]> The Tcpdump Group git mirrors - tcpdump/blob - print-esp.c
projects / tcpdump / blob


08234974148bce0fc6de9a08de39cfc976f79e10
[tcpdump] / print-esp.c
1 /* $NetBSD: print-ah.c,v 1.4 1996/05/20 00:41:16 fvdl Exp $ */
2
3 /*
4 * Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994
5 * The Regents of the University of California. All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that: (1) source code distributions
9 * retain the above copyright notice and this paragraph in its entirety, (2)
10 * distributions including binary code include the above copyright notice and
11 * this paragraph in its entirety in the documentation or other materials
12 * provided with the distribution, and (3) all advertising materials mentioning
13 * features or use of this software display the following acknowledgement:
14 * ``This product includes software developed by the University of California,
15 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
16 * the University nor the names of its contributors may be used to endorse
17 * or promote products derived from this software without specific prior
18 * written permission.
19 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
20 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
21 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
22 */
23
24 #ifndef lint
25 static const char rcsid[] =
26 "@(#) $Header: /tcpdump/master/tcpdump/print-esp.c,v 1.21 2002-01-23 05:23:16 itojun Exp $ (LBL)";
27 #endif
28
29 #ifdef HAVE_CONFIG_H
30 #include "config.h"
31 #endif
32
33 #include <string.h>
34 #include <sys/param.h>
35 #include <sys/time.h>
36 #include <sys/types.h>
37 #include <sys/socket.h>
38 #include <stdlib.h>
39
40 #include <netinet/in.h>
41
42 #ifdef HAVE_LIBCRYPTO
43 #include <openssl/des.h>
44 #include <openssl/blowfish.h>
45 #ifdef HAVE_RC5_H
46 #include <openssl/rc5.h>
47 #endif
48 #ifdef HAVE_CAST_H
49 #include <openssl/cast.h>
50 #endif
51 #endif
52
53 #include <stdio.h>
54
55 #include "ip.h"
56 #include "esp.h"
57 #ifdef INET6
58 #include "ip6.h"
59 #endif
60
61 #define AVOID_CHURN 1
62 #include "interface.h"
63 #include "addrtoname.h"
64
65 static struct esp_algorithm *espsecret_xform=NULL; /* cache of decoded alg. */
66 static char *espsecret_key=NULL;
67
68
69 enum cipher { NONE,
70 DESCBC,
71 BLOWFISH,
72 RC5,
73 CAST128,
74 DES3CBC};
75
76
77
78 struct esp_algorithm {
79 char *name;
80 enum cipher algo;
81 int ivlen;
82 int authlen;
83 int replaysize;
84 };
85
86 struct esp_algorithm esp_xforms[]={
87 {"none", NONE, 0, 0, 0},
88 {"des-cbc", DESCBC, 8, 0, 0},
89 {"des-cbc-hmac96", DESCBC, 8, 12, 4},
90 {"blowfish-cbc", BLOWFISH,8, 0, 0},
91 {"blowfish-cbc-hmac96", BLOWFISH,8, 12, 4},
92 {"rc5-cbc", RC5, 8, 0, 0},
93 {"rc5-cbc-hmac96", RC5, 8, 12, 4},
94 {"cast128-cbc", CAST128, 8, 0, 0},
95 {"cast128-cbc-hmac96", CAST128, 8, 12, 4},
96 {"3des-cbc-hmac96", DES3CBC, 8, 12, 4},
97 };
98
99 static int hexdigit(char hex)
100 {
101 if(hex >= '0' && hex <= '9') {
102 return (hex - '0');
103 } else if(hex >= 'A' && hex <= 'F') {
104 return (hex - 'A' + 10);
105 } else if(hex >= 'a' && hex <= 'f') {
106 return (hex - 'a' + 10);
107 } else {
108 printf("invalid hex digit %c in espsecret\n", hex);
109 return 0;
110 }
111 }
112
113 static int hex2byte(char *hexstring)
