diff options
| author | Eric Dumazet <edumazet@google.com> | 2019-03-27 12:40:33 -0700 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2019-06-04 08:02:30 +0200 |
| commit | 07480da0c8a1979e0973d6dd783b6aed966dccf6 (patch) | |
| tree | aa99b025ee2a5cddefa764fb457fd0aae74c5172 /include/linux | |
| parent | 9c9144e7899680ef12edf6c7003c9d5b1ac6cc1c (diff) | |
| download | linux-stable-07480da0c8a1979e0973d6dd783b6aed966dccf6.tar.gz linux-stable-07480da0c8a1979e0973d6dd783b6aed966dccf6.tar.bz2 linux-stable-07480da0c8a1979e0973d6dd783b6aed966dccf6.zip | |
inet: switch IP ID generator to siphash
[ Upstream commit df453700e8d81b1bdafdf684365ee2b9431fb702 ]
According to Amit Klein and Benny Pinkas, IP ID generation is too weak
and might be used by attackers.
Even with recent net_hash_mix() fix (netns: provide pure entropy for net_hash_mix())
having 64bit key and Jenkins hash is risky.
It is time to switch to siphash and its 128bit keys.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Amit Klein <aksecurity@gmail.com>
Reported-by: Benny Pinkas <benny@pinkas.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'include/linux')
| -rw-r--r-- | include/linux/siphash.h | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/include/linux/siphash.h b/include/linux/siphash.h index fa7a6b9cedbf..bf21591a9e5e 100644 --- a/include/linux/siphash.h +++ b/include/linux/siphash.h @@ -21,6 +21,11 @@ typedef struct { u64 key[2]; } siphash_key_t; +static inline bool siphash_key_is_zero(const siphash_key_t *key) +{ + return !(key->key[0] | key->key[1]); +} + u64 __siphash_aligned(const void *data, size_t len, const siphash_key_t *key); #ifndef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS u64 __siphash_unaligned(const void *data, size_t len, const siphash_key_t *key); |