// SPDX-License-Identifier: GPL-2.0-or-later
/*
 *  IPv6 Syncookies implementation for the Linux kernel
 *
 *  Authors:
 *  Glenn Griffin	<ggriffin.kernel@gmail.com>
 *
 *  Based on IPv4 implementation by Andi Kleen
 *  linux/net/ipv4/syncookies.c
 */

#include <linux/tcp.h>
#include <linux/random.h>
#include <linux/siphash.h>
#include <linux/kernel.h>
#include <net/secure_seq.h>
#include <net/ipv6.h>
#include <net/tcp.h>

/*
 * Cookie layout (before the first hash and the peer's sequence number are
 * added on top): the upper 32 - COOKIEBITS bits hold the time counter, the
 * lower COOKIEBITS bits hold the keyed hash plus the encoded data.
 */
#define COOKIEBITS 24	/* Upper bits store count */
#define COOKIEMASK (((__u32)1 << COOKIEBITS) - 1)

/*
 * Two independent SipHash keys, selected by the 'c' argument of
 * cookie_hash().  They are filled in lazily by net_get_random_once() on the
 * first call to cookie_hash().
 */
static siphash_aligned_key_t syncookie6_secret[2];

/* RFC 2460, Section 8.3:
 * [ipv6 tcp] MSS must be computed as the maximum packet size minus 60 [..]
 *
 * Due to IPV6_MIN_MTU=1280 the lowest possible MSS is 1220, which allows
 * using higher values than ipv4 tcp syncookies.
 * The other values are chosen based on ethernet (1500 and 9k MTU), plus
 * one that accounts for common encap (PPPoe) overhead. Table must be sorted.
 *
 * Only the index into this table travels inside the cookie; the decoded
 * index is range-checked against ARRAY_SIZE(msstab) in __cookie_v6_check().
 */
static __u16 const msstab[] = {
	1280 - 60, /* IPV6_MIN_MTU - 60 */
	1480 - 60,
	1500 - 60,
	9000 - 60,
};

/*
 * Keyed hash over the connection 4-tuple and a counter value.
 *
 * @saddr, @daddr: IPv6 source and destination address of the segment
 * @sport, @dport: TCP ports, in network byte order
 * @count:         counter value mixed into the hash (0 for the first hash)
 * @c:             which of the two secrets to use (0 or 1 at every call
 *                 site in this file; the index is not range-checked here)
 *
 * Returns the SipHash result truncated to u32.
 */
static u32 cookie_hash(const struct in6_addr *saddr,
		       const struct in6_addr *daddr,
		       __be16 sport, __be16 dport, u32 count, int c)
{
	/*
	 * Field order defines the hashed byte string, so it must not change.
	 */
	const struct {
		struct in6_addr saddr;
		struct in6_addr daddr;
		u32 count;
		__be16 sport;
		__be16 dport;
	} __aligned(SIPHASH_ALIGNMENT) flow = {
		.saddr = *saddr,
		.daddr = *daddr,
		.count = count,
		.sport = sport,
		.dport = dport
	};

	/* Seed both keys on first use. */
	net_get_random_once(syncookie6_secret, sizeof(syncookie6_secret));

	/*
	 * Hash only up to the end of 'dport', so any tail padding added by
	 * the alignment attribute is never fed to the hash.
	 */
	return siphash(&flow, offsetofend(typeof(flow), dport),
		       &syncookie6_secret[c]);
}

/*
 * Build a syncookie for the given flow.
 *
 * @sseq: the peer's initial sequence number (host byte order)
 * @data: small value to carry in the cookie (the msstab index here)
 *
 * The result is, modulo 2^32:
 *
 *   H0(flow, 0) + sseq + (count << COOKIEBITS)
 *	+ ((H1(flow, count) + data) & COOKIEMASK)
 *
 * Because H0 + sseq is added over the full 32 bits, the counter is not
 * visible in the upper bits on the wire; it can only be recovered by
 * someone able to recompute H0, i.e. the holder of the first secret.
 */
static __u32 secure_tcp_syn_cookie(const struct in6_addr *saddr,
				   const struct in6_addr *daddr,
				   __be16 sport, __be16 dport, __u32 sseq,
				   __u32 data)
{
	u32 count = tcp_cookie_time();
	u32 base = cookie_hash(saddr, daddr, sport, dport, 0, 0) + sseq;
	u32 low = (cookie_hash(saddr, daddr, sport, dport, count, 1) + data)
		  & COOKIEMASK;

