[PATCH v13 net-next 00/23] net/tcp: Add TCP-AO support

From: Dmitry Safonov
Date: Wed Oct 04 2023 - 18:36:47 EST

Next message: Dmitry Safonov: "[PATCH v13 net-next 02/23] net/tcp: Add TCP-AO config and structures"
Previous message: Ulf Hansson: "Re: [PATCH] pmdomain: imx: scu-pd: correct DMA2 channel"
Next in thread: Dmitry Safonov: "[PATCH v13 net-next 02/23] net/tcp: Add TCP-AO config and structures"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi,

This is version 13 of TCP-AO support. It addresses Paolo's review
comments and makes TCP simultaneous open work with AO. In order
to check TCP-AO + simultaneous open, a new TCP self-connect
selftest was written (to be sent later with tcp-ao-selftests
separately).

There's one Sparse warning introduced by tcp_sigpool_start():
__cond_acquires() seems to currently being broken. I've described
the reasoning for it on v9 cover letter. Also, checkpatch.pl warnings
were addressed, but yet I've left the ones that are more personal
preferences (i.e. 80 columns limit). Please, ping me if you have
a strong feeling about one of them.

The following changes since commit 07cf7974a2236a66f989869c301aa0220f33905c:

Merge tag 'nf-next-23-09-28' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next (2023-10-04 14:25:37 -0700)

are available in the Git repository at:

git@xxxxxxxxxx:0x7f454c46/linux.git tcp-ao-v13

for you to fetch changes up to dfd8d1df4562cd7a3a94a5e813a902f66a312672:

Documentation/tcp: Add TCP-AO documentation (2023-10-04 23:00:34 +0100)

----------------------------------------------------------------

And another branch with selftests, that will be sent later separately:
git@xxxxxxxxxx:0x7f454c46/linux.git tcp-ao-v13-with-selftests

Thanks for your time and reviews,
Dmitry

--- Changelog ---

Changes from v12:
- Separate TCP-AO sign from __tcp_transmit_skb() into a separate
function for code locality and readability (Paolo)
- Add TCP-AO self-connect selftest, which by its nature is a selftest
for TCP simultaneous open, use different keyids and check tcp repair
- Fix simultaneous open: take correct ISNs for verification,
pre-calculate sending traffic key on SYN-ACK, calculate receiving
traffic key before going into TCP_ESTABLISHED
- Use kfree_sensitive() for hardening purposes
- Use READ_ONCE() on sk->sk_family when not under socket lock to prevent
any possible race with IPV6_ADDRFORM

Version 12: https://lore.kernel.org/all/20230918190027.613430-1-dima@xxxxxxxxxx/T/#u

Changes from v11:
- Define (struct tcp_key) for tcp-fast path and detect by type what key
was used. This also benefits from TCP-MD5/TCP-AO static branches (Eric)
- Remove sk_gso_disable() from TCP-AO fast-path in __tcp_transmit_skb()
(Eric)
- Don't leak skb on failed kmalloc() in __tcp_transmit_skb() (Eric)
- skb_dst_drop() is not necessary as kfree_skb() calls it (Eric)
- Don't dereference tcp_ao_key in net_warn_ratelimited(), outside of
rcu_read_lock() (Eric)

Version 11: https://lore.kernel.org/all/20230911210346.301750-1-dima@xxxxxxxxxx/T/#u

Changes from v10:
- Make seq (u32) in tcp_ao_prepare_reset() and declare the argument
in "net/tcp: Add TCP-AO SNE support", where it gets used (Simon)
- Fix rebase artifact in tcp_v6_reqsk_send_ack(), which adds
compile-error on a patch in the middle of series (Simon)
- Another rebase artifact in tcp_v6_reqsk_send_ack() that makes
keyid, requested by peer on ipv6 reqsk ACKs not respected (Simon)

Version 10: https://lore.kernel.org/all/20230815191455.1872316-1-dima@xxxxxxxxxx/T/#u

The pre-v10 changelog is on version 10 cover-letter.

