Merge branch 'tcp-Add-support-for-L3-domains-to-MD5-auth'

	struct hlist_node	node;

	u8			keylen;

	u8			family; /* AF_INET or AF_INET6 */

	union tcp_md5_addr	addr;

	u8			prefixlen;

	union tcp_md5_addr	addr;

	int			l3index; /* set if key added with L3 scope */

	u8			key[TCP_MD5SIG_MAXKEYLEN];

	struct rcu_head		rcu;

};

int tcp_v4_md5_hash_skb(char *md5_hash, const struct tcp_md5sig_key *key,

			const struct sock *sk, const struct sk_buff *skb);

int tcp_md5_do_add(struct sock *sk, const union tcp_md5_addr *addr,

		   int family, u8 prefixlen, const u8 *newkey, u8 newkeylen,

		   gfp_t gfp);

		   int family, u8 prefixlen, int l3index,

		   const u8 *newkey, u8 newkeylen, gfp_t gfp);

int tcp_md5_do_del(struct sock *sk, const union tcp_md5_addr *addr,

		   int family, u8 prefixlen);

		   int family, u8 prefixlen, int l3index);

struct tcp_md5sig_key *tcp_v4_md5_lookup(const struct sock *sk,

					 const struct sock *addr_sk);

#ifdef CONFIG_TCP_MD5SIG

#include <linux/jump_label.h>

extern struct static_key_false tcp_md5_needed;

struct tcp_md5sig_key *__tcp_md5_do_lookup(const struct sock *sk,

struct tcp_md5sig_key *__tcp_md5_do_lookup(const struct sock *sk, int l3index,

					   const union tcp_md5_addr *addr,

					   int family);

static inline struct tcp_md5sig_key *

tcp_md5_do_lookup(const struct sock *sk,

		  const union tcp_md5_addr *addr,

		  int family)

tcp_md5_do_lookup(const struct sock *sk, int l3index,

		  const union tcp_md5_addr *addr, int family)

{

	if (!static_branch_unlikely(&tcp_md5_needed))

		return NULL;

	return __tcp_md5_do_lookup(sk, addr, family);

	return __tcp_md5_do_lookup(sk, l3index, addr, family);

}

#define tcp_twsk_md5_key(twsk)	((twsk)->tw_md5_key)

#else

static inline struct tcp_md5sig_key *tcp_md5_do_lookup(const struct sock *sk,

					 const union tcp_md5_addr *addr,

					 int family)

static inline struct tcp_md5sig_key *

tcp_md5_do_lookup(const struct sock *sk, int l3index,

		  const union tcp_md5_addr *addr, int family)

{

	return NULL;

}

#define TCP_MD5SIG_MAXKEYLEN	80

/* tcp_md5sig extension flags for TCP_MD5SIG_EXT */

#define TCP_MD5SIG_FLAG_PREFIX		1	/* address prefix length */

#define TCP_MD5SIG_FLAG_PREFIX		0x1	/* address prefix length */

#define TCP_MD5SIG_FLAG_IFINDEX		0x2	/* ifindex set */

struct tcp_md5sig {

	struct __kernel_sockaddr_storage tcpm_addr;	/* address associated */

	__u8	tcpm_flags;				/* extension flags */

	__u8	tcpm_prefixlen;				/* address prefix */

	__u16	tcpm_keylen;				/* key length */

	__u32	__tcpm_pad;				/* zero */

	int	tcpm_ifindex;				/* device index for scope */

	__u8	tcpm_key[TCP_MD5SIG_MAXKEYLEN];		/* key (binary) */

};

	rcu_read_lock();

	hash_location = tcp_parse_md5sig_option(th);

	if (sk && sk_fullsock(sk)) {

		key = tcp_md5_do_lookup(sk, (union tcp_md5_addr *)

					&ip_hdr(skb)->saddr, AF_INET);

		const union tcp_md5_addr *addr;

		int l3index;

		/* sdif set, means packet ingressed via a device

		 * in an L3 domain and inet_iif is set to it.

