lwip: provide configuration option to enable TCP ISN hook

components/lwip/CMakeLists.txt

@@ -5,6 +5,7 @@ set(COMPONENT_ADD_INCLUDEDIRS
     port/esp32/include
     port/esp32/include/arch
     include_compat
+    port/esp32/tcp_isn
     )
 
 set(COMPONENT_SRCS "apps/dhcpserver/dhcpserver.c"
@@ -123,6 +124,10 @@ if(CONFIG_PPP_SUPPORT)
                    "lwip/src/netif/ppp/polarssl/sha1.c")
 endif()
 
+if(CONFIG_LWIP_TCP_ISN_HOOK)
+    list(APPEND COMPONENT_SRCS "port/esp32/tcp_isn/tcp_isn.c")
+endif()
+
 set(COMPONENT_REQUIRES vfs)
 set(COMPONENT_PRIV_REQUIRES ethernet tcpip_adapter nvs_flash)
 

components/lwip/Kconfig

@@ -296,6 +296,17 @@ menu "LWIP"
 
     menu "TCP"
 
+        config LWIP_TCP_ISN_HOOK
+            bool "Enable TCP ISN Hook"
+            default y
+            help
+                Enables custom TCP ISN hook to randomize initial sequence
+                number in TCP connection. This is recommended as default
+                lwIP implementation (`tcp_next_iss`) is not very strong,
+                as it does not take into consideration any platform
+                specific entropy source.
+
+
         config LWIP_MAX_ACTIVE_TCP
             int "Maximum active TCP Connections"
             range 1 1024

components/lwip/component.mk

@@ -9,7 +9,8 @@ COMPONENT_ADD_INCLUDEDIRS := \
 	lwip/src/include \
 	port/esp32/include \
 	port/esp32/include/arch \
-	include_compat
+	include_compat \
+	port/esp32/tcp_isn
 
 COMPONENT_SRCDIRS := \
 	apps/dhcpserver \
@@ -30,6 +31,10 @@ ifdef CONFIG_PPP_SUPPORT
     COMPONENT_SRCDIRS += lwip/src/netif/ppp lwip/src/netif/ppp/polarssl
 endif
 
+ifdef CONFIG_LWIP_TCP_ISN_HOOK
+    COMPONENT_SRCDIRS += port/esp32/tcp_isn
+endif
+
 CFLAGS += -Wno-address  # lots of LWIP source files evaluate macros that check address of stack variables
 
 ifeq ($(GCC_NOT_5_2_0), 1)

components/lwip/port/esp32/include/lwipopts.h

@@ -396,6 +396,17 @@
  */
 #define LWIP_TCP_RTO_TIME             CONFIG_LWIP_TCP_RTO_TIME
 
+/**
+ * Set TCP hook for Initial Sequence Number (ISN)
+ */
+#ifdef CONFIG_LWIP_TCP_ISN_HOOK
+#include <lwip/arch.h>
+struct ip_addr;
+u32_t lwip_hook_tcp_isn(const struct ip_addr *local_ip, u16_t local_port,
+                        const struct ip_addr *remote_ip, u16_t remote_port);
+#define LWIP_HOOK_TCP_ISN               lwip_hook_tcp_isn
+#endif
+
 /*
    ----------------------------------
    ---------- Pbuf options ----------