]> The Tcpdump Group git mirrors - tcpdump/blob - print-isakmp.c
projects / tcpdump / blob
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
CVE-2017-13689/IKEv1: Fix addr+subnet length check.
[tcpdump] / print-isakmp.c
1 /*
2 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. Neither the name of the project nor the names of its contributors
14 * may be used to endorse or promote products derived from this software
15 * without specific prior written permission.
16 *
17 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27 * SUCH DAMAGE.
28 *
29 */
30
31 /* \summary: Internet Security Association and Key Management Protocol (ISAKMP) printer */
32
33 #ifdef HAVE_CONFIG_H
34 #include "config.h"
35 #endif
36
37 /* The functions from print-esp.c used in this file are only defined when both
38 * OpenSSL and evp.h are detected. Employ the same preprocessor device here.
39 */
40 #ifndef HAVE_OPENSSL_EVP_H
41 #undef HAVE_LIBCRYPTO
42 #endif
43
44 #include <netdissect-stdinc.h>
45
46 #include <string.h>
47
48 #include "netdissect.h"
49 #include "addrtoname.h"
50 #include "extract.h"
51
52 #include "ip.h"
53 #include "ip6.h"
54 #include "ipproto.h"
55
56 /* refer to RFC 2408 */
57
58 typedef u_char cookie_t[8];
59 typedef u_char msgid_t[4];
60
61 #define PORT_ISAKMP 500
62
63 /* 3.1 ISAKMP Header Format (IKEv1 and IKEv2)
64 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
65 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
66 ! Initiator !
67 ! Cookie !
68 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
69 ! Responder !
70 ! Cookie !
71 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
72 ! Next Payload ! MjVer ! MnVer ! Exchange Type ! Flags !
73 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
74 ! Message ID !
75 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
76 ! Length !
77 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
78 */
79 struct isakmp {
80 cookie_t i_ck; /* Initiator Cookie */
81 cookie_t r_ck; /* Responder Cookie */
82 uint8_t np; /* Next Payload Type */
83 uint8_t vers;
84 #define ISAKMP_VERS_MAJOR 0xf0
85 #define ISAKMP_VERS_MAJOR_SHIFT 4
86 #define ISAKMP_VERS_MINOR 0x0f
87 #define ISAKMP_VERS_MINOR_SHIFT 0
88 uint8_t etype; /* Exchange Type */
89 uint8_t flags; /* Flags */
90 msgid_t msgid;
91 uint32_t len; /* Length */
92 };
93
94 /* Next Payload Type */
95 #define ISAKMP_NPTYPE_NONE 0 /* NONE*/
96 #define ISAKMP_NPTYPE_SA 1 /* Security Association */
97 #define ISAKMP_NPTYPE_P 2 /* Proposal */
98 #define ISAKMP_NPTYPE_T 3 /* Transform */
99 #define ISAKMP_NPTYPE_KE 4 /* Key Exchange */
100 #define ISAKMP_NPTYPE_ID 5 /* Identification */
101 #define ISAKMP_NPTYPE_CERT 6 /* Certificate */
102 #define ISAKMP_NPTYPE_CR 7 /* Certificate Request */
103 #define ISAKMP_NPTYPE_HASH 8 /* Hash */
104 #define ISAKMP_NPTYPE_SIG 9 /* Signature */
105 #define ISAKMP_NPTYPE_NONCE 10 /* Nonce */
106 #define ISAKMP_NPTYPE_N 11 /* Notification */
107 #define ISAKMP_NPTYPE_D 12 /* Delete */
108 #define ISAKMP_NPTYPE_VID 13 /* Vendor ID */
109 #define ISAKMP_NPTYPE_v2E 46 /* v2 Encrypted payload */
110
111 #define IKEv1_MAJOR_VERSION 1
112 #define IKEv1_MINOR_VERSION 0
113
114 #define IKEv2_MAJOR_VERSION 2
115 #define IKEv2_MINOR_VERSION 0
116
117 /* Flags */
118 #define ISAKMP_FLAG_E 0x01 /* Encryption Bit */
119 #define ISAKMP_FLAG_C 0x02 /* Commit Bit */
120 #define ISAKMP_FLAG_extra 0x04
121
122 /* IKEv2 */
123 #define ISAKMP_FLAG_I (1 << 3) /* (I)nitiator */
124 #define ISAKMP_FLAG_V (1 << 4) /* (V)ersion */
125 #define ISAKMP_FLAG_R (1 << 5) /* (R)esponse */
126
127
128 /* 3.2 Payload Generic Header
129 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
130 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
131 ! Next Payload ! RESERVED ! Payload Length !
132 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
133 */
134 struct isakmp_gen {
135 uint8_t np; /* Next Payload */
136 uint8_t critical; /* bit 7 - critical, rest is RESERVED */
137 uint16_t len; /* Payload Length */
138 };
139
140 /* 3.3 Data Attributes
141 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
142 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
143 !A! Attribute Type ! AF=0 Attribute Length !
144 !F! ! AF=1 Attribute Value !
145 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
146 . AF=0 Attribute Value .
147 . AF=1 Not Transmitted .
148 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
149 */
150 struct isakmp_data {
151 uint16_t type; /* defined by DOI-spec, and Attribute Format */
152 uint16_t lorv; /* if f equal 1, Attribute Length */
153 /* if f equal 0, Attribute Value */
154 /* if f equal 1, Attribute Value */
155 };
156
157 /* 3.4 Security Association Payload */
158 /* MAY NOT be used, because of being defined in ipsec-doi. */
159 /*
160 If the current payload is the last in the message,
161 then the value of the next payload field will be 0.
162 This field MUST NOT contain the
163 values for the Proposal or Transform payloads as they are considered
164 part of the security association negotiation. For example, this
165 field would contain the value "10" (Nonce payload) in the first
166 message of a Base Exchange (see Section 4.4) and the value "0" in the
167 first message of an Identity Protect Exchange (see Section 4.5).
168 */
169 struct ikev1_pl_sa {
170 struct isakmp_gen h;
171 uint32_t doi; /* Domain of Interpretation */
172 uint32_t sit; /* Situation */
173 };
174
175 /* 3.5 Proposal Payload */
176 /*
177 The value of the next payload field MUST only contain the value "2"
178 or "0". If there are additional Proposal payloads in the message,
179 then this field will be 2. If the current Proposal payload is the
180 last within the security association proposal, then this field will
181 be 0.
182 */
183 struct ikev1_pl_p {
184 struct isakmp_gen h;
185 uint8_t p_no; /* Proposal # */
186 uint8_t prot_id; /* Protocol */
187 uint8_t spi_size; /* SPI Size */
188 uint8_t num_t; /* Number of Transforms */
189 /* SPI */
190 };
191
192 /* 3.6 Transform Payload */
193 /*
194 The value of the next payload field MUST only contain the value "3"
195 or "0". If there are additional Transform payloads in the proposal,
196 then this field will be 3. If the current Transform payload is the
197 last within the proposal, then this field will be 0.
198 */
199 struct ikev1_pl_t {
200 struct isakmp_gen h;
201 uint8_t t_no; /* Transform # */
202 uint8_t t_id; /* Transform-Id */
203 uint16_t reserved; /* RESERVED2 */
204 /* SA Attributes */
205 };
206
207 /* 3.7 Key Exchange Payload */
208 struct ikev1_pl_ke {
209 struct isakmp_gen h;
210 /* Key Exchange Data */
211 };
212
213 /* 3.8 Identification Payload */
214 /* MUST NOT to be used, because of being defined in ipsec-doi. */
215 struct ikev1_pl_id {
216 struct isakmp_gen h;
217 union {
218 uint8_t id_type; /* ID Type */
219 uint32_t doi_data; /* DOI Specific ID Data */
220 } d;
221 /* Identification Data */
222 };
223
224 /* 3.9 Certificate Payload */
225 struct ikev1_pl_cert {
226 struct isakmp_gen h;
227 uint8_t encode; /* Cert Encoding */
228 char cert; /* Certificate Data */
229 /*
230 This field indicates the type of
231 certificate or certificate-related information contained in the
232 Certificate Data field.
233 */
234 };
235
236 /* 3.10 Certificate Request Payload */
237 struct ikev1_pl_cr {
238 struct isakmp_gen h;
239 uint8_t num_cert; /* # Cert. Types */
240 /*
241 Certificate Types (variable length)
242 -- Contains a list of the types of certificates requested,
243 sorted in order of preference. Each individual certificate
244 type is 1 octet. This field is NOT requiredo
245 */
246 /* # Certificate Authorities (1 octet) */
247 /* Certificate Authorities (variable length) */
248 };
249
250 /* 3.11 Hash Payload */
251 /* may not be used, because of having only data. */
252 struct ikev1_pl_hash {
253 struct isakmp_gen h;
254 /* Hash Data */
255 };
256
257 /* 3.12 Signature Payload */
258 /* may not be used, because of having only data. */
259 struct ikev1_pl_sig {
260 struct isakmp_gen h;
261 /* Signature Data */
262 };
263
264 /* 3.13 Nonce Payload */
265 /* may not be used, because of having only data. */
266 struct ikev1_pl_nonce {
267 struct isakmp_gen h;
268 /* Nonce Data */
269 };
270
271 /* 3.14 Notification Payload */
272 struct ikev1_pl_n {
273 struct isakmp_gen h;
274 uint32_t doi; /* Domain of Interpretation */
275 uint8_t prot_id; /* Protocol-ID */
276 uint8_t spi_size; /* SPI Size */
277 uint16_t type; /* Notify Message Type */
278 /* SPI */
279 /* Notification Data */
280 };
281
282 /* 3.14.1 Notify Message Types */
283 /* NOTIFY MESSAGES - ERROR TYPES */
284 #define ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE 1
285 #define ISAKMP_NTYPE_DOI_NOT_SUPPORTED 2
286 #define ISAKMP_NTYPE_SITUATION_NOT_SUPPORTED 3
287 #define ISAKMP_NTYPE_INVALID_COOKIE 4
288 #define ISAKMP_NTYPE_INVALID_MAJOR_VERSION 5
289 #define ISAKMP_NTYPE_INVALID_MINOR_VERSION 6
290 #define ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE 7
291 #define ISAKMP_NTYPE_INVALID_FLAGS 8
292 #define ISAKMP_NTYPE_INVALID_MESSAGE_ID 9
293 #define ISAKMP_NTYPE_INVALID_PROTOCOL_ID 10
294 #define ISAKMP_NTYPE_INVALID_SPI 11
295 #define ISAKMP_NTYPE_INVALID_TRANSFORM_ID 12
296 #define ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED 13
297 #define ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN 14
298 #define ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX 15
299 #define ISAKMP_NTYPE_PAYLOAD_MALFORMED 16
300 #define ISAKMP_NTYPE_INVALID_KEY_INFORMATION 17
301 #define ISAKMP_NTYPE_INVALID_ID_INFORMATION 18
302 #define ISAKMP_NTYPE_INVALID_CERT_ENCODING 19
303 #define ISAKMP_NTYPE_INVALID_CERTIFICATE 20
304 #define ISAKMP_NTYPE_BAD_CERT_REQUEST_SYNTAX 21
305 #define ISAKMP_NTYPE_INVALID_CERT_AUTHORITY 22
306 #define ISAKMP_NTYPE_INVALID_HASH_INFORMATION 23
307 #define ISAKMP_NTYPE_AUTHENTICATION_FAILED 24
308 #define ISAKMP_NTYPE_INVALID_SIGNATURE 25
309 #define ISAKMP_NTYPE_ADDRESS_NOTIFICATION 26
310
311 /* 3.15 Delete Payload */
312 struct ikev1_pl_d {
313 struct isakmp_gen h;
314 uint32_t doi; /* Domain of Interpretation */
315 uint8_t prot_id; /* Protocol-Id */
316 uint8_t spi_size; /* SPI Size */
317 uint16_t num_spi; /* # of SPIs */
318 /* SPI(es) */
319 };
320
321 struct ikev1_ph1tab {
322 struct ikev1_ph1 *head;
323 struct ikev1_ph1 *tail;
324 int len;
325 };
326
327 struct isakmp_ph2tab {
328 struct ikev1_ph2 *head;
329 struct ikev1_ph2 *tail;
330 int len;
331 };
332
333 /* IKEv2 (RFC4306) */
334
335 /* 3.3 Security Association Payload -- generic header */
336 /* 3.3.1. Proposal Substructure */
337 struct ikev2_p {
338 struct isakmp_gen h;
339 uint8_t p_no; /* Proposal # */
340 uint8_t prot_id; /* Protocol */
341 uint8_t spi_size; /* SPI Size */
342 uint8_t num_t; /* Number of Transforms */
343 };
344
345 /* 3.3.2. Transform Substructure */
346 struct ikev2_t {
347 struct isakmp_gen h;
348 uint8_t t_type; /* Transform Type (ENCR,PRF,INTEG,etc.*/
349 uint8_t res2; /* reserved byte */
350 uint16_t t_id; /* Transform ID */
351 };
352
353 enum ikev2_t_type {
354 IV2_T_ENCR = 1,
355 IV2_T_PRF = 2,
356 IV2_T_INTEG= 3,
357 IV2_T_DH = 4,
358 IV2_T_ESN = 5
359 };
360
361 /* 3.4. Key Exchange Payload */
362 struct ikev2_ke {
363 struct isakmp_gen h;
364 uint16_t ke_group;
365 uint16_t ke_res1;
366 /* KE data */
367 };
368
369
370 /* 3.5. Identification Payloads */
371 enum ikev2_id_type {
372 ID_IPV4_ADDR=1,
373 ID_FQDN=2,
374 ID_RFC822_ADDR=3,
375 ID_IPV6_ADDR=5,
376 ID_DER_ASN1_DN=9,
377 ID_DER_ASN1_GN=10,
378 ID_KEY_ID=11
379 };
380 struct ikev2_id {
381 struct isakmp_gen h;
382 uint8_t type; /* ID type */
383 uint8_t res1;
384 uint16_t res2;
385 /* SPI */
386 /* Notification Data */
387 };
388
389 /* 3.10 Notification Payload */
390 struct ikev2_n {
391 struct isakmp_gen h;
392 uint8_t prot_id; /* Protocol-ID */
393 uint8_t spi_size; /* SPI Size */
394 uint16_t type; /* Notify Message Type */
395 };
396
397 enum ikev2_n_type {
398 IV2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD = 1,
399 IV2_NOTIFY_INVALID_IKE_SPI = 4,
400 IV2_NOTIFY_INVALID_MAJOR_VERSION = 5,
