]> The Tcpdump Group git mirrors - tcpdump/blob - print-esp.c
projects / tcpdump / blob
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Get rid of FDDI cruft left over from copying fddi.h to ipfc.h and
[tcpdump] / print-esp.c
1 /* $NetBSD: print-ah.c,v 1.4 1996/05/20 00:41:16 fvdl Exp $ */
2
3 /*
4 * Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994
5 * The Regents of the University of California. All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that: (1) source code distributions
9 * retain the above copyright notice and this paragraph in its entirety, (2)
10 * distributions including binary code include the above copyright notice and
11 * this paragraph in its entirety in the documentation or other materials
12 * provided with the distribution, and (3) all advertising materials mentioning
13 * features or use of this software display the following acknowledgement:
14 * ``This product includes software developed by the University of California,
15 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
16 * the University nor the names of its contributors may be used to endorse
17 * or promote products derived from this software without specific prior
18 * written permission.
19 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
20 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
21 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
22 */
23
24 #ifndef lint
25 static const char rcsid[] =
26 "@(#) $Header: /tcpdump/master/tcpdump/print-esp.c,v 1.30 2002-11-13 09:35:13 guy Exp $ (LBL)";
27 #endif
28
29 #ifdef HAVE_CONFIG_H
30 #include "config.h"
31 #endif
32
33 #include <string.h>
34
35 #include <tcpdump-stdinc.h>
36
37 #include <stdlib.h>
38
39 #ifdef HAVE_LIBCRYPTO
40 #include <openssl/des.h>
41 #include <openssl/blowfish.h>
42 #ifdef HAVE_OPENSSL_RC5_H
43 #include <openssl/rc5.h>
44 #endif
45 #ifdef HAVE_OPENSSL_CAST_H
46 #include <openssl/cast.h>
47 #endif
48 #endif
49
50 #include <stdio.h>
51
52 #include "ip.h"
53 #include "esp.h"
54 #ifdef INET6
55 #include "ip6.h"
56 #endif
57
58 #define AVOID_CHURN 1
59 #include "interface.h"
60 #include "addrtoname.h"
61
62 static struct esp_algorithm *espsecret_xform=NULL; /* cache of decoded alg. */
63 static char *espsecret_key=NULL;
64
65
66 enum cipher { NONE,
67 DESCBC,
68 BLOWFISH,
69 RC5,
70 CAST128,
71 DES3CBC};
72
73
74
75 struct esp_algorithm {
76 const char *name;
77 enum cipher algo;
78 int ivlen;
79 int authlen;
80 int replaysize;
81 };
82
83 struct esp_algorithm esp_xforms[]={
84 {"none", NONE, 0, 0, 0},
85 {"des-cbc", DESCBC, 8, 0, 0},
86 {"des-cbc-hmac96", DESCBC, 8, 12, 4},
87 {"blowfish-cbc", BLOWFISH,8, 0, 0},
88 {"blowfish-cbc-hmac96", BLOWFISH,8, 12, 4},
89 {"rc5-cbc", RC5, 8, 0, 0},
90 {"rc5-cbc-hmac96", RC5, 8, 12, 4},
91 {"cast128-cbc", CAST128, 8, 0, 0},
92 {"cast128-cbc-hmac96", CAST128, 8, 12, 4},
93 {"3des-cbc-hmac96", DES3CBC, 8, 12, 4},
94 {NULL, NONE, 0, 0, 0}
95 };
96
97 static int hexdigit(char hex)
98 {
99 if(hex >= '0' && hex <= '9') {
100 return (hex - '0');
101 } else if(hex >= 'A' && hex <= 'F') {
102 return (hex - 'A' + 10);
103 } else if(hex >= 'a' && hex <= 'f') {
104 return (hex - 'a' + 10);
105 } else {
106 printf("invalid hex digit %c in espsecret\n", hex);
107 return 0;
108 }
109 }
110
111 static int hex2byte(char *hexstring)
112 {
113 int byte;
114
115 byte = (hexdigit(hexstring[0]) << 4) +
116 hexdigit(hexstring[1]);
117 return byte;
118 }
119
120
121 static void esp_print_decodesecret(void)
122 {
123 char *colon;
124 int len, i;
125 struct esp_algorithm *xf;
126 struct esp_algorithm *null_xf =
127 &esp_xforms[sizeof(esp_xforms)/sizeof(esp_xforms[0]) - 1];
128
129 if(espsecret == NULL) {
130 /* set to NULL transform */
131 espsecret_xform = null_xf;
132 return;
