suricata
decode-tcp.h
Go to the documentation of this file.
1 /* Copyright (C) 2007-2013 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  * \todo RAW* macro's should be returning the raw value, not the host order
23  */
24 
25 #ifndef __DECODE_TCP_H__
26 #define __DECODE_TCP_H__
27 
28 #define TCP_HEADER_LEN 20
29 #define TCP_OPTLENMAX 40
30 #define TCP_OPTMAX 20 /* every opt is at least 2 bytes
31  * (type + len), except EOL and NOP */
32 
33 /* TCP flags */
34 
35 #define TH_FIN 0x01
36 #define TH_SYN 0x02
37 #define TH_RST 0x04
38 #define TH_PUSH 0x08
39 #define TH_ACK 0x10
40 #define TH_URG 0x20
41 /** Establish a new connection reducing window */
42 #define TH_ECN 0x40
43 /** Echo Congestion flag */
44 #define TH_CWR 0x80
45 
46 /* tcp option codes */
47 #define TCP_OPT_EOL 0x00
48 #define TCP_OPT_NOP 0x01
49 #define TCP_OPT_MSS 0x02
50 #define TCP_OPT_WS 0x03
51 #define TCP_OPT_SACKOK 0x04
52 #define TCP_OPT_SACK 0x05
53 #define TCP_OPT_TS 0x08
54 #define TCP_OPT_TFO 0x22 /* TCP Fast Open */
55 #define TCP_OPT_EXP1 0xfd /* Experimental, could be TFO */
56 #define TCP_OPT_EXP2 0xfe /* Experimental, could be TFO */
57 #define TCP_OPT_MD5 0x13 /* 19: RFC 2385 TCP MD5 option */
58 #define TCP_OPT_AO 0x1d /* 29: RFC 5925 TCP AO option */
59 
60 #define TCP_OPT_SACKOK_LEN 2
61 #define TCP_OPT_WS_LEN 3
62 #define TCP_OPT_TS_LEN 10
63 #define TCP_OPT_MSS_LEN 4
64 #define TCP_OPT_SACK_MIN_LEN 10 /* hdr 2, 1 pair 8 = 10 */
65 #define TCP_OPT_SACK_MAX_LEN 34 /* hdr 2, 4 pair 32= 34 */
66 #define TCP_OPT_TFO_MIN_LEN 6 /* kind, len, 6 */
67 #define TCP_OPT_TFO_MAX_LEN 18 /* kind, len, 18 */
68 
69 /** Max valid wscale value. */
70 #define TCP_WSCALE_MAX 14
71 
72 #define TCP_GET_RAW_OFFSET(tcph) (((tcph)->th_offx2 & 0xf0) >> 4)
73 #define TCP_GET_RAW_X2(tcph) (unsigned char)((tcph)->th_offx2 & 0x0f)
74 #define TCP_GET_RAW_SRC_PORT(tcph) SCNtohs((tcph)->th_sport)
75 #define TCP_GET_RAW_DST_PORT(tcph) SCNtohs((tcph)->th_dport)
76 
77 #define TCP_SET_RAW_TCP_OFFSET(tcph, value) ((tcph)->th_offx2 = (unsigned char)(((tcph)->th_offx2 & 0x0f) | (value << 4)))
78 #define TCP_SET_RAW_TCP_X2(tcph, value) ((tcph)->th_offx2 = (unsigned char)(((tcph)->th_offx2 & 0xf0) | (value & 0x0f)))
79 
80 #define TCP_GET_RAW_SEQ(tcph) SCNtohl((tcph)->th_seq)
81 #define TCP_GET_RAW_ACK(tcph) SCNtohl((tcph)->th_ack)
82 
83 #define TCP_GET_RAW_WINDOW(tcph) SCNtohs((tcph)->th_win)
84 #define TCP_GET_RAW_URG_POINTER(tcph) SCNtohs((tcph)->th_urp)
85 #define TCP_GET_RAW_SUM(tcph) SCNtohs((tcph)->th_sum)
86 
87 /** macro for getting the first timestamp from the packet in host order */
88 #define TCP_GET_TSVAL(p) ((p)->tcpvars.ts_val)
89 
90 /** macro for getting the second timestamp from the packet in host order. */
91 #define TCP_GET_TSECR(p) ((p)->tcpvars.ts_ecr)
92 
93 #define TCP_HAS_WSCALE(p) ((p)->tcpvars.ws.type == TCP_OPT_WS)
