]> The Tcpdump Group git mirrors - tcpdump/blob - print-isakmp.c
projects / tcpdump / blob


2fa15b861a141033c98587719022bb8cc2aacbf8
[tcpdump] / print-isakmp.c
1 /*
2 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. Neither the name of the project nor the names of its contributors
14 * may be used to endorse or promote products derived from this software
15 * without specific prior written permission.
16 *
17 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27 * SUCH DAMAGE.
28 *
29 */
30
31 /* \summary: Internet Security Association and Key Management Protocol (ISAKMP) printer */
32
33 #ifdef HAVE_CONFIG_H
34 #include "config.h"
35 #endif
36
37 /* The functions from print-esp.c used in this file are only defined when both
38 * OpenSSL and evp.h are detected. Employ the same preprocessor device here.
39 */
40 #ifndef HAVE_OPENSSL_EVP_H
41 #undef HAVE_LIBCRYPTO
42 #endif
43
44 #include <netdissect-stdinc.h>
45
46 #include <string.h>
47
48 #include "netdissect.h"
49 #include "addrtoname.h"
50 #include "extract.h"
51
52 #include "ip.h"
53 #include "ip6.h"
54 #include "ipproto.h"
55
56 /* refer to RFC 2408 */
57
58 typedef u_char cookie_t[8];
59 typedef u_char msgid_t[4];
60
61 #define PORT_ISAKMP 500
62
63 /* 3.1 ISAKMP Header Format (IKEv1 and IKEv2)
64 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
65 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
66 ! Initiator !
67 ! Cookie !
68 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
69 ! Responder !
70 ! Cookie !
71 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
72 ! Next Payload ! MjVer ! MnVer ! Exchange Type ! Flags !
73 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
74 ! Message ID !
75 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
76 ! Length !
77 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
78 */
79 struct isakmp {
80 cookie_t i_ck; /* Initiator Cookie */
81 cookie_t r_ck; /* Responder Cookie */
82 uint8_t np; /* Next Payload Type */
83 uint8_t vers;
84 #define ISAKMP_VERS_MAJOR 0xf0
85 #define ISAKMP_VERS_MAJOR_SHIFT 4
86 #define ISAKMP_VERS_MINOR 0x0f
87 #define ISAKMP_VERS_MINOR_SHIFT 0
88 uint8_t etype; /* Exchange Type */
89 uint8_t flags; /* Flags */
90 msgid_t msgid;
91 uint32_t len; /* Length */
92 };
93
94 /* Next Payload Type */
95 #define ISAKMP_NPTYPE_NONE 0 /* NONE*/
96 #define ISAKMP_NPTYPE_SA 1 /* Security Association */
97 #define ISAKMP_NPTYPE_P 2 /* Proposal */
98 #define ISAKMP_NPTYPE_T 3 /* Transform */
99 #define ISAKMP_NPTYPE_KE 4 /* Key Exchange */
100 #define ISAKMP_NPTYPE_ID 5 /* Identification */
101 #define ISAKMP_NPTYPE_CERT 6 /* Certificate */
102 #define ISAKMP_NPTYPE_CR 7 /* Certificate Request */
103 #define ISAKMP_NPTYPE_HASH 8 /* Hash */
104 #define ISAKMP_NPTYPE_SIG 9 /* Signature */
105 #define ISAKMP_NPTYPE_NONCE 10 /* Nonce */
106 #define ISAKMP_NPTYPE_N 11 /* Notification */
107 #define ISAKMP_NPTYPE_D 12 /* Delete */
108 #define ISAKMP_NPTYPE_VID 13 /* Vendor ID */
109 #define ISAKMP_NPTYPE_v2E 46 /* v2 Encrypted payload */
110
111 #define IKEv1_MAJOR_VERSION 1
112 #define IKEv1_MINOR_VERSION 0
113
114 #define IKEv2_MAJOR_VERSION 2
115 #define IKEv2_MINOR_VERSION 0
116
117 /* Flags */
118 #define ISAKMP_FLAG_E 0x01 /* Encryption Bit */
119 #define ISAKMP_FLAG_C 0x02 /* Commit Bit */
120 #define ISAKMP_FLAG_extra 0x04
121
122 /* IKEv2 */
123 #define ISAKMP_FLAG_I (1 << 3) /* (I)nitiator */
124 #define ISAKMP_FLAG_V (1 << 4) /* (V)ersion */
125 #define ISAKMP_FLAG_R (1 << 5) /* (R)esponse */
126
127
128 /* 3.2 Payload Generic Header
129 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
130 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
131 ! Next Payload ! RESERVED ! Payload Length !
132 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
133 */
134 struct isakmp_gen {
135 uint8_t np; /* Next Payload */
136 uint8_t critical; /* bit 7 - critical, rest is RESERVED */
137 uint16_t len; /* Payload Length */
138 };
139
140 /* 3.3 Data Attributes
141 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
142 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
143 !A! Attribute Type ! AF=0 Attribute Length !
144 !F! ! AF=1 Attribute Value !
145 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
146 . AF=0 Attribute Value .
147 . AF=1 Not Transmitted .
148 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
149 */
150 struct isakmp_data {
151 uint16_t type; /* defined by DOI-spec, and Attribute Format */
152 uint16_t lorv; /* if f equal 1, Attribute Length */
153 /* if f equal 0, Attribute Value */
154 /* if f equal 1, Attribute Value */
155 };
156
157 /* 3.4 Security Association Payload */
158 /* MAY NOT be used, because of being defined in ipsec-doi. */
159 /*
160 If the current payload is the last in the message,
161 then the value of the next payload field will be 0.
162 This field MUST NOT contain the
163 values for the Proposal or Transform payloads as they are considered
164 part of the security association negotiation. For example, this
165 field would contain the value "10" (Nonce payload) in the first
166 message of a Base Exchange (see Section 4.4) and the value "0" in the
167 first message of an Identity Protect Exchange (see Section 4.5).
168 */
169 struct ikev1_pl_sa {
170 struct isakmp_gen h;
171 uint32_t doi; /* Domain of Interpretation */
172 uint32_t sit; /* Situation */
173 };
174
175 /* 3.5 Proposal Payload */
176 /*
177 The value of the next payload field MUST only contain the value "2"
178 or "0". If there are additional Proposal payloads in the message,
179 then this field will be 2. If the current Proposal payload is the
180 last within the security association proposal, then this field will
181 be 0.
182 */
183 struct ikev1_pl_p {
184 struct isakmp_gen h;
185 uint8_t p_no; /* Proposal # */
186 uint8_t prot_id; /* Protocol */
187 uint8_t spi_size; /* SPI Size */
188 uint8_t num_t; /* Number of Transforms */
189 /* SPI */
190 };
191
192 /* 3.6 Transform Payload */
193 /*
194 The value of the next payload field MUST only contain the value "3"
195 or "0". If there are additional Transform payloads in the proposal,
196 then this field will be 3. If the current Transform payload is the
197 last within the proposal, then this field will be 0.
198 */
199 struct ikev1_pl_t {
200 struct isakmp_gen h;
201 uint8_t t_no; /* Transform # */
202 uint8_t t_id; /* Transform-Id */
203 uint16_t reserved; /* RESERVED2 */
204 /* SA Attributes */
205 };
206
207 /* 3.7 Key Exchange Payload */
208 struct ikev1_pl_ke {
209 struct isakmp_gen h;
210 /* Key Exchange Data */
211 };
212
213 /* 3.8 Identification Payload */
214 /* MUST NOT to be used, because of being defined in ipsec-doi. */
215 struct ikev1_pl_id {
216 struct isakmp_gen h;
217 union {
218 uint8_t id_type; /* ID Type */
219 uint32_t doi_data; /* DOI Specific ID Data */
220 } d;
221 /* Identification Data */
222 };
223
224 /* 3.9 Certificate Payload */
225 struct ikev1_pl_cert {
226 struct isakmp_gen h;
227 uint8_t encode; /* Cert Encoding */
228 char cert; /* Certificate Data */
229 /*
230 This field indicates the type of
231 certificate or certificate-related information contained in the
232 Certificate Data field.
233 */
234 };
235
236 /* 3.10 Certificate Request Payload */
237 struct ikev1_pl_cr {
238 struct isakmp_gen h;
239 uint8_t num_cert; /* # Cert. Types */
240 /*
241 Certificate Types (variable length)
242 -- Contains a list of the types of certificates requested,
243 sorted in order of preference. Each individual certificate
244 type is 1 octet. This field is NOT requiredo
245 */
246 /* # Certificate Authorities (1 octet) */
247 /* Certificate Authorities (variable length) */
248 };
249
250 /* 3.11 Hash Payload */
251 /* may not be used, because of having only data. */
252 struct ikev1_pl_hash {
253 struct isakmp_gen h;
254 /* Hash Data */
255 };
256
257 /* 3.12 Signature Payload */
258 /* may not be used, because of having only data. */
259 struct ikev1_pl_sig {
260 struct isakmp_gen h;
261 /* Signature Data */
262 };
263
264 /* 3.13 Nonce Payload */
265 /* may not be used, because of having only data. */
266 struct ikev1_pl_nonce {
267 struct isakmp_gen h;
268 /* Nonce Data */
269 };
270
271 /* 3.14 Notification Payload */
272 struct ikev1_pl_n {
273 struct isakmp_gen h;
274 uint32_t doi; /* Domain of Interpretation */
275 uint8_t prot_id; /* Protocol-ID */
276 uint8_t spi_size; /* SPI Size */
277 uint16_t type; /* Notify Message Type */
278 /* SPI */
279 /* Notification Data */
280 };
281
282 /* 3.14.1 Notify Message Types */
283 /* NOTIFY MESSAGES - ERROR TYPES */
284 #define ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE 1
285 #define ISAKMP_NTYPE_DOI_NOT_SUPPORTED 2
286 #define ISAKMP_NTYPE_SITUATION_NOT_SUPPORTED 3
287 #define ISAKMP_NTYPE_INVALID_COOKIE 4
288 #define ISAKMP_NTYPE_INVALID_MAJOR_VERSION 5
289 #define ISAKMP_NTYPE_INVALID_MINOR_VERSION 6
290 #define ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE 7
291 #define ISAKMP_NTYPE_INVALID_FLAGS 8
292 #define ISAKMP_NTYPE_INVALID_MESSAGE_ID 9
293 #define ISAKMP_NTYPE_INVALID_PROTOCOL_ID 10
294 #define ISAKMP_NTYPE_INVALID_SPI 11
295 #define ISAKMP_NTYPE_INVALID_TRANSFORM_ID 12
296 #define ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED 13
297 #define ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN 14
298 #define ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX 15
299 #define ISAKMP_NTYPE_PAYLOAD_MALFORMED 16
300 #define ISAKMP_NTYPE_INVALID_KEY_INFORMATION 17
301 #define ISAKMP_NTYPE_INVALID_ID_INFORMATION 18
302 #define ISAKMP_NTYPE_INVALID_CERT_ENCODING 19
303 #define ISAKMP_NTYPE_INVALID_CERTIFICATE 20
304 #define ISAKMP_NTYPE_BAD_CERT_REQUEST_SYNTAX 21
305 #define ISAKMP_NTYPE_INVALID_CERT_AUTHORITY 22
306 #define ISAKMP_NTYPE_INVALID_HASH_INFORMATION 23
307 #define ISAKMP_NTYPE_AUTHENTICATION_FAILED 24
308 #define ISAKMP_NTYPE_INVALID_SIGNATURE 25
309 #define ISAKMP_NTYPE_ADDRESS_NOTIFICATION 26
310
311 /* 3.15 Delete Payload */
312 struct ikev1_pl_d {
313 struct isakmp_gen h;
314 uint32_t doi; /* Domain of Interpretation */
315 uint8_t prot_id; /* Protocol-Id */
316 uint8_t spi_size; /* SPI Size */
317 uint16_t num_spi; /* # of SPIs */
318 /* SPI(es) */
319 };
320
321 struct ikev1_ph1tab {
322 struct ikev1_ph1 *head;
323 struct ikev1_ph1 *tail;
324 int len;
325 };
326
327 struct isakmp_ph2tab {
328 struct ikev1_ph2 *head;
329 struct ikev1_ph2 *tail;
330 int len;
331 };
332
333 /* IKEv2 (RFC4306) */
334
335 /* 3.3 Security Association Payload -- generic header */
336 /* 3.3.1. Proposal Substructure */
337 struct ikev2_p {
338 struct isakmp_gen h;
339 uint8_t p_no; /* Proposal # */
340 uint8_t prot_id; /* Protocol */
341 uint8_t spi_size; /* SPI Size */
342 uint8_t num_t; /* Number of Transforms */
343 };
344
345 /* 3.3.2. Transform Substructure */
346 struct ikev2_t {
347 struct isakmp_gen h;
348 uint8_t t_type; /* Transform Type (ENCR,PRF,INTEG,etc.*/
349 uint8_t res2; /* reserved byte */
350 uint16_t t_id; /* Transform ID */
351 };
352
353 enum ikev2_t_type {
354 IV2_T_ENCR = 1,
355 IV2_T_PRF = 2,
356 IV2_T_INTEG= 3,
357 IV2_T_DH = 4,
358 IV2_T_ESN = 5
359 };
360
361 /* 3.4. Key Exchange Payload */
362 struct ikev2_ke {
363 struct isakmp_gen h;
364 uint16_t ke_group;
365 uint16_t ke_res1;
366 /* KE data */
367 };
368
369
370 /* 3.5. Identification Payloads */
371 enum ikev2_id_type {
372 ID_IPV4_ADDR=1,
373 ID_FQDN=2,
374 ID_RFC822_ADDR=3,
375 ID_IPV6_ADDR=5,
376 ID_DER_ASN1_DN=9,
377 ID_DER_ASN1_GN=10,
378 ID_KEY_ID=11
379 };
380 struct ikev2_id {
381 struct isakmp_gen h;
382 uint8_t type; /* ID type */
383 uint8_t res1;
384 uint16_t res2;
385 /* SPI */
386 /* Notification Data */
387 };
388
389 /* 3.10 Notification Payload */
390 struct ikev2_n {
391 struct isakmp_gen h;
392 uint8_t prot_id; /* Protocol-ID */
