1 /* $NetBSD: print-tcp.c,v 1.9 2007/07/26 18:15:12 plunky Exp $ */ 2 3 /* 4 * Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997 5 * The Regents of the University of California. All rights reserved. 6 * 7 * Copyright (c) 1999-2004 The tcpdump.org project 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that: (1) source code distributions 11 * retain the above copyright notice and this paragraph in its entirety, (2) 12 * distributions including binary code include the above copyright notice and 13 * this paragraph in its entirety in the documentation or other materials 14 * provided with the distribution, and (3) all advertising materials mentioning 15 * features or use of this software display the following acknowledgement: 16 * ``This product includes software developed by the University of California, 17 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of 18 * the University nor the names of its contributors may be used to endorse 19 * or promote products derived from this software without specific prior 20 * written permission. 21 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED 22 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF 23 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 24 */ 25 26 #ifndef lint 27 static const char rcsid[] _U_ = 28 "@(#) $Header: /tcpdump/master/tcpdump/print-tcp.c,v 1.130.2.3 2007-12-22 03:08:45 guy Exp $ (LBL)"; 29 #else 30 __RCSID("$NetBSD: print-tcp.c,v 1.8 2007/07/24 11:53:48 drochner Exp $"); 31 #endif 32 33 #ifdef HAVE_CONFIG_H 34 #include "config.h" 35 #endif 36 37 #include <tcpdump-stdinc.h> 38 39 #include <stdio.h> 40 #include <stdlib.h> 41 #include <string.h> 42 43 #include "interface.h" 44 #include "addrtoname.h" 45 #include "extract.h" 46 47 #include "tcp.h" 48 49 #include "ip.h" 50 #ifdef INET6 51 #include "ip6.h" 52 #endif 53 #include "ipproto.h" 54 #include "rpc_auth.h" 55 #include "rpc_msg.h" 56 57 #include "nameser.h" 58 59 #ifdef HAVE_LIBCRYPTO 60 #include <openssl/md5.h> 61 62 #define SIGNATURE_VALID 0 63 #define SIGNATURE_INVALID 1 64 #define CANT_CHECK_SIGNATURE 2 65 66 static int tcp_verify_signature(const struct ip *ip, const struct tcphdr *tp, 67 const u_char *data, int length, const u_char *rcvsig); 68 #endif 69 70 static void print_tcp_rst_data(register const u_char *sp, u_int length); 71 72 #define MAX_RST_DATA_LEN 30 73 74 75 struct tha { 76 #ifndef INET6 77 struct in_addr src; 78 struct in_addr dst; 79 #else 80 struct in6_addr src; 81 struct in6_addr dst; 82 #endif /*INET6*/ 83 u_int port; 84 }; 85 86 struct tcp_seq_hash { 87 struct tcp_seq_hash *nxt; 88 struct tha addr; 89 tcp_seq seq; 90 tcp_seq ack; 91 }; 92 93 #define TSEQ_HASHSIZE 919 94 95 /* These tcp optinos do not have the size octet */ 96 #define ZEROLENOPT(o) ((o) == TCPOPT_EOL || (o) == TCPOPT_NOP) 97 98 static struct tcp_seq_hash tcp_seq_hash[TSEQ_HASHSIZE]; 99 100 struct tok tcp_flag_values[] = { 101 { TH_FIN, "F" }, 102 { TH_SYN, "S" }, 103 { TH_RST, "R" }, 