[RFCv2,1/9] tcp: authopt: Initial support and key management

This commit add support to add and remove keys but does not use them
further.

Similar to tcp md5 a single point to a struct tcp_authopt_info* struct
is added to struct tcp_sock in order to avoid increasing memory usage
for everybody. The data structures related to tcp_authopt are
initialized on setsockopt and only removed on socket close.

Signed-off-by: Leonard Crestez <cdleonard@gmail.com>
---
 include/linux/tcp.h       |   6 ++
 include/net/tcp.h         |   1 +
 include/net/tcp_authopt.h |  55 ++++++++++++
 include/uapi/linux/tcp.h  |  72 ++++++++++++++++
 net/ipv4/Kconfig          |  14 ++++
 net/ipv4/Makefile         |   1 +
 net/ipv4/tcp.c            |  27 ++++++
 net/ipv4/tcp_authopt.c    | 172 ++++++++++++++++++++++++++++++++++++++
 net/ipv4/tcp_ipv4.c       |   2 +
 9 files changed, 350 insertions(+)
 create mode 100644 include/net/tcp_authopt.h
 create mode 100644 net/ipv4/tcp_authopt.c

Hi Leonard,

On Tue, 10 Aug 2021 at 02:50, Leonard Crestez <cdleonard@gmail.com> wrote:
[..]
> +/* Representation of a Master Key Tuple as per RFC5925 */

> +struct tcp_authopt_key_info {

> +       struct hlist_node node;

> +       /* Local identifier */

> +       u32 local_id;


There is no local_id in RFC5925, what's that?
An MKT is identified by (send_id, recv_id), together with
(src_addr/src_port, dst_addr/dst_port).
Why introducing something new to already complicated RFC?

> +       u32 flags;

> +       /* Wire identifiers */

> +       u8 send_id, recv_id;

> +       u8 alg_id;

> +       u8 keylen;

> +       u8 key[TCP_AUTHOPT_MAXKEYLEN];

> +       struct rcu_head rcu;


This is unaligned and will add padding.
I wonder if it's also worth saving some bytes by something like
struct tcp_ao_key *key;

With
struct tcp_ao_key {
      u8 keylen;
      u8 key[0];
};

Hmm?

> +       struct sockaddr_storage addr;

> +};

> +

> +/* Per-socket information regarding tcp_authopt */

> +struct tcp_authopt_info {

> +       /* List of tcp_authopt_key_info */

> +       struct hlist_head head;

> +       u32 flags;

> +       u32 src_isn;

> +       u32 dst_isn;

> +       struct rcu_head rcu;


Ditto, adds padding on 64-bit.

[..]
> +++ b/include/uapi/linux/tcp.h

> @@ -126,10 +126,12 @@ enum {

>  #define TCP_INQ                        36      /* Notify bytes available to read as a cmsg on read */

>

>  #define TCP_CM_INQ             TCP_INQ

>

>  #define TCP_TX_DELAY           37      /* delay outgoing packets by XX usec */

> +#define TCP_AUTHOPT                    38      /* TCP Authentication Option (RFC2385) */

> +#define TCP_AUTHOPT_KEY                39      /* TCP Authentication Option update key (RFC2385) */


RFC2385 is md5 one.
Also, should there be TCP_AUTHOPT_ADD_KEY, TCP_AUTHOPT_DELTE_KEY
instead of using flags inside setsocketopt()? (no hard feelings)

[..]
> +/**

> + * enum tcp_authopt_flag - flags for `tcp_authopt.flags`

> + */

> +enum tcp_authopt_flag {

> +       /**

> +        * @TCP_AUTHOPT_FLAG_REJECT_UNEXPECTED:

> +        *      Configure behavior of segments with TCP-AO coming from hosts for which no

> +        *      key is configured. The default recommended by RFC is to silently accept

> +        *      such connections.

> +        */

> +       TCP_AUTHOPT_FLAG_REJECT_UNEXPECTED = (1 << 2),

> +};

> +

> +/**

> + * struct tcp_authopt - Per-socket options related to TCP Authentication Option

> + */

> +struct tcp_authopt {

> +       /** @flags: Combination of &enum tcp_authopt_flag */

> +       __u32   flags;

> +};


I'm not sure what's the use of enum here, probably:
#define TCP_AUTHOPT_FLAG_REJECT_UNEXPECTED BIT(2)

[..]
> +struct tcp_authopt_key {

> +       /** @flags: Combination of &enum tcp_authopt_key_flag */

> +       __u32   flags;

> +       /** @local_id: Local identifier */

> +       __u32   local_id;

> +       /** @send_id: keyid value for send */

> +       __u8    send_id;

> +       /** @recv_id: keyid value for receive */

> +       __u8    recv_id;

> +       /** @alg: One of &enum tcp_authopt_alg */

> +       __u8    alg;

> +       /** @keylen: Length of the key buffer */

> +       __u8    keylen;

> +       /** @key: Secret key */

> +       __u8    key[TCP_AUTHOPT_MAXKEYLEN];

> +       /**

> +        * @addr: Key is only valid for this address

> +        *

> +        * Ignored unless TCP_AUTHOPT_KEY_ADDR_BIND flag is set

> +        */

> +       struct __kernel_sockaddr_storage addr;

> +};


It'll be an ABI if this is accepted. As it is - it can't support RFC5925 fully.
Extending syscall ABI is painful. I think, even the initial ABI *must* support
all possible features of the RFC.
In other words, there must be src_addr, src_port, dst_addr and dst_port.
I can see from docs you've written you don't want to support a mix of different
addr/port MKTs, so you can return -EINVAL or -ENOTSUPP for any value
but zero.
This will create an ABI that can be later extended to fully support RFC.

The same is about key: I don't think you need to define/use tcp_authopt_alg.
Just use algo name - that way TCP-AO will automatically be able to use
any algo supported by crypto engine.
See how xfrm does it, e.g.:
struct xfrm_algo_auth {
    char        alg_name[64];
    unsigned int    alg_key_len;    /* in bits */
    unsigned int    alg_trunc_len;  /* in bits */
    char        alg_key[0];
};

So you can let a user chose maclen instead of hard-coding it.
Much more extendable than what you propose.

[..]
> +#ifdef CONFIG_TCP_AUTHOPT

> +       case TCP_AUTHOPT: {

> +               struct tcp_authopt info;

> +

> +               if (get_user(len, optlen))

> +                       return -EFAULT;

> +

> +               lock_sock(sk);

> +               tcp_get_authopt_val(sk, &info);

> +               release_sock(sk);

> +

> +               len = min_t(unsigned int, len, sizeof(info));

> +               if (put_user(len, optlen))

> +                       return -EFAULT;

> +               if (copy_to_user(optval, &info, len))

> +                       return -EFAULT;

> +               return 0;

> +       }


I'm pretty sure it's not a good choice to write partly tcp_authopt.
And a user has no way to check what's the correct len on this kernel.
Instead of len = min_t(unsigned int, len, sizeof(info)), it should be
if (len != sizeof(info))
    return -EINVAL;

[..]
> +int tcp_set_authopt(struct sock *sk, sockptr_t optval, unsigned int optlen)

> +{

> +       struct tcp_authopt opt;

> +       struct tcp_authopt_info *info;

> +

> +       WARN_ON(!lockdep_sock_is_held(sk));


sock_owned_by_me(sk)

> +

> +       /* If userspace optlen is too short fill the rest with zeros */

> +       if (optlen > sizeof(opt))

> +               return -EINVAL;

> +       memset(&opt, 0, sizeof(opt));


it's 4 bytes, why not just (optlen != sizeof(opt))?

