From owner-freebsd-bugs@FreeBSD.ORG Mon Nov 21 13:45:00 2011 Return-Path: Delivered-To: freebsd-bugs@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id DE0591065672 for ; Mon, 21 Nov 2011 13:45:00 +0000 (UTC) (envelope-from borjam@sarenet.es) Received: from proxypop03.sare.net (proxypop03.sare.net [194.30.0.207]) by mx1.freebsd.org (Postfix) with ESMTP id 9A5918FC0A for ; Mon, 21 Nov 2011 13:45:00 +0000 (UTC) Received: from [172.16.2.2] (izaro.sarenet.es [192.148.167.11]) by proxypop03.sare.net (Postfix) with ESMTPSA id 82D1A9DC467 for ; Mon, 21 Nov 2011 14:28:43 +0100 (CET) From: Borja Marcos Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: quoted-printable Date: Mon, 21 Nov 2011 14:28:42 +0100 Message-Id: <129489FD-E98D-4954-8D43-632D88E745CE@sarenet.es> To: freebsd-bugs@FreeBSD.org Mime-Version: 1.0 (Apple Message framework v1084) X-Mailer: Apple Mail (2.1084) Cc: Subject: Openbgpd incorrectly sets TCP_MD5 on the listen socket, regardless of configuration X-BeenThere: freebsd-bugs@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 21 Nov 2011 13:45:00 -0000 Sorry for the brief report and the scarce details. The f****ing form = insists on rejecting the captcha after one hour writing a report.=20 So, in short: If TCP_MD5 is available on the system, options IPSEC options TCP_SIGNATURE #include support for RFC 2385 device crypto Turns out openbgpd can't receive BGP connections.=20 The error is in the session.c file, line 148, function = setup_listeners(u_int *la_cnt). Code snippet: opt =3D 1; if (setsockopt(la->fd, IPPROTO_TCP, TCP_MD5SIG, &opt, sizeof(opt)) =3D=3D -1) { if (errno =3D=3D ENOPROTOOPT) { /* system = w/o md5sig */ log_warnx("md5sig not available, = disabling"); sysdep.no_md5sig =3D 1; } else fatal("setsockopt TCP_MD5SIG"); } This is wrong. Regardless of the configuration, this code activates = TCP_MD5 for the socket and leaves it enabled. This is what happens: 14:04:33.009212 IP 10.0.0.2.36610 > 10.0.0.1.179: Flags [S], seq = 1941690122, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val = 115224 ecr 0], length 0 14:04:33.009267 IP 10.0.0.1.179 > 10.0.0.2.36610: Flags [S.], seq = 2935503211, ack 1941690123, win 65535, options [mss 1460,nop,wscale = 6,sackOK,TS val 4192648161 ecr 115224,nop,nop,md5shared secret not = supplied with -M, can't check - a360f2c9a9f96a582ccbabe79418105c], = length 0 The daemon receiving the connection is replying with TCP_MD5, even = though there's no TCP_MD5 option set in the bgpd.conf file. Removing this code (or placing it outside of the loop, creating a = temporary socket just to enable TCP_MD5 on it and using it to detect the = availability of TCP_MD5) works: 14:04:35.395447 IP 10.0.0.1.45119 > 10.0.0.2.179: Flags [S], seq = 366635408, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val = 220116 ecr 0], length 0 14:04:35.395490 IP 10.0.0.2.179 > 10.0.0.1.45119: Flags [S.], seq = 1226417253, ack 366635409, win 65535, options [mss 1460,nop,wscale = 6,sackOK,TS val 511187362 ecr 220116], length 0 14:04:35.395584 IP 10.0.0.1.45119 > 10.0.0.2.179: Flags [.], ack 1, win = 1040, options [nop,nop,TS val 220116 ecr 511187362], length 0 14:04:35.396072 IP 10.0.0.1.45119 > 10.0.0.2.179: Flags [P.], seq 1:46, = ack 1, win 1040, options [nop,nop,TS val 220116 ecr 511187362], length = 45: BGP, length: 45 14:04:35.397031 IP 10.0.0.2.179 > 10.0.0.1.45119: Flags [P.], seq 1:50, = ack 46, win 1040, options [nop,nop,TS val 511187362 ecr 220116], length = 49: BGP, length: 49 14:04:35.397381 IP 10.0.0.1.45119 > 10.0.0.2.179: Flags [P.], seq 46:65, = ack 50, win 1040, options [nop,nop,TS val 220116 ecr 511187362], length = 19: BGP, length: 19 Sorry for the terse report. It was very detailed, but lost. Borja.