]> The Tcpdump Group git mirrors - tcpdump/blob - print-isakmp.c
projects / tcpdump / blob
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Merge branch 'master' into macsec
[tcpdump] / print-isakmp.c
1 /*
2 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. Neither the name of the project nor the names of its contributors
14 * may be used to endorse or promote products derived from this software
15 * without specific prior written permission.
16 *
17 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27 * SUCH DAMAGE.
28 *
29 */
30
31 /* \summary: Internet Security Association and Key Management Protocol (ISAKMP) printer */
32
33 /* specification: RFC 2407, RFC 2408, RFC 5996 */
34
35 #ifdef HAVE_CONFIG_H
36 #include <config.h>
37 #endif
38
39 /* The functions from print-esp.c used in this file are only defined when both
40 * OpenSSL and evp.h are detected. Employ the same preprocessor device here.
41 */
42 #ifndef HAVE_OPENSSL_EVP_H
43 #undef HAVE_LIBCRYPTO
44 #endif
45
46 #include "netdissect-stdinc.h"
47
48 #include <string.h>
49
50 #include "netdissect-ctype.h"
51
52 #include "netdissect.h"
53 #include "addrtoname.h"
54 #include "extract.h"
55
56 #include "ip.h"
57 #include "ip6.h"
58 #include "ipproto.h"
59
60 typedef nd_byte cookie_t[8];
61 typedef nd_byte msgid_t[4];
62
63 #define PORT_ISAKMP 500
64
65 /* 3.1 ISAKMP Header Format (IKEv1 and IKEv2)
66 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
67 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
68 ! Initiator !
69 ! Cookie !
70 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
71 ! Responder !
72 ! Cookie !
73 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
74 ! Next Payload ! MjVer ! MnVer ! Exchange Type ! Flags !
75 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
76 ! Message ID !
77 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
78 ! Length !
79 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
80 */
81 struct isakmp {
82 cookie_t i_ck; /* Initiator Cookie */
83 cookie_t r_ck; /* Responder Cookie */
84 nd_uint8_t np; /* Next Payload Type */
85 nd_uint8_t vers;
86 #define ISAKMP_VERS_MAJOR 0xf0
87 #define ISAKMP_VERS_MAJOR_SHIFT 4
88 #define ISAKMP_VERS_MINOR 0x0f
89 #define ISAKMP_VERS_MINOR_SHIFT 0
90 nd_uint8_t etype; /* Exchange Type */
91 nd_uint8_t flags; /* Flags */
92 msgid_t msgid;
93 nd_uint32_t len; /* Length */
94 };
95
96 /* Next Payload Type */
97 #define ISAKMP_NPTYPE_NONE 0 /* NONE*/
98 #define ISAKMP_NPTYPE_SA 1 /* Security Association */
99 #define ISAKMP_NPTYPE_P 2 /* Proposal */
100 #define ISAKMP_NPTYPE_T 3 /* Transform */
101 #define ISAKMP_NPTYPE_KE 4 /* Key Exchange */
102 #define ISAKMP_NPTYPE_ID 5 /* Identification */
103 #define ISAKMP_NPTYPE_CERT 6 /* Certificate */
104 #define ISAKMP_NPTYPE_CR 7 /* Certificate Request */
105 #define ISAKMP_NPTYPE_HASH 8 /* Hash */
106 #define ISAKMP_NPTYPE_SIG 9 /* Signature */
107 #define ISAKMP_NPTYPE_NONCE 10 /* Nonce */
108 #define ISAKMP_NPTYPE_N 11 /* Notification */
109 #define ISAKMP_NPTYPE_D 12 /* Delete */
110 #define ISAKMP_NPTYPE_VID 13 /* Vendor ID */
111 #define ISAKMP_NPTYPE_v2E 46 /* v2 Encrypted payload */
112
113 #define IKEv1_MAJOR_VERSION 1
114 #define IKEv1_MINOR_VERSION 0
115
116 #define IKEv2_MAJOR_VERSION 2
117 #define IKEv2_MINOR_VERSION 0
118
119 /* Flags */
120 #define ISAKMP_FLAG_E 0x01 /* Encryption Bit */
121 #define ISAKMP_FLAG_C 0x02 /* Commit Bit */
122 #define ISAKMP_FLAG_extra 0x04
123
124 /* IKEv2 */
125 #define ISAKMP_FLAG_I (1 << 3) /* (I)nitiator */
126 #define ISAKMP_FLAG_V (1 << 4) /* (V)ersion */
127 #define ISAKMP_FLAG_R (1 << 5) /* (R)esponse */
128
129
130 /* 3.2 Payload Generic Header
131 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
132 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
133 ! Next Payload ! RESERVED ! Payload Length !
134 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
135 */
136 struct isakmp_gen {
137 nd_uint8_t np; /* Next Payload */
138 nd_uint8_t critical; /* bit 7 - critical, rest is RESERVED */
139 nd_uint16_t len; /* Payload Length */
140 };
141
142 /* 3.3 Data Attributes
143 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
144 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
145 !A! Attribute Type ! AF=0 Attribute Length !
146 !F! ! AF=1 Attribute Value !
147 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
148 . AF=0 Attribute Value .
149 . AF=1 Not Transmitted .
150 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
151 */
152 struct isakmp_data {
153 nd_uint16_t type; /* defined by DOI-spec, and Attribute Format */
154 nd_uint16_t lorv; /* if f equal 1, Attribute Length */
155 /* if f equal 0, Attribute Value */
156 /* if f equal 1, Attribute Value */
157 };
158
159 /* 3.4 Security Association Payload */
160 /* MAY NOT be used, because of being defined in ipsec-doi. */
161 /*
162 If the current payload is the last in the message,
163 then the value of the next payload field will be 0.
164 This field MUST NOT contain the
165 values for the Proposal or Transform payloads as they are considered
166 part of the security association negotiation. For example, this
167 field would contain the value "10" (Nonce payload) in the first
168 message of a Base Exchange (see Section 4.4) and the value "0" in the
169 first message of an Identity Protect Exchange (see Section 4.5).
170 */
171 struct ikev1_pl_sa {
172 struct isakmp_gen h;
173 nd_uint32_t doi; /* Domain of Interpretation */
174 nd_uint32_t sit; /* Situation */
175 };
176
177 /* 3.5 Proposal Payload */
178 /*
179 The value of the next payload field MUST only contain the value "2"
180 or "0". If there are additional Proposal payloads in the message,
181 then this field will be 2. If the current Proposal payload is the
182 last within the security association proposal, then this field will
183 be 0.
184 */
185 struct ikev1_pl_p {
186 struct isakmp_gen h;
187 nd_uint8_t p_no; /* Proposal # */
188 nd_uint8_t prot_id; /* Protocol */
189 nd_uint8_t spi_size; /* SPI Size */
190 nd_uint8_t num_t; /* Number of Transforms */
191 /* SPI */
192 };
193
194 /* 3.6 Transform Payload */
195 /*
196 The value of the next payload field MUST only contain the value "3"
197 or "0". If there are additional Transform payloads in the proposal,
198 then this field will be 3. If the current Transform payload is the
199 last within the proposal, then this field will be 0.
200 */
201 struct ikev1_pl_t {
202 struct isakmp_gen h;
203 nd_uint8_t t_no; /* Transform # */
204 nd_uint8_t t_id; /* Transform-Id */
205 nd_byte reserved[2]; /* RESERVED2 */
206 /* SA Attributes */
207 };
208
209 /* 3.7 Key Exchange Payload */
210 struct ikev1_pl_ke {
211 struct isakmp_gen h;
212 /* Key Exchange Data */
213 };
214
215 /* 3.8 Identification Payload */
216 /* MUST NOT to be used, because of being defined in ipsec-doi. */
217 struct ikev1_pl_id {
218 struct isakmp_gen h;
219 union {
220 nd_uint8_t id_type; /* ID Type */
221 nd_uint32_t doi_data; /* DOI Specific ID Data */
222 } d;
223 /* Identification Data */
224 };
225
226 /* 3.9 Certificate Payload */
227 struct ikev1_pl_cert {
228 struct isakmp_gen h;
229 nd_uint8_t encode; /* Cert Encoding */
230 nd_uint8_t cert; /* Certificate Data */
231 /*
232 This field indicates the type of
233 certificate or certificate-related information contained in the
234 Certificate Data field.
235 */
236 };
237
238 /* 3.10 Certificate Request Payload */
239 struct ikev1_pl_cr {
240 struct isakmp_gen h;
241 nd_uint8_t num_cert; /* # Cert. Types */
242 /*
243 Certificate Types (variable length)
244 -- Contains a list of the types of certificates requested,
245 sorted in order of preference. Each individual certificate
246 type is 1 octet. This field is NOT requiredo
247 */
248 /* # Certificate Authorities (1 octet) */
249 /* Certificate Authorities (variable length) */
250 };
251
252 /* 3.11 Hash Payload */
253 /* may not be used, because of having only data. */
254 struct ikev1_pl_hash {
255 struct isakmp_gen h;
256 /* Hash Data */
257 };
258
259 /* 3.12 Signature Payload */
260 /* may not be used, because of having only data. */
261 struct ikev1_pl_sig {
262 struct isakmp_gen h;
263 /* Signature Data */
264 };
265
266 /* 3.13 Nonce Payload */
267 /* may not be used, because of having only data. */
268 struct ikev1_pl_nonce {
269 struct isakmp_gen h;
270 /* Nonce Data */
271 };
272
273 /* 3.14 Notification Payload */
274 struct ikev1_pl_n {
275 struct isakmp_gen h;
276 nd_uint32_t doi; /* Domain of Interpretation */
277 nd_uint8_t prot_id; /* Protocol-ID */
278 nd_uint8_t spi_size; /* SPI Size */
279 nd_uint16_t type; /* Notify Message Type */
280 /* SPI */
281 /* Notification Data */
282 };
283
284 /* 3.14.1 Notify Message Types */
285 /* NOTIFY MESSAGES - ERROR TYPES */
286 #define ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE 1
287 #define ISAKMP_NTYPE_DOI_NOT_SUPPORTED 2
288 #define ISAKMP_NTYPE_SITUATION_NOT_SUPPORTED 3
289 #define ISAKMP_NTYPE_INVALID_COOKIE 4
290 #define ISAKMP_NTYPE_INVALID_MAJOR_VERSION 5
291 #define ISAKMP_NTYPE_INVALID_MINOR_VERSION 6
292 #define ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE 7
293 #define ISAKMP_NTYPE_INVALID_FLAGS 8
294 #define ISAKMP_NTYPE_INVALID_MESSAGE_ID 9
295 #define ISAKMP_NTYPE_INVALID_PROTOCOL_ID 10
296 #define ISAKMP_NTYPE_INVALID_SPI 11
297 #define ISAKMP_NTYPE_INVALID_TRANSFORM_ID 12
298 #define ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED 13
299 #define ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN 14
300 #define ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX 15
301 #define ISAKMP_NTYPE_PAYLOAD_MALFORMED 16
302 #define ISAKMP_NTYPE_INVALID_KEY_INFORMATION 17
303 #define ISAKMP_NTYPE_INVALID_ID_INFORMATION 18
304 #define ISAKMP_NTYPE_INVALID_CERT_ENCODING 19
305 #define ISAKMP_NTYPE_INVALID_CERTIFICATE 20
306 #define ISAKMP_NTYPE_BAD_CERT_REQUEST_SYNTAX 21
307 #define ISAKMP_NTYPE_INVALID_CERT_AUTHORITY 22
308 #define ISAKMP_NTYPE_INVALID_HASH_INFORMATION 23
309 #define ISAKMP_NTYPE_AUTHENTICATION_FAILED 24
310 #define ISAKMP_NTYPE_INVALID_SIGNATURE 25
311 #define ISAKMP_NTYPE_ADDRESS_NOTIFICATION 26
312
313 /* 3.15 Delete Payload */
314 struct ikev1_pl_d {
315 struct isakmp_gen h;
316 nd_uint32_t doi; /* Domain of Interpretation */
317 nd_uint8_t prot_id; /* Protocol-Id */
318 nd_uint8_t spi_size; /* SPI Size */
319 nd_uint16_t num_spi; /* # of SPIs */
320 /* SPI(es) */
321 };
322
323 /* IKEv2 (RFC4306) */
324
325 /* 3.3 Security Association Payload -- generic header */
326 /* 3.3.1. Proposal Substructure */
327 struct ikev2_p {
328 struct isakmp_gen h;
329 nd_uint8_t p_no; /* Proposal # */
330 nd_uint8_t prot_id; /* Protocol */
331 nd_uint8_t spi_size; /* SPI Size */
332 nd_uint8_t num_t; /* Number of Transforms */
333 };
334
335 /* 3.3.2. Transform Substructure */
336 struct ikev2_t {
337 struct isakmp_gen h;
338 nd_uint8_t t_type; /* Transform Type (ENCR,PRF,INTEG,etc.*/
339 nd_byte res2; /* reserved byte */
340 nd_uint16_t t_id; /* Transform ID */
341 };
342
343 enum ikev2_t_type {
344 IV2_T_ENCR = 1,
345 IV2_T_PRF = 2,
346 IV2_T_INTEG= 3,
347 IV2_T_DH = 4,
