/* Copyright (c) 2008 Victor Julien */ #include "suricata-common.h" #include "decode.h" #include "decode-tcp.h" #include "decode-events.h" #include "util-unittest.h" #include "util-debug.h" #include "flow.h" /** * \brief Calculates the checksum for the TCP packet * * \param shdr Pointer to source address field from the IP packet. Used as a * part of the psuedoheader for computing the checksum * \param pkt Pointer to the start of the TCP packet * \param hlen Total length of the TCP packet(header + payload) * * \retval csum Checksum for the TCP packet */ inline uint16_t TCPCalculateChecksum(uint16_t *shdr, uint16_t *pkt, uint16_t tlen) { uint16_t pad = 0; uint32_t csum = shdr[0]; csum += shdr[1] + shdr[2] + shdr[3] + htons(6 + tlen); csum += pkt[0] + pkt[1] + pkt[2] + pkt[3] + pkt[4] + pkt[5] + pkt[6] + pkt[7] + pkt[9]; tlen -= 20; pkt += 10; while (tlen >= 32) { csum += pkt[0] + pkt[1] + pkt[2] + pkt[3] + pkt[4] + pkt[5] + pkt[6] + pkt[7] + pkt[8] + pkt[9] + pkt[10] + pkt[11] + pkt[12] + pkt[13] + pkt[14] + pkt[15]; tlen -= 32; pkt += 16; } while(tlen >= 8) { csum += pkt[0] + pkt[1] + pkt[2] + pkt[3]; tlen -= 8; pkt += 4; } while(tlen >= 4) { csum += pkt[0] + pkt[1]; tlen -= 4; pkt += 2; } while (tlen > 1) { csum += pkt[0]; pkt += 1; tlen -= 2; } if (tlen == 1) { *(uint8_t *)(&pad) = (*(uint8_t *)pkt); csum += pad; } csum = (csum >> 16) + (csum & 0x0000FFFF); return (uint16_t) ~csum; } /** * \brief Calculates the checksum for the TCP packet * * \param shdr Pointer to source address field from the IPV6 packet. Used as a * part of the psuedoheader for computing the checksum * \param pkt Pointer to the start of the TCP packet * \param tlen Total length of the TCP packet(header + payload) * * \retval csum Checksum for the TCP packet */ inline uint16_t TCPV6CalculateChecksum(uint16_t *shdr, uint16_t *pkt, uint16_t tlen) { uint16_t pad = 0; uint32_t csum = shdr[0]; csum += shdr[1] + shdr[2] + shdr[3] + shdr[4] + shdr[5] + shdr[6] + shdr[7] + shdr[8] + shdr[9] + shdr[10] + shdr[11] + shdr[12] + shdr[13] + shdr[14] + shdr[15] + htons(6 + tlen); csum += pkt[0] + pkt[1] + pkt[2] + pkt[3] + pkt[4] + pkt[5] + pkt[6] + pkt[7] + pkt[9]; tlen -= 20; pkt += 10; while (tlen >= 32) { csum += pkt[0] + pkt[1] + pkt[2] + pkt[3] + pkt[4] + pkt[5] + pkt[6] + pkt[7] + pkt[8] + pkt[9] + pkt[10] + pkt[11] + pkt[12] + pkt[13] + pkt[14] + pkt[15]; tlen -= 32; pkt += 16; } while(tlen >= 8) { csum += pkt[0] + pkt[1] + pkt[2] + pkt[3]; tlen -= 8; pkt += 4; } while(tlen >= 4) { csum += pkt[0] + pkt[1]; tlen -= 4; pkt += 2; } while (tlen > 1) { csum += pkt[0]; pkt += 1; tlen -= 2; } if (tlen == 1) { *(uint8_t *)(&pad) = (*(uint8_t *)pkt); csum += pad; } csum = (csum >> 16) + (csum & 0x0000FFFF); return (uint16_t) ~csum; } static int DecodeTCPOptions(ThreadVars *tv, Packet *p, uint8_t *pkt, uint16_t len) { uint16_t plen = len; while (plen) { /* single byte options */ if (*pkt == TCP_OPT_EOL) { break; } else if (*pkt == TCP_OPT_NOP) { pkt++; plen--; /* multibyte options */ } else { if (plen < 2) { break; } /* we already know that the total options len is valid, * so here the len of the specific option must be bad. * Also check for invalid lengths 