]> The Tcpdump Group git mirrors - tcpdump/blob - print-isakmp.c
projects / tcpdump / blob


8ad8a60f73b4830f76938dbbce1de2f9f178e4a8
[tcpdump] / print-isakmp.c
1 /*
2 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. Neither the name of the project nor the names of its contributors
14 * may be used to endorse or promote products derived from this software
15 * without specific prior written permission.
16 *
17 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27 * SUCH DAMAGE.
28 *
29 */
30
31 /* \summary: Internet Security Association and Key Management Protocol (ISAKMP) printer */
32
33 /* specification: RFC 2407, RFC 2408, RFC 5996 */
34
35 #ifdef HAVE_CONFIG_H
36 #include <config.h>
37 #endif
38
39 /* The functions from print-esp.c used in this file are only defined when both
40 * OpenSSL and evp.h are detected. Employ the same preprocessor device here.
41 */
42 #ifndef HAVE_OPENSSL_EVP_H
43 #undef HAVE_LIBCRYPTO
44 #endif
45
46 #include "netdissect-stdinc.h"
47
48 #include <string.h>
49
50 #include "netdissect.h"
51 #include "addrtoname.h"
52 #include "extract.h"
53
54 #include "ip.h"
55 #include "ip6.h"
56 #include "ipproto.h"
57
58 typedef nd_byte cookie_t[8];
59 typedef nd_byte msgid_t[4];
60
61 #define PORT_ISAKMP 500
62
63 /* 3.1 ISAKMP Header Format (IKEv1 and IKEv2)
64 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
65 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
66 ! Initiator !
67 ! Cookie !
68 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
69 ! Responder !
70 ! Cookie !
71 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
72 ! Next Payload ! MjVer ! MnVer ! Exchange Type ! Flags !
73 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
74 ! Message ID !
75 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
76 ! Length !
77 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
78 */
79 struct isakmp {
80 cookie_t i_ck; /* Initiator Cookie */
81 cookie_t r_ck; /* Responder Cookie */
82 nd_uint8_t np; /* Next Payload Type */
83 nd_uint8_t vers;
84 #define ISAKMP_VERS_MAJOR 0xf0
85 #define ISAKMP_VERS_MAJOR_SHIFT 4
86 #define ISAKMP_VERS_MINOR 0x0f
87 #define ISAKMP_VERS_MINOR_SHIFT 0
88 nd_uint8_t etype; /* Exchange Type */
89 nd_uint8_t flags; /* Flags */
90 msgid_t msgid;
91 nd_uint32_t len; /* Length */
92 };
93
94 /* Next Payload Type */
95 #define ISAKMP_NPTYPE_NONE 0 /* NONE*/
96 #define ISAKMP_NPTYPE_SA 1 /* Security Association */
97 #define ISAKMP_NPTYPE_P 2 /* Proposal */
98 #define ISAKMP_NPTYPE_T 3 /* Transform */
99 #define ISAKMP_NPTYPE_KE 4 /* Key Exchange */
100 #define ISAKMP_NPTYPE_ID 5 /* Identification */
101 #define ISAKMP_NPTYPE_CERT 6 /* Certificate */
102 #define ISAKMP_NPTYPE_CR 7 /* Certificate Request */
103 #define ISAKMP_NPTYPE_HASH 8 /* Hash */
104 #define ISAKMP_NPTYPE_SIG 9 /* Signature */
105 #define ISAKMP_NPTYPE_NONCE 10 /* Nonce */
106 #define ISAKMP_NPTYPE_N 11 /* Notification */
107 #define ISAKMP_NPTYPE_D 12 /* Delete */
108 #define ISAKMP_NPTYPE_VID 13 /* Vendor ID */
109 #define ISAKMP_NPTYPE_v2E 46 /* v2 Encrypted payload */
110
111 #define IKEv1_MAJOR_VERSION 1
112 #define IKEv1_MINOR_VERSION 0
113
114 #define IKEv2_MAJOR_VERSION 2
115 #define IKEv2_MINOR_VERSION 0
116
117 /* Flags */
118 #define ISAKMP_FLAG_E 0x01 /* Encryption Bit */
119 #define ISAKMP_FLAG_C 0x02 /* Commit Bit */
120 #define ISAKMP_FLAG_extra 0x04
121
122 /* IKEv2 */
123 #define ISAKMP_FLAG_I (1 << 3) /* (I)nitiator */
124 #define ISAKMP_FLAG_V (1 << 4) /* (V)ersion */
125 #define ISAKMP_FLAG_R (1 << 5) /* (R)esponse */
126
127
128 /* 3.2 Payload Generic Header
129 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
130 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
131 ! Next Payload ! RESERVED ! Payload Length !
132 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
133 */
134 struct isakmp_gen {
135 nd_uint8_t np; /* Next Payload */
136 nd_uint8_t critical; /* bit 7 - critical, rest is RESERVED */
137 nd_uint16_t len; /* Payload Length */
138 };
139
140 /* 3.3 Data Attributes
141 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
142 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
143 !A! Attribute Type ! AF=0 Attribute Length !
144 !F! ! AF=1 Attribute Value !
145 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
146 . AF=0 Attribute Value .
147 . AF=1 Not Transmitted .
148 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
149 */
150 struct isakmp_data {
151 nd_uint16_t type; /* defined by DOI-spec, and Attribute Format */
152 nd_uint16_t lorv; /* if f equal 1, Attribute Length */
153 /* if f equal 0, Attribute Value */
154 /* if f equal 1, Attribute Value */
155 };
156
157 /* 3.4 Security Association Payload */
158 /* MAY NOT be used, because of being defined in ipsec-doi. */
159 /*
160 If the current payload is the last in the message,
161 then the value of the next payload field will be 0.
162 This field MUST NOT contain the
163 values for the Proposal or Transform payloads as they are considered
164 part of the security association negotiation. For example, this
165 field would contain the value "10" (Nonce payload) in the first
166 message of a Base Exchange (see Section 4.4) and the value "0" in the
167 first message of an Identity Protect Exchange (see Section 4.5).
168 */
169 struct ikev1_pl_sa {
170 struct isakmp_gen h;
171 nd_uint32_t doi; /* Domain of Interpretation */
172 nd_uint32_t sit; /* Situation */
173 };
174
175 /* 3.5 Proposal Payload */
176 /*
177 The value of the next payload field MUST only contain the value "2"
178 or "0". If there are additional Proposal payloads in the message,
179 then this field will be 2. If the current Proposal payload is the
180 last within the security association proposal, then this field will
181 be 0.
182 */
183 struct ikev1_pl_p {
184 struct isakmp_gen h;
185 nd_uint8_t p_no; /* Proposal # */
186 nd_uint8_t prot_id; /* Protocol */
187 nd_uint8_t spi_size; /* SPI Size */
188 nd_uint8_t num_t; /* Number of Transforms */
189 /* SPI */
190 };
191
192 /* 3.6 Transform Payload */
193 /*
194 The value of the next payload field MUST only contain the value "3"
195 or "0". If there are additional Transform payloads in the proposal,
196 then this field will be 3. If the current Transform payload is the
197 last within the proposal, then this field will be 0.