348 IV2_T_ESN = 5
349 };
350
351 /* 3.4. Key Exchange Payload */
352 struct ikev2_ke {
353 struct isakmp_gen h;
354 nd_uint16_t ke_group;
355 nd_uint16_t ke_res1;
356 /* KE data */
357 };
358
359
360 /* 3.5. Identification Payloads */
361 enum ikev2_id_type {
362 ID_IPV4_ADDR=1,
363 ID_FQDN=2,
364 ID_RFC822_ADDR=3,
365 ID_IPV6_ADDR=5,
366 ID_DER_ASN1_DN=9,
367 ID_DER_ASN1_GN=10,
368 ID_KEY_ID=11
369 };
370 struct ikev2_id {
371 struct isakmp_gen h;
372 nd_uint8_t type; /* ID type */
373 nd_byte res1;
374 nd_byte res2[2];
375 /* SPI */
376 /* Notification Data */
377 };
378
379 /* 3.10 Notification Payload */
380 struct ikev2_n {
381 struct isakmp_gen h;
382 nd_uint8_t prot_id; /* Protocol-ID */
383 nd_uint8_t spi_size; /* SPI Size */
384 nd_uint16_t type; /* Notify Message Type */
385 };
386
387 enum ikev2_n_type {
388 IV2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD = 1,
389 IV2_NOTIFY_INVALID_IKE_SPI = 4,
390 IV2_NOTIFY_INVALID_MAJOR_VERSION = 5,
391 IV2_NOTIFY_INVALID_SYNTAX = 7,
392 IV2_NOTIFY_INVALID_MESSAGE_ID = 9,
393 IV2_NOTIFY_INVALID_SPI =11,
394 IV2_NOTIFY_NO_PROPOSAL_CHOSEN =14,
395 IV2_NOTIFY_INVALID_KE_PAYLOAD =17,
396 IV2_NOTIFY_AUTHENTICATION_FAILED =24,
397 IV2_NOTIFY_SINGLE_PAIR_REQUIRED =34,
398 IV2_NOTIFY_NO_ADDITIONAL_SAS =35,
399 IV2_NOTIFY_INTERNAL_ADDRESS_FAILURE =36,
400 IV2_NOTIFY_FAILED_CP_REQUIRED =37,
401 IV2_NOTIFY_INVALID_SELECTORS =39,
402 IV2_NOTIFY_INITIAL_CONTACT =16384,
403 IV2_NOTIFY_SET_WINDOW_SIZE =16385,
404 IV2_NOTIFY_ADDITIONAL_TS_POSSIBLE =16386,
405 IV2_NOTIFY_IPCOMP_SUPPORTED =16387,
406 IV2_NOTIFY_NAT_DETECTION_SOURCE_IP =16388,
407 IV2_NOTIFY_NAT_DETECTION_DESTINATION_IP =16389,
408 IV2_NOTIFY_COOKIE =16390,
409 IV2_NOTIFY_USE_TRANSPORT_MODE =16391,
410 IV2_NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED =16392,
411 IV2_NOTIFY_REKEY_SA =16393,
412 IV2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED =16394,
413 IV2_NOTIFY_NON_FIRST_FRAGMENTS_ALSO =16395
414 };
415
416 struct notify_messages {
417 uint16_t type;
418 char *msg;
419 };
420
421 /* 3.8 Authentication Payload */
422 struct ikev2_auth {
423 struct isakmp_gen h;
424 nd_uint8_t auth_method; /* Protocol-ID */
425 nd_byte reserved[3];
426 /* authentication data */
427 };
428
429 enum ikev2_auth_type {
430 IV2_RSA_SIG = 1,
431 IV2_SHARED = 2,
432 IV2_DSS_SIG = 3
433 };
434
435 /* refer to RFC 2409 */
436
437 #if 0
438 /* isakmp sa structure */
439 struct oakley_sa {
440 uint8_t proto_id; /* OAKLEY */
441 vchar_t *spi; /* spi */
442 uint8_t dhgrp; /* DH; group */
443 uint8_t auth_t; /* method of authentication */
444 uint8_t prf_t; /* type of prf */
445 uint8_t hash_t; /* type of hash */
446 uint8_t enc_t; /* type of cipher */
447 uint8_t life_t; /* type of duration of lifetime */
448 uint32_t ldur; /* life duration */
449 };
450 #endif
451
452 /* refer to RFC 2407 */
453
454 #define IPSEC_DOI 1
455
456 /* 4.2 IPSEC Situation Definition */
457 #define IPSECDOI_SIT_IDENTITY_ONLY 0x00000001
458 #define IPSECDOI_SIT_SECRECY 0x00000002
459 #define IPSECDOI_SIT_INTEGRITY 0x00000004
460
461 /* 4.4.1 IPSEC Security Protocol Identifiers */
462 /* 4.4.2 IPSEC ISAKMP Transform Values */
463 #define IPSECDOI_PROTO_ISAKMP 1
464 #define IPSECDOI_KEY_IKE 1
465
466 /* 4.4.1 IPSEC Security Protocol Identifiers */
467 #define IPSECDOI_PROTO_IPSEC_AH 2
468 /* 4.4.3 IPSEC AH Transform Values */
469 #define IPSECDOI_AH_MD5 2
470 #define IPSECDOI_AH_SHA 3
471 #define IPSECDOI_AH_DES 4
472 #define IPSECDOI_AH_SHA2_256 5
473 #define IPSECDOI_AH_SHA2_384 6
474 #define IPSECDOI_AH_SHA2_512 7
475
476 /* 4.4.1 IPSEC Security Protocol Identifiers */
477 #define IPSECDOI_PROTO_IPSEC_ESP 3
478 /* 4.4.4 IPSEC ESP Transform Identifiers */
479 #define IPSECDOI_ESP_DES_IV64 1
480 #define IPSECDOI_ESP_DES 2
481 #define IPSECDOI_ESP_3DES 3
482 #define IPSECDOI_ESP_RC5 4
483 #define IPSECDOI_ESP_IDEA 5
484 #define IPSECDOI_ESP_CAST 6
485 #define IPSECDOI_ESP_BLOWFISH 7
486 #define IPSECDOI_ESP_3IDEA 8
487 #define IPSECDOI_ESP_DES_IV32 9
488 #define IPSECDOI_ESP_RC4 10
489 #define IPSECDOI_ESP_NULL 11
490 #define IPSECDOI_ESP_RIJNDAEL 12
491 #define IPSECDOI_ESP_AES 12
492
493 /* 4.4.1 IPSEC Security Protocol Identifiers */
494 #define IPSECDOI_PROTO_IPCOMP 4
495 /* 4.4.5 IPSEC IPCOMP Transform Identifiers */
496 #define IPSECDOI_IPCOMP_OUI 1
497 #define IPSECDOI_IPCOMP_DEFLATE 2
498 #define IPSECDOI_IPCOMP_LZS 3
499
500 /* 4.5 IPSEC Security Association Attributes */
501 #define IPSECDOI_ATTR_SA_LTYPE 1 /* B */
502 #define IPSECDOI_ATTR_SA_LTYPE_DEFAULT 1
503 #define IPSECDOI_ATTR_SA_LTYPE_SEC 1
504 #define IPSECDOI_ATTR_SA_LTYPE_KB 2
505 #define IPSECDOI_ATTR_SA_LDUR 2 /* V */
506 #define IPSECDOI_ATTR_SA_LDUR_DEFAULT 28800 /* 8 hours */
507 #define IPSECDOI_ATTR_GRP_DESC 3 /* B */
508 #define IPSECDOI_ATTR_ENC_MODE 4 /* B */
509 /* default value: host dependent */
510 #define IPSECDOI_ATTR_ENC_MODE_TUNNEL 1
511 #define IPSECDOI_ATTR_ENC_MODE_TRNS 2
512 #define IPSECDOI_ATTR_AUTH 5 /* B */
513 /* 0 means not to use authentication. */
514 #define IPSECDOI_ATTR_AUTH_HMAC_MD5 1
515 #define IPSECDOI_ATTR_AUTH_HMAC_SHA1 2
516 #define IPSECDOI_ATTR_AUTH_DES_MAC 3
517 #define IPSECDOI_ATTR_AUTH_KPDK 4 /*RFC-1826(Key/Pad/Data/Key)*/
518 /*
519 * When negotiating ESP without authentication, the Auth
520 * Algorithm attribute MUST NOT be included in the proposal.
521 * When negotiating ESP without confidentiality, the Auth
522 * Algorithm attribute MUST be included in the proposal and
523 * the ESP transform ID must be ESP_NULL.
524 */
525 #define IPSECDOI_ATTR_KEY_LENGTH 6 /* B */
526 #define IPSECDOI_ATTR_KEY_ROUNDS 7 /* B */
527 #define IPSECDOI_ATTR_COMP_DICT_SIZE 8 /* B */
528 #define IPSECDOI_ATTR_COMP_PRIVALG 9 /* V */
529
530 /* 4.6.1 Security Association Payload */
531 struct ipsecdoi_sa {
532 struct isakmp_gen h;
533 nd_uint32_t doi; /* Domain of Interpretation */
534 nd_uint32_t sit; /* Situation */
535 };
536
537 struct ipsecdoi_secrecy_h {
538 nd_uint16_t len;
539 nd_uint16_t reserved;
540 };
541
542 /* 4.6.2.1 Identification Type Values */
543 struct ipsecdoi_id {
544 struct isakmp_gen h;
545 nd_uint8_t type; /* ID Type */
546 nd_uint8_t proto_id; /* Protocol ID */
547 nd_uint16_t port; /* Port */
548 /* Identification Data */
549 };
550
551 #define IPSECDOI_ID_IPV4_ADDR 1
552 #define IPSECDOI_ID_FQDN 2
553 #define IPSECDOI_ID_USER_FQDN 3
554 #define IPSECDOI_ID_IPV4_ADDR_SUBNET 4
555 #define IPSECDOI_ID_IPV6_ADDR 5
556 #define IPSECDOI_ID_IPV6_ADDR_SUBNET 6
557 #define IPSECDOI_ID_IPV4_ADDR_RANGE 7
558 #define IPSECDOI_ID_IPV6_ADDR_RANGE 8
559 #define IPSECDOI_ID_DER_ASN1_DN 9
560 #define IPSECDOI_ID_DER_ASN1_GN 10
561 #define IPSECDOI_ID_KEY_ID 11
562
563 /* 4.6.3 IPSEC DOI Notify Message Types */
564 /* Notify Messages - Status Types */
565 #define IPSECDOI_NTYPE_RESPONDER_LIFETIME 24576
566 #define IPSECDOI_NTYPE_REPLAY_STATUS 24577
567 #define IPSECDOI_NTYPE_INITIAL_CONTACT 24578
568
569 #define DECLARE_PRINTER(func) static const u_char *ike##func##_print( \
570 netdissect_options *ndo, u_char tpay, \
571 const struct isakmp_gen *ext, \
572 u_int item_len, \
573 const u_char *end_pointer, \
574 uint32_t phase,\
575 uint32_t doi0, \
576 uint32_t proto0, int depth)
577
578 DECLARE_PRINTER(v1_sa);
579 DECLARE_PRINTER(v1_p);
580 DECLARE_PRINTER(v1_t);
581 DECLARE_PRINTER(v1_ke);
582 DECLARE_PRINTER(v1_id);
583 DECLARE_PRINTER(v1_cert);
584 DECLARE_PRINTER(v1_cr);
585 DECLARE_PRINTER(v1_sig);
586 DECLARE_PRINTER(v1_hash);
587 DECLARE_PRINTER(v1_nonce);
588 DECLARE_PRINTER(v1_n);
589 DECLARE_PRINTER(v1_d);
590 DECLARE_PRINTER(v1_vid);
591
592 DECLARE_PRINTER(v2_sa);
593 DECLARE_PRINTER(v2_ke);
594 DECLARE_PRINTER(v2_ID);
595 DECLARE_PRINTER(v2_cert);
596 DECLARE_PRINTER(v2_cr);
597 DECLARE_PRINTER(v2_auth);
598 DECLARE_PRINTER(v2_nonce);
599 DECLARE_PRINTER(v2_n);
600 DECLARE_PRINTER(v2_d);
601 DECLARE_PRINTER(v2_vid);
602 DECLARE_PRINTER(v2_TS);
603 DECLARE_PRINTER(v2_cp);
604 DECLARE_PRINTER(v2_eap);
605
606 static const u_char *ikev2_e_print(netdissect_options *ndo,
607 const struct isakmp *base,
608 u_char tpay,
609 const struct isakmp_gen *ext,
610 u_int item_len,
611 const u_char *end_pointer,
612 uint32_t phase,
613 uint32_t doi0,
614 uint32_t proto0, int depth);
615
616
617 static const u_char *ike_sub0_print(netdissect_options *ndo,u_char, const struct isakmp_gen *,
618 const u_char *, uint32_t, uint32_t, uint32_t, int);
619 static const u_char *ikev1_sub_print(netdissect_options *ndo,u_char, const struct isakmp_gen *,
620 const u_char *, uint32_t, uint32_t, uint32_t, int);
621
622 static const u_char *ikev2_sub_print(netdissect_options *ndo,
623 const struct isakmp *base,
624 u_char np, const struct isakmp_gen *ext,
625 const u_char *ep, uint32_t phase,
626 uint32_t doi, uint32_t proto,
627 int depth);
628
629
630 static char *numstr(u_int);
631
632 static void
633 ikev1_print(netdissect_options *ndo,
634 const u_char *bp, u_int length,
635 const u_char *bp2, const struct isakmp *base);
636
637 #define MAXINITIATORS 20
638 static int ninitiator = 0;
639 union inaddr_u {
640 nd_ipv4 in4;
641 nd_ipv6 in6;
642 };
643 static struct {
644 cookie_t initiator;
645 u_int version;
646 union inaddr_u iaddr;
647 union inaddr_u raddr;
648 } cookiecache[MAXINITIATORS];
649
650 /* protocol id */
651 static const char *protoidstr[] = {
652 NULL, "isakmp", "ipsec-ah", "ipsec-esp", "ipcomp",
653 };
654
655 /* isakmp->np */
656 static const char *npstr[] = {
657 "none", "sa", "p", "t", "ke", "id", "cert", "cr", "hash", /* 0 - 8 */
658 "sig", "nonce", "n", "d", "vid", /* 9 - 13 */
659 "pay14", "pay15", "pay16", "pay17", "pay18", /* 14- 18 */
660 "pay19", "pay20", "pay21", "pay22", "pay23", /* 19- 23 */
661 "pay24", "pay25", "pay26", "pay27", "pay28", /* 24- 28 */
662 "pay29", "pay30", "pay31", "pay32", /* 29- 32 */
663 "v2sa", "v2ke", "v2IDi", "v2IDr", "v2cert",/* 33- 37 */
664 "v2cr", "v2auth","v2nonce", "v2n", "v2d", /* 38- 42 */
665 "v2vid", "v2TSi", "v2TSr", "v2e", "v2cp", /* 43- 47 */
666 "v2eap", /* 48 */
667
668 };
669
670 /* isakmp->np */
671 static const u_char *(*npfunc[])(netdissect_options *ndo, u_char tpay,
672 const struct isakmp_gen *ext,
673 u_int item_len,
674 const u_char *end_pointer,
675 uint32_t phase,
676 uint32_t doi0,
677 uint32_t proto0, int depth) = {
678 NULL,
679 ikev1_sa_print,
680 ikev1_p_print,
681 ikev1_t_print,
682 ikev1_ke_print,
683 ikev1_id_print,
684 ikev1_cert_print,
685 ikev1_cr_print,
686 ikev1_hash_print,
687 ikev1_sig_print,
688 ikev1_nonce_print,
689 ikev1_n_print,
690 ikev1_d_print,
691 ikev1_vid_print, /* 13 */
692 NULL, NULL, NULL, NULL, NULL, /* 14- 18 */
693 NULL, NULL, NULL, NULL, NULL, /* 19- 23 */
694 NULL, NULL, NULL, NULL, NULL, /* 24- 28 */
695 NULL, NULL, NULL, NULL, /* 29- 32 */
696 ikev2_sa_print, /* 33 */
697 ikev2_ke_print, /* 34 */
698 ikev2_ID_print, /* 35 */
699 ikev2_ID_print, /* 36 */
700 ikev2_cert_print, /* 37 */
701 ikev2_cr_print, /* 38 */
702 ikev2_auth_print, /* 39 */
703 ikev2_nonce_print, /* 40 */
704 ikev2_n_print, /* 41 */
705 ikev2_d_print, /* 42 */
706 ikev2_vid_print, /* 43 */
707 ikev2_TS_print, /* 44 */
