]> The Tcpdump Group git mirrors - tcpdump/blob - print-isakmp.c
projects / tcpdump / blob
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
fixes for -Wall.
[tcpdump] / print-isakmp.c
1 /*
2 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. Neither the name of the project nor the names of its contributors
14 * may be used to endorse or promote products derived from this software
15 * without specific prior written permission.
16 *
17 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27 * SUCH DAMAGE.
28 *
29 */
30
31 #ifndef lint
32 static const char rcsid[] _U_ =
33 "@(#) $Header: /tcpdump/master/tcpdump/print-isakmp.c,v 1.55 2007-08-29 02:58:43 mcr Exp $ (LBL)";
34 #endif
35
36 #ifdef HAVE_CONFIG_H
37 #include "config.h"
38 #endif
39
40 #include <tcpdump-stdinc.h>
41
42 #include <string.h>
43
44 #include <stdio.h>
45
46 #include "isakmp.h"
47 #include "ipsec_doi.h"
48 #include "oakley.h"
49 #include "interface.h"
50 #include "addrtoname.h"
51 #include "extract.h" /* must come after interface.h */
52
53 #include "ip.h"
54 #ifdef INET6
55 #include "ip6.h"
56 #endif
57
58 #ifndef HAVE_SOCKADDR_STORAGE
59 #define sockaddr_storage sockaddr
60 #endif
61
62 #define DECLARE_PRINTER(func) static const u_char *ike##func##_print( \
63 netdissect_options *ndo, u_char tpay, \
64 const struct isakmp_gen *ext, \
65 u_int item_len, \
66 const u_char *end_pointer, \
67 u_int32_t phase,\
68 u_int32_t doi0, \
69 u_int32_t proto0, int depth)
70
71 DECLARE_PRINTER(v1_sa);
72 DECLARE_PRINTER(v1_p);
73 DECLARE_PRINTER(v1_t);
74 DECLARE_PRINTER(v1_ke);
75 DECLARE_PRINTER(v1_id);
76 DECLARE_PRINTER(v1_cert);
77 DECLARE_PRINTER(v1_cr);
78 DECLARE_PRINTER(v1_sig);
79 DECLARE_PRINTER(v1_hash);
80 DECLARE_PRINTER(v1_nonce);
81 DECLARE_PRINTER(v1_n);
82 DECLARE_PRINTER(v1_d);
83 DECLARE_PRINTER(v1_vid);
84
85 DECLARE_PRINTER(v2_sa);
86 DECLARE_PRINTER(v2_ke);
87 DECLARE_PRINTER(v2_ID);
88 DECLARE_PRINTER(v2_cert);
89 DECLARE_PRINTER(v2_cr);
90 DECLARE_PRINTER(v2_auth);
91 DECLARE_PRINTER(v2_nonce);
92 DECLARE_PRINTER(v2_n);
93 DECLARE_PRINTER(v2_d);
94 DECLARE_PRINTER(v2_vid);
95 DECLARE_PRINTER(v2_TS);
96 DECLARE_PRINTER(v2_e);
97 DECLARE_PRINTER(v2_cp);
98 DECLARE_PRINTER(v2_eap);
99
100 static const u_char *ike_sub0_print(netdissect_options *ndo,u_char, const struct isakmp_gen *,
101 const u_char *, u_int32_t, u_int32_t, u_int32_t, int);
102 static const u_char *ikev1_sub_print(netdissect_options *ndo,u_char, const struct isakmp_gen *,
103 const u_char *, u_int32_t, u_int32_t, u_int32_t, int);
104
105 static const u_char *ikev2_sub_print(netdissect_options *ndo,
106 u_char np, const struct isakmp_gen *ext,
107 const u_char *ep, u_int32_t phase,
108 u_int32_t doi, u_int32_t proto,
109 int depth);
110
111
112 static char *numstr(int);
113 static void safememcpy(void *, const void *, size_t);
114
115 static void
116 ikev1_print(netdissect_options *ndo,
117 const u_char *bp, u_int length,
118 const u_char *bp2, struct isakmp *base);
119
120 #define MAXINITIATORS 20
121 int ninitiator = 0;
122 struct {
123 cookie_t initiator;
124 struct sockaddr_storage iaddr;
125 struct sockaddr_storage raddr;
126 } cookiecache[MAXINITIATORS];
127
128 /* protocol id */
129 static const char *protoidstr[] = {
130 NULL, "isakmp", "ipsec-ah", "ipsec-esp", "ipcomp",
131 };
132
133 /* isakmp->np */
134 static const char *npstr[] = {
135 "none", "sa", "p", "t", "ke", "id", "cert", "cr", "hash", /* 0 - 8 */
136 "sig", "nonce", "n", "d", "vid", /* 9 - 13 */
137 "pay14", "pay15", "pay16", "pay17", "pay18", /* 14- 18 */
138 "pay19", "pay20", "pay21", "pay22", "pay23", /* 19- 23 */
139 "pay24", "pay25", "pay26", "pay27", "pay28", /* 24- 28 */
140 "pay29", "pay30", "pay31", "pay32", /* 29- 32 */
141 "v2sa", "v2ke", "v2IDi", "v2IDr", "v2cert",/* 33- 37 */
142 "v2cr", "v2auth","v2nonce", "v2n", "v2d", /* 38- 42 */
143 "v2vid", "v2TSi", "v2TSr", "v2e", "v2cp", /* 43- 47 */
144 "v2eap", /* 48 */
145
146 };
147
148 /* isakmp->np */
149 static const u_char *(*npfunc[])(netdissect_options *ndo, u_char tpay,
150 const struct isakmp_gen *ext,
151 u_int item_len,
152 const u_char *end_pointer,
153 u_int32_t phase,
154 u_int32_t doi0,
155 u_int32_t proto0, int depth) = {
156 NULL,
157 ikev1_sa_print,
158 ikev1_p_print,
159 ikev1_t_print,
160 ikev1_ke_print,
161 ikev1_id_print,
162 ikev1_cert_print,
163 ikev1_cr_print,
164 ikev1_hash_print,
165 ikev1_sig_print,
166 ikev1_nonce_print,
167 ikev1_n_print,
168 ikev1_d_print,
169 ikev1_vid_print, /* 13 */
170 NULL, NULL, NULL, NULL, NULL, /* 14- 18 */
171 NULL, NULL, NULL, NULL, NULL, /* 19- 23 */
172 NULL, NULL, NULL, NULL, NULL, /* 24- 28 */
173 NULL, NULL, NULL, NULL, /* 29- 32 */
174 ikev2_sa_print, /* 33 */
175 ikev2_ke_print, /* 34 */
176 ikev2_ID_print, /* 35 */
177 ikev2_ID_print, /* 36 */
178 ikev2_cert_print, /* 37 */
179 ikev2_cr_print, /* 38 */
180 ikev2_auth_print, /* 39 */
181 ikev2_nonce_print, /* 40 */
182 ikev2_n_print, /* 41 */
183 ikev2_d_print, /* 42 */
184 ikev2_vid_print, /* 43 */
185 ikev2_TS_print, /* 44 */
186 ikev2_TS_print, /* 45 */
187 ikev2_e_print, /* 46 */
188 ikev2_cp_print, /* 47 */
189 ikev2_eap_print, /* 48 */
190 };
191
192 /* isakmp->etype */
193 static const char *etypestr[] = {
194 /* IKEv1 exchange types */
195 "none", "base", "ident", "auth", "agg", "inf", NULL, NULL, /* 0-7 */
196 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 8-15 */
197 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 16-23 */
198 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 24-31 */
199 "oakley-quick", "oakley-newgroup", /* 32-33 */
200 /* IKEv2 exchange types */
201 "ikev2_init", "ikev2_auth", "child_sa", "inf2" /* 34-37 */
202 };
203
204 #define STR_OR_ID(x, tab) \
205 (((x) < sizeof(tab)/sizeof(tab[0]) && tab[(x)]) ? tab[(x)] : numstr(x))
206 #define PROTOIDSTR(x) STR_OR_ID(x, protoidstr)
207 #define NPSTR(x) STR_OR_ID(x, npstr)
208 #define ETYPESTR(x) STR_OR_ID(x, etypestr)
209
210 #define CHECKLEN(p, np) \
211 if (ep < (u_char *)(p)) { \
212 ND_PRINT((ndo," [|%s]", NPSTR(np))); \
213 goto done; \
214 }
215
216
217 #define NPFUNC(x) \
218 (((x) < sizeof(npfunc)/sizeof(npfunc[0]) && npfunc[(x)]) \
219 ? npfunc[(x)] : NULL)
220
221 static int
222 iszero(u_char *p, size_t l)
223 {
224 while (l--) {
225 if (*p++)
226 return 0;
227 }
228 return 1;
229 }
230
231 /* find cookie from initiator cache */
232 static int
233 cookie_find(cookie_t *in)
234 {
235 int i;
236
237 for (i = 0; i < MAXINITIATORS; i++) {
238 if (memcmp(in, &cookiecache[i].initiator, sizeof(*in)) == 0)
239 return i;
240 }
241
242 return -1;
243 }
244
245 /* record initiator */
246 static void
247 cookie_record(cookie_t *in, const u_char *bp2)
248 {
249 int i;
250 struct ip *ip;
251 struct sockaddr_in *sin;
252 #ifdef INET6
253 struct ip6_hdr *ip6;
254 struct sockaddr_in6 *sin6;
255 #endif
256
257 i = cookie_find(in);
258 if (0 <= i) {
259 ninitiator = (i + 1) % MAXINITIATORS;
260 return;
261 }
262
263 ip = (struct ip *)bp2;
264 switch (IP_V(ip)) {
265 case 4:
266 memset(&cookiecache[ninitiator].iaddr, 0,
267 sizeof(cookiecache[ninitiator].iaddr));
268 memset(&cookiecache[ninitiator].raddr, 0,
269 sizeof(cookiecache[ninitiator].raddr));
270
271 sin = (struct sockaddr_in *)&cookiecache[ninitiator].iaddr;
272 #ifdef HAVE_SOCKADDR_SA_LEN
273 sin->sin_len = sizeof(struct sockaddr_in);
274 #endif
275 sin->sin_family = AF_INET;
276 memcpy(&sin->sin_addr, &ip->ip_src, sizeof(ip->ip_src));
277 sin = (struct sockaddr_in *)&cookiecache[ninitiator].raddr;
278 #ifdef HAVE_SOCKADDR_SA_LEN
279 sin->sin_len = sizeof(struct sockaddr_in);
280 #endif
281 sin->sin_family = AF_INET;
282 memcpy(&sin->sin_addr, &ip->ip_dst, sizeof(ip->ip_dst));
283 break;
284 #ifdef INET6
285 case 6:
286 memset(&cookiecache[ninitiator].iaddr, 0,
287 sizeof(cookiecache[ninitiator].iaddr));
288 memset(&cookiecache[ninitiator].raddr, 0,
289 sizeof(cookiecache[ninitiator].raddr));
290
291 ip6 = (struct ip6_hdr *)bp2;
292 sin6 = (struct sockaddr_in6 *)&cookiecache[ninitiator].iaddr;
293 #ifdef HAVE_SOCKADDR_SA_LEN
294 sin6->sin6_len = sizeof(struct sockaddr_in6);
295 #endif
296 sin6->sin6_family = AF_INET6;
297 memcpy(&sin6->sin6_addr, &ip6->ip6_src, sizeof(ip6->ip6_src));
298 sin6 = (struct sockaddr_in6 *)&cookiecache[ninitiator].raddr;
