Commit d49e3a9f authored by David S. Miller's avatar David S. Miller
Browse files

Merge branch 'inet_diag-TCP-MD5' 



Ivan Delalande says:

====================
inet_diag: report TCP MD5 signing keys and addresses

Allow userspace to retrieve MD5 signature keys and addresses configured
on TCP sockets through inet_diag.

Thanks to Eric Dumazet and Stephen Hemminger for their useful
explanations and feedback.

v5: - memset the whole netlink payload after it has been nla_reserve-d
      in tcp_diag_put_md5sig (a third memset had to be added for
      tcpm_key so we might as well have just one for entire region).
    - move the nla_total_size call from inet_sk_attr_size to the
      idiag_get_aux_size defined by protocols as they could add multiple
      netlink attributes,
    - add check for net_admin in tcp_diag_get_aux_size.

v4: - add new struct tcp_diag_md5sig to report the data instead of
      tcp_md5sig to avoid wasting 112 bytes on every tcpm_addr,
    - memset tcpm_addr on IPv4 addresses to avoid leaks,
    - style fix in inet_diag_dump_one_icsk.

v3: - rename inet_diag_*md5sig in tcp_diag.c to tcp_diag_* for
      consistency,
    - don't lock the socket in tcp_diag_put_md5sig,
    - add checks on md5sig_count in tcp_diag_put_md5sig to not create
      the netlink attribute if the list is empty, and to avoid overflows
      or memory leaks if the list has changed in the meantime.

v2: - move changes to tcp_diag.c and extend inet_diag_handler to allow
      protocols to provide additional data on INET_DIAG_INFO,
    - lock socket before calling tcp_diag_put_md5sig.

I also have a patch for iproute2/ss to test this change, making it print
this new attribute. I'm planning to polish and send it if this series
gets applied.
====================

Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents 6391c4f6 c03fa9bc

include/linux/inet_diag.h

+7 −0
Original line number Diff line number Diff line
@@ -25,6 +25,13 @@ struct inet_diag_handler { 
					  struct inet_diag_msg *r,

					  void *info);



	int		(*idiag_get_aux)(struct sock *sk,

					 bool net_admin,

					 struct sk_buff *skb);



	size_t		(*idiag_get_aux_size)(struct sock *sk,

					      bool net_admin);



	int		(*destroy)(struct sk_buff *in_skb,

				   const struct inet_diag_req_v2 *req);

include/uapi/linux/inet_diag.h

+1 −0
Original line number Diff line number Diff line
@@ -143,6 +143,7 @@ enum { 
	INET_DIAG_MARK,

	INET_DIAG_BBRINFO,

	INET_DIAG_CLASS_ID,

	INET_DIAG_MD5SIG,

	__INET_DIAG_MAX,

};

include/uapi/linux/tcp.h

+9 −0
Original line number Diff line number Diff line
@@ -256,4 +256,13 @@ struct tcp_md5sig { 
	__u8	tcpm_key[TCP_MD5SIG_MAXKEYLEN];		/* key (binary) */

};



/* INET_DIAG_MD5SIG */

struct tcp_diag_md5sig {

	__u8	tcpm_family;

	__u8	tcpm_prefixlen;

	__u16	tcpm_keylen;

	__be32	tcpm_addr[4];

	__u8	tcpm_key[TCP_MD5SIG_MAXKEYLEN];

};



#endif /* _UAPI_LINUX_TCP_H */

net/ipv4/inet_diag.c

+18 −4
Original line number Diff line number Diff line
@@ -93,8 +93,17 @@ void inet_diag_msg_common_fill(struct inet_diag_msg *r, struct sock *sk) 
}

EXPORT_SYMBOL_GPL(inet_diag_msg_common_fill);



static size_t inet_sk_attr_size(void)

static size_t inet_sk_attr_size(struct sock *sk,

				const struct inet_diag_req_v2 *req,

				bool net_admin)

{

	const struct inet_diag_handler *handler;

	size_t aux = 0;



	handler = inet_diag_table[req->sdiag_protocol];

	if (handler && handler->idiag_get_aux_size)

		aux = handler->idiag_get_aux_size(sk, net_admin);



	return	  nla_total_size(sizeof(struct tcp_info))

		+ nla_total_size(1) /* INET_DIAG_SHUTDOWN */

		+ nla_total_size(1) /* INET_DIAG_TOS */
@@ -105,6 +114,7 @@ static size_t inet_sk_attr_size(void) 
		+ nla_total_size(SK_MEMINFO_VARS * sizeof(u32))

		+ nla_total_size(TCP_CA_NAME_MAX)

		+ nla_total_size(sizeof(struct tcpvegas_info))

		+ aux

		+ 64;

}
@@ -260,6 +270,10 @@ int inet_sk_diag_fill(struct sock *sk, struct inet_connection_sock *icsk, 


	handler->idiag_get_info(sk, r, info);



	if (ext & (1 << (INET_DIAG_INFO - 1)) && handler->idiag_get_aux)

		if (handler->idiag_get_aux(sk, net_admin, skb) < 0)

			goto errout;



	if (sk->sk_state < TCP_TIME_WAIT) {

		union tcp_cc_info info;

		size_t sz = 0;
@@ -449,6 +463,7 @@ int inet_diag_dump_one_icsk(struct inet_hashinfo *hashinfo, 
			    const struct nlmsghdr *nlh,

			    const struct inet_diag_req_v2 *req)

