[v7,15/26] tcp: authopt: Add NOSEND/NORECV flags

Message ID	747981be06c06a5415d22cbd29a9b7c03706a913.1660852705.git.cdleonard@gmail.com
State	New
Headers	show Return-Path: <linux-crypto-owner@kernel.org> From: Leonard Crestez <cdleonard@gmail.com> To: David Ahern <dsahern@kernel.org>, Eric Dumazet <edumazet@google.com>, Philip Paeps <philip@trouble.is> Cc: Dmitry Safonov <0x7f454c46@gmail.com>, Shuah Khan <shuah@kernel.org>, "David S. Miller" <davem@davemloft.net>, Herbert Xu <herbert@gondor.apana.org.au>, Kuniyuki Iwashima <kuniyu@amazon.co.jp>, Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>, Jakub Kicinski <kuba@kernel.org>, Yuchung Cheng <ycheng@google.com>, Francesco Ruggeri <fruggeri@arista.com>, Mat Martineau <mathew.j.martineau@linux.intel.com>, Christoph Paasch <cpaasch@apple.com>, Ivan Delalande <colona@arista.com>, Caowangbao <caowangbao@huawei.com>, Priyaranjan Jha <priyarjha@google.com>, netdev@vger.kernel.org, linux-crypto@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH v7 15/26] tcp: authopt: Add NOSEND/NORECV flags Date: Thu, 18 Aug 2022 22:59:49 +0300 Message-Id: <747981be06c06a5415d22cbd29a9b7c03706a913.1660852705.git.cdleonard@gmail.com> In-Reply-To: <cover.1660852705.git.cdleonard@gmail.com> References: <cover.1660852705.git.cdleonard@gmail.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	tcp: Initial support for RFC5925 auth option \| expand [v7,00/26] tcp: Initial support for RFC5925 auth option [v7,01/26] tcp: authopt: Initial support and key management [v7,02/26] docs: Add user documentation for tcp_authopt [v7,03/26] tcp: authopt: Add crypto initialization [v7,04/26] tcp: Refactor tcp_sig_hash_skb_data for AO [v7,05/26] tcp: authopt: Compute packet signatures [v7,06/26] tcp: Refactor tcp_inbound_md5_hash into tcp_inbound_sig_hash [v7,07/26] tcp: authopt: Hook into tcp core [v7,08/26] tcp: authopt: Disable via sysctl by default [v7,09/26] tcp: authopt: Implement Sequence Number Extension [v7,10/26] tcp: ipv6: Add AO signing for tcp_v6_send_response [v7,11/26] tcp: authopt: Add support for signing skb-less replies [v7,12/26] tcp: ipv4: Add AO signing for skb-less replies [v7,13/26] tcp: authopt: Add key selection controls [v7,14/26] tcp: authopt: Add initial l3index support [v7,15/26] tcp: authopt: Add NOSEND/NORECV flags [v7,16/26] tcp: authopt: Add prefixlen support [v7,17/26] tcp: authopt: Add v4mapped ipv6 address support [v7,18/26] tcp: authopt: Add /proc/net/tcp_authopt listing all keys [v7,19/26] selftests: nettest: Rename md5_prefix to key_addr_prefix [v7,20/26] selftests: nettest: Initial tcp_authopt support [v7,21/26] selftests: net/fcnal: Initial tcp_authopt support [v7,22/26] tcp: authopt: Try to respect rnextkeyid from SYN on SYNACK [v7,23/26] tcp: authopt: tcp_authopt_lookup_send: Add anykey output param [v7,24/26] tcp: authopt: Initial support for TCP_AUTHOPT_FLAG_ACTIVE [v7,25/26] tcp: authopt: If no keys are valid for send report an error [v7,26/26] tcp: authopt: Initial implementation of TCP_REPAIR_AUTHOPT

Message ID

747981be06c06a5415d22cbd29a9b7c03706a913.1660852705.git.cdleonard@gmail.com

State

New

Headers

From: Leonard Crestez <cdleonard@gmail.com>
To: David Ahern <dsahern@kernel.org>,
        Eric Dumazet <edumazet@google.com>,
        Philip Paeps <philip@trouble.is>
Cc: Dmitry Safonov <0x7f454c46@gmail.com>,
        Shuah Khan <shuah@kernel.org>,
        "David S. Miller" <davem@davemloft.net>,
        Herbert Xu <herbert@gondor.apana.org.au>,
        Kuniyuki Iwashima <kuniyu@amazon.co.jp>,
        Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>,
        Jakub Kicinski <kuba@kernel.org>,
        Yuchung Cheng <ycheng@google.com>,
        Francesco Ruggeri <fruggeri@arista.com>,
        Mat Martineau <mathew.j.martineau@linux.intel.com>,
        Christoph Paasch <cpaasch@apple.com>,
        Ivan Delalande <colona@arista.com>,
        Caowangbao <caowangbao@huawei.com>,
        Priyaranjan Jha <priyarjha@google.com>, netdev@vger.kernel.org,
        linux-crypto@vger.kernel.org, linux-kselftest@vger.kernel.org,
        linux-kernel@vger.kernel.org
Subject: [PATCH v7 15/26] tcp: authopt: Add NOSEND/NORECV flags
Date: Thu, 18 Aug 2022 22:59:49 +0300
Message-Id: 
 <747981be06c06a5415d22cbd29a9b7c03706a913.1660852705.git.cdleonard@gmail.com>
In-Reply-To: <cover.1660852705.git.cdleonard@gmail.com>
References: <cover.1660852705.git.cdleonard@gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

tcp: Initial support for RFC5925 auth option | expand

Commit Message

Leonard Crestez Aug. 18, 2022, 7:59 p.m. UTC

Add flags to allow marking individual keys and invalid for send or recv.
Making keys assymetric this way is not mentioned in RFC5925 but RFC8177
requires that keys inside a keychain have independent "accept" and
"send" lifetimes.

