From patchwork Mon Dec 18 21:51:09 2017
X-Patchwork-Submitter: Christoph Paasch
X-Patchwork-Id: 850426
X-Patchwork-Delegate: davem@davemloft.net
From: Christoph Paasch
To: netdev@vger.kernel.org
Cc: Eric Dumazet, Mat Martineau, Alexei Starovoitov
Subject: [RFC 14/14] tcp_md5: Use TCP extra-options on the input path
Date: Mon, 18 Dec 2017 13:51:09 -0800
Message-id: <20171218215109.38700-15-cpaasch@apple.com>
X-Mailer: git-send-email 2.15.0
In-reply-to: <20171218215109.38700-1-cpaasch@apple.com>
References: <20171218215109.38700-1-cpaasch@apple.com>
Sender:
netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org The checks are now being done through the extra-option framework. For TCP MD5 this means that the check happens a bit later than usual. Signed-off-by: Christoph Paasch Reviewed-by: Mat Martineau --- include/linux/tcp_md5.h | 23 +---------------------- net/ipv4/tcp_input.c | 8 -------- net/ipv4/tcp_ipv4.c | 9 --------- net/ipv4/tcp_md5.c | 29 ++++++++++++++++++++++++----- net/ipv6/tcp_ipv6.c | 9 --------- 5 files changed, 25 insertions(+), 53 deletions(-) diff --git a/include/linux/tcp_md5.h b/include/linux/tcp_md5.h index 509fc36335e7..bef277f55b36 100644 --- a/include/linux/tcp_md5.h +++ b/include/linux/tcp_md5.h @@ -31,30 +31,9 @@ struct tcp_md5sig_key { int tcp_md5_parse_keys(struct sock *sk, int optname, char __user *optval, int optlen); -bool tcp_v4_inbound_md5_hash(const struct sock *sk, - const struct sk_buff *skb); - -bool tcp_v6_inbound_md5_hash(const struct sock *sk, - const struct sk_buff *skb); - int tcp_md5_diag_get_aux(struct sock *sk, bool net_admin, struct sk_buff *skb); int tcp_md5_diag_get_aux_size(struct sock *sk, bool net_admin); -#else - -static inline bool tcp_v4_inbound_md5_hash(const struct sock *sk, - const struct sk_buff *skb) -{ - return false; -} - -static inline bool tcp_v6_inbound_md5_hash(const struct sock *sk, - const struct sk_buff *skb) -{ - return false; -} - -#endif - +#endif /* CONFIG_TCP_MD5SIG */ #endif /* _LINUX_TCP_MD5_H */ diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c index db54bdbdee51..e4de06e28a85 100644 --- a/net/ipv4/tcp_input.c +++ b/net/ipv4/tcp_input.c @@ -3754,14 +3754,6 @@ void tcp_parse_options(const struct net *net, TCP_SKB_CB(skb)->sacked = (ptr - 2) - (unsigned char *)th; } break; -#ifdef CONFIG_TCP_MD5SIG - case TCPOPT_MD5SIG: - /* - * The MD5 Hash has already been - * checked (see tcp_v{4,6}_do_rcv()). - */ - break; -#endif case TCPOPT_FASTOPEN: tcp_parse_fastopen_option( opsize - TCPOLEN_FASTOPEN_BASE, 
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c index 670d7751f814..707ad1a343ba 100644 --- a/net/ipv4/tcp_ipv4.c +++ b/net/ipv4/tcp_ipv4.c @@ -62,7 +62,6 @@ #include #include #include -#include #include #include @@ -1249,11 +1248,6 @@ int tcp_v4_rcv(struct sk_buff *skb) struct sock *nsk; sk = req->rsk_listener; - if (unlikely(tcp_v4_inbound_md5_hash(sk, skb))) { - sk_drops_add(sk, skb); - reqsk_put(req); - goto discard_it; - } if (unlikely(sk->sk_state != TCP_LISTEN)) { inet_csk_reqsk_queue_drop_and_put(sk, req); goto lookup; @@ -1293,9 +1287,6 @@ int tcp_v4_rcv(struct sk_buff *skb) if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb)) goto discard_and_relse; - if (tcp_v4_inbound_md5_hash(sk, skb)) - goto discard_and_relse; - nf_reset(skb); if (tcp_filter(sk, skb)) diff --git a/net/ipv4/tcp_md5.c b/net/ipv4/tcp_md5.c index 052f5a587783..723320d0741a 100644 --- a/net/ipv4/tcp_md5.c +++ b/net/ipv4/tcp_md5.c @@ -29,6 +29,10 @@ static DEFINE_PER_CPU(struct tcp_md5sig_pool, tcp_md5sig_pool); static DEFINE_MUTEX(tcp_md5sig_mutex); static bool tcp_md5sig_pool_populated; +static bool tcp_inbound_md5_hash(struct sock *sk, const struct sk_buff *skb, + struct tcp_options_received *opt_rx, + struct tcp_extopt_store *store); + static unsigned int tcp_md5_extopt_prepare(struct sk_buff *skb, u8 flags, unsigned int remaining, struct tcp_out_options *opts, @@ -76,6 +80,7 @@ struct tcp_md5_extopt { static const struct tcp_extopt_ops tcp_md5_extra_ops = { .option_kind = TCPOPT_MD5SIG, + .check = tcp_inbound_md5_hash, .prepare = tcp_md5_extopt_prepare, .write = tcp_md5_extopt_write, .response_prepare = tcp_md5_send_response_prepare, 
@@ -863,8 +868,8 @@ static struct tcp_md5sig_key *tcp_v4_md5_lookup(const struct sock *sk, } /* Called with rcu_read_lock() */ -bool tcp_v4_inbound_md5_hash(const struct sock *sk, - const struct sk_buff *skb) +static bool tcp_v4_inbound_md5_hash(const struct sock *sk, + const struct sk_buff *skb) { /* This gets called for each TCP segment that arrives * so we want to be efficient. @@ -918,8 +923,8 @@ bool tcp_v4_inbound_md5_hash(const struct sock *sk, } #if IS_ENABLED(CONFIG_IPV6) -bool tcp_v6_inbound_md5_hash(const struct sock *sk, - const struct sk_buff *skb) +static bool tcp_v6_inbound_md5_hash(const struct sock *sk, + const struct sk_buff *skb) { const __u8 *hash_location = NULL; struct tcp_md5sig_key *hash_expected; @@ -961,7 +966,6 @@ bool tcp_v6_inbound_md5_hash(const struct sock *sk, return false; } -EXPORT_SYMBOL_GPL(tcp_v6_inbound_md5_hash); static struct tcp_md5sig_key *tcp_v6_md5_lookup(const struct sock *sk, const struct sock *addr_sk) @@ -971,6 +975,21 @@ static struct tcp_md5sig_key *tcp_v6_md5_lookup(const struct sock *sk, EXPORT_SYMBOL_GPL(tcp_v6_md5_lookup); #endif +static bool tcp_inbound_md5_hash(struct sock *sk, const struct sk_buff *skb, + struct tcp_options_received *opt_rx, + struct tcp_extopt_store *store) +{ + if (skb->protocol == htons(ETH_P_IP)) { + return tcp_v4_inbound_md5_hash(sk, skb); +#if IS_ENABLED(CONFIG_IPV6) + } else { + return tcp_v6_inbound_md5_hash(sk, skb); +#endif + } + + return false; +} + static void tcp_diag_md5sig_fill(struct tcp_diag_md5sig *info, const struct tcp_md5sig_key *key) { diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c index 890616fc5591..f5dc730d3abc 100644 --- a/net/ipv6/tcp_ipv6.c +++ b/net/ipv6/tcp_ipv6.c @@ -43,7 +43,6 @@ #include #include #include -#include #include #include 
@@ -1173,11 +1172,6 @@ static int tcp_v6_rcv(struct sk_buff *skb) struct sock *nsk; sk = req->rsk_listener; - if (tcp_v6_inbound_md5_hash(sk, skb)) { - sk_drops_add(sk, skb); - reqsk_put(req); - goto discard_it; - } if (unlikely(sk->sk_state != TCP_LISTEN)) { inet_csk_reqsk_queue_drop_and_put(sk, req); goto lookup; @@ -1214,9 +1208,6 @@ static int tcp_v6_rcv(struct sk_buff *skb) if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb)) goto discard_and_relse; - if (tcp_v6_inbound_md5_hash(sk, skb)) - goto discard_and_relse; - if (tcp_filter(sk, skb)) goto discard_and_relse; th = (const struct tcphdr *)skb->data;
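Review bot: in the tcp_v4_rcv() and tcp_v6_rcv() hunks, the removed request-socket branch did `sk_drops_add(sk, skb); reqsk_put(req); goto discard_it;` and the removed established-socket check sat immediately before `tcp_filter(sk, skb)`, so the commit message's "a bit later than usual" should say precisely where the .check callback now runs relative to tcp_filter() and the `sk->sk_state != TCP_LISTEN` test, and confirm that a segment failing the MD5 check in the request-socket path still gets the same drop accounting and reqsk_put(). Since a segment now reaches tcp_filter() before its signature has been verified, it is worth stating explicitly that this ordering is intended.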
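Review bot: in the new tcp_inbound_md5_hash() in tcp_md5.c, wrapping only the `} else {` line in `#if IS_ENABLED(CONFIG_IPV6)` splits one if/else across a preprocessor conditional, which is hard to read and easy to break on the next edit; two independent tests read more clearly: `if (skb->protocol == htons(ETH_P_IP)) return tcp_v4_inbound_md5_hash(sk, skb);` followed by an `#if IS_ENABLED(CONFIG_IPV6)` block that tests `htons(ETH_P_IPV6)`, keeping the trailing `return false;` as the fall-through. A comment on what the return value means would also help (the callers removed in this patch treated true as "discard"), together with whether returning false, i.e. accept, is the intended outcome for a protocol that matches neither branch. The opt_rx and store parameters are unused here; a short note that they are required by the tcp_extopt_ops .check signature saves the next reader a lookup.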
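Review bot: the tcp_parse_options() hunk drops the `case TCPOPT_MD5SIG:` whose comment said the hash "has already been checked (see tcp_v{4,6}_do_rcv())"; with that case gone, the option kind now falls to whatever the switch does for unrecognised options, so the commit message should state that the extra-option framework (whose ops table in tcp_md5.c registers `.option_kind = TCPOPT_MD5SIG`) is what consumes the option before or instead of this switch, otherwise the option would be silently skipped here while still being verified by .check.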
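Review bot: in the tcp_md5.h hunk, removing the `#else` stubs for tcp_v{4,6}_inbound_md5_hash() is consistent with making both functions `static` and dropping `EXPORT_SYMBOL_GPL(tcp_v6_inbound_md5_hash);` in tcp_md5.c, since the two rcv paths edited in this patch were their only callers; the added `+#endif /* CONFIG_TCP_MD5SIG */` comment is a good touch. One style point: the forward declaration of the static tcp_inbound_md5_hash() above tcp_md5_extra_ops exists only because the ops table precedes the function; defining the dispatcher above the table would avoid the declaration.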