1 /* $NetBSD: print-tcp.c,v 1.9 2007/07/26 18:15:12 plunky Exp $ */
4 * Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997
5 * The Regents of the University of California. All rights reserved.
7 * Copyright (c) 1999-2004 The tcpdump.org project
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that: (1) source code distributions
11 * retain the above copyright notice and this paragraph in its entirety, (2)
12 * distributions including binary code include the above copyright notice and
13 * this paragraph in its entirety in the documentation or other materials
14 * provided with the distribution, and (3) all advertising materials mentioning
15 * features or use of this software display the following acknowledgement:
16 * ``This product includes software developed by the University of California,
17 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
18 * the University nor the names of its contributors may be used to endorse
19 * or promote products derived from this software without specific prior
21 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
22 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
23 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
26 /* \summary: TCP printer */
30 __RCSID("$NetBSD: print-tcp.c,v 1.8 2007/07/24 11:53:48 drochner Exp $");
35 #include "netdissect-stdinc.h"
40 #define ND_LONGJMP_FROM_TCHECK
41 #include "netdissect.h"
42 #include "addrtoname.h"
45 #include "diag-control.h"
56 #include <openssl/md5.h>
57 #include "signature.h"
59 static int tcp_verify_signature(netdissect_options
*ndo
,
60 const struct ip
*ip
, const struct tcphdr
*tp
,
61 const u_char
*data
, u_int length
, const u_char
*rcvsig
);
64 static void print_tcp_rst_data(netdissect_options
*, const u_char
*sp
, u_int length
);
65 static void print_tcp_fastopen_option(netdissect_options
*ndo
, const u_char
*cp
,
68 #define MAX_RST_DATA_LEN 30
78 struct tcp_seq_hash
*nxt
;
90 struct tcp_seq_hash6
{
91 struct tcp_seq_hash6
*nxt
;
97 #define TSEQ_HASHSIZE 919
99 /* These tcp options do not have the size octet */
100 #define ZEROLENOPT(o) ((o) == TCPOPT_EOL || (o) == TCPOPT_NOP)
102 static struct tcp_seq_hash tcp_seq_hash4
[TSEQ_HASHSIZE
];
103 static struct tcp_seq_hash6 tcp_seq_hash6
[TSEQ_HASHSIZE
];
105 const struct tok tcp_flag_values
[] = {
118 static const struct tok tcp_option_values
[] = {
119 { TCPOPT_EOL
, "eol" },
120 { TCPOPT_NOP
, "nop" },
121 { TCPOPT_MAXSEG
, "mss" },
122 { TCPOPT_WSCALE
, "wscale" },
123 { TCPOPT_SACKOK
, "sackOK" },
124 { TCPOPT_SACK
, "sack" },
125 { TCPOPT_ECHO
, "echo" },
126 { TCPOPT_ECHOREPLY
, "echoreply" },
127 { TCPOPT_TIMESTAMP
, "TS" },
129 { TCPOPT_CCNEW
, "ccnew" },
130 { TCPOPT_CCECHO
, "ccecho" },
131 { TCPOPT_SIGNATURE
, "md5" },
132 { TCPOPT_SCPS
, "scps" },
133 { TCPOPT_UTO
, "uto" },
134 { TCPOPT_TCPAO
, "tcp-ao" },
135 { TCPOPT_MPTCP
, "mptcp" },
136 { TCPOPT_FASTOPEN
, "tfo" },
137 { TCPOPT_EXPERIMENT2
, "exp" },
142 tcp_cksum(netdissect_options
*ndo
,
144 const struct tcphdr
*tp
,
