1 // SPDX-License-Identifier: GPL-2.0-or-later
3 * IPv6 Syncookies implementation for the Linux kernel
6 * Glenn Griffin <ggriffin.kernel@gmail.com>
8 * Based on IPv4 implementation by Andi Kleen
9 * linux/net/ipv4/syncookies.c
12 #include <linux/tcp.h>
13 #include <linux/random.h>
14 #include <linux/siphash.h>
15 #include <linux/kernel.h>
16 #include <net/secure_seq.h>
20 #define COOKIEBITS 24 /* Upper bits store count */
21 #define COOKIEMASK (((__u32)1 << COOKIEBITS) - 1)
23 static siphash_key_t syncookie6_secret
[2] __read_mostly
;
25 /* RFC 2460, Section 8.3:
26 * [ipv6 tcp] MSS must be computed as the maximum packet size minus 60 [..]
28 * Due to IPV6_MIN_MTU=1280 the lowest possible MSS is 1220, which allows
29 * using higher values than ipv4 tcp syncookies.
30 * The other values are chosen based on ethernet (1500 and 9k MTU), plus
31 * one that accounts for common encap (PPPoe) overhead. Table must be sorted.
33 static __u16
const msstab
[] = {
34 1280 - 60, /* IPV6_MIN_MTU - 60 */
40 static u32
cookie_hash(const struct in6_addr
*saddr
,
41 const struct in6_addr
*daddr
,
42 __be16 sport
, __be16 dport
, u32 count
, int c
)
45 struct in6_addr saddr
;
46 struct in6_addr daddr
;
50 } __aligned(SIPHASH_ALIGNMENT
) combined
= {
58 net_get_random_once(syncookie6_secret
, sizeof(syncookie6_secret
));
59 return siphash(&combined
, offsetofend(typeof(combined
), dport
),
60 &syncookie6_secret
[c
]);
63 static __u32
secure_tcp_syn_cookie(const struct in6_addr
*saddr
,
64 const struct in6_addr
*daddr
,
65 __be16 sport
, __be16 dport
, __u32 sseq
,
68 u32 count
= tcp_cookie_time();
69 return (cookie_hash(saddr
, daddr
, sport
, dport
, 0, 0) +
70 sseq
+ (count
<< COOKIEBITS
) +
71 ((cookie_hash(saddr
, daddr
, sport
, dport
, count
, 1) + data
)
75 static __u32
check_tcp_syn_cookie(__u32 cookie
, const struct in6_addr
*saddr
,
76 const struct in6_addr
*daddr
, __be16 sport
,
77 __be16 dport
, __u32 sseq
)
79 __u32 diff
, count
= tcp_cookie_time();
81 cookie
-= cookie_hash(saddr
, daddr
, sport
, dport
, 0, 0) + sseq
;
83 diff
= (count
- (cookie
>> COOKIEBITS
)) & ((__u32
) -1 >> COOKIEBITS
);
84 if (diff
>= MAX_SYNCOOKIE_AGE
)
88 cookie_hash(saddr
, daddr
, sport
, dport
, count
- diff
, 1))
92 u32
__cookie_v6_init_sequence(const struct ipv6hdr
*iph
,
93 const struct tcphdr
*th
, __u16
*mssp
)
96 const __u16 mss
= *mssp
;
98 for (mssind
= ARRAY_SIZE(msstab
) - 1; mssind
; mssind
--)
99 if (mss
>= msstab
[mssind
])
102 *mssp
= msstab
[mssind
];
104 return secure_tcp_syn_cookie(&iph
->saddr
, &iph
->daddr
, th
->source
,
105 th
->dest
, ntohl(th
->seq
), mssind
);
107 EXPORT_SYMBOL_GPL(__cookie_v6_init_sequence
);
109 __u32
cookie_v6_init_sequence(const struct sk_buff
*skb
, __u16
*mssp
)
111 const struct ipv6hdr
*iph
= ipv6_hdr(skb
);
112 const struct tcphdr
*th
= tcp_hdr(skb
);
114 return __cookie_v6_init_sequence(iph
, th
, mssp
);
117 int __cookie_v6_check(const struct ipv6hdr
*iph
, const struct tcphdr
*th
,
120 __u32 seq
= ntohl(th
->seq
) - 1;
121 __u32 mssind
= check_tcp_syn_cookie(cookie
, &iph
->saddr
, &iph
->daddr
,
122 th
->source
, th
->dest
, seq
);
124 return mssind
< ARRAY_SIZE(msstab
) ? msstab
[mssind
] : 0;
126 EXPORT_SYMBOL_GPL(__cookie_v6_check
);
128 struct sock
*cookie_v6_check(struct sock
*sk
, struct sk_buff
*skb
)
130 struct tcp_options_received tcp_opt
;
131 struct inet_request_sock
*ireq
;
132 struct tcp_request_sock
*treq
;
133 struct ipv6_pinfo
*np
= inet6_sk(sk
);
134 struct tcp_sock
*tp
= tcp_sk(sk
);
135 const struct tcphdr
*th
= tcp_hdr(skb
);
136 __u32 cookie
= ntohl(th
->ack_seq
) - 1;
137 struct sock
*ret
= sk
;