708 ikev2_TS_print, /* 45 */
709 NULL, /* ikev2_e_print,*/ /* 46 - special */
710 ikev2_cp_print, /* 47 */
711 ikev2_eap_print, /* 48 */
712 };
713
714 /* isakmp->etype */
715 static const char *etypestr[] = {
716 /* IKEv1 exchange types */
717 "none", "base", "ident", "auth", "agg", "inf", NULL, NULL, /* 0-7 */
718 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 8-15 */
719 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 16-23 */
720 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 24-31 */
721 "oakley-quick", "oakley-newgroup", /* 32-33 */
722 /* IKEv2 exchange types */
723 "ikev2_init", "ikev2_auth", "child_sa", "inf2" /* 34-37 */
724 };
725
726 #define STR_OR_ID(x, tab) \
727 (((x) < sizeof(tab)/sizeof(tab[0]) && tab[(x)]) ? tab[(x)] : numstr(x))
728 #define PROTOIDSTR(x) STR_OR_ID(x, protoidstr)
729 #define NPSTR(x) STR_OR_ID(x, npstr)
730 #define ETYPESTR(x) STR_OR_ID(x, etypestr)
731
732 #define CHECKLEN(p, np) \
733 if (ep < (const u_char *)(p)) { \
734 ND_PRINT(" [|%s]", NPSTR(np)); \
735 goto done; \
736 }
737
738
739 #define NPFUNC(x) \
740 (((x) < sizeof(npfunc)/sizeof(npfunc[0]) && npfunc[(x)]) \
741 ? npfunc[(x)] : NULL)
742
743 static int
744 iszero(const u_char *p, size_t l)
745 {
746 while (l != 0) {
747 if (*p)
748 return 0;
749 p++;
750 l--;
751 }
752 return 1;
753 }
754
755 /* find cookie from initiator cache */
756 static int
757 cookie_find(const cookie_t *in)
758 {
759 int i;
760
761 for (i = 0; i < MAXINITIATORS; i++) {
762 if (memcmp(in, &cookiecache[i].initiator, sizeof(*in)) == 0)
763 return i;
764 }
765
766 return -1;
767 }
768
769 /* record initiator */
770 static void
771 cookie_record(netdissect_options *ndo, const cookie_t *in, const u_char *bp2)
772 {
773 int i;
774 const struct ip *ip;
775 const struct ip6_hdr *ip6;
776
777 i = cookie_find(in);
778 if (0 <= i) {
779 ninitiator = (i + 1) % MAXINITIATORS;
780 return;
781 }
782
783 ip = (const struct ip *)bp2;
784 switch (IP_V(ip)) {
785 case 4:
786 cookiecache[ninitiator].version = 4;
787 UNALIGNED_MEMCPY(&cookiecache[ninitiator].iaddr.in4,
788 ip->ip_src, sizeof(nd_ipv4));
789 UNALIGNED_MEMCPY(&cookiecache[ninitiator].raddr.in4,
790 ip->ip_dst, sizeof(nd_ipv4));
791 break;
792 case 6:
793 ip6 = (const struct ip6_hdr *)bp2;
794 cookiecache[ninitiator].version = 6;
795 UNALIGNED_MEMCPY(&cookiecache[ninitiator].iaddr.in6,
796 ip6->ip6_src, sizeof(nd_ipv6));
797 UNALIGNED_MEMCPY(&cookiecache[ninitiator].raddr.in6,
798 ip6->ip6_dst, sizeof(nd_ipv6));
799 break;
800 default:
801 return;
802 }
803 UNALIGNED_MEMCPY(&cookiecache[ninitiator].initiator, in, sizeof(*in));
804 ninitiator = (ninitiator + 1) % MAXINITIATORS;
805 }
806
807 #define cookie_isinitiator(ndo, x, y) cookie_sidecheck(ndo, (x), (y), 1)
808 #define cookie_isresponder(ndo, x, y) cookie_sidecheck(ndo, (x), (y), 0)
809 static int
810 cookie_sidecheck(netdissect_options *ndo, int i, const u_char *bp2, int initiator)
811 {
812 const struct ip *ip;
813 const struct ip6_hdr *ip6;
814
815 ip = (const struct ip *)bp2;
816 switch (IP_V(ip)) {
817 case 4:
818 if (cookiecache[i].version != 4)
819 return 0;
820 if (initiator) {
821 if (UNALIGNED_MEMCMP(ip->ip_src, &cookiecache[i].iaddr.in4, sizeof(nd_ipv4)) == 0)
822 return 1;
823 } else {
824 if (UNALIGNED_MEMCMP(ip->ip_src, &cookiecache[i].raddr.in4, sizeof(nd_ipv4)) == 0)
825 return 1;
826 }
827 break;
828 case 6:
829 if (cookiecache[i].version != 6)
830 return 0;
831 ip6 = (const struct ip6_hdr *)bp2;
832 if (initiator) {
833 if (UNALIGNED_MEMCMP(ip6->ip6_src, &cookiecache[i].iaddr.in6, sizeof(nd_ipv6)) == 0)
834 return 1;
835 } else {
836 if (UNALIGNED_MEMCMP(ip6->ip6_src, &cookiecache[i].raddr.in6, sizeof(nd_ipv6)) == 0)
837 return 1;
838 }
839 break;
840 default:
841 break;
842 }
843
844 return 0;
845 }
846
847 static void
848 hexprint(netdissect_options *ndo, const uint8_t *loc, size_t len)
849 {
850 const uint8_t *p;
851 size_t i;
852
853 p = loc;
854 for (i = 0; i < len; i++)
855 ND_PRINT("%02x", p[i] & 0xff);
856 }
857
858 static int
859 rawprint(netdissect_options *ndo, const uint8_t *loc, size_t len)
860 {
861 ND_TCHECK_LEN(loc, len);
862
863 hexprint(ndo, loc, len);
864 return 1;
865 trunc:
866 return 0;
867 }
868
869
870 /*
871 * returns false if we run out of data buffer
872 */
873 static int ike_show_somedata(netdissect_options *ndo,
874 const u_char *cp, const u_char *ep)
875 {
876 /* there is too much data, just show some of it */
877 const u_char *end = ep - 20;
878 size_t elen = 20;
879 size_t len = ep - cp;
880 if(len > 10) {
881 len = 10;
882 }
883
884 /* really shouldn't happen because of above */
885 if(end < cp + len) {
886 end = cp+len;
887 elen = ep - end;
888 }
889
890 ND_PRINT(" data=(");
891 if(!rawprint(ndo, (const uint8_t *)(cp), len)) goto trunc;
892 ND_PRINT("...");
893 if(elen) {
894 if(!rawprint(ndo, (const uint8_t *)(end), elen)) goto trunc;
895 }
896 ND_PRINT(")");
897 return 1;
898
899 trunc:
900 return 0;
901 }
902
903 struct attrmap {
904 const char *type;
905 u_int nvalue;
906 const char *value[30]; /*XXX*/
907 };
908
909 static const u_char *
910 ikev1_attrmap_print(netdissect_options *ndo,
911 const u_char *p, const u_char *ep2,
912 const struct attrmap *map, size_t nmap)
913 {
914 u_int totlen;
915 uint32_t t, v;
916
917 ND_TCHECK_1(p);
918 if (GET_U_1(p) & 0x80)
919 totlen = 4;
920 else {
921 ND_TCHECK_2(p + 2);
922 totlen = 4 + GET_BE_U_2(p + 2);
923 }
924 if (ep2 < p + totlen) {
925 ND_PRINT("[|attr]");
926 return ep2 + 1;
927 }
928
929 ND_TCHECK_2(p);
930 ND_PRINT("(");
931 t = GET_BE_U_2(p) & 0x7fff;
932 if (map && t < nmap && map[t].type)
933 ND_PRINT("type=%s ", map[t].type);
934 else
935 ND_PRINT("type=#%u ", t);
936 if (GET_U_1(p) & 0x80) {
937 ND_PRINT("value=");
938 ND_TCHECK_2(p + 2);
939 v = GET_BE_U_2(p + 2);
940 if (map && t < nmap && v < map[t].nvalue && map[t].value[v])
941 ND_PRINT("%s", map[t].value[v]);
942 else {
943 if (!rawprint(ndo, (const uint8_t *)(p + 2), 2)) {
944 ND_PRINT(")");
945 goto trunc;
946 }
947 }
948 } else {
949 ND_PRINT("len=%u value=", totlen - 4);
950 if (!rawprint(ndo, (const uint8_t *)(p + 4), totlen - 4)) {
951 ND_PRINT(")");
952 goto trunc;
953 }
954 }
955 ND_PRINT(")");
956 return p + totlen;
957
958 trunc:
959 return NULL;
960 }
961
962 static const u_char *
963 ikev1_attr_print(netdissect_options *ndo, const u_char *p, const u_char *ep2)
964 {
965 u_int totlen;
966 uint32_t t;
967
968 ND_TCHECK_1(p);
969 if (GET_U_1(p) & 0x80)
970 totlen = 4;
971 else {
972 ND_TCHECK_2(p + 2);
973 totlen = 4 + GET_BE_U_2(p + 2);
974 }
975 if (ep2 < p + totlen) {
976 ND_PRINT("[|attr]");
977 return ep2 + 1;
978 }
979
980 ND_TCHECK_2(p);
981 ND_PRINT("(");
982 t = GET_BE_U_2(p) & 0x7fff;
983 ND_PRINT("type=#%u ", t);
984 if (GET_U_1(p) & 0x80) {
985 ND_PRINT("value=");
986 t = GET_U_1(p + 2);
987 if (!rawprint(ndo, (const uint8_t *)(p + 2), 2)) {
988 ND_PRINT(")");
989 goto trunc;
990 }
991 } else {
992 ND_PRINT("len=%u value=", totlen - 4);
993 if (!rawprint(ndo, (const uint8_t *)(p + 4), totlen - 4)) {
994 ND_PRINT(")");
995 goto trunc;
996 }
997 }
998 ND_PRINT(")");
999 return p + totlen;
1000
1001 trunc:
1002 return NULL;
1003 }
1004
1005 static const u_char *
1006 ikev1_sa_print(netdissect_options *ndo, u_char tpay _U_,
1007 const struct isakmp_gen *ext,
1008 u_int item_len _U_,
1009 const u_char *ep, uint32_t phase, uint32_t doi0 _U_,
1010 uint32_t proto0, int depth)
1011 {
1012 const struct ikev1_pl_sa *p;
1013 uint32_t doi, sit, ident;
1014 const u_char *cp, *np;
1015 int t;
1016
1017 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_SA));
1018
1019 p = (const struct ikev1_pl_sa *)ext;
1020 ND_TCHECK_SIZE(p);
1021 doi = GET_BE_U_4(p->doi);
1022 sit = GET_BE_U_4(p->sit);
1023 if (doi != 1) {
1024 ND_PRINT(" doi=%u", doi);
1025 ND_PRINT(" situation=%u", sit);
1026 return (const u_char *)(p + 1);
1027 }
1028
1029 ND_PRINT(" doi=ipsec");
1030 ND_PRINT(" situation=");
1031 t = 0;
1032 if (sit & 0x01) {
1033 ND_PRINT("identity");
1034 t++;
1035 }
1036 if (sit & 0x02) {
1037 ND_PRINT("%ssecrecy", t ? "+" : "");
1038 t++;
1039 }
1040 if (sit & 0x04)
1041 ND_PRINT("%sintegrity", t ? "+" : "");
1042
1043 np = (const u_char *)ext + sizeof(struct ikev1_pl_sa);
1044 if (sit != 0x01) {
1045 ND_TCHECK_4(ext + 1);
1046 ident = GET_BE_U_4(ext + 1);
1047 ND_PRINT(" ident=%u", ident);
1048 np += sizeof(ident);
1049 }
1050
1051 ext = (const struct isakmp_gen *)np;
1052 ND_TCHECK_SIZE(ext);
1053
1054 cp = ikev1_sub_print(ndo, ISAKMP_NPTYPE_P, ext, ep, phase, doi, proto0,
1055 depth);
1056
1057 return cp;
1058 trunc:
1059 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_SA));
1060 return NULL;
1061 }
1062
1063 static const u_char *
1064 ikev1_p_print(netdissect_options *ndo, u_char tpay _U_,
1065 const struct isakmp_gen *ext, u_int item_len _U_,
1066 const u_char *ep, uint32_t phase, uint32_t doi0,
1067 uint32_t proto0 _U_, int depth)
1068 {
1069 const struct ikev1_pl_p *p;
1070 const u_char *cp;
1071 uint8_t spi_size;
1072
1073 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_P));
1074
1075 p = (const struct ikev1_pl_p *)ext;
1076 ND_TCHECK_SIZE(p);
1077 ND_PRINT(" #%u protoid=%s transform=%u",
1078 GET_U_1(p->p_no), PROTOIDSTR(GET_U_1(p->prot_id)),
1079 GET_U_1(p->num_t));
1080 spi_size = GET_U_1(p->spi_size);
1081 if (spi_size) {
1082 ND_PRINT(" spi=");
1083 if (!rawprint(ndo, (const uint8_t *)(p + 1), spi_size))
1084 goto trunc;
1085 }
1086
1087 ext = (const struct isakmp_gen *)((const u_char *)(p + 1) + spi_size);
1088 ND_TCHECK_SIZE(ext);
1089
1090 cp = ikev1_sub_print(ndo, ISAKMP_NPTYPE_T, ext, ep, phase, doi0,
1091 GET_U_1(p->prot_id), depth);
1092
1093 return cp;
1094 trunc:
1095 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_P));
1096 return NULL;
1097 }
1098
1099 static const char *ikev1_p_map[] = {
1100 NULL, "ike",
1101 };
1102
1103 static const char *ikev2_t_type_map[]={
1104 NULL, "encr", "prf", "integ", "dh", "esn"
1105 };
1106
1107 static const char *ah_p_map[] = {
1108 NULL, "(reserved)", "md5", "sha", "1des",
1109 "sha2-256", "sha2-384", "sha2-512",
1110 };
1111
1112 static const char *prf_p_map[] = {
1113 NULL, "hmac-md5", "hmac-sha", "hmac-tiger",
1114 "aes128_xcbc"
1115 };
1116
1117 static const char *integ_p_map[] = {
1118 NULL, "hmac-md5", "hmac-sha", "dec-mac",
1119 "kpdk-md5", "aes-xcbc"
1120 };
1121
1122 static const char *esn_p_map[] = {
1123 "no-esn", "esn"
1124 };
1125
1126 static const char *dh_p_map[] = {
1127 NULL, "modp768",
1128 "modp1024", /* group 2 */
1129 "EC2N 2^155", /* group 3 */
1130 "EC2N 2^185", /* group 4 */
1131 "modp1536", /* group 5 */
1132 "iana-grp06", "iana-grp07", /* reserved */
1133 "iana-grp08", "iana-grp09",
1134 "iana-grp10", "iana-grp11",
1135 "iana-grp12", "iana-grp13",
1136 "modp2048", /* group 14 */
1137 "modp3072", /* group 15 */
1138 "modp4096", /* group 16 */
1139 "modp6144", /* group 17 */
1140 "modp8192", /* group 18 */
1141 };
1142
1143 static const char *esp_p_map[] = {
1144 NULL, "1des-iv64", "1des", "3des", "rc5", "idea", "cast",
1145 "blowfish", "3idea", "1des-iv32", "rc4", "null", "aes"
1146 };
1147
1148 static const char *ipcomp_p_map[] = {
