]> The Tcpdump Group git mirrors - tcpdump/blob - print-esp.c
projects / tcpdump / blob
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Define HAVE_PCAP_DUMP_FLUSH, as the current CVS version of WinPcap has
[tcpdump] / print-esp.c
1 /* $NetBSD: print-ah.c,v 1.4 1996/05/20 00:41:16 fvdl Exp $ */
2
3 /*
4 * Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994
5 * The Regents of the University of California. All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that: (1) source code distributions
9 * retain the above copyright notice and this paragraph in its entirety, (2)
10 * distributions including binary code include the above copyright notice and
11 * this paragraph in its entirety in the documentation or other materials
12 * provided with the distribution, and (3) all advertising materials mentioning
13 * features or use of this software display the following acknowledgement:
14 * ``This product includes software developed by the University of California,
15 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
16 * the University nor the names of its contributors may be used to endorse
17 * or promote products derived from this software without specific prior
18 * written permission.
19 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
20 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
21 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
22 */
23
24 #ifndef lint
25 static const char rcsid[] =
26 "@(#) $Header: /tcpdump/master/tcpdump/print-esp.c,v 1.31 2002-12-11 07:13:59 guy Exp $ (LBL)";
27 #endif
28
29 #ifdef HAVE_CONFIG_H
30 #include "config.h"
31 #endif
32
33 #include <string.h>
34
35 #include <tcpdump-stdinc.h>
36
37 #include <stdlib.h>
38
39 #ifdef HAVE_LIBCRYPTO
40 #include <openssl/des.h>
41 #include <openssl/blowfish.h>
42 #ifdef HAVE_OPENSSL_RC5_H
43 #include <openssl/rc5.h>
44 #endif
45 #ifdef HAVE_OPENSSL_CAST_H
46 #include <openssl/cast.h>
47 #endif
48 #endif
49
50 #include <stdio.h>
51
52 #include "ip.h"
53 #include "esp.h"
54 #ifdef INET6
55 #include "ip6.h"
56 #endif
57
58 #define AVOID_CHURN 1
59 #include "interface.h"
60 #include "addrtoname.h"
61 #include "extract.h"
62
63 static struct esp_algorithm *espsecret_xform=NULL; /* cache of decoded alg. */
64 static char *espsecret_key=NULL;
65
66
67 enum cipher { NONE,
68 DESCBC,
69 BLOWFISH,
70 RC5,
71 CAST128,
72 DES3CBC};
73
74
75
76 struct esp_algorithm {
77 const char *name;
78 enum cipher algo;
79 int ivlen;
80 int authlen;
81 int replaysize;
82 };
83
84 struct esp_algorithm esp_xforms[]={
85 {"none", NONE, 0, 0, 0},
86 {"des-cbc", DESCBC, 8, 0, 0},
87 {"des-cbc-hmac96", DESCBC, 8, 12, 4},
88 {"blowfish-cbc", BLOWFISH,8, 0, 0},
89 {"blowfish-cbc-hmac96", BLOWFISH,8, 12, 4},
90 {"rc5-cbc", RC5, 8, 0, 0},
91 {"rc5-cbc-hmac96", RC5, 8, 12, 4},
92 {"cast128-cbc", CAST128, 8, 0, 0},
93 {"cast128-cbc-hmac96", CAST128, 8, 12, 4},
94 {"3des-cbc-hmac96", DES3CBC, 8, 12, 4},
95 {NULL, NONE, 0, 0, 0}
96 };
97
98 static int hexdigit(char hex)
99 {
100 if(hex >= '0' && hex <= '9') {
101 return (hex - '0');
102 } else if(hex >= 'A' && hex <= 'F') {
103 return (hex - 'A' + 10);
104 } else if(hex >= 'a' && hex <= 'f') {
105 return (hex - 'a' + 10);
106 } else {
107 printf("invalid hex digit %c in espsecret\n", hex);
108 return 0;
109 }
110 }
111
112 static int hex2byte(char *hexstring)
113 {
114 int byte;
115
116 byte = (hexdigit(hexstring[0]) << 4) +
117 hexdigit(hexstring[1]);
118 return byte;
119 }
120
121
122 static void esp_print_decodesecret(void)
123 {
124 char *colon;
125 int len, i;
126 struct esp_algorithm *xf;
127 struct esp_algorithm *null_xf =
128 &esp_xforms[sizeof(esp_xforms)/sizeof(esp_xforms[0]) - 1];
129
130 if(espsecret == NULL) {
131 /* set to NULL transform */
132 espsecret_xform = null_xf;
