]> The Tcpdump Group git mirrors - tcpdump/blob - print-isakmp.c
projects / tcpdump / blob
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
dismiss NETDISSECT_REWORKED macro
[tcpdump] / print-isakmp.c
1 /*
2 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. Neither the name of the project nor the names of its contributors
14 * may be used to endorse or promote products derived from this software
15 * without specific prior written permission.
16 *
17 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27 * SUCH DAMAGE.
28 *
29 */
30
31 #ifdef HAVE_CONFIG_H
32 #include "config.h"
33 #endif
34
35 /* The functions from print-esp.c used in this file are only defined when both
36 * OpenSSL and evp.h are detected. Employ the same preprocessor device here.
37 */
38 #ifndef HAVE_OPENSSL_EVP_H
39 #undef HAVE_LIBCRYPTO
40 #endif
41
42 #include <tcpdump-stdinc.h>
43
44 #include <string.h>
45
46 #include "interface.h"
47 #include "addrtoname.h"
48 #include "extract.h" /* must come after interface.h */
49
50 #include "ip.h"
51 #ifdef INET6
52 #include "ip6.h"
53 #endif
54
55 /* refer to RFC 2408 */
56
57 typedef u_char cookie_t[8];
58 typedef u_char msgid_t[4];
59
60 #define PORT_ISAKMP 500
61
62 /* 3.1 ISAKMP Header Format (IKEv1 and IKEv2)
63 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
64 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
65 ! Initiator !
66 ! Cookie !
67 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
68 ! Responder !
69 ! Cookie !
70 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
71 ! Next Payload ! MjVer ! MnVer ! Exchange Type ! Flags !
72 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
73 ! Message ID !
74 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
75 ! Length !
76 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
77 */
78 struct isakmp {
79 cookie_t i_ck; /* Initiator Cookie */
80 cookie_t r_ck; /* Responder Cookie */
81 uint8_t np; /* Next Payload Type */
82 uint8_t vers;
83 #define ISAKMP_VERS_MAJOR 0xf0
84 #define ISAKMP_VERS_MAJOR_SHIFT 4
85 #define ISAKMP_VERS_MINOR 0x0f
86 #define ISAKMP_VERS_MINOR_SHIFT 0
87 uint8_t etype; /* Exchange Type */
88 uint8_t flags; /* Flags */
89 msgid_t msgid;
90 uint32_t len; /* Length */
91 };
92
93 /* Next Payload Type */
94 #define ISAKMP_NPTYPE_NONE 0 /* NONE*/
95 #define ISAKMP_NPTYPE_SA 1 /* Security Association */
96 #define ISAKMP_NPTYPE_P 2 /* Proposal */
97 #define ISAKMP_NPTYPE_T 3 /* Transform */
98 #define ISAKMP_NPTYPE_KE 4 /* Key Exchange */
99 #define ISAKMP_NPTYPE_ID 5 /* Identification */
100 #define ISAKMP_NPTYPE_CERT 6 /* Certificate */
101 #define ISAKMP_NPTYPE_CR 7 /* Certificate Request */
102 #define ISAKMP_NPTYPE_HASH 8 /* Hash */
103 #define ISAKMP_NPTYPE_SIG 9 /* Signature */
104 #define ISAKMP_NPTYPE_NONCE 10 /* Nonce */
105 #define ISAKMP_NPTYPE_N 11 /* Notification */
106 #define ISAKMP_NPTYPE_D 12 /* Delete */
107 #define ISAKMP_NPTYPE_VID 13 /* Vendor ID */
108 #define ISAKMP_NPTYPE_v2E 46 /* v2 Encrypted payload */
109
110 #define IKEv1_MAJOR_VERSION 1
111 #define IKEv1_MINOR_VERSION 0
112
113 #define IKEv2_MAJOR_VERSION 2
114 #define IKEv2_MINOR_VERSION 0
115
116 /* Flags */
117 #define ISAKMP_FLAG_E 0x01 /* Encryption Bit */
118 #define ISAKMP_FLAG_C 0x02 /* Commit Bit */
119 #define ISAKMP_FLAG_extra 0x04
120
121 /* IKEv2 */
122 #define ISAKMP_FLAG_I (1 << 3) /* (I)nitiator */
123 #define ISAKMP_FLAG_V (1 << 4) /* (V)ersion */
124 #define ISAKMP_FLAG_R (1 << 5) /* (R)esponse */
125
126
127 /* 3.2 Payload Generic Header
128 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
129 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
130 ! Next Payload ! RESERVED ! Payload Length !
131 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
132 */
133 struct isakmp_gen {
134 uint8_t np; /* Next Payload */
135 uint8_t critical; /* bit 7 - critical, rest is RESERVED */
136 uint16_t len; /* Payload Length */
137 };
138
139 /* 3.3 Data Attributes
140 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
141 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
142 !A! Attribute Type ! AF=0 Attribute Length !
143 !F! ! AF=1 Attribute Value !
144 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
145 . AF=0 Attribute Value .
146 . AF=1 Not Transmitted .
147 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
148 */
149 struct isakmp_data {
150 uint16_t type; /* defined by DOI-spec, and Attribute Format */
151 uint16_t lorv; /* if f equal 1, Attribute Length */
152 /* if f equal 0, Attribute Value */
153 /* if f equal 1, Attribute Value */
154 };
155
156 /* 3.4 Security Association Payload */
157 /* MAY NOT be used, because of being defined in ipsec-doi. */
158 /*
159 If the current payload is the last in the message,
160 then the value of the next payload field will be 0.
161 This field MUST NOT contain the
162 values for the Proposal or Transform payloads as they are considered
163 part of the security association negotiation. For example, this
164 field would contain the value "10" (Nonce payload) in the first
165 message of a Base Exchange (see Section 4.4) and the value "0" in the
166 first message of an Identity Protect Exchange (see Section 4.5).
167 */
168 struct ikev1_pl_sa {
169 struct isakmp_gen h;
170 uint32_t doi; /* Domain of Interpretation */
171 uint32_t sit; /* Situation */
172 };
173
174 /* 3.5 Proposal Payload */
175 /*
176 The value of the next payload field MUST only contain the value "2"
177 or "0". If there are additional Proposal payloads in the message,
178 then this field will be 2. If the current Proposal payload is the
179 last within the security association proposal, then this field will
180 be 0.
181 */
182 struct ikev1_pl_p {
183 struct isakmp_gen h;
184 uint8_t p_no; /* Proposal # */
185 uint8_t prot_id; /* Protocol */
186 uint8_t spi_size; /* SPI Size */
187 uint8_t num_t; /* Number of Transforms */
188 /* SPI */
189 };
190
191 /* 3.6 Transform Payload */
192 /*
193 The value of the next payload field MUST only contain the value "3"
194 or "0". If there are additional Transform payloads in the proposal,
195 then this field will be 3. If the current Transform payload is the
196 last within the proposal, then this field will be 0.
197 */
198 struct ikev1_pl_t {
199 struct isakmp_gen h;
200 uint8_t t_no; /* Transform # */
201 uint8_t t_id; /* Transform-Id */
202 uint16_t reserved; /* RESERVED2 */
203 /* SA Attributes */
204 };
205
206 /* 3.7 Key Exchange Payload */
207 struct ikev1_pl_ke {
208 struct isakmp_gen h;
209 /* Key Exchange Data */
210 };
211
212 /* 3.8 Identification Payload */
213 /* MUST NOT to be used, because of being defined in ipsec-doi. */
214 struct ikev1_pl_id {
215 struct isakmp_gen h;
216 union {
217 uint8_t id_type; /* ID Type */
218 uint32_t doi_data; /* DOI Specific ID Data */
219 } d;
220 /* Identification Data */
221 };
222
223 /* 3.9 Certificate Payload */
224 struct ikev1_pl_cert {
225 struct isakmp_gen h;
226 uint8_t encode; /* Cert Encoding */
227 char cert; /* Certificate Data */
228 /*
229 This field indicates the type of
230 certificate or certificate-related information contained in the
231 Certificate Data field.
232 */
233 };
234
235 /* 3.10 Certificate Request Payload */
236 struct ikev1_pl_cr {
237 struct isakmp_gen h;
238 uint8_t num_cert; /* # Cert. Types */
239 /*
240 Certificate Types (variable length)
241 -- Contains a list of the types of certificates requested,
242 sorted in order of preference. Each individual certificate
243 type is 1 octet. This field is NOT requiredo
244 */
245 /* # Certificate Authorities (1 octet) */
246 /* Certificate Authorities (variable length) */
247 };
248
249 /* 3.11 Hash Payload */
250 /* may not be used, because of having only data. */
251 struct ikev1_pl_hash {
252 struct isakmp_gen h;
253 /* Hash Data */
254 };
255
256 /* 3.12 Signature Payload */
257 /* may not be used, because of having only data. */
258 struct ikev1_pl_sig {
259 struct isakmp_gen h;
260 /* Signature Data */
261 };
262
263 /* 3.13 Nonce Payload */
264 /* may not be used, because of having only data. */
265 struct ikev1_pl_nonce {
266 struct isakmp_gen h;
267 /* Nonce Data */
268 };
269
270 /* 3.14 Notification Payload */
271 struct ikev1_pl_n {
272 struct isakmp_gen h;
273 uint32_t doi; /* Domain of Interpretation */
274 uint8_t prot_id; /* Protocol-ID */
275 uint8_t spi_size; /* SPI Size */
276 uint16_t type; /* Notify Message Type */
277 /* SPI */
278 /* Notification Data */
279 };
280
281 /* 3.14.1 Notify Message Types */
282 /* NOTIFY MESSAGES - ERROR TYPES */
283 #define ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE 1
284 #define ISAKMP_NTYPE_DOI_NOT_SUPPORTED 2
285 #define ISAKMP_NTYPE_SITUATION_NOT_SUPPORTED 3
286 #define ISAKMP_NTYPE_INVALID_COOKIE 4
287 #define ISAKMP_NTYPE_INVALID_MAJOR_VERSION 5
288 #define ISAKMP_NTYPE_INVALID_MINOR_VERSION 6
289 #define ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE 7
290 #define ISAKMP_NTYPE_INVALID_FLAGS 8
291 #define ISAKMP_NTYPE_INVALID_MESSAGE_ID 9
292 #define ISAKMP_NTYPE_INVALID_PROTOCOL_ID 10
293 #define ISAKMP_NTYPE_INVALID_SPI 11
294 #define ISAKMP_NTYPE_INVALID_TRANSFORM_ID 12
295 #define ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED 13
296 #define ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN 14
297 #define ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX 15
298 #define ISAKMP_NTYPE_PAYLOAD_MALFORMED 16
299 #define ISAKMP_NTYPE_INVALID_KEY_INFORMATION 17
300 #define ISAKMP_NTYPE_INVALID_ID_INFORMATION 18
301 #define ISAKMP_NTYPE_INVALID_CERT_ENCODING 19
302 #define ISAKMP_NTYPE_INVALID_CERTIFICATE 20
303 #define ISAKMP_NTYPE_BAD_CERT_REQUEST_SYNTAX 21
304 #define ISAKMP_NTYPE_INVALID_CERT_AUTHORITY 22
305 #define ISAKMP_NTYPE_INVALID_HASH_INFORMATION 23
306 #define ISAKMP_NTYPE_AUTHENTICATION_FAILED 24
307 #define ISAKMP_NTYPE_INVALID_SIGNATURE 25
308 #define ISAKMP_NTYPE_ADDRESS_NOTIFICATION 26
309
310 /* 3.15 Delete Payload */
311 struct ikev1_pl_d {
312 struct isakmp_gen h;
313 uint32_t doi; /* Domain of Interpretation */
314 uint8_t prot_id; /* Protocol-Id */
315 uint8_t spi_size; /* SPI Size */
316 uint16_t num_spi; /* # of SPIs */
317 /* SPI(es) */
318 };
319
320 struct ikev1_ph1tab {
321 struct ikev1_ph1 *head;
322 struct ikev1_ph1 *tail;
323 int len;
324 };
325
326 struct isakmp_ph2tab {
327 struct ikev1_ph2 *head;
328 struct ikev1_ph2 *tail;
329 int len;
330 };
331
332 /* IKEv2 (RFC4306) */
333
334 /* 3.3 Security Association Payload -- generic header */
335 /* 3.3.1. Proposal Substructure */
336 struct ikev2_p {
337 struct isakmp_gen h;
338 uint8_t p_no; /* Proposal # */
339 uint8_t prot_id; /* Protocol */
340 uint8_t spi_size; /* SPI Size */
341 uint8_t num_t; /* Number of Transforms */
342 };
343
344 /* 3.3.2. Transform Substructure */