1149 NULL, "oui", "deflate", "lzs",
1150 };
1151
1152 static const struct attrmap ipsec_t_map[] = {
1153 { NULL, 0, { NULL } },
1154 { "lifetype", 3, { NULL, "sec", "kb", }, },
1155 { "life", 0, { NULL } },
1156 { "group desc", 18, { NULL, "modp768",
1157 "modp1024", /* group 2 */
1158 "EC2N 2^155", /* group 3 */
1159 "EC2N 2^185", /* group 4 */
1160 "modp1536", /* group 5 */
1161 "iana-grp06", "iana-grp07", /* reserved */
1162 "iana-grp08", "iana-grp09",
1163 "iana-grp10", "iana-grp11",
1164 "iana-grp12", "iana-grp13",
1165 "modp2048", /* group 14 */
1166 "modp3072", /* group 15 */
1167 "modp4096", /* group 16 */
1168 "modp6144", /* group 17 */
1169 "modp8192", /* group 18 */
1170 }, },
1171 { "enc mode", 3, { NULL, "tunnel", "transport", }, },
1172 { "auth", 5, { NULL, "hmac-md5", "hmac-sha1", "1des-mac", "keyed", }, },
1173 { "keylen", 0, { NULL } },
1174 { "rounds", 0, { NULL } },
1175 { "dictsize", 0, { NULL } },
1176 { "privalg", 0, { NULL } },
1177 };
1178
1179 static const struct attrmap encr_t_map[] = {
1180 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 0, 1 */
1181 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 2, 3 */
1182 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 4, 5 */
1183 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 6, 7 */
1184 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 8, 9 */
1185 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 10,11*/
1186 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 12,13*/
1187 { "keylen", 14, { NULL }},
1188 };
1189
1190 static const struct attrmap oakley_t_map[] = {
1191 { NULL, 0, { NULL } },
1192 { "enc", 8, { NULL, "1des", "idea", "blowfish", "rc5",
1193 "3des", "cast", "aes", }, },
1194 { "hash", 7, { NULL, "md5", "sha1", "tiger",
1195 "sha2-256", "sha2-384", "sha2-512", }, },
1196 { "auth", 6, { NULL, "preshared", "dss", "rsa sig", "rsa enc",
1197 "rsa enc revised", }, },
1198 { "group desc", 18, { NULL, "modp768",
1199 "modp1024", /* group 2 */
1200 "EC2N 2^155", /* group 3 */
1201 "EC2N 2^185", /* group 4 */
1202 "modp1536", /* group 5 */
1203 "iana-grp06", "iana-grp07", /* reserved */
1204 "iana-grp08", "iana-grp09",
1205 "iana-grp10", "iana-grp11",
1206 "iana-grp12", "iana-grp13",
1207 "modp2048", /* group 14 */
1208 "modp3072", /* group 15 */
1209 "modp4096", /* group 16 */
1210 "modp6144", /* group 17 */
1211 "modp8192", /* group 18 */
1212 }, },
1213 { "group type", 4, { NULL, "MODP", "ECP", "EC2N", }, },
1214 { "group prime", 0, { NULL } },
1215 { "group gen1", 0, { NULL } },
1216 { "group gen2", 0, { NULL } },
1217 { "group curve A", 0, { NULL } },
1218 { "group curve B", 0, { NULL } },
1219 { "lifetype", 3, { NULL, "sec", "kb", }, },
1220 { "lifeduration", 0, { NULL } },
1221 { "prf", 0, { NULL } },
1222 { "keylen", 0, { NULL } },
1223 { "field", 0, { NULL } },
1224 { "order", 0, { NULL } },
1225 };
1226
1227 static const u_char *
1228 ikev1_t_print(netdissect_options *ndo, u_char tpay _U_,
1229 const struct isakmp_gen *ext, u_int item_len,
1230 const u_char *ep, uint32_t phase _U_, uint32_t doi _U_,
1231 uint32_t proto, int depth _U_)
1232 {
1233 const struct ikev1_pl_t *p;
1234 const u_char *cp;
1235 const char *idstr;
1236 const struct attrmap *map;
1237 size_t nmap;
1238 const u_char *ep2;
1239
1240 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_T));
1241
1242 p = (const struct ikev1_pl_t *)ext;
1243 ND_TCHECK_SIZE(p);
1244
1245 switch (proto) {
1246 case 1:
1247 idstr = STR_OR_ID(GET_U_1(p->t_id), ikev1_p_map);
1248 map = oakley_t_map;
1249 nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]);
1250 break;
1251 case 2:
1252 idstr = STR_OR_ID(GET_U_1(p->t_id), ah_p_map);
1253 map = ipsec_t_map;
1254 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
1255 break;
1256 case 3:
1257 idstr = STR_OR_ID(GET_U_1(p->t_id), esp_p_map);
1258 map = ipsec_t_map;
1259 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
1260 break;
1261 case 4:
1262 idstr = STR_OR_ID(GET_U_1(p->t_id), ipcomp_p_map);
1263 map = ipsec_t_map;
1264 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
1265 break;
1266 default:
1267 idstr = NULL;
1268 map = NULL;
1269 nmap = 0;
1270 break;
1271 }
1272
1273 if (idstr)
1274 ND_PRINT(" #%u id=%s ", GET_U_1(p->t_no), idstr);
1275 else
1276 ND_PRINT(" #%u id=%u ", GET_U_1(p->t_no), GET_U_1(p->t_id));
1277 cp = (const u_char *)(p + 1);
1278 ep2 = (const u_char *)p + item_len;
1279 while (cp < ep && cp < ep2) {
1280 if (map && nmap)
1281 cp = ikev1_attrmap_print(ndo, cp, ep2, map, nmap);
1282 else
1283 cp = ikev1_attr_print(ndo, cp, ep2);
1284 if (cp == NULL)
1285 goto trunc;
1286 }
1287 if (ep < ep2)
1288 ND_PRINT("...");
1289 return cp;
1290 trunc:
1291 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_T));
1292 return NULL;
1293 }
1294
1295 static const u_char *
1296 ikev1_ke_print(netdissect_options *ndo, u_char tpay _U_,
1297 const struct isakmp_gen *ext, u_int item_len,
1298 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_,
1299 uint32_t proto _U_, int depth _U_)
1300 {
1301 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_KE));
1302
1303 ND_TCHECK_SIZE(ext);
1304 /*
1305 * Our caller has ensured that the length is >= 4.
1306 */
1307 ND_PRINT(" key len=%u", item_len - 4);
1308 if (2 < ndo->ndo_vflag && item_len > 4) {
1309 /* Print the entire payload in hex */
1310 ND_PRINT(" ");
1311 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1312 goto trunc;
1313 }
1314 return (const u_char *)ext + item_len;
1315 trunc:
1316 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_KE));
1317 return NULL;
1318 }
1319
1320 static const u_char *
1321 ikev1_id_print(netdissect_options *ndo, u_char tpay _U_,
1322 const struct isakmp_gen *ext, u_int item_len,
1323 const u_char *ep _U_, uint32_t phase, uint32_t doi _U_,
1324 uint32_t proto _U_, int depth _U_)
1325 {
1326 #define USE_IPSECDOI_IN_PHASE1 1
1327 const struct ikev1_pl_id *p;
1328 static const char *idtypestr[] = {
1329 "IPv4", "IPv4net", "IPv6", "IPv6net",
1330 };
1331 static const char *ipsecidtypestr[] = {
1332 NULL, "IPv4", "FQDN", "user FQDN", "IPv4net", "IPv6",
1333 "IPv6net", "IPv4range", "IPv6range", "ASN1 DN", "ASN1 GN",
1334 "keyid",
1335 };
1336 u_int len;
1337 const u_char *data;
1338
1339 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_ID));
1340
1341 p = (const struct ikev1_pl_id *)ext;
1342 ND_TCHECK_SIZE(p);
1343 if (sizeof(*p) < item_len) {
1344 data = (const u_char *)(p + 1);
1345 len = item_len - sizeof(*p);
1346 } else {
1347 data = NULL;
1348 len = 0;
1349 }
1350
1351 #if 0 /*debug*/
1352 ND_PRINT(" [phase=%u doi=%u proto=%u]", phase, doi, proto);
1353 #endif
1354 switch (phase) {
1355 #ifndef USE_IPSECDOI_IN_PHASE1
1356 case 1:
1357 #endif
1358 default:
1359 ND_PRINT(" idtype=%s",
1360 STR_OR_ID(GET_U_1(p->d.id_type), idtypestr));
1361 ND_PRINT(" doi_data=%u",
1362 GET_BE_U_4(p->d.doi_data) & 0xffffff);
1363 break;
1364
1365 #ifdef USE_IPSECDOI_IN_PHASE1
1366 case 1:
1367 #endif
1368 case 2:
1369 {
1370 const struct ipsecdoi_id *doi_p;
1371 const char *p_name;
1372 uint8_t type, proto_id;
1373
1374 doi_p = (const struct ipsecdoi_id *)ext;
1375 ND_TCHECK_SIZE(doi_p);
1376 type = GET_U_1(doi_p->type);
1377 ND_PRINT(" idtype=%s", STR_OR_ID(type, ipsecidtypestr));
1378 /* A protocol ID of 0 DOES NOT mean IPPROTO_IP! */
1379 proto_id = GET_U_1(doi_p->proto_id);
1380 if (!ndo->ndo_nflag && proto_id && (p_name = netdb_protoname(proto_id)) != NULL)
1381 ND_PRINT(" protoid=%s", p_name);
1382 else
1383 ND_PRINT(" protoid=%u", proto_id);
1384 ND_PRINT(" port=%u", GET_BE_U_2(doi_p->port));
1385 if (!len)
1386 break;
1387 if (data == NULL)
1388 goto trunc;
1389 ND_TCHECK_LEN(data, len);
1390 switch (type) {
1391 case IPSECDOI_ID_IPV4_ADDR:
1392 if (len < 4)
1393 ND_PRINT(" len=%u [bad: < 4]", len);
1394 else
1395 ND_PRINT(" len=%u %s", len, GET_IPADDR_STRING(data));
1396 len = 0;
1397 break;
1398 case IPSECDOI_ID_FQDN:
1399 case IPSECDOI_ID_USER_FQDN:
1400 {
1401 u_int i;
1402 ND_PRINT(" len=%u ", len);
1403 for (i = 0; i < len; i++)
1404 fn_print_char(ndo, GET_U_1(data + i));
1405 len = 0;
1406 break;
1407 }
1408 case IPSECDOI_ID_IPV4_ADDR_SUBNET:
1409 {
1410 const u_char *mask;
1411 if (len < 8)
1412 ND_PRINT(" len=%u [bad: < 8]", len);
1413 else {
1414 mask = data + sizeof(nd_ipv4);
1415 ND_PRINT(" len=%u %s/%u.%u.%u.%u", len,
1416 GET_IPADDR_STRING(data),
1417 GET_U_1(mask), GET_U_1(mask + 1),
1418 GET_U_1(mask + 2),
1419 GET_U_1(mask + 3));
1420 }
1421 len = 0;
1422 break;
1423 }
1424 case IPSECDOI_ID_IPV6_ADDR:
1425 if (len < 16)
1426 ND_PRINT(" len=%u [bad: < 16]", len);
1427 else
1428 ND_PRINT(" len=%u %s", len, GET_IP6ADDR_STRING(data));
1429 len = 0;
1430 break;
1431 case IPSECDOI_ID_IPV6_ADDR_SUBNET:
1432 {
1433 const u_char *mask;
1434 if (len < 32)
1435 ND_PRINT(" len=%u [bad: < 32]", len);
1436 else {
1437 mask = (const u_char *)(data + sizeof(nd_ipv6));
1438 /*XXX*/
1439 ND_PRINT(" len=%u %s/0x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x", len,
1440 GET_IP6ADDR_STRING(data),
1441 GET_U_1(mask), GET_U_1(mask + 1),
1442 GET_U_1(mask + 2),
1443 GET_U_1(mask + 3),
1444 GET_U_1(mask + 4),
1445 GET_U_1(mask + 5),
1446 GET_U_1(mask + 6),
1447 GET_U_1(mask + 7),
1448 GET_U_1(mask + 8),
1449 GET_U_1(mask + 9),
1450 GET_U_1(mask + 10),
1451 GET_U_1(mask + 11),
1452 GET_U_1(mask + 12),
1453 GET_U_1(mask + 13),
1454 GET_U_1(mask + 14),
1455 GET_U_1(mask + 15));
1456 }
1457 len = 0;
1458 break;
1459 }
1460 case IPSECDOI_ID_IPV4_ADDR_RANGE:
1461 if (len < 8)
1462 ND_PRINT(" len=%u [bad: < 8]", len);
1463 else {
1464 ND_PRINT(" len=%u %s-%s", len,
1465 GET_IPADDR_STRING(data),
1466 GET_IPADDR_STRING(data + sizeof(nd_ipv4)));
1467 }
1468 len = 0;
1469 break;
1470 case IPSECDOI_ID_IPV6_ADDR_RANGE:
1471 if (len < 32)
1472 ND_PRINT(" len=%u [bad: < 32]", len);
1473 else {
1474 ND_PRINT(" len=%u %s-%s", len,
1475 GET_IP6ADDR_STRING(data),
1476 GET_IP6ADDR_STRING(data + sizeof(nd_ipv6)));
1477 }
1478 len = 0;
1479 break;
1480 case IPSECDOI_ID_DER_ASN1_DN:
1481 case IPSECDOI_ID_DER_ASN1_GN:
1482 case IPSECDOI_ID_KEY_ID:
1483 break;
1484 }
1485 break;
1486 }
1487 }
1488 if (data && len) {
1489 ND_PRINT(" len=%u", len);
1490 if (2 < ndo->ndo_vflag) {
1491 ND_PRINT(" ");
1492 if (!rawprint(ndo, (const uint8_t *)data, len))
1493 goto trunc;
1494 }
1495 }
1496 return (const u_char *)ext + item_len;
1497 trunc:
1498 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_ID));
1499 return NULL;
1500 }
1501
1502 static const u_char *
1503 ikev1_cert_print(netdissect_options *ndo, u_char tpay _U_,
1504 const struct isakmp_gen *ext, u_int item_len,
1505 const u_char *ep _U_, uint32_t phase _U_,
1506 uint32_t doi0 _U_,
1507 uint32_t proto0 _U_, int depth _U_)
1508 {
1509 const struct ikev1_pl_cert *p;
1510 static const char *certstr[] = {
1511 "none", "pkcs7", "pgp", "dns",
1512 "x509sign", "x509ke", "kerberos", "crl",
1513 "arl", "spki", "x509attr",
1514 };
1515
1516 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_CERT));
1517
1518 p = (const struct ikev1_pl_cert *)ext;
1519 ND_TCHECK_SIZE(p);
1520 /*
1521 * Our caller has ensured that the length is >= 4.