147 return nextproto4_cksum(ndo
, ip
, (const uint8_t *)tp
, len
, len
,
152 tcp6_cksum(netdissect_options
*ndo
,
153 const struct ip6_hdr
*ip6
,
154 const struct tcphdr
*tp
,
157 return nextproto6_cksum(ndo
, ip6
, (const uint8_t *)tp
, len
, len
,
162 tcp_print(netdissect_options
*ndo
,
163 const u_char
*bp
, u_int length
,
164 const u_char
*bp2
, int fragmented
)
166 const struct tcphdr
*tp
;
171 uint16_t sport
, dport
, win
, urp
;
172 uint32_t seq
, ack
, thseq
, thack
;
176 const struct ip6_hdr
*ip6
;
177 u_int header_len
; /* Header length in bytes */
179 ndo
->ndo_protocol
= "tcp";
180 tp
= (const struct tcphdr
*)bp
;
181 ip
= (const struct ip
*)bp2
;
183 ip6
= (const struct ip6_hdr
*)bp2
;
187 if (!ND_TTEST_2(tp
->th_dport
)) {
190 GET_IP6ADDR_STRING(ip6
->ip6_src
),
191 GET_IP6ADDR_STRING(ip6
->ip6_dst
));
194 GET_IPADDR_STRING(ip
->ip_src
),
195 GET_IPADDR_STRING(ip
->ip_dst
));
197 nd_trunc_longjmp(ndo
);
200 sport
= GET_BE_U_2(tp
->th_sport
);
201 dport
= GET_BE_U_2(tp
->th_dport
);
204 if (GET_U_1(ip6
->ip6_nxt
) == IPPROTO_TCP
) {
205 ND_PRINT("%s.%s > %s.%s: ",
206 GET_IP6ADDR_STRING(ip6
->ip6_src
),
207 tcpport_string(ndo
, sport
),
208 GET_IP6ADDR_STRING(ip6
->ip6_dst
),
209 tcpport_string(ndo
, dport
));
211 ND_PRINT("%s > %s: ",
212 tcpport_string(ndo
, sport
), tcpport_string(ndo
, dport
));
215 if (GET_U_1(ip
->ip_p
) == IPPROTO_TCP
) {
216 ND_PRINT("%s.%s > %s.%s: ",
217 GET_IPADDR_STRING(ip
->ip_src
),
218 tcpport_string(ndo
, sport
),
219 GET_IPADDR_STRING(ip
->ip_dst
),
220 tcpport_string(ndo
, dport
));
222 ND_PRINT("%s > %s: ",
223 tcpport_string(ndo
, sport
), tcpport_string(ndo
, dport
));
227 hlen
= TH_OFF(tp
) * 4;
229 if (hlen
< sizeof(*tp
)) {
230 ND_PRINT(" tcp %u [bad hdr length %u - too short, < %zu]",
231 length
- hlen
, hlen
, sizeof(*tp
));
235 seq
= GET_BE_U_4(tp
->th_seq
);
236 ack
= GET_BE_U_4(tp
->th_ack
);
237 win
= GET_BE_U_2(tp
->th_win
);
238 urp
= GET_BE_U_2(tp
->th_urp
);
240 if (ndo
->ndo_qflag
) {
241 ND_PRINT("tcp %u", length
- hlen
);
243 ND_PRINT(" [bad hdr length %u - too long, > %u]",
250 flags
= tcp_get_flags(tp
);
251 ND_PRINT("Flags [%s]", bittok2str_nosep(tcp_flag_values
, "none", flags
));
253 if (!ndo
->ndo_Sflag
&& (flags
& TH_ACK
)) {
255 * Find (or record) the initial sequence numbers for
256 * this conversation. (we pick an arbitrary
257 * collating order so there's only one entry for
262 struct tcp_seq_hash6
*th
;
263 struct tcp_seq_hash6
*tcp_seq_hash
;
264 const void *src
, *dst
;
267 tcp_seq_hash
= tcp_seq_hash6
;
268 src
= (const void *)ip6
->ip6_src
;
269 dst
= (const void *)ip6
->ip6_dst
;
272 else if (sport
== dport
) {
273 if (UNALIGNED_MEMCMP(src
, dst
, sizeof(ip6
->ip6_dst
)) > 0)
277 UNALIGNED_MEMCPY(&tha
.src
, dst
, sizeof(ip6
->ip6_dst
));
278 UNALIGNED_MEMCPY(&tha
.dst
, src
, sizeof(ip6
->ip6_src
));
279 tha
.port
= ((u_int
)dport
) << 16 | sport
;
281 UNALIGNED_MEMCPY(&tha
.dst
, dst
, sizeof(ip6
->ip6_dst
));
282 UNALIGNED_MEMCPY(&tha
.src
, src
, sizeof(ip6
->ip6_src
