[19/31] net/tcp: Add TCP-AO SNE support

Message ID	20220818170005.747015-20-dima@arista.com
State	Superseded
Headers	show Return-Path: <linux-crypto-owner@kernel.org> From: Dmitry Safonov <dima@arista.com> To: Eric Dumazet <edumazet@google.com>, "David S. Miller" <davem@davemloft.net>, linux-kernel@vger.kernel.org Cc: Dmitry Safonov <dima@arista.com>, Andy Lutomirski <luto@amacapital.net>, Ard Biesheuvel <ardb@kernel.org>, Bob Gilligan <gilligan@arista.com>, David Ahern <dsahern@kernel.org>, Dmitry Safonov <0x7f454c46@gmail.com>, Eric Biggers <ebiggers@kernel.org>, Francesco Ruggeri <fruggeri@arista.com>, Herbert Xu <herbert@gondor.apana.org.au>, Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>, Ivan Delalande <colona@arista.com>, Jakub Kicinski <kuba@kernel.org>, Leonard Crestez <cdleonard@gmail.com>, Paolo Abeni <pabeni@redhat.com>, Salam Noureddine <noureddine@arista.com>, Shuah Khan <shuah@kernel.org>, netdev@vger.kernel.org, linux-crypto@vger.kernel.org Subject: [PATCH 19/31] net/tcp: Add TCP-AO SNE support Date: Thu, 18 Aug 2022 17:59:53 +0100 Message-Id: <20220818170005.747015-20-dima@arista.com> In-Reply-To: <20220818170005.747015-1-dima@arista.com> References: <20220818170005.747015-1-dima@arista.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	net/tcp: Add TCP-AO support \| expand [00/31] net/tcp: Add TCP-AO support [01/31] crypto: Introduce crypto_pool [02/31] crypto_pool: Add crypto_pool_reserve_scratch() [03/31] net/tcp: Separate tcp_md5sig_info allocation into tcp_md5sig_info_add() [04/31] net/tcp: Disable TCP-MD5 static key on tcp_md5sig_info destruction [05/31] net/tcp: Use crypto_pool for TCP-MD5 [06/31] net/ipv6: sr: Switch to using crypto_pool [07/31] tcp: Add TCP-AO config and structures [08/31] net/tcp: Introduce TCP_AO setsockopt()s [09/31] net/tcp: Prevent TCP-MD5 with TCP-AO being set [10/31] net/tcp: Calculate TCP-AO traffic keys [12/31] net/tcp: Add tcp_parse_auth_options() [13/31] net/tcp: Add AO sign to RST packets [14/31] net/tcp: Add TCP-AO sign to twsk [15/31] net/tcp: Wire TCP-AO to request sockets [16/31] net/tcp: Sign SYN-ACK segments with TCP-AO [17/31] net/tcp: Verify inbound TCP-AO signed segments [18/31] net/tcp: Add TCP-AO segments counters [19/31] net/tcp: Add TCP-AO SNE support [20/31] net/tcp: Add tcp_hash_fail() ratelimited logs [21/31] net/tcp: Ignore specific ICMPs for TCP-AO connections [22/31] net/tcp: Add option for TCP-AO to (not) hash header [23/31] net/tcp: Add getsockopt(TCP_AO_GET) [24/31] net/tcp: Allow asynchronous delete for TCP-AO keys (MKTs) [25/31] selftests/net: Add TCP-AO library [26/31] selftests/net: Verify that TCP-AO complies with ignoring ICMPs [27/31] selftest/net: Add TCP-AO ICMPs accept test [28/31] selftest/tcp-ao: Add a test for MKT matching [29/31] selftest/tcp-ao: Add test for TCP-AO add setsockopt() command [30/31] selftests/tcp-ao: Add TCP-AO + TCP-MD5 + no sign listen socket tests

Message ID

20220818170005.747015-20-dima@arista.com

State

Superseded

Headers

From: Dmitry Safonov <dima@arista.com>
To: Eric Dumazet <edumazet@google.com>,
        "David S. Miller" <davem@davemloft.net>,
        linux-kernel@vger.kernel.org
Cc: Dmitry Safonov <dima@arista.com>,
        Andy Lutomirski <luto@amacapital.net>,
        Ard Biesheuvel <ardb@kernel.org>,
        Bob Gilligan <gilligan@arista.com>,
        David Ahern <dsahern@kernel.org>,
        Dmitry Safonov <0x7f454c46@gmail.com>,
        Eric Biggers <ebiggers@kernel.org>,
        Francesco Ruggeri <fruggeri@arista.com>,
        Herbert Xu <herbert@gondor.apana.org.au>,
        Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>,
        Ivan Delalande <colona@arista.com>,
        Jakub Kicinski <kuba@kernel.org>,
        Leonard Crestez <cdleonard@gmail.com>,
        Paolo Abeni <pabeni@redhat.com>,
        Salam Noureddine <noureddine@arista.com>,
        Shuah Khan <shuah@kernel.org>, netdev@vger.kernel.org,
        linux-crypto@vger.kernel.org
Subject: [PATCH 19/31] net/tcp: Add TCP-AO SNE support
Date: Thu, 18 Aug 2022 17:59:53 +0100
Message-Id: <20220818170005.747015-20-dima@arista.com>
In-Reply-To: <20220818170005.747015-1-dima@arista.com>
References: <20220818170005.747015-1-dima@arista.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

net/tcp: Add TCP-AO support | expand

Commit Message

Dmitry Safonov Aug. 18, 2022, 4:59 p.m. UTC

Add Sequence Number Extension (SNE) extension for TCP-AO.
This is needed to protect long-living TCP-AO connections from replaying
attacks after sequence number roll-over, see RFC5925 (6.2).

Co-developed-by: Francesco Ruggeri <fruggeri@arista.com>
Signed-off-by: Francesco Ruggeri <fruggeri@arista.com>
Co-developed-by: Salam Noureddine <noureddine@arista.com>
Signed-off-by: Salam Noureddine <noureddine@arista.com>
Signed-off-by: Dmitry Safonov <dima@arista.com>
---
 net/ipv4/tcp_input.c | 35 +++++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)

Comments

Leonard Crestez Aug. 23, 2022, 2:50 p.m. UTC | #1

On 8/18/22 19:59, Dmitry Safonov wrote:
> Add Sequence Number Extension (SNE) extension for TCP-AO.
> This is needed to protect long-living TCP-AO connections from replaying
> attacks after sequence number roll-over, see RFC5925 (6.2).

> +#ifdef CONFIG_TCP_AO
> +	ao = rcu_dereference_protected(tp->ao_info,
> +				       lockdep_sock_is_held((struct sock *)tp));
> +	if (ao) {
> +		if (ack < ao->snd_sne_seq)
> +			ao->snd_sne++;
> +		ao->snd_sne_seq = ack;
> +	}
> +#endif
>   	tp->snd_una = ack;
>   }

... snip ...

> +#ifdef CONFIG_TCP_AO
> +	ao = rcu_dereference_protected(tp->ao_info,
> +				       lockdep_sock_is_held((struct sock *)tp));
> +	if (ao) {
> +		if (seq < ao->rcv_sne_seq)
> +			ao->rcv_sne++;
> +		ao->rcv_sne_seq = seq;
> +	}
> +#endif
>   	WRITE_ONCE(tp->rcv_nxt, seq);

It should always be the case that (rcv_nxt == rcv_sne_seq) and (snd_una 
== snd_sne_seq) so the _sne_seq fields are redundant. It's possible to 
avoid those extra fields.

However 8 bytes per TCP-AO socket is inconsequential.