1522 */
1523 ND_PRINT(" len=%u", item_len - 4);
1524 ND_PRINT(" type=%s", STR_OR_ID(GET_U_1(p->encode), certstr));
1525 if (2 < ndo->ndo_vflag && 4 < item_len) {
1526 /* Print the entire payload in hex */
1527 ND_PRINT(" ");
1528 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1529 goto trunc;
1530 }
1531 return (const u_char *)ext + item_len;
1532 trunc:
1533 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_CERT));
1534 return NULL;
1535 }
1536
1537 static const u_char *
1538 ikev1_cr_print(netdissect_options *ndo, u_char tpay _U_,
1539 const struct isakmp_gen *ext, u_int item_len,
1540 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi0 _U_,
1541 uint32_t proto0 _U_, int depth _U_)
1542 {
1543 const struct ikev1_pl_cert *p;
1544 static const char *certstr[] = {
1545 "none", "pkcs7", "pgp", "dns",
1546 "x509sign", "x509ke", "kerberos", "crl",
1547 "arl", "spki", "x509attr",
1548 };
1549
1550 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_CR));
1551
1552 p = (const struct ikev1_pl_cert *)ext;
1553 ND_TCHECK_SIZE(p);
1554 /*
1555 * Our caller has ensured that the length is >= 4.
1556 */
1557 ND_PRINT(" len=%u", item_len - 4);
1558 ND_PRINT(" type=%s", STR_OR_ID(GET_U_1(p->encode), certstr));
1559 if (2 < ndo->ndo_vflag && 4 < item_len) {
1560 /* Print the entire payload in hex */
1561 ND_PRINT(" ");
1562 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1563 goto trunc;
1564 }
1565 return (const u_char *)ext + item_len;
1566 trunc:
1567 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_CR));
1568 return NULL;
1569 }
1570
1571 static const u_char *
1572 ikev1_hash_print(netdissect_options *ndo, u_char tpay _U_,
1573 const struct isakmp_gen *ext, u_int item_len,
1574 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_,
1575 uint32_t proto _U_, int depth _U_)
1576 {
1577 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_HASH));
1578
1579 ND_TCHECK_SIZE(ext);
1580 /*
1581 * Our caller has ensured that the length is >= 4.
1582 */
1583 ND_PRINT(" len=%u", item_len - 4);
1584 if (2 < ndo->ndo_vflag && 4 < item_len) {
1585 /* Print the entire payload in hex */
1586 ND_PRINT(" ");
1587 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1588 goto trunc;
1589 }
1590 return (const u_char *)ext + item_len;
1591 trunc:
1592 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_HASH));
1593 return NULL;
1594 }
1595
1596 static const u_char *
1597 ikev1_sig_print(netdissect_options *ndo, u_char tpay _U_,
1598 const struct isakmp_gen *ext, u_int item_len,
1599 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_,
1600 uint32_t proto _U_, int depth _U_)
1601 {
1602 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_SIG));
1603
1604 ND_TCHECK_SIZE(ext);
1605 /*
1606 * Our caller has ensured that the length is >= 4.
1607 */
1608 ND_PRINT(" len=%u", item_len - 4);
1609 if (2 < ndo->ndo_vflag && 4 < item_len) {
1610 /* Print the entire payload in hex */
1611 ND_PRINT(" ");
1612 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1613 goto trunc;
1614 }
1615 return (const u_char *)ext + item_len;
1616 trunc:
1617 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_SIG));
1618 return NULL;
1619 }
1620
1621 static const u_char *
1622 ikev1_nonce_print(netdissect_options *ndo, u_char tpay _U_,
1623 const struct isakmp_gen *ext,
1624 u_int item_len,
1625 const u_char *ep,
1626 uint32_t phase _U_, uint32_t doi _U_,
1627 uint32_t proto _U_, int depth _U_)
1628 {
1629 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_NONCE));
1630
1631 ND_TCHECK_SIZE(ext);
1632 /*
1633 * Our caller has ensured that the length is >= 4.
1634 */
1635 ND_PRINT(" n len=%u", item_len - 4);
1636 if (item_len > 4) {
1637 if (ndo->ndo_vflag > 2) {
1638 ND_PRINT(" ");
1639 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1640 goto trunc;
1641 } else if (ndo->ndo_vflag > 1) {
1642 ND_PRINT(" ");
1643 if (!ike_show_somedata(ndo, (const u_char *)(ext + 1), ep))
1644 goto trunc;
1645 }
1646 }
1647 return (const u_char *)ext + item_len;
1648 trunc:
1649 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_NONCE));
1650 return NULL;
1651 }
1652
1653 static const u_char *
1654 ikev1_n_print(netdissect_options *ndo, u_char tpay _U_,
1655 const struct isakmp_gen *ext, u_int item_len,
1656 const u_char *ep, uint32_t phase _U_, uint32_t doi0 _U_,
1657 uint32_t proto0 _U_, int depth _U_)
1658 {
1659 const struct ikev1_pl_n *p;
1660 const u_char *cp;
1661 const u_char *ep2;
1662 uint32_t doi;
1663 uint32_t proto;
1664 uint16_t type;
1665 uint8_t spi_size;
1666 static const char *notify_error_str[] = {
1667 NULL, "INVALID-PAYLOAD-TYPE",
1668 "DOI-NOT-SUPPORTED", "SITUATION-NOT-SUPPORTED",
1669 "INVALID-COOKIE", "INVALID-MAJOR-VERSION",
1670 "INVALID-MINOR-VERSION", "INVALID-EXCHANGE-TYPE",
1671 "INVALID-FLAGS", "INVALID-MESSAGE-ID",
1672 "INVALID-PROTOCOL-ID", "INVALID-SPI",
1673 "INVALID-TRANSFORM-ID", "ATTRIBUTES-NOT-SUPPORTED",
1674 "NO-PROPOSAL-CHOSEN", "BAD-PROPOSAL-SYNTAX",
1675 "PAYLOAD-MALFORMED", "INVALID-KEY-INFORMATION",
1676 "INVALID-ID-INFORMATION", "INVALID-CERT-ENCODING",
1677 "INVALID-CERTIFICATE", "CERT-TYPE-UNSUPPORTED",
1678 "INVALID-CERT-AUTHORITY", "INVALID-HASH-INFORMATION",
1679 "AUTHENTICATION-FAILED", "INVALID-SIGNATURE",
1680 "ADDRESS-NOTIFICATION", "NOTIFY-SA-LIFETIME",
1681 "CERTIFICATE-UNAVAILABLE", "UNSUPPORTED-EXCHANGE-TYPE",
1682 "UNEQUAL-PAYLOAD-LENGTHS",
1683 };
1684 static const char *ipsec_notify_error_str[] = {
1685 "RESERVED",
1686 };
1687 static const char *notify_status_str[] = {
1688 "CONNECTED",
1689 };
1690 static const char *ipsec_notify_status_str[] = {
1691 "RESPONDER-LIFETIME", "REPLAY-STATUS",
1692 "INITIAL-CONTACT",
1693 };
1694 /* NOTE: these macro must be called with x in proper range */
1695
1696 /* 0 - 8191 */
1697 #define NOTIFY_ERROR_STR(x) \
1698 STR_OR_ID((x), notify_error_str)
1699
1700 /* 8192 - 16383 */
1701 #define IPSEC_NOTIFY_ERROR_STR(x) \
1702 STR_OR_ID((u_int)((x) - 8192), ipsec_notify_error_str)
1703
1704 /* 16384 - 24575 */
1705 #define NOTIFY_STATUS_STR(x) \
1706 STR_OR_ID((u_int)((x) - 16384), notify_status_str)
1707
1708 /* 24576 - 32767 */
1709 #define IPSEC_NOTIFY_STATUS_STR(x) \
1710 STR_OR_ID((u_int)((x) - 24576), ipsec_notify_status_str)
1711
1712 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_N));
1713
1714 p = (const struct ikev1_pl_n *)ext;
1715 ND_TCHECK_SIZE(p);
1716 doi = GET_BE_U_4(p->doi);
1717 proto = GET_U_1(p->prot_id);
1718 if (doi != 1) {
1719 ND_PRINT(" doi=%u", doi);
1720 ND_PRINT(" proto=%u", proto);
1721 type = GET_BE_U_2(p->type);
1722 if (type < 8192)
1723 ND_PRINT(" type=%s", NOTIFY_ERROR_STR(type));
1724 else if (type < 16384)
1725 ND_PRINT(" type=%s", numstr(type));
1726 else if (type < 24576)
1727 ND_PRINT(" type=%s", NOTIFY_STATUS_STR(type));
1728 else
1729 ND_PRINT(" type=%s", numstr(type));
1730 spi_size = GET_U_1(p->spi_size);
1731 if (spi_size) {
1732 ND_PRINT(" spi=");
1733 if (!rawprint(ndo, (const uint8_t *)(p + 1), spi_size))
1734 goto trunc;
1735 }
1736 return (const u_char *)(p + 1) + spi_size;
1737 }
1738
1739 ND_PRINT(" doi=ipsec");
1740 ND_PRINT(" proto=%s", PROTOIDSTR(proto));
1741 type = GET_BE_U_2(p->type);
1742 if (type < 8192)
1743 ND_PRINT(" type=%s", NOTIFY_ERROR_STR(type));
1744 else if (type < 16384)
1745 ND_PRINT(" type=%s", IPSEC_NOTIFY_ERROR_STR(type));
1746 else if (type < 24576)
1747 ND_PRINT(" type=%s", NOTIFY_STATUS_STR(type));
1748 else if (type < 32768)
1749 ND_PRINT(" type=%s", IPSEC_NOTIFY_STATUS_STR(type));
1750 else
1751 ND_PRINT(" type=%s", numstr(type));
1752 spi_size = GET_U_1(p->spi_size);
1753 if (spi_size) {
1754 ND_PRINT(" spi=");
1755 if (!rawprint(ndo, (const uint8_t *)(p + 1), spi_size))
1756 goto trunc;
1757 }
1758
1759 cp = (const u_char *)(p + 1) + spi_size;
1760 ep2 = (const u_char *)p + item_len;
1761
1762 if (cp < ep) {
1763 switch (type) {
1764 case IPSECDOI_NTYPE_RESPONDER_LIFETIME:
1765 {
1766 const struct attrmap *map = oakley_t_map;
1767 size_t nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]);
1768 ND_PRINT(" attrs=(");
1769 while (cp < ep && cp < ep2) {
1770 cp = ikev1_attrmap_print(ndo, cp, ep2, map, nmap);
1771 if (cp == NULL) {
1772 ND_PRINT(")");
1773 goto trunc;
1774 }
1775 }
1776 ND_PRINT(")");
1777 break;
1778 }
1779 case IPSECDOI_NTYPE_REPLAY_STATUS:
1780 ND_PRINT(" status=(");
1781 ND_PRINT("replay detection %sabled",
1782 GET_BE_U_4(cp) ? "en" : "dis");
1783 ND_PRINT(")");
1784 break;
1785 default:
1786 /*
1787 * XXX - fill in more types here; see, for example,
1788 * draft-ietf-ipsec-notifymsg-04.
1789 */
1790 if (ndo->ndo_vflag > 3) {
1791 ND_PRINT(" data=(");
1792 if (!rawprint(ndo, (const uint8_t *)(cp), ep - cp))
1793 goto trunc;
1794 ND_PRINT(")");
1795 } else {
1796 if (!ike_show_somedata(ndo, cp, ep))
1797 goto trunc;
1798 }
1799 break;
1800 }
1801 }
1802 return (const u_char *)ext + item_len;
1803 trunc:
1804 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_N));
1805 return NULL;
1806 }
1807
1808 static const u_char *
1809 ikev1_d_print(netdissect_options *ndo, u_char tpay _U_,
1810 const struct isakmp_gen *ext, u_int item_len _U_,
1811 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi0 _U_,
1812 uint32_t proto0 _U_, int depth _U_)
1813 {
1814 const struct ikev1_pl_d *p;
1815 const uint8_t *q;
1816 uint32_t doi;
1817 uint32_t proto;
1818 uint8_t spi_size;
1819 uint16_t num_spi;
1820 u_int i;
1821
1822 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_D));
1823
1824 p = (const struct ikev1_pl_d *)ext;
1825 ND_TCHECK_SIZE(p);
1826 doi = GET_BE_U_4(p->doi);
1827 proto = GET_U_1(p->prot_id);
1828 if (doi != 1) {
1829 ND_PRINT(" doi=%u", doi);
1830 ND_PRINT(" proto=%u", proto);
1831 } else {
1832 ND_PRINT(" doi=ipsec");
1833 ND_PRINT(" proto=%s", PROTOIDSTR(proto));
1834 }
1835 spi_size = GET_U_1(p->spi_size);
1836 ND_PRINT(" spilen=%u", spi_size);
1837 num_spi = GET_BE_U_2(p->num_spi);
1838 ND_PRINT(" nspi=%u", num_spi);
1839 ND_PRINT(" spi=");
1840 q = (const uint8_t *)(p + 1);
1841 for (i = 0; i < num_spi; i++) {
1842 if (i != 0)
1843 ND_PRINT(",");
1844 if (!rawprint(ndo, (const uint8_t *)q, spi_size))
1845 goto trunc;
1846 q += spi_size;
1847 }
1848 return q;
1849 trunc:
1850 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_D));
1851 return NULL;
1852 }
1853
1854 static const u_char *
1855 ikev1_vid_print(netdissect_options *ndo, u_char tpay _U_,
1856 const struct isakmp_gen *ext,
1857 u_int item_len, const u_char *ep _U_,
1858 uint32_t phase _U_, uint32_t doi _U_,
1859 uint32_t proto _U_, int depth _U_)
1860 {
1861 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_VID));
1862
1863 ND_TCHECK_SIZE(ext);
1864 /*
1865 * Our caller has ensured that the length is >= 4.
