From patchwork Mon Apr 3 21:34:06 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dmitry Safonov X-Patchwork-Id: 78759 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a59:b0ea:0:b0:3b6:4342:cba0 with SMTP id b10csp2598484vqo; Mon, 3 Apr 2023 14:37:18 -0700 (PDT) X-Google-Smtp-Source: AKy350ZRoqPVLWEJJvCAZfQxLuHWF8pmnMFcp81xjLxbdDiaoSoNYn5+3rpAnXBpkIyUHrLk7y2i X-Received: by 2002:a05:6a20:b725:b0:da:2dc:5642 with SMTP id fg37-20020a056a20b72500b000da02dc5642mr73878pzb.58.1680557837843; Mon, 03 Apr 2023 14:37:17 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1680557837; cv=none; d=google.com; s=arc-20160816; b=wzVqL2IXy9ysQjpLaB7y3qlIdkFGW2ck2mFthlmqAad1XXdCE1Ii3/klbHWPaIf3ab nl68Xx228g75jFa8SBr7I5cj6ggwV00SBSMNZSAkaeANQQRO4Z1Vp96xuy6/HBx8xqkm +5iAdiZPylkveRD8ecbWGWF6OkGWzm2yqQ3fEn/+3XolpEsQDsJcp50AiDxAUJvBPuvN xGaH+A+pMw4pJBw+B7rtPWqSz8Yrb+PH8s4SydyydT22qOcwnkOq8UcS9hF5gZpMok97 rxWFY/828YfKuE9GebSR4+jzENyxFc+12kTVX8o1EE4RMNvlTDEObWdyWcD2xH/td4h5 Dj/A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=hkkouImanIMt3uEEr+qTNS7Gn2gBzCIixSUkmejXDH0=; b=lxcV7T/kJujxi+JMt/JRRh/2dJcu31Adfo8KAjc4XKil8tusmwrilDGLpQTyX5SYoF KjJEqK3kEt+RkxkESBgEHUPQSz2Vi1sCYVxuCUVJDEHiGWb3hPFQxdTFVmXoBchOD6En Ru74ocZyF+nVaeyLXrRTd8rBft8Yj/393zsLvbpAIATp5EBzEYjGhNG33OKk8zA4XSF/ ReOHLL6lI9VU9WLiZMnrmL2jWc8SJH7Bzfrwfk8umC5q45YRWRU5Fm/hve4sE8K8Z4nc NprqvkmCVGV+Hp+cP6ORx3K4MthD8MSnFcaINDpusPjIpqeyzy5WoG0PrH3T4SAmylnZ c0OQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@arista.com header.s=google header.b=XX9wgJvj; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=arista.com Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id a14-20020aa794ae000000b006262531b3e2si8855964pfl.361.2023.04.03.14.37.05; Mon, 03 Apr 2023 14:37:17 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@arista.com header.s=google header.b=XX9wgJvj; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=arista.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233554AbjDCVfQ (ORCPT + 99 others); Mon, 3 Apr 2023 17:35:16 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51214 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233526AbjDCVex (ORCPT ); Mon, 3 Apr 2023 17:34:53 -0400 Received: from mail-wr1-x42d.google.com (mail-wr1-x42d.google.com [IPv6:2a00:1450:4864:20::42d]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6DE343C07 for ; Mon, 3 Apr 2023 14:34:39 -0700 (PDT) Received: by mail-wr1-x42d.google.com with SMTP id h17so30769736wrt.8 for ; Mon, 03 Apr 2023 14:34:39 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=arista.com; s=google; t=1680557677; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=hkkouImanIMt3uEEr+qTNS7Gn2gBzCIixSUkmejXDH0=; b=XX9wgJvj7TnJDFyzolwE6c7J9CMUIWxsPlxvDz+MQ6SPINbHYfvyW4+NvEOVtB/or4 Za05muo31pLDM4VtmQLO9KMjkBxjq+gIHnm+yC5GgHT8cyBVDRzElCn1gTBPDGl0XE/h GKxhUfMaNpjtKIdG6H6FycQUfXEkH0MWz2cSCjbENkAMu9+BpvICVPKvANwBIBsqKw/Z 6XATtUYKTc9ApR4DQ2BYOVqlEqT7GeGfRVv5G2vNQf+Q78B06oUV6ArURo74vMnpFMDn hDLUWRxUp7usVU5pQNDRktYx8MkBSR2EuWEEOSracra9lE51EGDRpNlr2w/nUf5Uy0L/ efaQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1680557677; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=hkkouImanIMt3uEEr+qTNS7Gn2gBzCIixSUkmejXDH0=; b=OT5mebtU4ZDbkLWk1qrl/iFNLFfH3bDRiYbFFj9FxxeuYPhSffLan/f3IBtNMyf1mY dBPE/lFA8hXCmH4lVr+9hQvc/JO0+ZhNlM0IPv+YWuloQJKh1p/eDX5//2rDRNK34yMZ FKyP9hvfIW+774jRVMafvFKgbmhR4qm8hMqeEhAy2LG0hQX6VST5flsi7FxlM9isMUJk TpfWzYm+D7d2tidw3ZEMNZHtAzxj72SdMx6lprflUWDs+VBVvLVhIuroY9Ser2kieuhD