From c7389be7ba51f5065993f0bb1468a0b1455f745f Mon Sep 17 00:00:00 2001
From: silby
Date: Wed, 10 Apr 2002 22:12:01 +0000
Subject: [PATCH] Remove some ISN generation code which has been unused since the syncache went in.

MFC after: 3 days
---
 sys/netinet/tcp_input.c | 2 --
 sys/netinet/tcp_reass.c | 2 --
 sys/netinet/tcp_subr.c | 30 +++--------------------------
 sys/netinet/tcp_timewait.c | 30 +++--------------------------
 4 files changed, 6 insertions(+), 58 deletions(-)
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index 71684d091b3d..5c60a14d7a7a 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -343,7 +343,6 @@ tcp_input(m, off0)
  register int thflags;
  struct socket *so = 0;
  int todrop, acked, ourfinisacked, needoutput = 0;
- int iss = 0;
  u_long tiwin;
  struct tcpopt to; /* options in this segment */
  struct rmxp_tao *taop; /* pointer to our TAO cache entry */
@@ -1491,7 +1490,6 @@ tcp_input(m, off0)
  if (thflags & TH_SYN &&
  tp->t_state == TCPS_TIME_WAIT &&
  SEQ_GT(th->th_seq, tp->rcv_nxt)) {
- iss = tcp_new_isn(tp);
  tp = tcp_close(tp);
  goto findpcb;
  }
diff --git a/sys/netinet/tcp_reass.c b/sys/netinet/tcp_reass.c
index 71684d091b3d..5c60a14d7a7a 100644
--- a/sys/netinet/tcp_reass.c
+++ b/sys/netinet/tcp_reass.c
@@ -343,7 +343,6 @@ tcp_input(m, off0)
  register int thflags;
  struct socket *so = 0;
  int todrop, acked, ourfinisacked, needoutput = 0;
- int iss = 0;
  u_long tiwin;
  struct tcpopt to; /* options in this segment */
  struct rmxp_tao *taop; /* pointer to our TAO cache entry */
@@ -1491,7 +1490,6 @@ tcp_input(m, off0)
  if (thflags & TH_SYN &&
  tp->t_state == TCPS_TIME_WAIT &&
  SEQ_GT(th->th_seq, tp->rcv_nxt)) {
- iss = tcp_new_isn(tp);
  tp = tcp_close(tp);
  goto findpcb;
  }
diff --git a/sys/netinet/tcp_subr.c b/sys/netinet/tcp_subr.c
index 63af8636c5ed..13d8300cb862 100644
--- a/sys/netinet/tcp_subr.c
+++ b/sys/netinet/tcp_subr.c
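Review bot: With `iss = tcp_new_isn(tp);` removed from the TIME_WAIT branch in the @@ -1491 hunk, this block no longer says where the replacement connection's own ISN comes from, and `SEQ_GT(th->th_seq, tp->rcv_nxt)` is now the only visible check gating the reopen of a TIME_WAIT connection by a fresh SYN; a one-line comment would keep that intent readable, e.g. `/* Acceptable new SYN on a TIME_WAIT 4-tuple: drop the old PCB; the ISN for the new connection is chosen by the syncache. */`. The `int iss = 0;` removal in the @@ -343 hunk is just the matching dead declaration. The tcp_reass.c section carries the same two hunks under the same index line as tcp_input.c, which looks like a repository-copy artefact rather than a second change. tcp_input() begins and ends outside both hunks.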
@@ -140,10 +140,6 @@ static int icmp_may_rst = 1;
 SYSCTL_INT(_net_inet_tcp, OID_AUTO, icmp_may_rst, CTLFLAG_RW,
  &icmp_may_rst, 0, "Certain ICMP unreachable messages may abort connections in SYN_SENT");
 
-static int tcp_strict_rfc1948 = 0;
-SYSCTL_INT(_net_inet_tcp, OID_AUTO, strict_rfc1948, CTLFLAG_RW,
- &tcp_strict_rfc1948, 0, "Determines if RFC1948 is followed exactly");
-
 static int tcp_isn_reseed_interval = 0;
 SYSCTL_INT(_net_inet_tcp, OID_AUTO, isn_reseed_interval, CTLFLAG_RW,
  &tcp_isn_reseed_interval, 0, "Seconds between reseeding of ISN secret");
@@ -1133,12 +1129,8 @@ tcp6_ctlinput(cmd, sa, d)
  * 1. In SYN-ACK packets.
  * 2. In SYN packets.
  *
- * The ISNs in SYN-ACK packets have no monotonicity requirement,
- * and should be as unpredictable as possible to avoid the possibility
- * of spoofing and/or connection hijacking. To satisfy this
- * requirement, SYN-ACK ISNs are generated via the arc4random()
- * function. If exact RFC 1948 compliance is requested via sysctl,
- * these ISNs will be generated just like those in SYN packets.
+ * All ISNs for SYN-ACK packets are generated by the syncache. See
+ * tcp_syncache.c for details.
  *
  * The ISNs in SYN packets must be monotonic; TIME_WAIT recycling
  * depends on this property. In addition, these ISNs should be
@@ -1146,9 +1138,6 @@ tcp6_ctlinput(cmd, sa, d)
  * the requirements of this situation, the algorithm outlined in
  * RFC 1948 is used to generate sequence numbers.
  *
- * For more information on the theory of operation, please see
- * RFC 1948.
- *
  * Implementation details:
  *
  * Time is based off the system timer, and is corrected so that it
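Review bot: Dropping the `net.inet.tcp.strict_rfc1948` sysctl in the @@ -140 hunk is a user-visible interface change that neither the subject line nor the diff records; a host that pins that OID in sysctl.conf will now get an unknown-name error at boot, so the commit message should name the removed knob and the tcp(4) page presumably needs the matching edit. The new text in the @@ -1133 hunk also loses the one sentence that stated the security requirement on SYN-ACK ISNs; since ownership moved to the syncache, the requirement should move with the pointer: `* SYN-ACK ISNs need not be monotonic but must be unpredictable to resist spoofing and hijacking; they are generated by the syncache, see tcp_syncache.c.`. The tcp_timewait.c section repeats these hunks byte for byte under the same index line, so the same applies there.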
@@ -1156,17 +1145,10 @@ tcp6_ctlinput(cmd, sa, d)
  * recycling on high speed LANs while still leaving over an hour
  * before rollover.
  *
- * Two sysctls control the generation of ISNs:
- *
  * net.inet.tcp.isn_reseed_interval controls the number of seconds
  * between seeding of isn_secret. This is normally set to zero,
  * as reseeding should not be necessary.
  *
- * net.inet.tcp.strict_rfc1948 controls whether RFC 1948 is followed
- * strictly. When strict compliance is requested, reseeding is
- * disabled and SYN-ACKs will be generated in the same manner as
- * SYNs. Strict mode is disabled by default.
- *
  */
 
 #define ISN_BYTES_PER_SECOND 1048576
@@ -1182,14 +1164,8 @@ tcp_new_isn(tp)
  u_int32_t md5_buffer[4];
  tcp_seq new_isn;
 
- /* Use arc4random for SYN-ACKs when not in exact RFC1948 mode. */
- if (((tp->t_state == TCPS_LISTEN) || (tp->t_state == TCPS_TIME_WAIT))
- && tcp_strict_rfc1948 == 0)
- return arc4random();
-
  /* Seed if this is the first use, reseed if requested. */
- if ((isn_last_reseed == 0) ||
- ((tcp_strict_rfc1948 == 0) && (tcp_isn_reseed_interval > 0) &&
+ if ((isn_last_reseed == 0) || ((tcp_isn_reseed_interval > 0) &&
  (((u_int)isn_last_reseed + (u_int)tcp_isn_reseed_interval*hz)
  < (u_int)ticks))) {
  read_random(&isn_secret, sizeof(isn_secret));
diff --git a/sys/netinet/tcp_timewait.c b/sys/netinet/tcp_timewait.c
index 63af8636c5ed..13d8300cb862 100644
--- a/sys/netinet/tcp_timewait.c
+++ b/sys/netinet/tcp_timewait.c
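Review bot: The rewritten condition in the @@ -1182 hunk now reseeds isn_secret whenever `tcp_isn_reseed_interval > 0` and the interval has elapsed, and the strict-mode escape that could forbid reseeding is gone; yet the comment block in the @@ -1133 hunk still says SYN ISNs "must be monotonic; TIME_WAIT recycling depends on this property", and a reseed changes the hash input and so breaks that monotonicity across the reseed, which the deleted paragraph used to say outright. The remaining sysctl text in the @@ -1156 hunk should carry that caveat, e.g. `* between seeding of isn_secret. A reseed breaks ISN monotonicity across the reseed, so leave this at zero unless that is acceptable.`. Separately, `(u_int)tcp_isn_reseed_interval*hz` on the context line under the new condition is unsigned arithmetic on a root-settable int, so a very large interval may wrap to a small value and reseed far more often than configured; bounding the sysctl value, or the product here, would avoid that, though the arithmetic itself predates this commit. tcp_new_isn() continues past the end of the hunk, and the tcp_timewait.c section repeats both hunks verbatim.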
@@ -140,10 +140,6 @@ static int icmp_may_rst = 1;
 SYSCTL_INT(_net_inet_tcp, OID_AUTO, icmp_may_rst, CTLFLAG_RW,
  &icmp_may_rst, 0, "Certain ICMP unreachable messages may abort connections in SYN_SENT");
 
-static int tcp_strict_rfc1948 = 0;
-SYSCTL_INT(_net_inet_tcp, OID_AUTO, strict_rfc1948, CTLFLAG_RW,
- &tcp_strict_rfc1948, 0, "Determines if RFC1948 is followed exactly");
-
 static int tcp_isn_reseed_interval = 0;
 SYSCTL_INT(_net_inet_tcp, OID_AUTO, isn_reseed_interval, CTLFLAG_RW,
  &tcp_isn_reseed_interval, 0, "Seconds between reseeding of ISN secret");
@@ -1133,12 +1129,8 @@ tcp6_ctlinput(cmd, sa, d)
  * 1. In SYN-ACK packets.
  * 2. In SYN packets.
  *
- * The ISNs in SYN-ACK packets have no monotonicity requirement,
- * and should be as unpredictable as possible to avoid the possibility
- * of spoofing and/or connection hijacking. To satisfy this
- * requirement, SYN-ACK ISNs are generated via the arc4random()
- * function. If exact RFC 1948 compliance is requested via sysctl,
- * these ISNs will be generated just like those in SYN packets.
+ * All ISNs for SYN-ACK packets are generated by the syncache. See
+ * tcp_syncache.c for details.
  *
  * The ISNs in SYN packets must be monotonic; TIME_WAIT recycling
  * depends on this property. In addition, these ISNs should be
@@ -1146,9 +1138,6 @@ tcp6_ctlinput(cmd, sa, d)
  * the requirements of this situation, the algorithm outlined in
  * RFC 1948 is used to generate sequence numbers.
  *
- * For more information on the theory of operation, please see
- * RFC 1948.
- *
  * Implementation details:
  *
  * Time is based off the system timer, and is corrected so that it
@@ -1156,17 +1145,10 @@ tcp6_ctlinput(cmd, sa, d)
  * recycling on high speed LANs while still leaving over an hour
  * before rollover.
  *
- * Two sysctls control the generation of ISNs:
- *
  * net.inet.tcp.isn_reseed_interval controls the number of seconds
  * between seeding of isn_secret. This is normally set to zero,
  * as reseeding should not be necessary.
  *
- * net.inet.tcp.strict_rfc1948 controls whether RFC 1948 is followed
- * strictly. When strict compliance is requested, reseeding is
- * disabled and SYN-ACKs will be generated in the same manner as
- * SYNs. Strict mode is disabled by default.
- *
  */
 
 #define ISN_BYTES_PER_SECOND 1048576
@@ -1182,14 +1164,8 @@ tcp_new_isn(tp)
  u_int32_t md5_buffer[4];
  tcp_seq new_isn;
 
- /* Use arc4random for SYN-ACKs when not in exact RFC1948 mode. */
- if (((tp->t_state == TCPS_LISTEN) || (tp->t_state == TCPS_TIME_WAIT))
- && tcp_strict_rfc1948 == 0)
- return arc4random();
-
  /* Seed if this is the first use, reseed if requested. */
- if ((isn_last_reseed == 0) ||
- ((tcp_strict_rfc1948 == 0) && (tcp_isn_reseed_interval > 0) &&
+ if ((isn_last_reseed == 0) || ((tcp_isn_reseed_interval > 0) &&
  (((u_int)isn_last_reseed + (u_int)tcp_isn_reseed_interval*hz)
  < (u_int)ticks))) {
  read_random(&isn_secret, sizeof(isn_secret));