xref: /freebsd/sys/netinet/tcp_syncache.c (revision 0b3105a37d7adcadcb720112fed4dc4e8040be99)
1 /*-
2  * Copyright (c) 2001 McAfee, Inc.
3  * Copyright (c) 2006,2013 Andre Oppermann, Internet Business Solutions AG
4  * All rights reserved.
5  *
6  * This software was developed for the FreeBSD Project by Jonathan Lemon
7  * and McAfee Research, the Security Research Division of McAfee, Inc. under
8  * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
9  * DARPA CHATS research program. [2001 McAfee, Inc.]
10  *
11  * Redistribution and use in source and binary forms, with or without
12  * modification, are permitted provided that the following conditions
13  * are met:
14  * 1. Redistributions of source code must retain the above copyright
15  *    notice, this list of conditions and the following disclaimer.
16  * 2. Redistributions in binary form must reproduce the above copyright
17  *    notice, this list of conditions and the following disclaimer in the
18  *    documentation and/or other materials provided with the distribution.
19  *
20  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
21  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
24  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30  * SUCH DAMAGE.
31  */
32 
33 #include <sys/cdefs.h>
34 __FBSDID("$FreeBSD$");
35 
36 #include "opt_inet.h"
37 #include "opt_inet6.h"
38 #include "opt_ipsec.h"
39 #include "opt_pcbgroup.h"
40 
41 #include <sys/param.h>
42 #include <sys/systm.h>
43 #include <sys/hash.h>
44 #include <sys/refcount.h>
45 #include <sys/kernel.h>
46 #include <sys/sysctl.h>
47 #include <sys/limits.h>
48 #include <sys/lock.h>
49 #include <sys/mutex.h>
50 #include <sys/malloc.h>
51 #include <sys/mbuf.h>
52 #include <sys/proc.h>		/* for proc0 declaration */
53 #include <sys/random.h>
54 #include <sys/socket.h>
55 #include <sys/socketvar.h>
56 #include <sys/syslog.h>
57 #include <sys/ucred.h>
58 
59 #include <sys/md5.h>
60 #include <crypto/siphash/siphash.h>
61 
62 #include <vm/uma.h>
63 
64 #include <net/if.h>
65 #include <net/if_var.h>
66 #include <net/route.h>
67 #include <net/vnet.h>
68 
69 #include <netinet/in.h>
70 #include <netinet/in_systm.h>
71 #include <netinet/ip.h>
72 #include <netinet/in_var.h>
73 #include <netinet/in_pcb.h>
74 #include <netinet/ip_var.h>
75 #include <netinet/ip_options.h>
76 #ifdef INET6
77 #include <netinet/ip6.h>
78 #include <netinet/icmp6.h>
79 #include <netinet6/nd6.h>
80 #include <netinet6/ip6_var.h>
81 #include <netinet6/in6_pcb.h>
82 #endif
83 #include <netinet/tcp.h>
84 #ifdef TCP_RFC7413
85 #include <netinet/tcp_fastopen.h>
86 #endif
87 #include <netinet/tcp_fsm.h>
88 #include <netinet/tcp_seq.h>
89 #include <netinet/tcp_timer.h>
90 #include <netinet/tcp_var.h>
91 #include <netinet/tcp_syncache.h>
92 #ifdef INET6
93 #include <netinet6/tcp6_var.h>
94 #endif
95 #ifdef TCP_OFFLOAD
96 #include <netinet/toecore.h>
97 #endif
98 
99 #ifdef IPSEC
100 #include <netipsec/ipsec.h>
101 #ifdef INET6
102 #include <netipsec/ipsec6.h>
103 #endif
104 #include <netipsec/key.h>
105 #endif /*IPSEC*/
106 
107 #include <machine/in_cksum.h>
108 
109 #include <security/mac/mac_framework.h>
110 
111 static VNET_DEFINE(int, tcp_syncookies) = 1;
112 #define	V_tcp_syncookies		VNET(tcp_syncookies)
113 SYSCTL_INT(_net_inet_tcp, OID_AUTO, syncookies, CTLFLAG_VNET | CTLFLAG_RW,
114     &VNET_NAME(tcp_syncookies), 0,
115     "Use TCP SYN cookies if the syncache overflows");
116 
117 static VNET_DEFINE(int, tcp_syncookiesonly) = 0;
118 #define	V_tcp_syncookiesonly		VNET(tcp_syncookiesonly)
119 SYSCTL_INT(_net_inet_tcp, OID_AUTO, syncookies_only, CTLFLAG_VNET | CTLFLAG_RW,
120     &VNET_NAME(tcp_syncookiesonly), 0,
121     "Use only TCP SYN cookies");
122 
123 #ifdef TCP_OFFLOAD
124 #define ADDED_BY_TOE(sc) ((sc)->sc_tod != NULL)
125 #endif
126 
127 static void	 syncache_drop(struct syncache *, struct syncache_head *);
128 static void	 syncache_free(struct syncache *);
129 static void	 syncache_insert(struct syncache *, struct syncache_head *);
130 static int	 syncache_respond(struct syncache *, struct syncache_head *, int);
131 static struct	 socket *syncache_socket(struct syncache *, struct socket *,
132 		    struct mbuf *m);
133 static void	 syncache_timeout(struct syncache *sc, struct syncache_head *sch,
134 		    int docallout);
135 static void	 syncache_timer(void *);
136 
137 static uint32_t	 syncookie_mac(struct in_conninfo *, tcp_seq, uint8_t,
138 		    uint8_t *, uintptr_t);
139 static tcp_seq	 syncookie_generate(struct syncache_head *, struct syncache *);
140 static struct syncache
141 		*syncookie_lookup(struct in_conninfo *, struct syncache_head *,
142 		    struct syncache *, struct tcphdr *, struct tcpopt *,
143 		    struct socket *);
144 static void	 syncookie_reseed(void *);
145 #ifdef INVARIANTS
146 static int	 syncookie_cmp(struct in_conninfo *inc, struct syncache_head *sch,
147 		    struct syncache *sc, struct tcphdr *th, struct tcpopt *to,
148 		    struct socket *lso);
149 #endif
150 
151 /*
152  * Transmit the SYN,ACK fewer times than TCP_MAXRXTSHIFT specifies.
153  * 3 retransmits corresponds to a timeout of 3 * (1 + 2 + 4 + 8) == 45 seconds,
154  * the odds are that the user has given up attempting to connect by then.
155  */
156 #define SYNCACHE_MAXREXMTS		3
157 
158 /* Arbitrary values */
159 #define TCP_SYNCACHE_HASHSIZE		512
160 #define TCP_SYNCACHE_BUCKETLIMIT	30
161 
162 static VNET_DEFINE(struct tcp_syncache, tcp_syncache);
163 #define	V_tcp_syncache			VNET(tcp_syncache)
164 
165 static SYSCTL_NODE(_net_inet_tcp, OID_AUTO, syncache, CTLFLAG_RW, 0,
166     "TCP SYN cache");
167 
168 SYSCTL_UINT(_net_inet_tcp_syncache, OID_AUTO, bucketlimit, CTLFLAG_VNET | CTLFLAG_RDTUN,
169     &VNET_NAME(tcp_syncache.bucket_limit), 0,
170     "Per-bucket hash limit for syncache");
171 
172 SYSCTL_UINT(_net_inet_tcp_syncache, OID_AUTO, cachelimit, CTLFLAG_VNET | CTLFLAG_RDTUN,
173     &VNET_NAME(tcp_syncache.cache_limit), 0,
174     "Overall entry limit for syncache");
175 
176 SYSCTL_UMA_CUR(_net_inet_tcp_syncache, OID_AUTO, count, CTLFLAG_VNET,
177     &VNET_NAME(tcp_syncache.zone), "Current number of entries in syncache");
178 
179 SYSCTL_UINT(_net_inet_tcp_syncache, OID_AUTO, hashsize, CTLFLAG_VNET | CTLFLAG_RDTUN,
180     &VNET_NAME(tcp_syncache.hashsize), 0,
181     "Size of TCP syncache hashtable");
182 
183 SYSCTL_UINT(_net_inet_tcp_syncache, OID_AUTO, rexmtlimit, CTLFLAG_VNET | CTLFLAG_RW,
184     &VNET_NAME(tcp_syncache.rexmt_limit), 0,
185     "Limit on SYN/ACK retransmissions");
186 
187 VNET_DEFINE(int, tcp_sc_rst_sock_fail) = 1;
188 SYSCTL_INT(_net_inet_tcp_syncache, OID_AUTO, rst_on_sock_fail,
189     CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(tcp_sc_rst_sock_fail), 0,
190     "Send reset on socket allocation failure");
191 
192 static MALLOC_DEFINE(M_SYNCACHE, "syncache", "TCP syncache");
193 
194 #define	SCH_LOCK(sch)		mtx_lock(&(sch)->sch_mtx)
195 #define	SCH_UNLOCK(sch)		mtx_unlock(&(sch)->sch_mtx)
196 #define	SCH_LOCK_ASSERT(sch)	mtx_assert(&(sch)->sch_mtx, MA_OWNED)
197 
198 /*
199  * Requires the syncache entry to be already removed from the bucket list.
200  */
201 static void
202 syncache_free(struct syncache *sc)
203 {
204 
205 	if (sc->sc_ipopts)
206 		(void) m_free(sc->sc_ipopts);
207 	if (sc->sc_cred)
208 		crfree(sc->sc_cred);
209 #ifdef MAC
210 	mac_syncache_destroy(&sc->sc_label);
211 #endif
212 
213 	uma_zfree(V_tcp_syncache.zone, sc);
214 }
215 
216 void
217 syncache_init(void)
218 {
219 	int i;
220 
221 	V_tcp_syncache.hashsize = TCP_SYNCACHE_HASHSIZE;
222 	V_tcp_syncache.bucket_limit = TCP_SYNCACHE_BUCKETLIMIT;
223 	V_tcp_syncache.rexmt_limit = SYNCACHE_MAXREXMTS;
224 	V_tcp_syncache.hash_secret = arc4random();
225 
226 	TUNABLE_INT_FETCH("net.inet.tcp.syncache.hashsize",
227 	    &V_tcp_syncache.hashsize);
228 	TUNABLE_INT_FETCH("net.inet.tcp.syncache.bucketlimit",
229 	    &V_tcp_syncache.bucket_limit);
230 	if (!powerof2(V_tcp_syncache.hashsize) ||
231 	    V_tcp_syncache.hashsize == 0) {
232 		printf("WARNING: syncache hash size is not a power of 2.\n");
233 		V_tcp_syncache.hashsize = TCP_SYNCACHE_HASHSIZE;
234 	}
235 	V_tcp_syncache.hashmask = V_tcp_syncache.hashsize - 1;
236 
237 	/* Set limits. */
238 	V_tcp_syncache.cache_limit =
239 	    V_tcp_syncache.hashsize * V_tcp_syncache.bucket_limit;
240 	TUNABLE_INT_FETCH("net.inet.tcp.syncache.cachelimit",
241 	    &V_tcp_syncache.cache_limit);
242 
243 	/* Allocate the hash table. */
244 	V_tcp_syncache.hashbase = malloc(V_tcp_syncache.hashsize *
245 	    sizeof(struct syncache_head), M_SYNCACHE, M_WAITOK | M_ZERO);
246 
247 #ifdef VIMAGE
248 	V_tcp_syncache.vnet = curvnet;
249 #endif
250 
251 	/* Initialize the hash buckets. */
252 	for (i = 0; i < V_tcp_syncache.hashsize; i++) {
253 		TAILQ_INIT(&V_tcp_syncache.hashbase[i].sch_bucket);
254 		mtx_init(&V_tcp_syncache.hashbase[i].sch_mtx, "tcp_sc_head",
255 			 NULL, MTX_DEF);
256 		callout_init_mtx(&V_tcp_syncache.hashbase[i].sch_timer,
257 			 &V_tcp_syncache.hashbase[i].sch_mtx, 0);
258 		V_tcp_syncache.hashbase[i].sch_length = 0;
259 		V_tcp_syncache.hashbase[i].sch_sc = &V_tcp_syncache;
260 	}
261 
262 	/* Create the syncache entry zone. */
263 	V_tcp_syncache.zone = uma_zcreate("syncache", sizeof(struct syncache),
264 	    NULL, NULL, NULL, NULL, UMA_ALIGN_PTR, 0);
265 	V_tcp_syncache.cache_limit = uma_zone_set_max(V_tcp_syncache.zone,
266 	    V_tcp_syncache.cache_limit);
267 
268 	/* Start the SYN cookie reseeder callout. */
269 	callout_init(&V_tcp_syncache.secret.reseed, 1);
270 	arc4rand(V_tcp_syncache.secret.key[0], SYNCOOKIE_SECRET_SIZE, 0);
271 	arc4rand(V_tcp_syncache.secret.key[1], SYNCOOKIE_SECRET_SIZE, 0);
272 	callout_reset(&V_tcp_syncache.secret.reseed, SYNCOOKIE_LIFETIME * hz,
273 	    syncookie_reseed, &V_tcp_syncache);
274 }
275 
276 #ifdef VIMAGE
277 void
278 syncache_destroy(void)
279 {
280 	struct syncache_head *sch;
281 	struct syncache *sc, *nsc;
282 	int i;
283 
284 	/* Cleanup hash buckets: stop timers, free entries, destroy locks. */
285 	for (i = 0; i < V_tcp_syncache.hashsize; i++) {
286 
287 		sch = &V_tcp_syncache.hashbase[i];
288 		callout_drain(&sch->sch_timer);
289 
290 		SCH_LOCK(sch);
291 		TAILQ_FOREACH_SAFE(sc, &sch->sch_bucket, sc_hash, nsc)
292 			syncache_drop(sc, sch);
293 		SCH_UNLOCK(sch);
294 		KASSERT(TAILQ_EMPTY(&sch->sch_bucket),
295 		    ("%s: sch->sch_bucket not empty", __func__));
296 		KASSERT(sch->sch_length == 0, ("%s: sch->sch_length %d not 0",
297 		    __func__, sch->sch_length));
298 		mtx_destroy(&sch->sch_mtx);
299 	}
300 
301 	KASSERT(uma_zone_get_cur(V_tcp_syncache.zone) == 0,
302 	    ("%s: cache_count not 0", __func__));
303 
304 	/* Free the allocated global resources. */
305 	uma_zdestroy(V_tcp_syncache.zone);
306 	free(V_tcp_syncache.hashbase, M_SYNCACHE);
307 
308 	callout_drain(&V_tcp_syncache.secret.reseed);
309 }
310 #endif
311 
312 /*
313  * Inserts a syncache entry into the specified bucket row.
