tcp_fastopen.c

Go to the documentation of this file.

/*-
 * Copyright (c) 2015-2017 Patrick Kelsey
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */
 
/*
 * This is an implementation of TCP Fast Open (TFO) [RFC7413]. To include
 * this code, add the following line to your kernel config:
 *
 * options TCP_RFC7413
 *
 *
 * The generated TFO cookies are the 64-bit output of
 * SipHash24(key=<16-byte-key>, msg=<client-ip>).  Multiple concurrent valid
 * keys are supported so that time-based rolling cookie invalidation
 * policies can be implemented in the system.  The default number of
 * concurrent keys is 2.  This can be adjusted in the kernel config as
 * follows:
 *
 * options TCP_RFC7413_MAX_KEYS=<num-keys>
 *
 *
 * In addition to the facilities defined in RFC7413, this implementation
 * supports a pre-shared key (PSK) mode of operation in which the TFO server
 * requires the client to be in posession of a shared secret in order for
 * the client to be able to successfully open TFO connections with the
 * server.  This is useful, for example, in environments where TFO servers
 * are exposed to both internal and external clients and only wish to allow
 * TFO connections from internal clients.
 *
 * In the PSK mode of operation, the server generates and sends TFO cookies
 * to requesting clients as usual.  However, when validating cookies
 * received in TFO SYNs from clients, the server requires the
 * client-supplied cookie to equal SipHash24(key=<16-byte-psk>,
 * msg=<cookie-sent-to-client>).
 *
 * Multiple concurrent valid pre-shared keys are supported so that
 * time-based rolling PSK invalidation policies can be implemented in the
 * system.  The default number of concurrent pre-shared keys is 2.  This can
 * be adjusted in the kernel config as follows:
 *
 * options TCP_RFC7413_MAX_PSKS=<num-psks>
 *
 *
 * The following TFO-specific sysctls are defined:
 *
 * net.inet.tcp.fastopen.acceptany (RW, default 0)
 *     When non-zero, all client-supplied TFO cookies will be considered to
 *     be valid.
 *
 * net.inet.tcp.fastopen.autokey (RW, default 120)
 *     When this and net.inet.tcp.fastopen.server_enable are non-zero, a new
 *     key will be automatically generated after this many seconds.
 *
 * net.inet.tcp.fastopen.ccache_bucket_limit
 *                     (RWTUN, default TCP_FASTOPEN_CCACHE_BUCKET_LIMIT_DEFAULT)
 *     The maximum number of entries in a client cookie cache bucket.
 *
 * net.inet.tcp.fastopen.ccache_buckets
 *                          (RDTUN, default TCP_FASTOPEN_CCACHE_BUCKETS_DEFAULT)
 *     The number of client cookie cache buckets.
 *
 * net.inet.tcp.fastopen.ccache_list (RO)
 *     Print the client cookie cache.
 *
 * net.inet.tcp.fastopen.client_enable (RW, default 0)
 *     When zero, no new active (i.e., client) TFO connections can be
 *     created.  On the transition from enabled to disabled, the client
 *     cookie cache is cleared and disabled.  The transition from enabled to
 *     disabled does not affect any active TFO connections in progress; it
 *     only prevents new ones from being made.
 *
 * net.inet.tcp.fastopen.keylen (RD)
 *     The key length in bytes.
 *
 * net.inet.tcp.fastopen.maxkeys (RD)
 *     The maximum number of keys supported.
 *
 * net.inet.tcp.fastopen.maxpsks (RD)
 *     The maximum number of pre-shared keys supported.
 *
 * net.inet.tcp.fastopen.numkeys (RD)
 *     The current number of keys installed.
 *
 * net.inet.tcp.fastopen.numpsks (RD)
 *     The current number of pre-shared keys installed.
 *
 * net.inet.tcp.fastopen.path_disable_time
 *                          (RW, default TCP_FASTOPEN_PATH_DISABLE_TIME_DEFAULT)
 *     When a failure occurs while trying to create a new active (i.e.,
 *     client) TFO connection, new active connections on the same path, as
 *     determined by the tuple {client_ip, server_ip, server_port}, will be
 *     forced to be non-TFO for this many seconds.  Note that the path
 *     disable mechanism relies on state stored in client cookie cache
 *     entries, so it is possible for the disable time for a given path to
 *     be reduced if the corresponding client cookie cache entry is reused
 *     due to resource pressure before the disable period has elapsed.
 *
 * net.inet.tcp.fastopen.psk_enable (RW, default 0)
 *     When non-zero, pre-shared key (PSK) mode is enabled for all TFO
 *     servers.  On the transition from enabled to disabled, all installed
 *     pre-shared keys are removed.
 *
 * net.inet.tcp.fastopen.server_enable (RW, default 0)
 *     When zero, no new passive (i.e., server) TFO connections can be
 *     created.  On the transition from enabled to disabled, all installed
 *     keys and pre-shared keys are removed.  On the transition from
 *     disabled to enabled, if net.inet.tcp.fastopen.autokey is non-zero and
 *     there are no keys installed, a new key will be generated immediately.
 *     The transition from enabled to disabled does not affect any passive
 *     TFO connections in progress; it only prevents new ones from being
 *     made.
 *
 * net.inet.tcp.fastopen.setkey (WR)
 *     Install a new key by writing net.inet.tcp.fastopen.keylen bytes to
 *     this sysctl.
 *
 * net.inet.tcp.fastopen.setpsk (WR)
 *     Install a new pre-shared key by writing net.inet.tcp.fastopen.keylen
 *     bytes to this sysctl.
 *
 * In order for TFO connections to be created via a listen socket, that
 * socket must have the TCP_FASTOPEN socket option set on it.  This option
 * can be set on the socket either before or after the listen() is invoked.
 * Clearing this option on a listen socket after it has been set has no
 * effect on existing TFO connections or TFO connections in progress; it
 * only prevents new TFO connections from being made.
 *
 * For passively-created sockets, the TCP_FASTOPEN socket option can be
 * queried to determine whether the connection was established using TFO.
 * Note that connections that are established via a TFO SYN, but that fall
 * back to using a non-TFO SYN|ACK will have the TCP_FASTOPEN socket option
 * set.
 *
 * Per the RFC, this implementation limits the number of TFO connections
 * that can be in the SYN_RECEIVED state on a per listen-socket basis.
 * Whenever this limit is exceeded, requests for new TFO connections are
 * serviced as non-TFO requests.  Without such a limit, given a valid TFO
 * cookie, an attacker could keep the listen queue in an overflow condition
 * using a TFO SYN flood.  This implementation sets the limit at half the
 * configured listen backlog.
 *
 */
 
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
 
#include "opt_inet.h"
 
