From nobody Fri Jan 2 19:04:40 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 55979E81E18 for ; Mon, 9 Oct 2023 23:08:39 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1379027AbjJIXIh (ORCPT ); Mon, 9 Oct 2023 19:08:37 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35004 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1379035AbjJIXIG (ORCPT ); Mon, 9 Oct 2023 19:08:06 -0400 Received: from mail-wm1-x32c.google.com (mail-wm1-x32c.google.com [IPv6:2a00:1450:4864:20::32c]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8F47AAF for ; Mon, 9 Oct 2023 16:07:48 -0700 (PDT) Received: by mail-wm1-x32c.google.com with SMTP id 5b1f17b1804b1-406618d0991so47132765e9.2 for ; Mon, 09 Oct 2023 16:07:48 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=arista.com; s=google; t=1696892866; x=1697497666; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=rJ6k3FDASmdDw32dUjRwAQMn50yHzpCiIrbWeJwuCKo=; b=IQa0Mp22YHSXqcdZrMW0Hfc9kYflFp3KUaPmYtn4k1d42dlAYQD1Tkx6Plh7d3L10q w3yUpB0UJJZ/oLxbztznIFCKsfqrp7tDTeaIOGLHfh0zao+tjAhOcWh5wzYqgNcYdGkz aMfbM6O29rv+4aLYzzA36aI98x4n3KesD5gNMWickJXXns2Gq43jqMkmZU60pV/MtVgS PEw/R6mCFCyEXdLd66vMBc3vEmzkNc8Rwfow9PBLiYjySiG/JkyUPy3b7MLuT2LWzrTJ VF0rXaJMFF6zIFtLtF6Zay952i/xLmjjRb2zBj8PUv4l6xW0bJMM1kMfgpsuzrQn79Cm Y3sA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1696892866; x=1697497666; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=rJ6k3FDASmdDw32dUjRwAQMn50yHzpCiIrbWeJwuCKo=; b=X6OC/C5yueAXR6UI8V3fi0JcqiwZDnmX+2icliCQ9T8gBeUWldgY6S3F+OStVyFhqF kB5/BGEO5VfXzPs9+XmZONbwrshvU/fp4gTr9Vx9RuviKMtmE1nHkVtywxtDFtxrXfl2 HgZRFpgDPdQXVweNRPEscm8rGxITwyciBSSuIOKmogbFiSqHNO/r82D3w+22EqCdTotV jtm8hEhpIYiCnzUwjhn9d8sLGIpkGF8TmQy4nusb02rrjjnSWglzf5nd14sBzP0wGMIA DnjKzfmATib1CovjFxgVXb16nzi/X1DFsFdn6j+k66H49RsLwgCAtI+EStx/5CFs2YTF EaUA== X-Gm-Message-State: AOJu0YyK888VQQXNdS1ukfWez8hSHMUtgACxfPCIRjS+U2IgB/ag3O6k dSd9yW+7SeL01/CGT77C0MGyPw== X-Google-Smtp-Source: AGHT+IFkGlxtHvpsn+4Q+OInOGew+cz1U3kNDnjhjOfNJ9QJHzcEMUtzyuyyJtFPH7EoCKM8PRpSGg== X-Received: by 2002:a05:600c:2210:b0:405:3cc5:1105 with SMTP id z16-20020a05600c221000b004053cc51105mr14420078wml.8.1696892866618; Mon, 09 Oct 2023 16:07:46 -0700 (PDT) Received: from Mindolluin.ire.aristanetworks.com ([217.173.96.166]) by smtp.gmail.com with ESMTPSA id t24-20020a7bc3d8000000b004042dbb8925sm14592104wmj.38.2023.10.09.16.07.45 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 09 Oct 2023 16:07:46 -0700 (PDT) From: Dmitry Safonov To: David Ahern , Eric Dumazet , Paolo Abeni , Jakub Kicinski , "David S. Miller" Cc: linux-kernel@vger.kernel.org, Dmitry Safonov , Andy Lutomirski , Ard Biesheuvel , Bob Gilligan , Dan Carpenter , David Laight , Dmitry Safonov <0x7f454c46@gmail.com>, Donald Cassidy , Eric Biggers , "Eric W. Biederman" , Francesco Ruggeri , "Gaillardetz, Dominik" , Herbert Xu , Hideaki YOSHIFUJI , Ivan Delalande , Leonard Crestez , "Nassiri, Mohammad" , Salam Noureddine , Simon Horman , "Tetreault, Francois" , netdev@vger.kernel.org Subject: [PATCH v14 net-next 11/23] net/tcp: Sign SYN-ACK segments with TCP-AO Date: Tue, 10 Oct 2023 00:07:02 +0100 Message-ID: <20231009230722.76268-12-dima@arista.com> X-Mailer: git-send-email 2.42.0 In-Reply-To: <20231009230722.76268-1-dima@arista.com> References: <20231009230722.76268-1-dima@arista.