299 #ifdef HAVE_SOCKADDR_SA_LEN
300 sin6->sin6_len = sizeof(struct sockaddr_in6);
301 #endif
302 sin6->sin6_family = AF_INET6;
303 memcpy(&sin6->sin6_addr, &ip6->ip6_dst, sizeof(ip6->ip6_dst));
304 break;
305 #endif
306 default:
307 return;
308 }
309 memcpy(&cookiecache[ninitiator].initiator, in, sizeof(*in));
310 ninitiator = (ninitiator + 1) % MAXINITIATORS;
311 }
312
313 #define cookie_isinitiator(x, y) cookie_sidecheck((x), (y), 1)
314 #define cookie_isresponder(x, y) cookie_sidecheck((x), (y), 0)
315 static int
316 cookie_sidecheck(int i, const u_char *bp2, int initiator)
317 {
318 struct sockaddr_storage ss;
319 struct sockaddr *sa;
320 struct ip *ip;
321 struct sockaddr_in *sin;
322 #ifdef INET6
323 struct ip6_hdr *ip6;
324 struct sockaddr_in6 *sin6;
325 #endif
326 int salen;
327
328 memset(&ss, 0, sizeof(ss));
329 ip = (struct ip *)bp2;
330 switch (IP_V(ip)) {
331 case 4:
332 sin = (struct sockaddr_in *)&ss;
333 #ifdef HAVE_SOCKADDR_SA_LEN
334 sin->sin_len = sizeof(struct sockaddr_in);
335 #endif
336 sin->sin_family = AF_INET;
337 memcpy(&sin->sin_addr, &ip->ip_src, sizeof(ip->ip_src));
338 break;
339 #ifdef INET6
340 case 6:
341 ip6 = (struct ip6_hdr *)bp2;
342 sin6 = (struct sockaddr_in6 *)&ss;
343 #ifdef HAVE_SOCKADDR_SA_LEN
344 sin6->sin6_len = sizeof(struct sockaddr_in6);
345 #endif
346 sin6->sin6_family = AF_INET6;
347 memcpy(&sin6->sin6_addr, &ip6->ip6_src, sizeof(ip6->ip6_src));
348 break;
349 #endif
350 default:
351 return 0;
352 }
353
354 sa = (struct sockaddr *)&ss;
355 if (initiator) {
356 if (sa->sa_family != ((struct sockaddr *)&cookiecache[i].iaddr)->sa_family)
357 return 0;
358 #ifdef HAVE_SOCKADDR_SA_LEN
359 salen = sa->sa_len;
360 #else
361 #ifdef INET6
362 if (sa->sa_family == AF_INET6)
363 salen = sizeof(struct sockaddr_in6);
364 else
365 salen = sizeof(struct sockaddr);
366 #else
367 salen = sizeof(struct sockaddr);
368 #endif
369 #endif
370 if (memcmp(&ss, &cookiecache[i].iaddr, salen) == 0)
371 return 1;
372 } else {
373 if (sa->sa_family != ((struct sockaddr *)&cookiecache[i].raddr)->sa_family)
374 return 0;
375 #ifdef HAVE_SOCKADDR_SA_LEN
376 salen = sa->sa_len;
377 #else
378 #ifdef INET6
379 if (sa->sa_family == AF_INET6)
380 salen = sizeof(struct sockaddr_in6);
381 else
382 salen = sizeof(struct sockaddr);
383 #else
384 salen = sizeof(struct sockaddr);
385 #endif
386 #endif
387 if (memcmp(&ss, &cookiecache[i].raddr, salen) == 0)
388 return 1;
389 }
390 return 0;
391 }
392
393 static int
394 rawprint(netdissect_options *ndo, caddr_t loc, size_t len)
395 {
396 static u_char *p;
397 size_t i;
398
399 TCHECK2(*loc, len);
400
401 p = (u_char *)loc;
402 for (i = 0; i < len; i++)
403 ND_PRINT((ndo,"%02x", p[i] & 0xff));
404 return 1;
405 trunc:
406 return 0;
407 }
408
409 /*
410 * returns false if we run out of data buffer
411 */
412 static int ike_show_somedata(struct netdissect_options *ndo,
413 const u_char *cp, const u_char *ep)
414 {
415 /* there is too much data, just show some of it */
416 const u_char *end = ep - 20;
417 int elen = 20;
418 int len = ep - cp;
419 if(len > 10) {
420 len = 10;
421 }
422
423 /* really shouldn't happen because of above */
424 if(end < cp + len) {
425 end = cp+len;
426 elen = ep - end;
427 }
428
429 ND_PRINT((ndo," data=("));
430 if(!rawprint(ndo, (caddr_t)(cp), len)) goto trunc;
431 ND_PRINT((ndo, "..."));
432 if(elen) {
433 if(!rawprint(ndo, (caddr_t)(end), elen)) goto trunc;
434 }
435 ND_PRINT((ndo,")"));
436 return 1;
437
438 trunc:
439 return 0;
440 }
441
442 struct attrmap {
443 const char *type;
444 u_int nvalue;
445 const char *value[30]; /*XXX*/
446 };
447
448 static const u_char *
449 ikev1_attrmap_print(netdissect_options *ndo,
450 const u_char *p, const u_char *ep,
451 const struct attrmap *map, size_t nmap)
452 {
453 u_int16_t *q;
454 int totlen;
455 u_int32_t t, v;
456
457 q = (u_int16_t *)p;
458 if (p[0] & 0x80)
459 totlen = 4;
460 else
461 totlen = 4 + EXTRACT_16BITS(&q[1]);
462 if (ep < p + totlen) {
463 ND_PRINT((ndo,"[|attr]"));
464 return ep + 1;
465 }
466
467 ND_PRINT((ndo,"("));
468 t = EXTRACT_16BITS(&q[0]) & 0x7fff;
469 if (map && t < nmap && map[t].type)
470 ND_PRINT((ndo,"type=%s ", map[t].type));
471 else
472 ND_PRINT((ndo,"type=#%d ", t));
473 if (p[0] & 0x80) {
474 ND_PRINT((ndo,"value="));
475 v = EXTRACT_16BITS(&q[1]);
476 if (map && t < nmap && v < map[t].nvalue && map[t].value[v])
477 ND_PRINT((ndo,"%s", map[t].value[v]));
478 else
479 rawprint(ndo, (caddr_t)&q[1], 2);
480 } else {
481 ND_PRINT((ndo,"len=%d value=", EXTRACT_16BITS(&q[1])));
482 rawprint(ndo, (caddr_t)&p[4], EXTRACT_16BITS(&q[1]));
483 }
484 ND_PRINT((ndo,")"));
485 return p + totlen;
486 }
487
488 static const u_char *
489 ikev1_attr_print(netdissect_options *ndo, const u_char *p, const u_char *ep)
490 {
491 u_int16_t *q;
492 int totlen;
493 u_int32_t t;
494
495 q = (u_int16_t *)p;
496 if (p[0] & 0x80)
497 totlen = 4;
498 else
499 totlen = 4 + EXTRACT_16BITS(&q[1]);
500 if (ep < p + totlen) {
501 ND_PRINT((ndo,"[|attr]"));
502 return ep + 1;
503 }
504
505 ND_PRINT((ndo,"("));
506 t = EXTRACT_16BITS(&q[0]) & 0x7fff;
507 ND_PRINT((ndo,"type=#%d ", t));
508 if (p[0] & 0x80) {
509 ND_PRINT((ndo,"value="));
510 t = q[1];
511 rawprint(ndo, (caddr_t)&q[1], 2);
512 } else {
513 ND_PRINT((ndo,"len=%d value=", EXTRACT_16BITS(&q[1])));
514 rawprint(ndo, (caddr_t)&p[2], EXTRACT_16BITS(&q[1]));
515 }
516 ND_PRINT((ndo,")"));
517 return p + totlen;
518 }
519
520 static const u_char *
521 ikev1_sa_print(netdissect_options *ndo, u_char tpay _U_,
522 const struct isakmp_gen *ext,
523 u_int item_len _U_,
524 const u_char *ep, u_int32_t phase, u_int32_t doi0 _U_,
525 u_int32_t proto0, int depth)
526 {
527 const struct ikev1_pl_sa *p;
528 struct ikev1_pl_sa sa;
529 const u_int32_t *q;
530 u_int32_t doi, sit, ident;
531 const u_char *cp, *np;
532 int t;
533
534 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_SA)));
535
536 p = (struct ikev1_pl_sa *)ext;
537 TCHECK(*p);
538 safememcpy(&sa, ext, sizeof(sa));
539 doi = ntohl(sa.doi);
540 sit = ntohl(sa.sit);
541 if (doi != 1) {
542 ND_PRINT((ndo," doi=%d", doi));
543 ND_PRINT((ndo," situation=%u", (u_int32_t)ntohl(sa.sit)));
544 return (u_char *)(p + 1);
545 }
546
547 ND_PRINT((ndo," doi=ipsec"));
548 q = (u_int32_t *)&sa.sit;
549 ND_PRINT((ndo," situation="));
550 t = 0;
551 if (sit & 0x01) {
552 ND_PRINT((ndo,"identity"));
553 t++;
554 }
555 if (sit & 0x02) {
556 ND_PRINT((ndo,"%ssecrecy", t ? "+" : ""));
557 t++;
558 }
559 if (sit & 0x04)
560 ND_PRINT((ndo,"%sintegrity", t ? "+" : ""));
561
562 np = (u_char *)ext + sizeof(sa);
563 if (sit != 0x01) {
564 TCHECK2(*(ext + 1), sizeof(ident));
565 safememcpy(&ident, ext + 1, sizeof(ident));
566 ND_PRINT((ndo," ident=%u", (u_int32_t)ntohl(ident)));
567 np += sizeof(ident);
568 }
569
570 ext = (struct isakmp_gen *)np;
571 TCHECK(*ext);
572
573 cp = ikev1_sub_print(ndo, ISAKMP_NPTYPE_P, ext, ep, phase, doi, proto0,
574 depth);
575
576 return cp;
577 trunc:
578 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_SA)));
579 return NULL;
580 }
581
582 static const u_char *
583 ikev1_p_print(netdissect_options *ndo, u_char tpay _U_,
584 const struct isakmp_gen *ext, u_int item_len _U_,
585 const u_char *ep, u_int32_t phase, u_int32_t doi0,
586 u_int32_t proto0 _U_, int depth)
587 {
588 const struct ikev1_pl_p *p;
589 struct ikev1_pl_p prop;
590 const u_char *cp;
591
592 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_P)));
593
594 p = (struct ikev1_pl_p *)ext;
595 TCHECK(*p);
596 safememcpy(&prop, ext, sizeof(prop));
597 ND_PRINT((ndo," #%d protoid=%s transform=%d",
598 prop.p_no, PROTOIDSTR(prop.prot_id), prop.num_t));
599 if (prop.spi_size) {
600 ND_PRINT((ndo," spi="));
601 if (!rawprint(ndo, (caddr_t)(p + 1), prop.spi_size))
602 goto trunc;
603 }
604
605 ext = (struct isakmp_gen *)((u_char *)(p + 1) + prop.spi_size);
606 TCHECK(*ext);
607
608 cp = ikev1_sub_print(ndo, ISAKMP_NPTYPE_T, ext, ep, phase, doi0,
609 prop.prot_id, depth);
610
611 return cp;
612 trunc:
613 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_P)));
614 return NULL;
615 }
616
617 static const char *ikev1_p_map[] = {
618 NULL, "ike",
619 };
620
621 static const char *ikev2_t_type_map[]={
622 NULL, "encr", "prf", "integ", "dh", "esn"
623 };
624
625 static const char *ah_p_map[] = {
