Date:      Fri, 15 Apr 2005 14:35:21 +0900 (JST)
From:      Noritoshi Demizu <demizu@dd.iij4u.or.jp>
To:        freebsd-net@freebsd.org
Subject:   TCP MD5 Signature option handling in tcp_syncache.c
Message-ID:  <20050415.143521.57443821.Noritoshi@Demizu.ORG>

I'm trying to use the TCP MD5 Signature option in my TCP experiments.
On a FreeBSD current box, I run a small experimental server,
which just accepts a TCP connection and receives data.

I have two problems.

  1. When the TCP MD5 Signature option is used on a TCP connection,
     both the TCP Timestamps option and the TCP Window Scale option
     are turned off.

     I think the cause and the fix are as follows:
     At line 987 in tcp_syncache.c 1.70, sc->sc_flags is overwritten
     by SCF_SIGNATURE.  By this line, SCF_TIMESTAMP and SCF_WINSCALE
     are turned off.  I think the operator "=" should be "|=".

 987: -		sc->sc_flags = SCF_SIGNATURE;
 987: +		sc->sc_flags |= SCF_SIGNATURE;

  2. The TCP MD5 Signature option is used iff an incoming SYN has the
     TCP MD5 Signature option.  However, RFC2385 says in section 2.0
     as follows:

     "Unlike other TCP extensions (e.g., the Window Scale option
      [RFC1323]), the absence of the option in the SYN,ACK segment must not
      cause the sender to disable its sending of signatures."

     I am sorry if the current behavior is intentional, but should the
     condition to turn on SCF_SIGNATURE be (tp->t_flags & TF_SIGNATURE)?

 986: -	if (to->to_flags & TOF_SIGNATURE)
 986: +	if (tp->t_flags & TF_SIGNATURE)
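Review bot: the proposed condition at line 986 removes the test for the incoming option entirely, while the comment at lines 979-982 of the excerpt describes the intended rule as both conditions together: the listening socket requested digests and the received SYN carries the option. Neither `to->to_flags & TOF_SIGNATURE` alone (current code) nor `tp->t_flags & TF_SIGNATURE` alone matches that wording; whichever rule is adopted, the comment above the check should be updated to say what the code actually does.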

     Or, considering backward compatibility, should it be
     ((tp->t_flags & TF_SIGNATURE) || (to->to_flags & TOF_SIGNATURE))?

BTW, I think line 977 has the same problem as #1 above.
Though it does not cause any practical problem at this moment,
it would be safe to fix it.

 977: -		sc->sc_flags = SCF_NOOPT;
 977: +		sc->sc_flags |= SCF_NOOPT;

Thank you.

Regards,
Noritoshi Demizu


=========================================================================
<< An excerpt from line 976 - 988 of tcp_syncache.c Rev 1.70 >>

 976:	if (tp->t_flags & TF_NOOPT)
 977:		sc->sc_flags = SCF_NOOPT;
#ifdef TCP_SIGNATURE
 979:	/*
 980:	 * If listening socket requested TCP digests, and received SYN
 981:	 * contains the option, flag this in the syncache so that
 982:	 * syncache_respond() will do the right thing with the SYN+ACK.
 983:	 * XXX Currently we always record the option by default and will
 984:	 * attempt to use it in syncache_respond().
 985:	 */
 986:	if (to->to_flags & TOF_SIGNATURE)
 987:		sc->sc_flags = SCF_SIGNATURE;
#endif

=========================================================================
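A stand-alone C model of the flag handling at lines 976-987 discussed in the mail, added here as an illustration and not taken from the message or from the FreeBSD tree. The flag bit values and the helper names sc_flags_current, sc_flags_proposed and bits_lost are constructed; the proposed form combines the "|=" fix from point 1 with the "||" condition from point 2.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for the kernel flag bits (values are arbitrary). */
#define TF_NOOPT       0x0001u  /* socket: send no TCP options       */
#define TF_SIGNATURE   0x0002u  /* socket: TCP MD5 signatures wanted */
#define TOF_SIGNATURE  0x0001u  /* parsed SYN carried the MD5 option */
#define SCF_NOOPT      0x0001u
#define SCF_WINSCALE   0x0002u
#define SCF_TIMESTAMP  0x0004u
#define SCF_SIGNATURE  0x0008u

/* Shape of tcp_syncache.c 1.70 lines 976-987: a plain "=" replaces whatever
 * bits (SCF_TIMESTAMP, SCF_WINSCALE) were already recorded in sc_flags. */
uint32_t sc_flags_current(uint32_t sc_flags, uint32_t tp_flags, uint32_t to_flags)
{
    if (tp_flags & TF_NOOPT)
        sc_flags = SCF_NOOPT;
    if (to_flags & TOF_SIGNATURE)
        sc_flags = SCF_SIGNATURE;
    return sc_flags;
}

/* Proposed form: "|=" keeps the earlier bits, and the signature decision
 * also honours the listening socket's TF_SIGNATURE (the "||" variant). */
uint32_t sc_flags_proposed(uint32_t sc_flags, uint32_t tp_flags, uint32_t to_flags)
{
    if (tp_flags & TF_NOOPT)
        sc_flags |= SCF_NOOPT;
    if ((tp_flags & TF_SIGNATURE) || (to_flags & TOF_SIGNATURE))
        sc_flags |= SCF_SIGNATURE;
    return sc_flags;
}

/* Bits present before the signature check that the current code discards. */
uint32_t bits_lost(uint32_t sc_flags, uint32_t tp_flags, uint32_t to_flags)
{
    return sc_flags & ~sc_flags_current(sc_flags, tp_flags, to_flags);
}

int main(void)
{
    uint32_t before = SCF_TIMESTAMP | SCF_WINSCALE;  /* negotiated from the SYN */
    printf("current : 0x%02x (lost 0x%02x)\n",
           sc_flags_current(before, 0, TOF_SIGNATURE),
           bits_lost(before, 0, TOF_SIGNATURE));
    printf("proposed: 0x%02x\n", sc_flags_proposed(before, 0, TOF_SIGNATURE));
    return 0;
}
```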