94 #define TCP_HAS_SACK(p) ((p)->tcpvars.sack.type == TCP_OPT_SACK)
95 #define TCP_HAS_SACKOK(p) ((p)->tcpvars.sackok.type == TCP_OPT_SACKOK)
96 #define TCP_HAS_TS(p) ((p)->tcpvars.ts_set)
97 #define TCP_HAS_MSS(p) ((p)->tcpvars.mss.type == TCP_OPT_MSS)
98 #define TCP_HAS_TFO(p) ((p)->tcpvars.tfo.type == TCP_OPT_TFO)
99 
100 /** macro for getting the wscale from the packet. */
101 #define TCP_GET_WSCALE(p) (TCP_HAS_WSCALE((p)) ? \
102  (((*(uint8_t *)(p)->tcpvars.ws.data) <= TCP_WSCALE_MAX) ? \
103  (*(uint8_t *)((p)->tcpvars.ws.data)) : 0) : 0)
104 
105 #define TCP_GET_SACKOK(p) (TCP_HAS_SACKOK((p)) ? 1 : 0)
106 #define TCP_GET_SACK_PTR(p) TCP_HAS_SACK((p)) ? (p)->tcpvars.sack.data : NULL
107 #define TCP_GET_SACK_CNT(p) (TCP_HAS_SACK((p)) ? (((p)->tcpvars.sack.len - 2) / 8) : 0)
108 #define TCP_GET_MSS(p) SCNtohs(*(uint16_t *)((p)->tcpvars.mss.data))
109 
110 #define TCP_GET_OFFSET(p) TCP_GET_RAW_OFFSET((p)->tcph)
111 #define TCP_GET_X2(p) TCP_GET_RAW_X2((p)->tcph)
112 #define TCP_GET_HLEN(p) (TCP_GET_OFFSET((p)) << 2)
113 #define TCP_GET_SRC_PORT(p) TCP_GET_RAW_SRC_PORT((p)->tcph)
114 #define TCP_GET_DST_PORT(p) TCP_GET_RAW_DST_PORT((p)->tcph)
115 #define TCP_GET_SEQ(p) TCP_GET_RAW_SEQ((p)->tcph)
116 #define TCP_GET_ACK(p) TCP_GET_RAW_ACK((p)->tcph)
117 #define TCP_GET_WINDOW(p) TCP_GET_RAW_WINDOW((p)->tcph)
118 #define TCP_GET_URG_POINTER(p) TCP_GET_RAW_URG_POINTER((p)->tcph)
119 #define TCP_GET_SUM(p) TCP_GET_RAW_SUM((p)->tcph)
120 #define TCP_GET_FLAGS(p) (p)->tcph->th_flags
121 
122 #define TCP_ISSET_FLAG_FIN(p) ((p)->tcph->th_flags & TH_FIN)
123 #define TCP_ISSET_FLAG_SYN(p) ((p)->tcph->th_flags & TH_SYN)
124 #define TCP_ISSET_FLAG_RST(p) ((p)->tcph->th_flags & TH_RST)
125 #define TCP_ISSET_FLAG_PUSH(p) ((p)->tcph->th_flags & TH_PUSH)
126 #define TCP_ISSET_FLAG_ACK(p) ((p)->tcph->th_flags & TH_ACK)
127 #define TCP_ISSET_FLAG_URG(p) ((p)->tcph->th_flags & TH_URG)
128 #define TCP_ISSET_FLAG_RES2(p) ((p)->tcph->th_flags & TH_RES2)
129 #define TCP_ISSET_FLAG_RES1(p) ((p)->tcph->th_flags & TH_RES1)
130 
131 typedef struct TCPOpt_ {
132  uint8_t type;
133  uint8_t len;
134  const uint8_t *data;
135 } TCPOpt;
136 
137 typedef struct TCPOptSackRecord_ {
138  uint32_t le; /**< left edge, network order */
139  uint32_t re; /**< right edge, network order */
141 
142 typedef struct TCPHdr_
143 {
144  uint16_t th_sport; /**< source port */
145  uint16_t th_dport; /**< destination port */
146  uint32_t th_seq; /**< sequence number */
147  uint32_t th_ack; /**< acknowledgement number */
148  uint8_t th_offx2; /**< offset and reserved */
149  uint8_t th_flags; /**< pkt flags */
150  uint16_t th_win; /**< pkt window */
151  uint16_t th_sum; /**< checksum */
152  uint16_t th_urp; /**< urgent pointer */
153 } __attribute__((__packed__)) TCPHdr;
154 
155 typedef struct TCPVars_
156 {
