]> The Tcpdump Group git mirrors - tcpdump/blob - print-isakmp.c
projects / tcpdump / blob
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
From Sami Farin <[email protected]>: put in a missing blank before "NBT
[tcpdump] / print-isakmp.c
1 /*
2 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. Neither the name of the project nor the names of its contributors
14 * may be used to endorse or promote products derived from this software
15 * without specific prior written permission.
16 *
17 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27 * SUCH DAMAGE.
28 *
29 */
30
31 #ifndef lint
32 static const char rcsid[] =
33 "@(#) $Header: /tcpdump/master/tcpdump/print-isakmp.c,v 1.29 2001-10-26 03:41:29 itojun Exp $ (LBL)";
34 #endif
35
36 #ifdef HAVE_CONFIG_H
37 #include "config.h"
38 #endif
39
40 #include <string.h>
41 #include <ctype.h>
42 #include <sys/param.h>
43 #include <sys/time.h>
44 #include <sys/socket.h>
45
46 struct mbuf;
47 struct rtentry;
48
49 #include <netinet/in.h>
50
51 #include <stdio.h>
52 #include <netdb.h>
53
54 #include "isakmp.h"
55 #include "ipsec_doi.h"
56 #include "oakley.h"
57 #include "interface.h"
58 #include "addrtoname.h"
59 #include "extract.h" /* must come after interface.h */
60
61 #include "ip.h"
62 #ifdef INET6
63 #include "ip6.h"
64 #endif
65
66 #ifndef HAVE_SOCKADDR_STORAGE
67 #define sockaddr_storage sockaddr
68 #endif
69
70 static u_char *isakmp_sa_print(struct isakmp_gen *, u_char *, u_int32_t,
71 u_int32_t, u_int32_t);
72 static u_char *isakmp_p_print(struct isakmp_gen *, u_char *, u_int32_t,
73 u_int32_t, u_int32_t);
74 static u_char *isakmp_t_print(struct isakmp_gen *, u_char *, u_int32_t,
75 u_int32_t, u_int32_t);
76 static u_char *isakmp_ke_print(struct isakmp_gen *, u_char *, u_int32_t,
77 u_int32_t, u_int32_t);
78 static u_char *isakmp_id_print(struct isakmp_gen *, u_char *, u_int32_t,
79 u_int32_t, u_int32_t);
80 static u_char *isakmp_cert_print(struct isakmp_gen *, u_char *, u_int32_t,
81 u_int32_t, u_int32_t);
82 static u_char *isakmp_cr_print(struct isakmp_gen *, u_char *, u_int32_t,
83 u_int32_t, u_int32_t);
84 static u_char *isakmp_sig_print(struct isakmp_gen *, u_char *, u_int32_t,
85 u_int32_t, u_int32_t);
86 static u_char *isakmp_hash_print(struct isakmp_gen *, u_char *,
87 u_int32_t, u_int32_t, u_int32_t);
88 static u_char *isakmp_nonce_print(struct isakmp_gen *, u_char *,
89 u_int32_t, u_int32_t, u_int32_t);
90 static u_char *isakmp_n_print(struct isakmp_gen *, u_char *, u_int32_t,
91 u_int32_t, u_int32_t);
92 static u_char *isakmp_d_print(struct isakmp_gen *, u_char *, u_int32_t,
93 u_int32_t, u_int32_t);
94 static u_char *isakmp_vid_print(struct isakmp_gen *, u_char *, u_int32_t,
95 u_int32_t, u_int32_t);
96 static u_char *isakmp_sub0_print(u_char, struct isakmp_gen *, u_char *,
97 u_int32_t, u_int32_t, u_int32_t);
98 static u_char *isakmp_sub_print(u_char, struct isakmp_gen *, u_char *,
99 u_int32_t, u_int32_t, u_int32_t);
100 static char *numstr(int);
101 static void safememcpy(void *, void *, size_t);
102
103 #define MAXINITIATORS 20
104 int ninitiator = 0;
105 struct {
106 cookie_t initiator;
107 struct sockaddr_storage iaddr;
108 struct sockaddr_storage raddr;
109 } cookiecache[MAXINITIATORS];
110
111 /* protocol id */
112 static char *protoidstr[] = {
113 NULL, "isakmp", "ipsec-ah", "ipsec-esp", "ipcomp",
114 };
115
116 /* isakmp->np */
117 static char *npstr[] = {
118 "none", "sa", "p", "t", "ke", "id", "cert", "cr", "hash",
119 "sig", "nonce", "n", "d", "vid"
120 };
121
122 /* isakmp->np */
123 static u_char *(*npfunc[])(struct isakmp_gen *, u_char *, u_int32_t,
124 u_int32_t, u_int32_t) = {
125 NULL,
126 isakmp_sa_print,
127 isakmp_p_print,
128 isakmp_t_print,
129 isakmp_ke_print,
130 isakmp_id_print,
131 isakmp_cert_print,
132 isakmp_cr_print,
133 isakmp_hash_print,
134 isakmp_sig_print,
135 isakmp_nonce_print,
136 isakmp_n_print,
137 isakmp_d_print,
138 isakmp_vid_print,
139 };
140
141 /* isakmp->etype */