401 IV2_NOTIFY_INVALID_SYNTAX = 7,
402 IV2_NOTIFY_INVALID_MESSAGE_ID = 9,
403 IV2_NOTIFY_INVALID_SPI =11,
404 IV2_NOTIFY_NO_PROPOSAL_CHOSEN =14,
405 IV2_NOTIFY_INVALID_KE_PAYLOAD =17,
406 IV2_NOTIFY_AUTHENTICATION_FAILED =24,
407 IV2_NOTIFY_SINGLE_PAIR_REQUIRED =34,
408 IV2_NOTIFY_NO_ADDITIONAL_SAS =35,
409 IV2_NOTIFY_INTERNAL_ADDRESS_FAILURE =36,
410 IV2_NOTIFY_FAILED_CP_REQUIRED =37,
411 IV2_NOTIFY_INVALID_SELECTORS =39,
412 IV2_NOTIFY_INITIAL_CONTACT =16384,
413 IV2_NOTIFY_SET_WINDOW_SIZE =16385,
414 IV2_NOTIFY_ADDITIONAL_TS_POSSIBLE =16386,
415 IV2_NOTIFY_IPCOMP_SUPPORTED =16387,
416 IV2_NOTIFY_NAT_DETECTION_SOURCE_IP =16388,
417 IV2_NOTIFY_NAT_DETECTION_DESTINATION_IP =16389,
418 IV2_NOTIFY_COOKIE =16390,
419 IV2_NOTIFY_USE_TRANSPORT_MODE =16391,
420 IV2_NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED =16392,
421 IV2_NOTIFY_REKEY_SA =16393,
422 IV2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED =16394,
423 IV2_NOTIFY_NON_FIRST_FRAGMENTS_ALSO =16395
424 };
425
426 struct notify_messages {
427 uint16_t type;
428 char *msg;
429 };
430
431 /* 3.8 Authentication Payload */
432 struct ikev2_auth {
433 struct isakmp_gen h;
434 uint8_t auth_method; /* Protocol-ID */
435 uint8_t reserved[3];
436 /* authentication data */
437 };
438
439 enum ikev2_auth_type {
440 IV2_RSA_SIG = 1,
441 IV2_SHARED = 2,
442 IV2_DSS_SIG = 3
443 };
444
445 /* refer to RFC 2409 */
446
447 #if 0
448 /* isakmp sa structure */
449 struct oakley_sa {
450 uint8_t proto_id; /* OAKLEY */
451 vchar_t *spi; /* spi */
452 uint8_t dhgrp; /* DH; group */
453 uint8_t auth_t; /* method of authentication */
454 uint8_t prf_t; /* type of prf */
455 uint8_t hash_t; /* type of hash */
456 uint8_t enc_t; /* type of cipher */
457 uint8_t life_t; /* type of duration of lifetime */
458 uint32_t ldur; /* life duration */
459 };
460 #endif
461
462 /* refer to RFC 2407 */
463
464 #define IPSEC_DOI 1
465
466 /* 4.2 IPSEC Situation Definition */
467 #define IPSECDOI_SIT_IDENTITY_ONLY 0x00000001
468 #define IPSECDOI_SIT_SECRECY 0x00000002
469 #define IPSECDOI_SIT_INTEGRITY 0x00000004
470
471 /* 4.4.1 IPSEC Security Protocol Identifiers */
472 /* 4.4.2 IPSEC ISAKMP Transform Values */
473 #define IPSECDOI_PROTO_ISAKMP 1
474 #define IPSECDOI_KEY_IKE 1
475
476 /* 4.4.1 IPSEC Security Protocol Identifiers */
477 #define IPSECDOI_PROTO_IPSEC_AH 2
478 /* 4.4.3 IPSEC AH Transform Values */
479 #define IPSECDOI_AH_MD5 2
480 #define IPSECDOI_AH_SHA 3
481 #define IPSECDOI_AH_DES 4
482 #define IPSECDOI_AH_SHA2_256 5
483 #define IPSECDOI_AH_SHA2_384 6
484 #define IPSECDOI_AH_SHA2_512 7
485
486 /* 4.4.1 IPSEC Security Protocol Identifiers */
487 #define IPSECDOI_PROTO_IPSEC_ESP 3
488 /* 4.4.4 IPSEC ESP Transform Identifiers */
489 #define IPSECDOI_ESP_DES_IV64 1
490 #define IPSECDOI_ESP_DES 2
491 #define IPSECDOI_ESP_3DES 3
492 #define IPSECDOI_ESP_RC5 4
493 #define IPSECDOI_ESP_IDEA 5
494 #define IPSECDOI_ESP_CAST 6
495 #define IPSECDOI_ESP_BLOWFISH 7
496 #define IPSECDOI_ESP_3IDEA 8
497 #define IPSECDOI_ESP_DES_IV32 9
498 #define IPSECDOI_ESP_RC4 10
499 #define IPSECDOI_ESP_NULL 11
500 #define IPSECDOI_ESP_RIJNDAEL 12
501 #define IPSECDOI_ESP_AES 12
502
503 /* 4.4.1 IPSEC Security Protocol Identifiers */
504 #define IPSECDOI_PROTO_IPCOMP 4
505 /* 4.4.5 IPSEC IPCOMP Transform Identifiers */
506 #define IPSECDOI_IPCOMP_OUI 1
507 #define IPSECDOI_IPCOMP_DEFLATE 2
508 #define IPSECDOI_IPCOMP_LZS 3
509
510 /* 4.5 IPSEC Security Association Attributes */
511 #define IPSECDOI_ATTR_SA_LTYPE 1 /* B */
512 #define IPSECDOI_ATTR_SA_LTYPE_DEFAULT 1
513 #define IPSECDOI_ATTR_SA_LTYPE_SEC 1
514 #define IPSECDOI_ATTR_SA_LTYPE_KB 2
515 #define IPSECDOI_ATTR_SA_LDUR 2 /* V */
516 #define IPSECDOI_ATTR_SA_LDUR_DEFAULT 28800 /* 8 hours */
517 #define IPSECDOI_ATTR_GRP_DESC 3 /* B */
518 #define IPSECDOI_ATTR_ENC_MODE 4 /* B */
519 /* default value: host dependent */
520 #define IPSECDOI_ATTR_ENC_MODE_TUNNEL 1
521 #define IPSECDOI_ATTR_ENC_MODE_TRNS 2
522 #define IPSECDOI_ATTR_AUTH 5 /* B */
523 /* 0 means not to use authentication. */
524 #define IPSECDOI_ATTR_AUTH_HMAC_MD5 1
525 #define IPSECDOI_ATTR_AUTH_HMAC_SHA1 2
526 #define IPSECDOI_ATTR_AUTH_DES_MAC 3
527 #define IPSECDOI_ATTR_AUTH_KPDK 4 /*RFC-1826(Key/Pad/Data/Key)*/
528 /*
529 * When negotiating ESP without authentication, the Auth
530 * Algorithm attribute MUST NOT be included in the proposal.
531 * When negotiating ESP without confidentiality, the Auth
532 * Algorithm attribute MUST be included in the proposal and
533 * the ESP transform ID must be ESP_NULL.
534 */
535 #define IPSECDOI_ATTR_KEY_LENGTH 6 /* B */
536 #define IPSECDOI_ATTR_KEY_ROUNDS 7 /* B */
537 #define IPSECDOI_ATTR_COMP_DICT_SIZE 8 /* B */
538 #define IPSECDOI_ATTR_COMP_PRIVALG 9 /* V */
539
540 /* 4.6.1 Security Association Payload */
541 struct ipsecdoi_sa {
542 struct isakmp_gen h;
543 uint32_t doi; /* Domain of Interpretation */
544 uint32_t sit; /* Situation */
545 };
546
547 struct ipsecdoi_secrecy_h {
548 uint16_t len;
549 uint16_t reserved;
550 };
551
552 /* 4.6.2.1 Identification Type Values */
553 struct ipsecdoi_id {
554 struct isakmp_gen h;
555 uint8_t type; /* ID Type */
556 uint8_t proto_id; /* Protocol ID */
557 uint16_t port; /* Port */
558 /* Identification Data */
559 };
560
561 #define IPSECDOI_ID_IPV4_ADDR 1
562 #define IPSECDOI_ID_FQDN 2
563 #define IPSECDOI_ID_USER_FQDN 3
564 #define IPSECDOI_ID_IPV4_ADDR_SUBNET 4
565 #define IPSECDOI_ID_IPV6_ADDR 5
566 #define IPSECDOI_ID_IPV6_ADDR_SUBNET 6
567 #define IPSECDOI_ID_IPV4_ADDR_RANGE 7
568 #define IPSECDOI_ID_IPV6_ADDR_RANGE 8
569 #define IPSECDOI_ID_DER_ASN1_DN 9
570 #define IPSECDOI_ID_DER_ASN1_GN 10
571 #define IPSECDOI_ID_KEY_ID 11
572
573 /* 4.6.3 IPSEC DOI Notify Message Types */
574 /* Notify Messages - Status Types */
575 #define IPSECDOI_NTYPE_RESPONDER_LIFETIME 24576
576 #define IPSECDOI_NTYPE_REPLAY_STATUS 24577
577 #define IPSECDOI_NTYPE_INITIAL_CONTACT 24578
578
579 #define DECLARE_PRINTER(func) static const u_char *ike##func##_print( \
580 netdissect_options *ndo, u_char tpay, \
581 const struct isakmp_gen *ext, \
582 u_int item_len, \
583 const u_char *end_pointer, \
584 uint32_t phase,\
585 uint32_t doi0, \
586 uint32_t proto0, int depth)
587
588 DECLARE_PRINTER(v1_sa);
589 DECLARE_PRINTER(v1_p);
590 DECLARE_PRINTER(v1_t);
591 DECLARE_PRINTER(v1_ke);
592 DECLARE_PRINTER(v1_id);
593 DECLARE_PRINTER(v1_cert);
594 DECLARE_PRINTER(v1_cr);
595 DECLARE_PRINTER(v1_sig);
596 DECLARE_PRINTER(v1_hash);
597 DECLARE_PRINTER(v1_nonce);
598 DECLARE_PRINTER(v1_n);
599 DECLARE_PRINTER(v1_d);
600 DECLARE_PRINTER(v1_vid);
601
602 DECLARE_PRINTER(v2_sa);
603 DECLARE_PRINTER(v2_ke);
604 DECLARE_PRINTER(v2_ID);
605 DECLARE_PRINTER(v2_cert);
606 DECLARE_PRINTER(v2_cr);
607 DECLARE_PRINTER(v2_auth);
608 DECLARE_PRINTER(v2_nonce);
609 DECLARE_PRINTER(v2_n);
610 DECLARE_PRINTER(v2_d);
611 DECLARE_PRINTER(v2_vid);
612 DECLARE_PRINTER(v2_TS);
613 DECLARE_PRINTER(v2_cp);
614 DECLARE_PRINTER(v2_eap);
615
616 static const u_char *ikev2_e_print(netdissect_options *ndo,
617 struct isakmp *base,
618 u_char tpay,
619 const struct isakmp_gen *ext,
620 u_int item_len,
621 const u_char *end_pointer,
622 uint32_t phase,
623 uint32_t doi0,
624 uint32_t proto0, int depth);
625
626
627 static const u_char *ike_sub0_print(netdissect_options *ndo,u_char, const struct isakmp_gen *,
628 const u_char *, uint32_t, uint32_t, uint32_t, int);
629 static const u_char *ikev1_sub_print(netdissect_options *ndo,u_char, const struct isakmp_gen *,
630 const u_char *, uint32_t, uint32_t, uint32_t, int);
631
632 static const u_char *ikev2_sub_print(netdissect_options *ndo,
633 struct isakmp *base,
634 u_char np, const struct isakmp_gen *ext,
635 const u_char *ep, uint32_t phase,
636 uint32_t doi, uint32_t proto,
637 int depth);
638
639
640 static char *numstr(int);
641
642 static void
643 ikev1_print(netdissect_options *ndo,
644 const u_char *bp, u_int length,
645 const u_char *bp2, struct isakmp *base);
646
647 #define MAXINITIATORS 20
648 static int ninitiator = 0;
649 union inaddr_u {
650 struct in_addr in4;
651 struct in6_addr in6;
652 };
653 static struct {
654 cookie_t initiator;
655 u_int version;
656 union inaddr_u iaddr;
657 union inaddr_u raddr;
658 } cookiecache[MAXINITIATORS];
659
660 /* protocol id */
661 static const char *protoidstr[] = {
662 NULL, "isakmp", "ipsec-ah", "ipsec-esp", "ipcomp",
663 };
664
665 /* isakmp->np */
666 static const char *npstr[] = {
667 "none", "sa", "p", "t", "ke", "id", "cert", "cr", "hash", /* 0 - 8 */
668 "sig", "nonce", "n", "d", "vid", /* 9 - 13 */
669 "pay14", "pay15", "pay16", "pay17", "pay18", /* 14- 18 */
670 "pay19", "pay20", "pay21", "pay22", "pay23", /* 19- 23 */
671 "pay24", "pay25", "pay26", "pay27", "pay28", /* 24- 28 */
672 "pay29", "pay30", "pay31", "pay32", /* 29- 32 */
673 "v2sa", "v2ke", "v2IDi", "v2IDr", "v2cert",/* 33- 37 */
674 "v2cr", "v2auth","v2nonce", "v2n", "v2d", /* 38- 42 */
675 "v2vid", "v2TSi", "v2TSr", "v2e", "v2cp", /* 43- 47 */
676 "v2eap", /* 48 */
677
678 };
679
680 /* isakmp->np */
681 static const u_char *(*npfunc[])(netdissect_options *ndo, u_char tpay,
682 const struct isakmp_gen *ext,
683 u_int item_len,
684 const u_char *end_pointer,
685 uint32_t phase,
686 uint32_t doi0,
687 uint32_t proto0, int depth) = {
688 NULL,
689 ikev1_sa_print,
690 ikev1_p_print,
691 ikev1_t_print,
692 ikev1_ke_print,
693 ikev1_id_print,
694 ikev1_cert_print,
695 ikev1_cr_print,
696 ikev1_hash_print,
697 ikev1_sig_print,
698 ikev1_nonce_print,
699 ikev1_n_print,
700 ikev1_d_print,
701 ikev1_vid_print, /* 13 */
702 NULL, NULL, NULL, NULL, NULL, /* 14- 18 */
703 NULL, NULL, NULL, NULL, NULL, /* 19- 23 */
704 NULL, NULL, NULL, NULL, NULL, /* 24- 28 */
705 NULL, NULL, NULL, NULL, /* 29- 32 */
706 ikev2_sa_print, /* 33 */
707 ikev2_ke_print, /* 34 */
708 ikev2_ID_print, /* 35 */
709 ikev2_ID_print, /* 36 */
710 ikev2_cert_print, /* 37 */
711 ikev2_cr_print, /* 38 */
712 ikev2_auth_print, /* 39 */
713 ikev2_nonce_print, /* 40 */
714 ikev2_n_print, /* 41 */
715 ikev2_d_print, /* 42 */
716 ikev2_vid_print, /* 43 */
717 ikev2_TS_print, /* 44 */
718 ikev2_TS_print, /* 45 */
719 NULL, /* ikev2_e_print,*/ /* 46 - special */
720 ikev2_cp_print, /* 47 */
721 ikev2_eap_print, /* 48 */
722 };
723
724 /* isakmp->etype */
725 static const char *etypestr[] = {
726 /* IKEv1 exchange types */
727 "none", "base", "ident", "auth", "agg", "inf", NULL, NULL, /* 0-7 */
728 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 8-15 */
729 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 16-23 */
730 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 24-31 */
731 "oakley-quick", "oakley-newgroup", /* 32-33 */
732 /* IKEv2 exchange types */
733 "ikev2_init", "ikev2_auth", "child_sa", "inf2" /* 34-37 */
734 };
735
736 #define STR_OR_ID(x, tab) \
737 (((x) < sizeof(tab)/sizeof(tab[0]) && tab[(x)]) ? tab[(x)] : numstr(x))
738 #define PROTOIDSTR(x) STR_OR_ID(x, protoidstr)
739 #define NPSTR(x) STR_OR_ID(x, npstr)
740 #define ETYPESTR(x) STR_OR_ID(x, etypestr)
741
742 #define CHECKLEN(p, np) \
743 if (ep < (const u_char *)(p)) { \
744 ND_PRINT((ndo," [|%s]", NPSTR(np))); \
745 goto done; \
746 }
747
748
749 #define NPFUNC(x) \
750 (((x) < sizeof(npfunc)/sizeof(npfunc[0]) && npfunc[(x)]) \
751 ? npfunc[(x)] : NULL)
752
753 static int
754 iszero(const u_char *p, size_t l)
755 {
756 while (l--) {
757 if (*p++)
758 return 0;
759 }
760 return 1;
761 }
762
763 /* find cookie from initiator cache */
764 static int
765 cookie_find(cookie_t *in)
766 {
767 int i;
768
769 for (i = 0; i < MAXINITIATORS; i++) {
770 if (memcmp(in, &cookiecache[i].initiator, sizeof(*in)) == 0)
771 return i;
772 }
773
774 return -1;
775 }
776
777 /* record initiator */
778 static void
779 cookie_record(cookie_t *in, const u_char *bp2)
780 {
781 int i;
782 const struct ip *ip;
783 const struct ip6_hdr *ip6;
784
785 i = cookie_find(in);
786 if (0 <= i) {
787 ninitiator = (i + 1) % MAXINITIATORS;
788 return;
789 }
790
791 ip = (const struct ip *)bp2;
792 switch (IP_V(ip)) {
793 case 4:
794 cookiecache[ninitiator].version = 4;