626 NULL, "(reserved)", "md5", "sha", "1des",
627 "sha2-256", "sha2-384", "sha2-512",
628 };
629
630 static const char *prf_p_map[] = {
631 NULL, "hmac-md5", "hmac-sha", "hmac-tiger",
632 "aes128_xcbc"
633 };
634
635 static const char *integ_p_map[] = {
636 NULL, "hmac-md5", "hmac-sha", "dec-mac",
637 "kpdk-md5", "aes-xcbc"
638 };
639
640 static const char *esn_p_map[] = {
641 "no-esn", "esn"
642 };
643
644 static const char *dh_p_map[] = {
645 NULL, "modp768",
646 "modp1024", /* group 2 */
647 "EC2N 2^155", /* group 3 */
648 "EC2N 2^185", /* group 4 */
649 "modp1536", /* group 5 */
650 "iana-grp06", "iana-grp07", /* reserved */
651 "iana-grp08", "iana-grp09",
652 "iana-grp10", "iana-grp11",
653 "iana-grp12", "iana-grp13",
654 "modp2048", /* group 14 */
655 "modp3072", /* group 15 */
656 "modp4096", /* group 16 */
657 "modp6144", /* group 17 */
658 "modp8192", /* group 18 */
659 };
660
661 static const char *esp_p_map[] = {
662 NULL, "1des-iv64", "1des", "3des", "rc5", "idea", "cast",
663 "blowfish", "3idea", "1des-iv32", "rc4", "null", "aes"
664 };
665
666 static const char *ipcomp_p_map[] = {
667 NULL, "oui", "deflate", "lzs",
668 };
669
670 const struct attrmap ipsec_t_map[] = {
671 { NULL, 0, { NULL } },
672 { "lifetype", 3, { NULL, "sec", "kb", }, },
673 { "life", 0, { NULL } },
674 { "group desc", 18, { NULL, "modp768",
675 "modp1024", /* group 2 */
676 "EC2N 2^155", /* group 3 */
677 "EC2N 2^185", /* group 4 */
678 "modp1536", /* group 5 */
679 "iana-grp06", "iana-grp07", /* reserved */
680 "iana-grp08", "iana-grp09",
681 "iana-grp10", "iana-grp11",
682 "iana-grp12", "iana-grp13",
683 "modp2048", /* group 14 */
684 "modp3072", /* group 15 */
685 "modp4096", /* group 16 */
686 "modp6144", /* group 17 */
687 "modp8192", /* group 18 */
688 }, },
689 { "enc mode", 3, { NULL, "tunnel", "transport", }, },
690 { "auth", 5, { NULL, "hmac-md5", "hmac-sha1", "1des-mac", "keyed", }, },
691 { "keylen", 0, { NULL } },
692 { "rounds", 0, { NULL } },
693 { "dictsize", 0, { NULL } },
694 { "privalg", 0, { NULL } },
695 };
696
697 const struct attrmap encr_t_map[] = {
698 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 0, 1 */
699 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 2, 3 */
700 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 4, 5 */
701 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 6, 7 */
702 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 8, 9 */
703 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 10,11*/
704 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 12,13*/
705 { "keylen", 14, { NULL }},
706 };
707
708 const struct attrmap oakley_t_map[] = {
709 { NULL, 0, { NULL } },
710 { "enc", 8, { NULL, "1des", "idea", "blowfish", "rc5",
711 "3des", "cast", "aes", }, },
712 { "hash", 7, { NULL, "md5", "sha1", "tiger",
713 "sha2-256", "sha2-384", "sha2-512", }, },
714 { "auth", 6, { NULL, "preshared", "dss", "rsa sig", "rsa enc",
715 "rsa enc revised", }, },
716 { "group desc", 18, { NULL, "modp768",
717 "modp1024", /* group 2 */
718 "EC2N 2^155", /* group 3 */
719 "EC2N 2^185", /* group 4 */
720 "modp1536", /* group 5 */
721 "iana-grp06", "iana-grp07", /* reserved */
722 "iana-grp08", "iana-grp09",
723 "iana-grp10", "iana-grp11",
724 "iana-grp12", "iana-grp13",
725 "modp2048", /* group 14 */
726 "modp3072", /* group 15 */
727 "modp4096", /* group 16 */
728 "modp6144", /* group 17 */
729 "modp8192", /* group 18 */
730 }, },
731 { "group type", 4, { NULL, "MODP", "ECP", "EC2N", }, },
732 { "group prime", 0, { NULL } },
733 { "group gen1", 0, { NULL } },
734 { "group gen2", 0, { NULL } },
735 { "group curve A", 0, { NULL } },
736 { "group curve B", 0, { NULL } },
737 { "lifetype", 3, { NULL, "sec", "kb", }, },
738 { "lifeduration", 0, { NULL } },
739 { "prf", 0, { NULL } },
740 { "keylen", 0, { NULL } },
741 { "field", 0, { NULL } },
742 { "order", 0, { NULL } },
743 };
744
745 static const u_char *
746 ikev1_t_print(netdissect_options *ndo, u_char tpay _U_,
747 const struct isakmp_gen *ext, u_int item_len,
748 const u_char *ep, u_int32_t phase _U_, u_int32_t doi _U_,
749 u_int32_t proto, int depth _U_)
750 {
751 const struct ikev1_pl_t *p;
752 struct ikev1_pl_t t;
753 const u_char *cp;
754 const char *idstr;
755 const struct attrmap *map;
756 size_t nmap;
757 const u_char *ep2;
758
759 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_T)));
760
761 p = (struct ikev1_pl_t *)ext;
762 TCHECK(*p);
763 safememcpy(&t, ext, sizeof(t));
764
765 switch (proto) {
766 case 1:
767 idstr = STR_OR_ID(t.t_id, ikev1_p_map);
768 map = oakley_t_map;
769 nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]);
770 break;
771 case 2:
772 idstr = STR_OR_ID(t.t_id, ah_p_map);
773 map = ipsec_t_map;
774 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
775 break;
776 case 3:
777 idstr = STR_OR_ID(t.t_id, esp_p_map);
778 map = ipsec_t_map;
779 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
780 break;
781 case 4:
782 idstr = STR_OR_ID(t.t_id, ipcomp_p_map);
783 map = ipsec_t_map;
784 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
785 break;
786 default:
787 idstr = NULL;
788 map = NULL;
789 nmap = 0;
790 break;
791 }
792
793 if (idstr)
794 ND_PRINT((ndo," #%d id=%s ", t.t_no, idstr));
795 else
796 ND_PRINT((ndo," #%d id=%d ", t.t_no, t.t_id));
797 cp = (u_char *)(p + 1);
798 ep2 = (u_char *)p + item_len;
799 while (cp < ep && cp < ep2) {
800 if (map && nmap) {
801 cp = ikev1_attrmap_print(ndo, cp, (ep < ep2) ? ep : ep2,
802 map, nmap);
803 } else
804 cp = ikev1_attr_print(ndo, cp, (ep < ep2) ? ep : ep2);
805 }
806 if (ep < ep2)
807 ND_PRINT((ndo,"..."));
808 return cp;
809 trunc:
810 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_T)));
811 return NULL;
812 }
813
814 static const u_char *
815 ikev1_ke_print(netdissect_options *ndo, u_char tpay _U_,
816 const struct isakmp_gen *ext, u_int item_len _U_,
817 const u_char *ep _U_, u_int32_t phase _U_, u_int32_t doi _U_,
818 u_int32_t proto _U_, int depth _U_)
819 {
820 struct isakmp_gen e;
821
822 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_KE)));
823
824 TCHECK(*ext);
825 safememcpy(&e, ext, sizeof(e));
826 ND_PRINT((ndo," key len=%d", ntohs(e.len) - 4));
827 if (2 < vflag && 4 < ntohs(e.len)) {
828 ND_PRINT((ndo," "));
829 if (!rawprint(ndo, (caddr_t)(ext + 1), ntohs(e.len) - 4))
830 goto trunc;
831 }
832 return (u_char *)ext + ntohs(e.len);
833 trunc:
834 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_KE)));
835 return NULL;
836 }
837
838 static const u_char *
839 ikev1_id_print(netdissect_options *ndo, u_char tpay _U_,
840 const struct isakmp_gen *ext, u_int item_len _U_,
841 const u_char *ep _U_, u_int32_t phase, u_int32_t doi _U_,
842 u_int32_t proto _U_, int depth _U_)
843 {
844 #define USE_IPSECDOI_IN_PHASE1 1
845 const struct ikev1_pl_id *p;
846 struct ikev1_pl_id id;
847 static const char *idtypestr[] = {
848 "IPv4", "IPv4net", "IPv6", "IPv6net",
849 };
850 static const char *ipsecidtypestr[] = {
851 NULL, "IPv4", "FQDN", "user FQDN", "IPv4net", "IPv6",
852 "IPv6net", "IPv4range", "IPv6range", "ASN1 DN", "ASN1 GN",
853 "keyid",
854 };
855 int len;
856 const u_char *data;
857
858 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_ID)));
859
860 p = (struct ikev1_pl_id *)ext;
861 TCHECK(*p);
862 safememcpy(&id, ext, sizeof(id));
863 if (sizeof(*p) < item_len) {
864 data = (u_char *)(p + 1);
865 len = item_len - sizeof(*p);
866 } else {
867 data = NULL;
868 len = 0;
869 }
870
871 #if 0 /*debug*/
872 ND_PRINT((ndo," [phase=%d doi=%d proto=%d]", phase, doi, proto));
873 #endif
874 switch (phase) {
875 #ifndef USE_IPSECDOI_IN_PHASE1
876 case 1:
877 #endif
878 default:
879 ND_PRINT((ndo," idtype=%s", STR_OR_ID(id.d.id_type, idtypestr)));
880 ND_PRINT((ndo," doi_data=%u",
881 (u_int32_t)(ntohl(id.d.doi_data) & 0xffffff)));
882 break;
883
884 #ifdef USE_IPSECDOI_IN_PHASE1
885 case 1:
886 #endif
887 case 2:
888 {
889 const struct ipsecdoi_id *p;
890 struct ipsecdoi_id id;
891 struct protoent *pe;
892
893 p = (struct ipsecdoi_id *)ext;
894 TCHECK(*p);
895 safememcpy(&id, ext, sizeof(id));
896 ND_PRINT((ndo," idtype=%s", STR_OR_ID(id.type, ipsecidtypestr)));
897 if (id.proto_id) {
898 #ifndef WIN32
899 setprotoent(1);
900 #endif /* WIN32 */
901 pe = getprotobynumber(id.proto_id);
902 if (pe)
