authorsilby <silby@FreeBSD.org>2002-04-10 22:12:01 +0000
committersilby <silby@FreeBSD.org>2002-04-10 22:12:01 +0000
commitc7389be7ba51f5065993f0bb1468a0b1455f745f (patch)
treebf968d07e0a9cb157a7954e2ad549c36a31a7bec /sys
parent8e0ca659ca19b6e5a9198d623849bef9342ddcdd (diff)
Remove some ISN generation code which has been unused since the
syncache went in. MFC after: 3 days
Diffstat (limited to 'sys')
-rw-r--r--sys/netinet/tcp_input.c2
-rw-r--r--sys/netinet/tcp_reass.c2
-rw-r--r--sys/netinet/tcp_subr.c30
-rw-r--r--sys/netinet/tcp_timewait.c30
4 files changed, 6 insertions, 58 deletions
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index 71684d0..5c60a14 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -343,7 +343,6 @@ tcp_input(m, off0)
register int thflags;
struct socket *so = 0;
int todrop, acked, ourfinisacked, needoutput = 0;
- int iss = 0;
u_long tiwin;
struct tcpopt to; /* options in this segment */
struct rmxp_tao *taop; /* pointer to our TAO cache entry */
@@ -1491,7 +1490,6 @@ trimthenstep6:
if (thflags & TH_SYN &&
tp->t_state == TCPS_TIME_WAIT &&
SEQ_GT(th->th_seq, tp->rcv_nxt)) {
- iss = tcp_new_isn(tp);
tp = tcp_close(tp);
goto findpcb;
}
diff --git a/sys/netinet/tcp_reass.c b/sys/netinet/tcp_reass.c
index 71684d0..5c60a14 100644
--- a/sys/netinet/tcp_reass.c
+++ b/sys/netinet/tcp_reass.c
@@ -343,7 +343,6 @@ tcp_input(m, off0)
register int thflags;
struct socket *so = 0;
int todrop, acked, ourfinisacked, needoutput = 0;
- int iss = 0;
u_long tiwin;
struct tcpopt to; /* options in this segment */
struct rmxp_tao *taop; /* pointer to our TAO cache entry */
@@ -1491,7 +1490,6 @@ trimthenstep6:
if (thflags & TH_SYN &&
tp->t_state == TCPS_TIME_WAIT &&
SEQ_GT(th->th_seq, tp->rcv_nxt)) {
- iss = tcp_new_isn(tp);
tp = tcp_close(tp);
goto findpcb;
}
diff --git a/sys/netinet/tcp_subr.c b/sys/netinet/tcp_subr.c
index 63af863..13d8300 100644
--- a/sys/netinet/tcp_subr.c
+++ b/sys/netinet/tcp_subr.c
@@ -140,10 +140,6 @@ static int icmp_may_rst = 1;
SYSCTL_INT(_net_inet_tcp, OID_AUTO, icmp_may_rst, CTLFLAG_RW, &icmp_may_rst, 0,
"Certain ICMP unreachable messages may abort connections in SYN_SENT");
-static int tcp_strict_rfc1948 = 0;
-SYSCTL_INT(_net_inet_tcp, OID_AUTO, strict_rfc1948, CTLFLAG_RW,
- &tcp_strict_rfc1948, 0, "Determines if RFC1948 is followed exactly");
-
static int tcp_isn_reseed_interval = 0;
SYSCTL_INT(_net_inet_tcp, OID_AUTO, isn_reseed_interval, CTLFLAG_RW,
&tcp_isn_reseed_interval, 0, "Seconds between reseeding of ISN secret");
@@ -1133,12 +1129,8 @@ tcp6_ctlinput(cmd, sa, d)
* 1. In SYN-ACK packets.
* 2. In SYN packets.
*
- * The ISNs in SYN-ACK packets have no monotonicity requirement,
- * and should be as unpredictable as possible to avoid the possibility
- * of spoofing and/or connection hijacking. To satisfy this
- * requirement, SYN-ACK ISNs are generated via the arc4random()
- * function. If exact RFC 1948 compliance is requested via sysctl,
- * these ISNs will be generated just like those in SYN packets.
+ * All ISNs for SYN-ACK packets are generated by the syncache. See
+ * tcp_syncache.c for details.
*
* The ISNs in SYN packets must be monotonic; TIME_WAIT recycling
* depends on this property. In addition, these ISNs should be
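Review bot: The replacement text for the SYN-ACK paragraph drops the stated requirement that SYN-ACK ISNs have no monotonicity constraint and must be as unpredictable as possible to resist spoofing and connection hijacking; it now only points at tcp_syncache.c. Keeping that requirement here lets a reader check the syncache against it, for example `* All ISNs for SYN-ACK packets are generated by the syncache; they need not be monotonic but must be unpredictable. See tcp_syncache.c.` The numbered list above still names SYN-ACK packets, so it may be worth saying explicitly that tcp_new_isn() now serves SYN packets only. The comment block starts and ends outside this hunk, and the identical hunk in sys/netinet/tcp_timewait.c has the same gap.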
@@ -1146,9 +1138,6 @@ tcp6_ctlinput(cmd, sa, d)
* the requirements of this situation, the algorithm outlined in
* RFC 1948 is used to generate sequence numbers.
*
- * For more information on the theory of operation, please see
- * RFC 1948.
- *
* Implementation details:
*
* Time is based off the system timer, and is corrected so that it
@@ -1156,17 +1145,10 @@ tcp6_ctlinput(cmd, sa, d)
* recycling on high speed LANs while still leaving over an hour
* before rollover.
*
- * Two sysctls control the generation of ISNs:
- *
* net.inet.tcp.isn_reseed_interval controls the number of seconds
* between seeding of isn_secret. This is normally set to zero,
* as reseeding should not be necessary.
*
- * net.inet.tcp.strict_rfc1948 controls whether RFC 1948 is followed
- * strictly. When strict compliance is requested, reseeding is
- * disabled and SYN-ACKs will be generated in the same manner as
- * SYNs. Strict mode is disabled by default.
- *
*/
#define ISN_BYTES_PER_SECOND 1048576
@@ -1182,14 +1164,8 @@ tcp_new_isn(tp)
u_int32_t md5_buffer[4];
tcp_seq new_isn;
- /* Use arc4random for SYN-ACKs when not in exact RFC1948 mode. */
- if (((tp->t_state == TCPS_LISTEN) || (tp->t_state == TCPS_TIME_WAIT))
- && tcp_strict_rfc1948 == 0)
- return arc4random();
-
/* Seed if this is the first use, reseed if requested. */
- if ((isn_last_reseed == 0) ||
- ((tcp_strict_rfc1948 == 0) && (tcp_isn_reseed_interval > 0) &&
+ if ((isn_last_reseed == 0) || ((tcp_isn_reseed_interval > 0) &&
(((u_int)isn_last_reseed + (u_int)tcp_isn_reseed_interval*hz)
< (u_int)ticks))) {
read_random(&isn_secret, sizeof(isn_secret));
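Review bot: The rewritten reseed condition still compares `(u_int)isn_last_reseed + (u_int)tcp_isn_reseed_interval*hz` against `(u_int)ticks`, which is not wrap-safe. The sum can overflow for a large value of the writable isn_reseed_interval sysctl, and the comparison misbehaves once ticks wraps. A spurious reseed matters here because the surrounding comment says SYN ISNs must stay monotonic for TIME_WAIT recycling, and with the strict_rfc1948 guard gone nothing else disables reseeding. Comparing elapsed time avoids both cases: `((u_int)ticks - (u_int)isn_last_reseed) > (u_int)tcp_isn_reseed_interval * hz`; a bound on the sysctl value would also help. tcp_new_isn() starts and ends outside this hunk, so whether `isn_last_reseed == 0` can recur after the first seeding cannot be told from here. The same line appears in the matching hunk of sys/netinet/tcp_timewait.c.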
diff --git a/sys/netinet/tcp_timewait.c b/sys/netinet/tcp_timewait.c
index 63af863..13d8300 100644
--- a/sys/netinet/tcp_timewait.c
+++ b/sys/netinet/tcp_timewait.c
@@ -140,10 +140,6 @@ static int icmp_may_rst = 1;
SYSCTL_INT(_net_inet_tcp, OID_AUTO, icmp_may_rst, CTLFLAG_RW, &icmp_may_rst, 0,
"Certain ICMP unreachable messages may abort connections in SYN_SENT");
-static int tcp_strict_rfc1948 = 0;
-SYSCTL_INT(_net_inet_tcp, OID_AUTO, strict_rfc1948, CTLFLAG_RW,
- &tcp_strict_rfc1948, 0, "Determines if RFC1948 is followed exactly");
-
static int tcp_isn_reseed_interval = 0;
SYSCTL_INT(_net_inet_tcp, OID_AUTO, isn_reseed_interval, CTLFLAG_RW,
&tcp_isn_reseed_interval, 0, "Seconds between reseeding of ISN secret");
@@ -1133,12 +1129,8 @@ tcp6_ctlinput(cmd, sa, d)
* 1. In SYN-ACK packets.
* 2. In SYN packets.
*
- * The ISNs in SYN-ACK packets have no monotonicity requirement,
- * and should be as unpredictable as possible to avoid the possibility
- * of spoofing and/or connection hijacking. To satisfy this
- * requirement, SYN-ACK ISNs are generated via the arc4random()
- * function. If exact RFC 1948 compliance is requested via sysctl,
- * these ISNs will be generated just like those in SYN packets.
+ * All ISNs for SYN-ACK packets are generated by the syncache. See
+ * tcp_syncache.c for details.
*
* The ISNs in SYN packets must be monotonic; TIME_WAIT recycling
* depends on this property. In addition, these ISNs should be
@@ -1146,9 +1138,6 @@ tcp6_ctlinput(cmd, sa, d)
* the requirements of this situation, the algorithm outlined in
* RFC 1948 is used to generate sequence numbers.
*
- * For more information on the theory of operation, please see
- * RFC 1948.
- *
* Implementation details:
*
* Time is based off the system timer, and is corrected so that it
@@ -1156,17 +1145,10 @@ tcp6_ctlinput(cmd, sa, d)
* recycling on high speed LANs while still leaving over an hour
* before rollover.
*
- * Two sysctls control the generation of ISNs:
- *
* net.inet.tcp.isn_reseed_interval controls the number of seconds
* between seeding of isn_secret. This is normally set to zero,
* as reseeding should not be necessary.
*
- * net.inet.tcp.strict_rfc1948 controls whether RFC 1948 is followed
- * strictly. When strict compliance is requested, reseeding is
- * disabled and SYN-ACKs will be generated in the same manner as
- * SYNs. Strict mode is disabled by default.
- *
*/
#define ISN_BYTES_PER_SECOND 1048576
@@ -1182,14 +1164,8 @@ tcp_new_isn(tp)
u_int32_t md5_buffer[4];
tcp_seq new_isn;
- /* Use arc4random for SYN-ACKs when not in exact RFC1948 mode. */
- if (((tp->t_state == TCPS_LISTEN) || (tp->t_state == TCPS_TIME_WAIT))
- && tcp_strict_rfc1948 == 0)
- return arc4random();
-
/* Seed if this is the first use, reseed if requested. */
- if ((isn_last_reseed == 0) ||
- ((tcp_strict_rfc1948 == 0) && (tcp_isn_reseed_interval > 0) &&
+ if ((isn_last_reseed == 0) || ((tcp_isn_reseed_interval > 0) &&
(((u_int)isn_last_reseed + (u_int)tcp_isn_reseed_interval*hz)
< (u_int)ticks))) {
read_random(&isn_secret, sizeof(isn_secret));