]> The Tcpdump Group git mirrors - tcpdump/blob - print-esp.c
projects / tcpdump / blob
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Pull a bunch of headers into the only source file that includes them.
[tcpdump] / print-esp.c
1 /* $NetBSD: print-ah.c,v 1.4 1996/05/20 00:41:16 fvdl Exp $ */
2
3 /*
4 * Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994
5 * The Regents of the University of California. All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that: (1) source code distributions
9 * retain the above copyright notice and this paragraph in its entirety, (2)
10 * distributions including binary code include the above copyright notice and
11 * this paragraph in its entirety in the documentation or other materials
12 * provided with the distribution, and (3) all advertising materials mentioning
13 * features or use of this software display the following acknowledgement:
14 * ``This product includes software developed by the University of California,
15 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
16 * the University nor the names of its contributors may be used to endorse
17 * or promote products derived from this software without specific prior
18 * written permission.
19 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
20 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
21 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
22 */
23
24 #ifndef lint
25 static const char rcsid[] _U_ =
26 "@(#) $Header: /tcpdump/master/tcpdump/print-esp.c,v 1.58 2007-12-07 00:03:07 mcr Exp $ (LBL)";
27 #endif
28
29 #ifdef HAVE_CONFIG_H
30 #include "config.h"
31 #endif
32
33 #include <string.h>
34
35 #include <tcpdump-stdinc.h>
36
37 #include <stdlib.h>
38
39 /* Any code in this file that depends on HAVE_LIBCRYPTO depends on
40 * HAVE_OPENSSL_EVP_H too. Undefining the former when the latter isn't defined
41 * is the simplest way of handling the dependency.
42 */
43 #ifdef HAVE_LIBCRYPTO
44 #ifdef HAVE_OPENSSL_EVP_H
45 #include <openssl/evp.h>
46 #else
47 #undef HAVE_LIBCRYPTO
48 #endif
49 #endif
50
51 #include <stdio.h>
52
53 #include "ip.h"
54 #ifdef INET6
55 #include "ip6.h"
56 #endif
57
58 #include "netdissect.h"
59 #include "addrtoname.h"
60 #include "extract.h"
61
62 #ifndef HAVE_SOCKADDR_STORAGE
63 #ifdef INET6
64 struct sockaddr_storage {
65 union {
66 struct sockaddr_in sin;
67 struct sockaddr_in6 sin6;
68 } un;
69 };
70 #else
71 #define sockaddr_storage sockaddr
72 #endif
73 #endif /* HAVE_SOCKADDR_STORAGE */
74
75 #ifdef HAVE_LIBCRYPTO
76 struct sa_list {
77 struct sa_list *next;
78 struct sockaddr_storage daddr;
79 u_int32_t spi; /* if == 0, then IKEv2 */
80 int initiator;
81 u_char spii[8]; /* for IKEv2 */
82 u_char spir[8];
83 const EVP_CIPHER *evp;
84 int ivlen;
85 int authlen;
86 u_char authsecret[256];
87 int authsecret_len;
88 u_char secret[256]; /* is that big enough for all secrets? */
89 int secretlen;
90 };
91
92 /*
93 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
94 * All rights reserved.
95 *
96 * Redistribution and use in source and binary forms, with or without
97 * modification, are permitted provided that the following conditions
98 * are met:
99 * 1. Redistributions of source code must retain the above copyright
100 * notice, this list of conditions and the following disclaimer.
101 * 2. Redistributions in binary form must reproduce the above copyright
102 * notice, this list of conditions and the following disclaimer in the
103 * documentation and/or other materials provided with the distribution.
104 * 3. Neither the name of the project nor the names of its contributors
105 * may be used to endorse or promote products derived from this software
106 * without specific prior written permission.
107 *
108 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
109 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
110 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
111 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
112 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
113 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
114 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
115 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
116 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
117 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
118 * SUCH DAMAGE.
119 */
120
121 /*
122 * RFC1827/2406 Encapsulated Security Payload.
