K 10
svn:author
V 6
tuexen
K 8
svn:date
V 27
2019-05-30T16:32:18.802360Z
K 7
svn:log
V 1042
MFC r338053:
Don't expose the uptime via the TCP timestamps.

The TCP client side or the TCP server side when not using SYN-cookies
used the uptime as the TCP timestamp value. This patch uses in all
cases an offset, which is the result of a keyed hash function taking
the source and destination addresses and port numbers into account.
The keyed hash function is the same as used for the initial TSN.

The use of
VNET_DEFINE_STATIC(u_char, ts_offset_secret[32]);
had to be replaced by
VNET_DEFINE(u_char, ts_offset_secret[32]);

MFC r348290:
When an ACK segment as the third message of the three way handshake is
received and support for time stamps was negotiated in the SYN/SYNACK
exchange, perform the PAWS check and only expand the syn cache entry if
the check is passed.
Without this check, endpoints may get stuck on the incomplete queue.

Reviewed by: jtl@, rrs@
Approved by: re (kib@)
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D16636
Differential Revision: https://reviews.freebsd.org/D20374
END