198 */
199 struct ikev1_pl_t {
200 struct isakmp_gen h;
201 nd_uint8_t t_no; /* Transform # */
202 nd_uint8_t t_id; /* Transform-Id */
203 nd_byte reserved[2]; /* RESERVED2 */
204 /* SA Attributes */
205 };
206
207 /* 3.7 Key Exchange Payload */
208 struct ikev1_pl_ke {
209 struct isakmp_gen h;
210 /* Key Exchange Data */
211 };
212
213 /* 3.8 Identification Payload */
214 /* MUST NOT to be used, because of being defined in ipsec-doi. */
215 struct ikev1_pl_id {
216 struct isakmp_gen h;
217 union {
218 nd_uint8_t id_type; /* ID Type */
219 nd_uint32_t doi_data; /* DOI Specific ID Data */
220 } d;
221 /* Identification Data */
222 };
223
224 /* 3.9 Certificate Payload */
225 struct ikev1_pl_cert {
226 struct isakmp_gen h;
227 nd_uint8_t encode; /* Cert Encoding */
228 nd_uint8_t cert; /* Certificate Data */
229 /*
230 This field indicates the type of
231 certificate or certificate-related information contained in the
232 Certificate Data field.
233 */
234 };
235
236 /* 3.10 Certificate Request Payload */
237 struct ikev1_pl_cr {
238 struct isakmp_gen h;
239 nd_uint8_t num_cert; /* # Cert. Types */
240 /*
241 Certificate Types (variable length)
242 -- Contains a list of the types of certificates requested,
243 sorted in order of preference. Each individual certificate
244 type is 1 octet. This field is NOT requiredo
245 */
246 /* # Certificate Authorities (1 octet) */
247 /* Certificate Authorities (variable length) */
248 };
249
250 /* 3.11 Hash Payload */
251 /* may not be used, because of having only data. */
252 struct ikev1_pl_hash {
253 struct isakmp_gen h;
254 /* Hash Data */
255 };
256
257 /* 3.12 Signature Payload */
258 /* may not be used, because of having only data. */
259 struct ikev1_pl_sig {
260 struct isakmp_gen h;
261 /* Signature Data */
262 };
263
264 /* 3.13 Nonce Payload */
265 /* may not be used, because of having only data. */
266 struct ikev1_pl_nonce {
267 struct isakmp_gen h;
268 /* Nonce Data */
269 };
270
271 /* 3.14 Notification Payload */
272 struct ikev1_pl_n {
273 struct isakmp_gen h;
274 nd_uint32_t doi; /* Domain of Interpretation */
275 nd_uint8_t prot_id; /* Protocol-ID */
276 nd_uint8_t spi_size; /* SPI Size */
277 nd_uint16_t type; /* Notify Message Type */
278 /* SPI */
279 /* Notification Data */
280 };
281
282 /* 3.14.1 Notify Message Types */
283 /* NOTIFY MESSAGES - ERROR TYPES */
284 #define ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE 1
285 #define ISAKMP_NTYPE_DOI_NOT_SUPPORTED 2
286 #define ISAKMP_NTYPE_SITUATION_NOT_SUPPORTED 3
287 #define ISAKMP_NTYPE_INVALID_COOKIE 4
288 #define ISAKMP_NTYPE_INVALID_MAJOR_VERSION 5
289 #define ISAKMP_NTYPE_INVALID_MINOR_VERSION 6
290 #define ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE 7
291 #define ISAKMP_NTYPE_INVALID_FLAGS 8
292 #define ISAKMP_NTYPE_INVALID_MESSAGE_ID 9
293 #define ISAKMP_NTYPE_INVALID_PROTOCOL_ID 10
294 #define ISAKMP_NTYPE_INVALID_SPI 11
295 #define ISAKMP_NTYPE_INVALID_TRANSFORM_ID 12
296 #define ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED 13
297 #define ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN 14
298 #define ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX 15
299 #define ISAKMP_NTYPE_PAYLOAD_MALFORMED 16
300 #define ISAKMP_NTYPE_INVALID_KEY_INFORMATION 17
301 #define ISAKMP_NTYPE_INVALID_ID_INFORMATION 18
302 #define ISAKMP_NTYPE_INVALID_CERT_ENCODING 19
303 #define ISAKMP_NTYPE_INVALID_CERTIFICATE 20
304 #define ISAKMP_NTYPE_BAD_CERT_REQUEST_SYNTAX 21
305 #define ISAKMP_NTYPE_INVALID_CERT_AUTHORITY 22
306 #define ISAKMP_NTYPE_INVALID_HASH_INFORMATION 23
307 #define ISAKMP_NTYPE_AUTHENTICATION_FAILED 24
308 #define ISAKMP_NTYPE_INVALID_SIGNATURE 25
309 #define ISAKMP_NTYPE_ADDRESS_NOTIFICATION 26
310
311 /* 3.15 Delete Payload */
312 struct ikev1_pl_d {
313 struct isakmp_gen h;
314 nd_uint32_t doi; /* Domain of Interpretation */
315 nd_uint8_t prot_id; /* Protocol-Id */
316 nd_uint8_t spi_size; /* SPI Size */
317 nd_uint16_t num_spi; /* # of SPIs */
318 /* SPI(es) */
319 };
320
321 /* IKEv2 (RFC4306) */
322
323 /* 3.3 Security Association Payload -- generic header */
324 /* 3.3.1. Proposal Substructure */
325 struct ikev2_p {
326 struct isakmp_gen h;
327 nd_uint8_t p_no; /* Proposal # */
328 nd_uint8_t prot_id; /* Protocol */
329 nd_uint8_t spi_size; /* SPI Size */
330 nd_uint8_t num_t; /* Number of Transforms */
331 };
332
333 /* 3.3.2. Transform Substructure */
334 struct ikev2_t {
335 struct isakmp_gen h;
336 nd_uint8_t t_type; /* Transform Type (ENCR,PRF,INTEG,etc.*/
337 nd_byte res2; /* reserved byte */
338 nd_uint16_t t_id; /* Transform ID */
339 };
340
341 enum ikev2_t_type {
342 IV2_T_ENCR = 1,
343 IV2_T_PRF = 2,
344 IV2_T_INTEG= 3,
345 IV2_T_DH = 4,
346 IV2_T_ESN = 5
347 };
348
349 /* 3.4. Key Exchange Payload */
350 struct ikev2_ke {
351 struct isakmp_gen h;
352 nd_uint16_t ke_group;
353 nd_uint16_t ke_res1;
354 /* KE data */
355 };
356
357
358 /* 3.5. Identification Payloads */
359 enum ikev2_id_type {
360 ID_IPV4_ADDR=1,
361 ID_FQDN=2,
362 ID_RFC822_ADDR=3,
363 ID_IPV6_ADDR=5,
364 ID_DER_ASN1_DN=9,
365 ID_DER_ASN1_GN=10,
366 ID_KEY_ID=11
367 };
