From nobody Sun Jan 09 01:45:09 2022 X-Original-To: dev-commits-src-main@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id B61A51944565; Sun, 9 Jan 2022 01:45:10 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4JWfsf1YJHz3h8S; Sun, 9 Jan 2022 01:45:10 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 1432E1540; Sun, 9 Jan 2022 01:45:10 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 2091j9R2028720; Sun, 9 Jan 2022 01:45:09 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 2091j96M028719; Sun, 9 Jan 2022 01:45:09 GMT (envelope-from git) Date: Sun, 9 Jan 2022 01:45:09 GMT Message-Id: <202201090145.2091j96M028719@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: Robert Wing Subject: git: eb18708ec8c7 - main - syncache: accept packet with no SA when TCP_MD5SIG is set List-Id: Commit messages for the main branch of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-main@freebsd.org X-BeenThere: dev-commits-src-main@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: rew X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: eb18708ec8c7e1de6a05aba41971659549991b10 Auto-Submitted: auto-generated ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1641692710; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=kIJRS98UlmR38ERntthUgUOJ/zJ50o3Fj8zw/wf7Wfk=; b=aB4Z7l0GZ0MlzOq67jUiWzEp1Noth2L7Qai86+BFIqh0WI89fcGmLgCPVluQ40hH1Wo8vN 6cNm4mIvCfDj7JnvKkp39DjF0G/kkc6NJULWQBmrsOTzS4LayKIZ3eSJ9SEnVdQ/OCr7jK gix1h2mFPmKDlS8aRaWwJV0AQo4LHhDoOnF7YqMBP+D1nda9tkzHHHBTM3URztLX/p0pxc muDuRfDNLh6yr9UyNz+b4Xf7VSJl5fYo7neE0H62KlJ2HKma/QPfvYyCyEU7kReh7tSLwG FFObimdECCuOqDEe2v9MoRj4RmfUavAOVfZLjpq9f0YKSZsV6LUlVIJpfxgIIg== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1641692710; a=rsa-sha256; cv=none; b=rjygmS/OgZYpoa3X/joo1nbPDu7psNURTILevE1d4/3+2zNvKnTmCMBlDJukW/Bt1Pg6qf nOGZ9tIBks70r8aDLqfSmuDOtsic5B7OLK+/SncVbiUDrueT9W0/o62kRx3qvUaS1KUb45 +uAokwcK8xCafVm0Iw39CbKNTrs8DWtFGDa41OsyqAjDH9K7s8qly0+pDUwm7WCEYq20Xk KTUsrGbDBnRXlxvnelRSOx1LmSRlw8EGnzGllywLErnOb887ixL6sW1GX6T3PGimiEX8Zx guNNsEx947YNNiFnqmCRyB3ESSRv2pWkXYH7gIMmXfnQIN6nl96BxPTuTau9WA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none X-ThisMailContainsUnwantedMimeParts: N The branch main has been updated by rew: URL: https://cgit.FreeBSD.org/src/commit/?id=eb18708ec8c7e1de6a05aba41971659549991b10 commit eb18708ec8c7e1de6a05aba41971659549991b10 Author: Robert Wing AuthorDate: 2022-01-09 01:07:50 +0000 Commit: Robert Wing CommitDate: 2022-01-09 01:32:14 +0000 syncache: accept packet with no SA when TCP_MD5SIG is set When TCP_MD5SIG is set on a socket, all packets are dropped that don't contain an MD5 signature. Relax this behavior to accept a non-signed packet when a security association doesn't exist with the peer. This is useful when a listen socket set with TCP_MD5SIG wants to handle connections protected with and without MD5 signatures. Reviewed by: bz (previous version) Sponsored by: nepustil.net Sponsored by: Klara Inc. Differential Revision: https://reviews.freebsd.org/D33227 --- share/man/man4/tcp.4 | 6 +++++- sys/netinet/tcp_syncache.c | 30 ++++++++++++++++++------------ sys/netipsec/xform_tcp.c | 5 +++++ 3 files changed, 28 insertions(+), 13 deletions(-) diff --git a/share/man/man4/tcp.4 b/share/man/man4/tcp.4 index 17138fa224ba..d103293132ba 100644 --- a/share/man/man4/tcp.4 +++ b/share/man/man4/tcp.4 @@ -34,7 +34,7 @@ .