]> The Tcpdump Group git mirrors - tcpdump/blob - print-isakmp.c
projects / tcpdump / blob
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Merge pull request #734 from jkcko/master
[tcpdump] / print-isakmp.c
1 /*
2 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. Neither the name of the project nor the names of its contributors
14 * may be used to endorse or promote products derived from this software
15 * without specific prior written permission.
16 *
17 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27 * SUCH DAMAGE.
28 *
29 */
30
31 /* \summary: Internet Security Association and Key Management Protocol (ISAKMP) printer */
32
33 /* specification: RFC 2407, RFC 2408, RFC 5996 */
34
35 #ifdef HAVE_CONFIG_H
36 #include <config.h>
37 #endif
38
39 /* The functions from print-esp.c used in this file are only defined when both
40 * OpenSSL and evp.h are detected. Employ the same preprocessor device here.
41 */
42 #ifndef HAVE_OPENSSL_EVP_H
43 #undef HAVE_LIBCRYPTO
44 #endif
45
46 #include "netdissect-stdinc.h"
47
48 #include <string.h>
49
50 #include "netdissect.h"
51 #include "addrtoname.h"
52 #include "extract.h"
53
54 #include "ip.h"
55 #include "ip6.h"
56 #include "ipproto.h"
57
58 typedef nd_byte cookie_t[8];
59 typedef nd_byte msgid_t[4];
60
61 #define PORT_ISAKMP 500
62
63 /* 3.1 ISAKMP Header Format (IKEv1 and IKEv2)
64 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
65 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
66 ! Initiator !
67 ! Cookie !
68 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
69 ! Responder !
70 ! Cookie !
71 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
72 ! Next Payload ! MjVer ! MnVer ! Exchange Type ! Flags !
73 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
74 ! Message ID !
75 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
76 ! Length !
77 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
78 */
79 struct isakmp {
80 cookie_t i_ck; /* Initiator Cookie */
81 cookie_t r_ck; /* Responder Cookie */
82 nd_uint8_t np; /* Next Payload Type */
83 nd_uint8_t vers;
84 #define ISAKMP_VERS_MAJOR 0xf0
85 #define ISAKMP_VERS_MAJOR_SHIFT 4
86 #define ISAKMP_VERS_MINOR 0x0f
87 #define ISAKMP_VERS_MINOR_SHIFT 0
88 nd_uint8_t etype; /* Exchange Type */
89 nd_uint8_t flags; /* Flags */
90 msgid_t msgid;
91 nd_uint32_t len; /* Length */
92 };
93
94 /* Next Payload Type */
95 #define ISAKMP_NPTYPE_NONE 0 /* NONE*/
96 #define ISAKMP_NPTYPE_SA 1 /* Security Association */
97 #define ISAKMP_NPTYPE_P 2 /* Proposal */
98 #define ISAKMP_NPTYPE_T 3 /* Transform */
99 #define ISAKMP_NPTYPE_KE 4 /* Key Exchange */
100 #define ISAKMP_NPTYPE_ID 5 /* Identification */
101 #define ISAKMP_NPTYPE_CERT 6 /* Certificate */
102 #define ISAKMP_NPTYPE_CR 7 /* Certificate Request */
103 #define ISAKMP_NPTYPE_HASH 8 /* Hash */
104 #define ISAKMP_NPTYPE_SIG 9 /* Signature */
105 #define ISAKMP_NPTYPE_NONCE 10 /* Nonce */
106 #define ISAKMP_NPTYPE_N 11 /* Notification */
107 #define ISAKMP_NPTYPE_D 12 /* Delete */
108 #define ISAKMP_NPTYPE_VID 13 /* Vendor ID */
109 #define ISAKMP_NPTYPE_v2E 46 /* v2 Encrypted payload */
110
111 #define IKEv1_MAJOR_VERSION 1
112 #define IKEv1_MINOR_VERSION 0
113
114 #define IKEv2_MAJOR_VERSION 2
115 #define IKEv2_MINOR_VERSION 0
116
117 /* Flags */
118 #define ISAKMP_FLAG_E 0x01 /* Encryption Bit */
119 #define ISAKMP_FLAG_C 0x02 /* Commit Bit */
120 #define ISAKMP_FLAG_extra 0x04
121
122 /* IKEv2 */
123 #define ISAKMP_FLAG_I (1 << 3) /* (I)nitiator */
124 #define ISAKMP_FLAG_V (1 << 4) /* (V)ersion */
125 #define ISAKMP_FLAG_R (1 << 5) /* (R)esponse */
126
127
128 /* 3.2 Payload Generic Header
129 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
130 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
131 ! Next Payload ! RESERVED ! Payload Length !
132 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
133 */
134 struct isakmp_gen {
135 nd_uint8_t np; /* Next Payload */
136 nd_uint8_t critical; /* bit 7 - critical, rest is RESERVED */
137 nd_uint16_t len; /* Payload Length */
138 };
139
140 /* 3.3 Data Attributes
141 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
142 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
143 !A! Attribute Type ! AF=0 Attribute Length !
144 !F! ! AF=1 Attribute Value !
145 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
146 . AF=0 Attribute Value .
147 . AF=1 Not Transmitted .
148 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
149 */
150 struct isakmp_data {
151 nd_uint16_t type; /* defined by DOI-spec, and Attribute Format */
152 nd_uint16_t lorv; /* if f equal 1, Attribute Length */
153 /* if f equal 0, Attribute Value */
154 /* if f equal 1, Attribute Value */
155 };
156
157 /* 3.4 Security Association Payload */
158 /* MAY NOT be used, because of being defined in ipsec-doi. */
159 /*
160 If the current payload is the last in the message,
161 then the value of the next payload field will be 0.
162 This field MUST NOT contain the
163 values for the Proposal or Transform payloads as they are considered
164 part of the security association negotiation. For example, this
165 field would contain the value "10" (Nonce payload) in the first
166 message of a Base Exchange (see Section 4.4) and the value "0" in the
167 first message of an Identity Protect Exchange (see Section 4.5).
168 */
169 struct ikev1_pl_sa {
170 struct isakmp_gen h;
171 nd_uint32_t doi; /* Domain of Interpretation */
172 nd_uint32_t sit; /* Situation */
173 };
174
175 /* 3.5 Proposal Payload */
176 /*
177 The value of the next payload field MUST only contain the value "2"
178 or "0". If there are additional Proposal payloads in the message,
179 then this field will be 2. If the current Proposal payload is the
180 last within the security association proposal, then this field will
181 be 0.
182 */
183 struct ikev1_pl_p {
184 struct isakmp_gen h;
185 nd_uint8_t p_no; /* Proposal # */
186 nd_uint8_t prot_id; /* Protocol */
187 nd_uint8_t spi_size; /* SPI Size */
188 nd_uint8_t num_t; /* Number of Transforms */
189 /* SPI */
190 };
191
192 /* 3.6 Transform Payload */
193 /*
194 The value of the next payload field MUST only contain the value "3"
195 or "0". If there are additional Transform payloads in the proposal,
196 then this field will be 3. If the current Transform payload is the
197 last within the proposal, then this field will be 0.
198 */
199 struct ikev1_pl_t {
200 struct isakmp_gen h;
201 nd_uint8_t t_no; /* Transform # */
202 nd_uint8_t t_id; /* Transform-Id */
203 nd_byte reserved[2]; /* RESERVED2 */
204 /* SA Attributes */
205 };
206
207 /* 3.7 Key Exchange Payload */
208 struct ikev1_pl_ke {
209 struct isakmp_gen h;
210 /* Key Exchange Data */
211 };
212
213 /* 3.8 Identification Payload */
214 /* MUST NOT to be used, because of being defined in ipsec-doi. */
215 struct ikev1_pl_id {
216 struct isakmp_gen h;
217 union {
218 nd_uint8_t id_type; /* ID Type */
219 nd_uint32_t doi_data; /* DOI Specific ID Data */
220 } d;
221 /* Identification Data */
222 };
223
224 /* 3.9 Certificate Payload */
225 struct ikev1_pl_cert {
226 struct isakmp_gen h;
227 nd_uint8_t encode; /* Cert Encoding */
228 nd_uint8_t cert; /* Certificate Data */
229 /*
230 This field indicates the type of
231 certificate or certificate-related information contained in the
232 Certificate Data field.
233 */
234 };
235
236 /* 3.10 Certificate Request Payload */
237 struct ikev1_pl_cr {
238 struct isakmp_gen h;
239 nd_uint8_t num_cert; /* # Cert. Types */
240 /*
241 Certificate Types (variable length)
242 -- Contains a list of the types of certificates requested,
243 sorted in order of preference. Each individual certificate
244 type is 1 octet. This field is NOT requiredo
245 */
246 /* # Certificate Authorities (1 octet) */
247 /* Certificate Authorities (variable length) */
248 };
249
250 /* 3.11 Hash Payload */
251 /* may not be used, because of having only data. */
252 struct ikev1_pl_hash {
253 struct isakmp_gen h;
254 /* Hash Data */
255 };
256
257 /* 3.12 Signature Payload */
258 /* may not be used, because of having only data. */
259 struct ikev1_pl_sig {
260 struct isakmp_gen h;
261 /* Signature Data */
262 };
263
264 /* 3.13 Nonce Payload */
265 /* may not be used, because of having only data. */
266 struct ikev1_pl_nonce {
267 struct isakmp_gen h;
268 /* Nonce Data */
269 };
270
271 /* 3.14 Notification Payload */
272 struct ikev1_pl_n {
273 struct isakmp_gen h;
274 nd_uint32_t doi; /* Domain of Interpretation */
275 nd_uint8_t prot_id; /* Protocol-ID */
276 nd_uint8_t spi_size; /* SPI Size */
277 nd_uint16_t type; /* Notify Message Type */
278 /* SPI */
279 /* Notification Data */
280 };
281
282 /* 3.14.1 Notify Message Types */
283 /* NOTIFY MESSAGES - ERROR TYPES */
284 #define ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE 1
285 #define ISAKMP_NTYPE_DOI_NOT_SUPPORTED 2
286 #define ISAKMP_NTYPE_SITUATION_NOT_SUPPORTED 3
287 #define ISAKMP_NTYPE_INVALID_COOKIE 4
288 #define ISAKMP_NTYPE_INVALID_MAJOR_VERSION 5
289 #define ISAKMP_NTYPE_INVALID_MINOR_VERSION 6
290 #define ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE 7
291 #define ISAKMP_NTYPE_INVALID_FLAGS 8
292 #define ISAKMP_NTYPE_INVALID_MESSAGE_ID 9
293 #define ISAKMP_NTYPE_INVALID_PROTOCOL_ID 10
294 #define ISAKMP_NTYPE_INVALID_SPI 11
295 #define ISAKMP_NTYPE_INVALID_TRANSFORM_ID 12
296 #define ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED 13
297 #define ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN 14
298 #define ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX 15
299 #define ISAKMP_NTYPE_PAYLOAD_MALFORMED 16
300 #define ISAKMP_NTYPE_INVALID_KEY_INFORMATION 17
301 #define ISAKMP_NTYPE_INVALID_ID_INFORMATION 18
302 #define ISAKMP_NTYPE_INVALID_CERT_ENCODING 19
303 #define ISAKMP_NTYPE_INVALID_CERTIFICATE 20
304 #define ISAKMP_NTYPE_BAD_CERT_REQUEST_SYNTAX 21
305 #define ISAKMP_NTYPE_INVALID_CERT_AUTHORITY 22
306 #define ISAKMP_NTYPE_INVALID_HASH_INFORMATION 23
307 #define ISAKMP_NTYPE_AUTHENTICATION_FAILED 24
308 #define ISAKMP_NTYPE_INVALID_SIGNATURE 25
309 #define ISAKMP_NTYPE_ADDRESS_NOTIFICATION 26
310
311 /* 3.15 Delete Payload */
312 struct ikev1_pl_d {
313 struct isakmp_gen h;
314 nd_uint32_t doi; /* Domain of Interpretation */
315 nd_uint8_t prot_id; /* Protocol-Id */
316 nd_uint8_t spi_size; /* SPI Size */
317 nd_uint16_t num_spi; /* # of SPIs */
318 /* SPI(es) */
319 };
320
321 /* IKEv2 (RFC4306) */
322
323 /* 3.3 Security Association Payload -- generic header */
324 /* 3.3.1. Proposal Substructure */
325 struct ikev2_p {
326 struct isakmp_gen h;
327 nd_uint8_t p_no; /* Proposal # */
328 nd_uint8_t prot_id; /* Protocol */
329 nd_uint8_t spi_size; /* SPI Size */
330 nd_uint8_t num_t; /* Number of Transforms */
331 };
332
333 /* 3.3.2. Transform Substructure */
334 struct ikev2_t {
335 struct isakmp_gen h;
336 nd_uint8_t t_type; /* Transform Type (ENCR,PRF,INTEG,etc.*/
337 nd_byte res2; /* reserved byte */
338 nd_uint16_t t_id; /* Transform ID */
339 };
340
341 enum ikev2_t_type {
342 IV2_T_ENCR = 1,
343 IV2_T_PRF = 2,
344 IV2_T_INTEG= 3,
345 IV2_T_DH = 4,
346 IV2_T_ESN = 5
347 };
348
