X-Git-Url: https://git.tcpdump.org/tcpdump/blobdiff_plain/0d2cdb5dad1a983d0e1884497e439efb39c9609d..d7b497cac78b6e22a66a6bae9bdec60a8044f67a:/print-esp.c diff --git a/print-esp.c b/print-esp.c index f2b4ab3c..d71bd23e 100644 --- a/print-esp.c +++ b/print-esp.c @@ -145,6 +145,39 @@ EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx) } #endif +#ifdef HAVE_EVP_CIPHERINIT_EX +/* + * Initialize the cipher by calling EVP_CipherInit_ex(), because + * calling EVP_CipherInit() will reset the cipher context, clearing + * the cipher, so calling it twice, with the second call having a + * null cipher, will clear the already-set cipher. EVP_CipherInit_ex(), + * however, won't reset the cipher context, so you can use it to specify + * the IV oin a second call after a first call to EVP_CipherInit_ex() + * to set the cipher and the key. + * + * XXX - is there some reason why we need to make two calls? + */ +static int +set_cipher_parameters(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, + const unsigned char *key, + const unsigned char *iv, int enc) +{ + return EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, enc); +} +#else +/* + * Initialize the cipher by calling EVP_CipherInit(), because we don't + * have EVP_CipherInit_ex(); we rely on it not trashing the context. + */ +static int +set_cipher_parameters(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, + const unsigned char *key, + const unsigned char *iv, int enc) +{ + return EVP_CipherInit(ctx, cipher, key, iv, enc); +} +#endif + /* * this will adjust ndo_packetp and ndo_snapend to new buffer! */ @@ -190,9 +223,9 @@ int esp_print_decrypt_buffer_by_ikev2(netdissect_options *ndo, ctx = EVP_CIPHER_CTX_new(); if (ctx == NULL) return 0; - if (EVP_CipherInit(ctx, sa->evp, sa->secret, NULL, 0) < 0) + if (set_cipher_parameters(ctx, sa->evp, sa->secret, NULL, 0) < 0) (*ndo->ndo_warning)(ndo, "espkey init failed"); - EVP_CipherInit(ctx, NULL, NULL, iv, 0); + set_cipher_parameters(ctx, NULL, NULL, iv, 0); /* * Allocate a buffer for the decrypted data. * The output buffer must be separate from the input buffer, and @@ -203,6 +236,7 @@ int esp_print_decrypt_buffer_by_ikev2(netdissect_options *ndo, output_buffer = (u_char *)malloc(output_buffer_size); if (output_buffer == NULL) { (*ndo->ndo_warning)(ndo, "can't allocate memory for decryption buffer"); + EVP_CIPHER_CTX_free(ctx); return 0; } EVP_Cipher(ctx, output_buffer, buf, len); @@ -602,12 +636,12 @@ esp_print(netdissect_options *ndo, _U_ #endif , - int *nhdr + u_int *nhdr #ifndef HAVE_LIBCRYPTO _U_ #endif , - int *padlen + u_int *padlen #ifndef HAVE_LIBCRYPTO _U_ #endif @@ -649,8 +683,8 @@ esp_print(netdissect_options *ndo, ND_PRINT((ndo, "[|ESP]")); goto fail; } - ND_PRINT((ndo, "ESP(spi=0x%08x", EXTRACT_32BITS(&esp->esp_spi))); - ND_PRINT((ndo, ",seq=0x%x)", EXTRACT_32BITS(&esp->esp_seq))); + ND_PRINT((ndo, "ESP(spi=0x%08x", EXTRACT_BE_U_4(&esp->esp_spi))); + ND_PRINT((ndo, ",seq=0x%x)", EXTRACT_BE_U_4(&esp->esp_seq))); ND_PRINT((ndo, ", length %u", length)); #ifndef HAVE_LIBCRYPTO @@ -672,14 +706,14 @@ esp_print(netdissect_options *ndo, case 6: ip6 = (const struct ip6_hdr *)bp2; /* we do not attempt to decrypt jumbograms */ - if (!EXTRACT_16BITS(&ip6->ip6_plen)) + if (!EXTRACT_BE_U_2(&ip6->ip6_plen)) goto fail; /* if we can't get nexthdr, we do not need to decrypt it */ - len = sizeof(struct ip6_hdr) + EXTRACT_16BITS(&ip6->ip6_plen); + len = sizeof(struct ip6_hdr) + EXTRACT_BE_U_2(&ip6->ip6_plen); /* see if we can find the SA, and if so, decode it */ for (sa = ndo->ndo_sa_list_head; sa != NULL; sa = sa->next) { - if (sa->spi == EXTRACT_32BITS(&esp->esp_spi) && + if (sa->spi == EXTRACT_BE_U_4(&esp->esp_spi) && sa->daddr_version == 6 && UNALIGNED_MEMCMP(&sa->daddr.in6, &ip6->ip6_dst, sizeof(struct in6_addr)) == 0) { @@ -689,13 +723,13 @@ esp_print(netdissect_options *ndo, break; case 4: /* nexthdr & padding are in the last fragment */ - if (EXTRACT_16BITS(&ip->ip_off) & IP_MF) + if (EXTRACT_BE_U_2(&ip->ip_off) & IP_MF) goto fail; - len = EXTRACT_16BITS(&ip->ip_len); + len = EXTRACT_BE_U_2(&ip->ip_len); /* see if we can find the SA, and if so, decode it */ for (sa = ndo->ndo_sa_list_head; sa != NULL; sa = sa->next) { - if (sa->spi == EXTRACT_32BITS(&esp->esp_spi) && + if (sa->spi == EXTRACT_BE_U_4(&esp->esp_spi) && sa->daddr_version == 4 && UNALIGNED_MEMCMP(&sa->daddr.in4, &ip->ip_dst, sizeof(struct in_addr)) == 0) { @@ -735,11 +769,11 @@ esp_print(netdissect_options *ndo, if (sa->evp) { ctx = EVP_CIPHER_CTX_new(); if (ctx != NULL) { - if (EVP_CipherInit(ctx, sa->evp, secret, NULL, 0) < 0) + if (set_cipher_parameters(ctx, sa->evp, secret, NULL, 0) < 0) (*ndo->ndo_warning)(ndo, "espkey init failed"); p = ivoff; - EVP_CipherInit(ctx, NULL, NULL, p, 0); + set_cipher_parameters(ctx, NULL, NULL, p, 0); len = ep - (p + ivlen); /* @@ -753,6 +787,7 @@ esp_print(netdissect_options *ndo, output_buffer = (u_char *)malloc(output_buffer_size); if (output_buffer == NULL) { (*ndo->ndo_warning)(ndo, "can't allocate memory for decryption buffer"); + EVP_CIPHER_CTX_free(ctx); return -1; } @@ -772,14 +807,14 @@ esp_print(netdissect_options *ndo, advance = sizeof(struct newesp); /* sanity check for pad length */ - if (ep - bp < *(ep - 2)) + if (ep - bp < EXTRACT_U_1(ep - 2)) goto fail; if (padlen) - *padlen = *(ep - 2) + 2; + *padlen = EXTRACT_U_1(ep - 2) + 2; if (nhdr) - *nhdr = *(ep - 1); + *nhdr = EXTRACT_U_1(ep - 1); ND_PRINT((ndo, ": ")); return advance;