TCPCT part 1f: Initiator Cookie => Responder

Calculate and format <SYN> TCP_COOKIE option. This is a significantly revised implementation of an earlier (year-old) patch that no longer applies cleanly, with permission of the original author (Adam Langley): http://thread.gmane.org/gmane.linux.network/102586 Requires: TCPCT part 1c: sysctl_tcp_cookie_size, socket option TCP_COOKIE_TRANSACTIONS TCPCT part 1d: define TCP cookie option, extend existing struct's Signed-off-by: William.Allen.Simpson@gmail.com Signed-off-by: David S. Miller <davem@davemloft.net>
author: William Allen Simpson <william.allen.simpson@gmail.com> 2009-12-02 13:23:05 -0500
committer: David S. Miller <davem@davemloft.net> 2009-12-03 01:07:26 -0500
commit: bd0388ae77075026d6a9f9eb6026dfd1d52ce0e9 (patch)
tree: b2262d2bf3f60e42f8c3573c89e6a47042b20122 /net/ipv4
parent: e56fb50f2b7958b931c8a2fc0966061b3f3c8f3a (diff)
1 files changed, 163 insertions, 30 deletions
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index 307f318fe931..35dd983a8a99 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -365,15 +365,45 @@ static inline int tcp_urg_mode(const struct tcp_sock *tp)
 #define OPTION_TS               (1 << 1)
 #define OPTION_MD5              (1 << 2)
 #define OPTION_WSCALE           (1 << 3)
+#define OPTION_COOKIE_EXTENSION (1 << 4)
 struct tcp_out_options {
        u8 options;             /* bit field of OPTION_* */
        u8 ws;                  /* window scale, 0 to disable */
        u8 num_sack_blocks;     /* number of SACK blocks to include */
+        u8 hash_size;           /* bytes in hash_location */
        u16 mss;                /* 0 to disable */
        __u32 tsval, tsecr;     /* need to include OPTION_TS */
+        __u8 *hash_location;    /* temporary pointer, overloaded */
 };
+/* The sysctl int routines are generic, so check consistency here.
+ */
+static u8 tcp_cookie_size_check(u8 desired)
+{
+        if (desired > 0) {
+                /* previously specified */
+                return desired;
+        }
+        if (sysctl_tcp_cookie_size <= 0) {
+                /* no default specified */
+                return 0;
+        }
+        if (sysctl_tcp_cookie_size <= TCP_COOKIE_MIN) {
+                /* value too small, specify minimum */
+                return TCP_COOKIE_MIN;
+        }
+        if (sysctl_tcp_cookie_size >= TCP_COOKIE_MAX) {
+                /* value too large, specify maximum */
+                return TCP_COOKIE_MAX;
+        }
+        if (0x1 & sysctl_tcp_cookie_size) {
+                /* 8-bit multiple, illegal, fix it */
+                return (u8)(sysctl_tcp_cookie_size + 0x1);
+        }
+        return (u8)sysctl_tcp_cookie_size;
+}
 /* Write previously computed TCP options to the packet.
 *
 * Beware: Something in the Internet is very sensitive to the ordering of
@@ -388,17 +418,34 @@ struct tcp_out_options {
 * (but it may well be that other scenarios fail similarly).
 */
 static void tcp_options_write(__be32 *ptr, struct tcp_sock *tp,
-                              const struct tcp_out_options *opts,
+                              struct tcp_out_options *opts)
-                              __u8 **md5_hash) {
+{
-        if (unlikely(OPTION_MD5 & opts->options)) {
+        u8 options = opts->options;     /* mungable copy */
-                *ptr++ = htonl((TCPOPT_NOP << 24) |
-                               (TCPOPT_NOP << 16) |
+        /* Having both authentication and cookies for security is redundant,
-                               (TCPOPT_MD5SIG << 8) |
+         * and there's certainly not enough room.  Instead, the cookie-less
-                               TCPOLEN_MD5SIG);
+         * extension variant is proposed.