[..]
> +int tcp_get_authopt_val(struct sock *sk, struct tcp_authopt *opt)

> +{

> +       struct tcp_sock *tp = tcp_sk(sk);

> +       struct tcp_authopt_info *info;

> +

> +       WARN_ON(!lockdep_sock_is_held(sk));


sock_owned_by_me(sk)

[..]
> +int tcp_set_authopt_key(struct sock *sk, sockptr_t optval, unsigned int optlen)

> +{

> +       struct tcp_authopt_key opt;

> +       struct tcp_authopt_info *info;

> +       struct tcp_authopt_key_info *key_info;

> +

> +       /* If userspace optlen is too short fill the rest with zeros */

> +       if (optlen > sizeof(opt))

> +               return -EINVAL;

> +       memset(&opt, 0, sizeof(opt));

> +       if (copy_from_sockptr(&opt, optval, optlen))

> +               return -EFAULT;


Again, not a good practice to zero-extend struct. Enforce proper size
with -EINVAL.

[..]
> +       /* Initialize tcp_authopt_info if not already set */

> +       info = __tcp_authopt_info_get_or_create(sk);

> +       if (IS_ERR(info))

> +               return PTR_ERR(info);

> +

> +       /* check key family */

> +       if (opt.flags & TCP_AUTHOPT_KEY_ADDR_BIND) {

> +               if (sk->sk_family != opt.addr.ss_family)

> +                       return -EINVAL;

> +       }


Probably, can be in the reverse order, so that
__tcp_authopt_info_get_or_create()
won't allocate memory.

> +       /* If an old value exists for same local_id it is deleted */

> +       key_info = __tcp_authopt_key_info_lookup(sk, info, opt.local_id);

> +       if (key_info)

> +               tcp_authopt_key_del(sk, info, key_info);

> +       key_info = sock_kmalloc(sk, sizeof(*key_info), GFP_KERNEL | __GFP_ZERO);

> +       if (!key_info)

> +               return -ENOMEM;


1. You don't need sock_kmalloc() together with tcp_authopt_key_del().
    It just frees the memory and allocates it back straight away - no
sense in doing that.
2. I think RFC says you must not allow a user to change an existing key:
> MKT parameters are not changed. Instead, new MKTs can be installed, and a connection

> can change which MKT it uses.


IIUC, it means that one can't just change an existing MKT, but one can
remove and later
add MKT with the same (send_id, recv_id, src_addr/port, dst_addr/port).

So, a reasonable thing to do:
if (key_info)
    return -EEXIST.

Thanks,
             Dmitry

On 8/10/21 11:41 PM, Dmitry Safonov wrote:
> Hi Leonard,

> 

> On Tue, 10 Aug 2021 at 02:50, Leonard Crestez <cdleonard@gmail.com> wrote:

> [..]

>> +/* Representation of a Master Key Tuple as per RFC5925 */

>> +struct tcp_authopt_key_info {

>> +       struct hlist_node node;

>> +       /* Local identifier */

>> +       u32 local_id;

> 

> There is no local_id in RFC5925, what's that?

> An MKT is identified by (send_id, recv_id), together with

> (src_addr/src_port, dst_addr/dst_port).

> Why introducing something new to already complicated RFC?


It was there to simplify user interface and initial implementation.

But it seems that BGP listeners already needs to support multiple 
keychains for different peers so identifying the key by (send_id, 
recv_id, binding) is easier for userspace to work with. Otherwise they 
need to create their own local_id mapping internally.

>> +       u32 flags;

>> +       /* Wire identifiers */

>> +       u8 send_id, recv_id;

>> +       u8 alg_id;

>> +       u8 keylen;

>> +       u8 key[TCP_AUTHOPT_MAXKEYLEN];

>> +       struct rcu_head rcu;

> 

> This is unaligned and will add padding.


Not clear padding matters. Moving rcu_head higher would avoid it, is 
that what you're suggesting.

> I wonder if it's also worth saving some bytes by something like

> struct tcp_ao_key *key;

> 

> With

> struct tcp_ao_key {

>        u8 keylen;

>        u8 key[0];

> };

> 

> Hmm?


This increases memory management complexity for very minor gains. Very 
few tcp_authopt_key will ever be created.

>> +       struct sockaddr_storage addr;

>> +};

>> +

>> +/* Per-socket information regarding tcp_authopt */

>> +struct tcp_authopt_info {

>> +       /* List of tcp_authopt_key_info */

>> +       struct hlist_head head;

>> +       u32 flags;

>> +       u32 src_isn;

>> +       u32 dst_isn;

>> +       struct rcu_head rcu;

> 

> Ditto, adds padding on 64-bit.

> 

> [..]

>> +++ b/include/uapi/linux/tcp.h

>> @@ -126,10 +126,12 @@ enum {

>>   #define TCP_INQ                        36      /* Notify bytes available to read as a cmsg on read */

>>

>>   #define TCP_CM_INQ             TCP_INQ

>>

>>   #define TCP_TX_DELAY           37      /* delay outgoing packets by XX usec */

>> +#define TCP_AUTHOPT                    38      /* TCP Authentication Option (RFC2385) */

>> +#define TCP_AUTHOPT_KEY                39      /* TCP Authentication Option update key (RFC2385) */

> 

> RFC2385 is md5 one.

> Also, should there be TCP_AUTHOPT_ADD_KEY, TCP_AUTHOPT_DELTE_KEY

> instead of using flags inside setsocketopt()? (no hard feelings)


Fixed RFC reference.

TCP_AUTHOPT_DELETE_KEY could be clearer, I just wanted to avoid bloating 
the sockopt space. But there's not any scarcity.

For reference tcp_md5 handles key deletion based on keylen == 0. This 
seems wrong to me, an empty key is in fact valid though not realistic.

If local_id is removed in favor of "full match on id and binding" then 
the delete sockopt would still need most of a full struct 
tcp_authopt_key anyway.

> [..]

>> +/**

>> + * enum tcp_authopt_flag - flags for `tcp_authopt.flags`

>> + */

>> +enum tcp_authopt_flag {

>> +       /**

>> +        * @TCP_AUTHOPT_FLAG_REJECT_UNEXPECTED:

>> +        *      Configure behavior of segments with TCP-AO coming from hosts for which no

>> +        *      key is configured. The default recommended by RFC is to silently accept

>> +        *      such connections.

>> +        */

>> +       TCP_AUTHOPT_FLAG_REJECT_UNEXPECTED = (1 << 2),

>> +};

>> +

>> +/**

>> + * struct tcp_authopt - Per-socket options related to TCP Authentication Option

>> + */

>> +struct tcp_authopt {

>> +       /** @flags: Combination of &enum tcp_authopt_flag */

>> +       __u32   flags;

>> +};

> 

> I'm not sure what's the use of enum here, probably: > #define TCP_AUTHOPT_FLAG_REJECT_UNEXPECTED BIT(2)


This is an enum because it looks nice in kernel-doc. I couldn't find a 
way to attach docs to a macro and include it somewhere else. BTW, the 
enum gains more members later.

As for BIT() it doesn't see to be allowed in uapi and there were recent 
changes removing such usage.

> [..]

>> +struct tcp_authopt_key {

>> +       /** @flags: Combination of &enum tcp_authopt_key_flag */

>> +       __u32   flags;

>> +       /** @local_id: Local identifier */

>> +       __u32   local_id;

>> +       /** @send_id: keyid value for send */

>> +       __u8    send_id;

>> +       /** @recv_id: keyid value for receive */

>> +       __u8    recv_id;

>> +       /** @alg: One of &enum tcp_authopt_alg */

>> +       __u8    alg;

>> +       /** @keylen: Length of the key buffer */

>> +       __u8    keylen;

>> +       /** @key: Secret key */

>> +       __u8    key[TCP_AUTHOPT_MAXKEYLEN];

>> +       /**

>> +        * @addr: Key is only valid for this address

>> +        *

>> +        * Ignored unless TCP_AUTHOPT_KEY_ADDR_BIND flag is set

>> +        */

>> +       struct __kernel_sockaddr_storage addr;

>> +};

> 

> It'll be an ABI if this is accepted. As it is - it can't support RFC5925 fully.

