authorMike Belopuhov <mikeb@cvs.openbsd.org>2017-12-07 16:52:22 +0000
committerMike Belopuhov <mikeb@cvs.openbsd.org>2017-12-07 16:52:22 +0000
commita65a73bf9fb2c4a62220179eadff936c6e787a48 (patch)
tree167bce5dfabbefb9e212d85b7c22ac117b6d7235 /sys/netinet
parent1041e475758d44444aa942995a8e7e8570acaa0a (diff)
Initialize tcp_secret in tcp_init
The initialization of a secret SHA256 context for generating TCP initial sequence numbers is moved out of tcp_set_iss_tsm used to set up ISN for new connections and into tcp_init, sparing the need for a global flag. OK deraadt, visa, mpi
Diffstat (limited to 'sys/netinet')
-rw-r--r--sys/netinet/tcp_subr.c18
1 files changed, 8 insertions, 10 deletions
diff --git a/sys/netinet/tcp_subr.c b/sys/netinet/tcp_subr.c
index 50f9b7872f0..67e8c1a80a1 100644
--- a/sys/netinet/tcp_subr.c
+++ b/sys/netinet/tcp_subr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tcp_subr.c,v 1.166 2017/10/22 14:11:34 mikeb Exp $ */
+/* $OpenBSD: tcp_subr.c,v 1.167 2017/12/07 16:52:21 mikeb Exp $ */
/* $NetBSD: tcp_subr.c,v 1.22 1996/02/13 23:44:00 christos Exp $ */
/*
@@ -125,6 +125,9 @@ struct pool tcpqe_pool;
struct pool sackhl_pool;
struct cpumem *tcpcounters; /* tcp statistics */
+
+u_char tcp_secret[16];
+SHA2_CTX tcp_secret_ctx;
tcp_seq tcp_iss;
/*
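Review bot: The two definitions added here keep external linkage, yet the only users visible in this diff are tcp_init and tcp_set_iss_tsm in this same file, so `static u_char tcp_secret[16];` and `static SHA2_CTX tcp_secret_ctx;` would be the expected form unless another file references them (cannot be confirmed from this hunk). A one-line comment at the declaration would also help a reader who meets them before reaching tcp_init, e.g. `/* RFC 1948 ISN secret; hashed once into tcp_secret_ctx by tcp_init(), copied per connection by tcp_set_iss_tsm() */`. The file-scope run continues past the hunk.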
@@ -145,6 +148,10 @@ tcp_init(void)
in_pcbinit(&tcbtable, TCB_INITIAL_HASH_SIZE);
tcpcounters = counters_alloc(tcps_ncounters);
+ arc4random_buf(tcp_secret, sizeof(tcp_secret));
+ SHA512Init(&tcp_secret_ctx);
+ SHA512Update(&tcp_secret_ctx, tcp_secret, sizeof(tcp_secret));
+
#ifdef INET6
/*
* Since sizeof(struct ip6_hdr) > sizeof(struct ip), we
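Review bot: After this change the raw secret bytes in tcp_secret are consumed only by the SHA512Update on the following line and are never read again (tcp_set_iss_tsm works from a copy of tcp_secret_ctx), so the global array no longer needs to exist: make it a local `u_char secret[16];` in tcp_init and add `explicit_bzero(secret, sizeof(secret));` right after the SHA512Update. The benefit is limited to removing one named long-lived copy, since a SHA-512 context presumably still buffers the 16 unprocessed bytes internally, so the note should not claim the secret is gone from memory. It would also be worth a comment that the secret is drawn once at boot and never rotated for the lifetime of the kernel, e.g. `/* ISN secret is fixed for the kernel's lifetime; rotating it would break the per-4-tuple monotonicity RFC 1948 relies on */`. tcp_init's body continues outside the hunk.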
@@ -903,9 +910,6 @@ tcp_mtudisc_increase(struct inpcb *inp, int errno)
* Generate new ISNs with a method based on RFC1948
*/
#define TCP_ISS_CONN_INC 4096
-int tcp_secret_init;
-u_char tcp_secret[16];
-SHA2_CTX tcp_secret_ctx;
void
tcp_set_iss_tsm(struct tcpcb *tp)
@@ -917,12 +921,6 @@ tcp_set_iss_tsm(struct tcpcb *tp)
} digest;
u_int rdomain = rtable_l2(tp->t_inpcb->inp_rtableid);
- if (tcp_secret_init == 0) {
- arc4random_buf(tcp_secret, sizeof(tcp_secret));
- SHA512Init(&tcp_secret_ctx);
- SHA512Update(&tcp_secret_ctx, tcp_secret, sizeof(tcp_secret));
- tcp_secret_init = 1;
- }
ctx = tcp_secret_ctx;
SHA512Update(&ctx, &rdomain, sizeof(rdomain));
SHA512Update(&ctx, &tp->t_inpcb->inp_lport, sizeof(u_short));
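Review bot: With the lazy-init block gone, `ctx = tcp_secret_ctx;` is the only line tying this function to the secret, and nothing says where that context is set up or why it is copied rather than used directly; a comment such as `/* copy the secret-keyed context seeded in tcp_init(); the shared one is never advanced */` would make the per-connection use self-explanatory. The function reaches the secret solely through this copy, which is what makes removing the init flag safe, and that is worth stating at the point of use. tcp_set_iss_tsm's body continues beyond the hunk.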