Merge branch 'fix/kconfig' into for-linus

author: Takashi Iwai <tiwai@suse.de> 2011-08-08 08:30:29 -0400
committer: Takashi Iwai <tiwai@suse.de> 2011-08-08 08:30:29 -0400
commit: 0a2d31b62dba9b5b92a38c67c9cc42630513662a (patch)
tree: f755d74ec85248de645e10c45ed1a2ed467530f6 /net/core/secure_seq.c
parent: 8039290a91c5dc4414093c086987a5d7738fe2fd (diff)
parent: df944f66784e6d4f2f50739263a4947885d8b6ae (diff)
1 files changed, 184 insertions, 0 deletions
diff --git a/net/core/secure_seq.c b/net/core/secure_seq.c
new file mode 100644
index 000000000000..45329d7c9dd9
--- /dev/null
+++ b/net/core/secure_seq.c
@@ -0,0 +1,184 @@
+#include <linux/kernel.h>
+#include <linux/init.h>
+#include <linux/cryptohash.h>
+#include <linux/module.h>
+#include <linux/cache.h>
+#include <linux/random.h>
+#include <linux/hrtimer.h>
+#include <linux/ktime.h>
+#include <linux/string.h>
+#include <net/secure_seq.h>
+static u32 net_secret[MD5_MESSAGE_BYTES / 4] ____cacheline_aligned;
+static int __init net_secret_init(void)
+{
+        get_random_bytes(net_secret, sizeof(net_secret));
+        return 0;
+}
+late_initcall(net_secret_init);
+static u32 seq_scale(u32 seq)
+{
+        /*
+         *      As close as possible to RFC 793, which
+         *      suggests using a 250 kHz clock.
+         *      Further reading shows this assumes 2 Mb/s networks.
+         *      For 10 Mb/s Ethernet, a 1 MHz clock is appropriate.
+         *      For 10 Gb/s Ethernet, a 1 GHz clock should be ok, but
+         *      we also need to limit the resolution so that the u32 seq
+         *      overlaps less than one time per MSL (2 minutes).
+         *      Choosing a clock of 64 ns period is OK. (period of 274 s)
+         */
+        return seq + (ktime_to_ns(ktime_get_real()) >> 6);
+}
+#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
+__u32 secure_tcpv6_sequence_number(__be32 *saddr, __be32 *daddr,
+                                   __be16 sport, __be16 dport)
+{
+        u32 secret[MD5_MESSAGE_BYTES / 4];
+        u32 hash[MD5_DIGEST_WORDS];
+        u32 i;
+        memcpy(hash, saddr, 16);
+        for (i = 0; i < 4; i++)
+                secret[i] = net_secret[i] + daddr[i];
+        secret[4] = net_secret[4] +
+                (((__force u16)sport << 16) + (__force u16)dport);
+        for (i = 5; i < MD5_MESSAGE_BYTES / 4; i++)
+                secret[i] = net_secret[i];
+        md5_transform(hash, secret);
+        return seq_scale(hash[0]);
+}
+EXPORT_SYMBOL(secure_tcpv6_sequence_number);
+u32 secure_ipv6_port_ephemeral(const __be32 *saddr, const __be32 *daddr,
+                               __be16 dport)
+{
+        u32 secret[MD5_MESSAGE_BYTES / 4];
+        u32 hash[MD5_DIGEST_WORDS];
+        u32 i;
+        memcpy(hash, saddr, 16);
+        for (i = 0; i < 4; i++)
+                secret[i] = net_secret[i] + (__force u32) daddr[i];
