| blob | 4c4042b7ed8249701ec0cab90e721832ea1252b1 |
1 /* packet-ipsec.c
2 * Routines for IPsec/IPComp packet disassembly
3 *
4 * Wireshark - Network traffic analyzer
5 * By Gerald Combs <gerald@wireshark.org>
6 * Copyright 1998 Gerald Combs
7 *
8 * SPDX-License-Identifier: GPL-2.0-or-later
9 */
12 /*
14 Addon: ESP Decryption and Authentication Checking
16 Frederic ROUDAUT (frederic.roudaut@free.fr)
17 Copyright 2006 Frederic ROUDAUT
19 - Decrypt ESP Payload for the following Algorithms defined in RFC 4305:
21 Encryption Algorithm
22 --------------------
23 NULL
24 TripleDES-CBC [RFC2451] : keylen 192 bits.
25 AES-CBC with 128-bit keys [RFC3602] : keylen 128 and 192/256 bits.
26 AES-CTR [RFC3686] : keylen 160/224/288 bits. The remaining 32 bits will be used as nonce.
27 DES-CBC [RFC2405] : keylen 64 bits
29 - Add ESP Payload Decryption support for the following Encryption Algorithms :
30 BLOWFISH-CBC : keylen 128 bits.
31 TWOFISH-CBC : keylen 128/256 bits.
32 CAST5-CBC : keylen 128
34 - Check ESP Authentication for the following Algorithms defined in RFC 4305:
36 Authentication Algorithm
37 ------------------------
38 NULL
39 HMAC-SHA1-96 [RFC2404] : any keylen
40 HMAC-MD5-96 [RFC2403] : any keylen
41 AES-XCBC-MAC-96 [RFC3566] : Not available because no implementation found.
43 - Add ESP Authentication checking for the following Authentication Algorithm :
44 HMAC-SHA256 : any keylen
45 HMAC-RIPEMD160-96 [RFC2857] : any keylen
47 - Added/Modified Authentication checking (David Dahlberg <dahlberg@fgan.de>):
48 CHG: HMAC-SHA256 is now HMAC-SHA-256-96 [draft-ietf-ipsec-ciph-sha-256-00]
49 -> It is implemented this way in USAGI/KAME (Linux/BSD).
50 ADD: HMAC-SHA-256-128 [RFC4868]
51 ICV length of HMAC-SHA-256 was changed in draft-ietf-ipsec-ciph-sha-256-01
52 to 128 bit. This is "SHOULD" be the standard now!
53 ADD: Additional generic (non-checked) ICV length of 128, 192 and 256.
54 This follows RFC 4868 for the SHA-256+ family.
56 */
61 #include <epan/packet.h>
62 #include <epan/addr_resolv.h>
63 #include <epan/ipproto.h>
64 #include <epan/prefs.h>
65 #include <epan/expert.h>
66 #include <epan/tap.h>
67 #include <epan/exported_pdu.h>
68 #include <epan/proto_data.h>
69 #include <epan/decode_as.h>
70 #include <epan/capture_dissectors.h>
73 #include <epan/uat.h>
74 #include <wsutil/str_util.h>
75 #include <wsutil/wsgcrypt.h>
76 #include <wsutil/pint.h>
131 /* Encryption algorithms defined in RFC 4305 */
132 #define IPSEC_ENCRYPT_NULL 0
133 #define IPSEC_ENCRYPT_3DES_CBC 1
134 #define IPSEC_ENCRYPT_AES_CBC 2
135 #define IPSEC_ENCRYPT_AES_CTR 3
136 #define IPSEC_ENCRYPT_DES_CBC 4
137 #define IPSEC_ENCRYPT_BLOWFISH_CBC 5
138 #define IPSEC_ENCRYPT_TWOFISH_CBC 6
140 /* Encryption algorithm defined in RFC 2144 */
141 #define IPSEC_ENCRYPT_CAST5_CBC 7
143 /* Encryption algorithms defined in RFC 4106 */
144 #define IPSEC_ENCRYPT_AES_GCM 8
145 #define IPSEC_ENCRYPT_AES_GCM_8 9
146 #define IPSEC_ENCRYPT_AES_GCM_12 10
147 #define IPSEC_ENCRYPT_AES_GCM_16 11
149 /* Encryption algorithm defined in RFC 4106 & RFC 8750 */
150 #define IPSEC_ENCRYPT_AES_GCM_16_IIV 12
152 /* Encryption algorithm defined in RFC 7634 */
153 #define IPSEC_ENCRYPT_CHACHA20_POLY1305 13
155 /* Encryption algorithm defined in RFC 7634 & RFC 8750 */
156 #define IPSEC_ENCRYPT_CHACHA20_POLY1305_IIV 14
158 /* Authentication algorithms defined in RFC 4305 */
159 #define IPSEC_AUTH_NULL 0
160 #define IPSEC_AUTH_HMAC_SHA1_96 1
161 #define IPSEC_AUTH_HMAC_SHA256_96 2
162 #define IPSEC_AUTH_HMAC_SHA256_128 3
163 #define IPSEC_AUTH_HMAC_SHA384_192 4
164 #define IPSEC_AUTH_HMAC_SHA512_256 5
165 #define IPSEC_AUTH_HMAC_MD5_96 6
166 #define IPSEC_AUTH_HMAC_RIPEMD160_96 7
167 /* define IPSEC_AUTH_AES_XCBC_MAC_96 6 */
168 #define IPSEC_AUTH_ANY_64BIT 8
169 #define IPSEC_AUTH_ANY_96BIT 9
170 #define IPSEC_AUTH_ANY_128BIT 10
171 #define IPSEC_AUTH_ANY_192BIT 11
172 #define IPSEC_AUTH_ANY_256BIT 12
174 /* ICV types (not an RFC classification) */
