Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm-4.19 / 8382fcac1b813ad0a4e68a838fc7ae93fa39eda0 / . / net / core / secure_seq.c
blob: e61a8bb7fce73393ddaab88747a9637c1dcbf311 [file] [log] [blame]
David S. Miller6e5714e2011-08-03 20:50:44 -0700[diff] [blame]1#include <linux/kernel.h>
2#include <linux/init.h>
3#include <linux/cryptohash.h>
4#include <linux/module.h>
5#include <linux/cache.h>
6#include <linux/random.h>
7#include <linux/hrtimer.h>
8#include <linux/ktime.h>
9#include <linux/string.h>
10
11#include <net/secure_seq.h>
12
13static u32 net_secret[MD5_MESSAGE_BYTES / 4] ____cacheline_aligned;
14
15static int __init net_secret_init(void)
16{
17 get_random_bytes(net_secret, sizeof(net_secret));
18 return 0;
19}
20late_initcall(net_secret_init);
21
Stephen Boyd681090902011-12-06 08:04:40 +0000[diff] [blame]22#ifdef CONFIG_INET
David S. Miller6e5714e2011-08-03 20:50:44 -0700[diff] [blame]23static u32 seq_scale(u32 seq)
24{
25 /*
26 * As close as possible to RFC 793, which
27 * suggests using a 250 kHz clock.
28 * Further reading shows this assumes 2 Mb/s networks.
29 * For 10 Mb/s Ethernet, a 1 MHz clock is appropriate.
30 * For 10 Gb/s Ethernet, a 1 GHz clock should be ok, but
31 * we also need to limit the resolution so that the u32 seq
32 * overlaps less than one time per MSL (2 minutes).
33 * Choosing a clock of 64 ns period is OK. (period of 274 s)
34 */
35 return seq + (ktime_to_ns(ktime_get_real()) >> 6);
36}
Stephen Boyd681090902011-12-06 08:04:40 +0000[diff] [blame]37#endif
David S. Miller6e5714e2011-08-03 20:50:44 -0700[diff] [blame]38
Eric Dumazetdfd56b82011-12-10 09:48:31 +0000[diff] [blame]39#if IS_ENABLED(CONFIG_IPV6)
Eric Dumazetcf533ea2011-10-21 05:22:42 -0400[diff] [blame]40__u32 secure_tcpv6_sequence_number(const __be32 *saddr, const __be32 *daddr,
David S. Miller6e5714e2011-08-03 20:50:44 -0700[diff] [blame]41 __be16 sport, __be16 dport)
42{
43 u32 secret[MD5_MESSAGE_BYTES / 4];
44 u32 hash[MD5_DIGEST_WORDS];
45 u32 i;
46
47 memcpy(hash, saddr, 16);
48 for (i = 0; i < 4; i++)
Eric Dumazet747465e2012-01-16 19:27:39 +0000[diff] [blame]49 secret[i] = net_secret[i] + (__force u32)daddr[i];
David S. Miller6e5714e2011-08-03 20:50:44 -0700[diff] [blame]50 secret[4] = net_secret[4] +
51 (((__force u16)sport << 16) + (__force u16)dport);
52 for (i = 5; i < MD5_MESSAGE_BYTES / 4; i++)
53 secret[i] = net_secret[i];
54
55 md5_transform(hash, secret);
56
57 return seq_scale(hash[0]);
58}
59EXPORT_SYMBOL(secure_tcpv6_sequence_number);
60
61u32 secure_ipv6_port_ephemeral(const __be32 *saddr, const __be32 *daddr,
62 __be16 dport)
63{
64 u32 secret[MD5_MESSAGE_BYTES / 4];
65 u32 hash[MD5_DIGEST_WORDS];
66 u32 i;
67
68 memcpy(hash, saddr, 16);
69 for (i = 0; i < 4; i++)
70 secret[i] = net_secret[i] + (__force u32) daddr[i];
71 secret[4] = net_secret[4] + (__force u32)dport;
72 for (i = 5; i < MD5_MESSAGE_BYTES / 4; i++)
73 secret[i] = net_secret[i];
74
75 md5_transform(hash, secret);
76
77 return hash[0];
78}