#include <sys/param.h>
#include <sys/jail.h>
#include <sys/kernel.h>
#include <sys/hash.h>
#include <sys/limits.h>
#include <sys/lock.h>
#include <sys/proc.h>
#include <sys/rmlock.h>
#include <sys/sbuf.h>
#include <sys/socket.h>
#include <sys/socketvar.h>
#include <sys/sysctl.h>
#include <sys/systm.h>
 
#include <crypto/siphash/siphash.h>
 
#include <net/vnet.h>
 
#include <netinet/in.h>
#include <netinet/in_pcb.h>
#include <netinet/tcp_var.h>
#include <netinet/tcp_fastopen.h>
 
#define TCP_FASTOPEN_KEY_LEN    SIPHASH_KEY_LENGTH
 
#if TCP_FASTOPEN_PSK_LEN != TCP_FASTOPEN_KEY_LEN
#error TCP_FASTOPEN_PSK_LEN must be equal to TCP_FASTOPEN_KEY_LEN
#endif
 
/*
 * Because a PSK-mode setsockopt() uses tcpcb.t_tfo_cookie.client to hold
 * the PSK until the connect occurs.
 */
#if TCP_FASTOPEN_MAX_COOKIE_LEN < TCP_FASTOPEN_PSK_LEN
#error TCP_FASTOPEN_MAX_COOKIE_LEN must be >= TCP_FASTOPEN_PSK_LEN
#endif
 
#define TCP_FASTOPEN_CCACHE_BUCKET_LIMIT_DEFAULT        16
#define TCP_FASTOPEN_CCACHE_BUCKETS_DEFAULT             2048 /* must be power of 2 */
 
#define TCP_FASTOPEN_PATH_DISABLE_TIME_DEFAULT          900 /* seconds */
 
#if !defined(TCP_RFC7413_MAX_KEYS) || (TCP_RFC7413_MAX_KEYS < 1)
#define TCP_FASTOPEN_MAX_KEYS   2
#else
#define TCP_FASTOPEN_MAX_KEYS   TCP_RFC7413_MAX_KEYS
#endif
 
#if TCP_FASTOPEN_MAX_KEYS > 10
#undef TCP_FASTOPEN_MAX_KEYS
#define TCP_FASTOPEN_MAX_KEYS   10
#endif
 
#if !defined(TCP_RFC7413_MAX_PSKS) || (TCP_RFC7413_MAX_PSKS < 1)
#define TCP_FASTOPEN_MAX_PSKS   2
#else
#define TCP_FASTOPEN_MAX_PSKS   TCP_RFC7413_MAX_PSKS
#endif
 
#if TCP_FASTOPEN_MAX_PSKS > 10
#undef TCP_FASTOPEN_MAX_PSKS
#define TCP_FASTOPEN_MAX_PSKS   10
#endif
 
struct tcp_fastopen_keylist {
        unsigned int newest;
        unsigned int newest_psk;
        uint8_t key[TCP_FASTOPEN_MAX_KEYS][TCP_FASTOPEN_KEY_LEN];
        uint8_t psk[TCP_FASTOPEN_MAX_PSKS][TCP_FASTOPEN_KEY_LEN];
};
 
struct tcp_fastopen_callout {
        struct callout c;
        struct vnet *v;
};
 
static struct tcp_fastopen_ccache_entry *tcp_fastopen_ccache_lookup(
    struct in_conninfo *, struct tcp_fastopen_ccache_bucket **);
static struct tcp_fastopen_ccache_entry *tcp_fastopen_ccache_create(
    struct tcp_fastopen_ccache_bucket *, struct in_conninfo *, uint16_t, uint8_t,
    uint8_t *);
static void tcp_fastopen_ccache_bucket_trim(struct tcp_fastopen_ccache_bucket *,
    unsigned int);
static void tcp_fastopen_ccache_entry_drop(struct tcp_fastopen_ccache_entry *,
    struct tcp_fastopen_ccache_bucket *);
 
SYSCTL_NODE(_net_inet_tcp, OID_AUTO, fastopen, CTLFLAG_RW | CTLFLAG_MPSAFE, 0,
    "TCP Fast Open");
 
VNET_DEFINE_STATIC(int, tcp_fastopen_acceptany) = 0;
#define V_tcp_fastopen_acceptany        VNET(tcp_fastopen_acceptany)
SYSCTL_INT(_net_inet_tcp_fastopen, OID_AUTO, acceptany,
    CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(tcp_fastopen_acceptany), 0,
    "Accept any non-empty cookie");
 
VNET_DEFINE_STATIC(unsigned int, tcp_fastopen_autokey) = 120;
#define V_tcp_fastopen_autokey  VNET(tcp_fastopen_autokey)
static int sysctl_net_inet_tcp_fastopen_autokey(SYSCTL_HANDLER_ARGS);
SYSCTL_PROC(_net_inet_tcp_fastopen, OID_AUTO, autokey,
    CTLFLAG_VNET | CTLTYPE_UINT | CTLFLAG_RW | CTLFLAG_MPSAFE,
    NULL, 0, &sysctl_net_inet_tcp_fastopen_autokey, "IU",
    "Number of seconds between auto-generation of a new key; zero disables");
 
static int sysctl_net_inet_tcp_fastopen_ccache_bucket_limit(SYSCTL_HANDLER_ARGS);
SYSCTL_PROC(_net_inet_tcp_fastopen, OID_AUTO, ccache_bucket_limit,
    CTLFLAG_VNET | CTLTYPE_UINT | CTLFLAG_RWTUN | CTLFLAG_NEEDGIANT,
    NULL, 0, &sysctl_net_inet_tcp_fastopen_ccache_bucket_limit, "IU",
    "Max entries per bucket in client cookie cache");
 
VNET_DEFINE_STATIC(unsigned int, tcp_fastopen_ccache_buckets) =
    TCP_FASTOPEN_CCACHE_BUCKETS_DEFAULT;
#define V_tcp_fastopen_ccache_buckets VNET(tcp_fastopen_ccache_buckets)
SYSCTL_UINT(_net_inet_tcp_fastopen, OID_AUTO, ccache_buckets,
    CTLFLAG_VNET | CTLFLAG_RDTUN, &VNET_NAME(tcp_fastopen_ccache_buckets), 0,
    "Client cookie cache number of buckets (power of 2)");
 
VNET_DEFINE(unsigned int, tcp_fastopen_client_enable) = 1;
static int sysctl_net_inet_tcp_fastopen_client_enable(SYSCTL_HANDLER_ARGS);
SYSCTL_PROC(_net_inet_tcp_fastopen, OID_AUTO, client_enable,
    CTLFLAG_VNET | CTLTYPE_UINT | CTLFLAG_RW | CTLFLAG_NEEDGIANT,
    NULL, 0, &sysctl_net_inet_tcp_fastopen_client_enable, "IU",
    "Enable/disable TCP Fast Open client functionality");
 