179 #define IPSEC_IPV6_ADDR_LEN 128
180 #define IPSEC_IPV4_ADDR_LEN 32
181 #define IPSEC_STRLEN_IPV6 32
182 #define IPSEC_STRLEN_IPV4 8
183 #define IPSEC_SA_IPV4 1
184 #define IPSEC_SA_IPV6 2
185 #define IPSEC_SA_ANY 3
186 #define IPSEC_SA_UNKNOWN -1
188 /* the maximum number of bytes (10)(including the terminating nul character(11)) */
189 #define IPSEC_SPI_LEN_MAX 11
190 #define IPSEC_SA_SN 32
191 #define IPSEC_SA_ESN 64
194 /* well-known algorithm number (in CPI), from RFC2409 */
198 #define IPCOMP_MAX 4
206 };
208 /* The length of the two fields (SPI and Sequence Number) preceding the Payload Data */
209 #define ESP_HEADER_LEN 8
229 };
233 {
235 }
247 /* { IPSEC_AUTH_AES_XCBC_MAC_96, "AES-XCBC-MAC-96 [RFC3566]" }, */
254 };
258 {
260 }
263 /*-------------------------------------
264 * UAT for ESP
265 *-------------------------------------
266 */
267 /* UAT entry structure. */
292 /* Extra SA records that may be set programmatically */
293 /* 'records' array is now allocated on the heap */
294 #define MAX_EXTRA_SA_RECORDS 16
304 /*
305 Name : static int compute_ascii_key(char **ascii_key, char *key)
306 Description : Allocate memory for the key and transform the key if it is hexadecimal
307 Return : Return the key length
308 Params:
309 - char **ascii_key : the resulting ascii key allocated here
310 - char *key : the key to compute
311 - char **err : an error string to report if the input is found to be invalid
312 */
313 static int
315 {
322 {
325 {
326 /*
327 * Key begins with "0x" or "0X"; skip that and treat the rest
328 * as a sequence of hex digits.
329 */
333 {
334 /*
335 * Key has an odd number of characters; we act as if the
336 * first character had a 0 in front of it, making the
337 * number of characters even.
338 */
343 {
348 }
350 j++;
351 i++;
352 }
353 else
354 {
355 /*
356 * Key has an even number of characters, so we treat each
357 * pair of hex digits as a single byte value.
358 */
361 }
364 {
366 i++;
368 {
374 }
377 i++;
379 {
384 }
387 j++;
388 }
390 }
393 {
394 /* A valid null key */
397 }
398 else
399 {
400 /* Doesn't begin with 0X or 0x... */
403 }
404 }
407 }
413 /* Compute keys & lengths once and for all */
418 }
420 rec->encryption_key_length = compute_ascii_key(&rec->encryption_key, rec->encryption_key_string, err);
421 }
425 }
429 rec->authentication_key_length = compute_ascii_key(&rec->authentication_key, rec->authentication_key_string, err);
430 }
434 }
436 /* TODO: Make sure IP addresses have a valid conversion */
437 /* Unfortunately, return value of get_full_ipv4_addr() or get_full_ipv6_addr() (depending upon rec->protocol)
438 is not sufficient */
440 /* TODO: check format of spi */
442 /* Return true only if *err has not been set by checking code. */
444 }
450 /* Copy UAT fields */
465 /* Parse keys as in an update */
470 }
473 }
489 }
490 }
504 /* Configure a new SA (programmatically, most likely from a private dissector).
505 The arguments here are deliberately in the same string formats as the UAT fields
506 in order to keep code paths common.
507 Note that an attempt to match with these entries will be made *before* entries
508 added through the UAT entry interface/file. */
515 {
519 }
520 /* Add new entry */
523 }
525 /* No room left!! */
526 REPORT_DISSECTOR_BUG("<IPsec/ESP Dissector> Failed to add UE as already have max (%d) configured\n",
527 MAX_EXTRA_SA_RECORDS);
529 }
531 /* Copy key fields */
537 /* Encryption */
543 /* Authentication */
548 /* XXX - Should we change the function so private dissectors pass this in? */
552 /* Parse keys */
556 /* Free (but ignore) any error string set */
558 }
559 }
561 /*************************************/
562 /* Preference settings */
564 /* Default ESP payload decode to off */
567 /* Default ESP payload Authentication Checking to off */
570 /**************************************************/
571 /* Sequence number analysis */
573 /* SPI state, key is just 32-bit SPI */
575 {
581 /* The sequence analysis SPI hash table.
