Merge branch 'add-TFO-backup-key'

	0 to disable the blackhole detection.

	By default, it is set to 1hr.

tcp_fastopen_key - list of comma separated 32-digit hexadecimal INTEGERs

	The list consists of a primary key and an optional backup key. The

	primary key is used for both creating and validating cookies, while the

	optional backup key is only used for validating cookies. The purpose of

	the backup key is to maximize TFO validation when keys are rotated.

	A randomly chosen primary key may be configured by the kernel if

	the tcp_fastopen sysctl is set to 0x400 (see above), or if the

	TCP_FASTOPEN setsockopt() optname is set and a key has not been

	previously configured via sysctl. If keys are configured via

	setsockopt() by using the TCP_FASTOPEN_KEY optname, then those

	per-socket keys will be used instead of any keys that are specified via

	sysctl.

	A key is specified as 4 8-digit hexadecimal integers which are separated

	by a '-' as: xxxxxxxx-xxxxxxxx-xxxxxxxx-xxxxxxxx. Leading zeros may be

	omitted. A primary and a backup key may be specified by separating them

	by a comma. If only one key is specified, it becomes the primary key and

	any previously configured backup keys are removed.

tcp_syn_retries - INTEGER

	Number of times initial SYNs for an active TCP connection attempt

	will be retransmitted. Should not be higher than 127. Default value

void tcp_fastopen_destroy_cipher(struct sock *sk);

void tcp_fastopen_ctx_destroy(struct net *net);

int tcp_fastopen_reset_cipher(struct net *net, struct sock *sk,

			      void *key, unsigned int len);

			      void *primary_key, void *backup_key,

			      unsigned int len);

void tcp_fastopen_add_skb(struct sock *sk, struct sk_buff *skb);

struct sock *tcp_try_fastopen(struct sock *sk, struct sk_buff *skb,

			      struct request_sock *req,

			     struct tcp_fastopen_cookie *cookie);

bool tcp_fastopen_defer_connect(struct sock *sk, int *err);

#define TCP_FASTOPEN_KEY_LENGTH 16

#define TCP_FASTOPEN_KEY_MAX 2

#define TCP_FASTOPEN_KEY_BUF_LENGTH \

	(TCP_FASTOPEN_KEY_LENGTH * TCP_FASTOPEN_KEY_MAX)

/* Fastopen key context */

struct tcp_fastopen_context {

	struct crypto_cipher	*tfm;

	__u8			key[TCP_FASTOPEN_KEY_LENGTH];

	struct crypto_cipher	*tfm[TCP_FASTOPEN_KEY_MAX];

	__u8			key[TCP_FASTOPEN_KEY_BUF_LENGTH];

	struct rcu_head		rcu;

};

void tcp_fastopen_active_disable_ofo_check(struct sock *sk);

void tcp_fastopen_active_detect_blackhole(struct sock *sk, bool expired);

/* Caller needs to wrap with rcu_read_(un)lock() */

static inline

struct tcp_fastopen_context *tcp_fastopen_get_ctx(const struct sock *sk)

{

	struct tcp_fastopen_context *ctx;

	ctx = rcu_dereference(inet_csk(sk)->icsk_accept_queue.fastopenq.ctx);

	if (!ctx)

		ctx = rcu_dereference(sock_net(sk)->ipv4.tcp_fastopen_ctx);

	return ctx;

}

static inline

bool tcp_fastopen_cookie_match(const struct tcp_fastopen_cookie *foc,

			       const struct tcp_fastopen_cookie *orig)

{

	if (orig->len == TCP_FASTOPEN_COOKIE_SIZE &&

	    orig->len == foc->len &&

	    !memcmp(orig->val, foc->val, foc->len))

		return true;

	return false;

}

static inline

int tcp_fastopen_context_len(const struct tcp_fastopen_context *ctx)

{

	if (ctx->tfm[1])

		return 2;

	return 1;

}

/* Latencies incurred by various limits for a sender. They are

 * chronograph-like stats that are mutually exclusive.

 */

	LINUX_MIB_TCPACKCOMPRESSED,		/* TCPAckCompressed */

	LINUX_MIB_TCPZEROWINDOWDROP,		/* TCPZeroWindowDrop */

	LINUX_MIB_TCPRCVQDROP,			/* TCPRcvQDrop */

	LINUX_MIB_TCPFASTOPENPASSIVEALTKEY,	/* TCPFastOpenPassiveAltKey */

	__LINUX_MIB_MAX

};

	SNMP_MIB_ITEM("TCPAckCompressed", LINUX_MIB_TCPACKCOMPRESSED),

	SNMP_MIB_ITEM("TCPZeroWindowDrop", LINUX_MIB_TCPZEROWINDOWDROP),

	SNMP_MIB_ITEM("TCPRcvQDrop", LINUX_MIB_TCPRCVQDROP),

	SNMP_MIB_ITEM("TCPFastOpenPassiveAltKey", LINUX_MIB_TCPFASTOPENPASSIVEALTKEY),

	SNMP_MIB_SENTINEL

};

	return ret;

}

static int sscanf_key(char *buf, __le32 *key)

{

	u32 user_key[4];

	int i, ret = 0;

	if (sscanf(buf, "%x-%x-%x-%x", user_key, user_key + 1,

		   user_key + 2, user_key + 3) != 4) {

		ret = -EINVAL;

