net/tcp: Wire TCP-AO to request sockets

						  * after data-in-SYN.

						  */

	u8				syn_tos;

#ifdef CONFIG_TCP_AO

	u8				ao_keyid;

	u8				ao_rcv_next;

	u8				maclen;

#endif

};

static inline struct tcp_request_sock *tcp_rsk(const struct request_sock *req)

	return (struct tcp_request_sock *)req;

}

static inline bool tcp_rsk_used_ao(const struct request_sock *req)

{

	/* The real length of MAC is saved in the request socket,

	 * signing anything with zero-length makes no sense, so here is

	 * a little hack..

	 */

#ifndef CONFIG_TCP_AO

	return false;

#else

	return tcp_rsk(req)->maclen != 0;

#endif

}

#define TCP_RMEM_TO_WIN_SCALE 8

struct tcp_sock {

					  const struct sock *sk,

					  const struct sk_buff *skb);

#endif

#ifdef CONFIG_TCP_AO

	struct tcp_ao_key *(*ao_lookup)(const struct sock *sk,

					struct request_sock *req,

					int sndid, int rcvid);

	int (*ao_calc_key)(struct tcp_ao_key *mkt, u8 *key, struct request_sock *sk);

#endif

#ifdef CONFIG_SYN_COOKIES

	__u32 (*cookie_init_seq)(const struct sk_buff *skb,

				 __u16 *mss);

		 sockptr_t optval, int optlen);

struct tcp_ao_key *tcp_ao_established_key(struct tcp_ao_info *ao,

					  int sndid, int rcvid);

int tcp_ao_copy_all_matching(const struct sock *sk, struct sock *newsk,

			     struct request_sock *req, struct sk_buff *skb,

			     int family);

int tcp_ao_calc_traffic_key(struct tcp_ao_key *mkt, u8 *key, void *ctx,

			    unsigned int len, struct tcp_sigpool *hp);

void tcp_ao_destroy_sock(struct sock *sk, bool twsk);

int tcp_v4_ao_calc_key_sk(struct tcp_ao_key *mkt, u8 *key,

			  const struct sock *sk,

			  __be32 sisn, __be32 disn, bool send);

int tcp_v4_ao_calc_key_rsk(struct tcp_ao_key *mkt, u8 *key,

			   struct request_sock *req);

struct tcp_ao_key *tcp_v4_ao_lookup_rsk(const struct sock *sk,

					struct request_sock *req,

					int sndid, int rcvid);

int tcp_v4_ao_hash_skb(char *ao_hash, struct tcp_ao_key *key,

		       const struct sock *sk, const struct sk_buff *skb,

		       const u8 *tkey, int hash_offset, u32 sne);

int tcp_v6_ao_hash_pseudoheader(struct tcp_sigpool *hp,

				const struct in6_addr *daddr,

				const struct in6_addr *saddr, int nbytes);

int tcp_v6_ao_calc_key_skb(struct tcp_ao_key *mkt, u8 *key,

			   const struct sk_buff *skb, __be32 sisn, __be32 disn);

int tcp_v6_ao_calc_key_sk(struct tcp_ao_key *mkt, u8 *key,

			  const struct sock *sk, __be32 sisn,

			  __be32 disn, bool send);

int tcp_v6_ao_calc_key_rsk(struct tcp_ao_key *mkt, u8 *key,

			   struct request_sock *req);

struct tcp_ao_key *tcp_v6_ao_do_lookup(const struct sock *sk,

				       const struct in6_addr *addr,

				       int sndid, int rcvid);

struct tcp_ao_key *tcp_v6_ao_lookup(const struct sock *sk,

				    struct sock *addr_sk, int sndid, int rcvid);

struct tcp_ao_key *tcp_v6_ao_lookup_rsk(const struct sock *sk,

					struct request_sock *req,

					int sndid, int rcvid);

int tcp_v6_ao_hash_skb(char *ao_hash, struct tcp_ao_key *key,

		       const struct sock *sk, const struct sk_buff *skb,

		       const u8 *tkey, int hash_offset, u32 sne);

	return 0;

}

static inline void tcp_ao_syncookie(struct sock *sk, const struct sk_buff *skb,

				    struct tcp_request_sock *treq,

				    unsigned short int family)

{

}

static inline struct tcp_ao_key *tcp_ao_do_lookup(const struct sock *sk,

		const union tcp_ao_addr *addr, int family, int sndid, int rcvid)

{

	treq->snt_synack	= 0;

	treq->tfo_listener	= false;

	tcp_ao_syncookie(sk, skb, treq, AF_INET);

	if (IS_ENABLED(CONFIG_SMC))

		ireq->smc_ok = 0;

	hlist_add_head_rcu(&mkt->node, &ao->head);

}

static struct tcp_ao_key *tcp_ao_copy_key(struct sock *sk,

					  struct tcp_ao_key *key)

{

	struct tcp_ao_key *new_key;

	new_key = sock_kmalloc(sk, tcp_ao_sizeof_key(key),

			       GFP_ATOMIC);

	if (!new_key)

		return NULL;

	*new_key = *key;

