Re: [PATCH v7 01/22] net/tcp: Prepare tcp_md5sig_pool for TCP-AO

[PATCH v7 00/22] net/tcp: Add TCP-AO support · Dmitry Safonov <hidden> · 2023-06-14
[PATCH v7 02/22] net/tcp: Add TCP-AO config and structures · Dmitry Safonov <hidden> · 2023-06-14
[PATCH v7 01/22] net/tcp: Prepare tcp_md5sig_pool for TCP-AO · Dmitry Safonov <hidden> · 2023-06-14
Re: [PATCH v7 01/22] net/tcp: Prepare tcp_md5sig_pool for TCP-AO · Steen Hegelund <steen.hegelund@microchip.com> · 2023-06-15
Re: [PATCH v7 01/22] net/tcp: Prepare tcp_md5sig_pool for TCP-AO · Dmitry Safonov <hidden> · 2023-06-15
Re: [PATCH v7 01/22] net/tcp: Prepare tcp_md5sig_pool for TCP-AO · Steen Hegelund <steen.hegelund@microchip.com> · 2023-06-16
[PATCH v7 03/22] net/tcp: Introduce TCP_AO setsockopt()s · Dmitry Safonov <hidden> · 2023-06-14
[PATCH v7 04/22] net/tcp: Prevent TCP-MD5 with TCP-AO being set · Dmitry Safonov <hidden> · 2023-06-14
Re: [PATCH v7 04/22] net/tcp: Prevent TCP-MD5 with TCP-AO being set · David Ahern <dsahern@kernel.org> · 2023-06-18
Re: [PATCH v7 04/22] net/tcp: Prevent TCP-MD5 with TCP-AO being set · Dmitry Safonov <hidden> · 2023-06-19
Re: [PATCH v7 04/22] net/tcp: Prevent TCP-MD5 with TCP-AO being set · Dmitry Safonov <hidden> · 2023-06-19
Re: [PATCH v7 04/22] net/tcp: Prevent TCP-MD5 with TCP-AO being set · Dmitry Safonov <hidden> · 2023-06-19
[PATCH v7 05/22] net/tcp: Calculate TCP-AO traffic keys · Dmitry Safonov <hidden> · 2023-06-14
[PATCH v7 06/22] net/tcp: Add TCP-AO sign to outgoing packets · Dmitry Safonov <hidden> · 2023-06-14
[PATCH v7 07/22] net/tcp: Add tcp_parse_auth_options() · Dmitry Safonov <hidden> · 2023-06-14
[PATCH v7 08/22] net/tcp: Add AO sign to RST packets · Dmitry Safonov <hidden> · 2023-06-14
Re: [PATCH v7 08/22] net/tcp: Add AO sign to RST packets · kernel test robot <hidden> · 2023-06-15
Re: [PATCH v7 08/22] net/tcp: Add AO sign to RST packets · kernel test robot <hidden> · 2023-06-15
Re: [PATCH v7 08/22] net/tcp: Add AO sign to RST packets · kernel test robot <hidden> · 2023-06-15
[PATCH v7 09/22] net/tcp: Add TCP-AO sign to twsk · Dmitry Safonov <hidden> · 2023-06-14
[PATCH v7 10/22] net/tcp: Wire TCP-AO to request sockets · Dmitry Safonov <hidden> · 2023-06-14
[PATCH v7 11/22] net/tcp: Sign SYN-ACK segments with TCP-AO · Dmitry Safonov <hidden> · 2023-06-14
[PATCH v7 12/22] net/tcp: Verify inbound TCP-AO signed segments · Dmitry Safonov <hidden> · 2023-06-14
[PATCH v7 13/22] net/tcp: Add TCP-AO segments counters · Dmitry Safonov <hidden> · 2023-06-14
[PATCH v7 14/22] net/tcp: Add TCP-AO SNE support · Dmitry Safonov <hidden> · 2023-06-14
[PATCH v7 15/22] net/tcp: Add tcp_hash_fail() ratelimited logs · Dmitry Safonov <hidden> · 2023-06-14
[PATCH v7 16/22] net/tcp: Ignore specific ICMPs for TCP-AO connections · Dmitry Safonov <hidden> · 2023-06-14
[PATCH v7 17/22] net/tcp: Add option for TCP-AO to (not) hash header · Dmitry Safonov <hidden> · 2023-06-14
[PATCH v7 18/22] net/tcp: Add TCP-AO getsockopt()s · Dmitry Safonov <hidden> · 2023-06-14
[PATCH v7 19/22] net/tcp: Allow asynchronous delete for TCP-AO keys (MKTs) · Dmitry Safonov <hidden> · 2023-06-14
[PATCH v7 20/22] net/tcp: Add static_key for TCP-AO · Dmitry Safonov <hidden> · 2023-06-14
[PATCH v7 21/22] net/tcp: Wire up l3index to TCP-AO · Dmitry Safonov <hidden> · 2023-06-14
[PATCH v7 22/22] net/tcp: Add TCP_AO_REPAIR · Dmitry Safonov <hidden> · 2023-06-14