368 struct ikev2_id {
369 struct isakmp_gen h;
370 nd_uint8_t type; /* ID type */
371 nd_byte res1;
372 nd_byte res2[2];
373 /* SPI */
374 /* Notification Data */
375 };
376
377 /* 3.10 Notification Payload */
378 struct ikev2_n {
379 struct isakmp_gen h;
380 nd_uint8_t prot_id; /* Protocol-ID */
381 nd_uint8_t spi_size; /* SPI Size */
382 nd_uint16_t type; /* Notify Message Type */
383 };
384
385 enum ikev2_n_type {
386 IV2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD = 1,
387 IV2_NOTIFY_INVALID_IKE_SPI = 4,
388 IV2_NOTIFY_INVALID_MAJOR_VERSION = 5,
389 IV2_NOTIFY_INVALID_SYNTAX = 7,
390 IV2_NOTIFY_INVALID_MESSAGE_ID = 9,
391 IV2_NOTIFY_INVALID_SPI =11,
392 IV2_NOTIFY_NO_PROPOSAL_CHOSEN =14,
393 IV2_NOTIFY_INVALID_KE_PAYLOAD =17,
394 IV2_NOTIFY_AUTHENTICATION_FAILED =24,
395 IV2_NOTIFY_SINGLE_PAIR_REQUIRED =34,
396 IV2_NOTIFY_NO_ADDITIONAL_SAS =35,
397 IV2_NOTIFY_INTERNAL_ADDRESS_FAILURE =36,
398 IV2_NOTIFY_FAILED_CP_REQUIRED =37,
399 IV2_NOTIFY_INVALID_SELECTORS =39,
400 IV2_NOTIFY_INITIAL_CONTACT =16384,
401 IV2_NOTIFY_SET_WINDOW_SIZE =16385,
402 IV2_NOTIFY_ADDITIONAL_TS_POSSIBLE =16386,
403 IV2_NOTIFY_IPCOMP_SUPPORTED =16387,
404 IV2_NOTIFY_NAT_DETECTION_SOURCE_IP =16388,
405 IV2_NOTIFY_NAT_DETECTION_DESTINATION_IP =16389,
406 IV2_NOTIFY_COOKIE =16390,
407 IV2_NOTIFY_USE_TRANSPORT_MODE =16391,
408 IV2_NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED =16392,
409 IV2_NOTIFY_REKEY_SA =16393,
410 IV2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED =16394,
411 IV2_NOTIFY_NON_FIRST_FRAGMENTS_ALSO =16395
412 };
413
414 struct notify_messages {
415 uint16_t type;
416 char *msg;
417 };
418
419 /* 3.8 Authentication Payload */
420 struct ikev2_auth {
421 struct isakmp_gen h;
422 nd_uint8_t auth_method; /* Protocol-ID */
423 nd_byte reserved[3];
424 /* authentication data */
425 };
426
427 enum ikev2_auth_type {
428 IV2_RSA_SIG = 1,
429 IV2_SHARED = 2,
430 IV2_DSS_SIG = 3
431 };
432
433 /* refer to RFC 2409 */
434
435 #if 0
436 /* isakmp sa structure */
437 struct oakley_sa {
438 uint8_t proto_id; /* OAKLEY */
439 vchar_t *spi; /* spi */
440 uint8_t dhgrp; /* DH; group */
441 uint8_t auth_t; /* method of authentication */
442 uint8_t prf_t; /* type of prf */
443 uint8_t hash_t; /* type of hash */
444 uint8_t enc_t; /* type of cipher */
445 uint8_t life_t; /* type of duration of lifetime */
446 uint32_t ldur; /* life duration */
447 };
448 #endif
449
450 /* refer to RFC 2407 */
451
452 #define IPSEC_DOI 1
453
454 /* 4.2 IPSEC Situation Definition */
455 #define IPSECDOI_SIT_IDENTITY_ONLY 0x00000001
456 #define IPSECDOI_SIT_SECRECY 0x00000002
457 #define IPSECDOI_SIT_INTEGRITY 0x00000004
458
459 /* 4.4.1 IPSEC Security Protocol Identifiers */
460 /* 4.4.2 IPSEC ISAKMP Transform Values */
461 #define IPSECDOI_PROTO_ISAKMP 1
462 #define IPSECDOI_KEY_IKE 1
463
464 /* 4.4.1 IPSEC Security Protocol Identifiers */
465 #define IPSECDOI_PROTO_IPSEC_AH 2
466 /* 4.4.3 IPSEC AH Transform Values */
467 #define IPSECDOI_AH_MD5 2
468 #define IPSECDOI_AH_SHA 3
469 #define IPSECDOI_AH_DES 4
470 #define IPSECDOI_AH_SHA2_256 5
471 #define IPSECDOI_AH_SHA2_384 6
472 #define IPSECDOI_AH_SHA2_512 7
473
474 /* 4.4.1 IPSEC Security Protocol Identifiers */
475 #define IPSECDOI_PROTO_IPSEC_ESP 3
476 /* 4.4.4 IPSEC ESP Transform Identifiers */
477 #define IPSECDOI_ESP_DES_IV64 1
478 #define IPSECDOI_ESP_DES 2
479 #define IPSECDOI_ESP_3DES 3
480 #define IPSECDOI_ESP_RC5 4
481 #define IPSECDOI_ESP_IDEA 5
482 #define IPSECDOI_ESP_CAST 6
483 #define IPSECDOI_ESP_BLOWFISH 7
484 #define IPSECDOI_ESP_3IDEA 8
485 #define IPSECDOI_ESP_DES_IV32 9
486 #define IPSECDOI_ESP_RC4 10
487 #define IPSECDOI_ESP_NULL 11
488 #define IPSECDOI_ESP_RIJNDAEL 12
489 #define IPSECDOI_ESP_AES 12
490
491 /* 4.4.1 IPSEC Security Protocol Identifiers */
492 #define IPSECDOI_PROTO_IPCOMP 4
493 /* 4.4.5 IPSEC IPCOMP Transform Identifiers */
494 #define IPSECDOI_IPCOMP_OUI 1
495 #define IPSECDOI_IPCOMP_DEFLATE 2
496 #define IPSECDOI_IPCOMP_LZS 3
497
498 /* 4.5 IPSEC Security Association Attributes */
499 #define IPSECDOI_ATTR_SA_LTYPE 1 /* B */
500 #define IPSECDOI_ATTR_SA_LTYPE_DEFAULT 1
501 #define IPSECDOI_ATTR_SA_LTYPE_SEC 1
502 #define IPSECDOI_ATTR_SA_LTYPE_KB 2
503 #define IPSECDOI_ATTR_SA_LDUR 2 /* V */
504 #define IPSECDOI_ATTR_SA_LDUR_DEFAULT 28800 /* 8 hours */
505 #define IPSECDOI_ATTR_GRP_DESC 3 /* B */
506 #define IPSECDOI_ATTR_ENC_MODE 4 /* B */
507 /* default value: host dependent */
508 #define IPSECDOI_ATTR_ENC_MODE_TUNNEL 1
509 #define IPSECDOI_ATTR_ENC_MODE_TRNS 2
510 #define IPSECDOI_ATTR_AUTH 5 /* B */
511 /* 0 means not to use authentication. */
512 #define IPSECDOI_ATTR_AUTH_HMAC_MD5 1
513 #define IPSECDOI_ATTR_AUTH_HMAC_SHA1 2
514 #define IPSECDOI_ATTR_AUTH_DES_MAC 3
515 #define IPSECDOI_ATTR_AUTH_KPDK 4 /*RFC-1826(Key/Pad/Data/Key)*/
516 /*
517 * When negotiating ESP without authentication, the Auth
518 * Algorithm attribute MUST NOT be included in the proposal.
519 * When negotiating ESP without confidentiality, the Auth
520 * Algorithm attribute MUST be included in the proposal and
521 * the ESP transform ID must be ESP_NULL.
