Merge branch 'net_get_random_once'

Hannes Frederic Sowa says: ==================== This series implements support for delaying the initialization of secret keys, e.g. used for hashing, for as long as possible. This functionality is implemented by a new macro, net_get_random_bytes. I already used it to protect the socket hashes, the syncookie secret (most important) and the tcp_fastopen secrets. Changelog: v2) Use static_keys in net_get_random_once to have as minimal impact to the fast-path as possible. v3) added patch "static_key: WARN on usage before jump_label_init was called": Patch "x86/jump_label: expect default_nop if static_key gets enabled on boot-up" relaxes the checks for using static_key primitives before jump_label_init. So tighten them first. v4) Update changelog on the patch "static_key: WARN on usage before jump_label_init was called" Included patches: ipv4: split inet_ehashfn to hash functions per compilation unit ipv6: split inet6_ehashfn to hash functions per compilation unit static_key: WARN on usage before jump_label_init was called x86/jump_label: expect default_nop if static_key gets enabled on boot-up net: introduce new macro net_get_random_once inet: split syncookie keys for ipv4 and ipv6 and initialize with net_get_random_once inet: convert inet_ehash_secret and ipv6_hash_secret to net_get_random_once tcp: switch tcp_fastopen key generation to net_get_random_once net: switch net_secret key generation to net_get_random_once ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
author: David S. Miller <davem@davemloft.net> 2013-10-19 19:45:46 -0400
committer: David S. Miller <davem@davemloft.net> 2013-10-19 19:45:46 -0400
commit: 7dcade390860712551a4feb080911d5002226188 (patch)
tree: 68768a3e760a90b2b13a8e7a83d573c0e63a4a35 /include/net
parent: 53481da372851a5506deb5247302f75459b472b4 (diff)
parent: e34c9a69970d8664a36b46e6445a7cc879111cfd (diff)
4 files changed, 16 insertions, 45 deletions
diff --git a/include/net/inet6_hashtables.h b/include/net/inet6_hashtables.h
index a105d1a2fc00..ae0613544308 100644
--- a/include/net/inet6_hashtables.h
+++ b/include/net/inet6_hashtables.h
@@ -28,28 +28,14 @@
 struct inet_hashinfo;
-static inline unsigned int inet6_ehashfn(struct net *net,
+static inline unsigned int __inet6_ehashfn(const u32 lhash,
-                                const struct in6_addr *laddr, const u16 lport,
+                                    const u16 lport,
-                                const struct in6_addr *faddr, const __be16 fport)
+                                    const u32 fhash,
+                                    const __be16 fport,
+                                    const u32 initval)
 {
-        u32 ports = (((u32)lport) << 16) | (__force u32)fport;
+        const u32 ports = (((u32)lport) << 16) | (__force u32)fport;
+        return jhash_3words(lhash, fhash, ports, initval);
-        return jhash_3words((__force u32)laddr->s6_addr32[3],
-                            ipv6_addr_jhash(faddr),
-                            ports,
-                            inet_ehash_secret + net_hash_mix(net));
-}
-static inline int inet6_sk_ehashfn(const struct sock *sk)
-{
-        const struct inet_sock *inet = inet_sk(sk);
-        const struct in6_addr *laddr = &sk->sk_v6_rcv_saddr;
-        const struct in6_addr *faddr = &sk->sk_v6_daddr;
-        const __u16 lport = inet->inet_num;
-        const __be16 fport = inet->inet_dport;
-        struct net *net = sock_net(sk);
-        return inet6_ehashfn(net, laddr, lport, faddr, fport);
 }
 int __inet6_hash(struct sock *sk, struct inet_timewait_sock *twp);
diff --git a/include/net/inet_sock.h b/include/net/inet_sock.h
index 06da91efbc83..1833c3f389ee 100644
--- a/include/net/inet_sock.h
+++ b/include/net/inet_sock.h
@@ -204,30 +204,16 @@ static inline void inet_sk_copy_descendant(struct sock *sk_to,
 int inet_sk_rebuild_header(struct sock *sk);
-extern u32 inet_ehash_secret;
+static inline unsigned int __inet_ehashfn(const __be32 laddr,
-extern u32 ipv6_hash_secret;
+                                          const __u16 lport,
-void build_ehash_secret(void);
+                                          const __be32 faddr,
+                                          const __be16 fport,
-static inline unsigned int inet_ehashfn(struct net *net,
+                                          u32 initval)
-                                        const __be32 laddr, const __u16 lport,
-                                        const __be32 faddr, const __be16 fport)
 {
        return jhash_3words((__force __u32) laddr,
                            (__force __u32) faddr,
                            ((__u32) lport) << 16 | (__force __u32)fport,
-                            inet_ehash_secret + net_hash_mix(net));
+                            initval);
-}
-static inline int inet_sk_ehashfn(const struct sock *sk)
-{
-        const struct inet_sock *inet = inet_sk(sk);
-        const __be32 laddr = inet->inet_rcv_saddr;
-        const __u16 lport = inet->inet_num;
-        const __be32 faddr = inet->inet_daddr;
-        const __be16 fport = inet->inet_dport;
-        struct net *net = sock_net(sk);
-        return inet_ehashfn(net, laddr, lport, faddr, fport);
 }
 static inline struct request_sock *inet_reqsk_alloc(struct request_sock_ops *ops)
diff --git a/include/net/ipv6.h b/include/net/ipv6.h
index fe1c7f6c9217..a35055f4f8da 100644
--- a/include/net/ipv6.h
+++ b/include/net/ipv6.h
@@ -539,14 +539,14 @@ static inline u32 ipv6_addr_hash(const struct in6_addr *a)
 }
 /* more secured version of ipv6_addr_hash() */
-static inline u32 ipv6_addr_jhash(const struct in6_addr *a)
+static inline u32 __ipv6_addr_jhash(const struct in6_addr *a, const u32 initval)
 {
        u32 v = (__force u32)a->s6_addr32[0] ^ (__force u32)a->s6_addr32[1];
        return jhash_3words(v,
                            (__force u32)a->s6_addr32[2],
                            (__force u32)a->s6_addr32[3],
-                            ipv6_hash_secret);
+                            initval);
 }
 static inline bool ipv6_addr_loopback(const struct in6_addr *a)
diff --git a/include/net/tcp.h b/include/net/tcp.h
index 372dcccfeed0..b12e29a76590 100644
--- a/include/net/tcp.h
+++ b/include/net/tcp.h
@@ -475,7 +475,6 @@ int tcp_send_rcvq(struct sock *sk, struct msghdr *msg, size_t size);
 void inet_sk_rx_dst_set(struct sock *sk, const struct sk_buff *skb);
 /* From syncookies.c */
-extern __u32 syncookie_secret[2][16-4+SHA_DIGEST_WORDS];
 int __cookie_v4_check(const struct iphdr *iph, const struct tcphdr *th,
                      u32 cookie);
 struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb,
@@ -1323,7 +1322,7 @@ extern struct tcp_fastopen_context __rcu *tcp_fastopen_ctx;
 int tcp_fastopen_reset_cipher(void *key, unsigned int len);
 void tcp_fastopen_cookie_gen(__be32 src, __be32 dst,
                             struct tcp_fastopen_cookie *foc);
+void tcp_fastopen_init_key_once(bool publish);
 #define TCP_FASTOPEN_KEY_LENGTH 16
 /* Fastopen key context */
author	David S. Miller <davem@davemloft.net>	2013-10-19 19:45:46 -0400
committer	David S. Miller <davem@davemloft.net>	2013-10-19 19:45:46 -0400
commit	7dcade390860712551a4feb080911d5002226188 (patch)
tree	68768a3e760a90b2b13a8e7a83d573c0e63a4a35 /include/net
parent	53481da372851a5506deb5247302f75459b472b4 (diff)
parent	e34c9a69970d8664a36b46e6445a7cc879111cfd (diff)

