr *)&addr_sk->sk_daddr; + + return tcp_ao_do_lookup(sk, addr, AF_INET, sndid, rcvid, 0); +} + static int tcp_ao_current_rnext(struct sock *sk, u16 tcpa_flags, u8 tcpa_sndid, u8 tcpa_rcvid) { @@ -607,6 +615,10 @@ static int tcp_ao_add_cmd(struct sock *sk, unsigned sh= ort int family, if (cmd.tcpa_keyflags & ~TCP_AO_KEYF_ALL) return -EINVAL; =20 + /* Don't allow keys for peers that have a matching TCP-MD5 key */ + if (tcp_md5_do_lookup_any_l3index(sk, addr, family)) + return -EKEYREJECTED; + ao_info =3D rcu_dereference_protected(tcp_sk(sk)->ao_info, lockdep_sock_is_held(sk)); =20 diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c index 755154523ffc..fc65d64b9570 100644 --- a/net/ipv4/tcp_ipv4.c +++ b/net/ipv4/tcp_ipv4.c @@ -1065,7 +1065,7 @@ static bool better_md5_match(struct tcp_md5sig_key *o= ld, struct tcp_md5sig_key * /* Find the Key structure for an address. */ struct tcp_md5sig_key *__tcp_md5_do_lookup(const struct sock *sk, int l3in= dex, const union tcp_md5_addr *addr, - int family) + int family, bool any_l3index) { const struct tcp_sock *tp =3D tcp_sk(sk); struct tcp_md5sig_key *key; @@ -1084,7 +1084,8 @@ struct tcp_md5sig_key *__tcp_md5_do_lookup(const stru= ct sock *sk, int l3index, lockdep_sock_is_held(sk)) { if (key->family !=3D family) continue; - if (key->flags & TCP_MD5SIG_FLAG_IFINDEX && key->l3index !=3D l3index) + if (!any_l3index && key->flags & TCP_MD5SIG_FLAG_IFINDEX && + key->l3index !=3D l3index) continue; if (family =3D=3D AF_INET) { mask =3D inet_make_mask(key->prefixlen); @@ -1344,6 +1345,10 @@ static int tcp_v4_parse_md5_keys(struct sock *sk, in= t optname, if (cmd.tcpm_keylen > TCP_MD5SIG_MAXKEYLEN) return -EINVAL; =20 + /* Don't allow keys for peers that have a matching TCP-AO key */ + if (tcp_ao_do_lookup(sk, addr, AF_INET, -1, -1, 0)) + return -EKEYREJECTED; + return tcp_md5_do_add(sk, addr, AF_INET, prefixlen, l3index, flags, cmd.tcpm_key, cmd.tcpm_keylen); } @@ -2239,6 +2244,7 @@ static const struct tcp_sock_af_ops tcp_sock_ipv4_spe= cific =3D { .md5_parse =3D tcp_v4_parse_md5_keys, #endif #ifdef CONFIG_TCP_AO + .ao_lookup =3D tcp_v4_ao_lookup, .ao_parse =3D tcp_v4_parse_ao, #endif }; diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c index 9e12845a8758..243ff6b99d17 100644 --- a/net/ipv4/tcp_output.c +++ b/net/ipv4/tcp_output.c @@ -3837,6 +3837,28 @@ int tcp_connect(struct sock *sk) =20 tcp_call_bpf(sk, BPF_SOCK_OPS_TCP_CONNECT_CB, 0, NULL); =20 +#if defined(CONFIG_TCP_MD5SIG) && defined(CONFIG_TCP_AO) + /* Has to be checked late, after setting daddr/saddr/ops */ + if (unlikely(rcu_dereference_protected(tp->md5sig_info, + lockdep_sock_is_held(sk)))) { + bool needs_md5 =3D !!tp->af_specific->md5_lookup(sk, sk); + bool needs_ao =3D !!tp->af_specific->ao_lookup(sk, sk, -1, -1); + + if (needs_md5 && needs_ao) + return -EKEYREJECTED; + } +#endif +#ifdef CONFIG_TCP_AO + if (unlikely(rcu_dereference_protected(tp->ao_info, + lockdep_sock_is_held(sk)))) { + /* Don't allow connecting if ao is configured but no + * matching key is found. + */ + if (tp->af_specific->ao_lookup(sk, sk, -1, -1) =3D=3D NULL) + return -EKEYREJECTED; + } +#endif + if (inet_csk(sk)->icsk_af_ops->rebuild_header(sk)) return -EHOSTUNREACH; /* Routing failure or similar. */ =20 diff --git a/net/ipv6/tcp_ao.c b/net/ipv6/tcp_ao.c index f9f242a7e0f2..221b8adb4f73 100644 --- a/net/ipv6/tcp_ao.c +++ b/net/ipv6/tcp_ao.c @@ -13,6 +13,23 @@ #include #include =20 +struct tcp_ao_key *tcp_v6_ao_do_lookup(const struct sock *sk, + const struct in6_addr *addr, + int sndid, int rcvid) +{ + return tcp_ao_do_lookup(sk, (union tcp_ao_addr *)addr, AF_INET6, + sndid, rcvid, 0); +} + +struct tcp_ao_key *tcp_v6_ao_lookup(const struct sock *sk, + struct sock *addr_sk, + int sndid, int rcvid) +{ + struct in6_addr *addr =3D &addr_sk->sk_v6_daddr; + + return tcp_v6_ao_do_lookup(sk, addr, sndid, rcvid); +} + int tcp_v6_parse_ao(struct sock *sk, int cmd, sockptr_t optval, int optlen) { diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c index 741cbeb52117..f5780a3fbd1b 100644 --- a/net/ipv6/tcp_ipv6.c +++ b/net/ipv6/tcp_ipv6.c @@ -602,6 +602,7 @@ static int tcp_v6_parse_md5_keys(struct sock *sk, int o= ptname, { struct tcp_md5sig cmd; struct sockaddr_in6 *sin6 =3D (struct sockaddr_in6 *)&cmd.tcpm_addr; + union tcp_ao_addr *addr; int l3index =3D 0; u8 prefixlen; u8 flags; @@ -656,13 +657,24 @@ static int tcp_v6_parse_md5_keys(struct sock *sk, int= optname, if (cmd.tcpm_keylen > TCP_MD5SIG_MAXKEYLEN) return -EINVAL; =20 - if (ipv6_addr_v4mapped(&sin6->sin6_addr)) - return tcp_md5_do_add(sk, (union tcp_md5_addr *)&sin6->sin6_addr.s6_addr= 32[3], + if (ipv6_addr_v4mapped(&sin6->sin6_addr)) { + addr =3D (union tcp_md5_addr *)&sin6->sin6_addr.s6_addr32[3]; + + /* Don't allow keys for peers that have a matching TCP-AO key */ + if (tcp_ao_do_lookup(sk, addr, AF_INET, -1, -1, 0)) + return -EKEYREJECTED; + return tcp_md5_do_add(sk, addr, AF_INET, prefixlen, l3index, flags, cmd.tcpm_key, cmd.tcpm_keylen); + } + + addr =3D (union tcp_md5_addr *)&sin6->sin6_addr; + + /* Don't allow keys for peers that have a matching TCP-AO key */ + if (tcp_ao_do_lookup(sk, addr, AF_INET6, -1, -1, 0)) + return -EKEYREJECTED; =20 - return tcp_md5_do_add(sk, (union tcp_md5_addr *)&sin6->sin6_addr, - AF_INET6, prefixlen, l3index, flags, + return tcp_md5_do_add(sk, addr, AF_INET6, prefixlen, l3index, flags, cmd.tcpm_key, cmd.tcpm_keylen); } =20 @@ -1891,6 +1903,7 @@ static const struct tcp_sock_af_ops tcp_sock_ipv6_spe= cific =3D { .md5_parse =3D tcp_v6_parse_md5_keys, #endif #ifdef CONFIG_TCP_AO + .ao_lookup =3D tcp_v6_ao_lookup, .ao_parse =3D tcp_v6_parse_ao, #endif }; @@ -1922,6 +1935,7 @@ static const struct tcp_sock_af_ops tcp_sock_ipv6_map= ped_specific =3D { .md5_parse =3D tcp_v6_parse_md5_keys, #endif #ifdef CONFIG_TCP_AO + .ao_lookup =3D tcp_v6_ao_lookup, .ao_parse =3D tcp_v6_parse_ao, #endif }; --=20 2.37.2 From nobody Fri Apr 10 21:51:38 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 56BB4C32772 for ; Thu, 18 Aug 2022 17:02:09 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1345343AbiHRRCH (ORCPT ); Thu, 18 Aug 2022 13:02:07 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60772 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1345396AbiHRRAm (ORCPT ); Thu, 18 Aug 2022 13:00:42 -0400 Received: from mail-wm1-x335.google.com (mail-wm1-x335.google.com [IPv6:2a00:1450:4864:20::335]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id AE05DBA9C7 for ; Thu, 18 Aug 2022 10:00:29 -0700 (PDT) Received: by mail-wm1-x335.google.com with SMTP id s23so1125034wmj.4 for ; Thu, 18 Aug 2022 10:00:29 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=arista.com; s=google; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc; bh=NaAMdxikwdCASFx+O2wuQD5WHNH6NeVbcXC6Hzk5+Vo=; b=DeKq6CJh9m11i3wXpmJfo3O3SCu+gwNAuOrOJNtU2YkkmuKS3QsVqBvjUtet0CTLnq Rm+jRqzuqaEC1QMHBSH2i5FsnSbubGXB8N39P+cDvIdMBMn3kwi9nbtCMKUwiGm40+xX y6IXQpsUd+4c3YNzXKesk5t0kIhTJyymjIpSbP98i6fXUxPsE0QGdE4SpIQMbmEZu0Na gX17WsX9yaL1aRiNy1HbIfgFk4oij15fEe2wDmIlryp4oHRj/pqQmApTaOXFygSN0jSM 0P4yRdxcLPEpB22l6PmclliDU8tQVv7F+PEtslAuWqWZx9169urdxut48dVTMcYgjoju qmXQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc; bh=NaAMdxikwdCASFx+O2wuQD5WHNH6NeVbcXC6Hzk5+Vo=; b=sCrLNvqyrFSD51n8Rjlc2DVH/BMEJ6oIOeHm97Pb8CwTdp8Hyis4N6Nf/Dg6seK+CR uHgjT6OKv/XZhqvn9mB4BLXLrLfawlFCOEqxx4nhF2N0b5ReKjp66ME7ec+sZ3m7I0Zy fqPzyU1kBidBDg9XA20TLDo0B5yn89h53y8kejvI3ZNBrPfxSVxdnrfaE5gpUvbFhI8r 6AyBYwIsnAAYlfXvXS69mIYW28Zsd6IxBreQ8ysTdEZ4OpS6Xfm46PLr+rO3UL667ZUu KFXFyO6vk21JB9aEvIPpsqLKhZ7xYDP0pB+smV6SOxeZKW6VvhYvQq98aIseMvopD/rZ 3VbA== X-Gm-Message-State: ACgBeo1GAneAtNkLx8+W4yU2Thgd/qFVDAnxS0Bml2Q+biT9TP58YUWO f1wL2JNUQ5vGq919D/ycV1/wsw== X-Google-Smtp-Source: AA6agR6nSFtmOwMzjZypU/cmhUh8S++/ZW71oMWDX9rz4W5zDIPXaYu/xmVsua7s7YijKpo76oi3HA== X-Received: by 2002:a05:600c:198e:b0:3a6:2a00:3df3 with SMTP id t14-20020a05600c198e00b003a62a003df3mr1718558wmq.79.1660842028184; Thu, 18 Aug 2022 10:00:28 -0700 (PDT) Received: from Mindolluin.ire.aristanetworks.com ([217.173.96.166]) by smtp.gmail.com with ESMTPSA id be13-20020a05600c1e8d00b003a511e92abcsm2662169wmb.34.2022.08.18.10.00.26 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 18 Aug 2022 10:00:27 -0700 (PDT) From: Dmitry Safonov To: Eric Dumazet , "David S. Miller" , linux-kernel@vger.kernel.org Cc: Dmitry Safonov , Andy Lutomirski , Ard Biesheuvel , Bob Gilligan , David Ahern , Dmitry Safonov <0x7f454c46@gmail.com>, Eric Biggers , Francesco Ruggeri , Herbert Xu , Hideaki YOSHIFUJI , Ivan Delalande , Jakub Kicinski , Leonard Crestez , Paolo Abeni , Salam Noureddine , Shuah Khan , netdev@vger.kernel.org, linux-crypto@vger.kernel.org Subject: [PATCH 10/31] net/tcp: Calculate TCP-AO traffic keys Date: Thu, 18 Aug 2022 17:59:44 +0100 Message-Id: <20220818170005.747015-11-dima@arista.com> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220818170005.747015-1-dima@arista.com> References: <20220818170005.747015-1-dima@arista.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" Add traffic key calculation the way it's described in RFC5926. Wire it up to tcp_finish_connect() and cache the new keys straight away on already established TCP connections. Co-developed-by: Francesco Ruggeri Signed-off-by: Francesco Ruggeri Co-developed-by: Salam Noureddine Signed-off-by: Salam Noureddine Signed-off-by: Dmitry Safonov --- include/net/tcp.h | 5 ++ include/net/tcp_ao.h | 44 ++++++++++- net/ipv4/tcp_ao.c | 176 ++++++++++++++++++++++++++++++++++++++++++ net/ipv4/tcp_input.c | 1 + net/ipv4/tcp_ipv4.c | 1 + net/ipv4/tcp_output.c | 1 + net/ipv6/tcp_ao.c | 40 ++++++++++ net/ipv6/tcp_ipv6.c | 1 + 8 files changed, 268 insertions(+), 1 deletion(-) diff --git a/include/net/tcp.h b/include/net/tcp.h index 9c71f48cc99c..e140ae4fe653 100644 --- a/include/net/tcp.h +++ b/include/net/tcp.h @@ -2078,6 +2078,11 @@ struct tcp_sock_af_ops { struct tcp_ao_key *(*ao_lookup)(const struct sock *sk, struct sock *addr_sk, int sndid, int rcvid); + int (*ao_calc_key_sk)(struct tcp_ao_key *mkt, + u8 *key, + const struct sock *sk, + __be32 sisn, __be32 disn, + bool send); #endif }; =20 diff --git a/include/net/tcp_ao.h b/include/net/tcp_ao.h index c550f1a6f5fd..f83a4d09a4ce 100644 --- a/include/net/tcp_ao.h +++ b/include/net/tcp_ao.h @@ -88,9 +88,33 @@ struct tcp_ao_info { }; =20 #ifdef CONFIG_TCP_AO +/* TCP-AO structures and functions */ + +struct tcp4_ao_context { + __be32 saddr; + __be32 daddr; + __be16 sport; + __be16 dport; + __be32 sisn; + __be32 disn; +}; + +struct tcp6_ao_context { + struct in6_addr saddr; + struct in6_addr daddr; + __be16 sport; + __be16 dport; + __be32 sisn; + __be32 disn; +}; + int tcp_parse_ao(struct sock *sk, int cmd, unsigned short int family, sockptr_t optval, int optlen); +int tcp_ao_calc_traffic_key(struct tcp_ao_key *mkt, u8 *key, void *ctx, + unsigned int len); void tcp_ao_destroy_sock(struct sock *sk); +int tcp_ao_cache_traffic_keys(const struct sock *sk, struct tcp_ao_info *a= o, + struct tcp_ao_key *ao_key); struct tcp_ao_key *tcp_ao_do_lookup(const struct sock *sk, const union tcp_ao_addr *addr, int family, int sndid, int rcvid, u16 port); @@ -98,13 +122,23 @@ struct tcp_ao_key *tcp_ao_do_lookup(const struct sock = *sk, int tcp_v4_parse_ao(struct sock *sk, int optname, sockptr_t optval, int op= tlen); struct tcp_ao_key *tcp_v4_ao_lookup(const struct sock *sk, struct sock *ad= dr_sk, int sndid, int rcvid); +int tcp_v4_ao_calc_key_sk(struct tcp_ao_key *mkt, u8 *key, + const struct sock *sk, + __be32 sisn, __be32 disn, bool send); /* ipv6 specific functions */ +int tcp_v6_ao_calc_key_sk(struct tcp_ao_key *mkt, u8 *key, + const struct sock *sk, __be32 sisn, + __be32 disn, bool send); struct tcp_ao_key *tcp_v6_ao_lookup(const struct sock *sk, struct sock *addr_sk, int sndid, int rcvid); int tcp_v6_parse_ao(struct sock *sk, int cmd, sockptr_t optval, int optlen); -#else +void tcp_ao_finish_connect(struct sock *sk, struct sk_buff *skb); +void tcp_ao_connect_init(struct sock *sk); + +#else /* CONFIG_TCP_AO */ + static inline struct tcp_ao_key *tcp_ao_do_lookup(const struct sock *sk, const union tcp_ao_addr *addr, int family, int sndid, int rcvid, u16 port) @@ -115,6 +149,14 @@ static inline struct tcp_ao_key *tcp_ao_do_lookup(cons= t struct sock *sk, static inline void tcp_ao_destroy_sock(struct sock *sk) { } + +static inline void tcp_ao_finish_connect(struct sock *sk, struct sk_buff *= skb) +{ +} + +static inline void tcp_ao_connect_init(struct sock *sk) +{ +} #endif =20 #endif /* _TCP_AO_H */ diff --git a/net/ipv4/tcp_ao.c b/net/ipv4/tcp_ao.c index be68eb6b4a92..60fe385fda1c 100644 --- a/net/ipv4/tcp_ao.c +++ b/net/ipv4/tcp_ao.c @@ -16,6 +16,42 @@ #include #include =20 +int tcp_ao_calc_traffic_key(struct tcp_ao_key *mkt, u8 *key, void *ctx, + unsigned int len) +{ + struct crypto_pool_ahash hp; + struct scatterlist sg; + int ret; + + if (crypto_pool_get(mkt->crypto_pool_id, (struct crypto_pool *)&hp)) + goto clear_hash_noput; + + if (crypto_ahash_setkey(crypto_ahash_reqtfm(hp.req), + mkt->key, mkt->keylen)) + goto clear_hash; + + ret =3D crypto_ahash_init(hp.req); + if (ret) + goto clear_hash; + + sg_init_one(&sg, ctx, len); + ahash_request_set_crypt(hp.req, &sg, key, len); + crypto_ahash_update(hp.req); + + /* TODO: Revisit on how to get different output length */ + ret =3D crypto_ahash_final(hp.req); + if (ret) + goto clear_hash; + + crypto_pool_put(); + return 0; +clear_hash: + crypto_pool_put(); +clear_hash_noput: + memset(key, 0, tcp_ao_digest_size(mkt)); + return 1; +} + struct tcp_ao_key *tcp_ao_do_lookup_rcvid(struct sock *sk, u8 keyid) { struct tcp_sock *tp =3D tcp_sk(sk); @@ -176,6 +212,47 @@ void tcp_ao_destroy_sock(struct sock *sk) kfree_rcu(ao, rcu); } =20 +/* 4 tuple and ISNs are expected in NBO */ +static int tcp_v4_ao_calc_key(struct tcp_ao_key *mkt, u8 *key, + __be32 saddr, __be32 daddr, + __be16 sport, __be16 dport, + __be32 sisn, __be32 disn) +{ + /* See RFC5926 3.1.1 */ + struct kdf_input_block { + u8 counter; + u8 label[6]; + struct tcp4_ao_context ctx; + __be16 outlen; + } __packed tmp; + + tmp.counter =3D 1; + memcpy(tmp.label, "TCP-AO", 6); + tmp.ctx.saddr =3D saddr; + tmp.ctx.daddr =3D daddr; + tmp.ctx.sport =3D sport; + tmp.ctx.dport =3D dport; + tmp.ctx.sisn =3D sisn; + tmp.ctx.disn =3D disn; + tmp.outlen =3D htons(tcp_ao_digest_size(mkt) * 8); /* in bits */ + + return tcp_ao_calc_traffic_key(mkt, key, &tmp, sizeof(tmp)); +} + +int tcp_v4_ao_calc_key_sk(struct tcp_ao_key *mkt, u8 *key, + const struct sock *sk, + __be32 sisn, __be32 disn, bool send) +{ + if (send) + return tcp_v4_ao_calc_key(mkt, key, sk->sk_rcv_saddr, + sk->sk_daddr, htons(sk->sk_num), + sk->sk_dport, sisn, disn); + else + return tcp_v4_ao_calc_key(mkt, key, sk->sk_daddr, + sk->sk_rcv_saddr, sk->sk_dport, + htons(sk->sk_num), disn, sisn); +} + struct tcp_ao_key *tcp_v4_ao_lookup(const struct sock *sk, struct sock *ad= dr_sk, int sndid, int rcvid) { @@ -184,6 +261,99 @@ struct tcp_ao_key *tcp_v4_ao_lookup(const struct sock = *sk, struct sock *addr_sk, return tcp_ao_do_lookup(sk, addr, AF_INET, sndid, rcvid, 0); } =20 +int tcp_ao_cache_traffic_keys(const struct sock *sk, struct tcp_ao_info *a= o, + struct tcp_ao_key *ao_key) +{ + u8 *traffic_key =3D snd_other_key(ao_key); + int ret; + + ret =3D tcp_sk(sk)->af_specific->ao_calc_key_sk(ao_key, traffic_key, sk, + ao->lisn, ao->risn, true); + if (ret) + return ret; + + traffic_key =3D rcv_other_key(ao_key); + return tcp_sk(sk)->af_specific->ao_calc_key_sk(ao_key, traffic_key, sk, + ao->lisn, ao->risn, + false); +} + +void tcp_ao_connect_init(struct sock *sk) +{ + struct tcp_ao_info *ao_info; + struct tcp_ao_key *key; + struct tcp_sock *tp =3D tcp_sk(sk); + union tcp_ao_addr *addr; + int family; + + ao_info =3D rcu_dereference_protected(tp->ao_info, + lockdep_sock_is_held(sk)); + if (!ao_info) + return; + + /* Remove all keys that don't match the peer */ + family =3D sk->sk_family; + if (family =3D=3D AF_INET) + addr =3D (union tcp_ao_addr *)&sk->sk_daddr; + else + addr =3D (union tcp_ao_addr *)&sk->sk_v6_daddr; + + hlist_for_each_entry_rcu(key, &ao_info->head, node) { + if (tcp_ao_key_cmp(key, addr, key->prefixlen, family, + -1, -1, sk->sk_dport) =3D=3D 0) + continue; + + if (key =3D=3D ao_info->current_key) + ao_info->current_key =3D NULL; + if (key =3D=3D ao_info->rnext_key) + ao_info->rnext_key =3D NULL; + hlist_del_rcu(&key->node); + crypto_pool_release(key->crypto_pool_id); + atomic_sub(tcp_ao_sizeof_key(key), &sk->sk_omem_alloc); + kfree_rcu(key, rcu); + } + + key =3D tp->af_specific->ao_lookup(sk, sk, -1, -1); + if (key) { + /* if current_key or rnext_key were not provided, + * use the first key matching the peer + */ + if (!ao_info->current_key) + ao_info->current_key =3D key; + if (!ao_info->rnext_key) + ao_info->rnext_key =3D key; + tp->tcp_header_len +=3D tcp_ao_len(key); + + ao_info->lisn =3D htonl(tp->write_seq); + ao_info->snd_sne =3D 0; + ao_info->snd_sne_seq =3D tp->write_seq; + } else { + WARN_ON_ONCE(1); + kfree(tp->ao_info); + rcu_assign_pointer(tp->ao_info, NULL); + } +} + +void tcp_ao_finish_connect(struct sock *sk, struct sk_buff *skb) +{ + struct tcp_ao_info *ao; + struct tcp_ao_key *key; + + ao =3D rcu_dereference_protected(tcp_sk(sk)->ao_info, + lockdep_sock_is_held(sk)); + if (!ao) + return; + + ao->risn =3D tcp_hdr(skb)->seq; + + ao->rcv_sne =3D 0; + ao->rcv_sne_seq =3D ntohl(tcp_hdr(skb)->seq); + + hlist_for_each_entry_rcu(key, &ao->head, node) { + tcp_ao_cache_traffic_keys(sk, ao, key); + } +} + static int tcp_ao_current_rnext(struct sock *sk, u16 tcpa_flags, u8 tcpa_sndid, u8 tcpa_rcvid) { @@ -662,6 +832,12 @@ static int tcp_ao_add_cmd(struct sock *sk, unsigned sh= ort int family, if (ret < 0) goto err_free_sock; =20 + /* Change this condition if we allow adding keys in states + * like close_wait, syn_sent or fin_wait... + */ + if (sk->sk_state =3D=3D TCP_ESTABLISHED) + tcp_ao_cache_traffic_keys(sk, ao_info, key); + tcp_ao_link_mkt(ao_info, key); if (first) { sk_gso_disable(sk); diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c index ab5f0ea166f1..a5d6c7f1ead3 100644 --- a/net/ipv4/tcp_input.c +++ b/net/ipv4/tcp_input.c @@ -6039,6 +6039,7 @@ void tcp_finish_connect(struct sock *sk, struct sk_bu= ff *skb) struct tcp_sock *tp =3D tcp_sk(sk); struct inet_connection_sock *icsk =3D inet_csk(sk); =20 + tcp_ao_finish_connect(sk, skb); tcp_set_state(sk, TCP_ESTABLISHED); icsk->icsk_ack.lrcvtime =3D tcp_jiffies32; =20 diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c index fc65d64b9570..64fea0945901 100644 --- a/net/ipv4/tcp_ipv4.c +++ b/net/ipv4/tcp_ipv4.c @@ -2246,6 +2246,7 @@ static const struct tcp_sock_af_ops tcp_sock_ipv4_spe= cific =3D { #ifdef CONFIG_TCP_AO .ao_lookup =3D tcp_v4_ao_lookup, .ao_parse =3D tcp_v4_parse_ao, + .ao_calc_key_sk =3D tcp_v4_ao_calc_key_sk, #endif }; #endif diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c index 243ff6b99d17..ee0c642a87e5 100644 --- a/net/ipv4/tcp_output.c +++ b/net/ipv4/tcp_output.c @@ -3661,6 +3661,7 @@ static void tcp_connect_init(struct sock *sk) if (tp->af_specific->md5_lookup(sk, sk)) tp->tcp_header_len +=3D TCPOLEN_MD5SIG_ALIGNED; #endif + tcp_ao_connect_init(sk); =20 /* If user gave his TCP_MAXSEG, record it to clamp */ if (tp->rx_opt.user_mss) diff --git a/net/ipv6/tcp_ao.c b/net/ipv6/tcp_ao.c index 221b8adb4f73..888ee6242334 100644 --- a/net/ipv6/tcp_ao.c +++ b/net/ipv6/tcp_ao.c @@ -13,6 +13,46 @@ #include #include =20 +int tcp_v6_ao_calc_key(struct tcp_ao_key *mkt, u8 *key, + const struct in6_addr *saddr, + const struct in6_addr *daddr, + __be16 sport, __be16 dport, + __be32 sisn, __be32 disn) +{ + struct kdf_input_block { + u8 counter; + u8 label[6]; + struct tcp6_ao_context ctx; + __be16 outlen; + } __packed tmp; + + tmp.counter =3D 1; + memcpy(tmp.label, "TCP-AO", 6); + tmp.ctx.saddr =3D *saddr; + tmp.ctx.daddr =3D *daddr; + tmp.ctx.sport =3D sport; + tmp.ctx.dport =3D dport; + tmp.ctx.sisn =3D sisn; + tmp.ctx.disn =3D disn; + tmp.outlen =3D htons(tcp_ao_digest_size(mkt) * 8); /* in bits */ + + return tcp_ao_calc_traffic_key(mkt, key, &tmp, sizeof(tmp)); +} + +int tcp_v6_ao_calc_key_sk(struct tcp_ao_key *mkt, u8 *key, + const struct sock *sk, __be32 sisn, + __be32 disn, bool send) +{ + if (send) + return tcp_v6_ao_calc_key(mkt, key, &sk->sk_v6_rcv_saddr, + &sk->sk_v6_daddr, htons(sk->sk_num), + sk->sk_dport, sisn, disn); + else + return tcp_v6_ao_calc_key(mkt, key, &sk->sk_v6_daddr, + &sk->sk_v6_rcv_saddr, sk->sk_dport, + htons(sk->sk_num), disn, sisn); +} + struct tcp_ao_key *tcp_v6_ao_do_lookup(const struct sock *sk, const struct in6_addr *addr, int sndid, int rcvid) diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c index f5780a3fbd1b..c6d2389030f2 100644 --- a/net/ipv6/tcp_ipv6.c +++ b/net/ipv6/tcp_ipv6.c @@ -1905,6 +1905,7 @@ static const struct tcp_sock_af_ops tcp_sock_ipv6_spe= cific =3D { #ifdef CONFIG_TCP_AO .ao_lookup =3D tcp_v6_ao_lookup, .ao_parse =3D tcp_v6_parse_ao, + .ao_calc_key_sk =3D tcp_v6_ao_calc_key_sk, #endif }; #endif --=20 2.37.2 From nobody Fri Apr 10 21:51:38 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8EB41C32772 for ; Thu, 18 Aug 2022 17:02:12 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1345347AbiHRRCK (ORCPT ); Thu, 18 Aug 2022 13:02:10 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35046 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1345406AbiHRRAo (ORCPT ); Thu, 18 Aug 2022 13:00:44 -0400 Received: from mail-wm1-x32a.google.com (mail-wm1-x32a.google.com [IPv6:2a00:1450:4864:20::32a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 975ABBBA6D for ; Thu, 18 Aug 2022 10:00:31 -0700 (PDT) Received: by mail-wm1-x32a.google.com with SMTP id h1so1125715wmd.3 for ; Thu, 18 Aug 2022 10:00:31 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=arista.com; s=google; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc; bh=adOPuyKa6ZODuX7l8SnRWAbP8TLtKoVjWpgOTZ6hMSA=; b=Wvqr3G8TY1q22UlHeczcDC/IpVJCdZQX9TwwSrV+UNMqeibM1jRh8Hcq81/QXCarSe GllBn3o1ZEXAdD+gfIh3A2LBxrO7cmaFWS3YJC5y3KGujmNljvrzj9tKgYx4V6Os0Zxd ZZfDh4g7A18Nv8CH836Fn4MqptLTO/THy+A+tUio0FMR27lBTNxd9GK3behKOdOwUGfH VJ2IUg4M6yMTAfKtT6+hqlwvtbLxxdmS+e34rQWCYuVWu2Sve4v6K+GSjYL+brDbUQga Ad1o7yEm55Rzn4cHCr/vhJbdQhV0L/Fgy0d1SwYqpIYkNn8A5KiJgaByHctTU3x8KF7V 0+Fg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc; bh=adOPuyKa6ZODuX7l8SnRWAbP8TLtKoVjWpgOTZ6hMSA=; b=R398p5zP2uQCI9MTxPrOWE9wiTYnp1jYTDx0NhCig7CIQ+1aGX3Ts8t85jxcEtZTmp oaiz91A+LYgGwZetdWUHtUCAcuxTB0ufzkYVQatVx0fXP0/Hzgt7wHot5JneTJYvMlY/ tLcsNqemox7/MskHckXQEdg32YcqZtFIQ+CwYLoY+cgcv8JK8q0A2Z0ll5tcRfgu2mFN dQ6D37LdLaMt3sQLc4M+vyZMehumuMbNzX49rewiQI0hamcGdp8FZ1lOJnE/AKsbNWSq ytmPA9l+fsHfzkwCANWkhyxwNXh6ev7KrYw5TdUBkcfkpHQvWgonrHElFBC+vSVZgMNa MEvw== X-Gm-Message-State: ACgBeo2sGyR6GsL+X/b8sfkqx7q34JPR1IfZL4QPcNq5mbH6ZoWRhrH7 oBSNCFKiNP+oTfmNTRZpJR3ahA== X-Google-Smtp-Source: AA6agR7LrCLnDZhJ8O10uqXvX6CuIjSY23Gv990WF1xvfiG/iXndpbYl/pZBlalS78JT+G0XPEmmGA== X-Received: by 2002:a05:600c:4ed0:b0:3a6:de8:5e7d with SMTP id g16-20020a05600c4ed000b003a60de85e7dmr5645805wmq.181.1660842029646; Thu, 18 Aug 2022 10:00:29 -0700 (PDT) Received: from Mindolluin.ire.aristanetworks.com ([217.173.96.166]) by smtp.gmail.com with ESMTPSA id be13-20020a05600c1e8d00b003a511e92abcsm2662169wmb.34.2022.08.18.10.00.28 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 18 Aug 2022 10:00:29 -0700 (PDT) From: Dmitry Safonov To: Eric Dumazet , "David S. Miller" , linux-kernel@vger.kernel.org Cc: Dmitry Safonov , Andy Lutomirski , Ard Biesheuvel , Bob Gilligan , David Ahern , Dmitry Safonov <0x7f454c46@gmail.com>, Eric Biggers , Francesco Ruggeri , Herbert Xu , Hideaki YOSHIFUJI , Ivan Delalande , Jakub Kicinski , Leonard Crestez , Paolo Abeni , Salam Noureddine , Shuah Khan , netdev@vger.kernel.org, linux-crypto@vger.kernel.org Subject: [PATCH 11/31] net/tcp: Add TCP-AO sign to outgoing packets Date: Thu, 18 Aug 2022 17:59:45 +0100 Message-Id: <20220818170005.747015-12-dima@arista.com> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220818170005.747015-1-dima@arista.com> References: <20220818170005.747015-1-dima@arista.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" Using precalculated traffic keys, sign TCP segments as prescribed by RFC5925. Per RFC, TCP header options are included in sign calculation: "The TCP header, by default including options, and where the TCP checksum and TCP-AO MAC fields are set to zero, all in network- byte order." (5.1.3) tcp_ao_hash_header() has exclude_options parameter to optionally exclude TCP header from hash calculation, as described in RFC5925 (9.1), this is needed for interaction with middleboxes that may change "some TCP options". This is wired up to AO key flags and setsockopt() later. Similarly to TCP-MD5 hash TCP segment fragments. From this moment a user can start sending TCP-AO signed segments with one of crypto ahash algorithms from supported by Linux kernel. It can have a user-specified MAC length, to either save TCP option header space or provide higher protection using a longer signature. The inbound segments are not yet verified, TCP-AO option is ignored and they are accepted. Co-developed-by: Francesco Ruggeri Signed-off-by: Francesco Ruggeri Co-developed-by: Salam Noureddine Signed-off-by: Salam Noureddine Signed-off-by: Dmitry Safonov Reported-by: Dan Carpenter Reported-by: kernel test robot --- include/net/tcp.h | 8 ++ include/net/tcp_ao.h | 14 +++ net/ipv4/tcp_ao.c | 209 ++++++++++++++++++++++++++++++++++++++++++ net/ipv4/tcp_ipv4.c | 1 + net/ipv4/tcp_output.c | 121 +++++++++++++++++++++--- net/ipv6/tcp_ao.c | 27 ++++++ net/ipv6/tcp_ipv6.c | 2 + 7 files changed, 371 insertions(+), 11 deletions(-) diff --git a/include/net/tcp.h b/include/net/tcp.h index e140ae4fe653..d91a963f430d 100644 --- a/include/net/tcp.h +++ b/include/net/tcp.h @@ -26,6 +26,7 @@ #include #include #include +#include =20 #include #include @@ -187,6 +188,7 @@ void tcp_time_wait(struct sock *sk, int state, int time= o); #define TCPOPT_SACK 5 /* SACK Block */ #define TCPOPT_TIMESTAMP 8 /* Better RTT estimations/PAWS */ #define TCPOPT_MD5SIG 19 /* MD5 Signature (RFC2385) */ +#define TCPOPT_AO 29 /* Authentication Option (RFC5925) */ #define TCPOPT_MPTCP 30 /* Multipath TCP (RFC6824) */ #define TCPOPT_FASTOPEN 34 /* Fast open (RFC7413) */ #define TCPOPT_EXP 254 /* Experimental */ @@ -2078,6 +2080,12 @@ struct tcp_sock_af_ops { struct tcp_ao_key *(*ao_lookup)(const struct sock *sk, struct sock *addr_sk, int sndid, int rcvid); + int (*calc_ao_hash)(char *location, + struct tcp_ao_key *ao, + const struct sock *sk, + const struct sk_buff *skb, + const u8 *tkey, + int hash_offset, u32 sne); int (*ao_calc_key_sk)(struct tcp_ao_key *mkt, u8 *key, const struct sock *sk, diff --git a/include/net/tcp_ao.h b/include/net/tcp_ao.h index f83a4d09a4ce..f840b693d038 100644 --- a/include/net/tcp_ao.h +++ b/include/net/tcp_ao.h @@ -108,11 +108,16 @@ struct tcp6_ao_context { __be32 disn; }; =20 +int tcp_ao_hash_skb(unsigned short int family, + char *ao_hash, struct tcp_ao_key *key, + const struct sock *sk, const struct sk_buff *skb, + const u8 *tkey, int hash_offset, u32 sne); int tcp_parse_ao(struct sock *sk, int cmd, unsigned short int family, sockptr_t optval, int optlen); int tcp_ao_calc_traffic_key(struct tcp_ao_key *mkt, u8 *key, void *ctx, unsigned int len); void tcp_ao_destroy_sock(struct sock *sk); +u32 tcp_ao_compute_sne(u32 sne, u32 seq, u32 new_seq); int tcp_ao_cache_traffic_keys(const struct sock *sk, struct tcp_ao_info *a= o, struct tcp_ao_key *ao_key); struct tcp_ao_key *tcp_ao_do_lookup(const struct sock *sk, @@ -125,13 +130,22 @@ struct tcp_ao_key *tcp_v4_ao_lookup(const struct sock= *sk, struct sock *addr_sk, int tcp_v4_ao_calc_key_sk(struct tcp_ao_key *mkt, u8 *key, const struct sock *sk, __be32 sisn, __be32 disn, bool send); +int tcp_v4_ao_hash_skb(char *ao_hash, struct tcp_ao_key *key, + const struct sock *sk, const struct sk_buff *skb, + const u8 *tkey, int hash_offset, u32 sne); /* ipv6 specific functions */ +int tcp_v6_ao_hash_pseudoheader(struct crypto_pool_ahash *hp, + const struct in6_addr *daddr, + const struct in6_addr *saddr, int nbytes); int tcp_v6_ao_calc_key_sk(struct tcp_ao_key *mkt, u8 *key, const struct sock *sk, __be32 sisn, __be32 disn, bool send); struct tcp_ao_key *tcp_v6_ao_lookup(const struct sock *sk, struct sock *addr_sk, int sndid, int rcvid); +int tcp_v6_ao_hash_skb(char *ao_hash, struct tcp_ao_key *key, + const struct sock *sk, const struct sk_buff *skb, + const u8 *tkey, int hash_offset, u32 sne); int tcp_v6_parse_ao(struct sock *sk, int cmd, sockptr_t optval, int optlen); void tcp_ao_finish_connect(struct sock *sk, struct sk_buff *skb); diff --git a/net/ipv4/tcp_ao.c b/net/ipv4/tcp_ao.c index 60fe385fda1c..ec3ab0c3dc77 100644 --- a/net/ipv4/tcp_ao.c +++ b/net/ipv4/tcp_ao.c @@ -253,6 +253,215 @@ int tcp_v4_ao_calc_key_sk(struct tcp_ao_key *mkt, u8 = *key, htons(sk->sk_num), disn, sisn); } =20 +static int tcp_v4_ao_hash_pseudoheader(struct crypto_pool_ahash *hp, + __be32 daddr, __be32 saddr, + int nbytes) +{ + struct tcp4_pseudohdr *bp; + struct scatterlist sg; + + bp =3D hp->base.scratch; + bp->saddr =3D saddr; + bp->daddr =3D daddr; + bp->pad =3D 0; + bp->protocol =3D IPPROTO_TCP; + bp->len =3D cpu_to_be16(nbytes); + + sg_init_one(&sg, bp, sizeof(*bp)); + ahash_request_set_crypt(hp->req, &sg, NULL, sizeof(*bp)); + return crypto_ahash_update(hp->req); +} + +static int tcp_ao_hash_pseudoheader(unsigned short int family, + const struct sock *sk, + const struct sk_buff *skb, + struct crypto_pool_ahash *hp, int nbytes) +{ + const struct tcphdr *th =3D tcp_hdr(skb); + + /* TODO: Can we rely on checksum being zero to mean outbound pkt? */ + if (!th->check) { + if (family =3D=3D AF_INET) + return tcp_v4_ao_hash_pseudoheader(hp, sk->sk_daddr, + sk->sk_rcv_saddr, skb->len); + else + return tcp_v6_ao_hash_pseudoheader(hp, &sk->sk_v6_daddr, + &sk->sk_v6_rcv_saddr, skb->len); + } + + if (family =3D=3D AF_INET) { + const struct iphdr *iph =3D ip_hdr(skb); + + return tcp_v4_ao_hash_pseudoheader(hp, iph->daddr, + iph->saddr, skb->len); + } else { + const struct ipv6hdr *iph =3D ipv6_hdr(skb); + + return tcp_v6_ao_hash_pseudoheader(hp, &iph->daddr, + &iph->saddr, skb->len); + } +} + +u32 tcp_ao_compute_sne(u32 prev_sne, u32 prev_seq, u32 seq) +{ + u32 sne =3D prev_sne; + + if (before(seq, prev_seq)) { + if (seq > prev_seq) + sne--; + } else { + if (seq < prev_seq) + sne++; + } + + return sne; +} + +/* tcp_ao_hash_sne(struct crypto_pool_ahash *hp) + * @hp - used for hashing + * @sne - sne value + */ +static int tcp_ao_hash_sne(struct crypto_pool_ahash *hp, u32 sne) +{ + struct scatterlist sg; + __be32 *bp; + + bp =3D (__be32 *)hp->base.scratch; + *bp =3D htonl(sne); + + sg_init_one(&sg, bp, sizeof(*bp)); + ahash_request_set_crypt(hp->req, &sg, NULL, sizeof(*bp)); + return crypto_ahash_update(hp->req); +} + +static int tcp_ao_hash_header(struct crypto_pool_ahash *hp, + const struct tcphdr *th, + bool exclude_options, u8 *hash, + int hash_offset, int hash_len) +{ + struct scatterlist sg; + u8 *hdr =3D hp->base.scratch; + int err, len =3D th->doff << 2; + + /* We are not allowed to change tcphdr, make a local copy */ + if (exclude_options) { + len =3D sizeof(*th) + sizeof(struct tcp_ao_hdr) + hash_len; + memcpy(hdr, th, sizeof(*th)); + memcpy(hdr + sizeof(*th), + (u8 *)th + hash_offset - sizeof(struct tcp_ao_hdr), + sizeof(struct tcp_ao_hdr)); + memset(hdr + sizeof(*th) + sizeof(struct tcp_ao_hdr), + 0, hash_len); + ((struct tcphdr *)hdr)->check =3D 0; + } else { + len =3D th->doff << 2; + memcpy(hdr, th, len); + /* zero out tcp-ao hash */ + ((struct tcphdr *)hdr)->check =3D 0; + memset(hdr + hash_offset, 0, hash_len); + } + + sg_init_one(&sg, hdr, len); + ahash_request_set_crypt(hp->req, &sg, NULL, len); + err =3D crypto_ahash_update(hp->req); + WARN_ON_ONCE(err !=3D 0); + return err; +} + +static int tcp_ao_hash_skb_data(struct crypto_pool_ahash *hp, + const struct sk_buff *skb, + unsigned int header_len) +{ + struct scatterlist sg; + const struct tcphdr *tp =3D tcp_hdr(skb); + struct ahash_request *req =3D hp->req; + unsigned int i; + const unsigned int head_data_len =3D skb_headlen(skb) > header_len ? + skb_headlen(skb) - header_len : 0; + const struct skb_shared_info *shi =3D skb_shinfo(skb); + struct sk_buff *frag_iter; + + WARN_ON(skb_headlen(skb) < header_len); + + sg_init_table(&sg, 1); + + sg_set_buf(&sg, ((u8 *)tp) + header_len, head_data_len); + ahash_request_set_crypt(req, &sg, NULL, head_data_len); + if (crypto_ahash_update(req)) + return 1; + + for (i =3D 0; i < shi->nr_frags; ++i) { + const skb_frag_t *f =3D &shi->frags[i]; + unsigned int offset =3D skb_frag_off(f); + struct page *page =3D skb_frag_page(f) + (offset >> PAGE_SHIFT); + + sg_set_page(&sg, page, skb_frag_size(f), + offset_in_page(offset)); + ahash_request_set_crypt(req, &sg, NULL, skb_frag_size(f)); + if (crypto_ahash_update(req)) + return 1; + } + + skb_walk_frags(skb, frag_iter) + if (tcp_ao_hash_skb_data(hp, frag_iter, 0)) + return 1; + + return 0; +} + +int tcp_ao_hash_skb(unsigned short int family, + char *ao_hash, struct tcp_ao_key *key, + const struct sock *sk, const struct sk_buff *skb, + const u8 *tkey, int hash_offset, u32 sne) +{ + const struct tcphdr *th =3D tcp_hdr(skb); + int tkey_len =3D tcp_ao_digest_size(key); + __u8 tmp_hash[TCP_AO_MAX_HASH_SIZE] __tcp_ao_key_align; + struct crypto_pool_ahash hp; + + if (crypto_pool_get(key->crypto_pool_id, (struct crypto_pool *)&hp)) + goto clear_hash_noput; + + if (crypto_ahash_setkey(crypto_ahash_reqtfm(hp.req), tkey, tkey_len)) + goto clear_hash; + + /* For now use sha1 by default. Depends on alg in tcp_ao_key */ + if (crypto_ahash_init(hp.req)) + goto clear_hash; + + if (tcp_ao_hash_sne(&hp, sne)) + goto clear_hash; + if (tcp_ao_hash_pseudoheader(family, sk, skb, &hp, skb->len)) + goto clear_hash; + if (tcp_ao_hash_header(&hp, th, false, + ao_hash, hash_offset, tcp_ao_maclen(key))) + goto clear_hash; + if (tcp_ao_hash_skb_data(&hp, skb, th->doff << 2)) + goto clear_hash; + ahash_request_set_crypt(hp.req, NULL, tmp_hash, 0); + if (crypto_ahash_final(hp.req)) + goto clear_hash; + + memcpy(ao_hash, tmp_hash, tcp_ao_maclen(key)); + crypto_pool_put(); + return 0; + +clear_hash: + crypto_pool_put(); +clear_hash_noput: + memset(ao_hash, 0, tcp_ao_maclen(key)); + return 1; +} +EXPORT_SYMBOL(tcp_ao_hash_skb); + +int tcp_v4_ao_hash_skb(char *ao_hash, struct tcp_ao_key *key, + const struct sock *sk, const struct sk_buff *skb, + const u8 *tkey, int hash_offset, u32 sne) +{ + return tcp_ao_hash_skb(AF_INET, ao_hash, key, sk, skb, + tkey, hash_offset, sne); +} + struct tcp_ao_key *tcp_v4_ao_lookup(const struct sock *sk, struct sock *ad= dr_sk, int sndid, int rcvid) { diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c index 64fea0945901..f6fe9ec1c99d 100644 --- a/net/ipv4/tcp_ipv4.c +++ b/net/ipv4/tcp_ipv4.c @@ -2245,6 +2245,7 @@ static const struct tcp_sock_af_ops tcp_sock_ipv4_spe= cific =3D { #endif #ifdef CONFIG_TCP_AO .ao_lookup =3D tcp_v4_ao_lookup, + .calc_ao_hash =3D tcp_v4_ao_hash_skb, .ao_parse =3D tcp_v4_parse_ao, .ao_calc_key_sk =3D tcp_v4_ao_calc_key_sk, #endif diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c index ee0c642a87e5..26315cac09dd 100644 --- a/net/ipv4/tcp_output.c +++ b/net/ipv4/tcp_output.c @@ -413,6 +413,7 @@ static inline bool tcp_urg_mode(const struct tcp_sock *= tp) #define OPTION_FAST_OPEN_COOKIE BIT(8) #define OPTION_SMC BIT(9) #define OPTION_MPTCP BIT(10) +#define OPTION_AO BIT(11) =20 static void smc_options_write(__be32 *ptr, u16 *options) { @@ -605,7 +606,8 @@ static void bpf_skops_write_hdr_opt(struct sock *sk, st= ruct sk_buff *skb, * (but it may well be that other scenarios fail similarly). */ static void tcp_options_write(struct tcphdr *th, struct tcp_sock *tp, - struct tcp_out_options *opts) + struct tcp_out_options *opts, + struct tcp_ao_key *ao_key) { __be32 *ptr =3D (__be32 *)(th + 1); u16 options =3D opts->options; /* mungable copy */ @@ -617,7 +619,32 @@ static void tcp_options_write(struct tcphdr *th, struc= t tcp_sock *tp, opts->hash_location =3D (__u8 *)ptr; ptr +=3D 4; } - +#ifdef CONFIG_TCP_AO + if (unlikely(OPTION_AO & options)) { + u8 maclen; + + if (tp) { + struct tcp_ao_info *ao_info; + + ao_info =3D rcu_dereference_check(tp->ao_info, + lockdep_sock_is_held(&tp->inet_conn.icsk_inet.sk)); + if (WARN_ON_ONCE(!ao_key || !ao_info || !ao_info->rnext_key)) + goto out_ao; + maclen =3D tcp_ao_maclen(ao_key); + *ptr++ =3D htonl((TCPOPT_AO << 24) | + (tcp_ao_len(ao_key) << 16) | + (ao_key->sndid << 8) | + (ao_info->rnext_key->rcvid)); + } + opts->hash_location =3D (__u8 *)ptr; + ptr +=3D maclen / sizeof(*ptr); + if (unlikely(maclen % sizeof(*ptr))) { + memset(ptr, TCPOPT_NOP, sizeof(*ptr)); + ptr++; + } + } +out_ao: +#endif if (unlikely(opts->mss)) { *ptr++ =3D htonl((TCPOPT_MSS << 24) | (TCPOLEN_MSS << 16) | @@ -758,7 +785,8 @@ static void mptcp_set_option_cond(const struct request_= sock *req, */ static unsigned int tcp_syn_options(struct sock *sk, struct sk_buff *skb, struct tcp_out_options *opts, - struct tcp_md5sig_key **md5) + struct tcp_md5sig_key **md5, + struct tcp_ao_key *ao_key) { struct tcp_sock *tp =3D tcp_sk(sk); unsigned int remaining =3D MAX_TCP_OPTION_SPACE; @@ -775,6 +803,12 @@ static unsigned int tcp_syn_options(struct sock *sk, s= truct sk_buff *skb, } } #endif +#ifdef CONFIG_TCP_AO + if (ao_key) { + opts->options |=3D OPTION_AO; + remaining -=3D tcp_ao_len(ao_key); + } +#endif =20 /* We always get an MSS option. The option bytes which will be seen in * normal data packets should timestamps be used, must be in the MSS @@ -842,6 +876,7 @@ static unsigned int tcp_synack_options(const struct soc= k *sk, unsigned int mss, struct sk_buff *skb, struct tcp_out_options *opts, const struct tcp_md5sig_key *md5, + const struct tcp_ao_key *ao, struct tcp_fastopen_cookie *foc, enum tcp_synack_type synack_type, struct sk_buff *syn_skb) @@ -863,6 +898,14 @@ static unsigned int tcp_synack_options(const struct so= ck *sk, ireq->tstamp_ok &=3D !ireq->sack_ok; } #endif +#ifdef CONFIG_TCP_AO + if (ao) { + opts->options |=3D OPTION_AO; + remaining -=3D tcp_ao_len(ao); + ireq->tstamp_ok &=3D !ireq->sack_ok; + } +#endif + WARN_ON_ONCE(md5 && ao); =20 /* We always send an MSS option. */ opts->mss =3D mss; @@ -912,7 +955,8 @@ static unsigned int tcp_synack_options(const struct soc= k *sk, */ static unsigned int tcp_established_options(struct sock *sk, struct sk_buf= f *skb, struct tcp_out_options *opts, - struct tcp_md5sig_key **md5) + struct tcp_md5sig_key **md5, + struct tcp_ao_key *ao_key) { struct tcp_sock *tp =3D tcp_sk(sk); unsigned int size =3D 0; @@ -931,6 +975,12 @@ static unsigned int tcp_established_options(struct soc= k *sk, struct sk_buff *skb } } #endif +#ifdef CONFIG_TCP_AO + if (ao_key) { + opts->options |=3D OPTION_AO; + size +=3D tcp_ao_len(ao_key); + } +#endif =20 if (likely(tp->rx_opt.tstamp_ok)) { opts->options |=3D OPTION_TS; @@ -1245,6 +1295,10 @@ static int __tcp_transmit_skb(struct sock *sk, struc= t sk_buff *skb, unsigned int tcp_options_size, tcp_header_size; struct sk_buff *oskb =3D NULL; struct tcp_md5sig_key *md5; +#ifdef CONFIG_TCP_AO + struct tcp_ao_info *ao; +#endif + struct tcp_ao_key *ao_key =3D NULL; struct tcphdr *th; u64 prior_wstamp; int err; @@ -1276,11 +1330,17 @@ static int __tcp_transmit_skb(struct sock *sk, stru= ct sk_buff *skb, tcb =3D TCP_SKB_CB(skb); memset(&opts, 0, sizeof(opts)); =20 +#ifdef CONFIG_TCP_AO + ao =3D rcu_dereference_protected(tcp_sk(sk)->ao_info, + lockdep_sock_is_held(sk)); + if (ao) + ao_key =3D ao->current_key; +#endif if (unlikely(tcb->tcp_flags & TCPHDR_SYN)) { - tcp_options_size =3D tcp_syn_options(sk, skb, &opts, &md5); + tcp_options_size =3D tcp_syn_options(sk, skb, &opts, &md5, ao_key); } else { tcp_options_size =3D tcp_established_options(sk, skb, &opts, - &md5); + &md5, ao_key); /* Force a PSH flag on all (GSO) packets to expedite GRO flush * at receiver : This slightly improve GRO performance. * Note that we do not force the PSH flag for non GSO packets, @@ -1354,7 +1414,7 @@ static int __tcp_transmit_skb(struct sock *sk, struct= sk_buff *skb, th->window =3D htons(min(tp->rcv_wnd, 65535U)); } =20 - tcp_options_write(th, tp, &opts); + tcp_options_write(th, tp, &opts, ao_key); =20 #ifdef CONFIG_TCP_MD5SIG /* Calculate the MD5 hash, as we have all we need now */ @@ -1364,6 +1424,32 @@ static int __tcp_transmit_skb(struct sock *sk, struc= t sk_buff *skb, md5, sk, skb); } #endif +#ifdef CONFIG_TCP_AO + if (ao) { + u8 *traffic_key; + u8 key_buf[TCP_AO_MAX_HASH_SIZE]; + u32 sne; + __u32 disn; + + sk_gso_disable(sk); + if (unlikely(tcb->tcp_flags & TCPHDR_SYN)) { + if (tcb->tcp_flags & TCPHDR_ACK) + disn =3D ao->risn; + else + disn =3D 0; + traffic_key =3D key_buf; + tp->af_specific->ao_calc_key_sk(ao_key, traffic_key, + sk, ao->lisn, disn, true); + } else { + traffic_key =3D snd_other_key(ao_key); + } + sne =3D tcp_ao_compute_sne(ao->snd_sne, ao->snd_sne_seq, + ntohl(th->seq)); + tp->af_specific->calc_ao_hash(opts.hash_location, ao_key, sk, skb, + traffic_key, + opts.hash_location - (u8 *)th, sne); + } +#endif =20 /* BPF prog is the last one writing header option */ bpf_skops_write_hdr_opt(sk, skb, NULL, NULL, 0, &opts); @@ -1825,6 +1911,10 @@ unsigned int tcp_current_mss(struct sock *sk) unsigned int header_len; struct tcp_out_options opts; struct tcp_md5sig_key *md5; + struct tcp_ao_key *ao_key =3D NULL; +#ifdef CONFIG_TCP_AO + struct tcp_ao_info *ao_info; +#endif =20 mss_now =3D tp->mss_cache; =20 @@ -1833,8 +1923,17 @@ unsigned int tcp_current_mss(struct sock *sk) if (mtu !