X-Git-Url: https://git.tcpdump.org/tcpdump/blobdiff_plain/77328e886b32610405b0d20bdba7fa2328acaf35..refs/pull/1034/head:/print-esp.c diff --git a/print-esp.c b/print-esp.c index 91d394ff..2cee0889 100644 --- a/print-esp.c +++ b/print-esp.c @@ -45,10 +45,14 @@ #endif #include "netdissect.h" -#include "strtoaddr.h" #include "extract.h" +#include "diag-control.h" + +#ifdef HAVE_LIBCRYPTO +#include "strtoaddr.h" #include "ascii_strcasecmp.h" +#endif #include "ip.h" #include "ip6.h" @@ -234,7 +238,7 @@ do_decrypt(netdissect_options *ndo, const char *caller, struct sa_list *sa, * we can't decrypt on top of the input buffer. */ ptlen = ctlen; - pt = (u_char *)malloc(ptlen); + pt = (u_char *)calloc(1, ptlen); if (pt == NULL) { EVP_CIPHER_CTX_free(ctx); (*ndo->ndo_error)(ndo, S_ERR_ND_MEM_ALLOC, @@ -276,8 +280,8 @@ do_decrypt(netdissect_options *ndo, const char *caller, struct sa_list *sa, * dissecting anything in it and before it does any dissection of * anything in the old buffer. That will free the new buffer. */ -USES_APPLE_DEPRECATED_API -int esp_print_decrypt_buffer_by_ikev2(netdissect_options *ndo, +DIAG_OFF_DEPRECATION +int esp_decrypt_buffer_by_ikev2_print(netdissect_options *ndo, int initiator, const u_char spii[8], const u_char spir[8], @@ -315,7 +319,7 @@ int esp_print_decrypt_buffer_by_ikev2(netdissect_options *ndo, if(end <= ct) return 0; - pt = do_decrypt(ndo, "esp_print_decrypt_buffer_by_ikev2", sa, iv, + pt = do_decrypt(ndo, __func__, sa, iv, ct, ctlen); if (pt == NULL) return 0; @@ -325,17 +329,18 @@ int esp_print_decrypt_buffer_by_ikev2(netdissect_options *ndo, * on the buffer stack so it can be freed; our caller must * pop it when done. */ - if (!nd_push_buffer(ndo, pt, pt, pt + ctlen)) { + if (!nd_push_buffer(ndo, pt, pt, ctlen)) { free(pt); - return 0; + (*ndo->ndo_error)(ndo, S_ERR_ND_MEM_ALLOC, + "%s: can't push buffer on buffer stack", __func__); } return 1; } -USES_APPLE_RST +DIAG_ON_DEPRECATION static void esp_print_addsa(netdissect_options *ndo, - struct sa_list *sa, int sa_def) + const struct sa_list *sa, int sa_def) { /* copy the "sa" */ @@ -345,7 +350,7 @@ static void esp_print_addsa(netdissect_options *ndo, nsa = (struct sa_list *)malloc(sizeof(struct sa_list)); if (nsa == NULL) (*ndo->ndo_error)(ndo, S_ERR_ND_MEM_ALLOC, - "esp_print_addsa: malloc"); + "%s: malloc", __func__); *nsa = *sa; @@ -382,10 +387,9 @@ static u_int hex2byte(netdissect_options *ndo, char *hexstring) /* * returns size of binary, 0 on failure. */ -static -int espprint_decode_hex(netdissect_options *ndo, - u_char *binbuf, unsigned int binbuf_len, - char *hex) +static int +espprint_decode_hex(netdissect_options *ndo, + u_char *binbuf, unsigned int binbuf_len, char *hex) { unsigned int len; int i; @@ -411,7 +415,7 @@ int espprint_decode_hex(netdissect_options *ndo, * decode the form: SPINUM@IP ALGONAME:0xsecret */ -USES_APPLE_DEPRECATED_API +DIAG_OFF_DEPRECATION static int espprint_decode_encalgo(netdissect_options *ndo, char *decode, struct sa_list *sa) @@ -476,7 +480,7 @@ espprint_decode_encalgo(netdissect_options *ndo, return 1; } -USES_APPLE_RST +DIAG_ON_DEPRECATION /* * for the moment, ignore the auth algorithm, just hard code the authenticator @@ -601,8 +605,8 @@ static void esp_print_decode_onesecret(netdissect_options *ndo, char *line, secretfile = fopen(filename, FOPEN_READ_TXT); if (secretfile == NULL) { (*ndo->ndo_error)(ndo, S_ERR_ND_OPEN_FILE, - "print_esp: can't open %s: %s\n", - filename, strerror(errno)); + "%s: can't open %s: %s\n", + __func__, filename, strerror(errno)); } while (fgets(fileline, sizeof(fileline)-1, secretfile) != NULL) { @@ -668,7 +672,7 @@ static void esp_print_decode_onesecret(netdissect_options *ndo, char *line, esp_print_addsa(ndo, &sa1, sa_def); } -USES_APPLE_DEPRECATED_API +DIAG_OFF_DEPRECATION static void esp_init(netdissect_options *ndo _U_) { /* @@ -681,9 +685,9 @@ static void esp_init(netdissect_options *ndo _U_) #endif EVP_add_cipher_alias(SN_des_ede3_cbc, "3des"); } -USES_APPLE_RST +DIAG_ON_DEPRECATION -void esp_print_decodesecret(netdissect_options *ndo) +void esp_decodesecret_print(netdissect_options *ndo) { char *line; char *p; @@ -718,7 +722,7 @@ void esp_print_decodesecret(netdissect_options *ndo) #endif #ifdef HAVE_LIBCRYPTO -USES_APPLE_DEPRECATED_API +DIAG_OFF_DEPRECATION #endif void esp_print(netdissect_options *ndo, @@ -758,12 +762,12 @@ esp_print(netdissect_options *ndo, ND_PRINT(", length %u", length); #ifdef HAVE_LIBCRYPTO - /* initiailize SAs */ + /* initialize SAs */ if (ndo->ndo_sa_list_head == NULL) { if (!ndo->ndo_espsecret) return; - esp_print_decodesecret(ndo); + esp_decodesecret_print(ndo); } if (ndo->ndo_sa_list_head == NULL) @@ -866,7 +870,7 @@ esp_print(netdissect_options *ndo, return; } - pt = do_decrypt(ndo, "esp_print", sa, iv, ct, payloadlen); + pt = do_decrypt(ndo, __func__, sa, iv, ct, payloadlen); if (pt == NULL) return; @@ -874,11 +878,10 @@ esp_print(netdissect_options *ndo, * Switch to the output buffer for dissection, and * save it on the buffer stack so it can be freed. */ - ep = pt + payloadlen; - if (!nd_push_buffer(ndo, pt, pt, ep)) { + if (!nd_push_buffer(ndo, pt, pt, payloadlen)) { free(pt); (*ndo->ndo_error)(ndo, S_ERR_ND_MEM_ALLOC, - "esp_print: can't push buffer on buffer stack"); + "%s: can't push buffer on buffer stack", __func__); } /* @@ -890,25 +893,36 @@ esp_print(netdissect_options *ndo, * it was not decrypted with the correct key, so that the * "plaintext" is not what was being sent. */ - padlen = GET_U_1(ep - 2); + padlen = GET_U_1(pt + payloadlen - 2); if (padlen + 2 > payloadlen) { nd_print_trunc(ndo); return; } /* Get the next header */ - nh = GET_U_1(ep - 1); + nh = GET_U_1(pt + payloadlen - 1); ND_PRINT(": "); + /* + * Don't put padding + padding length(1 byte) + next header(1 byte) + * in the buffer because they are not part of the plaintext to decode. + */ + if (!nd_push_snaplen(ndo, pt, payloadlen - (padlen + 2))) { + (*ndo->ndo_error)(ndo, S_ERR_ND_MEM_ALLOC, + "%s: can't push snaplen on buffer stack", __func__); + } + /* Now dissect the plaintext. */ - ip_print_demux(ndo, pt, payloadlen - (padlen + 2), ver, fragmented, - ttl_hl, nh, bp2); + ip_demux_print(ndo, pt, payloadlen - (padlen + 2), ver, fragmented, + ttl_hl, nh, bp2); /* Pop the buffer, freeing it. */ nd_pop_packet_info(ndo); + /* Pop the nd_push_snaplen */ + nd_pop_packet_info(ndo); #endif } #ifdef HAVE_LIBCRYPTO -USES_APPLE_RST +DIAG_ON_DEPRECATION #endif