diff options
author | bms <bms@FreeBSD.org> | 2004-08-03 09:51:24 +0800 |
---|---|---|
committer | bms <bms@FreeBSD.org> | 2004-08-03 09:51:24 +0800 |
commit | 498d2a9fc572e458b25a474d14e3b005c60e572b (patch) | |
tree | 4fe5b7f49c1bf4a4bc2257843e3f2eb6259e9f65 | |
parent | 251ce234aef6ac6b61c044d4cbd28c88fd52a0ac (diff) | |
download | freebsd-ports-gnome-498d2a9fc572e458b25a474d14e3b005c60e572b.tar.gz freebsd-ports-gnome-498d2a9fc572e458b25a474d14e3b005c60e572b.tar.zst freebsd-ports-gnome-498d2a9fc572e458b25a474d14e3b005c60e572b.zip |
Add optional tcp-md5 verification (crufted from tcpdump CVS) in the
interim, turned on with the WITH_TCPMD5 build-time knob.
Note that this stuff is in tcpdump CVS but isn't in any releases yet.
-rw-r--r-- | net/tcpdump/Makefile | 5 | ||||
-rw-r--r-- | net/tcpdump/files/extra-patch-tcpmd5-print-tcp.c | 112 | ||||
-rw-r--r-- | net/tcpdump/files/extra-patch-tcpmd5-tcp.h | 19 |
3 files changed, 136 insertions, 0 deletions
diff --git a/net/tcpdump/Makefile b/net/tcpdump/Makefile index 444161c57076..3e94bc0a678d 100644 --- a/net/tcpdump/Makefile +++ b/net/tcpdump/Makefile @@ -54,6 +54,11 @@ EXTRA_PATCHES+= ${PATCHDIR}/extra-patch-extract.h \ ${PATCHDIR}/extra-patch-print-802_11.c .endif +.if defined(WITH_TCPMD5) +EXTRA_PATCHES+= ${PATCHDIR}/extra-patch-tcpmd5-print-tcp.c \ + ${PATCHDIR}/extra-patch-tcpmd5-tcp.h +.endif + LOCALPCAPDIR= ${WRKDIR}/libpcap-0.8.1 LOCALPCAPFILES= include/pcap.h include/pcap-namedb.h include/pcap-bpf.h \ lib/libpcap.a diff --git a/net/tcpdump/files/extra-patch-tcpmd5-print-tcp.c b/net/tcpdump/files/extra-patch-tcpmd5-print-tcp.c new file mode 100644 index 000000000000..bb455293d1bc --- /dev/null +++ b/net/tcpdump/files/extra-patch-tcpmd5-print-tcp.c @@ -0,0 +1,112 @@ +--- print-tcp.c.orig Mon Aug 2 18:47:22 2004 ++++ print-tcp.c Mon Aug 2 18:47:30 2004 +@@ -50,6 +50,13 @@ + + #include "nameser.h" + ++#ifdef HAVE_LIBCRYPTO ++#include <openssl/md5.h> ++ ++static int tcp_verify_signature(const struct ip *ip, const struct tcphdr *tp, ++ const u_char *data, int length, const u_char *rcvsig); ++#endif ++ + static void print_tcp_rst_data(register const u_char *sp, u_int length); + + #define MAX_RST_DATA_LEN 30 +@@ -561,6 +568,22 @@ + (void)printf(" %u", EXTRACT_32BITS(cp)); + break; + ++ case TCPOPT_SIGNATURE: ++ (void)printf("md5:"); ++ datalen = TCP_SIGLEN; ++ LENCHECK(datalen); ++#ifdef HAVE_LIBCRYPTO ++ if (tcp_verify_signature(ip, tp, ++ bp + TH_OFF(tp) * 4, length, cp) == 0) ++ (void)printf("valid"); ++ else ++ (void)printf("invalid"); ++#else ++ for (i = 0; i < TCP_SIGLEN; ++i) ++ (void)printf("%02x", cp[i]); ++#endif ++ break; ++ + default: + (void)printf("opt-%u:", opt); + datalen = len - 2; +@@ -673,3 +696,72 @@ + } + putchar(']'); + } ++ ++#ifdef HAVE_LIBCRYPTO ++static int ++tcp_verify_signature(const struct ip *ip, const struct tcphdr *tp, ++ const u_char *data, int length, const u_char *rcvsig) ++{ ++ struct tcphdr