rfc2385 (tcp md5 checksums) in -current broken?

Noritoshi Demizu demizu at dd.iij4u.or.jp
Wed Sep 21 02:41:50 PDT 2005


> > I think there is a bug in syncache_respond().

I am sorry, I was wrong.  syncache_respond() does not have such a bug.
The buggy thing was my brain...

> > In tcp_syncache.c rev 1.77, tcp_signature_compute() is called before
> > filling the TCP SACK Permitted option and the TCP EOL option.  I guess
> > it should be called after filling both the SACK Permitted and EOL option.

According to RFC2385, TCP options are excluded when computing the MD5 hash.
So, the TCP option fields can be rewritten after the MD5 hash is computed.
I misunderstood it.  I am sorry if I confused you.

My conclusion is that src/contrib/tcpdump/print-tcp.c has a bug,
and the patch below will fix it.

Regards,
Noritoshi Demizu


--- print-tcp.c-ORG	Thu Apr 21 15:36:05 2005
+++ print-tcp.c	Wed Sep 21 18:43:51 2005
@@ -799,7 +799,7 @@
 	MD5_Update(&ctx, tcpmd5secret, strlen(tcpmd5secret));
 	MD5_Final(sig, &ctx);
 
-	if (memcmp(rcvsig, sig, 16))
+	if (memcmp(rcvsig, sig, TCP_SIGLEN) == 0)
 		return (SIGNATURE_VALID);
 	else
 		return (SIGNATURE_INVALID);
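Review bot: the real fix here is the inverted test, not the constant: with `if (memcmp(rcvsig, sig, 16))` the nonzero (mismatch) case fell into `return (SIGNATURE_VALID)`, so tcpdump reported every bad signature as valid and every good one as invalid; the `== 0` restores the intended sense. The switch from the literal 16 to TCP_SIGLEN is unrelated cleanup folded into the same line; it is fine provided TCP_SIGLEN is visible in print-tcp.c and equals the 16 bytes MD5_Final writes into sig (the hunk does not show its definition), but a one-line logic fix is easier to review and to merge to other branches if the rename is kept as a separate change.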


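A worked illustration of the RFC 2385 rule discussed above (option bytes are excluded from the hash, so option contents can be rewritten after signing) and of the comparison sense the patch corrects, as an added example in Python. It is not code from tcpdump, the FreeBSD kernel or the poster. The addresses, ports and shared key are constructed, and the option layout (MSS, signature, then space for SACK-permitted and EOL filled in after signing) is an assumption modelled on the syncache discussion.

```python
"""RFC 2385 TCP MD5 signature: what is hashed and what is not (added example)."""
import hashlib
import hmac
import socket
import struct

TCP_SIGLEN = 16             # digest length; tcpdump's tcp.h defines the same constant
TCPOPT_EOL = 0
TCPOPT_NOP = 1
TCPOPT_MSS = 2
TCPOPT_SACK_PERMITTED = 4
TCPOPT_SIGNATURE = 19
TH_SYN = 0x02


def rfc2385_signature(src_ip, dst_ip, segment, key):
    """MD5 over the four pieces RFC 2385 section 2.0 lists, in order:
    pseudo-header, fixed 20-byte TCP header with the checksum field zeroed,
    payload, key.  Option bytes are skipped, but the data offset field and
    the pseudo-header segment length still cover their *length*, so option
    contents may be rewritten after signing while option length may not."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    doff = (segment[12] >> 4) * 4
    if not 20 <= doff <= len(segment):
        raise ValueError("bad data offset")
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src_ip),
                         socket.inet_aton(dst_ip), 0, socket.IPPROTO_TCP,
                         len(segment))
    fixed_hdr = segment[:16] + b"\x00\x00" + segment[18:20]
    md5 = hashlib.md5()
    for part in (pseudo, fixed_hdr, segment[doff:], key):
        md5.update(part)
    return md5.digest()


def build_segment(sport, dport, seq, ack, flags, window, options, payload=b""):
    """Assemble a TCP segment; the checksum is left 0 (the IP stack fills it)."""
    if len(options) % 4:
        raise ValueError("options must be padded to a multiple of 4 bytes")
    doff = (20 + len(options)) // 4
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, doff << 4,
                      flags, window, 0, 0)
    return hdr + options + payload


def signature_offset(segment):
    """Walk the option list; return the index of the 16-byte digest, or None."""
    doff = (segment[12] >> 4) * 4
    i = 20
    while i < doff:
        kind = segment[i]
        if kind == TCPOPT_EOL:
            return None
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= doff:
            return None
        length = segment[i + 1]
        if length < 2 or i + length > doff:
            return None
        if kind == TCPOPT_SIGNATURE and length == 2 + TCP_SIGLEN:
            return i + 2
        i += length
    return None


def sign(src_ip, dst_ip, segment, key):
    """Fill the already reserved signature option in place."""
    off = signature_offset(segment)
    if off is None:
        raise ValueError("no signature option reserved")
    sig = rfc2385_signature(src_ip, dst_ip, segment, key)
    return segment[:off] + sig + segment[off + TCP_SIGLEN:]


def signature_valid(src_ip, dst_ip, segment, key):
    """Receiver-side (or tcpdump-side) check: the digests must be EQUAL.
    The pre-patch tcpdump test 'if (memcmp(rcvsig, sig, 16))' returned
    SIGNATURE_VALID exactly when they differed."""
    off = signature_offset(segment)
    if off is None:
        return False
    rcvsig = segment[off:off + TCP_SIGLEN]
    return hmac.compare_digest(rcvsig, rfc2385_signature(src_ip, dst_ip, segment, key))


def demo():
    """Sign a SYN, then rewrite option contents versus option length."""
    key = b"constructed-shared-key"         # constructed, not a real key
    src, dst = "192.0.2.1", "192.0.2.2"     # documentation addresses
    mss = bytes([TCPOPT_MSS, 4]) + struct.pack("!H", 1460)
    sig_placeholder = bytes([TCPOPT_SIGNATURE, 2 + TCP_SIGLEN]) + bytes(TCP_SIGLEN)
    reserved = bytes(6)                     # room for SACK-permitted + EOL, filled later
    syn = build_segment(12345, 179, 0x11223344, 0, TH_SYN, 65535,
                        mss + sig_placeholder + reserved)
    signed = sign(src, dst, syn, key)
    # As in tcp_syncache.c: options written after the hash was taken (same length).
    sack_eol = bytes([TCPOPT_SACK_PERMITTED, 2, TCPOPT_EOL]) + bytes(3)
    rewritten = signed[:20 + len(mss) + len(sig_placeholder)] + sack_eol
    # A fixed-header field (sequence number) is covered by the hash.
    tampered = rewritten[:4] + bytes([rewritten[4] ^ 0x80]) + rewritten[5:]
    # Growing the option list changes the data offset and the pseudo-header
    # length, so the old digest no longer verifies even with equal contents.
    grown = build_segment(12345, 179, 0x11223344, 0, TH_SYN, 65535,
                          mss + sig_placeholder + bytes([TCPOPT_NOP]) * 4 + sack_eol)
    off = signature_offset(grown)
    grown = grown[:off] + rewritten[off:off + TCP_SIGLEN] + grown[off + TCP_SIGLEN:]
    return {
        "signed": signature_valid(src, dst, signed, key),
        "options_rewritten": signature_valid(src, dst, rewritten, key),
        "header_tampered": signature_valid(src, dst, tampered, key),
        "options_grown": signature_valid(src, dst, grown, key),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:18s} {'VALID' if ok else 'INVALID'}")
```

Running it prints VALID for the freshly signed SYN and for the copy whose reserved option bytes were overwritten with SACK-permitted and EOL after signing, and INVALID once a header field is changed or the option list is lengthened: the contents of the option area are free, its length is not.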