\" From: @(#)tcp.4 8.1 (Berkeley) 6/5/93 .\" $FreeBSD$ .\" -.Dd June 27, 2021 +.Dd January 8, 2022 .Dt TCP 4 .Os .Sh NAME @@ -339,6 +339,10 @@ This entry can only be specified on a per-host basis at this time. .Pp If an SADB entry cannot be found for the destination, the system does not send any outgoing segments and drops any inbound segments. +However, during connection negotiation, a non-signed segment will be accepted if +an SADB entry does not exist between hosts. +When a non-signed segment is accepted, the established connection is not +protected with MD5 digests. .It Dv TCP_STATS Manage collection of connection level statistics using the .Xr stats 3 diff --git a/sys/netinet/tcp_syncache.c b/sys/netinet/tcp_syncache.c index 7dd8443cad65..32ca3bc2209b 100644 --- a/sys/netinet/tcp_syncache.c +++ b/sys/netinet/tcp_syncache.c @@ -1514,19 +1514,25 @@ syncache_add(struct in_conninfo *inc, struct tcpopt *to, struct tcphdr *th, #if defined(IPSEC_SUPPORT) || defined(TCP_SIGNATURE) /* - * If listening socket requested TCP digests, check that received - * SYN has signature and it is correct. If signature doesn't match - * or TCP_SIGNATURE support isn't enabled, drop the packet. + * When the socket is TCP-MD5 enabled check that, + * - a signed packet is valid + * - a non-signed packet does not have a security association + * + * If a signed packet fails validation or a non-signed packet has a + * security association, the packet will be dropped. */ if (ltflags & TF_SIGNATURE) { - if ((to->to_flags & TOF_SIGNATURE) == 0) { - TCPSTAT_INC(tcps_sig_err_nosigopt); - goto done; + if (to->to_flags & TOF_SIGNATURE) { + if (!TCPMD5_ENABLED() || + TCPMD5_INPUT(m, th, to->to_signature) != 0) + goto done; + } else { + if (TCPMD5_ENABLED() && + TCPMD5_INPUT(m, NULL, NULL) != ENOENT) + goto done; } - if (!TCPMD5_ENABLED() || - TCPMD5_INPUT(m, th, to->to_signature) != 0) - goto done; - } + } else if (to->to_flags & TOF_SIGNATURE) + goto done; #endif /* TCP_SIGNATURE */ /* * See if we already have an entry for this connection. @@ -1724,11 +1730,11 @@ skip_alloc: } #if defined(IPSEC_SUPPORT) || defined(TCP_SIGNATURE) /* - * If listening socket requested TCP digests, flag this in the + * If incoming packet has an MD5 signature, flag this in the * syncache so that syncache_respond() will do the right thing * with the SYN+ACK. */ - if (ltflags & TF_SIGNATURE) + if (to->to_flags & TOF_SIGNATURE) sc->sc_flags |= SCF_SIGNATURE; #endif /* TCP_SIGNATURE */ if (to->to_flags & TOF_SACKPERM) diff --git a/sys/netipsec/xform_tcp.c b/sys/netipsec/xform_tcp.c index b53544cd00fb..ce2552f0a205 100644 --- a/sys/netipsec/xform_tcp.c +++ b/sys/netipsec/xform_tcp.c @@ -269,6 +269,11 @@ tcp_ipsec_input(struct mbuf *m, struct tcphdr *th, u_char *buf) KMOD_TCPSTAT_INC(tcps_sig_err_buildsig); return (ENOENT); } + if (buf == NULL) { + key_freesav(&sav); + KMOD_TCPSTAT_INC(tcps_sig_err_nosigopt); + return (EACCES); + } /* * tcp_input() operates with TCP header fields in host * byte order. We expect them in network byte order.