K 10
svn:author
V 2
ae
K 8
svn:date
V 27
2016-12-06T10:55:50.160652Z
K 7
svn:log
V 2154
Rework TCP_SIGNATURE support.

Move all TCP_SIGNATURE code into xform_tcp.c. Handle the TCP_MD5SIG socket option in the tcp_ipsec_pcbctl() function. Add tcp_ipsec_input() and tcp_ipsec_output() functions to check inbound segments and calculate the TCP-MD5 digest for outbound segments. Change how we handle signed and unsigned segments depending on the TCP_MD5SIG socket option.

tcp_input:
  Since we handle SYN and ACK in the syncache code, one of the TCP_SIGNATURE blocks in tcp_input() is dead code. Remove it.
  Modify syncache_expand() to return -1 when checking of the TCP-MD5 digest failed. RFC2385 requires that "failing comparison must result in the segment being dropped and must not produce any response back to the sender." If syncache_expand() returns -1, we just drop the segment.
  In other cases, if the socket has the TF_SIGNATURE flag and there is no signature in the segment - drop the segment. If signature verification fails - drop the segment.

tcp_output:
  If the socket has the TF_SIGNATURE flag, but the signature was not created (due to a missing SA) - drop the segment. From my point of view it is useless to send a TCP segment with a wrong signature (all zeroes). It will not pass inbound verification and we will not receive the reply.
  Change error handling in tcp_output() for the case when the error code is EACCESS. tcp_ipsec_output() returns EACCESS when the SA was not found. XXX: this needs proper review. Without this, if we are trying to initiate a TCP session but the SA is not yet installed, the connection will be aborted after the first failed try to send SYN.
  In tcp_addoptions() reset the TOF_SIGNATURE flag if some error occurs and no space was reserved for the signature.

tcp_subr:
  Remove the signature_verify_input sysctl. I don't see the reason when it could be useful.

tcp_syncache:
  In syncache_add(), if the listening socket has the TCP_MD5SIG option, first check that the received SYN has a signature, then check that it is correct. Do not create a cache entry in case of failed checks.
  In syncache_expand() check that the ACK has a valid signature; if not - drop it.
  In syncache_respond() do not send the segment if the signature was not created but it is required.
END
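The following is an added, user-space model of the RFC 2385 digest and of the accept/drop rules the commit message describes; it is example code written for this page, not FreeBSD's xform_tcp.c or any code from the commit. The SA lookup is replaced by a dict keyed on the peer address, the socket's TF_SIGNATURE state is a plain boolean, and a socket without TF_SIGNATURE is assumed to ignore a signature option rather than reject it (the commit does not state that case). The function names tcp_ipsec_input/tcp_ipsec_output are borrowed from the commit message for readability only; the signatures here are invented. The addresses, port, key and payload are constructed sample data.

```python
"""RFC 2385 TCP-MD5 option: digest computation, option parsing, and the
inbound/outbound drop decisions described in the commit message.  This is an
illustrative model (hypothetical helpers, constructed data), not FreeBSD code."""
import hashlib
import hmac
import struct

TCPOPT_EOL = 0
TCPOPT_NOP = 1
TCPOPT_SIGNATURE = 19        # option kind assigned by RFC 2385
TCPOLEN_SIGNATURE = 18       # kind + length + 16-byte MD5 digest
IPPROTO_TCP = 6
EACCES = 13                  # errno returned when no SA exists for the peer


def tcp_md5_digest(src_ip, dst_ip, tcp_hdr, data, key):
    """MD5 over: IPv4 pseudo-header, fixed 20-byte TCP header with checksum
    zeroed (options excluded), payload, then the connection key (RFC 2385 2.0).
    tcp_hdr includes options; its full length goes into the pseudo-header."""
    seglen = len(tcp_hdr) + len(data)
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, IPPROTO_TCP, seglen)
    fixed = tcp_hdr[:16] + b"\x00\x00" + tcp_hdr[18:20]
    h = hashlib.md5()
    for chunk in (pseudo, fixed, data, key):
        h.update(chunk)
    return h.digest()


def find_signature(tcp_hdr):
    """Walk the TCP option list; return (offset_of_digest, digest) or None.
    Stops on EOL or on a malformed option rather than reading past doff."""
    doff = (tcp_hdr[12] >> 4) * 4
    i = 20
    while i < doff:
        kind = tcp_hdr[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= doff:
            break
        olen = tcp_hdr[i + 1]
        if olen < 2 or i + olen > doff:
            break                                   # malformed option
        if kind == TCPOPT_SIGNATURE and olen == TCPOLEN_SIGNATURE:
            return i + 2, tcp_hdr[i + 2:i + 18]
        i += olen
    return None


def build_segment(sport, dport, seq, ack, flags, sign):
    """Fixed header plus, when sign is True, a zeroed signature option slot
    (the equivalent of tcp_addoptions() reserving space for TOF_SIGNATURE)."""
    opts = b""
    if sign:
        opts = (bytes([TCPOPT_SIGNATURE, TCPOLEN_SIGNATURE]) + b"\x00" * 16
                + bytes([TCPOPT_NOP, TCPOPT_NOP]))   # pad to 4-byte boundary
    doff = (20 + len(opts)) // 4
    fixed = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                        doff << 4, flags, 65535, 0, 0)
    return fixed + opts


def tcp_ipsec_output(src_ip, dst_ip, tcp_hdr, data, sa_table):
    """Fill the reserved slot with the digest.  Returns (errno, header).
    No SA for the peer -> (EACCES, None): the segment is not sent, so no
    all-zero digest ever goes on the wire."""
    sig = find_signature(tcp_hdr)
    if sig is None:
        return 0, tcp_hdr           # no slot reserved: socket is not signing
    key = sa_table.get(dst_ip)
    if key is None:
        return EACCES, None
    off, _ = sig
    digest = tcp_md5_digest(src_ip, dst_ip, tcp_hdr, data, key)
    return 0, tcp_hdr[:off] + digest + tcp_hdr[off + 16:]


def tcp_ipsec_input(src_ip, dst_ip, tcp_hdr, data, tf_signature, sa_table):
    """Return True to accept, False to drop silently (RFC 2385: no response).
    With TF_SIGNATURE set, an unsigned segment, a missing SA, or a digest
    mismatch all drop.  Assumption: without TF_SIGNATURE the option is ignored."""
    if not tf_signature:
        return True
    sig = find_signature(tcp_hdr)
    if sig is None:
        return False
    key = sa_table.get(src_ip)
    if key is None:
        return False
    want = tcp_md5_digest(src_ip, dst_ip, tcp_hdr, data, key)
    return hmac.compare_digest(sig[1], want)


def demo():
    """Constructed exchange 10.0.0.1 -> 10.0.0.2 (BGP port) with a shared key."""
    a, b = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    sa = {a: b"s3cret", b: b"s3cret"}        # each side keys its SA by peer
    payload = b"OPEN"
    hdr = build_segment(40000, 179, 1000, 0, 0x02, sign=True)
    err, signed = tcp_ipsec_output(a, b, hdr, payload, sa)
    unsigned = build_segment(40000, 179, 1000, 0, 0x02, sign=False)
    return {
        "sign_err": err,
        "good": tcp_ipsec_input(a, b, signed, payload, True, sa),
        "bad_key": tcp_ipsec_input(a, b, signed, payload, True, {a: b"wrong"}),
        "unsigned_required": tcp_ipsec_input(a, b, unsigned, payload, True, sa),
        "tampered": tcp_ipsec_input(a, b, signed, b"OPEM", True, sa),
        "no_sa_out": tcp_ipsec_output(a, b, hdr, payload, {})[0],
    }


if __name__ == "__main__":
    print(demo())
```

The digest deliberately excludes the option bytes, so the slot can be zero while the hash is computed and patched in afterwards; the comparison uses hmac.compare_digest so that a wrong digest takes the same time to reject as a nearly-right one.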