net/tcp: Verify inbound TCP-AO signed segments
author	Dmitry Safonov <dima@arista.com>
	Mon, 23 Oct 2023 19:22:04 +0000 (20:22 +0100)
committer	David S. Miller <davem@davemloft.net>
	Fri, 27 Oct 2023 09:35:45 +0000 (10:35 +0100)
commit	0a3a809089eb1d4a0a2fd0c16b520d603988c859
tree	b584ef3c79e149b5f9986ed02258d29a48569df8
parent	9427c6aa3ec92f66b3d38f5d5f7af6b94b648a66
net/tcp: Verify inbound TCP-AO signed segments

Now there is a common function to verify signature on TCP segments:
tcp_inbound_hash(). It has checks for all possible cross-interactions
with MD5 signs as well as with unsigned segments.

The rules from RFC5925 are:
(1) Any TCP segment can have at max only one signature.
(2) TCP connections can't switch between using TCP-MD5 and TCP-AO.
(3) TCP-AO connections can't stop using AO, as well as unsigned
    connections can't suddenly start using AO.

Co-developed-by: Francesco Ruggeri <fruggeri@arista.com>
Signed-off-by: Francesco Ruggeri <fruggeri@arista.com>
Co-developed-by: Salam Noureddine <noureddine@arista.com>
Signed-off-by: Salam Noureddine <noureddine@arista.com>
Signed-off-by: Dmitry Safonov <dima@arista.com>
Acked-by: David Ahern <dsahern@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
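The three RFC 5925 rules in the commit message are a policy over which signature options an inbound segment carries versus what the connection negotiated. The standalone model below is an added example written for this page; it is not the kernel's tcp_inbound_hash() and does not share its code. It walks a TCP option list for the MD5 signature option (kind 19, RFC 2385) and the TCP-AO option (kind 29, RFC 5925), then applies the rules. The function and enum names are hypothetical, the option bytes are constructed filler rather than real MACs, and treating an unexpected MD5 option on an unsigned connection as a drop is an assumption of this model, not something the commit message states. MAC verification itself is out of scope here; VERDICT_ACCEPT only means the option set is consistent with the connection's mode.

```c
/* Added example (not kernel code): a standalone model of the RFC 5925
 * cross-interaction rules listed in the commit message. Names such as
 * check_inbound_segment() and the verdict enum are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TCPOPT_EOL    0
#define TCPOPT_NOP    1
#define TCPOPT_MD5SIG 19   /* RFC 2385 TCP MD5 signature option */
#define TCPOPT_AO     29   /* RFC 5925 TCP-AO option */

/* Which signing scheme the connection committed to when it was established. */
enum sig_mode { SIG_NONE, SIG_MD5, SIG_AO };

enum verdict {
    VERDICT_ACCEPT,            /* options are consistent; MAC verification would follow */
    DROP_BAD_OPTIONS,          /* malformed option list */
    DROP_BOTH_SIGNATURES,      /* rule 1: at most one signature per segment */
    DROP_WRONG_SIGNATURE,      /* rule 2: MD5 on an AO connection or vice versa */
    DROP_MISSING_SIGNATURE,    /* rule 3: signed connection got an unsigned segment */
    DROP_UNEXPECTED_SIGNATURE  /* rule 3: unsigned connection got a signed segment
                                  (the MD5 case is an assumption of this model) */
};

/* Walk the TCP option bytes (the part after the 20-byte fixed header) and
 * record which signature options are present. Returns false if the option
 * list is malformed; the caller treats that as a drop. */
static bool scan_tcp_options(const uint8_t *opt, size_t len,
                             bool *has_md5, bool *has_ao)
{
    size_t i = 0;

    *has_md5 = false;
    *has_ao = false;
    while (i < len) {
        uint8_t kind = opt[i];
        uint8_t olen;

        if (kind == TCPOPT_EOL)
            return true;
        if (kind == TCPOPT_NOP) {
            i++;
            continue;
        }
        if (i + 1 >= len)                      /* kind byte with no length byte */
            return false;
        olen = opt[i + 1];
        if (olen < 2 || (size_t)olen > len - i) /* length overruns the option space */
            return false;
        if (kind == TCPOPT_MD5SIG)
            *has_md5 = true;
        else if (kind == TCPOPT_AO)
            *has_ao = true;
        i += olen;
    }
    return true;
}

/* Apply the three rules to one inbound segment of a connection in mode conn. */
static enum verdict check_inbound_segment(enum sig_mode conn,
                                          const uint8_t *opt, size_t len)
{
    bool md5, ao;

    if (!scan_tcp_options(opt, len, &md5, &ao))
        return DROP_BAD_OPTIONS;
    if (md5 && ao)
        return DROP_BOTH_SIGNATURES;                       /* rule 1 */

    switch (conn) {
    case SIG_AO:
        if (md5) return DROP_WRONG_SIGNATURE;              /* rule 2 */
        if (!ao) return DROP_MISSING_SIGNATURE;            /* rule 3 */
        return VERDICT_ACCEPT;
    case SIG_MD5:
        if (ao) return DROP_WRONG_SIGNATURE;               /* rule 2 */
        if (!md5) return DROP_MISSING_SIGNATURE;
        return VERDICT_ACCEPT;
    default: /* SIG_NONE */
        if (ao || md5) return DROP_UNEXPECTED_SIGNATURE;   /* rule 3 */
        return VERDICT_ACCEPT;
    }
}

/* Constructed sample option lists; MAC bytes are filler, not real digests. */
static const uint8_t sample_ao_opts[] = {
    TCPOPT_NOP, TCPOPT_NOP, TCPOPT_AO, 16, 1, 2,   /* KeyID 1, RNextKeyID 2, 12-byte MAC */
    0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa };
static const uint8_t sample_md5_opts[] = {
    TCPOPT_MD5SIG, 18,
    0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb,
    0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, TCPOPT_EOL, 0 };
static const uint8_t sample_both_opts[] = {      /* AO shortened: parser needs only kind/len */
    TCPOPT_AO, 4, 1, 2, TCPOPT_MD5SIG, 18,
    0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc,
    0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc };
static const uint8_t sample_truncated_opts[] = { TCPOPT_AO, 1 }; /* length < 2 */

int main(void)
{
    printf("AO conn, AO segment:       %d\n", check_inbound_segment(SIG_AO, sample_ao_opts, sizeof sample_ao_opts));
    printf("AO conn, MD5 segment:      %d\n", check_inbound_segment(SIG_AO, sample_md5_opts, sizeof sample_md5_opts));
    printf("AO conn, both options:     %d\n", check_inbound_segment(SIG_AO, sample_both_opts, sizeof sample_both_opts));
    printf("unsigned conn, AO segment: %d\n", check_inbound_segment(SIG_NONE, sample_ao_opts, sizeof sample_ao_opts));
    printf("AO conn, truncated option: %d\n", check_inbound_segment(SIG_AO, sample_truncated_opts, sizeof sample_truncated_opts));
    return 0;
}
```

The option scanner returns a distinct drop verdict for malformed lists so that a bad length byte can never be read as "no signature present" and slip past rule 3; in the kernel each of these outcomes maps to a drop reason, which is why the commit also touches include/net/dropreason-core.h.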
include/net/dropreason-core.h
include/net/tcp.h
include/net/tcp_ao.h
net/ipv4/tcp.c
net/ipv4/tcp_ao.c
net/ipv4/tcp_ipv4.c
net/ipv6/tcp_ao.c
net/ipv6/tcp_ipv6.c