X-Git-Url: https://git.tcpdump.org/tcpdump/blobdiff_plain/91e08f888d86fc7bc83732ee216c4ea609691d1c..06df4f81b66c76be479e2dd1e2d18a011410037b:/print-esp.c diff --git a/print-esp.c b/print-esp.c index bdd591ef..52081491 100644 --- a/print-esp.c +++ b/print-esp.c @@ -21,6 +21,8 @@ * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. */ +/* \summary: IPSEC Encapsulating Security Payload (ESP) printer */ + #ifdef HAVE_CONFIG_H #include "config.h" #endif @@ -154,7 +156,8 @@ int esp_print_decrypt_buffer_by_ikev2(netdissect_options *ndo, { struct sa_list *sa; const u_char *iv; - int len; + u_char *buf_mut, *output_buffer; + int len, block_size, cipher_nid, output_buffer_size ; EVP_CIPHER_CTX *ctx; /* initiator arg is any non-zero value */ @@ -189,14 +192,29 @@ int esp_print_decrypt_buffer_by_ikev2(netdissect_options *ndo, if (EVP_CipherInit(ctx, sa->evp, sa->secret, NULL, 0) < 0) (*ndo->ndo_warning)(ndo, "espkey init failed"); EVP_CipherInit(ctx, NULL, NULL, iv, 0); - EVP_Cipher(ctx, buf, buf, len); + + /* We need a block size */ + block_size = EVP_CIPHER_CTX_block_size(ctx); + /* We need the buffer size to be multiple of a block size */ + output_buffer_size = len + (block_size - len % block_size); + output_buffer = (u_char *)calloc(output_buffer_size, sizeof(u_char)); + /* EVP_Cipher output buffer should be different from the input one. + * Also it should be of size that is multiple of cipher block size. */ + EVP_Cipher(ctx, output_buffer, buf, len); EVP_CIPHER_CTX_free(ctx); + buf_mut = (u_char*) buf; + /* Of course this is wrong, because buf is a const buffer, but changing this + * would require more complicated fix. */ + memcpy(buf_mut, output_buffer, len); + free(output_buffer); + ndo->ndo_packetp = buf; ndo->ndo_snapend = end; return 1; + } USES_APPLE_RST @@ -530,8 +548,14 @@ static void esp_print_decode_onesecret(netdissect_options *ndo, char *line, USES_APPLE_DEPRECATED_API static void esp_init(netdissect_options *ndo _U_) { - + /* + * 0.9.6 doesn't appear to define OPENSSL_API_COMPAT, so + * we check whether it's undefined or it's less than the + * value for 1.1.0. + */ +#if !defined(OPENSSL_API_COMPAT) || OPENSSL_API_COMPAT < 0x10100000L OpenSSL_add_all_algorithms(); +#endif EVP_add_cipher_alias(SN_des_ede3_cbc, "3des"); } USES_APPLE_RST @@ -598,6 +622,8 @@ esp_print(netdissect_options *ndo, const u_char *ivoff; const u_char *p; EVP_CIPHER_CTX *ctx; + u_char *buf_mut, *output_buffer; + int block_size, cipher_nid, output_buffer_size; #endif esp = (const struct newesp *)bp; @@ -708,8 +734,19 @@ esp_print(netdissect_options *ndo, p = ivoff; EVP_CipherInit(ctx, NULL, NULL, p, 0); - EVP_Cipher(ctx, p + ivlen, p + ivlen, ep - (p + ivlen)); + len = ep - (p + ivlen); + + /* We need a block size */ + block_size = EVP_CIPHER_CTX_block_size(ctx); + /* We need the buffer size to be multiple of a block size */ + output_buffer_size = len + (block_size - len % block_size); + output_buffer = (u_char *)calloc(output_buffer_size, sizeof(u_char)); + /* EVP_Cipher output buffer should be different from the input one. + * Also it should be of size that is multiple of cipher block size. */ + EVP_Cipher(ctx, output_buffer, p + ivlen, len); EVP_CIPHER_CTX_free(ctx); + memcpy(p + ivlen, output_buffer, len); + free(output_buffer); advance = ivoff - (const u_char *)esp + ivlen; } else advance = sizeof(struct newesp);