authorwollman <wollman@FreeBSD.org>1995-10-03 16:54:17 +0000
committerwollman <wollman@FreeBSD.org>1995-10-03 16:54:17 +0000
commit3fc43db861e597f1130b985d780f0197ed473b13 (patch)
tree7ad9eaf1935c4be274c953c161f45e2d25f3433c /sys/netinet
parent6620dab5e12bef027febd61c323aedb2f252e1e6 (diff)
Finish 4.4-Lite-2 merge: randomize TCP initial sequence numbers
to make ISS-guessing spoofing attacks harder.
Diffstat (limited to 'sys/netinet')
-rw-r--r--sys/netinet/tcp_input.c14
-rw-r--r--sys/netinet/tcp_reass.c14
-rw-r--r--sys/netinet/tcp_seq.h29
-rw-r--r--sys/netinet/tcp_subr.c8
-rw-r--r--sys/netinet/tcp_timer.c24
-rw-r--r--sys/netinet/tcp_timewait.c8
6 files changed, 62 insertions, 35 deletions
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index 8e2bdf0..7762f81 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1982, 1986, 1988, 1990, 1993, 1994
+ * Copyright (c) 1982, 1986, 1988, 1990, 1993, 1994, 1995
* The Regents of the University of California. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -30,8 +30,8 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * From: @(#)tcp_input.c 8.5 (Berkeley) 4/10/94
- * $Id: tcp_input.c,v 1.27 1995/07/10 15:39:13 wollman Exp $
+ * @(#)tcp_input.c 8.12 (Berkeley) 5/24/95
+ * $Id: tcp_input.c,v 1.28 1995/07/31 10:24:22 olah Exp $
*/
#ifndef TUBA_INCLUDE
@@ -45,6 +45,8 @@
#include <sys/errno.h>
#include <sys/queue.h>
+#include <machine/cpu.h> /* before tcp_seq.h, for tcp_random18() */
+
#include <net/if.h>
#include <net/route.h>
@@ -243,7 +245,7 @@ tcp_input(m, iphlen)
{
register struct tcpiphdr *ti;
register struct inpcb *inp;
- caddr_t optp = NULL;
+ u_char *optp = NULL;
int optlen = 0;
int len, tlen, off;
register struct tcpcb *tp = 0;
@@ -315,7 +317,7 @@ tcp_input(m, iphlen)
ti = mtod(m, struct tcpiphdr *);
}
optlen = off - sizeof (struct tcphdr);
- optp = mtod(m, caddr_t) + sizeof (struct tcpiphdr);
+ optp = mtod(m, u_char *) + sizeof (struct tcpiphdr);
/*
* Do quick retrieval of timestamp options ("options
* prediction?"). If timestamp is the only option and it's
@@ -650,7 +652,7 @@ findpcb:
tp->iss = iss;
else
tp->iss = tcp_iss;
- tcp_iss += TCP_ISSINCR/2;
+ tcp_iss += TCP_ISSINCR/4;
tp->irs = ti->ti_seq;
tcp_sendseqinit(tp);
tcp_rcvseqinit(tp);
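Review bot: The per-connection step `tcp_iss += TCP_ISSINCR/4` adds little uncertainty for a peer that can observe one ISS: with TCP_ISSINCR defined in tcp_seq.h as `(122*1024 + tcp_random18())`, the step is a fixed 122*1024/4 plus at most 0x3ffff/4, roughly 16 bits of variation. Because `tp->iss = tcp_iss` hands out the shared counter itself, any host that completes a handshake learns the base for the next connection. I would document that limit at the increment, e.g. `/* random part of this step is < 64K; raises the cost of ISS guessing, does not make the ISS unpredictable */`, and treat a per-connection ISS keyed on the address/port tuple (the RFC 6528 approach) as the real fix. The same hunk appears again in the tcp_reass.c section, and tcp_input()'s body starts and ends outside this hunk.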
diff --git a/sys/netinet/tcp_reass.c b/sys/netinet/tcp_reass.c
index 8e2bdf0..7762f81 100644
--- a/sys/netinet/tcp_reass.c
+++ b/sys/netinet/tcp_reass.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1982, 1986, 1988, 1990, 1993, 1994
+ * Copyright (c) 1982, 1986, 1988, 1990, 1993, 1994, 1995
* The Regents of the University of California. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -30,8 +30,8 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * From: @(#)tcp_input.c 8.5 (Berkeley) 4/10/94
- * $Id: tcp_input.c,v 1.27 1995/07/10 15:39:13 wollman Exp $
+ * @(#)tcp_input.c 8.12 (Berkeley) 5/24/95
+ * $Id: tcp_input.c,v 1.28 1995/07/31 10:24:22 olah Exp $
*/
#ifndef TUBA_INCLUDE
@@ -45,6 +45,8 @@
#include <sys/errno.h>
#include <sys/queue.h>
+#include <machine/cpu.h> /* before tcp_seq.h, for tcp_random18() */
+
#include <net/if.h>
#include <net/route.h>
@@ -243,7 +245,7 @@ tcp_input(m, iphlen)
{
register struct tcpiphdr *ti;
register struct inpcb *inp;
- caddr_t optp = NULL;
+ u_char *optp = NULL;
int optlen = 0;
int len, tlen, off;
register struct tcpcb *tp = 0;
@@ -315,7 +317,7 @@ tcp_input(m, iphlen)
ti = mtod(m, struct tcpiphdr *);
}
optlen = off - sizeof (struct tcphdr);
- optp = mtod(m, caddr_t) + sizeof (struct tcpiphdr);
+ optp = mtod(m, u_char *) + sizeof (struct tcpiphdr);
/*
* Do quick retrieval of timestamp options ("options
* prediction?"). If timestamp is the only option and it's
@@ -650,7 +652,7 @@ findpcb:
tp->iss = iss;
else
tp->iss = tcp_iss;
- tcp_iss += TCP_ISSINCR/2;
+ tcp_iss += TCP_ISSINCR/4;
tp->irs = ti->ti_seq;
tcp_sendseqinit(tp);
tcp_rcvseqinit(tp);
diff --git a/sys/netinet/tcp_seq.h b/sys/netinet/tcp_seq.h
index 6f0532f..f2fff27 100644
--- a/sys/netinet/tcp_seq.h
+++ b/sys/netinet/tcp_seq.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1982, 1986, 1993
+ * Copyright (c) 1982, 1986, 1993, 1995
* The Regents of the University of California. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -30,8 +30,8 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * @(#)tcp_seq.h 8.1 (Berkeley) 6/10/93
- * $Id: tcp_seq.h,v 1.4 1995/02/08 20:18:46 wollman Exp $
+ * @(#)tcp_seq.h 8.3 (Berkeley) 6/21/95
+ * $Id: tcp_seq.h,v 1.5 1995/02/14 02:35:17 wollman Exp $
*/
#ifndef _NETINET_TCP_SEQ_H_
@@ -75,13 +75,28 @@
(tp)->snd_una = (tp)->snd_nxt = (tp)->snd_max = (tp)->snd_up = \
(tp)->iss
-#define TCP_ISSINCR (125*1024) /* increment for tcp_iss each second */
-
#define TCP_PAWS_IDLE (24 * 24 * 60 * 60 * PR_SLOWHZ)
/* timestamp wrap-around time */
#ifdef KERNEL
-extern tcp_seq tcp_iss; /* tcp initial send seq # */
extern tcp_cc tcp_ccgen; /* global connection count */
+
+/*
+ * Increment for tcp_iss each second.
+ * This is designed to increment at the standard 250 KB/s,
+ * but with a random component averaging 128 KB.
+ * We also increment tcp_iss by a quarter of this amount
+ * each time we use the value for a new connection.
+ * If defined, the tcp_random18() macro should produce a
+ * number in the range [0-0x3ffff] that is hard to predict.
+ */
+#ifndef tcp_random18
+#define tcp_random18() ((random() >> 14) & 0x3ffff)
#endif
-#endif
+#define TCP_ISSINCR (122*1024 + tcp_random18())
+
+extern tcp_seq tcp_iss; /* tcp initial send seq # */
+#else
+#define TCP_ISSINCR (250*1024) /* increment for tcp_iss each second */
+#endif /* KERNEL */
+#endif /* _NETINET_TCP_SEQ_H_ */
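Review bot: The fallback `tcp_random18()` does not meet the contract stated in the comment above it ("hard to predict"): it is built on `random()`, a general-purpose generator, so a platform that does not supply its own macro in <machine/cpu.h> gets a guessable random component. The shift also looks one bit too large. If the kernel `random()` returns 31 bits (not visible here, please confirm), `random() >> 14` yields at most 17 bits, the `& 0x3ffff` mask is never filled, and the random part averages 64 KB rather than the 128 KB the comment states; `((random() >> 13) & 0x3ffff)` would match the comment in that case. Separately, `TCP_ISSINCR` now reads like a constant but calls a function on every expansion; a line such as `/* NB: not a constant in the kernel; each use draws a new random value */` would save the next reader a surprise.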
diff --git a/sys/netinet/tcp_subr.c b/sys/netinet/tcp_subr.c
index a614854..d166bba 100644
--- a/sys/netinet/tcp_subr.c
+++ b/sys/netinet/tcp_subr.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1982, 1986, 1988, 1990, 1993
+ * Copyright (c) 1982, 1986, 1988, 1990, 1993, 1995
* The Regents of the University of California. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -30,8 +30,8 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * @(#)tcp_subr.c 8.1 (Berkeley) 6/10/93
- * $Id: tcp_subr.c,v 1.15 1995/09/20 21:00:59 wollman Exp $
+ * @(#)tcp_subr.c 8.2 (Berkeley) 5/24/95
+ * $Id: tcp_subr.c,v 1.16 1995/09/22 17:43:37 wollman Exp $
*/
#include <sys/param.h>
@@ -87,7 +87,7 @@ void
tcp_init()
{
- tcp_iss = 1; /* wrong */
+ tcp_iss = random(); /* wrong, but better than a constant */
tcp_ccgen = 1;
tcp_cleartaocache();
LIST_INIT(&tcb);
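Review bot: `tcp_iss = random()` only helps if the generator's state differs from boot to boot; nothing in this hunk seeds it, so if `random()` starts from a fixed seed (to be confirmed against libkern) the first ISS is the same after every reboot and the old constant has merely been replaced by a different one. The trailing comment already admits the line is wrong; I would make it say why, e.g. `/* XXX predictable unless random() has been seeded from a varying source before tcp_init() */`. The identical change in the tcp_timewait.c section has the same issue. tcp_init() continues past the end of the hunk.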
diff --git a/sys/netinet/tcp_timer.c b/sys/netinet/tcp_timer.c
index 9badee0..c3da457 100644
--- a/sys/netinet/tcp_timer.c
+++ b/sys/netinet/tcp_timer.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1982, 1986, 1988, 1990, 1993
+ * Copyright (c) 1982, 1986, 1988, 1990, 1993, 1995
* The Regents of the University of California. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -30,8 +30,8 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * @(#)tcp_timer.c 8.1 (Berkeley) 6/10/93
- * $Id: tcp_timer.c,v 1.7 1995/05/30 08:09:59 rgrimes Exp $
+ * @(#)tcp_timer.c 8.2 (Berkeley) 5/24/95
+ * $Id: tcp_timer.c,v 1.8 1995/07/29 18:48:43 davidg Exp $
*/
#ifndef TUBA_INCLUDE
@@ -45,6 +45,8 @@
#include <sys/errno.h>
#include <sys/queue.h>
+#include <machine/cpu.h> /* before tcp_seq.h, for tcp_random18() */
+
#include <net/if.h>
#include <net/route.h>
@@ -62,10 +64,14 @@
int tcp_keepidle = TCPTV_KEEP_IDLE;
int tcp_keepintvl = TCPTV_KEEPINTVL;
+int tcp_keepcnt = TCPTV_KEEPCNT; /* max idle probes */
+int tcp_maxpersistidle = TCPTV_KEEP_IDLE; /* max idle time in persist */
int tcp_maxidle;
-int tcp_maxpersistidle = TCPTV_KEEP_IDLE;
-int tcp_totbackoff = 511;
+#else /* TUBA_INCLUDE */
+
+extern int tcp_maxpersistidle;
#endif /* TUBA_INCLUDE */
+
/*
* Fast timeout routine for processing delayed acks
*/
@@ -105,7 +111,7 @@ tcp_slowtimo()
s = splnet();
- tcp_maxidle = TCPTV_KEEPCNT * tcp_keepintvl;
+ tcp_maxidle = tcp_keepcnt * tcp_keepintvl;
ip = tcb.lh_first;
if (ip == NULL) {
@@ -118,7 +124,7 @@ tcp_slowtimo()
for (; ip != NULL; ip = ipnxt) {
ipnxt = ip->inp_list.le_next;
tp = intotcpcb(ip);
- if (tp == 0)
+ if (tp == 0 || tp->t_state == TCPS_LISTEN)
continue;
for (i = 0; i < TCPT_NTIMERS; i++) {
if (tp->t_timer[i] && --tp->t_timer[i] == 0) {
@@ -138,7 +144,7 @@ tpgone:
tcp_iss += TCP_ISSINCR/PR_SLOWHZ; /* increment iss */
#ifdef TCP_COMPAT_42
if ((int)tcp_iss < 0)
- tcp_iss = 0; /* XXX */
+ tcp_iss = TCP_ISSINCR; /* XXX */
#endif
tcp_now++; /* for timestamps */
splx(s);
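Review bot: Under TCP_COMPAT_42 the wrap path `tcp_iss = TCP_ISSINCR;` drops the counter back to a value between 122*1024 and 122*1024 + 0x3ffff (per the tcp_seq.h definition), so right after a wrap the ISS sits in a window of about 2^18 values near a known base. That is better than the old `0`, but the narrowing deserves more than `/* XXX */`; I would write `/* XXX 4.2 compat: keep iss non-negative; value is briefly confined to a small, known range */`. This path also expands TCP_ISSINCR twice in one tick, so two separate random draws are made. tcp_slowtimo() starts and ends outside the hunk.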
@@ -161,6 +167,8 @@ tcp_canceltimers(tp)
int tcp_backoff[TCP_MAXRXTSHIFT + 1] =
{ 1, 2, 4, 8, 16, 32, 64, 64, 64, 64, 64, 64, 64 };
+int tcp_totbackoff = 511; /* sum of tcp_backoff[] */
+
/*
* TCP timer processing.
*/
diff --git a/sys/netinet/tcp_timewait.c b/sys/netinet/tcp_timewait.c
index a614854..d166bba 100644
--- a/sys/netinet/tcp_timewait.c
+++ b/sys/netinet/tcp_timewait.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1982, 1986, 1988, 1990, 1993
+ * Copyright (c) 1982, 1986, 1988, 1990, 1993, 1995
* The Regents of the University of California. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -30,8 +30,8 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * @(#)tcp_subr.c 8.1 (Berkeley) 6/10/93
- * $Id: tcp_subr.c,v 1.15 1995/09/20 21:00:59 wollman Exp $
+ * @(#)tcp_subr.c 8.2 (Berkeley) 5/24/95
+ * $Id: tcp_subr.c,v 1.16 1995/09/22 17:43:37 wollman Exp $
*/
#include <sys/param.h>
@@ -87,7 +87,7 @@ void
tcp_init()
{
- tcp_iss = 1; /* wrong */
+ tcp_iss = random(); /* wrong, but better than a constant */
tcp_ccgen = 1;
tcp_cleartaocache();
LIST_INIT(&tcb);