From cd1054d7515fbdf1734b5a54f16ea7cd0199de98 Mon Sep 17 00:00:00 2001 From: mikeb Date: Thu, 7 Dec 2017 16:52:21 +0000 Subject: [PATCH] Initialize tcp_secret in tcp_init The initialization of a secret SHA256 context for generating TCP initial sequence numbers is moved out of tcp_set_iss_tsm used to set up ISN for new connections and into tcp_init, sparing the need for a global flag. OK deraadt, visa, mpi --- sys/netinet/tcp_subr.c | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) diff --git a/sys/netinet/tcp_subr.c b/sys/netinet/tcp_subr.c index 50f9b7872f0..67e8c1a80a1 100644 --- a/sys/netinet/tcp_subr.c +++ b/sys/netinet/tcp_subr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tcp_subr.c,v 1.166 2017/10/22 14:11:34 mikeb Exp $ */ +/* $OpenBSD: tcp_subr.c,v 1.167 2017/12/07 16:52:21 mikeb Exp $ */ /* $NetBSD: tcp_subr.c,v 1.22 1996/02/13 23:44:00 christos Exp $ */ /* @@ -125,6 +125,9 @@ struct pool tcpqe_pool; struct pool sackhl_pool; struct cpumem *tcpcounters; /* tcp statistics */ + +u_char tcp_secret[16]; +SHA2_CTX tcp_secret_ctx; tcp_seq tcp_iss; /* @@ -145,6 +148,10 @@ tcp_init(void) in_pcbinit(&tcbtable, TCB_INITIAL_HASH_SIZE); tcpcounters = counters_alloc(tcps_ncounters); + arc4random_buf(tcp_secret, sizeof(tcp_secret)); + SHA512Init(&tcp_secret_ctx); + SHA512Update(&tcp_secret_ctx, tcp_secret, sizeof(tcp_secret)); + #ifdef INET6 /* * Since sizeof(struct ip6_hdr) > sizeof(struct ip), we @@ -903,9 +910,6 @@ tcp_mtudisc_increase(struct inpcb *inp, int errno) * Generate new ISNs with a method based on RFC1948 */ #define TCP_ISS_CONN_INC 4096 -int tcp_secret_init; -u_char tcp_secret[16]; -SHA2_CTX tcp_secret_ctx; void tcp_set_iss_tsm(struct tcpcb *tp) 
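Review bot: The two objects added after `tcpcounters` get external linkage, and the raw seed `tcp_secret` stays resident for the whole uptime although the visible code reads it only once, to prime `tcp_secret_ctx`. If nothing outside tcp_subr.c references them (not visible from this patch), declare both `static`. The seed could instead be a local in tcp_init(), cleared with `explicit_bzero(tcp_secret, sizeof(tcp_secret));` after the SHA512Update() call, which leaves the context as the only object holding keyed state. A short comment above `tcp_secret_ctx`, such as `/* keyed hash state for RFC 1948 ISN generation; set once in tcp_init(), never export */`, would record why it is sensitive.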
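Review bot: Drawing the secret in tcp_init() ties its quality to the state of the random subsystem at protocol initialisation, whereas the removed lazy path in tcp_set_iss_tsm() drew it at the first connection; the patch does not show whether arc4random_buf() is fully seeded this early, so that ordering should be confirmed and recorded. I would add a comment above the new lines, e.g. `/* ISN secret (RFC 1948): must be set before the first tcp_set_iss_tsm() call; relies on arc4random being seeded here */`. tcp_set_iss_tsm() now copies `tcp_secret_ctx` unconditionally, so any path reaching it before tcp_init() would hash from a zero-filled context and yield predictable sequence numbers. The commit message also says SHA256 while the code calls SHA512Init(), so the wording should be aligned. tcp_init()'s body continues outside the hunk.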
@@ -917,12 +921,6 @@ tcp_set_iss_tsm(struct tcpcb *tp) } digest; u_int rdomain = rtable_l2(tp->t_inpcb->inp_rtableid); - if (tcp_secret_init == 0) { - arc4random_buf(tcp_secret, sizeof(tcp_secret)); - SHA512Init(&tcp_secret_ctx); - SHA512Update(&tcp_secret_ctx, tcp_secret, sizeof(tcp_secret)); - tcp_secret_init = 1; - } ctx = tcp_secret_ctx; SHA512Update(&ctx, &rdomain, sizeof(rdomain)); SHA512Update(&ctx, &tp->t_inpcb->inp_lport, sizeof(u_short)); -- 2.20.1