Anyone willing to implement this in a better way? Thank you, Robert LeBlanc ---------------- Robert LeBlanc PGP Fingerprint 79A2 9CA4 6CC4 45DD A904 C70E E654 3BB2 FA62 B9F1
---------------- Robert LeBlanc PGP Fingerprint 79A2 9CA4 6CC4 45DD A904 C70E E654 3BB2 FA62 B9F1 On Tue, Jun 14, 2022 at 7:19 AM Robert LeBlanc <rob...@leblancnet.us> wrote: > > Thanks. > > I had trouble using the clock to seed the random number generator due to some > dependency issues. I'm not strong enough in C to figure that out with the > limited GRUB libraries (since standard libraries are not used), so I did what > I could to show the intended behavior. Please feel free to submit a much > better patch as I don't have the expertise to do so. > > Thank you, > Robert LeBlanc > > Sent from a mobile device, please excuse any typos. > > On Mon, Jun 6, 2022, 11:27 AM Vladimir 'phcoder' Serbinenko > <phco...@gmail.com> wrote: >> >> >> >> Le lun. 6 juin 2022, 19:25, Vladimir 'phcoder' Serbinenko >> <phco...@gmail.com> a écrit : >>> >>> 256 is a bad modulo. A prime would be a much better one for those purposes. >>> Also get_time_ms counts up from arbitrary point in time, often boot. I >>> suggest using some combination of etc >> >> RTC, not etc >>> >>> >>> and get_time to seed an LFSR algorithm >>> >>> Le lun. 6 juin 2022, 18:37, Robert LeBlanc <rob...@leblancnet.us> a écrit : >>>> >>>> GRUB uses a static source TCP port and increments for each new >>>> connection. When rapidly restarting GRUB this can cause issues with some >>>> firewalls that suspect that a reply attack is happening. In addition >>>> GRUB does not ACK the last FIN,ACK when booting the kernel and initrd >>>> from HTTP for example. This cause the remote HTTP server to keep the TCP >>>> session in TIME_WAIT and reject new connections from the same port >>>> combination when restarted quickly. This helps to work around both >>>> problems by shifting the source port by a small amount based on time. >>>> >>>> The missing final ACK should also be addressed, but I'm not sure how to >>>> resolve that. >>>> >>>> Signed-off-by: Robert LeBlanc <rob...@leblancnet.us> >>>> --- >>>> grub-core/net/tcp.c | 4 ++-- >>>> 1 file changed, 2 insertions(+), 2 deletions(-) >>>> >>>> diff --git a/grub-core/net/tcp.c b/grub-core/net/tcp.c >>>> index 93dee0caa..2eefd3168 100644 >>>> --- a/grub-core/net/tcp.c >>>> +++ b/grub-core/net/tcp.c >>>> @@ -569,7 +569,7 @@ grub_net_tcp_open (char *server, >>>> struct grub_net_network_level_interface *inf; >>>> grub_net_network_level_address_t gateway; >>>> grub_net_tcp_socket_t socket; >>>> - static grub_uint16_t in_port = 21550; >>>> + grub_uint16_t in_port = 21550 + grub_get_time_ms () % 256; >>>> struct grub_net_buff *nb; >>>> struct tcphdr *tcph; >>>> int i; >>>> @@ -603,7 +603,7 @@ grub_net_tcp_open (char *server, >>>> socket->inf = inf; >>>> socket->out_nla = addr; >>>> socket->ll_target_addr = ll_target_addr; >>>> - socket->in_port = in_port++; >>>> + socket->in_port = in_port; >>>> socket->recv_hook = recv_hook; >>>> socket->error_hook = error_hook; >>>> socket->fin_hook = fin_hook; >>>> -- >>>> 2.35.1 >>>> >>>> >>>> _______________________________________________ >>>> Grub-devel mailing list >>>> Grub-devel@gnu.org >>>> https://lists.gnu.org/mailman/listinfo/grub-devel >> >> _______________________________________________ >> Grub-devel mailing list >> Grub-devel@gnu.org >> https://lists.gnu.org/mailman/listinfo/grub-devel _______________________________________________ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel