Fix for 2 bugs related to TCP Signatures :

- If the peer sends the Signature option in the SYN, use of Timestamps
  and Window Scaling were disabled (even if the peer supports them).
- The sender must not disable signatures if the option is absent in
  the received SYN. (See comment in syncache_add()).

Found, Submitted by:	Noritoshi Demizu <demizu at dd dot ij4u dot or dot jp>.
Reviewed by:		Mohan Srinivasan <mohans at yahoo-inc dot com>.

1 files changed, 10 insertions, 7 deletions

diff --git a/sys/netinet/tcp_syncache.c b/sys/netinet/tcp_syncache.c
index b95efb6..e2e9254 100644
--- a/sys/netinet/tcp_syncache.c
+++ b/sys/netinet/tcp_syncache.c
@@ -977,14 +977,17 @@ syncache_add(inc, to, th, sop, m)
 		sc->sc_flags = SCF_NOOPT;
 #ifdef TCP_SIGNATURE
 	/*
-	 * If listening socket requested TCP digests, and received SYN
-	 * contains the option, flag this in the syncache so that
-	 * syncache_respond() will do the right thing with the SYN+ACK.
-	 * XXX Currently we always record the option by default and will
-	 * attempt to use it in syncache_respond().
+	 * If listening socket requested TCP digests, flag this in the 
+	 * syncache so that syncache_respond() will do the right thing 
+	 * with the SYN+ACK.
+	 *
+	 * RFC 2395, Section 2.0, says
+	 * "Unlike other TCP extensions (e.g., the Window Scale option
+	 * [RFC1323]), the absence of the option in the SYN,ACK segment must not
+	 * cause the sender to disable its sending of signatures".
 	 */
-	if (to->to_flags & TOF_SIGNATURE)
-		sc->sc_flags = SCF_SIGNATURE;
+	if (tp->t_flags & TF_SIGNATURE)
+		sc->sc_flags |= SCF_SIGNATURE;
 #endif
 
 	if (to->to_flags & TOF_SACK)