Instead of having a single TFO-context, we now have a list of
tcp_fastopen_context, bounded by TCP_FASTOPEN_CTXT_LEN (set to 2).
This enables us to do a rolling TFO-key update that allows the server to
accept old cookies and at the same time announce new ones to the client
(see follow-up patch).
Signed-off-by: Christoph Paasch <cpaa...@apple.com>
---
include/net/tcp.h | 2 ++
net/ipv4/tcp_fastopen.c | 52 +++++++++++++++++++++++++++++++++++++++++++++----
2 files changed, 50 insertions(+), 4 deletions(-)
diff --git a/include/net/tcp.h b/include/net/tcp.h
index e0a65c067662..e629ea2e6c9d 100644
--- a/include/net/tcp.h
+++ b/include/net/tcp.h
@@ -1622,9 +1622,11 @@ bool tcp_fastopen_cookie_check(struct sock *sk, u16 *mss,
struct tcp_fastopen_cookie *cookie);
bool tcp_fastopen_defer_connect(struct sock *sk, int *err);
#define TCP_FASTOPEN_KEY_LENGTH 16
+#define TCP_FASTOPEN_CTXT_LEN 2
/* Fastopen key context */
struct tcp_fastopen_context {
+ struct tcp_fastopen_context __rcu *next;
struct crypto_cipher *tfm;
__u8 key[TCP_FASTOPEN_KEY_LENGTH];
struct rcu_head rcu;
diff --git a/net/ipv4/tcp_fastopen.c b/net/ipv4/tcp_fastopen.c
index 018a48477355..c52d5b8eabf0 100644
--- a/net/ipv4/tcp_fastopen.c
+++ b/net/ipv4/tcp_fastopen.c
@@ -37,8 +37,14 @@ static void tcp_fastopen_ctx_free(struct rcu_head *head)
{
struct tcp_fastopen_context *ctx =
container_of(head, struct tcp_fastopen_context, rcu);
- crypto_free_cipher(ctx->tfm);
- kfree(ctx);
+
+ while (ctx) {
+ struct tcp_fastopen_context *prev = ctx;
+ /* We own ctx, thus no need to hold the Fastopen-lock */
+ ctx = rcu_dereference_protected(ctx->next, 1);
+ crypto_free_cipher(prev->tfm);
+ kfree(prev);
+ }
}
void tcp_fastopen_destroy_cipher(struct sock *sk)
@@ -66,6 +72,35 @@ void tcp_fastopen_ctx_destroy(struct net *net)
call_rcu(&ctxt->rcu, tcp_fastopen_ctx_free);
}
+static struct tcp_fastopen_context *
+tcp_fastopen_cut_keypool(struct tcp_fastopen_context *ctx,
+ spinlock_t *lock)
+{
+ int cnt = 0;
+
+ while (ctx) {
+ /* We iterate the list to see if we have more than
+ * TCP_FASTOPEN_CTXT_LEN contexts. If we do, we remove the rest
+ * of the list and free it later
+ */
+
+ cnt++;
+ if (cnt >= TCP_FASTOPEN_CTXT_LEN) {
+ /* It's the last one, return the rest so it gets freed
*/
+ struct tcp_fastopen_context *prev = ctx;
+
+ ctx = rcu_dereference_protected(ctx->next,
+ lockdep_is_held(lock));
+ rcu_assign_pointer(prev->next, NULL);
+ break;
+ }
+ ctx = rcu_dereference_protected(ctx->next,
+ lockdep_is_held(lock));
+ }
+
+ return ctx;
+}
+
int tcp_fastopen_reset_cipher(struct net *net, struct sock *sk,
void *key, unsigned int len)
{
@@ -96,13 +131,22 @@ error: kfree(ctx);
spin_lock(&net->ipv4.tcp_fastopen_ctx_lock);
if (sk) {
q = &inet_csk(sk)->icsk_accept_queue.fastopenq;
+ rcu_assign_pointer(ctx->next, q->ctx);
+ rcu_assign_pointer(q->ctx, ctx);
+
octx = rcu_dereference_protected(q->ctx,
lockdep_is_held(&net->ipv4.tcp_fastopen_ctx_lock));
- rcu_assign_pointer(q->ctx, ctx);
+
+ octx = tcp_fastopen_cut_keypool(octx,
&net->ipv4.tcp_fastopen_ctx_lock);
} else {
+ rcu_assign_pointer(ctx->next, net->ipv4.tcp_fastopen_ctx);
+ rcu_assign_pointer(net->ipv4.tcp_fastopen_ctx, ctx);
+
octx = rcu_dereference_protected(net->ipv4.tcp_fastopen_ctx,
lockdep_is_held(&net->ipv4.tcp_fastopen_ctx_lock));
- rcu_assign_pointer(net->ipv4.tcp_fastopen_ctx, ctx);
+
+ octx = tcp_fastopen_cut_keypool(octx,
+
&net->ipv4.tcp_fastopen_ctx_lock);
}
spin_unlock(&net->ipv4.tcp_fastopen_ctx_lock);
--
2.16.2
