"Jason A. Donenfeld" <Jason@xxxxxxxxx> writes:
> BLAKE2s is faster and more secure. SHA-1 has been broken for a long time
> now. This also removes some code complexity, and lets us potentially
> remove sha1 from lib, which would further reduce vmlinux size.
So this one is a bit less obvious than the BPF case: the "stable address
generation" is supposed to result in generating addresses that are,
well, stable. The documentation for the stable_secret sysctl implies
that this should be for the lifetime of the system:
It is recommended to generate this secret during installation
of a system and keep it stable after that.
However, if we make this change, systems setting a stable_secret and
using addr_gen_mode 2 or 3 will come up with a completely different
address after a kernel upgrade. Which would be bad for any operator
expecting to be able to find their machine again after a reboot,
especially if it is accessed remotely.
I haven't ever used this feature myself, though, or seen it in use. So I
don't know if this is purely a theoretical concern, or if the
stable_address feature is actually used in this way in practice. If it
is, I guess the switch would have to be opt-in, which kinda defeats the
purpose, no (i.e., we'd have to keep the SHA1 code around)?
Adding some of the people involved in the original work on stable
address generation in the hope that they can shed some light on the
real-world uses for this feature.
-Toke
> Cc: Geert Uytterhoeven <geert@xxxxxxxxxxxxxx>
> Cc: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
> Cc: Ard Biesheuvel <ardb@xxxxxxxxxx>
> Cc: Jean-Philippe Aumasson <jeanphilippe.aumasson@xxxxxxxxx>
> Cc: linux-crypto@xxxxxxxxxxxxxxx
> Signed-off-by: Jason A. Donenfeld <Jason@xxxxxxxxx>
> ---
> net/ipv6/addrconf.c | 31 +++++++++----------------------
> 1 file changed, 9 insertions(+), 22 deletions(-)
>
> diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
> index 3445f8017430..f5cb534aa261 100644
> --- a/net/ipv6/addrconf.c
> +++ b/net/ipv6/addrconf.c
> @@ -61,7 +61,7 @@
> #include <linux/delay.h>
> #include <linux/notifier.h>
> #include <linux/string.h>
> -#include <linux/hash.h>
> +#include <crypto/blake2s.h>
>
> #include <net/net_namespace.h>
> #include <net/sock.h>
> @@ -3225,25 +3225,16 @@ static int ipv6_generate_stable_address(struct in6_addr *address,
> const struct inet6_dev *idev)
> {
> static DEFINE_SPINLOCK(lock);
> - static __u32 digest[SHA1_DIGEST_WORDS];
> - static __u32 workspace[SHA1_WORKSPACE_WORDS];
> -
> - static union {
> - char __data[SHA1_BLOCK_SIZE];
> - struct {
> - struct in6_addr secret;
> - __be32 prefix[2];
> - unsigned char hwaddr[MAX_ADDR_LEN];
> - u8 dad_count;
> - } __packed;
> - } data;
> -
> + struct {
> + struct in6_addr secret;
> + __be32 prefix[2];
> + unsigned char hwaddr[MAX_ADDR_LEN];
> + u8 dad_count;
> + } __packed data;
> struct in6_addr secret;
> struct in6_addr temp;
> struct net *net = dev_net(idev->dev);
>
> - BUILD_BUG_ON(sizeof(data.__data) != sizeof(data));
> -
> if (idev->cnf.stable_secret.initialized)
> secret = idev->cnf.stable_secret.secret;
> else if (net->ipv6.devconf_dflt->stable_secret.initialized)
> @@ -3254,20 +3245,16 @@ static int ipv6_generate_stable_address(struct in6_addr *address,
> retry:
> spin_lock_bh(&lock);
>
> - sha1_init(digest);
> memset(&data, 0, sizeof(data));
> - memset(workspace, 0, sizeof(workspace));
> memcpy(data.hwaddr, idev->dev->perm_addr, idev->dev->addr_len);
> data.prefix[0] = address->s6_addr32[0];
> data.prefix[1] = address->s6_addr32[1];
> data.secret = secret;
> data.dad_count = dad_count;
>
> - sha1_transform(digest, data.__data, workspace);
> -
> temp = *address;
> - temp.s6_addr32[2] = (__force __be32)digest[0];
> - temp.s6_addr32[3] = (__force __be32)digest[1];
> + blake2s((u8 *)&temp.s6_addr32[2], (u8 *)&data, NULL,
> + sizeof(temp.s6_addr32[2]) * 2, sizeof(data), 0);
>
> spin_unlock_bh(&lock);
>
> --
> 2.34.1