104 { TH_PUSH, "P" }, 105 { TH_ACK, "." }, 106 { TH_URG, "U" }, 107 { TH_ECNECHO, "E" }, 108 { TH_CWR, "W" }, 109 { 0, NULL } 110 }; 111 112 struct tok tcp_option_values[] = { 113 { TCPOPT_EOL, "eol" }, 114 { TCPOPT_NOP, "nop" }, 115 { TCPOPT_MAXSEG, "mss" }, 116 { TCPOPT_WSCALE, "wscale" }, 117 { TCPOPT_SACKOK, "sackOK" }, 118 { TCPOPT_SACK, "sack" }, 119 { TCPOPT_ECHO, "echo" }, 120 { TCPOPT_ECHOREPLY, "echoreply" }, 121 { TCPOPT_TIMESTAMP, "TS" }, 122 { TCPOPT_CC, "cc" }, 123 { TCPOPT_CCNEW, "ccnew" }, 124 { TCPOPT_CCECHO, "" }, 125 { TCPOPT_SIGNATURE, "md5" }, 126 { TCPOPT_AUTH, "enhanced auth" }, 127 { 0, NULL } 128 }; 129 130 static int tcp_cksum(register const struct ip *ip, 131 register const struct tcphdr *tp, 132 register u_int len) 133 { 134 union phu { 135 struct phdr { 136 u_int32_t src; 137 u_int32_t dst; 138 u_char mbz; 139 u_char proto; 140 u_int16_t len; 141 } ph; 142 u_int16_t pa[6]; 143 } phu; 144 const u_int16_t *sp; 145 146 /* pseudo-header.. */ 147 phu.ph.len = htons((u_int16_t)len); 148 phu.ph.mbz = 0; 149 phu.ph.proto = IPPROTO_TCP; 150 memcpy(&phu.ph.src, &ip->ip_src.s_addr, sizeof(u_int32_t)); 151 if (IP_HL(ip) == 5) 152 memcpy(&phu.ph.dst, &ip->ip_dst.s_addr, sizeof(u_int32_t)); 153 else 154 phu.ph.dst = ip_finddst(ip); 155 156 sp = &phu.pa[0]; 157 return in_cksum((u_short *)tp, len, 158 sp[0]+sp[1]+sp[2]+sp[3]+sp[4]+sp[5]); 159 } 160 161 #ifdef INET6 162 static int tcp6_cksum(const struct ip6_hdr *ip6, const struct tcphdr *tp, 163 u_int len) 164 { 165 size_t i; 166 u_int32_t sum = 0; 167 union { 168 struct { 169 struct in6_addr ph_src; 170 struct in6_addr ph_dst; 171 u_int32_t ph_len; 172 u_int8_t ph_zero[3]; 173 u_int8_t ph_nxt; 174 } ph; 175 u_int16_t pa[20]; 176 } phu; 177 178 /* pseudo-header */ 179 memset(&phu, 0, sizeof(phu)); 180 phu.ph.ph_src = ip6->ip6_src; 181 phu.ph.ph_dst = ip6->ip6_dst; 182 phu.ph.ph_len = htonl(len); 183 phu.ph.ph_nxt = IPPROTO_TCP; 184 185 for (i = 0; i < sizeof(phu.pa) / sizeof(phu.pa[0]); i++) 186 sum += phu.pa[i]; 187 188 return in_cksum((u_short *)tp, len, sum); 189 } 190 #endif 191 192 void 193 tcp_print(register const u_char *bp, register u_int length, 194 register const u_char *bp2, int fragmented) 195 { 196 register const struct tcphdr *tp; 197 register const struct ip *ip; 198 register u_char flags; 199 register u_int hlen; 200 register char ch; 201 u_int16_t sport, dport, win, urp; 202 u_int32_t seq, ack, thseq, thack; 203 int threv; 204 #ifdef INET6 205 register const struct ip6_hdr *ip6; 206 #endif 207 208 tp = (struct tcphdr *)bp; 209 ip = (struct ip *)bp2; 210 #ifdef INET6 211 if (IP_V(ip) == 6) 212 ip6 = (struct ip6_hdr *)bp2; 213 else 214 ip6 = NULL; 215 #endif /*INET6*/ 216 ch = '\0'; 217 if (!TTEST(tp->th_dport)) { 218 (void)printf("%s > %s: [|tcp]", 219 ipaddr_string(&ip->ip_src), 220 ipaddr_string(&ip->ip_dst)); 221 return; 222 } 223 224 sport = EXTRACT_16BITS(&tp->th_sport); 225 dport = EXTRACT_16BITS(&tp->th_dport); 226 227 hlen = TH_OFF(tp) * 4; 228 229 /* 230 * If data present, header length valid, and NFS port used, 231 * assume NFS. 232 * Pass offset of data plus 4 bytes for RPC TCP msg length 233 * to NFS print routines. 