0 and 1. */ if (*(pkt+1) > plen || *(pkt+1) < 2) { DECODER_SET_EVENT(p,TCP_OPT_INVALID_LEN); return -1; } p->TCP_OPTS[p->TCP_OPTS_CNT].type = *pkt; p->TCP_OPTS[p->TCP_OPTS_CNT].len = *(pkt+1); if (plen > 2) p->TCP_OPTS[p->TCP_OPTS_CNT].data = (pkt+2); else p->TCP_OPTS[p->TCP_OPTS_CNT].data = NULL; /* we are parsing the most commonly used opts to prevent * us from having to walk the opts list for these all the * time. */ switch (p->TCP_OPTS[p->TCP_OPTS_CNT].type) { case TCP_OPT_WS: if (p->TCP_OPTS[p->TCP_OPTS_CNT].len != TCP_OPT_WS_LEN) { DECODER_SET_EVENT(p,TCP_OPT_INVALID_LEN); } else { if (p->tcpvars.ws != NULL) { DECODER_SET_EVENT(p,TCP_OPT_DUPLICATE); } else { p->tcpvars.ws = &p->TCP_OPTS[p->TCP_OPTS_CNT]; } } break; case TCP_OPT_MSS: if (p->TCP_OPTS[p->TCP_OPTS_CNT].len != TCP_OPT_MSS_LEN) { DECODER_SET_EVENT(p,TCP_OPT_INVALID_LEN); } else { if (p->tcpvars.mss != NULL) { DECODER_SET_EVENT(p,TCP_OPT_DUPLICATE); } else { p->tcpvars.mss = &p->TCP_OPTS[p->TCP_OPTS_CNT]; } } break; case TCP_OPT_SACKOK: if (p->TCP_OPTS[p->TCP_OPTS_CNT].len != TCP_OPT_SACKOK_LEN) { DECODER_SET_EVENT(p,TCP_OPT_INVALID_LEN); } else { if (p->tcpvars.sackok != NULL) { DECODER_SET_EVENT(p,TCP_OPT_DUPLICATE); } else { p->tcpvars.sackok = &p->TCP_OPTS[p->TCP_OPTS_CNT]; } } break; case TCP_OPT_TS: if (p->TCP_OPTS[p->TCP_OPTS_CNT].len != TCP_OPT_TS_LEN) { DECODER_SET_EVENT(p,TCP_OPT_INVALID_LEN); } else { if (p->tcpvars.ts != NULL) { DECODER_SET_EVENT(p,TCP_OPT_DUPLICATE); } else { p->tcpvars.ts = &p->TCP_OPTS[p->TCP_OPTS_CNT]; } } break; } pkt += p->TCP_OPTS[p->TCP_OPTS_CNT].len; plen -= (p->TCP_OPTS[p->TCP_OPTS_CNT].len); p->TCP_OPTS_CNT++; } } return 0; } static int DecodeTCPPacket(ThreadVars *tv, Packet *p, uint8_t *pkt, uint16_t len) { if (len < TCP_HEADER_LEN) { DECODER_SET_EVENT(p, TCP_PKT_TOO_SMALL); return -1; } p->tcph = (TCPHdr *)pkt; p->tcpvars.hlen = TCP_GET_HLEN(p); if (len < p->tcpvars.hlen) { DECODER_SET_EVENT(p, TCP_HLEN_TOO_SMALL); return -1; } SET_TCP_SRC_PORT(p,&p->sp); SET_TCP_DST_PORT(p,&p->dp); p->tcpvars.tcp_opt_len = p->tcpvars.hlen - TCP_HEADER_LEN; if (p->tcpvars.tcp_opt_len > TCP_OPTLENMAX) { DECODER_SET_EVENT(p, TCP_INVALID_OPTLEN); return -1; } if (p->tcpvars.tcp_opt_len > 0) { DecodeTCPOptions(tv, p, pkt + TCP_HEADER_LEN, p->tcpvars.tcp_opt_len); } p->payload = pkt + p->tcpvars.hlen; p->payload_len = len - p->tcpvars.hlen; p->proto = IPPROTO_TCP; return 0; } void DecodeTCP(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt, uint16_t len, PacketQueue *pq) { SCPerfCounterIncr(dtv->counter_tcp, tv->sc_perf_pca); if (DecodeTCPPacket(tv, p,pkt,len) < 0) { p->tcph = NULL; return; } #ifdef DEBUG SCLogDebug("TCP sp: %" PRIu32 " -> dp: %" PRIu32 " - HLEN: %" PRIu32 " LEN: %" PRIu32 " %s%s%s%s", GET_TCP_SRC_PORT(p), GET_TCP_DST_PORT(p), p->tcpvars.hlen, len, p->tcpvars.sackok ? "SACKOK " : "", p->tcpvars.ws ? "WS " : "", p->tcpvars.ts ? "TS " : "", p->tcpvars.mss ? "MSS " : ""); #endif /* Flow is an integral part of us */ FlowHandlePacket(tv, p); return; } #ifdef UNITTESTS static int TCPCalculateValidChecksumtest01(void) { uint16_t csum = 0; uint8_t raw_ipshdr[] = { 0x40, 0x8e, 0x7e, 0xb2, 0xc0, 0xa8, 0x01, 0x03}; uint8_t