* [PATCH] Add some randomness to TCP source port selection.
@ 2022-06-06 16:36 Robert LeBlanc
  2022-06-06 17:25 ` Vladimir 'phcoder' Serbinenko
  0 siblings, 1 reply; 5+ messages in thread
From: Robert LeBlanc @ 2022-06-06 16:36 UTC (permalink / raw)
  To: grub-devel; +Cc: Robert LeBlanc

GRUB uses a static source TCP port and increments for each new
connection. When rapidly restarting GRUB this can cause issues with some
firewalls that suspect that a replay attack is happening. In addition
GRUB does not ACK the last FIN,ACK when booting the kernel and initrd
from HTTP for example. This causes the remote HTTP server to keep the TCP
session in TIME_WAIT and reject new connections from the same port
combination when restarted quickly. This helps to work around both
problems by shifting the source port by a small amount based on time.

The missing final ACK should also be addressed, but I'm not sure how to
resolve that.

Signed-off-by: Robert LeBlanc <robert@leblancnet.us>
---
 grub-core/net/tcp.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/grub-core/net/tcp.c b/grub-core/net/tcp.c
index 93dee0caa..2eefd3168 100644
--- a/grub-core/net/tcp.c
+++ b/grub-core/net/tcp.c
@@ -569,7 +569,7 @@ grub_net_tcp_open (char *server,
   struct grub_net_network_level_interface *inf;
   grub_net_network_level_address_t gateway;
   grub_net_tcp_socket_t socket;
-  static grub_uint16_t in_port = 21550;
+  grub_uint16_t in_port = 21550 + grub_get_time_ms () % 256;
   struct grub_net_buff *nb;
   struct tcphdr *tcph;
   int i;
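Review bot: the time-derived value on the `+` line covers only 256 ports (21550 through 21805), and because `grub_get_time_ms ()` is a millisecond counter the same port comes back whenever the counter differs by a multiple of 256 ms, so a quick restart can still land on the port the server holds in TIME_WAIT; the collision the description wants to avoid becomes less likely, not impossible. Dropping `static` also turns `in_port` into a value recomputed from the clock on every call, so two sockets opened within the same millisecond get the same source port. Suggest keeping a `static` state that is seeded once from the clock (mixed with something that differs across reboots, which an uptime counter alone does not), drawing from a much wider range than 256 values, and checking the candidate against the sockets already open before using it.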
@@ -603,7 +603,7 @@ grub_net_tcp_open (char *server,
   socket->inf = inf;
   socket->out_nla = addr;
   socket->ll_target_addr = ll_target_addr;
-  socket->in_port = in_port++;
+  socket->in_port = in_port;
   socket->recv_hook = recv_hook;
   socket->error_hook = error_hook;
   socket->fin_hook = fin_hook;
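Review bot: removing the post-increment in `socket->in_port = in_port;` removes the only thing that kept source ports unique within one GRUB session. With `in_port` now a local derived from the clock, two `grub_net_tcp_open ()` calls in the same millisecond to the same destination create two sockets with identical source and destination ports, and incoming segments can then be matched to the wrong socket. Keep a `static` counter (seeded from the clock once) and assign from it with `socket->in_port = in_port++;`, or reject a candidate port that another open socket already holds.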
-- 
2.35.1




* Re: [PATCH] Add some randomness to TCP source port selection.
  2022-06-06 16:36 [PATCH] Add some randomness to TCP source port selection Robert LeBlanc
@ 2022-06-06 17:25 ` Vladimir 'phcoder' Serbinenko
  2022-06-06 17:26   ` Vladimir 'phcoder' Serbinenko
  0 siblings, 1 reply; 5+ messages in thread
From: Vladimir 'phcoder' Serbinenko @ 2022-06-06 17:25 UTC (permalink / raw)
  To: The development of GNU GRUB; +Cc: Robert LeBlanc

256 is a bad modulo. A prime would be a much better one for those purposes.
Also get_time_ms counts up from an arbitrary point in time, often boot. I
suggest using some combination of etc and get_time to seed an LFSR algorithm.

Le lun. 6 juin 2022, 18:37, Robert LeBlanc <robert@leblancnet.us> a écrit :

> GRUB uses a static source TCP port and increments for each new
> connection. When rapidly restarting GRUB this can cause issues with some
> firewalls that suspect that a replay attack is happening. In addition
> GRUB does not ACK the last FIN,ACK when booting the kernel and initrd
> from HTTP for example. This causes the remote HTTP server to keep the TCP
> session in TIME_WAIT and reject new connections from the same port
> combination when restarted quickly. This helps to work around both
> problems by shifting the source port by a small amount based on time.
>
> The missing final ACK should also be addressed, but I'm not sure how to
> resolve that.
>
> Signed-off-by: Robert LeBlanc <robert@leblancnet.us>
> ---
>  grub-core/net/tcp.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/grub-core/net/tcp.c b/grub-core/net/tcp.c
> index 93dee0caa..2eefd3168 100644
> --- a/grub-core/net/tcp.c
> +++ b/grub-core/net/tcp.c
> @@ -569,7 +569,7 @@ grub_net_tcp_open (char *server,
>    struct grub_net_network_level_interface *inf;
>    grub_net_network_level_address_t gateway;
>    grub_net_tcp_socket_t socket;
> -  static grub_uint16_t in_port = 21550;
> +  grub_uint16_t in_port = 21550 + grub_get_time_ms () % 256;
>    struct grub_net_buff *nb;
>    struct tcphdr *tcph;
>    int i;
> @@ -603,7 +603,7 @@ grub_net_tcp_open (char *server,
>    socket->inf = inf;
>    socket->out_nla = addr;
>    socket->ll_target_addr = ll_target_addr;
> -  socket->in_port = in_port++;
> +  socket->in_port = in_port;
>    socket->recv_hook = recv_hook;
>    socket->error_hook = error_hook;
>    socket->fin_hook = fin_hook;
> --
> 2.35.1
>
>
> _______________________________________________
> Grub-devel mailing list
> Grub-devel@gnu.org
> https://lists.gnu.org/mailman/listinfo/grub-devel
>

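Added example, not GRUB code and not posted by anyone in this thread: a C sketch of the source-port selection that the patch description (static base port, TIME_WAIT collisions on quick restart) and the reply above (seed from the RTC and get_time_ms, use a prime modulus, drive an LFSR) point at. The clock values are passed in as parameters so it runs without hardware; the 32-bit LFSR polynomial, the seed-mixing constants, the prime modulus 16381 and the choice of the IANA dynamic range 49152-65535 are this example's assumptions, not anything the patch or GRUB uses. The patch's own rule (21550 + ms % 256) is kept alongside for comparison.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* IANA dynamic/private port range (RFC 6335): 49152..65535, 16384 ports.
 * Assumed for this example; the patch starts at a fixed 21550 instead. */
#define PORT_MIN     49152u
#define PORT_COUNT   16384u
/* Largest prime below PORT_COUNT (2^14 - 3).  A prime modulus shares no
 * factor with a counter's period, unlike the "% 256" in the patch. */
#define PORT_MODULUS 16381u

/* 32-bit Galois LFSR, polynomial x^32 + x^22 + x^2 + x + 1 (maximal
 * length).  Kept static so the sequence continues across calls within one
 * session instead of being recomputed from the clock on every call. */
static uint32_t lfsr_state;

static uint32_t
lfsr_next (void)
{
  uint32_t lsb = lfsr_state & 1u;
  lfsr_state >>= 1;
  if (lsb)
    lfsr_state ^= 0x80200003u;
  return lfsr_state;
}

/* Seed once per boot from the RTC (differs across reboots) and the
 * millisecond uptime counter (differs within a boot).  Both are parameters
 * so the example runs without hardware; in GRUB they would come from the
 * datetime and grub_get_time_ms interfaces.  The mixing constants are
 * arbitrary odd multipliers chosen for this example. */
void
port_seed (uint32_t rtc_unixtime, uint32_t uptime_ms)
{
  uint32_t s = rtc_unixtime ^ (uptime_ms * 0x9E3779B1u) ^ 0xA5A5A5A5u;
  s ^= s >> 16;
  s *= 0x85EBCA6Bu;
  s ^= s >> 13;
  if (s == 0)
    s = 1;                      /* an all-zero LFSR state never advances */
  lfsr_state = s;
}

/* `busy` is the caller's table of ports held by sockets that are still
 * open; a real stack would walk its socket list instead. */
static bool
port_in_use (uint16_t port, const uint16_t *busy, size_t nbusy)
{
  for (size_t i = 0; i < nbusy; i++)
    if (busy[i] == port)
      return true;
  return false;
}

/* Draw ports until one is not in `busy`.  Returns 0 (never a valid source
 * port) if PORT_COUNT draws all landed on busy ports. */
uint16_t
port_pick (const uint16_t *busy, size_t nbusy)
{
  if (lfsr_state == 0)
    lfsr_state = 1;             /* port_seed never called; still advance */
  for (unsigned attempt = 0; attempt < PORT_COUNT; attempt++)
    {
      uint16_t port = (uint16_t) (PORT_MIN + lfsr_next () % PORT_MODULUS);
      if (!port_in_use (port, busy, nbusy))
        return port;
    }
  return 0;
}

/* The patch's rule, for comparison: only 256 distinct ports, the same port
 * for any two calls within one millisecond, and the same port again
 * whenever the millisecond counter differs by a multiple of 256. */
uint16_t
port_pick_time_only (uint32_t uptime_ms)
{
  return (uint16_t) (21550u + uptime_ms % 256u);
}

int
main (void)
{
  /* Constructed inputs: a fixed RTC value and uptime, plus three ports
   * already held by open sockets. */
  uint16_t busy[8] = { 49152, 49153, 50000 };
  size_t nbusy = 3;

  port_seed (1654533360u, 1234u);
  for (int i = 0; i < 4; i++)
    {
      uint16_t p = port_pick (busy, nbusy);
      printf ("connection %d: source port %u\n", i, (unsigned) p);
      busy[nbusy++] = p;        /* the new socket now holds it */
    }
  printf ("patch rule at 1000 ms and 1256 ms: %u %u\n",
          (unsigned) port_pick_time_only (1000u),
          (unsigned) port_pick_time_only (1256u));
  return 0;
}
```

The part that addresses both problems raised in the thread is the structure, not the generator: state seeded once and kept static, a range of thousands of ports rather than 256, and a check against ports still held by open sockets. A plain LFSR is predictable to anyone who observes a few chosen ports; where off-path guessing of the connection tuple matters, RFC 6056 describes keyed-hash schemes that keep the per-destination port sequence unpredictable, and those would replace lfsr_next here without changing the rest.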

* Re: [PATCH] Add some randomness to TCP source port selection.
  2022-06-06 17:25 ` Vladimir 'phcoder' Serbinenko
@ 2022-06-06 17:26   ` Vladimir 'phcoder' Serbinenko
  2022-06-14 13:19     ` Robert LeBlanc
  0 siblings, 1 reply; 5+ messages in thread
From: Vladimir 'phcoder' Serbinenko @ 2022-06-06 17:26 UTC (permalink / raw)
  To: The development of GNU GRUB

Le lun. 6 juin 2022, 19:25, Vladimir 'phcoder' Serbinenko <phcoder@gmail.com>
a écrit :

> 256 is a bad modulo. A prime would be a much better one for those
> purposes. Also get_time_ms counts up from an arbitrary point in time, often
> boot. I suggest using some combination of etc
>
RTC, not etc

>
>  and get_time to seed an LFSR algorithm
>
> Le lun. 6 juin 2022, 18:37, Robert LeBlanc <robert@leblancnet.us> a
> écrit :
>
>> GRUB uses a static source TCP port and increments for each new
>> connection. When rapidly restarting GRUB this can cause issues with some
>> firewalls that suspect that a replay attack is happening. In addition
>> GRUB does not ACK the last FIN,ACK when booting the kernel and initrd
>> from HTTP for example. This causes the remote HTTP server to keep the TCP
>> session in TIME_WAIT and reject new connections from the same port
>> combination when restarted quickly. This helps to work around both
>> problems by shifting the source port by a small amount based on time.
>>
>> The missing final ACK should also be addressed, but I'm not sure how to
>> resolve that.
>>
>> Signed-off-by: Robert LeBlanc <robert@leblancnet.us>
>> ---
>>  grub-core/net/tcp.c | 4 ++--
>>  1 file changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/grub-core/net/tcp.c b/grub-core/net/tcp.c
>> index 93dee0caa..2eefd3168 100644
>> --- a/grub-core/net/tcp.c
>> +++ b/grub-core/net/tcp.c
>> @@ -569,7 +569,7 @@ grub_net_tcp_open (char *server,
>>    struct grub_net_network_level_interface *inf;
>>    grub_net_network_level_address_t gateway;
>>    grub_net_tcp_socket_t socket;
>> -  static grub_uint16_t in_port = 21550;
>> +  grub_uint16_t in_port = 21550 + grub_get_time_ms () % 256;
>>    struct grub_net_buff *nb;
>>    struct tcphdr *tcph;
>>    int i;
>> @@ -603,7 +603,7 @@ grub_net_tcp_open (char *server,
>>    socket->inf = inf;
>>    socket->out_nla = addr;
>>    socket->ll_target_addr = ll_target_addr;
>> -  socket->in_port = in_port++;
>> +  socket->in_port = in_port;
>>    socket->recv_hook = recv_hook;
>>    socket->error_hook = error_hook;
>>    socket->fin_hook = fin_hook;
>> --
>> 2.35.1
>>
>>
>> _______________________________________________
>> Grub-devel mailing list
>> Grub-devel@gnu.org
>> https://lists.gnu.org/mailman/listinfo/grub-devel
>>
>


* Re: [PATCH] Add some randomness to TCP source port selection.
  2022-06-06 17:26   ` Vladimir 'phcoder' Serbinenko
@ 2022-06-14 13:19     ` Robert LeBlanc
  2022-08-22 21:53       ` Robert LeBlanc
  0 siblings, 1 reply; 5+ messages in thread
From: Robert LeBlanc @ 2022-06-14 13:19 UTC (permalink / raw)
  To: The development of GNU GRUB

Thanks.

I had trouble using the clock to seed the random number generator due to
some dependency issues. I'm not strong enough in C to figure that out with
the limited GRUB libraries (since standard libraries are not used), so I
did what I could to show the intended behavior. Please feel free to submit
a much better patch as I don't have the expertise to do so.

Thank you,
Robert LeBlanc

Sent from a mobile device, please excuse any typos.

On Mon, Jun 6, 2022, 11:27 AM Vladimir 'phcoder' Serbinenko <
phcoder@gmail.com> wrote:

>
>
> Le lun. 6 juin 2022, 19:25, Vladimir 'phcoder' Serbinenko <
> phcoder@gmail.com> a écrit :
>
>> 256 is a bad modulo. A prime would be a much better one for those
>> purposes. Also get_time_ms counts up from an arbitrary point in time, often
>> boot. I suggest using some combination of etc
>>
> RTC, not etc
>
>>
>>  and get_time to seed an LFSR algorithm
>>
>> Le lun. 6 juin 2022, 18:37, Robert LeBlanc <robert@leblancnet.us> a
>> écrit :
>>
>>> GRUB uses a static source TCP port and increments for each new
>>> connection. When rapidly restarting GRUB this can cause issues with some
>>> firewalls that suspect that a replay attack is happening. In addition
>>> GRUB does not ACK the last FIN,ACK when booting the kernel and initrd
>>> from HTTP for example. This causes the remote HTTP server to keep the TCP
>>> session in TIME_WAIT and reject new connections from the same port
>>> combination when restarted quickly. This helps to work around both
>>> problems by shifting the source port by a small amount based on time.
>>>
>>> The missing final ACK should also be addressed, but I'm not sure how to
>>> resolve that.
>>>
>>> Signed-off-by: Robert LeBlanc <robert@leblancnet.us>
>>> ---
>>>  grub-core/net/tcp.c | 4 ++--
>>>  1 file changed, 2 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/grub-core/net/tcp.c b/grub-core/net/tcp.c
>>> index 93dee0caa..2eefd3168 100644
>>> --- a/grub-core/net/tcp.c
>>> +++ b/grub-core/net/tcp.c
>>> @@ -569,7 +569,7 @@ grub_net_tcp_open (char *server,
>>>    struct grub_net_network_level_interface *inf;
>>>    grub_net_network_level_address_t gateway;
>>>    grub_net_tcp_socket_t socket;
>>> -  static grub_uint16_t in_port = 21550;
>>> +  grub_uint16_t in_port = 21550 + grub_get_time_ms () % 256;
>>>    struct grub_net_buff *nb;
>>>    struct tcphdr *tcph;
>>>    int i;
>>> @@ -603,7 +603,7 @@ grub_net_tcp_open (char *server,
>>>    socket->inf = inf;
>>>    socket->out_nla = addr;
>>>    socket->ll_target_addr = ll_target_addr;
>>> -  socket->in_port = in_port++;
>>> +  socket->in_port = in_port;
>>>    socket->recv_hook = recv_hook;
>>>    socket->error_hook = error_hook;
>>>    socket->fin_hook = fin_hook;
>>> --
>>> 2.35.1
>>>
>>>
>>> _______________________________________________
>>> Grub-devel mailing list
>>> Grub-devel@gnu.org
>>> https://lists.gnu.org/mailman/listinfo/grub-devel
>>>
>> _______________________________________________
> Grub-devel mailing list
> Grub-devel@gnu.org
> https://lists.gnu.org/mailman/listinfo/grub-devel
>


* Re: [PATCH] Add some randomness to TCP source port selection.
  2022-06-14 13:19     ` Robert LeBlanc
@ 2022-08-22 21:53       ` Robert LeBlanc
  0 siblings, 0 replies; 5+ messages in thread
From: Robert LeBlanc @ 2022-08-22 21:53 UTC (permalink / raw)
  To: The development of GNU GRUB

Anyone willing to implement this in a better way?

Thank you,
Robert LeBlanc
----------------
Robert LeBlanc
PGP Fingerprint 79A2 9CA4 6CC4 45DD A904  C70E E654 3BB2 FA62 B9F1


On Tue, Jun 14, 2022 at 7:19 AM Robert LeBlanc <robert@leblancnet.us> wrote:
>
> Thanks.
>
> I had trouble using the clock to seed the random number generator due to some dependency issues. I'm not strong enough in C to figure that out with the limited GRUB libraries (since standard libraries are not used), so I did what I could to show the intended behavior. Please feel free to submit a much better patch as I don't have the expertise to do so.
>
> Thank you,
> Robert LeBlanc
>
> Sent from a mobile device, please excuse any typos.
>
> On Mon, Jun 6, 2022, 11:27 AM Vladimir 'phcoder' Serbinenko <phcoder@gmail.com> wrote:
>>
>>
>>
>> Le lun. 6 juin 2022, 19:25, Vladimir 'phcoder' Serbinenko <phcoder@gmail.com> a écrit :
>>>
>>> 256 is a bad modulo. A prime would be a much better one for those purposes. Also get_time_ms counts up from an arbitrary point in time, often boot. I suggest using some combination of etc
>>
>> RTC, not etc
>>>
>>>
>>>  and get_time to seed an LFSR algorithm
>>>
>>> Le lun. 6 juin 2022, 18:37, Robert LeBlanc <robert@leblancnet.us> a écrit :
>>>>
>>>> GRUB uses a static source TCP port and increments for each new
>>>> connection. When rapidly restarting GRUB this can cause issues with some
>>>> firewalls that suspect that a replay attack is happening. In addition
>>>> GRUB does not ACK the last FIN,ACK when booting the kernel and initrd
>>>> from HTTP for example. This causes the remote HTTP server to keep the TCP
>>>> session in TIME_WAIT and reject new connections from the same port
>>>> combination when restarted quickly. This helps to work around both
>>>> problems by shifting the source port by a small amount based on time.
>>>>
>>>> The missing final ACK should also be addressed, but I'm not sure how to
>>>> resolve that.
>>>>
>>>> Signed-off-by: Robert LeBlanc <robert@leblancnet.us>
>>>> ---
>>>>  grub-core/net/tcp.c | 4 ++--
>>>>  1 file changed, 2 insertions(+), 2 deletions(-)
>>>>
>>>> diff --git a/grub-core/net/tcp.c b/grub-core/net/tcp.c
>>>> index 93dee0caa..2eefd3168 100644
>>>> --- a/grub-core/net/tcp.c
>>>> +++ b/grub-core/net/tcp.c
>>>> @@ -569,7 +569,7 @@ grub_net_tcp_open (char *server,
>>>>    struct grub_net_network_level_interface *inf;
>>>>    grub_net_network_level_address_t gateway;
>>>>    grub_net_tcp_socket_t socket;
>>>> -  static grub_uint16_t in_port = 21550;
>>>> +  grub_uint16_t in_port = 21550 + grub_get_time_ms () % 256;
>>>>    struct grub_net_buff *nb;
>>>>    struct tcphdr *tcph;
>>>>    int i;
>>>> @@ -603,7 +603,7 @@ grub_net_tcp_open (char *server,
>>>>    socket->inf = inf;
>>>>    socket->out_nla = addr;
>>>>    socket->ll_target_addr = ll_target_addr;
>>>> -  socket->in_port = in_port++;
>>>> +  socket->in_port = in_port;
>>>>    socket->recv_hook = recv_hook;
>>>>    socket->error_hook = error_hook;
>>>>    socket->fin_hook = fin_hook;
>>>> --
>>>> 2.35.1
>>>>
>>>>
>>>> _______________________________________________
>>>> Grub-devel mailing list
>>>> Grub-devel@gnu.org
>>>> https://lists.gnu.org/mailman/listinfo/grub-devel
>>
>> _______________________________________________
>> Grub-devel mailing list
>> Grub-devel@gnu.org
>> https://lists.gnu.org/mailman/listinfo/grub-devel

