tcp: secure_seq: add back ports to TS offset

#include <linux/types.h>

struct net;

extern struct net init_net;

union tcp_seq_and_ts_off {

	struct {

		u32 seq;

		u32 ts_off;

	};

	u64 hash64;

};

u64 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport);

u64 secure_ipv6_port_ephemeral(const __be32 *saddr, const __be32 *daddr,

			       __be16 dport);

u32 secure_tcp_seq(__be32 saddr, __be32 daddr,

union tcp_seq_and_ts_off

secure_tcp_seq_and_ts_off(const struct net *net, __be32 saddr, __be32 daddr,

			  __be16 sport, __be16 dport);

u32 secure_tcp_ts_off(const struct net *net, __be32 saddr, __be32 daddr);

u32 secure_tcpv6_seq(const __be32 *saddr, const __be32 *daddr,

static inline u32 secure_tcp_seq(__be32 saddr, __be32 daddr,

				 __be16 sport, __be16 dport)

{

	union tcp_seq_and_ts_off ts;

	ts = secure_tcp_seq_and_ts_off(&init_net, saddr, daddr,

				       sport, dport);

	return ts.seq;

}

union tcp_seq_and_ts_off

secure_tcpv6_seq_and_ts_off(const struct net *net, const __be32 *saddr,

			    const __be32 *daddr,

			    __be16 sport, __be16 dport);

u32 secure_tcpv6_ts_off(const struct net *net,

			const __be32 *saddr, const __be32 *daddr);

static inline u32 secure_tcpv6_seq(const __be32 *saddr, const __be32 *daddr,

				   __be16 sport, __be16 dport)

{

	union tcp_seq_and_ts_off ts;

	ts = secure_tcpv6_seq_and_ts_off(&init_net, saddr, daddr,

					 sport, dport);

	return ts.seq;

}

#endif /* _NET_SECURE_SEQ */

#include <net/dst.h>

#include <net/mptcp.h>

#include <net/xfrm.h>

#include <net/secure_seq.h>

#include <linux/seq_file.h>

#include <linux/memcontrol.h>

				       struct flowi *fl,

				       struct request_sock *req,

				       u32 tw_isn);

	u32 (*init_seq)(const struct sk_buff *skb);

	u32 (*init_ts_off)(const struct net *net, const struct sk_buff *skb);

	union tcp_seq_and_ts_off (*init_seq_and_ts_off)(

					const struct net *net,

					const struct sk_buff *skb);

	int (*send_synack)(const struct sock *sk, struct dst_entry *dst,

			   struct flowi *fl, struct request_sock *req,

			   struct tcp_fastopen_cookie *foc,

#include <net/tcp.h>

static siphash_aligned_key_t net_secret;

static siphash_aligned_key_t ts_secret;

#define EPHEMERAL_PORT_SHUFFLE_PERIOD (10 * HZ)

{

	net_get_random_once(&net_secret, sizeof(net_secret));

}

static __always_inline void ts_secret_init(void)

{

	net_get_random_once(&ts_secret, sizeof(ts_secret));

}

#endif

#ifdef CONFIG_INET

#endif

#if IS_ENABLED(CONFIG_IPV6)

u32 secure_tcpv6_ts_off(const struct net *net,

			const __be32 *saddr, const __be32 *daddr)

{

	const struct {

		struct in6_addr saddr;

		struct in6_addr daddr;

	} __aligned(SIPHASH_ALIGNMENT) combined = {

		.saddr = *(struct in6_addr *)saddr,

		.daddr = *(struct in6_addr *)daddr,

	};

	if (READ_ONCE(net->ipv4.sysctl_tcp_timestamps) != 1)

		return 0;

	ts_secret_init();

	return siphash(&combined, offsetofend(typeof(combined), daddr),

		       &ts_secret);

}

EXPORT_IPV6_MOD(secure_tcpv6_ts_off);

u32 secure_tcpv6_seq(const __be32 *saddr, const __be32 *daddr,

		     __be16 sport, __be16 dport)

union tcp_seq_and_ts_off

secure_tcpv6_seq_and_ts_off(const struct net *net, const __be32 *saddr,

			    const __be32 *daddr, __be16 sport, __be16 dport)

{

	const struct {

		struct in6_addr saddr;

