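--- a/sys/netinet/tcp_subr.c
+++ b/sys/netinet/tcp_subr.c
@@ -1,8 +1,8 @@
 /*-
  * Copyright (c) 1982, 1986, 1988, 1990, 1993, 1995
  * The Regents of the University of California. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
@@ -25,17 +25,17 @@
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
  * @(#)tcp_subr.c 8.2 (Berkeley) 5/24/95
  */
 
 #include <sys/cdefs.h>
-__FBSDID("$FreeBSD: head/sys/netinet/tcp_subr.c 182855 2008-09-07 20:44:45Z bz $");
+__FBSDID("$FreeBSD: head/sys/netinet/tcp_subr.c 183001 2008-09-13 17:26:46Z bz $");
 
 #include "opt_compat.h"
 #include "opt_inet.h"
 #include "opt_inet6.h"
 #include "opt_ipsec.h"
 #include "opt_mac.h"
 #include "opt_tcpdebug.h"
 
@@ -98,16 +98,17 @@
 
 #ifdef IPSEC
 #include <netipsec/ipsec.h>
 #include <netipsec/xform.h>
 #ifdef INET6
 #include <netipsec/ipsec6.h>
 #endif
 #include <netipsec/key.h>
+#include <sys/syslog.h>
 #endif /*IPSEC*/
 
 #include <machine/in_cksum.h>
 #include <sys/md5.h>
 
 #include <security/mac/mac_framework.h>
 
 int tcp_mssdflt = TCP_MSS;
@@ -1824,96 +1825,164 @@
 tcp_signature_apply(void *fstate, void *data, u_int len)
 {
 
  MD5Update(fstate, (u_char *)data, len);
  return (0);
 }
 
 /*
- * Compute TCP-MD5 hash of a TCPv4 segment. (RFC2385)
+ * Compute TCP-MD5 hash of a TCP segment. (RFC2385)
  *
  * Parameters:
  * m pointer to head of mbuf chain
- * off0 offset to TCP header within the mbuf chain
+ * _unused
  * len length of TCP segment data, excluding options
  * optlen length of TCP segment options
  * buf pointer to storage for computed MD5 digest
  * direction direction of flow (IPSEC_DIR_INBOUND or OUTBOUND)
  *
  * We do this over ip, tcphdr, segment data, and the key in the SADB.
  * When called from tcp_input(), we can be sure that th_sum has been
  * zeroed out and verified already.
  *
- * This function is for IPv4 use only. Calling this function with an
- * IPv6 packet in the mbuf chain will yield undefined results.
- *
  * Return 0 if successful, otherwise return -1.
  *
  * XXX The key is retrieved from the system's PF_KEY SADB, by keying a
  * search with the destination IP address, and a 'magic SPI' to be
  * determined by the application. This is hardcoded elsewhere to 1179
  * right now. Another branch of this code exists which uses the SPD to
  * specify per-application flows but it is unstable.
  */
 int
-tcp_signature_compute(struct mbuf *m, int off0, int len, int optlen,
+tcp_signature_compute(struct mbuf *m, int _unused, int len, int optlen,
  u_char *buf, u_int direction)
 {
  union sockaddr_union dst;
  struct ippseudo ippseudo;
  MD5_CTX ctx;
  int doff;
  struct ip *ip;
  struct ipovly *ipovly;
  struct secasvar *sav;
  struct tcphdr *th;
+#ifdef INET6
+ struct ip6_hdr *ip6;
+ struct in6_addr in6;
+ char ip6buf[INET6_ADDRSTRLEN];
+ uint32_t plen;
+ uint16_t nhdr;
+#endif
  u_short savecsum;
 
  KASSERT(m != NULL, ("NULL mbuf chain"));
  KASSERT(buf != NULL, ("NULL signature pointer"));
 
  /* Extract the destination from the IP header in the mbuf. */
- ip = mtod(m, struct ip *);
  bzero(&dst, sizeof(union sockaddr_union));
- dst.sa.sa_len = sizeof(struct sockaddr_in);
- dst.sa.sa_family = AF_INET;
- dst.sin.sin_addr = (direction == IPSEC_DIR_INBOUND) ?
- ip->ip_src : ip->ip_dst;
+ ip = mtod(m, struct ip *);
+#ifdef INET6
+ ip6 = NULL; /* Make the compiler happy. */
+#endif
+ switch (ip->ip_v) {
+ case IPVERSION:
+ dst.sa.sa_len = sizeof(struct sockaddr_in);
+ dst.sa.sa_family = AF_INET;
+ dst.sin.sin_addr = (direction == IPSEC_DIR_INBOUND) ?
+ ip->ip_src : ip->ip_dst;
+ break;
+#ifdef INET6
+ case (IPV6_VERSION >> 4):
+ ip6 = mtod(m, struct ip6_hdr *);
+ dst.sa.sa_len = sizeof(struct sockaddr_in6);
+ dst.sa.sa_family = AF_INET6;
+ dst.sin6.sin6_addr = (direction == IPSEC_DIR_INBOUND) ?
+ ip6->ip6_src : ip6->ip6_dst;
+ break;
+#endif
+ default:
+ return (EINVAL);
+ /* NOTREACHED */
+ break;
+ }
 
  /* Look up an SADB entry which matches the address of the peer. */
  sav = KEY_ALLOCSA(&dst, IPPROTO_TCP, htonl(TCP_SIG_SPI));
  if (sav == NULL) {
- printf("%s: SADB lookup failed for %s\n", __func__,
- inet_ntoa(dst.sin.sin_addr));
+ ipseclog((LOG_ERR, "%s: SADB lookup failed for %s\n", __func__,
+ (ip->ip_v == IPVERSION) ? inet_ntoa(dst.sin.sin_addr) :
+#ifdef INET6
+ (ip->ip_v == (IPV6_VERSION >> 4)) ?
+ ip6_sprintf(ip6buf, &dst.sin6.sin6_addr) :
+#endif
+ "(unsupported)"));
  return (EINVAL);
  }
 
  MD5Init(&ctx);
- ipovly = (struct ipovly *)ip;
- th = (struct tcphdr *)((u_char *)ip + off0);
- doff = off0 + sizeof(struct tcphdr) + optlen;
-
  /*
- * Step 1: Update MD5 hash with IP pseudo-header.
+ * Step 1: Update MD5 hash with IP(v6) pseudo-header.
  *
  * XXX The ippseudo header MUST be digested in network byte order,
  * or else we'll fail the regression test. Assume all fields we've
  * been doing arithmetic on have been in host byte order.
  * XXX One cannot depend on ipovly->ih_len here. When called from
  * tcp_output(), the underlying ip_len member has not yet been set.
  */
- ippseudo.ippseudo_src = ipovly->ih_src;
- ippseudo.ippseudo_dst = ipovly->ih_dst;
- ippseudo.ippseudo_pad = 0;
- ippseudo.ippseudo_p = IPPROTO_TCP;
- ippseudo.ippseudo_len = htons(len + sizeof(struct tcphdr) + optlen);
- MD5Update(&ctx, (char *)&ippseudo, sizeof(struct ippseudo));
+ switch (ip->ip_v) {
+ case IPVERSION:
+ ipovly = (struct ipovly *)ip;
+ ippseudo.ippseudo_src = ipovly->ih_src;
+ ippseudo.ippseudo_dst = ipovly->ih_dst;
+ ippseudo.ippseudo_pad = 0;
+ ippseudo.ippseudo_p = IPPROTO_TCP;
+ ippseudo.ippseudo_len = htons(len + sizeof(struct tcphdr) +
+ optlen);
+ MD5Update(&ctx, (char *)&ippseudo, sizeof(struct ippseudo));
 
+ th = (struct tcphdr *)((u_char *)ip + sizeof(struct ip));
+ doff = sizeof(struct ip) + sizeof(struct tcphdr) + optlen;
+ break;
+#ifdef INET6
  /*
+ * RFC 2385, 2.0 Proposal
+ * For IPv6, the pseudo-header is as described in RFC 2460, namely the
+ * 128-bit source IPv6 address, 128-bit destination IPv6 address, zero-
+ * extended next header value (to form 32 bits), and 32-bit segment
+ * length.
+ * Note: Upper-Layer Packet Length comes before Next Header.
+ */
+ case (IPV6_VERSION >> 4):
+ in6 = ip6->ip6_src;
+ in6_clearscope(&in6);
+ MD5Update(&ctx, (char *)&in6, sizeof(struct in6_addr));
+ in6 = ip6->ip6_dst;
+ in6_clearscope(&in6);
+ MD5Update(&ctx, (char *)&in6, sizeof(struct in6_addr));
+ plen = htonl(len + sizeof(struct tcphdr) + optlen);
+ MD5Update(&ctx, (char *)&plen, sizeof(uint32_t));
+ nhdr = 0;
+ MD5Update(&ctx, (char *)&nhdr, sizeof(uint8_t));
+ MD5Update(&ctx, (char *)&nhdr, sizeof(uint8_t));
+ MD5Update(&ctx, (char *)&nhdr, sizeof(uint8_t));
+ nhdr = IPPROTO_TCP;
+ MD5Update(&ctx, (char *)&nhdr, sizeof(uint8_t));
+
+ th = (struct tcphdr *)((u_char *)ip6 + sizeof(struct ip6_hdr));
+ doff = sizeof(struct ip6_hdr) + sizeof(struct tcphdr) + optlen;
+ break;
+#endif
+ default:
+ return (EINVAL);
+ /* NOTREACHED */
+ break;
+ }
+
+
+ /*
  * Step 2: Update MD5 hash with TCP header, excluding options.
  * The TCP checksum must be set to zero.
  */
  savecsum = th->th_sum;
  th->th_sum = 0;
  MD5Update(&ctx, (char *)th, sizeof(struct tcphdr));
  th->th_sum = savecsum;
 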
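Review bot: In the new IPv6 branch (new lines 1962–1967) `nhdr` is declared `uint16_t` but is digested one byte at a time through `(char *)&nhdr` with `sizeof(uint8_t)`, so only the first byte of the 16-bit object enters the hash; on a big-endian target that first byte is the high-order byte, which stays 0 even after `nhdr = IPPROTO_TCP`, so the pseudo-header's next-header field is hashed as 0 and the resulting signature would not match a peer that computes the RFC 2460 pseudo-header correctly. Changing the declaration at new line 1872 to `uint8_t nhdr;` makes the four one-byte updates byte-order independent without touching the update calls. The function body continues past the hunk (the options, data and key steps are hidden), so those were not reviewed here. Separately, the header comment still says `Return 0 if successful, otherwise return -1.` while both new `default:` arms and the SADB-failure path return `EINVAL`; `Return 0 if successful, otherwise an errno value (EINVAL).` would describe the code as written.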