]> The Tcpdump Group git mirrors - tcpdump/blob - print-esp.c
projects / tcpdump / blob
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Don't bother printing the amount of memory we tried to allocate if the
[tcpdump] / print-esp.c
1 /* $NetBSD: print-ah.c,v 1.4 1996/05/20 00:41:16 fvdl Exp $ */
2
3 /*
4 * Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994
5 * The Regents of the University of California. All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that: (1) source code distributions
9 * retain the above copyright notice and this paragraph in its entirety, (2)
10 * distributions including binary code include the above copyright notice and
11 * this paragraph in its entirety in the documentation or other materials
12 * provided with the distribution, and (3) all advertising materials mentioning
13 * features or use of this software display the following acknowledgement:
14 * ``This product includes software developed by the University of California,
15 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
16 * the University nor the names of its contributors may be used to endorse
17 * or promote products derived from this software without specific prior
18 * written permission.
19 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
20 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
21 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
22 */
23
24 #ifndef lint
25 static const char rcsid[] =
26 "@(#) $Header: /tcpdump/master/tcpdump/print-esp.c,v 1.39 2003-05-02 08:43:28 guy Exp $ (LBL)";
27 #endif
28
29 #ifdef HAVE_CONFIG_H
30 #include "config.h"
31 #endif
32
33 #include <string.h>
34
35 #include <tcpdump-stdinc.h>
36
37 #include <stdlib.h>
38
39 #ifdef HAVE_LIBCRYPTO
40 #include <openssl/des.h>
41 #include <openssl/blowfish.h>
42 #ifdef HAVE_OPENSSL_RC5_H
43 #include <openssl/rc5.h>
44 #endif
45 #ifdef HAVE_OPENSSL_CAST_H
46 #include <openssl/cast.h>
47 #endif
48 #endif
49
50 #include <stdio.h>
51
52 #include "ip.h"
53 #include "esp.h"
54 #ifdef INET6
55 #include "ip6.h"
56 #endif
57
58 #if defined(__MINGW32__) || defined(__WATCOMC__)
59 extern char *strsep (char **stringp, const char *delim); /* Missing/strsep.c */
60 #endif
61
62 #define AVOID_CHURN 1
63 #include "interface.h"
64 #include "addrtoname.h"
65 #include "extract.h"
66
67 enum cipher { NONE,
68 DESCBC,
69 BLOWFISH,
70 RC5,
71 CAST128,
72 DES3CBC};
73
74
75
76 struct esp_algorithm {
77 const char *name;
78 enum cipher algo;
79 int ivlen;
80 int authlen;
81 int replaysize; /* number of bytes, in excess of 4,
82 may be negative */
83 };
84
85 struct esp_algorithm esp_xforms[]={
86 {"none", NONE, 0, 0, 0},
87 {"des-cbc", DESCBC, 8, 0, 0},
88 {"des-cbc-hmac96", DESCBC, 8, 12, 0},
89 {"blowfish-cbc", BLOWFISH,8, 0, 0},
90 {"blowfish-cbc-hmac96", BLOWFISH,8, 12, 0},
91 {"rc5-cbc", RC5, 8, 0, 0},
92 {"rc5-cbc-hmac96", RC5, 8, 12, 0},
93 {"cast128-cbc", CAST128, 8, 0, 0},
94 {"cast128-cbc-hmac96", CAST128, 8, 12, 0},
95 {"3des-cbc-hmac96", DES3CBC, 8, 12, 0},
96 {NULL, NONE, 0, 0, 0}
97 };
98
99 struct esp_algorithm *null_xf =
100 &esp_xforms[sizeof(esp_xforms)/sizeof(esp_xforms[0]) - 1];
101
102 #ifndef HAVE_SOCKADDR_STORAGE
103 #ifdef INET6
104 struct sockaddr_storage {
105 union {
106 struct sockaddr_in sin;
107 struct sockaddr_in6 sin6;
108 } un;
109 };
110 #else
111 #define sockaddr_storage sockaddr
112 #endif
113 #endif /* HAVE_SOCKADDR_STORAGE */
114
115 struct sa_list {
116 struct sa_list *next;
117 struct sockaddr_storage daddr;
118 u_int32_t spi;
119 struct esp_algorithm *xform;
120 char secret[256]; /* is that big enough for all secrets? */
121 int secretlen;
122 };
123
124 static struct sa_list *sa_list_head=NULL;
125 static struct sa_list *sa_default=NULL;
126
127 static void esp_print_addsa(struct sa_list *sa, int sa_def)
128 {
129 /* copy the "sa" */
130
131 struct sa_list *nsa;
132
133 nsa = (struct sa_list *)malloc(sizeof(struct sa_list));
134 if (nsa == NULL)
135 error("ran out of memory to allocate sa structure");
136
137 *nsa = *sa;
138
139 if(sa_def) {
140 sa_default = nsa;
141 }
142
143 nsa->next = sa_list_head;
144 sa_list_head = nsa;
145 }
146
147
148 static int hexdigit(char hex)
149 {
150 if(hex >= '0' && hex <= '9') {
151 return (hex - '0');
152 } else if(hex >= 'A' && hex <= 'F') {
153 return (hex - 'A' + 10);
154 } else if(hex >= 'a' && hex <= 'f') {
155 return (hex - 'a' + 10);
156 } else {
157 printf("invalid hex digit %c in espsecret\n", hex);
158 return 0;
159 }
160 }
161
162 static int hex2byte(char *hexstring)
163 {
164 int byte;
165
166 byte = (hexdigit(hexstring[0]) << 4) +
167 hexdigit(hexstring[1]);
168 return byte;
169 }
170
171 /*
172 * decode the form: SPINUM@IP <tab> ALGONAME:0xsecret
173 *
174 * special form: file /name
175 * causes us to go read from this file instead.
176 *
177 */
178
179 static void esp_print_decode_onesecret(char *line)
180 {
181 struct esp_algorithm *xf;
182 struct sa_list sa1;
183 int sa_def;
184
185 char *spikey;
186 char *decode;
187
188 spikey = strsep(&line, " \t");
189 sa_def = 0;
190 memset(&sa1, 0, sizeof(struct sa_list));
191
192 /* if there is only one token, then it is an algo:key token */
193 if(line == NULL) {
194 decode = spikey;
195 spikey = NULL;
196 /* memset(&sa1.daddr, 0, sizeof(sa1.daddr)); */
197 /* sa1.spi = 0; */
198 sa_def = 1;
199 } else {
200 decode = line;
201 }
202
203 if(spikey && strcasecmp(spikey, "file")==0) {
204 /* open file and read it */
205 FILE *secretfile;
206 char fileline[1024];
207 char *nl;
208
209 secretfile = fopen(line, FOPEN_READ_TXT);
210 if(secretfile == NULL) {
211 perror(line);
212 exit(3);
213 }
214
215 while(fgets(fileline, sizeof(fileline)-1, secretfile) != NULL) {
216
217 /* remove newline from the line */
218 nl = strchr(fileline, '\n');
219 if(nl) {
220 *nl = '\0';
221 }
222 if(fileline[0]=='#') continue;
223 if(fileline[0]=='\0') continue;
224
225 esp_print_decode_onesecret(fileline);
226 }
227 fclose(secretfile);
228
229 return;
230 }
231
232 if(spikey) {
233 char *spistr, *foo;
234 u_int32_t spino;
235 struct sockaddr_in *sin;
236 #ifdef INET6
237 struct sockaddr_in6 *sin6;
238 #endif
239
240 spistr = strsep(&spikey, "@");
241
242 spino = strtoul(spistr, &foo, 0);
243 if(spistr == foo || !spikey) {
244 printf("print_esp: failed to decode spi# %s\n", foo);
245 return;
246 }
247
248 sa1.spi = spino;
249
250 sin = (struct sockaddr_in *)&sa1.daddr;
251 #ifdef INET6
252 sin6 = (struct sockaddr_in6 *)&sa1.daddr;
253 if(inet_pton(AF_INET6, spikey, &sin6->sin6_addr) == 1) {
254 #ifdef HAVE_SOCKADDR_SA_LEN
255 sin6->sin6_len = sizeof(struct sockaddr_in6);
256 #endif
257 sin6->sin6_family = AF_INET6;
258 } else
259 #endif
260 if(inet_pton(AF_INET, spikey, &sin->sin_addr) == 1) {
261 #ifdef HAVE_SOCKADDR_SA_LEN
262 sin->sin_len = sizeof(struct sockaddr_in);
263 #endif
264 sin->sin_family = AF_INET;
265 } else {
266 printf("print_esp: can not decode IP# %s\n", spikey);
267 return;
268 }
269 }
270
271 if(decode) {
272 char *colon;
273 char espsecret_key[256];
274 unsigned int len, i;
275
276 /* skip any blank spaces */
277 while(isspace((unsigned char)*decode)) decode++;
278
279 colon = strchr(decode, ':');
280 if(colon == NULL) {
281 printf("failed to decode espsecret: %s\n", decode);
282 return;
283 }
284
285 len = colon - decode;
286 xf = esp_xforms;
287 while(xf->name && strncasecmp(decode, xf->name, len)!=0) {
288 xf++;
289 }
290 if(xf->name == NULL) {
291 printf("failed to find cipher algo %s\n", decode);
292 /* set to NULL transform */
293 return;
294 }
295 sa1.xform = xf;
296
297 colon++;
298 if(colon[0]=='0' && colon[1]=='x') {
299 /* decode some hex! */
300 colon+=2;
301 len = strlen(colon) / 2;
302
303 if(len > 256) {
304 printf("secret is too big: %d\n", len);
305 return;
306 }
307
308 i = 0;
309 while(colon[0] != '\0' && colon[1]!='\0') {
310 espsecret_key[i]=hex2byte(colon);
311 colon+=2;
312 i++;
313 }
314 memcpy(sa1.secret, espsecret_key, i);
315 sa1.secretlen=i;
316 } else {
317 i = strlen(colon);
318 if(i < sizeof(sa1.secret)) {
319 memcpy(sa1.secret, espsecret_key, i);
320 sa1.secretlen = i;
321 } else {
322 memcpy(sa1.secret, espsecret_key, sizeof(sa1.secret));
323 sa1.secretlen = sizeof(sa1.secret);
324 }
325 }
326
327 }
328
329 esp_print_addsa(&sa1, sa_def);
330 }
331
332
333 static void esp_print_decodesecret(void)
334 {
335 char *line;
336 char *p;
337
338 if(espsecret == NULL) {
339 sa_list_head = NULL;
340 return;
341 }
342
343 if(sa_list_head != NULL) {
344 return;
345 }
346
347 p=espsecret;
348
349 while(espsecret && espsecret[0]!='\0') {
350 /* pick out the first line or first thing until a comma */
351 if((line = strsep(&espsecret, "\n,"))==NULL) {
352 line=espsecret;
353 espsecret=NULL;
354 }
355
356 esp_print_decode_onesecret(line);
357 }
358 }
359
360 int
361 esp_print(register const u_char *bp, register const u_char *bp2,
362 int *nhdr, int *padlen)
363 {
364 register const struct newesp *esp;
365 register const u_char *ep;
366 struct ip *ip;
367 struct sa_list *sa = NULL;
368 int espsecret_keylen;
369 #ifdef INET6
370 struct ip6_hdr *ip6 = NULL;
371 #endif
372 int advance;
373 int len;
374 char *secret;
375 int ivlen = 0;
376 u_char *ivoff;
377 #ifdef HAVE_LIBCRYPTO
378 u_char *p;
379 #endif
380
381 esp = (struct newesp *)bp;
382 secret = NULL;
383 advance = 0;
384
385 #if 0
386 /* keep secret out of a register */
387 p = (u_char *)&secret;
388 #endif
389
390 /* 'ep' points to the end of available data. */
391 ep = snapend;
392
393 if ((u_char *)(esp + 1) >= ep) {
394 fputs("[|ESP]", stdout);
395 goto fail;
396 }
397 printf("ESP(spi=0x%08x", EXTRACT_32BITS(&esp->esp_spi));
398 printf(",seq=0x%x", EXTRACT_32BITS(&esp->esp_seq));
399 printf(")");
400
401 /* if we don't have decryption key, we can't decrypt this packet. */
402 if(sa_list_head == NULL) {
403 if (!espsecret) {
404 goto fail;
405 }
406 esp_print_decodesecret();
407 }
408
409 if(sa_list_head == NULL) {
410 goto fail;
411 }
412
413 ip = (struct ip *)bp2;
414 switch (IP_V(ip)) {
415 #ifdef INET6
416 case 6:
417 ip6 = (struct ip6_hdr *)bp2;
418 /* we do not attempt to decrypt jumbograms */
419 if (!EXTRACT_16BITS(&ip6->ip6_plen))
420 goto fail;
421 /* if we can't get nexthdr, we do not need to decrypt it */
422 len = sizeof(struct ip6_hdr) + EXTRACT_16BITS(&ip6->ip6_plen);
423
424 /* see if we can find the SA, and if so, decode it */
425 for (sa = sa_list_head; sa != NULL; sa = sa->next) {
426 struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)&sa->daddr;
427 if (sa->spi == ntohl(esp->esp_spi) &&
428 sin6->sin6_family == AF_INET6 &&
429 memcmp(&sin6->sin6_addr, &ip6->ip6_dst,
430 sizeof(struct in6_addr)) == 0) {
431 break;
432 }
433 }
434 break;
435 #endif /*INET6*/
436 case 4:
437 /* nexthdr & padding are in the last fragment */
438 if (EXTRACT_16BITS(&ip->ip_off) & IP_MF)
439 goto fail;
440 len = EXTRACT_16BITS(&ip->ip_len);
441
442 /* see if we can find the SA, and if so, decode it */
443 for (sa = sa_list_head; sa != NULL; sa = sa->next) {
444 struct sockaddr_in *sin = (struct sockaddr_in *)&sa->daddr;
445 if (sa->spi == ntohl(esp->esp_spi) &&
446 sin->sin_family == AF_INET &&
447 sin->sin_addr.s_addr == ip->ip_dst.s_addr) {
448 break;
449 }
450 }
451 break;
452 default:
453 goto fail;
454 }
455
456 /* if we didn't find the specific one, then look for
457 * an unspecified one.
458 */
459 if(sa == NULL) {
460 sa = sa_default;
461 }
462
463 /* if not found fail */
464 if(sa == NULL)
465 goto fail;
466
467 /* if we can't get nexthdr, we do not need to decrypt it */
468 if (ep - bp2 < len)
469 goto fail;
470 if (ep - bp2 > len) {
471 /* FCS included at end of frame (NetBSD 1.6 or later) */
472 ep = bp2 + len;
473 }
474
475 ivoff = (u_char *)(esp + 1) + sa->xform->replaysize;
476 ivlen = sa->xform->ivlen;
477 secret = sa->secret;
478 espsecret_keylen = sa->secretlen;
479
480 switch (sa->xform->algo) {
481 case DESCBC:
482 #ifdef HAVE_LIBCRYPTO
483 {
484 u_char iv[8];
485 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
486 DES_key_schedule schedule;
487 #else
488 des_key_schedule schedule;
489 #endif
490
491 switch (ivlen) {
492 case 4:
493 memcpy(iv, ivoff, 4);
494 memcpy(&iv[4], ivoff, 4);
495 p = &iv[4];
496 *p++ ^= 0xff;
497 *p++ ^= 0xff;
498 *p++ ^= 0xff;
499 *p++ ^= 0xff;
500 break;
501 case 8:
502 memcpy(iv, ivoff, 8);
503 break;
504 default:
505 goto fail;
506 }
507 p = ivoff + ivlen;
508
509 if (espsecret_keylen != 8)
510 goto fail;
511
512 #if OPENSSL_VERSION_NUMBER >= 0x00908000L
513 DES_set_key_unchecked((const_DES_cblock *)secret, &schedule);
514
515 DES_cbc_encrypt((const unsigned char *)p, p,
516 (long)(ep - p), &schedule, (DES_cblock *)iv,
517 DES_DECRYPT);
518
519 #elif OPENSSL_VERSION_NUMBER >= 0x00907000L
520 DES_set_key_unchecked((DES_cblock *)secret, schedule);
521
522 DES_cbc_encrypt((const unsigned char *)p, p,
523 (long)(ep - p), schedule, (DES_cblock *)iv,
524 DES_DECRYPT);
525 #else
526 des_check_key = 0;
527 des_set_key((void *)secret, schedule);
528
529 des_cbc_encrypt((void *)p, (void *)p,
530 (long)(ep - p), schedule, (void *)iv,
531 DES_DECRYPT);
532 #endif
533 advance = ivoff - (u_char *)esp + ivlen;
534 break;
535 }
536 #else
537 goto fail;
538 #endif /*HAVE_LIBCRYPTO*/
539
540 case BLOWFISH:
541 #ifdef HAVE_LIBCRYPTO
542 {
543 BF_KEY schedule;
544
545 if (espsecret_keylen < 5 || espsecret_keylen > 56)
546 goto fail;
547 BF_set_key(&schedule, espsecret_keylen, secret);
548
549 p = ivoff + ivlen;
550 BF_cbc_encrypt(p, p, (long)(ep - p), &schedule, ivoff,
551 BF_DECRYPT);
552 advance = ivoff - (u_char *)esp + ivlen;
553 break;
554 }
555 #else
556 goto fail;
557 #endif /*HAVE_LIBCRYPTO*/
558
559 case RC5:
560 #if defined(HAVE_LIBCRYPTO) && defined(HAVE_RC5_H)
561 {
562 RC5_32_KEY schedule;
563
564 if (espsecret_keylen < 5 || espsecret_keylen > 255)
565 goto fail;
566 RC5_32_set_key(&schedule, espsecret_keylen, secret,
567 RC5_16_ROUNDS);
568
569 p = ivoff + ivlen;
570 RC5_32_cbc_encrypt(p, p, (long)(ep - p), &schedule, ivoff,
571 RC5_DECRYPT);
572 advance = ivoff - (u_char *)esp + ivlen;
573 break;
574 }
575 #else
576 goto fail;
577 #endif /*HAVE_LIBCRYPTO*/
578
579 case CAST128:
580 #if defined(HAVE_LIBCRYPTO) && defined(HAVE_CAST_H) && !defined(HAVE_BUGGY_CAST128)
581 {
582 CAST_KEY schedule;
583
584 if (espsecret_keylen < 5 || espsecret_keylen > 16)
585 goto fail;
586 CAST_set_key(&schedule, espsecret_keylen, secret);
587
588 p = ivoff + ivlen;
589 CAST_cbc_encrypt(p, p, (long)(ep - p), &schedule, ivoff,
590 CAST_DECRYPT);
591 advance = ivoff - (u_char *)esp + ivlen;
592 break;
593 }
594 #else
595 goto fail;
596 #endif /*HAVE_LIBCRYPTO*/
597
598 case DES3CBC:
599 #if defined(HAVE_LIBCRYPTO)
600 {
601 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
602 DES_key_schedule s1, s2, s3;
603
604 if (espsecret_keylen != 24)
605 goto fail;
606 DES_set_odd_parity((DES_cblock *)secret);
607 DES_set_odd_parity((DES_cblock *)(secret + 8));
608 DES_set_odd_parity((DES_cblock *)(secret + 16));
609 #if OPENSSL_VERSION_NUMBER >= 0x00908000L
610 if(DES_set_key_checked((const_DES_cblock *)secret, &s1) != 0) {
611 printf("failed to schedule key 1\n");
612 }
613 if(DES_set_key_checked((const_DES_cblock *)(secret + 8), &s2)!=0) {
614 printf("failed to schedule key 2\n");
615 }
616 if(DES_set_key_checked((const_DES_cblock *)(secret + 16), &s3)!=0) {
617 printf("failed to schedule key 3\n");
618 }
619 #else
620 if(DES_set_key_checked((DES_cblock *)secret, s1) != 0) {
621 printf("failed to schedule key 1\n");
622 }
623 if(DES_set_key_checked((DES_cblock *)(secret + 8), s2)!=0) {
624 printf("failed to schedule key 2\n");
625 }
626 if(DES_set_key_checked((DES_cblock *)(secret + 16), s3)!=0) {
627 printf("failed to schedule key 3\n");
628 }
629 #endif
630
631 p = ivoff + ivlen;
632 DES_ede3_cbc_encrypt((const unsigned char *)p, p,
633 (long)(ep - p),
634 &s1, &s2, &s3,
635 (DES_cblock *)ivoff, DES_DECRYPT);
636 #else
637 des_key_schedule s1, s2, s3;
638
639 if (espsecret_keylen != 24)
640 goto fail;
641 des_check_key = 1;
642 des_set_odd_parity((void *)secret);
643 des_set_odd_parity((void *)(secret + 8));
644 des_set_odd_parity((void *)(secret + 16));
645 if(des_set_key((void *)secret, s1) != 0) {
646 printf("failed to schedule key 1\n");
647 }
648 if(des_set_key((void *)(secret + 8), s2)!=0) {
649 printf("failed to schedule key 2\n");
650 }
651 if(des_set_key((void *)(secret + 16), s3)!=0) {
652 printf("failed to schedule key 3\n");
653 }
654
655 p = ivoff + ivlen;
656 des_ede3_cbc_encrypt((void *)p, (void *)p,
657 (long)(ep - p),
658 s1, s2, s3,
659 (void *)ivoff, DES_DECRYPT);
660 #endif
661 advance = ivoff - (u_char *)esp + ivlen;
662 break;
663 }
664 #else
665 goto fail;
666 #endif /*HAVE_LIBCRYPTO*/
667
668 case NONE:
669 default:
670 advance = sizeof(struct newesp) + sa->xform->replaysize;
671 break;
672 }
673
674 ep = ep - sa->xform->authlen;
675 /* sanity check for pad length */
676 if (ep - bp < *(ep - 2))
677 goto fail;
678
679 if (padlen)
680 *padlen = *(ep - 2) + 2;
681
682 if (nhdr)
683 *nhdr = *(ep - 1);
684
685 printf(": ");
686 return advance;
687
688 fail:
689 if (nhdr)
690 *nhdr = -1;
691 return 65536;
692 }
[mirror] the TCPdump network dissector