[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20231023192217.426455-1-dima@arista.com>
Date: Mon, 23 Oct 2023 20:21:52 +0100
From: Dmitry Safonov <dima@...sta.com>
To: David Ahern <dsahern@...nel.org>,
Eric Dumazet <edumazet@...gle.com>,
Paolo Abeni <pabeni@...hat.com>,
Jakub Kicinski <kuba@...nel.org>,
"David S. Miller" <davem@...emloft.net>
Cc: linux-kernel@...r.kernel.org, Dmitry Safonov <dima@...sta.com>,
Andy Lutomirski <luto@...capital.net>,
Ard Biesheuvel <ardb@...nel.org>,
Bob Gilligan <gilligan@...sta.com>,
Dan Carpenter <error27@...il.com>,
David Laight <David.Laight@...lab.com>,
Dmitry Safonov <0x7f454c46@...il.com>,
Donald Cassidy <dcassidy@...hat.com>,
Eric Biggers <ebiggers@...nel.org>,
"Eric W. Biederman" <ebiederm@...ssion.com>,
Francesco Ruggeri <fruggeri05@...il.com>,
"Gaillardetz, Dominik" <dgaillar@...na.com>,
Herbert Xu <herbert@...dor.apana.org.au>,
Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org>,
Ivan Delalande <colona@...sta.com>,
Leonard Crestez <cdleonard@...il.com>,
"Nassiri, Mohammad" <mnassiri@...na.com>,
Salam Noureddine <noureddine@...sta.com>,
Simon Horman <horms@...nel.org>,
"Tetreault, Francois" <ftetreau@...na.com>, netdev@...r.kernel.org,
Steen Hegelund <Steen.Hegelund@...rochip.com>,
Jonathan Corbet <corbet@....net>, linux-doc@...r.kernel.org
Subject: [PATCH v16 net-next 00/23] net/tcp: Add TCP-AO support
Hi,
This is version 16 of TCP-AO support. It addresses the build warning
in the middle of patch set, reported by kernel test robot.
There's one Sparse warning introduced by tcp_sigpool_start():
__cond_acquires() seems to currently being broken. I've described
the reasoning for it on v9 cover letter. Also, checkpatch.pl warnings
were addressed, but yet I've left the ones that are more personal
preferences (i.e. 80 columns limit). Please, ping me if you have
a strong feeling about one of them.
The following changes since commit d6e48462e88fe7efc78b455ecde5b0ca43ec50b7:
net: mdio: xgene: Fix unused xgene_mdio_of_match warning for !CONFIG_OF (2023-10-23 10:16:47 -0700)
are available in the Git repository at:
git@...hub.com:0x7f454c46/linux.git tcp-ao-v16
for you to fetch changes up to 4d4eb816c47537ba31912dd5c8d7a68a69694fc6:
Documentation/tcp: Add TCP-AO documentation (2023-10-23 18:49:17 +0100)
----------------------------------------------------------------
And another branch with selftests, that will be sent later separately:
git@...hub.com:0x7f454c46/linux.git tcp-ao-v16-with-selftests
Thanks for your time and reviews,
Dmitry
--- Changelog ---
Changes from v15:
- Fix build warning on RST patch in tcp_ao_prepare_reset(), now 'else'
is dropped. Added back by later patch that wires up reqsk.