diff --git a/include/net/inet6_hashtables.h b/include/net/inet6_hashtables.h index a105d1a2fc00..ae0613544308 100644 --- a/include/net/inet6_hashtables.h +++ b/include/net/inet6_hashtables.h
@@ -28,28 +28,14 @@
28		28
29	struct inet_hashinfo;	29	struct inet_hashinfo;
30		30
31	static inline unsigned int inet6_ehashfn(struct net *net,	31	static inline unsigned int __inet6_ehashfn(const u32 lhash,
32	const struct in6_addr *laddr, const u16 lport,	32	const u16 lport,
33	const struct in6_addr *faddr, const __be16 fport)	33	const u32 fhash,
		34	const __be16 fport,
		35	const u32 initval)
34	{	36	{
35	u32 ports = (((u32)lport) << 16) \| (__force u32)fport;	37	const u32 ports = (((u32)lport) << 16) \| (__force u32)fport;
36		38	return jhash_3words(lhash, fhash, ports, initval);
37	return jhash_3words((__force u32)laddr->s6_addr32[3],
38	ipv6_addr_jhash(faddr),
39	ports,
40	inet_ehash_secret + net_hash_mix(net));
41	}
42
43	static inline int inet6_sk_ehashfn(const struct sock *sk)
44	{
45	const struct inet_sock *inet = inet_sk(sk);
46	const struct in6_addr *laddr = &sk->sk_v6_rcv_saddr;
47	const struct in6_addr *faddr = &sk->sk_v6_daddr;
48	const __u16 lport = inet->inet_num;
49	const __be16 fport = inet->inet_dport;
50	struct net *net = sock_net(sk);
51
52	return inet6_ehashfn(net, laddr, lport, faddr, fport);
53	}	39	}
54		40
55	int __inet6_hash(struct sock sk, struct inet_timewait_sock twp);	41	int __inet6_hash(struct sock sk, struct inet_timewait_sock twp);


