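/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
 * TCP Authentication Option (TCP-AO, RFC 5925): key and per-socket state
 * layout shared by the IPv4 and IPv6 TCP code, the prototypes of the
 * TCP-AO entry points, and the no-op fallbacks used when CONFIG_TCP_AO
 * is compiled out.
 */
#ifndef _TCP_AO_H
#define _TCP_AO_H

/* Alignment applied to the master key bytes embedded in struct tcp_ao_key. */
#define TCP_AO_KEY_ALIGN	1
#define __tcp_ao_key_align __aligned(TCP_AO_KEY_ALIGN)

/* Peer address a key is matched against; ::a6 exists only with IPv6 built in. */
union tcp_ao_addr {
	struct in_addr  a4;
#if IS_ENABLED(CONFIG_IPV6)
	struct in6_addr	a6;
#endif
};

/* On-the-wire TCP-AO option header (RFC 5925); the MAC follows it. */
struct tcp_ao_hdr {
	u8	kind;
	u8	length;
	u8	keyid;
	u8	rnext_keyid;
};

/* Per-socket TCP-AO packet counters. */
struct tcp_ao_counters {
	atomic64_t	pkt_good;
	atomic64_t	pkt_bad;
	atomic64_t	key_not_found;
	atomic64_t	ao_required;
	atomic64_t	dropped_icmp;
};

/*
 * One Master Key Tuple (MKT). Objects are linked on tcp_ao_info::head,
 * freed through ::rcu, and are variable-sized: the trailing ::traffic_keys
 * array holds two derived traffic keys of ::digest_size bytes each
 * (receive first, then send; see rcv_other_key()/snd_other_key() and
 * tcp_ao_sizeof_key()).
 */
struct tcp_ao_key {
	struct hlist_node	node;
	union tcp_ao_addr	addr;
	/* Master key material; ::keylen presumably gives the used length. */
	u8			key[TCP_AO_MAXKEYLEN] __tcp_ao_key_align;
	unsigned int		tcp_sigpool_id;
	/* Length of each derived traffic key, in bytes. */
	unsigned int		digest_size;
	int			l3index;
	u8			prefixlen;
	u8			family;
	u8			keylen;
	u8			keyflags;
	/* Key IDs used for lookup (see the sndid/rcvid lookup parameters). */
	u8			sndid;
	u8			rcvid;
	/* MAC length carried on the wire after the option header. */
	u8			maclen;
	struct rcu_head		rcu;
	atomic64_t		pkt_good;
	atomic64_t		pkt_bad;
	u8			traffic_keys[];
};

/* Receive-side traffic key: the first ::digest_size bytes of ::traffic_keys. */
static inline u8 *rcv_other_key(struct tcp_ao_key *key)
{
	return key->traffic_keys;
}

/* Send-side traffic key: the second ::digest_size bytes of ::traffic_keys. */
static inline u8 *snd_other_key(struct tcp_ao_key *key)
{
	return key->traffic_keys + key->digest_size;
}

/* Length of the MAC this key produces, in bytes. */
static inline int tcp_ao_maclen(const struct tcp_ao_key *key)
{
	return key->maclen;
}

/* Total size of the TCP-AO option for this key: header plus MAC. */
static inline int tcp_ao_len(const struct tcp_ao_key *key)
{
	return tcp_ao_maclen(key) + sizeof(struct tcp_ao_hdr);
}

/* Length of one derived traffic key, in bytes. */
static inline unsigned int tcp_ao_digest_size(const struct tcp_ao_key *key)
{
	return key->digest_size;
}

/*
 * Allocation size of a key object: the fixed struct plus the two
 * ::digest_size-byte traffic keys stored in the flexible array.
 */
static inline int tcp_ao_sizeof_key(const struct tcp_ao_key *key)
{
	return sizeof(struct tcp_ao_key) + (key->digest_size << 1);
}

/* Per-socket TCP-AO state, reachable from the socket and freed via RCU. */
struct tcp_ao_info {
	/* List of tcp_ao_key's */
	struct hlist_head	head;
	/* current_key and rnext_key aren't maintained on listen sockets.
	 * Their purpose is to cache keys on established connections,
	 * saving needless lookups. Never dereference any of them from
	 * listen sockets.
	 * ::current_key may change in RX to the key that was requested by
	 * the peer, please use READ_ONCE()/WRITE_ONCE() in order to avoid
	 * load/store tearing.
	 * Do the same for ::rnext_key, if you don't hold socket lock
	 * (it's changed only by userspace request in setsockopt()).
	 */
	struct tcp_ao_key	*current_key;
	struct tcp_ao_key	*rnext_key;
	struct tcp_ao_counters	counters;
	u32			ao_required	:1,
				accept_icmps	:1,
				__unused	:30;
	/* Local and remote initial sequence numbers. */
	__be32			lisn;
	__be32			risn;
	/* Sequence Number Extension (SNE) are upper 4 bytes for SEQ,
	 * that protect TCP-AO connection from replayed old TCP segments.
	 * See RFC5925 (6.2).
	 * In order to get correct SNE, there's a helper tcp_ao_compute_sne().
	 * It needs SEQ basis to understand whereabouts are lower SEQ numbers.
	 * According to that basis vector, it can provide incremented SNE
	 * when SEQ rolls over or provide decremented SNE when there's
	 * a retransmitted segment from before-rolling over.
	 * - for request sockets such basis is rcv_isn/snt_isn, which seems
	 *   good enough as it's unexpected to receive 4 Gbytes on reqsk.
	 * - for full sockets the basis is rcv_nxt/snd_una. snd_una is
	 *   taken instead of snd_nxt as currently it's easier to track
	 *   in tcp_snd_una_update(), rather than updating SNE in all
	 *   WRITE_ONCE(tp->snd_nxt, ...)
	 * - for time-wait sockets the basis is tw_rcv_nxt/tw_snd_nxt.
	 *   tw_snd_nxt is not expected to change, while tw_rcv_nxt may.
	 */
	u32			snd_sne;
	u32			rcv_sne;
	refcount_t		refcnt;		/* Protects twsk destruction */
	struct rcu_head		rcu;
};

/*
 * Rate-limited log line for a failed segment authentication check.
 * Prints @msg, the 4-tuple of @skb (IPv4 or IPv6 according to @family),
 * a short string of the segment's FIN/SYN/RST/ACK flags and then @fmt.
 *
 * hdr_flags must hold up to four flag letters, the separating space and
 * the NUL terminator, i.e. six bytes; the zero-initialiser supplies the
 * terminator. With only five bytes a segment carrying all four flags
 * leaves the string unterminated and "%s" reads past the array.
 */
#define tcp_hash_fail(msg, family, skb, fmt, ...)			\
do {									\
	const struct tcphdr *th = tcp_hdr(skb);				\
	char hdr_flags[6] = {};						\
	char *f = hdr_flags;						\
									\
	if (th->fin)							\
		*f++ = 'F';						\
	if (th->syn)							\
		*f++ = 'S';						\
	if (th->rst)							\
		*f++ = 'R';						\
	if (th->ack)							\
		*f++ = 'A';						\
	if (f != hdr_flags)						\
		*f = ' ';						\
	if ((family) == AF_INET) {					\
		net_info_ratelimited("%s for (%pI4, %d)->(%pI4, %d) %s" fmt "\n", \
				msg, &ip_hdr(skb)->saddr, ntohs(th->source), \
				&ip_hdr(skb)->daddr, ntohs(th->dest),	\
				hdr_flags, ##__VA_ARGS__);		\
	} else {							\
		net_info_ratelimited("%s for [%pI6c]:%u->[%pI6c]:%u %s" fmt "\n", \
				msg, &ipv6_hdr(skb)->saddr, ntohs(th->source), \
				&ipv6_hdr(skb)->daddr, ntohs(th->dest),	\
				hdr_flags, ##__VA_ARGS__);		\
	}								\
} while (0)

#ifdef CONFIG_TCP_AO
/* TCP-AO structures and functions */
#include <linux/jump_label.h>
/* Static branch that gates the TCP-AO fast-path checks. */
extern struct static_key_false_deferred tcp_ao_needed;

/* IPv4 context hashed into a traffic key: addresses, ports and ISNs. */
struct tcp4_ao_context {
	__be32		saddr;
	__be32		daddr;
	__be16		sport;
	__be16		dport;
	__be32		sisn;
	__be32		disn;
};

/* IPv6 counterpart of struct tcp4_ao_context. */
struct tcp6_ao_context {
	struct in6_addr	saddr;
	struct in6_addr	daddr;
	__be16		sport;
	__be16		dport;
	__be32		sisn;
	__be32		disn;
};

struct tcp_sigpool;
/* Socket states in which a connection counts as established for TCP-AO. */
#define TCP_AO_ESTABLISHED (TCPF_ESTABLISHED | TCPF_FIN_WAIT1 | TCPF_FIN_WAIT2 | \
			    TCPF_CLOSE | TCPF_CLOSE_WAIT | \
			    TCPF_LAST_ACK | TCPF_CLOSING)

/*
 * Core entry points. The subset that callers use unconditionally has a
 * fallback definition in the #else branch below.
 */
int tcp_ao_transmit_skb(struct sock *sk, struct sk_buff *skb,
			struct tcp_ao_key *key, struct tcphdr *th,
			__u8 *hash_location);
int tcp_ao_hash_skb(unsigned short int family,
		    char *ao_hash, struct tcp_ao_key *key,
		    const struct sock *sk, const struct sk_buff *skb,
		    const u8 *tkey, int hash_offset, u32 sne);
int tcp_parse_ao(struct sock *sk, int cmd, unsigned short int family,
		 sockptr_t optval, int optlen);
struct tcp_ao_key *tcp_ao_established_key(struct tcp_ao_info *ao,
					  int sndid, int rcvid);
int tcp_ao_copy_all_matching(const struct sock *sk, struct sock *newsk,
			     struct request_sock *req, struct sk_buff *skb,
			     int family);
int tcp_ao_calc_traffic_key(struct tcp_ao_key *mkt, u8 *key, void *ctx,
			    unsigned int len, struct tcp_sigpool *hp);
void tcp_ao_destroy_sock(struct sock *sk, bool twsk);
void tcp_ao_time_wait(struct tcp_timewait_sock *tcptw, struct tcp_sock *tp);
bool tcp_ao_ignore_icmp(const struct sock *sk, int family, int type, int code);
int tcp_ao_get_mkts(struct sock *sk, sockptr_t optval, sockptr_t optlen);
int tcp_ao_get_sock_info(struct sock *sk, sockptr_t optval, sockptr_t optlen);
int tcp_ao_get_repair(struct sock *sk, sockptr_t optval, sockptr_t optlen);
int tcp_ao_set_repair(struct sock *sk, sockptr_t optval, unsigned int optlen);
enum skb_drop_reason tcp_inbound_ao_hash(struct sock *sk,
		const struct sk_buff *skb, unsigned short int family,
		const struct request_sock *req, int l3index,
		const struct tcp_ao_hdr *aoh);
u32 tcp_ao_compute_sne(u32 next_sne, u32 next_seq, u32 seq);
struct tcp_ao_key *tcp_ao_do_lookup(const struct sock *sk, int l3index,
				    const union tcp_ao_addr *addr,
				    int family, int sndid, int rcvid);
int tcp_ao_hash_hdr(unsigned short family, char *ao_hash,
		    struct tcp_ao_key *key, const u8 *tkey,
		    const union tcp_ao_addr *daddr,
		    const union tcp_ao_addr *saddr,
		    const struct tcphdr *th, u32 sne);
int tcp_ao_prepare_reset(const struct sock *sk, struct sk_buff *skb,
			 const struct tcp_ao_hdr *aoh, int l3index, u32 seq,
			 struct tcp_ao_key **key, char **traffic_key,
			 bool *allocated_traffic_key, u8 *keyid, u32 *sne);

/* ipv4 specific functions */
int tcp_v4_parse_ao(struct sock *sk, int cmd, sockptr_t optval, int optlen);
struct tcp_ao_key *tcp_v4_ao_lookup(const struct sock *sk, struct sock *addr_sk,
				    int sndid, int rcvid);
int tcp_v4_ao_synack_hash(char *ao_hash, struct tcp_ao_key *mkt,
			  struct request_sock *req, const struct sk_buff *skb,
			  int hash_offset, u32 sne);
int tcp_v4_ao_calc_key_sk(struct tcp_ao_key *mkt, u8 *key,
			  const struct sock *sk,
			  __be32 sisn, __be32 disn, bool send);
int tcp_v4_ao_calc_key_rsk(struct tcp_ao_key *mkt, u8 *key,
			   struct request_sock *req);
struct tcp_ao_key *tcp_v4_ao_lookup_rsk(const struct sock *sk,
					struct request_sock *req,
					int sndid, int rcvid);
int tcp_v4_ao_hash_skb(char *ao_hash, struct tcp_ao_key *key,
		       const struct sock *sk, const struct sk_buff *skb,
		       const u8 *tkey, int hash_offset, u32 sne);
/* ipv6 specific functions */
int tcp_v6_ao_hash_pseudoheader(struct tcp_sigpool *hp,
				const struct in6_addr *daddr,
				const struct in6_addr *saddr, int nbytes);
int tcp_v6_ao_calc_key_skb(struct tcp_ao_key *mkt, u8 *key,
			   const struct sk_buff *skb, __be32 sisn, __be32 disn);
int tcp_v6_ao_calc_key_sk(struct tcp_ao_key *mkt, u8 *key,
			  const struct sock *sk, __be32 sisn,
			  __be32 disn, bool send);
int tcp_v6_ao_calc_key_rsk(struct tcp_ao_key *mkt, u8 *key,
			   struct request_sock *req);
struct tcp_ao_key *tcp_v6_ao_lookup(const struct sock *sk,
				    struct sock *addr_sk, int sndid, int rcvid);
struct tcp_ao_key *tcp_v6_ao_lookup_rsk(const struct sock *sk,
					struct request_sock *req,
					int sndid, int rcvid);
int tcp_v6_ao_hash_skb(char *ao_hash, struct tcp_ao_key *key,
		       const struct sock *sk, const struct sk_buff *skb,
		       const u8 *tkey, int hash_offset, u32 sne);
int tcp_v6_parse_ao(struct sock *sk, int cmd, sockptr_t optval, int optlen);
int tcp_v6_ao_synack_hash(char *ao_hash, struct tcp_ao_key *ao_key,
			  struct request_sock *req, const struct sk_buff *skb,
			  int hash_offset, u32 sne);
void tcp_ao_established(struct sock *sk);
void tcp_ao_finish_connect(struct sock *sk, struct sk_buff *skb);
void tcp_ao_connect_init(struct sock *sk);
void tcp_ao_syncookie(struct sock *sk, const struct sk_buff *skb,
		      struct tcp_request_sock *treq,
		      unsigned short int family, int l3index);
#else /* CONFIG_TCP_AO */

/*
 * Fallbacks with TCP-AO compiled out: the transmit hook does nothing and
 * reports success, the inbound hook never rejects a segment (no MAC is
 * verified), key lookups find nothing, the state hooks are no-ops and the
 * get/setsockopt handlers fail with -ENOPROTOOPT.
 */
static inline int tcp_ao_transmit_skb(struct sock *sk, struct sk_buff *skb,
				      struct tcp_ao_key *key, struct tcphdr *th,
				      __u8 *hash_location)
{
	return 0;
}

static inline void tcp_ao_syncookie(struct sock *sk, const struct sk_buff *skb,
				    struct tcp_request_sock *treq,
				    unsigned short int family, int l3index)
{
}

static inline bool tcp_ao_ignore_icmp(const struct sock *sk, int family,
				      int type, int code)
{
	return false;
}

static inline enum skb_drop_reason tcp_inbound_ao_hash(struct sock *sk,
		const struct sk_buff *skb, unsigned short int family,
		const struct request_sock *req, int l3index,
		const struct tcp_ao_hdr *aoh)
{
	return SKB_NOT_DROPPED_YET;
}

static inline struct tcp_ao_key *tcp_ao_do_lookup(const struct sock *sk,
		int l3index, const union tcp_ao_addr *addr,
		int family, int sndid, int rcvid)
{
	return NULL;
}

static inline void tcp_ao_destroy_sock(struct sock *sk, bool twsk)
{
}

static inline void tcp_ao_established(struct sock *sk)
{
}

static inline void tcp_ao_finish_connect(struct sock *sk, struct sk_buff *skb)
{
}

static inline void tcp_ao_time_wait(struct tcp_timewait_sock *tcptw,
				    struct tcp_sock *tp)
{
}

static inline void tcp_ao_connect_init(struct sock *sk)
{
}

static inline int tcp_ao_get_mkts(struct sock *sk, sockptr_t optval, sockptr_t optlen)
{
	return -ENOPROTOOPT;
}

static inline int tcp_ao_get_sock_info(struct sock *sk, sockptr_t optval, sockptr_t optlen)
{
	return -ENOPROTOOPT;
}

static inline int tcp_ao_get_repair(struct sock *sk,
				    sockptr_t optval, sockptr_t optlen)
{
	return -ENOPROTOOPT;
}

static inline int tcp_ao_set_repair(struct sock *sk,
				    sockptr_t optval, unsigned int optlen)
{
	return -ENOPROTOOPT;
}
#endif

#if defined(CONFIG_TCP_MD5SIG) || defined(CONFIG_TCP_AO)
/* Locate the MD5 and/or AO option payloads in @th, if present. */
int tcp_do_parse_auth_options(const struct tcphdr *th,
			      const u8 **md5_hash, const u8 **ao_hash);
#else
/* Neither authentication option is built in: report both as absent. */
static inline int tcp_do_parse_auth_options(const struct tcphdr *th,
		const u8 **md5_hash, const u8 **ao_hash)
{
	*md5_hash = NULL;
	*ao_hash = NULL;
	return 0;
}
#endif

#endif /* _TCP_AO_H */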