142 static char *etypestr[] = {
143 "none", "base", "ident", "auth", "agg", "inf", NULL, NULL,
144 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
145 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
146 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
147 "oakley-quick", "oakley-newgroup",
148 };
149
150 #define STR_OR_ID(x, tab) \
151 (((x) < sizeof(tab)/sizeof(tab[0]) && tab[(x)]) ? tab[(x)] : numstr(x))
152 #define PROTOIDSTR(x) STR_OR_ID(x, protoidstr)
153 #define NPSTR(x) STR_OR_ID(x, npstr)
154 #define ETYPESTR(x) STR_OR_ID(x, etypestr)
155
156 #define NPFUNC(x) \
157 (((x) < sizeof(npfunc)/sizeof(npfunc[0]) && npfunc[(x)]) \
158 ? npfunc[(x)] : NULL)
159
160 static int
161 iszero(u_char *p, size_t l)
162 {
163 while (l--) {
164 if (*p++)
165 return 0;
166 }
167 return 1;
168 }
169
170 /* find cookie from initiator cache */
171 static int
172 cookie_find(cookie_t *in)
173 {
174 int i;
175
176 for (i = 0; i < MAXINITIATORS; i++) {
177 if (memcmp(in, &cookiecache[i].initiator, sizeof(*in)) == 0)
178 return i;
179 }
180
181 return -1;
182 }
183
184 /* record initiator */
185 static void
186 cookie_record(cookie_t *in, const u_char *bp2)
187 {
188 int i;
189 struct ip *ip;
190 struct sockaddr_in *sin;
191 #ifdef INET6
192 struct ip6_hdr *ip6;
193 struct sockaddr_in6 *sin6;
194 #endif
195
196 i = cookie_find(in);
197 if (0 <= i) {
198 ninitiator = (i + 1) % MAXINITIATORS;
199 return;
200 }
201
202 ip = (struct ip *)bp2;
203 switch (IP_V(ip)) {
204 case 4:
205 memset(&cookiecache[ninitiator].iaddr, 0,
206 sizeof(cookiecache[ninitiator].iaddr));
207 memset(&cookiecache[ninitiator].raddr, 0,
208 sizeof(cookiecache[ninitiator].raddr));
209
210 sin = (struct sockaddr_in *)&cookiecache[ninitiator].iaddr;
211 #ifdef HAVE_SOCKADDR_SA_LEN
212 sin->sin_len = sizeof(struct sockaddr_in);
213 #endif
214 sin->sin_family = AF_INET;
215 memcpy(&sin->sin_addr, &ip->ip_src, sizeof(ip->ip_src));
216 sin = (struct sockaddr_in *)&cookiecache[ninitiator].raddr;
217 #ifdef HAVE_SOCKADDR_SA_LEN
218 sin->sin_len = sizeof(struct sockaddr_in);
219 #endif
220 sin->sin_family = AF_INET;
221 memcpy(&sin->sin_addr, &ip->ip_dst, sizeof(ip->ip_dst));
222 break;
223 #ifdef INET6
224 case 6:
225 memset(&cookiecache[ninitiator].iaddr, 0,
226 sizeof(cookiecache[ninitiator].iaddr));
227 memset(&cookiecache[ninitiator].raddr, 0,
228 sizeof(cookiecache[ninitiator].raddr));
229
230 ip6 = (struct ip6_hdr *)bp2;
231 sin6 = (struct sockaddr_in6 *)&cookiecache[ninitiator].iaddr;
232 #ifdef HAVE_SOCKADDR_SA_LEN
233 sin6->sin6_len = sizeof(struct sockaddr_in6);
234 #endif
235 sin6->sin6_family = AF_INET6;
236 memcpy(&sin6->sin6_addr, &ip6->ip6_src, sizeof(ip6->ip6_src));
237 sin6 = (struct sockaddr_in6 *)&cookiecache[ninitiator].raddr;
238 #ifdef HAVE_SOCKADDR_SA_LEN
239 sin6->sin6_len = sizeof(struct sockaddr_in6);
240 #endif
241 sin6->sin6_family = AF_INET6;
242 memcpy(&sin6->sin6_addr, &ip6->ip6_dst, sizeof(ip6->ip6_dst));
243 break;
244 #endif
245 default:
246 return;
247 }
248 memcpy(&cookiecache[ninitiator].initiator, in, sizeof(*in));
249 ninitiator = (ninitiator + 1) % MAXINITIATORS;
250 }
251
252 #define cookie_isinitiator(x, y) cookie_sidecheck((x), (y), 1)
253 #define cookie_isresponder(x, y) cookie_sidecheck((x), (y), 0)
254 static int
255 cookie_sidecheck(int i, const u_char *bp2, int initiator)
256 {
257 struct sockaddr_storage ss;
258 struct sockaddr *sa;
259 struct ip *ip;
260 struct sockaddr_in *sin;
261 #ifdef INET6
262 struct ip6_hdr *ip6;
263 struct sockaddr_in6 *sin6;
264 #endif
265 int salen;
266
267 memset(&ss, 0, sizeof(ss));
268 ip = (struct ip *)bp2;
269 switch (IP_V(ip)) {
270 case 4:
271 sin = (struct sockaddr_in *)&ss;
272 #ifdef HAVE_SOCKADDR_SA_LEN
273 sin->sin_len = sizeof(struct sockaddr_in);
274 #endif
275 sin->sin_family = AF_INET;
276 memcpy(&sin->sin_addr, &ip->ip_src, sizeof(ip->ip_src));
277 break;
278 #ifdef INET6
279 case 6:
280 ip6 = (struct ip6_hdr *)bp2;
281 sin6 = (struct sockaddr_in6 *)&ss;
