mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-09-21 01:51:18 +00:00
tcp: resalt the secret every 10 seconds
[ Upstream commit 4dfa9b438e
]
In order to limit the ability for an observer to recognize the source
ports sequence used to contact a set of destinations, we should
periodically shuffle the secret. 10 seconds looks effective enough
without causing particular issues.
Cc: Moshe Kol <moshe.kol@mail.huji.ac.il>
Cc: Yossi Gilad <yossi.gilad@mail.huji.ac.il>
Cc: Amit Klein <aksecurity@gmail.com>
Cc: Jason A. Donenfeld <Jason@zx2c4.com>
Tested-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
This commit is contained in:
parent
ff01554d87
commit
f41f6336bf
1 changed files with 9 additions and 3 deletions
|
@ -22,6 +22,8 @@
|
|||
static siphash_key_t net_secret __read_mostly;
|
||||
static siphash_key_t ts_secret __read_mostly;
|
||||
|
||||
#define EPHEMERAL_PORT_SHUFFLE_PERIOD (10 * HZ)
|
||||
|
||||
static __always_inline void net_secret_init(void)
|
||||
{
|
||||
net_get_random_once(&net_secret, sizeof(net_secret));
|
||||
|
@ -100,11 +102,13 @@ u64 secure_ipv6_port_ephemeral(const __be32 *saddr, const __be32 *daddr,
|
|||
const struct {
|
||||
struct in6_addr saddr;
|
||||
struct in6_addr daddr;
|
||||
unsigned int timeseed;
|
||||
__be16 dport;
|
||||
} __aligned(SIPHASH_ALIGNMENT) combined = {
|
||||
.saddr = *(struct in6_addr *)saddr,
|
||||
.daddr = *(struct in6_addr *)daddr,
|
||||
.dport = dport
|
||||
.timeseed = jiffies / EPHEMERAL_PORT_SHUFFLE_PERIOD,
|
||||
.dport = dport,
|
||||
};
|
||||
net_secret_init();
|
||||
return siphash(&combined, offsetofend(typeof(combined), dport),
|
||||
|
@ -145,8 +149,10 @@ EXPORT_SYMBOL_GPL(secure_tcp_seq);
|
|||
u64 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport)
|
||||
{
|
||||
net_secret_init();
|
||||
return siphash_3u32((__force u32)saddr, (__force u32)daddr,
|
||||
(__force u16)dport, &net_secret);
|
||||
return siphash_4u32((__force u32)saddr, (__force u32)daddr,
|
||||
(__force u16)dport,
|
||||
jiffies / EPHEMERAL_PORT_SHUFFLE_PERIOD,
|
||||
&net_secret);
|
||||
}
|
||||
EXPORT_SYMBOL_GPL(secure_ipv4_port_ephemeral);
|
||||
#endif
|
||||
|
|
Loading…
Reference in a new issue