=3D inet_csk(sk)->icsk_pmtu_cookie) mss_now =3D tcp_sync_mss(sk, mtu); } - - header_len =3D tcp_established_options(sk, NULL, &opts, &md5) + +#ifdef CONFIG_TCP_AO + ao_info =3D rcu_dereference_check(tp->ao_info, lockdep_sock_is_held(sk)); + if (ao_info) + /* TODO: verify if we can access current_key or we need to pass + * it from every caller of tcp_current_mss instead. The reason + * is that the current_key pointer can change asynchronously + * from the rx path. + */ + ao_key =3D ao_info->current_key; +#endif + header_len =3D tcp_established_options(sk, NULL, &opts, &md5, ao_key) + sizeof(struct tcphdr); /* The mss_cache is sized based on tp->tcp_header_len, which assumes * some common options. If this is an odd packet (because we have SACK @@ -3580,7 +3679,7 @@ struct sk_buff *tcp_make_synack(const struct sock *sk= , struct dst_entry *dst, /* bpf program will be interested in the tcp_flags */ TCP_SKB_CB(skb)->tcp_flags =3D TCPHDR_SYN | TCPHDR_ACK; tcp_header_size =3D tcp_synack_options(sk, req, mss, skb, &opts, md5, - foc, synack_type, + NULL, foc, synack_type, syn_skb) + sizeof(*th); =20 skb_push(skb, tcp_header_size); @@ -3601,7 +3700,7 @@ struct sk_buff *tcp_make_synack(const struct sock *sk= , struct dst_entry *dst, =20 /* RFC1323: The window in SYN & SYN/ACK segments is never scaled. */ th->window =3D htons(min(req->rsk_rcv_wnd, 65535U)); - tcp_options_write(th, NULL, &opts); + tcp_options_write(th, NULL, &opts, NULL); th->doff =3D (tcp_header_size >> 2); __TCP_INC_STATS(sock_net(sk), TCP_MIB_OUTSEGS); =20 diff --git a/net/ipv6/tcp_ao.c b/net/ipv6/tcp_ao.c index 888ee6242334..7fd31c60488a 100644 --- a/net/ipv6/tcp_ao.c +++ b/net/ipv6/tcp_ao.c @@ -70,6 +70,33 @@ struct tcp_ao_key *tcp_v6_ao_lookup(const struct sock *s= k, return tcp_v6_ao_do_lookup(sk, addr, sndid, rcvid); } =20 +int tcp_v6_ao_hash_pseudoheader(struct crypto_pool_ahash *hp, + const struct in6_addr *daddr, + const struct in6_addr *saddr, int nbytes) +{ + struct tcp6_pseudohdr *bp; + struct scatterlist sg; + + bp =3D hp->base.scratch; + /* 1. TCP pseudo-header (RFC2460) */ + bp->saddr =3D *saddr; + bp->daddr =3D *daddr; + bp->len =3D cpu_to_be32(nbytes); + bp->protocol =3D cpu_to_be32(IPPROTO_TCP); + + sg_init_one(&sg, bp, sizeof(*bp)); + ahash_request_set_crypt(hp->req, &sg, NULL, sizeof(*bp)); + return crypto_ahash_update(hp->req); +} + +int tcp_v6_ao_hash_skb(char *ao_hash, struct tcp_ao_key *key, + const struct sock *sk, const struct sk_buff *skb, + const u8 *tkey, int hash_offset, u32 sne) +{ + return tcp_ao_hash_skb(AF_INET6, ao_hash, key, sk, skb, tkey, + hash_offset, sne); +} + int tcp_v6_parse_ao(struct sock *sk, int cmd, sockptr_t optval, int optlen) { diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c index c6d2389030f2..b5fa5ae53a47 100644 --- a/net/ipv6/tcp_ipv6.c +++ b/net/ipv6/tcp_ipv6.c @@ -1904,6 +1904,7 @@ static const struct tcp_sock_af_ops tcp_sock_ipv6_spe= cific =3D { #endif #ifdef CONFIG_TCP_AO .ao_lookup =3D tcp_v6_ao_lookup, + .calc_ao_hash =3D tcp_v6_ao_hash_skb, .ao_parse =3D tcp_v6_parse_ao, .ao_calc_key_sk =3D tcp_v6_ao_calc_key_sk, #endif @@ -1937,6 +1938,7 @@ static const struct tcp_sock_af_ops tcp_sock_ipv6_map= ped_specific =3D { #endif #ifdef CONFIG_TCP_AO .ao_lookup =3D tcp_v6_ao_lookup, + .calc_ao_hash =3D tcp_v6_ao_hash_skb, .ao_parse =3D tcp_v6_parse_ao, #endif }; --=20 2.37.2 From nobody Fri Apr 10 21:51:38 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4BBDBC32772 for ; Thu, 18 Aug 2022 17:02:33 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1345350AbiHRRCb (ORCPT ); Thu, 18 Aug 2022 13:02:31 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60814 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1345411AbiHRRAp (ORCPT ); Thu, 18 Aug 2022 13:00:45 -0400 Received: from mail-wm1-x32d.google.com (mail-wm1-x32d.google.com [IPv6:2a00:1450:4864:20::32d]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8F069C697E for ; Thu, 18 Aug 2022 10:00:32 -0700 (PDT) Received: by mail-wm1-x32d.google.com with SMTP id h1so1125749wmd.3 for ; Thu, 18 Aug 2022 10:00:32 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=arista.com; s=google; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc; bh=ucIkbr5pakBiR2TacO+yVhlQffxrHozaVQKUUYy+noE=; b=SfHc/nulc5vwGhsDjWwmvyb7SUvYd0Kq6IRkfHBJPbBYIGSCYShfh8tWkufYtfp5bP XqK6PE/RABZarTSlICpPj/8NEnhTePjnH2uBdwa2+Tq/l17Zg3zik/PAxRxHWKMYjmwm wCDLv/v7tdGt0POKVaf6Za/9IaZUZEmCBW62iupfQNOTCMdFtCtqNUgCol7S43Y2jhKB KQauupqqXYwP/ACd4Vpu0YhHXocXLhpxRv+aCBT+aNHd+7RqLZ4zzlBiYFbxzgUu4VnQ 2T5Q/f3FffbgHyM7MnaP1+RjHWygZLpBfzjJrKlMXng+bzDTh4Ap/h+Lu7qe+takdg9q x/kg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc; bh=ucIkbr5pakBiR2TacO+yVhlQffxrHozaVQKUUYy+noE=; b=zT5i+XuMVjg7vHi7qncR8CGHso0yJPmokQsT2f68GeSbFCoR754Cs6oGTqmtINM1Fo VeH0/H8NOodAuTbV0Tq91syKdtCstkY3a0ixmPFECvxLBlwC150I+SN61egoEPk+9QoZ 2RO5E5+KlyhMZSj2bTRdkdWPKRyRmgQjS+Bk7kIXgQseThbSVmdOOZFXA/1OSnY/lsWk Or9a50I583qjgdUVWz81mAq1oN7yShORxKLWLP23g6ExB/MB+HrJy/rU/DndgZ0sXQYi iqJMooyOePoRrQXULVDL4Pyl7LbxnDPhurE4E+NZ5LT06/5PLbUytbQD++ybGWPuArzq 3KIw== X-Gm-Message-State: ACgBeo3lySX1a3oDw/HVhBg4zxaScwsZm7Y5nuToqeZazxFTywnQWptT gAgmBvmuG5AI0xlXMhFQfmhpJQ== X-Google-Smtp-Source: AA6agR6lilmPQDSbc5GoriEsdw7v5HePPlXwHstI+DbqMzJRo+B52RQbsu5Hdj7NLk6bnn3mLMdIlg== X-Received: by 2002:a1c:a187:0:b0:3a5:e055:715b with SMTP id k129-20020a1ca187000000b003a5e055715bmr2514610wme.171.1660842031048; Thu, 18 Aug 2022 10:00:31 -0700 (PDT) Received: from Mindolluin.ire.aristanetworks.com ([217.173.96.166]) by smtp.gmail.com with ESMTPSA id be13-20020a05600c1e8d00b003a511e92abcsm2662169wmb.34.2022.08.18.10.00.29 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 18 Aug 2022 10:00:30 -0700 (PDT) From: Dmitry Safonov To: Eric Dumazet , "David S. Miller" , linux-kernel@vger.kernel.org Cc: Dmitry Safonov , Andy Lutomirski , Ard Biesheuvel , Bob Gilligan , David Ahern , Dmitry Safonov <0x7f454c46@gmail.com>, Eric Biggers , Francesco Ruggeri , Herbert Xu , Hideaki YOSHIFUJI , Ivan Delalande , Jakub Kicinski , Leonard Crestez , Paolo Abeni , Salam Noureddine , Shuah Khan , netdev@vger.kernel.org, linux-crypto@vger.kernel.org Subject: [PATCH 12/31] net/tcp: Add tcp_parse_auth_options() Date: Thu, 18 Aug 2022 17:59:46 +0100 Message-Id: <20220818170005.747015-13-dima@arista.com> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220818170005.747015-1-dima@arista.com> References: <20220818170005.747015-1-dima@arista.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" Introduce a helper that: (1) shares the common code with TCP-MD5 header options parsing (2) looks for hash signature only once for both TCP-MD5 and TCP-AO (3) fails with -EEXIST if any TCP sign option is present twice, see RFC5925 (2.2): ">> A single TCP segment MUST NOT have more than one TCP-AO in its options sequence. When multiple TCP-AOs appear, TCP MUST discard the segment." Co-developed-by: Francesco Ruggeri Signed-off-by: Francesco Ruggeri Co-developed-by: Salam Noureddine Signed-off-by: Salam Noureddine Signed-off-by: Dmitry Safonov Reported-by: kernel test robot --- include/net/tcp.h | 24 +++++++++++++++++++++++- include/net/tcp_ao.h | 3 +++ net/ipv4/tcp.c | 3 ++- net/ipv4/tcp_input.c | 39 +++++++++++++++++++++++++++++---------- net/ipv4/tcp_ipv4.c | 21 ++++++++++++++------- net/ipv6/tcp_ipv6.c | 17 +++++++++++------ 6 files changed, 82 insertions(+), 25 deletions(-) diff --git a/include/net/tcp.h b/include/net/tcp.h index d91a963f430d..061fe8471bfc 100644 --- a/include/net/tcp.h +++ b/include/net/tcp.h @@ -428,7 +428,6 @@ int tcp_mmap(struct file *file, struct socket *sock, void tcp_parse_options(const struct net *net, const struct sk_buff *skb, struct tcp_options_received *opt_rx, int estab, struct tcp_fastopen_cookie *foc); -const u8 *tcp_parse_md5sig_option(const struct tcphdr *th); =20 /* * BPF SKB-less helpers @@ -2467,4 +2466,27 @@ static inline u64 tcp_transmit_time(const struct soc= k *sk) return 0; } =20 +static inline int tcp_parse_auth_options(const struct tcphdr *th, + const u8 **md5_hash, const struct tcp_ao_hdr **aoh) +{ + const u8 *md5_tmp, *ao_tmp; + int ret; + + ret =3D tcp_do_parse_auth_options(th, &md5_tmp, &ao_tmp); + if (ret) + return ret; + + if (md5_hash) + *md5_hash =3D md5_tmp; + + if (aoh) { + if (!ao_tmp) + *aoh =3D NULL; + else + *aoh =3D (struct tcp_ao_hdr *)(ao_tmp - 2); + } + + return 0; +} + #endif /* _TCP_H */ diff --git a/include/net/tcp_ao.h b/include/net/tcp_ao.h index f840b693d038..b5516c83e489 100644 --- a/include/net/tcp_ao.h +++ b/include/net/tcp_ao.h @@ -87,6 +87,9 @@ struct tcp_ao_info { u32 rcv_sne_seq; }; =20 +int tcp_do_parse_auth_options(const struct tcphdr *th, + const u8 **md5_hash, const u8 **ao_hash); + #ifdef CONFIG_TCP_AO /* TCP-AO structures and functions */ =20 diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c index 85854b8afc47..a5e94d8e8450 100644 --- a/net/ipv4/tcp.c +++ b/net/ipv4/tcp.c @@ -4526,7 +4526,8 @@ tcp_inbound_md5_hash(const struct sock *sk, const str= uct sk_buff *skb, l3index =3D sdif ? dif : 0; =20 hash_expected =3D tcp_md5_do_lookup(sk, l3index, saddr, family); - hash_location =3D tcp_parse_md5sig_option(th); + if (tcp_parse_auth_options(th, &hash_location, NULL)) + return true; =20 /* We've parsed the options - do we have a hash? */ if (!hash_expected && !hash_location) diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c index a5d6c7f1ead3..27e95876cba1 100644 --- a/net/ipv4/tcp_input.c +++ b/net/ipv4/tcp_input.c @@ -4188,39 +4188,58 @@ static bool tcp_fast_parse_options(const struct net= *net, return true; } =20 -#ifdef CONFIG_TCP_MD5SIG +#if defined(CONFIG_TCP_MD5SIG) || defined(CONFIG_TCP_AO) /* - * Parse MD5 Signature option + * Parse Signature options */ -const u8 *tcp_parse_md5sig_option(const struct tcphdr *th) +int tcp_do_parse_auth_options(const struct tcphdr *th, + const u8 **md5_hash, const u8 **ao_hash) { int length =3D (th->doff << 2) - sizeof(*th); const u8 *ptr =3D (const u8 *)(th + 1); + unsigned int minlen =3D TCPOLEN_MD5SIG; + + if (IS_ENABLED(CONFIG_TCP_AO)) + minlen =3D sizeof(struct tcp_ao_hdr) + 1; + + *md5_hash =3D NULL; + *ao_hash =3D NULL; =20 /* If not enough data remaining, we can short cut */ - while (length >=3D TCPOLEN_MD5SIG) { + while (length >=3D minlen) { int opcode =3D *ptr++; int opsize; =20 switch (opcode) { case TCPOPT_EOL: - return NULL; + return 0; case TCPOPT_NOP: length--; continue; default: opsize =3D *ptr++; if (opsize < 2 || opsize > length) - return NULL; - if (opcode =3D=3D TCPOPT_MD5SIG) - return opsize =3D=3D TCPOLEN_MD5SIG ? ptr : NULL; + return -EINVAL; + if (opcode =3D=3D TCPOPT_MD5SIG) { + if (opsize !=3D TCPOLEN_MD5SIG) + return -EINVAL; + if (unlikely(*md5_hash || *ao_hash)) + return -EEXIST; + *md5_hash =3D ptr; + } else if (opcode =3D=3D TCPOPT_AO) { + if (opsize <=3D sizeof(struct tcp_ao_hdr)) + return -EINVAL; + if (unlikely(*md5_hash || *ao_hash)) + return -EEXIST; + *ao_hash =3D ptr; + } } ptr +=3D opsize - 2; length -=3D opsize; } - return NULL; + return 0; } -EXPORT_SYMBOL(tcp_parse_md5sig_option); +EXPORT_SYMBOL(tcp_do_parse_auth_options); #endif =20 /* Sorry, PAWS as specified is broken wrt. pure-ACKs -DaveM diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c index f6fe9ec1c99d..034549c73beb 100644 --- a/net/ipv4/tcp_ipv4.c +++ b/net/ipv4/tcp_ipv4.c @@ -660,7 +660,9 @@ EXPORT_SYMBOL(tcp_v4_send_check); * Exception: precedence violation. We do not implement it in any case. */ =20 -#ifdef CONFIG_TCP_MD5SIG +#ifdef CONFIG_TCP_AO +#define OPTION_BYTES MAX_TCP_OPTION_SPACE +#elif CONFIG_TCP_MD5SIG #define OPTION_BYTES TCPOLEN_MD5SIG_ALIGNED #else #define OPTION_BYTES sizeof(__be32) @@ -676,7 +678,7 @@ static void tcp_v4_send_reset(const struct sock *sk, st= ruct sk_buff *skb) struct ip_reply_arg arg; #ifdef CONFIG_TCP_MD5SIG struct tcp_md5sig_key *key =3D NULL; - const __u8 *hash_location =3D NULL; + const __u8 *md5_hash_location =3D NULL; unsigned char newhash[16]; int genhash; struct sock *sk1 =3D NULL; @@ -715,9 +717,14 @@ static void tcp_v4_send_reset(const struct sock *sk, s= truct sk_buff *skb) arg.iov[0].iov_len =3D sizeof(rep.th); =20 net =3D sk ? sock_net(sk) : dev_net(skb_dst(skb)->dev); -#ifdef CONFIG_TCP_MD5SIG +#if defined(CONFIG_TCP_MD5SIG) || defined(CONFIG_TCP_AO) + /* Invalid TCP option size or twice included auth */ + if (tcp_parse_auth_options(tcp_hdr(skb), &md5_hash_location, NULL)) + return; + rcu_read_lock(); - hash_location =3D tcp_parse_md5sig_option(th); +#endif +#ifdef CONFIG_TCP_MD5SIG if (sk && sk_fullsock(sk)) { const union tcp_md5_addr *addr; int l3index; @@ -728,7 +735,7 @@ static void tcp_v4_send_reset(const struct sock *sk, st= ruct sk_buff *skb) l3index =3D tcp_v4_sdif(skb) ? inet_iif(skb) : 0; addr =3D (union tcp_md5_addr *)&ip_hdr(skb)->saddr; key =3D tcp_md5_do_lookup(sk, l3index, addr, AF_INET); - } else if (hash_location) { + } else if (md5_hash_location) { const union tcp_md5_addr *addr; int sdif =3D tcp_v4_sdif(skb); int dif =3D inet_iif(skb); @@ -760,7 +767,7 @@ static void tcp_v4_send_reset(const struct sock *sk, st= ruct sk_buff *skb) =20 =20 genhash =3D tcp_v4_md5_hash_skb(newhash, key, NULL, skb); - if (genhash || memcmp(hash_location, newhash, 16) !=3D 0) + if (genhash || memcmp(md5_hash_location, newhash, 16) !=3D 0) goto out; =20 } @@ -835,7 +842,7 @@ static void tcp_v4_send_reset(const struct sock *sk, st= ruct sk_buff *skb) __TCP_INC_STATS(net, TCP_MIB_OUTRSTS); local_bh_enable(); =20 -#ifdef CONFIG_TCP_MD5SIG +#if defined(CONFIG_TCP_MD5SIG) || defined(CONFIG_TCP_AO) out: rcu_read_unlock(); #endif diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c index b5fa5ae53a47..ba968e856ca9 100644 --- a/net/ipv6/tcp_ipv6.c +++ b/net/ipv6/tcp_ipv6.c @@ -982,7 +982,7 @@ static void tcp_v6_send_reset(const struct sock *sk, st= ruct sk_buff *skb) u32 seq =3D 0, ack_seq =3D 0; struct tcp_md5sig_key *key =3D NULL; #ifdef CONFIG_TCP_MD5SIG - const __u8 *hash_location =3D NULL; + const __u8 *md5_hash_location =3D NULL; unsigned char newhash[16]; int genhash; struct sock *sk1 =3D NULL; @@ -1002,9 +1002,14 @@ static void tcp_v6_send_reset(const struct sock *sk,= struct sk_buff *skb) return; =20 net =3D sk ? sock_net(sk) : dev_net(skb_dst(skb)->dev); -#ifdef CONFIG_TCP_MD5SIG +#if defined(CONFIG_TCP_MD5SIG) || defined(CONFIG_TCP_AO) + /* Invalid TCP option size or twice included auth */ + if (tcp_parse_auth_options(th, &md5_hash_location, NULL)) + return; + rcu_read_lock(); - hash_location =3D tcp_parse_md5sig_option(th); +#endif +#ifdef CONFIG_TCP_MD5SIG if (sk && sk_fullsock(sk)) { int l3index; =20 @@ -1013,7 +1018,7 @@ static void tcp_v6_send_reset(const struct sock *sk, = struct sk_buff *skb) */ l3index =3D tcp_v6_sdif(skb) ? tcp_v6_iif_l3_slave(skb) : 0; key =3D tcp_v6_md5_do_lookup(sk, &ipv6h->saddr, l3index); - } else if (hash_location) { + } else if (md5_hash_location) { int dif =3D tcp_v6_iif_l3_slave(skb); int sdif =3D tcp_v6_sdif(skb); int l3index; @@ -1043,7 +1048,7 @@ static void tcp_v6_send_reset(const struct sock *sk, = struct sk_buff *skb) goto out; =20 genhash =3D tcp_v6_md5_hash_skb(newhash, key, NULL, skb); - if (genhash || memcmp(hash_location, newhash, 16) !=3D 0) + if (genhash || memcmp(md5_hash_location, newhash, 16) !=3D 0) goto out; } #endif @@ -1076,7 +1081,7 @@ static void tcp_v6_send_reset(const struct sock *sk, = struct sk_buff *skb) tcp_v6_send_response(sk, skb, seq, ack_seq, 0, 0, 0, oif, key, 1, ipv6_get_dsfield(ipv6h), label, priority); =20 -#ifdef CONFIG_TCP_MD5SIG +#if defined(CONFIG_TCP_MD5SIG) || defined(CONFIG_TCP_AO) out: rcu_read_unlock(); #endif --=20 2.37.2 From nobody Fri Apr 10 21:51:38 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 75345C32773 for ; Thu, 18 Aug 2022 17:02:52 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1345379AbiHRRCu (ORCPT ); Thu, 18 Aug 2022 13:02:50 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35076 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1345419AbiHRRAq (ORCPT ); Thu, 18 Aug 2022 13:00:46 -0400 Received: from mail-wm1-x334.google.com (mail-wm1-x334.google.com [IPv6:2a00:1450:4864:20::334]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2B25E8D3F9 for ; Thu, 18 Aug 2022 10:00:34 -0700 (PDT) Received: by mail-wm1-x334.google.com with SMTP id c187-20020a1c35c4000000b003a30d88fe8eso2893919wma.2 for ; Thu, 18 Aug 2022 10:00:34 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=arista.com; s=google; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc; bh=bzvAjIxqsbuSWxvVQYwB/ai2bQg4sPuUV1WP6zstQl0=; b=cwNvhXU7InYzfNASws0ay4KNDcuppRcdF5xpDLQ2qIZga5uP8NYThnyjYeeOG2G6Im 7Axen5bPQPzh1pqDft1fU5ixmy+i0yXGzQqBVIMR7MGHLUThFRJ09MXfwBnSAPzb7Vkq x5U9hXnwbcK+F/VPE0rdWJvRQNMn35a6vfdiBzoRKlIcd9+I9Z98w+SxZLqnxDKMYoX8 lBfaje/9mwPFGBP3lPsa7PRFvKdc7AaTMncrAFwH7dNEN6hWQmNX/0S4GCq4v/j/4ffe tlLcDSJdzqAiElRpxHHnswRD9MSp72uenMUM4JmjsAzEz/1Ah9IrtB63jpoDEDCaW+n+ +WlA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc; bh=bzvAjIxqsbuSWxvVQYwB/ai2bQg4sPuUV1WP6zstQl0=; b=atF573+WodTIVh1trULwroJG83/QkIO++/+VY4HEszvQgtS8mPxgjbJ5z+8mySLtiR nysHn408VceRLLSyTQPTAN7e8DKfADRCe7HhRX7SMHJNRi5vkdLlaAHaXCsjci5KU5ol 29BBthtju7FJv++m3ZDluDzzH8l3BEijhytDG9HRlejPvHGY2fH9ZmUL6ojfRR6P8rGS uOgTaX/N9Eow6j3NcZn6R7FsxWfWJZCwtmOip0+rSBxd0zRY8bdG7WthmCOTH263LiEs SKMG66xj9TDYb0EeIp6QTcMZuM90lYbTVPxQjXYz/AEmRQRcioTYriiunjzR1M5Ygo04 nNwQ== X-Gm-Message-State: ACgBeo26FWgpeKJUQCMj5cmjTlycXKgKN7CjBHGf830RHuxzOGpE1liS qiv0/wsbWsXl6DzP5FHnkx+oSGZ8zoct2w== X-Google-Smtp-Source: AA6agR4ikO3e5wFLelRRA7cWBk7gL71dDmsR/8QX7hoiJu8u3X7tc1SpgiF59wdyD5s1GgU3jgzIFQ== X-Received: by 2002:a05:600c:3c90:b0:3a3:8606:2df3 with SMTP id bg16-20020a05600c3c9000b003a386062df3mr5665462wmb.132.1660842032621; Thu, 18 Aug 2022 10:00:32 -0700 (PDT) Received: from Mindolluin.ire.aristanetworks.com ([217.173.96.166]) by smtp.gmail.com with ESMTPSA id be13-20020a05600c1e8d00b003a511e92abcsm2662169wmb.34.2022.08.18.10.00.31 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 18 Aug 2022 10:00:32 -0700 (PDT) From: Dmitry Safonov To: Eric Dumazet , "David S. Miller" , linux-kernel@vger.kernel.org Cc: Dmitry Safonov , Andy Lutomirski , Ard Biesheuvel , Bob Gilligan , David Ahern , Dmitry Safonov <0x7f454c46@gmail.com>, Eric Biggers , Francesco Ruggeri , Herbert Xu , Hideaki YOSHIFUJI , Ivan Delalande , Jakub Kicinski , Leonard Crestez , Paolo Abeni , Salam Noureddine , Shuah Khan , netdev@vger.kernel.org, linux-crypto@vger.kernel.org Subject: [PATCH 13/31] net/tcp: Add AO sign to RST packets Date: Thu, 18 Aug 2022 17:59:47 +0100 Message-Id: <20220818170005.747015-14-dima@arista.com> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220818170005.747015-1-dima@arista.com> References: <20220818170005.747015-1-dima@arista.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" Wire up sending resets to TCP-AO hashing. Co-developed-by: Francesco Ruggeri Signed-off-by: Francesco Ruggeri Co-developed-by: Salam Noureddine Signed-off-by: Salam Noureddine Signed-off-by: Dmitry Safonov --- include/net/tcp_ao.h | 7 ++++ net/ipv4/tcp_ao.c | 48 +++++++++++++++++++++++++++ net/ipv4/tcp_ipv4.c | 48 ++++++++++++++++++++++++++- net/ipv6/tcp_ipv6.c | 77 ++++++++++++++++++++++++++++++++++++++++++-- 4 files changed, 176 insertions(+), 4 deletions(-) diff --git a/include/net/tcp_ao.h b/include/net/tcp_ao.h index b5516c83e489..35c33f7e9c27 100644 --- a/include/net/tcp_ao.h +++ b/include/net/tcp_ao.h @@ -117,6 +117,7 @@ int tcp_ao_hash_skb(unsigned short int family, const u8 *tkey, int hash_offset, u32 sne); int tcp_parse_ao(struct sock *sk, int cmd, unsigned short int family, sockptr_t optval, int optlen); +struct tcp_ao_key *tcp_ao_do_lookup_sndid(const struct sock *sk, u8 keyid); int tcp_ao_calc_traffic_key(struct tcp_ao_key *mkt, u8 *key, void *ctx, unsigned int len); void tcp_ao_destroy_sock(struct sock *sk); @@ -126,6 +127,12 @@ int tcp_ao_cache_traffic_keys(const struct sock *sk, s= truct tcp_ao_info *ao, struct tcp_ao_key *tcp_ao_do_lookup(const struct sock *sk, const union tcp_ao_addr *addr, int family, int sndid, int rcvid, u16 port); +int tcp_ao_hash_hdr(unsigned short family, char *ao_hash, + struct tcp_ao_key *key, const u8 *tkey, + const union tcp_ao_addr *daddr, + const union tcp_ao_addr *saddr, + const struct tcphdr *th, u32 sne); + /* ipv4 specific functions */ int tcp_v4_parse_ao(struct sock *sk, int optname, sockptr_t optval, int op= tlen); struct tcp_ao_key *tcp_v4_ao_lookup(const struct sock *sk, struct sock *ad= dr_sk, diff --git a/net/ipv4/tcp_ao.c b/net/ipv4/tcp_ao.c index ec3ab0c3dc77..4bdd97536610 100644 --- a/net/ipv4/tcp_ao.c +++ b/net/ipv4/tcp_ao.c @@ -409,6 +409,54 @@ static int tcp_ao_hash_skb_data(struct crypto_pool_aha= sh *hp, return 0; } =20 +int tcp_ao_hash_hdr(unsigned short int family, char *ao_hash, + struct tcp_ao_key *key, const u8 *tkey, + const union tcp_ao_addr *daddr, + const union tcp_ao_addr *saddr, + const struct tcphdr *th, u32 sne) +{ + struct crypto_pool_ahash hp; + int tkey_len =3D tcp_ao_digest_size(key); + int hash_offset =3D ao_hash - (char *)th; + + if (crypto_pool_get(key->crypto_pool_id, (struct crypto_pool *)&hp)) + goto clear_hash_noput; + + if (crypto_ahash_setkey(crypto_ahash_reqtfm(hp.req), tkey, tkey_len)) + goto clear_hash; + + if (crypto_ahash_init(hp.req)) + goto clear_hash; + + if (tcp_ao_hash_sne(&hp, sne)) + goto clear_hash; + if (family =3D=3D AF_INET) { + if (tcp_v4_ao_hash_pseudoheader(&hp, daddr->a4.s_addr, + saddr->a4.s_addr, th->doff * 4)) + goto clear_hash; + } else if (family =3D=3D AF_INET6) { + if (tcp_v6_ao_hash_pseudoheader(&hp, &daddr->a6, + &saddr->a6, th->doff * 4)) + goto clear_hash; + } + if (tcp_ao_hash_header(&hp, th, false, + ao_hash, hash_offset, tcp_ao_maclen(key))) + goto clear_hash; + ahash_request_set_crypt(hp.req, NULL, ao_hash, 0); + if (crypto_ahash_final(hp.req)) + goto clear_hash; + + crypto_pool_put(); + return 0; + +clear_hash: + crypto_pool_put(); +clear_hash_noput: + memset(ao_hash, 0, tcp_ao_maclen(key)); + return 1; +} +EXPORT_SYMBOL(tcp_ao_hash_hdr); + int tcp_ao_hash_skb(unsigned short int family, char *ao_hash, struct tcp_ao_key *key, const struct sock *sk, const struct sk_buff *skb, diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c index 034549c73beb..c0add782d7af 100644 --- a/net/ipv4/tcp_ipv4.c +++ b/net/ipv4/tcp_ipv4.c @@ -679,11 +679,17 @@ static void tcp_v4_send_reset(const struct sock *sk, = struct sk_buff *skb) #ifdef CONFIG_TCP_MD5SIG struct tcp_md5sig_key *key =3D NULL; const __u8 *md5_hash_location =3D NULL; + const struct tcp_ao_hdr *aoh; unsigned char newhash[16]; int genhash; struct sock *sk1 =3D NULL; #endif u64 transmit_time =3D 0; +#ifdef CONFIG_TCP_AO + struct tcp_ao_key *ao_key =3D NULL; + char traffic_key[TCP_AO_MAX_HASH_SIZE] __tcp_ao_key_align; + u32 ao_sne; +#endif struct sock *ctl_sk; struct net *net; =20 @@ -719,7 +725,7 @@ static void tcp_v4_send_reset(const struct sock *sk, st= ruct sk_buff *skb) net =3D sk ? sock_net(sk) : dev_net(skb_dst(skb)->dev); #if defined(CONFIG_TCP_MD5SIG) || defined(CONFIG_TCP_AO) /* Invalid TCP option size or twice included auth */ - if (tcp_parse_auth_options(tcp_hdr(skb), &md5_hash_location, NULL)) + if (tcp_parse_auth_options(tcp_hdr(skb), &md5_hash_location, &aoh)) return; =20 rcu_read_lock(); @@ -785,6 +791,46 @@ static void tcp_v4_send_reset(const struct sock *sk, s= truct sk_buff *skb) key, ip_hdr(skb)->saddr, ip_hdr(skb)->daddr, &rep.th); } +#endif +#ifdef CONFIG_TCP_AO + if (sk && aoh && sk->sk_state !=3D TCP_LISTEN) { + /* lookup key based on peer address and rcv_next*/ + ao_key =3D tcp_ao_do_lookup_sndid(sk, aoh->rnext_keyid); + + if (ao_key) { + struct tcp_ao_info *ao_info; + u8 keyid; + + ao_info =3D rcu_dereference(tcp_sk(sk)->ao_info); + + /* XXX: optimize by using cached traffic key depending + * on socket state + */ + tcp_v4_ao_calc_key_sk(ao_key, traffic_key, sk, + ao_info->lisn, ao_info->risn, + true); + + /* rcv_next holds the rcv_next of the peer, make keyid + * hold our rcv_next + */ + keyid =3D ao_info->rnext_key->rcvid; + ao_sne =3D tcp_ao_compute_sne(ao_info->snd_sne, + ao_info->snd_sne_seq, + ntohl(rep.th.seq)); + + rep.opt[0] =3D htonl((TCPOPT_AO << 24) | + (tcp_ao_len(ao_key) << 16) | + (aoh->rnext_keyid << 8) | keyid); + arg.iov[0].iov_len +=3D round_up(tcp_ao_len(ao_key), 4); + rep.th.doff =3D arg.iov[0].iov_len / 4; + + tcp_ao_hash_hdr(AF_INET, (char *)&rep.opt[1], + ao_key, traffic_key, + (union tcp_ao_addr *)&ip_hdr(skb)->saddr, + (union tcp_ao_addr *)&ip_hdr(skb)->daddr, + &rep.th, ao_sne); + } + } #endif /* Can't co-exist with TCPMD5, hence check rep.opt[0] */ if (rep.opt[0] =3D=3D 0) { diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c index ba968e856ca9..f5d339d5291a 100644 --- a/net/ipv6/tcp_ipv6.c +++ b/net/ipv6/tcp_ipv6.c @@ -847,7 +847,9 @@ const struct tcp_request_sock_ops tcp_request_sock_ipv6= _ops =3D { static void tcp_v6_send_response(const struct sock *sk, struct sk_buff *sk= b, u32 seq, u32 ack, u32 win, u32 tsval, u32 tsecr, int oif, struct tcp_md5sig_key *key, int rst, - u8 tclass, __be32 label, u32 priority) + u8 tclass, __be32 label, u32 priority, + struct tcp_ao_key *ao_key, char *tkey, + u8 rcv_next, u32 ao_sne) { const struct tcphdr *th =3D tcp_hdr(skb); struct tcphdr *t1; @@ -866,6 +868,13 @@ static void tcp_v6_send_response(const struct sock *sk= , struct sk_buff *skb, u32 if (key) tot_len +=3D TCPOLEN_MD5SIG_ALIGNED; #endif +#ifdef CONFIG_TCP_AO + if (ao_key) + tot_len +=3D tcp_ao_len(ao_key); +#endif +#if defined(CONFIG_TCP_MD5SIG) && defined(CONFIG_TCP_AO) + WARN_ON_ONCE(key && ao_key); +#endif =20 #ifdef CONFIG_MPTCP if (rst && !key) { @@ -917,6 +926,21 @@ static void tcp_v6_send_response(const struct sock *sk= , struct sk_buff *skb, u32 &ipv6_hdr(skb)->daddr, t1); } #endif +#ifdef CONFIG_TCP_AO + if (ao_key) { + *topt++ =3D htonl((TCPOPT_AO << 24) | (tcp_ao_len(ao_key) << 16) | + (ao_key->sndid << 8) | (rcv_next)); + + /* TODO: this is right now not going to work for listening + * sockets since the socket won't have the needed ipv6 + * addresses + */ + tcp_ao_hash_hdr(AF_INET6, (char *)topt, ao_key, tkey, + (union tcp_ao_addr *)&ipv6_hdr(skb)->saddr, + (union tcp_ao_addr *)&ipv6_hdr(skb)->daddr, + t1, ao_sne); + } +#endif =20 memset(&fl6, 0, sizeof(fl6)); fl6.daddr =3D ipv6_hdr(skb)->saddr; @@ -990,6 +1014,15 @@ static void tcp_v6_send_reset(const struct sock *sk, = struct sk_buff *skb) __be32 label =3D 0; u32 priority =3D 0; struct net *net; + struct tcp_ao_key *ao_key =3D NULL; + u8 rcv_next =3D 0; + u32 ao_sne =3D 0; +#ifdef CONFIG_TCP_AO + char traffic_key[TCP_AO_MAX_HASH_SIZE] __tcp_ao_key_align; + const struct tcp_ao_hdr *aoh; +#else + u8 *traffic_key =3D NULL; +#endif int oif =3D 0; =20 if (th->rst) @@ -1004,8 +1037,13 @@ static void tcp_v6_send_reset(const struct sock *sk,= struct sk_buff *skb) net =3D sk ? sock_net(sk) : dev_net(skb_dst(skb)->dev); #if defined(CONFIG_TCP_MD5SIG) || defined(CONFIG_TCP_AO) /* Invalid TCP option size or twice included auth */ +#if defined(CONFIG_TCP_AO) + if (tcp_parse_auth_options(th, &md5_hash_location, &aoh)) + return; +#else if (tcp_parse_auth_options(th, &md5_hash_location, NULL)) return; +#endif =20 rcu_read_lock(); #endif @@ -1059,6 +1097,38 @@ static void tcp_v6_send_reset(const struct sock *sk,= struct sk_buff *skb) ack_seq =3D ntohl(th->seq) + th->syn + th->fin + skb->len - (th->doff << 2); =20 +#ifdef CONFIG_TCP_AO + /* XXX: Not implemented for listening sockets yet. How do we + * get the initial sequence numbers? Might need to pass in + * the request socket. + */ + if (sk && aoh && sk->sk_state !=3D TCP_LISTEN) { + struct tcp_ao_info *ao_info; + + if (WARN_ON_ONCE(sk->sk_state =3D=3D TCP_NEW_SYN_RECV)) + goto out; + + /* rcv_next is the peer's here */ + ao_key =3D tcp_ao_do_lookup_sndid(sk, aoh->rnext_keyid); + + if (ao_key) { + ao_info =3D rcu_dereference(tcp_sk(sk)->ao_info); + + /* XXX: optimize by using cached traffic key depending + * on socket state + */ + tcp_v6_ao_calc_key_sk(ao_key, traffic_key, sk, + ao_info->lisn, ao_info->risn, + true); + + /* rcv_next switches to our rcv_next */ + rcv_next =3D ao_info->rnext_key->rcvid; + ao_sne =3D tcp_ao_compute_sne(ao_info->snd_sne, + ao_info->snd_sne_seq, seq); + } + } +#endif + if (sk) { oif =3D sk->sk_bound_dev_if; if (sk_fullsock(sk)) { @@ -1079,7 +1149,8 @@ static void tcp_v6_send_reset(const struct sock *sk, = struct sk_buff *skb) } =20 tcp_v6_send_response(sk, skb, seq, ack_seq, 0, 0, 0, oif, key, 1, - ipv6_get_dsfield(ipv6h), label, priority); + ipv6_get_dsfield(ipv6h), label, priority, + ao_key, traffic_key, rcv_next, ao_sne); =20 #if defined(CONFIG_TCP_MD5SIG) || defined(CONFIG_TCP_AO) out: @@ -1093,7 +1164,7 @@ static void tcp_v6_send_ack(const struct sock *sk, st= ruct sk_buff *skb, u32 seq, __be32 label, u32 priority) { tcp_v6_send_response(sk, skb, seq, ack, win, tsval, tsecr, oif, key, 0, - tclass, label, priority); + tclass, label, priority, NULL, NULL, 0, 0); } =20 static void tcp_v6_timewait_ack(struct sock *sk, struct sk_buff *skb) --=20 2.37.2 From nobody Fri Apr 10 21:51:38 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4A942C32773 for ; Thu, 18 Aug 2022 17:02:57 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1345386AbiHRRCy (ORCPT ); Thu, 18 Aug 2022 13:02:54 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33710 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1345423AbiHRRAq (ORCPT ); Thu, 18 Aug 2022 13:00:46 -0400 Received: from mail-wr1-x42a.google.com (mail-wr1-x42a.google.com [IPv6:2a00:1450:4864:20::42a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D9345C12CF for ; Thu, 18 Aug 2022 10:00:35 -0700 (PDT) Received: by mail-wr1-x42a.google.com with SMTP id n4so2404932wrp.10 for ; Thu, 18 Aug 2022 10:00:35 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=arista.com; s=google; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc; bh=dnY3nr+T35+brXYSLtpZVnZvLE9RFWI6JUbZ52pAvkM=; b=k6U/U7v4NK0Y6HT8bpr1F5LjtIaZJXlioK7NV+9bCtDJRm+y/OuGUItcdExN0FpRYx DLsb6IMrOSaqRimaNmsNKfvFmbDfdNSP8Z4L172xfAFWM8P+bp4opxpkVmTE75Oj+MMf PCcbVTF/YzkEhNjR9PvFIF63bXCY9Nz3rNpcUHHxs3bI+509ZxDAvzvDcsKI57I1fwmS X7znSrY10jHv+Ijmw3QaF9YnuVQIwL4OdgnlF+uspnS9eVxBXFkodS+S6xDddIxsCviu vQ9Ydy5fQFPgaVbOxguuiXr1bdOmKakRWjpO6BmFd2c6VgtbnEqjy+82kafiA4blg5Qq 9GqA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc; bh=dnY3nr+T35+brXYSLtpZVnZvLE9RFWI6JUbZ52pAvkM=; b=L4fsc5zeSIPcYKA2yrK+jWmnjsB2vUF8lggcyOumMe2otWEMV47LvOIrW8hRDdWoZ4 UVFbpwcJgMzykI8mVmBdt22LZt9DIvePSjcVlbeV803DuOf/IjTFIB1EYZH0LrLA2yoN SBHmaxpH4tw5KPVvXTE3yLJ+shiT2ZskrXrCDZDqjH7q5gtON9I11JAzTXX4LDMJRKwD LNO7l7QdCBXkJrumLTRwSlu2I7pHRL4UKKtic50LSoU+Tu1btLgIgkKgiiEKqKskoBbr n1/UusnseWD2Mms0jA/Grpw0KcusDwJHypZw/wnk+lSy7QpOzl9SXyIGFJ5Vq3XGlXEQ 81JA== X-Gm-Message-State: ACgBeo3z8qCLJnvXdr+dVa2EKMjxVtrR6lMRzF8cQk7sNVwR3fOic3+K ddTG6/gyryCUCz67KCTxbHV+hg== X-Google-Smtp-Source: AA6agR4j7YZF2XQr51+rmZppxT3/MqIcR1lsbmGr7Zzd+OuaYtWXvfwvkENM3wcs1V3qEJGCBy98vQ== X-Received: by 2002:a05:6000:1883:b0:205:c0cb:33c6 with SMTP id a3-20020a056000188300b00205c0cb33c6mr2258080wri.39.1660842034098; Thu, 18 Aug 2022 10:00:34 -0700 (PDT) Received: from Mindolluin.ire.aristanetworks.com ([217.173.96.166]) by smtp.gmail.com with ESMTPSA id be13-20020a05600c1e8d00b003a511e92abcsm2662169wmb.34.2022.08.18.10.00.32 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 18 Aug 2022 10:00:33 -0700 (PDT) From: Dmitry Safonov To: Eric Dumazet , "David S. Miller" , linux-kernel@vger.kernel.org Cc: Dmitry Safonov , Andy Lutomirski , Ard Biesheuvel , Bob Gilligan , David Ahern , Dmitry Safonov <0x7f454c46@gmail.com>, Eric Biggers , Francesco Ruggeri , Herbert Xu , Hideaki YOSHIFUJI , Ivan Delalande , Jakub Kicinski , Leonard Crestez , Paolo Abeni , Salam Noureddine , Shuah Khan , netdev@vger.kernel.org, linux-crypto@vger.kernel.org Subject: [PATCH 14/31] net/tcp: Add TCP-AO sign to twsk Date: Thu, 18 Aug 2022 17:59:48 +0100 Message-Id: <20220818170005.747015-15-dima@arista.com> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220818170005.747015-1-dima@arista.com> References: <20220818170005.747015-1-dima@arista.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" Add support for sockets in time-wait state. ao_info as well as all keys are inherited on transition to time-wait socket. The lifetime of ao_info is now protected by ref counter, so that tcp_ao_destroy_sock() will destruct it only when the last user is gone. Co-developed-by: Francesco Ruggeri Signed-off-by: Francesco Ruggeri Co-developed-by: Salam Noureddine Signed-off-by: Salam Noureddine Signed-off-by: Dmitry Safonov --- include/linux/tcp.h | 3 ++ include/net/tcp_ao.h | 11 +++++-- net/ipv4/tcp_ao.c | 47 ++++++++++++++++++++++---- net/ipv4/tcp_ipv4.c | 71 ++++++++++++++++++++++++++++++++++++---- net/ipv4/tcp_minisocks.c | 4 ++- net/ipv6/tcp_ipv6.c | 47 +++++++++++++++++++++++--- 6 files changed, 161 insertions(+), 22 deletions(-) diff --git a/include/linux/tcp.h b/include/linux/tcp.h index c8a8aaaf725b..8031995b58a2 100644 --- a/include/linux/tcp.h +++ b/include/linux/tcp.h @@ -489,6 +489,9 @@ struct tcp_timewait_sock { #ifdef CONFIG_TCP_MD5SIG struct tcp_md5sig_key *tw_md5_key; #endif +#ifdef CONFIG_TCP_AO + struct tcp_ao_info *ao_info; +#endif }; =20 static inline struct tcp_timewait_sock *tcp_twsk(const struct sock *sk) diff --git a/include/net/tcp_ao.h b/include/net/tcp_ao.h index 35c33f7e9c27..af82b4aeef11 100644 --- a/include/net/tcp_ao.h +++ b/include/net/tcp_ao.h @@ -85,6 +85,7 @@ struct tcp_ao_info { u32 snd_sne_seq; u32 rcv_sne; u32 rcv_sne_seq; + atomic_t refcnt; /* Protects twsk destruction */ }; =20 int tcp_do_parse_auth_options(const struct tcphdr *th, @@ -120,8 +121,9 @@ int tcp_parse_ao(struct sock *sk, int cmd, unsigned sho= rt int family, struct tcp_ao_key *tcp_ao_do_lookup_sndid(const struct sock *sk, u8 keyid); int tcp_ao_calc_traffic_key(struct tcp_ao_key *mkt, u8 *key, void *ctx, unsigned int len); -void tcp_ao_destroy_sock(struct sock *sk); +void tcp_ao_destroy_sock(struct sock *sk, bool twsk); u32 tcp_ao_compute_sne(u32 sne, u32 seq, u32 new_seq); +void tcp_ao_time_wait(struct tcp_timewait_sock *tcptw, struct tcp_sock *tp= ); int tcp_ao_cache_traffic_keys(const struct sock *sk, struct tcp_ao_info *a= o, struct tcp_ao_key *ao_key); struct tcp_ao_key *tcp_ao_do_lookup(const struct sock *sk, @@ -170,7 +172,7 @@ static inline struct tcp_ao_key *tcp_ao_do_lookup(const= struct sock *sk, return NULL; } =20 -static inline void tcp_ao_destroy_sock(struct sock *sk) +static inline void tcp_ao_destroy_sock(struct sock *sk, bool twsk) { } =20 @@ -178,6 +180,11 @@ static inline void tcp_ao_finish_connect(struct sock *= sk, struct sk_buff *skb) { } =20 +static inline void tcp_ao_time_wait(struct tcp_timewait_sock *tcptw, + struct tcp_sock *tp) +{ +} + static inline void tcp_ao_connect_init(struct sock *sk) { } diff --git a/net/ipv4/tcp_ao.c b/net/ipv4/tcp_ao.c index 4bdd97536610..528b6650c72c 100644 --- a/net/ipv4/tcp_ao.c +++ b/net/ipv4/tcp_ao.c @@ -75,8 +75,13 @@ struct tcp_ao_key *tcp_ao_do_lookup_sndid(const struct s= ock *sk, u8 keyid) struct tcp_ao_key *key; struct tcp_ao_info *ao; =20 - ao =3D rcu_dereference_check(tcp_sk(sk)->ao_info, - lockdep_sock_is_held(sk)); + if (sk->sk_state =3D=3D TCP_TIME_WAIT) + ao =3D rcu_dereference_check(tcp_twsk(sk)->ao_info, + lockdep_sock_is_held(sk)); + else + ao =3D rcu_dereference_check(tcp_sk(sk)->ao_info, + lockdep_sock_is_held(sk)); + if (!ao) return NULL; =20 @@ -172,6 +177,7 @@ static struct tcp_ao_info *tcp_ao_alloc_info(gfp_t flag= s, if (!ao) return NULL; INIT_HLIST_HEAD(&ao->head); + atomic_set(&ao->refcnt, 1); =20 if (cloned_from) ao->ao_flags =3D cloned_from->ao_flags; @@ -191,27 +197,54 @@ static void tcp_ao_key_free_rcu(struct rcu_head *head) kfree(key); } =20 -void tcp_ao_destroy_sock(struct sock *sk) +void tcp_ao_destroy_sock(struct sock *sk, bool twsk) { struct tcp_ao_info *ao; struct tcp_ao_key *key; struct hlist_node *n; =20 - ao =3D rcu_dereference_protected(tcp_sk(sk)->ao_info, 1); - tcp_sk(sk)->ao_info =3D NULL; + if (twsk) { + ao =3D rcu_dereference_protected(tcp_twsk(sk)->ao_info, 1); + tcp_twsk(sk)->ao_info =3D NULL; + } else { + ao =3D rcu_dereference_protected(tcp_sk(sk)->ao_info, 1); + tcp_sk(sk)->ao_info =3D NULL; + } =20 - if (!ao) + if (!ao || !atomic_dec_and_test(&ao->refcnt)) return; =20 hlist_for_each_entry_safe(key, n, &ao->head, node) { hlist_del_rcu(&key->node); - atomic_sub(tcp_ao_sizeof_key(key), &sk->sk_omem_alloc); + if (!twsk) + atomic_sub(tcp_ao_sizeof_key(key), &sk->sk_omem_alloc); call_rcu(&key->rcu, tcp_ao_key_free_rcu); } =20 kfree_rcu(ao, rcu); } =20 +void tcp_ao_time_wait(struct tcp_timewait_sock *tcptw, struct tcp_sock *tp) +{ + struct tcp_ao_info *ao_info =3D rcu_dereference_protected(tp->ao_info, 1); + + if (ao_info) { + struct tcp_ao_key *key; + struct hlist_node *n; + int omem =3D 0; + + hlist_for_each_entry_safe(key, n, &ao_info->head, node) { + omem +=3D tcp_ao_sizeof_key(key); + } + + atomic_inc(&ao_info->refcnt); + atomic_sub(omem, &(((struct sock *)tp)->sk_omem_alloc)); + rcu_assign_pointer(tcptw->ao_info, ao_info); + } else { + tcptw->ao_info =3D NULL; + } +} + /* 4 tuple and ISNs are expected in NBO */ static int tcp_v4_ao_calc_key(struct tcp_ao_key *mkt, u8 *key, __be32 saddr, __be32 daddr, diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c index c0add782d7af..003c5f320bfc 100644 --- a/net/ipv4/tcp_ipv4.c +++ b/net/ipv4/tcp_ipv4.c @@ -801,7 +801,10 @@ static void tcp_v4_send_reset(const struct sock *sk, s= truct sk_buff *skb) struct tcp_ao_info *ao_info; u8 keyid; =20 - ao_info =3D rcu_dereference(tcp_sk(sk)->ao_info); + if (sk->sk_state =3D=3D TCP_TIME_WAIT) + ao_info =3D rcu_dereference(tcp_twsk(sk)->ao_info); + else + ao_info =3D rcu_dereference(tcp_sk(sk)->ao_info); =20 /* XXX: optimize by using cached traffic key depending * on socket state @@ -902,16 +905,16 @@ static void tcp_v4_send_ack(const struct sock *sk, struct sk_buff *skb, u32 seq, u32 ack, u32 win, u32 tsval, u32 tsecr, int oif, struct tcp_md5sig_key *key, + struct tcp_ao_key *ao_key, + u8 *traffic_key, + u8 rcv_next, + u32 ao_sne, int reply_flags, u8 tos) { const struct tcphdr *th =3D tcp_hdr(skb); struct { struct tcphdr th; - __be32 opt[(TCPOLEN_TSTAMP_ALIGNED >> 2) -#ifdef CONFIG_TCP_MD5SIG - + (TCPOLEN_MD5SIG_ALIGNED >> 2) -#endif - ]; + __be32 opt[(MAX_TCP_OPTION_SPACE >> 2)]; } rep; struct net *net =3D sock_net(sk); struct ip_reply_arg arg; @@ -957,6 +960,25 @@ static void tcp_v4_send_ack(const struct sock *sk, ip_hdr(skb)->daddr, &rep.th); } #endif +#ifdef CONFIG_TCP_AO + if (ao_key) { + int offset =3D (tsecr) ? 3 : 0; + + rep.opt[offset++] =3D htonl((TCPOPT_AO << 24) | + (tcp_ao_len(ao_key) << 16) | + (ao_key->sndid << 8) | rcv_next); + arg.iov[0].iov_len +=3D round_up(tcp_ao_len(ao_key), 4); + rep.th.doff =3D arg.iov[0].iov_len / 4; + + tcp_ao_hash_hdr(AF_INET, (char *)&rep.opt[offset], + ao_key, traffic_key, + (union tcp_ao_addr *)&ip_hdr(skb)->saddr, + (union tcp_ao_addr *)&ip_hdr(skb)->daddr, + &rep.th, ao_sne); + } + WARN_ON_ONCE(key && ao_key); +#endif + /* XXX: TCP-AO: hash ACK header */ arg.flags =3D reply_flags; arg.csum =3D csum_tcpudp_nofold(ip_hdr(skb)->daddr, ip_hdr(skb)->saddr, /* XXX */ @@ -990,6 +1012,36 @@ static void tcp_v4_timewait_ack(struct sock *sk, stru= ct sk_buff *skb) { struct inet_timewait_sock *tw =3D inet_twsk(sk); struct tcp_timewait_sock *tcptw =3D tcp_twsk(sk); + struct tcp_ao_key *ao_key =3D NULL; + u8 *traffic_key =3D NULL; + u8 rcv_next =3D 0; + u32 ao_sne =3D 0; +#ifdef CONFIG_TCP_AO + struct tcp_ao_info *ao_info =3D NULL; + const struct tcp_ao_hdr *aoh; +#endif + +#ifdef CONFIG_TCP_AO + if (tcp_parse_auth_options(tcp_hdr(skb), NULL, &aoh)) + goto out; /* something is wrong with the sign */ + + /* FIXME: we haven't verified the segment to-be-acked */ + if (aoh) + ao_key =3D tcp_ao_do_lookup_sndid(sk, aoh->rnext_keyid); + + if (ao_key) { + traffic_key =3D snd_other_key(ao_key); + ao_info =3D rcu_dereference(tcptw->ao_info); + /* It's possible we can get rid of computing the sne + * below since sne probably doesn't change once we are + * in timewait state. + */ + ao_sne =3D tcp_ao_compute_sne(ao_info->snd_sne, + ao_info->snd_sne_seq, + tcptw->tw_snd_nxt); + rcv_next =3D ao_info->rnext_key->rcvid; + } +#endif =20 tcp_v4_send_ack(sk, skb, tcptw->tw_snd_nxt, tcptw->tw_rcv_nxt, @@ -998,10 +1050,14 @@ static void tcp_v4_timewait_ack(struct sock *sk, str= uct sk_buff *skb) tcptw->tw_ts_recent, tw->tw_bound_dev_if, tcp_twsk_md5_key(tcptw), + ao_key, traffic_key, rcv_next, ao_sne, tw->tw_transparent ? IP_REPLY_ARG_NOSRCCHECK : 0, tw->tw_tos ); =20 +#ifdef CONFIG_TCP_AO +out: +#endif inet_twsk_put(tw); } =20 @@ -1031,6 +1087,7 @@ static void tcp_v4_reqsk_send_ack(const struct sock *= sk, struct sk_buff *skb, req->ts_recent, 0, tcp_md5_do_lookup(sk, l3index, addr, AF_INET), + NULL, NULL, 0, 0, inet_rsk(req)->no_srccheck ? IP_REPLY_ARG_NOSRCCHECK : 0, ip_hdr(skb)->tos); } @@ -2367,7 +2424,7 @@ void tcp_v4_destroy_sock(struct sock *sk) rcu_assign_pointer(tp->md5sig_info, NULL); } #endif - tcp_ao_destroy_sock(sk); + tcp_ao_destroy_sock(sk, false); =20 /* Clean up a referenced TCP bind bucket. */ if (inet_csk(sk)->icsk_bind_hash) diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c index d1d30337ffec..94012a015bd0 100644 --- a/net/ipv4/tcp_minisocks.c +++ b/net/ipv4/tcp_minisocks.c @@ -246,7 +246,7 @@ EXPORT_SYMBOL(tcp_timewait_state_process); void tcp_time_wait(struct sock *sk, int state, int timeo) { const struct inet_connection_sock *icsk =3D inet_csk(sk); - const struct tcp_sock *tp =3D tcp_sk(sk); + struct tcp_sock *tp =3D tcp_sk(sk); struct inet_timewait_sock *tw; struct inet_timewait_death_row *tcp_death_row =3D sock_net(sk)->ipv4.tcp_= death_row; =20 @@ -305,6 +305,7 @@ void tcp_time_wait(struct sock *sk, int state, int time= o) } } while (0); #endif + tcp_ao_time_wait(tcptw, tp); =20 /* Get the TIME_WAIT timeout firing. */ if (timeo < rto) @@ -359,6 +360,7 @@ void tcp_twsk_destructor(struct sock *sk) call_rcu(&twsk->tw_md5_key->rcu, tcp_md5_twsk_free_rcu); } #endif + tcp_ao_destroy_sock(sk, true); } EXPORT_SYMBOL_GPL(tcp_twsk_destructor); =20 diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c index f5d339d5291a..bab4a1883b3c 100644 --- a/net/ipv6/tcp_ipv6.c +++ b/net/ipv6/tcp_ipv6.c @@ -1112,7 +1112,10 @@ static void tcp_v6_send_reset(const struct sock *sk,= struct sk_buff *skb) ao_key =3D tcp_ao_do_lookup_sndid(sk, aoh->rnext_keyid); =20 if (ao_key) { - ao_info =3D rcu_dereference(tcp_sk(sk)->ao_info); + if (sk->sk_state =3D=3D TCP_TIME_WAIT) + ao_info =3D rcu_dereference(tcp_twsk(sk)->ao_info); + else + ao_info =3D rcu_dereference(tcp_sk(sk)->ao_info); =20 /* XXX: optimize by using cached traffic key depending * on socket state @@ -1161,23 +1164,56 @@ static void tcp_v6_send_reset(const struct sock *sk= , struct sk_buff *skb) static void tcp_v6_send_ack(const struct sock *sk, struct sk_buff *skb, u3= 2 seq, u32 ack, u32 win, u32 tsval, u32 tsecr, int oif, struct tcp_md5sig_key *key, u8 tclass, - __be32 label, u32 priority) + __be32 label, u32 priority, + struct tcp_ao_key *ao_key, char *tkey, + u8 rcv_next, u32 ao_sne) { tcp_v6_send_response(sk, skb, seq, ack, win, tsval, tsecr, oif, key, 0, - tclass, label, priority, NULL, NULL, 0, 0); + tclass, label, priority, + ao_key, tkey, rcv_next, ao_sne); } =20 static void tcp_v6_timewait_ack(struct sock *sk, struct sk_buff *skb) { struct inet_timewait_sock *tw =3D inet_twsk(sk); struct tcp_timewait_sock *tcptw =3D tcp_twsk(sk); + struct tcp_ao_key *ao_key =3D NULL; + u8 *traffic_key =3D NULL; + u8 rcv_next =3D 0; + u32 ao_sne =3D 0; +#ifdef CONFIG_TCP_AO + struct tcp_ao_info *ao_info; + const struct tcp_ao_hdr *aoh; + + ao_info =3D rcu_dereference(tcptw->ao_info); + if (ao_info) { + /* Invalid TCP option size or twice included auth */ + if (tcp_parse_auth_options(tcp_hdr(skb), NULL, &aoh)) + goto out; + /* FIXME: we haven't verified the segment to-be-acked */ + if (aoh) + ao_key =3D tcp_ao_do_lookup_sndid(sk, aoh->rnext_keyid); + if (ao_key) { + traffic_key =3D snd_other_key(ao_key); + /* rcv_next switches to our rcv_next */ + rcv_next =3D ao_info->rnext_key->rcvid; + ao_sne =3D tcp_ao_compute_sne(ao_info->snd_sne, + ao_info->snd_sne_seq, + tcptw->tw_snd_nxt); + } + } +#endif =20 tcp_v6_send_ack(sk, skb, tcptw->tw_snd_nxt, tcptw->tw_rcv_nxt, tcptw->tw_rcv_wnd >> tw->tw_rcv_wscale, tcp_time_stamp_raw() + tcptw->tw_ts_offset, tcptw->tw_ts_recent, tw->tw_bound_dev_if, tcp_twsk_md5_key(tcptw), - tw->tw_tclass, cpu_to_be32(tw->tw_flowlabel), tw->tw_priority); + tw->tw_tclass, cpu_to_be32(tw->tw_flowlabel), tw->tw_priority, + ao_key, traffic_key, rcv_next, ao_sne); =20 +#ifdef CONFIG_TCP_AO +out: +#endif inet_twsk_put(tw); } =20 @@ -1203,7 +1239,8 @@ static void tcp_v6_reqsk_send_ack(const struct sock *= sk, struct sk_buff *skb, tcp_time_stamp_raw() + tcp_rsk(req)->ts_off, req->ts_recent, sk->sk_bound_dev_if, tcp_v6_md5_do_lookup(sk, &ipv6_hdr(skb)->saddr, l3index), - ipv6_get_dsfield(ipv6_hdr(skb)), 0, sk->sk_priority); + ipv6_get_dsfield(ipv6_hdr(skb)), 0, sk->sk_priority, + NULL, NULL, 0, 0); } =20 =20 --=20 2.37.2 From nobody Fri Apr 10 21:51:38 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8230DC32774 for ; Thu, 18 Aug 2022 17:03:09 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1345394AbiHRRDH (ORCPT ); Thu, 18 Aug 2022 13:03:07 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35150 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1345431AbiHRRAr (ORCPT ); Thu, 18 Aug 2022 13:00:47 -0400 Received: from mail-wr1-x430.google.com (mail-wr1-x430.google.com [IPv6:2a00:1450:4864:20::430]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6A45DC992F for ; Thu, 18 Aug 2022 10:00:37 -0700 (PDT) Received: by mail-wr1-x430.google.com with SMTP id a4so2441729wrq.1 for ; Thu, 18 Aug 2022 10:00:37 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=arista.com; s=google; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc; bh=jymZs1bEQZV6mI0afAkvYGo5xW1dQ568muR+SHQcqCE=; b=R0yLXLKya+piZY1ZjoFgbmL0iUuotMQUYnfUJKbl1vkM8aToMfcw8vgcM1im51mgof eXHPaVSvUccoEsLFUljz4TUm+q8yuaL6SjqjINUcS4e356xcsFPN4/miAEhH3eccb8BH Q8n8Jc12qCXDL2i9rqtp4XYZD9EAlNcNdr5sFdzZLCD6B6PvrqTZxm5cYjHIm3UH+5bw EKMgZY7mvc2yYNpcatXLI74hwlozrDCTp0Lr3zoTpwtmBJFjsRMrGjG127+E1bkldDY3 8ToIKipVQni9+9ptFwcU7i88TGC/jKv2boz0cBEpmSehrF/bdqZcwjha59bf3WGKmHmg 1F3w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc; bh=jymZs1bEQZV6mI0afAkvYGo5xW1dQ568muR+SHQcqCE=; b=WYrbOiF2VdzZ6k84DeWktT/sBfF9Tde9T94ACm5DihzvdW8AWFGI7uO3c2iLaZlPy8 k3hfcIHRP3Y1NCSCNVTNGnE9EXoPXEltIOUCXCoduvJYkcE16Bfv6+zbtYvDP88qqOJi fwdhsTnwezp1WOw4ifzeWtOWH2sh81ZIoURfMnw+HOJPIS/ezk4+qWUGz2QPCMT1GL4j U3/t+TUGO3q5GUDITPjEDW0rfdts7ytglZJmTBNJPkqAcv4DdeMZnq9nMASAeifugqsJ QG/35cexjHaPO5NSbln2Oq0XuTcqeP+Ko1WGudxINUrVLi/fLpGk2wx04tqsOB5VOrYF PaHQ== X-Gm-Message-State: ACgBeo0vZwAhqVZtKGBctdAEs15tVIupeb3LXZz+bkFHdP+/zlmhnJqG E9nKbrDQXj82h0zap2gi78CBzw== X-Google-Smtp-Source: AA6agR43pnvd6ejItYGU464pB53N4Y4ZOW7k7b5RosF61XWgm2T9f4IWEXtrBsgxLG/DGEA11EFHpQ== X-Received: by 2002:a05:6000:178b:b0:222:c6c4:b42e with SMTP id e11-20020a056000178b00b00222c6c4b42emr2287328wrg.275.1660842035690; Thu, 18 Aug 2022 10:00:35 -0700 (PDT) Received: from Mindolluin.ire.aristanetworks.com ([217.173.96.166]) by smtp.gmail.com with ESMTPSA id be13-20020a05600c1e8d00b003a511e92abcsm2662169wmb.34.2022.08.18.10.00.34 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 18 Aug 2022 10:00:35 -0700 (PDT) From: Dmitry Safonov To: Eric Dumazet , "David S. Miller" , linux-kernel@vger.kernel.org Cc: Dmitry Safonov , Andy Lutomirski , Ard Biesheuvel , Bob Gilligan , David Ahern , Dmitry Safonov <0x7f454c46@gmail.com>, Eric Biggers , Francesco Ruggeri , Herbert Xu , Hideaki YOSHIFUJI , Ivan Delalande , Jakub Kicinski , Leonard Crestez , Paolo Abeni , Salam Noureddine , Shuah Khan , netdev@vger.kernel.org, linux-crypto@vger.kernel.org Subject: [PATCH 15/31] net/tcp: Wire TCP-AO to request sockets Date: Thu, 18 Aug 2022 17:59:49 +0100 Message-Id: <20220818170005.747015-16-dima@arista.com> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220818170005.747015-1-dima@arista.com> References: <20220818170005.747015-1-dima@arista.