qcXa+6PnSqezGyhIwZJe+BSbiuWo9iofTwgZNy4N34uN6gQ1LZS16BzzHtszaT5cPRXQ GZWQ== X-Gm-Message-State: AAQBX9erFy+Bnk1bQDjipNYGokT9HrPKFkdfp7O+2IZ45bn2RdlEVtSs Ubn9vVQ43mD1rflZZdqiPUKtH596Cng5NG0sBog= X-Received: by 2002:a5d:6441:0:b0:2ce:a8e9:bb3c with SMTP id d1-20020a5d6441000000b002cea8e9bb3cmr10393wrw.15.1680557677266; Mon, 03 Apr 2023 14:34:37 -0700 (PDT) Received: from Mindolluin.ire.aristanetworks.com ([217.173.96.166]) by smtp.gmail.com with ESMTPSA id o5-20020a5d4a85000000b002c3f9404c45sm10682740wrq.7.2023.04.03.14.34.35 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 03 Apr 2023 14:34:36 -0700 (PDT) From: Dmitry Safonov To: linux-kernel@vger.kernel.org, David Ahern , Eric Dumazet , Paolo Abeni , Jakub Kicinski , "David S. Miller" Cc: Dmitry Safonov , Andy Lutomirski , Ard Biesheuvel , Bob Gilligan , Dan Carpenter , David Laight , Dmitry Safonov <0x7f454c46@gmail.com>, Eric Biggers , "Eric W. Biederman" , Francesco Ruggeri , Herbert Xu , Hideaki YOSHIFUJI , Ivan Delalande , Leonard Crestez , Salam Noureddine , netdev@vger.kernel.org, Francesco Ruggeri Subject: [PATCH v5 07/21] net/tcp: Add tcp_parse_auth_options() Date: Mon, 3 Apr 2023 22:34:06 +0100 Message-Id: <20230403213420.1576559-8-dima@arista.com> X-Mailer: git-send-email 2.40.0 In-Reply-To: <20230403213420.1576559-1-dima@arista.com> References: <20230403213420.1576559-1-dima@arista.com> MIME-Version: 1.0 X-Spam-Status: No, score=-0.2 required=5.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_NONE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= X-GMAIL-THRID: =?utf-8?q?1762192615314679959?= X-GMAIL-MSGID: =?utf-8?q?1762192615314679959?= Introduce a helper that: (1) shares the common code with TCP-MD5 header options parsing (2) looks for hash signature only once for both TCP-MD5 and TCP-AO (3) fails with -EEXIST if any TCP sign option is present twice, see RFC5925 (2.2): ">> A single TCP segment MUST NOT have more than one TCP-AO in its options sequence. When multiple TCP-AOs appear, TCP MUST discard the segment." Co-developed-by: Francesco Ruggeri Signed-off-by: Francesco Ruggeri Co-developed-by: Salam Noureddine Signed-off-by: Salam Noureddine Signed-off-by: Dmitry Safonov --- include/net/tcp.h | 23 ++++++++++++++++++++++- include/net/tcp_ao.h | 17 ++++++++++++++++- net/ipv4/tcp.c | 3 ++- net/ipv4/tcp_input.c | 39 +++++++++++++++++++++++++++++---------- net/ipv4/tcp_ipv4.c | 15 ++++++++++----- net/ipv6/tcp_ipv6.c | 11 +++++++---- 6 files changed, 86 insertions(+), 22 deletions(-) diff --git a/include/net/tcp.h b/include/net/tcp.h index 2625aa091296..6b8af03d0f65 100644 --- a/include/net/tcp.h +++ b/include/net/tcp.h @@ -434,7 +434,6 @@ int tcp_mmap(struct file *file, struct socket *sock, void tcp_parse_options(const struct net *net, const struct sk_buff *skb, struct tcp_options_received *opt_rx, int estab, struct tcp_fastopen_cookie *foc); -const u8 *tcp_parse_md5sig_option(const struct tcphdr *th); /* * BPF SKB-less helpers @@ -2534,6 +2533,28 @@ static inline u64 tcp_transmit_time(const struct sock *sk) return 0; } +static inline int tcp_parse_auth_options(const struct tcphdr *th, + const u8 **md5_hash, const struct tcp_ao_hdr **aoh) +{ + const u8 *md5_tmp, *ao_tmp; + int ret; + + ret = tcp_do_parse_auth_options(th, &md5_tmp, &ao_tmp); + if (ret) + return ret; + + if (md5_hash) + *md5_hash = md5_tmp; + + if (aoh) { + if (!ao_tmp) + *aoh = NULL; + else + *aoh = (struct tcp_ao_hdr *)(ao_tmp - 