133 return;
134 }
135
136 if(espsecret_key != NULL) {
137 return;
138 }
139
140 colon = strchr(espsecret, ':');
141 if(colon == NULL) {
142 printf("failed to decode espsecret: %s\n",
143 espsecret);
144 /* set to NULL transform */
145 espsecret_xform = null_xf;
146 return;
147 }
148
149 len = colon - espsecret;
150 xf = esp_xforms;
151 while(xf->name && strncasecmp(espsecret, xf->name, len)!=0) {
152 xf++;
153 }
154 if(xf->name == NULL) {
155 printf("failed to find cipher algo %s\n",
156 espsecret);
157 /* set to NULL transform */
158 espsecret_xform = null_xf;
159 return;
160 }
161 espsecret_xform = xf;
162
163 colon++;
164 if(colon[0]=='0' && colon[1]=='x') {
165 /* decode some hex! */
166 colon+=2;
167 len = strlen(colon) / 2;
168 espsecret_key = (char *)malloc(len);
169 if(espsecret_key == NULL) {
170 fprintf(stderr, "%s: ran out of memory (%d) to allocate secret key\n",
171 program_name, len);
172 exit(2);
173 }
174 i = 0;
175 while(colon[0] != '\0' && colon[1]!='\0') {
176 espsecret_key[i]=hex2byte(colon);
177 colon+=2;
178 i++;
179 }
180 } else {
181 espsecret_key = colon;
182 }
183 }
184
185 int
186 esp_print(register const u_char *bp, register const u_char *bp2,
187 int *nhdr, int *padlen)
188 {
189 register const struct newesp *esp;
190 register const u_char *ep;
191 struct ip *ip = NULL;
192 #ifdef INET6
193 struct ip6_hdr *ip6 = NULL;
194 #endif
195 int advance;
196 int len;
197 char *secret;
198 int ivlen = 0;
199 u_char *ivoff;
200 #ifdef HAVE_LIBCRYPTO
201 u_char *p;
202 #endif
203
204 esp = (struct newesp *)bp;
205 secret = NULL;
206
207 #if 0
208 /* keep secret out of a register */
209 p = (u_char *)&secret;
210 #endif
211
212 /* 'ep' points to the end of available data. */
213 ep = snapend;
214
215 if ((u_char *)(esp + 1) >= ep) {
216 fputs("[|ESP]", stdout);
217 goto fail;
218 }
219 printf("ESP(spi=0x%08x", EXTRACT_32BITS(&esp->esp_spi));
220 printf(",seq=0x%x", EXTRACT_32BITS(&esp->esp_seq));
221 printf(")");
222
223 /* if we don't have decryption key, we can't decrypt this packet. */
224 if (!espsecret)
225 goto fail;
226
227 if(!espsecret_xform) {
228 esp_print_decodesecret();
229 }
230 if(espsecret_xform->name == NULL) {
231 goto fail;
232 }
233
234 ip = (struct ip *)bp2;
235 switch (IP_V(ip)) {
236 #ifdef INET6
237 case 6:
238 ip6 = (struct ip6_hdr *)bp2;
239 ip = NULL;
240 /* we do not attempt to decrypt jumbograms */
241 if (!EXTRACT_16BITS(&ip6->ip6_plen))
242 goto fail;
243 /* if we can't get nexthdr, we do not need to decrypt it */
244 len = sizeof(struct ip6_hdr) + EXTRACT_16BITS(&ip6->ip6_plen);
245 break;
246 #endif /*INET6*/
247 case 4:
248 /* nexthdr & padding are in the last fragment */
249 if (EXTRACT_16BITS(&ip->ip_off) & IP_MF)
250 goto fail;
251 #ifdef INET6
252 ip6 = NULL;
253 #endif
254 len = EXTRACT_16BITS(&ip->ip_len);
255 break;
256 default:
257 goto fail;
258 }
259
260 /* if we can't get nexthdr, we do not need to decrypt it */
261 if (ep - bp2 < len)
262 goto fail;
263 if (ep - bp2 > len) {
264 /* FCS included at end of frame (NetBSD 1.6 or later) */
265 ep = bp2 + len;
266 }
267
268 ivoff = (u_char *)(esp + 1) + espsecret_xform->replaysize;
269 ivlen = espsecret_xform->ivlen;
270 secret = espsecret_key;
271
272 switch (espsecret_xform->algo) {
273 case DESCBC:
274 #ifdef HAVE_LIBCRYPTO
275 {
276 u_char iv[8];
277 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
278 DES_key_schedule schedule;
279 #else
280 des_key_schedule schedule;
281 #endif
282
283 switch (ivlen) {
284 case 4:
285 memcpy(iv, ivoff, 4);
286 memcpy(&iv[4], ivoff, 4);
287 p = &iv[4];
288 *p++ ^= 0xff;
289 *p++ ^= 0xff;
290 *p++ ^= 0xff;
291 *p++ ^= 0xff;
292 break;
293 case 8:
294 memcpy(iv, ivoff, 8);
295 break;
296 default:
297 goto fail;
298 }
299 p = ivoff + ivlen;
300