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" Similarly to RST segments, wire SYN-ACKs to TCP-AO. tcp_rsk_used_ao() is handy here to check if the request socket used AO and needs a signature on the outgoing segments. Co-developed-by: Francesco Ruggeri Signed-off-by: Francesco Ruggeri Co-developed-by: Salam Noureddine Signed-off-by: Salam Noureddine Signed-off-by: Dmitry Safonov Acked-by: David Ahern --- include/net/tcp.h | 3 ++ include/net/tcp_ao.h | 6 ++++ net/ipv4/tcp_ao.c | 22 +++++++++++++ net/ipv4/tcp_ipv4.c | 1 + net/ipv4/tcp_output.c | 72 +++++++++++++++++++++++++++++++++---------- net/ipv6/tcp_ao.c | 22 +++++++++++++ net/ipv6/tcp_ipv6.c | 1 + 7 files changed, 111 insertions(+), 16 deletions(-) diff --git a/include/net/tcp.h b/include/net/tcp.h index 13657b70d5d7..717887c3d76d 100644 --- a/include/net/tcp.h +++ b/include/net/tcp.h @@ -2183,6 +2183,9 @@ struct tcp_request_sock_ops { struct request_sock *req, int sndid, int rcvid); int (*ao_calc_key)(struct tcp_ao_key *mkt, u8 *key, struct request_sock *= sk); + int (*ao_synack_hash)(char *ao_hash, struct tcp_ao_key *mkt, + struct request_sock *req, const struct sk_buff *skb, + int hash_offset, u32 sne); #endif #ifdef CONFIG_SYN_COOKIES __u32 (*cookie_init_seq)(const struct sk_buff *skb, diff --git a/include/net/tcp_ao.h b/include/net/tcp_ao.h index d04b17971c3c..56c2e34ad7d2 100644 --- a/include/net/tcp_ao.h +++ b/include/net/tcp_ao.h @@ -147,6 +147,9 @@ int tcp_ao_prepare_reset(const struct sock *sk, struct = sk_buff *skb, int tcp_v4_parse_ao(struct sock *sk, int cmd, sockptr_t optval, int optlen= ); struct tcp_ao_key *tcp_v4_ao_lookup(const struct sock *sk, struct sock *ad= dr_sk, int sndid, int rcvid); +int tcp_v4_ao_synack_hash(char *ao_hash, struct tcp_ao_key *mkt, + struct request_sock *req, const struct sk_buff *skb, + int hash_offset, u32 sne); int tcp_v4_ao_calc_key_sk(struct tcp_ao_key *mkt, u8 *key, const struct sock *sk, __be32 sisn, __be32 disn, bool send); @@ -181,6 +184,9 @@ int tcp_v6_ao_hash_skb(char *ao_hash, struct tcp_ao_key= *key, const struct sock *sk, const struct sk_buff *skb, const u8 *tkey, int hash_offset, u32 sne); int tcp_v6_parse_ao(struct sock *sk, int cmd, sockptr_t optval, int optlen= ); +int tcp_v6_ao_synack_hash(char *ao_hash, struct tcp_ao_key *ao_key, + struct request_sock *req, const struct sk_buff *skb, + int hash_offset, u32 sne); void tcp_ao_established(struct sock *sk); void tcp_ao_finish_connect(struct sock *sk, struct sk_buff *skb); void tcp_ao_connect_init(struct sock *sk); diff --git a/net/ipv4/tcp_ao.c b/net/ipv4/tcp_ao.c index c8006b0cbb8a..0102d0662fca 100644 --- a/net/ipv4/tcp_ao.c +++ b/net/ipv4/tcp_ao.c @@ -568,6 +568,28 @@ int tcp_v4_ao_hash_skb(char *ao_hash, struct tcp_ao_ke= y *key, tkey, hash_offset, sne); } =20 +int tcp_v4_ao_synack_hash(char *ao_hash, struct tcp_ao_key *ao_key, + struct request_sock *req, const struct sk_buff *skb, + int hash_offset, u32 sne) +{ + void *hash_buf =3D NULL; + int err; + + hash_buf =3D kmalloc(tcp_ao_digest_size(ao_key), GFP_ATOMIC); + if (!hash_buf) + return -ENOMEM; + + err =3D tcp_v4_ao_calc_key_rsk(ao_key, hash_buf, req); + if (err) + goto