345 struct ikev2_t {
346 struct isakmp_gen h;
347 uint8_t t_type; /* Transform Type (ENCR,PRF,INTEG,etc.*/
348 uint8_t res2; /* reserved byte */
349 uint16_t t_id; /* Transform ID */
350 };
351
352 enum ikev2_t_type {
353 IV2_T_ENCR = 1,
354 IV2_T_PRF = 2,
355 IV2_T_INTEG= 3,
356 IV2_T_DH = 4,
357 IV2_T_ESN = 5,
358 };
359
360 /* 3.4. Key Exchange Payload */
361 struct ikev2_ke {
362 struct isakmp_gen h;
363 uint16_t ke_group;
364 uint16_t ke_res1;
365 /* KE data */
366 };
367
368
369 /* 3.5. Identification Payloads */
370 enum ikev2_id_type {
371 ID_IPV4_ADDR=1,
372 ID_FQDN=2,
373 ID_RFC822_ADDR=3,
374 ID_IPV6_ADDR=5,
375 ID_DER_ASN1_DN=9,
376 ID_DER_ASN1_GN=10,
377 ID_KEY_ID=11,
378 };
379 struct ikev2_id {
380 struct isakmp_gen h;
381 uint8_t type; /* ID type */
382 uint8_t res1;
383 uint16_t res2;
384 /* SPI */
385 /* Notification Data */
386 };
387
388 /* 3.10 Notification Payload */
389 struct ikev2_n {
390 struct isakmp_gen h;
391 uint8_t prot_id; /* Protocol-ID */
392 uint8_t spi_size; /* SPI Size */
393 uint16_t type; /* Notify Message Type */
394 };
395
396 enum ikev2_n_type {
397 IV2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD = 1,
398 IV2_NOTIFY_INVALID_IKE_SPI = 4,
399 IV2_NOTIFY_INVALID_MAJOR_VERSION = 5,
400 IV2_NOTIFY_INVALID_SYNTAX = 7,
401 IV2_NOTIFY_INVALID_MESSAGE_ID = 9,
402 IV2_NOTIFY_INVALID_SPI =11,
403 IV2_NOTIFY_NO_PROPOSAL_CHOSEN =14,
404 IV2_NOTIFY_INVALID_KE_PAYLOAD =17,
405 IV2_NOTIFY_AUTHENTICATION_FAILED =24,
406 IV2_NOTIFY_SINGLE_PAIR_REQUIRED =34,
407 IV2_NOTIFY_NO_ADDITIONAL_SAS =35,
408 IV2_NOTIFY_INTERNAL_ADDRESS_FAILURE =36,
409 IV2_NOTIFY_FAILED_CP_REQUIRED =37,
410 IV2_NOTIFY_INVALID_SELECTORS =39,
411 IV2_NOTIFY_INITIAL_CONTACT =16384,
412 IV2_NOTIFY_SET_WINDOW_SIZE =16385,
413 IV2_NOTIFY_ADDITIONAL_TS_POSSIBLE =16386,
414 IV2_NOTIFY_IPCOMP_SUPPORTED =16387,
415 IV2_NOTIFY_NAT_DETECTION_SOURCE_IP =16388,
416 IV2_NOTIFY_NAT_DETECTION_DESTINATION_IP =16389,
417 IV2_NOTIFY_COOKIE =16390,
418 IV2_NOTIFY_USE_TRANSPORT_MODE =16391,
419 IV2_NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED =16392,
420 IV2_NOTIFY_REKEY_SA =16393,
421 IV2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED =16394,
422 IV2_NOTIFY_NON_FIRST_FRAGMENTS_ALSO =16395
423 };
424
425 struct notify_messages {
426 uint16_t type;
427 char *msg;
428 };
429
430 /* 3.8 Notification Payload */
431 struct ikev2_auth {
432 struct isakmp_gen h;
433 uint8_t auth_method; /* Protocol-ID */
434 uint8_t reserved[3];
435 /* authentication data */
436 };
437
438 enum ikev2_auth_type {
439 IV2_RSA_SIG = 1,
440 IV2_SHARED = 2,
441 IV2_DSS_SIG = 3,
442 };
443
444 /* refer to RFC 2409 */
445
446 #if 0
447 /* isakmp sa structure */
448 struct oakley_sa {
449 uint8_t proto_id; /* OAKLEY */
450 vchar_t *spi; /* spi */
451 uint8_t dhgrp; /* DH; group */
452 uint8_t auth_t; /* method of authentication */
453 uint8_t prf_t; /* type of prf */
454 uint8_t hash_t; /* type of hash */
455 uint8_t enc_t; /* type of cipher */
456 uint8_t life_t; /* type of duration of lifetime */
457 uint32_t ldur; /* life duration */
458 };
459 #endif
460
461 /* refer to RFC 2407 */
462
463 #define IPSEC_DOI 1
464
465 /* 4.2 IPSEC Situation Definition */
466 #define IPSECDOI_SIT_IDENTITY_ONLY 0x00000001
467 #define IPSECDOI_SIT_SECRECY 0x00000002
468 #define IPSECDOI_SIT_INTEGRITY 0x00000004
469
470 /* 4.4.1 IPSEC Security Protocol Identifiers */
471 /* 4.4.2 IPSEC ISAKMP Transform Values */
472 #define IPSECDOI_PROTO_ISAKMP 1
473 #define IPSECDOI_KEY_IKE 1
474
475 /* 4.4.1 IPSEC Security Protocol Identifiers */
476 #define IPSECDOI_PROTO_IPSEC_AH 2
477 /* 4.4.3 IPSEC AH Transform Values */
478 #define IPSECDOI_AH_MD5 2
479 #define IPSECDOI_AH_SHA 3
480 #define IPSECDOI_AH_DES 4
481 #define IPSECDOI_AH_SHA2_256 5
482 #define IPSECDOI_AH_SHA2_384 6
483 #define IPSECDOI_AH_SHA2_512 7
484
485 /* 4.4.1 IPSEC Security Protocol Identifiers */
486 #define IPSECDOI_PROTO_IPSEC_ESP 3
487 /* 4.4.4 IPSEC ESP Transform Identifiers */
488 #define IPSECDOI_ESP_DES_IV64 1
489 #define IPSECDOI_ESP_DES 2
490 #define IPSECDOI_ESP_3DES 3
491 #define IPSECDOI_ESP_RC5 4
492 #define IPSECDOI_ESP_IDEA 5
493 #define IPSECDOI_ESP_CAST 6
494 #define IPSECDOI_ESP_BLOWFISH 7
495 #define IPSECDOI_ESP_3IDEA 8
496 #define IPSECDOI_ESP_DES_IV32 9
497 #define IPSECDOI_ESP_RC4 10
498 #define IPSECDOI_ESP_NULL 11
499 #define IPSECDOI_ESP_RIJNDAEL 12
500 #define IPSECDOI_ESP_AES 12
501
502 /* 4.4.1 IPSEC Security Protocol Identifiers */
503 #define IPSECDOI_PROTO_IPCOMP 4
504 /* 4.4.5 IPSEC IPCOMP Transform Identifiers */
505 #define IPSECDOI_IPCOMP_OUI 1
506 #define IPSECDOI_IPCOMP_DEFLATE 2
507 #define IPSECDOI_IPCOMP_LZS 3
508
509 /* 4.5 IPSEC Security Association Attributes */
510 #define IPSECDOI_ATTR_SA_LTYPE 1 /* B */
511 #define IPSECDOI_ATTR_SA_LTYPE_DEFAULT 1
512 #define IPSECDOI_ATTR_SA_LTYPE_SEC 1
513 #define IPSECDOI_ATTR_SA_LTYPE_KB 2
514 #define IPSECDOI_ATTR_SA_LDUR 2 /* V */
515 #define IPSECDOI_ATTR_SA_LDUR_DEFAULT 28800 /* 8 hours */
516 #define IPSECDOI_ATTR_GRP_DESC 3 /* B */
517 #define IPSECDOI_ATTR_ENC_MODE 4 /* B */
518 /* default value: host dependent */
519 #define IPSECDOI_ATTR_ENC_MODE_TUNNEL 1
520 #define IPSECDOI_ATTR_ENC_MODE_TRNS 2
521 #define IPSECDOI_ATTR_AUTH 5 /* B */
522 /* 0 means not to use authentication. */
523 #define IPSECDOI_ATTR_AUTH_HMAC_MD5 1
524 #define IPSECDOI_ATTR_AUTH_HMAC_SHA1 2
525 #define IPSECDOI_ATTR_AUTH_DES_MAC 3
526 #define IPSECDOI_ATTR_AUTH_KPDK 4 /*RFC-1826(Key/Pad/Data/Key)*/
527 /*
528 * When negotiating ESP without authentication, the Auth
529 * Algorithm attribute MUST NOT be included in the proposal.
530 * When negotiating ESP without confidentiality, the Auth
531 * Algorithm attribute MUST be included in the proposal and
532 * the ESP transform ID must be ESP_NULL.
533 */
534 #define IPSECDOI_ATTR_KEY_LENGTH 6 /* B */
535 #define IPSECDOI_ATTR_KEY_ROUNDS 7 /* B */
536 #define IPSECDOI_ATTR_COMP_DICT_SIZE 8 /* B */
537 #define IPSECDOI_ATTR_COMP_PRIVALG 9 /* V */
538
539 /* 4.6.1 Security Association Payload */
540 struct ipsecdoi_sa {
541 struct isakmp_gen h;
542 uint32_t doi; /* Domain of Interpretation */
543 uint32_t sit; /* Situation */
544 };
545
546 struct ipsecdoi_secrecy_h {
547 uint16_t len;
548 uint16_t reserved;
549 };
550
551 /* 4.6.2.1 Identification Type Values */
552 struct ipsecdoi_id {
553 struct isakmp_gen h;
554 uint8_t type; /* ID Type */
555 uint8_t proto_id; /* Protocol ID */
556 uint16_t port; /* Port */
557 /* Identification Data */
558 };
559
560 #define IPSECDOI_ID_IPV4_ADDR 1
561 #define IPSECDOI_ID_FQDN 2
562 #define IPSECDOI_ID_USER_FQDN 3
563 #define IPSECDOI_ID_IPV4_ADDR_SUBNET 4
564 #define IPSECDOI_ID_IPV6_ADDR 5
565 #define IPSECDOI_ID_IPV6_ADDR_SUBNET 6
566 #define IPSECDOI_ID_IPV4_ADDR_RANGE 7
567 #define IPSECDOI_ID_IPV6_ADDR_RANGE 8
568 #define IPSECDOI_ID_DER_ASN1_DN 9
569 #define IPSECDOI_ID_DER_ASN1_GN 10
570 #define IPSECDOI_ID_KEY_ID 11
571
572 /* 4.6.3 IPSEC DOI Notify Message Types */
573 /* Notify Messages - Status Types */
574 #define IPSECDOI_NTYPE_RESPONDER_LIFETIME 24576
575 #define IPSECDOI_NTYPE_REPLAY_STATUS 24577
576 #define IPSECDOI_NTYPE_INITIAL_CONTACT 24578
577
578 #define DECLARE_PRINTER(func) static const u_char *ike##func##_print( \
579 netdissect_options *ndo, u_char tpay, \
580 const struct isakmp_gen *ext, \
581 u_int item_len, \
582 const u_char *end_pointer, \
583 uint32_t phase,\
584 uint32_t doi0, \
585 uint32_t proto0, int depth)
586
587 DECLARE_PRINTER(v1_sa);
588 DECLARE_PRINTER(v1_p);
589 DECLARE_PRINTER(v1_t);
590 DECLARE_PRINTER(v1_ke);
591 DECLARE_PRINTER(v1_id);
592 DECLARE_PRINTER(v1_cert);
593 DECLARE_PRINTER(v1_cr);
594 DECLARE_PRINTER(v1_sig);
595 DECLARE_PRINTER(v1_hash);
596 DECLARE_PRINTER(v1_nonce);
597 DECLARE_PRINTER(v1_n);
598 DECLARE_PRINTER(v1_d);
599 DECLARE_PRINTER(v1_vid);
600
601 DECLARE_PRINTER(v2_sa);
602 DECLARE_PRINTER(v2_ke);
603 DECLARE_PRINTER(v2_ID);
604 DECLARE_PRINTER(v2_cert);
605 DECLARE_PRINTER(v2_cr);
606 DECLARE_PRINTER(v2_auth);
607 DECLARE_PRINTER(v2_nonce);
608 DECLARE_PRINTER(v2_n);
609 DECLARE_PRINTER(v2_d);
610 DECLARE_PRINTER(v2_vid);
611 DECLARE_PRINTER(v2_TS);
612 DECLARE_PRINTER(v2_cp);
613 DECLARE_PRINTER(v2_eap);
614
615 static const u_char *ikev2_e_print(netdissect_options *ndo,
616 struct isakmp *base,
617 u_char tpay,
618 const struct isakmp_gen *ext,
619 u_int item_len,
620 const u_char *end_pointer,
621 uint32_t phase,
622 uint32_t doi0,
623 uint32_t proto0, int depth);
624
625
626 static const u_char *ike_sub0_print(netdissect_options *ndo,u_char, const struct isakmp_gen *,
627 const u_char *, uint32_t, uint32_t, uint32_t, int);
628 static const u_char *ikev1_sub_print(netdissect_options *ndo,u_char, const struct isakmp_gen *,
629 const u_char *, uint32_t, uint32_t, uint32_t, int);
630
631 static const u_char *ikev2_sub_print(netdissect_options *ndo,
632 struct isakmp *base,
633 u_char np, const struct isakmp_gen *ext,
634 const u_char *ep, uint32_t phase,
635 uint32_t doi, uint32_t proto,
636 int depth);
637
638
639 static char *numstr(int);
640
641 static void
642 ikev1_print(netdissect_options *ndo,
643 const u_char *bp, u_int length,
644 const u_char *bp2, struct isakmp *base);
645
646 #define MAXINITIATORS 20
647 int ninitiator = 0;
648 union inaddr_u {
649 struct in_addr in4;
650 #ifdef INET6
651 struct in6_addr in6;
652 #endif
653 };
654 struct {
655 cookie_t initiator;
656 u_int version;
657 union inaddr_u iaddr;
658 union inaddr_u raddr;
659 } cookiecache[MAXINITIATORS];
660
661 /* protocol id */
662 static const char *protoidstr[] = {
663 NULL, "isakmp", "ipsec-ah", "ipsec-esp", "ipcomp",
664 };
665
666 /* isakmp->np */
667 static const char *npstr[] = {
668 "none", "sa", "p", "t", "ke", "id", "cert", "cr", "hash", /* 0 - 8 */
669 "sig", "nonce", "n", "d", "vid", /* 9 - 13 */
670 "pay14", "pay15", "pay16", "pay17", "pay18", /* 14- 18 */
671 "pay19", "pay20", "pay21", "pay22", "pay23", /* 19- 23 */
672 "pay24", "pay25", "pay26", "pay27", "pay28", /* 24- 28 */
673 "pay29", "pay30", "pay31", "pay32", /* 29- 32 */
674 "v2sa", "v2ke", "v2IDi", "v2IDr", "v2cert",/* 33- 37 */
675 "v2cr", "v2auth","v2nonce", "v2n", "v2d", /* 38- 42 */
676 "v2vid", "v2TSi", "v2TSr", "v2e", "v2cp", /* 43- 47 */
677 "v2eap", /* 48 */
678
679 };
680
681 /* isakmp->np */
682 static const u_char *(*npfunc[])(netdissect_options *ndo, u_char tpay,
683 const struct isakmp_gen *ext,
684 u_int item_len,
685 const u_char *end_pointer,
686 uint32_t phase,
687 uint32_t doi0,
688 uint32_t proto0, int depth) = {
689 NULL,
690 ikev1_sa_print,
691 ikev1_p_print,
692 ikev1_t_print,
693 ikev1_ke_print,
694 ikev1_id_print,
695 ikev1_cert_print,
696 ikev1_cr_print,
697 ikev1_hash_print,
698 ikev1_sig_print,
699 ikev1_nonce_print,
700 ikev1_n_print,
