From: bluhm Date: Fri, 14 Sep 2018 12:55:17 +0000 (+0000) Subject: In general it is a bad idea to use one random secret for two things. X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=1d4d3d772b21a748fbc3855d9e7a497e8e9b850c;p=openbsd In general it is a bad idea to use one random secret for two things. The inet PCB uses one hash with local and foreign addresses, and one with local port numbers. Give both hashes separate keys. Also document the struct fields. OK visa@ --- diff --git a/sys/netinet/in_pcb.c b/sys/netinet/in_pcb.c index 346c93534f9..02a1e883095 100644 --- a/sys/netinet/in_pcb.c +++ b/sys/netinet/in_pcb.c @@ -1,4 +1,4 @@ -/* $OpenBSD: in_pcb.c,v 1.244 2018/09/13 19:53:58 bluhm Exp $ */ +/* $OpenBSD: in_pcb.c,v 1.245 2018/09/14 12:55:17 bluhm Exp $ */ /* $NetBSD: in_pcb.c,v 1.25 1996/02/13 23:41:53 christos Exp $ */ /* @@ -148,7 +148,7 @@ in_pcblhash(struct inpcbtable *table, int rdom, u_short lport) SIPHASH_CTX ctx; u_int32_t nrdom = htonl(rdom); - SipHash24_Init(&ctx, &table->inpt_key); + SipHash24_Init(&ctx, &table->inpt_lkey); SipHash24_Update(&ctx, &nrdom, sizeof(nrdom)); SipHash24_Update(&ctx, &lport, sizeof(lport)); @@ -171,6 +171,7 @@ in_pcbinit(struct inpcbtable *table, int hashsize) table->inpt_count = 0; table->inpt_size = hashsize; arc4random_buf(&table->inpt_key, sizeof(table->inpt_key)); + arc4random_buf(&table->inpt_lkey, sizeof(table->inpt_lkey)); } /* @@ -999,6 +1000,7 @@ in_pcbresize(struct inpcbtable *table, int hashsize) table->inpt_lmask = nlmask; table->inpt_size = hashsize; arc4random_buf(&table->inpt_key, sizeof(table->inpt_key)); + arc4random_buf(&table->inpt_lkey, sizeof(table->inpt_lkey)); TAILQ_FOREACH(inp, &table->inpt_queue, inp_queue) { in_pcbrehash(inp); diff --git a/sys/netinet/in_pcb.h b/sys/netinet/in_pcb.h index 984adb47a83..8b90762d50e 100644 --- a/sys/netinet/in_pcb.h +++ b/sys/netinet/in_pcb.h @@ -1,4 +1,4 @@ -/* $OpenBSD: in_pcb.h,v 1.112 2018/09/14 07:25:02 jsg Exp $ */ +/* $OpenBSD: in_pcb.h,v 1.113 2018/09/14 12:55:17 bluhm Exp $ */ /* $NetBSD: in_pcb.h,v 1.14 1996/02/13 23:42:00 christos Exp $ */ /* @@ -91,10 +91,10 @@ union inpaddru { * control block. */ struct inpcb { - LIST_ENTRY(inpcb) inp_hash; - LIST_ENTRY(inpcb) inp_lhash; /* extra hash for lport */ - TAILQ_ENTRY(inpcb) inp_queue; - struct inpcbtable *inp_table; + LIST_ENTRY(inpcb) inp_hash; /* local and foreign hash */ + LIST_ENTRY(inpcb) inp_lhash; /* local port hash */ + TAILQ_ENTRY(inpcb) inp_queue; /* inet PCB queue */ + struct inpcbtable *inp_table; /* inet queue/hash table */ union inpaddru inp_faddru; /* Foreign address. */ union inpaddru inp_laddru; /* Local address. */ #define inp_faddr inp_faddru.iau_a4u.inaddr @@ -150,11 +150,12 @@ struct inpcb { LIST_HEAD(inpcbhead, inpcb); struct inpcbtable { - TAILQ_HEAD(inpthead, inpcb) inpt_queue; - struct inpcbhead *inpt_hashtbl, *inpt_lhashtbl; - SIPHASH_KEY inpt_key; - u_long inpt_mask, inpt_lmask; - int inpt_count, inpt_size; + TAILQ_HEAD(inpthead, inpcb) inpt_queue; /* inet PCB queue */ + struct inpcbhead *inpt_hashtbl; /* local and foreign hash */ + struct inpcbhead *inpt_lhashtbl; /* local port hash */ + SIPHASH_KEY inpt_key, inpt_lkey; /* secrets for hashes */ + u_long inpt_mask, inpt_lmask; /* hash masks */ + int inpt_count, inpt_size; /* queue count, hash size */ }; /* flags in inp_flags: */