raw_tcp[] = { 0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c, 0xcf, 0x0d, 0x21, 0x80, 0xa0, 0x12, 0x16, 0xa0, 0xfa, 0x03, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4, 0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73, 0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 02}; csum = *( ((uint16_t *)raw_tcp) + 8); return (csum == TCPCalculateChecksum((uint16_t *) raw_ipshdr, (uint16_t *)raw_tcp, sizeof(raw_tcp))); } static int TCPCalculateInvalidChecksumtest02(void) { uint16_t csum = 0; uint8_t raw_ipshdr[] = { 0x40, 0x8e, 0x7e, 0xb2, 0xc0, 0xa8, 0x01, 0x03}; uint8_t raw_tcp[] = { 0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c, 0xcf, 0x0d, 0x21, 0x80, 0xa0, 0x12, 0x16, 0xa0, 0xfa, 0x03, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4, 0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73, 0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 03}; csum = *( ((uint16_t *)raw_tcp) + 8); return (csum == TCPCalculateChecksum((uint16_t *) raw_ipshdr, (uint16_t *)raw_tcp, sizeof(raw_tcp))); } static int TCPV6CalculateValidChecksumtest03(void) { uint16_t csum = 0; static uint8_t raw_ipv6[] = { 0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00, 0x86, 0x05, 0x80, 0xda, 0x86, 0xdd, 0x60, 0x00, 0x00, 0x00, 0x00, 0x20, 0x06, 0x40, 0x3f, 0xfe, 0x05, 0x07, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00, 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda, 0x3f, 0xfe, 0x05, 0x01, 0x04, 0x10, 0x00, 0x00, 0x02, 0xc0, 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e, 0x03, 0xfe, 0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d, 0x0c, 0x7a, 0x08, 0x77, 0x80, 0x10, 0x21, 0x5c, 0xc2, 0xf1, 0x00, 0x00, 0x01, 0x01, 0x08, 0x0a, 0x00, 0x08, 0xca, 0x5a, 0x00, 0x01, 0x69, 0x27}; csum = *( ((uint16_t *)(raw_ipv6 + 70))); return (csum == TCPV6CalculateChecksum((uint16_t *)(raw_ipv6 + 14 + 8), (uint16_t *)(raw_ipv6 + 54), 32)); } static int TCPV6CalculateInvalidChecksumtest04(void) { uint16_t csum = 0; static uint8_t raw_ipv6[] = { 0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00, 0x86, 0x05, 0x80, 0xda, 0x86, 0xdd, 0x60, 0x00, 0x00, 0x00, 0x00, 0x20, 0x06, 0x40, 0x3f, 0xfe, 0x05, 0x07, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00, 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda, 0x3f, 0xfe, 0x05, 0x01, 0x04, 0x10, 0x00, 0x00, 0x02, 0xc0, 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e, 0x03, 0xfe, 0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d, 0x0c, 0x7a, 0x08, 0x77, 0x80, 0x10, 0x21, 0x5c, 0xc2, 0xf1, 0x00, 0x00, 0x01, 0x01, 0x08, 0x0a, 0x00, 0x08, 0xca, 0x5a, 0x00, 0x01, 0x69, 0x28}; csum = *( ((uint16_t *)(raw_ipv6 + 70))); return (csum == TCPV6CalculateChecksum((uint16_t *)(raw_ipv6 + 14 + 8), (uint16_t *)(raw_ipv6 + 54), 32)); } /** \test Get the wscale of 2 */ static int TCPGetWscaleTest01(void) { int retval = 0; static uint8_t raw_tcp[] = {0xda, 0xc1, 0x00, 0x50, 0xb6, 0x21, 0x7f, 0x58, 0x00, 0x00, 0x00, 0x00, 0xa0, 0x02, 0x16, 0xd0, 0x8a, 0xaf, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4, 0x04, 0x02, 0x08, 0x0a, 0x00, 0x62, 0x88, 0x28, 0x00, 0x00, 0x00, 0x00, 0x01, 0x03, 0x03, 0x02}; Packet p; IPV4Hdr