133 }
134
135 if(espsecret_key != NULL) {
136 return;
137 }
138
139 colon = strchr(espsecret, ':');
140 if(colon == NULL) {
141 printf("failed to decode espsecret: %s\n",
142 espsecret);
143 /* set to NULL transform */
144 espsecret_xform = null_xf;
145 return;
146 }
147
148 len = colon - espsecret;
149 xf = esp_xforms;
150 while(xf->name && strncasecmp(espsecret, xf->name, len)!=0) {
151 xf++;
152 }
153 if(xf->name == NULL) {
154 printf("failed to find cipher algo %s\n",
155 espsecret);
156 /* set to NULL transform */
157 espsecret_xform = null_xf;
158 return;
159 }
160 espsecret_xform = xf;
161
162 colon++;
163 if(colon[0]=='0' && colon[1]=='x') {
164 /* decode some hex! */
165 colon+=2;
166 len = strlen(colon) / 2;
167 espsecret_key = (char *)malloc(len);
168 if(espsecret_key == NULL) {
169 fprintf(stderr, "%s: ran out of memory (%d) to allocate secret key\n",
170 program_name, len);
171 exit(2);
172 }
173 i = 0;
174 while(colon[0] != '\0' && colon[1]!='\0') {
175 espsecret_key[i]=hex2byte(colon);
176 colon+=2;
177 i++;
178 }
179 } else {
180 espsecret_key = colon;
181 }
182 }
183
184 int
185 esp_print(register const u_char *bp, register const u_char *bp2,
186 int *nhdr, int *padlen)
187 {
188 register const struct newesp *esp;
189 register const u_char *ep;
190 struct ip *ip = NULL;
191 #ifdef INET6
192 struct ip6_hdr *ip6 = NULL;
193 #endif
194 int advance;
195 int len;
196 char *secret;
197 int ivlen = 0;
198 u_char *ivoff;
199 #ifdef HAVE_LIBCRYPTO
200 u_char *p;
201 #endif
202
203 esp = (struct newesp *)bp;
204 secret = NULL;
205
206 #if 0
207 /* keep secret out of a register */
208 p = (u_char *)&secret;
209 #endif
210
211 /* 'ep' points to the end of available data. */
212 ep = snapend;
213
214 if ((u_char *)(esp + 1) >= ep) {
215 fputs("[|ESP]", stdout);
216 goto fail;
217 }
218 printf("ESP(spi=0x%08x", (u_int32_t)ntohl(esp->esp_spi));
219 printf(",seq=0x%x", (u_int32_t)ntohl(esp->esp_seq));
220 printf(")");
221
222 /* if we don't have decryption key, we can't decrypt this packet. */
223 if (!espsecret)
224 goto fail;
225
226 if(!espsecret_xform) {
227 esp_print_decodesecret();
228 }
229 if(espsecret_xform->name == NULL) {
230 goto fail;
231 }
232
233 ip = (struct ip *)bp2;
234 switch (IP_V(ip)) {
235 #ifdef INET6
236 case 6:
237 ip6 = (struct ip6_hdr *)bp2;
238 ip = NULL;
239 /* we do not attempt to decrypt jumbograms */
240 if (!ntohs(ip6->ip6_plen))
241 goto fail;
242 /* if we can't get nexthdr, we do not need to decrypt it */
243 len = sizeof(struct ip6_hdr) + ntohs(ip6->ip6_plen);
244 break;
245 #endif /*INET6*/
246 case 4:
247 /* nexthdr & padding are in the last fragment */
248 if (ntohs(ip->ip_off) & IP_MF)
249 goto fail;
250 #ifdef INET6
251 ip6 = NULL;
252 #endif
253 len = ntohs(ip->ip_len);
254 break;
255 default:
256 goto fail;
257 }
258
259 /* if we can't get nexthdr, we do not need to decrypt it */
260 if (ep - bp2 < len)
261 goto fail;
262 if (ep - bp2 > len) {
263 /* FCS included at end of frame (NetBSD 1.6 or later) */
264 ep = bp2 + len;
265 }
266
267 ivoff = (u_char *)(esp + 1) + espsecret_xform->replaysize;
268 ivlen = espsecret_xform->ivlen;
269 secret = espsecret_key;
270
271 switch (espsecret_xform->algo) {
272 case DESCBC:
273 #ifdef HAVE_LIBCRYPTO
274 {
275 u_char iv[8];
276 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
277 DES_key_schedule schedule;
278 #else
279 des_key_schedule schedule;
280 #endif
281
282 switch (ivlen) {
283 case 4:
284 memcpy(iv, ivoff, 4);
285 memcpy(&iv[4], ivoff, 4);
286 p = &iv[4];
287 *p++ ^= 0xff;
288 *p++ ^= 0xff;
289 *p++ ^= 0xff;
290 *p++ ^= 0xff;
291 break;
292 case 8:
293 memcpy(iv, ivoff, 8);
294 break;
295 default:
296 goto fail;
297 }
298 p = ivoff + ivlen;
299
300 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
