Commit 4954f17d authored by Dmitry Safonov's avatar Dmitry Safonov Committed by David S. Miller
Browse files

net/tcp: Introduce TCP_AO setsockopt()s 



Add 3 setsockopt()s:
1. TCP_AO_ADD_KEY to add a new Master Key Tuple (MKT) on a socket
2. TCP_AO_DEL_KEY to delete present MKT from a socket
3. TCP_AO_INFO to change flags, Current_key/RNext_key on a TCP-AO sk

Userspace has to introduce keys on every socket it wants to use TCP-AO
option on, similarly to TCP_MD5SIG/TCP_MD5SIG_EXT.
RFC5925 prohibits definition of MKTs that would match the same peer,
so do sanity checks on the data provided by userspace. Be as
conservative as possible, including refusal of defining MKT on
an established connection with no AO, removing the key in-use and etc.

(1) and (2) are to be used by userspace key manager to add/remove keys.
(3) main purpose is to set RNext_key, which (as prescribed by RFC5925)
is the KeyID that will be requested in TCP-AO header from the peer to
sign their segments with.

At this moment the life of ao_info ends in tcp_v4_destroy_sock().

Co-developed-by: default avatarFrancesco Ruggeri <fruggeri@arista.com>
Signed-off-by: default avatarFrancesco Ruggeri <fruggeri@arista.com>
Co-developed-by: default avatarSalam Noureddine <noureddine@arista.com>
Signed-off-by: default avatarSalam Noureddine <noureddine@arista.com>
Signed-off-by: default avatarDmitry Safonov <dima@arista.com>
Acked-by: default avatarDavid Ahern <dsahern@kernel.org>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent c845f5f3

include/linux/sockptr.h

+23 −0
Original line number Diff line number Diff line
@@ -55,6 +55,29 @@ static inline int copy_from_sockptr(void *dst, sockptr_t src, size_t size) 
	return copy_from_sockptr_offset(dst, src, 0, size);

}



static inline int copy_struct_from_sockptr(void *dst, size_t ksize,

		sockptr_t src, size_t usize)

{

	size_t size = min(ksize, usize);

	size_t rest = max(ksize, usize) - size;



	if (!sockptr_is_kernel(src))

		return copy_struct_from_user(dst, ksize, src.user, size);



	if (usize < ksize) {

		memset(dst + size, 0, rest);

	} else if (usize > ksize) {

		char *p = src.kernel;



		while (rest--) {

			if (*p++)

				return -E2BIG;

		}

	}

	memcpy(dst, src.kernel, size);

	return 0;

}



static inline int copy_to_sockptr_offset(sockptr_t dst, size_t offset,

		const void *src, size_t size)

{

include/net/tcp.h

+3 −0
Original line number Diff line number Diff line
@@ -2175,6 +2175,9 @@ struct tcp_sock_af_ops { 
				     sockptr_t optval,

				     int optlen);

#endif

#ifdef CONFIG_TCP_AO

	int (*ao_parse)(struct sock *sk, int optname, sockptr_t optval, int optlen);

#endif

};



struct tcp_request_sock_ops {

include/net/tcp_ao.h

+16 −1
Original line number Diff line number Diff line
@@ -81,10 +81,25 @@ struct tcp_ao_info { 
	 */

	struct tcp_ao_key	*current_key;

	struct tcp_ao_key	*rnext_key;

	u32			flags;

	u32			ao_required	:1,

				__unused	:31;

	__be32			lisn;

	__be32			risn;

	struct rcu_head		rcu;

};



#ifdef CONFIG_TCP_AO

int tcp_parse_ao(struct sock *sk, int cmd, unsigned short int family,

		 sockptr_t optval, int optlen);

void tcp_ao_destroy_sock(struct sock *sk);

/* ipv4 specific functions */

int tcp_v4_parse_ao(struct sock *sk, int cmd, sockptr_t optval, int optlen);

/* ipv6 specific functions */

int tcp_v6_parse_ao(struct sock *sk, int cmd, sockptr_t optval, int optlen);

#else

static inline void tcp_ao_destroy_sock(struct sock *sk)