282 #ifdef HAVE_SOCKADDR_SA_LEN
283 sin6->sin6_len = sizeof(struct sockaddr_in6);
284 #endif
285 sin6->sin6_family = AF_INET6;
286 memcpy(&sin6->sin6_addr, &ip6->ip6_src, sizeof(ip6->ip6_src));
287 break;
288 #endif
289 default:
290 return 0;
291 }
292
293 sa = (struct sockaddr *)&ss;
294 if (initiator) {
295 if (sa->sa_family != ((struct sockaddr *)&cookiecache[i].iaddr)->sa_family)
296 return 0;
297 #ifdef HAVE_SOCKADDR_SA_LEN
298 salen = sa->sa_len;
299 #else
300 #ifdef INET6
301 if (sa->sa_family == AF_INET6)
302 salen = sizeof(struct sockaddr_in6);
303 else
304 salen = sizeof(struct sockaddr);
305 #else
306 salen = sizeof(struct sockaddr);
307 #endif
308 #endif
309 if (memcmp(&ss, &cookiecache[i].iaddr, salen) == 0)
310 return 1;
311 } else {
312 if (sa->sa_family != ((struct sockaddr *)&cookiecache[i].raddr)->sa_family)
313 return 0;
314 #ifdef HAVE_SOCKADDR_SA_LEN
315 salen = sa->sa_len;
316 #else
317 #ifdef INET6
318 if (sa->sa_family == AF_INET6)
319 salen = sizeof(struct sockaddr_in6);
320 else
321 salen = sizeof(struct sockaddr);
322 #else
323 salen = sizeof(struct sockaddr);
324 #endif
325 #endif
326 if (memcmp(&ss, &cookiecache[i].raddr, salen) == 0)
327 return 1;
328 }
329 return 0;
330 }
331
332 static void
333 rawprint(caddr_t loc, size_t len)
334 {
335 static u_char *p;
336 int i;
337
338 p = (u_char *)loc;
339 for (i = 0; i < len; i++)
340 printf("%02x", p[i] & 0xff);
341 }
342
343 struct attrmap {
344 char *type;
345 int nvalue;
346 char *value[30]; /*XXX*/
347 };
348
349 static u_char *
350 isakmp_attrmap_print(u_char *p, u_char *ep, struct attrmap *map, size_t nmap)
351 {
352 u_int16_t *q;
353 int totlen;
354 u_int32_t t, v;
355
356 q = (u_int16_t *)p;
357 if (p[0] & 0x80)
358 totlen = 4;
359 else
360 totlen = 4 + ntohs(q[1]);
361 if (ep < p + totlen) {
362 printf("[|attr]");
363 return ep + 1;
364 }
365
366 printf("(");
367 t = ntohs(q[0]) & 0x7fff;
368 if (map && t < nmap && map[t].type)
369 printf("type=%s ", map[t].type);
370 else
371 printf("type=#%d ", t);
372 if (p[0] & 0x80) {
373 printf("value=");
374 v = ntohs(q[1]);
375 if (map && t < nmap && v < map[t].nvalue && map[t].value[v])
376 printf("%s", map[t].value[v]);
377 else
378 rawprint((caddr_t)&q[1], 2);
379 } else {
380 printf("len=%d value=", ntohs(q[1]));
381 rawprint((caddr_t)&p[4], ntohs(q[1]));
382 }
383 printf(")");
384 return p + totlen;
385 }
386
387 static u_char *
388 isakmp_attr_print(u_char *p, u_char *ep)
389 {
390 u_int16_t *q;
391 int totlen;
392 u_int32_t t;
393
394 q = (u_int16_t *)p;
395 if (p[0] & 0x80)
396 totlen = 4;
397 else
398 totlen = 4 + ntohs(q[1]);
399 if (ep < p + totlen) {
400 printf("[|attr]");
401 return ep + 1;
402 }
403
404 printf("(");
405 t = ntohs(q[0]) & 0x7fff;
406 printf("type=#%d ", t);
407 if (p[0] & 0x80) {
408 printf("value=");
409 t = q[1];
410 rawprint((caddr_t)&q[1], 2);
411 } else {
412 printf("len=%d value=", ntohs(q[1]));
413 rawprint((caddr_t)&p[2], ntohs(q[1]));
414 }
415 printf(")");
416 return p + totlen;
417 }
418
419 static u_char *
420 isakmp_sa_print(struct isakmp_gen *ext, u_char *ep, u_int32_t phase,
421 u_int32_t doi0, u_int32_t proto0)
422 {
423 struct isakmp_pl_sa *p, sa;
424 u_int32_t *q;
425 u_int32_t doi, sit, ident;
426 u_char *cp, *np;
427 int t;
428
429 printf("%s:", NPSTR(ISAKMP_NPTYPE_SA));
430
431 p = (struct isakmp_pl_sa *)ext;
432 safememcpy(&sa, ext, sizeof(sa));
433 doi = ntohl(sa.doi);
434 sit = ntohl(sa.sit);
435 if (doi != 1) {
436 printf(" doi=%d", doi);
437 printf(" situation=%u", (u_int32_t)ntohl(sa.sit));
438 return (u_char *)(p + 1);
439 }
440
441 printf(" doi=ipsec");
442 q = (u_int32_t *)&sa.sit;
443 printf(" situation=");
444 t = 0;
445 if (sit & 0x01) {
446 printf("identity");
447 t++;
448 }
449 if (sit & 0x02) {
450 printf("%ssecrecy", t ? "+" : "");
451 t++;
452 }
453 if (sit & 0x04)
454 printf("%sintegrity", t ? "+" : "");
455
456 np = (u_char *)ext + sizeof(sa);
457 if (sit != 0x01) {
