X-Git-Url: https://git.tcpdump.org/tcpdump/blobdiff_plain/51a470b91366db5d36eb11feb24cfcdb2f7a5d3e..refs/heads/master:/print-esp.c?ds=inline

diff --git a/print-esp.c b/print-esp.c
index 1e68c9d7..d89fefbe 100644
--- a/print-esp.c
+++ b/print-esp.c
@@ -23,25 +23,15 @@
 
 /* \summary: IPSEC Encapsulating Security Payload (ESP) printer */
 
-#ifdef HAVE_CONFIG_H
 #include <config.h>
-#endif
 
 #include "netdissect-stdinc.h"
 
 #include <string.h>
 #include <stdlib.h>
 
-/* Any code in this file that depends on HAVE_LIBCRYPTO depends on
- * HAVE_OPENSSL_EVP_H too. Undefining the former when the latter isn't defined
- * is the simplest way of handling the dependency.
- */
 #ifdef HAVE_LIBCRYPTO
-#ifdef HAVE_OPENSSL_EVP_H
 #include <openssl/evp.h>
-#else
-#undef HAVE_LIBCRYPTO
-#endif
 #endif
 
 #include "netdissect.h"
@@ -134,10 +124,7 @@ EVP_CIPHER_CTX_new(void)
 {
 	EVP_CIPHER_CTX *ctx;
 
-	ctx = malloc(sizeof(*ctx));
-	if (ctx == NULL)
-		return (NULL);
-	memset(ctx, 0, sizeof(*ctx));
+	ctx = calloc(1, sizeof(*ctx));
 	return (ctx);
 }
 
@@ -238,7 +225,7 @@ do_decrypt(netdissect_options *ndo, const char *caller, struct sa_list *sa,
 	 * we can't decrypt on top of the input buffer.
 	 */
 	ptlen = ctlen;
-	pt = (u_char *)malloc(ptlen);
+	pt = (u_char *)calloc(1, ptlen);
 	if (pt == NULL) {
 		EVP_CIPHER_CTX_free(ctx);
 		(*ndo->ndo_error)(ndo, S_ERR_ND_MEM_ALLOC,
@@ -329,9 +316,10 @@ int esp_decrypt_buffer_by_ikev2_print(netdissect_options *ndo,
 	 * on the buffer stack so it can be freed; our caller must
 	 * pop it when done.
 	 */
-	if (!nd_push_buffer(ndo, pt, pt, pt + ctlen)) {
+	if (!nd_push_buffer(ndo, pt, pt, ctlen)) {
 		free(pt);
-		return 0;
+		(*ndo->ndo_error)(ndo, S_ERR_ND_MEM_ALLOC,
+			"%s: can't push buffer on buffer stack", __func__);
 	}
 
 	return 1;
@@ -361,7 +349,7 @@ static void esp_print_addsa(netdissect_options *ndo,
 }
 
 
-static u_int hexdigit(netdissect_options *ndo, char hex)
+static int hexdigit(netdissect_options *ndo, char hex)
 {
 	if (hex >= '0' && hex <= '9')
 		return (hex - '0');
@@ -370,19 +358,12 @@ static u_int hexdigit(netdissect_options *ndo, char hex)
 	else if (hex >= 'a' && hex <= 'f')
 		return (hex - 'a' + 10);
 	else {
-		(*ndo->ndo_error)(ndo, S_ERR_ND_ESP_SECRET,
-				  "invalid hex digit %c in espsecret\n", hex);
+		(*ndo->ndo_warning)(ndo,
+				    "invalid hex digit %c in espsecret\n", hex);
+		return (-1);
 	}
 }
 
-static u_int hex2byte(netdissect_options *ndo, char *hexstring)
-{
-	u_int byte;
-
-	byte = (hexdigit(ndo, hexstring[0]) << 4) + hexdigit(ndo, hexstring[1]);
-	return byte;
-}
-
 /*
  * returns size of binary, 0 on failure.
  */
@@ -390,19 +371,40 @@ static int
 espprint_decode_hex(netdissect_options *ndo,
 		    u_char *binbuf, unsigned int binbuf_len, char *hex)
 {
-	unsigned int len;
+	size_t len;
 	int i;
 
+	/*
+	 * XXX - fail if the string length isn't a multiple of 2?
+	 */
 	len = strlen(hex) / 2;
 
 	if (len > binbuf_len) {
-		(*ndo->ndo_warning)(ndo, "secret is too big: %u\n", len);
+		(*ndo->ndo_warning)(ndo, "secret is too big: %zu\n", len);
 		return 0;
 	}
 
 	i = 0;
 	while (hex[0] != '\0' && hex[1]!='\0') {
-		binbuf[i] = hex2byte(ndo, hex);
+		int upper_nibble, lower_nibble;
+
+		upper_nibble = hexdigit(ndo, hex[0]);
+		if (upper_nibble < 0) {
+			/*
+			 * Invalid hex digit; a warning has already been
+			 * printed.
+			 */
+			return 0;
+		}
+		lower_nibble = hexdigit(ndo, hex[1]);
+		if (lower_nibble < 0) {
+			/*
+			 * Invalid hex digit; a warning has already been
+			 * printed.
+			 */
+			return 0;
+		}
+		binbuf[i] = (((u_int)upper_nibble) << 4) + (((u_int)lower_nibble) << 0);
 		hex += 2;
 		i++;
 	}
@@ -423,6 +425,7 @@ espprint_decode_encalgo(netdissect_options *ndo,
 	const EVP_CIPHER *evp;
 	int authlen = 0;
 	char *colon, *p;
+	const char *real_decode;
 