-                *md5_hash = (__u8 *)ptr;
+         *
+         * Consider the pessimal case with authentication.  The options
+         * could look like:
+         *   COOKIE|MD5(20) + MSS(4) + SACK|TS(12) + WSCALE(4) == 40
+         */
+        if (unlikely(OPTION_MD5 & options)) {
+                if (unlikely(OPTION_COOKIE_EXTENSION & options)) {
+                        *ptr++ = htonl((TCPOPT_COOKIE << 24) |
+                                       (TCPOLEN_COOKIE_BASE << 16) |
+                                       (TCPOPT_MD5SIG << 8) |
+                                       TCPOLEN_MD5SIG);
+                } else {
+                        *ptr++ = htonl((TCPOPT_NOP << 24) |
+                                       (TCPOPT_NOP << 16) |
+                                       (TCPOPT_MD5SIG << 8) |
+                                       TCPOLEN_MD5SIG);
+                }
+                options &= ~OPTION_COOKIE_EXTENSION;
+                /* overload cookie hash location */
+                opts->hash_location = (__u8 *)ptr;
                ptr += 4;
-        } else {
-                *md5_hash = NULL;
        }
        if (unlikely(opts->mss)) {
@@ -407,12 +454,13 @@ static void tcp_options_write(__be32 *ptr, struct tcp_sock *tp,
                               opts->mss);
        }
-        if (likely(OPTION_TS & opts->options)) {
+        if (likely(OPTION_TS & options)) {
-                if (unlikely(OPTION_SACK_ADVERTISE & opts->options)) {
+                if (unlikely(OPTION_SACK_ADVERTISE & options)) {
                        *ptr++ = htonl((TCPOPT_SACK_PERM << 24) |
                                       (TCPOLEN_SACK_PERM << 16) |
                                       (TCPOPT_TIMESTAMP << 8) |
                                       TCPOLEN_TIMESTAMP);
+                        options &= ~OPTION_SACK_ADVERTISE;
                } else {
                        *ptr++ = htonl((TCPOPT_NOP << 24) |
                                       (TCPOPT_NOP << 16) |
@@ -423,15 +471,52 @@ static void tcp_options_write(__be32 *ptr, struct tcp_sock *tp,
                *ptr++ = htonl(opts->tsecr);
        }
-        if (unlikely(OPTION_SACK_ADVERTISE & opts->options &&
+        /* Specification requires after timestamp, so do it now.
-                     !(OPTION_TS & opts->options))) {
+         *
+         * Consider the pessimal case without authentication.  The options
+         * could look like:
+         *   MSS(4) + SACK|TS(12) + COOKIE(20) + WSCALE(4) == 40
+         */
+        if (unlikely(OPTION_COOKIE_EXTENSION & options)) {
+                __u8 *cookie_copy = opts->hash_location;
+                u8 cookie_size = opts->hash_size;
+                /* 8-bit multiple handled in tcp_cookie_size_check() above,
+                 * and elsewhere.
+                 */
+                if (0x2 & cookie_size) {
+                        __u8 *p = (__u8 *)ptr;
+                        /* 16-bit multiple */
+                        *p++ = TCPOPT_COOKIE;
+                        *p++ = TCPOLEN_COOKIE_BASE + cookie_size;
+                        *p++ = *cookie_copy++;
+                        *p++ = *cookie_copy++;
+                        ptr++;
+                        cookie_size -= 2;
+                } else {
+                        /* 32-bit multiple */
+                        *ptr++ = htonl(((TCPOPT_NOP << 24) |
+                                        (TCPOPT_NOP << 16) |
+                                        (TCPOPT_COOKIE << 8) |
+                                        TCPOLEN_COOKIE_BASE) +
+                                       cookie_size);
+                }
+                if (cookie_size > 0) {
+                        memcpy(ptr, cookie_copy, cookie_size);
+                        ptr += (cookie_size / 4);
+                }
+        }
+        if (unlikely(OPTION_SACK_ADVERTISE & options)) {
                *ptr++ = htonl((TCPOPT_NOP << 24) |
                               (TCPOPT_NOP << 16) |
                               (TCPOPT_SACK_PERM << 8) |
                               TCPOLEN_SACK_PERM);
        }
-        if (unlikely(OPTION_WSCALE & opts->options)) {
+        if (unlikely(OPTION_WSCALE & options)) {
                *ptr++ = htonl((TCPOPT_NOP << 24) |
                               (TCPOPT_WINDOW << 16) |
                               (TCPOLEN_WINDOW << 8) |
@@ -466,14 +551,18 @@ static unsigned tcp_syn_options(struct sock *sk, struct sk_buff *skb,
                                struct tcp_out_options *opts,
                                struct tcp_md5sig_key **md5) {
        struct tcp_sock *tp = tcp_sk(sk);
-        unsigned size = 0;
+        struct tcp_cookie_values *cvp = tp->cookie_values;
        struct dst_entry *dst = __sk_dst_get(sk);
+        unsigned remaining = MAX_TCP_OPTION_SPACE;
+        u8 cookie_size = (!tp->rx_opt.cookie_out_never && cvp != NULL) ?