393 uint8_t spi_size; /* SPI Size */
394 uint16_t type; /* Notify Message Type */
395 };
396
397 enum ikev2_n_type {
398 IV2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD = 1,
399 IV2_NOTIFY_INVALID_IKE_SPI = 4,
400 IV2_NOTIFY_INVALID_MAJOR_VERSION = 5,
401 IV2_NOTIFY_INVALID_SYNTAX = 7,
402 IV2_NOTIFY_INVALID_MESSAGE_ID = 9,
403 IV2_NOTIFY_INVALID_SPI =11,
404 IV2_NOTIFY_NO_PROPOSAL_CHOSEN =14,
405 IV2_NOTIFY_INVALID_KE_PAYLOAD =17,
406 IV2_NOTIFY_AUTHENTICATION_FAILED =24,
407 IV2_NOTIFY_SINGLE_PAIR_REQUIRED =34,
408 IV2_NOTIFY_NO_ADDITIONAL_SAS =35,
409 IV2_NOTIFY_INTERNAL_ADDRESS_FAILURE =36,
410 IV2_NOTIFY_FAILED_CP_REQUIRED =37,
411 IV2_NOTIFY_INVALID_SELECTORS =39,
412 IV2_NOTIFY_INITIAL_CONTACT =16384,
413 IV2_NOTIFY_SET_WINDOW_SIZE =16385,
414 IV2_NOTIFY_ADDITIONAL_TS_POSSIBLE =16386,
415 IV2_NOTIFY_IPCOMP_SUPPORTED =16387,
416 IV2_NOTIFY_NAT_DETECTION_SOURCE_IP =16388,
417 IV2_NOTIFY_NAT_DETECTION_DESTINATION_IP =16389,
418 IV2_NOTIFY_COOKIE =16390,
419 IV2_NOTIFY_USE_TRANSPORT_MODE =16391,
420 IV2_NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED =16392,
421 IV2_NOTIFY_REKEY_SA =16393,
422 IV2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED =16394,
423 IV2_NOTIFY_NON_FIRST_FRAGMENTS_ALSO =16395
424 };
425
426 struct notify_messages {
427 uint16_t type;
428 char *msg;
429 };
430
431 /* 3.8 Notification Payload */
432 struct ikev2_auth {
433 struct isakmp_gen h;
434 uint8_t auth_method; /* Protocol-ID */
435 uint8_t reserved[3];
436 /* authentication data */
437 };
438
439 enum ikev2_auth_type {
440 IV2_RSA_SIG = 1,
441 IV2_SHARED = 2,
442 IV2_DSS_SIG = 3
443 };
444
445 /* refer to RFC 2409 */
446
447 #if 0
448 /* isakmp sa structure */
449 struct oakley_sa {
450 uint8_t proto_id; /* OAKLEY */
451 vchar_t *spi; /* spi */
452 uint8_t dhgrp; /* DH; group */
453 uint8_t auth_t; /* method of authentication */
454 uint8_t prf_t; /* type of prf */
455 uint8_t hash_t; /* type of hash */
456 uint8_t enc_t; /* type of cipher */
457 uint8_t life_t; /* type of duration of lifetime */
458 uint32_t ldur; /* life duration */
459 };
460 #endif
461
462 /* refer to RFC 2407 */
463
464 #define IPSEC_DOI 1
465
466 /* 4.2 IPSEC Situation Definition */
467 #define IPSECDOI_SIT_IDENTITY_ONLY 0x00000001
468 #define IPSECDOI_SIT_SECRECY 0x00000002
469 #define IPSECDOI_SIT_INTEGRITY 0x00000004
470
471 /* 4.4.1 IPSEC Security Protocol Identifiers */
472 /* 4.4.2 IPSEC ISAKMP Transform Values */
473 #define IPSECDOI_PROTO_ISAKMP 1
474 #define IPSECDOI_KEY_IKE 1
475
476 /* 4.4.1 IPSEC Security Protocol Identifiers */
477 #define IPSECDOI_PROTO_IPSEC_AH 2
478 /* 4.4.3 IPSEC AH Transform Values */
479 #define IPSECDOI_AH_MD5 2
480 #define IPSECDOI_AH_SHA 3
481 #define IPSECDOI_AH_DES 4
482 #define IPSECDOI_AH_SHA2_256 5
483 #define IPSECDOI_AH_SHA2_384 6
484 #define IPSECDOI_AH_SHA2_512 7
485
486 /* 4.4.1 IPSEC Security Protocol Identifiers */
487 #define IPSECDOI_PROTO_IPSEC_ESP 3
488 /* 4.4.4 IPSEC ESP Transform Identifiers */
489 #define IPSECDOI_ESP_DES_IV64 1
490 #define IPSECDOI_ESP_DES 2
491 #define IPSECDOI_ESP_3DES 3
492 #define IPSECDOI_ESP_RC5 4
493 #define IPSECDOI_ESP_IDEA 5
494 #define IPSECDOI_ESP_CAST 6
495 #define IPSECDOI_ESP_BLOWFISH 7
496 #define IPSECDOI_ESP_3IDEA 8
497 #define IPSECDOI_ESP_DES_IV32 9
498 #define IPSECDOI_ESP_RC4 10
499 #define IPSECDOI_ESP_NULL 11
500 #define IPSECDOI_ESP_RIJNDAEL 12
501 #define IPSECDOI_ESP_AES 12
502
503 /* 4.4.1 IPSEC Security Protocol Identifiers */
504 #define IPSECDOI_PROTO_IPCOMP 4
505 /* 4.4.5 IPSEC IPCOMP Transform Identifiers */
506 #define IPSECDOI_IPCOMP_OUI 1
507 #define IPSECDOI_IPCOMP_DEFLATE 2
508 #define IPSECDOI_IPCOMP_LZS 3
509
510 /* 4.5 IPSEC Security Association Attributes */
511 #define IPSECDOI_ATTR_SA_LTYPE 1 /* B */
512 #define IPSECDOI_ATTR_SA_LTYPE_DEFAULT 1
513 #define IPSECDOI_ATTR_SA_LTYPE_SEC 1
514 #define IPSECDOI_ATTR_SA_LTYPE_KB 2
515 #define IPSECDOI_ATTR_SA_LDUR 2 /* V */
516 #define IPSECDOI_ATTR_SA_LDUR_DEFAULT 28800 /* 8 hours */
517 #define IPSECDOI_ATTR_GRP_DESC 3 /* B */
518 #define IPSECDOI_ATTR_ENC_MODE 4 /* B */
519 /* default value: host dependent */
520 #define IPSECDOI_ATTR_ENC_MODE_TUNNEL 1
521 #define IPSECDOI_ATTR_ENC_MODE_TRNS 2
522 #define IPSECDOI_ATTR_AUTH 5 /* B */
523 /* 0 means not to use authentication. */
524 #define IPSECDOI_ATTR_AUTH_HMAC_MD5 1
525 #define IPSECDOI_ATTR_AUTH_HMAC_SHA1 2
526 #define IPSECDOI_ATTR_AUTH_DES_MAC 3
527 #define IPSECDOI_ATTR_AUTH_KPDK 4 /*RFC-1826(Key/Pad/Data/Key)*/
528 /*
529 * When negotiating ESP without authentication, the Auth
530 * Algorithm attribute MUST NOT be included in the proposal.
531 * When negotiating ESP without confidentiality, the Auth
532 * Algorithm attribute MUST be included in the proposal and
533 * the ESP transform ID must be ESP_NULL.
534 */
535 #define IPSECDOI_ATTR_KEY_LENGTH 6 /* B */
536 #define IPSECDOI_ATTR_KEY_ROUNDS 7 /* B */
537 #define IPSECDOI_ATTR_COMP_DICT_SIZE 8 /* B */
538 #define IPSECDOI_ATTR_COMP_PRIVALG 9 /* V */
539
540 /* 4.6.1 Security Association Payload */
541 struct ipsecdoi_sa {
542 struct isakmp_gen h;
543 uint32_t doi; /* Domain of Interpretation */
544 uint32_t sit; /* Situation */
545 };
546
547 struct ipsecdoi_secrecy_h {
548 uint16_t len;
549 uint16_t reserved;
550 };
551
552 /* 4.6.2.1 Identification Type Values */
553 struct ipsecdoi_id {
554 struct isakmp_gen h;
555 uint8_t type; /* ID Type */
556 uint8_t proto_id; /* Protocol ID */
557 uint16_t port; /* Port */
558 /* Identification Data */
559 };
560
561 #define IPSECDOI_ID_IPV4_ADDR 1
562 #define IPSECDOI_ID_FQDN 2
563 #define IPSECDOI_ID_USER_FQDN 3
564 #define IPSECDOI_ID_IPV4_ADDR_SUBNET 4
565 #define IPSECDOI_ID_IPV6_ADDR 5
566 #define IPSECDOI_ID_IPV6_ADDR_SUBNET 6
567 #define IPSECDOI_ID_IPV4_ADDR_RANGE 7
568 #define IPSECDOI_ID_IPV6_ADDR_RANGE 8
569 #define IPSECDOI_ID_DER_ASN1_DN 9
570 #define IPSECDOI_ID_DER_ASN1_GN 10
571 #define IPSECDOI_ID_KEY_ID 11
572
573 /* 4.6.3 IPSEC DOI Notify Message Types */
574 /* Notify Messages - Status Types */
575 #define IPSECDOI_NTYPE_RESPONDER_LIFETIME 24576
576 #define IPSECDOI_NTYPE_REPLAY_STATUS 24577
577 #define IPSECDOI_NTYPE_INITIAL_CONTACT 24578
578
579 #define DECLARE_PRINTER(func) static const u_char *ike##func##_print( \
580 netdissect_options *ndo, u_char tpay, \
581 const struct isakmp_gen *ext, \
582 u_int item_len, \
583 const u_char *end_pointer, \
584 uint32_t phase,\
585 uint32_t doi0, \
586 uint32_t proto0, int depth)
587
588 DECLARE_PRINTER(v1_sa);
589 DECLARE_PRINTER(v1_p);
590 DECLARE_PRINTER(v1_t);
591 DECLARE_PRINTER(v1_ke);
592 DECLARE_PRINTER(v1_id);
593 DECLARE_PRINTER(v1_cert);
594 DECLARE_PRINTER(v1_cr);
595 DECLARE_PRINTER(v1_sig);
596 DECLARE_PRINTER(v1_hash);
597 DECLARE_PRINTER(v1_nonce);
598 DECLARE_PRINTER(v1_n);
599 DECLARE_PRINTER(v1_d);
600 DECLARE_PRINTER(v1_vid);
601
602 DECLARE_PRINTER(v2_sa);
603 DECLARE_PRINTER(v2_ke);
604 DECLARE_PRINTER(v2_ID);
605 DECLARE_PRINTER(v2_cert);
606 DECLARE_PRINTER(v2_cr);
607 DECLARE_PRINTER(v2_auth);
608 DECLARE_PRINTER(v2_nonce);
609 DECLARE_PRINTER(v2_n);
610 DECLARE_PRINTER(v2_d);
611 DECLARE_PRINTER(v2_vid);
612 DECLARE_PRINTER(v2_TS);
613 DECLARE_PRINTER(v2_cp);
614 DECLARE_PRINTER(v2_eap);
615
616 static const u_char *ikev2_e_print(netdissect_options *ndo,
617 struct isakmp *base,
618 u_char tpay,
619 const struct isakmp_gen *ext,
620 u_int item_len,
621 const u_char *end_pointer,
622 uint32_t phase,
623 uint32_t doi0,
624 uint32_t proto0, int depth);
625
626
627 static const u_char *ike_sub0_print(netdissect_options *ndo,u_char, const struct isakmp_gen *,
628 const u_char *, uint32_t, uint32_t, uint32_t, int);
629 static const u_char *ikev1_sub_print(netdissect_options *ndo,u_char, const struct isakmp_gen *,
630 const u_char *, uint32_t, uint32_t, uint32_t, int);
631
632 static const u_char *ikev2_sub_print(netdissect_options *ndo,
633 struct isakmp *base,
634 u_char np, const struct isakmp_gen *ext,
635 const u_char *ep, uint32_t phase,
636 uint32_t doi, uint32_t proto,
637 int depth);
638
639
640 static char *numstr(int);
641
642 static void
643 ikev1_print(netdissect_options *ndo,
644 const u_char *bp, u_int length,
645 const u_char *bp2, struct isakmp *base);
646
647 #define MAXINITIATORS 20
648 static int ninitiator = 0;
649 union inaddr_u {
650 struct in_addr in4;
651 struct in6_addr in6;
652 };
653 static struct {
654 cookie_t initiator;
655 u_int version;
656 union inaddr_u iaddr;
657 union inaddr_u raddr;
658 } cookiecache[MAXINITIATORS];
659
660 /* protocol id */
661 static const char *protoidstr[] = {
662 NULL, "isakmp", "ipsec-ah", "ipsec-esp", "ipcomp",
663 };
664
665 /* isakmp->np */
666 static const char *npstr[] = {
667 "none", "sa", "p", "t", "ke", "id", "cert", "cr", "hash", /* 0 - 8 */
668 "sig", "nonce", "n", "d", "vid", /* 9 - 13 */
669 "pay14", "pay15", "pay16", "pay17", "pay18", /* 14- 18 */
670 "pay19", "pay20", "pay21", "pay22", "pay23", /* 19- 23 */
671 "pay24", "pay25", "pay26", "pay27", "pay28", /* 24- 28 */
672 "pay29", "pay30", "pay31", "pay32", /* 29- 32 */
673 "v2sa", "v2ke", "v2IDi", "v2IDr", "v2cert",/* 33- 37 */
674 "v2cr", "v2auth","v2nonce", "v2n", "v2d", /* 38- 42 */
675 "v2vid", "v2TSi", "v2TSr", "v2e", "v2cp", /* 43- 47 */
676 "v2eap", /* 48 */
677
678 };
679
680 /* isakmp->np */
681 static const u_char *(*npfunc[])(netdissect_options *ndo, u_char tpay,
682 const struct isakmp_gen *ext,
683 u_int item_len,
684 const u_char *end_pointer,
685 uint32_t phase,
686 uint32_t doi0,
687 uint32_t proto0, int depth) = {
688 NULL,
689 ikev1_sa_print,
690 ikev1_p_print,
691 ikev1_t_print,
692 ikev1_ke_print,
693 ikev1_id_print,
694 ikev1_cert_print,
695 ikev1_cr_print,
696 ikev1_hash_print,
697 ikev1_sig_print,
698 ikev1_nonce_print,
699 ikev1_n_print,
700 ikev1_d_print,
701 ikev1_vid_print, /* 13 */
702 NULL, NULL, NULL, NULL, NULL, /* 14- 18 */
703 NULL, NULL, NULL, NULL, NULL, /* 19- 23 */
704 NULL, NULL, NULL, NULL, NULL, /* 24- 28 */
705 NULL, NULL, NULL, NULL, /* 29- 32 */
706 ikev2_sa_print, /* 33 */
707 ikev2_ke_print, /* 34 */
708 ikev2_ID_print, /* 35 */
709 ikev2_ID_print, /* 36 */
710 ikev2_cert_print, /* 37 */
711 ikev2_cr_print, /* 38 */
712 ikev2_auth_print, /* 39 */
713 ikev2_nonce_print, /* 40 */
714 ikev2_n_print, /* 41 */
715 ikev2_d_print, /* 42 */
716 ikev2_vid_print, /* 43 */
717 ikev2_TS_print, /* 44 */
718 ikev2_TS_print, /* 45 */
719 NULL, /* ikev2_e_print,*/ /* 46 - special */
720 ikev2_cp_print, /* 47 */
721 ikev2_eap_print, /* 48 */
722 };
723
724 /* isakmp->etype */
725 static const char *etypestr[] = {
726 /* IKEv1 exchange types */
727 "none", "base", "ident", "auth", "agg", "inf", NULL, NULL, /* 0-7 */
728 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 8-15 */
729 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 16-23 */
730 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 24-31 */
731 "oakley-quick", "oakley-newgroup", /* 32-33 */
732 /* IKEv2 exchange types */
733 "ikev2_init", "ikev2_auth", "child_sa", "inf2" /* 34-37 */
734 };
735
736 #define STR_OR_ID(x, tab) \
737 (((x) < sizeof(tab)/sizeof(tab[0]) && tab[(x)]) ? tab[(x)] : numstr(x))
738 #define PROTOIDSTR(x) STR_OR_ID(x, protoidstr)
739 #define NPSTR(x) STR_OR_ID(x, npstr)
740 #define ETYPESTR(x) STR_OR_ID(x, etypestr)
741
742 #define CHECKLEN(p, np) \
743 if (ep < (const u_char *)(p)) { \
744 ND_PRINT((ndo," [|%s]", NPSTR(np))); \
745 goto done; \
746 }
747
748
749 #define NPFUNC(x) \
750 (((x) < sizeof(npfunc)/sizeof(npfunc[0]) && npfunc[(x)]) \
751 ? npfunc[(x)] : NULL)
752
753 static int
754 iszero(const u_char *p, size_t l)
755 {
756 while (l--) {
757 if (*p++)
758 return 0;
759 }
760 return 1;
761 }
762
763 /* find cookie from initiator cache */
764 static int
765 cookie_find(cookie_t *in)
766 {
767 int i;
768
