Re: [PATCH 00/19] tcp: Initial support for RFC5925 auth option
From: Leonard Crestez
Date: Thu Sep 23 2021 - 03:50:05 EST
On 9/22/21 2:13 AM, Jakub Kicinski wrote:
> On Tue, 21 Sep 2021 19:14:43 +0300 Leonard Crestez wrote:
>> This is similar to TCP MD5 in functionality but it's sufficiently
>> different that wire formats are incompatible. Compared to TCP-MD5 more
>> algorithms are supported and multiple keys can be used on the same
>> connection but there is still no negotiation mechanism.
>
> Hopefully there will be some feedback / discussion, but even if
> everyone acks this you'll need to fix all the transient build
> failures, and kdoc warnings added - and repost.
> git rebase --exec='make' and scripts/kernel-doc are your allies.
Hello,
I already went through several rounds of testing with git rebase
--exec='$test' but it seems I introduced a few new failures after
several rounds of squashing fixes. I'll need to check kernel-doc
comments for source files not referenced in documentation.
Many of the patch splits were artificially created in order to ease
review, for example "signing packets" doesn't do anything without also
"hooking in the tcp stack". Some static functions will trigger warnings
because they're unused until the next patch, not clear what the
preferred solution would be here. I could remove the "static" marker
until the next patch or reverse the order and have the initial "tcp
integration" patches call crypto code that just returns an error and
fills-in a signature of zeros.
A large amount of the code is just selftests and much of it is not
completely specific to TCP-AO. Maybe I could try to repost the parts
that verify handling of timewait corners and resets in a variant that
only handles "md5" and "unsigned"?
I already tried posting my scapy implementation of TCP-AO and MD5 to
scapy upstream because it is not specific to linux.
--
Regards,
Leonard