+        secret[4] = net_secret[4] + (__force u32)dport;
+        for (i = 5; i < MD5_MESSAGE_BYTES / 4; i++)
+                secret[i] = net_secret[i];
+        md5_transform(hash, secret);
+        return hash[0];
+}
+#endif
+#ifdef CONFIG_INET
+__u32 secure_ip_id(__be32 daddr)
+{
+        u32 hash[MD5_DIGEST_WORDS];
+        hash[0] = (__force __u32) daddr;
+        hash[1] = net_secret[13];
+        hash[2] = net_secret[14];
+        hash[3] = net_secret[15];
+        md5_transform(hash, net_secret);
+        return hash[0];
+}
+__u32 secure_ipv6_id(const __be32 daddr[4])
+{
+        __u32 hash[4];
+        memcpy(hash, daddr, 16);
+        md5_transform(hash, net_secret);
+        return hash[0];
+}
+__u32 secure_tcp_sequence_number(__be32 saddr, __be32 daddr,
+                                 __be16 sport, __be16 dport)
+{
+        u32 hash[MD5_DIGEST_WORDS];
+        hash[0] = (__force u32)saddr;
+        hash[1] = (__force u32)daddr;
+        hash[2] = ((__force u16)sport << 16) + (__force u16)dport;
+        hash[3] = net_secret[15];
+        md5_transform(hash, net_secret);
+        return seq_scale(hash[0]);
+}
+u32 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport)
+{
+        u32 hash[MD5_DIGEST_WORDS];
+        hash[0] = (__force u32)saddr;
+        hash[1] = (__force u32)daddr;
+        hash[2] = (__force u32)dport ^ net_secret[14];
+        hash[3] = net_secret[15];
+        md5_transform(hash, net_secret);
+        return hash[0];
+}
+EXPORT_SYMBOL_GPL(secure_ipv4_port_ephemeral);
+#endif
+#if defined(CONFIG_IP_DCCP) || defined(CONFIG_IP_DCCP_MODULE)
+u64 secure_dccp_sequence_number(__be32 saddr, __be32 daddr,
+                                __be16 sport, __be16 dport)
+{
+        u32 hash[MD5_DIGEST_WORDS];
+        u64 seq;
+        hash[0] = (__force u32)saddr;
+        hash[1] = (__force u32)daddr;
+        hash[2] = ((__force u16)sport << 16) + (__force u16)dport;
+        hash[3] = net_secret[15];
+        md5_transform(hash, net_secret);
+        seq = hash[0] | (((u64)hash[1]) << 32);
+        seq += ktime_to_ns(ktime_get_real());
+        seq &= (1ull << 48) - 1;
+        return seq;
+}
+EXPORT_SYMBOL(secure_dccp_sequence_number);
+#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
+u64 secure_dccpv6_sequence_number(__be32 *saddr, __be32 *daddr,
+                                  __be16 sport, __be16 dport)
+{
+        u32 secret[MD5_MESSAGE_BYTES / 4];
+        u32 hash[MD5_DIGEST_WORDS];
+        u64 seq;
+        u32 i;
+        memcpy(hash, saddr, 16);
+        for (i = 0; i < 4; i++)
+                secret[i] = net_secret[i] + daddr[i];
+        secret[4] = net_secret[4] +
+                (((__force u16)sport << 16) + (__force u16)dport);
+        for (i = 5; i < MD5_MESSAGE_BYTES / 4; i++)
+                secret[i] = net_secret[i];
+        md5_transform(hash, secret);