> Extending syscall ABI is painful. I think, even the initial ABI *must* support

> all possible features of the RFC.

> In other words, there must be src_addr, src_port, dst_addr and dst_port.

> I can see from docs you've written you don't want to support a mix of different

> addr/port MKTs, so you can return -EINVAL or -ENOTSUPP for any value

> but zero.

> This will create an ABI that can be later extended to fully support RFC.


RFC states that MKT connection identifiers can be specified using ranges 
and wildcards and the details are up to the implementation. Keys are 
*NOT* just bound to a classical TCP 4-tuple.

* src_addr and src_port is implicit in socket binding. Maybe in theory 
src_addr they could apply for a server socket bound to 0.0.0.0:PORT but 
userspace can just open more sockets.
* dst_port is not supported by MD5 and I can't think of any useful 
usecase. This is either well known (179 for BGP) or auto-allocated.
* tcp_md5 was recently enhanced allow a "prefixlen" for addr and 
"l3mdev" ifindex binding.

This last point shows that the binding features people require can't be 
easily predicted in advance so it's better to allow the rules to be 
extended.

> The same is about key: I don't think you need to define/use tcp_authopt_alg.

> Just use algo name - that way TCP-AO will automatically be able to use

> any algo supported by crypto engine.

> See how xfrm does it, e.g.:

> struct xfrm_algo_auth {

>      char        alg_name[64];

>      unsigned int    alg_key_len;    /* in bits */

>      unsigned int    alg_trunc_len;  /* in bits */

>      char        alg_key[0];

> };

> 

> So you can let a user chose maclen instead of hard-coding it.

> Much more extendable than what you propose.


This complicates ABI and implementation with features that are not 
needed. I'd much rather only expose an enum of real-world tcp-ao algorithms.

> [..]

>> +#ifdef CONFIG_TCP_AUTHOPT

>> +       case TCP_AUTHOPT: {

>> +               struct tcp_authopt info;

>> +

>> +               if (get_user(len, optlen))

>> +                       return -EFAULT;

>> +

>> +               lock_sock(sk);

>> +               tcp_get_authopt_val(sk, &info);

>> +               release_sock(sk);

>> +

>> +               len = min_t(unsigned int, len, sizeof(info));

>> +               if (put_user(len, optlen))

>> +                       return -EFAULT;

>> +               if (copy_to_user(optval, &info, len))

>> +                       return -EFAULT;

>> +               return 0;

>> +       }

> 

> I'm pretty sure it's not a good choice to write partly tcp_authopt.

> And a user has no way to check what's the correct len on this kernel.

> Instead of len = min_t(unsigned int, len, sizeof(info)), it should be

> if (len != sizeof(info))

>      return -EINVAL;


Purpose is to allow sockopts to grow as md5 has grown.

> [..]

>> +int tcp_set_authopt(struct sock *sk, sockptr_t optval, unsigned int optlen)

>> +{

>> +       struct tcp_authopt opt;

>> +       struct tcp_authopt_info *info;

>> +

>> +       WARN_ON(!lockdep_sock_is_held(sk));

> 

> sock_owned_by_me(sk)


Yes, this seems better. I think there are several socket locking 
mistakes in later commits. The patch adding support for detailed keyid 
control probably needs bh_lock_sock to avoid races between key selection 
and caching on send and key manipulation by userspace.

>> +       /* If userspace optlen is too short fill the rest with zeros */

>> +       if (optlen > sizeof(opt))

>> +               return -EINVAL;

>> +       memset(&opt, 0, sizeof(opt));

> 

> it's 4 bytes, why not just (optlen != sizeof(opt))?


It's extended in a later commit to add detailed keyid control.

> [..]

>> +int tcp_get_authopt_val(struct sock *sk, struct tcp_authopt *opt)

>> +{

>> +       struct tcp_sock *tp = tcp_sk(sk);

>> +       struct tcp_authopt_info *info;

>> +

>> +       WARN_ON(!lockdep_sock_is_held(sk));

> 

> sock_owned_by_me(sk)

> 

> [..]

>> +int tcp_set_authopt_key(struct sock *sk, sockptr_t optval, unsigned int optlen)

>> +{

>> +       struct tcp_authopt_key opt;

>> +       struct tcp_authopt_info *info;

>> +       struct tcp_authopt_key_info *key_info;

>> +

>> +       /* If userspace optlen is too short fill the rest with zeros */

>> +       if (optlen > sizeof(opt))

>> +               return -EINVAL;

>> +       memset(&opt, 0, sizeof(opt));

>> +       if (copy_from_sockptr(&opt, optval, optlen))

>> +               return -EFAULT;

> 

> Again, not a good practice to zero-extend struct. Enforce proper size

> with -EINVAL.

> 

> [..]

>> +       /* Initialize tcp_authopt_info if not already set */

>> +       info = __tcp_authopt_info_get_or_create(sk);

>> +       if (IS_ERR(info))

>> +               return PTR_ERR(info);

>> +

>> +       /* check key family */

>> +       if (opt.flags & TCP_AUTHOPT_KEY_ADDR_BIND) {

>> +               if (sk->sk_family != opt.addr.ss_family)

>> +                       return -EINVAL;

>> +       }

> 

> Probably, can be in the reverse order, so that

> __tcp_authopt_info_get_or_create()

> won't allocate memory.


OK. It only saves a tiny bit of memory on API misuse.

>> +       /* If an old value exists for same local_id it is deleted */

>> +       key_info = __tcp_authopt_key_info_lookup(sk, info, opt.local_id);

>> +       if (key_info)

>> +               tcp_authopt_key_del(sk, info, key_info);

>> +       key_info = sock_kmalloc(sk, sizeof(*key_info), GFP_KERNEL | __GFP_ZERO);

>> +       if (!key_info)

>> +               return -ENOMEM;

> 

> 1. You don't need sock_kmalloc() together with tcp_authopt_key_del().

>      It just frees the memory and allocates it back straight away - no

> sense in doing that.


The list is scanned in multiple places in later commits using nothing 
but an rcu_read_lock, this means that keys can't be updated in-place.

> 2. I think RFC says you must not allow a user to change an existing key:

>> MKT parameters are not changed. Instead, new MKTs can be installed, and a connection

>> can change which MKT it uses.

> 

> IIUC, it means that one can't just change an existing MKT, but one can

> remove and later

> add MKT with the same (send_id, recv_id, src_addr/port, dst_addr/port).

> 

> So, a reasonable thing to do:

> if (key_info)

>      return -EEXIST.


You're right, making the user delete keys explicitly is better.

--
Regards,
Leonard

On 8/11/21 2:29 AM, Leonard Crestez wrote:
> On 8/10/21 11:41 PM, Dmitry Safonov wrote:

>> Hi Leonard,

>>

>> On Tue, 10 Aug 2021 at 02:50, Leonard Crestez <cdleonard@gmail.com>

>> wrote:

>> [..]

>>> +/* Representation of a Master Key Tuple as per RFC5925 */

>>> +struct tcp_authopt_key_info {

>>> +       struct hlist_node node;

>>> +       /* Local identifier */

>>> +       u32 local_id;

>>

>> There is no local_id in RFC5925, what's that?

>> An MKT is identified by (send_id, recv_id), together with

>> (src_addr/src_port, dst_addr/dst_port).

>> Why introducing something new to already complicated RFC?

> 

> It was there to simplify user interface and initial implementation.

> 

> But it seems that BGP listeners already needs to support multiple

> keychains for different peers so identifying the key by (send_id,

> recv_id, binding) is easier for userspace to work with. Otherwise they

> need to create their own local_id mapping internally.

> 


any proposed simplification needs to be well explained and how it
relates to the RFC spec.

On 8/11/21 9:29 AM, Leonard Crestez wrote:
> On 8/10/21 11:41 PM, Dmitry Safonov wrote:

[..]
>>> +       u32 flags;

>>> +       /* Wire identifiers */

>>> +       u8 send_id, recv_id;

>>> +       u8 alg_id;

>>> +       u8 keylen;

>>> +       u8 key[TCP_AUTHOPT_MAXKEYLEN];

>>> +       struct rcu_head rcu;

>>

>> This is unaligned and will add padding.

