net/tcp: Sign SYN-ACK segments with TCP-AO

Similarly to RST segments, wire SYN-ACKs to TCP-AO.
tcp_rsk_used_ao() is handy here to check if the request socket used AO
and needs a signature on the outgoing segments.

Co-developed-by: Francesco Ruggeri <fruggeri@arista.com>
Signed-off-by: Francesco Ruggeri <fruggeri@arista.com>
Co-developed-by: Salam Noureddine <noureddine@arista.com>
Signed-off-by: Salam Noureddine <noureddine@arista.com>
Signed-off-by: Dmitry Safonov <dima@arista.com>
Acked-by: David Ahern <dsahern@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/include/net/tcp.h b/include/net/tcp.h
index d0bea102b52365298744bf64ab944f580ae5151f..c7f80cc94d718c33796fd1bea8464857e179d9c9 100644 (file)
--- a/include/net/tcp.h
+++ b/include/net/tcp.h
@@ -2221,6 +2221,9 @@ struct tcp_request_sock_ops {
                                        struct request_sock *req,
                                        int sndid, int rcvid);
        int (*ao_calc_key)(struct tcp_ao_key *mkt, u8 *key, struct request_sock *sk);
+       int (*ao_synack_hash)(char *ao_hash, struct tcp_ao_key *mkt,
+                             struct request_sock *req, const struct sk_buff *skb,
+                             int hash_offset, u32 sne);
 #endif
 #ifdef CONFIG_SYN_COOKIES
        __u32 (*cookie_init_seq)(const struct sk_buff *skb,

diff --git a/include/net/tcp_ao.h b/include/net/tcp_ao.h
index d2c1ee8bf7b0c1c5e9f2cd2bc62387efe9acaa89..1d69978e349a7e0797998eb700a84b53a67538d5 100644 (file)
--- a/include/net/tcp_ao.h
+++ b/include/net/tcp_ao.h
@@ -147,6 +147,9 @@ int tcp_ao_prepare_reset(const struct sock *sk, struct sk_buff *skb,
 int tcp_v4_parse_ao(struct sock *sk, int cmd, sockptr_t optval, int optlen);
 struct tcp_ao_key *tcp_v4_ao_lookup(const struct sock *sk, struct sock *addr_sk,
                                    int sndid, int rcvid);
+int tcp_v4_ao_synack_hash(char *ao_hash, struct tcp_ao_key *mkt,
+                         struct request_sock *req, const struct sk_buff *skb,
+                         int hash_offset, u32 sne);
 int tcp_v4_ao_calc_key_sk(struct tcp_ao_key *mkt, u8 *key,
                          const struct sock *sk,
                          __be32 sisn, __be32 disn, bool send);
@@ -181,6 +184,9 @@ int tcp_v6_ao_hash_skb(char *ao_hash, struct tcp_ao_key *key,
                       const struct sock *sk, const struct sk_buff *skb,
                       const u8 *tkey, int hash_offset, u32 sne);
 int tcp_v6_parse_ao(struct sock *sk, int cmd, sockptr_t optval, int optlen);
+int tcp_v6_ao_synack_hash(char *ao_hash, struct tcp_ao_key *ao_key,
+                         struct request_sock *req, const struct sk_buff *skb,
+                         int hash_offset, u32 sne);
 void tcp_ao_established(struct sock *sk);
 void tcp_ao_finish_connect(struct sock *sk, struct sk_buff *skb);
 void tcp_ao_connect_init(struct sock *sk);

diff --git a/net/ipv4/tcp_ao.c b/net/ipv4/tcp_ao.c
index 68d81704e14ef0e5bad09fbe0fdef58a4b297875..de3710758d55ee394e0f33a33d5e0bf79529ab32 100644 (file)
--- a/net/ipv4/tcp_ao.c
+++ b/net/ipv4/tcp_ao.c
@@ -568,6 +568,28 @@ int tcp_v4_ao_hash_skb(char *ao_hash, struct tcp_ao_key *key,
                               tkey, hash_offset, sne);
 }
 
+int tcp_v4_ao_synack_hash(char *ao_hash, struct tcp_ao_key *ao_key,
+                         struct request_sock *req, const struct sk_buff *skb,
+                         int hash_offset, u32 sne)
+{
+       void *hash_buf = NULL;
+       int err;
+
+       hash_buf = kmalloc(tcp_ao_digest_size(ao_key), GFP_ATOMIC);
+       if (!hash_buf)
+               return -ENOMEM;
+
+       err = tcp_v4_ao_calc_key_rsk(ao_key, hash_buf, req);
+       if (err)
+               goto out;
+
+       err = tcp_ao_hash_skb(AF_INET, ao_hash, ao_key, req_to_sk(req), skb,
+                             hash_buf, hash_offset, sne);
+out:
+       kfree(hash_buf);
+       return err;
+}
+
 struct tcp_ao_key *tcp_v4_ao_lookup_rsk(const struct sock *sk,
                                        struct request_sock *req,
                                        int sndid, int rcvid)

diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 2bd56b57f3c9d0320d262cead0c7e9d4be1c905f..bdf0224ae827536104c8bc5c9d0dbf00bec67c84 100644 (file)
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -1681,6 +1681,7 @@ const struct tcp_request_sock_ops tcp_request_sock_ipv4_ops = {
 #ifdef CONFIG_TCP_AO
        .ao_lookup      =       tcp_v4_ao_lookup_rsk,
        .ao_calc_key    =       tcp_v4_ao_calc_key_rsk,
+       .ao_synack_hash =       tcp_v4_ao_synack_hash,
 #endif
 #ifdef CONFIG_SYN_COOKIES
        .cookie_init_seq =      cookie_v4_init_sequence,

diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index d44ef88025fb299274e68e8514db1c2207959e7e..f558c054cf6e7538ecc3d711637af0bd44872318 100644 (file)
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -886,7 +886,7 @@ static unsigned int tcp_synack_options(const struct sock *sk,
                                       struct request_sock *req,
                                       unsigned int mss, struct sk_buff *skb,
                                       struct tcp_out_options *opts,
-                                      const struct tcp_md5sig_key *md5,
+                                      const struct tcp_key *key,
                                       struct tcp_fastopen_cookie *foc,
                                       enum tcp_synack_type synack_type,
                                       struct sk_buff *syn_skb)
@@ -894,8 +894,7 @@ static unsigned int tcp_synack_options(const struct sock *sk,
        struct inet_request_sock *ireq = inet_rsk(req);
        unsigned int remaining = MAX_TCP_OPTION_SPACE;
 
-#ifdef CONFIG_TCP_MD5SIG
-       if (md5) {
+       if (tcp_key_is_md5(key)) {
                opts->options |= OPTION_MD5;
                remaining -= TCPOLEN_MD5SIG_ALIGNED;
 
@@ -906,8 +905,11 @@ static unsigned int tcp_synack_options(const struct sock *sk,
                 */
                if (synack_type != TCP_SYNACK_COOKIE)
                        ireq->tstamp_ok &= !ireq->sack_ok;
+       } else if (tcp_key_is_ao(key)) {
+               opts->options |= OPTION_AO;
+               remaining -= tcp_ao_len(key->ao_key);
+               ireq->tstamp_ok &= !ireq->sack_ok;
        }
-#endif
 
        /* We always send an MSS option. */
        opts->mss = mss;
@@ -3653,7 +3655,6 @@ struct sk_buff *tcp_make_synack(const struct sock *sk, struct dst_entry *dst,
 {
        struct inet_request_sock *ireq = inet_rsk(req);
        const struct tcp_sock *tp = tcp_sk(sk);
-       struct tcp_md5sig_key *md5 = NULL;
        struct tcp_out_options opts;
        struct tcp_key key = {};
        struct sk_buff *skb;
@@ -3707,18 +3708,48 @@ struct sk_buff *tcp_make_synack(const struct sock *sk, struct dst_entry *dst,
                        tcp_rsk(req)->snt_synack = tcp_skb_timestamp_us(skb);
        }
 
-#ifdef CONFIG_TCP_MD5SIG
+#if defined(CONFIG_TCP_MD5SIG) || defined(CONFIG_TCP_AO)
        rcu_read_lock();
-       md5 = tcp_rsk(req)->af_specific->req_md5_lookup(sk, req_to_sk(req));
-       if (md5)
-               key.type = TCP_KEY_MD5;
 #endif
+       if (tcp_rsk_used_ao(req)) {
+#ifdef CONFIG_TCP_AO
+               struct tcp_ao_key *ao_key = NULL;
+               u8 maclen = tcp_rsk(req)->maclen;
+               u8 keyid = tcp_rsk(req)->ao_keyid;
+
+               ao_key = tcp_sk(sk)->af_specific->ao_lookup(sk, req_to_sk(req),
+                                                           keyid, -1);
+               /* If there is no matching key - avoid sending anything,
+                * especially usigned segments. It could try harder and lookup
+                * for another peer-matching key, but the peer has requested
+                * ao_keyid (RFC5925 RNextKeyID), so let's keep it simple here.
+                */
+               if (unlikely(!ao_key || tcp_ao_maclen(ao_key) != maclen)) {
+                       u8 key_maclen = ao_key ? tcp_ao_maclen(ao_key) : 0;
+
+                       rcu_read_unlock();
+                       kfree_skb(skb);
+                       net_warn_ratelimited("TCP-AO: the keyid %u with maclen %u|%u from SYN packet is not present - not sending SYNACK\n",
+                                            keyid, maclen, key_maclen);
+                       return NULL;
+               }
+               key.ao_key = ao_key;
+               key.type = TCP_KEY_AO;
+#endif
+       } else {
+#ifdef CONFIG_TCP_MD5SIG
+               key.md5_key = tcp_rsk(req)->af_specific->req_md5_lookup(sk,
+                                       req_to_sk(req));
+               if (key.md5_key)
+                       key.type = TCP_KEY_MD5;
+#endif
+       }
        skb_set_hash(skb, READ_ONCE(tcp_rsk(req)->txhash), PKT_HASH_TYPE_L4);
        /* bpf program will be interested in the tcp_flags */
        TCP_SKB_CB(skb)->tcp_flags = TCPHDR_SYN | TCPHDR_ACK;
-       tcp_header_size = tcp_synack_options(sk, req, mss, skb, &opts, md5,
-                                            foc, synack_type,
-                                            syn_skb) + sizeof(*th);
+       tcp_header_size = tcp_synack_options(sk, req, mss, skb, &opts,
+                                            &key, foc, synack_type, syn_skb)
+                                       + sizeof(*th);
 
