1 /*        NetBSD: print-ah.c,v 1.4 1996/05/20 00:41:16 fvdl Exp       */
2 
3 /*
4  * Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994
5  *        The Regents of the University of California.  All rights reserved.
6  *
7  * Redistribution and use in source and binary forms, with or without
8  * modification, are permitted provided that: (1) source code distributions
9  * retain the above copyright notice and this paragraph in its entirety, (2)
10  * distributions including binary code include the above copyright notice and
11  * this paragraph in its entirety in the documentation or other materials
12  * provided with the distribution, and (3) all advertising materials mentioning
13  * features or use of this software display the following acknowledgement:
14  * ``This product includes software developed by the University of California,
15  * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
16  * the University nor the names of its contributors may be used to endorse
17  * or promote products derived from this software without specific prior
18  * written permission.
19  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
20  * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
21  * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
22  */
23 
24 #include <sys/cdefs.h>
25 #ifndef lint
26 __RCSID("$NetBSD: print-esp.c,v 1.13 2024/09/02 16:15:31 christos Exp $");
27 #endif
28 
29 /* \summary: IPSEC Encapsulating Security Payload (ESP) printer */
30 
31 #include <config.h>
32 
33 #include "netdissect-stdinc.h"
34 
35 #include <string.h>
36 #include <stdlib.h>
37 
38 #ifdef HAVE_LIBCRYPTO
39 #include <openssl/evp.h>
40 #endif
41 
42 #include "netdissect.h"
43 #include "extract.h"
44 
45 #include "diag-control.h"
46 
47 #ifdef HAVE_LIBCRYPTO
48 #include "strtoaddr.h"
49 #include "ascii_strcasecmp.h"
50 #endif
51 
52 #include "ip.h"
53 #include "ip6.h"
54 
55 /*
56  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
57  * All rights reserved.
58  *
59  * Redistribution and use in source and binary forms, with or without
60  * modification, are permitted provided that the following conditions
61  * are met:
62  * 1. Redistributions of source code must retain the above copyright
63  *    notice, this list of conditions and the following disclaimer.
64  * 2. Redistributions in binary form must reproduce the above copyright
65  *    notice, this list of conditions and the following disclaimer in the
66  *    documentation and/or other materials provided with the distribution.
67  * 3. Neither the name of the project nor the names of its contributors
68  *    may be used to endorse or promote products derived from this software
69  *    without specific prior written permission.
70  *
71  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
72  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
73  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
74  * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
75  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
76  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
77  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
78  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
79  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
80  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
81  * SUCH DAMAGE.
82  */
83 
84 /*
85  * RFC1827/2406 Encapsulated Security Payload.
86  */
87 
88 struct newesp {
89           nd_uint32_t         esp_spi;  /* ESP */
90           nd_uint32_t         esp_seq;  /* Sequence number */
91           /*variable size*/             /* (IV and) Payload data */
92           /*variable size*/             /* padding */
93           /*8bit*/                      /* pad size */
94           /*8bit*/                      /* next header */
95           /*8bit*/                      /* next header */
96           /*variable size, 32bit bound*/          /* Authentication data */
97 };
98 
99 #ifdef HAVE_LIBCRYPTO
100 union inaddr_u {
101           nd_ipv4 in4;
102           nd_ipv6 in6;
103 };
104 struct sa_list {
105           struct sa_list      *next;
106           u_int               daddr_version;
107           union inaddr_u      daddr;
108           uint32_t  spi;          /* if == 0, then IKEv2 */
109           int             initiator;
110           u_char          spii[8];      /* for IKEv2 */
111           u_char          spir[8];
112           const EVP_CIPHER *evp;
113           u_int               ivlen;
114           int                 authlen;
115           u_char          authsecret[256];
116           int             authsecret_len;
117           u_char              secret[256];  /* is that big enough for all secrets? */
118           int                 secretlen;
119 };
120 
121 #ifndef HAVE_EVP_CIPHER_CTX_NEW
122 /*
123  * Allocate an EVP_CIPHER_CTX.
124  * Used if we have an older version of OpenSSL that doesn't provide
125  * routines to allocate and free them.