349 /* 3.4. Key Exchange Payload */
350 struct ikev2_ke {
351 struct isakmp_gen h;
352 nd_uint16_t ke_group;
353 nd_uint16_t ke_res1;
354 /* KE data */
355 };
356
357
358 /* 3.5. Identification Payloads */
359 enum ikev2_id_type {
360 ID_IPV4_ADDR=1,
361 ID_FQDN=2,
362 ID_RFC822_ADDR=3,
363 ID_IPV6_ADDR=5,
364 ID_DER_ASN1_DN=9,
365 ID_DER_ASN1_GN=10,
366 ID_KEY_ID=11
367 };
368 struct ikev2_id {
369 struct isakmp_gen h;
370 nd_uint8_t type; /* ID type */
371 nd_byte res1;
372 nd_byte res2[2];
373 /* SPI */
374 /* Notification Data */
375 };
376
377 /* 3.10 Notification Payload */
378 struct ikev2_n {
379 struct isakmp_gen h;
380 nd_uint8_t prot_id; /* Protocol-ID */
381 nd_uint8_t spi_size; /* SPI Size */
382 nd_uint16_t type; /* Notify Message Type */
383 };
384
385 enum ikev2_n_type {
386 IV2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD = 1,
387 IV2_NOTIFY_INVALID_IKE_SPI = 4,
388 IV2_NOTIFY_INVALID_MAJOR_VERSION = 5,
389 IV2_NOTIFY_INVALID_SYNTAX = 7,
390 IV2_NOTIFY_INVALID_MESSAGE_ID = 9,
391 IV2_NOTIFY_INVALID_SPI =11,
392 IV2_NOTIFY_NO_PROPOSAL_CHOSEN =14,
393 IV2_NOTIFY_INVALID_KE_PAYLOAD =17,
394 IV2_NOTIFY_AUTHENTICATION_FAILED =24,
395 IV2_NOTIFY_SINGLE_PAIR_REQUIRED =34,
396 IV2_NOTIFY_NO_ADDITIONAL_SAS =35,
397 IV2_NOTIFY_INTERNAL_ADDRESS_FAILURE =36,
398 IV2_NOTIFY_FAILED_CP_REQUIRED =37,
399 IV2_NOTIFY_INVALID_SELECTORS =39,
400 IV2_NOTIFY_INITIAL_CONTACT =16384,
401 IV2_NOTIFY_SET_WINDOW_SIZE =16385,
402 IV2_NOTIFY_ADDITIONAL_TS_POSSIBLE =16386,
403 IV2_NOTIFY_IPCOMP_SUPPORTED =16387,
404 IV2_NOTIFY_NAT_DETECTION_SOURCE_IP =16388,
405 IV2_NOTIFY_NAT_DETECTION_DESTINATION_IP =16389,
406 IV2_NOTIFY_COOKIE =16390,
407 IV2_NOTIFY_USE_TRANSPORT_MODE =16391,
408 IV2_NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED =16392,
409 IV2_NOTIFY_REKEY_SA =16393,
410 IV2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED =16394,
411 IV2_NOTIFY_NON_FIRST_FRAGMENTS_ALSO =16395
412 };
413
414 struct notify_messages {
415 uint16_t type;
416 char *msg;
417 };
418
419 /* 3.8 Authentication Payload */
420 struct ikev2_auth {
421 struct isakmp_gen h;
422 nd_uint8_t auth_method; /* Protocol-ID */
423 nd_byte reserved[3];
424 /* authentication data */
425 };
426
427 enum ikev2_auth_type {
428 IV2_RSA_SIG = 1,
429 IV2_SHARED = 2,
430 IV2_DSS_SIG = 3
431 };
432
433 /* refer to RFC 2409 */
434
435 #if 0
436 /* isakmp sa structure */
437 struct oakley_sa {
438 uint8_t proto_id; /* OAKLEY */
439 vchar_t *spi; /* spi */
440 uint8_t dhgrp; /* DH; group */
441 uint8_t auth_t; /* method of authentication */
442 uint8_t prf_t; /* type of prf */
443 uint8_t hash_t; /* type of hash */
444 uint8_t enc_t; /* type of cipher */
445 uint8_t life_t; /* type of duration of lifetime */
446 uint32_t ldur; /* life duration */
447 };
448 #endif
449
450 /* refer to RFC 2407 */
451
452 #define IPSEC_DOI 1
453
454 /* 4.2 IPSEC Situation Definition */
455 #define IPSECDOI_SIT_IDENTITY_ONLY 0x00000001
456 #define IPSECDOI_SIT_SECRECY 0x00000002
457 #define IPSECDOI_SIT_INTEGRITY 0x00000004
458
459 /* 4.4.1 IPSEC Security Protocol Identifiers */
460 /* 4.4.2 IPSEC ISAKMP Transform Values */
461 #define IPSECDOI_PROTO_ISAKMP 1
462 #define IPSECDOI_KEY_IKE 1
463
464 /* 4.4.1 IPSEC Security Protocol Identifiers */
465 #define IPSECDOI_PROTO_IPSEC_AH 2
466 /* 4.4.3 IPSEC AH Transform Values */
467 #define IPSECDOI_AH_MD5 2
468 #define IPSECDOI_AH_SHA 3
469 #define IPSECDOI_AH_DES 4
470 #define IPSECDOI_AH_SHA2_256 5
471 #define IPSECDOI_AH_SHA2_384 6
472 #define IPSECDOI_AH_SHA2_512 7
473
474 /* 4.4.1 IPSEC Security Protocol Identifiers */
475 #define IPSECDOI_PROTO_IPSEC_ESP 3
476 /* 4.4.4 IPSEC ESP Transform Identifiers */
477 #define IPSECDOI_ESP_DES_IV64 1
478 #define IPSECDOI_ESP_DES 2
479 #define IPSECDOI_ESP_3DES 3
480 #define IPSECDOI_ESP_RC5 4
481 #define IPSECDOI_ESP_IDEA 5
482 #define IPSECDOI_ESP_CAST 6
483 #define IPSECDOI_ESP_BLOWFISH 7
484 #define IPSECDOI_ESP_3IDEA 8
485 #define IPSECDOI_ESP_DES_IV32 9
486 #define IPSECDOI_ESP_RC4 10
487 #define IPSECDOI_ESP_NULL 11
488 #define IPSECDOI_ESP_RIJNDAEL 12
489 #define IPSECDOI_ESP_AES 12
490
491 /* 4.4.1 IPSEC Security Protocol Identifiers */
492 #define IPSECDOI_PROTO_IPCOMP 4
493 /* 4.4.5 IPSEC IPCOMP Transform Identifiers */
494 #define IPSECDOI_IPCOMP_OUI 1
495 #define IPSECDOI_IPCOMP_DEFLATE 2
496 #define IPSECDOI_IPCOMP_LZS 3
497
498 /* 4.5 IPSEC Security Association Attributes */
499 #define IPSECDOI_ATTR_SA_LTYPE 1 /* B */
500 #define IPSECDOI_ATTR_SA_LTYPE_DEFAULT 1
501 #define IPSECDOI_ATTR_SA_LTYPE_SEC 1
502 #define IPSECDOI_ATTR_SA_LTYPE_KB 2
503 #define IPSECDOI_ATTR_SA_LDUR 2 /* V */
504 #define IPSECDOI_ATTR_SA_LDUR_DEFAULT 28800 /* 8 hours */
505 #define IPSECDOI_ATTR_GRP_DESC 3 /* B */
506 #define IPSECDOI_ATTR_ENC_MODE 4 /* B */
507 /* default value: host dependent */
508 #define IPSECDOI_ATTR_ENC_MODE_TUNNEL 1
509 #define IPSECDOI_ATTR_ENC_MODE_TRNS 2
510 #define IPSECDOI_ATTR_AUTH 5 /* B */
511 /* 0 means not to use authentication. */
512 #define IPSECDOI_ATTR_AUTH_HMAC_MD5 1
513 #define IPSECDOI_ATTR_AUTH_HMAC_SHA1 2
514 #define IPSECDOI_ATTR_AUTH_DES_MAC 3
515 #define IPSECDOI_ATTR_AUTH_KPDK 4 /*RFC-1826(Key/Pad/Data/Key)*/
516 /*
517 * When negotiating ESP without authentication, the Auth
518 * Algorithm attribute MUST NOT be included in the proposal.
519 * When negotiating ESP without confidentiality, the Auth
520 * Algorithm attribute MUST be included in the proposal and
521 * the ESP transform ID must be ESP_NULL.
522 */
523 #define IPSECDOI_ATTR_KEY_LENGTH 6 /* B */
524 #define IPSECDOI_ATTR_KEY_ROUNDS 7 /* B */
525 #define IPSECDOI_ATTR_COMP_DICT_SIZE 8 /* B */
526 #define IPSECDOI_ATTR_COMP_PRIVALG 9 /* V */
527
528 /* 4.6.1 Security Association Payload */
529 struct ipsecdoi_sa {
530 struct isakmp_gen h;
531 nd_uint32_t doi; /* Domain of Interpretation */
532 nd_uint32_t sit; /* Situation */
533 };
534
535 struct ipsecdoi_secrecy_h {
536 nd_uint16_t len;
537 nd_uint16_t reserved;
538 };
539
540 /* 4.6.2.1 Identification Type Values */
541 struct ipsecdoi_id {
542 struct isakmp_gen h;
543 nd_uint8_t type; /* ID Type */
544 nd_uint8_t proto_id; /* Protocol ID */
545 nd_uint16_t port; /* Port */
546 /* Identification Data */
547 };
548
549 #define IPSECDOI_ID_IPV4_ADDR 1
550 #define IPSECDOI_ID_FQDN 2
551 #define IPSECDOI_ID_USER_FQDN 3
552 #define IPSECDOI_ID_IPV4_ADDR_SUBNET 4
553 #define IPSECDOI_ID_IPV6_ADDR 5
554 #define IPSECDOI_ID_IPV6_ADDR_SUBNET 6
555 #define IPSECDOI_ID_IPV4_ADDR_RANGE 7
556 #define IPSECDOI_ID_IPV6_ADDR_RANGE 8
557 #define IPSECDOI_ID_DER_ASN1_DN 9
558 #define IPSECDOI_ID_DER_ASN1_GN 10
559 #define IPSECDOI_ID_KEY_ID 11
560
561 /* 4.6.3 IPSEC DOI Notify Message Types */
562 /* Notify Messages - Status Types */
563 #define IPSECDOI_NTYPE_RESPONDER_LIFETIME 24576
564 #define IPSECDOI_NTYPE_REPLAY_STATUS 24577
565 #define IPSECDOI_NTYPE_INITIAL_CONTACT 24578
566
567 #define DECLARE_PRINTER(func) static const u_char *ike##func##_print( \
568 netdissect_options *ndo, u_char tpay, \
569 const struct isakmp_gen *ext, \
570 u_int item_len, \
571 const u_char *end_pointer, \
572 uint32_t phase,\
573 uint32_t doi0, \
574 uint32_t proto0, int depth)
575
576 DECLARE_PRINTER(v1_sa);
577 DECLARE_PRINTER(v1_p);
578 DECLARE_PRINTER(v1_t);
579 DECLARE_PRINTER(v1_ke);
580 DECLARE_PRINTER(v1_id);
581 DECLARE_PRINTER(v1_cert);
582 DECLARE_PRINTER(v1_cr);
583 DECLARE_PRINTER(v1_sig);
584 DECLARE_PRINTER(v1_hash);
585 DECLARE_PRINTER(v1_nonce);
586 DECLARE_PRINTER(v1_n);
587 DECLARE_PRINTER(v1_d);
588 DECLARE_PRINTER(v1_vid);
589
590 DECLARE_PRINTER(v2_sa);
591 DECLARE_PRINTER(v2_ke);
592 DECLARE_PRINTER(v2_ID);
593 DECLARE_PRINTER(v2_cert);
594 DECLARE_PRINTER(v2_cr);
595 DECLARE_PRINTER(v2_auth);
596 DECLARE_PRINTER(v2_nonce);
597 DECLARE_PRINTER(v2_n);
598 DECLARE_PRINTER(v2_d);
599 DECLARE_PRINTER(v2_vid);
600 DECLARE_PRINTER(v2_TS);
601 DECLARE_PRINTER(v2_cp);
602 DECLARE_PRINTER(v2_eap);
603
604 static const u_char *ikev2_e_print(netdissect_options *ndo,
605 const struct isakmp *base,
606 u_char tpay,
607 const struct isakmp_gen *ext,
608 u_int item_len,
609 const u_char *end_pointer,
610 uint32_t phase,
611 uint32_t doi0,
612 uint32_t proto0, int depth);
613
614
615 static const u_char *ike_sub0_print(netdissect_options *ndo,u_char, const struct isakmp_gen *,
616 const u_char *, uint32_t, uint32_t, uint32_t, int);
617 static const u_char *ikev1_sub_print(netdissect_options *ndo,u_char, const struct isakmp_gen *,
618 const u_char *, uint32_t, uint32_t, uint32_t, int);
619
620 static const u_char *ikev2_sub_print(netdissect_options *ndo,
621 const struct isakmp *base,
622 u_char np, const struct isakmp_gen *ext,
623 const u_char *ep, uint32_t phase,
624 uint32_t doi, uint32_t proto,
625 int depth);
626
627
628 static char *numstr(u_int);
629
630 static void
631 ikev1_print(netdissect_options *ndo,
632 const u_char *bp, u_int length,
633 const u_char *bp2, const struct isakmp *base);
634
635 #define MAXINITIATORS 20
636 static int ninitiator = 0;
637 union inaddr_u {
638 struct in_addr in4;
639 struct in6_addr in6;
640 };
641 static struct {
642 cookie_t initiator;
643 u_int version;
644 union inaddr_u iaddr;
645 union inaddr_u raddr;
646 } cookiecache[MAXINITIATORS];
647
648 /* protocol id */
649 static const char *protoidstr[] = {
650 NULL, "isakmp", "ipsec-ah", "ipsec-esp", "ipcomp",
651 };
652
653 /* isakmp->np */
654 static const char *npstr[] = {
655 "none", "sa", "p", "t", "ke", "id", "cert", "cr", "hash", /* 0 - 8 */
656 "sig", "nonce", "n", "d", "vid", /* 9 - 13 */
657 "pay14", "pay15", "pay16", "pay17", "pay18", /* 14- 18 */
658 "pay19", "pay20", "pay21", "pay22", "pay23", /* 19- 23 */
659 "pay24", "pay25", "pay26", "pay27", "pay28", /* 24- 28 */
660 "pay29", "pay30", "pay31", "pay32", /* 29- 32 */
661 "v2sa", "v2ke", "v2IDi", "v2IDr", "v2cert",/* 33- 37 */
662 "v2cr", "v2auth","v2nonce", "v2n", "v2d", /* 38- 42 */
663 "v2vid", "v2TSi", "v2TSr", "v2e", "v2cp", /* 43- 47 */
664 "v2eap", /* 48 */
665
666 };
667
668 /* isakmp->np */
669 static const u_char *(*npfunc[])(netdissect_options *ndo, u_char tpay,
670 const struct isakmp_gen *ext,
671 u_int item_len,
672 const u_char *end_pointer,
673 uint32_t phase,
674 uint32_t doi0,
675 uint32_t proto0, int depth) = {
676 NULL,
677 ikev1_sa_print,
678 ikev1_p_print,
679 ikev1_t_print,
680 ikev1_ke_print,
681 ikev1_id_print,
682 ikev1_cert_print,
683 ikev1_cr_print,
684 ikev1_hash_print,
685 ikev1_sig_print,
686 ikev1_nonce_print,
687 ikev1_n_print,
688 ikev1_d_print,
689 ikev1_vid_print, /* 13 */
690 NULL, NULL, NULL, NULL, NULL, /* 14- 18 */
691 NULL, NULL, NULL, NULL, NULL, /* 19- 23 */
692 NULL, NULL, NULL, NULL, NULL, /* 24- 28 */
693 NULL, NULL, NULL, NULL, /* 29- 32 */
694 ikev2_sa_print, /* 33 */
695 ikev2_ke_print, /* 34 */
696 ikev2_ID_print, /* 35 */
697 ikev2_ID_print, /* 36 */
698 ikev2_cert_print, /* 37 */
699 ikev2_cr_print, /* 38 */
700 ikev2_auth_print, /* 39 */
701 ikev2_nonce_print, /* 40 */
702 ikev2_n_print, /* 41 */
703 ikev2_d_print, /* 42 */
704 ikev2_vid_print, /* 43 */
705 ikev2_TS_print, /* 44 */
706 ikev2_TS_print, /* 45 */
707 NULL, /* ikev2_e_print,*/ /* 46 - special */