114 {
115 int byte;
116
117 byte = (hexdigit(hexstring[0]) << 4) +
118 hexdigit(hexstring[1]);
119 return byte;
120 }
121
122
123 static void esp_print_decodesecret(void)
124 {
125 char *colon;
126 int len, i;
127 struct esp_algorithm *xf;
128
129 if(espsecret == NULL) {
130 /* set to NONE transform */
131 espsecret_xform = esp_xforms;
132 return;
133 }
134
135 if(espsecret_key != NULL) {
136 return;
137 }
138
139 colon = strchr(espsecret, ':');
140 if(colon == NULL) {
141 printf("failed to decode espsecret: %s\n",
142 espsecret);
143 /* set to NONE transform */
144 espsecret_xform = esp_xforms;
145 }
146
147 len = colon - espsecret;
148 xf = esp_xforms;
149 while(xf->name && strncasecmp(espsecret, xf->name, len)!=0) {
150 xf++;
151 }
152 if(xf->name == NULL) {
153 printf("failed to find cipher algo %s\n",
154 espsecret);
155 espsecret_xform = esp_xforms;
156 return;
157 }
158 espsecret_xform = xf;
159
160 colon++;
161 if(colon[0]=='0' && colon[1]=='x') {
162 /* decode some hex! */
163 colon+=2;
164 len = strlen(colon) / 2;
165 espsecret_key = (char *)malloc(len);
166 if(espsecret_key == NULL) {
167 fprintf(stderr, "%s: ran out of memory (%d) to allocate secret key\n",
168 program_name, len);
169 exit(2);
170 }
171 i = 0;
172 while(colon[0] != '\0' && colon[1]!='\0') {
173 espsecret_key[i]=hex2byte(colon);
174 colon+=2;
175 i++;
176 }
177 } else {
178 espsecret_key = colon;
179 }
180 }
181
182 int
183 esp_print(register const u_char *bp, register const u_char *bp2,
184 int *nhdr, int *padlen)
185 {
186 register const struct esp *esp;
187 register const u_char *ep;
188 u_int32_t spi;
189 struct ip *ip = NULL;
190 #ifdef INET6
191 struct ip6_hdr *ip6 = NULL;
192 #endif
193 int advance;
194 int len;
195 char *secret;
196 int ivlen = 0;
197 u_char *ivoff;
198 u_char *p;
199
200 esp = (struct esp *)bp;
201 spi = (u_int32_t)ntohl(esp->esp_spi);
202 secret = NULL;
203
204 #if 0
205 /* keep secret out of a register */
206 p = (u_char *)&secret;
207 #endif
208
209 /* 'ep' points to the end of available data. */
210 ep = snapend;
211
212 if ((u_char *)(esp + 1) >= ep - sizeof(struct esp)) {
213 fputs("[|ESP]", stdout);
214 goto fail;
215 }
216 printf("ESP(spi=0x%08x", spi);
217 printf(",seq=0x%x", (u_int32_t)ntohl(*(u_int32_t *)(esp + 1)));
218 printf(")");
219
220 /* if we don't have decryption key, we can't decrypt this packet. */
221 if (!espsecret)
222 goto fail;
223
224 if(!espsecret_xform) {
225 esp_print_decodesecret();
226 }
227 if(espsecret_xform->algo == NONE) {
228 goto fail;
229 }
230
231 ip = (struct ip *)bp2;
232 switch (IP_V(ip)) {
233 #ifdef INET6
234 case 6:
235 ip6 = (struct ip6_hdr *)bp2;
236 ip = NULL;
237 /* we do not attempt to decrypt jumbograms */
238 if (!ntohs(ip6->ip6_plen))
239 goto fail;
240 /* if we can't get nexthdr, we do not need to decrypt it */
241 len = sizeof(struct ip6_hdr) + ntohs(ip6->ip6_plen);
242 break;
243 #endif /*INET6*/
244 case 4:
245 /* nexthdr & padding are in the last fragment */
246 if (ntohs(ip->ip_off) & IP_MF)
247 goto fail;
248 #ifdef INET6
249 ip6 = NULL;
250 #endif
251 len = ntohs(ip->ip_len);
252 break;
253 default:
254 goto fail;
255 }
256
257 /* if we can't get nexthdr, we do not need to decrypt it */
258 if (ep - bp2 < len)
259 goto fail;
260
