Received: by 2002:a05:7412:3784:b0:e2:908c:2ebd with SMTP id jk4csp2903743rdb; Wed, 4 Oct 2023 15:36:47 -0700 (PDT) X-Google-Smtp-Source: AGHT+IGCJIK9ooK6+auxxHRiHJW70Z3welM8JmEtCVSNsyASRtgUpZKRYSsyJshXHg0WqEtuaGpC X-Received: by 2002:a05:6a20:1589:b0:15b:b83c:9b48 with SMTP id h9-20020a056a20158900b0015bb83c9b48mr1203564pzj.24.1696459006978; Wed, 04 Oct 2023 15:36:46 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1696459006; cv=none; d=google.com; s=arc-20160816; b=yIPgF77ax7ynITmaUb2UVHynzanUMHFWcAHbNif65onr+jIG5Klq1MsRQPpoE/G4Qg J5uFX6D4PQDY3yO73KP43uBkEYc06uww//lnV+P5uAM8Nu5daBUf7wgf//vUspzht4ir Qgm7w0RNXeKwlBocQfJ70oHbCLW7OMUbR0oblRGFSVkyfiidxUegM7bZRs40uQdFYjjB N2Oa36mvkTgIhNuspZVnaAqMBxevkyhZDmaPWbeKsf41zzNK2mXnuKvxKMYnjCCz0jBH g1jYeXo2HvjB7GKKk3G8FhqSnIYRG+UJZawG+uTEoBjZfuiDVUr08LiKYJVCoHTfDNno iSzA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from:dkim-signature; bh=MoFsOouNLsiRSc0IkOSoU7t8c12ZxAQ0uDmkn8wVHwA=; fh=QryqvAn9CpbSDwwRensfsZ3wJIRZj/gC+p5DlooXiiI=; b=PeV2ahhZJrjftZCU4hWxI18Vf9Cggx75WwmMtLy1O7v0dzsDHWewzBJpSs6Ksjqqmj /HOeZoCI+/0wWd9NIkKf2BA9vA564DRMb4VoYWdcFEvIoPYjJ1fAfa2EGPBTnTRaKpZM ltankb1Ec/QSC3AyJSVafK8MyibdeyI4UgKOzDCBsAVmyngAOMNrf8yvUZrIv9itIyie xfrCrgHJZWLkZB/ZEFz9Suoyr6H8Ia9Ag4+UcZq0+vTDigQ4kJGb2E6I/ORoyI3ydESm NvGVZHfHvzAAaE2SGK4eafmPbt0aQx9+nw7G7ZJSa1m68kf1IAVw7+nAvj4U8HGSUnH7 eqBQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@arista.com header.s=google header.b="Vz/Hwh4D"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:4 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=arista.com Return-Path: Received: from howler.vger.email (howler.vger.email. [2620:137:e000::3:4]) by mx.google.com with ESMTPS id f20-20020a63f114000000b0056c55eb251csi121050pgi.123.2023.10.04.15.36.46 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 04 Oct 2023 15:36:46 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:4 as permitted sender) client-ip=2620:137:e000::3:4; Authentication-Results: mx.google.com; dkim=pass header.i=@arista.com header.s=google header.b="Vz/Hwh4D"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:4 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=arista.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by howler.vger.email (Postfix) with ESMTP id 1035784DB79E; Wed, 4 Oct 2023 15:36:46 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at howler.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233709AbjJDWgp (ORCPT + 99 others); Wed, 4 Oct 2023 18:36:45 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38596 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232108AbjJDWgn (ORCPT ); Wed, 4 Oct 2023 18:36:43 -0400 Received: from mail-wr1-x433.google.com (mail-wr1-x433.google.com [IPv6:2a00:1450:4864:20::433]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id BE8B8C9 for ; Wed, 4 Oct 2023 15:36:38 -0700 (PDT) Received: by mail-wr1-x433.google.com with SMTP id ffacd0b85a97d-3247cefa13aso353606f8f.1 for ; Wed, 04 Oct 2023 15:36:38 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=arista.com; s=google; t=1696458997; x=1697063797; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=MoFsOouNLsiRSc0IkOSoU7t8c12ZxAQ0uDmkn8wVHwA=; b=Vz/Hwh4DDw+n+mCcBSIIWR6ZKjPTN1fvrLUAiH4cUudr4XlhQugAj9v+GwmYvBP6xJ /AGGRCYiCK81b9pXCHuMDNp/+PlT88xH+nbxOwsQwesmgnyF2ON4SaxAG6S5bJc8BO4C +RA7vaA/TlQGi4KZnbw3ESJLA24RoiYZJm6Pj8aTRL22SJPqom/dsuVLRJuQMZy/J/3y +nFNeLihRoiQiDQL1LCK2sPUydPn0hFXfXqpCTr19ZA5Tj5nDQPvqqe1NSzzK+5eq1CH Ppc4YaXJFO6BEiq/oRRLvu+8SdIZ39bWU/Uir/RYD8/H81Br3MPjTNEsMnpjYWRptBfl 8igw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1696458997; x=1697063797; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=MoFsOouNLsiRSc0IkOSoU7t8c12ZxAQ0uDmkn8wVHwA=; b=XFZ5/aFJhjmhhVnLHS7IP+5v1C5AnjDVMWqs0D6iBE4/PSrXj+KIh37OdXEFc1QQPm