903 ND_PRINT((ndo," protoid=%s", pe->p_name));
904 #ifndef WIN32
905 endprotoent();
906 #endif /* WIN32 */
907 } else {
908 /* it DOES NOT mean IPPROTO_IP! */
909 ND_PRINT((ndo," protoid=%s", "0"));
910 }
911 ND_PRINT((ndo," port=%d", ntohs(id.port)));
912 if (!len)
913 break;
914 if (data == NULL)
915 goto trunc;
916 TCHECK2(*data, len);
917 switch (id.type) {
918 case IPSECDOI_ID_IPV4_ADDR:
919 if (len < 4)
920 ND_PRINT((ndo," len=%d [bad: < 4]", len));
921 else
922 ND_PRINT((ndo," len=%d %s", len, ipaddr_string(data)));
923 len = 0;
924 break;
925 case IPSECDOI_ID_FQDN:
926 case IPSECDOI_ID_USER_FQDN:
927 {
928 int i;
929 ND_PRINT((ndo," len=%d ", len));
930 for (i = 0; i < len; i++)
931 safeputchar(data[i]);
932 len = 0;
933 break;
934 }
935 case IPSECDOI_ID_IPV4_ADDR_SUBNET:
936 {
937 const u_char *mask;
938 if (len < 8)
939 ND_PRINT((ndo," len=%d [bad: < 8]", len));
940 else {
941 mask = data + sizeof(struct in_addr);
942 ND_PRINT((ndo," len=%d %s/%u.%u.%u.%u", len,
943 ipaddr_string(data),
944 mask[0], mask[1], mask[2], mask[3]));
945 }
946 len = 0;
947 break;
948 }
949 #ifdef INET6
950 case IPSECDOI_ID_IPV6_ADDR:
951 if (len < 16)
952 ND_PRINT((ndo," len=%d [bad: < 16]", len));
953 else
954 ND_PRINT((ndo," len=%d %s", len, ip6addr_string(data)));
955 len = 0;
956 break;
957 case IPSECDOI_ID_IPV6_ADDR_SUBNET:
958 {
959 const u_int32_t *mask;
960 if (len < 20)
961 ND_PRINT((ndo," len=%d [bad: < 20]", len));
962 else {
963 mask = (u_int32_t *)(data + sizeof(struct in6_addr));
964 /*XXX*/
965 ND_PRINT((ndo," len=%d %s/0x%08x%08x%08x%08x", len,
966 ip6addr_string(data),
967 mask[0], mask[1], mask[2], mask[3]));
968 }
969 len = 0;
970 break;
971 }
972 #endif /*INET6*/
973 case IPSECDOI_ID_IPV4_ADDR_RANGE:
974 if (len < 8)
975 ND_PRINT((ndo," len=%d [bad: < 8]", len));
976 else {
977 ND_PRINT((ndo," len=%d %s-%s", len,
978 ipaddr_string(data),
979 ipaddr_string(data + sizeof(struct in_addr))));
980 }
981 len = 0;
982 break;
983 #ifdef INET6
984 case IPSECDOI_ID_IPV6_ADDR_RANGE:
985 if (len < 32)
986 ND_PRINT((ndo," len=%d [bad: < 32]", len));
987 else {
988 ND_PRINT((ndo," len=%d %s-%s", len,
989 ip6addr_string(data),
990 ip6addr_string(data + sizeof(struct in6_addr))));
991 }
992 len = 0;
993 break;
994 #endif /*INET6*/
995 case IPSECDOI_ID_DER_ASN1_DN:
996 case IPSECDOI_ID_DER_ASN1_GN:
997 case IPSECDOI_ID_KEY_ID:
998 break;
999 }
1000 break;
1001 }
1002 }
1003 if (data && len) {
1004 ND_PRINT((ndo," len=%d", len));
1005 if (2 < vflag) {
1006 ND_PRINT((ndo," "));
1007 if (!rawprint(ndo, (caddr_t)data, len))
1008 goto trunc;
1009 }
1010 }
1011 return (u_char *)ext + item_len;
1012 trunc:
1013 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_ID)));
1014 return NULL;
1015 }
1016
1017 static const u_char *
1018 ikev1_cert_print(netdissect_options *ndo, u_char tpay _U_,
1019 const struct isakmp_gen *ext, u_int item_len _U_,
1020 const u_char *ep _U_, u_int32_t phase _U_,
1021 u_int32_t doi0 _U_,
1022 u_int32_t proto0 _U_, int depth _U_)
1023 {
1024 const struct ikev1_pl_cert *p;
1025 struct ikev1_pl_cert cert;
1026 static const char *certstr[] = {
1027 "none", "pkcs7", "pgp", "dns",
1028 "x509sign", "x509ke", "kerberos", "crl",
1029 "arl", "spki", "x509attr",
1030 };
1031
1032 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_CERT)));
1033
1034 p = (struct ikev1_pl_cert *)ext;
1035 TCHECK(*p);
1036 safememcpy(&cert, ext, sizeof(cert));
1037 ND_PRINT((ndo," len=%d", item_len - 4));
1038 ND_PRINT((ndo," type=%s", STR_OR_ID((cert.encode), certstr)));
1039 if (2 < vflag && 4 < item_len) {
1040 ND_PRINT((ndo," "));
1041 if (!rawprint(ndo, (caddr_t)(ext + 1), item_len - 4))
1042 goto trunc;
1043 }
1044 return (u_char *)ext + item_len;
1045 trunc:
1046 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_CERT)));
1047 return NULL;
1048 }
1049
1050 static const u_char *
1051 ikev1_cr_print(netdissect_options *ndo, u_char tpay _U_,
1052 const struct isakmp_gen *ext, u_int item_len _U_,
1053 const u_char *ep _U_, u_int32_t phase _U_, u_int32_t doi0 _U_,
1054 u_int32_t proto0 _U_, int depth _U_)
1055 {
1056 const struct ikev1_pl_cert *p;
1057 struct ikev1_pl_cert cert;
1058 static const char *certstr[] = {
1059 "none", "pkcs7", "pgp", "dns",
1060 "x509sign", "x509ke", "kerberos", "crl",
1061 "arl", "spki", "x509attr",
1062 };
1063
1064 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_CR)));
1065
1066 p = (struct ikev1_pl_cert *)ext;
1067 TCHECK(*p);
1068 safememcpy(&cert, ext, sizeof(cert));
1069 ND_PRINT((ndo," len=%d", item_len - 4));
1070 ND_PRINT((ndo," type=%s", STR_OR_ID((cert.encode), certstr)));
1071 if (2 < vflag && 4 < item_len) {
1072 ND_PRINT((ndo," "));
1073 if (!rawprint(ndo, (caddr_t)(ext + 1), item_len - 4))
1074 goto trunc;
1075 }
1076 return (u_char *)ext + item_len;
1077 trunc:
1078 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_CR)));
1079 return NULL;
1080 }
1081
1082 static const u_char *
1083 ikev1_hash_print(netdissect_options *ndo, u_char tpay _U_,
1084 const struct isakmp_gen *ext, u_int item_len _U_,
1085 const u_char *ep _U_, u_int32_t phase _U_, u_int32_t doi _U_,
1086 u_int32_t proto _U_, int depth _U_)
1087 {
1088 struct isakmp_gen e;
1089
1090 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_HASH)));
1091
1092 TCHECK(*ext);
1093 safememcpy(&e, ext, sizeof(e));
1094 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
1095 if (2 < vflag && 4 < ntohs(e.len)) {
1096 ND_PRINT((ndo," "));
1097 if (!rawprint(ndo, (caddr_t)(ext + 1), ntohs(e.len) - 4))
1098 goto trunc;
1099 }
1100 return (u_char *)ext + ntohs(e.len);
1101 trunc:
1102 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_HASH)));
1103 return NULL;
1104 }
1105
1106 static const u_char *
1107 ikev1_sig_print(netdissect_options *ndo, u_char tpay _U_,
1108 const struct isakmp_gen *ext, u_int item_len _U_,
1109 const u_char *ep _U_, u_int32_t phase _U_, u_int32_t doi _U_,
1110 u_int32_t proto _U_, int depth _U_)
1111 {
1112 struct isakmp_gen e;
1113
1114 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_SIG)));
1115
1116 TCHECK(*ext);
1117 safememcpy(&e, ext, sizeof(e));
1118 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
1119 if (2 < vflag && 4 < ntohs(e.len)) {
1120 ND_PRINT((ndo," "));
1121 if (!rawprint(ndo, (caddr_t)(ext + 1), ntohs(e.len) - 4))
1122 goto trunc;
1123 }
1124 return (u_char *)ext + ntohs(e.len);
1125 trunc:
1126 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_SIG)));
1127 return NULL;
1128 }
1129
1130 static const u_char *
1131 ikev1_nonce_print(netdissect_options *ndo, u_char tpay _U_,
1132 const struct isakmp_gen *ext,
1133 u_int item_len _U_,
1134 const u_char *ep _U_,
1135 u_int32_t phase _U_, u_int32_t doi _U_,
1136 u_int32_t proto _U_, int depth _U_)
1137 {
1138 struct isakmp_gen e;
1139
1140 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_NONCE)));
1141
1142 TCHECK(*ext);
1143 safememcpy(&e, ext, sizeof(e));
1144 ND_PRINT((ndo," n len=%d", ntohs(e.len) - 4));
1145 if (2 < vflag && 4 < ntohs(e.len)) {
1146 ND_PRINT((ndo," "));
1147 if (!rawprint(ndo, (caddr_t)(ext + 1), ntohs(e.len) - 4))
1148 goto trunc;
1149 } else if (1 < vflag && 4 < ntohs(e.len)) {
1150 ND_PRINT((ndo," "));
1151 if (!ike_show_somedata(ndo, (u_char *)(caddr_t)(ext + 1), ep))
1152 goto trunc;
1153 }
1154 return (u_char *)ext + ntohs(e.len);
1155 trunc:
1156 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_NONCE)));
1157 return NULL;
1158 }
1159
1160 static const u_char *
1161 ikev1_n_print(netdissect_options *ndo, u_char tpay _U_,
1162 const struct isakmp_gen *ext, u_int item_len,
1163 const u_char *ep, u_int32_t phase, u_int32_t doi0 _U_,
1164 u_int32_t proto0 _U_, int depth)
1165 {
1166 struct ikev1_pl_n *p, n;
1167 const u_char *cp;
1168 u_char *ep2;
1169 u_int32_t doi;
1170 u_int32_t proto;
1171 static const char *notify_error_str[] = {
1172 NULL, "INVALID-PAYLOAD-TYPE",
1173 "DOI-NOT-SUPPORTED", "SITUATION-NOT-SUPPORTED",
1174 "INVALID-COOKIE", "INVALID-MAJOR-VERSION",
1175 "INVALID-MINOR-VERSION", "INVALID-EXCHANGE-TYPE",
1176 "INVALID-FLAGS", "INVALID-MESSAGE-ID",
1177 "INVALID-PROTOCOL-ID", "INVALID-SPI",
1178 "INVALID-TRANSFORM-ID", "ATTRIBUTES-NOT-SUPPORTED",
1179 "NO-PROPOSAL-CHOSEN", "BAD-PROPOSAL-SYNTAX",
1180 "PAYLOAD-MALFORMED", "INVALID-KEY-INFORMATION",