458 safememcpy(&ident, ext + 1, sizeof(ident));
459 printf(" ident=%u", (u_int32_t)ntohl(ident));
460 np += sizeof(ident);
461 }
462
463 ext = (struct isakmp_gen *)np;
464
465 cp = isakmp_sub_print(ISAKMP_NPTYPE_P, ext, ep, phase, doi, proto0);
466
467 return cp;
468 }
469
470 static u_char *
471 isakmp_p_print(struct isakmp_gen *ext, u_char *ep, u_int32_t phase,
472 u_int32_t doi0, u_int32_t proto0)
473 {
474 struct isakmp_pl_p *p, prop;
475 u_char *cp;
476
477 printf("%s:", NPSTR(ISAKMP_NPTYPE_P));
478
479 p = (struct isakmp_pl_p *)ext;
480 safememcpy(&prop, ext, sizeof(prop));
481 printf(" #%d protoid=%s transform=%d",
482 prop.p_no, PROTOIDSTR(prop.prot_id), prop.num_t);
483 if (prop.spi_size) {
484 printf(" spi=");
485 rawprint((caddr_t)(p + 1), prop.spi_size);
486 }
487
488 ext = (struct isakmp_gen *)((u_char *)(p + 1) + prop.spi_size);
489
490 cp = isakmp_sub_print(ISAKMP_NPTYPE_T, ext, ep, phase, doi0,
491 prop.prot_id);
492
493 return cp;
494 }
495
496 static char *isakmp_p_map[] = {
497 NULL, "ike",
498 };
499
500 static char *ah_p_map[] = {
501 NULL, "(reserved)", "md5", "sha", "1des",
502 "sha2-256", "sha2-384", "sha2-512",
503 };
504
505 static char *esp_p_map[] = {
506 NULL, "1des-iv64", "1des", "3des", "rc5", "idea", "cast",
507 "blowfish", "3idea", "1des-iv32", "rc4", "null", "aes"
508 };
509
510 static char *ipcomp_p_map[] = {
511 NULL, "oui", "deflate", "lzs",
512 };
513
514 struct attrmap ipsec_t_map[] = {
515 { NULL, 0, },
516 { "lifetype", 3, { NULL, "sec", "kb", }, },
517 { "life", 0, },
518 { "group desc", 5, { NULL, "modp768", "modp1024", "EC2N 2^155",
519 "EC2N 2^185", }, },
520 { "enc mode", 3, { NULL, "tunnel", "transport", }, },
521 { "auth", 5, { NULL, "hmac-md5", "hmac-sha1", "1des-mac", "keyed", }, },
522 { "keylen", 0, },
523 { "rounds", 0, },
524 { "dictsize", 0, },
525 { "privalg", 0, },
526 };
527
528 struct attrmap oakley_t_map[] = {
529 { NULL, 0 },
530 { "enc", 8, { NULL, "1des", "idea", "blowfish", "rc5",
531 "3des", "cast", "aes", }, },
532 { "hash", 7, { NULL, "md5", "sha1", "tiger",
533 "sha2-256", "sha2-384", "sha2-512", }, },
534 { "auth", 6, { NULL, "preshared", "dss", "rsa sig", "rsa enc",
535 "rsa enc revised", }, },
536 { "group desc", 5, { NULL, "modp768", "modp1024", "EC2N 2^155",
537 "EC2N 2^185", }, },
538 { "group type", 4, { NULL, "MODP", "ECP", "EC2N", }, },
539 { "group prime", 0, },
540 { "group gen1", 0, },
541 { "group gen2", 0, },
542 { "group curve A", 0, },
543 { "group curve B", 0, },
544 { "lifetype", 3, { NULL, "sec", "kb", }, },
545 { "lifeduration", 0, },
546 { "prf", 0, },
547 { "keylen", 0, },
548 { "field", 0, },
549 { "order", 0, },
550 };
551
552 static u_char *
553 isakmp_t_print(struct isakmp_gen *ext, u_char *ep, u_int32_t phase,
554 u_int32_t doi, u_int32_t proto)
555 {
556 struct isakmp_pl_t *p, t;
557 u_char *cp;
558 char *idstr;
559 struct attrmap *map;
560 size_t nmap;
561 u_char *ep2;
562
563 printf("%s:", NPSTR(ISAKMP_NPTYPE_T));
564
565 p = (struct isakmp_pl_t *)ext;
566 safememcpy(&t, ext, sizeof(t));
567
568 switch (proto) {
569 case 1:
570 idstr = STR_OR_ID(t.t_id, isakmp_p_map);
571 map = oakley_t_map;
572 nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]);
573 break;
574 case 2:
575 idstr = STR_OR_ID(t.t_id, ah_p_map);
576 map = ipsec_t_map;
577 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
578 break;
579 case 3:
580 idstr = STR_OR_ID(t.t_id, esp_p_map);
581 map = ipsec_t_map;
582 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
583 break;
584 case 4:
585 idstr = STR_OR_ID(t.t_id, ipcomp_p_map);
586 map = ipsec_t_map;
587 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
588 break;
589 default:
590 idstr = NULL;
591 map = NULL;
592 nmap = 0;
593 break;
594 }
595
596 if (idstr)
597 printf(" #%d id=%s ", t.t_no, idstr);
598 else
599 printf(" #%d id=%d ", t.t_no, t.t_id);
600 cp = (u_char *)(p + 1);
601 ep2 = (u_char *)p + ntohs(t.h.len);
602 while (cp < ep && cp < ep2) {
603 if (map && nmap) {
604 cp = isakmp_attrmap_print(cp, (ep < ep2) ? ep : ep2,
605 map, nmap);
606 } else
607 cp = isakmp_attr_print(cp, (ep < ep2) ? ep : ep2);
608 }
609 if (ep < ep2)
610 printf("...");
611 return cp;
612 }
613
614 static u_char *
615 isakmp_ke_print(struct isakmp_gen *ext, u_char *ep, u_int32_t phase,
616 u_int32_t doi, u_int32_t proto)
617 {
618 struct isakmp_gen e;
619
620 printf("%s:", NPSTR(ISAKMP_NPTYPE_KE));
621
622 safememcpy(&e, ext, sizeof(e));
623 printf(" key len=%d", ntohs(e.len) - 4);
624 if (2 < vflag && 4 < ntohs(e.len)) {
625 printf(" ");
626 rawprint((caddr_t)(ext + 1), ntohs(e.len) - 4);
627 }
628 return (u_char *)ext + ntohs(e.len);
629 }
630
631 static u_char *
632 isakmp_id_print(struct isakmp_gen *ext, u_char *ep, u_int32_t phase,
633 u_int32_t doi, u_int32_t proto)
634 {
635 #define USE_IPSECDOI_IN_PHASE1 1
636 struct isakmp_pl_id *p, id;
637 static char *idtypestr[] = {
638 "IPv4", "IPv4net", "IPv6", "IPv6net",
639 };
640 static char *ipsecidtypestr[] = {
641 NULL, "IPv4", "FQDN", "user FQDN", "IPv4net", "IPv6",
642 "IPv6net", "IPv4range", "IPv6range", "ASN1 DN", "ASN1 GN",
643 "keyid",
644 };
645 int len;
646 u_char *data;
647
648 printf("%s:", NPSTR(ISAKMP_NPTYPE_ID));
649
650 p = (struct isakmp_pl_id *)ext;
651 safememcpy(&id, ext, sizeof(id));
652 if (sizeof(*p) < id.h.len)
653 data = (u_char *)(p + 1);
654 else
655 data = NULL;
656 len = ntohs(id.h.len) - sizeof(*p);
657
658 #if 0 /*debug*/
659 printf(" [phase=%d doi=%d proto=%d]", phase, doi, proto);
660 #endif
661 switch (phase) {
662 #ifndef USE_IPSECDOI_IN_PHASE1
663 case 1:
664 #endif
665 default:
666 printf(" idtype=%s", STR_OR_ID(id.d.id_type, idtypestr));
667 printf(" doi_data=%u",
668 (u_int32_t)(ntohl(id.d.doi_data) & 0xffffff));
669 break;
670
671 #ifdef USE_IPSECDOI_IN_PHASE1
672 case 1:
673 #endif
674 case 2:
675 {
676 struct ipsecdoi_id *p, id;
677 struct protoent *pe;
678
679 p = (struct ipsecdoi_id *)ext;
680 safememcpy(&id, ext, sizeof(id));
681 printf(" idtype=%s", STR_OR_ID(id.type, ipsecidtypestr));
682 if (id.proto_id) {
683 setprotoent(1);
684 pe = getprotobynumber(id.proto_id);
685 if (pe)
686 printf(" protoid=%s", pe->p_name);
687 endprotoent();
688 } else {
689 /* it DOES NOT mean IPPROTO_IP! */
690 printf(" protoid=%s", "0");
691 }
692 printf(" port=%d", ntohs(id.port));
693 if (!len)
694 break;
695 switch (id.type) {
696 case IPSECDOI_ID_IPV4_ADDR:
697 printf(" len=%d %s", len, ipaddr_string(data));
698 len = 0;
699 break;
700 case IPSECDOI_ID_FQDN:
701 case IPSECDOI_ID_USER_FQDN:
702 {
703 int i;
704 printf(" len=%d ", len);
705 for (i = 0; i < len; i++)
706 safeputchar(data[i]);
707 len = 0;
708 break;
709 }
710 case IPSECDOI_ID_IPV4_ADDR_SUBNET:
711 {
712 u_char *mask;
713 mask = data + sizeof(struct in_addr);
714 printf(" len=%d %s/%u.%u.%u.%u", len,
715 ipaddr_string(data),
716 mask[0], mask[1], mask[2], mask[3]);
717 len = 0;
718 break;
719 }
720 #ifdef INET6
721 case IPSECDOI_ID_IPV6_ADDR:
722 printf(" len=%d %s", len, ip6addr_string(data));
723 len = 0;
724 break;
725 case IPSECDOI_ID_IPV6_ADDR_SUBNET:
726 {
727 u_int32_t *mask;
728 mask = (u_int32_t *)(data + sizeof(struct in6_addr));
729 /*XXX*/
730 printf(" len=%d %s/0x%08x%08x%08x%08x", len,
731 ip6addr_string(data),
732 mask[0], mask[1], mask[2], mask[3]);
733 len = 0;
734 break;
735 }
736 #endif /*INET6*/
737 case IPSECDOI_ID_IPV4_ADDR_RANGE:
738 printf(" len=%d %s-%s", len, ipaddr_string(data),
739 ipaddr_string(data + sizeof(struct in_addr)));
740 len = 0;
741 break;
742 #ifdef INET6
743 case IPSECDOI_ID_IPV6_ADDR_RANGE:
744 printf(" len=%d %s-%s", len, ip6addr_string(data),
745 ip6addr_string(data + sizeof(struct in6_addr)));
746 len = 0;
747 break;
748 #endif /*INET6*/
749 case IPSECDOI_ID_DER_ASN1_DN:
750 case IPSECDOI_ID_DER_ASN1_GN:
751 case IPSECDOI_ID_KEY_ID:
752 break;
753 }
754 break;
755 }
756 }
757 if (data && len) {
758 printf(" len=%d", len);
759 if (2 < vflag) {
760 printf(" ");
761 rawprint((caddr_t)data, len);
762 }
763 }