+                         tcp_cookie_size_check(cvp->cookie_desired) :
+                         0;
 #ifdef CONFIG_TCP_MD5SIG
        *md5 = tp->af_specific->md5_lookup(sk, sk);
        if (*md5) {
                opts->options |= OPTION_MD5;
-                size += TCPOLEN_MD5SIG_ALIGNED;
+                remaining -= TCPOLEN_MD5SIG_ALIGNED;
        }
 #else
        *md5 = NULL;
@@ -489,7 +578,7 @@ static unsigned tcp_syn_options(struct sock *sk, struct sk_buff *skb,
         * SACKs don't matter, we never delay an ACK when we have any of those
         * going out.  */
        opts->mss = tcp_advertise_mss(sk);
-        size += TCPOLEN_MSS_ALIGNED;
+        remaining -= TCPOLEN_MSS_ALIGNED;
        if (likely(sysctl_tcp_timestamps &&
                   !dst_feature(dst, RTAX_FEATURE_NO_TSTAMP) &&
@@ -497,22 +586,68 @@ static unsigned tcp_syn_options(struct sock *sk, struct sk_buff *skb,
                opts->options |= OPTION_TS;
                opts->tsval = TCP_SKB_CB(skb)->when;
                opts->tsecr = tp->rx_opt.ts_recent;
-                size += TCPOLEN_TSTAMP_ALIGNED;
+                remaining -= TCPOLEN_TSTAMP_ALIGNED;
        }
        if (likely(sysctl_tcp_window_scaling &&
                   !dst_feature(dst, RTAX_FEATURE_NO_WSCALE))) {
                opts->ws = tp->rx_opt.rcv_wscale;
                opts->options |= OPTION_WSCALE;
-                size += TCPOLEN_WSCALE_ALIGNED;
+                remaining -= TCPOLEN_WSCALE_ALIGNED;
        }
        if (likely(sysctl_tcp_sack &&
                   !dst_feature(dst, RTAX_FEATURE_NO_SACK))) {
                opts->options |= OPTION_SACK_ADVERTISE;
                if (unlikely(!(OPTION_TS & opts->options)))
-                        size += TCPOLEN_SACKPERM_ALIGNED;
+                        remaining -= TCPOLEN_SACKPERM_ALIGNED;
        }
-        return size;
+        /* Note that timestamps are required by the specification.
+         *
+         * Odd numbers of bytes are prohibited by the specification, ensuring
+         * that the cookie is 16-bit aligned, and the resulting cookie pair is
+         * 32-bit aligned.
+         */
+        if (*md5 == NULL &&
+            (OPTION_TS & opts->options) &&
+            cookie_size > 0) {
+                int need = TCPOLEN_COOKIE_BASE + cookie_size;
+                if (0x2 & need) {
+                        /* 32-bit multiple */
+                        need += 2; /* NOPs */
+                        if (need > remaining) {
+                                /* try shrinking cookie to fit */
+                                cookie_size -= 2;
+                                need -= 4;
+                        }
+                }
+                while (need > remaining && TCP_COOKIE_MIN <= cookie_size) {
+                        cookie_size -= 4;
+                        need -= 4;
+                }
+                if (TCP_COOKIE_MIN <= cookie_size) {
+                        opts->options |= OPTION_COOKIE_EXTENSION;
+                        opts->hash_location = (__u8 *)&cvp->cookie_pair[0];
+                        opts->hash_size = cookie_size;
+                        /* Remember for future incarnations. */
+                        cvp->cookie_desired = cookie_size;
+                        if (cvp->cookie_desired != cvp->cookie_pair_size) {
+                                /* Currently use random bytes as a nonce,
+                                 * assuming these are completely unpredictable
+                                 * by hostile users of the same system.
