]> The Tcpdump Group git mirrors - tcpdump/blob - print-esp.c
projects / tcpdump / blob
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
test of using "file" directive
[tcpdump] / print-esp.c
1 /* $NetBSD: print-ah.c,v 1.4 1996/05/20 00:41:16 fvdl Exp $ */
2
3 /*
4 * Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994
5 * The Regents of the University of California. All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that: (1) source code distributions
9 * retain the above copyright notice and this paragraph in its entirety, (2)
10 * distributions including binary code include the above copyright notice and
11 * this paragraph in its entirety in the documentation or other materials
12 * provided with the distribution, and (3) all advertising materials mentioning
13 * features or use of this software display the following acknowledgement:
14 * ``This product includes software developed by the University of California,
15 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
16 * the University nor the names of its contributors may be used to endorse
17 * or promote products derived from this software without specific prior
18 * written permission.
19 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
20 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
21 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
22 */
23
24 #ifndef lint
25 static const char rcsid[] =
26 "@(#) $Header: /tcpdump/master/tcpdump/print-esp.c,v 1.32 2003-02-05 02:38:45 guy Exp $ (LBL)";
27 #endif
28
29 #ifdef HAVE_CONFIG_H
30 #include "config.h"
31 #endif
32
33 #include <string.h>
34
35 #include <tcpdump-stdinc.h>
36
37 #include <stdlib.h>
38
39 #ifdef HAVE_LIBCRYPTO
40 #include <openssl/des.h>
41 #include <openssl/blowfish.h>
42 #ifdef HAVE_OPENSSL_RC5_H
43 #include <openssl/rc5.h>
44 #endif
45 #ifdef HAVE_OPENSSL_CAST_H
46 #include <openssl/cast.h>
47 #endif
48 #endif
49
50 #include <stdio.h>
51
52 #include "ip.h"
53 #include "esp.h"
54 #ifdef INET6
55 #include "ip6.h"
56 #endif
57
58 #define AVOID_CHURN 1
59 #include "interface.h"
60 #include "addrtoname.h"
61 #include "extract.h"
62
63 static struct esp_algorithm *espsecret_xform=NULL; /* cache of decoded alg. */
64 static char *espsecret_key=NULL;
65 static int espsecret_keylen=0;
66
67
68 enum cipher { NONE,
69 DESCBC,
70 BLOWFISH,
71 RC5,
72 CAST128,
73 DES3CBC};
74
75
76
77 struct esp_algorithm {
78 const char *name;
79 enum cipher algo;
80 int ivlen;
81 int authlen;
82 int replaysize;
83 };
84
85 struct esp_algorithm esp_xforms[]={
86 {"none", NONE, 0, 0, 0},
87 {"des-cbc", DESCBC, 8, 0, 0},
88 {"des-cbc-hmac96", DESCBC, 8, 12, 4},
89 {"blowfish-cbc", BLOWFISH,8, 0, 0},
90 {"blowfish-cbc-hmac96", BLOWFISH,8, 12, 4},
91 {"rc5-cbc", RC5, 8, 0, 0},
92 {"rc5-cbc-hmac96", RC5, 8, 12, 4},
93 {"cast128-cbc", CAST128, 8, 0, 0},
94 {"cast128-cbc-hmac96", CAST128, 8, 12, 4},
95 {"3des-cbc-hmac96", DES3CBC, 8, 12, 4},
96 {NULL, NONE, 0, 0, 0}
