lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <1381987923-1524-1-git-send-email-hannes@stressinduktion.org>
Date:	Thu, 17 Oct 2013 07:31:54 +0200
From:	Hannes Frederic Sowa <hannes@...essinduktion.org>
To:	netdev@...r.kernel.org
Cc:	linux-kernel@...r.kernel.org
Subject: [PATCH net-next v3 0/9] Introduce support to lazy initialize mostly static keys

Hi!

This series implements support for delaying the initialization of secret
keys, e.g. used for hashing, for as long as possible. This functionality
is implemented by a new macro, net_get_random_bytes.

I already used it to protect the socket hashes, the syncookie secret
(most important) and the tcp_fastopen secrets.

Changelog:
v2) Use static_keys in net_get_random_once to have as minimal impact to
    the fast-path as possible.
v3) added patch "static_key: WARN on usage before jump_label_init was called":
    Patch "x86/jump_label: expect default_nop if static_key gets enabled
    on boot-up" relaxes the checks for using static_key primitives before
    jump_label_init. So tighten them first.

Included patches:
 ipv4: split inet_ehashfn to hash functions per compilation unit
 ipv6: split inet6_ehashfn to hash functions per compilation unit
 static_key: WARN on usage before jump_label_init was called
 x86/jump_label: expect default_nop if static_key gets enabled on boot-up
 net: introduce new macro net_get_random_once
 inet: split syncookie keys for ipv4 and ipv6 and initialize with net_get_random_once
 inet: convert inet_ehash_secret and ipv6_hash_secret to net_get_random_once
 tcp: switch tcp_fastopen key generation to net_get_random_once
 net: switch net_secret key generation to net_get_random_once

Diffstat:
 arch/x86/kernel/jump_label.c         | 25 ++++++++++++++++++-------
 include/linux/jump_label.h           | 10 ++++++++++
 include/linux/jump_label_ratelimit.h |  2 ++
 include/linux/net.h                  | 25 +++++++++++++++++++++++++
 include/net/inet6_hashtables.h       | 28 +++++++---------------------
 include/net/inet_sock.h              | 26 ++++++--------------------
 include/net/ipv6.h                   |  4 ++--
 include/net/tcp.h                    |  3 +--
 init/main.c                          |  7 +++++++
 kernel/jump_label.c                  |  5 +++++
 net/core/secure_seq.c                | 14 ++------------
 net/core/utils.c                     | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
 net/ipv4/af_inet.c                   | 27 ---------------------------
 net/ipv4/inet_hashtables.c           | 25 +++++++++++++++++++++++++
 net/ipv4/syncookies.c                | 15 +++++----------
 net/ipv4/sysctl_net_ipv4.c           |  5 +++++
 net/ipv4/tcp_fastopen.c              | 27 ++++++++++++++++-----------
 net/ipv4/udp.c                       | 20 ++++++++++++++++----
 net/ipv6/af_inet6.c                  |  5 -----
 net/ipv6/inet6_hashtables.c          | 33 +++++++++++++++++++++++++++++++++
 net/ipv6/syncookies.c                | 12 +++++++++---
 net/ipv6/udp.c                       | 31 +++++++++++++++++++++++++++----
 net/rds/connection.c                 | 12 +++++++++---
 23 files changed, 278 insertions(+), 131 deletions(-)

Greetings,

  Hannes

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