net/tcp: Verify inbound TCP-AO signed segments
Now there is a common function to verify signature on TCP segments: tcp_inbound_hash(). It has checks for all possible cross-interactions with MD5 signs as well as with unsigned segments.

The rules from RFC5925 are:
(1) Any TCP segment can have at max only one signature.
(2) TCP connections can't switch between using TCP-MD5 and TCP-AO.
(3) TCP-AO connections can't stop using AO, as well as unsigned connections can't suddenly start using AO.

Co-developed-by: Francesco Ruggeri <fruggeri@arista.com>
Signed-off-by: Francesco Ruggeri <fruggeri@arista.com>
Co-developed-by: Salam Noureddine <noureddine@arista.com>
Signed-off-by: Salam Noureddine <noureddine@arista.com>
Signed-off-by: Dmitry Safonov <dima@arista.com>
Acked-by: David Ahern <dsahern@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
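
The three rules in the commit message, as a user-space model added here for illustration; it is not the kernel's tcp_inbound_hash() and not code from this commit. Only the option kinds 19 (TCP-MD5) and 29 (TCP-AO) are real values; every function, enum and sample buffer is hypothetical, and applying rule (3) to MD5 connections as well as AO ones is this model's assumption.

```c
#include <stdint.h>
#include <stdio.h>

/* Option kinds 19 (RFC 2385) and 29 (RFC 5925) are IANA values; all other names are hypothetical. */
enum { OPT_EOL = 0, OPT_NOP = 1, OPT_MD5 = 19, OPT_AO = 29 };
enum conn_auth { CONN_UNSIGNED, CONN_MD5, CONN_AO };  /* how the connection was established */
enum verdict { ACCEPT_UNSIGNED, VERIFY_MAC, DROP_MALFORMED, DROP_TWO_SIGNATURES,
               DROP_SIG_REQUIRED, DROP_SIG_UNEXPECTED, DROP_WRONG_SIG_TYPE };

/* Constructed option areas (MAC bytes are zero filler; no MAC is computed here). */
static const uint8_t seg_plain[12] = { OPT_NOP, OPT_NOP, 8, 10 };   /* timestamps only */
static const uint8_t seg_ao[18]    = { OPT_NOP, OPT_NOP, OPT_AO, 16, 1, 1 };
static const uint8_t seg_both[22]  = { OPT_AO, 4, 1, 1, OPT_MD5, 18 };

/* Walk the option list, counting signature options; -1 on a truncated or bad length. */
static int scan_options(const uint8_t *opt, size_t len, int *md5, int *ao)
{
    *md5 = *ao = 0;
    for (size_t i = 0; i < len; ) {
        uint8_t kind = opt[i];
        if (kind == OPT_EOL) break;
        if (kind == OPT_NOP) { i++; continue; }
        if (i + 1 >= len) return -1;                 /* no room for the length byte */
        uint8_t olen = opt[i + 1];
        if (olen < 2 || i + olen > len) return -1;   /* option runs past the header */
        if (kind == OPT_MD5) { if (olen != 18) return -1; (*md5)++; }
        if (kind == OPT_AO)  { if (olen < 4) return -1; (*ao)++; }
        i += olen;
    }
    return 0;
}

enum verdict check_inbound(enum conn_auth conn, const uint8_t *opt, size_t len)
{
    int md5, ao;
    if (scan_options(opt, len, &md5, &ao) < 0) return DROP_MALFORMED;
    if (md5 + ao > 1) return DROP_TWO_SIGNATURES;            /* rule (1) */
    enum conn_auth seg = ao ? CONN_AO : md5 ? CONN_MD5 : CONN_UNSIGNED;
    if (seg == conn) return seg == CONN_UNSIGNED ? ACCEPT_UNSIGNED : VERIFY_MAC;
    if (seg == CONN_UNSIGNED) return DROP_SIG_REQUIRED;      /* rule (3): cannot stop signing */
    if (conn == CONN_UNSIGNED) return DROP_SIG_UNEXPECTED;   /* rule (3): cannot start signing */
    return DROP_WRONG_SIG_TYPE;                              /* rule (2): MD5 <-> AO switch */
}

int main(void)
{
    printf("%d %d\n", check_inbound(CONN_AO, seg_ao, sizeof seg_ao),
           check_inbound(CONN_AO, seg_both, sizeof seg_both));
    return 0;
}
```

VERIFY_MAC only means the segment passed these structural checks; the MAC comparison itself is outside this model.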
Showing
- include/net/dropreason-core.h: 17 additions, 0 deletions
- include/net/tcp.h: 51 additions, 2 deletions
- include/net/tcp_ao.h: 14 additions, 0 deletions
- net/ipv4/tcp.c: 8 additions, 31 deletions
- net/ipv4/tcp_ao.c: 142 additions, 0 deletions
- net/ipv4/tcp_ipv4.c: 5 additions, 5 deletions
- net/ipv6/tcp_ao.c: 5 additions, 4 deletions
- net/ipv6/tcp_ipv6.c: 6 additions, 5 deletions