+                                 */
+                                get_random_bytes(&cvp->cookie_pair[0],
+                                                 cookie_size);
+                                cvp->cookie_pair_size = cookie_size;
+                        }
+                        remaining -= need;
+                }
+        }
+        return MAX_TCP_OPTION_SPACE - remaining;
 }
 /* Set up TCP options for SYN-ACKs. */
@@ -627,7 +762,6 @@ static int tcp_transmit_skb(struct sock *sk, struct sk_buff *skb, int clone_it,
        struct tcp_out_options opts;
        unsigned tcp_options_size, tcp_header_size;
        struct tcp_md5sig_key *md5;
-        __u8 *md5_hash_location;
        struct tcphdr *th;
        int err;
@@ -698,7 +832,7 @@ static int tcp_transmit_skb(struct sock *sk, struct sk_buff *skb, int clone_it,
                }
        }
-        tcp_options_write((__be32 *)(th + 1), tp, &opts, &md5_hash_location);
+        tcp_options_write((__be32 *)(th + 1), tp, &opts);
        if (likely((tcb->flags & TCPCB_FLAG_SYN) == 0))
                TCP_ECN_send(sk, skb, tcp_header_size);
@@ -706,7 +840,7 @@ static int tcp_transmit_skb(struct sock *sk, struct sk_buff *skb, int clone_it,
        /* Calculate the MD5 hash, as we have all we need now */
        if (md5) {
                sk->sk_route_caps &= ~NETIF_F_GSO_MASK;
-                tp->af_specific->calc_md5_hash(md5_hash_location,
+                tp->af_specific->calc_md5_hash(opts.hash_location,
                                               md5, sk, NULL, skb);
        }
 #endif
@@ -2230,14 +2364,13 @@ struct sk_buff *tcp_make_synack(struct sock *sk, struct dst_entry *dst,
                                struct request_sock *req,
                                struct request_values *rvp)
 {
+        struct tcp_out_options opts;
        struct inet_request_sock *ireq = inet_rsk(req);
        struct tcp_sock *tp = tcp_sk(sk);
        struct tcphdr *th;
-        int tcp_header_size;
-        struct tcp_out_options opts;
        struct sk_buff *skb;
        struct tcp_md5sig_key *md5;
-        __u8 *md5_hash_location;
+        int tcp_header_size;
        int mss;
        skb = sock_wmalloc(sk, MAX_TCP_HEADER + 15, 1, GFP_ATOMIC);
@@ -2298,14 +2431,14 @@ struct sk_buff *tcp_make_synack(struct sock *sk, struct dst_entry *dst,
        /* RFC1323: The window in SYN & SYN/ACK segments is never scaled. */
        th->window = htons(min(req->rcv_wnd, 65535U));
-        tcp_options_write((__be32 *)(th + 1), tp, &opts, &md5_hash_location);
+        tcp_options_write((__be32 *)(th + 1), tp, &opts);
        th->doff = (tcp_header_size >> 2);
        TCP_INC_STATS(sock_net(sk), TCP_MIB_OUTSEGS);
 #ifdef CONFIG_TCP_MD5SIG
        /* Okay, we have all we need - do the md5 hash if needed */
        if (md5) {
-                tcp_rsk(req)->af_specific->calc_md5_hash(md5_hash_location,
+                tcp_rsk(req)->af_specific->calc_md5_hash(opts.hash_location,
                                               md5, NULL, req, skb);
        }
 #endif
author	William Allen Simpson <william.allen.simpson@gmail.com>	2009-12-02 13:23:05 -0500
committer	David S. Miller <davem@davemloft.net>	2009-12-03 01:07:26 -0500
commit	bd0388ae77075026d6a9f9eb6026dfd1d52ce0e9 (patch)
tree	b2262d2bf3f60e42f8c3573c89e6a47042b20122 /net/ipv4
parent	e56fb50f2b7958b931c8a2fc0966061b3f3c8f3a (diff)

diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c index 307f318fe931..35dd983a8a99 100644 --- a/net/ipv4/tcp_output.c +++ b/net/ipv4/tcp_output.c
@@ -365,15 +365,45 @@ static inline int tcp_urg_mode(const struct tcp_sock *tp)
365	#define OPTION_TS (1 << 1)	365	#define OPTION_TS (1 << 1)
366	#define OPTION_MD5 (1 << 2)	366	#define OPTION_MD5 (1 << 2)
367	#define OPTION_WSCALE (1 << 3)	367	#define OPTION_WSCALE (1 << 3)
		368	#define OPTION_COOKIE_EXTENSION (1 << 4)
368		369
369	struct tcp_out_options {	370	struct tcp_out_options {
370	u8 options; /* bit field of OPTION_* */	371	u8 options; /* bit field of OPTION_* */
371	u8 ws; /* window scale, 0 to disable */	372	u8 ws; /* window scale, 0 to disable */
372	u8 num_sack_blocks; /* number of SACK blocks to include */	373	u8 num_sack_blocks; /* number of SACK blocks to include */
		374	u8 hash_size; /* bytes in hash_location */
373	u16 mss; /* 0 to disable */	375	u16 mss; /* 0 to disable */
374	__u32 tsval, tsecr; /* need to include OPTION_TS */	376	__u32 tsval, tsecr; /* need to include OPTION_TS */
		377	__u8 hash_location; / temporary pointer, overloaded */
375	};	378	};
376		379
		380	/* The sysctl int routines are generic, so check consistency here.