701 ikev1_d_print,
702 ikev1_vid_print, /* 13 */
703 NULL, NULL, NULL, NULL, NULL, /* 14- 18 */
704 NULL, NULL, NULL, NULL, NULL, /* 19- 23 */
705 NULL, NULL, NULL, NULL, NULL, /* 24- 28 */
706 NULL, NULL, NULL, NULL, /* 29- 32 */
707 ikev2_sa_print, /* 33 */
708 ikev2_ke_print, /* 34 */
709 ikev2_ID_print, /* 35 */
710 ikev2_ID_print, /* 36 */
711 ikev2_cert_print, /* 37 */
712 ikev2_cr_print, /* 38 */
713 ikev2_auth_print, /* 39 */
714 ikev2_nonce_print, /* 40 */
715 ikev2_n_print, /* 41 */
716 ikev2_d_print, /* 42 */
717 ikev2_vid_print, /* 43 */
718 ikev2_TS_print, /* 44 */
719 ikev2_TS_print, /* 45 */
720 NULL, /* ikev2_e_print,*/ /* 46 - special */
721 ikev2_cp_print, /* 47 */
722 ikev2_eap_print, /* 48 */
723 };
724
725 /* isakmp->etype */
726 static const char *etypestr[] = {
727 /* IKEv1 exchange types */
728 "none", "base", "ident", "auth", "agg", "inf", NULL, NULL, /* 0-7 */
729 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 8-15 */
730 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 16-23 */
731 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 24-31 */
732 "oakley-quick", "oakley-newgroup", /* 32-33 */
733 /* IKEv2 exchange types */
734 "ikev2_init", "ikev2_auth", "child_sa", "inf2" /* 34-37 */
735 };
736
737 #define STR_OR_ID(x, tab) \
738 (((x) < sizeof(tab)/sizeof(tab[0]) && tab[(x)]) ? tab[(x)] : numstr(x))
739 #define PROTOIDSTR(x) STR_OR_ID(x, protoidstr)
740 #define NPSTR(x) STR_OR_ID(x, npstr)
741 #define ETYPESTR(x) STR_OR_ID(x, etypestr)
742
743 #define CHECKLEN(p, np) \
744 if (ep < (u_char *)(p)) { \
745 ND_PRINT((ndo," [|%s]", NPSTR(np))); \
746 goto done; \
747 }
748
749
750 #define NPFUNC(x) \
751 (((x) < sizeof(npfunc)/sizeof(npfunc[0]) && npfunc[(x)]) \
752 ? npfunc[(x)] : NULL)
753
754 static int
755 iszero(u_char *p, size_t l)
756 {
757 while (l--) {
758 if (*p++)
759 return 0;
760 }
761 return 1;
762 }
763
764 /* find cookie from initiator cache */
765 static int
766 cookie_find(cookie_t *in)
767 {
768 int i;
769
770 for (i = 0; i < MAXINITIATORS; i++) {
771 if (memcmp(in, &cookiecache[i].initiator, sizeof(*in)) == 0)
772 return i;
773 }
774
775 return -1;
776 }
777
778 /* record initiator */
779 static void
780 cookie_record(cookie_t *in, const u_char *bp2)
781 {
782 int i;
783 struct ip *ip;
784 #ifdef INET6
785 struct ip6_hdr *ip6;
786 #endif
787
788 i = cookie_find(in);
789 if (0 <= i) {
790 ninitiator = (i + 1) % MAXINITIATORS;
791 return;
792 }
793
794 ip = (struct ip *)bp2;
795 switch (IP_V(ip)) {
796 case 4:
797 cookiecache[ninitiator].version = 4;
798 UNALIGNED_MEMCPY(&cookiecache[ninitiator].iaddr.in4, &ip->ip_src, sizeof(struct in_addr));
799 UNALIGNED_MEMCPY(&cookiecache[ninitiator].raddr.in4, &ip->ip_dst, sizeof(struct in_addr));
800 break;
801 #ifdef INET6
802 case 6:
803 ip6 = (struct ip6_hdr *)bp2;
804 cookiecache[ninitiator].version = 6;
805 UNALIGNED_MEMCPY(&cookiecache[ninitiator].iaddr.in6, &ip6->ip6_src, sizeof(struct in6_addr));
806 UNALIGNED_MEMCPY(&cookiecache[ninitiator].raddr.in6, &ip6->ip6_dst, sizeof(struct in6_addr));
807 break;
808 #endif
809 default:
810 return;
811 }
812 UNALIGNED_MEMCPY(&cookiecache[ninitiator].initiator, in, sizeof(*in));
813 ninitiator = (ninitiator + 1) % MAXINITIATORS;
814 }
815
816 #define cookie_isinitiator(x, y) cookie_sidecheck((x), (y), 1)
817 #define cookie_isresponder(x, y) cookie_sidecheck((x), (y), 0)
818 static int
819 cookie_sidecheck(int i, const u_char *bp2, int initiator)
820 {
821 struct ip *ip;
822 #ifdef INET6
823 struct ip6_hdr *ip6;
824 #endif
825
826 ip = (struct ip *)bp2;
827 switch (IP_V(ip)) {
828 case 4:
829 if (cookiecache[i].version != 4)
830 return 0;
831 if (initiator) {
832 if (UNALIGNED_MEMCMP(&ip->ip_src, &cookiecache[i].iaddr.in4, sizeof(struct in_addr)) == 0)
833 return 1;
834 } else {
835 if (UNALIGNED_MEMCMP(&ip->ip_src, &cookiecache[i].raddr.in4, sizeof(struct in_addr)) == 0)
836 return 1;
837 }
838 break;
839 #ifdef INET6
840 case 6:
841 if (cookiecache[i].version != 6)
842 return 0;
843 ip6 = (struct ip6_hdr *)bp2;
844 if (initiator) {
845 if (UNALIGNED_MEMCMP(&ip6->ip6_src, &cookiecache[i].iaddr.in6, sizeof(struct in6_addr)) == 0)
846 return 1;
847 } else {
848 if (UNALIGNED_MEMCMP(&ip6->ip6_src, &cookiecache[i].raddr.in6, sizeof(struct in6_addr)) == 0)
849 return 1;
850 }
851 break;
852 #endif /* INET6 */
853 default:
854 break;
855 }
856
857 return 0;
858 }
859
860 static void
861 hexprint(netdissect_options *ndo, caddr_t loc, size_t len)
862 {
863 u_char *p;
864 size_t i;
865
866 p = (u_char *)loc;
867 for (i = 0; i < len; i++)
868 ND_PRINT((ndo,"%02x", p[i] & 0xff));
869 }
870
871 static int
872 rawprint(netdissect_options *ndo, caddr_t loc, size_t len)
873 {
874 ND_TCHECK2(*loc, len);
875
876 hexprint(ndo, loc, len);
877 return 1;
878 trunc:
879 return 0;
880 }
881
882
883 /*
884 * returns false if we run out of data buffer
885 */
886 static int ike_show_somedata(netdissect_options *ndo,
887 const u_char *cp, const u_char *ep)
888 {
889 /* there is too much data, just show some of it */
890 const u_char *end = ep - 20;
891 int elen = 20;
892 int len = ep - cp;
893 if(len > 10) {
894 len = 10;
895 }
896
897 /* really shouldn't happen because of above */
898 if(end < cp + len) {
899 end = cp+len;
900 elen = ep - end;
901 }
902
903 ND_PRINT((ndo," data=("));
904 if(!rawprint(ndo, (caddr_t)(cp), len)) goto trunc;
905 ND_PRINT((ndo, "..."));
906 if(elen) {
907 if(!rawprint(ndo, (caddr_t)(end), elen)) goto trunc;
908 }
909 ND_PRINT((ndo,")"));
910 return 1;
911
912 trunc:
913 return 0;
914 }
915
916 struct attrmap {
917 const char *type;
918 u_int nvalue;
919 const char *value[30]; /*XXX*/
920 };
921
922 static const u_char *
923 ikev1_attrmap_print(netdissect_options *ndo,
924 const u_char *p, const u_char *ep,
925 const struct attrmap *map, size_t nmap)
926 {
927 int totlen;
928 uint32_t t, v;
929
930 if (p[0] & 0x80)
931 totlen = 4;
932 else
933 totlen = 4 + EXTRACT_16BITS(&p[2]);
934 if (ep < p + totlen) {
935 ND_PRINT((ndo,"[|attr]"));
936 return ep + 1;
937 }
938
939 ND_PRINT((ndo,"("));
940 t = EXTRACT_16BITS(&p[0]) & 0x7fff;
941 if (map && t < nmap && map[t].type)
942 ND_PRINT((ndo,"type=%s ", map[t].type));
943 else
944 ND_PRINT((ndo,"type=#%d ", t));
945 if (p[0] & 0x80) {
946 ND_PRINT((ndo,"value="));
947 v = EXTRACT_16BITS(&p[2]);
948 if (map && t < nmap && v < map[t].nvalue && map[t].value[v])
949 ND_PRINT((ndo,"%s", map[t].value[v]));
950 else
951 rawprint(ndo, (caddr_t)&p[2], 2);
952 } else {
953 ND_PRINT((ndo,"len=%d value=", EXTRACT_16BITS(&p[2])));
954 rawprint(ndo, (caddr_t)&p[4], EXTRACT_16BITS(&p[2]));
955 }
956 ND_PRINT((ndo,")"));
957 return p + totlen;
958 }
959
960 static const u_char *
961 ikev1_attr_print(netdissect_options *ndo, const u_char *p, const u_char *ep)
962 {
963 int totlen;
964 uint32_t t;
965
966 if (p[0] & 0x80)
967 totlen = 4;
968 else
969 totlen = 4 + EXTRACT_16BITS(&p[2]);
970 if (ep < p + totlen) {
971 ND_PRINT((ndo,"[|attr]"));
972 return ep + 1;
973 }
974
975 ND_PRINT((ndo,"("));
976 t = EXTRACT_16BITS(&p[0]) & 0x7fff;
977 ND_PRINT((ndo,"type=#%d ", t));
978 if (p[0] & 0x80) {
979 ND_PRINT((ndo,"value="));
980 t = p[2];
981 rawprint(ndo, (caddr_t)&p[2], 2);
982 } else {
983 ND_PRINT((ndo,"len=%d value=", EXTRACT_16BITS(&p[2])));
984 rawprint(ndo, (caddr_t)&p[4], EXTRACT_16BITS(&p[2]));
985 }
986 ND_PRINT((ndo,")"));
987 return p + totlen;
988 }
989
990 static const u_char *
991 ikev1_sa_print(netdissect_options *ndo, u_char tpay _U_,
992 const struct isakmp_gen *ext,
993 u_int item_len _U_,
994 const u_char *ep, uint32_t phase, uint32_t doi0 _U_,
995 uint32_t proto0, int depth)
996 {
997 const struct ikev1_pl_sa *p;
998 struct ikev1_pl_sa sa;
999 uint32_t doi, sit, ident;
1000 const u_char *cp, *np;
1001 int t;
1002
1003 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_SA)));
1004
1005 p = (struct ikev1_pl_sa *)ext;
1006 ND_TCHECK(*p);
1007 UNALIGNED_MEMCPY(&sa, ext, sizeof(sa));
1008 doi = ntohl(sa.doi);
1009 sit = ntohl(sa.sit);
1010 if (doi != 1) {
1011 ND_PRINT((ndo," doi=%d", doi));
1012 ND_PRINT((ndo," situation=%u", (uint32_t)ntohl(sa.sit)));
1013 return (u_char *)(p + 1);
1014 }
1015
1016 ND_PRINT((ndo," doi=ipsec"));
1017 ND_PRINT((ndo," situation="));
1018 t = 0;
1019 if (sit & 0x01) {
1020 ND_PRINT((ndo,"identity"));
1021 t++;
1022 }
1023 if (sit & 0x02) {
1024 ND_PRINT((ndo,"%ssecrecy", t ? "+" : ""));
1025 t++;
1026 }
1027 if (sit & 0x04)
1028 ND_PRINT((ndo,"%sintegrity", t ? "+" : ""));
1029
1030 np = (u_char *)ext + sizeof(sa);
1031 if (sit != 0x01) {
1032 ND_TCHECK2(*(ext + 1), sizeof(ident));
1033 UNALIGNED_MEMCPY(&ident, ext + 1, sizeof(ident));
1034 ND_PRINT((ndo," ident=%u", (uint32_t)ntohl(ident)));
1035 np += sizeof(ident);
1036 }
1037
1038 ext = (struct isakmp_gen *)np;
1039 ND_TCHECK(*ext);
1040
1041 cp = ikev1_sub_print(ndo, ISAKMP_NPTYPE_P, ext, ep, phase, doi, proto0,
1042 depth);
1043
1044 return cp;
1045 trunc:
1046 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_SA)));
1047 return NULL;
1048 }
1049
1050 static const u_char *
1051 ikev1_p_print(netdissect_options *ndo, u_char tpay _U_,
1052 const struct isakmp_gen *ext, u_int item_len _U_,
1053 const u_char *ep, uint32_t phase, uint32_t doi0,
1054 uint32_t proto0 _U_, int depth)
1055 {
1056 const struct ikev1_pl_p *p;
1057 struct ikev1_pl_p prop;
1058 const u_char *cp;
1059
1060 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_P)));
1061
1062 p = (struct ikev1_pl_p *)ext;
1063 ND_TCHECK(*p);
1064 UNALIGNED_MEMCPY(&prop, ext, sizeof(prop));
1065 ND_PRINT((ndo," #%d protoid=%s transform=%d",
1066 prop.p_no, PROTOIDSTR(prop.prot_id), prop.num_t));
1067 if (prop.spi_size) {
1068 ND_PRINT((ndo," spi="));
1069 if (!rawprint(ndo, (caddr_t)(p + 1), prop.spi_size))
1070 goto trunc;
1071 }
1072
1073 ext = (struct isakmp_gen *)((u_char *)(p + 1) + prop.spi_size);
1074 ND_TCHECK(*ext);
1075
1076 cp = ikev1_sub_print(ndo, ISAKMP_NPTYPE_T, ext, ep, phase, doi0,
1077 prop.prot_id, depth);
1078
1079 return cp;
1080 trunc:
1081 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_P)));
1082 return NULL;
1083 }
1084
1085 static const char *ikev1_p_map[] = {
1086 NULL, "ike",
1087 };
1088
1089 static const char *ikev2_t_type_map[]={
1090 NULL, "encr", "prf", "integ", "dh", "esn"
1091 };
1092
1093 static const char *ah_p_map[] = {
1094 NULL, "(reserved)", "md5", "sha", "1des",
1095 "sha2-256", "sha2-384", "sha2-512",
1096 };
1097
1098 static const char *prf_p_map[] = {
1099 NULL, "hmac-md5", "hmac-sha", "hmac-tiger",
1100 "aes128_xcbc"
1101 };
1102
1103 static const char *integ_p_map[] = {
1104 NULL, "hmac-md5", "hmac-sha", "dec-mac",
1105 "kpdk-md5", "aes-xcbc"
1106 };
1107
1108 static const char *esn_p_map[] = {
1109 "no-esn", "esn"
1110 };
1111
1112 static const char *dh_p_map[] = {
