From owner-freebsd-net@FreeBSD.ORG  Wed Nov 28 06:30:07 2007
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id CA09716A417
	for <freebsd-net@freebsd.org>; Wed, 28 Nov 2007 06:30:07 +0000 (UTC)
	(envelope-from bzeeb-lists@lists.zabbadoz.net)
Received: from mail.cksoft.de (mail.cksoft.de [62.111.66.27])
	by mx1.freebsd.org (Postfix) with ESMTP id 88A7813C44B
	for <freebsd-net@freebsd.org>; Wed, 28 Nov 2007 06:30:07 +0000 (UTC)
	(envelope-from bzeeb-lists@lists.zabbadoz.net)
Received: from localhost (amavis.str.cksoft.de [192.168.74.71])
	by mail.cksoft.de (Postfix) with ESMTP id 1A88441C733;
	Wed, 28 Nov 2007 07:30:06 +0100 (CET)
X-Virus-Scanned: amavisd-new at cksoft.de
Received: from mail.cksoft.de ([62.111.66.27])
	by localhost (amavis.str.cksoft.de [192.168.74.71]) (amavisd-new,
	port 10024)
	with ESMTP id MA8FPsSryckM; Wed, 28 Nov 2007 07:30:05 +0100 (CET)
Received: by mail.cksoft.de (Postfix, from userid 66)
	id BABDD41C71E; Wed, 28 Nov 2007 07:30:05 +0100 (CET)
Received: from maildrop.int.zabbadoz.net (maildrop.int.zabbadoz.net
	[10.111.66.10])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mail.int.zabbadoz.net (Postfix) with ESMTP id 7BD42444885;
	Wed, 28 Nov 2007 06:26:16 +0000 (UTC)
Date: Wed, 28 Nov 2007 06:26:15 +0000 (UTC)
From: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
X-X-Sender: bz@maildrop.int.zabbadoz.net
To: Nick Hilliard <nick-lists@netability.ie>
In-Reply-To: <474CC3EC.1010205@netability.ie>
Message-ID: <20071128062332.E53707@maildrop.int.zabbadoz.net>
References: <474B24F3.2030603@netability.ie>
	<20071126224649.C53707@maildrop.int.zabbadoz.net>
	<474CC3EC.1010205@netability.ie>
X-OpenPGP-Key: 0x14003F198FEFA3E77207EE8D2B58B8F83CCF1842
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Cc: freebsd-net@freebsd.org
Subject: Re: tcp md5 checksums broken in 7.0-beta3
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Nov 2007 06:30:07 -0000

On Wed, 28 Nov 2007, Nick Hilliard wrote:

Hi,

> Bjoern A. Zeeb wrote:
>> I'll try to find your bug the next days (in case you find anything let
>> me know).
>
> At the very least, this will be necessary:
>
> --- tcp_subr.c~        2007-11-28 01:14:46.000000000 +0000
> +++ tcp_subr.c  2007-11-28 01:14:46.000000000 +0000
> @@ -1948,7 +1948,7 @@
>        /*
>         * Step 4: Update MD5 hash with shared secret.
>         */
> -       MD5Update(&ctx, _KEYBUF(sav->key_auth), _KEYLEN(sav->key_auth));
> +       MD5Update(&ctx, sav->key_auth->key_data, _KEYLEN(sav->key_auth));
>        MD5Final(buf, &ctx);
>
>        key_sa_recordxfer(sav, m);
>
> But it doesn't fix the problem.

I stopped at the point validating the tcp header was correct last
night somewhen after midnight. With your + my other patches (not
posted yet) I have valid md5 sums again for all but the S/A case.
Expect a patch soonish.

-- 
Bjoern A. Zeeb                                 bzeeb at Zabbadoz dot NeT
Software is harder than hardware  so better get it right the first time.