ipv6: make fragment identifications less predictable

IPv6 fragment identification generation is way beyond what we use for IPv4 : It uses a single generator. Its not scalable and allows DOS attacks. Now inetpeer is IPv6 aware, we can use it to provide a more secure and scalable frag ident generator (per destination, instead of system wide) This patch : 1) defines a new secure_ipv6_id() helper 2) extends inet_getid() to provide 32bit results 3) extends ipv6_select_ident() with a new dest parameter Reported-by: Fernando Gont <fernando@gont.com.ar> Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>

ipv6: make fragment identifications less predictable
IPv6 fragment identification generation is way beyond what we use for IPv4 : It uses a single generator. Its not scalable and allows DOS attacks. Now inetpeer is IPv6 aware, we can use it to provide a more secure and scalable frag ident generator (per destination, instead of system wide) This patch : 1) defines a new secure_ipv6_id() helper 2) extends inet_getid() to provide 32bit results 3) extends ipv6_select_ident() with a new dest parameter Reported-by: Fernando Gont <fernando@gont.com.ar> Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Eric Dumazet · David S. Miller · Eric Lee
1 parent 21efcfa0ff
Showing 7 changed files with 64 additions and 22 deletions Side-by-side Diff
drivers/char/random.c
include/linux/random.h
include/net/inetpeer.h
include/net/ipv6.h
net/ipv4/inetpeer.c
net/ipv6/ip6_output.c
net/ipv6/udp.c
@@ -1523,6 +1523,21 @@
 	return half_md4_transform(hash, keyptr->secret);
 }
  
+__u32 secure_ipv6_id(const __be32 daddr[4])
+{
+	const struct keydata *keyptr;
+	__u32 hash[4];
+
+	keyptr = get_keyptr();
+
+	hash[0] = (__force __u32)daddr[0];
+	hash[1] = (__force __u32)daddr[1];
+	hash[2] = (__force __u32)daddr[2];
+	hash[3] = (__force __u32)daddr[3];
+
+	return half_md4_transform(hash, keyptr->secret);
+}
+
 #ifdef CONFIG_INET
  
 __u32 secure_tcp_sequence_number(__be32 saddr, __be32 daddr,
@@ -58,6 +58,7 @@
 void generate_random_uuid(unsigned char uuid_out[16]);
  
 extern __u32 secure_ip_id(__be32 daddr);
+extern __u32 secure_ipv6_id(const __be32 daddr[4]);
 extern u32 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport);
 extern u32 secure_ipv6_port_ephemeral(const __be32 *saddr, const __be32 *daddr,
 				      __be16 dport);
@@ -71,7 +71,7 @@
 }
  
 /* can be called with or without local BH being disabled */
-struct inet_peer	*inet_getpeer(struct inetpeer_addr *daddr, int create);
+struct inet_peer	*inet_getpeer(const struct inetpeer_addr *daddr, int create);
  
 static inline struct inet_peer *inet_getpeer_v4(__be32 v4daddr, int create)
 {
  
  
@@ -106,11 +106,18 @@
  
  
 /* can be called with or without local BH being disabled */
-static inline __u16	inet_getid(struct inet_peer *p, int more)
+static inline int inet_getid(struct inet_peer *p, int more)
 {
+	int old, new;
 	more++;
 	inet_peer_refcheck(p);
-	return atomic_add_return(more, &p->ip_id_count) - more;
+	do {
+		old = atomic_read(&p->ip_id_count);
+		new = old + more;
+		if (!new)
+			new = 1;
+	} while (atomic_cmpxchg(&p->ip_id_count, old, new) != old);
+	return new;
 }
  
 #endif /* _NET_INETPEER_H */
@@ -463,17 +463,7 @@
 	return __ipv6_addr_diff(a1, a2, sizeof(struct in6_addr));
 }
  
-static __inline__ void ipv6_select_ident(struct frag_hdr *fhdr)
-{
-	static u32 ipv6_fragmentation_id = 1;
-	static DEFINE_SPINLOCK(ip6_id_lock);
-
-	spin_lock_bh(&ip6_id_lock);
-	fhdr->identification = htonl(ipv6_fragmentation_id);
-	if (++ipv6_fragmentation_id == 0)
-		ipv6_fragmentation_id = 1;
-	spin_unlock_bh(&ip6_id_lock);
-}
+extern void ipv6_select_ident(struct frag_hdr *fhdr, struct rt6_info *rt);
  