582 Maps SPI -> spi_status */
585 /* Results are stored here: framenum -> spi_status */
586 /* N.B. only store entries for out-of-order frames, if there is no entry for
587 a given frame, it was found to be in-order */
590 /* During the first pass, update the SPI state. If the sequence numbers
591 are out of order, add an entry to the report table */
593 {
594 /* Do the table lookup */
598 /* Create an entry for this SPI */
603 /* And add it to the table */
605 }
609 /* Entry already existed, so check that we got the sequence number we expected. */
611 /* Create report entry */
613 /* Copy what was expected */
615 /* And add it into the report table */
617 }
618 /* Adopt this setting as 'current' regardless of whether expected */
621 }
622 }
624 /* Check to see if there is a report stored for this frame. If there is,
625 add it to the tree and report using expert info */
628 {
629 /* Look up this frame in the report table. */
635 /* Expected sequence number */
641 }
644 /* Link back to previous frame for SPI */
649 /* Expert info */
654 }
658 spi,
660 }
664 spi,
666 }
667 }
668 }
670 /*
671 Default ESP payload heuristic decode to off
672 (only works if payload is NULL encrypted and ESP payload decode is off or payload is NULL encrypted
673 and the packet does not match a Security Association).
674 */
677 #define PADDING_RFC 0
678 #define PADDING_ZERO 1
679 #define PADDING_ANY 2
681 /* PADDING_RFC is chosen as 0 to be the default */
689 };
691 /* Default to doing ESP sequence analysis */
696 /*
697 Name : static int get_ipv6_suffix(char* ipv6_suffix, char *ipv6_address)
698 Description : Get the extended IPv6 Suffix of an IPv6 Address
699 Return : Return the number of char of the IPv6 address suffix parsed
700 Params:
701 - char *ipv6_address : the valid ipv6 address to parse in char *
702 - char *ipv6_suffix : the ipv6 suffix associated in char *
704 ex: if IPv6 address is "3ffe::1" the IPv6 suffix will be "0001" and the function will return 3
705 */
707 {
718 {
720 {
722 {
723 /* Add some 0 to the prefix; */
725 {
727 cpt_suffix ++;
728 }
732 {
733 /* Found a suffix */
735 }
736 else
738 {
739 /* found a suffix */
742 }
744 else
745 {
746 cpt++;
747 }
748 }
749 else
750 {
752 cpt_seg ++;
753 cpt_suffix ++;
754 cpt++;
755 }
756 }
759 {
761 {
763 cpt_suffix ++;
764 }
765 }
767 }
770 {
772 }
777 }
779 /*
780 Name : static int get_full_ipv6_addr(char* ipv6_addr_expanded, char *ipv6_addr)
781 Description : Get the extended IPv6 Address of an IPv6 Address
782 Return : Return the remaining number of char of the IPv6 address parsed
783 Params:
784 - char *ipv6_addr : the valid ipv6 address to parse in char *
785 - char *ipv6_addr_expanded : the expanded ipv6 address associated in char *
787 ex: if IPv6 address is "3ffe::1" the IPv6 expanded address
788 will be "3FFE0000000000000000000000000001" and the function will return 0
789 if IPV6 address is "3ffe::*" the IPv6 expanded address
790 will be "3FFE000000000000000000000000****" and the function will return 0
791 */
792 static int
794 {
816 {
820 }
823 {
825 {
827 }
830 }
836 {
841 }
845 {
847 }
852 {
854 {
863 }
864 }
865 }
869 else
871 }
874 /*
875 Name : static bool get_full_ipv4_addr(char* ipv4_addr_expanded, char *ipv4_addr)
876 Description : Get the extended IPv4 Address of an IPv4 Address
877 Return : Return true if it can derive an IPv4 address. It does not mean that
878 the previous one was valid.
879 Params:
880 - char *ipv4_addr : the valid ipv4 address to parse in char *
881 - char *ipv4_addr_expanded : the expanded ipv4 address associated in char *
883 ex: if IPv4 address is "190.*.*.1" the IPv4 expanded address will be "BE****01" and
884 the function will return 0
885 if IPv4 address is "*" the IPv4 expanded address will be "********" and
886 the function will return 0
887 */
888 static bool
890 {
907 {
911 }
914 {
916 {
918 }
921 }
928 {
930 {
933 {
935 {
937 cpt ++;
938 }
939 }
940 else
941 {
947 else
950 {
952 cpt ++;
953 }
954 }
956 }
959 {
962 {
964 {
966 cpt ++;
967 }
968 }
969 else
970 {
976 else
979 {
981 cpt ++;
982 }
983 }
985 j++;
986 }
987 else
988 {
990 {
991 /* Incorrect IPv4 Address. Erase previous Values in the Byte. (LRU mechanism) */
994 j++;
995 }
996 else
997 {
999 k++;
1000 j++;
1001 }
1002 }
1004 }
1007 {
1009 {
1018 }
1019 }
1020 }
1022 }
1025 }
1027 /*
1028 Name : static goolean filter_address_match(char *addr, char *filter, int len, int typ)
1029 Description : check the matching of an address with a filter
1030 Return : Return true if the filter and the address match
1031 Params:
1032 - char *addr : the address to check
1033 - char *filter : the filter
1034 - int typ : the Address type : either IPv6 or IPv4 (IPSEC_SA_IPV6, IPSEC_SA_IPV4)
