X-Git-Url: https://git.tcpdump.org/tcpdump/blobdiff_plain/699711dfb3ebdfb063c4718e94ae57d2ed6e3c47..refs/heads/master:/print-esp.c

diff --git a/print-esp.c b/print-esp.c
index 2cee0889..d89fefbe 100644
--- a/print-esp.c
+++ b/print-esp.c
@@ -23,25 +23,15 @@
 
 /* \summary: IPSEC Encapsulating Security Payload (ESP) printer */
 
-#ifdef HAVE_CONFIG_H
 #include <config.h>
-#endif
 
 #include "netdissect-stdinc.h"
 
 #include <string.h>
 #include <stdlib.h>
 
-/* Any code in this file that depends on HAVE_LIBCRYPTO depends on
- * HAVE_OPENSSL_EVP_H too. Undefining the former when the latter isn't defined
- * is the simplest way of handling the dependency.
- */
 #ifdef HAVE_LIBCRYPTO
-#ifdef HAVE_OPENSSL_EVP_H
 #include <openssl/evp.h>
-#else
-#undef HAVE_LIBCRYPTO
-#endif
 #endif
 
 #include "netdissect.h"
@@ -134,10 +124,7 @@ EVP_CIPHER_CTX_new(void)
 {
 	EVP_CIPHER_CTX *ctx;
 
-	ctx = malloc(sizeof(*ctx));
-	if (ctx == NULL)
-		return (NULL);
-	memset(ctx, 0, sizeof(*ctx));
+	ctx = calloc(1, sizeof(*ctx));
 	return (ctx);
 }
 
@@ -362,7 +349,7 @@ static void esp_print_addsa(netdissect_options *ndo,
 }
 
 
-static u_int hexdigit(netdissect_options *ndo, char hex)
+static int hexdigit(netdissect_options *ndo, char hex)
 {
 	if (hex >= '0' && hex <= '9')
 		return (hex - '0');
@@ -371,19 +358,12 @@ static u_int hexdigit(netdissect_options *ndo, char hex)
 	else if (hex >= 'a' && hex <= 'f')
 		return (hex - 'a' + 10);
 	else {
-		(*ndo->ndo_error)(ndo, S_ERR_ND_ESP_SECRET,
-				  "invalid hex digit %c in espsecret\n", hex);
+		(*ndo->ndo_warning)(ndo,
+				    "invalid hex digit %c in espsecret\n", hex);
+		return (-1);
 	}
 }
 
-static u_int hex2byte(netdissect_options *ndo, char *hexstring)
-{
-	u_int byte;
-
-	byte = (hexdigit(ndo, hexstring[0]) << 4) + hexdigit(ndo, hexstring[1]);
-	return byte;
-}
-
 /*
  * returns size of binary, 0 on failure.
  */
@@ -391,19 +371,40 @@ static int
 espprint_decode_hex(netdissect_options *ndo,
 		    u_char *binbuf, unsigned int binbuf_len, char *hex)
 {
-	unsigned int len;
+	size_t len;
 	int i;
 
+	/*
+	 * XXX - fail if the string length isn't a multiple of 2?
+	 */
 	len = strlen(hex) / 2;
 
 	if (len > binbuf_len) {
-		(*ndo->ndo_warning)(ndo, "secret is too big: %u\n", len);
+		(*ndo->ndo_warning)(ndo, "secret is too big: %zu\n", len);
 		return 0;
 	}
 