764 return (u_char *)ext + ntohs(id.h.len);
765 }
766
767 static u_char *
768 isakmp_cert_print(struct isakmp_gen *ext, u_char *ep, u_int32_t phase,
769 u_int32_t doi0, u_int32_t proto0)
770 {
771 struct isakmp_pl_cert *p, cert;
772 static char *certstr[] = {
773 "none", "pkcs7", "pgp", "dns",
774 "x509sign", "x509ke", "kerberos", "crl",
775 "arl", "spki", "x509attr",
776 };
777
778 printf("%s:", NPSTR(ISAKMP_NPTYPE_CERT));
779
780 p = (struct isakmp_pl_cert *)ext;
781 safememcpy(&cert, ext, sizeof(cert));
782 printf(" len=%d", ntohs(cert.h.len) - 4);
783 printf(" type=%s", STR_OR_ID((cert.encode), certstr));
784 if (2 < vflag && 4 < ntohs(cert.h.len)) {
785 printf(" ");
786 rawprint((caddr_t)(ext + 1), ntohs(cert.h.len) - 4);
787 }
788 return (u_char *)ext + ntohs(cert.h.len);
789 }
790
791 static u_char *
792 isakmp_cr_print(struct isakmp_gen *ext, u_char *ep, u_int32_t phase,
793 u_int32_t doi0, u_int32_t proto0)
794 {
795 struct isakmp_pl_cert *p, cert;
796 static char *certstr[] = {
797 "none", "pkcs7", "pgp", "dns",
798 "x509sign", "x509ke", "kerberos", "crl",
799 "arl", "spki", "x509attr",
800 };
801
802 printf("%s:", NPSTR(ISAKMP_NPTYPE_CR));
803
804 p = (struct isakmp_pl_cert *)ext;
805 safememcpy(&cert, ext, sizeof(cert));
806 printf(" len=%d", ntohs(cert.h.len) - 4);
807 printf(" type=%s", STR_OR_ID((cert.encode), certstr));
808 if (2 < vflag && 4 < ntohs(cert.h.len)) {
809 printf(" ");
810 rawprint((caddr_t)(ext + 1), ntohs(cert.h.len) - 4);
811 }
812 return (u_char *)ext + ntohs(cert.h.len);
813 }
814
815 static u_char *
816 isakmp_hash_print(struct isakmp_gen *ext, u_char *ep, u_int32_t phase,
817 u_int32_t doi, u_int32_t proto)
818 {
819 struct isakmp_gen e;
820
821 printf("%s:", NPSTR(ISAKMP_NPTYPE_HASH));
822
823 safememcpy(&e, ext, sizeof(e));
824 printf(" len=%d", ntohs(e.len) - 4);
825 if (2 < vflag && 4 < ntohs(e.len)) {
826 printf(" ");
827 rawprint((caddr_t)(ext + 1), ntohs(e.len) - 4);
828 }
829 return (u_char *)ext + ntohs(e.len);
830 }
831
832 static u_char *
833 isakmp_sig_print(struct isakmp_gen *ext, u_char *ep, u_int32_t phase,
834 u_int32_t doi, u_int32_t proto)
835 {
836 struct isakmp_gen e;
837
838 printf("%s:", NPSTR(ISAKMP_NPTYPE_SIG));
839
840 safememcpy(&e, ext, sizeof(e));
841 printf(" len=%d", ntohs(e.len) - 4);
842 if (2 < vflag && 4 < ntohs(e.len)) {
843 printf(" ");
844 rawprint((caddr_t)(ext + 1), ntohs(e.len) - 4);
845 }
846 return (u_char *)ext + ntohs(e.len);
847 }
848
849 static u_char *
850 isakmp_nonce_print(struct isakmp_gen *ext, u_char *ep, u_int32_t phase,
851 u_int32_t doi, u_int32_t proto)
852 {
853 struct isakmp_gen e;
854
855 printf("%s:", NPSTR(ISAKMP_NPTYPE_NONCE));
856
857 safememcpy(&e, ext, sizeof(e));
858 printf(" n len=%d", ntohs(e.len) - 4);
859 if (2 < vflag && 4 < ntohs(e.len)) {
860 printf(" ");
861 rawprint((caddr_t)(ext + 1), ntohs(e.len) - 4);
862 }
863 return (u_char *)ext + ntohs(e.len);
864 }
865
866 static u_char *
867 isakmp_n_print(struct isakmp_gen *ext, u_char *ep, u_int32_t phase,
868 u_int32_t doi0, u_int32_t proto0)
869 {
870 struct isakmp_pl_n *p, n;
871 u_char *cp;
872 u_char *ep2;
873 u_int32_t doi;
874 u_int32_t proto;
875 static char *notifystr[] = {
876 NULL, "INVALID-PAYLOAD-TYPE",
877 "DOI-NOT-SUPPORTED", "SITUATION-NOT-SUPPORTED",
878 "INVALID-COOKIE", "INVALID-MAJOR-VERSION",
879 "INVALID-MINOR-VERSION", "INVALID-EXCHANGE-TYPE",
880 "INVALID-FLAGS", "INVALID-MESSAGE-ID",
881 "INVALID-PROTOCOL-ID", "INVALID-SPI",
882 "INVALID-TRANSFORM-ID", "ATTRIBUTES-NOT-SUPPORTED",
883 "NO-PROPOSAL-CHOSEN", "BAD-PROPOSAL-SYNTAX",
884 "PAYLOAD-MALFORMED", "INVALID-KEY-INFORMATION",
885 "INVALID-ID-INFORMATION", "INVALID-CERT-ENCODING",
886 "INVALID-CERTIFICATE", "CERT-TYPE-UNSUPPORTED",
887 "INVALID-CERT-AUTHORITY", "INVALID-HASH-INFORMATION",
888 "AUTHENTICATION-FAILED", "INVALID-SIGNATURE",
889 "ADDRESS-NOTIFICATION", "NOTIFY-SA-LIFETIME",
890 "CERTIFICATE-UNAVAILABLE", "UNSUPPORTED-EXCHANGE-TYPE",
