From: Leonard Crestez
To: David Ahern, Eric Dumazet, Philip Paeps
Cc: Dmitry Safonov <0x7f454c46@gmail.com>, Shuah Khan, "David S. Miller", Herbert Xu, Kuniyuki Iwashima, Hideaki YOSHIFUJI, Jakub Kicinski, Yuchung Cheng, Francesco Ruggeri, Mat Martineau, Christoph Paasch, Ivan Delalande, Caowangbao, Priyaranjan Jha, netdev@vger.kernel.org, linux-crypto@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v6 23/26] tcp: authopt: tcp_authopt_lookup_send: Add anykey output param
Date: Tue, 26 Jul 2022 09:15:25 +0300
Message-Id: <41bf8fc3faad75a520cd786af14f6924625dcc3e.1658815925.git.cdleonard@gmail.com>
X-Mailing-List: linux-crypto@vger.kernel.org

The anykey param can be used to distinguish between "no keys configured" and "no keys valid". The former case should result in unsigned traffic while the latter should result in an error.

Signed-off-by: Leonard Crestez
---
 net/ipv4/tcp_authopt.c | 28 ++++++++++++++++++----------
 1 file changed, 18 insertions(+), 10 deletions(-)

diff --git a/net/ipv4/tcp_authopt.c b/net/ipv4/tcp_authopt.c
index 3596fc1fb770..1fd665c43b5d 100644
--- a/net/ipv4/tcp_authopt.c
+++ b/net/ipv4/tcp_authopt.c
@@ -378,38 +378,42 @@ static bool better_key_match(struct tcp_authopt_key_info *old, struct tcp_authop * tcp_authopt_lookup_send - lookup key for sending * * @net: Per-namespace information containing keys * @addr_sk: Socket used for destination address lookup * @send_id: Optional send_id. If >= 0 then only return keys that match + * @anykey: Set to true if any keys are present for the peer * * If anykey is false then authentication is not required for peer. * * If anykey is true but no key was found then all our keys must be expired and sending should fail. */ static struct tcp_authopt_key_info *tcp_authopt_lookup_send(struct netns_tcp_authopt *net, const struct sock *addr_sk, - int send_id) + int send_id, + bool *anykey) { struct tcp_authopt_key_info *result = NULL; struct tcp_authopt_key_info *key; int l3index = -1; hlist_for_each_entry_rcu(key, &net->head, node, 0) { - if (send_id >= 0 && key->send_id != send_id) - continue; - if (key->flags & TCP_AUTHOPT_KEY_NOSEND) - continue; if (key->flags & TCP_AUTHOPT_KEY_ADDR_BIND) if (!tcp_authopt_key_match_sk_addr(key, addr_sk)) continue; if (key->flags & TCP_AUTHOPT_KEY_IFINDEX) { if (l3index < 0) l3index = l3mdev_master_ifindex_by_index(sock_net(addr_sk), addr_sk->sk_bound_dev_if); if (l3index != key->l3index) continue; } + if (anykey) + *anykey = true; + if (key->flags & TCP_AUTHOPT_KEY_NOSEND) + continue; + if (send_id >= 0 && key->send_id != send_id) + continue; if (better_key_match(result, key)) result = key; else if (result) net_warn_ratelimited("ambiguous tcp authentication keys configured for send\n"); } 
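Review bot: tcp_authopt_lookup_send() only ever writes `*anykey = true` and never clears it, so every caller must initialise the flag to false before calling; either add `if (anykey) *anykey = false;` at function entry or state the pre-initialisation requirement in the @anykey kernel-doc, which currently reads as if the function fully owns the output. Related, the comment says that anykey true with a NULL result means "all our keys must be expired", but the flag is now set before the TCP_AUTHOPT_KEY_NOSEND and send_id filters run, so a peer whose only matching keys carry NOSEND, or a send_id restriction that no key satisfies, also yields that combination; rewording it to "no key is usable for sending" would match the code.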
@@ -454,14 +458,14 @@ struct tcp_authopt_key_info *__tcp_authopt_select_key(const struct sock *sk, */ if (info->flags & TCP_AUTHOPT_FLAG_LOCK_KEYID) send_id = info->send_keyid; else send_id = rsk->recv_rnextkeyid; - key = tcp_authopt_lookup_send(net, addr_sk, send_id); + key = tcp_authopt_lookup_send(net, addr_sk, send_id, NULL); /* If no key found with specific send_id try anything else. */ if (!key) - key = tcp_authopt_lookup_send(net, addr_sk, -1); + key = tcp_authopt_lookup_send(net, addr_sk, -1, NULL); if (key) *rnextkeyid = key->recv_id; return key; } @@ -482,18 +486,22 @@ struct tcp_authopt_key_info *__tcp_authopt_select_key(const struct sock *sk, */ if (info->flags & TCP_AUTHOPT_FLAG_LOCK_KEYID) { int send_keyid = info->send_keyid; if (!key || key->send_id != send_keyid) - new_key = tcp_authopt_lookup_send(net, addr_sk, send_keyid); + new_key = tcp_authopt_lookup_send(net, addr_sk, + send_keyid, + NULL); } else { if (!key || key->send_id != info->recv_rnextkeyid) - new_key = tcp_authopt_lookup_send(net, addr_sk, info->recv_rnextkeyid); + new_key = tcp_authopt_lookup_send(net, addr_sk, + info->recv_rnextkeyid, + NULL); } /* If no key found with specific send_id try anything else. */ if (!key && !new_key) - new_key = tcp_authopt_lookup_send(net, addr_sk, -1); + new_key = tcp_authopt_lookup_send(net, addr_sk, -1, NULL); /* Update current key only if we hold the socket lock. */ if (new_key && key != new_key) { if (locked) { if (kref_get_unless_zero(&new_key->ref)) { -- 2.25.1
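Review bot: both call sites in the first hunk of __tcp_authopt_select_key() pass NULL for the new parameter, so nothing in this patch actually observes the "no keys configured" versus "no keys valid" distinction the commit message describes; the commit message should say where the consumer of anykey arrives, or the parameter could be introduced together with that consumer, so a reviewer can check the contract against real use.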
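Review bot: in the second hunk of __tcp_authopt_select_key() the three lookups (send_keyid, info->recv_rnextkeyid, then the `-1` fallback) also pass NULL, and a future caller that passes a real pointer will see the flag accumulate across the specific lookup and the fallback, which is correct only if it clears the flag once before the first call; a one-line comment at the fallback noting that anykey is cumulative across the retry would prevent a caller from resetting it in between and losing the "keys present but unusable" signal.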