314  * Locks and unlocks the syncache_head autonomously.
315  */
316 static void
317 syncache_insert(struct syncache *sc, struct syncache_head *sch)
318 {
319 	struct syncache *sc2;
320 
321 	SCH_LOCK(sch);
322 
323 	/*
324 	 * Make sure that we don't overflow the per-bucket limit.
325 	 * If the bucket is full, toss the oldest element.
326 	 */
327 	if (sch->sch_length >= V_tcp_syncache.bucket_limit) {
328 		KASSERT(!TAILQ_EMPTY(&sch->sch_bucket),
329 			("sch->sch_length incorrect"));
330 		sc2 = TAILQ_LAST(&sch->sch_bucket, sch_head);
331 		syncache_drop(sc2, sch);
332 		TCPSTAT_INC(tcps_sc_bucketoverflow);
333 	}
334 
335 	/* Put it into the bucket. */
336 	TAILQ_INSERT_HEAD(&sch->sch_bucket, sc, sc_hash);
337 	sch->sch_length++;
338 
339 #ifdef TCP_OFFLOAD
340 	if (ADDED_BY_TOE(sc)) {
341 		struct toedev *tod = sc->sc_tod;
342 
343 		tod->tod_syncache_added(tod, sc->sc_todctx);
344 	}
345 #endif
346 
347 	/* Reinitialize the bucket row's timer. */
348 	if (sch->sch_length == 1)
349 		sch->sch_nextc = ticks + INT_MAX;
350 	syncache_timeout(sc, sch, 1);
351 
352 	SCH_UNLOCK(sch);
353 
354 	TCPSTAT_INC(tcps_states[TCPS_SYN_RECEIVED]);
355 	TCPSTAT_INC(tcps_sc_added);
356 }
357 
358 /*
359  * Remove and free entry from syncache bucket row.
360  * Expects locked syncache head.
361  */
362 static void
363 syncache_drop(struct syncache *sc, struct syncache_head *sch)
364 {
365 
366 	SCH_LOCK_ASSERT(sch);
367 
368 	TCPSTAT_DEC(tcps_states[TCPS_SYN_RECEIVED]);
369 	TAILQ_REMOVE(&sch->sch_bucket, sc, sc_hash);
370 	sch->sch_length--;
371 
372 #ifdef TCP_OFFLOAD
373 	if (ADDED_BY_TOE(sc)) {
374 		struct toedev *tod = sc->sc_tod;
375 
376 		tod->tod_syncache_removed(tod, sc->sc_todctx);
377 	}
378 #endif
379 
380 	syncache_free(sc);
381 }
382 
383 /*
384  * Engage/reengage time on bucket row.
385  */
386 static void
387 syncache_timeout(struct syncache *sc, struct syncache_head *sch, int docallout)
388 {
389 	sc->sc_rxttime = ticks +
390 		TCPTV_RTOBASE * (tcp_syn_backoff[sc->sc_rxmits]);
391 	sc->sc_rxmits++;
392 	if (TSTMP_LT(sc->sc_rxttime, sch->sch_nextc)) {
393 		sch->sch_nextc = sc->sc_rxttime;
394 		if (docallout)
395 			callout_reset(&sch->sch_timer, sch->sch_nextc - ticks,
396 			    syncache_timer, (void *)sch);
397 	}
398 }
399 
400 /*
401  * Walk the timer queues, looking for SYN,ACKs that need to be retransmitted.
402  * If we have retransmitted an entry the maximum number of times, expire it.
403  * One separate timer for each bucket row.
404  */
405 static void
406 syncache_timer(void *xsch)
407 {
408 	struct syncache_head *sch = (struct syncache_head *)xsch;
409 	struct syncache *sc, *nsc;
410 	int tick = ticks;
411 	char *s;
412 
413 	CURVNET_SET(sch->sch_sc->vnet);
414 
415 	/* NB: syncache_head has already been locked by the callout. */
416 	SCH_LOCK_ASSERT(sch);
417 
418 	/*
419 	 * In the following cycle we may remove some entries and/or
420 	 * advance some timeouts, so re-initialize the bucket timer.
421 	 */
422 	sch->sch_nextc = tick + INT_MAX;
423 
424 	TAILQ_FOREACH_SAFE(sc, &sch->sch_bucket, sc_hash, nsc) {
425 		/*
426 		 * We do not check if the listen socket still exists
427 		 * and accept the case where the listen socket may be
428 		 * gone by the time we resend the SYN/ACK.  We do
429 		 * not expect this to happens often. If it does,
430 		 * then the RST will be sent by the time the remote
431 		 * host does the SYN/ACK->ACK.
432 		 */
433 		if (TSTMP_GT(sc->sc_rxttime, tick)) {
434 			if (TSTMP_LT(sc->sc_rxttime, sch->sch_nextc))
435 				sch->sch_nextc = sc->sc_rxttime;
436 			continue;
437 		}
438 		if (sc->sc_rxmits > V_tcp_syncache.rexmt_limit) {
439 			if ((s = tcp_log_addrs(&sc->sc_inc, NULL, NULL, NULL))) {
440 				log(LOG_DEBUG, "%s; %s: Retransmits exhausted, "
441 				    "giving up and removing syncache entry\n",
442 				    s, __func__);
443 				free(s, M_TCPLOG);
444 			}
445 			syncache_drop(sc, sch);
446 			TCPSTAT_INC(tcps_sc_stale);
447 			continue;
448 		}
449 		if ((s = tcp_log_addrs(&sc->sc_inc, NULL, NULL, NULL))) {
450 			log(LOG_DEBUG, "%s; %s: Response timeout, "
451 			    "retransmitting (%u) SYN|ACK\n",
452 			    s, __func__, sc->sc_rxmits);
453 			free(s, M_TCPLOG);
454 		}
455 
456 		syncache_respond(sc, sch, 1);
457 		TCPSTAT_INC(tcps_sc_retransmitted);
458 		syncache_timeout(sc, sch, 0);
459 	}
460 	if (!TAILQ_EMPTY(&(sch)->sch_bucket))
461 		callout_reset(&(sch)->sch_timer, (sch)->sch_nextc - tick,
462 			syncache_timer, (void *)(sch));
463 	CURVNET_RESTORE();
464 }
465 
466 /*
467  * Find an entry in the syncache.
468  * Returns always with locked syncache_head plus a matching entry or NULL.
469  */
470 static struct syncache *
471 syncache_lookup(struct in_conninfo *inc, struct syncache_head **schp)
472 {
473 	struct syncache *sc;
474 	struct syncache_head *sch;
475 	uint32_t hash;
476 
477 	/*
478 	 * The hash is built on foreign port + local port + foreign address.
479 	 * We rely on the fact that struct in_conninfo starts with 16 bits
480 	 * of foreign port, then 16 bits of local port then followed by 128
481 	 * bits of foreign address.  In case of IPv4 address, the first 3
482 	 * 32-bit words of the address always are zeroes.
483 	 */
484 	hash = jenkins_hash32((uint32_t *)&inc->inc_ie, 5,
485 	    V_tcp_syncache.hash_secret) & V_tcp_syncache.hashmask;
486 
487 	sch = &V_tcp_syncache.hashbase[hash];
488 	*schp = sch;
489 	SCH_LOCK(sch);
490 
491 	/* Circle through bucket row to find matching entry. */
492 	TAILQ_FOREACH(sc, &sch->sch_bucket, sc_hash)
493 		if (bcmp(&inc->inc_ie, &sc->sc_inc.inc_ie,
494 		    sizeof(struct in_endpoints)) == 0)
495 			break;
496 
497 	return (sc);	/* Always returns with locked sch. */
498 }
499 
500 /*
501  * This function is called when we get a RST for a
502  * non-existent connection, so that we can see if the
503  * connection is in the syn cache.  If it is, zap it.
504  */
505 void
506 syncache_chkrst(struct in_conninfo *inc, struct tcphdr *th)
507 {
508 	struct syncache *sc;
509 	struct syncache_head *sch;
510 	char *s = NULL;
511 
512 	sc = syncache_lookup(inc, &sch);	/* returns locked sch */
513 	SCH_LOCK_ASSERT(sch);
514 
515 	/*
516 	 * Any RST to our SYN|ACK must not carry ACK, SYN or FIN flags.
517 	 * See RFC 793 page 65, section SEGMENT ARRIVES.
518 	 */
519 	if (th->th_flags & (TH_ACK|TH_SYN|TH_FIN)) {
520 		if ((s = tcp_log_addrs(inc, th, NULL, NULL)))
521 			log(LOG_DEBUG, "%s; %s: Spurious RST with ACK, SYN or "
522 			    "FIN flag set, segment ignored\n", s, __func__);
523 		TCPSTAT_INC(tcps_badrst);
524 		goto done;
525 	}
526 
527 	/*
528 	 * No corresponding connection was found in syncache.
529 	 * If syncookies are enabled and possibly exclusively
530 	 * used, or we are under memory pressure, a valid RST
531 	 * may not find a syncache entry.  In that case we're
532 	 * done and no SYN|ACK retransmissions will happen.
533 	 * Otherwise the RST was misdirected or spoofed.
534 	 */
535 	if (sc == NULL) {
536 		if ((s = tcp_log_addrs(inc, th, NULL, NULL)))
537 			log(LOG_DEBUG, "%s; %s: Spurious RST without matching "
538 			    "syncache entry (possibly syncookie only), "
539 			    "segment ignored\n", s, __func__);
540 		TCPSTAT_INC(tcps_badrst);
541 		goto done;
542 	}
543 
544 	/*
545 	 * If the RST bit is set, check the sequence number to see
546 	 * if this is a valid reset segment.