126  */
127 static EVP_CIPHER_CTX *
EVP_CIPHER_CTX_new(void)128 EVP_CIPHER_CTX_new(void)
129 {
130           EVP_CIPHER_CTX *ctx;
131 
132           ctx = malloc(sizeof(*ctx));
133           if (ctx == NULL)
134                     return (NULL);
135           memset(ctx, 0, sizeof(*ctx));
136           return (ctx);
137 }
138 
139 static void
EVP_CIPHER_CTX_free(EVP_CIPHER_CTX * ctx)140 EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx)
141 {
142           EVP_CIPHER_CTX_cleanup(ctx);
143           free(ctx);
144 }
145 #endif
146 
147 #ifdef HAVE_EVP_DECRYPTINIT_EX
148 /*
149  * Initialize the cipher by calling EVP_DecryptInit_ex(), because
150  * calling EVP_DecryptInit() will reset the cipher context, clearing
151  * the cipher, so calling it twice, with the second call having a
152  * null cipher, will clear the already-set cipher.  EVP_DecryptInit_ex(),
153  * however, won't reset the cipher context, so you can use it to specify
154  * the IV in a second call after a first call to EVP_DecryptInit_ex()
155  * to set the cipher and the key.
156  *
157  * XXX - is there some reason why we need to make two calls?
158  */
159 static int
set_cipher_parameters(EVP_CIPHER_CTX * ctx,const EVP_CIPHER * cipher,const unsigned char * key,const unsigned char * iv)160 set_cipher_parameters(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
161                           const unsigned char *key,
162                           const unsigned char *iv)
163 {
164           return EVP_DecryptInit_ex(ctx, cipher, NULL, key, iv);
165 }
166 #else
167 /*
168  * Initialize the cipher by calling EVP_DecryptInit(), because we don't
169  * have EVP_DecryptInit_ex(); we rely on it not trashing the context.
170  */
171 static int
set_cipher_parameters(EVP_CIPHER_CTX * ctx,const EVP_CIPHER * cipher,const unsigned char * key,const unsigned char * iv)172 set_cipher_parameters(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
173                           const unsigned char *key,
174                           const unsigned char *iv)
175 {
176           return EVP_DecryptInit(ctx, cipher, key, iv);
177 }
178 #endif
179 
180 static u_char *
do_decrypt(netdissect_options * ndo,const char * caller,struct sa_list * sa,const u_char * iv,const u_char * ct,unsigned int ctlen)181 do_decrypt(netdissect_options *ndo, const char *caller, struct sa_list *sa,
182     const u_char *iv, const u_char *ct, unsigned int ctlen)
183 {
184           EVP_CIPHER_CTX *ctx;
185           unsigned int block_size;
186           unsigned int ptlen;
187           u_char *pt;
188           int len;
189 
190           ctx = EVP_CIPHER_CTX_new();
191           if (ctx == NULL) {
192                     /*
193                      * Failed to initialize the cipher context.
194                      * From a look at the OpenSSL code, this appears to
195                      * mean "couldn't allocate memory for the cipher context";
196                      * note that we're not passing any parameters, so there's
197                      * not much else it can mean.
198                      */
199                     (*ndo->ndo_error)(ndo, S_ERR_ND_MEM_ALLOC,
200                         "%s: can't allocate memory for cipher context", caller);
201                     return NULL;
202           }
203 
204           if (set_cipher_parameters(ctx, sa->evp, sa->secret, NULL) < 0) {
205                     EVP_CIPHER_CTX_free(ctx);
206                     (*ndo->ndo_warning)(ndo, "%s: espkey init failed", caller);
207                     return NULL;
208           }
209           if (set_cipher_parameters(ctx, NULL, NULL, iv) < 0) {
210                     EVP_CIPHER_CTX_free(ctx);
211                     (*ndo->ndo_warning)(ndo, "%s: IV init failed", caller);
212                     return NULL;
213           }
214 
215           /*
216            * At least as I read RFC 5996 section 3.14 and RFC 4303 section 2.4,
217            * if the cipher has a block size of which the ciphertext's size must
218            * be a multiple, the payload must be padded to make that happen, so
219            * the ciphertext length must be a multiple of the block size.  Fail
220            * if that's not the case.
221            */
222           block_size = (unsigned int)EVP_CIPHER_CTX_block_size(ctx);
223           if ((ctlen % block_size) != 0) {
224                     EVP_CIPHER_CTX_free(ctx);
225                     (*ndo->ndo_warning)(ndo,
226                         "%s: ciphertext size %u is not a multiple of the cipher block size %u",
227                         caller, ctlen, block_size);
228                     return NULL;
229           }
230 
231           /*
232            * Attempt to allocate a buffer for the decrypted data, because
233            * we can't decrypt on top of the input buffer.