	INIT_HLIST_NODE(&new_key->node);

	tcp_sigpool_get(new_key->tcp_sigpool_id);

	return new_key;

}

static void tcp_ao_key_free_rcu(struct rcu_head *head)

{

	struct tcp_ao_key *key = container_of(head, struct tcp_ao_key, rcu);

		return -EOPNOTSUPP;

}

int tcp_v4_ao_calc_key_rsk(struct tcp_ao_key *mkt, u8 *key,

			   struct request_sock *req)

{

	struct inet_request_sock *ireq = inet_rsk(req);

	return tcp_v4_ao_calc_key(mkt, key,

				  ireq->ir_loc_addr, ireq->ir_rmt_addr,

				  htons(ireq->ir_num), ireq->ir_rmt_port,

				  htonl(tcp_rsk(req)->snt_isn),

				  htonl(tcp_rsk(req)->rcv_isn));

}

static int tcp_v4_ao_calc_key_skb(struct tcp_ao_key *mkt, u8 *key,

				  const struct sk_buff *skb,

				  __be32 sisn, __be32 disn)

{

	const struct iphdr *iph = ip_hdr(skb);

	const struct tcphdr *th = tcp_hdr(skb);

	return tcp_v4_ao_calc_key(mkt, key, iph->saddr, iph->daddr,

				  th->source, th->dest, sisn, disn);

}

static int tcp_ao_calc_key_skb(struct tcp_ao_key *mkt, u8 *key,

			       const struct sk_buff *skb,

			       __be32 sisn, __be32 disn, int family)

{

	if (family == AF_INET)

		return tcp_v4_ao_calc_key_skb(mkt, key, skb, sisn, disn);

#if IS_ENABLED(CONFIG_IPV6)

	else if (family == AF_INET6)

		return tcp_v6_ao_calc_key_skb(mkt, key, skb, sisn, disn);

#endif

	return -EAFNOSUPPORT;

}

static int tcp_v4_ao_hash_pseudoheader(struct tcp_sigpool *hp,

				       __be32 daddr, __be32 saddr,

				       int nbytes)

			       tkey, hash_offset, sne);

}

struct tcp_ao_key *tcp_v4_ao_lookup_rsk(const struct sock *sk,

					struct request_sock *req,

					int sndid, int rcvid)

{

	union tcp_ao_addr *addr =

			(union tcp_ao_addr *)&inet_rsk(req)->ir_rmt_addr;

	return tcp_ao_do_lookup(sk, addr, AF_INET, sndid, rcvid);

}

struct tcp_ao_key *tcp_v4_ao_lookup(const struct sock *sk, struct sock *addr_sk,

				    int sndid, int rcvid)

{

			 struct tcp_ao_key **key, char **traffic_key,

			 bool *allocated_traffic_key, u8 *keyid, u32 *sne)

{

	struct tcp_ao_key *rnext_key;

	const struct tcphdr *th = tcp_hdr(skb);

	struct tcp_ao_info *ao_info;

	*allocated_traffic_key = false;

		return -ENOTCONN;

	if ((1 << sk->sk_state) & (TCPF_LISTEN | TCPF_NEW_SYN_RECV)) {

		unsigned int family = READ_ONCE(sk->sk_family);

		union tcp_ao_addr *addr;

		__be32 disn, sisn;

		if (sk->sk_state == TCP_NEW_SYN_RECV) {

			struct request_sock *req = inet_reqsk(sk);

			sisn = htonl(tcp_rsk(req)->rcv_isn);

			disn = htonl(tcp_rsk(req)->snt_isn);

			*sne = 0;

		} else {

			sisn = th->seq;

			disn = 0;

		}

		if (IS_ENABLED(CONFIG_IPV6) && family == AF_INET6)

			addr = (union tcp_md5_addr *)&ipv6_hdr(skb)->saddr;

		else

			addr = (union tcp_md5_addr *)&ip_hdr(skb)->saddr;

#if IS_ENABLED(CONFIG_IPV6)

		if (family == AF_INET6 && ipv6_addr_v4mapped(&sk->sk_v6_daddr))

			family = AF_INET;

#endif

		sk = sk_const_to_full_sk(sk);

		ao_info = rcu_dereference(tcp_sk(sk)->ao_info);

		if (!ao_info)

			return -ENOENT;

		*key = tcp_ao_do_lookup(sk, addr, family, -1, aoh->rnext_keyid);

		if (!*key)

			return -ENOENT;

		*traffic_key = kmalloc(tcp_ao_digest_size(*key), GFP_ATOMIC);

		if (!*traffic_key)

			return -ENOMEM;

		*allocated_traffic_key = true;

		if (tcp_ao_calc_key_skb(*key, *traffic_key, skb,

					sisn, disn, family))

			return -1;

		*keyid = (*key)->rcvid;

	} else {

		struct tcp_ao_key *rnext_key;

		if (sk->sk_state == TCP_TIME_WAIT)

			ao_info = rcu_dereference(tcp_twsk(sk)->ao_info);

		rnext_key = READ_ONCE(ao_info->rnext_key);

		*keyid = rnext_key->rcvid;

		*sne = 0;

	}

	return 0;

}

	return 0;