out; + + err =3D tcp_ao_hash_skb(AF_INET, ao_hash, ao_key, req_to_sk(req), skb, + hash_buf, hash_offset, sne); +out: + kfree(hash_buf); + return err; +} + struct tcp_ao_key *tcp_v4_ao_lookup_rsk(const struct sock *sk, struct request_sock *req, int sndid, int rcvid) diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c index c332a86c22c5..b4d26d893f9d 100644 --- a/net/ipv4/tcp_ipv4.c +++ b/net/ipv4/tcp_ipv4.c @@ -1680,6 +1680,7 @@ const struct tcp_request_sock_ops tcp_request_sock_ip= v4_ops =3D { #ifdef CONFIG_TCP_AO .ao_lookup =3D tcp_v4_ao_lookup_rsk, .ao_calc_key =3D tcp_v4_ao_calc_key_rsk, + .ao_synack_hash =3D tcp_v4_ao_synack_hash, #endif #ifdef CONFIG_SYN_COOKIES .cookie_init_seq =3D cookie_v4_init_sequence, diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c index 4984e654be65..8d110ee705a4 100644 --- a/net/ipv4/tcp_output.c +++ b/net/ipv4/tcp_output.c @@ -886,7 +886,7 @@ static unsigned int tcp_synack_options(const struct soc= k *sk, struct request_sock *req, unsigned int mss, struct sk_buff *skb, struct tcp_out_options *opts, - const struct tcp_md5sig_key *md5, + const struct tcp_key *key, struct tcp_fastopen_cookie *foc, enum tcp_synack_type synack_type, struct sk_buff *syn_skb) @@ -894,8 +894,7 @@ static unsigned int tcp_synack_options(const struct soc= k *sk, struct inet_request_sock *ireq =3D inet_rsk(req); unsigned int remaining =3D MAX_TCP_OPTION_SPACE; =20 -#ifdef CONFIG_TCP_MD5SIG - if (md5) { + if (tcp_key_is_md5(key)) { opts->options |=3D OPTION_MD5; remaining -=3D TCPOLEN_MD5SIG_ALIGNED; =20 @@ -906,8 +905,11 @@ static unsigned int tcp_synack_options(const struct so= ck *sk, */ if (synack_type !=3D TCP_SYNACK_COOKIE) ireq->tstamp_ok &=3D !ireq->sack_ok; + } else if (tcp_key_is_ao(key)) { + opts->options |=3D OPTION_AO; + remaining -=3D tcp_ao_len(key->ao_key); + ireq->tstamp_ok &=3D !ireq->sack_ok; } -#endif =20 /* We always send an MSS option. */ opts->mss =3D mss; @@ -3655,7 +3657,6 @@ struct sk_buff *tcp_make_synack(const struct sock *sk= , struct dst_entry *dst, { struct inet_request_sock *ireq =3D inet_rsk(req); const struct tcp_sock *tp =3D tcp_sk(sk); - struct tcp_md5sig_key *md5 =3D NULL; struct tcp_out_options opts; struct tcp_key key =3D {}; struct sk_buff *skb; @@ -3707,18 +3708,48 @@ struct sk_buff *tcp_make_synack(const struct sock *= sk, struct dst_entry *dst, tcp_rsk(req)->snt_synack =3D tcp_skb_timestamp_us(skb); } =20 -#ifdef CONFIG_TCP_MD5SIG +#if defined(CONFIG_TCP_MD5SIG) || defined(CONFIG_TCP_AO) rcu_read_lock(); - md5 =3D tcp_rsk(req)->af_specific->req_md5_lookup(sk, req_to_sk(req)); - if (md5) - key.type =3D TCP_KEY_MD5; #endif + if (tcp_rsk_used_ao(req)) { +#ifdef CONFIG_TCP_AO + struct tcp_ao_key *ao_key =3D NULL; + u8 maclen =3D tcp_rsk(req)->maclen; + u8 keyid =3D tcp_rsk(req)->ao_keyid; + + ao_key =3D tcp_sk(sk)->af_specific->ao_lookup(sk, req_to_sk(req), + keyid, -1); + /* If there is no matching key - avoid sending anything, + * especially usigned segments. It could try harder and lookup + * for another peer-matching key, but the peer has requested + * ao_keyid (RFC5925 RNextKeyID), so let's keep it simple here. + */ + if (unlikely(!ao_key || tcp_ao_maclen(ao_key) !