On Sunday 07 July 2002 07.46, Joakim Axelsson wrote:
> res = ((key->sip & 0xF0F0F0F0) >> 4) | ((key->sip & 0x0F0F0F0F) << 4);
> res *= 0x47441DFB;
> res ^= key->dip ^ key->proto;
> res ^= ((key->dport << 16) | key->sport);
> res ^= 0x57655A7D;
> res ^= (res >> 24);
> res ^= (res >> 8);
>
>
> Now someone else has to take a look at it. I dug my head into a
> corner.

Hmm...

> res ^= key->dip ^ key->proto;
> res ^= ((key->dport << 16) | key->sport);

can easily nullify itself.. here you are just xor:ing the destination 
IP with the source and destination ports, which makes a highly 
predictable hash pattern..

To always hit the same hash bucket you just need to keep the source IP 
constant, and the result of the above XOR constant..

> res ^= 0x57655A7D;
> res ^= (res >> 24);
> res ^= (res >> 8);

And this is twofold.. it both obfuscates the bits and probably makes 
it likelier an attacker can find bits that nullify each other, 
especially so if the hash size is not prime (or at a minimum odd).. 
These 5 xor statements xor quite many sources into the lower bits, 
always in the same order.. I am pretty sure you will find very 
interesting interference patterns if you unwind these xors.

Regards
Henrik
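
Added example, not part of the original thread: a review-time check of the observation above that tuples sharing the source IP and the XOR of the remaining fields all produce the same hash value. The `struct ct_key` layout, the helper names `xor_fold` and `same_hash_count`, and the sample addresses are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Field names follow the quoted snippet; the struct layout is an assumption. */
struct ct_key {
    uint32_t sip, dip;
    uint16_t sport, dport;
    uint8_t  proto;
};

/* The quoted hash, transcribed with fixed-width unsigned types. */
static uint32_t quoted_hash(const struct ct_key *key)
{
    uint32_t res;
    res = ((key->sip & 0xF0F0F0F0u) >> 4) | ((key->sip & 0x0F0F0F0Fu) << 4);
    res *= 0x47441DFBu;
    res ^= key->dip ^ key->proto;
    res ^= (((uint32_t)key->dport << 16) | key->sport);
    res ^= 0x57655A7Du;
    res ^= (res >> 24);
    res ^= (res >> 8);
    return res;
}

/* Everything except sip reaches the hash only through this 32-bit value. */
static uint32_t xor_fold(const struct ct_key *key)
{
    return key->dip ^ key->proto ^ (((uint32_t)key->dport << 16) | key->sport);
}

/* Of n distinct tuples sharing sip and xor_fold, count equal hash values. */
static unsigned same_hash_count(uint32_t sip, unsigned n)
{
    struct ct_key base = { sip, 0x0A000001u, 1024, 80, 6 }; /* constructed */
    uint32_t fold = xor_fold(&base), want = quoted_hash(&base);
    unsigned same = 0;

    for (unsigned i = 0; i < n; i++) {
        struct ct_key k = base;
        k.dip = base.dip + i;                    /* tuple differs in dip */
        uint32_t ports = fold ^ k.dip ^ k.proto; /* keeps xor_fold constant */
        k.dport = (uint16_t)(ports >> 16);
        k.sport = (uint16_t)ports;
        same += (quoted_hash(&k) == want);
    }
    return same;
}

int main(void) { printf("%u\n", same_hash_count(0xC0A80001u, 1000)); return 0; }
```

Every one of the tuples lands on one hash value regardless of the table size, which is the property a candidate hash has to fail before it is used for bucket selection.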

