TCPCT part 1b: generate Responder Cookie secret

Define (missing) hash message size for SHA1. Define hashing size constants specific to TCP cookies. Add new function: tcp_cookie_generator(). Maintain global secret values for tcp_cookie_generator(). This is a significantly revised implementation of earlier (15-year-old) Photuris [RFC-2522] code for the KA9Q cooperative multitasking platform. Linux RCU technique appears to be well-suited to this application, though neither of the circular queue items are freed. These functions will also be used in subsequent patches that implement additional features. Signed-off-by: William.Allen.Simpson@gmail.com Acked-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
author: William Allen Simpson <william.allen.simpson@gmail.com> 2009-12-02 13:12:09 -0500
committer: David S. Miller <davem@davemloft.net> 2009-12-03 01:07:23 -0500
commit: da5c78c82629a167794436e4306b4cf1faddea90 (patch)
tree: c933fdc0583b592c01885890ebf770840555d28b /net
parent: e6b4d11367519bc71729c09d05a126b133c755be (diff)
1 files changed, 140 insertions, 0 deletions
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 7d4648f8b3d3..ba03ac80435a 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -264,6 +264,7 @@
 #include <linux/cache.h>
 #include <linux/err.h>
 #include <linux/crypto.h>
+#include <linux/time.h>
 #include <net/icmp.h>
 #include <net/tcp.h>
@@ -2848,6 +2849,135 @@ EXPORT_SYMBOL(tcp_md5_hash_key);
 #endif
+/**
+ * Each Responder maintains up to two secret values concurrently for
+ * efficient secret rollover.  Each secret value has 4 states:
+ *
+ * Generating.  (tcp_secret_generating != tcp_secret_primary)
+ *    Generates new Responder-Cookies, but not yet used for primary
+ *    verification.  This is a short-term state, typically lasting only
+ *    one round trip time (RTT).
+ *
+ * Primary.  (tcp_secret_generating == tcp_secret_primary)
+ *    Used both for generation and primary verification.
+ *
+ * Retiring.  (tcp_secret_retiring != tcp_secret_secondary)
+ *    Used for verification, until the first failure that can be
+ *    verified by the newer Generating secret.  At that time, this
+ *    cookie's state is changed to Secondary, and the Generating
+ *    cookie's state is changed to Primary.  This is a short-term state,
+ *    typically lasting only one round trip time (RTT).
+ *
+ * Secondary.  (tcp_secret_retiring == tcp_secret_secondary)
+ *    Used for secondary verification, after primary verification
+ *    failures.  This state lasts no more than twice the Maximum Segment
+ *    Lifetime (2MSL).  Then, the secret is discarded.
+ */
+struct tcp_cookie_secret {
+        /* The secret is divided into two parts.  The digest part is the
+         * equivalent of previously hashing a secret and saving the state,
+         * and serves as an initialization vector (IV).  The message part
+         * serves as the trailing secret.
+         */
+        u32                             secrets[COOKIE_WORKSPACE_WORDS];
+        unsigned long                   expires;
+};
+#define TCP_SECRET_1MSL (HZ * TCP_PAWS_MSL)
+#define TCP_SECRET_2MSL (HZ * TCP_PAWS_MSL * 2)
+#define TCP_SECRET_LIFE (HZ * 600)
+static struct tcp_cookie_secret tcp_secret_one;
+static struct tcp_cookie_secret tcp_secret_two;
+/* Essentially a circular list, without dynamic allocation. */
+static struct tcp_cookie_secret *tcp_secret_generating;
+static struct tcp_cookie_secret *tcp_secret_primary;
+static struct tcp_cookie_secret *tcp_secret_retiring;
+static struct tcp_cookie_secret *tcp_secret_secondary;
+static DEFINE_SPINLOCK(tcp_secret_locker);
+/* Select a pseudo-random word in the cookie workspace.
+ */
+static inline u32 tcp_cookie_work(const u32 *ws, const int n)
+{
+        return ws[COOKIE_DIGEST_WORDS + ((COOKIE_MESSAGE_WORDS-1) & ws[n])];
+}
+/* Fill bakery[COOKIE_WORKSPACE_WORDS] with generator, updating as needed.
+ * Called in softirq context.
+ * Returns: 0 for success.
