Subject: Re: [PATCH v2 06/25] tcp: authopt: Compute packet signatures
To: Dmitry Safonov <0x7f454c46@gmail.com>
Cc: "David S. Miller", Herbert Xu, Kuniyuki Iwashima, Hideaki YOSHIFUJI, Jakub Kicinski, Yuchung Cheng, Francesco Ruggeri, Mat Martineau, Christoph Paasch, Ivan Delalande, Priyaranjan Jha, netdev@vger.kernel.org, linux-crypto@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org, Shuah Khan, Eric Dumazet, David Ahern
References: <5245f35901015acc6a41d1da92deb96f3e593b7c.1635784253.git.cdleonard@gmail.com> <7a32f18e-aa92-8fd8-4f53-72b4ef8b0ffc@gmail.com>
From: Leonard Crestez
Date: Fri, 5 Nov 2021 08:09:34 +0200
In-Reply-To: <7a32f18e-aa92-8fd8-4f53-72b4ef8b0ffc@gmail.com>
X-Mailing-List: linux-crypto@vger.kernel.org

On 11/5/21 4:08 AM, Dmitry Safonov wrote:
> On 11/1/21 16:34, Leonard Crestez wrote:
> [..]
>> +/* Find TCP_AUTHOPT in header.
>> + *
>> + * Returns pointer to TCP_AUTHOPT or NULL if not found.
>> + */
>> +static u8 *tcp_authopt_find_option(struct tcphdr *th)
>> +{
>> +	int length = (th->doff << 2) - sizeof(*th);
>> +	u8 *ptr = (u8 *)(th + 1);
>> +
>> +	while (length >= 2) {
>> +		int opcode = *ptr++;
>> +		int opsize;
>> +
>> +		switch (opcode) {
>> +		case TCPOPT_EOL:
>> +			return NULL;
>> +		case TCPOPT_NOP:
>> +			length--;
>> +			continue;
>> +		default:
>> +			if (length < 2)
>> +				return NULL;
> 
> ^ never true, as checked by the loop condition
> 
>> +			opsize = *ptr++;
>> +			if (opsize < 2)
>> +				return NULL;
>> +			if (opsize > length)
>> +				return NULL;
>> +			if (opcode == TCPOPT_AUTHOPT)
>> +				return ptr - 2;
>> +		}
>> +		ptr += opsize - 2;
>> +		length -= opsize;
>> +	}
>> +	return NULL;
>> +}
> 
> Why copy'n'pasting tcp_parse_md5sig_option(), rather than adding a new
> argument to the function?

No good reason.

There is a requirement in RFC5925 that packets with both AO and MD5 
signatures be dropped. This currently works but the implementation is 
convoluted: after an AO signature is found an error is returned if MD5 
is also present.

A better solution would be to do a single scan for both options up 
front, for example in tcp_{v4,v6}_auth_inbound_check.

--
Regards,
Leonard
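Review bot: the `if (length < 2) return NULL;` in the `default:` arm can never fire, because the loop only runs while `length >= 2` and nothing changes `length` between that test and the check (`*ptr++` advances the pointer only); drop it so the real bounds checks, `opsize < 2` and `opsize > length`, stand out. Separately, the function returns `ptr - 2` as soon as `opcode == TCPOPT_AUTHOPT` with only `opsize >= 2` and `opsize <= length` established, so a caller that reads KeyID/RNextKeyID (the fixed 4-byte AO option header of RFC 5925) through the returned pointer has to validate the option length itself; either enforce `opsize >= 4` here or state in the header comment that the returned option's length is unvalidated. Since the walk is otherwise identical to tcp_parse_md5sig_option(), one walker that records both the AO and the MD5 option would remove the duplication and turn the "AO and MD5 together" rejection into a direct check on the two results rather than a second scan.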
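The single up-front scan Leonard describes, as an added example that is not code from the patch series or from the kernel: it walks the option area once, records where TCP-AO and TCP-MD5 start, validates each option's length before anything dereferences it, and returns a distinct verdict when both are present, so the RFC 5925 "drop if both" rule becomes one comparison. TCPOPT_AUTHOPT, TCPOPT_MD5SIG and the length constants are defined locally to match the kernel's values; the sample option areas are constructed, and the result codes, struct and function names are this example's own.

```c
/* Added example, not code from the patch series: a single pass over the TCP
 * option area that records both TCP-AO (kind 29, RFC 5925) and TCP-MD5
 * (kind 19, RFC 2385) and rejects a segment carrying both.  Plain C; the
 * constant names follow the kernel's but are defined locally. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TCPOPT_EOL          0
#define TCPOPT_NOP          1
#define TCPOPT_MD5SIG       19
#define TCPOPT_AUTHOPT      29
#define TCPOLEN_MD5SIG      18 /* kind, len, 16-byte digest */
#define TCPOLEN_AUTHOPT_MIN 4  /* kind, len, KeyID, RNextKeyID; MAC follows */
enum {
	TCP_AUTH_SCAN_OK        =  0,
	TCP_AUTH_SCAN_MALFORMED = -1, /* bad length byte or truncated option */
	TCP_AUTH_SCAN_BOTH      = -2, /* AO and MD5 together: RFC 5925 says drop */
};
/* Kind byte of each option found, NULL when absent; first occurrence wins. */
struct tcp_auth_opts { const uint8_t *ao, *md5; };

/* opts/len is the option area, the (doff << 2) - 20 bytes after the fixed
 * header.  out may be NULL when only the verdict is wanted. */
static int tcp_auth_scan_options(const uint8_t *opts, size_t len,
				 struct tcp_auth_opts *out)
{
	const uint8_t *ptr = opts, *end = opts + len;
	struct tcp_auth_opts tmp;

	if (!out)
		out = &tmp;
	out->ao = out->md5 = NULL;
	while (ptr < end) {
		uint8_t kind = *ptr;
		size_t opsize;

		if (kind == TCPOPT_EOL)
			break;			/* rest of the area is padding */
		if (kind == TCPOPT_NOP) {
			ptr++;
			continue;
		}
		/* every other kind carries a length byte that covers itself */
		if (end - ptr < 2)
			return TCP_AUTH_SCAN_MALFORMED;
		opsize = ptr[1];
		if (opsize < 2 || opsize > (size_t)(end - ptr))
			return TCP_AUTH_SCAN_MALFORMED;
		if (kind == TCPOPT_AUTHOPT) {
			/* KeyID/RNextKeyID must lie inside the option before a caller reads them */
			if (opsize < TCPOLEN_AUTHOPT_MIN)
				return TCP_AUTH_SCAN_MALFORMED;
			if (!out->ao)
				out->ao = ptr;
		} else if (kind == TCPOPT_MD5SIG) {
			if (opsize != TCPOLEN_MD5SIG)
				return TCP_AUTH_SCAN_MALFORMED;
			if (!out->md5)
				out->md5 = ptr;
		}
		ptr += opsize;
	}
	return (out->ao && out->md5) ? TCP_AUTH_SCAN_BOTH : TCP_AUTH_SCAN_OK;
}

/* Constructed option areas, not captured traffic; MAC/digest bytes are filler. */
static const uint8_t SAMPLE_AO_ONLY[20] = { TCPOPT_NOP, TCPOPT_NOP,
	TCPOPT_AUTHOPT, 16, 0x01, 0x02, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
	0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, TCPOPT_EOL, TCPOPT_EOL };
static const uint8_t SAMPLE_MD5_ONLY[20] = { TCPOPT_NOP, TCPOPT_NOP,
	TCPOPT_MD5SIG, 18, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb,
	0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb };
static const uint8_t SAMPLE_BOTH[36] = {
	TCPOPT_AUTHOPT, 16, 0x01, 0x02, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
	0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
	TCPOPT_MD5SIG, 18, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb,
	0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, TCPOPT_NOP, TCPOPT_NOP };
/* length byte claims 40 bytes with only 4 present */
static const uint8_t SAMPLE_TRUNCATED[4] = { TCPOPT_AUTHOPT, 40, 0x01, 0x02 };
/* a kind that needs a length byte sits on the last byte of the area */
static const uint8_t SAMPLE_TRAILING_KIND[4] = { TCPOPT_NOP, TCPOPT_NOP, TCPOPT_NOP, TCPOPT_AUTHOPT };

static int example_ao_only(void)   { return tcp_auth_scan_options(SAMPLE_AO_ONLY, 20, NULL); }
static int example_md5_only(void)  { return tcp_auth_scan_options(SAMPLE_MD5_ONLY, 20, NULL); }
static int example_both(void)      { return tcp_auth_scan_options(SAMPLE_BOTH, 36, NULL); }
static int example_truncated(void) { return tcp_auth_scan_options(SAMPLE_TRUNCATED, 4, NULL); }
static int example_trailing(void)  { return tcp_auth_scan_options(SAMPLE_TRAILING_KIND, 4, NULL); }
/* Offset of the AO option inside SAMPLE_AO_ONLY: 2, right after the NOPs. */
static long example_ao_offset(void)
{
	struct tcp_auth_opts o;
	if (tcp_auth_scan_options(SAMPLE_AO_ONLY, 20, &o) != TCP_AUTH_SCAN_OK || !o.ao)
		return -1;
	return o.ao - SAMPLE_AO_ONLY;
}

int main(void)
{
	printf("ao=%d md5=%d both=%d truncated=%d trailing=%d ao_offset=%ld\n",
	       example_ao_only(), example_md5_only(), example_both(),
	       example_truncated(), example_trailing(), example_ao_offset());
	return 0;
}
```

Two choices differ from the quoted helper and are worth knowing before reusing this. The quoted loop stops quietly when fewer than two bytes remain, whereas this scan reports a non-NOP kind byte with no room for its length byte as malformed; that is stricter than the kernel's option parser, so a stack adopting it would reject a few segments it currently lets through. Duplicate AO or MD5 options are not rejected here, the first occurrence wins; this example does not take a position on what RFC 5925 requires for duplicates.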