1181 "INVALID-ID-INFORMATION", "INVALID-CERT-ENCODING",
1182 "INVALID-CERTIFICATE", "CERT-TYPE-UNSUPPORTED",
1183 "INVALID-CERT-AUTHORITY", "INVALID-HASH-INFORMATION",
1184 "AUTHENTICATION-FAILED", "INVALID-SIGNATURE",
1185 "ADDRESS-NOTIFICATION", "NOTIFY-SA-LIFETIME",
1186 "CERTIFICATE-UNAVAILABLE", "UNSUPPORTED-EXCHANGE-TYPE",
1187 "UNEQUAL-PAYLOAD-LENGTHS",
1188 };
1189 static const char *ipsec_notify_error_str[] = {
1190 "RESERVED",
1191 };
1192 static const char *notify_status_str[] = {
1193 "CONNECTED",
1194 };
1195 static const char *ipsec_notify_status_str[] = {
1196 "RESPONDER-LIFETIME", "REPLAY-STATUS",
1197 "INITIAL-CONTACT",
1198 };
1199 /* NOTE: these macro must be called with x in proper range */
1200
1201 /* 0 - 8191 */
1202 #define NOTIFY_ERROR_STR(x) \
1203 STR_OR_ID((x), notify_error_str)
1204
1205 /* 8192 - 16383 */
1206 #define IPSEC_NOTIFY_ERROR_STR(x) \
1207 STR_OR_ID((u_int)((x) - 8192), ipsec_notify_error_str)
1208
1209 /* 16384 - 24575 */
1210 #define NOTIFY_STATUS_STR(x) \
1211 STR_OR_ID((u_int)((x) - 16384), notify_status_str)
1212
1213 /* 24576 - 32767 */
1214 #define IPSEC_NOTIFY_STATUS_STR(x) \
1215 STR_OR_ID((u_int)((x) - 24576), ipsec_notify_status_str)
1216
1217 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_N)));
1218
1219 p = (struct ikev1_pl_n *)ext;
1220 TCHECK(*p);
1221 safememcpy(&n, ext, sizeof(n));
1222 doi = ntohl(n.doi);
1223 proto = n.prot_id;
1224 if (doi != 1) {
1225 ND_PRINT((ndo," doi=%d", doi));
1226 ND_PRINT((ndo," proto=%d", proto));
1227 if (ntohs(n.type) < 8192)
1228 ND_PRINT((ndo," type=%s", NOTIFY_ERROR_STR(ntohs(n.type))));
1229 else if (ntohs(n.type) < 16384)
1230 ND_PRINT((ndo," type=%s", numstr(ntohs(n.type))));
1231 else if (ntohs(n.type) < 24576)
1232 ND_PRINT((ndo," type=%s", NOTIFY_STATUS_STR(ntohs(n.type))));
1233 else
1234 ND_PRINT((ndo," type=%s", numstr(ntohs(n.type))));
1235 if (n.spi_size) {
1236 ND_PRINT((ndo," spi="));
1237 if (!rawprint(ndo, (caddr_t)(p + 1), n.spi_size))
1238 goto trunc;
1239 }
1240 return (u_char *)(p + 1) + n.spi_size;
1241 }
1242
1243 ND_PRINT((ndo," doi=ipsec"));
1244 ND_PRINT((ndo," proto=%s", PROTOIDSTR(proto)));
1245 if (ntohs(n.type) < 8192)
1246 ND_PRINT((ndo," type=%s", NOTIFY_ERROR_STR(ntohs(n.type))));
1247 else if (ntohs(n.type) < 16384)
1248 ND_PRINT((ndo," type=%s", IPSEC_NOTIFY_ERROR_STR(ntohs(n.type))));
1249 else if (ntohs(n.type) < 24576)
1250 ND_PRINT((ndo," type=%s", NOTIFY_STATUS_STR(ntohs(n.type))));
1251 else if (ntohs(n.type) < 32768)
1252 ND_PRINT((ndo," type=%s", IPSEC_NOTIFY_STATUS_STR(ntohs(n.type))));
1253 else
1254 ND_PRINT((ndo," type=%s", numstr(ntohs(n.type))));
1255 if (n.spi_size) {
1256 ND_PRINT((ndo," spi="));
1257 if (!rawprint(ndo, (caddr_t)(p + 1), n.spi_size))
1258 goto trunc;
1259 }
1260
1261 cp = (u_char *)(p + 1) + n.spi_size;
1262 ep2 = (u_char *)p + item_len;
1263
1264 if (cp < ep) {
1265 ND_PRINT((ndo," orig=("));
1266 switch (ntohs(n.type)) {
1267 case IPSECDOI_NTYPE_RESPONDER_LIFETIME:
1268 {
1269 const struct attrmap *map = oakley_t_map;
1270 size_t nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]);
1271 while (cp < ep && cp < ep2) {
1272 cp = ikev1_attrmap_print(ndo, cp,
1273 (ep < ep2) ? ep : ep2, map, nmap);
1274 }
1275 break;
1276 }
1277 case IPSECDOI_NTYPE_REPLAY_STATUS:
1278 ND_PRINT((ndo,"replay detection %sabled",
1279 (*(u_int32_t *)cp) ? "en" : "dis"));
1280 break;
1281 case ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN:
1282 if (ikev1_sub_print(ndo, ISAKMP_NPTYPE_SA,
1283 (struct isakmp_gen *)cp, ep, phase, doi, proto,
1284 depth) == NULL)
1285 return NULL;
1286 break;
1287 default:
1288 /* NULL is dummy */
1289 isakmp_print(gndo, cp,
1290 item_len - sizeof(*p) - n.spi_size,
1291 NULL);
1292 }
1293 ND_PRINT((ndo,")"));
1294 }
1295 return (u_char *)ext + item_len;
1296 trunc:
1297 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_N)));
1298 return NULL;
1299 }
1300
1301 static const u_char *
1302 ikev1_d_print(netdissect_options *ndo, u_char tpay _U_,
1303 const struct isakmp_gen *ext, u_int item_len _U_,
1304 const u_char *ep _U_, u_int32_t phase _U_, u_int32_t doi0 _U_,
1305 u_int32_t proto0 _U_, int depth _U_)
1306 {
1307 const struct ikev1_pl_d *p;
1308 struct ikev1_pl_d d;
1309 const u_int8_t *q;
1310 u_int32_t doi;
1311 u_int32_t proto;
1312 int i;
1313
1314 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_D)));
1315
1316 p = (struct ikev1_pl_d *)ext;
1317 TCHECK(*p);
1318 safememcpy(&d, ext, sizeof(d));
1319 doi = ntohl(d.doi);
1320 proto = d.prot_id;
1321 if (doi != 1) {
1322 ND_PRINT((ndo," doi=%u", doi));
1323 ND_PRINT((ndo," proto=%u", proto));
1324 } else {
1325 ND_PRINT((ndo," doi=ipsec"));
1326 ND_PRINT((ndo," proto=%s", PROTOIDSTR(proto)));
1327 }
1328 ND_PRINT((ndo," spilen=%u", d.spi_size));
1329 ND_PRINT((ndo," nspi=%u", ntohs(d.num_spi)));
1330 ND_PRINT((ndo," spi="));
1331 q = (u_int8_t *)(p + 1);
1332 for (i = 0; i < ntohs(d.num_spi); i++) {
1333 if (i != 0)
1334 ND_PRINT((ndo,","));
1335 if (!rawprint(ndo, (caddr_t)q, d.spi_size))
1336 goto trunc;
1337 q += d.spi_size;
1338 }
1339 return q;
1340 trunc:
1341 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_D)));
1342 return NULL;
1343 }
1344
1345 static const u_char *
1346 ikev1_vid_print(netdissect_options *ndo, u_char tpay _U_,
1347 const struct isakmp_gen *ext,
1348 u_int item_len _U_, const u_char *ep _U_,
1349 u_int32_t phase _U_, u_int32_t doi _U_,
1350 u_int32_t proto _U_, int depth _U_)
1351 {
1352 struct isakmp_gen e;
1353
1354 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_VID)));
1355
1356 TCHECK(*ext);
1357 safememcpy(&e, ext, sizeof(e));
1358 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
1359 if (2 < vflag && 4 < ntohs(e.len)) {
1360 ND_PRINT((ndo," "));
1361 if (!rawprint(ndo, (caddr_t)(ext + 1), ntohs(e.len) - 4))
1362 goto trunc;
1363 }
1364 return (u_char *)ext + ntohs(e.len);
1365 trunc:
1366 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_VID)));
1367 return NULL;
1368 }
1369
1370 /************************************************************/
1371 /* */
1372 /* IKE v2 - rfc4306 - dissector */
1373 /* */
1374 /************************************************************/
1375
1376 static void
1377 ikev2_pay_print(netdissect_options *ndo, const char *payname, int critical)
1378 {
1379 ND_PRINT((ndo,"%s%s:", payname, critical&0x80 ? "[C]" : ""));
1380 }
1381
1382 static const u_char *
1383 ikev2_gen_print(netdissect_options *ndo, u_char tpay,
1384 const struct isakmp_gen *ext)
1385 {
1386 struct isakmp_gen e;
1387
1388 TCHECK(*ext);
1389 safememcpy(&e, ext, sizeof(e));
1390 ikev2_pay_print(ndo, NPSTR(tpay), e.critical);
1391
1392 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
1393 if (2 < vflag && 4 < ntohs(e.len)) {
1394 ND_PRINT((ndo," "));
1395 if (!rawprint(ndo, (caddr_t)(ext + 1), ntohs(e.len) - 4))
1396 goto trunc;
1397 }
1398 return (u_char *)ext + ntohs(e.len);
1399 trunc:
1400 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
1401 return NULL;
1402 }
1403
1404 static const u_char *
1405 ikev2_t_print(netdissect_options *ndo, u_char tpay _U_, int pcount,
1406 const struct isakmp_gen *ext, u_int item_len,
1407 const u_char *ep, u_int32_t phase _U_, u_int32_t doi _U_,
1408 u_int32_t proto _U_, int depth _U_)
1409 {
1410 const struct ikev2_t *p;
1411 struct ikev2_t t;
1412 u_int16_t t_id;
1413 const u_char *cp;
1414 const char *idstr;
1415 const struct attrmap *map;
1416 size_t nmap;
1417 const u_char *ep2;
1418
1419 p = (struct ikev2_t *)ext;
1420 TCHECK(*p);
1421 safememcpy(&t, ext, sizeof(t));
1422 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_T), t.h.critical);
1423
1424 t_id = ntohs(t.t_id);
1425
1426 map = NULL;
1427 nmap = 0;
1428
1429 switch (t.t_type) {
1430 case IV2_T_ENCR:
1431 idstr = STR_OR_ID(t_id, esp_p_map);
1432 map = encr_t_map;
1433 nmap = sizeof(encr_t_map)/sizeof(encr_t_map[0]);
1434 break;
1435
1436 case IV2_T_PRF:
1437 idstr = STR_OR_ID(t_id, prf_p_map);
1438 break;
1439
1440 case IV2_T_INTEG:
1441 idstr = STR_OR_ID(t_id, integ_p_map);
1442 break;
1443
1444 case IV2_T_DH:
1445 idstr = STR_OR_ID(t_id, dh_p_map);
1446 break;
1447
1448 case IV2_T_ESN:
1449 idstr = STR_OR_ID(t_id, esn_p_map);
1450 break;
1451
1452 default:
1453 idstr = NULL;
1454 break;
1455 }
1456