547 	 * RFC 793 page 37:
548 	 *   In all states except SYN-SENT, all reset (RST) segments
549 	 *   are validated by checking their SEQ-fields.  A reset is
550 	 *   valid if its sequence number is in the window.
551 	 *
552 	 *   The sequence number in the reset segment is normally an
553 	 *   echo of our outgoing acknowlegement numbers, but some hosts
554 	 *   send a reset with the sequence number at the rightmost edge
555 	 *   of our receive window, and we have to handle this case.
556 	 */
557 	if (SEQ_GEQ(th->th_seq, sc->sc_irs) &&
558 	    SEQ_LEQ(th->th_seq, sc->sc_irs + sc->sc_wnd)) {
559 		syncache_drop(sc, sch);
560 		if ((s = tcp_log_addrs(inc, th, NULL, NULL)))
561 			log(LOG_DEBUG, "%s; %s: Our SYN|ACK was rejected, "
562 			    "connection attempt aborted by remote endpoint\n",
563 			    s, __func__);
564 		TCPSTAT_INC(tcps_sc_reset);
565 	} else {
566 		if ((s = tcp_log_addrs(inc, th, NULL, NULL)))
567 			log(LOG_DEBUG, "%s; %s: RST with invalid SEQ %u != "
568 			    "IRS %u (+WND %u), segment ignored\n",
569 			    s, __func__, th->th_seq, sc->sc_irs, sc->sc_wnd);
570 		TCPSTAT_INC(tcps_badrst);
571 	}
572 
573 done:
574 	if (s != NULL)
575 		free(s, M_TCPLOG);
576 	SCH_UNLOCK(sch);
577 }
578 
579 void
580 syncache_badack(struct in_conninfo *inc)
581 {
582 	struct syncache *sc;
583 	struct syncache_head *sch;
584 
585 	sc = syncache_lookup(inc, &sch);	/* returns locked sch */
586 	SCH_LOCK_ASSERT(sch);
587 	if (sc != NULL) {
588 		syncache_drop(sc, sch);
589 		TCPSTAT_INC(tcps_sc_badack);
590 	}
591 	SCH_UNLOCK(sch);
592 }
593 
594 void
595 syncache_unreach(struct in_conninfo *inc, struct tcphdr *th)
596 {
597 	struct syncache *sc;
598 	struct syncache_head *sch;
599 
600 	sc = syncache_lookup(inc, &sch);	/* returns locked sch */
601 	SCH_LOCK_ASSERT(sch);
602 	if (sc == NULL)
603 		goto done;
604 
605 	/* If the sequence number != sc_iss, then it's a bogus ICMP msg */
606 	if (ntohl(th->th_seq) != sc->sc_iss)
607 		goto done;
608 
609 	/*
610 	 * If we've rertransmitted 3 times and this is our second error,
611 	 * we remove the entry.  Otherwise, we allow it to continue on.
612 	 * This prevents us from incorrectly nuking an entry during a
613 	 * spurious network outage.
614 	 *
615 	 * See tcp_notify().
616 	 */
617 	if ((sc->sc_flags & SCF_UNREACH) == 0 || sc->sc_rxmits < 3 + 1) {
618 		sc->sc_flags |= SCF_UNREACH;
619 		goto done;
620 	}
621 	syncache_drop(sc, sch);
622 	TCPSTAT_INC(tcps_sc_unreach);
623 done:
624 	SCH_UNLOCK(sch);
625 }
626 
627 /*
628  * Build a new TCP socket structure from a syncache entry.
629  *
630  * On success return the newly created socket with its underlying inp locked.
631  */
632 static struct socket *
633 syncache_socket(struct syncache *sc, struct socket *lso, struct mbuf *m)
634 {
635 	struct tcp_function_block *blk;
636 	struct inpcb *inp = NULL;
637 	struct socket *so;
638 	struct tcpcb *tp;
639 	int error;
640 	char *s;
641 
642 	INP_INFO_RLOCK_ASSERT(&V_tcbinfo);
643 
644 	/*
645 	 * Ok, create the full blown connection, and set things up
646 	 * as they would have been set up if we had created the
647 	 * connection when the SYN arrived.  If we can't create
648 	 * the connection, abort it.
649 	 */
650 	so = sonewconn(lso, 0);
651 	if (so == NULL) {
652 		/*
653 		 * Drop the connection; we will either send a RST or
654 		 * have the peer retransmit its SYN again after its
655 		 * RTO and try again.
656 		 */
657 		TCPSTAT_INC(tcps_listendrop);
658 		if ((s = tcp_log_addrs(&sc->sc_inc, NULL, NULL, NULL))) {
659 			log(LOG_DEBUG, "%s; %s: Socket create failed "
660 			    "due to limits or memory shortage\n",
661 			    s, __func__);
662 			free(s, M_TCPLOG);
663 		}
664 		goto abort2;
665 	}
666 #ifdef MAC
667 	mac_socketpeer_set_from_mbuf(m, so);
668 #endif
669 
670 	inp = sotoinpcb(so);
671 	inp->inp_inc.inc_fibnum = so->so_fibnum;
672 	INP_WLOCK(inp);
673 	/*
674 	 * Exclusive pcbinfo lock is not required in syncache socket case even
675 	 * if two inpcb locks can be acquired simultaneously:
676 	 *  - the inpcb in LISTEN state,
677 	 *  - the newly created inp.
678 	 *
679 	 * In this case, an inp cannot be at same time in LISTEN state and
680 	 * just created by an accept() call.
681 	 */
682 	INP_HASH_WLOCK(&V_tcbinfo);
683 
684 	/* Insert new socket into PCB hash list. */
685 	inp->inp_inc.inc_flags = sc->sc_inc.inc_flags;
686 #ifdef INET6
687 	if (sc->sc_inc.inc_flags & INC_ISIPV6) {
688 		inp->in6p_laddr = sc->sc_inc.inc6_laddr;
689 	} else {
690 		inp->inp_vflag &= ~INP_IPV6;
691 		inp->inp_vflag |= INP_IPV4;
692 #endif
693 		inp->inp_laddr = sc->sc_inc.inc_laddr;
694 #ifdef INET6
695 	}
696 #endif
697 
698 	/*
699 	 * If there's an mbuf and it has a flowid, then let's initialise the
700 	 * inp with that particular flowid.
701 	 */
702 	if (m != NULL && M_HASHTYPE_GET(m) != M_HASHTYPE_NONE) {
703 		inp->inp_flowid = m->m_pkthdr.flowid;
704 		inp->inp_flowtype = M_HASHTYPE_GET(m);
705 	}
706 
707 	/*
708 	 * Install in the reservation hash table for now, but don't yet
709 	 * install a connection group since the full 4-tuple isn't yet
710 	 * configured.
711 	 */
712 	inp->inp_lport = sc->sc_inc.inc_lport;
713 	if ((error = in_pcbinshash_nopcbgroup(inp)) != 0) {
714 		/*
715 		 * Undo the assignments above if we failed to
716 		 * put the PCB on the hash lists.
717 		 */
718 #ifdef INET6
719 		if (sc->sc_inc.inc_flags & INC_ISIPV6)
720 			inp->in6p_laddr = in6addr_any;
721 		else
722 #endif
723 			inp->inp_laddr.s_addr = INADDR_ANY;
724 		inp->inp_lport = 0;
725 		if ((s = tcp_log_addrs(&sc->sc_inc, NULL, NULL, NULL))) {
726 			log(LOG_DEBUG, "%s; %s: in_pcbinshash failed "
727 			    "with error %i\n",
728 			    s, __func__, error);
729 			free(s, M_TCPLOG);
730 		}
731 		INP_HASH_WUNLOCK(&V_tcbinfo);
732 		goto abort;
733 	}
734 #ifdef IPSEC
735 	/* Copy old policy into new socket's. */
736 	if (ipsec_copy_policy(sotoinpcb(lso)->inp_sp, inp->inp_sp))
737 		printf("syncache_socket: could not copy policy\n");
738 #endif
739 #ifdef INET6
740 	if (sc->sc_inc.inc_flags & INC_ISIPV6) {
741 		struct inpcb *oinp = sotoinpcb(lso);
742 		struct in6_addr laddr6;
743 		struct sockaddr_in6 sin6;
744 		/*
745 		 * Inherit socket options from the listening socket.
746 		 * Note that in6p_inputopts are not (and should not be)
747 		 * copied, since it stores previously received options and is
748 		 * used to detect if each new option is different than the
749 		 * previous one and hence should be passed to a user.
750 		 * If we copied in6p_inputopts, a user would not be able to
751 		 * receive options just after calling the accept system call.
752 		 */
753 		inp->inp_flags |= oinp->inp_flags & INP_CONTROLOPTS;
754 		if (oinp->in6p_outputopts)
755 			inp->in6p_outputopts =
756 			    ip6_copypktopts(oinp->in6p_outputopts, M_NOWAIT);
757 
758 		sin6.sin6_family = AF_INET6;
759 		sin6.sin6_len = sizeof(sin6);
760 		sin6.sin6_addr = sc->sc_inc.inc6_faddr;
761 		sin6.sin6_port = sc->sc_inc.inc_fport;
762 		sin6.sin6_flowinfo = sin6.sin6_scope_id = 0;
763 		laddr6 = inp->in6p_laddr;
764 		if (IN6_IS_ADDR_UNSPECIFIED(&inp->in6p_laddr))
765 			inp->in6p_laddr = sc->sc_inc.inc6_laddr;
766 		if ((error = in6_pcbconnect_mbuf(inp, (struct sockaddr *)&sin6,
767 		    thread0.td_ucred, m)) != 0) {
768 			inp->in6p_laddr = laddr6;
769 			if ((s = tcp_log_addrs(&sc->sc_inc, NULL, NULL, NULL))) {
770 				log(LOG_DEBUG, "%s; %s: in6_pcbconnect failed "
771 				    "with error %i\n",
772 				    s, __func__, error);
773 				free(s, M_TCPLOG);
774 			}
775 			INP_HASH_WUNLOCK(&V_tcbinfo);
776 			goto abort;
777 		}
778 		/* Override flowlabel from in6_pcbconnect. */
779 		inp->inp_flow &= ~IPV6_FLOWLABEL_MASK;
780 		inp->inp_flow |= sc->sc_flowlabel;
781 	}
782 #endif /* INET6 */
783 #if defined(INET) && defined(INET6)
784 	else
785 #endif
786 #ifdef INET
787 	{
788 		struct in_addr laddr;
789 		struct sockaddr_in sin;
790 
791 		inp->inp_options = (m) ? ip_srcroute(m) : NULL;
792 
793 		if (inp->inp_options == NULL) {
794 			inp->inp_options = sc->sc_ipopts;
795 			sc->sc_ipopts = NULL;
796 		}
797 
798 		sin.sin_family = AF_INET;
799 		sin.sin_len = sizeof(sin);
800 		sin.sin_addr = sc->sc_inc.inc_faddr;
801 		sin.sin_port = sc->sc_inc.inc_fport;
802 		bzero((caddr_t)sin.sin_zero, sizeof(sin.sin_zero));
803 		laddr = inp->inp_laddr;
804 		if (inp->inp_laddr.s_addr == INADDR_ANY)
805 			inp->inp_laddr = sc->sc_inc.inc_laddr;
806 		if ((error = in_pcbconnect_mbuf(inp, (struct sockaddr *)&sin,
807 		    thread0.td_ucred, m)) != 0) {
808 			inp->inp_laddr = laddr;
809 			if ((s = tcp_log_addrs(&sc->sc_inc, NULL, NULL, NULL))) {
810 				log(LOG_DEBUG, "%s; %s: in_pcbconnect failed "
811 				    "with error %i\n",
812 				    s, __func__, error);
813 				free(s, M_TCPLOG);
814 			}
815 			INP_HASH_WUNLOCK(&V_tcbinfo);
816 			goto abort;
817 		}
818 	}
819 #endif /* INET */
820 	INP_HASH_WUNLOCK(&V_tcbinfo);
821 	tp = intotcpcb(inp);
822 	tcp_state_change(tp, TCPS_SYN_RECEIVED);
823 	tp->iss = sc->sc_iss;
824 	tp->irs = sc->sc_irs;
825 	tcp_rcvseqinit(tp);
826 	tcp_sendseqinit(tp);
827 	blk = sototcpcb(lso)->t_fb;
828 	if (blk != tp->t_fb) {
829 		/*
830 		 * Our parents t_fb was not the default,
831 		 * we need to release our ref on tp->t_fb and
832 		 * pickup one on the new entry.
