1 files changed, 82 insertions, 1 deletions
diff --git a/net/ipv4/tcp_fastopen.c b/net/ipv4/tcp_fastopen.c
index a7f729c409d7..8f7ef0ad80e5 100644
--- a/net/ipv4/tcp_fastopen.c
+++ b/net/ipv4/tcp_fastopen.c
@@ -1,10 +1,91 @@
+#include <linux/err.h>
 #include <linux/init.h>
 #include <linux/kernel.h>
+#include <linux/list.h>
+#include <linux/tcp.h>
+#include <linux/rcupdate.h>
+#include <linux/rculist.h>
+#include <net/inetpeer.h>
+#include <net/tcp.h>
-int sysctl_tcp_fastopen;
+int sysctl_tcp_fastopen __read_mostly;
+struct tcp_fastopen_context __rcu *tcp_fastopen_ctx;
+static DEFINE_SPINLOCK(tcp_fastopen_ctx_lock);
+static void tcp_fastopen_ctx_free(struct rcu_head *head)
+{
+        struct tcp_fastopen_context *ctx =
+            container_of(head, struct tcp_fastopen_context, rcu);
+        crypto_free_cipher(ctx->tfm);
+        kfree(ctx);
+}
+int tcp_fastopen_reset_cipher(void *key, unsigned int len)
+{
+        int err;
+        struct tcp_fastopen_context *ctx, *octx;
+        ctx = kmalloc(sizeof(*ctx), GFP_KERNEL);
+        if (!ctx)
+                return -ENOMEM;
+        ctx->tfm = crypto_alloc_cipher("aes", 0, 0);
+        if (IS_ERR(ctx->tfm)) {
+                err = PTR_ERR(ctx->tfm);
+error:          kfree(ctx);
+                pr_err("TCP: TFO aes cipher alloc error: %d\n", err);
+                return err;
+        }
+        err = crypto_cipher_setkey(ctx->tfm, key, len);
+        if (err) {
+                pr_err("TCP: TFO cipher key error: %d\n", err);
+                crypto_free_cipher(ctx->tfm);
+                goto error;
+        }
+        memcpy(ctx->key, key, len);
+        spin_lock(&tcp_fastopen_ctx_lock);
+        octx = rcu_dereference_protected(tcp_fastopen_ctx,
+                                lockdep_is_held(&tcp_fastopen_ctx_lock));
+        rcu_assign_pointer(tcp_fastopen_ctx, ctx);
+        spin_unlock(&tcp_fastopen_ctx_lock);
+        if (octx)
+                call_rcu(&octx->rcu, tcp_fastopen_ctx_free);
+        return err;
+}
+/* Computes the fastopen cookie for the peer.
+ * The peer address is a 128 bits long (pad with zeros for IPv4).
+ *
+ * The caller must check foc->len to determine if a valid cookie
+ * has been generated successfully.