1457 if (idstr)
1458 ND_PRINT((ndo," #%u type=%s id=%s ", pcount,
1459 STR_OR_ID(t.t_type, ikev2_t_type_map),
1460 idstr));
1461 else
1462 ND_PRINT((ndo," #%u type=%s id=%u ", pcount,
1463 STR_OR_ID(t.t_type, ikev2_t_type_map),
1464 t.t_id));
1465 cp = (u_char *)(p + 1);
1466 ep2 = (u_char *)p + item_len;
1467 while (cp < ep && cp < ep2) {
1468 if (map && nmap) {
1469 cp = ikev1_attrmap_print(ndo, cp, (ep < ep2) ? ep : ep2,
1470 map, nmap);
1471 } else
1472 cp = ikev1_attr_print(ndo, cp, (ep < ep2) ? ep : ep2);
1473 }
1474 if (ep < ep2)
1475 ND_PRINT((ndo,"..."));
1476 return cp;
1477 trunc:
1478 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_T)));
1479 return NULL;
1480 }
1481
1482 static const u_char *
1483 ikev2_p_print(netdissect_options *ndo, u_char tpay _U_, int pcount _U_,
1484 const struct isakmp_gen *ext, u_int item_len _U_,
1485 const u_char *ep, u_int32_t phase, u_int32_t doi0,
1486 u_int32_t proto0 _U_, int depth)
1487 {
1488 const struct ikev2_p *p;
1489 struct ikev2_p prop;
1490 const u_char *cp;
1491
1492 p = (struct ikev2_p *)ext;
1493 TCHECK(*p);
1494 safememcpy(&prop, ext, sizeof(prop));
1495 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_P), prop.h.critical);
1496
1497 ND_PRINT((ndo," #%u protoid=%s transform=%d",
1498 prop.p_no, PROTOIDSTR(prop.prot_id), prop.num_t));
1499 if (prop.spi_size) {
1500 ND_PRINT((ndo," spi="));
1501 if (!rawprint(ndo, (caddr_t)(p + 1), prop.spi_size))
1502 goto trunc;
1503 }
1504
1505 ext = (struct isakmp_gen *)((u_char *)(p + 1) + prop.spi_size);
1506 TCHECK(*ext);
1507
1508 cp = ikev2_sub_print(ndo, ISAKMP_NPTYPE_T, ext, ep, phase, doi0,
1509 prop.prot_id, depth);
1510
1511 return cp;
1512 trunc:
1513 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_P)));
1514 return NULL;
1515 }
1516
1517 static const u_char *
1518 ikev2_sa_print(netdissect_options *ndo, u_char tpay,
1519 const struct isakmp_gen *ext1,
1520 u_int item_len _U_, const u_char *ep _U_,
1521 u_int32_t phase _U_, u_int32_t doi _U_,
1522 u_int32_t proto _U_, int depth _U_)
1523 {
1524 struct isakmp_gen e;
1525 int osa_len, sa_len;
1526
1527 TCHECK(*ext1);
1528 safememcpy(&e, ext1, sizeof(e));
1529 ikev2_pay_print(ndo, "sa", e.critical);
1530
1531 osa_len= ntohs(e.len);
1532 sa_len = osa_len - 4;
1533 ND_PRINT((ndo," len=%d", sa_len));
1534
1535 ikev2_sub_print(ndo, ISAKMP_NPTYPE_P,
1536 ext1+1, ep,
1537 0, 0, 0, depth);
1538
1539 return (u_char *)ext1 + osa_len;
1540 trunc:
1541 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
1542 return NULL;
1543 }
1544
1545 static const u_char *
1546 ikev2_ke_print(netdissect_options *ndo, u_char tpay,
1547 const struct isakmp_gen *ext,
1548 u_int item_len _U_, const u_char *ep _U_,
1549 u_int32_t phase _U_, u_int32_t doi _U_,
1550 u_int32_t proto _U_, int depth _U_)
1551 {
1552 struct ikev2_ke ke;
1553 struct ikev2_ke *k;
1554
1555 k = (struct ikev2_ke *)ext;
1556 TCHECK(*ext);
1557 safememcpy(&ke, ext, sizeof(ke));
1558 ikev2_pay_print(ndo, NPSTR(tpay), ke.h.critical);
1559
1560 ND_PRINT((ndo," len=%u group=%s", ntohs(ke.h.len) - 8,
1561 STR_OR_ID(ntohs(ke.ke_group), dh_p_map)));
1562
1563 if (2 < vflag && 8 < ntohs(ke.h.len)) {
1564 ND_PRINT((ndo," "));
1565 if (!rawprint(ndo, (caddr_t)(k + 1), ntohs(ke.h.len) - 8))
1566 goto trunc;
1567 }
1568 return (u_char *)ext + ntohs(ke.h.len);
1569 trunc:
1570 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
1571 return NULL;
1572 }
1573
1574 static const u_char *
1575 ikev2_ID_print(netdissect_options *ndo, u_char tpay,
1576 const struct isakmp_gen *ext,
1577 u_int item_len _U_, const u_char *ep _U_,
1578 u_int32_t phase _U_, u_int32_t doi _U_,
1579 u_int32_t proto _U_, int depth _U_)
1580 {
1581 return ikev2_gen_print(ndo, tpay, ext);
1582 }
1583
1584 static const u_char *
1585 ikev2_cert_print(netdissect_options *ndo, u_char tpay,
1586 const struct isakmp_gen *ext,
1587 u_int item_len _U_, const u_char *ep _U_,
1588 u_int32_t phase _U_, u_int32_t doi _U_,
1589 u_int32_t proto _U_, int depth _U_)
1590 {
1591 return ikev2_gen_print(ndo, tpay, ext);
1592 }
1593
1594 static const u_char *
1595 ikev2_cr_print(netdissect_options *ndo, u_char tpay,
1596 const struct isakmp_gen *ext,
1597 u_int item_len _U_, const u_char *ep _U_,
1598 u_int32_t phase _U_, u_int32_t doi _U_,
1599 u_int32_t proto _U_, int depth _U_)
1600 {
1601 return ikev2_gen_print(ndo, tpay, ext);
1602 }
1603
1604 static const u_char *
1605 ikev2_auth_print(netdissect_options *ndo, u_char tpay,
1606 const struct isakmp_gen *ext,
1607 u_int item_len _U_, const u_char *ep _U_,
1608 u_int32_t phase _U_, u_int32_t doi _U_,
1609 u_int32_t proto _U_, int depth _U_)
1610 {
1611 struct ikev2_auth e;
1612 const char *v2_auth[]={ "invalid", "rsasig",
1613 "shared-secret", "dsssig" };
1614
1615 TCHECK(*ext);
1616 safememcpy(&e, ext, sizeof(e));
1617 ikev2_pay_print(ndo, NPSTR(tpay), e.h.critical);
1618
1619 ND_PRINT((ndo," len=%d method=%s", ntohs(e.h.len) - 4,
1620 STR_OR_ID(e.auth_method, v2_auth)));
1621
1622 if (1 < ndo->ndo_vflag && 4 < ntohs(e.h.len)) {
1623 ND_PRINT((ndo," authdata=("));
1624 if (!rawprint(ndo, (caddr_t)(ext + 1), ntohs(e.h.len) - 4))
1625 goto trunc;
1626 ND_PRINT((ndo,") "));
1627 } else if(ndo->ndo_vflag && 4 < ntohs(e.h.len)) {
1628 if(!ike_show_somedata(ndo, (const u_char *)(ext+1), ep)) goto trunc;
1629 }
1630
1631 return (u_char *)ext + ntohs(e.h.len);
1632 trunc:
1633 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
1634 return NULL;
1635 }
1636
1637 static const u_char *
1638 ikev2_nonce_print(netdissect_options *ndo, u_char tpay,
1639 const struct isakmp_gen *ext,
1640 u_int item_len _U_, const u_char *ep _U_,
1641 u_int32_t phase _U_, u_int32_t doi _U_,
1642 u_int32_t proto _U_, int depth _U_)
1643 {
1644 struct isakmp_gen e;
1645
1646 TCHECK(*ext);
1647 safememcpy(&e, ext, sizeof(e));
1648 ikev2_pay_print(ndo, "nonce", e.critical);
1649
1650 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
1651 if (1 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1652 ND_PRINT((ndo," nonce=("));
1653 if (!rawprint(ndo, (caddr_t)(ext + 1), ntohs(e.len) - 4))
1654 goto trunc;
1655 ND_PRINT((ndo,") "));
1656 } else if(ndo->ndo_vflag && 4 < ntohs(e.len)) {
1657 if(!ike_show_somedata(ndo, (const u_char *)(ext+1), ep)) goto trunc;
1658 }
1659
1660 return (u_char *)ext + ntohs(e.len);
1661 trunc:
1662 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
1663 return NULL;
1664 }
1665
1666 /* notify payloads */
1667 static const u_char *
1668 ikev2_n_print(netdissect_options *ndo, u_char tpay _U_,
1669 const struct isakmp_gen *ext,
1670 u_int item_len _U_, const u_char *ep _U_,
1671 u_int32_t phase _U_, u_int32_t doi _U_,
1672 u_int32_t proto _U_, int depth _U_)
1673 {
1674 struct ikev2_n *p, n;
1675 const u_char *cp;
1676 u_char *ep2;
1677 u_char showspi, showdata, showsomedata;
1678 const char *notify_name;
1679 u_int32_t type;
1680
1681 p = (struct ikev2_n *)ext;
1682 TCHECK(*p);
1683 safememcpy(&n, ext, sizeof(n));
1684 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_N), n.h.critical);
1685
1686 showspi = 1;
1687 showdata = 0;
1688 showsomedata=0;
1689 notify_name=NULL;
1690
1691 ND_PRINT((ndo," prot_id=%s", PROTOIDSTR(n.prot_id)));
1692
1693 type = ntohs(n.type);
1694
1695 /* notify space is annoying sparse */
1696 switch(type) {
1697 case IV2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD:
1698 notify_name = "unsupported_critical_payload";
1699 showspi = 0;
1700 break;
1701
1702 case IV2_NOTIFY_INVALID_IKE_SPI:
1703 notify_name = "invalid_ike_spi";
1704 showspi = 1;
1705 break;
1706
1707 case IV2_NOTIFY_INVALID_MAJOR_VERSION:
1708 notify_name = "invalid_major_version";
1709 showspi = 0;
1710 break;
1711
1712 case IV2_NOTIFY_INVALID_SYNTAX:
1713 notify_name = "invalid_syntax";
1714 showspi = 1;
1715 break;
1716
1717 case IV2_NOTIFY_INVALID_MESSAGE_ID:
1718 notify_name = "invalid_message_id";
1719 showspi = 1;
1720 break;
1721
1722 case IV2_NOTIFY_INVALID_SPI:
1723 notify_name = "invalid_spi";
1724 showspi = 1;
1725 break;
1726
1727 case IV2_NOTIFY_NO_PROPOSAL_CHOSEN:
1728 notify_name = "no_protocol_chosen";
1729 showspi = 1;
1730 break;
1731
1732 case IV2_NOTIFY_INVALID_KE_PAYLOAD:
1733 notify_name = "invalid_ke_payload";
1734 showspi = 1;
1735 break;
1736
