lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Fri, 23 Sep 2022 21:13:06 +0100 From: Dmitry Safonov <dima@...sta.com> To: linux-kernel@...r.kernel.org, David Ahern <dsahern@...nel.org>, Eric Dumazet <edumazet@...gle.com> Cc: Dmitry Safonov <dima@...sta.com>, Andy Lutomirski <luto@...capital.net>, Ard Biesheuvel <ardb@...nel.org>, Bob Gilligan <gilligan@...sta.com>, Dan Carpenter <dan.carpenter@...cle.com>, "David S. Miller" <davem@...emloft.net>, Dmitry Safonov <0x7f454c46@...il.com>, Eric Biggers <ebiggers@...nel.org>, "Eric W. Biederman" <ebiederm@...ssion.com>, Francesco Ruggeri <fruggeri@...sta.com>, Herbert Xu <herbert@...dor.apana.org.au>, Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org>, Ivan Delalande <colona@...sta.com>, Jakub Kicinski <kuba@...nel.org>, Leonard Crestez <cdleonard@...il.com>, Paolo Abeni <pabeni@...hat.com>, Salam Noureddine <noureddine@...sta.com>, Shuah Khan <shuah@...nel.org>, netdev@...r.kernel.org, linux-crypto@...r.kernel.org Subject: [PATCH v2 22/35] net/tcp: Add option for TCP-AO to (not) hash header Provide setsockopt() key flag that makes TCP-AO exclude hashing TCP header for peers that match the key. This is needed for interraction with middleboxes that may change TCP options, see RFC5925 (9.2). Co-developed-by: Francesco Ruggeri <fruggeri@...sta.com> Signed-off-by: Francesco Ruggeri <fruggeri@...sta.com> Co-developed-by: Salam Noureddine <noureddine@...sta.com> Signed-off-by: Salam Noureddine <noureddine@...sta.com> Signed-off-by: Dmitry Safonov <dima@...sta.com> --- include/uapi/linux/tcp.h | 2 ++ net/ipv4/tcp_ao.c | 8 +++++--- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/include/uapi/linux/tcp.h b/include/uapi/linux/tcp.h index 508bedbc6ad8..b60933ee2a27 100644 --- a/include/uapi/linux/tcp.h +++ b/include/uapi/linux/tcp.h @@ -347,6 +347,8 @@ struct tcp_diag_md5sig { #define TCP_AO_MAXKEYLEN 80 +#define TCP_AO_KEYF_EXCLUDE_OPT (1 << 0) + #define TCP_AO_CMDF_CURR (1 << 0) /* Only checks field sndid */ #define TCP_AO_CMDF_NEXT (1 << 1) /* Only checks field rcvid */ #define TCP_AO_CMDF_ACCEPT_ICMP (1 << 2) /* Accept incoming ICMPs */ diff --git a/net/ipv4/tcp_ao.c b/net/ipv4/tcp_ao.c index 5fb36863810d..f5489b73fae0 100644 --- a/net/ipv4/tcp_ao.c +++ b/net/ipv4/tcp_ao.c @@ -603,7 +603,8 @@ int tcp_ao_hash_hdr(unsigned short int family, char *ao_hash, WARN_ON_ONCE(1); goto clear_hash; } - if (tcp_ao_hash_header(&hp, th, false, + if (tcp_ao_hash_header(&hp, th, + !!(key->keyflags & TCP_AO_KEYF_EXCLUDE_OPT), ao_hash, hash_offset, tcp_ao_maclen(key))) goto clear_hash; ahash_request_set_crypt(hp.req, NULL, ao_hash, 0); @@ -645,7 +646,8 @@ int tcp_ao_hash_skb(unsigned short int family, goto clear_hash; if (tcp_ao_hash_pseudoheader(family, sk, skb, &hp, skb->len)) goto clear_hash; - if (tcp_ao_hash_header(&hp, th, false, + if (tcp_ao_hash_header(&hp, th, + !!(key->keyflags & TCP_AO_KEYF_EXCLUDE_OPT), ao_hash, hash_offset, tcp_ao_maclen(key))) goto clear_hash; if (tcp_ao_hash_skb_data(&hp, skb, th->doff << 2)) @@ -1455,7 +1457,7 @@ static inline bool tcp_ao_mkt_overlap_v6(struct tcp_ao *cmd, } #endif -#define TCP_AO_KEYF_ALL (0) +#define TCP_AO_KEYF_ALL (TCP_AO_KEYF_EXCLUDE_OPT) #define TCP_AO_CMDF_ADDMOD_VALID \ (TCP_AO_CMDF_CURR | TCP_AO_CMDF_NEXT | TCP_AO_CMDF_ACCEPT_ICMP) #define TCP_AO_CMDF_DEL_VALID \ -- 2.37.2
Powered by blists - more mailing lists