}

static struct tcp_ao_key *tcp_ao_inbound_lookup(unsigned short int family,

		const struct sock *sk, const struct sk_buff *skb,

		int sndid, int rcvid)

{

	if (family == AF_INET) {

		const struct iphdr *iph = ip_hdr(skb);

		return tcp_ao_do_lookup(sk, (union tcp_ao_addr *)&iph->saddr,

				AF_INET, sndid, rcvid);

	} else {

		const struct ipv6hdr *iph = ipv6_hdr(skb);

		return tcp_ao_do_lookup(sk, (union tcp_ao_addr *)&iph->saddr,

				AF_INET6, sndid, rcvid);

	}

}

void tcp_ao_syncookie(struct sock *sk, const struct sk_buff *skb,

		      struct tcp_request_sock *treq,

		      unsigned short int family)

{

	const struct tcphdr *th = tcp_hdr(skb);

	const struct tcp_ao_hdr *aoh;

	struct tcp_ao_key *key;

	treq->maclen = 0;

	if (tcp_parse_auth_options(th, NULL, &aoh) || !aoh)

		return;

	key = tcp_ao_inbound_lookup(family, sk, skb, -1, aoh->keyid);

	if (!key)

		/* Key not found, continue without TCP-AO */

		return;

	treq->ao_rcv_next = aoh->keyid;

	treq->ao_keyid = aoh->rnext_keyid;

	treq->maclen = tcp_ao_maclen(key);

}

static int tcp_ao_cache_traffic_keys(const struct sock *sk,

				     struct tcp_ao_info *ao,

				     struct tcp_ao_key *ao_key)

		tcp_ao_cache_traffic_keys(sk, ao, key);

}

int tcp_ao_copy_all_matching(const struct sock *sk, struct sock *newsk,

			     struct request_sock *req, struct sk_buff *skb,

			     int family)

{

	struct tcp_ao_key *key, *new_key, *first_key;

	struct tcp_ao_info *new_ao, *ao;

	struct hlist_node *key_head;

	union tcp_ao_addr *addr;

	bool match = false;

	int ret = -ENOMEM;

	ao = rcu_dereference(tcp_sk(sk)->ao_info);

	if (!ao)

		return 0;

	/* New socket without TCP-AO on it */

	if (!tcp_rsk_used_ao(req))

		return 0;

	new_ao = tcp_ao_alloc_info(GFP_ATOMIC);

	if (!new_ao)

		return -ENOMEM;

	new_ao->lisn = htonl(tcp_rsk(req)->snt_isn);

	new_ao->risn = htonl(tcp_rsk(req)->rcv_isn);

	new_ao->ao_required = ao->ao_required;

	if (family == AF_INET) {

		addr = (union tcp_ao_addr *)&newsk->sk_daddr;

#if IS_ENABLED(CONFIG_IPV6)

	} else if (family == AF_INET6) {

		addr = (union tcp_ao_addr *)&newsk->sk_v6_daddr;

#endif

	} else {

		ret = -EAFNOSUPPORT;

		goto free_ao;

	}

	hlist_for_each_entry_rcu(key, &ao->head, node) {

		if (tcp_ao_key_cmp(key, addr, key->prefixlen, family, -1, -1))

			continue;

		new_key = tcp_ao_copy_key(newsk, key);

		if (!new_key)

			goto free_and_exit;

		tcp_ao_cache_traffic_keys(newsk, new_ao, new_key);

		tcp_ao_link_mkt(new_ao, new_key);

		match = true;

	}

	if (!match) {

		/* RFC5925 (7.4.1) specifies that the TCP-AO status

		 * of a connection is determined on the initial SYN.

		 * At this point the connection was TCP-AO enabled, so

		 * it can't switch to being unsigned if peer's key

		 * disappears on the listening socket.

		 */

		ret = -EKEYREJECTED;

		goto free_and_exit;

	}

	key_head = rcu_dereference(hlist_first_rcu(&new_ao->head));

	first_key = hlist_entry_safe(key_head, struct tcp_ao_key, node);

	key = tcp_ao_established_key(new_ao, tcp_rsk(req)->ao_keyid, -1);

	if (key)

		new_ao->current_key = key;

	else

		new_ao->current_key = first_key;

	/* set rnext_key */

	key = tcp_ao_established_key(new_ao, -1, tcp_rsk(req)->ao_rcv_next);

	if (key)

		new_ao->rnext_key = key;

	else

		new_ao->rnext_key = first_key;

	sk_gso_disable(newsk);

	rcu_assign_pointer(tcp_sk(newsk)->ao_info, new_ao);

	return 0;

free_and_exit:

	hlist_for_each_entry_safe(key, key_head, &new_ao->head, node) {

		hlist_del(&key->node);

		tcp_sigpool_release(key->tcp_sigpool_id);

		atomic_sub(tcp_ao_sizeof_key(key), &newsk->sk_omem_alloc);

		kfree_sensitive(key);

	}

free_ao:

	kfree(new_ao);

	return ret;

}

static bool tcp_ao_can_set_current_rnext(struct sock *sk)

{

	/* There aren't current/rnext keys on TCP_LISTEN sockets */