From owner-p4-projects@FreeBSD.ORG Thu Mar 11 17:16:45 2010 Return-Path: Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 6D2EE1065690; Thu, 11 Mar 2010 17:16:45 +0000 (UTC) Delivered-To: perforce@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 3067B1065677 for ; Thu, 11 Mar 2010 17:16:45 +0000 (UTC) (envelope-from andre@freebsd.org) Received: from repoman.freebsd.org (repoman.freebsd.org [IPv6:2001:4f8:fff6::29]) by mx1.freebsd.org (Postfix) with ESMTP id 1D3098FC13 for ; Thu, 11 Mar 2010 17:16:45 +0000 (UTC) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.14.3/8.14.3) with ESMTP id o2BHGjpN094382 for ; Thu, 11 Mar 2010 17:16:45 GMT (envelope-from andre@freebsd.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.14.3/8.14.3/Submit) id o2BHGinW094380 for perforce@freebsd.org; Thu, 11 Mar 2010 17:16:44 GMT (envelope-from andre@freebsd.org) Date: Thu, 11 Mar 2010 17:16:44 GMT Message-Id: <201003111716.o2BHGinW094380@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to andre@freebsd.org using -f From: Andre Oppermann To: Perforce Change Reviews Precedence: bulk Cc: Subject: PERFORCE change 175593 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 11 Mar 2010 17:16:45 -0000 http://p4web.freebsd.org/chv.cgi?CH=175593 Change 175593 by andre@andre_t61 on 2010/03/11 17:16:42 Move TCP-MD5 signature functions from tcp_subr.c to its own tcp_auth.c file. Affected files ... .. //depot/projects/tcp_new/netinet/tcp_auth.c#1 add .. //depot/projects/tcp_new/netinet/tcp_subr.c#8 edit Differences ... ==== //depot/projects/tcp_new/netinet/tcp_subr.c#8 (text+ko) ==== 
@@ -1658,127 +1658,6 @@
 }
 #endif /* IPSEC */
 
-#ifdef TCP_SIGNATURE
-/*
- * Callback function invoked by m_apply() to digest TCP segment data
- * contained within an mbuf chain.
- */
-static int
-tcp_signature_apply(void *fstate, void *data, u_int len)
-{
-
- MD5Update(fstate, (u_char *)data, len);
- return (0);
-}
-
-/*
- * Compute TCP-MD5 hash of a TCPv4 segment. (RFC2385)
- *
- * Parameters:
- * m pointer to head of mbuf chain
- * off0 offset to TCP header within the mbuf chain
- * len length of TCP segment data, excluding options
- * optlen length of TCP segment options
- * buf pointer to storage for computed MD5 digest
- * direction direction of flow (IPSEC_DIR_INBOUND or OUTBOUND)
- *
- * We do this over ip, tcphdr, segment data, and the key in the SADB.
- * When called from tcp_input(), we can be sure that th_sum has been
- * zeroed out and verified already.
- *
- * This function is for IPv4 use only. Calling this function with an
- * IPv6 packet in the mbuf chain will yield undefined results.
- *
- * Return 0 if successful, otherwise return -1.
- *
- * XXX The key is retrieved from the system's PF_KEY SADB, by keying a
- * search with the destination IP address, and a 'magic SPI' to be
- * determined by the application. This is hardcoded elsewhere to 1179
- * right now. Another branch of this code exists which uses the SPD to
- * specify per-application flows but it is unstable.
- */
-int
-tcp_signature_compute(struct mbuf *m, int off0, int len, int optlen,
- u_char *buf, u_int direction)
-{
- union sockaddr_union dst;
- struct ippseudo ippseudo;
- MD5_CTX ctx;
- int doff;
- struct ip *ip;
- struct ipovly *ipovly;
- struct secasvar *sav;
- struct tcphdr *th;
- u_short savecsum;
-
- KASSERT(m != NULL, ("NULL mbuf chain"));
- KASSERT(buf != NULL, ("NULL signature pointer"));
-
- /* Extract the destination from the IP header in the mbuf. */
- ip = mtod(m, struct ip *);
- bzero(&dst, sizeof(union sockaddr_union));
- dst.sa.sa_len = sizeof(struct sockaddr_in);
- dst.sa.sa_family = AF_INET;
- dst.sin.sin_addr = (direction == IPSEC_DIR_INBOUND) ?
- ip->ip_src : ip->ip_dst;
-
- /* Look up an SADB entry which matches the address of the peer. */
- sav = KEY_ALLOCSA(&dst, IPPROTO_TCP, htonl(TCP_SIG_SPI));
- if (sav == NULL) {
- printf("%s: SADB lookup failed for %s\n", __func__,
- inet_ntoa(dst.sin.sin_addr));
- return (EINVAL);
- }
-
- MD5Init(&ctx);
- ipovly = (struct ipovly *)ip;
- th = (struct tcphdr *)((u_char *)ip + off0);
- doff = off0 + sizeof(struct tcphdr) + optlen;
-
- /*
- * Step 1: Update MD5 hash with IP pseudo-header.
- *
- * XXX The ippseudo header MUST be digested in network byte order,
- * or else we'll fail the regression test. Assume all fields we've
- * been doing arithmetic on have been in host byte order.
- * XXX One cannot depend on ipovly->ih_len here. When called from
- * tcp_output(), the underlying ip_len member has not yet been set.
- */
- ippseudo.ippseudo_src = ipovly->ih_src;
- ippseudo.ippseudo_dst = ipovly->ih_dst;
- ippseudo.ippseudo_pad = 0;
- ippseudo.ippseudo_p = IPPROTO_TCP;
- ippseudo.ippseudo_len = htons(len + sizeof(struct tcphdr) + optlen);
- MD5Update(&ctx, (char *)&ippseudo, sizeof(struct ippseudo));
-
- /*
- * Step 2: Update MD5 hash with TCP header, excluding options.
- * The TCP checksum must be set to zero.
- */
- savecsum = th->th_sum;
- th->th_sum = 0;
- MD5Update(&ctx, (char *)th, sizeof(struct tcphdr));
- th->th_sum = savecsum;
-
- /*
- * Step 3: Update MD5 hash with TCP segment data.
- * Use m_apply() to avoid an early m_pullup().
- */
- if (len > 0)
- m_apply(m, doff, len, tcp_signature_apply, &ctx);
-
- /*
- * Step 4: Update MD5 hash with shared secret.
- */
- MD5Update(&ctx, sav->key_auth->key_data, _KEYLEN(sav->key_auth));
- MD5Final(buf, &ctx);
-
- key_sa_recordxfer(sav, m);
- KEY_FREESAV(&sav);
- return (0);
-}
-#endif /* TCP_SIGNATURE */
-
 static int
 sysctl_drop(SYSCTL_HANDLER_ARGS)
 {