[v8,18/26] tcp: authopt: Add v4mapped ipv6 address support

Message ID	2830d885ea3ab71db10a5ca7f28e1c5556e32d43.1662361354.git.cdleonard@gmail.com
State	New
Headers	show Return-Path: <linux-crypto-owner@kernel.org> From: Leonard Crestez <cdleonard@gmail.com> To: David Ahern <dsahern@kernel.org>, Eric Dumazet <edumazet@google.com>, Dmitry Safonov <0x7f454c46@gmail.com> Cc: Francesco Ruggeri <fruggeri@arista.com>, Salam Noureddine <noureddine@arista.com>, Philip Paeps <philip@trouble.is>, Shuah Khan <shuah@kernel.org>, "David S. Miller" <davem@davemloft.net>, Herbert Xu <herbert@gondor.apana.org.au>, Kuniyuki Iwashima <kuniyu@amazon.co.jp>, Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>, Jakub Kicinski <kuba@kernel.org>, Yuchung Cheng <ycheng@google.com>, Mat Martineau <mathew.j.martineau@linux.intel.com>, Christoph Paasch <cpaasch@apple.com>, Ivan Delalande <colona@arista.com>, Caowangbao <caowangbao@huawei.com>, Priyaranjan Jha <priyarjha@google.com>, netdev@vger.kernel.org, linux-crypto@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH v8 18/26] tcp: authopt: Add v4mapped ipv6 address support Date: Mon, 5 Sep 2022 10:05:54 +0300 Message-Id: <2830d885ea3ab71db10a5ca7f28e1c5556e32d43.1662361354.git.cdleonard@gmail.com> In-Reply-To: <cover.1662361354.git.cdleonard@gmail.com> References: <cover.1662361354.git.cdleonard@gmail.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	tcp: Initial support for RFC5925 auth option \| expand [v8,00/26] tcp: Initial support for RFC5925 auth option [v8,01/26] tcp: authopt: Initial support and key management [v8,02/26] docs: Add user documentation for tcp_authopt [v8,03/26] tcp: authopt: Add crypto initialization [v8,04/26] tcp: Refactor tcp_sig_hash_skb_data for AO [v8,05/26] tcp: authopt: Compute packet signatures [v8,06/26] tcp: Refactor tcp_inbound_md5_hash into tcp_inbound_sig_hash [v8,07/26] tcp: authopt: Hook into tcp core [v8,08/26] tcp: authopt: Disable via sysctl by default [v8,09/26] tcp: authopt: Implement Sequence Number Extension [v8,10/26] tcp: ipv6: Add AO signing for tcp_v6_send_response [v8,11/26] tcp: authopt: Add support for signing skb-less replies [v8,12/26] tcp: ipv4: Add AO signing for skb-less replies [v8,13/26] tcp: authopt: Add NOSEND/NORECV flags [v8,14/26] tcp: authopt: Add initial l3index support [v8,15/26] tcp: authopt: Add prefixlen support [v8,16/26] tcp: authopt: Add send/recv lifetime support [v8,17/26] tcp: authopt: Add key selection controls [v8,18/26] tcp: authopt: Add v4mapped ipv6 address support [v8,19/26] tcp: authopt: Add /proc/net/tcp_authopt listing all keys [v8,20/26] tcp: authopt: If no keys are valid for send report an error [v8,21/26] tcp: authopt: Try to respect rnextkeyid from SYN on SYNACK [v8,22/26] tcp: authopt: Initial support for TCP_AUTHOPT_FLAG_ACTIVE [v8,23/26] tcp: authopt: Initial implementation of TCP_REPAIR_AUTHOPT [v8,24/26] selftests: nettest: Rename md5_prefix to key_addr_prefix [v8,25/26] selftests: nettest: Initial tcp_authopt support [v8,26/26] selftests: net/fcnal: Initial tcp_authopt support

Message ID

2830d885ea3ab71db10a5ca7f28e1c5556e32d43.1662361354.git.cdleonard@gmail.com

State

New

Headers

From: Leonard Crestez <cdleonard@gmail.com>
To: David Ahern <dsahern@kernel.org>,
        Eric Dumazet <edumazet@google.com>,
        Dmitry Safonov <0x7f454c46@gmail.com>
Cc: Francesco Ruggeri <fruggeri@arista.com>,
        Salam Noureddine <noureddine@arista.com>,
        Philip Paeps <philip@trouble.is>,
        Shuah Khan <shuah@kernel.org>,
        "David S. Miller" <davem@davemloft.net>,
        Herbert Xu <herbert@gondor.apana.org.au>,
        Kuniyuki Iwashima <kuniyu@amazon.co.jp>,
        Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>,
        Jakub Kicinski <kuba@kernel.org>,
        Yuchung Cheng <ycheng@google.com>,
        Mat Martineau <mathew.j.martineau@linux.intel.com>,
        Christoph Paasch <cpaasch@apple.com>,
        Ivan Delalande <colona@arista.com>,
        Caowangbao <caowangbao@huawei.com>,
        Priyaranjan Jha <priyarjha@google.com>, netdev@vger.kernel.org,
        linux-crypto@vger.kernel.org, linux-kselftest@vger.kernel.org,
        linux-kernel@vger.kernel.org
Subject: [PATCH v8 18/26] tcp: authopt: Add v4mapped ipv6 address support
Date: Mon,  5 Sep 2022 10:05:54 +0300
Message-Id: 
 <2830d885ea3ab71db10a5ca7f28e1c5556e32d43.1662361354.git.cdleonard@gmail.com>
In-Reply-To: <cover.1662361354.git.cdleonard@gmail.com>
References: <cover.1662361354.git.cdleonard@gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