SYSCTL_INT(_net_inet_tcp_fastopen, OID_AUTO, keylen,
    CTLFLAG_RD, SYSCTL_NULL_INT_PTR, TCP_FASTOPEN_KEY_LEN,
    "Key length in bytes");
 
SYSCTL_INT(_net_inet_tcp_fastopen, OID_AUTO, maxkeys,
    CTLFLAG_RD, SYSCTL_NULL_INT_PTR, TCP_FASTOPEN_MAX_KEYS,
    "Maximum number of keys supported");
 
SYSCTL_INT(_net_inet_tcp_fastopen, OID_AUTO, maxpsks,
    CTLFLAG_RD, SYSCTL_NULL_INT_PTR, TCP_FASTOPEN_MAX_PSKS,
    "Maximum number of pre-shared keys supported");
 
VNET_DEFINE_STATIC(unsigned int, tcp_fastopen_numkeys) = 0;
#define V_tcp_fastopen_numkeys  VNET(tcp_fastopen_numkeys)
SYSCTL_UINT(_net_inet_tcp_fastopen, OID_AUTO, numkeys,
    CTLFLAG_VNET | CTLFLAG_RD, &VNET_NAME(tcp_fastopen_numkeys), 0,
    "Number of keys installed");
 
VNET_DEFINE_STATIC(unsigned int, tcp_fastopen_numpsks) = 0;
#define V_tcp_fastopen_numpsks  VNET(tcp_fastopen_numpsks)
SYSCTL_UINT(_net_inet_tcp_fastopen, OID_AUTO, numpsks,
    CTLFLAG_VNET | CTLFLAG_RD, &VNET_NAME(tcp_fastopen_numpsks), 0,
    "Number of pre-shared keys installed");
 
VNET_DEFINE_STATIC(unsigned int, tcp_fastopen_path_disable_time) =
    TCP_FASTOPEN_PATH_DISABLE_TIME_DEFAULT;
#define V_tcp_fastopen_path_disable_time VNET(tcp_fastopen_path_disable_time)
SYSCTL_UINT(_net_inet_tcp_fastopen, OID_AUTO, path_disable_time,
    CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(tcp_fastopen_path_disable_time), 0,
    "Seconds a TFO failure disables a {client_ip, server_ip, server_port} path");
 
VNET_DEFINE_STATIC(unsigned int, tcp_fastopen_psk_enable) = 0;
#define V_tcp_fastopen_psk_enable       VNET(tcp_fastopen_psk_enable)
static int sysctl_net_inet_tcp_fastopen_psk_enable(SYSCTL_HANDLER_ARGS);
SYSCTL_PROC(_net_inet_tcp_fastopen, OID_AUTO, psk_enable,
    CTLFLAG_VNET | CTLTYPE_UINT | CTLFLAG_RW | CTLFLAG_MPSAFE,
    NULL, 0, &sysctl_net_inet_tcp_fastopen_psk_enable, "IU",
    "Enable/disable TCP Fast Open server pre-shared key mode");
 
VNET_DEFINE(unsigned int, tcp_fastopen_server_enable) = 0;
static int sysctl_net_inet_tcp_fastopen_server_enable(SYSCTL_HANDLER_ARGS);
SYSCTL_PROC(_net_inet_tcp_fastopen, OID_AUTO, server_enable,
    CTLFLAG_VNET | CTLTYPE_UINT | CTLFLAG_RW | CTLFLAG_MPSAFE,
    NULL, 0, &sysctl_net_inet_tcp_fastopen_server_enable, "IU",
    "Enable/disable TCP Fast Open server functionality");
 
static int sysctl_net_inet_tcp_fastopen_setkey(SYSCTL_HANDLER_ARGS);
SYSCTL_PROC(_net_inet_tcp_fastopen, OID_AUTO, setkey,
    CTLFLAG_VNET | CTLTYPE_OPAQUE | CTLFLAG_WR | CTLFLAG_MPSAFE,
    NULL, 0, &sysctl_net_inet_tcp_fastopen_setkey, "",
    "Install a new key");
 
static int sysctl_net_inet_tcp_fastopen_setpsk(SYSCTL_HANDLER_ARGS);
SYSCTL_PROC(_net_inet_tcp_fastopen, OID_AUTO, setpsk,
    CTLFLAG_VNET | CTLTYPE_OPAQUE | CTLFLAG_WR | CTLFLAG_MPSAFE,
    NULL, 0, &sysctl_net_inet_tcp_fastopen_setpsk, "",
    "Install a new pre-shared key");
 
static int sysctl_net_inet_tcp_fastopen_ccache_list(SYSCTL_HANDLER_ARGS);
SYSCTL_PROC(_net_inet_tcp_fastopen, OID_AUTO, ccache_list,
    CTLFLAG_VNET | CTLTYPE_STRING | CTLFLAG_RD | CTLFLAG_SKIP | CTLFLAG_MPSAFE,
    NULL, 0, sysctl_net_inet_tcp_fastopen_ccache_list, "A",
    "List of all client cookie cache entries");
 
VNET_DEFINE_STATIC(struct rmlock, tcp_fastopen_keylock);
#define V_tcp_fastopen_keylock  VNET(tcp_fastopen_keylock)
 
#define TCP_FASTOPEN_KEYS_RLOCK(t)      rm_rlock(&V_tcp_fastopen_keylock, (t))
#define TCP_FASTOPEN_KEYS_RUNLOCK(t)    rm_runlock(&V_tcp_fastopen_keylock, (t))
#define TCP_FASTOPEN_KEYS_WLOCK()       rm_wlock(&V_tcp_fastopen_keylock)
#define TCP_FASTOPEN_KEYS_WUNLOCK()     rm_wunlock(&V_tcp_fastopen_keylock)
 
VNET_DEFINE_STATIC(struct tcp_fastopen_keylist, tcp_fastopen_keys);
#define V_tcp_fastopen_keys     VNET(tcp_fastopen_keys)
 
VNET_DEFINE_STATIC(struct tcp_fastopen_callout, tcp_fastopen_autokey_ctx);
#define V_tcp_fastopen_autokey_ctx      VNET(tcp_fastopen_autokey_ctx)
 
VNET_DEFINE_STATIC(uma_zone_t, counter_zone);
#define V_counter_zone                  VNET(counter_zone)
 
static MALLOC_DEFINE(M_TCP_FASTOPEN_CCACHE, "tfo_ccache", "TFO client cookie cache buckets");
 
VNET_DEFINE_STATIC(struct tcp_fastopen_ccache, tcp_fastopen_ccache);
#define V_tcp_fastopen_ccache   VNET(tcp_fastopen_ccache)
 
