[{"id":1760635,"web_url":"http://patchwork.ozlabs.org/comment/1760635/","msgid":"<1504152643.15310.3.camel@edumazet-glaptop3.roam.corp.google.com>","list_archive_url":null,"date":"2017-08-31T04:10:43","subject":"Re: [PATCH net-next v4 2/2] tcp_diag: report TCP MD5 signing keys\n\tand addresses","submitter":{"id":2404,"url":"http://patchwork.ozlabs.org/api/people/2404/","name":"Eric Dumazet","email":"eric.dumazet@gmail.com"},"content":"On Wed, 2017-08-30 at 18:33 -0700, Ivan Delalande wrote:\n> Report TCP MD5 (RFC2385) signing keys, addresses and address prefixes to\n> processes with CAP_NET_ADMIN requesting INET_DIAG_INFO. Currently it is\n> not possible to retrieve these from the kernel once they have been\n> configured on sockets.\n> \n> Signed-off-by: Ivan Delalande <colona@arista.com>\n> ---\n>  include/uapi/linux/inet_diag.h |   1 +\n>  include/uapi/linux/tcp.h       |   9 ++++\n>  net/ipv4/tcp_diag.c            | 110 ++++++++++++++++++++++++++++++++++++++---\n>  3 files changed, 114 insertions(+), 6 deletions(-)\n> \n> diff --git a/include/uapi/linux/inet_diag.h b/include/uapi/linux/inet_diag.h\n> index 678496897a68..f52ff62bfabe 100644\n> --- a/include/uapi/linux/inet_diag.h\n> +++ b/include/uapi/linux/inet_diag.h\n> @@ -143,6 +143,7 @@ enum {\n>  \tINET_DIAG_MARK,\n>  \tINET_DIAG_BBRINFO,\n>  \tINET_DIAG_CLASS_ID,\n> +\tINET_DIAG_MD5SIG,\n>  \t__INET_DIAG_MAX,\n>  };\n>  \n> diff --git a/include/uapi/linux/tcp.h b/include/uapi/linux/tcp.h\n> index 030e594bab45..15c25eccab2b 100644\n> --- a/include/uapi/linux/tcp.h\n> +++ b/include/uapi/linux/tcp.h\n> @@ -256,4 +256,13 @@ struct tcp_md5sig {\n>  \t__u8\ttcpm_key[TCP_MD5SIG_MAXKEYLEN];\t\t/* key (binary) */\n>  };\n>  \n> +/* INET_DIAG_MD5SIG */\n> +struct tcp_diag_md5sig {\n> +\t__u8\ttcpm_family;\n> +\t__u8\ttcpm_prefixlen;\n> +\t__u16\ttcpm_keylen;\n> +\t__be32\ttcpm_addr[4];\n> +\t__u8\ttcpm_key[TCP_MD5SIG_MAXKEYLEN];\n> +};\n> +\n>  #endif /* _UAPI_LINUX_TCP_H */\n> diff --git a/net/ipv4/tcp_diag.c b/net/ipv4/tcp_diag.c\n> index a748c74aa8b7..65d0c34a76ee 100644\n> --- a/net/ipv4/tcp_diag.c\n> +++ b/net/ipv4/tcp_diag.c\n> @@ -16,6 +16,7 @@\n>  \n>  #include <linux/tcp.h>\n>  \n> +#include <net/netlink.h>\n>  #include <net/tcp.h>\n>  \n>  static void tcp_diag_get_info(struct sock *sk, struct inet_diag_msg *r,\n> @@ -36,6 +37,101 @@ static void tcp_diag_get_info(struct sock *sk, struct inet_diag_msg *r,\n>  \t\ttcp_get_info(sk, info);\n>  }\n>  \n> +#ifdef CONFIG_TCP_MD5SIG\n> +static void tcp_diag_md5sig_fill(struct tcp_diag_md5sig *info,\n> +\t\t\t\t const struct tcp_md5sig_key *key)\n> +{\n> +\tinfo->tcpm_family = key->family;\n> +\tinfo->tcpm_prefixlen = key->prefixlen;\n> +\tinfo->tcpm_keylen = key->keylen;\n> +\tmemcpy(info->tcpm_key, key->key, key->keylen);\n\n\nif (key->keylen < TCP_MD5SIG_MAXKEYLEN), \nthen you'll leak sensitive kernel data to user space.\n\nSince I doubt many sockets are using MD5SIG, you could simply do at the\nbeginning of this function :\n\nmemset(info, 0, sizeof(*info));\n\n> +\n> +\tif (key->family == AF_INET) {\n> +\t\tmemset(info->tcpm_addr, 0, sizeof(info->tcpm_addr));\n\nthen also remove this memset() since the prior memset would do this\nalready.