zKpbidEFTAsB0E/d3l6agyb16chWpy0Zq4fGztmo35IXFzduGh1QOLr0qQFITY7BdtMU LT+LCKBl0i+/oJFHu11bBTVX2j+j60c6eBzn9m9RbRXZ88kZ2bScuDip0/BOe+MivMWU BDwjtEqiwr77l7vVZpjCL/OehCsbkFbvsa+jVtsfgP+BqhpSEOOB7s1DMu8bkFyuAy7c 3/8qWF2eaukOA1fVaNferOVPvhG0fe0lqgcfmOPvu4xM8mRri5WdhqbGP43cskLebEAn OiVA== X-Gm-Message-State: AOJu0YzXBcQ4NboKgNUaG4ZcP2+gIdU41cuR+MOtHqQkhdkT6ujb7E3J JOVeow7QtZnI6VD8P9pYMZj+CUWc2Ug7jJS6Opk= X-Received: by 2002:adf:fac8:0:b0:320:9c8:40af with SMTP id a8-20020adffac8000000b0032009c840afmr2952477wrs.11.1696458997094; Wed, 04 Oct 2023 15:36:37 -0700 (PDT) Received: from Mindolluin.ire.aristanetworks.com ([217.173.96.166]) by smtp.gmail.com with ESMTPSA id z11-20020a5d4d0b000000b0031ff89af0e4sm181412wrt.99.2023.10.04.15.36.35 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 04 Oct 2023 15:36:36 -0700 (PDT) From: Dmitry Safonov To: David Ahern , Eric Dumazet , Paolo Abeni , Jakub Kicinski , "David S. Miller" Cc: linux-kernel@vger.kernel.org, Dmitry Safonov , Andy Lutomirski , Ard Biesheuvel , Bob Gilligan , Dan Carpenter , David Laight , Dmitry Safonov <0x7f454c46@gmail.com>, Donald Cassidy , Eric Biggers , "Eric W. Biederman" , Francesco Ruggeri , "Gaillardetz, Dominik" , Herbert Xu , Hideaki YOSHIFUJI , Ivan Delalande , Leonard Crestez , "Nassiri, Mohammad" , Salam Noureddine , Simon Horman , "Tetreault, Francois" , netdev@vger.kernel.org, Steen Hegelund , Jonathan Corbet , linux-doc@vger.kernel.org Subject: [PATCH v13 net-next 00/23] net/tcp: Add TCP-AO support Date: Wed, 4 Oct 2023 23:36:04 +0100 Message-ID: <20231004223629.166300-1-dima@arista.com> X-Mailer: git-send-email 2.42.0 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF, RCVD_IN_DNSWL_BLOCKED,SPF_HELO_NONE,SPF_NONE,URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (howler.vger.email [0.0.0.0]); Wed, 04 Oct 2023 15:36:46 -0700 (PDT) Hi, This is version 13 of TCP-AO support. It addresses Paolo's review comments and makes TCP simultaneous open work with AO. In order to check TCP-AO + simultaneous open, a new TCP self-connect selftest was written (to be sent later with tcp-ao-selftests separately). There's one Sparse warning introduced by tcp_sigpool_start(): __cond_acquires() seems to currently being broken. I've described the reasoning for it on v9 cover letter. Also, checkpatch.pl warnings were addressed, but yet I've left the ones that are more personal preferences (i.e. 80 columns limit). Please, ping me if you have a strong feeling about one of them. The following changes since commit 07cf7974a2236a66f989869c301aa0220f33905c: Merge tag 'nf-next-23-09-28' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next (2023-10-04 14:25:37 -0700) are available in the Git repository at: git@github.com:0x7f454c46/linux.git tcp-ao-v13 for you to fetch changes up to dfd8d1df4562cd7a3a94a5e813a902f66a312672: Documentation/tcp: Add TCP-AO documentation (2023-10-04 23:00:34 +0100) ---------------------------------------------------------------- And another branch with selftests, that will be sent later separately: git@github.com:0x7f454c46/linux.git tcp-ao-v13-with-selftests Thanks for your time and reviews, Dmitry --- Changelog --- Changes from v12: - Separate TCP-AO sign from __tcp_transmit_skb() into a separate function for code locality and readability (Paolo) - Add TCP-AO self-connect selftest, which by its nature is a selftest for TCP simultaneous open, use different keyids and check tcp repair - Fix simultaneous open: take correct ISNs for verification, pre-calculate sending traffic key on SYN-ACK, calculate receiving traffic key before going into TCP_ESTABLISHED - Use kfree_sensitive() for hardening purposes - Use READ_ONCE() on sk->sk_family when not under socket lock to prevent any possible race with IPV6_ADDRFORM Version 12: https://lore.kernel.org/all/20230918190027.613430-1-dima@arista.com/T/#u Changes from v11: - Define (struct tcp_key) for tcp-fast path and detect by type what key was used. This also benefits from TCP-MD5/TCP-AO static branches (Eric) - Remove sk_gso_disable() from TCP-AO fast-path in __tcp_transmit_skb() (Eric) - Don't leak skb on failed kmalloc() in __tcp_transmit_skb() (Eric) - skb_dst_drop() is not necessary as kfree_skb() calls it (Eric) - Don't dereference tcp_ao_key in net_warn_ratelimited(), outside of rcu_read_lock() (Eric) Version 11: https://lore.kernel.org/all/20230911210346.301750-1-dima@arista.com/T/#u Changes from v10: - Make seq (u32) in tcp_ao_prepare_reset() and declare the argument in "net/tcp: Add TCP-AO SNE support", where it gets used (Simon) - Fix rebase artifact in tcp_v6_reqsk_send_ack(), which adds compile-error on a patch in the middle of series (Simon) - Another rebase artifact in tcp_v6_reqsk_send_ack() that makes keyid, requested by peer on ipv6 reqsk ACKs not respected (Simon) Version 10: https://lore.kernel.org/all/20230815191455.1872316-1-dima@arista.com/T/#u The pre-v10 changelog is on version 10 cover-letter. Cc: Andy Lutomirski Cc: Ard Biesheuvel Cc: Bob Gilligan Cc: Dan Carpenter Cc: David Ahern Cc: David Laight Cc: "David S. Miller" Cc: Dmitry Safonov <0x7f454c46@gmail.com> Cc: Donald Cassidy Cc: Eric Biggers Cc: Eric Dumazet Cc: "Eric W. Biederman" Cc: Francesco Ruggeri Cc: Gaillardetz, Dominik Cc: Herbert Xu Cc: Hideaki YOSHIFUJI Cc: Ivan Delalande Cc: Jakub Kicinski Cc: Leonard Crestez Cc: Nassiri, Mohammad Cc: Paolo Abeni Cc: Salam Noureddine Cc: Simon Horman Cc: Tetreault, Francois Cc: netdev@vger.kernel.org Cc: linux-kernel@vger.kernel.org Dmitry Safonov (23): net/tcp: Prepare tcp_md5sig_pool for TCP-AO net/tcp: Add TCP-AO config and structures net/tcp: Introduce TCP_AO setsockopt()s net/tcp: Prevent TCP-MD5 with TCP-AO being set net/tcp: Calculate TCP-AO traffic keys net/tcp: Add TCP-AO sign to outgoing packets net/tcp: Add tcp_parse_auth_options() net/tcp: Add AO sign to RST packets net/tcp: Add TCP-AO sign to twsk net/tcp: Wire TCP-AO to request sockets net/tcp: Sign SYN-ACK segments with TCP-AO net/tcp: Verify inbound TCP-AO signed segments net/tcp: Add TCP-AO segments counters net/tcp: Add TCP-AO SNE support net/tcp: Add tcp_hash_fail() ratelimited logs net/tcp: Ignore specific ICMPs for TCP-AO connections net/tcp: Add option for TCP-AO to (not) hash header net/tcp: Add TCP-AO getsockopt()s net/tcp: Allow asynchronous delete for TCP-AO keys (MKTs) net/tcp: Add static_key for TCP-AO net/tcp: Wire up l3index to TCP-AO net/tcp: Add TCP_AO_REPAIR Documentation/tcp: Add TCP-AO documentation Documentation/networking/index.rst | 1 + Documentation/networking/tcp_ao.rst | 434 +++++ include/linux/sockptr.h | 23 + include/linux/tcp.h | 30 +- include/net/dropreason-core.h | 30 + include/net/tcp.h | 288 +++- include/net/tcp_ao.h | 361 ++++ include/uapi/linux/snmp.h | 5 + include/uapi/linux/tcp.h | 105 ++ net/ipv4/Kconfig | 17 + net/ipv4/Makefile | 2 + net/ipv4/proc.c | 5 + net/ipv4/syncookies.c | 4 + net/ipv4/tcp.c | 246 +-- net/ipv4/tcp_ao.c | 2389 +++++++++++++++++++++++++++ net/ipv4/tcp_input.c | 98 +- net/ipv4/tcp_ipv4.c | 363 +++- net/ipv4/tcp_minisocks.c | 50 +- net/ipv4/tcp_output.c | 236 ++- net/ipv4/tcp_sigpool.c | 358 ++++ net/ipv6/Makefile | 1 + net/ipv6/syncookies.c | 5 + net/ipv6/tcp_ao.c | 168 ++ net/ipv6/tcp_ipv6.c | 374 +++-- 24 files changed, 5158 insertions(+), 435 deletions(-) create mode 100644 Documentation/networking/tcp_ao.rst create mode 100644 include/net/tcp_ao.h create mode 100644 net/ipv4/tcp_ao.c create mode 100644 net/ipv4/tcp_sigpool.c create mode 100644 net/ipv6/tcp_ao.c base-commit: 07cf7974a2236a66f989869c301aa0220f33905c -- 2.42.0