Flag names are negative so that the default behavior is for keys to be
valid for both send and recv.

Setting both NOSEND and NORECV for a certain peer address can be used on
a listen socket can be used to mean "TCP-AO is required from this peer
but no keys are currently valid".

Signed-off-by: Leonard Crestez <cdleonard@gmail.com>
---
 include/uapi/linux/tcp.h | 4 ++++
 net/ipv4/tcp_authopt.c   | 9 ++++++++-
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/include/uapi/linux/tcp.h b/include/uapi/linux/tcp.h
index a7f5f918ed5a..ed27feb93b0e 100644
--- a/include/uapi/linux/tcp.h
+++ b/include/uapi/linux/tcp.h
@@ -401,16 +401,20 @@  struct tcp_authopt {
  *
  * @TCP_AUTHOPT_KEY_DEL: Delete the key and ignore non-id fields
  * @TCP_AUTHOPT_KEY_EXCLUDE_OPTS: Exclude TCP options from signature
  * @TCP_AUTHOPT_KEY_ADDR_BIND: Key only valid for `tcp_authopt.addr`
  * @TCP_AUTHOPT_KEY_IFINDEX: Key only valid for `tcp_authopt.ifindex`
+ * @TCP_AUTHOPT_KEY_NOSEND: Key invalid for send (expired)
+ * @TCP_AUTHOPT_KEY_NORECV: Key invalid for recv (expired)
  */
 enum tcp_authopt_key_flag {
 	TCP_AUTHOPT_KEY_DEL = (1 << 0),
 	TCP_AUTHOPT_KEY_EXCLUDE_OPTS = (1 << 1),
 	TCP_AUTHOPT_KEY_ADDR_BIND = (1 << 2),
 	TCP_AUTHOPT_KEY_IFINDEX = (1 << 3),
+	TCP_AUTHOPT_KEY_NOSEND = (1 << 4),
+	TCP_AUTHOPT_KEY_NORECV = (1 << 5),
 };
 
 /**
  * enum tcp_authopt_alg - Algorithms for TCP Authentication Option
  */
diff --git a/net/ipv4/tcp_authopt.c b/net/ipv4/tcp_authopt.c
index bb26fb1c8af2..0ead961fcfe0 100644
--- a/net/ipv4/tcp_authopt.c
+++ b/net/ipv4/tcp_authopt.c
@@ -374,10 +374,12 @@  static struct tcp_authopt_key_info *tcp_authopt_lookup_send(struct netns_tcp_aut
 	int l3index = -1;
 
 	hlist_for_each_entry_rcu(key, &net->head, node, 0) {
 		if (send_id >= 0 && key->send_id != send_id)
 			continue;
+		if (key->flags & TCP_AUTHOPT_KEY_NOSEND)
+			continue;
 		if (key->flags & TCP_AUTHOPT_KEY_ADDR_BIND)
 			if (!tcp_authopt_key_match_sk_addr(key, addr_sk))
 				continue;
 		if (key->flags & TCP_AUTHOPT_KEY_IFINDEX) {
 			if (l3index < 0)
@@ -623,11 +625,13 @@  int tcp_get_authopt_val(struct sock *sk, struct tcp_authopt *opt)
 
 #define TCP_AUTHOPT_KEY_KNOWN_FLAGS ( \
 	TCP_AUTHOPT_KEY_DEL | \
 	TCP_AUTHOPT_KEY_EXCLUDE_OPTS | \
 	TCP_AUTHOPT_KEY_ADDR_BIND | \
-	TCP_AUTHOPT_KEY_IFINDEX)
+	TCP_AUTHOPT_KEY_IFINDEX | \
+	TCP_AUTHOPT_KEY_NOSEND | \
+	TCP_AUTHOPT_KEY_NORECV)
 
 int tcp_set_authopt_key(struct sock *sk, sockptr_t optval, unsigned int optlen)
 {
 	struct tcp_authopt_key opt;
 	struct tcp_authopt_info *info;
@@ -1534,10 +1538,13 @@  static struct tcp_authopt_key_info *tcp_authopt_lookup_recv(struct sock *sk,
 
 			if (l3index != key->l3index)
 				continue;
 		}
 		*anykey = true;
+		// If only keys with norecv flag are present still consider that
+		if (key->flags & TCP_AUTHOPT_KEY_NORECV)
+			continue;
 		if (recv_id >= 0 && key->recv_id != recv_id)
 			continue;
 		if (better_key_match(result, key))
 			result = key;
 		else if (result)

[v7,15/26] tcp: authopt: Add NOSEND/NORECV flags

Commit Message

Patch