From: Stephen Hemminger <shemminger@vyatta.com>
To: "Adam Langley" <agl@imperialviolet.org>
Cc: "Evgeniy Polyakov" <johnpol@2ka.mipt.ru>, netdev@vger.kernel.org
Subject: Re: MD5 SG fix
Date: Thu, 3 Jul 2008 21:02:27 -0700 [thread overview]
Message-ID: <20080703210227.0df5e80a@extreme> (raw)
In-Reply-To: <396556a20807031707u26276f7dx8787f8b23d050087@mail.gmail.com>
On Thu, 3 Jul 2008 17:07:54 -0700
"Adam Langley" <agl@imperialviolet.org> wrote:
> On Tue, Jul 1, 2008 at 9:55 PM, Evgeniy Polyakov <johnpol@2ka.mipt.ru> wrote:
> > Why dont't you want to iterate over all provided data/page pointers with
> > crypto_hash_update() and do not mess with huge scatterlist arrays?
>
> You're right, it's easier that way. I was just stuck in the thinking
> of the original code.
>
> Stephen: I managed to test the SG stuff by setting up lo in jumbo
> frames mode, so no need to test it on your BGP stuff.
>
>
> Cheers,
>
> AGL
Here is patch to netcat which is one of the easier ways to test
this. Should also make sure sendfile() a.k.a splice still works.
--- a/src/netcat.c 2008-06-25 16:35:25.000000000 -0700
+++ b/src/netcat.c 2008-06-25 16:35:25.000000000 -0700
@@ -59,7 +59,7 @@ int opt_wait = 0; /* wait time */
char *opt_outputfile = NULL; /* hexdump output file */
char *opt_exec = NULL; /* program to exec after connecting */
nc_proto_t opt_proto = NETCAT_PROTO_TCP; /* protocol to use for connections */
-
+char *opt_md5 = NULL; /* signature to use on TCP connection */
/* signal handling */
@@ -192,6 +192,7 @@ int main(int argc, char *argv[])
{ "help", no_argument, NULL, 'h' },
{ "interval", required_argument, NULL, 'i' },
{ "listen", no_argument, NULL, 'l' },
+ { "md5", required_argument, NULL, 'M' },
{ "tunnel", required_argument, NULL, 'L' },
{ "dont-resolve", no_argument, NULL, 'n' },
{ "output", required_argument, NULL, 'o' },
@@ -216,7 +217,7 @@ int main(int argc, char *argv[])
{ 0, 0, 0, 0 }
};
- c = getopt_long(argc, argv, "cde:g:G:hi:lL:no:p:P:rs:S:tTuvVxw:z",
+ c = getopt_long(argc, argv, "cde:g:G:hi:lM:L:no:p:P:rs:S:tTuvVxw:z",
long_options, &option_index);
if (c == -1)
break;
@@ -247,6 +248,15 @@ int main(int argc, char *argv[])
ncprint(NCPRINT_ERROR | NCPRINT_EXIT,
_("Invalid interval time \"%s\""), optarg);
break;
+ case 'M': /* TCP MD5 */
+#ifdef TCP_MD5SIG
+ opt_md5 = strdup(optarg);
+#else
+ ncprint(NCPRINT_ERROR | NCPRINT_EXIT,
+ _("This platform does not support TCP MD5 option"));
+#endif
+ break;
+
case 'l': /* mode flag: listen mode */
if (netcat_mode != NETCAT_UNSPEC)
ncprint(NCPRINT_ERROR | NCPRINT_EXIT,
@@ -390,6 +400,13 @@ int main(int argc, char *argv[])
debug_v(("Trying to parse non-args parameters (argc=%d, optind=%d)", argc,
optind));
+#ifdef TCP_MD5SIG
+ if (opt_md5 && netcat_mode == NETCAT_LISTEN && optind == argc) {
+ ncprint(NCPRINT_ERROR | NCPRINT_EXIT,
+ _("Remote host required with MD5 option"));
+ }
+#endif
+
/* try to get an hostname parameter */
if (optind < argc) {
char *myhost = argv[optind++];
--- a/src/network.c 2008-06-25 16:35:25.000000000 -0700
+++ b/src/network.c 2008-06-26 11:47:04.000000000 -0700
@@ -375,6 +375,27 @@ int netcat_socket_new(int domain, int ty
return sock;
}
+#ifdef TCP_MD5SIG
+int netcat_tcp_md5(int sock, int family, const struct in_addr *addr, in_port_t port)
+{
+ struct sockaddr_in *remote;
+ struct tcp_md5sig tcpm;
+
+ memset(&tcpm, 0, sizeof(tcpm));
+
+ remote = (struct sockaddr_in *) &tcpm.tcpm_addr;
+ remote->sin_family = family;
+ remote->sin_port = port;
+ memcpy(&remote->sin_addr, addr, sizeof(*addr));
+
+ tcpm.tcpm_keylen = strlen(opt_md5);
+ memcpy(tcpm.tcpm_key, opt_md5, tcpm.tcpm_keylen);
+
+ return setsockopt(sock, IPPROTO_TCP, TCP_MD5SIG,
+ &tcpm, sizeof(tcpm));
+}
+#endif
+
/* Creates a full outgoing async socket connection in the specified `domain'
and `type' to the specified `addr' and `port'. The connection is
originated using the optionally specified `local_addr' and `local_port'.
