Ethereal-dev: Re: SV: [Ethereal-dev] IPsec Dissector to decrypt ESP Payload

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Frederic Roudaut" <frederic.roudaut@xxxxxxxx>
Date: Tue, 28 Mar 2006 13:24:29 +0200 (CEST)
Hi,

> Hi,
> I have checked in your patch with a change:
> #ifdef HAVE_LIBCRYPT
> #define __USE_LIBGCRYPT__
> #endif
> (Please check if that's correct).
>

Yes, it seems to be. Nevertheless I modified the comments in the ESP
preference since they seem to have been truncated ... perhaps because of
your or my editor.
I have also changed hf_esp_pad to hf_esp.pad_len because I used to process
the PDML output. (It means that now in the output I also have
"esp.pad_len").

> Can you please put the information from the readme file on the wiki
> protocol
> pages.
> Brg
> Anders

As a consequence I also modified the README. Where do you want me to put the
README, in fact? In the InternetProtocolFamily section? Do I have to do a
new section for the Network layer (IPSEC) or something similar? It seems that
I have to adapt the README to take into account the format you have
defined, right?


Something completely different. As I wrote, I used to check the PDML output.
Thus I noticed that the following fields are not present in the output:

- Ripng : MustBeZero
- ICMPv6 Neighbor Solicitation : Reserved
- ICMPv6 Router Solicitation : Reserved
- ICMPv6 Destination Unreachable : Unused
- ICMPv6 MTU option : Reserved
- TCP : UrgentPointer
- TCP : ack when the ack bit is not set.

I modified some of them; is there a need for this?


Best Regards,

Frederic Roudaut

>
> -----Original message-----
> From: ethereal-dev-bounces@xxxxxxxxxxxx
> [mailto:ethereal-dev-bounces@xxxxxxxxxxxx] On behalf of Frederic Roudaut
> Sent: 25 February 2006 14:02
> To: Ethereal development
> Cc: Ethereal development
> Subject: RE: [Ethereal-dev] IPsec Dissector to decrypt ESP Payload
>
>
> Hi
>
>
> I just added a #define __USE_LIBGCRYPT__ that you have to set to be able to
> decrypt the ESP payload. Otherwise, if it is not set, the original IPSEC
> dissector is compiled. I also noticed that on current stable Ethereal
> versions gnutls is not linked.
> Thus you have to install libgcrypt and do:
>
> LDFLAGS=-lgcrypt ./configure && make
>
> For windows you should get:
>
> http://gnunet.org/download/win/libgcrypt-1.2.1.zip
>
> and do something similar.
>
> Best regards
> ---
> Frederic
>
>
>> Paolo,
>>
>> Is there a way to compile the dissector on Windows? The sourceforge
>> rep
>> (gnutls-win32-msvc.tgz) does not include the winposixtype.h and the
>> gcrypt.h.
>>
>> TIA
>>
>> Thomas
>>
>>
>>> --- Original message ---
>>> From: "Filonenko Alexander-AAF013" <AAF013@xxxxxxxxxxxx>
>>> To: "Ethereal development" <ethereal-dev@xxxxxxxxxxxx>
>>> Subject: RE: [Ethereal-dev] IPsec Dissector to decrypt ESP Payload
>>> Date: Fri, 24 Feb 2006 17:42:44 -0500
>>>
>>> Frederic,
>>>
>>> I find the IPsec functionality you have added to the dissector very useful.
>>> I hope I can provide you with some feedback in a few weeks.
>>>
>>> Thank you,
>>> Alex Filonenko
>>>
>>> > -----Original Message-----
>>> > From: ethereal-dev-bounces@xxxxxxxxxxxx
>>> > [mailto:ethereal-dev-bounces@xxxxxxxxxxxx] On Behalf Of
>>> > Frederic Roudaut
>>> > Sent: Friday, February 24, 2006 10:01 AM
>>> > To: Ethereal development
>>> > Subject: [Ethereal-dev] IPsec Dissector to decrypt ESP Payload
>>> >
>>> >
>>> > Hi,
>>> >
>>> > Finally, I have updated my dissector using libgcrypt.
>>> > It does not use openssl anymore.
>>> > If gnutls is installed, all should work.
>>> > Thus, now it should decrypt and dissect
>>> > (transport/tunnel/several encapsulations ...):
>>> >
>>> > - NULL Encryption Algorithm
>>> > - TripleDES-CBC [RFC2451] : keylen 192 bits.
>>> > - AES-CBC with 128-bit keys [RFC3602] : keylen 128 and 192/256 bits.
>>> > - AES-CTR [RFC3686] : keylen 160/224/288 bits. The remaining
>>> > 32 bits will be used as nonce.
>>> > - DES-CBC [RFC2405] : keylen 64 bits
>>> >
>>> > I also have added :
>>> >
>>> > - BLOWFISH-CBC : keylen 128 bits.
>>> > - TWOFISH-CBC : keylen 128/256 bits.
>>> >
>>> > You have to indicate the authentication algorithm, even if all
>>> > algorithms should work since each uses 12 bytes in the Auth field
>>> > (have a look at the README to understand why I put it
>>> > ;-) ). If you consider that I have to throw it away, please tell me.
>>> >
>>> > HMAC-SHA1-96 [RFC2404]
>>> > NULL
>>> > AES-XCBC-MAC-96 [RFC3566]
>>> > HMAC-MD5-96 [RFC2403]
>>> >
>>> > In the attachment you will get :
>>> > - this dissector
>>> > - a new README
>>> > - some example capture files with associated preferences
>>> > files (and setkey config files)
>>> >
>>> >
>>> > Best Regards,
>>> >
>>> >
>>> > ----
>>> > Frederic
>>> >
>>> >
>>> > --
>>> > Frédéric ROUDAUT
>>> > IRISA-INRIA, Campus de Beaulieu, 35042 Rennes cedex, France
>>> > Tel: +33 (0) 2 99 84 71 44, Fax: +33 (0) 2 99 84 71 71
>>> >
>>> >
>>> _______________________________________________
>>> Ethereal-dev mailing list
>>> Ethereal-dev@xxxxxxxxxxxx
>>> http://www.ethereal.com/mailman/listinfo/ethereal-dev
>>>
>>
>>
>
>
>

Attachment: README_DISSECTOR_IPSEC_1.2
Description: Binary data
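Added example, not code from the thread or from the Ethereal source: a small Python parser that locates the ESP trailer with the same `length - auth_len - 2` arithmetic the dissector uses, adds the bounds check on the packet-supplied pad length that the patch below relies on implicitly, and handles the NULL-authentication case (auth_len 0) alongside the 12-byte ICV of the -96 MACs listed in the thread. The sample packet builder, the `AUTH_LEN` table and all function names are constructed here for illustration.

```python
import struct

# ESP layout as the thread's dissector handles it, after decryption (RFC 2406):
#   SPI(4) | Seq(4) | [IV + ] payload | padding | pad_len(1) | next_header(1) | ICV(auth_len)
# auth_len is 12 for the *-96 MACs the thread lists and 0 for NULL authentication,
# which is why the SA preference has to name the authentication algorithm.
AUTH_LEN = {"NULL": 0, "HMAC-SHA1-96": 12, "HMAC-MD5-96": 12, "AES-XCBC-MAC-96": 12}
ESP_HDR_LEN = 8

def parse_esp_trailer(pkt: bytes, auth_alg: str) -> dict:
    """Locate the trailer with the same arithmetic as the dissector
    (len - auth_len - 2), but validate pad_len before using it as an offset."""
    auth_len = AUTH_LEN[auth_alg]
    if len(pkt) < ESP_HDR_LEN + 2 + auth_len:
        raise ValueError("packet too short for ESP header, trailer and ICV")
    spi, seq = struct.unpack("!II", pkt[:ESP_HDR_LEN])
    trailer_off = len(pkt) - auth_len - 2       # offset of the pad_len byte
    pad_len, next_header = pkt[trailer_off], pkt[trailer_off + 1]
    if pad_len > trailer_off - ESP_HDR_LEN:     # packet-controlled byte: bound it
        raise ValueError(f"pad_len {pad_len} exceeds the available payload")
    padding = pkt[trailer_off - pad_len:trailer_off]
    return {
        "spi": spi, "seq": seq,
        "payload": pkt[ESP_HDR_LEN:trailer_off - pad_len],  # any IV is still inside
        "pad_len": pad_len,
        "padding_ok": padding == bytes(range(1, pad_len + 1)),  # RFC 2406 default pad
        "next_header": next_header,
        "icv": pkt[trailer_off + 2:],           # b"" when auth_alg is NULL
    }

def build_sample(payload: bytes, next_header: int, auth_len: int, spi=0x45, seq=1) -> bytes:
    """Constructed sample packet (not a real capture): pads so that the trailer
    ends on a 4-byte boundary and appends a dummy 0xAA ICV of the given length."""
    pad_len = (-(len(payload) + 2)) % 4
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    return struct.pack("!II", spi, seq) + payload + trailer + b"\xAA" * auth_len
```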

--- packet-ipsec.c	2006-03-28 12:47:47.000000000 +0200
+++ packet-ipsec-new.c	2006-03-28 12:19:29.000000000 +0200
@@ -55,6 +55,8 @@
 */
 
 /* If you want to be able to decrypt ESP packets you MUST define this : */
+#define HAVE_LIBCRYPT
+
 #ifdef HAVE_LIBCRYPT
 #define __USE_LIBGCRYPT__ 
 #endif
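Review bot: the unconditional `#define HAVE_LIBCRYPT` added just above the `#ifdef HAVE_LIBCRYPT` guard makes that guard a no-op, so `__USE_LIBGCRYPT__` is always set and the file no longer builds without libgcrypt, which is exactly what the conditional from the preceding reply was meant to avoid. Drop the two added lines and let the build system define the macro; the comment "If you want to be able to decrypt ESP packets you MUST define this" already tells a local builder what to do.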
@@ -85,7 +87,7 @@
 static int proto_esp = -1;
 static int hf_esp_spi = -1;
 static int hf_esp_sequence = -1;
-static int hf_esp_pad = -1;
+static int hf_esp_pad_len = -1;
 static int hf_esp_protocol = -1;
 static int proto_ipcomp = -1;
 static int hf_ipcomp_flags = -1;
@@ -733,7 +735,7 @@
 */
 #ifdef __USE_LIBGCRYPT__
 static gboolean
-esp_sa_parse_addr_len(const gchar *sa, guint index_start, guint *len, guint *index_end)
+esp_sa_parse_addr_len(const gchar *sa, guint index_start, gint *len, guint *index_end)
 {  
   guint cpt = 0;
   guint strlen_max = 3;  
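Review bot: changing `len` from `guint *` to `gint *` alters the signedness of a value whose neighbours (`cpt`, `strlen_max`) stay `guint`, so every comparison or assignment between them and `*len` inside the function becomes a signed/unsigned mix and needs checking; add a comment on the prototype stating why a length may now be negative, otherwise the change reads as accidental.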
@@ -872,8 +874,8 @@
   gchar *src_string;
   gchar *dst_string;
   gchar *spi_string;
-  guint src_len = 0; 
-  guint dst_len = 0;
+  gint src_len = 0; 
+  gint dst_len = 0;
   gchar *src; 
   gchar *dst;   
   gchar *sa;
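Review bot: `src_len` and `dst_len` follow the prototype change in `esp_sa_parse_addr_len`, but the diff does not show their consumers; if either value is later used as a size for allocation, copying or tvb access, a negative result must be rejected before that use. Also, the `gint src_len = 0; ` line carries trailing whitespace.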
@@ -1951,9 +1953,9 @@
 		      {	  
 			if(esp_pad_len !=0)
 			  {
-			    proto_tree_add_text(esp_tree, tvb_decrypted, decrypted_len - esp_auth_len - 2 - esp_pad_len, esp_pad_len,"PAD");
+			    proto_tree_add_text(esp_tree, tvb_decrypted, decrypted_len - esp_auth_len - 2 - esp_pad_len, esp_pad_len,"Pad");
 			  }
-			proto_tree_add_uint(esp_tree, hf_esp_pad, tvb_decrypted,
+			proto_tree_add_uint(esp_tree, hf_esp_pad_len, tvb_decrypted,
 					    decrypted_len - esp_auth_len - 2, 1,
 					    esp_pad_len);
 			proto_tree_add_uint(esp_tree, hf_esp_protocol, tvb_decrypted,
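Review bot: the offset `decrypted_len - esp_auth_len - 2 - esp_pad_len` is built from the packet's own pad-length byte with only the `!= 0` check, so a pad length larger than the remaining payload drives the offset below the ESP header before `proto_tree_add_text` sees it; check `esp_pad_len` against `decrypted_len - esp_auth_len - 2` (minus the header) first and mark the packet malformed when it does not fit. The "PAD" to "Pad" label change is fine.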
@@ -1962,7 +1964,7 @@
 			
 			if(esp_auth_len == 0)
 			  {
-			    proto_tree_add_text(esp_tree, tvb_decrypted, decrypted_len, decrypted_len,
+			    proto_tree_add_text(esp_tree, tvb_decrypted, decrypted_len, esp_auth_len,
 						"NULL Authentication");			    
 			  }
 			
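Review bot: inside `if(esp_auth_len == 0)` the new length argument `esp_auth_len` is always 0, so the item is a zero-length placeholder at offset `decrypted_len`; pass a literal 0 with a one-line comment saying the empty item is intentional, otherwise the next reader will "correct" it. The replaced call passed `decrypted_len` as the length, which ran past the end of `tvb_decrypted`.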
@@ -2033,7 +2035,7 @@
         
         if(auth_decode_ok)
 	  {
-	    proto_tree_add_uint(esp_tree, hf_esp_pad, tvb,
+	    proto_tree_add_uint(esp_tree, hf_esp_pad_len, tvb,
 				len - 14, 1,
 				esp_pad_len);
 	    proto_tree_add_uint(esp_tree, hf_esp_protocol, tvb,
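Review bot: `len - 14` hard-codes a 12-byte ICV plus the two trailer bytes, while the decrypted path earlier in the diff computes the same position as `decrypted_len - esp_auth_len - 2`; use `esp_auth_len` here as well (or a named constant for the 12) so that a NULL-authentication SA, which the dissector supports, does not misplace the pad length and next header.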
@@ -2142,8 +2144,8 @@
     { &hf_esp_sequence,
       { "Sequence",     "esp.sequence",	FT_UINT32,	BASE_DEC, NULL, 0x0,
       	"", HFILL }},
-    { &hf_esp_pad,
-      { "Pad Length",	"esp.pad",	FT_UINT8,	BASE_DEC, NULL, 0x0,
+    { &hf_esp_pad_len,
+      { "Pad Length",	"esp.pad_len",	FT_UINT8,	BASE_DEC, NULL, 0x0,
       	"", HFILL }},
     { &hf_esp_protocol,
       { "Next Header",	"esp.protocol",	FT_UINT8,	BASE_HEX, NULL, 0x0,
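Review bot: renaming the filter field from `esp.pad` to `esp.pad_len` is user-visible: saved display filters and PDML consumers that match on `esp.pad` stop working, so note it in the README or release notes. While here, the blurb for these fields is the empty string ""; a short description such as "Length of ESP padding in bytes" costs nothing.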
@@ -2271,27 +2273,8 @@
 	    
       prefs_register_string_preference(esp_module, str_sa,
 				       str_sa_comment,
-				       "This field uses the following syntax : \042<Protocol|Source Address|Destination Adress|SPI\042. "
-					   "<Protocol>: either IPv4, IPv6 (upper and/or lowercase letters). <SPI> : the Security Parameter Index "
-					   "of the Security Association. You may indicate it in decimal (ex: 123) or in hexadecimal (ex: 0x45). "
-					   "The special keywords '*' may be used to match any SPI.Nevertheless, if you use more than one '*', "
-					   "it will restrict the length of the SPI in decimal to as many '*' as indicated. For example '**' will "
-					   "match 23 but not 234. 234 will be match by '***'. No checking will be done on the SPI value. Thus you"
-					   "have to take into account that the SPI is 4 bytes length. <Addresses> : In this field we may have IPv6 "
-					   "or IPv4 address. Any address is a combination of an address or a prefix and a Prefixlen/Netmask separated "
-					   "by '/'. You may omit the Prefixlen/Netmask, assuming that the Adress is 128 bits length for IPv6 and 32 "
-					   "bits length for IPv4. The character '*' used at the Prefixlen/Netmask position will be as if you had omit it."
-					   " <IPv6 Addresses> : Any valid IPv6 address is accepted. ex: 3FFE::1/128, 3FFE:4:5:6666::/64, ::1/128, 3FFE:4::5 ."
-					   "If your address is incorrect and longer than 16 bytes, only the last 16 bytes will be taken into account. You also "
-					   "may use the special character '*' to indicate any 4 bits block. ie : 3ffe::45*6. If you use only one '*' in the "
-					   "Address field it will accept any IPv6 address. <IPv4 Addresses> : Any valid IPv4 address is accepted."
-					   " ex : 190.0.0.1/24, 10.0.0.2 .You also may use the special character '*' to indicate any 8 bits block."
-					   " ie : 190.*.*.3. If you use only one '*' in the Address field it will accept any IPv4 address. No checking "
-					   "of correct IPv4 address will be done. For example 456.345.567.890 will be accepted. Thus you have to take care "
-					   "about what you write. Nevertheless only 3 characters will be taken into account for one byte. "
-					   "Ex : 190.0.0.0184 will not be considered correct. (Instead a kind of LRU Mechanism will be used and the address taken into "
-					   "account will be 190.0.0.418). Moreover only the four first values will be used (Ie 190.0.0.12.13 will be considered as 190.0.0.12).",
-				       &g_esp_sad.table[i].sa);
+"This field uses the following syntax : \"Protocol|Source Address|Destination Adress|SPI\". <Protocol>: either IPv4, IPv6 (upper and/or lowercase letters). <SPI> : the Security Parameter Index of the Security Association. You may indicate it in decimal (ex: 123) or in hexadecimal (ex: 0x45). The special keywords '*' may be used to match any SPI.Nevertheless, if you use more than one '*', it will restrict the length of the SPI in decimal to as many '*' as indicated. For example '**' will match 23 but not 234. 234 will be match by '***'. No checking will be done on the SPI value. Thus you have to take into account that the SPI is 4 bytes length. <Addresses> : In this field we may have IPv6 or IPv4 address. Any address is a combination of an address or a prefix and a Prefixlen/Netmask separated by '/'. You may omit the Prefixlen/Netmask, assuming that the Adress is 128 bits length for IPv6 and 32 bits length for IPv4. The character '*' used at the Prefixlen/Netmask position wil
 l be as if you had omit it. <IPv6 Addresses> : Any valid IPv6 address is accepted. ex: 3FFE::1/128, 3FFE:4:5:6666::/64, ::1/128, 3FFE:4::5 . If your address is incorrect and longer than 16 bytes, only the last 16 bytes will be taken into account. You also may use the special character '*' to indicate any 4 bits block. ie : 3ffe::45*6. If you use only one '*' in the Address field it will accept any IPv6 address. <IPv4 Addresses> : Any valid IPv4 address is accepted. ex : 190.0.0.1/24, 10.0.0.2 .You also may use the special character '*' to indicate any 8 bits block. ie : 190.*.*.3. If you use only one '*' in the Address field it will accept any IPv4 address. No checking of correct IPv4 address will be done. For example 456.345.567.890 will be accepted. Thus you have to take care about what you write. Nevertheless only 3 characters will be taken into account for one byte. Ex : 190.0.0.0184 will not be considered correct. (Instead a kind of LRU Mechanism will be used and the ad
 dress taken into account will be 190.0.0.418). Moreover only the four first values will be used (Ie 190.0.0.12.13 will be considered as 190.0.0.12).",
+		       &g_esp_sad.table[i].sa);
       
       
       char *str_encryption_algorithm = (char *) g_malloc(21 + g_max_esp_size_nb_sa + 2);
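Review bot: collapsing the multi-line string literal into a single line is a readability regression, and that line has also been wrapped by the mailer (see the splits "wil" / "l be" and "ad" / "dress"), so the patch as posted will not apply cleanly; keep the adjacent-literal form of the removed lines. The text itself still carries the defects worth fixing in the same pass: "Adress" (twice), "SPI.Nevertheless" (missing space), "will be match by", and the leading "<" of "<Protocol|..." was dropped when `\042` became `\"`.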