Add optional tcp-md5 verification (crufted from tcpdump CVS) in the

interim, turned on with the WITH_TCPMD5 build-time knob.
Note that this stuff is in tcpdump CVS but isn't in any releases yet.

3 files changed, 136 insertions, 0 deletions

diff --git a/net/tcpdump/Makefile b/net/tcpdump/Makefile
index 444161c57076..3e94bc0a678d 100644
--- a/net/tcpdump/Makefile
+++ b/net/tcpdump/Makefile
@@ -54,6 +54,11 @@ EXTRA_PATCHES+=	${PATCHDIR}/extra-patch-extract.h \
 		${PATCHDIR}/extra-patch-print-802_11.c
 .endif
 
+.if defined(WITH_TCPMD5)
+EXTRA_PATCHES+=	${PATCHDIR}/extra-patch-tcpmd5-print-tcp.c \
+		${PATCHDIR}/extra-patch-tcpmd5-tcp.h
+.endif
+
 LOCALPCAPDIR=	${WRKDIR}/libpcap-0.8.1
 LOCALPCAPFILES= include/pcap.h include/pcap-namedb.h include/pcap-bpf.h \
 		lib/libpcap.a
diff --git a/net/tcpdump/files/extra-patch-tcpmd5-print-tcp.c b/net/tcpdump/files/extra-patch-tcpmd5-print-tcp.c
new file mode 100644
index 000000000000..bb455293d1bc
--- /dev/null
+++ b/net/tcpdump/files/extra-patch-tcpmd5-print-tcp.c
@@ -0,0 +1,112 @@
+--- print-tcp.c.orig	Mon Aug  2 18:47:22 2004
++++ print-tcp.c	Mon Aug  2 18:47:30 2004
+@@ -50,6 +50,13 @@
+ 
+ #include "nameser.h"
+ 
++#ifdef HAVE_LIBCRYPTO
++#include <openssl/md5.h>
++
++static int tcp_verify_signature(const struct ip *ip, const struct tcphdr *tp,
++    const u_char *data, int length, const u_char *rcvsig);
++#endif
++
+ static void print_tcp_rst_data(register const u_char *sp, u_int length);
+ 
+ #define MAX_RST_DATA_LEN	30
+@@ -561,6 +568,22 @@
+ 				(void)printf(" %u", EXTRACT_32BITS(cp));
+ 				break;
+ 
++			case TCPOPT_SIGNATURE:
++				(void)printf("md5:");
++				datalen = TCP_SIGLEN;
++				LENCHECK(datalen);
++#ifdef HAVE_LIBCRYPTO
++				if (tcp_verify_signature(ip, tp,
++				    bp + TH_OFF(tp) * 4, length, cp) == 0)
++					(void)printf("valid");
++				else
++					(void)printf("invalid");
++#else
++				for (i = 0; i < TCP_SIGLEN; ++i)
++					(void)printf("%02x", cp[i]);
++#endif
++				break;
++
+ 			default:
+ 				(void)printf("opt-%u:", opt);
+ 				datalen = len - 2;
+@@ -673,3 +696,72 @@
+ 	}
+ 	putchar(']');
+ }
++
++#ifdef HAVE_LIBCRYPTO
++static int
++tcp_verify_signature(const struct ip *ip, const struct tcphdr *tp,
++    const u_char *data, int length, const u_char *rcvsig)
++{
++        struct tcphdr tp1;
++	char sig[TCP_SIGLEN];
++	char zero_proto = 0;
++	MD5_CTX ctx;
++	u_int16_t savecsum, tlen;
++	struct ip6_hdr *ip6;
++	u_int32_t len32;
++	u_int8_t nxt;
++
++	tp1 = *tp;
++
++	if (tcpmd5secret == NULL)
++		return (-1);
++
++	MD5_Init(&ctx);
++	/*
++	 * Step 1: Update MD5 hash with IP pseudo-header.
++	 */
++	if (IP_V(ip) == 4) {
++		MD5_Update(&ctx, (char *)&ip->ip_src, sizeof(ip->ip_src));
++		MD5_Update(&ctx, (char *)&ip->ip_dst, sizeof(ip->ip_dst));
++		MD5_Update(&ctx, (char *)&zero_proto, sizeof(zero_proto));
++		MD5_Update(&ctx, (char *)&ip->ip_p, sizeof(ip->ip_p));
++		tlen = EXTRACT_16BITS(&ip->ip_len) - IP_HL(ip) * 4;
++		tlen = htons(tlen);
++		MD5_Update(&ctx, (char *)&tlen, sizeof(tlen));
++	} else if (IP_V(ip) == 6) {
++		ip6 = (struct ip6_hdr *)ip;
++		MD5_Update(&ctx, (char *)&ip6->ip6_src, sizeof(ip6->ip6_src));
++		MD5_Update(&ctx, (char *)&ip6->ip6_dst, sizeof(ip6->ip6_dst));
++		len32 = htonl(ntohs(ip6->ip6_plen));
++		MD5_Update(&ctx, (char *)&len32, sizeof(len32));
++		nxt = 0;
++		MD5_Update(&ctx, (char *)&nxt, sizeof(nxt));
++		MD5_Update(&ctx, (char *)&nxt, sizeof(nxt));
++		MD5_Update(&ctx, (char *)&nxt, sizeof(nxt));
++		nxt = IPPROTO_TCP;
++		MD5_Update(&ctx, (char *)&nxt, sizeof(nxt));
++	} else
++		return (-1);
++
++	/*
++	 * Step 2: Update MD5 hash with TCP header, excluding options.
++	 * The TCP checksum must be set to zero.
++	 */
++	savecsum = tp1.th_sum;
++	tp1.th_sum = 0;
++	MD5_Update(&ctx, (char *)&tp1, sizeof(struct tcphdr));
++	tp1.th_sum = savecsum;
++	/*
++	 * Step 3: Update MD5 hash with TCP segment data, if present.
++	 */
++	if (length > 0)
++		MD5_Update(&ctx, data, length);
++	/*
++	 * Step 4: Update MD5 hash with shared secret.
++	 */
++	MD5_Update(&ctx, tcpmd5secret, strlen(tcpmd5secret));
++	MD5_Final(sig, &ctx);
++
++	return (memcmp(rcvsig, sig, 16));
++}
++#endif /* HAVE_LIBCRYPTO */
diff --git a/net/tcpdump/files/extra-patch-tcpmd5-tcp.h b/net/tcpdump/files/extra-patch-tcpmd5-tcp.h
new file mode 100644
index 000000000000..1fee92e0175c
--- /dev/null
+++ b/net/tcpdump/files/extra-patch-tcpmd5-tcp.h
@@ -0,0 +1,19 @@
+--- tcp.h.orig	Tue Dec 10 23:14:11 2002
++++ tcp.h	Mon Aug  2 18:40:16 2004
+@@ -1,4 +1,4 @@
+-/* @(#) $Header: /tcpdump/master/tcpdump/tcp.h,v 1.10 2002/12/11 07:14:11 guy Exp $ (LBL) */
++/* @(#) $Header: /tcpdump/master/tcpdump/tcp.h,v 1.11 2004/03/23 07:15:37 guy Exp $ (LBL) */
+ /*
+  * Copyright (c) 1982, 1986, 1993
+  *	The Regents of the University of California.  All rights reserved.
+@@ -75,6 +75,10 @@
+ #define TCPOPT_CC		11	/* T/TCP CC options (rfc1644) */
+ #define TCPOPT_CCNEW		12	/* T/TCP CC options (rfc1644) */
+ #define TCPOPT_CCECHO		13	/* T/TCP CC options (rfc1644) */
++#define TCPOPT_SIGNATURE	19	/* Keyed MD5 (rfc2385) */
++#define    TCPOLEN_SIGNATURE		18
++
++#define TCP_SIGLEN 16			/* length of an option 19 digest */
+ 
+ #define TCPOPT_TSTAMP_HDR	\
+     (TCPOPT_NOP<<24|TCPOPT_NOP<<16|TCPOPT_TIMESTAMP<<8|TCPOLEN_TIMESTAMP)