From patchwork Fri Dec 14 22:40:04 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Christoph Paasch X-Patchwork-Id: 1013749 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming-netdev@ozlabs.org Delivered-To: patchwork-incoming-netdev@ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netdev-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=quarantine dis=none) header.from=apple.com Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=apple.com header.i=@apple.com header.b="ssfBkqQM"; dkim-atps=neutral Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 43Glr640fwz9s1c for ; Sat, 15 Dec 2018 09:40:38 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730020AbeLNWkg (ORCPT ); Fri, 14 Dec 2018 17:40:36 -0500 Received: from nwk-aaemail-lapp02.apple.com ([17.151.62.67]:49648 "EHLO nwk-aaemail-lapp02.apple.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729789AbeLNWkg (ORCPT ); Fri, 14 Dec 2018 17:40:36 -0500 Received: from pps.filterd (nwk-aaemail-lapp02.apple.com [127.0.0.1]) by nwk-aaemail-lapp02.apple.com (8.16.0.22/8.16.0.22) with SMTP id wBEMW15X033823; Fri, 14 Dec 2018 14:40:33 -0800 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=apple.com; h=content-transfer-encoding : sender : from : to : cc : subject : date : message-id : in-reply-to : references; s=20180706; bh=DB3btjJbYEVJoQj28S5WiwhdU9YmGcJfSdXwWvEDIKg=; b=ssfBkqQM/QOEWMGYBr0rrrJqJTetuywDWCb6FVtMOo7dZwzvGnYzVl+Wad/9/D2+2YVn MVvR1pXLLFtF0qDw7LIfvC6g5nA54RRhRzgSevTGUXe8zqt1VLoszfyQTUjqUa6eQF7g cfspFHTCuMM27i6yw8bPcYBgx+BHQwCFbuEfEpkT8GfA5v2NwmxxU74ctsPw28zSvWqD 8gAufUagwM0f8wPgzQga9jvzlUKlUvAnbpj/OY2ZXKm5UWHNGE2tfW7Um914FdOIHuJq u/JxiuQVm3UxLiO4GUq6dg3gvvq3FtxMk/yZa8ZXV+cnlm4Yg01TDiQkYnQdMNWsJTm5 cg== Received: from ma1-mtap-s02.corp.apple.com (ma1-mtap-s02.corp.apple.com [17.40.76.6]) by nwk-aaemail-lapp02.apple.com with ESMTP id 2p8bdugh91-4 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Fri, 14 Dec 2018 14:40:32 -0800 Content-transfer-encoding: 7BIT Received: from nwk-mmpp-sz09.apple.com (nwk-mmpp-sz09.apple.com [17.128.115.80]) by ma1-mtap-s02.corp.apple.com (Oracle Communications Messaging Server 8.0.2.3.20181024 64bit (built Oct 24 2018)) with ESMTPS id <0PJR00D760BJJ0J0@ma1-mtap-s02.corp.apple.com>; Fri, 14 Dec 2018 14:40:31 -0800 (PST) Received: from process_viserion-daemon.nwk-mmpp-sz09.apple.com by nwk-mmpp-sz09.apple.com (Oracle Communications Messaging Server 8.0.2.3.20181024 64bit (built Oct 24 2018)) id <0PJQ00B00Z1EGU00@nwk-mmpp-sz09.apple.com>; Fri, 14 Dec 2018 14:40:31 -0800 (PST) X-Va-A: X-Va-T-CD: 4b1e0bf36502e052fc75ad21b706ed24 X-Va-E-CD: e5adcf83639db5aa229108b86e1c1dc8 X-Va-R-CD: ec8d22edb8622147b2063e6e967f4fba X-Va-CD: 0 X-Va-ID: 5843ae77-5e92-4703-a746-17ba99708b7b X-V-A: X-V-T-CD: 5c1d590bbb3e9640019563b4ec412a7e X-V-E-CD: e5adcf83639db5aa229108b86e1c1dc8 X-V-R-CD: ec8d22edb8622147b2063e6e967f4fba X-V-CD: 0 X-V-ID: 4e9b2517-7738-4236-bc50-7e9382acefa9 Received: from process_milters-daemon.nwk-mmpp-sz09.apple.com by nwk-mmpp-sz09.apple.com (Oracle Communications Messaging Server 8.0.2.3.20181024 64bit (built Oct 24 2018)) id <0PJR00F0009AI500@nwk-mmpp-sz09.apple.com>; Fri, 