234            */
235           ptlen = ctlen;
236           pt = (u_char *)calloc(1, ptlen);
237           if (pt == NULL) {
238                     EVP_CIPHER_CTX_free(ctx);
239                     (*ndo->ndo_error)(ndo, S_ERR_ND_MEM_ALLOC,
240                         "%s: can't allocate memory for decryption buffer", caller);
241                     return NULL;
242           }
243 
244           /*
245            * The size of the ciphertext handed to us is a multiple of the
246            * cipher block size, so we don't need to worry about padding.
247            */
248           if (!EVP_CIPHER_CTX_set_padding(ctx, 0)) {
249                     free(pt);
250                     EVP_CIPHER_CTX_free(ctx);
251                     (*ndo->ndo_warning)(ndo,
252                         "%s: EVP_CIPHER_CTX_set_padding failed", caller);
253                     return NULL;
254           }
255           if (!EVP_DecryptUpdate(ctx, pt, &len, ct, ctlen)) {
256                     free(pt);
257                     EVP_CIPHER_CTX_free(ctx);
258                     (*ndo->ndo_warning)(ndo, "%s: EVP_DecryptUpdate failed",
259                         caller);
260                     return NULL;
261           }
262           EVP_CIPHER_CTX_free(ctx);
263           return pt;
264 }
265 
266 /*
267  * This will allocate a new buffer containing the decrypted data.
268  * It returns 1 on success and 0 on failure.
269  *
270  * It will push the new buffer and the values of ndo->ndo_packetp and
271  * ndo->ndo_snapend onto the buffer stack, and change ndo->ndo_packetp
272  * and ndo->ndo_snapend to refer to the new buffer.
273  *
274  * Our caller must pop the buffer off the stack when it's finished
275  * dissecting anything in it and before it does any dissection of
276  * anything in the old buffer.  That will free the new buffer.
277  */
278 DIAG_OFF_DEPRECATION
esp_decrypt_buffer_by_ikev2_print(netdissect_options * ndo,int initiator,const u_char spii[8],const u_char spir[8],const u_char * buf,const u_char * end)279 int esp_decrypt_buffer_by_ikev2_print(netdissect_options *ndo,
280                                               int initiator,
281                                               const u_char spii[8],
282                                               const u_char spir[8],
283                                               const u_char *buf, const u_char *end)
284 {
285           struct sa_list *sa;
286           const u_char *iv;
287           const u_char *ct;
288           unsigned int ctlen;
289           u_char *pt;
290 
291           /* initiator arg is any non-zero value */
292           if(initiator) initiator=1;
293 
294           /* see if we can find the SA, and if so, decode it */
295           for (sa = ndo->ndo_sa_list_head; sa != NULL; sa = sa->next) {
296                     if (sa->spi == 0
297                         && initiator == sa->initiator
298                         && memcmp(spii, sa->spii, 8) == 0
299                         && memcmp(spir, sa->spir, 8) == 0)
300                               break;
301           }
302 
303           if(sa == NULL) return 0;
304           if(sa->evp == NULL) return 0;
305 
306           /*
307            * remove authenticator, and see if we still have something to
308            * work with
309            */
310           end = end - sa->authlen;
311           iv  = buf;
312           ct = iv + sa->ivlen;
313           ctlen = end-ct;
314 
315           if(end <= ct) return 0;
316 
317           pt = do_decrypt(ndo, __func__, sa, iv,
318               ct, ctlen);
319           if (pt == NULL)
320                     return 0;
321 
322           /*
323            * Switch to the output buffer for dissection, and save it
324            * on the buffer stack so it can be freed; our caller must
325            * pop it when done.
