PERFORCE change 175593 for review
Andre Oppermann
andre at FreeBSD.org
Thu Mar 11 17:16:45 UTC 2010
http://p4web.freebsd.org/chv.cgi?CH=175593
Change 175593 by andre at andre_t61 on 2010/03/11 17:16:42
Move the TCP-MD5 signature functions from tcp_subr.c into their own file, tcp_auth.c.
Affected files ...
.. //depot/projects/tcp_new/netinet/tcp_auth.c#1 add
.. //depot/projects/tcp_new/netinet/tcp_subr.c#8 edit
Differences ...
==== //depot/projects/tcp_new/netinet/tcp_subr.c#8 (text+ko) ====
@@ -1658,127 +1658,6 @@
}
#endif /* IPSEC */
-#ifdef TCP_SIGNATURE
-/*
- * Callback function invoked by m_apply() to digest TCP segment data
- * contained within an mbuf chain.
- */
-static int
-tcp_signature_apply(void *fstate, void *data, u_int len)
-{
-
- MD5Update(fstate, (u_char *)data, len);
- return (0);
-}
-
-/*
- * Compute TCP-MD5 hash of a TCPv4 segment. (RFC2385)
- *
- * Parameters:
- * m pointer to head of mbuf chain
- * off0 offset to TCP header within the mbuf chain
- * len length of TCP segment data, excluding options
- * optlen length of TCP segment options
- * buf pointer to storage for computed MD5 digest
- * direction direction of flow (IPSEC_DIR_INBOUND or OUTBOUND)
- *
- * We do this over ip, tcphdr, segment data, and the key in the SADB.
- * When called from tcp_input(), we can be sure that th_sum has been
- * zeroed out and verified already.
- *
- * This function is for IPv4 use only. Calling this function with an
- * IPv6 packet in the mbuf chain will yield undefined results.
- *
- * Return 0 if successful, otherwise return -1.
- *
- * XXX The key is retrieved from the system's PF_KEY SADB, by keying a
- * search with the destination IP address, and a 'magic SPI' to be
- * determined by the application. This is hardcoded elsewhere to 1179
- * right now. Another branch of this code exists which uses the SPD to
- * specify per-application flows but it is unstable.
- */
-int
-tcp_signature_compute(struct mbuf *m, int off0, int len, int optlen,
- u_char *buf, u_int direction)
-{
- union sockaddr_union dst;
- struct ippseudo ippseudo;
- MD5_CTX ctx;
- int doff;
- struct ip *ip;
- struct ipovly *ipovly;
- struct secasvar *sav;
- struct tcphdr *th;
- u_short savecsum;
-
- KASSERT(m != NULL, ("NULL mbuf chain"));
- KASSERT(buf != NULL, ("NULL signature pointer"));
-
- /* Extract the destination from the IP header in the mbuf. */
- ip = mtod(m, struct ip *);
- bzero(&dst, sizeof(union sockaddr_union));
- dst.sa.sa_len = sizeof(struct sockaddr_in);
- dst.sa.sa_family = AF_INET;
- dst.sin.sin_addr = (direction == IPSEC_DIR_INBOUND) ?
- ip->ip_src : ip->ip_dst;
-
- /* Look up an SADB entry which matches the address of the peer. */
- sav = KEY_ALLOCSA(&dst, IPPROTO_TCP, htonl(TCP_SIG_SPI));
- if (sav == NULL) {
- printf("%s: SADB lookup failed for %s\n", __func__,
- inet_ntoa(dst.sin.sin_addr));
- return (EINVAL);
- }
-
- MD5Init(&ctx);
- ipovly = (struct ipovly *)ip;
- th = (struct tcphdr *)((u_char *)ip + off0);
- doff = off0 + sizeof(struct tcphdr) + optlen;
-
- /*
- * Step 1: Update MD5 hash with IP pseudo-header.
- *
- * XXX The ippseudo header MUST be digested in network byte order,
- * or else we'll fail the regression test. Assume all fields we've
- * been doing arithmetic on have been in host byte order.
- * XXX One cannot depend on ipovly->ih_len here. When called from
- * tcp_output(), the underlying ip_len member has not yet been set.
- */
- ippseudo.ippseudo_src = ipovly->ih_src;
- ippseudo.ippseudo_dst = ipovly->ih_dst;
- ippseudo.ippseudo_pad = 0;
- ippseudo.ippseudo_p = IPPROTO_TCP;
- ippseudo.ippseudo_len = htons(len + sizeof(struct tcphdr) + optlen);
- MD5Update(&ctx, (char *)&ippseudo, sizeof(struct ippseudo));
-
- /*
- * Step 2: Update MD5 hash with TCP header, excluding options.
- * The TCP checksum must be set to zero.
- */
- savecsum = th->th_sum;
- th->th_sum = 0;
- MD5Update(&ctx, (char *)th, sizeof(struct tcphdr));
- th->th_sum = savecsum;
-
- /*
- * Step 3: Update MD5 hash with TCP segment data.
- * Use m_apply() to avoid an early m_pullup().
- */
- if (len > 0)
- m_apply(m, doff, len, tcp_signature_apply, &ctx);
-
- /*
- * Step 4: Update MD5 hash with shared secret.
- */
- MD5Update(&ctx, sav->key_auth->key_data, _KEYLEN(sav->key_auth));
- MD5Final(buf, &ctx);
-
- key_sa_recordxfer(sav, m);
- KEY_FREESAV(&sav);
- return (0);
-}
-#endif /* TCP_SIGNATURE */
-
static int
sysctl_drop(SYSCTL_HANDLER_ARGS)
{