1737 case IV2_NOTIFY_AUTHENTICATION_FAILED:
1738 notify_name = "authentication_failed";
1739 showspi = 1;
1740 break;
1741
1742 case IV2_NOTIFY_SINGLE_PAIR_REQUIRED:
1743 notify_name = "single_pair_required";
1744 showspi = 1;
1745 break;
1746
1747 case IV2_NOTIFY_NO_ADDITIONAL_SAS:
1748 notify_name = "no_additional_sas";
1749 showspi = 0;
1750 break;
1751
1752 case IV2_NOTIFY_INTERNAL_ADDRESS_FAILURE:
1753 notify_name = "internal_address_failure";
1754 showspi = 0;
1755 break;
1756
1757 case IV2_NOTIFY_FAILED_CP_REQUIRED:
1758 notify_name = "failed:cp_required";
1759 showspi = 0;
1760 break;
1761
1762 case IV2_NOTIFY_INVALID_SELECTORS:
1763 notify_name = "invalid_selectors";
1764 showspi = 0;
1765 break;
1766
1767 case IV2_NOTIFY_INITIAL_CONTACT:
1768 notify_name = "initial_contact";
1769 showspi = 0;
1770 break;
1771
1772 case IV2_NOTIFY_SET_WINDOW_SIZE:
1773 notify_name = "set_window_size";
1774 showspi = 0;
1775 break;
1776
1777 case IV2_NOTIFY_ADDITIONAL_TS_POSSIBLE:
1778 notify_name = "additional_ts_possible";
1779 showspi = 0;
1780 break;
1781
1782 case IV2_NOTIFY_IPCOMP_SUPPORTED:
1783 notify_name = "ipcomp_supported";
1784 showspi = 0;
1785 break;
1786
1787 case IV2_NOTIFY_NAT_DETECTION_SOURCE_IP:
1788 notify_name = "nat_detection_source_ip";
1789 showspi = 1;
1790 break;
1791
1792 case IV2_NOTIFY_NAT_DETECTION_DESTINATION_IP:
1793 notify_name = "nat_detection_destination_ip";
1794 showspi = 1;
1795 break;
1796
1797 case IV2_NOTIFY_COOKIE:
1798 notify_name = "cookie";
1799 showspi = 1;
1800 showsomedata= 1;
1801 showdata= 0;
1802 break;
1803
1804 case IV2_NOTIFY_USE_TRANSPORT_MODE:
1805 notify_name = "use_transport_mode";
1806 showspi = 0;
1807 break;
1808
1809 case IV2_NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED:
1810 notify_name = "http_cert_lookup_supported";
1811 showspi = 0;
1812 break;
1813
1814 case IV2_NOTIFY_REKEY_SA:
1815 notify_name = "rekey_sa";
1816 showspi = 1;
1817 break;
1818
1819 case IV2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED:
1820 notify_name = "tfc_padding_not_supported";
1821 showspi = 0;
1822 break;
1823
1824 case IV2_NOTIFY_NON_FIRST_FRAGMENTS_ALSO:
1825 notify_name = "non_first_fragment_also";
1826 showspi = 0;
1827 break;
1828
1829 default:
1830 if (type < 8192) {
1831 notify_name="error";
1832 } else if(type < 16384) {
1833 notify_name="private-error";
1834 } else if(type < 40960) {
1835 notify_name="status";
1836 } else {
1837 notify_name="private-status";
1838 }
1839 }
1840
1841 if(notify_name) {
1842 ND_PRINT((ndo," type=%u(%s)", type, notify_name));
1843 }
1844
1845
1846 if (showspi && n.spi_size) {
1847 ND_PRINT((ndo," spi="));
1848 if (!rawprint(ndo, (caddr_t)(p + 1), n.spi_size))
1849 goto trunc;
1850 }
1851
1852 cp = (u_char *)(p + 1) + n.spi_size;
1853 ep2 = (u_char *)p + item_len;
1854
1855 if(3 < ndo->ndo_vflag) {
1856 showdata = 1;
1857 }
1858
1859 if ((showdata || (showsomedata && ep-cp < 30)) && cp < ep) {
1860 ND_PRINT((ndo," data=("));
1861 if (!rawprint(ndo, (caddr_t)(cp), ep - cp))
1862 goto trunc;
1863
1864 ND_PRINT((ndo,")"));
1865
1866 } else if(showsomedata && cp < ep) {
1867 if(!ike_show_somedata(ndo, cp, ep)) goto trunc;
1868 }
1869
1870 return (u_char *)ext + item_len;
1871 trunc:
1872 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_N)));
1873 return NULL;
1874 }
1875
1876 static const u_char *
1877 ikev2_d_print(netdissect_options *ndo, u_char tpay,
1878 const struct isakmp_gen *ext,
1879 u_int item_len _U_, const u_char *ep _U_,
1880 u_int32_t phase _U_, u_int32_t doi _U_,
1881 u_int32_t proto _U_, int depth _U_)
1882 {
1883 return ikev2_gen_print(ndo, tpay, ext);
1884 }
1885
1886 static const u_char *
1887 ikev2_vid_print(netdissect_options *ndo, u_char tpay,
1888 const struct isakmp_gen *ext,
1889 u_int item_len _U_, const u_char *ep _U_,
1890 u_int32_t phase _U_, u_int32_t doi _U_,
1891 u_int32_t proto _U_, int depth _U_)
1892 {
1893 struct isakmp_gen e;
1894 const u_char *vid;
1895 int i, len;
1896
1897 TCHECK(*ext);
1898 safememcpy(&e, ext, sizeof(e));
1899 ikev2_pay_print(ndo, NPSTR(tpay), e.critical);
1900 ND_PRINT((ndo," len=%d vid=", ntohs(e.len) - 4));
1901
1902 vid = (const u_char *)(ext+1);
1903 len = ntohs(e.len) - 4;
1904 TCHECK2(*vid, len);
1905 for(i=0; i<len; i++) {
1906 if(isprint(vid[i])) ND_PRINT((ndo, "%c", vid[i]));
1907 else ND_PRINT((ndo, ".", vid[i]));
1908 }
1909 if (2 < vflag && 4 < len) {
1910 ND_PRINT((ndo," "));
1911 if (!rawprint(ndo, (caddr_t)(ext + 1), ntohs(e.len) - 4))
1912 goto trunc;
1913 }
1914 return (u_char *)ext + ntohs(e.len);
1915 trunc:
1916 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
1917 return NULL;
1918 }
1919
1920 static const u_char *
1921 ikev2_TS_print(netdissect_options *ndo, u_char tpay,
1922 const struct isakmp_gen *ext,
1923 u_int item_len _U_, const u_char *ep _U_,
1924 u_int32_t phase _U_, u_int32_t doi _U_,
1925 u_int32_t proto _U_, int depth _U_)
1926 {
1927 return ikev2_gen_print(ndo, tpay, ext);
1928 }
1929
1930 static const u_char *
1931 ikev2_e_print(netdissect_options *ndo, u_char tpay,
1932 const struct isakmp_gen *ext,
1933 u_int item_len _U_, const u_char *ep _U_,
1934 u_int32_t phase _U_, u_int32_t doi _U_,
1935 u_int32_t proto _U_, int depth _U_)
1936 {
1937 return ikev2_gen_print(ndo, tpay, ext);
1938 }
1939
1940 static const u_char *
1941 ikev2_cp_print(netdissect_options *ndo, u_char tpay,
1942 const struct isakmp_gen *ext,
1943 u_int item_len _U_, const u_char *ep _U_,
1944 u_int32_t phase _U_, u_int32_t doi _U_,
1945 u_int32_t proto _U_, int depth _U_)
1946 {
1947 return ikev2_gen_print(ndo, tpay, ext);
1948 }
1949
1950 static const u_char *
1951 ikev2_eap_print(netdissect_options *ndo, u_char tpay,
1952 const struct isakmp_gen *ext,
1953 u_int item_len _U_, const u_char *ep _U_,
1954 u_int32_t phase _U_, u_int32_t doi _U_,
1955 u_int32_t proto _U_, int depth _U_)
1956 {
1957 return ikev2_gen_print(ndo, tpay, ext);
1958 }
1959
1960 static const u_char *
1961 ike_sub0_print(netdissect_options *ndo,
1962 u_char np, const struct isakmp_gen *ext, const u_char *ep,
1963 u_int32_t phase, u_int32_t doi, u_int32_t proto, int depth)
1964 {
1965 const u_char *cp;
1966 struct isakmp_gen e;
1967 u_int item_len;
1968
1969 cp = (u_char *)ext;
1970 TCHECK(*ext);
1971 safememcpy(&e, ext, sizeof(e));
1972
1973 /*
1974 * Since we can't have a payload length of less than 4 bytes,
1975 * we need to bail out here if the generic header is nonsensical
1976 * or truncated, otherwise we could loop forever processing
1977 * zero-length items or otherwise misdissect the packet.
1978 */
1979 item_len = ntohs(e.len);
1980 if (item_len <= 4)
1981 return NULL;
1982
1983 if (NPFUNC(np)) {
1984 /*
1985 * XXX - what if item_len is too short, or too long,
1986 * for this payload type?
1987 */
1988 cp = (*npfunc[np])(ndo, np, ext, item_len, ep, phase, doi, proto, depth);
1989 } else {
1990 ND_PRINT((ndo,"%s", NPSTR(np)));
1991 cp += item_len;
1992 }
1993
1994 return cp;
1995 trunc:
1996 ND_PRINT((ndo," [|isakmp]"));
1997 return NULL;
1998 }
1999
2000 static const u_char *
2001 ikev1_sub_print(netdissect_options *ndo,
2002 u_char np, const struct isakmp_gen *ext, const u_char *ep,
2003 u_int32_t phase, u_int32_t doi, u_int32_t proto, int depth)
2004 {
2005 const u_char *cp;
2006 int i;
2007 struct isakmp_gen e;
2008
2009 cp = (const u_char *)ext;
2010
2011 while (np) {
2012 TCHECK(*ext);
2013
2014 safememcpy(&e, ext, sizeof(e));
2015
2016 TCHECK2(*ext, ntohs(e.len));
2017
2018 depth++;
2019 ND_PRINT((ndo,"\n"));
2020 for (i = 0; i < depth; i++)
2021 ND_PRINT((ndo," "));
2022 ND_PRINT((ndo,"("));
2023 cp = ike_sub0_print(ndo, np, ext, ep, phase, doi, proto, depth);
2024 ND_PRINT((ndo,")"));
2025 depth--;
2026
2027 if (cp == NULL) {
2028 /* Zero-length subitem */
2029 return NULL;
2030 }
2031
2032 np = e.np;
2033 ext = (struct isakmp_gen *)cp;
2034 }
2035 return cp;
2036 trunc:
2037 ND_PRINT((ndo," [|%s]", NPSTR(np)));
2038 return NULL;
2039 }
2040
2041 static char *
2042 numstr(int x)
2043 {
2044 static char buf[20];
2045 snprintf(buf, sizeof(buf), "#%d", x);
2046 return buf;
2047 }
2048
2049 /*
2050 * some compiler tries to optimize memcpy(), using the alignment constraint
2051 * on the argument pointer type. by using this function, we try to avoid the
2052 * optimization.
