| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1496808502.736.23.camel@edumazet-glaptop3.roam.corp.google.com>
Date: Tue, 06 Jun 2017 21:08:22 -0700
From: Eric Dumazet <eric.dumazet@...il.com>
To: Ivan Delalande <colona@...sta.com>
Cc: David Miller <davem@...emloft.net>, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH 2/2] tcp: md5: add fields to the tcp_md5sig struct to
set a key address prefix
On Tue, 2017-06-06 at 17:54 -0700, Ivan Delalande wrote:
> Replace padding in the socket option structure tcp_md5sig with a new
> flag field and address prefix length so it can be specified when
> configuring a new key with the TCP_MD5SIG socket option.
>
> Signed-off-by: Bob Gilligan <gilligan@...sta.com>
> Signed-off-by: Eric Mowat <mowat@...sta.com>
> Signed-off-by: Ivan Delalande <colona@...sta.com>
> ---
> include/uapi/linux/tcp.h | 6 +++++-
> net/ipv4/tcp_ipv4.c | 13 +++++++++++--
> net/ipv6/tcp_ipv6.c | 20 +++++++++++++++-----
> 3 files changed, 31 insertions(+), 8 deletions(-)
>
> diff --git a/include/uapi/linux/tcp.h b/include/uapi/linux/tcp.h
> index 38a2b07afdff..52ac30aa0652 100644
> --- a/include/uapi/linux/tcp.h
> +++ b/include/uapi/linux/tcp.h
> @@ -234,9 +234,13 @@ enum {
> /* for TCP_MD5SIG socket option */
> #define TCP_MD5SIG_MAXKEYLEN 80
>
> +/* tcp_md5sig flags */
> +#define TCP_MD5SIG_FLAG_PREFIX 1 /* address prefix length */
> +
> struct tcp_md5sig {
> struct __kernel_sockaddr_storage tcpm_addr; /* address associated */
> - __u16 __tcpm_pad1; /* zero */
> + __u8 tcpm_flags; /* flags */
> + __u8 tcpm_prefixlen; /* address prefix */
> __u16 tcpm_keylen; /* key length */
> __u32 __tcpm_pad2; /* zero */
> __u8 tcpm_key[TCP_MD5SIG_MAXKEYLEN]; /* key (binary) */
> diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
> index 51ca3bd5a8a3..2b1bb67b3388 100644
> --- a/net/ipv4/tcp_ipv4.c
> +++ b/net/ipv4/tcp_ipv4.c
> @@ -1069,6 +1069,7 @@ static int tcp_v4_parse_md5_keys(struct sock *sk, char __user *optval,
> {
> struct tcp_md5sig cmd;
> struct sockaddr_in *sin = (struct sockaddr_in *)&cmd.tcpm_addr;
> + u8 prefixlen;
>
> if (optlen < sizeof(cmd))
> return -EINVAL;
> @@ -1079,15 +1080,23 @@ static int tcp_v4_parse_md5_keys(struct sock *sk, char __user *optval,
> if (sin->sin_family != AF_INET)
> return -EINVAL;
>
> + if (cmd.tcpm_flags & TCP_MD5SIG_FLAG_PREFIX) {
> + prefixlen = cmd.tcpm_prefixlen;
> + if (prefixlen > 32)
> + return -EINVAL;
> + } else {
> + prefixlen = 32;
> + }
This will break some applications that maybe did not clear the
__tcpm_pad1 field ?
You need to find another way to maintain compatibility with old
applications.
Powered by blists - more mailing lists