lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20220114142015.87974-3-Jason@zx2c4.com>
Date:   Fri, 14 Jan 2022 15:20:14 +0100
From:   "Jason A. Donenfeld" <Jason@...c4.com>
To:     linux-kernel@...r.kernel.org, netdev@...r.kernel.org,
        bpf@...r.kernel.org, linux-crypto@...r.kernel.org
Cc:     "Jason A. Donenfeld" <Jason@...c4.com>,
        Geert Uytterhoeven <geert@...ux-m68k.org>,
        Herbert Xu <herbert@...dor.apana.org.au>,
        Andy Lutomirski <luto@...capital.net>,
        Ard Biesheuvel <ardb@...nel.org>,
        Jean-Philippe Aumasson <jeanphilippe.aumasson@...il.com>,
        Hannes Frederic Sowa <hannes@...essinduktion.org>,
        Fernando Gont <fgont@...networks.com>,
        Erik Kline <ek@...gle.com>,
        Lorenzo Colitti <lorenzo@...gle.com>
Subject: [PATCH RFC v2 2/3] ipv6: move from sha1 to blake2s in address calculation

BLAKE2s is faster and more secure. SHA-1 has been broken for a long time
now. This also removes some code complexity, and lets us potentially
remove sha1 from lib, which would further reduce vmlinux size. This also
lets us use the secret in the proper field for a secret, rather than the
prepending done in the prior construction.

Cc: Geert Uytterhoeven <geert@...ux-m68k.org>
Cc: Herbert Xu <herbert@...dor.apana.org.au>
Cc: Andy Lutomirski <luto@...capital.net>
Cc: Ard Biesheuvel <ardb@...nel.org>
Cc: Jean-Philippe Aumasson <jeanphilippe.aumasson@...il.com>
Cc: Hannes Frederic Sowa <hannes@...essinduktion.org>
Cc: Fernando Gont <fgont@...networks.com>
Cc: Erik Kline <ek@...gle.com>
Cc: Lorenzo Colitti <lorenzo@...gle.com>
Signed-off-by: Jason A. Donenfeld <Jason@...c4.com>
---
 net/ipv6/addrconf.c | 56 ++++++++++++---------------------------------
 1 file changed, 14 insertions(+), 42 deletions(-)

diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index 3eee17790a82..47048aafebd3 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -61,7 +61,7 @@
 #include <linux/delay.h>
 #include <linux/notifier.h>
 #include <linux/string.h>
-#include <linux/hash.h>
+#include <crypto/blake2s.h>
 
 #include <net/net_namespace.h>
 #include <net/sock.h>
@@ -3224,61 +3224,33 @@ static int ipv6_generate_stable_address(struct in6_addr *address,
 					u8 dad_count,
 					const struct inet6_dev *idev)
 {
-	static DEFINE_SPINLOCK(lock);
-	static __u32 digest[SHA1_DIGEST_WORDS];
-	static __u32 workspace[SHA1_WORKSPACE_WORDS];
-
-	static union {
-		char __data[SHA1_BLOCK_SIZE];
-		struct {
-			struct in6_addr secret;
-			__be32 prefix[2];
-			unsigned char hwaddr[MAX_ADDR_LEN];
-			u8 dad_count;
-		} __packed;
-	} data;
-
-	struct in6_addr secret;
-	struct in6_addr temp;
 	struct net *net = dev_net(idev->dev);
-
-	BUILD_BUG_ON(sizeof(data.__data) != sizeof(data));
+	const struct in6_addr *secret;
+	struct blake2s_state hash;
+	struct in6_addr proposal;
 
 	if (idev->cnf.stable_secret.initialized)
-		secret = idev->cnf.stable_secret.secret;
+		secret = &idev->cnf.stable_secret.secret;
 	else if (net->ipv6.devconf_dflt->stable_secret.initialized)
-		secret = net->ipv6.devconf_dflt->stable_secret.secret;
+		secret = &net->ipv6.devconf_dflt->stable_secret.secret;
 	else
 		return -1;
 
 retry:
-	spin_lock_bh(&lock);
-
-	sha1_init(digest);
-	memset(&data, 0, sizeof(data));
-	memset(workspace, 0, sizeof(workspace));
-	memcpy(data.hwaddr, idev->dev->perm_addr, idev->dev->addr_len);
-	data.prefix[0] = address->s6_addr32[0];
-	data.prefix[1] = address->s6_addr32[1];
-	data.secret = secret;
-	data.dad_count = dad_count;
-
-	sha1_transform(digest, data.__data, workspace);
-
-	temp = *address;
-	temp.s6_addr32[2] = (__force __be32)digest[0];
-	temp.s6_addr32[3] = (__force __be32)digest[1];
-
-	spin_unlock_bh(&lock);
+	blake2s_init_key(&hash, sizeof(proposal.s6_addr32[2]) * 2, secret, sizeof(*secret));
+	blake2s_update(&hash, (u8 *)&address->s6_addr32[0], sizeof(address->s6_addr32[0]) * 2);
+	blake2s_update(&hash, idev->dev->perm_addr, idev->dev->addr_len);
+	blake2s_update(&hash, (u8 *)&dad_count, sizeof(dad_count));
+	blake2s_final(&hash, (u8 *)&proposal.s6_addr32[2]);
 
-	if (ipv6_reserved_interfaceid(temp)) {
+	if (ipv6_reserved_interfaceid(proposal)) {
 		dad_count++;
-		if (dad_count > dev_net(idev->dev)->ipv6.sysctl.idgen_retries)
+		if (dad_count > net->ipv6.sysctl.idgen_retries)
 			return -1;
 		goto retry;
 	}
 
-	*address = temp;
+	*address = proposal;
 	return 0;
 }
 
-- 
2.34.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