795 UNALIGNED_MEMCPY(&cookiecache[ninitiator].iaddr.in4, &ip->ip_src, sizeof(struct in_addr));
796 UNALIGNED_MEMCPY(&cookiecache[ninitiator].raddr.in4, &ip->ip_dst, sizeof(struct in_addr));
797 break;
798 case 6:
799 ip6 = (const struct ip6_hdr *)bp2;
800 cookiecache[ninitiator].version = 6;
801 UNALIGNED_MEMCPY(&cookiecache[ninitiator].iaddr.in6, &ip6->ip6_src, sizeof(struct in6_addr));
802 UNALIGNED_MEMCPY(&cookiecache[ninitiator].raddr.in6, &ip6->ip6_dst, sizeof(struct in6_addr));
803 break;
804 default:
805 return;
806 }
807 UNALIGNED_MEMCPY(&cookiecache[ninitiator].initiator, in, sizeof(*in));
808 ninitiator = (ninitiator + 1) % MAXINITIATORS;
809 }
810
811 #define cookie_isinitiator(x, y) cookie_sidecheck((x), (y), 1)
812 #define cookie_isresponder(x, y) cookie_sidecheck((x), (y), 0)
813 static int
814 cookie_sidecheck(int i, const u_char *bp2, int initiator)
815 {
816 const struct ip *ip;
817 const struct ip6_hdr *ip6;
818
819 ip = (const struct ip *)bp2;
820 switch (IP_V(ip)) {
821 case 4:
822 if (cookiecache[i].version != 4)
823 return 0;
824 if (initiator) {
825 if (UNALIGNED_MEMCMP(&ip->ip_src, &cookiecache[i].iaddr.in4, sizeof(struct in_addr)) == 0)
826 return 1;
827 } else {
828 if (UNALIGNED_MEMCMP(&ip->ip_src, &cookiecache[i].raddr.in4, sizeof(struct in_addr)) == 0)
829 return 1;
830 }
831 break;
832 case 6:
833 if (cookiecache[i].version != 6)
834 return 0;
835 ip6 = (const struct ip6_hdr *)bp2;
836 if (initiator) {
837 if (UNALIGNED_MEMCMP(&ip6->ip6_src, &cookiecache[i].iaddr.in6, sizeof(struct in6_addr)) == 0)
838 return 1;
839 } else {
840 if (UNALIGNED_MEMCMP(&ip6->ip6_src, &cookiecache[i].raddr.in6, sizeof(struct in6_addr)) == 0)
841 return 1;
842 }
843 break;
844 default:
845 break;
846 }
847
848 return 0;
849 }
850
851 static void
852 hexprint(netdissect_options *ndo, const uint8_t *loc, size_t len)
853 {
854 const uint8_t *p;
855 size_t i;
856
857 p = loc;
858 for (i = 0; i < len; i++)
859 ND_PRINT((ndo,"%02x", p[i] & 0xff));
860 }
861
862 static int
863 rawprint(netdissect_options *ndo, const uint8_t *loc, size_t len)
864 {
865 ND_TCHECK2(*loc, len);
866
867 hexprint(ndo, loc, len);
868 return 1;
869 trunc:
870 return 0;
871 }
872
873
874 /*
875 * returns false if we run out of data buffer
876 */
877 static int ike_show_somedata(netdissect_options *ndo,
878 const u_char *cp, const u_char *ep)
879 {
880 /* there is too much data, just show some of it */
881 const u_char *end = ep - 20;
882 int elen = 20;
883 int len = ep - cp;
884 if(len > 10) {
885 len = 10;
886 }
887
888 /* really shouldn't happen because of above */
889 if(end < cp + len) {
890 end = cp+len;
891 elen = ep - end;
892 }
893
894 ND_PRINT((ndo," data=("));
895 if(!rawprint(ndo, (const uint8_t *)(cp), len)) goto trunc;
896 ND_PRINT((ndo, "..."));
897 if(elen) {
898 if(!rawprint(ndo, (const uint8_t *)(end), elen)) goto trunc;
899 }
900 ND_PRINT((ndo,")"));
901 return 1;
902
903 trunc:
904 return 0;
905 }
906
907 struct attrmap {
908 const char *type;
909 u_int nvalue;
910 const char *value[30]; /*XXX*/
911 };
912
913 static const u_char *
914 ikev1_attrmap_print(netdissect_options *ndo,
915 const u_char *p, const u_char *ep2,
916 const struct attrmap *map, size_t nmap)
917 {
918 int totlen;
919 uint32_t t, v;
920
921 ND_TCHECK(p[0]);
922 if (p[0] & 0x80)
923 totlen = 4;
924 else {
925 ND_TCHECK_16BITS(&p[2]);
926 totlen = 4 + EXTRACT_16BITS(&p[2]);
927 }
928 if (ep2 < p + totlen) {
929 ND_PRINT((ndo,"[|attr]"));
930 return ep2 + 1;
931 }
932
933 ND_TCHECK_16BITS(&p[0]);
934 ND_PRINT((ndo,"("));
935 t = EXTRACT_16BITS(&p[0]) & 0x7fff;
936 if (map && t < nmap && map[t].type)
937 ND_PRINT((ndo,"type=%s ", map[t].type));
938 else
939 ND_PRINT((ndo,"type=#%d ", t));
940 if (p[0] & 0x80) {
941 ND_PRINT((ndo,"value="));
942 ND_TCHECK_16BITS(&p[2]);
943 v = EXTRACT_16BITS(&p[2]);
944 if (map && t < nmap && v < map[t].nvalue && map[t].value[v])
945 ND_PRINT((ndo,"%s", map[t].value[v]));
946 else {
947 if (!rawprint(ndo, (const uint8_t *)&p[2], 2)) {
948 ND_PRINT((ndo,")"));
949 goto trunc;
950 }
951 }
952 } else {
953 ND_PRINT((ndo,"len=%d value=", totlen - 4));
954 if (!rawprint(ndo, (const uint8_t *)&p[4], totlen - 4)) {
955 ND_PRINT((ndo,")"));
956 goto trunc;
957 }
958 }
959 ND_PRINT((ndo,")"));
960 return p + totlen;
961
962 trunc:
963 return NULL;
964 }
965
966 static const u_char *
967 ikev1_attr_print(netdissect_options *ndo, const u_char *p, const u_char *ep2)
968 {
969 int totlen;
970 uint32_t t;
971
972 ND_TCHECK(p[0]);
973 if (p[0] & 0x80)
974 totlen = 4;
975 else {
976 ND_TCHECK_16BITS(&p[2]);
977 totlen = 4 + EXTRACT_16BITS(&p[2]);
978 }
979 if (ep2 < p + totlen) {
980 ND_PRINT((ndo,"[|attr]"));
981 return ep2 + 1;
982 }
983
984 ND_TCHECK_16BITS(&p[0]);
985 ND_PRINT((ndo,"("));
986 t = EXTRACT_16BITS(&p[0]) & 0x7fff;
987 ND_PRINT((ndo,"type=#%d ", t));
988 if (p[0] & 0x80) {
989 ND_PRINT((ndo,"value="));
990 t = p[2];
991 if (!rawprint(ndo, (const uint8_t *)&p[2], 2)) {
992 ND_PRINT((ndo,")"));
993 goto trunc;
994 }
995 } else {
996 ND_PRINT((ndo,"len=%d value=", totlen - 4));
997 if (!rawprint(ndo, (const uint8_t *)&p[4], totlen - 4)) {
998 ND_PRINT((ndo,")"));
999 goto trunc;
1000 }
1001 }
1002 ND_PRINT((ndo,")"));
1003 return p + totlen;
1004
1005 trunc:
1006 return NULL;
1007 }
1008
1009 static const u_char *
1010 ikev1_sa_print(netdissect_options *ndo, u_char tpay _U_,
1011 const struct isakmp_gen *ext,
1012 u_int item_len _U_,
1013 const u_char *ep, uint32_t phase, uint32_t doi0 _U_,
1014 uint32_t proto0, int depth)
1015 {
1016 const struct ikev1_pl_sa *p;
1017 struct ikev1_pl_sa sa;
1018 uint32_t doi, sit, ident;
1019 const u_char *cp, *np;
1020 int t;
1021
1022 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_SA)));
1023
1024 p = (const struct ikev1_pl_sa *)ext;
1025 ND_TCHECK(*p);
1026 UNALIGNED_MEMCPY(&sa, ext, sizeof(sa));
1027 doi = ntohl(sa.doi);
1028 sit = ntohl(sa.sit);
1029 if (doi != 1) {
1030 ND_PRINT((ndo," doi=%d", doi));
1031 ND_PRINT((ndo," situation=%u", (uint32_t)ntohl(sa.sit)));
1032 return (const u_char *)(p + 1);
1033 }
1034
1035 ND_PRINT((ndo," doi=ipsec"));
1036 ND_PRINT((ndo," situation="));
1037 t = 0;
1038 if (sit & 0x01) {
1039 ND_PRINT((ndo,"identity"));
1040 t++;
1041 }
1042 if (sit & 0x02) {
1043 ND_PRINT((ndo,"%ssecrecy", t ? "+" : ""));
1044 t++;
1045 }
1046 if (sit & 0x04)
1047 ND_PRINT((ndo,"%sintegrity", t ? "+" : ""));
1048
1049 np = (const u_char *)ext + sizeof(sa);
1050 if (sit != 0x01) {
1051 ND_TCHECK2(*(ext + 1), sizeof(ident));
1052 UNALIGNED_MEMCPY(&ident, ext + 1, sizeof(ident));
1053 ND_PRINT((ndo," ident=%u", (uint32_t)ntohl(ident)));
1054 np += sizeof(ident);
1055 }
1056
1057 ext = (const struct isakmp_gen *)np;
1058 ND_TCHECK(*ext);
1059
1060 cp = ikev1_sub_print(ndo, ISAKMP_NPTYPE_P, ext, ep, phase, doi, proto0,
1061 depth);
1062
1063 return cp;
1064 trunc:
1065 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_SA)));
1066 return NULL;
1067 }
1068
1069 static const u_char *
1070 ikev1_p_print(netdissect_options *ndo, u_char tpay _U_,
1071 const struct isakmp_gen *ext, u_int item_len _U_,
1072 const u_char *ep, uint32_t phase, uint32_t doi0,
1073 uint32_t proto0 _U_, int depth)
1074 {
1075 const struct ikev1_pl_p *p;
1076 struct ikev1_pl_p prop;
1077 const u_char *cp;
1078
1079 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_P)));
1080
1081 p = (const struct ikev1_pl_p *)ext;
1082 ND_TCHECK(*p);
1083 UNALIGNED_MEMCPY(&prop, ext, sizeof(prop));
1084 ND_PRINT((ndo," #%d protoid=%s transform=%d",
1085 prop.p_no, PROTOIDSTR(prop.prot_id), prop.num_t));
1086 if (prop.spi_size) {
1087 ND_PRINT((ndo," spi="));
1088 if (!rawprint(ndo, (const uint8_t *)(p + 1), prop.spi_size))
1089 goto trunc;
1090 }
1091
1092 ext = (const struct isakmp_gen *)((const u_char *)(p + 1) + prop.spi_size);
1093 ND_TCHECK(*ext);
1094
1095 cp = ikev1_sub_print(ndo, ISAKMP_NPTYPE_T, ext, ep, phase, doi0,
1096 prop.prot_id, depth);
1097
1098 return cp;
1099 trunc:
1100 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_P)));
1101 return NULL;
1102 }
1103
1104 static const char *ikev1_p_map[] = {
1105 NULL, "ike",
1106 };
1107
1108 static const char *ikev2_t_type_map[]={
1109 NULL, "encr", "prf", "integ", "dh", "esn"
1110 };
1111
1112 static const char *ah_p_map[] = {
1113 NULL, "(reserved)", "md5", "sha", "1des",
1114 "sha2-256", "sha2-384", "sha2-512",
1115 };
1116
1117 static const char *prf_p_map[] = {
1118 NULL, "hmac-md5", "hmac-sha", "hmac-tiger",
1119 "aes128_xcbc"
1120 };
1121
1122 static const char *integ_p_map[] = {
1123 NULL, "hmac-md5", "hmac-sha", "dec-mac",
1124 "kpdk-md5", "aes-xcbc"
1125 };
1126
1127 static const char *esn_p_map[] = {
1128 "no-esn", "esn"
1129 };
1130
1131 static const char *dh_p_map[] = {
1132 NULL, "modp768",
1133 "modp1024", /* group 2 */
1134 "EC2N 2^155", /* group 3 */
1135 "EC2N 2^185", /* group 4 */
1136 "modp1536", /* group 5 */
1137 "iana-grp06", "iana-grp07", /* reserved */
1138 "iana-grp08", "iana-grp09",
1139 "iana-grp10", "iana-grp11",
1140 "iana-grp12", "iana-grp13",
1141 "modp2048", /* group 14 */
1142 "modp3072", /* group 15 */
1143 "modp4096", /* group 16 */
1144 "modp6144", /* group 17 */
1145 "modp8192", /* group 18 */
1146 };
1147
1148 static const char *esp_p_map[] = {
1149 NULL, "1des-iv64", "1des", "3des", "rc5", "idea", "cast",
1150 "blowfish", "3idea", "1des-iv32", "rc4", "null", "aes"
1151 };
1152
1153 static const char *ipcomp_p_map[] = {
1154 NULL, "oui", "deflate", "lzs",
1155 };
1156
1157 static const struct attrmap ipsec_t_map[] = {
1158 { NULL, 0, { NULL } },
1159 { "lifetype", 3, { NULL, "sec", "kb", }, },
1160 { "life", 0, { NULL } },
1161 { "group desc", 18, { NULL, "modp768",
1162 "modp1024", /* group 2 */
1163 "EC2N 2^155", /* group 3 */
1164 "EC2N 2^185", /* group 4 */
1165 "modp1536", /* group 5 */
1166 "iana-grp06", "iana-grp07", /* reserved */
1167 "iana-grp08", "iana-grp09",
1168 "iana-grp10", "iana-grp11",
1169 "iana-grp12", "iana-grp13",
1170 "modp2048", /* group 14 */
1171 "modp3072", /* group 15 */
1172 "modp4096", /* group 16 */
1173 "modp6144", /* group 17 */
1174 "modp8192", /* group 18 */
1175 }, },
1176 { "enc mode", 3, { NULL, "tunnel", "transport", }, },
1177 { "auth", 5, { NULL, "hmac-md5", "hmac-sha1", "1des-mac", "keyed", }, },
1178 { "keylen", 0, { NULL } },
1179 { "rounds", 0, { NULL } },
1180 { "dictsize", 0, { NULL } },
1181 { "privalg", 0, { NULL } },
1182 };
1183
1184 static const struct attrmap encr_t_map[] = {
1185 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 0, 1 */
1186 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 2, 3 */
1187 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 4, 5 */
1188 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 6, 7 */
1189 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 8, 9 */
1190 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 10,11*/
1191 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 12,13*/
1192 { "keylen", 14, { NULL }},
1193 };
1194
1195 static const struct attrmap oakley_t_map[] = {
1196 { NULL, 0, { NULL } },
1197 { "enc", 8, { NULL, "1des", "idea", "blowfish", "rc5",
1198 "3des", "cast", "aes", }, },
1199 { "hash", 7, { NULL, "md5", "sha1", "tiger",
1200 "sha2-256", "sha2-384", "sha2-512", }, },
1201 { "auth", 6, { NULL, "preshared", "dss", "rsa sig", "rsa enc",
1202 "rsa enc revised", }, },
1203 { "group desc", 18, { NULL, "modp768",
1204 "modp1024", /* group 2 */
1205 "EC2N 2^155", /* group 3 */
1206 "EC2N 2^185", /* group 4 */
1207 "modp1536", /* group 5 */
1208 "iana-grp06", "iana-grp07", /* reserved */
1209 "iana-grp08", "iana-grp09",
1210 "iana-grp10", "iana-grp11",
1211 "iana-grp12", "iana-grp13",
1212 "modp2048", /* group 14 */
1213 "modp3072", /* group 15 */
1214 "modp4096", /* group 16 */
1215 "modp6144", /* group 17 */
1216 "modp8192", /* group 18 */
1217 }, },
1218 { "group type", 4, { NULL, "MODP", "ECP", "EC2N", }, },
1219 { "group prime", 0, { NULL } },
1220 { "group gen1", 0, { NULL } },
1221 { "group gen2", 0, { NULL } },
1222 { "group curve A", 0, { NULL } },
1223 { "group curve B", 0, { NULL } },
1224 { "lifetype", 3, { NULL, "sec", "kb", }, },
