lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date:	Sun, 18 Oct 2009 12:28:02 -0400
From:	William Allen Simpson <william.allen.simpson@...il.com>
To:	Linux Kernel Network Developers <netdev@...r.kernel.org>
Subject: [net-next-2.6 PATCH 4/4 resent] TCPCT part 1d: initial SYN exchange
 with SYNACK data



-------- Original Message --------
Subject: [net-next-2.6 PATCH 4/4] TCPCT part 1: initial SYN exchange with SYNACK data
Date: Thu, 15 Oct 2009 01:36:48 -0400
From: William Allen Simpson <william.allen.simpson@...il.com>
To: Linux Kernel Network Developers <netdev@...r.kernel.org>
References: <4AD6B31B.3060402@...il.com> <4AD6B3E8.2050904@...il.com> <4AD6B467.2080701@...il.com>

This is a significantly revised implementation of an earlier (year-old)
patch that no longer applies cleanly, with permission of the original
author (Adam Langley).  That patch was previously reviewed:

    http://thread.gmane.org/gmane.linux.network/102586

The principle difference is using a TCP option to carry the cookie nonce,
instead of a user configured offset in the data.  This is more flexible and
less subject to user configuration error.  Such a cookie option has been
suggested for many years, and is also useful without SYN data, allowing
several related concepts to use the same extension option.

    "Re: SYN floods (was: does history repeat itself?)", September 9, 1996.
    http://www.merit.net/mail.archives/nanog/1996-09/msg00235.html

    "Re: what a new TCP header might look like", May 12, 1998.
    ftp://ftp.isi.edu/end2end/end2end-interest-1998.mail

Data structures are carefully composed to require minimal additions.
For example, the struct tcp_options_received cookie_plus variable fits
between existing 16-bit and 8-bit variables, requiring no additional
space (taking alignment into consideration).  There are no additions to
tcp_request_sock, and only 1 pointer and 1 flag byte in tcp_sock.

Allocations have been rearranged to avoid requiring GFP_ATOMIC, with
only one unavoidable exception in tcp_create_openreq_child(), where the
tcp_sock itself is created GFP_ATOMIC.

These functions will also be used in subsequent patches that implement
additional features.

Requires:
   TCPCT part 1a: add function parameter for sending SYNACK
   TCPCT part 1b: sysctl_tcp_cookie_size and TCP_COOKIE_TRANSACTIONS
   TCPCT part 1c: redefine TCP header functions *_len_th(), cleanup
---
   include/linux/tcp.h      |   35 +++++++-
   include/net/tcp.h        |   72 ++++++++++++++--
   net/ipv4/syncookies.c    |    5 +-
   net/ipv4/tcp.c           |  133 +++++++++++++++++++++++++++-
   net/ipv4/tcp_input.c     |   82 +++++++++++++++---
   net/ipv4/tcp_ipv4.c      |   62 +++++++++++--
   net/ipv4/tcp_minisocks.c |   43 +++++++---
   net/ipv4/tcp_output.c    |  223 ++++++++++++++++++++++++++++++++++++++++++---
   net/ipv6/syncookies.c    |    5 +-
   net/ipv6/tcp_ipv6.c      |   47 +++++++++-
   10 files changed, 641 insertions(+), 66 deletions(-)



View attachment "TCPCT+1-4.patch" of type "text/plain" (39342 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