157  /* commonly used and needed opts */
160  bool ts_set;
161  uint32_t ts_val; /* host-order */
162  uint32_t ts_ecr; /* host-order */
167  TCPOpt tfo; /* tcp fast open */
168 } TCPVars;
169 
170 #define CLEAR_TCP_PACKET(p) { \
171  (p)->level4_comp_csum = -1; \
172  PACKET_CLEAR_L4VARS((p)); \
173  (p)->tcph = NULL; \
174 }
175 
176 void DecodeTCPRegisterTests(void);
177 
178 /** -------- Inline functions ------- */
179 static inline uint16_t TCPChecksum(uint16_t *, uint16_t *, uint16_t, uint16_t);
180 static inline uint16_t TCPV6Checksum(uint16_t *, uint16_t *, uint16_t, uint16_t);
181 
182 /**
183  * \brief Calculate or validate the checksum for the TCP packet
184  *
185  * \param shdr Pointer to source address field from the IP packet. Used as a
186  * part of the pseudoheader for computing the checksum
187  * \param pkt Pointer to the start of the TCP packet
188  * \param tlen Total length of the TCP packet(header + payload)
189  * \param init The current checksum if validating, 0 if generating.
190  *
191  * \retval csum For validation 0 will be returned for success, for calculation
192  * this will be the checksum.
193  */
194 static inline uint16_t TCPChecksum(uint16_t *shdr, uint16_t *pkt,
195  uint16_t tlen, uint16_t init)
196 {
197  uint16_t pad = 0;
198  uint32_t csum = init;
199 
200  csum += shdr[0] + shdr[1] + shdr[2] + shdr[3] + htons(6) + htons(tlen);
201 
202  csum += pkt[0] + pkt[1] + pkt[2] + pkt[3] + pkt[4] + pkt[5] + pkt[6] +
203  pkt[7] + pkt[9];
204 
205  tlen -= 20;
206  pkt += 10;
207 
208  while (tlen >= 32) {
209  csum += pkt[0] + pkt[1] + pkt[2] + pkt[3] + pkt[4] + pkt[5] + pkt[6] +
210  pkt[7] +
211  pkt[8] +
212  pkt[9] + pkt[10] + pkt[11] + pkt[12] + pkt[13] +
213  pkt[14] + pkt[15];
214  tlen -= 32;
215  pkt += 16;
216  }
217 
218  while(tlen >= 8) {
219  csum += pkt[0] + pkt[1] + pkt[2] + pkt[3];
220  tlen -= 8;
221  pkt += 4;
222  }
223 
224  while(tlen >= 4) {
225  csum += pkt[0] + pkt[1];
226  tlen -= 4;
227  pkt += 2;
228  }
229 
230  while (tlen > 1) {
231  csum += pkt[0];
232  pkt += 1;
233  tlen -= 2;
234  }
235 
236  if (tlen == 1) {
237  *(uint8_t *)(&pad) = (*(uint8_t *)pkt);
238  csum += pad;
239  }
240 
241  csum = (csum >> 16) + (csum & 0x0000FFFF);
242  csum += (csum >> 16);
243 
244  return (uint16_t)~csum;
245 }
246 
247 /**
248  * \brief Calculate or validate the checksum for the TCP packet
249  *
250  * \param shdr Pointer to source address field from the IPV6 packet. Used as a
251  * part of the psuedoheader for computing the checksum
252  * \param pkt Pointer to the start of the TCP packet
253  * \param tlen Total length of the TCP packet(header + payload)
254  * \param init The current checksum if validating, 0 if generating.
255  *
256  * \retval csum For validation 0 will be returned for success, for calculation
257  * this will be the checksum.
