From nobody Fri Sep 12 00:45:14 2025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id AA169C25B45 for ; Mon, 23 Oct 2023 19:23:01 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231897AbjJWTXA (ORCPT ); Mon, 23 Oct 2023 15:23:00 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38218 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230237AbjJWTWy (ORCPT ); Mon, 23 Oct 2023 15:22:54 -0400 Received: from mail-wm1-x331.google.com (mail-wm1-x331.google.com [IPv6:2a00:1450:4864:20::331]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7F5A6103 for ; Mon, 23 Oct 2023 12:22:41 -0700 (PDT) Received: by mail-wm1-x331.google.com with SMTP id 5b1f17b1804b1-40806e4106dso21276015e9.1 for ; Mon, 23 Oct 2023 12:22:41 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=arista.com; s=google; t=1698088960; x=1698693760; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=NTqNWRBS0zcUrotNdMsrwLpg176RJ9k1BahaqjErmhM=; b=EXPqXgPSaGlT6KJwMy8WwTY/A5uLT+vDoJXQ/x0reVzmPMxARuxstHfPJ/QSOEjDYs 5jnNaOGhGtsCUkEFPzAmzu/6eY3apotBGp3RlTwcYEKZGTcNgLfC4+ZTBHMSZbwQiN0p a388uhQLDQfr+zvyD5BA+61vKiVPpKLLieXYuj/CKkYP9HNyzrJR1m4F5TMUtMU0a+Zw tDUcg/tT5Qim8WhRrYl6s6Vn2k+X5K6ih+0pFmCouGNG40CLRmjAmvtcQpdazBIFO10i 6x10OD/N5YBb7/6i74q0Kgyp99s1kBGl4U0yDkNR1RnM5l3PBZ3yb+ndNsB7Zzz/GTQv pSgg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1698088960; x=1698693760; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=NTqNWRBS0zcUrotNdMsrwLpg176RJ9k1BahaqjErmhM=; b=DBV+IjDsRvdyJ2hx0jWjKa9tWKp88E2Xu1VnVKuiL8EvRmy3TPWWMCXUshB8/+lM63 2fUauHVfxz+W/NNDqwIaSecIOKyUAEF5o9kvsQFD1+scr86ijdjRK5vcbnxqLEo3Vkb3 nig541C116m3MR1QsQTHXjvi1S/kcJ5PuS0iSQaoZWHu5q88CWPxoQmFQ+1JrEZ4QroP gMZNtwxBPGf+4EQ7BujM4zQRjecHHMpwSgOlplYrxTQCe8zYyeaDvpC7GtWi9z8cJIyx m2J1ffsnvinnlEbHIDOzsfmBMjOr2dUpi+kJCXBuCDA5lnmVMrzURWouO7b1lHSHAZ/K CYPw== X-Gm-Message-State: AOJu0Yy4v/BHpvTeANZTj2x83aGvAdzw9mwmZHSrTA3Ou1jw26m5hAMT WVbST/gR9/1dZaBTWNov7gJKBQ== X-Google-Smtp-Source: AGHT+IEVDiF/PCx61gvFmd9XLkI5Mc1QmekR5mxPcX5WRlfwEOZmtByO6hC0zXUnekkn8fr+x83YMw== X-Received: by 2002:a05:600c:3414:b0:401:c7ec:b930 with SMTP id y20-20020a05600c341400b00401c7ecb930mr12126542wmp.10.1698088959788; Mon, 23 Oct 2023 12:22:39 -0700 (PDT) Received: from Mindolluin.ire.aristanetworks.com ([217.173.96.166]) by smtp.gmail.com with ESMTPSA id ay20-20020a05600c1e1400b00407460234f9sm10142088wmb.21.2023.10.23.12.22.38 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 23 Oct 2023 12:22:39 -0700 (PDT) From: Dmitry Safonov To: David Ahern , Eric Dumazet , Paolo Abeni , Jakub Kicinski , "David S. Miller" Cc: linux-kernel@vger.kernel.org, Dmitry Safonov , Andy Lutomirski , Ard Biesheuvel , Bob Gilligan , Dan Carpenter , David Laight , Dmitry Safonov <0x7f454c46@gmail.com>, Donald Cassidy , Eric Biggers , "Eric W. Biederman" , Francesco Ruggeri , "Gaillardetz, Dominik" , Herbert Xu , Hideaki YOSHIFUJI , Ivan Delalande , Leonard Crestez , "Nassiri, Mohammad" , Salam Noureddine , Simon Horman , "Tetreault, Francois" , netdev@vger.kernel.org Subject: [PATCH v16 net-next 07/23] net/tcp: Add tcp_parse_auth_options() Date: Mon, 23 Oct 2023 20:21:59 +0100 Message-ID: <20231023192217.426455-8-dima@arista.com> X-Mailer: git-send-email 2.42.0 In-Reply-To: <20231023192217.426455-1-dima@arista.com> References: <20231023192217.426455-1-dima@arista.