ip4h; ThreadVars tv; DecodeThreadVars dtv; memset(&tv, 0, sizeof(ThreadVars)); memset(&p, 0, sizeof(Packet)); memset(&dtv, 0, sizeof(DecodeThreadVars)); memset(&ip4h, 0, sizeof(IPV4Hdr)); p.src.family = AF_INET; p.dst.family = AF_INET; p.ip4h = &ip4h; FlowInitConfig(FLOW_QUIET); DecodeTCP(&tv, &dtv, &p, raw_tcp, sizeof(raw_tcp), NULL); FlowShutdown(); if (p.tcph == NULL) { printf("tcp packet decode failed: "); goto end; } uint8_t wscale = TCP_GET_WSCALE(&p); if (wscale != 2) { printf("wscale %"PRIu8", expected 2: ", wscale); goto end; } retval = 1; end: return retval; } /** \test Get the wscale of 15, so see if return 0 properly */ static int TCPGetWscaleTest02(void) { int retval = 0; static uint8_t raw_tcp[] = {0xda, 0xc1, 0x00, 0x50, 0xb6, 0x21, 0x7f, 0x58, 0x00, 0x00, 0x00, 0x00, 0xa0, 0x02, 0x16, 0xd0, 0x8a, 0xaf, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4, 0x04, 0x02, 0x08, 0x0a, 0x00, 0x62, 0x88, 0x28, 0x00, 0x00, 0x00, 0x00, 0x01, 0x03, 0x03, 0x0f}; Packet p; IPV4Hdr ip4h; ThreadVars tv; DecodeThreadVars dtv; memset(&tv, 0, sizeof(ThreadVars)); memset(&p, 0, sizeof(Packet)); memset(&dtv, 0, sizeof(DecodeThreadVars)); memset(&ip4h, 0, sizeof(IPV4Hdr)); p.src.family = AF_INET; p.dst.family = AF_INET; p.ip4h = &ip4h; FlowInitConfig(FLOW_QUIET); DecodeTCP(&tv, &dtv, &p, raw_tcp, sizeof(raw_tcp), NULL); FlowShutdown(); if (p.tcph == NULL) { printf("tcp packet decode failed: "); goto end; } uint8_t wscale = TCP_GET_WSCALE(&p); if (wscale != 0) { printf("wscale %"PRIu8", expected 0: ", wscale); goto end; } retval = 1; end: return retval; } /** \test Get the wscale, but it's missing, so see if return 0 properly */ static int TCPGetWscaleTest03(void) { int retval = 0; static uint8_t raw_tcp[] = {0xda, 0xc1, 0x00, 0x50, 0xb6, 0x21, 0x7f, 0x59, 0xdd, 0xa3, 0x6f, 0xf8, 0x80, 0x10, 0x05, 0xb4, 0x7c, 0x70, 0x00, 0x00, 0x01, 0x01, 0x08, 0x0a, 0x00, 0x62, 0x88, 0x9e, 0x00, 0x00, 0x00, 0x00}; Packet p; IPV4Hdr ip4h; ThreadVars tv; DecodeThreadVars dtv; memset(&tv, 0, sizeof(ThreadVars)); memset(&p, 0, sizeof(Packet)); memset(&dtv, 0, sizeof(DecodeThreadVars)); memset(&ip4h, 0, sizeof(IPV4Hdr)); p.src.family = AF_INET; p.dst.family = AF_INET; p.ip4h = &ip4h; FlowInitConfig(FLOW_QUIET); DecodeTCP(&tv, &dtv, &p, raw_tcp, sizeof(raw_tcp), NULL); FlowShutdown(); if (p.tcph == NULL) { printf("tcp packet decode failed: "); goto end; } uint8_t wscale = TCP_GET_WSCALE(&p); if (wscale != 0) { printf("wscale %"PRIu8", expected 0: ", wscale); goto end; } retval = 1; end: return retval; } #endif /* UNITTESTS */ void DecodeTCPRegisterTests(void) { #ifdef UNITTESTS UtRegisterTest("TCPCalculateValidChecksumtest01", TCPCalculateValidChecksumtest01, 1); UtRegisterTest("TCPCalculateInvalidChecksumtest02", TCPCalculateInvalidChecksumtest02, 0); UtRegisterTest("TCPV6CalculateValidChecksumtest03", TCPV6CalculateValidChecksumtest03, 1); UtRegisterTest("TCPV6CalculateInvalidChecksumtest04", TCPV6CalculateInvalidChecksumtest04, 0); UtRegisterTest("TCPGetWscaleTest01", TCPGetWscaleTest01, 1); UtRegisterTest("TCPGetWscaleTest02", TCPGetWscaleTest02, 1); UtRegisterTest("TCPGetWscaleTest03", TCPGetWscaleTest03, 1); #endif /* UNITTESTS */ }