+*/
+void tcp_fastopen_cookie_gen(__be32 addr, struct tcp_fastopen_cookie *foc)
+{
+        __be32 peer_addr[4] = { addr, 0, 0, 0 };
+        struct tcp_fastopen_context *ctx;
+        rcu_read_lock();
+        ctx = rcu_dereference(tcp_fastopen_ctx);
+        if (ctx) {
+                crypto_cipher_encrypt_one(ctx->tfm,
+                                          foc->val,
+                                          (__u8 *)peer_addr);
+                foc->len = TCP_FASTOPEN_COOKIE_SIZE;
+        }
+        rcu_read_unlock();
+}
 static int __init tcp_fastopen_init(void)
 {
+        __u8 key[TCP_FASTOPEN_KEY_LENGTH];
+        get_random_bytes(key, sizeof(key));
+        tcp_fastopen_reset_cipher(key, sizeof(key));
        return 0;
 }

diff --git a/net/ipv4/tcp_fastopen.c b/net/ipv4/tcp_fastopen.c index a7f729c409d7..8f7ef0ad80e5 100644 --- a/net/ipv4/tcp_fastopen.c +++ b/net/ipv4/tcp_fastopen.c
@@ -1,10 +1,91 @@
		1	#include <linux/err.h>
1	#include <linux/init.h>	2	#include <linux/init.h>
2	#include <linux/kernel.h>	3	#include <linux/kernel.h>
		4	#include <linux/list.h>
		5	#include <linux/tcp.h>
		6	#include <linux/rcupdate.h>
		7	#include <linux/rculist.h>
		8	#include <net/inetpeer.h>
		9	#include <net/tcp.h>
3		10
4	int sysctl_tcp_fastopen;	11	int sysctl_tcp_fastopen __read_mostly;
		12
		13	struct tcp_fastopen_context __rcu *tcp_fastopen_ctx;
		14
		15	static DEFINE_SPINLOCK(tcp_fastopen_ctx_lock);
		16
		17	static void tcp_fastopen_ctx_free(struct rcu_head *head)
		18	{
		19	struct tcp_fastopen_context *ctx =
		20	container_of(head, struct tcp_fastopen_context, rcu);
		21	crypto_free_cipher(ctx->tfm);
		22	kfree(ctx);
		23	}
		24
		25	int tcp_fastopen_reset_cipher(void *key, unsigned int len)
		26	{
		27	int err;
		28	struct tcp_fastopen_context ctx, octx;
		29
		30	ctx = kmalloc(sizeof(*ctx), GFP_KERNEL);
		31	if (!ctx)
		32	return -ENOMEM;
		33	ctx->tfm = crypto_alloc_cipher("aes", 0, 0);
		34
		35	if (IS_ERR(ctx->tfm)) {
		36	err = PTR_ERR(ctx->tfm);
		37	error: kfree(ctx);
		38	pr_err("TCP: TFO aes cipher alloc error: %d\n", err);
		39	return err;
		40	}
		41	err = crypto_cipher_setkey(ctx->tfm, key, len);
		42	if (err) {
		43	pr_err("TCP: TFO cipher key error: %d\n", err);
		44	crypto_free_cipher(ctx->tfm);
		45	goto error;
		46	}
		47	memcpy(ctx->key, key, len);
		48
		49	spin_lock(&tcp_fastopen_ctx_lock);
		50
		51	octx = rcu_dereference_protected(tcp_fastopen_ctx,
		52	lockdep_is_held(&tcp_fastopen_ctx_lock));
		53	rcu_assign_pointer(tcp_fastopen_ctx, ctx);
		54	spin_unlock(&tcp_fastopen_ctx_lock);
		55
		56	if (octx)
		57	call_rcu(&octx->rcu, tcp_fastopen_ctx_free);
		58	return err;
		59	}
		60
		61	/* Computes the fastopen cookie for the peer.
		62	* The peer address is a 128 bits long (pad with zeros for IPv4).
		63	*
		64	* The caller must check foc->len to determine if a valid cookie
		65	* has been generated successfully.
		66	*/
		67	void tcp_fastopen_cookie_gen(__be32 addr, struct tcp_fastopen_cookie *foc)
		68	{
		69	__be32 peer_addr[4] = { addr, 0, 0, 0 };
		70	struct tcp_fastopen_context *ctx;
		71
		72	rcu_read_lock();
		73	ctx = rcu_dereference(tcp_fastopen_ctx);
		74	if (ctx) {
		75	crypto_cipher_encrypt_one(ctx->tfm,
		76	foc->val,
		77	(__u8 *)peer_addr);
		78	foc->len = TCP_FASTOPEN_COOKIE_SIZE;
		79	}
		80	rcu_read_unlock();
		81	}
5		82
6	static int __init tcp_fastopen_init(void)	83	static int __init tcp_fastopen_init(void)
7	{	84	{
		85	__u8 key[TCP_FASTOPEN_KEY_LENGTH];
		86
		87	get_random_bytes(key, sizeof(key));
		88	tcp_fastopen_reset_cipher(key, sizeof(key));
8	return 0;	89	return 0;
9	}	90	}
10		91