Re: [PATCH v6 21/26] selftests: net/fcnal: Initial tcp_authopt support

From: Eric Dumazet
Date: Tue Jul 26 2022 - 03:33:14 EST


On Tue, Jul 26, 2022 at 9:06 AM Eric Dumazet <edumazet@xxxxxxxxxx> wrote:
>
> On Tue, Jul 26, 2022 at 8:16 AM Leonard Crestez <cdleonard@xxxxxxxxx> wrote:
> >
> > Tests are mostly copied from tcp_md5 with minor changes.
> >
> > It covers VRF support but only based on binding multiple servers: not
> > multiple keys bound to different interfaces.
> >
> > Also add a specific -t tcp_authopt to run only these tests specifically.
> >
>
> Thanks for the test.
>
> Could you amend the existing TCP MD5 test to make sure dual sockets
> mode is working ?
>
> Apparently, if we have a dual stack listener socket (AF_INET6),
> correct incoming IPV4 SYNs are dropped.
>
> If this is the case, fixing MD5 should happen first ;)
>
> I think that we are very late in the cycle (linux-5.19 should be
> released in 5 days), and your patch set should not be merged so late.

I suspect bug was added in

commit 7bbb765b73496699a165d505ecdce962f903b422
Author: Dmitry Safonov <0x7f454c46@xxxxxxxxx>
Date: Wed Feb 23 17:57:40 2022 +0000

net/tcp: Merge TCP-MD5 inbound callbacks

a possible fix (also removing an indirect call for IPV4) could be:

diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index ba2bdc81137490bd1748cde95789f8d2bff3ab0f..66b883d1683ddf7de6a8959a2b4e025a74c830b1
100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -4534,8 +4534,14 @@ tcp_inbound_md5_hash(const struct sock *sk,
const struct sk_buff *skb,
}

/* check the signature */
- genhash = tp->af_specific->calc_md5_hash(newhash, hash_expected,
- NULL, skb);
+ if (family == AF_INET)
+ genhash = tcp_v4_md5_hash_skb(newhash,
+ hash_expected,
+ NULL, skb);
+ else
+ genhash = tp->af_specific->calc_md5_hash(newhash,
+ hash_expected,
+ NULL, skb);

if (genhash || memcmp(hash_location, newhash, 16) != 0) {
NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPMD5FAILURE);