522 */
523 #define IPSECDOI_ATTR_KEY_LENGTH 6 /* B */
524 #define IPSECDOI_ATTR_KEY_ROUNDS 7 /* B */
525 #define IPSECDOI_ATTR_COMP_DICT_SIZE 8 /* B */
526 #define IPSECDOI_ATTR_COMP_PRIVALG 9 /* V */
527
528 /* 4.6.1 Security Association Payload */
529 struct ipsecdoi_sa {
530 struct isakmp_gen h;
531 nd_uint32_t doi; /* Domain of Interpretation */
532 nd_uint32_t sit; /* Situation */
533 };
534
535 struct ipsecdoi_secrecy_h {
536 nd_uint16_t len;
537 nd_uint16_t reserved;
538 };
539
540 /* 4.6.2.1 Identification Type Values */
541 struct ipsecdoi_id {
542 struct isakmp_gen h;
543 nd_uint8_t type; /* ID Type */
544 nd_uint8_t proto_id; /* Protocol ID */
545 nd_uint16_t port; /* Port */
546 /* Identification Data */
547 };
548
549 #define IPSECDOI_ID_IPV4_ADDR 1
550 #define IPSECDOI_ID_FQDN 2
551 #define IPSECDOI_ID_USER_FQDN 3
552 #define IPSECDOI_ID_IPV4_ADDR_SUBNET 4
553 #define IPSECDOI_ID_IPV6_ADDR 5
554 #define IPSECDOI_ID_IPV6_ADDR_SUBNET 6
555 #define IPSECDOI_ID_IPV4_ADDR_RANGE 7
556 #define IPSECDOI_ID_IPV6_ADDR_RANGE 8
557 #define IPSECDOI_ID_DER_ASN1_DN 9
558 #define IPSECDOI_ID_DER_ASN1_GN 10
559 #define IPSECDOI_ID_KEY_ID 11
560
561 /* 4.6.3 IPSEC DOI Notify Message Types */
562 /* Notify Messages - Status Types */
563 #define IPSECDOI_NTYPE_RESPONDER_LIFETIME 24576
564 #define IPSECDOI_NTYPE_REPLAY_STATUS 24577
565 #define IPSECDOI_NTYPE_INITIAL_CONTACT 24578
566
567 #define DECLARE_PRINTER(func) static const u_char *ike##func##_print( \
568 netdissect_options *ndo, u_char tpay, \
569 const struct isakmp_gen *ext, \
570 u_int item_len, \
571 const u_char *end_pointer, \
572 uint32_t phase,\
573 uint32_t doi0, \
574 uint32_t proto0, int depth)
575
576 DECLARE_PRINTER(v1_sa);
577 DECLARE_PRINTER(v1_p);
578 DECLARE_PRINTER(v1_t);
579 DECLARE_PRINTER(v1_ke);
580 DECLARE_PRINTER(v1_id);
581 DECLARE_PRINTER(v1_cert);
582 DECLARE_PRINTER(v1_cr);
583 DECLARE_PRINTER(v1_sig);
584 DECLARE_PRINTER(v1_hash);
585 DECLARE_PRINTER(v1_nonce);
586 DECLARE_PRINTER(v1_n);
587 DECLARE_PRINTER(v1_d);
588 DECLARE_PRINTER(v1_vid);
589
590 DECLARE_PRINTER(v2_sa);
591 DECLARE_PRINTER(v2_ke);
592 DECLARE_PRINTER(v2_ID);
593 DECLARE_PRINTER(v2_cert);
594 DECLARE_PRINTER(v2_cr);
595 DECLARE_PRINTER(v2_auth);
596 DECLARE_PRINTER(v2_nonce);
597 DECLARE_PRINTER(v2_n);
598 DECLARE_PRINTER(v2_d);
599 DECLARE_PRINTER(v2_vid);
600 DECLARE_PRINTER(v2_TS);
601 DECLARE_PRINTER(v2_cp);
602 DECLARE_PRINTER(v2_eap);
603
604 static const u_char *ikev2_e_print(netdissect_options *ndo,
605 const struct isakmp *base,
606 u_char tpay,
607 const struct isakmp_gen *ext,
608 u_int item_len,
609 const u_char *end_pointer,
610 uint32_t phase,
611 uint32_t doi0,
612 uint32_t proto0, int depth);
613
614
615 static const u_char *ike_sub0_print(netdissect_options *ndo,u_char, const struct isakmp_gen *,
616 const u_char *, uint32_t, uint32_t, uint32_t, int);
617 static const u_char *ikev1_sub_print(netdissect_options *ndo,u_char, const struct isakmp_gen *,
618 const u_char *, uint32_t, uint32_t, uint32_t, int);
619
620 static const u_char *ikev2_sub_print(netdissect_options *ndo,
621 const struct isakmp *base,
622 u_char np, const struct isakmp_gen *ext,
623 const u_char *ep, uint32_t phase,
624 uint32_t doi, uint32_t proto,
625 int depth);
626
627
628 static char *numstr(u_int);
629
630 static void
631 ikev1_print(netdissect_options *ndo,
632 const u_char *bp, u_int length,
633 const u_char *bp2, const struct isakmp *base);
634
635 #define MAXINITIATORS 20
636 static int ninitiator = 0;
637 union inaddr_u {
638 struct in_addr in4;
639 struct in6_addr in6;
640 };
641 static struct {
642 cookie_t initiator;
643 u_int version;
644 union inaddr_u iaddr;
645 union inaddr_u raddr;
646 } cookiecache[MAXINITIATORS];
647
648 /* protocol id */
649 static const char *protoidstr[] = {
650 NULL, "isakmp", "ipsec-ah", "ipsec-esp", "ipcomp",
651 };
652
653 /* isakmp->np */
654 static const char *npstr[] = {
655 "none", "sa", "p", "t", "ke", "id", "cert", "cr", "hash", /* 0 - 8 */
656 "sig", "nonce", "n", "d", "vid", /* 9 - 13 */
657 "pay14", "pay15", "pay16", "pay17", "pay18", /* 14- 18 */
658 "pay19", "pay20", "pay21", "pay22", "pay23", /* 19- 23 */
659 "pay24", "pay25", "pay26", "pay27", "pay28", /* 24- 28 */
660 "pay29", "pay30", "pay31", "pay32", /* 29- 32 */
661 "v2sa", "v2ke", "v2IDi", "v2IDr", "v2cert",/* 33- 37 */
662 "v2cr", "v2auth","v2nonce", "v2n", "v2d", /* 38- 42 */
663 "v2vid", "v2TSi", "v2TSr", "v2e", "v2cp", /* 43- 47 */
664 "v2eap", /* 48 */
665
666 };
667
668 /* isakmp->np */
669 static const u_char *(*npfunc[])(netdissect_options *ndo, u_char tpay,
670 const struct isakmp_gen *ext,
671 u_int item_len,
672 const u_char *end_pointer,
673 uint32_t phase,
674 uint32_t doi0,
675 uint32_t proto0, int depth) = {
676 NULL,
677 ikev1_sa_print,
678 ikev1_p_print,
679 ikev1_t_print,
680 ikev1_ke_print,
681 ikev1_id_print,
682 ikev1_cert_print,
683 ikev1_cr_print,
684 ikev1_hash_print,
685 ikev1_sig_print,
686 ikev1_nonce_print,
687 ikev1_n_print,
688 ikev1_d_print,
689 ikev1_vid_print, /* 13 */
690 NULL, NULL, NULL, NULL, NULL, /* 14- 18 */
691 NULL, NULL, NULL, NULL, NULL, /* 19- 23 */
692 NULL, NULL, NULL, NULL, NULL, /* 24- 28 */
693 NULL, NULL, NULL, NULL, /* 29- 32 */
694 ikev2_sa_print, /* 33 */
695 ikev2_ke_print, /* 34 */
696 ikev2_ID_print, /* 35 */
697 ikev2_ID_print, /* 36 */
698 ikev2_cert_print, /* 37 */
699 ikev2_cr_print, /* 38 */
700 ikev2_auth_print, /* 39 */
701 ikev2_nonce_print, /* 40 */