1113 NULL, "modp768",
1114 "modp1024", /* group 2 */
1115 "EC2N 2^155", /* group 3 */
1116 "EC2N 2^185", /* group 4 */
1117 "modp1536", /* group 5 */
1118 "iana-grp06", "iana-grp07", /* reserved */
1119 "iana-grp08", "iana-grp09",
1120 "iana-grp10", "iana-grp11",
1121 "iana-grp12", "iana-grp13",
1122 "modp2048", /* group 14 */
1123 "modp3072", /* group 15 */
1124 "modp4096", /* group 16 */
1125 "modp6144", /* group 17 */
1126 "modp8192", /* group 18 */
1127 };
1128
1129 static const char *esp_p_map[] = {
1130 NULL, "1des-iv64", "1des", "3des", "rc5", "idea", "cast",
1131 "blowfish", "3idea", "1des-iv32", "rc4", "null", "aes"
1132 };
1133
1134 static const char *ipcomp_p_map[] = {
1135 NULL, "oui", "deflate", "lzs",
1136 };
1137
1138 static const struct attrmap ipsec_t_map[] = {
1139 { NULL, 0, { NULL } },
1140 { "lifetype", 3, { NULL, "sec", "kb", }, },
1141 { "life", 0, { NULL } },
1142 { "group desc", 18, { NULL, "modp768",
1143 "modp1024", /* group 2 */
1144 "EC2N 2^155", /* group 3 */
1145 "EC2N 2^185", /* group 4 */
1146 "modp1536", /* group 5 */
1147 "iana-grp06", "iana-grp07", /* reserved */
1148 "iana-grp08", "iana-grp09",
1149 "iana-grp10", "iana-grp11",
1150 "iana-grp12", "iana-grp13",
1151 "modp2048", /* group 14 */
1152 "modp3072", /* group 15 */
1153 "modp4096", /* group 16 */
1154 "modp6144", /* group 17 */
1155 "modp8192", /* group 18 */
1156 }, },
1157 { "enc mode", 3, { NULL, "tunnel", "transport", }, },
1158 { "auth", 5, { NULL, "hmac-md5", "hmac-sha1", "1des-mac", "keyed", }, },
1159 { "keylen", 0, { NULL } },
1160 { "rounds", 0, { NULL } },
1161 { "dictsize", 0, { NULL } },
1162 { "privalg", 0, { NULL } },
1163 };
1164
1165 static const struct attrmap encr_t_map[] = {
1166 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 0, 1 */
1167 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 2, 3 */
1168 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 4, 5 */
1169 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 6, 7 */
1170 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 8, 9 */
1171 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 10,11*/
1172 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 12,13*/
1173 { "keylen", 14, { NULL }},
1174 };
1175
1176 static const struct attrmap oakley_t_map[] = {
1177 { NULL, 0, { NULL } },
1178 { "enc", 8, { NULL, "1des", "idea", "blowfish", "rc5",
1179 "3des", "cast", "aes", }, },
1180 { "hash", 7, { NULL, "md5", "sha1", "tiger",
1181 "sha2-256", "sha2-384", "sha2-512", }, },
1182 { "auth", 6, { NULL, "preshared", "dss", "rsa sig", "rsa enc",
1183 "rsa enc revised", }, },
1184 { "group desc", 18, { NULL, "modp768",
1185 "modp1024", /* group 2 */
1186 "EC2N 2^155", /* group 3 */
1187 "EC2N 2^185", /* group 4 */
1188 "modp1536", /* group 5 */
1189 "iana-grp06", "iana-grp07", /* reserved */
1190 "iana-grp08", "iana-grp09",
1191 "iana-grp10", "iana-grp11",
1192 "iana-grp12", "iana-grp13",
1193 "modp2048", /* group 14 */
1194 "modp3072", /* group 15 */
1195 "modp4096", /* group 16 */
1196 "modp6144", /* group 17 */
1197 "modp8192", /* group 18 */
1198 }, },
1199 { "group type", 4, { NULL, "MODP", "ECP", "EC2N", }, },
1200 { "group prime", 0, { NULL } },
1201 { "group gen1", 0, { NULL } },
1202 { "group gen2", 0, { NULL } },
1203 { "group curve A", 0, { NULL } },
1204 { "group curve B", 0, { NULL } },
1205 { "lifetype", 3, { NULL, "sec", "kb", }, },
1206 { "lifeduration", 0, { NULL } },
1207 { "prf", 0, { NULL } },
1208 { "keylen", 0, { NULL } },
1209 { "field", 0, { NULL } },
1210 { "order", 0, { NULL } },
1211 };
1212
1213 static const u_char *
1214 ikev1_t_print(netdissect_options *ndo, u_char tpay _U_,
1215 const struct isakmp_gen *ext, u_int item_len,
1216 const u_char *ep, uint32_t phase _U_, uint32_t doi _U_,
1217 uint32_t proto, int depth _U_)
1218 {
1219 const struct ikev1_pl_t *p;
1220 struct ikev1_pl_t t;
1221 const u_char *cp;
1222 const char *idstr;
1223 const struct attrmap *map;
1224 size_t nmap;
1225 const u_char *ep2;
1226
1227 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_T)));
1228
1229 p = (struct ikev1_pl_t *)ext;
1230 ND_TCHECK(*p);
1231 UNALIGNED_MEMCPY(&t, ext, sizeof(t));
1232
1233 switch (proto) {
1234 case 1:
1235 idstr = STR_OR_ID(t.t_id, ikev1_p_map);
1236 map = oakley_t_map;
1237 nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]);
1238 break;
1239 case 2:
1240 idstr = STR_OR_ID(t.t_id, ah_p_map);
1241 map = ipsec_t_map;
1242 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
1243 break;
1244 case 3:
1245 idstr = STR_OR_ID(t.t_id, esp_p_map);
1246 map = ipsec_t_map;
1247 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
1248 break;
1249 case 4:
1250 idstr = STR_OR_ID(t.t_id, ipcomp_p_map);
1251 map = ipsec_t_map;
1252 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
1253 break;
1254 default:
1255 idstr = NULL;
1256 map = NULL;
1257 nmap = 0;
1258 break;
1259 }
1260
1261 if (idstr)
1262 ND_PRINT((ndo," #%d id=%s ", t.t_no, idstr));
1263 else
1264 ND_PRINT((ndo," #%d id=%d ", t.t_no, t.t_id));
1265 cp = (u_char *)(p + 1);
1266 ep2 = (u_char *)p + item_len;
1267 while (cp < ep && cp < ep2) {
1268 if (map && nmap) {
1269 cp = ikev1_attrmap_print(ndo, cp, (ep < ep2) ? ep : ep2,
1270 map, nmap);
1271 } else
1272 cp = ikev1_attr_print(ndo, cp, (ep < ep2) ? ep : ep2);
1273 }
1274 if (ep < ep2)
1275 ND_PRINT((ndo,"..."));
1276 return cp;
1277 trunc:
1278 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_T)));
1279 return NULL;
1280 }
1281
1282 static const u_char *
1283 ikev1_ke_print(netdissect_options *ndo, u_char tpay _U_,
1284 const struct isakmp_gen *ext, u_int item_len _U_,
1285 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_,
1286 uint32_t proto _U_, int depth _U_)
1287 {
1288 struct isakmp_gen e;
1289
1290 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_KE)));
1291
1292 ND_TCHECK(*ext);
1293 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1294 ND_PRINT((ndo," key len=%d", ntohs(e.len) - 4));
1295 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1296 ND_PRINT((ndo," "));
1297 if (!rawprint(ndo, (caddr_t)(ext + 1), ntohs(e.len) - 4))
1298 goto trunc;
1299 }
1300 return (u_char *)ext + ntohs(e.len);
1301 trunc:
1302 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_KE)));
1303 return NULL;
1304 }
1305
1306 static const u_char *
1307 ikev1_id_print(netdissect_options *ndo, u_char tpay _U_,
1308 const struct isakmp_gen *ext, u_int item_len,
1309 const u_char *ep _U_, uint32_t phase, uint32_t doi _U_,
1310 uint32_t proto _U_, int depth _U_)
1311 {
1312 #define USE_IPSECDOI_IN_PHASE1 1
1313 const struct ikev1_pl_id *p;
1314 struct ikev1_pl_id id;
1315 static const char *idtypestr[] = {
1316 "IPv4", "IPv4net", "IPv6", "IPv6net",
1317 };
1318 static const char *ipsecidtypestr[] = {
1319 NULL, "IPv4", "FQDN", "user FQDN", "IPv4net", "IPv6",
1320 "IPv6net", "IPv4range", "IPv6range", "ASN1 DN", "ASN1 GN",
1321 "keyid",
1322 };
1323 int len;
1324 const u_char *data;
1325
1326 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_ID)));
1327
1328 p = (struct ikev1_pl_id *)ext;
1329 ND_TCHECK(*p);
1330 UNALIGNED_MEMCPY(&id, ext, sizeof(id));
1331 if (sizeof(*p) < item_len) {
1332 data = (u_char *)(p + 1);
1333 len = item_len - sizeof(*p);
1334 } else {
1335 data = NULL;
1336 len = 0;
1337 }
1338
1339 #if 0 /*debug*/
1340 ND_PRINT((ndo," [phase=%d doi=%d proto=%d]", phase, doi, proto));
1341 #endif
1342 switch (phase) {
1343 #ifndef USE_IPSECDOI_IN_PHASE1
1344 case 1:
1345 #endif
1346 default:
1347 ND_PRINT((ndo," idtype=%s", STR_OR_ID(id.d.id_type, idtypestr)));
1348 ND_PRINT((ndo," doi_data=%u",
1349 (uint32_t)(ntohl(id.d.doi_data) & 0xffffff)));
1350 break;
1351
1352 #ifdef USE_IPSECDOI_IN_PHASE1
1353 case 1:
1354 #endif
1355 case 2:
1356 {
1357 const struct ipsecdoi_id *p;
1358 struct ipsecdoi_id id;
1359 struct protoent *pe;
1360
1361 p = (struct ipsecdoi_id *)ext;
1362 ND_TCHECK(*p);
1363 UNALIGNED_MEMCPY(&id, ext, sizeof(id));
1364 ND_PRINT((ndo," idtype=%s", STR_OR_ID(id.type, ipsecidtypestr)));
1365 /* A protocol ID of 0 DOES NOT mean IPPROTO_IP! */
1366 pe = id.proto_id ? getprotobynumber(id.proto_id) : NULL;
1367 if (pe)
1368 ND_PRINT((ndo," protoid=%s", pe->p_name));
1369 else
1370 ND_PRINT((ndo," protoid=%u", id.proto_id));
1371 ND_PRINT((ndo," port=%d", ntohs(id.port)));
1372 if (!len)
1373 break;
1374 if (data == NULL)
1375 goto trunc;
1376 ND_TCHECK2(*data, len);
1377 switch (id.type) {
1378 case IPSECDOI_ID_IPV4_ADDR:
1379 if (len < 4)
1380 ND_PRINT((ndo," len=%d [bad: < 4]", len));
1381 else
1382 ND_PRINT((ndo," len=%d %s", len, ipaddr_string(ndo, data)));
1383 len = 0;
1384 break;
1385 case IPSECDOI_ID_FQDN:
1386 case IPSECDOI_ID_USER_FQDN:
1387 {
1388 int i;
1389 ND_PRINT((ndo," len=%d ", len));
1390 for (i = 0; i < len; i++)
1391 safeputchar(ndo, data[i]);
1392 len = 0;
1393 break;
1394 }
1395 case IPSECDOI_ID_IPV4_ADDR_SUBNET:
1396 {
1397 const u_char *mask;
1398 if (len < 8)
1399 ND_PRINT((ndo," len=%d [bad: < 8]", len));
1400 else {
1401 mask = data + sizeof(struct in_addr);
1402 ND_PRINT((ndo," len=%d %s/%u.%u.%u.%u", len,
1403 ipaddr_string(ndo, data),
1404 mask[0], mask[1], mask[2], mask[3]));
1405 }
1406 len = 0;
1407 break;
1408 }
1409 #ifdef INET6
1410 case IPSECDOI_ID_IPV6_ADDR:
1411 if (len < 16)
1412 ND_PRINT((ndo," len=%d [bad: < 16]", len));
1413 else
1414 ND_PRINT((ndo," len=%d %s", len, ip6addr_string(ndo, data)));
1415 len = 0;
1416 break;
1417 case IPSECDOI_ID_IPV6_ADDR_SUBNET:
1418 {
1419 const u_char *mask;
1420 if (len < 20)
1421 ND_PRINT((ndo," len=%d [bad: < 20]", len));
1422 else {
1423 mask = (u_char *)(data + sizeof(struct in6_addr));
1424 /*XXX*/
1425 ND_PRINT((ndo," len=%d %s/0x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x", len,
1426 ip6addr_string(ndo, data),
1427 mask[0], mask[1], mask[2], mask[3],
1428 mask[4], mask[5], mask[6], mask[7],
1429 mask[8], mask[9], mask[10], mask[11],
1430 mask[12], mask[13], mask[14], mask[15]));
1431 }
1432 len = 0;
1433 break;
1434 }
1435 #endif /*INET6*/
1436 case IPSECDOI_ID_IPV4_ADDR_RANGE:
1437 if (len < 8)
1438 ND_PRINT((ndo," len=%d [bad: < 8]", len));
1439 else {
1440 ND_PRINT((ndo," len=%d %s-%s", len,
1441 ipaddr_string(ndo, data),
1442 ipaddr_string(ndo, data + sizeof(struct in_addr))));
1443 }
1444 len = 0;
1445 break;
1446 #ifdef INET6
1447 case IPSECDOI_ID_IPV6_ADDR_RANGE:
1448 if (len < 32)
1449 ND_PRINT((ndo," len=%d [bad: < 32]", len));
1450 else {
1451 ND_PRINT((ndo," len=%d %s-%s", len,
1452 ip6addr_string(ndo, data),
1453 ip6addr_string(ndo, data + sizeof(struct in6_addr))));
1454 }
1455 len = 0;
1456 break;
1457 #endif /*INET6*/
1458 case IPSECDOI_ID_DER_ASN1_DN:
1459 case IPSECDOI_ID_DER_ASN1_GN:
1460 case IPSECDOI_ID_KEY_ID:
1461 break;
1462 }
1463 break;
1464 }
1465 }
1466 if (data && len) {
