Received: by 2002:a25:ab43:0:0:0:0:0 with SMTP id u61csp3572293ybi; Tue, 18 Jun 2019 03:03:50 -0700 (PDT) X-Google-Smtp-Source: APXvYqyM6hhpKGZgU/fF7tpA/kB/I1sb3w2VfrNsbJmOr/yTIE5FupsFKmchFSUqUiW815718L4+ X-Received: by 2002:aa7:825a:: with SMTP id e26mr4155133pfn.255.1560852230421; Tue, 18 Jun 2019 03:03:50 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1560852230; cv=none; d=google.com; s=arc-20160816; b=NT+X55zz6QytuFBKeHd8IsXo5ShArUQOdWq3QJpZarx8Fa2vvf2GKvRGBSVHlh9RJp UMrAUPbKjMJp1x0C08ue1c7IjLazHFmsqtlmL2LZdc1q78vh+4gZ9Ak0sIh21JE4fnma LEIjcNvuoTA4tw4kvcTw091+kq9nJNM/got7wj30YfJwybivCB7Cwl4VWepwkg0dNngd w5DJZoeHXSvKFBWaqpP6PD6OZ+s0tfq8e4tXIajrnCsFxW262D1KD7qCZndDmg4uEOjf rRxia/peuHQ1iTlZCAvTS1Ld3F1nUQuoO2RAeWY6uwzKEQ08+a7HT6ggTa7MrtR4qtUa utNA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=nJWZTkerYqxZ8gox46rKtBpw5zXrYUkGFpFgduRzBEM=; b=TATYuikC9qpFEtGy3oe8CwvHrJuAXY3eZOeS6F6foj4B6sT8fCCibtY80QTFMV48TK 7hfysuuUlkyF/Ej3PpnQmVfwiGdzouSId9kXZsQekScJuDkzyiIyhfjaiaCijBeyWMFs of3rb4o03aYQo7i79YRJ4aiRz3t3TKbiQux0s1fRNK8LcEib60SU3cb0Acau5DVs4/c3 eNEh7Mdd8Ay+mVcWPh2hX2OTRhALntQGndXBQOKvYjRM0qpgApYKxa1F4Y+TQum3+ErC lzV5OlLRZJSq6HuwBC+a2TfUdTyqmpgRDqRFJWC1xJTUyIm/4W+fTQQmc/CJxzoRyLUg FV5A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=Ia2sw0NT; spf=pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id x7si13126222plv.130.2019.06.18.03.03.25; Tue, 18 Jun 2019 03:03:50 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=Ia2sw0NT; spf=pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729326AbfFRKDN (ORCPT + 99 others); Tue, 18 Jun 2019 06:03:13 -0400 Received: from mail-io1-f65.google.com ([209.85.166.65]:46969 "EHLO mail-io1-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726023AbfFRKDL (ORCPT ); Tue, 18 Jun 2019 06:03:11 -0400 Received: by mail-io1-f65.google.com with SMTP id i10so28267763iol.13 for ; Tue, 18 Jun 2019 03:03:11 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=nJWZTkerYqxZ8gox46rKtBpw5zXrYUkGFpFgduRzBEM=; b=Ia2sw0NT56vt9MAhKYJr79OAixoaXcvg6diSg0meFCUnwWd/eCu8gUH7+O4ae+rgf1 cdq41wz+PlzpG2b9JAvj481SrxZqhHTebNXphQ96w0Ela7iHjuELF5OWTaWxa7MKS+a9 RsNdIeLuOsSBghpWBf6nxFrsR5gMUMxB/IRtUWLbVOwAR+4nkvTFYPaWkS+N9BfjkHSi wrZY0MV4ZO9JGi/TWadOXa5eI6LcGpIMtp9pNs7VKCUj93tMppy/N9ImARlkHkr5jqzp TQIQ/86hcvWog/4DiaZjEPWCxOyY8K+vD5kQrhEkHoCbQB5APcbYf5zN1Rx14sHx0Qtv K1fA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=nJWZTkerYqxZ8gox46rKtBpw5zXrYUkGFpFgduRzBEM=; b=jHVpMzyGj6WkK+Xcne+w+7QzWjTHbc24N0cdG7bsEaEM/JE2k3HFnn4jK6e6bnEYq5 EjCidF7VRHbKJZXzSGFMXNDrsMrJ4yEXmitRSwYYt4s/ouB/DabqsItTyqMPSL+oX5SW zsvd5rk6xJEaYOXeEAKcW6SXje6lZt9eIo/ouVHnYqMsJd/CWl48BaYSj/OE7RRWGwac fiqadlZtBB9iMvUS14bF1tKQvxuuLw0VhuF5YWR4dkrA+HeAVWJ3GQ3PsCzhjklUhSMH V1lWtfpUn7SLOK93Zl6vRA7PfUv9FpueVqvu0Dn0AF4Z7o3lioVOe2DoCufdPlTWIULI ZBkw== X-Gm-Message-State: APjAAAWhQIxaSW2t+KYLuuMJopamG1SvyMsWSCA/D4Lyvg0GJ2sBw7qx iemXPS5wLOYpX/6rZe0HODzMuEC7Vj+JTPiQtYUTZA== X-Received: by 2002:a02:ce37:: with SMTP id v23mr2244603jar.2.1560852191037; Tue, 18 Jun 2019 03:03:11 -0700 (PDT) MIME-Version: 1.0 References: <20190618093207.13436-1-ard.biesheuvel@linaro.org> <20190618093207.13436-2-ard.biesheuvel@linaro.org> In-Reply-To: From: Ard Biesheuvel Date: Tue, 18 Jun 2019 12:02:59 +0200 Message-ID: Subject: Re: [PATCH 1/2] net: fastopen: make key handling more robust against future changes To: Eric Dumazet Cc: netdev , Eric Biggers , "open list:HARDWARE RANDOM NUMBER GENERATOR CORE" , Herbert Xu , David Miller , Alexey Kuznetsov , Hideaki YOSHIFUJI , Jason Baron , Christoph Paasch , David Laight , Yuchung Cheng Content-Type: text/plain; charset="UTF-8" Sender: linux-crypto-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org On Tue, 18 Jun 2019 at 11:53, Eric Dumazet wrote: > > On Tue, Jun 18, 2019 at 2:41 AM Ard Biesheuvel > wrote: > > > > On Tue, 18 Jun 2019 at 11:39, Eric Dumazet wrote: > > > > > > On Tue, Jun 18, 2019 at 2:32 AM Ard Biesheuvel > > > wrote: > > > > > > > > Some changes to the TCP fastopen code to make it more robust > > > > against future changes in the choice of key/cookie size, etc. > > > > > > > > - Instead of keeping the SipHash key in an untyped u8[] buffer > > > > and casting it to the right type upon use, use the correct > > > > siphash_key_t type directly. This ensures that the key will > > > > appear at the correct alignment if we ever change the way > > > > these data structures are allocated. (Currently, they are > > > > only allocated via kmalloc so they always appear at the > > > > correct alignment) > > > > > > > > - Use DIV_ROUND_UP when sizing the u64[] array to hold the > > > > cookie, so it is always of sufficient size, even when > > > > TCP_FASTOPEN_COOKIE_MAX is no longer a multiple of 8. > > > > > > > > - Add a key length check to tcp_fastopen_reset_cipher(). No > > > > callers exist currently that fail this check (they all pass > > > > compile constant values that equal TCP_FASTOPEN_KEY_LENGTH), > > > > but future changes might create problems, e.g., by leaving part > > > > of the key uninitialized, or overflowing the key buffers. > > > > > > > > Note that none of these are functional changes wrt the current > > > > state of the code. > > > > > > > ... > > > > > > > - memcpy(ctx->key[0], primary_key, len); > > > > + if (unlikely(len != TCP_FASTOPEN_KEY_LENGTH)) { > > > > + pr_err("TCP: TFO key length %u invalid\n", len); > > > > + err = -EINVAL; > > > > + goto out; > > > > + } > > > > > > > > > Why a pr_err() is there ? > > > > > > Can unpriv users flood the syslog ? > > > > They can if they could do so before: there was a call to > > crypto_cipher_setkey() in the original pre-SipHash code which would > > also result in a pr_err() on an invalid key length. That call got > > removed along with the AES cipher handling, and this basically > > reinstates it, as suggested by EricB. > > This tcp_fastopen_reset_cipher() function is internal to TCP stack, all callers > always pass the correct length. > > We could add checks all over the place, and end up having a TCP stack > full of defensive > checks and 10,000 additional lines of code :/ > > I would prefer not reinstating this. Fair enough.