diff options
Diffstat (limited to 'net/ipv4/syncookies.c')
-rw-r--r-- | net/ipv4/syncookies.c | 279 |
1 files changed, 279 insertions, 0 deletions
diff --git a/net/ipv4/syncookies.c b/net/ipv4/syncookies.c new file mode 100644 index 000000000000..e923d2f021aa --- /dev/null +++ b/net/ipv4/syncookies.c | |||
@@ -0,0 +1,279 @@ | |||
1 | /* | ||
2 | * Syncookies implementation for the Linux kernel | ||
3 | * | ||
4 | * Copyright (C) 1997 Andi Kleen | ||
5 | * Based on ideas by D.J.Bernstein and Eric Schenk. | ||
6 | * | ||
7 | * This program is free software; you can redistribute it and/or | ||
8 | * modify it under the terms of the GNU General Public License | ||
9 | * as published by the Free Software Foundation; either version | ||
10 | * 2 of the License, or (at your option) any later version. | ||
11 | * | ||
12 | * $Id: syncookies.c,v 1.18 2002/02/01 22:01:04 davem Exp $ | ||
13 | * | ||
14 | * Missing: IPv6 support. | ||
15 | */ | ||
16 | |||
17 | #include <linux/tcp.h> | ||
18 | #include <linux/slab.h> | ||
19 | #include <linux/random.h> | ||
20 | #include <linux/cryptohash.h> | ||
21 | #include <linux/kernel.h> | ||
22 | #include <net/tcp.h> | ||
23 | |||
24 | extern int sysctl_tcp_syncookies; | ||
25 | |||
26 | static __u32 syncookie_secret[2][16-3+SHA_DIGEST_WORDS]; | ||
27 | |||
28 | static __init int init_syncookies(void) | ||
29 | { | ||
30 | get_random_bytes(syncookie_secret, sizeof(syncookie_secret)); | ||
31 | return 0; | ||
32 | } | ||
33 | module_init(init_syncookies); | ||
34 | |||
35 | #define COOKIEBITS 24 /* Upper bits store count */ | ||
36 | #define COOKIEMASK (((__u32)1 << COOKIEBITS) - 1) | ||
37 | |||
38 | static u32 cookie_hash(u32 saddr, u32 daddr, u32 sport, u32 dport, | ||
39 | u32 count, int c) | ||
40 | { | ||
41 | __u32 tmp[16 + 5 + SHA_WORKSPACE_WORDS]; | ||
42 | |||
43 | memcpy(tmp + 3, syncookie_secret[c], sizeof(syncookie_secret[c])); | ||
44 | tmp[0] = saddr; | ||
45 | tmp[1] = daddr; | ||
46 | tmp[2] = (sport << 16) + dport; | ||
47 | tmp[3] = count; | ||
48 | sha_transform(tmp + 16, (__u8 *)tmp, tmp + 16 + 5); | ||
49 | |||
50 | return tmp[17]; | ||
51 | } | ||
52 | |||
53 | static __u32 secure_tcp_syn_cookie(__u32 saddr, __u32 daddr, __u16 sport, | ||
54 | __u16 dport, __u32 sseq, __u32 count, | ||
55 | __u32 data) | ||
56 | { | ||
57 | /* | ||
58 | * Compute the secure sequence number. | ||
59 | * The output should be: | ||
60 | * HASH(sec1,saddr,sport,daddr,dport,sec1) + sseq + (count * 2^24) | ||
61 | * + (HASH(sec2,saddr,sport,daddr,dport,count,sec2) % 2^24). | ||
62 | * Where sseq is their sequence number and count increases every | ||
63 | * minute by 1. | ||
64 | * As an extra hack, we add a small "data" value that encodes the | ||
65 | * MSS into the second hash value. | ||
66 | */ | ||
67 | |||
68 | return (cookie_hash(saddr, daddr, sport, dport, 0, 0) + | ||
69 | sseq + (count << COOKIEBITS) + | ||
70 | ((cookie_hash(saddr, daddr, sport, dport, count, 1) + data) | ||
71 | & COOKIEMASK)); | ||
72 | } | ||
73 | |||
74 | /* | ||
75 | * This retrieves the small "data" value from the syncookie. | ||
76 | * If the syncookie is bad, the data returned will be out of | ||
77 | * range. This must be checked by the caller. | ||
78 | * | ||
79 | * The count value used to generate the cookie must be within | ||
80 | * "maxdiff" if the current (passed-in) "count". The return value | ||
81 | * is (__u32)-1 if this test fails. | ||
82 | */ | ||
83 | static __u32 check_tcp_syn_cookie(__u32 cookie, __u32 saddr, __u32 daddr, | ||
84 | __u16 sport, __u16 dport, __u32 sseq, | ||
85 | __u32 count, __u32 maxdiff) | ||
86 | { | ||
87 | __u32 diff; | ||
88 | |||
89 | /* Strip away the layers from the cookie */ | ||
90 | cookie -= cookie_hash(saddr, daddr, sport, dport, 0, 0) + sseq; | ||
91 | |||
92 | /* Cookie is now reduced to (count * 2^24) ^ (hash % 2^24) */ | ||
93 | diff = (count - (cookie >> COOKIEBITS)) & ((__u32) - 1 >> COOKIEBITS); | ||
94 | if (diff >= maxdiff) | ||
95 | return (__u32)-1; | ||
96 | |||
97 | return (cookie - | ||
98 | cookie_hash(saddr, daddr, sport, dport, count - diff, 1)) | ||
99 | & COOKIEMASK; /* Leaving the data behind */ | ||
100 | } | ||
101 | |||
102 | /* | ||
103 | * This table has to be sorted and terminated with (__u16)-1. | ||
104 | * XXX generate a better table. | ||
105 | * Unresolved Issues: HIPPI with a 64k MSS is not well supported. | ||
106 | */ | ||
107 | static __u16 const msstab[] = { | ||
108 | 64 - 1, | ||
109 | 256 - 1, | ||
110 | 512 - 1, | ||
111 | 536 - 1, | ||
112 | 1024 - 1, | ||
113 | 1440 - 1, | ||
114 | 1460 - 1, | ||
115 | 4312 - 1, | ||
116 | (__u16)-1 | ||
117 | }; | ||
118 | /* The number doesn't include the -1 terminator */ | ||
119 | #define NUM_MSS (ARRAY_SIZE(msstab) - 1) | ||
120 | |||
121 | /* | ||
122 | * Generate a syncookie. mssp points to the mss, which is returned | ||
123 | * rounded down to the value encoded in the cookie. | ||
124 | */ | ||
125 | __u32 cookie_v4_init_sequence(struct sock *sk, struct sk_buff *skb, __u16 *mssp) | ||
126 | { | ||
127 | struct tcp_sock *tp = tcp_sk(sk); | ||
128 | int mssind; | ||
129 | const __u16 mss = *mssp; | ||
130 | |||
131 | |||
132 | tp->last_synq_overflow = jiffies; | ||
133 | |||
134 | /* XXX sort msstab[] by probability? Binary search? */ | ||
135 | for (mssind = 0; mss > msstab[mssind + 1]; mssind++) | ||
136 | ; | ||
137 | *mssp = msstab[mssind] + 1; | ||
138 | |||
139 | NET_INC_STATS_BH(LINUX_MIB_SYNCOOKIESSENT); | ||
140 | |||
141 | return secure_tcp_syn_cookie(skb->nh.iph->saddr, skb->nh.iph->daddr, | ||
142 | skb->h.th->source, skb->h.th->dest, | ||
143 | ntohl(skb->h.th->seq), | ||
144 | jiffies / (HZ * 60), mssind); | ||
145 | } | ||
146 | |||
147 | /* | ||
148 | * This (misnamed) value is the age of syncookie which is permitted. | ||
149 | * Its ideal value should be dependent on TCP_TIMEOUT_INIT and | ||
150 | * sysctl_tcp_retries1. It's a rather complicated formula (exponential | ||
151 | * backoff) to compute at runtime so it's currently hardcoded here. | ||
152 | */ | ||
153 | #define COUNTER_TRIES 4 | ||
154 | /* | ||
155 | * Check if a ack sequence number is a valid syncookie. | ||
156 | * Return the decoded mss if it is, or 0 if not. | ||
157 | */ | ||
158 | static inline int cookie_check(struct sk_buff *skb, __u32 cookie) | ||
159 | { | ||
160 | __u32 seq; | ||
161 | __u32 mssind; | ||
162 | |||
163 | seq = ntohl(skb->h.th->seq)-1; | ||
164 | mssind = check_tcp_syn_cookie(cookie, | ||
165 | skb->nh.iph->saddr, skb->nh.iph->daddr, | ||
166 | skb->h.th->source, skb->h.th->dest, | ||
167 | seq, jiffies / (HZ * 60), COUNTER_TRIES); | ||
168 | |||
169 | return mssind < NUM_MSS ? msstab[mssind] + 1 : 0; | ||
170 | } | ||
171 | |||
172 | extern struct or_calltable or_ipv4; | ||
173 | |||
174 | static inline struct sock *get_cookie_sock(struct sock *sk, struct sk_buff *skb, | ||
175 | struct open_request *req, | ||
176 | struct dst_entry *dst) | ||
177 | { | ||
178 | struct tcp_sock *tp = tcp_sk(sk); | ||
179 | struct sock *child; | ||
180 | |||