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" Now when the new request socket is created from the listening socket, it's recorded what MKT was used by the peer. tcp_rsk_used_ao() is a new helper for checking if TCP-AO option was used to create the request socket. tcp_ao_copy_all_matching() will copy all keys that match the peer on the request socket, as well as preparing them for the usage (creating traffic keys). Co-developed-by: Francesco Ruggeri Signed-off-by: Francesco Ruggeri Co-developed-by: Salam Noureddine Signed-off-by: Salam Noureddine Signed-off-by: Dmitry Safonov --- include/linux/tcp.h | 18 +++++ include/net/tcp.h | 7 ++ include/net/tcp_ao.h | 16 +++++ net/ipv4/tcp_ao.c | 137 +++++++++++++++++++++++++++++++++++++++ net/ipv4/tcp_input.c | 19 +++++- net/ipv4/tcp_ipv4.c | 63 ++++++++++++++++-- net/ipv4/tcp_minisocks.c | 10 +++ net/ipv4/tcp_output.c | 13 +++- net/ipv6/tcp_ao.c | 21 ++++++ net/ipv6/tcp_ipv6.c | 78 ++++++++++++++++++---- 10 files changed, 361 insertions(+), 21 deletions(-) diff --git a/include/linux/tcp.h b/include/linux/tcp.h index 8031995b58a2..0e0f07d12f7b 100644 --- a/include/linux/tcp.h +++ b/include/linux/tcp.h @@ -165,6 +165,11 @@ struct tcp_request_sock { * after data-in-SYN. */ u8 syn_tos; +#ifdef CONFIG_TCP_AO + u8 ao_keyid; + u8 ao_rcv_next; + u8 maclen; +#endif }; =20 static inline struct tcp_request_sock *tcp_rsk(const struct request_sock *= req) @@ -172,6 +177,19 @@ static inline struct tcp_request_sock *tcp_rsk(const s= truct request_sock *req) return (struct tcp_request_sock *)req; } =20 +static inline bool tcp_rsk_used_ao(const struct request_sock *req) +{ + /* The real length of MAC is saved in the request socket, + * signing anything with zero-length makes no sense, so here is + * a little hack.. + */ +#ifndef CONFIG_TCP_AO + return false; +#else + return tcp_rsk(req)->maclen !=3D 0; +#endif +} + struct tcp_sock { /* inet_connection_sock has to be the first member of tcp_sock */ struct inet_connection_sock inet_conn; diff --git a/include/net/tcp.h b/include/net/tcp.h index 061fe8471bfc..f21898bb31bd 100644 --- a/include/net/tcp.h +++ b/include/net/tcp.h @@ -2103,6 +2103,13 @@ struct tcp_request_sock_ops { const struct sock *sk, const struct sk_buff *skb); #endif +#ifdef CONFIG_TCP_AO + struct tcp_ao_key *(*ao_lookup)(const struct sock *sk, + struct request_sock *req, + int sndid, int rcvid); + int (*ao_calc_key)(struct tcp_ao_key *mkt, u8 *key, + struct request_sock *sk); +#endif #ifdef CONFIG_SYN_COOKIES __u32 (*cookie_init_seq)(const struct sk_buff *skb, __u16 *mss); diff --git a/include/net/tcp_ao.h b/include/net/tcp_ao.h index af82b4aeef11..a1d26e1a0b82 100644 --- a/include/net/tcp_ao.h +++ b/include/net/tcp_ao.h @@ -119,6 +119,9 @@ int tcp_ao_hash_skb(unsigned short int family, int tcp_parse_ao(struct sock *sk, int cmd, unsigned short int family, sockptr_t optval, int optlen); struct tcp_ao_key *tcp_ao_do_lookup_sndid(const struct sock *sk, u8 keyid); +int tcp_ao_copy_all_matching(const struct sock *sk, struct sock *newsk, + struct request_sock *req, struct sk_buff *skb, + int family); int tcp_ao_calc_traffic_key(struct tcp_ao_key *mkt, u8 *key, void *ctx, unsigned int len); void tcp_ao_destroy_sock(struct sock *sk, bool twsk); @@ -142,6 +145,11 @@ struct tcp_ao_key *tcp_v4_ao_lookup(const struct sock = *sk, struct sock *addr_sk, int tcp_v4_ao_calc_key_sk(struct tcp_ao_key *mkt, u8 *key, const struct sock *sk, __be32 sisn, __be32 disn, bool send); +int tcp_v4_ao_calc_key_rsk(struct tcp_ao_key *mkt, u8 *key, + struct request_sock *req); +struct tcp_ao_key *tcp_v4_ao_lookup_rsk(const struct sock *sk, + struct request_sock *req, + int sndid, int rcvid); int tcp_v4_ao_hash_skb(char *ao_hash, struct tcp_ao_key *key, const struct sock *sk, const struct sk_buff *skb, const u8 *tkey, int hash_offset, u32 sne); @@ -152,9 +160,17 @@ int tcp_v6_ao_hash_pseudoheader(struct crypto_pool_aha= sh *hp, int tcp_v6_ao_calc_key_sk(struct tcp_ao_key *mkt, u8 *key, const struct sock *sk, __be32 sisn, __be32 disn, bool send); +int tcp_v6_ao_calc_key_rsk(struct tcp_ao_key *mkt, u8 *key, + struct request_sock *req); +struct tcp_ao_key *tcp_v6_ao_do_lookup(const struct sock *sk, + const struct in6_addr *addr, + int sndid, int rcvid); struct tcp_ao_key *tcp_v6_ao_lookup(const struct sock *sk, struct sock *addr_sk, int sndid, int rcvid); +struct tcp_ao_key *tcp_v6_ao_lookup_rsk(const struct sock *sk, + struct request_sock *req, + int sndid, int rcvid); int tcp_v6_ao_hash_skb(char *ao_hash, struct tcp_ao_key *key, const struct sock *sk, const struct sk_buff *skb, const u8 *tkey, int hash_offset, u32 sne); diff --git a/net/ipv4/tcp_ao.c b/net/ipv4/tcp_ao.c index 528b6650c72c..a797eedfbcdf 100644 --- a/net/ipv4/tcp_ao.c +++ b/net/ipv4/tcp_ao.c @@ -52,6 +52,21 @@ int tcp_ao_calc_traffic_key(struct tcp_ao_key *mkt, u8 *= key, void *ctx, return 1; } =20 +struct tcp_ao_key *tcp_ao_do_lookup_keyid(struct tcp_ao_info *ao, + int sndid, int rcvid) +{ + struct tcp_ao_key *key; + + hlist_for_each_entry_rcu(key, &ao->head, node) { + if ((sndid >=3D 0 && key->sndid !=3D sndid) || + (rcvid >=3D 0 && key->rcvid !=3D rcvid)) + continue; + return key; + } + + return NULL; +} + struct tcp_ao_key *tcp_ao_do_lookup_rcvid(struct sock *sk, u8 keyid) { struct tcp_sock *tp =3D tcp_sk(sk); @@ -189,6 +204,22 @@ void tcp_ao_link_mkt(struct tcp_ao_info *ao, struct tc= p_ao_key *mkt) hlist_add_head_rcu(&mkt->node, &ao->head); } =20 +struct tcp_ao_key *tcp_ao_copy_key(struct sock *sk, struct tcp_ao_key *key) +{ + struct tcp_ao_key *new_key; + + new_key =3D sock_kmalloc(sk, tcp_ao_sizeof_key(key), + GFP_ATOMIC); + if (!new_key) + return NULL; + + *new_key =3D *key; + INIT_HLIST_NODE(&new_key->node); + crypto_pool_add(new_key->crypto_pool_id); + + return new_key; +} + static void tcp_ao_key_free_rcu(struct rcu_head *head) { struct tcp_ao_key *key =3D container_of(head, struct tcp_ao_key, rcu); @@ -286,6 +317,18 @@ int tcp_v4_ao_calc_key_sk(struct tcp_ao_key *mkt, u8 *= key, htons(sk->sk_num), disn, sisn); } =20 +int tcp_v4_ao_calc_key_rsk(struct tcp_ao_key *mkt, u8 *key, + struct request_sock *req) +{ + struct inet_request_sock *ireq =3D inet_rsk(req); + + return tcp_v4_ao_calc_key(mkt, key, + ireq->ir_loc_addr, ireq->ir_rmt_addr, + htons(ireq->ir_num), ireq->ir_rmt_port, + htonl(tcp_rsk(req)->snt_isn), + htonl(tcp_rsk(req)->rcv_isn)); +} + static int tcp_v4_ao_hash_pseudoheader(struct crypto_pool_ahash *hp, __be32 daddr, __be32 saddr, int nbytes) @@ -543,6 +586,16 @@ int tcp_v4_ao_hash_skb(char *ao_hash, struct tcp_ao_ke= y *key, tkey, hash_offset, sne); } =20 +struct tcp_ao_key *tcp_v4_ao_lookup_rsk(const struct sock *sk, + struct request_sock *req, + int sndid, int rcvid) +{ + union tcp_ao_addr *addr =3D + (union tcp_ao_addr *)&inet_rsk(req)->ir_rmt_addr; + + return tcp_ao_do_lookup(sk, addr, AF_INET, sndid, rcvid, 0); +} + struct tcp_ao_key *tcp_v4_ao_lookup(const struct sock *sk, struct sock *ad= dr_sk, int sndid, int rcvid) { @@ -644,6 +697,90 @@ void tcp_ao_finish_connect(struct sock *sk, struct sk_= buff *skb) } } =20 +int tcp_ao_copy_all_matching(const struct sock *sk, struct sock *newsk, + struct request_sock *req, struct sk_buff *skb, + int family) +{ + struct tcp_ao_info *ao; + struct tcp_ao_info *new_ao; + struct tcp_ao_key *key, *new_key, *first_key; + struct hlist_node *n; + union tcp_ao_addr *addr; + bool match =3D false; + + ao =3D rcu_dereference(tcp_sk(sk)->ao_info); + if (!ao) + return 0; + + /* New socket without TCP-AO on it */ + if (!tcp_rsk_used_ao(req)) + return 0; + + new_ao =3D tcp_ao_alloc_info(GFP_ATOMIC, ao); + if (!new_ao) + return -ENOMEM; + new_ao->lisn =3D htonl(tcp_rsk(req)->snt_isn); + new_ao->risn =3D htonl(tcp_rsk(req)->rcv_isn); + + if (family =3D=3D AF_INET) + addr =3D (union tcp_ao_addr *)&newsk->sk_daddr; + else + addr =3D (union tcp_ao_addr *)&newsk->sk_v6_daddr; + + hlist_for_each_entry_rcu(key, &ao->head, node) { + if (tcp_ao_key_cmp(key, addr, key->prefixlen, family, + -1, -1, 0)) + continue; + + new_key =3D tcp_ao_copy_key(newsk, key); + if (!new_key) + goto free_and_exit; + + tcp_ao_cache_traffic_keys(newsk, new_ao, new_key); + tcp_ao_link_mkt(new_ao, new_key); + match =3D true; + } + + if (match) { + struct hlist_node *key_head; + + key_head =3D rcu_dereference(hlist_first_rcu(&new_ao->head)); + first_key =3D hlist_entry_safe(key_head, struct tcp_ao_key, node); + + /* set current_key */ + key =3D tcp_ao_do_lookup_keyid(new_ao, tcp_rsk(req)->ao_keyid, -1); + if (key) + new_ao->current_key =3D key; + else + new_ao->current_key =3D first_key; + + /* set rnext_key */ + key =3D tcp_ao_do_lookup_keyid(new_ao, -1, tcp_rsk(req)->ao_rcv_next); + if (key) + new_ao->rnext_key =3D key; + else + new_ao->rnext_key =3D first_key; + + new_ao->snd_sne_seq =3D tcp_rsk(req)->snt_isn; + new_ao->rcv_sne_seq =3D tcp_rsk(req)->rcv_isn; + + sk_gso_disable(newsk); + rcu_assign_pointer(tcp_sk(newsk)->ao_info, new_ao); + } + + return 0; + +free_and_exit: + hlist_for_each_entry_safe(key, n, &new_ao->head, node) { + hlist_del(&key->node); + crypto_pool_release(key->crypto_pool_id); + atomic_sub(tcp_ao_sizeof_key(key), &newsk->sk_omem_alloc); + kfree(key); + } + kfree(new_ao); + return -ENOMEM; +} + static int tcp_ao_current_rnext(struct sock *sk, u16 tcpa_flags, u8 tcpa_sndid, u8 tcpa_rcvid) { diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c index 27e95876cba1..b8175ded8a70 100644 --- a/net/ipv4/tcp_input.c +++ b/net/ipv4/tcp_input.c @@ -6921,6 +6921,14 @@ int tcp_conn_request(struct request_sock_ops *rsk_op= s, struct dst_entry *dst; struct flowi fl; u8 syncookies; + const struct tcp_ao_hdr *aoh =3D NULL; + +#ifdef CONFIG_TCP_AO + /* TODO: Add an option to require TCP-AO signature */ + /* Packet was already validated in tcp_v[46]_rcv */ + if (tcp_parse_auth_options(tcp_hdr(skb), NULL, &aoh)) + goto drop; /* Invalid TCP options */ +#endif =20 syncookies =3D READ_ONCE(net->ipv4.sysctl_tcp_syncookies); =20 @@ -6928,7 +6936,7 @@ int tcp_conn_request(struct request_sock_ops *rsk_ops, * limitations, they conserve resources and peer is * evidently real one. */ - if ((syncookies =3D=3D 2 || inet_csk_reqsk_queue_is_full(sk)) && !isn) { + if (!aoh && (syncookies =3D=3D 2 || inet_csk_reqsk_queue_is_full(sk)) && = !isn) { want_cookie =3D tcp_syn_flood_action(sk, rsk_ops->slab_name); if (!want_cookie) goto drop; @@ -7007,6 +7015,15 @@ int tcp_conn_request(struct request_sock_ops *rsk_op= s, inet_rsk(req)->ecn_ok =3D 0; } =20 +#ifdef CONFIG_TCP_AO + if (aoh) { + tcp_rsk(req)->maclen =3D aoh->length - sizeof(struct tcp_ao_hdr); + tcp_rsk(req)->ao_rcv_next =3D aoh->keyid; + tcp_rsk(req)->ao_keyid =3D aoh->rnext_keyid; + } else { + tcp_rsk(req)->maclen =3D 0; + } +#endif tcp_rsk(req)->snt_isn =3D isn; tcp_rsk(req)->txhash =3D net_tx_rndhash(); tcp_rsk(req)->syn_tos =3D TCP_SKB_CB(skb)->ip_dsfield; diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c index 003c5f320bfc..55c763b8bf24 100644 --- a/net/ipv4/tcp_ipv4.c +++ b/net/ipv4/tcp_ipv4.c @@ -1064,30 +1064,73 @@ static void tcp_v4_timewait_ack(struct sock *sk, st= ruct sk_buff *skb) static void tcp_v4_reqsk_send_ack(const struct sock *sk, struct sk_buff *s= kb, struct request_sock *req) { + struct tcp_md5sig_key *md5_key =3D NULL; + struct tcp_ao_key *ao_key =3D NULL; const union tcp_md5_addr *addr; - int l3index; + u8 keyid =3D 0; +#ifdef CONFIG_TCP_AO + u8 traffic_key[TCP_AO_MAX_HASH_SIZE] __tcp_ao_key_align; + const struct tcp_ao_hdr *aoh; +#else + u8 *traffic_key =3D NULL; +#endif =20 /* sk->sk_state =3D=3D TCP_LISTEN -> for regular TCP_SYN_RECV * sk->sk_state =3D=3D TCP_SYN_RECV -> for Fast Open. */ u32 seq =3D (sk->sk_state =3D=3D TCP_LISTEN) ? tcp_rsk(req)->snt_isn + 1 : tcp_sk(sk)->snd_nxt; + addr =3D (union tcp_md5_addr *)&ip_hdr(skb)->saddr; + + if (tcp_rsk_used_ao(req)) { +#ifdef CONFIG_TCP_AO + /* Invalid TCP option size or twice included auth */ + if (tcp_parse_auth_options(tcp_hdr(skb), NULL, &aoh)) + return; + + if (!aoh) + return; + + ao_key =3D tcp_ao_do_lookup(sk, addr, AF_INET, + aoh->rnext_keyid, -1, 0); + if (unlikely(!ao_key)) { + /* Send ACK with any matching MKT for the peer */ + ao_key =3D tcp_ao_do_lookup(sk, addr, + AF_INET, -1, -1, 0); + /* Matching key disappeared (user removed the key?) + * let the handshake timeout. + */ + if (!ao_key) { + net_info_ratelimited("TCP-AO key for (%pI4, %d)->(%pI4, %d) suddenly d= isappeared, won't ACK new connection\n", + addr, + ntohs(tcp_hdr(skb)->source), + &ip_hdr(skb)->daddr, + ntohs(tcp_hdr(skb)->dest)); + return; + } + } =20 + keyid =3D aoh->keyid; + tcp_v4_ao_calc_key_rsk(ao_key, traffic_key, req); +#endif + } else { + int l3index; + + l3index =3D tcp_v4_sdif(skb) ? inet_iif(skb) : 0; + md5_key =3D tcp_md5_do_lookup(sk, l3index, addr, AF_INET); + } /* RFC 7323 2.3 * The window field (SEG.WND) of every outgoing segment, with the * exception of segments, MUST be right-shifted by * Rcv.Wind.Shift bits: */ - addr =3D (union tcp_md5_addr *)&ip_hdr(skb)->saddr; - l3index =3D tcp_v4_sdif(skb) ? inet_iif(skb) : 0; tcp_v4_send_ack(sk, skb, seq, tcp_rsk(req)->rcv_nxt, req->rsk_rcv_wnd >> inet_rsk(req)->rcv_wscale, tcp_time_stamp_raw() + tcp_rsk(req)->ts_off, req->ts_recent, 0, - tcp_md5_do_lookup(sk, l3index, addr, AF_INET), - NULL, NULL, 0, 0, + md5_key, ao_key, traffic_key, keyid, 0, inet_rsk(req)->no_srccheck ? IP_REPLY_ARG_NOSRCCHECK : 0, ip_hdr(skb)->tos); } @@ -1603,6 +1646,10 @@ const struct tcp_request_sock_ops tcp_request_sock_i= pv4_ops =3D { .req_md5_lookup =3D tcp_v4_md5_lookup, .calc_md5_hash =3D tcp_v4_md5_hash_skb, #endif +#ifdef CONFIG_TCP_AO + .ao_lookup =3D tcp_v4_ao_lookup_rsk, + .ao_calc_key =3D tcp_v4_ao_calc_key_rsk, +#endif #ifdef CONFIG_SYN_COOKIES .cookie_init_seq =3D cookie_v4_init_sequence, #endif @@ -1704,7 +1751,7 @@ struct sock *tcp_v4_syn_recv_sock(const struct sock *= sk, struct sk_buff *skb, /* Copy over the MD5 key from the original socket */ addr =3D (union tcp_md5_addr *)&newinet->inet_daddr; key =3D tcp_md5_do_lookup(sk, l3index, addr, AF_INET); - if (key) { + if (key && !tcp_rsk_used_ao(req)) { /* * We're using one, so create a matching key * on the newsk structure. If we fail to get @@ -1715,6 +1762,10 @@ struct sock *tcp_v4_syn_recv_sock(const struct sock = *sk, struct sk_buff *skb, sk_gso_disable(newsk); } #endif +#ifdef CONFIG_TCP_AO + if (tcp_ao_copy_all_matching(sk, newsk, req, skb, AF_INET)) + goto put_and_exit; /* OOM, release back memory */ +#endif =20 if (__inet_inherit_port(sk, newsk) < 0) goto put_and_exit; diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c index 94012a015bd0..03f1b809866b 100644 --- a/net/ipv4/tcp_minisocks.c +++ b/net/ipv4/tcp_minisocks.c @@ -473,6 +473,9 @@ struct sock *tcp_create_openreq_child(const struct sock= *sk, struct inet_connection_sock *newicsk; struct tcp_sock *oldtp, *newtp; u32 seq; +#ifdef CONFIG_TCP_AO + struct tcp_ao_key *ao_key; +#endif =20 if (!newsk) return NULL; @@ -551,6 +554,13 @@ struct sock *tcp_create_openreq_child(const struct soc= k *sk, if (treq->af_specific->req_md5_lookup(sk, req_to_sk(req))) newtp->tcp_header_len +=3D TCPOLEN_MD5SIG_ALIGNED; #endif +#ifdef CONFIG_TCP_AO + newtp->ao_info =3D NULL; + ao_key =3D treq->af_specific->ao_lookup(sk, req, + tcp_rsk(req)->ao_keyid, -1); + if (ao_key) + newtp->tcp_header_len +=3D tcp_ao_len(ao_key); + #endif if (skb->len >=3D TCP_MSS_DEFAULT + newtp->tcp_header_len) newicsk->icsk_ack.last_seg_size =3D skb->len - newtp->tcp_header_len; newtp->rx_opt.mss_clamp =3D req->mss; diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c index 26315cac09dd..81f897f95147 100644 --- a/net/ipv4/tcp_output.c +++ b/net/ipv4/tcp_output.c @@ -606,6 +606,7 @@ static void bpf_skops_write_hdr_opt(struct sock *sk, st= ruct sk_buff *skb, * (but it may well be that other scenarios fail similarly). */ static void tcp_options_write(struct tcphdr *th, struct tcp_sock *tp, + const struct tcp_request_sock *tcprsk, struct tcp_out_options *opts, struct tcp_ao_key *ao_key) { @@ -636,6 +637,14 @@ static void tcp_options_write(struct tcphdr *th, struc= t tcp_sock *tp, (ao_key->sndid << 8) | (ao_info->rnext_key->rcvid)); } + if (tcprsk) { + u8 aolen =3D tcprsk->maclen + sizeof(struct tcp_ao_hdr); + + maclen =3D tcprsk->maclen; + *ptr++ =3D htonl((TCPOPT_AO << 24) | (aolen << 16) | + (tcprsk->ao_keyid << 8) | + (tcprsk->ao_rcv_next)); + } opts->hash_location =3D (__u8 *)ptr; ptr +=3D maclen / sizeof(*ptr); if (unlikely(maclen % sizeof(*ptr))) { @@ -1414,7 +1423,7 @@ static int __tcp_transmit_skb(struct sock *sk, struct= sk_buff *skb, th->window =3D htons(min(tp->rcv_wnd, 65535U)); } =20 - tcp_options_write(th, tp, &opts, ao_key); + tcp_options_write(th, tp, NULL, &opts, ao_key); =20 #ifdef CONFIG_TCP_MD5SIG /* Calculate the MD5 hash, as we have all we need now */ @@ -3700,7 +3709,7 @@ struct sk_buff *tcp_make_synack(const struct sock *sk= , struct dst_entry *dst, =20 /* RFC1323: The window in SYN & SYN/ACK segments is never scaled. */ th->window =3D htons(min(req->rsk_rcv_wnd, 65535U)); - tcp_options_write(th, NULL, &opts, NULL); + tcp_options_write(th, NULL, NULL, &opts, NULL); th->doff =3D (tcp_header_size >> 2); __TCP_INC_STATS(sock_net(sk), TCP_MIB_OUTSEGS); =20 diff --git a/net/ipv6/tcp_ao.c b/net/ipv6/tcp_ao.c index 7fd31c60488a..31ae504af8e6 100644 --- a/net/ipv6/tcp_ao.c +++ b/net/ipv6/tcp_ao.c @@ -53,6 +53,18 @@ int tcp_v6_ao_calc_key_sk(struct tcp_ao_key *mkt, u8 *ke= y, htons(sk->sk_num), disn, sisn); } =20 +int tcp_v6_ao_calc_key_rsk(struct tcp_ao_key *mkt, u8 *key, + struct request_sock *req) +{ + struct inet_request_sock *ireq =3D inet_rsk(req); + + return tcp_v6_ao_calc_key(mkt, key, + &ireq->ir_v6_loc_addr, &ireq->ir_v6_rmt_addr, + htons(ireq->ir_num), ireq->ir_rmt_port, + htonl(tcp_rsk(req)->snt_isn), + htonl(tcp_rsk(req)->rcv_isn)); +} + struct tcp_ao_key *tcp_v6_ao_do_lookup(const struct sock *sk, const struct in6_addr *addr, int sndid, int rcvid) @@ -70,6 +82,15 @@ struct tcp_ao_key *tcp_v6_ao_lookup(const struct sock *s= k, return tcp_v6_ao_do_lookup(sk, addr, sndid, rcvid); } =20 +struct tcp_ao_key *tcp_v6_ao_lookup_rsk(const struct sock *sk, + struct request_sock *req, + int sndid, int rcvid) +{ + struct in6_addr *addr =3D &inet_rsk(req)->ir_v6_rmt_addr; + + return tcp_v6_ao_do_lookup(sk, addr, sndid, rcvid); +} + int tcp_v6_ao_hash_pseudoheader(struct crypto_pool_ahash *hp, const struct in6_addr *daddr, const struct in6_addr *saddr, int nbytes) diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c index bab4a1883b3c..7610fdf5d519 100644 --- a/net/ipv6/tcp_ipv6.c +++ b/net/ipv6/tcp_ipv6.c @@ -835,6 +835,10 @@ const struct tcp_request_sock_ops tcp_request_sock_ipv= 6_ops =3D { .req_md5_lookup =3D tcp_v6_md5_lookup, .calc_md5_hash =3D tcp_v6_md5_hash_skb, #endif +#ifdef CONFIG_TCP_AO + .ao_lookup =3D tcp_v6_ao_lookup_rsk, + .ao_calc_key =3D tcp_v6_ao_calc_key_rsk, +#endif #ifdef CONFIG_SYN_COOKIES .cookie_init_seq =3D cookie_v6_init_sequence, #endif @@ -1220,9 +1224,51 @@ static void tcp_v6_timewait_ack(struct sock *sk, str= uct sk_buff *skb) static void tcp_v6_reqsk_send_ack(const struct sock *sk, struct sk_buff *s= kb, struct request_sock *req) { + struct tcp_md5sig_key *md5_key =3D NULL; + struct tcp_ao_key *ao_key =3D NULL; + const struct in6_addr *addr; + u8 keyid =3D 0; +#ifdef CONFIG_TCP_AO + char traffic_key[TCP_AO_MAX_HASH_SIZE] __tcp_ao_key_align; + const struct tcp_ao_hdr *aoh; +#else + u8 *traffic_key =3D NULL; +#endif int l3index; =20 l3index =3D tcp_v6_sdif(skb) ? tcp_v6_iif_l3_slave(skb) : 0; + addr =3D &ipv6_hdr(skb)->saddr; + + if (tcp_rsk_used_ao(req)) { +#ifdef CONFIG_TCP_AO + /* Invalid TCP option size or twice included auth */ + if (tcp_parse_auth_options(tcp_hdr(skb), NULL, &aoh)) + return; + if (!aoh) + return; + ao_key =3D tcp_v6_ao_do_lookup(sk, addr, aoh->rnext_keyid, -1); + if (unlikely(!ao_key)) { + /* Send ACK with any matching MKT for the peer */ + ao_key =3D tcp_v6_ao_do_lookup(sk, addr, -1, -1); + /* Matching key disappeared (user removed the key?) + * let the handshake timeout. + */ + if (!ao_key) { + net_info_ratelimited("TCP-AO key for (%pI6, %d)->(%pI6, %d) suddenly d= isappeared, won't ACK new connection\n", + addr, + ntohs(tcp_hdr(skb)->source), + &ipv6_hdr(skb)->daddr, + ntohs(tcp_hdr(skb)->dest)); + return; + } + } + + keyid =3D aoh->keyid; + tcp_v6_ao_calc_key_rsk(ao_key, traffic_key, req); +#endif + } else { + md5_key =3D tcp_v6_md5_do_lookup(sk, addr, l3index); + } =20 /* sk->sk_state =3D=3D TCP_LISTEN -> for regular TCP_SYN_RECV * sk->sk_state =3D=3D TCP_SYN_RECV -> for Fast Open. @@ -1238,9 +1284,9 @@ static void tcp_v6_reqsk_send_ack(const struct sock *= sk, struct sk_buff *skb, req->rsk_rcv_wnd >> inet_rsk(req)->rcv_wscale, tcp_time_stamp_raw() + tcp_rsk(req)->ts_off, req->ts_recent, sk->sk_bound_dev_if, - tcp_v6_md5_do_lookup(sk, &ipv6_hdr(skb)->saddr, l3index), + md5_key, ipv6_get_dsfield(ipv6_hdr(skb)), 0, sk->sk_priority, - NULL, NULL, 0, 0); + ao_key, traffic_key, keyid, 0); } =20 =20 @@ -1470,18 +1516,26 @@ static struct sock *tcp_v6_syn_recv_sock(const stru= ct sock *sk, struct sk_buff * #ifdef CONFIG_TCP_MD5SIG l3index =3D l3mdev_master_ifindex_by_index(sock_net(sk), ireq->ir_iif); =20 - /* Copy over the MD5 key from the original socket */ - key =3D tcp_v6_md5_do_lookup(sk, &newsk->sk_v6_daddr, l3index); - if (key) { - /* We're using one, so create a matching key - * on the newsk structure. If we fail to get - * memory, then we end up not copying the key - * across. Shucks. - */ - tcp_md5_key_copy(newsk, (union tcp_md5_addr *)&newsk->sk_v6_daddr, - AF_INET6, 128, l3index, key); + if (!tcp_rsk_used_ao(req)) { + const struct in6_addr *daddr =3D &newsk->sk_v6_daddr; + /* Copy over the MD5 key from the original socket */ + key =3D tcp_v6_md5_do_lookup(sk, daddr, l3index); + if (key) { + /* We're using one, so create a matching key + * on the newsk structure. If we fail to get + * memory, then we end up not copying the key + * across. Shucks. + */ + tcp_md5_key_copy(newsk, (union tcp_md5_addr *)daddr, + AF_INET6, 128, l3index, key); + } } #endif +#ifdef CONFIG_TCP_AO + /* Copy over tcp_ao_info if any */ + if (tcp_ao_copy_all_matching(sk, newsk, req, skb, AF_INET6)) + goto out; /* OOM */ +#endif =20 if (__inet_inherit_port(sk, newsk) < 0) { inet_csk_prepare_forced_close(newsk); --=20 2.37.2 From nobody Fri Apr 10 21:51:38 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id E7258C00140 for ; Thu, 18 Aug 2022 17:03:18 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1344574AbiHRRDP (ORCPT ); Thu, 18 Aug 2022 13:03:15 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35180 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1345434AbiHRRAs (ORCPT ); Thu, 18 Aug 2022 13:00:48 -0400 Received: from mail-wr1-x430.google.com (mail-wr1-x430.google.com [IPv6:2a00:1450:4864:20::430]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id BF5A2BB017 for ; Thu, 18 Aug 2022 10:00:38 -0700 (PDT) Received: by mail-wr1-x430.google.com with SMTP id k9so2454003wri.0 for ; Thu, 18 Aug 2022 10:00:38 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=arista.com; s=google; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc; bh=Wbc32LplcthNECwQ3XSLnSTtNoYHvDa/GfoZYIXw7pQ=; b=FqgYhAtjkpP9V0t6e7qUWtsKI24bIP9QEPsJhtLEkWiUKCCLSB6i9FJj3MWSkQyH2n htInieB/sU7YcdgZvmSe97U6SBnTJVShz9RbbN7Mge5U7KY/v6MATChIPwI2rg8lEJyv yLiAeE2s+cubjjUC6S5KVpv7S5gxVTvQEUW9psXZP4Ls0cavx8SJkuRln2tt5cuSoXCw t2xhsDOxIEj0NsXg8ctda/BTiw6myCLFLk806MXn1XMt0GO0UG1+2LpoXgjXzb/Oo2Eq R1ldO5ZM3mcM7sWi1I0d+V7lssCONyqF6k3x5iFfapGfnRZ5g1nZWBaKoTJjv0JxqVDt WgPA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc; bh=Wbc32LplcthNECwQ3XSLnSTtNoYHvDa/GfoZYIXw7pQ=; b=R9U3/HHwaHtKG04ZFC8niyaBy0DhmMXOhFaB3nQzr+xb83dbTx2opOt0fXZfnPWIuT x7uoaFu9/J0rqORLxdO7k5OPwdjlUdQ3LpJeEFRqSFYswGfg5ekwCe9hOGjQsX0sBneN Bgsi01DbP4API+HoSQusOjf0guzCAYDjo2F8DWfUKXhfwIYBcqYUv9L2uRFYoIumapOq DrUlqYn6f9aICB4iwwKvUfOpXvbU0a2PEJ4XVgOrxysYDbqPYaITL6bkpI1lOQge62td cnA5O2f00D9xYThIIJZaTX1CRbhU2tApbfIN4faizwEV9ebEINH6REghfijXSvTtSdK6 CdRg== X-Gm-Message-State: ACgBeo24PGGd0pdc7j1PUMiCfLzCs+kSOjKfpPAv9UIDnHVJZ9l5xRIt YxdKqbZf9oqb4hznwoff4vkqOA== X-Google-Smtp-Source: AA6agR6kQTuVQKDI0NgRLJXKI8D/0Nzh6aotUFJbRV01HbOeEjfSnxLBzOVp8G7Q9iBHJUHQugFHkg== X-Received: by 2002:a05:6000:80b:b0:21e:d62e:b282 with SMTP id bt11-20020a056000080b00b0021ed62eb282mr2122675wrb.557.1660842037192; Thu, 18 Aug 2022 10:00:37 -0700 (PDT) Received: from Mindolluin.ire.aristanetworks.com ([217.173.96.166]) by smtp.gmail.com with ESMTPSA id be13-20020a05600c1e8d00b003a511e92abcsm2662169wmb.34.2022.08.18.10.00.35 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 18 Aug 2022 10:00:36 -0700 (PDT) From: Dmitry Safonov To: Eric Dumazet , "David S. Miller" , linux-kernel@vger.kernel.org Cc: Dmitry Safonov , Andy Lutomirski , Ard Biesheuvel , Bob Gilligan , David Ahern , Dmitry Safonov <0x7f454c46@gmail.com>, Eric Biggers , Francesco Ruggeri , Herbert Xu , Hideaki YOSHIFUJI , Ivan Delalande , Jakub Kicinski , Leonard Crestez , Paolo Abeni , Salam Noureddine , Shuah Khan , netdev@vger.kernel.org, linux-crypto@vger.kernel.org Subject: [PATCH 16/31] net/tcp: Sign SYN-ACK segments with TCP-AO Date: Thu, 18 Aug 2022 17:59:50 +0100 Message-Id: <20220818170005.747015-17-dima@arista.com> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220818170005.747015-1-dima@arista.com> References: <20220818170005.747015-1-dima@arista.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" Similarly to RST segments, wire SYN-ACKs to TCP-AO. tcp_rsk_used_ao() is handy here to check if the request socket used AO and needs a signature on the outgoing segments. Co-developed-by: Francesco Ruggeri Signed-off-by: Francesco Ruggeri Co-developed-by: Salam Noureddine Signed-off-by: Salam Noureddine Signed-off-by: Dmitry Safonov --- include/net/tcp.h | 4 ++++ include/net/tcp_ao.h | 6 ++++++ net/ipv4/tcp_ao.c | 14 ++++++++++++++ net/ipv4/tcp_ipv4.c | 1 + net/ipv4/tcp_output.c | 37 +++++++++++++++++++++++++++++++------ net/ipv6/tcp_ao.c | 14 ++++++++++++++ net/ipv6/tcp_ipv6.c | 1 + 7 files changed, 71 insertions(+), 6 deletions(-) diff --git a/include/net/tcp.h b/include/net/tcp.h index f21898bb31bd..19549be29265 100644 --- a/include/net/tcp.h +++ b/include/net/tcp.h @@ -2109,6 +2109,10 @@ struct tcp_request_sock_ops { int sndid, int rcvid); int (*ao_calc_key)(struct tcp_ao_key *mkt, u8 *key, struct request_sock *sk); + int (*ao_synack_hash)(char *ao_hash, struct tcp_ao_key *mkt, + struct request_sock *req, + const struct sk_buff *skb, + int hash_offset, u32 sne); #endif #ifdef CONFIG_SYN_COOKIES __u32 (*cookie_init_seq)(const struct sk_buff *skb, diff --git a/include/net/tcp_ao.h b/include/net/tcp_ao.h index a1d26e1a0b82..cc3f6686d5c9 100644 --- a/include/net/tcp_ao.h +++ b/include/net/tcp_ao.h @@ -142,6 +142,9 @@ int tcp_ao_hash_hdr(unsigned short family, char *ao_has= h, int tcp_v4_parse_ao(struct sock *sk, int optname, sockptr_t optval, int op= tlen); struct tcp_ao_key *tcp_v4_ao_lookup(const struct sock *sk, struct sock *ad= dr_sk, int sndid, int rcvid); +int tcp_v4_ao_synack_hash(char *ao_hash, struct tcp_ao_key *mkt, + struct request_sock *req, const struct sk_buff *skb, + int hash_offset, u32 sne); int tcp_v4_ao_calc_key_sk(struct tcp_ao_key *mkt, u8 *key, const struct sock *sk, __be32 sisn, __be32 disn, bool send); @@ -176,6 +179,9 @@ int tcp_v6_ao_hash_skb(char *ao_hash, struct tcp_ao_key= *key, const u8 *tkey, int hash_offset, u32 sne); int tcp_v6_parse_ao(struct sock *sk, int cmd, sockptr_t optval, int optlen); +int tcp_v6_ao_synack_hash(char *ao_hash, struct tcp_ao_key *ao_key, + struct request_sock *req, const struct sk_buff *skb, + int hash_offset, u32 sne); void tcp_ao_finish_connect(struct sock *sk, struct sk_buff *skb); void tcp_ao_connect_init(struct sock *sk); =20 diff --git a/net/ipv4/tcp_ao.c b/net/ipv4/tcp_ao.c index a797eedfbcdf..78c24ade9a03 100644 --- a/net/ipv4/tcp_ao.c +++ b/net/ipv4/tcp_ao.c @@ -586,6 +586,20 @@ int tcp_v4_ao_hash_skb(char *ao_hash, struct tcp_ao_ke= y *key, tkey, hash_offset, sne); } =20 +int tcp_v4_ao_synack_hash(char *ao_hash, struct tcp_ao_key *ao_key, + struct request_sock *req, const struct sk_buff *skb, + int hash_offset, u32 sne) +{ + char traffic_key[TCP_AO_MAX_HASH_SIZE] __tcp_ao_key_align; + + tcp_v4_ao_calc_key_rsk(ao_key, traffic_key, req); + + tcp_ao_hash_skb(AF_INET, ao_hash, ao_key, req_to_sk(req), skb, + traffic_key, hash_offset, sne); + + return 0; +} + struct tcp_ao_key *tcp_v4_ao_lookup_rsk(const struct sock *sk, struct request_sock *req, int sndid, int rcvid) diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c index 55c763b8bf24..02ab94461e86 100644 --- a/net/ipv4/tcp_ipv4.c +++ b/net/ipv4/tcp_ipv4.c @@ -1649,6 +1649,7 @@ const struct tcp_request_sock_ops tcp_request_sock_ip= v4_ops =3D { #ifdef CONFIG_TCP_AO .ao_lookup =3D tcp_v4_ao_lookup_rsk, .ao_calc_key =3D tcp_v4_ao_calc_key_rsk, + .ao_synack_hash =3D tcp_v4_ao_synack_hash, #endif #ifdef CONFIG_SYN_COOKIES .cookie_init_seq =3D cookie_v4_init_sequence, diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c index 81f897f95147..43111e39b6e1 100644 --- a/net/ipv4/tcp_output.c +++ b/net/ipv4/tcp_output.c @@ -3630,6 +3630,7 @@ struct sk_buff *tcp_make_synack(const struct sock *sk= , struct dst_entry *dst, struct inet_request_sock *ireq =3D inet_rsk(req); const struct tcp_sock *tp =3D tcp_sk(sk); struct tcp_md5sig_key *md5 =3D NULL; + struct tcp_ao_key *ao_key =3D NULL; struct tcp_out_options opts; struct sk_buff *skb; int tcp_header_size; @@ -3680,16 +3681,32 @@ struct sk_buff *tcp_make_synack(const struct sock *= sk, struct dst_entry *dst, tcp_rsk(req)->snt_synack =3D tcp_skb_timestamp_us(skb); } =20 -#ifdef CONFIG_TCP_MD5SIG +#if defined(CONFIG_TCP_MD5SIG) || defined(CONFIG_TCP_AO) rcu_read_lock(); - md5 =3D tcp_rsk(req)->af_specific->req_md5_lookup(sk, req_to_sk(req)); #endif + if (tcp_rsk_used_ao(req)) { +#ifdef CONFIG_TCP_AO + /* TODO: what should we do if the key is no longer available on + * the listening socket? Maybe we can try a different matching + * key (without sndid match). If that also fails what should + * we do? We currently send an unsigned synack. It's probably + * better to not send anything. + */ + ao_key =3D tcp_sk(sk)->af_specific->ao_lookup(sk, req_to_sk(req), + tcp_rsk(req)->ao_keyid, -1); +#endif + } else { +#ifdef CONFIG_TCP_MD5SIG + md5 =3D tcp_rsk(req)->af_specific->req_md5_lookup(sk, + req_to_sk(req)); +#endif + } skb_set_hash(skb, tcp_rsk(req)->txhash, PKT_HASH_TYPE_L4); /* bpf program will be interested in the tcp_flags */ TCP_SKB_CB(skb)->tcp_flags =3D TCPHDR_SYN | TCPHDR_ACK; tcp_header_size =3D tcp_synack_options(sk, req, mss, skb, &opts, md5, - NULL, foc, synack_type, - syn_skb) + sizeof(*th); + ao_key, foc, synack_type, syn_skb) + + sizeof(*th); =20 skb_push(skb, tcp_header_size); skb_reset_transport_header(skb); @@ -3709,7 +3726,7 @@ struct sk_buff *tcp_make_synack(const struct sock *sk= , struct dst_entry *dst, =20 /* RFC1323: The window in SYN & SYN/ACK segments is never scaled. */ th->window =3D htons(min(req->rsk_rcv_wnd, 65535U)); - tcp_options_write(th, NULL, NULL, &opts, NULL); + tcp_options_write(th, NULL, tcp_rsk(req), &opts, NULL); th->doff =3D (tcp_header_size >> 2); __TCP_INC_STATS(sock_net(sk), TCP_MIB_OUTSEGS); =20 @@ -3717,7 +3734,15 @@ struct sk_buff *tcp_make_synack(const struct sock *s= k, struct dst_entry *dst, /* Okay, we have all we need - do the md5 hash if needed */ if (md5) tcp_rsk(req)->af_specific->calc_md5_hash(opts.hash_location, - md5, req_to_sk(req), skb); + md5, req_to_sk(req), skb); +#endif +#ifdef CONFIG_TCP_AO + if (ao_key) + tcp_rsk(req)->af_specific->ao_synack_hash(opts.hash_location, + ao_key, req, skb, + opts.hash_location - (u8 *)th, 0); +#endif +#if defined(CONFIG_TCP_MD5SIG) || defined(CONFIG_TCP_AO) rcu_read_unlock(); #endif =20 diff --git a/net/ipv6/tcp_ao.c b/net/ipv6/tcp_ao.c index 31ae504af8e6..526bbe232a64 100644 --- a/net/ipv6/tcp_ao.c +++ b/net/ipv6/tcp_ao.c @@ -123,3 +123,17 @@ int tcp_v6_parse_ao(struct sock *sk, int cmd, { return tcp_parse_ao(sk, cmd, AF_INET6, optval, optlen); } + +int tcp_v6_ao_synack_hash(char *ao_hash, struct tcp_ao_key *ao_key, + struct request_sock *req, const struct sk_buff *skb, + int hash_offset, u32 sne) +{ + char traffic_key[TCP_AO_MAX_HASH_SIZE] __tcp_ao_key_align; + + tcp_v6_ao_calc_key_rsk(ao_key, traffic_key, req); + + tcp_ao_hash_skb(AF_INET6, ao_hash, ao_key, req_to_sk(req), skb, + traffic_key, hash_offset, sne); + + return 0; +} diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c index 7610fdf5d519..16cea7de0851 100644 --- a/net/ipv6/tcp_ipv6.c +++ b/net/ipv6/tcp_ipv6.c @@ -838,6 +838,7 @@ const struct tcp_request_sock_ops tcp_request_sock_ipv6= _ops =3D { #ifdef CONFIG_TCP_AO .ao_lookup =3D tcp_v6_ao_lookup_rsk, .ao_calc_key =3D tcp_v6_ao_calc_key_rsk, + .ao_synack_hash =3D tcp_v6_ao_synack_hash, #endif #ifdef CONFIG_SYN_COOKIES .cookie_init_seq =3D cookie_v6_init_sequence, --=20 2.37.2 From nobody Fri Apr 10 21:51:38 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 91C27C32772 for ; Thu, 18 Aug 2022 17:03:23 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1344638AbiHRRDW (ORCPT ); Thu, 18 Aug 2022 13:03:22 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33772 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1345438AbiHRRAt (ORCPT ); Thu, 18 Aug 2022 13:00:49 -0400 Received: from mail-wr1-x42f.google.com (mail-wr1-x42f.google.com [IPv6:2a00:1450:4864:20::42f]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 5436FC993F for ; Thu, 18 Aug 2022 10:00:40 -0700 (PDT) Received: by mail-wr1-x42f.google.com with SMTP id z16so2409255wrh.12 for ; Thu, 18 Aug 2022 10:00:40 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=arista.com; s=google; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc; bh=O62Wiqg8kKBA1iTPKC033PpVfS8OPxrE1Vk4Mbe3bnQ=; b=KTbr/a//oLCrzeM4NST2v0Tb+QuZs0Tj+lPqG7jjGr5J9EQTx7iXJ3GNrV+XuAhyf0 KV7ol7lEsopkqUs5UKnAz844fMKg8lx+u3x9iVRxx4zftRdRwIqN6vQJQCBCzFEAU8Pd hOLOYXOPnBWpySSpxss/qcQ0hKczX9i22H1k8XEiGawR7/ig4Ri5aPbOkxfnDopS/8cd 6kcwaOyQoRwtuVPMbP14/tM2ZoAegZtkQBKIqRjWNReOBl1bF4mOIazSl8jF7lVOPF5R /kq9nHOFTQBszYnpLFy8QAi+x3RXp2zIBEDXeYelYvWj9iHMJqJJ/4xJPQEFGvTnMXWt YrLQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc; bh=O62Wiqg8kKBA1iTPKC033PpVfS8OPxrE1Vk4Mbe3bnQ=; b=IGINVFnhc/ALJzB8RXxvB/xRAVZ5hJymetubtatbMPN9Tjck8Kk3X3LkJ3q3JHGxbk K3QktCrhmM4v5t5HpCeD7O7QRQBYHIKsPb4dUlSw4P2pklydJwQGIgofEsxAhUk78LG6 9h4yVYA1TfFyqEqAsBLXnuOKjBe3f5L4cHvXdkosFBYw2Q94qymLXivRmbIEJ6uEHg9G DBuLU+tXvyA/AI7gQSH0Xc3LOlNDvVFuLVHVE4FfGYuVLH9mFI8EFvH6+gYABeRz4Kmy xwyqyfO8QBVunucMbkyIono3W/I5j+azdcWCn1LvbeV1aytIsAygaewzBMYnl9IMJOW6 yhow== X-Gm-Message-State: ACgBeo0+kfVuCK6l4kTYNq7Tg9Rk+Y/C9tBvEiDF6xNGyVIwR157wS2+ e9SrZmEfmQ/r0eDHTKfg9qm8Nw== X-Google-Smtp-Source: AA6agR6baxbzTbsv2Q/YuiAjUR+hdiDT8zqEI/xsFqtQhPZpSiQSGOG3eeDrH7K4GNQw7NBvMLX00w== X-Received: by 2002:a05:6000:22e:b0:225:33a9:3aa8 with SMTP id l14-20020a056000022e00b0022533a93aa8mr729598wrz.6.1660842038787; Thu, 18 Aug 2022 10:00:38 -0700 (PDT) Received: from Mindolluin.ire.aristanetworks.com ([217.173.96.166]) by smtp.gmail.com with ESMTPSA id be13-20020a05600c1e8d00b003a511e92abcsm2662169wmb.34.2022.08.18.10.00.37 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 18 Aug 2022 10:00:38 -0700 (PDT) From: Dmitry Safonov To: Eric Dumazet , "David S. Miller" , linux-kernel@vger.kernel.org Cc: Dmitry Safonov , Andy Lutomirski , Ard Biesheuvel , Bob Gilligan , David Ahern , Dmitry Safonov <0x7f454c46@gmail.com>, Eric Biggers , Francesco Ruggeri , Herbert Xu , Hideaki YOSHIFUJI , Ivan Delalande , Jakub Kicinski , Leonard Crestez , Paolo Abeni , Salam Noureddine , Shuah Khan , netdev@vger.kernel.org, linux-crypto@vger.kernel.org Subject: [PATCH 17/31] net/tcp: Verify inbound TCP-AO signed segments Date: Thu, 18 Aug 2022 17:59:51 +0100 Message-Id: <20220818170005.747015-18-dima@arista.com> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220818170005.747015-1-dima@arista.com> References: <20220818170005.747015-1-dima@arista.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" Now there is a common function to verify signature on TCP segments: tcp_inbound_hash(). It has checks for all possible cross-interactions with MD5 signs as well as with unsigned segments. The rules from RFC5925 are: (1) Any TCP segment can have at max only one signature. (2) TCP connections can't switch between using TCP-MD5 and TCP-AO. (3) TCP-AO connections can't stop using AO, as well as unsigned connections can't suddenly start using AO. Co-developed-by: Francesco Ruggeri Signed-off-by: Francesco Ruggeri Co-developed-by: Salam Noureddine Signed-off-by: Salam Noureddine Signed-off-by: Dmitry Safonov --- include/net/dropreason.h | 18 +++++ include/net/tcp.h | 59 +++++++++++++++- include/net/tcp_ao.h | 21 ++++++ net/ipv4/tcp.c | 39 +++-------- net/ipv4/tcp_ao.c | 148 +++++++++++++++++++++++++++++++++++++++ net/ipv4/tcp_ipv4.c | 11 +-- net/ipv6/tcp_ao.c | 12 ++++ net/ipv6/tcp_ipv6.c | 11 +-- 8 files changed, 276 insertions(+), 43 deletions(-) diff --git a/include/net/dropreason.h b/include/net/dropreason.h index fae9b40e54fa..b4906323b9a7 100644 --- a/include/net/dropreason.h +++ b/include/net/dropreason.h @@ -60,6 +60,11 @@ enum skb_drop_reason { * drop out of udp_memory_allocated. */ SKB_DROP_REASON_PROTO_MEM, + /** + * @SKB_DROP_REASON_TCP_AUTH_HDR: TCP-MD5 or TCP-AO hashes are met + * twice or set incorrectly. + */ + SKB_DROP_REASON_TCP_AUTH_HDR, /** * @SKB_DROP_REASON_TCP_MD5NOTFOUND: no MD5 hash and one expected, * corresponding to LINUX_MIB_TCPMD5NOTFOUND @@ -75,6 +80,19 @@ enum skb_drop_reason { * to LINUX_MIB_TCPMD5FAILURE */ SKB_DROP_REASON_TCP_MD5FAILURE, + /** + * @SKB_DROP_REASON_TCP_AONOTFOUND: no TCP-AO hash and one was expected + */ + SKB_DROP_REASON_TCP_AONOTFOUND, + /** + * @SKB_DROP_REASON_TCP_AOUNEXPECTED: TCP-AO hash is present and it + * was not expected. + */ + SKB_DROP_REASON_TCP_AOUNEXPECTED, + /** @SKB_DROP_REASON_TCP_AOKEYNOTFOUND: TCP-AO key is unknown */ + SKB_DROP_REASON_TCP_AOKEYNOTFOUND, + /** @SKB_DROP_REASON_TCP_AOFAILURE: TCP-AO hash is wrong */ + SKB_DROP_REASON_TCP_AOFAILURE, /** * @SKB_DROP_REASON_SOCKET_BACKLOG: failed to add skb to socket backlog ( * see LINUX_MIB_TCPBACKLOGDROP) diff --git a/include/net/tcp.h b/include/net/tcp.h index 19549be29265..2e75c542e7ed 100644 --- a/include/net/tcp.h +++ b/include/net/tcp.h @@ -1693,7 +1693,7 @@ tcp_md5_do_lookup_any_l3index(const struct sock *sk, enum skb_drop_reason tcp_inbound_md5_hash(const struct sock *sk, const struct sk_buff *skb, const void *saddr, const void *daddr, - int family, int dif, int sdif); + int family, int l3index, const __u8 *hash_location); =20 =20 #define tcp_twsk_md5_key(twsk) ((twsk)->tw_md5_key) @@ -1715,7 +1715,7 @@ tcp_md5_do_lookup_any_l3index(const struct sock *sk, static inline enum skb_drop_reason tcp_inbound_md5_hash(const struct sock *sk, const struct sk_buff *skb, const void *saddr, const void *daddr, - int family, int dif, int sdif) + int family, int l3index, const __u8 *hash_location) { return SKB_NOT_DROPPED_YET; } @@ -2090,6 +2090,10 @@ struct tcp_sock_af_ops { const struct sock *sk, __be32 sisn, __be32 disn, bool send); + int (*ao_calc_key_skb)(struct tcp_ao_key *mkt, + u8 *key, + const struct sk_buff *skb, + __be32 sisn, __be32 disn); #endif }; =20 @@ -2500,4 +2504,55 @@ static inline int tcp_parse_auth_options(const struc= t tcphdr *th, return 0; } =20 +/* Called with rcu_read_lock() */ +static inline enum skb_drop_reason +tcp_inbound_hash(struct sock *sk, const struct request_sock *req, + const struct sk_buff *skb, + const void *saddr, const void *daddr, + int family, int dif, int sdif) +{ + const struct tcphdr *th =3D tcp_hdr(skb); + const struct tcp_ao_hdr *aoh; + const __u8 *md5_location; + int l3index; + + /* Invalid option or two times meet any of auth options */ + if (tcp_parse_auth_options(th, &md5_location, &aoh)) + return SKB_DROP_REASON_TCP_AUTH_HDR; + + if (req) { + if (tcp_rsk_used_ao(req) !