+        seq = hash[0] | (((u64)hash[1]) << 32);
+        seq += ktime_to_ns(ktime_get_real());
+        seq &= (1ull << 48) - 1;
+        return seq;
+}
+EXPORT_SYMBOL(secure_dccpv6_sequence_number);
+#endif
+#endif
author	Takashi Iwai <tiwai@suse.de>	2011-08-08 08:30:29 -0400
committer	Takashi Iwai <tiwai@suse.de>	2011-08-08 08:30:29 -0400
commit	0a2d31b62dba9b5b92a38c67c9cc42630513662a (patch)
tree	f755d74ec85248de645e10c45ed1a2ed467530f6 /net/core/secure_seq.c
parent	8039290a91c5dc4414093c086987a5d7738fe2fd (diff)
parent	df944f66784e6d4f2f50739263a4947885d8b6ae (diff)

diff --git a/net/core/secure_seq.c b/net/core/secure_seq.c new file mode 100644 index 000000000000..45329d7c9dd9 --- /dev/null +++ b/net/core/secure_seq.c
@@ -0,0 +1,184 @@
	1	#include <linux/kernel.h>
	2	#include <linux/init.h>
	3	#include <linux/cryptohash.h>
	4	#include <linux/module.h>
	5	#include <linux/cache.h>
	6	#include <linux/random.h>
	7	#include <linux/hrtimer.h>
	8	#include <linux/ktime.h>
	9	#include <linux/string.h>
	10
	11	#include <net/secure_seq.h>
	12
	13	static u32 net_secret[MD5_MESSAGE_BYTES / 4] ____cacheline_aligned;
	14
	15	static int __init net_secret_init(void)
	16	{
	17	get_random_bytes(net_secret, sizeof(net_secret));
	18	return 0;
	19	}
	20	late_initcall(net_secret_init);
	21
	22	static u32 seq_scale(u32 seq)
	23	{
	24	/*
	25	* As close as possible to RFC 793, which
	26	* suggests using a 250 kHz clock.
	27	* Further reading shows this assumes 2 Mb/s networks.
	28	* For 10 Mb/s Ethernet, a 1 MHz clock is appropriate.
	29	* For 10 Gb/s Ethernet, a 1 GHz clock should be ok, but
	30	* we also need to limit the resolution so that the u32 seq
	31	* overlaps less than one time per MSL (2 minutes).
	32	* Choosing a clock of 64 ns period is OK. (period of 274 s)
	33	*/
	34	return seq + (ktime_to_ns(ktime_get_real()) >> 6);
	35	}
	36
	37	#if defined(CONFIG_IPV6) \|\| defined(CONFIG_IPV6_MODULE)
	38	__u32 secure_tcpv6_sequence_number(__be32 saddr, __be32 daddr,
	39	__be16 sport, __be16 dport)
	40	{
	41	u32 secret[MD5_MESSAGE_BYTES / 4];
	42	u32 hash[MD5_DIGEST_WORDS];
	43	u32 i;
	44
	45	memcpy(hash, saddr, 16);
	46	for (i = 0; i < 4; i++)
	47	secret[i] = net_secret[i] + daddr[i];
	48	secret[4] = net_secret[4] +
	49	(((__force u16)sport << 16) + (__force u16)dport);
	50	for (i = 5; i < MD5_MESSAGE_BYTES / 4; i++)
	51	secret[i] = net_secret[i];
	52
	53	md5_transform(hash, secret);
	54
	55	return seq_scale(hash[0]);
	56	}
	57	EXPORT_SYMBOL(secure_tcpv6_sequence_number);
	58
	59	u32 secure_ipv6_port_ephemeral(const __be32 saddr, const __be32 daddr,
	60	__be16 dport)
	61	{
	62	u32 secret[MD5_MESSAGE_BYTES / 4];
	63	u32 hash[MD5_DIGEST_WORDS];
	64	u32 i;
	65
	66	memcpy(hash, saddr, 16);
	67	for (i = 0; i < 4; i++)
	68	secret[i] = net_secret[i] + (__force u32) daddr[i];
	69	secret[4] = net_secret[4] + (__force u32)dport;
	70	for (i = 5; i < MD5_MESSAGE_BYTES / 4; i++)