1467 ND_PRINT((ndo," len=%d", len));
1468 if (2 < ndo->ndo_vflag) {
1469 ND_PRINT((ndo," "));
1470 if (!rawprint(ndo, (caddr_t)data, len))
1471 goto trunc;
1472 }
1473 }
1474 return (u_char *)ext + item_len;
1475 trunc:
1476 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_ID)));
1477 return NULL;
1478 }
1479
1480 static const u_char *
1481 ikev1_cert_print(netdissect_options *ndo, u_char tpay _U_,
1482 const struct isakmp_gen *ext, u_int item_len _U_,
1483 const u_char *ep _U_, uint32_t phase _U_,
1484 uint32_t doi0 _U_,
1485 uint32_t proto0 _U_, int depth _U_)
1486 {
1487 const struct ikev1_pl_cert *p;
1488 struct ikev1_pl_cert cert;
1489 static const char *certstr[] = {
1490 "none", "pkcs7", "pgp", "dns",
1491 "x509sign", "x509ke", "kerberos", "crl",
1492 "arl", "spki", "x509attr",
1493 };
1494
1495 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_CERT)));
1496
1497 p = (struct ikev1_pl_cert *)ext;
1498 ND_TCHECK(*p);
1499 UNALIGNED_MEMCPY(&cert, ext, sizeof(cert));
1500 ND_PRINT((ndo," len=%d", item_len - 4));
1501 ND_PRINT((ndo," type=%s", STR_OR_ID((cert.encode), certstr)));
1502 if (2 < ndo->ndo_vflag && 4 < item_len) {
1503 ND_PRINT((ndo," "));
1504 if (!rawprint(ndo, (caddr_t)(ext + 1), item_len - 4))
1505 goto trunc;
1506 }
1507 return (u_char *)ext + item_len;
1508 trunc:
1509 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_CERT)));
1510 return NULL;
1511 }
1512
1513 static const u_char *
1514 ikev1_cr_print(netdissect_options *ndo, u_char tpay _U_,
1515 const struct isakmp_gen *ext, u_int item_len _U_,
1516 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi0 _U_,
1517 uint32_t proto0 _U_, int depth _U_)
1518 {
1519 const struct ikev1_pl_cert *p;
1520 struct ikev1_pl_cert cert;
1521 static const char *certstr[] = {
1522 "none", "pkcs7", "pgp", "dns",
1523 "x509sign", "x509ke", "kerberos", "crl",
1524 "arl", "spki", "x509attr",
1525 };
1526
1527 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_CR)));
1528
1529 p = (struct ikev1_pl_cert *)ext;
1530 ND_TCHECK(*p);
1531 UNALIGNED_MEMCPY(&cert, ext, sizeof(cert));
1532 ND_PRINT((ndo," len=%d", item_len - 4));
1533 ND_PRINT((ndo," type=%s", STR_OR_ID((cert.encode), certstr)));
1534 if (2 < ndo->ndo_vflag && 4 < item_len) {
1535 ND_PRINT((ndo," "));
1536 if (!rawprint(ndo, (caddr_t)(ext + 1), item_len - 4))
1537 goto trunc;
1538 }
1539 return (u_char *)ext + item_len;
1540 trunc:
1541 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_CR)));
1542 return NULL;
1543 }
1544
1545 static const u_char *
1546 ikev1_hash_print(netdissect_options *ndo, u_char tpay _U_,
1547 const struct isakmp_gen *ext, u_int item_len _U_,
1548 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_,
1549 uint32_t proto _U_, int depth _U_)
1550 {
1551 struct isakmp_gen e;
1552
1553 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_HASH)));
1554
1555 ND_TCHECK(*ext);
1556 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1557 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
1558 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1559 ND_PRINT((ndo," "));
1560 if (!rawprint(ndo, (caddr_t)(ext + 1), ntohs(e.len) - 4))
1561 goto trunc;
1562 }
1563 return (u_char *)ext + ntohs(e.len);
1564 trunc:
1565 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_HASH)));
1566 return NULL;
1567 }
1568
1569 static const u_char *
1570 ikev1_sig_print(netdissect_options *ndo, u_char tpay _U_,
1571 const struct isakmp_gen *ext, u_int item_len _U_,
1572 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_,
1573 uint32_t proto _U_, int depth _U_)
1574 {
1575 struct isakmp_gen e;
1576
1577 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_SIG)));
1578
1579 ND_TCHECK(*ext);
1580 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1581 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
1582 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1583 ND_PRINT((ndo," "));
1584 if (!rawprint(ndo, (caddr_t)(ext + 1), ntohs(e.len) - 4))
1585 goto trunc;
1586 }
1587 return (u_char *)ext + ntohs(e.len);
1588 trunc:
1589 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_SIG)));
1590 return NULL;
1591 }
1592
1593 static const u_char *
1594 ikev1_nonce_print(netdissect_options *ndo, u_char tpay _U_,
1595 const struct isakmp_gen *ext,
1596 u_int item_len _U_,
1597 const u_char *ep _U_,
1598 uint32_t phase _U_, uint32_t doi _U_,
1599 uint32_t proto _U_, int depth _U_)
1600 {
1601 struct isakmp_gen e;
1602
1603 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_NONCE)));
1604
1605 ND_TCHECK(*ext);
1606 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1607 ND_PRINT((ndo," n len=%d", ntohs(e.len) - 4));
1608 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1609 ND_PRINT((ndo," "));
1610 if (!rawprint(ndo, (caddr_t)(ext + 1), ntohs(e.len) - 4))
1611 goto trunc;
1612 } else if (1 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1613 ND_PRINT((ndo," "));
1614 if (!ike_show_somedata(ndo, (u_char *)(caddr_t)(ext + 1), ep))
1615 goto trunc;
1616 }
1617 return (u_char *)ext + ntohs(e.len);
1618 trunc:
1619 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_NONCE)));
1620 return NULL;
1621 }
1622
1623 static const u_char *
1624 ikev1_n_print(netdissect_options *ndo, u_char tpay _U_,
1625 const struct isakmp_gen *ext, u_int item_len,
1626 const u_char *ep, uint32_t phase, uint32_t doi0 _U_,
1627 uint32_t proto0 _U_, int depth)
1628 {
1629 struct ikev1_pl_n *p, n;
1630 const u_char *cp;
1631 u_char *ep2;
1632 uint32_t doi;
1633 uint32_t proto;
1634 static const char *notify_error_str[] = {
1635 NULL, "INVALID-PAYLOAD-TYPE",
1636 "DOI-NOT-SUPPORTED", "SITUATION-NOT-SUPPORTED",
1637 "INVALID-COOKIE", "INVALID-MAJOR-VERSION",
1638 "INVALID-MINOR-VERSION", "INVALID-EXCHANGE-TYPE",
1639 "INVALID-FLAGS", "INVALID-MESSAGE-ID",
1640 "INVALID-PROTOCOL-ID", "INVALID-SPI",
1641 "INVALID-TRANSFORM-ID", "ATTRIBUTES-NOT-SUPPORTED",
1642 "NO-PROPOSAL-CHOSEN", "BAD-PROPOSAL-SYNTAX",
1643 "PAYLOAD-MALFORMED", "INVALID-KEY-INFORMATION",
1644 "INVALID-ID-INFORMATION", "INVALID-CERT-ENCODING",
1645 "INVALID-CERTIFICATE", "CERT-TYPE-UNSUPPORTED",
1646 "INVALID-CERT-AUTHORITY", "INVALID-HASH-INFORMATION",
1647 "AUTHENTICATION-FAILED", "INVALID-SIGNATURE",
1648 "ADDRESS-NOTIFICATION", "NOTIFY-SA-LIFETIME",
1649 "CERTIFICATE-UNAVAILABLE", "UNSUPPORTED-EXCHANGE-TYPE",
1650 "UNEQUAL-PAYLOAD-LENGTHS",
1651 };
1652 static const char *ipsec_notify_error_str[] = {
1653 "RESERVED",
1654 };
1655 static const char *notify_status_str[] = {
1656 "CONNECTED",
1657 };
1658 static const char *ipsec_notify_status_str[] = {
1659 "RESPONDER-LIFETIME", "REPLAY-STATUS",
1660 "INITIAL-CONTACT",
1661 };
1662 /* NOTE: these macro must be called with x in proper range */
1663
1664 /* 0 - 8191 */
1665 #define NOTIFY_ERROR_STR(x) \
1666 STR_OR_ID((x), notify_error_str)
1667
1668 /* 8192 - 16383 */
1669 #define IPSEC_NOTIFY_ERROR_STR(x) \
1670 STR_OR_ID((u_int)((x) - 8192), ipsec_notify_error_str)
1671
1672 /* 16384 - 24575 */
1673 #define NOTIFY_STATUS_STR(x) \
1674 STR_OR_ID((u_int)((x) - 16384), notify_status_str)
1675
1676 /* 24576 - 32767 */
1677 #define IPSEC_NOTIFY_STATUS_STR(x) \
1678 STR_OR_ID((u_int)((x) - 24576), ipsec_notify_status_str)
1679
1680 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_N)));
1681
1682 p = (struct ikev1_pl_n *)ext;
1683 ND_TCHECK(*p);
1684 UNALIGNED_MEMCPY(&n, ext, sizeof(n));
1685 doi = ntohl(n.doi);
1686 proto = n.prot_id;
1687 if (doi != 1) {
1688 ND_PRINT((ndo," doi=%d", doi));
1689 ND_PRINT((ndo," proto=%d", proto));
1690 if (ntohs(n.type) < 8192)
1691 ND_PRINT((ndo," type=%s", NOTIFY_ERROR_STR(ntohs(n.type))));
1692 else if (ntohs(n.type) < 16384)
1693 ND_PRINT((ndo," type=%s", numstr(ntohs(n.type))));
1694 else if (ntohs(n.type) < 24576)
1695 ND_PRINT((ndo," type=%s", NOTIFY_STATUS_STR(ntohs(n.type))));
1696 else
1697 ND_PRINT((ndo," type=%s", numstr(ntohs(n.type))));
1698 if (n.spi_size) {
1699 ND_PRINT((ndo," spi="));
1700 if (!rawprint(ndo, (caddr_t)(p + 1), n.spi_size))
1701 goto trunc;
1702 }
1703 return (u_char *)(p + 1) + n.spi_size;
1704 }
1705
1706 ND_PRINT((ndo," doi=ipsec"));
1707 ND_PRINT((ndo," proto=%s", PROTOIDSTR(proto)));
1708 if (ntohs(n.type) < 8192)
1709 ND_PRINT((ndo," type=%s", NOTIFY_ERROR_STR(ntohs(n.type))));
1710 else if (ntohs(n.type) < 16384)
1711 ND_PRINT((ndo," type=%s", IPSEC_NOTIFY_ERROR_STR(ntohs(n.type))));
1712 else if (ntohs(n.type) < 24576)
1713 ND_PRINT((ndo," type=%s", NOTIFY_STATUS_STR(ntohs(n.type))));
1714 else if (ntohs(n.type) < 32768)
1715 ND_PRINT((ndo," type=%s", IPSEC_NOTIFY_STATUS_STR(ntohs(n.type))));
1716 else
1717 ND_PRINT((ndo," type=%s", numstr(ntohs(n.type))));
1718 if (n.spi_size) {
1719 ND_PRINT((ndo," spi="));
1720 if (!rawprint(ndo, (caddr_t)(p + 1), n.spi_size))
1721 goto trunc;
1722 }
1723
1724 cp = (u_char *)(p + 1) + n.spi_size;
1725 ep2 = (u_char *)p + item_len;
1726
1727 if (cp < ep) {
1728 ND_PRINT((ndo," orig=("));
1729 switch (ntohs(n.type)) {
1730 case IPSECDOI_NTYPE_RESPONDER_LIFETIME:
1731 {
1732 const struct attrmap *map = oakley_t_map;
1733 size_t nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]);
1734 while (cp < ep && cp < ep2) {
1735 cp = ikev1_attrmap_print(ndo, cp,
1736 (ep < ep2) ? ep : ep2, map, nmap);
1737 }
1738 break;
1739 }
1740 case IPSECDOI_NTYPE_REPLAY_STATUS:
1741 ND_PRINT((ndo,"replay detection %sabled",
1742 EXTRACT_32BITS(cp) ? "en" : "dis"));
1743 break;
1744 case ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN:
1745 if (ikev1_sub_print(ndo, ISAKMP_NPTYPE_SA,
1746 (struct isakmp_gen *)cp, ep, phase, doi, proto,
1747 depth) == NULL)
1748 return NULL;
1749 break;
1750 default:
1751 /* NULL is dummy */
1752 isakmp_print(ndo, cp,
1753 item_len - sizeof(*p) - n.spi_size,
1754 NULL);
1755 }
1756 ND_PRINT((ndo,")"));
1757 }
1758 return (u_char *)ext + item_len;
1759 trunc:
1760 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_N)));
1761 return NULL;
1762 }
1763
1764 static const u_char *
1765 ikev1_d_print(netdissect_options *ndo, u_char tpay _U_,
1766 const struct isakmp_gen *ext, u_int item_len _U_,
1767 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi0 _U_,
1768 uint32_t proto0 _U_, int depth _U_)
1769 {
1770 const struct ikev1_pl_d *p;
1771 struct ikev1_pl_d d;
1772 const uint8_t *q;
1773 uint32_t doi;
1774 uint32_t proto;
1775 int i;
1776
1777 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_D)));
1778
1779 p = (struct ikev1_pl_d *)ext;
1780 ND_TCHECK(*p);
1781 UNALIGNED_MEMCPY(&d, ext, sizeof(d));
1782 doi = ntohl(d.doi);
1783 proto = d.prot_id;
1784 if (doi != 1) {
1785 ND_PRINT((ndo," doi=%u", doi));
1786 ND_PRINT((ndo," proto=%u", proto));
1787 } else {
1788 ND_PRINT((ndo," doi=ipsec"));
1789 ND_PRINT((ndo," proto=%s", PROTOIDSTR(proto)));
1790 }
1791 ND_PRINT((ndo," spilen=%u", d.spi_size));