		 */

		l3index = tcp_v4_sdif(skb) ? inet_iif(skb) : 0;

		addr = (union tcp_md5_addr *)&ip_hdr(skb)->saddr;

		key = tcp_md5_do_lookup(sk, l3index, addr, AF_INET);

	} else if (hash_location) {

		const union tcp_md5_addr *addr;

		int sdif = tcp_v4_sdif(skb);

		int dif = inet_iif(skb);

		int l3index;

		/*

		 * active side is lost. Try to find listening socket through

		 * source port, and then find md5 key through listening socket.

		sk1 = __inet_lookup_listener(net, &tcp_hashinfo, NULL, 0,

					     ip_hdr(skb)->saddr,

					     th->source, ip_hdr(skb)->daddr,

					     ntohs(th->source), inet_iif(skb),

					     tcp_v4_sdif(skb));

					     ntohs(th->source), dif, sdif);

		/* don't send rst if it can't find key */

		if (!sk1)

			goto out;

		key = tcp_md5_do_lookup(sk1, (union tcp_md5_addr *)

					&ip_hdr(skb)->saddr, AF_INET);

		/* sdif set, means packet ingressed via a device

		 * in an L3 domain and dif is set to it.

		 */

		l3index = sdif ? dif : 0;

		addr = (union tcp_md5_addr *)&ip_hdr(skb)->saddr;

		key = tcp_md5_do_lookup(sk1, l3index, addr, AF_INET);

		if (!key)

			goto out;

static void tcp_v4_reqsk_send_ack(const struct sock *sk, struct sk_buff *skb,

				  struct request_sock *req)

{

	const union tcp_md5_addr *addr;

	int l3index;

	/* sk->sk_state == TCP_LISTEN -> for regular TCP_SYN_RECV

	 * sk->sk_state == TCP_SYN_RECV -> for Fast Open.

	 */

	 * exception of <SYN> segments, MUST be right-shifted by

	 * Rcv.Wind.Shift bits:

	 */

	addr = (union tcp_md5_addr *)&ip_hdr(skb)->saddr;

	l3index = tcp_v4_sdif(skb) ? inet_iif(skb) : 0;

	tcp_v4_send_ack(sk, skb, seq,

			tcp_rsk(req)->rcv_nxt,

			req->rsk_rcv_wnd >> inet_rsk(req)->rcv_wscale,

			tcp_time_stamp_raw() + tcp_rsk(req)->ts_off,

			req->ts_recent,

			0,

			tcp_md5_do_lookup(sk, (union tcp_md5_addr *)&ip_hdr(skb)->saddr,

					  AF_INET),

			tcp_md5_do_lookup(sk, l3index, addr, AF_INET),

			inet_rsk(req)->no_srccheck ? IP_REPLY_ARG_NOSRCCHECK : 0,

			ip_hdr(skb)->tos);

}

EXPORT_SYMBOL(tcp_md5_needed);

/* Find the Key structure for an address.  */

struct tcp_md5sig_key *__tcp_md5_do_lookup(const struct sock *sk,

struct tcp_md5sig_key *__tcp_md5_do_lookup(const struct sock *sk, int l3index,

					   const union tcp_md5_addr *addr,

					   int family)

{

	hlist_for_each_entry_rcu(key, &md5sig->head, node) {

		if (key->family != family)

			continue;

		if (key->l3index && key->l3index != l3index)

			continue;

		if (family == AF_INET) {

			mask = inet_make_mask(key->prefixlen);

			match = (key->addr.a4.s_addr & mask) ==

static struct tcp_md5sig_key *tcp_md5_do_lookup_exact(const struct sock *sk,

						      const union tcp_md5_addr *addr,

						      int family, u8 prefixlen)

						      int family, u8 prefixlen,

						      int l3index)

