Commit e56fb50f authored by William Allen Simpson's avatar William Allen Simpson Committed by David S. Miller

TCPCT part 1e: implement socket option TCP_COOKIE_TRANSACTIONS

Provide per socket control of the TCP cookie option and SYN/SYNACK data.

This is a straightforward re-implementation of an earlier (year-old)
patch that no longer applies cleanly, with permission of the original
author (Adam Langley):

    http://thread.gmane.org/gmane.linux.network/102586

The principle difference is using a TCP option to carry the cookie nonce,
instead of a user configured offset in the data.

Allocations have been rearranged to avoid requiring GFP_ATOMIC.

Requires:
   net: TCP_MSS_DEFAULT, TCP_MSS_DESIRED
   TCPCT part 1c: sysctl_tcp_cookie_size, socket option TCP_COOKIE_TRANSACTIONS
   TCPCT part 1d: define TCP cookie option, extend existing struct's

Signed-off-by: William.Allen.Simpson@gmail.com
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 435cf559
...@@ -2085,8 +2085,9 @@ static int do_tcp_setsockopt(struct sock *sk, int level, ...@@ -2085,8 +2085,9 @@ static int do_tcp_setsockopt(struct sock *sk, int level,
int val; int val;
int err = 0; int err = 0;
/* This is a string value all the others are int's */ /* These are data/string values, all the others are ints */
if (optname == TCP_CONGESTION) { switch (optname) {
case TCP_CONGESTION: {
char name[TCP_CA_NAME_MAX]; char name[TCP_CA_NAME_MAX];
if (optlen < 1) if (optlen < 1)
...@@ -2103,6 +2104,93 @@ static int do_tcp_setsockopt(struct sock *sk, int level, ...@@ -2103,6 +2104,93 @@ static int do_tcp_setsockopt(struct sock *sk, int level,
release_sock(sk); release_sock(sk);
return err; return err;
} }
case TCP_COOKIE_TRANSACTIONS: {
struct tcp_cookie_transactions ctd;
struct tcp_cookie_values *cvp = NULL;
if (sizeof(ctd) > optlen)
return -EINVAL;
if (copy_from_user(&ctd, optval, sizeof(ctd)))
return -EFAULT;
if (ctd.tcpct_used > sizeof(ctd.tcpct_value) ||
ctd.tcpct_s_data_desired > TCP_MSS_DESIRED)
return -EINVAL;
if (ctd.tcpct_cookie_desired == 0) {
/* default to global value */
} else if ((0x1 & ctd.tcpct_cookie_desired) ||
ctd.tcpct_cookie_desired > TCP_COOKIE_MAX ||
ctd.tcpct_cookie_desired < TCP_COOKIE_MIN) {
return -EINVAL;
}
if (TCP_COOKIE_OUT_NEVER & ctd.tcpct_flags) {
/* Supercedes all other values */
lock_sock(sk);
if (tp->cookie_values != NULL) {
kref_put(&tp->cookie_values->kref,
tcp_cookie_values_release);
tp->cookie_values = NULL;
}
tp->rx_opt.cookie_in_always = 0; /* false */
tp->rx_opt.cookie_out_never = 1; /* true */
release_sock(sk);
return err;
}
/* Allocate ancillary memory before locking.
*/
if (ctd.tcpct_used > 0 ||
(tp->cookie_values == NULL &&
(sysctl_tcp_cookie_size > 0 ||
ctd.tcpct_cookie_desired > 0 ||
ctd.tcpct_s_data_desired > 0))) {
cvp = kzalloc(sizeof(*cvp) + ctd.tcpct_used,
GFP_KERNEL);
if (cvp == NULL)
return -ENOMEM;
}
lock_sock(sk);
tp->rx_opt.cookie_in_always =
(TCP_COOKIE_IN_ALWAYS & ctd.tcpct_flags);
tp->rx_opt.cookie_out_never = 0; /* false */
if (tp->cookie_values != NULL) {
if (cvp != NULL) {
/* Changed values are recorded by a changed
* pointer, ensuring the cookie will differ,
* without separately hashing each value later.
*/
kref_put(&tp->cookie_values->kref,
tcp_cookie_values_release);
kref_init(&cvp->kref);
tp->cookie_values = cvp;
} else {
cvp = tp->cookie_values;
}
}
if (cvp != NULL) {
cvp->cookie_desired = ctd.tcpct_cookie_desired;
if (ctd.tcpct_used > 0) {
memcpy(cvp->s_data_payload, ctd.tcpct_value,
ctd.tcpct_used);
cvp->s_data_desired = ctd.tcpct_used;
cvp->s_data_constant = 1; /* true */
} else {
/* No constant payload data. */
cvp->s_data_desired = ctd.tcpct_s_data_desired;
cvp->s_data_constant = 0; /* false */
}
}
release_sock(sk);
return err;
}
default:
/* fallthru */
break;
};
if (optlen < sizeof(int)) if (optlen < sizeof(int))
return -EINVAL; return -EINVAL;
...@@ -2427,6 +2515,47 @@ static int do_tcp_getsockopt(struct sock *sk, int level, ...@@ -2427,6 +2515,47 @@ static int do_tcp_getsockopt(struct sock *sk, int level,
if (copy_to_user(optval, icsk->icsk_ca_ops->name, len)) if (copy_to_user(optval, icsk->icsk_ca_ops->name, len))
return -EFAULT; return -EFAULT;
return 0; return 0;
case TCP_COOKIE_TRANSACTIONS: {
struct tcp_cookie_transactions ctd;
struct tcp_cookie_values *cvp = tp->cookie_values;
if (get_user(len, optlen))
return -EFAULT;
if (len < sizeof(ctd))
return -EINVAL;
memset(&ctd, 0, sizeof(ctd));
ctd.tcpct_flags = (tp->rx_opt.cookie_in_always ?
TCP_COOKIE_IN_ALWAYS : 0)
| (tp->rx_opt.cookie_out_never ?
TCP_COOKIE_OUT_NEVER : 0);
if (cvp != NULL) {
ctd.tcpct_flags |= (cvp->s_data_in ?
TCP_S_DATA_IN : 0)
| (cvp->s_data_out ?
TCP_S_DATA_OUT : 0);
ctd.tcpct_cookie_desired = cvp->cookie_desired;
ctd.tcpct_s_data_desired = cvp->s_data_desired;
/* Cookie(s) saved, return as nonce */
if (sizeof(ctd.tcpct_value) < cvp->cookie_pair_size) {
/* impossible? */
return -EINVAL;
}
memcpy(&ctd.tcpct_value[0], &cvp->cookie_pair[0],
cvp->cookie_pair_size);
ctd.tcpct_used = cvp->cookie_pair_size;
}
if (put_user(sizeof(ctd), optlen))
return -EFAULT;
if (copy_to_user(optval, &ctd, sizeof(ctd)))
return -EFAULT;
return 0;
}
default: default:
return -ENOPROTOOPT; return -ENOPROTOOPT;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment