Received: by 2002:a6b:fb09:0:0:0:0:0 with SMTP id h9csp6132675iog; Thu, 23 Jun 2022 12:02:39 -0700 (PDT) X-Google-Smtp-Source: AGRyM1t0GNiYqIkR0dxZ3NnM8xms3PB++w5ws78YDfeB+4PCdud0rZ+TT2bn0iyOFB2Q4IVKvutj X-Received: by 2002:a05:6402:5008:b0:42d:c421:48c8 with SMTP id p8-20020a056402500800b0042dc42148c8mr12560278eda.422.1656010958925; Thu, 23 Jun 2022 12:02:38 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1656010958; cv=none; d=google.com; s=arc-20160816; b=YcKImoZDdvz2wvllykG6HPoqNrSlj52ReOaNDp79wOCDwRTfUn2JZj/EinQM8ZrA1X QFBI5Tc4yrJGCJReZFzBLHxPtigOVeZz+kr80gKy0wunkCyjZuHV7ld6t1FUgmpdUjjT dALTl4zCe5fwt8Fn68g4Wyre8OHtYOwG4nnmTJmyVG7d4Iw+eXNjlqxNDfs0UVw+Bc/5 xRf75Xe+wrtFMoW6H05AI4c0rrvlBgx191ZHqtAgvMvEdaOKCIFfmxhH9j1Y38MG1Tty 5yTfbuipkYREsHHO/GjM2ZUvDi2FQ0jux00IuXSUoSBTQV5+zVXgPJvPQ+u29GdbpjwX z4OQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=Ew+wvpEAeli5cbj4ZBdRQx6XIbEmValTgqCvYHXWUnE=; b=hzQ+6iFAXXnQRUr47EM3O5P1mEJZLPLmZKRkg3kcC5UZPjCdPbJdZlptbwP0Lj3Jwm 6Ydq5Xpl/YoprrH49w2EjuKrhtZ5ZHJ3/GSV7ISPCSvZAnmgF17CL6JQG6ckUJQbsnlg yJ7QtRfXMj+fV3/HedOfzVU059X26+wart5Ktpfm3W3QZ1juA+7582NRRaX29qfS4vqu ipLBrJoe7PuYKeOVyg2SW5Znkli4JSn7oQCodR+Fr3GWyRsLTx+kI/uHsLhfQkQA/0on BxNaCIhNMBDtFqt4aiJ1AHYnCDx58nB1t88DuqqK+iWZWhV2fAanHsgKbmEWSi47Ehey C3Rg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=Em9SKihj; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id jg3-20020a170907970300b00725eb97f7a5si3217186ejc.227.2022.06.23.12.02.13; Thu, 23 Jun 2022 12:02:38 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=Em9SKihj; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232571AbiFWRQf (ORCPT + 99 others); Thu, 23 Jun 2022 13:16:35 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39212 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233335AbiFWRMp (ORCPT ); Thu, 23 Jun 2022 13:12:45 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3D53050013; Thu, 23 Jun 2022 09:58:43 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id E9891615F4; Thu, 23 Jun 2022 16:58:42 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id CF8E4C3411B; Thu, 23 Jun 2022 16:58:41 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1656003522; bh=GLC9E95aK2WnDeYRY9JZ5cRMLmuy/5ynGlZZ4TSsH4k=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Em9SKihjysFvJ3JK28sZRUZV10Fcgcak/CqvegTogbAPSL9gKsNUEMy1TVvCXEgGZ bA/bH7d9pdN1tAjajHl6ihrXheRjUcVDBffg6x/UXJKPuZDsdomg3y/DUlbRjm4Sp5 opvg8fJUACOJpM2tN3iXBrdBH6SJYHML3luPdnvY= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, "Jason A. Donenfeld" , Moshe Kol , Yossi Gilad , Amit Klein , Eric Dumazet , Willy Tarreau , Jakub Kicinski , Ben Hutchings Subject: [PATCH 4.9 259/264] secure_seq: use the 64 bits of the siphash for port offset calculation Date: Thu, 23 Jun 2022 18:44:12 +0200 Message-Id: <20220623164351.393458192@linuxfoundation.org> X-Mailer: git-send-email 2.36.1 In-Reply-To: <20220623164344.053938039@linuxfoundation.org> References: <20220623164344.053938039@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-7.7 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Willy Tarreau commit b2d057560b8107c633b39aabe517ff9d93f285e3 upstream. SipHash replaced MD5 in secure_ipv{4,6}_port_ephemeral() via commit 7cd23e5300c1 ("secure_seq: use SipHash in place of MD5"), but the output remained truncated to 32-bit only. In order to exploit more bits from the hash, let's make the functions return the full 64-bit of siphash_3u32(). We also make sure the port offset calculation in __inet_hash_connect() remains done on 32-bit to avoid the need for div_u64_rem() and an extra cost on 32-bit systems. Cc: Jason A. Donenfeld Cc: Moshe Kol Cc: Yossi Gilad Cc: Amit Klein Reviewed-by: Eric Dumazet Signed-off-by: Willy Tarreau Signed-off-by: Jakub Kicinski Signed-off-by: Ben Hutchings Signed-off-by: Greg Kroah-Hartman --- include/net/inet_hashtables.h | 2 +- include/net/secure_seq.h | 4 ++-- net/core/secure_seq.c | 4 ++-- net/ipv4/inet_hashtables.c | 10 ++++++---- net/ipv6/inet6_hashtables.c | 4 ++-- 5 files changed, 13 insertions(+), 11 deletions(-) --- a/include/net/inet_hashtables.h +++ b/include/net/inet_hashtables.h @@ -382,7 +382,7 @@ static inline void sk_rcv_saddr_set(stru } int __inet_hash_connect(struct inet_timewait_death_row *death_row, - struct sock *sk, u32 port_offset, + struct sock *sk, u64 port_offset, int (*check_established)(struct inet_timewait_death_row *, struct sock *, __u16, struct inet_timewait_sock **)); --- a/include/net/secure_seq.h +++ b/include/net/secure_seq.h @@ -3,8 +3,8 @@ #include -u32 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport); -u32 secure_ipv6_port_ephemeral(const __be32 *saddr, const __be32 *daddr, +u64 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport); +u64 secure_ipv6_port_ephemeral(const __be32 *saddr, const __be32 *daddr, __be16 dport); __u32 secure_tcp_sequence_number(__be32 saddr, __be32 daddr, __be16 sport, __be16 dport); --- a/net/core/secure_seq.c +++ b/net/core/secure_seq.c @@ -62,7 +62,7 @@ __u32 secure_tcpv6_sequence_number(const } EXPORT_SYMBOL(secure_tcpv6_sequence_number); -u32 secure_ipv6_port_ephemeral(const __be32 *saddr, const __be32 *daddr, +u64 secure_ipv6_port_ephemeral(const __be32 *saddr, const __be32 *daddr, __be16 dport) { u32 secret[MD5_MESSAGE_BYTES / 4]; @@ -102,7 +102,7 @@ __u32 secure_tcp_sequence_number(__be32 return seq_scale(hash[0]); } -u32 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport) +u64 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport) { u32 hash[MD5_DIGEST_WORDS]; --- a/net/ipv4/inet_hashtables.c +++ b/net/ipv4/inet_hashtables.c @@ -382,7 +382,7 @@ not_unique: return -EADDRNOTAVAIL; } -static u32 inet_sk_port_offset(const struct sock *sk) +static u64 inet_sk_port_offset(const struct sock *sk) { const struct inet_sock *inet = inet_sk(sk); @@ -549,7 +549,7 @@ EXPORT_SYMBOL_GPL(inet_unhash); static u32 table_perturb[1 << INET_TABLE_PERTURB_SHIFT]; int __inet_hash_connect(struct inet_timewait_death_row *death_row, - struct sock *sk, u32 port_offset, + struct sock *sk, u64 port_offset, int (*check_established)(struct inet_timewait_death_row *, struct sock *, __u16, struct inet_timewait_sock **)) { @@ -589,7 +589,9 @@ int __inet_hash_connect(struct inet_time net_get_random_once(table_perturb, sizeof(table_perturb)); index = hash_32(port_offset, INET_TABLE_PERTURB_SHIFT); - offset = (READ_ONCE(table_perturb[index]) + port_offset) % remaining; + offset = READ_ONCE(table_perturb[index]) + port_offset; + offset %= remaining; + /* In first pass we try ports of @low parity. * inet_csk_get_port() does the opposite choice. */ @@ -670,7 +672,7 @@ ok: int inet_hash_connect(struct inet_timewait_death_row *death_row, struct sock *sk) { - u32 port_offset = 0; + u64 port_offset = 0; if (!inet_sk(sk)->inet_num) port_offset = inet_sk_port_offset(sk); --- a/net/ipv6/inet6_hashtables.c +++ b/net/ipv6/inet6_hashtables.c @@ -242,7 +242,7 @@ not_unique: return -EADDRNOTAVAIL; } -static u32 inet6_sk_port_offset(const struct sock *sk) +static u64 inet6_sk_port_offset(const struct sock *sk) { const struct inet_sock *inet = inet_sk(sk); @@ -254,7 +254,7 @@ static u32 inet6_sk_port_offset(const st int inet6_hash_connect(struct inet_timewait_death_row *death_row, struct sock *sk) { - u32 port_offset = 0; + u64 port_offset = 0; if (!inet_sk(sk)->inet_num) port_offset = inet6_sk_port_offset(sk);