Date: Sun, 25 Jun 2023 19:26:55 GMT
Message-Id: <202306251926.35PJQteT024982@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Michael Tuexen
Subject: git: edff1d344c6b - stable/13 - tcp: fix TCP MD5 computation for the BBR and RACK stack
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches

The branch stable/13 has been updated by tuexen:

URL: https://cgit.FreeBSD.org/src/commit/?id=edff1d344c6bf8f3de2ba1e36b2807fd6d1e7ea8

commit edff1d344c6bf8f3de2ba1e36b2807fd6d1e7ea8
Author: Michael Tuexen
AuthorDate: 2023-06-21 20:54:33 +0000
Commit: Michael Tuexen
CommitDate: 2023-06-25 19:26:32 +0000

    tcp: fix TCP MD5 computation for the BBR and RACK stack

    PR: 253096
    Reviewed by: cc, rscheff
    Sponsored by: Netflix, Inc.
    Differential Revision: https://reviews.freebsd.org/D40597

    (cherry picked from commit 02b885b09d1e90574162a1442b9ede06cef2b13a)
--- sys/netinet/tcp_stacks/bbr.c | 10 +++---- sys/netinet/tcp_stacks/rack.c | 66 ++++++++++++++++++++++++++++++++++++------- 2 files changed, 61 insertions(+), 15 deletions(-) diff --git a/sys/netinet/tcp_stacks/bbr.c b/sys/netinet/tcp_stacks/bbr.c index 1b4abfb6f5c4..e0cf524c49ea 100644 --- a/sys/netinet/tcp_stacks/bbr.c +++ b/sys/netinet/tcp_stacks/bbr.c @@ -13501,6 +13501,11 @@ send: * the pointer in case of a stack switch. */ tp->snd_up = tp->snd_una; + /* + * Put TCP length in extended header, and then checksum extended + * header and data. + */ + m->m_pkthdr.len = hdrlen + len; /* in6_cksum() need this */ #if defined(IPSEC_SUPPORT) || defined(TCP_SIGNATURE) if (to.to_flags & TOF_SIGNATURE) { 
@@ -13520,11 +13525,6 @@ send: } #endif - /* - * Put TCP length in extended header, and then checksum extended - * header and data. - */ - m->m_pkthdr.len = hdrlen + len; /* in6_cksum() need this */ #ifdef INET6 if (isipv6) { /* diff --git a/sys/netinet/tcp_stacks/rack.c b/sys/netinet/tcp_stacks/rack.c index ead81528ace5..09a1b3ee6464 100644 --- a/sys/netinet/tcp_stacks/rack.c +++ b/sys/netinet/tcp_stacks/rack.c @@ -15265,6 +15265,11 @@ rack_fast_rsm_output(struct tcpcb *tp, struct tcp_rack *rack, struct rack_sendma to.to_tsecr = tp->ts_recent; to.to_flags = TOF_TS; } +#if defined(IPSEC_SUPPORT) || defined(TCP_SIGNATURE) + /* TCP-MD5 (RFC2385). */ + if (tp->t_flags & TF_SIGNATURE) + to.to_flags |= TOF_SIGNATURE; +#endif optlen = tcp_addoptions(&to, opt); hdrlen += optlen; udp = rack->r_ctl.fsb.udp; @@ -15397,6 +15402,24 @@ rack_fast_rsm_output(struct tcpcb *tp, struct tcp_rack *rack, struct rack_sendma } m->m_pkthdr.rcvif = (struct ifnet *)0; m->m_pkthdr.len = hdrlen + len; /* in6_cksum() need this */ +#if defined(IPSEC_SUPPORT) || defined(TCP_SIGNATURE) + if (to.to_flags & TOF_SIGNATURE) { + /* + * Calculate MD5 signature and put it into the place + * determined before. + * NOTE: since TCP options buffer doesn't point into + * mbuf's data, calculate offset and use it. + */ + if (!TCPMD5_ENABLED() || TCPMD5_OUTPUT(m, th, + (u_char *)(th + 1) + (to.to_signature - opt)) != 0) { + /* + * Do not send segment if the calculation of MD5 + * digest has failed. + */ + goto failed; + } + } +#endif #ifdef INET6 if (rack->r_is_v6) { if (tp->t_port) { @@ -15734,6 +15757,11 @@ rack_fast_output(struct tcpcb *tp, struct tcp_rack *rack, uint64_t ts_val, to.to_tsecr = tp->ts_recent; to.to_flags = TOF_TS; } +#if defined(IPSEC_SUPPORT) || defined(TCP_SIGNATURE) + /* TCP-MD5 (RFC2385). */ + if (tp->t_flags & TF_SIGNATURE) + to.to_flags |= TOF_SIGNATURE; +#endif optlen = tcp_addoptions(&to, opt); hdrlen += optlen; udp = rack->r_ctl.fsb.udp; 
@@ -15880,6 +15908,24 @@ again: flags |= TH_ECE; } m->m_pkthdr.len = hdrlen + len; /* in6_cksum() need this */ +#if defined(IPSEC_SUPPORT) || defined(TCP_SIGNATURE) + if (to.to_flags & TOF_SIGNATURE) { + /* + * Calculate MD5 signature and put it into the place + * determined before. + * NOTE: since TCP options buffer doesn't point into + * mbuf's data, calculate offset and use it. + */ + if (!TCPMD5_ENABLED() || TCPMD5_OUTPUT(m, th, + (u_char *)(th + 1) + (to.to_signature - opt)) != 0) { + /* + * Do not send segment if the calculation of MD5 + * digest has failed. + */ + goto failed; + } + } +#endif #ifdef INET6 if (rack->r_is_v6) { if (tp->t_port) { @@ -17521,7 +17567,7 @@ send: /* TCP-MD5 (RFC2385). */ if (tp->t_flags & TF_SIGNATURE) to.to_flags |= TOF_SIGNATURE; -#endif /* TCP_SIGNATURE */ +#endif /* Processing the options. */ hdrlen += optlen = tcp_addoptions(&to, opt); @@ -18047,6 +18093,15 @@ send: if (udp) udp = (struct udphdr *)(cpto + ((uint8_t *)rack->r_ctl.fsb.udp - rack->r_ctl.fsb.tcp_ip_hdr)); } + if (optlen) { + bcopy(opt, th + 1, optlen); + th->th_off = (sizeof(struct tcphdr) + optlen) >> 2; + } + /* + * Put TCP length in extended header, and then checksum extended + * header and data. + */ + m->m_pkthdr.len = hdrlen + len; /* in6_cksum() need this */ #if defined(IPSEC_SUPPORT) || defined(TCP_SIGNATURE) if (to.to_flags & TOF_SIGNATURE) { /* @@ -18065,15 +18120,6 @@ send: } } #endif - if (optlen) { - bcopy(opt, th + 1, optlen); - th->th_off = (sizeof(struct tcphdr) + optlen) >> 2; - } - /* - * Put TCP length in extended header, and then checksum extended - * header and data. - */ - m->m_pkthdr.len = hdrlen + len; /* in6_cksum() need this */ #ifdef INET6 if (isipv6) { /*
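Review bot: In the bbr.c hunks, the relocated comment above `m->m_pkthdr.len = hdrlen + len;` still names only checksumming and `in6_cksum()` as the reason for the assignment, although the point of the move is that it now runs ahead of the `TOF_SIGNATURE` block. Extend the comment to say that the packet length must be set before the TCP-MD5 signature is computed, so that a later cleanup does not move the assignment back below the `#endif`.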
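Review bot: In the rack_fast_rsm_output() hunk at -15397, the signature destination `(u_char *)(th + 1) + (to.to_signature - opt)` is only meaningful if the options built in `opt` have already been copied to `th + 1` in the mbuf, and no such copy is visible in the context of this hunk. The rack_output() part of this same patch moves `bcopy(opt, th + 1, optlen)` ahead of the signature block, so the ordering clearly matters; please confirm that the fast path copies the options and sets `th_off` before this block, and say so in the NOTE comment.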
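Review bot: In the rack_fast_output() hunk at -15880, the new `goto failed` sits under the `again:` label, so it can be taken on a repeat pass, and the hunk does not show what `failed` does with `m` or which error it reports when `!TCPMD5_ENABLED()` is the cause. Please confirm the mbuf is released and the failure is surfaced to the caller on that path. Separately, this block is now repeated verbatim in rack_fast_rsm_output(), rack_fast_output() and the `send:` path of rack.c; a small static helper taking `m`, `th`, `to` and `opt` would keep the three copies from drifting apart.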
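Review bot: In the rack.c `send:` hunks at -18047 and -18065, the fix consists entirely of running `bcopy(opt, th + 1, optlen)`, the `th->th_off` update and the `m->m_pkthdr.len` assignment before the `TOF_SIGNATURE` block, yet none of the moved lines records that dependency. Add one sentence to the moved comment stating that the options and the packet length must be in place before the MD5 digest is computed, since the digest is written into the option area at `th + 1`.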