xref: /freebsd/sys/netinet/tcp_syncache.c (revision bb15ca603fa442c72dde3f3cb8b46db6970e3950)
1 /*-
2  * Copyright (c) 2001 McAfee, Inc.
3  * Copyright (c) 2006 Andre Oppermann, Internet Business Solutions AG
4  * All rights reserved.
5  *
6  * This software was developed for the FreeBSD Project by Jonathan Lemon
7  * and McAfee Research, the Security Research Division of McAfee, Inc. under
8  * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
9  * DARPA CHATS research program.
10  *
11  * Redistribution and use in source and binary forms, with or without
12  * modification, are permitted provided that the following conditions
13  * are met:
14  * 1. Redistributions of source code must retain the above copyright
15  *    notice, this list of conditions and the following disclaimer.
16  * 2. Redistributions in binary form must reproduce the above copyright
17  *    notice, this list of conditions and the following disclaimer in the
18  *    documentation and/or other materials provided with the distribution.
19  *
20  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
21  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
24  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30  * SUCH DAMAGE.
31  */
32 
33 #include <sys/cdefs.h>
34 __FBSDID("$FreeBSD$");
35 
36 #include "opt_inet.h"
37 #include "opt_inet6.h"
38 #include "opt_ipsec.h"
39 #include "opt_pcbgroup.h"
40 
41 #include <sys/param.h>
42 #include <sys/systm.h>
43 #include <sys/kernel.h>
44 #include <sys/sysctl.h>
45 #include <sys/limits.h>
46 #include <sys/lock.h>
47 #include <sys/mutex.h>
48 #include <sys/malloc.h>
49 #include <sys/mbuf.h>
50 #include <sys/md5.h>
51 #include <sys/proc.h>		/* for proc0 declaration */
52 #include <sys/random.h>
53 #include <sys/socket.h>
54 #include <sys/socketvar.h>
55 #include <sys/syslog.h>
56 #include <sys/ucred.h>
57 
58 #include <vm/uma.h>
59 
60 #include <net/if.h>
61 #include <net/route.h>
62 #include <net/vnet.h>
63 
64 #include <netinet/in.h>
65 #include <netinet/in_systm.h>
66 #include <netinet/ip.h>
67 #include <netinet/in_var.h>
68 #include <netinet/in_pcb.h>
69 #include <netinet/ip_var.h>
70 #include <netinet/ip_options.h>
71 #ifdef INET6
72 #include <netinet/ip6.h>
73 #include <netinet/icmp6.h>
74 #include <netinet6/nd6.h>
75 #include <netinet6/ip6_var.h>
76 #include <netinet6/in6_pcb.h>
77 #endif
78 #include <netinet/tcp.h>
79 #include <netinet/tcp_fsm.h>
80 #include <netinet/tcp_seq.h>
81 #include <netinet/tcp_timer.h>
82 #include <netinet/tcp_var.h>
83 #include <netinet/tcp_syncache.h>
84 #include <netinet/tcp_offload.h>
85 #ifdef INET6
86 #include <netinet6/tcp6_var.h>
87 #endif
88 
89 #ifdef IPSEC
90 #include <netipsec/ipsec.h>
91 #ifdef INET6
92 #include <netipsec/ipsec6.h>
93 #endif
94 #include <netipsec/key.h>
95 #endif /*IPSEC*/
96 
97 #include <machine/in_cksum.h>
98 
99 #include <security/mac/mac_framework.h>
100 
101 static VNET_DEFINE(int, tcp_syncookies) = 1;
102 #define	V_tcp_syncookies		VNET(tcp_syncookies)
103 SYSCTL_VNET_INT(_net_inet_tcp, OID_AUTO, syncookies, CTLFLAG_RW,
104     &VNET_NAME(tcp_syncookies), 0,
105     "Use TCP SYN cookies if the syncache overflows");
106 
107 static VNET_DEFINE(int, tcp_syncookiesonly) = 0;
108 #define	V_tcp_syncookiesonly		VNET(tcp_syncookiesonly)
109 SYSCTL_VNET_INT(_net_inet_tcp, OID_AUTO, syncookies_only, CTLFLAG_RW,
110     &VNET_NAME(tcp_syncookiesonly), 0,
111     "Use only TCP SYN cookies");
112 
113 #ifdef TCP_OFFLOAD_DISABLE
114 #define TOEPCB_ISSET(sc) (0)
115 #else
116 #define TOEPCB_ISSET(sc) ((sc)->sc_toepcb != NULL)
117 #endif
118 
119 static void	 syncache_drop(struct syncache *, struct syncache_head *);
120 static void	 syncache_free(struct syncache *);
121 static void	 syncache_insert(struct syncache *, struct syncache_head *);
122 struct syncache *syncache_lookup(struct in_conninfo *, struct syncache_head **);
123 static int	 syncache_respond(struct syncache *);
124 static struct	 socket *syncache_socket(struct syncache *, struct socket *,
125 		    struct mbuf *m);
126 static void	 syncache_timeout(struct syncache *sc, struct syncache_head *sch,
127 		    int docallout);
128 static void	 syncache_timer(void *);
129 static void	 syncookie_generate(struct syncache_head *, struct syncache *,
130 		    u_int32_t *);
131 static struct syncache
132 		*syncookie_lookup(struct in_conninfo *, struct syncache_head *,
133 		    struct syncache *, struct tcpopt *, struct tcphdr *,
134 		    struct socket *);
135 
136 /*
137  * Transmit the SYN,ACK fewer times than TCP_MAXRXTSHIFT specifies.
138  * 3 retransmits corresponds to a timeout of 3 * (1 + 2 + 4 + 8) == 45 seconds,
139  * the odds are that the user has given up attempting to connect by then.
140  */
141 #define SYNCACHE_MAXREXMTS		3
142 
143 /* Arbitrary values */
144 #define TCP_SYNCACHE_HASHSIZE		512
145 #define TCP_SYNCACHE_BUCKETLIMIT	30
146 
147 static VNET_DEFINE(struct tcp_syncache, tcp_syncache);
148 #define	V_tcp_syncache			VNET(tcp_syncache)
149 
150 static SYSCTL_NODE(_net_inet_tcp, OID_AUTO, syncache, CTLFLAG_RW, 0,
151     "TCP SYN cache");
152 
153 SYSCTL_VNET_UINT(_net_inet_tcp_syncache, OID_AUTO, bucketlimit, CTLFLAG_RDTUN,
154     &VNET_NAME(tcp_syncache.bucket_limit), 0,
155     "Per-bucket hash limit for syncache");
156 
157 SYSCTL_VNET_UINT(_net_inet_tcp_syncache, OID_AUTO, cachelimit, CTLFLAG_RDTUN,
158     &VNET_NAME(tcp_syncache.cache_limit), 0,
159     "Overall entry limit for syncache");
160 
161 SYSCTL_VNET_UINT(_net_inet_tcp_syncache, OID_AUTO, count, CTLFLAG_RD,
162     &VNET_NAME(tcp_syncache.cache_count), 0,
163     "Current number of entries in syncache");
164 
165 SYSCTL_VNET_UINT(_net_inet_tcp_syncache, OID_AUTO, hashsize, CTLFLAG_RDTUN,
166     &VNET_NAME(tcp_syncache.hashsize), 0,
167     "Size of TCP syncache hashtable");
168 
169 SYSCTL_VNET_UINT(_net_inet_tcp_syncache, OID_AUTO, rexmtlimit, CTLFLAG_RW,
170     &VNET_NAME(tcp_syncache.rexmt_limit), 0,
171     "Limit on SYN/ACK retransmissions");
172 
173 VNET_DEFINE(int, tcp_sc_rst_sock_fail) = 1;
174 SYSCTL_VNET_INT(_net_inet_tcp_syncache, OID_AUTO, rst_on_sock_fail,
175     CTLFLAG_RW, &VNET_NAME(tcp_sc_rst_sock_fail), 0,
176     "Send reset on socket allocation failure");
177 
178 static MALLOC_DEFINE(M_SYNCACHE, "syncache", "TCP syncache");
179 
180 #define SYNCACHE_HASH(inc, mask)					\
181 	((V_tcp_syncache.hash_secret ^					\
182 	  (inc)->inc_faddr.s_addr ^					\
183 	  ((inc)->inc_faddr.s_addr >> 16) ^				\
184 	  (inc)->inc_fport ^ (inc)->inc_lport) & mask)
185 
186 #define SYNCACHE_HASH6(inc, mask)					\
187 	((V_tcp_syncache.hash_secret ^					\
188 	  (inc)->inc6_faddr.s6_addr32[0] ^				\
189 	  (inc)->inc6_faddr.s6_addr32[3] ^				\
190 	  (inc)->inc_fport ^ (inc)->inc_lport) & mask)
191 
192 #define ENDPTS_EQ(a, b) (						\
193 	(a)->ie_fport == (b)->ie_fport &&				\
194 	(a)->ie_lport == (b)->ie_lport &&				\
195 	(a)->ie_faddr.s_addr == (b)->ie_faddr.s_addr &&			\
196 	(a)->ie_laddr.s_addr == (b)->ie_laddr.s_addr			\
197 )
198 
199 #define ENDPTS6_EQ(a, b) (memcmp(a, b, sizeof(*a)) == 0)
200 
201 #define	SCH_LOCK(sch)		mtx_lock(&(sch)->sch_mtx)
202 #define	SCH_UNLOCK(sch)		mtx_unlock(&(sch)->sch_mtx)
203 #define	SCH_LOCK_ASSERT(sch)	mtx_assert(&(sch)->sch_mtx, MA_OWNED)
204 
205 /*
206  * Requires the syncache entry to be already removed from the bucket list.
207  */
208 static void
209 syncache_free(struct syncache *sc)
210 {
211 
212 	if (sc->sc_ipopts)
213 		(void) m_free(sc->sc_ipopts);
214 	if (sc->sc_cred)
215 		crfree(sc->sc_cred);
216 #ifdef MAC
217 	mac_syncache_destroy(&sc->sc_label);
218 #endif
219 
220 	uma_zfree(V_tcp_syncache.zone, sc);
221 }
222 
223 void
224 syncache_init(void)
225 {
226 	int i;
227 
228 	V_tcp_syncache.cache_count = 0;
229 	V_tcp_syncache.hashsize = TCP_SYNCACHE_HASHSIZE;
230 	V_tcp_syncache.bucket_limit = TCP_SYNCACHE_BUCKETLIMIT;
231 	V_tcp_syncache.rexmt_limit = SYNCACHE_MAXREXMTS;
232 	V_tcp_syncache.hash_secret = arc4random();
233 
234 	TUNABLE_INT_FETCH("net.inet.tcp.syncache.hashsize",
235 	    &V_tcp_syncache.hashsize);
236 	TUNABLE_INT_FETCH("net.inet.tcp.syncache.bucketlimit",
237 	    &V_tcp_syncache.bucket_limit);
238 	if (!powerof2(V_tcp_syncache.hashsize) ||
239 	    V_tcp_syncache.hashsize == 0) {
240 		printf("WARNING: syncache hash size is not a power of 2.\n");
241 		V_tcp_syncache.hashsize = TCP_SYNCACHE_HASHSIZE;
242 	}
243 	V_tcp_syncache.hashmask = V_tcp_syncache.hashsize - 1;
244 
245 	/* Set limits. */
246 	V_tcp_syncache.cache_limit =
247 	    V_tcp_syncache.hashsize * V_tcp_syncache.bucket_limit;
248 	TUNABLE_INT_FETCH("net.inet.tcp.syncache.cachelimit",
249 	    &V_tcp_syncache.cache_limit);
250 
251 	/* Allocate the hash table. */
252 	V_tcp_syncache.hashbase = malloc(V_tcp_syncache.hashsize *
253 	    sizeof(struct syncache_head), M_SYNCACHE, M_WAITOK | M_ZERO);
254 
255 	/* Initialize the hash buckets. */
256 	for (i = 0; i < V_tcp_syncache.hashsize; i++) {
257 #ifdef VIMAGE
258 		V_tcp_syncache.hashbase[i].sch_vnet = curvnet;
259 #endif
260 		TAILQ_INIT(&V_tcp_syncache.hashbase[i].sch_bucket);
261 		mtx_init(&V_tcp_syncache.hashbase[i].sch_mtx, "tcp_sc_head",
262 			 NULL, MTX_DEF);
263 		callout_init_mtx(&V_tcp_syncache.hashbase[i].sch_timer,
264 			 &V_tcp_syncache.hashbase[i].sch_mtx, 0);
265 		V_tcp_syncache.hashbase[i].sch_length = 0;
266 	}
267 
268 	/* Create the syncache entry zone. */
269 	V_tcp_syncache.zone = uma_zcreate("syncache", sizeof(struct syncache),
270 	    NULL, NULL, NULL, NULL, UMA_ALIGN_PTR, 0);
271 	uma_zone_set_max(V_tcp_syncache.zone, V_tcp_syncache.cache_limit);
272 }
273 
274 #ifdef VIMAGE
275 void
276 syncache_destroy(void)
277 {
278 	struct syncache_head *sch;
279 	struct syncache *sc, *nsc;
280 	int i;
281 
282 	/* Cleanup hash buckets: stop timers, free entries, destroy locks. */
283 	for (i = 0; i < V_tcp_syncache.hashsize; i++) {
284 
285 		sch = &V_tcp_syncache.hashbase[i];
286 		callout_drain(&sch->sch_timer);
287 
288 		SCH_LOCK(sch);
289 		TAILQ_FOREACH_SAFE(sc, &sch->sch_bucket, sc_hash, nsc)
290 			syncache_drop(sc, sch);
291 		SCH_UNLOCK(sch);
292 		KASSERT(TAILQ_EMPTY(&sch->sch_bucket),
293 		    ("%s: sch->sch_bucket not empty", __func__));
294 		KASSERT(sch->sch_length == 0, ("%s: sch->sch_length %d not 0",
295 		    __func__, sch->sch_length));
296 		mtx_destroy(&sch->sch_mtx);
297 	}
298 
299 	KASSERT(V_tcp_syncache.cache_count == 0, ("%s: cache_count %d not 0",
300 	    __func__, V_tcp_syncache.cache_count));
301 
302 	/* Free the allocated global resources. */
303 	uma_zdestroy(V_tcp_syncache.zone);
304 	free(V_tcp_syncache.hashbase, M_SYNCACHE);
305 }
306 #endif
307 
308 /*
309  * Inserts a syncache entry into the specified bucket row.
310  * Locks and unlocks the syncache_head autonomously.
311  */
312 static void
313 syncache_insert(struct syncache *sc, struct syncache_head *sch)
314 {
315 	struct syncache *sc2;
316 
317 	SCH_LOCK(sch);
318 
319 	/*
320 	 * Make sure that we don't overflow the per-bucket limit.
321 	 * If the bucket is full, toss the oldest element.
322 	 */
323 	if (sch->sch_length >= V_tcp_syncache.bucket_limit) {
324 		KASSERT(!TAILQ_EMPTY(&sch->sch_bucket),
325 			("sch->sch_length incorrect"));
326 		sc2 = TAILQ_LAST(&sch->sch_bucket, sch_head);
327 		syncache_drop(sc2, sch);
328 		TCPSTAT_INC(tcps_sc_bucketoverflow);
329 	}
330 
331 	/* Put it into the bucket. */
332 	TAILQ_INSERT_HEAD(&sch->sch_bucket, sc, sc_hash);
333 	sch->sch_length++;
334 
335 	/* Reinitialize the bucket row's timer. */
336 	if (sch->sch_length == 1)
337 		sch->sch_nextc = ticks + INT_MAX;
338 	syncache_timeout(sc, sch, 1);
339 
340 	SCH_UNLOCK(sch);
341 
342 	V_tcp_syncache.cache_count++;
343 	TCPSTAT_INC(tcps_sc_added);
344 }
345 
346 /*
347  * Remove and free entry from syncache bucket row.
348  * Expects locked syncache head.
349  */
350 static void
351 syncache_drop(struct syncache *sc, struct syncache_head *sch)
352 {
353 
354 	SCH_LOCK_ASSERT(sch);
355 
356 	TAILQ_REMOVE(&sch->sch_bucket, sc, sc_hash);
357 	sch->sch_length--;
358 
359 #ifndef TCP_OFFLOAD_DISABLE
360 	if (sc->sc_tu)
361 		sc->sc_tu->tu_syncache_event(TOE_SC_DROP, sc->sc_toepcb);
362 #endif
363 	syncache_free(sc);
364 	V_tcp_syncache.cache_count--;
365 }
366 
367 /*
368  * Engage/reengage time on bucket row.
369  */
370 static void
371 syncache_timeout(struct syncache *sc, struct syncache_head *sch, int docallout)
372 {
373 	sc->sc_rxttime = ticks +
374 		TCPTV_RTOBASE * (tcp_backoff[sc->sc_rxmits]);
375 	sc->sc_rxmits++;
376 	if (TSTMP_LT(sc->sc_rxttime, sch->sch_nextc)) {
377 		sch->sch_nextc = sc->sc_rxttime;
378 		if (docallout)
379 			callout_reset(&sch->sch_timer, sch->sch_nextc - ticks,
380 			    syncache_timer, (void *)sch);
381 	}
382 }
383 
384 /*
385  * Walk the timer queues, looking for SYN,ACKs that need to be retransmitted.
386  * If we have retransmitted an entry the maximum number of times, expire it.
387  * One separate timer for each bucket row.
388  */
389 static void
390 syncache_timer(void *xsch)
391 {
392 	struct syncache_head *sch = (struct syncache_head *)xsch;
393 	struct syncache *sc, *nsc;
394 	int tick = ticks;
395 	char *s;
396 
397 	CURVNET_SET(sch->sch_vnet);
398 
399 	/* NB: syncache_head has already been locked by the callout. */
400 	SCH_LOCK_ASSERT(sch);
401 
402 	/*
403 	 * In the following cycle we may remove some entries and/or
404 	 * advance some timeouts, so re-initialize the bucket timer.
405 	 */
406 	sch->sch_nextc = tick + INT_MAX;
407 
408 	TAILQ_FOREACH_SAFE(sc, &sch->sch_bucket, sc_hash, nsc) {
409 		/*
410 		 * We do not check if the listen socket still exists
411 		 * and accept the case where the listen socket may be
412 		 * gone by the time we resend the SYN/ACK.  We do
413 		 * not expect this to happens often. If it does,
414 		 * then the RST will be sent by the time the remote
415 		 * host does the SYN/ACK->ACK.
416 		 */
417 		if (TSTMP_GT(sc->sc_rxttime, tick)) {
418 			if (TSTMP_LT(sc->sc_rxttime, sch->sch_nextc))
419 				sch->sch_nextc = sc->sc_rxttime;
420 			continue;
421 		}
422 		if (sc->sc_rxmits > V_tcp_syncache.rexmt_limit) {
423 			if ((s = tcp_log_addrs(&sc->sc_inc, NULL, NULL, NULL))) {
424 				log(LOG_DEBUG, "%s; %s: Retransmits exhausted, "
425 				    "giving up and removing syncache entry\n",
426 				    s, __func__);
427 				free(s, M_TCPLOG);
428 			}
429 			syncache_drop(sc, sch);
430 			TCPSTAT_INC(tcps_sc_stale);
431 			continue;
432 		}
433 		if ((s = tcp_log_addrs(&sc->sc_inc, NULL, NULL, NULL))) {
434 			log(LOG_DEBUG, "%s; %s: Response timeout, "
435 			    "retransmitting (%u) SYN|ACK\n",
436 			    s, __func__, sc->sc_rxmits);
437 			free(s, M_TCPLOG);
438 		}
439 
440 		(void) syncache_respond(sc);
441 		TCPSTAT_INC(tcps_sc_retransmitted);
442 		syncache_timeout(sc, sch, 0);
443 	}
444 	if (!TAILQ_EMPTY(&(sch)->sch_bucket))
445 		callout_reset(&(sch)->sch_timer, (sch)->sch_nextc - tick,
446 			syncache_timer, (void *)(sch));
447 	CURVNET_RESTORE();
448 }
449 
450 /*
451  * Find an entry in the syncache.
452  * Returns always with locked syncache_head plus a matching entry or NULL.
453  */
454 struct syncache *
455 syncache_lookup(struct in_conninfo *inc, struct syncache_head **schp)
456 {
457 	struct syncache *sc;
458 	struct syncache_head *sch;
459 
460 #ifdef INET6
461 	if (inc->inc_flags & INC_ISIPV6) {
462 		sch = &V_tcp_syncache.hashbase[
463 		    SYNCACHE_HASH6(inc, V_tcp_syncache.hashmask)];
464 		*schp = sch;
465 
466 		SCH_LOCK(sch);
467 
468 		/* Circle through bucket row to find matching entry. */
469 		TAILQ_FOREACH(sc, &sch->sch_bucket, sc_hash) {
470 			if (ENDPTS6_EQ(&inc->inc_ie, &sc->sc_inc.inc_ie))
471 				return (sc);
472 		}
473 	} else
474 #endif
475 	{
476 		sch = &V_tcp_syncache.hashbase[
477 		    SYNCACHE_HASH(inc, V_tcp_syncache.hashmask)];
478 		*schp = sch;
479 
480 		SCH_LOCK(sch);
481 
482 		/* Circle through bucket row to find matching entry. */
483 		TAILQ_FOREACH(sc, &sch->sch_bucket, sc_hash) {
484 #ifdef INET6
485 			if (sc->sc_inc.inc_flags & INC_ISIPV6)
486 				continue;
487 #endif
488 			if (ENDPTS_EQ(&inc->inc_ie, &sc->sc_inc.inc_ie))
489 				return (sc);
490 		}
491 	}
492 	SCH_LOCK_ASSERT(*schp);
493 	return (NULL);			/* always returns with locked sch */
494 }
495 
496 /*
497  * This function is called when we get a RST for a
498  * non-existent connection, so that we can see if the
499  * connection is in the syn cache.  If it is, zap it.
500  */
501 void
502 syncache_chkrst(struct in_conninfo *inc, struct tcphdr *th)
503 {
504 	struct syncache *sc;
505 	struct syncache_head *sch;
506 	char *s = NULL;
507 
508 	sc = syncache_lookup(inc, &sch);	/* returns locked sch */
509 	SCH_LOCK_ASSERT(sch);
510 
511 	/*
512 	 * Any RST to our SYN|ACK must not carry ACK, SYN or FIN flags.
513 	 * See RFC 793 page 65, section SEGMENT ARRIVES.
514 	 */
515 	if (th->th_flags & (TH_ACK|TH_SYN|TH_FIN)) {
516 		if ((s = tcp_log_addrs(inc, th, NULL, NULL)))
517 			log(LOG_DEBUG, "%s; %s: Spurious RST with ACK, SYN or "
518 			    "FIN flag set, segment ignored\n", s, __func__);
519 		TCPSTAT_INC(tcps_badrst);
520 		goto done;
521 	}
522 
523 	/*
524 	 * No corresponding connection was found in syncache.
525 	 * If syncookies are enabled and possibly exclusively
526 	 * used, or we are under memory pressure, a valid RST
527 	 * may not find a syncache entry.  In that case we're
528 	 * done and no SYN|ACK retransmissions will happen.
529 	 * Otherwise the RST was misdirected or spoofed.
530 	 */
531 	if (sc == NULL) {
532 		if ((s = tcp_log_addrs(inc, th, NULL, NULL)))
533 			log(LOG_DEBUG, "%s; %s: Spurious RST without matching "
534 			    "syncache entry (possibly syncookie only), "
535 			    "segment ignored\n", s, __func__);
536 		TCPSTAT_INC(tcps_badrst);
537 		goto done;
538 	}
539 
540 	/*
541 	 * If the RST bit is set, check the sequence number to see
542 	 * if this is a valid reset segment.
543 	 * RFC 793 page 37:
544 	 *   In all states except SYN-SENT, all reset (RST) segments
545 	 *   are validated by checking their SEQ-fields.  A reset is
546 	 *   valid if its sequence number is in the window.
547 	 *
548 	 *   The sequence number in the reset segment is normally an
549 	 *   echo of our outgoing acknowlegement numbers, but some hosts
550 	 *   send a reset with the sequence number at the rightmost edge
551 	 *   of our receive window, and we have to handle this case.
552 	 */
553 	if (SEQ_GEQ(th->th_seq, sc->sc_irs) &&
554 	    SEQ_LEQ(th->th_seq, sc->sc_irs + sc->sc_wnd)) {
555 		syncache_drop(sc, sch);
556 		if ((s = tcp_log_addrs(inc, th, NULL, NULL)))
557 			log(LOG_DEBUG, "%s; %s: Our SYN|ACK was rejected, "
558 			    "connection attempt aborted by remote endpoint\n",
559 			    s, __func__);
560 		TCPSTAT_INC(tcps_sc_reset);
561 	} else {
562 		if ((s = tcp_log_addrs(inc, th, NULL, NULL)))
563 			log(LOG_DEBUG, "%s; %s: RST with invalid SEQ %u != "
564 			    "IRS %u (+WND %u), segment ignored\n",
565 			    s, __func__, th->th_seq, sc->sc_irs, sc->sc_wnd);
566 		TCPSTAT_INC(tcps_badrst);
567 	}
568 
569 done:
570 	if (s != NULL)
571 		free(s, M_TCPLOG);
572 	SCH_UNLOCK(sch);
573 }
574 
575 void
576 syncache_badack(struct in_conninfo *inc)
577 {
578 	struct syncache *sc;
579 	struct syncache_head *sch;
580 
581 	sc = syncache_lookup(inc, &sch);	/* returns locked sch */
582 	SCH_LOCK_ASSERT(sch);
583 	if (sc != NULL) {
584 		syncache_drop(sc, sch);
585 		TCPSTAT_INC(tcps_sc_badack);
586 	}
587 	SCH_UNLOCK(sch);
588 }
589 
590 void
591 syncache_unreach(struct in_conninfo *inc, struct tcphdr *th)
592 {
593 	struct syncache *sc;
594 	struct syncache_head *sch;
595 
596 	sc = syncache_lookup(inc, &sch);	/* returns locked sch */
597 	SCH_LOCK_ASSERT(sch);
598 	if (sc == NULL)
599 		goto done;
600 
601 	/* If the sequence number != sc_iss, then it's a bogus ICMP msg */
602 	if (ntohl(th->th_seq) != sc->sc_iss)
603 		goto done;
604 
605 	/*
606 	 * If we've rertransmitted 3 times and this is our second error,
607 	 * we remove the entry.  Otherwise, we allow it to continue on.
608 	 * This prevents us from incorrectly nuking an entry during a
609 	 * spurious network outage.
610 	 *
611 	 * See tcp_notify().
612 	 */
613 	if ((sc->sc_flags & SCF_UNREACH) == 0 || sc->sc_rxmits < 3 + 1) {
614 		sc->sc_flags |= SCF_UNREACH;
615 		goto done;
616 	}
617 	syncache_drop(sc, sch);
618 	TCPSTAT_INC(tcps_sc_unreach);
619 done:
620 	SCH_UNLOCK(sch);
621 }
622 
623 /*
624  * Build a new TCP socket structure from a syncache entry.
625  */
626 static struct socket *
627 syncache_socket(struct syncache *sc, struct socket *lso, struct mbuf *m)
628 {
629 	struct inpcb *inp = NULL;
630 	struct socket *so;
631 	struct tcpcb *tp;
632 	int error;
633 	char *s;
634 
635 	INP_INFO_WLOCK_ASSERT(&V_tcbinfo);
636 
637 	/*
638 	 * Ok, create the full blown connection, and set things up
639 	 * as they would have been set up if we had created the
640 	 * connection when the SYN arrived.  If we can't create
641 	 * the connection, abort it.
642 	 */
643 	so = sonewconn(lso, SS_ISCONNECTED);
644 	if (so == NULL) {
645 		/*
646 		 * Drop the connection; we will either send a RST or
647 		 * have the peer retransmit its SYN again after its
648 		 * RTO and try again.
649 		 */
650 		TCPSTAT_INC(tcps_listendrop);
651 		if ((s = tcp_log_addrs(&sc->sc_inc, NULL, NULL, NULL))) {
652 			log(LOG_DEBUG, "%s; %s: Socket create failed "
653 			    "due to limits or memory shortage\n",
654 			    s, __func__);
655 			free(s, M_TCPLOG);
656 		}
657 		goto abort2;
658 	}
659 #ifdef MAC
660 	mac_socketpeer_set_from_mbuf(m, so);
661 #endif
662 
663 	inp = sotoinpcb(so);
664 	inp->inp_inc.inc_fibnum = so->so_fibnum;
665 	INP_WLOCK(inp);
666 	INP_HASH_WLOCK(&V_tcbinfo);
667 
668 	/* Insert new socket into PCB hash list. */
669 	inp->inp_inc.inc_flags = sc->sc_inc.inc_flags;
670 #ifdef INET6
671 	if (sc->sc_inc.inc_flags & INC_ISIPV6) {
672 		inp->in6p_laddr = sc->sc_inc.inc6_laddr;
673 	} else {
674 		inp->inp_vflag &= ~INP_IPV6;
675 		inp->inp_vflag |= INP_IPV4;
676 #endif
677 		inp->inp_laddr = sc->sc_inc.inc_laddr;
678 #ifdef INET6
679 	}
680 #endif
681 
682 	/*
683 	 * Install in the reservation hash table for now, but don't yet
684 	 * install a connection group since the full 4-tuple isn't yet
685 	 * configured.
686 	 */
687 	inp->inp_lport = sc->sc_inc.inc_lport;
688 	if ((error = in_pcbinshash_nopcbgroup(inp)) != 0) {
689 		/*
690 		 * Undo the assignments above if we failed to
691 		 * put the PCB on the hash lists.
692 		 */
693 #ifdef INET6
694 		if (sc->sc_inc.inc_flags & INC_ISIPV6)
695 			inp->in6p_laddr = in6addr_any;
696 		else
697 #endif
698 			inp->inp_laddr.s_addr = INADDR_ANY;
699 		inp->inp_lport = 0;
700 		if ((s = tcp_log_addrs(&sc->sc_inc, NULL, NULL, NULL))) {
701 			log(LOG_DEBUG, "%s; %s: in_pcbinshash failed "
702 			    "with error %i\n",
703 			    s, __func__, error);
704 			free(s, M_TCPLOG);
705 		}
706 		INP_HASH_WUNLOCK(&V_tcbinfo);
707 		goto abort;
708 	}
709 #ifdef IPSEC
710 	/* Copy old policy into new socket's. */
711 	if (ipsec_copy_policy(sotoinpcb(lso)->inp_sp, inp->inp_sp))
712 		printf("syncache_socket: could not copy policy\n");
713 #endif
714 #ifdef INET6
715 	if (sc->sc_inc.inc_flags & INC_ISIPV6) {
716 		struct inpcb *oinp = sotoinpcb(lso);
717 		struct in6_addr laddr6;
718 		struct sockaddr_in6 sin6;
719 		/*
720 		 * Inherit socket options from the listening socket.
721 		 * Note that in6p_inputopts are not (and should not be)
722 		 * copied, since it stores previously received options and is
723 		 * used to detect if each new option is different than the
724 		 * previous one and hence should be passed to a user.
725 		 * If we copied in6p_inputopts, a user would not be able to
726 		 * receive options just after calling the accept system call.
727 		 */
728 		inp->inp_flags |= oinp->inp_flags & INP_CONTROLOPTS;
729 		if (oinp->in6p_outputopts)
730 			inp->in6p_outputopts =
731 			    ip6_copypktopts(oinp->in6p_outputopts, M_NOWAIT);
732 
733 		sin6.sin6_family = AF_INET6;
734 		sin6.sin6_len = sizeof(sin6);
735 		sin6.sin6_addr = sc->sc_inc.inc6_faddr;
736 		sin6.sin6_port = sc->sc_inc.inc_fport;
737 		sin6.sin6_flowinfo = sin6.sin6_scope_id = 0;
738 		laddr6 = inp->in6p_laddr;
739 		if (IN6_IS_ADDR_UNSPECIFIED(&inp->in6p_laddr))
740 			inp->in6p_laddr = sc->sc_inc.inc6_laddr;
741 		if ((error = in6_pcbconnect_mbuf(inp, (struct sockaddr *)&sin6,
742 		    thread0.td_ucred, m)) != 0) {
743 			inp->in6p_laddr = laddr6;
744 			if ((s = tcp_log_addrs(&sc->sc_inc, NULL, NULL, NULL))) {
745 				log(LOG_DEBUG, "%s; %s: in6_pcbconnect failed "
746 				    "with error %i\n",
747 				    s, __func__, error);
748 				free(s, M_TCPLOG);
749 			}
750 			INP_HASH_WUNLOCK(&V_tcbinfo);
751 			goto abort;
752 		}
753 		/* Override flowlabel from in6_pcbconnect. */
754 		inp->inp_flow &= ~IPV6_FLOWLABEL_MASK;
755 		inp->inp_flow |= sc->sc_flowlabel;
756 	}
757 #endif /* INET6 */
758 #if defined(INET) && defined(INET6)
759 	else
760 #endif
761 #ifdef INET
762 	{
763 		struct in_addr laddr;
764 		struct sockaddr_in sin;
765 
766 		inp->inp_options = (m) ? ip_srcroute(m) : NULL;
767 
768 		if (inp->inp_options == NULL) {
769 			inp->inp_options = sc->sc_ipopts;
770 			sc->sc_ipopts = NULL;
771 		}
772 
773 		sin.sin_family = AF_INET;
774 		sin.sin_len = sizeof(sin);
775 		sin.sin_addr = sc->sc_inc.inc_faddr;
776 		sin.sin_port = sc->sc_inc.inc_fport;
777 		bzero((caddr_t)sin.sin_zero, sizeof(sin.sin_zero));
778 		laddr = inp->inp_laddr;
779 		if (inp->inp_laddr.s_addr == INADDR_ANY)
780 			inp->inp_laddr = sc->sc_inc.inc_laddr;
781 		if ((error = in_pcbconnect_mbuf(inp, (struct sockaddr *)&sin,
782 		    thread0.td_ucred, m)) != 0) {
783 			inp->inp_laddr = laddr;
784 			if ((s = tcp_log_addrs(&sc->sc_inc, NULL, NULL, NULL))) {
785 				log(LOG_DEBUG, "%s; %s: in_pcbconnect failed "
786 				    "with error %i\n",
787 				    s, __func__, error);
788 				free(s, M_TCPLOG);
789 			}
790 			INP_HASH_WUNLOCK(&V_tcbinfo);
791 			goto abort;
792 		}
793 	}
794 #endif /* INET */
795 	INP_HASH_WUNLOCK(&V_tcbinfo);
796 	tp = intotcpcb(inp);
797 	tp->t_state = TCPS_SYN_RECEIVED;
798 	tp->iss = sc->sc_iss;
799 	tp->irs = sc->sc_irs;
800 	tcp_rcvseqinit(tp);
801 	tcp_sendseqinit(tp);
802 	tp->snd_wl1 = sc->sc_irs;
803 	tp->snd_max = tp->iss + 1;
804 	tp->snd_nxt = tp->iss + 1;
805 	tp->rcv_up = sc->sc_irs + 1;
806 	tp->rcv_wnd = sc->sc_wnd;
807 	tp->rcv_adv += tp->rcv_wnd;
808 	tp->last_ack_sent = tp->rcv_nxt;
809 
810 	tp->t_flags = sototcpcb(lso)->t_flags & (TF_NOPUSH|TF_NODELAY);
811 	if (sc->sc_flags & SCF_NOOPT)
812 		tp->t_flags |= TF_NOOPT;
813 	else {
814 		if (sc->sc_flags & SCF_WINSCALE) {
815 			tp->t_flags |= TF_REQ_SCALE|TF_RCVD_SCALE;
816 			tp->snd_scale = sc->sc_requested_s_scale;
817 			tp->request_r_scale = sc->sc_requested_r_scale;
818 		}
819 		if (sc->sc_flags & SCF_TIMESTAMP) {
820 			tp->t_flags |= TF_REQ_TSTMP|TF_RCVD_TSTMP;
821 			tp->ts_recent = sc->sc_tsreflect;
822 			tp->ts_recent_age = ticks;
823 			tp->ts_offset = sc->sc_tsoff;
824 		}
825 #ifdef TCP_SIGNATURE
826 		if (sc->sc_flags & SCF_SIGNATURE)
827 			tp->t_flags |= TF_SIGNATURE;
828 #endif
829 		if (sc->sc_flags & SCF_SACK)
830 			tp->t_flags |= TF_SACK_PERMIT;
831 	}
832 
833 	if (sc->sc_flags & SCF_ECN)
834 		tp->t_flags |= TF_ECN_PERMIT;
835 
836 	/*
837 	 * Set up MSS and get cached values from tcp_hostcache.
838 	 * This might overwrite some of the defaults we just set.
839 	 */
840 	tcp_mss(tp, sc->sc_peer_mss);
841 
842 	/*
843 	 * If the SYN,ACK was retransmitted, reset cwnd to 1 segment.
844 	 * NB: sc_rxmits counts all SYN,ACK transmits, not just retransmits.
845 	 */
846 	if (sc->sc_rxmits > 1)
847 		tp->snd_cwnd = tp->t_maxseg;
848 	tcp_timer_activate(tp, TT_KEEP, tcp_keepinit);
849 
850 	INP_WUNLOCK(inp);
851 
852 	TCPSTAT_INC(tcps_accepts);
853 	return (so);
854 
855 abort:
856 	INP_WUNLOCK(inp);
857 abort2:
858 	if (so != NULL)
859 		soabort(so);
860 	return (NULL);
861 }
862 
863 /*
864  * This function gets called when we receive an ACK for a
865  * socket in the LISTEN state.  We look up the connection
866  * in the syncache, and if its there, we pull it out of
867  * the cache and turn it into a full-blown connection in
868  * the SYN-RECEIVED state.
869  */
870 int
871 syncache_expand(struct in_conninfo *inc, struct tcpopt *to, struct tcphdr *th,
872     struct socket **lsop, struct mbuf *m)
873 {
874 	struct syncache *sc;
875 	struct syncache_head *sch;
876 	struct syncache scs;
877 	char *s;
878 
879 	/*
880 	 * Global TCP locks are held because we manipulate the PCB lists
881 	 * and create a new socket.
882 	 */
883 	INP_INFO_WLOCK_ASSERT(&V_tcbinfo);
884 	KASSERT((th->th_flags & (TH_RST|TH_ACK|TH_SYN)) == TH_ACK,
885 	    ("%s: can handle only ACK", __func__));
886 
887 	sc = syncache_lookup(inc, &sch);	/* returns locked sch */
888 	SCH_LOCK_ASSERT(sch);
889 	if (sc == NULL) {
890 		/*
891 		 * There is no syncache entry, so see if this ACK is
892 		 * a returning syncookie.  To do this, first:
893 		 *  A. See if this socket has had a syncache entry dropped in
894 		 *     the past.  We don't want to accept a bogus syncookie
895 		 *     if we've never received a SYN.
896 		 *  B. check that the syncookie is valid.  If it is, then
897 		 *     cobble up a fake syncache entry, and return.
898 		 */
899 		if (!V_tcp_syncookies) {
900 			SCH_UNLOCK(sch);
901 			if ((s = tcp_log_addrs(inc, th, NULL, NULL)))
902 				log(LOG_DEBUG, "%s; %s: Spurious ACK, "
903 				    "segment rejected (syncookies disabled)\n",
904 				    s, __func__);
905 			goto failed;
906 		}
907 		bzero(&scs, sizeof(scs));
908 		sc = syncookie_lookup(inc, sch, &scs, to, th, *lsop);
909 		SCH_UNLOCK(sch);
910 		if (sc == NULL) {
911 			if ((s = tcp_log_addrs(inc, th, NULL, NULL)))
912 				log(LOG_DEBUG, "%s; %s: Segment failed "
913 				    "SYNCOOKIE authentication, segment rejected "
914 				    "(probably spoofed)\n", s, __func__);
915 			goto failed;
916 		}
917 	} else {
918 		/* Pull out the entry to unlock the bucket row. */
919 		TAILQ_REMOVE(&sch->sch_bucket, sc, sc_hash);
920 		sch->sch_length--;
921 		V_tcp_syncache.cache_count--;
922 		SCH_UNLOCK(sch);
923 	}
924 
925 	/*
926 	 * Segment validation:
927 	 * ACK must match our initial sequence number + 1 (the SYN|ACK).
928 	 */
929 	if (th->th_ack != sc->sc_iss + 1 && !TOEPCB_ISSET(sc)) {
930 		if ((s = tcp_log_addrs(inc, th, NULL, NULL)))
931 			log(LOG_DEBUG, "%s; %s: ACK %u != ISS+1 %u, segment "
932 			    "rejected\n", s, __func__, th->th_ack, sc->sc_iss);
933 		goto failed;
934 	}
935 
936 	/*
937 	 * The SEQ must fall in the window starting at the received
938 	 * initial receive sequence number + 1 (the SYN).
939 	 */
940 	if ((SEQ_LEQ(th->th_seq, sc->sc_irs) ||
941 	    SEQ_GT(th->th_seq, sc->sc_irs + sc->sc_wnd)) &&
942 	    !TOEPCB_ISSET(sc)) {
943 		if ((s = tcp_log_addrs(inc, th, NULL, NULL)))
944 			log(LOG_DEBUG, "%s; %s: SEQ %u != IRS+1 %u, segment "
945 			    "rejected\n", s, __func__, th->th_seq, sc->sc_irs);
946 		goto failed;
947 	}
948 
949 	if (!(sc->sc_flags & SCF_TIMESTAMP) && (to->to_flags & TOF_TS)) {
950 		if ((s = tcp_log_addrs(inc, th, NULL, NULL)))
951 			log(LOG_DEBUG, "%s; %s: Timestamp not expected, "
952 			    "segment rejected\n", s, __func__);
953 		goto failed;
954 	}
955 	/*
956 	 * If timestamps were negotiated the reflected timestamp
957 	 * must be equal to what we actually sent in the SYN|ACK.
958 	 */
959 	if ((to->to_flags & TOF_TS) && to->to_tsecr != sc->sc_ts &&
960 	    !TOEPCB_ISSET(sc)) {
961 		if ((s = tcp_log_addrs(inc, th, NULL, NULL)))
962 			log(LOG_DEBUG, "%s; %s: TSECR %u != TS %u, "
963 			    "segment rejected\n",
964 			    s, __func__, to->to_tsecr, sc->sc_ts);
965 		goto failed;
966 	}
967 
968 	*lsop = syncache_socket(sc, *lsop, m);
969 
970 	if (*lsop == NULL)
971 		TCPSTAT_INC(tcps_sc_aborted);
972 	else
973 		TCPSTAT_INC(tcps_sc_completed);
974 
975 /* how do we find the inp for the new socket? */
976 	if (sc != &scs)
977 		syncache_free(sc);
978 	return (1);
979 failed:
980 	if (sc != NULL && sc != &scs)
981 		syncache_free(sc);
982 	if (s != NULL)
983 		free(s, M_TCPLOG);
984 	*lsop = NULL;
985 	return (0);
986 }
987 
988 int
989 tcp_offload_syncache_expand(struct in_conninfo *inc, struct toeopt *toeo,
990     struct tcphdr *th, struct socket **lsop, struct mbuf *m)
991 {
992 	struct tcpopt to;
993 	int rc;
994 
995 	bzero(&to, sizeof(struct tcpopt));
996 	to.to_mss = toeo->to_mss;
997 	to.to_wscale = toeo->to_wscale;
998 	to.to_flags = toeo->to_flags;
999 
1000 	INP_INFO_WLOCK(&V_tcbinfo);
1001 	rc = syncache_expand(inc, &to, th, lsop, m);
1002 	INP_INFO_WUNLOCK(&V_tcbinfo);
1003 
1004 	return (rc);
1005 }
1006 
1007 /*
1008  * Given a LISTEN socket and an inbound SYN request, add
1009  * this to the syn cache, and send back a segment:
1010  *	<SEQ=ISS><ACK=RCV_NXT><CTL=SYN,ACK>
1011  * to the source.
1012  *
1013  * IMPORTANT NOTE: We do _NOT_ ACK data that might accompany the SYN.
1014  * Doing so would require that we hold onto the data and deliver it
1015  * to the application.  However, if we are the target of a SYN-flood
1016  * DoS attack, an attacker could send data which would eventually
1017  * consume all available buffer space if it were ACKed.  By not ACKing
1018  * the data, we avoid this DoS scenario.
1019  */
1020 static void
1021 _syncache_add(struct in_conninfo *inc, struct tcpopt *to, struct tcphdr *th,
1022     struct inpcb *inp, struct socket **lsop, struct mbuf *m,
1023     struct toe_usrreqs *tu, void *toepcb)
1024 {
1025 	struct tcpcb *tp;
1026 	struct socket *so;
1027 	struct syncache *sc = NULL;
1028 	struct syncache_head *sch;
1029 	struct mbuf *ipopts = NULL;
1030 	u_int32_t flowtmp;
1031 	u_int ltflags;
1032 	int win, sb_hiwat, ip_ttl, ip_tos;
1033 	char *s;
1034 #ifdef INET6
1035 	int autoflowlabel = 0;
1036 #endif
1037 #ifdef MAC
1038 	struct label *maclabel;
1039 #endif
1040 	struct syncache scs;
1041 	struct ucred *cred;
1042 
1043 	INP_INFO_WLOCK_ASSERT(&V_tcbinfo);
1044 	INP_WLOCK_ASSERT(inp);			/* listen socket */
1045 	KASSERT((th->th_flags & (TH_RST|TH_ACK|TH_SYN)) == TH_SYN,
1046 	    ("%s: unexpected tcp flags", __func__));
1047 
1048 	/*
1049 	 * Combine all so/tp operations very early to drop the INP lock as
1050 	 * soon as possible.
1051 	 */
1052 	so = *lsop;
1053 	tp = sototcpcb(so);
1054 	cred = crhold(so->so_cred);
1055 
1056 #ifdef INET6
1057 	if ((inc->inc_flags & INC_ISIPV6) &&
1058 	    (inp->inp_flags & IN6P_AUTOFLOWLABEL))
1059 		autoflowlabel = 1;
1060 #endif
1061 	ip_ttl = inp->inp_ip_ttl;
1062 	ip_tos = inp->inp_ip_tos;
1063 	win = sbspace(&so->so_rcv);
1064 	sb_hiwat = so->so_rcv.sb_hiwat;
1065 	ltflags = (tp->t_flags & (TF_NOOPT | TF_SIGNATURE));
1066 
1067 	/* By the time we drop the lock these should no longer be used. */
1068 	so = NULL;
1069 	tp = NULL;
1070 
1071 #ifdef MAC
1072 	if (mac_syncache_init(&maclabel) != 0) {
1073 		INP_WUNLOCK(inp);
1074 		INP_INFO_WUNLOCK(&V_tcbinfo);
1075 		goto done;
1076 	} else
1077 		mac_syncache_create(maclabel, inp);
1078 #endif
1079 	INP_WUNLOCK(inp);
1080 	INP_INFO_WUNLOCK(&V_tcbinfo);
1081 
1082 	/*
1083 	 * Remember the IP options, if any.
1084 	 */
1085 #ifdef INET6
1086 	if (!(inc->inc_flags & INC_ISIPV6))
1087 #endif
1088 #ifdef INET
1089 		ipopts = (m) ? ip_srcroute(m) : NULL;
1090 #else
1091 		ipopts = NULL;
1092 #endif
1093 
1094 	/*
1095 	 * See if we already have an entry for this connection.
1096 	 * If we do, resend the SYN,ACK, and reset the retransmit timer.
1097 	 *
1098 	 * XXX: should the syncache be re-initialized with the contents
1099 	 * of the new SYN here (which may have different options?)
1100 	 *
1101 	 * XXX: We do not check the sequence number to see if this is a
1102 	 * real retransmit or a new connection attempt.  The question is
1103 	 * how to handle such a case; either ignore it as spoofed, or
1104 	 * drop the current entry and create a new one?
1105 	 */
1106 	sc = syncache_lookup(inc, &sch);	/* returns locked entry */
1107 	SCH_LOCK_ASSERT(sch);
1108 	if (sc != NULL) {
1109 #ifndef TCP_OFFLOAD_DISABLE
1110 		if (sc->sc_tu)
1111 			sc->sc_tu->tu_syncache_event(TOE_SC_ENTRY_PRESENT,
1112 			    sc->sc_toepcb);
1113 #endif
1114 		TCPSTAT_INC(tcps_sc_dupsyn);
1115 		if (ipopts) {
1116 			/*
1117 			 * If we were remembering a previous source route,
1118 			 * forget it and use the new one we've been given.
1119 			 */
1120 			if (sc->sc_ipopts)
1121 				(void) m_free(sc->sc_ipopts);
1122 			sc->sc_ipopts = ipopts;
1123 		}
1124 		/*
1125 		 * Update timestamp if present.
1126 		 */
1127 		if ((sc->sc_flags & SCF_TIMESTAMP) && (to->to_flags & TOF_TS))
1128 			sc->sc_tsreflect = to->to_tsval;
1129 		else
1130 			sc->sc_flags &= ~SCF_TIMESTAMP;
1131 #ifdef MAC
1132 		/*
1133 		 * Since we have already unconditionally allocated label
1134 		 * storage, free it up.  The syncache entry will already
1135 		 * have an initialized label we can use.
1136 		 */
1137 		mac_syncache_destroy(&maclabel);
1138 #endif
1139 		/* Retransmit SYN|ACK and reset retransmit count. */
1140 		if ((s = tcp_log_addrs(&sc->sc_inc, th, NULL, NULL))) {
1141 			log(LOG_DEBUG, "%s; %s: Received duplicate SYN, "
1142 			    "resetting timer and retransmitting SYN|ACK\n",
1143 			    s, __func__);
1144 			free(s, M_TCPLOG);
1145 		}
1146 		if (!TOEPCB_ISSET(sc) && syncache_respond(sc) == 0) {
1147 			sc->sc_rxmits = 0;
1148 			syncache_timeout(sc, sch, 1);
1149 			TCPSTAT_INC(tcps_sndacks);
1150 			TCPSTAT_INC(tcps_sndtotal);
1151 		}
1152 		SCH_UNLOCK(sch);
1153 		goto done;
1154 	}
1155 
1156 	sc = uma_zalloc(V_tcp_syncache.zone, M_NOWAIT | M_ZERO);
1157 	if (sc == NULL) {
1158 		/*
1159 		 * The zone allocator couldn't provide more entries.
1160 		 * Treat this as if the cache was full; drop the oldest
1161 		 * entry and insert the new one.
1162 		 */
1163 		TCPSTAT_INC(tcps_sc_zonefail);
1164 		if ((sc = TAILQ_LAST(&sch->sch_bucket, sch_head)) != NULL)
1165 			syncache_drop(sc, sch);
1166 		sc = uma_zalloc(V_tcp_syncache.zone, M_NOWAIT | M_ZERO);
1167 		if (sc == NULL) {
1168 			if (V_tcp_syncookies) {
1169 				bzero(&scs, sizeof(scs));
1170 				sc = &scs;
1171 			} else {
1172 				SCH_UNLOCK(sch);
1173 				if (ipopts)
1174 					(void) m_free(ipopts);
1175 				goto done;
1176 			}
1177 		}
1178 	}
1179 
1180 	/*
1181 	 * Fill in the syncache values.
1182 	 */
1183 #ifdef MAC
1184 	sc->sc_label = maclabel;
1185 #endif
1186 	sc->sc_cred = cred;
1187 	cred = NULL;
1188 	sc->sc_ipopts = ipopts;
1189 	bcopy(inc, &sc->sc_inc, sizeof(struct in_conninfo));
1190 #ifdef INET6
1191 	if (!(inc->inc_flags & INC_ISIPV6))
1192 #endif
1193 	{
1194 		sc->sc_ip_tos = ip_tos;
1195 		sc->sc_ip_ttl = ip_ttl;
1196 	}
1197 #ifndef TCP_OFFLOAD_DISABLE
1198 	sc->sc_tu = tu;
1199 	sc->sc_toepcb = toepcb;
1200 #endif
1201 	sc->sc_irs = th->th_seq;
1202 	sc->sc_iss = arc4random();
1203 	sc->sc_flags = 0;
1204 	sc->sc_flowlabel = 0;
1205 
1206 	/*
1207 	 * Initial receive window: clip sbspace to [0 .. TCP_MAXWIN].
1208 	 * win was derived from socket earlier in the function.
1209 	 */
1210 	win = imax(win, 0);
1211 	win = imin(win, TCP_MAXWIN);
1212 	sc->sc_wnd = win;
1213 
1214 	if (V_tcp_do_rfc1323) {
1215 		/*
1216 		 * A timestamp received in a SYN makes
1217 		 * it ok to send timestamp requests and replies.
1218 		 */
1219 		if (to->to_flags & TOF_TS) {
1220 			sc->sc_tsreflect = to->to_tsval;
1221 			sc->sc_ts = ticks;
1222 			sc->sc_flags |= SCF_TIMESTAMP;
1223 		}
1224 		if (to->to_flags & TOF_SCALE) {
1225 			int wscale = 0;
1226 
1227 			/*
1228 			 * Pick the smallest possible scaling factor that
1229 			 * will still allow us to scale up to sb_max, aka
1230 			 * kern.ipc.maxsockbuf.
1231 			 *
1232 			 * We do this because there are broken firewalls that
1233 			 * will corrupt the window scale option, leading to
1234 			 * the other endpoint believing that our advertised
1235 			 * window is unscaled.  At scale factors larger than
1236 			 * 5 the unscaled window will drop below 1500 bytes,
1237 			 * leading to serious problems when traversing these
1238 			 * broken firewalls.
1239 			 *
1240 			 * With the default maxsockbuf of 256K, a scale factor
1241 			 * of 3 will be chosen by this algorithm.  Those who
1242 			 * choose a larger maxsockbuf should watch out
1243 			 * for the compatiblity problems mentioned above.
1244 			 *
1245 			 * RFC1323: The Window field in a SYN (i.e., a <SYN>
1246 			 * or <SYN,ACK>) segment itself is never scaled.
1247 			 */
1248 			while (wscale < TCP_MAX_WINSHIFT &&
1249 			    (TCP_MAXWIN << wscale) < sb_max)
1250 				wscale++;
1251 			sc->sc_requested_r_scale = wscale;
1252 			sc->sc_requested_s_scale = to->to_wscale;
1253 			sc->sc_flags |= SCF_WINSCALE;
1254 		}
1255 	}
1256 #ifdef TCP_SIGNATURE
1257 	/*
1258 	 * If listening socket requested TCP digests, and received SYN
1259 	 * contains the option, flag this in the syncache so that
1260 	 * syncache_respond() will do the right thing with the SYN+ACK.
1261 	 * XXX: Currently we always record the option by default and will
1262 	 * attempt to use it in syncache_respond().
1263 	 */
1264 	if (to->to_flags & TOF_SIGNATURE || ltflags & TF_SIGNATURE)
1265 		sc->sc_flags |= SCF_SIGNATURE;
1266 #endif
1267 	if (to->to_flags & TOF_SACKPERM)
1268 		sc->sc_flags |= SCF_SACK;
1269 	if (to->to_flags & TOF_MSS)
1270 		sc->sc_peer_mss = to->to_mss;	/* peer mss may be zero */
1271 	if (ltflags & TF_NOOPT)
1272 		sc->sc_flags |= SCF_NOOPT;
1273 	if ((th->th_flags & (TH_ECE|TH_CWR)) && V_tcp_do_ecn)
1274 		sc->sc_flags |= SCF_ECN;
1275 
1276 	if (V_tcp_syncookies) {
1277 		syncookie_generate(sch, sc, &flowtmp);
1278 #ifdef INET6
1279 		if (autoflowlabel)
1280 			sc->sc_flowlabel = flowtmp;
1281 #endif
1282 	} else {
1283 #ifdef INET6
1284 		if (autoflowlabel)
1285 			sc->sc_flowlabel =
1286 			    (htonl(ip6_randomflowlabel()) & IPV6_FLOWLABEL_MASK);
1287 #endif
1288 	}
1289 	SCH_UNLOCK(sch);
1290 
1291 	/*
1292 	 * Do a standard 3-way handshake.
1293 	 */
1294 	if (TOEPCB_ISSET(sc) || syncache_respond(sc) == 0) {
1295 		if (V_tcp_syncookies && V_tcp_syncookiesonly && sc != &scs)
1296 			syncache_free(sc);
1297 		else if (sc != &scs)
1298 			syncache_insert(sc, sch);   /* locks and unlocks sch */
1299 		TCPSTAT_INC(tcps_sndacks);
1300 		TCPSTAT_INC(tcps_sndtotal);
1301 	} else {
1302 		if (sc != &scs)
1303 			syncache_free(sc);
1304 		TCPSTAT_INC(tcps_sc_dropped);
1305 	}
1306 
1307 done:
1308 	if (cred != NULL)
1309 		crfree(cred);
1310 #ifdef MAC
1311 	if (sc == &scs)
1312 		mac_syncache_destroy(&maclabel);
1313 #endif
1314 	if (m) {
1315 
1316 		*lsop = NULL;
1317 		m_freem(m);
1318 	}
1319 }
1320 
1321 static int
1322 syncache_respond(struct syncache *sc)
1323 {
1324 	struct ip *ip = NULL;
1325 	struct mbuf *m;
1326 	struct tcphdr *th = NULL;
1327 	int optlen, error = 0;	/* Make compiler happy */
1328 	u_int16_t hlen, tlen, mssopt;
1329 	struct tcpopt to;
1330 #ifdef INET6
1331 	struct ip6_hdr *ip6 = NULL;
1332 #endif
1333 
1334 	hlen =
1335 #ifdef INET6
1336 	       (sc->sc_inc.inc_flags & INC_ISIPV6) ? sizeof(struct ip6_hdr) :
1337 #endif
1338 		sizeof(struct ip);
1339 	tlen = hlen + sizeof(struct tcphdr);
1340 
1341 	/* Determine MSS we advertize to other end of connection. */
1342 	mssopt = tcp_mssopt(&sc->sc_inc);
1343 	if (sc->sc_peer_mss)
1344 		mssopt = max( min(sc->sc_peer_mss, mssopt), V_tcp_minmss);
1345 
1346 	/* XXX: Assume that the entire packet will fit in a header mbuf. */
1347 	KASSERT(max_linkhdr + tlen + TCP_MAXOLEN <= MHLEN,
1348 	    ("syncache: mbuf too small"));
1349 
1350 	/* Create the IP+TCP header from scratch. */
1351 	m = m_gethdr(M_DONTWAIT, MT_DATA);
1352 	if (m == NULL)
1353 		return (ENOBUFS);
1354 #ifdef MAC
1355 	mac_syncache_create_mbuf(sc->sc_label, m);
1356 #endif
1357 	m->m_data += max_linkhdr;
1358 	m->m_len = tlen;
1359 	m->m_pkthdr.len = tlen;
1360 	m->m_pkthdr.rcvif = NULL;
1361 
1362 #ifdef INET6
1363 	if (sc->sc_inc.inc_flags & INC_ISIPV6) {
1364 		ip6 = mtod(m, struct ip6_hdr *);
1365 		ip6->ip6_vfc = IPV6_VERSION;
1366 		ip6->ip6_nxt = IPPROTO_TCP;
1367 		ip6->ip6_src = sc->sc_inc.inc6_laddr;
1368 		ip6->ip6_dst = sc->sc_inc.inc6_faddr;
1369 		ip6->ip6_plen = htons(tlen - hlen);
1370 		/* ip6_hlim is set after checksum */
1371 		ip6->ip6_flow &= ~IPV6_FLOWLABEL_MASK;
1372 		ip6->ip6_flow |= sc->sc_flowlabel;
1373 
1374 		th = (struct tcphdr *)(ip6 + 1);
1375 	}
1376 #endif
1377 #if defined(INET6) && defined(INET)
1378 	else
1379 #endif
1380 #ifdef INET
1381 	{
1382 		ip = mtod(m, struct ip *);
1383 		ip->ip_v = IPVERSION;
1384 		ip->ip_hl = sizeof(struct ip) >> 2;
1385 		ip->ip_len = tlen;
1386 		ip->ip_id = 0;
1387 		ip->ip_off = 0;
1388 		ip->ip_sum = 0;
1389 		ip->ip_p = IPPROTO_TCP;
1390 		ip->ip_src = sc->sc_inc.inc_laddr;
1391 		ip->ip_dst = sc->sc_inc.inc_faddr;
1392 		ip->ip_ttl = sc->sc_ip_ttl;
1393 		ip->ip_tos = sc->sc_ip_tos;
1394 
1395 		/*
1396 		 * See if we should do MTU discovery.  Route lookups are
1397 		 * expensive, so we will only unset the DF bit if:
1398 		 *
1399 		 *	1) path_mtu_discovery is disabled
1400 		 *	2) the SCF_UNREACH flag has been set
1401 		 */
1402 		if (V_path_mtu_discovery && ((sc->sc_flags & SCF_UNREACH) == 0))
1403 		       ip->ip_off |= IP_DF;
1404 
1405 		th = (struct tcphdr *)(ip + 1);
1406 	}
1407 #endif /* INET */
1408 	th->th_sport = sc->sc_inc.inc_lport;
1409 	th->th_dport = sc->sc_inc.inc_fport;
1410 
1411 	th->th_seq = htonl(sc->sc_iss);
1412 	th->th_ack = htonl(sc->sc_irs + 1);
1413 	th->th_off = sizeof(struct tcphdr) >> 2;
1414 	th->th_x2 = 0;
1415 	th->th_flags = TH_SYN|TH_ACK;
1416 	th->th_win = htons(sc->sc_wnd);
1417 	th->th_urp = 0;
1418 
1419 	if (sc->sc_flags & SCF_ECN) {
1420 		th->th_flags |= TH_ECE;
1421 		TCPSTAT_INC(tcps_ecn_shs);
1422 	}
1423 
1424 	/* Tack on the TCP options. */
1425 	if ((sc->sc_flags & SCF_NOOPT) == 0) {
1426 		to.to_flags = 0;
1427 
1428 		to.to_mss = mssopt;
1429 		to.to_flags = TOF_MSS;
1430 		if (sc->sc_flags & SCF_WINSCALE) {
1431 			to.to_wscale = sc->sc_requested_r_scale;
1432 			to.to_flags |= TOF_SCALE;
1433 		}
1434 		if (sc->sc_flags & SCF_TIMESTAMP) {
1435 			/* Virgin timestamp or TCP cookie enhanced one. */
1436 			to.to_tsval = sc->sc_ts;
1437 			to.to_tsecr = sc->sc_tsreflect;
1438 			to.to_flags |= TOF_TS;
1439 		}
1440 		if (sc->sc_flags & SCF_SACK)
1441 			to.to_flags |= TOF_SACKPERM;
1442 #ifdef TCP_SIGNATURE
1443 		if (sc->sc_flags & SCF_SIGNATURE)
1444 			to.to_flags |= TOF_SIGNATURE;
1445 #endif
1446 		optlen = tcp_addoptions(&to, (u_char *)(th + 1));
1447 
1448 		/* Adjust headers by option size. */
1449 		th->th_off = (sizeof(struct tcphdr) + optlen) >> 2;
1450 		m->m_len += optlen;
1451 		m->m_pkthdr.len += optlen;
1452 
1453 #ifdef TCP_SIGNATURE
1454 		if (sc->sc_flags & SCF_SIGNATURE)
1455 			tcp_signature_compute(m, 0, 0, optlen,
1456 			    to.to_signature, IPSEC_DIR_OUTBOUND);
1457 #endif
1458 #ifdef INET6
1459 		if (sc->sc_inc.inc_flags & INC_ISIPV6)
1460 			ip6->ip6_plen = htons(ntohs(ip6->ip6_plen) + optlen);
1461 		else
1462 #endif
1463 			ip->ip_len += optlen;
1464 	} else
1465 		optlen = 0;
1466 
1467 	M_SETFIB(m, sc->sc_inc.inc_fibnum);
1468 #ifdef INET6
1469 	if (sc->sc_inc.inc_flags & INC_ISIPV6) {
1470 		th->th_sum = 0;
1471 		th->th_sum = in6_cksum(m, IPPROTO_TCP, hlen,
1472 				       tlen + optlen - hlen);
1473 		ip6->ip6_hlim = in6_selecthlim(NULL, NULL);
1474 		error = ip6_output(m, NULL, NULL, 0, NULL, NULL, NULL);
1475 	}
1476 #endif
1477 #if defined(INET6) && defined(INET)
1478 	else
1479 #endif
1480 #ifdef INET
1481 	{
1482 		th->th_sum = in_pseudo(ip->ip_src.s_addr, ip->ip_dst.s_addr,
1483 		    htons(tlen + optlen - hlen + IPPROTO_TCP));
1484 		m->m_pkthdr.csum_flags = CSUM_TCP;
1485 		m->m_pkthdr.csum_data = offsetof(struct tcphdr, th_sum);
1486 		error = ip_output(m, sc->sc_ipopts, NULL, 0, NULL, NULL);
1487 	}
1488 #endif
1489 	return (error);
1490 }
1491 
1492 void
1493 syncache_add(struct in_conninfo *inc, struct tcpopt *to, struct tcphdr *th,
1494     struct inpcb *inp, struct socket **lsop, struct mbuf *m)
1495 {
1496 	_syncache_add(inc, to, th, inp, lsop, m, NULL, NULL);
1497 }
1498 
1499 void
1500 tcp_offload_syncache_add(struct in_conninfo *inc, struct toeopt *toeo,
1501     struct tcphdr *th, struct inpcb *inp, struct socket **lsop,
1502     struct toe_usrreqs *tu, void *toepcb)
1503 {
1504 	struct tcpopt to;
1505 
1506 	bzero(&to, sizeof(struct tcpopt));
1507 	to.to_mss = toeo->to_mss;
1508 	to.to_wscale = toeo->to_wscale;
1509 	to.to_flags = toeo->to_flags;
1510 
1511 	INP_INFO_WLOCK(&V_tcbinfo);
1512 	INP_WLOCK(inp);
1513 
1514 	_syncache_add(inc, &to, th, inp, lsop, NULL, tu, toepcb);
1515 }
1516 
1517 /*
1518  * The purpose of SYN cookies is to avoid keeping track of all SYN's we
1519  * receive and to be able to handle SYN floods from bogus source addresses
1520  * (where we will never receive any reply).  SYN floods try to exhaust all
1521  * our memory and available slots in the SYN cache table to cause a denial
1522  * of service to legitimate users of the local host.
1523  *
1524  * The idea of SYN cookies is to encode and include all necessary information
1525  * about the connection setup state within the SYN-ACK we send back and thus
1526  * to get along without keeping any local state until the ACK to the SYN-ACK
1527  * arrives (if ever).  Everything we need to know should be available from
1528  * the information we encoded in the SYN-ACK.
1529  *
1530  * More information about the theory behind SYN cookies and its first
1531  * discussion and specification can be found at:
1532  *  http://cr.yp.to/syncookies.html    (overview)
1533  *  http://cr.yp.to/syncookies/archive (gory details)
1534  *
1535  * This implementation extends the orginal idea and first implementation
1536  * of FreeBSD by using not only the initial sequence number field to store
1537  * information but also the timestamp field if present.  This way we can
1538  * keep track of the entire state we need to know to recreate the session in
1539  * its original form.  Almost all TCP speakers implement RFC1323 timestamps
1540  * these days.  For those that do not we still have to live with the known
1541  * shortcomings of the ISN only SYN cookies.
1542  *
1543  * Cookie layers:
1544  *
1545  * Initial sequence number we send:
1546  * 31|................................|0
1547  *    DDDDDDDDDDDDDDDDDDDDDDDDDMMMRRRP
1548  *    D = MD5 Digest (first dword)
1549  *    M = MSS index
1550  *    R = Rotation of secret
1551  *    P = Odd or Even secret
1552  *
1553  * The MD5 Digest is computed with over following parameters:
1554  *  a) randomly rotated secret
1555  *  b) struct in_conninfo containing the remote/local ip/port (IPv4&IPv6)
1556  *  c) the received initial sequence number from remote host
1557  *  d) the rotation offset and odd/even bit
1558  *
1559  * Timestamp we send:
1560  * 31|................................|0
1561  *    DDDDDDDDDDDDDDDDDDDDDDSSSSRRRRA5
1562  *    D = MD5 Digest (third dword) (only as filler)
1563  *    S = Requested send window scale
1564  *    R = Requested receive window scale
1565  *    A = SACK allowed
1566  *    5 = TCP-MD5 enabled (not implemented yet)
1567  *    XORed with MD5 Digest (forth dword)
1568  *
1569  * The timestamp isn't cryptographically secure and doesn't need to be.
1570  * The double use of the MD5 digest dwords ties it to a specific remote/
1571  * local host/port, remote initial sequence number and our local time
1572  * limited secret.  A received timestamp is reverted (XORed) and then
1573  * the contained MD5 dword is compared to the computed one to ensure the
1574  * timestamp belongs to the SYN-ACK we sent.  The other parameters may
1575  * have been tampered with but this isn't different from supplying bogus
1576  * values in the SYN in the first place.
1577  *
1578  * Some problems with SYN cookies remain however:
1579  * Consider the problem of a recreated (and retransmitted) cookie.  If the
1580  * original SYN was accepted, the connection is established.  The second
1581  * SYN is inflight, and if it arrives with an ISN that falls within the
1582  * receive window, the connection is killed.
1583  *
1584  * Notes:
1585  * A heuristic to determine when to accept syn cookies is not necessary.
1586  * An ACK flood would cause the syncookie verification to be attempted,
1587  * but a SYN flood causes syncookies to be generated.  Both are of equal
1588  * cost, so there's no point in trying to optimize the ACK flood case.
1589  * Also, if you don't process certain ACKs for some reason, then all someone
1590  * would have to do is launch a SYN and ACK flood at the same time, which
1591  * would stop cookie verification and defeat the entire purpose of syncookies.
1592  */
1593 static int tcp_sc_msstab[] = { 0, 256, 468, 536, 996, 1452, 1460, 8960 };
1594 
1595 static void
1596 syncookie_generate(struct syncache_head *sch, struct syncache *sc,
1597     u_int32_t *flowlabel)
1598 {
1599 	MD5_CTX ctx;
1600 	u_int32_t md5_buffer[MD5_DIGEST_LENGTH / sizeof(u_int32_t)];
1601 	u_int32_t data;
1602 	u_int32_t *secbits;
1603 	u_int off, pmss, mss;
1604 	int i;
1605 
1606 	SCH_LOCK_ASSERT(sch);
1607 
1608 	/* Which of the two secrets to use. */
1609 	secbits = sch->sch_oddeven ?
1610 			sch->sch_secbits_odd : sch->sch_secbits_even;
1611 
1612 	/* Reseed secret if too old. */
1613 	if (sch->sch_reseed < time_uptime) {
1614 		sch->sch_oddeven = sch->sch_oddeven ? 0 : 1;	/* toggle */
1615 		secbits = sch->sch_oddeven ?