708 ikev2_cp_print, /* 47 */
709 ikev2_eap_print, /* 48 */
710 };
711
712 /* isakmp->etype */
713 static const char *etypestr[] = {
714 /* IKEv1 exchange types */
715 "none", "base", "ident", "auth", "agg", "inf", NULL, NULL, /* 0-7 */
716 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 8-15 */
717 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 16-23 */
718 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 24-31 */
719 "oakley-quick", "oakley-newgroup", /* 32-33 */
720 /* IKEv2 exchange types */
721 "ikev2_init", "ikev2_auth", "child_sa", "inf2" /* 34-37 */
722 };
723
724 #define STR_OR_ID(x, tab) \
725 (((x) < sizeof(tab)/sizeof(tab[0]) && tab[(x)]) ? tab[(x)] : numstr(x))
726 #define PROTOIDSTR(x) STR_OR_ID(x, protoidstr)
727 #define NPSTR(x) STR_OR_ID(x, npstr)
728 #define ETYPESTR(x) STR_OR_ID(x, etypestr)
729
730 #define CHECKLEN(p, np) \
731 if (ep < (const u_char *)(p)) { \
732 ND_PRINT(" [|%s]", NPSTR(np)); \
733 goto done; \
734 }
735
736
737 #define NPFUNC(x) \
738 (((x) < sizeof(npfunc)/sizeof(npfunc[0]) && npfunc[(x)]) \
739 ? npfunc[(x)] : NULL)
740
741 static int
742 iszero(const u_char *p, size_t l)
743 {
744 while (l != 0) {
745 if (*p)
746 return 0;
747 p++;
748 l--;
749 }
750 return 1;
751 }
752
753 /* find cookie from initiator cache */
754 static int
755 cookie_find(const cookie_t *in)
756 {
757 int i;
758
759 for (i = 0; i < MAXINITIATORS; i++) {
760 if (memcmp(in, &cookiecache[i].initiator, sizeof(*in)) == 0)
761 return i;
762 }
763
764 return -1;
765 }
766
767 /* record initiator */
768 static void
769 cookie_record(const cookie_t *in, const u_char *bp2)
770 {
771 int i;
772 const struct ip *ip;
773 const struct ip6_hdr *ip6;
774
775 i = cookie_find(in);
776 if (0 <= i) {
777 ninitiator = (i + 1) % MAXINITIATORS;
778 return;
779 }
780
781 ip = (const struct ip *)bp2;
782 switch (IP_V(ip)) {
783 case 4:
784 cookiecache[ninitiator].version = 4;
785 UNALIGNED_MEMCPY(&cookiecache[ninitiator].iaddr.in4,
786 ip->ip_src, sizeof(nd_ipv4));
787 UNALIGNED_MEMCPY(&cookiecache[ninitiator].raddr.in4,
788 ip->ip_dst, sizeof(nd_ipv4));
789 break;
790 case 6:
791 ip6 = (const struct ip6_hdr *)bp2;
792 cookiecache[ninitiator].version = 6;
793 UNALIGNED_MEMCPY(&cookiecache[ninitiator].iaddr.in6,
794 ip6->ip6_src, sizeof(nd_ipv6));
795 UNALIGNED_MEMCPY(&cookiecache[ninitiator].raddr.in6,
796 ip6->ip6_dst, sizeof(nd_ipv6));
797 break;
798 default:
799 return;
800 }
801 UNALIGNED_MEMCPY(&cookiecache[ninitiator].initiator, in, sizeof(*in));
802 ninitiator = (ninitiator + 1) % MAXINITIATORS;
803 }
804
805 #define cookie_isinitiator(x, y) cookie_sidecheck((x), (y), 1)
806 #define cookie_isresponder(x, y) cookie_sidecheck((x), (y), 0)
807 static int
808 cookie_sidecheck(int i, const u_char *bp2, int initiator)
809 {
810 const struct ip *ip;
811 const struct ip6_hdr *ip6;
812
813 ip = (const struct ip *)bp2;
814 switch (IP_V(ip)) {
815 case 4:
816 if (cookiecache[i].version != 4)
817 return 0;
818 if (initiator) {
819 if (UNALIGNED_MEMCMP(ip->ip_src, &cookiecache[i].iaddr.in4, sizeof(nd_ipv4)) == 0)
820 return 1;
821 } else {
822 if (UNALIGNED_MEMCMP(ip->ip_src, &cookiecache[i].raddr.in4, sizeof(nd_ipv4)) == 0)
823 return 1;
824 }
825 break;
826 case 6:
827 if (cookiecache[i].version != 6)
828 return 0;
829 ip6 = (const struct ip6_hdr *)bp2;
830 if (initiator) {
831 if (UNALIGNED_MEMCMP(ip6->ip6_src, &cookiecache[i].iaddr.in6, sizeof(nd_ipv6)) == 0)
832 return 1;
833 } else {
834 if (UNALIGNED_MEMCMP(ip6->ip6_src, &cookiecache[i].raddr.in6, sizeof(nd_ipv6)) == 0)
835 return 1;
836 }
837 break;
838 default:
839 break;
840 }
841
842 return 0;
843 }
844
845 static void
846 hexprint(netdissect_options *ndo, const uint8_t *loc, size_t len)
847 {
848 const uint8_t *p;
849 size_t i;
850
851 p = loc;
852 for (i = 0; i < len; i++)
853 ND_PRINT("%02x", p[i] & 0xff);
854 }
855
856 static int
857 rawprint(netdissect_options *ndo, const uint8_t *loc, size_t len)
858 {
859 ND_TCHECK_LEN(loc, len);
860
861 hexprint(ndo, loc, len);
862 return 1;
863 trunc:
864 return 0;
865 }
866
867
868 /*
869 * returns false if we run out of data buffer
870 */
871 static int ike_show_somedata(netdissect_options *ndo,
872 const u_char *cp, const u_char *ep)
873 {
874 /* there is too much data, just show some of it */
875 const u_char *end = ep - 20;
876 size_t elen = 20;
877 size_t len = ep - cp;
878 if(len > 10) {
879 len = 10;
880 }
881
882 /* really shouldn't happen because of above */
883 if(end < cp + len) {
884 end = cp+len;
885 elen = ep - end;
886 }
887
888 ND_PRINT(" data=(");
889 if(!rawprint(ndo, (const uint8_t *)(cp), len)) goto trunc;
890 ND_PRINT("...");
891 if(elen) {
892 if(!rawprint(ndo, (const uint8_t *)(end), elen)) goto trunc;
893 }
894 ND_PRINT(")");
895 return 1;
896
897 trunc:
898 return 0;
899 }
900
901 struct attrmap {
902 const char *type;
903 u_int nvalue;
904 const char *value[30]; /*XXX*/
905 };
906
907 static const u_char *
908 ikev1_attrmap_print(netdissect_options *ndo,
909 const u_char *p, const u_char *ep2,
910 const struct attrmap *map, size_t nmap)
911 {
912 u_int totlen;
913 uint32_t t, v;
914
915 ND_TCHECK_1(p);
916 if (EXTRACT_U_1(p) & 0x80)
917 totlen = 4;
918 else {
919 ND_TCHECK_2(p + 2);
920 totlen = 4 + EXTRACT_BE_U_2(p + 2);
921 }
922 if (ep2 < p + totlen) {
923 ND_PRINT("[|attr]");
924 return ep2 + 1;
925 }
926
927 ND_TCHECK_2(p);
928 ND_PRINT("(");
929 t = EXTRACT_BE_U_2(p) & 0x7fff;
930 if (map && t < nmap && map[t].type)
931 ND_PRINT("type=%s ", map[t].type);
932 else
933 ND_PRINT("type=#%u ", t);
934 if (EXTRACT_U_1(p) & 0x80) {
935 ND_PRINT("value=");
936 ND_TCHECK_2(p + 2);
937 v = EXTRACT_BE_U_2(p + 2);
938 if (map && t < nmap && v < map[t].nvalue && map[t].value[v])
939 ND_PRINT("%s", map[t].value[v]);
940 else {
941 if (!rawprint(ndo, (const uint8_t *)(p + 2), 2)) {
942 ND_PRINT(")");
943 goto trunc;
944 }
945 }
946 } else {
947 ND_PRINT("len=%u value=", totlen - 4);
948 if (!rawprint(ndo, (const uint8_t *)(p + 4), totlen - 4)) {
949 ND_PRINT(")");
950 goto trunc;
951 }
952 }
953 ND_PRINT(")");
954 return p + totlen;
955
956 trunc:
957 return NULL;
958 }
959
960 static const u_char *
961 ikev1_attr_print(netdissect_options *ndo, const u_char *p, const u_char *ep2)
962 {
963 u_int totlen;
964 uint32_t t;
965
966 ND_TCHECK_1(p);
967 if (EXTRACT_U_1(p) & 0x80)
968 totlen = 4;
969 else {
970 ND_TCHECK_2(p + 2);
971 totlen = 4 + EXTRACT_BE_U_2(p + 2);
972 }
973 if (ep2 < p + totlen) {
974 ND_PRINT("[|attr]");
975 return ep2 + 1;
976 }
977
978 ND_TCHECK_2(p);
979 ND_PRINT("(");
980 t = EXTRACT_BE_U_2(p) & 0x7fff;
981 ND_PRINT("type=#%u ", t);
982 if (EXTRACT_U_1(p) & 0x80) {
983 ND_PRINT("value=");
984 t = EXTRACT_U_1(p + 2);
985 if (!rawprint(ndo, (const uint8_t *)(p + 2), 2)) {
986 ND_PRINT(")");
987 goto trunc;
988 }
989 } else {
990 ND_PRINT("len=%u value=", totlen - 4);
991 if (!rawprint(ndo, (const uint8_t *)(p + 4), totlen - 4)) {
992 ND_PRINT(")");
993 goto trunc;
994 }
995 }
996 ND_PRINT(")");
997 return p + totlen;
998
999 trunc:
1000 return NULL;
1001 }
1002
1003 static const u_char *
1004 ikev1_sa_print(netdissect_options *ndo, u_char tpay _U_,
1005 const struct isakmp_gen *ext,
1006 u_int item_len _U_,
1007 const u_char *ep, uint32_t phase, uint32_t doi0 _U_,
1008 uint32_t proto0, int depth)
1009 {
1010 const struct ikev1_pl_sa *p;
1011 uint32_t doi, sit, ident;
1012 const u_char *cp, *np;
1013 int t;
1014
1015 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_SA));
1016
1017 p = (const struct ikev1_pl_sa *)ext;
1018 ND_TCHECK_SIZE(p);
1019 doi = EXTRACT_BE_U_4(p->doi);
1020 sit = EXTRACT_BE_U_4(p->sit);
1021 if (doi != 1) {
1022 ND_PRINT(" doi=%u", doi);
1023 ND_PRINT(" situation=%u", sit);
1024 return (const u_char *)(p + 1);
1025 }
1026
1027 ND_PRINT(" doi=ipsec");
1028 ND_PRINT(" situation=");
1029 t = 0;
1030 if (sit & 0x01) {
1031 ND_PRINT("identity");
1032 t++;
1033 }
1034 if (sit & 0x02) {
1035 ND_PRINT("%ssecrecy", t ? "+" : "");
1036 t++;
1037 }
1038 if (sit & 0x04)
1039 ND_PRINT("%sintegrity", t ? "+" : "");
1040
1041 np = (const u_char *)ext + sizeof(struct ikev1_pl_sa);
1042 if (sit != 0x01) {
1043 ND_TCHECK_4(ext + 1);
1044 ident = EXTRACT_BE_U_4(ext + 1);
1045 ND_PRINT(" ident=%u", ident);
1046 np += sizeof(ident);
1047 }
1048
1049 ext = (const struct isakmp_gen *)np;
1050 ND_TCHECK_SIZE(ext);
1051
1052 cp = ikev1_sub_print(ndo, ISAKMP_NPTYPE_P, ext, ep, phase, doi, proto0,
1053 depth);
1054
1055 return cp;
1056 trunc:
1057 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_SA));
1058 return NULL;
1059 }
1060
1061 static const u_char *
1062 ikev1_p_print(netdissect_options *ndo, u_char tpay _U_,
1063 const struct isakmp_gen *ext, u_int item_len _U_,
1064 const u_char *ep, uint32_t phase, uint32_t doi0,
1065 uint32_t proto0 _U_, int depth)
1066 {
1067 const struct ikev1_pl_p *p;
1068 const u_char *cp;
1069 uint8_t spi_size;
1070
1071 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_P));
1072
1073 p = (const struct ikev1_pl_p *)ext;
1074 ND_TCHECK_SIZE(p);
1075 ND_PRINT(" #%u protoid=%s transform=%u",
1076 EXTRACT_U_1(p->p_no), PROTOIDSTR(EXTRACT_U_1(p->prot_id)),
1077 EXTRACT_U_1(p->num_t));
1078 spi_size = EXTRACT_U_1(p->spi_size);
1079 if (spi_size) {
1080 ND_PRINT(" spi=");
1081 if (!rawprint(ndo, (const uint8_t *)(p + 1), spi_size))
1082 goto trunc;
1083 }
1084
1085 ext = (const struct isakmp_gen *)((const u_char *)(p + 1) + spi_size);
1086 ND_TCHECK_SIZE(ext);
1087
1088 cp = ikev1_sub_print(ndo, ISAKMP_NPTYPE_T, ext, ep, phase, doi0,
1089 EXTRACT_U_1(p->prot_id), depth);
1090
1091 return cp;
1092 trunc:
1093 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_P));
1094 return NULL;
1095 }
1096
1097 static const char *ikev1_p_map[] = {
1098 NULL, "ike",
1099 };
1100
1101 static const char *ikev2_t_type_map[]={
1102 NULL, "encr", "prf", "integ", "dh", "esn"
1103 };
1104
1105 static const char *ah_p_map[] = {
1106 NULL, "(reserved)", "md5", "sha", "1des",
1107 "sha2-256", "sha2-384", "sha2-512",
1108 };
1109
1110 static const char *prf_p_map[] = {
1111 NULL, "hmac-md5", "hmac-sha", "hmac-tiger",
1112 "aes128_xcbc"
1113 };
1114
1115 static const char *integ_p_map[] = {
1116 NULL, "hmac-md5", "hmac-sha", "dec-mac",
1117 "kpdk-md5", "aes-xcbc"
1118 };
1119
1120 static const char *esn_p_map[] = {
1121 "no-esn", "esn"
1122 };
1123
1124 static const char *dh_p_map[] = {
1125 NULL, "modp768",
1126 "modp1024", /* group 2 */
1127 "EC2N 2^155", /* group 3 */
1128 "EC2N 2^185", /* group 4 */
1129 "modp1536", /* group 5 */
1130 "iana-grp06", "iana-grp07", /* reserved */
1131 "iana-grp08", "iana-grp09",
1132 "iana-grp10", "iana-grp11",
1133 "iana-grp12", "iana-grp13",
1134 "modp2048", /* group 14 */
1135 "modp3072", /* group 15 */
1136 "modp4096", /* group 16 */
1137 "modp6144", /* group 17 */
1138 "modp8192", /* group 18 */
1139 };
1140
1141 static const char *esp_p_map[] = {
1142 NULL, "1des-iv64", "1des", "3des", "rc5", "idea", "cast",
1143 "blowfish", "3idea", "1des-iv32", "rc4", "null", "aes"
1144 };
1145
1146 static const char *ipcomp_p_map[] = {
1147 NULL, "oui", "deflate", "lzs",
1148 };
1149
