justify more function declarations
1 /*
2 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. Neither the name of the project nor the names of its contributors
14 * may be used to endorse or promote products derived from this software
15 * without specific prior written permission.
16 *
17 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27 * SUCH DAMAGE.
28 *
29 */
30
31 #define NETDISSECT_REWORKED
32 #ifdef HAVE_CONFIG_H
33 #include "config.h"
34 #endif
35
36 /* The functions from print-esp.c used in this file are only defined when both
37 * OpenSSL and evp.h are detected. Employ the same preprocessor device here.
38 */
39 #ifndef HAVE_OPENSSL_EVP_H
40 #undef HAVE_LIBCRYPTO
41 #endif
42
43 #include <tcpdump-stdinc.h>
44
45 #include <string.h>
46
47 #include <stdio.h>
48
49 #include "interface.h"
50 #include "addrtoname.h"
51 #include "extract.h" /* must come after interface.h */
52
53 #include "ip.h"
54 #ifdef INET6
55 #include "ip6.h"
56 #endif
57
58 #ifndef HAVE_SOCKADDR_STORAGE
59 #define sockaddr_storage sockaddr
60 #endif
61
62 /* refer to RFC 2408 */
63
typedef u_char cookie_t[8];	/* Initiator / Responder Cookie, 8 octets */
typedef u_char msgid_t[4];	/* Message ID, 4 octets */

#define PORT_ISAKMP 500		/* well-known ISAKMP port */
68
69 /* 3.1 ISAKMP Header Format (IKEv1 and IKEv2)
70 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
71 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
72 ! Initiator !
73 ! Cookie !
74 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
75 ! Responder !
76 ! Cookie !
77 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
78 ! Next Payload ! MjVer ! MnVer ! Exchange Type ! Flags !
79 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
80 ! Message ID !
81 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
82 ! Length !
83 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
84 */
/* Fixed 28-octet ISAKMP header; the same layout is used by IKEv1 and IKEv2. */
struct isakmp {
	cookie_t i_ck;		/* Initiator Cookie */
	cookie_t r_ck;		/* Responder Cookie */
	u_int8_t np;		/* Next Payload Type */
	u_int8_t vers;		/* major version in the high nibble, minor in the low */
#define ISAKMP_VERS_MAJOR	0xf0
#define ISAKMP_VERS_MAJOR_SHIFT	4
#define ISAKMP_VERS_MINOR	0x0f
#define ISAKMP_VERS_MINOR_SHIFT	0
	u_int8_t etype;		/* Exchange Type */
	u_int8_t flags;		/* Flags */
	msgid_t msgid;		/* Message ID */
	u_int32_t len;		/* Length of the whole message, header included */
};
99
/* Next Payload Type */
#define ISAKMP_NPTYPE_NONE   0 /* NONE*/
#define ISAKMP_NPTYPE_SA     1 /* Security Association */
#define ISAKMP_NPTYPE_P      2 /* Proposal */
#define ISAKMP_NPTYPE_T      3 /* Transform */
#define ISAKMP_NPTYPE_KE     4 /* Key Exchange */
#define ISAKMP_NPTYPE_ID     5 /* Identification */
#define ISAKMP_NPTYPE_CERT   6 /* Certificate */
#define ISAKMP_NPTYPE_CR     7 /* Certificate Request */
#define ISAKMP_NPTYPE_HASH   8 /* Hash */
#define ISAKMP_NPTYPE_SIG    9 /* Signature */
#define ISAKMP_NPTYPE_NONCE 10 /* Nonce */
#define ISAKMP_NPTYPE_N     11 /* Notification */
#define ISAKMP_NPTYPE_D     12 /* Delete */
#define ISAKMP_NPTYPE_VID   13 /* Vendor ID */
/* The IKEv2 payload types (33-48) are only named in npstr[]/npfunc[] below;
 * the Encrypted payload gets a macro because it is dispatched specially. */
#define ISAKMP_NPTYPE_v2E   46 /* v2 Encrypted payload */

#define IKEv1_MAJOR_VERSION  1
#define IKEv1_MINOR_VERSION  0

#define IKEv2_MAJOR_VERSION  2
#define IKEv2_MINOR_VERSION  0

/* Flags (struct isakmp.flags) */
#define ISAKMP_FLAG_E 0x01 /* Encryption Bit */
#define ISAKMP_FLAG_C 0x02 /* Commit Bit */
#define ISAKMP_FLAG_extra 0x04

/* IKEv2 */
#define ISAKMP_FLAG_I (1 << 3)  /* (I)nitiator */
#define ISAKMP_FLAG_V (1 << 4)  /* (V)ersion */
#define ISAKMP_FLAG_R (1 << 5)  /* (R)esponse */
132
133
134 /* 3.2 Payload Generic Header
135 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
136 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
137 ! Next Payload ! RESERVED ! Payload Length !
138 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
139 */
/* Generic 4-octet header that starts every payload.  IKEv2 uses the top
 * bit of the RESERVED octet as the Critical flag. */
struct isakmp_gen {
	u_int8_t  np;       /* Next Payload */
	u_int8_t  critical; /* bit 7 - critical, rest is RESERVED */
	u_int16_t len;      /* Payload Length */
};
145
146 /* 3.3 Data Attributes
147 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
148 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
149 !A! Attribute Type ! AF=0 Attribute Length !
150 !F! ! AF=1 Attribute Value !
151 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
152 . AF=0 Attribute Value .
153 . AF=1 Not Transmitted .
154 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
155 */
/* Data attribute.  The top bit of 'type' is the Attribute Format (AF) bit:
 * AF set   -> type/value form, the value is carried in 'lorv' itself;
 * AF clear -> type/length/value form, 'lorv' is the length of the value
 *             that follows the 4-octet header.
 * (ikev1_attrmap_print() and ikev1_attr_print() decode it this way.) */
struct isakmp_data {
	u_int16_t type;		/* defined by DOI-spec, and Attribute Format */
	u_int16_t lorv;		/* AF clear: Attribute Length */
				/* AF set:   Attribute Value */
	/* AF clear: Attribute Value (variable length) follows */
};
162
163 /* 3.4 Security Association Payload */
164 /* MAY NOT be used, because of being defined in ipsec-doi. */
165 /*
166 If the current payload is the last in the message,
167 then the value of the next payload field will be 0.
168 This field MUST NOT contain the
169 values for the Proposal or Transform payloads as they are considered
170 part of the security association negotiation. For example, this
171 field would contain the value "10" (Nonce payload) in the first
172 message of a Base Exchange (see Section 4.4) and the value "0" in the
173 first message of an Identity Protect Exchange (see Section 4.5).
174 */
/* Both fields are in network byte order; ikev1_sa_print() ntohl()s them. */
struct ikev1_pl_sa {
	struct isakmp_gen h;
	u_int32_t doi; /* Domain of Interpretation */
	u_int32_t sit; /* Situation */
};
180
181 /* 3.5 Proposal Payload */
182 /*
183 The value of the next payload field MUST only contain the value "2"
184 or "0". If there are additional Proposal payloads in the message,
185 then this field will be 2. If the current Proposal payload is the
186 last within the security association proposal, then this field will
187 be 0.
188 */
struct ikev1_pl_p {
	struct isakmp_gen h;
	u_int8_t p_no;      /* Proposal # */
	u_int8_t prot_id;   /* Protocol */
	u_int8_t spi_size;  /* SPI Size */
	u_int8_t num_t;     /* Number of Transforms */
	/* SPI (spi_size octets) follows, then num_t Transform payloads */
};
197
198 /* 3.6 Transform Payload */
199 /*
200 The value of the next payload field MUST only contain the value "3"
201 or "0". If there are additional Transform payloads in the proposal,
202 then this field will be 3. If the current Transform payload is the
203 last within the proposal, then this field will be 0.
204 */
struct ikev1_pl_t {
	struct isakmp_gen h;
	u_int8_t  t_no;     /* Transform # */
	u_int8_t  t_id;     /* Transform-Id */
	u_int16_t reserved; /* RESERVED2 */
	/* SA Attributes (struct isakmp_data, variable length) follow */
};
212
213 /* 3.7 Key Exchange Payload */
struct ikev1_pl_ke {
	struct isakmp_gen h;
	/* Key Exchange Data (variable length) follows */
};
218
219 /* 3.8 Identification Payload */
220 /* MUST NOT to be used, because of being defined in ipsec-doi. */
struct ikev1_pl_id {
	struct isakmp_gen h;
	union {
		u_int8_t  id_type;  /* ID Type */
		u_int32_t doi_data; /* DOI Specific ID Data */
	} d;
	/* Identification Data (variable length) follows */
};
229
230 /* 3.9 Certificate Payload */
struct ikev1_pl_cert {
	struct isakmp_gen h;
	u_int8_t encode;  /* Cert Encoding */
	char cert;        /* Certificate Data: placeholder for its first octet,
			   * the rest of the data continues past the struct */
	/*
	 * 'encode' indicates the type of certificate or certificate-related
	 * information contained in the Certificate Data field.
	 */
};
241
242 /* 3.10 Certificate Request Payload */
struct ikev1_pl_cr {
	struct isakmp_gen h;
	u_int8_t num_cert; /* # Cert. Types */
	/*
	 * Certificate Types (variable length)
	 * -- Contains a list of the types of certificates requested,
	 * sorted in order of preference.  Each individual certificate
	 * type is 1 octet.  This field is NOT required.
	 */
	/* # Certificate Authorities (1 octet) */
	/* Certificate Authorities (variable length) */
};
255
256 /* 3.11 Hash Payload */
257 /* may not be used, because of having only data. */
struct ikev1_pl_hash {
	struct isakmp_gen h;
	/* Hash Data (variable length) follows */
};
262
263 /* 3.12 Signature Payload */
264 /* may not be used, because of having only data. */
struct ikev1_pl_sig {
	struct isakmp_gen h;
	/* Signature Data (variable length) follows */
};
269
270 /* 3.13 Nonce Payload */
271 /* may not be used, because of having only data. */
struct ikev1_pl_nonce {
	struct isakmp_gen h;
	/* Nonce Data (variable length) follows */
};
276
277 /* 3.14 Notification Payload */
struct ikev1_pl_n {
	struct isakmp_gen h;
	u_int32_t doi;      /* Domain of Interpretation */
	u_int8_t  prot_id;  /* Protocol-ID */
	u_int8_t  spi_size; /* SPI Size */
	u_int16_t type;     /* Notify Message Type */
	/* SPI (spi_size octets) follows */
	/* Notification Data (variable length) follows */
};

/* 3.14.1 Notify Message Types */
/* NOTIFY MESSAGES - ERROR TYPES (1-8191 are ISAKMP errors) */
#define ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE           1
#define ISAKMP_NTYPE_DOI_NOT_SUPPORTED              2
#define ISAKMP_NTYPE_SITUATION_NOT_SUPPORTED        3
#define ISAKMP_NTYPE_INVALID_COOKIE                 4
#define ISAKMP_NTYPE_INVALID_MAJOR_VERSION          5
#define ISAKMP_NTYPE_INVALID_MINOR_VERSION          6
#define ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE          7
#define ISAKMP_NTYPE_INVALID_FLAGS                  8
#define ISAKMP_NTYPE_INVALID_MESSAGE_ID             9
#define ISAKMP_NTYPE_INVALID_PROTOCOL_ID           10
#define ISAKMP_NTYPE_INVALID_SPI                   11
#define ISAKMP_NTYPE_INVALID_TRANSFORM_ID          12
#define ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED      13
#define ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN            14
#define ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX           15
#define ISAKMP_NTYPE_PAYLOAD_MALFORMED             16
#define ISAKMP_NTYPE_INVALID_KEY_INFORMATION       17
#define ISAKMP_NTYPE_INVALID_ID_INFORMATION        18
#define ISAKMP_NTYPE_INVALID_CERT_ENCODING         19
#define ISAKMP_NTYPE_INVALID_CERTIFICATE           20
#define ISAKMP_NTYPE_BAD_CERT_REQUEST_SYNTAX       21
#define ISAKMP_NTYPE_INVALID_CERT_AUTHORITY        22
#define ISAKMP_NTYPE_INVALID_HASH_INFORMATION      23
#define ISAKMP_NTYPE_AUTHENTICATION_FAILED         24
#define ISAKMP_NTYPE_INVALID_SIGNATURE             25
#define ISAKMP_NTYPE_ADDRESS_NOTIFICATION          26

/* 3.15 Delete Payload */
struct ikev1_pl_d {
	struct isakmp_gen h;
	u_int32_t doi;      /* Domain of Interpretation */
	u_int8_t  prot_id;  /* Protocol-Id */
	u_int8_t  spi_size; /* SPI Size */
	u_int16_t num_spi;  /* # of SPIs */
	/* SPI(es): num_spi entries of spi_size octets each follow */
};
326
327 \f
/* Phase 1 / phase 2 SA lists.  struct ikev1_ph1 and struct ikev1_ph2 are
 * not declared anywhere visible in this file, so these can only be used
 * through pointers; NOTE(review): they look unused here -- confirm. */
struct ikev1_ph1tab {
	struct ikev1_ph1 *head;
	struct ikev1_ph1 *tail;
	int len;
};

struct isakmp_ph2tab {
	struct ikev1_ph2 *head;
	struct ikev1_ph2 *tail;
	int len;
};
339
340 /* IKEv2 (RFC4306) */
341
342 /* 3.3 Security Association Payload -- generic header */
343 /* 3.3.1. Proposal Substructure */
/* Same layout as the IKEv1 Proposal payload (struct ikev1_pl_p). */
struct ikev2_p {
	struct isakmp_gen h;
	u_int8_t p_no;      /* Proposal # */
	u_int8_t prot_id;   /* Protocol */
	u_int8_t spi_size;  /* SPI Size */
	u_int8_t num_t;     /* Number of Transforms */
};
351
352 /* 3.3.2. Transform Substructure */
/* Unlike IKEv1, the transform carries a type octet and a 16-bit ID. */
struct ikev2_t {
	struct isakmp_gen h;
	u_int8_t  t_type;   /* Transform Type (ENCR,PRF,INTEG,etc.*/
	u_int8_t  res2;     /* reserved byte */
	u_int16_t t_id;     /* Transform ID */
};

/* values of struct ikev2_t.t_type */
enum ikev2_t_type {
	IV2_T_ENCR = 1,
	IV2_T_PRF  = 2,
	IV2_T_INTEG= 3,
	IV2_T_DH   = 4,
	IV2_T_ESN  = 5,
};
367
368 /* 3.4. Key Exchange Payload */
struct ikev2_ke {
	struct isakmp_gen h;
	u_int16_t ke_group; /* Diffie-Hellman Group # */
	u_int16_t ke_res1;  /* RESERVED */
	/* KE data (variable length) follows */
};
375
376
377 /* 3.5. Identification Payloads */
/* values of struct ikev2_id.type */
enum ikev2_id_type {
	ID_IPV4_ADDR=1,
	ID_FQDN=2,
	ID_RFC822_ADDR=3,
	ID_IPV6_ADDR=5,
	ID_DER_ASN1_DN=9,
	ID_DER_ASN1_GN=10,
	ID_KEY_ID=11,
};
struct ikev2_id {
	struct isakmp_gen h;
	u_int8_t  type;     /* ID type */
	u_int8_t  res1;     /* RESERVED */
	u_int16_t res2;     /* RESERVED */
	/* Identification Data (variable length) follows */
};
395
396 /* 3.10 Notification Payload */
/* Unlike struct ikev1_pl_n there is no DOI field. */
struct ikev2_n {
	struct isakmp_gen h;
	u_int8_t  prot_id;  /* Protocol-ID */
	u_int8_t  spi_size; /* SPI Size */
	u_int16_t type;     /* Notify Message Type */
	/* SPI (spi_size octets) and Notification Data follow */
};

/* values of struct ikev2_n.type; below 16384 are errors, above are status */
enum ikev2_n_type {
	IV2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD            = 1,
	IV2_NOTIFY_INVALID_IKE_SPI                         = 4,
	IV2_NOTIFY_INVALID_MAJOR_VERSION                   = 5,
	IV2_NOTIFY_INVALID_SYNTAX                          = 7,
	IV2_NOTIFY_INVALID_MESSAGE_ID                      = 9,
	IV2_NOTIFY_INVALID_SPI                             =11,
	IV2_NOTIFY_NO_PROPOSAL_CHOSEN                      =14,
	IV2_NOTIFY_INVALID_KE_PAYLOAD                      =17,
	IV2_NOTIFY_AUTHENTICATION_FAILED                   =24,
	IV2_NOTIFY_SINGLE_PAIR_REQUIRED                    =34,
	IV2_NOTIFY_NO_ADDITIONAL_SAS                       =35,
	IV2_NOTIFY_INTERNAL_ADDRESS_FAILURE                =36,
	IV2_NOTIFY_FAILED_CP_REQUIRED                      =37,
	IV2_NOTIFY_INVALID_SELECTORS                       =39,
	IV2_NOTIFY_INITIAL_CONTACT                         =16384,
	IV2_NOTIFY_SET_WINDOW_SIZE                         =16385,
	IV2_NOTIFY_ADDITIONAL_TS_POSSIBLE                  =16386,
	IV2_NOTIFY_IPCOMP_SUPPORTED                        =16387,
	IV2_NOTIFY_NAT_DETECTION_SOURCE_IP                 =16388,
	IV2_NOTIFY_NAT_DETECTION_DESTINATION_IP            =16389,
	IV2_NOTIFY_COOKIE                                  =16390,
	IV2_NOTIFY_USE_TRANSPORT_MODE                      =16391,
	IV2_NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED              =16392,
	IV2_NOTIFY_REKEY_SA                                =16393,
	IV2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED           =16394,
	IV2_NOTIFY_NON_FIRST_FRAGMENTS_ALSO                =16395
};

/* notify type -> printable name; msg is presumably a string literal and
 * could be const char * -- TODO confirm against the table that fills it */
struct notify_messages {
	u_int16_t type;
	char     *msg;
};
437
/* 3.8 Authentication Payload */
struct ikev2_auth {
	struct isakmp_gen h;
	u_int8_t auth_method;  /* Auth Method (enum ikev2_auth_type) */
	u_int8_t reserved[3];
	/* authentication data (variable length) follows */
};

/* values of struct ikev2_auth.auth_method */
enum ikev2_auth_type {
	IV2_RSA_SIG = 1,
	IV2_SHARED  = 2,
	IV2_DSS_SIG = 3,
};
451
452 /* refer to RFC 2409 */
453
#if 0
/* isakmp sa structure -- disabled; vchar_t is not declared anywhere
 * visible in this file, so this cannot be enabled as is */
struct oakley_sa {
	u_int8_t  proto_id;            /* OAKLEY */
	vchar_t   *spi;                /* spi */
	u_int8_t  dhgrp;               /* DH; group */
	u_int8_t  auth_t;              /* method of authentication */
	u_int8_t  prf_t;               /* type of prf */
	u_int8_t  hash_t;              /* type of hash */
	u_int8_t  enc_t;               /* type of cipher */
	u_int8_t  life_t;              /* type of duration of lifetime */
	u_int32_t ldur;                /* life duration */
};
#endif
468
469 /* refer to RFC 2407 */
470
#define IPSEC_DOI 1	/* the only DOI ikev1_sa_print() understands */

/* 4.2 IPSEC Situation Definition (bit mask in struct ikev1_pl_sa.sit) */
#define IPSECDOI_SIT_IDENTITY_ONLY           0x00000001
#define IPSECDOI_SIT_SECRECY                 0x00000002
#define IPSECDOI_SIT_INTEGRITY               0x00000004

/* 4.4.1 IPSEC Security Protocol Identifiers */
/* 4.4.2 IPSEC ISAKMP Transform Values */
#define IPSECDOI_PROTO_ISAKMP                1
#define IPSECDOI_KEY_IKE                     1

/* 4.4.1 IPSEC Security Protocol Identifiers */
#define IPSECDOI_PROTO_IPSEC_AH              2
/* 4.4.3 IPSEC AH Transform Values */
#define IPSECDOI_AH_MD5                      2
#define IPSECDOI_AH_SHA                      3
#define IPSECDOI_AH_DES                      4
#define IPSECDOI_AH_SHA2_256                 5
#define IPSECDOI_AH_SHA2_384                 6
#define IPSECDOI_AH_SHA2_512                 7

/* 4.4.1 IPSEC Security Protocol Identifiers */
#define IPSECDOI_PROTO_IPSEC_ESP             3
/* 4.4.4 IPSEC ESP Transform Identifiers */
#define IPSECDOI_ESP_DES_IV64                1
#define IPSECDOI_ESP_DES                     2
#define IPSECDOI_ESP_3DES                    3
#define IPSECDOI_ESP_RC5                     4
#define IPSECDOI_ESP_IDEA                    5
#define IPSECDOI_ESP_CAST                    6
#define IPSECDOI_ESP_BLOWFISH                7
#define IPSECDOI_ESP_3IDEA                   8
#define IPSECDOI_ESP_DES_IV32                9
#define IPSECDOI_ESP_RC4                    10
#define IPSECDOI_ESP_NULL                   11
/* RIJNDAEL and AES are the same transform; both names map to 12 */
#define IPSECDOI_ESP_RIJNDAEL               12
#define IPSECDOI_ESP_AES                    12

/* 4.4.1 IPSEC Security Protocol Identifiers */
#define IPSECDOI_PROTO_IPCOMP                4
/* 4.4.5 IPSEC IPCOMP Transform Identifiers */
#define IPSECDOI_IPCOMP_OUI                  1
#define IPSECDOI_IPCOMP_DEFLATE              2
#define IPSECDOI_IPCOMP_LZS                  3

/* 4.5 IPSEC Security Association Attributes
 * "B" marks basic (2-octet, AF set) attributes, "V" variable-length ones */
#define IPSECDOI_ATTR_SA_LTYPE               1 /* B */
#define IPSECDOI_ATTR_SA_LTYPE_DEFAULT       1
#define IPSECDOI_ATTR_SA_LTYPE_SEC           1
#define IPSECDOI_ATTR_SA_LTYPE_KB            2
#define IPSECDOI_ATTR_SA_LDUR                2 /* V */
#define IPSECDOI_ATTR_SA_LDUR_DEFAULT    28800 /* 8 hours */
#define IPSECDOI_ATTR_GRP_DESC               3 /* B */
#define IPSECDOI_ATTR_ENC_MODE               4 /* B */
	/* default value: host dependent */
#define IPSECDOI_ATTR_ENC_MODE_TUNNEL        1
#define IPSECDOI_ATTR_ENC_MODE_TRNS          2
#define IPSECDOI_ATTR_AUTH                   5 /* B */
	/* 0 means not to use authentication. */
#define IPSECDOI_ATTR_AUTH_HMAC_MD5          1
#define IPSECDOI_ATTR_AUTH_HMAC_SHA1         2
#define IPSECDOI_ATTR_AUTH_DES_MAC           3
#define IPSECDOI_ATTR_AUTH_KPDK              4 /*RFC-1826(Key/Pad/Data/Key)*/
	/*
	 * When negotiating ESP without authentication, the Auth
	 * Algorithm attribute MUST NOT be included in the proposal.
	 * When negotiating ESP without confidentiality, the Auth
	 * Algorithm attribute MUST be included in the proposal and
	 * the ESP transform ID must be ESP_NULL.
	 */
#define IPSECDOI_ATTR_KEY_LENGTH             6 /* B */
#define IPSECDOI_ATTR_KEY_ROUNDS             7 /* B */
#define IPSECDOI_ATTR_COMP_DICT_SIZE         8 /* B */
#define IPSECDOI_ATTR_COMP_PRIVALG           9 /* V */
546
547 /* 4.6.1 Security Association Payload */
/* Same layout as struct ikev1_pl_sa. */
struct ipsecdoi_sa {
	struct isakmp_gen h;
	u_int32_t doi;  /* Domain of Interpretation */
	u_int32_t sit;  /* Situation */
};

/* header of the Secrecy Level / Secrecy Category data that follows the
 * Labeled Domain Identifier in an SA payload with IPSECDOI_SIT_SECRECY */
struct ipsecdoi_secrecy_h {
	u_int16_t len;
	u_int16_t reserved;
};

/* 4.6.2.1 Identification Type Values */
struct ipsecdoi_id {
	struct isakmp_gen h;
	u_int8_t  type;     /* ID Type */
	u_int8_t  proto_id; /* Protocol ID */
	u_int16_t port;     /* Port */
	/* Identification Data (variable length) follows */
};

/* values of struct ipsecdoi_id.type */
#define IPSECDOI_ID_IPV4_ADDR                1
#define IPSECDOI_ID_FQDN                     2
#define IPSECDOI_ID_USER_FQDN                3
#define IPSECDOI_ID_IPV4_ADDR_SUBNET         4
#define IPSECDOI_ID_IPV6_ADDR                5
#define IPSECDOI_ID_IPV6_ADDR_SUBNET         6
#define IPSECDOI_ID_IPV4_ADDR_RANGE          7
#define IPSECDOI_ID_IPV6_ADDR_RANGE          8
#define IPSECDOI_ID_DER_ASN1_DN              9
#define IPSECDOI_ID_DER_ASN1_GN             10
#define IPSECDOI_ID_KEY_ID                  11

/* 4.6.3 IPSEC DOI Notify Message Types */
/* Notify Messages - Status Types */
#define IPSECDOI_NTYPE_RESPONDER_LIFETIME    24576
#define IPSECDOI_NTYPE_REPLAY_STATUS         24577
#define IPSECDOI_NTYPE_INITIAL_CONTACT       24578
585
/*
 * Every per-payload printer shares one signature (see npfunc[] below):
 * it prints the payload at ext, whose declared length is item_len and
 * which must not run past end_pointer, and returns a pointer just past
 * the payload.  ikev1_sa_print(), for instance, returns NULL when the
 * capture is truncated.  phase/doi0/proto0 carry negotiation context
 * down to nested payloads; depth is the nesting level.
 */
#define DECLARE_PRINTER(func) static const u_char *ike##func##_print( \
		netdissect_options *ndo, u_char tpay,                 \
		const struct isakmp_gen *ext,                         \
		u_int item_len,                                       \
		const u_char *end_pointer,                            \
		u_int32_t phase,                                      \
		u_int32_t doi0,                                       \
		u_int32_t proto0, int depth)

DECLARE_PRINTER(v1_sa);
DECLARE_PRINTER(v1_p);
DECLARE_PRINTER(v1_t);
DECLARE_PRINTER(v1_ke);
DECLARE_PRINTER(v1_id);
DECLARE_PRINTER(v1_cert);
DECLARE_PRINTER(v1_cr);
DECLARE_PRINTER(v1_sig);
DECLARE_PRINTER(v1_hash);
DECLARE_PRINTER(v1_nonce);
DECLARE_PRINTER(v1_n);
DECLARE_PRINTER(v1_d);
DECLARE_PRINTER(v1_vid);

DECLARE_PRINTER(v2_sa);
DECLARE_PRINTER(v2_ke);
DECLARE_PRINTER(v2_ID);
DECLARE_PRINTER(v2_cert);
DECLARE_PRINTER(v2_cr);
DECLARE_PRINTER(v2_auth);
DECLARE_PRINTER(v2_nonce);
DECLARE_PRINTER(v2_n);
DECLARE_PRINTER(v2_d);
DECLARE_PRINTER(v2_vid);
DECLARE_PRINTER(v2_TS);
DECLARE_PRINTER(v2_cp);
DECLARE_PRINTER(v2_eap);

/* The Encrypted payload printer also needs the ISAKMP header (base), so
 * it does not fit the DECLARE_PRINTER signature and is not in npfunc[]. */
static const u_char *ikev2_e_print(netdissect_options *ndo,
				   struct isakmp *base,
				   u_char tpay,
				   const struct isakmp_gen *ext,
				   u_int item_len,
				   const u_char *end_pointer,
				   u_int32_t phase,
				   u_int32_t doi0,
				   u_int32_t proto0, int depth);


/* Walk a chain of payloads starting at the given one (IKEv1 / generic). */
static const u_char *ike_sub0_print(netdissect_options *ndo,u_char, const struct isakmp_gen *,
	const u_char *,	u_int32_t, u_int32_t, u_int32_t, int);
static const u_char *ikev1_sub_print(netdissect_options *ndo,u_char, const struct isakmp_gen *,
	const u_char *,	u_int32_t, u_int32_t, u_int32_t, int);

/* IKEv2 payload chain walker; takes the header so it can reach the
 * Encrypted payload printer above. */
static const u_char *ikev2_sub_print(netdissect_options *ndo,
				     struct isakmp *base,
				     u_char np, const struct isakmp_gen *ext,
				     const u_char *ep, u_int32_t phase,
				     u_int32_t doi, u_int32_t proto,
				     int depth);


/* numstr(): decimal rendering of an unnamed value (used by STR_OR_ID).
 * safememcpy(): copies fields out of the packet buffer; presumably an
 * alignment-safe memcpy -- see its definition further down. */
static char *numstr(int);
static void safememcpy(void *, const void *, size_t);

static void
ikev1_print(netdissect_options *ndo,
	    const u_char *bp,  u_int length,
	    const u_char *bp2, struct isakmp *base);
654
#define MAXINITIATORS	20
/*
 * Ring of the last MAXINITIATORS initiator cookies seen, each with the
 * addresses of the packet that introduced it: iaddr is its IP source
 * (the initiator), raddr its IP destination (the responder).  ninitiator
 * is the next slot cookie_record() overwrites.
 * NOTE(review): both objects have external linkage although nothing here
 * needs that; they should be static unless another file references them.
 */
int ninitiator = 0;
struct {
	cookie_t initiator;
	struct sockaddr_storage iaddr;
	struct sockaddr_storage raddr;
} cookiecache[MAXINITIATORS];
662
663 /* protocol id */
/* protocol id (IPSECDOI_PROTO_*), indexed by value; entry 0 is unused */
static const char *protoidstr[] = {
	NULL, "isakmp", "ipsec-ah", "ipsec-esp", "ipcomp",
};
667
668 /* isakmp->np */
/* isakmp->np: payload type names, indexed by type (0-48).  Types 14-32
 * are not assigned and get a generic "payNN" name; look-ups go through
 * NPSTR(), which bounds-checks and falls back to numstr(). */
static const char *npstr[] = {
	"none", "sa", "p", "t", "ke", "id", "cert", "cr", "hash", /* 0 - 8 */
	"sig", "nonce", "n", "d", "vid",      /* 9 - 13 */
	"pay14", "pay15", "pay16", "pay17", "pay18", /* 14- 18 */
	"pay19", "pay20", "pay21", "pay22", "pay23", /* 19- 23 */
	"pay24", "pay25", "pay26", "pay27", "pay28", /* 24- 28 */
	"pay29", "pay30", "pay31", "pay32",          /* 29- 32 */
	"v2sa",  "v2ke",  "v2IDi", "v2IDr", "v2cert",/* 33- 37 */
	"v2cr",  "v2auth","v2nonce", "v2n",   "v2d",   /* 38- 42 */
	"v2vid", "v2TSi", "v2TSr", "v2e",   "v2cp",  /* 43- 47 */
	"v2eap",                                     /* 48 */

};
682
683 /* isakmp->np */
/* isakmp->np: payload printer per type, same indexing as npstr[].
 * Look-ups go through NPFUNC(), which bounds-checks and yields NULL for
 * types without a printer.  Type 46 (v2 Encrypted) is deliberately NULL:
 * ikev2_e_print() takes the extra 'base' argument and so has to be
 * dispatched separately. */
static const u_char *(*npfunc[])(netdissect_options *ndo, u_char tpay,
				 const struct isakmp_gen *ext,
				 u_int item_len,
				 const u_char *end_pointer,
				 u_int32_t phase,
				 u_int32_t doi0,
				 u_int32_t proto0, int depth) = {
	NULL,
	ikev1_sa_print,
	ikev1_p_print,
	ikev1_t_print,
	ikev1_ke_print,
	ikev1_id_print,
	ikev1_cert_print,
	ikev1_cr_print,
	ikev1_hash_print,
	ikev1_sig_print,
	ikev1_nonce_print,
	ikev1_n_print,
	ikev1_d_print,
	ikev1_vid_print,                  /* 13 */
	NULL, NULL, NULL, NULL, NULL,     /* 14- 18 */
	NULL, NULL, NULL, NULL, NULL,     /* 19- 23 */
	NULL, NULL, NULL, NULL, NULL,     /* 24- 28 */
	NULL, NULL, NULL, NULL,           /* 29- 32 */
	ikev2_sa_print,                 /* 33 */
	ikev2_ke_print,                 /* 34 */
	ikev2_ID_print,                 /* 35 */
	ikev2_ID_print,                 /* 36 */
	ikev2_cert_print,               /* 37 */
	ikev2_cr_print,                 /* 38 */
	ikev2_auth_print,               /* 39 */
	ikev2_nonce_print,              /* 40 */
	ikev2_n_print,                  /* 41 */
	ikev2_d_print,                  /* 42 */
	ikev2_vid_print,                /* 43 */
	ikev2_TS_print,                 /* 44 */
	ikev2_TS_print,                 /* 45 */
	NULL, /* ikev2_e_print,*/       /* 46 - special */
	ikev2_cp_print,                 /* 47 */
	ikev2_eap_print,                /* 48 */
};
726
727 /* isakmp->etype */
/* isakmp->etype: exchange type names, indexed by type (0-37); NULL
 * entries make ETYPESTR() fall back to the numeric value */
static const char *etypestr[] = {
/* IKEv1 exchange types */
	"none", "base", "ident", "auth", "agg", "inf", NULL, NULL,  /* 0-7 */
	NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,             /* 8-15 */
	NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,             /* 16-23 */
	NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,             /* 24-31 */
	"oakley-quick", "oakley-newgroup",                          /* 32-33 */
/* IKEv2 exchange types */
	"ikev2_init", "ikev2_auth", "child_sa", "inf2"              /* 34-37 */
};
738
/* Name for x from the array tab, or numstr(x) when x is out of range or
 * the entry is NULL.  tab must be an actual array (sizeof is used for
 * the bound); a negative x converts to a huge size_t and so falls back
 * to numstr(). */
#define STR_OR_ID(x, tab) \
	(((x) < sizeof(tab)/sizeof(tab[0]) && tab[(x)])	? tab[(x)] : numstr(x))
#define PROTOIDSTR(x)	STR_OR_ID(x, protoidstr)
#define NPSTR(x)	STR_OR_ID(x, npstr)
#define ETYPESTR(x)	STR_OR_ID(x, etypestr)

/* Bail out (via the expanding function's 'done' label) when p lies past
 * the end 'ep' of the data, printing a truncation marker for payload
 * type np.  Relies on 'ndo', 'ep' and a 'done:' label in the caller. */
#define CHECKLEN(p, np)							\
		if (ep < (u_char *)(p)) {				\
			ND_PRINT((ndo," [|%s]", NPSTR(np)));		\
			goto done;					\
		}


/* Printer for payload type x, or NULL when there is none (see npfunc[]) */
#define NPFUNC(x) \
	(((x) < sizeof(npfunc)/sizeof(npfunc[0]) && npfunc[(x)]) \
		? npfunc[(x)] : NULL)
755
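/*
 * Return 1 if every one of the l octets at p is zero, 0 otherwise.
 * An empty range (l == 0) counts as zero.  p is only read, hence const;
 * callers passing a plain u_char * are unaffected.
 */
static int
iszero(const u_char *p, size_t l)
{
	size_t i;

	for (i = 0; i < l; i++) {
		if (p[i] != 0)
			return 0;
	}
	return 1;
}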
765
/*
 * find cookie from initiator cache
 *
 * Linear scan of cookiecache[]; returns the index of the first slot whose
 * recorded initiator cookie equals *in, or -1 when no slot matches.
 * NOTE: slots that were never written are all-zero, so an all-zero
 * cookie matches an unused slot.
 */
static int
cookie_find(cookie_t *in)
{
	int slot = 0;

	while (slot < MAXINITIATORS) {
		if (!memcmp(in, &cookiecache[slot].initiator, sizeof(*in)))
			return slot;
		slot++;
	}

	return -1;
}
779
/*
 * record initiator
 *
 * Remember *in as an initiator cookie together with the addresses of the
 * IP packet at bp2: ip_src becomes iaddr (the initiator), ip_dst becomes
 * raddr (the responder).  A cookie that is already cached is not stored
 * again; only the write cursor is moved to the slot after it.  Packets
 * that are neither IPv4 nor IPv6 are ignored.  The cache is a ring: the
 * slot at ninitiator is overwritten and the cursor advances modulo
 * MAXINITIATORS.
 */
static void
cookie_record(cookie_t *in, const u_char *bp2)
{
	int i;
	struct ip *ip;
	struct sockaddr_in *sin;
#ifdef INET6
	struct ip6_hdr *ip6;
	struct sockaddr_in6 *sin6;
#endif

	i = cookie_find(in);
	if (0 <= i) {
		ninitiator = (i + 1) % MAXINITIATORS;
		return;
	}

	/* bp2 is taken to be an IP header whose fixed part is present;
	 * nothing here checks that -- presumably the IP printer did */
	ip = (struct ip *)bp2;
	switch (IP_V(ip)) {
	case 4:
		memset(&cookiecache[ninitiator].iaddr, 0,
			sizeof(cookiecache[ninitiator].iaddr));
		memset(&cookiecache[ninitiator].raddr, 0,
			sizeof(cookiecache[ninitiator].raddr));

		sin = (struct sockaddr_in *)&cookiecache[ninitiator].iaddr;
#ifdef HAVE_SOCKADDR_SA_LEN
		sin->sin_len = sizeof(struct sockaddr_in);
#endif
		sin->sin_family = AF_INET;
		memcpy(&sin->sin_addr, &ip->ip_src, sizeof(ip->ip_src));
		sin = (struct sockaddr_in *)&cookiecache[ninitiator].raddr;
#ifdef HAVE_SOCKADDR_SA_LEN
		sin->sin_len = sizeof(struct sockaddr_in);
#endif
		sin->sin_family = AF_INET;
		memcpy(&sin->sin_addr, &ip->ip_dst, sizeof(ip->ip_dst));
		break;
#ifdef INET6
	case 6:
		memset(&cookiecache[ninitiator].iaddr, 0,
			sizeof(cookiecache[ninitiator].iaddr));
		memset(&cookiecache[ninitiator].raddr, 0,
			sizeof(cookiecache[ninitiator].raddr));

		ip6 = (struct ip6_hdr *)bp2;
		sin6 = (struct sockaddr_in6 *)&cookiecache[ninitiator].iaddr;
#ifdef HAVE_SOCKADDR_SA_LEN
		sin6->sin6_len = sizeof(struct sockaddr_in6);
#endif
		sin6->sin6_family = AF_INET6;
		memcpy(&sin6->sin6_addr, &ip6->ip6_src, sizeof(ip6->ip6_src));
		sin6 = (struct sockaddr_in6 *)&cookiecache[ninitiator].raddr;
#ifdef HAVE_SOCKADDR_SA_LEN
		sin6->sin6_len = sizeof(struct sockaddr_in6);
#endif
		sin6->sin6_family = AF_INET6;
		memcpy(&sin6->sin6_addr, &ip6->ip6_dst, sizeof(ip6->ip6_dst));
		break;
#endif
	default:
		return;
	}
	/* the cookie is stored last, so a slot is only ever "complete" */
	memcpy(&cookiecache[ninitiator].initiator, in, sizeof(*in));
	ninitiator = (ninitiator + 1) % MAXINITIATORS;
}
847
/* Was the packet at y sent by the initiator / responder of cache slot x? */
#define cookie_isinitiator(x, y)	cookie_sidecheck((x), (y), 1)
#define cookie_isresponder(x, y)	cookie_sidecheck((x), (y), 0)
/*
 * Compare the source address of the IP packet at bp2 with the address
 * recorded in cookiecache[i]: iaddr when initiator is non-zero, raddr
 * otherwise.  Returns 1 on a match; 0 when the addresses differ, when
 * the address families differ, or when the packet is neither IPv4 nor
 * IPv6.  i must be a valid slot index (e.g. from cookie_find()); it is
 * not range-checked here.
 */
static int
cookie_sidecheck(int i, const u_char *bp2, int initiator)
{
	struct sockaddr_storage ss;
	struct sockaddr *sa;
	struct ip *ip;
	struct sockaddr_in *sin;
#ifdef INET6
	struct ip6_hdr *ip6;
	struct sockaddr_in6 *sin6;
#endif
	int salen;

	/* build a zeroed sockaddr for the packet's source so that memcmp()
	 * against the (also zero-filled) cached entry is meaningful */
	memset(&ss, 0, sizeof(ss));
	ip = (struct ip *)bp2;
	switch (IP_V(ip)) {
	case 4:
		sin = (struct sockaddr_in *)&ss;
#ifdef HAVE_SOCKADDR_SA_LEN
		sin->sin_len = sizeof(struct sockaddr_in);
#endif
		sin->sin_family = AF_INET;
		memcpy(&sin->sin_addr, &ip->ip_src, sizeof(ip->ip_src));
		break;
#ifdef INET6
	case 6:
		ip6 = (struct ip6_hdr *)bp2;
		sin6 = (struct sockaddr_in6 *)&ss;
#ifdef HAVE_SOCKADDR_SA_LEN
		sin6->sin6_len = sizeof(struct sockaddr_in6);
#endif
		sin6->sin6_family = AF_INET6;
		memcpy(&sin6->sin6_addr, &ip6->ip6_src, sizeof(ip6->ip6_src));
		break;
#endif
	default:
		return 0;
	}

	sa = (struct sockaddr *)&ss;
	if (initiator) {
		if (sa->sa_family != ((struct sockaddr *)&cookiecache[i].iaddr)->sa_family)
			return 0;
		/* without sa_len the compare length comes from the family;
		 * sizeof(struct sockaddr) is used for AF_INET (presumably
		 * equal to sizeof(struct sockaddr_in) on the targets) */
#ifdef HAVE_SOCKADDR_SA_LEN
		salen = sa->sa_len;
#else
#ifdef INET6
		if (sa->sa_family == AF_INET6)
			salen = sizeof(struct sockaddr_in6);
		else
			salen = sizeof(struct sockaddr);
#else
		salen = sizeof(struct sockaddr);
#endif
#endif
		if (memcmp(&ss, &cookiecache[i].iaddr, salen) == 0)
			return 1;
	} else {
		if (sa->sa_family != ((struct sockaddr *)&cookiecache[i].raddr)->sa_family)
			return 0;
#ifdef HAVE_SOCKADDR_SA_LEN
		salen = sa->sa_len;
#else
#ifdef INET6
		if (sa->sa_family == AF_INET6)
			salen = sizeof(struct sockaddr_in6);
		else
			salen = sizeof(struct sockaddr);
#else
		salen = sizeof(struct sockaddr);
#endif
#endif
		if (memcmp(&ss, &cookiecache[i].raddr, salen) == 0)
			return 1;
	}
	return 0;
}
927
/*
 * Print len octets starting at loc as lowercase hex, two digits per
 * octet, with no separators.  No bounds checking is done here; use
 * rawprint() when the data may extend past the captured packet.
 */
static void
hexprint(netdissect_options *ndo, caddr_t loc, size_t len)
{
	const u_char *cur = (const u_char *)loc;
	const u_char *stop = cur + len;

	while (cur < stop) {
		ND_PRINT((ndo,"%02x", *cur & 0xff));
		cur++;
	}
}
938
/*
 * Bounds-checked hex dump: print len octets at loc unless they extend
 * past the captured data.  Returns 1 on success; returns 0 without
 * printing anything when ND_TCHECK2 finds the capture truncated.
 */
static int
rawprint(netdissect_options *ndo, caddr_t loc, size_t len)
{
	ND_TCHECK2(*loc, len);

	hexprint(ndo, loc, len);
	return 1;
trunc:
	return 0;
}
949
950
/*
 * Print an abbreviated hex dump of [cp, ep): at most the first 10 octets,
 * then "...", then at most the last 20 octets.  When the range is short
 * the tail is shortened (or dropped) so that it does not overlap the head.
 * Returns 1 on success, 0 if rawprint() ran out of captured data.
 */
static int ike_show_somedata(struct netdissect_options *ndo,
			     const u_char *cp, const u_char *ep)
{
	int head_len = ep - cp;
	const u_char *tail = ep - 20;
	int tail_len = 20;

	if (head_len > 10)
		head_len = 10;

	/* keep the tail strictly after the head */
	if (tail < cp + head_len) {
		tail = cp + head_len;
		tail_len = ep - tail;
	}

	ND_PRINT((ndo," data=("));
	if (!rawprint(ndo, (caddr_t)cp, head_len))
		goto trunc;
	ND_PRINT((ndo, "..."));
	if (tail_len != 0 && !rawprint(ndo, (caddr_t)tail, tail_len))
		goto trunc;
	ND_PRINT((ndo,")"));
	return 1;

trunc:
	return 0;
}
983
/* Name table for one attribute type: 'type' is the attribute's name,
 * value[v] the name of value v for v < nvalue.  ikev1_attrmap_print()
 * indexes value[] by v < nvalue only, so every table must keep
 * nvalue <= 30 (the XXX marks the fixed size). */
struct attrmap {
	const char *type;
	u_int nvalue;
	const char *value[30];	/*XXX*/
};
989
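/*
 * Print one IKEv1 data attribute (RFC 2408 3.3) at p, naming its type
 * and value from map[] (nmap entries; may be NULL) where possible.
 * Returns a pointer just past the attribute.  If even the 4-octet
 * attribute header, or the whole attribute, does not fit before ep or
 * within the captured data, prints "[|attr]" and returns ep + 1 so that
 * the caller's scan stops.
 */
static const u_char *
ikev1_attrmap_print(netdissect_options *ndo,
		    const u_char *p, const u_char *ep,
		    const struct attrmap *map, size_t nmap)
{
	const u_int16_t *q;
	int totlen;
	u_int32_t t, v;

	/* the header (AF|type, length-or-value) is read below; make sure
	 * all 4 octets are inside the payload and the capture first */
	if (ep < p + 4) {
		ND_PRINT((ndo,"[|attr]"));
		return ep + 1;
	}
	ND_TCHECK2(*p, 4);

	q = (const u_int16_t *)p;
	/* AF bit set: type/value form, the value is the second 16 bits;
	 * AF bit clear: type/length/value form, the second 16 bits are
	 * the length of the value that follows the header */
	if (p[0] & 0x80)
		totlen = 4;
	else
		totlen = 4 + EXTRACT_16BITS(&q[1]);
	if (ep < p + totlen) {
		ND_PRINT((ndo,"[|attr]"));
		return ep + 1;
	}

	ND_PRINT((ndo,"("));
	t = EXTRACT_16BITS(&q[0]) & 0x7fff;
	if (map && t < nmap && map[t].type)
		ND_PRINT((ndo,"type=%s ", map[t].type));
	else
		ND_PRINT((ndo,"type=#%u ", t));
	if (p[0] & 0x80) {
		ND_PRINT((ndo,"value="));
		v = EXTRACT_16BITS(&q[1]);
		if (map && t < nmap && v < map[t].nvalue && map[t].value[v])
			ND_PRINT((ndo,"%s", map[t].value[v]));
		else
			rawprint(ndo, (caddr_t)&q[1], 2);
	} else {
		ND_PRINT((ndo,"len=%d value=", EXTRACT_16BITS(&q[1])));
		rawprint(ndo, (caddr_t)&p[4], EXTRACT_16BITS(&q[1]));
	}
	ND_PRINT((ndo,")"));
	return p + totlen;

trunc:
	ND_PRINT((ndo,"[|attr]"));
	return ep + 1;
}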
1029
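/*
 * Print one IKEv1 data attribute (RFC 2408 3.3) at p without a name
 * table: the numeric type and the raw value.  Returns a pointer just
 * past the attribute.  If the 4-octet header, or the whole attribute,
 * does not fit before ep or within the captured data, prints "[|attr]"
 * and returns ep + 1 so that the caller's scan stops.
 */
static const u_char *
ikev1_attr_print(netdissect_options *ndo, const u_char *p, const u_char *ep)
{
	const u_int16_t *q;
	int totlen;
	u_int32_t t;

	/* the header is read below; make sure all 4 octets are inside
	 * the payload and the capture first */
	if (ep < p + 4) {
		ND_PRINT((ndo,"[|attr]"));
		return ep + 1;
	}
	ND_TCHECK2(*p, 4);

	q = (const u_int16_t *)p;
	/* AF bit set: type/value form; clear: type/length/value form */
	if (p[0] & 0x80)
		totlen = 4;
	else
		totlen = 4 + EXTRACT_16BITS(&q[1]);
	if (ep < p + totlen) {
		ND_PRINT((ndo,"[|attr]"));
		return ep + 1;
	}

	ND_PRINT((ndo,"("));
	t = EXTRACT_16BITS(&q[0]) & 0x7fff;
	ND_PRINT((ndo,"type=#%u ", t));
	if (p[0] & 0x80) {
		ND_PRINT((ndo,"value="));
		rawprint(ndo, (caddr_t)&q[1], 2);
	} else {
		/* the value starts after the 2-octet length field, i.e. at
		 * offset 4 -- the same place ikev1_attrmap_print() reads it */
		ND_PRINT((ndo,"len=%d value=", EXTRACT_16BITS(&q[1])));
		rawprint(ndo, (caddr_t)&p[4], EXTRACT_16BITS(&q[1]));
	}
	ND_PRINT((ndo,")"));
	return p + totlen;

trunc:
	ND_PRINT((ndo,"[|attr]"));
	return ep + 1;
}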
1061
/*
 * Print an IKEv1 Security Association payload: DOI and situation, and for
 * the IPsec DOI (doi 1) the situation flags by name, the 32-bit identifier
 * that follows when the situation is not identity-only, and then the
 * Proposal payloads through ikev1_sub_print().
 *
 * Returns ikev1_sub_print()'s result, the byte after the SA header for a
 * non-IPsec DOI, or NULL after printing "[|SA]" on a short capture.
 *
 * NOTE(review): the identifier is copied from ext + 1, i.e. 4 bytes into
 * the payload, while the cursor is advanced past sizeof(sa); confirm
 * against struct ikev1_pl_sa that this reads the intended field.
 */
static const u_char *
ikev1_sa_print(netdissect_options *ndo, u_char tpay _U_,
	       const struct isakmp_gen *ext,
		u_int item_len _U_,
		const u_char *ep, u_int32_t phase, u_int32_t doi0 _U_,
		u_int32_t proto0, int depth)
{
	const struct ikev1_pl_sa *hdr = (const struct ikev1_pl_sa *)ext;
	struct ikev1_pl_sa sa;
	u_int32_t doi, sit, ident;
	const u_char *next;
	const struct isakmp_gen *prop;
	const char *sep = "";

	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_SA)));

	ND_TCHECK(*hdr);
	safememcpy(&sa, ext, sizeof(sa));
	doi = ntohl(sa.doi);
	sit = ntohl(sa.sit);
	if (doi != 1) {
		/* not the IPsec DOI: nothing is known about what follows */
		ND_PRINT((ndo," doi=%d", doi));
		ND_PRINT((ndo," situation=%u", sit));
		return (const u_char *)(hdr + 1);
	}

	ND_PRINT((ndo," doi=ipsec"));
	ND_PRINT((ndo," situation="));
	/* sep becomes "+" once a flag name has been printed */
	if (sit & 0x01) {
		ND_PRINT((ndo,"identity"));
		sep = "+";
	}
	if (sit & 0x02) {
		ND_PRINT((ndo,"%ssecrecy", sep));
		sep = "+";
	}
	if (sit & 0x04)
		ND_PRINT((ndo,"%sintegrity", sep));

	next = (const u_char *)ext + sizeof(sa);
	if (sit != 0x01) {
		ND_TCHECK2(*(ext + 1), sizeof(ident));
		safememcpy(&ident, ext + 1, sizeof(ident));
		ND_PRINT((ndo," ident=%u", (u_int32_t)ntohl(ident)));
		next += sizeof(ident);
	}

	prop = (const struct isakmp_gen *)next;
	ND_TCHECK(*prop);

	return ikev1_sub_print(ndo, ISAKMP_NPTYPE_P, prop, ep, phase, doi, proto0,
			       depth);
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_SA)));
	return NULL;
}
1121
/*
 * Print an IKEv1 Proposal payload: proposal number, protocol id, number of
 * transforms and the SPI, then hand the Transform payloads that follow the
 * SPI to ikev1_sub_print().
 *
 * Returns ikev1_sub_print()'s result, or NULL after printing "[|P]" when
 * the header, the SPI or the first transform header is not captured.
 */
static const u_char *
ikev1_p_print(netdissect_options *ndo, u_char tpay _U_,
	      const struct isakmp_gen *ext, u_int item_len _U_,
	      const u_char *ep, u_int32_t phase, u_int32_t doi0,
	      u_int32_t proto0 _U_, int depth)
{
	const struct ikev1_pl_p *hdr = (const struct ikev1_pl_p *)ext;
	struct ikev1_pl_p pl;
	const u_char *spi;
	const struct isakmp_gen *sub;

	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_P)));

	ND_TCHECK(*hdr);
	safememcpy(&pl, ext, sizeof(pl));
	ND_PRINT((ndo," #%d protoid=%s transform=%d",
		  pl.p_no, PROTOIDSTR(pl.prot_id), pl.num_t));

	/* a variable-size SPI sits between the fixed header and the transforms */
	spi = (const u_char *)(hdr + 1);
	if (pl.spi_size != 0) {
		ND_PRINT((ndo," spi="));
		if (!rawprint(ndo, (caddr_t)spi, pl.spi_size))
			goto trunc;
	}

	sub = (const struct isakmp_gen *)(spi + pl.spi_size);
	ND_TCHECK(*sub);

	/* the transforms are qualified by this proposal's protocol id */
	return ikev1_sub_print(ndo, ISAKMP_NPTYPE_T, sub, ep, phase, doi0,
			       pl.prot_id, depth);
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_P)));
	return NULL;
}
1156
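/* IKEv1 transform ids for protocol 1 (ISAKMP), indexed by t_id. */
static const char *ikev1_p_map[] = {
	NULL, "ike",
};

/* IKEv2 transform types (t_type), used by ikev2_t_print(). */
static const char *ikev2_t_type_map[]={
	NULL, "encr", "prf", "integ", "dh", "esn"
};

/* IKEv1 transform ids for protocol 2 (AH). */
static const char *ah_p_map[] = {
	NULL, "(reserved)", "md5", "sha", "1des",
	"sha2-256", "sha2-384", "sha2-512",
};

/* IKEv2 PRF transform ids. */
static const char *prf_p_map[] = {
	NULL, "hmac-md5", "hmac-sha", "hmac-tiger",
	"aes128_xcbc"
};

/* IKEv2 integrity transform ids. */
static const char *integ_p_map[] = {
	NULL, "hmac-md5", "hmac-sha", "dec-mac",
	"kpdk-md5", "aes-xcbc"
};

/* IKEv2 extended sequence number transform ids. */
static const char *esn_p_map[] = {
	"no-esn", "esn"
};

/* Diffie-Hellman group names by group number (IKEv2 DH transforms and KE payloads). */
static const char *dh_p_map[] = {
	NULL, "modp768",
	"modp1024",		/* group 2 */
	"EC2N 2^155",		/* group 3 */
	"EC2N 2^185",		/* group 4 */
	"modp1536",		/* group 5 */
	"iana-grp06", "iana-grp07",	/* reserved */
	"iana-grp08", "iana-grp09",
	"iana-grp10", "iana-grp11",
	"iana-grp12", "iana-grp13",
	"modp2048",		/* group 14 */
	"modp3072",		/* group 15 */
	"modp4096",		/* group 16 */
	"modp6144",		/* group 17 */
	"modp8192",		/* group 18 */
};

/* IKEv1 transform ids for protocol 3 (ESP) and IKEv2 ENCR transform ids. */
static const char *esp_p_map[] = {
	NULL, "1des-iv64", "1des", "3des", "rc5", "idea", "cast",
	"blowfish", "3idea", "1des-iv32", "rc4", "null", "aes"
};

/* IKEv1 transform ids for protocol 4 (IPCOMP). */
static const char *ipcomp_p_map[] = {
	NULL, "oui", "deflate", "lzs",
};

/*
 * Attribute tables, indexed by attribute type.  nvalue is the number of
 * entries of value[] that may be consulted: ikev1_attrmap_print() names a
 * value v only when v < nvalue and value[v] is non-NULL, otherwise it
 * prints the value raw.
 */

/* Attributes of IPsec DOI transforms (AH, ESP, IPCOMP). */
static const struct attrmap ipsec_t_map[] = {
	{ NULL, 0, { NULL } },
	{ "lifetype", 3, { NULL, "sec", "kb", }, },
	{ "life", 0, { NULL } },
	/*
	 * 19 entries: index 18 is "modp8192" (group 18).  nvalue must be 19
	 * for group 18 to be named; with 18 it is printed raw.
	 */
	{ "group desc", 19, { NULL, "modp768",
				"modp1024",		/* group 2 */
				"EC2N 2^155",		/* group 3 */
				"EC2N 2^185",		/* group 4 */
				"modp1536",		/* group 5 */
				"iana-grp06", "iana-grp07",	/* reserved */
				"iana-grp08", "iana-grp09",
				"iana-grp10", "iana-grp11",
				"iana-grp12", "iana-grp13",
				"modp2048",		/* group 14 */
				"modp3072",		/* group 15 */
				"modp4096",		/* group 16 */
				"modp6144",		/* group 17 */
				"modp8192",		/* group 18 */
		}, },
	{ "enc mode", 3, { NULL, "tunnel", "transport", }, },
	{ "auth", 5, { NULL, "hmac-md5", "hmac-sha1", "1des-mac", "keyed", }, },
	{ "keylen", 0, { NULL } },
	{ "rounds", 0, { NULL } },
	{ "dictsize", 0, { NULL } },
	{ "privalg", 0, { NULL } },
};

/* Attributes of IKEv2 ENCR transforms: only type 14 (key length) has a name. */
static const struct attrmap encr_t_map[] = {
	{ NULL, 0, { NULL } }, { NULL, 0, { NULL } },	/* 0, 1 */
	{ NULL, 0, { NULL } }, { NULL, 0, { NULL } },	/* 2, 3 */
	{ NULL, 0, { NULL } }, { NULL, 0, { NULL } },	/* 4, 5 */
	{ NULL, 0, { NULL } }, { NULL, 0, { NULL } },	/* 6, 7 */
	{ NULL, 0, { NULL } }, { NULL, 0, { NULL } },	/* 8, 9 */
	{ NULL, 0, { NULL } }, { NULL, 0, { NULL } },	/* 10,11*/
	{ NULL, 0, { NULL } }, { NULL, 0, { NULL } },	/* 12,13*/
	/* every value[] entry is NULL, so a key length is always printed raw */
	{ "keylen", 14, { NULL }},
};

/*
 * Attributes of ISAKMP (Oakley) transforms; also used for the attribute
 * list carried by RESPONDER-LIFETIME notifications (see ikev1_n_print()).
 */
static const struct attrmap oakley_t_map[] = {
	{ NULL, 0, { NULL } },
	{ "enc", 8, { NULL, "1des", "idea", "blowfish", "rc5",
		      "3des", "cast", "aes", }, },
	{ "hash", 7, { NULL, "md5", "sha1", "tiger",
		       "sha2-256", "sha2-384", "sha2-512", }, },
	{ "auth", 6, { NULL, "preshared", "dss", "rsa sig", "rsa enc",
		       "rsa enc revised", }, },
	/* 19 entries, as in ipsec_t_map: nvalue 19 makes group 18 nameable */
	{ "group desc", 19, { NULL, "modp768",
				"modp1024",		/* group 2 */
				"EC2N 2^155",		/* group 3 */
				"EC2N 2^185",		/* group 4 */
				"modp1536",		/* group 5 */
				"iana-grp06", "iana-grp07",	/* reserved */
				"iana-grp08", "iana-grp09",
				"iana-grp10", "iana-grp11",
				"iana-grp12", "iana-grp13",
				"modp2048",		/* group 14 */
				"modp3072",		/* group 15 */
				"modp4096",		/* group 16 */
				"modp6144",		/* group 17 */
				"modp8192",		/* group 18 */
		}, },
	{ "group type", 4, { NULL, "MODP", "ECP", "EC2N", }, },
	{ "group prime", 0, { NULL } },
	{ "group gen1", 0, { NULL } },
	{ "group gen2", 0, { NULL } },
	{ "group curve A", 0, { NULL } },
	{ "group curve B", 0, { NULL } },
	{ "lifetype", 3, { NULL, "sec", "kb", }, },
	{ "lifeduration", 0, { NULL } },
	{ "prf", 0, { NULL } },
	{ "keylen", 0, { NULL } },
	{ "field", 0, { NULL } },
	{ "order", 0, { NULL } },
};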
1284
/*
 * Print an IKEv1 Transform payload: transform number and id (named
 * according to the proposal's protocol id), followed by every attribute
 * that fits within both the payload (item_len) and ep.  Protocol 1 uses
 * the Oakley attribute table, protocols 2-4 the IPsec DOI one; any other
 * protocol gets unnamed attributes.
 *
 * Returns the position after the last attribute printed; "..." is added
 * when the payload extends past ep.  NULL after printing "[|T]" when the
 * transform header is not captured.
 */
static const u_char *
ikev1_t_print(netdissect_options *ndo, u_char tpay _U_,
	      const struct isakmp_gen *ext, u_int item_len,
	      const u_char *ep, u_int32_t phase _U_, u_int32_t doi _U_,
	      u_int32_t proto, int depth _U_)
{
	const struct ikev1_pl_t *hdr = (const struct ikev1_pl_t *)ext;
	struct ikev1_pl_t tr;
	const u_char *cur, *end, *lim;
	const char *idstr = NULL;
	const struct attrmap *amap = NULL;
	size_t namap = 0;

	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_T)));

	ND_TCHECK(*hdr);
	safememcpy(&tr, ext, sizeof(tr));

	/* both the transform-id name space and the attribute table follow proto */
	if (proto == 1) {
		idstr = STR_OR_ID(tr.t_id, ikev1_p_map);
		amap = oakley_t_map;
		namap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]);
	} else if (proto == 2 || proto == 3 || proto == 4) {
		if (proto == 2)
			idstr = STR_OR_ID(tr.t_id, ah_p_map);
		else if (proto == 3)
			idstr = STR_OR_ID(tr.t_id, esp_p_map);
		else
			idstr = STR_OR_ID(tr.t_id, ipcomp_p_map);
		amap = ipsec_t_map;
		namap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
	}

	if (idstr != NULL)
		ND_PRINT((ndo," #%d id=%s ", tr.t_no, idstr));
	else
		ND_PRINT((ndo," #%d id=%d ", tr.t_no, tr.t_id));

	cur = (const u_char *)(hdr + 1);
	end = (const u_char *)hdr + item_len;
	lim = (ep < end) ? ep : end;	/* attributes must fit in both bounds */
	while (cur < lim) {
		if (amap != NULL && namap != 0)
			cur = ikev1_attrmap_print(ndo, cur, lim, amap, namap);
		else
			cur = ikev1_attr_print(ndo, cur, lim);
	}
	if (ep < end)
		ND_PRINT((ndo,"..."));
	return cur;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_T)));
	return NULL;
}
1353
/*
 * Print an IKEv1 Key Exchange payload: the key data length (payload length
 * minus the 4-byte generic header) and, when the verbosity level is above
 * 2, the key data in hex.
 *
 * Returns the end of the payload (ext + its length field), or NULL after
 * printing "[|KE]" when the header or the dumped data is not captured.
 */
static const u_char *
ikev1_ke_print(netdissect_options *ndo, u_char tpay _U_,
	       const struct isakmp_gen *ext, u_int item_len _U_,
	       const u_char *ep _U_, u_int32_t phase _U_, u_int32_t doi _U_,
	       u_int32_t proto _U_, int depth _U_)
{
	struct isakmp_gen hdr;
	int paylen;

	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_KE)));

	ND_TCHECK(*ext);
	safememcpy(&hdr, ext, sizeof(hdr));
	paylen = ntohs(hdr.len);
	ND_PRINT((ndo," key len=%d", paylen - 4));
	if (ndo->ndo_vflag > 2 && paylen > 4) {
		ND_PRINT((ndo," "));
		if (!rawprint(ndo, (caddr_t)(ext + 1), paylen - 4))
			goto trunc;
	}
	return (const u_char *)ext + paylen;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_KE)));
	return NULL;
}
1377
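/*
 * Print an IKEv1 Identification payload.  In phase 1 (with
 * USE_IPSECDOI_IN_PHASE1 defined) and phase 2 the payload is an IPsec DOI
 * identification: id type, protocol id, port and type-specific data
 * (addresses, subnets, ranges or a name); for any other phase the generic
 * ISAKMP layout (id type plus 24 bits of DOI data) is printed.  Data that
 * was not decoded is reported by length and, above verbosity 2, dumped raw.
 *
 * Returns the end of the payload (ext + item_len), or NULL after printing
 * "[|ID]" when the capture is too short.
 */
static const u_char *
ikev1_id_print(netdissect_options *ndo, u_char tpay _U_,
	       const struct isakmp_gen *ext, u_int item_len _U_,
	       const u_char *ep _U_, u_int32_t phase, u_int32_t doi _U_,
	       u_int32_t proto _U_, int depth _U_)
{
#define USE_IPSECDOI_IN_PHASE1 1
	const struct ikev1_pl_id *p;
	struct ikev1_pl_id id;
	static const char *idtypestr[] = {
		"IPv4", "IPv4net", "IPv6", "IPv6net",
	};
	static const char *ipsecidtypestr[] = {
		NULL, "IPv4", "FQDN", "user FQDN", "IPv4net", "IPv6",
		"IPv6net", "IPv4range", "IPv6range", "ASN1 DN", "ASN1 GN",
		"keyid",
	};
	int len;
	const u_char *data;

	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_ID)));

	p = (const struct ikev1_pl_id *)ext;
	ND_TCHECK(*p);
	safememcpy(&id, ext, sizeof(id));
	/* whatever follows the fixed header is the identification data */
	if (sizeof(*p) < item_len) {
		data = (const u_char *)(p + 1);
		len = item_len - sizeof(*p);
	} else {
		data = NULL;
		len = 0;
	}

	switch (phase) {
#ifndef USE_IPSECDOI_IN_PHASE1
	case 1:
#endif
	default:
		ND_PRINT((ndo," idtype=%s", STR_OR_ID(id.d.id_type, idtypestr)));
		ND_PRINT((ndo," doi_data=%u",
			  (u_int32_t)(ntohl(id.d.doi_data) & 0xffffff)));
		break;

#ifdef USE_IPSECDOI_IN_PHASE1
	case 1:
#endif
	case 2:
	    {
		/* IPsec DOI identification; these shadow the generic p and id */
		const struct ipsecdoi_id *p;
		struct ipsecdoi_id id;
		struct protoent *pe;

		p = (const struct ipsecdoi_id *)ext;
		ND_TCHECK(*p);
		safememcpy(&id, ext, sizeof(id));
		ND_PRINT((ndo," idtype=%s", STR_OR_ID(id.type, ipsecidtypestr)));
		if (id.proto_id) {
#ifndef WIN32
			setprotoent(1);
#endif /* WIN32 */
			pe = getprotobynumber(id.proto_id);
			if (pe)
				ND_PRINT((ndo," protoid=%s", pe->p_name));
#ifndef WIN32
			endprotoent();
#endif /* WIN32 */
		} else {
			/* it DOES NOT mean IPPROTO_IP! */
			ND_PRINT((ndo," protoid=%s", "0"));
		}
		ND_PRINT((ndo," port=%d", ntohs(id.port)));
		if (!len)
			break;
		if (data == NULL)
			goto trunc;
		/* every per-type reader below must stay within these len bytes */
		ND_TCHECK2(*data, len);
		switch (id.type) {
		case IPSECDOI_ID_IPV4_ADDR:
			if (len < 4)
				ND_PRINT((ndo," len=%d [bad: < 4]", len));
			else
				ND_PRINT((ndo," len=%d %s", len, ipaddr_string(data)));
			len = 0;
			break;
		case IPSECDOI_ID_FQDN:
		case IPSECDOI_ID_USER_FQDN:
		    {
			int i;
			ND_PRINT((ndo," len=%d ", len));
			for (i = 0; i < len; i++)
				safeputchar(data[i]);
			len = 0;
			break;
		    }
		case IPSECDOI_ID_IPV4_ADDR_SUBNET:
		    {
			const u_char *mask;
			/* address (4) + mask (4) */
			if (len < 8)
				ND_PRINT((ndo," len=%d [bad: < 8]", len));
			else {
				mask = data + sizeof(struct in_addr);
				ND_PRINT((ndo," len=%d %s/%u.%u.%u.%u", len,
					  ipaddr_string(data),
					  mask[0], mask[1], mask[2], mask[3]));
			}
			len = 0;
			break;
		    }
#ifdef INET6
		case IPSECDOI_ID_IPV6_ADDR:
			if (len < 16)
				ND_PRINT((ndo," len=%d [bad: < 16]", len));
			else
				ND_PRINT((ndo," len=%d %s", len, ip6addr_string(data)));
			len = 0;
			break;
		case IPSECDOI_ID_IPV6_ADDR_SUBNET:
		    {
			const u_char *mask;
			/*
			 * address (16) + mask (16): the mask words are read from
			 * data+16..data+31, so 32 bytes are required (a 20-byte
			 * minimum would let the reads run past the bytes checked
			 * above).  They are read byte-wise with EXTRACT_32BITS:
			 * the packet is not aligned, and this prints the mask in
			 * network byte order on every host.
			 */
			if (len < 32)
				ND_PRINT((ndo," len=%d [bad: < 32]", len));
			else {
				mask = data + sizeof(struct in6_addr);
				ND_PRINT((ndo," len=%d %s/0x%08x%08x%08x%08x", len,
					  ip6addr_string(data),
					  EXTRACT_32BITS(mask),
					  EXTRACT_32BITS(mask + 4),
					  EXTRACT_32BITS(mask + 8),
					  EXTRACT_32BITS(mask + 12)));
			}
			len = 0;
			break;
		    }
#endif /*INET6*/
		case IPSECDOI_ID_IPV4_ADDR_RANGE:
			/* first address (4) + last address (4) */
			if (len < 8)
				ND_PRINT((ndo," len=%d [bad: < 8]", len));
			else {
				ND_PRINT((ndo," len=%d %s-%s", len,
					  ipaddr_string(data),
					  ipaddr_string(data + sizeof(struct in_addr))));
			}
			len = 0;
			break;
#ifdef INET6
		case IPSECDOI_ID_IPV6_ADDR_RANGE:
			/* first address (16) + last address (16) */
			if (len < 32)
				ND_PRINT((ndo," len=%d [bad: < 32]", len));
			else {
				ND_PRINT((ndo," len=%d %s-%s", len,
					  ip6addr_string(data),
					  ip6addr_string(data + sizeof(struct in6_addr))));
			}
			len = 0;
			break;
#endif /*INET6*/
		case IPSECDOI_ID_DER_ASN1_DN:
		case IPSECDOI_ID_DER_ASN1_GN:
		case IPSECDOI_ID_KEY_ID:
			/* not decoded; left to the generic length/raw dump below */
			break;
		}
		break;
	    }
	}
	if (data && len) {
		ND_PRINT((ndo," len=%d", len));
		if (2 < ndo->ndo_vflag) {
			ND_PRINT((ndo," "));
			if (!rawprint(ndo, (caddr_t)data, len))
				goto trunc;
		}
	}
	return (const u_char *)ext + item_len;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_ID)));
	return NULL;
}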
1556
/*
 * Print an IKEv1 Certificate payload: the certificate data length
 * (item_len minus the 4-byte header), the encoding by name and, above
 * verbosity 2, the certificate data in hex.
 *
 * Returns the end of the payload (ext + item_len), or NULL after printing
 * "[|CERT]" when the capture is too short.
 */
static const u_char *
ikev1_cert_print(netdissect_options *ndo, u_char tpay _U_,
		 const struct isakmp_gen *ext, u_int item_len _U_,
		 const u_char *ep _U_, u_int32_t phase _U_,
		 u_int32_t doi0 _U_,
		 u_int32_t proto0 _U_, int depth _U_)
{
	static const char *certstr[] = {
		"none", "pkcs7", "pgp", "dns",
		"x509sign", "x509ke", "kerberos", "crl",
		"arl", "spki", "x509attr",
	};
	const struct ikev1_pl_cert *hdr = (const struct ikev1_pl_cert *)ext;
	struct ikev1_pl_cert cert;

	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_CERT)));

	ND_TCHECK(*hdr);
	safememcpy(&cert, ext, sizeof(cert));
	ND_PRINT((ndo," len=%d", item_len - 4));
	ND_PRINT((ndo," type=%s", STR_OR_ID((cert.encode), certstr)));
	if (ndo->ndo_vflag > 2 && item_len > 4) {
		ND_PRINT((ndo," "));
		if (!rawprint(ndo, (caddr_t)(ext + 1), item_len - 4))
			goto trunc;
	}
	return (const u_char *)ext + item_len;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_CERT)));
	return NULL;
}
1589
/*
 * Print an IKEv1 Certificate Request payload.  It shares the Certificate
 * payload layout: data length (item_len minus the 4-byte header), the
 * encoding by name and, above verbosity 2, the data in hex.
 *
 * Returns the end of the payload (ext + item_len), or NULL after printing
 * "[|CR]" when the capture is too short.
 */
static const u_char *
ikev1_cr_print(netdissect_options *ndo, u_char tpay _U_,
	       const struct isakmp_gen *ext, u_int item_len _U_,
	       const u_char *ep _U_, u_int32_t phase _U_, u_int32_t doi0 _U_,
	       u_int32_t proto0 _U_, int depth _U_)
{
	static const char *certstr[] = {
		"none", "pkcs7", "pgp", "dns",
		"x509sign", "x509ke", "kerberos", "crl",
		"arl", "spki", "x509attr",
	};
	const struct ikev1_pl_cert *hdr = (const struct ikev1_pl_cert *)ext;
	struct ikev1_pl_cert cr;
	int verbose_dump;

	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_CR)));

	ND_TCHECK(*hdr);
	safememcpy(&cr, ext, sizeof(cr));
	ND_PRINT((ndo," len=%d", item_len - 4));
	ND_PRINT((ndo," type=%s", STR_OR_ID((cr.encode), certstr)));
	verbose_dump = (ndo->ndo_vflag > 2) && (item_len > 4);
	if (verbose_dump) {
		ND_PRINT((ndo," "));
		if (!rawprint(ndo, (caddr_t)(ext + 1), item_len - 4))
			goto trunc;
	}
	return (const u_char *)ext + item_len;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_CR)));
	return NULL;
}
1621
/*
 * Print an IKEv1 Hash payload: the hash length (payload length minus the
 * 4-byte generic header) and, above verbosity 2, the hash bytes in hex.
 *
 * Returns the end of the payload (ext + its length field), or NULL after
 * printing "[|HASH]" when the capture is too short.
 */
static const u_char *
ikev1_hash_print(netdissect_options *ndo, u_char tpay _U_,
		 const struct isakmp_gen *ext, u_int item_len _U_,
		 const u_char *ep _U_, u_int32_t phase _U_, u_int32_t doi _U_,
		 u_int32_t proto _U_, int depth _U_)
{
	struct isakmp_gen hdr;
	int datalen;

	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_HASH)));

	ND_TCHECK(*ext);
	safememcpy(&hdr, ext, sizeof(hdr));
	datalen = ntohs(hdr.len) - 4;
	ND_PRINT((ndo," len=%d", datalen));
	if (datalen > 0 && ndo->ndo_vflag > 2) {
		ND_PRINT((ndo," "));
		if (!rawprint(ndo, (caddr_t)(ext + 1), datalen))
			goto trunc;
	}
	return (const u_char *)ext + 4 + datalen;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_HASH)));
	return NULL;
}
1645
/*
 * Print an IKEv1 Signature payload: the signature length (payload length
 * minus the 4-byte generic header) and, above verbosity 2, the signature
 * bytes in hex.
 *
 * Returns the end of the payload (ext + its length field), or NULL after
 * printing "[|SIG]" when the capture is too short.
 */
static const u_char *
ikev1_sig_print(netdissect_options *ndo, u_char tpay _U_,
		const struct isakmp_gen *ext, u_int item_len _U_,
		const u_char *ep _U_, u_int32_t phase _U_, u_int32_t doi _U_,
		u_int32_t proto _U_, int depth _U_)
{
	struct isakmp_gen hdr;
	int total;

	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_SIG)));

	ND_TCHECK(*ext);
	safememcpy(&hdr, ext, sizeof(hdr));
	total = ntohs(hdr.len);
	ND_PRINT((ndo," len=%d", total - 4));
	if (total > 4 && ndo->ndo_vflag > 2) {
		ND_PRINT((ndo," "));
		if (!rawprint(ndo, (caddr_t)(ext + 1), total - 4))
			goto trunc;
	}
	return (const u_char *)ext + total;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_SIG)));
	return NULL;
}
1669
/*
 * Print an IKEv1 Nonce payload: the nonce length (payload length minus the
 * 4-byte generic header); above verbosity 2 the whole nonce in hex, at
 * verbosity 2 a shortened view through ike_show_somedata().
 *
 * Returns the end of the payload (ext + its length field), or NULL after
 * printing "[|NONCE]" when the capture is too short.
 */
static const u_char *
ikev1_nonce_print(netdissect_options *ndo, u_char tpay _U_,
		  const struct isakmp_gen *ext,
		  u_int item_len _U_,
		  const u_char *ep _U_,
		  u_int32_t phase _U_, u_int32_t doi _U_,
		  u_int32_t proto _U_, int depth _U_)
{
	struct isakmp_gen hdr;
	const u_char *body;
	int paylen;

	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_NONCE)));

	ND_TCHECK(*ext);
	safememcpy(&hdr, ext, sizeof(hdr));
	paylen = ntohs(hdr.len);
	body = (const u_char *)(ext + 1);
	ND_PRINT((ndo," n len=%d", paylen - 4));
	if (paylen > 4) {
		if (ndo->ndo_vflag > 2) {
			ND_PRINT((ndo," "));
			if (!rawprint(ndo, (caddr_t)body, paylen - 4))
				goto trunc;
		} else if (ndo->ndo_vflag > 1) {
			ND_PRINT((ndo," "));
			if (!ike_show_somedata(ndo, (u_char *)body, ep))
				goto trunc;
		}
	}
	return (const u_char *)ext + paylen;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_NONCE)));
	return NULL;
}
1699
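/*
 * Print an IKEv1 Notification payload: DOI, protocol id, notify type and
 * SPI, then for the IPsec DOI the notification data ("orig=(...)"), whose
 * format depends on the notify type: an attribute list for
 * RESPONDER-LIFETIME, a 32-bit flag for REPLAY-STATUS, an SA payload for
 * NO-PROPOSAL-CHOSEN and an ISAKMP message otherwise.
 *
 * Returns the end of the payload (ext + item_len) for the IPsec DOI, the
 * end of the SPI for other DOIs, or NULL after printing "[|N]" when the
 * capture runs out (also when the embedded SA could not be printed, in
 * which case nothing further is printed here).
 */
static const u_char *
ikev1_n_print(netdissect_options *ndo, u_char tpay _U_,
	      const struct isakmp_gen *ext, u_int item_len,
	      const u_char *ep, u_int32_t phase, u_int32_t doi0 _U_,
	      u_int32_t proto0 _U_, int depth)
{
	const struct ikev1_pl_n *p;
	struct ikev1_pl_n n;
	const u_char *cp;
	const u_char *ep2;
	u_int32_t doi;
	u_int32_t proto;
	static const char *notify_error_str[] = {
		NULL,				"INVALID-PAYLOAD-TYPE",
		"DOI-NOT-SUPPORTED",		"SITUATION-NOT-SUPPORTED",
		"INVALID-COOKIE",		"INVALID-MAJ OR-VERSION",
		"INVALID-MINOR-VERSION",	"INVALID-EXCHANGE-TYPE",
		"INVALID-FLAGS",		"INVALID-MESSAGE-ID",
		"INVALID-PROTOCOL-ID",		"INVALID-SPI",
		"INVALID-TRANSFORM-ID",		"ATTRIBUTES-NOT-SUPPORTED",
		"NO-PROPOSAL-CHOSEN",		"BAD-PROPOSAL-SYNTAX",
		"PAYLOAD-MALFORMED",		"INVALID-KEY-INFORMATION",
		"INVALID-ID-INFORMATION",	"INVALID-CERT-ENCODING",
		"INVALID-CERTIFICATE",		"CERT-TYPE-UNSUPPORTED",
		"INVALID-CERT-AUTHORITY",	"INVALID-HASH-INFORMATION",
		"AUTHENTICATION-FAILED",	"INVALID-SIGNATURE",
		"ADDRESS-NOTIFICATION",		"NOTIFY-SA-LIFETIME",
		"CERTIFICATE-UNAVAILABLE",	"UNSUPPORTED-EXCHANGE-TYPE",
		"UNEQUAL-PAYLOAD-LENGTHS",
	};
	static const char *ipsec_notify_error_str[] = {
		"RESERVED",
	};
	static const char *notify_status_str[] = {
		"CONNECTED",
	};
	static const char *ipsec_notify_status_str[] = {
		"RESPONDER-LIFETIME", "REPLAY-STATUS",
		"INITIAL-CONTACT",
	};
/* NOTE: these macro must be called with x in proper range */

/* 0 - 8191 */
#define NOTIFY_ERROR_STR(x) \
	STR_OR_ID((x), notify_error_str)

/* 8192 - 16383 */
#define IPSEC_NOTIFY_ERROR_STR(x) \
	STR_OR_ID((u_int)((x) - 8192), ipsec_notify_error_str)

/* 16384 - 24575 */
#define NOTIFY_STATUS_STR(x) \
	STR_OR_ID((u_int)((x) - 16384), notify_status_str)

/* 24576 - 32767 */
#define IPSEC_NOTIFY_STATUS_STR(x) \
	STR_OR_ID((u_int)((x) - 24576), ipsec_notify_status_str)

	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_N)));

	p = (const struct ikev1_pl_n *)ext;
	ND_TCHECK(*p);
	safememcpy(&n, ext, sizeof(n));
	doi = ntohl(n.doi);
	proto = n.prot_id;
	if (doi != 1) {
		/* not the IPsec DOI: only the generic ISAKMP type names apply */
		ND_PRINT((ndo," doi=%d", doi));
		ND_PRINT((ndo," proto=%d", proto));
		if (ntohs(n.type) < 8192)
			ND_PRINT((ndo," type=%s", NOTIFY_ERROR_STR(ntohs(n.type))));
		else if (ntohs(n.type) < 16384)
			ND_PRINT((ndo," type=%s", numstr(ntohs(n.type))));
		else if (ntohs(n.type) < 24576)
			ND_PRINT((ndo," type=%s", NOTIFY_STATUS_STR(ntohs(n.type))));
		else
			ND_PRINT((ndo," type=%s", numstr(ntohs(n.type))));
		if (n.spi_size) {
			ND_PRINT((ndo," spi="));
			if (!rawprint(ndo, (caddr_t)(p + 1), n.spi_size))
				goto trunc;
		}
		return (const u_char *)(p + 1) + n.spi_size;
	}

	ND_PRINT((ndo," doi=ipsec"));
	ND_PRINT((ndo," proto=%s", PROTOIDSTR(proto)));
	if (ntohs(n.type) < 8192)
		ND_PRINT((ndo," type=%s", NOTIFY_ERROR_STR(ntohs(n.type))));
	else if (ntohs(n.type) < 16384)
		ND_PRINT((ndo," type=%s", IPSEC_NOTIFY_ERROR_STR(ntohs(n.type))));
	else if (ntohs(n.type) < 24576)
		ND_PRINT((ndo," type=%s", NOTIFY_STATUS_STR(ntohs(n.type))));
	else if (ntohs(n.type) < 32768)
		ND_PRINT((ndo," type=%s", IPSEC_NOTIFY_STATUS_STR(ntohs(n.type))));
	else
		ND_PRINT((ndo," type=%s", numstr(ntohs(n.type))));
	if (n.spi_size) {
		ND_PRINT((ndo," spi="));
		if (!rawprint(ndo, (caddr_t)(p + 1), n.spi_size))
			goto trunc;
	}

	/* the notification data follows the SPI and ends with the payload */
	cp = (const u_char *)(p + 1) + n.spi_size;
	ep2 = (const u_char *)p + item_len;

	if (cp < ep) {
		ND_PRINT((ndo," orig=("));
		switch (ntohs(n.type)) {
		case IPSECDOI_NTYPE_RESPONDER_LIFETIME:
		    {
			/* the data is a list of Oakley lifetime attributes */
			const struct attrmap *map = oakley_t_map;
			size_t nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]);
			while (cp < ep && cp < ep2) {
				cp = ikev1_attrmap_print(ndo, cp,
					(ep < ep2) ? ep : ep2, map, nmap);
			}
			break;
		    }
		case IPSECDOI_NTYPE_REPLAY_STATUS:
			/*
			 * The status is a 32-bit word.  "cp < ep" only shows
			 * one byte is left, so check the capture for all four
			 * and read them byte-wise (cp is not aligned).  Only
			 * zero versus non-zero matters, so byte order does not.
			 */
			ND_TCHECK2(*cp, 4);
			ND_PRINT((ndo,"replay detection %sabled",
				  EXTRACT_32BITS(cp) ? "en" : "dis"));
			break;
		case ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN:
			if (ikev1_sub_print(ndo, ISAKMP_NPTYPE_SA,
			    (const struct isakmp_gen *)cp, ep, phase, doi, proto,
			    depth) == NULL)
				return NULL;
			break;
		default:
			/*
			 * The data is an ISAKMP message whose length is what is
			 * left of the payload after header and SPI; that only
			 * exists when item_len covers both, otherwise the
			 * unsigned subtraction would wrap to a huge length.
			 */
			if (item_len < sizeof(*p) + n.spi_size)
				goto trunc;
			/* NULL is dummy */
			isakmp_print(ndo, cp,
				     item_len - sizeof(*p) - n.spi_size,
				     NULL);
		}
		ND_PRINT((ndo,")"));
	}
	return (const u_char *)ext + item_len;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_N)));
	return NULL;
}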
1840
/*
 * Print an IKEv1 Delete payload: DOI, protocol id, SPI size, SPI count and
 * every SPI in hex, comma separated.
 *
 * Returns the byte after the last SPI, or NULL after printing "[|D]" when
 * the header or one of the SPIs is not captured.
 */
static const u_char *
ikev1_d_print(netdissect_options *ndo, u_char tpay _U_,
	      const struct isakmp_gen *ext, u_int item_len _U_,
	      const u_char *ep _U_, u_int32_t phase _U_, u_int32_t doi0 _U_,
	      u_int32_t proto0 _U_, int depth _U_)
{
	const struct ikev1_pl_d *hdr = (const struct ikev1_pl_d *)ext;
	struct ikev1_pl_d del;
	const u_int8_t *spi;
	u_int32_t doi, proto;
	u_int nspi, idx;

	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_D)));

	ND_TCHECK(*hdr);
	safememcpy(&del, ext, sizeof(del));
	doi = ntohl(del.doi);
	proto = del.prot_id;
	if (doi == 1) {
		ND_PRINT((ndo," doi=ipsec"));
		ND_PRINT((ndo," proto=%s", PROTOIDSTR(proto)));
	} else {
		ND_PRINT((ndo," doi=%u", doi));
		ND_PRINT((ndo," proto=%u", proto));
	}
	nspi = ntohs(del.num_spi);
	ND_PRINT((ndo," spilen=%u", del.spi_size));
	ND_PRINT((ndo," nspi=%u", nspi));
	ND_PRINT((ndo," spi="));
	/* the SPIs are packed back to back after the header, spi_size bytes each */
	spi = (const u_int8_t *)(hdr + 1);
	for (idx = 0; idx < nspi; idx++, spi += del.spi_size) {
		if (idx > 0)
			ND_PRINT((ndo,","));
		if (!rawprint(ndo, (caddr_t)spi, del.spi_size))
			goto trunc;
	}
	return spi;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_D)));
	return NULL;
}
1884
/*
 * Print an IKEv1 Vendor ID payload: the vendor id length (payload length
 * minus the 4-byte generic header) and, above verbosity 2, its bytes in
 * hex.
 *
 * Returns the end of the payload (ext + its length field), or NULL after
 * printing "[|VID]" when the capture is too short.
 */
static const u_char *
ikev1_vid_print(netdissect_options *ndo, u_char tpay _U_,
		const struct isakmp_gen *ext,
		u_int item_len _U_, const u_char *ep _U_,
		u_int32_t phase _U_, u_int32_t doi _U_,
		u_int32_t proto _U_, int depth _U_)
{
	struct isakmp_gen hdr;
	int total, want_dump;

	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_VID)));

	ND_TCHECK(*ext);
	safememcpy(&hdr, ext, sizeof(hdr));
	total = ntohs(hdr.len);
	ND_PRINT((ndo," len=%d", total - 4));
	want_dump = (ndo->ndo_vflag > 2) && (total > 4);
	if (want_dump) {
		ND_PRINT((ndo," "));
		if (!rawprint(ndo, (caddr_t)(ext + 1), total - 4))
			goto trunc;
	}
	return (const u_char *)ext + total;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_VID)));
	return NULL;
}
1909
1910 /************************************************************/
1911 /* */
1912 /* IKE v2 - rfc4306 - dissector */
1913 /* */
1914 /************************************************************/
1915
/*
 * Print an IKEv2 payload name, followed by "[C]" when the critical bit
 * (0x80 of the flags byte) is set, and a colon.
 */
static void
ikev2_pay_print(netdissect_options *ndo, const char *payname, int critical)
{
	const char *crit_mark = (critical & 0x80) ? "[C]" : "";

	ND_PRINT((ndo,"%s%s:", payname, crit_mark));
}
1921
/*
 * Generic IKEv2 payload printer: the payload name (with the critical
 * mark), the data length (payload length minus the 4-byte generic header)
 * and, above verbosity 2, the data in hex.
 *
 * Returns the end of the payload (ext + its length field), or NULL after
 * printing "[|<name>]" when the capture is too short.
 */
static const u_char *
ikev2_gen_print(netdissect_options *ndo, u_char tpay,
		const struct isakmp_gen *ext)
{
	struct isakmp_gen hdr;
	int paylen;

	ND_TCHECK(*ext);
	safememcpy(&hdr, ext, sizeof(hdr));
	ikev2_pay_print(ndo, NPSTR(tpay), hdr.critical);

	paylen = ntohs(hdr.len);
	ND_PRINT((ndo," len=%d", paylen - 4));
	if (ndo->ndo_vflag > 2 && paylen > 4) {
		ND_PRINT((ndo," "));
		if (!rawprint(ndo, (caddr_t)(ext + 1), paylen - 4))
			goto trunc;
	}
	return (const u_char *)ext + paylen;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
	return NULL;
}
1943
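/*
 * Print an IKEv2 Transform substructure: its ordinal (pcount), transform
 * type and id (named per type), followed by every attribute that fits
 * within both the substructure (item_len) and ep.  Only ENCR transforms
 * get a name table for their attributes (the key length); the others are
 * printed with ikev1_attr_print().
 *
 * Returns the position after the last attribute printed; "..." is added
 * when the substructure extends past ep.  NULL after printing "[|T]" when
 * the transform header is not captured.
 */
static const u_char *
ikev2_t_print(netdissect_options *ndo, u_char tpay _U_, int pcount,
	      const struct isakmp_gen *ext, u_int item_len,
	      const u_char *ep, u_int32_t phase _U_, u_int32_t doi _U_,
	      u_int32_t proto _U_, int depth _U_)
{
	const struct ikev2_t *p;
	struct ikev2_t t;
	u_int16_t t_id;
	const u_char *cp;
	const char *idstr;
	const struct attrmap *map;
	size_t nmap;
	const u_char *ep2;

	p = (const struct ikev2_t *)ext;
	ND_TCHECK(*p);
	safememcpy(&t, ext, sizeof(t));
	ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_T), t.h.critical);

	/* host-order copy of the transform id; t.t_id stays in network order */
	t_id = ntohs(t.t_id);

	map = NULL;
	nmap = 0;

	switch (t.t_type) {
	case IV2_T_ENCR:
		idstr = STR_OR_ID(t_id, esp_p_map);
		map = encr_t_map;
		nmap = sizeof(encr_t_map)/sizeof(encr_t_map[0]);
		break;

	case IV2_T_PRF:
		idstr = STR_OR_ID(t_id, prf_p_map);
		break;

	case IV2_T_INTEG:
		idstr = STR_OR_ID(t_id, integ_p_map);
		break;

	case IV2_T_DH:
		idstr = STR_OR_ID(t_id, dh_p_map);
		break;

	case IV2_T_ESN:
		idstr = STR_OR_ID(t_id, esn_p_map);
		break;

	default:
		idstr = NULL;
		break;
	}

	if (idstr)
		ND_PRINT((ndo," #%u type=%s id=%s ", pcount,
			  STR_OR_ID(t.t_type, ikev2_t_type_map),
			  idstr));
	else
		/* print the converted id, not the raw network-order field */
		ND_PRINT((ndo," #%u type=%s id=%u ", pcount,
			  STR_OR_ID(t.t_type, ikev2_t_type_map),
			  t_id));
	cp = (const u_char *)(p + 1);
	ep2 = (const u_char *)p + item_len;
	while (cp < ep && cp < ep2) {
		if (map && nmap) {
			cp = ikev1_attrmap_print(ndo, cp, (ep < ep2) ? ep : ep2,
				map, nmap);
		} else
			cp = ikev1_attr_print(ndo, cp, (ep < ep2) ? ep : ep2);
	}
	if (ep < ep2)
		ND_PRINT((ndo,"..."));
	return cp;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_T)));
	return NULL;
}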
2021
/*
 * Print an IKEv2 Proposal substructure: proposal number, protocol id,
 * transform count, length and SPI, then hand the Transform substructures
 * that follow the SPI to ikev2_sub_print().
 *
 * Returns ikev2_sub_print()'s result, or NULL after printing "[|P]" when
 * the header, the SPI or the first transform header is not captured.
 */
static const u_char *
ikev2_p_print(netdissect_options *ndo, u_char tpay _U_, int pcount _U_,
	      const struct isakmp_gen *ext, u_int item_len _U_,
	      const u_char *ep, u_int32_t phase, u_int32_t doi0,
	      u_int32_t proto0 _U_, int depth)
{
	const struct ikev2_p *hdr = (const struct ikev2_p *)ext;
	struct ikev2_p pl;
	const u_char *spi;
	const struct isakmp_gen *sub;

	ND_TCHECK(*hdr);
	safememcpy(&pl, ext, sizeof(pl));
	ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_P), pl.h.critical);

	ND_PRINT((ndo," #%u protoid=%s transform=%d len=%u",
		  pl.p_no, PROTOIDSTR(pl.prot_id),
		  pl.num_t, ntohs(pl.h.len)));
	spi = (const u_char *)(hdr + 1);
	if (pl.spi_size != 0) {
		ND_PRINT((ndo," spi="));
		if (!rawprint(ndo, (caddr_t)spi, pl.spi_size))
			goto trunc;
	}

	/* the transforms start right after the SPI */
	sub = (const struct isakmp_gen *)(spi + pl.spi_size);
	ND_TCHECK(*sub);

	return ikev2_sub_print(ndo, NULL, ISAKMP_NPTYPE_T, sub, ep, phase, doi0,
			       pl.prot_id, depth);
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_P)));
	return NULL;
}
2057
/*
 * Print an IKEv2 Security Association payload: the "sa" name with its
 * critical mark and the length of the proposals, then the Proposal
 * substructures through ikev2_sub_print() (whose result is not used here:
 * the caller advances by the SA's own length).
 *
 * Returns the end of the payload (ext1 + its length field), or NULL after
 * printing "[|<name>]" when the header is not captured.
 */
static const u_char *
ikev2_sa_print(netdissect_options *ndo, u_char tpay,
		const struct isakmp_gen *ext1,
		u_int item_len _U_, const u_char *ep _U_,
		u_int32_t phase _U_, u_int32_t doi _U_,
		u_int32_t proto _U_, int depth _U_)
{
	struct isakmp_gen hdr;
	int total;

	ND_TCHECK(*ext1);
	safememcpy(&hdr, ext1, sizeof(hdr));
	ikev2_pay_print(ndo, "sa", hdr.critical);

	total = ntohs(hdr.len);
	ND_PRINT((ndo," len=%d", total - 4));

	/* phase, doi and proto are not meaningful for IKEv2 proposals: passed as 0 */
	ikev2_sub_print(ndo, NULL, ISAKMP_NPTYPE_P,
			ext1 + 1, ep,
			0, 0, 0, depth);

	return (const u_char *)ext1 + total;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
	return NULL;
}
2085
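/*
 * Print an IKEv2 Key Exchange payload: the key data length (payload length
 * minus the 8-byte KE header), the Diffie-Hellman group by name and, above
 * verbosity 2, the key data in hex.
 *
 * Returns the end of the payload (ext + its length field), or NULL after
 * printing "[|<name>]" when the capture is too short.
 */
static const u_char *
ikev2_ke_print(netdissect_options *ndo, u_char tpay,
		const struct isakmp_gen *ext,
		u_int item_len _U_, const u_char *ep _U_,
		u_int32_t phase _U_, u_int32_t doi _U_,
		u_int32_t proto _U_, int depth _U_)
{
	struct ikev2_ke ke;
	const struct ikev2_ke *k;

	k = (const struct ikev2_ke *)ext;
	/*
	 * sizeof(ke) bytes are copied out below, so the capture check has
	 * to cover the whole KE header; checking only the 4-byte generic
	 * header (*ext) would leave the group field unchecked.
	 */
	ND_TCHECK(*k);
	safememcpy(&ke, ext, sizeof(ke));
	ikev2_pay_print(ndo, NPSTR(tpay), ke.h.critical);

	ND_PRINT((ndo," len=%u group=%s", ntohs(ke.h.len) - 8,
		  STR_OR_ID(ntohs(ke.ke_group), dh_p_map)));

	if (2 < ndo->ndo_vflag && 8 < ntohs(ke.h.len)) {
		ND_PRINT((ndo," "));
		if (!rawprint(ndo, (caddr_t)(k + 1), ntohs(ke.h.len) - 8))
			goto trunc;
	}
	return (const u_char *)ext + ntohs(ke.h.len);
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
	return NULL;
}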
2114
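/*
 * Print an IKEv2 Identification payload: the data length (payload length
 * minus the 4-byte generic header), above verbosity 2 a hex dump of
 * everything after that header, then the id type and the identification
 * data itself: as text for FQDN and RFC822 ids, in hex for addresses,
 * DER names and key ids.
 *
 * Returns the end of the payload (ext + its length field), or NULL after
 * printing "[|<name>]" when the capture is too short or the payload is
 * shorter than its own header.
 */
static const u_char *
ikev2_ID_print(netdissect_options *ndo, u_char tpay,
		const struct isakmp_gen *ext,
		u_int item_len _U_, const u_char *ep _U_,
		u_int32_t phase _U_, u_int32_t doi _U_,
		u_int32_t proto _U_, int depth _U_)
{
	struct ikev2_id id;
	int id_len, idtype_len, i;
	unsigned int dumpascii, dumphex;
	const unsigned char *typedata;

	/*
	 * The whole ikev2_id header is copied out, so the capture check
	 * must cover sizeof(id), not only the 4-byte generic header.
	 */
	ND_TCHECK2(*ext, sizeof(id));
	safememcpy(&id, ext, sizeof(id));
	ikev2_pay_print(ndo, NPSTR(tpay), id.h.critical);

	id_len = ntohs(id.h.len);

	ND_PRINT((ndo," len=%d", id_len - 4));
	if (2 < ndo->ndo_vflag && 4 < id_len) {
		ND_PRINT((ndo," "));
		if (!rawprint(ndo, (caddr_t)(ext + 1), id_len - 4))
			goto trunc;
	}

	/*
	 * A payload length below the fixed header would make idtype_len
	 * negative and feed a wrapped size to the dumps below.
	 */
	if (id_len < (int)sizeof(struct ikev2_id))
		goto trunc;
	idtype_len = id_len - (int)sizeof(struct ikev2_id);
	dumpascii = 0;
	dumphex = 0;
	typedata = (const unsigned char *)ext + sizeof(struct ikev2_id);

	switch (id.type) {
	case ID_IPV4_ADDR:
		ND_PRINT((ndo, " ipv4:"));
		dumphex = 1;
		break;
	case ID_FQDN:
		ND_PRINT((ndo, " fqdn:"));
		dumpascii = 1;
		break;
	case ID_RFC822_ADDR:
		ND_PRINT((ndo, " rfc822:"));
		dumpascii = 1;
		break;
	case ID_IPV6_ADDR:
		ND_PRINT((ndo, " ipv6:"));
		dumphex = 1;
		break;
	case ID_DER_ASN1_DN:
		ND_PRINT((ndo, " dn:"));
		dumphex = 1;
		break;
	case ID_DER_ASN1_GN:
		ND_PRINT((ndo, " gn:"));
		dumphex = 1;
		break;
	case ID_KEY_ID:
		ND_PRINT((ndo, " keyid:"));
		dumphex = 1;
		break;
	default:
		/* unknown id type: nothing beyond the generic dump above */
		break;
	}

	if (dumpascii) {
		/* textual id: non-printable bytes are shown as '.' */
		ND_TCHECK2(*typedata, idtype_len);
		for (i = 0; i < idtype_len; i++) {
			if (isprint(typedata[i]))
				ND_PRINT((ndo, "%c", typedata[i]));
			else
				ND_PRINT((ndo, "."));
		}
	}
	if (dumphex) {
		if (!rawprint(ndo, (caddr_t)typedata, idtype_len))
			goto trunc;
	}

	return (const u_char *)ext + id_len;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
	return NULL;
}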
2196
/*
 * Dissect an IKEv2 Certificate payload.  No type-specific decoding is
 * done: the payload is shown through the generic printer.  Every
 * parameter other than ndo, tpay and ext is part of the shared npfunc
 * signature and is unused here.
 */
static const u_char *
ikev2_cert_print(netdissect_options *ndo, u_char tpay,
		const struct isakmp_gen *ext,
		u_int item_len _U_, const u_char *ep _U_,
		u_int32_t phase _U_, u_int32_t doi _U_,
		u_int32_t proto _U_, int depth _U_)
{
	const u_char *next;

	next = ikev2_gen_print(ndo, tpay, ext);
	return next;
}
2206
/*
 * Dissect an IKEv2 Certificate Request payload.  No type-specific
 * decoding is done: the payload is shown through the generic printer.
 * Every parameter other than ndo, tpay and ext is part of the shared
 * npfunc signature and is unused here.
 */
static const u_char *
ikev2_cr_print(netdissect_options *ndo, u_char tpay,
		const struct isakmp_gen *ext,
		u_int item_len _U_, const u_char *ep _U_,
		u_int32_t phase _U_, u_int32_t doi _U_,
		u_int32_t proto _U_, int depth _U_)
{
	const u_char *next;

	next = ikev2_gen_print(ndo, tpay, ext);
	return next;
}
2216
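/*
 * Dissect an IKEv2 Authentication payload.
 *
 * The fixed part is a struct ikev2_auth (generic header, auth method
 * and reserved bytes); the authentication data follows it.  At -vv the
 * data is dumped in full, at -v only a prefix of it is shown via
 * ike_show_somedata().  Only ndo, tpay, ext and ep are used; the other
 * parameters belong to the common npfunc signature.
 *
 * Returns a pointer just past the payload, or NULL (after printing a
 * truncation marker) if the payload is shorter than its fixed part or
 * does not fit in the captured data.
 */
static const u_char *
ikev2_auth_print(netdissect_options *ndo, u_char tpay,
		const struct isakmp_gen *ext,
		u_int item_len _U_, const u_char *ep _U_,
		u_int32_t phase _U_, u_int32_t doi _U_,
		u_int32_t proto _U_, int depth _U_)
{
	struct ikev2_auth a;
	static const char *v2_auth[] = { "invalid", "rsasig",
					 "shared-secret", "dsssig" };
	const u_char *authdata = (const u_char *)ext + sizeof(a);
	u_int len;

	/*
	 * Bounds-check the whole fixed part, not just the 4-byte generic
	 * header: safememcpy() below copies sizeof(a) bytes.
	 */
	ND_TCHECK2(*ext, sizeof(a));
	safememcpy(&a, ext, sizeof(a));
	ikev2_pay_print(ndo, NPSTR(tpay), a.h.critical);
	len = ntohs(a.h.len);

	/*
	 * The payload cannot be shorter than its fixed part; without this
	 * check "len - sizeof(a)" below would wrap to a huge length.
	 */
	if (len < sizeof(a))
		goto trunc;

	ND_PRINT((ndo," len=%u method=%s", len - 4,
		  STR_OR_ID(a.auth_method, v2_auth)));

	/* Authentication data is present only beyond the fixed part. */
	if (1 < ndo->ndo_vflag && sizeof(a) < len) {
		ND_PRINT((ndo," authdata=("));
		if (!rawprint(ndo, (caddr_t)authdata, (u_int)(len - sizeof(a))))
			goto trunc;
		ND_PRINT((ndo,") "));
	} else if (ndo->ndo_vflag && sizeof(a) < len) {
		if (!ike_show_somedata(ndo, authdata, ep))
			goto trunc;
	}

	return (u_char *)ext + len;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
	return NULL;
}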
2252
/*
 * Dissect an IKEv2 Nonce payload: a generic header followed by the
 * nonce bytes.  At -vv the nonce is dumped in full, at -v only a prefix
 * is shown via ike_show_somedata().  Only ndo, ext and ep are used; the
 * other parameters belong to the common npfunc signature.
 *
 * Returns a pointer just past the payload, or NULL (after printing a
 * truncation marker) if the payload does not fit in the captured data.
 */
static const u_char *
ikev2_nonce_print(netdissect_options *ndo, u_char tpay,
		const struct isakmp_gen *ext,
		u_int item_len _U_, const u_char *ep _U_,
		u_int32_t phase _U_, u_int32_t doi _U_,
		u_int32_t proto _U_, int depth _U_)
{
	struct isakmp_gen e;
	const u_char *nonce;
	int len;

	ND_TCHECK(*ext);
	safememcpy(&e, ext, sizeof(e));
	ikev2_pay_print(ndo, "nonce", e.critical);

	len = ntohs(e.len);
	nonce = (const u_char *)(ext + 1);

	/* The nonce is whatever follows the 4-byte generic header. */
	ND_PRINT((ndo," len=%d", len - 4));
	if (1 < ndo->ndo_vflag && 4 < len) {
		ND_PRINT((ndo," nonce=("));
		if (!rawprint(ndo, (caddr_t)nonce, len - 4))
			goto trunc;
		ND_PRINT((ndo,") "));
	} else if (ndo->ndo_vflag && 4 < len) {
		if (!ike_show_somedata(ndo, nonce, ep))
			goto trunc;
	}

	return (u_char *)ext + len;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
	return NULL;
}
2281
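/* notify payloads */
/*
 * Dissect an IKEv2 Notify payload.
 *
 * The fixed part is a struct ikev2_n (generic header, protocol ID, SPI
 * size and notify type), followed by an SPI of spi_size bytes and then
 * the notification data.  Known notify types are mapped to a name;
 * unknown ones are classified by the error/status halves of the type
 * space and their private-use sub-ranges.
 *
 * The notification data is bounded by the payload's own length
 * (item_len), not by the end of the captured packet, so that payloads
 * following this one are never printed as if they were notify data.
 *
 * Returns a pointer just past the payload, or NULL (after printing a
 * truncation marker) if the payload is malformed or does not fit in the
 * captured data.
 */
static const u_char *
ikev2_n_print(netdissect_options *ndo, u_char tpay _U_,
		const struct isakmp_gen *ext,
		u_int item_len, const u_char *ep,
		u_int32_t phase _U_, u_int32_t doi _U_,
		u_int32_t proto _U_, int depth _U_)
{
	struct ikev2_n n;
	const struct ikev2_n *p;
	const u_char *cp, *payload_end;
	u_char showspi, showdata, showsomedata;
	const char *notify_name;
	u_int32_t type;

	p = (const struct ikev2_n *)ext;
	/* Checks the whole fixed part (sizeof(struct ikev2_n)). */
	ND_TCHECK(*p);
	safememcpy(&n, ext, sizeof(n));
	ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_N), n.h.critical);

	showspi = 1;
	showdata = 0;
	showsomedata = 0;
	notify_name = NULL;

	ND_PRINT((ndo," prot_id=%s", PROTOIDSTR(n.prot_id)));

	type = ntohs(n.type);

	/* notify space is annoying sparse */
	switch (type) {
	case IV2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD:
		notify_name = "unsupported_critical_payload";
		showspi = 0;
		break;

	case IV2_NOTIFY_INVALID_IKE_SPI:
		notify_name = "invalid_ike_spi";
		showspi = 1;
		break;

	case IV2_NOTIFY_INVALID_MAJOR_VERSION:
		notify_name = "invalid_major_version";
		showspi = 0;
		break;

	case IV2_NOTIFY_INVALID_SYNTAX:
		notify_name = "invalid_syntax";
		showspi = 1;
		break;

	case IV2_NOTIFY_INVALID_MESSAGE_ID:
		notify_name = "invalid_message_id";
		showspi = 1;
		break;

	case IV2_NOTIFY_INVALID_SPI:
		notify_name = "invalid_spi";
		showspi = 1;
		break;

	case IV2_NOTIFY_NO_PROPOSAL_CHOSEN:
		notify_name = "no_protocol_chosen";
		showspi = 1;
		break;

	case IV2_NOTIFY_INVALID_KE_PAYLOAD:
		notify_name = "invalid_ke_payload";
		showspi = 1;
		break;

	case IV2_NOTIFY_AUTHENTICATION_FAILED:
		notify_name = "authentication_failed";
		showspi = 1;
		break;

	case IV2_NOTIFY_SINGLE_PAIR_REQUIRED:
		notify_name = "single_pair_required";
		showspi = 1;
		break;

	case IV2_NOTIFY_NO_ADDITIONAL_SAS:
		notify_name = "no_additional_sas";
		showspi = 0;
		break;

	case IV2_NOTIFY_INTERNAL_ADDRESS_FAILURE:
		notify_name = "internal_address_failure";
		showspi = 0;
		break;

	case IV2_NOTIFY_FAILED_CP_REQUIRED:
		notify_name = "failed:cp_required";
		showspi = 0;
		break;

	case IV2_NOTIFY_INVALID_SELECTORS:
		notify_name = "invalid_selectors";
		showspi = 0;
		break;

	case IV2_NOTIFY_INITIAL_CONTACT:
		notify_name = "initial_contact";
		showspi = 0;
		break;

	case IV2_NOTIFY_SET_WINDOW_SIZE:
		notify_name = "set_window_size";
		showspi = 0;
		break;

	case IV2_NOTIFY_ADDITIONAL_TS_POSSIBLE:
		notify_name = "additional_ts_possible";
		showspi = 0;
		break;

	case IV2_NOTIFY_IPCOMP_SUPPORTED:
		notify_name = "ipcomp_supported";
		showspi = 0;
		break;

	case IV2_NOTIFY_NAT_DETECTION_SOURCE_IP:
		notify_name = "nat_detection_source_ip";
		showspi = 1;
		break;

	case IV2_NOTIFY_NAT_DETECTION_DESTINATION_IP:
		notify_name = "nat_detection_destination_ip";
		showspi = 1;
		break;

	case IV2_NOTIFY_COOKIE:
		/* Cookies are short: show them (partially) even at -v. */
		notify_name = "cookie";
		showspi = 1;
		showsomedata = 1;
		showdata = 0;
		break;

	case IV2_NOTIFY_USE_TRANSPORT_MODE:
		notify_name = "use_transport_mode";
		showspi = 0;
		break;

	case IV2_NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED:
		notify_name = "http_cert_lookup_supported";
		showspi = 0;
		break;

	case IV2_NOTIFY_REKEY_SA:
		notify_name = "rekey_sa";
		showspi = 1;
		break;

	case IV2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED:
		notify_name = "tfc_padding_not_supported";
		showspi = 0;
		break;

	case IV2_NOTIFY_NON_FIRST_FRAGMENTS_ALSO:
		notify_name = "non_first_fragment_also";
		showspi = 0;
		break;

	default:
		/*
		 * Unknown type: classify by range (error types below
		 * 16384, status types above; the upper half of each
		 * range is private use).
		 */
		if (type < 8192) {
			notify_name = "error";
		} else if (type < 16384) {
			notify_name = "private-error";
		} else if (type < 40960) {
			notify_name = "status";
		} else {
			notify_name = "private-status";
		}
		break;
	}

	if (notify_name) {
		ND_PRINT((ndo," type=%u(%s)", type, notify_name));
	}

	/*
	 * The SPI and the notification data must both lie inside this
	 * payload.  The caller has already verified that item_len bytes
	 * are captured, but clamp to ep anyway in case a caller has not.
	 */
	if (item_len < sizeof(n) + n.spi_size)
		goto trunc;
	payload_end = (const u_char *)ext + item_len;
	if (payload_end > ep)
		payload_end = ep;

	if (showspi && n.spi_size) {
		ND_PRINT((ndo," spi="));
		if (!rawprint(ndo, (caddr_t)(p + 1), n.spi_size))
			goto trunc;
	}

	/* Notification data starts right after the SPI. */
	cp = (const u_char *)(p + 1) + n.spi_size;

	if (3 < ndo->ndo_vflag) {
		showdata = 1;
	}

	/* Short "some data" payloads are shown in full; long ones as a prefix. */
	if ((showdata || (showsomedata && payload_end - cp < 30)) &&
	    cp < payload_end) {
		ND_PRINT((ndo," data=("));
		if (!rawprint(ndo, (caddr_t)cp, payload_end - cp))
			goto trunc;

		ND_PRINT((ndo,")"));

	} else if (showsomedata && cp < payload_end) {
		if (!ike_show_somedata(ndo, cp, payload_end))
			goto trunc;
	}

	return (u_char *)ext + item_len;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_N)));
	return NULL;
}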
2489
/*
 * Dissect an IKEv2 Delete payload.  No type-specific decoding is done:
 * the payload is shown through the generic printer.  Every parameter
 * other than ndo, tpay and ext is part of the shared npfunc signature
 * and is unused here.
 */
static const u_char *
ikev2_d_print(netdissect_options *ndo, u_char tpay,
		const struct isakmp_gen *ext,
		u_int item_len _U_, const u_char *ep _U_,
		u_int32_t phase _U_, u_int32_t doi _U_,
		u_int32_t proto _U_, int depth _U_)
{
	const u_char *next;

	next = ikev2_gen_print(ndo, tpay, ext);
	return next;
}
2499
/*
 * Dissect an IKEv2 Vendor ID payload: a generic header followed by the
 * vendor identification bytes.  The bytes are always shown as ASCII
 * (non-printable bytes as '.'); at -vvv they are additionally dumped
 * as hex.  Note that the -vvv threshold is applied to the data length
 * (total minus the 4-byte header), unlike the neighbouring printers,
 * which compare the whole payload length.
 *
 * Only ndo, tpay and ext are used; the other parameters belong to the
 * common npfunc signature.  Returns a pointer just past the payload, or
 * NULL (after printing a truncation marker) if the payload does not fit
 * in the captured data.
 */
static const u_char *
ikev2_vid_print(netdissect_options *ndo, u_char tpay,
		const struct isakmp_gen *ext,
		u_int item_len _U_, const u_char *ep _U_,
		u_int32_t phase _U_, u_int32_t doi _U_,
		u_int32_t proto _U_, int depth _U_)
{
	struct isakmp_gen e;
	const u_char *vid;
	int idx, datalen;

	ND_TCHECK(*ext);
	safememcpy(&e, ext, sizeof(e));
	ikev2_pay_print(ndo, NPSTR(tpay), e.critical);
	ND_PRINT((ndo," len=%d vid=", ntohs(e.len) - 4));

	vid = (const u_char *)(ext+1);
	datalen = ntohs(e.len) - 4;
	ND_TCHECK2(*vid, datalen);
	for (idx = 0; idx < datalen; idx++) {
		if (isprint(vid[idx]))
			ND_PRINT((ndo, "%c", vid[idx]));
		else
			ND_PRINT((ndo, "."));
	}
	if (2 < ndo->ndo_vflag && 4 < datalen) {
		ND_PRINT((ndo," "));
		if (!rawprint(ndo, (caddr_t)vid, datalen))
			goto trunc;
	}
	return (u_char *)ext + ntohs(e.len);
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
	return NULL;
}
2533
/*
 * Dissect an IKEv2 Traffic Selector payload.  No type-specific decoding
 * is done: the payload is shown through the generic printer.  Every
 * parameter other than ndo, tpay and ext is part of the shared npfunc
 * signature and is unused here.
 */
static const u_char *
ikev2_TS_print(netdissect_options *ndo, u_char tpay,
		const struct isakmp_gen *ext,
		u_int item_len _U_, const u_char *ep _U_,
		u_int32_t phase _U_, u_int32_t doi _U_,
		u_int32_t proto _U_, int depth _U_)
{
	const u_char *next;

	next = ikev2_gen_print(ndo, tpay, ext);
	return next;
}
2543
/*
 * Dissect an IKEv2 Encrypted (E) payload.
 *
 * The ciphertext is shown as an opaque blob.  When tcpdump is built
 * with libcrypto (HAVE_LIBCRYPTO), esp_print_decrypt_buffer_by_ikev2()
 * is asked to decrypt it using the SA identified by the initiator and
 * responder cookies of the ISAKMP header; on success the payloads found
 * inside are dissected recursively.  Without libcrypto the base, phase,
 * doi, proto and depth parameters are unused, hence the conditional
 * _U_ markers in the signature.
 *
 * Always returns NULL: the E payload is the last one in a message, and
 * its "next payload" field describes the first payload inside it, not
 * one that follows it.
 */
static const u_char *
ikev2_e_print(netdissect_options *ndo,
#ifndef HAVE_LIBCRYPTO
	      _U_
#endif
	      struct isakmp *base,
	      u_char tpay,
	      const struct isakmp_gen *ext,
	      u_int item_len _U_, const u_char *ep _U_,
#ifndef HAVE_LIBCRYPTO
	      _U_
#endif
	      u_int32_t phase,
#ifndef HAVE_LIBCRYPTO
	      _U_
#endif
	      u_int32_t doi,
#ifndef HAVE_LIBCRYPTO
	      _U_
#endif
	      u_int32_t proto,
#ifndef HAVE_LIBCRYPTO
	      _U_
#endif
	      int depth)
{
	struct isakmp_gen e;
	u_char *dat;
	/* NOTE(review): volatile, presumably to pin the value across the decrypt call — confirm. */
	volatile int dlen;

	ND_TCHECK(*ext);
	safememcpy(&e, ext, sizeof(e));
	ikev2_pay_print(ndo, NPSTR(tpay), e.critical);

	/* Length of the encrypted data after the 4-byte generic header. */
	dlen = ntohs(e.len)-4;

	ND_PRINT((ndo," len=%d", dlen));
	if (2 < ndo->ndo_vflag && 4 < dlen) {
		ND_PRINT((ndo," "));
		if (!rawprint(ndo, (caddr_t)(ext + 1), dlen))
			goto trunc;
	}

	dat = (u_char *)(ext+1);
	/* The whole ciphertext must be captured before attempting to decrypt it. */
	ND_TCHECK2(*dat, dlen);

#ifdef HAVE_LIBCRYPTO
	/* try to decrypt it! */
	if(esp_print_decrypt_buffer_by_ikev2(ndo,
					     base->flags & ISAKMP_FLAG_I,
					     base->i_ck, base->r_ck,
					     dat, dat+dlen)) {

		/*
		 * The plaintext is exposed through ndo->ndo_packetp;
		 * re-point ext at it.  ndo->ndo_snapend is passed as the
		 * new end pointer below, so it presumably now bounds the
		 * decrypted buffer as well — confirm in the decrypt routine.
		 */
		ext = (const struct isakmp_gen *)ndo->ndo_packetp;

		/* got it decrypted, print stuff inside. */
		ikev2_sub_print(ndo, base, e.np, ext, ndo->ndo_snapend,
				phase, doi, proto, depth+1);
	}
#endif


	/* always return NULL, because E must be at end, and NP refers
	 * to what was inside.
	 */
	return NULL;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
	return NULL;
}
2614
/*
 * Dissect an IKEv2 Configuration payload.  No type-specific decoding
 * is done: the payload is shown through the generic printer.  Every
 * parameter other than ndo, tpay and ext is part of the shared npfunc
 * signature and is unused here.
 */
static const u_char *
ikev2_cp_print(netdissect_options *ndo, u_char tpay,
		const struct isakmp_gen *ext,
		u_int item_len _U_, const u_char *ep _U_,
		u_int32_t phase _U_, u_int32_t doi _U_,
		u_int32_t proto _U_, int depth _U_)
{
	const u_char *next;

	next = ikev2_gen_print(ndo, tpay, ext);
	return next;
}
2624
/*
 * Dissect an IKEv2 EAP payload.  No type-specific decoding is done:
 * the payload is shown through the generic printer.  Every parameter
 * other than ndo, tpay and ext is part of the shared npfunc signature
 * and is unused here.
 */
static const u_char *
ikev2_eap_print(netdissect_options *ndo, u_char tpay,
		const struct isakmp_gen *ext,
		u_int item_len _U_, const u_char *ep _U_,
		u_int32_t phase _U_, u_int32_t doi _U_,
		u_int32_t proto _U_, int depth _U_)
{
	const u_char *next;

	next = ikev2_gen_print(ndo, tpay, ext);
	return next;
}
2634
/*
 * Dissect a single IKEv1 payload of type np starting at ext.
 *
 * The generic header is read first; a length of 4 or less is rejected
 * outright (NULL is returned without printing) because it could never
 * advance through the payload chain.  Payload types that have an entry
 * in the npfunc table are handed to their printer; others are only
 * named and skipped by their declared length.
 *
 * Returns a pointer to the next payload, or NULL if the payload is
 * nonsensical, truncated, or its printer failed.
 */
static const u_char *
ike_sub0_print(netdissect_options *ndo,
	 u_char np, const struct isakmp_gen *ext, const u_char *ep,
	 u_int32_t phase, u_int32_t doi, u_int32_t proto, int depth)
{
	struct isakmp_gen e;
	u_int item_len;
	const u_char *next;

	ND_TCHECK(*ext);
	safememcpy(&e, ext, sizeof(e));

	/*
	 * Since we can't have a payload length of less than 4 bytes,
	 * we need to bail out here if the generic header is nonsensical
	 * or truncated, otherwise we could loop forever processing
	 * zero-length items or otherwise misdissect the packet.
	 */
	item_len = ntohs(e.len);
	if (item_len <= 4)
		return NULL;

	if (!NPFUNC(np)) {
		/* No printer for this type: name it and step over it. */
		ND_PRINT((ndo,"%s", NPSTR(np)));
		next = (const u_char *)ext + item_len;
	} else {
		/*
		 * XXX - what if item_len is too short, or too long,
		 * for this payload type?
		 */
		next = (*npfunc[np])(ndo, np, ext, item_len, ep, phase, doi, proto, depth);
	}

	return next;
trunc:
	ND_PRINT((ndo," [|isakmp]"));
	return NULL;
}
2675
/*
 * Walk an IKEv1 payload chain, printing each payload on its own line,
 * indented by nesting depth and wrapped in parentheses.
 *
 * np is the type of the first payload at ext; each payload's generic
 * header names the next one, and a type of 0 ends the chain.  Every
 * payload is bounds-checked against the capture in full before it is
 * dissected.
 *
 * Returns a pointer just past the last payload, or NULL as soon as a
 * payload is truncated or ike_sub0_print() rejects one.
 */
static const u_char *
ikev1_sub_print(netdissect_options *ndo,
	 u_char np, const struct isakmp_gen *ext, const u_char *ep,
	 u_int32_t phase, u_int32_t doi, u_int32_t proto, int depth)
{
	const u_char *next = (const u_char *)ext;
	struct isakmp_gen e;
	int level;

	for (; np != 0; np = e.np, ext = (const struct isakmp_gen *)next) {
		ND_TCHECK(*ext);
		safememcpy(&e, ext, sizeof(e));
		/* The whole payload, not just its header, must be captured. */
		ND_TCHECK2(*ext, ntohs(e.len));

		/* One line per payload, indented one space per nesting level. */
		ND_PRINT((ndo,"\n"));
		for (level = 0; level <= depth; level++)
			ND_PRINT((ndo," "));
		ND_PRINT((ndo,"("));
		next = ike_sub0_print(ndo, np, ext, ep, phase, doi, proto, depth + 1);
		ND_PRINT((ndo,")"));

		if (next == NULL) {
			/* Zero-length subitem */
			return NULL;
		}
	}
	return next;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(np)));
	return NULL;
}
2716
/*
 * Format an integer as "#<n>", used when a lookup table has no name for
 * a value.  The result lives in a single static buffer, so it is
 * overwritten by the next call and the function is not reentrant.
 */
static char *
numstr(int x)
{
	enum { NUMSTR_BUFLEN = 20 };
	static char buf[NUMSTR_BUFLEN];

	(void)snprintf(buf, sizeof buf, "#%d", x);
	return buf;
}
2724
/*
 * Copy l bytes from q to p through a real function call.
 *
 * Some compilers optimise a direct memcpy() based on the alignment the
 * argument pointer types imply; the dissector copies header structs out
 * of unaligned packet buffers, so the copy is routed through this
 * function to avoid that optimisation.
 */
static void
safememcpy(void *p, const void *q, size_t l)
{
	(void)memcpy(p, q, l);
}
2735
/*
 * Dissect the body of an IKEv1 (ISAKMP major version 1) message.
 *
 * bp/length describe the message as seen on the wire, bp2 is the
 * enclosing packet (handed to the cookie_* helpers so they can tell
 * initiator from responder) and base is an aligned copy of the ISAKMP
 * header made by isakmp_print().
 *
 * Prints the exchange phase, an initiator/responder marker, the
 * exchange type and flags and, at -v, the payload chain.  Encrypted
 * messages (ISAKMP_FLAG_E) cannot be dissected and are only labelled.
 */
static void
ikev1_print(netdissect_options *ndo,
	    const u_char *bp, u_int length,
	    const u_char *bp2, struct isakmp *base)
{
	const struct isakmp *p;
	const u_char *ep;
	u_char np;
	int i;
	int phase;

	p = (const struct isakmp *)bp;
	ep = ndo->ndo_snapend;

	/* A zero message ID marks phase 1; anything else is phase 2 (or other). */
	phase = (EXTRACT_32BITS(base->msgid) == 0) ? 1 : 2;
	if (phase == 1)
		ND_PRINT((ndo," phase %d", phase));
	else
		ND_PRINT((ndo," phase %d/others", phase));

	/*
	 * Initiator/responder tracking by cookie: an initiator cookie we
	 * have not seen together with an all-zero responder cookie is the
	 * first packet of an exchange, so record it (when the caller gave
	 * us bp2 to key it by); otherwise consult the recorded entry.
	 */
	i = cookie_find(&base->i_ck);
	if (i < 0) {
		if (iszero((u_char *)&base->r_ck, sizeof(base->r_ck))) {
			/* the first packet */
			ND_PRINT((ndo," I"));
			if (bp2)
				cookie_record(&base->i_ck, bp2);
		} else
			ND_PRINT((ndo," ?"));
	} else {
		if (bp2 && cookie_isinitiator(i, bp2))
			ND_PRINT((ndo," I"));
		else if (bp2 && cookie_isresponder(i, bp2))
			ND_PRINT((ndo," R"));
		else
			ND_PRINT((ndo," ?"));
	}

	ND_PRINT((ndo," %s", ETYPESTR(base->etype)));
	/* Header flag bits: E = encryption, C = commit. */
	if (base->flags) {
		ND_PRINT((ndo,"[%s%s]", base->flags & ISAKMP_FLAG_E ? "E" : "",
			  base->flags & ISAKMP_FLAG_C ? "C" : ""));
	}

	if (ndo->ndo_vflag) {
		const struct isakmp_gen *ext;

		ND_PRINT((ndo,":"));

		/* regardless of phase... */
		if (base->flags & ISAKMP_FLAG_E) {
			/*
			 * encrypted, nothing we can do right now.
			 * we hope to decrypt the packet in the future...
			 */
			ND_PRINT((ndo," [encrypted %s]", NPSTR(base->np)));
			goto done;
		}

		/*
		 * NOTE(review): CHECKLEN is a macro defined elsewhere in the
		 * file; it presumably leaves this function when the first
		 * payload is not captured — confirm.
		 */
		CHECKLEN(p + 1, base->np);
		np = base->np;
		/* The payload chain starts right after the fixed header. */
		ext = (struct isakmp_gen *)(p + 1);
		ikev1_sub_print(ndo, np, ext, ep, phase, 0, 0, 0);
	}

done:
	/* Flag a header length that disagrees with what the IP layer gave us. */
	if (ndo->ndo_vflag) {
		if (ntohl(base->len) != length) {
			ND_PRINT((ndo," (len mismatch: isakmp %u/ip %u)",
				  (u_int32_t)ntohl(base->len), length));
		}
	}
}
2809
/*
 * Dissect a single IKEv2 payload of type np starting at ext.
 *
 * The generic header is read first; a length of 4 or less is rejected
 * outright (NULL is returned without printing) because it could never
 * advance through the payload chain.  Proposal, Transform and Encrypted
 * payloads need extra context (pcount or the ISAKMP header in base) and
 * are dispatched explicitly; other types with an entry in the npfunc
 * table go to their printer, and the rest are only named and skipped by
 * their declared length.
 *
 * Returns a pointer to the next payload, or NULL if the payload is
 * nonsensical, truncated, or its printer failed.
 */
static const u_char *
ikev2_sub0_print(netdissect_options *ndo, struct isakmp *base,
		 u_char np, int pcount,
		 const struct isakmp_gen *ext, const u_char *ep,
		 u_int32_t phase, u_int32_t doi, u_int32_t proto, int depth)
{
	struct isakmp_gen e;
	u_int item_len;
	const u_char *next;

	ND_TCHECK(*ext);
	safememcpy(&e, ext, sizeof(e));

	/*
	 * Since we can't have a payload length of less than 4 bytes,
	 * we need to bail out here if the generic header is nonsensical
	 * or truncated, otherwise we could loop forever processing
	 * zero-length items or otherwise misdissect the packet.
	 */
	item_len = ntohs(e.len);
	if (item_len <= 4)
		return NULL;

	switch (np) {
	case ISAKMP_NPTYPE_P:
		next = ikev2_p_print(ndo, np, pcount, ext, item_len,
				     ep, phase, doi, proto, depth);
		break;
	case ISAKMP_NPTYPE_T:
		next = ikev2_t_print(ndo, np, pcount, ext, item_len,
				     ep, phase, doi, proto, depth);
		break;
	case ISAKMP_NPTYPE_v2E:
		next = ikev2_e_print(ndo, base, np, ext, item_len,
				     ep, phase, doi, proto, depth);
		break;
	default:
		if (NPFUNC(np)) {
			/*
			 * XXX - what if item_len is too short, or too long,
			 * for this payload type?
			 */
			next = (*npfunc[np])(ndo, np, /*pcount,*/ ext, item_len,
					     ep, phase, doi, proto, depth);
		} else {
			/* No printer for this type: name it and step over it. */
			ND_PRINT((ndo,"%s", NPSTR(np)));
			next = (const u_char *)ext + item_len;
		}
		break;
	}

	return next;
trunc:
	ND_PRINT((ndo," [|isakmp]"));
	return NULL;
}
2860
/*
 * Walk an IKEv2 payload chain, printing each payload on its own line,
 * indented by nesting depth and wrapped in parentheses.
 *
 * np is the type of the first payload at ext; each payload's generic
 * header names the next one, and a type of 0 ends the chain.  A running
 * count of payloads seen (pcount) is passed down for the proposal and
 * transform printers.  Every payload is bounds-checked against the
 * capture in full before it is dissected.
 *
 * Returns a pointer just past the last payload, or NULL as soon as a
 * payload is truncated or ikev2_sub0_print() rejects one.
 */
static const u_char *
ikev2_sub_print(netdissect_options *ndo,
		struct isakmp *base,
		u_char np, const struct isakmp_gen *ext, const u_char *ep,
		u_int32_t phase, u_int32_t doi, u_int32_t proto, int depth)
{
	const u_char *next = (const u_char *)ext;
	struct isakmp_gen e;
	int pcount = 0;
	int level;

	for (; np != 0; np = e.np, ext = (const struct isakmp_gen *)next) {
		pcount++;
		ND_TCHECK(*ext);
		safememcpy(&e, ext, sizeof(e));
		/* The whole payload, not just its header, must be captured. */
		ND_TCHECK2(*ext, ntohs(e.len));

		/* One line per payload, indented one space per nesting level. */
		ND_PRINT((ndo,"\n"));
		for (level = 0; level <= depth; level++)
			ND_PRINT((ndo," "));
		ND_PRINT((ndo,"("));
		next = ikev2_sub0_print(ndo, base, np, pcount,
					ext, ep, phase, doi, proto, depth + 1);
		ND_PRINT((ndo,")"));

		if (next == NULL) {
			/* Zero-length subitem */
			return NULL;
		}
	}
	return next;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(np)));
	return NULL;
}
2905
/*
 * Dissect the body of an IKEv2 (ISAKMP major version 2) message.
 *
 * bp/length describe the message as seen on the wire, bp2 is the
 * enclosing packet (unused here) and base is an aligned copy of the
 * ISAKMP header made by isakmp_print().
 *
 * Prints whether the message belongs to the parent or a child SA, the
 * exchange type and flags and, at -v, the payload chain.  Messages
 * carrying ISAKMP_FLAG_E are only labelled here; decryption of the
 * Encrypted payload itself is attempted in ikev2_e_print().
 */
static void
ikev2_print(netdissect_options *ndo,
	    const u_char *bp, u_int length,
	    const u_char *bp2 _U_, struct isakmp *base)
{
	const struct isakmp *p;
	const u_char *ep;
	u_char np;
	int phase;

	p = (const struct isakmp *)bp;
	ep = ndo->ndo_snapend;

	/* A zero message ID is labelled as the parent SA, anything else as a child SA. */
	phase = (EXTRACT_32BITS(base->msgid) == 0) ? 1 : 2;
	if (phase == 1)
		ND_PRINT((ndo, " parent_sa"));
	else
		ND_PRINT((ndo, " child_sa "));

	ND_PRINT((ndo, " %s", ETYPESTR(base->etype)));
	/* Header flag bits: I = initiator, V = version, R = response. */
	if (base->flags) {
		ND_PRINT((ndo, "[%s%s%s]",
			  base->flags & ISAKMP_FLAG_I ? "I" : "",
			  base->flags & ISAKMP_FLAG_V ? "V" : "",
			  base->flags & ISAKMP_FLAG_R ? "R" : ""));
	}

	if (ndo->ndo_vflag) {
		const struct isakmp_gen *ext;

		ND_PRINT((ndo, ":"));

		/* regardless of phase... */
		if (base->flags & ISAKMP_FLAG_E) {
			/*
			 * encrypted, nothing we can do right now.
			 * we hope to decrypt the packet in the future...
			 */
			ND_PRINT((ndo, " [encrypted %s]", NPSTR(base->np)));
			goto done;
		}

		/*
		 * NOTE(review): CHECKLEN is a macro defined elsewhere in the
		 * file and is used here without a trailing semicolon (unlike
		 * the ikev1_print() call), so it presumably expands to a
		 * complete statement that leaves this function when the
		 * first payload is not captured — confirm.
		 */
		CHECKLEN(p + 1, base->np)

		np = base->np;
		/* The payload chain starts right after the fixed header. */
		ext = (struct isakmp_gen *)(p + 1);
		ikev2_sub_print(ndo, base, np, ext, ep, phase, 0, 0, 0);
	}

done:
	/* Flag a header length that disagrees with what the IP layer gave us. */
	if (ndo->ndo_vflag) {
		if (ntohl(base->len) != length) {
			ND_PRINT((ndo, " (len mismatch: isakmp %u/ip %u)",
				  (u_int32_t)ntohl(base->len), length));
		}
	}
}
2963
/*
 * Entry point for an ISAKMP/IKE packet.
 *
 * bp/length describe the packet as seen on the wire and bp2 is the
 * enclosing packet (passed on for initiator/responder tracking).  The
 * fixed ISAKMP header is checked against the capture and copied into an
 * aligned local, the common header fields (version, message ID and, at
 * -vv, the cookies) are printed, and the rest of the message is handed
 * to the IKEv1 or IKEv2 dissector according to the major version.
 * Unknown major versions get only the common header.
 */
void
isakmp_print(netdissect_options *ndo,
	     const u_char *bp, u_int length,
	     const u_char *bp2)
{
	const struct isakmp *hdr;
	struct isakmp base;
	const u_char *ep;
	int major, minor;

#ifdef HAVE_LIBCRYPTO
	/* initialize SAs */
	if (ndo->ndo_sa_list_head == NULL) {
		if (ndo->ndo_espsecret)
			esp_print_decodesecret(ndo);
	}
#endif

	hdr = (const struct isakmp *)bp;
	ep = ndo->ndo_snapend;

	/* The whole fixed header must be captured. */
	if ((const struct isakmp *)ep < hdr + 1) {
		ND_PRINT((ndo,"[|isakmp]"));
		return;
	}

	/* Aligned copy: the packet buffer offers no alignment guarantee. */
	safememcpy(&base, hdr, sizeof(base));

	ND_PRINT((ndo,"isakmp"));
	major = (base.vers & ISAKMP_VERS_MAJOR) >> ISAKMP_VERS_MAJOR_SHIFT;
	minor = (base.vers & ISAKMP_VERS_MINOR) >> ISAKMP_VERS_MINOR_SHIFT;

	if (ndo->ndo_vflag) {
		ND_PRINT((ndo," %d.%d", major, minor));
		ND_PRINT((ndo," msgid "));
		hexprint(ndo, (caddr_t)&base.msgid, sizeof(base.msgid));
	}

	if (1 < ndo->ndo_vflag) {
		ND_PRINT((ndo," cookie "));
		hexprint(ndo, (caddr_t)&base.i_ck, sizeof(base.i_ck));
		ND_PRINT((ndo,"->"));
		hexprint(ndo, (caddr_t)&base.r_ck, sizeof(base.r_ck));
	}
	ND_PRINT((ndo,":"));

	switch (major) {
	case IKEv1_MAJOR_VERSION:
		ikev1_print(ndo, bp, length, bp2, &base);
		break;

	case IKEv2_MAJOR_VERSION:
		ikev2_print(ndo, bp, length, bp2, &base);
		break;

	default:
		/* Unknown major version: only the common header is shown. */
		break;
	}
}
3025
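/*
 * Entry point for UDP-encapsulated IKE/ESP traffic (the NAT-traversal
 * port).  Three packet kinds are told apart by the first bytes:
 *
 *   - a single 0xff byte is a NAT keepalive;
 *   - a four-byte zero "non-ESP marker" is followed by an IKE message,
 *     handed to isakmp_print();
 *   - anything else is an ESP packet, handed to esp_print() and, when
 *     it can be decrypted, to the inner IP dissector.
 *
 * bp/length describe the UDP payload as seen on the wire; bp2 is the
 * enclosing packet.  Every byte inspected here is first checked against
 * the captured data, since length describes the wire, not the capture.
 */
void
isakmp_rfc3948_print(netdissect_options *ndo,
		     const u_char *bp, u_int length,
		     const u_char *bp2)
{
	/* NAT keepalive: a lone 0xff byte. */
	ND_TCHECK2(*bp, 1);
	if (length == 1 && bp[0] == 0xff) {
		ND_PRINT((ndo, "isakmp-nat-keep-alive"));
		return;
	}

	if (length < 4) {
		goto trunc;
	}

	/*
	 * see if this is an IKE packet: a zero non-ESP marker precedes it
	 * (an ESP packet would carry a non-zero SPI in those bytes)
	 */
	ND_TCHECK2(*bp, 4);
	if (bp[0] == 0 && bp[1] == 0 && bp[2] == 0 && bp[3] == 0) {
		ND_PRINT((ndo, "NONESP-encap: "));
		isakmp_print(ndo, bp + 4, length - 4, bp2);
		return;
	}

	/* must be an ESP packet */
	{
		int nh, enh, padlen;
		int advance;

		ND_PRINT((ndo, "UDP-encap: "));

		/* advance: bytes of ESP header consumed; padlen: trailer bytes. */
		advance = esp_print(ndo, bp, length, bp2, &enh, &padlen);
		if (advance <= 0)
			return;

		/* Header plus trailer must fit inside the UDP payload. */
		if ((u_int)(advance + padlen) > length)
			goto trunc;

		bp += advance;
		length -= advance + padlen;
		nh = enh & 0xff;

		ip_print_inner(ndo, bp, length, nh, bp2);
		return;
	}

trunc:
	ND_PRINT((ndo,"[|isakmp]"));
	return;
}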
3073
3074 /*
3075 * Local Variables:
3076 * c-style: whitesmith
3077 * c-basic-offset: 8
3078 * End:
3079 */
3080
3081
3082
3083