| field | value | date |
|---|---|---|
| author | Dmitry Safonov <dima@arista.com> | 2023-10-23 20:21:56 +0100 |
| committer | David S. Miller <davem@davemloft.net> | 2023-10-27 10:35:44 +0100 |
| commit | 0aadc73995d08f6b0dc061c14a564ffa46f5914e (patch) | |
| tree | d104c5c1772bec3362f2aababc1b5a79ec3e44bc /net/ipv6/tcp_ao.c | |
| parent | 4954f17ddefc51d218625dcdfaf422a253dad3fa (diff) | |
net/tcp: Prevent TCP-MD5 with TCP-AO being set
Be as conservative as possible: if there is a TCP-MD5 key for a given peer
regardless of L3 interface - don't allow setting TCP-AO key for the same
peer. According to RFC5925, TCP-AO is supposed to replace TCP-MD5 and
there can't be any switch between both on any connected tuple.
Later it can be relaxed, if there's a use, but in the beginning restrict
any intersection.
Note: it should still be possible to set both TCP-MD5 and TCP-AO keys
on a listening socket for *different* peers.
Co-developed-by: Francesco Ruggeri <fruggeri@arista.com>
Signed-off-by: Francesco Ruggeri <fruggeri@arista.com>
Co-developed-by: Salam Noureddine <noureddine@arista.com>
Signed-off-by: Salam Noureddine <noureddine@arista.com>
Signed-off-by: Dmitry Safonov <dima@arista.com>
Acked-by: David Ahern <dsahern@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv6/tcp_ao.c')
-rw-r--r-- | net/ipv6/tcp_ao.c | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/net/ipv6/tcp_ao.c b/net/ipv6/tcp_ao.c index 049ddbabe049..0640acaee67b 100644 --- a/net/ipv6/tcp_ao.c +++ b/net/ipv6/tcp_ao.c @@ -12,6 +12,23 @@ #include <net/tcp.h> #include <net/ipv6.h> +static struct tcp_ao_key *tcp_v6_ao_do_lookup(const struct sock *sk, + const struct in6_addr *addr, + int sndid, int rcvid) +{ + return tcp_ao_do_lookup(sk, (union tcp_ao_addr *)addr, AF_INET6, + sndid, rcvid); +} + +struct tcp_ao_key *tcp_v6_ao_lookup(const struct sock *sk, + struct sock *addr_sk, + int sndid, int rcvid) +{ + struct in6_addr *addr = &addr_sk->sk_v6_daddr; + + return tcp_v6_ao_do_lookup(sk, addr, sndid, rcvid); +} + int tcp_v6_parse_ao(struct sock *sk, int cmd, sockptr_t optval, int optlen) { |
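Review bot: the cast `(union tcp_ao_addr *)addr` in tcp_v6_ao_do_lookup silently discards the `const` qualifier on the `addr` parameter; if tcp_ao_do_lookup takes a const pointer, cast to `(const union tcp_ao_addr *)addr` so the compiler keeps checking constness, and if it does not, either make it const or drop the misleading `const` from the helper's signature. In tcp_v6_ao_lookup, `struct in6_addr *addr = &addr_sk->sk_v6_daddr;` could likewise be `const struct in6_addr *`, since the address is only passed to the const-taking helper. Also, tcp_v6_ao_lookup is non-static but no prototype for it is visible in this file; make sure the declaration is in the shared header, otherwise sparse will report "symbol was not declared. Should it be static?".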