=3D !!aoh) + return SKB_DROP_REASON_TCP_AOFAILURE; + } + + /* sdif set, means packet ingressed via a device + * in an L3 domain and dif is set to the l3mdev + */ + l3index =3D sdif ? dif : 0; + + /* Fast path: unsigned segments */ + if (likely(!md5_location && !aoh)) { + /* Drop if there's TCP-MD5 or TCP-AO key with any rcvid/sndid + * for the remote peer. On TCP-AO established connection + * the last key is impossible to remove, so there's + * always at least one current_key. + */ +#ifdef CONFIG_TCP_AO + if (unlikely(tcp_ao_do_lookup(sk, saddr, family, -1, -1, 0))) + return SKB_DROP_REASON_TCP_AONOTFOUND; +#endif + if (unlikely(tcp_md5_do_lookup(sk, l3index, saddr, family))) { + NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPMD5NOTFOUND); + return SKB_DROP_REASON_TCP_MD5NOTFOUND; + } + return SKB_NOT_DROPPED_YET; + } + + if (aoh) + return tcp_inbound_ao_hash(sk, skb, family, req, aoh); + + return tcp_inbound_md5_hash(sk, skb, saddr, daddr, family, + l3index, md5_location); +} + #endif /* _TCP_H */ diff --git a/include/net/tcp_ao.h b/include/net/tcp_ao.h index cc3f6686d5c9..7cb802de49ba 100644 --- a/include/net/tcp_ao.h +++ b/include/net/tcp_ao.h @@ -112,6 +112,9 @@ struct tcp6_ao_context { __be32 disn; }; =20 +#define TCP_AO_ESTABLISHED (TCPF_ESTABLISHED|TCPF_FIN_WAIT1|TCPF_FIN_WAIT2= |\ + TCPF_CLOSE|TCPF_CLOSE_WAIT|TCPF_LAST_ACK|TCPF_CLOSING) + int tcp_ao_hash_skb(unsigned short int family, char *ao_hash, struct tcp_ao_key *key, const struct sock *sk, const struct sk_buff *skb, @@ -129,6 +132,10 @@ u32 tcp_ao_compute_sne(u32 sne, u32 seq, u32 new_seq); void tcp_ao_time_wait(struct tcp_timewait_sock *tcptw, struct tcp_sock *tp= ); int tcp_ao_cache_traffic_keys(const struct sock *sk, struct tcp_ao_info *a= o, struct tcp_ao_key *ao_key); +enum skb_drop_reason tcp_inbound_ao_hash(struct sock *sk, + const struct sk_buff *skb, unsigned short int family, + const struct request_sock *req, + const struct tcp_ao_hdr *aoh); struct tcp_ao_key *tcp_ao_do_lookup(const struct sock *sk, const union tcp_ao_addr *addr, int family, int sndid, int rcvid, u16 port); @@ -150,9 +157,14 @@ int tcp_v4_ao_calc_key_sk(struct tcp_ao_key *mkt, u8 *= key, __be32 sisn, __be32 disn, bool send); int tcp_v4_ao_calc_key_rsk(struct tcp_ao_key *mkt, u8 *key, struct request_sock *req); +int tcp_v4_ao_calc_key_skb(struct tcp_ao_key *mkt, u8 *key, + const struct sk_buff *skb, __be32 sisn, __be32 disn); struct tcp_ao_key *tcp_v4_ao_lookup_rsk(const struct sock *sk, struct request_sock *req, int sndid, int rcvid); +bool tcp_v4_inbound_ao_hash(struct sock *sk, + struct request_sock *req, + const struct sk_buff *skb); int tcp_v4_ao_hash_skb(char *ao_hash, struct tcp_ao_key *key, const struct sock *sk, const struct sk_buff *skb, const u8 *tkey, int hash_offset, u32 sne); @@ -160,6 +172,9 @@ int tcp_v4_ao_hash_skb(char *ao_hash, struct tcp_ao_key= *key, int tcp_v6_ao_hash_pseudoheader(struct crypto_pool_ahash *hp, const struct in6_addr *daddr, const struct in6_addr *saddr, int nbytes); +int tcp_v6_ao_calc_key_skb(struct tcp_ao_key *mkt, u8 *key, + const struct sk_buff *skb, __be32 sisn, + __be32 disn); int tcp_v6_ao_calc_key_sk(struct tcp_ao_key *mkt, u8 *key, const struct sock *sk, __be32 sisn, __be32 disn, bool send); @@ -187,6 +202,12 @@ void tcp_ao_connect_init(struct sock *sk); =20 #else /* CONFIG_TCP_AO */ =20 +static inline enum skb_drop_reason tcp_inbound_ao_hash(struct sock *sk, + const struct sk_buff *skb, unsigned short int family, + const struct request_sock *req, const struct tcp_ao_hdr *aoh) +{ + return SKB_NOT_DROPPED_YET; +} static inline struct tcp_ao_key *tcp_ao_do_lookup(const struct sock *sk, const union tcp_ao_addr *addr, int family, int sndid, int rcvid, u16 port) diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c index a5e94d8e8450..8df03d456ebb 100644 --- a/net/ipv4/tcp.c +++ b/net/ipv4/tcp.c @@ -4503,42 +4503,23 @@ EXPORT_SYMBOL(tcp_md5_hash_key); enum skb_drop_reason tcp_inbound_md5_hash(const struct sock *sk, const struct sk_buff *skb, const void *saddr, const void *daddr, - int family, int dif, int sdif) + int family, int l3index, const __u8 *hash_location) { - /* - * This gets called for each TCP segment that arrives - * so we want to be efficient. + /* This gets called for each TCP segment that has TCP-MD5 option. * We have 3 drop cases: * o No MD5 hash and one expected. * o MD5 hash and we're not expecting one. * o MD5 hash and its wrong. */ - const __u8 *hash_location =3D NULL; - struct tcp_md5sig_key *hash_expected; const struct tcphdr *th =3D tcp_hdr(skb); struct tcp_sock *tp =3D tcp_sk(sk); - int genhash, l3index; + struct tcp_md5sig_key *key; + int genhash; u8 newhash[16]; =20 - /* sdif set, means packet ingressed via a device - * in an L3 domain and dif is set to the l3mdev - */ - l3index =3D sdif ? dif : 0; - - hash_expected =3D tcp_md5_do_lookup(sk, l3index, saddr, family); - if (tcp_parse_auth_options(th, &hash_location, NULL)) - return true; - - /* We've parsed the options - do we have a hash? */ - if (!hash_expected && !hash_location) - return SKB_NOT_DROPPED_YET; - - if (hash_expected && !hash_location) { - NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPMD5NOTFOUND); - return SKB_DROP_REASON_TCP_MD5NOTFOUND; - } + key =3D tcp_md5_do_lookup(sk, l3index, saddr, family); =20 - if (!hash_expected && hash_location) { + if (!key && hash_location) { NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPMD5UNEXPECTED); return SKB_DROP_REASON_TCP_MD5UNEXPECTED; } @@ -4548,14 +4529,10 @@ tcp_inbound_md5_hash(const struct sock *sk, const s= truct sk_buff *skb, * IPv4-mapped case. */ if (family =3D=3D AF_INET) - genhash =3D tcp_v4_md5_hash_skb(newhash, - hash_expected, - NULL, skb); + genhash =3D tcp_v4_md5_hash_skb(newhash, key, NULL, skb); else - genhash =3D tp->af_specific->calc_md5_hash(newhash, - hash_expected, + genhash =3D tp->af_specific->calc_md5_hash(newhash, key, NULL, skb); - if (genhash || memcmp(hash_location, newhash, 16) !=3D 0) { NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPMD5FAILURE); if (family =3D=3D AF_INET) { diff --git a/net/ipv4/tcp_ao.c b/net/ipv4/tcp_ao.c index 78c24ade9a03..10cd6af3c45f 100644 --- a/net/ipv4/tcp_ao.c +++ b/net/ipv4/tcp_ao.c @@ -329,6 +329,17 @@ int tcp_v4_ao_calc_key_rsk(struct tcp_ao_key *mkt, u8 = *key, htonl(tcp_rsk(req)->rcv_isn)); } =20 +int tcp_v4_ao_calc_key_skb(struct tcp_ao_key *mkt, u8 *key, + const struct sk_buff *skb, __be32 sisn, + __be32 disn) +{ + const struct iphdr *iph =3D ip_hdr(skb); + const struct tcphdr *th =3D tcp_hdr(skb); + + return tcp_v4_ao_calc_key(mkt, key, iph->saddr, iph->daddr, + th->source, th->dest, sisn, disn); +} + static int tcp_v4_ao_hash_pseudoheader(struct crypto_pool_ahash *hp, __be32 daddr, __be32 saddr, int nbytes) @@ -618,6 +629,143 @@ struct tcp_ao_key *tcp_v4_ao_lookup(const struct sock= *sk, struct sock *addr_sk, return tcp_ao_do_lookup(sk, addr, AF_INET, sndid, rcvid, 0); } =20 +static struct tcp_ao_key *tcp_ao_inbound_lookup(unsigned short int family, + const struct sock *sk, const struct sk_buff *skb, + int sndid, int rcvid) +{ + if (family =3D=3D AF_INET) { + const struct iphdr *iph =3D ip_hdr(skb); + + return tcp_ao_do_lookup(sk, (union tcp_md5_addr *)&iph->saddr, + AF_INET, sndid, rcvid, 0); + } else { + const struct ipv6hdr *iph =3D ipv6_hdr(skb); + + return tcp_ao_do_lookup(sk, (union tcp_md5_addr *)&iph->saddr, + AF_INET6, sndid, rcvid, 0); + } +} + +static enum skb_drop_reason +tcp_ao_verify_hash(const struct sock *sk, const struct sk_buff *skb, + unsigned short int family, struct tcp_ao_info *info, + const struct tcp_ao_hdr *aoh, struct tcp_ao_key *key, + u8 *traffic_key, u8 *phash, u32 sne) +{ + unsigned char newhash[TCP_AO_MAX_HASH_SIZE] __tcp_ao_key_align; + u8 maclen =3D aoh->length - sizeof(struct tcp_ao_hdr); + const struct tcphdr *th =3D tcp_hdr(skb); + + if (maclen !=3D tcp_ao_maclen(key)) + return SKB_DROP_REASON_TCP_AOFAILURE; + + /* XXX: make it per-AF callback? */ + tcp_ao_hash_skb(family, newhash, key, sk, skb, traffic_key, + (phash - (u8 *)th), sne); + if (memcmp(phash, newhash, maclen)) + return SKB_DROP_REASON_TCP_AOFAILURE; + return SKB_NOT_DROPPED_YET; +} + +enum skb_drop_reason +tcp_inbound_ao_hash(struct sock *sk, const struct sk_buff *skb, + unsigned short int family, const struct request_sock *req, + const struct tcp_ao_hdr *aoh) +{ + const struct tcp_sock_af_ops *ops =3D tcp_sk(sk)->af_specific; + u8 key_buf[TCP_AO_MAX_HASH_SIZE] __tcp_ao_key_align; + const struct tcphdr *th =3D tcp_hdr(skb); + u8 *phash =3D (u8 *)(aoh + 1); /* hash goes just after the header */ + struct tcp_ao_info *info; + struct tcp_ao_key *key; + __be32 sisn, disn; + u8 *traffic_key; + u32 sne; + + info =3D rcu_dereference(tcp_sk(sk)->ao_info); + if (!info) + return SKB_DROP_REASON_TCP_AOUNEXPECTED; + + /* Fast-path */ + /* TODO: fix fastopen and simultaneous open (TCPF_SYN_RECV) */ + if (likely((1 << sk->sk_state) & (TCP_AO_ESTABLISHED | TCPF_SYN_RECV))) { + enum skb_drop_reason err; + + /* Check if this socket's rnext_key matches the keyid in the + * packet. If not we lookup the key based on the keyid + * matching the rcvid in the mkt. + */ + key =3D info->rnext_key; + if (key->rcvid !=3D aoh->keyid) { + key =3D tcp_ao_do_lookup_rcvid(sk, aoh->keyid); + if (!key) + goto key_not_found; + } + sne =3D tcp_ao_compute_sne(info->rcv_sne, info->rcv_sne_seq, + ntohl(th->seq)); + /* Established socket, traffic key are cached */ + traffic_key =3D rcv_other_key(key); + err =3D tcp_ao_verify_hash(sk, skb, family, info, aoh, key, + traffic_key, phash, sne); + if (err) + return err; + /* Key rotation: the peer asks us to use new key (RNext) */ + if (unlikely(aoh->rnext_keyid !=3D info->current_key->sndid)) { + /* If the key is not found we do nothing. */ + key =3D tcp_ao_do_lookup_sndid(sk, aoh->rnext_keyid); + if (key) + /* pairs with tcp_ao_del_cmd */ + WRITE_ONCE(info->current_key, key); + } + return SKB_NOT_DROPPED_YET; + } + + sne =3D 0; + /* Lookup key based on peer address and keyid. + * current_key and rnext_key must not be used on tcp listen + * sockets as otherwise: + * - request sockets would race on those key pointers + * - tcp_ao_del_cmd() allows async key removal + */ + key =3D tcp_ao_inbound_lookup(family, sk, skb, -1, aoh->keyid); + if (!key) + goto key_not_found; + + if (sk->sk_state =3D=3D TCP_LISTEN) { + /* Make the initial syn the likely case here */ + if (unlikely(req)) { + sne =3D tcp_ao_compute_sne(0, tcp_rsk(req)->rcv_isn, + ntohl(th->seq)); + sisn =3D htonl(tcp_rsk(req)->rcv_isn); + disn =3D htonl(tcp_rsk(req)->snt_isn); + } else { + sisn =3D th->seq; + disn =3D 0; + } + } else if (sk->sk_state =3D=3D TCP_SYN_SENT) { + disn =3D info->lisn; + if (th->syn) { + sisn =3D th->seq; + if (!th->ack) { + /* Simultaneous connect */ + disn =3D 0; + } + } else { + sisn =3D info->risn; + } + } else { + WARN_ONCE(1, "TCP-AO: Unknown sk_state %d", sk->sk_state); + return SKB_DROP_REASON_TCP_AOFAILURE; + } + traffic_key =3D key_buf; + ops->ao_calc_key_skb(key, traffic_key, skb, sisn, disn); + return tcp_ao_verify_hash(sk, skb, family, info, aoh, key, + traffic_key, phash, sne); + +key_not_found: + return SKB_DROP_REASON_TCP_AOKEYNOTFOUND; +} + int tcp_ao_cache_traffic_keys(const struct sock *sk, struct tcp_ao_info *a= o, struct tcp_ao_key *ao_key) { diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c index 02ab94461e86..a1e1a23abfea 100644 --- a/net/ipv4/tcp_ipv4.c +++ b/net/ipv4/tcp_ipv4.c @@ -2172,9 +2172,9 @@ int tcp_v4_rcv(struct sk_buff *skb) if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb)) drop_reason =3D SKB_DROP_REASON_XFRM_POLICY; else - drop_reason =3D tcp_inbound_md5_hash(sk, skb, - &iph->saddr, &iph->daddr, - AF_INET, dif, sdif); + drop_reason =3D tcp_inbound_hash(sk, req, skb, + &iph->saddr, &iph->daddr, + AF_INET, dif, sdif); if (unlikely(drop_reason)) { sk_drops_add(sk, skb); reqsk_put(req); @@ -2250,8 +2250,8 @@ int tcp_v4_rcv(struct sk_buff *skb) goto discard_and_relse; } =20 - drop_reason =3D tcp_inbound_md5_hash(sk, skb, &iph->saddr, - &iph->daddr, AF_INET, dif, sdif); + drop_reason =3D tcp_inbound_hash(sk, NULL, skb, &iph->saddr, &iph->daddr, + AF_INET, dif, sdif); if (drop_reason) goto discard_and_relse; =20 @@ -2410,6 +2410,7 @@ static const struct tcp_sock_af_ops tcp_sock_ipv4_spe= cific =3D { .calc_ao_hash =3D tcp_v4_ao_hash_skb, .ao_parse =3D tcp_v4_parse_ao, .ao_calc_key_sk =3D tcp_v4_ao_calc_key_sk, + .ao_calc_key_skb =3D tcp_v4_ao_calc_key_skb, #endif }; #endif diff --git a/net/ipv6/tcp_ao.c b/net/ipv6/tcp_ao.c index 526bbe232a64..f23c817166bb 100644 --- a/net/ipv6/tcp_ao.c +++ b/net/ipv6/tcp_ao.c @@ -39,6 +39,18 @@ int tcp_v6_ao_calc_key(struct tcp_ao_key *mkt, u8 *key, return tcp_ao_calc_traffic_key(mkt, key, &tmp, sizeof(tmp)); } =20 +int tcp_v6_ao_calc_key_skb(struct tcp_ao_key *mkt, u8 *key, + const struct sk_buff *skb, + __be32 sisn, __be32 disn) +{ + const struct ipv6hdr *iph =3D ipv6_hdr(skb); + const struct tcphdr *th =3D tcp_hdr(skb); + + return tcp_v6_ao_calc_key(mkt, key, &iph->saddr, + &iph->daddr, th->source, + th->dest, sisn, disn); +} + int tcp_v6_ao_calc_key_sk(struct tcp_ao_key *mkt, u8 *key, const struct sock *sk, __be32 sisn, __be32 disn, bool send) diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c index 16cea7de0851..8a27408549cd 100644 --- a/net/ipv6/tcp_ipv6.c +++ b/net/ipv6/tcp_ipv6.c @@ -1808,9 +1808,9 @@ INDIRECT_CALLABLE_SCOPE int tcp_v6_rcv(struct sk_buff= *skb) struct sock *nsk; =20 sk =3D req->rsk_listener; - drop_reason =3D tcp_inbound_md5_hash(sk, skb, - &hdr->saddr, &hdr->daddr, - AF_INET6, dif, sdif); + drop_reason =3D tcp_inbound_hash(sk, req, skb, + &hdr->saddr, &hdr->daddr, + AF_INET6, dif, sdif); if (drop_reason) { sk_drops_add(sk, skb); reqsk_put(req); @@ -1882,8 +1882,8 @@ INDIRECT_CALLABLE_SCOPE int tcp_v6_rcv(struct sk_buff= *skb) goto discard_and_relse; } =20 - drop_reason =3D tcp_inbound_md5_hash(sk, skb, &hdr->saddr, &hdr->daddr, - AF_INET6, dif, sdif); + drop_reason =3D tcp_inbound_hash(sk, NULL, skb, &hdr->saddr, &hdr->daddr, + AF_INET6, dif, sdif); if (drop_reason) goto discard_and_relse; =20 @@ -2075,6 +2075,7 @@ static const struct tcp_sock_af_ops tcp_sock_ipv6_spe= cific =3D { .calc_ao_hash =3D tcp_v6_ao_hash_skb, .ao_parse =3D tcp_v6_parse_ao, .ao_calc_key_sk =3D tcp_v6_ao_calc_key_sk, + .ao_calc_key_skb =3D tcp_v6_ao_calc_key_skb, #endif }; #endif --=20 2.37.2 From nobody Fri Apr 10 21:51:38 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 58D2FC00140 for ; Thu, 18 Aug 2022 17:03:37 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1345375AbiHRRDe (ORCPT ); Thu, 18 Aug 2022 13:03:34 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:32968 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1345446AbiHRRAv (ORCPT ); Thu, 18 Aug 2022 13:00:51 -0400 Received: from mail-wr1-x432.google.com (mail-wr1-x432.google.com [IPv6:2a00:1450:4864:20::432]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id F3C59BA9DB for ; Thu, 18 Aug 2022 10:00:40 -0700 (PDT) Received: by mail-wr1-x432.google.com with SMTP id r16so2424310wrm.6 for ; Thu, 18 Aug 2022 10:00:40 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=arista.com; s=google; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc; bh=Vl3yGL/PUaCIxre193KL2lb6Hcy5Glf78MX+zPmFUzs=; b=Ie4SYam5PwhmHTZToBLLVZBDuFDHvvr32ZMUj4Q2syjfZlxLvU3X8grU2uxi4H+7+X TuLsYtHOTvEFIor/cOf3rI7hXWWxs+XGfLsGan85GUfF/2fbFx3LkOPW7wx3t5KfjIWr HSzQcvNHW06PcQG/DbDlMXnsDa2JuL5kaEX69Hlzs4DDa/QJmJJsyn3wzyMSYUlzQ0Fm VEdegkikb2njM2vu57PTUvTyCKpRUYzOM/c9eZg0S8G97Lo3DUg7sP3NvYRVlNxlDynx F6yjl2byasM02fdi2FlNaiGejGGpBUlOs1N8LPbig5RRFq8CHQvyCR3MHERZ/IHMlOeI S2bQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc; bh=Vl3yGL/PUaCIxre193KL2lb6Hcy5Glf78MX+zPmFUzs=; b=GLwo/QgJPdng4S+YOCL2/RasSDrcx8TluvSgrb3aLusjQpeANxlTdLF5KhyAEbC5IF MDgRMaGgUckx+vP3MRxRxPGgpmnnhyrzAMLiuJ4wb0Mrl0ru2j/F065Kd8SZDN1iUldc 0Klqx0jNE8Eun2CY2oB/xk7w7NB7azxeGcUKHjKASIUlAj9T2sJyKOMhL4yfAPclx5Dx CaO19eMoawhKcwN3HeVNwmfi33mWAevc6XUQSj1Y/Xk4gef66Nj8fFdrSmpwuydpQ7AE r1iFIaPHvbOfQnExLjaAPrQetfrWsZkhqpjoH+1Ip4ikvbmNeit2ThpWVdxwmTLGcS/G FgZg== X-Gm-Message-State: ACgBeo2ktkVHasIHTFKqB4Psz16T8N2Lj27dHauChJ2FDjTW92aEnbCV kcicXOGd6WPVfsa6dm8gXdblUQ== X-Google-Smtp-Source: AA6agR6+5D0a9Xx14dQ7kPxF8PcZW9AFWmJ5SzJa/C+s7AY/zMXSCcX3So4yeHtKzO9g0xeou5lbzw== X-Received: by 2002:a05:6000:18a2:b0:221:7db8:de02 with SMTP id b2-20020a05600018a200b002217db8de02mr2162370wri.132.1660842040330; Thu, 18 Aug 2022 10:00:40 -0700 (PDT) Received: from Mindolluin.ire.aristanetworks.com ([217.173.96.166]) by smtp.gmail.com with ESMTPSA id be13-20020a05600c1e8d00b003a511e92abcsm2662169wmb.34.2022.08.18.10.00.38 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 18 Aug 2022 10:00:39 -0700 (PDT) From: Dmitry Safonov To: Eric Dumazet , "David S. Miller" , linux-kernel@vger.kernel.org Cc: Dmitry Safonov , Andy Lutomirski , Ard Biesheuvel , Bob Gilligan , David Ahern , Dmitry Safonov <0x7f454c46@gmail.com>, Eric Biggers , Francesco Ruggeri , Herbert Xu , Hideaki YOSHIFUJI , Ivan Delalande , Jakub Kicinski , Leonard Crestez , Paolo Abeni , Salam Noureddine , Shuah Khan , netdev@vger.kernel.org, linux-crypto@vger.kernel.org Subject: [PATCH 18/31] net/tcp: Add TCP-AO segments counters Date: Thu, 18 Aug 2022 17:59:52 +0100 Message-Id: <20220818170005.747015-19-dima@arista.com> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220818170005.747015-1-dima@arista.com> References: <20220818170005.747015-1-dima@arista.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" Introduce segment counters that are useful for troubleshooting/debugging as well as for writing tests. Now there are global snmp counters as well as per-socket and per-key. Co-developed-by: Francesco Ruggeri Signed-off-by: Francesco Ruggeri Co-developed-by: Salam Noureddine Signed-off-by: Salam Noureddine Signed-off-by: Dmitry Safonov --- include/net/dropreason.h | 15 +++++++++++---- include/net/tcp.h | 9 ++++++++- include/net/tcp_ao.h | 10 ++++++++++ include/uapi/linux/snmp.h | 4 ++++ net/ipv4/proc.c | 4 ++++ net/ipv4/tcp_ao.c | 25 ++++++++++++++++++++++--- 6 files changed, 59 insertions(+), 8 deletions(-) diff --git a/include/net/dropreason.h b/include/net/dropreason.h index b4906323b9a7..dd90cca282eb 100644 --- a/include/net/dropreason.h +++ b/include/net/dropreason.h @@ -81,17 +81,24 @@ enum skb_drop_reason { */ SKB_DROP_REASON_TCP_MD5FAILURE, /** - * @SKB_DROP_REASON_TCP_AONOTFOUND: no TCP-AO hash and one was expected + * @SKB_DROP_REASON_TCP_AONOTFOUND: no TCP-AO hash and one was expected, + * corresponding to LINUX_MIB_TCPAOREQUIRED */ SKB_DROP_REASON_TCP_AONOTFOUND, /** * @SKB_DROP_REASON_TCP_AOUNEXPECTED: TCP-AO hash is present and it - * was not expected. + * was not expected, corresponding to LINUX_MIB_TCPAOKEYNOTFOUND */ SKB_DROP_REASON_TCP_AOUNEXPECTED, - /** @SKB_DROP_REASON_TCP_AOKEYNOTFOUND: TCP-AO key is unknown */ + /** + * @SKB_DROP_REASON_TCP_AOKEYNOTFOUND: TCP-AO key is unknown, + * corresponding to LINUX_MIB_TCPAOKEYNOTFOUND + */ SKB_DROP_REASON_TCP_AOKEYNOTFOUND, - /** @SKB_DROP_REASON_TCP_AOFAILURE: TCP-AO hash is wrong */ + /** + * @SKB_DROP_REASON_TCP_AOFAILURE: TCP-AO hash is wrong, + * corresponding to LINUX_MIB_TCPAOBAD + */ SKB_DROP_REASON_TCP_AOFAILURE, /** * @SKB_DROP_REASON_SOCKET_BACKLOG: failed to add skb to socket backlog ( diff --git a/include/net/tcp.h b/include/net/tcp.h index 2e75c542e7ed..94573219f58d 100644 --- a/include/net/tcp.h +++ b/include/net/tcp.h @@ -2538,8 +2538,15 @@ tcp_inbound_hash(struct sock *sk, const struct reque= st_sock *req, * always at least one current_key. */ #ifdef CONFIG_TCP_AO - if (unlikely(tcp_ao_do_lookup(sk, saddr, family, -1, -1, 0))) + if (unlikely(tcp_ao_do_lookup(sk, saddr, family, -1, -1, 0))) { + struct tcp_ao_info *ao_info; + + ao_info =3D rcu_dereference_check(tcp_sk(sk)->ao_info, + lockdep_sock_is_held(sk)); + NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPAOREQUIRED); + atomic64_inc(&ao_info->counters.ao_required); return SKB_DROP_REASON_TCP_AONOTFOUND; + } #endif if (unlikely(tcp_md5_do_lookup(sk, l3index, saddr, family))) { NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPMD5NOTFOUND); diff --git a/include/net/tcp_ao.h b/include/net/tcp_ao.h index 7cb802de49ba..dbeaa7d4e212 100644 --- a/include/net/tcp_ao.h +++ b/include/net/tcp_ao.h @@ -20,6 +20,13 @@ struct tcp_ao_hdr { u8 rnext_keyid; }; =20 +struct tcp_ao_counters { + atomic64_t pkt_good; + atomic64_t pkt_bad; + atomic64_t key_not_found; + atomic64_t ao_required; +}; + struct tcp_ao_key { struct hlist_node node; union tcp_ao_addr addr; @@ -35,6 +42,8 @@ struct tcp_ao_key { u8 maclen; u8 digest_size; struct rcu_head rcu; + atomic64_t pkt_good; + atomic64_t pkt_bad; u8 traffic_keys[]; }; =20 @@ -78,6 +87,7 @@ struct tcp_ao_info { */ struct tcp_ao_key *volatile current_key; struct tcp_ao_key *rnext_key; + struct tcp_ao_counters counters; u8 ao_flags; __be32 lisn; __be32 risn; diff --git a/include/uapi/linux/snmp.h b/include/uapi/linux/snmp.h index 4d7470036a8b..f09119db8b40 100644 --- a/include/uapi/linux/snmp.h +++ b/include/uapi/linux/snmp.h @@ -292,6 +292,10 @@ enum LINUX_MIB_TCPDSACKIGNOREDDUBIOUS, /* TCPDSACKIgnoredDubious */ LINUX_MIB_TCPMIGRATEREQSUCCESS, /* TCPMigrateReqSuccess */ LINUX_MIB_TCPMIGRATEREQFAILURE, /* TCPMigrateReqFailure */ + LINUX_MIB_TCPAOREQUIRED, /* TCPAORequired */ + LINUX_MIB_TCPAOBAD, /* TCPAOBad */ + LINUX_MIB_TCPAOKEYNOTFOUND, /* TCPAOKeyNotFound */ + LINUX_MIB_TCPAOGOOD, /* TCPAOGood */ __LINUX_MIB_MAX }; =20 diff --git a/net/ipv4/proc.c b/net/ipv4/proc.c index 0088a4c64d77..1b5a078adcf1 100644 --- a/net/ipv4/proc.c +++ b/net/ipv4/proc.c @@ -297,6 +297,10 @@ static const struct snmp_mib snmp4_net_list[] =3D { SNMP_MIB_ITEM("TCPDSACKIgnoredDubious", LINUX_MIB_TCPDSACKIGNOREDDUBIOUS), SNMP_MIB_ITEM("TCPMigrateReqSuccess", LINUX_MIB_TCPMIGRATEREQSUCCESS), SNMP_MIB_ITEM("TCPMigrateReqFailure", LINUX_MIB_TCPMIGRATEREQFAILURE), + SNMP_MIB_ITEM("TCPAORequired", LINUX_MIB_TCPAOREQUIRED), + SNMP_MIB_ITEM("TCPAOBad", LINUX_MIB_TCPAOBAD), + SNMP_MIB_ITEM("TCPAOKeyNotFound", LINUX_MIB_TCPAOKEYNOTFOUND), + SNMP_MIB_ITEM("TCPAOGood", LINUX_MIB_TCPAOGOOD), SNMP_MIB_SENTINEL }; =20 diff --git a/net/ipv4/tcp_ao.c b/net/ipv4/tcp_ao.c index 10cd6af3c45f..3a33733a714d 100644 --- a/net/ipv4/tcp_ao.c +++ b/net/ipv4/tcp_ao.c @@ -216,6 +216,8 @@ struct tcp_ao_key *tcp_ao_copy_key(struct sock *sk, str= uct tcp_ao_key *key) *new_key =3D *key; INIT_HLIST_NODE(&new_key->node); crypto_pool_add(new_key->crypto_pool_id); + atomic64_set(&new_key->pkt_good, 0); + atomic64_set(&new_key->pkt_bad, 0); =20 return new_key; } @@ -656,14 +658,25 @@ tcp_ao_verify_hash(const struct sock *sk, const struc= t sk_buff *skb, u8 maclen =3D aoh->length - sizeof(struct tcp_ao_hdr); const struct tcphdr *th =3D tcp_hdr(skb); =20 - if (maclen !=3D tcp_ao_maclen(key)) + if (maclen !=3D tcp_ao_maclen(key)) { + NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPAOBAD); + atomic64_inc(&info->counters.pkt_bad); + atomic64_inc(&key->pkt_bad); return SKB_DROP_REASON_TCP_AOFAILURE; + } =20 /* XXX: make it per-AF callback? */ tcp_ao_hash_skb(family, newhash, key, sk, skb, traffic_key, (phash - (u8 *)th), sne); - if (memcmp(phash, newhash, maclen)) + if (memcmp(phash, newhash, maclen)) { + NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPAOBAD); + atomic64_inc(&info->counters.pkt_bad); + atomic64_inc(&key->pkt_bad); return SKB_DROP_REASON_TCP_AOFAILURE; + } + NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPAOGOOD); + atomic64_inc(&info->counters.pkt_good); + atomic64_inc(&key->pkt_good); return SKB_NOT_DROPPED_YET; } =20 @@ -683,8 +696,10 @@ tcp_inbound_ao_hash(struct sock *sk, const struct sk_b= uff *skb, u32 sne; =20 info =3D rcu_dereference(tcp_sk(sk)->ao_info); - if (!info) + if (!info) { + NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPAOKEYNOTFOUND); return SKB_DROP_REASON_TCP_AOUNEXPECTED; + } =20 /* Fast-path */ /* TODO: fix fastopen and simultaneous open (TCPF_SYN_RECV) */ @@ -763,6 +778,8 @@ tcp_inbound_ao_hash(struct sock *sk, const struct sk_bu= ff *skb, traffic_key, phash, sne); =20 key_not_found: + NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPAOKEYNOTFOUND); + atomic64_inc(&info->counters.key_not_found); return SKB_DROP_REASON_TCP_AOKEYNOTFOUND; } =20 @@ -1416,6 +1433,8 @@ static int tcp_ao_add_cmd(struct sock *sk, unsigned s= hort int family, key->keyflags =3D cmd.tcpa_keyflags; key->sndid =3D cmd.tcpa_sndid; key->rcvid =3D cmd.tcpa_rcvid; + atomic64_set(&key->pkt_good, 0); + atomic64_set(&key->pkt_bad, 0); =20 ret =3D tcp_ao_parse_crypto(&cmd, key); if (ret < 0) --=20 2.37.2 From nobody Fri Apr 10 21:51:38 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9D65AC32772 for ; Thu, 18 Aug 2022 17:03:31 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1345457AbiHRRD2 (ORCPT ); Thu, 18 Aug 2022 13:03:28 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35266 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1345448AbiHRRAw (ORCPT ); Thu, 18 Aug 2022 13:00:52 -0400 Received: from mail-wr1-x433.google.com (mail-wr1-x433.google.com [IPv6:2a00:1450:4864:20::433]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 29501C9E8F for ; Thu, 18 Aug 2022 10:00:42 -0700 (PDT) Received: by mail-wr1-x433.google.com with SMTP id j7so2437224wrh.3 for ; Thu, 18 Aug 2022 10:00:42 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=arista.com; s=google; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc; bh=GNv1RskNujyBLlEJZ/l2OkjVUhos86+Endv5PP7heCA=; b=V7B4qDLspyMNioIqNcce76DZkwGXmeAqHLvPpeYHyMY38Eh4dEcY9CZY/1z6evNTv0 qDwdpqtzTWDUE2EDNhapkcvgGam8pPGLbhJyIFY4jfztmWhbkiyhMSFtvo9+ajAi2GwB 4ihpXweGFVY8TrkPwzQ4XHzXnhLmqsxuHIyILH15ufQE/vgUUeKvS0T7LYfY3VrndZcY CvVi8H/f5shpwSA8sqA8JYBEF8QA/j2VNWLISQ+9C6sJmkuwj2QJdcymOyWOrSfHeFhn HHISisxYUfg3cVl7di5oXw4XANtL+W0Eb47RYd3ZUkOU9gUUc4BFIAYgJzFmAGKQM+2R uUBg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc; bh=GNv1RskNujyBLlEJZ/l2OkjVUhos86+Endv5PP7heCA=; b=Lw+kzRS0XUuKpZ0fCI3FwBTjgPIHetkgdIaykmhD9ievdw0jPBUgNSGk3+Y5YbgBQu no975KlJNOomJjkNUfnACS2AGO02AqfkmG1D0p7FjxCJcnn/Bzx0dX5/DMg9wD1u7BF/ uAbwYLBs5bEqsGQcRQIKSCZwYkg53v4oALe3fIx1V5yssxvjdliim55RSyzlVUREGe3j kKhT/6FhB7zl5rx+Vjbruwpt6HJPJqUnselrXLIWW6TNjjyzdtuInJ/e1H4qnbuG4S4E qjEdBs+yRIlyCPtk6A55L0u/iuS4/DShgy/nLIhQDalTJFKF8+pJY7kxKq30Yd9zdigU KOiA== X-Gm-Message-State: ACgBeo3eOfMlxLKUk0iT1D5JyshRUf+mqcFeGcBBUWTg/tUyOhooV42d BUu6O+d92Fmfw8ehpD6jMvuOXw== X-Google-Smtp-Source: AA6agR7hcC47yzehMcstwrPMELLbYsiLv869zPn2gYRwkgFethD1Vgf6vR5HtCO7Fyr4cGpETlVFOg== X-Received: by 2002:a05:6000:1f1d:b0:221:6c4c:4995 with SMTP id bv29-20020a0560001f1d00b002216c4c4995mr2209810wrb.675.1660842041703; Thu, 18 Aug 2022 10:00:41 -0700 (PDT) Received: from Mindolluin.ire.aristanetworks.com ([217.173.96.166]) by smtp.gmail.com with ESMTPSA id be13-20020a05600c1e8d00b003a511e92abcsm2662169wmb.34.2022.08.18.10.00.40 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 18 Aug 2022 10:00:41 -0700 (PDT) From: Dmitry Safonov To: Eric Dumazet , "David S. Miller" , linux-kernel@vger.kernel.org Cc: Dmitry Safonov , Andy Lutomirski , Ard Biesheuvel , Bob Gilligan , David Ahern , Dmitry Safonov <0x7f454c46@gmail.com>, Eric Biggers , Francesco Ruggeri , Herbert Xu , Hideaki YOSHIFUJI , Ivan Delalande , Jakub Kicinski , Leonard Crestez , Paolo Abeni , Salam Noureddine , Shuah Khan , netdev@vger.kernel.org, linux-crypto@vger.kernel.org Subject: [PATCH 19/31] net/tcp: Add TCP-AO SNE support Date: Thu, 18 Aug 2022 17:59:53 +0100 Message-Id: <20220818170005.747015-20-dima@arista.com> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220818170005.747015-1-dima@arista.com> References: <20220818170005.747015-1-dima@arista.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" Add Sequence Number Extension (SNE) extension for TCP-AO. This is needed to protect long-living TCP-AO connections from replaying attacks after sequence number roll-over, see RFC5925 (6.2). Co-developed-by: Francesco Ruggeri Signed-off-by: Francesco Ruggeri Co-developed-by: Salam Noureddine Signed-off-by: Salam Noureddine Signed-off-by: Dmitry Safonov --- net/ipv4/tcp_input.c | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c index b8175ded8a70..8d326994d1a1 100644 --- a/net/ipv4/tcp_input.c +++ b/net/ipv4/tcp_input.c @@ -3516,9 +3516,21 @@ static inline bool tcp_may_update_window(const struc= t tcp_sock *tp, static void tcp_snd_una_update(struct tcp_sock *tp, u32 ack) { u32 delta =3D ack - tp->snd_una; +#ifdef CONFIG_TCP_AO + struct tcp_ao_info *ao; +#endif =20 sock_owned_by_me((struct sock *)tp); tp->bytes_acked +=3D delta; +#ifdef CONFIG_TCP_AO + ao =3D rcu_dereference_protected(tp->ao_info, + lockdep_sock_is_held((struct sock *)tp)); + if (ao) { + if (ack < ao->snd_sne_seq) + ao->snd_sne++; + ao->snd_sne_seq =3D ack; + } +#endif tp->snd_una =3D ack; } =20 @@ -3526,9 +3538,21 @@ static void tcp_snd_una_update(struct tcp_sock *tp, = u32 ack) static void tcp_rcv_nxt_update(struct tcp_sock *tp, u32 seq) { u32 delta =3D seq - tp->rcv_nxt; +#ifdef CONFIG_TCP_AO + struct tcp_ao_info *ao; +#endif =20 sock_owned_by_me((struct sock *)tp); tp->bytes_received +=3D delta; +#ifdef CONFIG_TCP_AO + ao =3D rcu_dereference_protected(tp->ao_info, + lockdep_sock_is_held((struct sock *)tp)); + if (ao) { + if (seq < ao->rcv_sne_seq) + ao->rcv_sne++; + ao->rcv_sne_seq =3D seq; + } +#endif WRITE_ONCE(tp->rcv_nxt, seq); } =20 @@ -6344,6 +6368,17 @@ static int tcp_rcv_synsent_state_process(struct sock= *sk, struct sk_buff *skb, * simultaneous connect with crossed SYNs. * Particularly, it can be connect to self. */ +#ifdef CONFIG_TCP_AO + struct tcp_ao_info *ao; + + ao =3D rcu_dereference_protected(tp->ao_info, + lockdep_sock_is_held(sk)); + if (ao) { + ao->risn =3D th->seq; + ao->rcv_sne =3D 0; + ao->rcv_sne_seq =3D ntohl(th->seq); + } +#endif tcp_set_state(sk, TCP_SYN_RECV); =20 if (tp->rx_opt.saw_tstamp) { --=20 2.37.2 From nobody Fri Apr 10 21:51:38 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8A0BCC00140 for ; Thu, 18 Aug 2022 17:04:27 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1345372AbiHRREZ (ORCPT ); Thu, 18 Aug 2022 13:04:25 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34738 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1345195AbiHRRAx (ORCPT ); Thu, 18 Aug 2022 13:00:53 -0400 Received: from mail-wr1-x42f.google.com (mail-wr1-x42f.google.com [IPv6:2a00:1450:4864:20::42f]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 902E7C9E9C for ; Thu, 18 Aug 2022 10:00:43 -0700 (PDT) Received: by mail-wr1-x42f.google.com with SMTP id z16so2409459wrh.12 for ; Thu, 18 Aug 2022 10:00:43 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=arista.com; s=google; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc; bh=eLy87IRVh4b6Em0nmlrAVYIKhrkSltNj2ViSGS4UTfA=; b=XeSwAr9n/Pw5Fm5O7zSRaI6sLWfJJvFQzX9m5oz3ag1QJcf6ZYTV2ZvwG+utKZUWiH 0Ip4YOxZs6/cR6joQTCf4XbSlbnIdDIr0lyYowO6/cQLJVSzjKw8351B6vQFRELXcT6j 0Ln3/LwasJ/0jH96ZTUWY3vyu2LfwmREYmS+v++7BHaC2m3EtWRnX10RFm7KfP+sFuBS O1bbaAlfSJWb02jRZvhXPAwdYGrmVYCNyW8sEeSbXvte9cUsFepUsfRrMUsDQb55C4SY sCHmBpoHgKuQ699QNzWfZfspdizqugGaxKA9sBPOZEv2QTEvkr0VBRqLcIerGSTIOpYD Zi6A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc; bh=eLy87IRVh4b6Em0nmlrAVYIKhrkSltNj2ViSGS4UTfA=; b=3QvqxZt9Q4r/oWR+iCNGe9sdx1yxQXntDhu1fT0s2OjEn2zY7l2OhvK3MDWLeRVJuY 6dlXT0Z3h2qq8E63nE+n4ca8v7rGfgDkRHuI+dXdQnJBu1zwf6zB/2T2NQYvx57ZkE2t aFdfIlTnIakruheUfLlMPW1HmGMq1WmrAueIkE40g+WjQn8JxXSbHqOPjKuCsckrc63X ERG4hMWmgGhxPkUTEddQclwbA8Sq774+xLWi+s40fTTp382CSUeeRU8grfYfL2MAuFAb uelnSiVzcIfHooIvg+oMbb5Hx/ZaQET/L8njN4L0VDHLXCe6Vo+jyX83TwYe1gCdMa+z +00w== X-Gm-Message-State: ACgBeo2FB37KOHjiZjtuFwQb8Jv+6MbrCy+ZXjrh9QLMK7PY5bnfK9r4 YwE76EEgLtlOhecVNnvadMMO3w== X-Google-Smtp-Source: AA6agR4X1BygOh0f0Cqxna994IJRWQXJvGsePjkD+zeM92ZTlISux/tL5Ag/OSRUJQSYUVA6AzNqpQ== X-Received: by 2002:a05:6000:1704:b0:220:69a7:ec2b with SMTP id n4-20020a056000170400b0022069a7ec2bmr2234469wrc.436.1660842043096; Thu, 18 Aug 2022 10:00:43 -0700 (PDT) Received: from Mindolluin.ire.aristanetworks.com ([217.173.96.166]) by smtp.gmail.com with ESMTPSA id be13-20020a05600c1e8d00b003a511e92abcsm2662169wmb.34.2022.08.18.10.00.41 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 18 Aug 2022 10:00:42 -0700 (PDT) From: Dmitry Safonov To: Eric Dumazet , "David S. Miller" , linux-kernel@vger.kernel.org Cc: Dmitry Safonov , Andy Lutomirski , Ard Biesheuvel , Bob Gilligan , David Ahern , Dmitry Safonov <0x7f454c46@gmail.com>, Eric Biggers , Francesco Ruggeri , Herbert Xu , Hideaki YOSHIFUJI , Ivan Delalande , Jakub Kicinski , Leonard Crestez , Paolo Abeni , Salam Noureddine , Shuah Khan , netdev@vger.kernel.org, linux-crypto@vger.kernel.org Subject: [PATCH 20/31] net/tcp: Add tcp_hash_fail() ratelimited logs Date: Thu, 18 Aug 2022 17:59:54 +0100 Message-Id: <20220818170005.747015-21-dima@arista.com> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220818170005.747015-1-dima@arista.com> References: <20220818170005.747015-1-dima@arista.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" Add a helper for logging connection-detailed messages for failed TCP hash verification (both MD5 and AO). Co-developed-by: Francesco Ruggeri Signed-off-by: Francesco Ruggeri Co-developed-by: Salam Noureddine Signed-off-by: Salam Noureddine Signed-off-by: Dmitry Safonov --- include/net/tcp.h | 14 ++++++++++++-- include/net/tcp_ao.h | 27 +++++++++++++++++++++++++++ net/ipv4/tcp.c | 23 +++++++++++++---------- net/ipv4/tcp_ao.c | 7 +++++++ 4 files changed, 59 insertions(+), 12 deletions(-) diff --git a/include/net/tcp.h b/include/net/tcp.h index 94573219f58d..896db7ba0670 100644 --- a/include/net/tcp.h +++ b/include/net/tcp.h @@ -2517,12 +2517,19 @@ tcp_inbound_hash(struct sock *sk, const struct requ= est_sock *req, int l3index; =20 /* Invalid option or two times meet any of auth options */ - if (tcp_parse_auth_options(th, &md5_location, &aoh)) + if (tcp_parse_auth_options(th, &md5_location, &aoh)) { + tcp_hash_fail("TCP segment has incorrect auth options set", + family, skb, ""); return SKB_DROP_REASON_TCP_AUTH_HDR; + } =20 if (req) { - if (tcp_rsk_used_ao(req) !=3D !!aoh) + if (tcp_rsk_used_ao(req) !=3D !!aoh) { + tcp_hash_fail("TCP connection can't start/end using TCP-AO", + family, skb, " %s", + !aoh ? "missing AO" : "AO signed"); return SKB_DROP_REASON_TCP_AOFAILURE; + } } =20 /* sdif set, means packet ingressed via a device @@ -2545,11 +2552,14 @@ tcp_inbound_hash(struct sock *sk, const struct requ= est_sock *req, lockdep_sock_is_held(sk)); NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPAOREQUIRED); atomic64_inc(&ao_info->counters.ao_required); + tcp_hash_fail("AO hash is required, but not found", + family, skb, ""); return SKB_DROP_REASON_TCP_AONOTFOUND; } #endif if (unlikely(tcp_md5_do_lookup(sk, l3index, saddr, family))) { NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPMD5NOTFOUND); + tcp_hash_fail("MD5 Hash not found", family, skb, ""); return SKB_DROP_REASON_TCP_MD5NOTFOUND; } return SKB_NOT_DROPPED_YET; diff --git a/include/net/tcp_ao.h b/include/net/tcp_ao.h index dbeaa7d4e212..e99c8f300a5a 100644 --- a/include/net/tcp_ao.h +++ b/include/net/tcp_ao.h @@ -101,6 +101,33 @@ struct tcp_ao_info { int tcp_do_parse_auth_options(const struct tcphdr *th, const u8 **md5_hash, const u8 **ao_hash); =20 +#define tcp_hash_fail(msg, family, skb, fmt, ...) \ +do { \ + const struct tcphdr *th =3D tcp_hdr(skb); \ + char hdr_flags[5] =3D {}; \ + char *f =3D hdr_flags; \ + \ + if (th->fin) \ + *f++ =3D 'F'; \ + if (th->syn) \ + *f++ =3D 'S'; \ + if (th->rst) \ + *f++ =3D 'R'; \ + if (th->ack) \ + *f =3D 'A'; \ + if (family =3D=3D AF_INET) { \ + net_info_ratelimited("%s for (%pI4, %d)->(%pI4, %d) %s" fmt "\n", \ + msg, &ip_hdr(skb)->saddr, ntohs(th->source), \ + &ip_hdr(skb)->daddr, ntohs(th->dest), \ + hdr_flags, ##__VA_ARGS__); \ + } else { \ + net_info_ratelimited("%s for [%pI6c]:%u->[%pI6c]:%u %s" fmt "\n", \ + msg, &ipv6_hdr(skb)->saddr, ntohs(th->source), \ + &ipv6_hdr(skb)->daddr, ntohs(th->dest), \ + hdr_flags, ##__VA_ARGS__); \ + } \ +} while (0) + #ifdef CONFIG_TCP_AO /* TCP-AO structures and functions */ =20 diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c index 8df03d456ebb..3ef9d69fa561 100644 --- a/net/ipv4/tcp.c +++ b/net/ipv4/tcp.c @@ -4511,7 +4511,6 @@ tcp_inbound_md5_hash(const struct sock *sk, const str= uct sk_buff *skb, * o MD5 hash and we're not expecting one. * o MD5 hash and its wrong. */ - const struct tcphdr *th =3D tcp_hdr(skb); struct tcp_sock *tp =3D tcp_sk(sk); struct tcp_md5sig_key *key; int genhash; @@ -4521,6 +4520,7 @@ tcp_inbound_md5_hash(const struct sock *sk, const str= uct sk_buff *skb, =20 if (!key && hash_location) { NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPMD5UNEXPECTED); + tcp_hash_fail("Unexpected MD5 Hash found", family, skb, ""); return SKB_DROP_REASON_TCP_MD5UNEXPECTED; } =20 @@ -4536,16 +4536,19 @@ tcp_inbound_md5_hash(const struct sock *sk, const s= truct sk_buff *skb, if (genhash || memcmp(hash_location, newhash, 16) !=3D 0) { NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPMD5FAILURE); if (family =3D=3D AF_INET) { - net_info_ratelimited("MD5 Hash failed for (%pI4, %d)->(%pI4, %d)%s L3 i= ndex %d\n", - saddr, ntohs(th->source), - daddr, ntohs(th->dest), - genhash ? " tcp_v4_calc_md5_hash failed" - : "", l3index); + tcp_hash_fail("MD5 Hash failed", AF_INET, skb, "%s L3 index %d", + genhash ? " tcp_v4_calc_md5_hash failed" + : "", l3index); } else { - net_info_ratelimited("MD5 Hash %s for [%pI6c]:%u->[%pI6c]:%u L3 index %= d\n", - genhash ? "failed" : "mismatch", - saddr, ntohs(th->source), - daddr, ntohs(th->dest), l3index); + if (genhash) { + tcp_hash_fail("MD5 Hash failed", + AF_INET6, skb, " L3 index %d", + l3index); + } else { + tcp_hash_fail("MD5 Hash mismatch", + AF_INET6, skb, " L3 index %d", + l3index); + } } return SKB_DROP_REASON_TCP_MD5FAILURE; } diff --git a/net/ipv4/tcp_ao.c b/net/ipv4/tcp_ao.c index 3a33733a714d..4283e0193e2a 100644 --- a/net/ipv4/tcp_ao.c +++ b/net/ipv4/tcp_ao.c @@ -662,6 +662,8 @@ tcp_ao_verify_hash(const struct sock *sk, const struct = sk_buff *skb, NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPAOBAD); atomic64_inc(&info->counters.pkt_bad); atomic64_inc(&key->pkt_bad); + tcp_hash_fail("AO hash wrong length", family, skb, + " %u !=3D %d", maclen, tcp_ao_maclen(key)); return SKB_DROP_REASON_TCP_AOFAILURE; } =20 @@ -672,6 +674,7 @@ tcp_ao_verify_hash(const struct sock *sk, const struct = sk_buff *skb, NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPAOBAD); atomic64_inc(&info->counters.pkt_bad); atomic64_inc(&key->pkt_bad); + tcp_hash_fail("AO hash mismatch", family, skb, ""); return SKB_DROP_REASON_TCP_AOFAILURE; } NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPAOGOOD); @@ -698,6 +701,8 @@ tcp_inbound_ao_hash(struct sock *sk, const struct sk_bu= ff *skb, info =3D rcu_dereference(tcp_sk(sk)->ao_info); if (!info) { NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPAOKEYNOTFOUND); + tcp_hash_fail("AO key not found", family, skb, + " keyid: %u", aoh->keyid); return SKB_DROP_REASON_TCP_AOUNEXPECTED; } =20 @@ -780,6 +785,8 @@ tcp_inbound_ao_hash(struct sock *sk, const struct sk_bu= ff *skb, key_not_found: NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPAOKEYNOTFOUND); atomic64_inc(&info->counters.key_not_found); + tcp_hash_fail("Requested by the peer AO key id not found", + family, skb, ""); return SKB_DROP_REASON_TCP_AOKEYNOTFOUND; } =20 --=20 2.37.2 From nobody Fri Apr 10 21:51:38 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 83A5CC00140 for ; Thu, 18 Aug 2022 17:04:18 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1345485AbiHRRER (ORCPT ); Thu, 18 Aug 2022 13:04:17 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60320 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1345203AbiHRRAy (ORCPT ); Thu, 18 Aug 2022 13:00:54 -0400 Received: from mail-wr1-x42b.google.com (mail-wr1-x42b.google.com [IPv6:2a00:1450:4864:20::42b]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 10096C9EBA for ; Thu, 18 Aug 2022 10:00:45 -0700 (PDT) Received: by mail-wr1-x42b.google.com with SMTP id bs25so2436816wrb.2 for ; Thu, 18 Aug 2022 10:00:44 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=arista.com; s=google; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc; bh=3hTVNlZO4jE6tEhsq0GejCEG2lc+5LPQ2bOFsoDFWyg=; b=kip3Q2jf2oIznTac2Yf76SyTOV49baVrjWDBMftNRWsFj7pMsBsGbrwJlbmdSap8+V qMwY9EDQ8FMU4ls9KthKfw0Hg0Dkz5PW/SzjdYDyoyTuxyl/X4t3dBzoCeoFbss0R07e vTKBWMqgEdoeD1of6zw8HxIUv8wGFkuJgCOqhie5VHvyp+Ki9RwW9KW11tqpnfnebr/B FjPBd2k27B8a00SfhrxH7r5mg/BFSrOvHSQATfOf4ZST2p6HZAvKoFpEw71ynHIoPYMO w+9p7Bl2CKQeAgYjw0yTZIbSST8arbFk5aXmNhmIG0mFxWETwirwForUt00ChM27cq3M YUyA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc; bh=3hTVNlZO4jE6tEhsq0GejCEG2lc+5LPQ2bOFsoDFWyg=; b=oHxSheLoP2NHf1epQkrZR8LyRblzXiJnZo+e6dFwB99DjY0neZN0AfCnjcMQHJzLwN MEVPT/djCFDx/VlXS5+AAOujCyzXW0yvikZIuVWNEvOqoXEqcuqELHPxJSVaXXYrlCDK 4FsXMtB/7DfnezxHQ1ejKQ4qYxJCxcYZhABJML74QoKMDwOiYzaI1TRCtipa9nPjQb51 B+ThbfoQwrnVfRWNCzbBHRP3MaXbJxIo3bcIpxc8D31zmUQAwjL2fxZZE5N+B8PbPew8 e8lHOSxfEqpcENywwdA/pZ6y9vPB3QmjwnZMnIoQHlcU63Zn+kXbIQf0dZR+sG2F171a 2JDg== X-Gm-Message-State: ACgBeo2XoHXuIARTY+1TcKPq2JYc5alnAP1cxxVwqy5kfvSAcbxN+NFc 3ND9/zbBWdmLIdMNHHkRC4jesA== X-Google-Smtp-Source: AA6agR7x3kNAyhJy7k6y5jahsTZurXrj9bcTnnSWcZXXwTswCwIwFXAgkLG4/om7CJtQEvr2T3JjtA== X-Received: by 2002:a05:6000:1681:b0:21f:16a6:626f with SMTP id y1-20020a056000168100b0021f16a6626fmr2103200wrd.717.1660842044501; Thu, 18 Aug 2022 10:00:44 -0700 (PDT) Received: from Mindolluin.ire.aristanetworks.com ([217.173.96.166]) by smtp.gmail.com with ESMTPSA id be13-20020a05600c1e8d00b003a511e92abcsm2662169wmb.34.2022.08.18.10.00.43 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 18 Aug 2022 10:00:44 -0700 (PDT) From: Dmitry Safonov To: Eric Dumazet , "David S. Miller" , linux-kernel@vger.kernel.org Cc: Dmitry Safonov , Andy Lutomirski , Ard Biesheuvel , Bob Gilligan , David Ahern , Dmitry Safonov <0x7f454c46@gmail.com>, Eric Biggers , Francesco Ruggeri , Herbert Xu , Hideaki YOSHIFUJI , Ivan Delalande , Jakub Kicinski , Leonard Crestez , Paolo Abeni , Salam Noureddine , Shuah Khan , netdev@vger.kernel.org, linux-crypto@vger.kernel.org Subject: [PATCH 21/31] net/tcp: Ignore specific ICMPs for TCP-AO connections Date: Thu, 18 Aug 2022 17:59:55 +0100 Message-Id: <20220818170005.747015-22-dima@arista.com> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220818170005.747015-1-dima@arista.com> References: <20220818170005.747015-1-dima@arista.com> MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Similarly to IPsec, RFC5925 prescribes: ">> A TCP-AO implementation MUST default to ignore incoming ICMPv4 messages of Type 3 (destination unreachable), Codes 2-4 (protocol unreachable, port unreachable, and fragmentation needed -- =E2=80=99hard errors=E2=80=99), and ICMPv6 Type 1 (destination unreachable), Code 1 (administratively prohibited) and Code 4 (port unreachable) intended for connections in synchronized states (ESTABLISHED, FIN-WAIT-1, FIN- WAIT-2, CLOSE-WAIT, CLOSING, LAST-ACK, TIME-WAIT) that match MKTs." A selftest (later in patch series) verifies that this attack is not possible in this TCP-AO implementation. Co-developed-by: Francesco Ruggeri Signed-off-by: Francesco Ruggeri Co-developed-by: Salam Noureddine Signed-off-by: Salam Noureddine Signed-off-by: Dmitry Safonov --- include/net/tcp_ao.h | 9 +++++ include/uapi/linux/snmp.h | 1 + include/uapi/linux/tcp.h | 1 + net/ipv4/proc.c | 1 + net/ipv4/tcp_ao.c | 70 ++++++++++++++++++++++++++++++++++++++- net/ipv4/tcp_ipv4.c | 5 +++ net/ipv6/tcp_ipv6.c | 4 +++ 7 files changed, 90 insertions(+), 1 deletion(-) diff --git a/include/net/tcp_ao.h b/include/net/tcp_ao.h index e99c8f300a5a..743a910ba508 100644 --- a/include/net/tcp_ao.h +++ b/include/net/tcp_ao.h @@ -25,6 +25,7 @@ struct tcp_ao_counters { atomic64_t pkt_bad; atomic64_t key_not_found; atomic64_t ao_required; + atomic64_t dropped_icmp; }; =20 struct tcp_ao_key { @@ -77,6 +78,9 @@ static inline unsigned int tcp_ao_digest_size(struct tcp_= ao_key *key) return key->digest_size; } =20 +/* bits in 'ao_flags' */ +#define AO_ACCEPT_ICMPS BIT(0) + struct tcp_ao_info { struct hlist_head head; struct rcu_head rcu; @@ -169,6 +173,7 @@ u32 tcp_ao_compute_sne(u32 sne, u32 seq, u32 new_seq); void tcp_ao_time_wait(struct tcp_timewait_sock *tcptw, struct tcp_sock *tp= ); int tcp_ao_cache_traffic_keys(const struct sock *sk, struct tcp_ao_info *a= o, struct tcp_ao_key *ao_key); +bool tcp_ao_ignore_icmp(struct sock *sk, int type, int code); enum skb_drop_reason tcp_inbound_ao_hash(struct sock *sk, const struct sk_buff *skb, unsigned short int family, const struct request_sock *req, @@ -239,6 +244,10 @@ void tcp_ao_connect_init(struct sock *sk); =20 #else /* CONFIG_TCP_AO */ =20 +static inline bool tcp_ao_ignore_icmp(struct sock *sk, int type, int code) +{ + return false; +} static inline enum skb_drop_reason tcp_inbound_ao_hash(struct sock *sk, const struct sk_buff *skb, unsigned short int family, const struct request_sock *req, const struct tcp_ao_hdr *aoh) diff --git a/include/uapi/linux/snmp.h b/include/uapi/linux/snmp.h index f09119db8b40..bc7655394e9a 100644 --- a/include/uapi/linux/snmp.h +++ b/include/uapi/linux/snmp.h @@ -296,6 +296,7 @@ enum LINUX_MIB_TCPAOBAD, /* TCPAOBad */ LINUX_MIB_TCPAOKEYNOTFOUND, /* TCPAOKeyNotFound */ LINUX_MIB_TCPAOGOOD, /* TCPAOGood */ + LINUX_MIB_TCPAODROPPEDICMPS, /* TCPAODroppedIcmps */ __LINUX_MIB_MAX }; =20 diff --git a/include/uapi/linux/tcp.h b/include/uapi/linux/tcp.h index 5369458ae89f..508bedbc6ad8 100644 --- a/include/uapi/linux/tcp.h +++ b/include/uapi/linux/tcp.h @@ -349,6 +349,7 @@ struct tcp_diag_md5sig { =20 #define TCP_AO_CMDF_CURR (1 << 0) /* Only checks field sndid */ #define TCP_AO_CMDF_NEXT (1 << 1) /* Only checks field rcvid */ +#define TCP_AO_CMDF_ACCEPT_ICMP (1 << 2) /* Accept incoming ICMPs */ =20 struct tcp_ao { /* setsockopt(TCP_AO) */ struct __kernel_sockaddr_storage tcpa_addr; diff --git a/net/ipv4/proc.c b/net/ipv4/proc.c index 1b5a078adcf1..ccfb7f51e82f 100644 --- a/net/ipv4/proc.c +++ b/net/ipv4/proc.c @@ -301,6 +301,7 @@ static const struct snmp_mib snmp4_net_list[] =3D { SNMP_MIB_ITEM("TCPAOBad", LINUX_MIB_TCPAOBAD), SNMP_MIB_ITEM("TCPAOKeyNotFound", LINUX_MIB_TCPAOKEYNOTFOUND), SNMP_MIB_ITEM("TCPAOGood", LINUX_MIB_TCPAOGOOD), + SNMP_MIB_ITEM("TCPAODroppedIcmps", LINUX_MIB_TCPAODROPPEDICMPS), SNMP_MIB_SENTINEL }; =20 diff --git a/net/ipv4/tcp_ao.c b/net/ipv4/tcp_ao.c index 4283e0193e2a..858295393643 100644 --- a/net/ipv4/tcp_ao.c +++ b/net/ipv4/tcp_ao.c @@ -15,6 +15,7 @@ =20 #include #include +#include =20 int tcp_ao_calc_traffic_key(struct tcp_ao_key *mkt, u8 *key, void *ctx, unsigned int len) @@ -52,6 +53,63 @@ int tcp_ao_calc_traffic_key(struct tcp_ao_key *mkt, u8 *= key, void *ctx, return 1; } =20 +bool tcp_ao_ignore_icmp(struct sock *sk, int type, int code) +{ + struct tcp_ao_info *ao; + bool ignore_icmp =3D false; + + /* RFC5925, 7.8: + * >> A TCP-AO implementation MUST default to ignore incoming ICMPv4 + * messages of Type 3 (destination unreachable), Codes 2-4 (protocol + * unreachable, port unreachable, and fragmentation needed -- =E2=80=99ha= rd + * errors=E2=80=99), and ICMPv6 Type 1 (destination unreachable), Code 1 + * (administratively prohibited) and Code 4 (port unreachable) intended + * for connections in synchronized states (ESTABLISHED, FIN-WAIT-1, FIN- + * WAIT-2, CLOSE-WAIT, CLOSING, LAST-ACK, TIME-WAIT) that match MKTs. + */ + if (sk->sk_family =3D=3D AF_INET) { + if (type !