 /*
  *	Prototypes exported by ipv6
@@ -391,7 +391,7 @@
 	return cnt;
 }
  
-struct inet_peer *inet_getpeer(struct inetpeer_addr *daddr, int create)
+struct inet_peer *inet_getpeer(const struct inetpeer_addr *daddr, int create)
 {
 	struct inet_peer __rcu **stack[PEER_MAXDEPTH], ***stackptr;
 	struct inet_peer_base *base = family_to_base(daddr->family);
@@ -436,7 +436,10 @@
 		p->daddr = *daddr;
 		atomic_set(&p->refcnt, 1);
 		atomic_set(&p->rid, 0);
-		atomic_set(&p->ip_id_count, secure_ip_id(daddr->addr.a4));
+		atomic_set(&p->ip_id_count,
+				(daddr->family == AF_INET) ?
+					secure_ip_id(daddr->addr.a4) :
+					secure_ipv6_id(daddr->addr.a6));
 		p->tcp_ts_stamp = 0;
 		p->metrics[RTAX_LOCK-1] = INETPEER_METRICS_NEW;
 		p->rate_tokens = 0;
@@ -596,6 +596,31 @@
 	return offset;
 }
  
+void ipv6_select_ident(struct frag_hdr *fhdr, struct rt6_info *rt)
+{
+	static atomic_t ipv6_fragmentation_id;
+	int old, new;
+
+	if (rt) {
+		struct inet_peer *peer;
+
+		if (!rt->rt6i_peer)
+			rt6_bind_peer(rt, 1);
+		peer = rt->rt6i_peer;
+		if (peer) {
+			fhdr->identification = htonl(inet_getid(peer, 0));
+			return;
+		}
+	}
+	do {
+		old = atomic_read(&ipv6_fragmentation_id);
+		new = old + 1;
+		if (!new)
+			new = 1;
+	} while (atomic_cmpxchg(&ipv6_fragmentation_id, old, new) != old);
+	fhdr->identification = htonl(new);
+}
+
 int ip6_fragment(struct sk_buff *skb, int (*output)(struct sk_buff *))
 {
 	struct sk_buff *frag;
@@ -680,7 +705,7 @@
 		skb_reset_network_header(skb);
 		memcpy(skb_network_header(skb), tmp_hdr, hlen);
  
-		ipv6_select_ident(fh);
+		ipv6_select_ident(fh, rt);
 		fh->nexthdr = nexthdr;
 		fh->reserved = 0;
 		fh->frag_off = htons(IP6_MF);
@@ -826,7 +851,7 @@
 		fh->nexthdr = nexthdr;
 		fh->reserved = 0;
 		if (!frag_id) {
-			ipv6_select_ident(fh);
+			ipv6_select_ident(fh, rt);
 			frag_id = fh->identification;
 		} else
 			fh->identification = frag_id;
@@ -1076,7 +1101,8 @@
 			int getfrag(void *from, char *to, int offset, int len,
 			int odd, struct sk_buff *skb),
 			void *from, int length, int hh_len, int fragheaderlen,
-			int transhdrlen, int mtu,unsigned int flags)
+			int transhdrlen, int mtu,unsigned int flags,
+			struct rt6_info *rt)
  
 {
 	struct sk_buff *skb;
@@ -1120,7 +1146,7 @@
 		skb_shinfo(skb)->gso_size = (mtu - fragheaderlen -
 					     sizeof(struct frag_hdr)) & ~7;
 		skb_shinfo(skb)->gso_type = SKB_GSO_UDP;
-		ipv6_select_ident(&fhdr);
+		ipv6_select_ident(&fhdr, rt);
 		skb_shinfo(skb)->ip6_frag_id = fhdr.identification;
 		__skb_queue_tail(&sk->sk_write_queue, skb);
  
@@ -1286,7 +1312,7 @@
  
 			err = ip6_ufo_append_data(sk, getfrag, from, length,
 						  hh_len, fragheaderlen,
-						  transhdrlen, mtu, flags);
+						  transhdrlen, mtu, flags, rt);
 			if (err)
 				goto error;
 			return 0;
@@ -1359,7 +1359,7 @@
 	fptr = (struct frag_hdr *)(skb_network_header(skb) + unfrag_ip6hlen);
 	fptr->nexthdr = nexthdr;
 	fptr->reserved = 0;
-	ipv6_select_ident(fptr);
+	ipv6_select_ident(fptr, (struct rt6_info *)skb_dst(skb));
  