tp1; ++ char sig[TCP_SIGLEN]; ++ char zero_proto = 0; ++ MD5_CTX ctx; ++ u_int16_t savecsum, tlen; ++ struct ip6_hdr *ip6; ++ u_int32_t len32; ++ u_int8_t nxt; ++ ++ tp1 = *tp; ++ ++ if (tcpmd5secret == NULL) ++ return (-1); ++ ++ MD5_Init(&ctx); ++ /* ++ * Step 1: Update MD5 hash with IP pseudo-header. ++ */ ++ if (IP_V(ip) == 4) { ++ MD5_Update(&ctx, (char *)&ip->ip_src, sizeof(ip->ip_src)); ++ MD5_Update(&ctx, (char *)&ip->ip_dst, sizeof(ip->ip_dst)); ++ MD5_Update(&ctx, (char *)&zero_proto, sizeof(zero_proto)); ++ MD5_Update(&ctx, (char *)&ip->ip_p, sizeof(ip->ip_p)); ++ tlen = EXTRACT_16BITS(&ip->ip_len) - IP_HL(ip) * 4; ++ tlen = htons(tlen); ++ MD5_Update(&ctx, (char *)&tlen, sizeof(tlen)); ++ } else if (IP_V(ip) == 6) { ++ ip6 = (struct ip6_hdr *)ip; ++ MD5_Update(&ctx, (char *)&ip6->ip6_src, sizeof(ip6->ip6_src)); ++ MD5_Update(&ctx, (char *)&ip6->ip6_dst, sizeof(ip6->ip6_dst)); ++ len32 = htonl(ntohs(ip6->ip6_plen)); ++ MD5_Update(&ctx, (char *)&len32, sizeof(len32)); ++ nxt = 0; ++ MD5_Update(&ctx, (char *)&nxt, sizeof(nxt)); ++ MD5_Update(&ctx, (char *)&nxt, sizeof(nxt)); ++ MD5_Update(&ctx, (char *)&nxt, sizeof(nxt)); ++ nxt = IPPROTO_TCP; ++ MD5_Update(&ctx, (char *)&nxt, sizeof(nxt)); ++ } else ++ return (-1); ++ ++ /* ++ * Step 2: Update MD5 hash with TCP header, excluding options. ++ * The TCP checksum must be set to zero. ++ */ ++ savecsum = tp1.th_sum; ++ tp1.th_sum = 0; ++ MD5_Update(&ctx, (char *)&tp1, sizeof(struct tcphdr)); ++ tp1.th_sum = savecsum; ++ /* ++ * Step 3: Update MD5 hash with TCP segment data, if present. ++ */ ++ if (length > 0) ++ MD5_Update(&ctx, data, length); ++ /* ++ * Step 4: Update MD5 hash with shared secret. ++ */ ++ MD5_Update(&ctx, tcpmd5secret, strlen(tcpmd5secret)); ++ MD5_Final(sig, &ctx); ++ ++ return (memcmp(rcvsig, sig, 16)); ++} ++#endif /* HAVE_LIBCRYPTO */ diff --git a/net/tcpdump/files/extra-patch-tcpmd5-tcp.h b/net/tcpdump/files/extra-patch-tcpmd5-tcp.h new file mode 100644 index 000000000000..1fee92e0175c --- /dev/null +++ b/net/tcpdump/files/extra-patch-tcpmd5-tcp.h @@ -0,0 +1,19 @@ +--- tcp.h.orig Tue Dec 10 23:14:11 2002 ++++ tcp.h Mon Aug 2 18:40:16 2004 +@@ -1,4 +1,4 @@ +-/* @(#) $Header: /tcpdump/master/tcpdump/tcp.h,v 1.10 2002/12/11 07:14:11 guy Exp $ (LBL) */ ++/* @(#) $Header: /tcpdump/master/tcpdump/tcp.h,v 1.11 2004/03/23 07:15:37 guy Exp $ (LBL) */ + /* + * Copyright (c) 1982, 1986, 1993 + * The Regents of the University of California. All rights reserved. +@@ -75,6 +75,10 @@ + #define TCPOPT_CC 11 /* T/TCP CC options (rfc1644) */ + #define TCPOPT_CCNEW 12 /* T/TCP CC options (rfc1644) */ + #define TCPOPT_CCECHO 13 /* T/TCP CC options (rfc1644) */ ++#define TCPOPT_SIGNATURE 19 /* Keyed MD5 (rfc2385) */ ++#define TCPOLEN_SIGNATURE 18 ++ ++#define TCP_SIGLEN 16 /* length of an option 19 digest */ + + #define TCPOPT_TSTAMP_HDR \ + (TCPOPT_NOP<<24|TCPOPT_NOP<<16|TCPOPT_TIMESTAMP<<8|TCPOLEN_TIMESTAMP) |