769 for (i = 0; i < MAXINITIATORS; i++) {
770 if (memcmp(in, &cookiecache[i].initiator, sizeof(*in)) == 0)
771 return i;
772 }
773
774 return -1;
775 }
776
777 /* record initiator */
778 static void
779 cookie_record(cookie_t *in, const u_char *bp2)
780 {
781 int i;
782 const struct ip *ip;
783 const struct ip6_hdr *ip6;
784
785 i = cookie_find(in);
786 if (0 <= i) {
787 ninitiator = (i + 1) % MAXINITIATORS;
788 return;
789 }
790
791 ip = (const struct ip *)bp2;
792 switch (IP_V(ip)) {
793 case 4:
794 cookiecache[ninitiator].version = 4;
795 UNALIGNED_MEMCPY(&cookiecache[ninitiator].iaddr.in4, &ip->ip_src, sizeof(struct in_addr));
796 UNALIGNED_MEMCPY(&cookiecache[ninitiator].raddr.in4, &ip->ip_dst, sizeof(struct in_addr));
797 break;
798 case 6:
799 ip6 = (const struct ip6_hdr *)bp2;
800 cookiecache[ninitiator].version = 6;
801 UNALIGNED_MEMCPY(&cookiecache[ninitiator].iaddr.in6, &ip6->ip6_src, sizeof(struct in6_addr));
802 UNALIGNED_MEMCPY(&cookiecache[ninitiator].raddr.in6, &ip6->ip6_dst, sizeof(struct in6_addr));
803 break;
804 default:
805 return;
806 }
807 UNALIGNED_MEMCPY(&cookiecache[ninitiator].initiator, in, sizeof(*in));
808 ninitiator = (ninitiator + 1) % MAXINITIATORS;
809 }
810
811 #define cookie_isinitiator(x, y) cookie_sidecheck((x), (y), 1)
812 #define cookie_isresponder(x, y) cookie_sidecheck((x), (y), 0)
813 static int
814 cookie_sidecheck(int i, const u_char *bp2, int initiator)
815 {
816 const struct ip *ip;
817 const struct ip6_hdr *ip6;
818
819 ip = (const struct ip *)bp2;
820 switch (IP_V(ip)) {
821 case 4:
822 if (cookiecache[i].version != 4)
823 return 0;
824 if (initiator) {
825 if (UNALIGNED_MEMCMP(&ip->ip_src, &cookiecache[i].iaddr.in4, sizeof(struct in_addr)) == 0)
826 return 1;
827 } else {
828 if (UNALIGNED_MEMCMP(&ip->ip_src, &cookiecache[i].raddr.in4, sizeof(struct in_addr)) == 0)
829 return 1;
830 }
831 break;
832 case 6:
833 if (cookiecache[i].version != 6)
834 return 0;
835 ip6 = (const struct ip6_hdr *)bp2;
836 if (initiator) {
837 if (UNALIGNED_MEMCMP(&ip6->ip6_src, &cookiecache[i].iaddr.in6, sizeof(struct in6_addr)) == 0)
838 return 1;
839 } else {
840 if (UNALIGNED_MEMCMP(&ip6->ip6_src, &cookiecache[i].raddr.in6, sizeof(struct in6_addr)) == 0)
841 return 1;
842 }
843 break;
844 default:
845 break;
846 }
847
848 return 0;
849 }
850
851 static void
852 hexprint(netdissect_options *ndo, const uint8_t *loc, size_t len)
853 {
854 const uint8_t *p;
855 size_t i;
856
857 p = loc;
858 for (i = 0; i < len; i++)
859 ND_PRINT((ndo,"%02x", p[i] & 0xff));
860 }
861
862 static int
863 rawprint(netdissect_options *ndo, const uint8_t *loc, size_t len)
864 {
865 ND_TCHECK2(*loc, len);
866
867 hexprint(ndo, loc, len);
868 return 1;
869 trunc:
870 return 0;
871 }
872
873
874 /*
875 * returns false if we run out of data buffer
876 */
877 static int ike_show_somedata(netdissect_options *ndo,
878 const u_char *cp, const u_char *ep)
879 {
880 /* there is too much data, just show some of it */
881 const u_char *end = ep - 20;
882 int elen = 20;
883 int len = ep - cp;
884 if(len > 10) {
885 len = 10;
886 }
887
888 /* really shouldn't happen because of above */
889 if(end < cp + len) {
890 end = cp+len;
891 elen = ep - end;
892 }
893
894 ND_PRINT((ndo," data=("));
895 if(!rawprint(ndo, (const uint8_t *)(cp), len)) goto trunc;
896 ND_PRINT((ndo, "..."));
897 if(elen) {
898 if(!rawprint(ndo, (const uint8_t *)(end), elen)) goto trunc;
899 }
900 ND_PRINT((ndo,")"));
901 return 1;
902
903 trunc:
904 return 0;
905 }
906
907 struct attrmap {
908 const char *type;
909 u_int nvalue;
910 const char *value[30]; /*XXX*/
911 };
912
913 static const u_char *
914 ikev1_attrmap_print(netdissect_options *ndo,
915 const u_char *p, const u_char *ep,
916 const struct attrmap *map, size_t nmap)
917 {
918 int totlen;
919 uint32_t t, v;
920
921 if (p[0] & 0x80)
922 totlen = 4;
923 else
924 totlen = 4 + EXTRACT_16BITS(&p[2]);
925 if (ep < p + totlen) {
926 ND_PRINT((ndo,"[|attr]"));
927 return ep + 1;
928 }
929
930 ND_PRINT((ndo,"("));
931 t = EXTRACT_16BITS(&p[0]) & 0x7fff;
932 if (map && t < nmap && map[t].type)
933 ND_PRINT((ndo,"type=%s ", map[t].type));
934 else
935 ND_PRINT((ndo,"type=#%d ", t));
936 if (p[0] & 0x80) {
937 ND_PRINT((ndo,"value="));
938 v = EXTRACT_16BITS(&p[2]);
939 if (map && t < nmap && v < map[t].nvalue && map[t].value[v])
940 ND_PRINT((ndo,"%s", map[t].value[v]));
941 else
942 rawprint(ndo, (const uint8_t *)&p[2], 2);
943 } else {
944 ND_PRINT((ndo,"len=%d value=", EXTRACT_16BITS(&p[2])));
945 rawprint(ndo, (const uint8_t *)&p[4], EXTRACT_16BITS(&p[2]));
946 }
947 ND_PRINT((ndo,")"));
948 return p + totlen;
949 }
950
951 static const u_char *
952 ikev1_attr_print(netdissect_options *ndo, const u_char *p, const u_char *ep)
953 {
954 int totlen;
955 uint32_t t;
956
957 if (p[0] & 0x80)
958 totlen = 4;
959 else
960 totlen = 4 + EXTRACT_16BITS(&p[2]);
961 if (ep < p + totlen) {
962 ND_PRINT((ndo,"[|attr]"));
963 return ep + 1;
964 }
965
966 ND_PRINT((ndo,"("));
967 t = EXTRACT_16BITS(&p[0]) & 0x7fff;
968 ND_PRINT((ndo,"type=#%d ", t));
969 if (p[0] & 0x80) {
970 ND_PRINT((ndo,"value="));
971 t = p[2];
972 rawprint(ndo, (const uint8_t *)&p[2], 2);
973 } else {
974 ND_PRINT((ndo,"len=%d value=", EXTRACT_16BITS(&p[2])));
975 rawprint(ndo, (const uint8_t *)&p[4], EXTRACT_16BITS(&p[2]));
976 }
977 ND_PRINT((ndo,")"));
978 return p + totlen;
979 }
980
981 static const u_char *
982 ikev1_sa_print(netdissect_options *ndo, u_char tpay _U_,
983 const struct isakmp_gen *ext,
984 u_int item_len _U_,
985 const u_char *ep, uint32_t phase, uint32_t doi0 _U_,
986 uint32_t proto0, int depth)
987 {
988 const struct ikev1_pl_sa *p;
989 struct ikev1_pl_sa sa;
990 uint32_t doi, sit, ident;
991 const u_char *cp, *np;
992 int t;
993
994 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_SA)));
995
996 p = (const struct ikev1_pl_sa *)ext;
997 ND_TCHECK(*p);
998 UNALIGNED_MEMCPY(&sa, ext, sizeof(sa));
999 doi = ntohl(sa.doi);
1000 sit = ntohl(sa.sit);
1001 if (doi != 1) {
1002 ND_PRINT((ndo," doi=%d", doi));
1003 ND_PRINT((ndo," situation=%u", (uint32_t)ntohl(sa.sit)));
1004 return (const u_char *)(p + 1);
1005 }
1006
1007 ND_PRINT((ndo," doi=ipsec"));
1008 ND_PRINT((ndo," situation="));
1009 t = 0;
1010 if (sit & 0x01) {
1011 ND_PRINT((ndo,"identity"));
1012 t++;
1013 }
1014 if (sit & 0x02) {
1015 ND_PRINT((ndo,"%ssecrecy", t ? "+" : ""));
1016 t++;
1017 }
1018 if (sit & 0x04)
1019 ND_PRINT((ndo,"%sintegrity", t ? "+" : ""));
1020
1021 np = (const u_char *)ext + sizeof(sa);
1022 if (sit != 0x01) {
1023 ND_TCHECK2(*(ext + 1), sizeof(ident));
1024 UNALIGNED_MEMCPY(&ident, ext + 1, sizeof(ident));
1025 ND_PRINT((ndo," ident=%u", (uint32_t)ntohl(ident)));
1026 np += sizeof(ident);
1027 }
1028
1029 ext = (const struct isakmp_gen *)np;
1030 ND_TCHECK(*ext);
1031
1032 cp = ikev1_sub_print(ndo, ISAKMP_NPTYPE_P, ext, ep, phase, doi, proto0,
1033 depth);
1034
1035 return cp;
1036 trunc:
1037 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_SA)));
1038 return NULL;
1039 }
1040
1041 static const u_char *
1042 ikev1_p_print(netdissect_options *ndo, u_char tpay _U_,
1043 const struct isakmp_gen *ext, u_int item_len _U_,
1044 const u_char *ep, uint32_t phase, uint32_t doi0,
1045 uint32_t proto0 _U_, int depth)
1046 {
1047 const struct ikev1_pl_p *p;
1048 struct ikev1_pl_p prop;
1049 const u_char *cp;
1050
1051 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_P)));
1052
1053 p = (const struct ikev1_pl_p *)ext;
1054 ND_TCHECK(*p);
1055 UNALIGNED_MEMCPY(&prop, ext, sizeof(prop));
1056 ND_PRINT((ndo," #%d protoid=%s transform=%d",
1057 prop.p_no, PROTOIDSTR(prop.prot_id), prop.num_t));
1058 if (prop.spi_size) {
1059 ND_PRINT((ndo," spi="));
1060 if (!rawprint(ndo, (const uint8_t *)(p + 1), prop.spi_size))
1061 goto trunc;
1062 }
1063
1064 ext = (const struct isakmp_gen *)((const u_char *)(p + 1) + prop.spi_size);
1065 ND_TCHECK(*ext);
1066
1067 cp = ikev1_sub_print(ndo, ISAKMP_NPTYPE_T, ext, ep, phase, doi0,
1068 prop.prot_id, depth);
1069
1070 return cp;
1071 trunc:
1072 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_P)));
1073 return NULL;
1074 }
1075
1076 static const char *ikev1_p_map[] = {
1077 NULL, "ike",
1078 };
1079
1080 static const char *ikev2_t_type_map[]={
1081 NULL, "encr", "prf", "integ", "dh", "esn"
1082 };
1083
1084 static const char *ah_p_map[] = {
1085 NULL, "(reserved)", "md5", "sha", "1des",
1086 "sha2-256", "sha2-384", "sha2-512",
1087 };
1088
1089 static const char *prf_p_map[] = {
1090 NULL, "hmac-md5", "hmac-sha", "hmac-tiger",
1091 "aes128_xcbc"
1092 };
1093
1094 static const char *integ_p_map[] = {
1095 NULL, "hmac-md5", "hmac-sha", "dec-mac",
1096 "kpdk-md5", "aes-xcbc"
1097 };
1098
1099 static const char *esn_p_map[] = {
1100 "no-esn", "esn"
1101 };
1102
1103 static const char *dh_p_map[] = {
1104 NULL, "modp768",
1105 "modp1024", /* group 2 */
1106 "EC2N 2^155", /* group 3 */
1107 "EC2N 2^185", /* group 4 */
1108 "modp1536", /* group 5 */
1109 "iana-grp06", "iana-grp07", /* reserved */
1110 "iana-grp08", "iana-grp09",
1111 "iana-grp10", "iana-grp11",
1112 "iana-grp12", "iana-grp13",
1113 "modp2048", /* group 14 */
1114 "modp3072", /* group 15 */
1115 "modp4096", /* group 16 */
1116 "modp6144", /* group 17 */
1117 "modp8192", /* group 18 */
1118 };
1119
1120 static const char *esp_p_map[] = {
1121 NULL, "1des-iv64", "1des", "3des", "rc5", "idea", "cast",
1122 "blowfish", "3idea", "1des-iv32", "rc4", "null", "aes"
1123 };
1124
1125 static const char *ipcomp_p_map[] = {
1126 NULL, "oui", "deflate", "lzs",
1127 };
1128
1129 static const struct attrmap ipsec_t_map[] = {
1130 { NULL, 0, { NULL } },
1131 { "lifetype", 3, { NULL, "sec", "kb", }, },
1132 { "life", 0, { NULL } },
1133 { "group desc", 18, { NULL, "modp768",
1134 "modp1024", /* group 2 */
1135 "EC2N 2^155", /* group 3 */
1136 "EC2N 2^185", /* group 4 */
1137 "modp1536", /* group 5 */
1138 "iana-grp06", "iana-grp07", /* reserved */
1139 "iana-grp08", "iana-grp09",
1140 "iana-grp10", "iana-grp11",
1141 "iana-grp12", "iana-grp13",
1142 "modp2048", /* group 14 */
1143 "modp3072", /* group 15 */
1144 "modp4096", /* group 16 */
1145 "modp6144", /* group 17 */
1146 "modp8192", /* group 18 */
1147 }, },
1148 { "enc mode", 3, { NULL, "tunnel", "transport", }, },
1149 { "auth", 5, { NULL, "hmac-md5", "hmac-sha1", "1des-mac", "keyed", }, },
1150 { "keylen", 0, { NULL } },
1151 { "rounds", 0, { NULL } },
1152 { "dictsize", 0, { NULL } },
1153 { "privalg", 0, { NULL } },
1154 };
1155
1156 static const struct attrmap encr_t_map[] = {
1157 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 0, 1 */
1158 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 2, 3 */
1159 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 4, 5 */
1160 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 6, 7 */
1161 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 8, 9 */
1162 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 10,11*/
1163 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 12,13*/
1164 { "keylen", 14, { NULL }},
1165 };
1166
1167 static const struct attrmap oakley_t_map[] = {
1168 { NULL, 0, { NULL } },
1169 { "enc", 8, { NULL, "1des", "idea", "blowfish", "rc5",
1170 "3des", "cast", "aes", }, },
1171 { "hash", 7, { NULL, "md5", "sha1", "tiger",
1172 "sha2-256", "sha2-384", "sha2-512", }, },
1173 { "auth", 6, { NULL, "preshared", "dss", "rsa sig", "rsa enc",
1174 "rsa enc revised", }, },
1175 { "group desc", 18, { NULL, "modp768",
1176 "modp1024", /* group 2 */
1177 "EC2N 2^155", /* group 3 */
1178 "EC2N 2^185", /* group 4 */
1179 "modp1536", /* group 5 */
1180 "iana-grp06", "iana-grp07", /* reserved */
1181 "iana-grp08", "iana-grp09",
1182 "iana-grp10", "iana-grp11",
1183 "iana-grp12", "iana-grp13",
1184 "modp2048", /* group 14 */
1185 "modp3072", /* group 15 */
1186 "modp4096", /* group 16 */
1187 "modp6144", /* group 17 */
1188 "modp8192", /* group 18 */
1189 }, },
1190 { "group type", 4, { NULL, "MODP", "ECP", "EC2N", }, },
1191 { "group prime", 0, { NULL } },
1192 { "group gen1", 0, { NULL } },
1193 { "group gen2", 0, { NULL } },
1194 { "group curve A", 0, { NULL } },
1195 { "group curve B", 0, { NULL } },
1196 { "lifetype", 3, { NULL, "sec", "kb", }, },
1197 { "lifeduration", 0, { NULL } },
1198 { "prf", 0, { NULL } },
1199 { "keylen", 0, { NULL } },
1200 { "field", 0, { NULL } },
1201 { "order", 0, { NULL } },
1202 };
1203
1204 static const u_char *
1205 ikev1_t_print(netdissect_options *ndo, u_char tpay _U_,
1206 const struct isakmp_gen *ext, u_int item_len,
1207 const u_char *ep, uint32_t phase _U_, uint32_t doi _U_,
1208 uint32_t proto, int depth _U_)
1209 {
1210 const struct ikev1_pl_t *p;
1211 struct ikev1_pl_t t;
1212 const u_char *cp;
1213 const char *idstr;
1214 const struct attrmap *map;
1215 size_t nmap;
1216 const u_char *ep2;
1217
1218 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_T)));
1219
1220 p = (const struct ikev1_pl_t *)ext;
1221 ND_TCHECK(*p);
1222 UNALIGNED_MEMCPY(&t, ext, sizeof(t));
1223
1224 switch (proto) {
1225 case 1:
1226 idstr = STR_OR_ID(t.t_id, ikev1_p_map);
1227 map = oakley_t_map;
1228 nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]);
1229 break;
1230 case 2:
1231 idstr = STR_OR_ID(t.t_id, ah_p_map);
1232 map = ipsec_t_map;
1233 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
1234 break;
1235 case 3:
1236 idstr = STR_OR_ID(t.t_id, esp_p_map);
1237 map = ipsec_t_map;
1238 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
1239 break;
1240 case 4:
1241 idstr = STR_OR_ID(t.t_id, ipcomp_p_map);
1242 map = ipsec_t_map;
1243 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
1244 break;
1245 default:
1246 idstr = NULL;
1247 map = NULL;
1248 nmap = 0;
1249 break;
1250 }
1251
1252 if (idstr)
1253 ND_PRINT((ndo," #%d id=%s ", t.t_no, idstr));
1254 else
1255 ND_PRINT((ndo," #%d id=%d ", t.t_no, t.t_id));
1256 cp = (const u_char *)(p + 1);
1257 ep2 = (const u_char *)p + item_len;
1258 while (cp < ep && cp < ep2) {
1259 if (map && nmap) {
1260 cp = ikev1_attrmap_print(ndo, cp, (ep < ep2) ? ep : ep2,
1261 map, nmap);
1262 } else
1263 cp = ikev1_attr_print(ndo, cp, (ep < ep2) ? ep : ep2);
1264 }
1265 if (ep < ep2)
1266 ND_PRINT((ndo,"..."));
1267 return cp;
1268 trunc:
1269 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_T)));
1270 return NULL;
1271 }
1272
1273 static const u_char *
1274 ikev1_ke_print(netdissect_options *ndo, u_char tpay _U_,
1275 const struct isakmp_gen *ext, u_int item_len _U_,
1276 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_,
1277 uint32_t proto _U_, int depth _U_)
1278 {
1279 struct isakmp_gen e;
1280
1281 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_KE)));
1282
1283 ND_TCHECK(*ext);
1284 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1285 ND_PRINT((ndo," key len=%d", ntohs(e.len) - 4));
1286 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1287 ND_PRINT((ndo," "));
1288 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
1289 goto trunc;
1290 }
1291 return (const u_char *)ext + ntohs(e.len);
1292 trunc:
1293 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_KE)));
1294 return NULL;
1295 }
1296
1297 static const u_char *
1298 ikev1_id_print(netdissect_options *ndo, u_char tpay _U_,
1299 const struct isakmp_gen *ext, u_int item_len,
1300 const u_char *ep _U_, uint32_t phase, uint32_t doi _U_,
1301 uint32_t proto _U_, int depth _U_)
1302 {
1303 #define USE_IPSECDOI_IN_PHASE1 1
1304 const struct ikev1_pl_id *p;
1305 struct ikev1_pl_id id;
1306 static const char *idtypestr[] = {
1307 "IPv4", "IPv4net", "IPv6", "IPv6net",
1308 };
1309 static const char *ipsecidtypestr[] = {
1310 NULL, "IPv4", "FQDN", "user FQDN", "IPv4net", "IPv6",
1311 "IPv6net", "IPv4range", "IPv6range", "ASN1 DN", "ASN1 GN",
1312 "keyid",
1313 };
1314 int len;
1315 const u_char *data;
1316
1317 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_ID)));
1318
1319 p = (const struct ikev1_pl_id *)ext;
1320 ND_TCHECK(*p);
1321 UNALIGNED_MEMCPY(&id, ext, sizeof(id));
1322 if (sizeof(*p) < item_len) {
1323 data = (const u_char *)(p + 1);
1324 len = item_len - sizeof(*p);
1325 } else {
1326 data = NULL;
1327 len = 0;
1328 }
1329
1330 #if 0 /*debug*/
1331 ND_PRINT((ndo," [phase=%d doi=%d proto=%d]", phase, doi, proto));
1332 #endif
1333 switch (phase) {
1334 #ifndef USE_IPSECDOI_IN_PHASE1
1335 case 1:
1336 #endif
1337 default:
1338 ND_PRINT((ndo," idtype=%s", STR_OR_ID(id.d.id_type, idtypestr)));
1339 ND_PRINT((ndo," doi_data=%u",
1340 (uint32_t)(ntohl(id.d.doi_data) & 0xffffff)));
1341 break;
1342
1343 #ifdef USE_IPSECDOI_IN_PHASE1
1344 case 1:
1345 #endif
1346 case 2:
1347 {
1348 const struct ipsecdoi_id *doi_p;
1349 struct ipsecdoi_id doi_id;
1350 const char *p_name;
1351
1352 doi_p = (const struct ipsecdoi_id *)ext;
1353 ND_TCHECK(*doi_p);
1354 UNALIGNED_MEMCPY(&doi_id, ext, sizeof(doi_id));
1355 ND_PRINT((ndo," idtype=%s", STR_OR_ID(doi_id.type, ipsecidtypestr)));
1356 /* A protocol ID of 0 DOES NOT mean IPPROTO_IP! */
1357 if (!ndo->ndo_nflag && doi_id.proto_id && (p_name = netdb_protoname(doi_id.proto_id)) != NULL)
1358 ND_PRINT((ndo," protoid=%s", p_name));
1359 else
1360 ND_PRINT((ndo," protoid=%u", doi_id.proto_id));
1361 ND_PRINT((ndo," port=%d", ntohs(doi_id.port)));
1362 if (!len)
1363 break;
1364 if (data == NULL)
1365 goto trunc;
1366 ND_TCHECK2(*data, len);
1367 switch (doi_id.type) {
1368 case IPSECDOI_ID_IPV4_ADDR:
1369 if (len < 4)
1370 ND_PRINT((ndo," len=%d [bad: < 4]", len));
1371 else
1372 ND_PRINT((ndo," len=%d %s", len, ipaddr_string(ndo, data)));
1373 len = 0;
1374 break;
1375 case IPSECDOI_ID_FQDN:
1376 case IPSECDOI_ID_USER_FQDN:
1377 {
1378 int i;
1379 ND_PRINT((ndo," len=%d ", len));
1380 for (i = 0; i < len; i++)
1381 safeputchar(ndo, data[i]);
1382 len = 0;
1383 break;
1384 }
1385 case IPSECDOI_ID_IPV4_ADDR_SUBNET:
1386 {
1387 const u_char *mask;
1388 if (len < 8)
1389 ND_PRINT((ndo," len=%d [bad: < 8]", len));
1390 else {
1391 mask = data + sizeof(struct in_addr);
1392 ND_PRINT((ndo," len=%d %s/%u.%u.%u.%u", len,
1393 ipaddr_string(ndo, data),
1394 mask[0], mask[1], mask[2], mask[3]));
1395 }
1396 len = 0;
1397 break;
1398 }
1399 case IPSECDOI_ID_IPV6_ADDR:
1400 if (len < 16)
1401 ND_PRINT((ndo," len=%d [bad: < 16]", len));
1402 else
1403 ND_PRINT((ndo," len=%d %s", len, ip6addr_string(ndo, data)));
1404 len = 0;
1405 break;
1406 case IPSECDOI_ID_IPV6_ADDR_SUBNET:
1407 {
1408 const u_char *mask;
1409 if (len < 20)
1410 ND_PRINT((ndo," len=%d [bad: < 20]", len));
1411 else {
1412 mask = (const u_char *)(data + sizeof(struct in6_addr));
1413 /*XXX*/
1414 ND_PRINT((ndo," len=%d %s/0x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x", len,
1415 ip6addr_string(ndo, data),
1416 mask[0], mask[1], mask[2], mask[3],
1417 mask[4], mask[5], mask[6], mask[7],
1418 mask[8], mask[9], mask[10], mask[11],
1419 mask[12], mask[13], mask[14], mask[15]));
1420 }
1421 len = 0;
1422 break;
1423 }
1424 case IPSECDOI_ID_IPV4_ADDR_RANGE:
1425 if (len < 8)
1426 ND_PRINT((ndo," len=%d [bad: < 8]", len));
1427 else {
1428 ND_PRINT((ndo," len=%d %s-%s", len,
1429 ipaddr_string(ndo, data),
1430 ipaddr_string(ndo, data + sizeof(struct in_addr))));
1431 }
1432 len = 0;
1433 break;
1434 case IPSECDOI_ID_IPV6_ADDR_RANGE:
1435 if (len < 32)
1436 ND_PRINT((ndo," len=%d [bad: < 32]", len));
1437 else {
1438 ND_PRINT((ndo," len=%d %s-%s", len,
1439 ip6addr_string(ndo, data),
1440 ip6addr_string(ndo, data + sizeof(struct in6_addr))));
1441 }
1442 len = 0;
1443 break;
1444 case IPSECDOI_ID_DER_ASN1_DN:
1445 case IPSECDOI_ID_DER_ASN1_GN:
1446 case IPSECDOI_ID_KEY_ID:
1447 break;
1448 }
1449 break;
1450 }
1451 }
1452 if (data && len) {
1453 ND_PRINT((ndo," len=%d", len));
1454 if (2 < ndo->ndo_vflag) {
1455 ND_PRINT((ndo," "));
1456 if (!rawprint(ndo, (const uint8_t *)data, len))
1457 goto trunc;
1458 }
1459 }
1460 return (const u_char *)ext + item_len;
1461 trunc:
1462 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_ID)));
1463 return NULL;
1464 }
1465
1466 static const u_char *
1467 ikev1_cert_print(netdissect_options *ndo, u_char tpay _U_,
1468 const struct isakmp_gen *ext, u_int item_len,
1469 const u_char *ep _U_, uint32_t phase _U_,
1470 uint32_t doi0 _U_,
1471 uint32_t proto0 _U_, int depth _U_)
1472 {
1473 const struct ikev1_pl_cert *p;
1474 struct ikev1_pl_cert cert;
1475 static const char *certstr[] = {
1476 "none", "pkcs7", "pgp", "dns",
1477 "x509sign", "x509ke", "kerberos", "crl",
1478 "arl", "spki", "x509attr",
1479 };
1480
1481 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_CERT)));
1482
1483 p = (const struct ikev1_pl_cert *)ext;
1484 ND_TCHECK(*p);
1485 UNALIGNED_MEMCPY(&cert, ext, sizeof(cert));
1486 ND_PRINT((ndo," len=%d", item_len - 4));
1487 ND_PRINT((ndo," type=%s", STR_OR_ID((cert.encode), certstr)));
1488 if (2 < ndo->ndo_vflag && 4 < item_len) {
1489 ND_PRINT((ndo," "));
1490 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1491 goto trunc;
1492 }
1493 return (const u_char *)ext + item_len;
1494 trunc:
1495 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_CERT)));
1496 return NULL;
1497 }
1498
1499 static const u_char *
1500 ikev1_cr_print(netdissect_options *ndo, u_char tpay _U_,
1501 const struct isakmp_gen *ext, u_int item_len,
1502 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi0 _U_,
1503 uint32_t proto0 _U_, int depth _U_)
1504 {
1505 const struct ikev1_pl_cert *p;
1506 struct ikev1_pl_cert cert;
1507 static const char *certstr[] = {
1508 "none", "pkcs7", "pgp", "dns",
1509 "x509sign", "x509ke", "kerberos", "crl",
1510 "arl", "spki", "x509attr",
1511 };
1512
1513 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_CR)));
1514
1515 p = (const struct ikev1_pl_cert *)ext;
1516 ND_TCHECK(*p);
1517 UNALIGNED_MEMCPY(&cert, ext, sizeof(cert));
1518 ND_PRINT((ndo," len=%d", item_len - 4));
1519 ND_PRINT((ndo," type=%s", STR_OR_ID((cert.encode), certstr)));
1520 if (2 < ndo->ndo_vflag && 4 < item_len) {
1521 ND_PRINT((ndo," "));
1522 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1523 goto trunc;
1524 }
1525 return (const u_char *)ext + item_len;
1526 trunc:
1527 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_CR)));
1528 return NULL;
1529 }
1530
1531 static const u_char *
1532 ikev1_hash_print(netdissect_options *ndo, u_char tpay _U_,
1533 const struct isakmp_gen *ext, u_int item_len _U_,
1534 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_,
1535 uint32_t proto _U_, int depth _U_)
1536 {
1537 struct isakmp_gen e;
1538
1539 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_HASH)));
1540
1541 ND_TCHECK(*ext);
1542 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1543 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
1544 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1545 ND_PRINT((ndo," "));
1546 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
1547 goto trunc;
1548 }
1549 return (const u_char *)ext + ntohs(e.len);
1550 trunc:
1551 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_HASH)));
1552 return NULL;
1553 }
1554
1555 static const u_char *
1556 ikev1_sig_print(netdissect_options *ndo, u_char tpay _U_,
1557 const struct isakmp_gen *ext, u_int item_len _U_,
1558 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_,
1559 uint32_t proto _U_, int depth _U_)
1560 {
1561 struct isakmp_gen e;
1562
1563 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_SIG)));
1564
1565 ND_TCHECK(*ext);
1566 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1567 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
1568 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1569 ND_PRINT((ndo," "));
1570 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
1571 goto trunc;
1572 }
1573 return (const u_char *)ext + ntohs(e.len);
1574 trunc:
1575 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_SIG)));
1576 return NULL;
1577 }
1578
1579 static const u_char *
1580 ikev1_nonce_print(netdissect_options *ndo, u_char tpay _U_,
1581 const struct isakmp_gen *ext,
1582 u_int item_len _U_,
1583 const u_char *ep,
1584 uint32_t phase _U_, uint32_t doi _U_,
1585 uint32_t proto _U_, int depth _U_)
1586 {
1587 struct isakmp_gen e;
1588
1589 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_NONCE)));
1590
1591 ND_TCHECK(*ext);
1592 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1593 ND_PRINT((ndo," n len=%d", ntohs(e.len) - 4));
1594 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1595 ND_PRINT((ndo," "));
1596 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
1597 goto trunc;
1598 } else if (1 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1599 ND_PRINT((ndo," "));
1600 if (!ike_show_somedata(ndo, (const u_char *)(const uint8_t *)(ext + 1), ep))
1601 goto trunc;
1602 }
1603 return (const u_char *)ext + ntohs(e.len);
1604 trunc:
1605 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_NONCE)));
1606 return NULL;
1607 }
1608
1609 static const u_char *
1610 ikev1_n_print(netdissect_options *ndo, u_char tpay _U_,
1611 const struct isakmp_gen *ext, u_int item_len,
1612 const u_char *ep, uint32_t phase, uint32_t doi0 _U_,
1613 uint32_t proto0 _U_, int depth)
1614 {
1615 const struct ikev1_pl_n *p;
1616 struct ikev1_pl_n n;
1617 const u_char *cp;
1618 const u_char *ep2;
1619 uint32_t doi;
1620 uint32_t proto;
1621 static const char *notify_error_str[] = {
1622 NULL, "INVALID-PAYLOAD-TYPE",
1623 "DOI-NOT-SUPPORTED", "SITUATION-NOT-SUPPORTED",
1624 "INVALID-COOKIE", "INVALID-MAJOR-VERSION",
1625 "INVALID-MINOR-VERSION", "INVALID-EXCHANGE-TYPE",
1626 "INVALID-FLAGS", "INVALID-MESSAGE-ID",
1627 "INVALID-PROTOCOL-ID", "INVALID-SPI",
1628 "INVALID-TRANSFORM-ID", "ATTRIBUTES-NOT-SUPPORTED",
1629 "NO-PROPOSAL-CHOSEN", "BAD-PROPOSAL-SYNTAX",
1630 "PAYLOAD-MALFORMED", "INVALID-KEY-INFORMATION",
1631 "INVALID-ID-INFORMATION", "INVALID-CERT-ENCODING",
1632 "INVALID-CERTIFICATE", "CERT-TYPE-UNSUPPORTED",
1633 "INVALID-CERT-AUTHORITY", "INVALID-HASH-INFORMATION",
1634 "AUTHENTICATION-FAILED", "INVALID-SIGNATURE",
1635 "ADDRESS-NOTIFICATION", "NOTIFY-SA-LIFETIME",
1636 "CERTIFICATE-UNAVAILABLE", "UNSUPPORTED-EXCHANGE-TYPE",
1637 "UNEQUAL-PAYLOAD-LENGTHS",
1638 };
1639 static const char *ipsec_notify_error_str[] = {
1640 "RESERVED",
1641 };
1642 static const char *notify_status_str[] = {
1643 "CONNECTED",
1644 };
1645 static const char *ipsec_notify_status_str[] = {
1646 "RESPONDER-LIFETIME", "REPLAY-STATUS",
1647 "INITIAL-CONTACT",
1648 };
1649 /* NOTE: these macro must be called with x in proper range */
1650
1651 /* 0 - 8191 */
1652 #define NOTIFY_ERROR_STR(x) \
1653 STR_OR_ID((x), notify_error_str)
1654
1655 /* 8192 - 16383 */
1656 #define IPSEC_NOTIFY_ERROR_STR(x) \
1657 STR_OR_ID((u_int)((x) - 8192), ipsec_notify_error_str)
1658
1659 /* 16384 - 24575 */
1660 #define NOTIFY_STATUS_STR(x) \
1661 STR_OR_ID((u_int)((x) - 16384), notify_status_str)
1662
1663 /* 24576 - 32767 */
1664 #define IPSEC_NOTIFY_STATUS_STR(x) \
1665 STR_OR_ID((u_int)((x) - 24576), ipsec_notify_status_str)
1666
1667 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_N)));
1668
1669 p = (const struct ikev1_pl_n *)ext;
1670 ND_TCHECK(*p);
1671 UNALIGNED_MEMCPY(&n, ext, sizeof(n));
1672 doi = ntohl(n.doi);
1673 proto = n.prot_id;
1674 if (doi != 1) {
1675 ND_PRINT((ndo," doi=%d", doi));
1676 ND_PRINT((ndo," proto=%d", proto));
1677 if (ntohs(n.type) < 8192)
1678 ND_PRINT((ndo," type=%s", NOTIFY_ERROR_STR(ntohs(n.type))));
1679 else if (ntohs(n.type) < 16384)
1680 ND_PRINT((ndo," type=%s", numstr(ntohs(n.type))));
1681 else if (ntohs(n.type) < 24576)
1682 ND_PRINT((ndo," type=%s", NOTIFY_STATUS_STR(ntohs(n.type))));
1683 else
1684 ND_PRINT((ndo," type=%s", numstr(ntohs(n.type))));
1685 if (n.spi_size) {
1686 ND_PRINT((ndo," spi="));
1687 if (!rawprint(ndo, (const uint8_t *)(p + 1), n.spi_size))
1688 goto trunc;
1689 }
1690 return (const u_char *)(p + 1) + n.spi_size;
1691 }
1692
1693 ND_PRINT((ndo," doi=ipsec"));
1694 ND_PRINT((ndo," proto=%s", PROTOIDSTR(proto)));
1695 if (ntohs(n.type) < 8192)
1696 ND_PRINT((ndo," type=%s", NOTIFY_ERROR_STR(ntohs(n.type))));
1697 else if (ntohs(n.type) < 16384)
1698 ND_PRINT((ndo," type=%s", IPSEC_NOTIFY_ERROR_STR(ntohs(n.type))));
1699 else if (ntohs(n.type) < 24576)
1700 ND_PRINT((ndo," type=%s", NOTIFY_STATUS_STR(ntohs(n.type))));
1701 else if (ntohs(n.type) < 32768)
1702 ND_PRINT((ndo," type=%s", IPSEC_NOTIFY_STATUS_STR(ntohs(n.type))));
1703 else
1704 ND_PRINT((ndo," type=%s", numstr(ntohs(n.type))));
1705 if (n.spi_size) {
1706 ND_PRINT((ndo," spi="));
1707 if (!rawprint(ndo, (const uint8_t *)(p + 1), n.spi_size))
1708 goto trunc;
1709 }
1710
1711 cp = (const u_char *)(p + 1) + n.spi_size;
1712 ep2 = (const u_char *)p + item_len;
1713
1714 if (cp < ep) {
1715 ND_PRINT((ndo," orig=("));
1716 switch (ntohs(n.type)) {
1717 case IPSECDOI_NTYPE_RESPONDER_LIFETIME:
1718 {
1719 const struct attrmap *map = oakley_t_map;
1720 size_t nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]);
1721 while (cp < ep && cp < ep2) {
1722 cp = ikev1_attrmap_print(ndo, cp,
1723 (ep < ep2) ? ep : ep2, map, nmap);
1724 }
1725 break;
1726 }
1727 case IPSECDOI_NTYPE_REPLAY_STATUS:
1728 ND_PRINT((ndo,"replay detection %sabled",
1729 EXTRACT_32BITS(cp) ? "en" : "dis"));
1730 break;
1731 case ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN:
1732 if (ikev1_sub_print(ndo, ISAKMP_NPTYPE_SA,
1733 (const struct isakmp_gen *)cp, ep, phase, doi, proto,
1734 depth) == NULL)
1735 return NULL;
1736 break;
1737 default:
1738 /* NULL is dummy */
1739 isakmp_print(ndo, cp,
1740 item_len - sizeof(*p) - n.spi_size,
1741 NULL);
1742 }
1743 ND_PRINT((ndo,")"));
1744 }
1745 return (const u_char *)ext + item_len;
1746 trunc:
1747 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_N)));
1748 return NULL;
1749 }
1750
1751 static const u_char *
1752 ikev1_d_print(netdissect_options *ndo, u_char tpay _U_,
1753 const struct isakmp_gen *ext, u_int item_len _U_,
1754 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi0 _U_,
1755 uint32_t proto0 _U_, int depth _U_)
1756 {
1757 const struct ikev1_pl_d *p;
1758 struct ikev1_pl_d d;
1759 const uint8_t *q;
1760 uint32_t doi;
1761 uint32_t proto;
1762 int i;
1763
1764 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_D)));
1765
1766 p = (const struct ikev1_pl_d *)ext;
1767 ND_TCHECK(*p);
1768 UNALIGNED_MEMCPY(&d, ext, sizeof(d));
1769 doi = ntohl(d.doi);
1770 proto = d.prot_id;
1771 if (doi != 1) {
1772 ND_PRINT((ndo," doi=%u", doi));
1773 ND_PRINT((ndo," proto=%u", proto));
1774 } else {
1775 ND_PRINT((ndo," doi=ipsec"));
1776 ND_PRINT((ndo," proto=%s", PROTOIDSTR(proto)));
1777 }
1778 ND_PRINT((ndo," spilen=%u", d.spi_size));
1779 ND_PRINT((ndo," nspi=%u", ntohs(d.num_spi)));
1780 ND_PRINT((ndo," spi="));
1781 q = (const uint8_t *)(p + 1);
1782 for (i = 0; i < ntohs(d.num_spi); i++) {
1783 if (i != 0)
1784 ND_PRINT((ndo,","));
1785 if (!rawprint(ndo, (const uint8_t *)q, d.spi_size))
1786 goto trunc;
1787 q += d.spi_size;
1788 }
1789 return q;
1790 trunc:
1791 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_D)));
1792 return NULL;
1793 }
1794
1795 static const u_char *
1796 ikev1_vid_print(netdissect_options *ndo, u_char tpay _U_,
1797 const struct isakmp_gen *ext,
1798 u_int item_len _U_, const u_char *ep _U_,
1799 uint32_t phase _U_, uint32_t doi _U_,
1800 uint32_t proto _U_, int depth _U_)
1801 {
1802 struct isakmp_gen e;
1803
1804 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_VID)));
1805
1806 ND_TCHECK(*ext);
1807 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1808 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
1809 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1810 ND_PRINT((ndo," "));
1811 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
1812 goto trunc;
1813 }
1814 return (const u_char *)ext + ntohs(e.len);
1815 trunc:
1816 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_VID)));
1817 return NULL;
1818 }
1819
1820 /************************************************************/
1821 /* */
1822 /* IKE v2 - rfc4306 - dissector */
1823 /* */
1824 /************************************************************/
1825
1826 static void
1827 ikev2_pay_print(netdissect_options *ndo, const char *payname, int critical)
1828 {
1829 ND_PRINT((ndo,"%s%s:", payname, critical&0x80 ? "[C]" : ""));
1830 }
1831
1832 static const u_char *
1833 ikev2_gen_print(netdissect_options *ndo, u_char tpay,
1834 const struct isakmp_gen *ext)
1835 {
1836 struct isakmp_gen e;
1837
1838 ND_TCHECK(*ext);
1839 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1840 ikev2_pay_print(ndo, NPSTR(tpay), e.critical);
1841
1842 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
1843 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1844 ND_PRINT((ndo," "));
1845 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
1846 goto trunc;
1847 }
1848 return (const u_char *)ext + ntohs(e.len);
1849 trunc:
1850 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
1851 return NULL;
1852 }
1853
1854 static const u_char *
1855 ikev2_t_print(netdissect_options *ndo, int tcount,
1856 const struct isakmp_gen *ext, u_int item_len,
1857 const u_char *ep)
1858 {
1859 const struct ikev2_t *p;
1860 struct ikev2_t t;
1861 uint16_t t_id;
1862 const u_char *cp;
1863 const char *idstr;
1864 const struct attrmap *map;
1865 size_t nmap;
1866 const u_char *ep2;
1867
1868 p = (const struct ikev2_t *)ext;
1869 ND_TCHECK(*p);
1870 UNALIGNED_MEMCPY(&t, ext, sizeof(t));
1871 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_T), t.h.critical);
1872
1873 t_id = ntohs(t.t_id);
1874
1875 map = NULL;
1876 nmap = 0;
1877
1878 switch (t.t_type) {
1879 case IV2_T_ENCR:
1880 idstr = STR_OR_ID(t_id, esp_p_map);
1881 map = encr_t_map;
1882 nmap = sizeof(encr_t_map)/sizeof(encr_t_map[0]);
1883 break;
1884
1885 case IV2_T_PRF:
1886 idstr = STR_OR_ID(t_id, prf_p_map);
1887 break;
1888
1889 case IV2_T_INTEG:
1890 idstr = STR_OR_ID(t_id, integ_p_map);
1891 break;
1892
1893 case IV2_T_DH:
1894 idstr = STR_OR_ID(t_id, dh_p_map);
1895 break;
1896
1897 case IV2_T_ESN:
1898 idstr = STR_OR_ID(t_id, esn_p_map);
1899 break;
1900
1901 default:
1902 idstr = NULL;
1903 break;
1904 }
1905
1906 if (idstr)
1907 ND_PRINT((ndo," #%u type=%s id=%s ", tcount,
1908 STR_OR_ID(t.t_type, ikev2_t_type_map),
1909 idstr));
1910 else
1911 ND_PRINT((ndo," #%u type=%s id=%u ", tcount,
1912 STR_OR_ID(t.t_type, ikev2_t_type_map),
1913 t.t_id));
1914 cp = (const u_char *)(p + 1);
1915 ep2 = (const u_char *)p + item_len;
1916 while (cp < ep && cp < ep2) {
1917 if (map && nmap) {
1918 cp = ikev1_attrmap_print(ndo, cp, (ep < ep2) ? ep : ep2,
1919 map, nmap);
1920 } else
1921 cp = ikev1_attr_print(ndo, cp, (ep < ep2) ? ep : ep2);
1922 }
1923 if (ep < ep2)
1924 ND_PRINT((ndo,"..."));
1925 return cp;
1926 trunc:
1927 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_T)));
1928 return NULL;
1929 }
1930
1931 static const u_char *
1932 ikev2_p_print(netdissect_options *ndo, u_char tpay _U_, int pcount _U_,
1933 const struct isakmp_gen *ext, u_int oprop_length,
1934 const u_char *ep, int depth)
1935 {
1936 const struct ikev2_p *p;
1937 struct ikev2_p prop;
1938 u_int prop_length;
1939 const u_char *cp;
1940 int i;
1941 int tcount;
1942 u_char np;
1943 struct isakmp_gen e;
1944 u_int item_len;
1945
1946 p = (const struct ikev2_p *)ext;
1947 ND_TCHECK(*p);
1948 UNALIGNED_MEMCPY(&prop, ext, sizeof(prop));
1949
1950 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_P), prop.h.critical);
1951
1952 /*
1953 * ikev2_sa_print() guarantees that this is >= 4.