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" Introduce a helper that: (1) shares the common code with TCP-MD5 header options parsing (2) looks for hash signature only once for both TCP-MD5 and TCP-AO (3) fails with -EEXIST if any TCP sign option is present twice, see RFC5925 (2.2): ">> A single TCP segment MUST NOT have more than one TCP-AO in its options sequence. When multiple TCP-AOs appear, TCP MUST discard the segment." Co-developed-by: Francesco Ruggeri Signed-off-by: Francesco Ruggeri Co-developed-by: Salam Noureddine Signed-off-by: Salam Noureddine Signed-off-by: Dmitry Safonov Acked-by: David Ahern --- include/net/dropreason-core.h | 6 ++++++ include/net/tcp.h | 24 ++++++++++++++++++++- include/net/tcp_ao.h | 17 ++++++++++++++- net/ipv4/tcp.c | 3 ++- net/ipv4/tcp_input.c | 39 ++++++++++++++++++++++++++--------- net/ipv4/tcp_ipv4.c | 15 +++++++++----- net/ipv6/tcp_ipv6.c | 11 ++++++---- 7 files changed, 93 insertions(+), 22 deletions(-) diff --git a/include/net/dropreason-core.h b/include/net/dropreason-core.h index 845dce805de7..3af4464a9c5b 100644 --- a/include/net/dropreason-core.h +++ b/include/net/dropreason-core.h @@ -20,6 +20,7 @@ FN(IP_NOPROTO) \ FN(SOCKET_RCVBUFF) \ FN(PROTO_MEM) \ + FN(TCP_AUTH_HDR) \ FN(TCP_MD5NOTFOUND) \ FN(TCP_MD5UNEXPECTED) \ FN(TCP_MD5FAILURE) \ @@ -142,6 +143,11 @@ enum skb_drop_reason { * drop out of udp_memory_allocated. */ SKB_DROP_REASON_PROTO_MEM, + /** + * @SKB_DROP_REASON_TCP_AUTH_HDR: TCP-MD5 or TCP-AO hashes are met + * twice or set incorrectly. + */ + SKB_DROP_REASON_TCP_AUTH_HDR, /** * @SKB_DROP_REASON_TCP_MD5NOTFOUND: no MD5 hash and one expected, * corresponding to LINUX_MIB_TCPMD5NOTFOUND diff --git a/include/net/tcp.h b/include/net/tcp.h index 9a996834699d..ba30fcc89830 100644 --- a/include/net/tcp.h +++ b/include/net/tcp.h @@ -438,7 +438,6 @@ int tcp_mmap(struct file *file, struct socket *sock, void tcp_parse_options(const struct net *net, const struct sk_buff *skb, struct tcp_options_received *opt_rx, int estab, struct tcp_fastopen_cookie *foc); -const u8 *tcp_parse_md5sig_option(const struct tcphdr *th); =20 /* * BPF SKB-less helpers @@ -2673,6 +2672,29 @@ static inline u64 tcp_transmit_time(const struct soc= k *sk) return 0; } =20 +static inline int tcp_parse_auth_options(const struct tcphdr *th, + const u8 **md5_hash, const struct tcp_ao_hdr **aoh) +{ + const u8 *md5_tmp, *ao_tmp; + int ret; + + ret =3D tcp_do_parse_auth_options(th, &md5_tmp, &ao_tmp); + if (ret) + return ret; + + if (md5_hash) + *md5_hash =3D md5_tmp; + + if (aoh) { + if (!ao_tmp) + *aoh =3D NULL; + else + *aoh =3D (struct tcp_ao_hdr *)(ao_tmp - 2); + } + + return 0; +} + static inline bool tcp_ao_required(struct sock *sk, const void *saddr, int family) { diff --git a/include/net/tcp_ao.h b/include/net/tcp_ao.h index 0b86bc05d8cf..fdd2f5091b98 100644 --- a/include/net/tcp_ao.h +++ b/include/net/tcp_ao.h @@ -152,7 +152,9 @@ int tcp_v6_parse_ao(struct sock *sk, int cmd, sockptr_t= optval, int optlen); void tcp_ao_established(struct sock *sk); void tcp_ao_finish_connect(struct sock *sk, struct sk_buff *skb); void tcp_ao_connect_init(struct sock *sk); - +void tcp_ao_syncookie(struct sock *sk, const struct sk_buff *skb, + struct tcp_request_sock *treq, + unsigned short int