lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20131108142856.GA28330@order.stressinduktion.org>
Date:	Fri, 8 Nov 2013 15:28:56 +0100
From:	Hannes Frederic Sowa <hannes@...essinduktion.org>
To:	Eric Dumazet <eric.dumazet@...il.com>
Cc:	David Miller <davem@...emloft.net>, netdev <netdev@...r.kernel.org>
Subject: Re: [RFC] tcp: randomize TCP source ports

On Fri, Nov 08, 2013 at 06:03:38AM -0800, Eric Dumazet wrote:
> On Fri, 2013-11-08 at 14:02 +0100, Hannes Frederic Sowa wrote:
> 
> > If I understand the code correctly the UDP ports are fully randomized? This
> > is good as per-peer randomization and then incrementation seems to be
> > theoretically broken:
> > 
> > <https://sites.google.com/site/hayashulman/files/NIC-derandomisation.pdf>
> > 
> > Looking at the code I somehow would like to check the use of net_random there.
> > The prandom function is reseeded as late_initcall and then only seeded by some
> > network addresses.
> > 
> > At the time the late_initcall reseeds the PRNG my tests have shown that
> > the nonblockingpool was still not fully initialized where the PRNG gets
> > reseeded from.
> > 
> > Hm, I propose a patch which does reseed the pool as soon as the nonblocking
> > pool got credited enough entropy in credit_entropy_bits. This should help
> > later binds().
> 
> Or even better have a reseed every XX seconds.

Yes, that's even better.

> 
> Something like :
> 
> diff --git a/lib/random32.c b/lib/random32.c
> index 52280d5526be..4af2d72281e3 100644
> --- a/lib/random32.c
> +++ b/lib/random32.c
> @@ -60,6 +60,8 @@ u32 prandom_u32_state(struct rnd_state *state)
>  }
>  EXPORT_SYMBOL(prandom_u32_state);
>  
> +static DEFINE_PER_CPU(unsigned long, net_rand_shuffle);
> +
>  /**
>   *	prandom_u32 - pseudo random number generator
>   *
> @@ -71,6 +73,19 @@ u32 prandom_u32(void)
>  {
>  	unsigned long r;
>  	struct rnd_state *state = &get_cpu_var(net_rand_state);
> +
> +	if (unlikely(time_after(jiffies, net_rand_shuffle))) {
> +		unsigned long delay;
> +		u32 entropy;
> +
> +		get_random_bytes_arch(&entropy, sizeof(entropy));

What do you think about using a timer to keep the reseed out of fast-path
and switch to the non-arch get_random_bytes instead?

Thanks,

  Hannes

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