qiurui
/
Centos-kernel-stream-9
mirror of https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

tcp: resalt the secret every 10 seconds 

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2064868
Upstream Status: linux.git
CVE: CVE-2022-1012
Conflicts:
  (context) Missing upstream commit 49ecc2e9c3ab ("net: align static
  siphash keys"):
    RHEL 9 still declares net_secret and ts_secret as siphash_key_t,
    while upstream uses the new siphash_aligned_key_t.

commit 4dfa9b438ee34caca4e6a4e5e961641807367f6f
Author: Eric Dumazet <edumazet@google.com>
Date:   Mon May 2 10:46:10 2022 +0200

    tcp: resalt the secret every 10 seconds

    In order to limit the ability for an observer to recognize the source
    ports sequence used to contact a set of destinations, we should
    periodically shuffle the secret. 10 seconds looks effective enough
    without causing particular issues.

    Cc: Moshe Kol <moshe.kol@mail.huji.ac.il>
    Cc: Yossi Gilad <yossi.gilad@mail.huji.ac.il>
    Cc: Amit Klein <aksecurity@gmail.com>
    Cc: Jason A. Donenfeld <Jason@zx2c4.com>
    Tested-by: Willy Tarreau <w@1wt.eu>
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>

Signed-off-by: Guillaume Nault <gnault@redhat.com>
This commit is contained in:
Guillaume Nault 2022-05-10 21:30:49 +02:00
parent cf01c418b1
commit 76a5e5ab10
1 changed files with 9 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
net/core/secure_seq.c
View File

@ -22,6 +22,8 @@
static siphash_key_t net_secret __read_mostly;
static siphash_key_t ts_secret __read_mostly;
#define EPHEMERAL_PORT_SHUFFLE_PERIOD (10 * HZ)
static __always_inline void net_secret_init(void)
{
net_get_random_once(&net_secret, sizeof(net_secret));
@ -100,11 +102,13 @@ u64 secure_ipv6_port_ephemeral(const __be32 *saddr, const __be32 *daddr,
const struct {
struct in6_addr saddr;
struct in6_addr daddr;
unsigned int timeseed;
__be16 dport;
} __aligned(SIPHASH_ALIGNMENT) combined = {
.saddr = *(struct in6_addr *)saddr,
.daddr = *(struct in6_addr *)daddr,
.dport = dport
.timeseed = jiffies / EPHEMERAL_PORT_SHUFFLE_PERIOD,
.dport = dport,
};
net_secret_init();
return siphash(&combined, offsetofend(typeof(combined), dport),
@ -145,8 +149,10 @@ EXPORT_SYMBOL_GPL(secure_tcp_seq);
u64 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport)
{
net_secret_init();
return siphash_3u32((__force u32)saddr, (__force u32)daddr,
(__force u16)dport, &net_secret);
return siphash_4u32((__force u32)saddr, (__force u32)daddr,
(__force u16)dport,
jiffies / EPHEMERAL_PORT_SHUFFLE_PERIOD,
&net_secret);
}
EXPORT_SYMBOL_GPL(secure_ipv4_port_ephemeral);
#endif