git.ipfire.org Git - thirdparty/kernel/stable.git/commit
inet: switch IP ID generator to siphash
author Eric Dumazet <edumazet@google.com>
Tue, 27 Aug 2019 23:11:06 +0000 (00:11 +0100)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 6 Sep 2019 08:18:13 +0000 (10:18 +0200)
commit 66f8c5ff8ed3d99dd21d8f24aac89410de7a4a05
tree 5583e2491099f60df0221d42decb68001baa68cb
parent 71b951c85b3b36480260a31419126b81f27db733
inet: switch IP ID generator to siphash

commit df453700e8d81b1bdafdf684365ee2b9431fb702 upstream.

According to Amit Klein and Benny Pinkas, IP ID generation is too weak
and might be used by attackers.

Even with recent net_hash_mix() fix (netns: provide pure entropy for net_hash_mix())
having 64bit key and Jenkins hash is risky.

It is time to switch to siphash and its 128bit keys.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Amit Klein <aksecurity@gmail.com>
Reported-by: Benny Pinkas <benny@pinkas.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 4.4: adjust context]
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
include/linux/siphash.h
include/net/netns/ipv4.h
net/ipv4/route.c
net/ipv6/output_core.c