=3D ICMP_DEST_UNREACH) + return false; + if (code < ICMP_PROT_UNREACH || code > ICMP_FRAG_NEEDED) + return false; + } else if (sk->sk_family =3D=3D AF_INET6) { + if (type !=3D ICMPV6_DEST_UNREACH) + return false; + if (code !=3D ICMPV6_ADM_PROHIBITED && code !=3D ICMPV6_PORT_UNREACH) + return false; + } else { + WARN_ON_ONCE(1); + return false; + } + + rcu_read_lock(); + switch (sk->sk_state) { + case TCP_TIME_WAIT: + ao =3D rcu_dereference(tcp_twsk(sk)->ao_info); + break; + case TCP_SYN_SENT: + case TCP_SYN_RECV: + case TCP_LISTEN: + case TCP_NEW_SYN_RECV: + /* RFC5925 specifies to ignore ICMPs *only* on connections + * in synchronized states. + */ + rcu_read_unlock(); + return false; + default: + ao =3D rcu_dereference(tcp_sk(sk)->ao_info); + } + + if (ao && !(ao->ao_flags & AO_ACCEPT_ICMPS)) { + ignore_icmp =3D true; + __NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPAODROPPEDICMPS); + atomic64_inc(&ao->counters.dropped_icmp); + } + rcu_read_unlock(); + + return ignore_icmp; +} + struct tcp_ao_key *tcp_ao_do_lookup_keyid(struct tcp_ao_info *ao, int sndid, int rcvid) { @@ -1360,7 +1418,7 @@ static bool tcp_ao_mkt_overlap_v6(struct tcp_ao *cmd, =20 #define TCP_AO_KEYF_ALL (0) #define TCP_AO_CMDF_ADDMOD_VALID \ - (TCP_AO_CMDF_CURR | TCP_AO_CMDF_NEXT) + (TCP_AO_CMDF_CURR | TCP_AO_CMDF_NEXT | TCP_AO_CMDF_ACCEPT_ICMP) #define TCP_AO_CMDF_DEL_VALID \ (TCP_AO_CMDF_CURR | TCP_AO_CMDF_NEXT) =20 @@ -1443,6 +1501,11 @@ static int tcp_ao_add_cmd(struct sock *sk, unsigned = short int family, atomic64_set(&key->pkt_good, 0); atomic64_set(&key->pkt_bad, 0); =20 + if (cmd.tcpa_flags & TCP_AO_CMDF_ACCEPT_ICMP) + ao_info->ao_flags |=3D AO_ACCEPT_ICMPS; + else + ao_info->ao_flags &=3D ~AO_ACCEPT_ICMPS; + ret =3D tcp_ao_parse_crypto(&cmd, key); if (ret < 0) goto err_free_sock; @@ -1601,6 +1664,11 @@ static int tcp_ao_mod_cmd(struct sock *sk, unsigned = short int family, if (!ao_info) return -ENOENT; /* TODO: make tcp_ao_current_rnext() and flags set atomic */ + if (cmd.tcpa_flags & TCP_AO_CMDF_ACCEPT_ICMP) + ao_info->ao_flags |=3D AO_ACCEPT_ICMPS; + else + ao_info->ao_flags &=3D ~AO_ACCEPT_ICMPS; + return tcp_ao_current_rnext(sk, cmd.tcpa_flags, cmd.tcpa_current, cmd.tcpa_rnext); } diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c index a1e1a23abfea..bb4d208da8a8 100644 --- a/net/ipv4/tcp_ipv4.c +++ b/net/ipv4/tcp_ipv4.c @@ -484,6 +484,8 @@ int tcp_v4_err(struct sk_buff *skb, u32 info) return -ENOENT; } if (sk->sk_state =3D=3D TCP_TIME_WAIT) { + /* To increase the counter of ignored icmps for TCP-AO */ + tcp_ao_ignore_icmp(sk, type, code); inet_twsk_put(inet_twsk(sk)); return 0; } @@ -498,6 +500,9 @@ int tcp_v4_err(struct sk_buff *skb, u32 info) } =20 bh_lock_sock(sk); + if (tcp_ao_ignore_icmp(sk, type, code)) + goto out; + /* If too many ICMPs get dropped on busy * servers this needs to be solved differently. * We do take care of PMTU discovery (RFC1191) special case : diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c index 8a27408549cd..78994d1cbc45 100644 --- a/net/ipv6/tcp_ipv6.c +++ b/net/ipv6/tcp_ipv6.c @@ -399,6 +399,8 @@ static int tcp_v6_err(struct sk_buff *skb, struct inet6= _skb_parm *opt, } =20 if (sk->sk_state =3D=3D TCP_TIME_WAIT) { + /* To increase the counter of ignored icmps for TCP-AO */ + tcp_ao_ignore_icmp(sk, type, code); inet_twsk_put(inet_twsk(sk)); return 0; } @@ -410,6 +412,8 @@ static int tcp_v6_err(struct sk_buff *skb, struct inet6= _skb_parm *opt, } =20 bh_lock_sock(sk); + if (tcp_ao_ignore_icmp(sk, type, code)) + goto out; if (sock_owned_by_user(sk) && type !=3D ICMPV6_PKT_TOOBIG) __NET_INC_STATS(net, LINUX_MIB_LOCKDROPPEDICMPS); =20 --=20 2.37.2 From nobody Fri Apr 10 21:51:38 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7B793C00140 for ; Thu, 18 Aug 2022 17:03:41 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1345458AbiHRRDj (ORCPT ); Thu, 18 Aug 2022 13:03:39 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34862 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1345224AbiHRRAz (ORCPT ); Thu, 18 Aug 2022 13:00:55 -0400 Received: from mail-wr1-x42a.google.com (mail-wr1-x42a.google.com [IPv6:2a00:1450:4864:20::42a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6231769F71 for ; Thu, 18 Aug 2022 10:00:46 -0700 (PDT) Received: by mail-wr1-x42a.google.com with SMTP id r16so2424602wrm.6 for ; Thu, 18 Aug 2022 10:00:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=arista.com; s=google; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc; bh=E96d+BUrTn5halPp8rfKr4BR8z1gBILVpe/NiX4cSOM=; b=eslQLaOzrcgU+TRthmIrk4mKFUgv2ctqWMVMZzQP0h0E239TBd1c7aKhEo7C/YzZ/C n7qHTZ6qwnHwfEsyv3qjq4zdUnTSfph5M85c2pNWOQGAOexNTh9GYAIZFMPu/I222L9d Mj+MEHoAnDCvD4C5aeMu+PBR7/Ka8JntqGQ9nNqXI9KTFsSJg2M5EbK+I6qTeVcf4hVE TaNmgPLUqAEB4woL44kBOYSY5eqB8JRJnDJo4o7VirvB2PPy5MnHrZwXoWOckXR/DmEF wv9LZpATOuEKyUYgXls4Qc48x1Cx/RXWfTZuJcv6SH1tOUV+reeKOAAqF7hL9Hcs4D04 kEig== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc; bh=E96d+BUrTn5halPp8rfKr4BR8z1gBILVpe/NiX4cSOM=; b=rbQ6HP6m7SQBaqZAq4eUKicS+Lf8ueDwoi+/y2sfReS3S/70t3hhHqNqpjtsRHxs20 Fg/MnRhBBV1SyzTZIQQTXWakA9MuHgokLyBPFklEWrb/LQV/olv2MdvANNHTrbSVQUrx AP/xzZ39hyHDCRH1DWQOcdzwpPtZkCi7R95HW4hYwfqOPpdOF0y2I425hEukaiIwrQJH td1zPVuRkMcDRuDVYe96fqvTKQB5UzEadTsYP6pKctQLZZ/qrIytH6jC0GuxjiJCRB1f t8U1k5gZDec5UN+fsxaKiup1NfmdRHdjuXE4bOfddQDjh43dsiXSpKia261bP+5l3Rxp vHXA== X-Gm-Message-State: ACgBeo0TdH86i7k2qdfgHAFZiHvmY33LBRrr1OXtwZsWV+TZavYhWKZ0 JyhefGx10QmoLsyqNvoO52j3Jw== X-Google-Smtp-Source: AA6agR4jWu5q16URuIM703Kk3SvvJ3fM5QAgSFFuhVHEhWOkBCOL26w1vKN1rgalbG1P0R6Kg4uQJw== X-Received: by 2002:adf:e10c:0:b0:225:3168:c261 with SMTP id t12-20020adfe10c000000b002253168c261mr1433771wrz.159.1660842045923; Thu, 18 Aug 2022 10:00:45 -0700 (PDT) Received: from Mindolluin.ire.aristanetworks.com ([217.173.96.166]) by smtp.gmail.com with ESMTPSA id be13-20020a05600c1e8d00b003a511e92abcsm2662169wmb.34.2022.08.18.10.00.44 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 18 Aug 2022 10:00:45 -0700 (PDT) From: Dmitry Safonov To: Eric Dumazet , "David S. Miller" , linux-kernel@vger.kernel.org Cc: Dmitry Safonov , Andy Lutomirski , Ard Biesheuvel , Bob Gilligan , David Ahern , Dmitry Safonov <0x7f454c46@gmail.com>, Eric Biggers , Francesco Ruggeri , Herbert Xu , Hideaki YOSHIFUJI , Ivan Delalande , Jakub Kicinski , Leonard Crestez , Paolo Abeni , Salam Noureddine , Shuah Khan , netdev@vger.kernel.org, linux-crypto@vger.kernel.org Subject: [PATCH 22/31] net/tcp: Add option for TCP-AO to (not) hash header Date: Thu, 18 Aug 2022 17:59:56 +0100 Message-Id: <20220818170005.747015-23-dima@arista.com> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220818170005.747015-1-dima@arista.com> References: <20220818170005.747015-1-dima@arista.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" Provide setsockopt() key flag that makes TCP-AO exclude hashing TCP header for peers that match the key. This is needed for interraction with middleboxes that may change TCP options, see RFC5925 (9.2). Co-developed-by: Francesco Ruggeri Signed-off-by: Francesco Ruggeri Co-developed-by: Salam Noureddine Signed-off-by: Salam Noureddine Signed-off-by: Dmitry Safonov --- include/uapi/linux/tcp.h | 2 ++ net/ipv4/tcp_ao.c | 8 +++++--- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/include/uapi/linux/tcp.h b/include/uapi/linux/tcp.h index 508bedbc6ad8..b60933ee2a27 100644 --- a/include/uapi/linux/tcp.h +++ b/include/uapi/linux/tcp.h @@ -347,6 +347,8 @@ struct tcp_diag_md5sig { =20 #define TCP_AO_MAXKEYLEN 80 =20 +#define TCP_AO_KEYF_EXCLUDE_OPT (1 << 0) + #define TCP_AO_CMDF_CURR (1 << 0) /* Only checks field sndid */ #define TCP_AO_CMDF_NEXT (1 << 1) /* Only checks field rcvid */ #define TCP_AO_CMDF_ACCEPT_ICMP (1 << 2) /* Accept incoming ICMPs */ diff --git a/net/ipv4/tcp_ao.c b/net/ipv4/tcp_ao.c index 858295393643..6e18a8cdee90 100644 --- a/net/ipv4/tcp_ao.c +++ b/net/ipv4/tcp_ao.c @@ -586,7 +586,8 @@ int tcp_ao_hash_hdr(unsigned short int family, char *ao= _hash, &saddr->a6, th->doff * 4)) goto clear_hash; } - if (tcp_ao_hash_header(&hp, th, false, + if (tcp_ao_hash_header(&hp, th, + !!(key->keyflags & TCP_AO_KEYF_EXCLUDE_OPT), ao_hash, hash_offset, tcp_ao_maclen(key))) goto clear_hash; ahash_request_set_crypt(hp.req, NULL, ao_hash, 0); @@ -628,7 +629,8 @@ int tcp_ao_hash_skb(unsigned short int family, goto clear_hash; if (tcp_ao_hash_pseudoheader(family, sk, skb, &hp, skb->len)) goto clear_hash; - if (tcp_ao_hash_header(&hp, th, false, + if (tcp_ao_hash_header(&hp, th, + !!(key->keyflags & TCP_AO_KEYF_EXCLUDE_OPT), ao_hash, hash_offset, tcp_ao_maclen(key))) goto clear_hash; if (tcp_ao_hash_skb_data(&hp, skb, th->doff << 2)) @@ -1416,7 +1418,7 @@ static bool tcp_ao_mkt_overlap_v6(struct tcp_ao *cmd, return false; } =20 -#define TCP_AO_KEYF_ALL (0) +#define TCP_AO_KEYF_ALL (TCP_AO_KEYF_EXCLUDE_OPT) #define TCP_AO_CMDF_ADDMOD_VALID \ (TCP_AO_CMDF_CURR | TCP_AO_CMDF_NEXT | TCP_AO_CMDF_ACCEPT_ICMP) #define TCP_AO_CMDF_DEL_VALID \ --=20 2.37.2 From nobody Fri Apr 10 21:51:38 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 54066C00140 for ; Thu, 18 Aug 2022 17:04:13 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1344249AbiHRREL (ORCPT ); Thu, 18 Aug 2022 13:04:11 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34402 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1345227AbiHRRAz (ORCPT ); Thu, 18 Aug 2022 13:00:55 -0400 Received: from mail-wr1-x433.google.com (mail-wr1-x433.google.com [IPv6:2a00:1450:4864:20::433]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id EF624C12C0 for ; Thu, 18 Aug 2022 10:00:47 -0700 (PDT) Received: by mail-wr1-x433.google.com with SMTP id j7so2437523wrh.3 for ; Thu, 18 Aug 2022 10:00:47 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=arista.com; s=google; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc; bh=iVbJUPjT1DQbISQ2LcniAEoL1U+YxrD/O962fTHv2S0=; b=N+Rk8D6+rkvejAUXREba+bpSaqDvZydR6lHT44pggi3thtq9BclbvzmcJ0uRocrB4L bDv6pSWoQapBvDpLxSxRD1AJAM3iy4neZXtgcyj7l9EVpcjKy588sueowyWzswrM/UcZ DCwfXxhVI0Htpr2GIxpuPkiVJPXyahAjytbIHGdFtGSAGcLxQsx67neHzb45yswzLBVF e4iqtQ8SnGRzdaSPMeDX5BbVGuiql4FtOmDD0j7lC4aUIM0WjGsvdIMU6blOn0UQIXzT QxQyVTh3xn5wpKci+9gpHZn/8luRzlvpKbycGpK9VaeLzKvtaiAQ+o+E6OiC0x294e99 9xqw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc; bh=iVbJUPjT1DQbISQ2LcniAEoL1U+YxrD/O962fTHv2S0=; b=tOgSyvTQPXr/jqVNvbRGwb59b7KnuL9IH3d84LjE1ddh/mY0kQHCoizW4vtLGOpA8Z qfLpBENtH6xoHGfMj2+Lpbp0WA1StYHOtPPnHQ0yi7dpduGdphxotxS1HVIWKCWqMUlG M6gFIVFpuuAkoN83cKVhKLV6j5XSmoLp6tJh8t3Y2mLRfjLIGOs2vaASMrEoVKpDX8/O /tdzAQc4PBL0NLy/XX1/nZr2s/ibEU6Mq7B0jJuETvode7iPUco69/O26GdMf2omcj1l UDMbwUVhsiiGYWCRxeQb7UPhPMOHSrWFQZBud6H45vniikcBesZvHVp1z5KOc7ERIIim EI6A== X-Gm-Message-State: ACgBeo3DRsYFDTw9W/eiqEjhPrfH7V+4dce7TGZadSAD/SrgGIDJWFon x5MAFTO3SLDClHi0XsrRwDUAQA== X-Google-Smtp-Source: AA6agR7RMR2ob98gixb0r3CwoI0GrpxAoNzORRLkVCxuxDeSdHvWk7oC3tcrtTw+b9fccSNteDSifA== X-Received: by 2002:a05:6000:1f0e:b0:221:6dd6:a2a3 with SMTP id bv14-20020a0560001f0e00b002216dd6a2a3mr2186446wrb.574.1660842047374; Thu, 18 Aug 2022 10:00:47 -0700 (PDT) Received: from Mindolluin.ire.aristanetworks.com ([217.173.96.166]) by smtp.gmail.com with ESMTPSA id be13-20020a05600c1e8d00b003a511e92abcsm2662169wmb.34.2022.08.18.10.00.46 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 18 Aug 2022 10:00:46 -0700 (PDT) From: Dmitry Safonov To: Eric Dumazet , "David S. Miller" , linux-kernel@vger.kernel.org Cc: Dmitry Safonov , Andy Lutomirski , Ard Biesheuvel , Bob Gilligan , David Ahern , Dmitry Safonov <0x7f454c46@gmail.com>, Eric Biggers , Francesco Ruggeri , Herbert Xu , Hideaki YOSHIFUJI , Ivan Delalande , Jakub Kicinski , Leonard Crestez , Paolo Abeni , Salam Noureddine , Shuah Khan , netdev@vger.kernel.org, linux-crypto@vger.kernel.org Subject: [PATCH 23/31] net/tcp: Add getsockopt(TCP_AO_GET) Date: Thu, 18 Aug 2022 17:59:57 +0100 Message-Id: <20220818170005.747015-24-dima@arista.com> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220818170005.747015-1-dima@arista.com> References: <20220818170005.747015-1-dima@arista.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" Introduce getsockopt() that let user get TCP-AO keys and their properties from a socket. A user can provide a filter to match a specific key to be dumped or TCP_AO_GET_ALL flag may be used to dump all keys in one syscall. Co-developed-by: Francesco Ruggeri Signed-off-by: Francesco Ruggeri Co-developed-by: Salam Noureddine Signed-off-by: Salam Noureddine Signed-off-by: Dmitry Safonov --- include/net/tcp_ao.h | 1 + include/uapi/linux/tcp.h | 19 ++++ net/ipv4/tcp.c | 11 ++ net/ipv4/tcp_ao.c | 223 +++++++++++++++++++++++++++++++++++++++ 4 files changed, 254 insertions(+) diff --git a/include/net/tcp_ao.h b/include/net/tcp_ao.h index 743a910ba508..b5088d4c5587 100644 --- a/include/net/tcp_ao.h +++ b/include/net/tcp_ao.h @@ -174,6 +174,7 @@ void tcp_ao_time_wait(struct tcp_timewait_sock *tcptw, = struct tcp_sock *tp); int tcp_ao_cache_traffic_keys(const struct sock *sk, struct tcp_ao_info *a= o, struct tcp_ao_key *ao_key); bool tcp_ao_ignore_icmp(struct sock *sk, int type, int code); +int tcp_ao_get_mkts(struct sock *sk, char __user *optval, int __user *optl= en); enum skb_drop_reason tcp_inbound_ao_hash(struct sock *sk, const struct sk_buff *skb, unsigned short int family, const struct request_sock *req, diff --git a/include/uapi/linux/tcp.h b/include/uapi/linux/tcp.h index b60933ee2a27..453187d21da8 100644 --- a/include/uapi/linux/tcp.h +++ b/include/uapi/linux/tcp.h @@ -132,6 +132,7 @@ enum { #define TCP_AO 38 /* (Add/Set MKT) */ #define TCP_AO_DEL 39 /* (Delete MKT) */ #define TCP_AO_MOD 40 /* (Modify MKT) */ +#define TCP_AO_GET 41 /* (Get MKTs) */ =20 #define TCP_REPAIR_ON 1 #define TCP_REPAIR_OFF 0 @@ -353,6 +354,10 @@ struct tcp_diag_md5sig { #define TCP_AO_CMDF_NEXT (1 << 1) /* Only checks field rcvid */ #define TCP_AO_CMDF_ACCEPT_ICMP (1 << 2) /* Accept incoming ICMPs */ =20 +#define TCP_AO_GET_CURR TCP_AO_CMDF_CURR +#define TCP_AO_GET_NEXT TCP_AO_CMDF_NEXT +#define TCP_AO_GET_ALL (1 << 2) + struct tcp_ao { /* setsockopt(TCP_AO) */ struct __kernel_sockaddr_storage tcpa_addr; char tcpa_alg_name[64]; @@ -382,6 +387,20 @@ struct tcp_ao_mod { /* setsockopt(TCP_AO_MOD) */ __u8 tcpa_rnext; } __attribute__((aligned(8))); =20 +struct tcp_ao_getsockopt { /* getsockopt(TCP_AO_GET) */ + struct __kernel_sockaddr_storage addr; + __u8 sndid; + __u8 rcvid; + __u32 nkeys; + char alg_name[64]; + __u16 flags; + __u8 prefix; + __u8 maclen; + __u8 keyflags; + __u8 keylen; + __u8 key[TCP_AO_MAXKEYLEN]; +} __attribute__((aligned(8))); + /* setsockopt(fd, IPPROTO_TCP, TCP_ZEROCOPY_RECEIVE, ...) */ =20 #define TCP_RECEIVE_ZEROCOPY_FLAG_TLB_CLEAN_HINT 0x1 diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c index 3ef9d69fa561..aa5ce2c738f0 100644 --- a/net/ipv4/tcp.c +++ b/net/ipv4/tcp.c @@ -4376,6 +4376,17 @@ static int do_tcp_getsockopt(struct sock *sk, int le= vel, err =3D -EFAULT; return err; } +#endif +#ifdef CONFIG_TCP_AO + case TCP_AO_GET: { + int err; + + lock_sock(sk); + err =3D tcp_ao_get_mkts(sk, optval, optlen); + release_sock(sk); + + return err; + } #endif default: return -ENOPROTOOPT; diff --git a/net/ipv4/tcp_ao.c b/net/ipv4/tcp_ao.c index 6e18a8cdee90..5ab16b857c29 100644 --- a/net/ipv4/tcp_ao.c +++ b/net/ipv4/tcp_ao.c @@ -1423,6 +1423,8 @@ static bool tcp_ao_mkt_overlap_v6(struct tcp_ao *cmd, (TCP_AO_CMDF_CURR | TCP_AO_CMDF_NEXT | TCP_AO_CMDF_ACCEPT_ICMP) #define TCP_AO_CMDF_DEL_VALID \ (TCP_AO_CMDF_CURR | TCP_AO_CMDF_NEXT) +#define TCP_AO_GETF_VALID \ + (TCP_AO_GET_ALL | TCP_AO_GET_CURR | TCP_AO_GET_NEXT) =20 static int tcp_ao_add_cmd(struct sock *sk, unsigned short int family, sockptr_t optval, int optlen) @@ -1699,3 +1701,224 @@ int tcp_v4_parse_ao(struct sock *sk, int cmd, sockp= tr_t optval, int optlen) return tcp_parse_ao(sk, cmd, AF_INET, optval, optlen); } =20 +/* tcp_ao_copy_mkts_to_user(ao_info, optval, optlen) + * + * @ao_info: struct tcp_ao_info on the socket that + * socket getsockopt(TCP_AO_GET) is executed on + * @optval: pointer to array of tcp_ao_getsockopt structures in user space. + * Must be !=3D NULL. + * @optlen: pointer to size of tcp_ao_getsockopt structure. + * Must be !=3D NULL. + * + * Return value: 0 on success, a negative error number otherwise. + * + * optval points to an array of tcp_ao_getsockopt structures in user space. + * optval[0] is used as both input and output to getsockopt. It determines + * which keys are returned by the kernel. + * optval[0].nkeys is the size of the array in user space. On return it co= ntains + * the number of keys matching the search criteria. + * If TCP_AO_GET_ALL is set in "flags", then all keys in the socket are + * returned, otherwise only keys matching + * in optval[0] are returned. + * optlen is also used as both input and output. The user provides the size + * of struct tcp_ao_getsockopt in user space, and the kernel returns the s= ize + * of the structure in kernel space. + * The size of struct tcp_ao_getsockopt may differ between user and kernel. + * There are three cases to consider: + * * If usize =3D=3D ksize, then keys are copied verbatim. + * * If usize < ksize, then the userspace has passed an old struct to a + * newer kernel. The rest of the trailing bytes in optval[0] + * (ksize - usize) are interpreted as 0 by the kernel. + * * If usize > ksize, then the userspace has passed a new struct to an + * older kernel. The trailing bytes unknown to the kernel (usize - ksiz= e) + * are checked to ensure they are zeroed, otherwise -E2BIG is returned. + * On return the kernel fills in min(usize, ksize) in each entry of the ar= ray. + * The layout of the fields in the user and kernel structures is expected = to + * be the same (including in the 32bit vs 64bit case). + */ +int tcp_ao_copy_mkts_to_user(struct tcp_ao_info *ao_info, + char __user *optval, int __user *optlen) +{ + struct tcp_ao_getsockopt opt_in; + struct tcp_ao_getsockopt opt_out; + struct tcp_ao_getsockopt __user *optval_in; + int user_len; + unsigned int max_keys; /* maximum number of keys to copy to user */ + u32 copied_keys; /* keys copied to user so far */ + int matched_keys; /* keys from ao_info matched so far */ + int bytes_to_write; /* number of bytes to write to user level */ + struct tcp_ao_key *key; + struct sockaddr_in *sin; /* (struct sockaddr_in *)&opt_in.addr */ + struct sockaddr_in6 *sin6; /* (struct sockaddr_in6 *)&opt_in.addr */ + struct in6_addr *addr6; /* &sin6->sin6_addr */ + __kernel_sa_family_t ss_family; + union tcp_ao_addr *addr; + int optlen_out; + u8 prefix_in; + u16 port =3D 0; + bool copy_all, copy_current, copy_next; + int err; + + if (get_user(user_len, optlen)) + return -EFAULT; + + if (user_len <=3D 0) + return -EINVAL; + + memset(&opt_in, 0, sizeof(struct tcp_ao_getsockopt)); + err =3D copy_struct_from_user(&opt_in, sizeof(struct tcp_ao_getsockopt), + optval, user_len); + if (err < 0) + return err; + + optval_in =3D (struct tcp_ao_getsockopt __user *)optval; + ss_family =3D opt_in.addr.ss_family; + + BUILD_BUG_ON(TCP_AO_GET_ALL & (TCP_AO_GET_CURR | TCP_AO_GET_NEXT)); + if (opt_in.flags & ~TCP_AO_GETF_VALID) + return -EINVAL; + + max_keys =3D opt_in.nkeys; + copy_all =3D !!(opt_in.flags & TCP_AO_GET_ALL); + copy_current =3D !!(opt_in.flags & TCP_AO_GET_CURR); + copy_next =3D !!(opt_in.flags & TCP_AO_GET_NEXT); + + if (!(copy_all || copy_current || copy_next)) { + prefix_in =3D opt_in.prefix; + + switch (ss_family) { + case AF_INET: { + sin =3D (struct sockaddr_in *)&opt_in.addr; + port =3D sin->sin_port; + addr =3D (union tcp_ao_addr *)&sin->sin_addr; + + if (prefix_in > 32) + return -EINVAL; + + if (sin->sin_addr.s_addr =3D=3D INADDR_ANY && + prefix_in !=3D 0) + return -EINVAL; + + break; + } + case AF_INET6: { + sin6 =3D (struct sockaddr_in6 *)&opt_in.addr; + addr =3D (union tcp_ao_addr *)&sin6->sin6_addr; + addr6 =3D &sin6->sin6_addr; + port =3D sin6->sin6_port; + + if (prefix_in !=3D 0) { + if (ipv6_addr_v4mapped(addr6)) { + __be32 addr4 =3D addr6->s6_addr32[3]; + + if (prefix_in > 32 || + addr4 =3D=3D INADDR_ANY) + return -EINVAL; + } else { + if (ipv6_addr_any(addr6) || + prefix_in > 128) + return -EINVAL; + } + } else if (!ipv6_addr_any(addr6)) { + return -EINVAL; + } + + break; + } + default: + return -EINVAL; + } + } + + bytes_to_write =3D min(user_len, (int)sizeof(struct tcp_ao_getsockopt)); + copied_keys =3D 0; + matched_keys =3D 0; + + hlist_for_each_entry_rcu(key, &ao_info->head, node) { + if (copy_all) + goto match; + + if (copy_current || copy_next) { + if (copy_current && key =3D=3D ao_info->current_key) + goto match; + if (copy_next && key =3D=3D ao_info->rnext_key) + goto match; + continue; + } + + if (tcp_ao_key_cmp(key, addr, opt_in.prefix, + opt_in.addr.ss_family, + opt_in.sndid, opt_in.rcvid, port) !=3D 0) + continue; +match: + matched_keys++; + if (copied_keys >=3D max_keys) + continue; + + memset(&opt_out, 0, sizeof(struct tcp_ao_getsockopt)); + + if (key->family =3D=3D AF_INET) { + struct sockaddr_in *sin_out =3D (struct sockaddr_in *)&opt_out.addr; + + sin_out->sin_family =3D key->family; + sin_out->sin_port =3D ntohs(key->port); + memcpy(&sin_out->sin_addr, &key->addr, sizeof(struct in_addr)); + } else { + struct sockaddr_in6 *sin6_out =3D (struct sockaddr_in6 *)&opt_out.addr; + + sin6_out->sin6_family =3D key->family; + sin6_out->sin6_port =3D ntohs(key->port); + memcpy(&sin6_out->sin6_addr, &key->addr, sizeof(struct in6_addr)); + } + opt_out.sndid =3D key->sndid; + opt_out.rcvid =3D key->rcvid; + opt_out.prefix =3D key->prefixlen; + opt_out.keyflags =3D key->keyflags; + opt_out.flags =3D 0; + if (key =3D=3D ao_info->current_key) + opt_out.flags |=3D TCP_AO_GET_CURR; + if (key =3D=3D ao_info->rnext_key) + opt_out.flags |=3D TCP_AO_GET_NEXT; + opt_out.nkeys =3D 0; + opt_out.maclen =3D key->maclen; + opt_out.keylen =3D key->keylen; + memcpy(&opt_out.key, key->key, key->keylen); + crypto_pool_algo(key->crypto_pool_id, opt_out.alg_name, 64); + + /* Copy key to user */ + if (copy_to_user(optval, &opt_out, bytes_to_write)) + return -EFAULT; + optval +=3D user_len; + copied_keys++; + } + + optlen_out =3D (int)sizeof(struct tcp_ao_getsockopt); + if (copy_to_user(optlen, &optlen_out, sizeof(int))) + return -EFAULT; + + if (copy_to_user(&optval_in->nkeys, &matched_keys, sizeof(u32))) + return -EFAULT; + + return 0; +} + +int tcp_ao_get_mkts(struct sock *sk, char __user *optval, int __user *optl= en) +{ + struct tcp_ao_info *ao_info; + u32 state; + + /* Check socket state */ + state =3D (1 << sk->sk_state) & + (TCPF_CLOSE | TCPF_ESTABLISHED | TCPF_LISTEN); + if (!state) + return -ESOCKTNOSUPPORT; + + /* Check ao_info */ + ao_info =3D rcu_dereference_protected(tcp_sk(sk)->ao_info, + lockdep_sock_is_held(sk)); + if (!ao_info) + return -ENOENT; + + return tcp_ao_copy_mkts_to_user(ao_info, optval, optlen); +} + --=20 2.37.2 From nobody Fri Apr 10 21:51:38 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id DA093C00140 for ; Thu, 18 Aug 2022 17:03:48 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1344366AbiHRRDr (ORCPT ); Thu, 18 Aug 2022 13:03:47 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34892 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1345242AbiHRRA5 (ORCPT ); Thu, 18 Aug 2022 13:00:57 -0400 Received: from mail-wr1-x434.google.com (mail-wr1-x434.google.com [IPv6:2a00:1450:4864:20::434]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 78EBCCAC7D for ; Thu, 18 Aug 2022 10:00:50 -0700 (PDT) Received: by mail-wr1-x434.google.com with SMTP id u14so2412968wrq.9 for ; Thu, 18 Aug 2022 10:00:50 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=arista.com; s=google; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc; bh=F0lkibhqVPCxvm3Ppub1hqnowC+kOn1prFBSdpysGnA=; b=OrGuEHr2A8fKjpufJq6HnT8hr0ZAUvIjJ6CLyZhObIJiALHKPBXE9v63L0D4vbjpYs N19JEohxVQ/z1fkpCUt0gjpYskJuig0glIXMEI93daJ97YKRS6C4zZyFy0uLw/kLkxTV CmuCiw+SLLiXW4ieAyQ159nfR+LgPVM2uRTJkAoQKCwLw4L0jmVTAdV0Mknlkj2CQpQo fCs46WTa3RNnl1YgOiJ+svgbCDdze5Q1GIe2Kzw/EDFs+HRBV+8WljTagZ0YSKC7m3y3 kjbsf4DWo2mJkqMAK/QBwNtuvP7x0b5KTlOgPXxhDflkpbZ+9nZS3216GYbw/2Pv/0p3 D14Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc; bh=F0lkibhqVPCxvm3Ppub1hqnowC+kOn1prFBSdpysGnA=; b=HxnqL/GrGsfaeSgQwAAWivjVJrXXOoQGKvSMqr8+X5I+v2CHPIu92zjv0XMKzYNeIf KbrK3aQO9p95pRP/NcGjSWteItRd81ytfdNrv6gtZJtTMranaK1vnjMAJbC2yn4ircUp gG2/SMzmOkFwYtiL8XiAnCtnS/4+9F1BfvLKvv/CGRlsEQ7oEWbZlgbyYq8ErzEN3U+0 3xngVyqhQSZ0FhUmjn89/hmQEbcQaR+sUPfFQXUwIIpWTCEhLuKk/p6Dz50n2NrWFX6B y46ohFEriZeZIwVrWghui9d/hTB1n0/Z6+fbcyLbSJ8rkUizVNdTRRTE6mNJ/DN3PeMn GkIA== X-Gm-Message-State: ACgBeo19M5eHVUzXYZi3QZWVNSw1x9HItls/tvVswee+BSEMXw8gPyHa dvT7kNotBWq4Zwo1b1RzuAcMcw== X-Google-Smtp-Source: AA6agR7aVywVC+hUyPavX61ThpyiJr5HTVXdX9EC4bZKCl94tWP2/qyrT4+wqKRzmQysAKCtbIF1Bg== X-Received: by 2002:a5d:5c12:0:b0:225:2993:2b63 with SMTP id cc18-20020a5d5c12000000b0022529932b63mr2232886wrb.294.1660842049011; Thu, 18 Aug 2022 10:00:49 -0700 (PDT) Received: from Mindolluin.ire.aristanetworks.com ([217.173.96.166]) by smtp.gmail.com with ESMTPSA id be13-20020a05600c1e8d00b003a511e92abcsm2662169wmb.34.2022.08.18.10.00.47 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 18 Aug 2022 10:00:48 -0700 (PDT) From: Dmitry Safonov To: Eric Dumazet , "David S. Miller" , linux-kernel@vger.kernel.org Cc: Dmitry Safonov , Andy Lutomirski , Ard Biesheuvel , Bob Gilligan , David Ahern , Dmitry Safonov <0x7f454c46@gmail.com>, Eric Biggers , Francesco Ruggeri , Herbert Xu , Hideaki YOSHIFUJI , Ivan Delalande , Jakub Kicinski , Leonard Crestez , Paolo Abeni , Salam Noureddine , Shuah Khan , netdev@vger.kernel.org, linux-crypto@vger.kernel.org Subject: [PATCH 24/31] net/tcp: Allow asynchronous delete for TCP-AO keys (MKTs) Date: Thu, 18 Aug 2022 17:59:58 +0100 Message-Id: <20220818170005.747015-25-dima@arista.com> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220818170005.747015-1-dima@arista.com> References: <20220818170005.747015-1-dima@arista.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" Delete becomes very, very fast - almost free, but after setsockopt() syscall returns, the key is still alive until next RCU grace period. Which is fine for listen sockets as userspace needs to be aware of setsockopt(TCP_AO) and accept() race and resolve it with verification by getsockopt() after TCP connection was accepted. The benchmark results (on non-loaded box, worse with more RCU work pending): > ok 33 Worst case delete 16384 keys: min=3D5ms max=3D10ms mean=3D6.9= 3904ms stddev=3D0.263421 > ok 34 Add a new key 16384 keys: min=3D1ms max=3D4ms mean=3D2.17= 751ms stddev=3D0.147564 > ok 35 Remove random-search 16384 keys: min=3D5ms max=3D10ms mean=3D6.5= 0243ms stddev=3D0.254999 > ok 36 Remove async 16384 keys: min=3D0ms max=3D0ms mean=3D0.02= 96107ms stddev=3D0.0172078 Co-developed-by: Francesco Ruggeri Signed-off-by: Francesco Ruggeri Co-developed-by: Salam Noureddine Signed-off-by: Salam Noureddine Signed-off-by: Dmitry Safonov --- include/uapi/linux/tcp.h | 3 +++ net/ipv4/tcp_ao.c | 17 ++++++++++++++++- 2 files changed, 19 insertions(+), 1 deletion(-) diff --git a/include/uapi/linux/tcp.h b/include/uapi/linux/tcp.h index 453187d21da8..42850ae6e99d 100644 --- a/include/uapi/linux/tcp.h +++ b/include/uapi/linux/tcp.h @@ -353,6 +353,9 @@ struct tcp_diag_md5sig { #define TCP_AO_CMDF_CURR (1 << 0) /* Only checks field sndid */ #define TCP_AO_CMDF_NEXT (1 << 1) /* Only checks field rcvid */ #define TCP_AO_CMDF_ACCEPT_ICMP (1 << 2) /* Accept incoming ICMPs */ +#define TCP_AO_CMDF_DEL_ASYNC (1 << 3) /* Asynchronious delete, valid + * only for listen sockets + */ =20 #define TCP_AO_GET_CURR TCP_AO_CMDF_CURR #define TCP_AO_GET_NEXT TCP_AO_CMDF_NEXT diff --git a/net/ipv4/tcp_ao.c b/net/ipv4/tcp_ao.c index 5ab16b857c29..8e75432c0cc8 100644 --- a/net/ipv4/tcp_ao.c +++ b/net/ipv4/tcp_ao.c @@ -1422,7 +1422,7 @@ static bool tcp_ao_mkt_overlap_v6(struct tcp_ao *cmd, #define TCP_AO_CMDF_ADDMOD_VALID \ (TCP_AO_CMDF_CURR | TCP_AO_CMDF_NEXT | TCP_AO_CMDF_ACCEPT_ICMP) #define TCP_AO_CMDF_DEL_VALID \ - (TCP_AO_CMDF_CURR | TCP_AO_CMDF_NEXT) + (TCP_AO_CMDF_CURR | TCP_AO_CMDF_NEXT | TCP_AO_CMDF_DEL_ASYNC) #define TCP_AO_GETF_VALID \ (TCP_AO_GET_ALL | TCP_AO_GET_CURR | TCP_AO_GET_NEXT) =20 @@ -1547,11 +1547,26 @@ static int tcp_ao_delete_key(struct sock *sk, struc= t tcp_ao_key *key, =20 hlist_del_rcu(&key->node); =20 + /* Support for async delete on listening sockets: as they don't + * need current_key/rnext_key maintaining, we don't need to check + * them and we can just free all resources in RCU fashion. + */ + if (cmd->tcpa_flags & TCP_AO_CMDF_DEL_ASYNC) { + if (sk->sk_state !=3D TCP_LISTEN) + return -EINVAL; + atomic_sub(tcp_ao_sizeof_key(key), &sk->sk_omem_alloc); + call_rcu(&key->rcu, tcp_ao_key_free_rcu); + return 0; + } + /* At this moment another CPU could have looked this key up * while it was unlinked from the list. Wait for RCU grace period, * after which the key is off-list and can't be looked up again; * the rx path [just before RCU came] might have used it and set it * as current_key (very unlikely). + * Free the key with next RCU grace period (in case it was + * current_key before tcp_ao_current_rnext() might have + * changed it in forced-delete). */ synchronize_rcu(); err =3D tcp_ao_current_rnext(sk, cmd->tcpa_flags, --=20 2.37.2 From nobody Fri Apr 10 21:51:38 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 06A2BC00140 for ; Thu, 18 Aug 2022 17:03:55 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S245756AbiHRRDw (ORCPT ); Thu, 18 Aug 2022 13:03:52 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33142 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1345254AbiHRRA7 (ORCPT ); Thu, 18 Aug 2022 13:00:59 -0400 Received: from mail-wm1-x336.google.com (mail-wm1-x336.google.com [IPv6:2a00:1450:4864:20::336]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 49E88B7EEE for ; Thu, 18 Aug 2022 10:00:52 -0700 (PDT) Received: by mail-wm1-x336.google.com with SMTP id ay12so1133785wmb.1 for ; Thu, 18 Aug 2022 10:00:52 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=arista.com; s=google; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc; bh=BZ/KkwshPnqMAFI0Wk3QXC0kmGplRHjwXvozYXgAG7s=; b=DY6x2vi43c3UKwxxIdBXAWcY8XOs2yGrLG1onKuxvp2BZ42w+xdHn83RNBA7PURGO/ F2drXWZ3FW/nnzh3w4DEBxG0PDTp8dFv62JRUBXoTVxiLd/kbPIdwRtl8l4S3CwnJ8+D dBpDJuKtNG+15Rbc4X5vh+ApvzUCelwTiOmtIcxC47+TkyaPEN3HBJkO0WAZ/1g9h2ab 6mRSfiZjnfYqa+8VXdoo/cVsaCUxHHYPmEK33yTI+LwyzRiwC0yK8E+npLNepgX1X6zN ivscMOvHYmfCjAqUyodhzl3QqBpeiFmzi31gkWj9AN2P5hkKLqc0XB3LzL5gJlTLwKfr 9O/Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc; bh=BZ/KkwshPnqMAFI0Wk3QXC0kmGplRHjwXvozYXgAG7s=; b=tUp2GbvxBDB9nwdKiSoaM8XvuV2Vo8UavbdjudLgI8fwmMqrFILkMkiv4I8ih5s96A JFPtrwUkxvZj/SM8E/2B4WrTElyvE335lQ/7JdZ2k4ZFI7w3CCoNZ8NiHGkGc/Vtxo5l uozb7avqOJx0wLPhEu2flqetLAlo9/tIEsGU/uVCkVcHchhtTvvNlAYYj9YaSiBijmT6 pi1f5r4Udo7Annd5LhubZO9USHrZj/jn9nnfgvUQbPcRr4qpfENHhPqBN5fyoyYFkYs1 J11sDmwqsl6jFCloN6iqgDwZeYT7j3owFt69w4qjU3zFukjOVfAv3TUhSGvQH2jHv2d1 p/BQ== X-Gm-Message-State: ACgBeo34iYCOcB/rHv+KG9C013qPQltJBgwFl9/G2GVp8EmfoGpebQJv e2HDL9DWWrKqX7RSWKJZ+qxKiX5nCLH9MA== X-Google-Smtp-Source: AA6agR5nz+PdufVjd+kScX5hdTE8c6RiGi8PqjeQDkYUlEReFdBD7TK/jaHHc/kqxGiJe0ZBoS4KIg== X-Received: by 2002:a1c:2585:0:b0:3a5:2163:f33b with SMTP id l127-20020a1c2585000000b003a52163f33bmr2483555wml.189.1660842050541; Thu, 18 Aug 2022 10:00:50 -0700 (PDT) Received: from Mindolluin.ire.aristanetworks.com ([217.173.96.166]) by smtp.gmail.com with ESMTPSA id be13-20020a05600c1e8d00b003a511e92abcsm2662169wmb.34.2022.08.18.10.00.49 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 18 Aug 2022 10:00:50 -0700 (PDT) From: Dmitry Safonov To: Eric Dumazet , "David S. Miller" , linux-kernel@vger.kernel.org Cc: Dmitry Safonov , Andy Lutomirski , Ard Biesheuvel , Bob Gilligan , David Ahern , Dmitry Safonov <0x7f454c46@gmail.com>, Eric Biggers , Francesco Ruggeri , Herbert Xu , Hideaki YOSHIFUJI , Ivan Delalande , Jakub Kicinski , Leonard Crestez , Paolo Abeni , Salam Noureddine , Shuah Khan , netdev@vger.kernel.org, linux-crypto@vger.kernel.org Subject: [PATCH 25/31] selftests/net: Add TCP-AO library Date: Thu, 18 Aug 2022 17:59:59 +0100 Message-Id: <20220818170005.747015-26-dima@arista.com> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220818170005.747015-1-dima@arista.com> References: <20220818170005.747015-1-dima@arista.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" Provide functions to create selftests dedicated to TCP-AO. They can run in parallel, as they use temporary net namespaces. They can be very specific to the feature being tested. This will allow to create a lot of TCP-AO tests, without complicating one binary with many --options and to create scenarios, that are hard to put in bash script that uses one binary. Signed-off-by: Dmitry Safonov --- tools/testing/selftests/Makefile | 1 + tools/testing/selftests/net/tcp_ao/.gitignore | 2 + tools/testing/selftests/net/tcp_ao/Makefile | 45 +++ tools/testing/selftests/net/tcp_ao/connect.c | 81 +++++ .../testing/selftests/net/tcp_ao/lib/aolib.h | 333 +++++++++++++++++ .../selftests/net/tcp_ao/lib/netlink.c | 341 ++++++++++++++++++ tools/testing/selftests/net/tcp_ao/lib/proc.c | 267 ++++++++++++++ .../testing/selftests/net/tcp_ao/lib/setup.c | 297 +++++++++++++++ tools/testing/selftests/net/tcp_ao/lib/sock.c | 294 +++++++++++++++ .../testing/selftests/net/tcp_ao/lib/utils.c | 30 ++ 10 files changed, 1691 insertions(+) create mode 100644 tools/testing/selftests/net/tcp_ao/.gitignore create mode 100644 tools/testing/selftests/net/tcp_ao/Makefile create mode 100644 tools/testing/selftests/net/tcp_ao/connect.c create mode 100644 tools/testing/selftests/net/tcp_ao/lib/aolib.h create mode 100644 tools/testing/selftests/net/tcp_ao/lib/netlink.c create mode 100644 tools/testing/selftests/net/tcp_ao/lib/proc.c create mode 100644 tools/testing/selftests/net/tcp_ao/lib/setup.c create mode 100644 tools/testing/selftests/net/tcp_ao/lib/sock.c create mode 100644 tools/testing/selftests/net/tcp_ao/lib/utils.c diff --git a/tools/testing/selftests/Makefile b/tools/testing/selftests/Mak= efile index 10b34bb03bc1..2a3b15a13ccb 100644 --- a/tools/testing/selftests/Makefile +++ b/tools/testing/selftests/Makefile @@ -46,6 +46,7 @@ TARGETS +=3D net TARGETS +=3D net/af_unix TARGETS +=3D net/forwarding TARGETS +=3D net/mptcp +TARGETS +=3D net/tcp_ao TARGETS +=3D netfilter TARGETS +=3D nsfs TARGETS +=3D pidfd diff --git a/tools/testing/selftests/net/tcp_ao/.gitignore b/tools/testing/= selftests/net/tcp_ao/.gitignore new file mode 100644 index 000000000000..e8bb81b715b7 --- /dev/null +++ b/tools/testing/selftests/net/tcp_ao/.gitignore @@ -0,0 +1,2 @@ +*_ipv4 +*_ipv6 diff --git a/tools/testing/selftests/net/tcp_ao/Makefile b/tools/testing/se= lftests/net/tcp_ao/Makefile new file mode 100644 index 000000000000..cb23d67944d7 --- /dev/null +++ b/tools/testing/selftests/net/tcp_ao/Makefile @@ -0,0 +1,45 @@ +# SPDX-License-Identifier: GPL-2.0 +TEST_BOTH_AF :=3D connect + +TEST_IPV4_PROGS :=3D $(TEST_BOTH_AF:%=3D%_ipv4) +TEST_IPV6_PROGS :=3D $(TEST_BOTH_AF:%=3D%_ipv6) + +TEST_GEN_PROGS :=3D $(TEST_IPV4_PROGS) $(TEST_IPV6_PROGS) + +top_srcdir :=3D ../../../../.. +KSFT_KHDR_INSTALL :=3D 1 +include ../../lib.mk + +HOSTAR ?=3D ar + +# Drop it on port to linux/master with commit 8ce72dc32578 +.DEFAULT_GOAL :=3D all + +LIBDIR :=3D $(OUTPUT)/lib +LIB :=3D $(LIBDIR)/libaotst.a +LDLIBS +=3D $(LIB) -pthread +LIBDEPS :=3D lib/aolib.h Makefile + +CFLAGS :=3D -Wall -O2 -g -D_GNU_SOURCE -fno-strict-aliasing +CFLAGS +=3D -I ../../../../../usr/include/ -iquote $(LIBDIR) +CFLAGS +=3D -I ../../../../include/ + +# Library +LIBSRC :=3D setup.c netlink.c utils.c sock.c proc.c +LIBOBJ :=3D $(LIBSRC:%.c=3D$(LIBDIR)/%.o) +EXTRA_CLEAN +=3D $(LIBOBJ) $(LIB) + +$(LIB): $(LIBOBJ) + $(HOSTAR) rcs $@ $^ + +$(LIBDIR)/%.o: ./lib/%.c $(LIBDEPS) + $(CC) $< $(CFLAGS) $(CPPFLAGS) -o $@ -c + +$(TEST_GEN_PROGS): $(LIB) + +$(OUTPUT)/%_ipv4: %.c + $(LINK.c) $^ $(LDLIBS) -o $@ + +$(OUTPUT)/%_ipv6: %.c + $(LINK.c) -DIPV6_TEST $^ $(LDLIBS) -o $@ + diff --git a/tools/testing/selftests/net/tcp_ao/connect.c b/tools/testing/s= elftests/net/tcp_ao/connect.c new file mode 100644 index 000000000000..02aa50f0266c --- /dev/null +++ b/tools/testing/selftests/net/tcp_ao/connect.c @@ -0,0 +1,81 @@ +// SPDX-License-Identifier: GPL-2.0 +/* Author: Dmitry Safonov */ +#include +#include "aolib.h" + +static void *server_fn(void *arg) +{ + int err, sk, lsk; + ssize_t bytes; + + lsk =3D test_listen_socket(this_ip_addr, test_server_port, 1); + + if (test_set_ao(lsk, "password", 0, this_ip_dest, -1, 100, 100)) + test_error("setsockopt(TCP_AO)"); + synchronize_threads(); + + err =3D test_wait_fd(lsk, TEST_TIMEOUT_SEC, 0); + if (!err) + test_error("timeouted for accept()"); + else if (err < 0) + test_error("test_wait_fd()"); + + sk =3D accept(lsk, NULL, NULL); + if (sk < 0) + test_error("accept()"); + + synchronize_threads(); + + bytes =3D test_server_run(sk, 0, 0); + + test_fail("server served: %zd", bytes); + return NULL; +} + +static void *client_fn(void *arg) +{ + int sk =3D socket(test_family, SOCK_STREAM, IPPROTO_TCP); + uint64_t before_aogood, after_aogood; + const size_t nr_packets =3D 20; + struct netstat *ns_before, *ns_after; + + if (sk < 0) + test_error("socket()"); + + if (test_set_ao(sk, "password", 0, this_ip_dest, -1, 100, 100)) + test_error("setsockopt(TCP_AO)"); + + synchronize_threads(); + if (test_connect_socket(sk, this_ip_dest, test_server_port) <=3D 0) + test_error("failed to connect()"); + synchronize_threads(); + + ns_before =3D netstat_read(); + before_aogood =3D netstat_get(ns_before, "TCPAOGood", NULL); + if (test_client_verify(sk, 100, nr_packets, TEST_TIMEOUT_SEC)) { + test_fail("verify failed"); + return NULL; + } + + ns_after =3D netstat_read(); + after_aogood =3D netstat_get(ns_after, "TCPAOGood", NULL); + netstat_print_diff(ns_before, ns_after); + netstat_free(ns_before); + netstat_free(ns_after); + + if (nr_packets > (after_aogood - before_aogood)) { + test_fail("TCPAOGood counter mismatch: %zu > (%zu - %zu)", + nr_packets, after_aogood, before_aogood); + return NULL; + } + + test_ok("connect TCPAOGood %" PRIu64 " =3D> %" PRIu64 ", sent %" PRIu64, + before_aogood, after_aogood, nr_packets); + return NULL; +} + +int main(int argc, char *argv[]) +{ + test_init(1, server_fn, client_fn); + return 0; +} diff --git a/tools/testing/selftests/net/tcp_ao/lib/aolib.h b/tools/testing= /selftests/net/tcp_ao/lib/aolib.h new file mode 100644 index 000000000000..d5810fd04816 --- /dev/null +++ b/tools/testing/selftests/net/tcp_ao/lib/aolib.h @@ -0,0 +1,333 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * TCP-AO selftest library. Provides helpers to unshare network + * namespaces, create veth, assign ip addresses, set routes, + * manipulate socket options, read network counter and etc. + * Author: Dmitry Safonov + */ +#ifndef _AOLIB_H_ +#define _AOLIB_H_ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include "../../../../../include/linux/stringify.h" + +/* Working around ksft, see the comment in lib/setup.c */ +extern void __test_msg(const char *buf); +extern void __test_ok(const char *buf); +extern void __test_fail(const char *buf); +extern void __test_error(const char *buf); + +__attribute__((__format__(__printf__, 2, 3))) +static inline void __test_print(void (*fn)(const char *), const char *fmt,= ...) +{ +#define TEST_MSG_BUFFER_SIZE 4096 + char buf[TEST_MSG_BUFFER_SIZE]; + va_list arg; + + va_start(arg, fmt); + vsnprintf(buf, sizeof(buf), fmt, arg); + va_end(arg); + fn(buf); +} + +#define test_print(fmt, ...) \ + __test_print(__test_msg, "%ld[%s:%u] " fmt "\n", \ + syscall(SYS_gettid), \ + __FILE__, __LINE__, ##__VA_ARGS__) + +#define test_ok(fmt, ...) \ + __test_print(__test_ok, fmt "\n", ##__VA_ARGS__) + +#define test_fail(fmt, ...) \ +do { \ + if (errno) \ + __test_print(__test_fail, fmt ": %m\n", ##__VA_ARGS__); \ + else \ + __test_print(__test_fail, fmt "\n", ##__VA_ARGS__); \ + test_failed(); \ +} while(0) + +#define KSFT_FAIL 1 +#define test_error(fmt, ...) \ +do { \ + if (errno) \ + __test_print(__test_error, "%ld[%s:%u] " fmt ": %m\n", \ + syscall(SYS_gettid), __FILE__, __LINE__, \ + ##__VA_ARGS__); \ + else \ + __test_print(__test_error, "%ld[%s:%u] " fmt "\n", \ + syscall(SYS_gettid), __FILE__, __LINE__, \ + ##__VA_ARGS__); \ + exit(KSFT_FAIL); \ +} while(0) + +union tcp_addr { + struct in_addr a4; + struct in6_addr a6; +}; + +typedef void *(*thread_fn)(void*); +extern void test_failed(void); +extern void __test_init(unsigned int ntests, int family, unsigned prefix, + union tcp_addr addr1, union tcp_addr addr2, + thread_fn peer1, thread_fn peer2); + +static inline void test_init2(unsigned int ntests, + thread_fn peer1, thread_fn peer2, + int family, unsigned prefix, + const char *addr1, const char *addr2) +{ + union tcp_addr taddr1, taddr2; + + if (inet_pton(family, addr1, &taddr1) !