1150 static const struct attrmap ipsec_t_map[] = {
1151 { NULL, 0, { NULL } },
1152 { "lifetype", 3, { NULL, "sec", "kb", }, },
1153 { "life", 0, { NULL } },
1154 { "group desc", 18, { NULL, "modp768",
1155 "modp1024", /* group 2 */
1156 "EC2N 2^155", /* group 3 */
1157 "EC2N 2^185", /* group 4 */
1158 "modp1536", /* group 5 */
1159 "iana-grp06", "iana-grp07", /* reserved */
1160 "iana-grp08", "iana-grp09",
1161 "iana-grp10", "iana-grp11",
1162 "iana-grp12", "iana-grp13",
1163 "modp2048", /* group 14 */
1164 "modp3072", /* group 15 */
1165 "modp4096", /* group 16 */
1166 "modp6144", /* group 17 */
1167 "modp8192", /* group 18 */
1168 }, },
1169 { "enc mode", 3, { NULL, "tunnel", "transport", }, },
1170 { "auth", 5, { NULL, "hmac-md5", "hmac-sha1", "1des-mac", "keyed", }, },
1171 { "keylen", 0, { NULL } },
1172 { "rounds", 0, { NULL } },
1173 { "dictsize", 0, { NULL } },
1174 { "privalg", 0, { NULL } },
1175 };
1176
1177 static const struct attrmap encr_t_map[] = {
1178 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 0, 1 */
1179 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 2, 3 */
1180 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 4, 5 */
1181 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 6, 7 */
1182 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 8, 9 */
1183 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 10,11*/
1184 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 12,13*/
1185 { "keylen", 14, { NULL }},
1186 };
1187
1188 static const struct attrmap oakley_t_map[] = {
1189 { NULL, 0, { NULL } },
1190 { "enc", 8, { NULL, "1des", "idea", "blowfish", "rc5",
1191 "3des", "cast", "aes", }, },
1192 { "hash", 7, { NULL, "md5", "sha1", "tiger",
1193 "sha2-256", "sha2-384", "sha2-512", }, },
1194 { "auth", 6, { NULL, "preshared", "dss", "rsa sig", "rsa enc",
1195 "rsa enc revised", }, },
1196 { "group desc", 18, { NULL, "modp768",
1197 "modp1024", /* group 2 */
1198 "EC2N 2^155", /* group 3 */
1199 "EC2N 2^185", /* group 4 */
1200 "modp1536", /* group 5 */
1201 "iana-grp06", "iana-grp07", /* reserved */
1202 "iana-grp08", "iana-grp09",
1203 "iana-grp10", "iana-grp11",
1204 "iana-grp12", "iana-grp13",
1205 "modp2048", /* group 14 */
1206 "modp3072", /* group 15 */
1207 "modp4096", /* group 16 */
1208 "modp6144", /* group 17 */
1209 "modp8192", /* group 18 */
1210 }, },
1211 { "group type", 4, { NULL, "MODP", "ECP", "EC2N", }, },
1212 { "group prime", 0, { NULL } },
1213 { "group gen1", 0, { NULL } },
1214 { "group gen2", 0, { NULL } },
1215 { "group curve A", 0, { NULL } },
1216 { "group curve B", 0, { NULL } },
1217 { "lifetype", 3, { NULL, "sec", "kb", }, },
1218 { "lifeduration", 0, { NULL } },
1219 { "prf", 0, { NULL } },
1220 { "keylen", 0, { NULL } },
1221 { "field", 0, { NULL } },
1222 { "order", 0, { NULL } },
1223 };
1224
1225 static const u_char *
1226 ikev1_t_print(netdissect_options *ndo, u_char tpay _U_,
1227 const struct isakmp_gen *ext, u_int item_len,
1228 const u_char *ep, uint32_t phase _U_, uint32_t doi _U_,
1229 uint32_t proto, int depth _U_)
1230 {
1231 const struct ikev1_pl_t *p;
1232 const u_char *cp;
1233 const char *idstr;
1234 const struct attrmap *map;
1235 size_t nmap;
1236 const u_char *ep2;
1237
1238 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_T));
1239
1240 p = (const struct ikev1_pl_t *)ext;
1241 ND_TCHECK_SIZE(p);
1242
1243 switch (proto) {
1244 case 1:
1245 idstr = STR_OR_ID(EXTRACT_U_1(p->t_id), ikev1_p_map);
1246 map = oakley_t_map;
1247 nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]);
1248 break;
1249 case 2:
1250 idstr = STR_OR_ID(EXTRACT_U_1(p->t_id), ah_p_map);
1251 map = ipsec_t_map;
1252 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
1253 break;
1254 case 3:
1255 idstr = STR_OR_ID(EXTRACT_U_1(p->t_id), esp_p_map);
1256 map = ipsec_t_map;
1257 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
1258 break;
1259 case 4:
1260 idstr = STR_OR_ID(EXTRACT_U_1(p->t_id), ipcomp_p_map);
1261 map = ipsec_t_map;
1262 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
1263 break;
1264 default:
1265 idstr = NULL;
1266 map = NULL;
1267 nmap = 0;
1268 break;
1269 }
1270
1271 if (idstr)
1272 ND_PRINT(" #%u id=%s ", EXTRACT_U_1(p->t_no), idstr);
1273 else
1274 ND_PRINT(" #%u id=%u ", EXTRACT_U_1(p->t_no), EXTRACT_U_1(p->t_id));
1275 cp = (const u_char *)(p + 1);
1276 ep2 = (const u_char *)p + item_len;
1277 while (cp < ep && cp < ep2) {
1278 if (map && nmap)
1279 cp = ikev1_attrmap_print(ndo, cp, ep2, map, nmap);
1280 else
1281 cp = ikev1_attr_print(ndo, cp, ep2);
1282 if (cp == NULL)
1283 goto trunc;
1284 }
1285 if (ep < ep2)
1286 ND_PRINT("...");
1287 return cp;
1288 trunc:
1289 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_T));
1290 return NULL;
1291 }
1292
1293 static const u_char *
1294 ikev1_ke_print(netdissect_options *ndo, u_char tpay _U_,
1295 const struct isakmp_gen *ext, u_int item_len,
1296 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_,
1297 uint32_t proto _U_, int depth _U_)
1298 {
1299 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_KE));
1300
1301 ND_TCHECK_SIZE(ext);
1302 /*
1303 * Our caller has ensured that the length is >= 4.
1304 */
1305 ND_PRINT(" key len=%u", item_len - 4);
1306 if (2 < ndo->ndo_vflag && item_len > 4) {
1307 /* Print the entire payload in hex */
1308 ND_PRINT(" ");
1309 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1310 goto trunc;
1311 }
1312 return (const u_char *)ext + item_len;
1313 trunc:
1314 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_KE));
1315 return NULL;
1316 }
1317
1318 static const u_char *
1319 ikev1_id_print(netdissect_options *ndo, u_char tpay _U_,
1320 const struct isakmp_gen *ext, u_int item_len,
1321 const u_char *ep _U_, uint32_t phase, uint32_t doi _U_,
1322 uint32_t proto _U_, int depth _U_)
1323 {
1324 #define USE_IPSECDOI_IN_PHASE1 1
1325 const struct ikev1_pl_id *p;
1326 static const char *idtypestr[] = {
1327 "IPv4", "IPv4net", "IPv6", "IPv6net",
1328 };
1329 static const char *ipsecidtypestr[] = {
1330 NULL, "IPv4", "FQDN", "user FQDN", "IPv4net", "IPv6",
1331 "IPv6net", "IPv4range", "IPv6range", "ASN1 DN", "ASN1 GN",
1332 "keyid",
1333 };
1334 u_int len;
1335 const u_char *data;
1336
1337 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_ID));
1338
1339 p = (const struct ikev1_pl_id *)ext;
1340 ND_TCHECK_SIZE(p);
1341 if (sizeof(*p) < item_len) {
1342 data = (const u_char *)(p + 1);
1343 len = item_len - sizeof(*p);
1344 } else {
1345 data = NULL;
1346 len = 0;
1347 }
1348
1349 #if 0 /*debug*/
1350 ND_PRINT(" [phase=%u doi=%u proto=%u]", phase, doi, proto);
1351 #endif
1352 switch (phase) {
1353 #ifndef USE_IPSECDOI_IN_PHASE1
1354 case 1:
1355 #endif
1356 default:
1357 ND_PRINT(" idtype=%s", STR_OR_ID(EXTRACT_U_1(p->d.id_type), idtypestr));
1358 ND_PRINT(" doi_data=%u",
1359 EXTRACT_BE_U_4(p->d.doi_data) & 0xffffff);
1360 break;
1361
1362 #ifdef USE_IPSECDOI_IN_PHASE1
1363 case 1:
1364 #endif
1365 case 2:
1366 {
1367 const struct ipsecdoi_id *doi_p;
1368 const char *p_name;
1369 uint8_t type, proto_id;
1370
1371 doi_p = (const struct ipsecdoi_id *)ext;
1372 ND_TCHECK_SIZE(doi_p);
1373 type = EXTRACT_U_1(doi_p->type);
1374 ND_PRINT(" idtype=%s", STR_OR_ID(type, ipsecidtypestr));
1375 /* A protocol ID of 0 DOES NOT mean IPPROTO_IP! */
1376 proto_id = EXTRACT_U_1(doi_p->proto_id);
1377 if (!ndo->ndo_nflag && proto_id && (p_name = netdb_protoname(proto_id)) != NULL)
1378 ND_PRINT(" protoid=%s", p_name);
1379 else
1380 ND_PRINT(" protoid=%u", proto_id);
1381 ND_PRINT(" port=%u", EXTRACT_BE_U_2(doi_p->port));
1382 if (!len)
1383 break;
1384 if (data == NULL)
1385 goto trunc;
1386 ND_TCHECK_LEN(data, len);
1387 switch (type) {
1388 case IPSECDOI_ID_IPV4_ADDR:
1389 if (len < 4)
1390 ND_PRINT(" len=%u [bad: < 4]", len);
1391 else
1392 ND_PRINT(" len=%u %s", len, ipaddr_string(ndo, data));
1393 len = 0;
1394 break;
1395 case IPSECDOI_ID_FQDN:
1396 case IPSECDOI_ID_USER_FQDN:
1397 {
1398 u_int i;
1399 ND_PRINT(" len=%u ", len);
1400 for (i = 0; i < len; i++)
1401 fn_print_char(ndo, EXTRACT_U_1(data + i));
1402 len = 0;
1403 break;
1404 }
1405 case IPSECDOI_ID_IPV4_ADDR_SUBNET:
1406 {
1407 const u_char *mask;
1408 if (len < 8)
1409 ND_PRINT(" len=%u [bad: < 8]", len);
1410 else {
1411 mask = data + sizeof(nd_ipv4);
1412 ND_PRINT(" len=%u %s/%u.%u.%u.%u", len,
1413 ipaddr_string(ndo, data),
1414 EXTRACT_U_1(mask), EXTRACT_U_1(mask + 1),
1415 EXTRACT_U_1(mask + 2), EXTRACT_U_1(mask + 3));
1416 }
1417 len = 0;
1418 break;
1419 }
1420 case IPSECDOI_ID_IPV6_ADDR:
1421 if (len < 16)
1422 ND_PRINT(" len=%u [bad: < 16]", len);
1423 else
1424 ND_PRINT(" len=%u %s", len, ip6addr_string(ndo, data));
1425 len = 0;
1426 break;
1427 case IPSECDOI_ID_IPV6_ADDR_SUBNET:
1428 {
1429 const u_char *mask;
1430 if (len < 32)
1431 ND_PRINT(" len=%u [bad: < 32]", len);
1432 else {
1433 mask = (const u_char *)(data + sizeof(nd_ipv6));
1434 /*XXX*/
1435 ND_PRINT(" len=%u %s/0x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x", len,
1436 ip6addr_string(ndo, data),
1437 EXTRACT_U_1(mask), EXTRACT_U_1(mask + 1), EXTRACT_U_1(mask + 2), EXTRACT_U_1(mask + 3),
1438 EXTRACT_U_1(mask + 4), EXTRACT_U_1(mask + 5), EXTRACT_U_1(mask + 6), EXTRACT_U_1(mask + 7),
1439 EXTRACT_U_1(mask + 8), EXTRACT_U_1(mask + 9), EXTRACT_U_1(mask + 10), EXTRACT_U_1(mask + 11),
1440 EXTRACT_U_1(mask + 12), EXTRACT_U_1(mask + 13), EXTRACT_U_1(mask + 14), EXTRACT_U_1(mask + 15));
1441 }
1442 len = 0;
1443 break;
1444 }
1445 case IPSECDOI_ID_IPV4_ADDR_RANGE:
1446 if (len < 8)
1447 ND_PRINT(" len=%u [bad: < 8]", len);
1448 else {
1449 ND_PRINT(" len=%u %s-%s", len,
1450 ipaddr_string(ndo, data),
1451 ipaddr_string(ndo, data + sizeof(nd_ipv4)));
1452 }
1453 len = 0;
1454 break;
1455 case IPSECDOI_ID_IPV6_ADDR_RANGE:
1456 if (len < 32)
1457 ND_PRINT(" len=%u [bad: < 32]", len);
1458 else {
1459 ND_PRINT(" len=%u %s-%s", len,
1460 ip6addr_string(ndo, data),
1461 ip6addr_string(ndo, data + sizeof(nd_ipv6)));
1462 }
1463 len = 0;
1464 break;
1465 case IPSECDOI_ID_DER_ASN1_DN:
1466 case IPSECDOI_ID_DER_ASN1_GN:
1467 case IPSECDOI_ID_KEY_ID:
1468 break;
1469 }
1470 break;
1471 }
1472 }
1473 if (data && len) {
1474 ND_PRINT(" len=%u", len);
1475 if (2 < ndo->ndo_vflag) {
1476 ND_PRINT(" ");
1477 if (!rawprint(ndo, (const uint8_t *)data, len))
1478 goto trunc;
1479 }
1480 }
1481 return (const u_char *)ext + item_len;
1482 trunc:
1483 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_ID));
1484 return NULL;
1485 }
1486
1487 static const u_char *
1488 ikev1_cert_print(netdissect_options *ndo, u_char tpay _U_,
1489 const struct isakmp_gen *ext, u_int item_len,
1490 const u_char *ep _U_, uint32_t phase _U_,
1491 uint32_t doi0 _U_,
1492 uint32_t proto0 _U_, int depth _U_)
1493 {
1494 const struct ikev1_pl_cert *p;
1495 static const char *certstr[] = {
1496 "none", "pkcs7", "pgp", "dns",
1497 "x509sign", "x509ke", "kerberos", "crl",
1498 "arl", "spki", "x509attr",
1499 };
1500
1501 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_CERT));
1502
1503 p = (const struct ikev1_pl_cert *)ext;
1504 ND_TCHECK_SIZE(p);
1505 /*
1506 * Our caller has ensured that the length is >= 4.