(kernel test robot <lkp@...el.com>)
Version 15: https://lore.kernel.org/all/20231018205806.322831-1-dima@arista.com/
Changes from v14:
- selftests: Refactored (enum test_fault) into tcp_ao selftest's lib/
- selftests: Refactored should_skip_test(), TEST_NEEDS_MD5,
TEST_NEEDS_VRF, check_*_support() into lib/kconfig.c
- selftests: checked that tests are properly SKIPed when kernel config
doesn't have required options enabled: net_ns, veth, tcp_ao and
optionally tcp_md5, net_vrf
- Corrected Simon's email as his corigine address bounces back
- Fix missed ifdeffery for rcu_read_lock() in tcp_v6_send_reset()
(kernel test robot <oliver.sang@...el.com>)
- Move tcp_key::sne after tcp_key::traffic_key to avoid a hole (Eric)
- In patch that wires up RST packets move TCPF_TIME_WAIT sk_state check
to (TCPF_LISTEN | TCPF_NEW_SYN_RECV) checks in
tcp_ao_prepare_reset(). (Eric)
- Converted tcp_ao_info::refcnt from atomic_t to refcount_t (Eric)
- Removed TODO comment in tcp_ao_connect_init(): can't happen because of
the checks in tcp_connect(). Added WARN_ON_ONCE() if anything gets
broken.
Version 14: https://lore.kernel.org/all/20231009230722.76268-1-dima@arista.com/T/#u
Changes from v13:
- Converted Documentation/ page from human unreadable list-table::
to grid-table(s) (Jonathan)
Version 13: https://lore.kernel.org/all/20231004223629.166300-1-dima@arista.com/T/#u
Changes from v12:
- Separate TCP-AO sign from __tcp_transmit_skb() into a separate
function for code locality and readability (Paolo)
- Add TCP-AO self-connect selftest, which by its nature is a selftest
for TCP simultaneous open, use different keyids and check tcp repair
- Fix simultaneous open: take correct ISNs for verification,
pre-calculate sending traffic key on SYN-ACK, calculate receiving
traffic key before going into TCP_ESTABLISHED
- Use kfree_sensitive() for hardening purposes
- Use READ_ONCE() on sk->sk_family when not under socket lock to prevent
any possible race with IPV6_ADDRFORM
Version 12: https://lore.kernel.org/all/20230918190027.613430-1-dima@arista.com/T/#u
Changes from v11:
- Define (struct tcp_key) for tcp-fast path and detect by type what key
was used. This also benefits from TCP-MD5/TCP-AO static branches (Eric)
- Remove sk_gso_disable() from TCP-AO fast-path in __tcp_transmit_skb()
(Eric)
- Don't leak skb on failed kmalloc() in __tcp_transmit_skb() (Eric)
- skb_dst_drop() is not necessary as kfree_skb() calls it (Eric)
- Don't dereference tcp_ao_key in net_warn_ratelimited(), outside of
rcu_read_lock() (Eric)
Version 11: https://lore.kernel.org/all/20230911210346.301750-1-dima@arista.com/T/#u
Changes from v10:
- Make seq (u32) in tcp_ao_prepare_reset() and declare the argument
in "net/tcp: Add TCP-AO SNE support", where it gets used (Simon)
- Fix rebase artifact in tcp_v6_reqsk_send_ack(), which adds
compile-error on a patch in the middle of series (Simon)
- Another rebase artifact in tcp_v6_reqsk_send_ack() that makes
keyid, requested by peer on ipv6 reqsk ACKs not respected (Simon)
Version 10: https://lore.kernel.org/all/20230815191455.1872316-1-dima@arista.com/T/#u
The pre-v10 changelog is on version 10 cover-letter.