=3D 1) + test_error("Can't convert ip address %s", addr1); + if (inet_pton(family, addr2, &taddr2) !=3D 1) + test_error("Can't convert ip address %s", addr2); + + __test_init(ntests, family, prefix, taddr1, taddr2, peer1, peer2); +} +extern void test_add_destructor(void (*d)(void)); +extern void test_set_optmem(size_t value); + +extern const struct sockaddr_in6 addr_any6; +extern const struct sockaddr_in addr_any4; + +#ifdef IPV6_TEST +# define __TEST_CLIENT_IP(n) ("2001:db8:" __stringify(n) "::1") +# define TEST_CLIENT_IP __TEST_CLIENT_IP(1) +# define TEST_WRONG_IP "2001:db8:253::1" +# define TEST_SERVER_IP "2001:db8:254::1" +# define TEST_NETWORK "2001::" +# define TEST_PREFIX 128 +# define TEST_FAMILY AF_INET6 +# define SOCKADDR_ANY addr_any6 +#else +# define __TEST_CLIENT_IP(n) ("10.0." __stringify(n) ".1") +# define TEST_CLIENT_IP __TEST_CLIENT_IP(1) +# define TEST_WRONG_IP "10.0.253.1" +# define TEST_SERVER_IP "10.0.254.1" +# define TEST_NETWORK "10.0.0.0" +# define TEST_PREFIX 32 +# define TEST_FAMILY AF_INET +# define SOCKADDR_ANY addr_any4 +#endif + +static inline void test_init(unsigned int ntests, + thread_fn peer1, thread_fn peer2) +{ + test_init2(ntests, peer1, peer2, TEST_FAMILY, TEST_PREFIX, + TEST_SERVER_IP, TEST_CLIENT_IP); +} +extern void synchronize_threads(void); +extern void switch_ns(int fd); + +extern __thread union tcp_addr this_ip_addr; +extern __thread union tcp_addr this_ip_dest; +extern int test_family; + +extern void randomize_buffer(void *buf, size_t buflen); +extern const char veth_name[]; +extern int add_veth(const char *name, int nsfda, int nsfdb); +extern int ip_addr_add(const char *intf, int family, + union tcp_addr addr, uint8_t prefix); +extern int ip_route_add(const char *intf, int family, + union tcp_addr src, union tcp_addr dst); +extern int link_set_up(const char *intf); + +extern const unsigned test_server_port; +extern int test_wait_fd(int sk, time_t sec, bool write); +extern int __test_connect_socket(int sk, void *addr, size_t addr_sz, + time_t timeout); +extern int __test_listen_socket(int backlog, void *addr, size_t addr_sz); + +static inline int test_listen_socket(const union tcp_addr taddr, unsigned = port, + int backlog) +{ +#ifdef IPV6_TEST + struct sockaddr_in6 addr =3D { + .sin6_family =3D AF_INET6, + .sin6_port =3D htons(port), + .sin6_addr =3D taddr.a6, + }; +#else + struct sockaddr_in addr =3D { + .sin_family =3D AF_INET, + .sin_port =3D htons(port), + .sin_addr =3D taddr.a4, + }; +#endif + return __test_listen_socket(backlog, (void *)&addr, sizeof(addr)); +} + +#ifndef DEFAULT_TEST_ALGO +#define DEFAULT_TEST_ALGO "cmac(aes128)" +#endif + +#ifdef IPV6_TEST +#define DEFAULT_TEST_PREFIX 128 +#else +#define DEFAULT_TEST_PREFIX 32 +#endif + +/* + * Timeout on syscalls where failure is not expected. + * You may want to rise it if the test machine is very busy. + */ +#ifndef TEST_TIMEOUT_SEC +#define TEST_TIMEOUT_SEC 5 +#endif + +/* + * Timeout on connect() where a failure is expected. + * If set to 0 - kernel will try to retransmit SYN number of times, set in + * /proc/sys/net/ipv4/tcp_syn_retries + * By default set to 1 to make tests pass faster on non-busy machine. + */ +#ifndef TEST_RETRANSMIT_SEC +#define TEST_RETRANSMIT_SEC 1 +#endif + + +static inline int _test_connect_socket(int sk, const union tcp_addr taddr, + unsigned port, time_t timeout) +{ +#ifdef IPV6_TEST + struct sockaddr_in6 addr =3D { + .sin6_family =3D AF_INET6, + .sin6_port =3D htons(port), + .sin6_addr =3D taddr.a6, + }; +#else + struct sockaddr_in addr =3D { + .sin_family =3D AF_INET, + .sin_port =3D htons(port), + .sin_addr =3D taddr.a4, + }; +#endif + return __test_connect_socket(sk, (void *)&addr, sizeof(addr), timeout); +} + +static inline int test_connect_socket(int sk, + const union tcp_addr taddr, unsigned port) +{ + return _test_connect_socket(sk, taddr, port, TEST_TIMEOUT_SEC); +} + +extern int test_prepare_ao_sockaddr(struct tcp_ao *ao, + const char *alg, uint16_t flags, + void *addr, size_t addr_sz, uint8_t prefix, + uint8_t sndid, uint8_t rcvid, uint8_t maclen, + uint8_t keyflags, uint8_t keylen, const char *key); + +static inline int test_prepare_ao(struct tcp_ao *ao, + const char *alg, uint16_t flags, + union tcp_addr in_addr, uint8_t prefix, + uint8_t sndid, uint8_t rcvid, uint8_t maclen, + uint8_t keyflags, uint8_t keylen, const char *key) +{ +#ifdef IPV6_TEST + struct sockaddr_in6 addr =3D { + .sin6_family =3D AF_INET6, + .sin6_port =3D 0, + .sin6_addr =3D in_addr.a6, + }; +#else + struct sockaddr_in addr =3D { + .sin_family =3D AF_INET, + .sin_port =3D 0, + .sin_addr =3D in_addr.a4, + }; +#endif + + return test_prepare_ao_sockaddr(ao, alg, flags, + (void *)&addr, sizeof(addr), prefix, sndid, rcvid, + maclen, keyflags, keylen, key); +} + +static inline int test_prepare_def_ao(struct tcp_ao *ao, + const char *key, uint16_t flags, + union tcp_addr in_addr, uint8_t prefix, + uint8_t sndid, uint8_t rcvid) +{ + if (prefix > DEFAULT_TEST_PREFIX) + prefix =3D DEFAULT_TEST_PREFIX; + + return test_prepare_ao(ao, DEFAULT_TEST_ALGO, flags, in_addr, + prefix, sndid, rcvid, 0, 0, strlen(key), key); +} + +extern int test_get_one_ao(int sk, struct tcp_ao_getsockopt *out, + uint16_t flags, void *addr, size_t addr_sz, + uint8_t prefix, uint8_t sndid, uint8_t rcvid); +extern int test_cmp_getsockopt_setsockopt(const struct tcp_ao *a, + const struct tcp_ao_getsockopt *b); + +static inline int test_verify_socket_ao(int sk, struct tcp_ao *ao) +{ + struct tcp_ao_getsockopt tmp; + int err; + + err =3D test_get_one_ao(sk, &tmp, 0, &ao->tcpa_addr, + sizeof(ao->tcpa_addr), ao->tcpa_prefix, + ao->tcpa_sndid, ao->tcpa_rcvid); + if (err) + return err; + + return test_cmp_getsockopt_setsockopt(ao, &tmp); +} + +static inline int test_set_ao(int sk, const char *key, uint16_t flags, + union tcp_addr in_addr, uint8_t prefix, + uint8_t sndid, uint8_t rcvid) +{ + struct tcp_ao tmp; + int err; + + err =3D test_prepare_def_ao(&tmp, key, flags, in_addr, + prefix, sndid, rcvid); + if (err) + return err; + + if (setsockopt(sk, IPPROTO_TCP, TCP_AO, &tmp, sizeof(tmp)) < 0) + return -errno; + + return test_verify_socket_ao(sk, &tmp); +} + +extern ssize_t test_server_run(int sk, ssize_t quota, time_t timeout_sec); +extern ssize_t test_client_loop(int sk, char *buf, size_t buf_sz, + const size_t msg_len, time_t timeout_sec); +extern int test_client_verify(int sk, const size_t msg_len, const size_t n= r, + time_t timeout_sec); + +struct netstat; +extern struct netstat *netstat_read(void); +extern void netstat_free(struct netstat *ns); +extern void netstat_print_diff(struct netstat *nsa, struct netstat *nsb); +extern uint64_t netstat_get(struct netstat *ns, + const char *name, bool *not_found); + +static inline uint64_t netstat_get_one(const char *name, bool *not_found) +{ + struct netstat *ns =3D netstat_read(); + uint64_t ret; + + ret =3D netstat_get(ns, name, not_found); + + netstat_free(ns); + return ret; +} + +#endif /* _AOLIB_H_ */ diff --git a/tools/testing/selftests/net/tcp_ao/lib/netlink.c b/tools/testi= ng/selftests/net/tcp_ao/lib/netlink.c new file mode 100644 index 000000000000..f04757c921d0 --- /dev/null +++ b/tools/testing/selftests/net/tcp_ao/lib/netlink.c @@ -0,0 +1,341 @@ +// SPDX-License-Identifier: GPL-2.0 +/* Original from tools/testing/selftests/net/ipsec.c */ +#include +#include +#include +#include +#include +#include +#include +#include + +#include "aolib.h" + +#define MAX_PAYLOAD 2048 + +static int netlink_sock(int *sock, uint32_t *seq_nr, int proto) +{ + if (*sock > 0) { + seq_nr++; + return 0; + } + + *sock =3D socket(AF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, proto); + if (*sock <=3D 0) { + test_print("socket(AF_NETLINK)"); + return -1; + } + + randomize_buffer(seq_nr, sizeof(*seq_nr)); + + return 0; +} + +static int netlink_check_answer(int sock, bool quite) +{ + struct nlmsgerror { + struct nlmsghdr hdr; + int error; + struct nlmsghdr orig_msg; + } answer; + + if (recv(sock, &answer, sizeof(answer), 0) < 0) { + test_print("recv()"); + return -1; + } else if (answer.hdr.nlmsg_type !=3D NLMSG_ERROR) { + test_print("expected NLMSG_ERROR, got %d", + (int)answer.hdr.nlmsg_type); + return -1; + } else if (answer.error) { + if (!quite) { + test_print("NLMSG_ERROR: %d: %s", + answer.error, strerror(-answer.error)); + } + return answer.error; + } + + return 0; +} + +static inline struct rtattr *rtattr_hdr(struct nlmsghdr *nh) +{ + return (struct rtattr *)((char *)(nh) + RTA_ALIGN((nh)->nlmsg_len)); +} + +static int rtattr_pack(struct nlmsghdr *nh, size_t req_sz, + unsigned short rta_type, const void *payload, size_t size) +{ + /* NLMSG_ALIGNTO =3D=3D RTA_ALIGNTO, nlmsg_len already aligned */ + struct rtattr *attr =3D rtattr_hdr(nh); + size_t nl_size =3D RTA_ALIGN(nh->nlmsg_len) + RTA_LENGTH(size); + + if (req_sz < nl_size) { + test_print("req buf is too small: %zu < %zu", req_sz, nl_size); + return -1; + } + nh->nlmsg_len =3D nl_size; + + attr->rta_len =3D RTA_LENGTH(size); + attr->rta_type =3D rta_type; + memcpy(RTA_DATA(attr), payload, size); + + return 0; +} + +static struct rtattr *_rtattr_begin(struct nlmsghdr *nh, size_t req_sz, + unsigned short rta_type, const void *payload, size_t size) +{ + struct rtattr *ret =3D rtattr_hdr(nh); + + if (rtattr_pack(nh, req_sz, rta_type, payload, size)) + return 0; + + return ret; +} + +static inline struct rtattr *rtattr_begin(struct nlmsghdr *nh, size_t req_= sz, + unsigned short rta_type) +{ + return _rtattr_begin(nh, req_sz, rta_type, 0, 0); +} + +static inline void rtattr_end(struct nlmsghdr *nh, struct rtattr *attr) +{ + char *nlmsg_end =3D (char *)nh + nh->nlmsg_len; + + attr->rta_len =3D nlmsg_end - (char *)attr; +} + +static int veth_pack_peerb(struct nlmsghdr *nh, size_t req_sz, + const char *peer, int ns) +{ + struct ifinfomsg pi; + struct rtattr *peer_attr; + + memset(&pi, 0, sizeof(pi)); + pi.ifi_family =3D AF_UNSPEC; + pi.ifi_change =3D 0xFFFFFFFF; + + peer_attr =3D _rtattr_begin(nh, req_sz, VETH_INFO_PEER, &pi, sizeof(pi)); + if (!peer_attr) + return -1; + + if (rtattr_pack(nh, req_sz, IFLA_IFNAME, peer, strlen(peer))) + return -1; + + if (rtattr_pack(nh, req_sz, IFLA_NET_NS_FD, &ns, sizeof(ns))) + return -1; + + rtattr_end(nh, peer_attr); + + return 0; +} + +static int __add_veth(int sock, uint32_t seq, const char *name, + int ns_a, int ns_b) +{ + uint16_t flags =3D NLM_F_REQUEST | NLM_F_ACK | NLM_F_EXCL | NLM_F_CREATE; + struct { + struct nlmsghdr nh; + struct ifinfomsg info; + char attrbuf[MAX_PAYLOAD]; + } req; + const char veth_type[] =3D "veth"; + struct rtattr *link_info, *info_data; + + memset(&req, 0, sizeof(req)); + req.nh.nlmsg_len =3D NLMSG_LENGTH(sizeof(req.info)); + req.nh.nlmsg_type =3D RTM_NEWLINK; + req.nh.nlmsg_flags =3D flags; + req.nh.nlmsg_seq =3D seq; + req.info.ifi_family =3D AF_UNSPEC; + req.info.ifi_change =3D 0xFFFFFFFF; + + if (rtattr_pack(&req.nh, sizeof(req), IFLA_IFNAME, name, strlen(name))) + return -1; + + if (rtattr_pack(&req.nh, sizeof(req), IFLA_NET_NS_FD, &ns_a, sizeof(ns_a)= )) + return -1; + + link_info =3D rtattr_begin(&req.nh, sizeof(req), IFLA_LINKINFO); + if (!link_info) + return -1; + + if (rtattr_pack(&req.nh, sizeof(req), IFLA_INFO_KIND, veth_type, sizeof(v= eth_type))) + return -1; + + info_data =3D rtattr_begin(&req.nh, sizeof(req), IFLA_INFO_DATA); + if (!info_data) + return -1; + + if (veth_pack_peerb(&req.nh, sizeof(req), name, ns_b)) + return -1; + + rtattr_end(&req.nh, info_data); + rtattr_end(&req.nh, link_info); + + if (send(sock, &req, req.nh.nlmsg_len, 0) < 0) { + test_print("send()"); + return -1; + } + return netlink_check_answer(sock, false); +} + +int add_veth(const char *name, int nsfda, int nsfdb) +{ + int route_sock =3D -1, ret; + uint32_t route_seq; + + if (netlink_sock(&route_sock, &route_seq, NETLINK_ROUTE)) + test_error("Failed to open netlink route socket\n"); + + ret =3D __add_veth(route_sock, route_seq++, name, nsfda, nsfdb); + close(route_sock); + return ret; +} + +static int __ip_addr_add(int sock, uint32_t seq, const char *intf, + int family, union tcp_addr addr, uint8_t prefix) +{ + uint16_t flags =3D NLM_F_REQUEST | NLM_F_ACK | NLM_F_EXCL | NLM_F_CREATE; + struct { + struct nlmsghdr nh; + struct ifaddrmsg info; + char attrbuf[MAX_PAYLOAD]; + } req; + size_t addr_len =3D (family =3D=3D AF_INET) ? sizeof(struct in_addr) : + sizeof(struct in6_addr); + + memset(&req, 0, sizeof(req)); + req.nh.nlmsg_len =3D NLMSG_LENGTH(sizeof(req.info)); + req.nh.nlmsg_type =3D RTM_NEWADDR; + req.nh.nlmsg_flags =3D flags; + req.nh.nlmsg_seq =3D seq; + req.info.ifa_family =3D family; + req.info.ifa_prefixlen =3D prefix; + req.info.ifa_index =3D if_nametoindex(intf); + req.info.ifa_flags =3D IFA_F_NODAD; + + if (rtattr_pack(&req.nh, sizeof(req), IFA_LOCAL, &addr, addr_len)) + return -1; + + if (send(sock, &req, req.nh.nlmsg_len, 0) < 0) { + test_print("send()"); + return -1; + } + return netlink_check_answer(sock, true); +} + +int ip_addr_add(const char *intf, int family, + union tcp_addr addr, uint8_t prefix) +{ + int route_sock =3D -1, ret; + uint32_t route_seq; + + if (netlink_sock(&route_sock, &route_seq, NETLINK_ROUTE)) + test_error("Failed to open netlink route socket\n"); + + ret =3D __ip_addr_add(route_sock, route_seq++, intf, + family, addr, prefix); + + close(route_sock); + return ret; +} + +static int __ip_route_add(int sock, uint32_t seq, const char *intf, int fa= mily, + union tcp_addr src, union tcp_addr dst) +{ + struct { + struct nlmsghdr nh; + struct rtmsg rt; + char attrbuf[MAX_PAYLOAD]; + } req; + unsigned int index =3D if_nametoindex(intf); + size_t addr_len =3D (family =3D=3D AF_INET) ? sizeof(struct in_addr) : + sizeof(struct in6_addr); + + memset(&req, 0, sizeof(req)); + req.nh.nlmsg_len =3D NLMSG_LENGTH(sizeof(req.rt)); + req.nh.nlmsg_type =3D RTM_NEWROUTE; + req.nh.nlmsg_flags =3D NLM_F_REQUEST | NLM_F_ACK | NLM_F_CREATE; + req.nh.nlmsg_seq =3D seq; + req.rt.rtm_family =3D family; + req.rt.rtm_dst_len =3D (family =3D=3D AF_INET) ? 32 : 128; + req.rt.rtm_table =3D RT_TABLE_MAIN; + req.rt.rtm_protocol =3D RTPROT_BOOT; + req.rt.rtm_scope =3D RT_SCOPE_UNIVERSE; + req.rt.rtm_type =3D RTN_UNICAST; + + if (rtattr_pack(&req.nh, sizeof(req), RTA_DST, &dst, addr_len)) + return -1; + + if (rtattr_pack(&req.nh, sizeof(req), RTA_PREFSRC, &src, addr_len)) + return -1; + + if (rtattr_pack(&req.nh, sizeof(req), RTA_OIF, &index, sizeof(index))) + return -1; + + if (send(sock, &req, req.nh.nlmsg_len, 0) < 0) { + test_print("send()"); + return -1; + } + + return netlink_check_answer(sock, true); +} + +int ip_route_add(const char *intf, int family, + union tcp_addr src, union tcp_addr dst) +{ + int route_sock =3D -1, ret; + uint32_t route_seq; + + if (netlink_sock(&route_sock, &route_seq, NETLINK_ROUTE)) + test_error("Failed to open netlink route socket\n"); + + ret =3D __ip_route_add(route_sock, route_seq++, intf, family, src, dst); + if (ret =3D=3D -EEXIST) /* ignoring */ + ret =3D 0; + + close(route_sock); + return ret; +} + +static int __link_set_up(int sock, uint32_t seq, const char *intf) +{ + struct { + struct nlmsghdr nh; + struct ifinfomsg info; + char attrbuf[MAX_PAYLOAD]; + } req; + + memset(&req, 0, sizeof(req)); + req.nh.nlmsg_len =3D NLMSG_LENGTH(sizeof(req.info)); + req.nh.nlmsg_type =3D RTM_NEWLINK; + req.nh.nlmsg_flags =3D NLM_F_REQUEST | NLM_F_ACK; + req.nh.nlmsg_seq =3D seq; + req.info.ifi_family =3D AF_UNSPEC; + req.info.ifi_change =3D 0xFFFFFFFF; + req.info.ifi_index =3D if_nametoindex(intf); + req.info.ifi_flags =3D IFF_UP; + req.info.ifi_change =3D IFF_UP; + + if (send(sock, &req, req.nh.nlmsg_len, 0) < 0) { + test_print("send()"); + return -1; + } + return netlink_check_answer(sock, false); +} + +int link_set_up(const char *intf) +{ + int route_sock =3D -1, ret; + uint32_t route_seq; + + if (netlink_sock(&route_sock, &route_seq, NETLINK_ROUTE)) + test_error("Failed to open netlink route socket\n"); + + ret =3D __link_set_up(route_sock, route_seq++, intf); + + close(route_sock); + return ret; +} diff --git a/tools/testing/selftests/net/tcp_ao/lib/proc.c b/tools/testing/= selftests/net/tcp_ao/lib/proc.c new file mode 100644 index 000000000000..815bb7b5975a --- /dev/null +++ b/tools/testing/selftests/net/tcp_ao/lib/proc.c @@ -0,0 +1,267 @@ +// SPDX-License-Identifier: GPL-2.0 +#include +#include +#include +#include "../../../../../include/linux/compiler.h" +#include "../../../../../include/linux/kernel.h" +#include "aolib.h" + +struct netstat_counter { + uint64_t val; + char *name; +}; + +struct netstat { + char *header_name; + struct netstat *next; + size_t counters_nr; + struct netstat_counter *counters; +}; + +static struct netstat *lookup_type(struct netstat *ns, + const char *type, size_t len) +{ + while (ns !=3D NULL) { + size_t cmp =3D max(len, strlen(ns->header_name)); + + if (!strncmp(ns->header_name, type, cmp)) + return ns; + ns =3D ns->next; + } + return NULL; +} + +static struct netstat *lookup_get(struct netstat *ns, + const char *type, const size_t len) +{ + struct netstat *ret; + + ret =3D lookup_type(ns, type, len); + if (ret !=3D NULL) + return ret; + + ret =3D malloc(sizeof(struct netstat)); + if (!ret) + test_error("malloc()"); + + ret->header_name =3D strndup(type, len); + if (ret->header_name =3D=3D NULL) + test_error("strndup()"); + ret->next =3D ns; + ret->counters_nr =3D 0; + ret->counters =3D NULL; + + return ret; +} + +static struct netstat *lookup_get_column(struct netstat *ns, const char *l= ine) +{ + char *column; + + column =3D strchr(line, ':'); + if (!column) + test_error("can't parse netstat file"); + + return lookup_get(ns, line, column - line); +} + +static void netstat_read_type(FILE *fnetstat, struct netstat **dest, char = *line) +{ + struct netstat *type =3D lookup_get_column(*dest, line); + const char *pos =3D line; + size_t i, nr_elems =3D 0; + char tmp; + + while ((pos =3D strchr(pos, ' '))) { + nr_elems++; + pos++; + } + + *dest =3D type; + type->counters =3D reallocarray(type->counters, + type->counters_nr + nr_elems, + sizeof(struct netstat_counter)); + if (!type->counters) + test_error("reallocarray()"); + + pos =3D strchr(line, ' ') + 1; + + if (fscanf(fnetstat, type->header_name) =3D=3D EOF) + test_error("fscanf(%s)", type->header_name); + if (fread(&tmp, 1, 1, fnetstat) !=3D 1 || tmp !=3D ':') + test_error("Unexpected netstat format (%c)", tmp); + + for (i =3D type->counters_nr; i < type->counters_nr + nr_elems; i++) { + struct netstat_counter *nc =3D &type->counters[i]; + const char *new_pos =3D strchr(pos, ' '); + const char *fmt =3D " %" PRIu64; + + if (new_pos =3D=3D NULL) + new_pos =3D strchr(pos, '\n'); + + nc->name =3D strndup(pos, new_pos - pos); + if (nc->name =3D=3D NULL) + test_error("strndup()"); + + if (unlikely(!strcmp(nc->name, "MaxConn"))) + fmt =3D " %" PRId64; /* MaxConn is signed, RFC 2012 */ + if (fscanf(fnetstat, fmt, &nc->val) !=3D 1) + test_error("fscanf(%s)", nc->name); + pos =3D new_pos + 1; + } + type->counters_nr +=3D nr_elems; + + if (fread(&tmp, 1, 1, fnetstat) !=3D 1 || tmp !=3D '\n') + test_error("Unexpected netstat format"); +} + +static const char *snmp6_name =3D "Snmp6"; +static void snmp6_read(FILE *fnetstat, struct netstat **dest) +{ + struct netstat *type =3D lookup_get(*dest, snmp6_name, strlen(snmp6_name)= ); + char *counter_name; + size_t i; + + for (i =3D type->counters_nr;; i++) { + struct netstat_counter *nc; + uint64_t counter; + + if (fscanf(fnetstat, "%ms", &counter_name) =3D=3D EOF) + break; + if (fscanf(fnetstat, "%" PRIu64, &counter) =3D=3D EOF) + test_error("Unexpected snmp6 format"); + type->counters =3D reallocarray(type->counters, i + 1, + sizeof(struct netstat_counter)); + if (!type->counters) + test_error("reallocarray()"); + nc =3D &type->counters[i]; + nc->name =3D counter_name; + nc->val =3D counter; + } + type->counters_nr =3D i; + *dest =3D type; +} + +struct netstat *netstat_read(void) +{ + struct netstat *ret =3D 0; + size_t line_sz =3D 0; + char *line =3D NULL; + FILE *fnetstat; + + errno =3D 0; + fnetstat =3D fopen("/proc/net/netstat", "r"); + if (fnetstat =3D=3D NULL) + test_error("failed to open /proc/net/netstat"); + + while (getline(&line, &line_sz, fnetstat) !=3D -1) + netstat_read_type(fnetstat, &ret, line); + fclose(fnetstat); + + errno =3D 0; + fnetstat =3D fopen("/proc/net/snmp", "r"); + if (fnetstat =3D=3D NULL) + test_error("failed to open /proc/net/snmp"); + + while (getline(&line, &line_sz, fnetstat) !=3D -1) + netstat_read_type(fnetstat, &ret, line); + fclose(fnetstat); + + errno =3D 0; + fnetstat =3D fopen("/proc/net/snmp6", "r"); + if (fnetstat =3D=3D NULL) + test_error("failed to open /proc/net/snmp6"); + + snmp6_read(fnetstat, &ret); + fclose(fnetstat); + + free(line); + return ret; +} + +void netstat_free(struct netstat *ns) +{ + while (ns !=3D NULL) { + struct netstat *prev =3D ns; + size_t i; + + free(ns->header_name); + for (i =3D 0; i < ns->counters_nr; i++) + free(ns->counters[i].name); + free(ns->counters); + ns =3D ns->next; + free(prev); + } +} + +static void inline +__netstat_print_diff(uint64_t a, struct netstat *nsb, size_t i) +{ + if (unlikely(!strcmp(nsb->header_name, "MaxConn"))) { + test_print("%8s %25s: %" PRId64 " =3D> %" PRId64, + nsb->header_name, nsb->counters[i].name, + a, nsb->counters[i].val); + return; + } + + test_print("%8s %25s: %" PRIu64 " =3D> %" PRIu64, nsb->header_name, + nsb->counters[i].name, a, nsb->counters[i].val); +} + +void netstat_print_diff(struct netstat *nsa, struct netstat *nsb) +{ + size_t i, j; + + while (nsb !=3D NULL) { + if (unlikely(strcmp(nsb->header_name, nsa->header_name))) { + for (i =3D 0; i < nsb->counters_nr; i++) + __netstat_print_diff(0, nsb, i); + nsb =3D nsb->next; + continue; + } + + if (nsb->counters_nr < nsa->counters_nr) + test_error("Unexpected: some counters dissapeared!"); + + for (j =3D 0, i =3D 0; i < nsb->counters_nr; i++) { + if (strcmp(nsb->counters[i].name, nsa->counters[j].name)) { + __netstat_print_diff(0, nsb, i); + continue; + } + + if (nsa->counters[j].val =3D=3D nsb->counters[i].val) { + j++; + continue; + } + + __netstat_print_diff(nsa->counters[j].val, nsb, i); + j++; + } + if (j !=3D nsa->counters_nr) + test_error("Unexpected: some counters dissapeared!"); + + nsb =3D nsb->next; + nsa =3D nsa->next; + } +} + +uint64_t netstat_get(struct netstat *ns, const char *name, bool *not_found) +{ + if (not_found) + *not_found =3D false; + + while (ns !=3D NULL) { + size_t i; + + for (i =3D 0; i < ns->counters_nr; i++) { + if (!strcmp(name, ns->counters[i].name)) + return ns->counters[i].val; + } + + ns =3D ns->next; + } + + if (not_found) + *not_found =3D true; + return 0; +} diff --git a/tools/testing/selftests/net/tcp_ao/lib/setup.c b/tools/testing= /selftests/net/tcp_ao/lib/setup.c new file mode 100644 index 000000000000..b47672a2a5c0 --- /dev/null +++ b/tools/testing/selftests/net/tcp_ao/lib/setup.c @@ -0,0 +1,297 @@ +// SPDX-License-Identifier: GPL-2.0 +#include +#include +#include +#include +#include "aolib.h" + +/* + * Can't be included in the header: it defines static variables which + * will be unique to every object. Let's include it only once here. + */ +#include "../../../kselftest.h" + +/* Prevent overriding of one thread's output by another */ +static pthread_mutex_t ksft_print_lock =3D PTHREAD_MUTEX_INITIALIZER; + +void __test_msg(const char *buf) +{ + pthread_mutex_lock(&ksft_print_lock); + ksft_print_msg(buf); + pthread_mutex_unlock(&ksft_print_lock); +} +void __test_ok(const char *buf) +{ + pthread_mutex_lock(&ksft_print_lock); + ksft_test_result_pass(buf); + pthread_mutex_unlock(&ksft_print_lock); +} +void __test_fail(const char *buf) +{ + pthread_mutex_lock(&ksft_print_lock); + ksft_test_result_fail(buf); + pthread_mutex_unlock(&ksft_print_lock); +} + +void __test_error(const char *buf) +{ + pthread_mutex_lock(&ksft_print_lock); + ksft_test_result_error(buf); + pthread_mutex_unlock(&ksft_print_lock); +} + +static volatile int failed; + +void test_failed(void) +{ + failed =3D 1; +} + +static void test_exit(void) +{ + if (failed) + ksft_exit_fail(); + else + ksft_exit_pass(); +} + +struct dlist_t { + void (*destruct)(void); + struct dlist_t *next; +}; +static struct dlist_t *destructors_list; + +void test_add_destructor(void (*d)(void)) +{ + struct dlist_t *p; + + p =3D malloc(sizeof(struct dlist_t)); + if (p =3D=3D NULL) + test_error("malloc() failed"); + + p->next =3D destructors_list; + p->destruct =3D d; + destructors_list =3D p; +} + +static void test_destructor(void) __attribute__((destructor)); +static void test_destructor(void) +{ + while (destructors_list) { + struct dlist_t *p =3D destructors_list->next; + + destructors_list->destruct(); + free(destructors_list); + destructors_list =3D p; + } + test_exit(); +} + +static void sig_int(int signo) +{ + test_error("Caught SIGINT - exiting"); +} + +static int open_netns(void) +{ + const char *netns_path =3D "/proc/self/ns/net"; + int fd; + + fd =3D open(netns_path, O_RDONLY); + if (fd <=3D 0) + test_error("open(%s)", netns_path); + return fd; +} + +static int unshare_open(void) +{ + if (unshare(CLONE_NEWNET) !=3D 0) + test_error("unshare()"); + + return open_netns(); +} + +void switch_ns(int fd) +{ + if (setns(fd, CLONE_NEWNET)) + test_error("setns()"); +} + +int switch_save_ns(int new_ns) +{ + int ret =3D open_netns(); + + switch_ns(new_ns); + return ret; +} + +static int nsfd_outside =3D -1; +static int nsfd_parent =3D -1; +static int nsfd_child =3D -1; +const char veth_name[] =3D "ktst-veth"; + +static void init_namespaces(void) +{ + nsfd_outside =3D open_netns(); + nsfd_parent =3D unshare_open(); + nsfd_child =3D unshare_open(); +} + +static void link_init(const char *veth, int family, uint8_t prefix, + union tcp_addr addr, union tcp_addr dest) +{ + if (link_set_up(veth)) + test_error("Failed to set link up"); + if (ip_addr_add(veth, family, addr, prefix)) + test_error("Failed to add ip address"); + if (ip_route_add(veth, family, addr, dest)) + test_error("Failed to add route"); +} + +static unsigned nr_threads =3D 1; + +static pthread_mutex_t sync_lock =3D PTHREAD_MUTEX_INITIALIZER; +static pthread_cond_t sync_cond =3D PTHREAD_COND_INITIALIZER; +static volatile unsigned stage_threads[2]; +static volatile unsigned stage_nr; + +/* synchronize all threads in the same stage */ +void synchronize_threads(void) +{ + unsigned q =3D stage_nr; + + pthread_mutex_lock(&sync_lock); + stage_threads[q]++; + if (stage_threads[q] =3D=3D nr_threads) { + stage_nr ^=3D 1; + stage_threads[stage_nr] =3D 0; + pthread_cond_signal(&sync_cond); + } + while (stage_threads[q] < nr_threads) + pthread_cond_wait(&sync_cond, &sync_lock); + pthread_mutex_unlock(&sync_lock); +} + +__thread union tcp_addr this_ip_addr; +__thread union tcp_addr this_ip_dest; +int test_family; + +struct new_pthread_arg { + thread_fn func; + union tcp_addr my_ip; + union tcp_addr dest_ip; +}; +static void *new_pthread_entry(void *arg) +{ + struct new_pthread_arg *p =3D arg; + + this_ip_addr =3D p->my_ip; + this_ip_dest =3D p->dest_ip; + p->func(NULL); /* shouldn't return */ + exit(KSFT_FAIL); +} + +void __test_init(unsigned int ntests, int family, unsigned prefix, + union tcp_addr addr1, union tcp_addr addr2, + thread_fn peer1, thread_fn peer2) +{ + struct sigaction sa =3D { + .sa_handler =3D sig_int, + .sa_flags =3D SA_RESTART, + }; + time_t seed =3D time(NULL); + + test_family =3D family; + ksft_set_plan(ntests); + + test_print("rand seed %u", (unsigned int)seed); + srand(seed); + + sigemptyset(&sa.sa_mask); + if (sigaction(SIGINT, &sa, NULL)) + test_error("Can't set SIGINT handler"); + + ksft_print_header(); + init_namespaces(); + + if (add_veth(veth_name, nsfd_parent, nsfd_child)) + test_error("Failed to add veth"); + + switch_ns(nsfd_child); + link_init(veth_name, family, prefix, addr2, addr1); + if (peer2) { + struct new_pthread_arg targ; + pthread_t t; + + targ.my_ip =3D addr2; + targ.dest_ip =3D addr1; + targ.func =3D peer2; + nr_threads++; + if (pthread_create(&t, NULL, new_pthread_entry, &targ)) + test_error("Failed to create pthread"); + } + switch_ns(nsfd_parent); + link_init(veth_name, family, prefix, addr1, addr2); + + this_ip_addr =3D addr1; + this_ip_dest =3D addr2; + peer1(NULL); + if (failed) + exit(KSFT_FAIL); + else + exit(KSFT_PASS); +} + +/* /proc/sys/net/core/optmem_max artifically limits the amount of memory + * that can be allocated with sock_kmalloc() on each socket in the system. + * It is not virtualized, so it has to written outside test namespaces. + * To be nice a test will revert optmem back to the old value. + * Keeping it simple without any file lock, which means the tests that + * need to set/increase optmem value shouldn't run in parallel. + * Also, not re-entrant. + */ +static const char *optmem_file =3D "/proc/sys/net/core/optmem_max"; +static size_t saved_optmem; + +static void __test_set_optmem(size_t new, size_t *old) +{ + FILE *foptmem; + int old_ns; + + old_ns =3D switch_save_ns(nsfd_outside); + foptmem =3D fopen(optmem_file, "r+"); + if (!foptmem) + test_error("failed to open %s", optmem_file); + + if (old !=3D NULL) { + if (fscanf(foptmem, "%zu", old) !=3D 1) + test_error("can't read from %s", optmem_file); + fclose(foptmem); + foptmem =3D fopen(optmem_file, "w"); + if (!foptmem) + test_error("failed to open %s", optmem_file); + } + + if (fprintf(foptmem, "%zu", new) <=3D 0) + test_error("can't write %zu to %s", new, optmem_file); + fclose(foptmem); + switch_ns(old_ns); +} + +static void test_revert_optmem(void) +{ + if (saved_optmem =3D=3D 0) + return; + + __test_set_optmem(saved_optmem, NULL); +} + +void test_set_optmem(size_t value) +{ + if (saved_optmem =3D=3D 0) { + __test_set_optmem(value, &saved_optmem); + test_add_destructor(test_revert_optmem); + } else { + __test_set_optmem(value, NULL); + } +} diff --git a/tools/testing/selftests/net/tcp_ao/lib/sock.c b/tools/testing/= selftests/net/tcp_ao/lib/sock.c new file mode 100644 index 000000000000..c0b0ac77b644 --- /dev/null +++ b/tools/testing/selftests/net/tcp_ao/lib/sock.c @@ -0,0 +1,294 @@ +// SPDX-License-Identifier: GPL-2.0 +#include +#include +#include +#include "../../../../../include/linux/kernel.h" +#include "../../../../../include/linux/stringify.h" +#include "aolib.h" + +const unsigned test_server_port =3D 7010; +int __test_listen_socket(int backlog, void *addr, size_t addr_sz) +{ + int err, sk =3D socket(test_family, SOCK_STREAM, IPPROTO_TCP); + long flags; + + if (sk < 0) + test_error("socket()"); + + err =3D setsockopt(sk, SOL_SOCKET, SO_BINDTODEVICE, veth_name, + strlen(veth_name) + 1); + if (err < 0) + test_error("setsockopt(SO_BINDTODEVICE)"); + + if (bind(sk, (struct sockaddr *)addr, addr_sz) < 0) + test_error("bind()"); + + flags =3D fcntl(sk, F_GETFL); + if ((flags < 0) || (fcntl(sk, F_SETFL, flags | O_NONBLOCK) < 0)) + test_error("fcntl()"); + + if (listen(sk, backlog)) + test_error("listen()"); + + return sk; +} + +int test_wait_fd(int sk, time_t sec, bool write) +{ + struct timeval tv =3D { .tv_sec =3D sec }; + struct timeval *ptv =3D NULL; + fd_set fds, efds; + int ret; + socklen_t slen =3D sizeof(ret); + + FD_ZERO(&fds); + FD_SET(sk, &fds); + FD_ZERO(&efds); + FD_SET(sk, &efds); + + if (sec) + ptv =3D &tv; + + errno =3D 0; + if (write) + ret =3D select(sk + 1, NULL, &fds, &efds, ptv); + else + ret =3D select(sk + 1, &fds, NULL, &efds, ptv); + if (ret <=3D 0) + return -errno; + + if (getsockopt(sk, SOL_SOCKET, SO_ERROR, &ret, &slen) || ret) + return -ret; + return sk; +} + +int __test_connect_socket(int sk, void *addr, size_t addr_sz, time_t timeo= ut) +{ + long flags; + int err; + + err =3D setsockopt(sk, SOL_SOCKET, SO_BINDTODEVICE, veth_name, + strlen(veth_name) + 1); + if (err < 0) + test_error("setsockopt(SO_BINDTODEVICE)"); + + if (!timeout) { + err =3D connect(sk, addr, addr_sz); + if (err) { + err =3D -errno; + goto out; + } + return 0; + } + + flags =3D fcntl(sk, F_GETFL); + if ((flags < 0) || (fcntl(sk, F_SETFL, flags | O_NONBLOCK) < 0)) + test_error("fcntl()"); + + if (connect(sk, addr, addr_sz) < 0) { + if (errno !=3D EINPROGRESS) { + err =3D -errno; + goto out; + } + err =3D test_wait_fd(sk, timeout, 1); + if (err <=3D 0) + goto out; + } + return sk; + +out: + close(sk); + return err; +} + +int test_prepare_ao_sockaddr(struct tcp_ao *ao, const char *alg, uint16_t = flags, + void *addr, size_t addr_sz, uint8_t prefix, + uint8_t sndid, uint8_t rcvid, uint8_t maclen, + uint8_t keyflags, uint8_t keylen, const char *key) +{ + memset(ao, 0, sizeof(struct tcp_ao)); + + ao->tcpa_flags =3D flags; + ao->tcpa_prefix =3D prefix; + ao->tcpa_sndid =3D sndid; + ao->tcpa_rcvid =3D rcvid; + ao->tcpa_maclen =3D maclen; + ao->tcpa_keyflags =3D keyflags; + ao->tcpa_keylen =3D keylen; + + memcpy(&ao->tcpa_addr, addr, addr_sz); + + if (strlen(alg) > 64) + return -ENOBUFS; + strncpy(ao->tcpa_alg_name, alg, 64); + + memcpy(ao->tcpa_key, key, + (TCP_AO_MAXKEYLEN < keylen) ? TCP_AO_MAXKEYLEN : keylen); + return 0; +} + +int test_get_one_ao(int sk, struct tcp_ao_getsockopt *out, uint16_t flags, + void *addr, size_t addr_sz, uint8_t prefix, + uint8_t sndid, uint8_t rcvid) +{ + struct tcp_ao_getsockopt tmp =3D {}; + socklen_t tmp_sz =3D sizeof(tmp); + int ret; + + memcpy(&tmp.addr, addr, addr_sz); + tmp.prefix =3D prefix; + tmp.sndid =3D sndid; + tmp.rcvid =3D rcvid; + tmp.flags =3D flags; + tmp.nkeys =3D 1; + + ret =3D getsockopt(sk, IPPROTO_TCP, TCP_AO_GET, &tmp, &tmp_sz); + if (ret) + return ret; + if (tmp.nkeys !=3D 1) + return -ENOENT; + *out =3D tmp; + return 0; +} + +int test_cmp_getsockopt_setsockopt(const struct tcp_ao *a, + const struct tcp_ao_getsockopt *b) +{ + bool is_kdf_aes_128_cmac =3D false; + + if (!strcmp("cmac(aes128)", a->tcpa_alg_name)) + is_kdf_aes_128_cmac =3D (a->tcpa_keylen !=3D 16); + +#define __cmp_ao(member) \ + if (b->member !=3D a->tcpa_##member) { \ + test_fail("getsockopt(): " __stringify(member) " %u !=3D %u", \ + b->member, a->tcpa_##member); \ + return -1; \ + } + __cmp_ao(sndid); + __cmp_ao(rcvid); + __cmp_ao(prefix); + __cmp_ao(keyflags); + if (a->tcpa_maclen) { + __cmp_ao(maclen); + } else if (b->maclen !=3D 12) { + test_fail("getsockopt(): expected default maclen 12, but it's %u", + b->maclen); + return -1; + } + if (!is_kdf_aes_128_cmac) { + __cmp_ao(keylen); + } else if (b->keylen !=3D 16) { + test_fail("getsockopt(): expected keylen 16 for cmac(aes128), but it's %= u", + b->keylen); + return -1; + } +#undef __cmp_ao + if (!is_kdf_aes_128_cmac && memcmp(b->key, a->tcpa_key, a->tcpa_keylen)) { + test_fail("getsockopt(): returned key is different `%s' !=3D `%s'", + b->key, a->tcpa_key); + return -1; + } + if (memcmp(&b->addr, &a->tcpa_addr, sizeof(b->addr))) { + test_fail("getsockopt(): returned address is different"); + return -1; + } + if (!is_kdf_aes_128_cmac && strcmp(b->alg_name, a->tcpa_alg_name)) { + test_fail("getsockopt(): returned algorithm is different"); + return -1; + } + if (is_kdf_aes_128_cmac && strcmp(b->alg_name, "cmac(aes)")) { + test_fail("getsockopt(): returned algorithm is different"); + return -1; + } + return 0; +} + +#define TEST_BUF_SIZE 4096 +ssize_t test_server_run(int sk, ssize_t quota, time_t timeout_sec) +{ + ssize_t total =3D 0; + + do { + char buf[TEST_BUF_SIZE]; + ssize_t bytes, sent; + int ret; + + ret =3D test_wait_fd(sk, timeout_sec, 0); + if (ret <=3D 0) + return ret; + + bytes =3D recv(sk, buf, sizeof(buf), 0); + + if (bytes < 0) + test_error("recv(): %zd", bytes); + if (bytes =3D=3D 0) + break; + + ret =3D test_wait_fd(sk, timeout_sec, 1); + if (ret <=3D 0) + return ret; + + sent =3D send(sk, buf, bytes, 0); + if (sent =3D=3D 0) + break; + if (sent !=3D bytes) + test_error("send()"); + total +=3D bytes; + } while (!quota || total < quota); + + return total; +} + +ssize_t test_client_loop(int sk, char *buf, size_t buf_sz, + const size_t msg_len, time_t timeout_sec) +{ + char msg[msg_len]; + int nodelay =3D 1; + size_t i; + + if (setsockopt(sk, IPPROTO_TCP, TCP_NODELAY, &nodelay, sizeof(nodelay))) + test_error("setsockopt(TCP_NODELAY)"); + + for (i =3D 0; i < buf_sz; i +=3D min(msg_len, buf_sz - i)) { + size_t sent, bytes =3D min(msg_len, buf_sz - i); + int ret; + + ret =3D test_wait_fd(sk, timeout_sec, 1); + if (ret <=3D 0) + return ret; + + sent =3D send(sk, buf + i, bytes, 0); + if (sent =3D=3D 0) + break; + if (sent !=3D bytes) + test_error("send()"); + + ret =3D test_wait_fd(sk, timeout_sec, 0); + if (ret <=3D 0) + return ret; + + bytes =3D recv(sk, msg, sizeof(msg), 0); + if (bytes < 0) + test_error("recv(): %zd", bytes); + if (bytes !=3D sent) + test_error("recv(): %zd !=3D %zd", bytes, sent); + if (memcmp(buf + i, msg, bytes) !=3D 0) { + test_fail("received message differs"); + return -1; + } + } + return i; +} + +int test_client_verify(int sk, const size_t msg_len, const size_t nr, + time_t timeout_sec) +{ + size_t buf_sz =3D msg_len * nr; + char *buf =3D alloca(buf_sz); + + randomize_buffer(buf, buf_sz); + if (test_client_loop(sk, buf, buf_sz, msg_len, timeout_sec) !