\n\n> +\t\tinfo->tcpm_addr[0] = key->addr.a4.s_addr;\n> +\t}\n> +\t#if IS_ENABLED(CONFIG_IPV6)\n> +\telse if (key->family == AF_INET6) {\n> +\t\tmemcpy(&info->tcpm_addr, &key->addr.a6,\n> +\t\t       sizeof(info->tcpm_addr));\n> +\t}\n> +\t#endif\n> +}\n> +","headers":{"Return-Path":"<netdev-owner@vger.kernel.org>","X-Original-To":"patchwork-incoming@ozlabs.org","Delivered-To":"patchwork-incoming@ozlabs.org","Authentication-Results":["ozlabs.org;\n\tspf=none (mailfrom) smtp.mailfrom=vger.kernel.org\n\t(client-ip=209.132.180.67; helo=vger.kernel.org;\n\tenvelope-from=netdev-owner@vger.kernel.org;\n\treceiver=<UNKNOWN>)","ozlabs.org; dkim=pass (2048-bit key;\n\tunprotected) header.d=gmail.com header.i=@gmail.com\n\theader.b=\"bZfhmSf+\"; dkim-atps=neutral"],"Received":["from vger.kernel.org (vger.kernel.org [209.132.180.67])\n\tby ozlabs.org (Postfix) with ESMTP id 3xjTSV4gLdz9s71\n\tfor <patchwork-incoming@ozlabs.org>;\n\tThu, 31 Aug 2017 14:10:50 +1000 (AEST)","(majordomo@vger.kernel.org) by vger.kernel.org via listexpand\n\tid S1751227AbdHaEKs (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);\n\tThu, 31 Aug 2017 00:10:48 -0400","from mail-pg0-f67.google.com ([74.125.83.67]:35685 \"EHLO\n\tmail-pg0-f67.google.com\" rhost-flags-OK-OK-OK-OK) by vger.kernel.org\n\twith ESMTP id S1751053AbdHaEKp (ORCPT\n\t<rfc822;netdev@vger.kernel.org>); Thu, 31 Aug 2017 00:10:45 -0400","by mail-pg0-f67.google.com with SMTP id r133so6476952pgr.2\n\tfor <netdev@vger.kernel.org>; Wed, 30 Aug 2017 21:10:45 -0700 (PDT)","from [192.168.86.171] (c-67-180-167-114.hsd1.ca.comcast.net.\n\t[67.180.167.114]) by smtp.googlemail.com with ESMTPSA id\n\td11sm10230003pgf.21.2017.08.30.21.10.44\n\t(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);\n\tWed, 30 Aug 2017 21:10:44 -0700 (PDT)"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n\td=gmail.com; s=20161025;\n\th=message-id:subject:from:to:cc:date:in-reply-to:references\n\t:mime-version:content-transfer-encoding;\n\tbh=U5LldQw8/xn2ze6BhSLhu2J9D90SOJjeY4GEi/AdKbE=;\n\tb=bZfhmSf+qP/vYZhbs2nvK589Fh6XYbmJH6BxFzwms5T5+6kw/IlB9R4xFUfCYQopV5\n\teRb8IG0ShNbrSoQ0DSTz3lNR0/vmEbc0v0fmiEHWV/db6NdXGFoWovM9m35Xq2EzBPnG\n\toM3st2oernbt2GcGCTQJRu/XcC2XA/vKpwBb4CskZzM1forThm59mYATnuMDMjKrXHW6\n\thViKfZLF/RwJfG7yc8nLswqIEtCC+OiE7ZiLm9foaSnHez+1d7dB/zPMkUvywmxj5VRy\n\tk7Hs8OJLmXv2tA30AaeIOuL2/XL2twD7vpL9N6IjvxaM9FVZ7yx4yzWfK+oFPx7/Sp0b\n\t5eFg==","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n\td=1e100.net; s=20161025;\n\th=x-gm-message-state:message-id:subject:from:to:cc:date:in-reply-to\n\t:references:mime-version:content-transfer-encoding;\n\tbh=U5LldQw8/xn2ze6BhSLhu2J9D90SOJjeY4GEi/AdKbE=;\n\tb=GJImC7Sw/q8Ghq32qHdSaAmphtY9ZeQQc5jzYi4DxrLEfdEPpbUHqpHfn0MZLAmWRt\n\tWgrTWE3N7Z5lcwYfiVENshRZ/lZilWyq84DcJVtUqqQysMxr+NlkXNIF6PPBKdIzfmhf\n\tzw9OKHREeD2GgWS7Oa2c2Vec1iEVrGiFfggesu+wrNR4M97WMHgt3BmfgsBr3b/8ZeXC\n\tVsKJj3DH9tR6BgChOc85MPa3aQo0+S44qHmyOFca8iub21AV61j6wYIBANRZ1E3UyArb\n\tSuSXtPvBKZKPktfIRVnk1bkIEKN4pk+qWpyAPGSzF3o59XA1TQjx8zT5sT3EKYIFPAoM\n\tvTig==","X-Gm-Message-State":"AHYfb5hgBQbPSmi+Xpr+RUlMihq0IDSRSFs4/LCissW3NZ+jMurFkDGS\n\tXAgs/OgTvQvjPQ==","X-Received":"by 10.98.71.14 with SMTP id u14mr901201pfa.315.1504152645105;\n\tWed, 30 Aug 2017 21:10:45 -0700 (PDT)","Message-ID":"<1504152643.15310.3.camel@edumazet-glaptop3.roam.corp.google.com>","Subject":"Re: [PATCH net-next v4 2/2] tcp_diag: report TCP MD5 signing keys\n\tand addresses","From":"Eric Dumazet <eric.dumazet@gmail.com>","To":"Ivan Delalande <colona@arista.com>","Cc":"David Miller <davem@davemloft.net>, netdev@vger.kernel.org","Date":"Wed, 30 Aug 2017 21:10:43 -0700","In-Reply-To":"<20170831013312.29142-3-colona@arista.com>","References":"<20170831013312.29142-1-colona@arista.com>\n\t<20170831013312.29142-3-colona@arista.com>","Content-Type":"text/plain; charset=\"UTF-8\"","X-Mailer":"Evolution 3.10.4-0ubuntu2 ","Mime-Version":"1.0","Content-Transfer-Encoding":"7bit","Sender":"netdev-owner@vger.kernel.org","Precedence":"bulk","List-ID":"<netdev.vger.kernel.org>","X-Mailing-List":"netdev@vger.kernel.org"}}]