net/tcp: Add tcp_parse_auth_options()

	FN(IP_NOPROTO)			\

	FN(SOCKET_RCVBUFF)		\

	FN(PROTO_MEM)			\

	FN(TCP_AUTH_HDR)		\

	FN(TCP_MD5NOTFOUND)		\

	FN(TCP_MD5UNEXPECTED)		\

	FN(TCP_MD5FAILURE)		\

	 * drop out of udp_memory_allocated.

	 */

	SKB_DROP_REASON_PROTO_MEM,

	/**

	 * @SKB_DROP_REASON_TCP_AUTH_HDR: TCP-MD5 or TCP-AO hashes are met

	 * twice or set incorrectly.

	 */

	SKB_DROP_REASON_TCP_AUTH_HDR,

	/**

	 * @SKB_DROP_REASON_TCP_MD5NOTFOUND: no MD5 hash and one expected,

	 * corresponding to LINUX_MIB_TCPMD5NOTFOUND

void tcp_parse_options(const struct net *net, const struct sk_buff *skb,

		       struct tcp_options_received *opt_rx,

		       int estab, struct tcp_fastopen_cookie *foc);

const u8 *tcp_parse_md5sig_option(const struct tcphdr *th);

/*

 *	BPF SKB-less helpers

	return 0;

}

static inline int tcp_parse_auth_options(const struct tcphdr *th,

		const u8 **md5_hash, const struct tcp_ao_hdr **aoh)

{

	const u8 *md5_tmp, *ao_tmp;

	int ret;

	ret = tcp_do_parse_auth_options(th, &md5_tmp, &ao_tmp);

	if (ret)

		return ret;

	if (md5_hash)

		*md5_hash = md5_tmp;

	if (aoh) {

		if (!ao_tmp)

			*aoh = NULL;

		else

			*aoh = (struct tcp_ao_hdr *)(ao_tmp - 2);

	}

	return 0;

}

static inline bool tcp_ao_required(struct sock *sk, const void *saddr,

				   int family)

{

void tcp_ao_established(struct sock *sk);

void tcp_ao_finish_connect(struct sock *sk, struct sk_buff *skb);

void tcp_ao_connect_init(struct sock *sk);

void tcp_ao_syncookie(struct sock *sk, const struct sk_buff *skb,

		      struct tcp_request_sock *treq,

		      unsigned short int family);

#else /* CONFIG_TCP_AO */

static inline int tcp_ao_transmit_skb(struct sock *sk, struct sk_buff *skb,

}

#endif

#if defined(CONFIG_TCP_MD5SIG) || defined(CONFIG_TCP_AO)

int tcp_do_parse_auth_options(const struct tcphdr *th,

			      const u8 **md5_hash, const u8 **ao_hash);

#else

static inline int tcp_do_parse_auth_options(const struct tcphdr *th,

		const u8 **md5_hash, const u8 **ao_hash)

{

	*md5_hash = NULL;

	*ao_hash = NULL;

	return 0;

}

#endif

#endif /* _TCP_AO_H */

	l3index = sdif ? dif : 0;

	hash_expected = tcp_md5_do_lookup(sk, l3index, saddr, family);

	hash_location = tcp_parse_md5sig_option(th);

	if (tcp_parse_auth_options(th, &hash_location, NULL))

		return SKB_DROP_REASON_TCP_AUTH_HDR;

	/* We've parsed the options - do we have a hash? */

	if (!hash_expected && !hash_location)

	return true;

}

#ifdef CONFIG_TCP_MD5SIG

#if defined(CONFIG_TCP_MD5SIG) || defined(CONFIG_TCP_AO)

/*

 * Parse MD5 Signature option

 * Parse Signature options

 */

const u8 *tcp_parse_md5sig_option(const struct tcphdr *th)

int tcp_do_parse_auth_options(const struct tcphdr *th,

			      const u8 **md5_hash, const u8 **ao_hash)

{

	int length = (th->doff << 2) - sizeof(*th);

	const u8 *ptr = (const u8 *)(th + 1);

	unsigned int minlen = TCPOLEN_MD5SIG;

	if (IS_ENABLED(CONFIG_TCP_AO))

		minlen = sizeof(struct tcp_ao_hdr) + 1;

	*md5_hash = NULL;

	*ao_hash = NULL;

	/* If not enough data remaining, we can short cut */

	while (length >= TCPOLEN_MD5SIG) {

	while (length >= minlen) {

		int opcode = *ptr++;

		int opsize;

		switch (opcode) {

		case TCPOPT_EOL:

			return NULL;

			return 0;

		case TCPOPT_NOP:

			length--;

			continue;

		default:

			opsize = *ptr++;

			if (opsize < 2 || opsize > length)

				return NULL;

			if (opcode == TCPOPT_MD5SIG)

				return opsize == TCPOLEN_MD5SIG ? ptr : NULL;

				return -EINVAL;

			if (opcode == TCPOPT_MD5SIG) {

				if (opsize != TCPOLEN_MD5SIG)

					return -EINVAL;

				if (unlikely(*md5_hash || *ao_hash))

					return -EEXIST;

				*md5_hash = ptr;

			} else if (opcode == TCPOPT_AO) {

				if (opsize <= sizeof(struct tcp_ao_hdr))

					return -EINVAL;

				if (unlikely(*md5_hash || *ao_hash))

					return -EEXIST;

				*ao_hash = ptr;

			}

		}

		ptr += opsize - 2;

		length -= opsize;

	}

	return NULL;

	return 0;

}

EXPORT_SYMBOL(tcp_parse_md5sig_option);

EXPORT_SYMBOL(tcp_do_parse_auth_options);

#endif

/* Sorry, PAWS as specified is broken wrt. pure-ACKs -DaveM