lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date:   Tue, 19 May 2020 14:07:48 +0200
From:   "Bram Bonné" <brambonne@...gle.com>
To:     "David S. Miller" <davem@...emloft.net>,
        Alexey Kuznetsov <kuznet@....inr.ac.ru>,
        Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org>,
        Jakub Kicinski <kuba@...nel.org>,
        Hannes Frederic Sowa <hannes@...essinduktion.org>
Cc:     netdev@...r.kernel.org, Jeffrey Vander Stoep <jeffv@...gle.com>,
        Lorenzo Colitti <lorenzo@...gle.com>,
        "Bram Bonné" <brambonne@...gle.com>
Subject: [PATCH] ipv6: Add IN6_ADDR_GEN_MODE_STABLE_PRIVACY_SOFTMAC mode

IN6_ADDR_GEN_MODE_STABLE_PRIVACY_SOFTMAC behaves like the existing
IN6_ADDR_GEN_MODE_STABLE_PRIVACY mode, but uses the software-defined MAC
address (dev_addr) instead of the permanent, hardware-defined MAC
address (perm_addr) when generating IPv6 link-local addresses.

This mode allows the IPv6 link-local address to change in line with the
MAC address when per-network MAC address randomization is used. In this
case, the MAC address fulfills the role of both the Net_Iface and the
Network_ID parameters in RFC7217.

Signed-off-by: Bram Bonné <brambonne@...gle.com>
---
 include/uapi/linux/if_link.h |  1 +
 net/ipv6/addrconf.c          | 29 ++++++++++++++++++++++++-----
 2 files changed, 25 insertions(+), 5 deletions(-)

diff --git a/include/uapi/linux/if_link.h b/include/uapi/linux/if_link.h
index a009365ad67b..0de71cfdcd84 100644
--- a/include/uapi/linux/if_link.h
+++ b/include/uapi/linux/if_link.h
@@ -240,6 +240,7 @@ enum in6_addr_gen_mode {
 	IN6_ADDR_GEN_MODE_NONE,
 	IN6_ADDR_GEN_MODE_STABLE_PRIVACY,
 	IN6_ADDR_GEN_MODE_RANDOM,
+	IN6_ADDR_GEN_MODE_STABLE_PRIVACY_SOFTMAC,
 };
 
 /* Bridge section */
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index ab7e839753ae..02d999ca332c 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -142,6 +142,7 @@ static int ipv6_count_addresses(const struct inet6_dev *idev);
 static int ipv6_generate_stable_address(struct in6_addr *addr,
 					u8 dad_count,
 					const struct inet6_dev *idev);
+static bool ipv6_addr_gen_use_softmac(const struct inet6_dev *idev);
 
 #define IN6_ADDR_HSIZE_SHIFT	8
 #define IN6_ADDR_HSIZE		(1 << IN6_ADDR_HSIZE_SHIFT)
@@ -381,7 +382,8 @@ static struct inet6_dev *ipv6_add_dev(struct net_device *dev)
 	timer_setup(&ndev->rs_timer, addrconf_rs_timer, 0);
 	memcpy(&ndev->cnf, dev_net(dev)->ipv6.devconf_dflt, sizeof(ndev->cnf));
 
-	if (ndev->cnf.stable_secret.initialized)
+	if (ndev->cnf.stable_secret.initialized &&
+	    !ipv6_addr_gen_use_softmac(ndev))
 		ndev->cnf.addr_gen_mode = IN6_ADDR_GEN_MODE_STABLE_PRIVACY;
 
 	ndev->cnf.mtu6 = dev->mtu;
@@ -2540,6 +2542,8 @@ static void manage_tempaddrs(struct inet6_dev *idev,
 static bool is_addr_mode_generate_stable(struct inet6_dev *idev)
 {
 	return idev->cnf.addr_gen_mode == IN6_ADDR_GEN_MODE_STABLE_PRIVACY ||
+	       idev->cnf.addr_gen_mode ==
+		       IN6_ADDR_GEN_MODE_STABLE_PRIVACY_SOFTMAC ||
 	       idev->cnf.addr_gen_mode == IN6_ADDR_GEN_MODE_RANDOM;
 }
 
@@ -3191,6 +3195,12 @@ static bool ipv6_reserved_interfaceid(struct in6_addr address)
 	return false;
 }
 