{

}

#endif



#endif /* _TCP_AO_H */

include/uapi/linux/tcp.h

+46 −0
Original line number Diff line number Diff line
@@ -129,6 +129,9 @@ enum { 


#define TCP_TX_DELAY		37	/* delay outgoing packets by XX usec */



#define TCP_AO_ADD_KEY		38	/* Add/Set MKT */

#define TCP_AO_DEL_KEY		39	/* Delete MKT */

#define TCP_AO_INFO		40	/* Modify TCP-AO per-socket options */



#define TCP_REPAIR_ON		1

#define TCP_REPAIR_OFF		0
@@ -363,6 +366,49 @@ struct tcp_diag_md5sig { 


#define TCP_AO_MAXKEYLEN	80



#define TCP_AO_KEYF_IFINDEX	(1 << 0)	/* L3 ifindex for VRF */



struct tcp_ao_add { /* setsockopt(TCP_AO_ADD_KEY) */

	struct __kernel_sockaddr_storage addr;	/* peer's address for the key */

	char	alg_name[64];		/* crypto hash algorithm to use */

	__s32	ifindex;		/* L3 dev index for VRF */

	__u32   set_current	:1,	/* set key as Current_key at once */

		set_rnext	:1,	/* request it from peer with RNext_key */

		reserved	:30;	/* must be 0 */

	__u16	reserved2;		/* padding, must be 0 */

	__u8	prefix;			/* peer's address prefix */

	__u8	sndid;			/* SendID for outgoing segments */

	__u8	rcvid;			/* RecvID to match for incoming seg */

	__u8	maclen;			/* length of authentication code (hash) */

	__u8	keyflags;		/* see TCP_AO_KEYF_ */

	__u8	keylen;			/* length of ::key */

	__u8	key[TCP_AO_MAXKEYLEN];

} __attribute__((aligned(8)));



struct tcp_ao_del { /* setsockopt(TCP_AO_DEL_KEY) */

	struct __kernel_sockaddr_storage addr;	/* peer's address for the key */

	__s32	ifindex;		/* L3 dev index for VRF */

	__u32   set_current	:1,	/* corresponding ::current_key */

		set_rnext	:1,	/* corresponding ::rnext */

		reserved	:30;	/* must be 0 */

	__u16	reserved2;		/* padding, must be 0 */

	__u8	prefix;			/* peer's address prefix */

	__u8	sndid;			/* SendID for outgoing segments */

	__u8	rcvid;			/* RecvID to match for incoming seg */

	__u8	current_key;		/* KeyID to set as Current_key */

	__u8	rnext;			/* KeyID to set as Rnext_key */

	__u8	keyflags;		/* see TCP_AO_KEYF_ */

} __attribute__((aligned(8)));



struct tcp_ao_info_opt { /* setsockopt(TCP_AO_INFO) */

	__u32   set_current	:1,	/* corresponding ::current_key */

		set_rnext	:1,	/* corresponding ::rnext */

		ao_required	:1,	/* don't accept non-AO connects */

		reserved	:29;	/* must be 0 */

	__u8	current_key;		/* KeyID to set as Current_key */

	__u8	rnext;			/* KeyID to set as Rnext_key */

} __attribute__((aligned(8)));



/* setsockopt(fd, IPPROTO_TCP, TCP_ZEROCOPY_RECEIVE, ...) */



#define TCP_RECEIVE_ZEROCOPY_FLAG_TLB_CLEAN_HINT 0x1

net/ipv4/Makefile

+1 −0
Original line number Diff line number Diff line
@@ -69,6 +69,7 @@ obj-$(CONFIG_NETLABEL) += cipso_ipv4.o 


obj-$(CONFIG_XFRM) += xfrm4_policy.o xfrm4_state.o xfrm4_input.o \

		      xfrm4_output.o xfrm4_protocol.o

obj-$(CONFIG_TCP_AO) += tcp_ao.o



ifeq ($(CONFIG_BPF_JIT),y)

obj-$(CONFIG_BPF_SYSCALL) += bpf_tcp_ca.o