Commit d8f28141 authored by ROOL

Strip out insecure T/TCP support

Detail:
  RFC6247 moved T/TCP to historic status due to security concerns; this change actively removes the code (where previously we disabled it through sysctl).

  headers/netinet/tcp_var.h: remove T/TCP support (per FreeBSD revision 137139).
  headers/netinet/tcp.h: remove T/TCP support (per FreeBSD revision 137139).
  headers/netinet/tcp_seq.h: remove T/TCP support (per FreeBSD revision 137139).
  LibraryDoc: removed references to T/TCP, updated MIB variables section, added
              socketstat() and fstat() details.
Admin:
  Submission for TCP/IP bounty.

Version 5.64. Tagged as 'TCPIPLibs-5_64'
parent 65949659
Acorn TCP/IP libraries version 5.47
Acorn TCP/IP libraries version 5.64
-----------------------------------
These libraries are an update to the libraries described in chapter 123 of the PRM
......@@ -32,12 +32,12 @@ have changed. Notably a struct sockaddr now has a length field, and the msghdr
structure has changed. The potential compatibility problems arising from this
are solved as follows:
1) All previously existing Internet SWIs will accept both old and new
style structures as parameters.
2) All previously existing Internet SWIs will return only old-style
structures.
3) There are a set of new SWIs providing alternate forms of calls that
return new-style structures.
1) All previously existing Internet SWIs will accept both old and new
style structures as parameters.
2) All previously existing Internet SWIs will return only old-style
structures.
3) There are a set of new SWIs providing alternate forms of calls that
return new-style structures.
Now, if you define COMPAT_INET4 (using the -D option of the compiler), the
header files will define struct sockaddr etc. in the old way, and your code will
......@@ -459,7 +459,7 @@ A socket operation may fail with one of the following errors returned:
[EADDRNOTAVAIL] when an attempt is made to create a socket with a
network address for which no network interface exists.
[EACESS] when an attempt is made to create a raw IP socket by a
[EACCES] when an attempt is made to create a raw IP socket by a
non-privileged process.
The following errors specific to IP may occur when setting or getting IP
......@@ -502,8 +502,7 @@ sockets are created active; to create a passive socket the listen
socket call must be used after binding the socket with the bind system
call. Only passive sockets may use the accept call to accept incoming
connections. Only active sockets may use the connect call to initiate
connections. TCP also supports a more datagram-like mode, called
Transaction TCP, which is described in TTCP.
connections.
Passive sockets may 'underspecify' their location to match incoming
connection requests from multiple networks. This technique, termed
......@@ -543,12 +542,10 @@ TCP_NOOPT TCP usually sends a number of options in each packet,
TCP_NOPUSH By convention, the sender-TCP will set the 'push' bit and
begin transmission immediately (if permitted) at the end of
every user call to socketwrite or socketwritev. The TCP_NOPUSH
option is provided to allow servers to easily make use of
Transaction TCP (see TTCP). When the option is set to a
non-zero value, TCP will delay sending any data at all until
either the socket is closed, or the internal send buffer is
filled.
every user call to socketwrite or socketwritev. When this
option is set to a non-zero value, TCP will delay sending any
data at all until either the socket is closed, or the internal
send buffer is filled.
The option level for the setsockopt call is the protocol number for
TCP, available from getprotobyname, or IPPROTO_TCP. All options are
......@@ -561,18 +558,44 @@ reverse source route is used in responding.
MIB variables
-------------
The TCP protocol implements three variables in the net.inet branch of the
The TCP protocol implements thirteen variables in the net.inet branch of the
sysctl MIB.
TCPCTL_DO_RFC1323 (tcp.rfc1323) Implement the window scaling and time-
stamp options of RFC 1323 (default true).
tcp.rfc1323 Implement the window scaling and time-
stamp options of RFC 1323 (default true).
tcp.mssdflt The default value used for the maximum
segment size ('MSS') when no advice to the contrary
is received from MSS negotiation.
TCPCTL_DO_RFC1644 (tcp.rfc1644) Implement Transaction TCP, as described
in RFC 1644.
tcp.minmss The smallest acceptable maximum segment size ('MSS')
that will be used. Set to 0 to disable.
tcp.rttdflt The value of the default maximum TCP Round Trip Time.
TCPCTL_MSSDFLT (tcp.mssdflt) The default value used for the maximum
segment size ('MSS') when no advice to the contrary
is received from MSS negotiation.
tcp.sendspace The default maximum send and receive window sizes,
tcp.recvspace respectively
tcp.keepidle Amount of time, in milliseconds, that the connection must
be idle before keepalive probes (if enabled) are sent.
tcp.keepintvl The interval, in milliseconds, between keepalive probes sent
to remove machines, when no response is received on a keepidle
probe. After TCPTV_KEEPCNT (default 8) probes are sent, with
no response, the connection is dropped.
tcp.keepinit Timeout, in milliseconds, for new, non-established TCP
connections.
tcp.always_keepalive Assume that SO_KEEPALIVE is set on all TCP connections,
the kernel will periodically send a packet to the remote
host to verify the connection is still up.
tcp.pcbcount The number of active process control blocks (read-only).
tcp.path_mtu_discovery Enable Path MTU Discovery when non-zero.
tcp.delayed_ack Delay ACK to try and piggyback it onto a data packet.
Diagnostics
-----------
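Review bot: In the new tcp.keepintvl entry "remove machines" should read "remote machines", and tcp.pcbcount speaks of "process control blocks" where the structures being counted are protocol control blocks. tcp.rttdflt gives no unit although the keepalive entries all state milliseconds, and the tcp.sendspace / tcp.recvspace line ends without a full stop. The tcp.always_keepalive text is a comma splice; "Assume that SO_KEEPALIVE is set on all TCP connections, so that the kernel periodically sends a packet ..." reads better.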
......@@ -607,135 +630,6 @@ See also
"TCP Extensions for High Performance", RFC 1323, V. Jacobson, R. Braden,
and D. Borman
"T/TCP - TCP Extensions for Transactions", RFC 1644, R. Braden
TTCP
====
Name
----
TTCP - Transmission Control Protocol Extensions for Transactions
Synopsis
--------
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
int setsockopt(sock, IPPROTO_TCP, TCP_NOPUSH, &One, sizeof One)
int sendto(sock, msg, len, MSG_EOF, &sin, sizeof sin)
int sendto(sock, msg, len, MSG_EOF, 0, 0)
Description
-----------
T/TCP refers to a set of extensions to the TCP protocol (see TCP)
which permit hosts to reliably exchange a small amount of data in a two-
packet exchange, thus eliminating the extra round-trip delays inherent in
a standard TCP connection. The socket interface includes modifications
to support T/TCP, detailed here for the specific case, and in the
socket and send manual pages for the protocol-independent support.
T/TCP is defined in RFC 1644.
The T/TCP extensions work by including certain options in all segments of
a particular connection, which enable the implementation to avoid the
three-way handshake for all but the first connection between a pair of
hosts. These same options also make it possible to more reliably
recognize old, duplicate packets, which in turn reduces the amount of
time the TCP protocol must maintain state after a connection closes. The
net.inet.tcp.rfc1644 MIB variable can be used to disable T/TCP
negotiation at run time; however, the protocol has been designed to
ensure that attempts by non-T/TCP systems to communicate with T/TCP-
enhanced ones automatically degenerate into standard TCP.
Transaction model
-----------------
The expected model of a "transaction" as used by T/TCP is a fairly simple
one:
1) A client program generates a request to be sent to the server, which
is small enough to fit in a single TCP segment, and sends a SYN PUSH
FIN segment with options and data to the server.
2) The server program accepts the request in the same manner as for
regular TCP connections, interprets it, and generates a reply which
may be small enough to fit in a single segment. If it is, the reply
is sent in a single SYN PUSH FIN ACK segment with (different) options
and data back to the client. If not, then the connection degenerates
into (almost) the usual case for TCP.
Client support
--------------
Support on the client side is provided by extending the semantics of the
sendto and sendmsg system calls to understand the notion of implied
connect and send and shutdown. To send the request in a transaction, the
sendto system call is typically used, as in the following example:
char request[REQ_LEN];
struct sockaddr_in sin;
int sock, req_len;
sock = socket(PF_INET, SOCK_STREAM, 0);
/* prepare request[] and sin */
err = sendto(sock, request, req_len, MSG_EOF,
(struct sockaddr *)&sin, sin.sin_len);
/* do something if error */
req_len = socketread(sock, request, sizeof request);
socketclose(sock);
/* do something with the reply */
Note that, after the call to sendto, the socket is now in the same state
as if the connect and shutdown system calls had been used. That is
to say, the only reasonable operations to perform on this socket are
socketread and socketclose. (Because the client's TCP sender is already shut
down, it is not possible to connect this socket to another destination.)
Server support
--------------
There are two different options available for servers using T/TCP:
1) Set the TCP_NOPUSH socket option, and use normal socketwrite calls when
formulating the response.
2) Use sendto with the MSG_EOF flag, as in the client, but with the
destination unspecified.
The first option is generally the appropriate choice when converting
existing servers to use T/TCP extensions; simply add a call to
setsockopt(sock, IPPROTO_TCP, TCP_NOPUSH, &One, sizeof One) (where One is
an integer variable with a non-zero value). The server socket must be
closed before any data is sent (unless the socket buffers fill up).
The second option is preferable for new servers, and is sometimes easy
enough to retrofit into older servers. In this case, where the reply
phase would ordinarily have included a call to socketwrite, one substitutes
sendto(sock, reply_buf, reply_len, MSG_EOF, (struct sockaddr *)0, 0). In
this case, the reply is sent immediately, but as in the client case, the
socket is no lnoger useful for anything and should be immediately closed.
MIB variables
-------------
The T/TCP extensions require the net.inet.tcp.rfc1323 and
net.inet.tcp.rfc1644 MIB variables to both be true in order for the
appropriate TCP options to be sent. See tcp(4) for more information.
See also
--------
R. Braden, "T/TCP - TCP Extensions for Transactions", RFC 1644
History
-------
Support for T/TCP first appeared in Internet 5.00.
*****************
* LIBRARY CALLS *
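Review bot: The deleted TTCP section was where this document described MSG_EOF on sendto and the implied connect-and-shutdown behaviour, and nothing in the remaining text says what the stack does now when a caller still passes MSG_EOF on an unconnected stream socket. Since the T/TCP path is being removed rather than switched off through sysctl, add a sentence to the TCP section or the send call documentation stating whether the flag is rejected or ignored, so that clients written from the removed example know what to expect.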
......@@ -925,7 +819,7 @@ __progname containing the name of the program.
If the fmt argument is not NULL, the formatted error message, a colon
character, and a space are output. In the case of the err, verr, warn, and
vwarn functions, the error message string affiliated with the last error from
socklib (as obtained by the _inet_err function) is output. In all cases, the
Socklib (as obtained by the _inet_err function) is output. In all cases, the
output is followed by a newline character.
The err, verr, errx, and verrx functions do not return, but exit with the value
......@@ -996,7 +890,22 @@ Unixlib
FSTAT
=====
New prototype: int fstat(int s, struct stat *buf);
Name
----
fstat - get file status
Synopsis
--------
int fstat(int s, struct stat *buf);
See also
--------
socketstat
Exported by
-----------
Unixlib
GETEGID
=======
......@@ -1644,6 +1553,33 @@ SOCKETREAD
New prototypes: int socketread(int s, void *buf, unsigned int len);
int socketreadv(int s, const struct iovec *iov, int iovcnt);
SOCKETSTAT
==========
Name
----
socketstat - get socket status
Synopsis
--------
int socketstat(int s, struct stat *buf);
Description
-----------
The only meaningful fields of the status structure filled in when stat() is
applied to a socket are st_mode and st_blksize.
st_mode equals S_IFSOCK if the descriptor given is recognised as a socket
descriptor.
st_blksize gives the preferred send buffer size to use for the
protocol (or 0 if unknown) which can improve performance by
reducing fragmentation.
Exported by
-----------
Socklib
SOCKETWRITE
===========
New prototypes: int socketwrite(int s, const void *buf, unsigned int len);
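Review bot: The SOCKETSTAT description says "when stat() is applied to a socket", but the call documented here is socketstat() and the one cross-referenced from FSTAT is fstat(); name the actual function. The entry also gives no return value or error reporting, and the Synopsis lists no header for struct stat and S_IFSOCK. A "See also" pointing back to fstat would mirror the new FSTAT entry.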
......@@ -1885,7 +1821,6 @@ PF_INET Get or set various global information about the internet protocols.
igmp stats structure no
igmp forceleave integer yes
tcp rfc1323 integer yes
tcp rfc1644 integer yes
tcp mssdflt integer yes
tcp stats structure no
tcp rttdflt integer yes
......@@ -1902,7 +1837,7 @@ PF_INET Get or set various global information about the internet protocols.
[protocol].stats Returns a structure giving internal statistics for
the specified protocol. This is for the use
of the InetStat only.
of the InetStat utility only.
ip.forwarding Returns 1 when IP forwarding is enabled for the host,
meaning that the host is acting as a router.
......@@ -2256,7 +2191,6 @@ appropriate action; for example the DHCP module might remove our IP address,
send a DHCPDECLINE message and go back into the DHCP INIT state.
********
* SWIS *
********
......@@ -2300,6 +2234,7 @@ Socket_Sendmsg_1 &4121E nsendmsg
Socket_Sysctl &4121A sysctl
Socket_Version &41222 socketversion
**********************
* THE INTERNET EVENT *
**********************
......
/* (5.63)
/* (5.64)
*
* This file is automatically maintained by srccommit, do not edit manually.
* Last processed by srccommit version: 1.1.
*
*/
#define Module_MajorVersion_CMHG 5.63
#define Module_MajorVersion_CMHG 5.64
#define Module_MinorVersion_CMHG
#define Module_Date_CMHG 13 Jan 2018
#define Module_Date_CMHG 28 Apr 2018
#define Module_MajorVersion "5.63"
#define Module_Version 563
#define Module_MajorVersion "5.64"
#define Module_Version 564
#define Module_MinorVersion ""
#define Module_Date "13 Jan 2018"
#define Module_Date "28 Apr 2018"
#define Module_ApplicationDate "13-Jan-18"
#define Module_ApplicationDate "28-Apr-18"
#define Module_ComponentName "TCPIPLibs"
#define Module_ComponentPath "mixed/RiscOS/Sources/Lib/TCPIPLibs"
#define Module_FullVersion "5.63"
#define Module_HelpVersion "5.63 (13 Jan 2018)"
#define Module_LibraryVersionInfo "5:63"
#define Module_FullVersion "5.64"
#define Module_HelpVersion "5.64 (28 Apr 2018)"
#define Module_LibraryVersionInfo "5:64"
......@@ -37,7 +37,6 @@
#define _NETINET_TCP_H_
typedef u_int32_t tcp_seq;
typedef u_int32_t tcp_cc; /* connection count per rfc1644 */
/*
* TCP header.
......@@ -85,14 +84,6 @@ struct tcphdr {
#define TCPOPT_TSTAMP_HDR \
(TCPOPT_NOP<<24|TCPOPT_NOP<<16|TCPOPT_TIMESTAMP<<8|TCPOLEN_TIMESTAMP)
#define TCPOPT_CC 11 /* CC options: RFC-1644 */
#define TCPOPT_CCNEW 12
#define TCPOPT_CCECHO 13
#define TCPOLEN_CC 6
#define TCPOLEN_CC_APPA (TCPOLEN_CC+2)
#define TCPOPT_CC_HDR(ccopt) \
(TCPOPT_NOP<<24|TCPOPT_NOP<<16|(ccopt)<<8|TCPOLEN_CC)
/*
* Default maximum segment size for TCP.
* With an IP MSS of 576, this is 536,
......@@ -104,6 +95,15 @@ struct tcphdr {
#else
#define TCP_MSS 512
#endif
/*
* TCP_MINMSS is defined to be 216 which is fine for the smallest
* link MTU (256 bytes, AX.25 packet radio) in the Internet.
* However it is very unlikely to come across such low MTU interfaces
* these days (anno dato 2003).
* See tcp_subr.c tcp_minmss SYSCTL declaration for more comments.
* Setting this to "0" disables the minmss check.
*/
#define TCP_MINMSS 216
#define TCP_MAXWIN 65535 /* largest value for (unscaled) window */
#define TTCP_CLIENT_SND_WND 4096 /* dflt send window for T/TCP client */
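Review bot: TTCP_CLIENT_SND_WND ("dflt send window for T/TCP client") appears as unchanged context directly below the new TCP_MINMSS block, so tcp.h still carries a T/TCP constant after a change described as removing T/TCP support; delete it if nothing references it. Separately, the TCP_MINMSS addition is not part of T/TCP removal and the commit message line for tcp.h does not mention it. Its comment refers to tcp_subr.c, which this commit does not touch, so either say where the check lives in this tree or move the minimum-MSS change into its own commit.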
......
......@@ -78,8 +78,6 @@
/* timestamp wrap-around time */
#ifdef KERNEL
extern tcp_cc tcp_ccgen; /* global connection count */
/*
* Increment for tcp_iss each second.
* This is designed to increment at the standard 250 KB/s,
......
......@@ -67,9 +67,6 @@ struct tcpcb {
#define TF_NEEDSYN 0x00400 /* send SYN (implicit state) */
#define TF_NEEDFIN 0x00800 /* send FIN (implicit state) */
#define TF_NOPUSH 0x01000 /* don't push */
#define TF_REQ_CC 0x02000 /* have/will request CC */
#define TF_RCVD_CC 0x04000 /* a CC was received in SYN */
#define TF_SENDCCNEW 0x08000 /* send CCnew instead of CC in SYN */
#define TF_MORETOCOME 0x10000 /* More data to be appended to sock */
struct tcpiphdr *t_template; /* skeletal packet for transmit */
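Review bot: Removing TF_REQ_CC, TF_RCVD_CC and TF_SENDCCNEW leaves bits 0x02000 to 0x08000 unassigned between TF_NOPUSH (0x01000) and TF_MORETOCOME (0x10000). Add a one-line comment marking them as formerly RFC 1644 and now free, so that a later flag is not given one of these values without someone checking for code built against the old header.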
......@@ -133,9 +130,6 @@ struct tcpcb {
u_long ts_recent; /* timestamp echo data */
u_long ts_recent_age; /* when last updated */
tcp_seq last_ack_sent;
/* RFC 1644 variables */
tcp_cc cc_send; /* send connection count */
tcp_cc cc_recv; /* receive connection count */
u_long t_duration; /* connection duration */
/* More RTT stuff */
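Review bot: Dropping cc_send and cc_recv from the middle of struct tcpcb moves t_duration and every later member, and this header is part of TCPIPLibs. Anything that reads a tcpcb from outside the stack (struct xtcpcb is declared further down this file) has to be rebuilt against 5.64 at the same time. A line in the commit message or LibraryDoc saying the structure layout changed would help.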
......@@ -151,32 +145,10 @@ struct tcpcb {
struct tcpopt {
u_long to_flag; /* which options are present */
#define TOF_TS 0x0001 /* timestamp */
#define TOF_CC 0x0002 /* CC and CCnew are exclusive */
#define TOF_CCNEW 0x0004
#define TOF_CCECHO 0x0008
u_long to_tsval;
u_long to_tsecr;
tcp_cc to_cc; /* holds CC or CCnew */
tcp_cc to_ccecho;
};
/*
* The TAO cache entry which is stored in the protocol family specific
* portion of the route metrics.
*/
struct rmxp_tao {
tcp_cc tao_cc; /* latest CC in valid SYN */
tcp_cc tao_ccsent; /* latest CC sent to peer */
u_short tao_mssopt; /* peer's cached MSS */
#ifdef notyet
u_short tao_flags; /* cache status flags */
#define TAOF_DONT 0x0001 /* peer doesn't understand rfc1644 */
#define TAOF_OK 0x0002 /* peer does understand rfc1644 */
#define TAOF_UNDEF 0 /* we don't know yet */
#endif /* notyet */
};
#define rmx_taop(r) ((struct rmxp_tao *)(r).rmx_filler)
#define intotcpcb(ip) ((struct tcpcb *)(ip)->inp_ppcb)
#define sototcpcb(so) (intotcpcb(sotoinpcb(so)))
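Review bot: struct rmxp_tao also held tao_mssopt ("peer's cached MSS"), which is not a connection-count field, and it is removed together with rmx_taop() and, in a later hunk, tcp_gettaocache(). tcp_mss() is still declared, so the change description should say where the peer's MSS is cached now, or state that it no longer is.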
......@@ -314,7 +286,6 @@ struct xtcpcb {
* Names for TCP sysctl objects
*/
#define TCPCTL_DO_RFC1323 1 /* use RFC-1323 extensions */
#define TCPCTL_DO_RFC1644 2 /* use RFC-1644 extensions */
#define TCPCTL_MSSDFLT 3 /* MSS default */
#define TCPCTL_STATS 4 /* statistics (read-only) */
#define TCPCTL_RTTDFLT 5 /* default RTT estimate */
......@@ -329,7 +300,6 @@ struct xtcpcb {
#define TCPCTL_NAMES { \
{ 0, 0 }, \
{ "rfc1323", CTLTYPE_INT }, \
{ "rfc1644", CTLTYPE_INT }, \
{ "mssdflt", CTLTYPE_INT }, \
{ "stats", CTLTYPE_STRUCT }, \
{ "rttdflt", CTLTYPE_INT }, \
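Review bot: Deleting the { "rfc1644", CTLTYPE_INT } row shifts every later entry of TCPCTL_NAMES down by one, while the previous hunk keeps TCPCTL_MSSDFLT at 3, TCPCTL_STATS at 4 and TCPCTL_RTTDFLT at 5. If anything indexes this table by the TCPCTL_ number, position 3 now yields "stats" instead of "mssdflt". Keep the slot by putting a { 0, 0 } placeholder row where the removed line was, or renumber the identifiers and record the interface change.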
......@@ -350,6 +320,7 @@ extern struct inpcbhead tcb; /* head of queue of active tcpcb's */
extern struct inpcbinfo tcbinfo;
extern struct tcpstat tcpstat; /* tcp statistics */
extern int tcp_mssdflt; /* XXX */
extern int tcp_minmss;
extern u_long tcp_now; /* for RFC 1323 timestamps */
extern u_short tcp_lastport; /* last assigned port */
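Review bot: tcp_minmss is declared here and LibraryDoc now lists tcp.minmss among the thirteen net.inet variables, but no TCPCTL_ identifier or TCPCTL_NAMES row for it appears in the visible hunks, and the PF_INET sysctl table hunk only removes rfc1644 without adding minmss. Add the identifier, the name-table row and the table line, or document how the variable is reached. A short comment on the declaration saying that 0 disables the check would match the TCP_MINMSS comment in tcp.h.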
......@@ -362,8 +333,6 @@ struct tcpcb *
tcp_drop(struct tcpcb *, int);
void tcp_drain(void);
void tcp_fasttimo(void);
struct rmxp_tao *
tcp_gettaocache(struct inpcb *);
void tcp_init(void);
void tcp_input(struct mbuf *, int);
void tcp_mss(struct tcpcb *, int);
......