#define CCB_LOCK(ccb)           mtx_lock(&(ccb)->ccb_mtx)
#define CCB_UNLOCK(ccb)         mtx_unlock(&(ccb)->ccb_mtx)
#define CCB_LOCK_ASSERT(ccb)    mtx_assert(&(ccb)->ccb_mtx, MA_OWNED)
 
void
tcp_fastopen_init(void)
{
        unsigned int i;
 
        V_counter_zone = uma_zcreate("tfo", sizeof(unsigned int),
            NULL, NULL, NULL, NULL, UMA_ALIGN_PTR, 0);
        rm_init(&V_tcp_fastopen_keylock, "tfo_keylock");
        callout_init_rm(&V_tcp_fastopen_autokey_ctx.c,
            &V_tcp_fastopen_keylock, 0);
        V_tcp_fastopen_autokey_ctx.v = curvnet;
        V_tcp_fastopen_keys.newest = TCP_FASTOPEN_MAX_KEYS - 1;
        V_tcp_fastopen_keys.newest_psk = TCP_FASTOPEN_MAX_PSKS - 1;
 
        /* May already be non-zero if kernel tunable was set */
        if (V_tcp_fastopen_ccache.bucket_limit == 0)
                V_tcp_fastopen_ccache.bucket_limit =
                    TCP_FASTOPEN_CCACHE_BUCKET_LIMIT_DEFAULT;
 
        /* May already be non-zero if kernel tunable was set */
        if ((V_tcp_fastopen_ccache_buckets == 0) ||
            !powerof2(V_tcp_fastopen_ccache_buckets))
                V_tcp_fastopen_ccache.buckets =
                        TCP_FASTOPEN_CCACHE_BUCKETS_DEFAULT;
        else
                V_tcp_fastopen_ccache.buckets = V_tcp_fastopen_ccache_buckets;
 
        V_tcp_fastopen_ccache.mask = V_tcp_fastopen_ccache.buckets - 1;
        V_tcp_fastopen_ccache.secret = arc4random();
 
        V_tcp_fastopen_ccache.base = malloc(V_tcp_fastopen_ccache.buckets *
            sizeof(struct tcp_fastopen_ccache_bucket), M_TCP_FASTOPEN_CCACHE,
            M_WAITOK | M_ZERO);
 
        for (i = 0; i < V_tcp_fastopen_ccache.buckets; i++) {
                TAILQ_INIT(&V_tcp_fastopen_ccache.base[i].ccb_entries);
                mtx_init(&V_tcp_fastopen_ccache.base[i].ccb_mtx, "tfo_ccache_bucket",
                         NULL, MTX_DEF);
                if (V_tcp_fastopen_client_enable) {
                        /* enable bucket */
                        V_tcp_fastopen_ccache.base[i].ccb_num_entries = 0;
                } else {
                        /* disable bucket */
                        V_tcp_fastopen_ccache.base[i].ccb_num_entries = -1;
                }
                V_tcp_fastopen_ccache.base[i].ccb_ccache = &V_tcp_fastopen_ccache;
        }
 
        /*
         * Note that while the total number of entries in the cookie cache
         * is limited by the table management logic to
         * V_tcp_fastopen_ccache.buckets *
         * V_tcp_fastopen_ccache.bucket_limit, the total number of items in
         * this zone can exceed that amount by the number of CPUs in the
         * system times the maximum number of unallocated items that can be
         * present in each UMA per-CPU cache for this zone.
         */
        V_tcp_fastopen_ccache.zone = uma_zcreate("tfo_ccache_entries",
            sizeof(struct tcp_fastopen_ccache_entry), NULL, NULL, NULL, NULL,
            UMA_ALIGN_CACHE, 0);
}
 
void
tcp_fastopen_destroy(void)
{
        struct tcp_fastopen_ccache_bucket *ccb;
        unsigned int i;
 
        for (i = 0; i < V_tcp_fastopen_ccache.buckets; i++) {
                ccb = &V_tcp_fastopen_ccache.base[i];
                tcp_fastopen_ccache_bucket_trim(ccb, 0);
                mtx_destroy(&ccb->ccb_mtx);
        }
 
        KASSERT(uma_zone_get_cur(V_tcp_fastopen_ccache.zone) == 0,
            ("%s: TFO ccache zone allocation count not 0", __func__));
        uma_zdestroy(V_tcp_fastopen_ccache.zone);
        free(V_tcp_fastopen_ccache.base, M_TCP_FASTOPEN_CCACHE);
 
        callout_drain(&V_tcp_fastopen_autokey_ctx.c);
        rm_destroy(&V_tcp_fastopen_keylock);
        uma_zdestroy(V_counter_zone);
}
 
unsigned int *
tcp_fastopen_alloc_counter(void)
{
        unsigned int *counter;
        counter = uma_zalloc(V_counter_zone, M_NOWAIT);
        if (counter)
                *counter = 1;
        return (counter);
}
 
void
tcp_fastopen_decrement_counter(unsigned int *counter)
{
        if (*counter == 1)
                uma_zfree(V_counter_zone, counter);
        else
                atomic_subtract_int(counter, 1);
}
 
static void
tcp_fastopen_addkey_locked(uint8_t *key)
{
 
        V_tcp_fastopen_keys.newest++;
        if (V_tcp_fastopen_keys.newest == TCP_FASTOPEN_MAX_KEYS)
                V_tcp_fastopen_keys.newest = 0;
        memcpy(V_tcp_fastopen_keys.key[V_tcp_fastopen_keys.newest], key,
            TCP_FASTOPEN_KEY_LEN);
        if (V_tcp_fastopen_numkeys < TCP_FASTOPEN_MAX_KEYS)
                V_tcp_fastopen_numkeys++;
}
 
static void
tcp_fastopen_addpsk_locked(uint8_t *psk)
{
 
        V_tcp_fastopen_keys.newest_psk++;
        if (V_tcp_fastopen_keys.newest_psk == TCP_FASTOPEN_MAX_PSKS)
                V_tcp_fastopen_keys.newest_psk = 0;
        memcpy(V_tcp_fastopen_keys.psk[V_tcp_fastopen_keys.newest_psk], psk,
            TCP_FASTOPEN_KEY_LEN);
        if (V_tcp_fastopen_numpsks < TCP_FASTOPEN_MAX_PSKS)
                V_tcp_fastopen_numpsks++;
}
 
static void
tcp_fastopen_autokey_locked(void)
{
        uint8_t newkey[TCP_FASTOPEN_KEY_LEN];
 
        arc4rand(newkey, TCP_FASTOPEN_KEY_LEN, 0);
        tcp_fastopen_addkey_locked(newkey);
}
 
static void
tcp_fastopen_autokey_callout(void *arg)
{
        struct tcp_fastopen_callout *ctx = arg;
 
