lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 28 Jan 2019 10:22:50 -0800
From:   Tom Herbert <tom@...bertland.com>
To:     davem@...emloft.net, netdev@...r.kernel.org
Cc:     Tom Herbert <tom@...ntonium.net>
Subject: [PATCH v2 net-next 0/5] ipv6: Rework infrastructure for TLV options in extension headers

This patch set implements an infrastructure to allow fine grained
control over IPv6 Destination and Hop-by-Hop TLV options. This
includes being able to registers handlers for receiving options as
well as a set of parameters that sets permissions for who may send a
TLV option and the preferred format of a list of options.

The goal of the patch is to enable broader use cases of IPv6 options,
including those for which non-privileged users can send options. In
order to curtail misuse of options in such cases, a number of
requirements on how the option may be sent and formatted is
enforced.

Particular features are:

- A single TLV paramters table containing the information about each
  TLV is defined. Lookups are simple offset accesses to the table
  based on TLV type. Both receiving and sending properties of TLVs
  are maintained in the table.
- Allow registration/deregistration of receive handlers for specific
  TLVs.
- Describe the properties of sending different TLVs in a TLV parameter
  table. The parameter table can be managed via netlink.
- Allow non-privileged users to send TLVs for which they have been
  granted permission.
- Provide a deep validation of TLVs and TLV lists to enforce specific
  limits and permission in order to thwart misuse of TLVs.
- Define a canonical format for sending TLVs that includes a
  preferred order, option alignment, minimal padding between TLVs.
- Allow individual TLVs to be added or set in txoptions list on a
  socket.

Tested: Write and read different TLVs on a socket via setsockopt
and getsockopt. Flow is add individual TLV, read back options,
set read option on new socket as a list. Verify options are
properly sent and received. Used a modified ip command in iproute2
to test managing the TLV parameter via netlink.

v2:
   - Change the TLV parameters table to be an array of u8s as
     opposed to pointers. Each entry gives the offset into
     a second array of TLV parameters structures. This reduces
     the memory footprint needed for the table but still allows
     O(1) lookups on TLV type.


Tom Herbert (5):
  exthdrs: Create exthdrs_options.c
  exthdrs: Registration of TLV handlers and parameters
  ip6tlvs: Add netlink interface
  ip6tlvs: Validation of TX Destination and Hop-by-Hop options
  ip6tlvs: API to set and remove individual TLVs from DO or HBH EH

 include/net/ipv6.h         |   82 ++
 include/uapi/linux/in6.h   |   58 ++
 net/ipv6/Makefile          |    2 +-
 net/ipv6/datagram.c        |   27 +-
 net/ipv6/exthdrs.c         |  389 +---------
 net/ipv6/exthdrs_options.c | 1798 ++++++++++++++++++++++++++++++++++++++++++++
 net/ipv6/ipv6_sockglue.c   |  110 ++-
 7 files changed, 2089 insertions(+), 377 deletions(-)
 create mode 100644 net/ipv6/exthdrs_options.c

-- 
2.7.4

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