));
283 tha
.port
= ((u_int
)sport
) << 16 | dport
;
286 for (th
= &tcp_seq_hash
[tha
.port
% TSEQ_HASHSIZE
];
287 th
->nxt
; th
= th
->nxt
)
288 if (memcmp((char *)&tha
, (char *)&th
->addr
,
289 sizeof(th
->addr
)) == 0)
292 if (!th
->nxt
|| (flags
& TH_SYN
)) {
293 /* didn't find it or new conversation */
294 /* calloc() return used by the 'tcp_seq_hash6'
295 hash table: do not free() */
296 if (th
->nxt
== NULL
) {
297 th
->nxt
= (struct tcp_seq_hash6
*)
298 calloc(1, sizeof(*th
));
300 (*ndo
->ndo_error
)(ndo
,
302 "%s: calloc", __func__
);
306 th
->ack
= seq
, th
->seq
= ack
- 1;
308 th
->seq
= seq
, th
->ack
= ack
- 1;
311 seq
-= th
->ack
, ack
-= th
->seq
;
313 seq
-= th
->seq
, ack
-= th
->ack
;
319 struct tcp_seq_hash
*th
;
320 struct tcp_seq_hash
*tcp_seq_hash
;
323 tcp_seq_hash
= tcp_seq_hash4
;
326 else if (sport
== dport
) {
327 if (UNALIGNED_MEMCMP(ip
->ip_src
, ip
->ip_dst
, sizeof(ip
->ip_dst
)) > 0)
331 UNALIGNED_MEMCPY(&tha
.src
, ip
->ip_dst
,
333 UNALIGNED_MEMCPY(&tha
.dst
, ip
->ip_src
,
335 tha
.port
= ((u_int
)dport
) << 16 | sport
;
337 UNALIGNED_MEMCPY(&tha
.dst
, ip
->ip_dst
,
339 UNALIGNED_MEMCPY(&tha
.src
, ip
->ip_src
,
341 tha
.port
= ((u_int
)sport
) << 16 | dport
;
344 for (th
= &tcp_seq_hash
[tha
.port
% TSEQ_HASHSIZE
];
345 th
->nxt
; th
= th
->nxt
)
346 if (memcmp((char *)&tha
, (char *)&th
->addr
,
347 sizeof(th
->addr
)) == 0)
350 if (!th
->nxt
|| (flags
& TH_SYN
)) {
351 /* didn't find it or new conversation */
352 /* calloc() return used by the 'tcp_seq_hash4'
353 hash table: do not free() */
354 if (th
->nxt
== NULL
) {
355 th
->nxt
= (struct tcp_seq_hash
*)
356 calloc(1, sizeof(*th
));
358 (*ndo
->ndo_error
)(ndo
,
360 "%s: calloc", __func__
);
364 th
->ack
= seq
, th
->seq
= ack
- 1;
366 th
->seq
= seq
, th
->ack
= ack
- 1;
369 seq
-= th
->ack
, ack
-= th
->seq
;
371 seq
-= th
->seq
, ack
-= th
->ack
;
379 thseq
= thack
= rev
= 0;
382 ND_PRINT(" [bad hdr length %u - too long, > %u]",
387 if (ndo
->ndo_vflag
&& !ndo
->ndo_Kflag
&& !fragmented
) {
388 /* Check the checksum, if possible. */
389 uint16_t sum
, tcp_sum
;
392 if (ND_TTEST_LEN(tp
->th_sport
, length
)) {
393 sum
= tcp_cksum(ndo
, ip
, tp
, length
);
394 tcp_sum
= GET_BE_U_2(tp
->th_sum
);
396 ND_PRINT(", cksum 0x%04x", tcp_sum
);
398 ND_PRINT(" (incorrect -> 0x%04x)",
399 in_cksum_shouldbe(tcp_sum
, sum
));
401 ND_PRINT(" (correct)");
403 } else if (IP_V(ip
) == 6) {
404 if (ND_TTEST_LEN(tp
->th_sport
, length
)) {
405 sum
= tcp6_cksum(ndo
, ip6
, tp
, length
);
406 tcp_sum
= GET_BE_U_2(tp
->th_sum
);
408 ND_PRINT(", cksum 0x%04x", tcp_sum
);
410 ND_PRINT(" (incorrect -> 0x%04x)",
411 in_cksum_shouldbe(tcp_sum
, sum
));
413 ND_PRINT(" (correct)");
420 if (ndo
->ndo_vflag
> 1 || length
> 0 || flags
& (TH_SYN
| TH_FIN
| TH_RST
)) {
421 ND_PRINT(", seq %u", seq
);
424 ND_PRINT(":%u", seq
+ length
);
428 if (flags
& TH_ACK
) {
429 ND_PRINT(", ack %u", ack
);
432 ND_PRINT(", win %u", win
);
435 ND_PRINT(", urg %u", urp
);
437 * Handle any options.
