X-Git-Url: https://git.tcpdump.org/tcpdump/blobdiff_plain/e2826164d4518667c80fa14a93390c77af8b8af7..dba96957457e18fd3ebc11e6e87aafd01d9fb55f:/print-tcp.c diff --git a/print-tcp.c b/print-tcp.c index 2b7c610c..6cce9e21 100644 --- a/print-tcp.c +++ b/print-tcp.c @@ -20,8 +20,8 @@ */ #ifndef lint -static const char rcsid[] = - "@(#) $Header: /tcpdump/master/tcpdump/print-tcp.c,v 1.106 2003-10-28 03:16:36 itojun Exp $ (LBL)"; +static const char rcsid[] _U_ = + "@(#) $Header: /tcpdump/master/tcpdump/print-tcp.c,v 1.111 2004-03-23 07:15:36 guy Exp $ (LBL)"; #endif #ifdef HAVE_CONFIG_H @@ -50,6 +50,13 @@ static const char rcsid[] = #include "nameser.h" +#ifdef HAVE_LIBCRYPTO +#include + +static int tcp_verify_signature(const struct ip *ip, struct tcphdr *tp, + const u_char *data, int length, const u_char *rcvsig); +#endif + static void print_tcp_rst_data(register const u_char *sp, u_int length); #define MAX_RST_DATA_LEN 30 @@ -100,7 +107,7 @@ static struct tcp_seq_hash tcp_seq_hash[TSEQ_HASHSIZE]; static int tcp_cksum(register const struct ip *ip, register const struct tcphdr *tp, - register int len) + register u_int len) { union phu { struct phdr { @@ -115,7 +122,7 @@ static int tcp_cksum(register const struct ip *ip, const u_int16_t *sp; /* pseudo-header.. */ - phu.ph.len = htons(len); /* XXX */ + phu.ph.len = htons((u_int16_t)len); phu.ph.mbz = 0; phu.ph.proto = IPPROTO_TCP; memcpy(&phu.ph.src, &ip->ip_src.s_addr, sizeof(u_int32_t)); @@ -131,9 +138,9 @@ static int tcp_cksum(register const struct ip *ip, #ifdef INET6 static int tcp6_cksum(const struct ip6_hdr *ip6, const struct tcphdr *tp, - int len) + u_int len) { - size_t i, tlen; + size_t i; register const u_int16_t *sp; u_int32_t sum; union { @@ -147,14 +154,11 @@ static int tcp6_cksum(const struct ip6_hdr *ip6, const struct tcphdr *tp, u_int16_t pa[20]; } phu; - tlen = EXTRACT_16BITS(&ip6->ip6_plen) + sizeof(struct ip6_hdr) - - ((const char *)tp - (const char*)ip6); - /* pseudo-header */ memset(&phu, 0, sizeof(phu)); phu.ph.ph_src = ip6->ip6_src; phu.ph.ph_dst = ip6->ip6_dst; - phu.ph.ph_len = htonl(tlen); + phu.ph.ph_len = htonl(len); phu.ph.ph_nxt = IPPROTO_TCP; sum = 0; @@ -163,10 +167,10 @@ static int tcp6_cksum(const struct ip6_hdr *ip6, const struct tcphdr *tp, sp = (const u_int16_t *)tp; - for (i = 0; i < (tlen & ~1); i += 2) + for (i = 0; i < (len & ~1); i += 2) sum += *sp++; - if (tlen & 1) + if (len & 1) sum += htons((*(const u_int8_t *)sp) << 8); while (sum > 0xffff) @@ -564,6 +568,26 @@ tcp_print(register const u_char *bp, register u_int length, (void)printf(" %u", EXTRACT_32BITS(cp)); break; + case TCPOPT_SIGNATURE: + (void)printf("md5:"); + if (IP_V(ip) != 4) { + (void)printf("!ipv4"); + break; + } + datalen = TCP_SIGLEN; + LENCHECK(datalen); +#ifdef HAVE_LIBCRYPTO + if (tcp_verify_signature(ip, tp, + bp + TH_OFF(tp) * 4, length, cp) == 0) + (void)printf("valid"); + else + (void)printf("invalid"); +#else + for (i = 0; i < TCP_SIGLEN; ++i) + (void)printf("%02x", cp[i]); +#endif + break; + default: (void)printf("opt-%u:", opt); datalen = len - 2; @@ -622,7 +646,7 @@ tcp_print(register const u_char *bp, register u_int length, * TCP DNS query has 2byte length at the head. * XXX packet could be unaligned, it can go strange */ - ns_print(bp + 2, length - 2); + ns_print(bp + 2, length - 2, 0); } else if (sport == MSDP_PORT || dport == MSDP_PORT) { msdp_print(bp, length); } @@ -676,3 +700,50 @@ print_tcp_rst_data(register const u_char *sp, u_int length) } putchar(']'); } + +#ifdef HAVE_LIBCRYPTO +static int +tcp_verify_signature(const struct ip *ip, struct tcphdr *tp, + const u_char *data, int length, const u_char *rcvsig) +{ + char sig[TCP_SIGLEN]; + char zero_proto = 0; + MD5_CTX ctx; + u_short savecsum, tlen; + + if (tcpmd5secret == NULL) + return (-1); + + MD5_Init(&ctx); + /* + * Step 1: Update MD5 hash with IP pseudo-header. + */ + MD5_Update(&ctx, (char *)&ip->ip_src, sizeof(ip->ip_src)); + MD5_Update(&ctx, (char *)&ip->ip_dst, sizeof(ip->ip_dst)); + MD5_Update(&ctx, (char *)&zero_proto, sizeof(zero_proto)); + MD5_Update(&ctx, (char *)&ip->ip_p, sizeof(ip->ip_p)); + tlen = EXTRACT_16BITS(&ip->ip_len) - IP_HL(ip) * 4; + tlen = htons(tlen); + MD5_Update(&ctx, (char *)&tlen, sizeof(tlen)); + /* + * Step 2: Update MD5 hash with TCP header, excluding options. + * The TCP checksum must be set to zero. + */ + savecsum = tp->th_sum; + tp->th_sum = 0; + MD5_Update(&ctx, (char *)tp, sizeof(struct tcphdr)); + tp->th_sum = savecsum; + /* + * Step 3: Update MD5 hash with TCP segment data, if present. + */ + if (length > 0) + MD5_Update(&ctx, data, length); + /* + * Step 4: Update MD5 hash with shared secret. + */ + MD5_Update(&ctx, tcpmd5secret, strlen(tcpmd5secret)); + MD5_Final(sig, &ctx); + + return (memcmp(rcvsig, sig, 16)); +} +#endif /* HAVE_LIBCRYPTO */