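Lines matching full:ao (identifier cross-reference results). Each entry gives the source line number, the matching line and, where one is reported, the enclosing function, marked "local" or "argument" when the match is a declaration. Lines between the listed numbers are not shown, so no function body here is complete.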
3 * INET An implementation of the TCP Authentication Option (TCP-AO).
54 struct tcp_ao_info *ao; in tcp_ao_ignore_icmp() local
60 * >> A TCP-AO implementation MUST default to ignore incoming ICMPv4 in tcp_ao_ignore_icmp()
83 ao = rcu_dereference(tcp_twsk(sk)->ao_info); in tcp_ao_ignore_icmp()
95 ao = rcu_dereference(tcp_sk(sk)->ao_info); in tcp_ao_ignore_icmp()
98 if (ao && !ao->accept_icmps) { in tcp_ao_ignore_icmp()
101 atomic64_inc(&ao->counters.dropped_icmp); in tcp_ao_ignore_icmp()
113 struct tcp_ao_info *ao, in tcp_ao_established_key() argument
118 hlist_for_each_entry_rcu(key, &ao->head, node, lockdep_sock_is_held(sk)) { in tcp_ao_established_key()
199 struct tcp_ao_info *ao; in __tcp_ao_do_lookup() local
204 ao = rcu_dereference_check(tcp_sk(sk)->ao_info, in __tcp_ao_do_lookup()
206 if (!ao) in __tcp_ao_do_lookup()
209 hlist_for_each_entry_rcu(key, &ao->head, node, lockdep_sock_is_held(sk)) { in __tcp_ao_do_lookup()
228 struct tcp_ao_info *ao; in tcp_ao_alloc_info() local
230 ao = kzalloc(sizeof(*ao), flags); in tcp_ao_alloc_info()
231 if (!ao) in tcp_ao_alloc_info()
233 INIT_HLIST_HEAD(&ao->head); in tcp_ao_alloc_info()
234 refcount_set(&ao->refcnt, 1); in tcp_ao_alloc_info()
236 return ao; in tcp_ao_alloc_info()
239 static void tcp_ao_link_mkt(struct tcp_ao_info *ao, struct tcp_ao_key *mkt) in tcp_ao_link_mkt() argument
241 hlist_add_head_rcu(&mkt->node, &ao->head); in tcp_ao_link_mkt()
273 struct tcp_ao_info *ao = container_of(head, struct tcp_ao_info, rcu); in tcp_ao_info_free_rcu() local
277 hlist_for_each_entry_safe(key, n, &ao->head, node) { in tcp_ao_info_free_rcu()
282 kfree(ao); in tcp_ao_info_free_rcu()
286 static void tcp_ao_sk_omem_free(struct sock *sk, struct tcp_ao_info *ao) in tcp_ao_sk_omem_free() argument
291 hlist_for_each_entry(key, &ao->head, node) in tcp_ao_sk_omem_free()
298 struct tcp_ao_info *ao; in tcp_ao_destroy_sock() local
301 ao = rcu_dereference_protected(tcp_twsk(sk)->ao_info, 1); in tcp_ao_destroy_sock()
304 ao = rcu_dereference_protected(tcp_sk(sk)->ao_info, 1); in tcp_ao_destroy_sock()
308 if (!ao || !refcount_dec_and_test(&ao->refcnt)) in tcp_ao_destroy_sock()
312 tcp_ao_sk_omem_free(sk, ao); in tcp_ao_destroy_sock()
313 call_rcu(&ao->rcu, tcp_ao_info_free_rcu); in tcp_ao_destroy_sock()
359 memcpy(tmp->label, "TCP-AO", 6); in tcp_v4_ao_calc_key()
548 /* zero out tcp-ao hash */ in tcp_ao_hash_header()
737 * Linux TCP-AO support provides TCP_AO_ADD_KEY and TCP_AO_REPAIR in tcp_ao_prepare_reset()
815 struct tcp_ao_info *ao; in tcp_ao_transmit_skb() local
820 ao = rcu_dereference_protected(tcp_sk(sk)->ao_info, in tcp_ao_transmit_skb()
833 disn = ao->risn; in tcp_ao_transmit_skb()
836 sk, ao->lisn, disn, true); in tcp_ao_transmit_skb()
838 sne = tcp_ao_compute_sne(READ_ONCE(ao->snd_sne), READ_ONCE(tp->snd_una), in tcp_ao_transmit_skb()
892 /* Key not found, continue without TCP-AO */ in tcp_ao_syncookie()
1055 WARN_ONCE(1, "TCP-AO: Unexpected sk_state %d", state); in tcp_inbound_ao_hash()
1077 struct tcp_ao_info *ao, in tcp_ao_cache_traffic_keys() argument
1084 ao->lisn, ao->risn, true); in tcp_ao_cache_traffic_keys()
1090 ao->lisn, ao->risn, false); in tcp_ao_cache_traffic_keys()
1149 * at least one tcp-ao key that matches the remote peer. in tcp_ao_connect_init()
1159 struct tcp_ao_info *ao; in tcp_ao_established() local
1162 ao = rcu_dereference_protected(tcp_sk(sk)->ao_info, in tcp_ao_established()
1164 if (!ao) in tcp_ao_established()
1167 hlist_for_each_entry_rcu(key, &ao->head, node, lockdep_sock_is_held(sk)) in tcp_ao_established()
1168 tcp_ao_cache_traffic_keys(sk, ao, key); in tcp_ao_established()
1173 struct tcp_ao_info *ao; in tcp_ao_finish_connect() local
1176 ao = rcu_dereference_protected(tcp_sk(sk)->ao_info, in tcp_ao_finish_connect()
1178 if (!ao) in tcp_ao_finish_connect()
1181 WRITE_ONCE(ao->risn, tcp_hdr(skb)->seq); in tcp_ao_finish_connect()
1182 ao->rcv_sne = 0; in tcp_ao_finish_connect()
1184 hlist_for_each_entry_rcu(key, &ao->head, node, lockdep_sock_is_held(sk)) in tcp_ao_finish_connect()
1185 tcp_ao_cache_traffic_keys(sk, ao, key); in tcp_ao_finish_connect()
1193 struct tcp_ao_info *new_ao, *ao; in tcp_ao_copy_all_matching() local
1199 ao = rcu_dereference(tcp_sk(sk)->ao_info); in tcp_ao_copy_all_matching()
1200 if (!ao) in tcp_ao_copy_all_matching()
1203 /* New socket without TCP-AO on it */ in tcp_ao_copy_all_matching()
1212 new_ao->ao_required = ao->ao_required; in tcp_ao_copy_all_matching()
1213 new_ao->accept_icmps = ao->accept_icmps; in tcp_ao_copy_all_matching()
1228 hlist_for_each_entry_rcu(key, &ao->head, node) { in tcp_ao_copy_all_matching()
1242 /* RFC5925 (7.4.1) specifies that the TCP-AO status in tcp_ao_copy_all_matching()
1244 * At this point the connection was TCP-AO enabled, so in tcp_ao_copy_all_matching()
1357 /* Check: maclen + tcp-ao header <= (MAX_TCP_OPTION_SPACE - mss in tcp_ao_parse_crypto()
1362 * In order to allow D-SACK with TCP-AO, the header size should be: in tcp_ao_parse_crypto()
1374 * TCP-AO continues to consume 16 bytes in non-SYN segments, in tcp_ao_parse_crypto()
1378 * such as to handle D-SACK, a smaller TCP-AO MAC would be required in tcp_ao_parse_crypto()
1653 * non peer-matching key on an established TCP-AO in tcp_ao_add_cmd()
1666 net_warn_ratelimited("AO key ifindex %d != sk bound ifindex %d\n", in tcp_ao_add_cmd()
1674 * (that will make them match AO key with in tcp_ao_add_cmd()
1933 /* cmd.ao_required makes a socket TCP-AO only.
2323 struct tcp_ao_info *ao; in tcp_ao_get_sock_info() local
2343 ao = setsockopt_ao_info(sk); in tcp_ao_get_sock_info()
2344 if (IS_ERR(ao)) in tcp_ao_get_sock_info()
2345 return PTR_ERR(ao); in tcp_ao_get_sock_info()
2346 if (!ao) in tcp_ao_get_sock_info()
2350 out.ao_required = ao->ao_required; in tcp_ao_get_sock_info()
2351 out.accept_icmps = ao->accept_icmps; in tcp_ao_get_sock_info()
2352 out.pkt_good = atomic64_read(&ao->counters.pkt_good); in tcp_ao_get_sock_info()
2353 out.pkt_bad = atomic64_read(&ao->counters.pkt_bad); in tcp_ao_get_sock_info()
2354 out.pkt_key_not_found = atomic64_read(&ao->counters.key_not_found); in tcp_ao_get_sock_info()
2355 out.pkt_ao_required = atomic64_read(&ao->counters.ao_required); in tcp_ao_get_sock_info()
2356 out.pkt_dropped_icmp = atomic64_read(&ao->counters.dropped_icmp); in tcp_ao_get_sock_info()
2358 current_key = READ_ONCE(ao->current_key); in tcp_ao_get_sock_info()
2363 if (ao->rnext_key) { in tcp_ao_get_sock_info()
2365 out.rnext = ao->rnext_key->rcvid; in tcp_ao_get_sock_info()
2379 struct tcp_ao_info *ao; in tcp_ao_set_repair() local
2392 ao = setsockopt_ao_info(sk); in tcp_ao_set_repair()
2393 if (IS_ERR(ao)) in tcp_ao_set_repair()
2394 return PTR_ERR(ao); in tcp_ao_set_repair()
2395 if (!ao) in tcp_ao_set_repair()
2398 WRITE_ONCE(ao->lisn, cmd.snt_isn); in tcp_ao_set_repair()
2399 WRITE_ONCE(ao->risn, cmd.rcv_isn); in tcp_ao_set_repair()
2400 WRITE_ONCE(ao->snd_sne, cmd.snd_sne); in tcp_ao_set_repair()
2401 WRITE_ONCE(ao->rcv_sne, cmd.rcv_sne); in tcp_ao_set_repair()
2403 hlist_for_each_entry_rcu(key, &ao->head, node, lockdep_sock_is_held(sk)) in tcp_ao_set_repair()
2404 tcp_ao_cache_traffic_keys(sk, ao, key); in tcp_ao_set_repair()
2413 struct tcp_ao_info *ao; in tcp_ao_get_repair() local
2426 ao = getsockopt_ao_info(sk); in tcp_ao_get_repair()
2427 if (IS_ERR_OR_NULL(ao)) { in tcp_ao_get_repair()
2429 return ao ? PTR_ERR(ao) : -ENOENT; in tcp_ao_get_repair()
2432 opt.snt_isn = ao->lisn; in tcp_ao_get_repair()
2433 opt.rcv_isn = ao->risn; in tcp_ao_get_repair()
2434 opt.snd_sne = READ_ONCE(ao->snd_sne); in tcp_ao_get_repair()
2435 opt.rcv_sne = READ_ONCE(ao->rcv_sne); in tcp_ao_get_repair()