net/tcp: Prevent TCP-MD5 with TCP-AO being set
author	Dmitry Safonov <dima@arista.com>
	Mon, 23 Oct 2023 19:21:56 +0000 (20:21 +0100)
committer	David S. Miller <davem@davemloft.net>
	Fri, 27 Oct 2023 09:35:44 +0000 (10:35 +0100)
commit	0aadc73995d08f6b0dc061c14a564ffa46f5914e
tree	d104c5c1772bec3362f2aababc1b5a79ec3e44bc
parent	4954f17ddefc51d218625dcdfaf422a253dad3fa
net/tcp: Prevent TCP-MD5 with TCP-AO being set

Be as conservative as possible: if there is a TCP-MD5 key for a given peer,
regardless of L3 interface, don't allow setting a TCP-AO key for the same
peer. According to RFC5925, TCP-AO is supposed to replace TCP-MD5 and
there can't be any switch between both on any connected tuple.
Later it can be relaxed, if there's a use, but in the beginning restrict
any intersection.

Note: it should still be possible to set both TCP-MD5 and TCP-AO keys
on a listening socket for *different* peers.

Co-developed-by: Francesco Ruggeri <fruggeri@arista.com>
Signed-off-by: Francesco Ruggeri <fruggeri@arista.com>
Co-developed-by: Salam Noureddine <noureddine@arista.com>
Signed-off-by: Salam Noureddine <noureddine@arista.com>
Signed-off-by: Dmitry Safonov <dima@arista.com>
Acked-by: David Ahern <dsahern@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
include/net/tcp.h
include/net/tcp_ao.h
net/ipv4/tcp_ao.c
net/ipv4/tcp_ipv4.c
net/ipv4/tcp_output.c
net/ipv6/tcp_ao.c
net/ipv6/tcp_ipv6.c
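The rule in the commit message (reject a TCP-AO key for a peer that already has a TCP-MD5 key, ignoring the L3 interface, while still allowing both key types for different peers on one listening socket) can be modelled on a small IPv4 key table. The following is an added illustration, not the kernel's code from this commit: the `peer_key` layout, the `key_table`, the error values and the function names are all assumptions made for this example, and "intersection" is modelled as address-prefix overlap.

```c
/* Added model of the TCP-MD5 / TCP-AO peer-conflict rule. Not kernel code:
 * struct layouts, table, error values and names are constructed here. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

enum key_kind { KEY_MD5, KEY_AO };

struct peer_key {
    enum key_kind kind;
    uint32_t addr;      /* IPv4 peer address, host byte order (constructed) */
    uint8_t  prefixlen; /* 32 for one peer, smaller for a subnet of peers */
    int      l3index;   /* L3 master (VRF) ifindex, 0 = none */
};

#define MAX_KEYS 16
struct key_table {
    struct peer_key keys[MAX_KEYS];
    size_t n;
};

/* Netmask for a prefix length; prefixlen 0 is special-cased to avoid a
 * 32-bit shift, which is undefined in C. */
static uint32_t prefix_mask(uint8_t prefixlen)
{
    return prefixlen == 0 ? 0 : (uint32_t)(~0u << (32 - prefixlen));
}

/* Two peer specifications intersect when the narrower prefix agrees with
 * the wider one. l3index is deliberately not compared: the commit message
 * applies the rule "regardless of L3 interface". */
static bool peers_intersect(const struct peer_key *a, const struct peer_key *b)
{
    uint8_t plen = a->prefixlen < b->prefixlen ? a->prefixlen : b->prefixlen;
    uint32_t mask = prefix_mask(plen);
    return (a->addr & mask) == (b->addr & mask);
}

/* True if a key of the *other* kind already covers this peer. Keys of the
 * same kind never conflict here (MD5 with MD5, AO with AO). */
static bool has_conflicting_key(const struct key_table *t, const struct peer_key *k)
{
    for (size_t i = 0; i < t->n; i++) {
        const struct peer_key *e = &t->keys[i];
        if (e->kind != k->kind && peers_intersect(e, k))
            return true;
    }
    return false;
}

/* Add a key to the table: 0 on success, -1 if a key of the other type
 * exists for an intersecting peer, -2 if the table is full.
 * (Return values are constructed for this model.) */
int add_key(struct key_table *t, struct peer_key k)
{
    if (has_conflicting_key(t, &k))
        return -1;
    if (t->n >= MAX_KEYS)
        return -2;
    t->keys[t->n++] = k;
    return 0;
}

/* Scenario from the commit message on one listening socket's table.
 * Returns 0 when every step behaves as the rule prescribes. */
int demo_scenario(void)
{
    struct key_table t;
    memset(&t, 0, sizeof(t));
    struct peer_key md5_peer_a   = { KEY_MD5, 0x0A000001u, 32, 0 }; /* 10.0.0.1, no VRF */
    struct peer_key ao_peer_a_vrf = { KEY_AO,  0x0A000001u, 32, 5 }; /* same peer, VRF ifindex 5 */
    struct peer_key ao_peer_b    = { KEY_AO,  0x0A000002u, 32, 0 }; /* 10.0.0.2 */
    struct peer_key md5_subnet   = { KEY_MD5, 0x0A000000u, 24, 0 }; /* 10.0.0.0/24 */

    if (add_key(&t, md5_peer_a) != 0)      return 1; /* first key always fits */
    if (add_key(&t, ao_peer_a_vrf) != -1)  return 2; /* rejected: MD5 exists for this peer, L3 ignored */
    if (add_key(&t, ao_peer_b) != 0)       return 3; /* allowed: different peer, both types coexist */
    if (add_key(&t, md5_subnet) != -1)     return 4; /* rejected: subnet intersects 10.0.0.2's AO key */
    return 0;
}
```

The subnet case shows why the message says "restrict any intersection" rather than "same address": a prefix key that covers a peer already bound to the other mechanism is refused too, since a connection to that peer could otherwise match both.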