326            */
327           if (!nd_push_buffer(ndo, pt, pt, ctlen)) {
328                     free(pt);
329                     (*ndo->ndo_error)(ndo, S_ERR_ND_MEM_ALLOC,
330                               "%s: can't push buffer on buffer stack", __func__);
331           }
332 
333           return 1;
334 }
335 DIAG_ON_DEPRECATION
336 
esp_print_addsa(netdissect_options * ndo,const struct sa_list * sa,int sa_def)337 static void esp_print_addsa(netdissect_options *ndo,
338                                   const struct sa_list *sa, int sa_def)
339 {
340           /* copy the "sa" */
341 
342           struct sa_list *nsa;
343 
344           /* malloc() return used in a 'struct sa_list': do not free() */
345           nsa = (struct sa_list *)malloc(sizeof(struct sa_list));
346           if (nsa == NULL)
347                     (*ndo->ndo_error)(ndo, S_ERR_ND_MEM_ALLOC,
348                                           "%s: malloc", __func__);
349 
350           *nsa = *sa;
351 
352           if (sa_def)
353                     ndo->ndo_sa_default = nsa;
354 
355           nsa->next = ndo->ndo_sa_list_head;
356           ndo->ndo_sa_list_head = nsa;
357 }
358 
359 
hexdigit(netdissect_options * ndo,char hex)360 static u_int hexdigit(netdissect_options *ndo, char hex)
361 {
362           if (hex >= '0' && hex <= '9')
363                     return (hex - '0');
364           else if (hex >= 'A' && hex <= 'F')
365                     return (hex - 'A' + 10);
366           else if (hex >= 'a' && hex <= 'f')
367                     return (hex - 'a' + 10);
368           else {
369                     (*ndo->ndo_error)(ndo, S_ERR_ND_ESP_SECRET,
370                                           "invalid hex digit %c in espsecret\n", hex);
371           }
372 }
373 
hex2byte(netdissect_options * ndo,char * hexstring)374 static u_int hex2byte(netdissect_options *ndo, char *hexstring)
375 {
376           u_int byte;
377 
378           byte = (hexdigit(ndo, hexstring[0]) << 4) + hexdigit(ndo, hexstring[1]);
379           return byte;
380 }
381 
382 /*
383  * returns size of binary, 0 on failure.
384  */
385 static int
espprint_decode_hex(netdissect_options * ndo,u_char * binbuf,unsigned int binbuf_len,char * hex)386 espprint_decode_hex(netdissect_options *ndo,
387                         u_char *binbuf, unsigned int binbuf_len, char *hex)
388 {
389           unsigned int len;
390           int i;
391 
392           len = strlen(hex) / 2;
393 
394           if (len > binbuf_len) {
395                     (*ndo->ndo_warning)(ndo, "secret is too big: %u\n", len);
396                     return 0;
397           }
398 
399           i = 0;
400           while (hex[0] != '\0' && hex[1]!='\0') {
401                     binbuf[i] = hex2byte(ndo, hex);
402                     hex += 2;
403                     i++;
404           }
405 
406           return i;
407 }
408 
409 /*
410  * decode the form:    SPINUM@IP <tab> ALGONAME:0xsecret
411  */
412 
413 DIAG_OFF_DEPRECATION
414 static int
espprint_decode_encalgo(netdissect_options * ndo,char * decode,struct sa_list * sa)415 espprint_decode_encalgo(netdissect_options *ndo,
416                               char *decode, struct sa_list *sa)
417 {
418           size_t i;
419           const EVP_CIPHER *evp;
420           int authlen = 0;
421           char *colon, *p;
422           const char *real_decode;
423 
424           colon = strchr(decode, ':');
425           if (colon == NULL) {
426                     (*ndo->ndo_warning)(ndo, "failed to decode espsecret: %s\n", decode);
427                     return 0;
428           }
429           *colon = '\0';
430 
431           if (strlen(decode) > strlen("-hmac96") &&
432               !strcmp(decode + strlen(decode) - strlen("-hmac96"),
433                         "-hmac96")) {
434                     p = strstr(decode, "-hmac96");
435                     *p = '\0';
436                     authlen = 12;
437           }
438           if (strlen(decode) > strlen("-cbc") &&
439               !strcmp(decode + strlen(decode) - strlen("-cbc"), "-cbc")) {
440                     p = strstr(decode, "-cbc");
441                     *p = '\0';
442           }
443           /*
444            * Not all versions of libcrypto support calls to add aliases
445            * to ciphers - newer versions of libressl don't - so, instead
446            * of making "3des" an alias for "des_ede3_cbc", if attempting
447            * to get the cipher fails and the name is "3des", we try
448            * "des_ede3_cbc".
