1 /*
2 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. Neither the name of the project nor the names of its contributors
14 * may be used to endorse or promote products derived from this software
15 * without specific prior written permission.
16 *
17 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27 * SUCH DAMAGE.
28 *
29 */
30
31 #define NETDISSECT_REWORKED
32 #ifdef HAVE_CONFIG_H
33 #include "config.h"
34 #endif
35
36 /* The functions from print-esp.c used in this file are only defined when both
37 * OpenSSL and evp.h are detected. Employ the same preprocessor device here.
38 */
39 #ifndef HAVE_OPENSSL_EVP_H
40 #undef HAVE_LIBCRYPTO
41 #endif
42
43 #include <tcpdump-stdinc.h>
44
45 #include <string.h>
46
47 #include <stdio.h>
48
49 #include "interface.h"
50 #include "addrtoname.h"
51 #include "extract.h" /* must come after interface.h */
52
53 #include "ip.h"
54 #ifdef INET6
55 #include "ip6.h"
56 #endif
57
/*
 * Fallback for platforms without struct sockaddr_storage.
 * NOTE(review): struct sockaddr is much smaller than struct sockaddr_in6,
 * yet cookie_record()/cookie_sidecheck() below cast cookiecache[].iaddr/raddr
 * to sockaddr_in6 when INET6 is defined. Confirm the build never enables
 * INET6 without HAVE_SOCKADDR_STORAGE, or the cache entries overflow.
 */
#ifndef HAVE_SOCKADDR_STORAGE
#define sockaddr_storage sockaddr
#endif
61
62 /* refer to RFC 2408 */
63
64 typedef u_char cookie_t[8];
65 typedef u_char msgid_t[4];
66
67 #define PORT_ISAKMP 500
68
69 /* 3.1 ISAKMP Header Format (IKEv1 and IKEv2)
70 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
71 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
72 ! Initiator !
73 ! Cookie !
74 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
75 ! Responder !
76 ! Cookie !
77 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
78 ! Next Payload ! MjVer ! MnVer ! Exchange Type ! Flags !
79 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
80 ! Message ID !
81 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
82 ! Length !
83 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
84 */
/*
 * Fixed 28-byte ISAKMP/IKE header shared by IKEv1 and IKEv2 (RFC 2408 3.1).
 * All multi-byte fields are in network byte order on the wire; this struct
 * is only ever overlaid on packet data or filled by unaligned copies, so
 * fields must be read through ntohl()/EXTRACT_* and never assumed aligned.
 */
struct isakmp {
	cookie_t i_ck;		/* Initiator Cookie */
	cookie_t r_ck;		/* Responder Cookie */
	u_int8_t np;		/* Next Payload Type */
	u_int8_t vers;		/* high nibble = major, low nibble = minor */
#define ISAKMP_VERS_MAJOR	0xf0
#define ISAKMP_VERS_MAJOR_SHIFT	4
#define ISAKMP_VERS_MINOR	0x0f
#define ISAKMP_VERS_MINOR_SHIFT	0
	u_int8_t etype;		/* Exchange Type */
	u_int8_t flags;		/* Flags */
	msgid_t msgid;
	u_int32_t len;		/* Length: total message length, header included */
};
99
100 /* Next Payload Type */
101 #define ISAKMP_NPTYPE_NONE 0 /* NONE*/
102 #define ISAKMP_NPTYPE_SA 1 /* Security Association */
103 #define ISAKMP_NPTYPE_P 2 /* Proposal */
104 #define ISAKMP_NPTYPE_T 3 /* Transform */
105 #define ISAKMP_NPTYPE_KE 4 /* Key Exchange */
106 #define ISAKMP_NPTYPE_ID 5 /* Identification */
107 #define ISAKMP_NPTYPE_CERT 6 /* Certificate */
108 #define ISAKMP_NPTYPE_CR 7 /* Certificate Request */
109 #define ISAKMP_NPTYPE_HASH 8 /* Hash */
110 #define ISAKMP_NPTYPE_SIG 9 /* Signature */
111 #define ISAKMP_NPTYPE_NONCE 10 /* Nonce */
112 #define ISAKMP_NPTYPE_N 11 /* Notification */
113 #define ISAKMP_NPTYPE_D 12 /* Delete */
114 #define ISAKMP_NPTYPE_VID 13 /* Vendor ID */
115 #define ISAKMP_NPTYPE_v2E 46 /* v2 Encrypted payload */
116
117 #define IKEv1_MAJOR_VERSION 1
118 #define IKEv1_MINOR_VERSION 0
119
120 #define IKEv2_MAJOR_VERSION 2
121 #define IKEv2_MINOR_VERSION 0
122
123 /* Flags */
124 #define ISAKMP_FLAG_E 0x01 /* Encryption Bit */
125 #define ISAKMP_FLAG_C 0x02 /* Commit Bit */
126 #define ISAKMP_FLAG_extra 0x04
127
128 /* IKEv2 */
129 #define ISAKMP_FLAG_I (1 << 3) /* (I)nitiator */
130 #define ISAKMP_FLAG_V (1 << 4) /* (V)ersion */
131 #define ISAKMP_FLAG_R (1 << 5) /* (R)esponse */
132
133
134 /* 3.2 Payload Generic Header
135 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
136 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
137 ! Next Payload ! RESERVED ! Payload Length !
138 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
139 */
/*
 * Generic 4-byte header that prefixes every payload (RFC 2408 3.2).
 * len is the on-the-wire payload length and includes this header itself;
 * it is attacker-controlled, so a value smaller than sizeof(struct
 * isakmp_gen) or larger than the remaining data must be treated as
 * malformed by whoever walks the payload chain.
 */
struct isakmp_gen {
	u_int8_t  np;       /* Next Payload */
	u_int8_t  critical; /* bit 7 - critical (IKEv2), rest is RESERVED */
	u_int16_t len;      /* Payload Length */
};
145
146 /* 3.3 Data Attributes
147 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
148 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
149 !A! Attribute Type ! AF=0 Attribute Length !
150 !F! ! AF=1 Attribute Value !
151 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
152 . AF=0 Attribute Value .
153 . AF=1 Not Transmitted .
154 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
155 */
/*
 * Data attribute header (RFC 2408 3.3). The top bit of `type` is the
 * Attribute Format (AF) flag: AF=1 means `lorv` is the 2-byte value and
 * the attribute is exactly 4 bytes long; AF=0 means `lorv` is the length
 * of a variable-size value that follows this header (see
 * ikev1_attrmap_print(), which sizes the attribute as 4 or 4 + lorv).
 */
struct isakmp_data {
	u_int16_t type;     /* defined by DOI-spec, and Attribute Format */
	u_int16_t lorv;     /* if AF equal 0, Attribute Length (value follows) */
			    /* if AF equal 1, Attribute Value (inline) */
};
162
163 /* 3.4 Security Association Payload */
164 /* MAY NOT be used, because of being defined in ipsec-doi. */
165 /*
166 If the current payload is the last in the message,
167 then the value of the next payload field will be 0.
168 This field MUST NOT contain the
169 values for the Proposal or Transform payloads as they are considered
170 part of the security association negotiation. For example, this
171 field would contain the value "10" (Nonce payload) in the first
172 message of a Base Exchange (see Section 4.4) and the value "0" in the
173 first message of an Identity Protect Exchange (see Section 4.5).
174 */
175 struct ikev1_pl_sa {
176 struct isakmp_gen h;
177 u_int32_t doi; /* Domain of Interpretation */
178 u_int32_t sit; /* Situation */
179 };
180
181 /* 3.5 Proposal Payload */
182 /*
183 The value of the next payload field MUST only contain the value "2"
184 or "0". If there are additional Proposal payloads in the message,
185 then this field will be 2. If the current Proposal payload is the
186 last within the security association proposal, then this field will
187 be 0.
188 */
189 struct ikev1_pl_p {
190 struct isakmp_gen h;
191 u_int8_t p_no; /* Proposal # */
192 u_int8_t prot_id; /* Protocol */
193 u_int8_t spi_size; /* SPI Size */
194 u_int8_t num_t; /* Number of Transforms */
195 /* SPI */
196 };
197
198 /* 3.6 Transform Payload */
199 /*
200 The value of the next payload field MUST only contain the value "3"
201 or "0". If there are additional Transform payloads in the proposal,
202 then this field will be 3. If the current Transform payload is the
203 last within the proposal, then this field will be 0.
204 */
205 struct ikev1_pl_t {
206 struct isakmp_gen h;
207 u_int8_t t_no; /* Transform # */
208 u_int8_t t_id; /* Transform-Id */
209 u_int16_t reserved; /* RESERVED2 */
210 /* SA Attributes */
211 };
212
213 /* 3.7 Key Exchange Payload */
214 struct ikev1_pl_ke {
215 struct isakmp_gen h;
216 /* Key Exchange Data */
217 };
218
219 /* 3.8 Identification Payload */
220 /* MUST NOT to be used, because of being defined in ipsec-doi. */
221 struct ikev1_pl_id {
222 struct isakmp_gen h;
223 union {
224 u_int8_t id_type; /* ID Type */
225 u_int32_t doi_data; /* DOI Specific ID Data */
226 } d;
227 /* Identification Data */
228 };
229
230 /* 3.9 Certificate Payload */
231 struct ikev1_pl_cert {
232 struct isakmp_gen h;
233 u_int8_t encode; /* Cert Encoding */
234 char cert; /* Certificate Data */
235 /*
236 This field indicates the type of
237 certificate or certificate-related information contained in the
238 Certificate Data field.
239 */
240 };
241
242 /* 3.10 Certificate Request Payload */
243 struct ikev1_pl_cr {
244 struct isakmp_gen h;
245 u_int8_t num_cert; /* # Cert. Types */
246 /*
247 Certificate Types (variable length)
248 -- Contains a list of the types of certificates requested,
249 sorted in order of preference. Each individual certificate
250 type is 1 octet. This field is NOT requiredo
251 */
252 /* # Certificate Authorities (1 octet) */
253 /* Certificate Authorities (variable length) */
254 };
255
256 /* 3.11 Hash Payload */
257 /* may not be used, because of having only data. */
258 struct ikev1_pl_hash {
259 struct isakmp_gen h;
260 /* Hash Data */
261 };
262
263 /* 3.12 Signature Payload */
264 /* may not be used, because of having only data. */
265 struct ikev1_pl_sig {
266 struct isakmp_gen h;
267 /* Signature Data */
268 };
269
270 /* 3.13 Nonce Payload */
271 /* may not be used, because of having only data. */
272 struct ikev1_pl_nonce {
273 struct isakmp_gen h;
274 /* Nonce Data */
275 };
276
277 /* 3.14 Notification Payload */
278 struct ikev1_pl_n {
279 struct isakmp_gen h;
280 u_int32_t doi; /* Domain of Interpretation */
281 u_int8_t prot_id; /* Protocol-ID */
282 u_int8_t spi_size; /* SPI Size */
283 u_int16_t type; /* Notify Message Type */
284 /* SPI */
285 /* Notification Data */
286 };
287
288 /* 3.14.1 Notify Message Types */
289 /* NOTIFY MESSAGES - ERROR TYPES */
290 #define ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE 1
291 #define ISAKMP_NTYPE_DOI_NOT_SUPPORTED 2
292 #define ISAKMP_NTYPE_SITUATION_NOT_SUPPORTED 3
293 #define ISAKMP_NTYPE_INVALID_COOKIE 4
294 #define ISAKMP_NTYPE_INVALID_MAJOR_VERSION 5
295 #define ISAKMP_NTYPE_INVALID_MINOR_VERSION 6
296 #define ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE 7
297 #define ISAKMP_NTYPE_INVALID_FLAGS 8
298 #define ISAKMP_NTYPE_INVALID_MESSAGE_ID 9
299 #define ISAKMP_NTYPE_INVALID_PROTOCOL_ID 10
300 #define ISAKMP_NTYPE_INVALID_SPI 11
301 #define ISAKMP_NTYPE_INVALID_TRANSFORM_ID 12
302 #define ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED 13
303 #define ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN 14
304 #define ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX 15
305 #define ISAKMP_NTYPE_PAYLOAD_MALFORMED 16
306 #define ISAKMP_NTYPE_INVALID_KEY_INFORMATION 17
307 #define ISAKMP_NTYPE_INVALID_ID_INFORMATION 18
308 #define ISAKMP_NTYPE_INVALID_CERT_ENCODING 19
309 #define ISAKMP_NTYPE_INVALID_CERTIFICATE 20
310 #define ISAKMP_NTYPE_BAD_CERT_REQUEST_SYNTAX 21
311 #define ISAKMP_NTYPE_INVALID_CERT_AUTHORITY 22
312 #define ISAKMP_NTYPE_INVALID_HASH_INFORMATION 23
313 #define ISAKMP_NTYPE_AUTHENTICATION_FAILED 24
314 #define ISAKMP_NTYPE_INVALID_SIGNATURE 25
315 #define ISAKMP_NTYPE_ADDRESS_NOTIFICATION 26
316
317 /* 3.15 Delete Payload */
318 struct ikev1_pl_d {
319 struct isakmp_gen h;
320 u_int32_t doi; /* Domain of Interpretation */
321 u_int8_t prot_id; /* Protocol-Id */
322 u_int8_t spi_size; /* SPI Size */
323 u_int16_t num_spi; /* # of SPIs */
324 /* SPI(es) */
325 };
326
327 \f
328 struct ikev1_ph1tab {
329 struct ikev1_ph1 *head;
330 struct ikev1_ph1 *tail;
331 int len;
332 };
333
334 struct isakmp_ph2tab {
335 struct ikev1_ph2 *head;
336 struct ikev1_ph2 *tail;
337 int len;
338 };
339
340 /* IKEv2 (RFC4306) */
341
342 /* 3.3 Security Association Payload -- generic header */
343 /* 3.3.1. Proposal Substructure */
344 struct ikev2_p {
345 struct isakmp_gen h;
346 u_int8_t p_no; /* Proposal # */
347 u_int8_t prot_id; /* Protocol */
348 u_int8_t spi_size; /* SPI Size */
349 u_int8_t num_t; /* Number of Transforms */
350 };
351
352 /* 3.3.2. Transform Substructure */
353 struct ikev2_t {
354 struct isakmp_gen h;
355 u_int8_t t_type; /* Transform Type (ENCR,PRF,INTEG,etc.*/
356 u_int8_t res2; /* reserved byte */
357 u_int16_t t_id; /* Transform ID */
358 };
359
360 enum ikev2_t_type {
361 IV2_T_ENCR = 1,
362 IV2_T_PRF = 2,
363 IV2_T_INTEG= 3,
364 IV2_T_DH = 4,
365 IV2_T_ESN = 5,
366 };
367
368 /* 3.4. Key Exchange Payload */
369 struct ikev2_ke {
370 struct isakmp_gen h;
371 u_int16_t ke_group;
372 u_int16_t ke_res1;
373 /* KE data */
374 };
375
376
377 /* 3.5. Identification Payloads */
378 enum ikev2_id_type {
379 ID_IPV4_ADDR=1,
380 ID_FQDN=2,
381 ID_RFC822_ADDR=3,
382 ID_IPV6_ADDR=5,
383 ID_DER_ASN1_DN=9,
384 ID_DER_ASN1_GN=10,
385 ID_KEY_ID=11,
386 };
387 struct ikev2_id {
388 struct isakmp_gen h;
389 u_int8_t type; /* ID type */
390 u_int8_t res1;
391 u_int16_t res2;
392 /* SPI */
393 /* Notification Data */
394 };
395
396 /* 3.10 Notification Payload */
397 struct ikev2_n {
398 struct isakmp_gen h;
399 u_int8_t prot_id; /* Protocol-ID */
400 u_int8_t spi_size; /* SPI Size */
401 u_int16_t type; /* Notify Message Type */
402 };
403
404 enum ikev2_n_type {
405 IV2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD = 1,
406 IV2_NOTIFY_INVALID_IKE_SPI = 4,
407 IV2_NOTIFY_INVALID_MAJOR_VERSION = 5,
408 IV2_NOTIFY_INVALID_SYNTAX = 7,
409 IV2_NOTIFY_INVALID_MESSAGE_ID = 9,
410 IV2_NOTIFY_INVALID_SPI =11,
411 IV2_NOTIFY_NO_PROPOSAL_CHOSEN =14,
412 IV2_NOTIFY_INVALID_KE_PAYLOAD =17,
413 IV2_NOTIFY_AUTHENTICATION_FAILED =24,
414 IV2_NOTIFY_SINGLE_PAIR_REQUIRED =34,
415 IV2_NOTIFY_NO_ADDITIONAL_SAS =35,
416 IV2_NOTIFY_INTERNAL_ADDRESS_FAILURE =36,
417 IV2_NOTIFY_FAILED_CP_REQUIRED =37,
418 IV2_NOTIFY_INVALID_SELECTORS =39,
419 IV2_NOTIFY_INITIAL_CONTACT =16384,
420 IV2_NOTIFY_SET_WINDOW_SIZE =16385,
421 IV2_NOTIFY_ADDITIONAL_TS_POSSIBLE =16386,
422 IV2_NOTIFY_IPCOMP_SUPPORTED =16387,
423 IV2_NOTIFY_NAT_DETECTION_SOURCE_IP =16388,
424 IV2_NOTIFY_NAT_DETECTION_DESTINATION_IP =16389,
425 IV2_NOTIFY_COOKIE =16390,
426 IV2_NOTIFY_USE_TRANSPORT_MODE =16391,
427 IV2_NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED =16392,
428 IV2_NOTIFY_REKEY_SA =16393,
429 IV2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED =16394,
430 IV2_NOTIFY_NON_FIRST_FRAGMENTS_ALSO =16395
431 };
432
433 struct notify_messages {
434 u_int16_t type;
435 char *msg;
436 };
437
438 /* 3.8 Notification Payload */
439 struct ikev2_auth {
440 struct isakmp_gen h;
441 u_int8_t auth_method; /* Protocol-ID */
442 u_int8_t reserved[3];
443 /* authentication data */
444 };
445
446 enum ikev2_auth_type {
447 IV2_RSA_SIG = 1,
448 IV2_SHARED = 2,
449 IV2_DSS_SIG = 3,
450 };
451
452 /* refer to RFC 2409 */
453
454 #if 0
455 /* isakmp sa structure */
456 struct oakley_sa {
457 u_int8_t proto_id; /* OAKLEY */
458 vchar_t *spi; /* spi */
459 u_int8_t dhgrp; /* DH; group */
460 u_int8_t auth_t; /* method of authentication */
461 u_int8_t prf_t; /* type of prf */
462 u_int8_t hash_t; /* type of hash */
463 u_int8_t enc_t; /* type of cipher */
464 u_int8_t life_t; /* type of duration of lifetime */
465 u_int32_t ldur; /* life duration */
466 };
467 #endif
468
469 /* refer to RFC 2407 */
470
471 #define IPSEC_DOI 1
472
473 /* 4.2 IPSEC Situation Definition */
474 #define IPSECDOI_SIT_IDENTITY_ONLY 0x00000001
475 #define IPSECDOI_SIT_SECRECY 0x00000002
476 #define IPSECDOI_SIT_INTEGRITY 0x00000004
477
478 /* 4.4.1 IPSEC Security Protocol Identifiers */
479 /* 4.4.2 IPSEC ISAKMP Transform Values */
480 #define IPSECDOI_PROTO_ISAKMP 1
481 #define IPSECDOI_KEY_IKE 1
482
483 /* 4.4.1 IPSEC Security Protocol Identifiers */
484 #define IPSECDOI_PROTO_IPSEC_AH 2
485 /* 4.4.3 IPSEC AH Transform Values */
486 #define IPSECDOI_AH_MD5 2
487 #define IPSECDOI_AH_SHA 3
488 #define IPSECDOI_AH_DES 4
489 #define IPSECDOI_AH_SHA2_256 5
490 #define IPSECDOI_AH_SHA2_384 6
491 #define IPSECDOI_AH_SHA2_512 7
492
493 /* 4.4.1 IPSEC Security Protocol Identifiers */
494 #define IPSECDOI_PROTO_IPSEC_ESP 3
495 /* 4.4.4 IPSEC ESP Transform Identifiers */
496 #define IPSECDOI_ESP_DES_IV64 1
497 #define IPSECDOI_ESP_DES 2
498 #define IPSECDOI_ESP_3DES 3
499 #define IPSECDOI_ESP_RC5 4
500 #define IPSECDOI_ESP_IDEA 5
501 #define IPSECDOI_ESP_CAST 6
502 #define IPSECDOI_ESP_BLOWFISH 7
503 #define IPSECDOI_ESP_3IDEA 8
504 #define IPSECDOI_ESP_DES_IV32 9
505 #define IPSECDOI_ESP_RC4 10
506 #define IPSECDOI_ESP_NULL 11
507 #define IPSECDOI_ESP_RIJNDAEL 12
508 #define IPSECDOI_ESP_AES 12
509
510 /* 4.4.1 IPSEC Security Protocol Identifiers */
511 #define IPSECDOI_PROTO_IPCOMP 4
512 /* 4.4.5 IPSEC IPCOMP Transform Identifiers */
513 #define IPSECDOI_IPCOMP_OUI 1
514 #define IPSECDOI_IPCOMP_DEFLATE 2
515 #define IPSECDOI_IPCOMP_LZS 3
516
517 /* 4.5 IPSEC Security Association Attributes */
518 #define IPSECDOI_ATTR_SA_LTYPE 1 /* B */
519 #define IPSECDOI_ATTR_SA_LTYPE_DEFAULT 1
520 #define IPSECDOI_ATTR_SA_LTYPE_SEC 1
521 #define IPSECDOI_ATTR_SA_LTYPE_KB 2
522 #define IPSECDOI_ATTR_SA_LDUR 2 /* V */
523 #define IPSECDOI_ATTR_SA_LDUR_DEFAULT 28800 /* 8 hours */
524 #define IPSECDOI_ATTR_GRP_DESC 3 /* B */
525 #define IPSECDOI_ATTR_ENC_MODE 4 /* B */
526 /* default value: host dependent */
527 #define IPSECDOI_ATTR_ENC_MODE_TUNNEL 1
528 #define IPSECDOI_ATTR_ENC_MODE_TRNS 2
529 #define IPSECDOI_ATTR_AUTH 5 /* B */
530 /* 0 means not to use authentication. */
531 #define IPSECDOI_ATTR_AUTH_HMAC_MD5 1
532 #define IPSECDOI_ATTR_AUTH_HMAC_SHA1 2
533 #define IPSECDOI_ATTR_AUTH_DES_MAC 3
534 #define IPSECDOI_ATTR_AUTH_KPDK 4 /*RFC-1826(Key/Pad/Data/Key)*/
535 /*
536 * When negotiating ESP without authentication, the Auth
537 * Algorithm attribute MUST NOT be included in the proposal.
538 * When negotiating ESP without confidentiality, the Auth
539 * Algorithm attribute MUST be included in the proposal and
540 * the ESP transform ID must be ESP_NULL.
541 */
542 #define IPSECDOI_ATTR_KEY_LENGTH 6 /* B */
543 #define IPSECDOI_ATTR_KEY_ROUNDS 7 /* B */
544 #define IPSECDOI_ATTR_COMP_DICT_SIZE 8 /* B */
545 #define IPSECDOI_ATTR_COMP_PRIVALG 9 /* V */
546
547 /* 4.6.1 Security Association Payload */
548 struct ipsecdoi_sa {
549 struct isakmp_gen h;
550 u_int32_t doi; /* Domain of Interpretation */
551 u_int32_t sit; /* Situation */
552 };
553
554 struct ipsecdoi_secrecy_h {
555 u_int16_t len;
556 u_int16_t reserved;
557 };
558
559 /* 4.6.2.1 Identification Type Values */
560 struct ipsecdoi_id {
561 struct isakmp_gen h;
562 u_int8_t type; /* ID Type */
563 u_int8_t proto_id; /* Protocol ID */
564 u_int16_t port; /* Port */
565 /* Identification Data */
566 };
567
568 #define IPSECDOI_ID_IPV4_ADDR 1
569 #define IPSECDOI_ID_FQDN 2
570 #define IPSECDOI_ID_USER_FQDN 3
571 #define IPSECDOI_ID_IPV4_ADDR_SUBNET 4
572 #define IPSECDOI_ID_IPV6_ADDR 5
573 #define IPSECDOI_ID_IPV6_ADDR_SUBNET 6
574 #define IPSECDOI_ID_IPV4_ADDR_RANGE 7
575 #define IPSECDOI_ID_IPV6_ADDR_RANGE 8
576 #define IPSECDOI_ID_DER_ASN1_DN 9
577 #define IPSECDOI_ID_DER_ASN1_GN 10
578 #define IPSECDOI_ID_KEY_ID 11
579
580 /* 4.6.3 IPSEC DOI Notify Message Types */
581 /* Notify Messages - Status Types */
582 #define IPSECDOI_NTYPE_RESPONDER_LIFETIME 24576
583 #define IPSECDOI_NTYPE_REPLAY_STATUS 24577
584 #define IPSECDOI_NTYPE_INITIAL_CONTACT 24578
585
/*
 * Common signature of every per-payload printer wired into npfunc[]:
 *   tpay         payload type being printed (the enclosing Next Payload value)
 *   ext          start of this payload, at its generic header
 *   item_len     length of this payload
 *   end_pointer  end of the data this printer may consume; presumably
 *                derived from on-the-wire length fields rather than the
 *                capture end, so printers must still ND_TCHECK every read
 *                (confirm in ikev1_sub_print/ikev2_sub_print)
 *   phase        IKE phase indicator handed down from ikev1_print
 *   doi0/proto0  DOI and protocol inherited from the enclosing payload
 *   depth        nesting level of the sub-payload recursion
 * A printer returns a pointer just past what it consumed, or NULL once the
 * captured data ran out (see ikev1_sa_print's trunc path).
 */
#define DECLARE_PRINTER(func) static const u_char *ike##func##_print( \
		netdissect_options *ndo, u_char tpay,	              \
		const struct isakmp_gen *ext,			      \
		u_int item_len, \
		const u_char *end_pointer, \
		u_int32_t phase,\
		u_int32_t doi0, \
		u_int32_t proto0, int depth)
594
595 DECLARE_PRINTER(v1_sa);
596 DECLARE_PRINTER(v1_p);
597 DECLARE_PRINTER(v1_t);
598 DECLARE_PRINTER(v1_ke);
599 DECLARE_PRINTER(v1_id);
600 DECLARE_PRINTER(v1_cert);
601 DECLARE_PRINTER(v1_cr);
602 DECLARE_PRINTER(v1_sig);
603 DECLARE_PRINTER(v1_hash);
604 DECLARE_PRINTER(v1_nonce);
605 DECLARE_PRINTER(v1_n);
606 DECLARE_PRINTER(v1_d);
607 DECLARE_PRINTER(v1_vid);
608
609 DECLARE_PRINTER(v2_sa);
610 DECLARE_PRINTER(v2_ke);
611 DECLARE_PRINTER(v2_ID);
612 DECLARE_PRINTER(v2_cert);
613 DECLARE_PRINTER(v2_cr);
614 DECLARE_PRINTER(v2_auth);
615 DECLARE_PRINTER(v2_nonce);
616 DECLARE_PRINTER(v2_n);
617 DECLARE_PRINTER(v2_d);
618 DECLARE_PRINTER(v2_vid);
619 DECLARE_PRINTER(v2_TS);
620 DECLARE_PRINTER(v2_cp);
621 DECLARE_PRINTER(v2_eap);
622
623 static const u_char *ikev2_e_print(netdissect_options *ndo,
624 struct isakmp *base,
625 u_char tpay,
626 const struct isakmp_gen *ext,
627 u_int item_len,
628 const u_char *end_pointer,
629 u_int32_t phase,
630 u_int32_t doi0,
631 u_int32_t proto0, int depth);
632
633
634 static const u_char *ike_sub0_print(netdissect_options *ndo,u_char, const struct isakmp_gen *,
635 const u_char *, u_int32_t, u_int32_t, u_int32_t, int);
636 static const u_char *ikev1_sub_print(netdissect_options *ndo,u_char, const struct isakmp_gen *,
637 const u_char *, u_int32_t, u_int32_t, u_int32_t, int);
638
639 static const u_char *ikev2_sub_print(netdissect_options *ndo,
640 struct isakmp *base,
641 u_char np, const struct isakmp_gen *ext,
642 const u_char *ep, u_int32_t phase,
643 u_int32_t doi, u_int32_t proto,
644 int depth);
645
646
647 static char *numstr(int);
648
649 static void
650 ikev1_print(netdissect_options *ndo,
651 const u_char *bp, u_int length,
652 const u_char *bp2, struct isakmp *base);
653
/*
 * Ring of recently seen initiator cookies together with the source
 * (iaddr) and destination (raddr) addresses of the packet each was first
 * seen in, used to tell initiator from responder in later messages of
 * the same exchange. ninitiator is the slot the next new cookie is
 * written to; once MAXINITIATORS distinct cookies have been seen, old
 * entries are silently overwritten (see cookie_record()).
 * Plain globals with external linkage and no locking; the array starts
 * zero-filled, so an all-zero cookie matches any never-used slot.
 */
#define MAXINITIATORS	20
int ninitiator = 0;
struct {
	cookie_t initiator;
	struct sockaddr_storage iaddr;
	struct sockaddr_storage raddr;
} cookiecache[MAXINITIATORS];
661
/*
 * Protocol-ID names, indexed by the IPSEC DOI protocol identifier
 * (IPSECDOI_PROTO_*). Index 0 is unassigned; PROTOIDSTR() falls back
 * to a numeric string for it and for anything past the end.
 */
static const char *protoidstr[] = {
	NULL, "isakmp", "ipsec-ah", "ipsec-esp", "ipcomp",
};

/*
 * Payload-type names, indexed by isakmp->np / isakmp_gen.np. Entries
 * 0-13 are IKEv1, 33-48 are IKEv2; the gap is filled with placeholder
 * names so that NPSTR() stays a plain table lookup. Anything >= 49 is
 * rendered numerically by NPSTR().
 */
static const char *npstr[] = {
	"none", "sa", "p", "t", "ke", "id", "cert", "cr", "hash", /* 0 - 8 */
	"sig", "nonce", "n", "d", "vid",      /* 9 - 13 */
	"pay14", "pay15", "pay16", "pay17", "pay18", /* 14- 18 */
	"pay19", "pay20", "pay21", "pay22", "pay23", /* 19- 23 */
	"pay24", "pay25", "pay26", "pay27", "pay28", /* 24- 28 */
	"pay29", "pay30", "pay31", "pay32",          /* 29- 32 */
	"v2sa",  "v2ke",  "v2IDi", "v2IDr", "v2cert",/* 33- 37 */
	"v2cr",  "v2auth","v2nonce", "v2n",   "v2d",   /* 38- 42 */
	"v2vid", "v2TSi", "v2TSr", "v2e",   "v2cp",  /* 43- 47 */
	"v2eap",                                     /* 48 */

};
681
/*
 * Printer dispatch table, indexed by payload type exactly like npstr[].
 * Unknown/unsupported types are NULL; NPFUNC() also returns NULL for
 * indices past the end, so callers must handle a NULL printer.
 * Type 46 (IKEv2 Encrypted payload) is deliberately NULL: ikev2_e_print
 * needs the ISAKMP base header as an extra argument and so does not fit
 * this signature; it is dispatched specially by the IKEv2 walker.
 * Types 35/36 (IDi/IDr) and 44/45 (TSi/TSr) share one printer each.
 */
static const u_char *(*npfunc[])(netdissect_options *ndo, u_char tpay,
				 const struct isakmp_gen *ext,
				 u_int item_len,
				 const u_char *end_pointer,
				 u_int32_t phase,
				 u_int32_t doi0,
				 u_int32_t proto0, int depth) = {
	NULL,
	ikev1_sa_print,
	ikev1_p_print,
	ikev1_t_print,
	ikev1_ke_print,
	ikev1_id_print,
	ikev1_cert_print,
	ikev1_cr_print,
	ikev1_hash_print,
	ikev1_sig_print,
	ikev1_nonce_print,
	ikev1_n_print,
	ikev1_d_print,
	ikev1_vid_print,                  /* 13 */
	NULL, NULL, NULL, NULL, NULL,     /* 14- 18 */
	NULL, NULL, NULL, NULL, NULL,     /* 19- 23 */
	NULL, NULL, NULL, NULL, NULL,     /* 24- 28 */
	NULL, NULL, NULL, NULL,           /* 29- 32 */
	ikev2_sa_print,                 /* 33 */
	ikev2_ke_print,                 /* 34 */
	ikev2_ID_print,                 /* 35 */
	ikev2_ID_print,                 /* 36 */
	ikev2_cert_print,               /* 37 */
	ikev2_cr_print,                 /* 38 */
	ikev2_auth_print,               /* 39 */
	ikev2_nonce_print,              /* 40 */
	ikev2_n_print,                  /* 41 */
	ikev2_d_print,                  /* 42 */
	ikev2_vid_print,                /* 43 */
	ikev2_TS_print,                 /* 44 */
	ikev2_TS_print,                 /* 45 */
	NULL, /* ikev2_e_print,*/       /* 46 - special */
	ikev2_cp_print,                 /* 47 */
	ikev2_eap_print,                /* 48 */
};
725
/*
 * Exchange-type names, indexed by isakmp->etype. 0-5 and 32-33 are
 * IKEv1, 34-37 are IKEv2; NULL holes and anything >= 38 fall back to a
 * numeric string via ETYPESTR().
 */
static const char *etypestr[] = {
/* IKEv1 exchange types */
	"none", "base", "ident", "auth", "agg", "inf", NULL, NULL,  /* 0-7 */
	NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,             /* 8-15 */
	NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,             /* 16-23 */
	NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,             /* 24-31 */
	"oakley-quick", "oakley-newgroup",               /* 32-33 */
/* IKEv2 exchange types */
	"ikev2_init", "ikev2_auth", "child_sa", "inf2"   /* 34-37 */
};

/*
 * Table lookup with numeric fallback. Out-of-range indices are rejected
 * before tab[] is touched, so any unsigned x is safe. x is evaluated up
 * to three times: never pass an expression with side effects.
 */
#define STR_OR_ID(x, tab) \
	(((x) < sizeof(tab)/sizeof(tab[0]) && tab[(x)])	? tab[(x)] : numstr(x))
#define PROTOIDSTR(x)	STR_OR_ID(x, protoidstr)
#define NPSTR(x)	STR_OR_ID(x, npstr)
#define ETYPESTR(x)	STR_OR_ID(x, etypestr)

/*
 * Bail out of the enclosing function when pointer p has run past the
 * local end pointer `ep`. Relies on `ndo`, `ep` and a `done:` label being
 * in scope. This is a bare `if` statement, not a do/while(0) wrapper, so
 * do not use it as the body of an if/else without braces.
 */
#define CHECKLEN(p, np)							\
		if (ep < (u_char *)(p)) {				\
			ND_PRINT((ndo," [|%s]", NPSTR(np)));		\
			goto done;					\
		}


/*
 * Printer for payload type x, or NULL when there is none (unknown type,
 * index past the table, or the special-cased encrypted payload).
 */
#define NPFUNC(x) \
	(((x) < sizeof(npfunc)/sizeof(npfunc[0]) && npfunc[(x)]) \
		? npfunc[(x)] : NULL)
754
/*
 * Return 1 if all l bytes starting at p are zero, 0 otherwise.
 * An empty range (l == 0) is considered all-zero. Used to spot an
 * unset (all-zero) responder cookie in the ISAKMP header.
 */
static int
iszero(u_char *p, size_t l)
{
	size_t i;

	for (i = 0; i < l; i++) {
		if (p[i] != 0)
			return 0;
	}
	return 1;
}
764
/*
 * Look up an initiator cookie in cookiecache[].
 * Returns the index of the matching slot, or -1 if the cookie has not
 * been recorded. The cache starts zero-filled, so an all-zero cookie will
 * match a never-used slot; callers are expected to screen those out
 * (presumably with iszero() in ikev1_print - confirm there).
 */
static int
cookie_find(cookie_t *in)
{
	int slot = 0;

	while (slot < MAXINITIATORS) {
		if (memcmp(in, &cookiecache[slot].initiator, sizeof(*in)) == 0)
			return slot;
		slot++;
	}

	return -1;
}
778
/*
 * Remember initiator cookie `in` together with the source and destination
 * addresses of the IP packet it arrived in.
 *
 * bp2 points at the network-layer header of the packet (IPv4 or IPv6,
 * chosen by its version nibble). No length check is done here: it is
 * assumed the caller has already dissected and validated that header.
 *
 * If the cookie is already cached, nothing is stored; only the write
 * cursor moves to the slot after the existing entry, so the next new
 * cookie evicts that neighbour rather than the oldest entry. Packets that
 * are neither IPv4 nor IPv6 are ignored. The cookie itself is written
 * last, after both addresses, so a half-filled slot never matches.
 */
static void
cookie_record(cookie_t *in, const u_char *bp2)
{
	int i;
	struct ip *ip;
	struct sockaddr_in *sin;
#ifdef INET6
	struct ip6_hdr *ip6;
	struct sockaddr_in6 *sin6;
#endif

	i = cookie_find(in);
	if (0 <= i) {
		/* Already known: only reposition the ring cursor. */
		ninitiator = (i + 1) % MAXINITIATORS;
		return;
	}

	ip = (struct ip *)bp2;
	switch (IP_V(ip)) {
	case 4:
		/* Clear the whole slot so memcmp() in cookie_sidecheck()
		 * compares deterministic bytes (ports, padding). */
		memset(&cookiecache[ninitiator].iaddr, 0,
			sizeof(cookiecache[ninitiator].iaddr));
		memset(&cookiecache[ninitiator].raddr, 0,
			sizeof(cookiecache[ninitiator].raddr));

		sin = (struct sockaddr_in *)&cookiecache[ninitiator].iaddr;
#ifdef HAVE_SOCKADDR_SA_LEN
		sin->sin_len = sizeof(struct sockaddr_in);
#endif
		sin->sin_family = AF_INET;
		unaligned_memcpy(&sin->sin_addr, &ip->ip_src, sizeof(ip->ip_src));
		sin = (struct sockaddr_in *)&cookiecache[ninitiator].raddr;
#ifdef HAVE_SOCKADDR_SA_LEN
		sin->sin_len = sizeof(struct sockaddr_in);
#endif
		sin->sin_family = AF_INET;
		unaligned_memcpy(&sin->sin_addr, &ip->ip_dst, sizeof(ip->ip_dst));
		break;
#ifdef INET6
	case 6:
		memset(&cookiecache[ninitiator].iaddr, 0,
			sizeof(cookiecache[ninitiator].iaddr));
		memset(&cookiecache[ninitiator].raddr, 0,
			sizeof(cookiecache[ninitiator].raddr));

		ip6 = (struct ip6_hdr *)bp2;
		sin6 = (struct sockaddr_in6 *)&cookiecache[ninitiator].iaddr;
#ifdef HAVE_SOCKADDR_SA_LEN
		sin6->sin6_len = sizeof(struct sockaddr_in6);
#endif
		sin6->sin6_family = AF_INET6;
		unaligned_memcpy(&sin6->sin6_addr, &ip6->ip6_src, sizeof(ip6->ip6_src));
		sin6 = (struct sockaddr_in6 *)&cookiecache[ninitiator].raddr;
#ifdef HAVE_SOCKADDR_SA_LEN
		sin6->sin6_len = sizeof(struct sockaddr_in6);
#endif
		sin6->sin6_family = AF_INET6;
		unaligned_memcpy(&sin6->sin6_addr, &ip6->ip6_dst, sizeof(ip6->ip6_dst));
		break;
#endif
	default:
		/* Not IPv4/IPv6: nothing sensible to record. */
		return;
	}
	unaligned_memcpy(&cookiecache[ninitiator].initiator, in, sizeof(*in));
	ninitiator = (ninitiator + 1) % MAXINITIATORS;
}
846
/*
 * Decide whether the packet at bp2 was sent by the initiator (initiator
 * != 0) or the responder (initiator == 0) of the exchange cached in
 * cookiecache[i], by comparing the packet's source address with the
 * address stored for that side. Returns 1 on a match, 0 otherwise
 * (including for non-IPv4/IPv6 packets and address-family mismatches).
 *
 * Both the scratch sockaddr here and the cached entries are zero-filled
 * before only family, length and address are set, so the byte-wise
 * memcmp() over salen bytes compares equal whenever the addresses do.
 * NOTE(review): without sa_len the IPv4 case compares sizeof(struct
 * sockaddr) bytes, which only covers struct sockaddr_in where the two
 * have the same size (true on common platforms - confirm for ports).
 */
#define cookie_isinitiator(x, y)	cookie_sidecheck((x), (y), 1)
#define cookie_isresponder(x, y)	cookie_sidecheck((x), (y), 0)
static int
cookie_sidecheck(int i, const u_char *bp2, int initiator)
{
	struct sockaddr_storage ss;
	struct sockaddr *sa;
	struct ip *ip;
	struct sockaddr_in *sin;
#ifdef INET6
	struct ip6_hdr *ip6;
	struct sockaddr_in6 *sin6;
#endif
	int salen;

	memset(&ss, 0, sizeof(ss));
	ip = (struct ip *)bp2;
	switch (IP_V(ip)) {
	case 4:
		sin = (struct sockaddr_in *)&ss;
#ifdef HAVE_SOCKADDR_SA_LEN
		sin->sin_len = sizeof(struct sockaddr_in);
#endif
		sin->sin_family = AF_INET;
		unaligned_memcpy(&sin->sin_addr, &ip->ip_src, sizeof(ip->ip_src));
		break;
#ifdef INET6
	case 6:
		ip6 = (struct ip6_hdr *)bp2;
		sin6 = (struct sockaddr_in6 *)&ss;
#ifdef HAVE_SOCKADDR_SA_LEN
		sin6->sin6_len = sizeof(struct sockaddr_in6);
#endif
		sin6->sin6_family = AF_INET6;
		unaligned_memcpy(&sin6->sin6_addr, &ip6->ip6_src, sizeof(ip6->ip6_src));
		break;
#endif
	default:
		return 0;
	}

	sa = (struct sockaddr *)&ss;
	if (initiator) {
		/* Family must agree before a byte-wise compare means anything. */
		if (sa->sa_family != ((struct sockaddr *)&cookiecache[i].iaddr)->sa_family)
			return 0;
#ifdef HAVE_SOCKADDR_SA_LEN
		salen = sa->sa_len;
#else
#ifdef INET6
		if (sa->sa_family == AF_INET6)
			salen = sizeof(struct sockaddr_in6);
		else
			salen = sizeof(struct sockaddr);
#else
		salen = sizeof(struct sockaddr);
#endif
#endif
		if (memcmp(&ss, &cookiecache[i].iaddr, salen) == 0)
			return 1;
	} else {
		if (sa->sa_family != ((struct sockaddr *)&cookiecache[i].raddr)->sa_family)
			return 0;
#ifdef HAVE_SOCKADDR_SA_LEN
		salen = sa->sa_len;
#else
#ifdef INET6
		if (sa->sa_family == AF_INET6)
			salen = sizeof(struct sockaddr_in6);
		else
			salen = sizeof(struct sockaddr);
#else
		salen = sizeof(struct sockaddr);
#endif
#endif
		if (memcmp(&ss, &cookiecache[i].raddr, salen) == 0)
			return 1;
	}
	return 0;
}
926
/*
 * Dump len bytes starting at loc as lowercase hex, two digits per byte,
 * with no separators. Does no bounds checking of its own: callers must
 * have verified the range against the capture end (see rawprint()).
 */
static void
hexprint(netdissect_options *ndo, caddr_t loc, size_t len)
{
	const u_char *cur = (const u_char *)loc;
	const u_char *stop = cur + len;

	while (cur < stop) {
		ND_PRINT((ndo,"%02x", *cur & 0xff));
		cur++;
	}
}
937
/*
 * Bounds-checked hex dump: print len bytes at loc only if they all lie
 * within the captured data. Returns 1 after printing, 0 (printing
 * nothing) when the range runs past the snapshot end, so callers can
 * report truncation.
 */
static int
rawprint(netdissect_options *ndo, caddr_t loc, size_t len)
{
	if (!ND_TTEST2(*loc, len))
		return 0;

	hexprint(ndo, loc, len);
	return 1;
}
948
949
/*
 * Print an abbreviated view of the bytes in [cp, ep): the first ten,
 * "...", then the last twenty. When the range is shorter than the two
 * excerpts combined, the tail is trimmed to whatever follows the head so
 * no byte is shown twice (and an empty tail is omitted).
 *
 * Returns 1 on success, 0 if either excerpt runs past the captured data
 * (rawprint() failed); in that case the output is left unterminated.
 */
static int ike_show_somedata(struct netdissect_options *ndo,
			     const u_char *cp, const u_char *ep)
{
	int headlen = ep - cp;		/* bytes to show from the front */
	const u_char *tail = ep - 20;	/* where the trailing excerpt starts */
	int taillen = 20;

	if (headlen > 10)
		headlen = 10;

	/* Excerpts would overlap: start the tail right after the head. */
	if (tail < cp + headlen) {
		tail = cp + headlen;
		taillen = ep - tail;
	}

	ND_PRINT((ndo," data=("));
	if (!rawprint(ndo, (caddr_t)cp, headlen))
		return 0;
	ND_PRINT((ndo, "..."));
	if (taillen != 0 && !rawprint(ndo, (caddr_t)tail, taillen))
		return 0;
	ND_PRINT((ndo,")"));
	return 1;
}
982
/*
 * Name table for one attribute type: `type` names the attribute, and
 * value[0..nvalue-1] name its enumerated values. value[] is a fixed
 * 30-entry array, so the tables that initialise it (elsewhere in this
 * file) must keep nvalue <= 30; ikev1_attrmap_print() trusts nvalue when
 * indexing value[].
 */
struct attrmap {
	const char *type;
	u_int nvalue;
	const char *value[30];	/*XXX*/
};
988
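/*
 * Print one IKEv1 data attribute (RFC 2408 3.3) starting at p, naming
 * its type and enumerated value through map[] when a table is given.
 *
 *   p     first byte of the attribute (AF bit + type, then length-or-value)
 *   ep    end of the enclosing payload, as derived from its length field
 *   map   per-type name table, or NULL for a purely numeric dump
 *   nmap  number of entries in map
 *
 * Returns a pointer just past the attribute. If the attribute does not
 * fit before ep, or is not fully present in the captured data, "[|attr]"
 * is printed and ep + 1 is returned so that a caller looping
 * "while (np < ep)" terminates.
 *
 * ep is computed from an on-the-wire length and can lie beyond the end of
 * the captured packet, so comparing against ep alone is not enough: the
 * header is checked against the snapshot end before its first byte is
 * read, and the whole attribute is checked before any of it is printed.
 */
static const u_char *
ikev1_attrmap_print(netdissect_options *ndo,
		    const u_char *p, const u_char *ep,
		    const struct attrmap *map, size_t nmap)
{
	int totlen;
	u_int32_t t, v;

	/* The 4-byte attribute header must be captured before it is read. */
	if (!ND_TTEST2(*p, 4))
		goto trunc;
	if (p[0] & 0x80)
		totlen = 4;				/* AF=1: value inline */
	else
		totlen = 4 + EXTRACT_16BITS(&p[2]);	/* AF=0: length follows */
	/* Whole attribute must lie both inside the payload and the capture. */
	if (ep < p + totlen || !ND_TTEST2(*p, totlen))
		goto trunc;

	ND_PRINT((ndo,"("));
	t = EXTRACT_16BITS(&p[0]) & 0x7fff;
	if (map && t < nmap && map[t].type)
		ND_PRINT((ndo,"type=%s ", map[t].type));
	else
		ND_PRINT((ndo,"type=#%d ", t));
	if (p[0] & 0x80) {
		ND_PRINT((ndo,"value="));
		v = EXTRACT_16BITS(&p[2]);
		if (map && t < nmap && v < map[t].nvalue && map[t].value[v])
			ND_PRINT((ndo,"%s", map[t].value[v]));
		else
			rawprint(ndo, (caddr_t)&p[2], 2);
	} else {
		/* totlen - 4 is the attribute length extracted above. */
		ND_PRINT((ndo,"len=%d value=", totlen - 4));
		rawprint(ndo, (caddr_t)&p[4], totlen - 4);
	}
	ND_PRINT((ndo,")"));
	return p + totlen;

trunc:
	ND_PRINT((ndo,"[|attr]"));
	return ep + 1;
}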
1026
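/*
 * Print one IKEv1 data attribute (RFC 2408 3.3) starting at p with no
 * name table; numeric counterpart of ikev1_attrmap_print().
 *
 *   p   first byte of the attribute (AF bit + type, then length-or-value)
 *   ep  end of the enclosing payload, as derived from its length field
 *
 * Returns a pointer just past the attribute. If the attribute does not
 * fit before ep, or is not fully present in the captured data, "[|attr]"
 * is printed and ep + 1 is returned so that a caller looping
 * "while (np < ep)" terminates.
 *
 * ep is computed from an on-the-wire length and can lie beyond the end of
 * the captured packet, so every read is also checked against the
 * snapshot end before it is made.
 */
static const u_char *
ikev1_attr_print(netdissect_options *ndo, const u_char *p, const u_char *ep)
{
	int totlen;
	u_int32_t t;

	/* The 4-byte attribute header must be captured before it is read. */
	if (!ND_TTEST2(*p, 4))
		goto trunc;
	if (p[0] & 0x80)
		totlen = 4;				/* AF=1: value inline */
	else
		totlen = 4 + EXTRACT_16BITS(&p[2]);	/* AF=0: length follows */
	/* Whole attribute must lie both inside the payload and the capture. */
	if (ep < p + totlen || !ND_TTEST2(*p, totlen))
		goto trunc;

	ND_PRINT((ndo,"("));
	t = EXTRACT_16BITS(&p[0]) & 0x7fff;
	ND_PRINT((ndo,"type=#%d ", t));
	if (p[0] & 0x80) {
		ND_PRINT((ndo,"value="));
		rawprint(ndo, (caddr_t)&p[2], 2);
	} else {
		/* totlen - 4 is the attribute length extracted above. */
		ND_PRINT((ndo,"len=%d value=", totlen - 4));
		rawprint(ndo, (caddr_t)&p[4], totlen - 4);
	}
	ND_PRINT((ndo,")"));
	return p + totlen;

trunc:
	ND_PRINT((ndo,"[|attr]"));
	return ep + 1;
}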
1056
/*
 * IKEv1 Security Association payload: prints the DOI and situation bits,
 * the 4-byte identifier that follows for situations other than plain
 * identity, then hands the proposals to ikev1_sub_print().
 *
 * Returns what ikev1_sub_print() returns (the position past the fixed
 * part for a non-IPsec DOI), or NULL on truncation.
 */
static const u_char *
ikev1_sa_print(netdissect_options *ndo, u_char tpay _U_,
	       const struct isakmp_gen *ext,
		    u_int item_len _U_,
		    const u_char *ep, u_int32_t phase, u_int32_t doi0 _U_,
		    u_int32_t proto0, int depth)
{
	const struct ikev1_pl_sa *hdr = (const struct ikev1_pl_sa *)ext;
	struct ikev1_pl_sa sa;
	u_int32_t doi, sit, ident;
	const u_char *next;
	const char *sep = "";

	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_SA)));

	ND_TCHECK(*hdr);
	unaligned_memcpy(&sa, ext, sizeof(sa));
	doi = ntohl(sa.doi);
	sit = ntohl(sa.sit);

	/* only DOI 1 (IPsec) is decoded further */
	if (doi != 1) {
		ND_PRINT((ndo," doi=%d", doi));
		ND_PRINT((ndo," situation=%u", sit));
		return (const u_char *)(hdr + 1);
	}

	ND_PRINT((ndo," doi=ipsec"));
	ND_PRINT((ndo," situation="));
	/* sep becomes "+" once any earlier flag has been printed */
	if (sit & 0x01) {
		ND_PRINT((ndo,"identity"));
		sep = "+";
	}
	if (sit & 0x02) {
		ND_PRINT((ndo,"%ssecrecy", sep));
		sep = "+";
	}
	if (sit & 0x04)
		ND_PRINT((ndo,"%sintegrity", sep));

	next = (const u_char *)ext + sizeof(sa);
	if (sit != 0x01) {
		ND_TCHECK2(*(ext + 1), sizeof(ident));
		unaligned_memcpy(&ident, ext + 1, sizeof(ident));
		ND_PRINT((ndo," ident=%u", (u_int32_t)ntohl(ident)));
		next += sizeof(ident);
	}

	ext = (const struct isakmp_gen *)next;
	ND_TCHECK(*ext);

	return ikev1_sub_print(ndo, ISAKMP_NPTYPE_P, ext, ep, phase, doi, proto0,
			       depth);
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_SA)));
	return NULL;
}
1116
/*
 * IKEv1 Proposal payload: prints proposal number, protocol id, transform
 * count and SPI, then hands the transforms that follow the SPI to
 * ikev1_sub_print().  Returns its result, or NULL on truncation.
 */
static const u_char *
ikev1_p_print(netdissect_options *ndo, u_char tpay _U_,
	      const struct isakmp_gen *ext, u_int item_len _U_,
	      const u_char *ep, u_int32_t phase, u_int32_t doi0,
	      u_int32_t proto0 _U_, int depth)
{
	const struct ikev1_pl_p *hdr = (const struct ikev1_pl_p *)ext;
	struct ikev1_pl_p prop;
	const struct isakmp_gen *transforms;

	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_P)));

	ND_TCHECK(*hdr);
	unaligned_memcpy(&prop, ext, sizeof(prop));
	ND_PRINT((ndo," #%d protoid=%s transform=%d",
		  prop.p_no, PROTOIDSTR(prop.prot_id), prop.num_t));
	if (prop.spi_size) {
		ND_PRINT((ndo," spi="));
		if (!rawprint(ndo, (caddr_t)(hdr + 1), prop.spi_size))
			goto trunc;
	}

	/* the transform payloads start right after the variable-size SPI */
	transforms = (const struct isakmp_gen *)
	    ((const u_char *)(hdr + 1) + prop.spi_size);
	ND_TCHECK(*transforms);

	return ikev1_sub_print(ndo, ISAKMP_NPTYPE_T, transforms, ep, phase, doi0,
			       prop.prot_id, depth);
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_P)));
	return NULL;
}
1151
/*
 * Name tables.  The *_p_map arrays are indexed by a transform id (IKEv1:
 * ikev1_t_print(), IKEv2: ikev2_t_print()) through STR_OR_ID; the attrmap
 * tables are indexed by attribute type in ikev1_attrmap_print().
 */

/* transform ids for proto 1 in ikev1_t_print() */
static const char *ikev1_p_map[] = {
	NULL, "ike",
};

/* IKEv2 transform types, indexed by ikev2_t.t_type */
static const char *ikev2_t_type_map[]={
	NULL, "encr", "prf", "integ", "dh", "esn"
};

/* transform ids for proto 2 in ikev1_t_print() */
static const char *ah_p_map[] = {
	NULL, "(reserved)", "md5", "sha", "1des",
	"sha2-256", "sha2-384", "sha2-512",
};

/* IKEv2 PRF transform ids */
static const char *prf_p_map[] = {
	NULL, "hmac-md5", "hmac-sha", "hmac-tiger",
	"aes128_xcbc"
};

/* IKEv2 integrity transform ids */
static const char *integ_p_map[] = {
	NULL, "hmac-md5", "hmac-sha", "dec-mac",
	"kpdk-md5", "aes-xcbc"
};

/* IKEv2 ESN transform ids: 0 = no ESN, 1 = ESN */
static const char *esn_p_map[] = {
	"no-esn", "esn"
};

/*
 * Diffie-Hellman group names, indexed by group number.  Used for IKEv2 DH
 * transforms and for the group of an IKEv2 KE payload (ikev2_ke_print()).
 * The same list is repeated inline as the "group desc" attribute values in
 * ipsec_t_map and oakley_t_map below.
 */
static const char *dh_p_map[] = {
	NULL, "modp768",
	"modp1024", /* group 2 */
	"EC2N 2^155", /* group 3 */
	"EC2N 2^185", /* group 4 */
	"modp1536", /* group 5 */
	"iana-grp06", "iana-grp07", /* reserved */
	"iana-grp08", "iana-grp09",
	"iana-grp10", "iana-grp11",
	"iana-grp12", "iana-grp13",
	"modp2048", /* group 14 */
	"modp3072", /* group 15 */
	"modp4096", /* group 16 */
	"modp6144", /* group 17 */
	"modp8192", /* group 18 */
};

/* transform ids for proto 3 in ikev1_t_print() and IKEv2 ENCR transforms */
static const char *esp_p_map[] = {
	NULL, "1des-iv64", "1des", "3des", "rc5", "idea", "cast",
	"blowfish", "3idea", "1des-iv32", "rc4", "null", "aes"
};

/* transform ids for proto 4 in ikev1_t_print() */
static const char *ipcomp_p_map[] = {
	NULL, "oui", "deflate", "lzs",
};

/*
 * Attribute names for protos 2..4 in ikev1_t_print().  Entries with a
 * NULL type print as "type=#n"; an nvalue of 0 means the value is always
 * shown in hex.
 */
static const struct attrmap ipsec_t_map[] = {
	{ NULL, 0, { NULL } },
	{ "lifetype", 3, { NULL, "sec", "kb", }, },
	{ "life", 0, { NULL } },
	{ "group desc", 18, { NULL, "modp768",
			      "modp1024", /* group 2 */
			      "EC2N 2^155", /* group 3 */
			      "EC2N 2^185", /* group 4 */
			      "modp1536", /* group 5 */
			      "iana-grp06", "iana-grp07", /* reserved */
			      "iana-grp08", "iana-grp09",
			      "iana-grp10", "iana-grp11",
			      "iana-grp12", "iana-grp13",
			      "modp2048", /* group 14 */
			      "modp3072", /* group 15 */
			      "modp4096", /* group 16 */
			      "modp6144", /* group 17 */
			      "modp8192", /* group 18 */
	}, },
	{ "enc mode", 3, { NULL, "tunnel", "transport", }, },
	{ "auth", 5, { NULL, "hmac-md5", "hmac-sha1", "1des-mac", "keyed", }, },
	{ "keylen", 0, { NULL } },
	{ "rounds", 0, { NULL } },
	{ "dictsize", 0, { NULL } },
	{ "privalg", 0, { NULL } },
};

/*
 * Attribute names for IKEv2 ENCR transforms (ikev2_t_print()).  Only
 * attribute 14 ("keylen") is named; its value slots are all NULL, so
 * ikev1_attrmap_print() falls back to printing the value in hex.
 */
static const struct attrmap encr_t_map[] = {
	{ NULL, 0, { NULL } },	{ NULL, 0, { NULL } },  /* 0, 1 */
	{ NULL, 0, { NULL } },	{ NULL, 0, { NULL } },  /* 2, 3 */
	{ NULL, 0, { NULL } },	{ NULL, 0, { NULL } },  /* 4, 5 */
	{ NULL, 0, { NULL } },	{ NULL, 0, { NULL } },  /* 6, 7 */
	{ NULL, 0, { NULL } },	{ NULL, 0, { NULL } },  /* 8, 9 */
	{ NULL, 0, { NULL } },	{ NULL, 0, { NULL } },  /* 10,11*/
	{ NULL, 0, { NULL } },	{ NULL, 0, { NULL } },  /* 12,13*/
	{ "keylen", 14, { NULL }},
};

/*
 * Attribute names for proto 1 in ikev1_t_print(), also used for the
 * RESPONDER-LIFETIME notification data in ikev1_n_print().
 */
static const struct attrmap oakley_t_map[] = {
	{ NULL, 0, { NULL } },
	{ "enc", 8,	{ NULL, "1des", "idea", "blowfish", "rc5",
		 	  "3des", "cast", "aes", }, },
	{ "hash", 7,	{ NULL, "md5", "sha1", "tiger",
			  "sha2-256", "sha2-384", "sha2-512", }, },
	{ "auth", 6,	{ NULL, "preshared", "dss", "rsa sig", "rsa enc",
			  "rsa enc revised", }, },
	{ "group desc", 18,	{ NULL, "modp768",
				  "modp1024", /* group 2 */
				  "EC2N 2^155", /* group 3 */
				  "EC2N 2^185", /* group 4 */
				  "modp1536", /* group 5 */
				  "iana-grp06", "iana-grp07", /* reserved */
				  "iana-grp08", "iana-grp09",
				  "iana-grp10", "iana-grp11",
				  "iana-grp12", "iana-grp13",
				  "modp2048", /* group 14 */
				  "modp3072", /* group 15 */
				  "modp4096", /* group 16 */
				  "modp6144", /* group 17 */
				  "modp8192", /* group 18 */
	}, },
	{ "group type", 4,	{ NULL, "MODP", "ECP", "EC2N", }, },
	{ "group prime", 0, { NULL } },
	{ "group gen1", 0, { NULL } },
	{ "group gen2", 0, { NULL } },
	{ "group curve A", 0, { NULL } },
	{ "group curve B", 0, { NULL } },
	{ "lifetype", 3,	{ NULL, "sec", "kb", }, },
	{ "lifeduration", 0, { NULL } },
	{ "prf", 0, { NULL } },
	{ "keylen", 0, { NULL } },
	{ "field", 0, { NULL } },
	{ "order", 0, { NULL } },
};
1279
/*
 * IKEv1 Transform payload.  proto (from the enclosing proposal) selects
 * the transform-id name table and the attribute name tables; the
 * attributes after the fixed part are printed up to the smaller of ep
 * and the payload end.  Returns the position reached, or NULL on
 * truncation.
 */
static const u_char *
ikev1_t_print(netdissect_options *ndo, u_char tpay _U_,
	      const struct isakmp_gen *ext, u_int item_len,
	      const u_char *ep, u_int32_t phase _U_, u_int32_t doi _U_,
	      u_int32_t proto, int depth _U_)
{
	const struct ikev1_pl_t *hdr = (const struct ikev1_pl_t *)ext;
	struct ikev1_pl_t t;
	const char *idstr = NULL;
	const struct attrmap *map = NULL;
	size_t nmap = 0;
	const u_char *cp, *payload_end, *bound;

	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_T)));

	ND_TCHECK(*hdr);
	unaligned_memcpy(&t, ext, sizeof(t));

	/* STR_OR_ID needs the array itself, so each table gets its own case */
	switch (proto) {
	case 1:
		idstr = STR_OR_ID(t.t_id, ikev1_p_map);
		map = oakley_t_map;
		nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]);
		break;
	case 2:
		idstr = STR_OR_ID(t.t_id, ah_p_map);
		break;
	case 3:
		idstr = STR_OR_ID(t.t_id, esp_p_map);
		break;
	case 4:
		idstr = STR_OR_ID(t.t_id, ipcomp_p_map);
		break;
	default:
		break;
	}
	/* protos 2..4 share one attribute table */
	if (proto >= 2 && proto <= 4) {
		map = ipsec_t_map;
		nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
	}

	if (idstr != NULL)
		ND_PRINT((ndo," #%d id=%s ", t.t_no, idstr));
	else
		ND_PRINT((ndo," #%d id=%d ", t.t_no, t.t_id));

	cp = (const u_char *)(hdr + 1);
	payload_end = (const u_char *)hdr + item_len;
	bound = (ep < payload_end) ? ep : payload_end;
	while (cp < bound) {
		if (map != NULL && nmap != 0)
			cp = ikev1_attrmap_print(ndo, cp, bound, map, nmap);
		else
			cp = ikev1_attr_print(ndo, cp, bound);
	}
	if (ep < payload_end)
		ND_PRINT((ndo,"..."));
	return cp;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_T)));
	return NULL;
}
1348
/*
 * IKEv1 Key Exchange payload: prints the key data length and, with more
 * than two -v flags, the key data itself in hex.  Returns a pointer past
 * the payload, or NULL on truncation.
 */
static const u_char *
ikev1_ke_print(netdissect_options *ndo, u_char tpay _U_,
	       const struct isakmp_gen *ext, u_int item_len _U_,
	       const u_char *ep _U_, u_int32_t phase _U_, u_int32_t doi _U_,
	       u_int32_t proto _U_, int depth _U_)
{
	struct isakmp_gen hdr;
	int len;

	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_KE)));

	ND_TCHECK(*ext);
	unaligned_memcpy(&hdr, ext, sizeof(hdr));
	len = ntohs(hdr.len);
	/* the 4-byte generic header is not part of the key data */
	ND_PRINT((ndo," key len=%d", len - 4));
	if (len > 4 && ndo->ndo_vflag > 2) {
		ND_PRINT((ndo," "));
		if (!rawprint(ndo, (caddr_t)(ext + 1), len - 4))
			goto trunc;
	}
	return (const u_char *)ext + len;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_KE)));
	return NULL;
}
1372
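/*
 * IKEv1 Identification payload.  With USE_IPSECDOI_IN_PHASE1 defined,
 * both phase 1 and phase 2 identities are decoded with the IPsec DOI
 * layout (struct ipsecdoi_id: type, protocol, port, then type-specific
 * data); any other phase prints the generic id_type/doi_data header.
 * Identification data not consumed by the type-specific decoding is
 * hex-dumped with more than two -v flags.
 *
 * Returns a pointer item_len bytes past the payload start, or NULL on
 * truncation.
 */
static const u_char *
ikev1_id_print(netdissect_options *ndo, u_char tpay _U_,
	       const struct isakmp_gen *ext, u_int item_len _U_,
	       const u_char *ep _U_, u_int32_t phase, u_int32_t doi _U_,
	       u_int32_t proto _U_, int depth _U_)
{
#define USE_IPSECDOI_IN_PHASE1 1
	const struct ikev1_pl_id *p;
	struct ikev1_pl_id id;
	static const char *idtypestr[] = {
		"IPv4", "IPv4net", "IPv6", "IPv6net",
	};
	static const char *ipsecidtypestr[] = {
		NULL, "IPv4", "FQDN", "user FQDN", "IPv4net", "IPv6",
		"IPv6net", "IPv4range", "IPv6range", "ASN1 DN", "ASN1 GN",
		"keyid",
	};
	int len;		/* identification data bytes not yet printed */
	const u_char *data;	/* identification data after the fixed part, or NULL */

	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_ID)));

	p = (const struct ikev1_pl_id *)ext;
	ND_TCHECK(*p);
	unaligned_memcpy(&id, ext, sizeof(id));
	if (sizeof(*p) < item_len) {
		data = (const u_char *)(p + 1);
		len = item_len - sizeof(*p);
	} else {
		data = NULL;
		len = 0;
	}

#if 0 /*debug*/
	ND_PRINT((ndo," [phase=%d doi=%d proto=%d]", phase, doi, proto));
#endif
	switch (phase) {
#ifndef USE_IPSECDOI_IN_PHASE1
	case 1:
#endif
	default:
		ND_PRINT((ndo," idtype=%s", STR_OR_ID(id.d.id_type, idtypestr)));
		/* the low 24 bits of doi_data are DOI-specific data */
		ND_PRINT((ndo," doi_data=%u",
			(u_int32_t)(ntohl(id.d.doi_data) & 0xffffff)));
		break;

#ifdef USE_IPSECDOI_IN_PHASE1
	case 1:
#endif
	case 2:
	    {
		/* the IPsec DOI view of the same payload (no longer shadows p/id) */
		const struct ipsecdoi_id *dp;
		struct ipsecdoi_id did;
		struct protoent *pe;

		dp = (const struct ipsecdoi_id *)ext;
		ND_TCHECK(*dp);
		unaligned_memcpy(&did, ext, sizeof(did));
		ND_PRINT((ndo," idtype=%s", STR_OR_ID(did.type, ipsecidtypestr)));
		if (did.proto_id) {
#ifndef WIN32
			setprotoent(1);
#endif /* WIN32 */
			pe = getprotobynumber(did.proto_id);
			if (pe)
				ND_PRINT((ndo," protoid=%s", pe->p_name));
#ifndef WIN32
			endprotoent();
#endif /* WIN32 */
		} else {
			/* it DOES NOT mean IPPROTO_IP! */
			ND_PRINT((ndo," protoid=%s", "0"));
		}
		ND_PRINT((ndo," port=%d", ntohs(did.port)));
		if (!len)
			break;
		if (data == NULL)
			goto trunc;
		/* everything below reads at most len bytes from data */
		ND_TCHECK2(*data, len);
		switch (did.type) {
		case IPSECDOI_ID_IPV4_ADDR:
			if (len < 4)
				ND_PRINT((ndo," len=%d [bad: < 4]", len));
			else
				ND_PRINT((ndo," len=%d %s", len, ipaddr_string(data)));
			len = 0;
			break;
		case IPSECDOI_ID_FQDN:
		case IPSECDOI_ID_USER_FQDN:
		    {
			int i;
			ND_PRINT((ndo," len=%d ", len));
			for (i = 0; i < len; i++)
				safeputchar(data[i]);
			len = 0;
			break;
		    }
		case IPSECDOI_ID_IPV4_ADDR_SUBNET:
		    {
			const u_char *mask;
			if (len < 8)
				ND_PRINT((ndo," len=%d [bad: < 8]", len));
			else {
				mask = data + sizeof(struct in_addr);
				ND_PRINT((ndo," len=%d %s/%u.%u.%u.%u", len,
					  ipaddr_string(data),
					  mask[0], mask[1], mask[2], mask[3]));
			}
			len = 0;
			break;
		    }
#ifdef INET6
		case IPSECDOI_ID_IPV6_ADDR:
			if (len < 16)
				ND_PRINT((ndo," len=%d [bad: < 16]", len));
			else
				ND_PRINT((ndo," len=%d %s", len, ip6addr_string(data)));
			len = 0;
			break;
		case IPSECDOI_ID_IPV6_ADDR_SUBNET:
		    {
			u_int32_t mask[4];
			if (len < 20)
				ND_PRINT((ndo," len=%d [bad: < 20]", len));
			else {
				/*
				 * Copy the mask out instead of reading it through
				 * a u_int32_t pointer: data is a byte pointer into
				 * the packet with no alignment guarantee.  The four
				 * words are still printed as host-order integers
				 * (the long-standing XXX), so the output is unchanged.
				 */
				unaligned_memcpy(mask, data + sizeof(struct in6_addr),
						 sizeof(mask));
				ND_PRINT((ndo," len=%d %s/0x%08x%08x%08x%08x", len,
					  ip6addr_string(data),
					  mask[0], mask[1], mask[2], mask[3]));
			}
			len = 0;
			break;
		    }
#endif /*INET6*/
		case IPSECDOI_ID_IPV4_ADDR_RANGE:
			if (len < 8)
				ND_PRINT((ndo," len=%d [bad: < 8]", len));
			else {
				ND_PRINT((ndo," len=%d %s-%s", len,
					  ipaddr_string(data),
					  ipaddr_string(data + sizeof(struct in_addr))));
			}
			len = 0;
			break;
#ifdef INET6
		case IPSECDOI_ID_IPV6_ADDR_RANGE:
			if (len < 32)
				ND_PRINT((ndo," len=%d [bad: < 32]", len));
			else {
				ND_PRINT((ndo," len=%d %s-%s", len,
					  ip6addr_string(data),
					  ip6addr_string(data + sizeof(struct in6_addr))));
			}
			len = 0;
			break;
#endif /*INET6*/
		case IPSECDOI_ID_DER_ASN1_DN:
		case IPSECDOI_ID_DER_ASN1_GN:
		case IPSECDOI_ID_KEY_ID:
			/* left for the generic hex dump below */
			break;
		}
		break;
	    }
	}
	if (data && len) {
		ND_PRINT((ndo," len=%d", len));
		if (2 < ndo->ndo_vflag) {
			ND_PRINT((ndo," "));
			if (!rawprint(ndo, (caddr_t)data, len))
				goto trunc;
		}
	}
	return (const u_char *)ext + item_len;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_ID)));
	return NULL;
}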
1551
/*
 * IKEv1 Certificate payload: prints the certificate data length and
 * encoding type, plus the data in hex with more than two -v flags.
 * Returns a pointer item_len bytes past the payload start, or NULL on
 * truncation.
 */
static const u_char *
ikev1_cert_print(netdissect_options *ndo, u_char tpay _U_,
		 const struct isakmp_gen *ext, u_int item_len _U_,
		 const u_char *ep _U_, u_int32_t phase _U_,
		 u_int32_t doi0 _U_,
		 u_int32_t proto0 _U_, int depth _U_)
{
	const struct ikev1_pl_cert *hdr = (const struct ikev1_pl_cert *)ext;
	struct ikev1_pl_cert cert;
	static const char *certstr[] = {
		"none",	"pkcs7", "pgp", "dns",
		"x509sign", "x509ke", "kerberos", "crl",
		"arl", "spki", "x509attr",
	};
	u_int datalen = item_len - 4;	/* payload minus the generic header */

	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_CERT)));

	ND_TCHECK(*hdr);
	unaligned_memcpy(&cert, ext, sizeof(cert));
	ND_PRINT((ndo," len=%d", datalen));
	ND_PRINT((ndo," type=%s", STR_OR_ID((cert.encode), certstr)));
	if (item_len > 4 && ndo->ndo_vflag > 2) {
		ND_PRINT((ndo," "));
		if (!rawprint(ndo, (caddr_t)(ext + 1), datalen))
			goto trunc;
	}
	return (const u_char *)ext + item_len;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_CERT)));
	return NULL;
}
1584
/*
 * IKEv1 Certificate Request payload.  Same layout and output as the
 * Certificate payload (ikev1_cert_print()), only the payload name differs.
 * Returns a pointer item_len bytes past the payload start, or NULL on
 * truncation.
 */
static const u_char *
ikev1_cr_print(netdissect_options *ndo, u_char tpay _U_,
	       const struct isakmp_gen *ext, u_int item_len _U_,
	       const u_char *ep _U_, u_int32_t phase _U_, u_int32_t doi0 _U_,
	       u_int32_t proto0 _U_, int depth _U_)
{
	const struct ikev1_pl_cert *hdr = (const struct ikev1_pl_cert *)ext;
	struct ikev1_pl_cert cert;
	static const char *certstr[] = {
		"none",	"pkcs7", "pgp", "dns",
		"x509sign", "x509ke", "kerberos", "crl",
		"arl", "spki", "x509attr",
	};
	u_int datalen = item_len - 4;	/* payload minus the generic header */

	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_CR)));

	ND_TCHECK(*hdr);
	unaligned_memcpy(&cert, ext, sizeof(cert));
	ND_PRINT((ndo," len=%d", datalen));
	ND_PRINT((ndo," type=%s", STR_OR_ID((cert.encode), certstr)));
	if (item_len > 4 && ndo->ndo_vflag > 2) {
		ND_PRINT((ndo," "));
		if (!rawprint(ndo, (caddr_t)(ext + 1), datalen))
			goto trunc;
	}
	return (const u_char *)ext + item_len;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_CR)));
	return NULL;
}
1616
/*
 * IKEv1 Hash payload: prints the hash length and, with more than two -v
 * flags, the hash bytes.  Returns a pointer past the payload, or NULL on
 * truncation.
 */
static const u_char *
ikev1_hash_print(netdissect_options *ndo, u_char tpay _U_,
		 const struct isakmp_gen *ext, u_int item_len _U_,
		 const u_char *ep _U_, u_int32_t phase _U_, u_int32_t doi _U_,
		 u_int32_t proto _U_, int depth _U_)
{
	struct isakmp_gen hdr;
	int len;

	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_HASH)));

	ND_TCHECK(*ext);
	unaligned_memcpy(&hdr, ext, sizeof(hdr));
	len = ntohs(hdr.len);
	ND_PRINT((ndo," len=%d", len - 4));
	if (len > 4 && ndo->ndo_vflag > 2) {
		ND_PRINT((ndo," "));
		if (!rawprint(ndo, (caddr_t)(ext + 1), len - 4))
			goto trunc;
	}
	return (const u_char *)ext + len;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_HASH)));
	return NULL;
}
1640
/*
 * IKEv1 Signature payload: prints the signature length and, with more
 * than two -v flags, the signature bytes.  Returns a pointer past the
 * payload, or NULL on truncation.
 */
static const u_char *
ikev1_sig_print(netdissect_options *ndo, u_char tpay _U_,
		const struct isakmp_gen *ext, u_int item_len _U_,
		const u_char *ep _U_, u_int32_t phase _U_, u_int32_t doi _U_,
		u_int32_t proto _U_, int depth _U_)
{
	struct isakmp_gen hdr;
	int len;

	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_SIG)));

	ND_TCHECK(*ext);
	unaligned_memcpy(&hdr, ext, sizeof(hdr));
	len = ntohs(hdr.len);
	ND_PRINT((ndo," len=%d", len - 4));
	if (len > 4 && ndo->ndo_vflag > 2) {
		ND_PRINT((ndo," "));
		if (!rawprint(ndo, (caddr_t)(ext + 1), len - 4))
			goto trunc;
	}
	return (const u_char *)ext + len;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_SIG)));
	return NULL;
}
1664
/*
 * IKEv1 Nonce payload: prints the nonce length; with more than two -v
 * flags the whole nonce in hex, with exactly two a shortened view via
 * ike_show_somedata().  Returns a pointer past the payload, or NULL on
 * truncation.
 */
static const u_char *
ikev1_nonce_print(netdissect_options *ndo, u_char tpay _U_,
		  const struct isakmp_gen *ext,
		  u_int item_len _U_,
		  const u_char *ep _U_,
		  u_int32_t phase _U_, u_int32_t doi _U_,
		  u_int32_t proto _U_, int depth _U_)
{
	struct isakmp_gen hdr;
	int len;

	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_NONCE)));

	ND_TCHECK(*ext);
	unaligned_memcpy(&hdr, ext, sizeof(hdr));
	len = ntohs(hdr.len);
	ND_PRINT((ndo," n len=%d", len - 4));
	if (len > 4) {
		if (ndo->ndo_vflag > 2) {
			ND_PRINT((ndo," "));
			if (!rawprint(ndo, (caddr_t)(ext + 1), len - 4))
				goto trunc;
		} else if (ndo->ndo_vflag > 1) {
			ND_PRINT((ndo," "));
			if (!ike_show_somedata(ndo, (u_char *)(caddr_t)(ext + 1), ep))
				goto trunc;
		}
	}
	return (const u_char *)ext + len;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_NONCE)));
	return NULL;
}
1694
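/*
 * IKEv1 Notification payload.  Prints DOI, protocol id, the notify type
 * (named from the tables below when it falls in a known range), the SPI
 * and, for the IPsec DOI, the notification data ("orig=(...)") decoded
 * according to the notify type.
 *
 * Returns a pointer past the payload, or NULL on truncation or when a
 * nested SA in NO-PROPOSAL-CHOSEN data fails to print.
 */
static const u_char *
ikev1_n_print(netdissect_options *ndo, u_char tpay _U_,
	      const struct isakmp_gen *ext, u_int item_len,
	      const u_char *ep, u_int32_t phase, u_int32_t doi0 _U_,
	      u_int32_t proto0 _U_, int depth)
{
	const struct ikev1_pl_n *p;
	struct ikev1_pl_n n;
	const u_char *cp;
	const u_char *ep2;	/* end of this payload, from item_len */
	u_int32_t doi;
	u_int32_t proto;
	static const char *notify_error_str[] = {
		NULL,				"INVALID-PAYLOAD-TYPE",
		"DOI-NOT-SUPPORTED",		"SITUATION-NOT-SUPPORTED",
		"INVALID-COOKIE",		"INVALID-MAJOR-VERSION",
		"INVALID-MINOR-VERSION",	"INVALID-EXCHANGE-TYPE",
		"INVALID-FLAGS",		"INVALID-MESSAGE-ID",
		"INVALID-PROTOCOL-ID",		"INVALID-SPI",
		"INVALID-TRANSFORM-ID",		"ATTRIBUTES-NOT-SUPPORTED",
		"NO-PROPOSAL-CHOSEN",		"BAD-PROPOSAL-SYNTAX",
		"PAYLOAD-MALFORMED",		"INVALID-KEY-INFORMATION",
		"INVALID-ID-INFORMATION",	"INVALID-CERT-ENCODING",
		"INVALID-CERTIFICATE",		"CERT-TYPE-UNSUPPORTED",
		"INVALID-CERT-AUTHORITY",	"INVALID-HASH-INFORMATION",
		"AUTHENTICATION-FAILED",	"INVALID-SIGNATURE",
		"ADDRESS-NOTIFICATION",		"NOTIFY-SA-LIFETIME",
		"CERTIFICATE-UNAVAILABLE",	"UNSUPPORTED-EXCHANGE-TYPE",
		"UNEQUAL-PAYLOAD-LENGTHS",
	};
	static const char *ipsec_notify_error_str[] = {
		"RESERVED",
	};
	static const char *notify_status_str[] = {
		"CONNECTED",
	};
	static const char *ipsec_notify_status_str[] = {
		"RESPONDER-LIFETIME", "REPLAY-STATUS",
		"INITIAL-CONTACT",
	};
	/* NOTE: these macro must be called with x in proper range */

	/* 0 - 8191 */
#define NOTIFY_ERROR_STR(x) \
	STR_OR_ID((x), notify_error_str)

	/* 8192 - 16383 */
#define IPSEC_NOTIFY_ERROR_STR(x) \
	STR_OR_ID((u_int)((x) - 8192), ipsec_notify_error_str)

	/* 16384 - 24575 */
#define NOTIFY_STATUS_STR(x) \
	STR_OR_ID((u_int)((x) - 16384), notify_status_str)

	/* 24576 - 32767 */
#define IPSEC_NOTIFY_STATUS_STR(x) \
	STR_OR_ID((u_int)((x) - 24576), ipsec_notify_status_str)

	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_N)));

	p = (const struct ikev1_pl_n *)ext;
	ND_TCHECK(*p);
	unaligned_memcpy(&n, ext, sizeof(n));
	doi = ntohl(n.doi);
	proto = n.prot_id;
	if (doi != 1) {
		/* non-IPsec DOI: generic ISAKMP names only, no data decoding */
		ND_PRINT((ndo," doi=%d", doi));
		ND_PRINT((ndo," proto=%d", proto));
		if (ntohs(n.type) < 8192)
			ND_PRINT((ndo," type=%s", NOTIFY_ERROR_STR(ntohs(n.type))));
		else if (ntohs(n.type) < 16384)
			ND_PRINT((ndo," type=%s", numstr(ntohs(n.type))));
		else if (ntohs(n.type) < 24576)
			ND_PRINT((ndo," type=%s", NOTIFY_STATUS_STR(ntohs(n.type))));
		else
			ND_PRINT((ndo," type=%s", numstr(ntohs(n.type))));
		if (n.spi_size) {
			ND_PRINT((ndo," spi="));
			if (!rawprint(ndo, (caddr_t)(p + 1), n.spi_size))
				goto trunc;
		}
		return (const u_char *)(p + 1) + n.spi_size;
	}

	ND_PRINT((ndo," doi=ipsec"));
	ND_PRINT((ndo," proto=%s", PROTOIDSTR(proto)));
	if (ntohs(n.type) < 8192)
		ND_PRINT((ndo," type=%s", NOTIFY_ERROR_STR(ntohs(n.type))));
	else if (ntohs(n.type) < 16384)
		ND_PRINT((ndo," type=%s", IPSEC_NOTIFY_ERROR_STR(ntohs(n.type))));
	else if (ntohs(n.type) < 24576)
		ND_PRINT((ndo," type=%s", NOTIFY_STATUS_STR(ntohs(n.type))));
	else if (ntohs(n.type) < 32768)
		ND_PRINT((ndo," type=%s", IPSEC_NOTIFY_STATUS_STR(ntohs(n.type))));
	else
		ND_PRINT((ndo," type=%s", numstr(ntohs(n.type))));
	if (n.spi_size) {
		ND_PRINT((ndo," spi="));
		if (!rawprint(ndo, (caddr_t)(p + 1), n.spi_size))
			goto trunc;
	}

	cp = (const u_char *)(p + 1) + n.spi_size;
	ep2 = (const u_char *)p + item_len;

	/*
	 * Notification data exists only if the payload extends past the
	 * fixed part and the SPI.  Checking ep2 as well as ep also keeps
	 * the unsigned "item_len - sizeof(*p) - n.spi_size" handed to
	 * isakmp_print() below from wrapping when item_len is too small.
	 */
	if (cp < ep && cp < ep2) {
		ND_PRINT((ndo," orig=("));
		switch (ntohs(n.type)) {
		case IPSECDOI_NTYPE_RESPONDER_LIFETIME:
		    {
			const struct attrmap *map = oakley_t_map;
			size_t nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]);
			while (cp < ep && cp < ep2) {
				cp = ikev1_attrmap_print(ndo, cp,
					(ep < ep2) ? ep : ep2, map, nmap);
			}
			break;
		    }
		case IPSECDOI_NTYPE_REPLAY_STATUS:
		    {
			u_int32_t status;

			/*
			 * "cp < ep" only guarantees one byte; the status is
			 * a 4-byte field, so bound it against the payload,
			 * the buffer end and the captured data, and copy it
			 * out rather than dereferencing a (possibly
			 * misaligned) u_int32_t pointer into the packet.
			 */
			if (ep - cp < (int)sizeof(status) ||
			    ep2 - cp < (int)sizeof(status))
				goto trunc;
			ND_TCHECK2(*cp, sizeof(status));
			unaligned_memcpy(&status, cp, sizeof(status));
			ND_PRINT((ndo,"replay detection %sabled",
				  status ? "en" : "dis"));
			break;
		    }
		case ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN:
			/* the data is the offending SA payload */
			if (ikev1_sub_print(ndo, ISAKMP_NPTYPE_SA,
					    (const struct isakmp_gen *)cp, ep, phase, doi, proto,
					    depth) == NULL)
				return NULL;
			break;
		default:
			/* NULL is dummy */
			isakmp_print(ndo, cp,
				     item_len - sizeof(*p) - n.spi_size,
				     NULL);
		}
		ND_PRINT((ndo,")"));
	}
	return (const u_char *)ext + item_len;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_N)));
	return NULL;
}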
1835
/*
 * IKEv1 Delete payload: prints DOI, protocol id, SPI size and count, then
 * every SPI in hex separated by commas.  Returns a pointer past the last
 * SPI, or NULL on truncation.
 */
static const u_char *
ikev1_d_print(netdissect_options *ndo, u_char tpay _U_,
	      const struct isakmp_gen *ext, u_int item_len _U_,
	      const u_char *ep _U_, u_int32_t phase _U_, u_int32_t doi0 _U_,
	      u_int32_t proto0 _U_, int depth _U_)
{
	const struct ikev1_pl_d *hdr = (const struct ikev1_pl_d *)ext;
	struct ikev1_pl_d d;
	const u_int8_t *spi;
	u_int32_t doi, proto;
	u_int nspi, i;

	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_D)));

	ND_TCHECK(*hdr);
	unaligned_memcpy(&d, ext, sizeof(d));
	doi = ntohl(d.doi);
	proto = d.prot_id;
	nspi = ntohs(d.num_spi);

	if (doi == 1) {
		ND_PRINT((ndo," doi=ipsec"));
		ND_PRINT((ndo," proto=%s", PROTOIDSTR(proto)));
	} else {
		ND_PRINT((ndo," doi=%u", doi));
		ND_PRINT((ndo," proto=%u", proto));
	}
	ND_PRINT((ndo," spilen=%u", d.spi_size));
	ND_PRINT((ndo," nspi=%u", nspi));
	ND_PRINT((ndo," spi="));

	/* the SPIs are packed back to back, spi_size bytes each */
	spi = (const u_int8_t *)(hdr + 1);
	for (i = 0; i < nspi; i++, spi += d.spi_size) {
		if (i)
			ND_PRINT((ndo,","));
		if (!rawprint(ndo, (caddr_t)spi, d.spi_size))
			goto trunc;
	}
	return spi;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_D)));
	return NULL;
}
1879
/*
 * IKEv1 Vendor ID payload: prints the vendor ID length and, with more
 * than two -v flags, its bytes.  Returns a pointer past the payload, or
 * NULL on truncation.
 */
static const u_char *
ikev1_vid_print(netdissect_options *ndo, u_char tpay _U_,
		const struct isakmp_gen *ext,
		u_int item_len _U_, const u_char *ep _U_,
		u_int32_t phase _U_, u_int32_t doi _U_,
		u_int32_t proto _U_, int depth _U_)
{
	struct isakmp_gen hdr;
	int len;

	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_VID)));

	ND_TCHECK(*ext);
	unaligned_memcpy(&hdr, ext, sizeof(hdr));
	len = ntohs(hdr.len);
	ND_PRINT((ndo," len=%d", len - 4));
	if (len > 4 && ndo->ndo_vflag > 2) {
		ND_PRINT((ndo," "));
		if (!rawprint(ndo, (caddr_t)(ext + 1), len - 4))
			goto trunc;
	}
	return (const u_char *)ext + len;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_VID)));
	return NULL;
}
1904
1905 /************************************************************/
1906 /* */
1907 /* IKE v2 - rfc4306 - dissector */
1908 /* */
1909 /************************************************************/
1910
/*
 * Print an IKEv2 payload name, suffixed with "[C]" when bit 7 of the
 * payload header's critical byte is set.
 */
static void
ikev2_pay_print(netdissect_options *ndo, const char *payname, int critical)
{
	const char *flag;

	if (critical & 0x80)
		flag = "[C]";
	else
		flag = "";
	ND_PRINT((ndo,"%s%s:", payname, flag));
}
1916
/*
 * Generic IKEv2 payload printer for types without a dedicated decoder:
 * name, critical flag, data length and, with more than two -v flags, the
 * data in hex.  Returns a pointer past the payload, or NULL on
 * truncation.
 */
static const u_char *
ikev2_gen_print(netdissect_options *ndo, u_char tpay,
		const struct isakmp_gen *ext)
{
	struct isakmp_gen hdr;
	int len;

	ND_TCHECK(*ext);
	unaligned_memcpy(&hdr, ext, sizeof(hdr));
	ikev2_pay_print(ndo, NPSTR(tpay), hdr.critical);

	len = ntohs(hdr.len);
	ND_PRINT((ndo," len=%d", len - 4));
	if (len > 4 && ndo->ndo_vflag > 2) {
		ND_PRINT((ndo," "));
		if (!rawprint(ndo, (caddr_t)(ext + 1), len - 4))
			goto trunc;
	}
	return (const u_char *)ext + len;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
	return NULL;
}
1938
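/*
 * IKEv2 Transform substructure.  pcount is the position printed as "#n".
 * t_type selects the transform-id name table; the ENCR type is the only
 * one with an attribute table (encr_t_map) for the attributes that
 * follow the fixed part, the others print attributes numerically.
 *
 * Returns the position reached after the attributes, or NULL on
 * truncation.
 */
static const u_char *
ikev2_t_print(netdissect_options *ndo, u_char tpay _U_, int pcount,
	      const struct isakmp_gen *ext, u_int item_len,
	      const u_char *ep, u_int32_t phase _U_, u_int32_t doi _U_,
	      u_int32_t proto _U_, int depth _U_)
{
	const struct ikev2_t *p;
	struct ikev2_t t;
	u_int16_t t_id;
	const u_char *cp;
	const char *idstr;
	const struct attrmap *map;
	size_t nmap;
	const u_char *ep2;

	p = (const struct ikev2_t *)ext;
	ND_TCHECK(*p);
	unaligned_memcpy(&t, ext, sizeof(t));
	ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_T), t.h.critical);

	t_id = ntohs(t.t_id);

	map = NULL;
	nmap = 0;

	switch (t.t_type) {
	case IV2_T_ENCR:
		idstr = STR_OR_ID(t_id, esp_p_map);
		map = encr_t_map;
		nmap = sizeof(encr_t_map)/sizeof(encr_t_map[0]);
		break;

	case IV2_T_PRF:
		idstr = STR_OR_ID(t_id, prf_p_map);
		break;

	case IV2_T_INTEG:
		idstr = STR_OR_ID(t_id, integ_p_map);
		break;

	case IV2_T_DH:
		idstr = STR_OR_ID(t_id, dh_p_map);
		break;

	case IV2_T_ESN:
		idstr = STR_OR_ID(t_id, esn_p_map);
		break;

	default:
		idstr = NULL;
		break;
	}

	if (idstr)
		ND_PRINT((ndo," #%u type=%s id=%s ", pcount,
			  STR_OR_ID(t.t_type, ikev2_t_type_map),
			  idstr));
	else
		/* print the host-order t_id, not the raw network-order t.t_id */
		ND_PRINT((ndo," #%u type=%s id=%u ", pcount,
			  STR_OR_ID(t.t_type, ikev2_t_type_map),
			  t_id));
	cp = (const u_char *)(p + 1);
	ep2 = (const u_char *)p + item_len;
	/* attributes run to the nearer of the buffer end and the transform end */
	while (cp < ep && cp < ep2) {
		if (map && nmap) {
			cp = ikev1_attrmap_print(ndo, cp, (ep < ep2) ? ep : ep2,
				map, nmap);
		} else
			cp = ikev1_attr_print(ndo, cp, (ep < ep2) ? ep : ep2);
	}
	if (ep < ep2)
		ND_PRINT((ndo,"..."));
	return cp;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_T)));
	return NULL;
}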
2016
/*
 * IKEv2 Proposal substructure: prints proposal number, protocol id,
 * transform count, length and SPI, then hands the transforms after the
 * SPI to ikev2_sub_print().  Returns its result, or NULL on truncation.
 */
static const u_char *
ikev2_p_print(netdissect_options *ndo, u_char tpay _U_, int pcount _U_,
	      const struct isakmp_gen *ext, u_int item_len _U_,
	      const u_char *ep, u_int32_t phase, u_int32_t doi0,
	      u_int32_t proto0 _U_, int depth)
{
	const struct ikev2_p *hdr = (const struct ikev2_p *)ext;
	struct ikev2_p prop;
	const struct isakmp_gen *transforms;

	ND_TCHECK(*hdr);
	unaligned_memcpy(&prop, ext, sizeof(prop));
	ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_P), prop.h.critical);

	ND_PRINT((ndo," #%u protoid=%s transform=%d len=%u",
		  prop.p_no, PROTOIDSTR(prop.prot_id),
		  prop.num_t, ntohs(prop.h.len)));
	if (prop.spi_size) {
		ND_PRINT((ndo," spi="));
		if (!rawprint(ndo, (caddr_t)(hdr + 1), prop.spi_size))
			goto trunc;
	}

	/* the transforms start right after the variable-size SPI */
	transforms = (const struct isakmp_gen *)
	    ((const u_char *)(hdr + 1) + prop.spi_size);
	ND_TCHECK(*transforms);

	return ikev2_sub_print(ndo, NULL, ISAKMP_NPTYPE_T, transforms, ep, phase, doi0,
			       prop.prot_id, depth);
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_P)));
	return NULL;
}
2052
/*
 * IKEv2 Security Association payload: prints the critical flag and
 * length, then the proposals that follow the generic header via
 * ikev2_sub_print() (its result is not used; phase, DOI and protocol are
 * passed as 0).  Returns a pointer past the payload, or NULL on
 * truncation.
 */
static const u_char *
ikev2_sa_print(netdissect_options *ndo, u_char tpay,
		const struct isakmp_gen *ext1,
		u_int item_len _U_, const u_char *ep _U_,
		u_int32_t phase _U_, u_int32_t doi _U_,
		u_int32_t proto _U_, int depth _U_)
{
	struct isakmp_gen hdr;
	int total_len;

	ND_TCHECK(*ext1);
	unaligned_memcpy(&hdr, ext1, sizeof(hdr));
	ikev2_pay_print(ndo, "sa", hdr.critical);

	total_len = ntohs(hdr.len);
	ND_PRINT((ndo," len=%d", total_len - 4));

	ikev2_sub_print(ndo, NULL, ISAKMP_NPTYPE_P,
			ext1 + 1, ep,
			0, 0, 0, depth);

	return (const u_char *)ext1 + total_len;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
	return NULL;
}
2080
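/*
 * IKEv2 Key Exchange payload: prints the key data length, the DH group
 * and, with more than two -v flags, the key data.  The code assumes the
 * fixed part (struct ikev2_ke) is 8 bytes: key data starts at k + 1 and
 * its length is h.len - 8.
 *
 * Returns a pointer past the payload, or NULL on truncation.
 */
static const u_char *
ikev2_ke_print(netdissect_options *ndo, u_char tpay,
		const struct isakmp_gen *ext,
		u_int item_len _U_, const u_char *ep _U_,
		u_int32_t phase _U_, u_int32_t doi _U_,
		u_int32_t proto _U_, int depth _U_)
{
	struct ikev2_ke ke;
	const struct ikev2_ke *k;
	int len;

	k = (const struct ikev2_ke *)ext;
	/*
	 * Check the whole ikev2_ke, not just the isakmp_gen prefix: the
	 * copy below reads sizeof(ke) bytes.
	 */
	ND_TCHECK(*k);
	unaligned_memcpy(&ke, ext, sizeof(ke));
	ikev2_pay_print(ndo, NPSTR(tpay), ke.h.critical);

	len = ntohs(ke.h.len);
	ND_PRINT((ndo," len=%u group=%s", len - 8,
		  STR_OR_ID(ntohs(ke.ke_group), dh_p_map)));

	if (2 < ndo->ndo_vflag && 8 < len) {
		ND_PRINT((ndo," "));
		if (!rawprint(ndo, (caddr_t)(k + 1), len - 8))
			goto trunc;
	}
	return (const u_char *)ext + len;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
	return NULL;
}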
2109
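/*
 * IKEv2 Identification payload (IDi/IDr).  Prints the length, optionally
 * the whole payload in hex (more than two -v flags), then the
 * identification data after the fixed part either as printable ASCII
 * (FQDN, RFC822 address) or as hex (addresses, DNs, key ids).
 *
 * Returns a pointer past the payload, or NULL on truncation or when the
 * length field is shorter than the fixed part.
 */
static const u_char *
ikev2_ID_print(netdissect_options *ndo, u_char tpay,
		const struct isakmp_gen *ext,
		u_int item_len _U_, const u_char *ep _U_,
		u_int32_t phase _U_, u_int32_t doi _U_,
		u_int32_t proto _U_, int depth _U_)
{
	struct ikev2_id id;
	int id_len, idtype_len, i;
	unsigned int dumpascii, dumphex;
	const unsigned char *typedata;

	/*
	 * The copy below reads sizeof(id) bytes, so that much must be
	 * captured, not just the isakmp_gen prefix.
	 */
	ND_TCHECK2(*ext, sizeof(id));
	unaligned_memcpy(&id, ext, sizeof(id));
	ikev2_pay_print(ndo, NPSTR(tpay), id.h.critical);

	id_len = ntohs(id.h.len);

	ND_PRINT((ndo," len=%d", id_len - 4));
	if (2 < ndo->ndo_vflag && 4 < id_len) {
		ND_PRINT((ndo," "));
		if (!rawprint(ndo, (caddr_t)(ext + 1), id_len - 4))
			goto trunc;
	}

	/*
	 * id_len comes from the packet; if it is smaller than the fixed
	 * part the unsigned subtraction would wrap and idtype_len would be
	 * negative (or huge), so treat that as a malformed payload.
	 */
	if (id_len < (int)sizeof(struct ikev2_id))
		goto trunc;
	idtype_len = id_len - (int)sizeof(struct ikev2_id);
	dumpascii = 0;
	dumphex = 0;
	typedata = (const unsigned char *)ext + sizeof(struct ikev2_id);

	switch(id.type) {
	case ID_IPV4_ADDR:
		ND_PRINT((ndo, " ipv4:"));
		dumphex=1;
		break;
	case ID_FQDN:
		ND_PRINT((ndo, " fqdn:"));
		dumpascii=1;
		break;
	case ID_RFC822_ADDR:
		ND_PRINT((ndo, " rfc822:"));
		dumpascii=1;
		break;
	case ID_IPV6_ADDR:
		ND_PRINT((ndo, " ipv6:"));
		dumphex=1;
		break;
	case ID_DER_ASN1_DN:
		ND_PRINT((ndo, " dn:"));
		dumphex=1;
		break;
	case ID_DER_ASN1_GN:
		ND_PRINT((ndo, " gn:"));
		dumphex=1;
		break;
	case ID_KEY_ID:
		ND_PRINT((ndo, " keyid:"));
		dumphex=1;
		break;
	}

	if(dumpascii) {
		ND_TCHECK2(*typedata, idtype_len);
		for(i=0; i<idtype_len; i++) {
			/* typedata is unsigned char, so isprint() gets an in-range value */
			if(isprint(typedata[i])) {
				ND_PRINT((ndo, "%c", typedata[i]));
			} else {
				ND_PRINT((ndo, "."));
			}
		}
	}
	if(dumphex) {
		/* rawprint() does its own captured-length check */
		if (!rawprint(ndo, (caddr_t)typedata, idtype_len))
			goto trunc;
	}

	return (const u_char *)ext + id_len;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
	return NULL;
}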
2191
/*
 * Print an IKEv2 Certificate payload.  Only the generic header is
 * decoded, via ikev2_gen_print(); the extra dispatch parameters are
 * accepted for signature compatibility with the payload printer table.
 */
static const u_char *
ikev2_cert_print(netdissect_options *ndo, u_char tpay,
		  const struct isakmp_gen *ext,
		  u_int item_len _U_, const u_char *ep _U_,
		  u_int32_t phase _U_, u_int32_t doi _U_,
		  u_int32_t proto _U_, int depth _U_)
{
	const u_char *next;

	next = ikev2_gen_print(ndo, tpay, ext);
	return next;
}
2201
/*
 * Print an IKEv2 Certificate Request payload.  Only the generic header
 * is decoded, via ikev2_gen_print(); the extra dispatch parameters are
 * accepted for signature compatibility with the payload printer table.
 */
static const u_char *
ikev2_cr_print(netdissect_options *ndo, u_char tpay,
		const struct isakmp_gen *ext,
		u_int item_len _U_, const u_char *ep _U_,
		u_int32_t phase _U_, u_int32_t doi _U_,
		u_int32_t proto _U_, int depth _U_)
{
	const u_char *next;

	next = ikev2_gen_print(ndo, tpay, ext);
	return next;
}
2211
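/*
 * Print an IKEv2 Authentication payload: the auth method and, depending
 * on verbosity, all or some of the authentication data that follows the
 * fixed AUTH header.
 *
 * Returns a pointer just past the payload, or NULL after printing a
 * truncation marker when the captured data is too short or the declared
 * length is shorter than the fixed AUTH header.
 */
static const u_char *
ikev2_auth_print(netdissect_options *ndo, u_char tpay,
		  const struct isakmp_gen *ext,
		  u_int item_len _U_, const u_char *ep _U_,
		  u_int32_t phase _U_, u_int32_t doi _U_,
		  u_int32_t proto _U_, int depth _U_)
{
	struct ikev2_auth a;
	const char *v2_auth[]={ "invalid", "rsasig",
				"shared-secret", "dsssig" };
	u_char *authdata = (u_char*)ext + sizeof(a);
	unsigned int len;

	/*
	 * The copy below reads sizeof(a) bytes, so bounds-check all of
	 * them rather than only the 4-byte generic header.
	 */
	ND_TCHECK2(*ext, sizeof(a));
	unaligned_memcpy(&a, ext, sizeof(a));
	ikev2_pay_print(ndo, NPSTR(tpay), a.h.critical);
	len = ntohs(a.h.len);

	/*
	 * A declared length shorter than the fixed AUTH header is malformed
	 * and would make len - sizeof(a) below wrap to a huge value.
	 */
	if (len < sizeof(a))
		goto trunc;

	/* len is unsigned, so print it with %u. */
	ND_PRINT((ndo," len=%u method=%s", len-4,
		  STR_OR_ID(a.auth_method, v2_auth)));

	if (1 < ndo->ndo_vflag && 4 < len) {
		ND_PRINT((ndo," authdata=("));
		if (!rawprint(ndo, (caddr_t)authdata, len - sizeof(a)))
			goto trunc;
		ND_PRINT((ndo,") "));
	} else if(ndo->ndo_vflag && 4 < len) {
		/* -v only: a short excerpt of the data, bounded by ep. */
		if(!ike_show_somedata(ndo, authdata, ep)) goto trunc;
	}

	return (u_char *)ext + len;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
	return NULL;
}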
2247
/*
 * Print an IKEv2 Nonce payload.  At -vv the whole nonce is hex-dumped;
 * at -v only an excerpt is shown.  Returns a pointer just past the
 * payload, or NULL after printing a truncation marker.
 */
static const u_char *
ikev2_nonce_print(netdissect_options *ndo, u_char tpay,
		   const struct isakmp_gen *ext,
		   u_int item_len _U_, const u_char *ep _U_,
		   u_int32_t phase _U_, u_int32_t doi _U_,
		   u_int32_t proto _U_, int depth _U_)
{
	struct isakmp_gen e;
	const u_char *nonce;
	int len;

	ND_TCHECK(*ext);
	unaligned_memcpy(&e, ext, sizeof(e));
	ikev2_pay_print(ndo, "nonce", e.critical);

	/* The nonce bytes follow the 4-byte generic header. */
	len = ntohs(e.len);
	nonce = (const u_char *)(ext + 1);

	ND_PRINT((ndo," len=%d", len - 4));
	if (1 < ndo->ndo_vflag && 4 < len) {
		ND_PRINT((ndo," nonce=("));
		if (!rawprint(ndo, (caddr_t)nonce, len - 4))
			goto trunc;
		ND_PRINT((ndo,") "));
	} else if (ndo->ndo_vflag && 4 < len) {
		if (!ike_show_somedata(ndo, nonce, ep))
			goto trunc;
	}

	return (u_char *)ext + len;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
	return NULL;
}
2276
2277 /* notify payloads */
/*
 * Print an IKEv2 Notify payload.
 *
 * The notify type is mapped to a name and to whether an SPI is expected;
 * types not in the table are labelled by the numeric range they fall in
 * (error / private-error / status / private-status).  The SPI and,
 * depending on verbosity and type, the notification data are hex-dumped.
 * Returns a pointer item_len bytes past the payload start, or NULL after
 * printing a truncation marker.
 *
 * NOTE(review): the data dump runs to ep, which the callers in this file
 * pass as the capture end rather than the end of this payload, so at
 * -vvvv it can extend into whatever follows the payload — confirm intent.
 */
static const u_char *
ikev2_n_print(netdissect_options *ndo, u_char tpay _U_,
		const struct isakmp_gen *ext,
		u_int item_len _U_, const u_char *ep _U_,
		u_int32_t phase _U_, u_int32_t doi _U_,
		u_int32_t proto _U_, int depth _U_)
{
	/* The notify number space is sparse, so use a small lookup table. */
	static const struct {
		u_int32_t	type;
		const char	*name;
		u_char		showspi;
	} notify_names[] = {
		{ IV2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD, "unsupported_critical_payload", 0 },
		{ IV2_NOTIFY_INVALID_IKE_SPI, "invalid_ike_spi", 1 },
		{ IV2_NOTIFY_INVALID_MAJOR_VERSION, "invalid_major_version", 0 },
		{ IV2_NOTIFY_INVALID_SYNTAX, "invalid_syntax", 1 },
		{ IV2_NOTIFY_INVALID_MESSAGE_ID, "invalid_message_id", 1 },
		{ IV2_NOTIFY_INVALID_SPI, "invalid_spi", 1 },
		{ IV2_NOTIFY_NO_PROPOSAL_CHOSEN, "no_protocol_chosen", 1 },
		{ IV2_NOTIFY_INVALID_KE_PAYLOAD, "invalid_ke_payload", 1 },
		{ IV2_NOTIFY_AUTHENTICATION_FAILED, "authentication_failed", 1 },
		{ IV2_NOTIFY_SINGLE_PAIR_REQUIRED, "single_pair_required", 1 },
		{ IV2_NOTIFY_NO_ADDITIONAL_SAS, "no_additional_sas", 0 },
		{ IV2_NOTIFY_INTERNAL_ADDRESS_FAILURE, "internal_address_failure", 0 },
		{ IV2_NOTIFY_FAILED_CP_REQUIRED, "failed:cp_required", 0 },
		{ IV2_NOTIFY_INVALID_SELECTORS, "invalid_selectors", 0 },
		{ IV2_NOTIFY_INITIAL_CONTACT, "initial_contact", 0 },
		{ IV2_NOTIFY_SET_WINDOW_SIZE, "set_window_size", 0 },
		{ IV2_NOTIFY_ADDITIONAL_TS_POSSIBLE, "additional_ts_possible", 0 },
		{ IV2_NOTIFY_IPCOMP_SUPPORTED, "ipcomp_supported", 0 },
		{ IV2_NOTIFY_NAT_DETECTION_SOURCE_IP, "nat_detection_source_ip", 1 },
		{ IV2_NOTIFY_NAT_DETECTION_DESTINATION_IP, "nat_detection_destination_ip", 1 },
		{ IV2_NOTIFY_COOKIE, "cookie", 1 },
		{ IV2_NOTIFY_USE_TRANSPORT_MODE, "use_transport_mode", 0 },
		{ IV2_NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED, "http_cert_lookup_supported", 0 },
		{ IV2_NOTIFY_REKEY_SA, "rekey_sa", 1 },
		{ IV2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED, "tfc_padding_not_supported", 0 },
		{ IV2_NOTIFY_NON_FIRST_FRAGMENTS_ALSO, "non_first_fragment_also", 0 },
	};
	struct ikev2_n *p, n;
	const u_char *cp;
	u_char showspi = 1, showdata = 0, showsomedata = 0;
	const char *notify_name = NULL;
	u_int32_t type;
	u_int idx;

	p = (struct ikev2_n *)ext;
	ND_TCHECK(*p);
	unaligned_memcpy(&n, ext, sizeof(n));
	ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_N), n.h.critical);

	ND_PRINT((ndo," prot_id=%s", PROTOIDSTR(n.prot_id)));

	type = ntohs(n.type);

	for (idx = 0; idx < sizeof(notify_names) / sizeof(notify_names[0]); idx++) {
		if (notify_names[idx].type == type) {
			notify_name = notify_names[idx].name;
			showspi = notify_names[idx].showspi;
			break;
		}
	}
	if (notify_name == NULL) {
		/* Unknown type: label it by the numeric range it falls in. */
		if (type < 8192)
			notify_name = "error";
		else if (type < 16384)
			notify_name = "private-error";
		else if (type < 40960)
			notify_name = "status";
		else
			notify_name = "private-status";
	}
	/* COOKIE is the one type whose data is shown (in part) at low verbosity. */
	if (type == IV2_NOTIFY_COOKIE)
		showsomedata = 1;

	if (notify_name) {
		ND_PRINT((ndo," type=%u(%s)", type, notify_name));
	}

	if (showspi && n.spi_size) {
		ND_PRINT((ndo," spi="));
		if (!rawprint(ndo, (caddr_t)(p + 1), n.spi_size))
			goto trunc;
	}

	/* Notification data follows the fixed header and the SPI. */
	cp = (u_char *)(p + 1) + n.spi_size;

	if (3 < ndo->ndo_vflag)
		showdata = 1;

	if ((showdata || (showsomedata && ep-cp < 30)) && cp < ep) {
		ND_PRINT((ndo," data=("));
		if (!rawprint(ndo, (caddr_t)(cp), ep - cp))
			goto trunc;
		ND_PRINT((ndo,")"));
	} else if (showsomedata && cp < ep) {
		if (!ike_show_somedata(ndo, cp, ep))
			goto trunc;
	}

	return (u_char *)ext + item_len;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_N)));
	return NULL;
}
2484
/*
 * Print an IKEv2 Delete payload.  Only the generic header is decoded,
 * via ikev2_gen_print(); the extra dispatch parameters are accepted for
 * signature compatibility with the payload printer table.
 */
static const u_char *
ikev2_d_print(netdissect_options *ndo, u_char tpay,
		const struct isakmp_gen *ext,
		u_int item_len _U_, const u_char *ep _U_,
		u_int32_t phase _U_, u_int32_t doi _U_,
		u_int32_t proto _U_, int depth _U_)
{
	const u_char *next;

	next = ikev2_gen_print(ndo, tpay, ext);
	return next;
}
2494
/*
 * Print an IKEv2 Vendor ID payload.  The vendor ID bytes are always shown
 * as ASCII (non-printable bytes as '.'); at -vvv they are additionally
 * hex-dumped.  Returns a pointer just past the payload, or NULL after
 * printing a truncation marker.
 *
 * NOTE(review): len here is already the data length (total minus the
 * 4-byte header), so the "4 < len" threshold for the hex dump differs
 * from the sibling printers, which compare the total length — confirm.
 */
static const u_char *
ikev2_vid_print(netdissect_options *ndo, u_char tpay,
		 const struct isakmp_gen *ext,
		 u_int item_len _U_, const u_char *ep _U_,
		 u_int32_t phase _U_, u_int32_t doi _U_,
		 u_int32_t proto _U_, int depth _U_)
{
	struct isakmp_gen e;
	const u_char *vid;
	int pos, len;

	ND_TCHECK(*ext);
	unaligned_memcpy(&e, ext, sizeof(e));
	ikev2_pay_print(ndo, NPSTR(tpay), e.critical);

	/* Vendor ID data follows the 4-byte generic header. */
	vid = (const u_char *)(ext + 1);
	len = ntohs(e.len) - 4;
	ND_PRINT((ndo," len=%d vid=", len));

	ND_TCHECK2(*vid, len);
	for (pos = 0; pos < len; pos++) {
		/* vid is u_char, so isprint() gets a valid value. */
		ND_PRINT((ndo, "%c", isprint(vid[pos]) ? vid[pos] : '.'));
	}
	if (2 < ndo->ndo_vflag && 4 < len) {
		ND_PRINT((ndo," "));
		if (!rawprint(ndo, (caddr_t)vid, len))
			goto trunc;
	}
	return (u_char *)ext + ntohs(e.len);
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
	return NULL;
}
2528
/*
 * Print an IKEv2 Traffic Selector payload (TSi/TSr).  Only the generic
 * header is decoded, via ikev2_gen_print(); the extra dispatch
 * parameters are accepted for signature compatibility with the payload
 * printer table.
 */
static const u_char *
ikev2_TS_print(netdissect_options *ndo, u_char tpay,
		const struct isakmp_gen *ext,
		u_int item_len _U_, const u_char *ep _U_,
		u_int32_t phase _U_, u_int32_t doi _U_,
		u_int32_t proto _U_, int depth _U_)
{
	const u_char *next;

	next = ikev2_gen_print(ndo, tpay, ext);
	return next;
}
2538
/*
 * Print an IKEv2 Encrypted payload.
 *
 * The encrypted data after the generic header is bounds-checked and, at
 * -vvv, hex-dumped.  When built with libcrypto, decryption is attempted
 * with the SA state derived from the ISAKMP header (initiator flag and
 * cookies); on success the decrypted buffer is exposed through
 * ndo->ndo_packetp / ndo->ndo_snapend and the payload chain inside it is
 * dissected starting from the next-payload type carried in this header.
 *
 * Always returns NULL: the Encrypted payload is the last one in the
 * message, and its "next payload" field describes the contents of the
 * encrypted data rather than a following payload.  The parameters that
 * only the decryption path uses are marked _U_ in builds without
 * libcrypto.
 */
static const u_char *
ikev2_e_print(netdissect_options *ndo,
#ifndef HAVE_LIBCRYPTO
	      _U_
#endif
	      struct isakmp *base,
	      u_char tpay,
	      const struct isakmp_gen *ext,
	      u_int item_len _U_, const u_char *ep _U_,
#ifndef HAVE_LIBCRYPTO
	      _U_
#endif
	      u_int32_t phase,
#ifndef HAVE_LIBCRYPTO
	      _U_
#endif
	      u_int32_t doi,
#ifndef HAVE_LIBCRYPTO
	      _U_
#endif
	      u_int32_t proto,
#ifndef HAVE_LIBCRYPTO
	      _U_
#endif
	      int depth)
{
	struct isakmp_gen e;
	u_char *dat;
	/* NOTE(review): why dlen is volatile is not visible here — confirm. */
	volatile int dlen;

	ND_TCHECK(*ext);
	unaligned_memcpy(&e, ext, sizeof(e));
	ikev2_pay_print(ndo, NPSTR(tpay), e.critical);

	/* Length of the data after the 4-byte generic header. */
	dlen = ntohs(e.len)-4;

	ND_PRINT((ndo," len=%d", dlen));
	if (2 < ndo->ndo_vflag && 4 < dlen) {
		ND_PRINT((ndo," "));
		if (!rawprint(ndo, (caddr_t)(ext + 1), dlen))
			goto trunc;
	}

	/* The whole encrypted blob must be in the capture before decrypting. */
	dat = (u_char *)(ext+1);
	ND_TCHECK2(*dat, dlen);

#ifdef HAVE_LIBCRYPTO
	/* try to decrypt it */
	if(esp_print_decrypt_buffer_by_ikev2(ndo,
					     base->flags & ISAKMP_FLAG_I,
					     base->i_ck, base->r_ck,
					     dat, dat+dlen)) {

		/* Decryption replaced the packet buffer; dissect the plaintext. */
		ext = (const struct isakmp_gen *)ndo->ndo_packetp;

		/* got it decrypted, print stuff inside. */
		ikev2_sub_print(ndo, base, e.np, ext, ndo->ndo_snapend,
				phase, doi, proto, depth+1);
	}
#endif


	/* always return NULL, because E must be at end, and NP refers
	 * to what was inside.
	 */
	return NULL;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
	return NULL;
}
2609
/*
 * Print an IKEv2 Configuration payload.  Only the generic header is
 * decoded, via ikev2_gen_print(); the extra dispatch parameters are
 * accepted for signature compatibility with the payload printer table.
 */
static const u_char *
ikev2_cp_print(netdissect_options *ndo, u_char tpay,
		const struct isakmp_gen *ext,
		u_int item_len _U_, const u_char *ep _U_,
		u_int32_t phase _U_, u_int32_t doi _U_,
		u_int32_t proto _U_, int depth _U_)
{
	const u_char *next;

	next = ikev2_gen_print(ndo, tpay, ext);
	return next;
}
2619
/*
 * Print an IKEv2 EAP payload.  Only the generic header is decoded, via
 * ikev2_gen_print(); the extra dispatch parameters are accepted for
 * signature compatibility with the payload printer table.
 */
static const u_char *
ikev2_eap_print(netdissect_options *ndo, u_char tpay,
		 const struct isakmp_gen *ext,
		 u_int item_len _U_, const u_char *ep _U_,
		 u_int32_t phase _U_, u_int32_t doi _U_,
		 u_int32_t proto _U_, int depth _U_)
{
	const u_char *next;

	next = ikev2_gen_print(ndo, tpay, ext);
	return next;
}
2629
/*
 * Dissect a single IKEv1 payload of type np at ext and return a pointer
 * to the payload that follows it.
 *
 * Returns NULL when the generic header is truncated or declares a length
 * of 4 or less (no room for anything past the header), so that the
 * caller's loop over the payload chain stops instead of spinning.
 * Payload types without a printer in npfunc[] are named and skipped.
 */
static const u_char *
ike_sub0_print(netdissect_options *ndo,
		 u_char np, const struct isakmp_gen *ext, const u_char *ep,
		 u_int32_t phase, u_int32_t doi, u_int32_t proto, int depth)
{
	struct isakmp_gen e;
	u_int item_len;
	const u_char *next = (const u_char *)ext;

	ND_TCHECK(*ext);
	unaligned_memcpy(&e, ext, sizeof(e));

	/*
	 * The generic header alone is 4 bytes, so a declared length of 4 or
	 * less is nonsensical; bail out so the caller cannot loop forever on
	 * zero-length items or misdissect what follows.
	 */
	item_len = ntohs(e.len);
	if (item_len <= 4)
		return NULL;

	if (!NPFUNC(np)) {
		/* No printer for this type: name it and step over it. */
		ND_PRINT((ndo,"%s", NPSTR(np)));
		return next + item_len;
	}

	/*
	 * XXX - the per-type printer is trusted to validate item_len
	 * against what its payload type requires.
	 */
	return (*npfunc[np])(ndo, np, ext, item_len, ep, phase, doi, proto, depth);
trunc:
	ND_PRINT((ndo," [|isakmp]"));
	return NULL;
}
2670
/*
 * Walk and print an IKEv1 payload chain starting with payload type np at
 * ext.  Each payload is printed on its own line, indented one space per
 * nesting level and wrapped in parentheses.
 *
 * Returns a pointer past the last payload, or NULL when a payload is
 * truncated or could not be dissected (ike_sub0_print() returned NULL).
 */
static const u_char *
ikev1_sub_print(netdissect_options *ndo,
		u_char np, const struct isakmp_gen *ext, const u_char *ep,
		u_int32_t phase, u_int32_t doi, u_int32_t proto, int depth)
{
	const u_char *cp = (const u_char *)ext;
	struct isakmp_gen e;
	int level;

	/* A next-payload type of 0 terminates the chain. */
	while (np) {
		ND_TCHECK(*ext);
		unaligned_memcpy(&e, ext, sizeof(e));
		/* The whole payload, as declared, must be in the capture. */
		ND_TCHECK2(*ext, ntohs(e.len));

		/* One payload per line, indented by nesting depth + 1. */
		ND_PRINT((ndo,"\n"));
		for (level = 0; level <= depth; level++)
			ND_PRINT((ndo," "));
		ND_PRINT((ndo,"("));
		cp = ike_sub0_print(ndo, np, ext, ep, phase, doi, proto, depth + 1);
		ND_PRINT((ndo,")"));

		if (cp == NULL) {
			/* Sub-item too short or truncated: give up on the chain. */
			return NULL;
		}

		/* Continue with the payload type this header names next. */
		np = e.np;
		ext = (const struct isakmp_gen *)cp;
	}
	return cp;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(np)));
	return NULL;
}
2711
/*
 * Format an integer as "#<n>" for display of codes that have no name.
 * Returns a pointer to a single static buffer: the result is only valid
 * until the next call and the function is not reentrant.
 */
static char *
numstr(int x)
{
	static char buf[20];

	(void)snprintf(buf, sizeof buf, "#%d", x);
	return buf;
}
2719
/*
 * Print the IKEv1-specific summary of an ISAKMP message: phase, the
 * initiator/responder role recovered from the cookie table, exchange
 * type and flags.  At -v the payload chain is dissected as well, unless
 * the message is flagged encrypted; a mismatch between the header length
 * and the supplied length is reported after that.
 *
 * bp/length are the ISAKMP message and its length; bp2 is passed through
 * to the cookie bookkeeping helpers (presumably the enclosing network
 * header — confirm against cookie_record()); base is an aligned copy of
 * the ISAKMP header.
 */
static void
ikev1_print(netdissect_options *ndo,
	    const u_char *bp, u_int length,
	    const u_char *bp2, struct isakmp *base)
{
	const struct isakmp *p = (const struct isakmp *)bp;
	const u_char *ep = ndo->ndo_snapend;	/* also used by CHECKLEN */
	u_char np;
	int idx;
	int phase;

	/* A zero message ID marks phase 1. */
	phase = (EXTRACT_32BITS(base->msgid) == 0) ? 1 : 2;
	if (phase == 1)
		ND_PRINT((ndo," phase %d", phase));
	else
		ND_PRINT((ndo," phase %d/others", phase));

	idx = cookie_find(&base->i_ck);
	if (idx < 0) {
		/* Unknown initiator cookie: an all-zero responder cookie means first packet. */
		if (iszero((u_char *)&base->r_ck, sizeof(base->r_ck))) {
			ND_PRINT((ndo," I"));
			if (bp2)
				cookie_record(&base->i_ck, bp2);
		} else {
			ND_PRINT((ndo," ?"));
		}
	} else if (bp2 && cookie_isinitiator(idx, bp2)) {
		ND_PRINT((ndo," I"));
	} else if (bp2 && cookie_isresponder(idx, bp2)) {
		ND_PRINT((ndo," R"));
	} else {
		ND_PRINT((ndo," ?"));
	}

	ND_PRINT((ndo," %s", ETYPESTR(base->etype)));
	if (base->flags) {
		ND_PRINT((ndo,"[%s%s]", base->flags & ISAKMP_FLAG_E ? "E" : "",
			  base->flags & ISAKMP_FLAG_C ? "C" : ""));
	}

	if (ndo->ndo_vflag) {
		const struct isakmp_gen *ext;

		ND_PRINT((ndo,":"));

		/* regardless of phase... */
		if (base->flags & ISAKMP_FLAG_E) {
			/*
			 * encrypted, nothing we can do right now.
			 * we hope to decrypt the packet in the future...
			 */
			ND_PRINT((ndo," [encrypted %s]", NPSTR(base->np)));
			goto done;
		}

		/* CHECKLEN jumps to done: if the first payload lies past ep. */
		CHECKLEN(p + 1, base->np);
		np = base->np;
		ext = (const struct isakmp_gen *)(p + 1);
		ikev1_sub_print(ndo, np, ext, ep, phase, 0, 0, 0);
	}

done:
	if (ndo->ndo_vflag && ntohl(base->len) != length) {
		ND_PRINT((ndo," (len mismatch: isakmp %u/ip %u)",
			  (u_int32_t)ntohl(base->len), length));
	}
}
2793
/*
 * Dissect a single IKEv2 payload of type np at ext and return a pointer
 * to the payload that follows it.
 *
 * Proposal, Transform and Encrypted payloads need extra context (the
 * proposal count or the ISAKMP header) and are dispatched explicitly;
 * everything else goes through the npfunc[] printer table, and types
 * without a printer are named and skipped.  Returns NULL when the
 * generic header is truncated or declares a length of 4 or less.
 */
static const u_char *
ikev2_sub0_print(netdissect_options *ndo, struct isakmp *base,
		 u_char np, int pcount,
		 const struct isakmp_gen *ext, const u_char *ep,
		 u_int32_t phase, u_int32_t doi, u_int32_t proto, int depth)
{
	struct isakmp_gen e;
	u_int item_len;
	const u_char *cp = (const u_char *)ext;

	ND_TCHECK(*ext);
	unaligned_memcpy(&e, ext, sizeof(e));

	/*
	 * The generic header alone is 4 bytes, so a declared length of 4 or
	 * less is nonsensical; bail out so the caller cannot loop forever on
	 * zero-length items or misdissect what follows.
	 */
	item_len = ntohs(e.len);
	if (item_len <= 4)
		return NULL;

	switch (np) {
	case ISAKMP_NPTYPE_P:
		cp = ikev2_p_print(ndo, np, pcount, ext, item_len,
				   ep, phase, doi, proto, depth);
		break;
	case ISAKMP_NPTYPE_T:
		cp = ikev2_t_print(ndo, np, pcount, ext, item_len,
				   ep, phase, doi, proto, depth);
		break;
	case ISAKMP_NPTYPE_v2E:
		cp = ikev2_e_print(ndo, base, np, ext, item_len,
				   ep, phase, doi, proto, depth);
		break;
	default:
		if (NPFUNC(np)) {
			/*
			 * XXX - the per-type printer is trusted to validate
			 * item_len against what its payload type requires.
			 */
			cp = (*npfunc[np])(ndo, np, ext, item_len,
					   ep, phase, doi, proto, depth);
		} else {
			ND_PRINT((ndo,"%s", NPSTR(np)));
			cp += item_len;
		}
		break;
	}

	return cp;
trunc:
	ND_PRINT((ndo," [|isakmp]"));
	return NULL;
}
2844
/*
 * Walk and print an IKEv2 payload chain starting with payload type np at
 * ext.  Each payload is printed on its own line, indented one space per
 * nesting level and wrapped in parentheses; pcount numbers the payloads
 * in this chain from 1 for the proposal/transform printers.
 *
 * Returns a pointer past the last payload, or NULL when a payload is
 * truncated or could not be dissected (ikev2_sub0_print() returned NULL).
 */
static const u_char *
ikev2_sub_print(netdissect_options *ndo,
		struct isakmp *base,
		u_char np, const struct isakmp_gen *ext, const u_char *ep,
		u_int32_t phase, u_int32_t doi, u_int32_t proto, int depth)
{
	const u_char *cp = (const u_char *)ext;
	struct isakmp_gen e;
	int pcount = 0;
	int level;

	/* A next-payload type of 0 terminates the chain. */
	while (np) {
		pcount++;
		ND_TCHECK(*ext);
		unaligned_memcpy(&e, ext, sizeof(e));
		/* The whole payload, as declared, must be in the capture. */
		ND_TCHECK2(*ext, ntohs(e.len));

		/* One payload per line, indented by nesting depth + 1. */
		ND_PRINT((ndo,"\n"));
		for (level = 0; level <= depth; level++)
			ND_PRINT((ndo," "));
		ND_PRINT((ndo,"("));
		cp = ikev2_sub0_print(ndo, base, np, pcount,
				      ext, ep, phase, doi, proto, depth + 1);
		ND_PRINT((ndo,")"));

		if (cp == NULL) {
			/* Sub-item too short or truncated: give up on the chain. */
			return NULL;
		}

		/* Continue with the payload type this header names next. */
		np = e.np;
		ext = (const struct isakmp_gen *)cp;
	}
	return cp;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(np)));
	return NULL;
}
2889
/*
 * Print the IKEv2-specific summary of an ISAKMP message: parent/child SA
 * (from the message ID), exchange type and the I/V/R flags.  At -v the
 * payload chain is dissected as well, unless the message is flagged
 * encrypted; a mismatch between the header length and the supplied
 * length is reported after that.
 *
 * bp/length are the ISAKMP message and its length; bp2 is unused here;
 * base is an aligned copy of the ISAKMP header.
 */
static void
ikev2_print(netdissect_options *ndo,
	    const u_char *bp, u_int length,
	    const u_char *bp2 _U_, struct isakmp *base)
{
	const struct isakmp *p = (const struct isakmp *)bp;
	const u_char *ep = ndo->ndo_snapend;	/* also used by CHECKLEN */
	u_char np;
	int phase;

	/* A zero message ID marks the IKE SA exchange itself. */
	phase = (EXTRACT_32BITS(base->msgid) == 0) ? 1 : 2;
	ND_PRINT((ndo, "%s", phase == 1 ? " parent_sa" : " child_sa "));

	ND_PRINT((ndo, " %s", ETYPESTR(base->etype)));
	if (base->flags) {
		ND_PRINT((ndo, "[%s%s%s]",
			  base->flags & ISAKMP_FLAG_I ? "I" : "",
			  base->flags & ISAKMP_FLAG_V ? "V" : "",
			  base->flags & ISAKMP_FLAG_R ? "R" : ""));
	}

	if (ndo->ndo_vflag) {
		const struct isakmp_gen *ext;

		ND_PRINT((ndo, ":"));

		/* regardless of phase... */
		if (base->flags & ISAKMP_FLAG_E) {
			/*
			 * encrypted, nothing we can do right now.
			 * we hope to decrypt the packet in the future...
			 */
			ND_PRINT((ndo, " [encrypted %s]", NPSTR(base->np)));
			goto done;
		}

		/* CHECKLEN jumps to done: if the first payload lies past ep. */
		CHECKLEN(p + 1, base->np);

		np = base->np;
		ext = (const struct isakmp_gen *)(p + 1);
		ikev2_sub_print(ndo, base, np, ext, ep, phase, 0, 0, 0);
	}

done:
	if (ndo->ndo_vflag && ntohl(base->len) != length) {
		ND_PRINT((ndo, " (len mismatch: isakmp %u/ip %u)",
			  (u_int32_t)ntohl(base->len), length));
	}
}
2947
/*
 * Entry point for an ISAKMP/IKE message at bp of the given length.
 *
 * Requires a complete fixed ISAKMP header in the capture; prints the
 * version (at -v), message ID (at -v) and cookies (at -vv) from an
 * aligned copy of the header, then hands off to the IKEv1 or IKEv2
 * printer by major version.  bp2 is passed through to those printers.
 */
void
isakmp_print(netdissect_options *ndo,
	     const u_char *bp, u_int length,
	     const u_char *bp2)
{
	const struct isakmp *p = (const struct isakmp *)bp;
	const u_char *ep;
	struct isakmp base;
	int major, minor;

#ifdef HAVE_LIBCRYPTO
	/* initialize SAs */
	if (ndo->ndo_sa_list_head == NULL && ndo->ndo_espsecret)
		esp_print_decodesecret(ndo);
#endif

	ep = ndo->ndo_snapend;

	/* Nothing can be decoded without the whole fixed header. */
	if ((struct isakmp *)ep < p + 1) {
		ND_PRINT((ndo,"[|isakmp]"));
		return;
	}

	/* Copy out the header so the fields can be read aligned. */
	unaligned_memcpy(&base, p, sizeof(base));

	ND_PRINT((ndo,"isakmp"));
	major = (base.vers & ISAKMP_VERS_MAJOR) >> ISAKMP_VERS_MAJOR_SHIFT;
	minor = (base.vers & ISAKMP_VERS_MINOR) >> ISAKMP_VERS_MINOR_SHIFT;

	if (ndo->ndo_vflag) {
		ND_PRINT((ndo," %d.%d", major, minor));
		ND_PRINT((ndo," msgid "));
		hexprint(ndo, (caddr_t)&base.msgid, sizeof(base.msgid));
	}

	if (1 < ndo->ndo_vflag) {
		ND_PRINT((ndo," cookie "));
		hexprint(ndo, (caddr_t)&base.i_ck, sizeof(base.i_ck));
		ND_PRINT((ndo,"->"));
		hexprint(ndo, (caddr_t)&base.r_ck, sizeof(base.r_ck));
	}
	ND_PRINT((ndo,":"));

	switch (major) {
	case IKEv1_MAJOR_VERSION:
		ikev1_print(ndo, bp, length, bp2, &base);
		break;
	case IKEv2_MAJOR_VERSION:
		ikev2_print(ndo, bp, length, bp2, &base);
		break;
	default:
		/* Other major versions: only the header summary is printed. */
		break;
	}
}
3009
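/*
 * Print UDP-encapsulated IKE/ESP (RFC 3948) at bp of the given
 * on-the-wire length.
 *
 * A one-byte 0xff datagram is a NAT keep-alive.  A four-byte all-zero
 * non-ESP marker means an ISAKMP message follows and is handed to
 * isakmp_print().  Anything else is treated as ESP: esp_print() is asked
 * to dissect (and, if keyed, decrypt) it, after which the inner packet is
 * handed to ip_print_inner().  bp2 is passed through to those printers.
 *
 * `length` is the wire length, not the captured length, so every byte
 * looked at here is bounds-checked against the capture end first.
 */
void
isakmp_rfc3948_print(netdissect_options *ndo,
		     const u_char *bp, u_int length,
		     const u_char *bp2)
{
	if (length == 1) {
		/* The keep-alive test reads bp[0]; make sure it was captured. */
		ND_TCHECK(bp[0]);
		if (bp[0] == 0xff) {
			ND_PRINT((ndo, "isakmp-nat-keep-alive"));
			return;
		}
	}

	if (length < 4) {
		goto trunc;
	}

	/*
	 * see if this is an IKE packet: a four-byte all-zero non-ESP
	 * marker precedes the ISAKMP header.  Check that those four bytes
	 * were captured before reading them.
	 */
	ND_TCHECK2(*bp, 4);
	if (bp[0]==0 && bp[1]==0 && bp[2]==0 && bp[3]==0) {
		ND_PRINT((ndo, "NONESP-encap: "));
		isakmp_print(ndo, bp+4, length-4, bp2);
		return;
	}

	/* must be an ESP packet */
	{
		int nh, enh, padlen;
		int advance;

		ND_PRINT((ndo, "UDP-encap: "));

		/* advance <= 0 means esp_print() had nothing more to offer. */
		advance = esp_print(ndo, bp, length, bp2, &enh, &padlen);
		if (advance <= 0)
			return;

		/*
		 * NOTE(review): this assumes esp_print() never reports
		 * advance + padlen greater than length; length is unsigned
		 * and would wrap otherwise — confirm against esp_print().
		 */
		bp += advance;
		length -= advance + padlen;
		nh = enh & 0xff;

		ip_print_inner(ndo, bp, length, nh, bp2);
		return;
	}

trunc:
	ND_PRINT((ndo,"[|isakmp]"));
	return;
}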
3057
3058 /*
3059 * Local Variables:
3060 * c-style: whitesmith
3061 * c-basic-offset: 8
3062 * End:
3063 */
3064
3065
3066
3067