aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorbms <bms@FreeBSD.org>2004-08-03 09:51:24 +0800
committerbms <bms@FreeBSD.org>2004-08-03 09:51:24 +0800
commit498d2a9fc572e458b25a474d14e3b005c60e572b (patch)
tree4fe5b7f49c1bf4a4bc2257843e3f2eb6259e9f65
parent251ce234aef6ac6b61c044d4cbd28c88fd52a0ac (diff)
downloadfreebsd-ports-gnome-498d2a9fc572e458b25a474d14e3b005c60e572b.tar.gz
freebsd-ports-gnome-498d2a9fc572e458b25a474d14e3b005c60e572b.tar.zst
freebsd-ports-gnome-498d2a9fc572e458b25a474d14e3b005c60e572b.zip
Add optional tcp-md5 verification (crufted from tcpdump CVS) in the
interim, turned on with the WITH_TCPMD5 build-time knob. Note that this stuff is in tcpdump CVS but isn't in any releases yet.
-rw-r--r--net/tcpdump/Makefile5
-rw-r--r--net/tcpdump/files/extra-patch-tcpmd5-print-tcp.c112
-rw-r--r--net/tcpdump/files/extra-patch-tcpmd5-tcp.h19
3 files changed, 136 insertions, 0 deletions
diff --git a/net/tcpdump/Makefile b/net/tcpdump/Makefile
index 444161c57076..3e94bc0a678d 100644
--- a/net/tcpdump/Makefile
+++ b/net/tcpdump/Makefile
@@ -54,6 +54,11 @@ EXTRA_PATCHES+= ${PATCHDIR}/extra-patch-extract.h \
${PATCHDIR}/extra-patch-print-802_11.c
.endif
+.if defined(WITH_TCPMD5)
+EXTRA_PATCHES+= ${PATCHDIR}/extra-patch-tcpmd5-print-tcp.c \
+ ${PATCHDIR}/extra-patch-tcpmd5-tcp.h
+.endif
+
LOCALPCAPDIR= ${WRKDIR}/libpcap-0.8.1
LOCALPCAPFILES= include/pcap.h include/pcap-namedb.h include/pcap-bpf.h \
lib/libpcap.a
diff --git a/net/tcpdump/files/extra-patch-tcpmd5-print-tcp.c b/net/tcpdump/files/extra-patch-tcpmd5-print-tcp.c
new file mode 100644
index 000000000000..bb455293d1bc
--- /dev/null
+++ b/net/tcpdump/files/extra-patch-tcpmd5-print-tcp.c
@@ -0,0 +1,112 @@
+--- print-tcp.c.orig Mon Aug 2 18:47:22 2004
++++ print-tcp.c Mon Aug 2 18:47:30 2004
+@@ -50,6 +50,13 @@
+
+ #include "nameser.h"
+
++#ifdef HAVE_LIBCRYPTO
++#include <openssl/md5.h>
++
++static int tcp_verify_signature(const struct ip *ip, const struct tcphdr *tp,
++ const u_char *data, int length, const u_char *rcvsig);
++#endif
++
+ static void print_tcp_rst_data(register const u_char *sp, u_int length);
+
+ #define MAX_RST_DATA_LEN 30
+@@ -561,6 +568,22 @@
+ (void)printf(" %u", EXTRACT_32BITS(cp));
+ break;
+
++ case TCPOPT_SIGNATURE:
++ (void)printf("md5:");
++ datalen = TCP_SIGLEN;
++ LENCHECK(datalen);
++#ifdef HAVE_LIBCRYPTO
++ if (tcp_verify_signature(ip, tp,
++ bp + TH_OFF(tp) * 4, length, cp) == 0)
++ (void)printf("valid");
++ else
++ (void)printf("invalid");
++#else
++ for (i = 0; i < TCP_SIGLEN; ++i)
++ (void)printf("%02x", cp[i]);
++#endif
++ break;
++
+ default:
+ (void)printf("opt-%u:", opt);
+ datalen = len - 2;
+@@ -673,3 +696,72 @@
+ }
+ putchar(']');
+ }
++
++#ifdef HAVE_LIBCRYPTO
++static int
++tcp_verify_signature(const struct ip *ip, const struct tcphdr *tp,
++ const u_char *data, int length, const u_char *rcvsig)
++{
++ struct tcphdr tp1;
++ char sig[TCP_SIGLEN];
++ char zero_proto = 0;
++ MD5_CTX ctx;
++ u_int16_t savecsum, tlen;
++ struct ip6_hdr *ip6;
++ u_int32_t len32;
++ u_int8_t nxt;
++
++ tp1 = *tp;
++
++ if (tcpmd5secret == NULL)
++ return (-1);
++
++ MD5_Init(&ctx);
++ /*
++ * Step 1: Update MD5 hash with IP pseudo-header.