Cc: Andy Lutomirski <luto@...capital.net>
Cc: Ard Biesheuvel <ardb@...nel.org>
Cc: Bob Gilligan <gilligan@...sta.com>
Cc: Dan Carpenter <error27@...il.com>
Cc: David Ahern <dsahern@...nel.org>
Cc: David Laight <David.Laight@...lab.com>
Cc: "David S. Miller" <davem@...emloft.net>
Cc: Dmitry Safonov <0x7f454c46@...il.com>
Cc: Donald Cassidy <dcassidy@...hat.com>
Cc: Eric Biggers <ebiggers@...nel.org>
Cc: Eric Dumazet <edumazet@...gle.com>
Cc: "Eric W. Biederman" <ebiederm@...ssion.com>
Cc: Francesco Ruggeri <fruggeri05@...il.com>
Cc: Gaillardetz, Dominik <dgaillar@...na.com>
Cc: Herbert Xu <herbert@...dor.apana.org.au>
Cc: Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org>
Cc: Ivan Delalande <colona@...sta.com>
Cc: Jakub Kicinski <kuba@...nel.org>
Cc: Leonard Crestez <cdleonard@...il.com>
Cc: Nassiri, Mohammad <mnassiri@...na.com>
Cc: Paolo Abeni <pabeni@...hat.com>
Cc: Salam Noureddine <noureddine@...sta.com>
Cc: Simon Horman <horms@...nel.org>
Cc: Tetreault, Francois <ftetreau@...na.com>
Cc: netdev@...r.kernel.org
Cc: linux-kernel@...r.kernel.org
Dmitry Safonov (23):
net/tcp: Prepare tcp_md5sig_pool for TCP-AO
net/tcp: Add TCP-AO config and structures
net/tcp: Introduce TCP_AO setsockopt()s
net/tcp: Prevent TCP-MD5 with TCP-AO being set
net/tcp: Calculate TCP-AO traffic keys
net/tcp: Add TCP-AO sign to outgoing packets
net/tcp: Add tcp_parse_auth_options()
net/tcp: Add AO sign to RST packets
net/tcp: Add TCP-AO sign to twsk
net/tcp: Wire TCP-AO to request sockets
net/tcp: Sign SYN-ACK segments with TCP-AO
net/tcp: Verify inbound TCP-AO signed segments
net/tcp: Add TCP-AO segments counters
net/tcp: Add TCP-AO SNE support
net/tcp: Add tcp_hash_fail() ratelimited logs
net/tcp: Ignore specific ICMPs for TCP-AO connections
net/tcp: Add option for TCP-AO to (not) hash header
net/tcp: Add TCP-AO getsockopt()s
net/tcp: Allow asynchronous delete for TCP-AO keys (MKTs)
net/tcp: Add static_key for TCP-AO
net/tcp: Wire up l3index to TCP-AO
net/tcp: Add TCP_AO_REPAIR
Documentation/tcp: Add TCP-AO documentation
Documentation/networking/index.rst | 1 +
Documentation/networking/tcp_ao.rst | 444 +++++
include/linux/sockptr.h | 23 +
include/linux/tcp.h | 30 +-
include/net/dropreason-core.h | 30 +
include/net/tcp.h | 288 +++-
include/net/tcp_ao.h | 362 ++++
include/uapi/linux/snmp.h | 5 +
include/uapi/linux/tcp.h | 105 ++
net/ipv4/Kconfig | 17 +
net/ipv4/Makefile | 2 +
net/ipv4/proc.c | 5 +
net/ipv4/syncookies.c | 4 +
net/ipv4/tcp.c | 246 +--
net/ipv4/tcp_ao.c | 2392 +++++++++++++++++++++++++++
net/ipv4/tcp_input.c | 98 +-
net/ipv4/tcp_ipv4.c | 363 +++-
net/ipv4/tcp_minisocks.c | 50 +-
net/ipv4/tcp_output.c | 236 ++-
net/ipv4/tcp_sigpool.c | 358 ++++
net/ipv6/Makefile | 1 +
net/ipv6/syncookies.c | 5 +
net/ipv6/tcp_ao.c | 168 ++
net/ipv6/tcp_ipv6.c | 376 +++--
24 files changed, 5174 insertions(+), 435 deletions(-)
create mode 100644 Documentation/networking/tcp_ao.rst
create mode 100644 include/net/tcp_ao.h
create mode 100644 net/ipv4/tcp_ao.c
create mode 100644 net/ipv4/tcp_sigpool.c
create mode 100644 net/ipv6/tcp_ao.c
base-commit: d6e48462e88fe7efc78b455ecde5b0ca43ec50b7
--
2.42.0
Powered by blists - more mailing lists