author: Paolo Abeni <pabeni@redhat.com> 2023-12-06 12:36:59 +0100
committer: Paolo Abeni <pabeni@redhat.com> 2023-12-06 12:43:55 +0100
commit: 3142dbf084cb66080b111673148192906a4c037c
tree: a6e57c26d2932ea1ac186211eb02f92c34751d89 /net/ipv4/tcp_input.c
parent: 6b07b5225d87f1ff212be9f95d527a3bb6b99adb
parent: 9396c4ee93f9ac03cd0cea0bb345fbc657772943
Merge branch 'tcp-ao-fixes'

Dmitry Safonov says:

====================
TCP-AO fixes

Changes from v4:
- Dropped 2 patches on which there's no consensus. They will require
  more work TBD if they may be made acceptable. Those are:
  o "net/tcp: Allow removing current/rnext TCP-AO keys on TCP_LISTEN sockets"
  o "net/tcp: Store SNEs + SEQs on ao_info"

Changes from v3:
- Don't restrict adding any keys on TCP-AO connection in VRF, but only
  the ones that don't match l3index (David)

Changes from v2:
- rwlocks are problematic in net code (Paolo)
  Changed the SNE code to avoid spin/rw locks on RX/TX fastpath by
  double-accounting SEQ numbers for TCP-AO enabled connections.

Changes from v1:
- Use tcp_can_repair_sock() helper to limit TCP_AO_REPAIR (Eric)
- Instead of hook to listen() syscall, allow removing current/rnext keys
  on TCP_LISTEN (addressing Eric's objection)
- Add sne_lock to protect snd_sne/rcv_sne
- Don't move used_tcp_ao in struct tcp_request_sock (Eric)

I've been working on TCP-AO key-rotation selftests and as a result
exercised some corner-cases that are not usually met in production.

Here are a bunch of semi-related fixes:
- Documentation typo (reported by Markus Elfring)
- Proper alignment for TCP-AO option in TCP header that has MAC length
  of non 4 bytes (now a selftest with randomized maclen/algorithm/etc
  passes)
- 3 uAPI restricting patches that disallow more things to userspace in
  order to prevent it shooting itself in any parts of the body
- SNEs READ_ONCE()/WRITE_ONCE() that went missing by my human factor
- Avoid storing MAC length from SYN header as SYN-ACK will use
  rnext_key.maclen (drops an extra check that fails on new selftests)
====================

Link: https://lore.kernel.org/r/
Signed-off-by: Paolo Abeni <pabeni@redhat.com>

Diffstat (limited to 'net/ipv4/tcp_input.c')
-rw-r--r-- net/ipv4/tcp_input.c 5
1 files changed, 3 insertions, 2 deletions
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index bcb55d98004c..337c8bb07ccc 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -7182,11 +7182,12 @@ int tcp_conn_request(struct request_sock_ops *rsk_ops,
if (tcp_parse_auth_options(tcp_hdr(skb), NULL, &aoh))
goto drop_and_release; /* Invalid TCP options */
if (aoh) {
- tcp_rsk(req)->maclen = aoh->length - sizeof(struct tcp_ao_hdr);
+ tcp_rsk(req)->used_tcp_ao = true;
tcp_rsk(req)->ao_rcv_next = aoh->keyid;
tcp_rsk(req)->ao_keyid = aoh->rnext_keyid;
+
} else {
- tcp_rsk(req)->maclen = 0;
+ tcp_rsk(req)->used_tcp_ao = false;
}
#endif
tcp_rsk(req)->snt_isn = isn;
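
Review bot: the bare `+` line added just before `} else {` in the `if (aoh)` branch of tcp_conn_request() is a stray blank line and should be dropped so the hunk carries only the functional change. On the change itself: both branches previously wrote `tcp_rsk(req)->maclen` (derived from `aoh->length` in the received SYN, or 0), and now write only `used_tcp_ao`. This view is limited to net/ipv4/tcp_input.c, so the readers of the request sock are not visible here; it is worth confirming that nothing still expects `maclen` to be populated from the SYN header, and that every path which used `maclen != 0` as the "TCP-AO in use" test now checks `used_tcp_ao` instead.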