97 };
98
99 static int hexdigit(char hex)
100 {
101 if(hex >= '0' && hex <= '9') {
102 return (hex - '0');
103 } else if(hex >= 'A' && hex <= 'F') {
104 return (hex - 'A' + 10);
105 } else if(hex >= 'a' && hex <= 'f') {
106 return (hex - 'a' + 10);
107 } else {
108 printf("invalid hex digit %c in espsecret\n", hex);
109 return 0;
110 }
111 }
112
113 static int hex2byte(char *hexstring)
114 {
115 int byte;
116
117 byte = (hexdigit(hexstring[0]) << 4) +
118 hexdigit(hexstring[1]);
119 return byte;
120 }
121
122
123 static void esp_print_decodesecret(void)
124 {
125 char *colon;
126 int len, i;
127 struct esp_algorithm *xf;
128 struct esp_algorithm *null_xf =
129 &esp_xforms[sizeof(esp_xforms)/sizeof(esp_xforms[0]) - 1];
130
131 if(espsecret == NULL) {
132 /* set to NULL transform */
133 espsecret_xform = null_xf;
134 return;
135 }
136
137 if(espsecret_key != NULL) {
138 return;
139 }
140
141 colon = strchr(espsecret, ':');
142 if(colon == NULL) {
143 printf("failed to decode espsecret: %s\n",
144 espsecret);
145 /* set to NULL transform */
146 espsecret_xform = null_xf;
147 return;
148 }
149
150 len = colon - espsecret;
151 xf = esp_xforms;
152 while(xf->name && strncasecmp(espsecret, xf->name, len)!=0) {
153 xf++;
154 }
155 if(xf->name == NULL) {
156 printf("failed to find cipher algo %s\n",
157 espsecret);
158 /* set to NULL transform */
159 espsecret_xform = null_xf;
160 return;
161 }
162 espsecret_xform = xf;
163
164 colon++;
165 if(colon[0]=='0' && colon[1]=='x') {
166 /* decode some hex! */
167 colon+=2;
168 len = strlen(colon) / 2;
169 espsecret_key = (char *)malloc(len);
170 if(espsecret_key == NULL) {
171 fprintf(stderr, "%s: ran out of memory (%d) to allocate secret key\n",
172 program_name, len);
173 exit(2);
174 }
175 i = 0;
176 while(colon[0] != '\0' && colon[1]!='\0') {
177 espsecret_key[i]=hex2byte(colon);
178 colon+=2;
179 i++;
180 }
181 espsecret_keylen = len;
182 } else {
183 espsecret_key = colon;
184 espsecret_keylen = strlen(colon);
185 }
186 }
187
188 int
189 esp_print(register const u_char *bp, register const u_char *bp2,
190 int *nhdr, int *padlen)
191 {
192 register const struct newesp *esp;
193 register const u_char *ep;
194 struct ip *ip = NULL;
195 #ifdef INET6
196 struct ip6_hdr *ip6 = NULL;
197 #endif
198 int advance;
199 int len;
200 char *secret;
201 int ivlen = 0;
202 u_char *ivoff;
203 #ifdef HAVE_LIBCRYPTO
204 u_char *p;
205 #endif
206
207 esp = (struct newesp *)bp;
208 secret = NULL;
209
210 #if 0
211 /* keep secret out of a register */
212 p = (u_char *)&secret;
213 #endif
214
215 /* 'ep' points to the end of available data. */
216 ep = snapend;
217
218 if ((u_char *)(esp + 1) >= ep) {
219 fputs("[|ESP]", stdout);
220 goto fail;
221 }
222 printf("ESP(spi=0x%08x", EXTRACT_32BITS(&esp->esp_spi));
223 printf(",seq=0x%x", EXTRACT_32BITS(&esp->esp_seq));
224 printf(")");
225
226 /* if we don't have decryption key, we can't decrypt this packet. */