2); + } + + return 0; +} static inline bool tcp_ao_required(struct sock *sk, const void *saddr, int family) diff --git a/include/net/tcp_ao.h b/include/net/tcp_ao.h index ee32af145bba..72fc87cf58bf 100644 --- a/include/net/tcp_ao.h +++ b/include/net/tcp_ao.h @@ -156,7 +156,9 @@ int tcp_v6_parse_ao(struct sock *sk, int cmd, sockptr_t optval, int optlen); void tcp_ao_finish_connect(struct sock *sk, struct sk_buff *skb); void tcp_ao_connect_init(struct sock *sk); - +void tcp_ao_syncookie(struct sock *sk, const struct sk_buff *skb, + struct tcp_request_sock *treq, + unsigned short int family); #else /* CONFIG_TCP_AO */ static inline struct tcp_ao_key *tcp_ao_do_lookup(const struct sock *sk, @@ -179,4 +181,17 @@ static inline void tcp_ao_connect_init(struct sock *sk) } #endif +#if defined(CONFIG_TCP_MD5SIG) || defined(CONFIG_TCP_AO) +int tcp_do_parse_auth_options(const struct tcphdr *th, + const u8 **md5_hash, const u8 **ao_hash); +#else +static int tcp_do_parse_auth_options(const struct tcphdr *th, + const u8 **md5_hash, const u8 **ao_hash) +{ + *md5_hash = NULL; + *ao_hash = NULL; + return 0; +} +#endif + #endif /* _TCP_AO_H */ diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c index 62484cff7089..dd43a903613c 100644 --- a/net/ipv4/tcp.c +++ b/net/ipv4/tcp.c @@ -4499,7 +4499,8 @@ tcp_inbound_md5_hash(const struct sock *sk, const struct sk_buff *skb, l3index = sdif ? dif : 0; hash_expected = tcp_md5_do_lookup(sk, l3index, saddr, family); - hash_location = tcp_parse_md5sig_option(th); + if (tcp_parse_auth_options(th, &hash_location, NULL)) + return true; /* We've parsed the options - do we have a hash? */ if (!hash_expected && !hash_location) diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c index 6baeb3fe4352..78c2f238205f 100644 --- a/net/ipv4/tcp_input.c +++ b/net/ipv4/tcp_input.c @@ -4202,39 +4202,58 @@ static bool tcp_fast_parse_options(const struct net *net, return true; } -#ifdef CONFIG_TCP_MD5SIG +#if defined(CONFIG_TCP_MD5SIG) || defined(CONFIG_TCP_AO) /* - * Parse MD5 Signature option + * Parse Signature options */ -const u8 *tcp_parse_md5sig_option(const struct tcphdr *th) +int tcp_do_parse_auth_options(const struct tcphdr *th, + const u8 **md5_hash, const u8 **ao_hash) { int length = (th->doff << 2) - sizeof(*th); const u8 *ptr = (const u8 *)(th + 1); + unsigned int minlen = TCPOLEN_MD5SIG; + + if (IS_ENABLED(CONFIG_TCP_AO)) + minlen = sizeof(struct tcp_ao_hdr) + 1; + + *md5_hash = NULL; + *ao_hash = NULL; /* If not enough data remaining, we can short cut */ - while (length >= TCPOLEN_MD5SIG) { + while (length >= minlen) { int opcode = *ptr++; int opsize; switch (opcode) { case TCPOPT_EOL: - return NULL; + return 0; case TCPOPT_NOP: length--; continue; default: opsize = *ptr++; if (opsize < 2 || opsize > length) - return NULL; - if (opcode == TCPOPT_MD5SIG) - return opsize == TCPOLEN_MD5SIG ? ptr : NULL; + return -EINVAL; + if (opcode == TCPOPT_MD5SIG) { + if (opsize != TCPOLEN_MD5SIG) + return -EINVAL; + if (unlikely(*md5_hash || *ao_hash)) + return -EEXIST; + *md5_hash = ptr; + } else if (opcode == TCPOPT_AO) { + if (opsize <= sizeof(struct tcp_ao_hdr)) + return -EINVAL; + if (unlikely(*md5_hash || *ao_hash)) + return -EEXIST; + *ao_hash = ptr; + } } ptr += opsize - 2; length -= opsize; } - return NULL; + return 0; } -EXPORT_SYMBOL(tcp_parse_md5sig_option); +EXPORT_SYMBOL(tcp_do_parse_auth_options); #endif /* Sorry, PAWS as specified is broken wrt. pure-ACKs -DaveM diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c index 516b46cdd604..3ffc966868e0 100644 --- a/net/ipv4/tcp_ipv4.c +++ b/net/ipv4/tcp_ipv4.c @@ -668,7 +668,9 @@ EXPORT_SYMBOL(tcp_v4_send_check); * Exception: precedence violation. We do not implement it in any case. */ -#ifdef CONFIG_TCP_MD5SIG +#ifdef CONFIG_TCP_AO +#define OPTION_BYTES MAX_TCP_OPTION_SPACE +#elif defined(CONFIG_TCP_MD5SIG) #define OPTION_BYTES TCPOLEN_MD5SIG_ALIGNED #else #define OPTION_BYTES sizeof(__be32) @@ -684,7 +686,7 @@ static void tcp_v4_send_reset(const struct sock *sk, struct sk_buff *skb) struct ip_reply_arg arg; #ifdef CONFIG_TCP_MD5SIG struct tcp_md5sig_key *key = NULL; - const __u8 *hash_location = NULL; + const __u8 *md5_hash_location = NULL; unsigned char newhash[16]; int genhash; struct sock *sk1 = NULL; @@ -724,8 +726,11 @@ static void tcp_v4_send_reset(const struct sock *sk, struct sk_buff *skb) net = sk ? sock_net(sk) : dev_net(skb_dst(skb)->dev); #ifdef CONFIG_TCP_MD5SIG + /* Invalid TCP option size or twice included auth */ + if (tcp_parse_auth_options(tcp_hdr(skb), &md5_hash_location, NULL)) + return; + rcu_read_lock(); - hash_location = tcp_parse_md5sig_option(th); if (sk && sk_fullsock(sk)) { const union tcp_md5_addr *addr; int l3index; @@ -736,7 +741,7 @@ static void tcp_v4_send_reset(const struct sock *sk, struct sk_buff *skb) l3index = tcp_v4_sdif(skb) ? inet_iif(skb) : 0; addr = (union tcp_md5_addr *)&ip_hdr(skb)->saddr; key = tcp_md5_do_lookup(sk, l3index, addr, AF_INET); - } else if (hash_location) { + } else if (md5_hash_location) { const union tcp_md5_addr *addr; int sdif = tcp_v4_sdif(skb); int dif = inet_iif(skb); @@ -768,7 +773,7 @@ static void tcp_v4_send_reset(const struct sock *sk, struct sk_buff *skb) genhash = tcp_v4_md5_hash_skb(newhash, key, NULL, skb); - if (genhash || memcmp(hash_location, newhash, 16) != 0) + if (genhash || memcmp(md5_hash_location, newhash, 16) != 0) goto out; } diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c index eaf85f233362..519fce8c21f3 100644 --- a/net/ipv6/tcp_ipv6.c +++ b/net/ipv6/tcp_ipv6.c @@ -992,7 +992,7 @@ static void tcp_v6_send_reset(const struct sock *sk, struct sk_buff *skb) u32 seq = 0, ack_seq = 0; struct tcp_md5sig_key *key = NULL; #ifdef CONFIG_TCP_MD5SIG - const __u8 *hash_location = NULL; + const __u8 *md5_hash_location = NULL; unsigned char newhash[16]; int genhash; struct sock *sk1 = NULL; @@ -1014,8 +1014,11 @@ static void tcp_v6_send_reset(const struct sock *sk, struct sk_buff *skb) net = sk ? sock_net(sk) : dev_net(skb_dst(skb)->dev); #ifdef CONFIG_TCP_MD5SIG + /* Invalid TCP option size or twice included auth */ + if (tcp_parse_auth_options(th, &md5_hash_location, NULL)) + return; + rcu_read_lock(); - hash_location = tcp_parse_md5sig_option(th); if (sk && sk_fullsock(sk)) { int l3index; @@ -1024,7 +1027,7 @@ static void tcp_v6_send_reset(const struct sock *sk, struct sk_buff *skb) */ l3index = tcp_v6_sdif(skb) ? tcp_v6_iif_l3_slave(skb) : 0; key = tcp_v6_md5_do_lookup(sk, &ipv6h->saddr, l3index); - } else if (hash_location) { + } else if (md5_hash_location) { int dif = tcp_v6_iif_l3_slave(skb); int sdif = tcp_v6_sdif(skb); int l3index; @@ -1053,7 +1056,7 @@ static void tcp_v6_send_reset(const struct sock *sk, struct sk_buff *skb) goto out; genhash = tcp_v6_md5_hash_skb(newhash, key, NULL, skb); - if (genhash || memcmp(hash_location, newhash, 16) != 0) + if (genhash || memcmp(md5_hash_location, newhash, 16) != 0) goto out; } #endif