diff --git a/include/net/inet_sock.h b/include/net/inet_sock.h index 06da91efbc83..1833c3f389ee 100644 --- a/include/net/inet_sock.h +++ b/include/net/inet_sock.h
@@ -204,30 +204,16 @@ static inline void inet_sk_copy_descendant(struct sock *sk_to,
204		204
205	int inet_sk_rebuild_header(struct sock *sk);	205	int inet_sk_rebuild_header(struct sock *sk);
206		206
207	extern u32 inet_ehash_secret;	207	static inline unsigned int __inet_ehashfn(const __be32 laddr,
208	extern u32 ipv6_hash_secret;	208	const __u16 lport,
209	void build_ehash_secret(void);	209	const __be32 faddr,
210		210	const __be16 fport,
211	static inline unsigned int inet_ehashfn(struct net *net,	211	u32 initval)
212	const __be32 laddr, const __u16 lport,
213	const __be32 faddr, const __be16 fport)
214	{	212	{
215	return jhash_3words((__force __u32) laddr,	213	return jhash_3words((__force __u32) laddr,
216	(__force __u32) faddr,	214	(__force __u32) faddr,
217	((__u32) lport) << 16 \| (__force __u32)fport,	215	((__u32) lport) << 16 \| (__force __u32)fport,
218	inet_ehash_secret + net_hash_mix(net));	216	initval);
219	}
220
221	static inline int inet_sk_ehashfn(const struct sock *sk)
222	{
223	const struct inet_sock *inet = inet_sk(sk);
224	const __be32 laddr = inet->inet_rcv_saddr;
225	const __u16 lport = inet->inet_num;
226	const __be32 faddr = inet->inet_daddr;
227	const __be16 fport = inet->inet_dport;
228	struct net *net = sock_net(sk);
229
230	return inet_ehashfn(net, laddr, lport, faddr, fport);
231	}	217	}
232		218
233	static inline struct request_sock inet_reqsk_alloc(struct request_sock_ops ops)	219	static inline struct request_sock inet_reqsk_alloc(struct request_sock_ops ops)


diff --git a/include/net/ipv6.h b/include/net/ipv6.h index fe1c7f6c9217..a35055f4f8da 100644 --- a/include/net/ipv6.h +++ b/include/net/ipv6.h
@@ -539,14 +539,14 @@ static inline u32 ipv6_addr_hash(const struct in6_addr *a)
539	}	539	}
540		540
541	/* more secured version of ipv6_addr_hash() */	541	/* more secured version of ipv6_addr_hash() */
542	static inline u32 ipv6_addr_jhash(const struct in6_addr *a)	542	static inline u32 __ipv6_addr_jhash(const struct in6_addr *a, const u32 initval)
543	{	543	{
544	u32 v = (__force u32)a->s6_addr32[0] ^ (__force u32)a->s6_addr32[1];	544	u32 v = (__force u32)a->s6_addr32[0] ^ (__force u32)a->s6_addr32[1];
545		545
546	return jhash_3words(v,	546	return jhash_3words(v,
547	(__force u32)a->s6_addr32[2],	547	(__force u32)a->s6_addr32[2],
548	(__force u32)a->s6_addr32[3],	548	(__force u32)a->s6_addr32[3],
549	ipv6_hash_secret);	549	initval);
550	}	550	}
551		551
552	static inline bool ipv6_addr_loopback(const struct in6_addr *a)	552	static inline bool ipv6_addr_loopback(const struct in6_addr *a)


diff --git a/include/net/tcp.h b/include/net/tcp.h index 372dcccfeed0..b12e29a76590 100644 --- a/include/net/tcp.h +++ b/include/net/tcp.h
@@ -475,7 +475,6 @@ int tcp_send_rcvq(struct sock sk, struct msghdr msg, size_t size);
475	void inet_sk_rx_dst_set(struct sock sk, const struct sk_buff skb);	475	void inet_sk_rx_dst_set(struct sock sk, const struct sk_buff skb);
476		476
477	/* From syncookies.c */	477	/* From syncookies.c */
478	extern __u32 syncookie_secret[2][16-4+SHA_DIGEST_WORDS];
479	int __cookie_v4_check(const struct iphdr iph, const struct tcphdr th,	478	int __cookie_v4_check(const struct iphdr iph, const struct tcphdr th,
480	u32 cookie);	479	u32 cookie);
481	struct sock cookie_v4_check(struct sock sk, struct sk_buff *skb,	480	struct sock cookie_v4_check(struct sock sk, struct sk_buff *skb,
@@ -1323,7 +1322,7 @@ extern struct tcp_fastopen_context __rcu *tcp_fastopen_ctx;
1323	int tcp_fastopen_reset_cipher(void *key, unsigned int len);	1322	int tcp_fastopen_reset_cipher(void *key, unsigned int len);
1324	void tcp_fastopen_cookie_gen(__be32 src, __be32 dst,	1323	void tcp_fastopen_cookie_gen(__be32 src, __be32 dst,
1325	struct tcp_fastopen_cookie *foc);	1324	struct tcp_fastopen_cookie *foc);
1326		1325	void tcp_fastopen_init_key_once(bool publish);
1327	#define TCP_FASTOPEN_KEY_LENGTH 16	1326	#define TCP_FASTOPEN_KEY_LENGTH 16
1328		1327
1329	/* Fastopen key context */	1328	/* Fastopen key context */