]> The Tcpdump Group git mirrors - tcpdump/blob - print-esp.c
projects / tcpdump / blob
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Get rid of unneeded includes of <net/if.h>.
[tcpdump] / print-esp.c
1 /* $NetBSD: print-ah.c,v 1.4 1996/05/20 00:41:16 fvdl Exp $ */
2
3 /*
4 * Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994
5 * The Regents of the University of California. All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that: (1) source code distributions
9 * retain the above copyright notice and this paragraph in its entirety, (2)
10 * distributions including binary code include the above copyright notice and
11 * this paragraph in its entirety in the documentation or other materials
12 * provided with the distribution, and (3) all advertising materials mentioning
13 * features or use of this software display the following acknowledgement:
14 * ``This product includes software developed by the University of California,
15 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
16 * the University nor the names of its contributors may be used to endorse
17 * or promote products derived from this software without specific prior
18 * written permission.
19 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
20 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
21 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
22 */
23
24 #ifndef lint
25 static const char rcsid[] =
26 "@(#) $Header: /tcpdump/master/tcpdump/print-esp.c,v 1.10 2000-09-28 06:42:58 guy Exp $ (LBL)";
27 #endif
28
29 #ifdef HAVE_CONFIG_H
30 #include "config.h"
31 #endif
32
33 #include <string.h>
34 #include <sys/param.h>
35 #include <sys/time.h>
36 #include <sys/types.h>
37 #include <sys/socket.h>
38
39 #include <net/route.h>
40
41 #include <netinet/in.h>
42 #include <netinet/in_systm.h>
43
44 #ifdef HAVE_LIBCRYPTO
45 #include <des.h>
46 #include <blowfish.h>
47 #ifdef HAVE_RC5_H
48 #include <rc5.h>
49 #endif
50 #ifdef HAVE_CAST_H
51 #include <cast.h>
52 #endif
53 #endif
54
55 #include <stdio.h>
56
57 #ifdef INET6
58 #include <netinet/ip6.h>
59 #endif
60
61 #include "ip.h"
62
63 /* there's no standard definition so we are on our own */
64 struct esp {
65 u_int32_t esp_spi; /* ESP */
66 /*variable size, 32bit bound*/ /* Initialization Vector */
67 /*variable size*/ /* Payload data */
68 /*variable size*/ /* padding */
69 /*8bit*/ /* pad size */
70 /*8bit*/ /* next header */
71 /*8bit*/ /* next header */
72 /*variable size, 32bit bound*/ /* Authentication data (new IPsec) */
73 };
74
75 struct newesp {
76 u_int32_t esp_spi; /* ESP */
77 u_int32_t esp_seq; /* Sequence number */
78 /*variable size*/ /* (IV and) Payload data */
79 /*variable size*/ /* padding */
80 /*8bit*/ /* pad size */
81 /*8bit*/ /* next header */
82 /*8bit*/ /* next header */
83 /*variable size, 32bit bound*/ /* Authentication data */
84 };
85
86 #include "interface.h"
87 #include "addrtoname.h"
88
89 int
90 esp_print(register const u_char *bp, register const u_char *bp2, int *nhdr)
91 {
92 register const struct esp *esp;
93 register const u_char *ep;
94 u_int32_t spi;
95 enum { NONE, DESCBC, BLOWFISH, RC5, CAST128, DES3CBC } algo = NONE;
96 struct ip *ip = NULL;
97 #ifdef INET6
98 struct ip6_hdr *ip6 = NULL;
99 #endif
100 int advance;
101 int len;
102 char *secret = NULL;
103 int ivlen = 0;
104 u_char *ivoff;
105
106 esp = (struct esp *)bp;
107 spi = (u_int32_t)ntohl(esp->esp_spi);
108
109 /* 'ep' points to the end of avaible data. */
110 ep = snapend;
111
112 if ((u_char *)(esp + 1) >= ep - sizeof(struct esp)) {
113 fputs("[|ESP]", stdout);
114 goto fail;
115 }
116 printf("ESP(spi=%u", spi);
117 printf(",seq=0x%x", (u_int32_t)ntohl(*(u_int32_t *)(esp + 1)));
118 printf(")");
119
120 /* if we don't have decryption key, we can't decrypt this packet. */
121 if (!espsecret)
122 goto fail;
123
124 if (strncmp(espsecret, "des-cbc:", 8) == 0
125 && strlen(espsecret + 8) == 8) {
126 algo = DESCBC;
127 ivlen = 8;
128 secret = espsecret + 8;
129 } else if (strncmp(espsecret, "blowfish-cbc:", 13) == 0) {
130 algo = BLOWFISH;
131 ivlen = 8;
132 secret = espsecret + 13;
133 } else if (strncmp(espsecret, "rc5-cbc:", 8) == 0) {
134 algo = RC5;
135 ivlen = 8;
136 secret = espsecret + 8;
