Remove some ISN generation code which has been unused since the
syncache went in. MFC after: 3 days
parent
8e0ca659ca
commit
c7389be7ba
@ -343,7 +343,6 @@ tcp_input(m, off0)
|
||||
register int thflags;
|
||||
struct socket *so = 0;
|
||||
int todrop, acked, ourfinisacked, needoutput = 0;
|
||||
int iss = 0;
|
||||
u_long tiwin;
|
||||
struct tcpopt to; /* options in this segment */
|
||||
struct rmxp_tao *taop; /* pointer to our TAO cache entry */
|
||||
@ -1491,7 +1490,6 @@ tcp_input(m, off0)
|
||||
if (thflags & TH_SYN &&
|
||||
tp->t_state == TCPS_TIME_WAIT &&
|
||||
SEQ_GT(th->th_seq, tp->rcv_nxt)) {
|
||||
iss = tcp_new_isn(tp);
|
||||
tp = tcp_close(tp);
|
||||
goto findpcb;
|
||||
}
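Review bot: The TIME_WAIT branch in the second hunk is left without a comment saying where the new connection's initial sequence number comes from, now that `iss = tcp_new_isn(tp);` is presumably the line dropped there (the hunk counts show one removal, but the rendering lost the markers). Going by the commit message, the syncache now chooses it, so a short comment above the `if` would stop a later reader from re-adding the call: `/* New SYN above rcv_nxt in TIME_WAIT: close the old tcpcb and redo the lookup; the ISS is picked by the syncache, not here. */`. The body of `tcp_input` starts and ends outside both hunks, so any remaining use of `iss` cannot be checked from this page.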
|
||||
|
@ -343,7 +343,6 @@ tcp_input(m, off0)
|
||||
register int thflags;
|
||||
struct socket *so = 0;
|
||||
int todrop, acked, ourfinisacked, needoutput = 0;
|
||||
int iss = 0;
|
||||
u_long tiwin;
|
||||
struct tcpopt to; /* options in this segment */
|
||||
struct rmxp_tao *taop; /* pointer to our TAO cache entry */
|
||||
@ -1491,7 +1490,6 @@ tcp_input(m, off0)
|
||||
if (thflags & TH_SYN &&
|
||||
tp->t_state == TCPS_TIME_WAIT &&
|
||||
SEQ_GT(th->th_seq, tp->rcv_nxt)) {
|
||||
iss = tcp_new_isn(tp);
|
||||
tp = tcp_close(tp);
|
||||
goto findpcb;
|
||||
}
|
||||
|
@ -140,10 +140,6 @@ static int icmp_may_rst = 1;
|
||||
SYSCTL_INT(_net_inet_tcp, OID_AUTO, icmp_may_rst, CTLFLAG_RW, &icmp_may_rst, 0,
|
||||
"Certain ICMP unreachable messages may abort connections in SYN_SENT");
|
||||
|
||||
static int tcp_strict_rfc1948 = 0;
|
||||
SYSCTL_INT(_net_inet_tcp, OID_AUTO, strict_rfc1948, CTLFLAG_RW,
|
||||
&tcp_strict_rfc1948, 0, "Determines if RFC1948 is followed exactly");
|
||||
|
||||
static int tcp_isn_reseed_interval = 0;
|
||||
SYSCTL_INT(_net_inet_tcp, OID_AUTO, isn_reseed_interval, CTLFLAG_RW,
|
||||
&tcp_isn_reseed_interval, 0, "Seconds between reseeding of ISN secret");
|
||||
@ -1133,12 +1129,8 @@ tcp6_ctlinput(cmd, sa, d)
|
||||
* 1. In SYN-ACK packets.
|
||||
* 2. In SYN packets.
|
||||
*
|
||||
* The ISNs in SYN-ACK packets have no monotonicity requirement,
|
||||
* and should be as unpredictable as possible to avoid the possibility
|
||||
* of spoofing and/or connection hijacking. To satisfy this
|
||||
* requirement, SYN-ACK ISNs are generated via the arc4random()
|
||||
* function. If exact RFC 1948 compliance is requested via sysctl,
|
||||
* these ISNs will be generated just like those in SYN packets.
|
||||
* All ISNs for SYN-ACK packets are generated by the syncache. See
|
||||
* tcp_syncache.c for details.
|
||||
*
|
||||
* The ISNs in SYN packets must be monotonic; TIME_WAIT recycling
|
||||
* depends on this property. In addition, these ISNs should be
|
||||
@ -1146,9 +1138,6 @@ tcp6_ctlinput(cmd, sa, d)
|
||||
* the requirements of this situation, the algorithm outlined in
|
||||
* RFC 1948 is used to generate sequence numbers.
|
||||
*
|
||||
* For more information on the theory of operation, please see
|
||||
* RFC 1948.
|
||||
*
|
||||
* Implementation details:
|
||||
*
|
||||
* Time is based off the system timer, and is corrected so that it
|
||||
@ -1156,17 +1145,10 @@ tcp6_ctlinput(cmd, sa, d)
|
||||
* recycling on high speed LANs while still leaving over an hour
|
||||
* before rollover.
|
||||
*
|
||||
* Two sysctls control the generation of ISNs:
|
||||
*
|
||||
* net.inet.tcp.isn_reseed_interval controls the number of seconds
|
||||
* between seeding of isn_secret. This is normally set to zero,
|
||||
* as reseeding should not be necessary.
|
||||
*
|
||||
* net.inet.tcp.strict_rfc1948 controls whether RFC 1948 is followed
|
||||
* strictly. When strict compliance is requested, reseeding is
|
||||
* disabled and SYN-ACKs will be generated in the same manner as
|
||||
* SYNs. Strict mode is disabled by default.
|
||||
*
|
||||
*/
|
||||
|
||||
#define ISN_BYTES_PER_SECOND 1048576
|
||||
@ -1182,14 +1164,8 @@ tcp_new_isn(tp)
|
||||
u_int32_t md5_buffer[4];
|
||||
tcp_seq new_isn;
|
||||
|
||||
/* Use arc4random for SYN-ACKs when not in exact RFC1948 mode. */
|
||||
if (((tp->t_state == TCPS_LISTEN) || (tp->t_state == TCPS_TIME_WAIT))
|
||||
&& tcp_strict_rfc1948 == 0)
|
||||
return arc4random();
|
||||
|
||||
/* Seed if this is the first use, reseed if requested. */
|
||||
if ((isn_last_reseed == 0) ||
|
||||
((tcp_strict_rfc1948 == 0) && (tcp_isn_reseed_interval > 0) &&
|
||||
if ((isn_last_reseed == 0) || ((tcp_isn_reseed_interval > 0) &&
|
||||
(((u_int)isn_last_reseed + (u_int)tcp_isn_reseed_interval*hz)
|
||||
< (u_int)ticks))) {
|
||||
read_random(&isn_secret, sizeof(isn_secret));
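Review bot: The reseed test that survives on the new side, `((u_int)isn_last_reseed + (u_int)tcp_isn_reseed_interval*hz) < (u_int)ticks`, compares absolute tick values, so it misbehaves when `ticks` wraps, and the sum can itself wrap for a large `net.inet.tcp.isn_reseed_interval`, which is `CTLFLAG_RW` with no range check visible on this page. Comparing elapsed time is wrap-safe: `((u_int)ticks - (u_int)isn_last_reseed) > (u_int)tcp_isn_reseed_interval*hz`. A mistimed reseed of `isn_secret` matters here because the block comment above says SYN ISNs must stay monotonic for TIME_WAIT recycling. Separately, dropping `net.inet.tcp.strict_rfc1948` in a change marked for MFC means any existing setting of that sysctl will be rejected after the merge, which deserves a line in the release notes. The body of `tcp_new_isn` continues past the end of this hunk.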
|
||||
|
@ -140,10 +140,6 @@ static int icmp_may_rst = 1;
|
||||
SYSCTL_INT(_net_inet_tcp, OID_AUTO, icmp_may_rst, CTLFLAG_RW, &icmp_may_rst, 0,
|
||||
"Certain ICMP unreachable messages may abort connections in SYN_SENT");
|
||||
|
||||
static int tcp_strict_rfc1948 = 0;
|
||||
SYSCTL_INT(_net_inet_tcp, OID_AUTO, strict_rfc1948, CTLFLAG_RW,
|
||||
&tcp_strict_rfc1948, 0, "Determines if RFC1948 is followed exactly");
|
||||
|
||||
static int tcp_isn_reseed_interval = 0;
|
||||
SYSCTL_INT(_net_inet_tcp, OID_AUTO, isn_reseed_interval, CTLFLAG_RW,
|
||||
&tcp_isn_reseed_interval, 0, "Seconds between reseeding of ISN secret");
|
||||
@ -1133,12 +1129,8 @@ tcp6_ctlinput(cmd, sa, d)
|
||||
* 1. In SYN-ACK packets.
|
||||
* 2. In SYN packets.
|
||||
*
|
||||
* The ISNs in SYN-ACK packets have no monotonicity requirement,
|
||||
* and should be as unpredictable as possible to avoid the possibility
|
||||
* of spoofing and/or connection hijacking. To satisfy this
|
||||
* requirement, SYN-ACK ISNs are generated via the arc4random()
|
||||
* function. If exact RFC 1948 compliance is requested via sysctl,
|
||||
* these ISNs will be generated just like those in SYN packets.
|
||||
* All ISNs for SYN-ACK packets are generated by the syncache. See
|
||||
* tcp_syncache.c for details.
|
||||
*
|
||||
* The ISNs in SYN packets must be monotonic; TIME_WAIT recycling
|
||||
* depends on this property. In addition, these ISNs should be
|
||||
@ -1146,9 +1138,6 @@ tcp6_ctlinput(cmd, sa, d)
|
||||
* the requirements of this situation, the algorithm outlined in
|
||||
* RFC 1948 is used to generate sequence numbers.
|
||||
*
|
||||
* For more information on the theory of operation, please see
|
||||
* RFC 1948.
|
||||
*
|
||||
* Implementation details:
|
||||
*
|
||||
* Time is based off the system timer, and is corrected so that it
|
||||
@ -1156,17 +1145,10 @@ tcp6_ctlinput(cmd, sa, d)
|
||||
* recycling on high speed LANs while still leaving over an hour
|
||||
* before rollover.
|
||||
*
|
||||
* Two sysctls control the generation of ISNs:
|
||||
*
|
||||
* net.inet.tcp.isn_reseed_interval controls the number of seconds
|
||||
* between seeding of isn_secret. This is normally set to zero,
|
||||
* as reseeding should not be necessary.
|
||||
*
|
||||
* net.inet.tcp.strict_rfc1948 controls whether RFC 1948 is followed
|
||||
* strictly. When strict compliance is requested, reseeding is
|
||||
* disabled and SYN-ACKs will be generated in the same manner as
|
||||
* SYNs. Strict mode is disabled by default.
|
||||
*
|
||||
*/
|
||||
|
||||
#define ISN_BYTES_PER_SECOND 1048576
|
||||
@ -1182,14 +1164,8 @@ tcp_new_isn(tp)
|
||||
u_int32_t md5_buffer[4];
|
||||
tcp_seq new_isn;
|
||||
|
||||
/* Use arc4random for SYN-ACKs when not in exact RFC1948 mode. */
|
||||
if (((tp->t_state == TCPS_LISTEN) || (tp->t_state == TCPS_TIME_WAIT))
|
||||
&& tcp_strict_rfc1948 == 0)
|
||||
return arc4random();
|
||||
|
||||
/* Seed if this is the first use, reseed if requested. */
|
||||
if ((isn_last_reseed == 0) ||
|
||||
((tcp_strict_rfc1948 == 0) && (tcp_isn_reseed_interval > 0) &&
|
||||
if ((isn_last_reseed == 0) || ((tcp_isn_reseed_interval > 0) &&
|
||||
(((u_int)isn_last_reseed + (u_int)tcp_isn_reseed_interval*hz)
|
||||
< (u_int)ticks))) {
|
||||
read_random(&isn_secret, sizeof(isn_secret));
|
||||
|