3  * INET		An implementation of the TCP Authentication Option (TCP-AO).
53 	struct tcp_ao_info *ao;  in tcp_ao_ignore_icmp()  local
59 	 * >> A TCP-AO implementation MUST default to ignore incoming ICMPv4  in tcp_ao_ignore_icmp()
82 		ao = rcu_dereference(tcp_twsk(sk)->ao_info);  in tcp_ao_ignore_icmp()
94 		ao = rcu_dereference(tcp_sk(sk)->ao_info);  in tcp_ao_ignore_icmp()
97 	if (ao && !ao->accept_icmps) {  in tcp_ao_ignore_icmp()
100 		atomic64_inc(&ao->counters.dropped_icmp);  in tcp_ao_ignore_icmp()
111 struct tcp_ao_key *tcp_ao_established_key(struct tcp_ao_info *ao,  in tcp_ao_established_key()  argument
116 	hlist_for_each_entry_rcu(key, &ao->head, node) {  in tcp_ao_established_key()
197 	struct tcp_ao_info *ao;  in __tcp_ao_do_lookup()  local
202 	ao = rcu_dereference_check(tcp_sk(sk)->ao_info,  in __tcp_ao_do_lookup()
204 	if (!ao)  in __tcp_ao_do_lookup()
207 	hlist_for_each_entry_rcu(key, &ao->head, node) {  in __tcp_ao_do_lookup()
226 	struct tcp_ao_info *ao;  in tcp_ao_alloc_info()  local
228 	ao = kzalloc(sizeof(*ao), flags);  in tcp_ao_alloc_info()
229 	if (!ao)  in tcp_ao_alloc_info()
231 	INIT_HLIST_HEAD(&ao->head);  in tcp_ao_alloc_info()
232 	refcount_set(&ao->refcnt, 1);  in tcp_ao_alloc_info()
234 	return ao;  in tcp_ao_alloc_info()
237 static void tcp_ao_link_mkt(struct tcp_ao_info *ao, struct tcp_ao_key *mkt)  in tcp_ao_link_mkt()  argument
239 	hlist_add_head_rcu(&mkt->node, &ao->head);  in tcp_ao_link_mkt()
271 	struct tcp_ao_info *ao;  in tcp_ao_destroy_sock()  local
276 		ao = rcu_dereference_protected(tcp_twsk(sk)->ao_info, 1);  in tcp_ao_destroy_sock()
279 		ao = rcu_dereference_protected(tcp_sk(sk)->ao_info, 1);  in tcp_ao_destroy_sock()
283 	if (!ao || !refcount_dec_and_test(&ao->refcnt))  in tcp_ao_destroy_sock()
286 	hlist_for_each_entry_safe(key, n, &ao->head, node) {  in tcp_ao_destroy_sock()
293 	kfree_rcu(ao, rcu);  in tcp_ao_destroy_sock()
340 	memcpy(tmp->label, "TCP-AO", 6);  in tcp_v4_ao_calc_key()
529 		/* zero out tcp-ao hash */  in tcp_ao_hash_header()
718 	 * Linux TCP-AO support provides TCP_AO_ADD_KEY and TCP_AO_REPAIR  in tcp_ao_prepare_reset()
796 	struct tcp_ao_info *ao;  in tcp_ao_transmit_skb()  local
801 	ao = rcu_dereference_protected(tcp_sk(sk)->ao_info,  in tcp_ao_transmit_skb()
814 			disn = ao->risn;  in tcp_ao_transmit_skb()
817 						sk, ao->lisn, disn, true);  in tcp_ao_transmit_skb()
819 	sne = tcp_ao_compute_sne(READ_ONCE(ao->snd_sne), READ_ONCE(tp->snd_una),  in tcp_ao_transmit_skb()
873 		/* Key not found, continue without TCP-AO */  in tcp_ao_syncookie()
895 		tcp_hash_fail("AO hash wrong length", family, skb,  in tcp_ao_verify_hash()
912 		tcp_hash_fail("AO hash mismatch", family, skb,  in tcp_ao_verify_hash()
941 		tcp_hash_fail("AO key not found", family, skb,  in tcp_inbound_ao_hash()
1028 		WARN_ONCE(1, "TCP-AO: Unexpected sk_state %d", sk->sk_state);  in tcp_inbound_ao_hash()
1044 	tcp_hash_fail("Requested by the peer AO key id not found",  in tcp_inbound_ao_hash()
1050 				     struct tcp_ao_info *ao,  in tcp_ao_cache_traffic_keys()  argument
1057 				 ao->lisn, ao->risn, true);  in tcp_ao_cache_traffic_keys()
1063 				 ao->lisn, ao->risn, false);  in tcp_ao_cache_traffic_keys()
1121 		 * at least one tcp-ao key that matches the remote peer.  in tcp_ao_connect_init()
1131 	struct tcp_ao_info *ao;  in tcp_ao_established()  local
1134 	ao = rcu_dereference_protected(tcp_sk(sk)->ao_info,  in tcp_ao_established()
1136 	if (!ao)  in tcp_ao_established()
1139 	hlist_for_each_entry_rcu(key, &ao->head, node)  in tcp_ao_established()
1140 		tcp_ao_cache_traffic_keys(sk, ao, key);  in tcp_ao_established()
1145 	struct tcp_ao_info *ao;  in tcp_ao_finish_connect()  local
1148 	ao = rcu_dereference_protected(tcp_sk(sk)->ao_info,  in tcp_ao_finish_connect()
1150 	if (!ao)  in tcp_ao_finish_connect()
1153 	WRITE_ONCE(ao->risn, tcp_hdr(skb)->seq);  in tcp_ao_finish_connect()
1154 	ao->rcv_sne = 0;  in tcp_ao_finish_connect()
1156 	hlist_for_each_entry_rcu(key, &ao->head, node)  in tcp_ao_finish_connect()
1157 		tcp_ao_cache_traffic_keys(sk, ao, key);  in tcp_ao_finish_connect()
1165 	struct tcp_ao_info *new_ao, *ao;  in tcp_ao_copy_all_matching()  local
1171 	ao = rcu_dereference(tcp_sk(sk)->ao_info);  in tcp_ao_copy_all_matching()
1172 	if (!ao)  in tcp_ao_copy_all_matching()
1175 	/* New socket without TCP-AO on it */  in tcp_ao_copy_all_matching()
1184 	new_ao->ao_required = ao->ao_required;  in tcp_ao_copy_all_matching()
1185 	new_ao->accept_icmps = ao->accept_icmps;  in tcp_ao_copy_all_matching()
1200 	hlist_for_each_entry_rcu(key, &ao->head, node) {  in tcp_ao_copy_all_matching()
1214 		/* RFC5925 (7.4.1) specifies that the TCP-AO status  in tcp_ao_copy_all_matching()
1216 		 * At this point the connection was TCP-AO enabled, so  in tcp_ao_copy_all_matching()
1329 	/* Check: maclen + tcp-ao header <= (MAX_TCP_OPTION_SPACE - mss  in tcp_ao_parse_crypto()
1334 	 * In order to allow D-SACK with TCP-AO, the header size should be:  in tcp_ao_parse_crypto()
1346 	 * TCP-AO continues to consume 16 bytes in non-SYN segments,  in tcp_ao_parse_crypto()
1350 	 * such as to handle D-SACK, a smaller TCP-AO MAC would be required  in tcp_ao_parse_crypto()
1625 			 * non peer-matching key on an established TCP-AO  in tcp_ao_add_cmd()
1638 			net_warn_ratelimited("AO key ifindex %d != sk bound ifindex %d\n",  in tcp_ao_add_cmd()
1646 		 * (that will make them match AO key with  in tcp_ao_add_cmd()
1904 /* cmd.ao_required makes a socket TCP-AO only.
2290 	struct tcp_ao_info *ao;  in tcp_ao_get_sock_info()  local
2310 	ao = setsockopt_ao_info(sk);  in tcp_ao_get_sock_info()
2311 	if (IS_ERR(ao))  in tcp_ao_get_sock_info()
2312 		return PTR_ERR(ao);  in tcp_ao_get_sock_info()
2313 	if (!ao)  in tcp_ao_get_sock_info()
2317 	out.ao_required		= ao->ao_required;  in tcp_ao_get_sock_info()
2318 	out.accept_icmps	= ao->accept_icmps;  in tcp_ao_get_sock_info()
2319 	out.pkt_good		= atomic64_read(&ao->counters.pkt_good);  in tcp_ao_get_sock_info()
2320 	out.pkt_bad		= atomic64_read(&ao->counters.pkt_bad);  in tcp_ao_get_sock_info()
2321 	out.pkt_key_not_found	= atomic64_read(&ao->counters.key_not_found);  in tcp_ao_get_sock_info()
2322 	out.pkt_ao_required	= atomic64_read(&ao->counters.ao_required);  in tcp_ao_get_sock_info()
2323 	out.pkt_dropped_icmp	= atomic64_read(&ao->counters.dropped_icmp);  in tcp_ao_get_sock_info()
2325 	current_key = READ_ONCE(ao->current_key);  in tcp_ao_get_sock_info()
2330 	if (ao->rnext_key) {  in tcp_ao_get_sock_info()
2332 		out.rnext = ao->rnext_key->rcvid;  in tcp_ao_get_sock_info()
2346 	struct tcp_ao_info *ao;  in tcp_ao_set_repair()  local
2359 	ao = setsockopt_ao_info(sk);  in tcp_ao_set_repair()
2360 	if (IS_ERR(ao))  in tcp_ao_set_repair()
2361 		return PTR_ERR(ao);  in tcp_ao_set_repair()
2362 	if (!ao)  in tcp_ao_set_repair()
2365 	WRITE_ONCE(ao->lisn, cmd.snt_isn);  in tcp_ao_set_repair()
2366 	WRITE_ONCE(ao->risn, cmd.rcv_isn);  in tcp_ao_set_repair()
2367 	WRITE_ONCE(ao->snd_sne, cmd.snd_sne);  in tcp_ao_set_repair()
2368 	WRITE_ONCE(ao->rcv_sne, cmd.rcv_sne);  in tcp_ao_set_repair()
2370 	hlist_for_each_entry_rcu(key, &ao->head, node)  in tcp_ao_set_repair()
2371 		tcp_ao_cache_traffic_keys(sk, ao, key);  in tcp_ao_set_repair()
2380 	struct tcp_ao_info *ao;  in tcp_ao_get_repair()  local
2393 	ao = getsockopt_ao_info(sk);  in tcp_ao_get_repair()
2394 	if (IS_ERR_OR_NULL(ao)) {  in tcp_ao_get_repair()
2396 		return ao ? PTR_ERR(ao) : -ENOENT;  in tcp_ao_get_repair()
2399 	opt.snt_isn	= ao->lisn;  in tcp_ao_get_repair()
2400 	opt.rcv_isn	= ao->risn;  in tcp_ao_get_repair()
2401 	opt.snd_sne	= READ_ONCE(ao->snd_sne);  in tcp_ao_get_repair()
2402 	opt.rcv_sne	= READ_ONCE(ao->rcv_sne);  in tcp_ao_get_repair()