14 Dec 2018 14:40:30 -0800 (PST) X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2018-12-14_13:,, signatures=0 Received: from localhost ([17.192.155.217]) by nwk-mmpp-sz09.apple.com (Oracle Communications Messaging Server 8.0.2.3.20181024 64bit (built Oct 24 2018)) with ESMTPSA id <0PJR00GB30BISV00@nwk-mmpp-sz09.apple.com>; Fri, 14 Dec 2018 14:40:30 -0800 (PST) From: Christoph Paasch To: netdev@vger.kernel.org Cc: Eric Dumazet , Yuchung Cheng , David Miller Subject: [PATCH net-next 2/5] tcp: TFO: search for correct cookie and accept data Date: Fri, 14 Dec 2018 14:40:04 -0800 Message-id: <20181214224007.54813-3-cpaasch@apple.com> X-Mailer: git-send-email 2.16.2 In-reply-to: <20181214224007.54813-1-cpaasch@apple.com> References: <20181214224007.54813-1-cpaasch@apple.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2018-12-14_13:, , signatures=0 Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org This change allows to search for the right cookie and accepts old ones (announcing a new one if it has changed). __tcp_fastopen_cookie_gen_with_ctx() allows to generate a cookie based on a given TFO-context. A later patch will cleanup the duplicate code. Signed-off-by: Christoph Paasch --- include/uapi/linux/snmp.h | 1 + net/ipv4/proc.c | 1 + net/ipv4/tcp_fastopen.c | 105 +++++++++++++++++++++++++++++++++++++++++++--- 3 files changed, 101 insertions(+), 6 deletions(-) diff --git a/include/uapi/linux/snmp.h b/include/uapi/linux/snmp.h index 86dc24a96c90..74904e9d1b72 100644 --- a/include/uapi/linux/snmp.h +++ b/include/uapi/linux/snmp.h @@ -283,6 +283,7 @@ enum LINUX_MIB_TCPACKCOMPRESSED, /* TCPAckCompressed */ LINUX_MIB_TCPZEROWINDOWDROP, /* TCPZeroWindowDrop */ LINUX_MIB_TCPRCVQDROP, /* TCPRcvQDrop */ + LINUX_MIB_TCPFASTOPENPASSIVEALTKEY, /* TCPFastOpenPassiveAltKey */ __LINUX_MIB_MAX }; diff --git a/net/ipv4/proc.c b/net/ipv4/proc.c index c3610b37bb4c..58daef27a560 100644 --- a/net/ipv4/proc.c +++ b/net/ipv4/proc.c @@ -291,6 +291,7 @@ static const struct snmp_mib snmp4_net_list[] = { SNMP_MIB_ITEM("TCPAckCompressed", LINUX_MIB_TCPACKCOMPRESSED), SNMP_MIB_ITEM("TCPZeroWindowDrop", LINUX_MIB_TCPZEROWINDOWDROP), SNMP_MIB_ITEM("TCPRcvQDrop", LINUX_MIB_TCPRCVQDROP), + SNMP_MIB_ITEM("TCPFastOpenPassiveAltKey", LINUX_MIB_TCPFASTOPENPASSIVEALTKEY), SNMP_MIB_SENTINEL }; diff --git a/net/ipv4/tcp_fastopen.c b/net/ipv4/tcp_fastopen.c index c52d5b8eabf0..e856262ef4c2 100644 --- a/net/ipv4/tcp_fastopen.c +++ b/net/ipv4/tcp_fastopen.c @@ -176,6 +176,41 @@ static bool __tcp_fastopen_cookie_gen(struct sock *sk, const void *path, return ok; } +static void __tcp_fastopen_cookie_gen_with_ctx(struct request_sock *req, + struct sk_buff *syn, + struct tcp_fastopen_cookie *foc, + struct tcp_fastopen_context *ctx) +{ + if (req->rsk_ops->family == AF_INET) { + const struct iphdr *iph = ip_hdr(syn); + __be32 path[4] = { iph->saddr, iph->daddr, 0, 0 }; + + crypto_cipher_encrypt_one(ctx->tfm, foc->val, (void *)path); + foc->len = TCP_FASTOPEN_COOKIE_SIZE; + return; + } + +#if IS_ENABLED(CONFIG_IPV6) + if (req->rsk_ops->family == AF_INET6) { + const struct ipv6hdr *ip6h = ipv6_hdr(syn); + struct tcp_fastopen_cookie