tcp: syncookies: reduce cookie lifetime to 128 seconds

struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb,

			     struct ip_options *opt);

#ifdef CONFIG_SYN_COOKIES

#include <linux/ktime.h>

/* Syncookies use a monotonic timer which increments every 64 seconds.

 * This counter is used both as a hash input and partially encoded into

 * the cookie value.  A cookie is only validated further if the delta

 * between the current counter value and the encoded one is less than this,

 * i.e. a sent cookie is valid only at most for 128 seconds (or less if

 * the counter advances immediately after a cookie is generated).

 */

#define MAX_SYNCOOKIE_AGE 2

static inline u32 tcp_cookie_time(void)

{

	struct timespec now;

	getnstimeofday(&now);

	return now.tv_sec >> 6; /* 64 seconds granularity */

}

u32 __cookie_v4_init_sequence(const struct iphdr *iph, const struct tcphdr *th,

			      u16 *mssp);

__u32 cookie_v4_init_sequence(struct sock *sk, struct sk_buff *skb, __u16 *mss);

static __u32 secure_tcp_syn_cookie(__be32 saddr, __be32 daddr, __be16 sport,

				   __be16 dport, __u32 sseq, __u32 count,

				   __u32 data)

				   __be16 dport, __u32 sseq, __u32 data)

{

	/*

	 * Compute the secure sequence number.

	 * As an extra hack, we add a small "data" value that encodes the

	 * MSS into the second hash value.

	 */

	u32 count = tcp_cookie_time();

	return (cookie_hash(saddr, daddr, sport, dport, 0, 0) +

		sseq + (count << COOKIEBITS) +

		((cookie_hash(saddr, daddr, sport, dport, count, 1) + data)

 * If the syncookie is bad, the data returned will be out of

 * range.  This must be checked by the caller.

 *

 * The count value used to generate the cookie must be within

 * "maxdiff" if the current (passed-in) "count".  The return value

 * is (__u32)-1 if this test fails.

 * The count value used to generate the cookie must be less than

 * MAX_SYNCOOKIE_AGE minutes in the past.

 * The return value (__u32)-1 if this test fails.

 */

static __u32 check_tcp_syn_cookie(__u32 cookie, __be32 saddr, __be32 daddr,

				  __be16 sport, __be16 dport, __u32 sseq,

				  __u32 count, __u32 maxdiff)

				  __be16 sport, __be16 dport, __u32 sseq)

{

	__u32 diff;

	u32 diff, count = tcp_cookie_time();

	/* Strip away the layers from the cookie */

	cookie -= cookie_hash(saddr, daddr, sport, dport, 0, 0) + sseq;

	/* Cookie is now reduced to (count * 2^24) ^ (hash % 2^24) */

	diff = (count - (cookie >> COOKIEBITS)) & ((__u32) - 1 >> COOKIEBITS);

	if (diff >= maxdiff)

	if (diff >= MAX_SYNCOOKIE_AGE)

		return (__u32)-1;

	return (cookie -

	return secure_tcp_syn_cookie(iph->saddr, iph->daddr,

				     th->source, th->dest, ntohl(th->seq),

				     jiffies / (HZ * 60), mssind);

				     mssind);

}

EXPORT_SYMBOL_GPL(__cookie_v4_init_sequence);

	return __cookie_v4_init_sequence(iph, th, mssp);

}

/*

 * This (misnamed) value is the age of syncookie which is permitted.

 * Its ideal value should be dependent on TCP_TIMEOUT_INIT and

 * sysctl_tcp_retries1. It's a rather complicated formula (exponential

 * backoff) to compute at runtime so it's currently hardcoded here.

 */

#define COUNTER_TRIES 4

/*

 * Check if a ack sequence number is a valid syncookie.

 * Return the decoded mss if it is, or 0 if not.

{

	__u32 seq = ntohl(th->seq) - 1;

	__u32 mssind = check_tcp_syn_cookie(cookie, iph->saddr, iph->daddr,

					    th->source, th->dest, seq,

					    jiffies / (HZ * 60),

					    COUNTER_TRIES);

					    th->source, th->dest, seq);

	return mssind < ARRAY_SIZE(msstab) ? msstab[mssind] : 0;

}

	9000 - 60,

};

/*

 * This (misnamed) value is the age of syncookie which is permitted.

 * Its ideal value should be dependent on TCP_TIMEOUT_INIT and

 * sysctl_tcp_retries1. It's a rather complicated formula (exponential

 * backoff) to compute at runtime so it's currently hardcoded here.

 */

#define COUNTER_TRIES 4

static inline struct sock *get_cookie_sock(struct sock *sk, struct sk_buff *skb,

					   struct request_sock *req,

					   struct dst_entry *dst)

static __u32 secure_tcp_syn_cookie(const struct in6_addr *saddr,

				   const struct in6_addr *daddr,

				   __be16 sport, __be16 dport, __u32 sseq,

				   __u32 count, __u32 data)

				   __u32 data)

{

	u32 count = tcp_cookie_time();

	return (cookie_hash(saddr, daddr, sport, dport, 0, 0) +

		sseq + (count << COOKIEBITS) +

		((cookie_hash(saddr, daddr, sport, dport, count, 1) + data)

static __u32 check_tcp_syn_cookie(__u32 cookie, const struct in6_addr *saddr,

				  const struct in6_addr *daddr, __be16 sport,

				  __be16 dport, __u32 sseq, __u32 count,

				  __u32 maxdiff)

				  __be16 dport, __u32 sseq)

{

	__u32 diff;

	__u32 diff, count = tcp_cookie_time();

	cookie -= cookie_hash(saddr, daddr, sport, dport, 0, 0) + sseq;

	diff = (count - (cookie >> COOKIEBITS)) & ((__u32) -1 >> COOKIEBITS);

	if (diff >= maxdiff)

	if (diff >= MAX_SYNCOOKIE_AGE)

		return (__u32)-1;

	return (cookie -

	*mssp = msstab[mssind];

	return secure_tcp_syn_cookie(&iph->saddr, &iph->daddr, th->source,

				     th->dest, ntohl(th->seq),

				     jiffies / (HZ * 60), mssind);

				     th->dest, ntohl(th->seq), mssind);

}

EXPORT_SYMBOL_GPL(__cookie_v6_init_sequence);

{

	__u32 seq = ntohl(th->seq) - 1;

	__u32 mssind = check_tcp_syn_cookie(cookie, &iph->saddr, &iph->daddr,

					    th->source, th->dest, seq,

					    jiffies / (HZ * 60), COUNTER_TRIES);

					    th->source, th->dest, seq);

	return mssind < ARRAY_SIZE(msstab) ? msstab[mssind] : 0;

}