        CURVNET_SET(ctx->v);
        tcp_fastopen_autokey_locked();
        callout_reset(&ctx->c, V_tcp_fastopen_autokey * hz,
                      tcp_fastopen_autokey_callout, ctx);
        CURVNET_RESTORE();
}
 
static uint64_t
tcp_fastopen_make_cookie(uint8_t key[SIPHASH_KEY_LENGTH], struct in_conninfo *inc)
{
        SIPHASH_CTX ctx;
        uint64_t siphash;
 
        SipHash24_Init(&ctx);
        SipHash_SetKey(&ctx, key);
        switch (inc->inc_flags & INC_ISIPV6) {
#ifdef INET
        case 0:
                SipHash_Update(&ctx, &inc->inc_faddr, sizeof(inc->inc_faddr));
                break;
#endif
#ifdef INET6
        case INC_ISIPV6:
                SipHash_Update(&ctx, &inc->inc6_faddr, sizeof(inc->inc6_faddr));
                break;
#endif
        }
        SipHash_Final((u_int8_t *)&siphash, &ctx);
 
        return (siphash);
}
 
static uint64_t
tcp_fastopen_make_psk_cookie(uint8_t *psk, uint8_t *cookie, uint8_t cookie_len)
{
        SIPHASH_CTX ctx;
        uint64_t psk_cookie;
 
        SipHash24_Init(&ctx);
        SipHash_SetKey(&ctx, psk);
        SipHash_Update(&ctx, cookie, cookie_len);
        SipHash_Final((u_int8_t *)&psk_cookie, &ctx);
 
        return (psk_cookie);
}
 
static int
tcp_fastopen_find_cookie_match_locked(uint8_t *wire_cookie, uint64_t *cur_cookie)
{
        unsigned int i, psk_index;
        uint64_t psk_cookie;
 
        if (V_tcp_fastopen_psk_enable) {
                psk_index = V_tcp_fastopen_keys.newest_psk;
                for (i = 0; i < V_tcp_fastopen_numpsks; i++) {
                        psk_cookie =
                            tcp_fastopen_make_psk_cookie(
                                 V_tcp_fastopen_keys.psk[psk_index],
                                 (uint8_t *)cur_cookie,
                                 TCP_FASTOPEN_COOKIE_LEN);
 
                        if (memcmp(wire_cookie, &psk_cookie,
                                   TCP_FASTOPEN_COOKIE_LEN) == 0)
                                return (1);
 
                        if (psk_index == 0)
                                psk_index = TCP_FASTOPEN_MAX_PSKS - 1;
                        else
                                psk_index--;
                }
        } else if (memcmp(wire_cookie, cur_cookie, TCP_FASTOPEN_COOKIE_LEN) == 0)
                return (1);
 
        return (0);
}
 
/*
 * Return values:
 *      -1      the cookie is invalid and no valid cookie is available
 *       0      the cookie is invalid and the latest cookie has been returned
 *       1      the cookie is valid and the latest cookie has been returned
 */
int
tcp_fastopen_check_cookie(struct in_conninfo *inc, uint8_t *cookie,
    unsigned int len, uint64_t *latest_cookie)
{
        struct rm_priotracker tracker;
        unsigned int i, key_index;
        int rv;
        uint64_t cur_cookie;
 
        if (V_tcp_fastopen_acceptany) {
                *latest_cookie = 0;
                return (1);
        }
 
        TCP_FASTOPEN_KEYS_RLOCK(&tracker);
        if (len != TCP_FASTOPEN_COOKIE_LEN) {
                if (V_tcp_fastopen_numkeys > 0) {
                        *latest_cookie =
                            tcp_fastopen_make_cookie(
                                V_tcp_fastopen_keys.key[V_tcp_fastopen_keys.newest],
                                inc);
                        rv = 0;
                } else
                        rv = -1;
                goto out;
        }
 
        /*
         * Check against each available key, from newest to oldest.
         */
        key_index = V_tcp_fastopen_keys.newest;
        for (i = 0; i < V_tcp_fastopen_numkeys; i++) {
                cur_cookie =
                    tcp_fastopen_make_cookie(V_tcp_fastopen_keys.key[key_index],
                        inc);
                if (i == 0)
                        *latest_cookie = cur_cookie;
                rv = tcp_fastopen_find_cookie_match_locked(cookie, &cur_cookie);
                if (rv)
                        goto out;
                if (key_index == 0)
                        key_index = TCP_FASTOPEN_MAX_KEYS - 1;
                else
                        key_index--;
        }
        rv = 0;
 
 out:
        TCP_FASTOPEN_KEYS_RUNLOCK(&tracker);
        return (rv);
}
 
static int
sysctl_net_inet_tcp_fastopen_autokey(SYSCTL_HANDLER_ARGS)
{
        int error;
        unsigned int new;
 
        new = V_tcp_fastopen_autokey;
        error = sysctl_handle_int(oidp, &new, 0, req);
        if (error == 0 && req->newptr) {
                if (new > (INT_MAX / hz))
                        return (EINVAL);
 
                TCP_FASTOPEN_KEYS_WLOCK();
                if (V_tcp_fastopen_server_enable) {
                        if (V_tcp_fastopen_autokey && !new)
                                callout_stop(&V_tcp_fastopen_autokey_ctx.c);
                        else if (new)
                                callout_reset(&V_tcp_fastopen_autokey_ctx.c,
                                    new * hz, tcp_fastopen_autokey_callout,
                                    &V_tcp_fastopen_autokey_ctx);
                }
                V_tcp_fastopen_autokey = new;
                TCP_FASTOPEN_KEYS_WUNLOCK();
        }
 
        return (error);
}
 
static int
sysctl_net_inet_tcp_fastopen_psk_enable(SYSCTL_HANDLER_ARGS)
{
        int error;
        unsigned int new;
 
        new = V_tcp_fastopen_psk_enable;
        error = sysctl_handle_int(oidp, &new, 0, req);
        if (error == 0 && req->newptr) {
                if (V_tcp_fastopen_psk_enable && !new) {
                        /* enabled -> disabled */
                        TCP_FASTOPEN_KEYS_WLOCK();
                        V_tcp_fastopen_numpsks = 0;
                        V_tcp_fastopen_keys.newest_psk =
                            TCP_FASTOPEN_MAX_PSKS - 1;
                        V_tcp_fastopen_psk_enable = 0;
                        TCP_FASTOPEN_KEYS_WUNLOCK();
                } else if (!V_tcp_fastopen_psk_enable && new) {
                        /* disabled -> enabled */
                        TCP_FASTOPEN_KEYS_WLOCK();
                        V_tcp_fastopen_psk_enable = 1;
                        TCP_FASTOPEN_KEYS_WUNLOCK();
                }
        }
        return (error);
}
 
static int
sysctl_net_inet_tcp_fastopen_server_enable(SYSCTL_HANDLER_ARGS)
{
        int error;
        unsigned int new;
 