227 if (!espsecret)
228 goto fail;
229
230 if(!espsecret_xform) {
231 esp_print_decodesecret();
232 }
233 if(espsecret_xform->name == NULL) {
234 goto fail;
235 }
236
237 ip = (struct ip *)bp2;
238 switch (IP_V(ip)) {
239 #ifdef INET6
240 case 6:
241 ip6 = (struct ip6_hdr *)bp2;
242 ip = NULL;
243 /* we do not attempt to decrypt jumbograms */
244 if (!EXTRACT_16BITS(&ip6->ip6_plen))
245 goto fail;
246 /* if we can't get nexthdr, we do not need to decrypt it */
247 len = sizeof(struct ip6_hdr) + EXTRACT_16BITS(&ip6->ip6_plen);
248 break;
249 #endif /*INET6*/
250 case 4:
251 /* nexthdr & padding are in the last fragment */
252 if (EXTRACT_16BITS(&ip->ip_off) & IP_MF)
253 goto fail;
254 #ifdef INET6
255 ip6 = NULL;
256 #endif
257 len = EXTRACT_16BITS(&ip->ip_len);
258 break;
259 default:
260 goto fail;
261 }
262
263 /* if we can't get nexthdr, we do not need to decrypt it */
264 if (ep - bp2 < len)
265 goto fail;
266 if (ep - bp2 > len) {
267 /* FCS included at end of frame (NetBSD 1.6 or later) */
268 ep = bp2 + len;
269 }
270
271 ivoff = (u_char *)(esp + 1) + espsecret_xform->replaysize;
272 ivlen = espsecret_xform->ivlen;
273 secret = espsecret_key;
274
275 switch (espsecret_xform->algo) {
276 case DESCBC:
277 #ifdef HAVE_LIBCRYPTO
278 {
279 u_char iv[8];
280 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
281 DES_key_schedule schedule;
282 #else
283 des_key_schedule schedule;
284 #endif
285
286 switch (ivlen) {
287 case 4:
288 memcpy(iv, ivoff, 4);
289 memcpy(&iv[4], ivoff, 4);
290 p = &iv[4];
291 *p++ ^= 0xff;
292 *p++ ^= 0xff;
293 *p++ ^= 0xff;
294 *p++ ^= 0xff;
295 break;
296 case 8:
297 memcpy(iv, ivoff, 8);
298 break;
299 default:
300 goto fail;
301 }
302 p = ivoff + ivlen;
303
304 if (espsecret_keylen != 8)
305 goto fail;
306 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
307 DES_set_key_unchecked((DES_cblock *)secret, schedule);
308
309 DES_cbc_encrypt((const unsigned char *)p, p,
310 (long)(ep - p), schedule, (DES_cblock *)iv,
311 DES_DECRYPT);
312 #else
313 des_check_key = 0;
314 des_set_key((void *)secret, schedule);
315
316 des_cbc_encrypt((void *)p, (void *)p,
317 (long)(ep - p), schedule, (void *)iv,
318 DES_DECRYPT);
319 #endif
320 advance = ivoff - (u_char *)esp + ivlen;
321 break;
322 }
323 #else
324 goto fail;
325 #endif /*HAVE_LIBCRYPTO*/
326
327 case BLOWFISH:
328 #ifdef HAVE_LIBCRYPTO
329 {
330 BF_KEY schedule;
331
332 if (espsecret_keylen < 5 || espsecret_keylen > 56)
333 goto fail;
334 BF_set_key(&schedule, espsecret_keylen, secret);
335
336 p = ivoff + ivlen;
337 BF_cbc_encrypt(p, p, (long)(ep - p), &schedule, ivoff,
338 BF_DECRYPT);
339 advance = ivoff - (u_char *)esp + ivlen;
340 break;
341 }
342 #else
343 goto fail;
344 #endif /*HAVE_LIBCRYPTO*/
345
346 case RC5:
347 #if defined(HAVE_LIBCRYPTO) && defined(HAVE_RC5_H)
348 {
349 RC5_32_KEY schedule;
350
351 if (espsecret_keylen < 5 || espsecret_keylen > 255)
352 goto fail;
