From nobody Fri Jan 14 18:20:47 2022 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 19D88194A0FD; Fri, 14 Jan 2022 18:20:48 +0000 (UTC) (envelope-from rew@freebsd.org) Received: from smtp.freebsd.org (smtp.freebsd.org [96.47.72.83]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "smtp.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4Jb8k674G9z3Dkg; Fri, 14 Jan 2022 18:20:46 +0000 (UTC) (envelope-from rew@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1642184447; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=7x3/M9h3Pr2R7ha8JIzUrFkpD4eU7KH6Lrtw0tGloI4=; b=EptxXjwG+i+2U1eCH4m5YKD36S8U9gch2XJzSsy3/3izRmAi4kdqKbYHW/6wl3BsqSAOqX hI92CWR0FsMg/4eLXIaphLlkOi4EzSe6SGGQqevX6y93we/lrltlgfY4Xpz1cjIMr2SAaz +u9DUeuYdMPVKiTpSIgSQHYGVC3IsJLheldyAYGAXdYjrSyrpX89BInZQ8fJ09ayockOp7 0X4SA2jT4nVkXT+b++h8euwArqjueTcvlZ6f1oLKuWOFGrWAZs0gFsUpPGtOoEduaC15EI N/gTN30Bf33zZtSJjbrFrg4DOYZIvhlFePxTyJIPSDib9ZRr6EaK2xoazojQKA== Received: from mail-ed1-f52.google.com (mail-ed1-f52.google.com [209.85.208.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "GTS CA 1D4" (verified OK)) (Authenticated sender: rew) by smtp.freebsd.org (Postfix) with ESMTPSA id CF89AA8DA; Fri, 14 Jan 2022 18:20:45 +0000 (UTC) (envelope-from rew@freebsd.org) Received: by mail-ed1-f52.google.com with SMTP id w16so36920437edc.11; Fri, 14 Jan 2022 10:20:45 -0800 (PST) X-Gm-Message-State: AOAM530TkTsZjEwaO4FIcxvFRc1lK0PuNiw9DC0ELCRVV7iEKMHuciSH j1iVU3YHDy4jnh3jSXJmIkMT4Zvgm9GMS0uuRDw= X-Google-Smtp-Source: ABdhPJy3iAFgfawYokb4Nj37tILfpRm5UP1M44HpE6Q8OgyN53KNxAy9kBhmBWXVw+OI4WhokS/77BS2D4IZw/1/GDc= X-Received: by 2002:a17:907:2d26:: with SMTP id gs38mr7999650ejc.765.1642184444622; Fri, 14 Jan 2022 10:20:44 -0800 (PST) List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-all@freebsd.org X-BeenThere: dev-commits-src-all@freebsd.org MIME-Version: 1.0 References: <202201122226.20CMQwMw007750@mail.karels.net> In-Reply-To: <202201122226.20CMQwMw007750@mail.karels.net> From: Rob Wing Date: Fri, 14 Jan 2022 09:20:47 -0900 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: git: eb18708ec8c7 - main - syncache: accept packet with no SA when TCP_MD5SIG is set To: Mike Karels Cc: src-committers@freebsd.org, dev-commits-src-all@freebsd.org, dev-commits-src-main@freebsd.org Content-Type: multipart/alternative; boundary="0000000000007a3ef705d58edcb7" ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1642184447; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=7x3/M9h3Pr2R7ha8JIzUrFkpD4eU7KH6Lrtw0tGloI4=; b=pD9cnN0lsVfy03X7EPyVSOGRA1N3e1uDxpgU8JThtnqmGsXA8oFeGyyAbNZzXkvj7TFHv1 4TS4ClwPi0R3jluh/WjU0TUS4Mpd44+uSOcVVlvwzBQki98DbXD3dy1taZ8vaDEvcriF5S /c7W7K4Ce5JekrgVt1agZkOG1bfzv0oqb6yW+h8dqdYAH5kewfopKKiQtkkIyztNN6OhgB smFQ+HJFmplycyzkaXq7mAyXFQFtet95RwU4a9ji4e5DAKRBhoQJBBaQzFAQ/inaUrYbi/ L6dFo/V0dKktCcFdryOSw5OlDF03IwDx1e8R2FrPivqiaHBaSHdTPLyPr3qyNw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1642184447; a=rsa-sha256; cv=none; b=AI7XOXi+Cz1mDJ+fxbZ4m0VGyF7BXDfIkx7YFWfSWFGfanyHEMVLGcbqAHVOtIPBCcjVVI 4o0c3nQ50dGSpQ2su+gQp0A9n32eBSg7Z+qA9aGHuCRwZIN4xysrZhceTOYS5RXSeOU7C4 ZxmIbk1Hk1iamWf8pikPa3L1jmVzAQe3MS1Z+5KQlcux+Lwxw8JNJ+qr0aVYZEJ9YbpB4/ zbGTtM7LcDFpCOsJBQoS/T7nEuuEaz2O7azC70JgSoSjJfWGcPZbwDSDNW1V3hqQgaBphk 