Cc: Andy Lutomirski <luto@xxxxxxxxxxxxxx>
Cc: Ard Biesheuvel <ardb@xxxxxxxxxx>
Cc: Bob Gilligan <gilligan@xxxxxxxxxx>
Cc: Dan Carpenter <error27@xxxxxxxxx>
Cc: David Ahern <dsahern@xxxxxxxxxx>
Cc: David Laight <David.Laight@xxxxxxxxxx>
Cc: "David S. Miller" <davem@xxxxxxxxxxxxx>
Cc: Dmitry Safonov <0x7f454c46@xxxxxxxxx>
Cc: Donald Cassidy <dcassidy@xxxxxxxxxx>
Cc: Eric Biggers <ebiggers@xxxxxxxxxx>
Cc: Eric Dumazet <edumazet@xxxxxxxxxx>
Cc: "Eric W. Biederman" <ebiederm@xxxxxxxxxxxx>
Cc: Francesco Ruggeri <fruggeri05@xxxxxxxxx>
Cc: Gaillardetz, Dominik <dgaillar@xxxxxxxxx>
Cc: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Cc: Hideaki YOSHIFUJI <yoshfuji@xxxxxxxxxxxxxx>
Cc: Ivan Delalande <colona@xxxxxxxxxx>
Cc: Jakub Kicinski <kuba@xxxxxxxxxx>
Cc: Leonard Crestez <cdleonard@xxxxxxxxx>
Cc: Nassiri, Mohammad <mnassiri@xxxxxxxxx>
Cc: Paolo Abeni <pabeni@xxxxxxxxxx>
Cc: Salam Noureddine <noureddine@xxxxxxxxxx>
Cc: Simon Horman <simon.horman@xxxxxxxxxxxx>
Cc: Tetreault, Francois <ftetreau@xxxxxxxxx>
Cc: netdev@xxxxxxxxxxxxxxx
Cc: linux-kernel@xxxxxxxxxxxxxxx

Dmitry Safonov (23):
net/tcp: Prepare tcp_md5sig_pool for TCP-AO
net/tcp: Add TCP-AO config and structures
net/tcp: Introduce TCP_AO setsockopt()s
net/tcp: Prevent TCP-MD5 with TCP-AO being set
net/tcp: Calculate TCP-AO traffic keys
net/tcp: Add TCP-AO sign to outgoing packets
net/tcp: Add tcp_parse_auth_options()
net/tcp: Add AO sign to RST packets
net/tcp: Add TCP-AO sign to twsk
net/tcp: Wire TCP-AO to request sockets
net/tcp: Sign SYN-ACK segments with TCP-AO
net/tcp: Verify inbound TCP-AO signed segments
net/tcp: Add TCP-AO segments counters
net/tcp: Add TCP-AO SNE support
net/tcp: Add tcp_hash_fail() ratelimited logs
net/tcp: Ignore specific ICMPs for TCP-AO connections
net/tcp: Add option for TCP-AO to (not) hash header
net/tcp: Add TCP-AO getsockopt()s
net/tcp: Allow asynchronous delete for TCP-AO keys (MKTs)
net/tcp: Add static_key for TCP-AO
net/tcp: Wire up l3index to TCP-AO
net/tcp: Add TCP_AO_REPAIR
Documentation/tcp: Add TCP-AO documentation

Documentation/networking/index.rst | 1 +
Documentation/networking/tcp_ao.rst | 434 +++++
include/linux/sockptr.h | 23 +
include/linux/tcp.h | 30 +-
include/net/dropreason-core.h | 30 +
include/net/tcp.h | 288 +++-
include/net/tcp_ao.h | 361 ++++
include/uapi/linux/snmp.h | 5 +
include/uapi/linux/tcp.h | 105 ++
net/ipv4/Kconfig | 17 +
net/ipv4/Makefile | 2 +
net/ipv4/proc.c | 5 +
net/ipv4/syncookies.c | 4 +
net/ipv4/tcp.c | 246 +--
net/ipv4/tcp_ao.c | 2389 +++++++++++++++++++++++++++
net/ipv4/tcp_input.c | 98 +-
net/ipv4/tcp_ipv4.c | 363 +++-
net/ipv4/tcp_minisocks.c | 50 +-
net/ipv4/tcp_output.c | 236 ++-
net/ipv4/tcp_sigpool.c | 358 ++++
net/ipv6/Makefile | 1 +
net/ipv6/syncookies.c | 5 +
net/ipv6/tcp_ao.c | 168 ++
net/ipv6/tcp_ipv6.c | 374 +++--
24 files changed, 5158 insertions(+), 435 deletions(-)
create mode 100644 Documentation/networking/tcp_ao.rst
create mode 100644 include/net/tcp_ao.h
create mode 100644 net/ipv4/tcp_ao.c
create mode 100644 net/ipv4/tcp_sigpool.c
create mode 100644 net/ipv6/tcp_ao.c

base-commit: 07cf7974a2236a66f989869c301aa0220f33905c
--
2.42.0

Next message: Dmitry Safonov: "[PATCH v13 net-next 02/23] net/tcp: Add TCP-AO config and structures"
Previous message: Ulf Hansson: "Re: [PATCH] pmdomain: imx: scu-pd: correct DMA2 channel"
Next in thread: Dmitry Safonov: "[PATCH v13 net-next 02/23] net/tcp: Add TCP-AO config and structures"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]