tcp: md5: add TCP_MD5SIG_EXT socket option to set a key address prefix

Replace first padding in the tcp_md5sig structure with a new flag field
and address prefix length so it can be specified when configuring a new
key for TCP MD5 signature. The tcpm_flags field will only be used if the
socket option is TCP_MD5SIG_EXT to avoid breaking existing programs, and
tcpm_prefixlen only when the TCP_MD5SIG_FLAG_PREFIX flag is set.

Signed-off-by: Bob Gilligan <gilligan@arista.com>
Signed-off-by: Eric Mowat <mowat@arista.com>
Signed-off-by: Ivan Delalande <colona@arista.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

1 files changed, 18 insertions, 7 deletions

diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index 261689310408..68dc7472b44d 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -515,11 +515,12 @@ static struct tcp_md5sig_key *tcp_v6_md5_lookup(const struct sock *sk,
         return tcp_v6_md5_do_lookup(sk, &addr_sk->sk_v6_daddr);
 }
 
-static int tcp_v6_parse_md5_keys(struct sock *sk, char __user *optval,
-                                 int optlen)
+static int tcp_v6_parse_md5_keys(struct sock *sk, int optname,
+                                 char __user *optval, int optlen)
 {
         struct tcp_md5sig cmd;
         struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)&cmd.tcpm_addr;
+        u8 prefixlen;
 
         if (optlen < sizeof(cmd))
                 return -EINVAL;
@@ -530,12 +531,22 @@ static int tcp_v6_parse_md5_keys(struct sock *sk, char __user *optval,
         if (sin6->sin6_family != AF_INET6)
                 return -EINVAL;
 
+        if (optname == TCP_MD5SIG_EXT &&
+            cmd.tcpm_flags & TCP_MD5SIG_FLAG_PREFIX) {
+                prefixlen = cmd.tcpm_prefixlen;
+                if (prefixlen > 128 || (ipv6_addr_v4mapped(&sin6->sin6_addr) &&
+                                        prefixlen > 32))
+                        return -EINVAL;
+        } else {
+                prefixlen = ipv6_addr_v4mapped(&sin6->sin6_addr) ? 32 : 128;
+        }
+
         if (!cmd.tcpm_keylen) {
                 if (ipv6_addr_v4mapped(&sin6->sin6_addr))
                         return tcp_md5_do_del(sk, (union tcp_md5_addr *)&sin6->sin6_addr.s6_addr32[3],
-                                              AF_INET, 32);
+                                              AF_INET, prefixlen);
                 return tcp_md5_do_del(sk, (union tcp_md5_addr *)&sin6->sin6_addr,
-                                      AF_INET6, 128);
+                                      AF_INET6, prefixlen);
         }
 
         if (cmd.tcpm_keylen > TCP_MD5SIG_MAXKEYLEN)
@@ -543,12 +554,12 @@ static int tcp_v6_parse_md5_keys(struct sock *sk, char __user *optval,
 
         if (ipv6_addr_v4mapped(&sin6->sin6_addr))
                 return tcp_md5_do_add(sk, (union tcp_md5_addr *)&sin6->sin6_addr.s6_addr32[3],
-                                      AF_INET, 32, cmd.tcpm_key,
+                                      AF_INET, prefixlen, cmd.tcpm_key,
                                       cmd.tcpm_keylen, GFP_KERNEL);
 
         return tcp_md5_do_add(sk, (union tcp_md5_addr *)&sin6->sin6_addr,
-                              AF_INET6, 128, cmd.tcpm_key, cmd.tcpm_keylen,
-                              GFP_KERNEL);
+                              AF_INET6, prefixlen, cmd.tcpm_key,
+                              cmd.tcpm_keylen, GFP_KERNEL);
 }
 
 static int tcp_v6_md5_hash_headers(struct tcp_md5sig_pool *hp,