tcp md5 checksums broken in 7.0-beta3
Bjoern A. Zeeb
bzeeb-lists at lists.zabbadoz.net
Tue Nov 27 22:30:07 PST 2007
On Wed, 28 Nov 2007, Nick Hilliard wrote:
> Bjoern A. Zeeb wrote:
>> I'll try to find your bug the next days (in case you find anything let
>> me know).
> At the very least, this will be necessary:
> --- tcp_subr.c~ 2007-11-28 01:14:46.000000000 +0000
> +++ tcp_subr.c 2007-11-28 01:14:46.000000000 +0000
> @@ -1948,7 +1948,7 @@
> * Step 4: Update MD5 hash with shared secret.
> - MD5Update(&ctx, _KEYBUF(sav->key_auth), _KEYLEN(sav->key_auth));
> + MD5Update(&ctx, sav->key_auth->key_data, _KEYLEN(sav->key_auth));
> MD5Final(buf, &ctx);
> key_sa_recordxfer(sav, m);
> But it doesn't fix the problem.
I stopped at the point validating the tcp header was correct last
night somewhen after midnight. With your + my other patches (not
posted yet) I have valid md5 sums again for all but the S/A case.
Expect a patch soonish.
Bjoern A. Zeeb bzeeb at Zabbadoz dot NeT
Software is harder than hardware so better get it right the first time.
More information about the freebsd-net