702 ikev2_n_print, /* 41 */
703 ikev2_d_print, /* 42 */
704 ikev2_vid_print, /* 43 */
705 ikev2_TS_print, /* 44 */
706 ikev2_TS_print, /* 45 */
707 NULL, /* ikev2_e_print,*/ /* 46 - special */
708 ikev2_cp_print, /* 47 */
709 ikev2_eap_print, /* 48 */
710 };
711
712 /* isakmp->etype */
713 static const char *etypestr[] = {
714 /* IKEv1 exchange types */
715 "none", "base", "ident", "auth", "agg", "inf", NULL, NULL, /* 0-7 */
716 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 8-15 */
717 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 16-23 */
718 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 24-31 */
719 "oakley-quick", "oakley-newgroup", /* 32-33 */
720 /* IKEv2 exchange types */
721 "ikev2_init", "ikev2_auth", "child_sa", "inf2" /* 34-37 */
722 };
723
724 #define STR_OR_ID(x, tab) \
725 (((x) < sizeof(tab)/sizeof(tab[0]) && tab[(x)]) ? tab[(x)] : numstr(x))
726 #define PROTOIDSTR(x) STR_OR_ID(x, protoidstr)
727 #define NPSTR(x) STR_OR_ID(x, npstr)
728 #define ETYPESTR(x) STR_OR_ID(x, etypestr)
729
730 #define CHECKLEN(p, np) \
731 if (ep < (const u_char *)(p)) { \
732 ND_PRINT(" [|%s]", NPSTR(np)); \
733 goto done; \
734 }
735
736
737 #define NPFUNC(x) \
738 (((x) < sizeof(npfunc)/sizeof(npfunc[0]) && npfunc[(x)]) \
739 ? npfunc[(x)] : NULL)
740
741 static int
742 iszero(const u_char *p, size_t l)
743 {
744 while (l != 0) {
745 if (*p)
746 return 0;
747 p++;
748 l--;
749 }
750 return 1;
751 }
752
753 /* find cookie from initiator cache */
754 static int
755 cookie_find(const cookie_t *in)
756 {
757 int i;
758
759 for (i = 0; i < MAXINITIATORS; i++) {
760 if (memcmp(in, &cookiecache[i].initiator, sizeof(*in)) == 0)
761 return i;
762 }
763
764 return -1;
765 }
766
767 /* record initiator */
768 static void
769 cookie_record(netdissect_options *ndo, const cookie_t *in, const u_char *bp2)
770 {
771 int i;
772 const struct ip *ip;
773 const struct ip6_hdr *ip6;
774
775 i = cookie_find(in);
776 if (0 <= i) {
777 ninitiator = (i + 1) % MAXINITIATORS;
778 return;
779 }
780
781 ip = (const struct ip *)bp2;
782 switch (IP_V(ip)) {
783 case 4:
784 cookiecache[ninitiator].version = 4;
785 UNALIGNED_MEMCPY(&cookiecache[ninitiator].iaddr.in4,
786 ip->ip_src, sizeof(nd_ipv4));
787 UNALIGNED_MEMCPY(&cookiecache[ninitiator].raddr.in4,
788 ip->ip_dst, sizeof(nd_ipv4));
789 break;
790 case 6:
791 ip6 = (const struct ip6_hdr *)bp2;
792 cookiecache[ninitiator].version = 6;
793 UNALIGNED_MEMCPY(&cookiecache[ninitiator].iaddr.in6,
794 ip6->ip6_src, sizeof(nd_ipv6));
795 UNALIGNED_MEMCPY(&cookiecache[ninitiator].raddr.in6,
796 ip6->ip6_dst, sizeof(nd_ipv6));
797 break;
798 default:
799 return;
800 }
801 UNALIGNED_MEMCPY(&cookiecache[ninitiator].initiator, in, sizeof(*in));
802 ninitiator = (ninitiator + 1) % MAXINITIATORS;
803 }
804
805 #define cookie_isinitiator(ndo, x, y) cookie_sidecheck(ndo, (x), (y), 1)
806 #define cookie_isresponder(ndo, x, y) cookie_sidecheck(ndo, (x), (y), 0)
807 static int
808 cookie_sidecheck(netdissect_options *ndo, int i, const u_char *bp2, int initiator)
809 {
810 const struct ip *ip;
811 const struct ip6_hdr *ip6;
812
813 ip = (const struct ip *)bp2;
814 switch (IP_V(ip)) {
815 case 4:
816 if (cookiecache[i].version != 4)
817 return 0;
818 if (initiator) {
819 if (UNALIGNED_MEMCMP(ip->ip_src, &cookiecache[i].iaddr.in4, sizeof(nd_ipv4)) == 0)
820 return 1;
821 } else {
822 if (UNALIGNED_MEMCMP(ip->ip_src, &cookiecache[i].raddr.in4, sizeof(nd_ipv4)) == 0)
823 return 1;
824 }
825 break;
826 case 6:
827 if (cookiecache[i].version != 6)
828 return 0;
829 ip6 = (const struct ip6_hdr *)bp2;
830 if (initiator) {
831 if (UNALIGNED_MEMCMP(ip6->ip6_src, &cookiecache[i].iaddr.in6, sizeof(nd_ipv6)) == 0)
832 return 1;
833 } else {
834 if (UNALIGNED_MEMCMP(ip6->ip6_src, &cookiecache[i].raddr.in6, sizeof(nd_ipv6)) == 0)
835 return 1;
836 }
837 break;
838 default:
839 break;
840 }
841
842 return 0;
843 }
844
845 static void
846 hexprint(netdissect_options *ndo, const uint8_t *loc, size_t len)
847 {
848 const uint8_t *p;
849 size_t i;
850
851 p = loc;
852 for (i = 0; i < len; i++)
853 ND_PRINT("%02x", p[i] & 0xff);
854 }
855
856 static int
857 rawprint(netdissect_options *ndo, const uint8_t *loc, size_t len)
858 {
859 ND_TCHECK_LEN(loc, len);
860
861 hexprint(ndo, loc, len);
862 return 1;
863 trunc:
864 return 0;
865 }
866
867
868 /*
869 * returns false if we run out of data buffer
870 */
871 static int ike_show_somedata(netdissect_options *ndo,
872 const u_char *cp, const u_char *ep)
873 {
874 /* there is too much data, just show some of it */
875 const u_char *end = ep - 20;
876 size_t elen = 20;
877 size_t len = ep - cp;
878 if(len > 10) {
879 len = 10;
880 }
881
882 /* really shouldn't happen because of above */
883 if(end < cp + len) {
884 end = cp+len;
885 elen = ep - end;
886 }
887
888 ND_PRINT(" data=(");
889 if(!rawprint(ndo, (const uint8_t *)(cp), len)) goto trunc;
890 ND_PRINT("...");
891 if(elen) {
892 if(!rawprint(ndo, (const uint8_t *)(end), elen)) goto trunc;
893 }
894 ND_PRINT(")");
895 return 1;
896
897 trunc:
898 return 0;
899 }
900
901 struct attrmap {
902 const char *type;
903 u_int nvalue;
904 const char *value[30]; /*XXX*/
905 };
906
907 static const u_char *
908 ikev1_attrmap_print(netdissect_options *ndo,
909 const u_char *p, const u_char *ep2,
910 const struct attrmap *map, size_t nmap)
911 {
912 u_int totlen;
913 uint32_t t, v;
914
915 ND_TCHECK_1(p);
916 if (GET_U_1(p) & 0x80)
917 totlen = 4;
918 else {
919 ND_TCHECK_2(p + 2);
