inet: switch IP ID generator to siphash
author Eric Dumazet <edumazet@google.com>
Wed, 27 Mar 2019 19:40:33 +0000 (12:40 -0700)
committer Ben Hutchings <ben@decadent.org.uk>
Tue, 13 Aug 2019 11:39:32 +0000 (12:39 +0100)
commit 9ebeec41ed3f52fd94267f25f8b9bf3f4cbf1e4e
tree 3b2bdfa126461196bb4d35d0830b4566a61358a1
parent a78ff0010f999bc2b0346ec2a89896af3f5c2ca8
inet: switch IP ID generator to siphash

commit df453700e8d81b1bdafdf684365ee2b9431fb702 upstream.

According to Amit Klein and Benny Pinkas, IP ID generation is too weak
and might be used by attackers.

Even with the recent net_hash_mix() fix (netns: provide pure entropy for net_hash_mix()),
having a 64bit key and Jenkins hash is risky.

It is time to switch to siphash and its 128bit keys.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Amit Klein <aksecurity@gmail.com>
Reported-by: Benny Pinkas <benny@pinkas.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
include/linux/siphash.h
include/net/netns/ipv4.h
net/ipv4/route.c
net/ipv6/output_core.c