833 		 */
834 		struct tcp_function_block *rblk;
835 
836 		rblk = find_and_ref_tcp_fb(blk);
837 		KASSERT(rblk != NULL,
838 		    ("cannot find blk %p out of syncache?", blk));
839 		if (tp->t_fb->tfb_tcp_fb_fini)
840 			(*tp->t_fb->tfb_tcp_fb_fini)(tp);
841 		refcount_release(&tp->t_fb->tfb_refcnt);
842 		tp->t_fb = rblk;
843 		if (tp->t_fb->tfb_tcp_fb_init) {
844 			(*tp->t_fb->tfb_tcp_fb_init)(tp);
845 		}
846 	}
847 	tp->snd_wl1 = sc->sc_irs;
848 	tp->snd_max = tp->iss + 1;
849 	tp->snd_nxt = tp->iss + 1;
850 	tp->rcv_up = sc->sc_irs + 1;
851 	tp->rcv_wnd = sc->sc_wnd;
852 	tp->rcv_adv += tp->rcv_wnd;
853 	tp->last_ack_sent = tp->rcv_nxt;
854 
855 	tp->t_flags = sototcpcb(lso)->t_flags & (TF_NOPUSH|TF_NODELAY);
856 	if (sc->sc_flags & SCF_NOOPT)
857 		tp->t_flags |= TF_NOOPT;
858 	else {
859 		if (sc->sc_flags & SCF_WINSCALE) {
860 			tp->t_flags |= TF_REQ_SCALE|TF_RCVD_SCALE;
861 			tp->snd_scale = sc->sc_requested_s_scale;
862 			tp->request_r_scale = sc->sc_requested_r_scale;
863 		}
864 		if (sc->sc_flags & SCF_TIMESTAMP) {
865 			tp->t_flags |= TF_REQ_TSTMP|TF_RCVD_TSTMP;
866 			tp->ts_recent = sc->sc_tsreflect;
867 			tp->ts_recent_age = tcp_ts_getticks();
868 			tp->ts_offset = sc->sc_tsoff;
869 		}
870 #ifdef TCP_SIGNATURE
871 		if (sc->sc_flags & SCF_SIGNATURE)
872 			tp->t_flags |= TF_SIGNATURE;
873 #endif
874 		if (sc->sc_flags & SCF_SACK)
875 			tp->t_flags |= TF_SACK_PERMIT;
876 	}
877 
878 	if (sc->sc_flags & SCF_ECN)
879 		tp->t_flags |= TF_ECN_PERMIT;
880 
881 	/*
882 	 * Set up MSS and get cached values from tcp_hostcache.
883 	 * This might overwrite some of the defaults we just set.
884 	 */
885 	tcp_mss(tp, sc->sc_peer_mss);
886 
887 	/*
888 	 * If the SYN,ACK was retransmitted, indicate that CWND to be
889 	 * limited to one segment in cc_conn_init().
890 	 * NB: sc_rxmits counts all SYN,ACK transmits, not just retransmits.
891 	 */
892 	if (sc->sc_rxmits > 1)
893 		tp->snd_cwnd = 1;
894 
895 #ifdef TCP_OFFLOAD
896 	/*
897 	 * Allow a TOE driver to install its hooks.  Note that we hold the
898 	 * pcbinfo lock too and that prevents tcp_usr_accept from accepting a
899 	 * new connection before the TOE driver has done its thing.
900 	 */
901 	if (ADDED_BY_TOE(sc)) {
902 		struct toedev *tod = sc->sc_tod;
903 
904 		tod->tod_offload_socket(tod, sc->sc_todctx, so);
905 	}
906 #endif
907 	/*
908 	 * Copy and activate timers.
909 	 */
910 	tp->t_keepinit = sototcpcb(lso)->t_keepinit;
911 	tp->t_keepidle = sototcpcb(lso)->t_keepidle;
912 	tp->t_keepintvl = sototcpcb(lso)->t_keepintvl;
913 	tp->t_keepcnt = sototcpcb(lso)->t_keepcnt;
914 	tcp_timer_activate(tp, TT_KEEP, TP_KEEPINIT(tp));
915 
916 	soisconnected(so);
917 
918 	TCPSTAT_INC(tcps_accepts);
919 	return (so);
920 
921 abort:
922 	INP_WUNLOCK(inp);
923 abort2:
924 	if (so != NULL)
925 		soabort(so);
926 	return (NULL);
927 }
928 
929 /*
930  * This function gets called when we receive an ACK for a
931  * socket in the LISTEN state.  We look up the connection
932  * in the syncache, and if its there, we pull it out of
933  * the cache and turn it into a full-blown connection in
934  * the SYN-RECEIVED state.
935  *
936  * On syncache_socket() success the newly created socket
937  * has its underlying inp locked.
938  */
939 int
940 syncache_expand(struct in_conninfo *inc, struct tcpopt *to, struct tcphdr *th,
941     struct socket **lsop, struct mbuf *m)
942 {
943 	struct syncache *sc;
944 	struct syncache_head *sch;
945 	struct syncache scs;
946 	char *s;
947 
948 	/*
949 	 * Global TCP locks are held because we manipulate the PCB lists
950 	 * and create a new socket.
951 	 */
952 	INP_INFO_RLOCK_ASSERT(&V_tcbinfo);
953 	KASSERT((th->th_flags & (TH_RST|TH_ACK|TH_SYN)) == TH_ACK,
954 	    ("%s: can handle only ACK", __func__));
955 
956 	sc = syncache_lookup(inc, &sch);	/* returns locked sch */
957 	SCH_LOCK_ASSERT(sch);
958 
959 #ifdef INVARIANTS
960 	/*
961 	 * Test code for syncookies comparing the syncache stored
962 	 * values with the reconstructed values from the cookie.
963 	 */
964 	if (sc != NULL)
965 		syncookie_cmp(inc, sch, sc, th, to, *lsop);
966 #endif
967 
968 	if (sc == NULL) {
969 		/*
970 		 * There is no syncache entry, so see if this ACK is
971 		 * a returning syncookie.  To do this, first:
972 		 *  A. See if this socket has had a syncache entry dropped in
973 		 *     the past.  We don't want to accept a bogus syncookie
974 		 *     if we've never received a SYN.
975 		 *  B. check that the syncookie is valid.  If it is, then
976 		 *     cobble up a fake syncache entry, and return.
977 		 */
978 		if (!V_tcp_syncookies) {
979 			SCH_UNLOCK(sch);
980 			if ((s = tcp_log_addrs(inc, th, NULL, NULL)))
981 				log(LOG_DEBUG, "%s; %s: Spurious ACK, "
982 				    "segment rejected (syncookies disabled)\n",
983 				    s, __func__);
984 			goto failed;
985 		}
986 		bzero(&scs, sizeof(scs));
987 		sc = syncookie_lookup(inc, sch, &scs, th, to, *lsop);
988 		SCH_UNLOCK(sch);
989 		if (sc == NULL) {
990 			if ((s = tcp_log_addrs(inc, th, NULL, NULL)))
991 				log(LOG_DEBUG, "%s; %s: Segment failed "
992 				    "SYNCOOKIE authentication, segment rejected "
993 				    "(probably spoofed)\n", s, __func__);
994 			goto failed;
995 		}
996 	} else {
997 		/*
998 		 * Pull out the entry to unlock the bucket row.
999 		 *
1000 		 * NOTE: We must decrease TCPS_SYN_RECEIVED count here, not
1001 		 * tcp_state_change().  The tcpcb is not existent at this
1002 		 * moment.  A new one will be allocated via syncache_socket->
1003 		 * sonewconn->tcp_usr_attach in TCPS_CLOSED state, then
1004 		 * syncache_socket() will change it to TCPS_SYN_RECEIVED.
1005 		 */
1006 		TCPSTAT_DEC(tcps_states[TCPS_SYN_RECEIVED]);
1007 		TAILQ_REMOVE(&sch->sch_bucket, sc, sc_hash);
1008 		sch->sch_length--;
1009 #ifdef TCP_OFFLOAD
1010 		if (ADDED_BY_TOE(sc)) {
1011 			struct toedev *tod = sc->sc_tod;
1012 
1013 			tod->tod_syncache_removed(tod, sc->sc_todctx);
1014 		}
1015 #endif
1016 		SCH_UNLOCK(sch);
1017 	}
1018 
1019 	/*
1020 	 * Segment validation:
1021 	 * ACK must match our initial sequence number + 1 (the SYN|ACK).
1022 	 */
1023 	if (th->th_ack != sc->sc_iss + 1) {
1024 		if ((s = tcp_log_addrs(inc, th, NULL, NULL)))
1025 			log(LOG_DEBUG, "%s; %s: ACK %u != ISS+1 %u, segment "
1026 			    "rejected\n", s, __func__, th->th_ack, sc->sc_iss);
1027 		goto failed;
1028 	}
1029 
1030 	/*
1031 	 * The SEQ must fall in the window starting at the received
1032 	 * initial receive sequence number + 1 (the SYN).
1033 	 */
1034 	if (SEQ_LEQ(th->th_seq, sc->sc_irs) ||
1035 	    SEQ_GT(th->th_seq, sc->sc_irs + sc->sc_wnd)) {
1036 		if ((s = tcp_log_addrs(inc, th, NULL, NULL)))
1037 			log(LOG_DEBUG, "%s; %s: SEQ %u != IRS+1 %u, segment "
1038 			    "rejected\n", s, __func__, th->th_seq, sc->sc_irs);
1039 		goto failed;
1040 	}
1041 
1042 	/*
1043 	 * If timestamps were not negotiated during SYN/ACK they
1044 	 * must not appear on any segment during this session.
1045 	 */
1046 	if (!(sc->sc_flags & SCF_TIMESTAMP) && (to->to_flags & TOF_TS)) {
1047 		if ((s = tcp_log_addrs(inc, th, NULL, NULL)))
1048 			log(LOG_DEBUG, "%s; %s: Timestamp not expected, "
1049 			    "segment rejected\n", s, __func__);
1050 		goto failed;
1051 	}
1052 
1053 	/*
1054 	 * If timestamps were negotiated during SYN/ACK they should
1055 	 * appear on every segment during this session.
1056 	 * XXXAO: This is only informal as there have been unverified
1057 	 * reports of non-compliants stacks.
1058 	 */
1059 	if ((sc->sc_flags & SCF_TIMESTAMP) && !(to->to_flags & TOF_TS)) {
1060 		if ((s = tcp_log_addrs(inc, th, NULL, NULL))) {
1061 			log(LOG_DEBUG, "%s; %s: Timestamp missing, "
1062 			    "no action\n", s, __func__);
1063 			free(s, M_TCPLOG);
1064 			s = NULL;
1065 		}
1066 	}
1067 
1068 	/*
1069 	 * If timestamps were negotiated the reflected timestamp
1070 	 * must be equal to what we actually sent in the SYN|ACK.
1071 	 */
1072 	if ((to->to_flags & TOF_TS) && to->to_tsecr != sc->sc_ts) {
1073 		if ((s = tcp_log_addrs(inc, th, NULL, NULL)))
1074 			log(LOG_DEBUG, "%s; %s: TSECR %u != TS %u, "
1075 			    "segment rejected\n",
1076 			    s, __func__, to->to_tsecr, sc->sc_ts);
1077 		goto failed;
1078 	}
1079 
1080 	*lsop = syncache_socket(sc, *lsop, m);
1081 
1082 	if (*lsop == NULL)
1083 		TCPSTAT_INC(tcps_sc_aborted);
1084 	else
1085 		TCPSTAT_INC(tcps_sc_completed);
1086 
1087 /* how do we find the inp for the new socket? */
1088 	if (sc != &scs)
1089 		syncache_free(sc);
1090 	return (1);
1091 failed:
1092 	if (sc != NULL && sc != &scs)
1093 		syncache_free(sc);
1094 	if (s != NULL)
1095 		free(s, M_TCPLOG);
1096 	*lsop = NULL;
1097 	return (0);
1098 }
1099 
1100 #ifdef TCP_RFC7413
1101 static void
1102 syncache_tfo_expand(struct syncache *sc, struct socket **lsop, struct mbuf *m,
1103     uint64_t response_cookie)
1104 {
1105 	struct inpcb *inp;
1106 	struct tcpcb *tp;
1107 	unsigned int *pending_counter;
1108 
1109 	/*
1110 	 * Global TCP locks are held because we manipulate the PCB lists
1111 	 * and create a new socket.
