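Lines matching full:ao. Each entry below gives the source line number, the text of the matching line, and the enclosing function where there is one; a trailing "local" or "argument" marks a line that declares `ao` as a local variable or a function parameter. Only matching lines are listed, so no function body here is complete.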
3 * INET An implementation of the TCP Authentication Option (TCP-AO).
54 struct tcp_ao_info *ao; in tcp_ao_ignore_icmp() local
60 * >> A TCP-AO implementation MUST default to ignore incoming ICMPv4 in tcp_ao_ignore_icmp()
83 ao = rcu_dereference(tcp_twsk(sk)->ao_info); in tcp_ao_ignore_icmp()
95 ao = rcu_dereference(tcp_sk(sk)->ao_info); in tcp_ao_ignore_icmp()
98 if (ao && !ao->accept_icmps) { in tcp_ao_ignore_icmp()
101 atomic64_inc(&ao->counters.dropped_icmp); in tcp_ao_ignore_icmp()
112 struct tcp_ao_key *tcp_ao_established_key(struct tcp_ao_info *ao, in tcp_ao_established_key() argument
117 hlist_for_each_entry_rcu(key, &ao->head, node) { in tcp_ao_established_key()
198 struct tcp_ao_info *ao; in __tcp_ao_do_lookup() local
203 ao = rcu_dereference_check(tcp_sk(sk)->ao_info, in __tcp_ao_do_lookup()
205 if (!ao) in __tcp_ao_do_lookup()
208 hlist_for_each_entry_rcu(key, &ao->head, node) { in __tcp_ao_do_lookup()
227 struct tcp_ao_info *ao; in tcp_ao_alloc_info() local
229 ao = kzalloc(sizeof(*ao), flags); in tcp_ao_alloc_info()
230 if (!ao) in tcp_ao_alloc_info()
232 INIT_HLIST_HEAD(&ao->head); in tcp_ao_alloc_info()
233 refcount_set(&ao->refcnt, 1); in tcp_ao_alloc_info()
235 return ao; in tcp_ao_alloc_info()
238 static void tcp_ao_link_mkt(struct tcp_ao_info *ao, struct tcp_ao_key *mkt) in tcp_ao_link_mkt() argument
240 hlist_add_head_rcu(&mkt->node, &ao->head); in tcp_ao_link_mkt()
272 struct tcp_ao_info *ao = container_of(head, struct tcp_ao_info, rcu); in tcp_ao_info_free_rcu() local
276 hlist_for_each_entry_safe(key, n, &ao->head, node) { in tcp_ao_info_free_rcu()
281 kfree(ao); in tcp_ao_info_free_rcu()
285 static void tcp_ao_sk_omem_free(struct sock *sk, struct tcp_ao_info *ao) in tcp_ao_sk_omem_free() argument
290 hlist_for_each_entry(key, &ao->head, node) in tcp_ao_sk_omem_free()
297 struct tcp_ao_info *ao; in tcp_ao_destroy_sock() local
300 ao = rcu_dereference_protected(tcp_twsk(sk)->ao_info, 1); in tcp_ao_destroy_sock()
303 ao = rcu_dereference_protected(tcp_sk(sk)->ao_info, 1); in tcp_ao_destroy_sock()
307 if (!ao || !refcount_dec_and_test(&ao->refcnt)) in tcp_ao_destroy_sock()
311 tcp_ao_sk_omem_free(sk, ao); in tcp_ao_destroy_sock()
312 call_rcu(&ao->rcu, tcp_ao_info_free_rcu); in tcp_ao_destroy_sock()
358 memcpy(tmp->label, "TCP-AO", 6); in tcp_v4_ao_calc_key()
547 /* zero out tcp-ao hash */ in tcp_ao_hash_header()
736 * Linux TCP-AO support provides TCP_AO_ADD_KEY and TCP_AO_REPAIR in tcp_ao_prepare_reset()
814 struct tcp_ao_info *ao; in tcp_ao_transmit_skb() local
819 ao = rcu_dereference_protected(tcp_sk(sk)->ao_info, in tcp_ao_transmit_skb()
832 disn = ao->risn; in tcp_ao_transmit_skb()
835 sk, ao->lisn, disn, true); in tcp_ao_transmit_skb()
837 sne = tcp_ao_compute_sne(READ_ONCE(ao->snd_sne), READ_ONCE(tp->snd_una), in tcp_ao_transmit_skb()
891 /* Key not found, continue without TCP-AO */ in tcp_ao_syncookie()
1054 WARN_ONCE(1, "TCP-AO: Unexpected sk_state %d", state); in tcp_inbound_ao_hash()
1076 struct tcp_ao_info *ao, in tcp_ao_cache_traffic_keys() argument
1083 ao->lisn, ao->risn, true); in tcp_ao_cache_traffic_keys()
1089 ao->lisn, ao->risn, false); in tcp_ao_cache_traffic_keys()
1148 * at least one tcp-ao key that matches the remote peer. in tcp_ao_connect_init()
1158 struct tcp_ao_info *ao; in tcp_ao_established() local
1161 ao = rcu_dereference_protected(tcp_sk(sk)->ao_info, in tcp_ao_established()
1163 if (!ao) in tcp_ao_established()
1166 hlist_for_each_entry_rcu(key, &ao->head, node) in tcp_ao_established()
1167 tcp_ao_cache_traffic_keys(sk, ao, key); in tcp_ao_established()
1172 struct tcp_ao_info *ao; in tcp_ao_finish_connect() local
1175 ao = rcu_dereference_protected(tcp_sk(sk)->ao_info, in tcp_ao_finish_connect()
1177 if (!ao) in tcp_ao_finish_connect()
1180 WRITE_ONCE(ao->risn, tcp_hdr(skb)->seq); in tcp_ao_finish_connect()
1181 ao->rcv_sne = 0; in tcp_ao_finish_connect()
1183 hlist_for_each_entry_rcu(key, &ao->head, node) in tcp_ao_finish_connect()
1184 tcp_ao_cache_traffic_keys(sk, ao, key); in tcp_ao_finish_connect()
1192 struct tcp_ao_info *new_ao, *ao; in tcp_ao_copy_all_matching() local
1198 ao = rcu_dereference(tcp_sk(sk)->ao_info); in tcp_ao_copy_all_matching()
1199 if (!ao) in tcp_ao_copy_all_matching()
1202 /* New socket without TCP-AO on it */ in tcp_ao_copy_all_matching()
1211 new_ao->ao_required = ao->ao_required; in tcp_ao_copy_all_matching()
1212 new_ao->accept_icmps = ao->accept_icmps; in tcp_ao_copy_all_matching()
1227 hlist_for_each_entry_rcu(key, &ao->head, node) { in tcp_ao_copy_all_matching()
1241 /* RFC5925 (7.4.1) specifies that the TCP-AO status in tcp_ao_copy_all_matching()
1243 * At this point the connection was TCP-AO enabled, so in tcp_ao_copy_all_matching()
1356 /* Check: maclen + tcp-ao header <= (MAX_TCP_OPTION_SPACE - mss in tcp_ao_parse_crypto()
1361 * In order to allow D-SACK with TCP-AO, the header size should be: in tcp_ao_parse_crypto()
1373 * TCP-AO continues to consume 16 bytes in non-SYN segments, in tcp_ao_parse_crypto()
1377 * such as to handle D-SACK, a smaller TCP-AO MAC would be required in tcp_ao_parse_crypto()
1652 * non peer-matching key on an established TCP-AO in tcp_ao_add_cmd()
1665 net_warn_ratelimited("AO key ifindex %d != sk bound ifindex %d\n", in tcp_ao_add_cmd()
1673 * (that will make them match AO key with in tcp_ao_add_cmd()
1931 /* cmd.ao_required makes a socket TCP-AO only.
2319 struct tcp_ao_info *ao; in tcp_ao_get_sock_info() local
2339 ao = setsockopt_ao_info(sk); in tcp_ao_get_sock_info()
2340 if (IS_ERR(ao)) in tcp_ao_get_sock_info()
2341 return PTR_ERR(ao); in tcp_ao_get_sock_info()
2342 if (!ao) in tcp_ao_get_sock_info()
2346 out.ao_required = ao->ao_required; in tcp_ao_get_sock_info()
2347 out.accept_icmps = ao->accept_icmps; in tcp_ao_get_sock_info()
2348 out.pkt_good = atomic64_read(&ao->counters.pkt_good); in tcp_ao_get_sock_info()
2349 out.pkt_bad = atomic64_read(&ao->counters.pkt_bad); in tcp_ao_get_sock_info()
2350 out.pkt_key_not_found = atomic64_read(&ao->counters.key_not_found); in tcp_ao_get_sock_info()
2351 out.pkt_ao_required = atomic64_read(&ao->counters.ao_required); in tcp_ao_get_sock_info()
2352 out.pkt_dropped_icmp = atomic64_read(&ao->counters.dropped_icmp); in tcp_ao_get_sock_info()
2354 current_key = READ_ONCE(ao->current_key); in tcp_ao_get_sock_info()
2359 if (ao->rnext_key) { in tcp_ao_get_sock_info()
2361 out.rnext = ao->rnext_key->rcvid; in tcp_ao_get_sock_info()
2375 struct tcp_ao_info *ao; in tcp_ao_set_repair() local
2388 ao = setsockopt_ao_info(sk); in tcp_ao_set_repair()
2389 if (IS_ERR(ao)) in tcp_ao_set_repair()
2390 return PTR_ERR(ao); in tcp_ao_set_repair()
2391 if (!ao) in tcp_ao_set_repair()
2394 WRITE_ONCE(ao->lisn, cmd.snt_isn); in tcp_ao_set_repair()
2395 WRITE_ONCE(ao->risn, cmd.rcv_isn); in tcp_ao_set_repair()
2396 WRITE_ONCE(ao->snd_sne, cmd.snd_sne); in tcp_ao_set_repair()
2397 WRITE_ONCE(ao->rcv_sne, cmd.rcv_sne); in tcp_ao_set_repair()
2399 hlist_for_each_entry_rcu(key, &ao->head, node) in tcp_ao_set_repair()
2400 tcp_ao_cache_traffic_keys(sk, ao, key); in tcp_ao_set_repair()
2409 struct tcp_ao_info *ao; in tcp_ao_get_repair() local
2422 ao = getsockopt_ao_info(sk); in tcp_ao_get_repair()
2423 if (IS_ERR_OR_NULL(ao)) { in tcp_ao_get_repair()
2425 return ao ? PTR_ERR(ao) : -ENOENT; in tcp_ao_get_repair()
2428 opt.snt_isn = ao->lisn; in tcp_ao_get_repair()
2429 opt.rcv_isn = ao->risn; in tcp_ao_get_repair()
2430 opt.snd_sne = READ_ONCE(ao->snd_sne); in tcp_ao_get_repair()
2431 opt.rcv_sne = READ_ONCE(ao->rcv_sne); in tcp_ao_get_repair()