1792 ND_PRINT((ndo," nspi=%u", ntohs(d.num_spi)));
1793 ND_PRINT((ndo," spi="));
1794 q = (uint8_t *)(p + 1);
1795 for (i = 0; i < ntohs(d.num_spi); i++) {
1796 if (i != 0)
1797 ND_PRINT((ndo,","));
1798 if (!rawprint(ndo, (caddr_t)q, d.spi_size))
1799 goto trunc;
1800 q += d.spi_size;
1801 }
1802 return q;
1803 trunc:
1804 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_D)));
1805 return NULL;
1806 }
1807
1808 static const u_char *
1809 ikev1_vid_print(netdissect_options *ndo, u_char tpay _U_,
1810 const struct isakmp_gen *ext,
1811 u_int item_len _U_, const u_char *ep _U_,
1812 uint32_t phase _U_, uint32_t doi _U_,
1813 uint32_t proto _U_, int depth _U_)
1814 {
1815 struct isakmp_gen e;
1816
1817 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_VID)));
1818
1819 ND_TCHECK(*ext);
1820 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1821 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
1822 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1823 ND_PRINT((ndo," "));
1824 if (!rawprint(ndo, (caddr_t)(ext + 1), ntohs(e.len) - 4))
1825 goto trunc;
1826 }
1827 return (u_char *)ext + ntohs(e.len);
1828 trunc:
1829 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_VID)));
1830 return NULL;
1831 }
1832
1833 /************************************************************/
1834 /* */
1835 /* IKE v2 - rfc4306 - dissector */
1836 /* */
1837 /************************************************************/
1838
1839 static void
1840 ikev2_pay_print(netdissect_options *ndo, const char *payname, int critical)
1841 {
1842 ND_PRINT((ndo,"%s%s:", payname, critical&0x80 ? "[C]" : ""));
1843 }
1844
1845 static const u_char *
1846 ikev2_gen_print(netdissect_options *ndo, u_char tpay,
1847 const struct isakmp_gen *ext)
1848 {
1849 struct isakmp_gen e;
1850
1851 ND_TCHECK(*ext);
1852 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1853 ikev2_pay_print(ndo, NPSTR(tpay), e.critical);
1854
1855 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
1856 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1857 ND_PRINT((ndo," "));
1858 if (!rawprint(ndo, (caddr_t)(ext + 1), ntohs(e.len) - 4))
1859 goto trunc;
1860 }
1861 return (u_char *)ext + ntohs(e.len);
1862 trunc:
1863 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
1864 return NULL;
1865 }
1866
1867 static const u_char *
1868 ikev2_t_print(netdissect_options *ndo, u_char tpay _U_, int pcount,
1869 const struct isakmp_gen *ext, u_int item_len,
1870 const u_char *ep, uint32_t phase _U_, uint32_t doi _U_,
1871 uint32_t proto _U_, int depth _U_)
1872 {
1873 const struct ikev2_t *p;
1874 struct ikev2_t t;
1875 uint16_t t_id;
1876 const u_char *cp;
1877 const char *idstr;
1878 const struct attrmap *map;
1879 size_t nmap;
1880 const u_char *ep2;
1881
1882 p = (struct ikev2_t *)ext;
1883 ND_TCHECK(*p);
1884 UNALIGNED_MEMCPY(&t, ext, sizeof(t));
1885 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_T), t.h.critical);
1886
1887 t_id = ntohs(t.t_id);
1888
1889 map = NULL;
1890 nmap = 0;
1891
1892 switch (t.t_type) {
1893 case IV2_T_ENCR:
1894 idstr = STR_OR_ID(t_id, esp_p_map);
1895 map = encr_t_map;
1896 nmap = sizeof(encr_t_map)/sizeof(encr_t_map[0]);
1897 break;
1898
1899 case IV2_T_PRF:
1900 idstr = STR_OR_ID(t_id, prf_p_map);
1901 break;
1902
1903 case IV2_T_INTEG:
1904 idstr = STR_OR_ID(t_id, integ_p_map);
1905 break;
1906
1907 case IV2_T_DH:
1908 idstr = STR_OR_ID(t_id, dh_p_map);
1909 break;
1910
1911 case IV2_T_ESN:
1912 idstr = STR_OR_ID(t_id, esn_p_map);
1913 break;
1914
1915 default:
1916 idstr = NULL;
1917 break;
1918 }
1919
1920 if (idstr)
1921 ND_PRINT((ndo," #%u type=%s id=%s ", pcount,
1922 STR_OR_ID(t.t_type, ikev2_t_type_map),
1923 idstr));
1924 else
1925 ND_PRINT((ndo," #%u type=%s id=%u ", pcount,
1926 STR_OR_ID(t.t_type, ikev2_t_type_map),
1927 t.t_id));
1928 cp = (u_char *)(p + 1);
1929 ep2 = (u_char *)p + item_len;
1930 while (cp < ep && cp < ep2) {
1931 if (map && nmap) {
1932 cp = ikev1_attrmap_print(ndo, cp, (ep < ep2) ? ep : ep2,
1933 map, nmap);
1934 } else
1935 cp = ikev1_attr_print(ndo, cp, (ep < ep2) ? ep : ep2);
1936 }
1937 if (ep < ep2)
1938 ND_PRINT((ndo,"..."));
1939 return cp;
1940 trunc:
1941 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_T)));
1942 return NULL;
1943 }
1944
1945 static const u_char *
1946 ikev2_p_print(netdissect_options *ndo, u_char tpay _U_, int pcount _U_,
1947 const struct isakmp_gen *ext, u_int item_len _U_,
1948 const u_char *ep, uint32_t phase, uint32_t doi0,
1949 uint32_t proto0 _U_, int depth)
1950 {
1951 const struct ikev2_p *p;
1952 struct ikev2_p prop;
1953 const u_char *cp;
1954
1955 p = (struct ikev2_p *)ext;
1956 ND_TCHECK(*p);
1957 UNALIGNED_MEMCPY(&prop, ext, sizeof(prop));
1958 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_P), prop.h.critical);
1959
1960 ND_PRINT((ndo," #%u protoid=%s transform=%d len=%u",
1961 prop.p_no, PROTOIDSTR(prop.prot_id),
1962 prop.num_t, ntohs(prop.h.len)));
1963 if (prop.spi_size) {
1964 ND_PRINT((ndo," spi="));
1965 if (!rawprint(ndo, (caddr_t)(p + 1), prop.spi_size))
1966 goto trunc;
1967 }
1968
1969 ext = (struct isakmp_gen *)((u_char *)(p + 1) + prop.spi_size);
1970 ND_TCHECK(*ext);
1971
1972 cp = ikev2_sub_print(ndo, NULL, ISAKMP_NPTYPE_T, ext, ep, phase, doi0,
1973 prop.prot_id, depth);
1974
1975 return cp;
1976 trunc:
1977 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_P)));
1978 return NULL;
1979 }
1980
1981 static const u_char *
1982 ikev2_sa_print(netdissect_options *ndo, u_char tpay,
1983 const struct isakmp_gen *ext1,
1984 u_int item_len _U_, const u_char *ep _U_,
1985 uint32_t phase _U_, uint32_t doi _U_,
1986 uint32_t proto _U_, int depth _U_)
1987 {
1988 struct isakmp_gen e;
1989 int osa_length, sa_length;
1990
1991 ND_TCHECK(*ext1);
1992 UNALIGNED_MEMCPY(&e, ext1, sizeof(e));
1993 ikev2_pay_print(ndo, "sa", e.critical);
1994
1995 osa_length= ntohs(e.len);
1996 sa_length = osa_length - 4;
1997 ND_PRINT((ndo," len=%d", sa_length));
1998
1999 ikev2_sub_print(ndo, NULL, ISAKMP_NPTYPE_P,
2000 ext1+1, ep,
2001 0, 0, 0, depth);
2002
2003 return (u_char *)ext1 + osa_length;
2004 trunc:
2005 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2006 return NULL;
2007 }
2008
2009 static const u_char *
2010 ikev2_ke_print(netdissect_options *ndo, u_char tpay,
2011 const struct isakmp_gen *ext,
2012 u_int item_len _U_, const u_char *ep _U_,
2013 uint32_t phase _U_, uint32_t doi _U_,
2014 uint32_t proto _U_, int depth _U_)
2015 {
2016 struct ikev2_ke ke;
2017 struct ikev2_ke *k;
2018
2019 k = (struct ikev2_ke *)ext;
2020 ND_TCHECK(*ext);
2021 UNALIGNED_MEMCPY(&ke, ext, sizeof(ke));
2022 ikev2_pay_print(ndo, NPSTR(tpay), ke.h.critical);
2023
2024 ND_PRINT((ndo," len=%u group=%s", ntohs(ke.h.len) - 8,
2025 STR_OR_ID(ntohs(ke.ke_group), dh_p_map)));
2026
2027 if (2 < ndo->ndo_vflag && 8 < ntohs(ke.h.len)) {
2028 ND_PRINT((ndo," "));
2029 if (!rawprint(ndo, (caddr_t)(k + 1), ntohs(ke.h.len) - 8))
2030 goto trunc;
2031 }
2032 return (u_char *)ext + ntohs(ke.h.len);
2033 trunc:
2034 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2035 return NULL;
2036 }
2037
2038 static const u_char *
2039 ikev2_ID_print(netdissect_options *ndo, u_char tpay,
2040 const struct isakmp_gen *ext,
2041 u_int item_len _U_, const u_char *ep _U_,
2042 uint32_t phase _U_, uint32_t doi _U_,
2043 uint32_t proto _U_, int depth _U_)
2044 {
2045 struct ikev2_id id;
2046 int id_len, idtype_len, i;
2047 unsigned int dumpascii, dumphex;
2048 unsigned char *typedata;
2049
2050 ND_TCHECK(*ext);
2051 UNALIGNED_MEMCPY(&id, ext, sizeof(id));
2052 ikev2_pay_print(ndo, NPSTR(tpay), id.h.critical);
2053
2054 id_len = ntohs(id.h.len);
2055
2056 ND_PRINT((ndo," len=%d", id_len - 4));
2057 if (2 < ndo->ndo_vflag && 4 < id_len) {
2058 ND_PRINT((ndo," "));
2059 if (!rawprint(ndo, (caddr_t)(ext + 1), id_len - 4))
2060 goto trunc;
2061 }
2062
2063 idtype_len =id_len - sizeof(struct ikev2_id);
2064 dumpascii = 0;
2065 dumphex = 0;
2066 typedata = (unsigned char *)(ext)+sizeof(struct ikev2_id);
2067
2068 switch(id.type) {
2069 case ID_IPV4_ADDR:
2070 ND_PRINT((ndo, " ipv4:"));
2071 dumphex=1;
2072 break;
2073 case ID_FQDN:
2074 ND_PRINT((ndo, " fqdn:"));
2075 dumpascii=1;
2076 break;
2077 case ID_RFC822_ADDR:
2078 ND_PRINT((ndo, " rfc822:"));
2079 dumpascii=1;
2080 break;
2081 case ID_IPV6_ADDR:
2082 ND_PRINT((ndo, " ipv6:"));
2083 dumphex=1;
2084 break;
2085 case ID_DER_ASN1_DN:
2086 ND_PRINT((ndo, " dn:"));
2087 dumphex=1;
2088 break;
2089 case ID_DER_ASN1_GN:
2090 ND_PRINT((ndo, " gn:"));
2091 dumphex=1;
2092 break;
2093 case ID_KEY_ID:
2094 ND_PRINT((ndo, " keyid:"));
2095 dumphex=1;
2096 break;
2097 }
2098
2099 if(dumpascii) {
2100 ND_TCHECK2(*typedata, idtype_len);
2101 for(i=0; i<idtype_len; i++) {
2102 if(ND_ISPRINT(typedata[i])) {
2103 ND_PRINT((ndo, "%c", typedata[i]));
2104 } else {
2105 ND_PRINT((ndo, "."));
2106 }
2107 }
2108 }
2109 if(dumphex) {
2110 if (!rawprint(ndo, (caddr_t)typedata, idtype_len))
2111 goto trunc;
2112 }
2113
2114 return (u_char *)ext + id_len;
2115 trunc:
2116 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2117 return NULL;
2118 }
2119
2120 static const u_char *
2121 ikev2_cert_print(netdissect_options *ndo, u_char tpay,
2122 const struct isakmp_gen *ext,
2123 u_int item_len _U_, const u_char *ep _U_,
2124 uint32_t phase _U_, uint32_t doi _U_,
2125 uint32_t proto _U_, int depth _U_)
2126 {
2127 return ikev2_gen_print(ndo, tpay, ext);
2128 }
2129
2130 static const u_char *
2131 ikev2_cr_print(netdissect_options *ndo, u_char tpay,
2132 const struct isakmp_gen *ext,
2133 u_int item_len _U_, const u_char *ep _U_,
2134 uint32_t phase _U_, uint32_t doi _U_,
2135 uint32_t proto _U_, int depth _U_)
2136 {
2137 return ikev2_gen_print(ndo, tpay, ext);
2138 }
2139
2140 static const u_char *
2141 ikev2_auth_print(netdissect_options *ndo, u_char tpay,
2142 const struct isakmp_gen *ext,
2143 u_int item_len _U_, const u_char *ep _U_,
2144 uint32_t phase _U_, uint32_t doi _U_,
2145 uint32_t proto _U_, int depth _U_)
2146 {
2147 struct ikev2_auth a;
2148 const char *v2_auth[]={ "invalid", "rsasig",
2149 "shared-secret", "dsssig" };
2150 u_char *authdata = (u_char*)ext + sizeof(a);
2151 unsigned int len;
2152
2153 ND_TCHECK(*ext);
2154 UNALIGNED_MEMCPY(&a, ext, sizeof(a));
2155 ikev2_pay_print(ndo, NPSTR(tpay), a.h.critical);
2156 len = ntohs(a.h.len);
2157
2158 ND_PRINT((ndo," len=%d method=%s", len-4,
2159 STR_OR_ID(a.auth_method, v2_auth)));
2160
2161 if (1 < ndo->ndo_vflag && 4 < len) {
2162 ND_PRINT((ndo," authdata=("));
2163 if (!rawprint(ndo, (caddr_t)authdata, len - sizeof(a)))
2164 goto trunc;
2165 ND_PRINT((ndo,") "));
2166 } else if(ndo->ndo_vflag && 4 < len) {
2167 if(!ike_show_somedata(ndo, authdata, ep)) goto trunc;
2168 }
2169
2170 return (u_char *)ext + len;
2171 trunc:
2172 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2173 return NULL;
2174 }
2175
2176 static const u_char *
2177 ikev2_nonce_print(netdissect_options *ndo, u_char tpay,
2178 const struct isakmp_gen *ext,
2179 u_int item_len _U_, const u_char *ep _U_,
2180 uint32_t phase _U_, uint32_t doi _U_,
2181 uint32_t proto _U_, int depth _U_)
2182 {
2183 struct isakmp_gen e;
2184
2185 ND_TCHECK(*ext);
2186 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2187 ikev2_pay_print(ndo, "nonce", e.critical);
2188
2189 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
2190 if (1 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
2191 ND_PRINT((ndo," nonce=("));
2192 if (!rawprint(ndo, (caddr_t)(ext + 1), ntohs(e.len) - 4))
2193 goto trunc;
2194 ND_PRINT((ndo,") "));
2195 } else if(ndo->ndo_vflag && 4 < ntohs(e.len)) {
2196 if(!ike_show_somedata(ndo, (const u_char *)(ext+1), ep)) goto trunc;
2197 }
2198
2199 return (u_char *)ext + ntohs(e.len);
2200 trunc:
2201 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2202 return NULL;
2203 }
2204
2205 /* notify payloads */
2206 static const u_char *
2207 ikev2_n_print(netdissect_options *ndo, u_char tpay _U_,
2208 const struct isakmp_gen *ext,
2209 u_int item_len _U_, const u_char *ep _U_,
2210 uint32_t phase _U_, uint32_t doi _U_,
2211 uint32_t proto _U_, int depth _U_)
2212 {
2213 struct ikev2_n *p, n;
2214 const u_char *cp;
2215 u_char showspi, showdata, showsomedata;
2216 const char *notify_name;
2217 uint32_t type;
2218
2219 p = (struct ikev2_n *)ext;
2220 ND_TCHECK(*p);
2221 UNALIGNED_MEMCPY(&n, ext, sizeof(n));
2222 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_N), n.h.critical);
2223
2224 showspi = 1;
2225 showdata = 0;
2226 showsomedata=0;
2227 notify_name=NULL;
2228
2229 ND_PRINT((ndo," prot_id=%s", PROTOIDSTR(n.prot_id)));
2230
2231 type = ntohs(n.type);
2232
2233 /* notify space is annoying sparse */
2234 switch(type) {
2235 case IV2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD:
2236 notify_name = "unsupported_critical_payload";
2237 showspi = 0;
2238 break;
2239
2240 case IV2_NOTIFY_INVALID_IKE_SPI:
2241 notify_name = "invalid_ike_spi";
2242 showspi = 1;
2243 break;
2244
2245 case IV2_NOTIFY_INVALID_MAJOR_VERSION:
2246 notify_name = "invalid_major_version";
2247 showspi = 0;
2248 break;
2249
2250 case IV2_NOTIFY_INVALID_SYNTAX:
2251 notify_name = "invalid_syntax";
2252 showspi = 1;
2253 break;
2254
2255 case IV2_NOTIFY_INVALID_MESSAGE_ID:
2256 notify_name = "invalid_message_id";
2257 showspi = 1;
2258 break;
2259
2260 case IV2_NOTIFY_INVALID_SPI:
2261 notify_name = "invalid_spi";
2262 showspi = 1;
2263 break;
2264
2265 case IV2_NOTIFY_NO_PROPOSAL_CHOSEN:
2266 notify_name = "no_protocol_chosen";
2267 showspi = 1;
2268 break;
2269
2270 case IV2_NOTIFY_INVALID_KE_PAYLOAD:
2271 notify_name = "invalid_ke_payload";
2272 showspi = 1;
2273 break;
2274
2275 case IV2_NOTIFY_AUTHENTICATION_FAILED:
2276 notify_name = "authentication_failed";
2277 showspi = 1;
2278 break;
2279
2280 case IV2_NOTIFY_SINGLE_PAIR_REQUIRED:
2281 notify_name = "single_pair_required";
2282 showspi = 1;
2283 break;
2284
2285 case IV2_NOTIFY_NO_ADDITIONAL_SAS:
2286 notify_name = "no_additional_sas";
2287 showspi = 0;
2288 break;
2289
2290 case IV2_NOTIFY_INTERNAL_ADDRESS_FAILURE:
2291 notify_name = "internal_address_failure";
2292 showspi = 0;
2293 break;
2294
2295 case IV2_NOTIFY_FAILED_CP_REQUIRED:
2296 notify_name = "failed:cp_required";
2297 showspi = 0;
2298 break;
2299
2300 case IV2_NOTIFY_INVALID_SELECTORS:
2301 notify_name = "invalid_selectors";
2302 showspi = 0;
2303 break;
2304
2305 case IV2_NOTIFY_INITIAL_CONTACT:
2306 notify_name = "initial_contact";
2307 showspi = 0;
2308 break;
2309
2310 case IV2_NOTIFY_SET_WINDOW_SIZE:
2311 notify_name = "set_window_size";
2312 showspi = 0;
2313 break;
2314
2315 case IV2_NOTIFY_ADDITIONAL_TS_POSSIBLE:
2316 notify_name = "additional_ts_possible";
2317 showspi = 0;
2318 break;
2319
2320 case IV2_NOTIFY_IPCOMP_SUPPORTED:
2321 notify_name = "ipcomp_supported";
2322 showspi = 0;
2323 break;
2324
2325 case IV2_NOTIFY_NAT_DETECTION_SOURCE_IP:
2326 notify_name = "nat_detection_source_ip";
2327 showspi = 1;
2328 break;
2329
2330 case IV2_NOTIFY_NAT_DETECTION_DESTINATION_IP:
2331 notify_name = "nat_detection_destination_ip";
2332 showspi = 1;
2333 break;
2334
2335 case IV2_NOTIFY_COOKIE:
2336 notify_name = "cookie";
2337 showspi = 1;
2338 showsomedata= 1;
2339 showdata= 0;
2340 break;
2341
2342 case IV2_NOTIFY_USE_TRANSPORT_MODE:
2343 notify_name = "use_transport_mode";
2344 showspi = 0;
2345 break;
2346
2347 case IV2_NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED:
2348 notify_name = "http_cert_lookup_supported";
2349 showspi = 0;
2350 break;
2351
2352 case IV2_NOTIFY_REKEY_SA:
2353 notify_name = "rekey_sa";
2354 showspi = 1;
2355 break;
2356
2357 case IV2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED:
2358 notify_name = "tfc_padding_not_supported";
2359 showspi = 0;
2360 break;
2361
2362 case IV2_NOTIFY_NON_FIRST_FRAGMENTS_ALSO:
2363 notify_name = "non_first_fragment_also";
2364 showspi = 0;
2365 break;
2366
2367 default:
2368 if (type < 8192) {
2369 notify_name="error";
2370 } else if(type < 16384) {
2371 notify_name="private-error";
2372 } else if(type < 40960) {
2373 notify_name="status";
2374 } else {
2375 notify_name="private-status";
2376 }
2377 }
2378
2379 if(notify_name) {
2380 ND_PRINT((ndo," type=%u(%s)", type, notify_name));
2381 }
2382
2383
2384 if (showspi && n.spi_size) {
2385 ND_PRINT((ndo," spi="));
2386 if (!rawprint(ndo, (caddr_t)(p + 1), n.spi_size))
2387 goto trunc;
2388 }
2389
2390 cp = (u_char *)(p + 1) + n.spi_size;
2391
2392 if(3 < ndo->ndo_vflag) {
2393 showdata = 1;
2394 }
2395
2396 if ((showdata || (showsomedata && ep-cp < 30)) && cp < ep) {
2397 ND_PRINT((ndo," data=("));
2398 if (!rawprint(ndo, (caddr_t)(cp), ep - cp))
2399 goto trunc;
2400
2401 ND_PRINT((ndo,")"));
2402
2403 } else if(showsomedata && cp < ep) {
2404 if(!ike_show_somedata(ndo, cp, ep)) goto trunc;
2405 }
2406
2407 return (u_char *)ext + item_len;
2408 trunc:
2409 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_N)));
2410 return NULL;
2411 }
2412
2413 static const u_char *
2414 ikev2_d_print(netdissect_options *ndo, u_char tpay,
2415 const struct isakmp_gen *ext,
2416 u_int item_len _U_, const u_char *ep _U_,
2417 uint32_t phase _U_, uint32_t doi _U_,
2418 uint32_t proto _U_, int depth _U_)
2419 {
2420 return ikev2_gen_print(ndo, tpay, ext);
2421 }
2422
2423 static const u_char *
2424 ikev2_vid_print(netdissect_options *ndo, u_char tpay,
2425 const struct isakmp_gen *ext,
2426 u_int item_len _U_, const u_char *ep _U_,
2427 uint32_t phase _U_, uint32_t doi _U_,
2428 uint32_t proto _U_, int depth _U_)
2429 {
2430 struct isakmp_gen e;
2431 const u_char *vid;
2432 int i, len;
2433
2434 ND_TCHECK(*ext);
2435 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2436 ikev2_pay_print(ndo, NPSTR(tpay), e.critical);
2437 ND_PRINT((ndo," len=%d vid=", ntohs(e.len) - 4));
2438
2439 vid = (const u_char *)(ext+1);
2440 len = ntohs(e.len) - 4;
2441 ND_TCHECK2(*vid, len);
2442 for(i=0; i<len; i++) {
2443 if(ND_ISPRINT(vid[i])) ND_PRINT((ndo, "%c", vid[i]));
2444 else ND_PRINT((ndo, "."));
2445 }
2446 if (2 < ndo->ndo_vflag && 4 < len) {
2447 ND_PRINT((ndo," "));
2448 if (!rawprint(ndo, (caddr_t)(ext + 1), ntohs(e.len) - 4))
2449 goto trunc;
2450 }
2451 return (u_char *)ext + ntohs(e.len);
2452 trunc:
2453 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2454 return NULL;
2455 }
2456
2457 static const u_char *
2458 ikev2_TS_print(netdissect_options *ndo, u_char tpay,
2459 const struct isakmp_gen *ext,
2460 u_int item_len _U_, const u_char *ep _U_,
2461 uint32_t phase _U_, uint32_t doi _U_,
2462 uint32_t proto _U_, int depth _U_)
2463 {
2464 return ikev2_gen_print(ndo, tpay, ext);
2465 }
2466
2467 static const u_char *
2468 ikev2_e_print(netdissect_options *ndo,
2469 #ifndef HAVE_LIBCRYPTO
2470 _U_
2471 #endif
2472 struct isakmp *base,
2473 u_char tpay,
2474 const struct isakmp_gen *ext,
2475 u_int item_len _U_, const u_char *ep _U_,
2476 #ifndef HAVE_LIBCRYPTO
2477 _U_
2478 #endif
2479 uint32_t phase,
2480 #ifndef HAVE_LIBCRYPTO
2481 _U_
2482 #endif
2483 uint32_t doi,
2484 #ifndef HAVE_LIBCRYPTO
2485 _U_
2486 #endif
2487 uint32_t proto,
2488 #ifndef HAVE_LIBCRYPTO
2489 _U_
2490 #endif
2491 int depth)
2492 {
2493 struct isakmp_gen e;
2494 u_char *dat;
2495 volatile int dlen;
2496
2497 ND_TCHECK(*ext);
2498 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2499 ikev2_pay_print(ndo, NPSTR(tpay), e.critical);
2500
2501 dlen = ntohs(e.len)-4;
2502
2503 ND_PRINT((ndo," len=%d", dlen));
2504 if (2 < ndo->ndo_vflag && 4 < dlen) {
2505 ND_PRINT((ndo," "));
2506 if (!rawprint(ndo, (caddr_t)(ext + 1), dlen))
2507 goto trunc;
2508 }
2509
2510 dat = (u_char *)(ext+1);
2511 ND_TCHECK2(*dat, dlen);
2512
2513 #ifdef HAVE_LIBCRYPTO
2514 /* try to decypt it! */
2515 if(esp_print_decrypt_buffer_by_ikev2(ndo,
2516 base->flags & ISAKMP_FLAG_I,
2517 base->i_ck, base->r_ck,
2518 dat, dat+dlen)) {
2519
2520 ext = (const struct isakmp_gen *)ndo->ndo_packetp;
2521
2522 /* got it decrypted, print stuff inside. */
2523 ikev2_sub_print(ndo, base, e.np, ext, ndo->ndo_snapend,
2524 phase, doi, proto, depth+1);
2525 }
2526 #endif
2527
2528
2529 /* always return NULL, because E must be at end, and NP refers
2530 * to what was inside.
2531 */
2532 return NULL;
2533 trunc:
2534 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2535 return NULL;
2536 }
2537
2538 static const u_char *
2539 ikev2_cp_print(netdissect_options *ndo, u_char tpay,
2540 const struct isakmp_gen *ext,
2541 u_int item_len _U_, const u_char *ep _U_,
2542 uint32_t phase _U_, uint32_t doi _U_,
2543 uint32_t proto _U_, int depth _U_)
2544 {
2545 return ikev2_gen_print(ndo, tpay, ext);
2546 }
2547
2548 static const u_char *
2549 ikev2_eap_print(netdissect_options *ndo, u_char tpay,
2550 const struct isakmp_gen *ext,
2551 u_int item_len _U_, const u_char *ep _U_,
2552 uint32_t phase _U_, uint32_t doi _U_,
2553 uint32_t proto _U_, int depth _U_)
2554 {
2555 return ikev2_gen_print(ndo, tpay, ext);
2556 }
2557
2558 static const u_char *
2559 ike_sub0_print(netdissect_options *ndo,
2560 u_char np, const struct isakmp_gen *ext, const u_char *ep,
2561
2562 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
2563 {
2564 const u_char *cp;
2565 struct isakmp_gen e;
2566 u_int item_len;
2567
2568 cp = (u_char *)ext;
2569 ND_TCHECK(*ext);
2570 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2571
2572 /*
2573 * Since we can't have a payload length of less than 4 bytes,
2574 * we need to bail out here if the generic header is nonsensical
2575 * or truncated, otherwise we could loop forever processing
2576 * zero-length items or otherwise misdissect the packet.