1507 */
1508 ND_PRINT(" len=%u", item_len - 4);
1509 ND_PRINT(" type=%s", STR_OR_ID(EXTRACT_U_1(p->encode), certstr));
1510 if (2 < ndo->ndo_vflag && 4 < item_len) {
1511 /* Print the entire payload in hex */
1512 ND_PRINT(" ");
1513 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1514 goto trunc;
1515 }
1516 return (const u_char *)ext + item_len;
1517 trunc:
1518 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_CERT));
1519 return NULL;
1520 }
1521
1522 static const u_char *
1523 ikev1_cr_print(netdissect_options *ndo, u_char tpay _U_,
1524 const struct isakmp_gen *ext, u_int item_len,
1525 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi0 _U_,
1526 uint32_t proto0 _U_, int depth _U_)
1527 {
1528 const struct ikev1_pl_cert *p;
1529 static const char *certstr[] = {
1530 "none", "pkcs7", "pgp", "dns",
1531 "x509sign", "x509ke", "kerberos", "crl",
1532 "arl", "spki", "x509attr",
1533 };
1534
1535 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_CR));
1536
1537 p = (const struct ikev1_pl_cert *)ext;
1538 ND_TCHECK_SIZE(p);
1539 /*
1540 * Our caller has ensured that the length is >= 4.
1541 */
1542 ND_PRINT(" len=%u", item_len - 4);
1543 ND_PRINT(" type=%s", STR_OR_ID(EXTRACT_U_1(p->encode), certstr));
1544 if (2 < ndo->ndo_vflag && 4 < item_len) {
1545 /* Print the entire payload in hex */
1546 ND_PRINT(" ");
1547 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1548 goto trunc;
1549 }
1550 return (const u_char *)ext + item_len;
1551 trunc:
1552 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_CR));
1553 return NULL;
1554 }
1555
1556 static const u_char *
1557 ikev1_hash_print(netdissect_options *ndo, u_char tpay _U_,
1558 const struct isakmp_gen *ext, u_int item_len,
1559 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_,
1560 uint32_t proto _U_, int depth _U_)
1561 {
1562 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_HASH));
1563
1564 ND_TCHECK_SIZE(ext);
1565 /*
1566 * Our caller has ensured that the length is >= 4.
1567 */
1568 ND_PRINT(" len=%u", item_len - 4);
1569 if (2 < ndo->ndo_vflag && 4 < item_len) {
1570 /* Print the entire payload in hex */
1571 ND_PRINT(" ");
1572 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1573 goto trunc;
1574 }
1575 return (const u_char *)ext + item_len;
1576 trunc:
1577 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_HASH));
1578 return NULL;
1579 }
1580
1581 static const u_char *
1582 ikev1_sig_print(netdissect_options *ndo, u_char tpay _U_,
1583 const struct isakmp_gen *ext, u_int item_len,
1584 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_,
1585 uint32_t proto _U_, int depth _U_)
1586 {
1587 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_SIG));
1588
1589 ND_TCHECK_SIZE(ext);
1590 /*
1591 * Our caller has ensured that the length is >= 4.
1592 */
1593 ND_PRINT(" len=%u", item_len - 4);
1594 if (2 < ndo->ndo_vflag && 4 < item_len) {
1595 /* Print the entire payload in hex */
1596 ND_PRINT(" ");
1597 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1598 goto trunc;
1599 }
1600 return (const u_char *)ext + item_len;
1601 trunc:
1602 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_SIG));
1603 return NULL;
1604 }
1605
1606 static const u_char *
1607 ikev1_nonce_print(netdissect_options *ndo, u_char tpay _U_,
1608 const struct isakmp_gen *ext,
1609 u_int item_len,
1610 const u_char *ep,
1611 uint32_t phase _U_, uint32_t doi _U_,
1612 uint32_t proto _U_, int depth _U_)
1613 {
1614 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_NONCE));
1615
1616 ND_TCHECK_SIZE(ext);
1617 /*
1618 * Our caller has ensured that the length is >= 4.
1619 */
1620 ND_PRINT(" n len=%u", item_len - 4);
1621 if (item_len > 4) {
1622 if (ndo->ndo_vflag > 2) {
1623 ND_PRINT(" ");
1624 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1625 goto trunc;
1626 } else if (ndo->ndo_vflag > 1) {
1627 ND_PRINT(" ");
1628 if (!ike_show_somedata(ndo, (const u_char *)(ext + 1), ep))
1629 goto trunc;
1630 }
1631 }
1632 return (const u_char *)ext + item_len;
1633 trunc:
1634 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_NONCE));
1635 return NULL;
1636 }
1637
1638 static const u_char *
1639 ikev1_n_print(netdissect_options *ndo, u_char tpay _U_,
1640 const struct isakmp_gen *ext, u_int item_len,
1641 const u_char *ep, uint32_t phase _U_, uint32_t doi0 _U_,
1642 uint32_t proto0 _U_, int depth _U_)
1643 {
1644 const struct ikev1_pl_n *p;
1645 const u_char *cp;
1646 const u_char *ep2;
1647 uint32_t doi;
1648 uint32_t proto;
1649 uint16_t type;
1650 uint8_t spi_size;
1651 static const char *notify_error_str[] = {
1652 NULL, "INVALID-PAYLOAD-TYPE",
1653 "DOI-NOT-SUPPORTED", "SITUATION-NOT-SUPPORTED",
1654 "INVALID-COOKIE", "INVALID-MAJOR-VERSION",
1655 "INVALID-MINOR-VERSION", "INVALID-EXCHANGE-TYPE",
1656 "INVALID-FLAGS", "INVALID-MESSAGE-ID",
1657 "INVALID-PROTOCOL-ID", "INVALID-SPI",
1658 "INVALID-TRANSFORM-ID", "ATTRIBUTES-NOT-SUPPORTED",
1659 "NO-PROPOSAL-CHOSEN", "BAD-PROPOSAL-SYNTAX",
1660 "PAYLOAD-MALFORMED", "INVALID-KEY-INFORMATION",
1661 "INVALID-ID-INFORMATION", "INVALID-CERT-ENCODING",
1662 "INVALID-CERTIFICATE", "CERT-TYPE-UNSUPPORTED",
1663 "INVALID-CERT-AUTHORITY", "INVALID-HASH-INFORMATION",
1664 "AUTHENTICATION-FAILED", "INVALID-SIGNATURE",
1665 "ADDRESS-NOTIFICATION", "NOTIFY-SA-LIFETIME",
1666 "CERTIFICATE-UNAVAILABLE", "UNSUPPORTED-EXCHANGE-TYPE",
1667 "UNEQUAL-PAYLOAD-LENGTHS",
1668 };
1669 static const char *ipsec_notify_error_str[] = {
1670 "RESERVED",
1671 };
1672 static const char *notify_status_str[] = {
1673 "CONNECTED",
1674 };
1675 static const char *ipsec_notify_status_str[] = {
1676 "RESPONDER-LIFETIME", "REPLAY-STATUS",
1677 "INITIAL-CONTACT",
1678 };
1679 /* NOTE: these macro must be called with x in proper range */
1680
1681 /* 0 - 8191 */
1682 #define NOTIFY_ERROR_STR(x) \
1683 STR_OR_ID((x), notify_error_str)
1684
1685 /* 8192 - 16383 */
1686 #define IPSEC_NOTIFY_ERROR_STR(x) \
1687 STR_OR_ID((u_int)((x) - 8192), ipsec_notify_error_str)
1688
1689 /* 16384 - 24575 */
1690 #define NOTIFY_STATUS_STR(x) \
1691 STR_OR_ID((u_int)((x) - 16384), notify_status_str)
1692
1693 /* 24576 - 32767 */
1694 #define IPSEC_NOTIFY_STATUS_STR(x) \
1695 STR_OR_ID((u_int)((x) - 24576), ipsec_notify_status_str)
1696
1697 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_N));
1698
1699 p = (const struct ikev1_pl_n *)ext;
1700 ND_TCHECK_SIZE(p);
1701 doi = EXTRACT_BE_U_4(p->doi);
1702 proto = EXTRACT_U_1(p->prot_id);
1703 if (doi != 1) {
1704 ND_PRINT(" doi=%u", doi);
1705 ND_PRINT(" proto=%u", proto);
1706 type = EXTRACT_BE_U_2(p->type);
1707 if (type < 8192)
1708 ND_PRINT(" type=%s", NOTIFY_ERROR_STR(type));
1709 else if (type < 16384)
1710 ND_PRINT(" type=%s", numstr(type));
1711 else if (type < 24576)
1712 ND_PRINT(" type=%s", NOTIFY_STATUS_STR(type));
1713 else
1714 ND_PRINT(" type=%s", numstr(type));
1715 spi_size = EXTRACT_U_1(p->spi_size);
1716 if (spi_size) {
1717 ND_PRINT(" spi=");
1718 if (!rawprint(ndo, (const uint8_t *)(p + 1), spi_size))
1719 goto trunc;
1720 }
1721 return (const u_char *)(p + 1) + spi_size;
1722 }
1723
1724 ND_PRINT(" doi=ipsec");
1725 ND_PRINT(" proto=%s", PROTOIDSTR(proto));
1726 type = EXTRACT_BE_U_2(p->type);
1727 if (type < 8192)
1728 ND_PRINT(" type=%s", NOTIFY_ERROR_STR(type));
1729 else if (type < 16384)
1730 ND_PRINT(" type=%s", IPSEC_NOTIFY_ERROR_STR(type));
1731 else if (type < 24576)
1732 ND_PRINT(" type=%s", NOTIFY_STATUS_STR(type));
1733 else if (type < 32768)
1734 ND_PRINT(" type=%s", IPSEC_NOTIFY_STATUS_STR(type));
1735 else
1736 ND_PRINT(" type=%s", numstr(type));
1737 spi_size = EXTRACT_U_1(p->spi_size);
1738 if (spi_size) {
1739 ND_PRINT(" spi=");
1740 if (!rawprint(ndo, (const uint8_t *)(p + 1), spi_size))
1741 goto trunc;
1742 }
1743
1744 cp = (const u_char *)(p + 1) + spi_size;
1745 ep2 = (const u_char *)p + item_len;
1746
1747 if (cp < ep) {
1748 switch (type) {
1749 case IPSECDOI_NTYPE_RESPONDER_LIFETIME:
1750 {
1751 const struct attrmap *map = oakley_t_map;
1752 size_t nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]);
1753 ND_PRINT(" attrs=(");
1754 while (cp < ep && cp < ep2) {
1755 cp = ikev1_attrmap_print(ndo, cp, ep2, map, nmap);
1756 if (cp == NULL) {
1757 ND_PRINT(")");
1758 goto trunc;
1759 }
1760 }
1761 ND_PRINT(")");
1762 break;
1763 }
1764 case IPSECDOI_NTYPE_REPLAY_STATUS:
1765 ND_PRINT(" status=(");
1766 ND_PRINT("replay detection %sabled",
1767 EXTRACT_BE_U_4(cp) ? "en" : "dis");
1768 ND_PRINT(")");
1769 break;
1770 default:
1771 /*
1772 * XXX - fill in more types here; see, for example,
1773 * draft-ietf-ipsec-notifymsg-04.
1774 */
1775 if (ndo->ndo_vflag > 3) {
1776 ND_PRINT(" data=(");
1777 if (!rawprint(ndo, (const uint8_t *)(cp), ep - cp))
1778 goto trunc;
1779 ND_PRINT(")");
1780 } else {
1781 if (!ike_show_somedata(ndo, cp, ep))
1782 goto trunc;
1783 }
1784 break;
1785 }
1786 }
1787 return (const u_char *)ext + item_len;
1788 trunc:
1789 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_N));
1790 return NULL;
1791 }
1792
1793 static const u_char *
1794 ikev1_d_print(netdissect_options *ndo, u_char tpay _U_,
1795 const struct isakmp_gen *ext, u_int item_len _U_,
1796 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi0 _U_,
1797 uint32_t proto0 _U_, int depth _U_)
1798 {
1799 const struct ikev1_pl_d *p;
1800 const uint8_t *q;
1801 uint32_t doi;
1802 uint32_t proto;
1803 uint8_t spi_size;
1804 uint16_t num_spi;
1805 u_int i;
1806
1807 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_D));
1808
1809 p = (const struct ikev1_pl_d *)ext;
1810 ND_TCHECK_SIZE(p);
1811 doi = EXTRACT_BE_U_4(p->doi);
1812 proto = EXTRACT_U_1(p->prot_id);
1813 if (doi != 1) {
1814 ND_PRINT(" doi=%u", doi);
1815 ND_PRINT(" proto=%u", proto);
1816 } else {
1817 ND_PRINT(" doi=ipsec");
1818 ND_PRINT(" proto=%s", PROTOIDSTR(proto));
1819 }
1820 spi_size = EXTRACT_U_1(p->spi_size);
1821 ND_PRINT(" spilen=%u", spi_size);
1822 num_spi = EXTRACT_BE_U_2(p->num_spi);
1823 ND_PRINT(" nspi=%u", num_spi);
1824 ND_PRINT(" spi=");
1825 q = (const uint8_t *)(p + 1);
1826 for (i = 0; i < num_spi; i++) {
1827 if (i != 0)
1828 ND_PRINT(",");
1829 if (!rawprint(ndo, (const uint8_t *)q, spi_size))
1830 goto trunc;
1831 q += spi_size;
1832 }
1833 return q;
1834 trunc:
1835 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_D));
1836 return NULL;
1837 }
1838
1839 static const u_char *
1840 ikev1_vid_print(netdissect_options *ndo, u_char tpay _U_,
1841 const struct isakmp_gen *ext,
1842 u_int item_len, const u_char *ep _U_,
1843 uint32_t phase _U_, uint32_t doi _U_,
1844 uint32_t proto _U_, int depth _U_)
1845 {
1846 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_VID));
1847
1848 ND_TCHECK_SIZE(ext);
1849 /*
1850 * Our caller has ensured that the length is >= 4.