1866 */
1867 ND_PRINT(" len=%u", item_len - 4);
1868 if (2 < ndo->ndo_vflag && 4 < item_len) {
1869 /* Print the entire payload in hex */
1870 ND_PRINT(" ");
1871 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1872 goto trunc;
1873 }
1874 return (const u_char *)ext + item_len;
1875 trunc:
1876 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_VID));
1877 return NULL;
1878 }
1879
1880 /************************************************************/
1881 /* */
1882 /* IKE v2 - rfc4306 - dissector */
1883 /* */
1884 /************************************************************/
1885
1886 static void
1887 ikev2_pay_print(netdissect_options *ndo, const char *payname, uint8_t critical)
1888 {
1889 ND_PRINT("%s%s:", payname, critical&0x80 ? "[C]" : "");
1890 }
1891
1892 static const u_char *
1893 ikev2_gen_print(netdissect_options *ndo, u_char tpay,
1894 const struct isakmp_gen *ext, u_int item_len)
1895 {
1896 const struct isakmp_gen *p = (const struct isakmp_gen *)ext;
1897
1898 ND_TCHECK_SIZE(ext);
1899 ikev2_pay_print(ndo, NPSTR(tpay), GET_U_1(p->critical));
1900
1901 /*
1902 * Our caller has ensured that the length is >= 4.
1903 */
1904 ND_PRINT(" len=%u", item_len - 4);
1905 if (2 < ndo->ndo_vflag && 4 < item_len) {
1906 /* Print the entire payload in hex */
1907 ND_PRINT(" ");
1908 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1909 goto trunc;
1910 }
1911 return (const u_char *)ext + item_len;
1912 trunc:
1913 ND_PRINT(" [|%s]", NPSTR(tpay));
1914 return NULL;
1915 }
1916
1917 static const u_char *
1918 ikev2_t_print(netdissect_options *ndo, int tcount,
1919 const struct isakmp_gen *ext, u_int item_len,
1920 const u_char *ep)
1921 {
1922 const struct ikev2_t *p;
1923 uint16_t t_id;
1924 uint8_t t_type;
1925 const u_char *cp;
1926 const char *idstr;
1927 const struct attrmap *map;
1928 size_t nmap;
1929 const u_char *ep2;
1930
1931 p = (const struct ikev2_t *)ext;
1932 ND_TCHECK_SIZE(p);
1933 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_T), GET_U_1(p->h.critical));
1934
1935 t_id = GET_BE_U_2(p->t_id);
1936
1937 map = NULL;
1938 nmap = 0;
1939
1940 t_type = GET_U_1(p->t_type);
1941 switch (t_type) {
1942 case IV2_T_ENCR:
1943 idstr = STR_OR_ID(t_id, esp_p_map);
1944 map = encr_t_map;
1945 nmap = sizeof(encr_t_map)/sizeof(encr_t_map[0]);
1946 break;
1947
1948 case IV2_T_PRF:
1949 idstr = STR_OR_ID(t_id, prf_p_map);
1950 break;
1951
1952 case IV2_T_INTEG:
1953 idstr = STR_OR_ID(t_id, integ_p_map);
1954 break;
1955
1956 case IV2_T_DH:
1957 idstr = STR_OR_ID(t_id, dh_p_map);
1958 break;
1959
1960 case IV2_T_ESN:
1961 idstr = STR_OR_ID(t_id, esn_p_map);
1962 break;
1963
1964 default:
1965 idstr = NULL;
1966 break;
1967 }
1968
1969 if (idstr)
1970 ND_PRINT(" #%u type=%s id=%s ", tcount,
1971 STR_OR_ID(t_type, ikev2_t_type_map),
1972 idstr);
1973 else
1974 ND_PRINT(" #%u type=%s id=%u ", tcount,
1975 STR_OR_ID(t_type, ikev2_t_type_map),
1976 t_id);
1977 cp = (const u_char *)(p + 1);
1978 ep2 = (const u_char *)p + item_len;
1979 while (cp < ep && cp < ep2) {
1980 if (map && nmap) {
1981 cp = ikev1_attrmap_print(ndo, cp, ep2, map, nmap);
1982 } else
1983 cp = ikev1_attr_print(ndo, cp, ep2);
1984 if (cp == NULL)
1985 goto trunc;
1986 }
1987 if (ep < ep2)
1988 ND_PRINT("...");
1989 return cp;
1990 trunc:
1991 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_T));
1992 return NULL;
1993 }
1994
1995 static const u_char *
1996 ikev2_p_print(netdissect_options *ndo, u_char tpay _U_, int pcount _U_,
1997 const struct isakmp_gen *ext, u_int oprop_length,
1998 const u_char *ep, int depth)
1999 {
2000 const struct ikev2_p *p;
2001 u_int prop_length;
2002 uint8_t spi_size;
2003 const u_char *cp;
2004 int i;
2005 int tcount;
2006 u_char np;
2007 u_int item_len;
2008
2009 p = (const struct ikev2_p *)ext;
2010 ND_TCHECK_SIZE(p);
2011
2012 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_P), GET_U_1(p->h.critical));
2013
2014 /*
2015 * ikev2_sa_print() guarantees that this is >= 4.
2016 */
2017 prop_length = oprop_length - 4;
2018 ND_PRINT(" #%u protoid=%s transform=%u len=%u",
2019 GET_U_1(p->p_no), PROTOIDSTR(GET_U_1(p->prot_id)),
2020 GET_U_1(p->num_t), oprop_length);
2021 cp = (const u_char *)(p + 1);
2022
2023 spi_size = GET_U_1(p->spi_size);
2024 if (spi_size) {
2025 if (prop_length < spi_size)
2026 goto toolong;
2027 ND_PRINT(" spi=");
2028 if (!rawprint(ndo, (const uint8_t *)cp, spi_size))
2029 goto trunc;
2030 cp += spi_size;
2031 prop_length -= spi_size;
2032 }
2033
2034 /*
2035 * Print the transforms.
2036 */
2037 tcount = 0;
2038 for (np = ISAKMP_NPTYPE_T; np != 0; np = GET_U_1(ext->np)) {
2039 tcount++;
2040 ext = (const struct isakmp_gen *)cp;
2041 if (prop_length < sizeof(*ext))
2042 goto toolong;
2043 ND_TCHECK_SIZE(ext);
2044
2045 /*
2046 * Since we can't have a payload length of less than 4 bytes,
2047 * we need to bail out here if the generic header is nonsensical
2048 * or truncated, otherwise we could loop forever processing
2049 * zero-length items or otherwise misdissect the packet.
2050 */
2051 item_len = GET_BE_U_2(ext->len);
2052 if (item_len <= 4)
2053 goto trunc;
2054
2055 if (prop_length < item_len)
2056 goto toolong;
2057 ND_TCHECK_LEN(cp, item_len);
2058
2059 depth++;
2060 ND_PRINT("\n");
2061 for (i = 0; i < depth; i++)
2062 ND_PRINT(" ");
2063 ND_PRINT("(");
2064 if (np == ISAKMP_NPTYPE_T) {
2065 cp = ikev2_t_print(ndo, tcount, ext, item_len, ep);
2066 if (cp == NULL) {
2067 /* error, already reported */
2068 return NULL;
2069 }
2070 } else {
2071 ND_PRINT("%s", NPSTR(np));
2072 cp += item_len;
2073 }
2074 ND_PRINT(")");
2075 depth--;
2076 prop_length -= item_len;
2077 }
2078 return cp;
2079 toolong:
2080 /*
2081 * Skip the rest of the proposal.
2082 */
2083 cp += prop_length;
2084 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_P));
2085 return cp;
2086 trunc:
2087 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_P));
2088 return NULL;
2089 }
2090
2091 static const u_char *
2092 ikev2_sa_print(netdissect_options *ndo, u_char tpay,
2093 const struct isakmp_gen *ext1,
2094 u_int osa_length, const u_char *ep,
2095 uint32_t phase _U_, uint32_t doi _U_,
2096 uint32_t proto _U_, int depth)
2097 {
2098 const struct isakmp_gen *ext;
2099 u_int sa_length;
2100 const u_char *cp;
2101 int i;
2102 int pcount;
2103 u_char np;
2104 u_int item_len;
2105
2106 ND_TCHECK_SIZE(ext1);
2107 ikev2_pay_print(ndo, "sa", GET_U_1(ext1->critical));
2108
2109 /*
2110 * ikev2_sub0_print() guarantees that this is >= 4.
2111 */
2112 osa_length= GET_BE_U_2(ext1->len);
2113 sa_length = osa_length - 4;
2114 ND_PRINT(" len=%u", sa_length);
2115
2116 /*
2117 * Print the payloads.
2118 */
2119 cp = (const u_char *)(ext1 + 1);
2120 pcount = 0;
2121 for (np = ISAKMP_NPTYPE_P; np != 0; np = GET_U_1(ext->np)) {
2122 pcount++;
2123 ext = (const struct isakmp_gen *)cp;
2124 if (sa_length < sizeof(*ext))
2125 goto toolong;
2126 ND_TCHECK_SIZE(ext);
2127
2128 /*
2129 * Since we can't have a payload length of less than 4 bytes,
2130 * we need to bail out here if the generic header is nonsensical
2131 * or truncated, otherwise we could loop forever processing
2132 * zero-length items or otherwise misdissect the packet.
2133 */
2134 item_len = GET_BE_U_2(ext->len);
2135 if (item_len <= 4)
2136 goto trunc;
2137
2138 if (sa_length < item_len)
2139 goto toolong;
2140 ND_TCHECK_LEN(cp, item_len);
2141
2142 depth++;
2143 ND_PRINT("\n");
2144 for (i = 0; i < depth; i++)
2145 ND_PRINT(" ");
2146 ND_PRINT("(");
2147 if (np == ISAKMP_NPTYPE_P) {
2148 cp = ikev2_p_print(ndo, np, pcount, ext, item_len,
2149 ep, depth);
2150 if (cp == NULL) {
2151 /* error, already reported */
2152 return NULL;
2153 }
2154 } else {
2155 ND_PRINT("%s", NPSTR(np));
2156 cp += item_len;
2157 }
2158 ND_PRINT(")");
2159 depth--;
2160 sa_length -= item_len;
2161 }
2162 return cp;
2163 toolong:
2164 /*
2165 * Skip the rest of the SA.
2166 */
2167 cp += sa_length;
2168 ND_PRINT(" [|%s]", NPSTR(tpay));
2169 return cp;
2170 trunc:
2171 ND_PRINT(" [|%s]", NPSTR(tpay));
2172 return NULL;
2173 }
2174
2175 static const u_char *
2176 ikev2_ke_print(netdissect_options *ndo, u_char tpay,
2177 const struct isakmp_gen *ext,
2178 u_int item_len, const u_char *ep _U_,
2179 uint32_t phase _U_, uint32_t doi _U_,
2180 uint32_t proto _U_, int depth _U_)
2181 {
2182 const struct ikev2_ke *k;
2183
2184 k = (const struct ikev2_ke *)ext;
2185 ND_TCHECK_SIZE(k);
2186 ikev2_pay_print(ndo, NPSTR(tpay), GET_U_1(k->h.critical));
2187
2188 if (item_len < 8) {
2189 ND_PRINT(" len=%u < 8", item_len);
2190 return (const u_char *)ext + item_len;
2191 }
2192 ND_PRINT(" len=%u group=%s", item_len - 8,
2193 STR_OR_ID(GET_BE_U_2(k->ke_group), dh_p_map));
2194
2195 if (2 < ndo->ndo_vflag && 8 < item_len) {
2196 ND_PRINT(" ");
2197 if (!rawprint(ndo, (const uint8_t *)(k + 1), item_len - 8))
2198 goto trunc;
2199 }
2200 return (const u_char *)ext + item_len;
2201 trunc:
2202 ND_PRINT(" [|%s]", NPSTR(tpay));
2203 return NULL;
2204 }
2205
2206 static const u_char *
2207 ikev2_ID_print(netdissect_options *ndo, u_char tpay,
2208 const struct isakmp_gen *ext,
2209 u_int item_len, const u_char *ep _U_,
2210 uint32_t phase _U_, uint32_t doi _U_,
2211 uint32_t proto _U_, int depth _U_)
2212 {
2213 const struct ikev2_id *idp;
2214 u_int idtype_len, i;
2215 unsigned int dumpascii, dumphex;
2216 const unsigned char *typedata;
2217
2218 idp = (const struct ikev2_id *)ext;
2219 ND_TCHECK_SIZE(idp);
2220 ikev2_pay_print(ndo, NPSTR(tpay), GET_U_1(idp->h.critical));
2221
2222 /*
2223 * Our caller has ensured that the length is >= 4.
2224 */
2225 ND_PRINT(" len=%u", item_len - 4);
2226 if (2 < ndo->ndo_vflag && 4 < item_len) {
2227 /* Print the entire payload in hex */
2228 ND_PRINT(" ");
2229 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
2230 goto trunc;
2231 }
2232
2233 idtype_len =item_len - sizeof(struct ikev2_id);
2234 dumpascii = 0;
2235 dumphex = 0;
2236 typedata = (const unsigned char *)(ext)+sizeof(struct ikev2_id);
2237
2238 switch(GET_U_1(idp->type)) {
2239 case ID_IPV4_ADDR:
2240 ND_PRINT(" ipv4:");
2241 dumphex=1;
2242 break;
2243 case ID_FQDN:
2244 ND_PRINT(" fqdn:");
2245 dumpascii=1;
2246 break;
2247 case ID_RFC822_ADDR:
2248 ND_PRINT(" rfc822:");
2249 dumpascii=1;
2250 break;
2251 case ID_IPV6_ADDR:
2252 ND_PRINT(" ipv6:");
2253 dumphex=1;
2254 break;
2255 case ID_DER_ASN1_DN:
2256 ND_PRINT(" dn:");
2257 dumphex=1;
2258 break;
2259 case ID_DER_ASN1_GN:
2260 ND_PRINT(" gn:");
2261 dumphex=1;
2262 break;
2263 case ID_KEY_ID:
2264 ND_PRINT(" keyid:");
2265 dumphex=1;
2266 break;
2267 }
2268
2269 if(dumpascii) {
2270 ND_TCHECK_LEN(typedata, idtype_len);
2271 for(i=0; i<idtype_len; i++) {
2272 if(ND_ASCII_ISPRINT(GET_U_1(typedata + i))) {
2273 ND_PRINT("%c", GET_U_1(typedata + i));
2274 } else {
2275 ND_PRINT(".");
2276 }
2277 }
2278 }
2279 if(dumphex) {
2280 if (!rawprint(ndo, (const uint8_t *)typedata, idtype_len))
2281 goto trunc;
2282 }
2283
2284 return (const u_char *)ext + item_len;
2285 trunc:
2286 ND_PRINT(" [|%s]", NPSTR(tpay));
2287 return NULL;
2288 }
2289
2290 static const u_char *
2291 ikev2_cert_print(netdissect_options *ndo, u_char tpay,
2292 const struct isakmp_gen *ext,
2293 u_int item_len, const u_char *ep _U_,
2294 uint32_t phase _U_, uint32_t doi _U_,
2295 uint32_t proto _U_, int depth _U_)
2296 {
2297 return ikev2_gen_print(ndo, tpay, ext, item_len);
2298 }
2299
2300 static const u_char *
2301 ikev2_cr_print(netdissect_options *ndo, u_char tpay,
2302 const struct isakmp_gen *ext,
2303 u_int item_len, const u_char *ep _U_,
2304 uint32_t phase _U_, uint32_t doi _U_,
2305 uint32_t proto _U_, int depth _U_)
2306 {
2307 return ikev2_gen_print(ndo, tpay, ext, item_len);
2308 }
2309
2310 static const u_char *
2311 ikev2_auth_print(netdissect_options *ndo, u_char tpay,
2312 const struct isakmp_gen *ext,
2313 u_int item_len, const u_char *ep,
2314 uint32_t phase _U_, uint32_t doi _U_,
2315 uint32_t proto _U_, int depth _U_)
2316 {
2317 const struct ikev2_auth *p;
2318 const char *v2_auth[]={ "invalid", "rsasig",
2319 "shared-secret", "dsssig" };
2320 const u_char *authdata = (const u_char*)ext + sizeof(struct ikev2_auth);
2321
2322 ND_TCHECK_LEN(ext, sizeof(struct ikev2_auth));
2323 p = (const struct ikev2_auth *)ext;
2324 ikev2_pay_print(ndo, NPSTR(tpay), GET_U_1(p->h.critical));
2325
2326 /*
2327 * Our caller has ensured that the length is >= 4.
