From patchwork Fri Dec 14 22:40:03 2018
X-Patchwork-Submitter: Christoph Paasch
X-Patchwork-Id: 1013752
X-Patchwork-Delegate: davem@davemloft.net
From: Christoph Paasch
To: netdev@vger.kernel.org
Cc: Eric Dumazet, Yuchung Cheng, David Miller
Subject: [PATCH net-next 1/5] tcp: Create list of TFO-contexts
Date: Fri, 14 Dec 2018 14:40:03 -0800
Message-id: <20181214224007.54813-2-cpaasch@apple.com>
In-reply-to: <20181214224007.54813-1-cpaasch@apple.com>
References: <20181214224007.54813-1-cpaasch@apple.com>

Instead of having a single TFO-context, we now have a list of tcp_fastopen_context, bounded by TCP_FASTOPEN_CTXT_LEN (set to 2).

This enables us to do a rolling TFO-key update that allows the server to accept old cookies and at the same time announce new ones to the client (see follow-up patch).

Signed-off-by: Christoph Paasch
---
 include/net/tcp.h       |  2 ++
 net/ipv4/tcp_fastopen.c | 52 +++++++++++++++++++++++++++++++++++++++++++++----
 2 files changed, 50 insertions(+), 4 deletions(-)

diff --git a/include/net/tcp.h b/include/net/tcp.h index e0a65c067662..e629ea2e6c9d 100644 --- a/include/net/tcp.h +++ b/include/net/tcp.h @@ -1622,9 +1622,11 @@ bool tcp_fastopen_cookie_check(struct sock *sk, u16 *mss, struct tcp_fastopen_cookie *cookie); bool tcp_fastopen_defer_connect(struct sock *sk, int *err); #define TCP_FASTOPEN_KEY_LENGTH 16 +#define TCP_FASTOPEN_CTXT_LEN 2 /* Fastopen key context */ struct tcp_fastopen_context { + struct tcp_fastopen_context __rcu *next; struct crypto_cipher *tfm; __u8 key[TCP_FASTOPEN_KEY_LENGTH]; struct rcu_head rcu; diff --git a/net/ipv4/tcp_fastopen.c b/net/ipv4/tcp_fastopen.c index 018a48477355..c52d5b8eabf0 100644 --- a/net/ipv4/tcp_fastopen.c +++ b/net/ipv4/tcp_fastopen.c
@@ -37,8 +37,14 @@ static void tcp_fastopen_ctx_free(struct rcu_head *head) { struct tcp_fastopen_context *ctx = container_of(head, struct tcp_fastopen_context, rcu); - crypto_free_cipher(ctx->tfm); - kfree(ctx); + + while (ctx) { + struct tcp_fastopen_context *prev = ctx; + /* We own ctx, thus no need to hold the Fastopen-lock */ + ctx = rcu_dereference_protected(ctx->next, 1); + crypto_free_cipher(prev->tfm); + kfree(prev); + } } void tcp_fastopen_destroy_cipher(struct sock *sk) @@ -66,6 +72,35 @@ void tcp_fastopen_ctx_destroy(struct net *net) call_rcu(&ctxt->rcu, tcp_fastopen_ctx_free); } +static struct tcp_fastopen_context * +tcp_fastopen_cut_keypool(struct tcp_fastopen_context *ctx, + spinlock_t *lock) +{ + int cnt = 0; + + while (ctx) { + /* We iterate the list to see if we have more than + * TCP_FASTOPEN_CTXT_LEN contexts. If we do, we remove the rest + * of the list and free it later + */ + + cnt++; + if (cnt >= TCP_FASTOPEN_CTXT_LEN) { + /* It's the last one, return the rest so it gets freed */ + struct tcp_fastopen_context *prev = ctx; + + ctx = rcu_dereference_protected(ctx->next, + lockdep_is_held(lock)); + rcu_assign_pointer(prev->next, NULL); + break; + } + ctx = rcu_dereference_protected(ctx->next, + lockdep_is_held(lock)); + } + + return ctx; +} + int tcp_fastopen_reset_cipher(struct net *net, struct sock *sk, void *key, unsigned int len) { 
@@ -96,13 +131,22 @@ error: kfree(ctx); spin_lock(&net->ipv4.tcp_fastopen_ctx_lock); if (sk) { q = &inet_csk(sk)->icsk_accept_queue.fastopenq; + rcu_assign_pointer(ctx->next, q->ctx); + rcu_assign_pointer(q->ctx, ctx); + octx = rcu_dereference_protected(q->ctx, lockdep_is_held(&net->ipv4.tcp_fastopen_ctx_lock)); - rcu_assign_pointer(q->ctx, ctx); + + octx = tcp_fastopen_cut_keypool(octx, &net->ipv4.tcp_fastopen_ctx_lock); } else { + rcu_assign_pointer(ctx->next, net->ipv4.tcp_fastopen_ctx); + rcu_assign_pointer(net->ipv4.tcp_fastopen_ctx, ctx); + octx = rcu_dereference_protected(net->ipv4.tcp_fastopen_ctx, lockdep_is_held(&net->ipv4.tcp_fastopen_ctx_lock)); - rcu_assign_pointer(net->ipv4.tcp_fastopen_ctx, ctx); + + octx = tcp_fastopen_cut_keypool(octx, + &net->ipv4.tcp_fastopen_ctx_lock); } spin_unlock(&net->ipv4.tcp_fastopen_ctx_lock);
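Review bot: in the include/net/tcp.h hunk, the new `next` member of struct tcp_fastopen_context and the TCP_FASTOPEN_CTXT_LEN define carry no comment; a one-liner stating that the list is newest-first, that readers walk it under RCU and that writers must hold tcp_fastopen_ctx_lock would spare readers a trip into net/ipv4/tcp_fastopen.c to learn the ownership rules.

Review bot: in the tcp_fastopen_ctx_free hunk, the callback now frees the whole chain hanging off the rcu_head it was handed, so every caller must pass either the complete old list or a tail that has already been NULL-terminated; that contract deserves a comment above the function, because a caller that queues a still-linked middle element would free nodes that RCU readers can reach through the kept part of the list.

Review bot: in the tcp_fastopen_cut_keypool hunk, the `lock` argument is used only for lockdep_is_held, so a comment should say the caller must hold it; the explanatory comment sits inside the loop body after the `while (ctx) {` line and reads better above the loop; and since cnt advances by exactly one per iteration, `if (cnt >= TCP_FASTOPEN_CTXT_LEN)` can be `==`, which makes the "keep exactly CTXT_LEN entries" intent explicit. Given that the bound is a constant 2, it is also worth asking whether an array of two keys inside a single context would do the job without list walking and the cut/free dance.

Review bot: in the tcp_fastopen_reset_cipher hunk, `rcu_assign_pointer(ctx->next, q->ctx);` reads the RCU-protected q->ctx directly, while the line just below reads the same pointer through rcu_dereference_protected(..., lockdep_is_held(&net->ipv4.tcp_fastopen_ctx_lock)); the else branch does the same with net->ipv4.tcp_fastopen_ctx. Read the old head once through rcu_dereference_protected, link the new context to it, then publish, so sparse stays quiet and the access pattern is consistent. Also, `octx` no longer holds the old context but the tail cut off the new list; renaming it (e.g. to `old_tail`) would make the free path that follows clearer. That free path lies outside the hunk, so please confirm it still hands the returned tail to call_rcu rather than freeing it synchronously, since readers may still hold pointers into it.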
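To make the rolling key update described in the commit message concrete, here is an added user-space model that is not part of the patch or the kernel. The list/cut logic follows the shape of the patch (newest key at the head, at most TFO_CTXT_LEN contexts kept, the rest detached and freed), while the cookie "cipher" is a toy mixing function standing in for the kernel's AES-based cookie and has no cryptographic strength; the keys and the client address are constructed values.

```c
/* Added example (not kernel code): user-space model of a bounded TFO key
 * pool with rolling rotation. The toy_cookie() mix is a placeholder for the
 * kernel's cipher and must not be used as a MAC. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TFO_KEY_LENGTH 16
#define TFO_CTXT_LEN   2              /* mirrors TCP_FASTOPEN_CTXT_LEN */

struct tfo_ctx {
	struct tfo_ctx *next;         /* newest key first, older keys follow */
	uint8_t key[TFO_KEY_LENGTH];
};

/* Toy keyed mix of (key, client address); stand-in only. */
static uint64_t toy_cookie(const uint8_t *key, uint32_t addr)
{
	uint64_t h = 0x9E3779B97F4A7C15ull ^ addr;
	for (int i = 0; i < TFO_KEY_LENGTH; i++) {
		h ^= key[i];
		h *= 0x100000001B3ull;
		h ^= h >> 29;
	}
	return h;
}

/* Keep the first TFO_CTXT_LEN contexts, detach and return the rest. */
static struct tfo_ctx *cut_keypool(struct tfo_ctx *ctx)
{
	int cnt = 0;
	while (ctx) {
		if (++cnt >= TFO_CTXT_LEN) {
			struct tfo_ctx *tail = ctx->next;
			ctx->next = NULL;     /* terminate the kept part */
			return tail;
		}
		ctx = ctx->next;
	}
	return NULL;
}

/* Free a NULL-terminated chain (the kernel does this from an RCU callback). */
static void free_chain(struct tfo_ctx *ctx)
{
	while (ctx) {
		struct tfo_ctx *prev = ctx;
		ctx = ctx->next;
		free(prev);
	}
}

static int pool_len(const struct tfo_ctx *head)
{
	int n = 0;
	for (; head; head = head->next)
		n++;
	return n;
}

/* Install a new key at the head; keys beyond the bound are dropped. */
static int rotate_key(struct tfo_ctx **head, const uint8_t *key)
{
	struct tfo_ctx *ctx = malloc(sizeof(*ctx));
	if (!ctx)
		return -1;
	memcpy(ctx->key, key, TFO_KEY_LENGTH);
	ctx->next = *head;            /* link first, then publish */
	*head = ctx;
	free_chain(cut_keypool(*head));
	return 0;
}

/* Cookies are minted with the newest key but accepted against any key
 * still in the pool: that is what lets old cookies survive one rotation. */
static int check_cookie(const struct tfo_ctx *head, uint32_t addr, uint64_t cookie)
{
	for (const struct tfo_ctx *c = head; c; c = c->next)
		if (toy_cookie(c->key, addr) == cookie)
			return 1;
	return 0;
}

/* Rotate A -> B -> C: a cookie issued under A survives one rotation, not two. */
static int rolling_update_demo(void)
{
	uint8_t ka[TFO_KEY_LENGTH], kb[TFO_KEY_LENGTH], kc[TFO_KEY_LENGTH];
	struct tfo_ctx *pool = NULL;
	uint32_t client = 0x0A000001u;             /* constructed: 10.0.0.1 */
	int ok = 1;

	memset(ka, 0xA1, sizeof(ka));
	memset(kb, 0xB2, sizeof(kb));
	memset(kc, 0xC3, sizeof(kc));

	rotate_key(&pool, ka);
	uint64_t old = toy_cookie(pool->key, client); /* minted under A */
	rotate_key(&pool, kb);                     /* pool: B, A */
	ok &= check_cookie(pool, client, old);     /* still accepted */
	ok &= pool_len(pool) == 2;
	rotate_key(&pool, kc);                     /* pool: C, B; A freed */
	ok &= !check_cookie(pool, client, old);    /* now rejected */
	ok &= check_cookie(pool, client, toy_cookie(pool->key, client));
	ok &= pool_len(pool) == 2;                 /* bound enforced */

	free_chain(pool);
	return ok;
}

int main(void)
{
	printf("rolling update %s\n", rolling_update_demo() ? "ok" : "FAILED");
	return 0;
}
```

The model shows the operational property the patch is after: a server can publish key B while key A is still in the pool, so clients holding A-cookies keep getting fast-open treatment until the next rotation pushes A out, at which point their cookies fall back to a normal handshake rather than a hard failure.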