> 

> Not clear padding matters. Moving rcu_head higher would avoid it, is

> that what you're suggesting.


Yes.

>> I wonder if it's also worth saving some bytes by something like

>> struct tcp_ao_key *key;

>>

>> With

>> struct tcp_ao_key {

>>        u8 keylen;

>>        u8 key[0];

>> };

>>

>> Hmm?

> 

> This increases memory management complexity for very minor gains. Very

> few tcp_authopt_key will ever be created.


The change doesn't seem to be big, like:
--- a/net/ipv4/tcp_authopt.c
+++ b/net/ipv4/tcp_authopt.c
@@ -422,8 +422,16 @@ int tcp_set_authopt_key(struct sock *sk, sockptr_t
optval, unsig>
        key_info = __tcp_authopt_key_info_lookup(sk, info, opt.local_id);
        if (key_info)
                tcp_authopt_key_del(sk, info, key_info);
+
+       key = sock_kmalloc(sk, sizeof(*key) + opt.keylen, GFP_KERNEL |
__GFP_ZERO);
+       if (!key) {
+               tcp_authopt_alg_release(alg);
+               return -ENOMEM;
+       }
+
        key_info = sock_kmalloc(sk, sizeof(*key_info), GFP_KERNEL |
__GFP_ZERO);
        if (!key_info) {
+               sock_kfree_s(sk, key, sizeof(*key) + opt.keylen);
                tcp_authopt_alg_release(alg);
                return -ENOMEM;
        }

I don't know, probably it'll be enough for every user to limit their
keys by length of 80, but if one day it won't be enough - this ABI will
be painful to extend.

[..]
>>> +#define TCP_AUTHOPT                    38      /* TCP Authentication

>>> Option (RFC2385) */

>>> +#define TCP_AUTHOPT_KEY                39      /* TCP Authentication

>>> Option update key (RFC2385) */

>>

>> RFC2385 is md5 one.

>> Also, should there be TCP_AUTHOPT_ADD_KEY, TCP_AUTHOPT_DELTE_KEY

>> instead of using flags inside setsocketopt()? (no hard feelings)

> 

> Fixed RFC reference.

> 

> TCP_AUTHOPT_DELETE_KEY could be clearer, I just wanted to avoid bloating

> the sockopt space. But there's not any scarcity.

> 

> For reference tcp_md5 handles key deletion based on keylen == 0. This

> seems wrong to me, an empty key is in fact valid though not realistic.

> 

> If local_id is removed in favor of "full match on id and binding" then

> the delete sockopt would still need most of a full struct

> tcp_authopt_key anyway.


Sounds like a plan.

[..]>> I'm not sure what's the use of enum here, probably: > #define
>> TCP_AUTHOPT_FLAG_REJECT_UNEXPECTED BIT(2)

> 

> This is an enum because it looks nice in kernel-doc. I couldn't find a

> way to attach docs to a macro and include it somewhere else.


Yeah, ok, seems like good justification.

> BTW, the enum gains more members later.

> 

> As for BIT() it doesn't see to be allowed in uapi and there were recent

> changes removing such usage.


Ok, I just saw it's still used in include/uapi, but not aware of the
removal.

> 

>> [..]

>>> +struct tcp_authopt_key {

>>> +       /** @flags: Combination of &enum tcp_authopt_key_flag */

>>> +       __u32   flags;

>>> +       /** @local_id: Local identifier */

>>> +       __u32   local_id;

>>> +       /** @send_id: keyid value for send */

>>> +       __u8    send_id;

>>> +       /** @recv_id: keyid value for receive */

>>> +       __u8    recv_id;

>>> +       /** @alg: One of &enum tcp_authopt_alg */

>>> +       __u8    alg;

>>> +       /** @keylen: Length of the key buffer */

>>> +       __u8    keylen;

>>> +       /** @key: Secret key */

>>> +       __u8    key[TCP_AUTHOPT_MAXKEYLEN];

>>> +       /**

>>> +        * @addr: Key is only valid for this address

>>> +        *

>>> +        * Ignored unless TCP_AUTHOPT_KEY_ADDR_BIND flag is set

>>> +        */

>>> +       struct __kernel_sockaddr_storage addr;

>>> +};

>>

>> It'll be an ABI if this is accepted. As it is - it can't support

>> RFC5925 fully.

>> Extending syscall ABI is painful. I think, even the initial ABI *must*

>> support

>> all possible features of the RFC.

>> In other words, there must be src_addr, src_port, dst_addr and dst_port.

>> I can see from docs you've written you don't want to support a mix of

>> different

>> addr/port MKTs, so you can return -EINVAL or -ENOTSUPP for any value

>> but zero.

>> This will create an ABI that can be later extended to fully support RFC.

> 

> RFC states that MKT connection identifiers can be specified using ranges

> and wildcards and the details are up to the implementation. Keys are

> *NOT* just bound to a classical TCP 4-tuple.

> 

> * src_addr and src_port is implicit in socket binding. Maybe in theory

> src_addr they could apply for a server socket bound to 0.0.0.0:PORT but

> userspace can just open more sockets.

> * dst_port is not supported by MD5 and I can't think of any useful

> usecase. This is either well known (179 for BGP) or auto-allocated.

> * tcp_md5 was recently enhanced allow a "prefixlen" for addr and

> "l3mdev" ifindex binding.

> 

> This last point shows that the binding features people require can't be

> easily predicted in advance so it's better to allow the rules to be

> extended.


Yeah, I see both changes you mention went on easy way as they reused
existing paddings in the ABI structures.
Ok, if you don't want to reserve src_addr/src_port/dst_addr/dst_port,
than how about reserving some space for those instead?

>> The same is about key: I don't think you need to define/use

>> tcp_authopt_alg.

>> Just use algo name - that way TCP-AO will automatically be able to use

>> any algo supported by crypto engine.

>> See how xfrm does it, e.g.:

>> struct xfrm_algo_auth {

>>      char        alg_name[64];

>>      unsigned int    alg_key_len;    /* in bits */

>>      unsigned int    alg_trunc_len;  /* in bits */

>>      char        alg_key[0];

>> };

>>

>> So you can let a user chose maclen instead of hard-coding it.

>> Much more extendable than what you propose.

> 

> This complicates ABI and implementation with features that are not

> needed. I'd much rather only expose an enum of real-world tcp-ao

> algorithms.


I see it exactly the opposite way: a new enum unnecessary complicates
ABI, instead of passing alg_name[] to crypto engine. No need to add any
support in tcp-ao as the algorithms are already provided by kernel.
That is how it transparently works for ipsec, why not for tcp-ao?

> 

>> [..]

>>> +#ifdef CONFIG_TCP_AUTHOPT

>>> +       case TCP_AUTHOPT: {

>>> +               struct tcp_authopt info;

>>> +

>>> +               if (get_user(len, optlen))

>>> +                       return -EFAULT;

>>> +

>>> +               lock_sock(sk);

>>> +               tcp_get_authopt_val(sk, &info);

>>> +               release_sock(sk);

>>> +

>>> +               len = min_t(unsigned int, len, sizeof(info));

>>> +               if (put_user(len, optlen))

>>> +                       return -EFAULT;

>>> +               if (copy_to_user(optval, &info, len))

>>> +                       return -EFAULT;

>>> +               return 0;

>>> +       }

>>

>> I'm pretty sure it's not a good choice to write partly tcp_authopt.

>> And a user has no way to check what's the correct len on this kernel.

>> Instead of len = min_t(unsigned int, len, sizeof(info)), it should be

>> if (len != sizeof(info))

>>      return -EINVAL;

> 

> Purpose is to allow sockopts to grow as md5 has grown.


md5 has not grown. See above.

