Documentation/translations/zh_CN/security/siphash.rst
Source file repositories/reference/linux-study-clean/Documentation/translations/zh_CN/security/siphash.rst
File Facts
- System
- Linux kernel
- Corpus path
Documentation/translations/zh_CN/security/siphash.rst- Extension
.rst- Size
- 7414 bytes
- Lines
- 196
- Domain
- Support Tooling And Documentation
- Bucket
- Documentation
- Inferred role
- Support Tooling And Documentation: documentation
- Status
- atlas-only
Why This File Exists
Repository support layer: documentation, build tooling, samples, user-space helper tools, generated initramfs support, licenses, and validation utilities.
- Repository support layer: documentation, build tooling, samples, user-space helper tools, generated initramfs support, licenses, and validation utilities.
- Defines or uses C structs; map object ownership, embedded links, reference counts, and lock ownership.
Dependency Surface
- No C-style include directives detected by the generator.
Detected Declarations
struct some_hashtablestruct some_hashtablefunction init_hashtablefunction init_hashtable
Annotated Snippet
struct some_hashtable {
DECLARE_HASHTABLE(hashtable, 8);
siphash_key_t key;
};
void init_hashtable(struct some_hashtable *table)
{
get_random_bytes(&table->key, sizeof(table->key));
}
static inline hlist_head *some_hashtable_bucket(struct some_hashtable *table, struct interesting_input *input)
{
return &table->hashtable[siphash(input, sizeof(*input), &table->key) & (HASH_SIZE(table->hashtable) - 1)];
}
然后,你可以像往常一样对返回的哈希存储桶进行迭代。
安全性
======
SipHash有着非常高的安全性,因为其有128位的密钥。只要密钥是保密的,
即使攻击者看到多个输出,也无法猜测出函数的正确输出,因为2^128次
方个输出是非常庞大的。
Linux实现了SipHash的“2-4”变体
Struct-passing陷阱
==================
通常情况下,XuY函数的输出长度不够大,因此你可能需要传递一个预填充
的结构体给SipHash,在这样做时,务必确保结构体没有填充空隙,最简单
的方法就是将结构体的成员按照大小降序的方式排序,并且使用offsetofend()
函数代替sizeof()来获取结构体大小,出于性能的考虑,如果可以的话,最
好将结构体按右边界对齐,示例如下::
const struct {
struct in6_addr saddr;
u32 counter;
u16 dport;
} __aligned(SIPHASH_ALIGNMENT) combined = {
.saddr = *(struct in6_addr *)saddr,
.counter = counter,
.dport = dport
};
u64 h = siphash(&combined, offsetofend(typeof(combined), dport), &secret);
资源
====
如果你有兴趣了解更多信息,请阅读SipHash论文:
https://131002.net/siphash/siphash.pdf
-------------------------------------------------------------------------------
===========================================
HalfSipHash 是 SipHash 的一个较不安全的变种
===========================================
:作者: Jason A.Donenfeld <jason@zx2c4.com>
如果你认为SipHash的速度不够快,无法满足你的需求,那么你可以
使用HalfSipHash,这是一种令人担忧但是有用的选择。HalfSipHash
将SipHash的轮数从“2-4”降低到“1-3”,更令人担心的是,它使用一
个容易被穷举攻击的64位密钥(输出为32位),而不是SipHash的128位
密钥,不过,这对于要求高性能“jhash”用户来说这是比较好的选择。
HalfSipHash是通过 "hsiphash" 系列函数提供的。
.. warning::
绝对不要在作为哈希表键函数之外使用hsiphash函数,只有在你
Annotation
- Detected declarations: `struct some_hashtable`, `struct some_hashtable`, `function init_hashtable`, `function init_hashtable`.
- Atlas domain: Support Tooling And Documentation / Documentation.
- Implementation status: atlas-only.
Implementation Notes
- This generated page is the file-by-file coverage layer; curated subsystem chapters should link here when they synthesize a multi-file control flow.
- Core OS pages should be promoted from atlas-only to deep-reviewed when they explain data structures, invariants, locking, lifecycle, and C implementation snippets.
- Driver-family pages are intentionally pattern-oriented unless they are part of the selected PCIe/NVMe representative device path.