diff options
| author | David Gibson <david@gibson.dropbear.id.au> | 2023-11-30 13:02:21 +1100 |
|---|---|---|
| committer | Stefano Brivio <sbrivio@redhat.com> | 2023-12-04 09:51:32 +0100 |
| commit | e21b6d69b1e65b341d6c2177258ee2b38c5f6374 (patch) | |
| tree | 497e59d20ef6a1751b0094d42425e8ad2c34e109 /passt.h | |
| parent | cf83988e967405e898f85bec3da04714b1557397 (diff) | |
| download | passt-e21b6d69b1e65b341d6c2177258ee2b38c5f6374.tar passt-e21b6d69b1e65b341d6c2177258ee2b38c5f6374.tar.gz passt-e21b6d69b1e65b341d6c2177258ee2b38c5f6374.tar.bz2 passt-e21b6d69b1e65b341d6c2177258ee2b38c5f6374.tar.lz passt-e21b6d69b1e65b341d6c2177258ee2b38c5f6374.tar.xz passt-e21b6d69b1e65b341d6c2177258ee2b38c5f6374.tar.zst passt-e21b6d69b1e65b341d6c2177258ee2b38c5f6374.zip | |
tcp: "TCP" hash secret doesn't need to be TCP specific
The TCP state structure includes a 128-bit hash_secret which we use for
SipHash calculations to mitigate attacks on the TCP hash table and initial
sequence number.
We have plans to use SipHash in places that aren't TCP related, and there's
no particular reason they'd need their own secret. So move the hash_secret
to the general context structure.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Diffstat (limited to 'passt.h')
| -rw-r--r-- | passt.h | 2 |
1 files changed, 2 insertions, 0 deletions
@@ -211,6 +211,7 @@ struct ip6_ctx { * @fd_tap: AF_UNIX socket, tuntap device, or pre-opened socket * @mac: Host MAC address * @mac_guest: MAC address of guest or namespace, seen or configured + * @hash_secret: 128-bit secret for siphash functions * @ifi4: Index of template interface for IPv4, 0 if IPv4 disabled * @ip: IPv4 configuration * @dns_search: DNS search list @@ -265,6 +266,7 @@ struct ctx { int fd_tap; unsigned char mac[ETH_ALEN]; unsigned char mac_guest[ETH_ALEN]; + uint64_t hash_secret[2]; unsigned int ifi4; struct ip4_ctx ip4; |