2053 */
2054 static void
2055 safememcpy(void *p, const void *q, size_t l)
2056 {
2057 memcpy(p, q, l);
2058 }
2059
2060 void
2061 ikev1_print(netdissect_options *ndo,
2062 const u_char *bp, u_int length,
2063 const u_char *bp2, struct isakmp *base)
2064 {
2065 const struct isakmp *p;
2066 const u_char *ep;
2067 u_char np;
2068 int i;
2069 int phase;
2070
2071 p = (const struct isakmp *)bp;
2072 ep = ndo->ndo_snapend;
2073
2074 phase = (*(u_int32_t *)base->msgid == 0) ? 1 : 2;
2075 if (phase == 1)
2076 ND_PRINT((ndo," phase %d", phase));
2077 else
2078 ND_PRINT((ndo," phase %d/others", phase));
2079
2080 i = cookie_find(&base->i_ck);
2081 if (i < 0) {
2082 if (iszero((u_char *)&base->r_ck, sizeof(base->r_ck))) {
2083 /* the first packet */
2084 ND_PRINT((ndo," I"));
2085 if (bp2)
2086 cookie_record(&base->i_ck, bp2);
2087 } else
2088 ND_PRINT((ndo," ?"));
2089 } else {
2090 if (bp2 && cookie_isinitiator(i, bp2))
2091 ND_PRINT((ndo," I"));
2092 else if (bp2 && cookie_isresponder(i, bp2))
2093 ND_PRINT((ndo," R"));
2094 else
2095 ND_PRINT((ndo," ?"));
2096 }
2097
2098 ND_PRINT((ndo," %s", ETYPESTR(base->etype)));
2099 if (base->flags) {
2100 ND_PRINT((ndo,"[%s%s]", base->flags & ISAKMP_FLAG_E ? "E" : "",
2101 base->flags & ISAKMP_FLAG_C ? "C" : ""));
2102 }
2103
2104 if (vflag) {
2105 const struct isakmp_gen *ext;
2106 int nparen;
2107
2108 ND_PRINT((ndo,":"));
2109
2110 /* regardless of phase... */
2111 if (base->flags & ISAKMP_FLAG_E) {
2112 /*
2113 * encrypted, nothing we can do right now.
2114 * we hope to decrypt the packet in the future...
2115 */
2116 ND_PRINT((ndo," [encrypted %s]", NPSTR(base->np)));
2117 goto done;
2118 }
2119
2120 nparen = 0;
2121 CHECKLEN(p + 1, base->np);
2122 np = base->np;
2123 ext = (struct isakmp_gen *)(p + 1);
2124 ikev1_sub_print(ndo, np, ext, ep, phase, 0, 0, 0);
2125 }
2126
2127 done:
2128 if (vflag) {
2129 if (ntohl(base->len) != length) {
2130 ND_PRINT((ndo," (len mismatch: isakmp %u/ip %u)",
2131 (u_int32_t)ntohl(base->len), length));
2132 }
2133 }
2134 }
2135
2136 static const u_char *
2137 ikev2_sub0_print(netdissect_options *ndo, u_char np, int pcount,
2138 const struct isakmp_gen *ext, const u_char *ep,
2139 u_int32_t phase, u_int32_t doi, u_int32_t proto, int depth)
2140 {
2141 const u_char *cp;
2142 struct isakmp_gen e;
2143 u_int item_len;
2144
2145 cp = (u_char *)ext;
2146 TCHECK(*ext);
2147 safememcpy(&e, ext, sizeof(e));
2148
2149 /*
2150 * Since we can't have a payload length of less than 4 bytes,
2151 * we need to bail out here if the generic header is nonsensical
2152 * or truncated, otherwise we could loop forever processing
2153 * zero-length items or otherwise misdissect the packet.
2154 */
2155 item_len = ntohs(e.len);
2156 if (item_len <= 4)
2157 return NULL;
2158
2159 if(np == ISAKMP_NPTYPE_P) {
2160 cp = ikev2_p_print(ndo, np, pcount, ext, item_len,
2161 ep, phase, doi, proto, depth);
2162 } else if(np == ISAKMP_NPTYPE_T) {
2163 cp = ikev2_t_print(ndo, np, pcount, ext, item_len,
2164 ep, phase, doi, proto, depth);
2165 } else if (NPFUNC(np)) {
2166 /*
2167 * XXX - what if item_len is too short, or too long,
2168 * for this payload type?
2169 */
2170 cp = (*npfunc[np])(ndo, np, /*pcount,*/ ext, item_len,
2171 ep, phase, doi, proto, depth);
2172 } else {
2173 ND_PRINT((ndo,"%s", NPSTR(np)));
2174 cp += item_len;
2175 }
2176
2177 return cp;
2178 trunc:
2179 ND_PRINT((ndo," [|isakmp]"));
2180 return NULL;
2181 }
2182
2183 static const u_char *
2184 ikev2_sub_print(netdissect_options *ndo,
2185 u_char np, const struct isakmp_gen *ext, const u_char *ep,
2186 u_int32_t phase, u_int32_t doi, u_int32_t proto, int depth)
2187 {
2188 const u_char *cp;
2189 int i;
2190 int pcount;
2191 struct isakmp_gen e;
2192
2193 cp = (const u_char *)ext;
2194 pcount = 0;
2195 while (np) {
2196 pcount++;
2197 TCHECK(*ext);
2198
2199 safememcpy(&e, ext, sizeof(e));
2200
2201 TCHECK2(*ext, ntohs(e.len));
2202
2203 depth++;
2204 ND_PRINT((ndo,"\n"));
2205 for (i = 0; i < depth; i++)
2206 ND_PRINT((ndo," "));
2207 ND_PRINT((ndo,"("));
2208 cp = ikev2_sub0_print(ndo, np, pcount,
2209 ext, ep, phase, doi, proto, depth);
2210 ND_PRINT((ndo,")"));
2211 depth--;
2212
2213 if (cp == NULL) {
2214 /* Zero-length subitem */
2215 return NULL;
2216 }
2217
2218 np = e.np;
2219 ext = (struct isakmp_gen *)cp;
2220 }
2221 return cp;
2222 trunc:
2223 ND_PRINT((ndo," [|%s]", NPSTR(np)));
2224 return NULL;
2225 }
2226
2227 static void
2228 ikev2_print(netdissect_options *ndo,
2229 const u_char *bp, u_int length,
2230 const u_char *bp2 _U_, struct isakmp *base)
2231 {
2232 const struct isakmp *p;
2233 const u_char *ep;
2234 u_char np;
2235 int phase;
2236
2237 p = (const struct isakmp *)bp;
2238 ep = ndo->ndo_snapend;
2239
2240 phase = (*(u_int32_t *)base->msgid == 0) ? 1 : 2;
2241 if (phase == 1)
2242 ND_PRINT((ndo, " parent_sa"));
2243 else
2244 ND_PRINT((ndo, " child_sa "));
2245
2246 ND_PRINT((ndo, " %s", ETYPESTR(base->etype)));
2247 if (base->flags) {
2248 ND_PRINT((ndo, "[%s%s]",
2249 base->flags & ISAKMP_FLAG_I ? "I" : "",
2250 base->flags & ISAKMP_FLAG_V ? "V" : "",
2251 base->flags & ISAKMP_FLAG_R ? "R" : ""));
2252 }
2253
2254 if (ndo->ndo_vflag) {
2255 const struct isakmp_gen *ext;
2256 int nparen;
2257
2258 ND_PRINT((ndo, ":"));
2259
2260 /* regardless of phase... */
2261 if (base->flags & ISAKMP_FLAG_E) {
2262 /*
2263 * encrypted, nothing we can do right now.
2264 * we hope to decrypt the packet in the future...
2265 */
2266 ND_PRINT((ndo, " [encrypted %s]", NPSTR(base->np)));
2267 goto done;
2268 }
2269
2270 nparen = 0;
2271 CHECKLEN(p + 1, base->np)
2272
2273 np = base->np;
2274 ext = (struct isakmp_gen *)(p + 1);
2275 ikev2_sub_print(ndo, np, ext, ep, phase, 0, 0, 0);
2276 }
2277
2278 done:
2279 if (ndo->ndo_vflag) {
2280 if (ntohl(base->len) != length) {
2281 ND_PRINT((ndo, " (len mismatch: isakmp %u/ip %u)",
2282 (u_int32_t)ntohl(base->len), length));
2283 }
2284 }
2285 }
2286
2287 void
2288 isakmp_print(netdissect_options *ndo,
2289 const u_char *bp, u_int length,
2290 const u_char *bp2)
2291 {
2292 const struct isakmp *p;
2293 struct isakmp base;
2294 const u_char *ep;
2295 int major, minor;
2296
2297 p = (const struct isakmp *)bp;
2298 ep = ndo->ndo_snapend;
2299
2300 if ((struct isakmp *)ep < p + 1) {
2301 ND_PRINT((ndo,"[|isakmp]"));
2302 return;
2303 }
2304
2305 safememcpy(&base, p, sizeof(base));
2306
2307 ND_PRINT((ndo,"isakmp"));
2308 major = (base.vers & ISAKMP_VERS_MAJOR)
2309 >> ISAKMP_VERS_MAJOR_SHIFT;
2310 minor = (base.vers & ISAKMP_VERS_MINOR)
2311 >> ISAKMP_VERS_MINOR_SHIFT;
2312
2313 if (ndo->ndo_vflag) {
2314 ND_PRINT((ndo," %d.%d", major, minor));
2315 }
2316
2317 if (ndo->ndo_vflag) {
2318 ND_PRINT((ndo," msgid "));
2319 rawprint(ndo, (caddr_t)&base.msgid, sizeof(base.msgid));
2320 }
2321
2322 if (1 < ndo->ndo_vflag) {
2323 ND_PRINT((ndo," cookie "));
2324 rawprint(ndo, (caddr_t)&base.i_ck, sizeof(base.i_ck));
2325 ND_PRINT((ndo,"->"));
2326 rawprint(ndo, (caddr_t)&base.r_ck, sizeof(base.r_ck));
2327 }
2328 ND_PRINT((ndo,":"));
2329
2330 switch(major) {
2331 case IKEv1_MAJOR_VERSION:
2332 ikev1_print(ndo, bp, length, bp2, &base);
2333 break;
2334
2335 case IKEv2_MAJOR_VERSION:
2336 ikev2_print(ndo, bp, length, bp2, &base);
2337 break;
2338 }
2339 }
2340
2341 void
2342 isakmp_rfc3948_print(netdissect_options *ndo,
2343 const u_char *bp, u_int length,
2344 const u_char *bp2)
2345 {
2346 const u_char *ep;
2347 ep = ndo->ndo_snapend;
2348
2349 if(length == 1 && bp[0]==0xff) {
2350 ND_PRINT((ndo, "isakmp-nat-keep-alive"));
2351 return;
2352 }
2353
2354 if(length < 4) {
2355 goto trunc;
2356 }
2357
2358 /*
2359 * see if this is an IKE packet
2360 */
2361 if(bp[0]==0 && bp[1]==0 && bp[2]==0 && bp[3]==0) {
2362 ND_PRINT((ndo, "NONESP-encap: "));
2363 isakmp_print(ndo, bp+4, length-4, bp2);
2364 return;
2365 }
2366
2367 /* must be an ESP packet */
2368 {
2369 int nh, enh, padlen;
2370 int advance;
2371
2372 ND_PRINT((ndo, "UDP-encap: "));
2373
2374 advance = esp_print(ndo, bp, length, bp2, &enh, &padlen);
2375 if(advance <= 0)
2376 return;
2377
2378 bp += advance;
2379 length -= advance + padlen;
2380 nh = enh & 0xff;
2381
2382 ip_print_inner(ndo, bp, length, nh, bp2);
2383 return;
2384 }
2385
2386 trunc:
2387 ND_PRINT((ndo,"[|isakmp]"));
2388 return;
2389 }
2390
2391 /*
2392 * Local Variables:
2393 * c-style: whitesmith
2394 * c-basic-offset: 8
2395 * End:
2396 */
2397
2398
2399
2400
[mirror] the TCPdump network dissector