1035 */
1036 static bool
1038 {
1063 }
1070 }
1075 /* No length specified */
1078 {
1079 /* Check byte by byte ... */
1081 {
1084 }
1086 }
1087 else
1091 }
1094 /*
1095 Name : static goolean filter_spi_match(char *spi, char *filter)
1096 Description : check the matching of a spi with a filter
1097 Return : Return true if the filter matches the spi.
1098 Params:
1099 - unsigned spi : the spi to check
1100 - char *filter : the filter
1101 */
1102 static bool
1104 {
1108 /* "*" matches against anything */
1112 /* If the filter has a wildcard, treat SPI as a string */
1118 /* Lengths need to match exactly... */
1122 /* ... which means '*' can only appear in the last position of the filter? */
1123 /* Start at 2, don't compare "0x" each time */
1129 }
1131 }
1134 /*
1135 Name : static goolean get_esp_sa(g_esp_sa_database *sad, int protocol_typ, char *src, char *dst, unsigned spi,
1136 int *encryption_algo,
1137 int *authentication_algo,
1138 char **encryption_key,
1139 unsigned *encryption_key_len,
1140 char **authentication_key,
1141 unsigned *authentication_key_len,
1142 gcry_cipher_hd_t **cipher_hd,
1143 bool **cipher_hd_created
1145 Description : Give Encryption Algo, Key and Authentication Algo for a Packet if a corresponding SA is available in a Security Association database
1146 Return: If the SA is not present, false is then returned.
1147 Params:
1148 - g_esp_sa_database *sad : the Security Association Database
1149 - int *pt_protocol_typ : the protocol type
1150 - char *src : the source address
1151 - char *dst : the destination address
1152 - char *spi : the spi of the SA
1153 - int *encryption_algo : the Encryption Algorithm to apply the packet
1154 - int *authentication_algo : the Authentication Algorithm to apply to the packet
1155 - char **encryption_key : the Encryption Key to apply to the packet
1156 - unsigned *encryption_key_len : the Encryption Key length to apply to the packet
1157 - char **authentication_key : the Authentication Key to apply to the packet
1158 - unsigned *authentication_key_len : the Authentication Key len to apply to the packet
1159 - gcry_cipher_hd_t **cipher_hd : pointer handle to be used for ciphering
1160 - bool **cipher_hd_created: points to boolean indicating that cipher handle has
1161 been created. If false, should assign handle to
1162 *cipher_hd and set this to true.
1164 */
1165 static bool
1177 )
1178 {
1185 /* Check each known SA in turn */
1186 for (i = 0, j=0; (found == false) && ((i < num_sa_uat) || (j < extra_esp_sa_records.num_records)); )
1187 {
1188 /* Get the next record to try */
1191 /* Extra ones checked first */
1193 }
1195 /* Then UAT ones */
1197 }
1200 && (filter_address_match(src, record->srcIP, protocol_typ) || record->protocol == IPSEC_SA_ANY)
1201 && (filter_address_match(dst, record->dstIP, protocol_typ) || record->protocol == IPSEC_SA_ANY)
1203 {
1210 {
1211 /* Bad key; XXX - report this */
1214 }
1217 }
1221 {
1222 /* Bad key; XXX - report this */
1225 }
1228 }
1230 /* Tell the caller whether cipher_hd has been created yet and a pointer.
1231 Pass pointer to created flag so that caller can set if/when
1232 it opens the cipher_hd. */
1238 }
1239 }
1242 }
1245 {
1248 }
1251 {
1253 }
1255 static void
1257 {
1259 exp_pdu_data_t *exp_pdu_data = export_pdu_create_common_tags(pinfo, dissector_handle_get_dissector_name(dissector_handle), EXP_PDU_TAG_DISSECTOR_NAME);
1266 }
1267 }
1269 /**
1270 * Implements much of RFC 5879, "Heuristics for Detecting ESP-NULL Packets"
1271 *
1272 * Does NOT attempt to properly detect ENCR_NULL_AUTH_AES_GMAC.
1273 */
1274 static int
1276 {
1284 dissector_handle_t dissector_handle;
1286 /* Possible ICV lengths to try. Per RFC 5879, smallest to largest.
1287 */
1294 };
1300 /* Make sure the packet is not truncated before the fields
1301 * we need to read to determine the encapsulated protocol.
1302 */
1304 {
1311 }
1314 }
1320 }
1321 }
1330 }
1331 }
1332 /* FALLTHROUGH */
1337 }
1338 }
1343 /* If the matching dissector has been disabled or rejects the packet,
1344 * consider the heuristic failed.
1345 * XXX: Should we also catch exceptions and consider those failures too?
1346 *
1347 * Note that the case of ENCR_NULL_AUTH_AES_GMAC will find the correct
1348 * padding and encapsulated protocol using a 16 byte ICV, but needs to
1349 * skip over the 8 bytes of IV.