3suNwZz1qACyZzcVsgWQVX9m/wTxcDKyGjjv7Vdg9Z2UU4QSb+UStxwZXX4X+A== ARC-Authentication-Results: i=1; mx1.freebsd.org; none X-ThisMailContainsUnwantedMimeParts: N --0000000000007a3ef705d58edcb7 Content-Type: text/plain; charset="UTF-8" On Wed, Jan 12, 2022 at 1:27 PM Mike Karels wrote: > Rob wrote: > > For what it's worth, this behavior is consistent with OpenBSD. > > That's a useful data point, thanks. > There is value in having the same semantics as OpenBSD for the TCP_MD5SIG option . If OpenBSD's semantics of the TCP_MD5SIG option were different, I likely would have taken a different approach. And also given that FreeBSD and OpenBSD's TCP_MD5SIG option had the same behavior until we diverged in 2017. ..that's how I ended up going in this direction -Rob > > Mike > > > -Rob > > > > > > > > Mike > > > > > > On 8 Jan 2022, at 19:45, Robert Wing wrote: > > > > > > > The branch main has been updated by rew: > > > > > > > > URL: > > > > https://cgit.FreeBSD.org/src/commit/?id=3Deb18708ec8c7e1de6a05aba41971659= > > 549991b10 > > > > > > > > commit eb18708ec8c7e1de6a05aba41971659549991b10 > > > > Author: Robert Wing > > > > AuthorDate: 2022-01-09 01:07:50 +0000 > > > > Commit: Robert Wing > > > > CommitDate: 2022-01-09 01:32:14 +0000 > > > > > > > > syncache: accept packet with no SA when TCP_MD5SIG is set > > > > > > > > When TCP_MD5SIG is set on a socket, all packets are dropped that > > > don't > > > > contain an MD5 signature. Relax this behavior to accept a > non-signe= > > d > > > > packet when a security association doesn't exist with the peer. > > > > > > > > This is useful when a listen socket set with TCP_MD5SIG wants to > > > handle > > > > connections protected with and without MD5 signatures. > > > > > > > > Reviewed by: bz (previous version) > > > > Sponsored by: nepustil.net > > > > Sponsored by: Klara Inc. > > > > Differential Revision: https://reviews.freebsd.org/D33227 > > > > --- > > > > share/man/man4/tcp.4 | 6 +++++- > > > > sys/netinet/tcp_syncache.c | 30 ++++++++++++++++++------------ > > > > sys/netipsec/xform_tcp.c | 5 +++++ > > > > 3 files changed, 28 insertions(+), 13 deletions(-) > > > > > > > > diff --git a/share/man/man4/tcp.4 b/share/man/man4/tcp.4 > > > > index 17138fa224ba..d103293132ba 100644 > > > > --- a/share/man/man4/tcp.4 > > > > +++ b/share/man/man4/tcp.4 > > > > @@ -34,7 +34,7 @@ > > > > .\" From: @(#)tcp.4 8.1 (Berkeley) 6/5/93 > > > > .\" $FreeBSD$ > > > > .\" > > > > -.Dd June 27, 2021 > > > > +.Dd January 8, 2022 > > > > .Dt TCP 4 > > > > .Os > > > > .Sh NAME > > > > @@ -339,6 +339,10 @@ This entry can only be specified on a per-host > > > basis at this time. > > > > .Pp > > > > If an SADB entry cannot be found for the destination, > > > > the system does not send any outgoing segments and drops any inbound > > > segments. > > > > +However, during connection negotiation, a non-signed segment will be > > > accepted if > > > > +an SADB entry does not exist between hosts. > > > > +When a non-signed segment is accepted, the established connection > is n= > > ot > > > > +protected with MD5 digests. > > > > .It Dv TCP_STATS > > > > Manage collection of connection level statistics using the > > > > .Xr stats 3 > > > > diff --git a/sys/netinet/tcp_syncache.c b/sys/netinet/tcp_syncache.c > > > > index 7dd8443cad65..32ca3bc2209b 100644 > > > > --- a/sys/netinet/tcp_syncache.c > > > > +++ b/sys/netinet/tcp_syncache.c > > > > @@ -1514,19 +1514,25 @@ syncache_add(struct in_conninfo *inc, struct > > > tcpopt *to, struct tcphdr *th, > > > > > > > > #if defined(IPSEC_SUPPORT) || defined(TCP_SIGNATURE) > > > > /* > > > > - * If listening socket requested TCP digests, check that > received > > > > - * SYN has signature and it is correct. If signature doesn't > matc= > > h > > > > - * or TCP_SIGNATURE support isn't enabled, drop the packet. > > > > + * When the socket is TCP-MD5 enabled check that, > > > > + * - a signed packet is valid > > > > + * - a non-signed packet does not have a security association > > > > + * > > > > + * If a signed packet fails validation or a non-signed packet > ha= > > s > > > a > > > > + * security association, the packet will be dropped. > > > > */ > > > > if (ltflags & TF_SIGNATURE) { > > > > - if ((to->to_flags & TOF_SIGNATURE) =3D=3D 0) { > > > > - TCPSTAT_INC(tcps_sig_err_nosigopt); > > > > - goto done; > > > > + if (to->to_flags & TOF_SIGNATURE) { > > > > + if (!TCPMD5_ENABLED() || > > > > + TCPMD5_INPUT(m, th, to->to_signature) !=3D > 0) > > > > + goto done; > > > > + } else { > > > > + if (TCPMD5_ENABLED() && > > > > + TCPMD5_INPUT(m, NULL, NULL) !=3D ENOENT) > > > > + goto done; > > > > } > > > > - if (!TCPMD5_ENABLED() || > > > > - TCPMD5_INPUT(m, th, to->to_signature) !=3D 0) > > > > - goto done; > > > > - } > > > > + } else if (to->to_flags & TOF_SIGNATURE) > > > > + goto done; > > > > #endif /* TCP_SIGNATURE */ > > > > /* > > > > * See if we already have an entry for this connection. > > > > @@ -1724,11 +1730,11 @@ skip_alloc: > > > > } > > > > #if defined(IPSEC_SUPPORT) || defined(TCP_SIGNATURE) > > > > /* > > > > - * If listening socket requested TCP digests, flag this in the > > > > + * If incoming packet has an MD5 signature, flag this in the > > > > * syncache so that syncache_respond() will do the right thing > > > > * with the SYN+ACK. > > > > */ > > > > - if (ltflags & TF_SIGNATURE) > > > > + if (to->to_flags & TOF_SIGNATURE) > > > > sc->sc_flags |=3D SCF_SIGNATURE; > > > > #endif /* TCP_SIGNATURE */ > > > > if (to->to_flags & TOF_SACKPERM) > > > > diff --git a/sys/netipsec/xform_tcp.c b/sys/netipsec/xform_tcp.c > > > > index b53544cd00fb..ce2552f0a205 100644 > > > > --- a/sys/netipsec/xform_tcp.c > > > > +++ b/sys/netipsec/xform_tcp.c > > > > @@ -269,6 +269,11 @@ tcp_ipsec_input(struct mbuf *m, struct tcphdr > *th, > > > u_char *buf) > > > > KMOD_TCPSTAT_INC(tcps_sig_err_buildsig); > > > > return (ENOENT); > > > > } > > > > + if (buf =3D=3D NULL) { > > > > + key_freesav(&sav); > > > > + KMOD_TCPSTAT_INC(tcps_sig_err_nosigopt); > > > > + return (EACCES); > > > > + } > > > > /* > > > > * tcp_input() operates with TCP header fields in host > > > > * byte order. We expect them in network byte order. > > > > --0000000000007a3ef705d58edcb7 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable


=
On Wed, Jan 12, 2022 at 1:27 PM Mike = Karels <mike@karels.net> wrote= :
Rob wrote:
= > For what it's worth, this behavior is consistent with OpenBSD.

