1 /*
2 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. Neither the name of the project nor the names of its contributors
14 * may be used to endorse or promote products derived from this software
15 * without specific prior written permission.
16 *
17 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27 * SUCH DAMAGE.
28 *
29 */
30
31 #define NETDISSECT_REWORKED
32 #ifdef HAVE_CONFIG_H
33 #include "config.h"
34 #endif
35
36 /* The functions from print-esp.c used in this file are only defined when both
37 * OpenSSL and evp.h are detected. Employ the same preprocessor device here.
38 */
39 #ifndef HAVE_OPENSSL_EVP_H
40 #undef HAVE_LIBCRYPTO
41 #endif
42
43 #include <tcpdump-stdinc.h>
44
45 #include <string.h>
46
47 #include <stdio.h>
48
49 #include "interface.h"
50 #include "addrtoname.h"
51 #include "extract.h" /* must come after interface.h */
52
53 #include "ip.h"
54 #ifdef INET6
55 #include "ip6.h"
56 #endif
57
58 /* refer to RFC 2408 */
59
60 typedef u_char cookie_t[8];
61 typedef u_char msgid_t[4];
62
63 #define PORT_ISAKMP 500
64
65 /* 3.1 ISAKMP Header Format (IKEv1 and IKEv2)
66 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
67 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
68 ! Initiator !
69 ! Cookie !
70 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
71 ! Responder !
72 ! Cookie !
73 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
74 ! Next Payload ! MjVer ! MnVer ! Exchange Type ! Flags !
75 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
76 ! Message ID !
77 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
78 ! Length !
79 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
80 */
/*
 * On-the-wire ISAKMP header shared by IKEv1 and IKEv2 (RFC 2408 3.1,
 * RFC 4306 3.1).  Multi-byte fields are big-endian on the wire; the
 * payload printers below copy structures out with unaligned_memcpy()
 * and convert with ntohl() (see ikev1_sa_print).  The 'vers' octet packs
 * the major version in its high nibble and the minor version in its low
 * nibble, extracted with the ISAKMP_VERS_* masks and shifts.
 */
struct isakmp {
	cookie_t i_ck;		/* Initiator Cookie */
	cookie_t r_ck;		/* Responder Cookie */
	u_int8_t np;		/* Next Payload Type */
	u_int8_t vers;		/* MjVer (high nibble) | MnVer (low nibble) */
#define ISAKMP_VERS_MAJOR	0xf0
#define ISAKMP_VERS_MAJOR_SHIFT	4
#define ISAKMP_VERS_MINOR	0x0f
#define ISAKMP_VERS_MINOR_SHIFT	0
	u_int8_t etype;		/* Exchange Type */
	u_int8_t flags;		/* Flags (ISAKMP_FLAG_*) */
	msgid_t msgid;		/* Message ID, 4 raw octets */
	u_int32_t len;		/* Length of the whole message, header included */
};
95
96 /* Next Payload Type */
97 #define ISAKMP_NPTYPE_NONE 0 /* NONE*/
98 #define ISAKMP_NPTYPE_SA 1 /* Security Association */
99 #define ISAKMP_NPTYPE_P 2 /* Proposal */
100 #define ISAKMP_NPTYPE_T 3 /* Transform */
101 #define ISAKMP_NPTYPE_KE 4 /* Key Exchange */
102 #define ISAKMP_NPTYPE_ID 5 /* Identification */
103 #define ISAKMP_NPTYPE_CERT 6 /* Certificate */
104 #define ISAKMP_NPTYPE_CR 7 /* Certificate Request */
105 #define ISAKMP_NPTYPE_HASH 8 /* Hash */
106 #define ISAKMP_NPTYPE_SIG 9 /* Signature */
107 #define ISAKMP_NPTYPE_NONCE 10 /* Nonce */
108 #define ISAKMP_NPTYPE_N 11 /* Notification */
109 #define ISAKMP_NPTYPE_D 12 /* Delete */
110 #define ISAKMP_NPTYPE_VID 13 /* Vendor ID */
111 #define ISAKMP_NPTYPE_v2E 46 /* v2 Encrypted payload */
112
113 #define IKEv1_MAJOR_VERSION 1
114 #define IKEv1_MINOR_VERSION 0
115
116 #define IKEv2_MAJOR_VERSION 2
117 #define IKEv2_MINOR_VERSION 0
118
119 /* Flags */
120 #define ISAKMP_FLAG_E 0x01 /* Encryption Bit */
121 #define ISAKMP_FLAG_C 0x02 /* Commit Bit */
122 #define ISAKMP_FLAG_extra 0x04
123
124 /* IKEv2 */
125 #define ISAKMP_FLAG_I (1 << 3) /* (I)nitiator */
126 #define ISAKMP_FLAG_V (1 << 4) /* (V)ersion */
127 #define ISAKMP_FLAG_R (1 << 5) /* (R)esponse */
128
129
130 /* 3.2 Payload Generic Header
131 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
132 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
133 ! Next Payload ! RESERVED ! Payload Length !
134 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
135 */
/*
 * Generic 4-octet header that starts every ISAKMP/IKE payload
 * (RFC 2408 3.2).  Per the RFCs 'len' covers this header as well as the
 * payload body that follows it.
 */
struct isakmp_gen {
	u_int8_t  np;       /* Next Payload */
	u_int8_t  critical; /* bit 7 - critical (IKEv2), rest is RESERVED */
	u_int16_t len;      /* Payload Length, big-endian */
};
141
142 /* 3.3 Data Attributes
143 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
144 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
145 !A! Attribute Type ! AF=0 Attribute Length !
146 !F! ! AF=1 Attribute Value !
147 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
148 . AF=0 Attribute Value .
149 . AF=1 Not Transmitted .
150 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
151 */
/*
 * Data attribute (RFC 2408 3.3).  Bit 15 of 'type' is the Attribute
 * Format (AF) flag.  The attribute printers below (ikev1_attrmap_print,
 * ikev1_attr_print) treat AF=1 as a fixed 4-octet Type/Value attribute
 * and AF=0 as Type/Length followed by a variable-length value.
 */
struct isakmp_data {
	u_int16_t type;		/* AF flag (bit 15) | Attribute Type (bits 0-14) */
	u_int16_t lorv;		/* AF=0: Attribute Length, value follows */
				/* AF=1: Attribute Value, nothing follows */
};
158
159 /* 3.4 Security Association Payload */
/* Generic form only; the IPsec DOI layout actually in use is struct ipsecdoi_sa (RFC 2407). */
161 /*
162 If the current payload is the last in the message,
163 then the value of the next payload field will be 0.
164 This field MUST NOT contain the
165 values for the Proposal or Transform payloads as they are considered
166 part of the security association negotiation. For example, this
167 field would contain the value "10" (Nonce payload) in the first
168 message of a Base Exchange (see Section 4.4) and the value "0" in the
169 first message of an Identity Protect Exchange (see Section 4.5).
170 */
/*
 * IKEv1 Security Association payload (RFC 2408 3.4).  Same layout as
 * struct ipsecdoi_sa; ikev1_sa_print() copies it out and reads both
 * words with ntohl().
 */
struct ikev1_pl_sa {
	struct isakmp_gen h;
	u_int32_t doi;		/* Domain of Interpretation (1 == IPsec) */
	u_int32_t sit;		/* Situation bitmask (IPSECDOI_SIT_*) */
};
176
177 /* 3.5 Proposal Payload */
178 /*
179 The value of the next payload field MUST only contain the value "2"
180 or "0". If there are additional Proposal payloads in the message,
181 then this field will be 2. If the current Proposal payload is the
182 last within the security association proposal, then this field will
183 be 0.
184 */
/*
 * IKEv1 Proposal payload (RFC 2408 3.5).  A variable-length SPI of
 * 'spi_size' octets follows the fixed part, and the first Transform
 * payload starts right after the SPI (see ikev1_p_print).
 */
struct ikev1_pl_p {
	struct isakmp_gen h;
	u_int8_t p_no;		/* Proposal # */
	u_int8_t prot_id;	/* Protocol (IPSECDOI_PROTO_*) */
	u_int8_t spi_size;	/* SPI Size in octets */
	u_int8_t num_t;		/* Number of Transforms */
	/* SPI (spi_size octets) */
};
193
194 /* 3.6 Transform Payload */
195 /*
196 The value of the next payload field MUST only contain the value "3"
197 or "0". If there are additional Transform payloads in the proposal,
198 then this field will be 3. If the current Transform payload is the
199 last within the proposal, then this field will be 0.
200 */
/*
 * IKEv1 Transform payload (RFC 2408 3.6).  The SA attributes that follow
 * are struct isakmp_data records, decoded by the ikev1_attr*_print()
 * helpers.
 */
struct ikev1_pl_t {
	struct isakmp_gen h;
	u_int8_t  t_no;		/* Transform # */
	u_int8_t  t_id;		/* Transform-Id */
	u_int16_t reserved;	/* RESERVED2 */
	/* SA Attributes */
};
208
209 /* 3.7 Key Exchange Payload */
/* IKEv1 Key Exchange payload (RFC 2408 3.7): just the generic header, opaque data follows. */
struct ikev1_pl_ke {
	struct isakmp_gen h;
	/* Key Exchange Data */
};
214
215 /* 3.8 Identification Payload */
/* Generic form only; the IPsec DOI defines the layout actually used, see struct ipsecdoi_id (RFC 2407). */
/*
 * IKEv1 Identification payload (RFC 2408 3.8).  The union overlays the
 * 1-octet ID Type with the 4-octet DOI Specific ID Data that shares its
 * first byte; the IPsec-specific layout is struct ipsecdoi_id.
 */
struct ikev1_pl_id {
	struct isakmp_gen h;
	union {
		u_int8_t  id_type;	/* ID Type */
		u_int32_t doi_data;	/* DOI Specific ID Data */
	} d;
	/* Identification Data */
};
225
226 /* 3.9 Certificate Payload */
/*
 * IKEv1 Certificate payload (RFC 2408 3.9).  Note that 'cert' stands in
 * for the first octet of the variable-length Certificate Data, so
 * sizeof(struct ikev1_pl_cert) is 6, one more than the 5-octet fixed
 * part; offset arithmetic based on sizeof must account for that.
 */
struct ikev1_pl_cert {
	struct isakmp_gen h;
	u_int8_t encode;	/* Cert Encoding: type of certificate or */
				/* certificate-related information carried */
	char   cert;		/* first octet of Certificate Data */
};
237
238 /* 3.10 Certificate Request Payload */
/*
 * IKEv1 Certificate Request payload (RFC 2408 3.10).  Only the count is
 * fixed; the certificate-type list and the CA list follow as variable-
 * length data.
 */
struct ikev1_pl_cr {
	struct isakmp_gen h;
	u_int8_t num_cert;	/* # Cert. Types */
	/*
	 * Certificate Types (variable length)
	 *   -- Contains a list of the types of certificates requested,
	 *   sorted in order of preference.  Each individual certificate
	 *   type is 1 octet.  This field is NOT required.
	 */
	/* # Certificate Authorities (1 octet) */
	/* Certificate Authorities (variable length) */
};
251
252 /* 3.11 Hash Payload */
253 /* may not be used, because of having only data. */
/* IKEv1 Hash payload (RFC 2408 3.11): generic header, then opaque hash data. */
struct ikev1_pl_hash {
	struct isakmp_gen h;
	/* Hash Data */
};
258
259 /* 3.12 Signature Payload */
260 /* may not be used, because of having only data. */
/* IKEv1 Signature payload (RFC 2408 3.12): generic header, then opaque signature data. */
struct ikev1_pl_sig {
	struct isakmp_gen h;
	/* Signature Data */
};
265
266 /* 3.13 Nonce Payload */
267 /* may not be used, because of having only data. */
/* IKEv1 Nonce payload (RFC 2408 3.13): generic header, then opaque nonce data. */
struct ikev1_pl_nonce {
	struct isakmp_gen h;
	/* Nonce Data */
};
272
273 /* 3.14 Notification Payload */
/*
 * IKEv1 Notification payload (RFC 2408 3.14).  An SPI of 'spi_size'
 * octets and then the notification data follow the fixed part.
 */
struct ikev1_pl_n {
	struct isakmp_gen h;
	u_int32_t doi;		/* Domain of Interpretation */
	u_int8_t  prot_id;	/* Protocol-ID */
	u_int8_t  spi_size;	/* SPI Size in octets */
	u_int16_t type;		/* Notify Message Type (ISAKMP_NTYPE_* / IPSECDOI_NTYPE_*) */
	/* SPI (spi_size octets) */
	/* Notification Data */
};
283
284 /* 3.14.1 Notify Message Types */
285 /* NOTIFY MESSAGES - ERROR TYPES */
286 #define ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE 1
287 #define ISAKMP_NTYPE_DOI_NOT_SUPPORTED 2
288 #define ISAKMP_NTYPE_SITUATION_NOT_SUPPORTED 3
289 #define ISAKMP_NTYPE_INVALID_COOKIE 4
290 #define ISAKMP_NTYPE_INVALID_MAJOR_VERSION 5
291 #define ISAKMP_NTYPE_INVALID_MINOR_VERSION 6
292 #define ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE 7
293 #define ISAKMP_NTYPE_INVALID_FLAGS 8
294 #define ISAKMP_NTYPE_INVALID_MESSAGE_ID 9
295 #define ISAKMP_NTYPE_INVALID_PROTOCOL_ID 10
296 #define ISAKMP_NTYPE_INVALID_SPI 11
297 #define ISAKMP_NTYPE_INVALID_TRANSFORM_ID 12
298 #define ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED 13
299 #define ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN 14
300 #define ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX 15
301 #define ISAKMP_NTYPE_PAYLOAD_MALFORMED 16
302 #define ISAKMP_NTYPE_INVALID_KEY_INFORMATION 17
303 #define ISAKMP_NTYPE_INVALID_ID_INFORMATION 18
304 #define ISAKMP_NTYPE_INVALID_CERT_ENCODING 19
305 #define ISAKMP_NTYPE_INVALID_CERTIFICATE 20
306 #define ISAKMP_NTYPE_BAD_CERT_REQUEST_SYNTAX 21
307 #define ISAKMP_NTYPE_INVALID_CERT_AUTHORITY 22
308 #define ISAKMP_NTYPE_INVALID_HASH_INFORMATION 23
309 #define ISAKMP_NTYPE_AUTHENTICATION_FAILED 24
310 #define ISAKMP_NTYPE_INVALID_SIGNATURE 25
311 #define ISAKMP_NTYPE_ADDRESS_NOTIFICATION 26
312
313 /* 3.15 Delete Payload */
/*
 * IKEv1 Delete payload (RFC 2408 3.15).  'num_spi' SPIs of 'spi_size'
 * octets each follow the fixed part.
 */
struct ikev1_pl_d {
	struct isakmp_gen h;
	u_int32_t doi;		/* Domain of Interpretation */
	u_int8_t  prot_id;	/* Protocol-Id */
	u_int8_t  spi_size;	/* SPI Size in octets */
	u_int16_t num_spi;	/* # of SPIs */
	/* SPI(es) */
};
322
/*
 * Linked-list head for phase-1 state.  struct ikev1_ph1 is only
 * forward-referenced here; no definition or user of this table is
 * visible in this file.
 */
struct ikev1_ph1tab {
	struct ikev1_ph1 *head;
	struct ikev1_ph1 *tail;
	int len;
};
328
/*
 * Linked-list head for phase-2 state.  As with ikev1_ph1tab, the element
 * type (struct ikev1_ph2) is not defined in the visible part of this file.
 */
struct isakmp_ph2tab {
	struct ikev1_ph2 *head;
	struct ikev1_ph2 *tail;
	int len;
};
334
335 /* IKEv2 (RFC4306) */
336
337 /* 3.3 Security Association Payload -- generic header */
338 /* 3.3.1. Proposal Substructure */
/*
 * IKEv2 Proposal substructure (RFC 4306 3.3.1).  Same fixed layout as
 * the IKEv1 proposal; an SPI of 'spi_size' octets follows.
 */
struct ikev2_p {
	struct isakmp_gen h;
	u_int8_t p_no;		/* Proposal # */
	u_int8_t prot_id;	/* Protocol */
	u_int8_t spi_size;	/* SPI Size in octets */
	u_int8_t num_t;		/* Number of Transforms */
};
346
347 /* 3.3.2. Transform Substructure */
/*
 * IKEv2 Transform substructure (RFC 4306 3.3.2).  't_type' selects which
 * of the *_p_map[] name tables applies to 't_id' (see enum ikev2_t_type).
 */
struct ikev2_t {
	struct isakmp_gen h;
	u_int8_t t_type;	/* Transform Type (ENCR,PRF,INTEG,etc.) */
	u_int8_t res2;		/* reserved byte */
	u_int16_t t_id;		/* Transform ID, big-endian */
};
354
/* IKEv2 Transform Type values (RFC 4306 3.3.2); index into ikev2_t_type_map[]. */
enum ikev2_t_type {
	IV2_T_ENCR = 1,		/* encryption algorithm */
	IV2_T_PRF  = 2,		/* pseudo-random function */
	IV2_T_INTEG= 3,		/* integrity algorithm */
	IV2_T_DH   = 4,		/* Diffie-Hellman group */
	IV2_T_ESN  = 5,		/* extended sequence numbers */
};
362
363 /* 3.4. Key Exchange Payload */
/* IKEv2 Key Exchange payload (RFC 4306 3.4): DH group number, then the public value. */
struct ikev2_ke {
	struct isakmp_gen h;
	u_int16_t ke_group;	/* DH Group #, big-endian (see dh_p_map[]) */
	u_int16_t ke_res1;	/* RESERVED */
	/* KE data */
};
370
371
372 /* 3.5. Identification Payloads */
/*
 * IKEv2 ID Type values (RFC 4306 3.5).  Values 4 and 6-8 are not listed
 * here; they are not assigned for IKEv2.
 */
enum ikev2_id_type {
	ID_IPV4_ADDR=1,
	ID_FQDN=2,
	ID_RFC822_ADDR=3,
	ID_IPV6_ADDR=5,
	ID_DER_ASN1_DN=9,
	ID_DER_ASN1_GN=10,
	ID_KEY_ID=11,
};
/*
 * IKEv2 Identification payload (RFC 4306 3.5): type octet, three
 * reserved octets, then the variable-length identification data.
 */
struct ikev2_id {
	struct isakmp_gen h;
	u_int8_t  type;		/* ID type (enum ikev2_id_type) */
	u_int8_t  res1;		/* RESERVED */
	u_int16_t res2;		/* RESERVED */
	/* Identification Data */
};
390
391 /* 3.10 Notification Payload */
/*
 * IKEv2 Notify payload (RFC 4306 3.10).  Unlike the IKEv1 version there
 * is no DOI field; an SPI of 'spi_size' octets and the notification
 * data follow.
 */
struct ikev2_n {
	struct isakmp_gen h;
	u_int8_t  prot_id;	/* Protocol-ID */
	u_int8_t  spi_size;	/* SPI Size in octets */
	u_int16_t type;		/* Notify Message Type (enum ikev2_n_type) */
};
398
/*
 * IKEv2 Notify Message Types (RFC 4306 3.10.1).  Values below 16384 are
 * error types, 16384 and up are status types.
 */
enum ikev2_n_type {
	IV2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD            = 1,
	IV2_NOTIFY_INVALID_IKE_SPI                         = 4,
	IV2_NOTIFY_INVALID_MAJOR_VERSION                   = 5,
	IV2_NOTIFY_INVALID_SYNTAX                          = 7,
	IV2_NOTIFY_INVALID_MESSAGE_ID                      = 9,
	IV2_NOTIFY_INVALID_SPI                             =11,
	IV2_NOTIFY_NO_PROPOSAL_CHOSEN                      =14,
	IV2_NOTIFY_INVALID_KE_PAYLOAD                      =17,
	IV2_NOTIFY_AUTHENTICATION_FAILED                   =24,
	IV2_NOTIFY_SINGLE_PAIR_REQUIRED                    =34,
	IV2_NOTIFY_NO_ADDITIONAL_SAS                       =35,
	IV2_NOTIFY_INTERNAL_ADDRESS_FAILURE                =36,
	IV2_NOTIFY_FAILED_CP_REQUIRED                      =37,
	IV2_NOTIFY_INVALID_SELECTORS                       =39,
	/* status types */
	IV2_NOTIFY_INITIAL_CONTACT                         =16384,
	IV2_NOTIFY_SET_WINDOW_SIZE                         =16385,
	IV2_NOTIFY_ADDITIONAL_TS_POSSIBLE                  =16386,
	IV2_NOTIFY_IPCOMP_SUPPORTED                        =16387,
	IV2_NOTIFY_NAT_DETECTION_SOURCE_IP                 =16388,
	IV2_NOTIFY_NAT_DETECTION_DESTINATION_IP            =16389,
	IV2_NOTIFY_COOKIE                                  =16390,
	IV2_NOTIFY_USE_TRANSPORT_MODE                      =16391,
	IV2_NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED              =16392,
	IV2_NOTIFY_REKEY_SA                                =16393,
	IV2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED           =16394,
	IV2_NOTIFY_NON_FIRST_FRAGMENTS_ALSO                =16395
};
427
/*
 * Notify type -> human-readable name pair.  'msg' is a plain char *;
 * if it only ever points at string literals (no use is visible here)
 * it should be const char *.
 */
struct notify_messages {
	u_int16_t type;
	char     *msg;
};
432
/* 3.8 Authentication Payload */
/*
 * IKEv2 Authentication payload (RFC 4306 3.8): method octet, three
 * reserved octets, then the variable-length authentication data.
 */
struct ikev2_auth {
	struct isakmp_gen h;
	u_int8_t  auth_method;	/* Auth Method (enum ikev2_auth_type) */
	u_int8_t  reserved[3];
	/* authentication data */
};
440
/* IKEv2 Auth Method values (RFC 4306 3.8). */
enum ikev2_auth_type {
	IV2_RSA_SIG = 1,	/* RSA digital signature */
	IV2_SHARED  = 2,	/* shared key message integrity code */
	IV2_DSS_SIG = 3,	/* DSS digital signature */
};
446
447 /* refer to RFC 2409 */
448
#if 0
/*
 * Dead code: compiled out, and 'vchar_t' is not defined anywhere in the
 * visible part of this file, so enabling this block would not build
 * as-is.
 */
/* isakmp sa structure */
struct oakley_sa {
	u_int8_t  proto_id;		/* OAKLEY */
	vchar_t   *spi;			/* spi */
	u_int8_t  dhgrp;		/* DH; group */
	u_int8_t  auth_t;		/* method of authentication */
	u_int8_t  prf_t;		/* type of prf */
	u_int8_t  hash_t;		/* type of hash */
	u_int8_t  enc_t;		/* type of cipher */
	u_int8_t  life_t;		/* type of duration of lifetime */
	u_int32_t ldur;			/* life duration */
};
#endif
463
464 /* refer to RFC 2407 */
465
466 #define IPSEC_DOI 1
467
468 /* 4.2 IPSEC Situation Definition */
469 #define IPSECDOI_SIT_IDENTITY_ONLY 0x00000001
470 #define IPSECDOI_SIT_SECRECY 0x00000002
471 #define IPSECDOI_SIT_INTEGRITY 0x00000004
472
473 /* 4.4.1 IPSEC Security Protocol Identifiers */
474 /* 4.4.2 IPSEC ISAKMP Transform Values */
475 #define IPSECDOI_PROTO_ISAKMP 1
476 #define IPSECDOI_KEY_IKE 1
477
478 /* 4.4.1 IPSEC Security Protocol Identifiers */
479 #define IPSECDOI_PROTO_IPSEC_AH 2
480 /* 4.4.3 IPSEC AH Transform Values */
481 #define IPSECDOI_AH_MD5 2
482 #define IPSECDOI_AH_SHA 3
483 #define IPSECDOI_AH_DES 4
484 #define IPSECDOI_AH_SHA2_256 5
485 #define IPSECDOI_AH_SHA2_384 6
486 #define IPSECDOI_AH_SHA2_512 7
487
488 /* 4.4.1 IPSEC Security Protocol Identifiers */
489 #define IPSECDOI_PROTO_IPSEC_ESP 3
490 /* 4.4.4 IPSEC ESP Transform Identifiers */
491 #define IPSECDOI_ESP_DES_IV64 1
492 #define IPSECDOI_ESP_DES 2
493 #define IPSECDOI_ESP_3DES 3
494 #define IPSECDOI_ESP_RC5 4
495 #define IPSECDOI_ESP_IDEA 5
496 #define IPSECDOI_ESP_CAST 6
497 #define IPSECDOI_ESP_BLOWFISH 7
498 #define IPSECDOI_ESP_3IDEA 8
499 #define IPSECDOI_ESP_DES_IV32 9
500 #define IPSECDOI_ESP_RC4 10
501 #define IPSECDOI_ESP_NULL 11
502 #define IPSECDOI_ESP_RIJNDAEL 12
503 #define IPSECDOI_ESP_AES 12
504
505 /* 4.4.1 IPSEC Security Protocol Identifiers */
506 #define IPSECDOI_PROTO_IPCOMP 4
507 /* 4.4.5 IPSEC IPCOMP Transform Identifiers */
508 #define IPSECDOI_IPCOMP_OUI 1
509 #define IPSECDOI_IPCOMP_DEFLATE 2
510 #define IPSECDOI_IPCOMP_LZS 3
511
512 /* 4.5 IPSEC Security Association Attributes */
513 #define IPSECDOI_ATTR_SA_LTYPE 1 /* B */
514 #define IPSECDOI_ATTR_SA_LTYPE_DEFAULT 1
515 #define IPSECDOI_ATTR_SA_LTYPE_SEC 1
516 #define IPSECDOI_ATTR_SA_LTYPE_KB 2
517 #define IPSECDOI_ATTR_SA_LDUR 2 /* V */
518 #define IPSECDOI_ATTR_SA_LDUR_DEFAULT 28800 /* 8 hours */
519 #define IPSECDOI_ATTR_GRP_DESC 3 /* B */
520 #define IPSECDOI_ATTR_ENC_MODE 4 /* B */
521 /* default value: host dependent */
522 #define IPSECDOI_ATTR_ENC_MODE_TUNNEL 1
523 #define IPSECDOI_ATTR_ENC_MODE_TRNS 2
524 #define IPSECDOI_ATTR_AUTH 5 /* B */
525 /* 0 means not to use authentication. */
526 #define IPSECDOI_ATTR_AUTH_HMAC_MD5 1
527 #define IPSECDOI_ATTR_AUTH_HMAC_SHA1 2
528 #define IPSECDOI_ATTR_AUTH_DES_MAC 3
529 #define IPSECDOI_ATTR_AUTH_KPDK 4 /*RFC-1826(Key/Pad/Data/Key)*/
530 /*
531 * When negotiating ESP without authentication, the Auth
532 * Algorithm attribute MUST NOT be included in the proposal.
533 * When negotiating ESP without confidentiality, the Auth
534 * Algorithm attribute MUST be included in the proposal and
535 * the ESP transform ID must be ESP_NULL.
536 */
537 #define IPSECDOI_ATTR_KEY_LENGTH 6 /* B */
538 #define IPSECDOI_ATTR_KEY_ROUNDS 7 /* B */
539 #define IPSECDOI_ATTR_COMP_DICT_SIZE 8 /* B */
540 #define IPSECDOI_ATTR_COMP_PRIVALG 9 /* V */
541
542 /* 4.6.1 Security Association Payload */
/*
 * IPsec DOI Security Association payload (RFC 2407 4.6.1).  Layout is
 * identical to struct ikev1_pl_sa; when 'sit' carries more than
 * IPSECDOI_SIT_IDENTITY_ONLY, further situation data follows it.
 */
struct ipsecdoi_sa {
	struct isakmp_gen h;
	u_int32_t doi;		/* Domain of Interpretation */
	u_int32_t sit;		/* Situation (IPSECDOI_SIT_* bitmask) */
};
548
/*
 * Length/reserved header apparently meant for the secrecy or integrity
 * level data of an IPsec DOI situation (RFC 2407 4.6.1.2/4.6.1.3); no
 * user is visible in this file.
 */
struct ipsecdoi_secrecy_h {
	u_int16_t len;
	u_int16_t reserved;
};
553
554 /* 4.6.2.1 Identification Type Values */
/*
 * IPsec DOI Identification payload (RFC 2407 4.6.2): ID type, protocol
 * and port, followed by the variable-length identification data.
 */
struct ipsecdoi_id {
	struct isakmp_gen h;
	u_int8_t  type;		/* ID Type (IPSECDOI_ID_*) */
	u_int8_t  proto_id;	/* Protocol ID (0 means any) */
	u_int16_t port;		/* Port, big-endian (0 means any) */
	/* Identification Data */
};
562
563 #define IPSECDOI_ID_IPV4_ADDR 1
564 #define IPSECDOI_ID_FQDN 2
565 #define IPSECDOI_ID_USER_FQDN 3
566 #define IPSECDOI_ID_IPV4_ADDR_SUBNET 4
567 #define IPSECDOI_ID_IPV6_ADDR 5
568 #define IPSECDOI_ID_IPV6_ADDR_SUBNET 6
569 #define IPSECDOI_ID_IPV4_ADDR_RANGE 7
570 #define IPSECDOI_ID_IPV6_ADDR_RANGE 8
571 #define IPSECDOI_ID_DER_ASN1_DN 9
572 #define IPSECDOI_ID_DER_ASN1_GN 10
573 #define IPSECDOI_ID_KEY_ID 11
574
575 /* 4.6.3 IPSEC DOI Notify Message Types */
576 /* Notify Messages - Status Types */
577 #define IPSECDOI_NTYPE_RESPONDER_LIFETIME 24576
578 #define IPSECDOI_NTYPE_REPLAY_STATUS 24577
579 #define IPSECDOI_NTYPE_INITIAL_CONTACT 24578
580
/*
 * Declare a per-payload printer.  Every printer shares this signature so
 * it can be dispatched through the npfunc[] table below:
 *   tpay        - the payload type being printed
 *   ext         - the payload's generic header
 *   item_len    - presumably the payload length taken from that header
 *   end_pointer - end of the data the printer may look at
 *   phase, doi0, proto0, depth - negotiation context threaded through
 * Each returns a pointer past what it printed, or NULL on truncation
 * (see e.g. ikev1_sa_print).
 */
#define DECLARE_PRINTER(func) static const u_char *ike##func##_print( \
		netdissect_options *ndo, u_char tpay,	              \
		const struct isakmp_gen *ext,			      \
		u_int item_len,					      \
		const u_char *end_pointer,			      \
		u_int32_t phase,\
		u_int32_t doi0,					      \
		u_int32_t proto0, int depth)
589
590 DECLARE_PRINTER(v1_sa);
591 DECLARE_PRINTER(v1_p);
592 DECLARE_PRINTER(v1_t);
593 DECLARE_PRINTER(v1_ke);
594 DECLARE_PRINTER(v1_id);
595 DECLARE_PRINTER(v1_cert);
596 DECLARE_PRINTER(v1_cr);
597 DECLARE_PRINTER(v1_sig);
598 DECLARE_PRINTER(v1_hash);
599 DECLARE_PRINTER(v1_nonce);
600 DECLARE_PRINTER(v1_n);
601 DECLARE_PRINTER(v1_d);
602 DECLARE_PRINTER(v1_vid);
603
604 DECLARE_PRINTER(v2_sa);
605 DECLARE_PRINTER(v2_ke);
606 DECLARE_PRINTER(v2_ID);
607 DECLARE_PRINTER(v2_cert);
608 DECLARE_PRINTER(v2_cr);
609 DECLARE_PRINTER(v2_auth);
610 DECLARE_PRINTER(v2_nonce);
611 DECLARE_PRINTER(v2_n);
612 DECLARE_PRINTER(v2_d);
613 DECLARE_PRINTER(v2_vid);
614 DECLARE_PRINTER(v2_TS);
615 DECLARE_PRINTER(v2_cp);
616 DECLARE_PRINTER(v2_eap);
617
618 static const u_char *ikev2_e_print(netdissect_options *ndo,
619 struct isakmp *base,
620 u_char tpay,
621 const struct isakmp_gen *ext,
622 u_int item_len,
623 const u_char *end_pointer,
624 u_int32_t phase,
625 u_int32_t doi0,
626 u_int32_t proto0, int depth);
627
628
629 static const u_char *ike_sub0_print(netdissect_options *ndo,u_char, const struct isakmp_gen *,
630 const u_char *, u_int32_t, u_int32_t, u_int32_t, int);
631 static const u_char *ikev1_sub_print(netdissect_options *ndo,u_char, const struct isakmp_gen *,
632 const u_char *, u_int32_t, u_int32_t, u_int32_t, int);
633
634 static const u_char *ikev2_sub_print(netdissect_options *ndo,
635 struct isakmp *base,
636 u_char np, const struct isakmp_gen *ext,
637 const u_char *ep, u_int32_t phase,
638 u_int32_t doi, u_int32_t proto,
639 int depth);
640
641
642 static char *numstr(int);
643
644 static void
645 ikev1_print(netdissect_options *ndo,
646 const u_char *bp, u_int length,
647 const u_char *bp2, struct isakmp *base);
648
#define MAXINITIATORS	20
/*
 * Round-robin cursor into cookiecache[]: the slot the next new initiator
 * cookie is stored in (see cookie_record()).  It has external linkage;
 * nothing in the visible part of this file needs that, so 'static' would
 * be appropriate if no other file references it.
 */
int ninitiator = 0;
union inaddr_u {
	struct in_addr in4;
#ifdef INET6
	struct in6_addr in6;
#endif
};
/*
 * Small cache of recently seen initiator cookies together with the
 * addresses of the packet that introduced them, used to tell which side
 * of an exchange a later packet comes from.  Static storage, so it starts
 * zeroed: an all-zero cookie therefore matches an unused slot in
 * cookie_find().
 */
struct {
	cookie_t initiator;
	u_int version;
	union inaddr_u iaddr;
	union inaddr_u raddr;
} cookiecache[MAXINITIATORS];
663
664 /* protocol id */
/* protocol id -> name, indexed by IPSECDOI_PROTO_*; used via PROTOIDSTR(). */
static const char *protoidstr[] = {
	NULL, "isakmp", "ipsec-ah", "ipsec-esp", "ipcomp",
};
668
669 /* isakmp->np */
/*
 * isakmp->np -> name, indexed by next-payload value (0-48).  NPSTR()
 * bounds-checks against the array size and falls back to numstr() for
 * anything beyond it.  Keep this table parallel to npfunc[] below.
 */
static const char *npstr[] = {
	"none", "sa", "p", "t", "ke", "id", "cert", "cr", "hash", /* 0 - 8 */
	"sig", "nonce", "n", "d", "vid",      /* 9 - 13 */
	"pay14", "pay15", "pay16", "pay17", "pay18", /* 14- 18 */
	"pay19", "pay20", "pay21", "pay22", "pay23", /* 19- 23 */
	"pay24", "pay25", "pay26", "pay27", "pay28", /* 24- 28 */
	"pay29", "pay30", "pay31", "pay32",          /* 29- 32 */
	"v2sa",  "v2ke",  "v2IDi", "v2IDr", "v2cert",/* 33- 37 */
	"v2cr",  "v2auth","v2nonce", "v2n",   "v2d",   /* 38- 42 */
	"v2vid", "v2TSi", "v2TSr", "v2e",   "v2cp",  /* 43- 47 */
	"v2eap",                                     /* 48 */

};
683
684 /* isakmp->np */
/*
 * isakmp->np -> printer, parallel to npstr[] and looked up via NPFUNC().
 * Slot 46 (v2e, the IKEv2 Encrypted payload) is deliberately NULL:
 * ikev2_e_print() takes an extra 'base' argument (see its prototype
 * above) and so cannot share this signature; it is dispatched separately.
 * IKEv1 types 14-32 have no printer and yield NULL from NPFUNC().
 */
static const u_char *(*npfunc[])(netdissect_options *ndo, u_char tpay,
				 const struct isakmp_gen *ext,
				 u_int item_len,
				 const u_char *end_pointer,
				 u_int32_t phase,
				 u_int32_t doi0,
				 u_int32_t proto0, int depth) = {
	NULL,
	ikev1_sa_print,
	ikev1_p_print,
	ikev1_t_print,
	ikev1_ke_print,
	ikev1_id_print,
	ikev1_cert_print,
	ikev1_cr_print,
	ikev1_hash_print,
	ikev1_sig_print,
	ikev1_nonce_print,
	ikev1_n_print,
	ikev1_d_print,
	ikev1_vid_print,                  /* 13 */
	NULL, NULL, NULL, NULL, NULL,     /* 14- 18 */
	NULL, NULL, NULL, NULL, NULL,     /* 19- 23 */
	NULL, NULL, NULL, NULL, NULL,     /* 24- 28 */
	NULL, NULL, NULL, NULL,           /* 29- 32 */
	ikev2_sa_print,                 /* 33 */
	ikev2_ke_print,                 /* 34 */
	ikev2_ID_print,                 /* 35 */
	ikev2_ID_print,                 /* 36 */
	ikev2_cert_print,               /* 37 */
	ikev2_cr_print,                 /* 38 */
	ikev2_auth_print,               /* 39 */
	ikev2_nonce_print,              /* 40 */
	ikev2_n_print,                  /* 41 */
	ikev2_d_print,                  /* 42 */
	ikev2_vid_print,                /* 43 */
	ikev2_TS_print,                 /* 44 */
	ikev2_TS_print,                 /* 45 */
	NULL, /* ikev2_e_print,*/       /* 46 - special */
	ikev2_cp_print,                 /* 47 */
	ikev2_eap_print,                /* 48 */
};
727
728 /* isakmp->etype */
/*
 * isakmp->etype -> name, indexed by exchange type.  The NULL gaps and
 * anything past index 37 make ETYPESTR() fall back to numstr().
 */
static const char *etypestr[] = {
/* IKEv1 exchange types */
	"none", "base", "ident", "auth", "agg", "inf", NULL, NULL,  /* 0-7 */
	NULL,   NULL,   NULL,    NULL,   NULL,  NULL,  NULL, NULL,  /* 8-15 */
	NULL,   NULL,   NULL,    NULL,   NULL,  NULL,  NULL, NULL,  /* 16-23 */
	NULL,   NULL,   NULL,    NULL,   NULL,  NULL,  NULL, NULL,  /* 24-31 */
	"oakley-quick", "oakley-newgroup",               /* 32-33 */
/* IKEv2 exchange types */
	"ikev2_init", "ikev2_auth", "child_sa", "inf2"   /* 34-37 */
};
739
/*
 * Map a numeric code to its name from a table, or to a decimal string
 * from numstr() when the code is out of range or has no entry.  These
 * macros evaluate 'x' more than once, so only pass side-effect-free
 * expressions.
 */
#define STR_OR_ID(x, tab) \
	(((x) < sizeof(tab)/sizeof(tab[0]) && tab[(x)]) ? tab[(x)] : numstr(x))
#define PROTOIDSTR(x)	STR_OR_ID(x, protoidstr)
#define NPSTR(x)	STR_OR_ID(x, npstr)
#define ETYPESTR(x)	STR_OR_ID(x, etypestr)

/*
 * Leave the expanding function (which must provide 'ep' and a 'done'
 * label) with a truncation marker when 'p' lies past 'ep'.  This is a
 * bare 'if', not a do { } while (0), so it must not be followed by an
 * 'else'.
 */
#define CHECKLEN(p, np)							\
		if (ep < (u_char *)(p)) {				\
			ND_PRINT((ndo," [|%s]", NPSTR(np)));		\
			goto done;					\
		}


/* Printer for next-payload type 'x', or NULL when none is registered. */
#define NPFUNC(x) \
	(((x) < sizeof(npfunc)/sizeof(npfunc[0]) && npfunc[(x)]) \
		? npfunc[(x)] : NULL)
756
/*
 * Return 1 if all 'l' bytes starting at 'p' are zero, 0 otherwise.
 * A zero-length span counts as all-zero.
 */
static int
iszero(u_char *p, size_t l)
{
	size_t i;

	for (i = 0; i < l; i++) {
		if (p[i] != 0)
			return 0;
	}
	return 1;
}
766
767 /* find cookie from initiator cache */
/*
 * Look 'in' up in cookiecache[].  Returns the slot index, or -1 when the
 * cookie is not cached.  Because the cache is zero-initialised static
 * storage, an all-zero cookie matches the first unused slot.
 */
static int
cookie_find(cookie_t *in)
{
	int slot = 0;

	while (slot < MAXINITIATORS) {
		if (memcmp(in, &cookiecache[slot].initiator, sizeof(*in)) == 0)
			return slot;
		slot++;
	}

	return -1;
}
780
781 /* record initiator */
/*
 * Remember the initiator cookie 'in' together with the source and
 * destination addresses of the IP header at 'bp2', so that later packets
 * can be classified as coming from the initiator or the responder (see
 * cookie_sidecheck).  A cookie that is already cached is not recorded
 * again; only the insertion cursor is moved past its slot.  Packets that
 * are neither IPv4 nor IPv6 are ignored.
 *
 * NOTE(review): bp2 is dereferenced without a snapshot-length check;
 * this relies on the caller having already dissected that IP header.
 */
static void
cookie_record(cookie_t *in, const u_char *bp2)
{
	int slot;
	const struct ip *ip4 = (const struct ip *)bp2;
#ifdef INET6
	const struct ip6_hdr *ip6;
#endif

	slot = cookie_find(in);
	if (slot >= 0) {
		/* Known cookie: only move the cursor to the slot after it. */
		ninitiator = (slot + 1) % MAXINITIATORS;
		return;
	}

	slot = ninitiator;
	switch (IP_V(ip4)) {
	case 4:
		cookiecache[slot].version = 4;
		unaligned_memcpy(&cookiecache[slot].iaddr.in4, &ip4->ip_src,
		    sizeof(struct in_addr));
		unaligned_memcpy(&cookiecache[slot].raddr.in4, &ip4->ip_dst,
		    sizeof(struct in_addr));
		break;
#ifdef INET6
	case 6:
		ip6 = (const struct ip6_hdr *)bp2;
		cookiecache[slot].version = 6;
		unaligned_memcpy(&cookiecache[slot].iaddr.in6, &ip6->ip6_src,
		    sizeof(struct in6_addr));
		unaligned_memcpy(&cookiecache[slot].raddr.in6, &ip6->ip6_dst,
		    sizeof(struct in6_addr));
		break;
#endif
	default:
		/* Unknown IP version: record nothing, leave the cursor alone. */
		return;
	}
	unaligned_memcpy(&cookiecache[slot].initiator, in, sizeof(*in));
	ninitiator = (slot + 1) % MAXINITIATORS;
}
818
/* Does the packet at y come from the initiator / responder of cache slot x? */
#define cookie_isinitiator(x, y)	cookie_sidecheck((x), (y), 1)
#define cookie_isresponder(x, y)	cookie_sidecheck((x), (y), 0)
/*
 * Compare the source address of the IP header at 'bp2' with the address
 * cached in cookiecache[i]: the initiator's address when 'initiator' is
 * non-zero, the responder's otherwise.  Returns 1 on a match, 0 when the
 * addresses differ, when the cached entry is of a different IP version,
 * or when the packet is neither IPv4 nor IPv6.
 *
 * NOTE(review): like cookie_record(), this reads the IP header at bp2
 * without its own snapshot-length check.
 */
static int
cookie_sidecheck(int i, const u_char *bp2, int initiator)
{
	const struct ip *ip4 = (const struct ip *)bp2;
#ifdef INET6
	const struct ip6_hdr *ip6;
#endif
	const void *pkt_src;
	const void *cached;
	size_t alen;

	switch (IP_V(ip4)) {
	case 4:
		if (cookiecache[i].version != 4)
			return 0;
		pkt_src = &ip4->ip_src;
		cached = initiator ? (const void *)&cookiecache[i].iaddr.in4
				   : (const void *)&cookiecache[i].raddr.in4;
		alen = sizeof(struct in_addr);
		break;
#ifdef INET6
	case 6:
		if (cookiecache[i].version != 6)
			return 0;
		ip6 = (const struct ip6_hdr *)bp2;
		pkt_src = &ip6->ip6_src;
		cached = initiator ? (const void *)&cookiecache[i].iaddr.in6
				   : (const void *)&cookiecache[i].raddr.in6;
		alen = sizeof(struct in6_addr);
		break;
#endif /* INET6 */
	default:
		return 0;
	}

	return unaligned_memcmp(pkt_src, cached, alen) == 0;
}
862
/*
 * Print 'len' bytes at 'loc' as lowercase hex with no separators.
 * No bounds check is done here; callers go through rawprint() for that.
 */
static void
hexprint(netdissect_options *ndo, caddr_t loc, size_t len)
{
	const u_char *bytes = (const u_char *)loc;
	const u_char *end = bytes + len;

	for (; bytes < end; bytes++)
		ND_PRINT((ndo, "%02x", *bytes & 0xff));
}
873
/*
 * Hex-dump 'len' bytes at 'loc' if they all lie within the captured
 * data.  Returns 1 after printing, 0 (printing nothing) if the span runs
 * past the snapshot end.
 */
static int
rawprint(netdissect_options *ndo, caddr_t loc, size_t len)
{
	if (!ND_TTEST2(*loc, len))
		return 0;

	hexprint(ndo, loc, len);
	return 1;
}
884
885
886 /*
887 * returns false if we run out of data buffer
888 */
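/*
 * Print an abbreviated hex dump of [cp, ep): at most the first 10 bytes,
 * "...", and at most the last 20 bytes, so that the head and tail never
 * overlap.  Returns 0 if the bytes are not all in the captured data
 * (rawprint() failed), 1 otherwise.
 *
 * The tail pointer is derived from the tail length rather than as
 * "ep - 20", so no pointer before 'cp' is ever formed when fewer than 20
 * bytes are available.
 */
static int ike_show_somedata(struct netdissect_options *ndo,
			     const u_char *cp, const u_char *ep)
{
	/* there is too much data, just show some of it */
	int avail = ep - cp;
	int headlen = avail > 10 ? 10 : avail;
	int taillen = avail - headlen;	/* bytes left after the head */
	const u_char *tail;

	if (taillen > 20)
		taillen = 20;
	tail = ep - taillen;		/* never before cp + headlen */

	ND_PRINT((ndo," data=("));
	if (!rawprint(ndo, (caddr_t)(cp), headlen)) goto trunc;
	ND_PRINT((ndo, "..."));
	if (taillen) {
		if (!rawprint(ndo, (caddr_t)(tail), taillen)) goto trunc;
	}
	ND_PRINT((ndo,")"));
	return 1;

trunc:
	return 0;
}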
918
/*
 * Names for one attribute type: 'type' is the attribute's name and
 * value[0..nvalue-1] name its TV-format values.  value[] is a fixed
 * 30-entry array (the XXX); ikev1_attrmap_print() only checks a value
 * against nvalue, so every table must keep nvalue <= 30.
 */
struct attrmap {
	const char *type;
	u_int nvalue;
	const char *value[30];	/*XXX*/
};
924
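/*
 * Print one IKEv1 data attribute (RFC 2408 3.3) starting at 'p', naming
 * the attribute type and, for TV-format attributes, its value from 'map'
 * ('nmap' entries).
 *
 * Returns the address of the next attribute.  If the attribute does not
 * fit before 'ep', or is not fully present in the captured data, prints
 * "[|attr]" and returns ep + 1 -- the same past-the-end value the
 * out-of-range path has always returned, which callers presumably use to
 * stop their "cp < ep" loop.
 */
static const u_char *
ikev1_attrmap_print(netdissect_options *ndo,
		    const u_char *p, const u_char *ep,
		    const struct attrmap *map, size_t nmap)
{
	int totlen;
	u_int32_t t, v;

	/*
	 * Both attribute formats start with a 4-octet header (AF bit +
	 * type, then either the length or the value).  'ep' bounds the
	 * payload, not necessarily the snapshot, so make sure those octets
	 * were actually captured before looking at them.
	 */
	ND_TCHECK2(*p, 4);
	if (p[0] & 0x80)
		totlen = 4;			/* AF=1: Type/Value */
	else
		totlen = 4 + EXTRACT_16BITS(&p[2]);	/* AF=0: Type/Length/Value */
	if (ep < p + totlen)
		goto trunc;

	ND_PRINT((ndo,"("));
	t = EXTRACT_16BITS(&p[0]) & 0x7fff;
	if (map && t < nmap && map[t].type)
		ND_PRINT((ndo,"type=%s ", map[t].type));
	else
		ND_PRINT((ndo,"type=#%u ", t));
	if (p[0] & 0x80) {
		ND_PRINT((ndo,"value="));
		v = EXTRACT_16BITS(&p[2]);
		if (map && t < nmap && v < map[t].nvalue && map[t].value[v])
			ND_PRINT((ndo,"%s", map[t].value[v]));
		else if (!rawprint(ndo, (caddr_t)&p[2], 2))
			goto trunc;
	} else {
		ND_PRINT((ndo,"len=%d value=", EXTRACT_16BITS(&p[2])));
		/* rawprint() checks the value bytes against the snapshot. */
		if (!rawprint(ndo, (caddr_t)&p[4], EXTRACT_16BITS(&p[2])))
			goto trunc;
	}
	ND_PRINT((ndo,")"));
	return p + totlen;

trunc:
	ND_PRINT((ndo,"[|attr]"));
	return ep + 1;
}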
962
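/*
 * Print one IKEv1 data attribute (RFC 2408 3.3) starting at 'p' without
 * any name table: the type is printed numerically and the value in hex.
 *
 * Returns the address of the next attribute.  If the attribute does not
 * fit before 'ep', or is not fully present in the captured data, prints
 * "[|attr]" and returns ep + 1 -- the same past-the-end value the
 * out-of-range path has always returned, which callers presumably use to
 * stop their "cp < ep" loop.
 */
static const u_char *
ikev1_attr_print(netdissect_options *ndo, const u_char *p, const u_char *ep)
{
	int totlen;
	u_int32_t t;

	/*
	 * The 4-octet attribute header is read before the 'ep' check, and
	 * 'ep' bounds the payload rather than the snapshot, so verify the
	 * header was captured first.
	 */
	ND_TCHECK2(*p, 4);
	if (p[0] & 0x80)
		totlen = 4;			/* AF=1: Type/Value */
	else
		totlen = 4 + EXTRACT_16BITS(&p[2]);	/* AF=0: Type/Length/Value */
	if (ep < p + totlen)
		goto trunc;

	ND_PRINT((ndo,"("));
	t = EXTRACT_16BITS(&p[0]) & 0x7fff;
	ND_PRINT((ndo,"type=#%u ", t));
	if (p[0] & 0x80) {
		ND_PRINT((ndo,"value="));
		if (!rawprint(ndo, (caddr_t)&p[2], 2))
			goto trunc;
	} else {
		ND_PRINT((ndo,"len=%d value=", EXTRACT_16BITS(&p[2])));
		/* rawprint() checks the value bytes against the snapshot. */
		if (!rawprint(ndo, (caddr_t)&p[4], EXTRACT_16BITS(&p[2])))
			goto trunc;
	}
	ND_PRINT((ndo,")"));
	return p + totlen;

trunc:
	ND_PRINT((ndo,"[|attr]"));
	return ep + 1;
}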
992
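/*
 * Print an IKEv1 Security Association payload and then the Proposal
 * payloads it carries.
 *
 * For a non-IPsec DOI only the raw doi/situation words are printed and
 * the pointer just past the fixed part is returned.  For the IPsec DOI
 * the situation bits are named; when more than the identity situation
 * is set, RFC 2407 4.6.1 places a 4-octet Labeled Domain Identifier
 * directly after the Situation field, i.e. at 'np'.  (The previous code
 * read it from ext + 1, which is the DOI word of the header just
 * printed, and never bounds-checked the real identifier.)
 *
 * Returns what ikev1_sub_print() returns for the proposals, or NULL on
 * truncation after printing " [|sa]".
 */
static const u_char *
ikev1_sa_print(netdissect_options *ndo, u_char tpay _U_,
	       const struct isakmp_gen *ext,
		u_int item_len _U_,
		const u_char *ep, u_int32_t phase, u_int32_t doi0 _U_,
		u_int32_t proto0, int depth)
{
	const struct ikev1_pl_sa *p;
	struct ikev1_pl_sa sa;
	u_int32_t doi, sit, ident;
	const u_char *cp, *np;
	int t;

	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_SA)));

	p = (const struct ikev1_pl_sa *)ext;
	ND_TCHECK(*p);
	unaligned_memcpy(&sa, ext, sizeof(sa));
	doi = ntohl(sa.doi);
	sit = ntohl(sa.sit);
	if (doi != IPSEC_DOI) {
		/* Unknown DOI: the situation word is opaque, print it raw. */
		ND_PRINT((ndo," doi=%u", doi));
		ND_PRINT((ndo," situation=%u", sit));
		return (const u_char *)(p + 1);
	}

	ND_PRINT((ndo," doi=ipsec"));
	ND_PRINT((ndo," situation="));
	t = 0;
	if (sit & IPSECDOI_SIT_IDENTITY_ONLY) {
		ND_PRINT((ndo,"identity"));
		t++;
	}
	if (sit & IPSECDOI_SIT_SECRECY) {
		ND_PRINT((ndo,"%ssecrecy", t ? "+" : ""));
		t++;
	}
	if (sit & IPSECDOI_SIT_INTEGRITY)
		ND_PRINT((ndo,"%sintegrity", t ? "+" : ""));

	np = (const u_char *)ext + sizeof(sa);
	if (sit != IPSECDOI_SIT_IDENTITY_ONLY) {
		/* Labeled Domain Identifier follows the Situation field. */
		ND_TCHECK2(*np, sizeof(ident));
		unaligned_memcpy(&ident, np, sizeof(ident));
		ND_PRINT((ndo," ident=%u", (u_int32_t)ntohl(ident)));
		np += sizeof(ident);
	}

	ext = (const struct isakmp_gen *)np;
	ND_TCHECK(*ext);

	cp = ikev1_sub_print(ndo, ISAKMP_NPTYPE_P, ext, ep, phase, doi, proto0,
		depth);

	return cp;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_SA)));
	return NULL;
}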
1052
/*
 * Print an IKEv1 Proposal payload (number, protocol, transform count and
 * the SPI) and then the Transform payloads that follow its SPI.
 *
 * Returns what ikev1_sub_print() returns for the transforms, or NULL on
 * truncation after printing " [|p]".
 */
static const u_char *
ikev1_p_print(netdissect_options *ndo, u_char tpay _U_,
	      const struct isakmp_gen *ext, u_int item_len _U_,
	       const u_char *ep, u_int32_t phase, u_int32_t doi0,
	       u_int32_t proto0 _U_, int depth)
{
	const struct ikev1_pl_p *pl = (const struct ikev1_pl_p *)ext;
	struct ikev1_pl_p prop;
	const u_char *spi;
	const struct isakmp_gen *first_t;

	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_P)));

	ND_TCHECK(*pl);
	unaligned_memcpy(&prop, ext, sizeof(prop));
	ND_PRINT((ndo," #%d protoid=%s transform=%d",
		  prop.p_no, PROTOIDSTR(prop.prot_id), prop.num_t));

	/* The SPI sits right after the fixed part; rawprint() bounds-checks it. */
	spi = (const u_char *)(pl + 1);
	if (prop.spi_size != 0) {
		ND_PRINT((ndo," spi="));
		if (!rawprint(ndo, (caddr_t)spi, prop.spi_size))
			goto trunc;
	}

	/* Transforms start immediately after the SPI. */
	first_t = (const struct isakmp_gen *)(spi + prop.spi_size);
	ND_TCHECK(*first_t);

	return ikev1_sub_print(ndo, ISAKMP_NPTYPE_T, first_t, ep, phase, doi0,
			       prop.prot_id, depth);
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_P)));
	return NULL;
}
1087
/*
 * Name tables.  Each *_p_map is indexed directly by the transform / group
 * id found in the packet (STR_OR_ID falls back to the number when the
 * index is out of range); the attrmap tables drive attribute decoding in
 * ikev1_attrmap_print().
 */

/* Transform ids used by ikev1_t_print() for proto 1. */
static const char *ikev1_p_map[] = {
	NULL, "ike",
};

/* IKEv2 transform type names, indexed by t_type (ikev2_t_print()). */
static const char *ikev2_t_type_map[]={
	NULL, "encr", "prf", "integ", "dh", "esn"
};

/* Transform ids used by ikev1_t_print() for proto 2. */
static const char *ah_p_map[] = {
	NULL, "(reserved)", "md5", "sha", "1des",
	"sha2-256", "sha2-384", "sha2-512",
};

/* IKEv2 PRF transform ids (IV2_T_PRF). */
static const char *prf_p_map[] = {
	NULL, "hmac-md5", "hmac-sha", "hmac-tiger",
	"aes128_xcbc"
};

/* IKEv2 integrity transform ids (IV2_T_INTEG). */
static const char *integ_p_map[] = {
	NULL, "hmac-md5", "hmac-sha", "dec-mac",
	"kpdk-md5", "aes-xcbc"
};

/* IKEv2 extended-sequence-number transform ids (IV2_T_ESN); 0 is valid. */
static const char *esn_p_map[] = {
	"no-esn", "esn"
};

/* DH group ids: IKEv2 IV2_T_DH transforms and the KE payload's ke_group. */
static const char *dh_p_map[] = {
	NULL, "modp768",
	"modp1024", /* group 2 */
	"EC2N 2^155", /* group 3 */
	"EC2N 2^185", /* group 4 */
	"modp1536", /* group 5 */
	"iana-grp06", "iana-grp07", /* reserved */
	"iana-grp08", "iana-grp09",
	"iana-grp10", "iana-grp11",
	"iana-grp12", "iana-grp13",
	"modp2048", /* group 14 */
	"modp3072", /* group 15 */
	"modp4096", /* group 16 */
	"modp6144", /* group 17 */
	"modp8192", /* group 18 */
};

/* Transform ids for proto 3 in ikev1_t_print() and IV2_T_ENCR in IKEv2. */
static const char *esp_p_map[] = {
	NULL, "1des-iv64", "1des", "3des", "rc5", "idea", "cast",
	"blowfish", "3idea", "1des-iv32", "rc4", "null", "aes"
};

/* Transform ids used by ikev1_t_print() for proto 4. */
static const char *ipcomp_p_map[] = {
	NULL, "oui", "deflate", "lzs",
};

/*
 * Attribute maps, indexed by attribute type.  Each entry is written as
 * { name, count, { value names... } }.  NOTE(review): the count appears to be
 * the size of the value list (it matches for most entries), but
 * encr_t_map's "keylen" entry gives 14 with a single NULL — confirm the
 * field's meaning against struct attrmap and ikev1_attrmap_print() before
 * relying on it.
 */

/* Attributes of transforms for proto 2, 3 and 4 (ikev1_t_print()). */
static const struct attrmap ipsec_t_map[] = {
	{ NULL, 0, { NULL } },
	{ "lifetype", 3, { NULL, "sec", "kb", }, },
	{ "life", 0, { NULL } },
	{ "group desc", 18, { NULL, "modp768",
			      "modp1024", /* group 2 */
			      "EC2N 2^155", /* group 3 */
			      "EC2N 2^185", /* group 4 */
			      "modp1536", /* group 5 */
			      "iana-grp06", "iana-grp07", /* reserved */
			      "iana-grp08", "iana-grp09",
			      "iana-grp10", "iana-grp11",
			      "iana-grp12", "iana-grp13",
			      "modp2048", /* group 14 */
			      "modp3072", /* group 15 */
			      "modp4096", /* group 16 */
			      "modp6144", /* group 17 */
			      "modp8192", /* group 18 */
	}, },
	{ "enc mode", 3, { NULL, "tunnel", "transport", }, },
	{ "auth", 5, { NULL, "hmac-md5", "hmac-sha1", "1des-mac", "keyed", }, },
	{ "keylen", 0, { NULL } },
	{ "rounds", 0, { NULL } },
	{ "dictsize", 0, { NULL } },
	{ "privalg", 0, { NULL } },
};

/* Attributes of IKEv2 ENCR transforms; only type 14 (keylen) is named. */
static const struct attrmap encr_t_map[] = {
	{ NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 0, 1 */
	{ NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 2, 3 */
	{ NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 4, 5 */
	{ NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 6, 7 */
	{ NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 8, 9 */
	{ NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 10,11*/
	{ NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 12,13*/
	{ "keylen", 14, { NULL }},
};

/* Attributes of proto-1 transforms (ikev1_t_print()) and of the
 * RESPONDER-LIFETIME notification data (ikev1_n_print()). */
static const struct attrmap oakley_t_map[] = {
	{ NULL, 0, { NULL } },
	{ "enc", 8, { NULL, "1des", "idea", "blowfish", "rc5",
		      "3des", "cast", "aes", }, },
	{ "hash", 7, { NULL, "md5", "sha1", "tiger",
		       "sha2-256", "sha2-384", "sha2-512", }, },
	{ "auth", 6, { NULL, "preshared", "dss", "rsa sig", "rsa enc",
		       "rsa enc revised", }, },
	{ "group desc", 18, { NULL, "modp768",
			      "modp1024", /* group 2 */
			      "EC2N 2^155", /* group 3 */
			      "EC2N 2^185", /* group 4 */
			      "modp1536", /* group 5 */
			      "iana-grp06", "iana-grp07", /* reserved */
			      "iana-grp08", "iana-grp09",
			      "iana-grp10", "iana-grp11",
			      "iana-grp12", "iana-grp13",
			      "modp2048", /* group 14 */
			      "modp3072", /* group 15 */
			      "modp4096", /* group 16 */
			      "modp6144", /* group 17 */
			      "modp8192", /* group 18 */
	}, },
	{ "group type", 4, { NULL, "MODP", "ECP", "EC2N", }, },
	{ "group prime", 0, { NULL } },
	{ "group gen1", 0, { NULL } },
	{ "group gen2", 0, { NULL } },
	{ "group curve A", 0, { NULL } },
	{ "group curve B", 0, { NULL } },
	{ "lifetype", 3, { NULL, "sec", "kb", }, },
	{ "lifeduration", 0, { NULL } },
	{ "prf", 0, { NULL } },
	{ "keylen", 0, { NULL } },
	{ "field", 0, { NULL } },
	{ "order", 0, { NULL } },
};
1215
/*
 * IKEv1 Transform payload (ISAKMP_NPTYPE_T).
 *
 * The id-name table and the attribute map depend on the protocol of the
 * enclosing proposal: proto 1 uses ikev1_p_map / oakley_t_map, proto 2, 3
 * and 4 use ah_p_map, esp_p_map and ipcomp_p_map with ipsec_t_map.  Any
 * other protocol prints the id numerically and decodes the attributes
 * without a map.  Attributes are consumed until the payload end
 * (item_len) or the buffer end (ep), whichever comes first; "..." marks a
 * payload that runs past the buffer.
 *
 * Returns a pointer past the parsed attributes, or NULL (after a
 * truncation marker) if the fixed header is not captured.
 */
static const u_char *
ikev1_t_print(netdissect_options *ndo, u_char tpay _U_,
	      const struct isakmp_gen *ext, u_int item_len,
	      const u_char *ep, u_int32_t phase _U_, u_int32_t doi _U_,
	      u_int32_t proto, int depth _U_)
{
	const struct ikev1_pl_t *hdr = (const struct ikev1_pl_t *)ext;
	struct ikev1_pl_t t;
	const u_char *cp, *ep2, *lim;
	const char *idstr = NULL;
	const struct attrmap *map = NULL;
	size_t nmap = 0;

	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_T)));

	ND_TCHECK(*hdr);
	unaligned_memcpy(&t, ext, sizeof(t));

	/* STR_OR_ID needs the array itself, so the lookup stays per case. */
	if (proto == 1) {
		idstr = STR_OR_ID(t.t_id, ikev1_p_map);
		map = oakley_t_map;
		nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]);
	} else if (proto == 2) {
		idstr = STR_OR_ID(t.t_id, ah_p_map);
		map = ipsec_t_map;
		nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
	} else if (proto == 3) {
		idstr = STR_OR_ID(t.t_id, esp_p_map);
		map = ipsec_t_map;
		nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
	} else if (proto == 4) {
		idstr = STR_OR_ID(t.t_id, ipcomp_p_map);
		map = ipsec_t_map;
		nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
	}

	if (idstr == NULL)
		ND_PRINT((ndo," #%d id=%d ", t.t_no, t.t_id));
	else
		ND_PRINT((ndo," #%d id=%s ", t.t_no, idstr));

	cp = (const u_char *)(hdr + 1);
	ep2 = (const u_char *)hdr + item_len;
	/* Neither bound changes in the loop, so pick the nearer one once. */
	lim = (ep < ep2) ? ep : ep2;
	while (cp < lim) {
		/* NOTE(review): if the attribute printers can return NULL the
		 * loop would keep going with cp == NULL — confirm their contract. */
		if (map != NULL && nmap != 0)
			cp = ikev1_attrmap_print(ndo, cp, lim, map, nmap);
		else
			cp = ikev1_attr_print(ndo, cp, lim);
	}
	if (ep < ep2)
		ND_PRINT((ndo,"..."));
	return cp;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_T)));
	return NULL;
}
1284
/*
 * IKEv1 Key Exchange payload (ISAKMP_NPTYPE_KE): prints the key length
 * (payload length minus the 4-byte generic header) and, at -vvv, the key
 * bytes.  Returns a pointer past the payload, or NULL (after a truncation
 * marker) if the header or the dumped bytes are not captured.
 */
static const u_char *
ikev1_ke_print(netdissect_options *ndo, u_char tpay _U_,
	       const struct isakmp_gen *ext, u_int item_len _U_,
	       const u_char *ep _U_, u_int32_t phase _U_, u_int32_t doi _U_,
	       u_int32_t proto _U_, int depth _U_)
{
	struct isakmp_gen hdr;
	u_int16_t paylen;

	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_KE)));

	ND_TCHECK(*ext);
	unaligned_memcpy(&hdr, ext, sizeof(hdr));
	paylen = ntohs(hdr.len);
	ND_PRINT((ndo," key len=%d", paylen - 4));
	/* Dump the key material only at -vvv and only when there is some. */
	if (ndo->ndo_vflag > 2 && paylen > 4) {
		ND_PRINT((ndo," "));
		if (!rawprint(ndo, (caddr_t)(ext + 1), paylen - 4))
			goto trunc;
	}
	return (const u_char *)ext + paylen;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_KE)));
	return NULL;
}
1308
/*
 * IKEv1 Identification payload (ISAKMP_NPTYPE_ID).
 *
 * With USE_IPSECDOI_IN_PHASE1 defined (it is, just below), phase 1 and
 * phase 2 payloads are decoded as an IPsec-DOI identification: type,
 * protocol id, port, then type-specific address / name data.  Any other
 * phase prints the generic id_type / doi_data form.  Data the decoder does
 * not interpret is dumped at -vvv.
 *
 * Returns a pointer item_len bytes past the payload start, or NULL (after
 * a truncation marker) when the capture ends inside the payload.
 */
static const u_char *
ikev1_id_print(netdissect_options *ndo, u_char tpay _U_,
	       const struct isakmp_gen *ext, u_int item_len _U_,
	       const u_char *ep _U_, u_int32_t phase, u_int32_t doi _U_,
	       u_int32_t proto _U_, int depth _U_)
{
#define USE_IPSECDOI_IN_PHASE1 1
	const struct ikev1_pl_id *p;
	struct ikev1_pl_id id;
	static const char *idtypestr[] = {
		"IPv4", "IPv4net", "IPv6", "IPv6net",
	};
	static const char *ipsecidtypestr[] = {
		NULL, "IPv4", "FQDN", "user FQDN", "IPv4net", "IPv6",
		"IPv6net", "IPv4range", "IPv6range", "ASN1 DN", "ASN1 GN",
		"keyid",
	};
	int len;
	const u_char *data;

	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_ID)));

	p = (struct ikev1_pl_id *)ext;
	ND_TCHECK(*p);
	unaligned_memcpy(&id, ext, sizeof(id));
	/* data/len cover the variable part after the fixed header, if any. */
	if (sizeof(*p) < item_len) {
		data = (u_char *)(p + 1);
		len = item_len - sizeof(*p);
	} else {
		data = NULL;
		len = 0;
	}

#if 0 /*debug*/
	ND_PRINT((ndo," [phase=%d doi=%d proto=%d]", phase, doi, proto));
#endif
	switch (phase) {
#ifndef USE_IPSECDOI_IN_PHASE1
	case 1:
#endif
	default:
		ND_PRINT((ndo," idtype=%s", STR_OR_ID(id.d.id_type, idtypestr)));
		/* Only the low 24 bits of doi_data are shown. */
		ND_PRINT((ndo," doi_data=%u",
			  (u_int32_t)(ntohl(id.d.doi_data) & 0xffffff)));
		break;

#ifdef USE_IPSECDOI_IN_PHASE1
	case 1:
#endif
	case 2:
	    {
		/*
		 * p and id shadow the outer variables with the IPsec-DOI layout.
		 * NOTE(review): data/len above were derived from
		 * sizeof(struct ikev1_pl_id); this block reads a struct
		 * ipsecdoi_id at the same place, so the two headers need the same
		 * size — confirm.
		 */
		const struct ipsecdoi_id *p;
		struct ipsecdoi_id id;
		struct protoent *pe;

		p = (struct ipsecdoi_id *)ext;
		ND_TCHECK(*p);
		unaligned_memcpy(&id, ext, sizeof(id));
		ND_PRINT((ndo," idtype=%s", STR_OR_ID(id.type, ipsecidtypestr)));
		if (id.proto_id) {
#ifndef WIN32
			setprotoent(1);
#endif /* WIN32 */
			/* Resolve the protocol number to its name via the system table. */
			pe = getprotobynumber(id.proto_id);
			if (pe)
				ND_PRINT((ndo," protoid=%s", pe->p_name));
#ifndef WIN32
			endprotoent();
#endif /* WIN32 */
		} else {
			/* it DOES NOT mean IPPROTO_IP! */
			ND_PRINT((ndo," protoid=%s", "0"));
		}
		ND_PRINT((ndo," port=%d", ntohs(id.port)));
		if (!len)
			break;
		if (data == NULL)
			goto trunc;
		/* Everything the per-type cases read below lies within len. */
		ND_TCHECK2(*data, len);
		/*
		 * Each case that consumes its data sets len = 0 so the trailing
		 * raw dump is skipped; the ASN.1 / key-id types leave len alone
		 * and let that dump show the bytes.
		 */
		switch (id.type) {
		case IPSECDOI_ID_IPV4_ADDR:
			if (len < 4)
				ND_PRINT((ndo," len=%d [bad: < 4]", len));
			else
				ND_PRINT((ndo," len=%d %s", len, ipaddr_string(data)));
			len = 0;
			break;
		case IPSECDOI_ID_FQDN:
		case IPSECDOI_ID_USER_FQDN:
		    {
			int i;
			ND_PRINT((ndo," len=%d ", len));
			/* Names are printed byte by byte through safeputchar. */
			for (i = 0; i < len; i++)
				safeputchar(data[i]);
			len = 0;
			break;
		    }
		case IPSECDOI_ID_IPV4_ADDR_SUBNET:
		    {
			const u_char *mask;
			if (len < 8)
				ND_PRINT((ndo," len=%d [bad: < 8]", len));
			else {
				/* Address then mask, 4 bytes each. */
				mask = data + sizeof(struct in_addr);
				ND_PRINT((ndo," len=%d %s/%u.%u.%u.%u", len,
					  ipaddr_string(data),
					  mask[0], mask[1], mask[2], mask[3]));
			}
			len = 0;
			break;
		    }
#ifdef INET6
		case IPSECDOI_ID_IPV6_ADDR:
			if (len < 16)
				ND_PRINT((ndo," len=%d [bad: < 16]", len));
			else
				ND_PRINT((ndo," len=%d %s", len, ip6addr_string(data)));
			len = 0;
			break;
		case IPSECDOI_ID_IPV6_ADDR_SUBNET:
		    {
			const u_char *mask;
			if (len < 20)
				ND_PRINT((ndo," len=%d [bad: < 20]", len));
			else {
				/* Address then mask, 16 bytes each; the mask is printed in hex. */
				mask = (u_char *)(data + sizeof(struct in6_addr));
				/*XXX*/
				ND_PRINT((ndo," len=%d %s/0x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x", len,
					  ip6addr_string(data),
					  mask[0], mask[1], mask[2], mask[3],
					  mask[4], mask[5], mask[6], mask[7],
					  mask[8], mask[9], mask[10], mask[11],
					  mask[12], mask[13], mask[14], mask[15]));
			}
			len = 0;
			break;
		    }
#endif /*INET6*/
		case IPSECDOI_ID_IPV4_ADDR_RANGE:
			if (len < 8)
				ND_PRINT((ndo," len=%d [bad: < 8]", len));
			else {
				ND_PRINT((ndo," len=%d %s-%s", len,
					  ipaddr_string(data),
					  ipaddr_string(data + sizeof(struct in_addr))));
			}
			len = 0;
			break;
#ifdef INET6
		case IPSECDOI_ID_IPV6_ADDR_RANGE:
			if (len < 32)
				ND_PRINT((ndo," len=%d [bad: < 32]", len));
			else {
				ND_PRINT((ndo," len=%d %s-%s", len,
					  ip6addr_string(data),
					  ip6addr_string(data + sizeof(struct in6_addr))));
			}
			len = 0;
			break;
#endif /*INET6*/
		case IPSECDOI_ID_DER_ASN1_DN:
		case IPSECDOI_ID_DER_ASN1_GN:
		case IPSECDOI_ID_KEY_ID:
			break;
		}
		break;
	    }
	}
	/* Whatever was not interpreted above: length always, bytes at -vvv. */
	if (data && len) {
		ND_PRINT((ndo," len=%d", len));
		if (2 < ndo->ndo_vflag) {
			ND_PRINT((ndo," "));
			if (!rawprint(ndo, (caddr_t)data, len))
				goto trunc;
		}
	}
	return (u_char *)ext + item_len;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_ID)));
	return NULL;
}
1490
/*
 * IKEv1 Certificate payload (ISAKMP_NPTYPE_CERT): prints the data length
 * (item_len minus the 4-byte generic header) and the encoding name, and
 * at -vvv dumps the certificate bytes that follow the generic header.
 * Returns a pointer item_len bytes past the payload start, or NULL (after
 * a truncation marker) when the capture ends inside it.
 */
static const u_char *
ikev1_cert_print(netdissect_options *ndo, u_char tpay _U_,
		 const struct isakmp_gen *ext, u_int item_len _U_,
		 const u_char *ep _U_, u_int32_t phase _U_,
		 u_int32_t doi0 _U_,
		 u_int32_t proto0 _U_, int depth _U_)
{
	static const char *certstr[] = {
		"none", "pkcs7", "pgp", "dns",
		"x509sign", "x509ke", "kerberos", "crl",
		"arl", "spki", "x509attr",
	};
	const struct ikev1_pl_cert *hdr = (const struct ikev1_pl_cert *)ext;
	struct ikev1_pl_cert cert;
	int want_dump;

	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_CERT)));

	ND_TCHECK(*hdr);
	unaligned_memcpy(&cert, ext, sizeof(cert));
	ND_PRINT((ndo," len=%d", item_len - 4));
	ND_PRINT((ndo," type=%s", STR_OR_ID((cert.encode), certstr)));
	want_dump = (ndo->ndo_vflag > 2) && (item_len > 4);
	if (want_dump) {
		ND_PRINT((ndo," "));
		/* The dump starts after the generic header, not after the
		 * encoding byte. */
		if (!rawprint(ndo, (caddr_t)(ext + 1), item_len - 4))
			goto trunc;
	}
	return (const u_char *)ext + item_len;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_CERT)));
	return NULL;
}
1523
/*
 * IKEv1 Certificate Request payload (ISAKMP_NPTYPE_CR).  Same layout and
 * output as the certificate payload: data length, encoding name, and the
 * bytes after the generic header at -vvv.  Returns a pointer item_len
 * bytes past the payload start, or NULL (after a truncation marker) when
 * the capture ends inside it.
 */
static const u_char *
ikev1_cr_print(netdissect_options *ndo, u_char tpay _U_,
	       const struct isakmp_gen *ext, u_int item_len _U_,
	       const u_char *ep _U_, u_int32_t phase _U_, u_int32_t doi0 _U_,
	       u_int32_t proto0 _U_, int depth _U_)
{
	static const char *certstr[] = {
		"none", "pkcs7", "pgp", "dns",
		"x509sign", "x509ke", "kerberos", "crl",
		"arl", "spki", "x509attr",
	};
	const struct ikev1_pl_cert *hdr = (const struct ikev1_pl_cert *)ext;
	struct ikev1_pl_cert req;

	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_CR)));

	ND_TCHECK(*hdr);
	unaligned_memcpy(&req, ext, sizeof(req));
	ND_PRINT((ndo," len=%d", item_len - 4));
	ND_PRINT((ndo," type=%s", STR_OR_ID((req.encode), certstr)));
	if (item_len <= 4 || ndo->ndo_vflag <= 2)
		return (const u_char *)ext + item_len;

	/* -vvv: dump everything after the generic header. */
	ND_PRINT((ndo," "));
	if (!rawprint(ndo, (caddr_t)(ext + 1), item_len - 4))
		goto trunc;
	return (const u_char *)ext + item_len;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_CR)));
	return NULL;
}
1555
/*
 * IKEv1 Hash payload (ISAKMP_NPTYPE_HASH): prints the hash length
 * (payload length minus the generic header) and dumps the hash bytes at
 * -vvv.  Returns a pointer past the payload, or NULL (after a truncation
 * marker) when the capture ends inside it.
 */
static const u_char *
ikev1_hash_print(netdissect_options *ndo, u_char tpay _U_,
		 const struct isakmp_gen *ext, u_int item_len _U_,
		 const u_char *ep _U_, u_int32_t phase _U_, u_int32_t doi _U_,
		 u_int32_t proto _U_, int depth _U_)
{
	struct isakmp_gen hdr;
	int datalen;

	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_HASH)));

	ND_TCHECK(*ext);
	unaligned_memcpy(&hdr, ext, sizeof(hdr));
	/* datalen is what is left after the 4-byte generic header. */
	datalen = ntohs(hdr.len) - 4;
	ND_PRINT((ndo," len=%d", datalen));
	if (datalen > 0 && ndo->ndo_vflag > 2) {
		ND_PRINT((ndo," "));
		if (!rawprint(ndo, (caddr_t)(ext + 1), datalen))
			goto trunc;
	}
	return (const u_char *)ext + ntohs(hdr.len);
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_HASH)));
	return NULL;
}
1579
/*
 * IKEv1 Signature payload (ISAKMP_NPTYPE_SIG): prints the signature length
 * (payload length minus the generic header) and dumps the signature bytes
 * at -vvv.  Returns a pointer past the payload, or NULL (after a
 * truncation marker) when the capture ends inside it.
 */
static const u_char *
ikev1_sig_print(netdissect_options *ndo, u_char tpay _U_,
		const struct isakmp_gen *ext, u_int item_len _U_,
		const u_char *ep _U_, u_int32_t phase _U_, u_int32_t doi _U_,
		u_int32_t proto _U_, int depth _U_)
{
	struct isakmp_gen hdr;
	u_int16_t paylen;
	int verbose;

	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_SIG)));

	ND_TCHECK(*ext);
	unaligned_memcpy(&hdr, ext, sizeof(hdr));
	paylen = ntohs(hdr.len);
	ND_PRINT((ndo," len=%d", paylen - 4));
	verbose = ndo->ndo_vflag > 2;
	if (verbose && paylen > 4) {
		ND_PRINT((ndo," "));
		if (!rawprint(ndo, (caddr_t)(ext + 1), paylen - 4))
			goto trunc;
	}
	return (const u_char *)ext + paylen;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_SIG)));
	return NULL;
}
1603
/*
 * IKEv1 Nonce payload (ISAKMP_NPTYPE_NONCE): prints the nonce length and,
 * depending on verbosity, either the full nonce (-vvv) or a prefix of it
 * via ike_show_somedata() (-vv).  Returns a pointer past the payload, or
 * NULL (after a truncation marker) when the capture ends inside it.
 */
static const u_char *
ikev1_nonce_print(netdissect_options *ndo, u_char tpay _U_,
		  const struct isakmp_gen *ext,
		  u_int item_len _U_,
		  const u_char *ep _U_,
		  u_int32_t phase _U_, u_int32_t doi _U_,
		  u_int32_t proto _U_, int depth _U_)
{
	struct isakmp_gen hdr;
	u_int16_t paylen;
	int have_data;

	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_NONCE)));

	ND_TCHECK(*ext);
	unaligned_memcpy(&hdr, ext, sizeof(hdr));
	paylen = ntohs(hdr.len);
	ND_PRINT((ndo," n len=%d", paylen - 4));
	have_data = paylen > 4;
	if (have_data && ndo->ndo_vflag > 2) {
		/* Full dump. */
		ND_PRINT((ndo," "));
		if (!rawprint(ndo, (caddr_t)(ext + 1), paylen - 4))
			goto trunc;
	} else if (have_data && ndo->ndo_vflag > 1) {
		/* Abbreviated dump, bounded by ep. */
		ND_PRINT((ndo," "));
		if (!ike_show_somedata(ndo, (u_char *)(caddr_t)(ext + 1), ep))
			goto trunc;
	}
	return (const u_char *)ext + paylen;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_NONCE)));
	return NULL;
}
1633
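/*
 * IKEv1 Notification payload (ISAKMP_NPTYPE_N).
 *
 * Prints DOI, protocol id, notify type (looked up in the per-range tables
 * below) and the SPI.  For the IPsec DOI the data after the SPI is then
 * decoded by notify type: RESPONDER-LIFETIME carries oakley attributes,
 * REPLAY-STATUS a 32-bit flag, NO-PROPOSAL-CHOSEN a nested SA payload and
 * anything else is handed to isakmp_print() as a nested message.
 *
 * Returns a pointer item_len bytes past the payload start (or just past
 * the SPI for a non-IPsec DOI), or NULL after a truncation marker when the
 * capture ends inside the payload.
 *
 * Fixes: the REPLAY-STATUS flag is bounds-checked before EXTRACT_32BITS
 * reads it; the nested-message length in the default case is guarded so
 * that a payload shorter than its fixed header plus SPI cannot wrap the
 * unsigned subtraction; doi/proto are printed with %u.
 */
static const u_char *
ikev1_n_print(netdissect_options *ndo, u_char tpay _U_,
	      const struct isakmp_gen *ext, u_int item_len,
	      const u_char *ep, u_int32_t phase, u_int32_t doi0 _U_,
	      u_int32_t proto0 _U_, int depth)
{
	const struct ikev1_pl_n *p;
	struct ikev1_pl_n n;
	const u_char *cp;
	const u_char *ep2;
	u_int32_t doi;
	u_int32_t proto;
	u_int16_t ntype;
	static const char *notify_error_str[] = {
		NULL, "INVALID-PAYLOAD-TYPE",
		"DOI-NOT-SUPPORTED", "SITUATION-NOT-SUPPORTED",
		"INVALID-COOKIE", "INVALID-MAJOR-VERSION",
		"INVALID-MINOR-VERSION", "INVALID-EXCHANGE-TYPE",
		"INVALID-FLAGS", "INVALID-MESSAGE-ID",
		"INVALID-PROTOCOL-ID", "INVALID-SPI",
		"INVALID-TRANSFORM-ID", "ATTRIBUTES-NOT-SUPPORTED",
		"NO-PROPOSAL-CHOSEN", "BAD-PROPOSAL-SYNTAX",
		"PAYLOAD-MALFORMED", "INVALID-KEY-INFORMATION",
		"INVALID-ID-INFORMATION", "INVALID-CERT-ENCODING",
		"INVALID-CERTIFICATE", "CERT-TYPE-UNSUPPORTED",
		"INVALID-CERT-AUTHORITY", "INVALID-HASH-INFORMATION",
		"AUTHENTICATION-FAILED", "INVALID-SIGNATURE",
		"ADDRESS-NOTIFICATION", "NOTIFY-SA-LIFETIME",
		"CERTIFICATE-UNAVAILABLE", "UNSUPPORTED-EXCHANGE-TYPE",
		"UNEQUAL-PAYLOAD-LENGTHS",
	};
	static const char *ipsec_notify_error_str[] = {
		"RESERVED",
	};
	static const char *notify_status_str[] = {
		"CONNECTED",
	};
	static const char *ipsec_notify_status_str[] = {
		"RESPONDER-LIFETIME", "REPLAY-STATUS",
		"INITIAL-CONTACT",
	};
	/* NOTE: these macro must be called with x in proper range */

	/* 0 - 8191 */
#define NOTIFY_ERROR_STR(x) \
	STR_OR_ID((x), notify_error_str)

	/* 8192 - 16383 */
#define IPSEC_NOTIFY_ERROR_STR(x) \
	STR_OR_ID((u_int)((x) - 8192), ipsec_notify_error_str)

	/* 16384 - 24575 */
#define NOTIFY_STATUS_STR(x) \
	STR_OR_ID((u_int)((x) - 16384), notify_status_str)

	/* 24576 - 32767 */
#define IPSEC_NOTIFY_STATUS_STR(x) \
	STR_OR_ID((u_int)((x) - 24576), ipsec_notify_status_str)

	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_N)));

	p = (const struct ikev1_pl_n *)ext;
	ND_TCHECK(*p);
	unaligned_memcpy(&n, ext, sizeof(n));
	doi = ntohl(n.doi);
	proto = n.prot_id;
	/* The type is consulted many times; convert it once. */
	ntype = ntohs(n.type);
	if (doi != 1) {
		ND_PRINT((ndo," doi=%u", doi));
		ND_PRINT((ndo," proto=%u", proto));
		/* Non-IPsec DOI: only the generic ranges have names. */
		if (ntype < 8192)
			ND_PRINT((ndo," type=%s", NOTIFY_ERROR_STR(ntype)));
		else if (ntype < 16384)
			ND_PRINT((ndo," type=%s", numstr(ntype)));
		else if (ntype < 24576)
			ND_PRINT((ndo," type=%s", NOTIFY_STATUS_STR(ntype)));
		else
			ND_PRINT((ndo," type=%s", numstr(ntype)));
		if (n.spi_size) {
			ND_PRINT((ndo," spi="));
			if (!rawprint(ndo, (caddr_t)(p + 1), n.spi_size))
				goto trunc;
		}
		return (const u_char *)(p + 1) + n.spi_size;
	}

	ND_PRINT((ndo," doi=ipsec"));
	ND_PRINT((ndo," proto=%s", PROTOIDSTR(proto)));
	if (ntype < 8192)
		ND_PRINT((ndo," type=%s", NOTIFY_ERROR_STR(ntype)));
	else if (ntype < 16384)
		ND_PRINT((ndo," type=%s", IPSEC_NOTIFY_ERROR_STR(ntype)));
	else if (ntype < 24576)
		ND_PRINT((ndo," type=%s", NOTIFY_STATUS_STR(ntype)));
	else if (ntype < 32768)
		ND_PRINT((ndo," type=%s", IPSEC_NOTIFY_STATUS_STR(ntype)));
	else
		ND_PRINT((ndo," type=%s", numstr(ntype)));
	if (n.spi_size) {
		ND_PRINT((ndo," spi="));
		if (!rawprint(ndo, (caddr_t)(p + 1), n.spi_size))
			goto trunc;
	}

	/* cp: start of the notification data; ep2: end of this payload. */
	cp = (const u_char *)(p + 1) + n.spi_size;
	ep2 = (const u_char *)p + item_len;

	if (cp < ep) {
		ND_PRINT((ndo," orig=("));
		switch (ntype) {
		case IPSECDOI_NTYPE_RESPONDER_LIFETIME:
		    {
			const struct attrmap *map = oakley_t_map;
			size_t nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]);
			while (cp < ep && cp < ep2) {
				cp = ikev1_attrmap_print(ndo, cp,
					(ep < ep2) ? ep : ep2, map, nmap);
			}
			break;
		    }
		case IPSECDOI_NTYPE_REPLAY_STATUS:
			/* The flag is read straight from the buffer: make sure
			 * all four bytes were captured first. */
			ND_TCHECK2(*cp, 4);
			ND_PRINT((ndo,"replay detection %sabled",
				  EXTRACT_32BITS(cp) ? "en" : "dis"));
			break;
		case ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN:
			if (ikev1_sub_print(ndo, ISAKMP_NPTYPE_SA,
					    (const struct isakmp_gen *)cp, ep, phase, doi, proto,
					    depth) == NULL)
				return NULL;
			break;
		default:
			/* The declared length must cover the fixed header and the
			 * SPI, otherwise the nested length below would wrap. */
			if (item_len < sizeof(*p) + n.spi_size)
				goto trunc;
			/* NULL is dummy */
			isakmp_print(ndo, cp,
				     item_len - sizeof(*p) - n.spi_size,
				     NULL);
		}
		ND_PRINT((ndo,")"));
	}
	return (const u_char *)ext + item_len;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_N)));
	return NULL;
}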
1774
/*
 * IKEv1 Delete payload (ISAKMP_NPTYPE_D): prints DOI, protocol id, SPI
 * size and count, then each SPI (spi_size bytes, comma separated).
 * Returns a pointer past the last SPI, or NULL (after a truncation
 * marker) when the header or an SPI is not captured.
 */
static const u_char *
ikev1_d_print(netdissect_options *ndo, u_char tpay _U_,
	      const struct isakmp_gen *ext, u_int item_len _U_,
	      const u_char *ep _U_, u_int32_t phase _U_, u_int32_t doi0 _U_,
	      u_int32_t proto0 _U_, int depth _U_)
{
	const struct ikev1_pl_d *hdr = (const struct ikev1_pl_d *)ext;
	struct ikev1_pl_d del;
	const u_int8_t *spi;
	u_int32_t doi, proto;
	u_int16_t nspi, idx;

	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_D)));

	ND_TCHECK(*hdr);
	unaligned_memcpy(&del, ext, sizeof(del));
	doi = ntohl(del.doi);
	proto = del.prot_id;
	if (doi == 1) {
		ND_PRINT((ndo," doi=ipsec"));
		ND_PRINT((ndo," proto=%s", PROTOIDSTR(proto)));
	} else {
		ND_PRINT((ndo," doi=%u", doi));
		ND_PRINT((ndo," proto=%u", proto));
	}
	nspi = ntohs(del.num_spi);
	ND_PRINT((ndo," spilen=%u", del.spi_size));
	ND_PRINT((ndo," nspi=%u", nspi));
	ND_PRINT((ndo," spi="));
	/* SPIs are packed back to back right after the fixed header. */
	spi = (const u_int8_t *)(hdr + 1);
	for (idx = 0; idx < nspi; idx++, spi += del.spi_size) {
		if (idx)
			ND_PRINT((ndo,","));
		if (!rawprint(ndo, (caddr_t)spi, del.spi_size))
			goto trunc;
	}
	return spi;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_D)));
	return NULL;
}
1818
/*
 * IKEv1 Vendor ID payload (ISAKMP_NPTYPE_VID): prints the vendor-id
 * length and, at -vvv, its bytes.  Returns a pointer past the payload, or
 * NULL (after a truncation marker) when the capture ends inside it.
 */
static const u_char *
ikev1_vid_print(netdissect_options *ndo, u_char tpay _U_,
		const struct isakmp_gen *ext,
		u_int item_len _U_, const u_char *ep _U_,
		u_int32_t phase _U_, u_int32_t doi _U_,
		u_int32_t proto _U_, int depth _U_)
{
	struct isakmp_gen hdr;
	int vidlen;

	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_VID)));

	ND_TCHECK(*ext);
	unaligned_memcpy(&hdr, ext, sizeof(hdr));
	vidlen = ntohs(hdr.len) - 4;
	ND_PRINT((ndo," len=%d", vidlen));
	if (ndo->ndo_vflag <= 2 || vidlen <= 0)
		return (const u_char *)ext + ntohs(hdr.len);

	ND_PRINT((ndo," "));
	if (!rawprint(ndo, (caddr_t)(ext + 1), vidlen))
		goto trunc;
	return (const u_char *)ext + ntohs(hdr.len);
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_VID)));
	return NULL;
}
1843
1844 /************************************************************/
1845 /* */
1846 /* IKE v2 - rfc4306 - dissector */
1847 /* */
1848 /************************************************************/
1849
/*
 * Prints an IKEv2 payload name followed by "[C]" when the critical bit
 * (0x80) of the payload's critical/reserved byte is set, then ":".
 */
static void
ikev2_pay_print(netdissect_options *ndo, const char *payname, int critical)
{
	const char *crit_tag = (critical & 0x80) ? "[C]" : "";

	ND_PRINT((ndo,"%s%s:", payname, crit_tag));
}
1855
/*
 * Generic IKEv2 payload printer: name (with critical flag), data length,
 * and at -vvv a dump of the bytes after the 4-byte generic header.  Used
 * for payload types without a dedicated decoder.  Returns a pointer past
 * the payload, or NULL (after a truncation marker) when the capture ends
 * inside it.
 */
static const u_char *
ikev2_gen_print(netdissect_options *ndo, u_char tpay,
		const struct isakmp_gen *ext)
{
	struct isakmp_gen hdr;
	u_int16_t paylen;

	ND_TCHECK(*ext);
	unaligned_memcpy(&hdr, ext, sizeof(hdr));
	ikev2_pay_print(ndo, NPSTR(tpay), hdr.critical);

	paylen = ntohs(hdr.len);
	ND_PRINT((ndo," len=%d", paylen - 4));
	if (ndo->ndo_vflag > 2 && paylen > 4) {
		ND_PRINT((ndo," "));
		if (!rawprint(ndo, (caddr_t)(ext + 1), paylen - 4))
			goto trunc;
	}
	return (const u_char *)ext + paylen;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
	return NULL;
}
1877
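/*
 * IKEv2 Transform substructure.
 *
 * The transform id is looked up in the name table for its type (encr, prf,
 * integ, dh, esn); the attribute list that follows is decoded with
 * encr_t_map for ENCR transforms and with no map otherwise.  pcount is
 * the caller's running transform number.  Attributes are consumed until
 * the payload end (item_len) or the buffer end (ep), whichever comes
 * first; "..." marks a payload that runs past the buffer.
 *
 * Returns a pointer past the parsed attributes, or NULL (after a
 * truncation marker) if the fixed header is not captured.
 *
 * Fix: the numeric fallback printed t.t_id in network byte order; it now
 * prints the host-order t_id that the name lookup used.
 */
static const u_char *
ikev2_t_print(netdissect_options *ndo, u_char tpay _U_, int pcount,
	      const struct isakmp_gen *ext, u_int item_len,
	      const u_char *ep, u_int32_t phase _U_, u_int32_t doi _U_,
	      u_int32_t proto _U_, int depth _U_)
{
	const struct ikev2_t *p;
	struct ikev2_t t;
	u_int16_t t_id;
	const u_char *cp;
	const char *idstr;
	const struct attrmap *map;
	size_t nmap;
	const u_char *ep2, *lim;

	p = (const struct ikev2_t *)ext;
	ND_TCHECK(*p);
	unaligned_memcpy(&t, ext, sizeof(t));
	ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_T), t.h.critical);

	t_id = ntohs(t.t_id);

	map = NULL;
	nmap = 0;

	switch (t.t_type) {
	case IV2_T_ENCR:
		idstr = STR_OR_ID(t_id, esp_p_map);
		/* Only ENCR transforms carry named attributes (keylen). */
		map = encr_t_map;
		nmap = sizeof(encr_t_map)/sizeof(encr_t_map[0]);
		break;

	case IV2_T_PRF:
		idstr = STR_OR_ID(t_id, prf_p_map);
		break;

	case IV2_T_INTEG:
		idstr = STR_OR_ID(t_id, integ_p_map);
		break;

	case IV2_T_DH:
		idstr = STR_OR_ID(t_id, dh_p_map);
		break;

	case IV2_T_ESN:
		idstr = STR_OR_ID(t_id, esn_p_map);
		break;

	default:
		idstr = NULL;
		break;
	}

	if (idstr)
		ND_PRINT((ndo," #%u type=%s id=%s ", pcount,
			  STR_OR_ID(t.t_type, ikev2_t_type_map),
			  idstr));
	else
		ND_PRINT((ndo," #%u type=%s id=%u ", pcount,
			  STR_OR_ID(t.t_type, ikev2_t_type_map),
			  t_id));
	cp = (const u_char *)(p + 1);
	ep2 = (const u_char *)p + item_len;
	/* Neither bound changes in the loop, so pick the nearer one once. */
	lim = (ep < ep2) ? ep : ep2;
	while (cp < lim) {
		/* NOTE(review): if the attribute printers can return NULL the
		 * loop would keep going with cp == NULL — confirm their contract. */
		if (map && nmap)
			cp = ikev1_attrmap_print(ndo, cp, lim, map, nmap);
		else
			cp = ikev1_attr_print(ndo, cp, lim);
	}
	if (ep < ep2)
		ND_PRINT((ndo,"..."));
	return cp;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_T)));
	return NULL;
}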
1955
/*
 * IKEv2 Proposal substructure: prints proposal number, protocol id,
 * transform count, declared length and the optional SPI, then walks the
 * transforms that follow through ikev2_sub_print().  Returns a pointer
 * past the parsed data, or NULL (after a truncation marker) when the
 * capture ends inside the payload.
 */
static const u_char *
ikev2_p_print(netdissect_options *ndo, u_char tpay _U_, int pcount _U_,
	      const struct isakmp_gen *ext, u_int item_len _U_,
	      const u_char *ep, u_int32_t phase, u_int32_t doi0,
	      u_int32_t proto0 _U_, int depth)
{
	const struct ikev2_p *hdr = (const struct ikev2_p *)ext;
	struct ikev2_p prop;
	const u_char *spi;
	const struct isakmp_gen *first_t;

	ND_TCHECK(*hdr);
	unaligned_memcpy(&prop, ext, sizeof(prop));
	ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_P), prop.h.critical);

	ND_PRINT((ndo," #%u protoid=%s transform=%d len=%u",
		  prop.p_no, PROTOIDSTR(prop.prot_id),
		  prop.num_t, ntohs(prop.h.len)));

	/* The SPI (spi_size bytes) sits directly after the fixed header. */
	spi = (const u_char *)(hdr + 1);
	if (prop.spi_size) {
		ND_PRINT((ndo," spi="));
		if (!rawprint(ndo, (caddr_t)spi, prop.spi_size))
			goto trunc;
	}

	first_t = (const struct isakmp_gen *)(spi + prop.spi_size);
	ND_TCHECK(*first_t);

	return ikev2_sub_print(ndo, NULL, ISAKMP_NPTYPE_T, first_t, ep, phase,
			       doi0, prop.prot_id, depth);
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_P)));
	return NULL;
}
1991
/*
 * IKEv2 Security Association payload: prints the data length and then
 * parses the proposals that follow the generic header via
 * ikev2_sub_print().  The sub-parser's return value is not used; the
 * payload's own length decides where the caller continues.  Returns a
 * pointer past the payload, or NULL (after a truncation marker) if the
 * header is not captured.
 */
static const u_char *
ikev2_sa_print(netdissect_options *ndo, u_char tpay,
		const struct isakmp_gen *ext1,
		u_int item_len _U_, const u_char *ep _U_,
		u_int32_t phase _U_, u_int32_t doi _U_,
		u_int32_t proto _U_, int depth _U_)
{
	struct isakmp_gen hdr;
	int total_len;

	ND_TCHECK(*ext1);
	unaligned_memcpy(&hdr, ext1, sizeof(hdr));
	ikev2_pay_print(ndo, "sa", hdr.critical);

	total_len = ntohs(hdr.len);
	ND_PRINT((ndo," len=%d", total_len - 4));

	/* Proposals start right after the generic header; phase/doi/proto
	 * are passed as zero. */
	ikev2_sub_print(ndo, NULL, ISAKMP_NPTYPE_P,
			ext1+1, ep,
			0, 0, 0, depth);

	return (const u_char *)ext1 + total_len;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
	return NULL;
}
2019
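/*
 * IKEv2 Key Exchange payload: prints the key data length (payload length
 * minus the 8-byte fixed header) and the DH group name, and dumps the key
 * data at -vvv.  Returns a pointer past the payload, or NULL (after a
 * truncation marker) when the capture ends inside it.
 *
 * Fix: the bounds check now covers the whole struct ikev2_ke header, not
 * just the 4-byte generic header, because ke_group is copied out of it;
 * checking only *ext let unaligned_memcpy() read past the captured data.
 */
static const u_char *
ikev2_ke_print(netdissect_options *ndo, u_char tpay,
		const struct isakmp_gen *ext,
		u_int item_len _U_, const u_char *ep _U_,
		u_int32_t phase _U_, u_int32_t doi _U_,
		u_int32_t proto _U_, int depth _U_)
{
	struct ikev2_ke ke;
	const struct ikev2_ke *k;
	u_int16_t len;

	k = (const struct ikev2_ke *)ext;
	ND_TCHECK(*k);
	unaligned_memcpy(&ke, ext, sizeof(ke));
	ikev2_pay_print(ndo, NPSTR(tpay), ke.h.critical);

	len = ntohs(ke.h.len);
	ND_PRINT((ndo," len=%u group=%s", len - 8,
		  STR_OR_ID(ntohs(ke.ke_group), dh_p_map)));

	/* Key data follows the fixed header; dump it only at -vvv. */
	if (2 < ndo->ndo_vflag && 8 < len) {
		ND_PRINT((ndo," "));
		if (!rawprint(ndo, (caddr_t)(k + 1), len - 8))
			goto trunc;
	}
	return (const u_char *)ext + len;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
	return NULL;
}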
2048
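/*
 * IKEv2 Identification payload (IDi / IDr): prints the data length, at
 * -vvv a raw dump of everything after the generic header, and then the
 * identification data decoded by id type — FQDN and RFC822 ids as text
 * (non-printable bytes shown as '.'), address / DN / GN / key-id types in
 * hex.  Returns a pointer past the payload, or NULL (after a truncation
 * marker) when the capture ends inside it or the payload is shorter than
 * its own fixed header.
 *
 * Fixes: the bounds check covers the whole struct ikev2_id header (the
 * type byte is copied out of it, but only the 4-byte generic header was
 * checked); a declared length below sizeof(struct ikev2_id) is rejected
 * instead of producing a negative idtype_len.
 */
static const u_char *
ikev2_ID_print(netdissect_options *ndo, u_char tpay,
		const struct isakmp_gen *ext,
		u_int item_len _U_, const u_char *ep _U_,
		u_int32_t phase _U_, u_int32_t doi _U_,
		u_int32_t proto _U_, int depth _U_)
{
	struct ikev2_id id;
	int id_len, idtype_len, i;
	unsigned int dumpascii, dumphex;
	const unsigned char *typedata;

	/* The whole identification header is copied below; check all of it. */
	ND_TCHECK2(*ext, sizeof(id));
	unaligned_memcpy(&id, ext, sizeof(id));
	ikev2_pay_print(ndo, NPSTR(tpay), id.h.critical);

	id_len = ntohs(id.h.len);

	ND_PRINT((ndo," len=%d", id_len - 4));
	if (2 < ndo->ndo_vflag && 4 < id_len) {
		ND_PRINT((ndo," "));
		if (!rawprint(ndo, (caddr_t)(ext + 1), id_len - 4))
			goto trunc;
	}

	/* A payload shorter than its fixed header is malformed; without this
	 * check idtype_len would go negative. */
	if (id_len < (int)sizeof(struct ikev2_id))
		goto trunc;
	idtype_len = id_len - (int)sizeof(struct ikev2_id);
	dumpascii = 0;
	dumphex = 0;
	typedata = (const unsigned char *)ext + sizeof(struct ikev2_id);

	switch(id.type) {
	case ID_IPV4_ADDR:
		ND_PRINT((ndo, " ipv4:"));
		dumphex=1;
		break;
	case ID_FQDN:
		ND_PRINT((ndo, " fqdn:"));
		dumpascii=1;
		break;
	case ID_RFC822_ADDR:
		ND_PRINT((ndo, " rfc822:"));
		dumpascii=1;
		break;
	case ID_IPV6_ADDR:
		ND_PRINT((ndo, " ipv6:"));
		dumphex=1;
		break;
	case ID_DER_ASN1_DN:
		ND_PRINT((ndo, " dn:"));
		dumphex=1;
		break;
	case ID_DER_ASN1_GN:
		ND_PRINT((ndo, " gn:"));
		dumphex=1;
		break;
	case ID_KEY_ID:
		ND_PRINT((ndo, " keyid:"));
		dumphex=1;
		break;
	default:
		/* Unknown id types print nothing beyond the length. */
		break;
	}

	if(dumpascii) {
		ND_TCHECK2(*typedata, idtype_len);
		for(i=0; i<idtype_len; i++) {
			if(isprint(typedata[i])) {
				ND_PRINT((ndo, "%c", typedata[i]));
			} else {
				ND_PRINT((ndo, "."));
			}
		}
	}
	if(dumphex) {
		/* rawprint() does its own bounds check on the dumped range. */
		if (!rawprint(ndo, (caddr_t)typedata, idtype_len))
			goto trunc;
	}

	return (const u_char *)ext + id_len;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
	return NULL;
}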
2130
/*
 * IKEv2 Certificate payload: no type-specific decoding, so defer to the
 * generic printer (name, length, raw dump at -vvv).  Returns whatever
 * ikev2_gen_print() returns: a pointer past the payload or NULL.
 */
static const u_char *
ikev2_cert_print(netdissect_options *ndo, u_char tpay,
		const struct isakmp_gen *ext,
		u_int item_len _U_, const u_char *ep _U_,
		u_int32_t phase _U_, u_int32_t doi _U_,
		u_int32_t proto _U_, int depth _U_)
{
	const u_char *next;

	next = ikev2_gen_print(ndo, tpay, ext);
	return next;
}
2140
/*
 * Payload printer dispatched through npfunc[] (CR, going by the name).
 * Delegates entirely to ikev2_gen_print() and hands its result back
 * unchanged; the unused parameters satisfy the dispatch-table signature.
 */
static const u_char *
ikev2_cr_print(netdissect_options *ndo, u_char tpay,
		const struct isakmp_gen *ext,
		u_int item_len _U_, const u_char *ep _U_,
		u_int32_t phase _U_, u_int32_t doi _U_,
		u_int32_t proto _U_, int depth _U_)
{
	const u_char *next;

	next = ikev2_gen_print(ndo, tpay, ext);
	return next;
}
2150
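/*
 * IKEv2 Authentication (AUTH) payload: generic header, authentication
 * method field, and opaque authentication data.
 *
 * Returns a pointer just past the payload (ext + payload length), or NULL
 * if the payload is truncated in the capture or shorter than its own
 * fixed part.
 */
static const u_char *
ikev2_auth_print(netdissect_options *ndo, u_char tpay,
		const struct isakmp_gen *ext,
		u_int item_len _U_, const u_char *ep _U_,
		u_int32_t phase _U_, u_int32_t doi _U_,
		u_int32_t proto _U_, int depth _U_)
{
	struct ikev2_auth a;
	static const char *v2_auth[]={ "invalid", "rsasig",
				       "shared-secret", "dsssig" };
	const u_char *authdata = (const u_char *)ext + sizeof(a);
	unsigned int len;

	/*
	 * The copy below reads sizeof(a) bytes, which is more than the
	 * generic header that ND_TCHECK(*ext) would cover, so check the
	 * whole fixed part of the payload against the snapshot end first.
	 */
	ND_TCHECK2(*ext, sizeof(a));
	unaligned_memcpy(&a, ext, sizeof(a));
	ikev2_pay_print(ndo, NPSTR(tpay), a.h.critical);
	len = ntohs(a.h.len);

	ND_PRINT((ndo," len=%d method=%s", len-4,
		  STR_OR_ID(a.auth_method, v2_auth)));

	/*
	 * len is taken from the packet; if it is shorter than the fixed
	 * part, len - sizeof(a) below would wrap to a huge unsigned value,
	 * so report such a payload as truncated instead.
	 */
	if (len < sizeof(a))
		goto trunc;

	if (1 < ndo->ndo_vflag && 4 < len) {
		ND_PRINT((ndo," authdata=("));
		if (!rawprint(ndo, (caddr_t)authdata, len - sizeof(a)))
			goto trunc;
		ND_PRINT((ndo,") "));
	} else if (ndo->ndo_vflag && 4 < len) {
		/* -v only: ike_show_somedata() (presumably a short preview) */
		if (!ike_show_somedata(ndo, authdata, ep))
			goto trunc;
	}

	return (const u_char *)ext + len;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
	return NULL;
}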
2186
/*
 * IKEv2 Nonce payload: generic header followed by the nonce bytes.
 *
 * At -vv the whole nonce is dumped in hex; at -v it is handed to
 * ike_show_somedata() instead.  Returns a pointer just past the payload
 * (ext + payload length), or NULL if the payload is truncated.
 */
static const u_char *
ikev2_nonce_print(netdissect_options *ndo, u_char tpay,
		const struct isakmp_gen *ext,
		u_int item_len _U_, const u_char *ep _U_,
		u_int32_t phase _U_, u_int32_t doi _U_,
		u_int32_t proto _U_, int depth _U_)
{
	struct isakmp_gen e;
	const u_char *nonce = (const u_char *)(ext + 1);
	int plen;

	ND_TCHECK(*ext);
	unaligned_memcpy(&e, ext, sizeof(e));
	ikev2_pay_print(ndo, "nonce", e.critical);
	plen = ntohs(e.len);

	/* body length: payload length minus the 4-byte generic header */
	ND_PRINT((ndo," len=%d", plen - 4));
	if (plen > 4) {
		if (ndo->ndo_vflag > 1) {
			ND_PRINT((ndo," nonce=("));
			if (!rawprint(ndo, (caddr_t)nonce, plen - 4))
				goto trunc;
			ND_PRINT((ndo,") "));
		} else if (ndo->ndo_vflag) {
			if (!ike_show_somedata(ndo, nonce, ep))
				goto trunc;
		}
	}

	return (const u_char *)ext + plen;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
	return NULL;
}
2215
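/* notify payloads */

/*
 * Fixed attributes of the well-known IKEv2 Notify message types: the name
 * printed after "type=", whether the SPI (if any) is shown, and whether a
 * short preview of the notification data is shown even at low verbosity.
 * Types not listed here are described by their numeric range only.
 */
static const struct {
	u_int32_t type;
	const char *name;
	u_char showspi;
	u_char showsomedata;
} ikev2_notify_desc[] = {
	{ IV2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD, "unsupported_critical_payload", 0, 0 },
	{ IV2_NOTIFY_INVALID_IKE_SPI,              "invalid_ike_spi",              1, 0 },
	{ IV2_NOTIFY_INVALID_MAJOR_VERSION,        "invalid_major_version",        0, 0 },
	{ IV2_NOTIFY_INVALID_SYNTAX,               "invalid_syntax",               1, 0 },
	{ IV2_NOTIFY_INVALID_MESSAGE_ID,           "invalid_message_id",           1, 0 },
	{ IV2_NOTIFY_INVALID_SPI,                  "invalid_spi",                  1, 0 },
	{ IV2_NOTIFY_NO_PROPOSAL_CHOSEN,           "no_protocol_chosen",           1, 0 },
	{ IV2_NOTIFY_INVALID_KE_PAYLOAD,           "invalid_ke_payload",           1, 0 },
	{ IV2_NOTIFY_AUTHENTICATION_FAILED,        "authentication_failed",        1, 0 },
	{ IV2_NOTIFY_SINGLE_PAIR_REQUIRED,         "single_pair_required",         1, 0 },
	{ IV2_NOTIFY_NO_ADDITIONAL_SAS,            "no_additional_sas",            0, 0 },
	{ IV2_NOTIFY_INTERNAL_ADDRESS_FAILURE,     "internal_address_failure",     0, 0 },
	{ IV2_NOTIFY_FAILED_CP_REQUIRED,           "failed:cp_required",           0, 0 },
	{ IV2_NOTIFY_INVALID_SELECTORS,            "invalid_selectors",            0, 0 },
	{ IV2_NOTIFY_INITIAL_CONTACT,              "initial_contact",              0, 0 },
	{ IV2_NOTIFY_SET_WINDOW_SIZE,              "set_window_size",              0, 0 },
	{ IV2_NOTIFY_ADDITIONAL_TS_POSSIBLE,       "additional_ts_possible",       0, 0 },
	{ IV2_NOTIFY_IPCOMP_SUPPORTED,             "ipcomp_supported",             0, 0 },
	{ IV2_NOTIFY_NAT_DETECTION_SOURCE_IP,      "nat_detection_source_ip",      1, 0 },
	{ IV2_NOTIFY_NAT_DETECTION_DESTINATION_IP, "nat_detection_destination_ip", 1, 0 },
	{ IV2_NOTIFY_COOKIE,                       "cookie",                       1, 1 },
	{ IV2_NOTIFY_USE_TRANSPORT_MODE,           "use_transport_mode",           0, 0 },
	{ IV2_NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED,   "http_cert_lookup_supported",   0, 0 },
	{ IV2_NOTIFY_REKEY_SA,                     "rekey_sa",                     1, 0 },
	{ IV2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED, "tfc_padding_not_supported",   0, 0 },
	{ IV2_NOTIFY_NON_FIRST_FRAGMENTS_ALSO,     "non_first_fragment_also",      0, 0 },
};

/*
 * IKEv2 Notify (N) payload: generic header, protocol id, SPI size, notify
 * type, an optional SPI and opaque notification data.
 *
 * The SPI is shown for the types flagged in ikev2_notify_desc[]; the data
 * is dumped at -vvvv, or for "preview" types when it is short.  Returns a
 * pointer just past the payload (ext + item_len), or NULL if the payload
 * is truncated in the capture or its SPI does not fit inside it.
 */
static const u_char *
ikev2_n_print(netdissect_options *ndo, u_char tpay _U_,
		const struct isakmp_gen *ext,
		u_int item_len _U_, const u_char *ep _U_,
		u_int32_t phase _U_, u_int32_t doi _U_,
		u_int32_t proto _U_, int depth _U_)
{
	const struct ikev2_n *p;
	struct ikev2_n n;
	const u_char *cp, *end;
	u_char showspi, showdata, showsomedata;
	const char *notify_name;
	u_int32_t type;
	size_t k;

	p = (const struct ikev2_n *)ext;
	ND_TCHECK(*p);
	unaligned_memcpy(&n, ext, sizeof(n));
	ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_N), n.h.critical);

	ND_PRINT((ndo," prot_id=%s", PROTOIDSTR(n.prot_id)));

	type = ntohs(n.type);

	/* notify space is annoying sparse */
	showspi = 1;
	showdata = 0;
	showsomedata = 0;
	notify_name = NULL;
	for (k = 0; k < sizeof(ikev2_notify_desc) / sizeof(ikev2_notify_desc[0]); k++) {
		if (ikev2_notify_desc[k].type == type) {
			notify_name = ikev2_notify_desc[k].name;
			showspi = ikev2_notify_desc[k].showspi;
			showsomedata = ikev2_notify_desc[k].showsomedata;
			break;
		}
	}
	if (notify_name == NULL) {
		/* unknown type: classify by numeric range only (SPI shown) */
		if (type < 8192)
			notify_name = "error";
		else if (type < 16384)
			notify_name = "private-error";
		else if (type < 40960)
			notify_name = "status";
		else
			notify_name = "private-status";
	}

	ND_PRINT((ndo," type=%u(%s)", type, notify_name));

	/*
	 * n.spi_size comes from the packet; an SPI that does not fit in
	 * this payload would make the dumps below read whatever follows
	 * the payload, so treat that as malformed.
	 */
	if (sizeof(n) + n.spi_size > item_len)
		goto trunc;

	if (showspi && n.spi_size) {
		ND_PRINT((ndo," spi="));
		if (!rawprint(ndo, (caddr_t)(p + 1), n.spi_size))
			goto trunc;
	}

	cp = (const u_char *)(p + 1) + n.spi_size;

	/*
	 * The notification data ends with this payload.  Every caller in
	 * this file passes the snapshot end as ep, so bound the dump by
	 * the payload length (and never beyond ep) rather than dumping
	 * everything up to the end of the capture.
	 */
	end = (const u_char *)ext + item_len;
	if (ep < end)
		end = ep;

	if (3 < ndo->ndo_vflag)
		showdata = 1;

	if ((showdata || (showsomedata && end - cp < 30)) && cp < end) {
		ND_PRINT((ndo," data=("));
		if (!rawprint(ndo, (caddr_t)cp, end - cp))
			goto trunc;
		ND_PRINT((ndo,")"));
	} else if (showsomedata && cp < end) {
		if (!ike_show_somedata(ndo, cp, end))
			goto trunc;
	}

	return (const u_char *)ext + item_len;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_N)));
	return NULL;
}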
2423
/*
 * Payload printer dispatched through npfunc[] (D, going by the name).
 * Delegates entirely to ikev2_gen_print() and hands its result back
 * unchanged; the unused parameters satisfy the dispatch-table signature.
 */
static const u_char *
ikev2_d_print(netdissect_options *ndo, u_char tpay,
		const struct isakmp_gen *ext,
		u_int item_len _U_, const u_char *ep _U_,
		u_int32_t phase _U_, u_int32_t doi _U_,
		u_int32_t proto _U_, int depth _U_)
{
	const u_char *next;

	next = ikev2_gen_print(ndo, tpay, ext);
	return next;
}
2433
/*
 * IKEv2 Vendor ID payload: the body is printed as text (non-printable
 * bytes as '.') and, at -vvv, additionally as a raw dump.
 *
 * Returns a pointer just past the payload (ext + payload length), or NULL
 * if the payload is truncated in the capture.
 */
static const u_char *
ikev2_vid_print(netdissect_options *ndo, u_char tpay,
		const struct isakmp_gen *ext,
		u_int item_len _U_, const u_char *ep _U_,
		u_int32_t phase _U_, u_int32_t doi _U_,
		u_int32_t proto _U_, int depth _U_)
{
	struct isakmp_gen e;
	const u_char *vid;
	int k, len;

	ND_TCHECK(*ext);
	unaligned_memcpy(&e, ext, sizeof(e));
	ikev2_pay_print(ndo, NPSTR(tpay), e.critical);

	/* body length: payload length minus the 4-byte generic header */
	len = ntohs(e.len) - 4;
	ND_PRINT((ndo," len=%d vid=", len));

	vid = (const u_char *)(ext + 1);
	ND_TCHECK2(*vid, len);
	for (k = 0; k < len; k++) {
		if (!isprint(vid[k])) {
			ND_PRINT((ndo, "."));
			continue;
		}
		ND_PRINT((ndo, "%c", vid[k]));
	}

	/*
	 * Note: unlike the sibling printers this compares the body length
	 * (already minus 4) with 4, so 1-4 byte vendor IDs get no raw dump.
	 * Kept as-is to preserve output.
	 */
	if (2 < ndo->ndo_vflag && 4 < len) {
		ND_PRINT((ndo," "));
		if (!rawprint(ndo, (caddr_t)vid, len))
			goto trunc;
	}
	return (const u_char *)ext + ntohs(e.len);
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
	return NULL;
}
2467
/*
 * Payload printer dispatched through npfunc[] (TS, going by the name).
 * Delegates entirely to ikev2_gen_print() and hands its result back
 * unchanged; the unused parameters satisfy the dispatch-table signature.
 */
static const u_char *
ikev2_TS_print(netdissect_options *ndo, u_char tpay,
		const struct isakmp_gen *ext,
		u_int item_len _U_, const u_char *ep _U_,
		u_int32_t phase _U_, u_int32_t doi _U_,
		u_int32_t proto _U_, int depth _U_)
{
	const u_char *next;

	next = ikev2_gen_print(ndo, tpay, ext);
	return next;
}
2477
/*
 * IKEv2 Encrypted (E) payload.
 *
 * Prints the generic header and, at -vvv, the raw ciphertext.  When built
 * with libcrypto the body is handed to esp_print_decrypt_buffer_by_ikev2()
 * together with the initiator flag and both cookies from the ISAKMP
 * header; on success the payload chain found in the decrypted buffer is
 * dissected with ikev2_sub_print().
 *
 * Always returns NULL: the E payload ends the message and its "next
 * payload" field (e.np) describes the first payload *inside* it, so the
 * caller has nothing to continue with.
 */
static const u_char *
ikev2_e_print(netdissect_options *ndo,
#ifndef HAVE_LIBCRYPTO
	      _U_
#endif
	      struct isakmp *base,
	      u_char tpay,
	      const struct isakmp_gen *ext,
	      u_int item_len _U_, const u_char *ep _U_,
#ifndef HAVE_LIBCRYPTO
	      _U_
#endif
	      u_int32_t phase,
#ifndef HAVE_LIBCRYPTO
	      _U_
#endif
	      u_int32_t doi,
#ifndef HAVE_LIBCRYPTO
	      _U_
#endif
	      u_int32_t proto,
#ifndef HAVE_LIBCRYPTO
	      _U_
#endif
	      int depth)
{
	struct isakmp_gen e;
	u_char *dat;
	volatile int dlen;	/* NOTE(review): why volatile is not clear from here -- verify */

	ND_TCHECK(*ext);
	unaligned_memcpy(&e, ext, sizeof(e));
	ikev2_pay_print(ndo, NPSTR(tpay), e.critical);

	/* body length: payload length minus the 4-byte generic header */
	dlen = ntohs(e.len)-4;

	ND_PRINT((ndo," len=%d", dlen));
	/*
	 * Unlike most sibling printers this compares the body length (not
	 * the payload length) with 4, so bodies of 1-4 bytes are never dumped.
	 */
	if (2 < ndo->ndo_vflag && 4 < dlen) {
		ND_PRINT((ndo," "));
		if (!rawprint(ndo, (caddr_t)(ext + 1), dlen))
			goto trunc;
	}

	dat = (u_char *)(ext+1);
	/* the whole ciphertext must be within the capture before decrypting */
	ND_TCHECK2(*dat, dlen);

#ifdef HAVE_LIBCRYPTO
	/* try to decrypt it! */
	if(esp_print_decrypt_buffer_by_ikev2(ndo,
					     base->flags & ISAKMP_FLAG_I,
					     base->i_ck, base->r_ck,
					     dat, dat+dlen)) {

		/*
		 * The decrypt helper evidently replaces ndo->ndo_packetp
		 * (and, presumably, ndo_snapend) with the plaintext buffer;
		 * ext is re-based onto it rather than onto the original packet.
		 */
		ext = (const struct isakmp_gen *)ndo->ndo_packetp;

		/* got it decrypted, print stuff inside. */
		ikev2_sub_print(ndo, base, e.np, ext, ndo->ndo_snapend,
				phase, doi, proto, depth+1);
	}
#endif


	/* always return NULL, because E must be at end, and NP refers
	 * to what was inside.
	 */
	return NULL;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
	return NULL;
}
2548
/*
 * Payload printer dispatched through npfunc[] (CP, going by the name).
 * Delegates entirely to ikev2_gen_print() and hands its result back
 * unchanged; the unused parameters satisfy the dispatch-table signature.
 */
static const u_char *
ikev2_cp_print(netdissect_options *ndo, u_char tpay,
		const struct isakmp_gen *ext,
		u_int item_len _U_, const u_char *ep _U_,
		u_int32_t phase _U_, u_int32_t doi _U_,
		u_int32_t proto _U_, int depth _U_)
{
	const u_char *next;

	next = ikev2_gen_print(ndo, tpay, ext);
	return next;
}
2558
/*
 * Payload printer dispatched through npfunc[] (EAP, going by the name).
 * Delegates entirely to ikev2_gen_print() and hands its result back
 * unchanged; the unused parameters satisfy the dispatch-table signature.
 */
static const u_char *
ikev2_eap_print(netdissect_options *ndo, u_char tpay,
		const struct isakmp_gen *ext,
		u_int item_len _U_, const u_char *ep _U_,
		u_int32_t phase _U_, u_int32_t doi _U_,
		u_int32_t proto _U_, int depth _U_)
{
	const u_char *next;

	next = ikev2_gen_print(ndo, tpay, ext);
	return next;
}
2568
/*
 * Dissect one IKEv1 payload of type np starting at ext.
 *
 * Reads the generic header, rejects payload lengths of 4 bytes or less
 * (returning NULL so the caller stops instead of looping on a zero-length
 * item), then either dispatches to the per-type printer in npfunc[] or,
 * for types without one, prints the type name and skips the payload.
 *
 * Returns the address of the next payload, or NULL on truncation or when
 * the per-type printer gives up.
 */
static const u_char *
ike_sub0_print(netdissect_options *ndo,
		u_char np, const struct isakmp_gen *ext, const u_char *ep,
		u_int32_t phase, u_int32_t doi, u_int32_t proto, int depth)
{
	struct isakmp_gen e;
	u_int item_len;

	ND_TCHECK(*ext);
	unaligned_memcpy(&e, ext, sizeof(e));

	/*
	 * Since we can't have a payload length of less than 4 bytes,
	 * we need to bail out here if the generic header is nonsensical
	 * or truncated, otherwise we could loop forever processing
	 * zero-length items or otherwise misdissect the packet.
	 */
	item_len = ntohs(e.len);
	if (item_len <= 4)
		return NULL;

	if (!NPFUNC(np)) {
		/* no printer for this type: name it and step over it */
		ND_PRINT((ndo,"%s", NPSTR(np)));
		return (const u_char *)ext + item_len;
	}

	/*
	 * XXX - what if item_len is too short, or too long,
	 * for this payload type?  Nothing here checks it against the
	 * type's own fixed size; each printer has to.
	 */
	return (*npfunc[np])(ndo, np, ext, item_len, ep, phase, doi, proto, depth);

trunc:
	ND_PRINT((ndo," [|isakmp]"));
	return NULL;
}
2609
/*
 * Walk the IKEv1 payload chain starting at ext: each payload's "next
 * payload" byte (e.np) names the type of the one after it, and a value
 * of 0 ends the chain.
 *
 * Every payload is checked to be entirely within the capture before it is
 * handed to ike_sub0_print(), and is printed on its own line, indented
 * one space per nesting level.  Returns the address just past the last
 * payload, or NULL as soon as a payload cannot be dissected.
 */
static const u_char *
ikev1_sub_print(netdissect_options *ndo,
		u_char np, const struct isakmp_gen *ext, const u_char *ep,
		u_int32_t phase, u_int32_t doi, u_int32_t proto, int depth)
{
	const u_char *cp = (const u_char *)ext;
	struct isakmp_gen e;

	while (np != 0) {
		int indent;

		ND_TCHECK(*ext);
		unaligned_memcpy(&e, ext, sizeof(e));

		/* the whole payload must be in the capture before dissecting it */
		ND_TCHECK2(*ext, ntohs(e.len));

		/* this payload's own line, one level deeper than the caller's */
		ND_PRINT((ndo,"\n"));
		for (indent = 0; indent <= depth; indent++)
			ND_PRINT((ndo," "));
		ND_PRINT((ndo,"("));
		cp = ike_sub0_print(ndo, np, ext, ep, phase, doi, proto, depth + 1);
		ND_PRINT((ndo,")"));

		if (cp == NULL) {
			/* zero/short length, truncation, or a printer that gave up */
			return NULL;
		}

		np = e.np;
		ext = (const struct isakmp_gen *)cp;
	}
	return cp;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(np)));
	return NULL;
}
2650
/*
 * Render an integer as "#<n>", used for values that have no symbolic name.
 *
 * Returns a pointer into a single static buffer: the string is only valid
 * until the next numstr() call, and the function is not reentrant.
 */
static char *
numstr(int x)
{
	static char buf[20];
	char *out = buf;

	(void)snprintf(out, sizeof buf, "#%d", x);
	return out;
}
2658
/*
 * IKEv1 (ISAKMP major version 1) message.
 *
 * Prints the phase (1 while the message id is zero, 2 otherwise), the
 * speaker's role as far as the cookie table can tell (I, R or ?), the
 * exchange type and the E/C flags; at -v also the payload chain, unless
 * the message is flagged encrypted, and a warning when the length in the
 * ISAKMP header disagrees with the length passed in.
 *
 * bp2 may be NULL, in which case no cookie is recorded or matched.
 */
static void
ikev1_print(netdissect_options *ndo,
	    const u_char *bp, u_int length,
	    const u_char *bp2, struct isakmp *base)
{
	const struct isakmp *p = (const struct isakmp *)bp;
	const u_char *ep = ndo->ndo_snapend;
	int phase = (EXTRACT_32BITS(base->msgid) == 0) ? 1 : 2;
	int ck;

	if (phase == 1)
		ND_PRINT((ndo," phase %d", phase));
	else
		ND_PRINT((ndo," phase %d/others", phase));

	ck = cookie_find(&base->i_ck);
	if (ck >= 0) {
		/* known initiator cookie: ask the cookie table which side this is */
		const char *role = " ?";

		if (bp2 && cookie_isinitiator(ck, bp2))
			role = " I";
		else if (bp2 && cookie_isresponder(ck, bp2))
			role = " R";
		ND_PRINT((ndo,"%s", role));
	} else if (iszero((u_char *)&base->r_ck, sizeof(base->r_ck))) {
		/* the first packet: no responder cookie yet, remember the initiator */
		ND_PRINT((ndo," I"));
		if (bp2)
			cookie_record(&base->i_ck, bp2);
	} else {
		ND_PRINT((ndo," ?"));
	}

	ND_PRINT((ndo," %s", ETYPESTR(base->etype)));
	if (base->flags) {
		ND_PRINT((ndo,"[%s%s]", base->flags & ISAKMP_FLAG_E ? "E" : "",
			  base->flags & ISAKMP_FLAG_C ? "C" : ""));
	}

	if (ndo->ndo_vflag) {
		ND_PRINT((ndo,":"));

		/* regardless of phase... */
		if (base->flags & ISAKMP_FLAG_E) {
			/*
			 * encrypted, nothing we can do right now.
			 * we hope to decrypt the packet in the future...
			 */
			ND_PRINT((ndo," [encrypted %s]", NPSTR(base->np)));
			goto done;
		}

		CHECKLEN(p + 1, base->np);
		ikev1_sub_print(ndo, base->np, (const struct isakmp_gen *)(p + 1),
				ep, phase, 0, 0, 0);
	}

done:
	if (ndo->ndo_vflag && ntohl(base->len) != length) {
		ND_PRINT((ndo," (len mismatch: isakmp %u/ip %u)",
			  (u_int32_t)ntohl(base->len), length));
	}
}
2732
/*
 * Dissect one IKEv2 payload of type np starting at ext.
 *
 * Reads the generic header, rejects payload lengths of 4 bytes or less
 * (returning NULL so the caller stops instead of looping on a zero-length
 * item), then dispatches: proposals and transforms get pcount (their
 * ordinal within the parent), the encrypted payload gets the ISAKMP
 * header for decryption, everything else goes through npfunc[] or, for
 * types without a printer, is named and skipped.
 *
 * Returns the address of the next payload, or NULL on truncation or when
 * the per-type printer gives up (ikev2_e_print() always does, by design).
 */
static const u_char *
ikev2_sub0_print(netdissect_options *ndo, struct isakmp *base,
		 u_char np, int pcount,
		 const struct isakmp_gen *ext, const u_char *ep,
		 u_int32_t phase, u_int32_t doi, u_int32_t proto, int depth)
{
	struct isakmp_gen e;
	u_int item_len;
	const u_char *next;

	ND_TCHECK(*ext);
	unaligned_memcpy(&e, ext, sizeof(e));

	/*
	 * Since we can't have a payload length of less than 4 bytes,
	 * we need to bail out here if the generic header is nonsensical
	 * or truncated, otherwise we could loop forever processing
	 * zero-length items or otherwise misdissect the packet.
	 */
	item_len = ntohs(e.len);
	if (item_len <= 4)
		return NULL;

	switch (np) {
	case ISAKMP_NPTYPE_P:
		next = ikev2_p_print(ndo, np, pcount, ext, item_len,
				     ep, phase, doi, proto, depth);
		break;
	case ISAKMP_NPTYPE_T:
		next = ikev2_t_print(ndo, np, pcount, ext, item_len,
				     ep, phase, doi, proto, depth);
		break;
	case ISAKMP_NPTYPE_v2E:
		next = ikev2_e_print(ndo, base, np, ext, item_len,
				     ep, phase, doi, proto, depth);
		break;
	default:
		if (NPFUNC(np)) {
			/*
			 * XXX - what if item_len is too short, or too long,
			 * for this payload type?  Each printer has to check
			 * that itself.
			 */
			next = (*npfunc[np])(ndo, np, /*pcount,*/ ext, item_len,
					     ep, phase, doi, proto, depth);
		} else {
			ND_PRINT((ndo,"%s", NPSTR(np)));
			next = (const u_char *)ext + item_len;
		}
		break;
	}

	return next;
trunc:
	ND_PRINT((ndo," [|isakmp]"));
	return NULL;
}
2783
/*
 * Walk the IKEv2 payload chain starting at ext: each payload's "next
 * payload" byte (e.np) names the type of the one after it, and a value
 * of 0 ends the chain.  pcount numbers the payloads from 1 for the
 * proposal/transform printers.
 *
 * Every payload is checked to be entirely within the capture before it is
 * handed to ikev2_sub0_print(), and is printed on its own line, indented
 * one space per nesting level.  Returns the address just past the last
 * payload, or NULL as soon as a payload cannot be dissected (which is
 * also how the chain ends at an encrypted payload).
 */
static const u_char *
ikev2_sub_print(netdissect_options *ndo,
		struct isakmp *base,
		u_char np, const struct isakmp_gen *ext, const u_char *ep,
		u_int32_t phase, u_int32_t doi, u_int32_t proto, int depth)
{
	const u_char *cp = (const u_char *)ext;
	int pcount = 0;
	struct isakmp_gen e;

	while (np != 0) {
		int indent;

		pcount++;
		ND_TCHECK(*ext);
		unaligned_memcpy(&e, ext, sizeof(e));

		/* the whole payload must be in the capture before dissecting it */
		ND_TCHECK2(*ext, ntohs(e.len));

		/* this payload's own line, one level deeper than the caller's */
		ND_PRINT((ndo,"\n"));
		for (indent = 0; indent <= depth; indent++)
			ND_PRINT((ndo," "));
		ND_PRINT((ndo,"("));
		cp = ikev2_sub0_print(ndo, base, np, pcount,
				      ext, ep, phase, doi, proto, depth + 1);
		ND_PRINT((ndo,")"));

		if (cp == NULL) {
			/* zero/short length, truncation, E payload, or a printer that gave up */
			return NULL;
		}

		np = e.np;
		ext = (const struct isakmp_gen *)cp;
	}
	return cp;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(np)));
	return NULL;
}
2828
/*
 * IKEv2 (ISAKMP major version 2) message.
 *
 * Prints whether this is the parent (IKE) SA or a child SA exchange
 * (message id zero means parent), the exchange type and the I/V/R flags;
 * at -v also the payload chain, unless the message is flagged encrypted,
 * and a warning when the length in the ISAKMP header disagrees with the
 * length passed in.  bp2 is unused here.
 */
static void
ikev2_print(netdissect_options *ndo,
	    const u_char *bp, u_int length,
	    const u_char *bp2 _U_, struct isakmp *base)
{
	const struct isakmp *p = (const struct isakmp *)bp;
	const u_char *ep = ndo->ndo_snapend;
	int phase = (EXTRACT_32BITS(base->msgid) == 0) ? 1 : 2;

	if (phase == 1)
		ND_PRINT((ndo, " parent_sa"));
	else
		ND_PRINT((ndo, " child_sa "));

	ND_PRINT((ndo, " %s", ETYPESTR(base->etype)));
	if (base->flags) {
		ND_PRINT((ndo, "[%s%s%s]",
			  base->flags & ISAKMP_FLAG_I ? "I" : "",
			  base->flags & ISAKMP_FLAG_V ? "V" : "",
			  base->flags & ISAKMP_FLAG_R ? "R" : ""));
	}

	/* everything below is verbose-only */
	if (!ndo->ndo_vflag)
		return;

	ND_PRINT((ndo, ":"));

	/* regardless of phase... */
	if (base->flags & ISAKMP_FLAG_E) {
		/*
		 * encrypted, nothing we can do right now.
		 * we hope to decrypt the packet in the future...
		 */
		ND_PRINT((ndo, " [encrypted %s]", NPSTR(base->np)));
		goto done;
	}

	CHECKLEN(p + 1, base->np);
	ikev2_sub_print(ndo, base, base->np, (const struct isakmp_gen *)(p + 1),
			ep, phase, 0, 0, 0);

done:
	if (ntohl(base->len) != length) {
		ND_PRINT((ndo, " (len mismatch: isakmp %u/ip %u)",
			  (u_int32_t)ntohl(base->len), length));
	}
}
2886
/*
 * Entry point for an ISAKMP/IKE message at bp (length bytes per the
 * enclosing header, bp2 = outer packet for the per-version printers).
 *
 * Verifies that the fixed ISAKMP header is within the capture, copies it
 * out (it may be unaligned), prints the version, message id and cookies
 * according to verbosity, then hands the message to ikev1_print() or
 * ikev2_print() by major version.  Other major versions get the header
 * summary only.
 */
void
isakmp_print(netdissect_options *ndo,
	     const u_char *bp, u_int length,
	     const u_char *bp2)
{
	const struct isakmp *p = (const struct isakmp *)bp;
	struct isakmp base;
	const u_char *ep = ndo->ndo_snapend;
	int major, minor;

#ifdef HAVE_LIBCRYPTO
	/* initialize SAs */
	if (ndo->ndo_sa_list_head == NULL && ndo->ndo_espsecret)
		esp_print_decodesecret(ndo);
#endif

	/* the whole fixed header must be within the capture */
	if ((const u_char *)(p + 1) > ep) {
		ND_PRINT((ndo,"[|isakmp]"));
		return;
	}

	unaligned_memcpy(&base, p, sizeof(base));

	ND_PRINT((ndo,"isakmp"));
	major = (base.vers & ISAKMP_VERS_MAJOR) >> ISAKMP_VERS_MAJOR_SHIFT;
	minor = (base.vers & ISAKMP_VERS_MINOR) >> ISAKMP_VERS_MINOR_SHIFT;

	if (ndo->ndo_vflag) {
		ND_PRINT((ndo," %d.%d", major, minor));
		ND_PRINT((ndo," msgid "));
		hexprint(ndo, (caddr_t)&base.msgid, sizeof(base.msgid));
		if (1 < ndo->ndo_vflag) {
			ND_PRINT((ndo," cookie "));
			hexprint(ndo, (caddr_t)&base.i_ck, sizeof(base.i_ck));
			ND_PRINT((ndo,"->"));
			hexprint(ndo, (caddr_t)&base.r_ck, sizeof(base.r_ck));
		}
	}
	ND_PRINT((ndo,":"));

	switch (major) {
	case IKEv1_MAJOR_VERSION:
		ikev1_print(ndo, bp, length, bp2, &base);
		break;
	case IKEv2_MAJOR_VERSION:
		ikev2_print(ndo, bp, length, bp2, &base);
		break;
	default:
		/* unknown major version: nothing more to print */
		break;
	}
}
2948
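/*
 * UDP-encapsulated IKE/ESP (RFC 3948 style): a single 0xff byte is a NAT
 * keep-alive, four zero bytes (the non-ESP marker) introduce an ISAKMP
 * message, and anything else is treated as ESP and handed to esp_print().
 *
 * length is the payload length as given by the enclosing header, which
 * can exceed the bytes actually captured, so every direct read of bp is
 * bounds-checked against the snapshot end first.  bp2 is passed through
 * to the callees unchanged.
 */
void
isakmp_rfc3948_print(netdissect_options *ndo,
		     const u_char *bp, u_int length,
		     const u_char *bp2)
{
	int nh, enh, padlen;
	int advance;

	if (length == 1) {
		/* length comes from the header, not the capture: check first */
		ND_TCHECK2(*bp, 1);
		if (bp[0] == 0xff) {
			ND_PRINT((ndo, "isakmp-nat-keep-alive"));
			return;
		}
	}

	if (length < 4)
		goto trunc;

	/*
	 * see if this is an IKE packet: four zero bytes precede the
	 * ISAKMP header.  All four are read, so all four must be captured.
	 */
	ND_TCHECK2(*bp, 4);
	if (bp[0] == 0 && bp[1] == 0 && bp[2] == 0 && bp[3] == 0) {
		ND_PRINT((ndo, "NONESP-encap: "));
		isakmp_print(ndo, bp + 4, length - 4, bp2);
		return;
	}

	/* must be an ESP packet */
	ND_PRINT((ndo, "UDP-encap: "));

	advance = esp_print(ndo, bp, length, bp2, &enh, &padlen);
	if (advance <= 0)
		return;

	/*
	 * advance and padlen come back from esp_print() and ultimately from
	 * the packet; make sure they leave a non-negative inner length
	 * before the unsigned subtraction below can wrap.
	 */
	if (padlen < 0 || (u_int)advance + (u_int)padlen > length)
		goto trunc;

	bp += advance;
	length -= advance + padlen;
	nh = enh & 0xff;

	ip_print_inner(ndo, bp, length, nh, bp2);
	return;

trunc:
	ND_PRINT((ndo,"[|isakmp]"));
	return;
}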
2996
2997 /*
2998 * Local Variables:
2999 * c-style: whitesmith
3000 * c-basic-offset: 8
3001 * End:
3002 */