		381	*/
		382	static u8 tcp_cookie_size_check(u8 desired)
		383	{
		384	if (desired > 0) {
		385	/* previously specified */
		386	return desired;
		387	}
		388	if (sysctl_tcp_cookie_size <= 0) {
		389	/* no default specified */
		390	return 0;
		391	}
		392	if (sysctl_tcp_cookie_size <= TCP_COOKIE_MIN) {
		393	/* value too small, specify minimum */
		394	return TCP_COOKIE_MIN;
		395	}
		396	if (sysctl_tcp_cookie_size >= TCP_COOKIE_MAX) {
		397	/* value too large, specify maximum */
		398	return TCP_COOKIE_MAX;
		399	}
		400	if (0x1 & sysctl_tcp_cookie_size) {
		401	/* 8-bit multiple, illegal, fix it */
		402	return (u8)(sysctl_tcp_cookie_size + 0x1);
		403	}
		404	return (u8)sysctl_tcp_cookie_size;
		405	}
		406
377	/* Write previously computed TCP options to the packet.	407	/* Write previously computed TCP options to the packet.
378	*	408	*
379	* Beware: Something in the Internet is very sensitive to the ordering of	409	* Beware: Something in the Internet is very sensitive to the ordering of
@@ -388,17 +418,34 @@ struct tcp_out_options {
388	* (but it may well be that other scenarios fail similarly).	418	* (but it may well be that other scenarios fail similarly).
389	*/	419	*/
390	static void tcp_options_write(__be32 ptr, struct tcp_sock tp,	420	static void tcp_options_write(__be32 ptr, struct tcp_sock tp,
391	const struct tcp_out_options *opts,	421	struct tcp_out_options *opts)
392	__u8 **md5_hash) {	422	{
393	if (unlikely(OPTION_MD5 & opts->options)) {	423	u8 options = opts->options; /* mungable copy */
394	*ptr++ = htonl((TCPOPT_NOP << 24) \|	424
395	(TCPOPT_NOP << 16) \|	425	/* Having both authentication and cookies for security is redundant,
396	(TCPOPT_MD5SIG << 8) \|	426	* and there's certainly not enough room. Instead, the cookie-less
397	TCPOLEN_MD5SIG);	427	* extension variant is proposed.
398	md5_hash = (__u8 )ptr;	428	*
		429	* Consider the pessimal case with authentication. The options
		430	* could look like:
		431	* COOKIE\|MD5(20) + MSS(4) + SACK\|TS(12) + WSCALE(4) == 40
		432	*/
		433	if (unlikely(OPTION_MD5 & options)) {
		434	if (unlikely(OPTION_COOKIE_EXTENSION & options)) {
		435	*ptr++ = htonl((TCPOPT_COOKIE << 24) \|
		436	(TCPOLEN_COOKIE_BASE << 16) \|
		437	(TCPOPT_MD5SIG << 8) \|
		438	TCPOLEN_MD5SIG);
		439	} else {
		440	*ptr++ = htonl((TCPOPT_NOP << 24) \|
		441	(TCPOPT_NOP << 16) \|
		442	(TCPOPT_MD5SIG << 8) \|
		443	TCPOLEN_MD5SIG);
		444	}
		445	options &= ~OPTION_COOKIE_EXTENSION;
		446	/* overload cookie hash location */
		447	opts->hash_location = (__u8 *)ptr;
399	ptr += 4;	448	ptr += 4;
400	} else {
401	*md5_hash = NULL;
402	}	449	}
403		450
404	if (unlikely(opts->mss)) {	451	if (unlikely(opts->mss)) {
@@ -407,12 +454,13 @@ static void tcp_options_write(__be32 ptr, struct tcp_sock tp,
407	opts->mss);	454	opts->mss);
408	}	455	}
409		456
410	if (likely(OPTION_TS & opts->options)) {	457	if (likely(OPTION_TS & options)) {
411	if (unlikely(OPTION_SACK_ADVERTISE & opts->options)) {	458	if (unlikely(OPTION_SACK_ADVERTISE & options)) {
412	*ptr++ = htonl((TCPOPT_SACK_PERM << 24) \|	459	*ptr++ = htonl((TCPOPT_SACK_PERM << 24) \|
413	(TCPOLEN_SACK_PERM << 16) \|	460	(TCPOLEN_SACK_PERM << 16) \|
414	(TCPOPT_TIMESTAMP << 8) \|	461	(TCPOPT_TIMESTAMP << 8) \|
415	TCPOLEN_TIMESTAMP);	462	TCPOLEN_TIMESTAMP);
		463	options &= ~OPTION_SACK_ADVERTISE;
416	} else {	464	} else {
417	*ptr++ = htonl((TCPOPT_NOP << 24) \|	465	*ptr++ = htonl((TCPOPT_NOP << 24) \|
418	(TCPOPT_NOP << 16) \|	466	(TCPOPT_NOP << 16) \|
@@ -423,15 +471,52 @@ static void tcp_options_write(__be32 ptr, struct tcp_sock tp,
423	*ptr++ = htonl(opts->tsecr);	471	*ptr++ = htonl(opts->tsecr);
424	}	472	}
425		473
426	if (unlikely(OPTION_SACK_ADVERTISE & opts->options &&	474	/* Specification requires after timestamp, so do it now.
