search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
(parent: 175a407) | patch
inet: switch IP ID generator to siphash
commitb97a2f3d58f439d11ececb2faa21dac775d63c5c
authorEric Dumazet <edumazet@google.com>
Fri, 16 Aug 2019 23:01:27 +0000 (17 00:01 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 25 Aug 2019 08:51:42 +0000 (25 10:51 +0200)
treecc8b186b50e182d14acc88e2b8de2208f5943545tree | snapshot (tar.gz zip)
parent175a407ce432088d827b822b8a47afd8360a8dbecommit | diff
inet: switch IP ID generator to siphash

commit df453700e8d81b1bdafdf684365ee2b9431fb702 upstream.

According to Amit Klein and Benny Pinkas, IP ID generation is too weak
and might be used by attackers.

Even with recent net_hash_mix() fix (netns: provide pure entropy for net_hash_mix())
having 64bit key and Jenkins hash is risky.

It is time to switch to siphash and its 128bit keys.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Amit Klein <aksecurity@gmail.com>
Reported-by: Benny Pinkas <benny@pinkas.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 4.9: adjust context]
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
include/linux/siphash.h diff | blob | blame | history
include/net/netns/ipv4.h diff | blob | blame | history
net/ipv4/route.c diff | blob | blame | history
net/ipv6/output_core.c diff | blob | blame | history
Linux with added FPC-III support