1350 */
1351 if (call_dissector_only(dissector_handle, next_tvb, pinfo, proto_tree_get_parent_tree(esp_tree), NULL) == 0) {
1354 }
1365 }
1366 }
1370 esp_pad_len);
1374 encapsulated_protocol,
1377 }
1380 }
1381 }
1383 }
1385 static bool
1386 capture_ah(const unsigned char *pd, int offset, int len, capture_packet_info_t *cpinfo, const union wtap_pseudo_header *pseudo_header)
1387 {
1400 }
1402 static int
1404 {
1413 dissector_handle_t dissector_handle;
1443 /* Save next header value for Decode As dialog */
1452 /* do lookup with the subdissector table */
1459 }
1463 }
1465 }
1467 static int
1469 {
1474 /* Packet Variables related */
1482 dissector_handle_t dissector_handle;
1492 /* IPSEC encryption Variables related */
1520 /* Variables for decryption and authentication checking used for libgrypt */
1521 gcry_md_hd_t md_hd;
1536 /*
1537 * load the top pane info. This should be overwritten by
1538 * the next protocol in the stack
1539 */
1544 /*
1545 * populate a tree in the second pane with the status of the link layer
1546 * (ie none)
1547 */
1557 /* Sequence number analysis */
1561 }
1564 }
1568 /* Get length of remaining ESP packet (without the header) */
1575 /* The SAD is not activated */
1581 {
1582 /* Get Source & Destination Addresses in char * with all the bytes available. */
1588 }
1590 /* Create strings for src, dst addresses */
1594 /* Get the SPI */
1596 {
1598 }
1601 /*
1602 PARSE the SAD and fill it. It may take some time since it will
1603 be called every times an ESP Payload is found.
1604 */
1610 {
1613 {
1639 /* case IPSEC_AUTH_AES_XCBC_MAC_96: */
1646 }
1649 {
1667 }
1670 {
1674 /* We only support 2^32 - 1 frames (and only 2^31 - 1 in the Qt packet
1675 * list), so at most we can overflow once. In a normal capture we
1676 * expect half the frames to be from each direction, too. The proper
1677 * method in RFC 4303 Appendix A involves storing valid sequence
1678 * numbers at multiple points for subsequent passes to slide the window,
1679 * but we shouldn't need to. */
1684 sn_upper++;
1685 }
1688 sn_upper--;
1689 }
1690 }
1691 }
1692 }
1695 {
1697 /*
1698 RFC 2404 : HMAC-SHA-1-96 is a secret key algorithm.
1699 While no fixed key length is specified in [RFC-2104],
1700 for use with either ESP or AH a fixed key length of
1701 160-bits MUST be supported. Key lengths other than
1702 160-bits MUST NOT be supported (i.e. only 160-bit keys
1703 are to be used by HMAC-SHA-1-96). A key length of
1704 160-bits was chosen based on the recommendations in
1705 [RFC-2104] (i.e. key lengths less than the
1706 authentication length decrease security strength and
1707 keys longer than the authentication length do not
1708 significantly increase security strength).
1709 */
1717 /*
1718 case IPSEC_AUTH_AES_XCBC_MAC_96:
1719 auth_algo_libgcrypt =
1720 authentication_check_using_libgcrypt = true;
1721 break;
1722 */
1741 /*
1742 RFC 2403 : HMAC-MD5-96 is a secret key algorithm.
1743 While no fixed key length is specified in [RFC-2104],
1744 for use with either ESP or AH a fixed key length of
1745 128-bits MUST be supported. Key lengths other than
1746 128-bits MUST NOT be supported (i.e. only 128-bit keys
1747 are to be used by HMAC-MD5-96). A key length of
1748 128-bits was chosen based on the recommendations in
1749 [RFC-2104] (i.e. key lengths less than the
1750 authentication code length decrease security strength and
1751 keys longer than the authentication code length do not
1752 significantly increase security strength).
1753 */
1759 /*
1760 RFC 2857 : HMAC-RIPEMD-160-96 produces a 160-bit
1761 authentication code. This 160-bit value can be
1762 truncated as described in RFC2104. For use with
1763 either ESP or AH, a truncated value using the first
1764 96 bits MUST be supported.
1765 */
1777 }
1780 {
1781 /* Allocate buffer for ICV */
1786 {
1790 }
1791 else
1792 {
1795 {
1797 REPORT_DISSECTOR_BUG("<IPsec/ESP Dissector> Error in Algorithm %s, grcy_md_get_algo_dlen failed: %d\n",
1799 }
1800 else
1801 {
1806 gcry_md_write (md_hd, tvb_get_ptr(tvb, 0, esp_packet_len - esp_icv_len), esp_packet_len - esp_icv_len);
1813 }
1814 }
1818 {
1822 }
1831 }
1832 }
1835 }
1836 }
1837 }
1840 {
1841 /* Deactivation of the Heuristic to decrypt using the NULL encryption algorithm since the packet is matching a SA */
1845 {
1847 /* RFC 2451 says :
1848 3DES CBC uses a key of 192 bits.
1849 The first 3DES key is taken from the first 64 bits,
1850 the second from the next 64 bits, and the third
1851 from the last 64 bits.
1852 Implementations MUST take into consideration the
1853 parity bits when initially accepting a new set of
1854 keys. Each of the three keys is really 56 bits in
1855 length with the extra 8 bits used for parity. */
1857 /* Fix parameters for 3DES-CBC */
1863 {
1864 REPORT_DISSECTOR_BUG("<ESP Preferences> Error in Encryption Algorithm 3DES-CBC : Bad Keylen (got %u Bits, need %lu)\n",
1868 }
1869 else
1875 /* RFC 3602 says :
1876 AES supports three key sizes: 128 bits, 192 bits,
1877 and 256 bits. The default key size is 128 bits,
1878 and all implementations MUST support this key size.