That's a useful data point, thanks.

There is value in having the same semantics as OpenBSD for the TCP_MD5SIG option.

<= div>If OpenBSD's semantics of the TCP_MD5SIG option were different, I l= ikely would have taken a different approach. And also given that FreeBSD an= d OpenBSD's TCP_MD5SIG option had the same behavior until we diverged i= n 2017.

..that's how I ended up going in t= his direction

-Rob
=C2=A0
<= blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-l= eft:1px solid rgb(204,204,204);padding-left:1ex">
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 Mike

> -Rob


> >
> >=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0Mike=
> >
> > On 8 Jan 2022, at 19:45, Robert Wing wrote:
> >
> > > The branch main has been updated by rew:
> > >
> > > URL:
> > https://cgit= .FreeBSD.org/src/commit/?id=3D3Deb18708ec8c7e1de6a05aba41971659=3D
> 549991b10
> > >
> > > commit eb18708ec8c7e1de6a05aba41971659549991b10
> > > Author:=C2=A0 =C2=A0 =C2=A0Robert Wing <rew@FreeBSD.org&g= t;
> > > AuthorDate: 2022-01-09 01:07:50 +0000
> > > Commit:=C2=A0 =C2=A0 =C2=A0Robert Wing <rew@FreeBSD.org&g= t;
> > > CommitDate: 2022-01-09 01:32:14 +0000
> > >
> > >=C2=A0 =C2=A0 =C2=A0syncache: accept packet with no SA when T= CP_MD5SIG is set
> > >
> > >=C2=A0 =C2=A0 =C2=A0When TCP_MD5SIG is set on a socket, all p= ackets are dropped that
> > don't
> > >=C2=A0 =C2=A0 =C2=A0contain an MD5 signature. Relax this beha= vior to accept a non-signe=3D
> d
> > >=C2=A0 =C2=A0 =C2=A0packet when a security association doesn&= #39;t exist with the peer.
> > >
> > >=C2=A0 =C2=A0 =C2=A0This is useful when a listen socket set w= ith TCP_MD5SIG wants to
> > handle
> > >=C2=A0 =C2=A0 =C2=A0connections protected with and without MD= 5 signatures.
> > >
> > >=C2=A0 =C2=A0 =C2=A0Reviewed by:=C2=A0 =C2=A0 bz (previous ve= rsion)
> > >=C2=A0 =C2=A0 =C2=A0Sponsored by:=C2=A0 =C2=A0nepustil.net
> > >=C2=A0 =C2=A0 =C2=A0Sponsored by:=C2=A0 =C2=A0Klara Inc.