891 "UNEQUAL-PAYLOAD-LENGTHS",
892 };
893 static char *ipsecnotifystr[] = {
894 "RESPONDER-LIFETIME", "REPLAY-STATUS",
895 "INITIAL-CONTACT",
896 };
897 /* NOTE: these macro must be called with x in proper range */
898 #define NOTIFYSTR(x) \
899 (((x) == 16384) ? "CONNECTED" : STR_OR_ID((x), notifystr))
900 #define IPSECNOTIFYSTR(x) \
901 (((x) == 8192) ? "RESERVED" : STR_OR_ID(((x) - 24576), ipsecnotifystr))
902
903 printf("%s:", NPSTR(ISAKMP_NPTYPE_N));
904
905 p = (struct isakmp_pl_n *)ext;
906 safememcpy(&n, ext, sizeof(n));
907 doi = ntohl(n.doi);
908 proto = n.prot_id;
909 if (doi != 1) {
910 printf(" doi=%d", doi);
911 printf(" proto=%d", proto);
912 printf(" type=%s", NOTIFYSTR(ntohs(n.type)));
913 if (n.spi_size) {
914 printf(" spi=");
915 rawprint((caddr_t)(p + 1), n.spi_size);
916 }
917 return (u_char *)(p + 1) + n.spi_size;
918 }
919
920 printf(" doi=ipsec");
921 printf(" proto=%s", PROTOIDSTR(proto));
922 if (ntohs(n.type) < 8192)
923 printf(" type=%s", NOTIFYSTR(ntohs(n.type)));
924 else if (ntohs(n.type) < 16384)
925 printf(" type=%s", IPSECNOTIFYSTR(ntohs(n.type)));
926 else if (ntohs(n.type) < 24576)
927 printf(" type=%s", NOTIFYSTR(ntohs(n.type)));
928 else if (ntohs(n.type) < 40960)
929 printf(" type=%s", IPSECNOTIFYSTR(ntohs(n.type)));
930 else
931 printf(" type=%s", NOTIFYSTR(ntohs(n.type)));
932 if (n.spi_size) {
933 printf(" spi=");
934 rawprint((caddr_t)(p + 1), n.spi_size);
935 }
936
937 cp = (u_char *)(p + 1) + n.spi_size;
938 ep2 = (u_char *)p + ntohs(n.h.len);
939
940 if (cp < ep) {
941 printf(" orig=(");
942 switch (ntohs(n.type)) {
943 case IPSECDOI_NTYPE_RESPONDER_LIFETIME:
944 {
945 struct attrmap *map = oakley_t_map;
946 size_t nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]);
947 while (cp < ep && cp < ep2) {
948 cp = isakmp_attrmap_print(cp,
949 (ep < ep2) ? ep : ep2, map, nmap);
950 }
951 break;
952 }
953 case IPSECDOI_NTYPE_REPLAY_STATUS:
954 printf("replay detection %sabled",
955 (*(u_int32_t *)cp) ? "en" : "dis");
956 break;
957 case ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN:
958 isakmp_sub_print(ISAKMP_NPTYPE_SA,
959 (struct isakmp_gen *)cp, ep, phase, doi, proto);
960 break;
961 default:
962 /* NULL is dummy */
963 isakmp_print(cp,
964 ntohs(n.h.len) - sizeof(*p) - n.spi_size,
965 NULL);
966 }
967 printf(")");
968 }
969 return (u_char *)ext + ntohs(n.h.len);
970 }
971
972 static u_char *
973 isakmp_d_print(struct isakmp_gen *ext, u_char *ep, u_int32_t phase,
974 u_int32_t doi0, u_int32_t proto0)
975 {
976 struct isakmp_pl_d *p, d;
977 u_int8_t *q;
978 u_int32_t doi;
979 u_int32_t proto;
980 int i;
981
982 printf("%s:", NPSTR(ISAKMP_NPTYPE_D));
983
984 p = (struct isakmp_pl_d *)ext;
985 safememcpy(&d, ext, sizeof(d));
986 doi = ntohl(d.doi);
987 proto = d.prot_id;
988 if (doi != 1) {
989 printf(" doi=%u", doi);
990 printf(" proto=%u", proto);
991 } else {
992 printf(" doi=ipsec");
993 printf(" proto=%s", PROTOIDSTR(proto));
994 }
995 printf(" spilen=%u", d.spi_size);
996 printf(" nspi=%u", ntohs(d.num_spi));
997 printf(" spi=");
998 q = (u_int8_t *)(p + 1);
999 for (i = 0; i < ntohs(d.num_spi); i++) {
1000 if (i != 0)
1001 printf(",");
1002 rawprint((caddr_t)q, d.spi_size);
1003 q += d.spi_size;
1004 }
1005 return q;
1006 }
1007
1008 static u_char *
1009 isakmp_vid_print(struct isakmp_gen *ext, u_char *ep, u_int32_t phase,
1010 u_int32_t doi, u_int32_t proto)
1011 {
1012 struct isakmp_gen e;
1013
1014 printf("%s:", NPSTR(ISAKMP_NPTYPE_VID));
1015
1016 safememcpy(&e, ext, sizeof(e));
1017 printf(" len=%d", ntohs(e.len) - 4);
1018 if (2 < vflag && 4 < ntohs(e.len)) {
1019 printf(" ");
1020 rawprint((caddr_t)(ext + 1), ntohs(e.len) - 4);
1021 }
1022 return (u_char *)ext + ntohs(e.len);
1023 }
1024
1025 static u_char *
1026 isakmp_sub0_print(u_char np, struct isakmp_gen *ext, u_char *ep,
1027 u_int32_t phase, u_int32_t doi, u_int32_t proto)
1028 {
1029 u_char *cp;
1030 struct isakmp_gen e;
1031
1032 cp = (u_char *)ext;
1033 safememcpy(&e, ext, sizeof(e));
