linux/include/net/secure_seq.h
Eric Dumazet 165573e41f tcp: secure_seq: add back ports to TS offset
This reverts 28ee1b746f ("secure_seq: downgrade to per-host timestamp offsets")

tcp_tw_recycle went away in 2017.

Zhouyan Deng reported an off-path TCP source port leak via a
SYN cookie side-channel; it can be fixed in multiple ways.

One of them is to bring back TCP ports in TS offset randomization.

As a bonus, we perform a single siphash() computation
to provide both an ISN and a TS offset.

Fixes: 28ee1b746f ("secure_seq: downgrade to per-host timestamp offsets")
Reported-by: Zhouyan Deng <dengzhouyan_nwpu@163.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Acked-by: Florian Westphal <fw@strlen.de>
Link: https://patch.msgid.link/20260302205527.1982836-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-03-04 17:44:35 -08:00


/* SPDX-License-Identifier: GPL-2.0 */
#ifndef _NET_SECURE_SEQ
#define _NET_SECURE_SEQ
#include <linux/types.h>
struct net;
extern struct net init_net;
/*
 * Initial sequence number and timestamp offset for one TCP 4-tuple.
 *
 * Both values are carved out of a single 64-bit hash (the commit message
 * above notes that one siphash() computation now yields both). @seq and
 * @ts_off alias the two halves of @hash64; which half lands in which field
 * depends on host endianness, so callers should treat the split as opaque
 * rather than rely on a particular low/high mapping.
 */
union tcp_seq_and_ts_off {
struct {
u32 seq;	/* initial sequence number (ISN) */
u32 ts_off;	/* per-connection TCP timestamp offset */
};
u64 hash64;	/* raw hash output backing both fields */
};
/* Keyed hash seeding ephemeral source port selection for an IPv4 3-tuple. */
u64 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport);
/* IPv6 counterpart; saddr/daddr point at 128-bit addresses. */
u64 secure_ipv6_port_ephemeral(const __be32 *saddr, const __be32 *daddr,
__be16 dport);
/*
 * ISN and timestamp offset for an IPv4 4-tuple within @net.
 * Both ports are hash inputs, so the TS offset is per-connection rather
 * than per-host (this is the point of the commit above: a per-host offset
 * let an off-path observer infer the source port via SYN cookies).
 */
union tcp_seq_and_ts_off
secure_tcp_seq_and_ts_off(const struct net *net, __be32 saddr, __be32 daddr,
__be16 sport, __be16 dport);
/*
 * ISN-only convenience wrapper for IPv4 callers that live in init_net.
 * The timestamp offset computed alongside it is discarded; callers that
 * need both should use secure_tcp_seq_and_ts_off() directly and pass
 * their own namespace.
 */
static inline u32 secure_tcp_seq(__be32 saddr, __be32 daddr,
				 __be16 sport, __be16 dport)
{
	return secure_tcp_seq_and_ts_off(&init_net, saddr, daddr,
					 sport, dport).seq;
}
/*
 * IPv6 counterpart of secure_tcp_seq_and_ts_off(): ISN and timestamp
 * offset for a 4-tuple within @net. saddr/daddr point at 128-bit
 * addresses; both ports are hash inputs.
 */
union tcp_seq_and_ts_off
secure_tcpv6_seq_and_ts_off(const struct net *net, const __be32 *saddr,
const __be32 *daddr,
__be16 sport, __be16 dport);
/*
 * ISN-only convenience wrapper for IPv6 callers that live in init_net.
 * Mirrors secure_tcp_seq(): the timestamp offset is computed and dropped,
 * so callers wanting both values should call the full variant themselves.
 */
static inline u32 secure_tcpv6_seq(const __be32 *saddr, const __be32 *daddr,
				   __be16 sport, __be16 dport)
{
	return secure_tcpv6_seq_and_ts_off(&init_net, saddr, daddr,
					   sport, dport).seq;
}
#endif /* _NET_SECURE_SEQ */