Thread: 29 messages, 3 authors, 2023-09-21

Re: [PATCH v12 net-next 06/23] net/tcp: Add TCP-AO sign to outgoing packets

From: Dmitry Safonov <hidden>
Date: 2023-09-21 20:16:00
Also in: lkml

On 9/21/23 12:23, Paolo Abeni wrote:
On Mon, 2023-09-18 at 20:00 +0100, Dmitry Safonov wrote:
@@ -1361,16 +1385,48 @@ static int __tcp_transmit_skb(struct sock *sk, struct sk_buff *skb,
 		th->window	= htons(min(tp->rcv_wnd, 65535U));
 	}
 
-	tcp_options_write(th, tp, &opts);
+	tcp_options_write(th, tp, &opts, &key);
 
+	if (tcp_key_is_md5(&key)) {
 #ifdef CONFIG_TCP_MD5SIG
-	/* Calculate the MD5 hash, as we have all we need now */
-	if (md5) {
+		/* Calculate the MD5 hash, as we have all we need now */
 		sk_gso_disable(sk);
 		tp->af_specific->calc_md5_hash(opts.hash_location,
-					       md5, sk, skb);
-	}
+					       key.md5_key, sk, skb);
 #endif
+	} else if (tcp_key_is_ao(&key)) {
+#ifdef CONFIG_TCP_AO
+		struct tcp_ao_info *ao;
+		void *tkey_buf = NULL;
+		u8 *traffic_key;
+		__be32 disn;
+
+		ao = rcu_dereference_protected(tcp_sk(sk)->ao_info,
+					       lockdep_sock_is_held(sk));
+		if (unlikely(tcb->tcp_flags & TCPHDR_SYN)) {
+			if (tcb->tcp_flags & TCPHDR_ACK)
+				disn = ao->risn;
+			else
+				disn = 0;
+
+			tkey_buf = kmalloc(tcp_ao_digest_size(key.ao_key),
+					   GFP_ATOMIC);
+			if (!tkey_buf) {
+				kfree_skb_reason(skb, SKB_DROP_REASON_NOMEM);
+				return -ENOMEM;
+			}
+			traffic_key = tkey_buf;
+			tp->af_specific->ao_calc_key_sk(key.ao_key, traffic_key,
+							sk, ao->lisn, disn, true);
+		} else {
+			traffic_key = snd_other_key(key.ao_key);
+		}
+		tp->af_specific->calc_ao_hash(opts.hash_location, key.ao_key,
+					      sk, skb, traffic_key,
+					      opts.hash_location - (u8 *)th, 0);
+		kfree(tkey_buf);
+#endif
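
Review bot: In the SYN branch, tkey_buf holds the traffic key that ao_calc_key_sk() derives, and after calc_ao_hash() it is released with plain kfree(tkey_buf), so the key bytes remain in the freed slab object. Consider kfree_sensitive(tkey_buf) so the buffer is zeroed before it goes back to the allocator. Separately, the trailing literal 0 passed to calc_ao_hash() would read better with a short comment naming what that argument is.
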
I'm sorry for the incremental feedback.

The above could possibly deserve being moved to a specific helper, for
both readability and code locality when TCP_AO is enabled at compile
time but not used.

Sure, will do for the v13.

Thanks,
           Dmitry