From patchwork Tue May 9 22:16:04 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dmitry Safonov X-Patchwork-Id: 91772 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a59:b0ea:0:b0:3b6:4342:cba0 with SMTP id b10csp3205741vqo; Tue, 9 May 2023 15:18:46 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ5u7dWJ/Mms6C+HrerWPlEYLuGI50l/4p2lUGNqiPnwxqmfX75L7JYfDgDUDpvSM8J/WDud X-Received: by 2002:a05:6a20:54a2:b0:100:8592:9a7f with SMTP id i34-20020a056a2054a200b0010085929a7fmr10823410pzk.45.1683670726533; Tue, 09 May 2023 15:18:46 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1683670726; cv=none; d=google.com; s=arc-20160816; b=nZL+XCEP/xVpgpfkoMLBuHB6Go/7dDoMtIgAUs74xOi69i/2UFOH8xqvHogRzBn/iA 0xjwzxzQCr3MZo85GWTvkTniljnsLL0Le9kvwGvD7uo4gtgjmiJkQuAeux9yJRk3qf6T lmOgq8Akub9rys7DUYT5vL/GZWKgTdGABHQoKJB1FAfab77eZrUCszaTRmJIBjxP4g5Z bKovdxCixcTk9PrTApz/n/mQEU0BRPET/1REOZPRiJIcrHGF55VsPp8y4nkrxe7MZnpK hRU5jC702EFhdeCky0oW1B3DztNbbonJBcdW6xR7Cc9arF9O0w5+ayNLlS7ASKQn89ab ZDFw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=Y6EGYjnQ/WyZ5lGG/G0UzhGu7aE+rdmJ2jNh/CB1dks=; b=AN2Z9Wze4NNEL5mJKrusrL/WAwO2OqFRYmgEj+VBaxXH+dXIaFUDo4+IL3IpQESnay V6vj929pObRJhYYLHHuuGlRo52APoIociA4vAc+l27AN/KXNYZNPdD9LyW5AGQjCJUEw 79wTnazFVi3mnfd6ddWikk1viazasBvmD5/oh2FjMgktslnZBS/ORWESDCrLrxaTNLHO pX9uGdyR+jjt5Z70nK5Htk4cijcg9ZcpGIryRT8ZhCXuqtSFYI+c3cNy9HdTxrtWegx6 GiPWGGkvGuj+EHDz6AmRCRmfDtGLy9ZiKfqhsHms5GUSQNFXYnXPV5fCcO3l4SmRD928 RVeA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@arista.com header.s=google header.b=RLcV9kBT; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT 
dis=NONE) header.from=arista.com Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id z10-20020aa79f8a000000b0064762d151fcsi1522307pfr.183.2023.05.09.15.18.34; Tue, 09 May 2023 15:18:46 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@arista.com header.s=google header.b=RLcV9kBT; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=arista.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235188AbjEIWQW (ORCPT + 99 others); Tue, 9 May 2023 18:16:22 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53600 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235018AbjEIWQU (ORCPT ); Tue, 9 May 2023 18:16:20 -0400 Received: from mail-wm1-x32b.google.com (mail-wm1-x32b.google.com [IPv6:2a00:1450:4864:20::32b]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7135D3A8D for ; Tue, 9 May 2023 15:16:18 -0700 (PDT) Received: by mail-wm1-x32b.google.com with SMTP id 5b1f17b1804b1-3f417ea5252so27833245e9.0 for ; Tue, 09 May 2023 15:16:18 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=arista.com; s=google; t=1683670577; x=1686262577; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=Y6EGYjnQ/WyZ5lGG/G0UzhGu7aE+rdmJ2jNh/CB1dks=; b=RLcV9kBTmM0ms/dV9Q+Kz1njzs2zTjAcvgDTRRAJoTYQaD+6u1/81mYky4/NWOlPVl U+PFv6QhGWcat+FRsZhjBlRjc1A4s7Bpn2o2ux6lyD1J/tVjWChZgjK/pM0q/LWVzwgq RorYb1Pxwx+i4qMJMmUddHcjbS4jBpag7BdGBLR7gJT5T2HejFSdYSLG34MgqVcTvH9U 
D6vdYvVtditjO+R4guAOf8WavmkHJhMKASPP3RDVSi4cCzlJky2THm+GDZSQQQd6jCXH +AdKi5oO3+EfDy4Ms7a6Hy2krjb1HGJRwBSMGOPQpF3pw02Er48skcq4HllK4iqfwRK4 zqDQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1683670577; x=1686262577; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=Y6EGYjnQ/WyZ5lGG/G0UzhGu7aE+rdmJ2jNh/CB1dks=; b=AYXI8MpM7xEefns5+Vd5fxn+e7UMlkAyvPhO4y7wZuqFVgQXJWu3h6zVidcGCg89QG RlAbPBAYUPRw3WN+7j1aYRW49Mh85HU3ZznADf9zUAs8OwXZQmsbf2QSslOuKCHnebO5 x/HHaZUoCKSkDvON2KBpW0DtGct8ELfUwK1cuV4DNXLY9tgwnbBFzsLBzk9ZJC9qYmMS JrHmH3JRyzIg8bgGkah7ZIZBOt1QUmriqBQeIC86eVIlQB1QRsEhbEBttJ8UuqUZeSpX FHU/WfMzmRLdlg2t9eMRPplhb6HTBtmXSbxJyL+ZGIoYurviwsXqT2Ugdz6rBqnHUu6q HtgQ== X-Gm-Message-State: AC+VfDwuJbtvsRLSPeUCLRlDH4SvSb/f+ZdA1JP324LshMox3o9xuyzD zGGJLjyeVEVhRU2yrmgcix2wcZWH6JA1k/71TZY= X-Received: by 2002:a1c:7c10:0:b0:3f4:253b:92b3 with SMTP id x16-20020a1c7c10000000b003f4253b92b3mr5795825wmc.18.1683670576558; Tue, 09 May 2023 15:16:16 -0700 (PDT) Received: from Mindolluin.ire.aristanetworks.com ([217.173.96.166]) by smtp.gmail.com with ESMTPSA id t25-20020a7bc3d9000000b003f42d3111b8sm2052888wmj.30.2023.05.09.15.16.15 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 09 May 2023 15:16:16 -0700 (PDT) 
From: Dmitry Safonov
To: linux-kernel@vger.kernel.org, David Ahern , Eric Dumazet , Paolo Abeni , Jakub Kicinski , "David S. Miller"
Cc: Dmitry Safonov , Dmitry Safonov <0x7f454c46@gmail.com>, Hideaki YOSHIFUJI , Leonard Crestez , Salam Noureddine , netdev@vger.kernel.org
Subject: [PATCH 1/5] net/tcp: Separate TCP-MD5 signing from tcp_v{4,6}_send_reset()
Date: Tue, 9 May 2023 23:16:04 +0100
Message-Id: <20230509221608.2569333-2-dima@arista.com>
X-Mailer: git-send-email 2.40.0
In-Reply-To: <20230509221608.2569333-1-dima@arista.com>
References: <20230509221608.2569333-1-dima@arista.com>

Separate TCP-MD5 part from the generic TCP code, cleaning it up from MD5-related ifdeffery (this is most noticeable on ipv4 part). Mostly, it is refactoring, but with a small bonus: now RST sending functions can nicely get tcp_md5_needed static key check, making them faster on systems without TCP-MD5 keys.

Signed-off-by: Dmitry Safonov
---
 net/ipv4/tcp_ipv4.c | 177 +++++++++++++++++++++++---------------------
 net/ipv6/tcp_ipv6.c | 106 ++++++++++++++------------
 2 files changed, 152 insertions(+), 131 deletions(-)

diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 39bda2b1066e..b1056a4af60f 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -655,6 +655,97 @@ void tcp_v4_send_check(struct sock *sk, struct sk_buff *skb) } EXPORT_SYMBOL(tcp_v4_send_check); +#define REPLY_OPTIONS_LEN (MAX_TCP_OPTION_SPACE / sizeof(__be32)) + +static bool tcp_v4_md5_sign_reset(struct net *net, const struct sock *sk, + struct sk_buff *skb, struct ip_reply_arg *arg, + struct tcphdr *reply, + __be32 reply_options[REPLY_OPTIONS_LEN]) +{ +#ifdef CONFIG_TCP_MD5SIG + const struct tcphdr *th = tcp_hdr(skb); + struct tcp_md5sig_key *key = NULL; + const __u8 *hash_location = NULL; + unsigned char newhash[16]; + struct sock *sk1 = NULL; + int genhash; + + hash_location = tcp_parse_md5sig_option(th); + /* Fastpath: no keys in system, don't send RST iff segment is signed */ + if (!static_branch_unlikely(&tcp_md5_needed.key)) + return !!hash_location; + + rcu_read_lock(); + if (sk && sk_fullsock(sk)) { + const union tcp_md5_addr *addr; + int l3index; + + /* sdif set, means packet ingressed via a device + * in an L3 domain and inet_iif is set to it. + */ + l3index = tcp_v4_sdif(skb) ? inet_iif(skb) : 0; + addr = (union tcp_md5_addr *)&ip_hdr(skb)->saddr; + key = tcp_md5_do_lookup(sk, l3index, addr, AF_INET); + } else if (hash_location) { + const union tcp_md5_addr *addr; + int sdif = tcp_v4_sdif(skb); + int dif = inet_iif(skb); + int l3index; + + /* + * active side is lost. Try to find listening socket through + * source port, and then find md5 key through listening socket. + * we are not loose security here: + * Incoming packet is checked with md5 hash with finding key, + * no RST generated if md5 hash doesn't match. + */ + sk1 = __inet_lookup_listener(net, net->ipv4.tcp_death_row.hashinfo, + NULL, 0, ip_hdr(skb)->saddr, + th->source, ip_hdr(skb)->daddr, + ntohs(th->source), dif, sdif); + /* don't send rst if it can't find key */ + if (!sk1) { + rcu_read_unlock(); + return true; + } + + /* sdif set, means packet ingressed via a device + * in an L3 domain and dif is set to it. + */ + l3index = sdif ? 
dif : 0; + addr = (union tcp_md5_addr *)&ip_hdr(skb)->saddr; + key = tcp_md5_do_lookup(sk1, l3index, addr, AF_INET); + if (!key) { + rcu_read_unlock(); + return true; + } + + genhash = tcp_v4_md5_hash_skb(newhash, key, NULL, skb); + if (genhash || memcmp(hash_location, newhash, 16) != 0) { + rcu_read_unlock(); + return true; + } + } + + if (key) { + reply_options[0] = htonl((TCPOPT_NOP << 24) | + (TCPOPT_NOP << 16) | + (TCPOPT_MD5SIG << 8) | + TCPOLEN_MD5SIG); + /* Update length and the length the header thinks exists */ + arg->iov[0].iov_len += TCPOLEN_MD5SIG_ALIGNED; + reply->doff = arg->iov[0].iov_len / 4; + + tcp_v4_md5_hash_hdr((__u8 *)&reply_options[1], + key, ip_hdr(skb)->saddr, + ip_hdr(skb)->daddr, reply); + } + rcu_read_unlock(); +#endif + + return false; +} + /* * This routine will send an RST to the other tcp. * @@ -668,27 +759,14 @@ EXPORT_SYMBOL(tcp_v4_send_check); * Exception: precedence violation. We do not implement it in any case. */ -#ifdef CONFIG_TCP_MD5SIG -#define OPTION_BYTES TCPOLEN_MD5SIG_ALIGNED -#else -#define OPTION_BYTES sizeof(__be32) -#endif - static void tcp_v4_send_reset(const struct sock *sk, struct sk_buff *skb) { const struct tcphdr *th = tcp_hdr(skb); struct { struct tcphdr th; - __be32 opt[OPTION_BYTES / sizeof(__be32)]; + __be32 opt[REPLY_OPTIONS_LEN]; } rep; struct ip_reply_arg arg; -#ifdef CONFIG_TCP_MD5SIG - struct tcp_md5sig_key *key = NULL; - const __u8 *hash_location = NULL; - unsigned char newhash[16]; - int genhash; - struct sock *sk1 = NULL; -#endif u64 transmit_time = 0; struct sock *ctl_sk; struct net *net; 
@@ -723,70 +801,8 @@ static void tcp_v4_send_reset(const struct sock *sk, struct sk_buff *skb) arg.iov[0].iov_len = sizeof(rep.th); net = sk ? sock_net(sk) : dev_net(skb_dst(skb)->dev); -#ifdef CONFIG_TCP_MD5SIG - rcu_read_lock(); - hash_location = tcp_parse_md5sig_option(th); - if (sk && sk_fullsock(sk)) { - const union tcp_md5_addr *addr; - int l3index; - - /* sdif set, means packet ingressed via a device - * in an L3 domain and inet_iif is set to it. - */ - l3index = tcp_v4_sdif(skb) ? inet_iif(skb) : 0; - addr = (union tcp_md5_addr *)&ip_hdr(skb)->saddr; - key = tcp_md5_do_lookup(sk, l3index, addr, AF_INET); - } else if (hash_location) { - const union tcp_md5_addr *addr; - int sdif = tcp_v4_sdif(skb); - int dif = inet_iif(skb); - int l3index; - - /* - * active side is lost. Try to find listening socket through - * source port, and then find md5 key through listening socket. - * we are not loose security here: - * Incoming packet is checked with md5 hash with finding key, - * no RST generated if md5 hash doesn't match. - */ - sk1 = __inet_lookup_listener(net, net->ipv4.tcp_death_row.hashinfo, - NULL, 0, ip_hdr(skb)->saddr, - th->source, ip_hdr(skb)->daddr, - ntohs(th->source), dif, sdif); - /* don't send rst if it can't find key */ - if (!sk1) - goto out; - - /* sdif set, means packet ingressed via a device - * in an L3 domain and dif is set to it. - */ - l3index = sdif ? 
dif : 0; - addr = (union tcp_md5_addr *)&ip_hdr(skb)->saddr; - key = tcp_md5_do_lookup(sk1, l3index, addr, AF_INET); - if (!key) - goto out; - - - genhash = tcp_v4_md5_hash_skb(newhash, key, NULL, skb); - if (genhash || memcmp(hash_location, newhash, 16) != 0) - goto out; - - } - - if (key) { - rep.opt[0] = htonl((TCPOPT_NOP << 24) | - (TCPOPT_NOP << 16) | - (TCPOPT_MD5SIG << 8) | - TCPOLEN_MD5SIG); - /* Update length and the length the header thinks exists */ - arg.iov[0].iov_len += TCPOLEN_MD5SIG_ALIGNED; - rep.th.doff = arg.iov[0].iov_len / 4; - - tcp_v4_md5_hash_hdr((__u8 *) &rep.opt[1], - key, ip_hdr(skb)->saddr, - ip_hdr(skb)->daddr, &rep.th); - } -#endif + if (tcp_v4_md5_sign_reset(net, sk, skb, &arg, &rep.th, rep.opt)) + return; /* Can't co-exist with TCPMD5, hence check rep.opt[0] */ if (rep.opt[0] == 0) { __be32 mrst = mptcp_reset_option(skb); @@ -842,11 +858,6 @@ static void tcp_v4_send_reset(const struct sock *sk, struct sk_buff *skb) __TCP_INC_STATS(net, TCP_MIB_OUTSEGS); __TCP_INC_STATS(net, TCP_MIB_OUTRSTS); local_bh_enable(); - -#ifdef CONFIG_TCP_MD5SIG -out: - rcu_read_unlock(); -#endif } /* The code following below sending ACKs in SYN-RECV and TIME-WAIT states diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c index 7132eb213a7a..42792bc5b9bf 100644 --- a/net/ipv6/tcp_ipv6.c +++ b/net/ipv6/tcp_ipv6.c 
@@ -977,18 +977,67 @@ static void tcp_v6_send_response(const struct sock *sk, struct sk_buff *skb, u32 kfree_skb(buff); } +#ifdef CONFIG_TCP_MD5SIG +static int tcp_v6_md5_lookup_reset_key(struct net *net, const struct sock *sk, + struct sk_buff *skb, struct tcp_md5sig_key **key, + const struct tcphdr *th, struct ipv6hdr *ipv6h) +{ + const __u8 *hash_location = NULL; + int genhash, l3index; + + hash_location = tcp_parse_md5sig_option(th); + if (!static_branch_unlikely(&tcp_md5_needed.key)) + return !!hash_location; + + if (sk && sk_fullsock(sk)) { + /* sdif set, means packet ingressed via a device + * in an L3 domain and inet_iif is set to it. + */ + l3index = tcp_v6_sdif(skb) ? tcp_v6_iif_l3_slave(skb) : 0; + *key = tcp_v6_md5_do_lookup(sk, &ipv6h->saddr, l3index); + } else if (hash_location) { + int dif = tcp_v6_iif_l3_slave(skb); + int sdif = tcp_v6_sdif(skb); + unsigned char newhash[16]; + struct sock *sk1; + + /* + * active side is lost. Try to find listening socket through + * source port, and then find md5 key through listening socket. + * we are not loose security here: + * Incoming packet is checked with md5 hash with finding key, + * no RST generated if md5 hash doesn't match. + */ + sk1 = inet6_lookup_listener(net, net->ipv4.tcp_death_row.hashinfo, + NULL, 0, &ipv6h->saddr, th->source, + &ipv6h->daddr, ntohs(th->source), + dif, sdif); + if (!sk1) + return -ENOKEY; + + /* sdif set, means packet ingressed via a device + * in an L3 domain and dif is set to it. + */ + l3index = tcp_v6_sdif(skb) ? 
dif : 0; + + *key = tcp_v6_md5_do_lookup(sk1, &ipv6h->saddr, l3index); + if (!*key) + return -ENOKEY; + + genhash = tcp_v6_md5_hash_skb(newhash, *key, NULL, skb); + if (genhash || memcmp(hash_location, newhash, 16) != 0) + return -EKEYREJECTED; + } + return 0; +} +#endif + static void tcp_v6_send_reset(const struct sock *sk, struct sk_buff *skb) { const struct tcphdr *th = tcp_hdr(skb); struct ipv6hdr *ipv6h = ipv6_hdr(skb); - u32 seq = 0, ack_seq = 0; struct tcp_md5sig_key *key = NULL; -#ifdef CONFIG_TCP_MD5SIG - const __u8 *hash_location = NULL; - unsigned char newhash[16]; - int genhash; - struct sock *sk1 = NULL; -#endif + u32 seq = 0, ack_seq = 0; __be32 label = 0; u32 priority = 0; struct net *net; 
@@ -1007,47 +1056,8 @@ static void tcp_v6_send_reset(const struct sock *sk, struct sk_buff *skb) net = sk ? sock_net(sk) : dev_net(skb_dst(skb)->dev); #ifdef CONFIG_TCP_MD5SIG rcu_read_lock(); - hash_location = tcp_parse_md5sig_option(th); - if (sk && sk_fullsock(sk)) { - int l3index; - - /* sdif set, means packet ingressed via a device - * in an L3 domain and inet_iif is set to it. - */ - l3index = tcp_v6_sdif(skb) ? tcp_v6_iif_l3_slave(skb) : 0; - key = tcp_v6_md5_do_lookup(sk, &ipv6h->saddr, l3index); - } else if (hash_location) { - int dif = tcp_v6_iif_l3_slave(skb); - int sdif = tcp_v6_sdif(skb); - int l3index; - - /* - * active side is lost. Try to find listening socket through - * source port, and then find md5 key through listening socket. - * we are not loose security here: - * Incoming packet is checked with md5 hash with finding key, - * no RST generated if md5 hash doesn't match. - */ - sk1 = inet6_lookup_listener(net, net->ipv4.tcp_death_row.hashinfo, - NULL, 0, &ipv6h->saddr, th->source, - &ipv6h->daddr, ntohs(th->source), - dif, sdif); - if (!sk1) - goto out; - - /* sdif set, means packet ingressed via a device - * in an L3 domain and dif is set to it. - */ - l3index = tcp_v6_sdif(skb) ? 
dif : 0; - - key = tcp_v6_md5_do_lookup(sk1, &ipv6h->saddr, l3index); - if (!key) - goto out; - - genhash = tcp_v6_md5_hash_skb(newhash, key, NULL, skb); - if (genhash || memcmp(hash_location, newhash, 16) != 0) - goto out; - } + if (tcp_v6_md5_lookup_reset_key(net, sk, skb, &key, th, ipv6h)) + goto out; #endif if (th->ack)

From patchwork Tue May 9 22:16:05 2023
X-Patchwork-Submitter: Dmitry Safonov
X-Patchwork-Id: 91773
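Review bot: in the new tcp_v4_md5_sign_reset() (net/ipv4/tcp_ipv4.c, hunk @@ -655,6 +655,97) the bool return value is inverted relative to the name: true means "do not send the RST" and false means "proceed (signed, or nothing to sign)", which reads backwards at the call site `if (tcp_v4_md5_sign_reset(net, sk, skb, &arg, &rep.th, rep.opt)) return;`. Either add a comment above the function documenting the return value or name it for the question it answers (something like tcp_v4_md5_reject_reset). Two smaller points while the block is being moved: the fast path `return !!hash_location;` changes behaviour for a full socket that receives a signed segment while no keys exist in the system (in the removed code the sk_fullsock branch looked the key up, found none, and still sent an unsigned RST; now nothing is sent), which is a reasonable policy but should be stated in the commit message rather than filed under "refactoring"; and the moved comment "we are not loose security here" should become "we do not lose security here".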
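Review bot: in tcp_v4_send_reset() (hunk @@ -668,27 +759,14) replacing `__be32 opt[OPTION_BYTES / sizeof(__be32)]` with `__be32 opt[REPLY_OPTIONS_LEN]` grows rep.opt from TCPOLEN_MD5SIG_ALIGNED bytes (a single __be32 on !CONFIG_TCP_MD5SIG builds) to MAX_TCP_OPTION_SPACE on every build. Nothing in this patch emits more than the MD5 option into the reply, so either justify the larger on-stack reply struct in the commit message (if later patches need the room) or keep the array sized to what is actually written.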
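Review bot: at the new call site in tcp_v4_send_reset() (hunk @@ -723,70 +801,8) the rcu_read_lock() that previously stayed held until the `out:` label at the end of the function is now released inside tcp_v4_md5_sign_reset() before the reply is built and sent. None of the removed lines use key, sk1 or hash_location after the signing step, so this looks safe, but the narrowed RCU section is a real change and deserves a sentence in the commit message. Note also that the `/* Can't co-exist with TCPMD5, hence check rep.opt[0] */` test that follows the call relies on the helper never touching reply_options[0] on a path where it returns false without a key; that holds for the version posted, a comment on the helper would keep it that way.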
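Review bot: tcp_v6_md5_lookup_reset_key() (net/ipv6/tcp_ipv6.c, hunk @@ -977,18 +977,67) mixes return conventions: the fast path returns `!!hash_location` (0 or 1) while the other failure paths return -ENOKEY and -EKEYREJECTED. The caller only tests for non-zero, so it works, but a positive 1 meaning "reject" next to negative errnos is a trap for the next reader; return -ENOKEY (or a dedicated errno) there. The two sides of the series are also shaped differently: the IPv4 helper is a bool that does lookup, verification and signing under its own rcu_read_lock(), while this IPv6 helper returns an int, does lookup and verification only, and relies on the caller's rcu_read_lock(). Either give them the same shape or say in the commit message why they differ. While moving the code, `l3index = tcp_v6_sdif(skb) ? dif : 0;` can use the local `sdif` computed a few lines above, as the IPv4 version does, and the "we are not loose security" typo can be fixed.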
From: Dmitry Safonov
To: linux-kernel@vger.kernel.org, David Ahern , Eric Dumazet , Paolo Abeni , Jakub Kicinski , "David S. Miller"
Cc: Dmitry Safonov , Dmitry Safonov <0x7f454c46@gmail.com>, Hideaki YOSHIFUJI , Leonard Crestez , Salam Noureddine , netdev@vger.kernel.org
Subject: [PATCH 2/5] net/tcp: Use tcp_v6_md5_hash_skb() instead of .calc_md5_hash()
Date: Tue, 9 May 2023 23:16:05 +0100
Message-Id: <20230509221608.2569333-3-dima@arista.com>
X-Mailer: git-send-email 2.40.0
In-Reply-To: <20230509221608.2569333-1-dima@arista.com>
References: <20230509221608.2569333-1-dima@arista.com>

Using af-specific callback requires the socket to be full (struct tcp_sock). Using tcp_v6_md5_hash_skb() instead, depending on passed family parameter makes it possible to use it for non-full sockets as well (if key-lookup succeeds). Next commit uses tcp_inbound_md5_hash() to verify segments on twsk.

This seems quite safe to do, as pre-commit 7bbb765b7349 ("net/tcp: Merge TCP-MD5 inbound callbacks") ip-version-specific functions tcp_v{4,6}_inbound_md5_hash were calling tcp_v4_md5_hash_skb()/tcp_v6_md5_hash_skb().

Signed-off-by: Dmitry Safonov
---
 include/net/tcp.h   | 11 +++++++++++
 net/ipv4/tcp.c      |  9 +++------
 net/ipv6/tcp_ipv6.c |  6 ++----
 3 files changed, 16 insertions(+), 10 deletions(-)

diff --git a/include/net/tcp.h b/include/net/tcp.h
index 04a31643cda3..e127fc685ca6 100644
--- a/include/net/tcp.h
+++ b/include/net/tcp.h
@@ -1676,6 +1676,17 @@ struct tcp_md5sig_pool { /* - functions */ int tcp_v4_md5_hash_skb(char *md5_hash, const struct tcp_md5sig_key *key, const struct sock *sk, const struct sk_buff *skb); +#if IS_ENABLED(CONFIG_IPV6) +int tcp_v6_md5_hash_skb(char *md5_hash, const struct tcp_md5sig_key *key, + const struct sock *sk, const struct sk_buff *skb); +#else +static inline int tcp_v6_md5_hash_skb(char *md5_hash, + const struct tcp_md5sig_key *key, + const struct sock *sk, const struct sk_buff *skb) +{ + return -EPROTONOSUPPORT; +} +#endif int tcp_md5_do_add(struct sock *sk, const union tcp_md5_addr *addr, int family, u8 prefixlen, int l3index, u8 flags, const u8 *newkey, u8 newkeylen); diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c index 20db115c38c4..c1897a039ff5 100644 --- a/net/ipv4/tcp.c +++ b/net/ipv4/tcp.c @@ -4570,7 +4570,6 @@ tcp_inbound_md5_hash(const struct sock *sk, const struct sk_buff *skb, const __u8 *hash_location = NULL; struct tcp_md5sig_key *hash_expected; const struct tcphdr *th = tcp_hdr(skb); - const struct tcp_sock *tp = tcp_sk(sk); int genhash, l3index; u8 newhash[16]; @@ -4601,13 +4600,11 @@ tcp_inbound_md5_hash(const struct sock *sk, const struct sk_buff *skb, * IPv4-mapped case. */ if (family == AF_INET) - genhash = tcp_v4_md5_hash_skb(newhash, - hash_expected, + genhash = tcp_v4_md5_hash_skb(newhash, hash_expected, NULL, skb); else - genhash = tp->af_specific->calc_md5_hash(newhash, - hash_expected, - NULL, skb); + genhash = tcp_v6_md5_hash_skb(newhash, hash_expected, + NULL, skb); if (genhash || memcmp(hash_location, newhash, 16) != 0) { NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPMD5FAILURE); diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c index 42792bc5b9bf..574398a89970 100644 --- a/net/ipv6/tcp_ipv6.c +++ b/net/ipv6/tcp_ipv6.c 
@@ -732,10 +732,8 @@ static int tcp_v6_md5_hash_hdr(char *md5_hash, const struct tcp_md5sig_key *key, return 1; } -static int tcp_v6_md5_hash_skb(char *md5_hash, - const struct tcp_md5sig_key *key, - const struct sock *sk, - const struct sk_buff *skb) +int tcp_v6_md5_hash_skb(char *md5_hash, const struct tcp_md5sig_key *key, + const struct sock *sk, const struct sk_buff *skb) { const struct in6_addr *saddr, *daddr; struct tcp_md5sig_pool *hp;

From patchwork Tue May 9 22:16:06 2023
X-Patchwork-Submitter: Dmitry Safonov
X-Patchwork-Id: 91776
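Review bot: the !CONFIG_IPV6 stub of tcp_v6_md5_hash_skb() in include/net/tcp.h returns -EPROTONOSUPPORT, and its only caller, tcp_inbound_md5_hash(), treats that like any other hash failure (`if (genhash || memcmp(hash_location, newhash, 16) != 0)`), so it would be counted as LINUX_MIB_TCPMD5FAILURE. That branch is unreachable without IPv6 (family can only be AF_INET then), so a one-line comment on the stub saying so, or a WARN_ON_ONCE in the caller, would make the intent clear instead of leaving a silently miscounted path.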
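Review bot: dropping `tp` from tcp_inbound_md5_hash() (net/ipv4/tcp.c, hunk @@ -4570,7 +4570,6) removes the one tcp_sk() dereference, but the remaining sk uses in that function, tcp_md5_do_lookup(sk, ...) in particular, still assume a full or request socket until patch 3 teaches tcp_md5_do_lookup() about TCP_TIME_WAIT. The message says "Next commit uses tcp_inbound_md5_hash() to verify segments on twsk"; either state explicitly that this patch alone must not be called with a twsk, or move the tcp_md5_do_lookup() change into this patch so each step is self-contained and bisectable. The history argument (pre-7bbb765b7349 the per-family callers used tcp_v{4,6}_md5_hash_skb() directly) is a fine justification for the callback swap itself.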
From: Dmitry Safonov
To: linux-kernel@vger.kernel.org, David Ahern, Eric Dumazet, Paolo Abeni, Jakub Kicinski, "David S. Miller"
Cc: Dmitry Safonov, Dmitry Safonov <0x7f454c46@gmail.com>, Hideaki YOSHIFUJI, Leonard Crestez, Salam Noureddine, netdev@vger.kernel.org
Subject: [RFC 3/5] net/tcp-md5: Verify inbound segments on twsk
Date: Tue, 9 May 2023 23:16:06 +0100
Message-Id: <20230509221608.2569333-4-dima@arista.com>
In-Reply-To: <20230509221608.2569333-1-dima@arista.com>
References: <20230509221608.2569333-1-dima@arista.com>
X-Mailing-List: linux-kernel@vger.kernel.org

It seems rare for BGP to have a twsk socket and quite unlikely on the
server side; in addition, I don't see any major concern of destroying
twsk early by unsigned segments. But on the other hand, it seems better
not to change TCP state by unsigned inbound segments, and fixing this
seems not hard. So, let's avoid replying or doing any TCP state changes
as long as the segments weren't verified.

Signed-off-by: Dmitry Safonov
---
 include/net/tcp.h   |  7 ++++---
 net/ipv4/tcp_ipv4.c |  9 +++++++--
 net/ipv6/tcp_ipv6.c | 10 ++++++++--
 3 files changed, 19 insertions(+), 7 deletions(-)

diff --git a/include/net/tcp.h b/include/net/tcp.h
index e127fc685ca6..db13dc7558f4 100644
--- a/include/net/tcp.h
+++ b/include/net/tcp.h
@@ -1705,12 +1705,16 @@ extern struct static_key_false_deferred tcp_md5_needed; struct tcp_md5sig_key *__tcp_md5_do_lookup(const struct sock *sk, int l3index, const union tcp_md5_addr *addr, int family); + +#define tcp_twsk_md5_key(twsk) ((twsk)->tw_md5_key) static inline struct tcp_md5sig_key * tcp_md5_do_lookup(const struct sock *sk, int l3index, const union tcp_md5_addr *addr, int family) { if (!static_branch_unlikely(&tcp_md5_needed.key)) return NULL; + if (unlikely(sk->sk_state == TCP_TIME_WAIT)) + return tcp_twsk_md5_key(tcp_twsk(sk)); return __tcp_md5_do_lookup(sk, l3index, addr, family); } @@ -1718,9 +1722,6 @@ enum skb_drop_reason tcp_inbound_md5_hash(const struct sock *sk, const struct sk_buff *skb, const void *saddr, const void *daddr, int family, int dif, int sdif); - - -#define tcp_twsk_md5_key(twsk) ((twsk)->tw_md5_key) #else static inline struct tcp_md5sig_key * tcp_md5_do_lookup(const struct sock *sk, int l3index, diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c index b1056a4af60f..f5b870943dcb 100644 --- a/net/ipv4/tcp_ipv4.c +++ b/net/ipv4/tcp_ipv4.c @@ -676,7 +676,7 @@ static bool tcp_v4_md5_sign_reset(struct net *net, const struct sock *sk, return !!hash_location; rcu_read_lock(); - if (sk && sk_fullsock(sk)) { + if (sk && sk->sk_state != TCP_NEW_SYN_RECV) { const union tcp_md5_addr *addr; int l3index; @@ -2195,8 +2195,13 @@ int tcp_v4_rcv(struct sk_buff *skb) goto discard_it; do_time_wait: - if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb)) { + if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb)) drop_reason = SKB_DROP_REASON_XFRM_POLICY; + else + drop_reason = tcp_inbound_md5_hash(sk, skb, + &iph->saddr, &iph->daddr, + AF_INET, dif, sdif); + if (drop_reason) { inet_twsk_put(inet_twsk(sk)); goto discard_it; } diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c index 574398a89970..3756a43367a3 100644 --- a/net/ipv6/tcp_ipv6.c +++ b/net/ipv6/tcp_ipv6.c 
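Review bot: in the first include/net/tcp.h hunk, the new `if (unlikely(sk->sk_state == TCP_TIME_WAIT)) return tcp_twsk_md5_key(tcp_twsk(sk));` short-circuit ignores the `l3index`, `addr` and `family` arguments entirely; that is only correct because a timewait socket carries the single key of the connection it was created from, and a one-line comment saying so would stop a later reader from trying to add address matching here. Before this change `tcp_md5_do_lookup()` could not be called with a timewait socket at all (the fallback `__tcp_md5_do_lookup()` reads full-socket MD5 state), so the commit message should name the callers that now reach this branch, in particular the two `do_time_wait:` call sites of `tcp_inbound_md5_hash()` added later in the same patch, since the two hunks only work together and must not be split across commits. Moving `#define tcp_twsk_md5_key()` above the inline, as the hunk does, is required for the macro to be visible there and deserves a sentence too.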
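Review bot: in the `do_time_wait:` hunk of net/ipv4/tcp_ipv4.c the ordering is the whole point and should be stated in a comment: `tcp_inbound_md5_hash()` now runs at the head of the timewait path, so a segment without the expected signature (or with a signature the host does not expect) is dropped before any timewait state processing can react to it, which is exactly the "no reply, no state change on unverified segments" the commit message asks for. Because the result is stored in `drop_reason` and the existing `goto discard_it` is reused, the rejection is reported with a TCP-MD5 drop reason rather than a bare discard, so these drops stay visible to anyone tracing discards. One nit against the IPv6 twin of this hunk: that one adds a blank line before `+ if (drop_reason) {` while this one does not; make the two consistent.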
@@ -987,7 +987,7 @@ static int tcp_v6_md5_lookup_reset_key(struct net *net, const struct sock *sk, if (!static_branch_unlikely(&tcp_md5_needed.key)) return !!hash_location; - if (sk && sk_fullsock(sk)) { + if (sk && sk->sk_state != TCP_NEW_SYN_RECV) { /* sdif set, means packet ingressed via a device * in an L3 domain and inet_iif is set to it. */ 
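Review bot: the replacement condition `if (sk && sk->sk_state != TCP_NEW_SYN_RECV)` is written as an exclusion, so a reader of `tcp_v6_md5_lookup_reset_key()` on its own cannot tell why a TCP_TIME_WAIT socket is now allowed into the branch that looks the key up on the socket, nor that this depends on the include/net/tcp.h change in this same patch teaching `tcp_md5_do_lookup()` about timewait sockets. Suggest a short comment on the new line along the lines of "full socket or twsk: the key lives on the socket; request sockets and socket-less resets search the listener below", and a sentence in the commit message that a timewait socket no longer takes the `hash_location`-driven path, so the reset code now relies on the segment having been verified on the `do_time_wait:` path before it gets here. The same applies to the identical `tcp_v4_md5_sign_reset()` hunk.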
@@ -1795,8 +1795,14 @@ INDIRECT_CALLABLE_SCOPE int tcp_v6_rcv(struct sk_buff *skb) goto discard_it; do_time_wait: - if (!xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb)) { + if (!xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb)) drop_reason = SKB_DROP_REASON_XFRM_POLICY; + else + drop_reason = tcp_inbound_md5_hash(sk, skb, + &hdr->saddr, &hdr->daddr, + AF_INET6, dif, sdif); + + if (drop_reason) { inet_twsk_put(inet_twsk(sk)); goto discard_it; }

From patchwork Tue May 9 22:16:07 2023
From: Dmitry Safonov
To: linux-kernel@vger.kernel.org, David Ahern, Eric Dumazet, Paolo Abeni, Jakub Kicinski, "David S. Miller"
Cc: Dmitry Safonov, Dmitry Safonov <0x7f454c46@gmail.com>, Hideaki YOSHIFUJI, Leonard Crestez, Salam Noureddine, netdev@vger.kernel.org
Subject: [RFC 4/5] net/tcp-md5: Don't send RST if key (dis)appeared
Date: Tue, 9 May 2023 23:16:07 +0100
Message-Id: <20230509221608.2569333-5-dima@arista.com>
In-Reply-To: <20230509221608.2569333-1-dima@arista.com>
References: <20230509221608.2569333-1-dima@arista.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Seems cheap at this place as both key and hash_location were looked up
until now.

Signed-off-by: Dmitry Safonov
---
 net/ipv4/tcp_ipv4.c | 10 ++++++++++
 net/ipv6/tcp_ipv6.c |  8 ++++++++
 2 files changed, 18 insertions(+)

diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index f5b870943dcb..d94cd5e70d58 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -686,6 +686,16 @@ static bool tcp_v4_md5_sign_reset(struct net *net, const struct sock *sk, l3index = tcp_v4_sdif(skb) ? inet_iif(skb) : 0; addr = (union tcp_md5_addr *)&ip_hdr(skb)->saddr; key = tcp_md5_do_lookup(sk, l3index, addr, AF_INET); + /* This segment should have been already verified by + * tcp_inbound_md5_hash(). But that might raced with userspace + * adding or deleting keys. So, follow the logic of + * tcp_inbound_md5_hash() and avoid replying with TCP-MD5 sign + * on non-signed segments and vice-versa. + */ + if (unlikely(!!key != !!hash_location)) { + rcu_read_unlock(); + return true; + } } else if (hash_location) { const union tcp_md5_addr *addr; int sdif = tcp_v4_sdif(skb); diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c index 3756a43367a3..498dfa194b8b 100644 --- a/net/ipv6/tcp_ipv6.c +++ b/net/ipv6/tcp_ipv6.c 
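Review bot: the new comment in this hunk has a grammar slip ("that might raced" should read "that might have raced") and, more importantly, the early `return true` on `!!key != !!hash_location` leaves no trace: the comment says it follows the logic of `tcp_inbound_md5_hash()`, but that function bumps `LINUX_MIB_TCPMD5NOTFOUND` / `LINUX_MIB_TCPMD5UNEXPECTED` for exactly these two mismatches, whereas here a key that appeared or vanished under a reset is silently swallowed and nobody watching `nstat` will see the suppressed RST. Suggest bumping the matching counter before the `rcu_read_unlock();`. The return convention also deserves a word in the comment: a function named `tcp_v4_md5_sign_reset()` returning `true` reads as "sign it", while here `true` evidently means "do not send the reset"; the IPv6 twin returns `-ENOKEY`, which is clearer, so consider aligning the two.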
@@ -993,6 +993,14 @@ static int tcp_v6_md5_lookup_reset_key(struct net *net, const struct sock *sk, */ l3index = tcp_v6_sdif(skb) ? tcp_v6_iif_l3_slave(skb) : 0; *key = tcp_v6_md5_do_lookup(sk, &ipv6h->saddr, l3index); + /* This segment should have been already verified by + * tcp_inbound_md5_hash(). But that might raced with userspace + * adding or deleting keys. So, follow the logic of + * tcp_inbound_md5_hash() and avoid replying with TCP-MD5 sign + * on non-signed segments and vice-versa. + */ + if (unlikely(!!*key != !!hash_location)) + return -ENOKEY; } else if (hash_location) { int dif = tcp_v6_iif_l3_slave(skb); int sdif = tcp_v6_sdif(skb);

From patchwork Tue May 9 22:16:08 2023
From: Dmitry Safonov
To: linux-kernel@vger.kernel.org, David Ahern, Eric Dumazet, Paolo Abeni, Jakub Kicinski, "David S. Miller"
Cc: Dmitry Safonov, Dmitry Safonov <0x7f454c46@gmail.com>, Hideaki YOSHIFUJI, Leonard Crestez, Salam Noureddine, netdev@vger.kernel.org
Subject: [RFC 5/5] net/tcp-md5: Don't send ACK if key (dis)appears
Date: Tue, 9 May 2023 23:16:08 +0100
Message-Id: <20230509221608.2569333-6-dima@arista.com>
In-Reply-To: <20230509221608.2569333-1-dima@arista.com>
References: <20230509221608.2569333-1-dima@arista.com>
X-Mailing-List: linux-kernel@vger.kernel.org

To mirror RST paranoid checks and tcp_inbound_md5_hash().

Signed-off-by: Dmitry Safonov
---
 net/ipv4/tcp_ipv4.c | 2 ++
 net/ipv6/tcp_ipv6.c | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index d94cd5e70d58..0c8893240f70 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -918,6 +918,8 @@ static void tcp_v4_send_ack(const struct sock *sk, rep.th.window = htons(win); #ifdef CONFIG_TCP_MD5SIG + if (unlikely(!!key != !!tcp_parse_md5sig_option(th))) + return; if (key) { int offset = (tsecr) ? 3 : 0;
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index 498dfa194b8b..4131ada9fabf 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
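Review bot: the `if (unlikely(!!key != !!tcp_parse_md5sig_option(th))) return;` added to `tcp_v4_send_ack()` carries no comment, unlike the equivalent check in the reset path from 4/5, and the commit message ("To mirror RST paranoid checks") offers no rationale of its own; please copy the 4/5 comment over so that someone reading this function alone learns the ACK is deliberately withheld when a key was added or removed between the inbound verification and the reply, and say so in the commit message as well. As with the reset check, the bare `return` bumps no MIB counter, so a withheld ACK is invisible to `nstat`; the `LINUX_MIB_TCPMD5NOTFOUND` / `LINUX_MIB_TCPMD5UNEXPECTED` counters used by `tcp_inbound_md5_hash()` would fit here too. Placing the check before any of the MD5 option space is reserved is the right spot, since nothing has been built into the reply yet.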
@@ -863,6 +863,8 @@ static void tcp_v6_send_response(const struct sock *sk, struct sk_buff *skb, u32 if (tsecr) tot_len += TCPOLEN_TSTAMP_ALIGNED; #ifdef CONFIG_TCP_MD5SIG + if (!rst && unlikely(!!key != !!tcp_parse_md5sig_option(th))) + return; if (key) tot_len += TCPOLEN_MD5SIG_ALIGNED; #endif
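Review bot: the `!rst &&` guard is the one place where the IPv6 half of this patch differs from the IPv4 half, and it is not explained in the hunk or the commit message: `tcp_v6_send_response()` serves both resets and ACKs, and for resets the equivalent `!!*key != !!hash_location` test already lives in `tcp_v6_md5_lookup_reset_key()` (4/5), so the guard avoids a second check rather than weakening the reset path. A one-line comment stating exactly that would keep the next reader from "fixing" the asymmetry with IPv4, where `tcp_v4_send_ack()` and the reset function are separate and no such guard is needed. The early `return` happens before `tot_len` is finalised and before anything is allocated, so it leaks nothing; but, as in the IPv4 hunk, no counter records the withheld ACK.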