tcp_twrespond: send signed segment when connection is TCP-MD5

When a connection is established to use TCP-MD5, tcp_twrespond() doesn't
respond with a signed segment. This results in the host performing the
active close to remain in a TIME_WAIT state and the other host in the
LAST_ACK state. Fix this by sending a signed segment when the connection
is established to use TCP-MD5.

Reviewed by:	glebius
Differential Revision:	https://reviews.freebsd.org/D33490

sys/netinet/tcp_timewait.c

@@ -36,6 +36,7 @@ __FBSDID("$FreeBSD$");
 
 #include "opt_inet.h"
 #include "opt_inet6.h"
+#include "opt_ipsec.h"
 #include "opt_tcpdebug.h"
 
 #include <sys/param.h>
@@ -96,6 +97,9 @@ __FBSDID("$FreeBSD$");
 
 #include <netinet/udp.h>
 #include <netinet/udp_var.h>
+
+#include <netipsec/ipsec_support.h>
+
 #include <machine/in_cksum.h>
 
 #include <security/mac/mac_framework.h>
@@ -325,6 +329,7 @@ tcp_twstart(struct tcpcb *tp)
 	tw->t_port = tp->t_port;
 	tw->rcv_nxt = tp->rcv_nxt;
 	tw->tw_time = 0;
+	tw->tw_flags = tp->t_flags;
 
 /* XXX
  * If this code will
@@ -669,6 +674,10 @@ tcp_twrespond(struct tcptw *tw, int flags)
 		to.to_tsval = tcp_ts_getticks() + tw->ts_offset;
 		to.to_tsecr = tw->t_recent;
 	}
+#if defined(IPSEC_SUPPORT) || defined(TCP_SIGNATURE)
+	if (tw->tw_flags & TF_SIGNATURE)
+		to.to_flags |= TOF_SIGNATURE;
+#endif
 	optlen = tcp_addoptions(&to, (u_char *)(th + 1));
 
 	if (udp) {
@@ -686,6 +695,13 @@ tcp_twrespond(struct tcptw *tw, int flags)
 	th->th_flags = flags;
 	th->th_win = htons(tw->last_win);
 
+#if defined(IPSEC_SUPPORT) || defined(TCP_SIGNATURE)
+	if (tw->tw_flags & TF_SIGNATURE) {
+		if (!TCPMD5_ENABLED() ||
+		    TCPMD5_OUTPUT(m, th, to.to_signature) != 0)
+			return (-1);
+	}
+#endif
 #ifdef INET6
 	if (isipv6) {
 		if (tw->t_port) {

sys/netinet/tcp_var.h

@@ -535,6 +535,7 @@ struct tcptw {
 	u_int32_t	ts_offset;	/* our timestamp offset */
 	int		tw_time;
 	TAILQ_ENTRY(tcptw) tw_2msl;
+	u_int		tw_flags;	/* tcpcb t_flags */
 };
 
 #define	intotcpcb(ip)	((struct tcpcb *)(ip)->inp_ppcb)