{

	const struct tcp_sock *tp = tcp_sk(sk);

	struct tcp_md5sig_key *key;

	hlist_for_each_entry_rcu(key, &md5sig->head, node) {

		if (key->family != family)

			continue;

		if (key->l3index && key->l3index != l3index)

			continue;

		if (!memcmp(&key->addr, addr, size) &&

		    key->prefixlen == prefixlen)

			return key;

					 const struct sock *addr_sk)

{

	const union tcp_md5_addr *addr;

	int l3index;

	l3index = l3mdev_master_ifindex_by_index(sock_net(sk),

						 addr_sk->sk_bound_dev_if);

	addr = (const union tcp_md5_addr *)&addr_sk->sk_daddr;

	return tcp_md5_do_lookup(sk, addr, AF_INET);

	return tcp_md5_do_lookup(sk, l3index, addr, AF_INET);

}

EXPORT_SYMBOL(tcp_v4_md5_lookup);

/* This can be called on a newly created socket, from other files */

int tcp_md5_do_add(struct sock *sk, const union tcp_md5_addr *addr,

		   int family, u8 prefixlen, const u8 *newkey, u8 newkeylen,

		   gfp_t gfp)

		   int family, u8 prefixlen, int l3index,

		   const u8 *newkey, u8 newkeylen, gfp_t gfp)

{

	/* Add Key to the list */

	struct tcp_md5sig_key *key;

	struct tcp_sock *tp = tcp_sk(sk);

	struct tcp_md5sig_info *md5sig;

	key = tcp_md5_do_lookup_exact(sk, addr, family, prefixlen);

	key = tcp_md5_do_lookup_exact(sk, addr, family, prefixlen, l3index);

	if (key) {

		/* Pre-existing entry - just update that one. */

		memcpy(key->key, newkey, newkeylen);

	key->keylen = newkeylen;

	key->family = family;

	key->prefixlen = prefixlen;

	key->l3index = l3index;

	memcpy(&key->addr, addr,

	       (family == AF_INET6) ? sizeof(struct in6_addr) :

				      sizeof(struct in_addr));

EXPORT_SYMBOL(tcp_md5_do_add);

int tcp_md5_do_del(struct sock *sk, const union tcp_md5_addr *addr, int family,

		   u8 prefixlen)

		   u8 prefixlen, int l3index)

{

	struct tcp_md5sig_key *key;

	key = tcp_md5_do_lookup_exact(sk, addr, family, prefixlen);

	key = tcp_md5_do_lookup_exact(sk, addr, family, prefixlen, l3index);

	if (!key)

		return -ENOENT;

	hlist_del_rcu(&key->node);

{

	struct tcp_md5sig cmd;

	struct sockaddr_in *sin = (struct sockaddr_in *)&cmd.tcpm_addr;

	const union tcp_md5_addr *addr;

	u8 prefixlen = 32;

	int l3index = 0;

	if (optlen < sizeof(cmd))

		return -EINVAL;

			return -EINVAL;

	}

	if (optname == TCP_MD5SIG_EXT &&

	    cmd.tcpm_flags & TCP_MD5SIG_FLAG_IFINDEX) {

		struct net_device *dev;

		rcu_read_lock();

		dev = dev_get_by_index_rcu(sock_net(sk), cmd.tcpm_ifindex);

		if (dev && netif_is_l3_master(dev))

			l3index = dev->ifindex;

		rcu_read_unlock();

		/* ok to reference set/not set outside of rcu;

		 * right now device MUST be an L3 master

		 */

		if (!dev || !l3index)

			return -EINVAL;