--
Regards,
Leonard

Francesco Ruggeri Aug. 23, 2022, 10:40 p.m. UTC | #2

On Tue, Aug 23, 2022 at 7:50 AM Leonard Crestez <cdleonard@gmail.com> wrote:
>
> On 8/18/22 19:59, Dmitry Safonov wrote:
> > Add Sequence Number Extension (SNE) extension for TCP-AO.
> > This is needed to protect long-living TCP-AO connections from replaying
> > attacks after sequence number roll-over, see RFC5925 (6.2).
>
> > +#ifdef CONFIG_TCP_AO
> > +     ao = rcu_dereference_protected(tp->ao_info,
> > +                                    lockdep_sock_is_held((struct sock *)tp));
> > +     if (ao) {
> > +             if (ack < ao->snd_sne_seq)
> > +                     ao->snd_sne++;
> > +             ao->snd_sne_seq = ack;
> > +     }
> > +#endif
> >       tp->snd_una = ack;
> >   }
>
> ... snip ...
>
> > +#ifdef CONFIG_TCP_AO
> > +     ao = rcu_dereference_protected(tp->ao_info,
> > +                                    lockdep_sock_is_held((struct sock *)tp));
> > +     if (ao) {
> > +             if (seq < ao->rcv_sne_seq)
> > +                     ao->rcv_sne++;
> > +             ao->rcv_sne_seq = seq;
> > +     }
> > +#endif
> >       WRITE_ONCE(tp->rcv_nxt, seq);
>
> It should always be the case that (rcv_nxt == rcv_sne_seq) and (snd_una
> == snd_sne_seq) so the _sne_seq fields are redundant. It's possible to
> avoid those extra fields.

There are cases where rcv_nxt and snd_una are set outside of
tcp_rcv_nxt_update() and tcp_snd_una_update(), mostly during the
initial handshake, so those cases would have to be taken care of
explicitly, especially wrt rollovers.
I see your point though, there may be a potential for some cleaning
up here.

Francesco

diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index b8175ded8a70..8d326994d1a1 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -3516,9 +3516,21 @@  static inline bool tcp_may_update_window(const struct tcp_sock *tp,
 static void tcp_snd_una_update(struct tcp_sock *tp, u32 ack)
 {
 	u32 delta = ack - tp->snd_una;
+#ifdef CONFIG_TCP_AO
+	struct tcp_ao_info *ao;
+#endif
 
 	sock_owned_by_me((struct sock *)tp);
 	tp->bytes_acked += delta;
+#ifdef CONFIG_TCP_AO
+	ao = rcu_dereference_protected(tp->ao_info,
+				       lockdep_sock_is_held((struct sock *)tp));
+	if (ao) {
+		if (ack < ao->snd_sne_seq)
+			ao->snd_sne++;
+		ao->snd_sne_seq = ack;
+	}
+#endif
 	tp->snd_una = ack;
 }
 
@@ -3526,9 +3538,21 @@  static void tcp_snd_una_update(struct tcp_sock *tp, u32 ack)
 static void tcp_rcv_nxt_update(struct tcp_sock *tp, u32 seq)
 {
 	u32 delta = seq - tp->rcv_nxt;
+#ifdef CONFIG_TCP_AO
+	struct tcp_ao_info *ao;
+#endif
 
 	sock_owned_by_me((struct sock *)tp);
 	tp->bytes_received += delta;
+#ifdef CONFIG_TCP_AO
+	ao = rcu_dereference_protected(tp->ao_info,
+				       lockdep_sock_is_held((struct sock *)tp));
+	if (ao) {
+		if (seq < ao->rcv_sne_seq)
+			ao->rcv_sne++;
+		ao->rcv_sne_seq = seq;
+	}
+#endif
 	WRITE_ONCE(tp->rcv_nxt, seq);
 }
 
@@ -6344,6 +6368,17 @@  static int tcp_rcv_synsent_state_process(struct sock *sk, struct sk_buff *skb,
 		 * simultaneous connect with crossed SYNs.
 		 * Particularly, it can be connect to self.
 		 */
+#ifdef CONFIG_TCP_AO
+		struct tcp_ao_info *ao;
+
+		ao = rcu_dereference_protected(tp->ao_info,
+					       lockdep_sock_is_held(sk));
+		if (ao) {
+			ao->risn = th->seq;
+			ao->rcv_sne = 0;
+			ao->rcv_sne_seq = ntohl(th->seq);
+		}
+#endif
 		tcp_set_state(sk, TCP_SYN_RECV);
 
 		if (tp->rx_opt.saw_tstamp) {

[19/31] net/tcp: Add TCP-AO SNE support

Commit Message

Comments

Patch