181 | child = tp->af_specific->syn_recv_sock(sk, skb, req, dst); | ||
182 | if (child) | ||
183 | tcp_acceptq_queue(sk, req, child); | ||
184 | else | ||
185 | tcp_openreq_free(req); | ||
186 | |||
187 | return child; | ||
188 | } | ||
189 | |||
190 | struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb, | ||
191 | struct ip_options *opt) | ||
192 | { | ||
193 | struct tcp_sock *tp = tcp_sk(sk); | ||
194 | __u32 cookie = ntohl(skb->h.th->ack_seq) - 1; | ||
195 | struct sock *ret = sk; | ||
196 | struct open_request *req; | ||
197 | int mss; | ||
198 | struct rtable *rt; | ||
199 | __u8 rcv_wscale; | ||
200 | |||
201 | if (!sysctl_tcp_syncookies || !skb->h.th->ack) | ||
202 | goto out; | ||
203 | |||
204 | if (time_after(jiffies, tp->last_synq_overflow + TCP_TIMEOUT_INIT) || | ||
205 | (mss = cookie_check(skb, cookie)) == 0) { | ||
206 | NET_INC_STATS_BH(LINUX_MIB_SYNCOOKIESFAILED); | ||
207 | goto out; | ||
208 | } | ||
209 | |||
210 | NET_INC_STATS_BH(LINUX_MIB_SYNCOOKIESRECV); | ||
211 | |||
212 | req = tcp_openreq_alloc(); | ||
213 | ret = NULL; | ||
214 | if (!req) | ||
215 | goto out; | ||
216 | |||
217 | req->rcv_isn = htonl(skb->h.th->seq) - 1; | ||
218 | req->snt_isn = cookie; | ||
219 | req->mss = mss; | ||
220 | req->rmt_port = skb->h.th->source; | ||
221 | req->af.v4_req.loc_addr = skb->nh.iph->daddr; | ||
222 | req->af.v4_req.rmt_addr = skb->nh.iph->saddr; | ||
223 | req->class = &or_ipv4; /* for savety */ | ||
224 | req->af.v4_req.opt = NULL; | ||
225 | |||
226 | /* We throwed the options of the initial SYN away, so we hope | ||
227 | * the ACK carries the same options again (see RFC1122 4.2.3.8) | ||
228 | */ | ||
229 | if (opt && opt->optlen) { | ||
230 | int opt_size = sizeof(struct ip_options) + opt->optlen; | ||
231 | |||
232 | req->af.v4_req.opt = kmalloc(opt_size, GFP_ATOMIC); | ||
233 | if (req->af.v4_req.opt) { | ||
234 | if (ip_options_echo(req->af.v4_req.opt, skb)) { | ||
235 | kfree(req->af.v4_req.opt); | ||
236 | req->af.v4_req.opt = NULL; | ||
237 | } | ||
238 | } | ||
239 | } | ||
240 | |||
241 | req->snd_wscale = req->rcv_wscale = req->tstamp_ok = 0; | ||
242 | req->wscale_ok = req->sack_ok = 0; | ||
243 | req->expires = 0UL; | ||
244 | req->retrans = 0; | ||
245 | |||
246 | /* | ||
247 | * We need to lookup the route here to get at the correct | ||
248 | * window size. We should better make sure that the window size | ||
249 | * hasn't changed since we received the original syn, but I see | ||
250 | * no easy way to do this. | ||
251 | */ | ||
252 | { | ||
253 | struct flowi fl = { .nl_u = { .ip4_u = | ||
254 | { .daddr = ((opt && opt->srr) ? | ||
255 | opt->faddr : | ||
256 | req->af.v4_req.rmt_addr), | ||
257 | .saddr = req->af.v4_req.loc_addr, | ||
258 | .tos = RT_CONN_FLAGS(sk) } }, | ||
259 | .proto = IPPROTO_TCP, | ||
260 | .uli_u = { .ports = | ||
261 | { .sport = skb->h.th->dest, | ||
262 | .dport = skb->h.th->source } } }; | ||
263 | if (ip_route_output_key(&rt, &fl)) { | ||
264 | tcp_openreq_free(req); | ||
265 | goto out; | ||
266 | } | ||
267 | } | ||
268 | |||
269 | /* Try to redo what tcp_v4_send_synack did. */ | ||
270 | req->window_clamp = dst_metric(&rt->u.dst, RTAX_WINDOW); | ||
271 | tcp_select_initial_window(tcp_full_space(sk), req->mss, | ||
272 | &req->rcv_wnd, &req->window_clamp, | ||
273 | 0, &rcv_wscale); | ||
274 | /* BTW win scale with syncookies is 0 by definition */ | ||
275 | req->rcv_wscale = rcv_wscale; | ||
276 | |||
277 | ret = get_cookie_sock(sk, skb, req, &rt->u.dst); | ||
278 | out: return ret; | ||
279 | } | ||