1879 Implementations MAY also support key sizes of 192
1880 bits and 256 bits. */
1882 /* Fix parameters for AES-CBC */
1887 {
1904 REPORT_DISSECTOR_BUG("<ESP Preferences> Error in Encryption Algorithm AES-CBC : Bad Keylen (%u Bits)\n",
1907 }
1912 /* RFC 2144 says :
1913 The CAST-128 encryption algorithm has been designed to allow a key
1914 size that can vary from 40 bits to 128 bits, in 8-bit increments
1915 (that is, the allowable key sizes are 40, 48, 56, 64, ..., 112, 120,
1916 and 128 bits.)
1917 We support only 128 bits. */
1919 /* Fix parameters for CAST5-CBC */
1924 {
1930 REPORT_DISSECTOR_BUG("<ESP Preferences> Error in Encryption Algorithm CAST5-CBC : Bad Keylen (%u Bits)\n",
1933 }
1937 /* RFC 2405 says :
1938 DES-CBC is a symmetric secret key algorithm.
1939 The key size is 64-bits.
1940 [It is commonly known as a 56-bit key as the key
1941 has 56 significant bits; the least significant
1942 bit in every byte is the parity bit.] */
1944 /* Fix parameters for DES-CBC */
1950 {
1951 REPORT_DISSECTOR_BUG("<ESP Preferences> Error in Encryption Algorithm DES-CBC : Bad Keylen (%u Bits, need %lu)\n",
1954 }
1955 else
1962 /* RFC 3686 says :
1963 AES supports three key sizes: 128 bits, 192 bits,
1964 and 256 bits. The default key size is 128 bits,
1965 and all implementations MUST support this key
1966 size. Implementations MAY also support key sizes
1967 of 192 bits and 256 bits. The remaining 32 bits
1968 will be used as nonce. */
1970 /* Fix parameters for AES-CTR/AES-GCM */
1973 /* The counter mode key includes a 4 byte nonce following the key, which is used as the salt */
1977 crypt_mode_libgcrypt =
1980 {
1997 REPORT_DISSECTOR_BUG("<ESP Preferences> Error in Encryption Algorithm %s : Bad Keylen (%u Bits)\n",
2001 }
2005 REPORT_DISSECTOR_BUG("<ESP Preferences> Error: AES-GCM encryption can only be used with NULL authentication\n");
2006 }
2008 }
2013 /* Twofish is a 128-bit block cipher developed by
2014 Counterpane Labs that accepts a variable-length
2015 key up to 256 bits.
2016 We will only accept key sizes of 128 and 256 bits.
2017 */
2019 /* Fix parameters for TWOFISH-CBC */
2024 {
2036 REPORT_DISSECTOR_BUG("<ESP Preferences> Error in Encryption Algorithm TWOFISH-CBC : Bad Keylen (%u Bits)\n",
2039 }
2044 /* Bruce Schneier of Counterpane Systems developed
2045 the Blowfish block cipher algorithm.
2046 RFC 2451 shows that Blowfish uses key sizes from
2047 40 to 448 bits. The Default size is 128 bits.
2048 We will only accept key sizes of 128 bits, because
2049 libgrypt only accept this key size.
2050 */
2052 /* Fix parameters for BLOWFISH-CBC */
2058 {
2059 REPORT_DISSECTOR_BUG("<ESP Preferences> Error in Encryption Algorithm BLOWFISH-CBC : Bad Keylen (%u Bits, need %lu)\n",
2062 }
2063 else
2073 /* The key includes a 4 byte nonce following the key, which is used as the salt */
2078 {
2095 REPORT_DISSECTOR_BUG("<ESP Preferences> Error in Encryption Algorithm AES_GCM16: Bad Keylen (%u Bits)\n",
2098 }
2110 /* The key includes a 4 byte nonce following the key, which is used as the salt */
2115 {
2116 REPORT_DISSECTOR_BUG("<ESP Preferences> Error in Encryption Algorithm CHACHA20_POLY1305: Bad Keylen (%u Bits, need %lu)\n",
2119 }
2120 else
2133 /* The counter mode key includes a 4 byte nonce following the key, which is used as the salt */
2138 {
2139 REPORT_DISSECTOR_BUG("<ESP Preferences> Error in Encryption Algorithm CHACHA20_POLY1305_IIV: Bad Keylen (%u Bits, need %lu)\n",
2142 }
2143 else
2150 /* Fix parameters */
2154 /* Allocate buffer for decrypted data */
2163 }
2167 /*
2168 * Zero or negative length of encrypted data shows that the user specified
2169 * wrong encryption algorithm and/or authentication algorithm.
2170 */
2173 }
2175 /*
2176 * Add the IV to the tree and store it in a packet scope buffer for later decryption
2177 * if the specified encryption algorithm uses IV.
2178 */
2187 }
2189 /*
2190 * Add the encrypted portion to the tree and store it in a packet scope buffer for later decryption.
2191 */
2193 encr_data_item = proto_tree_add_item(esp_tree, hf_esp_encrypted_data, tvb, offset, esp_encr_data_len, ENC_NA);
2195 esp_encr_data_len,
2201 /*
2202 * Verify that the encrypted payload data is properly aligned: The ciphertext length
2203 * needs to be a multiple of the of block size (which equals 1 for 'stream ciphers'
2204 * like AES-GCM and AES-CTR) and the ciphertext needs to terminate on a 4-byte boundary,
2205 * according to RFC 2406, section 2.4. Given the fact that all current block sizes are
2206 * powers of 2, only the stricter alignment requirement needs to be checked:
2207 */
2209 proto_item_append_text(encr_data_item, "[Invalid length, ciphertext should be a multiple of block size (%u)]",
2210 esp_block_len);
2213 proto_item_append_text(encr_data_item, "[Invalid length, ciphertext should terminate at 4-byte boundary]");
2215 }
2216 }
2219 /*
2220 * Add the ICV (Integrity Check Value) to the tree before decryption to ensure
2221 * the ICV be displayed even if the decryption fails.
