[PATCH v8 13/26] tcp: authopt: Add NOSEND/NORECV flags

From: Leonard Crestez
Date: Mon Sep 05 2022 - 03:08:26 EST


Add flags to allow marking individual keys and invalid for send or recv.
Making keys assymetric this way is not mentioned in RFC5925 but RFC8177
requires that keys inside a keychain have independent "accept" and
"send" lifetimes.

Flag names are negative so that the default behavior is for keys to be
valid for both send and recv.

Setting both NOSEND and NORECV for a certain peer address can be used on
a listen socket can be used to mean "TCP-AO is required from this peer
but no keys are currently valid".

Signed-off-by: Leonard Crestez <cdleonard@xxxxxxxxx>
---
include/uapi/linux/tcp.h | 4 ++++
net/ipv4/tcp_authopt.c | 9 ++++++++-
2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/include/uapi/linux/tcp.h b/include/uapi/linux/tcp.h
index 76d7be6b27f4..75107a7fd935 100644
--- a/include/uapi/linux/tcp.h
+++ b/include/uapi/linux/tcp.h
@@ -369,15 +369,19 @@ struct tcp_authopt {
* enum tcp_authopt_key_flag - flags for `tcp_authopt.flags`
*
* @TCP_AUTHOPT_KEY_DEL: Delete the key and ignore non-id fields
* @TCP_AUTHOPT_KEY_EXCLUDE_OPTS: Exclude TCP options from signature
* @TCP_AUTHOPT_KEY_ADDR_BIND: Key only valid for `tcp_authopt.addr`
+ * @TCP_AUTHOPT_KEY_NOSEND: Key invalid for send (expired)
+ * @TCP_AUTHOPT_KEY_NORECV: Key invalid for recv (expired)
*/
enum tcp_authopt_key_flag {
TCP_AUTHOPT_KEY_DEL = (1 << 0),
TCP_AUTHOPT_KEY_EXCLUDE_OPTS = (1 << 1),
TCP_AUTHOPT_KEY_ADDR_BIND = (1 << 2),
+ TCP_AUTHOPT_KEY_NOSEND = (1 << 4),
+ TCP_AUTHOPT_KEY_NORECV = (1 << 5),
};

/**
* enum tcp_authopt_alg - Algorithms for TCP Authentication Option
*/
diff --git a/net/ipv4/tcp_authopt.c b/net/ipv4/tcp_authopt.c
index 0672a3bf5686..4dc2fe541498 100644
--- a/net/ipv4/tcp_authopt.c
+++ b/net/ipv4/tcp_authopt.c
@@ -353,10 +353,12 @@ static struct tcp_authopt_key_info *tcp_authopt_lookup_send(struct netns_tcp_aut

hlist_for_each_entry_rcu(key, &net->head, node, 0) {
if (key->flags & TCP_AUTHOPT_KEY_ADDR_BIND)
if (!tcp_authopt_key_match_sk_addr(key, addr_sk))
continue;
+ if (key->flags & TCP_AUTHOPT_KEY_NOSEND)
+ continue;
if (result && net_ratelimit())
pr_warn("ambiguous tcp authentication keys configured for send\n");
result = key;
}

@@ -504,11 +506,13 @@ int tcp_get_authopt_val(struct sock *sk, struct tcp_authopt *opt)
}

#define TCP_AUTHOPT_KEY_KNOWN_FLAGS ( \
TCP_AUTHOPT_KEY_DEL | \
TCP_AUTHOPT_KEY_EXCLUDE_OPTS | \
- TCP_AUTHOPT_KEY_ADDR_BIND)
+ TCP_AUTHOPT_KEY_ADDR_BIND | \
+ TCP_AUTHOPT_KEY_NOSEND | \
+ TCP_AUTHOPT_KEY_NORECV)

int tcp_set_authopt_key(struct sock *sk, sockptr_t optval, unsigned int optlen)
{
struct tcp_authopt_key opt;
struct tcp_authopt_info *info;
@@ -1383,10 +1387,13 @@ static struct tcp_authopt_key_info *tcp_authopt_lookup_recv(struct sock *sk,
hlist_for_each_entry_rcu(key, &net->head, node, 0) {
if (key->flags & TCP_AUTHOPT_KEY_ADDR_BIND &&
!tcp_authopt_key_match_skb_addr(key, skb))
continue;
*anykey = true;
+ // If only keys with norecv flag are present still consider that
+ if (key->flags & TCP_AUTHOPT_KEY_NORECV)
+ continue;
if (recv_id >= 0 && key->recv_id != recv_id)
continue;
if (!result)
result = key;
else if (result)
--
2.25.1