2577 */
2578 item_len = ntohs(e.len);
2579 if (item_len <= 4)
2580 return NULL;
2581
2582 if (NPFUNC(np)) {
2583 /*
2584 * XXX - what if item_len is too short, or too long,
2585 * for this payload type?
2586 */
2587 cp = (*npfunc[np])(ndo, np, ext, item_len, ep, phase, doi, proto, depth);
2588 } else {
2589 ND_PRINT((ndo,"%s", NPSTR(np)));
2590 cp += item_len;
2591 }
2592
2593 return cp;
2594 trunc:
2595 ND_PRINT((ndo," [|isakmp]"));
2596 return NULL;
2597 }
2598
2599 static const u_char *
2600 ikev1_sub_print(netdissect_options *ndo,
2601 u_char np, const struct isakmp_gen *ext, const u_char *ep,
2602 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
2603 {
2604 const u_char *cp;
2605 int i;
2606 struct isakmp_gen e;
2607
2608 cp = (const u_char *)ext;
2609
2610 while (np) {
2611 ND_TCHECK(*ext);
2612
2613 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2614
2615 ND_TCHECK2(*ext, ntohs(e.len));
2616
2617 depth++;
2618 ND_PRINT((ndo,"\n"));
2619 for (i = 0; i < depth; i++)
2620 ND_PRINT((ndo," "));
2621 ND_PRINT((ndo,"("));
2622 cp = ike_sub0_print(ndo, np, ext, ep, phase, doi, proto, depth);
2623 ND_PRINT((ndo,")"));
2624 depth--;
2625
2626 if (cp == NULL) {
2627 /* Zero-length subitem */
2628 return NULL;
2629 }
2630
2631 np = e.np;
2632 ext = (struct isakmp_gen *)cp;
2633 }
2634 return cp;
2635 trunc:
2636 ND_PRINT((ndo," [|%s]", NPSTR(np)));
2637 return NULL;
2638 }
2639
2640 static char *
2641 numstr(int x)
2642 {
2643 static char buf[20];
2644 snprintf(buf, sizeof(buf), "#%d", x);
2645 return buf;
2646 }
2647
2648 static void
2649 ikev1_print(netdissect_options *ndo,
2650 const u_char *bp, u_int length,
2651 const u_char *bp2, struct isakmp *base)
2652 {
2653 const struct isakmp *p;
2654 const u_char *ep;
2655 u_char np;
2656 int i;
2657 int phase;
2658
2659 p = (const struct isakmp *)bp;
2660 ep = ndo->ndo_snapend;
2661
2662 phase = (EXTRACT_32BITS(base->msgid) == 0) ? 1 : 2;
2663 if (phase == 1)
2664 ND_PRINT((ndo," phase %d", phase));
2665 else
2666 ND_PRINT((ndo," phase %d/others", phase));
2667
2668 i = cookie_find(&base->i_ck);
2669 if (i < 0) {
2670 if (iszero((u_char *)&base->r_ck, sizeof(base->r_ck))) {
2671 /* the first packet */
2672 ND_PRINT((ndo," I"));
2673 if (bp2)
2674 cookie_record(&base->i_ck, bp2);
2675 } else
2676 ND_PRINT((ndo," ?"));
2677 } else {
2678 if (bp2 && cookie_isinitiator(i, bp2))
2679 ND_PRINT((ndo," I"));
2680 else if (bp2 && cookie_isresponder(i, bp2))
2681 ND_PRINT((ndo," R"));
2682 else
2683 ND_PRINT((ndo," ?"));
2684 }
2685
2686 ND_PRINT((ndo," %s", ETYPESTR(base->etype)));
2687 if (base->flags) {
2688 ND_PRINT((ndo,"[%s%s]", base->flags & ISAKMP_FLAG_E ? "E" : "",
2689 base->flags & ISAKMP_FLAG_C ? "C" : ""));
2690 }
2691
2692 if (ndo->ndo_vflag) {
2693 const struct isakmp_gen *ext;
2694
2695 ND_PRINT((ndo,":"));
2696
2697 /* regardless of phase... */
2698 if (base->flags & ISAKMP_FLAG_E) {
2699 /*
2700 * encrypted, nothing we can do right now.
2701 * we hope to decrypt the packet in the future...
2702 */
2703 ND_PRINT((ndo," [encrypted %s]", NPSTR(base->np)));
2704 goto done;
2705 }
2706
2707 CHECKLEN(p + 1, base->np);
2708 np = base->np;
2709 ext = (struct isakmp_gen *)(p + 1);
2710 ikev1_sub_print(ndo, np, ext, ep, phase, 0, 0, 0);
2711 }
2712
2713 done:
2714 if (ndo->ndo_vflag) {
2715 if (ntohl(base->len) != length) {
2716 ND_PRINT((ndo," (len mismatch: isakmp %u/ip %u)",
2717 (uint32_t)ntohl(base->len), length));
2718 }
2719 }
2720 }
2721
2722 static const u_char *
2723 ikev2_sub0_print(netdissect_options *ndo, struct isakmp *base,
2724 u_char np, int pcount,
2725 const struct isakmp_gen *ext, const u_char *ep,
2726 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
2727 {
2728 const u_char *cp;
2729 struct isakmp_gen e;
2730 u_int item_len;
2731
2732 cp = (u_char *)ext;
2733 ND_TCHECK(*ext);
2734 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2735
2736 /*
2737 * Since we can't have a payload length of less than 4 bytes,
2738 * we need to bail out here if the generic header is nonsensical
2739 * or truncated, otherwise we could loop forever processing
2740 * zero-length items or otherwise misdissect the packet.
2741 */
2742 item_len = ntohs(e.len);
2743 if (item_len <= 4)
2744 return NULL;
2745
2746 if(np == ISAKMP_NPTYPE_P) {
2747 cp = ikev2_p_print(ndo, np, pcount, ext, item_len,
2748 ep, phase, doi, proto, depth);
2749 } else if(np == ISAKMP_NPTYPE_T) {
2750 cp = ikev2_t_print(ndo, np, pcount, ext, item_len,
2751 ep, phase, doi, proto, depth);
2752 } else if(np == ISAKMP_NPTYPE_v2E) {
2753 cp = ikev2_e_print(ndo, base, np, ext, item_len,
2754 ep, phase, doi, proto, depth);
2755 } else if (NPFUNC(np)) {
2756 /*
2757 * XXX - what if item_len is too short, or too long,
2758 * for this payload type?
2759 */
2760 cp = (*npfunc[np])(ndo, np, /*pcount,*/ ext, item_len,
2761 ep, phase, doi, proto, depth);
2762 } else {
2763 ND_PRINT((ndo,"%s", NPSTR(np)));
2764 cp += item_len;
2765 }
2766
2767 return cp;
2768 trunc:
2769 ND_PRINT((ndo," [|isakmp]"));
2770 return NULL;
2771 }
2772
2773 static const u_char *
2774 ikev2_sub_print(netdissect_options *ndo,
2775 struct isakmp *base,
2776 u_char np, const struct isakmp_gen *ext, const u_char *ep,
2777 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
2778 {
2779 const u_char *cp;
2780 int i;
2781 int pcount;
2782 struct isakmp_gen e;
2783
2784 cp = (const u_char *)ext;
2785 pcount = 0;
2786 while (np) {
2787 pcount++;
2788 ND_TCHECK(*ext);
2789
2790 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2791
2792 ND_TCHECK2(*ext, ntohs(e.len));
2793
2794 depth++;
2795 ND_PRINT((ndo,"\n"));
2796 for (i = 0; i < depth; i++)
2797 ND_PRINT((ndo," "));
2798 ND_PRINT((ndo,"("));
2799 cp = ikev2_sub0_print(ndo, base, np, pcount,
2800 ext, ep, phase, doi, proto, depth);
2801 ND_PRINT((ndo,")"));
2802 depth--;
2803
2804 if (cp == NULL) {
2805 /* Zero-length subitem */
2806 return NULL;
2807 }
2808
2809 np = e.np;
2810 ext = (struct isakmp_gen *)cp;
2811 }
2812 return cp;
2813 trunc:
2814 ND_PRINT((ndo," [|%s]", NPSTR(np)));
2815 return NULL;
2816 }
2817
2818 static void
2819 ikev2_print(netdissect_options *ndo,
2820 const u_char *bp, u_int length,
2821 const u_char *bp2 _U_, struct isakmp *base)
2822 {
2823 const struct isakmp *p;
2824 const u_char *ep;
2825 u_char np;
2826 int phase;
2827
2828 p = (const struct isakmp *)bp;
2829 ep = ndo->ndo_snapend;
2830
2831 phase = (EXTRACT_32BITS(base->msgid) == 0) ? 1 : 2;
2832 if (phase == 1)
2833 ND_PRINT((ndo, " parent_sa"));
2834 else
2835 ND_PRINT((ndo, " child_sa "));
2836
2837 ND_PRINT((ndo, " %s", ETYPESTR(base->etype)));
2838 if (base->flags) {
2839 ND_PRINT((ndo, "[%s%s%s]",
2840 base->flags & ISAKMP_FLAG_I ? "I" : "",
2841 base->flags & ISAKMP_FLAG_V ? "V" : "",
2842 base->flags & ISAKMP_FLAG_R ? "R" : ""));
2843 }
2844
2845 if (ndo->ndo_vflag) {
2846 const struct isakmp_gen *ext;
2847
2848 ND_PRINT((ndo, ":"));
2849
2850 /* regardless of phase... */
2851 if (base->flags & ISAKMP_FLAG_E) {
2852 /*
2853 * encrypted, nothing we can do right now.
2854 * we hope to decrypt the packet in the future...
2855 */
2856 ND_PRINT((ndo, " [encrypted %s]", NPSTR(base->np)));
2857 goto done;
2858 }
2859
2860 CHECKLEN(p + 1, base->np)
2861
2862 np = base->np;
2863 ext = (struct isakmp_gen *)(p + 1);
2864 ikev2_sub_print(ndo, base, np, ext, ep, phase, 0, 0, 0);
2865 }
2866
2867 done:
2868 if (ndo->ndo_vflag) {
2869 if (ntohl(base->len) != length) {
2870 ND_PRINT((ndo, " (len mismatch: isakmp %u/ip %u)",
2871 (uint32_t)ntohl(base->len), length));
2872 }
2873 }
2874 }
2875
2876 void
2877 isakmp_print(netdissect_options *ndo,
2878 const u_char *bp, u_int length,
2879 const u_char *bp2)
2880 {
2881 const struct isakmp *p;
2882 struct isakmp base;
2883 const u_char *ep;
2884 int major, minor;
2885
2886 #ifdef HAVE_LIBCRYPTO
2887 /* initialize SAs */
2888 if (ndo->ndo_sa_list_head == NULL) {
2889 if (ndo->ndo_espsecret)
2890 esp_print_decodesecret(ndo);
2891 }
2892 #endif
2893
2894 p = (const struct isakmp *)bp;
2895 ep = ndo->ndo_snapend;
2896
2897 if ((struct isakmp *)ep < p + 1) {
2898 ND_PRINT((ndo,"[|isakmp]"));
2899 return;
2900 }
2901
2902 UNALIGNED_MEMCPY(&base, p, sizeof(base));
2903
2904 ND_PRINT((ndo,"isakmp"));
2905 major = (base.vers & ISAKMP_VERS_MAJOR)
2906 >> ISAKMP_VERS_MAJOR_SHIFT;
2907 minor = (base.vers & ISAKMP_VERS_MINOR)
2908 >> ISAKMP_VERS_MINOR_SHIFT;
2909
2910 if (ndo->ndo_vflag) {
2911 ND_PRINT((ndo," %d.%d", major, minor));
2912 }
2913
2914 if (ndo->ndo_vflag) {
2915 ND_PRINT((ndo," msgid "));
2916 hexprint(ndo, (caddr_t)&base.msgid, sizeof(base.msgid));
2917 }
2918
2919 if (1 < ndo->ndo_vflag) {
2920 ND_PRINT((ndo," cookie "));
2921 hexprint(ndo, (caddr_t)&base.i_ck, sizeof(base.i_ck));
2922 ND_PRINT((ndo,"->"));
2923 hexprint(ndo, (caddr_t)&base.r_ck, sizeof(base.r_ck));
2924 }
2925 ND_PRINT((ndo,":"));
2926
2927 switch(major) {
2928 case IKEv1_MAJOR_VERSION:
2929 ikev1_print(ndo, bp, length, bp2, &base);
2930 break;
2931
2932 case IKEv2_MAJOR_VERSION:
2933 ikev2_print(ndo, bp, length, bp2, &base);
2934 break;
2935 }
2936 }
2937
2938 void
2939 isakmp_rfc3948_print(netdissect_options *ndo,
2940 const u_char *bp, u_int length,
2941 const u_char *bp2)
2942 {
2943
2944 if(length == 1 && bp[0]==0xff) {
2945 ND_PRINT((ndo, "isakmp-nat-keep-alive"));
2946 return;
2947 }
2948
2949 if(length < 4) {
2950 goto trunc;
2951 }
2952
2953 /*
2954 * see if this is an IKE packet
2955 */
2956 if(bp[0]==0 && bp[1]==0 && bp[2]==0 && bp[3]==0) {
2957 ND_PRINT((ndo, "NONESP-encap: "));
2958 isakmp_print(ndo, bp+4, length-4, bp2);
2959 return;
2960 }
2961
2962 /* must be an ESP packet */
2963 {
2964 int nh, enh, padlen;
2965 int advance;
2966
2967 ND_PRINT((ndo, "UDP-encap: "));
2968
2969 advance = esp_print(ndo, bp, length, bp2, &enh, &padlen);
2970 if(advance <= 0)
2971 return;
2972
2973 bp += advance;
2974 length -= advance + padlen;
2975 nh = enh & 0xff;
2976
2977 ip_print_inner(ndo, bp, length, nh, bp2);
2978 return;
2979 }
2980
2981 trunc:
2982 ND_PRINT((ndo,"[|isakmp]"));
2983 return;
2984 }
2985
2986 /*
2987 * Local Variables:
2988 * c-style: whitesmith
2989 * c-basic-offset: 8
2990 * End:
2991 */
2992
2993
2994
2995
[mirror] the TCPdump network dissector