2328 */
2329 ND_PRINT(" len=%u method=%s", item_len-4,
2330 STR_OR_ID(GET_U_1(p->auth_method), v2_auth));
2331 if (item_len > 4) {
2332 if (ndo->ndo_vflag > 1) {
2333 ND_PRINT(" authdata=(");
2334 if (!rawprint(ndo, (const uint8_t *)authdata, item_len - sizeof(struct ikev2_auth)))
2335 goto trunc;
2336 ND_PRINT(") ");
2337 } else if (ndo->ndo_vflag) {
2338 if (!ike_show_somedata(ndo, authdata, ep))
2339 goto trunc;
2340 }
2341 }
2342
2343 return (const u_char *)ext + item_len;
2344 trunc:
2345 ND_PRINT(" [|%s]", NPSTR(tpay));
2346 return NULL;
2347 }
2348
2349 static const u_char *
2350 ikev2_nonce_print(netdissect_options *ndo, u_char tpay,
2351 const struct isakmp_gen *ext,
2352 u_int item_len, const u_char *ep,
2353 uint32_t phase _U_, uint32_t doi _U_,
2354 uint32_t proto _U_, int depth _U_)
2355 {
2356 ND_TCHECK_SIZE(ext);
2357 ikev2_pay_print(ndo, "nonce", GET_U_1(ext->critical));
2358
2359 /*
2360 * Our caller has ensured that the length is >= 4.
2361 */
2362 ND_PRINT(" len=%u", item_len - 4);
2363 if (1 < ndo->ndo_vflag && 4 < item_len) {
2364 ND_PRINT(" nonce=(");
2365 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
2366 goto trunc;
2367 ND_PRINT(") ");
2368 } else if(ndo->ndo_vflag && 4 < item_len) {
2369 if(!ike_show_somedata(ndo, (const u_char *)(ext+1), ep)) goto trunc;
2370 }
2371
2372 return (const u_char *)ext + item_len;
2373 trunc:
2374 ND_PRINT(" [|%s]", NPSTR(tpay));
2375 return NULL;
2376 }
2377
2378 /* notify payloads */
2379 static const u_char *
2380 ikev2_n_print(netdissect_options *ndo, u_char tpay _U_,
2381 const struct isakmp_gen *ext,
2382 u_int item_len, const u_char *ep,
2383 uint32_t phase _U_, uint32_t doi _U_,
2384 uint32_t proto _U_, int depth _U_)
2385 {
2386 const struct ikev2_n *p;
2387 uint16_t type;
2388 uint8_t spi_size;
2389 const u_char *cp;
2390 u_char showspi, showsomedata;
2391 const char *notify_name;
2392
2393 p = (const struct ikev2_n *)ext;
2394 ND_TCHECK_SIZE(p);
2395 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_N), GET_U_1(p->h.critical));
2396
2397 showspi = 1;
2398 showsomedata=0;
2399 notify_name=NULL;
2400
2401 ND_PRINT(" prot_id=%s", PROTOIDSTR(GET_U_1(p->prot_id)));
2402
2403 type = GET_BE_U_2(p->type);
2404
2405 /* notify space is annoying sparse */
2406 switch(type) {
2407 case IV2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD:
2408 notify_name = "unsupported_critical_payload";
2409 showspi = 0;
2410 break;
2411
2412 case IV2_NOTIFY_INVALID_IKE_SPI:
2413 notify_name = "invalid_ike_spi";
2414 showspi = 1;
2415 break;
2416
2417 case IV2_NOTIFY_INVALID_MAJOR_VERSION:
2418 notify_name = "invalid_major_version";
2419 showspi = 0;
2420 break;
2421
2422 case IV2_NOTIFY_INVALID_SYNTAX:
2423 notify_name = "invalid_syntax";
2424 showspi = 1;
2425 break;
2426
2427 case IV2_NOTIFY_INVALID_MESSAGE_ID:
2428 notify_name = "invalid_message_id";
2429 showspi = 1;
2430 break;
2431
2432 case IV2_NOTIFY_INVALID_SPI:
2433 notify_name = "invalid_spi";
2434 showspi = 1;
2435 break;
2436
2437 case IV2_NOTIFY_NO_PROPOSAL_CHOSEN:
2438 notify_name = "no_protocol_chosen";
2439 showspi = 1;
2440 break;
2441
2442 case IV2_NOTIFY_INVALID_KE_PAYLOAD:
2443 notify_name = "invalid_ke_payload";
2444 showspi = 1;
2445 break;
2446
2447 case IV2_NOTIFY_AUTHENTICATION_FAILED:
2448 notify_name = "authentication_failed";
2449 showspi = 1;
2450 break;
2451
2452 case IV2_NOTIFY_SINGLE_PAIR_REQUIRED:
2453 notify_name = "single_pair_required";
2454 showspi = 1;
2455 break;
2456
2457 case IV2_NOTIFY_NO_ADDITIONAL_SAS:
2458 notify_name = "no_additional_sas";
2459 showspi = 0;
2460 break;
2461
2462 case IV2_NOTIFY_INTERNAL_ADDRESS_FAILURE:
2463 notify_name = "internal_address_failure";
2464 showspi = 0;
2465 break;
2466
2467 case IV2_NOTIFY_FAILED_CP_REQUIRED:
2468 notify_name = "failed:cp_required";
2469 showspi = 0;
2470 break;
2471
2472 case IV2_NOTIFY_INVALID_SELECTORS:
2473 notify_name = "invalid_selectors";
2474 showspi = 0;
2475 break;
2476
2477 case IV2_NOTIFY_INITIAL_CONTACT:
2478 notify_name = "initial_contact";
2479 showspi = 0;
2480 break;
2481
2482 case IV2_NOTIFY_SET_WINDOW_SIZE:
2483 notify_name = "set_window_size";
2484 showspi = 0;
2485 break;
2486
2487 case IV2_NOTIFY_ADDITIONAL_TS_POSSIBLE:
2488 notify_name = "additional_ts_possible";
2489 showspi = 0;
2490 break;
2491
2492 case IV2_NOTIFY_IPCOMP_SUPPORTED:
2493 notify_name = "ipcomp_supported";
2494 showspi = 0;
2495 break;
2496
2497 case IV2_NOTIFY_NAT_DETECTION_SOURCE_IP:
2498 notify_name = "nat_detection_source_ip";
2499 showspi = 1;
2500 break;
2501
2502 case IV2_NOTIFY_NAT_DETECTION_DESTINATION_IP:
2503 notify_name = "nat_detection_destination_ip";
2504 showspi = 1;
2505 break;
2506
2507 case IV2_NOTIFY_COOKIE:
2508 notify_name = "cookie";
2509 showspi = 1;
2510 showsomedata= 1;
2511 break;
2512
2513 case IV2_NOTIFY_USE_TRANSPORT_MODE:
2514 notify_name = "use_transport_mode";
2515 showspi = 0;
2516 break;
2517
2518 case IV2_NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED:
2519 notify_name = "http_cert_lookup_supported";
2520 showspi = 0;
2521 break;
2522
2523 case IV2_NOTIFY_REKEY_SA:
2524 notify_name = "rekey_sa";
2525 showspi = 1;
2526 break;
2527
2528 case IV2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED:
2529 notify_name = "tfc_padding_not_supported";
2530 showspi = 0;
2531 break;
2532
2533 case IV2_NOTIFY_NON_FIRST_FRAGMENTS_ALSO:
2534 notify_name = "non_first_fragment_also";
2535 showspi = 0;
2536 break;
2537
2538 default:
2539 if (type < 8192) {
2540 notify_name="error";
2541 } else if(type < 16384) {
2542 notify_name="private-error";
2543 } else if(type < 40960) {
2544 notify_name="status";
2545 } else {
2546 notify_name="private-status";
2547 }
2548 }
2549
2550 if(notify_name) {
2551 ND_PRINT(" type=%u(%s)", type, notify_name);
2552 }
2553
2554
2555 spi_size = GET_U_1(p->spi_size);
2556 if (showspi && spi_size) {
2557 ND_PRINT(" spi=");
2558 if (!rawprint(ndo, (const uint8_t *)(p + 1), spi_size))
2559 goto trunc;
2560 }
2561
2562 cp = (const u_char *)(p + 1) + spi_size;
2563
2564 if (cp < ep) {
2565 if (ndo->ndo_vflag > 3 || (showsomedata && ep-cp < 30)) {
2566 ND_PRINT(" data=(");
2567 if (!rawprint(ndo, (const uint8_t *)(cp), ep - cp))
2568 goto trunc;
2569
2570 ND_PRINT(")");
2571 } else if (showsomedata) {
2572 if (!ike_show_somedata(ndo, cp, ep))
2573 goto trunc;
2574 }
2575 }
2576
2577 return (const u_char *)ext + item_len;
2578 trunc:
2579 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_N));
2580 return NULL;
2581 }
2582
2583 static const u_char *
2584 ikev2_d_print(netdissect_options *ndo, u_char tpay,
2585 const struct isakmp_gen *ext,
2586 u_int item_len, const u_char *ep _U_,
2587 uint32_t phase _U_, uint32_t doi _U_,
2588 uint32_t proto _U_, int depth _U_)
2589 {
2590 return ikev2_gen_print(ndo, tpay, ext, item_len);
2591 }
2592
2593 static const u_char *
2594 ikev2_vid_print(netdissect_options *ndo, u_char tpay,
2595 const struct isakmp_gen *ext,
2596 u_int item_len, const u_char *ep _U_,
2597 uint32_t phase _U_, uint32_t doi _U_,
2598 uint32_t proto _U_, int depth _U_)
2599 {
2600 const u_char *vid;
2601 u_int i, len;
2602
2603 ND_TCHECK_SIZE(ext);
2604 ikev2_pay_print(ndo, NPSTR(tpay), GET_U_1(ext->critical));
2605
2606 /*
2607 * Our caller has ensured that the length is >= 4.
2608 */
2609 ND_PRINT(" len=%u vid=", item_len - 4);
2610
2611 vid = (const u_char *)(ext+1);
2612 len = item_len - 4;
2613 ND_TCHECK_LEN(vid, len);
2614 for(i=0; i<len; i++) {
2615 if(ND_ASCII_ISPRINT(GET_U_1(vid + i)))
2616 ND_PRINT("%c", GET_U_1(vid + i));
2617 else ND_PRINT(".");
2618 }
2619 if (2 < ndo->ndo_vflag && 4 < len) {
2620 /* Print the entire payload in hex */
2621 ND_PRINT(" ");
2622 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
2623 goto trunc;
2624 }
2625 return (const u_char *)ext + item_len;
2626 trunc:
2627 ND_PRINT(" [|%s]", NPSTR(tpay));
2628 return NULL;
2629 }
2630
2631 static const u_char *
2632 ikev2_TS_print(netdissect_options *ndo, u_char tpay,
2633 const struct isakmp_gen *ext,
2634 u_int item_len, const u_char *ep _U_,
2635 uint32_t phase _U_, uint32_t doi _U_,
2636 uint32_t proto _U_, int depth _U_)
2637 {
2638 return ikev2_gen_print(ndo, tpay, ext, item_len);
2639 }
2640
2641 static const u_char *
2642 ikev2_e_print(netdissect_options *ndo,
2643 #ifndef HAVE_LIBCRYPTO
2644 _U_
2645 #endif
2646 const struct isakmp *base,
2647 u_char tpay,
2648 const struct isakmp_gen *ext,
2649 u_int item_len, const u_char *ep _U_,
2650 #ifndef HAVE_LIBCRYPTO
2651 _U_
2652 #endif
2653 uint32_t phase,
2654 #ifndef HAVE_LIBCRYPTO
2655 _U_
2656 #endif
2657 uint32_t doi,
2658 #ifndef HAVE_LIBCRYPTO
2659 _U_
2660 #endif
2661 uint32_t proto,
2662 #ifndef HAVE_LIBCRYPTO
2663 _U_
2664 #endif
2665 int depth)
2666 {
2667 const u_char *dat;
2668 u_int dlen;
2669 #ifdef HAVE_LIBCRYPTO
2670 uint8_t np;
2671 #endif
2672
2673 ND_TCHECK_SIZE(ext);
2674 ikev2_pay_print(ndo, NPSTR(tpay), GET_U_1(ext->critical));
2675
2676 dlen = item_len-4;
2677
2678 ND_PRINT(" len=%u", dlen);
2679 if (2 < ndo->ndo_vflag && 4 < dlen) {
2680 ND_PRINT(" ");
2681 if (!rawprint(ndo, (const uint8_t *)(ext + 1), dlen))
2682 goto trunc;
2683 }
2684
2685 dat = (const u_char *)(ext+1);
2686 ND_TCHECK_LEN(dat, dlen);
2687
2688 #ifdef HAVE_LIBCRYPTO
2689 np = GET_U_1(ext->np);
2690
2691 /* try to decrypt it! */
2692 if(esp_decrypt_buffer_by_ikev2_print(ndo,
2693 GET_U_1(base->flags) & ISAKMP_FLAG_I,
2694 base->i_ck, base->r_ck,
2695 dat, dat+dlen)) {
2696
2697 ext = (const struct isakmp_gen *)ndo->ndo_packetp;
2698
2699 /* got it decrypted, print stuff inside. */
2700 ikev2_sub_print(ndo, base, np, ext,
2701 ndo->ndo_snapend, phase, doi, proto, depth+1);
2702
2703 /*
2704 * esp_decrypt_buffer_by_ikev2_print pushed information
2705 * on the buffer stack; we're done with the buffer, so
2706 * pop it (which frees the buffer)
2707 */
2708 nd_pop_packet_info(ndo);
2709 }
2710 #endif
2711
2712
2713 /* always return NULL, because E must be at end, and NP refers
2714 * to what was inside.