tcp: Initial support for RFC5925 auth option | expand

Commit Message

Leonard Crestez Sept. 5, 2022, 7:05 a.m. UTC

Keys that are added with v4mapped ipv6 addresses will now be used for
ipv4 packets. This outward behavior is similar to how MD5 support
currently works.

The implementation is different - v4mapped keys are still stored with
ipv6 addresses.

Signed-off-by: Leonard Crestez <cdleonard@gmail.com>
---
 net/ipv4/tcp_authopt.c | 35 +++++++++++++++++++++++++----------
 1 file changed, 25 insertions(+), 10 deletions(-)

diff --git a/net/ipv4/tcp_authopt.c b/net/ipv4/tcp_authopt.c
index 6db06e1edcc7..28c10a916fb3 100644
--- a/net/ipv4/tcp_authopt.c
+++ b/net/ipv4/tcp_authopt.c
@@ -324,27 +324,30 @@  static bool tcp_authopt_key_match_skb_addr(struct tcp_authopt_key_info *key,
 		struct sockaddr_in6 *key_addr = (struct sockaddr_in6 *)&key->addr;
 
 		return ipv6_prefix_equal(&ip6h->saddr,
 					 &key_addr->sin6_addr,
 					 key->prefixlen);
+	} else if (keyaf == AF_INET6 && iph->version == 4) {
+		struct sockaddr_in6 *key_addr = (struct sockaddr_in6 *)&key->addr;
+
+		/* handle ipv6-mapped-ipv4-addresses */
+		if (ipv6_addr_v4mapped(&key_addr->sin6_addr)) {
+			__be32 mask = inet_make_mask(key->prefixlen);
+			__be32 ipv4 = key_addr->sin6_addr.s6_addr32[3];
+
+			return (ipv4 & mask) == ipv4;
+		}
 	}
 
-	/* This actually happens with ipv6-mapped-ipv4-addresses
-	 * IPv6 listen sockets will be asked to validate ipv4 packets.
-	 */
 	return false;
 }
 
 static bool tcp_authopt_key_match_sk_addr(struct tcp_authopt_key_info *key,
 					  const struct sock *addr_sk)
 {
 	u16 keyaf = key->addr.ss_family;
 
-	/* This probably can't happen even with ipv4-mapped-ipv6 */
-	if (keyaf != addr_sk->sk_family)
-		return false;
-
 	if (keyaf == AF_INET) {
 		struct sockaddr_in *key_addr = (struct sockaddr_in *)&key->addr;
 		__be32 mask = inet_make_mask(key->prefixlen);
 
 		return (addr_sk->sk_daddr & mask) == key_addr->sin_addr.s_addr;
@@ -353,10 +356,16 @@  static bool tcp_authopt_key_match_sk_addr(struct tcp_authopt_key_info *key,
 		struct sockaddr_in6 *key_addr = (struct sockaddr_in6 *)&key->addr;
 
 		return ipv6_prefix_equal(&addr_sk->sk_v6_daddr,
 					 &key_addr->sin6_addr,
 					 key->prefixlen);
+	} else if (keyaf == AF_INET6 && addr_sk->sk_family == AF_INET) {
+		struct sockaddr_in6 *key_addr = (struct sockaddr_in6 *)&key->addr;
+		__be32 mask = inet_make_mask(key->prefixlen);
+		__be32 ipv4 = key_addr->sin6_addr.s6_addr32[3];
+
+		return (addr_sk->sk_daddr & mask) == ipv4;
 #endif
 	}
 
 	return false;
 }
@@ -1475,14 +1484,20 @@  static int __tcp_authopt_calc_mac(struct sock *sk,
 				  char *macbuf)
 {
 	struct tcp_authopt_alg_pool *mac_pool;
 	u8 traffic_key[TCP_AUTHOPT_MAX_TRAFFIC_KEY_LEN];
 	int err;
-	bool ipv6 = (sk->sk_family != AF_INET);
+	bool ipv6;
 
-	if (sk->sk_family != AF_INET && sk->sk_family != AF_INET6)
-		return -EINVAL;
+#if IS_ENABLED(CONFIG_IPV6)
+	if (input)
+		ipv6 = (skb->protocol == htons(ETH_P_IPV6));
+	else
+		ipv6 = (sk->sk_family == AF_INET6) && !ipv6_addr_v4mapped(&sk->sk_v6_daddr);
+#else
+	ipv6 = false;
+#endif
 
 	err = tcp_authopt_get_traffic_key(sk, skb, key, info, input, ipv6, traffic_key);
 	if (err)
 		return err;

[v8,18/26] tcp: authopt: Add v4mapped ipv6 address support

Commit Message

Patch