=3D maclen)) { + u8 key_maclen =3D ao_key ? tcp_ao_maclen(ao_key) : 0; + + rcu_read_unlock(); + kfree_skb(skb); + net_warn_ratelimited("TCP-AO: the keyid %u with maclen %u|%u from SYN p= acket is not present - not sending SYNACK\n", + keyid, maclen, key_maclen); + return NULL; + } + key.ao_key =3D ao_key; + key.type =3D TCP_KEY_AO; +#endif + } else { +#ifdef CONFIG_TCP_MD5SIG + key.md5_key =3D tcp_rsk(req)->af_specific->req_md5_lookup(sk, + req_to_sk(req)); + if (key.md5_key) + key.type =3D TCP_KEY_MD5; +#endif + } skb_set_hash(skb, READ_ONCE(tcp_rsk(req)->txhash), PKT_HASH_TYPE_L4); /* bpf program will be interested in the tcp_flags */ TCP_SKB_CB(skb)->tcp_flags =3D TCPHDR_SYN | TCPHDR_ACK; - tcp_header_size =3D tcp_synack_options(sk, req, mss, skb, &opts, md5, - foc, synack_type, - syn_skb) + sizeof(*th); + tcp_header_size =3D tcp_synack_options(sk, req, mss, skb, &opts, + &key, foc, synack_type, syn_skb) + + sizeof(*th); =20 skb_push(skb, tcp_header_size); skb_reset_transport_header(skb); @@ -3738,15 +3769,24 @@ struct sk_buff *tcp_make_synack(const struct sock *= sk, struct dst_entry *dst, =20 /* RFC1323: The window in SYN & SYN/ACK segments is never scaled. */ th->window =3D htons(min(req->rsk_rcv_wnd, 65535U)); - tcp_options_write(th, NULL, NULL, &opts, &key); + tcp_options_write(th, NULL, tcp_rsk(req), &opts, &key); th->doff =3D (tcp_header_size >> 2); TCP_INC_STATS(sock_net(sk), TCP_MIB_OUTSEGS); =20 -#ifdef CONFIG_TCP_MD5SIG /* Okay, we have all we need - do the md5 hash if needed */ - if (md5) + if (tcp_key_is_md5(&key)) { +#ifdef CONFIG_TCP_MD5SIG tcp_rsk(req)->af_specific->calc_md5_hash(opts.hash_location, - md5, req_to_sk(req), skb); + key.md5_key, req_to_sk(req), skb); +#endif + } else if (tcp_key_is_ao(&key)) { +#ifdef CONFIG_TCP_AO + tcp_rsk(req)->af_specific->ao_synack_hash(opts.hash_location, + key.ao_key, req, skb, + opts.hash_location - (u8 *)th, 0); +#endif + } +#if defined(CONFIG_TCP_MD5SIG) || defined(CONFIG_TCP_AO) rcu_read_unlock(); #endif =20 diff --git a/net/ipv6/tcp_ao.c b/net/ipv6/tcp_ao.c index c9a6fa84f6ce..99753e12c08c 100644 --- a/net/ipv6/tcp_ao.c +++ b/net/ipv6/tcp_ao.c @@ -144,3 +144,25 @@ int tcp_v6_parse_ao(struct sock *sk, int cmd, { return tcp_parse_ao(sk, cmd, AF_INET6, optval, optlen); } + +int tcp_v6_ao_synack_hash(char *ao_hash, struct tcp_ao_key *ao_key, + struct request_sock *req, const struct sk_buff *skb, + int hash_offset, u32 sne) +{ + void *hash_buf =3D NULL; + int err; + + hash_buf =3D kmalloc(tcp_ao_digest_size(ao_key), GFP_ATOMIC); + if (!hash_buf) + return -ENOMEM; + + err =3D tcp_v6_ao_calc_key_rsk(ao_key, hash_buf, req); + if (err) + goto out; + + err =3D tcp_ao_hash_skb(AF_INET6, ao_hash, ao_key, req_to_sk(req), skb, + hash_buf, hash_offset, sne); +out: + kfree(hash_buf); + return err; +} diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c index 7d8dcbfe09ea..05d9ded5a413 100644 --- a/net/ipv6/tcp_ipv6.c +++ b/net/ipv6/tcp_ipv6.c @@ -838,6 +838,7 @@ const struct tcp_request_sock_ops tcp_request_sock_ipv6= _ops =3D { #ifdef CONFIG_TCP_AO .ao_lookup =3D tcp_v6_ao_lookup_rsk, .ao_calc_key =3D tcp_v6_ao_calc_key_rsk, + .ao_synack_hash =3D tcp_v6_ao_synack_hash, #endif #ifdef CONFIG_SYN_COOKIES .cookie_init_seq =3D cookie_v6_init_sequence, --=20 2.42.0