1851 */
1852 ND_PRINT(" len=%u", item_len - 4);
1853 if (2 < ndo->ndo_vflag && 4 < item_len) {
1854 /* Print the entire payload in hex */
1855 ND_PRINT(" ");
1856 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1857 goto trunc;
1858 }
1859 return (const u_char *)ext + item_len;
1860 trunc:
1861 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_VID));
1862 return NULL;
1863 }
1864
1865 /************************************************************/
1866 /* */
1867 /* IKE v2 - rfc4306 - dissector */
1868 /* */
1869 /************************************************************/
1870
1871 static void
1872 ikev2_pay_print(netdissect_options *ndo, const char *payname, uint8_t critical)
1873 {
1874 ND_PRINT("%s%s:", payname, critical&0x80 ? "[C]" : "");
1875 }
1876
1877 static const u_char *
1878 ikev2_gen_print(netdissect_options *ndo, u_char tpay,
1879 const struct isakmp_gen *ext, u_int item_len)
1880 {
1881 const struct isakmp_gen *p = (const struct isakmp_gen *)ext;
1882
1883 ND_TCHECK_SIZE(ext);
1884 ikev2_pay_print(ndo, NPSTR(tpay), EXTRACT_U_1(p->critical));
1885
1886 /*
1887 * Our caller has ensured that the length is >= 4.
1888 */
1889 ND_PRINT(" len=%u", item_len - 4);
1890 if (2 < ndo->ndo_vflag && 4 < item_len) {
1891 /* Print the entire payload in hex */
1892 ND_PRINT(" ");
1893 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1894 goto trunc;
1895 }
1896 return (const u_char *)ext + item_len;
1897 trunc:
1898 ND_PRINT(" [|%s]", NPSTR(tpay));
1899 return NULL;
1900 }
1901
1902 static const u_char *
1903 ikev2_t_print(netdissect_options *ndo, int tcount,
1904 const struct isakmp_gen *ext, u_int item_len,
1905 const u_char *ep)
1906 {
1907 const struct ikev2_t *p;
1908 uint16_t t_id;
1909 uint8_t t_type;
1910 const u_char *cp;
1911 const char *idstr;
1912 const struct attrmap *map;
1913 size_t nmap;
1914 const u_char *ep2;
1915
1916 p = (const struct ikev2_t *)ext;
1917 ND_TCHECK_SIZE(p);
1918 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_T), EXTRACT_U_1(p->h.critical));
1919
1920 t_id = EXTRACT_BE_U_2(p->t_id);
1921
1922 map = NULL;
1923 nmap = 0;
1924
1925 t_type = EXTRACT_U_1(p->t_type);
1926 switch (t_type) {
1927 case IV2_T_ENCR:
1928 idstr = STR_OR_ID(t_id, esp_p_map);
1929 map = encr_t_map;
1930 nmap = sizeof(encr_t_map)/sizeof(encr_t_map[0]);
1931 break;
1932
1933 case IV2_T_PRF:
1934 idstr = STR_OR_ID(t_id, prf_p_map);
1935 break;
1936
1937 case IV2_T_INTEG:
1938 idstr = STR_OR_ID(t_id, integ_p_map);
1939 break;
1940
1941 case IV2_T_DH:
1942 idstr = STR_OR_ID(t_id, dh_p_map);
1943 break;
1944
1945 case IV2_T_ESN:
1946 idstr = STR_OR_ID(t_id, esn_p_map);
1947 break;
1948
1949 default:
1950 idstr = NULL;
1951 break;
1952 }
1953
1954 if (idstr)
1955 ND_PRINT(" #%u type=%s id=%s ", tcount,
1956 STR_OR_ID(t_type, ikev2_t_type_map),
1957 idstr);
1958 else
1959 ND_PRINT(" #%u type=%s id=%u ", tcount,
1960 STR_OR_ID(t_type, ikev2_t_type_map),
1961 t_id);
1962 cp = (const u_char *)(p + 1);
1963 ep2 = (const u_char *)p + item_len;
1964 while (cp < ep && cp < ep2) {
1965 if (map && nmap) {
1966 cp = ikev1_attrmap_print(ndo, cp, ep2, map, nmap);
1967 } else
1968 cp = ikev1_attr_print(ndo, cp, ep2);
1969 if (cp == NULL)
1970 goto trunc;
1971 }
1972 if (ep < ep2)
1973 ND_PRINT("...");
1974 return cp;
1975 trunc:
1976 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_T));
1977 return NULL;
1978 }
1979
1980 static const u_char *
1981 ikev2_p_print(netdissect_options *ndo, u_char tpay _U_, int pcount _U_,
1982 const struct isakmp_gen *ext, u_int oprop_length,
1983 const u_char *ep, int depth)
1984 {
1985 const struct ikev2_p *p;
1986 u_int prop_length;
1987 uint8_t spi_size;
1988 const u_char *cp;
1989 int i;
1990 int tcount;
1991 u_char np;
1992 u_int item_len;
1993
1994 p = (const struct ikev2_p *)ext;
1995 ND_TCHECK_SIZE(p);
1996
1997 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_P), EXTRACT_U_1(p->h.critical));
1998
1999 /*
2000 * ikev2_sa_print() guarantees that this is >= 4.
2001 */
2002 prop_length = oprop_length - 4;
2003 ND_PRINT(" #%u protoid=%s transform=%u len=%u",
2004 EXTRACT_U_1(p->p_no), PROTOIDSTR(EXTRACT_U_1(p->prot_id)),
2005 EXTRACT_U_1(p->num_t), oprop_length);
2006 cp = (const u_char *)(p + 1);
2007
2008 spi_size = EXTRACT_U_1(p->spi_size);
2009 if (spi_size) {
2010 if (prop_length < spi_size)
2011 goto toolong;
2012 ND_PRINT(" spi=");
2013 if (!rawprint(ndo, (const uint8_t *)cp, spi_size))
2014 goto trunc;
2015 cp += spi_size;
2016 prop_length -= spi_size;
2017 }
2018
2019 /*
2020 * Print the transforms.
2021 */
2022 tcount = 0;
2023 for (np = ISAKMP_NPTYPE_T; np != 0; np = EXTRACT_U_1(ext->np)) {
2024 tcount++;
2025 ext = (const struct isakmp_gen *)cp;
2026 if (prop_length < sizeof(*ext))
2027 goto toolong;
2028 ND_TCHECK_SIZE(ext);
2029
2030 /*
2031 * Since we can't have a payload length of less than 4 bytes,
2032 * we need to bail out here if the generic header is nonsensical
2033 * or truncated, otherwise we could loop forever processing
2034 * zero-length items or otherwise misdissect the packet.
2035 */
2036 item_len = EXTRACT_BE_U_2(ext->len);
2037 if (item_len <= 4)
2038 goto trunc;
2039
2040 if (prop_length < item_len)
2041 goto toolong;
2042 ND_TCHECK_LEN(cp, item_len);
2043
2044 depth++;
2045 ND_PRINT("\n");
2046 for (i = 0; i < depth; i++)
2047 ND_PRINT(" ");
2048 ND_PRINT("(");
2049 if (np == ISAKMP_NPTYPE_T) {
2050 cp = ikev2_t_print(ndo, tcount, ext, item_len, ep);
2051 if (cp == NULL) {
2052 /* error, already reported */
2053 return NULL;
2054 }
2055 } else {
2056 ND_PRINT("%s", NPSTR(np));
2057 cp += item_len;
2058 }
2059 ND_PRINT(")");
2060 depth--;
2061 prop_length -= item_len;
2062 }
2063 return cp;
2064 toolong:
2065 /*
2066 * Skip the rest of the proposal.
2067 */
2068 cp += prop_length;
2069 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_P));
2070 return cp;
2071 trunc:
2072 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_P));
2073 return NULL;
2074 }
2075
2076 static const u_char *
2077 ikev2_sa_print(netdissect_options *ndo, u_char tpay,
2078 const struct isakmp_gen *ext1,
2079 u_int osa_length, const u_char *ep,
2080 uint32_t phase _U_, uint32_t doi _U_,
2081 uint32_t proto _U_, int depth)
2082 {
2083 const struct isakmp_gen *ext;
2084 u_int sa_length;
2085 const u_char *cp;
2086 int i;
2087 int pcount;
2088 u_char np;
2089 u_int item_len;
2090
2091 ND_TCHECK_SIZE(ext1);
2092 ikev2_pay_print(ndo, "sa", EXTRACT_U_1(ext1->critical));
2093
2094 /*
2095 * ikev2_sub0_print() guarantees that this is >= 4.
2096 */
2097 osa_length= EXTRACT_BE_U_2(ext1->len);
2098 sa_length = osa_length - 4;
2099 ND_PRINT(" len=%u", sa_length);
2100
2101 /*
2102 * Print the payloads.
2103 */
2104 cp = (const u_char *)(ext1 + 1);
2105 pcount = 0;
2106 for (np = ISAKMP_NPTYPE_P; np != 0; np = EXTRACT_U_1(ext->np)) {
2107 pcount++;
2108 ext = (const struct isakmp_gen *)cp;
2109 if (sa_length < sizeof(*ext))
2110 goto toolong;
2111 ND_TCHECK_SIZE(ext);
2112
2113 /*
2114 * Since we can't have a payload length of less than 4 bytes,
2115 * we need to bail out here if the generic header is nonsensical
2116 * or truncated, otherwise we could loop forever processing
2117 * zero-length items or otherwise misdissect the packet.
2118 */
2119 item_len = EXTRACT_BE_U_2(ext->len);
2120 if (item_len <= 4)
2121 goto trunc;
2122
2123 if (sa_length < item_len)
2124 goto toolong;
2125 ND_TCHECK_LEN(cp, item_len);
2126
2127 depth++;
2128 ND_PRINT("\n");
2129 for (i = 0; i < depth; i++)
2130 ND_PRINT(" ");
2131 ND_PRINT("(");
2132 if (np == ISAKMP_NPTYPE_P) {
2133 cp = ikev2_p_print(ndo, np, pcount, ext, item_len,
2134 ep, depth);
2135 if (cp == NULL) {
2136 /* error, already reported */
2137 return NULL;
2138 }
2139 } else {
2140 ND_PRINT("%s", NPSTR(np));
2141 cp += item_len;
2142 }
2143 ND_PRINT(")");
2144 depth--;
2145 sa_length -= item_len;
2146 }
2147 return cp;
2148 toolong:
2149 /*
2150 * Skip the rest of the SA.
2151 */
2152 cp += sa_length;
2153 ND_PRINT(" [|%s]", NPSTR(tpay));
2154 return cp;
2155 trunc:
2156 ND_PRINT(" [|%s]", NPSTR(tpay));
2157 return NULL;
2158 }
2159
2160 static const u_char *
2161 ikev2_ke_print(netdissect_options *ndo, u_char tpay,
2162 const struct isakmp_gen *ext,
2163 u_int item_len, const u_char *ep _U_,
2164 uint32_t phase _U_, uint32_t doi _U_,
2165 uint32_t proto _U_, int depth _U_)
2166 {
2167 const struct ikev2_ke *k;
2168
2169 k = (const struct ikev2_ke *)ext;
2170 ND_TCHECK_SIZE(k);
2171 ikev2_pay_print(ndo, NPSTR(tpay), EXTRACT_U_1(k->h.critical));
2172
2173 if (item_len < 8) {
2174 ND_PRINT(" len=%u < 8", item_len);
2175 return (const u_char *)ext + item_len;
2176 }
2177 ND_PRINT(" len=%u group=%s", item_len - 8,
2178 STR_OR_ID(EXTRACT_BE_U_2(k->ke_group), dh_p_map));
2179
2180 if (2 < ndo->ndo_vflag && 8 < item_len) {
2181 ND_PRINT(" ");
2182 if (!rawprint(ndo, (const uint8_t *)(k + 1), item_len - 8))
2183 goto trunc;
2184 }
2185 return (const u_char *)ext + item_len;
2186 trunc:
2187 ND_PRINT(" [|%s]", NPSTR(tpay));
2188 return NULL;
2189 }
2190
2191 static const u_char *
2192 ikev2_ID_print(netdissect_options *ndo, u_char tpay,
2193 const struct isakmp_gen *ext,
2194 u_int item_len, const u_char *ep _U_,
2195 uint32_t phase _U_, uint32_t doi _U_,
2196 uint32_t proto _U_, int depth _U_)
2197 {
2198 const struct ikev2_id *idp;
2199 u_int idtype_len, i;
2200 unsigned int dumpascii, dumphex;
2201 const unsigned char *typedata;
2202
2203 idp = (const struct ikev2_id *)ext;
2204 ND_TCHECK_SIZE(idp);
2205 ikev2_pay_print(ndo, NPSTR(tpay), EXTRACT_U_1(idp->h.critical));
2206
2207 /*
2208 * Our caller has ensured that the length is >= 4.
2209 */
2210 ND_PRINT(" len=%u", item_len - 4);
2211 if (2 < ndo->ndo_vflag && 4 < item_len) {
2212 /* Print the entire payload in hex */
2213 ND_PRINT(" ");
2214 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
2215 goto trunc;
2216 }
2217
2218 idtype_len =item_len - sizeof(struct ikev2_id);
2219 dumpascii = 0;
2220 dumphex = 0;
2221 typedata = (const unsigned char *)(ext)+sizeof(struct ikev2_id);
2222
2223 switch(EXTRACT_U_1(idp->type)) {
2224 case ID_IPV4_ADDR:
2225 ND_PRINT(" ipv4:");
2226 dumphex=1;
2227 break;
2228 case ID_FQDN:
2229 ND_PRINT(" fqdn:");
2230 dumpascii=1;
2231 break;
2232 case ID_RFC822_ADDR:
2233 ND_PRINT(" rfc822:");
2234 dumpascii=1;
2235 break;
2236 case ID_IPV6_ADDR:
2237 ND_PRINT(" ipv6:");
2238 dumphex=1;
2239 break;
2240 case ID_DER_ASN1_DN:
2241 ND_PRINT(" dn:");
2242 dumphex=1;
2243 break;
2244 case ID_DER_ASN1_GN:
2245 ND_PRINT(" gn:");
2246 dumphex=1;
2247 break;
2248 case ID_KEY_ID:
2249 ND_PRINT(" keyid:");
2250 dumphex=1;
2251 break;
2252 }
2253
2254 if(dumpascii) {
2255 ND_TCHECK_LEN(typedata, idtype_len);
2256 for(i=0; i<idtype_len; i++) {
2257 if(ND_ISPRINT(EXTRACT_U_1(typedata + i))) {
2258 ND_PRINT("%c", EXTRACT_U_1(typedata + i));
2259 } else {
2260 ND_PRINT(".");
2261 }
2262 }
2263 }
2264 if(dumphex) {
2265 if (!rawprint(ndo, (const uint8_t *)typedata, idtype_len))
2266 goto trunc;
2267 }
2268
2269 return (const u_char *)ext + item_len;
2270 trunc:
2271 ND_PRINT(" [|%s]", NPSTR(tpay));
2272 return NULL;
2273 }
2274
2275 static const u_char *
2276 ikev2_cert_print(netdissect_options *ndo, u_char tpay,
2277 const struct isakmp_gen *ext,
2278 u_int item_len, const u_char *ep _U_,
2279 uint32_t phase _U_, uint32_t doi _U_,
2280 uint32_t proto _U_, int depth _U_)
2281 {
2282 return ikev2_gen_print(ndo, tpay, ext, item_len);
2283 }
2284
2285 static const u_char *
2286 ikev2_cr_print(netdissect_options *ndo, u_char tpay,
2287 const struct isakmp_gen *ext,
2288 u_int item_len, const u_char *ep _U_,
2289 uint32_t phase _U_, uint32_t doi _U_,
2290 uint32_t proto _U_, int depth _U_)
2291 {
2292 return ikev2_gen_print(ndo, tpay, ext, item_len);
2293 }
2294
2295 static const u_char *
2296 ikev2_auth_print(netdissect_options *ndo, u_char tpay,
2297 const struct isakmp_gen *ext,
2298 u_int item_len, const u_char *ep,
2299 uint32_t phase _U_, uint32_t doi _U_,
2300 uint32_t proto _U_, int depth _U_)
2301 {
2302 const struct ikev2_auth *p;
2303 const char *v2_auth[]={ "invalid", "rsasig",
2304 "shared-secret", "dsssig" };
2305 const u_char *authdata = (const u_char*)ext + sizeof(struct ikev2_auth);
2306
2307 ND_TCHECK_LEN(ext, sizeof(struct ikev2_auth));
2308 p = (const struct ikev2_auth *)ext;
2309 ikev2_pay_print(ndo, NPSTR(tpay), EXTRACT_U_1(p->h.critical));
2310
2311 /*
2312 * Our caller has ensured that the length is >= 4.
2313 */
2314 ND_PRINT(" len=%u method=%s", item_len-4,
2315 STR_OR_ID(EXTRACT_U_1(p->auth_method), v2_auth));
2316 if (item_len > 4) {
2317 if (ndo->ndo_vflag > 1) {
2318 ND_PRINT(" authdata=(");
2319 if (!rawprint(ndo, (const uint8_t *)authdata, item_len - sizeof(struct ikev2_auth)))
2320 goto trunc;
2321 ND_PRINT(") ");
2322 } else if (ndo->ndo_vflag) {
2323 if (!ike_show_somedata(ndo, authdata, ep))
2324 goto trunc;
2325 }
2326 }
2327
2328 return (const u_char *)ext + item_len;
2329 trunc:
2330 ND_PRINT(" [|%s]", NPSTR(tpay));
2331 return NULL;
2332 }
2333
2334 static const u_char *
2335 ikev2_nonce_print(netdissect_options *ndo, u_char tpay,
2336 const struct isakmp_gen *ext,
2337 u_int item_len, const u_char *ep,
2338 uint32_t phase _U_, uint32_t doi _U_,
2339 uint32_t proto _U_, int depth _U_)
2340 {
2341 ND_TCHECK_SIZE(ext);
2342 ikev2_pay_print(ndo, "nonce", EXTRACT_U_1(ext->critical));
2343
2344 /*
2345 * Our caller has ensured that the length is >= 4.
2346 */
2347 ND_PRINT(" len=%u", item_len - 4);
2348 if (1 < ndo->ndo_vflag && 4 < item_len) {
2349 ND_PRINT(" nonce=(");
2350 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
2351 goto trunc;
2352 ND_PRINT(") ");
2353 } else if(ndo->ndo_vflag && 4 < item_len) {
2354 if(!ike_show_somedata(ndo, (const u_char *)(ext+1), ep)) goto trunc;
2355 }
2356
2357 return (const u_char *)ext + item_len;
2358 trunc:
2359 ND_PRINT(" [|%s]", NPSTR(tpay));
2360 return NULL;
2361 }
2362
2363 /* notify payloads */
2364 static const u_char *
2365 ikev2_n_print(netdissect_options *ndo, u_char tpay _U_,
2366 const struct isakmp_gen *ext,
2367 u_int item_len, const u_char *ep,
2368 uint32_t phase _U_, uint32_t doi _U_,
2369 uint32_t proto _U_, int depth _U_)
2370 {
2371 const struct ikev2_n *p;
2372 uint16_t type;
2373 uint8_t spi_size;
2374 const u_char *cp;
2375 u_char showspi, showsomedata;
2376 const char *notify_name;
2377
2378 p = (const struct ikev2_n *)ext;
2379 ND_TCHECK_SIZE(p);
2380 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_N), EXTRACT_U_1(p->h.critical));
2381
2382 showspi = 1;
2383 showsomedata=0;
2384 notify_name=NULL;
2385
2386 ND_PRINT(" prot_id=%s", PROTOIDSTR(EXTRACT_U_1(p->prot_id)));
2387
2388 type = EXTRACT_BE_U_2(p->type);
2389
2390 /* notify space is annoying sparse */
2391 switch(type) {
2392 case IV2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD:
2393 notify_name = "unsupported_critical_payload";
2394 showspi = 0;
2395 break;
2396
2397 case IV2_NOTIFY_INVALID_IKE_SPI:
2398 notify_name = "invalid_ike_spi";
2399 showspi = 1;
2400 break;
2401
2402 case IV2_NOTIFY_INVALID_MAJOR_VERSION:
2403 notify_name = "invalid_major_version";
2404 showspi = 0;
2405 break;
2406
2407 case IV2_NOTIFY_INVALID_SYNTAX:
2408 notify_name = "invalid_syntax";
2409 showspi = 1;
2410 break;
2411
2412 case IV2_NOTIFY_INVALID_MESSAGE_ID:
2413 notify_name = "invalid_message_id";
2414 showspi = 1;
2415 break;
2416
2417 case IV2_NOTIFY_INVALID_SPI:
2418 notify_name = "invalid_spi";
2419 showspi = 1;
2420 break;
2421
2422 case IV2_NOTIFY_NO_PROPOSAL_CHOSEN:
2423 notify_name = "no_protocol_chosen";
2424 showspi = 1;
2425 break;
2426
2427 case IV2_NOTIFY_INVALID_KE_PAYLOAD:
2428 notify_name = "invalid_ke_payload";
2429 showspi = 1;
2430 break;
2431
2432 case IV2_NOTIFY_AUTHENTICATION_FAILED:
2433 notify_name = "authentication_failed";
2434 showspi = 1;
2435 break;
2436
2437 case IV2_NOTIFY_SINGLE_PAIR_REQUIRED:
2438 notify_name = "single_pair_required";
2439 showspi = 1;
2440 break;
2441
2442 case IV2_NOTIFY_NO_ADDITIONAL_SAS:
2443 notify_name = "no_additional_sas";
2444 showspi = 0;
2445 break;
2446
2447 case IV2_NOTIFY_INTERNAL_ADDRESS_FAILURE:
2448 notify_name = "internal_address_failure";
2449 showspi = 0;
2450 break;
2451
2452 case IV2_NOTIFY_FAILED_CP_REQUIRED:
2453 notify_name = "failed:cp_required";
2454 showspi = 0;
2455 break;
2456
2457 case IV2_NOTIFY_INVALID_SELECTORS:
2458 notify_name = "invalid_selectors";
2459 showspi = 0;
2460 break;
2461
2462 case IV2_NOTIFY_INITIAL_CONTACT:
2463 notify_name = "initial_contact";
2464 showspi = 0;
2465 break;
2466
2467 case IV2_NOTIFY_SET_WINDOW_SIZE:
2468 notify_name = "set_window_size";
2469 showspi = 0;
2470 break;
2471
2472 case IV2_NOTIFY_ADDITIONAL_TS_POSSIBLE:
2473 notify_name = "additional_ts_possible";
2474 showspi = 0;
2475 break;
2476
2477 case IV2_NOTIFY_IPCOMP_SUPPORTED:
2478 notify_name = "ipcomp_supported";
2479 showspi = 0;
2480 break;
2481
2482 case IV2_NOTIFY_NAT_DETECTION_SOURCE_IP:
2483 notify_name = "nat_detection_source_ip";
2484 showspi = 1;
2485 break;
2486
2487 case IV2_NOTIFY_NAT_DETECTION_DESTINATION_IP:
2488 notify_name = "nat_detection_destination_ip";
2489 showspi = 1;
2490 break;
2491
2492 case IV2_NOTIFY_COOKIE:
2493 notify_name = "cookie";
2494 showspi = 1;
2495 showsomedata= 1;
2496 break;
2497
2498 case IV2_NOTIFY_USE_TRANSPORT_MODE:
2499 notify_name = "use_transport_mode";
2500 showspi = 0;
2501 break;
2502
2503 case IV2_NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED:
2504 notify_name = "http_cert_lookup_supported";
2505 showspi = 0;
2506 break;
2507
2508 case IV2_NOTIFY_REKEY_SA:
2509 notify_name = "rekey_sa";
2510 showspi = 1;
2511 break;
2512
2513 case IV2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED:
2514 notify_name = "tfc_padding_not_supported";
2515 showspi = 0;
2516 break;
2517
2518 case IV2_NOTIFY_NON_FIRST_FRAGMENTS_ALSO:
2519 notify_name = "non_first_fragment_also";
2520 showspi = 0;
2521 break;
2522
2523 default:
2524 if (type < 8192) {
2525 notify_name="error";
2526 } else if(type < 16384) {
2527 notify_name="private-error";
2528 } else if(type < 40960) {
2529 notify_name="status";
2530 } else {
2531 notify_name="private-status";
2532 }
2533 }
2534
2535 if(notify_name) {
2536 ND_PRINT(" type=%u(%s)", type, notify_name);
2537 }
2538
2539
2540 spi_size = EXTRACT_U_1(p->spi_size);
2541 if (showspi && spi_size) {
2542 ND_PRINT(" spi=");
2543 if (!rawprint(ndo, (const uint8_t *)(p + 1), spi_size))
2544 goto trunc;
2545 }
2546
2547 cp = (const u_char *)(p + 1) + spi_size;
2548
2549 if (cp < ep) {
2550 if (ndo->ndo_vflag > 3 || (showsomedata && ep-cp < 30)) {
2551 ND_PRINT(" data=(");
2552 if (!rawprint(ndo, (const uint8_t *)(cp), ep - cp))
2553 goto trunc;
2554
2555 ND_PRINT(")");
2556 } else if (showsomedata) {
2557 if (!ike_show_somedata(ndo, cp, ep))
2558 goto trunc;
2559 }
2560 }
2561
2562 return (const u_char *)ext + item_len;
2563 trunc:
2564 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_N));
2565 return NULL;
2566 }
2567
2568 static const u_char *
2569 ikev2_d_print(netdissect_options *ndo, u_char tpay,
2570 const struct isakmp_gen *ext,
2571 u_int item_len, const u_char *ep _U_,
2572 uint32_t phase _U_, uint32_t doi _U_,
2573 uint32_t proto _U_, int depth _U_)
2574 {
2575 return ikev2_gen_print(ndo, tpay, ext, item_len);
2576 }
2577
2578 static const u_char *
2579 ikev2_vid_print(netdissect_options *ndo, u_char tpay,
2580 const struct isakmp_gen *ext,
2581 u_int item_len, const u_char *ep _U_,
2582 uint32_t phase _U_, uint32_t doi _U_,
2583 uint32_t proto _U_, int depth _U_)
2584 {
2585 const u_char *vid;
2586 u_int i, len;
2587
2588 ND_TCHECK_SIZE(ext);
2589 ikev2_pay_print(ndo, NPSTR(tpay), EXTRACT_U_1(ext->critical));
2590
2591 /*
2592 * Our caller has ensured that the length is >= 4.
2593 */
2594 ND_PRINT(" len=%u vid=", item_len - 4);
2595
2596 vid = (const u_char *)(ext+1);
2597 len = item_len - 4;
2598 ND_TCHECK_LEN(vid, len);
2599 for(i=0; i<len; i++) {
2600 if(ND_ISPRINT(EXTRACT_U_1(vid + i)))
2601 ND_PRINT("%c", EXTRACT_U_1(vid + i));
2602 else ND_PRINT(".");
2603 }
2604 if (2 < ndo->ndo_vflag && 4 < len) {
2605 /* Print the entire payload in hex */
2606 ND_PRINT(" ");
2607 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
2608 goto trunc;
2609 }
2610 return (const u_char *)ext + item_len;
2611 trunc:
2612 ND_PRINT(" [|%s]", NPSTR(tpay));
2613 return NULL;
2614 }
2615
2616 static const u_char *
2617 ikev2_TS_print(netdissect_options *ndo, u_char tpay,
2618 const struct isakmp_gen *ext,
2619 u_int item_len, const u_char *ep _U_,
2620 uint32_t phase _U_, uint32_t doi _U_,
2621 uint32_t proto _U_, int depth _U_)
2622 {
2623 return ikev2_gen_print(ndo, tpay, ext, item_len);
2624 }
2625
2626 static const u_char *
2627 ikev2_e_print(netdissect_options *ndo,
2628 #ifndef HAVE_LIBCRYPTO
2629 _U_
2630 #endif
2631 const struct isakmp *base,
2632 u_char tpay,
2633 const struct isakmp_gen *ext,
2634 u_int item_len, const u_char *ep _U_,
2635 #ifndef HAVE_LIBCRYPTO
2636 _U_
2637 #endif
2638 uint32_t phase,
2639 #ifndef HAVE_LIBCRYPTO
2640 _U_
2641 #endif
2642 uint32_t doi,
2643 #ifndef HAVE_LIBCRYPTO
2644 _U_
2645 #endif
2646 uint32_t proto,
2647 #ifndef HAVE_LIBCRYPTO
2648 _U_
2649 #endif
2650 int depth)
2651 {
2652 const u_char *dat;
2653 u_int dlen;
2654 #ifdef HAVE_LIBCRYPTO
2655 uint8_t np;
2656 #endif
2657
2658 ND_TCHECK_SIZE(ext);
2659 ikev2_pay_print(ndo, NPSTR(tpay), EXTRACT_U_1(ext->critical));
2660
2661 dlen = item_len-4;
2662
2663 ND_PRINT(" len=%u", dlen);
2664 if (2 < ndo->ndo_vflag && 4 < dlen) {
2665 ND_PRINT(" ");
2666 if (!rawprint(ndo, (const uint8_t *)(ext + 1), dlen))
2667 goto trunc;
2668 }
2669
2670 dat = (const u_char *)(ext+1);
2671 ND_TCHECK_LEN(dat, dlen);
2672
2673 #ifdef HAVE_LIBCRYPTO
2674 np = EXTRACT_U_1(ext->np);
2675
2676 /* try to decypt it! */
2677 if(esp_print_decrypt_buffer_by_ikev2(ndo,
2678 EXTRACT_U_1(base->flags) & ISAKMP_FLAG_I,
2679 base->i_ck, base->r_ck,
2680 dat, dat+dlen)) {
2681
2682 ext = (const struct isakmp_gen *)ndo->ndo_packetp;
2683
2684 /* got it decrypted, print stuff inside. */
2685 ikev2_sub_print(ndo, base, np, ext,
2686 ndo->ndo_snapend, phase, doi, proto, depth+1);
2687 }
2688 #endif
2689
2690
2691 /* always return NULL, because E must be at end, and NP refers
2692 * to what was inside.