	}

	addr = (union tcp_md5_addr *)&sin->sin_addr.s_addr;

	if (!cmd.tcpm_keylen)

		return tcp_md5_do_del(sk, (union tcp_md5_addr *)&sin->sin_addr.s_addr,

				      AF_INET, prefixlen);

		return tcp_md5_do_del(sk, addr, AF_INET, prefixlen, l3index);

	if (cmd.tcpm_keylen > TCP_MD5SIG_MAXKEYLEN)

		return -EINVAL;

	return tcp_md5_do_add(sk, (union tcp_md5_addr *)&sin->sin_addr.s_addr,

			      AF_INET, prefixlen, cmd.tcpm_key, cmd.tcpm_keylen,

			      GFP_KERNEL);

	return tcp_md5_do_add(sk, addr, AF_INET, prefixlen, l3index,

			      cmd.tcpm_key, cmd.tcpm_keylen, GFP_KERNEL);

}

static int tcp_v4_md5_hash_headers(struct tcp_md5sig_pool *hp,

/* Called with rcu_read_lock() */

static bool tcp_v4_inbound_md5_hash(const struct sock *sk,

				    const struct sk_buff *skb)

				    const struct sk_buff *skb,

				    int dif, int sdif)

{

#ifdef CONFIG_TCP_MD5SIG

	/*

	struct tcp_md5sig_key *hash_expected;

	const struct iphdr *iph = ip_hdr(skb);

	const struct tcphdr *th = tcp_hdr(skb);

	int genhash;

	const union tcp_md5_addr *addr;

	unsigned char newhash[16];

	int genhash, l3index;

	hash_expected = tcp_md5_do_lookup(sk, (union tcp_md5_addr *)&iph->saddr,

					  AF_INET);

	/* sdif set, means packet ingressed via a device

	 * in an L3 domain and dif is set to the l3mdev

	 */

	l3index = sdif ? dif : 0;

	addr = (union tcp_md5_addr *)&iph->saddr;

	hash_expected = tcp_md5_do_lookup(sk, l3index, addr, AF_INET);

	hash_location = tcp_parse_md5sig_option(th);

	/* We've parsed the options - do we have a hash? */

	if (genhash || memcmp(hash_location, newhash, 16) != 0) {

		NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPMD5FAILURE);

		net_info_ratelimited("MD5 Hash failed for (%pI4, %d)->(%pI4, %d)%s\n",

		net_info_ratelimited("MD5 Hash failed for (%pI4, %d)->(%pI4, %d)%s L3 index %d\n",

				     &iph->saddr, ntohs(th->source),

				     &iph->daddr, ntohs(th->dest),

				     genhash ? " tcp_v4_calc_md5_hash failed"

				     : "");

				     : "", l3index);

		return true;

	}

	return false;

	struct tcp_sock *newtp;

	struct sock *newsk;

#ifdef CONFIG_TCP_MD5SIG

	const union tcp_md5_addr *addr;

	struct tcp_md5sig_key *key;

	int l3index;

#endif

	struct ip_options_rcu *inet_opt;

	tcp_initialize_rcv_mss(newsk);

#ifdef CONFIG_TCP_MD5SIG

	l3index = l3mdev_master_ifindex_by_index(sock_net(sk), ireq->ir_iif);

	/* Copy over the MD5 key from the original socket */

	key = tcp_md5_do_lookup(sk, (union tcp_md5_addr *)&newinet->inet_daddr,

				AF_INET);

	addr = (union tcp_md5_addr *)&newinet->inet_daddr;

	key = tcp_md5_do_lookup(sk, l3index, addr, AF_INET);

	if (key) {

		/*

		 * We're using one, so create a matching key

		 * memory, then we end up not copying the key

		 * across. Shucks.

