inet: split syncookie keys for ipv4 and ipv6 and initialize with net_get_random_once
This patch splits the secret key for syncookies for ipv4 and ipv6 and initializes them with net_get_random_once. This change was the reason I did this series. I think the initialization of the syncookie_secret is way to early. Cc: Florian Westphal <fw@strlen.de> Cc: Eric Dumazet <edumazet@google.com> Cc: "David S. Miller" <davem@davemloft.net> Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org> Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Hannes Frederic Sowa
David S. Miller
parent
a48e42920f
commit
b23a002fc6
3 changed files with 14 additions and 14 deletions
|
|
@ -475,7 +475,6 @@ int tcp_send_rcvq(struct sock *sk, struct msghdr *msg, size_t size);
|
|||
void inet_sk_rx_dst_set(struct sock *sk, const struct sk_buff *skb);
|
||||
|
||||
/* From syncookies.c */
|
||||
extern __u32 syncookie_secret[2][16-4+SHA_DIGEST_WORDS];
|
||||
int __cookie_v4_check(const struct iphdr *iph, const struct tcphdr *th,
|
||||
u32 cookie);
|
||||
struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb,
|
||||
|
|
|
|||
|
|
@ -25,15 +25,7 @@
|
|||
|
||||
extern int sysctl_tcp_syncookies;
|
||||
|
||||
__u32 syncookie_secret[2][16-4+SHA_DIGEST_WORDS];
|
||||
EXPORT_SYMBOL(syncookie_secret);
|
||||
|
||||
static __init int init_syncookies(void)
|
||||
{
|
||||
get_random_bytes(syncookie_secret, sizeof(syncookie_secret));
|
||||
return 0;
|
||||
}
|
||||
__initcall(init_syncookies);
|
||||
static u32 syncookie_secret[2][16-4+SHA_DIGEST_WORDS];
|
||||
|
||||
#define COOKIEBITS 24 /* Upper bits store count */
|
||||
#define COOKIEMASK (((__u32)1 << COOKIEBITS) - 1)
|
||||
|
|
@ -44,8 +36,11 @@ static DEFINE_PER_CPU(__u32 [16 + 5 + SHA_WORKSPACE_WORDS],
|
|||
static u32 cookie_hash(__be32 saddr, __be32 daddr, __be16 sport, __be16 dport,
|
||||
u32 count, int c)
|
||||
{
|
||||
__u32 *tmp = __get_cpu_var(ipv4_cookie_scratch);
|
||||
__u32 *tmp;
|
||||
|
||||
net_get_random_once(syncookie_secret, sizeof(syncookie_secret));
|
||||
|
||||
tmp = __get_cpu_var(ipv4_cookie_scratch);
|
||||
memcpy(tmp + 4, syncookie_secret[c], sizeof(syncookie_secret[c]));
|
||||
tmp[0] = (__force u32)saddr;
|
||||
tmp[1] = (__force u32)daddr;
|
||||
|
|
|
|||
|
|
@ -24,6 +24,8 @@
|
|||
#define COOKIEBITS 24 /* Upper bits store count */
|
||||
#define COOKIEMASK (((__u32)1 << COOKIEBITS) - 1)
|
||||
|
||||
static u32 syncookie6_secret[2][16-4+SHA_DIGEST_WORDS];
|
||||
|
||||
/* RFC 2460, Section 8.3:
|
||||
* [ipv6 tcp] MSS must be computed as the maximum packet size minus 60 [..]
|
||||
*
|
||||
|
|
@ -61,14 +63,18 @@ static DEFINE_PER_CPU(__u32 [16 + 5 + SHA_WORKSPACE_WORDS],
|
|||
static u32 cookie_hash(const struct in6_addr *saddr, const struct in6_addr *daddr,
|
||||
__be16 sport, __be16 dport, u32 count, int c)
|
||||
{
|
||||
__u32 *tmp = __get_cpu_var(ipv6_cookie_scratch);
|
||||
__u32 *tmp;
|
||||
|
||||
net_get_random_once(syncookie6_secret, sizeof(syncookie6_secret));
|
||||
|
||||
tmp = __get_cpu_var(ipv6_cookie_scratch);
|
||||
|
||||
/*
|
||||
* we have 320 bits of information to hash, copy in the remaining
|
||||
* 192 bits required for sha_transform, from the syncookie_secret
|
||||
* 192 bits required for sha_transform, from the syncookie6_secret
|
||||
* and overwrite the digest with the secret
|
||||
*/
|
||||
memcpy(tmp + 10, syncookie_secret[c], 44);
|
||||
memcpy(tmp + 10, syncookie6_secret[c], 44);
|
||||
memcpy(tmp, saddr, 16);
|
||||
memcpy(tmp + 4, daddr, 16);
|
||||
tmp[8] = ((__force u32)sport << 16) + (__force u32)dport;
|
||||
|
|
|
|||
Loading…
Reference in a new issue