		.sport = sport,

		.dport = dport

	};

	u32 hash;

	union tcp_seq_and_ts_off st;

	net_secret_init();

	hash = siphash(&combined, offsetofend(typeof(combined), dport),

	st.hash64 = siphash(&combined, offsetofend(typeof(combined), dport),

			    &net_secret);

	return seq_scale(hash);

	if (READ_ONCE(net->ipv4.sysctl_tcp_timestamps) != 1)

		st.ts_off = 0;

	st.seq = seq_scale(st.seq);

	return st;

}

EXPORT_SYMBOL(secure_tcpv6_seq);

EXPORT_SYMBOL(secure_tcpv6_seq_and_ts_off);

u64 secure_ipv6_port_ephemeral(const __be32 *saddr, const __be32 *daddr,

			       __be16 dport)

#endif

#ifdef CONFIG_INET

u32 secure_tcp_ts_off(const struct net *net, __be32 saddr, __be32 daddr)

{

	if (READ_ONCE(net->ipv4.sysctl_tcp_timestamps) != 1)

		return 0;

	ts_secret_init();

	return siphash_2u32((__force u32)saddr, (__force u32)daddr,

			    &ts_secret);

}

/* secure_tcp_seq_and_tsoff(a, b, 0, d) == secure_ipv4_port_ephemeral(a, b, d),

 * but fortunately, `sport' cannot be 0 in any circumstances. If this changes,

 * it would be easy enough to have the former function use siphash_4u32, passing

 * the arguments as separate u32.

 */

u32 secure_tcp_seq(__be32 saddr, __be32 daddr,

union tcp_seq_and_ts_off

secure_tcp_seq_and_ts_off(const struct net *net, __be32 saddr, __be32 daddr,

			  __be16 sport, __be16 dport)

{

	u32 hash;

	u32 ports = (__force u32)sport << 16 | (__force u32)dport;

	union tcp_seq_and_ts_off st;

	net_secret_init();

	hash = siphash_3u32((__force u32)saddr, (__force u32)daddr,

			    (__force u32)sport << 16 | (__force u32)dport,

			    &net_secret);

	return seq_scale(hash);

	st.hash64 = siphash_3u32((__force u32)saddr, (__force u32)daddr,

				 ports, &net_secret);

	if (READ_ONCE(net->ipv4.sysctl_tcp_timestamps) != 1)

		st.ts_off = 0;

	st.seq = seq_scale(st.seq);

	return st;

}

EXPORT_SYMBOL_GPL(secure_tcp_seq);

EXPORT_SYMBOL_GPL(secure_tcp_seq_and_ts_off);

u64 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport)

{

	tcp_parse_options(net, skb, &tcp_opt, 0, NULL);

	if (tcp_opt.saw_tstamp && tcp_opt.rcv_tsecr) {

		tsoff = secure_tcp_ts_off(net,

		union tcp_seq_and_ts_off st;

		st = secure_tcp_seq_and_ts_off(net,

					       ip_hdr(skb)->daddr,

					  ip_hdr(skb)->saddr);

					       ip_hdr(skb)->saddr,

					       tcp_hdr(skb)->dest,

					       tcp_hdr(skb)->source);

		tsoff = st.ts_off;

		tcp_opt.rcv_tsecr -= tsoff;

	}

	const struct tcp_sock *tp = tcp_sk(sk);

	struct net *net = sock_net(sk);

	struct sock *fastopen_sk = NULL;

	union tcp_seq_and_ts_off st;

	struct request_sock *req;

	bool want_cookie = false;

	struct dst_entry *dst;

	if (!dst)

		goto drop_and_free;

	if (tmp_opt.tstamp_ok || (!want_cookie && !isn))

		st = af_ops->init_seq_and_ts_off(net, skb);

	if (tmp_opt.tstamp_ok) {

		tcp_rsk(req)->req_usec_ts = dst_tcp_usec_ts(dst);

		tcp_rsk(req)->ts_off = af_ops->init_ts_off(net, skb);

		tcp_rsk(req)->ts_off = st.ts_off;

	}

	if (!want_cookie && !isn) {

		int max_syn_backlog = READ_ONCE(net->ipv4.sysctl_max_syn_backlog);

			goto drop_and_release;

		}

		isn = af_ops->init_seq(skb);

		isn = st.seq;

	}

	tcp_ecn_create_request(req, skb, sk, dst);