Date:      Wed, 21 Sep 2005 18:41:14 +0900 (JST)
From:      Noritoshi Demizu <demizu@dd.iij4u.or.jp>
To:        othermark <atkin901@yahoo.com>
Cc:        freebsd-net@freebsd.org
Subject:   Re: rfc2385 (tcp md5 checksums) in -current broken?
Message-ID:  <20050921.184114.115904070.Noritoshi@Demizu.ORG>
In-Reply-To: <20050921.161113.59648691.Noritoshi@Demizu.ORG>
References:  <dgp7lk$sov$1@sea.gmane.org> <20050921.012626.74752754.Noritoshi@Demizu.ORG> <20050921.161113.59648691.Noritoshi@Demizu.ORG>

> > I think there is a bug in syncache_respond().

I am sorry, I was wrong.  syncache_respond() does not have such a bug.
The buggy thing was my brain...

> > In tcp_syncache.c rev 1.77, tcp_signature_compute() is called before
> > filling the TCP SACK Permitted option and the TCP EOL option.  I guess
> > it should be called after filling both the SACK Permitted and EOL options.

According to RFC2385, TCP options are excluded when computing the MD5 hash.
So, the TCP options fields can be rewritten after the MD5 hash is computed.
I misunderstood this.  I am sorry if I confused you.

My conclusion is that src/contrib/tcpdump/print-tcp.c has a bug.
And the patch below will fix it.

Regards,
Noritoshi Demizu


--- print-tcp.c-ORG	Thu Apr 21 15:36:05 2005
+++ print-tcp.c	Wed Sep 21 18:43:51 2005
@@ -799,7 +799,7 @@
 	MD5_Update(&ctx, tcpmd5secret, strlen(tcpmd5secret));
 	MD5_Final(sig, &ctx);
 
-	if (memcmp(rcvsig, sig, 16))
+	if (memcmp(rcvsig, sig, TCP_SIGLEN) == 0)
 		return (SIGNATURE_VALID);
 	else
 		return (SIGNATURE_INVALID);
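Review bot: the substantive fix in this hunk is the inverted condition: memcmp() returns 0 when the buffers match, so the old `if (memcmp(rcvsig, sig, 16))` returned SIGNATURE_VALID exactly when the received and computed digests differed and SIGNATURE_INVALID when they matched; the added `== 0` corrects that. Replacing the literal 16 with TCP_SIGLEN on the same line is fine provided that macro is visible in print-tcp.c, but state both changes in the commit message so the rename does not hide the logic fix; the if/else could also collapse to `return (memcmp(rcvsig, sig, TCP_SIGLEN) == 0 ? SIGNATURE_VALID : SIGNATURE_INVALID);`.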
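An added example, not part of this message or of tcpdump: the RFC2385 digest computation that tcpdump's signature check performs, written in Python, with the comparison both as patched and as it was before the patch. Addresses, ports and the key are constructed test values; it assumes IPv4 and shows that option bytes can be rewritten after hashing as long as the header length (which the pseudo-header covers) stays the same, which is why the rewrite described above is harmless.

```python
import hashlib
import socket
import struct

TCP_SIGLEN, TCPOPT_SIGNATURE = 16, 19   # RFC 2385 digest size and TCP option kind

def tcp_md5_digest(src_ip, dst_ip, tcp_segment, key):
    """RFC 2385 digest of a raw IPv4 TCP segment: pseudo-header, fixed 20-byte TCP
    header with checksum zeroed (option BYTES are not hashed, only their length,
    via the pseudo-header's segment length), segment data, then the shared key."""
    data_off = (tcp_segment[12] >> 4) * 4                        # header length incl. options
    fixed_hdr = tcp_segment[:16] + b"\x00\x00" + tcp_segment[18:20]  # checksum field zeroed
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp_segment)))
    return hashlib.md5(pseudo + fixed_hdr + tcp_segment[data_off:] + key).digest()

def build_segment(sport, dport, seq, ack, flags, options, payload=b""):
    """Constructed segment: header (checksum left 0), options zero-padded to 4n, payload."""
    opts = options + b"\x00" * (-len(options) % 4)
    doff = (20 + len(opts)) // 4
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, doff << 4, flags, 65535, 0, 0)
    return hdr + opts + payload

def find_signature_option(tcp_segment):
    """Return the digest carried in option 19, or None if absent or malformed."""
    data_off = (tcp_segment[12] >> 4) * 4
    opts, i = tcp_segment[20:data_off], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                                 # EOL: nothing more to parse
            break
        if kind == 1:                                 # NOP
            i += 1
            continue
        olen = opts[i + 1] if i + 1 < len(opts) else 0
        if olen < 2:                                  # truncated or bogus length
            break
        if kind == TCPOPT_SIGNATURE and olen == 2 + TCP_SIGLEN:
            return bytes(opts[i + 2:i + olen])
        i += olen
    return None

def verify_signature(src_ip, dst_ip, tcp_segment, key, pre_patch=False):
    """tcpdump's check: memcmp() is 0 on equality, so the pre-patch "if (memcmp(rcvsig, sig, 16))"
    reported VALID exactly when the digests differed; the patched "== 0" test is the default."""
    rcvsig = find_signature_option(tcp_segment)
    if rcvsig is None:
        return "NO_SIGNATURE"
    equal = rcvsig == tcp_md5_digest(src_ip, dst_ip, tcp_segment, key)
    return "SIGNATURE_VALID" if equal != pre_patch else "SIGNATURE_INVALID"
```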



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050921.184114.115904070.Noritoshi>