Important changes to repositories hosted on mbed.com
Mbed hosted mercurial repositories are deprecated and are due to be permanently deleted in July 2026.
To keep a copy of this software download the repository Zip archive or clone locally using Mercurial.
It is also possible to export all your personal repositories from the account settings page.
Dependents: TYBLE16_simple_data_logger TYBLE16_MP3_Air
lwip_tcp_isn.c
00001 /** 00002 * @file 00003 * 00004 * Reference implementation of the TCP ISN algorithm standardized in RFC 6528. 00005 * Produce TCP Initial Sequence Numbers by combining an MD5-generated hash 00006 * based on the new TCP connection's identity and a stable secret, with the 00007 * current time at 4-microsecond granularity. 00008 * 00009 * Specifically, the implementation uses MD5 to compute a hash of the input 00010 * buffer, which contains both the four-tuple of the new TCP connection (local 00011 * and remote IP address and port), as well as a 16-byte secret to make the 00012 * results unpredictable to external parties. The secret must be given at 00013 * initialization time and should ideally remain the same across system 00014 * reboots. To be sure: the spoofing-resistance of the resulting ISN depends 00015 * mainly on the strength of the supplied secret! 00016 * 00017 * The implementation takes 32 bits from the computed hash, and adds to it the 00018 * current time, in 4-microsecond units. The current time is computed from a 00019 * boot time given at initialization, and the current uptime as provided by 00020 * sys_now(). Thus, it assumes that sys_now() returns a time value that is 00021 * relative to the boot time, i.e., that it starts at 0 at system boot, and 00022 * only ever increases monotonically. 00023 * 00024 * For efficiency reasons, a single MD5 input buffer is used, and partially 00025 * filled in at initialization time. Specifically, of this 64-byte buffer, the 00026 * first 36 bytes are used for the four-way TCP tuple data, followed by the 00027 * 16-byte secret, followed by 12-byte zero padding. The 64-byte size of the 00028 * buffer should achieve the best performance for the actual MD5 computation. 00029 * 00030 * Basic usage: 00031 * 00032 * 1. in your lwipopts.h, add the following lines: 00033 * 00034 * #include <lwip/arch.h> 00035 * struct ip_addr; 00036 * u32_t lwip_hook_tcp_isn(const struct ip_addr *local_ip, u16_t local_port, 00037 * const struct ip_addr *remote_ip, u16_t remote_port); 00038 * "#define LWIP_HOOK_TCP_ISN lwip_hook_tcp_isn"; 00039 * 00040 * 2. from your own code, call lwip_init_tcp_isn() at initialization time, with 00041 * appropriate parameters. 00042 */ 00043 00044 /* 00045 * Copyright (c) 2016 The MINIX 3 Project. 00046 * All rights reserved. 00047 * 00048 * Redistribution and use in source and binary forms, with or without modification, 00049 * are permitted provided that the following conditions are met: 00050 * 00051 * 1. Redistributions of source code must retain the above copyright notice, 00052 * this list of conditions and the following disclaimer. 00053 * 2. Redistributions in binary form must reproduce the above copyright notice, 00054 * this list of conditions and the following disclaimer in the documentation 00055 * and/or other materials provided with the distribution. 00056 * 3. The name of the author may not be used to endorse or promote products 00057 * derived from this software without specific prior written permission. 00058 * 00059 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED 00060 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF 00061 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT 00062 * SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, 00063 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT 00064 * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 00065 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 00066 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 00067 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY 00068 * OF SUCH DAMAGE. 