2222 */
2227 esp_icv_len,
2232 }
2235 {
2236 /*
2237 * Allocate buffer for decrypted data.
2238 */
2244 /* (Lazily) create the cipher_hd */
2248 REPORT_DISSECTOR_BUG("<IPsec/ESP Dissector> Error in Algorithm %s Mode %d, grcy_open_cipher failed: %s\n",
2250 }
2251 else
2252 {
2253 /* OK, set the key */
2255 {
2260 REPORT_DISSECTOR_BUG("<IPsec/ESP Dissector> Error in Algorithm %s Mode %d, gcry_cipher_setkey(key_len=%u) failed: %s\n",
2261 gcry_cipher_algo_name(crypt_algo_libgcrypt), crypt_mode_libgcrypt, esp_encr_key_len, gcry_strerror(err));
2262 }
2263 }
2265 /* Key is created and has its key set now */
2267 }
2268 }
2270 /* Now try to decrypt */
2272 {
2275 /* Set CTR first */
2283 /* AES-CTR is used as fallback for AES-GCM (only) if gcrypt does not have AEAD ciphers.
2284 * The extra increment is necessary because AES-GCM reserves counter 0 for the final
2285 * step to create the authentication tag and starts encryption with counter 1.
2286 */
2288 }
2292 }
2293 }
2294 else if (esp_encr_algo == IPSEC_ENCRYPT_CHACHA20_POLY1305_IIV || esp_encr_algo == IPSEC_ENCRYPT_AES_GCM_16_IIV)
2295 {
2296 // Implicit IV, see https://www.rfc-editor.org/rfc/rfc8750.html
2305 }
2307 {
2308 // see https://www.rfc-editor.org/rfc/rfc7634.html
2316 }
2317 else
2318 {
2320 }
2324 REPORT_DISSECTOR_BUG("<IPsec/ESP Dissector> Error in Algorithm %s Mode %d, gcry_cipher_set%s() failed: %s\n",
2328 }
2332 /* Allocate buffer for ICV */
2336 err = gcry_cipher_authenticate(*cipher_hd, tvb_get_ptr(tvb, 0, ESP_HEADER_LEN), ESP_HEADER_LEN);
2343 }
2347 REPORT_DISSECTOR_BUG("<IPsec/ESP Dissector> Error in Algorithm %s Mode %d, gcry_cipher_authenticate() failed: %s\n",
2349 }
2350 }
2353 {
2354 err = gcry_cipher_decrypt(*cipher_hd, esp_decr_data, esp_decr_data_len, esp_encr_data, esp_encr_data_len);
2355 }
2358 {
2360 REPORT_DISSECTOR_BUG("<IPsec/ESP Dissector> Error in Algorithm %s, Mode %d, gcry_cipher_decrypt failed: %s\n",
2362 }
2363 else
2364 {
2365 /* Decryption has finished */
2372 tag_len = (auth_algo_libgcrypt == GCRY_MAC_POLY1305) ? 16 : (int)gcry_cipher_get_algo_blklen(crypt_algo_libgcrypt);
2375 fprintf (stderr, "<IPsec/ESP Dissector> Error in Algorithm %s, tag length (%d) is less than icv length (%d)\n",
2377 }
2383 REPORT_DISSECTOR_BUG("<IPsec/ESP Dissector> Error in Algorithm %s: gcry_cipher_gettag failed: %s",
2385 }
2394 }
2395 }
2396 }
2397 }
2398 }
2399 }
2401 {
2402 /* The packet does not belong to a Security Association */
2404 }
2407 {
2408 tvb_decrypted = tvb_new_child_real_data(tvb, (uint8_t *)wmem_memdup(pinfo->pool, esp_decr_data, esp_decr_data_len),
2412 item = proto_tree_add_item(esp_tree, hf_esp_decrypted_data, tvb_decrypted, 0, esp_decr_data_len, ENC_NA);
2413 proto_item_append_text(item, " (%d byte%s)", esp_decr_data_len, plurality(esp_decr_data_len, "", "s"));
2417 /* Make sure the packet is not truncated before the fields
2418 * we need to read to determine the encapsulated protocol */
2420 {
2427 {
2428 item = proto_tree_add_item(decr_tree, hf_esp_contained_data, tvb_decrypted, 0, esp_contained_data_len, ENC_NA);
2429 proto_item_append_text(item, " (%d byte%s)", esp_contained_data_len, plurality(esp_contained_data_len, "", "s"));
2431 /* Get the encapsulated protocol */
2436 /*
2437 * Recursively dissect the decrypted frame
2438 *
2439 * Note that the dissection restarts at the top level 'tree' here, not
2440 * at 'decr_tree', which is hidden inside the ESP subtree. This has
2441 * the effect that the protocol layers of the decrypted packet show up
2442 * in the protocol stack of the Packet Details Pane immediately below
2443 * the ESP layer, which is more intuitive and practical for the user.