 	colon = strchr(decode, ':');
 	if (colon == NULL) {
@@ -443,10 +446,23 @@ espprint_decode_encalgo(netdissect_options *ndo,
 		p = strstr(decode, "-cbc");
 		*p = '\0';
 	}
-	evp = EVP_get_cipherbyname(decode);
+	/*
+	 * Not all versions of libcrypto support calls to add aliases
+	 * to ciphers - newer versions of libressl don't - so, instead
+	 * of making "3des" an alias for "des_ede3_cbc", if attempting
+	 * to get the cipher fails and the name is "3des", we try
+	 * "des_ede3_cbc".
+	 */
+	real_decode = decode;
+	if (strcmp(real_decode, "3des") == 0)
+		real_decode = "des-ede3-cbc";
+	evp = EVP_get_cipherbyname(real_decode);
 
 	if (!evp) {
-		(*ndo->ndo_warning)(ndo, "failed to find cipher algo %s\n", decode);
+		if (decode != real_decode)
+			(*ndo->ndo_warning)(ndo, "failed to find cipher algo %s (%s)\n", real_decode, decode);
+		else
+			(*ndo->ndo_warning)(ndo, "failed to find cipher algo %s\n", decode);
 		sa->evp = NULL;
 		sa->authlen = 0;
 		sa->ivlen = 0;
@@ -682,7 +698,6 @@ static void esp_init(netdissect_options *ndo _U_)
 #if !defined(OPENSSL_API_COMPAT) || OPENSSL_API_COMPAT < 0x10100000L
 	OpenSSL_add_all_algorithms();
 #endif
-	EVP_add_cipher_alias(SN_des_ede3_cbc, "3des");
 }
 DIAG_ON_DEPRECATION
 
@@ -732,8 +747,8 @@ esp_print(netdissect_options *ndo,
 	  u_int ttl_hl USED_IF_LIBCRYPTO)
 {
 	const struct newesp *esp;
-	const u_char *ep;
 #ifdef HAVE_LIBCRYPTO
+	const u_char *ep;
 	const struct ip *ip;
 	struct sa_list *sa = NULL;
 	const struct ip6_hdr *ip6 = NULL;
@@ -749,19 +764,17 @@ esp_print(netdissect_options *ndo,
 	ndo->ndo_protocol = "esp";
 	esp = (const struct newesp *)bp;
 
-	/* 'ep' points to the end of available data. */
-	ep = ndo->ndo_snapend;
+	nd_print_protocol_caps(ndo);
 
-	if ((const u_char *)(esp + 1) >= ep) {
-		nd_print_trunc(ndo);
-		return;
-	}
-	ND_PRINT("ESP(spi=0x%08x", GET_BE_U_4(esp->esp_spi));
+	ND_PRINT("(spi=0x%08x", GET_BE_U_4(esp->esp_spi));
 	ND_PRINT(",seq=0x%x)", GET_BE_U_4(esp->esp_seq));
 	ND_PRINT(", length %u", length);
 
 #ifdef HAVE_LIBCRYPTO
-	/* initiailize SAs */
+	/* 'ep' points to the end of available data. */
+	ep = ndo->ndo_snapend;
+
+	/* initialize SAs */
 	if (ndo->ndo_sa_list_head == NULL) {
 		if (!ndo->ndo_espsecret)
 			return;
@@ -877,8 +890,7 @@ esp_print(netdissect_options *ndo,
 	 * Switch to the output buffer for dissection, and
 	 * save it on the buffer stack so it can be freed.
 	 */
-	ep = pt + payloadlen;
-	if (!nd_push_buffer(ndo, pt, pt, ep)) {
+	if (!nd_push_buffer(ndo, pt, pt, payloadlen)) {
 		free(pt);
 		(*ndo->ndo_error)(ndo, S_ERR_ND_MEM_ALLOC,
 			"%s: can't push buffer on buffer stack", __func__);
@@ -893,14 +905,14 @@ esp_print(netdissect_options *ndo,
 	 * it was not decrypted with the correct key, so that the
 	 * "plaintext" is not what was being sent.
 	 */
-	padlen = GET_U_1(ep - 2);
+	padlen = GET_U_1(pt + payloadlen - 2);
 	if (padlen + 2 > payloadlen) {
 		nd_print_trunc(ndo);
 		return;
 	}
 
 	/* Get the next header */
-	nh = GET_U_1(ep - 1);
+	nh = GET_U_1(pt + payloadlen - 1);
 
 	ND_PRINT(": ");
 
@@ -908,7 +920,10 @@ esp_print(netdissect_options *ndo,
 	 * Don't put padding + padding length(1 byte) + next header(1 byte)
 	 * in the buffer because they are not part of the plaintext to decode.
 	 */
-	nd_push_snapend(ndo, ep - (padlen + 2));
+	if (!nd_push_snaplen(ndo, pt, payloadlen - (padlen + 2))) {
+		(*ndo->ndo_error)(ndo, S_ERR_ND_MEM_ALLOC,
+			"%s: can't push snaplen on buffer stack", __func__);
+	}
 
 	/* Now dissect the plaintext. */
 	ip_demux_print(ndo, pt, payloadlen - (padlen + 2), ver, fragmented,
@@ -916,7 +931,7 @@ esp_print(netdissect_options *ndo,
 
 	/* Pop the buffer, freeing it. */
 	nd_pop_packet_info(ndo);
-	/* Pop the nd_push_snapend */
+	/* Pop the nd_push_snaplen */
 	nd_pop_packet_info(ndo);
 #endif
 }