920 totlen = 4 + GET_BE_U_2(p + 2);
921 }
922 if (ep2 < p + totlen) {
923 ND_PRINT("[|attr]");
924 return ep2 + 1;
925 }
926
927 ND_TCHECK_2(p);
928 ND_PRINT("(");
929 t = GET_BE_U_2(p) & 0x7fff;
930 if (map && t < nmap && map[t].type)
931 ND_PRINT("type=%s ", map[t].type);
932 else
933 ND_PRINT("type=#%u ", t);
934 if (GET_U_1(p) & 0x80) {
935 ND_PRINT("value=");
936 ND_TCHECK_2(p + 2);
937 v = GET_BE_U_2(p + 2);
938 if (map && t < nmap && v < map[t].nvalue && map[t].value[v])
939 ND_PRINT("%s", map[t].value[v]);
940 else {
941 if (!rawprint(ndo, (const uint8_t *)(p + 2), 2)) {
942 ND_PRINT(")");
943 goto trunc;
944 }
945 }
946 } else {
947 ND_PRINT("len=%u value=", totlen - 4);
948 if (!rawprint(ndo, (const uint8_t *)(p + 4), totlen - 4)) {
949 ND_PRINT(")");
950 goto trunc;
951 }
952 }
953 ND_PRINT(")");
954 return p + totlen;
955
956 trunc:
957 return NULL;
958 }
959
960 static const u_char *
961 ikev1_attr_print(netdissect_options *ndo, const u_char *p, const u_char *ep2)
962 {
963 u_int totlen;
964 uint32_t t;
965
966 ND_TCHECK_1(p);
967 if (GET_U_1(p) & 0x80)
968 totlen = 4;
969 else {
970 ND_TCHECK_2(p + 2);
971 totlen = 4 + GET_BE_U_2(p + 2);
972 }
973 if (ep2 < p + totlen) {
974 ND_PRINT("[|attr]");
975 return ep2 + 1;
976 }
977
978 ND_TCHECK_2(p);
979 ND_PRINT("(");
980 t = GET_BE_U_2(p) & 0x7fff;
981 ND_PRINT("type=#%u ", t);
982 if (GET_U_1(p) & 0x80) {
983 ND_PRINT("value=");
984 t = GET_U_1(p + 2);
985 if (!rawprint(ndo, (const uint8_t *)(p + 2), 2)) {
986 ND_PRINT(")");
987 goto trunc;
988 }
989 } else {
990 ND_PRINT("len=%u value=", totlen - 4);
991 if (!rawprint(ndo, (const uint8_t *)(p + 4), totlen - 4)) {
992 ND_PRINT(")");
993 goto trunc;
994 }
995 }
996 ND_PRINT(")");
997 return p + totlen;
998
999 trunc:
1000 return NULL;
1001 }
1002
1003 static const u_char *
1004 ikev1_sa_print(netdissect_options *ndo, u_char tpay _U_,
1005 const struct isakmp_gen *ext,
1006 u_int item_len _U_,
1007 const u_char *ep, uint32_t phase, uint32_t doi0 _U_,
1008 uint32_t proto0, int depth)
1009 {
1010 const struct ikev1_pl_sa *p;
1011 uint32_t doi, sit, ident;
1012 const u_char *cp, *np;
1013 int t;
1014
1015 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_SA));
1016
1017 p = (const struct ikev1_pl_sa *)ext;
1018 ND_TCHECK_SIZE(p);
1019 doi = GET_BE_U_4(p->doi);
1020 sit = GET_BE_U_4(p->sit);
1021 if (doi != 1) {
1022 ND_PRINT(" doi=%u", doi);
1023 ND_PRINT(" situation=%u", sit);
1024 return (const u_char *)(p + 1);
1025 }
1026
1027 ND_PRINT(" doi=ipsec");
1028 ND_PRINT(" situation=");
1029 t = 0;
1030 if (sit & 0x01) {
1031 ND_PRINT("identity");
1032 t++;
1033 }
1034 if (sit & 0x02) {
1035 ND_PRINT("%ssecrecy", t ? "+" : "");
1036 t++;
1037 }
1038 if (sit & 0x04)
1039 ND_PRINT("%sintegrity", t ? "+" : "");
1040
1041 np = (const u_char *)ext + sizeof(struct ikev1_pl_sa);
1042 if (sit != 0x01) {
1043 ND_TCHECK_4(ext + 1);
1044 ident = GET_BE_U_4(ext + 1);
1045 ND_PRINT(" ident=%u", ident);
1046 np += sizeof(ident);
1047 }
1048
1049 ext = (const struct isakmp_gen *)np;
1050 ND_TCHECK_SIZE(ext);
1051
1052 cp = ikev1_sub_print(ndo, ISAKMP_NPTYPE_P, ext, ep, phase, doi, proto0,
1053 depth);
1054
1055 return cp;
1056 trunc:
1057 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_SA));
1058 return NULL;
1059 }
1060
1061 static const u_char *
1062 ikev1_p_print(netdissect_options *ndo, u_char tpay _U_,
1063 const struct isakmp_gen *ext, u_int item_len _U_,
1064 const u_char *ep, uint32_t phase, uint32_t doi0,
1065 uint32_t proto0 _U_, int depth)
1066 {
1067 const struct ikev1_pl_p *p;
1068 const u_char *cp;
1069 uint8_t spi_size;
1070
1071 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_P));
1072
1073 p = (const struct ikev1_pl_p *)ext;
1074 ND_TCHECK_SIZE(p);
1075 ND_PRINT(" #%u protoid=%s transform=%u",
1076 GET_U_1(p->p_no), PROTOIDSTR(GET_U_1(p->prot_id)),
1077 GET_U_1(p->num_t));
1078 spi_size = GET_U_1(p->spi_size);
1079 if (spi_size) {
1080 ND_PRINT(" spi=");
1081 if (!rawprint(ndo, (const uint8_t *)(p + 1), spi_size))
1082 goto trunc;
1083 }
1084
1085 ext = (const struct isakmp_gen *)((const u_char *)(p + 1) + spi_size);
1086 ND_TCHECK_SIZE(ext);
1087
1088 cp = ikev1_sub_print(ndo, ISAKMP_NPTYPE_T, ext, ep, phase, doi0,
1089 GET_U_1(p->prot_id), depth);
1090
1091 return cp;
1092 trunc:
1093 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_P));
1094 return NULL;
1095 }
1096
1097 static const char *ikev1_p_map[] = {
1098 NULL, "ike",
1099 };
1100
1101 static const char *ikev2_t_type_map[]={
1102 NULL, "encr", "prf", "integ", "dh", "esn"
1103 };
1104
1105 static const char *ah_p_map[] = {
1106 NULL, "(reserved)", "md5", "sha", "1des",
1107 "sha2-256", "sha2-384", "sha2-512",
1108 };
1109
1110 static const char *prf_p_map[] = {
1111 NULL, "hmac-md5", "hmac-sha", "hmac-tiger",
1112 "aes128_xcbc"
1113 };
1114
1115 static const char *integ_p_map[] = {
1116 NULL, "hmac-md5", "hmac-sha", "dec-mac",
1117 "kpdk-md5", "aes-xcbc"
1118 };
1119
1120 static const char *esn_p_map[] = {
1121 "no-esn", "esn"
1122 };
1123
1124 static const char *dh_p_map[] = {
1125 NULL, "modp768",
1126 "modp1024", /* group 2 */
1127 "EC2N 2^155", /* group 3 */
1128 "EC2N 2^185", /* group 4 */
1129 "modp1536", /* group 5 */
1130 "iana-grp06", "iana-grp07", /* reserved */
1131 "iana-grp08", "iana-grp09",
1132 "iana-grp10", "iana-grp11",
1133 "iana-grp12", "iana-grp13",
1134 "modp2048", /* group 14 */
1135 "modp3072", /* group 15 */
1136 "modp4096", /* group 16 */