234 */ 235 if (!qflag && hlen >= sizeof(*tp) && hlen <= length && 236 (length - hlen) >= 4) { 237 u_char *fraglenp; 238 u_int32_t fraglen; 239 register struct sunrpc_msg *rp; 240 enum sunrpc_msg_type direction; 241 242 fraglenp = (u_char *)tp + hlen; 243 if (TTEST2(*fraglenp, 4)) { 244 fraglen = EXTRACT_32BITS(fraglenp) & 0x7FFFFFFF; 245 if (fraglen > (length - hlen) - 4) 246 fraglen = (length - hlen) - 4; 247 rp = (struct sunrpc_msg *)(fraglenp + 4); 248 if (TTEST(rp->rm_direction)) { 249 direction = (enum sunrpc_msg_type)EXTRACT_32BITS(&rp->rm_direction); 250 if (dport == NFS_PORT && 251 direction == SUNRPC_CALL) { 252 nfsreq_print((u_char *)rp, fraglen, 253 (u_char *)ip); 254 return; 255 } 256 if (sport == NFS_PORT && 257 direction == SUNRPC_REPLY) { 258 nfsreply_print((u_char *)rp, fraglen, 259 (u_char *)ip); 260 return; 261 } 262 } 263 } 264 } 265 #ifdef INET6 266 if (ip6) { 267 if (ip6->ip6_nxt == IPPROTO_TCP) { 268 (void)printf("%s.%s > %s.%s: ", 269 ip6addr_string(&ip6->ip6_src), 270 tcpport_string(sport), 271 ip6addr_string(&ip6->ip6_dst), 272 tcpport_string(dport)); 273 } else { 274 (void)printf("%s > %s: ", 275 tcpport_string(sport), tcpport_string(dport)); 276 } 277 } else 278 #endif /*INET6*/ 279 { 280 if (ip->ip_p == IPPROTO_TCP) { 281 (void)printf("%s.%s > %s.%s: ", 282 ipaddr_string(&ip->ip_src), 283 tcpport_string(sport), 284 ipaddr_string(&ip->ip_dst), 285 tcpport_string(dport)); 286 } else { 287 (void)printf("%s > %s: ", 288 tcpport_string(sport), tcpport_string(dport)); 289 } 290 } 291 292 if (hlen < sizeof(*tp)) { 293 (void)printf(" tcp %d [bad hdr length %u - too short, < %lu]", 294 length - hlen, hlen, (unsigned long)sizeof(*tp)); 295 return; 296 } 297 298 TCHECK(*tp); 299 300 seq = EXTRACT_32BITS(&tp->th_seq); 301 ack = EXTRACT_32BITS(&tp->th_ack); 302 win = EXTRACT_16BITS(&tp->th_win); 303 urp = EXTRACT_16BITS(&tp->th_urp); 304 305 if (qflag) { 306 (void)printf("tcp %d", length - hlen); 307 if (hlen > length) { 308 (void)printf(" [bad hdr length %u - too long, > %u]", 309 hlen, length); 310 } 311 return; 312 } 313 314 flags = tp->th_flags; 315 printf("Flags [%s]", bittok2str_nosep(tcp_flag_values, "none", flags)); 316 317 if (!Sflag && (flags & TH_ACK)) { 318 register struct tcp_seq_hash *th; 319 const void *src, *dst; 320 register int rev; 321 struct tha tha; 322 /* 323 * Find (or record) the initial sequence numbers for 324 * this conversation. (we pick an arbitrary 325 * collating order so there's only one entry for 326 * both directions). 