diff --git a/sys/netinet/tcp_output.c b/sys/netinet/tcp_output.c index 2e386d072c03..64c7fa676e95 100644 --- a/sys/netinet/tcp_output.c +++ b/sys/netinet/tcp_output.c @@ -548,9 +548,8 @@ tcp_output(struct tcpcb *tp) if (tp->t_flags & TF_SIGNATURE) { int i; u_char *bp; - /* - * Initialize TCP-MD5 option (RFC2385) - */ + + /* Initialize TCP-MD5 option (RFC2385) */ bp = (u_char *)opt + optlen; *bp++ = TCPOPT_SIGNATURE; *bp++ = TCPOLEN_SIGNATURE; @@ -558,9 +557,8 @@ tcp_output(struct tcpcb *tp) for (i = 0; i < TCP_SIGLEN; i++) *bp++ = 0; optlen += TCPOLEN_SIGNATURE; - /* - * Terminate options list and maintain 32-bit alignment. - */ + + /* Terminate options list and maintain 32-bit alignment. */ *bp++ = TCPOPT_NOP; *bp++ = TCPOPT_EOL; optlen += 2; diff --git a/sys/netinet/tcp_subr.c b/sys/netinet/tcp_subr.c index 689d0cdc48b5..f099aa5a4a7d 100644 --- a/sys/netinet/tcp_subr.c +++ b/sys/netinet/tcp_subr.c @@ -1924,6 +1924,14 @@ tcp_xmit_bandwidth_limit(struct tcpcb *tp, tcp_seq ack_seq) /* * Compute TCP-MD5 hash of a TCPv4 segment. (RFC2385) * + * Parameters: + * m pointer to head of mbuf chain + * off0 offset to TCP header within the mbuf chain + * len length of TCP segment data, excluding options + * optlen length of TCP segment options + * buf pointer to storage for computed MD5 digest + * direction direction of flow (IPSEC_DIR_INBOUND or OUTBOUND) + * * We do this over ip, tcphdr, segment data, and the key in the SADB. * When called from tcp_input(), we can be sure that th_sum has been * zeroed out and verified already. @@ -1940,13 +1948,8 @@ tcp_xmit_bandwidth_limit(struct tcpcb *tp, tcp_seq ack_seq) * specify per-application flows but it is unstable. */ int -tcpsignature_compute( - struct mbuf *m, /* mbuf chain */ - int off0, /* offset to TCP header */ - int len, /* length of TCP data */ - int optlen, /* length of TCP options */ - u_char *buf, /* storage for MD5 digest */ - u_int direction) /* direction of flow */ +tcpsignature_compute(struct mbuf *m, int off0, int len, int optlen, + u_char *buf, u_int direction) { union sockaddr_union dst; struct ippseudo ippseudo; @@ -1958,32 +1961,30 @@ tcpsignature_compute( struct tcphdr *th; u_short savecsum; - KASSERT(m != NULL, ("passed NULL mbuf. Game over.")); - KASSERT(buf != NULL, ("passed NULL storage pointer for MD5 signature")); - /* - * Extract the destination from the IP header in the mbuf. - */ + KASSERT(m != NULL, ("NULL mbuf chain")); + KASSERT(buf != NULL, ("NULL signature pointer")); + + /* Extract the destination from the IP header in the mbuf. */ ip = mtod(m, struct ip *); bzero(&dst, sizeof(union sockaddr_union)); dst.sa.sa_len = sizeof(struct sockaddr_in); dst.sa.sa_family = AF_INET; dst.sin.sin_addr = (direction == IPSEC_DIR_INBOUND) ? ip->ip_src : ip->ip_dst; - /* - * Look up an SADB entry which matches the address found in - * the segment. - */ + + /* Look up an SADB entry which matches the address of the peer. */ sav = KEY_ALLOCSA(&dst, IPPROTO_TCP, htonl(TCP_SIG_SPI)); if (sav == NULL) { printf("%s: SADB lookup failed for %s\n", __func__, inet_ntoa(dst.sin.sin_addr)); return (EINVAL); } - MD5Init(&ctx); + MD5Init(&ctx); ipovly = (struct ipovly *)ip; th = (struct tcphdr *)((u_char *)ip + off0); doff = off0 + sizeof(struct tcphdr) + optlen; + /* * Step 1: Update MD5 hash with IP pseudo-header. * @@ -1999,6 +2000,7 @@ tcpsignature_compute( ippseudo.ippseudo_p = IPPROTO_TCP; ippseudo.ippseudo_len = htons(len + sizeof(struct tcphdr) + optlen); MD5Update(&ctx, (char *)&ippseudo, sizeof(struct ippseudo)); + /* * Step 2: Update MD5 hash with TCP header, excluding options. * The TCP checksum must be set to zero. @@ -2007,17 +2009,20 @@ tcpsignature_compute( th->th_sum = 0; MD5Update(&ctx, (char *)th, sizeof(struct tcphdr)); th->th_sum = savecsum; + /* * Step 3: Update MD5 hash with TCP segment data. * Use m_apply() to avoid an early m_pullup(). */ if (len > 0) m_apply(m, doff, len, tcpsignature_apply, &ctx); + /* * Step 4: Update MD5 hash with shared secret. */ MD5Update(&ctx, _KEYBUF(sav->key_auth), _KEYLEN(sav->key_auth)); MD5Final(buf, &ctx); + key_sa_recordxfer(sav, m); KEY_FREESAV(&sav); return (0); diff --git a/sys/netinet/tcp_timewait.c b/sys/netinet/tcp_timewait.c index 689d0cdc48b5..f099aa5a4a7d 100644 --- a/sys/netinet/tcp_timewait.c +++ b/sys/netinet/tcp_timewait.c @@ -1924,6 +1924,14 @@ tcp_xmit_bandwidth_limit(struct tcpcb *tp, tcp_seq ack_seq) /* * Compute TCP-MD5 hash of a TCPv4 segment. (RFC2385) * + * Parameters: + * m pointer to head of mbuf chain + * off0 offset to TCP header within the mbuf chain + * len length of TCP segment data, excluding options + * optlen length of TCP segment options + * buf pointer to storage for computed MD5 digest + * direction direction of flow (IPSEC_DIR_INBOUND or OUTBOUND) + * * We do this over ip, tcphdr, segment data, and the key in the SADB. * When called from tcp_input(), we can be sure that th_sum has been * zeroed out and verified already. @@ -1940,13 +1948,8 @@ tcp_xmit_bandwidth_limit(struct tcpcb *tp, tcp_seq ack_seq) * specify per-application flows but it is unstable. */ int -tcpsignature_compute( - struct mbuf *m, /* mbuf chain */ - int off0, /* offset to TCP header */ - int len, /* length of TCP data */ - int optlen, /* length of TCP options */ - u_char *buf, /* storage for MD5 digest */ - u_int direction) /* direction of flow */ +tcpsignature_compute(struct mbuf *m, int off0, int len, int optlen, + u_char *buf, u_int direction) { union sockaddr_union dst; struct ippseudo ippseudo; @@ -1958,32 +1961,30 @@ tcpsignature_compute( struct tcphdr *th; u_short savecsum; - KASSERT(m != NULL, ("passed NULL mbuf. Game over.")); - KASSERT(buf != NULL, ("passed NULL storage pointer for MD5 signature")); - /* - * Extract the destination from the IP header in the mbuf. - */ + KASSERT(m != NULL, ("NULL mbuf chain")); + KASSERT(buf != NULL, ("NULL signature pointer")); + + /* Extract the destination from the IP header in the mbuf. */ ip = mtod(m, struct ip *); bzero(&dst, sizeof(union sockaddr_union)); dst.sa.sa_len = sizeof(struct sockaddr_in); dst.sa.sa_family = AF_INET; dst.sin.sin_addr = (direction == IPSEC_DIR_INBOUND) ? ip->ip_src : ip->ip_dst; - /* - * Look up an SADB entry which matches the address found in - * the segment. - */ + + /* Look up an SADB entry which matches the address of the peer. */ sav = KEY_ALLOCSA(&dst, IPPROTO_TCP, htonl(TCP_SIG_SPI)); if (sav == NULL) { printf("%s: SADB lookup failed for %s\n", __func__, inet_ntoa(dst.sin.sin_addr)); return (EINVAL); } - MD5Init(&ctx); + MD5Init(&ctx); ipovly = (struct ipovly *)ip; th = (struct tcphdr *)((u_char *)ip + off0); doff = off0 + sizeof(struct tcphdr) + optlen; + /* * Step 1: Update MD5 hash with IP pseudo-header. * @@ -1999,6 +2000,7 @@ tcpsignature_compute( ippseudo.ippseudo_p = IPPROTO_TCP; ippseudo.ippseudo_len = htons(len + sizeof(struct tcphdr) + optlen); MD5Update(&ctx, (char *)&ippseudo, sizeof(struct ippseudo)); + /* * Step 2: Update MD5 hash with TCP header, excluding options. * The TCP checksum must be set to zero. @@ -2007,17 +2009,20 @@ tcpsignature_compute( th->th_sum = 0; MD5Update(&ctx, (char *)th, sizeof(struct tcphdr)); th->th_sum = savecsum; + /* * Step 3: Update MD5 hash with TCP segment data. * Use m_apply() to avoid an early m_pullup(). */ if (len > 0) m_apply(m, doff, len, tcpsignature_apply, &ctx); + /* * Step 4: Update MD5 hash with shared secret. */ MD5Update(&ctx, _KEYBUF(sav->key_auth), _KEYLEN(sav->key_auth)); MD5Final(buf, &ctx); + key_sa_recordxfer(sav, m); KEY_FREESAV(&sav); return (0);