Another issue with your approach

+       /* If userspace optlen is too short fill the rest with zeros */
+       if (optlen > sizeof(opt))
+               return -EINVAL;
+       memset(&opt, 0, sizeof(opt));
+       if (copy_from_sockptr(&opt, optval, optlen))
+               return -EFAULT;

is that userspace compiled with updated/grew structure will fail on
older kernel. So, no extension without breaking something is possible.
Which also reminds me that currently you don't validate (opt.flags) for
unknown by kernel flags.

Extending syscalls is impossible without breaking userspace if ABI is
not designed with extensibility in mind. That was quite a big problem,
and still is. Please, read this carefully:
https://lwn.net/Articles/830666/

That is why I'm suggesting you all those changes that will be harder to
fix when/if your patches get accepted.
As an example how it should work see in copy_clone_args_from_user().

[..]

Thanks,
         Dmitry

On 8/11/21 8:31 AM, Dmitry Safonov wrote:
> On 8/11/21 9:29 AM, Leonard Crestez wrote:

>> On 8/10/21 11:41 PM, Dmitry Safonov wrote:

> [..]

>>>> +       u32 flags;

>>>> +       /* Wire identifiers */

>>>> +       u8 send_id, recv_id;

>>>> +       u8 alg_id;

>>>> +       u8 keylen;

>>>> +       u8 key[TCP_AUTHOPT_MAXKEYLEN];

>>>> +       struct rcu_head rcu;

>>>

>>> This is unaligned and will add padding.

>>

>> Not clear padding matters. Moving rcu_head higher would avoid it, is

>> that what you're suggesting.

> 

> Yes.

> 

>>> I wonder if it's also worth saving some bytes by something like

>>> struct tcp_ao_key *key;

>>>

>>> With

>>> struct tcp_ao_key {

>>>        u8 keylen;

>>>        u8 key[0];

>>> };

>>>

>>> Hmm?

>>

>> This increases memory management complexity for very minor gains. Very

>> few tcp_authopt_key will ever be created.

> 

> The change doesn't seem to be big, like:

> --- a/net/ipv4/tcp_authopt.c

> +++ b/net/ipv4/tcp_authopt.c

> @@ -422,8 +422,16 @@ int tcp_set_authopt_key(struct sock *sk, sockptr_t

> optval, unsig>

>         key_info = __tcp_authopt_key_info_lookup(sk, info, opt.local_id);

>         if (key_info)

>                 tcp_authopt_key_del(sk, info, key_info);

> +

> +       key = sock_kmalloc(sk, sizeof(*key) + opt.keylen, GFP_KERNEL |

> __GFP_ZERO);

> +       if (!key) {

> +               tcp_authopt_alg_release(alg);

> +               return -ENOMEM;

> +       }

> +

>         key_info = sock_kmalloc(sk, sizeof(*key_info), GFP_KERNEL |

> __GFP_ZERO);

>         if (!key_info) {

> +               sock_kfree_s(sk, key, sizeof(*key) + opt.keylen);

>                 tcp_authopt_alg_release(alg);

>                 return -ENOMEM;

>         }

> 

> I don't know, probably it'll be enough for every user to limit their

> keys by length of 80, but if one day it won't be enough - this ABI will

> be painful to extend.

> 

> [..]

>>>> +#define TCP_AUTHOPT                    38      /* TCP Authentication

>>>> Option (RFC2385) */

>>>> +#define TCP_AUTHOPT_KEY                39      /* TCP Authentication

>>>> Option update key (RFC2385) */

>>>

>>> RFC2385 is md5 one.

>>> Also, should there be TCP_AUTHOPT_ADD_KEY, TCP_AUTHOPT_DELTE_KEY

>>> instead of using flags inside setsocketopt()? (no hard feelings)

>>

>> Fixed RFC reference.

>>

>> TCP_AUTHOPT_DELETE_KEY could be clearer, I just wanted to avoid bloating

>> the sockopt space. But there's not any scarcity.

>>

>> For reference tcp_md5 handles key deletion based on keylen == 0. This

>> seems wrong to me, an empty key is in fact valid though not realistic.

>>

>> If local_id is removed in favor of "full match on id and binding" then

>> the delete sockopt would still need most of a full struct

>> tcp_authopt_key anyway.

> 

> Sounds like a plan.

> 

> [..]>> I'm not sure what's the use of enum here, probably: > #define

>>> TCP_AUTHOPT_FLAG_REJECT_UNEXPECTED BIT(2)

>>

>> This is an enum because it looks nice in kernel-doc. I couldn't find a

>> way to attach docs to a macro and include it somewhere else.

> 

> Yeah, ok, seems like good justification.

> 

>> BTW, the enum gains more members later.

>>

>> As for BIT() it doesn't see to be allowed in uapi and there were recent

>> changes removing such usage.

> 

> Ok, I just saw it's still used in include/uapi, but not aware of the

> removal.

> 

>>

>>> [..]

>>>> +struct tcp_authopt_key {

>>>> +       /** @flags: Combination of &enum tcp_authopt_key_flag */

>>>> +       __u32   flags;

>>>> +       /** @local_id: Local identifier */

>>>> +       __u32   local_id;

>>>> +       /** @send_id: keyid value for send */

>>>> +       __u8    send_id;

>>>> +       /** @recv_id: keyid value for receive */

>>>> +       __u8    recv_id;

>>>> +       /** @alg: One of &enum tcp_authopt_alg */

>>>> +       __u8    alg;

>>>> +       /** @keylen: Length of the key buffer */

>>>> +       __u8    keylen;

>>>> +       /** @key: Secret key */

>>>> +       __u8    key[TCP_AUTHOPT_MAXKEYLEN];

>>>> +       /**

>>>> +        * @addr: Key is only valid for this address

>>>> +        *

>>>> +        * Ignored unless TCP_AUTHOPT_KEY_ADDR_BIND flag is set

>>>> +        */

>>>> +       struct __kernel_sockaddr_storage addr;

>>>> +};

>>>

>>> It'll be an ABI if this is accepted. As it is - it can't support

>>> RFC5925 fully.

>>> Extending syscall ABI is painful. I think, even the initial ABI *must*

>>> support

>>> all possible features of the RFC.

>>> In other words, there must be src_addr, src_port, dst_addr and dst_port.

>>> I can see from docs you've written you don't want to support a mix of

>>> different

>>> addr/port MKTs, so you can return -EINVAL or -ENOTSUPP for any value

>>> but zero.

>>> This will create an ABI that can be later extended to fully support RFC.

>>

>> RFC states that MKT connection identifiers can be specified using ranges

>> and wildcards and the details are up to the implementation. Keys are

>> *NOT* just bound to a classical TCP 4-tuple.

>>

>> * src_addr and src_port is implicit in socket binding. Maybe in theory

>> src_addr they could apply for a server socket bound to 0.0.0.0:PORT but

>> userspace can just open more sockets.

>> * dst_port is not supported by MD5 and I can't think of any useful

>> usecase. This is either well known (179 for BGP) or auto-allocated.

>> * tcp_md5 was recently enhanced allow a "prefixlen" for addr and

>> "l3mdev" ifindex binding.

>>

>> This last point shows that the binding features people require can't be

>> easily predicted in advance so it's better to allow the rules to be

>> extended.

> 

> Yeah, I see both changes you mention went on easy way as they reused

> existing paddings in the ABI structures.

> Ok, if you don't want to reserve src_addr/src_port/dst_addr/dst_port,

> than how about reserving some space for those instead?

> 

>>> The same is about key: I don't think you need to define/use

>>> tcp_authopt_alg.

>>> Just use algo name - that way TCP-AO will automatically be able to use

>>> any algo supported by crypto engine.

>>> See how xfrm does it, e.g.:

>>> struct xfrm_algo_auth {

>>>      char        alg_name[64];

>>>      unsigned int    alg_key_len;    /* in bits */

>>>      unsigned int    alg_trunc_len;  /* in bits */

>>>      char        alg_key[0];

>>> };

>>>

>>> So you can let a user chose maclen instead of hard-coding it.