        new = V_tcp_fastopen_server_enable;
        error = sysctl_handle_int(oidp, &new, 0, req);
        if (error == 0 && req->newptr) {
                if (V_tcp_fastopen_server_enable && !new) {
                        /* enabled -> disabled */
                        TCP_FASTOPEN_KEYS_WLOCK();
                        V_tcp_fastopen_numkeys = 0;
                        V_tcp_fastopen_keys.newest = TCP_FASTOPEN_MAX_KEYS - 1;
                        if (V_tcp_fastopen_autokey)
                                callout_stop(&V_tcp_fastopen_autokey_ctx.c);
                        V_tcp_fastopen_numpsks = 0;
                        V_tcp_fastopen_keys.newest_psk =
                            TCP_FASTOPEN_MAX_PSKS - 1;
                        V_tcp_fastopen_server_enable = 0;
                        TCP_FASTOPEN_KEYS_WUNLOCK();
                } else if (!V_tcp_fastopen_server_enable && new) {
                        /* disabled -> enabled */
                        TCP_FASTOPEN_KEYS_WLOCK();
                        if (V_tcp_fastopen_autokey &&
                            (V_tcp_fastopen_numkeys == 0)) {
                                tcp_fastopen_autokey_locked();
                                callout_reset(&V_tcp_fastopen_autokey_ctx.c,
                                    V_tcp_fastopen_autokey * hz,
                                    tcp_fastopen_autokey_callout,
                                    &V_tcp_fastopen_autokey_ctx);
                        }
                        V_tcp_fastopen_server_enable = 1;
                        TCP_FASTOPEN_KEYS_WUNLOCK();
                }
        }
        return (error);
}
 
static int
sysctl_net_inet_tcp_fastopen_setkey(SYSCTL_HANDLER_ARGS)
{
        int error;
        uint8_t newkey[TCP_FASTOPEN_KEY_LEN];
 
        if (req->oldptr != NULL || req->oldlen != 0)
                return (EINVAL);
        if (req->newptr == NULL)
                return (EPERM);
        if (req->newlen != sizeof(newkey))
                return (EINVAL);
        error = SYSCTL_IN(req, newkey, sizeof(newkey));
        if (error)
                return (error);
 
        TCP_FASTOPEN_KEYS_WLOCK();
        tcp_fastopen_addkey_locked(newkey);
        TCP_FASTOPEN_KEYS_WUNLOCK();
 
        return (0);
}
 
static int
sysctl_net_inet_tcp_fastopen_setpsk(SYSCTL_HANDLER_ARGS)
{
        int error;
        uint8_t newpsk[TCP_FASTOPEN_KEY_LEN];
 
        if (req->oldptr != NULL || req->oldlen != 0)
                return (EINVAL);
        if (req->newptr == NULL)
                return (EPERM);
        if (req->newlen != sizeof(newpsk))
                return (EINVAL);
        error = SYSCTL_IN(req, newpsk, sizeof(newpsk));
        if (error)
                return (error);
 
        TCP_FASTOPEN_KEYS_WLOCK();
        tcp_fastopen_addpsk_locked(newpsk);
        TCP_FASTOPEN_KEYS_WUNLOCK();
 
        return (0);
}
 
static int
sysctl_net_inet_tcp_fastopen_ccache_bucket_limit(SYSCTL_HANDLER_ARGS)
{
        struct tcp_fastopen_ccache_bucket *ccb;
        int error;
        unsigned int new;
        unsigned int i;
 
        new = V_tcp_fastopen_ccache.bucket_limit;
        error = sysctl_handle_int(oidp, &new, 0, req);
        if (error == 0 && req->newptr) {
                if ((new == 0) || (new > INT_MAX))
                        error = EINVAL;
                else {
                        if (new < V_tcp_fastopen_ccache.bucket_limit) {
                                for (i = 0; i < V_tcp_fastopen_ccache.buckets;
                                     i++) {
                                        ccb = &V_tcp_fastopen_ccache.base[i];
                                        tcp_fastopen_ccache_bucket_trim(ccb, new);
                                }
                        }
                        V_tcp_fastopen_ccache.bucket_limit = new;
                }
        }
        return (error);
}
 
static int
sysctl_net_inet_tcp_fastopen_client_enable(SYSCTL_HANDLER_ARGS)
{
        struct tcp_fastopen_ccache_bucket *ccb;
        int error;
        unsigned int new, i;
 
        new = V_tcp_fastopen_client_enable;
        error = sysctl_handle_int(oidp, &new, 0, req);
        if (error == 0 && req->newptr) {
                if (V_tcp_fastopen_client_enable && !new) {
                        /* enabled -> disabled */
                        for (i = 0; i < V_tcp_fastopen_ccache.buckets; i++) {
                                ccb = &V_tcp_fastopen_ccache.base[i];
                                KASSERT(ccb->ccb_num_entries > -1,
                                    ("%s: ccb->ccb_num_entries %d is negative",
                                        __func__, ccb->ccb_num_entries));
                                tcp_fastopen_ccache_bucket_trim(ccb, 0);
                        }
                        V_tcp_fastopen_client_enable = 0;
                } else if (!V_tcp_fastopen_client_enable && new) {
                        /* disabled -> enabled */
                        for (i = 0; i < V_tcp_fastopen_ccache.buckets; i++) {
                                ccb = &V_tcp_fastopen_ccache.base[i];
                                CCB_LOCK(ccb);
                                KASSERT(TAILQ_EMPTY(&ccb->ccb_entries),
                                    ("%s: ccb->ccb_entries not empty", __func__));
                                KASSERT(ccb->ccb_num_entries == -1,
                                    ("%s: ccb->ccb_num_entries %d not -1", __func__,
                                        ccb->ccb_num_entries));
                                ccb->ccb_num_entries = 0; /* enable bucket */
                                CCB_UNLOCK(ccb);
                        }
                        V_tcp_fastopen_client_enable = 1;
                }
        }
        return (error);
}
 
void
tcp_fastopen_connect(struct tcpcb *tp)
{
        struct inpcb *inp;
        struct tcp_fastopen_ccache_bucket *ccb;
        struct tcp_fastopen_ccache_entry *cce;
        sbintime_t now;
        uint16_t server_mss;
        uint64_t psk_cookie;
 