427	!(OPTION_TS & opts->options))) {	475	*
		476	* Consider the pessimal case without authentication. The options
		477	* could look like:
		478	* MSS(4) + SACK\|TS(12) + COOKIE(20) + WSCALE(4) == 40
		479	*/
		480	if (unlikely(OPTION_COOKIE_EXTENSION & options)) {
		481	__u8 *cookie_copy = opts->hash_location;
		482	u8 cookie_size = opts->hash_size;
		483
		484	/* 8-bit multiple handled in tcp_cookie_size_check() above,
		485	* and elsewhere.
		486	*/
		487	if (0x2 & cookie_size) {
		488	__u8 p = (__u8 )ptr;
		489
		490	/* 16-bit multiple */
		491	*p++ = TCPOPT_COOKIE;
		492	*p++ = TCPOLEN_COOKIE_BASE + cookie_size;
		493	p++ = cookie_copy++;
		494	p++ = cookie_copy++;
		495	ptr++;
		496	cookie_size -= 2;
		497	} else {
		498	/* 32-bit multiple */
		499	*ptr++ = htonl(((TCPOPT_NOP << 24) \|
		500	(TCPOPT_NOP << 16) \|
		501	(TCPOPT_COOKIE << 8) \|
		502	TCPOLEN_COOKIE_BASE) +
		503	cookie_size);
		504	}
		505
		506	if (cookie_size > 0) {
		507	memcpy(ptr, cookie_copy, cookie_size);
		508	ptr += (cookie_size / 4);
		509	}
		510	}
		511
		512	if (unlikely(OPTION_SACK_ADVERTISE & options)) {
428	*ptr++ = htonl((TCPOPT_NOP << 24) \|	513	*ptr++ = htonl((TCPOPT_NOP << 24) \|
429	(TCPOPT_NOP << 16) \|	514	(TCPOPT_NOP << 16) \|
430	(TCPOPT_SACK_PERM << 8) \|	515	(TCPOPT_SACK_PERM << 8) \|
431	TCPOLEN_SACK_PERM);	516	TCPOLEN_SACK_PERM);
432	}	517	}
433		518
434	if (unlikely(OPTION_WSCALE & opts->options)) {	519	if (unlikely(OPTION_WSCALE & options)) {
435	*ptr++ = htonl((TCPOPT_NOP << 24) \|	520	*ptr++ = htonl((TCPOPT_NOP << 24) \|
436	(TCPOPT_WINDOW << 16) \|	521	(TCPOPT_WINDOW << 16) \|
437	(TCPOLEN_WINDOW << 8) \|	522	(TCPOLEN_WINDOW << 8) \|
@@ -466,14 +551,18 @@ static unsigned tcp_syn_options(struct sock sk, struct sk_buff skb,
466	struct tcp_out_options *opts,	551	struct tcp_out_options *opts,
467	struct tcp_md5sig_key **md5) {	552	struct tcp_md5sig_key **md5) {
468	struct tcp_sock *tp = tcp_sk(sk);	553	struct tcp_sock *tp = tcp_sk(sk);
469	unsigned size = 0;	554	struct tcp_cookie_values *cvp = tp->cookie_values;
470	struct dst_entry *dst = __sk_dst_get(sk);	555	struct dst_entry *dst = __sk_dst_get(sk);
		556	unsigned remaining = MAX_TCP_OPTION_SPACE;
		557	u8 cookie_size = (!tp->rx_opt.cookie_out_never && cvp != NULL) ?