>>> Much more extendable than what you propose.

>>

>> This complicates ABI and implementation with features that are not

>> needed. I'd much rather only expose an enum of real-world tcp-ao

>> algorithms.

> 

> I see it exactly the opposite way: a new enum unnecessary complicates

> ABI, instead of passing alg_name[] to crypto engine. No need to add any

> support in tcp-ao as the algorithms are already provided by kernel.

> That is how it transparently works for ipsec, why not for tcp-ao?

> 

>>

>>> [..]

>>>> +#ifdef CONFIG_TCP_AUTHOPT

>>>> +       case TCP_AUTHOPT: {

>>>> +               struct tcp_authopt info;

>>>> +

>>>> +               if (get_user(len, optlen))

>>>> +                       return -EFAULT;

>>>> +

>>>> +               lock_sock(sk);

>>>> +               tcp_get_authopt_val(sk, &info);

>>>> +               release_sock(sk);

>>>> +

>>>> +               len = min_t(unsigned int, len, sizeof(info));

>>>> +               if (put_user(len, optlen))

>>>> +                       return -EFAULT;

>>>> +               if (copy_to_user(optval, &info, len))

>>>> +                       return -EFAULT;

>>>> +               return 0;

>>>> +       }

>>>

>>> I'm pretty sure it's not a good choice to write partly tcp_authopt.

>>> And a user has no way to check what's the correct len on this kernel.

>>> Instead of len = min_t(unsigned int, len, sizeof(info)), it should be

>>> if (len != sizeof(info))

>>>      return -EINVAL;

>>

>> Purpose is to allow sockopts to grow as md5 has grown.

> 

> md5 has not grown. See above.


MD5 uapi has - e.g., 8917a777be3ba and  6b102db50cdde. We want similar
capabilities for growth with this API.

> 

> Another issue with your approach

> 

> +       /* If userspace optlen is too short fill the rest with zeros */

> +       if (optlen > sizeof(opt))

> +               return -EINVAL;

> +       memset(&opt, 0, sizeof(opt));

> +       if (copy_from_sockptr(&opt, optval, optlen))

> +               return -EFAULT;

> 

> is that userspace compiled with updated/grew structure will fail on

> older kernel. So, no extension without breaking something is possible.

> Which also reminds me that currently you don't validate (opt.flags) for

> unknown by kernel flags.

> 

> Extending syscalls is impossible without breaking userspace if ABI is

> not designed with extensibility in mind. That was quite a big problem,

> and still is. Please, read this carefully:

> https://lwn.net/Articles/830666/

> 

> That is why I'm suggesting you all those changes that will be harder to

> fix when/if your patches get accepted.

> As an example how it should work see in copy_clone_args_from_user().

> 


Look at how TCP_ZEROCOPY_RECEIVE has grown over releases as an example
of how to properly handle this.

On 11.08.2021 17:31, Dmitry Safonov wrote:
> On 8/11/21 9:29 AM, Leonard Crestez wrote:

>> On 8/10/21 11:41 PM, Dmitry Safonov wrote:

>>> I wonder if it's also worth saving some bytes by something like

>>> struct tcp_ao_key *key;

>>>

>>> With

>>> struct tcp_ao_key {

>>>         u8 keylen;

>>>         u8 key[0];

>>> };

>>>

>>> Hmm?

>>

>> This increases memory management complexity for very minor gains. Very

>> few tcp_authopt_key will ever be created.

> 

> The change doesn't seem to be big, like:

> --- a/net/ipv4/tcp_authopt.c

> +++ b/net/ipv4/tcp_authopt.c

> @@ -422,8 +422,16 @@ int tcp_set_authopt_key(struct sock *sk, sockptr_t

> optval, unsig>

>          key_info = __tcp_authopt_key_info_lookup(sk, info, opt.local_id);

>          if (key_info)

>                  tcp_authopt_key_del(sk, info, key_info);

> +

> +       key = sock_kmalloc(sk, sizeof(*key) + opt.keylen, GFP_KERNEL |

> __GFP_ZERO);

> +       if (!key) {

> +               tcp_authopt_alg_release(alg);

> +               return -ENOMEM;

> +       }

> +

>          key_info = sock_kmalloc(sk, sizeof(*key_info), GFP_KERNEL |

> __GFP_ZERO);

>          if (!key_info) {

> +               sock_kfree_s(sk, key, sizeof(*key) + opt.keylen);

>                  tcp_authopt_alg_release(alg);

>                  return -ENOMEM;

>          }

> 

> I don't know, probably it'll be enough for every user to limit their

> keys by length of 80, but if one day it won't be enough - this ABI will

> be painful to extend.


struct tcp_authopt_key also needs to be modified and a separate 
copy_from_user is required. It's not very complicated but not very 
useful either.

>>>> +struct tcp_authopt_key {

>>>> +       /** @flags: Combination of &enum tcp_authopt_key_flag */

>>>> +       __u32   flags;

>>>> +       /** @local_id: Local identifier */

>>>> +       __u32   local_id;

>>>> +       /** @send_id: keyid value for send */

>>>> +       __u8    send_id;

>>>> +       /** @recv_id: keyid value for receive */

>>>> +       __u8    recv_id;

>>>> +       /** @alg: One of &enum tcp_authopt_alg */

>>>> +       __u8    alg;

>>>> +       /** @keylen: Length of the key buffer */

>>>> +       __u8    keylen;

>>>> +       /** @key: Secret key */

>>>> +       __u8    key[TCP_AUTHOPT_MAXKEYLEN];

>>>> +       /**

>>>> +        * @addr: Key is only valid for this address

>>>> +        *

>>>> +        * Ignored unless TCP_AUTHOPT_KEY_ADDR_BIND flag is set

>>>> +        */

>>>> +       struct __kernel_sockaddr_storage addr;

>>>> +};

>>>

>>> It'll be an ABI if this is accepted. As it is - it can't support

>>> RFC5925 fully.

>>> Extending syscall ABI is painful. I think, even the initial ABI *must*

>>> support

>>> all possible features of the RFC.

>>> In other words, there must be src_addr, src_port, dst_addr and dst_port.

>>> I can see from docs you've written you don't want to support a mix of

>>> different

>>> addr/port MKTs, so you can return -EINVAL or -ENOTSUPP for any value

>>> but zero.

>>> This will create an ABI that can be later extended to fully support RFC.

>>

>> RFC states that MKT connection identifiers can be specified using ranges

>> and wildcards and the details are up to the implementation. Keys are

>> *NOT* just bound to a classical TCP 4-tuple.

>>

>> * src_addr and src_port is implicit in socket binding. Maybe in theory

>> src_addr they could apply for a server socket bound to 0.0.0.0:PORT but

>> userspace can just open more sockets.

>> * dst_port is not supported by MD5 and I can't think of any useful

>> usecase. This is either well known (179 for BGP) or auto-allocated.

>> * tcp_md5 was recently enhanced allow a "prefixlen" for addr and

>> "l3mdev" ifindex binding.

>>

>> This last point shows that the binding features people require can't be

>> easily predicted in advance so it's better to allow the rules to be

>> extended.

> 

> Yeah, I see both changes you mention went on easy way as they reused

> existing paddings in the ABI structures.

> Ok, if you don't want to reserve src_addr/src_port/dst_addr/dst_port,

> than how about reserving some space for those instead?


My idea was that each additional binding featurs can be added as a new 
bit flag in tcp_authopt_key_flag and the structure extended. Older 
applications won't pass the flag and kernel will silently accept the 
shorter optval and you get compatibility.

As far as I can tell MD5 supports binding in 3 ways:

1) By dst ip address
2) By dst ip address and prefixlen
3) By ifindex for vrfs

Current version of tcp_authopt only supports (1) but I think adding the 
other methods isn't actually difficult at all.

I'd rather not guess at future features by adding unused fields.

