From: Willy Tarreau <w@1wt.eu>
To: "Jason A. Donenfeld" <Jason@zx2c4.com>
Cc: netdev@vger.kernel.org, David Miller <davem@davemloft.net>,
Jakub Kicinski <kuba@kernel.org>,
Eric Dumazet <edumazet@google.com>,
Moshe Kol <moshe.kol@mail.huji.ac.il>,
Yossi Gilad <yossi.gilad@mail.huji.ac.il>,
Amit Klein <aksecurity@gmail.com>,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH net 1/7] secure_seq: return the full 64-bit of the siphash
Date: Wed, 27 Apr 2022 22:19:39 +0200 [thread overview]
Message-ID: <20220427201938.GC4326@1wt.eu> (raw)
In-Reply-To: <Yml6+PKmxW7VSHch@zx2c4.com>
Hi Jason,
On Wed, Apr 27, 2022 at 07:18:48PM +0200, Jason A. Donenfeld wrote:
> Hi Willy,
>
> On Wed, Apr 27, 2022 at 08:52:27AM +0200, Willy Tarreau wrote:
> > diff --git a/include/net/secure_seq.h b/include/net/secure_seq.h
> > index d7d2495f83c2..5cea9ed9c773 100644
> > --- a/include/net/secure_seq.h
> > +++ b/include/net/secure_seq.h
> > @@ -4,7 +4,7 @@
> >
> > #include <linux/types.h>
> >
> > -u32 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport);
> > +u64 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport);
> > u32 secure_ipv6_port_ephemeral(const __be32 *saddr, const __be32 *daddr,
> > __be16 dport);
> > u32 secure_tcp_seq(__be32 saddr, __be32 daddr,
> > diff --git a/net/core/secure_seq.c b/net/core/secure_seq.c
> > index 9b8443774449..2cdd43a63f64 100644
> > --- a/net/core/secure_seq.c
> > +++ b/net/core/secure_seq.c
> > @@ -142,7 +142,7 @@ u32 secure_tcp_seq(__be32 saddr, __be32 daddr,
> > }
> > EXPORT_SYMBOL_GPL(secure_tcp_seq);
> >
> > -u32 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport)
> > +u64 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport)
> > {
> > net_secret_init();
> > return siphash_3u32((__force u32)saddr, (__force u32)daddr,
>
> Should you be doing the same with secure_ipv6_port_ephemeral() too? Why
> the asymmetry?
I remember not finding it in the similar code path, but maybe I missed
something. It's used by inet6_sk_port_offset() which also returns a u32,
itself used by inet6_hash_connect() and passed to __inet_hash_connect().
Hmmm the loop is now closed, I don't know how I missed it. So yes I
agree that it would definitely be needed. I'll update the patch, many
thanks!
Willy
next prev parent reply other threads:[~2022-04-27 20:20 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-27 6:52 [PATCH net 0/7] insufficient TCP source port randomness Willy Tarreau
2022-04-27 6:52 ` [PATCH net 1/7] secure_seq: return the full 64-bit of the siphash Willy Tarreau
2022-04-27 9:56 ` kernel test robot
2022-04-27 10:07 ` Willy Tarreau
2022-04-27 10:07 ` Willy Tarreau
2022-04-27 16:35 ` Willy Tarreau
2022-04-27 16:35 ` Willy Tarreau
2022-04-27 16:50 ` Eric Dumazet
2022-04-27 16:50 ` Eric Dumazet
2022-04-27 16:56 ` Willy Tarreau
2022-04-27 16:56 ` Willy Tarreau
2022-04-27 17:18 ` Jason A. Donenfeld
2022-04-27 20:19 ` Willy Tarreau [this message]
2022-04-28 1:59 ` kernel test robot
2022-04-27 6:52 ` [PATCH net 2/7] tcp: use different parts of the port_offset for index and offset Willy Tarreau
2022-04-27 6:52 ` [PATCH net 3/7] tcp: resalt the secret every 10 seconds Willy Tarreau
2022-04-27 15:56 ` Stephen Hemminger
2022-04-27 16:21 ` Willy Tarreau
2022-04-27 6:52 ` [PATCH net 4/7] tcp: add small random increments to the source port Willy Tarreau
2022-04-27 6:52 ` [PATCH net 5/7] tcp: dynamically allocate the perturb table used by source ports Willy Tarreau
2022-04-27 6:52 ` [PATCH net 6/7] tcp: increase source port perturb table to 2^16 Willy Tarreau
2022-04-27 8:07 ` David Laight
2022-04-27 8:19 ` Willy Tarreau
2022-04-27 6:52 ` [PATCH net 7/7] tcp: drop the hash_32() part from the index calculation Willy Tarreau
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220427201938.GC4326@1wt.eu \
--to=w@1wt.eu \
--cc=Jason@zx2c4.com \
--cc=aksecurity@gmail.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=moshe.kol@mail.huji.ac.il \
--cc=netdev@vger.kernel.org \
--cc=yossi.gilad@mail.huji.ac.il \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.