138 struct request_sock
*req
;
140 struct dst_entry
*dst
;
144 if (!sock_net(sk
)->ipv4
.sysctl_tcp_syncookies
|| !th
->ack
|| th
->rst
)
147 if (tcp_synq_no_recent_overflow(sk
))
150 mss
= __cookie_v6_check(ipv6_hdr(skb
), th
, cookie
);
152 __NET_INC_STATS(sock_net(sk
), LINUX_MIB_SYNCOOKIESFAILED
);
156 __NET_INC_STATS(sock_net(sk
), LINUX_MIB_SYNCOOKIESRECV
);
158 /* check for timestamp cookie support */
159 memset(&tcp_opt
, 0, sizeof(tcp_opt
));
160 tcp_parse_options(sock_net(sk
), skb
, &tcp_opt
, 0, NULL
);
162 if (tcp_opt
.saw_tstamp
&& tcp_opt
.rcv_tsecr
) {
163 tsoff
= secure_tcpv6_ts_off(sock_net(sk
),
164 ipv6_hdr(skb
)->daddr
.s6_addr32
,
165 ipv6_hdr(skb
)->saddr
.s6_addr32
);
166 tcp_opt
.rcv_tsecr
-= tsoff
;
169 if (!cookie_timestamp_decode(sock_net(sk
), &tcp_opt
))
173 req
= cookie_tcp_reqsk_alloc(&tcp6_request_sock_ops
, sk
, skb
);
177 ireq
= inet_rsk(req
);
179 treq
->tfo_listener
= false;
181 if (security_inet_conn_request(sk
, skb
, req
))
185 ireq
->ir_rmt_port
= th
->source
;
186 ireq
->ir_num
= ntohs(th
->dest
);
187 ireq
->ir_v6_rmt_addr
= ipv6_hdr(skb
)->saddr
;
188 ireq
->ir_v6_loc_addr
= ipv6_hdr(skb
)->daddr
;
189 if (ipv6_opt_accepted(sk
, skb
, &TCP_SKB_CB(skb
)->header
.h6
) ||
190 np
->rxopt
.bits
.rxinfo
|| np
->rxopt
.bits
.rxoinfo
||
191 np
->rxopt
.bits
.rxhlim
|| np
->rxopt
.bits
.rxohlim
) {
192 refcount_inc(&skb
->users
);
196 ireq
->ir_iif
= inet_request_bound_dev_if(sk
, skb
);
197 /* So that link locals have meaning */
198 if (!sk
->sk_bound_dev_if
&&
199 ipv6_addr_type(&ireq
->ir_v6_rmt_addr
) & IPV6_ADDR_LINKLOCAL
)
200 ireq
->ir_iif
= tcp_v6_iif(skb
);
202 ireq
->ir_mark
= inet_request_mark(sk
, skb
);
204 req
->num_retrans
= 0;
205 ireq
->snd_wscale
= tcp_opt
.snd_wscale
;
206 ireq
->sack_ok
= tcp_opt
.sack_ok
;
207 ireq
->wscale_ok
= tcp_opt
.wscale_ok
;
208 ireq
->tstamp_ok
= tcp_opt
.saw_tstamp
;
209 req
->ts_recent
= tcp_opt
.saw_tstamp
? tcp_opt
.rcv_tsval
: 0;
210 treq
->snt_synack
= 0;
211 treq
->rcv_isn
= ntohl(th
->seq
) - 1;
212 treq
->snt_isn
= cookie
;
214 treq
->txhash
= net_tx_rndhash();
215 if (IS_ENABLED(CONFIG_SMC
))
219 * We need to lookup the dst_entry to get the correct window size.
220 * This is taken from tcp_v6_syn_recv_sock. Somebody please enlighten
221 * me if there is a preferred way.
224 struct in6_addr
*final_p
, final
;
226 memset(&fl6
, 0, sizeof(fl6
));
227 fl6
.flowi6_proto
= IPPROTO_TCP
;
228 fl6
.daddr
= ireq
->ir_v6_rmt_addr
;
229 final_p
= fl6_update_dst(&fl6
, rcu_dereference(np
->opt
), &final
);
230 fl6
.saddr
= ireq
->ir_v6_loc_addr
;
231 fl6
.flowi6_oif
= ireq
->ir_iif
;
232 fl6
.flowi6_mark
= ireq
->ir_mark
;
233 fl6
.fl6_dport
= ireq
->ir_rmt_port
;
234 fl6
.fl6_sport
= inet_sk(sk
)->inet_sport
;
235 fl6
.flowi6_uid
= sk
->sk_uid
;
236 security_req_classify_flow(req
, flowi6_to_flowi_common(&fl6
));
238 dst
= ip6_dst_lookup_flow(sock_net(sk
), sk
, &fl6
, final_p
);
243 req
->rsk_window_clamp
= tp
->window_clamp
? :dst_metric(dst
, RTAX_WINDOW
);
244 /* limit the window selection if the user enforce a smaller rx buffer */
245 full_space
= tcp_full_space(sk
);
246 if (sk
->sk_userlocks
& SOCK_RCVBUF_LOCK
&&
247 (req
->rsk_window_clamp
> full_space
|| req
->rsk_window_clamp
== 0))
248 req
->rsk_window_clamp
= full_space
;
250 tcp_select_initial_window(sk
, full_space
, req
->mss
,
251 &req
->rsk_rcv_wnd
, &req
->rsk_window_clamp
,
252 ireq
->wscale_ok
, &rcv_wscale
,
253 dst_metric(dst
, RTAX_INITRWND
));
255 ireq
->rcv_wscale
= rcv_wscale
;
256 ireq
->ecn_ok
= cookie_ecn_ok(&tcp_opt
, sock_net(sk
), dst
);
258 ret
= tcp_get_cookie_sock(sk
, skb
, req
, dst
, tsoff
);