From: Stephen Hemminger <shemminger@vyatta.com>
To: "Adam Langley" <agl@imperialviolet.org>
Cc: "David Miller" <davem@davemloft.net>,
吉藤英明 <yoshfuji@linux-ipv6.org>,
netdev@vger.kernel.org
Subject: Re: TCP MD5 and socket accept
Date: Thu, 26 Jun 2008 14:33:58 -0700
Message-ID: <20080626143358.53fa9117@extreme>
In-Reply-To: <396556a20806260746s351ca696xb44b9b4d6bf257c2@mail.gmail.com>
On Thu, 26 Jun 2008 07:46:59 -0700
"Adam Langley" <agl@imperialviolet.org> wrote:
> On Wed, Jun 25, 2008 at 10:56 PM, Stephen Hemminger
> <shemminger@vyatta.com> wrote:
> > What will break if tcp_create_openreq_child was fixed to copy md5_info if
> > present?
> >
> > This all comes about because right now using Quagga a Linux to Linux
> > works with TCP MD5. But a Linux to Cisco connection fails if using
> > TCP MD5.
>
> I'll have a look at this later today but, as you say, Linux to Linux
> works, and getting the key wrong certainly breaks it (and without
> setsockopt on the child, I believe). So some MD5 information is
> getting copied from listening sockets to children.
>
> Also note the MD5 on Linux is pretty badly broken in the face of
> packet loss at the moment. I have patches floating around to fix it,
> but not in any trees yet.
>
>
> AGL
>
The problem is that md5 calculation assumes that the data buffer is
linear! It doesn't handle any kind of scatter-gather in skb!
    int tcp_calc_md5_hash(char *md5_hash, struct tcp_md5sig_key *key,
                          int bplen,
                          struct tcphdr *th, unsigned int tcplen,
                          struct tcp_md5sig_pool *hp)
    {
    ...
            /* 3. The TCP segment data (if any) */
            data_len = tcplen - (th->doff << 2);
            if (data_len > 0) {
                    u8 *data = (u8 *)th + (th->doff << 2);
                    sg_set_buf(&sg[block++], data, data_len);
                    nbytes += data_len;
            }
This is wrong, it needs to handle fragmented skb's. I'll work out a patch
but it means passing skb to calc_md5_hash or just turn off using scatter/gather
on MD5 connections.
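The coverage gap described above, shown as an added user-space model that is not code from this thread or from the kernel. It assumes a constructed stand-in for a non-linear skb (a linear head plus paged fragments) and uses FNV-1a in place of the MD5 pool, since only which bytes the digest covers matters for the point: on a fragmented skb the linear path signs only the head, so the signature no longer matches what the peer computes over the full segment.

```c
#include <stddef.h>
#include <stdint.h>
/* Constructed model of a non-linear sk_buff: a linear head (TCP header plus
 * the first payload bytes) and paged fragments. Not the kernel's struct. */
struct frag { const uint8_t *data; size_t len; };
struct model_skb {
    const uint8_t *head;    /* starts at the TCP header */
    size_t headlen;         /* linear bytes (skb_headlen) */
    struct frag frags[4];   /* paged data (skb_shinfo(skb)->frags) */
    int nr_frags;
};
/* FNV-1a stands in for the MD5 pool; only which bytes get covered matters. */
#define FNV_INIT 0xcbf29ce484222325ULL
static uint64_t fnv_update(uint64_t h, const uint8_t *p, size_t n)
{
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}
/* Linear assumption from the quoted tcp_calc_md5_hash(): data_len bytes are
 * taken right after the header. In the kernel this reads beyond the head
 * buffer of a non-linear skb; the model clamps to the bytes that exist.
 * Returns how many bytes the digest actually covered. */
size_t hash_linear(const struct model_skb *skb, size_t hdrlen, size_t tcplen,
                   uint64_t *digest)
{
    size_t data_len = tcplen - hdrlen, avail = skb->headlen - hdrlen;
    size_t n = data_len < avail ? data_len : avail;
    *digest = fnv_update(FNV_INIT, skb->head, hdrlen + n);
    return hdrlen + n;
}
/* Fragment-aware version: head first, then one piece per paged fragment,
 * the way one sg entry per piece would be fed to the hash. */
size_t hash_sg(const struct model_skb *skb, uint64_t *digest)
{
    uint64_t h = fnv_update(FNV_INIT, skb->head, skb->headlen);
    size_t covered = skb->headlen;
    for (int i = 0; i < skb->nr_frags; i++) {
        h = fnv_update(h, skb->frags[i].data, skb->frags[i].len);
        covered += skb->frags[i].len;
    }
    *digest = h;
    return covered;
}
/* Constructed sample: 20-byte header (doff=5), "hello " linear, "world" paged. */
static const uint8_t sample_head[26] = { [12] = 0x50, [20] = 'h','e','l','l','o',' ' };
static const uint8_t sample_frag[5] = { 'w','o','r','l','d' };
const struct model_skb sample_nonlinear = { sample_head, 26, {{ sample_frag, 5 }}, 1 };
const struct model_skb sample_linear = { sample_head, 26, {{ 0, 0 }}, 0 };
```

On the linear sample both paths cover the same 26 bytes and agree, which is why the defect stays invisible until a non-linear skb shows up; on the fragmented sample the linear path covers 26 of 31 bytes and the digests diverge.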
Thread overview:
2008-06-26 5:56 TCP MD5 and socket accept Stephen Hemminger
2008-06-26 14:46 ` Adam Langley
2008-06-26 20:37 ` Adam Langley
2008-06-26 21:33 ` Stephen Hemminger [this message]
2008-06-27 18:28 ` [PATCH] TCP MD5 needs to disable Scatter/Gather Stephen Hemminger
2008-06-27 5:39 ` [PATCH] TCP MD5 and TSO/SG breakage Stephen Hemminger
2008-06-27 18:21 ` Stephen Hemminger
2008-06-27 18:28 ` Adam Langley