 	/* Fragment the skb. ipv6 header and the remaining fields of the
 	 * fragment header are updated in ipv6_gso_segment()
...	...	@@ -1523,6 +1523,21 @@
1523	1523	return half_md4_transform(hash, keyptr->secret);
1524	1524	}
1525	1525
	1526	+__u32 secure_ipv6_id(const __be32 daddr[4])
	1527	+{
	1528	+ const struct keydata *keyptr;
	1529	+ __u32 hash[4];
	1530	+
	1531	+ keyptr = get_keyptr();
	1532	+
	1533	+ hash[0] = (__force __u32)daddr[0];
	1534	+ hash[1] = (__force __u32)daddr[1];
	1535	+ hash[2] = (__force __u32)daddr[2];
	1536	+ hash[3] = (__force __u32)daddr[3];
	1537	+
	1538	+ return half_md4_transform(hash, keyptr->secret);
	1539	+}
	1540	+
1526	1541	#ifdef CONFIG_INET
1527	1542
1528	1543	__u32 secure_tcp_sequence_number(__be32 saddr, __be32 daddr,
...	...	@@ -58,6 +58,7 @@
58	58	void generate_random_uuid(unsigned char uuid_out[16]);
59	59
60	60	extern __u32 secure_ip_id(__be32 daddr);
	61	+extern __u32 secure_ipv6_id(const __be32 daddr[4]);
61	62	extern u32 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport);
62	63	extern u32 secure_ipv6_port_ephemeral(const __be32 saddr, const __be32 daddr,
63	64	__be16 dport);
...	...	@@ -71,7 +71,7 @@
71	71	}
72	72
73	73	/* can be called with or without local BH being disabled */
74		-struct inet_peer inet_getpeer(struct inetpeer_addr daddr, int create);
	74	+struct inet_peer inet_getpeer(const struct inetpeer_addr daddr, int create);
75	75
76	76	static inline struct inet_peer *inet_getpeer_v4(__be32 v4daddr, int create)
77	77	{
78	78
79	79
...	...	@@ -106,11 +106,18 @@
106	106
107	107
108	108	/* can be called with or without local BH being disabled */
109		-static inline __u16 inet_getid(struct inet_peer *p, int more)
	109	+static inline int inet_getid(struct inet_peer *p, int more)
110	110	{
	111	+ int old, new;
111	112	more++;
112	113	inet_peer_refcheck(p);
113		- return atomic_add_return(more, &p->ip_id_count) - more;
	114	+ do {
	115	+ old = atomic_read(&p->ip_id_count);
	116	+ new = old + more;
	117	+ if (!new)
	118	+ new = 1;
	119	+ } while (atomic_cmpxchg(&p->ip_id_count, old, new) != old);
	120	+ return new;
114	121	}
115	122
116	123	#endif /* _NET_INETPEER_H */
...	...	@@ -463,17 +463,7 @@
463	463	return __ipv6_addr_diff(a1, a2, sizeof(struct in6_addr));
464	464	}
465	465
466		-static __inline__ void ipv6_select_ident(struct frag_hdr *fhdr)
467		-{
468		- static u32 ipv6_fragmentation_id = 1;
469		- static DEFINE_SPINLOCK(ip6_id_lock);
470		-
471		- spin_lock_bh(&ip6_id_lock);
472		- fhdr->identification = htonl(ipv6_fragmentation_id);
473		- if (++ipv6_fragmentation_id == 0)
474		- ipv6_fragmentation_id = 1;
475		- spin_unlock_bh(&ip6_id_lock);
476		-}
	466	+extern void ipv6_select_ident(struct frag_hdr fhdr, struct rt6_info rt);
477	467
478	468	/*
479	469	* Prototypes exported by ipv6
...	...	@@ -391,7 +391,7 @@
391	391	return cnt;
392	392	}
393	393
394		-struct inet_peer inet_getpeer(struct inetpeer_addr daddr, int create)
	394	+struct inet_peer inet_getpeer(const struct inetpeer_addr daddr, int create)
395	395	{
396	396	struct inet_peer __rcu stack[PEER_MAXDEPTH], *stackptr;
397	397	struct inet_peer_base *base = family_to_base(daddr->family);
...	...	@@ -436,7 +436,10 @@
436	436	p->daddr = *daddr;