439 if (hlen
> sizeof(*tp
)) {
441 u_int i
, opt
, datalen
;
445 cp
= (const u_char
*)tp
+ sizeof(*tp
);
446 ND_PRINT(", options [");
456 cp
++; /* total including type, len */
457 if (len
< 2 || len
> hlen
)
459 --hlen
; /* account for length byte */
461 --hlen
; /* account for type byte */
464 /* Bail if "l" bytes of data are not left or were not captured */
465 #define LENCHECK(l) { if ((l) > hlen) goto bad; }
468 ND_PRINT("%s", tok2str(tcp_option_values
, "unknown-%u", opt
));
475 ND_PRINT(" %u", GET_BE_U_2(cp
));
481 ND_PRINT(" %u", GET_U_1(cp
));
486 if (datalen
% 8 != 0) {
487 ND_PRINT(" invalid sack");
491 ND_PRINT(" %u ", datalen
/ 8);
492 for (i
= 0; i
< datalen
; i
+= 8) {
494 s
= GET_BE_U_4(cp
+ i
);
496 e
= GET_BE_U_4(cp
+ i
+ 4);
504 ND_PRINT("{%u:%u}", s
, e
);
513 case TCPOPT_ECHOREPLY
:
516 * those options share their semantics.
521 ND_PRINT(" %u", GET_BE_U_4(cp
));
524 case TCPOPT_TIMESTAMP
:
527 ND_PRINT(" val %u ecr %u",
532 case TCPOPT_SIGNATURE
:
533 datalen
= TCP_SIGLEN
;
535 ND_TCHECK_LEN(cp
, datalen
);
537 #ifdef HAVE_LIBCRYPTO
538 switch (tcp_verify_signature(ndo
, ip
, tp
,
539 bp
+ TH_OFF(tp
) * 4, length
, cp
)) {
541 case SIGNATURE_VALID
:
545 case SIGNATURE_INVALID
:
546 nd_print_invalid(ndo
);
549 case CANT_CHECK_SIGNATURE
:
550 ND_PRINT("can't check - ");
551 for (i
= 0; i
< TCP_SIGLEN
; ++i
)
557 for (i
= 0; i
< TCP_SIGLEN
; ++i
)
558 ND_PRINT("%02x", GET_U_1(cp
+ i
));
565 ND_PRINT(" cap %02x id %u", GET_U_1(cp
),
571 /* RFC 5925 Section 2.2:
572 * "The Length value MUST be greater than or equal to 4."
573 * (This includes the Kind and Length fields already processed
577 nd_print_invalid(ndo
);
580 ND_PRINT(" keyid %u", GET_U_1(cp
));
582 ND_PRINT(" rnextkeyid %u",
586 for (i
= 2; i
< datalen
; i
++) {
599 * Nothing interesting.
607 utoval
= GET_BE_U_2(cp
);
608 ND_PRINT(" 0x%x", utoval
);
610 utoval
= (utoval
>> 1) * 60;
613 ND_PRINT(" %u", utoval
);
618 const u_char
*snapend_save
;
623 /* FIXME: Proof-read mptcp_print() and if it
624 * always covers all bytes when it returns 1,
625 * only do ND_TCHECK_LEN() if it returned 0.
