Re: [PATCH] Add some randomness to TCP source port selection.
From: Robert LeBlanc
Subject: Re: [PATCH] Add some randomness to TCP source port selection.
Date: Mon, 22 Aug 2022 15:53:31 -0600
Anyone willing to implement this in a better way?
Thank you,
Robert LeBlanc
----------------
Robert LeBlanc
PGP Fingerprint 79A2 9CA4 6CC4 45DD A904 C70E E654 3BB2 FA62 B9F1
On Tue, Jun 14, 2022 at 7:19 AM Robert LeBlanc <robert@leblancnet.us> wrote:
>
> Thanks.
>
> I had trouble using the clock to seed the random number generator due to some
> dependency issues. I'm not strong enough in C to figure that out with the
> limited GRUB libraries (since standard libraries are not used), so I did what
> I could to show the intended behavior. Please feel free to submit a much
> better patch as I don't have the expertise to do so.
>
> Thank you,
> Robert LeBlanc
>
> Sent from a mobile device, please excuse any typos.
>
> On Mon, Jun 6, 2022, 11:27 AM Vladimir 'phcoder' Serbinenko
> <phcoder@gmail.com> wrote:
>>
>>
>>
>> On Mon, Jun 6, 2022, 19:25, Vladimir 'phcoder' Serbinenko
>> <phcoder@gmail.com> wrote:
>>>
>>> 256 is a bad modulo. A prime would be a much better one for those purposes.
>>> Also get_time_ms counts up from an arbitrary point in time, often boot. I
>>> suggest using some combination of etc
>>
>> RTC, not etc
>>>
>>>
>>> and get_time to seed an LFSR algorithm
>>>
>>>> On Mon, Jun 6, 2022, 18:37, Robert LeBlanc <robert@leblancnet.us> wrote:
>>>>
>>>> GRUB uses a static source TCP port and increments for each new
>>>> connection. When rapidly restarting GRUB this can cause issues with some
>>>> firewalls that suspect that a replay attack is happening. In addition
>>>> GRUB does not ACK the last FIN,ACK when booting the kernel and initrd
>>>> from HTTP for example. This causes the remote HTTP server to keep the TCP
>>>> session in TIME_WAIT and reject new connections from the same port
>>>> combination when restarted quickly. This helps to work around both
>>>> problems by shifting the source port by a small amount based on time.
>>>>
>>>> The missing final ACK should also be addressed, but I'm not sure how to
>>>> resolve that.
>>>>
>>>> Signed-off-by: Robert LeBlanc <robert@leblancnet.us>
>>>> ---
>>>> grub-core/net/tcp.c | 4 ++--
>>>> 1 file changed, 2 insertions(+), 2 deletions(-)
>>>>
>>>> diff --git a/grub-core/net/tcp.c b/grub-core/net/tcp.c
>>>> index 93dee0caa..2eefd3168 100644
>>>> --- a/grub-core/net/tcp.c
>>>> +++ b/grub-core/net/tcp.c
>>>> @@ -569,7 +569,7 @@ grub_net_tcp_open (char *server,
>>>> struct grub_net_network_level_interface *inf;
>>>> grub_net_network_level_address_t gateway;
>>>> grub_net_tcp_socket_t socket;
>>>> - static grub_uint16_t in_port = 21550;
>>>> + grub_uint16_t in_port = 21550 + grub_get_time_ms () % 256;
>>>> struct grub_net_buff *nb;
>>>> struct tcphdr *tcph;
>>>> int i;
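Review bot: dropping `static` from `in_port` and replacing the counter with `21550 + grub_get_time_ms () % 256` loses the per-connection uniqueness the old counter provided: every call to grub_net_tcp_open that lands in the same millisecond (or any two calls whose timestamps differ by a multiple of 256 ms) computes the same source port, so a second connection can be given the port of a socket that is still open locally. The 256-value window also covers only ports 21550..21805, and because get_time_ms typically starts counting at boot, a fast restart lands in that same small set again, which is exactly the TIME_WAIT collision the patch is meant to avoid. Suggest keeping `static grub_uint16_t in_port` as the counter, seeding it once per boot from a wider source (RTC plus uptime fed into an LFSR and reduced with a prime modulus over a larger range, as the reply suggests), and continuing to increment it per connection.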
>>>> @@ -603,7 +603,7 @@ grub_net_tcp_open (char *server,
>>>> socket->inf = inf;
>>>> socket->out_nla = addr;
>>>> socket->ll_target_addr = ll_target_addr;
>>>> - socket->in_port = in_port++;
>>>> + socket->in_port = in_port;
>>>> socket->recv_hook = recv_hook;
>>>> socket->error_hook = error_hook;
>>>> socket->fin_hook = fin_hook;
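Review bot: `socket->in_port = in_port;` removes the post-increment that previously guaranteed two sockets opened during one boot never shared a source port; together with the non-static `in_port` in the first hunk, uniqueness now depends entirely on the millisecond clock having advanced between calls. Keep `socket->in_port = in_port++;` so the time-based value only sets the starting point of the counter and each connection still receives a fresh port.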
>>>> --
>>>> 2.35.1
>>>>
>>>>
>>>> _______________________________________________
>>>> Grub-devel mailing list
>>>> Grub-devel@gnu.org
>>>> https://lists.gnu.org/mailman/listinfo/grub-devel
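As an added illustration of the alternative phcoder sketches in the thread (seed an LFSR from the RTC plus uptime and reduce with a prime modulus instead of 256), here is a stand-alone C example. It is not GRUB code and not part of the patch: the names port_rng, port_rng_seed, port_rng_next and pick_source_port are hypothetical, the two clock values are passed in by the caller rather than read from hardware (in GRUB they would come from the RTC driver and grub_get_time_ms ()), and the seeds used in main are constructed sample values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper (not GRUB's): a 16-bit Galois LFSR with the
 * maximal-length tap mask 0xB400 (x^16 + x^14 + x^13 + x^11 + 1), which
 * visits all 65535 non-zero states before repeating. */
struct port_rng {
    uint16_t state;
};

/* Seed from two clocks: wall-clock seconds from the RTC, which differ
 * between boots, and milliseconds since boot, which differ within a boot.
 * Both are supplied by the caller. */
static void port_rng_seed(struct port_rng *r, uint64_t rtc_seconds, uint64_t uptime_ms)
{
    /* Multiply by large odd constants so that a small change in either
     * input spreads across all bits before truncation to 16 bits. */
    uint64_t mix = (rtc_seconds * 0x9E3779B97F4A7C15ULL) ^ (uptime_ms * 0xBF58476D1CE4E5B9ULL);
    mix ^= mix >> 32;
    mix ^= mix >> 16;
    r->state = (uint16_t) mix;
    if (r->state == 0)
        r->state = 0xACE1;   /* an all-zero LFSR state would stay zero forever */
}

/* Advance the LFSR one step and return the new state (always non-zero). */
static uint16_t port_rng_next(struct port_rng *r)
{
    uint16_t lsb = r->state & 1u;
    r->state >>= 1;
    if (lsb)
        r->state ^= 0xB400u;
    return r->state;
}

/* Candidates come from the IANA dynamic range 49152..65535.  The modulus
 * is a prime (16381), as suggested in the thread, so the reduction does
 * not simply discard the high LFSR bits the way a power of two would;
 * 49152 + 16380 = 65532 still fits in 16 bits. */
#define PORT_BASE         49152u
#define PORT_RANGE        16381u
#define PORT_MAX_ATTEMPTS 64

/* Pick a source port that is not in the caller's list of ports still held
 * by open sockets.  Returns 0 if no free port was found within the attempt
 * budget, so the caller can report an error instead of reusing a port. */
static uint16_t pick_source_port(struct port_rng *r, const uint16_t *in_use, size_t n_in_use)
{
    for (int attempt = 0; attempt < PORT_MAX_ATTEMPTS; attempt++) {
        uint16_t candidate = (uint16_t) (PORT_BASE + port_rng_next(r) % PORT_RANGE);
        int busy = 0;
        for (size_t i = 0; i < n_in_use; i++) {
            if (in_use[i] == candidate) {
                busy = 1;
                break;
            }
        }
        if (!busy)
            return candidate;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample clock values, not readings from real hardware. */
    struct port_rng rng;
    port_rng_seed(&rng, 1661205211ULL, 4200ULL);

    /* Open four "connections" back to back, as GRUB does when fetching a
     * kernel and initrd over HTTP, keeping every port that is still held. */
    uint16_t open_ports[4];
    size_t n_open = 0;
    for (int i = 0; i < 4; i++) {
        uint16_t p = pick_source_port(&rng, open_ports, n_open);
        open_ports[n_open++] = p;
        printf("connection %d: source port %u\n", i, p);
    }
    return 0;
}
```

Two properties matter here. Per-connection uniqueness comes from stepping the LFSR and checking the in-use list, not from the clock, so connections opened within the same millisecond still get distinct ports; and mixing the RTC into the seed means a fast reboot starts from a different point in the sequence rather than the same 256-port window. An LFSR stream is easy to reconstruct from a few observed ports, so this addresses the firewall and TIME_WAIT collisions described in the patch but does not make the ports unpredictable to an observer; port selection intended to resist off-path guessing is the subject of RFC 6056 and uses a keyed hash instead.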