>>> The same is about key: I don't think you need to define/use

>>> tcp_authopt_alg.

>>> Just use algo name - that way TCP-AO will automatically be able to use

>>> any algo supported by crypto engine.

>>> See how xfrm does it, e.g.:

>>> struct xfrm_algo_auth {

>>>       char        alg_name[64];

>>>       unsigned int    alg_key_len;    /* in bits */

>>>       unsigned int    alg_trunc_len;  /* in bits */

>>>       char        alg_key[0];

>>> };

>>>

>>> So you can let a user chose maclen instead of hard-coding it.

>>> Much more extendable than what you propose.

>>

>> This complicates ABI and implementation with features that are not

>> needed. I'd much rather only expose an enum of real-world tcp-ao

>> algorithms.

> 

> I see it exactly the opposite way: a new enum unnecessary complicates

> ABI, instead of passing alg_name[] to crypto engine. No need to add any

> support in tcp-ao as the algorithms are already provided by kernel.

> That is how it transparently works for ipsec, why not for tcp-ao?


The TCP Authentication Option standard has been out there for many many 
years now and alternative algorithms are not widely used. I think cisco 
has a third algorithm? What you're asking for is a large extension of 
the IETF standard.

If you look at the rest of this series I had a lot of trouble with 
crypto tfm allocation context so I had to create per-cpu pool, similar 
to tcp-md5. Should I potentially create a pool for each alg known to 
crypto-api?

Letting use control algorithms and traffickey and mac lengths creates 
new potential avenues for privilege escalation that need to be checked.

As much as possible I would like to avoid exposing the linux crypto api 
through TCP sockopts.

I was also thinking of having a non-namespaced sysctl to disable 
tcp_authopt by default for security reasons. Unless you're running a 
router you should never let userspace touch these options.

>>> [..]

>>>> +#ifdef CONFIG_TCP_AUTHOPT

>>>> +       case TCP_AUTHOPT: {

>>>> +               struct tcp_authopt info;

>>>> +

>>>> +               if (get_user(len, optlen))

>>>> +                       return -EFAULT;

>>>> +

>>>> +               lock_sock(sk);

>>>> +               tcp_get_authopt_val(sk, &info);

>>>> +               release_sock(sk);

>>>> +

>>>> +               len = min_t(unsigned int, len, sizeof(info));

>>>> +               if (put_user(len, optlen))

>>>> +                       return -EFAULT;

>>>> +               if (copy_to_user(optval, &info, len))

>>>> +                       return -EFAULT;

>>>> +               return 0;

>>>> +       }

>>>

>>> I'm pretty sure it's not a good choice to write partly tcp_authopt.

>>> And a user has no way to check what's the correct len on this kernel.

>>> Instead of len = min_t(unsigned int, len, sizeof(info)), it should be

>>> if (len != sizeof(info))

>>>       return -EINVAL;

>>

>> Purpose is to allow sockopts to grow as md5 has grown.

> 

> md5 has not grown. See above.

> 

> Another issue with your approach

> 

> +       /* If userspace optlen is too short fill the rest with zeros */

> +       if (optlen > sizeof(opt))

> +               return -EINVAL;

> +       memset(&opt, 0, sizeof(opt));

> +       if (copy_from_sockptr(&opt, optval, optlen))

> +               return -EFAULT;

> 

> is that userspace compiled with updated/grew structure will fail on

> older kernel. So, no extension without breaking something is possible.


Userspace that needs new features and also compatibility with older 
kernels could check something like uname.

I think this is already a problem with md5: passing 
TCP_MD5SIG_FLAG_PREFIX on an old kernel simply won't take effect and 
that's fine.

The bigger concern is to ensure that old binaries work without changes.

> Which also reminds me that currently you don't validate (opt.flags) for

> unknown by kernel flags.


Not sure what you mean, it is explicitly only known flags that are 
copied from userspace. I can make setsockopt return an error on unknown 
flags, this will make new apps fail more explicitly on old kernels.

> Extending syscalls is impossible without breaking userspace if ABI is

> not designed with extensibility in mind. That was quite a big problem,

> and still is. Please, read this carefully:

> https://lwn.net/Articles/830666/

> 

> That is why I'm suggesting you all those changes that will be harder to

> fix when/if your patches get accepted.


Both of the sockopt structs have a "flags" field and structure expansion 
will be accompanied by new flags. Is this not sufficient for compatibility?

On 11.08.2021 16:42, David Ahern wrote:
> On 8/11/21 2:29 AM, Leonard Crestez wrote:

>> On 8/10/21 11:41 PM, Dmitry Safonov wrote:

>>> Hi Leonard,

>>>

>>> On Tue, 10 Aug 2021 at 02:50, Leonard Crestez <cdleonard@gmail.com>

>>> wrote:

>>> [..]

>>>> +/* Representation of a Master Key Tuple as per RFC5925 */

>>>> +struct tcp_authopt_key_info {

>>>> +       struct hlist_node node;

>>>> +       /* Local identifier */

>>>> +       u32 local_id;

>>>

>>> There is no local_id in RFC5925, what's that?

>>> An MKT is identified by (send_id, recv_id), together with

>>> (src_addr/src_port, dst_addr/dst_port).

>>> Why introducing something new to already complicated RFC?

>>

>> It was there to simplify user interface and initial implementation.

>>

>> But it seems that BGP listeners already needs to support multiple

>> keychains for different peers so identifying the key by (send_id,

>> recv_id, binding) is easier for userspace to work with. Otherwise they

>> need to create their own local_id mapping internally.

>>

> 

> any proposed simplification needs to be well explained and how it

> relates to the RFC spec.


The local_id only exists between userspace and kernel so it's not really 
covered by the RFC.

There are objections to this and it seems to be unhelpful for userspace 
zo I will replace it with match by binding.

BTW: another somewhat dubious simplification is that I offloaded the RFC 
requirement to never add overlapping keys to userspace. So if userspace 
adds keys with same recvid that match the same TCP 4-tuple then 
connections will just start failing.

It's arguably fine to allow userspace misconfiguration to cause failures.

--
Regards,
Leonard

Hi David,

On 8/11/21 6:15 PM, David Ahern wrote:
> On 8/11/21 8:31 AM, Dmitry Safonov wrote:

>> On 8/11/21 9:29 AM, Leonard Crestez wrote:

>>> On 8/10/21 11:41 PM, Dmitry Safonov wrote:

[..]
>>>> I'm pretty sure it's not a good choice to write partly tcp_authopt.

>>>> And a user has no way to check what's the correct len on this kernel.

>>>> Instead of len = min_t(unsigned int, len, sizeof(info)), it should be

>>>> if (len != sizeof(info))

>>>>      return -EINVAL;

>>>

>>> Purpose is to allow sockopts to grow as md5 has grown.

>>

>> md5 has not grown. See above.

> 

> MD5 uapi has - e.g., 8917a777be3ba and  6b102db50cdde. We want similar

> capabilities for growth with this API.


So, you mean adding a new setsockopt when the struct has to be extended?
Like TCP_AUTHOPT_EXT?

It can work, but sounds like adding a new syscall every time the old one
can't be extended. I can see that with current limitations on TCP-AO RFC
the ABI in these patches will have to be extended.

The second commit started using new cmd.tcpm_flags, where unknown flags
are still at this moment silently ignored by the kernel. So 6b102db50cdd
could have introduced a regression in userspace. By luck and by reason
that md5 isn't probably frequently used it didn't.
Not nice at all example for newer APIs.

>> Another issue with your approach

>>

>> +       /* If userspace optlen is too short fill the rest with zeros */

>> +       if (optlen > sizeof(opt))

>> +               return -EINVAL;

>> +       memset(&opt, 0, sizeof(opt));

>> +       if (copy_from_sockptr(&opt, optval, optlen))

>> +               return -EFAULT;

>>

>> is that userspace compiled with updated/grew structure will fail on

>> older kernel. So, no extension without breaking something is possible.