++ */
++ if (IP_V(ip) == 4) {
++ MD5_Update(&ctx, (char *)&ip->ip_src, sizeof(ip->ip_src));
++ MD5_Update(&ctx, (char *)&ip->ip_dst, sizeof(ip->ip_dst));
++ MD5_Update(&ctx, (char *)&zero_proto, sizeof(zero_proto));
++ MD5_Update(&ctx, (char *)&ip->ip_p, sizeof(ip->ip_p));
++ tlen = EXTRACT_16BITS(&ip->ip_len) - IP_HL(ip) * 4;
++ tlen = htons(tlen);
++ MD5_Update(&ctx, (char *)&tlen, sizeof(tlen));
++ } else if (IP_V(ip) == 6) {
++ ip6 = (struct ip6_hdr *)ip;
++ MD5_Update(&ctx, (char *)&ip6->ip6_src, sizeof(ip6->ip6_src));
++ MD5_Update(&ctx, (char *)&ip6->ip6_dst, sizeof(ip6->ip6_dst));
++ len32 = htonl(ntohs(ip6->ip6_plen));
++ MD5_Update(&ctx, (char *)&len32, sizeof(len32));
++ nxt = 0;
++ MD5_Update(&ctx, (char *)&nxt, sizeof(nxt));
++ MD5_Update(&ctx, (char *)&nxt, sizeof(nxt));
++ MD5_Update(&ctx, (char *)&nxt, sizeof(nxt));
++ nxt = IPPROTO_TCP;
++ MD5_Update(&ctx, (char *)&nxt, sizeof(nxt));
++ } else
++ return (-1);
++
++ /*
++ * Step 2: Update MD5 hash with TCP header, excluding options.
++ * The TCP checksum must be set to zero.
++ */
++ savecsum = tp1.th_sum;
++ tp1.th_sum = 0;
++ MD5_Update(&ctx, (char *)&tp1, sizeof(struct tcphdr));
++ tp1.th_sum = savecsum;
++ /*
++ * Step 3: Update MD5 hash with TCP segment data, if present.
++ */
++ if (length > 0)
++ MD5_Update(&ctx, data, length);
++ /*
++ * Step 4: Update MD5 hash with shared secret.
++ */
++ MD5_Update(&ctx, tcpmd5secret, strlen(tcpmd5secret));
++ MD5_Final(sig, &ctx);
++
++ return (memcmp(rcvsig, sig, 16));
++}
++#endif /* HAVE_LIBCRYPTO */
diff --git a/net/tcpdump/files/extra-patch-tcpmd5-tcp.h b/net/tcpdump/files/extra-patch-tcpmd5-tcp.h
new file mode 100644
index 000000000000..1fee92e0175c
--- /dev/null
+++ b/net/tcpdump/files/extra-patch-tcpmd5-tcp.h
@@ -0,0 +1,19 @@
+--- tcp.h.orig Tue Dec 10 23:14:11 2002
++++ tcp.h Mon Aug 2 18:40:16 2004
+@@ -1,4 +1,4 @@
+-/* @(#) $Header: /tcpdump/master/tcpdump/tcp.h,v 1.10 2002/12/11 07:14:11 guy Exp $ (LBL) */
++/* @(#) $Header: /tcpdump/master/tcpdump/tcp.h,v 1.11 2004/03/23 07:15:37 guy Exp $ (LBL) */
+ /*
+ * Copyright (c) 1982, 1986, 1993
+ * The Regents of the University of California. All rights reserved.
+@@ -75,6 +75,10 @@
+ #define TCPOPT_CC 11 /* T/TCP CC options (rfc1644) */
+ #define TCPOPT_CCNEW 12 /* T/TCP CC options (rfc1644) */
+ #define TCPOPT_CCECHO 13 /* T/TCP CC options (rfc1644) */
++#define TCPOPT_SIGNATURE 19 /* Keyed MD5 (rfc2385) */
++#define TCPOLEN_SIGNATURE 18
++
++#define TCP_SIGLEN 16 /* length of an option 19 digest */
+
+ #define TCPOPT_TSTAMP_HDR \
+ (TCPOPT_NOP<<24|TCPOPT_NOP<<16|TCPOPT_TIMESTAMP<<8|TCPOLEN_TIMESTAMP)