137 } else if (strncmp(espsecret, "cast128-cbc:", 12) == 0) {
138 algo = CAST128;
139 ivlen = 8;
140 secret = espsecret + 12;
141 } else if (strncmp(espsecret, "3des-cbc:", 9) == 0
142 && strlen(espsecret + 9) == 24) {
143 algo = DES3CBC;
144 ivlen = 8;
145 secret = espsecret + 9;
146 } else if (strncmp(espsecret, "none:", 5) == 0) {
147 algo = NONE;
148 ivlen = 0;
149 secret = espsecret + 5;
150 } else if (strlen(espsecret) == 8) {
151 algo = DESCBC;
152 ivlen = 8;
153 secret = espsecret;
154 } else {
155 algo = NONE;
156 ivlen = 0;
157 secret = espsecret;
158 }
159
160 ip = (struct ip *)bp2;
161 switch (ip->ip_v) {
162 #ifdef INET6
163 case 6:
164 ip6 = (struct ip6_hdr *)bp2;
165 ip = NULL;
166 /* we do not attempt to decrypt jumbograms */
167 if (!ntohs(ip6->ip6_plen))
168 goto fail;
169 /* if we can't get nexthdr, we do not need to decrypt it */
170 len = sizeof(struct ip6_hdr) + ntohs(ip6->ip6_plen);
171 break;
172 #endif /*INET6*/
173 case 4:
174 #ifdef INET6
175 ip6 = NULL;
176 #endif
177 len = ntohs(ip->ip_len);
178 break;
179 default:
180 goto fail;
181 }
182
183 /* if we can't get nexthdr, we do not need to decrypt it */
184 if (ep - bp2 < len)
185 goto fail;
186
187 if (Rflag)
188 ivoff = (u_char *)(esp + 1) + sizeof(u_int32_t);
189 else
190 ivoff = (u_char *)(esp + 1);
191
192 switch (algo) {
193 case DESCBC:
194 #ifdef HAVE_LIBCRYPTO
195 {
196 u_char iv[8];
197 des_key_schedule schedule;
198 u_char *p;
199
200 switch (ivlen) {
201 case 4:
202 memcpy(iv, ivoff, 4);
203 memcpy(&iv[4], ivoff, 4);
204 p = &iv[4];
205 *p++ ^= 0xff;
206 *p++ ^= 0xff;
207 *p++ ^= 0xff;
208 *p++ ^= 0xff;
209 break;
210 case 8:
211 memcpy(iv, ivoff, 8);
212 break;
213 default:
214 goto fail;
215 }
216
217 des_check_key = 0;
218 des_set_key((void *)secret, schedule);
219
220 p = ivoff + ivlen;
221 des_cbc_encrypt((void *)p, (void *)p,
222 (long)(ep - p), schedule, (void *)iv,
223 DES_DECRYPT);
224 advance = ivoff - (u_char *)esp + ivlen;
225 break;
226 }
227 #else
228 goto fail;
229 #endif /*HAVE_LIBCRYPTO*/
230
231 case BLOWFISH:
232 #ifdef HAVE_LIBCRYPTO
233 {
234 BF_KEY schedule;
235 u_char *p;
236
237 BF_set_key(&schedule, strlen(secret), secret);
238
239 p = ivoff + ivlen;
240 BF_cbc_encrypt(p, p, (long)(ep - p), &schedule, ivoff,
241 BF_DECRYPT);
242 advance = ivoff - (u_char *)esp + ivlen;
243 break;
244 }
245 #else
246 goto fail;
247 #endif /*HAVE_LIBCRYPTO*/
248
249 case RC5:
250 #if defined(HAVE_LIBCRYPTO) && defined(HAVE_RC5_H)
251 {
252 RC5_32_KEY schedule;
253 u_char *p;
254
255 RC5_32_set_key(&schedule, strlen(secret), secret,
256 RC5_16_ROUNDS);
257
258 p = ivoff + ivlen;
259 RC5_32_cbc_encrypt(p, p, (long)(ep - p), &schedule, ivoff,
260 RC5_DECRYPT);
261 advance = ivoff - (u_char *)esp + ivlen;
262 break;
263 }
264 #else
265 goto fail;
266 #endif /*HAVE_LIBCRYPTO*/
267
268 case CAST128:
269 #if defined(HAVE_LIBCRYPTO) && defined(HAVE_CAST_H) && !defined(HAVE_BUGGY_CAST128)
270 {
271 CAST_KEY schedule;
272 u_char *p;
273
274 CAST_set_key(&schedule, strlen(secret), secret);
275
276 p = ivoff + ivlen;
277 CAST_cbc_encrypt(p, p, (long)(ep - p), &schedule, ivoff,
278 CAST_DECRYPT);
279 advance = ivoff - (u_char *)esp + ivlen;
280 break;
281 }
282 #else
283 goto fail;
284 #endif /*HAVE_LIBCRYPTO*/
285
286 case DES3CBC:
287 #if defined(HAVE_LIBCRYPTO)
288 {
289 des_key_schedule s1, s2, s3;
290 u_char *p;
291
292 des_check_key = 0;
293 des_set_key((void *)secret, s1);
294 des_set_key((void *)(secret + 8), s2);
295 des_set_key((void *)(secret + 16), s3);
296
297 p = ivoff + ivlen;
298 des_ede3_cbc_encrypt((void *)p, (void *)p,
299 (long)(ep - p), s1, s2, s3, (void *)ivoff, DES_DECRYPT);
300 advance = ivoff - (u_char *)esp + ivlen;
301 break;
302 }
303 #else
304 goto fail;
305 #endif /*HAVE_LIBCRYPTO*/
306
307 case NONE:
308 default:
309 if (Rflag)
310 advance = sizeof(struct esp) + sizeof(u_int32_t);
311 else
312 advance = sizeof(struct esp);
313 break;
314 }
315
316 /* sanity check for pad length */
317 if (ep - bp < *(ep - 2))
318 goto fail;
319
320 if (nhdr)
321 *nhdr = *(ep - 1);
322
323 printf(": ");
324 return advance;
325
326 fail:
327 if (nhdr)
328 *nhdr = -1;
329 return 65536;
330 }
[mirror] the TCPdump network dissector