449            */
450           real_decode = decode;
451           if (strcmp(real_decode, "3des") == 0)
452                     real_decode = "des-ede3-cbc";
453           evp = EVP_get_cipherbyname(real_decode);
454 
455           if (!evp) {
456                     if (decode != real_decode)
457                               (*ndo->ndo_warning)(ndo, "failed to find cipher algo %s (%s)\n", real_decode, decode);
458                     else
459                               (*ndo->ndo_warning)(ndo, "failed to find cipher algo %s\n", decode);
460                     sa->evp = NULL;
461                     sa->authlen = 0;
462                     sa->ivlen = 0;
463                     return 0;
464           }
465 
466           sa->evp = evp;
467           sa->authlen = authlen;
468           /* This returns an int, but it should never be negative */
469           sa->ivlen = EVP_CIPHER_iv_length(evp);
470 
471           colon++;
472           if (colon[0] == '0' && colon[1] == 'x') {
473                     /* decode some hex! */
474 
475                     colon += 2;
476                     sa->secretlen = espprint_decode_hex(ndo, sa->secret, sizeof(sa->secret), colon);
477                     if(sa->secretlen == 0) return 0;
478           } else {
479                     i = strlen(colon);
480 
481                     if (i < sizeof(sa->secret)) {
482                               memcpy(sa->secret, colon, i);
483                               sa->secretlen = i;
484                     } else {
485                               memcpy(sa->secret, colon, sizeof(sa->secret));
486                               sa->secretlen = sizeof(sa->secret);
487                     }
488           }
489 
490           return 1;
491 }
492 DIAG_ON_DEPRECATION
493 
494 /*
495  * for the moment, ignore the auth algorithm, just hard code the authenticator
496  * length. Need to research how openssl looks up HMAC stuff.
497  */
498 static int
espprint_decode_authalgo(netdissect_options * ndo,char * decode,struct sa_list * sa)499 espprint_decode_authalgo(netdissect_options *ndo,
500                                char *decode, struct sa_list *sa)
501 {
502           char *colon;
503 
504           colon = strchr(decode, ':');
505           if (colon == NULL) {
506                     (*ndo->ndo_warning)(ndo, "failed to decode espsecret: %s\n", decode);
507                     return 0;
508           }
509           *colon = '\0';
510 
511           if(ascii_strcasecmp(decode,"sha1") == 0 ||
512              ascii_strcasecmp(decode,"md5") == 0) {
513                     sa->authlen = 12;
514           }
515           return 1;
516 }
517 
esp_print_decode_ikeline(netdissect_options * ndo,char * line,const char * file,int lineno)518 static void esp_print_decode_ikeline(netdissect_options *ndo, char *line,
519                                              const char *file, int lineno)
520 {
521           /* it's an IKEv2 secret, store it instead */
522           struct sa_list sa1;
523 
524           char *init;
525           char *icookie, *rcookie;
526           int   ilen, rlen;
527           char *authkey;
528           char *enckey;
529 
530           init = strsep(&line, " \t");
531           icookie = strsep(&line, " \t");
532           rcookie = strsep(&line, " \t");
533           authkey = strsep(&line, " \t");
534           enckey  = strsep(&line, " \t");
535 
536           /* if any fields are missing */
537           if(!init || !icookie || !rcookie || !authkey || !enckey) {
538                     (*ndo->ndo_warning)(ndo, "print_esp: failed to find all fields for ikev2 at %s:%u",
539                                             file, lineno);
540 
541                     return;
542           }
543 
544           ilen = strlen(icookie);
545           rlen = strlen(rcookie);
546 
547           if((init[0]!='I' && init[0]!='R')
548              || icookie[0]!='0' || icookie[1]!='x'
549              || rcookie[0]!='0' || rcookie[1]!='x'
550              || ilen!=18
551              || rlen!=18) {
552                     (*ndo->ndo_warning)(ndo, "print_esp: line %s:%u improperly formatted.",
553                                             file, lineno);
554 
555                     (*ndo->ndo_warning)(ndo, "init=%s icookie=%s(%u) rcookie=%s(%u)",
556                                             init, icookie, ilen, rcookie, rlen);
557 
558                     return;
559           }
560 
561           sa1.spi = 0;
562           sa1.initiator = (init[0] == 'I');
563           if(espprint_decode_hex(ndo, sa1.spii, sizeof(sa1.spii), icookie+2)!=8)
564                     return;
565 
566           if(espprint_decode_hex(ndo, sa1.spir, sizeof(sa1.spir), rcookie+2)!=8)
567                     return;
568 
569           if(!espprint_decode_encalgo(ndo, enckey, &sa1)) return;
570 
571           if(!espprint_decode_authalgo(ndo, authkey, &sa1)) return;
572 
573           esp_print_addsa(ndo, &sa1, FALSE);
574 }
575 
576 /*
577  *
578  * special form: file /name
579  * causes us to go read from this file instead.
