lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Thu, 01 Aug 2013 15:35:12 -0700 (PDT)
From:	David Miller <davem@...emloft.net>
To:	fan.du@...driver.com
Cc:	steffen.klassert@...unet.com, herbert@...dor.hengli.com.au,
	netdev@...r.kernel.org
Subject: Re: [PATCH] xfrm: Refactor xfrm_state timer management

From: Fan Du <fan.du@...driver.com>
Date: Thu, 1 Aug 2013 15:39:50 +0800

> Current xfrm_state timer management is vulnerable in below several ways:
> 
> - Use hrtimer for timer, the timer handler use wall clock checking expire events
>   commit e3c0d047 "Fix unexpected SA hard expiration after changing date" fix
>   the partial problem by notify IKED with soft -> expire sequence when user
>   changing system time forward. But it didn't fix the issue when use changing
>   system time backwards, which is most crucial as SAs lifetime will be a *bigger*
>   one when doing so, thus buy much time for cracker.
> 
>   In short words, changing system time forward/backward can either result in
>   long long lifetime SAs or sudden SA hard expired first.
> 
>   It actually can be fixed this by adding more flags, and with more complicated
>   checking whether system time is being turned forward or backward. I did it and
>   eventually works well. But it's only for "add time expire", taking care of
>   "use time expire" will add more logic into timer handler, and much more
>   complicated.
> 
> - When user give "use lifetime" by xfrm user configuration
>   interface, current xfrm_state timer management will actually turn the timer on
>   even when no IP packet hit policy, and the "use lifetime" eventually become
>   "add lifetime".
> 
> The culprit is: with one timer for both "add lifetime" and "use lifetime", at the
> same time using wall clock to check two expire events. This patch tries to solve
> it by:
> - Switch real time timer with monotonic timer against any system time changing
> - Use "add lifetime" to override "use lifetime" when both applied, as most popular
>   IKED like Racoon2/StrongSwan use "add lifetime" only.
> - Start "add lifetime" timer only when xfrm_state is updated/added
> - Start "use lifetime" timer when actually SAs is used.
> - Start the timer with soft lifetime interval first, and then in timer handler
>   rearm timer with hard lifetime to get rid of using wall clock.
> 
> Signed-off-by: Fan Du <fan.du@...driver.com>

This is getting way too complicated, there must be a much better way
to handle this.

I suspect the thing to do is to have system time changes generate a
notifier when clock_was_set() is called.

The XFRM code would walk the rules and pretend that we hit the soft
timeout for every rule that we haven't hit the soft timeout yet
already.

If a rule hit the soft timeout, force a hard timeout.

When forcing a soft timeout, adjust the hard timeout to be
(hard_timeout - soft_timeout) into the future.

Because these other approaches are extremely fragile and
unmaintainable.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