summaryrefslogtreecommitdiff
path: root/drivers
diff options
context:
space:
mode:
authorEric Dumazet <eric.dumazet@gmail.com>2011-07-22 08:25:58 +0400
committerDavid S. Miller <davem@davemloft.net>2011-07-22 08:25:58 +0400
commit87c48fa3b4630905f98268dde838ee43626a060c (patch)
tree1374b52ed0514682f836cfa0a6a683eb549c9613 /drivers
parent21efcfa0ff27776902a8a15e810147be4d937d69 (diff)
downloadlinux-87c48fa3b4630905f98268dde838ee43626a060c.tar.xz
ipv6: make fragment identifications less predictable
IPv6 fragment identification generation is way beyond what we use for IPv4 : It uses a single generator. Its not scalable and allows DOS attacks. Now inetpeer is IPv6 aware, we can use it to provide a more secure and scalable frag ident generator (per destination, instead of system wide) This patch : 1) defines a new secure_ipv6_id() helper 2) extends inet_getid() to provide 32bit results 3) extends ipv6_select_ident() with a new dest parameter Reported-by: Fernando Gont <fernando@gont.com.ar> Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'drivers')
-rw-r--r--drivers/char/random.c15
1 files changed, 15 insertions, 0 deletions
diff --git a/drivers/char/random.c b/drivers/char/random.c
index d4ddeba56682..729281961f22 100644
--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -1523,6 +1523,21 @@ __u32 secure_ip_id(__be32 daddr)
return half_md4_transform(hash, keyptr->secret);
}
+__u32 secure_ipv6_id(const __be32 daddr[4])
+{
+ const struct keydata *keyptr;
+ __u32 hash[4];
+
+ keyptr = get_keyptr();
+
+ hash[0] = (__force __u32)daddr[0];
+ hash[1] = (__force __u32)daddr[1];
+ hash[2] = (__force __u32)daddr[2];
+ hash[3] = (__force __u32)daddr[3];
+
+ return half_md4_transform(hash, keyptr->secret);
+}
+
#ifdef CONFIG_INET
__u32 secure_tcp_sequence_number(__be32 saddr, __be32 daddr,