1137 "modp6144", /* group 17 */
1138 "modp8192", /* group 18 */
1139 };
1140
1141 static const char *esp_p_map[] = {
1142 NULL, "1des-iv64", "1des", "3des", "rc5", "idea", "cast",
1143 "blowfish", "3idea", "1des-iv32", "rc4", "null", "aes"
1144 };
1145
1146 static const char *ipcomp_p_map[] = {
1147 NULL, "oui", "deflate", "lzs",
1148 };
1149
1150 static const struct attrmap ipsec_t_map[] = {
1151 { NULL, 0, { NULL } },
1152 { "lifetype", 3, { NULL, "sec", "kb", }, },
1153 { "life", 0, { NULL } },
1154 { "group desc", 18, { NULL, "modp768",
1155 "modp1024", /* group 2 */
1156 "EC2N 2^155", /* group 3 */
1157 "EC2N 2^185", /* group 4 */
1158 "modp1536", /* group 5 */
1159 "iana-grp06", "iana-grp07", /* reserved */
1160 "iana-grp08", "iana-grp09",
1161 "iana-grp10", "iana-grp11",
1162 "iana-grp12", "iana-grp13",
1163 "modp2048", /* group 14 */
1164 "modp3072", /* group 15 */
1165 "modp4096", /* group 16 */
1166 "modp6144", /* group 17 */
1167 "modp8192", /* group 18 */
1168 }, },
1169 { "enc mode", 3, { NULL, "tunnel", "transport", }, },
1170 { "auth", 5, { NULL, "hmac-md5", "hmac-sha1", "1des-mac", "keyed", }, },
1171 { "keylen", 0, { NULL } },
1172 { "rounds", 0, { NULL } },
1173 { "dictsize", 0, { NULL } },
1174 { "privalg", 0, { NULL } },
1175 };
1176
1177 static const struct attrmap encr_t_map[] = {
1178 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 0, 1 */
1179 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 2, 3 */
1180 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 4, 5 */
1181 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 6, 7 */
1182 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 8, 9 */
1183 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 10,11*/
1184 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 12,13*/
1185 { "keylen", 14, { NULL }},
1186 };
1187
1188 static const struct attrmap oakley_t_map[] = {
1189 { NULL, 0, { NULL } },
1190 { "enc", 8, { NULL, "1des", "idea", "blowfish", "rc5",
1191 "3des", "cast", "aes", }, },
1192 { "hash", 7, { NULL, "md5", "sha1", "tiger",
1193 "sha2-256", "sha2-384", "sha2-512", }, },
1194 { "auth", 6, { NULL, "preshared", "dss", "rsa sig", "rsa enc",
1195 "rsa enc revised", }, },
1196 { "group desc", 18, { NULL, "modp768",
1197 "modp1024", /* group 2 */
1198 "EC2N 2^155", /* group 3 */
1199 "EC2N 2^185", /* group 4 */
1200 "modp1536", /* group 5 */
1201 "iana-grp06", "iana-grp07", /* reserved */
1202 "iana-grp08", "iana-grp09",
1203 "iana-grp10", "iana-grp11",
1204 "iana-grp12", "iana-grp13",
1205 "modp2048", /* group 14 */
1206 "modp3072", /* group 15 */
1207 "modp4096", /* group 16 */
1208 "modp6144", /* group 17 */
1209 "modp8192", /* group 18 */
1210 }, },
1211 { "group type", 4, { NULL, "MODP", "ECP", "EC2N", }, },
1212 { "group prime", 0, { NULL } },
1213 { "group gen1", 0, { NULL } },
1214 { "group gen2", 0, { NULL } },
1215 { "group curve A", 0, { NULL } },
1216 { "group curve B", 0, { NULL } },
1217 { "lifetype", 3, { NULL, "sec", "kb", }, },
1218 { "lifeduration", 0, { NULL } },
1219 { "prf", 0, { NULL } },
1220 { "keylen", 0, { NULL } },
1221 { "field", 0, { NULL } },
1222 { "order", 0, { NULL } },
1223 };
1224
1225 static const u_char *
1226 ikev1_t_print(netdissect_options *ndo, u_char tpay _U_,
1227 const struct isakmp_gen *ext, u_int item_len,
1228 const u_char *ep, uint32_t phase _U_, uint32_t doi _U_,
1229 uint32_t proto, int depth _U_)
1230 {
1231 const struct ikev1_pl_t *p;
1232 const u_char *cp;
1233 const char *idstr;
1234 const struct attrmap *map;
1235 size_t nmap;
1236 const u_char *ep2;
1237
1238 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_T));
1239
1240 p = (const struct ikev1_pl_t *)ext;
1241 ND_TCHECK_SIZE(p);
1242
1243 switch (proto) {
1244 case 1:
1245 idstr = STR_OR_ID(GET_U_1(p->t_id), ikev1_p_map);
1246 map = oakley_t_map;
1247 nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]);
1248 break;
1249 case 2:
1250 idstr = STR_OR_ID(GET_U_1(p->t_id), ah_p_map);
1251 map = ipsec_t_map;
1252 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
1253 break;
1254 case 3:
1255 idstr = STR_OR_ID(GET_U_1(p->t_id), esp_p_map);
1256 map = ipsec_t_map;
1257 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
1258 break;
1259 case 4:
1260 idstr = STR_OR_ID(GET_U_1(p->t_id), ipcomp_p_map);
1261 map = ipsec_t_map;
1262 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
1263 break;
1264 default:
1265 idstr = NULL;
1266 map = NULL;
1267 nmap = 0;
1268 break;
1269 }
1270
1271 if (idstr)
1272 ND_PRINT(" #%u id=%s ", GET_U_1(p->t_no), idstr);
1273 else
1274 ND_PRINT(" #%u id=%u ", GET_U_1(p->t_no), GET_U_1(p->t_id));
1275 cp = (const u_char *)(p + 1);
1276 ep2 = (const u_char *)p + item_len;
1277 while (cp < ep && cp < ep2) {
1278 if (map && nmap)
1279 cp = ikev1_attrmap_print(ndo, cp, ep2, map, nmap);
1280 else
1281 cp = ikev1_attr_print(ndo, cp, ep2);
1282 if (cp == NULL)
1283 goto trunc;
1284 }
1285 if (ep < ep2)
1286 ND_PRINT("...");
1287 return cp;
1288 trunc:
1289 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_T));
1290 return NULL;
1291 }
1292
1293 static const u_char *
1294 ikev1_ke_print(netdissect_options *ndo, u_char tpay _U_,
1295 const struct isakmp_gen *ext, u_int item_len,
1296 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_,
1297 uint32_t proto _U_, int depth _U_)
1298 {
1299 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_KE));
1300
1301 ND_TCHECK_SIZE(ext);
1302 /*
1303 * Our caller has ensured that the length is >= 4.