	71	secret[i] = net_secret[i];
	72
	73	md5_transform(hash, secret);
	74
	75	return hash[0];
	76	}
	77	#endif
	78
	79	#ifdef CONFIG_INET
	80	__u32 secure_ip_id(__be32 daddr)
	81	{
	82	u32 hash[MD5_DIGEST_WORDS];
	83
	84	hash[0] = (__force __u32) daddr;
	85	hash[1] = net_secret[13];
	86	hash[2] = net_secret[14];
	87	hash[3] = net_secret[15];
	88
	89	md5_transform(hash, net_secret);
	90
	91	return hash[0];
	92	}
	93
	94	__u32 secure_ipv6_id(const __be32 daddr[4])
	95	{
	96	__u32 hash[4];
	97
	98	memcpy(hash, daddr, 16);
	99	md5_transform(hash, net_secret);
	100
	101	return hash[0];
	102	}
	103
	104	__u32 secure_tcp_sequence_number(__be32 saddr, __be32 daddr,
	105	__be16 sport, __be16 dport)
	106	{
	107	u32 hash[MD5_DIGEST_WORDS];
	108
	109	hash[0] = (__force u32)saddr;
	110	hash[1] = (__force u32)daddr;
	111	hash[2] = ((__force u16)sport << 16) + (__force u16)dport;
	112	hash[3] = net_secret[15];
	113
	114	md5_transform(hash, net_secret);
	115
	116	return seq_scale(hash[0]);
	117	}
	118
	119	u32 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport)
	120	{
	121	u32 hash[MD5_DIGEST_WORDS];
	122
	123	hash[0] = (__force u32)saddr;
	124	hash[1] = (__force u32)daddr;
	125	hash[2] = (__force u32)dport ^ net_secret[14];
	126	hash[3] = net_secret[15];
	127
	128	md5_transform(hash, net_secret);
	129
	130	return hash[0];
	131	}
	132	EXPORT_SYMBOL_GPL(secure_ipv4_port_ephemeral);
	133	#endif
	134
	135	#if defined(CONFIG_IP_DCCP) \|\| defined(CONFIG_IP_DCCP_MODULE)
	136	u64 secure_dccp_sequence_number(__be32 saddr, __be32 daddr,
	137	__be16 sport, __be16 dport)
	138	{
	139	u32 hash[MD5_DIGEST_WORDS];
	140	u64 seq;
	141
	142	hash[0] = (__force u32)saddr;
	143	hash[1] = (__force u32)daddr;
	144	hash[2] = ((__force u16)sport << 16) + (__force u16)dport;
	145	hash[3] = net_secret[15];
	146
	147	md5_transform(hash, net_secret);
	148
	149	seq = hash[0] \| (((u64)hash[1]) << 32);
	150	seq += ktime_to_ns(ktime_get_real());
	151	seq &= (1ull << 48) - 1;
	152
	153	return seq;
	154	}
	155	EXPORT_SYMBOL(secure_dccp_sequence_number);
	156
	157	#if defined(CONFIG_IPV6) \|\| defined(CONFIG_IPV6_MODULE)
	158	u64 secure_dccpv6_sequence_number(__be32 saddr, __be32 daddr,
	159	__be16 sport, __be16 dport)
	160	{
	161	u32 secret[MD5_MESSAGE_BYTES / 4];
	162	u32 hash[MD5_DIGEST_WORDS];
	163	u64 seq;
	164	u32 i;
	165
	166	memcpy(hash, saddr, 16);
	167	for (i = 0; i < 4; i++)
	168	secret[i] = net_secret[i] + daddr[i];
	169	secret[4] = net_secret[4] +
	170	(((__force u16)sport << 16) + (__force u16)dport);
	171	for (i = 5; i < MD5_MESSAGE_BYTES / 4; i++)
	172	secret[i] = net_secret[i];
	173
	174	md5_transform(hash, secret);
	175
	176	seq = hash[0] \| (((u64)hash[1]) << 32);
	177	seq += ktime_to_ns(ktime_get_real());
	178	seq &= (1ull << 48) - 1;
	179
	180	return seq;
	181	}
	182	EXPORT_SYMBOL(secure_dccpv6_sequence_number);
	183	#endif
	184	#endif