258  */
259 static inline uint16_t TCPV6Checksum(uint16_t *shdr, uint16_t *pkt,
260  uint16_t tlen, uint16_t init)
261 {
262  uint16_t pad = 0;
263  uint32_t csum = init;
264 
265  csum += shdr[0] + shdr[1] + shdr[2] + shdr[3] + shdr[4] + shdr[5] +
266  shdr[6] + shdr[7] + shdr[8] + shdr[9] + shdr[10] + shdr[11] +
267  shdr[12] + shdr[13] + shdr[14] + shdr[15] + htons(6) + htons(tlen);
268 
269  csum += pkt[0] + pkt[1] + pkt[2] + pkt[3] + pkt[4] + pkt[5] + pkt[6] +
270  pkt[7] + pkt[9];
271 
272  tlen -= 20;
273  pkt += 10;
274 
275  while (tlen >= 32) {
276  csum += pkt[0] + pkt[1] + pkt[2] + pkt[3] + pkt[4] + pkt[5] + pkt[6] +
277  pkt[7] + pkt[8] + pkt[9] + pkt[10] + pkt[11] + pkt[12] + pkt[13] +
278  pkt[14] + pkt[15];
279  tlen -= 32;
280  pkt += 16;
281  }
282 
283  while(tlen >= 8) {
284  csum += pkt[0] + pkt[1] + pkt[2] + pkt[3];
285  tlen -= 8;
286  pkt += 4;
287  }
288 
289  while(tlen >= 4) {
290  csum += pkt[0] + pkt[1];
291  tlen -= 4;
292  pkt += 2;
293  }
294 
295  while (tlen > 1) {
296  csum += pkt[0];
297  pkt += 1;
298  tlen -= 2;
299  }
300 
301  if (tlen == 1) {
302  *(uint8_t *)(&pad) = (*(uint8_t *)pkt);
303  csum += pad;
304  }
305 
306  csum = (csum >> 16) + (csum & 0x0000FFFF);
307  csum += (csum >> 16);
308 
309  return (uint16_t)~csum;
310 }
311 
312 
313 #endif /* __DECODE_TCP_H__ */
314 
TCPVars
struct TCPVars_ TCPVars
TCPOpt_
Definition: decode-tcp.h:130
TCPHdr_::th_dport
uint16_t th_dport
Definition: decode-tcp.h:144
TCPVars_::sackok
TCPOpt sackok
Definition: decode-tcp.h:163
TCPVars_::ts_set
bool ts_set
Definition: decode-tcp.h:159
TCPVars_
Definition: decode-tcp.h:155
DecodeTCPRegisterTests
void DecodeTCPRegisterTests(void)
Definition: decode-tcp.c:570
TCPHdr_::th_win
uint16_t th_win
Definition: decode-tcp.h:149
TCPVars_::md5_option_present
bool md5_option_present
Definition: decode-tcp.h:157
TCPOpt_::data
const uint8_t * data
Definition: decode-tcp.h:133
pad
uint16_t pad
Definition: source-erf-file.c:60
TCPHdr_::th_ack
uint32_t th_ack
Definition: decode-tcp.h:146
__attribute__
struct TCPHdr_ __attribute__((__packed__)) TCPHdr
DNP3 link header.
Definition: decode-vlan.c:117
TCPVars_::tfo
TCPOpt tfo
Definition: decode-tcp.h:166
TCPHdr_::th_sport
uint16_t th_sport
Definition: decode-tcp.h:143
TCPHdr_::th_flags
uint8_t th_flags
Definition: decode-tcp.h:148
TCPVars_::ts_ecr
uint32_t ts_ecr
Definition: decode-tcp.h:161
TCPOpt_::type
uint8_t type
Definition: decode-tcp.h:131
TCPHdr_::th_seq
uint32_t th_seq
Definition: decode-tcp.h:145
TCPHdr_::th_offx2
uint8_t th_offx2
Definition: decode-tcp.h:147
TCPHdr_::th_sum
uint16_t th_sum
Definition: decode-tcp.h:150
TCPOpt
struct TCPOpt_ TCPOpt
TCPHdr_::th_urp
uint16_t th_urp
Definition: decode-tcp.h:151
TCPVars_::mss
TCPOpt mss
Definition: decode-tcp.h:165
TCPOpt_::len
uint8_t len
Definition: decode-tcp.h:132
TCPOptSackRecord_
Definition: decode-tcp.h:136
TCPVars_::ts_val
uint32_t ts_val
Definition: decode-tcp.h:160
TCPVars_::ws
TCPOpt ws
Definition: decode-tcp.h:164
TCPOptSackRecord_::le
uint32_t le
Definition: decode-tcp.h:137
TCPVars_::ao_option_present
bool ao_option_present
Definition: decode-tcp.h:158
TCPOptSackRecord_::re
uint32_t re
Definition: decode-tcp.h:138
TCPOptSackRecord
struct TCPOptSackRecord_ TCPOptSackRecord
TCPVars_::sack
TCPOpt sack
Definition: decode-tcp.h:162
TCPHdr_
Definition: decode-tcp.h:142