437	437	atomic_set(&p->refcnt, 1);
438	438	atomic_set(&p->rid, 0);
439		- atomic_set(&p->ip_id_count, secure_ip_id(daddr->addr.a4));
	439	+ atomic_set(&p->ip_id_count,
	440	+ (daddr->family == AF_INET) ?
	441	+ secure_ip_id(daddr->addr.a4) :
	442	+ secure_ipv6_id(daddr->addr.a6));
440	443	p->tcp_ts_stamp = 0;
441	444	p->metrics[RTAX_LOCK-1] = INETPEER_METRICS_NEW;
442	445	p->rate_tokens = 0;
...	...	@@ -596,6 +596,31 @@
596	596	return offset;
597	597	}
598	598
	599	+void ipv6_select_ident(struct frag_hdr fhdr, struct rt6_info rt)
	600	+{
	601	+ static atomic_t ipv6_fragmentation_id;
	602	+ int old, new;
	603	+
	604	+ if (rt) {
	605	+ struct inet_peer *peer;
	606	+
	607	+ if (!rt->rt6i_peer)
	608	+ rt6_bind_peer(rt, 1);
	609	+ peer = rt->rt6i_peer;
	610	+ if (peer) {
	611	+ fhdr->identification = htonl(inet_getid(peer, 0));
	612	+ return;
	613	+ }
	614	+ }
	615	+ do {
	616	+ old = atomic_read(&ipv6_fragmentation_id);
	617	+ new = old + 1;
	618	+ if (!new)
	619	+ new = 1;
	620	+ } while (atomic_cmpxchg(&ipv6_fragmentation_id, old, new) != old);
	621	+ fhdr->identification = htonl(new);
	622	+}
	623	+
599	624	int ip6_fragment(struct sk_buff skb, int (output)(struct sk_buff *))
600	625	{
601	626	struct sk_buff *frag;
...	...	@@ -680,7 +705,7 @@
680	705	skb_reset_network_header(skb);
681	706	memcpy(skb_network_header(skb), tmp_hdr, hlen);
682	707
683		- ipv6_select_ident(fh);
	708	+ ipv6_select_ident(fh, rt);
684	709	fh->nexthdr = nexthdr;
685	710	fh->reserved = 0;
686	711	fh->frag_off = htons(IP6_MF);
...	...	@@ -826,7 +851,7 @@
826	851	fh->nexthdr = nexthdr;
827	852	fh->reserved = 0;
828	853	if (!frag_id) {
829		- ipv6_select_ident(fh);
	854	+ ipv6_select_ident(fh, rt);
830	855	frag_id = fh->identification;
831	856	} else
832	857	fh->identification = frag_id;
...	...	@@ -1076,7 +1101,8 @@
1076	1101	int getfrag(void from, char to, int offset, int len,
1077	1102	int odd, struct sk_buff *skb),
1078	1103	void *from, int length, int hh_len, int fragheaderlen,
1079		- int transhdrlen, int mtu,unsigned int flags)
	1104	+ int transhdrlen, int mtu,unsigned int flags,
	1105	+ struct rt6_info *rt)
1080	1106
1081	1107	{
1082	1108	struct sk_buff *skb;
...	...	@@ -1120,7 +1146,7 @@
1120	1146	skb_shinfo(skb)->gso_size = (mtu - fragheaderlen -
1121	1147	sizeof(struct frag_hdr)) & ~7;
1122	1148	skb_shinfo(skb)->gso_type = SKB_GSO_UDP;
1123		- ipv6_select_ident(&fhdr);
	1149	+ ipv6_select_ident(&fhdr, rt);
1124	1150	skb_shinfo(skb)->ip6_frag_id = fhdr.identification;
1125	1151	__skb_queue_tail(&sk->sk_write_queue, skb);
1126	1152
...	...	@@ -1286,7 +1312,7 @@
1286	1312
1287	1313	err = ip6_ufo_append_data(sk, getfrag, from, length,
1288	1314	hh_len, fragheaderlen,
1289		- transhdrlen, mtu, flags);
	1315	+ transhdrlen, mtu, flags, rt);
1290	1316	if (err)
1291	1317	goto error;
1292	1318	return 0;
...	...	@@ -1359,7 +1359,7 @@
1359	1359	fptr = (struct frag_hdr *)(skb_network_header(skb) + unfrag_ip6hlen);
1360	1360	fptr->nexthdr = nexthdr;
1361	1361	fptr->reserved = 0;
1362		- ipv6_select_ident(fptr);
	1362	+ ipv6_select_ident(fptr, (struct rt6_info *)skb_dst(skb));
1363	1363
1364	1364	/* Fragment the skb. ipv6 header and the remaining fields of the
1365	1365	* fragment header are updated in ipv6_gso_segment()