 	i = 0;
 	while (hex[0] != '\0' && hex[1]!='\0') {
-		binbuf[i] = hex2byte(ndo, hex);
+		int upper_nibble, lower_nibble;
+
+		upper_nibble = hexdigit(ndo, hex[0]);
+		if (upper_nibble < 0) {
+			/*
+			 * Invalid hex digit; a warning has already been
+			 * printed.
+			 */
+			return 0;
+		}
+		lower_nibble = hexdigit(ndo, hex[1]);
+		if (lower_nibble < 0) {
+			/*
+			 * Invalid hex digit; a warning has already been
+			 * printed.
+			 */
+			return 0;
+		}
+		binbuf[i] = (((u_int)upper_nibble) << 4) + (((u_int)lower_nibble) << 0);
 		hex += 2;
 		i++;
 	}
@@ -424,6 +425,7 @@ espprint_decode_encalgo(netdissect_options *ndo,
 	const EVP_CIPHER *evp;
 	int authlen = 0;
 	char *colon, *p;
+	const char *real_decode;
 
 	colon = strchr(decode, ':');
 	if (colon == NULL) {
@@ -444,10 +446,23 @@ espprint_decode_encalgo(netdissect_options *ndo,
 		p = strstr(decode, "-cbc");
 		*p = '\0';
 	}
-	evp = EVP_get_cipherbyname(decode);
+	/*
+	 * Not all versions of libcrypto support calls to add aliases
+	 * to ciphers - newer versions of libressl don't - so, instead
+	 * of making "3des" an alias for "des_ede3_cbc", if attempting
+	 * to get the cipher fails and the name is "3des", we try
+	 * "des_ede3_cbc".
+	 */
+	real_decode = decode;
+	if (strcmp(real_decode, "3des") == 0)
+		real_decode = "des-ede3-cbc";
+	evp = EVP_get_cipherbyname(real_decode);
 
 	if (!evp) {
-		(*ndo->ndo_warning)(ndo, "failed to find cipher algo %s\n", decode);
+		if (decode != real_decode)
+			(*ndo->ndo_warning)(ndo, "failed to find cipher algo %s (%s)\n", real_decode, decode);
+		else
+			(*ndo->ndo_warning)(ndo, "failed to find cipher algo %s\n", decode);
 		sa->evp = NULL;
 		sa->authlen = 0;
 		sa->ivlen = 0;
@@ -683,7 +698,6 @@ static void esp_init(netdissect_options *ndo _U_)
 #if !defined(OPENSSL_API_COMPAT) || OPENSSL_API_COMPAT < 0x10100000L
 	OpenSSL_add_all_algorithms();
 #endif
-	EVP_add_cipher_alias(SN_des_ede3_cbc, "3des");
 }
 DIAG_ON_DEPRECATION
 
@@ -733,8 +747,8 @@ esp_print(netdissect_options *ndo,
 	  u_int ttl_hl USED_IF_LIBCRYPTO)
 {
 	const struct newesp *esp;
-	const u_char *ep;
 #ifdef HAVE_LIBCRYPTO
+	const u_char *ep;
 	const struct ip *ip;
 	struct sa_list *sa = NULL;
 	const struct ip6_hdr *ip6 = NULL;
@@ -750,18 +764,16 @@ esp_print(netdissect_options *ndo,
 	ndo->ndo_protocol = "esp";
 	esp = (const struct newesp *)bp;
 
-	/* 'ep' points to the end of available data. */
-	ep = ndo->ndo_snapend;
+	nd_print_protocol_caps(ndo);
 
-	if ((const u_char *)(esp + 1) >= ep) {
-		nd_print_trunc(ndo);
-		return;
-	}
-	ND_PRINT("ESP(spi=0x%08x", GET_BE_U_4(esp->esp_spi));
+	ND_PRINT("(spi=0x%08x", GET_BE_U_4(esp->esp_spi));
 	ND_PRINT(",seq=0x%x)", GET_BE_U_4(esp->esp_seq));
 	ND_PRINT(", length %u", length);
 
 #ifdef HAVE_LIBCRYPTO
+	/* 'ep' points to the end of available data. */
+	ep = ndo->ndo_snapend;
+
 	/* initialize SAs */
 	if (ndo->ndo_sa_list_head == NULL) {
 		if (!ndo->ndo_espsecret)