627 ND_TCHECK_LEN(cp
, datalen
);
628 /* Update the snapend to the end of the option
629 * before calling mptcp_print(). Some options
630 * (MPTCP or others) may be present after a
631 * MPTCP option. This prevents that, in
632 * mptcp_print(), the remaining length < the
635 snapend_save
= ndo
->ndo_snapend
;
636 ndo
->ndo_snapend
= ND_MIN(cp
- 2 + len
,
638 ret
= mptcp_print(ndo
, cp
- 2, len
, flags
);
639 ndo
->ndo_snapend
= snapend_save
;
645 case TCPOPT_FASTOPEN
:
648 ND_TCHECK_LEN(cp
, datalen
);
650 print_tcp_fastopen_option(ndo
, cp
, datalen
);
653 case TCPOPT_EXPERIMENT2
:
656 ND_TCHECK_LEN(cp
, datalen
);
660 magic
= GET_BE_U_2(cp
);
665 case 0xf989: /* TCP Fast Open RFC 7413 */
667 print_tcp_fastopen_option(ndo
, cp
+ 2, datalen
- 2);
671 /* Unknown magic number */
672 ND_PRINT("%04x", magic
);
681 for (i
= 0; i
< datalen
; ++i
) {
683 ND_PRINT("%02x", GET_U_1(cp
+ i
));
688 /* Account for data printed */
692 /* Check specification against observed length */
693 ++datalen
; /* option octet */
694 if (!ZEROLENOPT(opt
))
695 ++datalen
; /* size octet */
697 ND_PRINT("[len %u]", len
);
699 if (opt
== TCPOPT_EOL
)
706 * Print length field before crawling down the stack.
708 ND_PRINT(", length %u", length
);
714 * Decode payload if necessary.
716 header_len
= TH_OFF(tp
) * 4;
718 * Do a bounds check before decoding the payload.
719 * At least the header data is required.
721 if (!ND_TTEST_LEN(bp
, header_len
)) {
722 ND_PRINT(" [remaining caplen(%u) < header length(%u)]",
723 ND_BYTES_AVAILABLE_AFTER(bp
), header_len
);
724 nd_trunc_longjmp(ndo
);
727 if ((flags
& TH_RST
) && ndo
->ndo_vflag
) {
728 print_tcp_rst_data(ndo
, bp
, length
);
732 if (ndo
->ndo_packettype
) {
733 switch (ndo
->ndo_packettype
) {
735 zmtp1_print(ndo
, bp
, length
);
738 resp_print(ndo
, bp
, length
);
741 /* over_tcp: TRUE, is_mdns: FALSE */
742 domain_print(ndo
, bp
, length
, TRUE
, FALSE
);
748 if (IS_SRC_OR_DST_PORT(FTP_PORT
)) {
750 ftp_print(ndo
, bp
, length
);
751 } else if (IS_SRC_OR_DST_PORT(SSH_PORT
)) {
752 ssh_print(ndo
, bp
, length
);
753 } else if (IS_SRC_OR_DST_PORT(TELNET_PORT
)) {
754 telnet_print(ndo
, bp
, length
);
755 } else if (IS_SRC_OR_DST_PORT(SMTP_PORT
)) {
757 smtp_print(ndo
, bp
, length
);
758 } else if (IS_SRC_OR_DST_PORT(WHOIS_PORT
)) {
760 whois_print(ndo
, bp
, length
);
761 } else if (IS_SRC_OR_DST_PORT(NAMESERVER_PORT
)) {
762 /* over_tcp: TRUE, is_mdns: FALSE */
763 domain_print(ndo
