X-Git-Url: https://git.tcpdump.org/tcpdump/blobdiff_plain/9d1b3968536b43821038a458fb0141bd0b4fed9c..c0de704a5331dd3b9bd060dd0969163025186c0e:/print-tcp.c diff --git a/print-tcp.c b/print-tcp.c index c3b4d6ea..b5d70c82 100644 --- a/print-tcp.c +++ b/print-tcp.c @@ -2,6 +2,8 @@ * Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997 * The Regents of the University of California. All rights reserved. * + * Copyright (c) 1999-2004 The tcpdump.org project + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that: (1) source code distributions * retain the above copyright notice and this paragraph in its entirety, (2) @@ -21,7 +23,7 @@ #ifndef lint static const char rcsid[] _U_ = - "@(#) $Header: /tcpdump/master/tcpdump/print-tcp.c,v 1.116 2004-07-08 10:25:08 guy Exp $ (LBL)"; + "@(#) $Header: /tcpdump/master/tcpdump/print-tcp.c,v 1.124 2005-11-29 09:07:47 hannes Exp $ (LBL)"; #endif #ifdef HAVE_CONFIG_H @@ -30,8 +32,6 @@ static const char rcsid[] _U_ = #include -#include - #include #include #include @@ -47,12 +47,18 @@ static const char rcsid[] _U_ = #include "ip6.h" #endif #include "ipproto.h" +#include "rpc_auth.h" +#include "rpc_msg.h" #include "nameser.h" #ifdef HAVE_LIBCRYPTO #include +#define SIGNATURE_VALID 0 +#define SIGNATURE_INVALID 1 +#define CANT_CHECK_SIGNATURE 2 + static int tcp_verify_signature(const struct ip *ip, const struct tcphdr *tp, const u_char *data, int length, const u_char *rcvsig); #endif @@ -225,12 +231,12 @@ tcp_print(register const u_char *bp, register u_int length, * to NFS print routines. */ if (!qflag && hlen >= sizeof(*tp) && hlen <= length) { - if ((u_char *)tp + 4 + sizeof(struct rpc_msg) <= snapend && + if ((u_char *)tp + 4 + sizeof(struct sunrpc_msg) <= snapend && dport == NFS_PORT) { nfsreq_print((u_char *)tp + hlen + 4, length - hlen, (u_char *)ip); return; - } else if ((u_char *)tp + 4 + sizeof(struct rpc_msg) + } else if ((u_char *)tp + 4 + sizeof(struct sunrpc_msg) <= snapend && sport == NFS_PORT) { nfsreply_print((u_char *)tp + hlen + 4, length - hlen, @@ -266,8 +272,8 @@ tcp_print(register const u_char *bp, register u_int length, } if (hlen < sizeof(*tp)) { - (void)printf(" tcp %d [bad hdr length %u - too short, < %u]", - length - hlen, hlen, sizeof(*tp)); + (void)printf(" tcp %d [bad hdr length %u - too short, < %lu]", + length - hlen, hlen, (unsigned long)sizeof(*tp)); return; } @@ -514,14 +520,13 @@ tcp_print(register const u_char *bp, register u_int length, break; case TCPOPT_SACK: - (void)printf("sack"); datalen = len - 2; if (datalen % 8 != 0) { - (void)printf(" malformed sack "); + (void)printf("malformed sack"); } else { u_int32_t s, e; - (void)printf(" sack %d ", datalen / 8); + (void)printf("sack %d ", datalen / 8); for (i = 0; i < datalen; i += 8) { LENCHECK(i + 4); s = EXTRACT_32BITS(cp + i); @@ -536,7 +541,6 @@ tcp_print(register const u_char *bp, register u_int length, } (void)printf("{%u:%u}", s, e); } - (void)printf(" "); } break; @@ -589,17 +593,38 @@ tcp_print(register const u_char *bp, register u_int length, datalen = TCP_SIGLEN; LENCHECK(datalen); #ifdef HAVE_LIBCRYPTO - if (tcp_verify_signature(ip, tp, - bp + TH_OFF(tp) * 4, length, cp) == 0) + switch (tcp_verify_signature(ip, tp, + bp + TH_OFF(tp) * 4, length, cp)) { + + case SIGNATURE_VALID: (void)printf("valid"); - else + break; + + case SIGNATURE_INVALID: (void)printf("invalid"); + break; + + case CANT_CHECK_SIGNATURE: + (void)printf("can't check - "); + for (i = 0; i < TCP_SIGLEN; ++i) + (void)printf("%02x", cp[i]); + break; + } #else for (i = 0; i < TCP_SIGLEN; ++i) (void)printf("%02x", cp[i]); #endif break; + case TCPOPT_AUTH: + (void)printf("Enhanced Auth: keyid %d", *cp++); + datalen = len - 3; + for (i = 0; i < datalen; ++i) { + LENCHECK(i); + (void)printf("%02x", cp[i]); + } + break; + default: (void)printf("opt-%u:", opt); datalen = len - 2; @@ -720,18 +745,20 @@ tcp_verify_signature(const struct ip *ip, const struct tcphdr *tp, const u_char *data, int length, const u_char *rcvsig) { struct tcphdr tp1; - char sig[TCP_SIGLEN]; + u_char sig[TCP_SIGLEN]; char zero_proto = 0; MD5_CTX ctx; u_int16_t savecsum, tlen; +#ifdef INET6 struct ip6_hdr *ip6; +#endif u_int32_t len32; u_int8_t nxt; tp1 = *tp; if (tcpmd5secret == NULL) - return (-1); + return (CANT_CHECK_SIGNATURE); MD5_Init(&ctx); /* @@ -745,6 +772,7 @@ tcp_verify_signature(const struct ip *ip, const struct tcphdr *tp, tlen = EXTRACT_16BITS(&ip->ip_len) - IP_HL(ip) * 4; tlen = htons(tlen); MD5_Update(&ctx, (char *)&tlen, sizeof(tlen)); +#ifdef INET6 } else if (IP_V(ip) == 6) { ip6 = (struct ip6_hdr *)ip; MD5_Update(&ctx, (char *)&ip6->ip6_src, sizeof(ip6->ip6_src)); @@ -757,8 +785,9 @@ tcp_verify_signature(const struct ip *ip, const struct tcphdr *tp, MD5_Update(&ctx, (char *)&nxt, sizeof(nxt)); nxt = IPPROTO_TCP; MD5_Update(&ctx, (char *)&nxt, sizeof(nxt)); +#endif } else - return (-1); + return (CANT_CHECK_SIGNATURE); /* * Step 2: Update MD5 hash with TCP header, excluding options. @@ -779,6 +808,9 @@ tcp_verify_signature(const struct ip *ip, const struct tcphdr *tp, MD5_Update(&ctx, tcpmd5secret, strlen(tcpmd5secret)); MD5_Final(sig, &ctx); - return (memcmp(rcvsig, sig, 16)); + if (memcmp(rcvsig, sig, TCP_SIGLEN) == 0) + return (SIGNATURE_VALID); + else + return (SIGNATURE_INVALID); } #endif /* HAVE_LIBCRYPTO */