301 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
302 DES_set_key_unchecked((DES_cblock *)secret, schedule);
303
304 DES_cbc_encrypt((const unsigned char *)p, p,
305 (long)(ep - p), schedule, (DES_cblock *)iv,
306 DES_DECRYPT);
307 #else
308 des_check_key = 0;
309 des_set_key((void *)secret, schedule);
310
311 des_cbc_encrypt((void *)p, (void *)p,
312 (long)(ep - p), schedule, (void *)iv,
313 DES_DECRYPT);
314 #endif
315 advance = ivoff - (u_char *)esp + ivlen;
316 break;
317 }
318 #else
319 goto fail;
320 #endif /*HAVE_LIBCRYPTO*/
321
322 case BLOWFISH:
323 #ifdef HAVE_LIBCRYPTO
324 {
325 BF_KEY schedule;
326
327 BF_set_key(&schedule, strlen(secret), secret);
328
329 p = ivoff + ivlen;
330 BF_cbc_encrypt(p, p, (long)(ep - p), &schedule, ivoff,
331 BF_DECRYPT);
332 advance = ivoff - (u_char *)esp + ivlen;
333 break;
334 }
335 #else
336 goto fail;
337 #endif /*HAVE_LIBCRYPTO*/
338
339 case RC5:
340 #if defined(HAVE_LIBCRYPTO) && defined(HAVE_RC5_H)
341 {
342 RC5_32_KEY schedule;
343
344 RC5_32_set_key(&schedule, strlen(secret), secret,
345 RC5_16_ROUNDS);
346
347 p = ivoff + ivlen;
348 RC5_32_cbc_encrypt(p, p, (long)(ep - p), &schedule, ivoff,
349 RC5_DECRYPT);
350 advance = ivoff - (u_char *)esp + ivlen;
351 break;
352 }
353 #else
354 goto fail;
355 #endif /*HAVE_LIBCRYPTO*/
356
357 case CAST128:
358 #if defined(HAVE_LIBCRYPTO) && defined(HAVE_CAST_H) && !defined(HAVE_BUGGY_CAST128)
359 {
360 CAST_KEY schedule;
361
362 CAST_set_key(&schedule, strlen(secret), secret);
363
364 p = ivoff + ivlen;
365 CAST_cbc_encrypt(p, p, (long)(ep - p), &schedule, ivoff,
366 CAST_DECRYPT);
367 advance = ivoff - (u_char *)esp + ivlen;
368 break;
369 }
370 #else
371 goto fail;
372 #endif /*HAVE_LIBCRYPTO*/
373
374 case DES3CBC:
375 #if defined(HAVE_LIBCRYPTO)
376 {
377 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
378 DES_key_schedule s1, s2, s3;
379
380 DES_set_odd_parity((DES_cblock *)secret);
381 DES_set_odd_parity((DES_cblock *)(secret + 8));
382 DES_set_odd_parity((DES_cblock *)(secret + 16));
383 if(DES_set_key_checked((DES_cblock *)secret, s1) != 0) {
384 printf("failed to schedule key 1\n");
385 }
386 if(DES_set_key_checked((DES_cblock *)(secret + 8), s2)!=0) {
387 printf("failed to schedule key 2\n");
388 }
389 if(DES_set_key_checked((DES_cblock *)(secret + 16), s3)!=0) {
390 printf("failed to schedule key 3\n");
391 }
392
393 p = ivoff + ivlen;
394 DES_ede3_cbc_encrypt((const unsigned char *)p, p,
395 (long)(ep - p),
396 &s1, &s2, &s3,
397 (DES_cblock *)ivoff, DES_DECRYPT);
398 #else
399 des_key_schedule s1, s2, s3;
400
401 des_check_key = 1;
402 des_set_odd_parity((void *)secret);
403 des_set_odd_parity((void *)(secret + 8));
404 des_set_odd_parity((void *)(secret + 16));
405 if(des_set_key((void *)secret, s1) != 0) {
406 printf("failed to schedule key 1\n");
407 }
408 if(des_set_key((void *)(secret + 8), s2)!=0) {
409 printf("failed to schedule key 2\n");
410 }
411 if(des_set_key((void *)(secret + 16), s3)!=0) {
412 printf("failed to schedule key 3\n");
413 }
414
415 p = ivoff + ivlen;
416 des_ede3_cbc_encrypt((void *)p, (void *)p,
417 (long)(ep - p),
418 s1, s2, s3,
419 (void *)ivoff, DES_DECRYPT);
420 #endif
421 advance = ivoff - (u_char *)esp + ivlen;
422 break;
423 }
424 #else
425 goto fail;
426 #endif /*HAVE_LIBCRYPTO*/
427
428 case NONE:
429 default:
430 advance = sizeof(struct newesp) + espsecret_xform->replaysize;
431 break;
432 }
433
434 ep = ep - espsecret_xform->authlen;
435 /* sanity check for pad length */
436 if (ep - bp < *(ep - 2))
437 goto fail;
438
439 if (padlen)
440 *padlen = *(ep - 2) + 2;
441
442 if (nhdr)
443 *nhdr = *(ep - 1);
444
445 printf(": ");
446 return advance;
447
448 fail:
449 if (nhdr)
450 *nhdr = -1;
451 return 65536;
452 }
[mirror] the TCPdump network dissector