lwip: provide configuration option to enable TCP ISN hook

2020-10-15 19:10:11 +05:30 · 2020-10-15 19:10:11 +05:30 · 7d226ce542
commit 7d226ce542
--- a/components/lwip/CMakeLists.txt
+++ b/components/lwip/CMakeLists.txt
@ -4,6 +4,7 @@ set(include_dirs
    lwip/src/include
    port/esp32/include
    port/esp32/include/arch
+    port/esp32/tcp_isn
    )

 set(srcs
@ -135,6 +136,10 @@ else()
    list(APPEND srcs "port/esp32/no_vfs_syscalls.c")
 endif()

+if(CONFIG_LWIP_TCP_ISN_HOOK)
+    list(APPEND srcs "port/esp32/tcp_isn/tcp_isn.c")
+endif()
+
 idf_component_register(SRCS "${srcs}"
                    INCLUDE_DIRS "${include_dirs}"
                    LDFRAGMENTS linker.lf
--- a/components/lwip/Kconfig
+++ b/components/lwip/Kconfig
@ -327,6 +327,17 @@ menu "LWIP"

    menu "TCP"

+        config LWIP_TCP_ISN_HOOK
+            bool "Enable TCP ISN Hook"
+            default y
+            help
+                Enables custom TCP ISN hook to randomize initial sequence
+                number in TCP connection. This is recommended as default
+                lwIP implementation (`tcp_next_iss`) is not very strong,
+                as it does not take into consideration any platform
+                specific entropy source.
+
+
        config LWIP_MAX_ACTIVE_TCP
            int "Maximum active TCP Connections"
            range 1 1024
--- a/components/lwip/component.mk
+++ b/components/lwip/component.mk
@ -8,7 +8,8 @@ COMPONENT_ADD_INCLUDEDIRS := \
 	include/apps/sntp \
 	lwip/src/include \
 	port/esp32/include \
-	port/esp32/include/arch
+	port/esp32/include/arch \
+	port/esp32/tcp_isn

 COMPONENT_SRCDIRS := \
 	apps/dhcpserver \
@ -39,6 +40,10 @@ ifdef CONFIG_LWIP_PPP_SUPPORT
    COMPONENT_SRCDIRS += lwip/src/netif/ppp lwip/src/netif/ppp/polarssl
 endif

+ifdef CONFIG_LWIP_TCP_ISN_HOOK
+    COMPONENT_SRCDIRS += port/esp32/tcp_isn
+endif
+
 CFLAGS += -Wno-address  # lots of LWIP source files evaluate macros that check address of stack variables

 lwip/src/netif/ppp/ppp.o: CFLAGS += -Wno-uninitialized
--- a/components/lwip/port/esp32/include/lwipopts.h
+++ b/components/lwip/port/esp32/include/lwipopts.h
@ -420,6 +420,17 @@
 */
 #define LWIP_TCP_RTO_TIME             CONFIG_LWIP_TCP_RTO_TIME

+/**
+ * Set TCP hook for Initial Sequence Number (ISN)
+ */
+#ifdef CONFIG_LWIP_TCP_ISN_HOOK
+#include <lwip/arch.h>
+struct ip_addr;
+u32_t lwip_hook_tcp_isn(const struct ip_addr *local_ip, u16_t local_port,
+                        const struct ip_addr *remote_ip, u16_t remote_port);
+#define LWIP_HOOK_TCP_ISN               lwip_hook_tcp_isn
+#endif
+
 /*
   ----------------------------------
   ---------- Pbuf options ----------