580  *
581  */
esp_print_decode_onesecret(netdissect_options * ndo,char * line,const char * file,int lineno)582 static void esp_print_decode_onesecret(netdissect_options *ndo, char *line,
583                                                const char *file, int lineno)
584 {
585           struct sa_list sa1;
586           int sa_def;
587 
588           char *spikey;
589           char *decode;
590 
591           spikey = strsep(&line, " \t");
592           sa_def = 0;
593           memset(&sa1, 0, sizeof(struct sa_list));
594 
595           /* if there is only one token, then it is an algo:key token */
596           if (line == NULL) {
597                     decode = spikey;
598                     spikey = NULL;
599                     /* sa1.daddr.version = 0; */
600                     /* memset(&sa1.daddr, 0, sizeof(sa1.daddr)); */
601                     /* sa1.spi = 0; */
602                     sa_def    = 1;
603           } else
604                     decode = line;
605 
606           if (spikey && ascii_strcasecmp(spikey, "file") == 0) {
607                     /* open file and read it */
608                     FILE *secretfile;
609                     char  fileline[1024];
610                     int   subfile_lineno=0;
611                     char  *nl;
612                     char *filename = line;
613 
614                     secretfile = fopen(filename, FOPEN_READ_TXT);
615                     if (secretfile == NULL) {
616                               (*ndo->ndo_error)(ndo, S_ERR_ND_OPEN_FILE,
617                                                     "%s: can't open %s: %s\n",
618                                                     __func__, filename, strerror(errno));
619                     }
620 
621                     while (fgets(fileline, sizeof(fileline)-1, secretfile) != NULL) {
622                               subfile_lineno++;
623                               /* remove newline from the line */
624                               nl = strchr(fileline, '\n');
625                               if (nl)
626                                         *nl = '\0';
627                               if (fileline[0] == '#') continue;
628                               if (fileline[0] == '\0') continue;
629 
630                               esp_print_decode_onesecret(ndo, fileline, filename, subfile_lineno);
631                     }
632                     fclose(secretfile);
633 
634                     return;
635           }
636 
637           if (spikey && ascii_strcasecmp(spikey, "ikev2") == 0) {
638                     esp_print_decode_ikeline(ndo, line, file, lineno);
639                     return;
640           }
641 
642           if (spikey) {
643 
644                     char *spistr, *foo;
645                     uint32_t spino;
646 
647                     spistr = strsep(&spikey, "@");
648                     if (spistr == NULL) {
649                               (*ndo->ndo_warning)(ndo, "print_esp: failed to find the @ token");
650                               return;
651                     }
652 
653                     spino = strtoul(spistr, &foo, 0);
654                     if (spistr == foo || !spikey) {
655                               (*ndo->ndo_warning)(ndo, "print_esp: failed to decode spi# %s\n", foo);
656                               return;
657                     }
658 
659                     sa1.spi = spino;
660 
661                     if (strtoaddr6(spikey, &sa1.daddr.in6) == 1) {
662                               sa1.daddr_version = 6;
663                     } else if (strtoaddr(spikey, &sa1.daddr.in4) == 1) {
664                               sa1.daddr_version = 4;
665                     } else {
666                               (*ndo->ndo_warning)(ndo, "print_esp: can not decode IP# %s\n", spikey);
667                               return;
668                     }
669           }
670 
671           if (decode) {
672                     /* skip any blank spaces */
673                     while (*decode == ' ' || *decode == '\t' || *decode == '\r' || *decode == '\n')
674                               decode++;
675 
676                     if(!espprint_decode_encalgo(ndo, decode, &sa1)) {
677                               return;
678                     }
679           }
680 
681           esp_print_addsa(ndo, &sa1, sa_def);
682 }
683 
684 DIAG_OFF_DEPRECATION
esp_init(netdissect_options * ndo _U_)685 static void esp_init(netdissect_options *ndo _U_)
686 {
687           /*
688            * 0.9.6 doesn't appear to define OPENSSL_API_COMPAT, so
689            * we check whether it's undefined or it's less than the
690            * value for 1.1.0.