{

	bool net_admin = netlink_net_capable(in_skb, CAP_NET_ADMIN);

	struct net *net = sock_net(in_skb->sk);

	struct sk_buff *rep;

	struct sock *sk;
@@ -458,7 +473,7 @@ int inet_diag_dump_one_icsk(struct inet_hashinfo *hashinfo, 
	if (IS_ERR(sk))

		return PTR_ERR(sk);



	rep = nlmsg_new(inet_sk_attr_size(), GFP_KERNEL);

	rep = nlmsg_new(inet_sk_attr_size(sk, req, net_admin), GFP_KERNEL);

	if (!rep) {

		err = -ENOMEM;

		goto out;
@@ -467,8 +482,7 @@ int inet_diag_dump_one_icsk(struct inet_hashinfo *hashinfo, 
	err = sk_diag_fill(sk, rep, req,

			   sk_user_ns(NETLINK_CB(in_skb).sk),

			   NETLINK_CB(in_skb).portid,

			   nlh->nlmsg_seq, 0, nlh,

			   netlink_net_capable(in_skb, CAP_NET_ADMIN));

			   nlh->nlmsg_seq, 0, nlh, net_admin);

	if (err < 0) {

		WARN_ON(err == -EMSGSIZE);

		nlmsg_free(rep);

net/ipv4/tcp_diag.c

+103 −6
Original line number Diff line number Diff line
@@ -16,6 +16,7 @@ 


#include <linux/tcp.h>



#include <net/netlink.h>

#include <net/tcp.h>



static void tcp_diag_get_info(struct sock *sk, struct inet_diag_msg *r,
@@ -36,6 +37,100 @@ static void tcp_diag_get_info(struct sock *sk, struct inet_diag_msg *r, 
		tcp_get_info(sk, info);

}



#ifdef CONFIG_TCP_MD5SIG

static void tcp_diag_md5sig_fill(struct tcp_diag_md5sig *info,

				 const struct tcp_md5sig_key *key)

{

	info->tcpm_family = key->family;

	info->tcpm_prefixlen = key->prefixlen;

	info->tcpm_keylen = key->keylen;

	memcpy(info->tcpm_key, key->key, key->keylen);



	if (key->family == AF_INET)

		info->tcpm_addr[0] = key->addr.a4.s_addr;

	#if IS_ENABLED(CONFIG_IPV6)

	else if (key->family == AF_INET6)

		memcpy(&info->tcpm_addr, &key->addr.a6,

		       sizeof(info->tcpm_addr));

	#endif

}



static int tcp_diag_put_md5sig(struct sk_buff *skb,

			       const struct tcp_md5sig_info *md5sig)

{

	const struct tcp_md5sig_key *key;

	struct tcp_diag_md5sig *info;

	struct nlattr *attr;

	int md5sig_count = 0;



	hlist_for_each_entry_rcu(key, &md5sig->head, node)

		md5sig_count++;

	if (md5sig_count == 0)

		return 0;



	attr = nla_reserve(skb, INET_DIAG_MD5SIG,

			   md5sig_count * sizeof(struct tcp_diag_md5sig));

	if (!attr)

		return -EMSGSIZE;



	info = nla_data(attr);

	memset(info, 0, md5sig_count * sizeof(struct tcp_diag_md5sig));

	hlist_for_each_entry_rcu(key, &md5sig->head, node) {

		tcp_diag_md5sig_fill(info++, key);

		if (--md5sig_count == 0)

			break;

	}



	return 0;

}

#endif



static int tcp_diag_get_aux(struct sock *sk, bool net_admin,

			    struct sk_buff *skb)

{

#ifdef CONFIG_TCP_MD5SIG

	if (net_admin) {

		struct tcp_md5sig_info *md5sig;

		int err = 0;



		rcu_read_lock();

		md5sig = rcu_dereference(tcp_sk(sk)->md5sig_info);

		if (md5sig)

			err = tcp_diag_put_md5sig(skb, md5sig);

		rcu_read_unlock();

		if (err < 0)

			return err;

	}

#endif



	return 0;

}



static size_t tcp_diag_get_aux_size(struct sock *sk, bool net_admin)

{

	size_t size = 0;



#ifdef CONFIG_TCP_MD5SIG

	if (net_admin && sk_fullsock(sk)) {

		const struct tcp_md5sig_info *md5sig;

		const struct tcp_md5sig_key *key;

		size_t md5sig_count = 0;



		rcu_read_lock();

		md5sig = rcu_dereference(tcp_sk(sk)->md5sig_info);

		if (md5sig) {

			hlist_for_each_entry_rcu(key, &md5sig->head, node)

				md5sig_count++;

		}

		rcu_read_unlock();

		size += nla_total_size(md5sig_count *

				       sizeof(struct tcp_diag_md5sig));

	}

#endif



	return size;

}



static void tcp_diag_dump(struct sk_buff *skb, struct netlink_callback *cb,

			  const struct inet_diag_req_v2 *r, struct nlattr *bc)

{
@@ -71,6 +166,8 @@ static const struct inet_diag_handler tcp_diag_handler = { 
	.dump			= tcp_diag_dump,

	.dump_one		= tcp_diag_dump_one,

	.idiag_get_info		= tcp_diag_get_info,

	.idiag_get_aux		= tcp_diag_get_aux,

	.idiag_get_aux_size	= tcp_diag_get_aux_size,

	.idiag_type		= IPPROTO_TCP,

	.idiag_info_size	= sizeof(struct tcp_info),

#ifdef CONFIG_INET_DIAG_DESTROY

CRA Git | Maintained and supported by SUSTech CRA and CCSE