+ */
+int tcp_cookie_generator(u32 *bakery)
+{
+        unsigned long jiffy = jiffies;
+        if (unlikely(time_after_eq(jiffy, tcp_secret_generating->expires))) {
+                spin_lock_bh(&tcp_secret_locker);
+                if (!time_after_eq(jiffy, tcp_secret_generating->expires)) {
+                        /* refreshed by another */
+                        memcpy(bakery,
+                               &tcp_secret_generating->secrets[0],
+                               COOKIE_WORKSPACE_WORDS);
+                } else {
+                        /* still needs refreshing */
+                        get_random_bytes(bakery, COOKIE_WORKSPACE_WORDS);
+                        /* The first time, paranoia assumes that the
+                         * randomization function isn't as strong.  But,
+                         * this secret initialization is delayed until
+                         * the last possible moment (packet arrival).
+                         * Although that time is observable, it is
+                         * unpredictably variable.  Mash in the most
+                         * volatile clock bits available, and expire the
+                         * secret extra quickly.
+                         */
+                        if (unlikely(tcp_secret_primary->expires ==
+                                     tcp_secret_secondary->expires)) {
+                                struct timespec tv;
+                                getnstimeofday(&tv);
+                                bakery[COOKIE_DIGEST_WORDS+0] ^=
+                                        (u32)tv.tv_nsec;
+                                tcp_secret_secondary->expires = jiffy
+                                        + TCP_SECRET_1MSL
+                                        + (0x0f & tcp_cookie_work(bakery, 0));
+                        } else {
+                                tcp_secret_secondary->expires = jiffy
+                                        + TCP_SECRET_LIFE
+                                        + (0xff & tcp_cookie_work(bakery, 1));
+                                tcp_secret_primary->expires = jiffy
+                                        + TCP_SECRET_2MSL
+                                        + (0x1f & tcp_cookie_work(bakery, 2));
+                        }
+                        memcpy(&tcp_secret_secondary->secrets[0],
+                               bakery, COOKIE_WORKSPACE_WORDS);
+                        rcu_assign_pointer(tcp_secret_generating,
+                                           tcp_secret_secondary);
+                        rcu_assign_pointer(tcp_secret_retiring,
+                                           tcp_secret_primary);
+                        /*
+                         * Neither call_rcu() nor synchronize_rcu() needed.
+                         * Retiring data is not freed.  It is replaced after
+                         * further (locked) pointer updates, and a quiet time
+                         * (minimum 1MSL, maximum LIFE - 2MSL).
+                         */
+                }
+                spin_unlock_bh(&tcp_secret_locker);
+        } else {
+                rcu_read_lock_bh();
+                memcpy(bakery,
+                       &rcu_dereference(tcp_secret_generating)->secrets[0],
+                       COOKIE_WORKSPACE_WORDS);
+                rcu_read_unlock_bh();
+        }
+        return 0;
+}
+EXPORT_SYMBOL(tcp_cookie_generator);
 void tcp_done(struct sock *sk)
 {
        if (sk->sk_state == TCP_SYN_SENT || sk->sk_state == TCP_SYN_RECV)
@@ -2882,6 +3012,7 @@ void __init tcp_init(void)
        struct sk_buff *skb = NULL;
        unsigned long nr_pages, limit;
        int order, i, max_share;
+        unsigned long jiffy = jiffies;
        BUILD_BUG_ON(sizeof(struct tcp_skb_cb) > sizeof(skb->cb));
@@ -2975,6 +3106,15 @@ void __init tcp_init(void)
               tcp_hashinfo.ehash_mask + 1, tcp_hashinfo.bhash_size);
        tcp_register_congestion_control(&tcp_reno);
+        memset(&tcp_secret_one.secrets[0], 0, sizeof(tcp_secret_one.secrets));
+        memset(&tcp_secret_two.secrets[0], 0, sizeof(tcp_secret_two.secrets));
+        tcp_secret_one.expires = jiffy; /* past due */
+        tcp_secret_two.expires = jiffy; /* past due */
+        tcp_secret_generating = &tcp_secret_one;
+        tcp_secret_primary = &tcp_secret_one;
+        tcp_secret_retiring = &tcp_secret_two;
+        tcp_secret_secondary = &tcp_secret_two;
 }
 EXPORT_SYMBOL(tcp_close);
author	William Allen Simpson <william.allen.simpson@gmail.com>	2009-12-02 13:12:09 -0500
committer	David S. Miller <davem@davemloft.net>	2009-12-03 01:07:23 -0500
commit	da5c78c82629a167794436e4306b4cf1faddea90 (patch)
tree	c933fdc0583b592c01885890ebf770840555d28b /net
parent	e6b4d11367519bc71729c09d05a126b133c755be (diff)

diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c index 7d4648f8b3d3..ba03ac80435a 100644 --- a/net/ipv4/tcp.c +++ b/net/ipv4/tcp.c
@@ -264,6 +264,7 @@
264	#include <linux/cache.h>	264	#include <linux/cache.h>
265	#include <linux/err.h>	265	#include <linux/err.h>
266	#include <linux/crypto.h>	266	#include <linux/crypto.h>
		267	#include <linux/time.h>
267		268
268	#include <net/icmp.h>	269	#include <net/icmp.h>
269	#include <net/tcp.h>	270	#include <net/tcp.h>
@@ -2848,6 +2849,135 @@ EXPORT_SYMBOL(tcp_md5_hash_key);
2848		2849
2849	#endif	2850	#endif
2850		2851
		2852	/**
		2853	* Each Responder maintains up to two secret values concurrently for
		2854	* efficient secret rollover. Each secret value has 4 states:
		2855	*
		2856	* Generating. (tcp_secret_generating != tcp_secret_primary)
		2857	* Generates new Responder-Cookies, but not yet used for primary
		2858	* verification. This is a short-term state, typically lasting only
		2859	* one round trip time (RTT).