		 */

		tcp_md5_do_add(newsk, (union tcp_md5_addr *)&newinet->inet_daddr,

			       AF_INET, 32, key->key, key->keylen, GFP_ATOMIC);

		tcp_md5_do_add(newsk, addr, AF_INET, 32, l3index,

			       key->key, key->keylen, GFP_ATOMIC);

		sk_nocaps_add(newsk, NETIF_F_GSO_MASK);

	}

#endif

	struct net *net = dev_net(skb->dev);

	struct sk_buff *skb_to_free;

	int sdif = inet_sdif(skb);

	int dif = inet_iif(skb);

	const struct iphdr *iph;

	const struct tcphdr *th;

	bool refcounted;

		struct sock *nsk;

		sk = req->rsk_listener;

		if (unlikely(tcp_v4_inbound_md5_hash(sk, skb))) {

		if (unlikely(tcp_v4_inbound_md5_hash(sk, skb, dif, sdif))) {

			sk_drops_add(sk, skb);

			reqsk_put(req);

			goto discard_it;

	if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb))

		goto discard_and_relse;

	if (tcp_v4_inbound_md5_hash(sk, skb))

	if (tcp_v4_inbound_md5_hash(sk, skb, dif, sdif))

		goto discard_and_relse;

	nf_reset_ct(skb);

static const struct tcp_sock_af_ops tcp_sock_ipv6_mapped_specific;

#else

static struct tcp_md5sig_key *tcp_v6_md5_do_lookup(const struct sock *sk,

						   const struct in6_addr *addr)

						   const struct in6_addr *addr,

						   int l3index)

{

	return NULL;

}

#ifdef CONFIG_TCP_MD5SIG

static struct tcp_md5sig_key *tcp_v6_md5_do_lookup(const struct sock *sk,

						   const struct in6_addr *addr)

						   const struct in6_addr *addr,

						   int l3index)

{

	return tcp_md5_do_lookup(sk, (union tcp_md5_addr *)addr, AF_INET6);

	return tcp_md5_do_lookup(sk, l3index,

				 (union tcp_md5_addr *)addr, AF_INET6);

}

static struct tcp_md5sig_key *tcp_v6_md5_lookup(const struct sock *sk,

						const struct sock *addr_sk)

{

	return tcp_v6_md5_do_lookup(sk, &addr_sk->sk_v6_daddr);

	int l3index;

	l3index = l3mdev_master_ifindex_by_index(sock_net(sk),

						 addr_sk->sk_bound_dev_if);

	return tcp_v6_md5_do_lookup(sk, &addr_sk->sk_v6_daddr,

				    l3index);

}

static int tcp_v6_parse_md5_keys(struct sock *sk, int optname,

{

	struct tcp_md5sig cmd;

	struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)&cmd.tcpm_addr;

	int l3index = 0;

	u8 prefixlen;

	if (optlen < sizeof(cmd))

		prefixlen = ipv6_addr_v4mapped(&sin6->sin6_addr) ? 32 : 128;

	}

	if (optname == TCP_MD5SIG_EXT &&

	    cmd.tcpm_flags & TCP_MD5SIG_FLAG_IFINDEX) {

		struct net_device *dev;

		rcu_read_lock();

		dev = dev_get_by_index_rcu(sock_net(sk), cmd.tcpm_ifindex);

		if (dev && netif_is_l3_master(dev))

			l3index = dev->ifindex;

		rcu_read_unlock();

		/* ok to reference set/not set outside of rcu;

		 * right now device MUST be an L3 master

		 */

		if (!dev || !l3index)

			return -EINVAL;

	}

	if (!cmd.tcpm_keylen) {

		if (ipv6_addr_v4mapped(&sin6->sin6_addr))

			return tcp_md5_do_del(sk, (union tcp_md5_addr *)&sin6->sin6_addr.s6_addr32[3],

					      AF_INET, prefixlen);

					      AF_INET, prefixlen,

					      l3index);

		return tcp_md5_do_del(sk, (union tcp_md5_addr *)&sin6->sin6_addr,

				      AF_INET6, prefixlen);

				      AF_INET6, prefixlen, l3index);

	}

	if (cmd.tcpm_keylen > TCP_MD5SIG_MAXKEYLEN)

	if (ipv6_addr_v4mapped(&sin6->sin6_addr))

		return tcp_md5_do_add(sk, (union tcp_md5_addr *)&sin6->sin6_addr.s6_addr32[3],

				      AF_INET, prefixlen, cmd.tcpm_key,

				      cmd.tcpm_keylen, GFP_KERNEL);