>> Which also reminds me that currently you don't validate (opt.flags) for

>> unknown by kernel flags.

>>

>> Extending syscalls is impossible without breaking userspace if ABI is

>> not designed with extensibility in mind. That was quite a big problem,

>> and still is. Please, read this carefully:

>> https://lwn.net/Articles/830666/

>>

>> That is why I'm suggesting you all those changes that will be harder to

>> fix when/if your patches get accepted.

>> As an example how it should work see in copy_clone_args_from_user().

>>

> 

> Look at how TCP_ZEROCOPY_RECEIVE has grown over releases as an example

> of how to properly handle this.


Exactly.

: switch (len) {
:		case offsetofend(...)
:		case offsetofend(...)

And than also:
:		if (unlikely(len > sizeof(zc))) {
:			err = check_zeroed_user(optval + sizeof(zc),
:						len - sizeof(zc));

Does it sound similar to what I've written in my ABI review?
And what the LWN article has in it.
Please, look again at the patch I replied to.

Thanks,
         Dmitry

On 8/11/21 2:12 PM, Dmitry Safonov wrote:
> Hi David,

> 

> On 8/11/21 6:15 PM, David Ahern wrote:

>> On 8/11/21 8:31 AM, Dmitry Safonov wrote:

>>> On 8/11/21 9:29 AM, Leonard Crestez wrote:

>>>> On 8/10/21 11:41 PM, Dmitry Safonov wrote:

> [..]

>>>>> I'm pretty sure it's not a good choice to write partly tcp_authopt.

>>>>> And a user has no way to check what's the correct len on this kernel.

>>>>> Instead of len = min_t(unsigned int, len, sizeof(info)), it should be

>>>>> if (len != sizeof(info))

>>>>>      return -EINVAL;

>>>>

>>>> Purpose is to allow sockopts to grow as md5 has grown.

>>>

>>> md5 has not grown. See above.

>>

>> MD5 uapi has - e.g., 8917a777be3ba and  6b102db50cdde. We want similar

>> capabilities for growth with this API.

> 

> So, you mean adding a new setsockopt when the struct has to be extended?

> Like TCP_AUTHOPT_EXT?


uh, no. That was needed because of failures with the original
implementation wrt checking that all unused bits are 0. If checking is
not done from day 1, that field can never be used in the future.

My point here was only that MD5 uapi was extended.

My second point is more relevant to Leonard as a very recent example of
how to build an extendable struct.


>>

>> Look at how TCP_ZEROCOPY_RECEIVE has grown over releases as an example

>> of how to properly handle this.

> 

> Exactly.

> 

> : switch (len) {

> :		case offsetofend(...)

> :		case offsetofend(...)

> 

> And than also:

> :		if (unlikely(len > sizeof(zc))) {

> :			err = check_zeroed_user(optval + sizeof(zc),

> :						len - sizeof(zc));

> 

> Does it sound similar to what I've written in my ABI review?

> And what the LWN article has in it.

> Please, look again at the patch I replied to.

> 

> Thanks,

>          Dmitry

>

On 8/11/21 8:11 PM, Leonard Crestez wrote:
> On 11.08.2021 16:42, David Ahern wrote:

[..]
>>

>> any proposed simplification needs to be well explained and how it

>> relates to the RFC spec.

> 

> The local_id only exists between userspace and kernel so it's not really

> covered by the RFC.

> 

> There are objections to this and it seems to be unhelpful for userspace

> zo I will replace it with match by binding.

> 

> BTW: another somewhat dubious simplification is that I offloaded the RFC

> requirement to never add overlapping keys to userspace. So if userspace

> adds keys with same recvid that match the same TCP 4-tuple then

> connections will just start failing.

> 

> It's arguably fine to allow userspace misconfiguration to cause failures.


I think it's fine. But worth documenting. Also, keep in mind that
someone in userspace with his funny ideas might start relying on such
behavior in future.

Thanks,
        Dmitry

On 8/11/21 1:11 PM, Leonard Crestez wrote:
> On 11.08.2021 16:42, David Ahern wrote:

>> On 8/11/21 2:29 AM, Leonard Crestez wrote:

>>> On 8/10/21 11:41 PM, Dmitry Safonov wrote:

>>>> Hi Leonard,

>>>>

>>>> On Tue, 10 Aug 2021 at 02:50, Leonard Crestez <cdleonard@gmail.com>

>>>> wrote:

>>>> [..]

>>>>> +/* Representation of a Master Key Tuple as per RFC5925 */

>>>>> +struct tcp_authopt_key_info {

>>>>> +       struct hlist_node node;

>>>>> +       /* Local identifier */

>>>>> +       u32 local_id;

>>>>

>>>> There is no local_id in RFC5925, what's that?

>>>> An MKT is identified by (send_id, recv_id), together with

>>>> (src_addr/src_port, dst_addr/dst_port).

>>>> Why introducing something new to already complicated RFC?

>>>

>>> It was there to simplify user interface and initial implementation.

>>>

>>> But it seems that BGP listeners already needs to support multiple

>>> keychains for different peers so identifying the key by (send_id,

>>> recv_id, binding) is easier for userspace to work with. Otherwise they

>>> need to create their own local_id mapping internally.

>>>

>>

>> any proposed simplification needs to be well explained and how it

>> relates to the RFC spec.

> 

> The local_id only exists between userspace and kernel so it's not really

> covered by the RFC.


My point is that you need to document the uapi (however it ends up) and
how it is used to achieve the intent of the RFC.

> 

> There are objections to this and it seems to be unhelpful for userspace

> zo I will replace it with match by binding.

> 

> BTW: another somewhat dubious simplification is that I offloaded the RFC

> requirement to never add overlapping keys to userspace. So if userspace

> adds keys with same recvid that match the same TCP 4-tuple then

> connections will just start failing.

> 

> It's arguably fine to allow userspace misconfiguration to cause failures.

> 

> -- 

> Regards,

> Leonard

On 8/11/21 11:29 AM, Leonard Crestez wrote:
> On 8/10/21 11:41 PM, Dmitry Safonov wrote:

>> On Tue, 10 Aug 2021 at 02:50, Leonard Crestez <cdleonard@gmail.com> 

>>> +       /* If an old value exists for same local_id it is deleted */

>>> +       key_info = __tcp_authopt_key_info_lookup(sk, info, 

>>> opt.local_id);

>>> +       if (key_info)

>>> +               tcp_authopt_key_del(sk, info, key_info);

>>> +       key_info = sock_kmalloc(sk, sizeof(*key_info), GFP_KERNEL | 

>>> __GFP_ZERO);

>>> +       if (!key_info)

>>> +               return -ENOMEM;

>>

>> 1. You don't need sock_kmalloc() together with tcp_authopt_key_del().

>>      It just frees the memory and allocates it back straight away - no

>> sense in doing that.

> 

> The list is scanned in multiple places in later commits using nothing 

> but an rcu_read_lock, this means that keys can't be updated in-place.

> 

>> 2. I think RFC says you must not allow a user to change an existing key:

>>> MKT parameters are not changed. Instead, new MKTs can be installed, 

>>> and a connection

>>> can change which MKT it uses.

>>

>> IIUC, it means that one can't just change an existing MKT, but one can

>> remove and later

>> add MKT with the same (send_id, recv_id, src_addr/port, dst_addr/port).

>>

>> So, a reasonable thing to do:

>> if (key_info)

>>      return -EEXIST.

> 

> You're right, making the user delete keys explicitly is better.


On a second thought this might be required to mark keys as "send-only" 
and "recv-only" atomically.

Separately from RFC5925 some vendors implement a "keychain" model based 
on RFC8177 where each key has a distinct "accept-lifetime" and a 
"send-lifetime". This could be implemented by adding flags 
"expired_for_send" and "expired_for_recv" but requires the ability to 
set an expiration mark without the key ever being deleted.

--
Regards,
Leonard