
D33227.diff

diff --git a/share/man/man4/tcp.4 b/share/man/man4/tcp.4
--- a/share/man/man4/tcp.4
+++ b/share/man/man4/tcp.4
@@ -34,7 +34,7 @@
.\" From: @(#)tcp.4 8.1 (Berkeley) 6/5/93
.\" $FreeBSD$
.\"
-.Dd June 27, 2021
+.Dd January 8, 2022
.Dt TCP 4
.Os
.Sh NAME
@@ -339,6 +339,10 @@
.Pp
If an SADB entry cannot be found for the destination,
the system does not send any outgoing segments and drops any inbound segments.
+However, during connection negotiation, a non-signed segment will be accepted if
+an SADB entry does not exist between hosts.
+When a non-signed segment is accepted, the established connection is not
+protected with MD5 digests.
.It Dv TCP_STATS
Manage collection of connection level statistics using the
.Xr stats 3
diff --git a/sys/netinet/tcp_syncache.c b/sys/netinet/tcp_syncache.c
--- a/sys/netinet/tcp_syncache.c
+++ b/sys/netinet/tcp_syncache.c
@@ -1514,19 +1514,25 @@
#if defined(IPSEC_SUPPORT) || defined(TCP_SIGNATURE)
/*
- * If listening socket requested TCP digests, check that received
- * SYN has signature and it is correct. If signature doesn't match
- * or TCP_SIGNATURE support isn't enabled, drop the packet.
+ * When the socket is TCP-MD5 enabled check that,
+ * - a signed packet is valid
+ * - a non-signed packet does not have a security association
+ *
+ * If a signed packet fails validation or a non-signed packet has a
+ * security association, the packet will be dropped.
*/
if (ltflags & TF_SIGNATURE) {
- if ((to->to_flags & TOF_SIGNATURE) == 0) {
- TCPSTAT_INC(tcps_sig_err_nosigopt);
- goto done;
+ if (to->to_flags & TOF_SIGNATURE) {
+ if (!TCPMD5_ENABLED() ||
+ TCPMD5_INPUT(m, th, to->to_signature) != 0)
+ goto done;
+ } else {
+ if (TCPMD5_ENABLED() &&
+ TCPMD5_INPUT(m, NULL, NULL) != ENOENT)
+ goto done;
}
- if (!TCPMD5_ENABLED() ||
- TCPMD5_INPUT(m, th, to->to_signature) != 0)
- goto done;
- }
+ } else if (to->to_flags & TOF_SIGNATURE)
+ goto done;
#endif /* TCP_SIGNATURE */
/*
* See if we already have an entry for this connection.
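Review bot: The `else` branch starting at `if (TCPMD5_ENABLED() &&` accepts an unsigned SYN outright when TCP-MD5 support is not enabled, skipping the SADB probe entirely, while the signed branch just above treats `!TCPMD5_ENABLED()` as a drop; on a TF_SIGNATURE listener this fails open in exactly the state where the SA check cannot run. That state may be unreachable if TF_SIGNATURE can only be set while TCPMD5_ENABLED() holds, but the asymmetry is cheap to remove: `if (!TCPMD5_ENABLED() || TCPMD5_INPUT(m, NULL, NULL) != ENOENT) goto done;`. The new `else if (to->to_flags & TOF_SIGNATURE) goto done;` drop for a signed SYN on a listener that did not ask for signatures is silent, unlike the other drops on this path; counting it with `TCPSTAT_INC(tcps_sig_err_sigopt);` keeps that drop visible to operators. The enclosing function continues outside the hunk.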
@@ -1724,11 +1730,11 @@
}
#if defined(IPSEC_SUPPORT) || defined(TCP_SIGNATURE)
/*
- * If listening socket requested TCP digests, flag this in the
+ * If incoming packet has an MD5 signature, flag this in the
* syncache so that syncache_respond() will do the right thing
* with the SYN+ACK.
*/
- if (ltflags & TF_SIGNATURE)
+ if (to->to_flags & TOF_SIGNATURE)
sc->sc_flags |= SCF_SIGNATURE;
#endif /* TCP_SIGNATURE */
if (to->to_flags & TOF_SACKPERM)
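Review bot: Deriving `SCF_SIGNATURE` from the peer's SYN instead of the listener is only safe because the TF_SIGNATURE block earlier in what appears to be the same function has already dropped a signed SYN on a non-signature listener and an unsigned SYN from a peer that has an SA; the comment above the `if` should state that dependency, since a reader of this block alone cannot see the ordering. Suggested wording for the comment: `* If the incoming SYN carried an MD5 signature (already verified above), flag this in the syncache so that syncache_respond() signs the SYN+ACK; an unsigned SYN accepted above leaves the flag clear, so that connection is unprotected.` The enclosing function starts and ends outside the hunk.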
diff --git a/sys/netipsec/xform_tcp.c b/sys/netipsec/xform_tcp.c
--- a/sys/netipsec/xform_tcp.c
+++ b/sys/netipsec/xform_tcp.c
@@ -269,6 +269,11 @@
KMOD_TCPSTAT_INC(tcps_sig_err_buildsig);
return (ENOENT);
}
+ if (buf == NULL) {
+ key_freesav(&sav);
+ KMOD_TCPSTAT_INC(tcps_sig_err_nosigopt);
+ return (EACCES);
+ }
/*
* tcp_input() operates with TCP header fields in host
* byte order. We expect them in network byte order.
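Review bot: The new `buf == NULL` probe relies on nothing earlier in this function dereferencing `th`, which is also NULL on the new caller's path (`TCPMD5_INPUT(m, NULL, NULL)` in tcp_syncache.c); the function's start is outside the hunk, so that should be confirmed before this lands. The 0 / ENOENT / EACCES tri-state is now a contract the syncache depends on but nothing documents it; add above the new block: `/* buf == NULL: caller is only probing for an SA. ENOENT above means none exists; EACCES here tells the caller an unsigned segment arrived from a peer that has one, so it must be dropped. */`. The enclosing function continues outside the hunk.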