		2860	*
		2861	* Primary. (tcp_secret_generating == tcp_secret_primary)
		2862	* Used both for generation and primary verification.
		2863	*
		2864	* Retiring. (tcp_secret_retiring != tcp_secret_secondary)
		2865	* Used for verification, until the first failure that can be
		2866	* verified by the newer Generating secret. At that time, this
		2867	* cookie's state is changed to Secondary, and the Generating
		2868	* cookie's state is changed to Primary. This is a short-term state,
		2869	* typically lasting only one round trip time (RTT).
		2870	*
		2871	* Secondary. (tcp_secret_retiring == tcp_secret_secondary)
		2872	* Used for secondary verification, after primary verification
		2873	* failures. This state lasts no more than twice the Maximum Segment
		2874	* Lifetime (2MSL). Then, the secret is discarded.
		2875	*/
		2876	struct tcp_cookie_secret {
		2877	/* The secret is divided into two parts. The digest part is the
		2878	* equivalent of previously hashing a secret and saving the state,
		2879	* and serves as an initialization vector (IV). The message part
		2880	* serves as the trailing secret.
		2881	*/
		2882	u32 secrets[COOKIE_WORKSPACE_WORDS];
		2883	unsigned long expires;
		2884	};
		2885
		2886	#define TCP_SECRET_1MSL (HZ * TCP_PAWS_MSL)
		2887	#define TCP_SECRET_2MSL (HZ * TCP_PAWS_MSL * 2)
		2888	#define TCP_SECRET_LIFE (HZ * 600)
		2889
		2890	static struct tcp_cookie_secret tcp_secret_one;
		2891	static struct tcp_cookie_secret tcp_secret_two;
		2892
		2893	/* Essentially a circular list, without dynamic allocation. */
		2894	static struct tcp_cookie_secret *tcp_secret_generating;
		2895	static struct tcp_cookie_secret *tcp_secret_primary;
		2896	static struct tcp_cookie_secret *tcp_secret_retiring;
		2897	static struct tcp_cookie_secret *tcp_secret_secondary;
		2898
		2899	static DEFINE_SPINLOCK(tcp_secret_locker);
		2900
		2901	/* Select a pseudo-random word in the cookie workspace.
		2902	*/
		2903	static inline u32 tcp_cookie_work(const u32 *ws, const int n)
		2904	{
		2905	return ws[COOKIE_DIGEST_WORDS + ((COOKIE_MESSAGE_WORDS-1) & ws[n])];
		2906	}
		2907
		2908	/* Fill bakery[COOKIE_WORKSPACE_WORDS] with generator, updating as needed.
		2909	* Called in softirq context.
		2910	* Returns: 0 for success.
		2911	*/
		2912	int tcp_cookie_generator(u32 *bakery)
		2913	{
		2914	unsigned long jiffy = jiffies;
		2915
		2916	if (unlikely(time_after_eq(jiffy, tcp_secret_generating->expires))) {
		2917	spin_lock_bh(&tcp_secret_locker);
		2918	if (!time_after_eq(jiffy, tcp_secret_generating->expires)) {
		2919	/* refreshed by another */
		2920	memcpy(bakery,
		2921	&tcp_secret_generating->secrets[0],
		2922	COOKIE_WORKSPACE_WORDS);
		2923	} else {
		2924	/* still needs refreshing */
		2925	get_random_bytes(bakery, COOKIE_WORKSPACE_WORDS);
		2926
		2927	/* The first time, paranoia assumes that the
		2928	* randomization function isn't as strong. But,
		2929	* this secret initialization is delayed until
		2930	* the last possible moment (packet arrival).