691            */
692 #if !defined(OPENSSL_API_COMPAT) || OPENSSL_API_COMPAT < 0x10100000L
693           OpenSSL_add_all_algorithms();
694 #endif
695 }
696 DIAG_ON_DEPRECATION
697 
esp_decodesecret_print(netdissect_options * ndo)698 void esp_decodesecret_print(netdissect_options *ndo)
699 {
700           char *line;
701           char *p;
702           static int initialized = 0;
703 
704           if (!initialized) {
705                     esp_init(ndo);
706                     initialized = 1;
707           }
708 
709           p = ndo->ndo_espsecret;
710 
711           while (p && p[0] != '\0') {
712                     /* pick out the first line or first thing until a comma */
713                     if ((line = strsep(&p, "\n,")) == NULL) {
714                               line = p;
715                               p = NULL;
716                     }
717 
718                     esp_print_decode_onesecret(ndo, line, "cmdline", 0);
719           }
720 
721           ndo->ndo_espsecret = NULL;
722 }
723 
724 #endif
725 
726 #ifdef HAVE_LIBCRYPTO
727 #define USED_IF_LIBCRYPTO
728 #else
729 #define USED_IF_LIBCRYPTO _U_
730 #endif
731 
732 #ifdef HAVE_LIBCRYPTO
733 DIAG_OFF_DEPRECATION
734 #endif
735 void
esp_print(netdissect_options * ndo,const u_char * bp,u_int length,const u_char * bp2 USED_IF_LIBCRYPTO,u_int ver USED_IF_LIBCRYPTO,int fragmented USED_IF_LIBCRYPTO,u_int ttl_hl USED_IF_LIBCRYPTO)736 esp_print(netdissect_options *ndo,
737             const u_char *bp, u_int length,
738             const u_char *bp2 USED_IF_LIBCRYPTO,
739             u_int ver USED_IF_LIBCRYPTO,
740             int fragmented USED_IF_LIBCRYPTO,
741             u_int ttl_hl USED_IF_LIBCRYPTO)
742 {
743           const struct newesp *esp;
744           const u_char *ep;
745 #ifdef HAVE_LIBCRYPTO
746           const struct ip *ip;
747           struct sa_list *sa = NULL;
748           const struct ip6_hdr *ip6 = NULL;
749           const u_char *iv;
750           u_int ivlen;
751           u_int payloadlen;
752           const u_char *ct;
753           u_char *pt;
754           u_int padlen;
755           u_int nh;
756 #endif
757 
758           ndo->ndo_protocol = "esp";
759           esp = (const struct newesp *)bp;
760 
761           /* 'ep' points to the end of available data. */
762           ep = ndo->ndo_snapend;
763 
764           if ((const u_char *)(esp + 1) >= ep) {
765                     nd_print_trunc(ndo);
766                     return;
767           }
768           ND_PRINT("ESP(spi=0x%08x", GET_BE_U_4(esp->esp_spi));
769           ND_PRINT(",seq=0x%x)", GET_BE_U_4(esp->esp_seq));
770           ND_PRINT(", length %u", length);
771 
772 #ifdef HAVE_LIBCRYPTO
773           /* initialize SAs */
774           if (ndo->ndo_sa_list_head == NULL) {
775                     if (!ndo->ndo_espsecret)
776                               return;
777 
778                     esp_decodesecret_print(ndo);
779           }
780 
781           if (ndo->ndo_sa_list_head == NULL)
782                     return;
783 
784           ip = (const struct ip *)bp2;
785           switch (ver) {
786           case 6:
787                     ip6 = (const struct ip6_hdr *)bp2;
788                     /* we do not attempt to decrypt jumbograms */
789                     if (!GET_BE_U_2(ip6->ip6_plen))
790                               return;
791                     /* XXX - check whether it's fragmented? */
792                     /* if we can't get nexthdr, we do not need to decrypt it */
793 
794                     /* see if we can find the SA, and if so, decode it */
795                     for (sa = ndo->ndo_sa_list_head; sa != NULL; sa = sa->next) {
796                               if (sa->spi == GET_BE_U_4(esp->esp_spi) &&
797                                   sa->daddr_version == 6 &&
798                                   UNALIGNED_MEMCMP(&sa->daddr.in6, &ip6->ip6_dst,
799                                            sizeof(nd_ipv6)) == 0) {
800                                         break;
801                               }
802                     }
803                     break;
804           case 4:
805                     /* nexthdr & padding are in the last fragment */
806                     if (fragmented)
807                               return;
808 
809                     /* see if we can find the SA, and if so, decode it */
810                     for (sa = ndo->ndo_sa_list_head; sa != NULL; sa = sa->next) {
811                               if (sa->spi == GET_BE_U_4(esp->esp_spi) &&
812                                   sa->daddr_version == 4 &&
813                                   UNALIGNED_MEMCMP(&sa->daddr.in4, &ip->ip_dst,
814                                            sizeof(nd_ipv4)) == 0) {
815                                         break;
816                               }
817                     }
818                     break;
819           default:
820                     return;
821           }
822 
823           /* if we didn't find the specific one, then look for
824            * an unspecified one.