Patrick McHardy58a317f2012-08-26 19:14:12 +0200[diff] [blame]79EXPORT_SYMBOL(secure_ipv6_port_ephemeral);
David S. Miller6e5714e2011-08-03 20:50:44 -0700[diff] [blame]80#endif
81
82#ifdef CONFIG_INET
83__u32 secure_ip_id(__be32 daddr)
84{
85 u32 hash[MD5_DIGEST_WORDS];
86
87 hash[0] = (__force __u32) daddr;
88 hash[1] = net_secret[13];
89 hash[2] = net_secret[14];
90 hash[3] = net_secret[15];
91
92 md5_transform(hash, net_secret);
93
94 return hash[0];
95}
96
97__u32 secure_ipv6_id(const __be32 daddr[4])
98{
99 __u32 hash[4];
100
101 memcpy(hash, daddr, 16);
102 md5_transform(hash, net_secret);
103
104 return hash[0];
105}
106
107__u32 secure_tcp_sequence_number(__be32 saddr, __be32 daddr,
108 __be16 sport, __be16 dport)
109{
110 u32 hash[MD5_DIGEST_WORDS];
111
112 hash[0] = (__force u32)saddr;
113 hash[1] = (__force u32)daddr;
114 hash[2] = ((__force u16)sport << 16) + (__force u16)dport;
115 hash[3] = net_secret[15];
116
117 md5_transform(hash, net_secret);
118
119 return seq_scale(hash[0]);
120}
121
122u32 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport)
123{
124 u32 hash[MD5_DIGEST_WORDS];
125
126 hash[0] = (__force u32)saddr;
127 hash[1] = (__force u32)daddr;
128 hash[2] = (__force u32)dport ^ net_secret[14];
129 hash[3] = net_secret[15];
130
131 md5_transform(hash, net_secret);
132
133 return hash[0];
134}
135EXPORT_SYMBOL_GPL(secure_ipv4_port_ephemeral);
136#endif
137
Igor Maravića3bf7ae2011-12-12 02:58:22 +0000[diff] [blame]138#if IS_ENABLED(CONFIG_IP_DCCP)
David S. Miller6e5714e2011-08-03 20:50:44 -0700[diff] [blame]139u64 secure_dccp_sequence_number(__be32 saddr, __be32 daddr,
140 __be16 sport, __be16 dport)
141{
142 u32 hash[MD5_DIGEST_WORDS];
143 u64 seq;
144
145 hash[0] = (__force u32)saddr;
146 hash[1] = (__force u32)daddr;
147 hash[2] = ((__force u16)sport << 16) + (__force u16)dport;
148 hash[3] = net_secret[15];
149
150 md5_transform(hash, net_secret);
151
152 seq = hash[0] | (((u64)hash[1]) << 32);
153 seq += ktime_to_ns(ktime_get_real());
154 seq &= (1ull << 48) - 1;
155
156 return seq;
157}
158EXPORT_SYMBOL(secure_dccp_sequence_number);
159
Eric Dumazetdfd56b82011-12-10 09:48:31 +0000[diff] [blame]160#if IS_ENABLED(CONFIG_IPV6)
David S. Miller6e5714e2011-08-03 20:50:44 -0700[diff] [blame]161u64 secure_dccpv6_sequence_number(__be32 *saddr, __be32 *daddr,
162 __be16 sport, __be16 dport)
163{
164 u32 secret[MD5_MESSAGE_BYTES / 4];
165 u32 hash[MD5_DIGEST_WORDS];
166 u64 seq;
167 u32 i;
168
169 memcpy(hash, saddr, 16);
170 for (i = 0; i < 4; i++)
171 secret[i] = net_secret[i] + daddr[i];
172 secret[4] = net_secret[4] +
173 (((__force u16)sport << 16) + (__force u16)dport);
174 for (i = 5; i < MD5_MESSAGE_BYTES / 4; i++)
175 secret[i] = net_secret[i];
176
177 md5_transform(hash, secret);
178
179 seq = hash[0] | (((u64)hash[1]) << 32);
180 seq += ktime_to_ns(ktime_get_real());
181 seq &= (1ull << 48) - 1;
182
183 return seq;
184}
185EXPORT_SYMBOL(secure_dccpv6_sequence_number);
186#endif
187#endif