1954 */
1955 prop_length = oprop_length - 4;
1956 ND_PRINT((ndo," #%u protoid=%s transform=%d len=%u",
1957 prop.p_no, PROTOIDSTR(prop.prot_id),
1958 prop.num_t, oprop_length));
1959 cp = (const u_char *)(p + 1);
1960
1961 if (prop.spi_size) {
1962 if (prop_length < prop.spi_size)
1963 goto toolong;
1964 ND_PRINT((ndo," spi="));
1965 if (!rawprint(ndo, (const uint8_t *)cp, prop.spi_size))
1966 goto trunc;
1967 cp += prop.spi_size;
1968 prop_length -= prop.spi_size;
1969 }
1970
1971 /*
1972 * Print the transforms.
1973 */
1974 tcount = 0;
1975 for (np = ISAKMP_NPTYPE_T; np != 0; np = e.np) {
1976 tcount++;
1977 ext = (const struct isakmp_gen *)cp;
1978 if (prop_length < sizeof(*ext))
1979 goto toolong;
1980 ND_TCHECK(*ext);
1981
1982 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1983
1984 /*
1985 * Since we can't have a payload length of less than 4 bytes,
1986 * we need to bail out here if the generic header is nonsensical
1987 * or truncated, otherwise we could loop forever processing
1988 * zero-length items or otherwise misdissect the packet.
1989 */
1990 item_len = ntohs(e.len);
1991 if (item_len <= 4)
1992 goto trunc;
1993
1994 if (prop_length < item_len)
1995 goto toolong;
1996 ND_TCHECK2(*cp, item_len);
1997
1998 depth++;
1999 ND_PRINT((ndo,"\n"));
2000 for (i = 0; i < depth; i++)
2001 ND_PRINT((ndo," "));
2002 ND_PRINT((ndo,"("));
2003 if (np == ISAKMP_NPTYPE_T) {
2004 cp = ikev2_t_print(ndo, tcount, ext, item_len, ep);
2005 if (cp == NULL) {
2006 /* error, already reported */
2007 return NULL;
2008 }
2009 } else {
2010 ND_PRINT((ndo, "%s", NPSTR(np)));
2011 cp += item_len;
2012 }
2013 ND_PRINT((ndo,")"));
2014 depth--;
2015 prop_length -= item_len;
2016 }
2017 return cp;
2018 toolong:
2019 /*
2020 * Skip the rest of the proposal.
2021 */
2022 cp += prop_length;
2023 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_P)));
2024 return cp;
2025 trunc:
2026 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_P)));
2027 return NULL;
2028 }
2029
2030 static const u_char *
2031 ikev2_sa_print(netdissect_options *ndo, u_char tpay,
2032 const struct isakmp_gen *ext1,
2033 u_int osa_length, const u_char *ep,
2034 uint32_t phase _U_, uint32_t doi _U_,
2035 uint32_t proto _U_, int depth)
2036 {
2037 const struct isakmp_gen *ext;
2038 struct isakmp_gen e;
2039 u_int sa_length;
2040 const u_char *cp;
2041 int i;
2042 int pcount;
2043 u_char np;
2044 u_int item_len;
2045
2046 ND_TCHECK(*ext1);
2047 UNALIGNED_MEMCPY(&e, ext1, sizeof(e));
2048 ikev2_pay_print(ndo, "sa", e.critical);
2049
2050 /*
2051 * ikev2_sub0_print() guarantees that this is >= 4.
2052 */
2053 osa_length= ntohs(e.len);
2054 sa_length = osa_length - 4;
2055 ND_PRINT((ndo," len=%d", sa_length));
2056
2057 /*
2058 * Print the payloads.
2059 */
2060 cp = (const u_char *)(ext1 + 1);
2061 pcount = 0;
2062 for (np = ISAKMP_NPTYPE_P; np != 0; np = e.np) {
2063 pcount++;
2064 ext = (const struct isakmp_gen *)cp;
2065 if (sa_length < sizeof(*ext))
2066 goto toolong;
2067 ND_TCHECK(*ext);
2068
2069 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2070
2071 /*
2072 * Since we can't have a payload length of less than 4 bytes,
2073 * we need to bail out here if the generic header is nonsensical
2074 * or truncated, otherwise we could loop forever processing
2075 * zero-length items or otherwise misdissect the packet.
2076 */
2077 item_len = ntohs(e.len);
2078 if (item_len <= 4)
2079 goto trunc;
2080
2081 if (sa_length < item_len)
2082 goto toolong;
2083 ND_TCHECK2(*cp, item_len);
2084
2085 depth++;
2086 ND_PRINT((ndo,"\n"));
2087 for (i = 0; i < depth; i++)
2088 ND_PRINT((ndo," "));
2089 ND_PRINT((ndo,"("));
2090 if (np == ISAKMP_NPTYPE_P) {
2091 cp = ikev2_p_print(ndo, np, pcount, ext, item_len,
2092 ep, depth);
2093 if (cp == NULL) {
2094 /* error, already reported */
2095 return NULL;
2096 }
2097 } else {
2098 ND_PRINT((ndo, "%s", NPSTR(np)));
2099 cp += item_len;
2100 }
2101 ND_PRINT((ndo,")"));
2102 depth--;
2103 sa_length -= item_len;
2104 }
2105 return cp;
2106 toolong:
2107 /*
2108 * Skip the rest of the SA.
2109 */
2110 cp += sa_length;
2111 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2112 return cp;
2113 trunc:
2114 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2115 return NULL;
2116 }
2117
2118 static const u_char *
2119 ikev2_ke_print(netdissect_options *ndo, u_char tpay,
2120 const struct isakmp_gen *ext,
2121 u_int item_len _U_, const u_char *ep _U_,
2122 uint32_t phase _U_, uint32_t doi _U_,
2123 uint32_t proto _U_, int depth _U_)
2124 {
2125 struct ikev2_ke ke;
2126 const struct ikev2_ke *k;
2127
2128 k = (const struct ikev2_ke *)ext;
2129 ND_TCHECK(*ext);
2130 UNALIGNED_MEMCPY(&ke, ext, sizeof(ke));
2131 ikev2_pay_print(ndo, NPSTR(tpay), ke.h.critical);
2132
2133 ND_PRINT((ndo," len=%u group=%s", ntohs(ke.h.len) - 8,
2134 STR_OR_ID(ntohs(ke.ke_group), dh_p_map)));
2135
2136 if (2 < ndo->ndo_vflag && 8 < ntohs(ke.h.len)) {
2137 ND_PRINT((ndo," "));
2138 if (!rawprint(ndo, (const uint8_t *)(k + 1), ntohs(ke.h.len) - 8))
2139 goto trunc;
2140 }
2141 return (const u_char *)ext + ntohs(ke.h.len);
2142 trunc:
2143 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2144 return NULL;
2145 }
2146
2147 static const u_char *
2148 ikev2_ID_print(netdissect_options *ndo, u_char tpay,
2149 const struct isakmp_gen *ext,
2150 u_int item_len _U_, const u_char *ep _U_,
2151 uint32_t phase _U_, uint32_t doi _U_,
2152 uint32_t proto _U_, int depth _U_)
2153 {
2154 struct ikev2_id id;
2155 int id_len, idtype_len, i;
2156 unsigned int dumpascii, dumphex;
2157 const unsigned char *typedata;
2158
2159 ND_TCHECK(*ext);
2160 UNALIGNED_MEMCPY(&id, ext, sizeof(id));
2161 ikev2_pay_print(ndo, NPSTR(tpay), id.h.critical);
2162
2163 id_len = ntohs(id.h.len);
2164
2165 ND_PRINT((ndo," len=%d", id_len - 4));
2166 if (2 < ndo->ndo_vflag && 4 < id_len) {
2167 ND_PRINT((ndo," "));
2168 if (!rawprint(ndo, (const uint8_t *)(ext + 1), id_len - 4))
2169 goto trunc;
2170 }
2171
2172 idtype_len =id_len - sizeof(struct ikev2_id);
2173 dumpascii = 0;
2174 dumphex = 0;
2175 typedata = (const unsigned char *)(ext)+sizeof(struct ikev2_id);
2176
2177 switch(id.type) {
2178 case ID_IPV4_ADDR:
2179 ND_PRINT((ndo, " ipv4:"));
2180 dumphex=1;
2181 break;
2182 case ID_FQDN:
2183 ND_PRINT((ndo, " fqdn:"));
2184 dumpascii=1;
2185 break;
2186 case ID_RFC822_ADDR:
2187 ND_PRINT((ndo, " rfc822:"));
2188 dumpascii=1;
2189 break;
2190 case ID_IPV6_ADDR:
2191 ND_PRINT((ndo, " ipv6:"));
2192 dumphex=1;
2193 break;
2194 case ID_DER_ASN1_DN:
2195 ND_PRINT((ndo, " dn:"));
2196 dumphex=1;
2197 break;
2198 case ID_DER_ASN1_GN:
2199 ND_PRINT((ndo, " gn:"));
2200 dumphex=1;
2201 break;
2202 case ID_KEY_ID:
2203 ND_PRINT((ndo, " keyid:"));
2204 dumphex=1;
2205 break;
2206 }
2207
2208 if(dumpascii) {
2209 ND_TCHECK2(*typedata, idtype_len);
2210 for(i=0; i<idtype_len; i++) {
2211 if(ND_ISPRINT(typedata[i])) {
2212 ND_PRINT((ndo, "%c", typedata[i]));
2213 } else {
2214 ND_PRINT((ndo, "."));
2215 }
2216 }
2217 }
2218 if(dumphex) {
2219 if (!rawprint(ndo, (const uint8_t *)typedata, idtype_len))
2220 goto trunc;
2221 }
2222
2223 return (const u_char *)ext + id_len;
2224 trunc:
2225 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2226 return NULL;
2227 }
2228
2229 static const u_char *
2230 ikev2_cert_print(netdissect_options *ndo, u_char tpay,
2231 const struct isakmp_gen *ext,
2232 u_int item_len _U_, const u_char *ep _U_,
2233 uint32_t phase _U_, uint32_t doi _U_,
2234 uint32_t proto _U_, int depth _U_)
2235 {
2236 return ikev2_gen_print(ndo, tpay, ext);
2237 }
2238
2239 static const u_char *
2240 ikev2_cr_print(netdissect_options *ndo, u_char tpay,
2241 const struct isakmp_gen *ext,
2242 u_int item_len _U_, const u_char *ep _U_,
2243 uint32_t phase _U_, uint32_t doi _U_,
2244 uint32_t proto _U_, int depth _U_)
2245 {
2246 return ikev2_gen_print(ndo, tpay, ext);
2247 }
2248
2249 static const u_char *
2250 ikev2_auth_print(netdissect_options *ndo, u_char tpay,
2251 const struct isakmp_gen *ext,
2252 u_int item_len _U_, const u_char *ep,
2253 uint32_t phase _U_, uint32_t doi _U_,
2254 uint32_t proto _U_, int depth _U_)
2255 {
2256 struct ikev2_auth a;
2257 const char *v2_auth[]={ "invalid", "rsasig",
2258 "shared-secret", "dsssig" };
2259 const u_char *authdata = (const u_char*)ext + sizeof(a);
2260 unsigned int len;
2261
2262 ND_TCHECK(*ext);
2263 UNALIGNED_MEMCPY(&a, ext, sizeof(a));
2264 ikev2_pay_print(ndo, NPSTR(tpay), a.h.critical);
2265 len = ntohs(a.h.len);
2266
2267 ND_PRINT((ndo," len=%d method=%s", len-4,
2268 STR_OR_ID(a.auth_method, v2_auth)));
2269
2270 if (1 < ndo->ndo_vflag && 4 < len) {
2271 ND_PRINT((ndo," authdata=("));
2272 if (!rawprint(ndo, (const uint8_t *)authdata, len - sizeof(a)))
2273 goto trunc;
2274 ND_PRINT((ndo,") "));
2275 } else if(ndo->ndo_vflag && 4 < len) {
2276 if(!ike_show_somedata(ndo, authdata, ep)) goto trunc;
2277 }
2278
2279 return (const u_char *)ext + len;
2280 trunc:
2281 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2282 return NULL;
2283 }
2284
2285 static const u_char *
2286 ikev2_nonce_print(netdissect_options *ndo, u_char tpay,
2287 const struct isakmp_gen *ext,
2288 u_int item_len _U_, const u_char *ep,
2289 uint32_t phase _U_, uint32_t doi _U_,
2290 uint32_t proto _U_, int depth _U_)
2291 {
2292 struct isakmp_gen e;
2293
2294 ND_TCHECK(*ext);
2295 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2296 ikev2_pay_print(ndo, "nonce", e.critical);
2297
2298 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
2299 if (1 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
2300 ND_PRINT((ndo," nonce=("));
2301 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
2302 goto trunc;
2303 ND_PRINT((ndo,") "));
2304 } else if(ndo->ndo_vflag && 4 < ntohs(e.len)) {
2305 if(!ike_show_somedata(ndo, (const u_char *)(ext+1), ep)) goto trunc;
2306 }
2307
2308 return (const u_char *)ext + ntohs(e.len);
2309 trunc:
2310 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2311 return NULL;
2312 }
2313
2314 /* notify payloads */
2315 static const u_char *
2316 ikev2_n_print(netdissect_options *ndo, u_char tpay _U_,
2317 const struct isakmp_gen *ext,
2318 u_int item_len, const u_char *ep,
2319 uint32_t phase _U_, uint32_t doi _U_,
2320 uint32_t proto _U_, int depth _U_)
2321 {
2322 const struct ikev2_n *p;
2323 struct ikev2_n n;
2324 const u_char *cp;
2325 u_char showspi, showdata, showsomedata;
2326 const char *notify_name;
2327 uint32_t type;
2328
2329 p = (const struct ikev2_n *)ext;
2330 ND_TCHECK(*p);
2331 UNALIGNED_MEMCPY(&n, ext, sizeof(n));
2332 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_N), n.h.critical);
2333
2334 showspi = 1;
2335 showdata = 0;
2336 showsomedata=0;
2337 notify_name=NULL;
2338
2339 ND_PRINT((ndo," prot_id=%s", PROTOIDSTR(n.prot_id)));
2340
2341 type = ntohs(n.type);
2342
2343 /* notify space is annoying sparse */
2344 switch(type) {
2345 case IV2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD:
2346 notify_name = "unsupported_critical_payload";
2347 showspi = 0;
2348 break;
2349
2350 case IV2_NOTIFY_INVALID_IKE_SPI:
2351 notify_name = "invalid_ike_spi";
2352 showspi = 1;
2353 break;
2354
2355 case IV2_NOTIFY_INVALID_MAJOR_VERSION:
2356 notify_name = "invalid_major_version";
2357 showspi = 0;
2358 break;
2359
2360 case IV2_NOTIFY_INVALID_SYNTAX:
2361 notify_name = "invalid_syntax";
2362 showspi = 1;
2363 break;
2364
2365 case IV2_NOTIFY_INVALID_MESSAGE_ID:
2366 notify_name = "invalid_message_id";
2367 showspi = 1;
2368 break;
2369
2370 case IV2_NOTIFY_INVALID_SPI:
2371 notify_name = "invalid_spi";
2372 showspi = 1;
2373 break;
2374
2375 case IV2_NOTIFY_NO_PROPOSAL_CHOSEN:
2376 notify_name = "no_protocol_chosen";
2377 showspi = 1;
2378 break;
2379
2380 case IV2_NOTIFY_INVALID_KE_PAYLOAD:
2381 notify_name = "invalid_ke_payload";
2382 showspi = 1;
2383 break;
2384
2385 case IV2_NOTIFY_AUTHENTICATION_FAILED:
2386 notify_name = "authentication_failed";
2387 showspi = 1;
2388 break;
2389
2390 case IV2_NOTIFY_SINGLE_PAIR_REQUIRED:
2391 notify_name = "single_pair_required";
2392 showspi = 1;
2393 break;
2394
2395 case IV2_NOTIFY_NO_ADDITIONAL_SAS:
2396 notify_name = "no_additional_sas";
2397 showspi = 0;
2398 break;
2399
2400 case IV2_NOTIFY_INTERNAL_ADDRESS_FAILURE:
2401 notify_name = "internal_address_failure";
2402 showspi = 0;
2403 break;
2404
2405 case IV2_NOTIFY_FAILED_CP_REQUIRED:
2406 notify_name = "failed:cp_required";
2407 showspi = 0;
2408 break;
2409
2410 case IV2_NOTIFY_INVALID_SELECTORS:
2411 notify_name = "invalid_selectors";
2412 showspi = 0;
2413 break;
2414
2415 case IV2_NOTIFY_INITIAL_CONTACT:
2416 notify_name = "initial_contact";
2417 showspi = 0;
2418 break;
2419
2420 case IV2_NOTIFY_SET_WINDOW_SIZE:
2421 notify_name = "set_window_size";
2422 showspi = 0;
2423 break;
2424
2425 case IV2_NOTIFY_ADDITIONAL_TS_POSSIBLE:
2426 notify_name = "additional_ts_possible";
2427 showspi = 0;
2428 break;
2429
2430 case IV2_NOTIFY_IPCOMP_SUPPORTED:
2431 notify_name = "ipcomp_supported";
2432 showspi = 0;
2433 break;
2434
2435 case IV2_NOTIFY_NAT_DETECTION_SOURCE_IP:
2436 notify_name = "nat_detection_source_ip";
2437 showspi = 1;
2438 break;
2439
2440 case IV2_NOTIFY_NAT_DETECTION_DESTINATION_IP:
2441 notify_name = "nat_detection_destination_ip";
2442 showspi = 1;
2443 break;
2444
2445 case IV2_NOTIFY_COOKIE:
2446 notify_name = "cookie";
2447 showspi = 1;
2448 showsomedata= 1;
2449 showdata= 0;
2450 break;
2451
2452 case IV2_NOTIFY_USE_TRANSPORT_MODE:
2453 notify_name = "use_transport_mode";
2454 showspi = 0;
2455 break;
2456
2457 case IV2_NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED:
2458 notify_name = "http_cert_lookup_supported";
2459 showspi = 0;
2460 break;
2461
2462 case IV2_NOTIFY_REKEY_SA:
2463 notify_name = "rekey_sa";
2464 showspi = 1;
2465 break;
2466
2467 case IV2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED:
2468 notify_name = "tfc_padding_not_supported";
2469 showspi = 0;
2470 break;
2471
2472 case IV2_NOTIFY_NON_FIRST_FRAGMENTS_ALSO:
2473 notify_name = "non_first_fragment_also";
2474 showspi = 0;
2475 break;
2476
2477 default:
2478 if (type < 8192) {
2479 notify_name="error";
2480 } else if(type < 16384) {
2481 notify_name="private-error";
2482 } else if(type < 40960) {
2483 notify_name="status";
2484 } else {
2485 notify_name="private-status";
2486 }
2487 }
2488
2489 if(notify_name) {
2490 ND_PRINT((ndo," type=%u(%s)", type, notify_name));
2491 }
2492
2493
2494 if (showspi && n.spi_size) {
2495 ND_PRINT((ndo," spi="));
2496 if (!rawprint(ndo, (const uint8_t *)(p + 1), n.spi_size))
2497 goto trunc;
2498 }
2499
2500 cp = (const u_char *)(p + 1) + n.spi_size;
2501
2502 if(3 < ndo->ndo_vflag) {
2503 showdata = 1;
2504 }
2505
2506 if ((showdata || (showsomedata && ep-cp < 30)) && cp < ep) {
2507 ND_PRINT((ndo," data=("));
2508 if (!rawprint(ndo, (const uint8_t *)(cp), ep - cp))
2509 goto trunc;
2510
2511 ND_PRINT((ndo,")"));
2512
2513 } else if(showsomedata && cp < ep) {
2514 if(!ike_show_somedata(ndo, cp, ep)) goto trunc;
2515 }
2516
2517 return (const u_char *)ext + item_len;
2518 trunc:
2519 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_N)));
2520 return NULL;
2521 }
2522
2523 static const u_char *
2524 ikev2_d_print(netdissect_options *ndo, u_char tpay,
2525 const struct isakmp_gen *ext,
2526 u_int item_len _U_, const u_char *ep _U_,
2527 uint32_t phase _U_, uint32_t doi _U_,
2528 uint32_t proto _U_, int depth _U_)
2529 {
2530 return ikev2_gen_print(ndo, tpay, ext);
2531 }
2532
2533 static const u_char *
2534 ikev2_vid_print(netdissect_options *ndo, u_char tpay,
2535 const struct isakmp_gen *ext,
2536 u_int item_len _U_, const u_char *ep _U_,
2537 uint32_t phase _U_, uint32_t doi _U_,
2538 uint32_t proto _U_, int depth _U_)
2539 {
2540 struct isakmp_gen e;
2541 const u_char *vid;
2542 int i, len;
2543
2544 ND_TCHECK(*ext);
2545 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2546 ikev2_pay_print(ndo, NPSTR(tpay), e.critical);
2547 ND_PRINT((ndo," len=%d vid=", ntohs(e.len) - 4));
2548
2549 vid = (const u_char *)(ext+1);
2550 len = ntohs(e.len) - 4;
2551 ND_TCHECK2(*vid, len);
2552 for(i=0; i<len; i++) {
2553 if(ND_ISPRINT(vid[i])) ND_PRINT((ndo, "%c", vid[i]));
2554 else ND_PRINT((ndo, "."));
2555 }
2556 if (2 < ndo->ndo_vflag && 4 < len) {
2557 ND_PRINT((ndo," "));
2558 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
2559 goto trunc;
2560 }
2561 return (const u_char *)ext + ntohs(e.len);
2562 trunc:
2563 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2564 return NULL;
2565 }
2566
2567 static const u_char *
2568 ikev2_TS_print(netdissect_options *ndo, u_char tpay,
2569 const struct isakmp_gen *ext,
2570 u_int item_len _U_, const u_char *ep _U_,
2571 uint32_t phase _U_, uint32_t doi _U_,
2572 uint32_t proto _U_, int depth _U_)
2573 {
2574 return ikev2_gen_print(ndo, tpay, ext);
2575 }
2576
2577 static const u_char *
2578 ikev2_e_print(netdissect_options *ndo,
2579 #ifndef HAVE_LIBCRYPTO
2580 _U_
2581 #endif
2582 struct isakmp *base,
2583 u_char tpay,
2584 const struct isakmp_gen *ext,
2585 u_int item_len _U_, const u_char *ep _U_,
2586 #ifndef HAVE_LIBCRYPTO
2587 _U_
2588 #endif
2589 uint32_t phase,
2590 #ifndef HAVE_LIBCRYPTO
2591 _U_
2592 #endif
2593 uint32_t doi,
2594 #ifndef HAVE_LIBCRYPTO
2595 _U_
2596 #endif
2597 uint32_t proto,
2598 #ifndef HAVE_LIBCRYPTO
2599 _U_
2600 #endif
2601 int depth)
2602 {
2603 struct isakmp_gen e;
2604 const u_char *dat;
2605 volatile int dlen;
2606
2607 ND_TCHECK(*ext);
2608 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2609 ikev2_pay_print(ndo, NPSTR(tpay), e.critical);
2610
2611 dlen = ntohs(e.len)-4;
2612
2613 ND_PRINT((ndo," len=%d", dlen));
2614 if (2 < ndo->ndo_vflag && 4 < dlen) {
2615 ND_PRINT((ndo," "));
2616 if (!rawprint(ndo, (const uint8_t *)(ext + 1), dlen))
2617 goto trunc;
2618 }
2619
2620 dat = (const u_char *)(ext+1);
2621 ND_TCHECK2(*dat, dlen);
2622
2623 #ifdef HAVE_LIBCRYPTO
2624 /* try to decypt it! */
2625 if(esp_print_decrypt_buffer_by_ikev2(ndo,
2626 base->flags & ISAKMP_FLAG_I,
2627 base->i_ck, base->r_ck,
2628 dat, dat+dlen)) {
2629
2630 ext = (const struct isakmp_gen *)ndo->ndo_packetp;
2631
2632 /* got it decrypted, print stuff inside. */
2633 ikev2_sub_print(ndo, base, e.np, ext, ndo->ndo_snapend,
2634 phase, doi, proto, depth+1);
2635 }
2636 #endif
2637
2638
2639 /* always return NULL, because E must be at end, and NP refers
2640 * to what was inside.
2641 */
2642 return NULL;
2643 trunc:
2644 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2645 return NULL;
2646 }
2647
2648 static const u_char *
2649 ikev2_cp_print(netdissect_options *ndo, u_char tpay,
2650 const struct isakmp_gen *ext,
2651 u_int item_len _U_, const u_char *ep _U_,
2652 uint32_t phase _U_, uint32_t doi _U_,
2653 uint32_t proto _U_, int depth _U_)
2654 {
2655 return ikev2_gen_print(ndo, tpay, ext);
2656 }
2657
2658 static const u_char *
2659 ikev2_eap_print(netdissect_options *ndo, u_char tpay,
2660 const struct isakmp_gen *ext,
2661 u_int item_len _U_, const u_char *ep _U_,
2662 uint32_t phase _U_, uint32_t doi _U_,
2663 uint32_t proto _U_, int depth _U_)
2664 {
2665 return ikev2_gen_print(ndo, tpay, ext);
2666 }
2667
2668 static const u_char *
2669 ike_sub0_print(netdissect_options *ndo,
2670 u_char np, const struct isakmp_gen *ext, const u_char *ep,
2671
2672 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
2673 {
2674 const u_char *cp;
2675 struct isakmp_gen e;
2676 u_int item_len;
2677
2678 cp = (const u_char *)ext;
2679 ND_TCHECK(*ext);
2680 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2681
2682 /*
2683 * Since we can't have a payload length of less than 4 bytes,
2684 * we need to bail out here if the generic header is nonsensical
2685 * or truncated, otherwise we could loop forever processing
2686 * zero-length items or otherwise misdissect the packet.
2687 */
2688 item_len = ntohs(e.len);
2689 if (item_len <= 4)
2690 return NULL;
2691
2692 if (NPFUNC(np)) {
2693 /*
2694 * XXX - what if item_len is too short, or too long,
2695 * for this payload type?
2696 */
2697 cp = (*npfunc[np])(ndo, np, ext, item_len, ep, phase, doi, proto, depth);
2698 } else {
2699 ND_PRINT((ndo,"%s", NPSTR(np)));
2700 cp += item_len;
2701 }
2702
2703 return cp;
2704 trunc:
2705 ND_PRINT((ndo," [|isakmp]"));
2706 return NULL;
2707 }
2708
2709 static const u_char *
2710 ikev1_sub_print(netdissect_options *ndo,
2711 u_char np, const struct isakmp_gen *ext, const u_char *ep,
2712 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
2713 {
2714 const u_char *cp;
2715 int i;
2716 struct isakmp_gen e;
2717
2718 cp = (const u_char *)ext;
2719
2720 while (np) {
2721 ND_TCHECK(*ext);
2722
2723 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2724
2725 ND_TCHECK2(*ext, ntohs(e.len));
2726
2727 depth++;
2728 ND_PRINT((ndo,"\n"));
2729 for (i = 0; i < depth; i++)
2730 ND_PRINT((ndo," "));
2731 ND_PRINT((ndo,"("));
2732 cp = ike_sub0_print(ndo, np, ext, ep, phase, doi, proto, depth);
2733 ND_PRINT((ndo,")"));
2734 depth--;
2735
2736 if (cp == NULL) {
2737 /* Zero-length subitem */
2738 return NULL;
2739 }
2740
2741 np = e.np;
2742 ext = (const struct isakmp_gen *)cp;
2743 }
2744 return cp;
2745 trunc:
2746 ND_PRINT((ndo," [|%s]", NPSTR(np)));
2747 return NULL;
2748 }
2749
2750 static char *
2751 numstr(int x)
2752 {
2753 static char buf[20];
2754 snprintf(buf, sizeof(buf), "#%d", x);
2755 return buf;
2756 }
2757
2758 static void
2759 ikev1_print(netdissect_options *ndo,
2760 const u_char *bp, u_int length,
2761 const u_char *bp2, struct isakmp *base)
2762 {
2763 const struct isakmp *p;
2764 const u_char *ep;
2765 u_char np;
2766 int i;
2767 int phase;
2768
2769 p = (const struct isakmp *)bp;
2770 ep = ndo->ndo_snapend;
2771
2772 phase = (EXTRACT_32BITS(base->msgid) == 0) ? 1 : 2;
2773 if (phase == 1)
2774 ND_PRINT((ndo," phase %d", phase));
2775 else
2776 ND_PRINT((ndo," phase %d/others", phase));
2777
2778 i = cookie_find(&base->i_ck);
2779 if (i < 0) {
2780 if (iszero((const u_char *)&base->r_ck, sizeof(base->r_ck))) {
2781 /* the first packet */
2782 ND_PRINT((ndo," I"));
2783 if (bp2)
2784 cookie_record(&base->i_ck, bp2);
2785 } else
2786 ND_PRINT((ndo," ?"));
2787 } else {
2788 if (bp2 && cookie_isinitiator(i, bp2))
2789 ND_PRINT((ndo," I"));
2790 else if (bp2 && cookie_isresponder(i, bp2))
2791 ND_PRINT((ndo," R"));
2792 else
2793 ND_PRINT((ndo," ?"));
2794 }
2795
2796 ND_PRINT((ndo," %s", ETYPESTR(base->etype)));
2797 if (base->flags) {
2798 ND_PRINT((ndo,"[%s%s]", base->flags & ISAKMP_FLAG_E ? "E" : "",
2799 base->flags & ISAKMP_FLAG_C ? "C" : ""));
2800 }
2801
2802 if (ndo->ndo_vflag) {
2803 const struct isakmp_gen *ext;
2804
2805 ND_PRINT((ndo,":"));
2806
2807 /* regardless of phase... */
2808 if (base->flags & ISAKMP_FLAG_E) {
2809 /*
2810 * encrypted, nothing we can do right now.
2811 * we hope to decrypt the packet in the future...
2812 */
2813 ND_PRINT((ndo," [encrypted %s]", NPSTR(base->np)));
2814 goto done;
2815 }
2816
2817 CHECKLEN(p + 1, base->np);
2818 np = base->np;
2819 ext = (const struct isakmp_gen *)(p + 1);
2820 ikev1_sub_print(ndo, np, ext, ep, phase, 0, 0, 0);
2821 }
2822
2823 done:
2824 if (ndo->ndo_vflag) {
2825 if (ntohl(base->len) != length) {
2826 ND_PRINT((ndo," (len mismatch: isakmp %u/ip %u)",
2827 (uint32_t)ntohl(base->len), length));
2828 }
2829 }
2830 }
2831
2832 static const u_char *
2833 ikev2_sub0_print(netdissect_options *ndo, struct isakmp *base,
2834 u_char np,
2835 const struct isakmp_gen *ext, const u_char *ep,
2836 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
2837 {
2838 const u_char *cp;
2839 struct isakmp_gen e;
2840 u_int item_len;
2841
2842 cp = (const u_char *)ext;
2843 ND_TCHECK(*ext);
2844 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2845
2846 /*
2847 * Since we can't have a payload length of less than 4 bytes,
2848 * we need to bail out here if the generic header is nonsensical
2849 * or truncated, otherwise we could loop forever processing
2850 * zero-length items or otherwise misdissect the packet.
2851 */
2852 item_len = ntohs(e.len);
2853 if (item_len <= 4)
2854 return NULL;
2855
2856 if (np == ISAKMP_NPTYPE_v2E) {
2857 cp = ikev2_e_print(ndo, base, np, ext, item_len,
2858 ep, phase, doi, proto, depth);
2859 } else if (NPFUNC(np)) {
2860 /*
2861 * XXX - what if item_len is too short, or too long,
2862 * for this payload type?
2863 */
2864 cp = (*npfunc[np])(ndo, np, ext, item_len,
2865 ep, phase, doi, proto, depth);
2866 } else {
2867 ND_PRINT((ndo,"%s", NPSTR(np)));
2868 cp += item_len;
2869 }
2870
2871 return cp;
2872 trunc:
2873 ND_PRINT((ndo," [|isakmp]"));
2874 return NULL;
2875 }
2876
2877 static const u_char *
2878 ikev2_sub_print(netdissect_options *ndo,
2879 struct isakmp *base,
2880 u_char np, const struct isakmp_gen *ext, const u_char *ep,
2881 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
2882 {
2883 const u_char *cp;
2884 int i;
2885 struct isakmp_gen e;
2886
2887 cp = (const u_char *)ext;
2888 while (np) {
2889 ND_TCHECK(*ext);
2890
2891 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2892
2893 ND_TCHECK2(*ext, ntohs(e.len));
2894
2895 depth++;
2896 ND_PRINT((ndo,"\n"));
2897 for (i = 0; i < depth; i++)
2898 ND_PRINT((ndo," "));
2899 ND_PRINT((ndo,"("));
2900 cp = ikev2_sub0_print(ndo, base, np,
2901 ext, ep, phase, doi, proto, depth);
2902 ND_PRINT((ndo,")"));
2903 depth--;
2904
2905 if (cp == NULL) {
2906 /* Zero-length subitem */
2907 return NULL;
2908 }
2909
2910 np = e.np;
2911 ext = (const struct isakmp_gen *)cp;
2912 }
2913 return cp;
2914 trunc:
2915 ND_PRINT((ndo," [|%s]", NPSTR(np)));
2916 return NULL;
2917 }
2918
2919 static void
2920 ikev2_print(netdissect_options *ndo,
2921 const u_char *bp, u_int length,
2922 const u_char *bp2 _U_, struct isakmp *base)
2923 {
2924 const struct isakmp *p;
2925 const u_char *ep;
2926 u_char np;
2927 int phase;
2928
2929 p = (const struct isakmp *)bp;
2930 ep = ndo->ndo_snapend;
2931
2932 phase = (EXTRACT_32BITS(base->msgid) == 0) ? 1 : 2;
2933 if (phase == 1)
2934 ND_PRINT((ndo, " parent_sa"));
2935 else
2936 ND_PRINT((ndo, " child_sa "));
2937
2938 ND_PRINT((ndo, " %s", ETYPESTR(base->etype)));
2939 if (base->flags) {
2940 ND_PRINT((ndo, "[%s%s%s]",
2941 base->flags & ISAKMP_FLAG_I ? "I" : "",
2942 base->flags & ISAKMP_FLAG_V ? "V" : "",
2943 base->flags & ISAKMP_FLAG_R ? "R" : ""));
2944 }
2945
2946 if (ndo->ndo_vflag) {
2947 const struct isakmp_gen *ext;
2948
2949 ND_PRINT((ndo, ":"));
2950
2951 /* regardless of phase... */
2952 if (base->flags & ISAKMP_FLAG_E) {
2953 /*
2954 * encrypted, nothing we can do right now.
2955 * we hope to decrypt the packet in the future...
2956 */
2957 ND_PRINT((ndo, " [encrypted %s]", NPSTR(base->np)));
2958 goto done;
2959 }
2960
2961 CHECKLEN(p + 1, base->np)
2962
2963 np = base->np;
2964 ext = (const struct isakmp_gen *)(p + 1);
2965 ikev2_sub_print(ndo, base, np, ext, ep, phase, 0, 0, 0);
2966 }
2967
2968 done:
2969 if (ndo->ndo_vflag) {
2970 if (ntohl(base->len) != length) {
2971 ND_PRINT((ndo, " (len mismatch: isakmp %u/ip %u)",
2972 (uint32_t)ntohl(base->len), length));
2973 }
2974 }
2975 }
2976
2977 void
2978 isakmp_print(netdissect_options *ndo,
2979 const u_char *bp, u_int length,
2980 const u_char *bp2)
2981 {
2982 const struct isakmp *p;
2983 struct isakmp base;
2984 const u_char *ep;
2985 int major, minor;
2986
2987 #ifdef HAVE_LIBCRYPTO
2988 /* initialize SAs */
2989 if (ndo->ndo_sa_list_head == NULL) {
2990 if (ndo->ndo_espsecret)
2991 esp_print_decodesecret(ndo);
2992 }
2993 #endif
2994
2995 p = (const struct isakmp *)bp;
2996 ep = ndo->ndo_snapend;
2997
2998 if ((const struct isakmp *)ep < p + 1) {
2999 ND_PRINT((ndo,"[|isakmp]"));
3000 return;
3001 }
3002
3003 UNALIGNED_MEMCPY(&base, p, sizeof(base));
3004
3005 ND_PRINT((ndo,"isakmp"));
3006 major = (base.vers & ISAKMP_VERS_MAJOR)
3007 >> ISAKMP_VERS_MAJOR_SHIFT;
3008 minor = (base.vers & ISAKMP_VERS_MINOR)
3009 >> ISAKMP_VERS_MINOR_SHIFT;
3010
3011 if (ndo->ndo_vflag) {
3012 ND_PRINT((ndo," %d.%d", major, minor));
3013 }
3014
3015 if (ndo->ndo_vflag) {
3016 ND_PRINT((ndo," msgid "));
3017 hexprint(ndo, (const uint8_t *)&base.msgid, sizeof(base.msgid));
3018 }
3019
3020 if (1 < ndo->ndo_vflag) {
3021 ND_PRINT((ndo," cookie "));
3022 hexprint(ndo, (const uint8_t *)&base.i_ck, sizeof(base.i_ck));
3023 ND_PRINT((ndo,"->"));
3024 hexprint(ndo, (const uint8_t *)&base.r_ck, sizeof(base.r_ck));
3025 }
3026 ND_PRINT((ndo,":"));
3027
3028 switch(major) {
3029 case IKEv1_MAJOR_VERSION:
3030 ikev1_print(ndo, bp, length, bp2, &base);
3031 break;
3032
3033 case IKEv2_MAJOR_VERSION:
3034 ikev2_print(ndo, bp, length, bp2, &base);
3035 break;
3036 }
3037 }
3038
3039 void
3040 isakmp_rfc3948_print(netdissect_options *ndo,
3041 const u_char *bp, u_int length,
3042 const u_char *bp2)
3043 {
3044 ND_TCHECK(bp[0]);
3045 if(length == 1 && bp[0]==0xff) {
3046 ND_PRINT((ndo, "isakmp-nat-keep-alive"));
3047 return;
3048 }
3049
3050 if(length < 4) {
3051 goto trunc;
3052 }
3053 ND_TCHECK(bp[3]);
3054
3055 /*
3056 * see if this is an IKE packet
3057 */
3058 if(bp[0]==0 && bp[1]==0 && bp[2]==0 && bp[3]==0) {
3059 ND_PRINT((ndo, "NONESP-encap: "));
3060 isakmp_print(ndo, bp+4, length-4, bp2);
3061 return;
3062 }
3063
3064 /* must be an ESP packet */
3065 {
3066 int nh, enh, padlen;
3067 int advance;
3068
3069 ND_PRINT((ndo, "UDP-encap: "));
3070
3071 advance = esp_print(ndo, bp, length, bp2, &enh, &padlen);
3072 if(advance <= 0)
3073 return;
3074
3075 bp += advance;
3076 length -= advance + padlen;
3077 nh = enh & 0xff;
3078
3079 ip_print_inner(ndo, bp, length, nh, bp2);
3080 return;
3081 }
3082
3083 trunc:
3084 ND_PRINT((ndo,"[|isakmp]"));
3085 return;
3086 }
3087
3088 /*
3089 * Local Variables:
3090 * c-style: whitesmith
3091 * c-basic-offset: 8
3092 * End:
3093 */
3094
3095
3096
3097
[mirror] the TCPdump network dissector