353 RC5_32_set_key(&schedule, espsecret_keylen, secret,
354 RC5_16_ROUNDS);
355
356 p = ivoff + ivlen;
357 RC5_32_cbc_encrypt(p, p, (long)(ep - p), &schedule, ivoff,
358 RC5_DECRYPT);
359 advance = ivoff - (u_char *)esp + ivlen;
360 break;
361 }
362 #else
363 goto fail;
364 #endif /*HAVE_LIBCRYPTO*/
365
366 case CAST128:
367 #if defined(HAVE_LIBCRYPTO) && defined(HAVE_CAST_H) && !defined(HAVE_BUGGY_CAST128)
368 {
369 CAST_KEY schedule;
370
371 if (espsecret_keylen < 5 || espsecret_keylen > 16)
372 goto fail;
373 CAST_set_key(&schedule, espsecret_keylen, secret);
374
375 p = ivoff + ivlen;
376 CAST_cbc_encrypt(p, p, (long)(ep - p), &schedule, ivoff,
377 CAST_DECRYPT);
378 advance = ivoff - (u_char *)esp + ivlen;
379 break;
380 }
381 #else
382 goto fail;
383 #endif /*HAVE_LIBCRYPTO*/
384
385 case DES3CBC:
386 #if defined(HAVE_LIBCRYPTO)
387 {
388 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
389 DES_key_schedule s1, s2, s3;
390
391 if (espsecret_keylen != 24)
392 goto fail;
393 DES_set_odd_parity((DES_cblock *)secret);
394 DES_set_odd_parity((DES_cblock *)(secret + 8));
395 DES_set_odd_parity((DES_cblock *)(secret + 16));
396 if(DES_set_key_checked((DES_cblock *)secret, s1) != 0) {
397 printf("failed to schedule key 1\n");
398 }
399 if(DES_set_key_checked((DES_cblock *)(secret + 8), s2)!=0) {
400 printf("failed to schedule key 2\n");
401 }
402 if(DES_set_key_checked((DES_cblock *)(secret + 16), s3)!=0) {
403 printf("failed to schedule key 3\n");
404 }
405
406 p = ivoff + ivlen;
407 DES_ede3_cbc_encrypt((const unsigned char *)p, p,
408 (long)(ep - p),
409 &s1, &s2, &s3,
410 (DES_cblock *)ivoff, DES_DECRYPT);
411 #else
412 des_key_schedule s1, s2, s3;
413
414 if (espsecret_keylen != 24)
415 goto fail;
416 des_check_key = 1;
417 des_set_odd_parity((void *)secret);
418 des_set_odd_parity((void *)(secret + 8));
419 des_set_odd_parity((void *)(secret + 16));
420 if(des_set_key((void *)secret, s1) != 0) {
421 printf("failed to schedule key 1\n");
422 }
423 if(des_set_key((void *)(secret + 8), s2)!=0) {
424 printf("failed to schedule key 2\n");
425 }
426 if(des_set_key((void *)(secret + 16), s3)!=0) {
427 printf("failed to schedule key 3\n");
428 }
429
430 p = ivoff + ivlen;
431 des_ede3_cbc_encrypt((void *)p, (void *)p,
432 (long)(ep - p),
433 s1, s2, s3,
434 (void *)ivoff, DES_DECRYPT);
435 #endif
436 advance = ivoff - (u_char *)esp + ivlen;
437 break;
438 }
439 #else
440 goto fail;
441 #endif /*HAVE_LIBCRYPTO*/
442
443 case NONE:
444 default:
445 advance = sizeof(struct newesp) + espsecret_xform->replaysize;
446 break;
447 }
448
449 ep = ep - espsecret_xform->authlen;
450 /* sanity check for pad length */
451 if (ep - bp < *(ep - 2))
452 goto fail;
453
454 if (padlen)
455 *padlen = *(ep - 2) + 2;
456
457 if (nhdr)
458 *nhdr = *(ep - 1);
459
460 printf(": ");
461 return advance;
462
463 fail:
464 if (nhdr)
465 *nhdr = -1;
466 return 65536;
467 }
[mirror] the TCPdump network dissector