327 */ 328 #ifdef INET6 329 memset(&tha, 0, sizeof(tha)); 330 rev = 0; 331 if (ip6) { 332 src = &ip6->ip6_src; 333 dst = &ip6->ip6_dst; 334 if (sport > dport) 335 rev = 1; 336 else if (sport == dport) { 337 if (memcmp(src, dst, sizeof ip6->ip6_dst) > 0) 338 rev = 1; 339 } 340 if (rev) { 341 memcpy(&tha.src, dst, sizeof ip6->ip6_dst); 342 memcpy(&tha.dst, src, sizeof ip6->ip6_src); 343 tha.port = dport << 16 | sport; 344 } else { 345 memcpy(&tha.dst, dst, sizeof ip6->ip6_dst); 346 memcpy(&tha.src, src, sizeof ip6->ip6_src); 347 tha.port = sport << 16 | dport; 348 } 349 } else { 350 src = &ip->ip_src; 351 dst = &ip->ip_dst; 352 if (sport > dport) 353 rev = 1; 354 else if (sport == dport) { 355 if (memcmp(src, dst, sizeof ip->ip_dst) > 0) 356 rev = 1; 357 } 358 if (rev) { 359 memcpy(&tha.src, dst, sizeof ip->ip_dst); 360 memcpy(&tha.dst, src, sizeof ip->ip_src); 361 tha.port = dport << 16 | sport; 362 } else { 363 memcpy(&tha.dst, dst, sizeof ip->ip_dst); 364 memcpy(&tha.src, src, sizeof ip->ip_src); 365 tha.port = sport << 16 | dport; 366 } 367 } 368 #else 369 rev = 0; 370 src = &ip->ip_src; 371 dst = &ip->ip_dst; 372 if (sport > dport) 373 rev = 1; 374 else if (sport == dport) { 375 if (memcmp(src, dst, sizeof ip->ip_dst) > 0) 376 rev = 1; 377 } 378 if (rev) { 379 memcpy(&tha.src, dst, sizeof ip->ip_dst); 380 memcpy(&tha.dst, src, sizeof ip->ip_src); 381 tha.port = dport << 16 | sport; 382 } else { 383 memcpy(&tha.dst, dst, sizeof ip->ip_dst); 384 memcpy(&tha.src, src, sizeof ip->ip_src); 385 tha.port = sport << 16 | dport; 386 } 387 #endif 388 389 threv = rev; 390 for (th = &tcp_seq_hash[tha.port % TSEQ_HASHSIZE]; 391 th->nxt; th = th->nxt) 392 if (memcmp((char *)&tha, (char *)&th->addr, 393 sizeof(th->addr)) == 0) 394 break; 395 396 if (!th->nxt || (flags & TH_SYN)) { 397 /* didn't find it or new conversation */ 398 if (th->nxt == NULL) { 399 th->nxt = (struct tcp_seq_hash *) 400 calloc(1, sizeof(*th)); 401 if (th->nxt == NULL) 402 error("tcp_print: calloc"); 403 } 404 th->addr = tha; 405 if (rev) 406 th->ack = seq, th->seq = ack - 1; 407 else 408 th->seq = seq, th->ack = ack - 1; 409 } else { 410 if (rev) 411 seq -= th->ack, ack -= th->seq; 412 else 413 seq -= th->seq, ack -= th->ack; 414 } 415 416 thseq = th->seq; 417 thack = th->ack; 418 } else { 419 /*fool gcc*/ 420 thseq = thack = threv = 0; 421 } 422 if (hlen > length) { 423 (void)printf(" [bad hdr length %u - too long, > %u]", 424 hlen, length); 425 return; 426 } 427 428 if (IP_V(ip) == 4 && vflag && !Kflag && !fragmented) { 429 u_int16_t sum, tcp_sum; 430 if (TTEST2(tp->th_sport, length)) { 431 sum = tcp_cksum(ip, tp, length); 432 433 (void)printf(", cksum 0x%04x",EXTRACT_16BITS(&tp->th_sum)); 434 if (sum != 0) { 435 tcp_sum = EXTRACT_16BITS(&tp->th_sum); 436 (void)printf(" (incorrect -> 0x%04x)",in_cksum_shouldbe(tcp_sum, sum)); 437 } else 438 (void)printf(" (correct)"); 439 } 440 } 441 #ifdef INET6 442 if (IP_V(ip) == 6 && ip6->ip6_plen && vflag && !Kflag && !fragmented) { 443 u_int16_t sum,tcp_sum; 444 if (TTEST2(tp->th_sport, length)) { 445 sum = tcp6_cksum(ip6, tp, length); 446 (void)printf(", cksum 0x%04x",EXTRACT_16BITS(&tp->th_sum)); 447 if (sum != 0) { 448 tcp_sum = EXTRACT_16BITS(&tp->th_sum); 449 (void)printf(" (incorrect -> 0x%04x)",in_cksum_shouldbe(tcp_sum, sum)); 450 } else 451 (void)printf(" (correct)"); 452 453 } 454 } 455 #endif 456 457 length -= hlen; 458 if (vflag > 1 || flags & (TH_SYN | TH_FIN | TH_RST)) { 459 (void)printf(", seq %u", seq); 460 461 if (length > 0) { 462 (void)printf(":%u", seq + length); 463 } 464 } 465 466 if (flags & TH_ACK) { 467 (void)printf(", ack %u", ack); 468 } 469 470 (void)printf(", win %d", win); 471 472 if (flags & TH_URG) 473 (void)printf(", urg %d", urp); 474 /* 475 * Handle any options. 476 */ 477 if (hlen > sizeof(*tp)) { 478 register const u_char *cp; 479 register u_int i, opt, datalen; 480 register u_int len; 481 482 hlen -= sizeof(*tp); 483 cp = (const u_char *)tp + sizeof(*tp); 484 printf(", options ["); 485 while (hlen > 0) { 486 if (ch != '\0') 487 putchar(ch); 488 TCHECK(*cp); 489 opt = *cp++; 490 if (ZEROLENOPT(opt)) 491 len = 1; 492 else { 493 TCHECK(*cp); 494 len = *cp++; /* total including type, len */ 495 if (len < 2 || len > hlen) 496 goto bad; 497 --hlen; /* account for length byte */ 498 } 499 --hlen; /* account for type byte */ 500 datalen = 0; 501 502 /* Bail if "l" bytes of data are not left or were not captured */ 503 #define LENCHECK(l) { if ((l) > hlen) goto bad; TCHECK2(*cp, l); } 504 505 506 printf("%s", tok2str(tcp_option_values, "Unknown Option %u", opt)); 507 508 switch (opt) { 509 510 case TCPOPT_MAXSEG: 511 datalen = 2; 512 LENCHECK(datalen); 513 (void)printf(" %u", EXTRACT_16BITS(cp)); 514 break; 515 516 case TCPOPT_WSCALE: 517 datalen = 1; 518 LENCHECK(datalen); 519 (void)printf(" %u", *cp); 520 break; 521 522 case TCPOPT_SACK: 523 datalen = len - 2; 524 if (datalen % 8 != 0) { 525 (void)printf("malformed sack"); 526 } else { 527 u_int32_t s, e; 528 529 (void)printf(" %d ", datalen / 8); 530 for (i = 0; i < datalen; i += 8) { 531 LENCHECK(i + 4); 532 s = EXTRACT_32BITS(cp + i); 533 LENCHECK(i + 8); 534 e = EXTRACT_32BITS(cp + i + 4); 535 if (threv) { 536 s -= thseq; 537 e -= thseq; 538 } else { 539 s -= thack; 540 e -= thack; 541 } 542 (void)printf("{%u:%u}", s, e); 543 } 544 } 545 break; 546 547 case TCPOPT_CC: 548 case TCPOPT_CCNEW: 549 case TCPOPT_CCECHO: 550 case TCPOPT_ECHO: 551 case TCPOPT_ECHOREPLY: 552 553 /* 554 * those options share their semantics. 555 * fall through 556 */ 557 datalen = 4; 558 LENCHECK(datalen); 559 (void)printf(" %u", EXTRACT_32BITS(cp)); 560 break; 561 562 case TCPOPT_TIMESTAMP: 563 datalen = 8; 564 LENCHECK(datalen); 565 (void)printf(" val %u ecr %u", 566 EXTRACT_32BITS(cp), 567 EXTRACT_32BITS(cp + 4)); 568 break; 569 570 case TCPOPT_SIGNATURE: 571 datalen = TCP_SIGLEN; 572 LENCHECK(datalen); 573 #ifdef HAVE_LIBCRYPTO 574 switch (tcp_verify_signature(ip, tp, 575 bp + TH_OFF(tp) * 4, length, cp)) { 576 577 case SIGNATURE_VALID: 578 (void)printf("valid"); 579 break; 580 581 case SIGNATURE_INVALID: 582 (void)printf("invalid"); 583 break; 584 585 case CANT_CHECK_SIGNATURE: 586 (void)printf("can't check - "); 587 for (i = 0; i < TCP_SIGLEN; ++i) 588 (void)printf("%02x", cp[i]); 589 break; 590 } 591 #else 592 for (i = 0; i < TCP_SIGLEN; ++i) 593 (void)printf("%02x", cp[i]); 594 #endif 595 break; 596 597 case TCPOPT_AUTH: 598 (void)printf("keyid %d", *cp++); 599 datalen = len - 3; 600 for (i = 0; i < datalen; ++i) { 601 LENCHECK(i); 602 (void)printf("%02x", cp[i]); 603 } 604 break; 605 606 607 case TCPOPT_EOL: 608 case TCPOPT_NOP: 609 case TCPOPT_SACKOK: 610 /* 611 * Nothing interesting. 612 * fall through 613 */ 614 break; 615 616 default: 617 datalen = len - 2; 618 for (i = 0; i < datalen; ++i) { 619 LENCHECK(i); 620 (void)printf("%02x", cp[i]); 621 } 622 break; 623 } 624 625 /* Account for data printed */ 626 cp += datalen; 627 hlen -= datalen; 628 629 /* Check specification against observed length */ 630 ++datalen; /* option octet */ 631 if (!ZEROLENOPT(opt)) 632 ++datalen; /* size octet */ 633 if (datalen != len) 634 (void)printf("[len %d]", len); 635 ch = ','; 636 if (opt == TCPOPT_EOL) 637 break; 638 } 639 putchar(']'); 640 } 641 642 /* 643 * Print length field before crawling down the stack. 644 */ 645 printf(", length %u", length); 646 647 if (length <= 0) 648 return; 649 650 /* 651 * Decode payload if necessary. 652 */ 653 bp += TH_OFF(tp) * 4; 654 if ((flags & TH_RST) && vflag) { 655 print_tcp_rst_data(bp, length); 656 return; 657 } 658 659 if (sport == TELNET_PORT || dport == TELNET_PORT) { 660 if (!qflag && vflag) 661 telnet_print(bp, length); 662 } else if (sport == BGP_PORT || dport == BGP_PORT) 663 bgp_print(bp, length); 664 else if (sport == PPTP_PORT || dport == PPTP_PORT) 665 pptp_print(bp); 666 #ifdef TCPDUMP_DO_SMB 667 else if (sport == NETBIOS_SSN_PORT || dport == NETBIOS_SSN_PORT) 668 nbt_tcp_print(bp, length); 669 else if (sport == SMB_PORT || dport == SMB_PORT) 670 smb_tcp_print(bp, length); 671 #endif 672 else if (sport == BEEP_PORT || dport == BEEP_PORT) 673 beep_print(bp, length); 674 else if (length > 2 && 675 (sport == NAMESERVER_PORT || dport == NAMESERVER_PORT || 676 sport == MULTICASTDNS_PORT || dport == MULTICASTDNS_PORT)) { 677 /* 678 * TCP DNS query has 2byte length at the head. 679 * XXX packet could be unaligned, it can go strange 680 */ 681 ns_print(bp + 2, length - 2, 0); 682 } else if (sport == MSDP_PORT || dport == MSDP_PORT) { 683 msdp_print(bp, length); 684 } 685 else if (length > 0 && (sport == LDP_PORT || dport == LDP_PORT)) { 686 ldp_print(bp, length); 687 } 688 689 return; 690 bad: 691 fputs("[bad opt]", stdout); 692 if (ch != '\0') 693 putchar('>'); 694 return; 695 trunc: 696 fputs("[|tcp]", stdout); 697 if (ch != '\0') 698 putchar('>'); 699 } 700 701 /* 702 * RFC1122 says the following on data in RST segments: 703 * 704 * 4.2.2.12 RST Segment: RFC-793 Section 3.4 705 * 706 * A TCP SHOULD allow a received RST segment to include data. 707 * 708 * DISCUSSION 709 * It has been suggested that a RST segment could contain 710 * ASCII text that