From: Dmitry Safonov <hidden>
Date: 2023-06-15 16:45:06
Also in: lkml

Hi Steen,

On 6/15/23 11:45, Steen Hegelund wrote:

Hi Dmitry,

On Thu, 2023-06-15 at 00:09 +0100, Dmitry Safonov wrote:

[..]

quoted

+/**
+ * tcp_sigpool_alloc_ahash - allocates pool for ahash requests
+ * @alg: name of async hash algorithm
+ * @scratch_size: reserve a tcp_sigpool::scratch buffer of this size
+ */
+int tcp_sigpool_alloc_ahash(const char *alg, size_t scratch_size)
+{
+       int i, ret;
+
+       /* slow-path */
+       mutex_lock(&cpool_mutex);
+       ret = sigpool_reserve_scratch(scratch_size);
+       if (ret)
+               goto out;
+       for (i = 0; i < cpool_populated; i++) {
+               if (!cpool[i].alg)
+                       continue;
+               if (strcmp(cpool[i].alg, alg))
+                       continue;
+
+               if (kref_read(&cpool[i].kref) > 0)
+                       kref_get(&cpool[i].kref);
+               else
+                       kref_init(&cpool[i].kref);
+               ret = i;
+               goto out;
+       }

Here it looks to me like you will never get to this part of the code since you
always end up going to the out label in the previous loop.

Well, not exactly: this part is looking if the crypto algorithm is
already in this pool, so that it can increment refcounter rather than
initialize a new tfm. In case strcmp(cpool[i].alg, alg) fails, this loop
will never goto out.

I.e., you issued previously setsockopt()s for TCP-MD5 and TCP-AO with
HMAC-SHA1, so in this pool there'll be two algorithms: "md5" and
"hmac(sha1)". Now if you want to use TCP-AO with "cmac(aes128)" or
"hmac(sha256)", you won't find them in the pool yet.

quoted

+
+       for (i = 0; i < cpool_populated; i++) {
+               if (!cpool[i].alg)
+                       break;
+       }
+       if (i >= CPOOL_SIZE) {
+               ret = -ENOSPC;
+               goto out;
+       }
+
+       ret = __cpool_alloc_ahash(&cpool[i], alg);
+       if (!ret) {
+               ret = i;
+               if (i == cpool_populated)
+                       cpool_populated++;
+       }
+out:
+       mutex_unlock(&cpool_mutex);
+       return ret;
+}
+EXPORT_SYMBOL_GPL(tcp_sigpool_alloc_ahash);
+

... snip ...

quoted

 clear_hash:
-       tcp_put_md5sig_pool();
-clear_hash_noput:
+       tcp_sigpool_end(&hp);
+clear_hash_nostart:
        memset(md5_hash, 0, 16);
        return 1;
 }

Thanks,
            Dmitry

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help