261 ivoff = (u_char *)(esp + 1) + espsecret_xform->replaysize;
262 ivlen = espsecret_xform->ivlen;
263 secret = espsecret_key;
264
265 switch (espsecret_xform->algo) {
266 case DESCBC:
267 #ifdef HAVE_LIBCRYPTO
268 {
269 u_char iv[8];
270 des_key_schedule schedule;
271
272 switch (ivlen) {
273 case 4:
274 memcpy(iv, ivoff, 4);
275 memcpy(&iv[4], ivoff, 4);
276 p = &iv[4];
277 *p++ ^= 0xff;
278 *p++ ^= 0xff;
279 *p++ ^= 0xff;
280 *p++ ^= 0xff;
281 break;
282 case 8:
283 memcpy(iv, ivoff, 8);
284 break;
285 default:
286 goto fail;
287 }
288
289 des_check_key = 0;
290 des_set_key((void *)secret, schedule);
291
292 p = ivoff + ivlen;
293 des_cbc_encrypt((void *)p, (void *)p,
294 (long)(ep - p), schedule, (void *)iv,
295 DES_DECRYPT);
296 advance = ivoff - (u_char *)esp + ivlen;
297 break;
298 }
299 #else
300 goto fail;
301 #endif /*HAVE_LIBCRYPTO*/
302
303 case BLOWFISH:
304 #ifdef HAVE_LIBCRYPTO
305 {
306 BF_KEY schedule;
307
308 BF_set_key(&schedule, strlen(secret), secret);
309
310 p = ivoff + ivlen;
311 BF_cbc_encrypt(p, p, (long)(ep - p), &schedule, ivoff,
312 BF_DECRYPT);
313 advance = ivoff - (u_char *)esp + ivlen;
314 break;
315 }
316 #else
317 goto fail;
318 #endif /*HAVE_LIBCRYPTO*/
319
320 case RC5:
321 #if defined(HAVE_LIBCRYPTO) && defined(HAVE_RC5_H)
322 {
323 RC5_32_KEY schedule;
324
325 RC5_32_set_key(&schedule, strlen(secret), secret,
326 RC5_16_ROUNDS);
327
328 p = ivoff + ivlen;
329 RC5_32_cbc_encrypt(p, p, (long)(ep - p), &schedule, ivoff,
330 RC5_DECRYPT);
331 advance = ivoff - (u_char *)esp + ivlen;
332 break;
333 }
334 #else
335 goto fail;
336 #endif /*HAVE_LIBCRYPTO*/
337
338 case CAST128:
339 #if defined(HAVE_LIBCRYPTO) && defined(HAVE_CAST_H) && !defined(HAVE_BUGGY_CAST128)
340 {
341 CAST_KEY schedule;
342
343 CAST_set_key(&schedule, strlen(secret), secret);
344
345 p = ivoff + ivlen;
346 CAST_cbc_encrypt(p, p, (long)(ep - p), &schedule, ivoff,
347 CAST_DECRYPT);
348 advance = ivoff - (u_char *)esp + ivlen;
349 break;
350 }
351 #else
352 goto fail;
353 #endif /*HAVE_LIBCRYPTO*/
354
355 case DES3CBC:
356 #if defined(HAVE_LIBCRYPTO)
357 {
358 des_key_schedule s1, s2, s3;
359
360 des_check_key = 1;
361 des_set_odd_parity((void *)secret);
362 des_set_odd_parity((void *)secret+8);
363 des_set_odd_parity((void *)secret+16);
364 if(des_set_key((void *)secret, s1) != 0) {
365 printf("failed to schedule key 1\n");
366 }
367 if(des_set_key((void *)(secret + 8), s2)!=0) {
368 printf("failed to schedule key 2\n");
369 }
370 if(des_set_key((void *)(secret + 16), s3)!=0) {
371 printf("failed to schedule key 3\n");
372 }
373
374 p = ivoff + ivlen;
375 des_ede3_cbc_encrypt((void *)p, (void *)p,
376 (long)(ep - p),
377 s1, s2, s3,
378 (void *)ivoff, DES_DECRYPT);
379 advance = ivoff - (u_char *)esp + ivlen;
380 break;
381 }
382 #else
383 goto fail;
384 #endif /*HAVE_LIBCRYPTO*/
385
386 case NONE:
387 default:
388 advance = sizeof(struct esp) + espsecret_xform->replaysize;
389 break;
390 }
391
392 ep = ep - espsecret_xform->authlen;
393 /* sanity check for pad length */
394 if (ep - bp < *(ep - 2))
395 goto fail;
396
397 if (padlen)
398 *padlen = *(ep - 2) + 2;
399
400 if (nhdr)
401 *nhdr = *(ep - 1);
402
403 printf(": ");
404 return advance;
405
406 fail:
407 if (nhdr)
408 *nhdr = -1;
409 return 65536;
410 }
[mirror] the TCPdump network dissector