825            */
826           if (sa == NULL)
827                     sa = ndo->ndo_sa_default;
828 
829           /* if not found fail */
830           if (sa == NULL)
831                     return;
832 
833           /* pointer to the IV, if there is one */
834           iv = (const u_char *)(esp + 1) + 0;
835           /* length of the IV, if there is one; 0, if there isn't */
836           ivlen = sa->ivlen;
837 
838           /*
839            * Get a pointer to the ciphertext.
840            *
841            * p points to the beginning of the payload, i.e. to the
842            * initialization vector, so if we skip past the initialization
843            * vector, it points to the beginning of the ciphertext.
844            */
845           ct = iv + ivlen;
846 
847           /*
848            * Make sure the authentication data/integrity check value length
849            * isn't bigger than the total amount of data available after
850            * the ESP header and initialization vector is removed and,
851            * if not, slice the authentication data/ICV off.
852            */
853           if (ep - ct < sa->authlen) {
854                     nd_print_trunc(ndo);
855                     return;
856           }
857           ep = ep - sa->authlen;
858 
859           /*
860            * Calculate the length of the ciphertext.  ep points to
861            * the beginning of the authentication data/integrity check
862            * value, i.e. right past the end of the ciphertext;
863            */
864           payloadlen = ep - ct;
865 
866           if (sa->evp == NULL)
867                     return;
868 
869           /*
870            * If the next header value is past the end of the available
871            * data, we won't be able to fetch it once we've decrypted
872            * the ciphertext, so there's no point in decrypting the data.
873            *
874            * Report it as truncation.
875            */
876           if (!ND_TTEST_1(ep - 1)) {
877                     nd_print_trunc(ndo);
878                     return;
879           }
880 
881           pt = do_decrypt(ndo, __func__, sa, iv, ct, payloadlen);
882           if (pt == NULL)
883                     return;
884 
885           /*
886            * Switch to the output buffer for dissection, and
887            * save it on the buffer stack so it can be freed.
888            */
889           if (!nd_push_buffer(ndo, pt, pt, payloadlen)) {
890                     free(pt);
891                     (*ndo->ndo_error)(ndo, S_ERR_ND_MEM_ALLOC,
892                               "%s: can't push buffer on buffer stack", __func__);
893           }
894 
895           /*
896            * Sanity check for pad length; if it, plus 2 for the pad
897            * length and next header fields, is bigger than the ciphertext
898            * length (which is also the plaintext length), it's too big.
899            *
900            * XXX - the check can fail if the packet is corrupt *or* if
901            * it was not decrypted with the correct key, so that the
902            * "plaintext" is not what was being sent.
903            */
904           padlen = GET_U_1(pt + payloadlen - 2);
905           if (padlen + 2 > payloadlen) {
906                     nd_print_trunc(ndo);
907                     return;
908           }
909 
910           /* Get the next header */
911           nh = GET_U_1(pt + payloadlen - 1);
912 
913           ND_PRINT(": ");
914 
915           /*
916            * Don't put padding + padding length(1 byte) + next header(1 byte)
917            * in the buffer because they are not part of the plaintext to decode.
918            */
919           if (!nd_push_snaplen(ndo, pt, payloadlen - (padlen + 2))) {
920                     (*ndo->ndo_error)(ndo, S_ERR_ND_MEM_ALLOC,
921                               "%s: can't push snaplen on buffer stack", __func__);
922           }
923 
924           /* Now dissect the plaintext. */
925           ip_demux_print(ndo, pt, payloadlen - (padlen + 2), ver, fragmented,
926                            ttl_hl, nh, bp2);
927 
928           /* Pop the buffer, freeing it. */
929           nd_pop_packet_info(ndo);
930           /* Pop the nd_push_snaplen */
931           nd_pop_packet_info(ndo);
932 #endif
933 }
934 #ifdef HAVE_LIBCRYPTO
935 DIAG_ON_DEPRECATION
936 #endif
937