=3D buf_sz) + return -1; + return 0; +} diff --git a/tools/testing/selftests/net/tcp_ao/lib/utils.c b/tools/testing= /selftests/net/tcp_ao/lib/utils.c new file mode 100644 index 000000000000..372daca525f5 --- /dev/null +++ b/tools/testing/selftests/net/tcp_ao/lib/utils.c @@ -0,0 +1,30 @@ +// SPDX-License-Identifier: GPL-2.0 +#include "aolib.h" +#include + +void randomize_buffer(void *buf, size_t buflen) +{ + int *p =3D (int *)buf; + size_t words =3D buflen / sizeof(int); + size_t leftover =3D buflen % sizeof(int); + + if (!buflen) + return; + + while (words--) + *p++ =3D rand(); + + if (leftover) { + int tmp =3D rand(); + + memcpy(buf + buflen - leftover, &tmp, leftover); + } +} + +const struct sockaddr_in6 addr_any6 =3D { + .sin6_family =3D AF_INET6, +}; + +const struct sockaddr_in addr_any4 =3D { + .sin_family =3D AF_INET, +}; --=20 2.37.2 From nobody Fri Apr 10 21:51:38 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9DB97C32772 for ; Thu, 18 Aug 2022 17:03:58 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1345468AbiHRRD4 (ORCPT ); Thu, 18 Aug 2022 13:03:56 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34928 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1344407AbiHRRBB (ORCPT ); Thu, 18 Aug 2022 13:01:01 -0400 Received: from mail-wm1-x333.google.com (mail-wm1-x333.google.com [IPv6:2a00:1450:4864:20::333]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A8E5C84ED1 for ; Thu, 18 Aug 2022 10:00:53 -0700 (PDT) Received: by mail-wm1-x333.google.com with SMTP id m17-20020a7bce11000000b003a5bedec07bso2918051wmc.0 for ; Thu, 18 Aug 2022 10:00:53 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=arista.com; s=google; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc; bh=JFjhAHpFFFmaQQ0V2wacUF3AxKnhpL22mGbabAPp8aE=; b=VS/px4y53y05pjm4YbRj2+kPJz/V4Wg8YNpzyf2G/I8kQRbNS8Y8n1LSshGhaPX3wS fI6DrslCHUHt+nHu3CyIWHxRS/bZBNuyolt+PZcTkkbaML/qtqLv4oYI3L5SFlkhyXlR WUtlsT4gmHcD9FRhVFM36QtYcHKdUweYuwaOEdM3fs36odmG+Tp6yOGeIP03B30qmVkU Qsc9oZdkIcOymnO1OSK6zPUYLpZYh7gz31q0u2uJpgNoMyF/TPiEK4gy/TvKP5pDy+d7 qTyYvPmxYGHG5Vh3rDXgeVme1ShoOIDxx6OyCs5G6wHqjykeHNiA061ujlnkVdXx7z9t Ol9g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc; bh=JFjhAHpFFFmaQQ0V2wacUF3AxKnhpL22mGbabAPp8aE=; b=R3COHTnk3hAK4gOdtUIUhURds2scixMAYA2X59tn/0z+hXl2sfgK5+LJyWsz0irnNe yARFqvX/+PDmZlO5OnhbGfE568RO5r9ukKOgWlKbtP9TMZ/4X//1GZnaJkMghigf4vcB HCm+iFe74t0MyXgppc5Ute8iXRY+IG7UJQsqpY5dDLUQLgrpE3gYvxKSxvQc3vbRlaCv lLjl7R2Gpz+gctynqD4oj2wBlzGpn8BpoXL2FXq+JSFUWEhPudYdA9/AFxPl2me+FkMi L1gQ/lhQeVoE1qHNfzmis/4v8gmVOAD4YBcNdBV0wtYfjP1PcjxDqbql2WZ+DP6ZrBX4 VBGQ== X-Gm-Message-State: ACgBeo3UfJ01c71N0oAUEYu2ZMSj2fHk302/WBtm4e6VVeR0hU0X5x7U KV5gZMV021b7P7LgwzadCZK7Ww== X-Google-Smtp-Source: AA6agR644uwnp9CfZ4Rb0+T5bbZXJwApW2eJZ5YqBU60qIGvIO51c7FfHTWRF3SI3o+5kuFMIRVIbw== X-Received: by 2002:a05:600c:2317:b0:3a5:a3b7:31f with SMTP id 23-20020a05600c231700b003a5a3b7031fmr5707952wmo.6.1660842052120; Thu, 18 Aug 2022 10:00:52 -0700 (PDT) Received: from Mindolluin.ire.aristanetworks.com ([217.173.96.166]) by smtp.gmail.com with ESMTPSA id be13-20020a05600c1e8d00b003a511e92abcsm2662169wmb.34.2022.08.18.10.00.50 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 18 Aug 2022 10:00:51 -0700 (PDT) From: Dmitry Safonov To: Eric Dumazet , "David S. Miller" , linux-kernel@vger.kernel.org Cc: Dmitry Safonov , Andy Lutomirski , Ard Biesheuvel , Bob Gilligan , David Ahern , Dmitry Safonov <0x7f454c46@gmail.com>, Eric Biggers , Francesco Ruggeri , Herbert Xu , Hideaki YOSHIFUJI , Ivan Delalande , Jakub Kicinski , Leonard Crestez , Paolo Abeni , Salam Noureddine , Shuah Khan , netdev@vger.kernel.org, linux-crypto@vger.kernel.org Subject: [PATCH 26/31] selftests/net: Verify that TCP-AO complies with ignoring ICMPs Date: Thu, 18 Aug 2022 18:00:00 +0100 Message-Id: <20220818170005.747015-27-dima@arista.com> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220818170005.747015-1-dima@arista.com> References: <20220818170005.747015-1-dima@arista.com> MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hand-crafted ICMP packets are sent to the server, the server checks for hard/soft errors and fails if any. Expected output for ipv4 version: > # ./icmps-discard_ipv4 > 1..3 > # 3164[lib/setup.c:166] rand seed 1642623745 > TAP version 13 > # 3164[lib/proc.c:207] Snmp6 Ip6InReceives: 0 =3D> 1 > # 3164[lib/proc.c:207] Snmp6 Ip6InNoRoutes: 0 =3D> 1 > # 3164[lib/proc.c:207] Snmp6 Ip6InOctets: 0 =3D> 76 > # 3164[lib/proc.c:207] Snmp6 Ip6InNoECTPkts: 0 =3D> 1 > # 3164[lib/proc.c:207] Tcp InSegs: 2 =3D> 203 > # 3164[lib/proc.c:207] Tcp OutSegs: 1 =3D> 202 > # 3164[lib/proc.c:207] IcmpMsg InType3: 0 =3D> 543 > # 3164[lib/proc.c:207] Icmp InMsgs: 0 =3D> 543 > # 3164[lib/proc.c:207] Icmp InDestUnreachs: 0 =3D> 543 > # 3164[lib/proc.c:207] Ip InReceives: 2 =3D> 746 > # 3164[lib/proc.c:207] Ip InDelivers: 2 =3D> 746 > # 3164[lib/proc.c:207] Ip OutRequests: 1 =3D> 202 > # 3164[lib/proc.c:207] IpExt InOctets: 132 =3D> 61684 > # 3164[lib/proc.c:207] IpExt OutOctets: 68 =3D> 31324 > # 3164[lib/proc.c:207] IpExt InNoECTPkts: 2 =3D> 744 > # 3164[lib/proc.c:207] TcpExt TCPPureAcks: 1 =3D> 2 > # 3164[lib/proc.c:207] TcpExt TCPOrigDataSent: 0 =3D> 200 > # 3164[lib/proc.c:207] TcpExt TCPDelivered: 0 =3D> 199 > # 3164[lib/proc.c:207] TcpExt TCPAOGood: 2 =3D> 203 > # 3164[lib/proc.c:207] TcpExt TCPAODroppedIcmps: 0 =3D> 541 > ok 1 InDestUnreachs delivered 543 > ok 2 Server survived 20000 bytes of traffic > ok 3 ICMPs ignored 541 > # Totals: pass:3 fail:0 xfail:0 xpass:0 skip:0 error:0 Expected output for ipv6 version: > # ./icmps-discard_ipv6 > 1..3 > # 3186[lib/setup.c:166] rand seed 1642623803 > TAP version 13 > # 3186[lib/proc.c:207] Snmp6 Ip6InReceives: 4 =3D> 568 > # 3186[lib/proc.c:207] Snmp6 Ip6InDelivers: 3 =3D> 564 > # 3186[lib/proc.c:207] Snmp6 Ip6OutRequests: 2 =3D> 204 > # 3186[lib/proc.c:207] Snmp6 Ip6InMcastPkts: 1 =3D> 4 > # 3186[lib/proc.c:207] Snmp6 Ip6OutMcastPkts: 0 =3D> 1 > # 3186[lib/proc.c:207] Snmp6 Ip6InOctets: 320 =3D> 70420 > # 3186[lib/proc.c:207] Snmp6 Ip6OutOctets: 160 =3D> 35512 > # 3186[lib/proc.c:207] Snmp6 Ip6InMcastOctets: 72 =3D> 336 > # 3186[lib/proc.c:207] Snmp6 Ip6OutMcastOctets: 0 =3D> 76 > # 3186[lib/proc.c:207] Snmp6 Ip6InNoECTPkts: 4 =3D> 568 > # 3186[lib/proc.c:207] Snmp6 Icmp6InMsgs: 1 =3D> 361 > # 3186[lib/proc.c:207] Snmp6 Icmp6OutMsgs: 1 =3D> 2 > # 3186[lib/proc.c:207] Snmp6 Icmp6InDestUnreachs: 0 =3D> 360 > # 3186[lib/proc.c:207] Snmp6 Icmp6OutMLDv2Reports: 0 =3D> 1 > # 3186[lib/proc.c:207] Snmp6 Icmp6InType1: 0 =3D> 360 > # 3186[lib/proc.c:207] Snmp6 Icmp6OutType143: 0 =3D> 1 > # 3186[lib/proc.c:207] Tcp InSegs: 2 =3D> 203 > # 3186[lib/proc.c:207] Tcp OutSegs: 1 =3D> 202 > # 3186[lib/proc.c:207] TcpExt TCPPureAcks: 1 =3D> 2 > # 3186[lib/proc.c:207] TcpExt TCPOrigDataSent: 0 =3D> 200 > # 3186[lib/proc.c:207] TcpExt TCPDelivered: 0 =3D> 199 > # 3186[lib/proc.c:207] TcpExt TCPAOGood: 2 =3D> 203 > # 3186[lib/proc.c:207] TcpExt TCPAODroppedIcmps: 0 =3D> 360 > ok 1 Icmp6InDestUnreachs delivered 360 > ok 2 Server survived 20000 bytes of traffic > ok 3 ICMPs ignored 360 > # Totals: pass:3 fail:0 xfail:0 xpass:0 skip:0 error:0 Signed-off-by: Dmitry Safonov --- tools/testing/selftests/net/tcp_ao/Makefile | 2 +- .../selftests/net/tcp_ao/icmps-discard.c | 434 ++++++++++++++++++ 2 files changed, 435 insertions(+), 1 deletion(-) create mode 100644 tools/testing/selftests/net/tcp_ao/icmps-discard.c diff --git a/tools/testing/selftests/net/tcp_ao/Makefile b/tools/testing/se= lftests/net/tcp_ao/Makefile index cb23d67944d7..9acfd782c20f 100644 --- a/tools/testing/selftests/net/tcp_ao/Makefile +++ b/tools/testing/selftests/net/tcp_ao/Makefile @@ -1,5 +1,5 @@ # SPDX-License-Identifier: GPL-2.0 -TEST_BOTH_AF :=3D connect +TEST_BOTH_AF :=3D connect icmps-discard =20 TEST_IPV4_PROGS :=3D $(TEST_BOTH_AF:%=3D%_ipv4) TEST_IPV6_PROGS :=3D $(TEST_BOTH_AF:%=3D%_ipv6) diff --git a/tools/testing/selftests/net/tcp_ao/icmps-discard.c b/tools/tes= ting/selftests/net/tcp_ao/icmps-discard.c new file mode 100644 index 000000000000..16d691809567 --- /dev/null +++ b/tools/testing/selftests/net/tcp_ao/icmps-discard.c @@ -0,0 +1,434 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Selftest that verifies that incomping ICMPs are ignored, + * the TCP connection stays alive, no hard or soft errors get reported + * to the usespace and the counter for ignored ICMPs is updated. + * + * RFC5925, 7.8: + * >> A TCP-AO implementation MUST default to ignore incoming ICMPv4 + * messages of Type 3 (destination unreachable), Codes 2-4 (protocol + * unreachable, port unreachable, and fragmentation needed -- =E2=80=99hard + * errors=E2=80=99), and ICMPv6 Type 1 (destination unreachable), Code 1 + * (administratively prohibited) and Code 4 (port unreachable) intended + * for connections in synchronized states (ESTABLISHED, FIN-WAIT-1, FIN- + * WAIT-2, CLOSE-WAIT, CLOSING, LAST-ACK, TIME-WAIT) that match MKTs. + * + * Author: Dmitry Safonov + */ +#include +#include +#include +#include +#include +#include +#include +#include "aolib.h" + +#ifndef SOL_TCP +/* can't include as including */ +# define SOL_TCP 6 /* TCP level */ +#endif + +const size_t packets_nr =3D 20; +const size_t packet_size =3D 100; +const char *tcpao_icmps =3D "TCPAODroppedIcmps"; + +#ifdef IPV6_TEST +const char *dst_unreach =3D "Icmp6InDestUnreachs"; +const int sk_ip_level =3D SOL_IPV6; +const int sk_recverr =3D IPV6_RECVERR; +#else +const char *dst_unreach =3D "InDestUnreachs"; +const int sk_ip_level =3D SOL_IP; +const int sk_recverr =3D IP_RECVERR; +#endif + +#define test_icmps_fail test_fail +#define test_icmps_ok test_ok + +static void serve_interfered(int sk) +{ + ssize_t test_quota =3D packet_size * packets_nr * 10; + uint64_t dest_unreach_a, dest_unreach_b; + uint64_t icmp_ignored_a, icmp_ignored_b; + bool counter_not_found; + struct netstat *ns_after, *ns_before; + ssize_t bytes; + + ns_before =3D netstat_read(); + dest_unreach_a =3D netstat_get(ns_before, dst_unreach, NULL); + icmp_ignored_a =3D netstat_get(ns_before, tcpao_icmps, NULL); + bytes =3D test_server_run(sk, test_quota, 0); + ns_after =3D netstat_read(); + netstat_print_diff(ns_before, ns_after); + dest_unreach_b =3D netstat_get(ns_after, dst_unreach, NULL); + icmp_ignored_b =3D netstat_get(ns_after, tcpao_icmps, + &counter_not_found); + + netstat_free(ns_before); + netstat_free(ns_after); + + if (dest_unreach_a >=3D dest_unreach_b) { + test_fail("%s counter didn't change: %" PRIu64 " >=3D %" PRIu64, + dst_unreach, dest_unreach_a, dest_unreach_b); + return; + } else { + test_ok("%s delivered %" PRIu64, + dst_unreach, dest_unreach_b - dest_unreach_a); + } + if (bytes < 0) { + test_icmps_fail("server failed with %zd: %s", bytes, strerrordesc_np(-by= tes)); + } else { + test_icmps_ok("Server survived %zd bytes of traffic", test_quota); + } + if (counter_not_found) { + test_fail("Not found %s counter", tcpao_icmps); + return; + } + if (icmp_ignored_a >=3D icmp_ignored_b) { + test_icmps_fail("%s counter didn't change: %" PRIu64 " >=3D %" PRIu64, + tcpao_icmps, icmp_ignored_a, icmp_ignored_b); + return; + } + test_icmps_ok("ICMPs ignored %" PRIu64, icmp_ignored_b - icmp_ignored_a); +} + +static void *server_fn(void *arg) +{ + int val, err, sk, lsk; + uint16_t flags =3D 0; + + lsk =3D test_listen_socket(this_ip_addr, test_server_port, 1); + + if (test_set_ao(lsk, "password", flags, this_ip_dest, -1, 100, 100)) + test_error("setsockopt(TCP_AO)"); + synchronize_threads(); + + err =3D test_wait_fd(lsk, TEST_TIMEOUT_SEC, 0); + if (!err) + test_error("timeouted for accept()"); + else if (err < 0) + test_error("test_wait_fd()"); + + sk =3D accept(lsk, NULL, NULL); + if (sk < 0) + test_error("accept()"); + + /* Fail on hard ip errors, such as dest unreachable (RFC1122) */ + val =3D 1; + if (setsockopt(sk, sk_ip_level, sk_recverr, &val, sizeof(val))) + test_error("setsockopt()"); + + synchronize_threads(); + + serve_interfered(sk); + return NULL; +} + +static size_t packets_sent; +static size_t icmps_sent; + +static uint32_t checksum4_nofold(void *data, size_t len, uint32_t sum) +{ + uint16_t *words =3D data; + size_t i; + + for (i =3D 0; i < len / sizeof(uint16_t); i++) + sum +=3D words[i]; + if (len & 1) + sum +=3D ((char *)data)[len - 1]; + return sum; +} + +static uint16_t checksum4_fold(void *data, size_t len, uint32_t sum) +{ + sum =3D checksum4_nofold(data, len, sum); + while (sum > 0xFFFF) + sum =3D (sum & 0xFFFF) + (sum >> 16); + return ~sum; +} + +static void set_ip4hdr(struct iphdr *iph, size_t packet_len, int proto, + struct sockaddr_in *src, struct sockaddr_in *dst) +{ + iph->version =3D 4; + iph->ihl =3D 5; + iph->tos =3D 0; + iph->tot_len =3D htons(packet_len); + iph->ttl =3D 2; + iph->protocol =3D proto; + iph->saddr =3D src->sin_addr.s_addr; + iph->daddr =3D dst->sin_addr.s_addr; + iph->check =3D checksum4_fold((void *)iph, iph->ihl << 1, 0); +} + +static void icmp_interfere4(uint8_t type, uint8_t code, uint32_t rcv_nxt, + struct sockaddr_in *src, struct sockaddr_in *dst) +{ + int sk =3D socket(AF_INET, SOCK_RAW, IPPROTO_RAW); + struct { + struct iphdr iph; + struct icmphdr icmph; + struct iphdr iphe; + struct { + uint16_t sport; + uint16_t dport; + uint32_t seq; + } tcph; + } packet =3D {}; + size_t packet_len; + ssize_t bytes; + + if (sk < 0) + test_error("socket(AF_INET, SOCK_RAW, IPPROTO_RAW)"); + + packet_len =3D sizeof(packet); + set_ip4hdr(&packet.iph, packet_len, IPPROTO_ICMP, src, dst); + + packet.icmph.type =3D type; + packet.icmph.code =3D code; + if (code =3D=3D ICMP_FRAG_NEEDED) { + randomize_buffer(&packet.icmph.un.frag.mtu, + sizeof(packet.icmph.un.frag.mtu)); + } + + packet_len =3D sizeof(packet.iphe) + sizeof(packet.tcph); + set_ip4hdr(&packet.iphe, packet_len, IPPROTO_TCP, dst, src); + + packet.tcph.sport =3D dst->sin_port; + packet.tcph.dport =3D src->sin_port; + packet.tcph.seq =3D htonl(rcv_nxt); + + packet_len =3D sizeof(packet) - sizeof(packet.iph); + packet.icmph.checksum =3D checksum4_fold((void *)&packet.icmph, + packet_len, 0); + + bytes =3D sendto(sk, &packet, sizeof(packet), 0, + (struct sockaddr*)dst, sizeof(*dst)); + if (bytes !=3D sizeof(packet)) + test_error("send(): %zd", bytes); + icmps_sent++; + + close(sk); +} + +static void set_ip6hdr(struct ipv6hdr *iph, size_t packet_len, int proto, + struct sockaddr_in6 *src, struct sockaddr_in6 *dst) +{ + iph->version =3D 6; + iph->payload_len =3D htons(packet_len); + iph->nexthdr =3D proto; + iph->hop_limit =3D 2; + iph->saddr =3D src->sin6_addr; + iph->daddr =3D dst->sin6_addr; +} + +static inline uint16_t csum_fold(uint32_t csum) +{ + uint32_t sum =3D csum; + sum =3D (sum & 0xffff) + (sum >> 16); + sum =3D (sum & 0xffff) + (sum >> 16); + return (uint16_t)~sum; +} + +static inline uint32_t csum_add(uint32_t csum, uint32_t addend) +{ + uint32_t res =3D csum; + + res +=3D addend; + return res + (res < addend); +} + +__attribute__ ((noinline)) uint32_t checksum6_nofold(void *data, size_t le= n, uint32_t sum) +{ + uint16_t *words =3D data; + size_t i; + + for (i =3D 0; i < len / sizeof(uint16_t); i++) + sum =3D csum_add(sum, words[i]); + if (len & 1) + sum =3D csum_add(sum, ((char *)data)[len - 1]); + return sum; +} + +__attribute__ ((noinline)) uint16_t icmp6_checksum(struct sockaddr_in6 *sr= c, + struct sockaddr_in6 *dst, + void *ptr, size_t len, uint8_t proto) +{ + struct { + struct in6_addr saddr; + struct in6_addr daddr; + uint32_t payload_len; + uint8_t zero[3]; + uint8_t nexthdr; + } pseudo_header =3D {}; + uint32_t sum; + + pseudo_header.saddr =3D src->sin6_addr; + pseudo_header.daddr =3D dst->sin6_addr; + pseudo_header.payload_len =3D htonl(len); + pseudo_header.nexthdr =3D proto; + + sum =3D checksum6_nofold(&pseudo_header, sizeof(pseudo_header), 0); + sum =3D checksum6_nofold(ptr, len, sum); + + return csum_fold(sum); +} + +static void icmp6_interfere(int type, int code, uint32_t rcv_nxt, + struct sockaddr_in6 *src, struct sockaddr_in6 *dst) +{ + int sk =3D socket(AF_INET6, SOCK_RAW, IPPROTO_RAW); + struct sockaddr_in6 dst_raw =3D *dst; + struct { + struct ipv6hdr iph; + struct icmp6hdr icmph; + struct ipv6hdr iphe; + struct { + uint16_t sport; + uint16_t dport; + uint32_t seq; + } tcph; + } packet =3D {}; + size_t packet_len; + ssize_t bytes; + + + if (sk < 0) + test_error("socket(AF_INET6, SOCK_RAW, IPPROTO_RAW)"); + + packet_len =3D sizeof(packet) - sizeof(packet.iph); + set_ip6hdr(&packet.iph, packet_len, IPPROTO_ICMPV6, src, dst); + + packet.icmph.icmp6_type =3D type; + packet.icmph.icmp6_code =3D code; + + packet_len =3D sizeof(packet.iphe) + sizeof(packet.tcph); + set_ip6hdr(&packet.iphe, packet_len, IPPROTO_TCP, dst, src); + + packet.tcph.sport =3D dst->sin6_port; + packet.tcph.dport =3D src->sin6_port; + packet.tcph.seq =3D htonl(rcv_nxt); + + packet_len =3D sizeof(packet) - sizeof(packet.iph); + + packet.icmph.icmp6_cksum =3D icmp6_checksum(src, dst, + (void *)&packet.icmph, packet_len, IPPROTO_ICMPV6); + + dst_raw.sin6_port =3D htons(IPPROTO_RAW); + bytes =3D sendto(sk, &packet, sizeof(packet), 0, + (struct sockaddr*)&dst_raw, sizeof(dst_raw)); + if (bytes !=3D sizeof(packet)) + test_error("send(): %zd", bytes); + icmps_sent++; + + close(sk); +} + +static uint32_t get_rcv_nxt(int sk) +{ + int val =3D TCP_REPAIR_ON; + uint32_t ret; + socklen_t sz =3D sizeof(ret); + + if (setsockopt(sk, SOL_TCP, TCP_REPAIR, &val, sizeof(val))) + test_error("setsockopt(TCP_REPAIR)"); + val =3D TCP_RECV_QUEUE; + if (setsockopt(sk, SOL_TCP, TCP_REPAIR_QUEUE, &val, sizeof(val))) + test_error("setsockopt(TCP_REPAIR_QUEUE)"); + if (getsockopt(sk, SOL_TCP, TCP_QUEUE_SEQ, &ret, &sz)) + test_error("getsockopt(TCP_QUEUE_SEQ)"); + val =3D TCP_REPAIR_OFF_NO_WP; + if (setsockopt(sk, SOL_TCP, TCP_REPAIR, &val, sizeof(val))) + test_error("setsockopt(TCP_REPAIR)"); + return ret; +} + +static void icmp_interfere(const size_t nr, uint32_t rcv_nxt, void *src, v= oid *dst) +{ + struct sockaddr_in *saddr4 =3D src; + struct sockaddr_in *daddr4 =3D dst; + struct sockaddr_in6 *saddr6 =3D src; + struct sockaddr_in6 *daddr6 =3D dst; + size_t i; + + if (saddr4->sin_family !=3D daddr4->sin_family) + test_error("Different address families"); + + for (i =3D 0; i < nr; i++) { + if (saddr4->sin_family =3D=3D AF_INET) { + icmp_interfere4(ICMP_DEST_UNREACH, ICMP_PROT_UNREACH, + rcv_nxt, saddr4, daddr4); + icmp_interfere4(ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, + rcv_nxt, saddr4, daddr4); + icmp_interfere4(ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, + rcv_nxt, saddr4, daddr4); + icmps_sent +=3D 3; + } else if (saddr4->sin_family =3D=3D AF_INET6) { + icmp6_interfere(ICMPV6_DEST_UNREACH, + ICMPV6_ADM_PROHIBITED, + rcv_nxt, saddr6, daddr6); + icmp6_interfere(ICMPV6_DEST_UNREACH, + ICMPV6_PORT_UNREACH, + rcv_nxt, saddr6, daddr6); + icmps_sent +=3D 2; + } else { + test_error("Not ip address family"); + } + } +} + +static void send_interfered(int sk) +{ + const unsigned timeout =3D TEST_TIMEOUT_SEC; + struct sockaddr_in6 src, dst; + socklen_t addr_sz; + + addr_sz =3D sizeof(src); + if (getsockname(sk, &src, &addr_sz)) + test_error("getsockname()"); + addr_sz =3D sizeof(dst); + if (getpeername(sk, &dst, &addr_sz)) + test_error("getpeername()"); + + while (1) { + uint32_t rcv_nxt; + + if (test_client_verify(sk, packet_size, packets_nr, timeout)) { + test_fail("client: connection is broken"); + return; + } + packets_sent +=3D packets_nr; + rcv_nxt =3D get_rcv_nxt(sk); + icmp_interfere(packets_nr, rcv_nxt, (void *)&src, (void *)&dst); + } +} + +static void *client_fn(void *arg) +{ + int sk =3D socket(test_family, SOCK_STREAM, IPPROTO_TCP); + + if (sk < 0) + test_error("socket()"); + + if (test_set_ao(sk, "password", 0, this_ip_dest, -1, 100, 100)) + test_error("setsockopt(TCP_AO)"); + + synchronize_threads(); + if (test_connect_socket(sk, this_ip_dest, test_server_port) <=3D 0) + test_error("failed to connect()"); + synchronize_threads(); + + send_interfered(sk); + + /* Not expecting client to quit */ + test_fail("client disconnected"); + + return NULL; +} + +int main(int argc, char *argv[]) +{ + test_init(3, server_fn, client_fn); + return 0; +} --=20 2.37.2 From nobody Fri Apr 10 21:51:38 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id F3C46C00140 for ; Thu, 18 Aug 2022 17:04:06 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1344089AbiHRREC (ORCPT ); Thu, 18 Aug 2022 13:04:02 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33150 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1345261AbiHRRBB (ORCPT ); Thu, 18 Aug 2022 13:01:01 -0400 Received: from mail-wr1-x42f.google.com (mail-wr1-x42f.google.com [IPv6:2a00:1450:4864:20::42f]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 19D69CAC84 for ; Thu, 18 Aug 2022 10:00:54 -0700 (PDT) Received: by mail-wr1-x42f.google.com with SMTP id z16so2410004wrh.12 for ; Thu, 18 Aug 2022 10:00:54 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=arista.com; s=google; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc; bh=ydw55lqdXmkmsbsCcaoEXopsXmkoCfvtM0sMy2xUSwA=; b=A4kNIh4a42OrHrLFwwapL/3cMO0B3alkeywTxUTypvc1xs5zvzthTXAOYot1Bd+V83 Wuq6ul4GVY84gsN0GdFjh1wUZxCKUodHd2rhfHudhM/o9HoGSDZHKO50ZatuKAMJz2j1 M9QU3rpd5RCBOAKksxadxbD2JxGHThy9IM0rHNBpcGUe4lUBDbgBylytOu5nKKQiiV3o GCfad2OBzp97vHeUIDlDCdFnKDUd+o+dbP/6Bc1jXxhyrK4S5waeBdRkEr8md8BCi8bx K1PPauGb1U4ppn9PiESwwnI2ERPKMvH0cuPWSAGyHwDuvWq8Ij+L6jUALHQvKOdl56tl gkfg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc; bh=ydw55lqdXmkmsbsCcaoEXopsXmkoCfvtM0sMy2xUSwA=; b=0eoxz/j+PgtQTiE7rI9D6oEBs1Mm3BuME1OtOyzoUbrMuJ00IECwC8GWkBCUZ7ew0W qazlI2w3gR1v4VWM0yvsJ6pMVs+hJDUswidw03O/2iGsfPLkGpQFNtxPJDneogGAfuXG bcEqKP9RGZrNxWqPw7iw5wFC+OFmeL6RGyG8ifeM+f0yai/+svpzfGHF+2YdO3Nc0h1i Udi7t6ZBriVgbjjLM7/HcPi75du+WBSK/aQBGbgfNNbBqtdW9C9eHu8RZsL8ScNE77p4 nfZvLUW4mniW593bWZSpXuDwhtJN+YcHzgtfqEa8d5u7JnENiyGKPWQorpX+zQolYVqP 42SQ== X-Gm-Message-State: ACgBeo3gfOWkxzgXqEVUCUnQaYEyFWTAZ4gxkt0L89Q36Cv1LQC3oXaE YnEpMC52cYLLvrzoEru1LN1Kpw== X-Google-Smtp-Source: AA6agR4oUeKv5vE1nk7JqHvpcCL9PkJvna1dtrPDMhYlvbIp0aZZC8UgzQlOeoAkCirjzxSxC8XNPg== X-Received: by 2002:a05:6000:1547:b0:221:7a23:ab67 with SMTP id 7-20020a056000154700b002217a23ab67mr2169728wry.515.1660842053610; Thu, 18 Aug 2022 10:00:53 -0700 (PDT) Received: from Mindolluin.ire.aristanetworks.com ([217.173.96.166]) by smtp.gmail.com with ESMTPSA id be13-20020a05600c1e8d00b003a511e92abcsm2662169wmb.34.2022.08.18.10.00.52 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 18 Aug 2022 10:00:53 -0700 (PDT) From: Dmitry Safonov To: Eric Dumazet , "David S. Miller" , linux-kernel@vger.kernel.org Cc: Dmitry Safonov , Andy Lutomirski , Ard Biesheuvel , Bob Gilligan , David Ahern , Dmitry Safonov <0x7f454c46@gmail.com>, Eric Biggers , Francesco Ruggeri , Herbert Xu , Hideaki YOSHIFUJI , Ivan Delalande , Jakub Kicinski , Leonard Crestez , Paolo Abeni , Salam Noureddine , Shuah Khan , netdev@vger.kernel.org, linux-crypto@vger.kernel.org Subject: [PATCH 27/31] selftest/net: Add TCP-AO ICMPs accept test Date: Thu, 18 Aug 2022 18:00:01 +0100 Message-Id: <20220818170005.747015-28-dima@arista.com> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220818170005.747015-1-dima@arista.com> References: <20220818170005.747015-1-dima@arista.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" Reverse to icmps-discard test: the server accepts ICMPs, using TCP_AO_CMDF_ACCEPT_ICMP and it is expected to fail under ICMP flood from client. Test that the default pre-TCP-AO behaviour functions when TCP_AO_CMDF_ACCEPT_ICMP is set. Expected output for ipv4 version (in case it receives ICMP_PROT_UNREACH): > # ./icmps-accept_ipv4 > 1..3 > # 3209[lib/setup.c:166] rand seed 1642623870 > TAP version 13 > # 3209[lib/proc.c:207] Snmp6 Ip6InReceives: 0 =3D> 1 > # 3209[lib/proc.c:207] Snmp6 Ip6InNoRoutes: 0 =3D> 1 > # 3209[lib/proc.c:207] Snmp6 Ip6InOctets: 0 =3D> 76 > # 3209[lib/proc.c:207] Snmp6 Ip6InNoECTPkts: 0 =3D> 1 > # 3209[lib/proc.c:207] Tcp InSegs: 3 =3D> 23 > # 3209[lib/proc.c:207] Tcp OutSegs: 2 =3D> 22 > # 3209[lib/proc.c:207] IcmpMsg InType3: 0 =3D> 4 > # 3209[lib/proc.c:207] Icmp InMsgs: 0 =3D> 4 > # 3209[lib/proc.c:207] Icmp InDestUnreachs: 0 =3D> 4 > # 3209[lib/proc.c:207] Ip InReceives: 3 =3D> 27 > # 3209[lib/proc.c:207] Ip InDelivers: 3 =3D> 27 > # 3209[lib/proc.c:207] Ip OutRequests: 2 =3D> 22 > # 3209[lib/proc.c:207] IpExt InOctets: 288 =3D> 3420 > # 3209[lib/proc.c:207] IpExt OutOctets: 124 =3D> 3244 > # 3209[lib/proc.c:207] IpExt InNoECTPkts: 3 =3D> 25 > # 3209[lib/proc.c:207] TcpExt TCPPureAcks: 1 =3D> 2 > # 3209[lib/proc.c:207] TcpExt TCPOrigDataSent: 0 =3D> 20 > # 3209[lib/proc.c:207] TcpExt TCPDelivered: 0 =3D> 19 > # 3209[lib/proc.c:207] TcpExt TCPAOGood: 3 =3D> 23 > ok 1 InDestUnreachs delivered 4 > ok 2 server failed with -92: Protocol not available > ok 3 TCPAODroppedIcmps counter didn't change: 0 >=3D 0 > # Totals: pass:3 fail:0 xfail:0 xpass:0 skip:0 error:0 Expected output for ipv6 version (in case it receives ADM_PROHIBITED): > # ./icmps-accept_ipv6 > 1..3 > # 3277[lib/setup.c:166] rand seed 1642624035 > TAP version 13 > # 3277[lib/proc.c:207] Snmp6 Ip6InReceives: 6 =3D> 31 > # 3277[lib/proc.c:207] Snmp6 Ip6InDelivers: 4 =3D> 29 > # 3277[lib/proc.c:207] Snmp6 Ip6OutRequests: 4 =3D> 24 > # 3277[lib/proc.c:207] Snmp6 Ip6InOctets: 592 =3D> 4492 > # 3277[lib/proc.c:207] Snmp6 Ip6OutOctets: 332 =3D> 3852 > # 3277[lib/proc.c:207] Snmp6 Ip6InNoECTPkts: 6 =3D> 31 > # 3277[lib/proc.c:207] Snmp6 Icmp6InMsgs: 1 =3D> 6 > # 3277[lib/proc.c:207] Snmp6 Icmp6InDestUnreachs: 0 =3D> 5 > # 3277[lib/proc.c:207] Snmp6 Icmp6InType1: 0 =3D> 5 > # 3277[lib/proc.c:207] Tcp InSegs: 3 =3D> 23 > # 3277[lib/proc.c:207] Tcp OutSegs: 2 =3D> 22 > # 3277[lib/proc.c:207] TcpExt TCPPureAcks: 1 =3D> 2 > # 3277[lib/proc.c:207] TcpExt TCPOrigDataSent: 0 =3D> 20 > # 3277[lib/proc.c:207] TcpExt TCPDelivered: 0 =3D> 19 > # 3277[lib/proc.c:207] TcpExt TCPAOGood: 3 =3D> 23 > ok 1 Icmp6InDestUnreachs delivered 5 > ok 2 server failed with -13: Permission denied > ok 3 TCPAODroppedIcmps counter didn't change: 0 >=3D 0 > # Totals: pass:3 fail:0 xfail:0 xpass:0 skip:0 error:0 With some luck the server may fail with ECONNREFUSED (depending on what icmp packet was delivered firstly). For the kernel error handlers see: tab_unreach[] and icmp_err_convert[]. Signed-off-by: Dmitry Safonov --- tools/testing/selftests/net/tcp_ao/Makefile | 4 +++- .../testing/selftests/net/tcp_ao/icmps-accept.c | 1 + .../selftests/net/tcp_ao/icmps-discard.c | 17 +++++++++++++++-- 3 files changed, 19 insertions(+), 3 deletions(-) create mode 120000 tools/testing/selftests/net/tcp_ao/icmps-accept.c diff --git a/tools/testing/selftests/net/tcp_ao/Makefile b/tools/testing/se= lftests/net/tcp_ao/Makefile index 9acfd782c20f..a178bde0af08 100644 --- a/tools/testing/selftests/net/tcp_ao/Makefile +++ b/tools/testing/selftests/net/tcp_ao/Makefile @@ -1,5 +1,5 @@ # SPDX-License-Identifier: GPL-2.0 -TEST_BOTH_AF :=3D connect icmps-discard +TEST_BOTH_AF :=3D connect icmps-discard icmps-accept =20 TEST_IPV4_PROGS :=3D $(TEST_BOTH_AF:%=3D%_ipv4) TEST_IPV6_PROGS :=3D $(TEST_BOTH_AF:%=3D%_ipv6) @@ -43,3 +43,5 @@ $(OUTPUT)/%_ipv4: %.c $(OUTPUT)/%_ipv6: %.c $(LINK.c) -DIPV6_TEST $^ $(LDLIBS) -o $@ =20 +$(OUTPUT)/icmps-accept_ipv4: CFLAGS+=3D -DTEST_ICMPS_ACCEPT +$(OUTPUT)/icmps-accept_ipv6: CFLAGS+=3D -DTEST_ICMPS_ACCEPT diff --git a/tools/testing/selftests/net/tcp_ao/icmps-accept.c b/tools/test= ing/selftests/net/tcp_ao/icmps-accept.c new file mode 120000 index 000000000000..0a5bb85eb260 --- /dev/null +++ b/tools/testing/selftests/net/tcp_ao/icmps-accept.c @@ -0,0 +1 @@ +icmps-discard.c \ No newline at end of file diff --git a/tools/testing/selftests/net/tcp_ao/icmps-discard.c b/tools/tes= ting/selftests/net/tcp_ao/icmps-discard.c index 16d691809567..143571277548 100644 --- a/tools/testing/selftests/net/tcp_ao/icmps-discard.c +++ b/tools/testing/selftests/net/tcp_ao/icmps-discard.c @@ -43,8 +43,17 @@ const int sk_ip_level =3D SOL_IP; const int sk_recverr =3D IP_RECVERR; #endif =20 -#define test_icmps_fail test_fail -#define test_icmps_ok test_ok +/* + * Server is expected to fail with hard error if + * TCP_AO_CMDF_ACCEPT_ICMP is set + */ +#ifdef TEST_ICMPS_ACCEPT +# define test_icmps_fail test_ok +# define test_icmps_ok test_fail +#else +# define test_icmps_fail test_fail +# define test_icmps_ok test_ok +#endif =20 static void serve_interfered(int sk) { @@ -100,6 +109,10 @@ static void *server_fn(void *arg) =20 lsk =3D test_listen_socket(this_ip_addr, test_server_port, 1); =20 +#ifdef TEST_ICMPS_ACCEPT + flags =3D TCP_AO_CMDF_ACCEPT_ICMP; +#endif + if (test_set_ao(lsk, "password", flags, this_ip_dest, -1, 100, 100)) test_error("setsockopt(TCP_AO)"); synchronize_threads(); --=20 2.37.2 From nobody Fri Apr 10 21:51:38 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 85742C00140 for ; Thu, 18 Aug 2022 17:04:33 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1345498AbiHRRE3 (ORCPT ); Thu, 18 Aug 2022 13:04:29 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33620 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1345284AbiHRRBL (ORCPT ); Thu, 18 Aug 2022 13:01:11 -0400 Received: from mail-wm1-x32e.google.com (mail-wm1-x32e.google.com [IPv6:2a00:1450:4864:20::32e]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9EEC4C12D3 for ; Thu, 18 Aug 2022 10:00:56 -0700 (PDT) Received: by mail-wm1-x32e.google.com with SMTP id k6-20020a05600c1c8600b003a54ecc62f6so1252497wms.5 for ; Thu, 18 Aug 2022 10:00:56 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=arista.com; s=google; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc; bh=8ma5Ol24QeG3/DDgAehhLNXstU8Od+DxxiWWftpJxi8=; b=Dyyr6Tu3fV/nmKH/FomCr8OnALOmbi2GIry7O4qybdOdRKrpHxUf3haR28ScOq4vQp PRuHFb0LhAH6opVwhabnC1gc7myJ0S96G2KBXU/yAePzNLuJQTPytfZV78KOwfQ6AIY3 70QtzUKcIC4ZVPseBJKndk46EC+b82inP4fUkQGqUt8oRTAbDG4VXCTX385NCKYWyzJi rg/H4INIdsyeEOhrO2sjmH2Hxw6hwKnZztxInsPxd9cWE1A2nlJ+dmPmHrwNDe+8LgNY DME9mr8vak39op+HrvHLhrb3mLkGDzuf/CqR+aK0U4Fj793x+b/cw0Qwxe+2gECW8a2x LLkA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc; bh=8ma5Ol24QeG3/DDgAehhLNXstU8Od+DxxiWWftpJxi8=; b=LJiKygp81/eLUfO3mPouHVdjIzt4zK1CS6S7HfjvASUkZYWnnySoCFmCJ5qKVWDDUr UJjGymNvJow5VBcVFUjACdMhXTW6+uOrDF26AOKeNzEg9cyCfr1v7SzGyTjOahMlUacu rTBJ+6xb8SBtDOAsPxp/ZSZEvflUmJNS15DDvhlRyiB8o/S7LFRU5uXWzcbEtMJCnTKE jh20Q/n1QZqav3bRrImOphi7LgXn7JwHVmOv6ENjtz7nA+LLoHdWIj1Y7gaiLGmm0xZt SrTVICeUn30JJ6UKOEmhUk/y+xnDCg/AxAS8EgvBXHDlGpaJpaokfXGhpujjkorprkQb yOeA== X-Gm-Message-State: ACgBeo1pBMbA4JYrzvJEafRJv+Lcp11xEOLTyEjG0XYaKxyvsiWPeJOO 7RRVQtk7U8QGqE/45f8ZD4L28A== X-Google-Smtp-Source: AA6agR6EGfdN7r5kkm0GTVOJBZVq1ncE/GsFZw3mnOwZ9sBIGabObnZvk3+avhcWA5rIpDtpQxSQrQ== X-Received: by 2002:a05:600c:4ec9:b0:3a5:a567:137f with SMTP id g9-20020a05600c4ec900b003a5a567137fmr5725720wmq.46.1660842055023; Thu, 18 Aug 2022 10:00:55 -0700 (PDT) Received: from Mindolluin.ire.aristanetworks.com ([217.173.96.166]) by smtp.gmail.com with ESMTPSA id be13-20020a05600c1e8d00b003a511e92abcsm2662169wmb.34.2022.08.18.10.00.53 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 18 Aug 2022 10:00:54 -0700 (PDT) From: Dmitry Safonov To: Eric Dumazet , "David S. Miller" , linux-kernel@vger.kernel.org Cc: Dmitry Safonov , Andy Lutomirski , Ard Biesheuvel , Bob Gilligan , David Ahern , Dmitry Safonov <0x7f454c46@gmail.com>, Eric Biggers , Francesco Ruggeri , Herbert Xu , Hideaki YOSHIFUJI , Ivan Delalande , Jakub Kicinski , Leonard Crestez , Paolo Abeni , Salam Noureddine , Shuah Khan , netdev@vger.kernel.org, linux-crypto@vger.kernel.org Subject: [PATCH 28/31] selftest/tcp-ao: Add a test for MKT matching Date: Thu, 18 Aug 2022 18:00:02 +0100 Message-Id: <20220818170005.747015-29-dima@arista.com> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220818170005.747015-1-dima@arista.com> References: <20220818170005.747015-1-dima@arista.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" Add TCP-AO tests on connect()/accept() pair. SNMP counters exposed by kernel are very useful here to verify the expected behavior of TCP-AO. Signed-off-by: Dmitry Safonov --- tools/testing/selftests/net/tcp_ao/Makefile | 2 +- .../selftests/net/tcp_ao/connect-deny.c | 217 ++++++++++++++++++ 2 files changed, 218 insertions(+), 1 deletion(-) create mode 100644 tools/testing/selftests/net/tcp_ao/connect-deny.c diff --git a/tools/testing/selftests/net/tcp_ao/Makefile b/tools/testing/se= lftests/net/tcp_ao/Makefile index a178bde0af08..5064e34ebe38 100644 --- a/tools/testing/selftests/net/tcp_ao/Makefile +++ b/tools/testing/selftests/net/tcp_ao/Makefile @@ -1,5 +1,5 @@ # SPDX-License-Identifier: GPL-2.0 -TEST_BOTH_AF :=3D connect icmps-discard icmps-accept +TEST_BOTH_AF :=3D connect icmps-discard icmps-accept connect-deny =20 TEST_IPV4_PROGS :=3D $(TEST_BOTH_AF:%=3D%_ipv4) TEST_IPV6_PROGS :=3D $(TEST_BOTH_AF:%=3D%_ipv6) diff --git a/tools/testing/selftests/net/tcp_ao/connect-deny.c b/tools/test= ing/selftests/net/tcp_ao/connect-deny.c new file mode 100644 index 000000000000..cf71dda52c49 --- /dev/null +++ b/tools/testing/selftests/net/tcp_ao/connect-deny.c @@ -0,0 +1,217 @@ +// SPDX-License-Identifier: GPL-2.0 +/* Author: Dmitry Safonov */ +#include +#include "aolib.h" + +typedef uint8_t fault_t; +#define F_TIMEOUT 1 +#define F_KEYREJECT 2 + +#define fault(type) (inj =3D=3D type) + +static void try_accept(const char *tst_name, unsigned port, const char *pw= d, + union tcp_addr addr, uint8_t prefix, + uint8_t sndid, uint8_t rcvid, const char *cnt_name, + fault_t inj) +{ + uint64_t before_cnt, after_cnt; + int lsk, err, sk =3D 0; + time_t timeout; + + lsk =3D test_listen_socket(this_ip_addr, port, 1); + + if (pwd && test_set_ao(lsk, pwd, 0, addr, prefix, sndid, rcvid)) + test_error("setsockopt(TCP_AO)"); + + if (cnt_name) + before_cnt =3D netstat_get_one(cnt_name, NULL); + + synchronize_threads(); /* preparations done */ + + timeout =3D fault(F_TIMEOUT) ? TEST_RETRANSMIT_SEC : TEST_TIMEOUT_SEC; + err =3D test_wait_fd(lsk, timeout, 0); + if (err < 0) + test_error("test_wait_fd()"); + else if (!err) { + if (!fault(F_TIMEOUT)) + test_fail("timeouted for accept()"); + } else { + if (fault(F_TIMEOUT)) + test_fail("ready to accept"); + + sk =3D accept(lsk, NULL, NULL); + if (sk < 0) { + test_error("accept()"); + } else { + if (fault(F_TIMEOUT)) + test_fail("%s: accepted", tst_name); + } + } + + close(lsk); + + if (!cnt_name) + goto out; + + after_cnt =3D netstat_get_one(cnt_name, NULL); + + if (after_cnt <=3D before_cnt) { + test_fail("%s: %s counter did not increase: %zu <=3D %zu", + tst_name, cnt_name, after_cnt, before_cnt); + } else { + test_ok("%s: counter %s increased %zu =3D> %zu", + tst_name, cnt_name, before_cnt, after_cnt); + } + +out: + synchronize_threads(); /* close() */ + if (sk > 0) + close(sk); +} + +static void *server_fn(void *arg) +{ + union tcp_addr wrong_addr, network_addr; + unsigned port =3D test_server_port; + + if (inet_pton(TEST_FAMILY, TEST_WRONG_IP, &wrong_addr) !=3D 1) + test_error("Can't convert ip address %s", TEST_WRONG_IP); + + try_accept("Non-AO server + AO client", port++, NULL, + this_ip_dest, -1, 100, 100, "TCPAOKeyNotFound", F_TIMEOUT); + + try_accept("AO server + Non-AO client", port++, "password", + this_ip_dest, -1, 100, 100, "TCPAORequired", F_TIMEOUT); + + try_accept("Wrong password", port++, "password2", + this_ip_dest, -1, 100, 100, "TCPAOBad", F_TIMEOUT); + + try_accept("Wrong rcv id", port++, "password", + this_ip_dest, -1, 100, 101, "TCPAOKeyNotFound", F_TIMEOUT); + + try_accept("Wrong snd id", port++, "password", + this_ip_dest, -1, 101, 100, "TCPAOGood", F_TIMEOUT); + + try_accept("Server: Wrong addr", port++, "password", + wrong_addr, -1, 100, 100, "TCPAOKeyNotFound", F_TIMEOUT); + + try_accept("Client: Wrong addr", port++, NULL, + this_ip_dest, -1, 100, 100, NULL, F_TIMEOUT); + + try_accept("rcv id !=3D snd id", port++, "password", + this_ip_dest, -1, 200, 100, "TCPAOGood", 0); + + if (inet_pton(TEST_FAMILY, TEST_NETWORK, &network_addr) !=3D 1) + test_error("Can't convert ip address %s", TEST_NETWORK); + + try_accept("Server: prefix match", port++, "password", + network_addr, 16, 100, 100, "TCPAOGood", 0); + + try_accept("Client: prefix match", port++, "password", + this_ip_dest, -1, 100, 100, "TCPAOGood", 0); + + /* client exits */ + synchronize_threads(); + return NULL; +} + +static void try_connect(const char *tst_name, unsigned port, + const char *pwd, union tcp_addr addr, uint8_t prefix, + uint8_t sndid, uint8_t rcvid, fault_t inj) +{ + time_t timeout; + int sk, ret; + + sk =3D socket(test_family, SOCK_STREAM, IPPROTO_TCP); + if (sk < 0) + test_error("socket()"); + + if (pwd && test_set_ao(sk, pwd, 0, addr, prefix, sndid, rcvid)) + test_error("setsockopt(TCP_AO)"); + + synchronize_threads(); /* preparations done */ + + timeout =3D fault(F_TIMEOUT) ? TEST_RETRANSMIT_SEC : TEST_TIMEOUT_SEC; + ret =3D _test_connect_socket(sk, this_ip_dest, port, timeout); + + if (ret < 0) { + if (fault(F_KEYREJECT) && ret =3D=3D -EKEYREJECTED) { + test_ok("%s: connect() was prevented", tst_name); + goto out; + } else if (ret =3D=3D -ECONNREFUSED && + (fault(F_TIMEOUT) || fault(F_KEYREJECT))) { + test_ok("%s: refused to connect", tst_name); + goto out; + } else { + test_error("%s: connect() returned %d", tst_name, ret); + } + } + + if (ret =3D=3D 0) { + if (fault(F_TIMEOUT)) + test_ok("%s", tst_name); + else + test_fail("%s: failed to connect()", tst_name); + } else { + if (fault(F_TIMEOUT) || fault(F_KEYREJECT)) + test_fail("%s: connected", tst_name); + else + test_ok("%s: connected", tst_name); + } + +out: + synchronize_threads(); /* close() */ + + if (ret > 0) + close(sk); +} + +static void *client_fn(void *arg) +{ + union tcp_addr wrong_addr, network_addr; + unsigned port =3D test_server_port; + + if (inet_pton(TEST_FAMILY, TEST_WRONG_IP, &wrong_addr) !=3D 1) + test_error("Can't convert ip address %s", TEST_WRONG_IP); + + try_connect("Non-AO server + AO client", port++, "password", + this_ip_dest, -1, 100, 100, F_TIMEOUT); + + try_connect("AO server + Non-AO client", port++, NULL, + this_ip_dest, -1, 100, 100, F_TIMEOUT); + + try_connect("Wrong password", port++, "password", + this_ip_dest, -1, 100, 100, F_TIMEOUT); + + try_connect("Wrong rcv id", port++, "password", + this_ip_dest, -1, 100, 100, F_TIMEOUT); + + try_connect("Wrong snd id", port++, "password", + this_ip_dest, -1, 100, 100, F_TIMEOUT); + + try_connect("Server: Wrong addr", port++, "password", + this_ip_dest, -1, 100, 100, F_TIMEOUT); + + try_connect("Client: Wrong addr", port++, "password", + wrong_addr, -1, 100, 100, F_KEYREJECT); + + try_connect("rcv id !=3D snd id", port++, "password", + this_ip_dest, -1, 100, 200, 0); + + if (inet_pton(TEST_FAMILY, TEST_NETWORK, &network_addr) !=3D 1) + test_error("Can't convert ip address %s", TEST_NETWORK); + + try_connect("Server: prefix match", port++, "password", + this_ip_dest, -1, 100, 100, 0); + + try_connect("Client: prefix match", port++, "password", + network_addr, 16, 100, 100, 0); + + return NULL; +} + +int main(int argc, char *argv[]) +{ + test_init(20, server_fn, client_fn); + return 0; +} --=20 2.37.2 From nobody Fri Apr 10 21:51:38 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 997A8C00140 for ; Thu, 18 Aug 2022 17:04:37 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1345284AbiHRREf (ORCPT ); Thu, 18 Aug 2022 13:04:35 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33872 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1345282AbiHRRBL (ORCPT ); Thu, 18 Aug 2022 13:01:11 -0400 Received: from mail-wr1-x434.google.com (mail-wr1-x434.google.com [IPv6:2a00:1450:4864:20::434]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D6491CAC89 for ; Thu, 18 Aug 2022 10:00:56 -0700 (PDT) Received: by mail-wr1-x434.google.com with SMTP id u14so2413358wrq.9 for ; Thu, 18 Aug 2022 10:00:56 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=arista.com; s=google; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc; bh=AK4InlvF9B1QaPzw96JloJQ6G3mOJmIdQ9aUwWnWzUc=; b=Teqsh9jPSj29w3+e49qn4nNQqQi4z/uIEiTsRPvsCiYpskb3bEEDMtTPBy37u608BW 6UFd/eXMLnd1KcCJZDwj0HYeIgoh8P+aY5S5WAzqZjpDwGQr4MoZVRPCrxHW9ROETuUu 74ZvD46I/z0z8Zg6Io0sjMB+uC5Y2LEx6vQass4g5heUtzd5W/6T+dGECVMwMFr27s30 3ulendb0AxIcLWV+gY/u19K4dGTPHqtFGOTLQ0Eie6xfv5WKdVcfBnjQM4RdCeK7ozOk OCoxh8CdP5e02ibkREqywDH4hsK1cf3g6xvSek+hwDHM6JPYcG7aSPMDWdyRVtw72FDS yYVQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc; bh=AK4InlvF9B1QaPzw96JloJQ6G3mOJmIdQ9aUwWnWzUc=; b=ESUVVygda7QWE79EHbMVMi/4vxbPgCTy0qoqlOb/lYK4UMSNGGlzbiDXK/rT8hY8J8 2QqVx6RKgCsNfeBnwfK7wHtgn9kI/dGf9wjT0PYP+mD1cYsQb9WS8xnxcbFyLCKIrCNx grnYc1kf2OsXGaaZ+MGQ9+XRZn99zVvnkM4OZZPEmASFeuYxHmoDtXLonKAbQpUtWAWR 4mdh8iF94nQ/jmQkpKjCq9kzKucsgIgElWkDpHm6mub1+AYXk4wbQgWWqgd1bej5jGXr 3ruDY99EALWLVmz7GXCpXyeRiW7n2iPv6xSp5cMt4Up11nC8EHdHeWzQRLPoHTu0jPBb 3ccA== X-Gm-Message-State: ACgBeo0IgAU6+sYVWdXl4fvziCbvUhQZFpFTaX0CqIDu7u8H4AyPupqQ AbFTIKxdWe7KGcvLb5f/PWxz3g== X-Google-Smtp-Source: AA6agR7Vb0bFgoD2qJiyQ23BGlj3voGN/B5kPQxJYXQKMoOSwXHat4SDaw80B88oY6LOmPfkF+HSrQ== X-Received: by 2002:a05:6000:178b:b0:222:c6c4:b42e with SMTP id e11-20020a056000178b00b00222c6c4b42emr2288254wrg.275.1660842056392; Thu, 18 Aug 2022 10:00:56 -0700 (PDT) Received: from Mindolluin.ire.aristanetworks.com ([217.173.96.166]) by smtp.gmail.com with ESMTPSA id be13-20020a05600c1e8d00b003a511e92abcsm2662169wmb.34.2022.08.18.10.00.55 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 18 Aug 2022 10:00:56 -0700 (PDT) From: Dmitry Safonov To: Eric Dumazet , "David S. Miller" , linux-kernel@vger.kernel.org Cc: Dmitry Safonov , Andy Lutomirski , Ard Biesheuvel , Bob Gilligan , David Ahern , Dmitry Safonov <0x7f454c46@gmail.com>, Eric Biggers , Francesco Ruggeri , Herbert Xu , Hideaki YOSHIFUJI , Ivan Delalande , Jakub Kicinski , Leonard Crestez , Paolo Abeni , Salam Noureddine , Shuah Khan , netdev@vger.kernel.org, linux-crypto@vger.kernel.org Subject: [PATCH 29/31] selftest/tcp-ao: Add test for TCP-AO add setsockopt() command Date: Thu, 18 Aug 2022 18:00:03 +0100 Message-Id: <20220818170005.747015-30-dima@arista.com> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220818170005.747015-1-dima@arista.com> References: <20220818170005.747015-1-dima@arista.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" Verify corner-cases for UAPI. Sample output: > # ./setsockopt-closed_ipv6 > 1..16 > # 9508[lib/setup.c:173] rand seed 1643819055 > TAP version 13 > ok 1 minimum size > ok 2 extended size > ok 3 bad algo > ok 4 bad ao flags > ok 5 empty prefix > ok 6 prefix, any addr > ok 7 no prefix, any addr > ok 8 too short prefix > ok 9 too big prefix > ok 10 too big maclen > ok 11 bad key flags > ok 12 too big keylen > not ok 13 duplicate: full copy: setsockopt() was expected to fail with 17 > ok 14 duplicate: any addr key on the socket > ok 15 duplicate: add any addr key > not ok 16 duplicate: add any addr for the same subnet: setsockopt() was e= xpected to fail with 17 Signed-off-by: Dmitry Safonov --- tools/testing/selftests/net/tcp_ao/Makefile | 3 +- .../selftests/net/tcp_ao/setsockopt-closed.c | 191 ++++++++++++++++++ 2 files changed, 193 insertions(+), 1 deletion(-) create mode 100644 tools/testing/selftests/net/tcp_ao/setsockopt-closed.c diff --git a/tools/testing/selftests/net/tcp_ao/Makefile b/tools/testing/se= lftests/net/tcp_ao/Makefile index 5064e34ebe38..a001dc2aed4e 100644 --- a/tools/testing/selftests/net/tcp_ao/Makefile +++ b/tools/testing/selftests/net/tcp_ao/Makefile @@ -1,5 +1,6 @@ # SPDX-License-Identifier: GPL-2.0 -TEST_BOTH_AF :=3D connect icmps-discard icmps-accept connect-deny +TEST_BOTH_AF :=3D connect icmps-discard icmps-accept connect-deny \ + setsockopt-closed =20 TEST_IPV4_PROGS :=3D $(TEST_BOTH_AF:%=3D%_ipv4) TEST_IPV6_PROGS :=3D $(TEST_BOTH_AF:%=3D%_ipv6) diff --git a/tools/testing/selftests/net/tcp_ao/setsockopt-closed.c b/tools= /testing/selftests/net/tcp_ao/setsockopt-closed.c new file mode 100644 index 000000000000..be2cbc407f60 --- /dev/null +++ b/tools/testing/selftests/net/tcp_ao/setsockopt-closed.c @@ -0,0 +1,191 @@ +// SPDX-License-Identifier: GPL-2.0 +/* Author: Dmitry Safonov */ +#include +#include "../../../../include/linux/kernel.h" +#include "aolib.h" + +static void clean_ao(int sk, struct tcp_ao *ao) +{ + struct tcp_ao_del ao_del =3D {}; + + ao_del.tcpa_sndid =3D ao->tcpa_sndid; + ao_del.tcpa_rcvid =3D ao->tcpa_rcvid; + ao_del.tcpa_prefix =3D ao->tcpa_prefix; + memcpy(&ao_del.tcpa_addr, &ao->tcpa_addr, sizeof(ao->tcpa_addr)); + + if (setsockopt(sk, IPPROTO_TCP, TCP_AO_DEL, &ao_del, sizeof(ao_del))) + test_error("setsockopt(TCP_AO_DEL) failed to clean"); + close(sk); +} + +static void setsockopt_checked(int sk, int optname, struct tcp_ao *ao, + int err, const char *tst) +{ + int ret; + + errno =3D 0; + ret =3D setsockopt(sk, IPPROTO_TCP, optname, ao, sizeof(*ao)); + if (ret =3D=3D -1) { + if (errno =3D=3D err) { + test_ok("%s", tst); + return; + } + test_fail("%s: setsockopt() returned %d", tst, err); + return; + } + + if (err) { + test_fail("%s: setsockopt() was expected to fail with %d", tst, err); + } else { + test_ok("%s", tst); + test_verify_socket_ao(sk, ao); + } + clean_ao(sk, ao); +} + +static int prepare_defs(struct tcp_ao *ao) +{ + int sk =3D socket(test_family, SOCK_STREAM, IPPROTO_TCP); + + if (sk < 0) + test_error("socket()"); + + if (test_prepare_def_ao(ao, "password", 0, this_ip_dest, -1, 100, 100)) + test_error("prepare default tcp_ao"); + + return sk; +} + +static void test_extend(void) +{ + struct tcp_ao ao; + struct { + struct tcp_ao ao; + char *extend[100]; + } ao_big =3D {}; + int ret, sk; + + sk =3D prepare_defs(&ao); + errno =3D 0; + ret =3D setsockopt(sk, IPPROTO_TCP, TCP_AO, + &ao, offsetof(struct tcp_ao, tcpa_key)); + if (!ret) { + test_fail("minminum size: accepted invalid size"); + clean_ao(sk, &ao); + } else if (errno !