tmp; + struct in6_addr *buf; + int i; + + crypto_cipher_encrypt_one(ctx->tfm, tmp.val, (void *)&ip6h->saddr); + + buf = &tmp.addr; + for (i = 0; i < 4; i++) + buf->s6_addr32[i] ^= ip6h->daddr.s6_addr32[i]; + + crypto_cipher_encrypt_one(ctx->tfm, foc->val, (void *)buf); + foc->len = TCP_FASTOPEN_COOKIE_SIZE; + + return; + } +#endif +} + /* Generate the fastopen cookie by doing aes128 encryption on both * the source and destination addresses. Pad 0s for IPv4 or IPv4-mapped-IPv6 * addresses. For the longer IPv6 addresses use CBC-MAC. @@ -256,6 +291,55 @@ void tcp_fastopen_add_skb(struct sock *sk, struct sk_buff *skb) tcp_fin(sk); } +static bool tcp_fastopen_cookie_gen_search(struct sock *sk, + struct request_sock *req, + struct sk_buff *syn, + struct tcp_fastopen_cookie *valid_foc, + struct tcp_fastopen_cookie *orig) +{ + struct tcp_fastopen_cookie search_foc = { .len = -1 }; + struct tcp_fastopen_cookie *foc = &search_foc; + struct tcp_fastopen_context *ctx; + int copied = 0; + + rcu_read_lock(); + + ctx = rcu_dereference(inet_csk(sk)->icsk_accept_queue.fastopenq.ctx); + if (!ctx) + ctx = rcu_dereference(sock_net(sk)->ipv4.tcp_fastopen_ctx); + + while (ctx) { + __tcp_fastopen_cookie_gen_with_ctx(req, syn, foc, ctx); + + if (foc->len == orig->len && + !memcmp(foc->val, orig->val, foc->len)) { + rcu_read_unlock(); + + if (copied) { + struct net *net = read_pnet(&inet_rsk(req)->ireq_net); + + NET_INC_STATS(net, + LINUX_MIB_TCPFASTOPENPASSIVEALTKEY); + } + return true; + } + + /* We need to check older possible cookies, thus set valid_foc + * so that the latest one will be announced to the peer. + */ + if (!copied) { + memcpy(valid_foc, foc, sizeof(*foc)); + copied = 1; + } + + ctx = rcu_dereference(ctx->next); + } + + rcu_read_unlock(); + + return false; +} + static struct sock *tcp_fastopen_create_child(struct sock *sk, struct sk_buff *skb, struct request_sock *req) @@ -390,11 +474,11 @@ struct sock *tcp_try_fastopen(struct sock *sk, struct sk_buff *skb, tcp_fastopen_no_cookie(sk, dst, TFO_SERVER_COOKIE_NOT_REQD)) goto fastopen; - if (foc->len >= 0 && /* Client presents or requests a cookie */ - tcp_fastopen_cookie_gen(sk, req, skb, &valid_foc) && - foc->len == TCP_FASTOPEN_COOKIE_SIZE && - foc->len == valid_foc.len && - !memcmp(foc->val, valid_foc.val, foc->len)) { + if (foc->len == 0) { + /* Client requests a cookie. */ + tcp_fastopen_cookie_gen(sk, req, skb, &valid_foc); + } else if (foc->len > 0 && + tcp_fastopen_cookie_gen_search(sk, req, skb, &valid_foc, foc)) { /* Cookie is valid. Create a (full) child socket to accept * the data in SYN before returning a SYN-ACK to ack the * data. If we fail to create the socket, fall back and @@ -406,7 +490,16 @@ struct sock *tcp_try_fastopen(struct sock *sk, struct sk_buff *skb, fastopen: child = tcp_fastopen_create_child(sk, skb, req); if (child) { - foc->len = -1; + if (valid_foc.len != -1) { + /* Client used an old cookie, we announce the + * latests one to the client. + */ + valid_foc.exp = foc->exp; + *foc = valid_foc; + } else { + foc->len = -1; + } + NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPFASTOPENPASSIVE); return child;