]> The Tcpdump Group git mirrors - tcpdump/blob - print-esp.c
projects / tcpdump / blob
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Initial support for OpenSSL version 0.9.7 and higher.
[tcpdump] / print-esp.c
1 /* $NetBSD: print-ah.c,v 1.4 1996/05/20 00:41:16 fvdl Exp $ */
2
3 /*
4 * Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994
5 * The Regents of the University of California. All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that: (1) source code distributions
9 * retain the above copyright notice and this paragraph in its entirety, (2)
10 * distributions including binary code include the above copyright notice and
11 * this paragraph in its entirety in the documentation or other materials
12 * provided with the distribution, and (3) all advertising materials mentioning
13 * features or use of this software display the following acknowledgement:
14 * ``This product includes software developed by the University of California,
15 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
16 * the University nor the names of its contributors may be used to endorse
17 * or promote products derived from this software without specific prior
18 * written permission.
19 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
20 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
21 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
22 */
23
24 #ifndef lint
25 static const char rcsid[] =
26 "@(#) $Header: /tcpdump/master/tcpdump/print-esp.c,v 1.27 2002-07-28 04:23:00 fenner Exp $ (LBL)";
27 #endif
28
29 #ifdef HAVE_CONFIG_H
30 #include "config.h"
31 #endif
32
33 #include <string.h>
34 #include <sys/param.h>
35 #include <sys/time.h>
36 #include <sys/types.h>
37 #include <sys/socket.h>
38 #include <stdlib.h>
39
40 #include <netinet/in.h>
41
42 #ifdef HAVE_LIBCRYPTO
43 #include <openssl/des.h>
44 #include <openssl/blowfish.h>
45 #ifdef HAVE_OPENSSL_RC5_H
46 #include <openssl/rc5.h>
47 #endif
48 #ifdef HAVE_OPENSSL_CAST_H
49 #include <openssl/cast.h>
50 #endif
51 #endif
52
53 #include <stdio.h>
54
55 #include "ip.h"
56 #include "esp.h"
57 #ifdef INET6
58 #include "ip6.h"
59 #endif
60
61 #define AVOID_CHURN 1
62 #include "interface.h"
63 #include "addrtoname.h"
64
65 static struct esp_algorithm *espsecret_xform=NULL; /* cache of decoded alg. */
66 static char *espsecret_key=NULL;
67
68
69 enum cipher { NONE,
70 DESCBC,
71 BLOWFISH,
72 RC5,
73 CAST128,
74 DES3CBC};
75
76
77
78 struct esp_algorithm {
79 char *name;
80 enum cipher algo;
81 int ivlen;
82 int authlen;
83 int replaysize;
84 };
85
86 struct esp_algorithm esp_xforms[]={
87 {"none", NONE, 0, 0, 0},
88 {"des-cbc", DESCBC, 8, 0, 0},
89 {"des-cbc-hmac96", DESCBC, 8, 12, 4},
90 {"blowfish-cbc", BLOWFISH,8, 0, 0},
91 {"blowfish-cbc-hmac96", BLOWFISH,8, 12, 4},
92 {"rc5-cbc", RC5, 8, 0, 0},
93 {"rc5-cbc-hmac96", RC5, 8, 12, 4},
94 {"cast128-cbc", CAST128, 8, 0, 0},
95 {"cast128-cbc-hmac96", CAST128, 8, 12, 4},
96 {"3des-cbc-hmac96", DES3CBC, 8, 12, 4},
97 {NULL, NONE, 0, 0, 0}
98 };
99
100 static int hexdigit(char hex)
101 {
102 if(hex >= '0' && hex <= '9') {
103 return (hex - '0');
104 } else if(hex >= 'A' && hex <= 'F') {
105 return (hex - 'A' + 10);
106 } else if(hex >= 'a' && hex <= 'f') {
107 return (hex - 'a' + 10);
108 } else {
109 printf("invalid hex digit %c in espsecret\n", hex);
110 return 0;
111 }
112 }
113
114 static int hex2byte(char *hexstring)
115 {
116 int byte;
117
118 byte = (hexdigit(hexstring[0]) << 4) +
119 hexdigit(hexstring[1]);
120 return byte;
121 }
122
123
124 static void esp_print_decodesecret(void)
125 {
126 char *colon;
127 int len, i;
128 struct esp_algorithm *xf;
129 struct esp_algorithm *null_xf =
130 &esp_xforms[sizeof(esp_xforms)/sizeof(esp_xforms[0]) - 1];
131
132 if(espsecret == NULL) {
133 /* set to NULL transform */
134 espsecret_xform = null_xf;
135 return;
136 }
137
138 if(espsecret_key != NULL) {
139 return;
140 }
141
142 colon = strchr(espsecret, ':');
143 if(colon == NULL) {
144 printf("failed to decode espsecret: %s\n",
145 espsecret);
146 /* set to NULL transform */
147 espsecret_xform = null_xf;
148 return;
149 }
150
151 len = colon - espsecret;
152 xf = esp_xforms;
153 while(xf->name && strncasecmp(espsecret, xf->name, len)!=0) {
154 xf++;
155 }
156 if(xf->name == NULL) {
157 printf("failed to find cipher algo %s\n",
158 espsecret);
159 /* set to NULL transform */
160 espsecret_xform = null_xf;
161 return;
162 }
163 espsecret_xform = xf;
164
165 colon++;
166 if(colon[0]=='0' && colon[1]=='x') {
167 /* decode some hex! */
168 colon+=2;
169 len = strlen(colon) / 2;
170 espsecret_key = (char *)malloc(len);
171 if(espsecret_key == NULL) {
172 fprintf(stderr, "%s: ran out of memory (%d) to allocate secret key\n",
173 program_name, len);
174 exit(2);
175 }
176 i = 0;
177 while(colon[0] != '\0' && colon[1]!='\0') {
178 espsecret_key[i]=hex2byte(colon);
179 colon+=2;
180 i++;
181 }
182 } else {
183 espsecret_key = colon;
184 }
185 }
186
187 int
188 esp_print(register const u_char *bp, register const u_char *bp2,
189 int *nhdr, int *padlen)
190 {
191 register const struct newesp *esp;
192 register const u_char *ep;
193 struct ip *ip = NULL;
194 #ifdef INET6
195 struct ip6_hdr *ip6 = NULL;
196 #endif
197 int advance;
198 int len;
199 char *secret;
200 int ivlen = 0;
201 u_char *ivoff;
202 #ifdef HAVE_LIBCRYPTO
203 u_char *p;
204 #endif
205
206 esp = (struct newesp *)bp;
207 secret = NULL;
208
209 #if 0
210 /* keep secret out of a register */
211 p = (u_char *)&secret;
212 #endif
213
214 /* 'ep' points to the end of available data. */
215 ep = snapend;
216
217 if ((u_char *)(esp + 1) >= ep) {
218 fputs("[|ESP]", stdout);
219 goto fail;
220 }
221 printf("ESP(spi=0x%08x", (u_int32_t)ntohl(esp->esp_spi));
222 printf(",seq=0x%x", (u_int32_t)ntohl(esp->esp_seq));
223 printf(")");
224
225 /* if we don't have decryption key, we can't decrypt this packet. */
226 if (!espsecret)
227 goto fail;
228
229 if(!espsecret_xform) {
230 esp_print_decodesecret();
231 }
232 if(espsecret_xform->name == NULL) {
233 goto fail;
234 }
235
236 ip = (struct ip *)bp2;
237 switch (IP_V(ip)) {
238 #ifdef INET6
239 case 6:
240 ip6 = (struct ip6_hdr *)bp2;
241 ip = NULL;
242 /* we do not attempt to decrypt jumbograms */
243 if (!ntohs(ip6->ip6_plen))
244 goto fail;
245 /* if we can't get nexthdr, we do not need to decrypt it */
246 len = sizeof(struct ip6_hdr) + ntohs(ip6->ip6_plen);
247 break;
248 #endif /*INET6*/
249 case 4:
250 /* nexthdr & padding are in the last fragment */
251 if (ntohs(ip->ip_off) & IP_MF)
252 goto fail;
253 #ifdef INET6
254 ip6 = NULL;
255 #endif
256 len = ntohs(ip->ip_len);
257 break;
258 default:
259 goto fail;
260 }
261
262 /* if we can't get nexthdr, we do not need to decrypt it */
263 if (ep - bp2 < len)
264 goto fail;
265
266 ivoff = (u_char *)(esp + 1) + espsecret_xform->replaysize;
267 ivlen = espsecret_xform->ivlen;
268 secret = espsecret_key;
269
270 switch (espsecret_xform->algo) {
271 case DESCBC:
272 #ifdef HAVE_LIBCRYPTO
273 {
274 u_char iv[8];
275 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
276 DES_key_schedule schedule;
277 #else
278 des_key_schedule schedule;
279 #endif
280
281 switch (ivlen) {
282 case 4:
283 memcpy(iv, ivoff, 4);
284 memcpy(&iv[4], ivoff, 4);
285 p = &iv[4];
286 *p++ ^= 0xff;
287 *p++ ^= 0xff;
288 *p++ ^= 0xff;
289 *p++ ^= 0xff;
290 break;
291 case 8:
292 memcpy(iv, ivoff, 8);
293 break;
294 default:
295 goto fail;
296 }
297 p = ivoff + ivlen;
298
299 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
300 DES_set_key_unchecked((DES_cblock *)secret, schedule);
301
302 DES_cbc_encrypt((const unsigned char *)p, p,
303 (long)(ep - p), schedule, (DES_cblock *)iv,
304 DES_DECRYPT);
305 #else
306 des_check_key = 0;
307 des_set_key((void *)secret, schedule);
308
309 des_cbc_encrypt((void *)p, (void *)p,
310 (long)(ep - p), schedule, (void *)iv,
311 DES_DECRYPT);
312 #endif
313 advance = ivoff - (u_char *)esp + ivlen;
314 break;
315 }
316 #else
317 goto fail;
318 #endif /*HAVE_LIBCRYPTO*/
319
320 case BLOWFISH:
321 #ifdef HAVE_LIBCRYPTO
322 {
323 BF_KEY schedule;
324
325 BF_set_key(&schedule, strlen(secret), secret);
326
327 p = ivoff + ivlen;
328 BF_cbc_encrypt(p, p, (long)(ep - p), &schedule, ivoff,
329 BF_DECRYPT);
330 advance = ivoff - (u_char *)esp + ivlen;
331 break;
332 }
333 #else
334 goto fail;
335 #endif /*HAVE_LIBCRYPTO*/
336
337 case RC5:
338 #if defined(HAVE_LIBCRYPTO) && defined(HAVE_RC5_H)
339 {
340 RC5_32_KEY schedule;
341
342 RC5_32_set_key(&schedule, strlen(secret), secret,
343 RC5_16_ROUNDS);
344
345 p = ivoff + ivlen;
346 RC5_32_cbc_encrypt(p, p, (long)(ep - p), &schedule, ivoff,
347 RC5_DECRYPT);
348 advance = ivoff - (u_char *)esp + ivlen;
349 break;
350 }
351 #else
352 goto fail;
353 #endif /*HAVE_LIBCRYPTO*/
354
355 case CAST128:
356 #if defined(HAVE_LIBCRYPTO) && defined(HAVE_CAST_H) && !defined(HAVE_BUGGY_CAST128)
357 {
358 CAST_KEY schedule;
359
360 CAST_set_key(&schedule, strlen(secret), secret);
361
362 p = ivoff + ivlen;
363 CAST_cbc_encrypt(p, p, (long)(ep - p), &schedule, ivoff,
364 CAST_DECRYPT);
365 advance = ivoff - (u_char *)esp + ivlen;
366 break;
367 }
368 #else
369 goto fail;
370 #endif /*HAVE_LIBCRYPTO*/
371
372 case DES3CBC:
373 #if defined(HAVE_LIBCRYPTO)
374 {
375 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
376 DES_key_schedule s1, s2, s3;
377
378 DES_set_odd_parity((DES_cblock *)secret);
379 DES_set_odd_parity((DES_cblock *)(secret + 8));
380 DES_set_odd_parity((DES_cblock *)(secret + 16));
381 if(DES_set_key_checked((DES_cblock *)secret, s1) != 0) {
382 printf("failed to schedule key 1\n");
383 }
384 if(DES_set_key_checked((DES_cblock *)(secret + 8), s2)!=0) {
385 printf("failed to schedule key 2\n");
386 }
387 if(DES_set_key_checked((DES_cblock *)(secret + 16), s3)!=0) {
388 printf("failed to schedule key 3\n");
389 }
390
391 p = ivoff + ivlen;
392 DES_ede3_cbc_encrypt((const unsigned char *)p, p,
393 (long)(ep - p),
394 &s1, &s2, &s3,
395 (DES_cblock *)ivoff, DES_DECRYPT);
396 #else
397 des_key_schedule s1, s2, s3;
398
399 des_check_key = 1;
400 des_set_odd_parity((void *)secret);
401 des_set_odd_parity((void *)(secret + 8));
402 des_set_odd_parity((void *)(secret + 16));
403 if(des_set_key((void *)secret, s1) != 0) {
404 printf("failed to schedule key 1\n");
405 }
406 if(des_set_key((void *)(secret + 8), s2)!=0) {
407 printf("failed to schedule key 2\n");
408 }
409 if(des_set_key((void *)(secret + 16), s3)!=0) {
410 printf("failed to schedule key 3\n");
411 }
412
413 p = ivoff + ivlen;
414 des_ede3_cbc_encrypt((void *)p, (void *)p,
415 (long)(ep - p),
416 s1, s2, s3,
417 (void *)ivoff, DES_DECRYPT);
418 #endif
419 advance = ivoff - (u_char *)esp + ivlen;
420 break;
421 }
422 #else
423 goto fail;
424 #endif /*HAVE_LIBCRYPTO*/
425
426 case NONE:
427 default:
428 advance = sizeof(struct newesp) + espsecret_xform->replaysize;
429 break;
430 }
431
432 ep = ep - espsecret_xform->authlen;
433 /* sanity check for pad length */
434 if (ep - bp < *(ep - 2))
435 goto fail;
436
437 if (padlen)
438 *padlen = *(ep - 2) + 2;
439
440 if (nhdr)
441 *nhdr = *(ep - 1);
442
443 printf(": ");
444 return advance;
445
446 fail:
447 if (nhdr)
448 *nhdr = -1;
449 return 65536;
450 }
[mirror] the TCPdump network dissector