kern/82963: TCP MD5 disables rfc1323 options on passive connections

Noritoshi Demizu demizu at dd.iij4u.or.jp
Mon Jul 4 05:20:19 GMT 2005


>Number:         82963
>Category:       kern
>Synopsis:       TCP MD5 disables rfc1323 options on passive connections
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jul 04 05:20:18 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Noritoshi Demizu
>Release:        FreeBSD 6.0 current (as of July 4, 2005)
>Organization:
>Environment:
FreeBSD kodaira4.koganei.wide.ad.jp 6.0-CURRENT FreeBSD 6.0-CURRENT #0: Mon Jul  4 12:16:45 JST 2005     noritosi at kodaira4.koganei.wide.ad.jp:/home/src/os/FreeBSD-current/src/sys/i386/compile/GENERIC  i386
>Description:
When the TCP MD5 Signature option is used on a TCP connection,
both the TCP Timestamps option and the TCP Window Scale option
are turned off.

Below is an example of such a scenario.

# tcpdump -nXi lo0 tcp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo0, link-type NULL (BSD loopback), capture size 96 bytes
14:06:22.577329 IP 127.0.0.1.54072 > 127.0.0.1.58851: S 3668653428:3668653428(0) win 65535 <mss 16344,nop,wscale 1,nop,nop,timestamp 211371 0,opt-19:00000000000000000000000000000000,sackOK>
        0x0000:  4500 0050 06bf 4000 4006 35e7 7f00 0001  E..P..@.@.5.....
        0x0010:  7f00 0001 d338 e5e3 daab 3574 0000 0000  .....8....5t....
        0x0020:  f002 ffff a8cd 0000 0204 3fd8 0103 0301  ..........?.....
        0x0030:  0101 080a 0003 39ab 0000 0000 1312 0000  ......9.........
        0x0040:  0000 0000 0000 0000 0000 0000 0000 0402  ................
14:06:22.577774 IP 127.0.0.1.58851 > 127.0.0.1.54072: S 1998295442:1998295442(0) ack 3668653429 win 65535 <mss 16344,opt-19:00000000000000000000000000000000,sackOK>
        0x0000:  4500 0040 06c0 4000 4006 35f6 7f00 0001  E..@..@.@.5.....
        0x0010:  7f00 0001 e5e3 d338 771b 9192 daab 3575  .......8w.....5u
        0x0020:  b012 ffff 26dc 0000 0204 3fd8 1312 0000  ....&.....?.....
        0x0030:  0000 0000 0000 0000 0000 0000 0000 0402  ................
14:06:22.591606 IP 127.0.0.1.54072 > 127.0.0.1.58851: . ack 1 win 65535 <opt-19:00000000000000000000000000000000,eol>
        0x0000:  4500 003c 06c1 4000 4006 35f9 7f00 0001  E..<..@.@.5.....
        0x0010:  7f00 0001 d338 e5e3 daab 3575 771b 9193  .....8....5uw...
        0x0020:  a010 ffff 7cbf 0000 1312 0000 0000 0000  ....|...........
        0x0030:  0000 0000 0000 0000 0000 0000            ............
  (snip)

This problem was reported in
http://lists.freebsd.org/pipermail/freebsd-net/2005-April/006973.html
>How-To-Repeat:
1. Prepare a FreeBSD current box.  Turn on the TCP MD5 option,
   the TCP Timestamps option, and the TCP Window Scale option.
2. On that box, start a server program that accepts a TCP connection.
3. Try to establish a TCP connection with the server program.
   The incoming SYN should include the TCP MD5 option, the TCP
   Timestamps option and the TCP Window Scale option.
4. The outgoing SYN+ACK includes the TCP MD5 option.  But it does not
   include the TCP Timestamps option and the TCP Window Scale option.
>Fix:
I think the cause and the fix are as follows:
At line 987 in tcp_syncache.c 1.74, sc->sc_flags is overwritten
by SCF_SIGNATURE.  By this line, SCF_TIMESTAMP and SCF_WINSCALE
are turned off.  I think the operator "=" should be "|=".

  986:		if (to->to_flags & TOF_SIGNATURE)
- 987:			sc->sc_flags = SCF_SIGNATURE;
+ 987:			sc->sc_flags |= SCF_SIGNATURE;
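
Review bot: the plain `=` at line 987 discards every bit already accumulated in sc->sc_flags, which is exactly how SCF_TIMESTAMP and SCF_WINSCALE get lost according to the description above, so `|=` is the correct operator here. The capture shows the SYN+ACK still carried sackOK, so that option is evidently handled after this point; it is worth checking the rest of the function for any other assignment to sc->sc_flags that uses `=` rather than `|=`, since the same clobbering would recur there. A regression check for the fix: replay the SYN from the tcpdump (MD5, timestamp and wscale all present) and confirm the SYN+ACK now echoes timestamp and wscale alongside opt-19.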

With this change, the problem does not occur in my environment.
>Release-Note:
>Audit-Trail:
>Unformatted:
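The option-walking code below is an added example, not the PR's or FreeBSD's code: a simplified model that parses the option bytes of the SYN captured above into a syncache-style flag word, once with the line-987 assignment and once with the proposed `|=`. The flag bit values and the in-order walk are assumptions of the model; FreeBSD's own syncache sets these flags from a separately parsed option struct.

```c
#include <stddef.h>
#include <stdint.h>
/* Syncache-style flag bits; the bit values are assumptions for this
 * example, not FreeBSD's definitions. */
enum { SCF_WINSCALE = 1, SCF_TIMESTAMP = 2, SCF_SIGNATURE = 4, SCF_SACK = 8 };
/* TCP option kinds (standard IANA values) */
enum { TCPOPT_EOL = 0, TCPOPT_NOP = 1, TCPOPT_WINDOW = 3, TCPOPT_SACK_PERMITTED = 4,
       TCPOPT_TIMESTAMP = 8, TCPOPT_SIGNATURE = 19 };

/* Option bytes of the incoming SYN from the tcpdump in the report
 * (offset 0x28 onward of the first packet). */
static const uint8_t syn_opts[] = {
    0x02, 0x04, 0x3f, 0xd8,                         /* mss 16344 */
    0x01, 0x03, 0x03, 0x01,                         /* nop, wscale 1 */
    0x01, 0x01, 0x08, 0x0a, 0x00, 0x03, 0x39, 0xab, /* nop, nop, timestamp */
    0x00, 0x00, 0x00, 0x00,                         /*   ... TS echo reply */
    0x13, 0x12, 0, 0, 0, 0, 0, 0, 0, 0,             /* opt-19 (MD5), 16-byte */
    0, 0, 0, 0, 0, 0, 0, 0,                         /*   digest (zeros here) */
    0x04, 0x02,                                     /* sackOK */
};

/* Walk the options in order and accumulate flags. With buggy != 0 the
 * signature option assigns the flag word (the line 987 defect); with
 * buggy == 0 it ORs the bit in (the proposed "|=" fix). */
unsigned parse_syn_flags(const uint8_t *o, size_t n, int buggy)
{
    unsigned flags = 0;
    size_t i = 0;
    while (i < n) {
        uint8_t kind = o[i];
        if (kind == TCPOPT_EOL) break;
        if (kind == TCPOPT_NOP) { i++; continue; }
        if (i + 1 >= n) break;                  /* truncated: no length byte */
        uint8_t len = o[i + 1];
        if (len < 2 || i + len > n) break;      /* malformed length: stop */
        switch (kind) {
        case TCPOPT_WINDOW:         if (len == 3)  flags |= SCF_WINSCALE;  break;
        case TCPOPT_TIMESTAMP:      if (len == 10) flags |= SCF_TIMESTAMP; break;
        case TCPOPT_SACK_PERMITTED: if (len == 2)  flags |= SCF_SACK;      break;
        case TCPOPT_SIGNATURE:
            if (len != 18) break;
            if (buggy) flags = SCF_SIGNATURE;   /* drops bits set so far */
            else       flags |= SCF_SIGNATURE;
            break;
        }
        i += len;
    }
    return flags;
}
```

With the buggy assignment only the signature and the sackOK that follows it survive, matching the SYN+ACK in the capture; with `|=` all four flags are kept.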