+static inline bool ipv6_addr_gen_use_softmac(const struct inet6_dev *idev)
+{
+	return idev->cnf.addr_gen_mode ==
+	    IN6_ADDR_GEN_MODE_STABLE_PRIVACY_SOFTMAC;
+}
+
 static int ipv6_generate_stable_address(struct in6_addr *address,
 					u8 dad_count,
 					const struct inet6_dev *idev)
@@ -3212,6 +3222,7 @@ static int ipv6_generate_stable_address(struct in6_addr *address,
 	struct in6_addr secret;
 	struct in6_addr temp;
 	struct net *net = dev_net(idev->dev);
+	unsigned char *hwaddr;
 
 	BUILD_BUG_ON(sizeof(data.__data) != sizeof(data));
 
@@ -3222,13 +3233,16 @@ static int ipv6_generate_stable_address(struct in6_addr *address,
 	else
 		return -1;
 
+	hwaddr = ipv6_addr_gen_use_softmac(idev) ?
+			idev->dev->dev_addr : idev->dev->perm_addr;
+
 retry:
 	spin_lock_bh(&lock);
 
 	sha_init(digest);
 	memset(&data, 0, sizeof(data));
 	memset(workspace, 0, sizeof(workspace));
-	memcpy(data.hwaddr, idev->dev->perm_addr, idev->dev->addr_len);
+	memcpy(data.hwaddr, hwaddr, idev->dev->addr_len);
 	data.prefix[0] = address->s6_addr32[0];
 	data.prefix[1] = address->s6_addr32[1];
 	data.secret = secret;
@@ -3283,6 +3297,7 @@ static void addrconf_addr_gen(struct inet6_dev *idev, bool prefix_route)
 		ipv6_gen_mode_random_init(idev);
 		fallthrough;
 	case IN6_ADDR_GEN_MODE_STABLE_PRIVACY:
+	case IN6_ADDR_GEN_MODE_STABLE_PRIVACY_SOFTMAC:
 		if (!ipv6_generate_stable_address(&addr, 0, idev))
 			addrconf_add_linklocal(idev, &addr,
 					       IFA_F_STABLE_PRIVACY);
@@ -5726,6 +5741,7 @@ static int check_addr_gen_mode(int mode)
 	if (mode != IN6_ADDR_GEN_MODE_EUI64 &&
 	    mode != IN6_ADDR_GEN_MODE_NONE &&
 	    mode != IN6_ADDR_GEN_MODE_STABLE_PRIVACY &&
+	    mode != IN6_ADDR_GEN_MODE_STABLE_PRIVACY_SOFTMAC &&
 	    mode != IN6_ADDR_GEN_MODE_RANDOM)
 		return -EINVAL;
 	return 1;
@@ -5734,7 +5750,8 @@ static int check_addr_gen_mode(int mode)
 static int check_stable_privacy(struct inet6_dev *idev, struct net *net,
 				int mode)
 {
-	if (mode == IN6_ADDR_GEN_MODE_STABLE_PRIVACY &&
+	if ((mode == IN6_ADDR_GEN_MODE_STABLE_PRIVACY ||
+	     mode == IN6_ADDR_GEN_MODE_STABLE_PRIVACY) &&
 	    !idev->cnf.stable_secret.initialized &&
 	    !net->ipv6.devconf_dflt->stable_secret.initialized)
 		return -EINVAL;
@@ -6355,7 +6372,7 @@ static int addrconf_sysctl_stable_secret(struct ctl_table *ctl, int write,
 		for_each_netdev(net, dev) {
 			struct inet6_dev *idev = __in6_dev_get(dev);
 
-			if (idev) {
+			if (idev && !ipv6_addr_gen_use_softmac(idev)) {
 				idev->cnf.addr_gen_mode =
 					IN6_ADDR_GEN_MODE_STABLE_PRIVACY;
 			}
@@ -6363,7 +6380,9 @@ static int addrconf_sysctl_stable_secret(struct ctl_table *ctl, int write,
 	} else {
 		struct inet6_dev *idev = ctl->extra1;
 
-		idev->cnf.addr_gen_mode = IN6_ADDR_GEN_MODE_STABLE_PRIVACY;
+		if (idev && !ipv6_addr_gen_use_softmac(idev))
+			idev->cnf.addr_gen_mode =
+				IN6_ADDR_GEN_MODE_STABLE_PRIVACY;
 	}
 
 out:
-- 
2.26.2.761.g0e0b3e54be-goog

Powered by blists - more mailing lists