1034
1035 if (NPFUNC(np))
1036 cp = (*NPFUNC(np))(ext, ep, phase, doi, proto);
1037 else {
1038 printf("%s", NPSTR(np));
1039 cp += ntohs(e.len);
1040 }
1041 return cp;
1042 }
1043
1044 static u_char *
1045 isakmp_sub_print(u_char np, struct isakmp_gen *ext, u_char *ep,
1046 u_int32_t phase, u_int32_t doi, u_int32_t proto)
1047 {
1048 u_char *cp;
1049 static int depth = 0;
1050 int i;
1051 struct isakmp_gen e;
1052
1053 cp = (u_char *)ext;
1054
1055 while (np) {
1056 safememcpy(&e, ext, sizeof(e));
1057
1058 if (ep < (u_char *)ext + ntohs(e.len)) {
1059 printf(" [|%s]", NPSTR(np));
1060 cp = ep + 1;
1061 break;
1062 }
1063 depth++;
1064 printf("\n");
1065 for (i = 0; i < depth; i++)
1066 printf(" ");
1067 printf("(");
1068 cp = isakmp_sub0_print(np, ext, ep, phase, doi, proto);
1069 printf(")");
1070 depth--;
1071
1072 np = e.np;
1073 ext = (struct isakmp_gen *)cp;
1074 }
1075 return cp;
1076 }
1077
1078 static char *
1079 numstr(int x)
1080 {
1081 static char buf[20];
1082 snprintf(buf, sizeof(buf), "#%d", x);
1083 return buf;
1084 }
1085
1086 /*
1087 * some compiler tries to optimize memcpy(), using the alignment constraint
1088 * on the argument pointer type. by using this function, we try to avoid the
1089 * optimization.
1090 */
1091 static void
1092 safememcpy(void *p, void *q, size_t l)
1093 {
1094 memcpy(p, q, l);
1095 }
1096
1097 void
1098 isakmp_print(const u_char *bp, u_int length, const u_char *bp2)
1099 {
1100 struct isakmp *p, base;
1101 u_char *ep;
1102 u_char np;
1103 int i;
1104 int phase;
1105 int major, minor;
1106
1107 p = (struct isakmp *)bp;
1108 ep = (u_char *)snapend;
1109
1110 if ((struct isakmp *)ep < p + 1) {
1111 printf("[|isakmp]");
1112 return;
1113 }
1114
1115 safememcpy(&base, p, sizeof(base));
1116
1117 printf("isakmp");
1118 if (vflag) {
1119 major = (base.vers & ISAKMP_VERS_MAJOR)
1120 >> ISAKMP_VERS_MAJOR_SHIFT;
1121 minor = (base.vers & ISAKMP_VERS_MINOR)
1122 >> ISAKMP_VERS_MINOR_SHIFT;
1123 printf(" %d.%d", major, minor);
1124 }
1125
1126 if (vflag) {
1127 printf(" msgid ");
1128 rawprint((caddr_t)&base.msgid, sizeof(base.msgid));
1129 }
1130
1131 if (1 < vflag) {
1132 printf(" cookie ");
1133 rawprint((caddr_t)&base.i_ck, sizeof(base.i_ck));
1134 printf("->");
1135 rawprint((caddr_t)&base.r_ck, sizeof(base.r_ck));
1136 }
1137 printf(":");
1138
1139 phase = (*(u_int32_t *)base.msgid == 0) ? 1 : 2;
1140 if (phase == 1)
1141 printf(" phase %d", phase);
1142 else
1143 printf(" phase %d/others", phase);
1144
1145 i = cookie_find(&base.i_ck);
1146 if (i < 0) {
1147 if (iszero((u_char *)&base.r_ck, sizeof(base.r_ck))) {
1148 /* the first packet */
1149 printf(" I");
1150 if (bp2)
1151 cookie_record(&base.i_ck, bp2);
1152 } else
1153 printf(" ?");
1154 } else {
1155 if (bp2 && cookie_isinitiator(i, bp2))
1156 printf(" I");
1157 else if (bp2 && cookie_isresponder(i, bp2))
1158 printf(" R");
1159 else
1160 printf(" ?");
1161 }
1162
1163 printf(" %s", ETYPESTR(base.etype));
1164 if (base.flags) {
1165 printf("[%s%s]", base.flags & ISAKMP_FLAG_E ? "E" : "",
1166 base.flags & ISAKMP_FLAG_C ? "C" : "");
1167 }
1168 printf(":");
1169
1170 {
1171 struct isakmp_gen *ext;
1172 int nparen;
1173
1174 #define CHECKLEN(p, np) \
1175 if (ep < (u_char *)(p)) { \
1176 printf(" [|%s]", NPSTR(np)); \
1177 goto done; \
1178 }
1179
1180 /* regardless of phase... */
1181 if (base.flags & ISAKMP_FLAG_E) {
1182 /*
1183 * encrypted, nothing we can do right now.
1184 * we hope to decrypt the packet in the future...
1185 */
1186 printf(" [encrypted %s]", NPSTR(base.np));
1187 goto done;
1188 }
1189
1190 nparen = 0;
1191 CHECKLEN(p + 1, base.np)
1192
1193 np = base.np;
1194 ext = (struct isakmp_gen *)(p + 1);
1195 isakmp_sub_print(np, ext, ep, phase, 0, 0);
1196 }
1197
1198 done:
1199 if (vflag) {
1200 if (ntohl(base.len) != length) {
1201 printf(" (len mismatch: isakmp %u/ip %d)",
1202 (u_int32_t)ntohl(base.len), length);
1203 }
1204 }
1205 }
[mirror] the TCPdump network dissector