family); #else /* CONFIG_TCP_AO */ =20 static inline int tcp_ao_transmit_skb(struct sock *sk, struct sk_buff *skb, @@ -185,4 +187,17 @@ static inline void tcp_ao_connect_init(struct sock *sk) } #endif =20 +#if defined(CONFIG_TCP_MD5SIG) || defined(CONFIG_TCP_AO) +int tcp_do_parse_auth_options(const struct tcphdr *th, + const u8 **md5_hash, const u8 **ao_hash); +#else +static inline int tcp_do_parse_auth_options(const struct tcphdr *th, + const u8 **md5_hash, const u8 **ao_hash) +{ + *md5_hash =3D NULL; + *ao_hash =3D NULL; + return 0; +} +#endif + #endif /* _TCP_AO_H */ diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c index 0e3372265cf4..b44b9ef99e60 100644 --- a/net/ipv4/tcp.c +++ b/net/ipv4/tcp.c @@ -4396,7 +4396,8 @@ tcp_inbound_md5_hash(const struct sock *sk, const str= uct sk_buff *skb, l3index =3D sdif ? dif : 0; =20 hash_expected =3D tcp_md5_do_lookup(sk, l3index, saddr, family); - hash_location =3D tcp_parse_md5sig_option(th); + if (tcp_parse_auth_options(th, &hash_location, NULL)) + return SKB_DROP_REASON_TCP_AUTH_HDR; =20 /* We've parsed the options - do we have a hash? */ if (!hash_expected && !hash_location) diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c index 64795a79a4a4..7e5e16d2e65c 100644 --- a/net/ipv4/tcp_input.c +++ b/net/ipv4/tcp_input.c @@ -4254,39 +4254,58 @@ static bool tcp_fast_parse_options(const struct net= *net, return true; } =20 -#ifdef CONFIG_TCP_MD5SIG +#if defined(CONFIG_TCP_MD5SIG) || defined(CONFIG_TCP_AO) /* - * Parse MD5 Signature option + * Parse Signature options */ -const u8 *tcp_parse_md5sig_option(const struct tcphdr *th) +int tcp_do_parse_auth_options(const struct tcphdr *th, + const u8 **md5_hash, const u8 **ao_hash) { int length =3D (th->doff << 2) - sizeof(*th); const u8 *ptr =3D (const u8 *)(th + 1); + unsigned int minlen =3D TCPOLEN_MD5SIG; + + if (IS_ENABLED(CONFIG_TCP_AO)) + minlen =3D sizeof(struct tcp_ao_hdr) + 1; + + *md5_hash =3D NULL; + *ao_hash =3D NULL; =20 /* If not enough data remaining, we can short cut */ - while (length >=3D TCPOLEN_MD5SIG) { + while (length >=3D minlen) { int opcode =3D *ptr++; int opsize; =20 switch (opcode) { case TCPOPT_EOL: - return NULL; + return 0; case TCPOPT_NOP: length--; continue; default: opsize =3D *ptr++; if (opsize < 2 || opsize > length) - return NULL; - if (opcode =3D=3D TCPOPT_MD5SIG) - return opsize =3D=3D TCPOLEN_MD5SIG ? ptr : NULL; + return -EINVAL; + if (opcode =3D=3D TCPOPT_MD5SIG) { + if (opsize !=3D TCPOLEN_MD5SIG) + return -EINVAL; + if (unlikely(*md5_hash || *ao_hash)) + return -EEXIST; + *md5_hash =3D ptr; + } else if (opcode =3D=3D TCPOPT_AO) { + if (opsize <=3D sizeof(struct tcp_ao_hdr)) + return -EINVAL; + if (unlikely(*md5_hash || *ao_hash)) + return -EEXIST; + *ao_hash =3D ptr; + } } ptr +=3D opsize - 2; length -=3D opsize; } - return NULL; + return 0; } -EXPORT_SYMBOL(tcp_parse_md5sig_option); +EXPORT_SYMBOL(tcp_do_parse_auth_options); #endif =20 /* Sorry, PAWS as specified is broken wrt. pure-ACKs -DaveM diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c index b002f6497d19..83e069d0f778 100644 --- a/net/ipv4/tcp_ipv4.c +++ b/net/ipv4/tcp_ipv4.c @@ -670,7 +670,9 @@ EXPORT_SYMBOL(tcp_v4_send_check); * Exception: precedence violation. We do not implement it in any case. */ =20 -#ifdef CONFIG_TCP_MD5SIG +#ifdef CONFIG_TCP_AO +#define OPTION_BYTES MAX_TCP_OPTION_SPACE +#elif defined(CONFIG_TCP_MD5SIG) #define OPTION_BYTES TCPOLEN_MD5SIG_ALIGNED #else #define OPTION_BYTES sizeof(__be32) @@ -685,8 +687,8 @@ static void tcp_v4_send_reset(const struct sock *sk, st= ruct sk_buff *skb) } rep; struct ip_reply_arg arg; #ifdef CONFIG_TCP_MD5SIG + const __u8 *md5_hash_location =3D NULL; struct tcp_md5sig_key *key =3D NULL; - const __u8 *hash_location =3D NULL; unsigned char newhash[16]; int genhash; struct sock *sk1 =3D NULL; @@ -727,8 +729,11 @@ static void tcp_v4_send_reset(const struct sock *sk, s= truct sk_buff *skb) =20 net =3D sk ? sock_net(sk) : dev_net(skb_dst(skb)->dev); #ifdef CONFIG_TCP_MD5SIG + /* Invalid TCP option size or twice included auth */ + if (tcp_parse_auth_options(tcp_hdr(skb), &md5_hash_location, NULL)) + return; + rcu_read_lock(); - hash_location =3D tcp_parse_md5sig_option(th); if (sk && sk_fullsock(sk)) { const union tcp_md5_addr *addr; int l3index; @@ -739,7 +744,7 @@ static void tcp_v4_send_reset(const struct sock *sk, st= ruct sk_buff *skb) l3index =3D tcp_v4_sdif(skb) ? inet_iif(skb) : 0; addr =3D (union tcp_md5_addr *)&ip_hdr(skb)->saddr; key =3D tcp_md5_do_lookup(sk, l3index, addr, AF_INET); - } else if (hash_location) { + } else if (md5_hash_location) { const union tcp_md5_addr *addr; int sdif =3D tcp_v4_sdif(skb); int dif =3D inet_iif(skb); @@ -771,7 +776,7 @@ static void tcp_v4_send_reset(const struct sock *sk, st= ruct sk_buff *skb) =20 =20 genhash =3D tcp_v4_md5_hash_skb(newhash, key, NULL, skb); - if (genhash || memcmp(hash_location, newhash, 16) !=3D 0) + if (genhash || memcmp(md5_hash_location, newhash, 16) !=3D 0) goto out; =20 } diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c index f52656bdf13a..309f5993b1ca 100644 --- a/net/ipv6/tcp_ipv6.c +++ b/net/ipv6/tcp_ipv6.c @@ -990,7 +990,7 @@ static void tcp_v6_send_reset(const struct sock *sk, st= ruct sk_buff *skb) u32 seq =3D 0, ack_seq =3D 0; struct tcp_md5sig_key *key =3D NULL; #ifdef CONFIG_TCP_MD5SIG - const __u8 *hash_location =3D NULL; + const __u8 *md5_hash_location =3D NULL; unsigned char newhash[16]; int genhash; struct sock *sk1 =3D NULL; @@ -1012,8 +1012,11 @@ static void tcp_v6_send_reset(const struct sock *sk,= struct sk_buff *skb) =20 net =3D sk ? sock_net(sk) : dev_net(skb_dst(skb)->dev); #ifdef CONFIG_TCP_MD5SIG + /* Invalid TCP option size or twice included auth */ + if (tcp_parse_auth_options(th, &md5_hash_location, NULL)) + return; + rcu_read_lock(); - hash_location =3D tcp_parse_md5sig_option(th); if (sk && sk_fullsock(sk)) { int l3index; =20 @@ -1022,7 +1025,7 @@ static void tcp_v6_send_reset(const struct sock *sk, = struct sk_buff *skb) */ l3index =3D tcp_v6_sdif(skb) ? tcp_v6_iif_l3_slave(skb) : 0; key =3D tcp_v6_md5_do_lookup(sk, &ipv6h->saddr, l3index); - } else if (hash_location) { + } else if (md5_hash_location) { int dif =3D tcp_v6_iif_l3_slave(skb); int sdif =3D tcp_v6_sdif(skb); int l3index; @@ -1051,7 +1054,7 @@ static void tcp_v6_send_reset(const struct sock *sk, = struct sk_buff *skb) goto out; =20 genhash =3D tcp_v6_md5_hash_skb(newhash, key, NULL, skb); - if (genhash || memcmp(hash_location, newhash, 16) !=3D 0) + if (genhash || memcmp(md5_hash_location, newhash, 16) !=3D 0) goto out; } #endif --=20 2.42.0