301 DES_set_key_unchecked((DES_cblock *)secret, schedule);
302
303 DES_cbc_encrypt((const unsigned char *)p, p,
304 (long)(ep - p), schedule, (DES_cblock *)iv,
305 DES_DECRYPT);
306 #else
307 des_check_key = 0;
308 des_set_key((void *)secret, schedule);
309
310 des_cbc_encrypt((void *)p, (void *)p,
311 (long)(ep - p), schedule, (void *)iv,
312 DES_DECRYPT);
313 #endif
314 advance = ivoff - (u_char *)esp + ivlen;
315 break;
316 }
317 #else
318 goto fail;
319 #endif /*HAVE_LIBCRYPTO*/
320
321 case BLOWFISH:
322 #ifdef HAVE_LIBCRYPTO
323 {
324 BF_KEY schedule;
325
326 BF_set_key(&schedule, strlen(secret), secret);
327
328 p = ivoff + ivlen;
329 BF_cbc_encrypt(p, p, (long)(ep - p), &schedule, ivoff,
330 BF_DECRYPT);
331 advance = ivoff - (u_char *)esp + ivlen;
332 break;
333 }
334 #else
335 goto fail;
336 #endif /*HAVE_LIBCRYPTO*/
337
338 case RC5:
339 #if defined(HAVE_LIBCRYPTO) && defined(HAVE_RC5_H)
340 {
341 RC5_32_KEY schedule;
342
343 RC5_32_set_key(&schedule, strlen(secret), secret,
344 RC5_16_ROUNDS);
345
346 p = ivoff + ivlen;
347 RC5_32_cbc_encrypt(p, p, (long)(ep - p), &schedule, ivoff,
348 RC5_DECRYPT);
349 advance = ivoff - (u_char *)esp + ivlen;
350 break;
351 }
352 #else
353 goto fail;
354 #endif /*HAVE_LIBCRYPTO*/
355
356 case CAST128:
357 #if defined(HAVE_LIBCRYPTO) && defined(HAVE_CAST_H) && !defined(HAVE_BUGGY_CAST128)
358 {
359 CAST_KEY schedule;
360
361 CAST_set_key(&schedule, strlen(secret), secret);
362
363 p = ivoff + ivlen;
364 CAST_cbc_encrypt(p, p, (long)(ep - p), &schedule, ivoff,
365 CAST_DECRYPT);
366 advance = ivoff - (u_char *)esp + ivlen;
367 break;
368 }
369 #else
370 goto fail;
371 #endif /*HAVE_LIBCRYPTO*/
372
373 case DES3CBC:
374 #if defined(HAVE_LIBCRYPTO)
375 {
376 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
377 DES_key_schedule s1, s2, s3;
378
379 DES_set_odd_parity((DES_cblock *)secret);
380 DES_set_odd_parity((DES_cblock *)(secret + 8));
381 DES_set_odd_parity((DES_cblock *)(secret + 16));
382 if(DES_set_key_checked((DES_cblock *)secret, s1) != 0) {
383 printf("failed to schedule key 1\n");
384 }
385 if(DES_set_key_checked((DES_cblock *)(secret + 8), s2)!=0) {
386 printf("failed to schedule key 2\n");
387 }
388 if(DES_set_key_checked((DES_cblock *)(secret + 16), s3)!=0) {
389 printf("failed to schedule key 3\n");
390 }
391
392 p = ivoff + ivlen;
393 DES_ede3_cbc_encrypt((const unsigned char *)p, p,
394 (long)(ep - p),
395 &s1, &s2, &s3,
396 (DES_cblock *)ivoff, DES_DECRYPT);
397 #else
398 des_key_schedule s1, s2, s3;
399
400 des_check_key = 1;
401 des_set_odd_parity((void *)secret);
402 des_set_odd_parity((void *)(secret + 8));
403 des_set_odd_parity((void *)(secret + 16));
404 if(des_set_key((void *)secret, s1) != 0) {
405 printf("failed to schedule key 1\n");
406 }
407 if(des_set_key((void *)(secret + 8), s2)!=0) {
408 printf("failed to schedule key 2\n");
409 }
410 if(des_set_key((void *)(secret + 16), s3)!=0) {
411 printf("failed to schedule key 3\n");
412 }
413
414 p = ivoff + ivlen;
415 des_ede3_cbc_encrypt((void *)p, (void *)p,
416 (long)(ep - p),
417 s1, s2, s3,
418 (void *)ivoff, DES_DECRYPT);
419 #endif
420 advance = ivoff - (u_char *)esp + ivlen;
421 break;
422 }
423 #else
424 goto fail;
425 #endif /*HAVE_LIBCRYPTO*/
426
427 case NONE:
428 default:
429 advance = sizeof(struct newesp) + espsecret_xform->replaysize;
430 break;
431 }
432
433 ep = ep - espsecret_xform->authlen;
434 /* sanity check for pad length */
435 if (ep - bp < *(ep - 2))
436 goto fail;
437
438 if (padlen)
439 *padlen = *(ep - 2) + 2;
440
441 if (nhdr)
442 *nhdr = *(ep - 1);
443
444 printf(": ");
445 return advance;
446
447 fail:
448 if (nhdr)
449 *nhdr = -1;
450 return 65536;
451 }
[mirror] the TCPdump network dissector