@@ -432,6 +453,11 @@ int netcat_socket_new_connect(int domain
}
}
+#ifdef TCP_MD5SIG
+ if (opt_md5)
+ netcat_tcp_md5(sock, my_family, &rem_addr.sin_addr, rem_addr.sin_port);
+#endif
+
/* add the non-blocking flag to this socket */
if ((ret = fcntl(sock, F_GETFL, 0)) >= 0)
ret = fcntl(sock, F_SETFL, ret | O_NONBLOCK);
--- a/src/proto.h 2008-06-25 16:35:25.000000000 -0700
+++ b/src/proto.h 2008-06-25 16:35:25.000000000 -0700
@@ -62,6 +62,7 @@ extern nc_proto_t opt_proto;
extern FILE *output_fp;
extern bool use_stdin, signal_handler, got_sigterm, got_sigint, got_sigusr1,
commandline_need_newline;
+extern char *opt_md5;
/* network.c */
bool netcat_resolvehost(nc_host_t *dst, const char *name);
@@ -77,6 +78,8 @@ int netcat_socket_new_connect(int domain
int netcat_socket_new_listen(int domain, const struct in_addr *addr,
in_port_t port);
int netcat_socket_accept(int fd, int timeout);
+int netcat_tcp_md5(int fd, int family,
+ const struct in_addr *addr, in_port_t port);
/* telnet.c */
void netcat_telnet_parse(nc_sock_t *ncsock);
--- a/src/misc.c 2008-06-25 16:35:25.000000000 -0700
+++ b/src/misc.c 2008-06-25 16:35:25.000000000 -0700
@@ -317,6 +317,9 @@ void netcat_printhelp(char *argv0)
" -G, --pointer=NUM source-routing pointer: 4, 8, 12, ...\n"
" -h, --help display this help and exit\n"
" -i, --interval=SECS delay interval for lines sent, ports scanned\n"
+#ifdef TCP_MD5SIG
+" -M, --md5=PASSWD use TCP MD5 option\n"
+#endif
" -l, --listen listen mode, for inbound connects\n"));
printf(_(""
" -L, --tunnel=ADDRESS:PORT forward local port to remote address\n"
--- a/src/core.c 2008-06-25 16:35:25.000000000 -0700
+++ b/src/core.c 2008-06-26 11:45:49.000000000 -0700
@@ -420,6 +420,12 @@ static int core_tcp_listen(nc_sock_t *nc
ncprint(NCPRINT_ERROR | NCPRINT_EXIT,
_("Couldn't setup listening socket (err=%d)"), sock_listen);
+#ifdef TCP_MD5SIG
+ if (opt_md5)
+ netcat_tcp_md5(sock_listen, AF_INET,
+ &ncsock->host.iaddrs[0], ncsock->port.netnum);
+#endif
+
/* if the port was set to 0 this means that it is assigned randomly by the
OS. Find out which port they assigned to us. */
if (ncsock->local_port.num == 0) {
--- a/src/netcat.h 2008-06-25 16:35:25.000000000 -0700
+++ b/src/netcat.h 2008-06-25 16:35:25.000000000 -0700
@@ -42,6 +42,7 @@
#include <arpa/inet.h> /* inet_ntop(), inet_pton() */
/* other misc unchecked includes */
+#include <netinet/tcp.h>
#if 0
#include <netinet/in_systm.h> /* misc crud that netinet/ip.h references */
#include <netinet/ip.h> /* IPOPT_LSRR, header stuff */
prev parent reply other threads:[~2008-07-04 4:02 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-07-01 21:16 MD5 SG fix Adam Langley
2008-07-01 21:39 ` Stephen Hemminger
2008-07-01 21:48 ` Adam Langley
2008-07-01 21:49 ` Adam Langley
2008-07-01 22:38 ` Adam Langley
2008-07-01 22:46 ` Stephen Hemminger
2008-07-01 22:49 ` Stephen Hemminger
2008-07-01 22:52 ` Adam Langley
2008-07-01 23:10 ` Stephen Hemminger
2008-07-02 4:55 ` Evgeniy Polyakov
2008-07-04 0:07 ` Adam Langley
2008-07-04 4:02 ` Stephen Hemminger [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20080703210227.0df5e80a@extreme \
--to=shemminger@vyatta.com \
--cc=agl@imperialviolet.org \
--cc=johnpol@2ka.mipt.ru \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).