        psk_cookie = 0;
        inp = tp->t_inpcb;
        cce = tcp_fastopen_ccache_lookup(&inp->inp_inc, &ccb);
        if (cce) {
                if (cce->disable_time == 0) {
                        if ((cce->cookie_len > 0) &&
                            (tp->t_tfo_client_cookie_len ==
                             TCP_FASTOPEN_PSK_LEN)) {
                                psk_cookie =
                                    tcp_fastopen_make_psk_cookie(
                                        tp->t_tfo_cookie.client,
                                        cce->cookie, cce->cookie_len);
                        } else {
                                tp->t_tfo_client_cookie_len = cce->cookie_len;
                                memcpy(tp->t_tfo_cookie.client, cce->cookie,
                                    cce->cookie_len);
                        }
                        server_mss = cce->server_mss;
                        CCB_UNLOCK(ccb);
                        if (tp->t_tfo_client_cookie_len ==
                            TCP_FASTOPEN_PSK_LEN && psk_cookie) {
                                tp->t_tfo_client_cookie_len =
                                    TCP_FASTOPEN_COOKIE_LEN;
                                memcpy(tp->t_tfo_cookie.client, &psk_cookie,
                                    TCP_FASTOPEN_COOKIE_LEN);
                        }
                        tcp_mss(tp, server_mss ? server_mss : -1);
                        tp->snd_wnd = tp->t_maxseg;
                } else {
                        /*
                         * The path is disabled.  Check the time and
                         * possibly re-enable.
                         */
                        now = getsbinuptime();
                        if (now - cce->disable_time >
                            ((sbintime_t)V_tcp_fastopen_path_disable_time << 32)) {
                                /*
                                 * Re-enable path.  Force a TFO cookie
                                 * request.  Forget the old MSS as it may be
                                 * bogus now, and we will rediscover it in
                                 * the SYN|ACK.
                                 */
                                cce->disable_time = 0;
                                cce->server_mss = 0;
                                cce->cookie_len = 0;
                                /*
                                 * tp->t_tfo... cookie details are already
                                 * zero from the tcpcb init.
                                 */
                        } else {
                                /*
                                 * Path is disabled, so disable TFO on this
                                 * connection.
                                 */
                                tp->t_flags &= ~TF_FASTOPEN;
                        }
                        CCB_UNLOCK(ccb);
                        tcp_mss(tp, -1);
                        /*
                         * snd_wnd is irrelevant since we are either forcing
                         * a TFO cookie request or disabling TFO - either
                         * way, no data with the SYN.
                         */
                }
        } else {
                /*
                 * A new entry for this path will be created when a SYN|ACK
                 * comes back, or the attempt otherwise fails.
                 */
                CCB_UNLOCK(ccb);
                tcp_mss(tp, -1);
                /*
                 * snd_wnd is irrelevant since we are forcing a TFO cookie
                 * request.
                 */
        }
}
 
void
tcp_fastopen_disable_path(struct tcpcb *tp)
{
        struct in_conninfo *inc = &tp->t_inpcb->inp_inc;
        struct tcp_fastopen_ccache_bucket *ccb;
        struct tcp_fastopen_ccache_entry *cce;
 
        cce = tcp_fastopen_ccache_lookup(inc, &ccb);
        if (cce) {
                cce->server_mss = 0;
                cce->cookie_len = 0;
                /*
                 * Preserve the existing disable time if it is already
                 * disabled.
                 */
                if (cce->disable_time == 0)
                        cce->disable_time = getsbinuptime();
        } else /* use invalid cookie len to create disabled entry */
                tcp_fastopen_ccache_create(ccb, inc, 0,
                    TCP_FASTOPEN_MAX_COOKIE_LEN + 1, NULL);
 
        CCB_UNLOCK(ccb);
        tp->t_flags &= ~TF_FASTOPEN;
}
 
void
tcp_fastopen_update_cache(struct tcpcb *tp, uint16_t mss,
    uint8_t cookie_len, uint8_t *cookie)
{
        struct in_conninfo *inc = &tp->t_inpcb->inp_inc;
        struct tcp_fastopen_ccache_bucket *ccb;
        struct tcp_fastopen_ccache_entry *cce;
 
        cce = tcp_fastopen_ccache_lookup(inc, &ccb);
        if (cce) {
                if ((cookie_len >= TCP_FASTOPEN_MIN_COOKIE_LEN) &&
                    (cookie_len <= TCP_FASTOPEN_MAX_COOKIE_LEN) &&
                    ((cookie_len & 0x1) == 0)) {
                        cce->server_mss = mss;
                        cce->cookie_len = cookie_len;
                        memcpy(cce->cookie, cookie, cookie_len);
                        cce->disable_time = 0;
                } else {
                        /* invalid cookie length, disable entry */
                        cce->server_mss = 0;
                        cce->cookie_len = 0;
                        /*
                         * Preserve the existing disable time if it is
                         * already disabled.
                         */
                        if (cce->disable_time == 0)
                                cce->disable_time = getsbinuptime();
                }
        } else
                tcp_fastopen_ccache_create(ccb, inc, mss, cookie_len, cookie);
 
        CCB_UNLOCK(ccb);
}
 
static struct tcp_fastopen_ccache_entry *
tcp_fastopen_ccache_lookup(struct in_conninfo *inc,
    struct tcp_fastopen_ccache_bucket **ccbp)
{
        struct tcp_fastopen_ccache_bucket *ccb;
        struct tcp_fastopen_ccache_entry *cce;
        uint32_t last_word;
        uint32_t hash;
 
        hash = jenkins_hash32((uint32_t *)&inc->inc_ie.ie_dependladdr, 4,
            V_tcp_fastopen_ccache.secret);
        hash = jenkins_hash32((uint32_t *)&inc->inc_ie.ie_dependfaddr, 4,
            hash);
        last_word = inc->inc_fport;
        hash = jenkins_hash32(&last_word, 1, hash);
        ccb = &V_tcp_fastopen_ccache.base[hash & V_tcp_fastopen_ccache.mask];
        *ccbp = ccb;
        CCB_LOCK(ccb);
 
        /*
         * Always returns with locked bucket.
         */
        TAILQ_FOREACH(cce, &ccb->ccb_entries, cce_link)
                if ((!(cce->af == AF_INET6) == !(inc->inc_flags & INC_ISIPV6)) &&
                    (cce->server_port == inc->inc_ie.ie_fport) &&
                    (((cce->af == AF_INET) &&
                      (cce->cce_client_ip.v4.s_addr == inc->inc_laddr.s_addr) &&
                      (cce->cce_server_ip.v4.s_addr == inc->inc_faddr.s_addr)) ||
                     ((cce->af == AF_INET6) &&
                      IN6_ARE_ADDR_EQUAL(&cce->cce_client_ip.v6, &inc->inc6_laddr) &&
                      IN6_ARE_ADDR_EQUAL(&cce->cce_server_ip.v6, &inc->inc6_faddr))))
                        break;
 
        return (cce);
}
 
static struct tcp_fastopen_ccache_entry *
tcp_fastopen_ccache_create(struct tcp_fastopen_ccache_bucket *ccb,
    struct in_conninfo *inc, uint16_t mss, uint8_t cookie_len, uint8_t *cookie)
{
        struct tcp_fastopen_ccache_entry *cce;
 