1225 { "lifeduration", 0, { NULL } },
1226 { "prf", 0, { NULL } },
1227 { "keylen", 0, { NULL } },
1228 { "field", 0, { NULL } },
1229 { "order", 0, { NULL } },
1230 };
1231
1232 static const u_char *
1233 ikev1_t_print(netdissect_options *ndo, u_char tpay _U_,
1234 const struct isakmp_gen *ext, u_int item_len,
1235 const u_char *ep, uint32_t phase _U_, uint32_t doi _U_,
1236 uint32_t proto, int depth _U_)
1237 {
1238 const struct ikev1_pl_t *p;
1239 struct ikev1_pl_t t;
1240 const u_char *cp;
1241 const char *idstr;
1242 const struct attrmap *map;
1243 size_t nmap;
1244 const u_char *ep2;
1245
1246 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_T)));
1247
1248 p = (const struct ikev1_pl_t *)ext;
1249 ND_TCHECK(*p);
1250 UNALIGNED_MEMCPY(&t, ext, sizeof(t));
1251
1252 switch (proto) {
1253 case 1:
1254 idstr = STR_OR_ID(t.t_id, ikev1_p_map);
1255 map = oakley_t_map;
1256 nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]);
1257 break;
1258 case 2:
1259 idstr = STR_OR_ID(t.t_id, ah_p_map);
1260 map = ipsec_t_map;
1261 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
1262 break;
1263 case 3:
1264 idstr = STR_OR_ID(t.t_id, esp_p_map);
1265 map = ipsec_t_map;
1266 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
1267 break;
1268 case 4:
1269 idstr = STR_OR_ID(t.t_id, ipcomp_p_map);
1270 map = ipsec_t_map;
1271 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
1272 break;
1273 default:
1274 idstr = NULL;
1275 map = NULL;
1276 nmap = 0;
1277 break;
1278 }
1279
1280 if (idstr)
1281 ND_PRINT((ndo," #%d id=%s ", t.t_no, idstr));
1282 else
1283 ND_PRINT((ndo," #%d id=%d ", t.t_no, t.t_id));
1284 cp = (const u_char *)(p + 1);
1285 ep2 = (const u_char *)p + item_len;
1286 while (cp < ep && cp < ep2) {
1287 if (map && nmap)
1288 cp = ikev1_attrmap_print(ndo, cp, ep2, map, nmap);
1289 else
1290 cp = ikev1_attr_print(ndo, cp, ep2);
1291 if (cp == NULL)
1292 goto trunc;
1293 }
1294 if (ep < ep2)
1295 ND_PRINT((ndo,"..."));
1296 return cp;
1297 trunc:
1298 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_T)));
1299 return NULL;
1300 }
1301
1302 static const u_char *
1303 ikev1_ke_print(netdissect_options *ndo, u_char tpay _U_,
1304 const struct isakmp_gen *ext, u_int item_len _U_,
1305 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_,
1306 uint32_t proto _U_, int depth _U_)
1307 {
1308 struct isakmp_gen e;
1309
1310 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_KE)));
1311
1312 ND_TCHECK(*ext);
1313 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1314 ND_PRINT((ndo," key len=%d", ntohs(e.len) - 4));
1315 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1316 ND_PRINT((ndo," "));
1317 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
1318 goto trunc;
1319 }
1320 return (const u_char *)ext + ntohs(e.len);
1321 trunc:
1322 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_KE)));
1323 return NULL;
1324 }
1325
1326 static const u_char *
1327 ikev1_id_print(netdissect_options *ndo, u_char tpay _U_,
1328 const struct isakmp_gen *ext, u_int item_len,
1329 const u_char *ep _U_, uint32_t phase, uint32_t doi _U_,
1330 uint32_t proto _U_, int depth _U_)
1331 {
1332 #define USE_IPSECDOI_IN_PHASE1 1
1333 const struct ikev1_pl_id *p;
1334 struct ikev1_pl_id id;
1335 static const char *idtypestr[] = {
1336 "IPv4", "IPv4net", "IPv6", "IPv6net",
1337 };
1338 static const char *ipsecidtypestr[] = {
1339 NULL, "IPv4", "FQDN", "user FQDN", "IPv4net", "IPv6",
1340 "IPv6net", "IPv4range", "IPv6range", "ASN1 DN", "ASN1 GN",
1341 "keyid",
1342 };
1343 int len;
1344 const u_char *data;
1345
1346 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_ID)));
1347
1348 p = (const struct ikev1_pl_id *)ext;
1349 ND_TCHECK(*p);
1350 UNALIGNED_MEMCPY(&id, ext, sizeof(id));
1351 if (sizeof(*p) < item_len) {
1352 data = (const u_char *)(p + 1);
1353 len = item_len - sizeof(*p);
1354 } else {
1355 data = NULL;
1356 len = 0;
1357 }
1358
1359 #if 0 /*debug*/
1360 ND_PRINT((ndo," [phase=%d doi=%d proto=%d]", phase, doi, proto));
1361 #endif
1362 switch (phase) {
1363 #ifndef USE_IPSECDOI_IN_PHASE1
1364 case 1:
1365 #endif
1366 default:
1367 ND_PRINT((ndo," idtype=%s", STR_OR_ID(id.d.id_type, idtypestr)));
1368 ND_PRINT((ndo," doi_data=%u",
1369 (uint32_t)(ntohl(id.d.doi_data) & 0xffffff)));
1370 break;
1371
1372 #ifdef USE_IPSECDOI_IN_PHASE1
1373 case 1:
1374 #endif
1375 case 2:
1376 {
1377 const struct ipsecdoi_id *doi_p;
1378 struct ipsecdoi_id doi_id;
1379 const char *p_name;
1380
1381 doi_p = (const struct ipsecdoi_id *)ext;
1382 ND_TCHECK(*doi_p);
1383 UNALIGNED_MEMCPY(&doi_id, ext, sizeof(doi_id));
1384 ND_PRINT((ndo," idtype=%s", STR_OR_ID(doi_id.type, ipsecidtypestr)));
1385 /* A protocol ID of 0 DOES NOT mean IPPROTO_IP! */
1386 if (!ndo->ndo_nflag && doi_id.proto_id && (p_name = netdb_protoname(doi_id.proto_id)) != NULL)
1387 ND_PRINT((ndo," protoid=%s", p_name));
1388 else
1389 ND_PRINT((ndo," protoid=%u", doi_id.proto_id));
1390 ND_PRINT((ndo," port=%d", ntohs(doi_id.port)));
1391 if (!len)
1392 break;
1393 if (data == NULL)
1394 goto trunc;
1395 ND_TCHECK2(*data, len);
1396 switch (doi_id.type) {
1397 case IPSECDOI_ID_IPV4_ADDR:
1398 if (len < 4)
1399 ND_PRINT((ndo," len=%d [bad: < 4]", len));
1400 else
1401 ND_PRINT((ndo," len=%d %s", len, ipaddr_string(ndo, data)));
1402 len = 0;
1403 break;
1404 case IPSECDOI_ID_FQDN:
1405 case IPSECDOI_ID_USER_FQDN:
1406 {
1407 int i;
1408 ND_PRINT((ndo," len=%d ", len));
1409 for (i = 0; i < len; i++)
1410 safeputchar(ndo, data[i]);
1411 len = 0;
1412 break;
1413 }
1414 case IPSECDOI_ID_IPV4_ADDR_SUBNET:
1415 {
1416 const u_char *mask;
1417 if (len < 8)
1418 ND_PRINT((ndo," len=%d [bad: < 8]", len));
1419 else {
1420 mask = data + sizeof(struct in_addr);
1421 ND_PRINT((ndo," len=%d %s/%u.%u.%u.%u", len,
1422 ipaddr_string(ndo, data),
1423 mask[0], mask[1], mask[2], mask[3]));
1424 }
1425 len = 0;
1426 break;
1427 }
1428 case IPSECDOI_ID_IPV6_ADDR:
1429 if (len < 16)
1430 ND_PRINT((ndo," len=%d [bad: < 16]", len));
1431 else
1432 ND_PRINT((ndo," len=%d %s", len, ip6addr_string(ndo, data)));
1433 len = 0;
1434 break;
1435 case IPSECDOI_ID_IPV6_ADDR_SUBNET:
1436 {
1437 const u_char *mask;
1438 if (len < 32)
1439 ND_PRINT((ndo," len=%d [bad: < 32]", len));
1440 else {
1441 mask = (const u_char *)(data + sizeof(struct in6_addr));
1442 /*XXX*/
1443 ND_PRINT((ndo," len=%d %s/0x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x", len,
1444 ip6addr_string(ndo, data),
1445 mask[0], mask[1], mask[2], mask[3],
1446 mask[4], mask[5], mask[6], mask[7],
1447 mask[8], mask[9], mask[10], mask[11],
1448 mask[12], mask[13], mask[14], mask[15]));
1449 }
1450 len = 0;
1451 break;
1452 }
1453 case IPSECDOI_ID_IPV4_ADDR_RANGE:
1454 if (len < 8)
1455 ND_PRINT((ndo," len=%d [bad: < 8]", len));
1456 else {
1457 ND_PRINT((ndo," len=%d %s-%s", len,
1458 ipaddr_string(ndo, data),
1459 ipaddr_string(ndo, data + sizeof(struct in_addr))));
1460 }
1461 len = 0;
1462 break;
1463 case IPSECDOI_ID_IPV6_ADDR_RANGE:
1464 if (len < 32)
1465 ND_PRINT((ndo," len=%d [bad: < 32]", len));
1466 else {
1467 ND_PRINT((ndo," len=%d %s-%s", len,
1468 ip6addr_string(ndo, data),
1469 ip6addr_string(ndo, data + sizeof(struct in6_addr))));
1470 }
1471 len = 0;
1472 break;
1473 case IPSECDOI_ID_DER_ASN1_DN:
1474 case IPSECDOI_ID_DER_ASN1_GN:
1475 case IPSECDOI_ID_KEY_ID:
1476 break;
1477 }
1478 break;
1479 }
1480 }
1481 if (data && len) {
1482 ND_PRINT((ndo," len=%d", len));
1483 if (2 < ndo->ndo_vflag) {
1484 ND_PRINT((ndo," "));
1485 if (!rawprint(ndo, (const uint8_t *)data, len))
1486 goto trunc;
1487 }
1488 }
1489 return (const u_char *)ext + item_len;
1490 trunc:
1491 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_ID)));
1492 return NULL;
1493 }
1494
1495 static const u_char *
1496 ikev1_cert_print(netdissect_options *ndo, u_char tpay _U_,
1497 const struct isakmp_gen *ext, u_int item_len,
1498 const u_char *ep _U_, uint32_t phase _U_,
1499 uint32_t doi0 _U_,
1500 uint32_t proto0 _U_, int depth _U_)
1501 {
1502 const struct ikev1_pl_cert *p;
1503 struct ikev1_pl_cert cert;
1504 static const char *certstr[] = {
1505 "none", "pkcs7", "pgp", "dns",
1506 "x509sign", "x509ke", "kerberos", "crl",
1507 "arl", "spki", "x509attr",
1508 };
1509
1510 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_CERT)));
1511
1512 p = (const struct ikev1_pl_cert *)ext;
1513 ND_TCHECK(*p);
1514 UNALIGNED_MEMCPY(&cert, ext, sizeof(cert));
1515 ND_PRINT((ndo," len=%d", item_len - 4));
1516 ND_PRINT((ndo," type=%s", STR_OR_ID((cert.encode), certstr)));
1517 if (2 < ndo->ndo_vflag && 4 < item_len) {
1518 ND_PRINT((ndo," "));
1519 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1520 goto trunc;
1521 }
1522 return (const u_char *)ext + item_len;
1523 trunc:
1524 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_CERT)));
1525 return NULL;
1526 }
1527
1528 static const u_char *
1529 ikev1_cr_print(netdissect_options *ndo, u_char tpay _U_,
1530 const struct isakmp_gen *ext, u_int item_len,
1531 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi0 _U_,
1532 uint32_t proto0 _U_, int depth _U_)
1533 {
1534 const struct ikev1_pl_cert *p;
1535 struct ikev1_pl_cert cert;
1536 static const char *certstr[] = {
1537 "none", "pkcs7", "pgp", "dns",
1538 "x509sign", "x509ke", "kerberos", "crl",
1539 "arl", "spki", "x509attr",
1540 };
1541
1542 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_CR)));
1543
1544 p = (const struct ikev1_pl_cert *)ext;
1545 ND_TCHECK(*p);
1546 UNALIGNED_MEMCPY(&cert, ext, sizeof(cert));
1547 ND_PRINT((ndo," len=%d", item_len - 4));
1548 ND_PRINT((ndo," type=%s", STR_OR_ID((cert.encode), certstr)));
1549 if (2 < ndo->ndo_vflag && 4 < item_len) {
1550 ND_PRINT((ndo," "));
1551 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1552 goto trunc;
1553 }
1554 return (const u_char *)ext + item_len;
1555 trunc:
1556 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_CR)));
1557 return NULL;
1558 }
1559
1560 static const u_char *
1561 ikev1_hash_print(netdissect_options *ndo, u_char tpay _U_,
1562 const struct isakmp_gen *ext, u_int item_len _U_,
1563 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_,
1564 uint32_t proto _U_, int depth _U_)
1565 {
1566 struct isakmp_gen e;
1567
1568 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_HASH)));
1569
1570 ND_TCHECK(*ext);
1571 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1572 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
1573 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1574 ND_PRINT((ndo," "));
1575 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
1576 goto trunc;
1577 }
1578 return (const u_char *)ext + ntohs(e.len);
1579 trunc:
1580 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_HASH)));
1581 return NULL;
1582 }
1583
1584 static const u_char *
1585 ikev1_sig_print(netdissect_options *ndo, u_char tpay _U_,
1586 const struct isakmp_gen *ext, u_int item_len _U_,
1587 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_,
1588 uint32_t proto _U_, int depth _U_)
1589 {
1590 struct isakmp_gen e;
1591
1592 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_SIG)));
1593
1594 ND_TCHECK(*ext);
1595 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1596 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
1597 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1598 ND_PRINT((ndo," "));
1599 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
1600 goto trunc;
1601 }
1602 return (const u_char *)ext + ntohs(e.len);
1603 trunc:
1604 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_SIG)));
1605 return NULL;
1606 }
1607
1608 static const u_char *
1609 ikev1_nonce_print(netdissect_options *ndo, u_char tpay _U_,
1610 const struct isakmp_gen *ext,
1611 u_int item_len _U_,
1612 const u_char *ep,
1613 uint32_t phase _U_, uint32_t doi _U_,
1614 uint32_t proto _U_, int depth _U_)
1615 {
1616 struct isakmp_gen e;
1617
1618 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_NONCE)));
1619
1620 ND_TCHECK(*ext);
1621 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1622 /*
1623 * Our caller has ensured that the length is >= 4.
1624 */
1625 ND_PRINT((ndo," n len=%u", ntohs(e.len) - 4));
1626 if (ntohs(e.len) > 4) {
1627 if (ndo->ndo_vflag > 2) {
1628 ND_PRINT((ndo, " "));
1629 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
1630 goto trunc;
1631 } else if (ndo->ndo_vflag > 1) {
1632 ND_PRINT((ndo, " "));
1633 if (!ike_show_somedata(ndo, (const u_char *)(ext + 1), ep))
1634 goto trunc;
1635 }
1636 }
1637 return (const u_char *)ext + ntohs(e.len);
1638 trunc:
1639 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_NONCE)));
1640 return NULL;
1641 }
1642
1643 static const u_char *
1644 ikev1_n_print(netdissect_options *ndo, u_char tpay _U_,
1645 const struct isakmp_gen *ext, u_int item_len,
1646 const u_char *ep, uint32_t phase _U_, uint32_t doi0 _U_,
1647 uint32_t proto0 _U_, int depth _U_)
1648 {
1649 const struct ikev1_pl_n *p;
1650 struct ikev1_pl_n n;
1651 const u_char *cp;
1652 const u_char *ep2;
1653 uint32_t doi;
1654 uint32_t proto;
1655 static const char *notify_error_str[] = {
1656 NULL, "INVALID-PAYLOAD-TYPE",
1657 "DOI-NOT-SUPPORTED", "SITUATION-NOT-SUPPORTED",
1658 "INVALID-COOKIE", "INVALID-MAJOR-VERSION",
1659 "INVALID-MINOR-VERSION", "INVALID-EXCHANGE-TYPE",
1660 "INVALID-FLAGS", "INVALID-MESSAGE-ID",
1661 "INVALID-PROTOCOL-ID", "INVALID-SPI",
1662 "INVALID-TRANSFORM-ID", "ATTRIBUTES-NOT-SUPPORTED",
1663 "NO-PROPOSAL-CHOSEN", "BAD-PROPOSAL-SYNTAX",
1664 "PAYLOAD-MALFORMED", "INVALID-KEY-INFORMATION",
1665 "INVALID-ID-INFORMATION", "INVALID-CERT-ENCODING",
1666 "INVALID-CERTIFICATE", "CERT-TYPE-UNSUPPORTED",
1667 "INVALID-CERT-AUTHORITY", "INVALID-HASH-INFORMATION",
1668 "AUTHENTICATION-FAILED", "INVALID-SIGNATURE",
1669 "ADDRESS-NOTIFICATION", "NOTIFY-SA-LIFETIME",
1670 "CERTIFICATE-UNAVAILABLE", "UNSUPPORTED-EXCHANGE-TYPE",
1671 "UNEQUAL-PAYLOAD-LENGTHS",
1672 };
1673 static const char *ipsec_notify_error_str[] = {
1674 "RESERVED",
1675 };
1676 static const char *notify_status_str[] = {
1677 "CONNECTED",
1678 };
1679 static const char *ipsec_notify_status_str[] = {
1680 "RESPONDER-LIFETIME", "REPLAY-STATUS",
1681 "INITIAL-CONTACT",
1682 };
1683 /* NOTE: these macro must be called with x in proper range */
1684
1685 /* 0 - 8191 */
1686 #define NOTIFY_ERROR_STR(x) \
1687 STR_OR_ID((x), notify_error_str)
1688
1689 /* 8192 - 16383 */
1690 #define IPSEC_NOTIFY_ERROR_STR(x) \
1691 STR_OR_ID((u_int)((x) - 8192), ipsec_notify_error_str)
1692
1693 /* 16384 - 24575 */
1694 #define NOTIFY_STATUS_STR(x) \
1695 STR_OR_ID((u_int)((x) - 16384), notify_status_str)
1696
1697 /* 24576 - 32767 */
1698 #define IPSEC_NOTIFY_STATUS_STR(x) \
1699 STR_OR_ID((u_int)((x) - 24576), ipsec_notify_status_str)
1700
1701 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_N)));
1702
1703 p = (const struct ikev1_pl_n *)ext;
1704 ND_TCHECK(*p);
1705 UNALIGNED_MEMCPY(&n, ext, sizeof(n));
1706 doi = ntohl(n.doi);
1707 proto = n.prot_id;
1708 if (doi != 1) {
1709 ND_PRINT((ndo," doi=%d", doi));
1710 ND_PRINT((ndo," proto=%d", proto));
1711 if (ntohs(n.type) < 8192)
1712 ND_PRINT((ndo," type=%s", NOTIFY_ERROR_STR(ntohs(n.type))));
1713 else if (ntohs(n.type) < 16384)
1714 ND_PRINT((ndo," type=%s", numstr(ntohs(n.type))));
1715 else if (ntohs(n.type) < 24576)
1716 ND_PRINT((ndo," type=%s", NOTIFY_STATUS_STR(ntohs(n.type))));
1717 else
1718 ND_PRINT((ndo," type=%s", numstr(ntohs(n.type))));
1719 if (n.spi_size) {
1720 ND_PRINT((ndo," spi="));
1721 if (!rawprint(ndo, (const uint8_t *)(p + 1), n.spi_size))
1722 goto trunc;
1723 }
1724 return (const u_char *)(p + 1) + n.spi_size;
1725 }
1726
1727 ND_PRINT((ndo," doi=ipsec"));
1728 ND_PRINT((ndo," proto=%s", PROTOIDSTR(proto)));
1729 if (ntohs(n.type) < 8192)
1730 ND_PRINT((ndo," type=%s", NOTIFY_ERROR_STR(ntohs(n.type))));
1731 else if (ntohs(n.type) < 16384)
1732 ND_PRINT((ndo," type=%s", IPSEC_NOTIFY_ERROR_STR(ntohs(n.type))));
1733 else if (ntohs(n.type) < 24576)
1734 ND_PRINT((ndo," type=%s", NOTIFY_STATUS_STR(ntohs(n.type))));
1735 else if (ntohs(n.type) < 32768)
1736 ND_PRINT((ndo," type=%s", IPSEC_NOTIFY_STATUS_STR(ntohs(n.type))));
1737 else
1738 ND_PRINT((ndo," type=%s", numstr(ntohs(n.type))));
1739 if (n.spi_size) {
1740 ND_PRINT((ndo," spi="));
1741 if (!rawprint(ndo, (const uint8_t *)(p + 1), n.spi_size))
1742 goto trunc;
1743 }
1744
1745 cp = (const u_char *)(p + 1) + n.spi_size;
1746 ep2 = (const u_char *)p + item_len;
1747
1748 if (cp < ep) {
1749 switch (ntohs(n.type)) {
1750 case IPSECDOI_NTYPE_RESPONDER_LIFETIME:
1751 {
1752 const struct attrmap *map = oakley_t_map;
1753 size_t nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]);
1754 ND_PRINT((ndo," attrs=("));
1755 while (cp < ep && cp < ep2) {
1756 cp = ikev1_attrmap_print(ndo, cp, ep2, map, nmap);
1757 if (cp == NULL) {
1758 ND_PRINT((ndo,")"));
1759 goto trunc;
1760 }
1761 }
1762 ND_PRINT((ndo,")"));
1763 break;
1764 }
1765 case IPSECDOI_NTYPE_REPLAY_STATUS:
1766 ND_PRINT((ndo," status=("));
1767 ND_PRINT((ndo,"replay detection %sabled",
1768 EXTRACT_32BITS(cp) ? "en" : "dis"));
1769 ND_PRINT((ndo,")"));
1770 break;
1771 default:
1772 /*
1773 * XXX - fill in more types here; see, for example,
1774 * draft-ietf-ipsec-notifymsg-04.
1775 */
1776 if (ndo->ndo_vflag > 3) {
1777 ND_PRINT((ndo," data=("));
1778 if (!rawprint(ndo, (const uint8_t *)(cp), ep - cp))
1779 goto trunc;
1780 ND_PRINT((ndo,")"));
1781 } else {
1782 if (!ike_show_somedata(ndo, cp, ep))
1783 goto trunc;
1784 }
1785 break;
1786 }
1787 }
1788 return (const u_char *)ext + item_len;
1789 trunc:
1790 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_N)));
1791 return NULL;
1792 }
1793
1794 static const u_char *
1795 ikev1_d_print(netdissect_options *ndo, u_char tpay _U_,
1796 const struct isakmp_gen *ext, u_int item_len _U_,
1797 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi0 _U_,
1798 uint32_t proto0 _U_, int depth _U_)
1799 {
1800 const struct ikev1_pl_d *p;
1801 struct ikev1_pl_d d;
1802 const uint8_t *q;
1803 uint32_t doi;
1804 uint32_t proto;
1805 int i;
1806
1807 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_D)));
1808
1809 p = (const struct ikev1_pl_d *)ext;
1810 ND_TCHECK(*p);
1811 UNALIGNED_MEMCPY(&d, ext, sizeof(d));
1812 doi = ntohl(d.doi);
1813 proto = d.prot_id;
1814 if (doi != 1) {
1815 ND_PRINT((ndo," doi=%u", doi));
1816 ND_PRINT((ndo," proto=%u", proto));
1817 } else {
1818 ND_PRINT((ndo," doi=ipsec"));
1819 ND_PRINT((ndo," proto=%s", PROTOIDSTR(proto)));
1820 }
1821 ND_PRINT((ndo," spilen=%u", d.spi_size));
1822 ND_PRINT((ndo," nspi=%u", ntohs(d.num_spi)));
1823 ND_PRINT((ndo," spi="));
1824 q = (const uint8_t *)(p + 1);
1825 for (i = 0; i < ntohs(d.num_spi); i++) {
1826 if (i != 0)
1827 ND_PRINT((ndo,","));
1828 if (!rawprint(ndo, (const uint8_t *)q, d.spi_size))
1829 goto trunc;
1830 q += d.spi_size;
1831 }
1832 return q;
1833 trunc:
1834 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_D)));
1835 return NULL;
1836 }
1837
1838 static const u_char *
1839 ikev1_vid_print(netdissect_options *ndo, u_char tpay _U_,
1840 const struct isakmp_gen *ext,
1841 u_int item_len _U_, const u_char *ep _U_,
1842 uint32_t phase _U_, uint32_t doi _U_,
1843 uint32_t proto _U_, int depth _U_)
1844 {
1845 struct isakmp_gen e;
1846
1847 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_VID)));
1848
1849 ND_TCHECK(*ext);
1850 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1851 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
1852 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1853 ND_PRINT((ndo," "));
1854 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
1855 goto trunc;
1856 }
1857 return (const u_char *)ext + ntohs(e.len);
1858 trunc:
1859 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_VID)));
1860 return NULL;
1861 }
1862
1863 /************************************************************/
1864 /* */
1865 /* IKE v2 - rfc4306 - dissector */
1866 /* */
1867 /************************************************************/
1868
1869 static void
1870 ikev2_pay_print(netdissect_options *ndo, const char *payname, int critical)
1871 {
1872 ND_PRINT((ndo,"%s%s:", payname, critical&0x80 ? "[C]" : ""));
1873 }
1874
1875 static const u_char *
1876 ikev2_gen_print(netdissect_options *ndo, u_char tpay,
1877 const struct isakmp_gen *ext)
1878 {
1879 struct isakmp_gen e;
1880
1881 ND_TCHECK(*ext);
1882 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1883 ikev2_pay_print(ndo, NPSTR(tpay), e.critical);
1884
1885 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
1886 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1887 ND_PRINT((ndo," "));
1888 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
1889 goto trunc;
1890 }
1891 return (const u_char *)ext + ntohs(e.len);
1892 trunc:
1893 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
1894 return NULL;
1895 }
1896
1897 static const u_char *
1898 ikev2_t_print(netdissect_options *ndo, int tcount,
1899 const struct isakmp_gen *ext, u_int item_len,
1900 const u_char *ep)
1901 {
1902 const struct ikev2_t *p;
1903 struct ikev2_t t;
1904 uint16_t t_id;
1905 const u_char *cp;
1906 const char *idstr;
1907 const struct attrmap *map;
1908 size_t nmap;
1909 const u_char *ep2;
1910
1911 p = (const struct ikev2_t *)ext;
1912 ND_TCHECK(*p);
1913 UNALIGNED_MEMCPY(&t, ext, sizeof(t));
1914 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_T), t.h.critical);
1915
1916 t_id = ntohs(t.t_id);
1917
1918 map = NULL;
1919 nmap = 0;
1920
1921 switch (t.t_type) {
1922 case IV2_T_ENCR:
1923 idstr = STR_OR_ID(t_id, esp_p_map);
1924 map = encr_t_map;
1925 nmap = sizeof(encr_t_map)/sizeof(encr_t_map[0]);
1926 break;
1927
1928 case IV2_T_PRF:
1929 idstr = STR_OR_ID(t_id, prf_p_map);
1930 break;
1931
1932 case IV2_T_INTEG:
1933 idstr = STR_OR_ID(t_id, integ_p_map);
1934 break;
1935
1936 case IV2_T_DH:
1937 idstr = STR_OR_ID(t_id, dh_p_map);
1938 break;
1939
1940 case IV2_T_ESN:
1941 idstr = STR_OR_ID(t_id, esn_p_map);
1942 break;
1943
1944 default:
1945 idstr = NULL;
1946 break;
1947 }
1948
1949 if (idstr)
1950 ND_PRINT((ndo," #%u type=%s id=%s ", tcount,
1951 STR_OR_ID(t.t_type, ikev2_t_type_map),
1952 idstr));
1953 else
1954 ND_PRINT((ndo," #%u type=%s id=%u ", tcount,
1955 STR_OR_ID(t.t_type, ikev2_t_type_map),
1956 t.t_id));
1957 cp = (const u_char *)(p + 1);
1958 ep2 = (const u_char *)p + item_len;
1959 while (cp < ep && cp < ep2) {
1960 if (map && nmap) {
1961 cp = ikev1_attrmap_print(ndo, cp, ep2, map, nmap);
1962 } else
1963 cp = ikev1_attr_print(ndo, cp, ep2);
1964 if (cp == NULL)
1965 goto trunc;
1966 }
1967 if (ep < ep2)
1968 ND_PRINT((ndo,"..."));
1969 return cp;
1970 trunc:
1971 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_T)));
1972 return NULL;
1973 }
1974
1975 static const u_char *
1976 ikev2_p_print(netdissect_options *ndo, u_char tpay _U_, int pcount _U_,
1977 const struct isakmp_gen *ext, u_int oprop_length,
1978 const u_char *ep, int depth)
1979 {
1980 const struct ikev2_p *p;
1981 struct ikev2_p prop;
1982 u_int prop_length;
1983 const u_char *cp;
1984 int i;
1985 int tcount;
1986 u_char np;
1987 struct isakmp_gen e;
1988 u_int item_len;
1989
1990 p = (const struct ikev2_p *)ext;
1991 ND_TCHECK(*p);
1992 UNALIGNED_MEMCPY(&prop, ext, sizeof(prop));
1993
1994 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_P), prop.h.critical);
1995
1996 /*
1997 * ikev2_sa_print() guarantees that this is >= 4.
1998 */
1999 prop_length = oprop_length - 4;
2000 ND_PRINT((ndo," #%u protoid=%s transform=%d len=%u",
2001 prop.p_no, PROTOIDSTR(prop.prot_id),
2002 prop.num_t, oprop_length));
2003 cp = (const u_char *)(p + 1);
2004
2005 if (prop.spi_size) {
2006 if (prop_length < prop.spi_size)
2007 goto toolong;
2008 ND_PRINT((ndo," spi="));
2009 if (!rawprint(ndo, (const uint8_t *)cp, prop.spi_size))
2010 goto trunc;
2011 cp += prop.spi_size;
2012 prop_length -= prop.spi_size;
2013 }
2014
2015 /*
2016 * Print the transforms.
2017 */
2018 tcount = 0;
2019 for (np = ISAKMP_NPTYPE_T; np != 0; np = e.np) {
2020 tcount++;
2021 ext = (const struct isakmp_gen *)cp;
2022 if (prop_length < sizeof(*ext))
2023 goto toolong;
2024 ND_TCHECK(*ext);
2025
2026 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2027
2028 /*
2029 * Since we can't have a payload length of less than 4 bytes,
2030 * we need to bail out here if the generic header is nonsensical
2031 * or truncated, otherwise we could loop forever processing
2032 * zero-length items or otherwise misdissect the packet.
2033 */
2034 item_len = ntohs(e.len);
2035 if (item_len <= 4)
2036 goto trunc;
2037
2038 if (prop_length < item_len)
2039 goto toolong;
2040 ND_TCHECK2(*cp, item_len);
2041
2042 depth++;
2043 ND_PRINT((ndo,"\n"));
2044 for (i = 0; i < depth; i++)
2045 ND_PRINT((ndo," "));
2046 ND_PRINT((ndo,"("));
2047 if (np == ISAKMP_NPTYPE_T) {
2048 cp = ikev2_t_print(ndo, tcount, ext, item_len, ep);
2049 if (cp == NULL) {
2050 /* error, already reported */
2051 return NULL;
2052 }
2053 } else {
2054 ND_PRINT((ndo, "%s", NPSTR(np)));
2055 cp += item_len;
2056 }
2057 ND_PRINT((ndo,")"));
2058 depth--;
2059 prop_length -= item_len;
2060 }
2061 return cp;
2062 toolong:
2063 /*
2064 * Skip the rest of the proposal.
2065 */
2066 cp += prop_length;
2067 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_P)));
2068 return cp;
2069 trunc:
2070 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_P)));
2071 return NULL;
2072 }
2073
2074 static const u_char *
2075 ikev2_sa_print(netdissect_options *ndo, u_char tpay,
2076 const struct isakmp_gen *ext1,
2077 u_int osa_length, const u_char *ep,
2078 uint32_t phase _U_, uint32_t doi _U_,
2079 uint32_t proto _U_, int depth)
2080 {
2081 const struct isakmp_gen *ext;
2082 struct isakmp_gen e;
2083 u_int sa_length;
2084 const u_char *cp;
2085 int i;
2086 int pcount;
2087 u_char np;
2088 u_int item_len;
2089
2090 ND_TCHECK(*ext1);
2091 UNALIGNED_MEMCPY(&e, ext1, sizeof(e));
2092 ikev2_pay_print(ndo, "sa", e.critical);
2093
2094 /*
2095 * ikev2_sub0_print() guarantees that this is >= 4.
2096 */
2097 osa_length= ntohs(e.len);
2098 sa_length = osa_length - 4;
2099 ND_PRINT((ndo," len=%d", sa_length));
2100
2101 /*
2102 * Print the payloads.
2103 */
2104 cp = (const u_char *)(ext1 + 1);
2105 pcount = 0;
2106 for (np = ISAKMP_NPTYPE_P; np != 0; np = e.np) {
2107 pcount++;
2108 ext = (const struct isakmp_gen *)cp;
2109 if (sa_length < sizeof(*ext))
2110 goto toolong;
2111 ND_TCHECK(*ext);
2112
2113 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2114
2115 /*
2116 * Since we can't have a payload length of less than 4 bytes,
2117 * we need to bail out here if the generic header is nonsensical
2118 * or truncated, otherwise we could loop forever processing
2119 * zero-length items or otherwise misdissect the packet.
2120 */
2121 item_len = ntohs(e.len);
2122 if (item_len <= 4)
2123 goto trunc;
2124
2125 if (sa_length < item_len)
2126 goto toolong;
2127 ND_TCHECK2(*cp, item_len);
2128
2129 depth++;
2130 ND_PRINT((ndo,"\n"));
2131 for (i = 0; i < depth; i++)
2132 ND_PRINT((ndo," "));
2133 ND_PRINT((ndo,"("));
2134 if (np == ISAKMP_NPTYPE_P) {
2135 cp = ikev2_p_print(ndo, np, pcount, ext, item_len,
2136 ep, depth);
2137 if (cp == NULL) {
2138 /* error, already reported */
2139 return NULL;
2140 }
2141 } else {
2142 ND_PRINT((ndo, "%s", NPSTR(np)));
2143 cp += item_len;
2144 }
2145 ND_PRINT((ndo,")"));
2146 depth--;
2147 sa_length -= item_len;
2148 }
2149 return cp;
2150 toolong:
2151 /*
2152 * Skip the rest of the SA.
2153 */
2154 cp += sa_length;
2155 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2156 return cp;
2157 trunc:
2158 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2159 return NULL;
2160 }
2161
2162 static const u_char *
2163 ikev2_ke_print(netdissect_options *ndo, u_char tpay,
2164 const struct isakmp_gen *ext,
2165 u_int item_len _U_, const u_char *ep _U_,
2166 uint32_t phase _U_, uint32_t doi _U_,
2167 uint32_t proto _U_, int depth _U_)
2168 {
2169 struct ikev2_ke ke;
2170 const struct ikev2_ke *k;
2171
2172 k = (const struct ikev2_ke *)ext;
2173 ND_TCHECK(*ext);
2174 UNALIGNED_MEMCPY(&ke, ext, sizeof(ke));
2175 ikev2_pay_print(ndo, NPSTR(tpay), ke.h.critical);
2176
2177 ND_PRINT((ndo," len=%u group=%s", ntohs(ke.h.len) - 8,
2178 STR_OR_ID(ntohs(ke.ke_group), dh_p_map)));
2179
2180 if (2 < ndo->ndo_vflag && 8 < ntohs(ke.h.len)) {
2181 ND_PRINT((ndo," "));
2182 if (!rawprint(ndo, (const uint8_t *)(k + 1), ntohs(ke.h.len) - 8))
2183 goto trunc;
2184 }
2185 return (const u_char *)ext + ntohs(ke.h.len);
2186 trunc:
2187 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2188 return NULL;
2189 }
2190
2191 static const u_char *
2192 ikev2_ID_print(netdissect_options *ndo, u_char tpay,
2193 const struct isakmp_gen *ext,
2194 u_int item_len _U_, const u_char *ep _U_,
2195 uint32_t phase _U_, uint32_t doi _U_,
2196 uint32_t proto _U_, int depth _U_)
2197 {
2198 struct ikev2_id id;
2199 int id_len, idtype_len, i;
2200 unsigned int dumpascii, dumphex;
2201 const unsigned char *typedata;
2202
2203 ND_TCHECK(*ext);
2204 UNALIGNED_MEMCPY(&id, ext, sizeof(id));
2205 ikev2_pay_print(ndo, NPSTR(tpay), id.h.critical);
2206
2207 id_len = ntohs(id.h.len);
2208
2209 ND_PRINT((ndo," len=%d", id_len - 4));
2210 if (2 < ndo->ndo_vflag && 4 < id_len) {
2211 ND_PRINT((ndo," "));
2212 if (!rawprint(ndo, (const uint8_t *)(ext + 1), id_len - 4))
2213 goto trunc;
2214 }
2215
2216 idtype_len =id_len - sizeof(struct ikev2_id);
2217 dumpascii = 0;
2218 dumphex = 0;
2219 typedata = (const unsigned char *)(ext)+sizeof(struct ikev2_id);
2220
2221 switch(id.type) {
2222 case ID_IPV4_ADDR:
2223 ND_PRINT((ndo, " ipv4:"));
2224 dumphex=1;
2225 break;
2226 case ID_FQDN:
2227 ND_PRINT((ndo, " fqdn:"));
2228 dumpascii=1;
2229 break;
2230 case ID_RFC822_ADDR:
2231 ND_PRINT((ndo, " rfc822:"));
2232 dumpascii=1;
2233 break;
2234 case ID_IPV6_ADDR:
2235 ND_PRINT((ndo, " ipv6:"));
2236 dumphex=1;
2237 break;
2238 case ID_DER_ASN1_DN:
2239 ND_PRINT((ndo, " dn:"));
2240 dumphex=1;
2241 break;
2242 case ID_DER_ASN1_GN:
2243 ND_PRINT((ndo, " gn:"));
2244 dumphex=1;
2245 break;
2246 case ID_KEY_ID:
2247 ND_PRINT((ndo, " keyid:"));
2248 dumphex=1;
2249 break;
2250 }
2251
2252 if(dumpascii) {
2253 ND_TCHECK2(*typedata, idtype_len);
2254 for(i=0; i<idtype_len; i++) {
2255 if(ND_ISPRINT(typedata[i])) {
2256 ND_PRINT((ndo, "%c", typedata[i]));
2257 } else {
2258 ND_PRINT((ndo, "."));
2259 }
2260 }
2261 }
2262 if(dumphex) {
2263 if (!rawprint(ndo, (const uint8_t *)typedata, idtype_len))
2264 goto trunc;
2265 }
2266
2267 return (const u_char *)ext + id_len;
2268 trunc:
2269 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2270 return NULL;
2271 }
2272
2273 static const u_char *
2274 ikev2_cert_print(netdissect_options *ndo, u_char tpay,
2275 const struct isakmp_gen *ext,
2276 u_int item_len _U_, const u_char *ep _U_,
2277 uint32_t phase _U_, uint32_t doi _U_,
2278 uint32_t proto _U_, int depth _U_)
2279 {
2280 return ikev2_gen_print(ndo, tpay, ext);
2281 }
2282
2283 static const u_char *
2284 ikev2_cr_print(netdissect_options *ndo, u_char tpay,
2285 const struct isakmp_gen *ext,
2286 u_int item_len _U_, const u_char *ep _U_,
2287 uint32_t phase _U_, uint32_t doi _U_,
2288 uint32_t proto _U_, int depth _U_)
2289 {
2290 return ikev2_gen_print(ndo, tpay, ext);
2291 }
2292
2293 static const u_char *
2294 ikev2_auth_print(netdissect_options *ndo, u_char tpay,
2295 const struct isakmp_gen *ext,
2296 u_int item_len _U_, const u_char *ep,
2297 uint32_t phase _U_, uint32_t doi _U_,
2298 uint32_t proto _U_, int depth _U_)
2299 {
2300 struct ikev2_auth a;
2301 const char *v2_auth[]={ "invalid", "rsasig",
2302 "shared-secret", "dsssig" };
2303 const u_char *authdata = (const u_char*)ext + sizeof(a);
2304 unsigned int len;
2305
2306 ND_TCHECK(*ext);
2307 UNALIGNED_MEMCPY(&a, ext, sizeof(a));
2308 ikev2_pay_print(ndo, NPSTR(tpay), a.h.critical);
2309 len = ntohs(a.h.len);
2310
2311 /*
2312 * Our caller has ensured that the length is >= 4.
