{"id":808316,"url":"http://patchwork.ozlabs.org/api/1.0/patches/808316/?format=json","project":{"id":7,"url":"http://patchwork.ozlabs.org/api/1.0/projects/7/?format=json","name":"Linux network development","link_name":"netdev","list_id":"netdev.vger.kernel.org","list_email":"netdev@vger.kernel.org","web_url":null,"scm_url":null,"webscm_url":null},"msgid":"<20170831165939.5121-3-colona@arista.com>","date":"2017-08-31T16:59:39","name":"[net-next,v5,2/2] tcp_diag: report TCP MD5 signing keys and addresses","commit_ref":null,"pull_url":null,"state":"accepted","archived":true,"hash":"6b5296b27890f5d564dde678ad96a2fa55e7e16c","submitter":{"id":65664,"url":"http://patchwork.ozlabs.org/api/1.0/people/65664/?format=json","name":"Ivan Delalande","email":"colona@arista.com"},"delegate":{"id":34,"url":"http://patchwork.ozlabs.org/api/1.0/users/34/?format=json","username":"davem","first_name":"David","last_name":"Miller","email":"davem@davemloft.net"},"mbox":"http://patchwork.ozlabs.org/project/netdev/patch/20170831165939.5121-3-colona@arista.com/mbox/","series":[{"id":881,"url":"http://patchwork.ozlabs.org/api/1.0/series/881/?format=json","date":"2017-08-31T16:59:39","name":"report TCP MD5 signing keys and addresses","version":5,"mbox":"http://patchwork.ozlabs.org/series/881/mbox/"}],"check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/808316/checks/","tags":{},"headers":{"Return-Path":"<netdev-owner@vger.kernel.org>","X-Original-To":"patchwork-incoming@ozlabs.org","Delivered-To":"patchwork-incoming@ozlabs.org","Authentication-Results":["ozlabs.org;\n\tspf=none (mailfrom) smtp.mailfrom=vger.kernel.org\n\t(client-ip=209.132.180.67; helo=vger.kernel.org;\n\tenvelope-from=netdev-owner@vger.kernel.org;\n\treceiver=<UNKNOWN>)","ozlabs.org; dkim=pass (1024-bit key;\n\tunprotected) header.d=arista.com header.i=@arista.com\n\theader.b=\"DfV73n9W\"; dkim-atps=neutral"],"Received":["from vger.kernel.org (vger.kernel.org [209.132.180.67])\n\tby ozlabs.org (Postfix) with 
ESMTP id 3xjpWh54Nwz9s81\n\tfor <patchwork-incoming@ozlabs.org>;\n\tFri,  1 Sep 2017 02:59:44 +1000 (AEST)","(majordomo@vger.kernel.org) by vger.kernel.org via listexpand\n\tid S1751985AbdHaQ7n (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);\n\tThu, 31 Aug 2017 12:59:43 -0400","from prod-mx.aristanetworks.com ([162.210.130.12]:60500 \"EHLO\n\tprod-mx.aristanetworks.com\" rhost-flags-OK-OK-OK-OK)\n\tby vger.kernel.org with ESMTP id S1751956AbdHaQ7k (ORCPT\n\t<rfc822;netdev@vger.kernel.org>); Thu, 31 Aug 2017 12:59:40 -0400","from prod-mx.aristanetworks.com (localhost [127.0.0.1])\n\tby prod-mx.aristanetworks.com (Postfix) with ESMTP id E8B0A9603;\n\tThu, 31 Aug 2017 09:59:39 -0700 (PDT)","from visor.sjc.aristanetworks.com\n\t(manila-157.sjc.aristanetworks.com [172.20.135.157])\n\tby prod-mx.aristanetworks.com (Postfix) with ESMTP id DC2B99602;\n\tThu, 31 Aug 2017 09:59:39 -0700 (PDT)"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=arista.com;\n\ts=AristaCom; t=1504198779;\n\tbh=Lb2ho7nsXhY3boAKSQQhXY3geKfDl5pJgCPpNgtPH98=;\n\th=From:To:Cc:Subject:Date:In-Reply-To:References;\n\tb=DfV73n9W+ikyynB7URVskLZIEzYW+H96H3+PlXe5wyoYzELYP5eAU6FVQQTO9c/z4\n\tMasRGiNrweQQm1wt1W3zDauN2AYe2ZoU2Oewe8GTpAXsVz1SH94pfSvb7E78mkzgFN\n\t374S0w4fulFBrSs9d/dFIZuTztGu/noxn1Ld5RFQ=","From":"Ivan Delalande <colona@arista.com>","To":"David Miller <davem@davemloft.net>","Cc":"Eric Dumazet <eric.dumazet@gmail.com>, netdev@vger.kernel.org,\n\tIvan Delalande <colona@arista.com>","Subject":"[PATCH net-next v5 2/2] tcp_diag: report TCP MD5 signing keys and\n\taddresses","Date":"Thu, 31 Aug 2017 09:59:39 -0700","Message-Id":"<20170831165939.5121-3-colona@arista.com>","X-Mailer":"git-send-email 2.14.1","In-Reply-To":"<20170831165939.5121-1-colona@arista.com>","References":"<20170831165939.5121-1-colona@arista.com>","Sender":"netdev-owner@vger.kernel.org","Precedence":"bulk","List-ID":"<netdev.vger.kernel.org>","X-Mailing-List":"netdev@vger.kernel.org"},"content":"Report TCP MD5 (RFC2385) 
signing keys, addresses and address prefixes to\nprocesses with CAP_NET_ADMIN requesting INET_DIAG_INFO. Currently it is\nnot possible to retrieve these from the kernel once they have been\nconfigured on sockets.\n\nSigned-off-by: Ivan Delalande <colona@arista.com>\n---\n include/uapi/linux/inet_diag.h |   1 +\n include/uapi/linux/tcp.h       |   9 ++++\n net/ipv4/tcp_diag.c            | 109 ++++++++++++++++++++++++++++++++++++++---\n 3 files changed, 113 insertions(+), 6 deletions(-)","diff":"diff --git a/include/uapi/linux/inet_diag.h b/include/uapi/linux/inet_diag.h\nindex 678496897a68..f52ff62bfabe 100644\n--- a/include/uapi/linux/inet_diag.h\n+++ b/include/uapi/linux/inet_diag.h\n@@ -143,6 +143,7 @@ enum {\n \tINET_DIAG_MARK,\n \tINET_DIAG_BBRINFO,\n \tINET_DIAG_CLASS_ID,\n+\tINET_DIAG_MD5SIG,\n \t__INET_DIAG_MAX,\n };\n \ndiff --git a/include/uapi/linux/tcp.h b/include/uapi/linux/tcp.h\nindex 030e594bab45..15c25eccab2b 100644\n--- a/include/uapi/linux/tcp.h\n+++ b/include/uapi/linux/tcp.h\n@@ -256,4 +256,13 @@ struct tcp_md5sig {\n \t__u8\ttcpm_key[TCP_MD5SIG_MAXKEYLEN];\t\t/* key (binary) */\n };\n \n+/* INET_DIAG_MD5SIG */\n+struct tcp_diag_md5sig {\n+\t__u8\ttcpm_family;\n+\t__u8\ttcpm_prefixlen;\n+\t__u16\ttcpm_keylen;\n+\t__be32\ttcpm_addr[4];\n+\t__u8\ttcpm_key[TCP_MD5SIG_MAXKEYLEN];\n+};\n+\n #endif /* _UAPI_LINUX_TCP_H */\ndiff --git a/net/ipv4/tcp_diag.c b/net/ipv4/tcp_diag.c\nindex a748c74aa8b7..abbf0edcf6c2 100644\n--- a/net/ipv4/tcp_diag.c\n+++ b/net/ipv4/tcp_diag.c\n@@ -16,6 +16,7 @@\n \n #include <linux/tcp.h>\n \n+#include <net/netlink.h>\n #include <net/tcp.h>\n \n static void tcp_diag_get_info(struct sock *sk, struct inet_diag_msg *r,\n@@ -36,6 +37,100 @@ static void tcp_diag_get_info(struct sock *sk, struct inet_diag_msg *r,\n \t\ttcp_get_info(sk, info);\n }\n \n+#ifdef CONFIG_TCP_MD5SIG\n+static void tcp_diag_md5sig_fill(struct tcp_diag_md5sig *info,\n+\t\t\t\t const struct tcp_md5sig_key *key)\n+{\n+\tinfo->tcpm_family = 
key->family;\n+\tinfo->tcpm_prefixlen = key->prefixlen;\n+\tinfo->tcpm_keylen = key->keylen;\n+\tmemcpy(info->tcpm_key, key->key, key->keylen);\n+\n+\tif (key->family == AF_INET)\n+\t\tinfo->tcpm_addr[0] = key->addr.a4.s_addr;\n+\t#if IS_ENABLED(CONFIG_IPV6)\n+\telse if (key->family == AF_INET6)\n+\t\tmemcpy(&info->tcpm_addr, &key->addr.a6,\n+\t\t       sizeof(info->tcpm_addr));\n+\t#endif\n+}\n+\n+static int tcp_diag_put_md5sig(struct sk_buff *skb,\n+\t\t\t       const struct tcp_md5sig_info *md5sig)\n+{\n+\tconst struct tcp_md5sig_key *key;\n+\tstruct tcp_diag_md5sig *info;\n+\tstruct nlattr *attr;\n+\tint md5sig_count = 0;\n+\n+\thlist_for_each_entry_rcu(key, &md5sig->head, node)\n+\t\tmd5sig_count++;\n+\tif (md5sig_count == 0)\n+\t\treturn 0;\n+\n+\tattr = nla_reserve(skb, INET_DIAG_MD5SIG,\n+\t\t\t   md5sig_count * sizeof(struct tcp_diag_md5sig));\n+\tif (!attr)\n+\t\treturn -EMSGSIZE;\n+\n+\tinfo = nla_data(attr);\n+\tmemset(info, 0, md5sig_count * sizeof(struct tcp_diag_md5sig));\n+\thlist_for_each_entry_rcu(key, &md5sig->head, node) {\n+\t\ttcp_diag_md5sig_fill(info++, key);\n+\t\tif (--md5sig_count == 0)\n+\t\t\tbreak;\n+\t}\n+\n+\treturn 0;\n+}\n+#endif\n+\n+static int tcp_diag_get_aux(struct sock *sk, bool net_admin,\n+\t\t\t    struct sk_buff *skb)\n+{\n+#ifdef CONFIG_TCP_MD5SIG\n+\tif (net_admin) {\n+\t\tstruct tcp_md5sig_info *md5sig;\n+\t\tint err = 0;\n+\n+\t\trcu_read_lock();\n+\t\tmd5sig = rcu_dereference(tcp_sk(sk)->md5sig_info);\n+\t\tif (md5sig)\n+\t\t\terr = tcp_diag_put_md5sig(skb, md5sig);\n+\t\trcu_read_unlock();\n+\t\tif (err < 0)\n+\t\t\treturn err;\n+\t}\n+#endif\n+\n+\treturn 0;\n+}\n+\n+static size_t tcp_diag_get_aux_size(struct sock *sk, bool net_admin)\n+{\n+\tsize_t size = 0;\n+\n+#ifdef CONFIG_TCP_MD5SIG\n+\tif (net_admin && sk_fullsock(sk)) {\n+\t\tconst struct tcp_md5sig_info *md5sig;\n+\t\tconst struct tcp_md5sig_key *key;\n+\t\tsize_t md5sig_count = 0;\n+\n+\t\trcu_read_lock();\n+\t\tmd5sig = 
rcu_dereference(tcp_sk(sk)->md5sig_info);\n+\t\tif (md5sig) {\n+\t\t\thlist_for_each_entry_rcu(key, &md5sig->head, node)\n+\t\t\t\tmd5sig_count++;\n+\t\t}\n+\t\trcu_read_unlock();\n+\t\tsize += nla_total_size(md5sig_count *\n+\t\t\t\t       sizeof(struct tcp_diag_md5sig));\n+\t}\n+#endif\n+\n+\treturn size;\n+}\n+\n static void tcp_diag_dump(struct sk_buff *skb, struct netlink_callback *cb,\n \t\t\t  const struct inet_diag_req_v2 *r, struct nlattr *bc)\n {\n@@ -68,13 +163,15 @@ static int tcp_diag_destroy(struct sk_buff *in_skb,\n #endif\n \n static const struct inet_diag_handler tcp_diag_handler = {\n-\t.dump\t\t = tcp_diag_dump,\n-\t.dump_one\t = tcp_diag_dump_one,\n-\t.idiag_get_info\t = tcp_diag_get_info,\n-\t.idiag_type\t = IPPROTO_TCP,\n-\t.idiag_info_size = sizeof(struct tcp_info),\n+\t.dump\t\t\t= tcp_diag_dump,\n+\t.dump_one\t\t= tcp_diag_dump_one,\n+\t.idiag_get_info\t\t= tcp_diag_get_info,\n+\t.idiag_get_aux\t\t= tcp_diag_get_aux,\n+\t.idiag_get_aux_size\t= tcp_diag_get_aux_size,\n+\t.idiag_type\t\t= IPPROTO_TCP,\n+\t.idiag_info_size\t= sizeof(struct tcp_info),\n #ifdef CONFIG_INET_DIAG_DESTROY\n-\t.destroy\t = tcp_diag_destroy,\n+\t.destroy\t\t= tcp_diag_destroy,\n #endif\n };\n \n","prefixes":["net-next","v5","2/2"]}
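Review bot: the new struct tcp_diag_md5sig in include/uapi/linux/tcp.h is ABI and ships without any member documentation, while struct tcp_md5sig directly above it annotates its fields (`/* key (binary) */`). Please comment the semantics before this lands: tcpm_family is AF_INET or AF_INET6, tcpm_addr is in network byte order with only tcpm_addr[0] meaningful for AF_INET (the fill function leaves the rest zero), tcpm_keylen is bounded by TCP_MD5SIG_MAXKEYLEN, and the INET_DIAG_MD5SIG attribute carries an array of these structs whose element count user space must derive as nla_len / sizeof(struct tcp_diag_md5sig). That last point is not obvious from the header alone and is the part consumers will get wrong.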
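Review bot: in the net/ipv4/tcp_diag.c hunk at @@ -36,6 +37,100 @@, tcp_diag_put_md5sig() counts the keys in one loop and fills in a second loop without holding anything that prevents a key from being unlinked from md5sig->head in between; if one disappears, the fill loop ends early and the tail of the attribute reserved with nla_reserve() keeps the memset() zeroes, so user space receives trailing entries with tcpm_family == 0 and tcpm_keylen == 0. Either document that consumers must skip such entries or trim the attribute to the number actually written. Two related points in the same hunk: tcp_diag_get_aux() dereferences tcp_sk(sk)->md5sig_info without the sk_fullsock(sk) check that tcp_diag_get_aux_size() applies, so the two are inconsistent and the aux path would read a non-full socket if a caller ever passed one (mirror the check or state in a comment that the caller guarantees a full socket); and the `memcpy(info->tcpm_key, key->key, key->keylen)` in tcp_diag_md5sig_fill() relies on key->keylen never exceeding sizeof(info->tcpm_key), which is cheap to make explicit with a bound check or WARN_ON_ONCE since the destination is a fixed-size UAPI buffer. Minor: tcp_diag_get_aux_size() adds nla_total_size(0) even when md5sig_count is 0, although the put side emits no attribute in that case, and the `#if IS_ENABLED(CONFIG_IPV6)` / `#endif` lines are tab-indented; preprocessor directives conventionally start in column 0.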
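Review bot: the hunk at @@ -68,13 +163,15 @@ in net/ipv4/tcp_diag.c re-aligns every existing initializer in tcp_diag_handler just to accommodate the longer `.idiag_get_aux_size` name, so a two-line functional change shows up as a rewrite of the whole struct and obscures what actually changed. Suggest either keeping the existing alignment and adding the two new members as they are, or moving the whitespace re-alignment into a separate cleanup patch.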