        /*
         * 1. Create a new entry, or
         * 2. Reclaim an existing entry, or
         * 3. Fail
         */
 
        CCB_LOCK_ASSERT(ccb);
 
        cce = NULL;
        if (ccb->ccb_num_entries < V_tcp_fastopen_ccache.bucket_limit)
                cce = uma_zalloc(V_tcp_fastopen_ccache.zone, M_NOWAIT);
 
        if (cce == NULL) {
                /*
                 * At bucket limit, or out of memory - reclaim last
                 * entry in bucket.
                 */
                cce = TAILQ_LAST(&ccb->ccb_entries, bucket_entries);
                if (cce == NULL) {
                        /* XXX count this event */
                        return (NULL);
                }
 
                TAILQ_REMOVE(&ccb->ccb_entries, cce, cce_link);
        } else
                ccb->ccb_num_entries++;
 
        TAILQ_INSERT_HEAD(&ccb->ccb_entries, cce, cce_link);
        cce->af = (inc->inc_flags & INC_ISIPV6) ? AF_INET6 : AF_INET;
        if (cce->af == AF_INET) {
                cce->cce_client_ip.v4 = inc->inc_laddr;
                cce->cce_server_ip.v4 = inc->inc_faddr;
        } else {
                cce->cce_client_ip.v6 = inc->inc6_laddr;
                cce->cce_server_ip.v6 = inc->inc6_faddr;
        }
        cce->server_port = inc->inc_fport;
        if ((cookie_len >= TCP_FASTOPEN_MIN_COOKIE_LEN) &&
            (cookie_len <= TCP_FASTOPEN_MAX_COOKIE_LEN) &&
            ((cookie_len & 0x1) == 0)) {
                cce->server_mss = mss;
                cce->cookie_len = cookie_len;
                memcpy(cce->cookie, cookie, cookie_len);
                cce->disable_time = 0;
        } else {
                /* invalid cookie length, disable cce */
                cce->server_mss = 0;
                cce->cookie_len = 0;
                cce->disable_time = getsbinuptime();
        }
 
        return (cce);
}
 
static void
tcp_fastopen_ccache_bucket_trim(struct tcp_fastopen_ccache_bucket *ccb,
    unsigned int limit)
{
        struct tcp_fastopen_ccache_entry *cce, *cce_tmp;
        unsigned int entries;
 
        CCB_LOCK(ccb);
        entries = 0;
        TAILQ_FOREACH_SAFE(cce, &ccb->ccb_entries, cce_link, cce_tmp) {
                entries++;
                if (entries > limit)
                        tcp_fastopen_ccache_entry_drop(cce, ccb);
        }
        KASSERT(ccb->ccb_num_entries <= (int)limit,
            ("%s: ccb->ccb_num_entries %d exceeds limit %d", __func__,
                ccb->ccb_num_entries, limit));
        if (limit == 0) {
                KASSERT(TAILQ_EMPTY(&ccb->ccb_entries),
                    ("%s: ccb->ccb_entries not empty", __func__));
                ccb->ccb_num_entries = -1; /* disable bucket */
        }
        CCB_UNLOCK(ccb);
}
 
static void
tcp_fastopen_ccache_entry_drop(struct tcp_fastopen_ccache_entry *cce,
    struct tcp_fastopen_ccache_bucket *ccb)
{
 
        CCB_LOCK_ASSERT(ccb);
 
        TAILQ_REMOVE(&ccb->ccb_entries, cce, cce_link);
        ccb->ccb_num_entries--;
        uma_zfree(V_tcp_fastopen_ccache.zone, cce);
}
 
static int
sysctl_net_inet_tcp_fastopen_ccache_list(SYSCTL_HANDLER_ARGS)
{
        struct sbuf sb;
        struct tcp_fastopen_ccache_bucket *ccb;
        struct tcp_fastopen_ccache_entry *cce;
        sbintime_t now, duration, limit;
        const int linesize = 128;
        int i, error, num_entries;
        unsigned int j;
#ifdef INET6
        char clt_buf[INET6_ADDRSTRLEN], srv_buf[INET6_ADDRSTRLEN];
#else
        char clt_buf[INET_ADDRSTRLEN], srv_buf[INET_ADDRSTRLEN];
#endif
 
        if (jailed_without_vnet(curthread->td_ucred) != 0)
                return (EPERM);
 
        /* Only allow root to read the client cookie cache */
        if (curthread->td_ucred->cr_uid != 0)
                return (EPERM);
 
        num_entries = 0;
        for (i = 0; i < V_tcp_fastopen_ccache.buckets; i++) {
                ccb = &V_tcp_fastopen_ccache.base[i];
                CCB_LOCK(ccb);
                if (ccb->ccb_num_entries > 0)
                        num_entries += ccb->ccb_num_entries;
                CCB_UNLOCK(ccb);
        }
        sbuf_new(&sb, NULL, linesize * (num_entries + 1), SBUF_INCLUDENUL);
 
        sbuf_printf(&sb,
                    "\nLocal IP address     Remote IP address     Port   MSS"
                    " Disabled Cookie\n");
 
        now = getsbinuptime();
        limit = (sbintime_t)V_tcp_fastopen_path_disable_time << 32;
        for (i = 0; i < V_tcp_fastopen_ccache.buckets; i++) {
                ccb = &V_tcp_fastopen_ccache.base[i];
                CCB_LOCK(ccb);
                TAILQ_FOREACH(cce, &ccb->ccb_entries, cce_link) {
                        if (cce->disable_time != 0) {
                                duration = now - cce->disable_time;
                                if (limit >= duration)
                                        duration = limit - duration;
                                else
                                        duration = 0;
                        } else
                                duration = 0;
                        sbuf_printf(&sb,
                                    "%-20s %-20s %5u %5u ",
                                    inet_ntop(cce->af, &cce->cce_client_ip,
                                        clt_buf, sizeof(clt_buf)),
                                    inet_ntop(cce->af, &cce->cce_server_ip,
                                        srv_buf, sizeof(srv_buf)),
                                    ntohs(cce->server_port),
                                    cce->server_mss);
                        if (duration > 0)
                                sbuf_printf(&sb, "%7ds ", sbintime_getsec(duration));
                        else
                                sbuf_printf(&sb, "%8s ", "No");
                        for (j = 0; j < cce->cookie_len; j++)
                                sbuf_printf(&sb, "%02x", cce->cookie[j]);
                        sbuf_putc(&sb, '\n');
                }
                CCB_UNLOCK(ccb);
        }
        error = sbuf_finish(&sb);
        if (error == 0)
                error = SYSCTL_OUT(req, sbuf_data(&sb), sbuf_len(&sb));
        sbuf_delete(&sb);
        return (error);
}