		558	tcp_cookie_size_check(cvp->cookie_desired) :
		559	0;
471		560
472	#ifdef CONFIG_TCP_MD5SIG	561	#ifdef CONFIG_TCP_MD5SIG
473	*md5 = tp->af_specific->md5_lookup(sk, sk);	562	*md5 = tp->af_specific->md5_lookup(sk, sk);
474	if (*md5) {	563	if (*md5) {
475	opts->options \|= OPTION_MD5;	564	opts->options \|= OPTION_MD5;
476	size += TCPOLEN_MD5SIG_ALIGNED;	565	remaining -= TCPOLEN_MD5SIG_ALIGNED;
477	}	566	}
478	#else	567	#else
479	*md5 = NULL;	568	*md5 = NULL;
@@ -489,7 +578,7 @@ static unsigned tcp_syn_options(struct sock sk, struct sk_buff skb,
489	* SACKs don't matter, we never delay an ACK when we have any of those	578	* SACKs don't matter, we never delay an ACK when we have any of those
490	* going out. */	579	* going out. */
491	opts->mss = tcp_advertise_mss(sk);	580	opts->mss = tcp_advertise_mss(sk);
492	size += TCPOLEN_MSS_ALIGNED;	581	remaining -= TCPOLEN_MSS_ALIGNED;
493		582
494	if (likely(sysctl_tcp_timestamps &&	583	if (likely(sysctl_tcp_timestamps &&
495	!dst_feature(dst, RTAX_FEATURE_NO_TSTAMP) &&	584	!dst_feature(dst, RTAX_FEATURE_NO_TSTAMP) &&
@@ -497,22 +586,68 @@ static unsigned tcp_syn_options(struct sock sk, struct sk_buff skb,
497	opts->options \|= OPTION_TS;	586	opts->options \|= OPTION_TS;
498	opts->tsval = TCP_SKB_CB(skb)->when;	587	opts->tsval = TCP_SKB_CB(skb)->when;
499	opts->tsecr = tp->rx_opt.ts_recent;	588	opts->tsecr = tp->rx_opt.ts_recent;
500	size += TCPOLEN_TSTAMP_ALIGNED;	589	remaining -= TCPOLEN_TSTAMP_ALIGNED;
501	}	590	}
502	if (likely(sysctl_tcp_window_scaling &&	591	if (likely(sysctl_tcp_window_scaling &&
503	!dst_feature(dst, RTAX_FEATURE_NO_WSCALE))) {	592	!dst_feature(dst, RTAX_FEATURE_NO_WSCALE))) {
504	opts->ws = tp->rx_opt.rcv_wscale;	593	opts->ws = tp->rx_opt.rcv_wscale;
505	opts->options \|= OPTION_WSCALE;	594	opts->options \|= OPTION_WSCALE;
506	size += TCPOLEN_WSCALE_ALIGNED;	595	remaining -= TCPOLEN_WSCALE_ALIGNED;
507	}	596	}
508	if (likely(sysctl_tcp_sack &&	597	if (likely(sysctl_tcp_sack &&
509	!dst_feature(dst, RTAX_FEATURE_NO_SACK))) {	598	!dst_feature(dst, RTAX_FEATURE_NO_SACK))) {
510	opts->options \|= OPTION_SACK_ADVERTISE;	599	opts->options \|= OPTION_SACK_ADVERTISE;
511	if (unlikely(!(OPTION_TS & opts->options)))	600	if (unlikely(!(OPTION_TS & opts->options)))
512	size += TCPOLEN_SACKPERM_ALIGNED;	601	remaining -= TCPOLEN_SACKPERM_ALIGNED;
513	}	602	}
514		603
515	return size;	604	/* Note that timestamps are required by the specification.
		605	*
		606	* Odd numbers of bytes are prohibited by the specification, ensuring
		607	* that the cookie is 16-bit aligned, and the resulting cookie pair is
		608	* 32-bit aligned.
		609	*/
		610	if (*md5 == NULL &&
		611	(OPTION_TS & opts->options) &&
		612	cookie_size > 0) {
		613	int need = TCPOLEN_COOKIE_BASE + cookie_size;
		614
		615	if (0x2 & need) {
		616	/* 32-bit multiple */
		617	need += 2; /* NOPs */
		618
		619	if (need > remaining) {
		620	/* try shrinking cookie to fit */
		621	cookie_size -= 2;
		622	need -= 4;
		623	}
		624	}
		625	while (need > remaining && TCP_COOKIE_MIN <= cookie_size) {
		626	cookie_size -= 4;
		627	need -= 4;
		628	}
		629	if (TCP_COOKIE_MIN <= cookie_size) {
		630	opts->options \|= OPTION_COOKIE_EXTENSION;
		631	opts->hash_location = (__u8 *)&cvp->cookie_pair[0];
		632	opts->hash_size = cookie_size;
		633
		634	/* Remember for future incarnations. */
		635	cvp->cookie_desired = cookie_size;
		636
		637	if (cvp->cookie_desired != cvp->cookie_pair_size) {
		638	/* Currently use random bytes as a nonce,
		639	* assuming these are completely unpredictable
		640	* by hostile users of the same system.
