From 2e19c21f223f834300d9e8b7fc46636902205453 Mon Sep 17 00:00:00 2001
From: attilio
Date: Mon, 25 Apr 2011 17:13:40 +0000
Subject: Add the possibility to verify MD5 hash of incoming TCP packets.

As long as this is a costy function, even when compiled in (along with the option TCP_SIGNATURE), it can be disabled via the net.inet.tcp.signature_verify_input sysctl.

Sponsored by: Sandvine Incorporated
Reviewed by: emaste, bz
MFC after: 2 weeks
---
 sys/netinet/tcp_var.h | 9 +++++++++
 1 file changed, 9 insertions(+)

(limited to 'sys/netinet/tcp_var.h')

diff --git a/sys/netinet/tcp_var.h b/sys/netinet/tcp_var.h
index e265057..5d92d87 100644
--- a/sys/netinet/tcp_var.h
+++ b/sys/netinet/tcp_var.h
@@ -485,6 +485,13 @@ struct tcpstat {
 u_long tcps_ecn_shs; /* ECN successful handshakes */
 u_long tcps_ecn_rcwnd; /* # times ECN reduced the cwnd */
 
+ /* TCP_SIGNATURE related stats */
+ u_long tcps_sig_rcvgoodsig; /* Total matching signature received */
+ u_long tcps_sig_rcvbadsig; /* Total bad signature received */
+ u_long tcps_sig_err_buildsig; /* Mismatching signature received */
+ u_long tcps_sig_err_sigopt; /* No signature expected by socket */
+ u_long tcps_sig_err_nosigopt; /* No signature provided by segment */
+
 u_long _pad[12]; /* 6 UTO, 6 TBD */
 };
 
@@ -684,6 +691,8 @@ int tcp_twrespond(struct tcptw *, int);
 void tcp_setpersist(struct tcpcb *);
 #ifdef TCP_SIGNATURE
 int tcp_signature_compute(struct mbuf *, int, int, int, u_char *, u_int);
+int tcp_signature_verify(struct mbuf *, int, int, int, struct tcpopt *,
+ struct tcphdr *, u_int);
 #endif
 void tcp_slowtimo(void);
 struct tcptemp *
--
cgit v1.1
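Review bot: The comment on `tcps_sig_err_buildsig` reads `/* Mismatching signature received */`, which is the same condition `tcps_sig_rcvbadsig` already counts on the line above, while the name suggests it counts the case where a signature could not be computed for the segment. If that is what the implementation increments (it is not part of this diff), change it to `u_long tcps_sig_err_buildsig; /* Failed to compute signature */` so readers of the exported stats can tell the two apart. A related point in the same hunk: the five counters are inserted ahead of `_pad[12]` without consuming it, so `sizeof(struct tcpstat)` grows; if the pad exists to keep the exported struct layout stable across the planned MFC, carve the new fields out of it and update the `6 UTO, 6 TBD` note accordingly. From a monitoring standpoint a rising `tcps_sig_rcvbadsig` or `tcps_sig_err_nosigopt` is exactly what an operator would alert on, so accurate, non-overlapping descriptions matter here.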
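Review bot: The new `tcp_signature_verify` prototype gives no hint of its return contract, and because its result gates whether a segment is accepted, an inverted check at the call site would silently accept unsigned or badly signed traffic. Add a one-line comment above the declaration stating the convention the implementation uses, e.g. `/* Returns 0 when the segment's MD5 signature verifies, nonzero otherwise. */`, adjusted to whatever the function actually returns. The three positional `int` arguments mirror `tcp_signature_compute` and are presumably the same offset/length values; naming them in the prototype would make a transposed argument at the new call site easier to spot. The enclosing `#ifdef TCP_SIGNATURE` block is fully contained in the hunk.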