encoded and explained the cause of the 711 * RST. No standard has yet been established for such 712 * data. 713 * 714 */ 715 716 static void 717 print_tcp_rst_data(register const u_char *sp, u_int length) 718 { 719 int c; 720 721 if (TTEST2(*sp, length)) 722 printf(" [RST"); 723 else 724 printf(" [!RST"); 725 if (length > MAX_RST_DATA_LEN) { 726 length = MAX_RST_DATA_LEN; /* can use -X for longer */ 727 putchar('+'); /* indicate we truncate */ 728 } 729 putchar(' '); 730 while (length-- && sp <= snapend) { 731 c = *sp++; 732 safeputchar(c); 733 } 734 putchar(']'); 735 } 736 737 #ifdef HAVE_LIBCRYPTO 738 static int 739 tcp_verify_signature(const struct ip *ip, const struct tcphdr *tp, 740 const u_char *data, int length, const u_char *rcvsig) 741 { 742 struct tcphdr tp1; 743 u_char sig[TCP_SIGLEN]; 744 char zero_proto = 0; 745 MD5_CTX ctx; 746 u_int16_t savecsum, tlen; 747 #ifdef INET6 748 struct ip6_hdr *ip6; 749 u_int32_t len32; 750 u_int8_t nxt; 751 #endif 752 753 tp1 = *tp; 754 755 if (tcpmd5secret == NULL) 756 return (CANT_CHECK_SIGNATURE); 757 758 MD5_Init(&ctx); 759 /* 760 * Step 1: Update MD5 hash with IP pseudo-header. 761 */ 762 if (IP_V(ip) == 4) { 763 MD5_Update(&ctx, (char *)&ip->ip_src, sizeof(ip->ip_src)); 764 MD5_Update(&ctx, (char *)&ip->ip_dst, sizeof(ip->ip_dst)); 765 MD5_Update(&ctx, (char *)&zero_proto, sizeof(zero_proto)); 766 MD5_Update(&ctx, (char *)&ip->ip_p, sizeof(ip->ip_p)); 767 tlen = EXTRACT_16BITS(&ip->ip_len) - IP_HL(ip) * 4; 768 tlen = htons(tlen); 769 MD5_Update(&ctx, (char *)&tlen, sizeof(tlen)); 770 #ifdef INET6 771 } else if (IP_V(ip) == 6) { 772 ip6 = (struct ip6_hdr *)ip; 773 MD5_Update(&ctx, (char *)&ip6->ip6_src, sizeof(ip6->ip6_src)); 774 MD5_Update(&ctx, (char *)&ip6->ip6_dst, sizeof(ip6->ip6_dst)); 775 len32 = htonl(ntohs(ip6->ip6_plen)); 776 MD5_Update(&ctx, (char *)&len32, sizeof(len32)); 777 nxt = 0; 778 MD5_Update(&ctx, (char *)&nxt, sizeof(nxt)); 779 MD5_Update(&ctx, (char *)&nxt, sizeof(nxt)); 780 MD5_Update(&ctx, (char *)&nxt, sizeof(nxt)); 781 nxt = IPPROTO_TCP; 782 MD5_Update(&ctx, (char *)&nxt, sizeof(nxt)); 783 #endif 784 } else 785 return (CANT_CHECK_SIGNATURE); 786 787 /* 788 * Step 2: Update MD5 hash with TCP header, excluding options. 789 * The TCP checksum must be set to zero. 790 */ 791 savecsum = tp1.th_sum; 792 tp1.th_sum = 0; 793 MD5_Update(&ctx, (char *)&tp1, sizeof(struct tcphdr)); 794 tp1.th_sum = savecsum; 795 /* 796 * Step 3: Update MD5 hash with TCP segment data, if present. 797 */ 798 if (length > 0) 799 MD5_Update(&ctx, data, length); 800 /* 801 * Step 4: Update MD5 hash with shared secret. 802 */ 803 MD5_Update(&ctx, tcpmd5secret, strlen(tcpmd5secret)); 804 MD5_Final(sig, &ctx); 805 806 if (memcmp(rcvsig, sig, TCP_SIGLEN) == 0) 807 return (SIGNATURE_VALID); 808 else 809 return (SIGNATURE_INVALID); 810 } 811 #endif /* HAVE_LIBCRYPTO */ 812 813 /* 814 * Local Variables: 815 * c-style: whitesmith 816 * c-basic-offset: 8 817 * End: 818 */ 819