

[src/trunk]: src/sys/netinet Don't overexpose tcp_iss_secret and don't bother...



details:   https://anonhg.NetBSD.org/src/rev/e85f84bc1687
branches:  trunk
changeset: 338248:e85f84bc1687
user:      kefren <kefren%NetBSD.org@localhost>
date:      Sat May 16 10:09:20 2015 +0000

description:
Don't overexpose tcp_iss_secret and don't bother computing it unless
RFC1948 compliance is activated

diffstat:

 sys/netinet/tcp_subr.c |  27 ++++++++++++++-------------
 1 files changed, 14 insertions(+), 13 deletions(-)

diffs (62 lines):

diff -r 43afe3e934d7 -r e85f84bc1687 sys/netinet/tcp_subr.c
--- a/sys/netinet/tcp_subr.c    Sat May 16 09:39:47 2015 +0000
+++ b/sys/netinet/tcp_subr.c    Sat May 16 10:09:20 2015 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: tcp_subr.c,v 1.260 2015/04/27 02:59:44 ozaki-r Exp $   */
+/*     $NetBSD: tcp_subr.c,v 1.261 2015/05/16 10:09:20 kefren Exp $    */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -91,7 +91,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: tcp_subr.c,v 1.260 2015/04/27 02:59:44 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: tcp_subr.c,v 1.261 2015/05/16 10:09:20 kefren Exp $");
 
 #include "opt_inet.h"
 #include "opt_ipsec.h"
@@ -2189,7 +2189,6 @@
 }
 
 tcp_seq         tcp_iss_seq = 0;       /* tcp initial seq # */
-u_int8_t tcp_iss_secret[16];   /* 128 bits; should be plenty */
 
 /*
  * Get a new sequence value given a tcp control block
@@ -2227,23 +2226,25 @@
 {
        tcp_seq tcp_iss;
 
+       /* RFC1948 specifics */
        static bool tcp_iss_gotten_secret;
-
-       /*
-        * If we haven't been here before, initialize our cryptographic
-        * hash secret.
-        */
-       if (tcp_iss_gotten_secret == false) {
-               cprng_strong(kern_cprng,
-                            tcp_iss_secret, sizeof(tcp_iss_secret), 0);
-               tcp_iss_gotten_secret = true;
-       }
+       static u_int8_t tcp_iss_secret[16];     /* 128 bits; should be plenty */
 
        if (tcp_do_rfc1948) {
                MD5_CTX ctx;
                u_int8_t hash[16];      /* XXX MD5 knowledge */
 
                /*
+                * If we haven't been here before, initialize our cryptographic
+                * hash secret.
+                */
+               if (tcp_iss_gotten_secret == false) {
+                       cprng_strong(kern_cprng,
+                           tcp_iss_secret, sizeof(tcp_iss_secret), 0);
+                       tcp_iss_gotten_secret = true;
+               }
+
+               /*
                 * Compute the base value of the ISS.  It is a hash
                 * of (saddr, sport, daddr, dport, secret).
                 */
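Review bot: The first-use initialization of the now function-local `tcp_iss_secret` is an unsynchronized check-then-set on `tcp_iss_gotten_secret`: two callers of tcp_new_iss1() entering the `tcp_do_rfc1948` branch concurrently could both see the flag clear and both call cprng_strong(), so one of them may hash over a secret that is being rewritten underneath it. Whether that is reachable depends on what lock tcp_new_iss1() runs under, which the hunk does not show; if the caller's TCP/softnet lock already serialises it, a comment saying so would settle it, e.g. `/* Lazy init is safe only because callers hold the TCP lock. */`. Separately, the secret is still drawn exactly once per boot and never rotated, which RFC 1948 suggests doing occasionally; that predates this change, but a `/* XXX secret is never rotated after first use */` next to the `tcp_iss_gotten_secret = true;` line would keep it from reading as a deliberate design choice. tcp_new_iss1() begins before and continues after this hunk.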