> > >=C2=A0 =C2=A0 =C2=A0Differential Revision:=C2=A0 htt= ps://reviews.freebsd.org/D33227
> > > ---
> > >=C2=A0 share/man/man4/tcp.4=C2=A0 =C2=A0 =C2=A0 =C2=A0|=C2=A0= 6 +++++-
> > >=C2=A0 sys/netinet/tcp_syncache.c | 30 ++++++++++++++++++----= --------
> > >=C2=A0 sys/netipsec/xform_tcp.c=C2=A0 =C2=A0|=C2=A0 5 +++++ > > >=C2=A0 3 files changed, 28 insertions(+), 13 deletions(-)
> > >
> > > diff --git a/share/man/man4/tcp.4 b/share/man/man4/tcp.4
> > > index 17138fa224ba..d103293132ba 100644
> > > --- a/share/man/man4/tcp.4
> > > +++ b/share/man/man4/tcp.4
> > > @@ -34,7 +34,7 @@
> > >=C2=A0 .\"=C2=A0 =C2=A0 =C2=A0From: @(#)tcp.4=C2=A0 =C2= =A0 =C2=A0 8.1 (Berkeley) 6/5/93
> > >=C2=A0 .\" $FreeBSD$
> > >=C2=A0 .\"
> > > -.Dd June 27, 2021
> > > +.Dd January 8, 2022
> > >=C2=A0 .Dt TCP 4
> > >=C2=A0 .Os
> > >=C2=A0 .Sh NAME
> > > @@ -339,6 +339,10 @@ This entry can only be specified on a p= er-host
> > basis at this time.
> > >=C2=A0 .Pp
> > >=C2=A0 If an SADB entry cannot be found for the destination,<= br> > > >=C2=A0 the system does not send any outgoing segments and dro= ps any inbound
> > segments.
> > > +However, during connection negotiation, a non-signed segmen= t will be
> > accepted if
> > > +an SADB entry does not exist between hosts.
> > > +When a non-signed segment is accepted, the established conn= ection is n=3D
> ot
> > > +protected with MD5 digests.
> > >=C2=A0 .It Dv TCP_STATS
> > >=C2=A0 Manage collection of connection level statistics using= the
> > >=C2=A0 .Xr stats 3
> > > diff --git a/sys/netinet/tcp_syncache.c b/sys/netinet/tcp_sy= ncache.c
> > > index 7dd8443cad65..32ca3bc2209b 100644
> > > --- a/sys/netinet/tcp_syncache.c
> > > +++ b/sys/netinet/tcp_syncache.c
> > > @@ -1514,19 +1514,25 @@ syncache_add(struct in_conninfo *inc= , struct
> > tcpopt *to, struct tcphdr *th,
> > >
> > >=C2=A0 #if defined(IPSEC_SUPPORT) || defined(TCP_SIGNATURE) > > >=C2=A0 =C2=A0 =C2=A0 =C2=A0/*
> > > -=C2=A0 =C2=A0 =C2=A0 * If listening socket requested TCP di= gests, check that received
> > > -=C2=A0 =C2=A0 =C2=A0 * SYN has signature and it is correct.= If signature doesn't matc=3D
> h
> > > -=C2=A0 =C2=A0 =C2=A0 * or TCP_SIGNATURE support isn't e= nabled, drop the packet.
> > > +=C2=A0 =C2=A0 =C2=A0 * When the socket is TCP-MD5 enabled c= heck that,
> > > +=C2=A0 =C2=A0 =C2=A0 *=C2=A0 - a signed packet is valid
> > > +=C2=A0 =C2=A0 =C2=A0 *=C2=A0 - a non-signed packet does not= have a security association
> > > +=C2=A0 =C2=A0 =C2=A0 *
> > > +=C2=A0 =C2=A0 =C2=A0 *=C2=A0 If a signed packet fails valid= ation or a non-signed packet ha=3D
> s
> > a
> > > +=C2=A0 =C2=A0 =C2=A0 *=C2=A0 security association, the pack= et will be dropped.