        skb_push(skb, tcp_header_size);
        skb_reset_transport_header(skb);
@@ -3738,15 +3769,24 @@ struct sk_buff *tcp_make_synack(const struct sock *sk, struct dst_entry *dst,
 
        /* RFC1323: The window in SYN & SYN/ACK segments is never scaled. */
        th->window = htons(min(req->rsk_rcv_wnd, 65535U));
-       tcp_options_write(th, NULL, NULL, &opts, &key);
+       tcp_options_write(th, NULL, tcp_rsk(req), &opts, &key);
        th->doff = (tcp_header_size >> 2);
        TCP_INC_STATS(sock_net(sk), TCP_MIB_OUTSEGS);
 
-#ifdef CONFIG_TCP_MD5SIG
        /* Okay, we have all we need - do the md5 hash if needed */
-       if (md5)
+       if (tcp_key_is_md5(&key)) {
+#ifdef CONFIG_TCP_MD5SIG
                tcp_rsk(req)->af_specific->calc_md5_hash(opts.hash_location,
-                                              md5, req_to_sk(req), skb);
+                                       key.md5_key, req_to_sk(req), skb);
+#endif
+       } else if (tcp_key_is_ao(&key)) {
+#ifdef CONFIG_TCP_AO
+               tcp_rsk(req)->af_specific->ao_synack_hash(opts.hash_location,
+                                       key.ao_key, req, skb,
+                                       opts.hash_location - (u8 *)th, 0);
+#endif
+       }
+#if defined(CONFIG_TCP_MD5SIG) || defined(CONFIG_TCP_AO)
        rcu_read_unlock();
 #endif
 

diff --git a/net/ipv6/tcp_ao.c b/net/ipv6/tcp_ao.c
index c9a6fa84f6ce2aa8756f9b77dd3ad29cdf0430c5..99753e12c08c5bd98afdad7ebd3a7f97cfca7370 100644 (file)
--- a/net/ipv6/tcp_ao.c
+++ b/net/ipv6/tcp_ao.c
@@ -144,3 +144,25 @@ int tcp_v6_parse_ao(struct sock *sk, int cmd,
 {
        return tcp_parse_ao(sk, cmd, AF_INET6, optval, optlen);
 }
+
+int tcp_v6_ao_synack_hash(char *ao_hash, struct tcp_ao_key *ao_key,
+                         struct request_sock *req, const struct sk_buff *skb,
+                         int hash_offset, u32 sne)
+{
+       void *hash_buf = NULL;
+       int err;
+
+       hash_buf = kmalloc(tcp_ao_digest_size(ao_key), GFP_ATOMIC);
+       if (!hash_buf)
+               return -ENOMEM;
+
+       err = tcp_v6_ao_calc_key_rsk(ao_key, hash_buf, req);
+       if (err)
+               goto out;
+
+       err = tcp_ao_hash_skb(AF_INET6, ao_hash, ao_key, req_to_sk(req), skb,
+                             hash_buf, hash_offset, sne);
+out:
+       kfree(hash_buf);
+       return err;
+}

diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index b08b177847da3f071cdf8d2bb7305722d8f07a16..8c5c96187a72812e4a7c62f121d2beef08946ed1 100644 (file)
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -839,6 +839,7 @@ const struct tcp_request_sock_ops tcp_request_sock_ipv6_ops = {
 #ifdef CONFIG_TCP_AO
        .ao_lookup      =       tcp_v6_ao_lookup_rsk,
        .ao_calc_key    =       tcp_v6_ao_calc_key_rsk,
+       .ao_synack_hash =       tcp_v6_ao_synack_hash,
 #endif
 #ifdef CONFIG_SYN_COOKIES
        .cookie_init_seq =      cookie_v6_init_sequence,