1112 	 */
1113 	INP_INFO_RLOCK_ASSERT(&V_tcbinfo);
1114 
1115 	pending_counter = intotcpcb(sotoinpcb(*lsop))->t_tfo_pending;
1116 	*lsop = syncache_socket(sc, *lsop, m);
1117 	if (*lsop == NULL) {
1118 		TCPSTAT_INC(tcps_sc_aborted);
1119 		atomic_subtract_int(pending_counter, 1);
1120 	} else {
1121 		inp = sotoinpcb(*lsop);
1122 		tp = intotcpcb(inp);
1123 		tp->t_flags |= TF_FASTOPEN;
1124 		tp->t_tfo_cookie = response_cookie;
1125 		tp->snd_max = tp->iss;
1126 		tp->snd_nxt = tp->iss;
1127 		tp->t_tfo_pending = pending_counter;
1128 		TCPSTAT_INC(tcps_sc_completed);
1129 	}
1130 }
1131 #endif /* TCP_RFC7413 */
1132 
1133 /*
1134  * Given a LISTEN socket and an inbound SYN request, add
1135  * this to the syn cache, and send back a segment:
1136  *	<SEQ=ISS><ACK=RCV_NXT><CTL=SYN,ACK>
1137  * to the source.
1138  *
1139  * IMPORTANT NOTE: We do _NOT_ ACK data that might accompany the SYN.
1140  * Doing so would require that we hold onto the data and deliver it
1141  * to the application.  However, if we are the target of a SYN-flood
1142  * DoS attack, an attacker could send data which would eventually
1143  * consume all available buffer space if it were ACKed.  By not ACKing
1144  * the data, we avoid this DoS scenario.
1145  *
1146  * The exception to the above is when a SYN with a valid TCP Fast Open (TFO)
1147  * cookie is processed, V_tcp_fastopen_enabled set to true, and the
1148  * TCP_FASTOPEN socket option is set.  In this case, a new socket is created
1149  * and returned via lsop, the mbuf is not freed so that tcp_input() can
1150  * queue its data to the socket, and 1 is returned to indicate the
1151  * TFO-socket-creation path was taken.
1152  */
1153 int
1154 syncache_add(struct in_conninfo *inc, struct tcpopt *to, struct tcphdr *th,
1155     struct inpcb *inp, struct socket **lsop, struct mbuf *m, void *tod,
1156     void *todctx)
1157 {
1158 	struct tcpcb *tp;
1159 	struct socket *so;
1160 	struct syncache *sc = NULL;
1161 	struct syncache_head *sch;
1162 	struct mbuf *ipopts = NULL;
1163 	u_int ltflags;
1164 	int win, sb_hiwat, ip_ttl, ip_tos;
1165 	char *s;
1166 	int rv = 0;
1167 #ifdef INET6
1168 	int autoflowlabel = 0;
1169 #endif
1170 #ifdef MAC
1171 	struct label *maclabel;
1172 #endif
1173 	struct syncache scs;
1174 	struct ucred *cred;
1175 #ifdef TCP_RFC7413
1176 	uint64_t tfo_response_cookie;
1177 	int tfo_cookie_valid = 0;
1178 	int tfo_response_cookie_valid = 0;
1179 #endif
1180 
1181 	INP_WLOCK_ASSERT(inp);			/* listen socket */
1182 	KASSERT((th->th_flags & (TH_RST|TH_ACK|TH_SYN)) == TH_SYN,
1183 	    ("%s: unexpected tcp flags", __func__));
1184 
1185 	/*
1186 	 * Combine all so/tp operations very early to drop the INP lock as
1187 	 * soon as possible.
1188 	 */
1189 	so = *lsop;
1190 	tp = sototcpcb(so);
1191 	cred = crhold(so->so_cred);
1192 
1193 #ifdef INET6
1194 	if ((inc->inc_flags & INC_ISIPV6) &&
1195 	    (inp->inp_flags & IN6P_AUTOFLOWLABEL))
1196 		autoflowlabel = 1;
1197 #endif
1198 	ip_ttl = inp->inp_ip_ttl;
1199 	ip_tos = inp->inp_ip_tos;
1200 	win = sbspace(&so->so_rcv);
1201 	sb_hiwat = so->so_rcv.sb_hiwat;
1202 	ltflags = (tp->t_flags & (TF_NOOPT | TF_SIGNATURE));
1203 
1204 #ifdef TCP_RFC7413
1205 	if (V_tcp_fastopen_enabled && (tp->t_flags & TF_FASTOPEN) &&
1206 	    (tp->t_tfo_pending != NULL) && (to->to_flags & TOF_FASTOPEN)) {
1207 		/*
1208 		 * Limit the number of pending TFO connections to
1209 		 * approximately half of the queue limit.  This prevents TFO
1210 		 * SYN floods from starving the service by filling the
1211 		 * listen queue with bogus TFO connections.
1212 		 */
1213 		if (atomic_fetchadd_int(tp->t_tfo_pending, 1) <=
1214 		    (so->so_qlimit / 2)) {
1215 			int result;
1216 
1217 			result = tcp_fastopen_check_cookie(inc,
1218 			    to->to_tfo_cookie, to->to_tfo_len,
1219 			    &tfo_response_cookie);
1220 			tfo_cookie_valid = (result > 0);
1221 			tfo_response_cookie_valid = (result >= 0);
1222 		} else
1223 			atomic_subtract_int(tp->t_tfo_pending, 1);
1224 	}
1225 #endif
1226 
1227 	/* By the time we drop the lock these should no longer be used. */
1228 	so = NULL;
1229 	tp = NULL;
1230 
1231 #ifdef MAC
1232 	if (mac_syncache_init(&maclabel) != 0) {
1233 		INP_WUNLOCK(inp);
1234 		goto done;
1235 	} else
1236 		mac_syncache_create(maclabel, inp);
1237 #endif
1238 #ifdef TCP_RFC7413
1239 	if (!tfo_cookie_valid)
1240 #endif
1241 		INP_WUNLOCK(inp);
1242 
1243 	/*
1244 	 * Remember the IP options, if any.
1245 	 */
1246 #ifdef INET6
1247 	if (!(inc->inc_flags & INC_ISIPV6))
1248 #endif
1249 #ifdef INET
1250 		ipopts = (m) ? ip_srcroute(m) : NULL;
1251 #else
1252 		ipopts = NULL;
1253 #endif
1254 
1255 	/*
1256 	 * See if we already have an entry for this connection.
1257 	 * If we do, resend the SYN,ACK, and reset the retransmit timer.
1258 	 *
1259 	 * XXX: should the syncache be re-initialized with the contents
1260 	 * of the new SYN here (which may have different options?)
1261 	 *
1262 	 * XXX: We do not check the sequence number to see if this is a
1263 	 * real retransmit or a new connection attempt.  The question is
1264 	 * how to handle such a case; either ignore it as spoofed, or
1265 	 * drop the current entry and create a new one?
1266 	 */
1267 	sc = syncache_lookup(inc, &sch);	/* returns locked entry */
1268 	SCH_LOCK_ASSERT(sch);
1269 	if (sc != NULL) {
1270 #ifdef TCP_RFC7413
1271 		if (tfo_cookie_valid)
1272 			INP_WUNLOCK(inp);
1273 #endif
1274 		TCPSTAT_INC(tcps_sc_dupsyn);
1275 		if (ipopts) {
1276 			/*
1277 			 * If we were remembering a previous source route,
1278 			 * forget it and use the new one we've been given.
1279 			 */
1280 			if (sc->sc_ipopts)
1281 				(void) m_free(sc->sc_ipopts);
1282 			sc->sc_ipopts = ipopts;
1283 		}
1284 		/*
1285 		 * Update timestamp if present.
1286 		 */
1287 		if ((sc->sc_flags & SCF_TIMESTAMP) && (to->to_flags & TOF_TS))
1288 			sc->sc_tsreflect = to->to_tsval;
1289 		else
1290 			sc->sc_flags &= ~SCF_TIMESTAMP;
1291 #ifdef MAC
1292 		/*
1293 		 * Since we have already unconditionally allocated label
1294 		 * storage, free it up.  The syncache entry will already
1295 		 * have an initialized label we can use.
1296 		 */
1297 		mac_syncache_destroy(&maclabel);
1298 #endif
1299 		/* Retransmit SYN|ACK and reset retransmit count. */
1300 		if ((s = tcp_log_addrs(&sc->sc_inc, th, NULL, NULL))) {
1301 			log(LOG_DEBUG, "%s; %s: Received duplicate SYN, "
1302 			    "resetting timer and retransmitting SYN|ACK\n",
1303 			    s, __func__);
1304 			free(s, M_TCPLOG);
1305 		}
1306 		if (syncache_respond(sc, sch, 1) == 0) {
1307 			sc->sc_rxmits = 0;
1308 			syncache_timeout(sc, sch, 1);
1309 			TCPSTAT_INC(tcps_sndacks);
1310 			TCPSTAT_INC(tcps_sndtotal);
1311 		}
1312 		SCH_UNLOCK(sch);
1313 		goto done;
1314 	}
1315 
1316 #ifdef TCP_RFC7413
1317 	if (tfo_cookie_valid) {
1318 		bzero(&scs, sizeof(scs));
1319 		sc = &scs;
1320 		goto skip_alloc;
1321 	}
1322 #endif
1323 
1324 	sc = uma_zalloc(V_tcp_syncache.zone, M_NOWAIT | M_ZERO);
1325 	if (sc == NULL) {
1326 		/*
1327 		 * The zone allocator couldn't provide more entries.
1328 		 * Treat this as if the cache was full; drop the oldest
1329 		 * entry and insert the new one.
1330 		 */
1331 		TCPSTAT_INC(tcps_sc_zonefail);
1332 		if ((sc = TAILQ_LAST(&sch->sch_bucket, sch_head)) != NULL)
1333 			syncache_drop(sc, sch);
1334 		sc = uma_zalloc(V_tcp_syncache.zone, M_NOWAIT | M_ZERO);
1335 		if (sc == NULL) {
1336 			if (V_tcp_syncookies) {
1337 				bzero(&scs, sizeof(scs));
1338 				sc = &scs;
1339 			} else {
1340 				SCH_UNLOCK(sch);
1341 				if (ipopts)
1342 					(void) m_free(ipopts);
1343 				goto done;
1344 			}
1345 		}
1346 	}
1347 
1348 #ifdef TCP_RFC7413
1349 skip_alloc:
1350 	if (!tfo_cookie_valid && tfo_response_cookie_valid)
1351 		sc->sc_tfo_cookie = &tfo_response_cookie;
1352 #endif
1353 
1354 	/*
1355 	 * Fill in the syncache values.
1356 	 */
1357 #ifdef MAC
1358 	sc->sc_label = maclabel;
1359 #endif
1360 	sc->sc_cred = cred;
1361 	cred = NULL;
1362 	sc->sc_ipopts = ipopts;
1363 	bcopy(inc, &sc->sc_inc, sizeof(struct in_conninfo));
1364 #ifdef INET6
1365 	if (!(inc->inc_flags & INC_ISIPV6))
1366 #endif
1367 	{
1368 		sc->sc_ip_tos = ip_tos;
1369 		sc->sc_ip_ttl = ip_ttl;
1370 	}
1371 #ifdef TCP_OFFLOAD
1372 	sc->sc_tod = tod;
1373 	sc->sc_todctx = todctx;
1374 #endif
1375 	sc->sc_irs = th->th_seq;
1376 	sc->sc_iss = arc4random();
1377 	sc->sc_flags = 0;
1378 	sc->sc_flowlabel = 0;
1379 
1380 	/*
1381 	 * Initial receive window: clip sbspace to [0 .. TCP_MAXWIN].