	return base + (count << COOKIEBITS) + low;
}

/*
 * Undo secure_tcp_syn_cookie() for a cookie echoed back by the peer.
 *
 * Returns (__u32)-1 when the embedded counter is MAX_SYNCOOKIE_AGE or more
 * ticks behind tcp_cookie_time(); otherwise the low COOKIEBITS bits that
 * remain after both hashes are removed.  For a genuine cookie that is the
 * 'data' value passed at creation.  For anything else it is whatever the
 * arithmetic leaves behind, so the caller must validate the result (see the
 * table-size check in __cookie_v6_check()).
 */
static __u32 check_tcp_syn_cookie(__u32 cookie, const struct in6_addr *saddr,
				  const struct in6_addr *daddr, __be16 sport,
				  __be16 dport, __u32 sseq)
{
	const __u32 now = tcp_cookie_time();
	__u32 age;

	/* Remove the first hash and the peer's ISN to expose the counter. */
	cookie -= cookie_hash(saddr, daddr, sport, dport, 0, 0) + sseq;

	/* Age in counter ticks, modulo the width of the counter field. */
	age = (now - (cookie >> COOKIEBITS)) & ((__u32)-1 >> COOKIEBITS);
	if (age >= MAX_SYNCOOKIE_AGE)
		return (__u32)-1;

	/*
	 * 'now - age' is the full counter value whose low bits match the
	 * ones stored in the cookie; remove the second hash computed with it.
	 */
	cookie -= cookie_hash(saddr, daddr, sport, dport, now - age, 1);

	return cookie & COOKIEMASK;
}

/*
 * Pick the largest msstab entry not above *mssp (falling back to the
 * smallest entry), write it back through @mssp, and return a syncookie
 * that encodes the chosen table index for the flow described by @iph/@th.
 */
u32 __cookie_v6_init_sequence(const struct ipv6hdr *iph,
			      const struct tcphdr *th, __u16 *mssp)
{
	const __u16 wanted = *mssp;
	int idx = ARRAY_SIZE(msstab) - 1;

	/* Walk down from the largest entry; index 0 is the floor. */
	while (idx && wanted < msstab[idx])
		idx--;

	*mssp = msstab[idx];

	return secure_tcp_syn_cookie(&iph->saddr, &iph->daddr, th->source,
				     th->dest, ntohl(th->seq), idx);
}
EXPORT_SYMBOL_GPL(__cookie_v6_init_sequence);

/*
 * skb-based wrapper: takes the IPv6 and TCP headers from @skb and forwards
 * to __cookie_v6_init_sequence().
 */
__u32 cookie_v6_init_sequence(const struct sk_buff *skb, __u16 *mssp)
{
	return __cookie_v6_init_sequence(ipv6_hdr(skb), tcp_hdr(skb), mssp);
}

/*
 * Validate @cookie against the headers of the segment that carried it.
 *
 * The peer's original ISN is reconstructed as th->seq - 1.  Returns the MSS
 * from msstab on success and 0 when the cookie is too old or decodes to an
 * index outside the table.  That range check is the only thing separating
 * a genuine cookie from a guessed one, so callers must treat 0 as a hard
 * failure.
 */
int __cookie_v6_check(const struct ipv6hdr *iph, const struct tcphdr *th,
		      __u32 cookie)
{
	const __u32 peer_isn = ntohl(th->seq) - 1;
	const __u32 idx = check_tcp_syn_cookie(cookie, &iph->saddr,
					       &iph->daddr, th->source,
					       th->dest, peer_isn);

	/* Also rejects the (__u32)-1 "too old" marker. */
	if (idx >= ARRAY_SIZE(msstab))
		return 0;

	return msstab[idx];
}
EXPORT_SYMBOL_GPL(__cookie_v6_check);

/*
 * Try to complete a handshake from the syncookie carried in an incoming
 * segment.
 *
 * Return value:
 *   - @sk itself when the segment is not handled as a cookie ACK:
 *     syncookies disabled, ACK clear or RST set,
 *     tcp_synq_no_recent_overflow() true, cookie validation failed, or
 *     cookie_timestamp_decode() rejected the options;
 *   - NULL when the cookie validated but building the request failed
 *     (allocation, security_inet_conn_request(), or route lookup);
 *   - otherwise whatever tcp_get_cookie_sock() returns.
 *
 * Every field of the request socket is rebuilt here from the packet, the
 * listener and the route.  LINUX_MIB_SYNCOOKIESFAILED and
 * LINUX_MIB_SYNCOOKIESRECV are bumped on the failure and success of the
 * cookie check respectively, which makes them the counters to watch when
 * monitoring for cookie-guessing or SYN-flood activity.
 */
struct sock *cookie_v6_check(struct sock *sk, struct sk_buff *skb)
{
	struct tcp_options_received tcp_opt;
	struct inet_request_sock *ireq;
	struct tcp_request_sock *treq;
	struct ipv6_pinfo *np = inet6_sk(sk);
	struct tcp_sock *tp = tcp_sk(sk);
	const struct tcphdr *th = tcp_hdr(skb);
	/* The cookie was sent as our ISN, so the peer acks cookie + 1. */
	__u32 cookie = ntohl(th->ack_seq) - 1;
	struct net *net = sock_net(sk);
	struct in6_addr *final_p, final;
	struct sock *ret = sk;
	struct request_sock *req;
	int full_space, mss;
	struct dst_entry *dst;
	struct flowi6 fl6;
	__u8 rcv_wscale;
	u32 tsoff = 0;

	if (!READ_ONCE(net->ipv4.sysctl_tcp_syncookies))
		goto out;

	/* Only a plain ACK can carry a cookie. */
	if (!th->ack || th->rst)
		goto out;

	/*
	 * NOTE(review): going by its name, this skips cookie validation
	 * unless the listener's SYN queue overflowed recently -- confirm
	 * against its definition.
	 */
	if (tcp_synq_no_recent_overflow(sk))
		goto out;

	mss = __cookie_v6_check(ipv6_hdr(skb), th, cookie);
	if (!mss) {
		__NET_INC_STATS(net, LINUX_MIB_SYNCOOKIESFAILED);
		goto out;
	}

	__NET_INC_STATS(net, LINUX_MIB_SYNCOOKIESRECV);

	/* check for timestamp cookie support */
	memset(&tcp_opt, 0, sizeof(tcp_opt));
	tcp_parse_options(net, skb, &tcp_opt, 0, NULL);

	if (tcp_opt.saw_tstamp && tcp_opt.rcv_tsecr) {
		/*
		 * Remove the per-flow timestamp offset from the echoed
		 * value before it is decoded.  Addresses are passed with
		 * the packet's destination first.
		 */
		tsoff = secure_tcpv6_ts_off(net,
					    ipv6_hdr(skb)->daddr.s6_addr32,
					    ipv6_hdr(skb)->saddr.s6_addr32);
		tcp_opt.rcv_tsecr -= tsoff;
	}

	if (!cookie_timestamp_decode(net, &tcp_opt))
		goto out;

	/* From here on a failure drops the segment instead of passing sk. */
	ret = NULL;
	req = cookie_tcp_reqsk_alloc(&tcp6_request_sock_ops,
				     &tcp_request_sock_ipv6_ops, sk, skb);
	if (!req)
		goto out;

	ireq = inet_rsk(req);
	treq = tcp_rsk(req);
	treq->tfo_listener = false;

	req->mss = mss;
	ireq->ir_rmt_port = th->source;
	ireq->ir_num = ntohs(th->dest);
	ireq->ir_v6_rmt_addr = ipv6_hdr(skb)->saddr;
	ireq->ir_v6_loc_addr = ipv6_hdr(skb)->daddr;