2715 */
2716 return NULL;
2717 trunc:
2718 ND_PRINT(" [|%s]", NPSTR(tpay));
2719 return NULL;
2720 }
2721
2722 static const u_char *
2723 ikev2_cp_print(netdissect_options *ndo, u_char tpay,
2724 const struct isakmp_gen *ext,
2725 u_int item_len, const u_char *ep _U_,
2726 uint32_t phase _U_, uint32_t doi _U_,
2727 uint32_t proto _U_, int depth _U_)
2728 {
2729 return ikev2_gen_print(ndo, tpay, ext, item_len);
2730 }
2731
2732 static const u_char *
2733 ikev2_eap_print(netdissect_options *ndo, u_char tpay,
2734 const struct isakmp_gen *ext,
2735 u_int item_len, const u_char *ep _U_,
2736 uint32_t phase _U_, uint32_t doi _U_,
2737 uint32_t proto _U_, int depth _U_)
2738 {
2739 return ikev2_gen_print(ndo, tpay, ext, item_len);
2740 }
2741
2742 static const u_char *
2743 ike_sub0_print(netdissect_options *ndo,
2744 u_char np, const struct isakmp_gen *ext, const u_char *ep,
2745
2746 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
2747 {
2748 const u_char *cp;
2749 u_int item_len;
2750
2751 cp = (const u_char *)ext;
2752 ND_TCHECK_SIZE(ext);
2753
2754 /*
2755 * Since we can't have a payload length of less than 4 bytes,
2756 * we need to bail out here if the generic header is nonsensical
2757 * or truncated, otherwise we could loop forever processing
2758 * zero-length items or otherwise misdissect the packet.
2759 */
2760 item_len = GET_BE_U_2(ext->len);
2761 if (item_len <= 4)
2762 return NULL;
2763
2764 if (NPFUNC(np)) {
2765 /*
2766 * XXX - what if item_len is too short, or too long,
2767 * for this payload type?
2768 */
2769 cp = (*npfunc[np])(ndo, np, ext, item_len, ep, phase, doi, proto, depth);
2770 } else {
2771 ND_PRINT("%s", NPSTR(np));
2772 cp += item_len;
2773 }
2774
2775 return cp;
2776 trunc:
2777 nd_print_trunc(ndo);
2778 return NULL;
2779 }
2780
2781 static const u_char *
2782 ikev1_sub_print(netdissect_options *ndo,
2783 u_char np, const struct isakmp_gen *ext, const u_char *ep,
2784 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
2785 {
2786 const u_char *cp;
2787 int i;
2788 u_int item_len;
2789
2790 cp = (const u_char *)ext;
2791
2792 while (np) {
2793 ND_TCHECK_SIZE(ext);
2794
2795 item_len = GET_BE_U_2(ext->len);
2796 ND_TCHECK_LEN(ext, item_len);
2797
2798 depth++;
2799 ND_PRINT("\n");
2800 for (i = 0; i < depth; i++)
2801 ND_PRINT(" ");
2802 ND_PRINT("(");
2803 cp = ike_sub0_print(ndo, np, ext, ep, phase, doi, proto, depth);
2804 ND_PRINT(")");
2805 depth--;
2806
2807 if (cp == NULL) {
2808 /* Zero-length subitem */
2809 return NULL;
2810 }
2811
2812 np = GET_U_1(ext->np);
2813 ext = (const struct isakmp_gen *)cp;
2814 }
2815 return cp;
2816 trunc:
2817 ND_PRINT(" [|%s]", NPSTR(np));
2818 return NULL;
2819 }
2820
2821 static char *
2822 numstr(u_int x)
2823 {
2824 static char buf[20];
2825 snprintf(buf, sizeof(buf), "#%u", x);
2826 return buf;
2827 }
2828
2829 static void
2830 ikev1_print(netdissect_options *ndo,
2831 const u_char *bp, u_int length,
2832 const u_char *bp2, const struct isakmp *base)
2833 {
2834 const struct isakmp *p;
2835 const u_char *ep;
2836 u_int flags;
2837 u_char np;
2838 int i;
2839 u_int phase;
2840
2841 p = (const struct isakmp *)bp;
2842 ep = ndo->ndo_snapend;
2843
2844 phase = (GET_BE_U_4(base->msgid) == 0) ? 1 : 2;
2845 if (phase == 1)
2846 ND_PRINT(" phase %u", phase);
2847 else
2848 ND_PRINT(" phase %u/others", phase);
2849
2850 i = cookie_find(&base->i_ck);
2851 if (i < 0) {
2852 if (iszero((const u_char *)&base->r_ck, sizeof(base->r_ck))) {
2853 /* the first packet */
2854 ND_PRINT(" I");
2855 if (bp2)
2856 cookie_record(ndo, &base->i_ck, bp2);
2857 } else
2858 ND_PRINT(" ?");
2859 } else {
2860 if (bp2 && cookie_isinitiator(ndo, i, bp2))
2861 ND_PRINT(" I");
2862 else if (bp2 && cookie_isresponder(ndo, i, bp2))
2863 ND_PRINT(" R");
2864 else
2865 ND_PRINT(" ?");
2866 }
2867
2868 ND_PRINT(" %s", ETYPESTR(GET_U_1(base->etype)));
2869 flags = GET_U_1(base->flags);
2870 if (flags) {
2871 ND_PRINT("[%s%s]", flags & ISAKMP_FLAG_E ? "E" : "",
2872 flags & ISAKMP_FLAG_C ? "C" : "");
2873 }
2874
2875 if (ndo->ndo_vflag) {
2876 const struct isakmp_gen *ext;
2877
2878 ND_PRINT(":");
2879
2880 np = GET_U_1(base->np);
2881
2882 /* regardless of phase... */
2883 if (flags & ISAKMP_FLAG_E) {
2884 /*
2885 * encrypted, nothing we can do right now.
2886 * we hope to decrypt the packet in the future...
2887 */
2888 ND_PRINT(" [encrypted %s]", NPSTR(np));
2889 goto done;
2890 }
2891
2892 CHECKLEN(p + 1, np);
2893 ext = (const struct isakmp_gen *)(p + 1);
2894 ikev1_sub_print(ndo, np, ext, ep, phase, 0, 0, 0);
2895 }
2896
2897 done:
2898 if (ndo->ndo_vflag) {
2899 if (GET_BE_U_4(base->len) != length) {
2900 ND_PRINT(" (len mismatch: isakmp %u/ip %u)",
2901 GET_BE_U_4(base->len), length);
2902 }
2903 }
2904 }
2905
2906 static const u_char *
2907 ikev2_sub0_print(netdissect_options *ndo, const struct isakmp *base,
2908 u_char np,
2909 const struct isakmp_gen *ext, const u_char *ep,
2910 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
2911 {
2912 const u_char *cp;
2913 u_int item_len;
2914
2915 cp = (const u_char *)ext;
2916 ND_TCHECK_SIZE(ext);
2917
2918 /*
2919 * Since we can't have a payload length of less than 4 bytes,
2920 * we need to bail out here if the generic header is nonsensical
2921 * or truncated, otherwise we could loop forever processing
2922 * zero-length items or otherwise misdissect the packet.
2923 */
2924 item_len = GET_BE_U_2(ext->len);
2925 if (item_len <= 4)
2926 return NULL;
2927
2928 if (np == ISAKMP_NPTYPE_v2E) {
2929 cp = ikev2_e_print(ndo, base, np, ext, item_len,
2930 ep, phase, doi, proto, depth);
2931 } else if (NPFUNC(np)) {
2932 /*
2933 * XXX - what if item_len is too short, or too long,
2934 * for this payload type?
2935 */
2936 cp = (*npfunc[np])(ndo, np, ext, item_len,
2937 ep, phase, doi, proto, depth);
2938 } else {
2939 ND_PRINT("%s", NPSTR(np));
2940 cp += item_len;
2941 }
2942
2943 return cp;
2944 trunc:
2945 nd_print_trunc(ndo);
2946 return NULL;
2947 }
2948
2949 static const u_char *
2950 ikev2_sub_print(netdissect_options *ndo,
2951 const struct isakmp *base,
2952 u_char np, const struct isakmp_gen *ext, const u_char *ep,
2953 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
2954 {
2955 const u_char *cp;
2956 int i;
2957
2958 cp = (const u_char *)ext;
2959 while (np) {
2960 ND_TCHECK_SIZE(ext);
2961
2962 ND_TCHECK_LEN(ext, GET_BE_U_2(ext->len));
2963
2964 depth++;
2965 ND_PRINT("\n");
2966 for (i = 0; i < depth; i++)
2967 ND_PRINT(" ");
2968 ND_PRINT("(");
2969 cp = ikev2_sub0_print(ndo, base, np,
2970 ext, ep, phase, doi, proto, depth);
2971 ND_PRINT(")");
2972 depth--;
2973
2974 if (cp == NULL) {
2975 /* Zero-length subitem */
2976 return NULL;
2977 }
2978
2979 np = GET_U_1(ext->np);
2980 ext = (const struct isakmp_gen *)cp;
2981 }
2982 return cp;
2983 trunc:
2984 ND_PRINT(" [|%s]", NPSTR(np));
2985 return NULL;
2986 }
2987
2988 static void
2989 ikev2_print(netdissect_options *ndo,
2990 const u_char *bp, u_int length,
2991 const u_char *bp2 _U_, const struct isakmp *base)
2992 {
2993 const struct isakmp *p;
2994 const u_char *ep;
2995 uint8_t flags;
2996 u_char np;
2997 u_int phase;
2998
2999 p = (const struct isakmp *)bp;
3000 ep = ndo->ndo_snapend;
3001
3002 phase = (GET_BE_U_4(base->msgid) == 0) ? 1 : 2;
3003 if (phase == 1)
3004 ND_PRINT(" parent_sa");
3005 else
3006 ND_PRINT(" child_sa ");
3007
3008 ND_PRINT(" %s", ETYPESTR(GET_U_1(base->etype)));
3009 flags = GET_U_1(base->flags);
3010 if (flags) {
3011 ND_PRINT("[%s%s%s]",
3012 flags & ISAKMP_FLAG_I ? "I" : "",
3013 flags & ISAKMP_FLAG_V ? "V" : "",
3014 flags & ISAKMP_FLAG_R ? "R" : "");
3015 }
3016
3017 if (ndo->ndo_vflag) {
3018 const struct isakmp_gen *ext;
3019
3020 ND_PRINT(":");
3021
3022 np = GET_U_1(base->np);
3023
3024 /* regardless of phase... */
3025 if (flags & ISAKMP_FLAG_E) {
3026 /*
3027 * encrypted, nothing we can do right now.
3028 * we hope to decrypt the packet in the future...
3029 */
3030 ND_PRINT(" [encrypted %s]", NPSTR(np));
3031 goto done;
3032 }
3033
3034 CHECKLEN(p + 1, np)
3035 ext = (const struct isakmp_gen *)(p + 1);
3036 ikev2_sub_print(ndo, base, np, ext, ep, phase, 0, 0, 0);
3037 }
3038
3039 done:
3040 if (ndo->ndo_vflag) {
3041 if (GET_BE_U_4(base->len) != length) {
3042 ND_PRINT(" (len mismatch: isakmp %u/ip %u)",
3043 GET_BE_U_4(base->len), length);
3044 }
3045 }
3046 }
3047
3048 void
3049 isakmp_print(netdissect_options *ndo,
3050 const u_char *bp, u_int length,
3051 const u_char *bp2)
3052 {
3053 const struct isakmp *p;
3054 const u_char *ep;
3055 u_int major, minor;
3056
3057 ndo->ndo_protocol = "isakmp";
3058 #ifdef HAVE_LIBCRYPTO
3059 /* initialize SAs */
3060 if (ndo->ndo_sa_list_head == NULL) {
3061 if (ndo->ndo_espsecret)
3062 esp_decodesecret_print(ndo);
3063 }
3064 #endif
3065
3066 p = (const struct isakmp *)bp;
3067 ep = ndo->ndo_snapend;
3068
3069 if ((const struct isakmp *)ep < p + 1) {
3070 nd_print_trunc(ndo);
3071 return;
3072 }
3073
3074 ND_PRINT("isakmp");
3075 major = (GET_U_1(p->vers) & ISAKMP_VERS_MAJOR)
3076 >> ISAKMP_VERS_MAJOR_SHIFT;
3077 minor = (GET_U_1(p->vers) & ISAKMP_VERS_MINOR)
3078 >> ISAKMP_VERS_MINOR_SHIFT;
3079
3080 if (ndo->ndo_vflag) {
3081 ND_PRINT(" %u.%u", major, minor);
3082 }
3083
3084 if (ndo->ndo_vflag) {
3085 ND_PRINT(" msgid ");
3086 hexprint(ndo, p->msgid, sizeof(p->msgid));
3087 }
3088
3089 if (1 < ndo->ndo_vflag) {
3090 ND_PRINT(" cookie ");
3091 hexprint(ndo, p->i_ck, sizeof(p->i_ck));
3092 ND_PRINT("->");
3093 hexprint(ndo, p->r_ck, sizeof(p->r_ck));
3094 }
3095 ND_PRINT(":");
3096
3097 switch(major) {
3098 case IKEv1_MAJOR_VERSION:
3099 ikev1_print(ndo, bp, length, bp2, p);
3100 break;
3101
3102 case IKEv2_MAJOR_VERSION:
3103 ikev2_print(ndo, bp, length, bp2, p);
3104 break;
3105 }
3106 }
3107
3108 void
3109 isakmp_rfc3948_print(netdissect_options *ndo,
3110 const u_char *bp, u_int length,
3111 const u_char *bp2, int ver, int fragmented, u_int ttl_hl)
3112 {
3113 ndo->ndo_protocol = "isakmp_rfc3948";
3114 ND_TCHECK_1(bp);
3115 if(length == 1 && GET_U_1(bp)==0xff) {
3116 ND_PRINT("isakmp-nat-keep-alive");
3117 return;
3118 }
3119
3120 if(length < 4) {
3121 goto trunc;
3122 }
3123 ND_TCHECK_1(bp + 3);
3124
3125 /*
3126 * see if this is an IKE packet
3127 */
3128 if (GET_BE_U_4(bp) == 0) {
3129 ND_PRINT("NONESP-encap: ");
3130 isakmp_print(ndo, bp+4, length-4, bp2);
3131 return;
3132 }
3133
3134 /* must be an ESP packet */
3135 {
3136 ND_PRINT("UDP-encap: ");
3137
3138 esp_print(ndo, bp, length, bp2, ver, fragmented, ttl_hl);
3139
3140 /*
3141 * Either this has decrypted the payload and
3142 * printed it, in which case there's nothing more
3143 * to do, or it hasn't, in which case there's
3144 * nothing more to do.
3145 */
3146 return;
3147 }
3148
3149 trunc:
3150 nd_print_trunc(ndo);
3151 return;
3152 }
[mirror] the TCPdump network dissector