1382 	 * win was derived from socket earlier in the function.
1383 	 */
1384 	win = imax(win, 0);
1385 	win = imin(win, TCP_MAXWIN);
1386 	sc->sc_wnd = win;
1387 
1388 	if (V_tcp_do_rfc1323) {
1389 		/*
1390 		 * A timestamp received in a SYN makes
1391 		 * it ok to send timestamp requests and replies.
1392 		 */
1393 		if (to->to_flags & TOF_TS) {
1394 			sc->sc_tsreflect = to->to_tsval;
1395 			sc->sc_ts = tcp_ts_getticks();
1396 			sc->sc_flags |= SCF_TIMESTAMP;
1397 		}
1398 		if (to->to_flags & TOF_SCALE) {
1399 			int wscale = 0;
1400 
1401 			/*
1402 			 * Pick the smallest possible scaling factor that
1403 			 * will still allow us to scale up to sb_max, aka
1404 			 * kern.ipc.maxsockbuf.
1405 			 *
1406 			 * We do this because there are broken firewalls that
1407 			 * will corrupt the window scale option, leading to
1408 			 * the other endpoint believing that our advertised
1409 			 * window is unscaled.  At scale factors larger than
1410 			 * 5 the unscaled window will drop below 1500 bytes,
1411 			 * leading to serious problems when traversing these
1412 			 * broken firewalls.
1413 			 *
1414 			 * With the default maxsockbuf of 256K, a scale factor
1415 			 * of 3 will be chosen by this algorithm.  Those who
1416 			 * choose a larger maxsockbuf should watch out
1417 			 * for the compatiblity problems mentioned above.
1418 			 *
1419 			 * RFC1323: The Window field in a SYN (i.e., a <SYN>
1420 			 * or <SYN,ACK>) segment itself is never scaled.
1421 			 */
1422 			while (wscale < TCP_MAX_WINSHIFT &&
1423 			    (TCP_MAXWIN << wscale) < sb_max)
1424 				wscale++;
1425 			sc->sc_requested_r_scale = wscale;
1426 			sc->sc_requested_s_scale = to->to_wscale;
1427 			sc->sc_flags |= SCF_WINSCALE;
1428 		}
1429 	}
1430 #ifdef TCP_SIGNATURE
1431 	/*
1432 	 * If listening socket requested TCP digests, OR received SYN
1433 	 * contains the option, flag this in the syncache so that
1434 	 * syncache_respond() will do the right thing with the SYN+ACK.
1435 	 */
1436 	if (to->to_flags & TOF_SIGNATURE || ltflags & TF_SIGNATURE)
1437 		sc->sc_flags |= SCF_SIGNATURE;
1438 #endif
1439 	if (to->to_flags & TOF_SACKPERM)
1440 		sc->sc_flags |= SCF_SACK;
1441 	if (to->to_flags & TOF_MSS)
1442 		sc->sc_peer_mss = to->to_mss;	/* peer mss may be zero */
1443 	if (ltflags & TF_NOOPT)
1444 		sc->sc_flags |= SCF_NOOPT;
1445 	if ((th->th_flags & (TH_ECE|TH_CWR)) && V_tcp_do_ecn)
1446 		sc->sc_flags |= SCF_ECN;
1447 
1448 	if (V_tcp_syncookies)
1449 		sc->sc_iss = syncookie_generate(sch, sc);
1450 #ifdef INET6
1451 	if (autoflowlabel) {
1452 		if (V_tcp_syncookies)
1453 			sc->sc_flowlabel = sc->sc_iss;
1454 		else
1455 			sc->sc_flowlabel = ip6_randomflowlabel();
1456 		sc->sc_flowlabel = htonl(sc->sc_flowlabel) & IPV6_FLOWLABEL_MASK;
1457 	}
1458 #endif
1459 	SCH_UNLOCK(sch);
1460 
1461 #ifdef TCP_RFC7413
1462 	if (tfo_cookie_valid) {
1463 		syncache_tfo_expand(sc, lsop, m, tfo_response_cookie);
1464 		/* INP_WUNLOCK(inp) will be performed by the called */
1465 		rv = 1;
1466 		goto tfo_done;
1467 	}
1468 #endif
1469 
1470 	/*
1471 	 * Do a standard 3-way handshake.
1472 	 */
1473 	if (syncache_respond(sc, sch, 0) == 0) {
1474 		if (V_tcp_syncookies && V_tcp_syncookiesonly && sc != &scs)
1475 			syncache_free(sc);
1476 		else if (sc != &scs)
1477 			syncache_insert(sc, sch);   /* locks and unlocks sch */
1478 		TCPSTAT_INC(tcps_sndacks);
1479 		TCPSTAT_INC(tcps_sndtotal);
1480 	} else {
1481 		if (sc != &scs)
1482 			syncache_free(sc);
1483 		TCPSTAT_INC(tcps_sc_dropped);
1484 	}
1485 
1486 done:
1487 	if (m) {
1488 		*lsop = NULL;
1489 		m_freem(m);
1490 	}
1491 #ifdef TCP_RFC7413
1492 tfo_done:
1493 #endif
1494 	if (cred != NULL)
1495 		crfree(cred);
1496 #ifdef MAC
1497 	if (sc == &scs)
1498 		mac_syncache_destroy(&maclabel);
1499 #endif
1500 	return (rv);
1501 }
1502 
1503 static int
1504 syncache_respond(struct syncache *sc, struct syncache_head *sch, int locked)
1505 {
1506 	struct ip *ip = NULL;
1507 	struct mbuf *m;
1508 	struct tcphdr *th = NULL;
1509 	int optlen, error = 0;	/* Make compiler happy */
1510 	u_int16_t hlen, tlen, mssopt;
1511 	struct tcpopt to;
1512 #ifdef INET6
1513 	struct ip6_hdr *ip6 = NULL;
1514 #endif
1515 #ifdef TCP_SIGNATURE
1516 	struct secasvar *sav;
1517 #endif
1518 
1519 	hlen =
1520 #ifdef INET6
1521 	       (sc->sc_inc.inc_flags & INC_ISIPV6) ? sizeof(struct ip6_hdr) :
1522 #endif
1523 		sizeof(struct ip);
1524 	tlen = hlen + sizeof(struct tcphdr);
1525 
1526 	/* Determine MSS we advertize to other end of connection. */
1527 	mssopt = tcp_mssopt(&sc->sc_inc);
1528 	if (sc->sc_peer_mss)
1529 		mssopt = max( min(sc->sc_peer_mss, mssopt), V_tcp_minmss);
1530 
1531 	/* XXX: Assume that the entire packet will fit in a header mbuf. */
1532 	KASSERT(max_linkhdr + tlen + TCP_MAXOLEN <= MHLEN,
1533 	    ("syncache: mbuf too small"));
1534 
1535 	/* Create the IP+TCP header from scratch. */
1536 	m = m_gethdr(M_NOWAIT, MT_DATA);
1537 	if (m == NULL)
1538 		return (ENOBUFS);
1539 #ifdef MAC
1540 	mac_syncache_create_mbuf(sc->sc_label, m);
1541 #endif
1542 	m->m_data += max_linkhdr;
1543 	m->m_len = tlen;
1544 	m->m_pkthdr.len = tlen;
1545 	m->m_pkthdr.rcvif = NULL;
1546 
1547 #ifdef INET6
1548 	if (sc->sc_inc.inc_flags & INC_ISIPV6) {
1549 		ip6 = mtod(m, struct ip6_hdr *);
1550 		ip6->ip6_vfc = IPV6_VERSION;
1551 		ip6->ip6_nxt = IPPROTO_TCP;
1552 		ip6->ip6_src = sc->sc_inc.inc6_laddr;
1553 		ip6->ip6_dst = sc->sc_inc.inc6_faddr;
1554 		ip6->ip6_plen = htons(tlen - hlen);
1555 		/* ip6_hlim is set after checksum */
1556 		ip6->ip6_flow &= ~IPV6_FLOWLABEL_MASK;
1557 		ip6->ip6_flow |= sc->sc_flowlabel;
1558 
1559 		th = (struct tcphdr *)(ip6 + 1);
1560 	}
1561 #endif
1562 #if defined(INET6) && defined(INET)
1563 	else
1564 #endif
1565 #ifdef INET
1566 	{
1567 		ip = mtod(m, struct ip *);
1568 		ip->ip_v = IPVERSION;
1569 		ip->ip_hl = sizeof(struct ip) >> 2;
1570 		ip->ip_len = htons(tlen);
1571 		ip->ip_id = 0;
1572 		ip->ip_off = 0;
1573 		ip->ip_sum = 0;
1574 		ip->ip_p = IPPROTO_TCP;
1575 		ip->ip_src = sc->sc_inc.inc_laddr;
1576 		ip->ip_dst = sc->sc_inc.inc_faddr;
1577 		ip->ip_ttl = sc->sc_ip_ttl;
1578 		ip->ip_tos = sc->sc_ip_tos;
1579 
1580 		/*
1581 		 * See if we should do MTU discovery.  Route lookups are
1582 		 * expensive, so we will only unset the DF bit if:
1583 		 *
1584 		 *	1) path_mtu_discovery is disabled
1585 		 *	2) the SCF_UNREACH flag has been set
1586 		 */
1587 		if (V_path_mtu_discovery && ((sc->sc_flags & SCF_UNREACH) == 0))
1588 		       ip->ip_off |= htons(IP_DF);
1589 
1590 		th = (struct tcphdr *)(ip + 1);
1591 	}
1592 #endif /* INET */
1593 	th->th_sport = sc->sc_inc.inc_lport;
1594 	th->th_dport = sc->sc_inc.inc_fport;
1595 
1596 	th->th_seq = htonl(sc->sc_iss);
1597 	th->th_ack = htonl(sc->sc_irs + 1);
1598 	th->th_off = sizeof(struct tcphdr) >> 2;
1599 	th->th_x2 = 0;
1600 	th->th_flags = TH_SYN|TH_ACK;
1601 	th->th_win = htons(sc->sc_wnd);
1602 	th->th_urp = 0;
1603 
1604 	if (sc->sc_flags & SCF_ECN) {
1605 		th->th_flags |= TH_ECE;
1606 		TCPSTAT_INC(tcps_ecn_shs);
1607 	}
1608 
1609 	/* Tack on the TCP options. */
1610 	if ((sc->sc_flags & SCF_NOOPT) == 0) {
1611 		to.to_flags = 0;
1612 
1613 		to.to_mss = mssopt;
1614 		to.to_flags = TOF_MSS;
1615 		if (sc->sc_flags & SCF_WINSCALE) {
1616 			to.to_wscale = sc->sc_requested_r_scale;
1617 			to.to_flags |= TOF_SCALE;
1618 		}
1619 		if (sc->sc_flags & SCF_TIMESTAMP) {
1620 			/* Virgin timestamp or TCP cookie enhanced one. */
1621 			to.to_tsval = sc->sc_ts;
1622 			to.to_tsecr = sc->sc_tsreflect;
1623 			to.to_flags |= TOF_TS;
1624 		}
1625 		if (sc->sc_flags & SCF_SACK)
1626 			to.to_flags |= TOF_SACKPERM;
1627 #ifdef TCP_SIGNATURE
1628 		sav = NULL;
1629 		if (sc->sc_flags & SCF_SIGNATURE) {
1630 			sav = tcp_get_sav(m, IPSEC_DIR_OUTBOUND);
1631 			if (sav != NULL)
1632 				to.to_flags |= TOF_SIGNATURE;
1633 			else {
1634 
1635 				/*
1636 				 * We've got SCF_SIGNATURE flag
1637 				 * inherited from listening socket,
1638 				 * but no SADB key for given source
1639 				 * address. Assume signature is not
1640 				 * required and remove signature flag
1641 				 * instead of silently dropping
1642 				 * connection.