1616 				sch->sch_secbits_odd : sch->sch_secbits_even;
1617 		for (i = 0; i < SYNCOOKIE_SECRET_SIZE; i++)
1618 			secbits[i] = arc4random();
1619 		sch->sch_reseed = time_uptime + SYNCOOKIE_LIFETIME;
1620 	}
1621 
1622 	/* Secret rotation offset. */
1623 	off = sc->sc_iss & 0x7;			/* iss was randomized before */
1624 
1625 	/* Maximum segment size calculation. */
1626 	pmss =
1627 	    max( min(sc->sc_peer_mss, tcp_mssopt(&sc->sc_inc)),	V_tcp_minmss);
1628 	for (mss = sizeof(tcp_sc_msstab) / sizeof(int) - 1; mss > 0; mss--)
1629 		if (tcp_sc_msstab[mss] <= pmss)
1630 			break;
1631 
1632 	/* Fold parameters and MD5 digest into the ISN we will send. */
1633 	data = sch->sch_oddeven;/* odd or even secret, 1 bit */
1634 	data |= off << 1;	/* secret offset, derived from iss, 3 bits */
1635 	data |= mss << 4;	/* mss, 3 bits */
1636 
1637 	MD5Init(&ctx);
1638 	MD5Update(&ctx, ((u_int8_t *)secbits) + off,
1639 	    SYNCOOKIE_SECRET_SIZE * sizeof(*secbits) - off);
1640 	MD5Update(&ctx, secbits, off);
1641 	MD5Update(&ctx, &sc->sc_inc, sizeof(sc->sc_inc));
1642 	MD5Update(&ctx, &sc->sc_irs, sizeof(sc->sc_irs));
1643 	MD5Update(&ctx, &data, sizeof(data));
1644 	MD5Final((u_int8_t *)&md5_buffer, &ctx);
1645 
1646 	data |= (md5_buffer[0] << 7);
1647 	sc->sc_iss = data;
1648 
1649 #ifdef INET6
1650 	*flowlabel = md5_buffer[1] & IPV6_FLOWLABEL_MASK;
1651 #endif
1652 
1653 	/* Additional parameters are stored in the timestamp if present. */
1654 	if (sc->sc_flags & SCF_TIMESTAMP) {
1655 		data =  ((sc->sc_flags & SCF_SIGNATURE) ? 1 : 0); /* TCP-MD5, 1 bit */
1656 		data |= ((sc->sc_flags & SCF_SACK) ? 1 : 0) << 1; /* SACK, 1 bit */
1657 		data |= sc->sc_requested_s_scale << 2;  /* SWIN scale, 4 bits */
1658 		data |= sc->sc_requested_r_scale << 6;  /* RWIN scale, 4 bits */
1659 		data |= md5_buffer[2] << 10;		/* more digest bits */
1660 		data ^= md5_buffer[3];
1661 		sc->sc_ts = data;
1662 		sc->sc_tsoff = data - ticks;		/* after XOR */
1663 	}
1664 
1665 	TCPSTAT_INC(tcps_sc_sendcookie);
1666 }
1667 
1668 static struct syncache *
1669 syncookie_lookup(struct in_conninfo *inc, struct syncache_head *sch,
1670     struct syncache *sc, struct tcpopt *to, struct tcphdr *th,
1671     struct socket *so)
1672 {
1673 	MD5_CTX ctx;
1674 	u_int32_t md5_buffer[MD5_DIGEST_LENGTH / sizeof(u_int32_t)];
1675 	u_int32_t data = 0;
1676 	u_int32_t *secbits;
1677 	tcp_seq ack, seq;
1678 	int off, mss, wnd, flags;
1679 
1680 	SCH_LOCK_ASSERT(sch);
1681 
1682 	/*
1683 	 * Pull information out of SYN-ACK/ACK and
1684 	 * revert sequence number advances.
1685 	 */
1686 	ack = th->th_ack - 1;
1687 	seq = th->th_seq - 1;
1688 	off = (ack >> 1) & 0x7;
1689 	mss = (ack >> 4) & 0x7;
1690 	flags = ack & 0x7f;
1691 
1692 	/* Which of the two secrets to use. */
1693 	secbits = (flags & 0x1) ? sch->sch_secbits_odd : sch->sch_secbits_even;
1694 
1695 	/*
1696 	 * The secret wasn't updated for the lifetime of a syncookie,
1697 	 * so this SYN-ACK/ACK is either too old (replay) or totally bogus.
1698 	 */
1699 	if (sch->sch_reseed + SYNCOOKIE_LIFETIME < time_uptime) {
1700 		return (NULL);
1701 	}
1702 
1703 	/* Recompute the digest so we can compare it. */
1704 	MD5Init(&ctx);
1705 	MD5Update(&ctx, ((u_int8_t *)secbits) + off,
1706 	    SYNCOOKIE_SECRET_SIZE * sizeof(*secbits) - off);
1707 	MD5Update(&ctx, secbits, off);
1708 	MD5Update(&ctx, inc, sizeof(*inc));
1709 	MD5Update(&ctx, &seq, sizeof(seq));
1710 	MD5Update(&ctx, &flags, sizeof(flags));
1711 	MD5Final((u_int8_t *)&md5_buffer, &ctx);
1712 
1713 	/* Does the digest part of or ACK'ed ISS match? */
1714 	if ((ack & (~0x7f)) != (md5_buffer[0] << 7))
1715 		return (NULL);
1716 
1717 	/* Does the digest part of our reflected timestamp match? */
1718 	if (to->to_flags & TOF_TS) {
1719 		data = md5_buffer[3] ^ to->to_tsecr;
1720 		if ((data & (~0x3ff)) != (md5_buffer[2] << 10))
1721 			return (NULL);
1722 	}
1723 
1724 	/* Fill in the syncache values. */
1725 	bcopy(inc, &sc->sc_inc, sizeof(struct in_conninfo));
1726 	sc->sc_ipopts = NULL;
1727 
1728 	sc->sc_irs = seq;
1729 	sc->sc_iss = ack;
1730 
1731 #ifdef INET6
1732 	if (inc->inc_flags & INC_ISIPV6) {
1733 		if (sotoinpcb(so)->inp_flags & IN6P_AUTOFLOWLABEL)
1734 			sc->sc_flowlabel = md5_buffer[1] & IPV6_FLOWLABEL_MASK;
1735 	} else
1736 #endif
1737 	{
1738 		sc->sc_ip_ttl = sotoinpcb(so)->inp_ip_ttl;
1739 		sc->sc_ip_tos = sotoinpcb(so)->inp_ip_tos;
1740 	}
1741 
1742 	/* Additional parameters that were encoded in the timestamp. */
1743 	if (data) {
1744 		sc->sc_flags |= SCF_TIMESTAMP;
1745 		sc->sc_tsreflect = to->to_tsval;
1746 		sc->sc_ts = to->to_tsecr;
1747 		sc->sc_tsoff = to->to_tsecr - ticks;
1748 		sc->sc_flags |= (data & 0x1) ? SCF_SIGNATURE : 0;
1749 		sc->sc_flags |= ((data >> 1) & 0x1) ? SCF_SACK : 0;
1750 		sc->sc_requested_s_scale = min((data >> 2) & 0xf,
1751 		    TCP_MAX_WINSHIFT);
1752 		sc->sc_requested_r_scale = min((data >> 6) & 0xf,
1753 		    TCP_MAX_WINSHIFT);
1754 		if (sc->sc_requested_s_scale || sc->sc_requested_r_scale)
1755 			sc->sc_flags |= SCF_WINSCALE;
1756 	} else
1757 		sc->sc_flags |= SCF_NOOPT;
1758 
1759 	wnd = sbspace(&so->so_rcv);
1760 	wnd = imax(wnd, 0);
1761 	wnd = imin(wnd, TCP_MAXWIN);
1762 	sc->sc_wnd = wnd;
1763 
1764 	sc->sc_rxmits = 0;
1765 	sc->sc_peer_mss = tcp_sc_msstab[mss];
1766 
1767 	TCPSTAT_INC(tcps_sc_recvcookie);
1768 	return (sc);
1769 }
1770 
1771 /*
1772  * Returns the current number of syncache entries.  This number
1773  * will probably change before you get around to calling
1774  * syncache_pcblist.
1775  */
1776 
1777 int
1778 syncache_pcbcount(void)
1779 {
1780 	struct syncache_head *sch;
1781 	int count, i;
1782 
1783 	for (count = 0, i = 0; i < V_tcp_syncache.hashsize; i++) {
1784 		/* No need to lock for a read. */
1785 		sch = &V_tcp_syncache.hashbase[i];
1786 		count += sch->sch_length;
1787 	}
1788 	return count;
1789 }
1790 
1791 /*
1792  * Exports the syncache entries to userland so that netstat can display
1793  * them alongside the other sockets.  This function is intended to be
1794  * called only from tcp_pcblist.
1795  *
1796  * Due to concurrency on an active system, the number of pcbs exported
1797  * may have no relation to max_pcbs.  max_pcbs merely indicates the
1798  * amount of space the caller allocated for this function to use.
1799  */
1800 int
1801 syncache_pcblist(struct sysctl_req *req, int max_pcbs, int *pcbs_exported)
1802 {
1803 	struct xtcpcb xt;
1804 	struct syncache *sc;
1805 	struct syncache_head *sch;
1806 	int count, error, i;
1807 
1808 	for (count = 0, error = 0, i = 0; i < V_tcp_syncache.hashsize; i++) {
1809 		sch = &V_tcp_syncache.hashbase[i];
1810 		SCH_LOCK(sch);
1811 		TAILQ_FOREACH(sc, &sch->sch_bucket, sc_hash) {
1812 			if (count >= max_pcbs) {
1813 				SCH_UNLOCK(sch);
1814 				goto exit;
1815 			}
1816 			if (cr_cansee(req->td->td_ucred, sc->sc_cred) != 0)
1817 				continue;
1818 			bzero(&xt, sizeof(xt));
1819 			xt.xt_len = sizeof(xt);
1820 			if (sc->sc_inc.inc_flags & INC_ISIPV6)
1821 				xt.xt_inp.inp_vflag = INP_IPV6;
1822 			else
1823 				xt.xt_inp.inp_vflag = INP_IPV4;
1824 			bcopy(&sc->sc_inc, &xt.xt_inp.inp_inc, sizeof (struct in_conninfo));
1825 			xt.xt_tp.t_inpcb = &xt.xt_inp;
1826 			xt.xt_tp.t_state = TCPS_SYN_RECEIVED;
1827 			xt.xt_socket.xso_protocol = IPPROTO_TCP;
1828 			xt.xt_socket.xso_len = sizeof (struct xsocket);
1829 			xt.xt_socket.so_type = SOCK_STREAM;
1830 			xt.xt_socket.so_state = SS_ISCONNECTING;
1831 			error = SYSCTL_OUT(req, &xt, sizeof xt);
1832 			if (error) {
1833 				SCH_UNLOCK(sch);
1834 				goto exit;
1835 			}
1836 			count++;
1837 		}
1838 		SCH_UNLOCK(sch);
1839 	}
1840 exit:
1841 	*pcbs_exported = count;
1842 	return error;
1843 }
1844