123 */
124
125 struct newesp {
126 u_int32_t esp_spi; /* ESP */
127 u_int32_t esp_seq; /* Sequence number */
128 /*variable size*/ /* (IV and) Payload data */
129 /*variable size*/ /* padding */
130 /*8bit*/ /* pad size */
131 /*8bit*/ /* next header */
132 /*8bit*/ /* next header */
133 /*variable size, 32bit bound*/ /* Authentication data */
134 };
135
136 /*
137 * this will adjust ndo_packetp and ndo_snapend to new buffer!
138 */
139 USES_APPLE_DEPRECATED_API
140 int esp_print_decrypt_buffer_by_ikev2(netdissect_options *ndo,
141 int initiator,
142 u_char spii[8], u_char spir[8],
143 u_char *buf, u_char *end)
144 {
145 struct sa_list *sa;
146 u_char *iv;
147 int len;
148 EVP_CIPHER_CTX ctx;
149
150 /* initiator arg is any non-zero value */
151 if(initiator) initiator=1;
152
153 /* see if we can find the SA, and if so, decode it */
154 for (sa = ndo->ndo_sa_list_head; sa != NULL; sa = sa->next) {
155 if (sa->spi == 0
156 && initiator == sa->initiator
157 && memcmp(spii, sa->spii, 8) == 0
158 && memcmp(spir, sa->spir, 8) == 0)
159 break;
160 }
161
162 if(sa == NULL) return 0;
163 if(sa->evp == NULL) return 0;
164
165 /*
166 * remove authenticator, and see if we still have something to
167 * work with
168 */
169 end = end - sa->authlen;
170 iv = buf;
171 buf = buf + sa->ivlen;
172 len = end-buf;
173
174 if(end <= buf) return 0;
175
176 memset(&ctx, 0, sizeof(ctx));
177 if (EVP_CipherInit(&ctx, sa->evp, sa->secret, NULL, 0) < 0)
178 (*ndo->ndo_warning)(ndo, "espkey init failed");
179 EVP_CipherInit(&ctx, NULL, NULL, iv, 0);
180 EVP_Cipher(&ctx, buf, buf, len);
181 EVP_CIPHER_CTX_cleanup(&ctx);
182
183 ndo->ndo_packetp = buf;
184 ndo->ndo_snapend = end;
185
186 return 1;
187
188 }
189 USES_APPLE_RST
190
191 static void esp_print_addsa(netdissect_options *ndo,
192 struct sa_list *sa, int sa_def)
193 {
194 /* copy the "sa" */
195
196 struct sa_list *nsa;
197
198 nsa = (struct sa_list *)malloc(sizeof(struct sa_list));
199 if (nsa == NULL)
200 (*ndo->ndo_error)(ndo, "ran out of memory to allocate sa structure");
201
202 *nsa = *sa;
203
204 if (sa_def)
205 ndo->ndo_sa_default = nsa;
206
207 nsa->next = ndo->ndo_sa_list_head;
208 ndo->ndo_sa_list_head = nsa;
209 }
210
211
212 static u_int hexdigit(netdissect_options *ndo, char hex)
213 {
214 if (hex >= '0' && hex <= '9')
215 return (hex - '0');
216 else if (hex >= 'A' && hex <= 'F')
217 return (hex - 'A' + 10);
218 else if (hex >= 'a' && hex <= 'f')
219 return (hex - 'a' + 10);
220 else {
221 (*ndo->ndo_error)(ndo, "invalid hex digit %c in espsecret\n", hex);
222 return 0;
223 }
224 }
225
226 static u_int hex2byte(netdissect_options *ndo, char *hexstring)
227 {
228 u_int byte;
229
230 byte = (hexdigit(ndo, hexstring[0]) << 4) + hexdigit(ndo, hexstring[1]);
231 return byte;
232 }
233
234 /*
235 * returns size of binary, 0 on failure.
236 */
237 static
238 int espprint_decode_hex(netdissect_options *ndo,
239 u_char *binbuf, unsigned int binbuf_len,
240 char *hex)
241 {
242 unsigned int len;
243 int i;
244
245 len = strlen(hex) / 2;
246
247 if (len > binbuf_len) {
248 (*ndo->ndo_warning)(ndo, "secret is too big: %d\n", len);
249 return 0;
250 }
251
252 i = 0;
253 while (hex[0] != '\0' && hex[1]!='\0') {
254 binbuf[i] = hex2byte(ndo, hex);
255 hex += 2;
256 i++;
257 }
258
259 return i;
260 }
261
262 /*
263 * decode the form: SPINUM@IP <tab> ALGONAME:0xsecret
264 */
265
266 USES_APPLE_DEPRECATED_API
267 static int
268 espprint_decode_encalgo(netdissect_options *ndo,
269 char *decode, struct sa_list *sa)
270 {
271 size_t i;
272 const EVP_CIPHER *evp;
273 int authlen = 0;
274 char *colon, *p;
275
276 colon = strchr(decode, ':');
277 if (colon == NULL) {
278 (*ndo->ndo_warning)(ndo, "failed to decode espsecret: %s\n", decode);
279 return 0;
280 }
281 *colon = '\0';
282
283 if (strlen(decode) > strlen("-hmac96") &&
284 !strcmp(decode + strlen(decode) - strlen("-hmac96"),
285 "-hmac96")) {
286 p = strstr(decode, "-hmac96");
287 *p = '\0';
288 authlen = 12;
289 }
290 if (strlen(decode) > strlen("-cbc") &&
291 !strcmp(decode + strlen(decode) - strlen("-cbc"), "-cbc")) {
292 p = strstr(decode, "-cbc");
293 *p = '\0';
294 }
295 evp = EVP_get_cipherbyname(decode);
296
297 if (!evp) {
298 (*ndo->ndo_warning)(ndo, "failed to find cipher algo %s\n", decode);
299 sa->evp = NULL;
300 sa->authlen = 0;
301 sa->ivlen = 0;
302 return 0;
303 }
304
305 sa->evp = evp;
306 sa->authlen = authlen;
307 sa->ivlen = EVP_CIPHER_iv_length(evp);
308
309 colon++;
310 if (colon[0] == '0' && colon[1] == 'x') {
311 /* decode some hex! */
312
313 colon += 2;
314 sa->secretlen = espprint_decode_hex(ndo, sa->secret, sizeof(sa->secret), colon);
315 if(sa->secretlen == 0) return 0;
316 } else {
317 i = strlen(colon);
318
319 if (i < sizeof(sa->secret)) {
320 memcpy(sa->secret, colon, i);
321 sa->secretlen = i;
322 } else {
323 memcpy(sa->secret, colon, sizeof(sa->secret));
324 sa->secretlen = sizeof(sa->secret);
325 }
326 }
327
328 return 1;
329 }
330 USES_APPLE_RST
331
332 /*
333 * for the moment, ignore the auth algorith, just hard code the authenticator
334 * length. Need to research how openssl looks up HMAC stuff.
335 */
336 static int
337 espprint_decode_authalgo(netdissect_options *ndo,
338 char *decode, struct sa_list *sa)
339 {
340 char *colon;
341
342 colon = strchr(decode, ':');
343 if (colon == NULL) {
344 (*ndo->ndo_warning)(ndo, "failed to decode espsecret: %s\n", decode);
345 return 0;
346 }
347 *colon = '\0';
348
349 if(strcasecmp(colon,"sha1") == 0 ||
350 strcasecmp(colon,"md5") == 0) {
351 sa->authlen = 12;
352 }
353 return 1;
354 }
355
356 static void esp_print_decode_ikeline(netdissect_options *ndo, char *line,
357 const char *file, int lineno)
358 {
359 /* it's an IKEv2 secret, store it instead */
360 struct sa_list sa1;
361
362 char *init;
363 char *icookie, *rcookie;
364 int ilen, rlen;
365 char *authkey;
366 char *enckey;
367
368 init = strsep(&line, " \t");
369 icookie = strsep(&line, " \t");
370 rcookie = strsep(&line, " \t");
371 authkey = strsep(&line, " \t");
372 enckey = strsep(&line, " \t");
373
374 /* if any fields are missing */
375 if(!init || !icookie || !rcookie || !authkey || !enckey) {
376 (*ndo->ndo_warning)(ndo, "print_esp: failed to find all fields for ikev2 at %s:%u",
377 file, lineno);
378
379 return;
380 }
381
382 ilen = strlen(icookie);
383 rlen = strlen(rcookie);
384
385 if((init[0]!='I' && init[0]!='R')
386 || icookie[0]!='0' || icookie[1]!='x'
387 || rcookie[0]!='0' || rcookie[1]!='x'
388 || ilen!=18
389 || rlen!=18) {
390 (*ndo->ndo_warning)(ndo, "print_esp: line %s:%u improperly formatted.",
391 file, lineno);
392
393 (*ndo->ndo_warning)(ndo, "init=%s icookie=%s(%u) rcookie=%s(%u)",
394 init, icookie, ilen, rcookie, rlen);
395
396 return;
397 }
398
399 sa1.spi = 0;
400 sa1.initiator = (init[0] == 'I');
401 if(espprint_decode_hex(ndo, sa1.spii, sizeof(sa1.spii), icookie+2)!=8)
402 return;
403
404 if(espprint_decode_hex(ndo, sa1.spir, sizeof(sa1.spir), rcookie+2)!=8)
405 return;
406
407 if(!espprint_decode_encalgo(ndo, enckey, &sa1)) return;
408
409 if(!espprint_decode_authalgo(ndo, authkey, &sa1)) return;
410
411 esp_print_addsa(ndo, &sa1, FALSE);
412 }
413
414 /*
415 *
416 * special form: file /name
417 * causes us to go read from this file instead.
418 *
419 */
420 static void esp_print_decode_onesecret(netdissect_options *ndo, char *line,
421 const char *file, int lineno)
422 {
423 struct sa_list sa1;
424 int sa_def;
425
426 char *spikey;
427 char *decode;
428
429 spikey = strsep(&line, " \t");
430 sa_def = 0;
431 memset(&sa1, 0, sizeof(struct sa_list));
432
433 /* if there is only one token, then it is an algo:key token */
434 if (line == NULL) {
435 decode = spikey;
436 spikey = NULL;
437 /* memset(&sa1.daddr, 0, sizeof(sa1.daddr)); */
438 /* sa1.spi = 0; */
439 sa_def = 1;
440 } else
441 decode = line;
442
443 if (spikey && strcasecmp(spikey, "file") == 0) {
444 /* open file and read it */
445 FILE *secretfile;
446 char fileline[1024];
447 int lineno=0;
448 char *nl;
449 char *filename = line;
450
451 secretfile = fopen(filename, FOPEN_READ_TXT);
452 if (secretfile == NULL) {
453 perror(filename);
454 exit(3);
455 }
456
457 while (fgets(fileline, sizeof(fileline)-1, secretfile) != NULL) {
458 lineno++;
459 /* remove newline from the line */
460 nl = strchr(fileline, '\n');
461 if (nl)
462 *nl = '\0';
463 if (fileline[0] == '#') continue;
464 if (fileline[0] == '\0') continue;
465
466 esp_print_decode_onesecret(ndo, fileline, filename, lineno);
467 }
468 fclose(secretfile);
469
470 return;
471 }
472
473 if (spikey && strcasecmp(spikey, "ikev2") == 0) {
474 esp_print_decode_ikeline(ndo, line, file, lineno);
475 return;
476 }
477
478 if (spikey) {
479
480 char *spistr, *foo;
481 u_int32_t spino;
482 struct sockaddr_in *sin;
483 #ifdef INET6
484 struct sockaddr_in6 *sin6;
485 #endif
486
487 spistr = strsep(&spikey, "@");
488
489 spino = strtoul(spistr, &foo, 0);
490 if (spistr == foo || !spikey) {
491 (*ndo->ndo_warning)(ndo, "print_esp: failed to decode spi# %s\n", foo);
492 return;
493 }
494
495 sa1.spi = spino;
496
497 sin = (struct sockaddr_in *)&sa1.daddr;
498 #ifdef INET6
499 sin6 = (struct sockaddr_in6 *)&sa1.daddr;
500 if (inet_pton(AF_INET6, spikey, &sin6->sin6_addr) == 1) {
501 #ifdef HAVE_SOCKADDR_SA_LEN
502 sin6->sin6_len = sizeof(struct sockaddr_in6);
503 #endif
504 sin6->sin6_family = AF_INET6;
505 } else
506 #endif
507 if (inet_pton(AF_INET, spikey, &sin->sin_addr) == 1) {
508 #ifdef HAVE_SOCKADDR_SA_LEN
509 sin->sin_len = sizeof(struct sockaddr_in);
510 #endif
511 sin->sin_family = AF_INET;
512 } else {
513 (*ndo->ndo_warning)(ndo, "print_esp: can not decode IP# %s\n", spikey);
514 return;
515 }
516 }
517
518 if (decode) {
519 /* skip any blank spaces */
520 while (isspace((unsigned char)*decode))
521 decode++;
522
523 if(!espprint_decode_encalgo(ndo, decode, &sa1)) {
524 return;
525 }
526 }
527
528 esp_print_addsa(ndo, &sa1, sa_def);
529 }
530
531 USES_APPLE_DEPRECATED_API
532 static void esp_init(netdissect_options *ndo _U_)
533 {
534
535 OpenSSL_add_all_algorithms();
536 EVP_add_cipher_alias(SN_des_ede3_cbc, "3des");
537 }
538 USES_APPLE_RST
539
540 void esp_print_decodesecret(netdissect_options *ndo)
541 {
542 char *line;
543 char *p;
544 static int initialized = 0;
545
546 if (!initialized) {
547 esp_init(ndo);
548 initialized = 1;
549 }
550
551 p = ndo->ndo_espsecret;
552
553 while (p && p[0] != '\0') {
554 /* pick out the first line or first thing until a comma */
555 if ((line = strsep(&p, "\n,")) == NULL) {
556 line = p;
557 p = NULL;
558 }
559
560 esp_print_decode_onesecret(ndo, line, "cmdline", 0);
561 }
562
563 ndo->ndo_espsecret = NULL;
564 }
565
566 #endif
567
568 #ifdef HAVE_LIBCRYPTO
569 USES_APPLE_DEPRECATED_API
570 #endif
571 int
572 esp_print(netdissect_options *ndo,
573 const u_char *bp, const int length, const u_char *bp2
574 #ifndef HAVE_LIBCRYPTO
575 _U_
576 #endif
577 ,
578 int *nhdr
579 #ifndef HAVE_LIBCRYPTO
580 _U_
581 #endif
582 ,
583 int *padlen
584 #ifndef HAVE_LIBCRYPTO
585 _U_
586 #endif
587 )
588 {
589 register const struct newesp *esp;
590 register const u_char *ep;
591 #ifdef HAVE_LIBCRYPTO
592 struct ip *ip;
593 struct sa_list *sa = NULL;
594 #ifdef INET6
595 struct ip6_hdr *ip6 = NULL;
596 #endif
597 int advance;
598 int len;
599 u_char *secret;
600 int ivlen = 0;
601 u_char *ivoff;
602 u_char *p;
603 EVP_CIPHER_CTX ctx;
604 #endif
605
606 esp = (struct newesp *)bp;
607
608 #ifdef HAVE_LIBCRYPTO
609 secret = NULL;
610 advance = 0;
611 #endif
612
613 #if 0
614 /* keep secret out of a register */
615 p = (u_char *)&secret;
616 #endif
617
618 /* 'ep' points to the end of available data. */
619 ep = ndo->ndo_snapend;
620
621 if ((u_char *)(esp + 1) >= ep) {
622 fputs("[|ESP]", stdout);
623 goto fail;
624 }
625 (*ndo->ndo_printf)(ndo, "ESP(spi=0x%08x", EXTRACT_32BITS(&esp->esp_spi));
626 (*ndo->ndo_printf)(ndo, ",seq=0x%x)", EXTRACT_32BITS(&esp->esp_seq));
627 (*ndo->ndo_printf)(ndo, ", length %u", length);
628
629 #ifndef HAVE_LIBCRYPTO
630 goto fail;
631 #else
632 /* initiailize SAs */
633 if (ndo->ndo_sa_list_head == NULL) {
634 if (!ndo->ndo_espsecret)
635 goto fail;
636
637 esp_print_decodesecret(ndo);
638 }
639
640 if (ndo->ndo_sa_list_head == NULL)
641 goto fail;
642
643 ip = (struct ip *)bp2;
644 switch (IP_V(ip)) {
645 #ifdef INET6
646 case 6:
647 ip6 = (struct ip6_hdr *)bp2;
648 /* we do not attempt to decrypt jumbograms */
649 if (!EXTRACT_16BITS(&ip6->ip6_plen))
650 goto fail;
651 /* if we can't get nexthdr, we do not need to decrypt it */
652 len = sizeof(struct ip6_hdr) + EXTRACT_16BITS(&ip6->ip6_plen);
653
654 /* see if we can find the SA, and if so, decode it */
655 for (sa = ndo->ndo_sa_list_head; sa != NULL; sa = sa->next) {
656 struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)&sa->daddr;
657 if (sa->spi == EXTRACT_32BITS(&esp->esp_spi) &&
658 sin6->sin6_family == AF_INET6 &&
659 memcmp(&sin6->sin6_addr, &ip6->ip6_dst,
660 sizeof(struct in6_addr)) == 0) {
661 break;
662 }
663 }
664 break;
665 #endif /*INET6*/
666 case 4:
667 /* nexthdr & padding are in the last fragment */
668 if (EXTRACT_16BITS(&ip->ip_off) & IP_MF)
669 goto fail;
670 len = EXTRACT_16BITS(&ip->ip_len);
671
672 /* see if we can find the SA, and if so, decode it */
673 for (sa = ndo->ndo_sa_list_head; sa != NULL; sa = sa->next) {
674 struct sockaddr_in *sin = (struct sockaddr_in *)&sa->daddr;
675 if (sa->spi == EXTRACT_32BITS(&esp->esp_spi) &&
676 sin->sin_family == AF_INET &&
677 sin->sin_addr.s_addr == ip->ip_dst.s_addr) {
678 break;
679 }
680 }
681 break;
682 default:
683 goto fail;
684 }
685
686 /* if we didn't find the specific one, then look for
687 * an unspecified one.
688 */
689 if (sa == NULL)
690 sa = ndo->ndo_sa_default;
691
692 /* if not found fail */
693 if (sa == NULL)
694 goto fail;
695
696 /* if we can't get nexthdr, we do not need to decrypt it */
697 if (ep - bp2 < len)
698 goto fail;
699 if (ep - bp2 > len) {
700 /* FCS included at end of frame (NetBSD 1.6 or later) */
701 ep = bp2 + len;
702 }
703
704 ivoff = (u_char *)(esp + 1) + 0;
705 ivlen = sa->ivlen;
706 secret = sa->secret;
707 ep = ep - sa->authlen;
708
709 if (sa->evp) {
710 memset(&ctx, 0, sizeof(ctx));
711 if (EVP_CipherInit(&ctx, sa->evp, secret, NULL, 0) < 0)
712 (*ndo->ndo_warning)(ndo, "espkey init failed");
713
714 p = ivoff;
715 EVP_CipherInit(&ctx, NULL, NULL, p, 0);
716 EVP_Cipher(&ctx, p + ivlen, p + ivlen, ep - (p + ivlen));
717 EVP_CIPHER_CTX_cleanup(&ctx);
718 advance = ivoff - (u_char *)esp + ivlen;
719 } else
720 advance = sizeof(struct newesp);
721
722 /* sanity check for pad length */
723 if (ep - bp < *(ep - 2))
724 goto fail;
725
726 if (padlen)
727 *padlen = *(ep - 2) + 2;
728
729 if (nhdr)
730 *nhdr = *(ep - 1);
731
732 (ndo->ndo_printf)(ndo, ": ");
733 return advance;
734 #endif
735
736 fail:
737 return -1;
738 }
739 #ifdef HAVE_LIBCRYPTO
740 USES_APPLE_RST
741 #endif
742
743 /*
744 * Local Variables:
745 * c-style: whitesmith
746 * c-basic-offset: 8
747 * End:
748 */
[mirror] the TCPdump network dissector