, bp
, length
, TRUE
, FALSE
);
764 } else if (IS_SRC_OR_DST_PORT(HTTP_PORT
)) {
766 http_print(ndo
, bp
, length
);
768 } else if (IS_SRC_OR_DST_PORT(NETBIOS_SSN_PORT
)) {
769 nbt_tcp_print(ndo
, bp
, length
);
771 } else if (IS_SRC_OR_DST_PORT(BGP_PORT
)) {
772 bgp_print(ndo
, bp
, length
);
773 } else if (IS_SRC_OR_DST_PORT(RPKI_RTR_PORT
)) {
774 rpki_rtr_print(ndo
, bp
, length
);
776 } else if (IS_SRC_OR_DST_PORT(SMB_PORT
)) {
777 smb_tcp_print(ndo
, bp
, length
);
779 } else if (IS_SRC_OR_DST_PORT(RTSP_PORT
)) {
781 rtsp_print(ndo
, bp
, length
);
782 } else if (IS_SRC_OR_DST_PORT(MSDP_PORT
)) {
783 msdp_print(ndo
, bp
, length
);
784 } else if (IS_SRC_OR_DST_PORT(LDP_PORT
)) {
785 ldp_print(ndo
, bp
, length
);
786 } else if (IS_SRC_OR_DST_PORT(PPTP_PORT
))
788 else if (IS_SRC_OR_DST_PORT(REDIS_PORT
))
789 resp_print(ndo
, bp
, length
);
790 else if (IS_SRC_OR_DST_PORT(BEEP_PORT
))
791 beep_print(ndo
, bp
, length
);
792 else if (IS_SRC_OR_DST_PORT(OPENFLOW_PORT_OLD
) || IS_SRC_OR_DST_PORT(OPENFLOW_PORT_IANA
)) {
793 openflow_print(ndo
, bp
, length
);
794 } else if (IS_SRC_OR_DST_PORT(HTTP_PORT_ALT
)) {
796 http_print(ndo
, bp
, length
);
797 } else if (IS_SRC_OR_DST_PORT(RTSP_PORT_ALT
)) {
799 rtsp_print(ndo
, bp
, length
);
800 } else if ((IS_SRC_OR_DST_PORT(NFS_PORT
)) &&
803 * If data present, header length valid, and NFS port used,
805 * Pass offset of data plus 4 bytes for RPC TCP msg length
806 * to NFS print routines.
809 const struct sunrpc_msg
*rp
;
810 enum sunrpc_msg_type direction
;
812 fraglen
= GET_BE_U_4(bp
) & 0x7FFFFFFF;
813 if (fraglen
> (length
) - 4)
814 fraglen
= (length
) - 4;
815 rp
= (const struct sunrpc_msg
*)(bp
+ 4);
816 if (ND_TTEST_4(rp
->rm_direction
)) {
817 direction
= (enum sunrpc_msg_type
) GET_BE_U_4(rp
->rm_direction
);
818 if (dport
== NFS_PORT
&& direction
== SUNRPC_CALL
) {
819 ND_PRINT(": NFS request xid %u ",
820 GET_BE_U_4(rp
->rm_xid
));
821 nfsreq_noaddr_print(ndo
, (const u_char
*)rp
, fraglen
, (const u_char
*)ip
);
824 if (sport
== NFS_PORT
&& direction
== SUNRPC_REPLY
) {
825 ND_PRINT(": NFS reply xid %u ",
826 GET_BE_U_4(rp
->rm_xid
));
827 nfsreply_noaddr_print(ndo
, (const u_char
*)rp
, fraglen
, (const u_char
*)ip
);
835 ND_PRINT("[bad opt]");
840 nd_print_invalid(ndo
);
844 * RFC1122 says the following on data in RST segments:
846 * 4.2.2.12 RST Segment: RFC-793 Section 3.4
848 * A TCP SHOULD allow a received RST segment to include data.