	} else {

		for (i = 0; i < ARRAY_SIZE(user_key); i++)

			key[i] = cpu_to_le32(user_key[i]);

	}

	pr_debug("proc TFO key set 0x%x-%x-%x-%x <- 0x%s: %u\n",

		 user_key[0], user_key[1], user_key[2], user_key[3], buf, ret);

	return ret;

}

static int proc_tcp_fastopen_key(struct ctl_table *table, int write,

				 void __user *buffer, size_t *lenp,

				 loff_t *ppos)

{

	struct net *net = container_of(table->data, struct net,

	    ipv4.sysctl_tcp_fastopen);

	struct ctl_table tbl = { .maxlen = (TCP_FASTOPEN_KEY_LENGTH * 2 + 10) };

	struct tcp_fastopen_context *ctxt;

	u32  user_key[4]; /* 16 bytes, matching TCP_FASTOPEN_KEY_LENGTH */

	__le32 key[4];

	int ret, i;

	/* maxlen to print the list of keys in hex (*2), with dashes

	 * separating doublewords and a comma in between keys.

	 */

	struct ctl_table tbl = { .maxlen = ((TCP_FASTOPEN_KEY_LENGTH *

					    2 * TCP_FASTOPEN_KEY_MAX) +

					    (TCP_FASTOPEN_KEY_MAX * 5)) };

	struct tcp_fastopen_context *ctx;

	u32 user_key[TCP_FASTOPEN_KEY_MAX * 4];

	__le32 key[TCP_FASTOPEN_KEY_MAX * 4];

	char *backup_data;

	int ret, i = 0, off = 0, n_keys = 0;

	tbl.data = kmalloc(tbl.maxlen, GFP_KERNEL);

	if (!tbl.data)

		return -ENOMEM;

	rcu_read_lock();

	ctxt = rcu_dereference(net->ipv4.tcp_fastopen_ctx);

	if (ctxt)

		memcpy(key, ctxt->key, TCP_FASTOPEN_KEY_LENGTH);

	else

		memset(key, 0, sizeof(key));

	ctx = rcu_dereference(net->ipv4.tcp_fastopen_ctx);

	if (ctx) {

		n_keys = tcp_fastopen_context_len(ctx);

		memcpy(&key[0], &ctx->key[0], TCP_FASTOPEN_KEY_LENGTH * n_keys);

	}

	rcu_read_unlock();

	for (i = 0; i < ARRAY_SIZE(key); i++)

	if (!n_keys) {

		memset(&key[0], 0, TCP_FASTOPEN_KEY_LENGTH);

		n_keys = 1;

	}

	for (i = 0; i < n_keys * 4; i++)

		user_key[i] = le32_to_cpu(key[i]);

	snprintf(tbl.data, tbl.maxlen, "%08x-%08x-%08x-%08x",

		user_key[0], user_key[1], user_key[2], user_key[3]);

	for (i = 0; i < n_keys; i++) {

		off += snprintf(tbl.data + off, tbl.maxlen - off,

				"%08x-%08x-%08x-%08x",

				user_key[i * 4],

				user_key[i * 4 + 1],

				user_key[i * 4 + 2],

				user_key[i * 4 + 3]);

		if (i + 1 < n_keys)

			off += snprintf(tbl.data + off, tbl.maxlen - off, ",");

	}

	ret = proc_dostring(&tbl, write, buffer, lenp, ppos);

	if (write && ret == 0) {

		if (sscanf(tbl.data, "%x-%x-%x-%x", user_key, user_key + 1,

			   user_key + 2, user_key + 3) != 4) {

		backup_data = strchr(tbl.data, ',');

		if (backup_data) {

			*backup_data = '\0';

			backup_data++;

		}

		if (sscanf_key(tbl.data, key)) {

			ret = -EINVAL;

			goto bad_key;

		}

		for (i = 0; i < ARRAY_SIZE(user_key); i++)

			key[i] = cpu_to_le32(user_key[i]);

		if (backup_data) {

			if (sscanf_key(backup_data, key + 4)) {

				ret = -EINVAL;

				goto bad_key;

			}

		}

		tcp_fastopen_reset_cipher(net, NULL, key,

					  backup_data ? key + 4 : NULL,

					  TCP_FASTOPEN_KEY_LENGTH);

	}

bad_key:

	pr_debug("proc FO key set 0x%x-%x-%x-%x <- 0x%s: %u\n",

		user_key[0], user_key[1], user_key[2], user_key[3],

	       (char *)tbl.data, ret);

	kfree(tbl.data);

	return ret;

}

		.procname	= "tcp_fastopen_key",

		.mode		= 0600,

		.data		= &init_net.ipv4.sysctl_tcp_fastopen,

		.maxlen		= ((TCP_FASTOPEN_KEY_LENGTH * 2) + 10),

		/* maxlen to print the list of keys in hex (*2), with dashes

		 * separating doublewords and a comma in between keys.

		 */

		.maxlen		= ((TCP_FASTOPEN_KEY_LENGTH *

				   2 * TCP_FASTOPEN_KEY_MAX) +

				   (TCP_FASTOPEN_KEY_MAX * 5)),

		.proc_handler	= proc_tcp_fastopen_key,

	},

	{