		2931	* Although that time is observable, it is
		2932	* unpredictably variable. Mash in the most
		2933	* volatile clock bits available, and expire the
		2934	* secret extra quickly.
		2935	*/
		2936	if (unlikely(tcp_secret_primary->expires ==
		2937	tcp_secret_secondary->expires)) {
		2938	struct timespec tv;
		2939
		2940	getnstimeofday(&tv);
		2941	bakery[COOKIE_DIGEST_WORDS+0] ^=
		2942	(u32)tv.tv_nsec;
		2943
		2944	tcp_secret_secondary->expires = jiffy
		2945	+ TCP_SECRET_1MSL
		2946	+ (0x0f & tcp_cookie_work(bakery, 0));
		2947	} else {
		2948	tcp_secret_secondary->expires = jiffy
		2949	+ TCP_SECRET_LIFE
		2950	+ (0xff & tcp_cookie_work(bakery, 1));
		2951	tcp_secret_primary->expires = jiffy
		2952	+ TCP_SECRET_2MSL
		2953	+ (0x1f & tcp_cookie_work(bakery, 2));
		2954	}
		2955	memcpy(&tcp_secret_secondary->secrets[0],
		2956	bakery, COOKIE_WORKSPACE_WORDS);
		2957
		2958	rcu_assign_pointer(tcp_secret_generating,
		2959	tcp_secret_secondary);
		2960	rcu_assign_pointer(tcp_secret_retiring,
		2961	tcp_secret_primary);
		2962	/*
		2963	* Neither call_rcu() nor synchronize_rcu() needed.
		2964	* Retiring data is not freed. It is replaced after
		2965	* further (locked) pointer updates, and a quiet time
		2966	* (minimum 1MSL, maximum LIFE - 2MSL).
		2967	*/
		2968	}
		2969	spin_unlock_bh(&tcp_secret_locker);
		2970	} else {
		2971	rcu_read_lock_bh();
		2972	memcpy(bakery,
		2973	&rcu_dereference(tcp_secret_generating)->secrets[0],
		2974	COOKIE_WORKSPACE_WORDS);
		2975	rcu_read_unlock_bh();
		2976	}
		2977	return 0;
		2978	}
		2979	EXPORT_SYMBOL(tcp_cookie_generator);
		2980
2851	void tcp_done(struct sock *sk)	2981	void tcp_done(struct sock *sk)
2852	{	2982	{
2853	if (sk->sk_state == TCP_SYN_SENT \|\| sk->sk_state == TCP_SYN_RECV)	2983	if (sk->sk_state == TCP_SYN_SENT \|\| sk->sk_state == TCP_SYN_RECV)
@@ -2882,6 +3012,7 @@ void __init tcp_init(void)
2882	struct sk_buff *skb = NULL;	3012	struct sk_buff *skb = NULL;
2883	unsigned long nr_pages, limit;	3013	unsigned long nr_pages, limit;
2884	int order, i, max_share;	3014	int order, i, max_share;
		3015	unsigned long jiffy = jiffies;
2885		3016
2886	BUILD_BUG_ON(sizeof(struct tcp_skb_cb) > sizeof(skb->cb));	3017	BUILD_BUG_ON(sizeof(struct tcp_skb_cb) > sizeof(skb->cb));
2887		3018
@@ -2975,6 +3106,15 @@ void __init tcp_init(void)
2975	tcp_hashinfo.ehash_mask + 1, tcp_hashinfo.bhash_size);	3106	tcp_hashinfo.ehash_mask + 1, tcp_hashinfo.bhash_size);
2976		3107
2977	tcp_register_congestion_control(&tcp_reno);	3108	tcp_register_congestion_control(&tcp_reno);
		3109
		3110	memset(&tcp_secret_one.secrets[0], 0, sizeof(tcp_secret_one.secrets));
		3111	memset(&tcp_secret_two.secrets[0], 0, sizeof(tcp_secret_two.secrets));
		3112	tcp_secret_one.expires = jiffy; /* past due */
		3113	tcp_secret_two.expires = jiffy; /* past due */
		3114	tcp_secret_generating = &tcp_secret_one;
		3115	tcp_secret_primary = &tcp_secret_one;
		3116	tcp_secret_retiring = &tcp_secret_two;
		3117	tcp_secret_secondary = &tcp_secret_two;
2978	}	3118	}
2979		3119
2980	EXPORT_SYMBOL(tcp_close);	3120	EXPORT_SYMBOL(tcp_close);