Eric Dumazet 55667441c8 net/flow_dissector: switch to siphash
UDP IPv6 packets auto flowlabels are using a 32bit secret
(static u32 hashrnd in net/core/flow_dissector.c) and
apply jhash() over fields known by the receivers.

Attackers can easily infer the 32bit secret and use this information
to identify a device and/or user, since this 32bit secret is only
set at boot time.

Really, using jhash() to generate cookies sent on the wire
is a serious security concern.

Trying to change the rol32(hash, 16) in ip6_make_flowlabel() would be
a dead end. Trying to periodically change the secret (like in sch_sfq.c)
could change paths taken in the network for long lived flows.

Let's switch to siphash, as we did in commit df453700e8d8
("inet: switch IP ID generator to siphash")

Using a cryptographically strong pseudo random function will solve this
privacy issue and more generally remove other weak points in the stack.

Packet schedulers using skb_get_hash_perturb() benefit from this change.

Fixes: b56774163f99 ("ipv6: Enable auto flow labels by default")
Fixes: 42240901f7c4 ("ipv6: Implement different admin modes for automatic flow labels")
Fixes: 67800f9b1f4e ("ipv6: Call skb_get_hash_flowi6 to get skb->hash in ip6_make_flowlabel")
Fixes: cb1ce2ef387b ("ipv6: Implement automatic flow label generation on transmit")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Jonathan Berger <jonathann1@walla.com>
Reported-by: Amit Klein <aksecurity@gmail.com>
Reported-by: Benny Pinkas <benny@pinkas.net>
Cc: Tom Herbert <tom@herbertland.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-10-23 20:13:22 -07:00

/* SPDX-License-Identifier: GPL-2.0-only */
/*
 * Copyright (c) 2016 Qualcomm Atheros, Inc
 *
 * Based on net/sched/sch_fq_codel.c
 */
#ifndef __NET_SCHED_FQ_H
#define __NET_SCHED_FQ_H

struct fq_tin;

/**
 * struct fq_flow - per traffic flow queue
 *
 * @tin: owner of this flow. Used to manage collisions, i.e. when a packet
 *	hashes to an index which points to a flow that is already owned by a
 *	different tin the packet is destined to. In such case the implementer
 *	must provide a fallback flow
 * @flowchain: can be linked to fq_tin's new_flows or old_flows. Used for DRR++
 *	(deficit round robin) based round robin queuing similar to the one
 *	found in net/sched/sch_fq_codel.c
 * @backlogchain: can be linked to other fq_flow and fq. Used to keep track of
 *	fat flows and efficient head-dropping if packet limit is reached
 * @queue: sk_buff queue to hold packets
 * @backlog: number of bytes pending in the queue. The number of packets can be
 *	found in @queue.qlen
 * @deficit: used for DRR++
 */
struct fq_flow {
	struct fq_tin *tin;
	struct list_head flowchain;
	struct list_head backlogchain;
	struct sk_buff_head queue;
	u32 backlog;
	int deficit;
};

/**
 * struct fq_tin - a logical container of fq_flows
 *
 * Used to group fq_flows into a logical aggregate. DRR++ scheme is used to
 * pull interleaved packets out of the associated flows.
 *
 * @new_flows: linked list of fq_flow
 * @old_flows: linked list of fq_flow
 */
struct fq_tin {
	struct list_head new_flows;
	struct list_head old_flows;
	u32 backlog_bytes;
	u32 backlog_packets;
	u32 overlimit;
	u32 collisions;
	u32 flows;
	u32 tx_bytes;
	u32 tx_packets;
};

/**
 * struct fq - main container for fair queuing purposes
 *
 * @backlogs: linked to fq_flows. Used to maintain fat flows for efficient
 *	head-dropping when @backlog reaches @limit
 * @limit: max number of packets that can be queued across all flows
 * @backlog: number of packets queued across all flows
 */
struct fq {
	struct fq_flow *flows;
	struct list_head backlogs;
	spinlock_t lock;
	u32 flows_cnt;
	siphash_key_t perturbation;
	u32 limit;
	u32 memory_limit;
	u32 memory_usage;
	u32 quantum;
	u32 backlog;
	u32 overlimit;
	u32 overmemory;
	u32 collisions;
};

typedef struct sk_buff *fq_tin_dequeue_t(struct fq *,
					 struct fq_tin *,
					 struct fq_flow *flow);

typedef void fq_skb_free_t(struct fq *,
			   struct fq_tin *,
			   struct fq_flow *,
			   struct sk_buff *);

/* Return %true to filter (drop) the frame. */
typedef bool fq_skb_filter_t(struct fq *,
			     struct fq_tin *,
			     struct fq_flow *,
			     struct sk_buff *,
			     void *);

typedef struct fq_flow *fq_flow_get_default_t(struct fq *,
					      struct fq_tin *,
					      int idx,
					      struct sk_buff *);

#endif
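
The commit message above replaces a 32-bit jhash() secret with a 128-bit SipHash key, which is why `perturbation` in `struct fq` is a `siphash_key_t`. The following userspace sketch is an added example, not kernel code or code from this commit: it implements SipHash-2-4 over whole 64-bit words and uses it to pick a flow queue. The names `sip_key`, `siphash_words`, `struct flow` and `flow_index` are hypothetical, and the flow tuple layout is constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example: userspace SipHash-2-4 over whole 64-bit words. */
typedef struct { uint64_t k0, k1; } sip_key;	/* 128-bit secret (hypothetical name) */

#define ROTL(x, b) (((x) << (b)) | ((x) >> (64 - (b))))
#define SIPROUND do { \
	v0 += v1; v1 = ROTL(v1, 13); v1 ^= v0; v0 = ROTL(v0, 32); \
	v2 += v3; v3 = ROTL(v3, 16); v3 ^= v2; \
	v0 += v3; v3 = ROTL(v3, 21); v3 ^= v0; \
	v2 += v1; v1 = ROTL(v1, 17); v1 ^= v2; v2 = ROTL(v2, 32); \
} while (0)

static uint64_t siphash_words(const uint64_t *w, size_t n, const sip_key *k)
{
	/* The key is mixed into all four state words, not just one seed. */
	uint64_t v0 = 0x736f6d6570736575ULL ^ k->k0;
	uint64_t v1 = 0x646f72616e646f6dULL ^ k->k1;
	uint64_t v2 = 0x6c7967656e657261ULL ^ k->k0;
	uint64_t v3 = 0x7465646279746573ULL ^ k->k1;
	uint64_t b = (uint64_t)(n * 8) << 56;	/* final block: input length in top byte */

	for (size_t i = 0; i < n; i++) {	/* two compression rounds per word */
		v3 ^= w[i]; SIPROUND; SIPROUND; v0 ^= w[i];
	}
	v3 ^= b; SIPROUND; SIPROUND; v0 ^= b;
	v2 ^= 0xff;				/* four finalization rounds */
	SIPROUND; SIPROUND; SIPROUND; SIPROUND;
	return v0 ^ v1 ^ v2 ^ v3;
}

/* Constructed flow tuple for illustration (not the kernel's struct flow_keys). */
struct flow { uint32_t saddr, daddr; uint16_t sport, dport; uint32_t proto; };

/* Map a flow to one of flows_cnt queues using the keyed hash. */
static uint32_t flow_index(const struct flow *f, const sip_key *k, uint32_t flows_cnt)
{
	uint64_t w[2] = {
		((uint64_t)f->saddr << 32) | f->daddr,
		((uint64_t)f->sport << 48) | ((uint64_t)f->dport << 32) | f->proto,
	};
	uint32_t h = (uint32_t)siphash_words(w, 2, k);

	/* Scale the 32-bit hash into [0, flows_cnt) without a modulo. */
	return (uint32_t)(((uint64_t)h * flows_cnt) >> 32);
}
```

With the key kept secret, an observer who sees outputs for known inputs has no practical way to recover it, unlike the 32-bit jhash() seed the commit message describes.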