2313 */
2314 ND_PRINT((ndo," len=%u method=%s", len-4,
2315 STR_OR_ID(a.auth_method, v2_auth)));
2316 if (len > 4) {
2317 if (ndo->ndo_vflag > 1) {
2318 ND_PRINT((ndo, " authdata=("));
2319 if (!rawprint(ndo, (const uint8_t *)authdata, len - sizeof(a)))
2320 goto trunc;
2321 ND_PRINT((ndo, ") "));
2322 } else if (ndo->ndo_vflag) {
2323 if (!ike_show_somedata(ndo, authdata, ep))
2324 goto trunc;
2325 }
2326 }
2327
2328 return (const u_char *)ext + len;
2329 trunc:
2330 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2331 return NULL;
2332 }
2333
2334 static const u_char *
2335 ikev2_nonce_print(netdissect_options *ndo, u_char tpay,
2336 const struct isakmp_gen *ext,
2337 u_int item_len _U_, const u_char *ep,
2338 uint32_t phase _U_, uint32_t doi _U_,
2339 uint32_t proto _U_, int depth _U_)
2340 {
2341 struct isakmp_gen e;
2342
2343 ND_TCHECK(*ext);
2344 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2345 ikev2_pay_print(ndo, "nonce", e.critical);
2346
2347 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
2348 if (1 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
2349 ND_PRINT((ndo," nonce=("));
2350 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
2351 goto trunc;
2352 ND_PRINT((ndo,") "));
2353 } else if(ndo->ndo_vflag && 4 < ntohs(e.len)) {
2354 if(!ike_show_somedata(ndo, (const u_char *)(ext+1), ep)) goto trunc;
2355 }
2356
2357 return (const u_char *)ext + ntohs(e.len);
2358 trunc:
2359 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2360 return NULL;
2361 }
2362
2363 /* notify payloads */
2364 static const u_char *
2365 ikev2_n_print(netdissect_options *ndo, u_char tpay _U_,
2366 const struct isakmp_gen *ext,
2367 u_int item_len, const u_char *ep,
2368 uint32_t phase _U_, uint32_t doi _U_,
2369 uint32_t proto _U_, int depth _U_)
2370 {
2371 const struct ikev2_n *p;
2372 struct ikev2_n n;
2373 const u_char *cp;
2374 u_char showspi, showsomedata;
2375 const char *notify_name;
2376 uint32_t type;
2377
2378 p = (const struct ikev2_n *)ext;
2379 ND_TCHECK(*p);
2380 UNALIGNED_MEMCPY(&n, ext, sizeof(n));
2381 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_N), n.h.critical);
2382
2383 showspi = 1;
2384 showsomedata=0;
2385 notify_name=NULL;
2386
2387 ND_PRINT((ndo," prot_id=%s", PROTOIDSTR(n.prot_id)));
2388
2389 type = ntohs(n.type);
2390
2391 /* notify space is annoying sparse */
2392 switch(type) {
2393 case IV2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD:
2394 notify_name = "unsupported_critical_payload";
2395 showspi = 0;
2396 break;
2397
2398 case IV2_NOTIFY_INVALID_IKE_SPI:
2399 notify_name = "invalid_ike_spi";
2400 showspi = 1;
2401 break;
2402
2403 case IV2_NOTIFY_INVALID_MAJOR_VERSION:
2404 notify_name = "invalid_major_version";
2405 showspi = 0;
2406 break;
2407
2408 case IV2_NOTIFY_INVALID_SYNTAX:
2409 notify_name = "invalid_syntax";
2410 showspi = 1;
2411 break;
2412
2413 case IV2_NOTIFY_INVALID_MESSAGE_ID:
2414 notify_name = "invalid_message_id";
2415 showspi = 1;
2416 break;
2417
2418 case IV2_NOTIFY_INVALID_SPI:
2419 notify_name = "invalid_spi";
2420 showspi = 1;
2421 break;
2422
2423 case IV2_NOTIFY_NO_PROPOSAL_CHOSEN:
2424 notify_name = "no_protocol_chosen";
2425 showspi = 1;
2426 break;
2427
2428 case IV2_NOTIFY_INVALID_KE_PAYLOAD:
2429 notify_name = "invalid_ke_payload";
2430 showspi = 1;
2431 break;
2432
2433 case IV2_NOTIFY_AUTHENTICATION_FAILED:
2434 notify_name = "authentication_failed";
2435 showspi = 1;
2436 break;
2437
2438 case IV2_NOTIFY_SINGLE_PAIR_REQUIRED:
2439 notify_name = "single_pair_required";
2440 showspi = 1;
2441 break;
2442
2443 case IV2_NOTIFY_NO_ADDITIONAL_SAS:
2444 notify_name = "no_additional_sas";
2445 showspi = 0;
2446 break;
2447
2448 case IV2_NOTIFY_INTERNAL_ADDRESS_FAILURE:
2449 notify_name = "internal_address_failure";
2450 showspi = 0;
2451 break;
2452
2453 case IV2_NOTIFY_FAILED_CP_REQUIRED:
2454 notify_name = "failed:cp_required";
2455 showspi = 0;
2456 break;
2457
2458 case IV2_NOTIFY_INVALID_SELECTORS:
2459 notify_name = "invalid_selectors";
2460 showspi = 0;
2461 break;
2462
2463 case IV2_NOTIFY_INITIAL_CONTACT:
2464 notify_name = "initial_contact";
2465 showspi = 0;
2466 break;
2467
2468 case IV2_NOTIFY_SET_WINDOW_SIZE:
2469 notify_name = "set_window_size";
2470 showspi = 0;
2471 break;
2472
2473 case IV2_NOTIFY_ADDITIONAL_TS_POSSIBLE:
2474 notify_name = "additional_ts_possible";
2475 showspi = 0;
2476 break;
2477
2478 case IV2_NOTIFY_IPCOMP_SUPPORTED:
2479 notify_name = "ipcomp_supported";
2480 showspi = 0;
2481 break;
2482
2483 case IV2_NOTIFY_NAT_DETECTION_SOURCE_IP:
2484 notify_name = "nat_detection_source_ip";
2485 showspi = 1;
2486 break;
2487
2488 case IV2_NOTIFY_NAT_DETECTION_DESTINATION_IP:
2489 notify_name = "nat_detection_destination_ip";
2490 showspi = 1;
2491 break;
2492
2493 case IV2_NOTIFY_COOKIE:
2494 notify_name = "cookie";
2495 showspi = 1;
2496 showsomedata= 1;
2497 break;
2498
2499 case IV2_NOTIFY_USE_TRANSPORT_MODE:
2500 notify_name = "use_transport_mode";
2501 showspi = 0;
2502 break;
2503
2504 case IV2_NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED:
2505 notify_name = "http_cert_lookup_supported";
2506 showspi = 0;
2507 break;
2508
2509 case IV2_NOTIFY_REKEY_SA:
2510 notify_name = "rekey_sa";
2511 showspi = 1;
2512 break;
2513
2514 case IV2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED:
2515 notify_name = "tfc_padding_not_supported";
2516 showspi = 0;
2517 break;
2518
2519 case IV2_NOTIFY_NON_FIRST_FRAGMENTS_ALSO:
2520 notify_name = "non_first_fragment_also";
2521 showspi = 0;
2522 break;
2523
2524 default:
2525 if (type < 8192) {
2526 notify_name="error";
2527 } else if(type < 16384) {
2528 notify_name="private-error";
2529 } else if(type < 40960) {
2530 notify_name="status";
2531 } else {
2532 notify_name="private-status";
2533 }
2534 }
2535
2536 if(notify_name) {
2537 ND_PRINT((ndo," type=%u(%s)", type, notify_name));
2538 }
2539
2540
2541 if (showspi && n.spi_size) {
2542 ND_PRINT((ndo," spi="));
2543 if (!rawprint(ndo, (const uint8_t *)(p + 1), n.spi_size))
2544 goto trunc;
2545 }
2546
2547 cp = (const u_char *)(p + 1) + n.spi_size;
2548
2549 if (cp < ep) {
2550 if (ndo->ndo_vflag > 3 || (showsomedata && ep-cp < 30)) {
2551 ND_PRINT((ndo," data=("));
2552 if (!rawprint(ndo, (const uint8_t *)(cp), ep - cp))
2553 goto trunc;
2554
2555 ND_PRINT((ndo,")"));
2556 } else if (showsomedata) {
2557 if (!ike_show_somedata(ndo, cp, ep))
2558 goto trunc;
2559 }
2560 }
2561
2562 return (const u_char *)ext + item_len;
2563 trunc:
2564 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_N)));
2565 return NULL;
2566 }
2567
2568 static const u_char *
2569 ikev2_d_print(netdissect_options *ndo, u_char tpay,
2570 const struct isakmp_gen *ext,
2571 u_int item_len _U_, const u_char *ep _U_,
2572 uint32_t phase _U_, uint32_t doi _U_,
2573 uint32_t proto _U_, int depth _U_)
2574 {
2575 return ikev2_gen_print(ndo, tpay, ext);
2576 }
2577
2578 static const u_char *
2579 ikev2_vid_print(netdissect_options *ndo, u_char tpay,
2580 const struct isakmp_gen *ext,
2581 u_int item_len _U_, const u_char *ep _U_,
2582 uint32_t phase _U_, uint32_t doi _U_,
2583 uint32_t proto _U_, int depth _U_)
2584 {
2585 struct isakmp_gen e;
2586 const u_char *vid;
2587 int i, len;
2588
2589 ND_TCHECK(*ext);
2590 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2591 ikev2_pay_print(ndo, NPSTR(tpay), e.critical);
2592 ND_PRINT((ndo," len=%d vid=", ntohs(e.len) - 4));
2593
2594 vid = (const u_char *)(ext+1);
2595 len = ntohs(e.len) - 4;
2596 ND_TCHECK2(*vid, len);
2597 for(i=0; i<len; i++) {
2598 if(ND_ISPRINT(vid[i])) ND_PRINT((ndo, "%c", vid[i]));
2599 else ND_PRINT((ndo, "."));
2600 }
2601 if (2 < ndo->ndo_vflag && 4 < len) {
2602 ND_PRINT((ndo," "));
2603 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
2604 goto trunc;
2605 }
2606 return (const u_char *)ext + ntohs(e.len);
2607 trunc:
2608 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2609 return NULL;
2610 }
2611
2612 static const u_char *
2613 ikev2_TS_print(netdissect_options *ndo, u_char tpay,
2614 const struct isakmp_gen *ext,
2615 u_int item_len _U_, const u_char *ep _U_,
2616 uint32_t phase _U_, uint32_t doi _U_,
2617 uint32_t proto _U_, int depth _U_)
2618 {
2619 return ikev2_gen_print(ndo, tpay, ext);
2620 }
2621
2622 static const u_char *
2623 ikev2_e_print(netdissect_options *ndo,
2624 #ifndef HAVE_LIBCRYPTO
2625 _U_
2626 #endif
2627 struct isakmp *base,
2628 u_char tpay,
2629 const struct isakmp_gen *ext,
2630 u_int item_len _U_, const u_char *ep _U_,
2631 #ifndef HAVE_LIBCRYPTO
2632 _U_
2633 #endif
2634 uint32_t phase,
2635 #ifndef HAVE_LIBCRYPTO
2636 _U_
2637 #endif
2638 uint32_t doi,
2639 #ifndef HAVE_LIBCRYPTO
2640 _U_
2641 #endif
2642 uint32_t proto,
2643 #ifndef HAVE_LIBCRYPTO
2644 _U_
2645 #endif
2646 int depth)
2647 {
2648 struct isakmp_gen e;
2649 const u_char *dat;
2650 volatile int dlen;
2651
2652 ND_TCHECK(*ext);
2653 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2654 ikev2_pay_print(ndo, NPSTR(tpay), e.critical);
2655
2656 dlen = ntohs(e.len)-4;
2657
2658 ND_PRINT((ndo," len=%d", dlen));
2659 if (2 < ndo->ndo_vflag && 4 < dlen) {
2660 ND_PRINT((ndo," "));
2661 if (!rawprint(ndo, (const uint8_t *)(ext + 1), dlen))
2662 goto trunc;
2663 }
2664
2665 dat = (const u_char *)(ext+1);
2666 ND_TCHECK2(*dat, dlen);
2667
2668 #ifdef HAVE_LIBCRYPTO
2669 /* try to decypt it! */
2670 if(esp_print_decrypt_buffer_by_ikev2(ndo,
2671 base->flags & ISAKMP_FLAG_I,
2672 base->i_ck, base->r_ck,
2673 dat, dat+dlen)) {
2674
2675 ext = (const struct isakmp_gen *)ndo->ndo_packetp;
2676
2677 /* got it decrypted, print stuff inside. */
2678 ikev2_sub_print(ndo, base, e.np, ext, ndo->ndo_snapend,
2679 phase, doi, proto, depth+1);
2680 }
2681 #endif
2682
2683
2684 /* always return NULL, because E must be at end, and NP refers
2685 * to what was inside.
2686 */
2687 return NULL;
2688 trunc:
2689 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2690 return NULL;
2691 }
2692
2693 static const u_char *
2694 ikev2_cp_print(netdissect_options *ndo, u_char tpay,
2695 const struct isakmp_gen *ext,
2696 u_int item_len _U_, const u_char *ep _U_,
2697 uint32_t phase _U_, uint32_t doi _U_,
2698 uint32_t proto _U_, int depth _U_)
2699 {
2700 return ikev2_gen_print(ndo, tpay, ext);
2701 }
2702
2703 static const u_char *
2704 ikev2_eap_print(netdissect_options *ndo, u_char tpay,
2705 const struct isakmp_gen *ext,
2706 u_int item_len _U_, const u_char *ep _U_,
2707 uint32_t phase _U_, uint32_t doi _U_,
2708 uint32_t proto _U_, int depth _U_)
2709 {
2710 return ikev2_gen_print(ndo, tpay, ext);
2711 }
2712
2713 static const u_char *
2714 ike_sub0_print(netdissect_options *ndo,
2715 u_char np, const struct isakmp_gen *ext, const u_char *ep,
2716
2717 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
2718 {
2719 const u_char *cp;
2720 struct isakmp_gen e;
2721 u_int item_len;
2722
2723 cp = (const u_char *)ext;
2724 ND_TCHECK(*ext);
2725 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2726
2727 /*
2728 * Since we can't have a payload length of less than 4 bytes,
2729 * we need to bail out here if the generic header is nonsensical
2730 * or truncated, otherwise we could loop forever processing
2731 * zero-length items or otherwise misdissect the packet.
2732 */
2733 item_len = ntohs(e.len);
2734 if (item_len <= 4)
2735 return NULL;
2736
2737 if (NPFUNC(np)) {
2738 /*
2739 * XXX - what if item_len is too short, or too long,
2740 * for this payload type?
2741 */
2742 cp = (*npfunc[np])(ndo, np, ext, item_len, ep, phase, doi, proto, depth);
2743 } else {
2744 ND_PRINT((ndo,"%s", NPSTR(np)));
2745 cp += item_len;
2746 }
2747
2748 return cp;
2749 trunc:
2750 ND_PRINT((ndo," [|isakmp]"));
2751 return NULL;
2752 }
2753
2754 static const u_char *
2755 ikev1_sub_print(netdissect_options *ndo,
2756 u_char np, const struct isakmp_gen *ext, const u_char *ep,
2757 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
2758 {
2759 const u_char *cp;
2760 int i;
2761 struct isakmp_gen e;
2762
2763 cp = (const u_char *)ext;
2764
2765 while (np) {
2766 ND_TCHECK(*ext);
2767
2768 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2769
2770 ND_TCHECK2(*ext, ntohs(e.len));
2771
2772 depth++;
2773 ND_PRINT((ndo,"\n"));
2774 for (i = 0; i < depth; i++)
2775 ND_PRINT((ndo," "));
2776 ND_PRINT((ndo,"("));
2777 cp = ike_sub0_print(ndo, np, ext, ep, phase, doi, proto, depth);
2778 ND_PRINT((ndo,")"));
2779 depth--;
2780
2781 if (cp == NULL) {
2782 /* Zero-length subitem */
2783 return NULL;
2784 }
2785
2786 np = e.np;
2787 ext = (const struct isakmp_gen *)cp;
2788 }
2789 return cp;
2790 trunc:
2791 ND_PRINT((ndo," [|%s]", NPSTR(np)));
2792 return NULL;
2793 }
2794
2795 static char *
2796 numstr(int x)
2797 {
2798 static char buf[20];
2799 snprintf(buf, sizeof(buf), "#%d", x);
2800 return buf;
2801 }
2802
2803 static void
2804 ikev1_print(netdissect_options *ndo,
2805 const u_char *bp, u_int length,
2806 const u_char *bp2, struct isakmp *base)
2807 {
2808 const struct isakmp *p;
2809 const u_char *ep;
2810 u_char np;
2811 int i;
2812 int phase;
2813
2814 p = (const struct isakmp *)bp;
2815 ep = ndo->ndo_snapend;
2816
2817 phase = (EXTRACT_32BITS(base->msgid) == 0) ? 1 : 2;
2818 if (phase == 1)
2819 ND_PRINT((ndo," phase %d", phase));
2820 else
2821 ND_PRINT((ndo," phase %d/others", phase));
2822
2823 i = cookie_find(&base->i_ck);
2824 if (i < 0) {
2825 if (iszero((const u_char *)&base->r_ck, sizeof(base->r_ck))) {
2826 /* the first packet */
2827 ND_PRINT((ndo," I"));
2828 if (bp2)
2829 cookie_record(&base->i_ck, bp2);
2830 } else
2831 ND_PRINT((ndo," ?"));
2832 } else {
2833 if (bp2 && cookie_isinitiator(i, bp2))
2834 ND_PRINT((ndo," I"));
2835 else if (bp2 && cookie_isresponder(i, bp2))
2836 ND_PRINT((ndo," R"));
2837 else
2838 ND_PRINT((ndo," ?"));
2839 }
2840
2841 ND_PRINT((ndo," %s", ETYPESTR(base->etype)));
2842 if (base->flags) {
2843 ND_PRINT((ndo,"[%s%s]", base->flags & ISAKMP_FLAG_E ? "E" : "",
2844 base->flags & ISAKMP_FLAG_C ? "C" : ""));
2845 }
2846
2847 if (ndo->ndo_vflag) {
2848 const struct isakmp_gen *ext;
2849
2850 ND_PRINT((ndo,":"));
2851
2852 /* regardless of phase... */
2853 if (base->flags & ISAKMP_FLAG_E) {
2854 /*
2855 * encrypted, nothing we can do right now.
2856 * we hope to decrypt the packet in the future...
2857 */
2858 ND_PRINT((ndo," [encrypted %s]", NPSTR(base->np)));
2859 goto done;
2860 }
2861
2862 CHECKLEN(p + 1, base->np);
2863 np = base->np;
2864 ext = (const struct isakmp_gen *)(p + 1);
2865 ikev1_sub_print(ndo, np, ext, ep, phase, 0, 0, 0);
2866 }
2867
2868 done:
2869 if (ndo->ndo_vflag) {
2870 if (ntohl(base->len) != length) {
2871 ND_PRINT((ndo," (len mismatch: isakmp %u/ip %u)",
2872 (uint32_t)ntohl(base->len), length));
2873 }
2874 }
2875 }
2876
2877 static const u_char *
2878 ikev2_sub0_print(netdissect_options *ndo, struct isakmp *base,
2879 u_char np,
2880 const struct isakmp_gen *ext, const u_char *ep,
2881 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
2882 {
2883 const u_char *cp;
2884 struct isakmp_gen e;
2885 u_int item_len;
2886
2887 cp = (const u_char *)ext;
2888 ND_TCHECK(*ext);
2889 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2890
2891 /*
2892 * Since we can't have a payload length of less than 4 bytes,
2893 * we need to bail out here if the generic header is nonsensical
2894 * or truncated, otherwise we could loop forever processing
2895 * zero-length items or otherwise misdissect the packet.
2896 */
2897 item_len = ntohs(e.len);
2898 if (item_len <= 4)
2899 return NULL;
2900
2901 if (np == ISAKMP_NPTYPE_v2E) {
2902 cp = ikev2_e_print(ndo, base, np, ext, item_len,
2903 ep, phase, doi, proto, depth);
2904 } else if (NPFUNC(np)) {
2905 /*
2906 * XXX - what if item_len is too short, or too long,
2907 * for this payload type?
2908 */
2909 cp = (*npfunc[np])(ndo, np, ext, item_len,
2910 ep, phase, doi, proto, depth);
2911 } else {
2912 ND_PRINT((ndo,"%s", NPSTR(np)));
2913 cp += item_len;
2914 }
2915
2916 return cp;
2917 trunc:
2918 ND_PRINT((ndo," [|isakmp]"));
2919 return NULL;
2920 }
2921
2922 static const u_char *
2923 ikev2_sub_print(netdissect_options *ndo,
2924 struct isakmp *base,
2925 u_char np, const struct isakmp_gen *ext, const u_char *ep,
2926 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
2927 {
2928 const u_char *cp;
2929 int i;
2930 struct isakmp_gen e;
2931
2932 cp = (const u_char *)ext;
2933 while (np) {
2934 ND_TCHECK(*ext);
2935
2936 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2937
2938 ND_TCHECK2(*ext, ntohs(e.len));
2939
2940 depth++;
2941 ND_PRINT((ndo,"\n"));
2942 for (i = 0; i < depth; i++)
2943 ND_PRINT((ndo," "));
2944 ND_PRINT((ndo,"("));
2945 cp = ikev2_sub0_print(ndo, base, np,
2946 ext, ep, phase, doi, proto, depth);
2947 ND_PRINT((ndo,")"));
2948 depth--;
2949
2950 if (cp == NULL) {
2951 /* Zero-length subitem */
2952 return NULL;
2953 }
2954
2955 np = e.np;
2956 ext = (const struct isakmp_gen *)cp;
2957 }
2958 return cp;
2959 trunc:
2960 ND_PRINT((ndo," [|%s]", NPSTR(np)));
2961 return NULL;
2962 }
2963
2964 static void
2965 ikev2_print(netdissect_options *ndo,
2966 const u_char *bp, u_int length,
2967 const u_char *bp2 _U_, struct isakmp *base)
2968 {
2969 const struct isakmp *p;
2970 const u_char *ep;
2971 u_char np;
2972 int phase;
2973
2974 p = (const struct isakmp *)bp;
2975 ep = ndo->ndo_snapend;
2976
2977 phase = (EXTRACT_32BITS(base->msgid) == 0) ? 1 : 2;
2978 if (phase == 1)
2979 ND_PRINT((ndo, " parent_sa"));
2980 else
2981 ND_PRINT((ndo, " child_sa "));
2982
2983 ND_PRINT((ndo, " %s", ETYPESTR(base->etype)));
2984 if (base->flags) {
2985 ND_PRINT((ndo, "[%s%s%s]",
2986 base->flags & ISAKMP_FLAG_I ? "I" : "",
2987 base->flags & ISAKMP_FLAG_V ? "V" : "",
2988 base->flags & ISAKMP_FLAG_R ? "R" : ""));
2989 }
2990
2991 if (ndo->ndo_vflag) {
2992 const struct isakmp_gen *ext;
2993
2994 ND_PRINT((ndo, ":"));
2995
2996 /* regardless of phase... */
2997 if (base->flags & ISAKMP_FLAG_E) {
2998 /*
2999 * encrypted, nothing we can do right now.
3000 * we hope to decrypt the packet in the future...
3001 */
3002 ND_PRINT((ndo, " [encrypted %s]", NPSTR(base->np)));
3003 goto done;
3004 }
3005
3006 CHECKLEN(p + 1, base->np)
3007
3008 np = base->np;
3009 ext = (const struct isakmp_gen *)(p + 1);
3010 ikev2_sub_print(ndo, base, np, ext, ep, phase, 0, 0, 0);
3011 }
3012
3013 done:
3014 if (ndo->ndo_vflag) {
3015 if (ntohl(base->len) != length) {
3016 ND_PRINT((ndo, " (len mismatch: isakmp %u/ip %u)",
3017 (uint32_t)ntohl(base->len), length));
3018 }
3019 }
3020 }
3021
3022 void
3023 isakmp_print(netdissect_options *ndo,
3024 const u_char *bp, u_int length,
3025 const u_char *bp2)
3026 {
3027 const struct isakmp *p;
3028 struct isakmp base;
3029 const u_char *ep;
3030 int major, minor;
3031
3032 #ifdef HAVE_LIBCRYPTO
3033 /* initialize SAs */
3034 if (ndo->ndo_sa_list_head == NULL) {
3035 if (ndo->ndo_espsecret)
3036 esp_print_decodesecret(ndo);
3037 }
3038 #endif
3039
3040 p = (const struct isakmp *)bp;
3041 ep = ndo->ndo_snapend;
3042
3043 if ((const struct isakmp *)ep < p + 1) {
3044 ND_PRINT((ndo,"[|isakmp]"));
3045 return;
3046 }
3047
3048 UNALIGNED_MEMCPY(&base, p, sizeof(base));
3049
3050 ND_PRINT((ndo,"isakmp"));
3051 major = (base.vers & ISAKMP_VERS_MAJOR)
3052 >> ISAKMP_VERS_MAJOR_SHIFT;
3053 minor = (base.vers & ISAKMP_VERS_MINOR)
3054 >> ISAKMP_VERS_MINOR_SHIFT;
3055
3056 if (ndo->ndo_vflag) {
3057 ND_PRINT((ndo," %d.%d", major, minor));
3058 }
3059
3060 if (ndo->ndo_vflag) {
3061 ND_PRINT((ndo," msgid "));
3062 hexprint(ndo, (const uint8_t *)&base.msgid, sizeof(base.msgid));
3063 }
3064
3065 if (1 < ndo->ndo_vflag) {
3066 ND_PRINT((ndo," cookie "));
3067 hexprint(ndo, (const uint8_t *)&base.i_ck, sizeof(base.i_ck));
3068 ND_PRINT((ndo,"->"));
3069 hexprint(ndo, (const uint8_t *)&base.r_ck, sizeof(base.r_ck));
3070 }
3071 ND_PRINT((ndo,":"));
3072
3073 switch(major) {
3074 case IKEv1_MAJOR_VERSION:
3075 ikev1_print(ndo, bp, length, bp2, &base);
3076 break;
3077
3078 case IKEv2_MAJOR_VERSION:
3079 ikev2_print(ndo, bp, length, bp2, &base);
3080 break;
3081 }
3082 }
3083
3084 void
3085 isakmp_rfc3948_print(netdissect_options *ndo,
3086 const u_char *bp, u_int length,
3087 const u_char *bp2)
3088 {
3089 ND_TCHECK(bp[0]);
3090 if(length == 1 && bp[0]==0xff) {
3091 ND_PRINT((ndo, "isakmp-nat-keep-alive"));
3092 return;
3093 }
3094
3095 if(length < 4) {
3096 goto trunc;
3097 }
3098 ND_TCHECK(bp[3]);
3099
3100 /*
3101 * see if this is an IKE packet
3102 */
3103 if(bp[0]==0 && bp[1]==0 && bp[2]==0 && bp[3]==0) {
3104 ND_PRINT((ndo, "NONESP-encap: "));
3105 isakmp_print(ndo, bp+4, length-4, bp2);
3106 return;
3107 }
3108
3109 /* must be an ESP packet */
3110 {
3111 int nh, enh, padlen;
3112 int advance;
3113
3114 ND_PRINT((ndo, "UDP-encap: "));
3115
3116 advance = esp_print(ndo, bp, length, bp2, &enh, &padlen);
3117 if(advance <= 0)
3118 return;
3119
3120 bp += advance;
3121 length -= advance + padlen;
3122 nh = enh & 0xff;
3123
3124 ip_print_inner(ndo, bp, length, nh, bp2);
3125 return;
3126 }
3127
3128 trunc:
3129 ND_PRINT((ndo,"[|isakmp]"));
3130 return;
3131 }
3132
3133 /*
3134 * Local Variables:
3135 * c-style: whitesmith
3136 * c-basic-offset: 8
3137 * End:
3138 */
[mirror] the TCPdump network dissector