	/* A non-zero result from the security hook vetoes the connection. */
	if (security_inet_conn_request(sk, skb, req))
		goto out_free;

	if (ipv6_opt_accepted(sk, skb, &TCP_SKB_CB(skb)->header.h6) ||
	    np->rxopt.bits.rxinfo || np->rxopt.bits.rxoinfo ||
	    np->rxopt.bits.rxhlim || np->rxopt.bits.rxohlim) {
		/* The request keeps the skb, so take a reference for it. */
		refcount_inc(&skb->users);
		ireq->pktopts = skb;
	}

	ireq->ir_iif = inet_request_bound_dev_if(sk, skb);
	/* So that link locals have meaning */
	if (!sk->sk_bound_dev_if &&
	    (ipv6_addr_type(&ireq->ir_v6_rmt_addr) & IPV6_ADDR_LINKLOCAL))
		ireq->ir_iif = tcp_v6_iif(skb);

	ireq->ir_mark = inet_request_mark(sk, skb);

	req->num_retrans = 0;
	/* Option state comes from tcp_opt as left by the decode step above. */
	ireq->snd_wscale	= tcp_opt.snd_wscale;
	ireq->sack_ok		= tcp_opt.sack_ok;
	ireq->wscale_ok		= tcp_opt.wscale_ok;
	ireq->tstamp_ok		= tcp_opt.saw_tstamp;
	req->ts_recent		= tcp_opt.saw_tstamp ? tcp_opt.rcv_tsval : 0;
	treq->snt_synack	= 0;
	treq->rcv_isn		= ntohl(th->seq) - 1;
	treq->snt_isn		= cookie;
	treq->ts_off		= 0;
	treq->txhash		= net_tx_rndhash();
	if (IS_ENABLED(CONFIG_SMC))
		ireq->smc_ok = 0;

	/*
	 * We need to lookup the dst_entry to get the correct window size.
	 * This is taken from tcp_v6_syn_recv_sock.  Somebody please enlighten
	 * me if there is a preferred way.
	 */
	memset(&fl6, 0, sizeof(fl6));
	fl6.flowi6_proto = IPPROTO_TCP;
	fl6.daddr = ireq->ir_v6_rmt_addr;
	final_p = fl6_update_dst(&fl6, rcu_dereference(np->opt), &final);
	fl6.saddr = ireq->ir_v6_loc_addr;
	fl6.flowi6_oif = ireq->ir_iif;
	fl6.flowi6_mark = ireq->ir_mark;
	fl6.fl6_dport = ireq->ir_rmt_port;
	fl6.fl6_sport = inet_sk(sk)->inet_sport;
	fl6.flowi6_uid = sk->sk_uid;
	security_req_classify_flow(req, flowi6_to_flowi_common(&fl6));

	dst = ip6_dst_lookup_flow(net, sk, &fl6, final_p);
	if (IS_ERR(dst))
		goto out_free;

	/* Listener's clamp wins; otherwise use the route's window metric. */
	req->rsk_window_clamp = tp->window_clamp ? : dst_metric(dst, RTAX_WINDOW);

	/* Limit the window selection if the user enforces a smaller rx buffer. */
	full_space = tcp_full_space(sk);
	if ((sk->sk_userlocks & SOCK_RCVBUF_LOCK) &&
	    (req->rsk_window_clamp > full_space || req->rsk_window_clamp == 0))
		req->rsk_window_clamp = full_space;

	tcp_select_initial_window(sk, full_space, req->mss,
				  &req->rsk_rcv_wnd, &req->rsk_window_clamp,
				  ireq->wscale_ok, &rcv_wscale,
				  dst_metric(dst, RTAX_INITRWND));

	ireq->rcv_wscale = rcv_wscale;
	ireq->ecn_ok = cookie_ecn_ok(&tcp_opt, net, dst);

	ret = tcp_get_cookie_sock(sk, skb, req, dst, tsoff);
out:
	return ret;
out_free:
	reqsk_free(req);
	return NULL;
}