851 * It has been suggested that a RST segment could contain
852 * ASCII text that encoded and explained the cause of the
853 * RST. No standard has yet been established for such
859 print_tcp_rst_data(netdissect_options
*ndo
,
860 const u_char
*sp
, u_int length
)
862 ND_PRINT(ND_TTEST_LEN(sp
, length
) ? " [RST" : " [!RST");
863 if (length
> MAX_RST_DATA_LEN
) {
864 length
= MAX_RST_DATA_LEN
; /* can use -X for longer */
865 ND_PRINT("+"); /* indicate we truncate */
868 (void)nd_printn(ndo
, sp
, length
, ndo
->ndo_snapend
);
873 print_tcp_fastopen_option(netdissect_options
*ndo
, const u_char
*cp
,
879 /* Fast Open Cookie Request */
880 ND_PRINT(" cookiereq");
882 /* Fast Open Cookie */
883 if (datalen
% 2 != 0 || datalen
< 4 || datalen
> 16) {
884 nd_print_invalid(ndo
);
886 ND_PRINT(" cookie ");
887 for (i
= 0; i
< datalen
; ++i
)
888 ND_PRINT("%02x", GET_U_1(cp
+ i
));
893 #ifdef HAVE_LIBCRYPTO
896 tcp_verify_signature(netdissect_options
*ndo
,
897 const struct ip
*ip
, const struct tcphdr
*tp
,
898 const u_char
*data
, u_int length
, const u_char
*rcvsig
)
901 u_char sig
[TCP_SIGLEN
];
904 uint16_t savecsum
, tlen
;
905 const struct ip6_hdr
*ip6
;
909 if (!ND_TTEST_LEN(data
, length
)) {
910 ND_PRINT("snaplen too short, ");
911 return (CANT_CHECK_SIGNATURE
);
916 if (ndo
->ndo_sigsecret
== NULL
) {
917 ND_PRINT("shared secret not supplied with -M, ");
918 return (CANT_CHECK_SIGNATURE
);
923 * Step 1: Update MD5 hash with IP pseudo-header.
926 MD5_Update(&ctx
, (const char *)&ip
->ip_src
, sizeof(ip
->ip_src
));
927 MD5_Update(&ctx
, (const char *)&ip
->ip_dst
, sizeof(ip
->ip_dst
));
928 MD5_Update(&ctx
, (const char *)&zero_proto
, sizeof(zero_proto
));
929 MD5_Update(&ctx
, (const char *)&ip
->ip_p
, sizeof(ip
->ip_p
));
930 tlen
= GET_BE_U_2(ip
->ip_len
) - IP_HL(ip
) * 4;
932 MD5_Update(&ctx
, (const char *)&tlen
, sizeof(tlen
));
933 } else if (IP_V(ip
) == 6) {
934 ip6
= (const struct ip6_hdr
*)ip
;
935 MD5_Update(&ctx
, (const char *)&ip6
->ip6_src
, sizeof(ip6
->ip6_src
));
936 MD5_Update(&ctx
, (const char *)&ip6
->ip6_dst
, sizeof(ip6
->ip6_dst
));
937 len32
= htonl(GET_BE_U_2(ip6
->ip6_plen
));
938 MD5_Update(&ctx
, (const char *)&len32
, sizeof(len32
));
940 MD5_Update(&ctx
, (const char *)&nxt
, sizeof(nxt
));
941 MD5_Update(&ctx
, (const char *)&nxt
, sizeof(nxt
));
942 MD5_Update(&ctx
, (const char *)&nxt
, sizeof(nxt
));
944 MD5_Update(&ctx
, (const char *)&nxt
, sizeof(nxt
));
946 ND_PRINT("IP version not 4 or 6, ");
947 return (CANT_CHECK_SIGNATURE
);
951 * Step 2: Update MD5 hash with TCP header, excluding options.
952 * The TCP checksum must be set to zero.
954 memcpy(&savecsum
, tp1
.th_sum
, sizeof(savecsum
));
955 memset(tp1
.th_sum
, 0, sizeof(tp1
.th_sum
));
956 MD5_Update(&ctx
, (const char *)&tp1
, sizeof(struct tcphdr
));
957 memcpy(tp1
.th_sum
, &savecsum
, sizeof(tp1
.th_sum
));
959 * Step 3: Update MD5 hash with TCP segment data, if present.
962 MD5_Update(&ctx
, data
, length
);
964 * Step 4: Update MD5 hash with shared secret.
966 MD5_Update(&ctx
, ndo
->ndo_sigsecret
, strlen(ndo
->ndo_sigsecret
));
967 MD5_Final(sig
, &ctx
);
969 if (memcmp(rcvsig
, sig
, TCP_SIGLEN
) == 0)
970 return (SIGNATURE_VALID
);
972 return (SIGNATURE_INVALID
);
975 #endif /* HAVE_LIBCRYPTO */