From patchwork Thu Feb 1 00:07:16 2018
X-Patchwork-Submitter: Christoph Paasch
X-Patchwork-Id: 868102
X-Patchwork-Delegate: davem@davemloft.net
From: Christoph Paasch
To: netdev@vger.kernel.org
Cc: Eric Dumazet , Mat Martineau , Ivan Delalande
Subject: [RFC v2 14/14] tcp_md5: Use TCP extra-options on the input path
Date: Wed, 31 Jan 2018 16:07:16 -0800
Message-id: <20180201000716.69301-15-cpaasch@apple.com>
X-Mailer: git-send-email 2.16.1
In-reply-to: <20180201000716.69301-1-cpaasch@apple.com>
References: <20180201000716.69301-1-cpaasch@apple.com>
Sender:
netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org The checks are now being done through the extra-option framework. For TCP MD5 this means that the check happens a bit later than usual. Cc: Ivan Delalande Signed-off-by: Christoph Paasch Reviewed-by: Mat Martineau --- include/linux/tcp_md5.h | 23 +---------------------- net/ipv4/tcp_input.c | 8 -------- net/ipv4/tcp_ipv4.c | 9 --------- net/ipv4/tcp_md5.c | 29 ++++++++++++++++++++++++----- net/ipv6/tcp_ipv6.c | 9 --------- 5 files changed, 25 insertions(+), 53 deletions(-) diff --git a/include/linux/tcp_md5.h b/include/linux/tcp_md5.h index 441be65ec893..fe84c706299c 100644 --- a/include/linux/tcp_md5.h +++ b/include/linux/tcp_md5.h @@ -32,30 +32,9 @@ struct tcp_md5sig_key { int tcp_md5_parse_keys(struct sock *sk, int optname, char __user *optval, int optlen); -bool tcp_v4_inbound_md5_hash(const struct sock *sk, - const struct sk_buff *skb); - -bool tcp_v6_inbound_md5_hash(const struct sock *sk, - const struct sk_buff *skb); - int tcp_md5_diag_get_aux(struct sock *sk, bool net_admin, struct sk_buff *skb); int tcp_md5_diag_get_aux_size(struct sock *sk, bool net_admin); -#else - -static inline bool tcp_v4_inbound_md5_hash(const struct sock *sk, - const struct sk_buff *skb) -{ - return false; -} - -static inline bool tcp_v6_inbound_md5_hash(const struct sock *sk, - const struct sk_buff *skb) -{ - return false; -} - -#endif - +#endif /* CONFIG_TCP_MD5SIG */ #endif /* _LINUX_TCP_MD5_H */ diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c index 1ac1d8d431ad..56cdc3093d6a 100644 --- a/net/ipv4/tcp_input.c +++ b/net/ipv4/tcp_input.c 
@@ -3774,14 +3774,6 @@ void tcp_parse_options(const struct net *net, TCP_SKB_CB(skb)->sacked = (ptr - 2) - (unsigned char *)th; } break; -#ifdef CONFIG_TCP_MD5SIG - case TCPOPT_MD5SIG: - /* - * The MD5 Hash has already been - * checked (see tcp_v{4,6}_do_rcv()). - */ - break; -#endif case TCPOPT_FASTOPEN: tcp_parse_fastopen_option( opsize - TCPOLEN_FASTOPEN_BASE, diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c index 6a839c1280b3..c5405bd62322 100644 --- a/net/ipv4/tcp_ipv4.c +++ b/net/ipv4/tcp_ipv4.c @@ -62,7 +62,6 @@ #include #include #include -#include #include #include @@ -1249,11 +1248,6 @@ int tcp_v4_rcv(struct sk_buff *skb) struct sock *nsk; sk = req->rsk_listener; - if (unlikely(tcp_v4_inbound_md5_hash(sk, skb))) { - sk_drops_add(sk, skb); - reqsk_put(req); - goto discard_it; - } if (unlikely(sk->sk_state != TCP_LISTEN)) { inet_csk_reqsk_queue_drop_and_put(sk, req); goto lookup; @@ -1293,9 +1287,6 @@ int tcp_v4_rcv(struct sk_buff *skb) if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb)) goto discard_and_relse; - if (tcp_v4_inbound_md5_hash(sk, skb)) - goto discard_and_relse; - nf_reset(skb); if (tcp_filter(sk, skb)) diff --git a/net/ipv4/tcp_md5.c b/net/ipv4/tcp_md5.c index e05db5af06ee..ad41b9fd6f88 100644 --- a/net/ipv4/tcp_md5.c +++ b/net/ipv4/tcp_md5.c @@ -30,6 +30,10 @@ static DEFINE_PER_CPU(struct tcp_md5sig_pool, tcp_md5sig_pool); static DEFINE_MUTEX(tcp_md5sig_mutex); static bool tcp_md5sig_pool_populated; +static bool tcp_inbound_md5_hash(struct sock *sk, const struct sk_buff *skb, + struct tcp_options_received *opt_rx, + struct tcp_extopt_store *store); + static unsigned int tcp_md5_extopt_prepare(struct sk_buff *skb, u8 flags, unsigned int remaining, struct tcp_out_options *opts, 
@@ -77,6 +81,7 @@ struct tcp_md5_extopt { static const struct tcp_extopt_ops tcp_md5_extra_ops = { .option_kind = TCPOPT_MD5SIG, + .check = tcp_inbound_md5_hash, .prepare = tcp_md5_extopt_prepare, .write = tcp_md5_extopt_write, .response_prepare = tcp_md5_send_response_prepare, @@ -863,8 +868,8 @@ static struct tcp_md5sig_key *tcp_v4_md5_lookup(const struct sock *sk, } /* Called with rcu_read_lock() */ -bool tcp_v4_inbound_md5_hash(const struct sock *sk, - const struct sk_buff *skb) +static bool tcp_v4_inbound_md5_hash(const struct sock *sk, + const struct sk_buff *skb) { /* This gets called for each TCP segment that arrives * so we want to be efficient. @@ -918,8 +923,8 @@ bool tcp_v4_inbound_md5_hash(const struct sock *sk, } #if IS_ENABLED(CONFIG_IPV6) -bool tcp_v6_inbound_md5_hash(const struct sock *sk, - const struct sk_buff *skb) +static bool tcp_v6_inbound_md5_hash(const struct sock *sk, + const struct sk_buff *skb) { const __u8 *hash_location = NULL; struct tcp_md5sig_key *hash_expected; @@ -961,7 +966,6 @@ bool tcp_v6_inbound_md5_hash(const struct sock *sk, return false; } -EXPORT_SYMBOL_GPL(tcp_v6_inbound_md5_hash); static struct tcp_md5sig_key *tcp_v6_md5_lookup(const struct sock *sk, const struct sock *addr_sk) @@ -971,6 +975,21 @@ static struct tcp_md5sig_key *tcp_v6_md5_lookup(const struct sock *sk, EXPORT_SYMBOL_GPL(tcp_v6_md5_lookup); #endif +static bool tcp_inbound_md5_hash(struct sock *sk, const struct sk_buff *skb, + struct tcp_options_received *opt_rx, + struct tcp_extopt_store *store) +{ + if (skb->protocol == htons(ETH_P_IP)) { + return tcp_v4_inbound_md5_hash(sk, skb); +#if IS_ENABLED(CONFIG_IPV6) + } else { + return tcp_v6_inbound_md5_hash(sk, skb); +#endif + } + + return false; +} + static void tcp_diag_md5sig_fill(struct tcp_diag_md5sig *info, const struct tcp_md5sig_key *key) { diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c index 8800e5d75677..ab3a77a95cff 100644 --- a/net/ipv6/tcp_ipv6.c +++ b/net/ipv6/tcp_ipv6.c 
@@ -43,7 +43,6 @@ #include #include #include -#include #include #include @@ -1172,11 +1171,6 @@ static int tcp_v6_rcv(struct sk_buff *skb) struct sock *nsk; sk = req->rsk_listener; - if (tcp_v6_inbound_md5_hash(sk, skb)) { - sk_drops_add(sk, skb); - reqsk_put(req); - goto discard_it; - } if (unlikely(sk->sk_state != TCP_LISTEN)) { inet_csk_reqsk_queue_drop_and_put(sk, req); goto lookup; @@ -1213,9 +1207,6 @@ static int tcp_v6_rcv(struct sk_buff *skb) if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb)) goto discard_and_relse; - if (tcp_v6_inbound_md5_hash(sk, skb)) - goto discard_and_relse; - if (tcp_filter(sk, skb)) goto discard_and_relse; th = (const struct tcphdr *)skb->data;
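Review bot: In the tcp_parse_options() hunk (net/ipv4/tcp_input.c), dropping the `case TCPOPT_MD5SIG:` arm also drops the only comment that said where the MD5 verification lives; now that the option is left to the extra-option parser and its `.check` callback, a one-line comment near the switch noting that TCPOPT_MD5SIG is deliberately handled by the extopt framework would stop the next reader from assuming the option is silently ignored. It is also worth confirming that every tcp_parse_options() caller that can see a signed segment (the listener's SYN path, the request-socket path and the established path) reaches the extopt check with a socket that actually owns the keys, because the removed comment `The MD5 Hash has already been checked (see tcp_v{4,6}_do_rcv())` was only true while the check sat in tcp_v{4,6}_rcv().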
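Review bot: In the TCP_NEW_SYN_RECV hunk of tcp_v4_rcv() (and its twin in tcp_v6_rcv()), the removed block did three things the replacement must still do: it verified the segment against the keys of `req->rsk_listener` (the request sock has no MD5 keys of its own), it charged the drop to the listener with `sk_drops_add(sk, skb)`, and it released the request with `reqsk_put(req)` before `goto discard_it`. The `.check` callback only sees whatever sock tcp_parse_options() is invoked with, so please state in the commit message which sock that is on the request path and whether a segment with a missing or wrong signature still shows up in the listener's sk_drops; "a bit later than usual" does not tell a reviewer what such a segment can now reach before it is dropped.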
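Review bot: In the hunks that remove `if (tcp_v4_inbound_md5_hash(sk, skb)) goto discard_and_relse;` and its IPv6 counterpart, the ordering change is security relevant and should be spelled out rather than summarised as "a bit later": the signature used to be checked immediately after xfrm{4,6}_policy_check() and before tcp_filter(), so a segment with a missing or bad MD5 option never reached the socket filter or the per-state receive code. After this patch the same segment is run through tcp_filter() and onward until the extopt `.check` hook fires. That is acceptable only if the hook still runs before any connection state is touched, for every socket state on which the old call sites ran; a sentence in the commit message naming the exact call site of `.check` on the input path would let reviewers verify that without reading the whole series.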
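Review bot: The forward declaration added at the top of net/ipv4/tcp_md5.c exists only because the definition of tcp_inbound_md5_hash() is placed at the bottom of the file, after `tcp_md5_extra_ops`; defining the dispatcher directly above the ops table would let the prototype go. It also takes `struct sock *sk` while tcp_v4_inbound_md5_hash() and tcp_v6_inbound_md5_hash() take `const struct sock *`; if the `.check` op's prototype allows it, make `sk` const here too so the dispatcher does not look like it may modify the socket.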
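Review bot: In the new tcp_inbound_md5_hash() the `#if IS_ENABLED(CONFIG_IPV6)` wraps the `} else {` together with its body, so with IPv6 disabled the function collapses to `if (skb->protocol == htons(ETH_P_IP)) { return tcp_v4_inbound_md5_hash(sk, skb); } return false;`, and any skb whose protocol is not ETH_P_IP is accepted (false means "do not drop"). That is a fail-open default for an authentication check; either make the fall-through `return true;` so anything the code cannot verify is dropped, or dispatch on `sk->sk_family` and `WARN_ON_ONCE()` on the unexpected case. Style-wise, keeping the brace structure outside the preprocessor conditional (an unconditional `else` whose body is `#if IS_ENABLED(CONFIG_IPV6) return tcp_v6_inbound_md5_hash(sk, skb); #endif`) avoids the `{`/`}` pair being split across `#if`/`#endif`. Finally, nothing in this hunk documents that a true return from `.check` means "drop the segment"; a short comment on the function would help every future extopt author.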