net/tcp: Add tcp_parse_auth_options()

Introduce a helper that: (1) shares the common code with TCP-MD5 header options parsing (2) looks for hash signature only once for both TCP-MD5 and TCP-AO (3) fails with -EEXIST if any TCP sign option is present twice, see RFC5925 (2.2): ">> A single TCP segment MUST NOT have more than one TCP-AO in its options sequence. When multiple TCP-AOs appear, TCP MUST discard the segment." Co-developed-by: Francesco Ruggeri <fruggeri@arista.com> Signed-off-by: Francesco Ruggeri <fruggeri@arista.com> Co-developed-by: Salam Noureddine <noureddine@arista.com> Signed-off-by: Salam Noureddine <noureddine@arista.com> Signed-off-by: Dmitry Safonov <dima@arista.com> Acked-by: David Ahern <dsahern@kernel.org> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Dmitry Safonov <dima@arista.com> 2023-10-23 20:21:59 +0100
committer: David S. Miller <davem@davemloft.net> 2023-10-27 10:35:44 +0100
commit: f7dca36fc54afa2eb76bff8d0589a2ef18caea91 (patch)
tree: 318f2f477d23c115b66a9a1ea136f562ed588430 /net/ipv4/tcp.c
parent: 1e03d32bea8e782b7d31769c25a5fae8a5044488 (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index b6faee8a1e67..369e2a41bc1b 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -4398,7 +4398,8 @@ tcp_inbound_md5_hash(const struct sock *sk, const struct sk_buff *skb,
 	l3index = sdif ? dif : 0;
 
 	hash_expected = tcp_md5_do_lookup(sk, l3index, saddr, family);
-	hash_location = tcp_parse_md5sig_option(th);
+	if (tcp_parse_auth_options(th, &hash_location, NULL))
+		return SKB_DROP_REASON_TCP_AUTH_HDR;
 
 	/* We've parsed the options - do we have a hash? */
 	if (!hash_expected && !hash_location)
author	Dmitry Safonov <dima@arista.com>	2023-10-23 20:21:59 +0100
committer	David S. Miller <davem@davemloft.net>	2023-10-27 10:35:44 +0100
commit	f7dca36fc54afa2eb76bff8d0589a2ef18caea91 (patch)
tree	318f2f477d23c115b66a9a1ea136f562ed588430 /net/ipv4/tcp.c
parent	1e03d32bea8e782b7d31769c25a5fae8a5044488 (diff)