Subject: Re: RFC2385 (TCP MD5 signatures) working with patch!
To: Jason Thorpe <thorpej@wasabisystems.com>
From: Jeff Rizzo <riz@redcrowgroup.com>
List: tech-net
Date: 06/25/2004 18:05:35
On Fri, Jun 25, 2004 at 06:02:38PM -0700, Jason Thorpe wrote:
>
>
> >I would greatly appreciate it if someone with more knowledge than
> >me could look over the patch and let me know how it could be
> >improved...
>
> I'd be happy to, but you forgot to attach the patch :-)
>
> -- Jason R. Thorpe <thorpej@wasabisystems.com>
>
Feh. At least I remembered to put it in the PR. :)
Here it is:
Index: tcp_input.c
===================================================================
RCS file: /usr/mirror/main/src/sys/netinet/tcp_input.c,v
retrieving revision 1.207
diff -u -r1.207 tcp_input.c
--- tcp_input.c 23 May 2004 00:37:27 -0000 1.207
+++ tcp_input.c 25 Jun 2004 22:07:22 -0000
@@ -2630,11 +2630,13 @@
struct ippseudo ippseudo;
struct ip6_hdr_pseudo ip6pseudo;
struct tcphdr th0;
- int l;
+ int l, tcphdrlen;
if (sav == NULL)
return (-1);
+ tcphdrlen = th->th_off * 4;
+
switch (mtod(m, struct ip *)->ip_v) {
case 4:
ip = mtod(m, struct ip *);
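Review bot: `tcphdrlen = th->th_off * 4;` takes the header length from a field that arrives in the packet, and nothing in this hunk bounds it against sizeof(struct tcphdr) or the segment length; the function appears to rely on its caller having already rejected a bad th_off, which is worth saying where the value is computed, e.g. `/* th_off comes off the wire; callers are expected to have validated it — confirm. Options are excluded from the digest per RFC 2385. */`. If that validation is not guaranteed for every caller of tcp_signature(), a local guard such as `if (tcphdrlen < sizeof(struct tcphdr)) return (-1);` right after the assignment would make the function safe on its own. The enclosing function begins before the hunk.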
@@ -2674,10 +2676,10 @@
th0.th_sum = 0;
MD5Update(&ctx, (char *)&th0, sizeof(th0));
- l = m->m_pkthdr.len - thoff - sizeof(struct tcphdr);
+ l = m->m_pkthdr.len - thoff - tcphdrlen;
if (l > 0)
- m_apply(m, thoff + sizeof(struct tcphdr),
- m->m_pkthdr.len - thoff - sizeof(struct tcphdr),
+ m_apply(m, thoff + tcphdrlen,
+ m->m_pkthdr.len - thoff - tcphdrlen,
tcp_signature_apply, &ctx);
MD5Update(&ctx, _KEYBUF(sav->key_auth), _KEYLEN(sav->key_auth));
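Review bot: The new m_apply() call under `if (l > 0)` recomputes `m->m_pkthdr.len - thoff - tcphdrlen` even though the line just above stored exactly that value in `l`; passing `l` keeps the guard and the length it guards visibly the same quantity: `m_apply(m, thoff + tcphdrlen, l, tcp_signature_apply, &ctx);`. Skipping the option bytes when hashing the payload is what RFC 2385 asks for, so the substitution itself reads correctly. The enclosing function continues outside the hunk.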
@@ -2834,6 +2836,8 @@
}
if ((sigp ? TF_SIGNATURE : 0) ^ (tp->t_flags & TF_SIGNATURE)) {
+ if (sav == NULL)
+ return (-1);
#ifdef FAST_IPSEC
KEY_FREESAV(&sav);
#else
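Review bot: The added `if (sav == NULL) return (-1);` is repeated verbatim before each of the three free sites in this and the next two hunks (after the signature-mismatch check here, after the tcp_signature() failure, and after the bcmp() mismatch), which leaves three copies of the same drop-and-release sequence to keep in sync. A single cleanup label that performs the NULL-guarded free and returns -1, reached by `goto` from each failure point, would put the fail-closed behaviour — the segment is rejected whether or not an SA was found — in one place. It is also not visible in these hunks whether sav can still be NULL once a signature option was present; a one-line comment at the first guard saying why the NULL case arises would help the next reader. The enclosing function starts and ends outside these hunks.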
@@ -2848,6 +2852,8 @@
TCP_FIELDS_TO_NET(th);
if (tcp_signature(m, th, toff, sav, sig) < 0) {
TCP_FIELDS_TO_HOST(th);
+ if (sav == NULL)
+ return (-1);
#ifdef FAST_IPSEC
KEY_FREESAV(&sav);
#else
@@ -2859,6 +2865,8 @@
if (bcmp(sig, sigp, TCP_SIGLEN)) {
tcpstat.tcps_badsig++;
+ if (sav == NULL)
+ return (-1);
#ifdef FAST_IPSEC
KEY_FREESAV(&sav);
#else
@@ -3798,6 +3806,10 @@
if (optp)
#endif
{
+ tb.t_flags = tcp_do_rfc1323 ? (TF_REQ_SCALE|TF_REQ_TSTMP) : 0;
+#ifdef TCP_SIGNATURE
+ tb.t_flags |= (tp->t_flags & TF_SIGNATURE);
+#endif
if (tcp_dooptions(&tb, optp, optlen, th, m, m->m_pkthdr.len -
sizeof(struct tcphdr) - optlen - hlen, oi) < 0)
return (0);
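Review bot: The new `tb.t_flags |= (tp->t_flags & TF_SIGNATURE);` is what makes the signature-mismatch check in tcp_dooptions() apply to this SYN, and that intent is not stated; a short comment above the `#ifdef TCP_SIGNATURE` block, `/* carry the listener's TF_SIGNATURE so tcp_dooptions() applies its signature check to this SYN */`, would keep the next reader from dropping the OR as redundant. Whether tb had other fields initialized before this point is outside the hunk, so I cannot tell if the preceding `tb.t_flags = ...` assignment duplicates earlier setup. The enclosing function begins before the hunk.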
--
Jeff Rizzo http://www.redcrowgroup.com/