D33227.id99958.diff

Index: share/man/man4/tcp.4
===================================================================
--- share/man/man4/tcp.4
+++ share/man/man4/tcp.4
@@ -34,7 +34,7 @@
.\" From: @(#)tcp.4 8.1 (Berkeley) 6/5/93
.\" $FreeBSD$
.\"
-.Dd June 27, 2021
+.Dd December 13, 2021
.Dt TCP 4
.Os
.Sh NAME
@@ -339,6 +339,11 @@
.Pp
If an SADB entry cannot be found for the destination,
the system does not send any outgoing segments and drops any inbound segments.
+.Pp
+There is an exception to the statement above.
+During initial connection negotiation, a socket with this option enabled will
+accept non-signed segments provided that an SADB entry does not exist between
+the sender and receiver.
.It Dv TCP_STATS
Manage collection of connection level statistics using the
.Xr stats 3
Index: sys/netinet/tcp_syncache.c
===================================================================
--- sys/netinet/tcp_syncache.c
+++ sys/netinet/tcp_syncache.c
@@ -1514,19 +1514,25 @@
#if defined(IPSEC_SUPPORT) || defined(TCP_SIGNATURE)
/*
- * If listening socket requested TCP digests, check that received
- * SYN has signature and it is correct. If signature doesn't match
- * or TCP_SIGNATURE support isn't enabled, drop the packet.
+ * When the socket is TCP-MD5 enabled check that,
+ * - a signed packet is valid
+ * - a non-signed packet does not have a security association
+ *
+ * If a signed packet fails validation or a non-signed packet has a
+ * security association, the packet will be dropped.
*/
if (ltflags & TF_SIGNATURE) {
- if ((to->to_flags & TOF_SIGNATURE) == 0) {
- TCPSTAT_INC(tcps_sig_err_nosigopt);
- goto done;
+ if (to->to_flags & TOF_SIGNATURE) {
+ if (!TCPMD5_ENABLED() ||
+ TCPMD5_INPUT(m, th, to->to_signature) != 0)
+ goto done;
+ } else {
+ if (TCPMD5_ENABLED() &&
+ TCPMD5_INPUT(m, NULL, NULL) != ENOENT)
+ goto done;
}
- if (!TCPMD5_ENABLED() ||
- TCPMD5_INPUT(m, th, to->to_signature) != 0)
- goto done;
- }
+ } else if (to->to_flags & TOF_SIGNATURE)
+ goto done;
#endif /* TCP_SIGNATURE */
/*
* See if we already have an entry for this connection.
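Review bot: The non-signed branch (`TCPMD5_ENABLED() && TCPMD5_INPUT(m, NULL, NULL) != ENOENT`) fails open when the TCP-MD5 module is not loaded: an unsigned SYN arriving on a listener that asked for TCP_SIGNATURE is then accepted with no SA lookup at all, whereas the removed code dropped it. Unless setting TCP_SIGNATURE already guarantees the module is present, keep the fail-closed shape of the signed branch: `if (!TCPMD5_ENABLED() || TCPMD5_INPUT(m, NULL, NULL) != ENOENT) goto done;`. The new drop of a signed SYN on a listener without TF_SIGNATURE in the trailing `else if` increments no tcps_sig_err_* counter, so that drop is invisible in the TCP statistics, and it is unbraced while every sibling branch in the hunk is braced. The enclosing function starts and ends outside the hunk.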
Index: sys/netipsec/xform_tcp.c
===================================================================
--- sys/netipsec/xform_tcp.c
+++ sys/netipsec/xform_tcp.c
@@ -269,6 +269,11 @@
KMOD_TCPSTAT_INC(tcps_sig_err_buildsig);
return (ENOENT);
}
+ if (buf == NULL) {
+ key_freesav(&sav);
+ KMOD_TCPSTAT_INC(tcps_sig_err_nosigopt);
+ return (EACCES);
+ }
/*
* tcp_input() operates with TCP header fields in host
* byte order. We expect them in network byte order.
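Review bot: The added `buf == NULL` check gives this function a second calling convention — probe for an SA without verifying a signature — that nothing in the hunk documents, and the EACCES return is a new out-of-band value callers must tell apart from the ENOENT returned just above. A comment on the check such as `/* buf == NULL: caller only asks whether an SA exists for this segment; one does, so an unsigned segment is refused (EACCES). */` would make the contract explicit, and the function's header comment (outside the hunk) should list EACCES next to ENOENT. The syncache caller passes th as NULL together with buf, so if the code after this check reads header fields through th, the guard should reject a NULL th as well; I cannot see the rest of the function to confirm. The enclosing function starts and ends outside the hunk.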