		641	*/
		642	get_random_bytes(&cvp->cookie_pair[0],
		643	cookie_size);
		644	cvp->cookie_pair_size = cookie_size;
		645	}
		646
		647	remaining -= need;
		648	}
		649	}
		650	return MAX_TCP_OPTION_SPACE - remaining;
516	}	651	}
517		652
518	/* Set up TCP options for SYN-ACKs. */	653	/* Set up TCP options for SYN-ACKs. */
@@ -627,7 +762,6 @@ static int tcp_transmit_skb(struct sock sk, struct sk_buff skb, int clone_it,
627	struct tcp_out_options opts;	762	struct tcp_out_options opts;
628	unsigned tcp_options_size, tcp_header_size;	763	unsigned tcp_options_size, tcp_header_size;
629	struct tcp_md5sig_key *md5;	764	struct tcp_md5sig_key *md5;
630	__u8 *md5_hash_location;
631	struct tcphdr *th;	765	struct tcphdr *th;
632	int err;	766	int err;
633		767
@@ -698,7 +832,7 @@ static int tcp_transmit_skb(struct sock sk, struct sk_buff skb, int clone_it,
698	}	832	}
699	}	833	}
700		834
701	tcp_options_write((__be32 *)(th + 1), tp, &opts, &md5_hash_location);	835	tcp_options_write((__be32 *)(th + 1), tp, &opts);
702	if (likely((tcb->flags & TCPCB_FLAG_SYN) == 0))	836	if (likely((tcb->flags & TCPCB_FLAG_SYN) == 0))
703	TCP_ECN_send(sk, skb, tcp_header_size);	837	TCP_ECN_send(sk, skb, tcp_header_size);
704		838
@@ -706,7 +840,7 @@ static int tcp_transmit_skb(struct sock sk, struct sk_buff skb, int clone_it,
706	/* Calculate the MD5 hash, as we have all we need now */	840	/* Calculate the MD5 hash, as we have all we need now */
707	if (md5) {	841	if (md5) {
708	sk->sk_route_caps &= ~NETIF_F_GSO_MASK;	842	sk->sk_route_caps &= ~NETIF_F_GSO_MASK;
709	tp->af_specific->calc_md5_hash(md5_hash_location,	843	tp->af_specific->calc_md5_hash(opts.hash_location,
710	md5, sk, NULL, skb);	844	md5, sk, NULL, skb);
711	}	845	}
712	#endif	846	#endif
@@ -2230,14 +2364,13 @@ struct sk_buff tcp_make_synack(struct sock sk, struct dst_entry *dst,
2230	struct request_sock *req,	2364	struct request_sock *req,
2231	struct request_values *rvp)	2365	struct request_values *rvp)
2232	{	2366	{
		2367	struct tcp_out_options opts;
2233	struct inet_request_sock *ireq = inet_rsk(req);	2368	struct inet_request_sock *ireq = inet_rsk(req);
2234	struct tcp_sock *tp = tcp_sk(sk);	2369	struct tcp_sock *tp = tcp_sk(sk);
2235	struct tcphdr *th;	2370	struct tcphdr *th;
2236	int tcp_header_size;
2237	struct tcp_out_options opts;
2238	struct sk_buff *skb;	2371	struct sk_buff *skb;
2239	struct tcp_md5sig_key *md5;	2372	struct tcp_md5sig_key *md5;
2240	__u8 *md5_hash_location;	2373	int tcp_header_size;
2241	int mss;	2374	int mss;
2242		2375
2243	skb = sock_wmalloc(sk, MAX_TCP_HEADER + 15, 1, GFP_ATOMIC);	2376	skb = sock_wmalloc(sk, MAX_TCP_HEADER + 15, 1, GFP_ATOMIC);
@@ -2298,14 +2431,14 @@ struct sk_buff tcp_make_synack(struct sock sk, struct dst_entry *dst,
2298		2431
2299	/* RFC1323: The window in SYN & SYN/ACK segments is never scaled. */	2432	/* RFC1323: The window in SYN & SYN/ACK segments is never scaled. */
2300	th->window = htons(min(req->rcv_wnd, 65535U));	2433	th->window = htons(min(req->rcv_wnd, 65535U));
2301	tcp_options_write((__be32 *)(th + 1), tp, &opts, &md5_hash_location);	2434	tcp_options_write((__be32 *)(th + 1), tp, &opts);
2302	th->doff = (tcp_header_size >> 2);	2435	th->doff = (tcp_header_size >> 2);
2303	TCP_INC_STATS(sock_net(sk), TCP_MIB_OUTSEGS);	2436	TCP_INC_STATS(sock_net(sk), TCP_MIB_OUTSEGS);
2304		2437
2305	#ifdef CONFIG_TCP_MD5SIG	2438	#ifdef CONFIG_TCP_MD5SIG
2306	/* Okay, we have all we need - do the md5 hash if needed */	2439	/* Okay, we have all we need - do the md5 hash if needed */
2307	if (md5) {	2440	if (md5) {
2308	tcp_rsk(req)->af_specific->calc_md5_hash(md5_hash_location,	2441	tcp_rsk(req)->af_specific->calc_md5_hash(opts.hash_location,
2309	md5, NULL, req, skb);	2442	md5, NULL, req, skb);
2310	}	2443	}
2311	#endif	2444	#endif