00069 * 00070 * Author: David van Moolenbroek <david@minix3.org> 00071 */ 00072 00073 #include "lwip/opt.h" 00074 #include "lwip/ip_addr.h" 00075 #include "lwip/sys.h" 00076 #include <string.h> 00077 00078 #if !LWIP_USE_EXTERNAL_MBEDTLS 00079 00080 #include "polarssl/md5.h" 00081 00082 #define MD5_context md5_context 00083 #define MD5_init(context) 00084 #define MD5_starts md5_starts 00085 #define MD5_update md5_update 00086 #define MD5_finish md5_finish 00087 #define MD5_free(context) 00088 00089 #endif /* !LWIP_USE_EXTERNAL_MBEDTLS */ 00090 00091 /* 00092 * Map hashes and ciphers functions to mbed TLS 00093 */ 00094 #if LWIP_USE_EXTERNAL_MBEDTLS 00095 00096 #include "mbedtls/md5.h" 00097 00098 #define MD5_context mbedtls_md5_context 00099 #define MD5_init mbedtls_md5_init 00100 #define MD5_starts mbedtls_md5_starts 00101 #define MD5_update mbedtls_md5_update 00102 #define MD5_finish mbedtls_md5_finish 00103 #define MD5_free mbedtls_md5_free 00104 00105 #endif /* LWIP_USE_EXTERNAL_MBEDTLS */ 00106 00107 static u8_t input[64]; 00108 static u32_t base_time; 00109 00110 /** 00111 * Initialize the TCP ISN module, with the boot time and a secret. 00112 * 00113 * @param boot_time Wall clock boot time of the system, in seconds. 00114 * @param secret_16_bytes A 16-byte secret used to randomize the TCP ISNs. 00115 */ 00116 void 00117 lwip_init_tcp_isn(u32_t boot_time, const u8_t *secret_16_bytes) 00118 { 00119 /* Initialize the input buffer with the secret and trailing zeroes. */ 00120 memset(input, 0, sizeof(input)); 00121 00122 MEMCPY(&input[36], secret_16_bytes, 16); 00123 00124 /* Save the boot time in 4-us units. Overflow is no problem here. */ 00125 base_time = boot_time * 250000; 00126 } 00127 00128 /** 00129 * Hook to generate an Initial Sequence Number (ISN) for a new TCP connection. 00130 * 00131 * @param local_ip The local IP address. 00132 * @param local_port The local port number, in host-byte order. 00133 * @param remote_ip The remote IP address. 00134 * @param remote_port The remote port number, in host-byte order. 00135 * @return The ISN to use for the new TCP connection. 00136 */ 00137 00138 u32_t 00139 lwip_hook_tcp_isn(const void *local_ip_ptr, u16_t local_port, 00140 const void *remote_ip_ptr, u16_t remote_port) 00141 { 00142 MD5_context ctx; 00143 u8_t output[16]; 00144 u32_t isn; 00145 const ip_addr_t *local_ip = local_ip_ptr; 00146 const ip_addr_t *remote_ip = remote_ip_ptr; 00147 00148 #if LWIP_IPV4 && LWIP_IPV6 00149 if (IP_IS_V6(local_ip)) 00150 #endif /* LWIP_IPV4 && LWIP_IPV6 */ 00151 #if LWIP_IPV6 00152 { 00153 const ip6_addr_t *local_ip6, *remote_ip6; 00154 00155 local_ip6 = ip_2_ip6(local_ip); 00156 remote_ip6 = ip_2_ip6(remote_ip); 00157 00158 SMEMCPY(&input[0], &local_ip6->addr, 16); 00159 SMEMCPY(&input[16], &remote_ip6->addr, 16); 00160 } 00161 #endif /* LWIP_IPV6 */ 00162 #if LWIP_IPV4 && LWIP_IPV6 00163 else 00164 #endif /* LWIP_IPV4 && LWIP_IPV6 */ 00165 #if LWIP_IPV4 00166 { 00167 const ip4_addr_t *local_ip4, *remote_ip4; 00168 00169 local_ip4 = ip_2_ip4(local_ip); 00170 remote_ip4 = ip_2_ip4(remote_ip); 00171 00172 /* Represent IPv4 addresses as IPv4-mapped IPv6 addresses, to ensure that 00173 * the IPv4 and IPv6 address spaces are completely disjoint. */ 00174 memset(&input[0], 0, 10); 00175 input[10] = 0xff; 00176 input[11] = 0xff; 00177 SMEMCPY(&input[12], &local_ip4->addr, 4); 00178 memset(&input[16], 0, 10); 00179 input[26] = 0xff; 00180 input[27] = 0xff; 00181 SMEMCPY(&input[28], &remote_ip4->addr, 4); 00182 } 00183 #endif /* LWIP_IPV4 */ 00184 00185 input[32] = local_port >> 8; 00186 input[33] = local_port & 0xff; 00187 input[34] = remote_port >> 8; 00188 input[35] = remote_port & 0xff; 00189 00190 /* The secret and padding are already filled in. */ 00191 /* Generate the hash, using MD5. */ 00192 MD5_init(&ctx); 00193 MD5_starts(&ctx); 00194 MD5_update(&ctx, input, sizeof(input)); 00195 MD5_finish(&ctx, output); 00196 MD5_free(&ctx); 00197 00198 /* Arbitrarily take the first 32 bits from the generated hash. */ 00199 MEMCPY(&isn, output, sizeof(isn)); 00200 00201 /* Add the current time in 4-microsecond units. */ 00202 return isn + base_time + sys_now() * 250; 00203 }
Generated on Tue Jul 12 2022 13:54:30 by