1643 				 */
1644 				if (locked == 0)
1645 					SCH_LOCK(sch);
1646 				sc->sc_flags &= ~SCF_SIGNATURE;
1647 				if (locked == 0)
1648 					SCH_UNLOCK(sch);
1649 			}
1650 		}
1651 #endif
1652 
1653 #ifdef TCP_RFC7413
1654 		if (sc->sc_tfo_cookie) {
1655 			to.to_flags |= TOF_FASTOPEN;
1656 			to.to_tfo_len = TCP_FASTOPEN_COOKIE_LEN;
1657 			to.to_tfo_cookie = sc->sc_tfo_cookie;
1658 			/* don't send cookie again when retransmitting response */
1659 			sc->sc_tfo_cookie = NULL;
1660 		}
1661 #endif
1662 		optlen = tcp_addoptions(&to, (u_char *)(th + 1));
1663 
1664 		/* Adjust headers by option size. */
1665 		th->th_off = (sizeof(struct tcphdr) + optlen) >> 2;
1666 		m->m_len += optlen;
1667 		m->m_pkthdr.len += optlen;
1668 
1669 #ifdef TCP_SIGNATURE
1670 		if (sc->sc_flags & SCF_SIGNATURE)
1671 			tcp_signature_do_compute(m, 0, optlen,
1672 			    to.to_signature, sav);
1673 #endif
1674 #ifdef INET6
1675 		if (sc->sc_inc.inc_flags & INC_ISIPV6)
1676 			ip6->ip6_plen = htons(ntohs(ip6->ip6_plen) + optlen);
1677 		else
1678 #endif
1679 			ip->ip_len = htons(ntohs(ip->ip_len) + optlen);
1680 	} else
1681 		optlen = 0;
1682 
1683 	M_SETFIB(m, sc->sc_inc.inc_fibnum);
1684 	m->m_pkthdr.csum_data = offsetof(struct tcphdr, th_sum);
1685 #ifdef INET6
1686 	if (sc->sc_inc.inc_flags & INC_ISIPV6) {
1687 		m->m_pkthdr.csum_flags = CSUM_TCP_IPV6;
1688 		th->th_sum = in6_cksum_pseudo(ip6, tlen + optlen - hlen,
1689 		    IPPROTO_TCP, 0);
1690 		ip6->ip6_hlim = in6_selecthlim(NULL, NULL);
1691 #ifdef TCP_OFFLOAD
1692 		if (ADDED_BY_TOE(sc)) {
1693 			struct toedev *tod = sc->sc_tod;
1694 
1695 			error = tod->tod_syncache_respond(tod, sc->sc_todctx, m);
1696 
1697 			return (error);
1698 		}
1699 #endif
1700 		error = ip6_output(m, NULL, NULL, 0, NULL, NULL, NULL);
1701 	}
1702 #endif
1703 #if defined(INET6) && defined(INET)
1704 	else
1705 #endif
1706 #ifdef INET
1707 	{
1708 		m->m_pkthdr.csum_flags = CSUM_TCP;
1709 		th->th_sum = in_pseudo(ip->ip_src.s_addr, ip->ip_dst.s_addr,
1710 		    htons(tlen + optlen - hlen + IPPROTO_TCP));
1711 #ifdef TCP_OFFLOAD
1712 		if (ADDED_BY_TOE(sc)) {
1713 			struct toedev *tod = sc->sc_tod;
1714 
1715 			error = tod->tod_syncache_respond(tod, sc->sc_todctx, m);
1716 
1717 			return (error);
1718 		}
1719 #endif
1720 		error = ip_output(m, sc->sc_ipopts, NULL, 0, NULL, NULL);
1721 	}
1722 #endif
1723 	return (error);
1724 }
1725 
1726 /*
1727  * The purpose of syncookies is to handle spoofed SYN flooding DoS attacks
1728  * that exceed the capacity of the syncache by avoiding the storage of any
1729  * of the SYNs we receive.  Syncookies defend against blind SYN flooding
1730  * attacks where the attacker does not have access to our responses.
1731  *
1732  * Syncookies encode and include all necessary information about the
1733  * connection setup within the SYN|ACK that we send back.  That way we
1734  * can avoid keeping any local state until the ACK to our SYN|ACK returns
1735  * (if ever).  Normally the syncache and syncookies are running in parallel
1736  * with the latter taking over when the former is exhausted.  When matching
1737  * syncache entry is found the syncookie is ignored.
1738  *
1739  * The only reliable information persisting the 3WHS is our inital sequence
1740  * number ISS of 32 bits.  Syncookies embed a cryptographically sufficient
1741  * strong hash (MAC) value and a few bits of TCP SYN options in the ISS
1742  * of our SYN|ACK.  The MAC can be recomputed when the ACK to our SYN|ACK
1743  * returns and signifies a legitimate connection if it matches the ACK.
1744  *
1745  * The available space of 32 bits to store the hash and to encode the SYN
1746  * option information is very tight and we should have at least 24 bits for
1747  * the MAC to keep the number of guesses by blind spoofing reasonably high.
1748  *
1749  * SYN option information we have to encode to fully restore a connection:
1750  * MSS: is imporant to chose an optimal segment size to avoid IP level
1751  *   fragmentation along the path.  The common MSS values can be encoded
1752  *   in a 3-bit table.  Uncommon values are captured by the next lower value
1753  *   in the table leading to a slight increase in packetization overhead.
1754  * WSCALE: is necessary to allow large windows to be used for high delay-
1755  *   bandwidth product links.  Not scaling the window when it was initially
1756  *   negotiated is bad for performance as lack of scaling further decreases
1757  *   the apparent available send window.  We only need to encode the WSCALE
1758  *   we received from the remote end.  Our end can be recalculated at any
1759  *   time.  The common WSCALE values can be encoded in a 3-bit table.
1760  *   Uncommon values are captured by the next lower value in the table
1761  *   making us under-estimate the available window size halving our
1762  *   theoretically possible maximum throughput for that connection.
1763  * SACK: Greatly assists in packet loss recovery and requires 1 bit.
1764  * TIMESTAMP and SIGNATURE is not encoded because they are permanent options
1765  *   that are included in all segments on a connection.  We enable them when
1766  *   the ACK has them.
1767  *
1768  * Security of syncookies and attack vectors:
1769  *
1770  * The MAC is computed over (faddr||laddr||fport||lport||irs||flags||secmod)
1771  * together with the gloabl secret to make it unique per connection attempt.
1772  * Thus any change of any of those parameters results in a different MAC output
1773  * in an unpredictable way unless a collision is encountered.  24 bits of the
1774  * MAC are embedded into the ISS.
1775  *
1776  * To prevent replay attacks two rotating global secrets are updated with a
1777  * new random value every 15 seconds.  The life-time of a syncookie is thus
1778  * 15-30 seconds.
1779  *
1780  * Vector 1: Attacking the secret.  This requires finding a weakness in the
1781  * MAC itself or the way it is used here.  The attacker can do a chosen plain
1782  * text attack by varying and testing the all parameters under his control.
1783  * The strength depends on the size and randomness of the secret, and the
1784  * cryptographic security of the MAC function.  Due to the constant updating
1785  * of the secret the attacker has at most 29.999 seconds to find the secret
1786  * and launch spoofed connections.  After that he has to start all over again.
1787  *
1788  * Vector 2: Collision attack on the MAC of a single ACK.  With a 24 bit MAC
1789  * size an average of 4,823 attempts are required for a 50% chance of success
1790  * to spoof a single syncookie (birthday collision paradox).  However the
1791  * attacker is blind and doesn't know if one of his attempts succeeded unless
1792  * he has a side channel to interfere success from.  A single connection setup
1793  * success average of 90% requires 8,790 packets, 99.99% requires 17,578 packets.
1794  * This many attempts are required for each one blind spoofed connection.  For
1795  * every additional spoofed connection he has to launch another N attempts.
1796  * Thus for a sustained rate 100 spoofed connections per second approximately
1797  * 1,800,000 packets per second would have to be sent.
1798  *
1799  * NB: The MAC function should be fast so that it doesn't become a CPU
1800  * exhaustion attack vector itself.
1801  *
1802  * References:
1803  *  RFC4987 TCP SYN Flooding Attacks and Common Mitigations
1804  *  SYN cookies were first proposed by cryptographer Dan J. Bernstein in 1996
1805  *   http://cr.yp.to/syncookies.html    (overview)
1806  *   http://cr.yp.to/syncookies/archive (details)
1807  *
1808  *
1809  * Schematic construction of a syncookie enabled Initial Sequence Number:
1810  *  0        1         2         3
1811  *  12345678901234567890123456789012
1812  * |xxxxxxxxxxxxxxxxxxxxxxxxWWWMMMSP|
1813  *
1814  *  x 24 MAC (truncated)
1815  *  W  3 Send Window Scale index
1816  *  M  3 MSS index
1817  *  S  1 SACK permitted
1818  *  P  1 Odd/even secret
1819  */
1820 
1821 /*
1822  * Distribution and probability of certain MSS values.  Those in between are
1823  * rounded down to the next lower one.
1824  * [An Analysis of TCP Maximum Segment Sizes, S. Alcock and R. Nelson, 2011]
1825  *                            .2%  .3%   5%    7%    7%    20%   15%   45%
1826  */
1827 static int tcp_sc_msstab[] = { 216, 536, 1200, 1360, 1400, 1440, 1452, 1460 };
1828 
1829 /*
1830  * Distribution and probability of certain WSCALE values.  We have to map the
1831  * (send) window scale (shift) option with a range of 0-14 from 4 bits into 3
1832  * bits based on prevalence of certain values.  Where we don't have an exact
1833  * match for are rounded down to the next lower one letting us under-estimate
1834  * the true available window.  At the moment this would happen only for the
1835  * very uncommon values 3, 5 and those above 8 (more than 16MB socket buffer
1836  * and window size).  The absence of the WSCALE option (no scaling in either
1837  * direction) is encoded with index zero.
1838  * [WSCALE values histograms, Allman, 2012]
1839  *                            X 10 10 35  5  6 14 10%   by host
1840  *                            X 11  4  5  5 18 49  3%   by connections
1841  */
1842 static int tcp_sc_wstab[] = { 0, 0, 1, 2, 4, 6, 7, 8 };
1843 
1844 /*
1845  * Compute the MAC for the SYN cookie.  SIPHASH-2-4 is chosen for its speed
1846  * and good cryptographic properties.
1847  */
1848 static uint32_t
1849 syncookie_mac(struct in_conninfo *inc, tcp_seq irs, uint8_t flags,
1850     uint8_t *secbits, uintptr_t secmod)
1851 {
1852 	SIPHASH_CTX ctx;
1853 	uint32_t siphash[2];
1854 
1855 	SipHash24_Init(&ctx);
1856 	SipHash_SetKey(&ctx, secbits);
1857 	switch (inc->inc_flags & INC_ISIPV6) {
1858 #ifdef INET
1859 	case 0:
1860 		SipHash_Update(&ctx, &inc->inc_faddr, sizeof(inc->inc_faddr));
1861 		SipHash_Update(&ctx, &inc->inc_laddr, sizeof(inc->inc_laddr));
1862 		break;
1863 #endif
1864 #ifdef INET6
1865 	case INC_ISIPV6:
1866 		SipHash_Update(&ctx, &inc->inc6_faddr, sizeof(inc->inc6_faddr));
1867 		SipHash_Update(&ctx, &inc->inc6_laddr, sizeof(inc->inc6_laddr));
1868 		break;
1869 #endif
1870 	}
1871 	SipHash_Update(&ctx, &inc->inc_fport, sizeof(inc->inc_fport));
1872 	SipHash_Update(&ctx, &inc->inc_lport, sizeof(inc->inc_lport));
1873 	SipHash_Update(&ctx, &irs, sizeof(irs));
1874 	SipHash_Update(&ctx, &flags, sizeof(flags));
1875 	SipHash_Update(&ctx, &secmod, sizeof(secmod));
1876 	SipHash_Final((u_int8_t *)&siphash, &ctx);
1877 
1878 	return (siphash[0] ^ siphash[1]);
1879 }
1880 
1881 static tcp_seq
1882 syncookie_generate(struct syncache_head *sch, struct syncache *sc)
1883 {
1884 	u_int i, mss, secbit, wscale;
1885 	uint32_t iss, hash;
1886 	uint8_t *secbits;
1887 	union syncookie cookie;
1888 
1889 	SCH_LOCK_ASSERT(sch);
1890 
1891 	cookie.cookie = 0;
1892 
1893 	/* Map our computed MSS into the 3-bit index. */
1894 	mss = min(tcp_mssopt(&sc->sc_inc), max(sc->sc_peer_mss, V_tcp_minmss));
1895 	for (i = sizeof(tcp_sc_msstab) / sizeof(*tcp_sc_msstab) - 1;
1896 	     tcp_sc_msstab[i] > mss && i > 0;
1897 	     i--)
1898 		;
1899 	cookie.flags.mss_idx = i;
1900 
1901 	/*
1902 	 * Map the send window scale into the 3-bit index but only if
1903 	 * the wscale option was received.
1904 	 */
1905 	if (sc->sc_flags & SCF_WINSCALE) {
1906 		wscale = sc->sc_requested_s_scale;
1907 		for (i = sizeof(tcp_sc_wstab) / sizeof(*tcp_sc_wstab) - 1;
1908 		     tcp_sc_wstab[i] > wscale && i > 0;
1909 		     i--)
1910 			;
1911 		cookie.flags.wscale_idx = i;
1912 	}
1913 
1914 	/* Can we do SACK? */
1915 	if (sc->sc_flags & SCF_SACK)
1916 		cookie.flags.sack_ok = 1;
1917 
1918 	/* Which of the two secrets to use. */
1919 	secbit = sch->sch_sc->secret.oddeven & 0x1;
1920 	cookie.flags.odd_even = secbit;
1921 
1922 	secbits = sch->sch_sc->secret.key[secbit];
1923 	hash = syncookie_mac(&sc->sc_inc, sc->sc_irs, cookie.cookie, secbits,
1924 	    (uintptr_t)sch);
1925 
1926 	/*
1927 	 * Put the flags into the hash and XOR them to get better ISS number
1928 	 * variance.  This doesn't enhance the cryptographic strength and is
1929 	 * done to prevent the 8 cookie bits from showing up directly on the
1930 	 * wire.
1931 	 */
1932 	iss = hash & ~0xff;
1933 	iss |= cookie.cookie ^ (hash >> 24);
1934 
1935 	/* Randomize the timestamp. */
1936 	if (sc->sc_flags & SCF_TIMESTAMP) {
1937 		sc->sc_ts = arc4random();
1938 		sc->sc_tsoff = sc->sc_ts - tcp_ts_getticks();
1939 	}
1940 
1941 	TCPSTAT_INC(tcps_sc_sendcookie);
1942 	return (iss);
1943 }
1944 
1945 static struct syncache *
1946 syncookie_lookup(struct in_conninfo *inc, struct syncache_head *sch,
1947     struct syncache *sc, struct tcphdr *th, struct tcpopt *to,
1948     struct socket *lso)
1949 {
1950 	uint32_t hash;
1951 	uint8_t *secbits;
1952 	tcp_seq ack, seq;
1953 	int wnd, wscale = 0;
1954 	union syncookie cookie;
1955 
1956 	SCH_LOCK_ASSERT(sch);
1957 
1958 	/*
1959 	 * Pull information out of SYN-ACK/ACK and revert sequence number
1960 	 * advances.
1961 	 */
1962 	ack = th->th_ack - 1;
1963 	seq = th->th_seq - 1;
1964 
1965 	/*
1966 	 * Unpack the flags containing enough information to restore the
1967 	 * connection.
1968 	 */
1969 	cookie.cookie = (ack & 0xff) ^ (ack >> 24);
1970 
1971 	/* Which of the two secrets to use. */
1972 	secbits = sch->sch_sc->secret.key[cookie.flags.odd_even];
1973 
1974 	hash = syncookie_mac(inc, seq, cookie.cookie, secbits, (uintptr_t)sch);
1975 
1976 	/* The recomputed hash matches the ACK if this was a genuine cookie. */
1977 	if ((ack & ~0xff) != (hash & ~0xff))
1978 		return (NULL);
1979 
1980 	/* Fill in the syncache values. */
1981 	sc->sc_flags = 0;
1982 	bcopy(inc, &sc->sc_inc, sizeof(struct in_conninfo));
1983 	sc->sc_ipopts = NULL;
1984 
1985 	sc->sc_irs = seq;
1986 	sc->sc_iss = ack;
1987 
1988 	switch (inc->inc_flags & INC_ISIPV6) {
1989 #ifdef INET
1990 	case 0:
1991 		sc->sc_ip_ttl = sotoinpcb(lso)->inp_ip_ttl;
1992 		sc->sc_ip_tos = sotoinpcb(lso)->inp_ip_tos;
1993 		break;
1994 #endif
1995 #ifdef INET6
1996 	case INC_ISIPV6:
1997 		if (sotoinpcb(lso)->inp_flags & IN6P_AUTOFLOWLABEL)
1998 			sc->sc_flowlabel = sc->sc_iss & IPV6_FLOWLABEL_MASK;
1999 		break;
2000 #endif
2001 	}
2002 
2003 	sc->sc_peer_mss = tcp_sc_msstab[cookie.flags.mss_idx];
2004 
2005 	/* We can simply recompute receive window scale we sent earlier. */
2006 	while (wscale < TCP_MAX_WINSHIFT && (TCP_MAXWIN << wscale) < sb_max)
2007 		wscale++;
2008 
2009 	/* Only use wscale if it was enabled in the orignal SYN. */
2010 	if (cookie.flags.wscale_idx > 0) {
2011 		sc->sc_requested_r_scale = wscale;
2012 		sc->sc_requested_s_scale = tcp_sc_wstab[cookie.flags.wscale_idx];
2013 		sc->sc_flags |= SCF_WINSCALE;
2014 	}
2015 
2016 	wnd = sbspace(&lso->so_rcv);
2017 	wnd = imax(wnd, 0);
2018 	wnd = imin(wnd, TCP_MAXWIN);
2019 	sc->sc_wnd = wnd;
2020 
2021 	if (cookie.flags.sack_ok)
2022 		sc->sc_flags |= SCF_SACK;
2023 
2024 	if (to->to_flags & TOF_TS) {
2025 		sc->sc_flags |= SCF_TIMESTAMP;
2026 		sc->sc_tsreflect = to->to_tsval;
2027 		sc->sc_ts = to->to_tsecr;
2028 		sc->sc_tsoff = to->to_tsecr - tcp_ts_getticks();
2029 	}
2030 
2031 	if (to->to_flags & TOF_SIGNATURE)
2032 		sc->sc_flags |= SCF_SIGNATURE;
2033 
2034 	sc->sc_rxmits = 0;
2035 
2036 	TCPSTAT_INC(tcps_sc_recvcookie);
2037 	return (sc);
2038 }
2039 
2040 #ifdef INVARIANTS
2041 static int
2042 syncookie_cmp(struct in_conninfo *inc, struct syncache_head *sch,
2043     struct syncache *sc, struct tcphdr *th, struct tcpopt *to,
2044     struct socket *lso)
2045 {
2046 	struct syncache scs, *scx;
2047 	char *s;
2048 
2049 	bzero(&scs, sizeof(scs));
2050 	scx = syncookie_lookup(inc, sch, &scs, th, to, lso);
2051 
2052 	if ((s = tcp_log_addrs(inc, th, NULL, NULL)) == NULL)
2053 		return (0);
2054 
2055 	if (scx != NULL) {
2056 		if (sc->sc_peer_mss != scx->sc_peer_mss)
2057 			log(LOG_DEBUG, "%s; %s: mss different %i vs %i\n",
2058 			    s, __func__, sc->sc_peer_mss, scx->sc_peer_mss);
2059 
2060 		if (sc->sc_requested_r_scale != scx->sc_requested_r_scale)
2061 			log(LOG_DEBUG, "%s; %s: rwscale different %i vs %i\n",
2062 			    s, __func__, sc->sc_requested_r_scale,
2063 			    scx->sc_requested_r_scale);
2064 
2065 		if (sc->sc_requested_s_scale != scx->sc_requested_s_scale)
2066 			log(LOG_DEBUG, "%s; %s: swscale different %i vs %i\n",
2067 			    s, __func__, sc->sc_requested_s_scale,
2068 			    scx->sc_requested_s_scale);
2069 
2070 		if ((sc->sc_flags & SCF_SACK) != (scx->sc_flags & SCF_SACK))
2071 			log(LOG_DEBUG, "%s; %s: SACK different\n", s, __func__);
2072 	}
2073 
2074 	if (s != NULL)
2075 		free(s, M_TCPLOG);
2076 	return (0);
2077 }
2078 #endif /* INVARIANTS */
2079 
2080 static void
2081 syncookie_reseed(void *arg)
2082 {
2083 	struct tcp_syncache *sc = arg;
2084 	uint8_t *secbits;
2085 	int secbit;
2086 
2087 	/*
2088 	 * Reseeding the secret doesn't have to be protected by a lock.
2089 	 * It only must be ensured that the new random values are visible
2090 	 * to all CPUs in a SMP environment.  The atomic with release
2091 	 * semantics ensures that.
2092 	 */
2093 	secbit = (sc->secret.oddeven & 0x1) ? 0 : 1;
2094 	secbits = sc->secret.key[secbit];
2095 	arc4rand(secbits, SYNCOOKIE_SECRET_SIZE, 0);
2096 	atomic_add_rel_int(&sc->secret.oddeven, 1);
2097 
2098 	/* Reschedule ourself. */
2099 	callout_schedule(&sc->secret.reseed, SYNCOOKIE_LIFETIME * hz);
2100 }
2101 
2102 /*
2103  * Exports the syncache entries to userland so that netstat can display
2104  * them alongside the other sockets.  This function is intended to be
2105  * called only from tcp_pcblist.
2106  *
2107  * Due to concurrency on an active system, the number of pcbs exported
2108  * may have no relation to max_pcbs.  max_pcbs merely indicates the
2109  * amount of space the caller allocated for this function to use.
2110  */
2111 int
2112 syncache_pcblist(struct sysctl_req *req, int max_pcbs, int *pcbs_exported)
2113 {
2114 	struct xtcpcb xt;
2115 	struct syncache *sc;
2116 	struct syncache_head *sch;
2117 	int count, error, i;
2118 
2119 	for (count = 0, error = 0, i = 0; i < V_tcp_syncache.hashsize; i++) {
2120 		sch = &V_tcp_syncache.hashbase[i];
2121 		SCH_LOCK(sch);
2122 		TAILQ_FOREACH(sc, &sch->sch_bucket, sc_hash) {
2123 			if (count >= max_pcbs) {
2124 				SCH_UNLOCK(sch);
2125 				goto exit;
2126 			}
2127 			if (cr_cansee(req->td->td_ucred, sc->sc_cred) != 0)
2128 				continue;
2129 			bzero(&xt, sizeof(xt));
2130 			xt.xt_len = sizeof(xt);
2131 			if (sc->sc_inc.inc_flags & INC_ISIPV6)
2132 				xt.xt_inp.inp_vflag = INP_IPV6;
2133 			else
2134 				xt.xt_inp.inp_vflag = INP_IPV4;
2135 			bcopy(&sc->sc_inc, &xt.xt_inp.inp_inc, sizeof (struct in_conninfo));
2136 			xt.xt_tp.t_inpcb = &xt.xt_inp;
2137 			xt.xt_tp.t_state = TCPS_SYN_RECEIVED;
2138 			xt.xt_socket.xso_protocol = IPPROTO_TCP;
2139 			xt.xt_socket.xso_len = sizeof (struct xsocket);
2140 			xt.xt_socket.so_type = SOCK_STREAM;
2141 			xt.xt_socket.so_state = SS_ISCONNECTING;
2142 			error = SYSCTL_OUT(req, &xt, sizeof xt);
2143 			if (error) {
2144 				SCH_UNLOCK(sch);
2145 				goto exit;
2146 			}
2147 			count++;
2148 		}
2149 		SCH_UNLOCK(sch);
2150 	}
2151 exit:
2152 	*pcbs_exported = count;
2153 	return error;
2154 }
2155