=3D EINVAL) { + test_fail("minminum size: failed with %d", errno); + } else { + test_ok("minimum size"); + } + + sk =3D prepare_defs(&ao_big.ao); + errno =3D 0; + ret =3D setsockopt(sk, IPPROTO_TCP, TCP_AO, &ao_big.ao, sizeof(ao_big)); + if (ret) { + test_fail("extended size: returned %d", ret); + } else { + test_ok("extended size"); + clean_ao(sk, &ao_big.ao); + } +} + +static void einval_tests(void) +{ + struct tcp_ao ao; + int sk; + + sk =3D prepare_defs(&ao); + strcpy(ao.tcpa_alg_name, "imaginary hash algo"); + setsockopt_checked(sk, TCP_AO, &ao, ENOENT, "bad algo"); + + sk =3D prepare_defs(&ao); + ao.tcpa_flags =3D (uint16_t)(-1); + setsockopt_checked(sk, TCP_AO, &ao, EINVAL, "bad ao flags"); + + sk =3D prepare_defs(&ao); + ao.tcpa_prefix =3D 0; + setsockopt_checked(sk, TCP_AO, &ao, EINVAL, "empty prefix"); + + sk =3D prepare_defs(&ao); + ao.tcpa_prefix =3D 32; + memcpy(&ao.tcpa_addr, &SOCKADDR_ANY, sizeof(SOCKADDR_ANY)); + setsockopt_checked(sk, TCP_AO, &ao, EINVAL, "prefix, any addr"); + + sk =3D prepare_defs(&ao); + ao.tcpa_prefix =3D 0; + memcpy(&ao.tcpa_addr, &SOCKADDR_ANY, sizeof(SOCKADDR_ANY)); + setsockopt_checked(sk, TCP_AO, &ao, 0, "no prefix, any addr"); + + sk =3D prepare_defs(&ao); + ao.tcpa_prefix =3D 2; + setsockopt_checked(sk, TCP_AO, &ao, EINVAL, "too short prefix"); + + sk =3D prepare_defs(&ao); + ao.tcpa_prefix =3D 129; + setsockopt_checked(sk, TCP_AO, &ao, EINVAL, "too big prefix"); + + sk =3D prepare_defs(&ao); + ao.tcpa_maclen =3D 100; + setsockopt_checked(sk, TCP_AO, &ao, EMSGSIZE, "too big maclen"); + + sk =3D prepare_defs(&ao); + ao.tcpa_keyflags =3D (uint8_t)(-1); + setsockopt_checked(sk, TCP_AO, &ao, EINVAL, "bad key flags"); + + sk =3D prepare_defs(&ao); + ao.tcpa_keylen =3D TCP_AO_MAXKEYLEN + 1; + setsockopt_checked(sk, TCP_AO, &ao, EINVAL, "too big keylen"); +} + +static void duplicate_tests(void) +{ + union tcp_addr network_dup; + struct tcp_ao ao, ao2; + int sk; + + sk =3D prepare_defs(&ao); + if (setsockopt(sk, IPPROTO_TCP, TCP_AO, &ao, sizeof(ao))) + test_error("setsockopt()"); + setsockopt_checked(sk, TCP_AO, &ao, EEXIST, "duplicate: full copy"); + + sk =3D prepare_defs(&ao); + ao2 =3D ao; + memcpy(&ao2.tcpa_addr, &SOCKADDR_ANY, sizeof(SOCKADDR_ANY)); + ao2.tcpa_prefix =3D 0; + if (setsockopt(sk, IPPROTO_TCP, TCP_AO, &ao2, sizeof(ao))) + test_error("setsockopt()"); + setsockopt_checked(sk, TCP_AO, &ao, EEXIST, "duplicate: any addr key on t= he socket"); + + sk =3D prepare_defs(&ao); + if (setsockopt(sk, IPPROTO_TCP, TCP_AO, &ao, sizeof(ao))) + test_error("setsockopt()"); + memcpy(&ao.tcpa_addr, &SOCKADDR_ANY, sizeof(SOCKADDR_ANY)); + ao.tcpa_prefix =3D 0; + setsockopt_checked(sk, TCP_AO, &ao, EEXIST, "duplicate: add any addr key"= ); + + + if (inet_pton(TEST_FAMILY, TEST_NETWORK, &network_dup) !=3D 1) + test_error("Can't convert ip address %s", TEST_NETWORK); + sk =3D prepare_defs(&ao); + if (setsockopt(sk, IPPROTO_TCP, TCP_AO, &ao, sizeof(ao))) + test_error("setsockopt()"); + if (test_prepare_def_ao(&ao, "password", 0, network_dup, 16, 100, 100)) + test_error("prepare default tcp_ao"); + setsockopt_checked(sk, TCP_AO, &ao, EEXIST, "duplicate: add any addr for = the same subnet"); +} + + +static void *client_fn(void *arg) +{ + test_extend(); + einval_tests(); + duplicate_tests(); + + return NULL; +} + +int main(int argc, char *argv[]) +{ + test_init(16, client_fn, NULL); + return 0; +} --=20 2.37.2 From nobody Fri Apr 10 21:51:38 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5427AC00140 for ; Thu, 18 Aug 2022 17:04:43 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1345507AbiHRREl (ORCPT ); Thu, 18 Aug 2022 13:04:41 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35032 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1345326AbiHRRCC (ORCPT ); Thu, 18 Aug 2022 13:02:02 -0400 Received: from mail-wm1-x32d.google.com (mail-wm1-x32d.google.com [IPv6:2a00:1450:4864:20::32d]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E3254C7B8D for ; Thu, 18 Aug 2022 10:00:59 -0700 (PDT) Received: by mail-wm1-x32d.google.com with SMTP id v7-20020a1cac07000000b003a6062a4f81so2899081wme.1 for ; Thu, 18 Aug 2022 10:00:59 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=arista.com; s=google; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc; bh=U38qHd/2cGlOOAg9pewo5FAQzc3pYM6VmdaPe+uIwj8=; b=RQd+UFIs0SItVBdpap6AY/bqtkLF6gQ7kPCFT2t/uc6OaxbIMNc0fvu2koX9/fZovt kIuNGj6aqCXoSc8Pzi+cALXicvAV59guElq29dlBWi8B0faouQKgng+Io6oF4tMSuv2Z psxmKmWudXEQLPwPArFDPDI6/ZfjzMA3wxrGk/yNBEHht93btOp7ak+N0Z3rrQudrBu+ 78qN25ylO3h/dWpdPV4R7sUujRI9hWAiBLXNc8LktmLNO1m5X1yoG2cfijbBsqqgJsvX 74t7hbMLY3mBL+gdwmnnPdbSSCUs44TfhCTndomcjyu/0JF9s51rSlavFvGuO6JSHCf7 QemA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc; bh=U38qHd/2cGlOOAg9pewo5FAQzc3pYM6VmdaPe+uIwj8=; b=XtANSP7ZerxQUrs26GbvWPNGH3svuNMtrwce2C2ujgfXqMEGsonDWpNJ/ez0iGibOf jM8WiNvkAksR2c8iOV7DHfFMmYBvwhoJ3G34jEVqDu7xEzzcyNZsu7heDAMt2bdTp23z vLpDU1UPylC4GaF4siWEw/PPbKdpW3BpgzFIW8hu4JG8klJXoblvKQE6IQ9C6FpXIbEB qzDJWpv3Ccr8IpgPRP8XK6ctXLrXLewOQX8jWNXXU9HCBo8VuUv735m7HT6ZSS8lVRSV y8G5t2BiYGJwoGbsOUa0ZrspVbifyOR84EYy/y1AbztPTQ5SNo8FJpLUCWRfJsLb4/IM QmeA== X-Gm-Message-State: ACgBeo3P2AdISZJ36zBqAIXCy+EB2WIo4obrQGmeCTSY0yodpZCSxFzF 3QQi0MVG1t4g3BZzGTeJ8Z8o6A== X-Google-Smtp-Source: AA6agR41YtCFfv/EsSG0bgllPR+qSDHdhEhW2gheQ0gifo1FbARk9CeevXX5xGmRsopK3bRFn2t8lw== X-Received: by 2002:a1c:ed05:0:b0:3a5:3af:f5c3 with SMTP id l5-20020a1ced05000000b003a503aff5c3mr2495651wmh.52.1660842057922; Thu, 18 Aug 2022 10:00:57 -0700 (PDT) Received: from Mindolluin.ire.aristanetworks.com ([217.173.96.166]) by smtp.gmail.com with ESMTPSA id be13-20020a05600c1e8d00b003a511e92abcsm2662169wmb.34.2022.08.18.10.00.56 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 18 Aug 2022 10:00:57 -0700 (PDT) From: Dmitry Safonov To: Eric Dumazet , "David S. Miller" , linux-kernel@vger.kernel.org Cc: Dmitry Safonov , Andy Lutomirski , Ard Biesheuvel , Bob Gilligan , David Ahern , Dmitry Safonov <0x7f454c46@gmail.com>, Eric Biggers , Francesco Ruggeri , Herbert Xu , Hideaki YOSHIFUJI , Ivan Delalande , Jakub Kicinski , Leonard Crestez , Paolo Abeni , Salam Noureddine , Shuah Khan , netdev@vger.kernel.org, linux-crypto@vger.kernel.org Subject: [PATCH 30/31] selftests/tcp-ao: Add TCP-AO + TCP-MD5 + no sign listen socket tests Date: Thu, 18 Aug 2022 18:00:04 +0100 Message-Id: <20220818170005.747015-31-dima@arista.com> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220818170005.747015-1-dima@arista.com> References: <20220818170005.747015-1-dima@arista.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" The test plan was (most of tests have all 3 client types): 1. TCP-AO listen (INADDR_ANY) 2. TCP-MD5 listen (INADDR_ANY) 3. non-signed listen (INADDR_ANY) 4. TCP-AO + TCP-MD5 listen (prefix) 5. TCP-AO subprefix add failure [checked in setsockopt-closed.c] 6. TCP-AO out of prefix connect [checked in connect-deny.c] 7. TCP-AO + TCP-MD5 on connect() 8. TCP-AO intersect with TCP-MD5 failure 9. Established TCP-AO: add TCP-MD5 key 10. Established TCP-MD5: add TCP-AO key 11. Established non-signed: add TCP-AO key Output produced: 1..42 TAP version 13 ok 1 AO server (INADDR_ANY): AO client: connected ok 2 AO server (INADDR_ANY): AO client: counter TCPAOGood increased 0 =3D> 2 ok 3 AO server (INADDR_ANY): MD5 client ok 4 AO server (INADDR_ANY): MD5 client: counter TCPMD5Unexpected increased= 0 =3D> 1 ok 5 AO server (INADDR_ANY): no sign client: counter TCPAORequired increase= d 0 =3D> 1 ok 6 AO server (INADDR_ANY): unsigned client ok 7 MD5 server (INADDR_ANY): AO client: counter TCPAOKeyNotFound increased= 0 =3D> 1 ok 8 MD5 server (INADDR_ANY): AO client ok 9 MD5 server (INADDR_ANY): MD5 client: connected ok 10 MD5 server (INADDR_ANY): no sign client: counter TCPMD5NotFound incre= ased 0 =3D> 1 ok 11 MD5 server (INADDR_ANY): no sign client ok 12 no sign server: AO client ok 13 no sign server: AO client: counter TCPAOKeyNotFound increased 1 =3D> 2 ok 14 no sign server: MD5 client ok 15 no sign server: MD5 client: counter TCPMD5Unexpected increased 1 =3D>= 2 ok 16 no sign server: no sign client: connected ok 17 no sign server: no sign client: counter CurrEstab increased 0 =3D> 1 ok 18 AO+MD5 server: AO client (matching): connected ok 19 AO+MD5 server: AO client (matching): counter TCPAOGood increased 4 = =3D> 6 ok 20 AO+MD5 server: AO client (misconfig, matching MD5) ok 21 AO+MD5 server: AO client (misconfig, matching MD5): counter TCPAOKeyN= otFound increased 2 =3D> 3 ok 22 AO+MD5 server: AO client (misconfig, non-matching): counter TCPAOKeyN= otFound increased 3 =3D> 4 ok 23 AO+MD5 server: AO client (misconfig, non-matching) ok 24 AO+MD5 server: MD5 client (matching): connected ok 25 AO+MD5 server: MD5 client (misconfig, matching AO) ok 26 AO+MD5 server: MD5 client (misconfig, matching AO): counter TCPMD5Une= xpected increased 2 =3D> 3 ok 27 AO+MD5 server: MD5 client (misconfig, non-matching): counter TCPMD5Un= expected increased 3 =3D> 4 ok 28 AO+MD5 server: MD5 client (misconfig, non-matching) ok 29 AO+MD5 server: no sign client (unmatched): connected ok 30 AO+MD5 server: no sign client (unmatched): counter CurrEstab increase= d 0 =3D> 1 ok 31 AO+MD5 server: no sign client (misconfig, matching AO) ok 32 AO+MD5 server: no sign client (misconfig, matching AO): counter TCPAO= Required increased 1 =3D> 2 ok 33 AO+MD5 server: no sign client (misconfig, matching MD5) ok 34 AO+MD5 server: no sign client (misconfig, matching MD5): counter TCPM= D5NotFound increased 1 =3D> 2 ok 35 AO+MD5 server: client with both [TCP-MD5] and TCP-AO keys: connect() = was prevented ok 36 AO+MD5 server: client with both TCP-MD5 and [TCP-AO] keys: connect() = was prevented ok 37 TCP-AO established: add TCP-MD5 key: postfailed as expected ok 38 TCP-AO established: add TCP-MD5 key: counter TCPAOGood increased 7 = =3D> 9 ok 39 TCP-MD5 established: add TCP-AO key: postfailed as expected ok 40 non-signed established: add TCP-AO key: postfailed as expected ok 41 non-signed established: add TCP-AO key: counter CurrEstab increased 0= =3D> 1 ok 42 TCP-AO key intersects with TCP-MD5 key: prefailed as expected Signed-off-by: Dmitry Safonov --- tools/testing/selftests/net/tcp_ao/Makefile | 2 +- .../selftests/net/tcp_ao/unsigned-md5.c | 483 ++++++++++++++++++ 2 files changed, 484 insertions(+), 1 deletion(-) create mode 100644 tools/testing/selftests/net/tcp_ao/unsigned-md5.c diff --git a/tools/testing/selftests/net/tcp_ao/Makefile b/tools/testing/se= lftests/net/tcp_ao/Makefile index a001dc2aed4e..da44966f3687 100644 --- a/tools/testing/selftests/net/tcp_ao/Makefile +++ b/tools/testing/selftests/net/tcp_ao/Makefile @@ -1,6 +1,6 @@ # SPDX-License-Identifier: GPL-2.0 TEST_BOTH_AF :=3D connect icmps-discard icmps-accept connect-deny \ - setsockopt-closed + setsockopt-closed unsigned-md5 =20 TEST_IPV4_PROGS :=3D $(TEST_BOTH_AF:%=3D%_ipv4) TEST_IPV6_PROGS :=3D $(TEST_BOTH_AF:%=3D%_ipv6) diff --git a/tools/testing/selftests/net/tcp_ao/unsigned-md5.c b/tools/test= ing/selftests/net/tcp_ao/unsigned-md5.c new file mode 100644 index 000000000000..d62c47617dbf --- /dev/null +++ b/tools/testing/selftests/net/tcp_ao/unsigned-md5.c @@ -0,0 +1,483 @@ +// SPDX-License-Identifier: GPL-2.0 +/* Author: Dmitry Safonov */ +#include +#include "aolib.h" +#include "../../../../include/linux/bits.h" + +typedef uint8_t fault_t; +#define F_TIMEOUT 1 +#define F_KEYREJECT 2 +#define F_PREINSTALL 3 +#define F_POSTINSTALL 4 + +#define fault(type) (inj =3D=3D type) + +static const char *md5_password =3D "Some evil genius, enemy to mankind, m= ust have been the first contriver."; +static const char *ao_password =3D "In this hour, I do not believe that an= y darkness will endure."; + +static union tcp_addr client2; +static union tcp_addr client3; + +static int test_set_md5(int sk, const union tcp_addr in_addr, uint8_t pref= ix) +{ + size_t pwd_len =3D strlen(md5_password); + struct tcp_md5sig md5sig =3D {}; +#ifdef IPV6_TEST + struct sockaddr_in6 addr =3D { + .sin6_family =3D AF_INET6, + .sin6_port =3D 0, + .sin6_addr =3D in_addr.a6, + }; +#else + struct sockaddr_in addr =3D { + .sin_family =3D AF_INET, + .sin_port =3D 0, + .sin_addr =3D in_addr.a4, + }; +#endif + + if (prefix > DEFAULT_TEST_PREFIX) + prefix =3D DEFAULT_TEST_PREFIX; + + md5sig.tcpm_keylen =3D pwd_len; + memcpy(md5sig.tcpm_key, md5_password, pwd_len); + md5sig.tcpm_flags =3D TCP_MD5SIG_FLAG_PREFIX; + md5sig.tcpm_prefixlen =3D prefix; + memcpy(&md5sig.tcpm_addr, &addr, sizeof(addr)); + + return setsockopt(sk, IPPROTO_TCP, TCP_MD5SIG_EXT, + &md5sig, sizeof(md5sig)); +} + +static void try_accept(const char *tst_name, unsigned port, + union tcp_addr *md5_addr, uint8_t md5_prefix, + union tcp_addr *ao_addr, uint8_t ao_prefix, + uint8_t sndid, uint8_t rcvid, const char *cnt_name, + fault_t inj) +{ + uint64_t before_cnt, after_cnt; + int lsk, err, sk =3D 0; + time_t timeout; + + lsk =3D test_listen_socket(this_ip_addr, port, 1); + + if (md5_addr && test_set_md5(lsk, *md5_addr, md5_prefix)) + test_error("setsockopt(TCP_MD5SIG_EXT)"); + + if (ao_addr && test_set_ao(lsk, ao_password, 0, *ao_addr, + ao_prefix, sndid, rcvid)) + test_error("setsockopt(TCP_AO)"); + + if (cnt_name) + before_cnt =3D netstat_get_one(cnt_name, NULL); + + synchronize_threads(); /* preparations done */ + + timeout =3D fault(F_TIMEOUT) ? TEST_RETRANSMIT_SEC : TEST_TIMEOUT_SEC; + err =3D test_wait_fd(lsk, timeout, 0); + if (err < 0) + test_error("test_wait_fd()"); + else if (!err) { + if (!fault(F_TIMEOUT)) + test_fail("timeouted for accept()"); + } else { + if (fault(F_TIMEOUT)) + test_fail("ready to accept"); + + sk =3D accept(lsk, NULL, NULL); + if (sk < 0) { + test_error("accept()"); + } else { + if (fault(F_TIMEOUT)) + test_fail("%s: accepted", tst_name); + } + } + + close(lsk); + + if (!cnt_name) + goto out; + + after_cnt =3D netstat_get_one(cnt_name, NULL); + + if (after_cnt <=3D before_cnt) { + test_fail("%s: %s counter did not increase: %zu <=3D %zu", + tst_name, cnt_name, after_cnt, before_cnt); + } else { + test_ok("%s: counter %s increased %zu =3D> %zu", + tst_name, cnt_name, before_cnt, after_cnt); + } + +out: + synchronize_threads(); /* close() */ + if (sk > 0) + close(sk); +} + +static void server_add_routes(void) +{ + int family =3D TEST_FAMILY; + + synchronize_threads(); /* client_add_ips() */ + + if (ip_route_add(veth_name, family, this_ip_addr, client2)) + test_error("Failed to add route"); + if (ip_route_add(veth_name, family, this_ip_addr, client3)) + test_error("Failed to add route"); +} + +static void server_add_fail_tests(unsigned *port) +{ + union tcp_addr addr_any =3D {}; + + try_accept("TCP-AO established: add TCP-MD5 key", (*port)++, NULL, 0, + &addr_any, 0, 100, 100, "TCPAOGood", 0); + try_accept("TCP-MD5 established: add TCP-AO key", (*port)++, &addr_any, 0, + NULL, 0, 0, 0, NULL, 0); + try_accept("non-signed established: add TCP-AO key", (*port)++, NULL, 0, + NULL, 0, 0, 0, "CurrEstab", 0); +} + +static void *server_fn(void *arg) +{ + unsigned port =3D test_server_port; + union tcp_addr addr_any =3D {}; + + server_add_routes(); + + try_accept("AO server (INADDR_ANY): AO client", port++, NULL, 0, + &addr_any, 0, 100, 100, "TCPAOGood", 0); + try_accept("AO server (INADDR_ANY): MD5 client", port++, NULL, 0, + &addr_any, 0, 100, 100, "TCPMD5Unexpected", F_TIMEOUT); + try_accept("AO server (INADDR_ANY): no sign client", port++, NULL, 0, + &addr_any, 0, 100, 100, "TCPAORequired", F_TIMEOUT); + + try_accept("MD5 server (INADDR_ANY): AO client", port++, &addr_any, 0, + NULL, 0, 0, 0, "TCPAOKeyNotFound", F_TIMEOUT); + try_accept("MD5 server (INADDR_ANY): MD5 client", port++, &addr_any, 0, + NULL, 0, 0, 0, NULL, 0); + try_accept("MD5 server (INADDR_ANY): no sign client", port++, &addr_any, = 0, + NULL, 0, 0, 0, "TCPMD5NotFound", F_TIMEOUT); + + try_accept("no sign server: AO client", port++, NULL, 0, + NULL, 0, 0, 0, "TCPAOKeyNotFound", F_TIMEOUT); + try_accept("no sign server: MD5 client", port++, NULL, 0, + NULL, 0, 0, 0, "TCPMD5Unexpected", F_TIMEOUT); + try_accept("no sign server: no sign client", port++, NULL, 0, + NULL, 0, 0, 0, "CurrEstab", 0); + + try_accept("AO+MD5 server: AO client (matching)", port++, + &this_ip_dest, TEST_PREFIX, &client2, TEST_PREFIX, + 100, 100, "TCPAOGood", 0); + try_accept("AO+MD5 server: AO client (misconfig, matching MD5)", port++, + &this_ip_dest, TEST_PREFIX, &client2, TEST_PREFIX, + 100, 100, "TCPAOKeyNotFound", F_TIMEOUT); + try_accept("AO+MD5 server: AO client (misconfig, non-matching)", port++, + &this_ip_dest, TEST_PREFIX, &client2, TEST_PREFIX, + 100, 100, "TCPAOKeyNotFound", F_TIMEOUT); + try_accept("AO+MD5 server: MD5 client (matching)", port++, + &this_ip_dest, TEST_PREFIX, &client2, TEST_PREFIX, + 100, 100, NULL, 0); + try_accept("AO+MD5 server: MD5 client (misconfig, matching AO)", port++, + &this_ip_dest, TEST_PREFIX, &client2, TEST_PREFIX, + 100, 100, "TCPMD5Unexpected", F_TIMEOUT); + try_accept("AO+MD5 server: MD5 client (misconfig, non-matching)", port++, + &this_ip_dest, TEST_PREFIX, &client2, TEST_PREFIX, + 100, 100, "TCPMD5Unexpected", F_TIMEOUT); + try_accept("AO+MD5 server: no sign client (unmatched)", port++, + &this_ip_dest, TEST_PREFIX, &client2, TEST_PREFIX, + 100, 100, "CurrEstab", 0); + try_accept("AO+MD5 server: no sign client (misconfig, matching AO)", + port++, &this_ip_dest, TEST_PREFIX, &client2, TEST_PREFIX, + 100, 100, "TCPAORequired", F_TIMEOUT); + try_accept("AO+MD5 server: no sign client (misconfig, matching MD5)", + port++, &this_ip_dest, TEST_PREFIX, &client2, TEST_PREFIX, + 100, 100, "TCPMD5NotFound", F_TIMEOUT); + + try_accept("AO+MD5 server: client with both [TCP-MD5] and TCP-AO keys", + port++, &this_ip_dest, TEST_PREFIX, &client2, TEST_PREFIX, + 100, 100, NULL, F_TIMEOUT); + try_accept("AO+MD5 server: client with both TCP-MD5 and [TCP-AO] keys", + port++, &this_ip_dest, TEST_PREFIX, &client2, TEST_PREFIX, + 100, 100, NULL, F_TIMEOUT); + + server_add_fail_tests(&port); + + /* client exits */ + synchronize_threads(); + return NULL; +} + +static int client_bind(int sk, union tcp_addr bind_addr) +{ +#ifdef IPV6_TEST + struct sockaddr_in6 addr =3D { + .sin6_family =3D AF_INET6, + .sin6_port =3D 0, + .sin6_addr =3D bind_addr.a6, + }; +#else + struct sockaddr_in addr =3D { + .sin_family =3D AF_INET, + .sin_port =3D 0, + .sin_addr =3D bind_addr.a4, + }; +#endif + return bind(sk, &addr, sizeof(addr)); +} + +static void try_connect(const char *tst_name, unsigned port, + union tcp_addr *md5_addr, uint8_t md5_prefix, + union tcp_addr *ao_addr, uint8_t ao_prefix, + uint8_t sndid, uint8_t rcvid, fault_t inj, + union tcp_addr *bind_addr) +{ + time_t timeout; + int sk, ret; + + sk =3D socket(test_family, SOCK_STREAM, IPPROTO_TCP); + if (sk < 0) + test_error("socket()"); + + if (bind_addr && client_bind(sk, *bind_addr)) + test_error("bind()"); + + if (md5_addr && test_set_md5(sk, *md5_addr, md5_prefix)) + test_error("setsockopt(TCP_MD5SIG_EXT)"); + + if (ao_addr && test_set_ao(sk, ao_password, 0, *ao_addr, + ao_prefix, sndid, rcvid)) + test_error("setsockopt(TCP_AO)"); + + synchronize_threads(); /* preparations done */ + + timeout =3D fault(F_TIMEOUT) ? TEST_RETRANSMIT_SEC : TEST_TIMEOUT_SEC; + ret =3D _test_connect_socket(sk, this_ip_dest, port, timeout); + + if (ret < 0) { + if (fault(F_KEYREJECT) && ret =3D=3D -EKEYREJECTED) { + test_ok("%s: connect() was prevented", tst_name); + goto out; + } else if (ret =3D=3D -ECONNREFUSED && + (fault(F_TIMEOUT) || fault(F_KEYREJECT))) { + test_ok("%s: refused to connect", tst_name); + goto out; + } else { + test_error("%s: connect() returned %d", tst_name, ret); + } + } + + if (ret =3D=3D 0) { + if (fault(F_TIMEOUT)) + test_ok("%s", tst_name); + else + test_fail("%s: failed to connect()", tst_name); + } else { + if (fault(F_TIMEOUT) || fault(F_KEYREJECT)) + test_fail("%s: connected", tst_name); + else + test_ok("%s: connected", tst_name); + } + +out: + synchronize_threads(); /* close() */ + /* _test_connect_socket() cleans up on failure */ + if (ret > 0) + close(sk); +} + +#define PREINSTALL_MD5 BIT(1) +#define POSTINSTALL_MD5 BIT(2) +#define PREINSTALL_AO BIT(3) +#define POSTINSTALL_AO BIT(4) + +static void try_to_add(const char *tst_name, unsigned port, + unsigned strategy, + union tcp_addr md5_addr, uint8_t md5_prefix, + union tcp_addr ao_addr, uint8_t ao_prefix, + uint8_t sndid, uint8_t rcvid, fault_t inj) +{ + time_t timeout; + int sk, ret; + + sk =3D socket(test_family, SOCK_STREAM, IPPROTO_TCP); + if (sk < 0) + test_error("socket()"); + + if (client_bind(sk, this_ip_addr)) + test_error("bind()"); + + if (strategy & PREINSTALL_MD5) { + if (test_set_md5(sk, md5_addr, md5_prefix)) + test_error("setsockopt(TCP_MD5SIG_EXT)"); + } + + if (strategy & PREINSTALL_AO) { + if (test_set_ao(sk, ao_password, 0, ao_addr, + ao_prefix, sndid, rcvid)) { + if (fault(F_PREINSTALL)) { + test_ok("%s: prefailed as expected", tst_name); + goto out_no_sync; + } else { + test_error("setsockopt(TCP_AO)"); + } + } else if (fault(F_PREINSTALL)) { + test_fail("%s: setsockopt()s were expected to fail", tst_name); + goto out_no_sync; + } + } + + synchronize_threads(); /* preparations done */ + + timeout =3D fault(F_TIMEOUT) ? TEST_RETRANSMIT_SEC : TEST_TIMEOUT_SEC; + ret =3D _test_connect_socket(sk, this_ip_dest, port, timeout); + + if (ret <=3D 0) { + test_error("%s: connect() returned %d", tst_name, ret); + goto out; + } + + if (strategy & POSTINSTALL_MD5) { + if (test_set_md5(sk, md5_addr, md5_prefix)) { + if (fault(F_POSTINSTALL)) { + test_ok("%s: postfailed as expected", tst_name); + goto out; + } else { + test_error("setsockopt(TCP_MD5SIG_EXT)"); + } + } else if (fault(F_POSTINSTALL)) { + test_fail("%s: post setsockopt() was expected to fail", tst_name); + goto out; + } + } + + if (strategy & POSTINSTALL_AO) { + if (test_set_ao(sk, ao_password, 0, ao_addr, + ao_prefix, sndid, rcvid)) { + if (fault(F_POSTINSTALL)) { + test_ok("%s: postfailed as expected", tst_name); + goto out; + } else { + test_error("setsockopt(TCP_AO)"); + } + } else if (fault(F_POSTINSTALL)) { + test_fail("%s: post setsockopt() was expected to fail", tst_name); + goto out; + } + } + +out: + synchronize_threads(); /* close() */ +out_no_sync: + /* _test_connect_socket() cleans up on failure */ + if (ret > 0) + close(sk); +} + +static void client_add_ip(union tcp_addr *client, const char *ip) +{ + int family =3D TEST_FAMILY; + + if (inet_pton(family, ip, client) !=3D 1) + test_error("Can't convert ip address %s", ip); + + if (ip_addr_add(veth_name, family, *client, TEST_PREFIX)) + test_error("Failed to add ip address"); + if (ip_route_add(veth_name, family, *client, this_ip_dest)) + test_error("Failed to add route"); +} + +static void client_add_ips(void) +{ + client_add_ip(&client2, __TEST_CLIENT_IP(2)); + client_add_ip(&client3, __TEST_CLIENT_IP(3)); + synchronize_threads(); /* server_add_routes() */ +} + +static void client_add_fail_tests(unsigned *port) +{ + try_to_add("TCP-AO established: add TCP-MD5 key", + (*port)++, POSTINSTALL_MD5 | PREINSTALL_AO, + this_ip_dest, TEST_PREFIX, this_ip_dest, TEST_PREFIX, + 100, 100, F_POSTINSTALL); + try_to_add("TCP-MD5 established: add TCP-AO key", + (*port)++, PREINSTALL_MD5 | POSTINSTALL_AO, + this_ip_dest, TEST_PREFIX, this_ip_dest, TEST_PREFIX, + 100, 100, F_POSTINSTALL); + try_to_add("non-signed established: add TCP-AO key", + (*port)++, POSTINSTALL_AO, + this_ip_dest, TEST_PREFIX, this_ip_dest, TEST_PREFIX, + 100, 100, F_POSTINSTALL); + + try_to_add("TCP-AO key intersects with TCP-MD5 key", + (*port), PREINSTALL_MD5 | PREINSTALL_AO, + this_ip_addr, TEST_PREFIX, this_ip_addr, TEST_PREFIX, + 100, 100, F_PREINSTALL); +} + +static void *client_fn(void *arg) +{ + unsigned port =3D test_server_port; + union tcp_addr addr_any =3D {}; + + client_add_ips(); + + try_connect("AO server (INADDR_ANY): AO client", port++, NULL, 0, + &addr_any, 0, 100, 100, 0, &this_ip_addr); + try_connect("AO server (INADDR_ANY): MD5 client", port++, &addr_any, 0, + NULL, 0, 100, 100, F_TIMEOUT, &this_ip_addr); + try_connect("AO server (INADDR_ANY): unsigned client", port++, NULL, 0, + NULL, 0, 100, 100, F_TIMEOUT, &this_ip_addr); + + try_connect("MD5 server (INADDR_ANY): AO client", port++, NULL, 0, + &addr_any, 0, 100, 100, F_TIMEOUT, &this_ip_addr); + try_connect("MD5 server (INADDR_ANY): MD5 client", port++, &addr_any, 0, + NULL, 0, 100, 100, 0, &this_ip_addr); + try_connect("MD5 server (INADDR_ANY): no sign client", port++, NULL, 0, + NULL, 0, 100, 100, F_TIMEOUT, &this_ip_addr); + + try_connect("no sign server: AO client", port++, NULL, 0, + &addr_any, 0, 100, 100, F_TIMEOUT, &this_ip_addr); + try_connect("no sign server: MD5 client", port++, &addr_any, 0, + NULL, 0, 100, 100, F_TIMEOUT, &this_ip_addr); + try_connect("no sign server: no sign client", port++, NULL, 0, + NULL, 0, 100, 100, 0, &this_ip_addr); + + try_connect("AO+MD5 server: AO client (matching)", port++, NULL, 0, + &addr_any, 0, 100, 100, 0, &client2); + try_connect("AO+MD5 server: AO client (misconfig, matching MD5)", + port++, NULL, 0, &addr_any, 0, 100, 100, + F_TIMEOUT, &this_ip_addr); + try_connect("AO+MD5 server: AO client (misconfig, non-matching)", + port++, NULL, 0, &addr_any, 0, 100, 100, + F_TIMEOUT, &client3); + try_connect("AO+MD5 server: MD5 client (matching)", port++, &addr_any, 0, + NULL, 0, 100, 100, 0, &this_ip_addr); + try_connect("AO+MD5 server: MD5 client (misconfig, matching AO)", + port++, &addr_any, 0, NULL, 0, 100, 100, F_TIMEOUT, &client2); + try_connect("AO+MD5 server: MD5 client (misconfig, non-matching)", + port++, &addr_any, 0, NULL, 0, 100, 100, F_TIMEOUT, &client3); + try_connect("AO+MD5 server: no sign client (unmatched)", + port++, NULL, 0, NULL, 0, 100, 100, 0, &client3); + try_connect("AO+MD5 server: no sign client (misconfig, matching AO)", + port++, NULL, 0, NULL, 0, 100, 100, F_TIMEOUT, &client2); + try_connect("AO+MD5 server: no sign client (misconfig, matching MD5)", + port++, NULL, 0, NULL, 0, 100, 100, F_TIMEOUT, &this_ip_addr); + + try_connect("AO+MD5 server: client with both [TCP-MD5] and TCP-AO keys", + port++, &this_ip_addr, TEST_PREFIX, + &client2, TEST_PREFIX, 100, 100, F_KEYREJECT, &this_ip_addr); + try_connect("AO+MD5 server: client with both TCP-MD5 and [TCP-AO] keys", + port++, &this_ip_addr, TEST_PREFIX, + &client2, TEST_PREFIX, 100, 100, F_KEYREJECT, &client2); + + client_add_fail_tests(&port); + + return NULL; +} + +int main(int argc, char *argv[]) +{ + test_init(42, server_fn, client_fn); + return 0; +} --=20 2.37.2 From nobody Fri Apr 10 21:51:38 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2306AC00140 for ; Thu, 18 Aug 2022 17:04:50 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1345512AbiHRREr (ORCPT ); Thu, 18 Aug 2022 13:04:47 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33630 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1345328AbiHRRCC (ORCPT ); Thu, 18 Aug 2022 13:02:02 -0400 Received: from mail-wm1-x336.google.com (mail-wm1-x336.google.com [IPv6:2a00:1450:4864:20::336]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E3549CAC9F for ; Thu, 18 Aug 2022 10:00:59 -0700 (PDT) Received: by mail-wm1-x336.google.com with SMTP id ay12so1134018wmb.1 for ; Thu, 18 Aug 2022 10:00:59 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=arista.com; s=google; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc; bh=vGJ3kSV/z/TY65CJkdoX1ty3nkbmUWg0sp73bEAPcbA=; b=PAKnbCxzEPjKKW8rQZu8e88trGKV/fqMnjKHbjjMMqV3BcNsDJXiKH2AXuI8XOFruU iRCafCjXQxnb0+POUBqsDg63j21LCUIfjyUij2EiD45SlF5IcZZAwvzzcrBIYZZIgvTc AalNfgI5T7J9WSZ2sbEqK5iW/qjLM28JisLtLK4VgHjR2tHgkUdZ0tm+moXKCMg3Te4c X7VTqIyCgZP5GHTO63jHjyjfzVh9AJIdBM+bhLiMRbXDUh/PXdawezqqJ+FxtqW6lvo9 mrsVrMg1x448DKOsyNdFRqL/bIEIMGbeQhOZ8ZtxW6j4uO6+Tz2cQCSBF/WlEAjRzmd4 WJ3Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc; bh=vGJ3kSV/z/TY65CJkdoX1ty3nkbmUWg0sp73bEAPcbA=; b=YJ8UHHiXn9CRqmqvOTqemoK18oBzHjlvOXTbD8nX6EoHu+CnMVDymL9158pWZxYgve SHDOq003yqeHqNVilmZUDhLJyLvQETmEsUiykA7W6revBOrOdn4BdvA7EENr8arDLnNv tEMdIsGKp/KkzFWB9yZ3oXemOr66lL6GzShRG3m7GHdfmSRFlKkM1+DuyhdFNJItp1aL /k33wszDOux70juRMdbAYZH+tWW+GeIgk4HOPEzUS4B5BS/j1Qu02UaprbkD0rGI0McB urf5UIEqJwAlOd5xg8kTgNCnNkiamhHEUo0bQ1Qf2bNVERKQnGnVAuN0uSnMBLT0Yr83 9uLg== X-Gm-Message-State: ACgBeo1VI/cFKJDBvciDPWvJMSVDJKrEtxn5F1oSSd0ZfHeE+/vkeJ4J VjvnImY5NyTJegKHN3p60lo4vA== X-Google-Smtp-Source: AA6agR5JSdaI9bPTfugpkhEIC8ftyWaZ99ZRXRF7BxYWMWvNsktzFJ24qQazTIKhwI6axSPP7UqgFQ== X-Received: by 2002:a1c:a187:0:b0:3a5:e055:715b with SMTP id k129-20020a1ca187000000b003a5e055715bmr2516003wme.171.1660842059332; Thu, 18 Aug 2022 10:00:59 -0700 (PDT) Received: from Mindolluin.ire.aristanetworks.com ([217.173.96.166]) by smtp.gmail.com with ESMTPSA id be13-20020a05600c1e8d00b003a511e92abcsm2662169wmb.34.2022.08.18.10.00.58 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 18 Aug 2022 10:00:58 -0700 (PDT) From: Dmitry Safonov To: Eric Dumazet , "David S. Miller" , linux-kernel@vger.kernel.org Cc: Dmitry Safonov , Andy Lutomirski , Ard Biesheuvel , Bob Gilligan , David Ahern , Dmitry Safonov <0x7f454c46@gmail.com>, Eric Biggers , Francesco Ruggeri , Herbert Xu , Hideaki YOSHIFUJI , Ivan Delalande , Jakub Kicinski , Leonard Crestez , Paolo Abeni , Salam Noureddine , Shuah Khan , netdev@vger.kernel.org, linux-crypto@vger.kernel.org Subject: [PATCH 31/31] selftests/aolib: Add test/benchmark for removing MKTs Date: Thu, 18 Aug 2022 18:00:05 +0100 Message-Id: <20220818170005.747015-32-dima@arista.com> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220818170005.747015-1-dima@arista.com> References: <20220818170005.747015-1-dima@arista.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" Sample output: > 1..36 > # 1106[lib/setup.c:207] rand seed 1660754406 > TAP version 13 > ok 1 Worst case connect 512 keys: min=3D0ms max=3D1ms mean=3D0.58= 3329ms stddev=3D0.076376 > ok 2 Connect random-search 512 keys: min=3D0ms max=3D1ms mean=3D0.53= 412ms stddev=3D0.0516779 > ok 3 Worst case delete 512 keys: min=3D2ms max=3D11ms mean=3D6.0= 4139ms stddev=3D0.245792 > ok 4 Add a new key 512 keys: min=3D0ms max=3D13ms mean=3D0.6= 73415ms stddev=3D0.0820618 > ok 5 Remove random-search 512 keys: min=3D5ms max=3D9ms mean=3D6.65= 969ms stddev=3D0.258064 > ok 6 Remove async 512 keys: min=3D0ms max=3D0ms mean=3D0.04= 1825ms stddev=3D0.0204512 > ok 7 Worst case connect 1024 keys: min=3D0ms max=3D2ms mean=3D0.5= 20357ms stddev=3D0.0721358 > ok 8 Connect random-search 1024 keys: min=3D0ms max=3D2ms mean=3D0.5= 35312ms stddev=3D0.0517355 > ok 9 Worst case delete 1024 keys: min=3D5ms max=3D9ms mean=3D8.2= 7219ms stddev=3D0.287614 > ok 10 Add a new key 1024 keys: min=3D0ms max=3D1ms mean=3D0.6= 88121ms stddev=3D0.0829531 > ok 11 Remove random-search 1024 keys: min=3D5ms max=3D9ms mean=3D8.3= 7649ms stddev=3D0.289422 > ok 12 Remove async 1024 keys: min=3D0ms max=3D0ms mean=3D0.0= 457096ms stddev=3D0.0213798 > ok 13 Worst case connect 2048 keys: min=3D0ms max=3D2ms mean=3D0.7= 48804ms stddev=3D0.0865335 > ok 14 Connect random-search 2048 keys: min=3D0ms max=3D2ms mean=3D0.7= 82993ms stddev=3D0.0625697 > ok 15 Worst case delete 2048 keys: min=3D5ms max=3D10ms mean=3D8.= 23106ms stddev=3D0.286898 > ok 16 Add a new key 2048 keys: min=3D0ms max=3D1ms mean=3D0.8= 12988ms stddev=3D0.0901658 > ok 17 Remove random-search 2048 keys: min=3D8ms max=3D9ms mean=3D8.8= 4949ms stddev=3D0.297481 > ok 18 Remove async 2048 keys: min=3D0ms max=3D0ms mean=3D0.0= 297223ms stddev=3D0.0172402 > ok 19 Worst case connect 4096 keys: min=3D1ms max=3D5ms mean=3D1.5= 3352ms stddev=3D0.123836 > ok 20 Connect random-search 4096 keys: min=3D1ms max=3D5ms mean=3D1.5= 2226ms stddev=3D0.0872429 > ok 21 Worst case delete 4096 keys: min=3D5ms max=3D9ms mean=3D8.2= 5874ms stddev=3D0.28738 > ok 22 Add a new key 4096 keys: min=3D0ms max=3D3ms mean=3D1.6= 7382ms stddev=3D0.129376 > ok 23 Remove random-search 4096 keys: min=3D5ms max=3D10ms mean=3D8.= 26178ms stddev=3D0.287433 > ok 24 Remove async 4096 keys: min=3D0ms max=3D0ms mean=3D0.0= 340009ms stddev=3D0.0184393 > ok 25 Worst case connect 8192 keys: min=3D2ms max=3D4ms mean=3D2.8= 6208ms stddev=3D0.169177 > ok 26 Connect random-search 8192 keys: min=3D2ms max=3D4ms mean=3D2.8= 7592ms stddev=3D0.119915 > ok 27 Worst case delete 8192 keys: min=3D6ms max=3D11ms mean=3D7.= 55291ms stddev=3D0.274826 > ok 28 Add a new key 8192 keys: min=3D1ms max=3D5ms mean=3D2.5= 6797ms stddev=3D0.160249 > ok 29 Remove random-search 8192 keys: min=3D5ms max=3D10ms mean=3D7.= 14002ms stddev=3D0.267208 > ok 30 Remove async 8192 keys: min=3D0ms max=3D0ms mean=3D0.0= 320066ms stddev=3D0.0178904 > ok 31 Worst case connect 16384 keys: min=3D5ms max=3D6ms mean=3D5.= 55334ms stddev=3D0.235655 > ok 32 Connect random-search 16384 keys: min=3D5ms max=3D6ms mean=3D5.= 52614ms stddev=3D0.166225 > ok 33 Worst case delete 16384 keys: min=3D5ms max=3D11ms mean=3D7= .39109ms stddev=3D0.271866 > ok 34 Add a new key 16384 keys: min=3D2ms max=3D4ms mean=3D3.= 35799ms stddev=3D0.183248 > ok 35 Remove random-search 16384 keys: min=3D5ms max=3D8ms mean=3D6.= 86078ms stddev=3D0.261931 > ok 36 Remove async 16384 keys: min=3D0ms max=3D0ms mean=3D0.= 0302384ms stddev=3D0.0173892 > # Totals: pass:36 fail:0 xfail:0 xpass:0 skip:0 error:0 From it it's visible that the current simplified approach with linked-list of MKTs scales quite fine even for thousands of keys. And that also means that the majority of the time for delete is eaten by synchronize_rcu() [which I can confirm separately by tracing]. Signed-off-by: Dmitry Safonov --- tools/testing/selftests/net/tcp_ao/Makefile | 4 +- .../selftests/net/tcp_ao/bench-lookups.c | 403 ++++++++++++++++++ 2 files changed, 406 insertions(+), 1 deletion(-) create mode 100644 tools/testing/selftests/net/tcp_ao/bench-lookups.c diff --git a/tools/testing/selftests/net/tcp_ao/Makefile b/tools/testing/se= lftests/net/tcp_ao/Makefile index da44966f3687..a4af7d4da169 100644 --- a/tools/testing/selftests/net/tcp_ao/Makefile +++ b/tools/testing/selftests/net/tcp_ao/Makefile @@ -1,6 +1,6 @@ # SPDX-License-Identifier: GPL-2.0 TEST_BOTH_AF :=3D connect icmps-discard icmps-accept connect-deny \ - setsockopt-closed unsigned-md5 + setsockopt-closed unsigned-md5 bench-lookups =20 TEST_IPV4_PROGS :=3D $(TEST_BOTH_AF:%=3D%_ipv4) TEST_IPV6_PROGS :=3D $(TEST_BOTH_AF:%=3D%_ipv6) @@ -46,3 +46,5 @@ $(OUTPUT)/%_ipv6: %.c =20 $(OUTPUT)/icmps-accept_ipv4: CFLAGS+=3D -DTEST_ICMPS_ACCEPT $(OUTPUT)/icmps-accept_ipv6: CFLAGS+=3D -DTEST_ICMPS_ACCEPT +$(OUTPUT)/bench-lookups_ipv4: LDFLAGS+=3D -lm +$(OUTPUT)/bench-lookups_ipv6: LDFLAGS+=3D -lm diff --git a/tools/testing/selftests/net/tcp_ao/bench-lookups.c b/tools/tes= ting/selftests/net/tcp_ao/bench-lookups.c new file mode 100644 index 000000000000..41456d85e06a --- /dev/null +++ b/tools/testing/selftests/net/tcp_ao/bench-lookups.c @@ -0,0 +1,403 @@ +// SPDX-License-Identifier: GPL-2.0 +/* Author: Dmitry Safonov */ +#include +#include +#include +#include +#include +#include + +#include "../../../../include/linux/bits.h" +#include "../../../../include/linux/kernel.h" +#include "aolib.h" + +#define AO_KEY_SZ 300 /* ~=3D sizeof(struct tcp_ao_key) */ +#define NR_ITERS 100 /* number of times to run gathering statistics */ + +#ifdef IPV6_TEST +typedef struct in6_addr ipaddr_t; +static ipaddr_t get_ipaddr_t(ipaddr_t net, size_t n) +{ + ipaddr_t ret =3D net; + + ret.s6_addr32[3] =3D htonl(n & (BIT(32) - 1)); + ret.s6_addr32[2] =3D htonl((n >> 32) & (BIT(32) - 1)); + + return ret; +} +#else +typedef struct in_addr ipaddr_t; +static ipaddr_t get_ipaddr_t(ipaddr_t net, size_t n) +{ + ipaddr_t ret; + + ret.s_addr =3D htonl(ntohl(net.s_addr) + n); + return ret; +} +#endif + +static void gen_test_ips(ipaddr_t *ips, size_t ips_nr, bool use_rand) +{ + ipaddr_t net; + size_t i, j; + + if (inet_pton(TEST_FAMILY, TEST_NETWORK, &net) !=3D 1) + test_error("Can't convert ip address %s", TEST_NETWORK); + + if (!use_rand) { + for (i =3D 0; i < ips_nr; i++) + ips[i] =3D get_ipaddr_t(net, 2 * i + 1); + return; + } + for (i =3D 0; i < ips_nr; i++) { + size_t r =3D (size_t)random() | 0x1; + + ips[i] =3D get_ipaddr_t(net, r); + + for (j =3D i - 1; j > 0 && i > 0; j--) { + if (!memcmp(&ips[i], &ips[j], sizeof(ipaddr_t))) { + i--; /* collision */ + break; + } + } + } +} + +static void test_add_routes(ipaddr_t *ips, size_t ips_nr) +{ + size_t i; + + for (i =3D 0; i < ips_nr; i++) { + union tcp_addr *p =3D (union tcp_addr *)&ips[i]; + + if (ip_route_add(veth_name, TEST_FAMILY, this_ip_addr, *p)) + test_error("Failed to add route"); + } +} + +static void server_apply_keys(int lsk, ipaddr_t *ips, size_t ips_nr) +{ + size_t i; + + for (i =3D 0; i < ips_nr; i++) { + union tcp_addr *p =3D (union tcp_addr *)&ips[i]; + + if (test_set_ao(lsk, "password", 0, *p, -1, 100, 100)) + test_error("setsockopt(TCP_AO)"); + } +} + +static const size_t nr_keys[] =3D { 512, 1024, 2048, 4096, 8192, 16384 }; +static ipaddr_t *test_ips; + +struct bench_stats { + uint64_t min; + uint64_t max; + uint64_t nr; + double mean; + double s2; +}; + +static struct bench_tests { + struct bench_stats delete_last_key; + struct bench_stats add_key; + struct bench_stats delete_rand_key; + struct bench_stats connect_last_key; + struct bench_stats connect_rand_key; + struct bench_stats delete_async; +} bench_results[ARRAY_SIZE(nr_keys)]; + +#define NSEC_PER_SEC 1000000000ULL + +static void measure_call(struct bench_stats *st, + void (*f)(int, void *), int sk, void *arg) +{ + struct timespec start =3D {}, end =3D {}; + double delta; + uint64_t nsec; + + if (clock_gettime(CLOCK_MONOTONIC, &start)) + test_error("clock_gettime()"); + + f(sk, arg); + + if (clock_gettime(CLOCK_MONOTONIC, &end)) + test_error("clock_gettime()"); + + nsec =3D (end.tv_sec - start.tv_sec) * NSEC_PER_SEC; + if (end.tv_nsec >=3D start.tv_nsec) + nsec +=3D end.tv_nsec - start.tv_nsec; + else + nsec -=3D start.tv_nsec - end.tv_nsec; + + if (st->nr =3D=3D 0) { + st->min =3D st->max =3D nsec; + } else { + if (st->min > nsec) + st->min =3D nsec; + if (st->max < nsec) + st->max =3D nsec; + } + + /* Welford-Knuth algorithm */ + st->nr++; + delta =3D (double)nsec - st->mean; + st->mean +=3D delta / st->nr; + st->s2 +=3D delta * ((double)nsec - st->mean); +} + +static void delete_mkt(int sk, void *arg) +{ + struct tcp_ao_del *ao =3D arg; + + if (setsockopt(sk, IPPROTO_TCP, TCP_AO_DEL, ao, sizeof(*ao))) + test_error("setsockopt(TCP_AO_DEL)"); +} + +static void add_back_mkt(int sk, void *arg) +{ + union tcp_addr *p =3D arg; + + if (test_set_ao(sk, "password", 0, *p, -1, 100, 100)) + test_error("setsockopt(TCP_AO)"); +} + +static void memcpy_sockaddr(void *dest, union tcp_addr *in_addr) +{ +#ifdef IPV6_TEST + struct sockaddr_in6 addr =3D { + .sin6_family =3D AF_INET6, + .sin6_port =3D 0, + .sin6_addr =3D in_addr->a6, + }; +#else + struct sockaddr_in addr =3D { + .sin_family =3D AF_INET, + .sin_port =3D 0, + .sin_addr =3D in_addr->a4, + }; +#endif + + memcpy(dest, &addr, sizeof(addr)); +} + +static void bench_delete(int lsk, struct bench_stats *add, + struct bench_stats *del, + ipaddr_t *ips, size_t ips_nr, + bool rand_order, bool async) +{ + struct tcp_ao_del ao_del =3D {}; + union tcp_addr *p; + size_t i; + + ao_del.tcpa_sndid =3D 100; + ao_del.tcpa_rcvid =3D 100; + if (async) + ao_del.tcpa_flags =3D TCP_AO_CMDF_DEL_ASYNC; + ao_del.tcpa_prefix =3D DEFAULT_TEST_PREFIX; + + /* Remove the first added */ + p =3D (union tcp_addr *)&ips[0]; + memcpy_sockaddr(&ao_del.tcpa_addr, p); + + for (i =3D 0; i < NR_ITERS; i++) { + measure_call(del, delete_mkt, lsk, (void *)&ao_del); + + /* Restore it back */ + measure_call(add, add_back_mkt, lsk, (void *)p); + + /* + * Slowest for FILO-linked-list: + * on (i) iteration removing ips[i] element. When it gets + * added to the list back - it becomes first to fetch, so + * on (i + 1) iteration go to ips[i + 1] element. + */ + if (rand_order) + p =3D (union tcp_addr *)&ips[rand() % ips_nr]; + else + p =3D (union tcp_addr *)&ips[i % ips_nr]; + memcpy_sockaddr(&ao_del.tcpa_addr, p); + } +} + +static void bench_connect_srv(int lsk, ipaddr_t *ips, size_t ips_nr) +{ + size_t i; + + for (i =3D 0; i < NR_ITERS; i++) { + int err, sk; + + synchronize_threads(); + + err =3D test_wait_fd(lsk, TEST_TIMEOUT_SEC, 0); + if (!err) + test_error("timeouted for accept()"); + else if (err < 0) + test_error("test_wait_fd()"); + + sk =3D accept(lsk, NULL, NULL); + if (sk < 0) + test_error("accept()"); + + close(sk); + } +} + +static void test_print_stats(const char *desc, size_t nr, struct bench_sta= ts *bs) +{ + test_ok("%20s\t%zu keys: min=3D%" PRIu64 "ms max=3D%" PRIu64 "ms mean=3D%= gms stddev=3D%g", + desc, nr, bs->min / 1000000, bs->max / 1000000, + bs->mean / 1000000, sqrt((bs->mean / 1000000) / bs->nr)); +} + +static void *server_fn(void *arg) +{ + size_t i; + + for (i =3D 0; i < ARRAY_SIZE(nr_keys); i++) { + struct bench_tests *bt =3D &bench_results[i]; + int lsk; + + test_ips =3D malloc(nr_keys[i] * sizeof(ipaddr_t)); + if (!test_ips) + test_error("malloc()"); + + lsk =3D test_listen_socket(this_ip_addr, test_server_port + i, 1); + + gen_test_ips(test_ips, nr_keys[i], false); + test_add_routes(test_ips, nr_keys[i]); + test_set_optmem(AO_KEY_SZ * nr_keys[i]); + server_apply_keys(lsk, test_ips, nr_keys[i]); + + synchronize_threads(); + bench_connect_srv(lsk, test_ips, nr_keys[i]); + bench_connect_srv(lsk, test_ips, nr_keys[i]); + + /* The worst case for FILO-list */ + bench_delete(lsk, &bt->add_key, &bt->delete_last_key, + test_ips, nr_keys[i], false, false); + test_print_stats("Worst case delete", + nr_keys[i], &bt->delete_last_key); + test_print_stats("Add a new key", + nr_keys[i], &bt->add_key); + + bench_delete(lsk, &bt->add_key, &bt->delete_rand_key, + test_ips, nr_keys[i], true, false); + test_print_stats("Remove random-search", + nr_keys[i], &bt->delete_rand_key); + + bench_delete(lsk, &bt->add_key, &bt->delete_async, + test_ips, nr_keys[i], false, true); + test_print_stats("Remove async", nr_keys[i], &bt->delete_async); + + free(test_ips); + close(lsk); + } + + return NULL; +} + +static void connect_client(int sk, void *arg) +{ + size_t *p =3D arg; + + if (test_connect_socket(sk, this_ip_dest, test_server_port + *p) <=3D 0) + test_error("failed to connect()"); +} + +static void client_addr_setup(int sk, union tcp_addr taddr) +{ +#ifdef IPV6_TEST + struct sockaddr_in6 addr =3D { + .sin6_family =3D AF_INET6, + .sin6_port =3D 0, + .sin6_addr =3D taddr.a6, + }; +#else + struct sockaddr_in addr =3D { + .sin_family =3D AF_INET, + .sin_port =3D 0, + .sin_addr =3D taddr.a4, + }; +#endif + int ret; + + ret =3D ip_addr_add(veth_name, TEST_FAMILY, taddr, TEST_PREFIX); + if (ret && ret !=3D -EEXIST) + test_error("Failed to add ip address"); + ret =3D ip_route_add(veth_name, TEST_FAMILY, taddr, this_ip_dest); + if (ret && ret !=3D -EEXIST) + test_error("Failed to add route"); + + if (bind(sk, &addr, sizeof(addr))) + test_error("bind()"); +} + +static void bench_connect_client(size_t port_off, struct bench_tests *bt, + ipaddr_t *ips, size_t ips_nr, bool rand_order) +{ + struct bench_stats *con; + union tcp_addr *p; + size_t i; + + if (rand_order) + con =3D &bt->connect_rand_key; + else + con =3D &bt->connect_last_key; + + p =3D (union tcp_addr *)&ips[0]; + + for (i =3D 0; i < NR_ITERS; i++) { + int sk =3D socket(test_family, SOCK_STREAM, IPPROTO_TCP); + + if (sk < 0) + test_error("socket()"); + + client_addr_setup(sk, *p); + if (test_set_ao(sk, "password", 0, this_ip_dest, -1, 100, 100)) + test_error("setsockopt(TCP_AO)"); + + synchronize_threads(); + + measure_call(con, connect_client, sk, (void *)&port_off); + + close(sk); + + /* + * Slowest for FILO-linked-list: + * on (i) iteration removing ips[i] element. When it gets + * added to the list back - it becomes first to fetch, so + * on (i + 1) iteration go to ips[i + 1] element. + */ + if (rand_order) + p =3D (union tcp_addr *)&ips[rand() % ips_nr]; + else + p =3D (union tcp_addr *)&ips[i % ips_nr]; + } +} + +static void *client_fn(void *arg) +{ + size_t i; + + for (i =3D 0; i < ARRAY_SIZE(nr_keys); i++) { + struct bench_tests *bt =3D &bench_results[i]; + + synchronize_threads(); + bench_connect_client(i, bt, test_ips, nr_keys[i], false); + test_print_stats("Worst case connect", + nr_keys[i], &bt->connect_last_key); + + bench_connect_client(i, bt, test_ips, nr_keys[i], false); + test_print_stats("Connect random-search", + nr_keys[i], &bt->connect_last_key); + } + synchronize_threads(); + return NULL; +} + +int main(int argc, char *argv[]) +{ + test_init(36, server_fn, client_fn); + return 0; +} --=20 2.37.2