2444 */
2452 }
2453 }
2454 }
2457 {
2459 {
2462 tvb_decrypted,
2468 esp_pad_len);
2472 encapsulated_protocol,
2475 }
2476 }
2477 else
2478 {
2480 esp_decr_data_len);
2483 }
2484 }
2485 }
2487 /*
2488 If the packet is present in the security association database and the field g_esp_enable_authentication_check set.
2489 */
2491 {
2492 next_tvb = tvb_new_subset_length_caplen(tvb, ESP_HEADER_LEN, esp_packet_len - ESP_HEADER_LEN - esp_icv_len, -1);
2495 }
2496 /* The packet does not belong to a security association and the field g_esp_enable_null_encryption_decode_heuristic is set */
2498 {
2500 {
2502 }
2505 {
2508 {
2509 /* Make sure we have the auth trailer data */
2511 {
2513 }
2514 else
2515 {
2516 /* Truncated so just display what we have */
2520 }
2521 }
2522 }
2523 }
2540 }
2541 }
2545 }
2548 }
2557 }
2560 }
2563 static int
2565 {
2570 dissector_handle_t dissector_handle;
2574 /*
2575 * load the top pane info. This should be overwritten by
2576 * the next protocol in the stack
2577 */
2583 /*
2584 * populate a tree in the second pane with the status of the link layer
2585 * (ie none)
2586 */
2593 proto_tree_add_item_ret_uint(ipcomp_tree, hf_ipcomp_cpi, tvb, 2, 2, ENC_BIG_ENDIAN, &comp_cpi);
2595 col_add_fstr(pinfo->cinfo, COL_INFO, "IPComp (CPI=%s)", val_to_str(comp_cpi, cpi2val, "0x%04x"));
2601 /*
2602 * try to uncompress as if it were DEFLATEd. With negotiated
2603 * CPIs, we don't know the algorithm beforehand; if we get it
2604 * wrong, tvb_child_uncompress_zlib() returns NULL and nothing is displayed.
2605 */
2615 }
2619 }
2622 }
2625 {
2626 /* Free any SA records added by other dissectors */
2630 }
2632 /* Free overall block of records */
2636 }
2638 void
2640 {
2643 { "Next header", "ah.next_header", FT_UINT8, BASE_DEC | BASE_EXT_STRING, &ipproto_val_ext, 0x0,
2660 };
2705 };
2717 };
2725 };
2728 { &ei_esp_sequence_analysis_wrong_sequence_number, { "esp.sequence-analysis.wrong-sequence-number", PI_SEQUENCE, PI_WARN, "Wrong Sequence Number", EXPFILL }},
2729 { &ei_esp_pad_bogus, { "esp.pad.bogus", PI_PROTOCOL, PI_WARN, "Padding MUST increment starting with 1 [RFC 4303 2.4]", EXPFILL }}
2730 };
2737 };
2743 };
2750 UAT_FLD_VS(uat_esp_sa_records, encryption_algo, "Encryption", esp_encryption_type_vals, "Encryption algorithm"),
2751 UAT_FLD_CSTRING(uat_esp_sa_records, encryption_key_string, "Encryption Key", "Encryption Key"),
2752 UAT_FLD_VS(uat_esp_sa_records, authentication_algo, "Authentication", esp_authentication_type_vals, "Authentication algorithm"),
2753 UAT_FLD_CSTRING(uat_esp_sa_records, authentication_key_string, "Authentication Key", "Authentication Key"),
2755 UAT_FLD_HEX(uat_esp_sa_records, sn_upper, "ESN High Bits", "Extended Sequence Number upper 32 bits (hex)"),
2756 UAT_END_FIELDS
2757 };
2791 "This is done only if the Decoding is not SET or the packet does not belong to a SA. "
2792 "Tries ICV lengths of 12, 16, 24, and 32 bytes, checks for valid padding, "
2793 "and attempts to decode based on the derived Next Header field. "
2799 "RFC 4303 2.4 requires that padding bytes, if present, MUST "
2800 "be the monotonically increasing sequence 1, 2, 3, …. "
2801 "Some implementations add non-compliant padding. "
2802 "This option determines what, if any, non-compliant padding "
2803 "the NULL encryption heuristic will allow. "
2804 "WARNING: Allowing non-compliant padding can lead to "
2810 "Check that successive frames increase sequence number by 1 within an SPI. This should work OK when only one host is sending frames on an SPI",
2846 esp_uat);
2848 esp_sequence_analysis_hash = wmem_map_new_autoreset(wmem_epan_scope(), wmem_file_scope(), g_direct_hash, g_direct_equal);
2849 esp_sequence_analysis_report_hash = wmem_map_new_autoreset(wmem_epan_scope(), wmem_file_scope(), g_direct_hash, g_direct_equal);
2859 }
2861 void
2863 {
2878 }
2880 /*
2881 * Editor modelines
2882 *
2883 * Local Variables:
2884 * c-basic-offset: 2
2885 * tab-width: 8
2886 * indent-tabs-mode: nil
2887 * End:
2888 *
2889 * ex: set shiftwidth=2 tabstop=8 expandtab:
2890 * :indentSize=2:tabSize=8:noTabs=true:
2891 */