Fix a bug the previous change made a bit more obvious.
1 /*
2 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. Neither the name of the project nor the names of its contributors
14 * may be used to endorse or promote products derived from this software
15 * without specific prior written permission.
16 *
17 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27 * SUCH DAMAGE.
28 *
29 */
30
31 #define NETDISSECT_REWORKED
32 #ifdef HAVE_CONFIG_H
33 #include "config.h"
34 #endif
35
36 /* The functions from print-esp.c used in this file are only defined when both
37 * OpenSSL and evp.h are detected. Employ the same preprocessor device here.
38 */
39 #ifndef HAVE_OPENSSL_EVP_H
40 #undef HAVE_LIBCRYPTO
41 #endif
42
43 #include <tcpdump-stdinc.h>
44
45 #include <string.h>
46
47 #include <stdio.h>
48
49 #include "interface.h"
50 #include "addrtoname.h"
51 #include "extract.h" /* must come after interface.h */
52
53 #include "ip.h"
54 #ifdef INET6
55 #include "ip6.h"
56 #endif
57
58 #ifndef HAVE_SOCKADDR_STORAGE
59 #define sockaddr_storage sockaddr
60 #endif
61
62 /* refer to RFC 2408 */
63
typedef u_char cookie_t[8];	/* Initiator/Responder cookie (RFC 2408 §3.1), also the IKEv2 SPI */
typedef u_char msgid_t[4];	/* Message ID, kept as raw octets (never interpreted numerically here) */

#define PORT_ISAKMP 500		/* UDP port ISAKMP/IKE is dispatched on */
68
69 /* 3.1 ISAKMP Header Format (IKEv1 and IKEv2)
70 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
71 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
72 ! Initiator !
73 ! Cookie !
74 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
75 ! Responder !
76 ! Cookie !
77 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
78 ! Next Payload ! MjVer ! MnVer ! Exchange Type ! Flags !
79 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
80 ! Message ID !
81 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
82 ! Length !
83 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
84 */
/*
 * Fixed 28-byte ISAKMP header shared by IKEv1 and IKEv2.  Multi-byte
 * fields are in network byte order as they arrive from the wire; callers
 * copy the header out (safememcpy()) rather than dereference it in place.
 */
struct isakmp {
	cookie_t i_ck;		/* Initiator Cookie */
	cookie_t r_ck;		/* Responder Cookie */
	u_int8_t np;		/* Next Payload Type */
	u_int8_t vers;		/* major version in the high nibble, minor in the low */
#define ISAKMP_VERS_MAJOR	0xf0
#define ISAKMP_VERS_MAJOR_SHIFT	4
#define ISAKMP_VERS_MINOR	0x0f
#define ISAKMP_VERS_MINOR_SHIFT	0
	u_int8_t etype;		/* Exchange Type */
	u_int8_t flags;		/* Flags (ISAKMP_FLAG_*) */
	msgid_t msgid;
	u_int32_t len;		/* Length of the whole message, header included */
};
99
100 /* Next Payload Type */
101 #define ISAKMP_NPTYPE_NONE 0 /* NONE*/
102 #define ISAKMP_NPTYPE_SA 1 /* Security Association */
103 #define ISAKMP_NPTYPE_P 2 /* Proposal */
104 #define ISAKMP_NPTYPE_T 3 /* Transform */
105 #define ISAKMP_NPTYPE_KE 4 /* Key Exchange */
106 #define ISAKMP_NPTYPE_ID 5 /* Identification */
107 #define ISAKMP_NPTYPE_CERT 6 /* Certificate */
108 #define ISAKMP_NPTYPE_CR 7 /* Certificate Request */
109 #define ISAKMP_NPTYPE_HASH 8 /* Hash */
110 #define ISAKMP_NPTYPE_SIG 9 /* Signature */
111 #define ISAKMP_NPTYPE_NONCE 10 /* Nonce */
112 #define ISAKMP_NPTYPE_N 11 /* Notification */
113 #define ISAKMP_NPTYPE_D 12 /* Delete */
114 #define ISAKMP_NPTYPE_VID 13 /* Vendor ID */
115 #define ISAKMP_NPTYPE_v2E 46 /* v2 Encrypted payload */
116
117 #define IKEv1_MAJOR_VERSION 1
118 #define IKEv1_MINOR_VERSION 0
119
120 #define IKEv2_MAJOR_VERSION 2
121 #define IKEv2_MINOR_VERSION 0
122
123 /* Flags */
124 #define ISAKMP_FLAG_E 0x01 /* Encryption Bit */
125 #define ISAKMP_FLAG_C 0x02 /* Commit Bit */
126 #define ISAKMP_FLAG_extra 0x04
127
128 /* IKEv2 */
129 #define ISAKMP_FLAG_I (1 << 3) /* (I)nitiator */
130 #define ISAKMP_FLAG_V (1 << 4) /* (V)ersion */
131 #define ISAKMP_FLAG_R (1 << 5) /* (R)esponse */
132
133
134 /* 3.2 Payload Generic Header
135 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
136 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
137 ! Next Payload ! RESERVED ! Payload Length !
138 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
139 */
/*
 * 4-byte generic payload header that starts every payload.  len covers
 * this header plus the payload body; the sub-printers use it to find the
 * next payload.
 */
struct isakmp_gen {
	u_int8_t  np;       /* Next Payload */
	u_int8_t  critical; /* bit 7 - critical (IKEv2), rest is RESERVED */
	u_int16_t len;      /* Payload Length */
};
145
146 /* 3.3 Data Attributes
147 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
148 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
149 !A! Attribute Type ! AF=0 Attribute Length !
150 !F! ! AF=1 Attribute Value !
151 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
152 . AF=0 Attribute Value .
153 . AF=1 Not Transmitted .
154 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
155 */
/*
 * Data attribute header (RFC 2408 §3.3).  The top bit of type is the AF
 * (attribute format) flag: when set, lorv is the 2-byte value itself;
 * when clear, lorv is the length of a value that follows the header.
 */
struct isakmp_data {
	u_int16_t type;		/* defined by DOI-spec, and Attribute Format */
	u_int16_t lorv;		/* if f equal 1, Attribute Length */
				/* if f equal 0, Attribute Value */
	/* if f equal 1, Attribute Value */
};
162
163 /* 3.4 Security Association Payload */
/* Normally not used directly: the IPsec DOI (RFC 2407) defines its own SA payload layout, see struct ipsecdoi_sa below. */
165 /*
166 If the current payload is the last in the message,
167 then the value of the next payload field will be 0.
168 This field MUST NOT contain the
169 values for the Proposal or Transform payloads as they are considered
170 part of the security association negotiation. For example, this
171 field would contain the value "10" (Nonce payload) in the first
172 message of a Base Exchange (see Section 4.4) and the value "0" in the
173 first message of an Identity Protect Exchange (see Section 4.5).
174 */
/*
 * IKEv1 Security Association payload.  Proposal payloads follow the
 * situation field; ikev1_sa_print() walks them via ikev1_sub_print().
 */
struct ikev1_pl_sa {
	struct isakmp_gen h;
	u_int32_t doi;		/* Domain of Interpretation */
	u_int32_t sit;		/* Situation */
};
180
181 /* 3.5 Proposal Payload */
182 /*
183 The value of the next payload field MUST only contain the value "2"
184 or "0". If there are additional Proposal payloads in the message,
185 then this field will be 2. If the current Proposal payload is the
186 last within the security association proposal, then this field will
187 be 0.
188 */
/*
 * IKEv1 Proposal payload.  An SPI of spi_size bytes follows the fixed
 * part, then num_t Transform payloads.
 */
struct ikev1_pl_p {
	struct isakmp_gen h;
	u_int8_t p_no;		/* Proposal # */
	u_int8_t prot_id;	/* Protocol */
	u_int8_t spi_size;	/* SPI Size */
	u_int8_t num_t;		/* Number of Transforms */
	/* SPI */
};
197
198 /* 3.6 Transform Payload */
199 /*
200 The value of the next payload field MUST only contain the value "3"
201 or "0". If there are additional Transform payloads in the proposal,
202 then this field will be 3. If the current Transform payload is the
203 last within the proposal, then this field will be 0.
204 */
/*
 * IKEv1 Transform payload.  A list of SA attributes (struct isakmp_data)
 * follows the reserved field.
 */
struct ikev1_pl_t {
	struct isakmp_gen h;
	u_int8_t  t_no;		/* Transform # */
	u_int8_t  t_id;		/* Transform-Id */
	u_int16_t reserved;	/* RESERVED2 */
	/* SA Attributes */
};
212
213 /* 3.7 Key Exchange Payload */
/* IKEv1 Key Exchange payload: only opaque key exchange data after the generic header. */
struct ikev1_pl_ke {
	struct isakmp_gen h;
	/* Key Exchange Data */
};
218
219 /* 3.8 Identification Payload */
/* Not used directly: the IPsec DOI (RFC 2407) defines its own Identification payload layout, see struct ipsecdoi_id below. */
/*
 * Generic IKEv1 Identification payload.  The union overlays the first
 * octet (ID type) on the 32-bit DOI-specific word that contains it.
 */
struct ikev1_pl_id {
	struct isakmp_gen h;
	union {
		u_int8_t  id_type;	/* ID Type */
		u_int32_t doi_data;	/* DOI Specific ID Data */
	} d;
	/* Identification Data */
};
229
230 /* 3.9 Certificate Payload */
/*
 * IKEv1 Certificate payload.  cert is only a marker for the first byte of
 * the variable-length Certificate Data; its real length is h.len minus
 * the fields before it.
 */
struct ikev1_pl_cert {
	struct isakmp_gen h;
	u_int8_t encode;	/* Cert Encoding: the type of certificate or
				 * certificate-related information carried in
				 * the Certificate Data field */
	char   cert;		/* Certificate Data (first byte) */
};
241
242 /* 3.10 Certificate Request Payload */
/* IKEv1 Certificate Request payload. */
struct ikev1_pl_cr {
	struct isakmp_gen h;
	u_int8_t num_cert;	/* # Cert. Types */
	/*
	Certificate Types (variable length)
	  -- Contains a list of the types of certificates requested,
	  sorted in order of preference.  Each individual certificate
	  type is 1 octet.  This field is NOT required.
	*/
	/* # Certificate Authorities (1 octet) */
	/* Certificate Authorities (variable length) */
};
255
256 /* 3.11 Hash Payload */
/* Carries only opaque data after the generic header, so this struct is rarely needed. */
/* IKEv1 Hash payload: generic header followed by opaque hash data. */
struct ikev1_pl_hash {
	struct isakmp_gen h;
	/* Hash Data */
};
262
263 /* 3.12 Signature Payload */
/* Carries only opaque data after the generic header, so this struct is rarely needed. */
/* IKEv1 Signature payload: generic header followed by opaque signature data. */
struct ikev1_pl_sig {
	struct isakmp_gen h;
	/* Signature Data */
};
269
270 /* 3.13 Nonce Payload */
/* Carries only opaque data after the generic header, so this struct is rarely needed. */
/* IKEv1 Nonce payload: generic header followed by opaque nonce data. */
struct ikev1_pl_nonce {
	struct isakmp_gen h;
	/* Nonce Data */
};
276
277 /* 3.14 Notification Payload */
/*
 * IKEv1 Notification payload.  An SPI of spi_size bytes and then the
 * notification data follow the fixed part.
 */
struct ikev1_pl_n {
	struct isakmp_gen h;
	u_int32_t doi;		/* Domain of Interpretation */
	u_int8_t  prot_id;	/* Protocol-ID */
	u_int8_t  spi_size;	/* SPI Size */
	u_int16_t type;		/* Notify Message Type (ISAKMP_NTYPE_*) */
	/* SPI */
	/* Notification Data */
};
287
288 /* 3.14.1 Notify Message Types */
289 /* NOTIFY MESSAGES - ERROR TYPES */
290 #define ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE 1
291 #define ISAKMP_NTYPE_DOI_NOT_SUPPORTED 2
292 #define ISAKMP_NTYPE_SITUATION_NOT_SUPPORTED 3
293 #define ISAKMP_NTYPE_INVALID_COOKIE 4
294 #define ISAKMP_NTYPE_INVALID_MAJOR_VERSION 5
295 #define ISAKMP_NTYPE_INVALID_MINOR_VERSION 6
296 #define ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE 7
297 #define ISAKMP_NTYPE_INVALID_FLAGS 8
298 #define ISAKMP_NTYPE_INVALID_MESSAGE_ID 9
299 #define ISAKMP_NTYPE_INVALID_PROTOCOL_ID 10
300 #define ISAKMP_NTYPE_INVALID_SPI 11
301 #define ISAKMP_NTYPE_INVALID_TRANSFORM_ID 12
302 #define ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED 13
303 #define ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN 14
304 #define ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX 15
305 #define ISAKMP_NTYPE_PAYLOAD_MALFORMED 16
306 #define ISAKMP_NTYPE_INVALID_KEY_INFORMATION 17
307 #define ISAKMP_NTYPE_INVALID_ID_INFORMATION 18
308 #define ISAKMP_NTYPE_INVALID_CERT_ENCODING 19
309 #define ISAKMP_NTYPE_INVALID_CERTIFICATE 20
310 #define ISAKMP_NTYPE_BAD_CERT_REQUEST_SYNTAX 21
311 #define ISAKMP_NTYPE_INVALID_CERT_AUTHORITY 22
312 #define ISAKMP_NTYPE_INVALID_HASH_INFORMATION 23
313 #define ISAKMP_NTYPE_AUTHENTICATION_FAILED 24
314 #define ISAKMP_NTYPE_INVALID_SIGNATURE 25
315 #define ISAKMP_NTYPE_ADDRESS_NOTIFICATION 26
316
317 /* 3.15 Delete Payload */
/*
 * IKEv1 Delete payload.  num_spi SPIs of spi_size bytes each follow the
 * fixed part.
 */
struct ikev1_pl_d {
	struct isakmp_gen h;
	u_int32_t doi;		/* Domain of Interpretation */
	u_int8_t  prot_id;	/* Protocol-Id */
	u_int8_t  spi_size;	/* SPI Size */
	u_int16_t num_spi;	/* # of SPIs */
	/* SPI(es) */
};
326
327 \f
/*
 * Linked-list head for phase 1 state.  struct ikev1_ph1 is never
 * defined in this file, so only pointers to it can be used here.
 */
struct ikev1_ph1tab {
	struct ikev1_ph1 *head;
	struct ikev1_ph1 *tail;
	int len;
};
333
/*
 * Linked-list head for phase 2 state.  struct ikev1_ph2 is never
 * defined in this file, so only pointers to it can be used here.
 */
struct isakmp_ph2tab {
	struct ikev1_ph2 *head;
	struct ikev1_ph2 *tail;
	int len;
};
339
340 /* IKEv2 (RFC4306) */
341
342 /* 3.3 Security Association Payload -- generic header */
343 /* 3.3.1. Proposal Substructure */
/*
 * IKEv2 Proposal substructure (RFC 4306 §3.3.1).  Same layout as the
 * IKEv1 proposal: an SPI of spi_size bytes and num_t transforms follow.
 */
struct ikev2_p {
	struct isakmp_gen h;
	u_int8_t p_no;      /* Proposal # */
	u_int8_t prot_id;   /* Protocol */
	u_int8_t spi_size;  /* SPI Size */
	u_int8_t num_t;     /* Number of Transforms */
};
351
352 /* 3.3.2. Transform Substructure */
/*
 * IKEv2 Transform substructure (RFC 4306 §3.3.2).  Unlike IKEv1 the
 * transform ID is 16 bits and is qualified by t_type (enum ikev2_t_type).
 */
struct ikev2_t {
	struct isakmp_gen h;
	u_int8_t t_type;    /* Transform Type (ENCR,PRF,INTEG,etc.*/
	u_int8_t res2;      /* reserved byte */
	u_int16_t t_id;     /* Transform ID */
};
359
/* IKEv2 transform types (the t_type field of struct ikev2_t). */
enum ikev2_t_type {
	IV2_T_ENCR = 1,		/* encryption algorithm */
	IV2_T_PRF  = 2,		/* pseudo-random function */
	IV2_T_INTEG= 3,		/* integrity algorithm */
	IV2_T_DH   = 4,		/* Diffie-Hellman group */
	IV2_T_ESN  = 5,		/* extended sequence numbers */
};
367
368 /* 3.4. Key Exchange Payload */
/* IKEv2 Key Exchange payload (RFC 4306 §3.4): DH group number, then the KE data. */
struct ikev2_ke {
	struct isakmp_gen h;
	u_int16_t  ke_group;	/* Diffie-Hellman group number */
	u_int16_t  ke_res1;	/* reserved */
	/* KE data */
};
375
376
377 /* 3.5. Identification Payloads */
/* IKEv2 identification types (the type field of struct ikev2_id). */
enum ikev2_id_type {
	ID_IPV4_ADDR=1,
	ID_FQDN=2,
	ID_RFC822_ADDR=3,
	ID_IPV6_ADDR=5,
	ID_DER_ASN1_DN=9,
	ID_DER_ASN1_GN=10,
	ID_KEY_ID=11,
};
/* IKEv2 Identification payload (IDi/IDr): type byte, reserved bytes, then the identification data. */
struct ikev2_id {
	struct isakmp_gen h;
	u_int8_t  type;        /* ID type */
	u_int8_t  res1;
	u_int16_t res2;
	/* Identification Data (variable length) */
};
395
396 /* 3.10 Notification Payload */
/*
 * IKEv2 Notify payload.  Differs from the IKEv1 one in having no DOI
 * field; an SPI of spi_size bytes and the notification data follow.
 */
struct ikev2_n {
	struct isakmp_gen h;
	u_int8_t  prot_id;    /* Protocol-ID */
	u_int8_t  spi_size;   /* SPI Size */
	u_int16_t type;       /* Notify Message Type (enum ikev2_n_type) */
};
403
/*
 * IKEv2 notify message types.  Values below 16384 are error types;
 * 16384 and above are status types.
 */
enum ikev2_n_type {
	IV2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD            = 1,
	IV2_NOTIFY_INVALID_IKE_SPI                         = 4,
	IV2_NOTIFY_INVALID_MAJOR_VERSION                   = 5,
	IV2_NOTIFY_INVALID_SYNTAX                          = 7,
	IV2_NOTIFY_INVALID_MESSAGE_ID                      = 9,
	IV2_NOTIFY_INVALID_SPI                             =11,
	IV2_NOTIFY_NO_PROPOSAL_CHOSEN                      =14,
	IV2_NOTIFY_INVALID_KE_PAYLOAD                      =17,
	IV2_NOTIFY_AUTHENTICATION_FAILED                   =24,
	IV2_NOTIFY_SINGLE_PAIR_REQUIRED                    =34,
	IV2_NOTIFY_NO_ADDITIONAL_SAS                       =35,
	IV2_NOTIFY_INTERNAL_ADDRESS_FAILURE                =36,
	IV2_NOTIFY_FAILED_CP_REQUIRED                      =37,
	IV2_NOTIFY_INVALID_SELECTORS                       =39,
	IV2_NOTIFY_INITIAL_CONTACT                         =16384,
	IV2_NOTIFY_SET_WINDOW_SIZE                         =16385,
	IV2_NOTIFY_ADDITIONAL_TS_POSSIBLE                  =16386,
	IV2_NOTIFY_IPCOMP_SUPPORTED                        =16387,
	IV2_NOTIFY_NAT_DETECTION_SOURCE_IP                 =16388,
	IV2_NOTIFY_NAT_DETECTION_DESTINATION_IP            =16389,
	IV2_NOTIFY_COOKIE                                  =16390,
	IV2_NOTIFY_USE_TRANSPORT_MODE                      =16391,
	IV2_NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED              =16392,
	IV2_NOTIFY_REKEY_SA                                =16393,
	IV2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED           =16394,
	IV2_NOTIFY_NON_FIRST_FRAGMENTS_ALSO                =16395
};
432
/*
 * One row of a notify-type -> name table.
 * NOTE(review): msg is presumably only ever a string literal; if so it
 * should be const char * so the table can be const -- confirm against
 * its users, which are outside this part of the file.
 */
struct notify_messages {
	u_int16_t type;
	char     *msg;
};
437
/* 3.8 Authentication Payload */
/* IKEv2 Authentication payload: method byte (enum ikev2_auth_type), 3 reserved bytes, then the authentication data. */
struct ikev2_auth {
	struct isakmp_gen h;
	u_int8_t  auth_method;  /* Auth Method (enum ikev2_auth_type) */
	u_int8_t  reserved[3];
	/* authentication data */
};
445
/* IKEv2 authentication methods (the auth_method field of struct ikev2_auth). */
enum ikev2_auth_type {
	IV2_RSA_SIG = 1,	/* RSA digital signature */
	IV2_SHARED  = 2,	/* shared key message integrity code */
	IV2_DSS_SIG = 3,	/* DSS digital signature */
};
451
452 /* refer to RFC 2409 */
453
#if 0
/*
 * isakmp sa structure -- disabled.  This block is never compiled: it
 * refers to vchar_t, which is not declared in this file.  Kept only as a
 * reference for the RFC 2409 attributes.
 */
struct oakley_sa {
	u_int8_t  proto_id;		/* OAKLEY */
	vchar_t   *spi;			/* spi */
	u_int8_t  dhgrp;		/* DH; group */
	u_int8_t  auth_t;		/* method of authentication */
	u_int8_t  prf_t;		/* type of prf */
	u_int8_t  hash_t;		/* type of hash */
	u_int8_t  enc_t;		/* type of cipher */
	u_int8_t  life_t;		/* type of duration of lifetime */
	u_int32_t ldur;			/* life duration */
};
#endif
468
469 /* refer to RFC 2407 */
470
471 #define IPSEC_DOI 1
472
473 /* 4.2 IPSEC Situation Definition */
474 #define IPSECDOI_SIT_IDENTITY_ONLY 0x00000001
475 #define IPSECDOI_SIT_SECRECY 0x00000002
476 #define IPSECDOI_SIT_INTEGRITY 0x00000004
477
478 /* 4.4.1 IPSEC Security Protocol Identifiers */
479 /* 4.4.2 IPSEC ISAKMP Transform Values */
480 #define IPSECDOI_PROTO_ISAKMP 1
481 #define IPSECDOI_KEY_IKE 1
482
483 /* 4.4.1 IPSEC Security Protocol Identifiers */
484 #define IPSECDOI_PROTO_IPSEC_AH 2
485 /* 4.4.3 IPSEC AH Transform Values */
486 #define IPSECDOI_AH_MD5 2
487 #define IPSECDOI_AH_SHA 3
488 #define IPSECDOI_AH_DES 4
489 #define IPSECDOI_AH_SHA2_256 5
490 #define IPSECDOI_AH_SHA2_384 6
491 #define IPSECDOI_AH_SHA2_512 7
492
493 /* 4.4.1 IPSEC Security Protocol Identifiers */
494 #define IPSECDOI_PROTO_IPSEC_ESP 3
495 /* 4.4.4 IPSEC ESP Transform Identifiers */
496 #define IPSECDOI_ESP_DES_IV64 1
497 #define IPSECDOI_ESP_DES 2
498 #define IPSECDOI_ESP_3DES 3
499 #define IPSECDOI_ESP_RC5 4
500 #define IPSECDOI_ESP_IDEA 5
501 #define IPSECDOI_ESP_CAST 6
502 #define IPSECDOI_ESP_BLOWFISH 7
503 #define IPSECDOI_ESP_3IDEA 8
504 #define IPSECDOI_ESP_DES_IV32 9
505 #define IPSECDOI_ESP_RC4 10
506 #define IPSECDOI_ESP_NULL 11
507 #define IPSECDOI_ESP_RIJNDAEL 12
508 #define IPSECDOI_ESP_AES 12
509
510 /* 4.4.1 IPSEC Security Protocol Identifiers */
511 #define IPSECDOI_PROTO_IPCOMP 4
512 /* 4.4.5 IPSEC IPCOMP Transform Identifiers */
513 #define IPSECDOI_IPCOMP_OUI 1
514 #define IPSECDOI_IPCOMP_DEFLATE 2
515 #define IPSECDOI_IPCOMP_LZS 3
516
517 /* 4.5 IPSEC Security Association Attributes */
518 #define IPSECDOI_ATTR_SA_LTYPE 1 /* B */
519 #define IPSECDOI_ATTR_SA_LTYPE_DEFAULT 1
520 #define IPSECDOI_ATTR_SA_LTYPE_SEC 1
521 #define IPSECDOI_ATTR_SA_LTYPE_KB 2
522 #define IPSECDOI_ATTR_SA_LDUR 2 /* V */
523 #define IPSECDOI_ATTR_SA_LDUR_DEFAULT 28800 /* 8 hours */
524 #define IPSECDOI_ATTR_GRP_DESC 3 /* B */
525 #define IPSECDOI_ATTR_ENC_MODE 4 /* B */
526 /* default value: host dependent */
527 #define IPSECDOI_ATTR_ENC_MODE_TUNNEL 1
528 #define IPSECDOI_ATTR_ENC_MODE_TRNS 2
529 #define IPSECDOI_ATTR_AUTH 5 /* B */
530 /* 0 means not to use authentication. */
531 #define IPSECDOI_ATTR_AUTH_HMAC_MD5 1
532 #define IPSECDOI_ATTR_AUTH_HMAC_SHA1 2
533 #define IPSECDOI_ATTR_AUTH_DES_MAC 3
534 #define IPSECDOI_ATTR_AUTH_KPDK 4 /*RFC-1826(Key/Pad/Data/Key)*/
535 /*
536 * When negotiating ESP without authentication, the Auth
537 * Algorithm attribute MUST NOT be included in the proposal.
538 * When negotiating ESP without confidentiality, the Auth
539 * Algorithm attribute MUST be included in the proposal and
540 * the ESP transform ID must be ESP_NULL.
541 */
542 #define IPSECDOI_ATTR_KEY_LENGTH 6 /* B */
543 #define IPSECDOI_ATTR_KEY_ROUNDS 7 /* B */
544 #define IPSECDOI_ATTR_COMP_DICT_SIZE 8 /* B */
545 #define IPSECDOI_ATTR_COMP_PRIVALG 9 /* V */
546
547 /* 4.6.1 Security Association Payload */
/*
 * IPsec DOI Security Association payload (RFC 2407 §4.6.1).  Identical
 * in layout to struct ikev1_pl_sa; a Labeled Domain Identifier and
 * secrecy/integrity fields follow only when sit has bits other than
 * IPSECDOI_SIT_IDENTITY_ONLY set.
 */
struct ipsecdoi_sa {
	struct isakmp_gen h;
	u_int32_t doi;		/* Domain of Interpretation */
	u_int32_t sit;		/* Situation */
};
553
/* Header of a secrecy (or integrity) level/category field in an IPsec DOI SA payload: length, then reserved. */
struct ipsecdoi_secrecy_h {
	u_int16_t len;
	u_int16_t reserved;
};
558
559 /* 4.6.2.1 Identification Type Values */
/*
 * IPsec DOI Identification payload (RFC 2407 §4.6.2): ID type
 * (IPSECDOI_ID_*), protocol ID, port, then the identification data.
 */
struct ipsecdoi_id {
	struct isakmp_gen h;
	u_int8_t  type;		/* ID Type */
	u_int8_t  proto_id;	/* Protocol ID */
	u_int16_t port;		/* Port */
	/* Identification Data */
};
567
568 #define IPSECDOI_ID_IPV4_ADDR 1
569 #define IPSECDOI_ID_FQDN 2
570 #define IPSECDOI_ID_USER_FQDN 3
571 #define IPSECDOI_ID_IPV4_ADDR_SUBNET 4
572 #define IPSECDOI_ID_IPV6_ADDR 5
573 #define IPSECDOI_ID_IPV6_ADDR_SUBNET 6
574 #define IPSECDOI_ID_IPV4_ADDR_RANGE 7
575 #define IPSECDOI_ID_IPV6_ADDR_RANGE 8
576 #define IPSECDOI_ID_DER_ASN1_DN 9
577 #define IPSECDOI_ID_DER_ASN1_GN 10
578 #define IPSECDOI_ID_KEY_ID 11
579
580 /* 4.6.3 IPSEC DOI Notify Message Types */
581 /* Notify Messages - Status Types */
582 #define IPSECDOI_NTYPE_RESPONDER_LIFETIME 24576
583 #define IPSECDOI_NTYPE_REPLAY_STATUS 24577
584 #define IPSECDOI_NTYPE_INITIAL_CONTACT 24578
585
/*
 * Declare a per-payload printer ike<func>_print().  All printers share
 * this signature so they can be dispatched through npfunc[]:
 *   tpay        payload type being printed
 *   ext         the payload's generic header
 *   item_len    the payload length from that header
 *   end_pointer end of the data that may be read
 *   phase, doi0, proto0, depth  negotiation context passed down unchanged
 * Each returns a pointer past the payload, or NULL on truncation.
 */
#define DECLARE_PRINTER(func) static const u_char *ike##func##_print( \
		netdissect_options *ndo, u_char tpay,	              \
		const struct isakmp_gen *ext,			      \
		u_int item_len,					      \
		const u_char *end_pointer,			      \
		u_int32_t phase,\
		u_int32_t doi0,					      \
		u_int32_t proto0, int depth)
594
595 DECLARE_PRINTER(v1_sa);
596 DECLARE_PRINTER(v1_p);
597 DECLARE_PRINTER(v1_t);
598 DECLARE_PRINTER(v1_ke);
599 DECLARE_PRINTER(v1_id);
600 DECLARE_PRINTER(v1_cert);
601 DECLARE_PRINTER(v1_cr);
602 DECLARE_PRINTER(v1_sig);
603 DECLARE_PRINTER(v1_hash);
604 DECLARE_PRINTER(v1_nonce);
605 DECLARE_PRINTER(v1_n);
606 DECLARE_PRINTER(v1_d);
607 DECLARE_PRINTER(v1_vid);
608
609 DECLARE_PRINTER(v2_sa);
610 DECLARE_PRINTER(v2_ke);
611 DECLARE_PRINTER(v2_ID);
612 DECLARE_PRINTER(v2_cert);
613 DECLARE_PRINTER(v2_cr);
614 DECLARE_PRINTER(v2_auth);
615 DECLARE_PRINTER(v2_nonce);
616 DECLARE_PRINTER(v2_n);
617 DECLARE_PRINTER(v2_d);
618 DECLARE_PRINTER(v2_vid);
619 DECLARE_PRINTER(v2_TS);
620 DECLARE_PRINTER(v2_cp);
621 DECLARE_PRINTER(v2_eap);
622
623 static const u_char *ikev2_e_print(netdissect_options *ndo,
624 struct isakmp *base,
625 u_char tpay,
626 const struct isakmp_gen *ext,
627 u_int item_len,
628 const u_char *end_pointer,
629 u_int32_t phase,
630 u_int32_t doi0,
631 u_int32_t proto0, int depth);
632
633
634 static const u_char *ike_sub0_print(netdissect_options *ndo,u_char, const struct isakmp_gen *,
635 const u_char *, u_int32_t, u_int32_t, u_int32_t, int);
636 static const u_char *ikev1_sub_print(netdissect_options *ndo,u_char, const struct isakmp_gen *,
637 const u_char *, u_int32_t, u_int32_t, u_int32_t, int);
638
639 static const u_char *ikev2_sub_print(netdissect_options *ndo,
640 struct isakmp *base,
641 u_char np, const struct isakmp_gen *ext,
642 const u_char *ep, u_int32_t phase,
643 u_int32_t doi, u_int32_t proto,
644 int depth);
645
646
647 static char *numstr(int);
648 static void safememcpy(void *, const void *, size_t);
649
650 static void
651 ikev1_print(netdissect_options *ndo,
652 const u_char *bp, u_int length,
653 const u_char *bp2, struct isakmp *base);
654
#define MAXINITIATORS	20
/*
 * Ring of recently seen IKE initiators keyed by initiator cookie, with
 * the source/destination addresses of the packet that recorded the entry,
 * so later packets can be labelled as coming from the initiator or the
 * responder side (cookie_sidecheck()).  ninitiator is the slot the next
 * new entry will overwrite.  Static storage, so unused slots hold an
 * all-zero cookie.
 * NOTE(review): both are file-private state but have external linkage;
 * they should probably be static unless another file refers to them.
 */
int ninitiator = 0;
struct {
	cookie_t initiator;
	struct sockaddr_storage iaddr;
	struct sockaddr_storage raddr;
} cookiecache[MAXINITIATORS];
662
663 /* protocol id */
/* protocol id -> name, indexed by IPSECDOI_PROTO_*; use via PROTOIDSTR(), which bounds-checks. */
static const char *protoidstr[] = {
	NULL, "isakmp", "ipsec-ah", "ipsec-esp", "ipcomp",
};
667
668 /* isakmp->np */
/*
 * isakmp->np -> short name, indexed by payload type.  0-13 are the IKEv1
 * payloads, 14-32 placeholders, 33-48 the IKEv2 payloads.  Always look up
 * through NPSTR(), which bounds-checks and falls back to numstr().
 */
static const char *npstr[] = {
	"none", "sa", "p", "t", "ke", "id", "cert", "cr", "hash", /* 0 - 8 */
	"sig", "nonce", "n", "d", "vid",      /* 9 - 13 */
	"pay14", "pay15", "pay16", "pay17", "pay18", /* 14- 18 */
	"pay19", "pay20", "pay21", "pay22", "pay23", /* 19- 23 */
	"pay24", "pay25", "pay26", "pay27", "pay28", /* 24- 28 */
	"pay29", "pay30", "pay31", "pay32",          /* 29- 32 */
	"v2sa",  "v2ke",  "v2IDi", "v2IDr", "v2cert",/* 33- 37 */
	"v2cr",  "v2auth","v2nonce", "v2n",   "v2d",   /* 38- 42 */
	"v2vid", "v2TSi", "v2TSr", "v2e",   "v2cp",  /* 43- 47 */
	"v2eap",                                     /* 48 */

};
682
683 /* isakmp->np */
/*
 * isakmp->np -> printer, indexed by payload type and parallel to npstr[].
 * NULL entries (unknown types, and 46/v2e which needs the ISAKMP header
 * and is dispatched separately as ikev2_e_print()) make NPFUNC() return
 * NULL so the caller can stop or skip.
 */
static const u_char *(*npfunc[])(netdissect_options *ndo, u_char tpay,
				 const struct isakmp_gen *ext,
				 u_int item_len,
				 const u_char *end_pointer,
				 u_int32_t phase,
				 u_int32_t doi0,
				 u_int32_t proto0, int depth) = {
	NULL,
	ikev1_sa_print,
	ikev1_p_print,
	ikev1_t_print,
	ikev1_ke_print,
	ikev1_id_print,
	ikev1_cert_print,
	ikev1_cr_print,
	ikev1_hash_print,
	ikev1_sig_print,
	ikev1_nonce_print,
	ikev1_n_print,
	ikev1_d_print,
	ikev1_vid_print,                  /* 13 */
	NULL, NULL, NULL, NULL, NULL,     /* 14- 18 */
	NULL, NULL, NULL, NULL, NULL,     /* 19- 23 */
	NULL, NULL, NULL, NULL, NULL,     /* 24- 28 */
	NULL, NULL, NULL, NULL,           /* 29- 32 */
	ikev2_sa_print,                 /* 33 */
	ikev2_ke_print,                 /* 34 */
	ikev2_ID_print,                 /* 35 */
	ikev2_ID_print,                 /* 36 */
	ikev2_cert_print,               /* 37 */
	ikev2_cr_print,                 /* 38 */
	ikev2_auth_print,               /* 39 */
	ikev2_nonce_print,              /* 40 */
	ikev2_n_print,                  /* 41 */
	ikev2_d_print,                  /* 42 */
	ikev2_vid_print,                /* 43 */
	ikev2_TS_print,                 /* 44 */
	ikev2_TS_print,                 /* 45 */
	NULL, /* ikev2_e_print,*/       /* 46 - special */
	ikev2_cp_print,                 /* 47 */
	ikev2_eap_print,                /* 48 */
};
726
727 /* isakmp->etype */
/*
 * isakmp->etype -> name.  The NULL gaps (6-31) make ETYPESTR() fall back
 * to numstr() for reserved/unknown exchange types.
 */
static const char *etypestr[] = {
/* IKEv1 exchange types */
	"none", "base", "ident", "auth", "agg", "inf", NULL, NULL,  /* 0-7 */
	NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,  /* 8-15 */
	NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,  /* 16-23 */
	NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,  /* 24-31 */
	"oakley-quick", "oakley-newgroup",               /* 32-33 */
/* IKEv2 exchange types */
	"ikev2_init", "ikev2_auth", "child_sa", "inf2"   /* 34-37 */
};
738
/*
 * Name lookup with a bounds check: tab[x] if x is inside the table and the
 * entry is non-NULL, else the number as a string from numstr().  x is
 * evaluated up to three times, so pass a plain variable, and it must not
 * be negative (the comparison is against a size_t).
 */
#define STR_OR_ID(x, tab) \
	(((x) < sizeof(tab)/sizeof(tab[0]) && tab[(x)])	? tab[(x)] : numstr(x))
#define PROTOIDSTR(x)	STR_OR_ID(x, protoidstr)
#define NPSTR(x)	STR_OR_ID(x, npstr)
#define ETYPESTR(x)	STR_OR_ID(x, etypestr)

/*
 * Bail out of the enclosing printer (which must have an `ep' in scope and
 * a `done:' label) with a truncation marker if p lies past ep.
 */
#define CHECKLEN(p, np)							\
		if (ep < (u_char *)(p)) {				\
			ND_PRINT((ndo," [|%s]", NPSTR(np)));		\
			goto done;					\
		}


/* Printer for payload type x, or NULL when there is none (see npfunc[]). */
#define NPFUNC(x) \
	(((x) < sizeof(npfunc)/sizeof(npfunc[0]) && npfunc[(x)]) \
		? npfunc[(x)] : NULL)
755
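/*
 * Return 1 if all l bytes at p are zero, 0 otherwise (1 for l == 0).
 * Used to tell whether a cookie/SPI field is still unset.  The buffer
 * is only read, so it is taken as const; callers passing non-const
 * pointers are unaffected.
 */
static int
iszero(const u_char *p, size_t l)
{
	while (l--) {
		if (*p++)
			return 0;
	}
	return 1;
}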
765
766 /* find cookie from initiator cache */
/*
 * Look an initiator cookie up in cookiecache[].  Returns the slot index,
 * or -1 if it is not cached.  Unused slots hold an all-zero cookie (the
 * cache is static storage), so an all-zero cookie would match one of
 * them; such a cookie is not valid on the wire anyway.
 */
static int
cookie_find(cookie_t *in)
{
	int slot = 0;

	while (slot < MAXINITIATORS) {
		if (memcmp(cookiecache[slot].initiator, in, sizeof(cookie_t)) == 0)
			return slot;
		slot++;
	}
	return -1;
}
779
780 /* record initiator */
/*
 * Record the initiator cookie *in together with the source (iaddr) and
 * destination (raddr) addresses of the IP packet at bp2, which is assumed
 * to be an already-dissected IPv4/IPv6 header inside the captured data
 * (no snapshot check is made here).  If the cookie is already cached the
 * entry is left alone and ninitiator is moved to the slot after it,
 * presumably so the next new entry lands next to it.  Packets with an
 * unrecognised IP version are ignored.
 */
static void
cookie_record(cookie_t *in, const u_char *bp2)
{
	int i;
	struct ip *ip;
	struct sockaddr_in *sin;
#ifdef INET6
	struct ip6_hdr *ip6;
	struct sockaddr_in6 *sin6;
#endif

	i = cookie_find(in);
	if (0 <= i) {
		ninitiator = (i + 1) % MAXINITIATORS;
		return;
	}

	ip = (struct ip *)bp2;
	switch (IP_V(ip)) {
	case 4:
		/* Clear the whole slot so memcmp() in cookie_sidecheck() sees no stale bytes. */
		memset(&cookiecache[ninitiator].iaddr, 0,
			sizeof(cookiecache[ninitiator].iaddr));
		memset(&cookiecache[ninitiator].raddr, 0,
			sizeof(cookiecache[ninitiator].raddr));

		sin = (struct sockaddr_in *)&cookiecache[ninitiator].iaddr;
#ifdef HAVE_SOCKADDR_SA_LEN
		sin->sin_len = sizeof(struct sockaddr_in);
#endif
		sin->sin_family = AF_INET;
		memcpy(&sin->sin_addr, &ip->ip_src, sizeof(ip->ip_src));
		sin = (struct sockaddr_in *)&cookiecache[ninitiator].raddr;
#ifdef HAVE_SOCKADDR_SA_LEN
		sin->sin_len = sizeof(struct sockaddr_in);
#endif
		sin->sin_family = AF_INET;
		memcpy(&sin->sin_addr, &ip->ip_dst, sizeof(ip->ip_dst));
		break;
#ifdef INET6
	case 6:
		memset(&cookiecache[ninitiator].iaddr, 0,
			sizeof(cookiecache[ninitiator].iaddr));
		memset(&cookiecache[ninitiator].raddr, 0,
			sizeof(cookiecache[ninitiator].raddr));

		ip6 = (struct ip6_hdr *)bp2;
		sin6 = (struct sockaddr_in6 *)&cookiecache[ninitiator].iaddr;
#ifdef HAVE_SOCKADDR_SA_LEN
		sin6->sin6_len = sizeof(struct sockaddr_in6);
#endif
		sin6->sin6_family = AF_INET6;
		memcpy(&sin6->sin6_addr, &ip6->ip6_src, sizeof(ip6->ip6_src));
		sin6 = (struct sockaddr_in6 *)&cookiecache[ninitiator].raddr;
#ifdef HAVE_SOCKADDR_SA_LEN
		sin6->sin6_len = sizeof(struct sockaddr_in6);
#endif
		sin6->sin6_family = AF_INET6;
		memcpy(&sin6->sin6_addr, &ip6->ip6_dst, sizeof(ip6->ip6_dst));
		break;
#endif
	default:
		/* Unknown IP version: the slot is not claimed. */
		return;
	}
	/* Only now does the slot belong to this cookie; then advance the ring. */
	memcpy(&cookiecache[ninitiator].initiator, in, sizeof(*in));
	ninitiator = (ninitiator + 1) % MAXINITIATORS;
}
847
#define cookie_isinitiator(x, y)	cookie_sidecheck((x), (y), 1)
#define cookie_isresponder(x, y)	cookie_sidecheck((x), (y), 0)
/*
 * Does the source address of the IP packet at bp2 equal the address
 * stored in cache slot i -- the initiator's (iaddr) when initiator is
 * non-zero, else the responder's (raddr)?  Returns 1 on a match, 0
 * otherwise, including for an IP version this file does not handle.
 * bp2 is assumed to be an already-dissected IP header inside the
 * captured data; no snapshot check is made here.
 */
static int
cookie_sidecheck(int i, const u_char *bp2, int initiator)
{
	struct sockaddr_storage src;
	const struct sockaddr *have, *want;
	const struct ip *iph = (const struct ip *)bp2;
	struct sockaddr_in *sin;
#ifdef INET6
	const struct ip6_hdr *ip6h;
	struct sockaddr_in6 *sin6;
#endif
	int salen;

	/* Build a sockaddr for the packet's source, zeroed so memcmp() is meaningful. */
	memset(&src, 0, sizeof(src));
	switch (IP_V(iph)) {
	case 4:
		sin = (struct sockaddr_in *)&src;
#ifdef HAVE_SOCKADDR_SA_LEN
		sin->sin_len = sizeof(struct sockaddr_in);
#endif
		sin->sin_family = AF_INET;
		memcpy(&sin->sin_addr, &iph->ip_src, sizeof(iph->ip_src));
		break;
#ifdef INET6
	case 6:
		ip6h = (const struct ip6_hdr *)bp2;
		sin6 = (struct sockaddr_in6 *)&src;
#ifdef HAVE_SOCKADDR_SA_LEN
		sin6->sin6_len = sizeof(struct sockaddr_in6);
#endif
		sin6->sin6_family = AF_INET6;
		memcpy(&sin6->sin6_addr, &ip6h->ip6_src, sizeof(ip6h->ip6_src));
		break;
#endif
	default:
		return 0;
	}

	have = (const struct sockaddr *)&src;
	want = initiator
	    ? (const struct sockaddr *)&cookiecache[i].iaddr
	    : (const struct sockaddr *)&cookiecache[i].raddr;

	if (have->sa_family != want->sa_family)
		return 0;

	/* Compare only the bytes that are meaningful for the address family. */
#ifdef HAVE_SOCKADDR_SA_LEN
	salen = have->sa_len;
#else
#ifdef INET6
	if (have->sa_family == AF_INET6)
		salen = sizeof(struct sockaddr_in6);
	else
		salen = sizeof(struct sockaddr);
#else
	salen = sizeof(struct sockaddr);
#endif
#endif
	return memcmp(have, want, salen) == 0;
}
927
/*
 * Print len bytes starting at loc as lowercase hex, no separators.
 * Does no bounds checking of its own; rawprint() is the checked wrapper
 * and is what the payload printers should call.
 */
static void
hexprint(netdissect_options *ndo, caddr_t loc, size_t len)
{
	const u_char *byte = (const u_char *)loc;
	const u_char *stop = byte + len;

	while (byte < stop) {
		ND_PRINT((ndo,"%02x", *byte));
		byte++;
	}
}
938
/*
 * Bounds-checked hex dump: print len bytes at loc if they are all within
 * the captured data, returning 1; otherwise print nothing and return 0.
 * loc must already be inside the packet buffer for the check to be valid.
 */
static int
rawprint(netdissect_options *ndo, caddr_t loc, size_t len)
{
	ND_TCHECK2(*loc, len);

	hexprint(ndo, loc, len);
	return 1;
trunc:
	return 0;
}
949
950
951 /*
952 * returns false if we run out of data buffer
953 */
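/*
 * Print an excerpt of a long data field [cp, ep): up to its first 10
 * bytes, "...", then up to its last 20 bytes, as " data=(xx...yy)".
 * Returns 1 on success, 0 if rawprint() found the excerpt to run past
 * the captured data (the output is then left unterminated, as before).
 *
 * Unlike the original, an inverted range (cp past ep) is rejected up
 * front instead of being turned into a negative length cast to size_t,
 * and no pointer is ever formed outside [cp, ep] (the old code computed
 * ep - 20 unconditionally, even for fields shorter than that).
 */
static int ike_show_somedata(struct netdissect_options *ndo,
			     const u_char *cp, const u_char *ep)
{
	size_t avail, head, tail;

	ND_PRINT((ndo," data=("));

	/* Nothing sensible can be shown; the caller has already overrun. */
	if (ep < cp)
		return 0;

	avail = (size_t)(ep - cp);
	head = avail < 10 ? avail : 10;
	/* The tail is what is left after the head, capped at 20 bytes. */
	tail = avail - head;
	if (tail > 20)
		tail = 20;

	if (!rawprint(ndo, (caddr_t)(cp), head))
		return 0;
	ND_PRINT((ndo, "..."));
	if (tail != 0) {
		if (!rawprint(ndo, (caddr_t)(ep - tail), tail))
			return 0;
	}
	ND_PRINT((ndo,")"));
	return 1;
}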
983
/*
 * Names for one IKEv1 attribute type and its enumerated values, used by
 * ikev1_attrmap_print().  nvalue is the number of valid entries in
 * value[] and must never exceed its 30 slots, since the printer indexes
 * value[] with any wire value below nvalue.
 */
struct attrmap {
	const char *type;
	u_int nvalue;
	const char *value[30];	/*XXX*/
};
989
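/*
 * Print one IKEv1 data attribute (RFC 2408 §3.3) starting at p, using
 * map[0..nmap) to name the attribute type and, for AF=1 attributes,
 * the value.  With the AF bit set the 2-byte value sits in the header
 * itself; otherwise the header holds the value's length and the value
 * follows.  Nothing past ep is read: on a truncated attribute "[|attr]"
 * is printed and ep + 1 is returned, which the callers take as "stop".
 * Otherwise returns the first byte after the attribute.
 */
static const u_char *
ikev1_attrmap_print(netdissect_options *ndo,
		    const u_char *p, const u_char *ep,
		    const struct attrmap *map, size_t nmap)
{
	u_int totlen, alen;
	u_int32_t t, v;

	/*
	 * The 4-byte header must be inside [p, ep) before any of it is
	 * read.  The AF bit and the length both live in that header, so
	 * deciding totlen from p[0..3] first and only then comparing with
	 * ep (as this used to) read past the end of a truncated attribute.
	 */
	if (ep < p || (size_t)(ep - p) < 4) {
		ND_PRINT((ndo,"[|attr]"));
		return ep + 1;
	}
	alen = EXTRACT_16BITS(&p[2]);
	/* AF=1: value is in the header; AF=0: alen more bytes follow it. */
	totlen = (p[0] & 0x80) ? 4 : 4 + alen;
	if ((size_t)(ep - p) < totlen) {
		ND_PRINT((ndo,"[|attr]"));
		return ep + 1;
	}

	ND_PRINT((ndo,"("));
	t = EXTRACT_16BITS(&p[0]) & 0x7fff;
	if (map && t < nmap && map[t].type)
		ND_PRINT((ndo,"type=%s ", map[t].type));
	else
		ND_PRINT((ndo,"type=#%u ", t));
	if (p[0] & 0x80) {
		ND_PRINT((ndo,"value="));
		v = alen;	/* for AF=1 bytes 2-3 are the value */
		if (map && t < nmap && v < map[t].nvalue && map[t].value[v])
			ND_PRINT((ndo,"%s", map[t].value[v]));
		else
			rawprint(ndo, (caddr_t)&p[2], 2);
	} else {
		ND_PRINT((ndo,"len=%u value=", alen));
		rawprint(ndo, (caddr_t)&p[4], alen);
	}
	ND_PRINT((ndo,")"));
	return p + totlen;
}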
1027
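/*
 * Print one IKEv1 data attribute (RFC 2408 §3.3) starting at p without a
 * name table: the type is shown as "#N" and the value in hex.  Same
 * output as ikev1_attrmap_print() with a NULL map.  Nothing past ep is
 * read: on a truncated attribute "[|attr]" is printed and ep + 1 is
 * returned, which the callers take as "stop".  Otherwise returns the
 * first byte after the attribute.
 */
static const u_char *
ikev1_attr_print(netdissect_options *ndo, const u_char *p, const u_char *ep)
{
	u_int totlen, alen;
	u_int32_t t;

	/*
	 * The 4-byte header must be inside [p, ep) before any of it is
	 * read; the old code read p[0..3] to compute totlen before doing
	 * the ep comparison, over-reading on a truncated attribute.
	 */
	if (ep < p || (size_t)(ep - p) < 4) {
		ND_PRINT((ndo,"[|attr]"));
		return ep + 1;
	}
	alen = EXTRACT_16BITS(&p[2]);
	/* AF=1: value is in the header; AF=0: alen more bytes follow it. */
	totlen = (p[0] & 0x80) ? 4 : 4 + alen;
	if ((size_t)(ep - p) < totlen) {
		ND_PRINT((ndo,"[|attr]"));
		return ep + 1;
	}

	ND_PRINT((ndo,"("));
	t = EXTRACT_16BITS(&p[0]) & 0x7fff;
	ND_PRINT((ndo,"type=#%u ", t));
	if (p[0] & 0x80) {
		ND_PRINT((ndo,"value="));
		rawprint(ndo, (caddr_t)&p[2], 2);
	} else {
		ND_PRINT((ndo,"len=%u value=", alen));
		rawprint(ndo, (caddr_t)&p[4], alen);
	}
	ND_PRINT((ndo,")"));
	return p + totlen;
}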
1057
/*
 * Print an IKEv1 Security Association payload (ISAKMP_NPTYPE_SA).
 *
 * Reads the SA header (DOI and situation).  For a DOI other than 1 (IPsec)
 * only the numeric DOI and situation are printed and the pointer just past
 * the header is returned, i.e. the proposals are not walked.  For the IPsec
 * DOI the situation bits are named, the optional 32-bit identifier that is
 * present when the situation is not plain identity (sit != 0x01) is printed,
 * and the Proposal payloads that follow are handed to ikev1_sub_print().
 *
 * Returns what ikev1_sub_print() returns for the proposals, or NULL if
 * the packet is truncated.
 */
static const u_char *
ikev1_sa_print(netdissect_options *ndo, u_char tpay _U_,
	       const struct isakmp_gen *ext,
	       u_int item_len _U_,
	       const u_char *ep, u_int32_t phase, u_int32_t doi0 _U_,
	       u_int32_t proto0, int depth)
{
	const struct ikev1_pl_sa *p;
	struct ikev1_pl_sa sa;
	u_int32_t doi, sit, ident;
	const u_char *cp, *np;
	int t;

	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_SA)));

	p = (struct ikev1_pl_sa *)ext;
	ND_TCHECK(*p);
	/* The header is copied out with safememcpy() rather than read in place, as elsewhere in this file. */
	safememcpy(&sa, ext, sizeof(sa));
	doi = ntohl(sa.doi);
	sit = ntohl(sa.sit);
	if (doi != 1) {
		/* NOTE(review): doi is u_int32_t, so %u would match it better than %d. */
		ND_PRINT((ndo," doi=%d", doi));
		ND_PRINT((ndo," situation=%u", (u_int32_t)ntohl(sa.sit)));
		return (u_char *)(p + 1);
	}

	ND_PRINT((ndo," doi=ipsec"));
	ND_PRINT((ndo," situation="));
	/* t counts the situation bits already named, so a "+" separates them. */
	t = 0;
	if (sit & 0x01) {
		ND_PRINT((ndo,"identity"));
		t++;
	}
	if (sit & 0x02) {
		ND_PRINT((ndo,"%ssecrecy", t ? "+" : ""));
		t++;
	}
	if (sit & 0x04)
		ND_PRINT((ndo,"%sintegrity", t ? "+" : ""));

	/* np: where the proposals start; advanced past the identifier if one is present. */
	np = (u_char *)ext + sizeof(sa);
	if (sit != 0x01) {
		/*
		 * NOTE(review): the identifier is checked and copied from
		 * ext + 1 (right after the generic 4-byte header) while np is
		 * advanced past sizeof(sa); if struct ikev1_pl_sa holds the
		 * doi/sit words after the generic header, these two offsets
		 * disagree -- confirm against the struct definition.
		 */
		ND_TCHECK2(*(ext + 1), sizeof(ident));
		safememcpy(&ident, ext + 1, sizeof(ident));
		ND_PRINT((ndo," ident=%u", (u_int32_t)ntohl(ident)));
		np += sizeof(ident);
	}

	ext = (struct isakmp_gen *)np;
	ND_TCHECK(*ext);

	/* doi (== 1 here) and the caller's proto0 are passed down to the proposals. */
	cp = ikev1_sub_print(ndo, ISAKMP_NPTYPE_P, ext, ep, phase, doi, proto0,
		depth);

	return cp;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_SA)));
	return NULL;
}
1117
/*
 * Print an IKEv1 Proposal payload (ISAKMP_NPTYPE_P): proposal number,
 * protocol id, transform count and the SPI, then hand the Transform
 * payloads that follow the SPI to ikev1_sub_print().
 *
 * Returns what ikev1_sub_print() returns for the transforms, or NULL if
 * the packet is truncated.
 */
static const u_char *
ikev1_p_print(netdissect_options *ndo, u_char tpay _U_,
	      const struct isakmp_gen *ext, u_int item_len _U_,
	      const u_char *ep, u_int32_t phase, u_int32_t doi0,
	      u_int32_t proto0 _U_, int depth)
{
	const struct ikev1_pl_p *hdr;
	struct ikev1_pl_p prop;
	const u_char *spi;
	const struct isakmp_gen *transforms;

	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_P)));

	hdr = (const struct ikev1_pl_p *)ext;
	ND_TCHECK(*hdr);
	safememcpy(&prop, ext, sizeof(prop));
	ND_PRINT((ndo," #%d protoid=%s transform=%d",
		  prop.p_no, PROTOIDSTR(prop.prot_id), prop.num_t));

	/* The SPI (spi_size bytes, possibly none) follows the fixed header. */
	spi = (const u_char *)(hdr + 1);
	if (prop.spi_size != 0) {
		ND_PRINT((ndo," spi="));
		if (rawprint(ndo, (caddr_t)spi, prop.spi_size) == 0)
			goto trunc;
	}

	/* The transforms start right after the SPI. */
	transforms = (const struct isakmp_gen *)(spi + prop.spi_size);
	ND_TCHECK(*transforms);

	return ikev1_sub_print(ndo, ISAKMP_NPTYPE_T, transforms, ep, phase, doi0,
			       prop.prot_id, depth);
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_P)));
	return NULL;
}
1152
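/*
 * Name tables.  The *_p_map arrays are indexed by transform id (via
 * STR_OR_ID) and the *_t_map arrays are attribute maps for
 * ikev1_attrmap_print(); index 0 is NULL where 0 is not a valid id.
 */

/* IKEv1 transform ids for protocol 1 (ISAKMP). */
static const char *ikev1_p_map[] = {
	NULL, "ike",
};

/* IKEv2 transform types (see ikev2_t_print). */
static const char *ikev2_t_type_map[]={
	NULL, "encr", "prf", "integ", "dh", "esn"
};

/* IKEv1 transform ids for protocol 2 (AH). */
static const char *ah_p_map[] = {
	NULL, "(reserved)", "md5", "sha", "1des",
	"sha2-256", "sha2-384", "sha2-512",
};

/* IKEv2 PRF transform ids. */
static const char *prf_p_map[] = {
	NULL, "hmac-md5", "hmac-sha", "hmac-tiger",
	"aes128_xcbc"
};

/* IKEv2 integrity transform ids. */
static const char *integ_p_map[] = {
	NULL, "hmac-md5", "hmac-sha", "dec-mac",
	"kpdk-md5", "aes-xcbc"
};

/* IKEv2 ESN transform ids; 0 is a valid id here. */
static const char *esn_p_map[] = {
	"no-esn", "esn"
};

/* IKEv2 Diffie-Hellman group ids (transform type dh and the KE payload). */
static const char *dh_p_map[] = {
	NULL, "modp768",
	"modp1024",    /* group 2 */
	"EC2N 2^155",  /* group 3 */
	"EC2N 2^185",  /* group 4 */
	"modp1536",    /* group 5 */
	"iana-grp06", "iana-grp07",  /* reserved */
	"iana-grp08", "iana-grp09",
	"iana-grp10", "iana-grp11",
	"iana-grp12", "iana-grp13",
	"modp2048",    /* group 14 */
	"modp3072",    /* group 15 */
	"modp4096",    /* group 16 */
	"modp6144",    /* group 17 */
	"modp8192",    /* group 18 */
};

/* IKEv1 transform ids for protocol 3 (ESP) and IKEv2 encryption transform ids. */
static const char *esp_p_map[] = {
	NULL, "1des-iv64", "1des", "3des", "rc5", "idea", "cast",
	"blowfish", "3idea", "1des-iv32", "rc4", "null", "aes"
};

/* IKEv1 transform ids for protocol 4 (IPCOMP). */
static const char *ipcomp_p_map[] = {
	NULL, "oui", "deflate", "lzs",
};

/*
 * IKEv1 attribute map for the AH/ESP/IPCOMP transforms.  nvalue must
 * count every entry of the value list, including the leading NULL:
 * "group desc" lists groups 0..18, i.e. 19 entries, so 18 would have
 * left group 18 (modp8192) unnamed.
 */
static const struct attrmap ipsec_t_map[] = {
	{ NULL,	0, { NULL } },
	{ "lifetype", 3, { NULL, "sec", "kb", }, },
	{ "life", 0, { NULL } },
	{ "group desc", 19, { NULL, "modp768",
			      "modp1024",    /* group 2 */
			      "EC2N 2^155",  /* group 3 */
			      "EC2N 2^185",  /* group 4 */
			      "modp1536",    /* group 5 */
			      "iana-grp06", "iana-grp07",  /* reserved */
			      "iana-grp08", "iana-grp09",
			      "iana-grp10", "iana-grp11",
			      "iana-grp12", "iana-grp13",
			      "modp2048",    /* group 14 */
			      "modp3072",    /* group 15 */
			      "modp4096",    /* group 16 */
			      "modp6144",    /* group 17 */
			      "modp8192",    /* group 18 */
			      }, },
	{ "enc mode", 3, { NULL, "tunnel", "transport", }, },
	{ "auth", 5, { NULL, "hmac-md5", "hmac-sha1", "1des-mac", "keyed", }, },
	{ "keylen", 0, { NULL } },
	{ "rounds", 0, { NULL } },
	{ "dictsize", 0, { NULL } },
	{ "privalg", 0, { NULL } },
};

/* IKEv2 attribute map for encryption transforms; only type 14 (keylen) is known. */
static const struct attrmap encr_t_map[] = {
	{ NULL,	0, { NULL } },	{ NULL,	0, { NULL } },	/* 0, 1 */
	{ NULL,	0, { NULL } },	{ NULL,	0, { NULL } },	/* 2, 3 */
	{ NULL,	0, { NULL } },	{ NULL,	0, { NULL } },	/* 4, 5 */
	{ NULL,	0, { NULL } },	{ NULL,	0, { NULL } },	/* 6, 7 */
	{ NULL,	0, { NULL } },	{ NULL,	0, { NULL } },	/* 8, 9 */
	{ NULL,	0, { NULL } },	{ NULL,	0, { NULL } },	/* 10,11*/
	{ NULL,	0, { NULL } },	{ NULL,	0, { NULL } },	/* 12,13*/
	{ "keylen", 14, { NULL }},
};

/*
 * IKEv1 attribute map for ISAKMP (oakley) transforms and for the
 * RESPONDER-LIFETIME notification.  "group desc" has 19 entries, see above.
 */
static const struct attrmap oakley_t_map[] = {
	{ NULL,	0, { NULL } },
	{ "enc", 8,	{ NULL, "1des", "idea", "blowfish", "rc5",
			  "3des", "cast", "aes", }, },
	{ "hash", 7,	{ NULL, "md5", "sha1", "tiger",
			  "sha2-256", "sha2-384", "sha2-512", }, },
	{ "auth", 6,	{ NULL, "preshared", "dss", "rsa sig", "rsa enc",
			  "rsa enc revised", }, },
	{ "group desc", 19, { NULL, "modp768",
			      "modp1024",    /* group 2 */
			      "EC2N 2^155",  /* group 3 */
			      "EC2N 2^185",  /* group 4 */
			      "modp1536",    /* group 5 */
			      "iana-grp06", "iana-grp07",  /* reserved */
			      "iana-grp08", "iana-grp09",
			      "iana-grp10", "iana-grp11",
			      "iana-grp12", "iana-grp13",
			      "modp2048",    /* group 14 */
			      "modp3072",    /* group 15 */
			      "modp4096",    /* group 16 */
			      "modp6144",    /* group 17 */
			      "modp8192",    /* group 18 */
			      }, },
	{ "group type", 4,	{ NULL, "MODP", "ECP", "EC2N", }, },
	{ "group prime", 0, { NULL } },
	{ "group gen1", 0, { NULL } },
	{ "group gen2", 0, { NULL } },
	{ "group curve A", 0, { NULL } },
	{ "group curve B", 0, { NULL } },
	{ "lifetype", 3,	{ NULL, "sec", "kb", }, },
	{ "lifeduration", 0, { NULL } },
	{ "prf", 0, { NULL } },
	{ "keylen", 0, { NULL } },
	{ "field", 0, { NULL } },
	{ "order", 0, { NULL } },
};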
1280
/*
 * Print an IKEv1 Transform payload (ISAKMP_NPTYPE_T).
 *
 * proto (the enclosing proposal's protocol id) selects both the table
 * used to name the transform id and the attribute map for the attributes
 * that follow the fixed header: 1 -> ikev1_p_map / oakley_t_map,
 * 2 -> ah_p_map / ipsec_t_map, 3 -> esp_p_map / ipsec_t_map,
 * 4 -> ipcomp_p_map / ipsec_t_map.  Any other protocol id prints the
 * transform id numerically and the attributes without names.
 *
 * Returns a pointer just past the last attribute walked, or NULL if the
 * fixed header is truncated.
 */
static const u_char *
ikev1_t_print(netdissect_options *ndo, u_char tpay _U_,
	      const struct isakmp_gen *ext, u_int item_len,
	      const u_char *ep, u_int32_t phase _U_, u_int32_t doi _U_,
	      u_int32_t proto, int depth _U_)
{
	const struct ikev1_pl_t *p;
	struct ikev1_pl_t t;
	const u_char *cp;
	const char *idstr;
	const struct attrmap *map;
	size_t nmap;
	const u_char *ep2;

	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_T)));

	p = (struct ikev1_pl_t *)ext;
	ND_TCHECK(*p);
	safememcpy(&t, ext, sizeof(t));

	/* Pick the id names and attribute map for this protocol. */
	switch (proto) {
	case 1:
		idstr = STR_OR_ID(t.t_id, ikev1_p_map);
		map = oakley_t_map;
		nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]);
		break;
	case 2:
		idstr = STR_OR_ID(t.t_id, ah_p_map);
		map = ipsec_t_map;
		nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
		break;
	case 3:
		idstr = STR_OR_ID(t.t_id, esp_p_map);
		map = ipsec_t_map;
		nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
		break;
	case 4:
		idstr = STR_OR_ID(t.t_id, ipcomp_p_map);
		map = ipsec_t_map;
		nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
		break;
	default:
		idstr = NULL;
		map = NULL;
		nmap = 0;
		break;
	}

	if (idstr)
		ND_PRINT((ndo," #%d id=%s ", t.t_no, idstr));
	else
		ND_PRINT((ndo," #%d id=%d ", t.t_no, t.t_id));
	/*
	 * Attributes run from the end of the fixed header to the end of
	 * the payload (ep2, from item_len), bounded also by the caller's
	 * ep; the nearer of the two is passed down as the limit.  Both
	 * attribute printers return ep + 1 for an attribute that does not
	 * fit, which ends this loop.
	 */
	cp = (u_char *)(p + 1);
	ep2 = (u_char *)p + item_len;
	while (cp < ep && cp < ep2) {
		if (map && nmap) {
			cp = ikev1_attrmap_print(ndo, cp, (ep < ep2) ? ep : ep2,
				map, nmap);
		} else
			cp = ikev1_attr_print(ndo, cp, (ep < ep2) ? ep : ep2);
	}
	/* The payload claims more bytes than lie before ep. */
	if (ep < ep2)
		ND_PRINT((ndo,"..."));
	return cp;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_T)));
	return NULL;
}
1349
/*
 * Print an IKEv1 Key Exchange payload (ISAKMP_NPTYPE_KE): the key length
 * and, at -vvv, the key material that follows the generic header.
 *
 * Returns a pointer just past the payload according to its own length
 * field, or NULL if the packet is truncated.
 */
static const u_char *
ikev1_ke_print(netdissect_options *ndo, u_char tpay _U_,
	       const struct isakmp_gen *ext, u_int item_len _U_,
	       const u_char *ep _U_, u_int32_t phase _U_, u_int32_t doi _U_,
	       u_int32_t proto _U_, int depth _U_)
{
	struct isakmp_gen hdr;
	int len;

	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_KE)));

	ND_TCHECK(*ext);
	safememcpy(&hdr, ext, sizeof(hdr));
	len = ntohs(hdr.len);
	ND_PRINT((ndo," key len=%d", len - 4));
	if (ndo->ndo_vflag > 2 && len > 4) {
		ND_PRINT((ndo," "));
		if (rawprint(ndo, (caddr_t)(ext + 1), len - 4) == 0)
			goto trunc;
	}
	return (const u_char *)ext + len;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_KE)));
	return NULL;
}
1373
/*
 * Print an IKEv1 Identification payload (ISAKMP_NPTYPE_ID).
 *
 * Phase 2 payloads (and phase 1 too, because USE_IPSECDOI_IN_PHASE1 is
 * defined below) are interpreted with the IPsec DOI identification layout
 * (id type, protocol id, port, then type-specific data); any other phase
 * gets the generic ISAKMP layout (id type plus 24 bits of doi_data).  For
 * the IPsec DOI layout the address / subnet / range / name data is printed
 * according to the id type.  Data that no case consumed is reported by
 * length and hex-dumped at -vvv.
 *
 * Returns a pointer just past the payload (ext + item_len), or NULL if the
 * packet is truncated.
 */
static const u_char *
ikev1_id_print(netdissect_options *ndo, u_char tpay _U_,
	       const struct isakmp_gen *ext, u_int item_len _U_,
	       const u_char *ep _U_, u_int32_t phase, u_int32_t doi _U_,
	       u_int32_t proto _U_, int depth _U_)
{
#define USE_IPSECDOI_IN_PHASE1	1
	const struct ikev1_pl_id *p;
	struct ikev1_pl_id id;
	static const char *idtypestr[] = {
		"IPv4", "IPv4net", "IPv6", "IPv6net",
	};
	static const char *ipsecidtypestr[] = {
		NULL, "IPv4", "FQDN", "user FQDN", "IPv4net", "IPv6",
		"IPv6net", "IPv4range", "IPv6range", "ASN1 DN", "ASN1 GN",
		"keyid",
	};
	int len;
	const u_char *data;

	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_ID)));

	p = (struct ikev1_pl_id *)ext;
	ND_TCHECK(*p);
	safememcpy(&id, ext, sizeof(id));
	/* data/len: the variable part after the fixed header, if item_len allows for any. */
	if (sizeof(*p) < item_len) {
		data = (u_char *)(p + 1);
		len = item_len - sizeof(*p);
	} else {
		data = NULL;
		len = 0;
	}

#if 0 /*debug*/
	ND_PRINT((ndo," [phase=%d doi=%d proto=%d]", phase, doi, proto));
#endif
	switch (phase) {
#ifndef USE_IPSECDOI_IN_PHASE1
	case 1:
#endif
	default:
		/* Generic ISAKMP identification: type and the low 24 bits of doi_data. */
		ND_PRINT((ndo," idtype=%s", STR_OR_ID(id.d.id_type, idtypestr)));
		ND_PRINT((ndo," doi_data=%u",
			  (u_int32_t)(ntohl(id.d.doi_data) & 0xffffff)));
		break;

#ifdef USE_IPSECDOI_IN_PHASE1
	case 1:
#endif
	case 2:
	    {
		/* IPsec DOI identification; these shadow the outer p and id. */
		const struct ipsecdoi_id *p;
		struct ipsecdoi_id id;
		struct protoent *pe;

		p = (struct ipsecdoi_id *)ext;
		ND_TCHECK(*p);
		safememcpy(&id, ext, sizeof(id));
		ND_PRINT((ndo," idtype=%s", STR_OR_ID(id.type, ipsecidtypestr)));
		if (id.proto_id) {
			/* Name the protocol via the system protocol database. */
#ifndef WIN32
			setprotoent(1);
#endif /* WIN32 */
			pe = getprotobynumber(id.proto_id);
			if (pe)
				ND_PRINT((ndo," protoid=%s", pe->p_name));
#ifndef WIN32
			endprotoent();
#endif /* WIN32 */
		} else {
			/* it DOES NOT mean IPPROTO_IP! */
			ND_PRINT((ndo," protoid=%s", "0"));
		}
		ND_PRINT((ndo," port=%d", ntohs(id.port)));
		if (!len)
			break;
		if (data == NULL)
			goto trunc;
		/* All of the type-specific data must be captured. */
		ND_TCHECK2(*data, len);
		/* Each handled case sets len = 0 so the trailing dump below is skipped. */
		switch (id.type) {
		case IPSECDOI_ID_IPV4_ADDR:
			if (len < 4)
				ND_PRINT((ndo," len=%d [bad: < 4]", len));
			else
				ND_PRINT((ndo," len=%d %s", len, ipaddr_string(data)));
			len = 0;
			break;
		case IPSECDOI_ID_FQDN:
		case IPSECDOI_ID_USER_FQDN:
		    {
			int i;
			ND_PRINT((ndo," len=%d ", len));
			/* Names are printed byte by byte through safeputchar(). */
			for (i = 0; i < len; i++)
				safeputchar(data[i]);
			len = 0;
			break;
		    }
		case IPSECDOI_ID_IPV4_ADDR_SUBNET:
		    {
			const u_char *mask;
			if (len < 8)
				ND_PRINT((ndo," len=%d [bad: < 8]", len));
			else {
				/* Address followed by a 4-byte mask, printed dotted. */
				mask = data + sizeof(struct in_addr);
				ND_PRINT((ndo," len=%d %s/%u.%u.%u.%u", len,
					  ipaddr_string(data),
					  mask[0], mask[1], mask[2], mask[3]));
			}
			len = 0;
			break;
		    }
#ifdef INET6
		case IPSECDOI_ID_IPV6_ADDR:
			if (len < 16)
				ND_PRINT((ndo," len=%d [bad: < 16]", len));
			else
				ND_PRINT((ndo," len=%d %s", len, ip6addr_string(data)));
			len = 0;
			break;
		case IPSECDOI_ID_IPV6_ADDR_SUBNET:
		    {
			const u_int32_t *mask;
			if (len < 20)
				ND_PRINT((ndo," len=%d [bad: < 20]", len));
			else {
				/*
				 * NOTE(review): the 16-byte mask is read through a
				 * u_int32_t pointer at data + 16 and printed in host
				 * order; data is not known to be 4-byte aligned here.
				 */
				mask = (u_int32_t *)(data + sizeof(struct in6_addr));
				/*XXX*/
				ND_PRINT((ndo," len=%d %s/0x%08x%08x%08x%08x", len,
					  ip6addr_string(data),
					  mask[0], mask[1], mask[2], mask[3]));
			}
			len = 0;
			break;
		    }
#endif /*INET6*/
		case IPSECDOI_ID_IPV4_ADDR_RANGE:
			if (len < 8)
				ND_PRINT((ndo," len=%d [bad: < 8]", len));
			else {
				ND_PRINT((ndo," len=%d %s-%s", len,
					  ipaddr_string(data),
					  ipaddr_string(data + sizeof(struct in_addr))));
			}
			len = 0;
			break;
#ifdef INET6
		case IPSECDOI_ID_IPV6_ADDR_RANGE:
			if (len < 32)
				ND_PRINT((ndo," len=%d [bad: < 32]", len));
			else {
				ND_PRINT((ndo," len=%d %s-%s", len,
					  ip6addr_string(data),
					  ip6addr_string(data + sizeof(struct in6_addr))));
			}
			len = 0;
			break;
#endif /*INET6*/
		case IPSECDOI_ID_DER_ASN1_DN:
		case IPSECDOI_ID_DER_ASN1_GN:
		case IPSECDOI_ID_KEY_ID:
			/* Opaque: left to the generic length/hex dump below. */
			break;
		}
		break;
	    }
	}
	/* Whatever data was not consumed above: length, and a hex dump at -vvv. */
	if (data && len) {
		ND_PRINT((ndo," len=%d", len));
		if (2 < ndo->ndo_vflag) {
			ND_PRINT((ndo," "));
			if (!rawprint(ndo, (caddr_t)data, len))
				goto trunc;
		}
	}
	return (u_char *)ext + item_len;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_ID)));
	return NULL;
}
1552
/*
 * Print an IKEv1 Certificate payload (ISAKMP_NPTYPE_CERT): the length of
 * the data after the generic header, the certificate encoding name, and at
 * -vvv a hex dump of the data.
 *
 * Returns a pointer just past the payload (ext + item_len), or NULL if the
 * packet is truncated.
 */
static const u_char *
ikev1_cert_print(netdissect_options *ndo, u_char tpay _U_,
		 const struct isakmp_gen *ext, u_int item_len _U_,
		 const u_char *ep _U_, u_int32_t phase _U_,
		 u_int32_t doi0 _U_,
		 u_int32_t proto0 _U_, int depth _U_)
{
	const struct ikev1_pl_cert *hdr;
	struct ikev1_pl_cert cert;
	static const char *certstr[] = {
		"none",	"pkcs7", "pgp", "dns",
		"x509sign", "x509ke", "kerberos", "crl",
		"arl", "spki", "x509attr",
	};
	u_int datalen;

	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_CERT)));

	hdr = (const struct ikev1_pl_cert *)ext;
	ND_TCHECK(*hdr);
	safememcpy(&cert, ext, sizeof(cert));
	/* The 4-byte generic header is not counted in the printed length. */
	datalen = item_len - 4;
	ND_PRINT((ndo," len=%d", datalen));
	ND_PRINT((ndo," type=%s", STR_OR_ID((cert.encode), certstr)));
	if (ndo->ndo_vflag > 2 && item_len > 4) {
		ND_PRINT((ndo," "));
		if (rawprint(ndo, (caddr_t)(ext + 1), datalen) == 0)
			goto trunc;
	}
	return (const u_char *)ext + item_len;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_CERT)));
	return NULL;
}
1585
/*
 * Print an IKEv1 Certificate Request payload (ISAKMP_NPTYPE_CR).  Same
 * layout as the Certificate payload: length of the data after the generic
 * header, the encoding name, and at -vvv a hex dump of the data.
 *
 * Returns a pointer just past the payload (ext + item_len), or NULL if the
 * packet is truncated.
 */
static const u_char *
ikev1_cr_print(netdissect_options *ndo, u_char tpay _U_,
	       const struct isakmp_gen *ext, u_int item_len _U_,
	       const u_char *ep _U_, u_int32_t phase _U_, u_int32_t doi0 _U_,
	       u_int32_t proto0 _U_, int depth _U_)
{
	const struct ikev1_pl_cert *hdr;
	struct ikev1_pl_cert cert;
	static const char *certstr[] = {
		"none",	"pkcs7", "pgp", "dns",
		"x509sign", "x509ke", "kerberos", "crl",
		"arl", "spki", "x509attr",
	};
	u_int datalen;

	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_CR)));

	hdr = (const struct ikev1_pl_cert *)ext;
	ND_TCHECK(*hdr);
	safememcpy(&cert, ext, sizeof(cert));
	/* The 4-byte generic header is not counted in the printed length. */
	datalen = item_len - 4;
	ND_PRINT((ndo," len=%d", datalen));
	ND_PRINT((ndo," type=%s", STR_OR_ID((cert.encode), certstr)));
	if (ndo->ndo_vflag > 2 && item_len > 4) {
		ND_PRINT((ndo," "));
		if (rawprint(ndo, (caddr_t)(ext + 1), datalen) == 0)
			goto trunc;
	}
	return (const u_char *)ext + item_len;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_CR)));
	return NULL;
}
1617
/*
 * Print an IKEv1 Hash payload (ISAKMP_NPTYPE_HASH): the hash length and,
 * at -vvv, the hash bytes that follow the generic header.
 *
 * Returns a pointer just past the payload according to its own length
 * field, or NULL if the packet is truncated.
 */
static const u_char *
ikev1_hash_print(netdissect_options *ndo, u_char tpay _U_,
		 const struct isakmp_gen *ext, u_int item_len _U_,
		 const u_char *ep _U_, u_int32_t phase _U_, u_int32_t doi _U_,
		 u_int32_t proto _U_, int depth _U_)
{
	struct isakmp_gen hdr;
	int len;

	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_HASH)));

	ND_TCHECK(*ext);
	safememcpy(&hdr, ext, sizeof(hdr));
	len = ntohs(hdr.len);
	ND_PRINT((ndo," len=%d", len - 4));
	if (ndo->ndo_vflag > 2 && len > 4) {
		ND_PRINT((ndo," "));
		if (rawprint(ndo, (caddr_t)(ext + 1), len - 4) == 0)
			goto trunc;
	}
	return (const u_char *)ext + len;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_HASH)));
	return NULL;
}
1641
/*
 * Print an IKEv1 Signature payload (ISAKMP_NPTYPE_SIG): the signature
 * length and, at -vvv, the signature bytes that follow the generic header.
 *
 * Returns a pointer just past the payload according to its own length
 * field, or NULL if the packet is truncated.
 */
static const u_char *
ikev1_sig_print(netdissect_options *ndo, u_char tpay _U_,
		const struct isakmp_gen *ext, u_int item_len _U_,
		const u_char *ep _U_, u_int32_t phase _U_, u_int32_t doi _U_,
		u_int32_t proto _U_, int depth _U_)
{
	struct isakmp_gen hdr;
	int len;

	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_SIG)));

	ND_TCHECK(*ext);
	safememcpy(&hdr, ext, sizeof(hdr));
	len = ntohs(hdr.len);
	ND_PRINT((ndo," len=%d", len - 4));
	if (ndo->ndo_vflag > 2 && len > 4) {
		ND_PRINT((ndo," "));
		if (rawprint(ndo, (caddr_t)(ext + 1), len - 4) == 0)
			goto trunc;
	}
	return (const u_char *)ext + len;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_SIG)));
	return NULL;
}
1665
/*
 * Print an IKEv1 Nonce payload (ISAKMP_NPTYPE_NONCE): the nonce length,
 * then at -vvv the whole nonce in hex, or at -vv an abbreviated dump via
 * ike_show_somedata().
 *
 * Returns a pointer just past the payload according to its own length
 * field, or NULL if the packet is truncated.
 */
static const u_char *
ikev1_nonce_print(netdissect_options *ndo, u_char tpay _U_,
		  const struct isakmp_gen *ext,
		  u_int item_len _U_,
		  const u_char *ep _U_,
		  u_int32_t phase _U_, u_int32_t doi _U_,
		  u_int32_t proto _U_, int depth _U_)
{
	struct isakmp_gen hdr;
	int len, vflag;

	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_NONCE)));

	ND_TCHECK(*ext);
	safememcpy(&hdr, ext, sizeof(hdr));
	len = ntohs(hdr.len);
	vflag = ndo->ndo_vflag;
	ND_PRINT((ndo," n len=%d", len - 4));
	/* Only a payload with data after the generic header gets a dump. */
	if (len > 4) {
		if (vflag > 2) {
			ND_PRINT((ndo," "));
			if (rawprint(ndo, (caddr_t)(ext + 1), len - 4) == 0)
				goto trunc;
		} else if (vflag > 1) {
			ND_PRINT((ndo," "));
			if (ike_show_somedata(ndo, (u_char *)(caddr_t)(ext + 1), ep) == 0)
				goto trunc;
		}
	}
	return (const u_char *)ext + len;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_NONCE)));
	return NULL;
}
1695
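/*
 * Print an IKEv1 Notification payload (ISAKMP_NPTYPE_N).
 *
 * The fixed header carries the DOI, protocol id, SPI size and notify type;
 * it is followed by spi_size bytes of SPI and then, up to the end of the
 * payload, notification data whose format depends on the type.  For a DOI
 * other than 1 (IPsec) only the header and SPI are printed and the pointer
 * just past the SPI is returned.  For the IPsec DOI the data is shown as
 * attributes (RESPONDER-LIFETIME), an enable/disable flag (REPLAY-STATUS),
 * a nested SA payload (NO-PROPOSAL-CHOSEN) or, for any other type, as an
 * embedded ISAKMP message.
 *
 * Returns a pointer just past the payload (ext + item_len), or NULL if the
 * packet is truncated or the nested SA dissection failed.
 */
static const u_char *
ikev1_n_print(netdissect_options *ndo, u_char tpay _U_,
	      const struct isakmp_gen *ext, u_int item_len,
	      const u_char *ep, u_int32_t phase, u_int32_t doi0 _U_,
	      u_int32_t proto0 _U_, int depth)
{
	const struct ikev1_pl_n *p;
	struct ikev1_pl_n n;
	const u_char *cp;
	const u_char *ep2;
	u_int32_t doi;
	u_int32_t proto;
	static const char *notify_error_str[] = {
		NULL,				"INVALID-PAYLOAD-TYPE",
		"DOI-NOT-SUPPORTED",		"SITUATION-NOT-SUPPORTED",
		"INVALID-COOKIE",		"INVALID-MAJOR-VERSION",
		"INVALID-MINOR-VERSION",	"INVALID-EXCHANGE-TYPE",
		"INVALID-FLAGS",		"INVALID-MESSAGE-ID",
		"INVALID-PROTOCOL-ID",		"INVALID-SPI",
		"INVALID-TRANSFORM-ID",		"ATTRIBUTES-NOT-SUPPORTED",
		"NO-PROPOSAL-CHOSEN",		"BAD-PROPOSAL-SYNTAX",
		"PAYLOAD-MALFORMED",		"INVALID-KEY-INFORMATION",
		"INVALID-ID-INFORMATION",	"INVALID-CERT-ENCODING",
		"INVALID-CERTIFICATE",		"CERT-TYPE-UNSUPPORTED",
		"INVALID-CERT-AUTHORITY",	"INVALID-HASH-INFORMATION",
		"AUTHENTICATION-FAILED",	"INVALID-SIGNATURE",
		"ADDRESS-NOTIFICATION",		"NOTIFY-SA-LIFETIME",
		"CERTIFICATE-UNAVAILABLE",	"UNSUPPORTED-EXCHANGE-TYPE",
		"UNEQUAL-PAYLOAD-LENGTHS",
	};
	static const char *ipsec_notify_error_str[] = {
		"RESERVED",
	};
	static const char *notify_status_str[] = {
		"CONNECTED",
	};
	static const char *ipsec_notify_status_str[] = {
		"RESPONDER-LIFETIME",		"REPLAY-STATUS",
		"INITIAL-CONTACT",
	};
	/* NOTE: these macro must be called with x in proper range */

	/* 0 - 8191 */
#define NOTIFY_ERROR_STR(x) \
	STR_OR_ID((x), notify_error_str)

	/* 8192 - 16383 */
#define IPSEC_NOTIFY_ERROR_STR(x) \
	STR_OR_ID((u_int)((x) - 8192), ipsec_notify_error_str)

	/* 16384 - 24575 */
#define NOTIFY_STATUS_STR(x) \
	STR_OR_ID((u_int)((x) - 16384), notify_status_str)

	/* 24576 - 32767 */
#define IPSEC_NOTIFY_STATUS_STR(x) \
	STR_OR_ID((u_int)((x) - 24576), ipsec_notify_status_str)

	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_N)));

	p = (const struct ikev1_pl_n *)ext;
	ND_TCHECK(*p);
	safememcpy(&n, ext, sizeof(n));
	doi = ntohl(n.doi);
	proto = n.prot_id;
	if (doi != 1) {
		/*
		 * Not the IPsec DOI: only the ISAKMP-defined ranges have
		 * names here; the DOI-specific ranges are printed numerically.
		 */
		ND_PRINT((ndo," doi=%d", doi));
		ND_PRINT((ndo," proto=%d", proto));
		if (ntohs(n.type) < 8192)
			ND_PRINT((ndo," type=%s", NOTIFY_ERROR_STR(ntohs(n.type))));
		else if (ntohs(n.type) < 16384)
			ND_PRINT((ndo," type=%s", numstr(ntohs(n.type))));
		else if (ntohs(n.type) < 24576)
			ND_PRINT((ndo," type=%s", NOTIFY_STATUS_STR(ntohs(n.type))));
		else
			ND_PRINT((ndo," type=%s", numstr(ntohs(n.type))));
		if (n.spi_size) {
			ND_PRINT((ndo," spi="));
			if (!rawprint(ndo, (caddr_t)(p + 1), n.spi_size))
				goto trunc;
		}
		return (const u_char *)(p + 1) + n.spi_size;
	}

	ND_PRINT((ndo," doi=ipsec"));
	ND_PRINT((ndo," proto=%s", PROTOIDSTR(proto)));
	if (ntohs(n.type) < 8192)
		ND_PRINT((ndo," type=%s", NOTIFY_ERROR_STR(ntohs(n.type))));
	else if (ntohs(n.type) < 16384)
		ND_PRINT((ndo," type=%s", IPSEC_NOTIFY_ERROR_STR(ntohs(n.type))));
	else if (ntohs(n.type) < 24576)
		ND_PRINT((ndo," type=%s", NOTIFY_STATUS_STR(ntohs(n.type))));
	else if (ntohs(n.type) < 32768)
		ND_PRINT((ndo," type=%s", IPSEC_NOTIFY_STATUS_STR(ntohs(n.type))));
	else
		ND_PRINT((ndo," type=%s", numstr(ntohs(n.type))));
	if (n.spi_size) {
		ND_PRINT((ndo," spi="));
		if (!rawprint(ndo, (caddr_t)(p + 1), n.spi_size))
			goto trunc;
	}

	/* Notification data, if any, occupies [cp, ep2); ep2 is the end of this payload. */
	cp = (const u_char *)(p + 1) + n.spi_size;
	ep2 = (const u_char *)p + item_len;

	/*
	 * Bytes at or past ep2 belong to the next payload, so only dissect
	 * notification data when this payload actually carries some.  The
	 * cp < ep2 test also guarantees that the length handed to
	 * isakmp_print() below (item_len minus header and SPI) cannot wrap.
	 */
	if (cp < ep && cp < ep2) {
		ND_PRINT((ndo," orig=("));
		switch (ntohs(n.type)) {
		case IPSECDOI_NTYPE_RESPONDER_LIFETIME:
		    {
			/* Lifetime attributes use the ISAKMP (oakley) attribute names. */
			const struct attrmap *map = oakley_t_map;
			size_t nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]);
			while (cp < ep && cp < ep2) {
				cp = ikev1_attrmap_print(ndo, cp,
					(ep < ep2) ? ep : ep2, map, nmap);
			}
			break;
		    }
		case IPSECDOI_NTYPE_REPLAY_STATUS:
			/*
			 * Only cp < ep is known here, so make sure all four
			 * status bytes are in the captured data before reading
			 * them, and read them byte-wise since cp need not be
			 * 4-byte aligned.
			 */
			ND_TCHECK2(*cp, 4);
			ND_PRINT((ndo,"replay detection %sabled",
				  EXTRACT_32BITS(cp) ? "en" : "dis"));
			break;
		case ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN:
			if (ikev1_sub_print(ndo, ISAKMP_NPTYPE_SA,
					    (const struct isakmp_gen *)cp, ep, phase, doi, proto,
					    depth) == NULL)
				return NULL;
			break;
		default:
			/* NULL is dummy */
			isakmp_print(ndo, cp,
				     item_len - sizeof(*p) - n.spi_size,
				     NULL);
		}
		ND_PRINT((ndo,")"));
	}
	return (const u_char *)ext + item_len;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_N)));
	return NULL;
}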
1836
/*
 * Print an IKEv1 Delete payload (ISAKMP_NPTYPE_D): DOI, protocol id, SPI
 * size and count, then each of the num_spi SPIs (spi_size bytes each) in
 * hex, comma separated.
 *
 * Returns a pointer just past the last SPI, or NULL if the packet is
 * truncated.
 */
static const u_char *
ikev1_d_print(netdissect_options *ndo, u_char tpay _U_,
	      const struct isakmp_gen *ext, u_int item_len _U_,
	      const u_char *ep _U_, u_int32_t phase _U_, u_int32_t doi0 _U_,
	      u_int32_t proto0 _U_, int depth _U_)
{
	const struct ikev1_pl_d *hdr;
	struct ikev1_pl_d d;
	const u_int8_t *spi;
	u_int32_t doi, proto;
	u_int nspi, i;

	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_D)));

	hdr = (const struct ikev1_pl_d *)ext;
	ND_TCHECK(*hdr);
	safememcpy(&d, ext, sizeof(d));
	doi = ntohl(d.doi);
	proto = d.prot_id;
	nspi = ntohs(d.num_spi);
	if (doi == 1) {
		ND_PRINT((ndo," doi=ipsec"));
		ND_PRINT((ndo," proto=%s", PROTOIDSTR(proto)));
	} else {
		ND_PRINT((ndo," doi=%u", doi));
		ND_PRINT((ndo," proto=%u", proto));
	}
	ND_PRINT((ndo," spilen=%u", d.spi_size));
	ND_PRINT((ndo," nspi=%u", nspi));
	ND_PRINT((ndo," spi="));
	/* The SPIs are packed back to back right after the fixed header. */
	spi = (const u_int8_t *)(hdr + 1);
	for (i = 0; i < nspi; i++) {
		if (i)
			ND_PRINT((ndo,","));
		if (rawprint(ndo, (caddr_t)spi, d.spi_size) == 0)
			goto trunc;
		spi += d.spi_size;
	}
	return spi;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_D)));
	return NULL;
}
1880
/*
 * Print an IKEv1 Vendor ID payload (ISAKMP_NPTYPE_VID): the vendor id
 * length and, at -vvv, its bytes in hex.
 *
 * Returns a pointer just past the payload according to its own length
 * field, or NULL if the packet is truncated.
 */
static const u_char *
ikev1_vid_print(netdissect_options *ndo, u_char tpay _U_,
		const struct isakmp_gen *ext,
		u_int item_len _U_, const u_char *ep _U_,
		u_int32_t phase _U_, u_int32_t doi _U_,
		u_int32_t proto _U_, int depth _U_)
{
	struct isakmp_gen hdr;
	int len;

	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_VID)));

	ND_TCHECK(*ext);
	safememcpy(&hdr, ext, sizeof(hdr));
	len = ntohs(hdr.len);
	ND_PRINT((ndo," len=%d", len - 4));
	if (ndo->ndo_vflag > 2 && len > 4) {
		ND_PRINT((ndo," "));
		if (rawprint(ndo, (caddr_t)(ext + 1), len - 4) == 0)
			goto trunc;
	}
	return (const u_char *)ext + len;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_VID)));
	return NULL;
}
1905
1906 /************************************************************/
1907 /* */
1908 /* IKE v2 - rfc4306 - dissector */
1909 /* */
1910 /************************************************************/
1911
/*
 * Print an IKEv2 payload name, with "[C]" appended when the critical bit
 * (0x80 of the payload's critical byte) is set.
 */
static void
ikev2_pay_print(netdissect_options *ndo, const char *payname, int critical)
{
	const char *flag = (critical & 0x80) ? "[C]" : "";

	ND_PRINT((ndo,"%s%s:", payname, flag));
}
1917
/*
 * Generic IKEv2 payload printer: the payload name (with critical flag), the
 * length of the data after the generic header and, at -vvv, a hex dump of
 * that data.
 *
 * Returns a pointer just past the payload according to its own length
 * field, or NULL if the packet is truncated.
 */
static const u_char *
ikev2_gen_print(netdissect_options *ndo, u_char tpay,
		const struct isakmp_gen *ext)
{
	struct isakmp_gen hdr;
	int len;

	ND_TCHECK(*ext);
	safememcpy(&hdr, ext, sizeof(hdr));
	ikev2_pay_print(ndo, NPSTR(tpay), hdr.critical);

	len = ntohs(hdr.len);
	ND_PRINT((ndo," len=%d", len - 4));
	if (ndo->ndo_vflag > 2 && len > 4) {
		ND_PRINT((ndo," "));
		if (rawprint(ndo, (caddr_t)(ext + 1), len - 4) == 0)
			goto trunc;
	}
	return (const u_char *)ext + len;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
	return NULL;
}
1939
/*
 * Print an IKEv2 Transform substructure (ISAKMP_NPTYPE_T).
 *
 * The transform type selects the table used to name the transform id
 * (encryption, PRF, integrity, DH group or ESN); only encryption
 * transforms have an attribute map (encr_t_map), so the attributes of all
 * other transforms are printed without names.  pcount is the ordinal the
 * caller assigns to this transform and is printed as "#<n>".
 *
 * Returns a pointer just past the last attribute walked, or NULL if the
 * fixed header is truncated.
 */
static const u_char *
ikev2_t_print(netdissect_options *ndo, u_char tpay _U_, int pcount,
	      const struct isakmp_gen *ext, u_int item_len,
	      const u_char *ep, u_int32_t phase _U_, u_int32_t doi _U_,
	      u_int32_t proto _U_, int depth _U_)
{
	const struct ikev2_t *p;
	struct ikev2_t t;
	u_int16_t  t_id;
	const u_char *cp;
	const char *idstr;
	const struct attrmap *map;
	size_t nmap;
	const u_char *ep2;

	p = (struct ikev2_t *)ext;
	ND_TCHECK(*p);
	safememcpy(&t, ext, sizeof(t));
	ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_T), t.h.critical);

	t_id = ntohs(t.t_id);

	/* No attribute names unless the switch below selects a map. */
	map = NULL;
	nmap = 0;

	switch (t.t_type) {
	case IV2_T_ENCR:
		idstr = STR_OR_ID(t_id, esp_p_map);
		map = encr_t_map;
		nmap = sizeof(encr_t_map)/sizeof(encr_t_map[0]);
		break;

	case IV2_T_PRF:
		idstr = STR_OR_ID(t_id, prf_p_map);
		break;

	case IV2_T_INTEG:
		idstr = STR_OR_ID(t_id, integ_p_map);
		break;

	case IV2_T_DH:
		idstr = STR_OR_ID(t_id, dh_p_map);
		break;

	case IV2_T_ESN:
		idstr = STR_OR_ID(t_id, esn_p_map);
		break;

	default:
		idstr = NULL;
		break;
	}

	/* Unknown transform type: the id is printed numerically (raw t.t_id). */
	if (idstr)
		ND_PRINT((ndo," #%u type=%s id=%s ", pcount,
			  STR_OR_ID(t.t_type, ikev2_t_type_map),
			  idstr));
	else
		ND_PRINT((ndo," #%u type=%s id=%u ", pcount,
			  STR_OR_ID(t.t_type, ikev2_t_type_map),
			  t.t_id));
	/*
	 * Attributes run from the end of the fixed header to the end of the
	 * transform (ep2, from item_len), bounded also by the caller's ep;
	 * the attribute printers return ep + 1 for an attribute that does
	 * not fit, which ends the loop.
	 */
	cp = (u_char *)(p + 1);
	ep2 = (u_char *)p + item_len;
	while (cp < ep && cp < ep2) {
		if (map && nmap) {
			cp = ikev1_attrmap_print(ndo, cp, (ep < ep2) ? ep : ep2,
				map, nmap);
		} else
			cp = ikev1_attr_print(ndo, cp, (ep < ep2) ? ep : ep2);
	}
	/* The transform claims more bytes than lie before ep. */
	if (ep < ep2)
		ND_PRINT((ndo,"..."));
	return cp;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_T)));
	return NULL;
}
2017
/*
 * Print an IKEv2 Proposal substructure (ISAKMP_NPTYPE_P): proposal number,
 * protocol id, transform count, length and SPI, then hand the Transform
 * substructures that follow the SPI to ikev2_sub_print().
 *
 * Returns what ikev2_sub_print() returns for the transforms, or NULL if
 * the packet is truncated.
 */
static const u_char *
ikev2_p_print(netdissect_options *ndo, u_char tpay _U_, int pcount _U_,
	      const struct isakmp_gen *ext, u_int item_len _U_,
	      const u_char *ep, u_int32_t phase, u_int32_t doi0,
	      u_int32_t proto0 _U_, int depth)
{
	const struct ikev2_p *hdr;
	struct ikev2_p prop;
	const u_char *spi;
	const struct isakmp_gen *transforms;

	hdr = (const struct ikev2_p *)ext;
	ND_TCHECK(*hdr);
	safememcpy(&prop, ext, sizeof(prop));
	ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_P), prop.h.critical);

	ND_PRINT((ndo," #%u protoid=%s transform=%d len=%u",
		  prop.p_no, PROTOIDSTR(prop.prot_id),
		  prop.num_t, ntohs(prop.h.len)));

	/* The SPI (spi_size bytes, possibly none) follows the fixed header. */
	spi = (const u_char *)(hdr + 1);
	if (prop.spi_size != 0) {
		ND_PRINT((ndo," spi="));
		if (rawprint(ndo, (caddr_t)spi, prop.spi_size) == 0)
			goto trunc;
	}

	/* The transforms start right after the SPI. */
	transforms = (const struct isakmp_gen *)(spi + prop.spi_size);
	ND_TCHECK(*transforms);

	return ikev2_sub_print(ndo, NULL, ISAKMP_NPTYPE_T, transforms, ep, phase, doi0,
			       prop.prot_id, depth);
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_P)));
	return NULL;
}
2053
/*
 * Print an IKEv2 Security Association payload: the "sa" name with critical
 * flag and the body length, then the Proposal substructures that follow the
 * generic header via ikev2_sub_print() (whose result is not used here).
 *
 * Returns a pointer just past the payload according to its own length
 * field, or NULL if the generic header is truncated.
 */
static const u_char *
ikev2_sa_print(netdissect_options *ndo, u_char tpay,
		const struct isakmp_gen *ext1,
		u_int item_len _U_, const u_char *ep _U_,
		u_int32_t phase _U_, u_int32_t doi _U_,
		u_int32_t proto _U_, int depth _U_)
{
	struct isakmp_gen hdr;
	int total;

	ND_TCHECK(*ext1);
	safememcpy(&hdr, ext1, sizeof(hdr));
	ikev2_pay_print(ndo, "sa", hdr.critical);

	/* total includes the 4-byte generic header; the printed length does not. */
	total = ntohs(hdr.len);
	ND_PRINT((ndo," len=%d", total - 4));

	(void)ikev2_sub_print(ndo, NULL, ISAKMP_NPTYPE_P,
			      ext1+1, ep,
			      0, 0, 0, depth);

	return (const u_char *)ext1 + total;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
	return NULL;
}
2081
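/*
 * Print an IKEv2 Key Exchange payload: the key exchange data length, the
 * Diffie-Hellman group name and, at -vvv, the key exchange data in hex.
 *
 * The payload's fixed header is struct ikev2_ke (the generic header plus
 * the group field and a reserved word); the key exchange data follows it.
 *
 * Returns a pointer just past the payload according to its own length
 * field, or NULL if the packet is truncated.
 */
static const u_char *
ikev2_ke_print(netdissect_options *ndo, u_char tpay,
		const struct isakmp_gen *ext,
		u_int item_len _U_, const u_char *ep _U_,
		u_int32_t phase _U_, u_int32_t doi _U_,
		u_int32_t proto _U_, int depth _U_)
{
	struct ikev2_ke ke;
	const u_char *keydata;
	int len;

	/*
	 * ND_TCHECK(*ext) would only cover the 4-byte generic header, but
	 * the whole struct ikev2_ke is copied out below, so check all of it.
	 */
	ND_TCHECK2(*ext, sizeof(ke));
	safememcpy(&ke, ext, sizeof(ke));
	ikev2_pay_print(ndo, NPSTR(tpay), ke.h.critical);

	len = ntohs(ke.h.len);
	ND_PRINT((ndo," len=%u group=%s", len - 8,
		  STR_OR_ID(ntohs(ke.ke_group), dh_p_map)));

	/* Key exchange data starts after the ikev2_ke header, not the generic one. */
	keydata = (const u_char *)ext + sizeof(ke);
	if (2 < ndo->ndo_vflag && 8 < len) {
		ND_PRINT((ndo," "));
		if (!rawprint(ndo, (caddr_t)keydata, len - 8))
			goto trunc;
	}
	return (const u_char *)ext + len;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
	return NULL;
}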
2110
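/*
 * Print an IKEv2 Identification payload (IDi / IDr).
 *
 * Prints the generic header (length, and at -vvv a hex dump of the whole
 * body), then a label chosen by the id type followed by the type-specific
 * data after the ikev2_id header, shown as ASCII (non-printable bytes as
 * '.') for name-like types and as hex for the others; at -vvv the hex
 * types are therefore shown twice.  Unknown id types get no label and no
 * data dump.
 *
 * Returns a pointer just past the payload according to its own length
 * field, or NULL if the packet is truncated or the payload is shorter than
 * its own fixed header.
 */
static const u_char *
ikev2_ID_print(netdissect_options *ndo, u_char tpay,
		const struct isakmp_gen *ext,
		u_int item_len _U_, const u_char *ep _U_,
		u_int32_t phase _U_, u_int32_t doi _U_,
		u_int32_t proto _U_, int depth _U_)
{
	struct ikev2_id id;
	int id_len, idtype_len, i;
	unsigned int dumpascii, dumphex;
	const unsigned char *typedata;

	/*
	 * ND_TCHECK(*ext) would only cover the 4-byte generic header, but
	 * the whole struct ikev2_id is copied out below, so check all of it.
	 */
	ND_TCHECK2(*ext, sizeof(id));
	safememcpy(&id, ext, sizeof(id));
	ikev2_pay_print(ndo, NPSTR(tpay), id.h.critical);

	id_len = ntohs(id.h.len);

	ND_PRINT((ndo," len=%d", id_len - 4));
	if (2 < ndo->ndo_vflag && 4 < id_len) {
		ND_PRINT((ndo," "));
		if (!rawprint(ndo, (caddr_t)(ext + 1), id_len - 4))
			goto trunc;
	}

	/*
	 * A payload shorter than its own fixed header is malformed; without
	 * this test idtype_len would go negative and then wrap to a huge
	 * unsigned length in the bounds checks below.
	 */
	if ((size_t)id_len < sizeof(struct ikev2_id))
		goto trunc;
	idtype_len = id_len - (int)sizeof(struct ikev2_id);
	dumpascii = 0;
	dumphex   = 0;
	typedata  = (const unsigned char *)ext + sizeof(struct ikev2_id);

	switch(id.type) {
	case ID_IPV4_ADDR:
		ND_PRINT((ndo, " ipv4:"));
		dumphex=1;
		break;
	case ID_FQDN:
		ND_PRINT((ndo, " fqdn:"));
		dumpascii=1;
		break;
	case ID_RFC822_ADDR:
		ND_PRINT((ndo, " rfc822:"));
		dumpascii=1;
		break;
	case ID_IPV6_ADDR:
		ND_PRINT((ndo, " ipv6:"));
		dumphex=1;
		break;
	case ID_DER_ASN1_DN:
		ND_PRINT((ndo, " dn:"));
		dumphex=1;
		break;
	case ID_DER_ASN1_GN:
		ND_PRINT((ndo, " gn:"));
		dumphex=1;
		break;
	case ID_KEY_ID:
		ND_PRINT((ndo, " keyid:"));
		dumphex=1;
		break;
	default:
		/* Unknown id type: nothing beyond the generic header is shown. */
		break;
	}

	if(dumpascii) {
		ND_TCHECK2(*typedata, idtype_len);
		for(i=0; i<idtype_len; i++) {
			/* typedata is unsigned char, so isprint() gets a valid argument. */
			if(isprint(typedata[i])) {
				ND_PRINT((ndo, "%c", typedata[i]));
			} else {
				ND_PRINT((ndo, "."));
			}
		}
	}
	if(dumphex) {
		/* rawprint() does its own capture-bound check. */
		if (!rawprint(ndo, (caddr_t)typedata, idtype_len))
			goto trunc;
	}

	return (const u_char *)ext + id_len;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
	return NULL;
}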
2192
/*
 * Certificate (CERT) payload. Nothing payload-specific is decoded
 * here; the generic payload printer handles it. Returns whatever
 * ikev2_gen_print() returns.
 */
static const u_char *
ikev2_cert_print(netdissect_options *ndo, u_char tpay,
		const struct isakmp_gen *ext,
		u_int item_len _U_, const u_char *ep _U_,
		u_int32_t phase _U_, u_int32_t doi _U_,
		u_int32_t proto _U_, int depth _U_)
{
	const u_char *next;

	next = ikev2_gen_print(ndo, tpay, ext);
	return next;
}
2202
/*
 * Certificate Request (CERTREQ) payload. Nothing payload-specific is
 * decoded here; the generic payload printer handles it. Returns
 * whatever ikev2_gen_print() returns.
 */
static const u_char *
ikev2_cr_print(netdissect_options *ndo, u_char tpay,
		const struct isakmp_gen *ext,
		u_int item_len _U_, const u_char *ep _U_,
		u_int32_t phase _U_, u_int32_t doi _U_,
		u_int32_t proto _U_, int depth _U_)
{
	const u_char *next;

	next = ikev2_gen_print(ndo, tpay, ext);
	return next;
}
2212
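/*
 * Print an IKEv2 Authentication (AUTH) payload: the generic header,
 * the authentication method and, depending on verbosity, all (-vv) or
 * an abbreviated part (-v) of the authentication data that fills the
 * rest of the payload.
 *
 * Returns a pointer just past the payload (per its length field), or
 * NULL after a "[|...]" marker if the fixed AUTH header is not captured
 * or the data dump runs past the captured data.
 */
static const u_char *
ikev2_auth_print(netdissect_options *ndo, u_char tpay,
		const struct isakmp_gen *ext,
		u_int item_len _U_, const u_char *ep,
		u_int32_t phase _U_, u_int32_t doi _U_,
		u_int32_t proto _U_, int depth _U_)
{
	struct ikev2_auth a;
	const struct ikev2_auth *ap;
	static const char *v2_auth[] = { "invalid", "rsasig",
					 "shared-secret", "dsssig" };
	const u_char *authdata, *pend;
	u_int len;

	ap = (const struct ikev2_auth *)ext;
	/*
	 * Check the whole AUTH header (generic header, method, reserved
	 * bytes), which is longer than the generic header alone; a check
	 * on *ext would leave the tail of the copy below unchecked.
	 */
	ND_TCHECK(*ap);
	safememcpy(&a, ext, sizeof(a));
	ikev2_pay_print(ndo, NPSTR(tpay), a.h.critical);
	len = ntohs(a.h.len);

	ND_PRINT((ndo," len=%u method=%s", len - 4,
		  STR_OR_ID(a.auth_method, v2_auth)));

	/*
	 * The authentication data follows the fixed header and runs to the
	 * end of the payload. Bound the abbreviated dump by the payload end
	 * (clamped to the snapshot end for safety) rather than by the
	 * snapshot end alone, so it cannot reach into following payloads.
	 */
	authdata = (const u_char *)ext + sizeof(a);
	pend = (const u_char *)ext + len;
	if (pend > ep)
		pend = ep;

	/* a payload shorter than its fixed header carries no data at all */
	if (len >= sizeof(a)) {
		if (1 < ndo->ndo_vflag) {
			ND_PRINT((ndo," authdata=("));
			if (!rawprint(ndo, (caddr_t)authdata, (u_int)(len - sizeof(a))))
				goto trunc;
			ND_PRINT((ndo,") "));
		} else if (ndo->ndo_vflag) {
			if (!ike_show_somedata(ndo, authdata, pend))
				goto trunc;
		}
	}

	return (const u_char *)ext + len;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
	return NULL;
}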
2248
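/*
 * Print an IKEv2 Nonce (Ni/Nr) payload: the generic header and,
 * depending on verbosity, all (-vv) or an abbreviated part (-v) of the
 * nonce bytes that fill the rest of the payload.
 *
 * Returns a pointer just past the payload (per its length field), or
 * NULL after a "[|...]" marker if the header is not captured or the
 * dump runs past the captured data.
 */
static const u_char *
ikev2_nonce_print(netdissect_options *ndo, u_char tpay,
		const struct isakmp_gen *ext,
		u_int item_len _U_, const u_char *ep,
		u_int32_t phase _U_, u_int32_t doi _U_,
		u_int32_t proto _U_, int depth _U_)
{
	struct isakmp_gen e;
	const u_char *nonce, *pend;
	u_int len;

	ND_TCHECK(*ext);
	safememcpy(&e, ext, sizeof(e));
	ikev2_pay_print(ndo, "nonce", e.critical);

	len = ntohs(e.len);
	nonce = (const u_char *)(ext + 1);
	/*
	 * The nonce fills the rest of the payload. Bound the abbreviated
	 * dump by the payload end (clamped to the snapshot end for safety)
	 * rather than by the snapshot end alone, which would let it reach
	 * into the payloads that follow this one.
	 */
	pend = (const u_char *)ext + len;
	if (pend > ep)
		pend = ep;

	ND_PRINT((ndo," len=%u", len - 4));
	if (1 < ndo->ndo_vflag && 4 < len) {
		ND_PRINT((ndo," nonce=("));
		/* rawprint() checks the dump against the snapshot end itself */
		if (!rawprint(ndo, (caddr_t)nonce, len - 4))
			goto trunc;
		ND_PRINT((ndo,") "));
	} else if (ndo->ndo_vflag && 4 < len) {
		if (!ike_show_somedata(ndo, nonce, pend))
			goto trunc;
	}

	return (const u_char *)ext + len;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
	return NULL;
}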
2277
2278 /* notify payloads */
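/*
 * Print an IKEv2 Notify (N) payload: the generic header, the protocol
 * ID, the notify message type (by name where known, otherwise by the
 * range it falls in), the SPI for the types that carry one and, for
 * -vvvv or for the few types where it is useful (cookies), the
 * notification data.
 *
 * The SPI immediately follows the fixed header and the notification
 * data runs from the end of the SPI to the end of the payload, i.e.
 * item_len bytes from ext, which the caller has already verified to
 * be captured. Both are bounded by that payload end here, so neither
 * the SPI nor the data dump can spill into the payloads that follow.
 *
 * Returns a pointer just past the payload, or NULL after a "[|N]"
 * marker if the fixed header is not captured, the SPI does not fit
 * inside the payload, or a dump runs past the captured data.
 */
static const u_char *
ikev2_n_print(netdissect_options *ndo, u_char tpay _U_,
		const struct isakmp_gen *ext,
		u_int item_len, const u_char *ep,
		u_int32_t phase _U_, u_int32_t doi _U_,
		u_int32_t proto _U_, int depth _U_)
{
	const struct ikev2_n *p;
	struct ikev2_n n;
	const u_char *cp, *pend;
	u_char showspi, showdata, showsomedata;
	const char *notify_name;
	u_int32_t type;

	p = (const struct ikev2_n *)ext;
	/* the fixed notify header is longer than the generic one; check it all */
	ND_TCHECK(*p);
	safememcpy(&n, ext, sizeof(n));
	ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_N), n.h.critical);

	showspi = 1;
	showdata = 0;
	showsomedata = 0;
	notify_name = NULL;

	ND_PRINT((ndo," prot_id=%s", PROTOIDSTR(n.prot_id)));

	type = ntohs(n.type);

	/* the notify type space is annoyingly sparse */
	switch (type) {
	case IV2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD:
		notify_name = "unsupported_critical_payload";
		showspi = 0;
		break;

	case IV2_NOTIFY_INVALID_IKE_SPI:
		notify_name = "invalid_ike_spi";
		showspi = 1;
		break;

	case IV2_NOTIFY_INVALID_MAJOR_VERSION:
		notify_name = "invalid_major_version";
		showspi = 0;
		break;

	case IV2_NOTIFY_INVALID_SYNTAX:
		notify_name = "invalid_syntax";
		showspi = 1;
		break;

	case IV2_NOTIFY_INVALID_MESSAGE_ID:
		notify_name = "invalid_message_id";
		showspi = 1;
		break;

	case IV2_NOTIFY_INVALID_SPI:
		notify_name = "invalid_spi";
		showspi = 1;
		break;

	case IV2_NOTIFY_NO_PROPOSAL_CHOSEN:
		notify_name = "no_protocol_chosen";
		showspi = 1;
		break;

	case IV2_NOTIFY_INVALID_KE_PAYLOAD:
		notify_name = "invalid_ke_payload";
		showspi = 1;
		break;

	case IV2_NOTIFY_AUTHENTICATION_FAILED:
		notify_name = "authentication_failed";
		showspi = 1;
		break;

	case IV2_NOTIFY_SINGLE_PAIR_REQUIRED:
		notify_name = "single_pair_required";
		showspi = 1;
		break;

	case IV2_NOTIFY_NO_ADDITIONAL_SAS:
		notify_name = "no_additional_sas";
		showspi = 0;
		break;

	case IV2_NOTIFY_INTERNAL_ADDRESS_FAILURE:
		notify_name = "internal_address_failure";
		showspi = 0;
		break;

	case IV2_NOTIFY_FAILED_CP_REQUIRED:
		notify_name = "failed:cp_required";
		showspi = 0;
		break;

	case IV2_NOTIFY_INVALID_SELECTORS:
		notify_name = "invalid_selectors";
		showspi = 0;
		break;

	case IV2_NOTIFY_INITIAL_CONTACT:
		notify_name = "initial_contact";
		showspi = 0;
		break;

	case IV2_NOTIFY_SET_WINDOW_SIZE:
		notify_name = "set_window_size";
		showspi = 0;
		break;

	case IV2_NOTIFY_ADDITIONAL_TS_POSSIBLE:
		notify_name = "additional_ts_possible";
		showspi = 0;
		break;

	case IV2_NOTIFY_IPCOMP_SUPPORTED:
		notify_name = "ipcomp_supported";
		showspi = 0;
		break;

	case IV2_NOTIFY_NAT_DETECTION_SOURCE_IP:
		notify_name = "nat_detection_source_ip";
		showspi = 1;
		break;

	case IV2_NOTIFY_NAT_DETECTION_DESTINATION_IP:
		notify_name = "nat_detection_destination_ip";
		showspi = 1;
		break;

	case IV2_NOTIFY_COOKIE:
		notify_name = "cookie";
		showspi = 1;
		showsomedata = 1;
		showdata = 0;
		break;

	case IV2_NOTIFY_USE_TRANSPORT_MODE:
		notify_name = "use_transport_mode";
		showspi = 0;
		break;

	case IV2_NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED:
		notify_name = "http_cert_lookup_supported";
		showspi = 0;
		break;

	case IV2_NOTIFY_REKEY_SA:
		notify_name = "rekey_sa";
		showspi = 1;
		break;

	case IV2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED:
		notify_name = "tfc_padding_not_supported";
		showspi = 0;
		break;

	case IV2_NOTIFY_NON_FIRST_FRAGMENTS_ALSO:
		notify_name = "non_first_fragment_also";
		showspi = 0;
		break;

	default:
		/* unknown type: classify it by the range it falls in */
		if (type < 8192) {
			notify_name = "error";
		} else if (type < 16384) {
			notify_name = "private-error";
		} else if (type < 40960) {
			notify_name = "status";
		} else {
			notify_name = "private-status";
		}
	}

	if (notify_name) {
		ND_PRINT((ndo," type=%u(%s)", type, notify_name));
	}

	/*
	 * Everything after the fixed header belongs to this payload and
	 * ends at item_len; clamp to the snapshot end as well so that a
	 * caller that did not check the full item cannot push us past it.
	 * The SPI must fit inside that region.
	 */
	cp = (const u_char *)(p + 1);
	pend = (const u_char *)ext + item_len;
	if (pend > ep)
		pend = ep;
	if (pend < cp || (size_t)(pend - cp) < n.spi_size)
		goto trunc;

	if (showspi && n.spi_size) {
		ND_PRINT((ndo," spi="));
		if (!rawprint(ndo, (caddr_t)cp, n.spi_size))
			goto trunc;
	}

	cp += n.spi_size;

	if (3 < ndo->ndo_vflag) {
		showdata = 1;
	}

	if (cp < pend) {
		/* short data is shown in full; longer data only in part */
		if (showdata || (showsomedata && pend - cp < 30)) {
			ND_PRINT((ndo," data=("));
			if (!rawprint(ndo, (caddr_t)cp, (u_int)(pend - cp)))
				goto trunc;

			ND_PRINT((ndo,")"));

		} else if (showsomedata) {
			if (!ike_show_somedata(ndo, cp, pend))
				goto trunc;
		}
	}

	return (const u_char *)ext + item_len;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_N)));
	return NULL;
}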
2485
/*
 * Delete (D) payload. Nothing payload-specific is decoded here; the
 * generic payload printer handles it. Returns whatever
 * ikev2_gen_print() returns.
 */
static const u_char *
ikev2_d_print(netdissect_options *ndo, u_char tpay,
		const struct isakmp_gen *ext,
		u_int item_len _U_, const u_char *ep _U_,
		u_int32_t phase _U_, u_int32_t doi _U_,
		u_int32_t proto _U_, int depth _U_)
{
	const u_char *next;

	next = ikev2_gen_print(ndo, tpay, ext);
	return next;
}
2495
/*
 * Print an IKEv2 Vendor ID (V) payload: the generic header, the vendor
 * ID bytes as printable ASCII (non-printable bytes become '.') and, at
 * -vvv, a hex dump of the same bytes. The hex dump is only produced
 * when the vendor ID is longer than four bytes.
 *
 * Returns a pointer just past the payload (per its length field), or
 * NULL after a "[|...]" marker if the header or the vendor ID bytes
 * are not fully captured.
 */
static const u_char *
ikev2_vid_print(netdissect_options *ndo, u_char tpay,
		const struct isakmp_gen *ext,
		u_int item_len _U_, const u_char *ep _U_,
		u_int32_t phase _U_, u_int32_t doi _U_,
		u_int32_t proto _U_, int depth _U_)
{
	struct isakmp_gen hdr;
	const u_char *vid, *vidend;
	int vidlen;

	ND_TCHECK(*ext);
	safememcpy(&hdr, ext, sizeof(hdr));
	ikev2_pay_print(ndo, NPSTR(tpay), hdr.critical);

	vidlen = ntohs(hdr.len) - 4;
	ND_PRINT((ndo," len=%d vid=", vidlen));

	vid = (const u_char *)(ext + 1);
	/* the whole vendor ID must be captured before it is read */
	ND_TCHECK2(*vid, vidlen);
	for (vidend = vid + vidlen; vid < vidend; vid++)
		ND_PRINT((ndo, "%c", isprint(*vid) ? *vid : '.'));

	if (2 < ndo->ndo_vflag && 4 < vidlen) {
		ND_PRINT((ndo," "));
		if (!rawprint(ndo, (caddr_t)(ext + 1), vidlen))
			goto trunc;
	}
	return (const u_char *)ext + ntohs(hdr.len);
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
	return NULL;
}
2529
/*
 * Traffic Selector (TSi/TSr) payload. Nothing payload-specific is
 * decoded here; the generic payload printer handles it. Returns
 * whatever ikev2_gen_print() returns.
 */
static const u_char *
ikev2_TS_print(netdissect_options *ndo, u_char tpay,
		const struct isakmp_gen *ext,
		u_int item_len _U_, const u_char *ep _U_,
		u_int32_t phase _U_, u_int32_t doi _U_,
		u_int32_t proto _U_, int depth _U_)
{
	const u_char *next;

	next = ikev2_gen_print(ndo, tpay, ext);
	return next;
}
2539
/*
 * Print an IKEv2 Encrypted (SK/E) payload: the generic header, at -vvv
 * a hex dump of the ciphertext and, when built with libcrypto and a
 * matching -E secret is known, the decrypted payloads inside it.
 *
 * base is the ISAKMP header of the enclosing message; its initiator
 * flag and cookies select the key material. phase/doi/proto/depth are
 * passed through to the printer for the decrypted contents and are
 * unused (hence _U_) without libcrypto.
 *
 * Always returns NULL: the encrypted payload is the last one in the
 * message, and its "next payload" field describes the first payload
 * inside the ciphertext, not one that follows it.
 */
static const u_char *
ikev2_e_print(netdissect_options *ndo,
#ifndef HAVE_LIBCRYPTO
	      _U_
#endif
	      struct isakmp *base,
	      u_char tpay,
	      const struct isakmp_gen *ext,
	      u_int item_len _U_, const u_char *ep _U_,
#ifndef HAVE_LIBCRYPTO
	      _U_
#endif
	      u_int32_t phase,
#ifndef HAVE_LIBCRYPTO
	      _U_
#endif
	      u_int32_t doi,
#ifndef HAVE_LIBCRYPTO
	      _U_
#endif
	      u_int32_t proto,
#ifndef HAVE_LIBCRYPTO
	      _U_
#endif
	      int depth)
{
	struct isakmp_gen e;
	u_char *dat;
	/* NOTE(review): volatile kept from the original; its reason is not visible here */
	volatile int dlen;

	ND_TCHECK(*ext);
	safememcpy(&e, ext, sizeof(e));
	ikev2_pay_print(ndo, NPSTR(tpay), e.critical);

	/* everything after the generic header is ciphertext (IV, data, ICV) */
	dlen = ntohs(e.len)-4;

	ND_PRINT((ndo," len=%d", dlen));
	/* raw dump only for more than four bytes of ciphertext (the threshold is on dlen here) */
	if (2 < ndo->ndo_vflag && 4 < dlen) {
		ND_PRINT((ndo," "));
		if (!rawprint(ndo, (caddr_t)(ext + 1), dlen))
			goto trunc;
	}

	dat = (u_char *)(ext+1);
	/* the whole ciphertext must be captured before it is handed to the decryptor */
	ND_TCHECK2(*dat, dlen);

#ifdef HAVE_LIBCRYPTO
	/* try to decrypt it! */
	if(esp_print_decrypt_buffer_by_ikev2(ndo,
					     base->flags & ISAKMP_FLAG_I,
					     base->i_ck, base->r_ck,
					     dat, dat+dlen)) {

		/*
		 * NOTE(review): on success the helper appears to point
		 * ndo_packetp/ndo_snapend at the plaintext buffer, which is
		 * why the payload pointer is re-read from there - confirm
		 * against print-esp.c.
		 */
		ext = (const struct isakmp_gen *)ndo->ndo_packetp;

		/* got it decrypted, print stuff inside. */
		ikev2_sub_print(ndo, base, e.np, ext, ndo->ndo_snapend,
				phase, doi, proto, depth+1);
	}
#endif


	/* always return NULL, because E must be at end, and NP refers
	 * to what was inside.
	 */
	return NULL;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
	return NULL;
}
2610
/*
 * Configuration (CP) payload. Nothing payload-specific is decoded
 * here; the generic payload printer handles it. Returns whatever
 * ikev2_gen_print() returns.
 */
static const u_char *
ikev2_cp_print(netdissect_options *ndo, u_char tpay,
		const struct isakmp_gen *ext,
		u_int item_len _U_, const u_char *ep _U_,
		u_int32_t phase _U_, u_int32_t doi _U_,
		u_int32_t proto _U_, int depth _U_)
{
	const u_char *next;

	next = ikev2_gen_print(ndo, tpay, ext);
	return next;
}
2620
/*
 * Extensible Authentication (EAP) payload. Nothing payload-specific
 * is decoded here; the generic payload printer handles it. Returns
 * whatever ikev2_gen_print() returns.
 */
static const u_char *
ikev2_eap_print(netdissect_options *ndo, u_char tpay,
		const struct isakmp_gen *ext,
		u_int item_len _U_, const u_char *ep _U_,
		u_int32_t phase _U_, u_int32_t doi _U_,
		u_int32_t proto _U_, int depth _U_)
{
	const u_char *next;

	next = ikev2_gen_print(ndo, tpay, ext);
	return next;
}
2630
/*
 * Print one IKEv1 payload whose type is np and which starts at ext.
 *
 * The payload's length field is read first; anything of four bytes or
 * less cannot hold a generic header plus data, and accepting it would
 * let the caller's loop spin on zero-length items, so such a payload
 * yields NULL. Types with a dedicated printer in npfunc[] are handed
 * to it; other types get their name printed and are skipped whole.
 *
 * Returns a pointer to the next payload, or NULL when the payload is
 * nonsensical, not captured, or its printer gave up.
 */
static const u_char *
ike_sub0_print(netdissect_options *ndo,
		 u_char np, const struct isakmp_gen *ext, const u_char *ep,
		 u_int32_t phase, u_int32_t doi, u_int32_t proto, int depth)
{
	struct isakmp_gen hdr;
	u_int item_len;

	ND_TCHECK(*ext);
	safememcpy(&hdr, ext, sizeof(hdr));

	item_len = ntohs(hdr.len);
	if (item_len <= 4)
		return NULL;

	/*
	 * XXX - the per-type printers still have to cope with an
	 * item_len that is too short or too long for their payload.
	 */
	if (NPFUNC(np))
		return (*npfunc[np])(ndo, np, ext, item_len, ep, phase, doi, proto, depth);

	ND_PRINT((ndo,"%s", NPSTR(np)));
	return (const u_char *)ext + item_len;
trunc:
	ND_PRINT((ndo," [|isakmp]"));
	return NULL;
}
2671
/*
 * Walk and print the chain of IKEv1 payloads that starts with type np
 * at ext, following each payload's "next payload" field until it is
 * zero. Each payload is printed on its own line, indented one space
 * per nesting level, inside parentheses.
 *
 * Every payload is checked to be fully captured (per its length field)
 * before it is printed. Returns a pointer past the last payload, or
 * NULL when a payload is truncated or ike_sub0_print() rejected one.
 */
static const u_char *
ikev1_sub_print(netdissect_options *ndo,
		u_char np, const struct isakmp_gen *ext, const u_char *ep,
		u_int32_t phase, u_int32_t doi, u_int32_t proto, int depth)
{
	const u_char *cp = (const u_char *)ext;
	struct isakmp_gen hdr;
	int indent;

	while (np) {
		ND_TCHECK(*ext);
		safememcpy(&hdr, ext, sizeof(hdr));
		/* the whole payload, not just its header, must be captured */
		ND_TCHECK2(*ext, ntohs(hdr.len));

		ND_PRINT((ndo,"\n"));
		for (indent = 0; indent <= depth; indent++)
			ND_PRINT((ndo," "));
		ND_PRINT((ndo,"("));
		cp = ike_sub0_print(ndo, np, ext, ep, phase, doi, proto, depth + 1);
		ND_PRINT((ndo,")"));

		if (cp == NULL) {
			/* zero-length or otherwise unparseable subitem */
			return NULL;
		}

		np = hdr.np;
		ext = (const struct isakmp_gen *)cp;
	}
	return cp;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(np)));
	return NULL;
}
2712
/*
 * Format an integer as "#<n>" for the STR_OR_ID() fallback when a
 * value has no name in its table.
 *
 * The result lives in a single static buffer, so it is overwritten by
 * the next call and the function is not reentrant; callers must use
 * the string before calling numstr() again.
 */
static char *
numstr(int x)
{
	static char buf[20];

	buf[0] = '#';
	snprintf(buf + 1, sizeof(buf) - 1, "%d", x);
	return buf;
}
2720
2721 /*
2722 * some compiler tries to optimize memcpy(), using the alignment constraint
2723 * on the argument pointer type. by using this function, we try to avoid the
2724 * optimization.
2725 */
/*
 * Copy l bytes from q to p. A plain memcpy() wrapper whose only purpose
 * is to hide the (possibly unaligned) source pointer's declared type
 * from the compiler; the regions must not overlap, as with memcpy().
 */
static void
safememcpy(void *p, const void *q, size_t l)
{
	unsigned char *dst = p;
	const unsigned char *src = q;

	(void)memcpy(dst, src, l);
}
2731
/*
 * Print an IKEv1 message whose fixed header has already been copied
 * into *base: the phase, which side sent it (from the cookie table),
 * the exchange type and flags, then (with -v) the payload chain, or an
 * "[encrypted ...]" marker when the E flag is set, and finally a note
 * if the header's length disagrees with the UDP length.
 *
 * bp points at the on-wire header, length is the UDP payload length
 * and bp2 is the enclosing IP header used for the cookie bookkeeping.
 */
static void
ikev1_print(netdissect_options *ndo,
	    const u_char *bp, u_int length,
	    const u_char *bp2, struct isakmp *base)
{
	const struct isakmp *p = (const struct isakmp *)bp;
	const u_char *ep = ndo->ndo_snapend;	/* also used by CHECKLEN */
	const char *role;
	int phase, idx;

	/* a zero message ID marks phase 1; anything else is phase 2 */
	phase = (EXTRACT_32BITS(base->msgid) == 0) ? 1 : 2;
	if (phase == 1)
		ND_PRINT((ndo," phase %d", phase));
	else
		ND_PRINT((ndo," phase %d/others", phase));

	/*
	 * Work out whether this packet comes from the initiator ("I"),
	 * the responder ("R") or an unknown side ("?"). A packet whose
	 * initiator cookie is not yet known and whose responder cookie
	 * is all zero is the first of an exchange and is recorded.
	 */
	idx = cookie_find(&base->i_ck);
	if (idx < 0) {
		if (iszero((u_char *)&base->r_ck, sizeof(base->r_ck))) {
			role = "I";
			if (bp2)
				cookie_record(&base->i_ck, bp2);
		} else
			role = "?";
	} else if (bp2 && cookie_isinitiator(idx, bp2))
		role = "I";
	else if (bp2 && cookie_isresponder(idx, bp2))
		role = "R";
	else
		role = "?";
	ND_PRINT((ndo," %s", role));

	ND_PRINT((ndo," %s", ETYPESTR(base->etype)));
	if (base->flags) {
		ND_PRINT((ndo,"[%s%s]", base->flags & ISAKMP_FLAG_E ? "E" : "",
			  base->flags & ISAKMP_FLAG_C ? "C" : ""));
	}

	if (ndo->ndo_vflag) {
		ND_PRINT((ndo,":"));

		/* regardless of phase... */
		if (base->flags & ISAKMP_FLAG_E) {
			/* payloads are encrypted; nothing more can be dissected */
			ND_PRINT((ndo," [encrypted %s]", NPSTR(base->np)));
			goto done;
		}

		CHECKLEN(p + 1, base->np);
		ikev1_sub_print(ndo, base->np, (const struct isakmp_gen *)(p + 1),
				ep, phase, 0, 0, 0);
	}

done:
	if (ndo->ndo_vflag && ntohl(base->len) != length) {
		ND_PRINT((ndo," (len mismatch: isakmp %u/ip %u)",
			  (u_int32_t)ntohl(base->len), length));
	}
}
2805
/*
 * Print one IKEv2 payload of type np starting at ext. pcount is the
 * payload's ordinal within the current chain (needed by the proposal
 * and transform printers); base is the enclosing ISAKMP header (needed
 * by the encrypted-payload printer).
 *
 * A length field of four bytes or less cannot hold a generic header
 * plus data and would make the caller's loop spin, so such a payload
 * yields NULL. Proposal, transform and encrypted payloads have their
 * own entry points; other types with a printer in npfunc[] are handed
 * to it, and the rest get their name printed and are skipped whole.
 *
 * Returns a pointer to the next payload, or NULL when the payload is
 * nonsensical, not captured, or its printer gave up.
 */
static const u_char *
ikev2_sub0_print(netdissect_options *ndo, struct isakmp *base,
		 u_char np, int pcount,
		 const struct isakmp_gen *ext, const u_char *ep,
		 u_int32_t phase, u_int32_t doi, u_int32_t proto, int depth)
{
	struct isakmp_gen hdr;
	u_int item_len;

	ND_TCHECK(*ext);
	safememcpy(&hdr, ext, sizeof(hdr));

	item_len = ntohs(hdr.len);
	if (item_len <= 4)
		return NULL;

	switch (np) {
	case ISAKMP_NPTYPE_P:
		return ikev2_p_print(ndo, np, pcount, ext, item_len,
				     ep, phase, doi, proto, depth);
	case ISAKMP_NPTYPE_T:
		return ikev2_t_print(ndo, np, pcount, ext, item_len,
				     ep, phase, doi, proto, depth);
	case ISAKMP_NPTYPE_v2E:
		return ikev2_e_print(ndo, base, np, ext, item_len,
				     ep, phase, doi, proto, depth);
	default:
		break;
	}

	/*
	 * XXX - the per-type printers still have to cope with an
	 * item_len that is too short or too long for their payload.
	 */
	if (NPFUNC(np))
		return (*npfunc[np])(ndo, np, ext, item_len,
				     ep, phase, doi, proto, depth);

	ND_PRINT((ndo,"%s", NPSTR(np)));
	return (const u_char *)ext + item_len;
trunc:
	ND_PRINT((ndo," [|isakmp]"));
	return NULL;
}
2856
/*
 * Walk and print the chain of IKEv2 payloads that starts with type np
 * at ext, following each payload's "next payload" field until it is
 * zero. Each payload is printed on its own line, indented one space
 * per nesting level, inside parentheses; its ordinal in the chain is
 * passed down for the proposal/transform printers.
 *
 * Every payload is checked to be fully captured (per its length field)
 * before it is printed. Returns a pointer past the last payload, or
 * NULL when a payload is truncated or ikev2_sub0_print() rejected one.
 */
static const u_char *
ikev2_sub_print(netdissect_options *ndo,
		struct isakmp *base,
		u_char np, const struct isakmp_gen *ext, const u_char *ep,
		u_int32_t phase, u_int32_t doi, u_int32_t proto, int depth)
{
	const u_char *cp = (const u_char *)ext;
	struct isakmp_gen hdr;
	int pcount = 0;
	int indent;

	while (np) {
		pcount++;
		ND_TCHECK(*ext);
		safememcpy(&hdr, ext, sizeof(hdr));
		/* the whole payload, not just its header, must be captured */
		ND_TCHECK2(*ext, ntohs(hdr.len));

		ND_PRINT((ndo,"\n"));
		for (indent = 0; indent <= depth; indent++)
			ND_PRINT((ndo," "));
		ND_PRINT((ndo,"("));
		cp = ikev2_sub0_print(ndo, base, np, pcount,
				      ext, ep, phase, doi, proto, depth + 1);
		ND_PRINT((ndo,")"));

		if (cp == NULL) {
			/* zero-length or otherwise unparseable subitem */
			return NULL;
		}

		np = hdr.np;
		ext = (const struct isakmp_gen *)cp;
	}
	return cp;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(np)));
	return NULL;
}
2901
/*
 * Print an IKEv2 message whose fixed header has already been copied
 * into *base: whether it concerns the parent (IKE) SA or a child SA,
 * the exchange type and flags, then (with -v) the payload chain, or an
 * "[encrypted ...]" marker when the E flag is set, and finally a note
 * if the header's length disagrees with the UDP length.
 *
 * bp points at the on-wire header and length is the UDP payload
 * length; bp2 is unused for IKEv2.
 */
static void
ikev2_print(netdissect_options *ndo,
	    const u_char *bp, u_int length,
	    const u_char *bp2 _U_, struct isakmp *base)
{
	const struct isakmp *p = (const struct isakmp *)bp;
	const u_char *ep = ndo->ndo_snapend;	/* also used by CHECKLEN */
	int phase;

	/* a zero message ID means the IKE SA itself is being negotiated */
	phase = (EXTRACT_32BITS(base->msgid) == 0) ? 1 : 2;
	ND_PRINT((ndo, phase == 1 ? " parent_sa" : " child_sa "));

	ND_PRINT((ndo, " %s", ETYPESTR(base->etype)));
	if (base->flags) {
		ND_PRINT((ndo, "[%s%s%s]",
			  base->flags & ISAKMP_FLAG_I ? "I" : "",
			  base->flags & ISAKMP_FLAG_V ? "V" : "",
			  base->flags & ISAKMP_FLAG_R ? "R" : ""));
	}

	if (ndo->ndo_vflag) {
		ND_PRINT((ndo, ":"));

		/* regardless of phase... */
		if (base->flags & ISAKMP_FLAG_E) {
			/* payloads are encrypted; nothing more can be dissected here */
			ND_PRINT((ndo, " [encrypted %s]", NPSTR(base->np)));
			goto done;
		}

		CHECKLEN(p + 1, base->np);
		ikev2_sub_print(ndo, base, base->np,
				(const struct isakmp_gen *)(p + 1), ep,
				phase, 0, 0, 0);
	}

done:
	if (ndo->ndo_vflag && ntohl(base->len) != length) {
		ND_PRINT((ndo, " (len mismatch: isakmp %u/ip %u)",
			  (u_int32_t)ntohl(base->len), length));
	}
}
2959
/*
 * Entry point for an ISAKMP/IKE message: check that the fixed header
 * is captured, print the version, message ID and cookies according to
 * verbosity, then dispatch on the major version to the IKEv1 or IKEv2
 * printer. Unknown major versions print nothing after the colon.
 *
 * bp points at the ISAKMP header, length is the UDP payload length and
 * bp2 is the enclosing IP header (for IKEv1 cookie tracking).
 */
void
isakmp_print(netdissect_options *ndo,
	     const u_char *bp, u_int length,
	     const u_char *bp2)
{
	const struct isakmp *p;
	struct isakmp base;
	const u_char *ep;
	int major, minor;

#ifdef HAVE_LIBCRYPTO
	/* parse the -E secrets once, so encrypted IKEv2 payloads can be decrypted */
	if (ndo->ndo_sa_list_head == NULL && ndo->ndo_espsecret)
		esp_print_decodesecret(ndo);
#endif

	p = (const struct isakmp *)bp;
	ep = ndo->ndo_snapend;

	/* the whole fixed header must lie within the captured data */
	if (ep < (const u_char *)(p + 1)) {
		ND_PRINT((ndo,"[|isakmp]"));
		return;
	}

	safememcpy(&base, p, sizeof(base));

	ND_PRINT((ndo,"isakmp"));
	major = (base.vers & ISAKMP_VERS_MAJOR) >> ISAKMP_VERS_MAJOR_SHIFT;
	minor = (base.vers & ISAKMP_VERS_MINOR) >> ISAKMP_VERS_MINOR_SHIFT;

	if (ndo->ndo_vflag) {
		ND_PRINT((ndo," %d.%d", major, minor));
		ND_PRINT((ndo," msgid "));
		hexprint(ndo, (caddr_t)&base.msgid, sizeof(base.msgid));
	}

	if (1 < ndo->ndo_vflag) {
		ND_PRINT((ndo," cookie "));
		hexprint(ndo, (caddr_t)&base.i_ck, sizeof(base.i_ck));
		ND_PRINT((ndo,"->"));
		hexprint(ndo, (caddr_t)&base.r_ck, sizeof(base.r_ck));
	}
	ND_PRINT((ndo,":"));

	switch (major) {
	case IKEv1_MAJOR_VERSION:
		ikev1_print(ndo, bp, length, bp2, &base);
		break;

	case IKEv2_MAJOR_VERSION:
		ikev2_print(ndo, bp, length, bp2, &base);
		break;

	default:
		/* unknown major version: header already printed, nothing more */
		break;
	}
}
3021
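/*
 * Print UDP-encapsulated IKE/ESP traffic (RFC 3948, UDP port 4500).
 * A one-byte 0xff payload is a NAT keep-alive; a four-byte zero
 * non-ESP marker means an IKE message follows; anything else is an
 * ESP packet, which is handed to esp_print() and, if that manages to
 * decrypt it, its inner IP packet is printed.
 *
 * length is the on-the-wire UDP payload length, not the number of
 * bytes actually captured, so every byte read from bp here is first
 * checked against the snapshot end.
 */
void
isakmp_rfc3948_print(netdissect_options *ndo,
		     const u_char *bp, u_int length,
		     const u_char *bp2)
{

	/* one byte of 0xff: NAT-T keep-alive */
	ND_TCHECK2(*bp, 1);
	if (length == 1 && bp[0] == 0xff) {
		ND_PRINT((ndo, "isakmp-nat-keep-alive"));
		return;
	}

	if (length < 4) {
		goto trunc;
	}

	/*
	 * see if this is an IKE packet: a zero non-ESP marker precedes it
	 */
	ND_TCHECK2(*bp, 4);
	if (bp[0] == 0 && bp[1] == 0 && bp[2] == 0 && bp[3] == 0) {
		ND_PRINT((ndo, "NONESP-encap: "));
		isakmp_print(ndo, bp + 4, length - 4, bp2);
		return;
	}

	/* must be an ESP packet */
	{
		int nh, enh, padlen;
		int advance;

		ND_PRINT((ndo, "UDP-encap: "));

		advance = esp_print(ndo, bp, length, bp2, &enh, &padlen);
		if (advance <= 0)
			return;

		/*
		 * The inner packet is what is left after the ESP header
		 * (advance) and the trailer (padlen). If those do not fit
		 * in the UDP payload, the unsigned subtraction below would
		 * wrap, so give up instead. NOTE(review): esp_print()'s
		 * contract for padlen is not visible here - confirm it is
		 * never negative.
		 */
		if (padlen < 0 || (u_int)advance + (u_int)padlen > length)
			goto trunc;

		bp += advance;
		length -= advance + padlen;
		nh = enh & 0xff;

		ip_print_inner(ndo, bp, length, nh, bp2);
		return;
	}

trunc:
	ND_PRINT((ndo,"[|isakmp]"));
	return;
}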
3069
3070 /*
3071 * Local Variables:
3072 * c-style: whitesmith
3073 * c-basic-offset: 8
3074 * End:
3075 */
3076
3077
3078
3079