				      AF_INET, prefixlen, l3index,

				      cmd.tcpm_key, cmd.tcpm_keylen,

				      GFP_KERNEL);

	return tcp_md5_do_add(sk, (union tcp_md5_addr *)&sin6->sin6_addr,

			      AF_INET6, prefixlen, cmd.tcpm_key,

			      cmd.tcpm_keylen, GFP_KERNEL);

			      AF_INET6, prefixlen, l3index,

			      cmd.tcpm_key, cmd.tcpm_keylen, GFP_KERNEL);

}

static int tcp_v6_md5_hash_headers(struct tcp_md5sig_pool *hp,

#endif

static bool tcp_v6_inbound_md5_hash(const struct sock *sk,

				    const struct sk_buff *skb)

				    const struct sk_buff *skb,

				    int dif, int sdif)

{

#ifdef CONFIG_TCP_MD5SIG

	const __u8 *hash_location = NULL;

	struct tcp_md5sig_key *hash_expected;

	const struct ipv6hdr *ip6h = ipv6_hdr(skb);

	const struct tcphdr *th = tcp_hdr(skb);

	int genhash;

	int genhash, l3index;

	u8 newhash[16];

	hash_expected = tcp_v6_md5_do_lookup(sk, &ip6h->saddr);

	/* sdif set, means packet ingressed via a device

	 * in an L3 domain and dif is set to the l3mdev

	 */

	l3index = sdif ? dif : 0;

	hash_expected = tcp_v6_md5_do_lookup(sk, &ip6h->saddr, l3index);

	hash_location = tcp_parse_md5sig_option(th);

	/* We've parsed the options - do we have a hash? */

	if (genhash || memcmp(hash_location, newhash, 16) != 0) {

		NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPMD5FAILURE);

		net_info_ratelimited("MD5 Hash %s for [%pI6c]:%u->[%pI6c]:%u\n",

		net_info_ratelimited("MD5 Hash %s for [%pI6c]:%u->[%pI6c]:%u L3 index %d\n",

				     genhash ? "failed" : "mismatch",

				     &ip6h->saddr, ntohs(th->source),

				     &ip6h->daddr, ntohs(th->dest));

				     &ip6h->daddr, ntohs(th->dest), l3index);

		return true;

	}

#endif

	rcu_read_lock();

	hash_location = tcp_parse_md5sig_option(th);

	if (sk && sk_fullsock(sk)) {

		key = tcp_v6_md5_do_lookup(sk, &ipv6h->saddr);

		int l3index;

		/* sdif set, means packet ingressed via a device

		 * in an L3 domain and inet_iif is set to it.

		 */

		l3index = tcp_v6_sdif(skb) ? tcp_v6_iif_l3_slave(skb) : 0;

		key = tcp_v6_md5_do_lookup(sk, &ipv6h->saddr, l3index);

	} else if (hash_location) {

		int dif = tcp_v6_iif_l3_slave(skb);

		int sdif = tcp_v6_sdif(skb);

		int l3index;

		/*

		 * active side is lost. Try to find listening socket through

		 * source port, and then find md5 key through listening socket.

					   &tcp_hashinfo, NULL, 0,

					   &ipv6h->saddr,

					   th->source, &ipv6h->daddr,

					   ntohs(th->source),

					   tcp_v6_iif_l3_slave(skb),

					   tcp_v6_sdif(skb));

					   ntohs(th->source), dif, sdif);

		if (!sk1)

			goto out;

		key = tcp_v6_md5_do_lookup(sk1, &ipv6h->saddr);

		/* sdif set, means packet ingressed via a device

		 * in an L3 domain and dif is set to it.

		 */

		l3index = tcp_v6_sdif(skb) ? dif : 0;

		key = tcp_v6_md5_do_lookup(sk1, &ipv6h->saddr, l3index);

		if (!key)

			goto out;