> > >=C2=A0 =C2=A0 =C2=A0 =C2=A0 */
> > >=C2=A0 =C2=A0 =C2=A0 =C2=A0if (ltflags & TF_SIGNATURE) {<= br> > > > -=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0if ((to->= ;to_flags & TOF_SIGNATURE) =3D3D=3D3D 0) {
> > > -=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0TCPSTAT_INC(tcps_sig_err_nosigopt);
> > > -=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0goto done;
> > > +=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0if (to->= to_flags & TOF_SIGNATURE) {
> > > +=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0if (!TCPMD5_ENABLED() ||
> > > +=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0TCPMD5_INPUT(m, th, to->to_signature) != =3D3D 0)
> > > +=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0goto done;
> > > +=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0} else { > > > +=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0if (TCPMD5_ENABLED() &&
> > > +=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0TCPMD5_INPUT(m, NULL, NULL) !=3D3D ENOENT) > > > +=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0goto done;
> > >=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0}
> > > -=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0if (!TCPMD5= _ENABLED() ||
> > > -=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0TCPMD5_INPUT(m, th, to->to_signature) !=3D3D 0)
> > > -=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0goto done;
> > > -=C2=A0 =C2=A0 =C2=A0}
> > > +=C2=A0 =C2=A0 =C2=A0} else if (to->to_flags & TOF_SI= GNATURE)
> > > +=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0goto done;<= br> > > >=C2=A0 #endif=C2=A0 =C2=A0 =C2=A0 =C2=A0/* TCP_SIGNATURE */ > > >=C2=A0 =C2=A0 =C2=A0 =C2=A0/*
> > >=C2=A0 =C2=A0 =C2=A0 =C2=A0 * See if we already have an entry= for this connection.
> > > @@ -1724,11 +1730,11 @@ skip_alloc:
> > >=C2=A0 =C2=A0 =C2=A0 =C2=A0}
> > >=C2=A0 #if defined(IPSEC_SUPPORT) || defined(TCP_SIGNATURE) > > >=C2=A0 =C2=A0 =C2=A0 =C2=A0/*
> > > -=C2=A0 =C2=A0 =C2=A0 * If listening socket requested TCP di= gests, flag this in the
> > > +=C2=A0 =C2=A0 =C2=A0 * If incoming packet has an MD5 signat= ure, flag this in the
> > >=C2=A0 =C2=A0 =C2=A0 =C2=A0 * syncache so that syncache_respo= nd() will do the right thing
> > >=C2=A0 =C2=A0 =C2=A0 =C2=A0 * with the SYN+ACK.
> > >=C2=A0 =C2=A0 =C2=A0 =C2=A0 */
> > > -=C2=A0 =C2=A0 =C2=A0if (ltflags & TF_SIGNATURE)
> > > +=C2=A0 =C2=A0 =C2=A0if (to->to_flags & TOF_SIGNATURE= )
> > >=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0sc->= ;sc_flags |=3D3D SCF_SIGNATURE;
> > >=C2=A0 #endif=C2=A0 =C2=A0 =C2=A0 =C2=A0/* TCP_SIGNATURE */ > > >=C2=A0 =C2=A0 =C2=A0 =C2=A0if (to->to_flags & TOF_SACK= PERM)
> > > diff --git a/sys/netipsec/xform_tcp.c b/sys/netipsec/xform_t= cp.c
> > > index b53544cd00fb..ce2552f0a205 100644
> > > --- a/sys/netipsec/xform_tcp.c
> > > +++ b/sys/netipsec/xform_tcp.c
> > > @@ -269,6 +269,11 @@ tcp_ipsec_input(struct mbuf *m, struct = tcphdr *th,
> > u_char *buf)
> > >=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0KMOD_T= CPSTAT_INC(tcps_sig_err_buildsig);
> > >=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0return= (ENOENT);
> > >=C2=A0 =C2=A0 =C2=A0 =C2=A0}
> > > +=C2=A0 =C2=A0 =C2=A0if (buf =3D3D=3D3D NULL) {
> > > +=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0key_freesav= (&sav);
> > > +=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0KMOD_TCPSTA= T_INC(tcps_sig_err_nosigopt);
> > > +=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0return (EAC= CES);
> > > +=C2=A0 =C2=A0 =C2=A0}
> > >=C2=A0 =C2=A0 =C2=A0 =C2=A0/*
> > >=C2=A0 =C2=A0 =C2=A0 =C2=A0 * tcp_input() operates with TCP h= eader fields in host
> > >=C2=A0 =C2=A0 =C2=A0 =C2=A0 * byte order. We expect them in n= etwork byte order.
> >
--0000000000007a3ef705d58edcb7--