• Ard Biesheuvel's avatar
    net: ipv4: move tcp_fastopen server side code to SipHash library · c681edae
    Ard Biesheuvel authored
    Using a bare block cipher in non-crypto code is almost always a bad idea,
    not only for security reasons (and we've seen some examples of this in
    the kernel in the past), but also for performance reasons.
    In the TCP fastopen case, we call into the bare AES block cipher one or
    two times (depending on whether the connection is IPv4 or IPv6). On most
    systems, this results in a call chain such as
      crypto_cipher_encrypt_one(ctx, dst, src)
        crypto_cipher_crt(tfm)->cit_encrypt_one(crypto_cipher_tfm(tfm), ...);
            aesni_enc(ctx, dst, src); // asm routine
    It is highly unlikely that the use of special AES instructions has a
    benefit in this case, especially since we are doing the above twice
    for IPv6 connections, instead of using a transform which can process
    the entire input in one go.
    We could switch to the cbcmac(aes) shash, which would at least get
    rid of the duplicated overhead in *some* cases (i.e., today, only
    arm64 has an accelerated implementation of cbcmac(aes), while x86 will
    end up using the generic cbcmac template wrapping the AES-NI cipher,
    which basically ends up doing exactly the above). However, in the given
    context, it makes more sense to use a light-weight MAC algorithm that
    is more suitable for the purpose at hand, such as SipHash.
    Since the output size of SipHash already matches our chosen value for
    TCP_FASTOPEN_COOKIE_SIZE, and given that it accepts arbitrary input
    sizes, this greatly simplifies the code as well.
    NOTE: Server farms backing a single server IP for load balancing purposes
          and sharing a single fastopen key will be adversely affected by
          this change unless all systems in the pool receive their kernel
          upgrades at the same time.
    Signed-off-by: default avatarArd Biesheuvel <ard.biesheuvel@linaro.org>
    Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>