2693 */
2694 return NULL;
2695 trunc:
2696 ND_PRINT(" [|%s]", NPSTR(tpay));
2697 return NULL;
2698 }
2699
2700 static const u_char *
2701 ikev2_cp_print(netdissect_options *ndo, u_char tpay,
2702 const struct isakmp_gen *ext,
2703 u_int item_len, const u_char *ep _U_,
2704 uint32_t phase _U_, uint32_t doi _U_,
2705 uint32_t proto _U_, int depth _U_)
2706 {
2707 return ikev2_gen_print(ndo, tpay, ext, item_len);
2708 }
2709
2710 static const u_char *
2711 ikev2_eap_print(netdissect_options *ndo, u_char tpay,
2712 const struct isakmp_gen *ext,
2713 u_int item_len, const u_char *ep _U_,
2714 uint32_t phase _U_, uint32_t doi _U_,
2715 uint32_t proto _U_, int depth _U_)
2716 {
2717 return ikev2_gen_print(ndo, tpay, ext, item_len);
2718 }
2719
2720 static const u_char *
2721 ike_sub0_print(netdissect_options *ndo,
2722 u_char np, const struct isakmp_gen *ext, const u_char *ep,
2723
2724 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
2725 {
2726 const u_char *cp;
2727 u_int item_len;
2728
2729 cp = (const u_char *)ext;
2730 ND_TCHECK_SIZE(ext);
2731
2732 /*
2733 * Since we can't have a payload length of less than 4 bytes,
2734 * we need to bail out here if the generic header is nonsensical
2735 * or truncated, otherwise we could loop forever processing
2736 * zero-length items or otherwise misdissect the packet.
2737 */
2738 item_len = EXTRACT_BE_U_2(ext->len);
2739 if (item_len <= 4)
2740 return NULL;
2741
2742 if (NPFUNC(np)) {
2743 /*
2744 * XXX - what if item_len is too short, or too long,
2745 * for this payload type?
2746 */
2747 cp = (*npfunc[np])(ndo, np, ext, item_len, ep, phase, doi, proto, depth);
2748 } else {
2749 ND_PRINT("%s", NPSTR(np));
2750 cp += item_len;
2751 }
2752
2753 return cp;
2754 trunc:
2755 nd_print_trunc(ndo);
2756 return NULL;
2757 }
2758
2759 static const u_char *
2760 ikev1_sub_print(netdissect_options *ndo,
2761 u_char np, const struct isakmp_gen *ext, const u_char *ep,
2762 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
2763 {
2764 const u_char *cp;
2765 int i;
2766 u_int item_len;
2767
2768 cp = (const u_char *)ext;
2769
2770 while (np) {
2771 ND_TCHECK_SIZE(ext);
2772
2773 item_len = EXTRACT_BE_U_2(ext->len);
2774 ND_TCHECK_LEN(ext, item_len);
2775
2776 depth++;
2777 ND_PRINT("\n");
2778 for (i = 0; i < depth; i++)
2779 ND_PRINT(" ");
2780 ND_PRINT("(");
2781 cp = ike_sub0_print(ndo, np, ext, ep, phase, doi, proto, depth);
2782 ND_PRINT(")");
2783 depth--;
2784
2785 if (cp == NULL) {
2786 /* Zero-length subitem */
2787 return NULL;
2788 }
2789
2790 np = EXTRACT_U_1(ext->np);
2791 ext = (const struct isakmp_gen *)cp;
2792 }
2793 return cp;
2794 trunc:
2795 ND_PRINT(" [|%s]", NPSTR(np));
2796 return NULL;
2797 }
2798
2799 static char *
2800 numstr(u_int x)
2801 {
2802 static char buf[20];
2803 nd_snprintf(buf, sizeof(buf), "#%u", x);
2804 return buf;
2805 }
2806
2807 static void
2808 ikev1_print(netdissect_options *ndo,
2809 const u_char *bp, u_int length,
2810 const u_char *bp2, const struct isakmp *base)
2811 {
2812 const struct isakmp *p;
2813 const u_char *ep;
2814 u_int flags;
2815 u_char np;
2816 int i;
2817 u_int phase;
2818
2819 p = (const struct isakmp *)bp;
2820 ep = ndo->ndo_snapend;
2821
2822 phase = (EXTRACT_BE_U_4(base->msgid) == 0) ? 1 : 2;
2823 if (phase == 1)
2824 ND_PRINT(" phase %u", phase);
2825 else
2826 ND_PRINT(" phase %u/others", phase);
2827
2828 i = cookie_find(&base->i_ck);
2829 if (i < 0) {
2830 if (iszero((const u_char *)&base->r_ck, sizeof(base->r_ck))) {
2831 /* the first packet */
2832 ND_PRINT(" I");
2833 if (bp2)
2834 cookie_record(&base->i_ck, bp2);
2835 } else
2836 ND_PRINT(" ?");
2837 } else {
2838 if (bp2 && cookie_isinitiator(i, bp2))
2839 ND_PRINT(" I");
2840 else if (bp2 && cookie_isresponder(i, bp2))
2841 ND_PRINT(" R");
2842 else
2843 ND_PRINT(" ?");
2844 }
2845
2846 ND_PRINT(" %s", ETYPESTR(EXTRACT_U_1(base->etype)));
2847 flags = EXTRACT_U_1(base->flags);
2848 if (flags) {
2849 ND_PRINT("[%s%s]", flags & ISAKMP_FLAG_E ? "E" : "",
2850 flags & ISAKMP_FLAG_C ? "C" : "");
2851 }
2852
2853 if (ndo->ndo_vflag) {
2854 const struct isakmp_gen *ext;
2855
2856 ND_PRINT(":");
2857
2858 np = EXTRACT_U_1(base->np);
2859
2860 /* regardless of phase... */
2861 if (flags & ISAKMP_FLAG_E) {
2862 /*
2863 * encrypted, nothing we can do right now.
2864 * we hope to decrypt the packet in the future...
2865 */
2866 ND_PRINT(" [encrypted %s]", NPSTR(np));
2867 goto done;
2868 }
2869
2870 CHECKLEN(p + 1, np);
2871 ext = (const struct isakmp_gen *)(p + 1);
2872 ikev1_sub_print(ndo, np, ext, ep, phase, 0, 0, 0);
2873 }
2874
2875 done:
2876 if (ndo->ndo_vflag) {
2877 if (EXTRACT_BE_U_4(base->len) != length) {
2878 ND_PRINT(" (len mismatch: isakmp %u/ip %u)",
2879 EXTRACT_BE_U_4(base->len), length);
2880 }
2881 }
2882 }
2883
2884 static const u_char *
2885 ikev2_sub0_print(netdissect_options *ndo, const struct isakmp *base,
2886 u_char np,
2887 const struct isakmp_gen *ext, const u_char *ep,
2888 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
2889 {
2890 const u_char *cp;
2891 u_int item_len;
2892
2893 cp = (const u_char *)ext;
2894 ND_TCHECK_SIZE(ext);
2895
2896 /*
2897 * Since we can't have a payload length of less than 4 bytes,
2898 * we need to bail out here if the generic header is nonsensical
2899 * or truncated, otherwise we could loop forever processing
2900 * zero-length items or otherwise misdissect the packet.
2901 */
2902 item_len = EXTRACT_BE_U_2(ext->len);
2903 if (item_len <= 4)
2904 return NULL;
2905
2906 if (np == ISAKMP_NPTYPE_v2E) {
2907 cp = ikev2_e_print(ndo, base, np, ext, item_len,
2908 ep, phase, doi, proto, depth);
2909 } else if (NPFUNC(np)) {
2910 /*
2911 * XXX - what if item_len is too short, or too long,
2912 * for this payload type?
2913 */
2914 cp = (*npfunc[np])(ndo, np, ext, item_len,
2915 ep, phase, doi, proto, depth);
2916 } else {
2917 ND_PRINT("%s", NPSTR(np));
2918 cp += item_len;
2919 }
2920
2921 return cp;
2922 trunc:
2923 nd_print_trunc(ndo);
2924 return NULL;
2925 }
2926
2927 static const u_char *
2928 ikev2_sub_print(netdissect_options *ndo,
2929 const struct isakmp *base,
2930 u_char np, const struct isakmp_gen *ext, const u_char *ep,
2931 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
2932 {
2933 const u_char *cp;
2934 int i;
2935
2936 cp = (const u_char *)ext;
2937 while (np) {
2938 ND_TCHECK_SIZE(ext);
2939
2940 ND_TCHECK_LEN(ext, EXTRACT_BE_U_2(ext->len));
2941
2942 depth++;
2943 ND_PRINT("\n");
2944 for (i = 0; i < depth; i++)
2945 ND_PRINT(" ");
2946 ND_PRINT("(");
2947 cp = ikev2_sub0_print(ndo, base, np,
2948 ext, ep, phase, doi, proto, depth);
2949 ND_PRINT(")");
2950 depth--;
2951
2952 if (cp == NULL) {
2953 /* Zero-length subitem */
2954 return NULL;
2955 }
2956
2957 np = EXTRACT_U_1(ext->np);
2958 ext = (const struct isakmp_gen *)cp;
2959 }
2960 return cp;
2961 trunc:
2962 ND_PRINT(" [|%s]", NPSTR(np));
2963 return NULL;
2964 }
2965
2966 static void
2967 ikev2_print(netdissect_options *ndo,
2968 const u_char *bp, u_int length,
2969 const u_char *bp2 _U_, const struct isakmp *base)
2970 {
2971 const struct isakmp *p;
2972 const u_char *ep;
2973 uint8_t flags;
2974 u_char np;
2975 u_int phase;
2976
2977 p = (const struct isakmp *)bp;
2978 ep = ndo->ndo_snapend;
2979
2980 phase = (EXTRACT_BE_U_4(base->msgid) == 0) ? 1 : 2;
2981 if (phase == 1)
2982 ND_PRINT(" parent_sa");
2983 else
2984 ND_PRINT(" child_sa ");
2985
2986 ND_PRINT(" %s", ETYPESTR(EXTRACT_U_1(base->etype)));
2987 flags = EXTRACT_U_1(base->flags);
2988 if (flags) {
2989 ND_PRINT("[%s%s%s]",
2990 flags & ISAKMP_FLAG_I ? "I" : "",
2991 flags & ISAKMP_FLAG_V ? "V" : "",
2992 flags & ISAKMP_FLAG_R ? "R" : "");
2993 }
2994
2995 if (ndo->ndo_vflag) {
2996 const struct isakmp_gen *ext;
2997
2998 ND_PRINT(":");
2999
3000 np = EXTRACT_U_1(base->np);
3001
3002 /* regardless of phase... */
3003 if (flags & ISAKMP_FLAG_E) {
3004 /*
3005 * encrypted, nothing we can do right now.
3006 * we hope to decrypt the packet in the future...
3007 */
3008 ND_PRINT(" [encrypted %s]", NPSTR(np));
3009 goto done;
3010 }
3011
3012 CHECKLEN(p + 1, np)
3013 ext = (const struct isakmp_gen *)(p + 1);
3014 ikev2_sub_print(ndo, base, np, ext, ep, phase, 0, 0, 0);
3015 }
3016
3017 done:
3018 if (ndo->ndo_vflag) {
3019 if (EXTRACT_BE_U_4(base->len) != length) {
3020 ND_PRINT(" (len mismatch: isakmp %u/ip %u)",
3021 EXTRACT_BE_U_4(base->len), length);
3022 }
3023 }
3024 }
3025
3026 void
3027 isakmp_print(netdissect_options *ndo,
3028 const u_char *bp, u_int length,
3029 const u_char *bp2)
3030 {
3031 const struct isakmp *p;
3032 const u_char *ep;
3033 u_int major, minor;
3034
3035 ndo->ndo_protocol = "isakmp";
3036 #ifdef HAVE_LIBCRYPTO
3037 /* initialize SAs */
3038 if (ndo->ndo_sa_list_head == NULL) {
3039 if (ndo->ndo_espsecret)
3040 esp_print_decodesecret(ndo);
3041 }
3042 #endif
3043
3044 p = (const struct isakmp *)bp;
3045 ep = ndo->ndo_snapend;
3046
3047 if ((const struct isakmp *)ep < p + 1) {
3048 nd_print_trunc(ndo);
3049 return;
3050 }
3051
3052 ND_PRINT("isakmp");
3053 major = (EXTRACT_U_1(p->vers) & ISAKMP_VERS_MAJOR)
3054 >> ISAKMP_VERS_MAJOR_SHIFT;
3055 minor = (EXTRACT_U_1(p->vers) & ISAKMP_VERS_MINOR)
3056 >> ISAKMP_VERS_MINOR_SHIFT;
3057
3058 if (ndo->ndo_vflag) {
3059 ND_PRINT(" %u.%u", major, minor);
3060 }
3061
3062 if (ndo->ndo_vflag) {
3063 ND_PRINT(" msgid ");
3064 hexprint(ndo, p->msgid, sizeof(p->msgid));
3065 }
3066
3067 if (1 < ndo->ndo_vflag) {
3068 ND_PRINT(" cookie ");
3069 hexprint(ndo, p->i_ck, sizeof(p->i_ck));
3070 ND_PRINT("->");
3071 hexprint(ndo, p->r_ck, sizeof(p->r_ck));
3072 }
3073 ND_PRINT(":");
3074
3075 switch(major) {
3076 case IKEv1_MAJOR_VERSION:
3077 ikev1_print(ndo, bp, length, bp2, p);
3078 break;
3079
3080 case IKEv2_MAJOR_VERSION:
3081 ikev2_print(ndo, bp, length, bp2, p);
3082 break;
3083 }
3084 }
3085
3086 void
3087 isakmp_rfc3948_print(netdissect_options *ndo,
3088 const u_char *bp, u_int length,
3089 const u_char *bp2)
3090 {
3091 ndo->ndo_protocol = "isakmp_rfc3948";
3092 ND_TCHECK_1(bp);
3093 if(length == 1 && EXTRACT_U_1(bp)==0xff) {
3094 ND_PRINT("isakmp-nat-keep-alive");
3095 return;
3096 }
3097
3098 if(length < 4) {
3099 goto trunc;
3100 }
3101 ND_TCHECK_1(bp + 3);
3102
3103 /*
3104 * see if this is an IKE packet
3105 */
3106 if (EXTRACT_BE_U_4(bp) == 0) {
3107 ND_PRINT("NONESP-encap: ");
3108 isakmp_print(ndo, bp+4, length-4, bp2);
3109 return;
3110 }
3111
3112 /* must be an ESP packet */
3113 {
3114 u_int nh, enh, padlen;
3115 int advance;
3116
3117 ND_PRINT("UDP-encap: ");
3118
3119 advance = esp_print(ndo, bp, length, bp2, &enh, &padlen);
3120 if(advance <= 0)
3121 return;
3122
3123 bp += advance;
3124 length -= advance + padlen;
3125 nh = enh & 0xff;
3126
3127 ip_inner_print(ndo, bp, length, nh, bp2);
3128 return;
3129 }
3130
3131 trunc:
3132 nd_print_trunc(ndo);
3133 return;
3134 }
[mirror] the TCPdump network dissector