1304 */
1305 ND_PRINT(" key len=%u", item_len - 4);
1306 if (2 < ndo->ndo_vflag && item_len > 4) {
1307 /* Print the entire payload in hex */
1308 ND_PRINT(" ");
1309 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1310 goto trunc;
1311 }
1312 return (const u_char *)ext + item_len;
1313 trunc:
1314 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_KE));
1315 return NULL;
1316 }
1317
1318 static const u_char *
1319 ikev1_id_print(netdissect_options *ndo, u_char tpay _U_,
1320 const struct isakmp_gen *ext, u_int item_len,
1321 const u_char *ep _U_, uint32_t phase, uint32_t doi _U_,
1322 uint32_t proto _U_, int depth _U_)
1323 {
1324 #define USE_IPSECDOI_IN_PHASE1 1
1325 const struct ikev1_pl_id *p;
1326 static const char *idtypestr[] = {
1327 "IPv4", "IPv4net", "IPv6", "IPv6net",
1328 };
1329 static const char *ipsecidtypestr[] = {
1330 NULL, "IPv4", "FQDN", "user FQDN", "IPv4net", "IPv6",
1331 "IPv6net", "IPv4range", "IPv6range", "ASN1 DN", "ASN1 GN",
1332 "keyid",
1333 };
1334 u_int len;
1335 const u_char *data;
1336
1337 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_ID));
1338
1339 p = (const struct ikev1_pl_id *)ext;
1340 ND_TCHECK_SIZE(p);
1341 if (sizeof(*p) < item_len) {
1342 data = (const u_char *)(p + 1);
1343 len = item_len - sizeof(*p);
1344 } else {
1345 data = NULL;
1346 len = 0;
1347 }
1348
1349 #if 0 /*debug*/
1350 ND_PRINT(" [phase=%u doi=%u proto=%u]", phase, doi, proto);
1351 #endif
1352 switch (phase) {
1353 #ifndef USE_IPSECDOI_IN_PHASE1
1354 case 1:
1355 #endif
1356 default:
1357 ND_PRINT(" idtype=%s",
1358 STR_OR_ID(GET_U_1(p->d.id_type), idtypestr));
1359 ND_PRINT(" doi_data=%u",
1360 GET_BE_U_4(p->d.doi_data) & 0xffffff);
1361 break;
1362
1363 #ifdef USE_IPSECDOI_IN_PHASE1
1364 case 1:
1365 #endif
1366 case 2:
1367 {
1368 const struct ipsecdoi_id *doi_p;
1369 const char *p_name;
1370 uint8_t type, proto_id;
1371
1372 doi_p = (const struct ipsecdoi_id *)ext;
1373 ND_TCHECK_SIZE(doi_p);
1374 type = GET_U_1(doi_p->type);
1375 ND_PRINT(" idtype=%s", STR_OR_ID(type, ipsecidtypestr));
1376 /* A protocol ID of 0 DOES NOT mean IPPROTO_IP! */
1377 proto_id = GET_U_1(doi_p->proto_id);
1378 if (!ndo->ndo_nflag && proto_id && (p_name = netdb_protoname(proto_id)) != NULL)
1379 ND_PRINT(" protoid=%s", p_name);
1380 else
1381 ND_PRINT(" protoid=%u", proto_id);
1382 ND_PRINT(" port=%u", GET_BE_U_2(doi_p->port));
1383 if (!len)
1384 break;
1385 if (data == NULL)
1386 goto trunc;
1387 ND_TCHECK_LEN(data, len);
1388 switch (type) {
1389 case IPSECDOI_ID_IPV4_ADDR:
1390 if (len < 4)
1391 ND_PRINT(" len=%u [bad: < 4]", len);
1392 else
1393 ND_PRINT(" len=%u %s", len, ipaddr_string(ndo, data));
1394 len = 0;
1395 break;
1396 case IPSECDOI_ID_FQDN:
1397 case IPSECDOI_ID_USER_FQDN:
1398 {
1399 u_int i;
1400 ND_PRINT(" len=%u ", len);
1401 for (i = 0; i < len; i++)
1402 fn_print_char(ndo, GET_U_1(data + i));
1403 len = 0;
1404 break;
1405 }
1406 case IPSECDOI_ID_IPV4_ADDR_SUBNET:
1407 {
1408 const u_char *mask;
1409 if (len < 8)
1410 ND_PRINT(" len=%u [bad: < 8]", len);
1411 else {
1412 mask = data + sizeof(nd_ipv4);
1413 ND_PRINT(" len=%u %s/%u.%u.%u.%u", len,
1414 ipaddr_string(ndo, data),
1415 GET_U_1(mask), GET_U_1(mask + 1),
1416 GET_U_1(mask + 2),
1417 GET_U_1(mask + 3));
1418 }
1419 len = 0;
1420 break;
1421 }
1422 case IPSECDOI_ID_IPV6_ADDR:
1423 if (len < 16)
1424 ND_PRINT(" len=%u [bad: < 16]", len);
1425 else
1426 ND_PRINT(" len=%u %s", len, ip6addr_string(ndo, data));
1427 len = 0;
1428 break;
1429 case IPSECDOI_ID_IPV6_ADDR_SUBNET:
1430 {
1431 const u_char *mask;
1432 if (len < 32)
1433 ND_PRINT(" len=%u [bad: < 32]", len);
1434 else {
1435 mask = (const u_char *)(data + sizeof(nd_ipv6));
1436 /*XXX*/
1437 ND_PRINT(" len=%u %s/0x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x", len,
1438 ip6addr_string(ndo, data),
1439 GET_U_1(mask), GET_U_1(mask + 1),
1440 GET_U_1(mask + 2),
1441 GET_U_1(mask + 3),
1442 GET_U_1(mask + 4),
1443 GET_U_1(mask + 5),
1444 GET_U_1(mask + 6),
1445 GET_U_1(mask + 7),
1446 GET_U_1(mask + 8),
1447 GET_U_1(mask + 9),
1448 GET_U_1(mask + 10),
1449 GET_U_1(mask + 11),
1450 GET_U_1(mask + 12),
1451 GET_U_1(mask + 13),
1452 GET_U_1(mask + 14),
1453 GET_U_1(mask + 15));
1454 }
1455 len = 0;
1456 break;
1457 }
1458 case IPSECDOI_ID_IPV4_ADDR_RANGE:
1459 if (len < 8)
1460 ND_PRINT(" len=%u [bad: < 8]", len);
1461 else {
1462 ND_PRINT(" len=%u %s-%s", len,
1463 ipaddr_string(ndo, data),
1464 ipaddr_string(ndo, data + sizeof(nd_ipv4)));
1465 }
1466 len = 0;
1467 break;
1468 case IPSECDOI_ID_IPV6_ADDR_RANGE:
1469 if (len < 32)
1470 ND_PRINT(" len=%u [bad: < 32]", len);
1471 else {
1472 ND_PRINT(" len=%u %s-%s", len,
1473 ip6addr_string(ndo, data),
1474 ip6addr_string(ndo, data + sizeof(nd_ipv6)));
1475 }
1476 len = 0;
1477 break;
1478 case IPSECDOI_ID_DER_ASN1_DN:
1479 case IPSECDOI_ID_DER_ASN1_GN:
1480 case IPSECDOI_ID_KEY_ID:
1481 break;
1482 }
1483 break;
1484 }
1485 }
1486 if (data && len) {
1487 ND_PRINT(" len=%u", len);
1488 if (2 < ndo->ndo_vflag) {
1489 ND_PRINT(" ");
1490 if (!rawprint(ndo, (const uint8_t *)data, len))
1491 goto trunc;
1492 }
1493 }
1494 return (const u_char *)ext + item_len;
1495 trunc:
1496 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_ID));
1497 return NULL;
1498 }
1499
1500 static const u_char *
1501 ikev1_cert_print(netdissect_options *ndo, u_char tpay _U_,
1502 const struct isakmp_gen *ext, u_int item_len,
1503 const u_char *ep _U_, uint32_t phase _U_,
1504 uint32_t doi0 _U_,
1505 uint32_t proto0 _U_, int depth _U_)
1506 {
1507 const struct ikev1_pl_cert *p;
1508 static const char *certstr[] = {
1509 "none", "pkcs7", "pgp", "dns",
1510 "x509sign", "x509ke", "kerberos", "crl",
1511 "arl", "spki", "x509attr",
1512 };
1513
1514 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_CERT));
1515
1516 p = (const struct ikev1_pl_cert *)ext;
1517 ND_TCHECK_SIZE(p);
1518 /*
1519 * Our caller has ensured that the length is >= 4.
1520 */
1521 ND_PRINT(" len=%u", item_len - 4);
1522 ND_PRINT(" type=%s", STR_OR_ID(GET_U_1(p->encode), certstr));
1523 if (2 < ndo->ndo_vflag && 4 < item_len) {
1524 /* Print the entire payload in hex */
1525 ND_PRINT(" ");
1526 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1527 goto trunc;
1528 }
1529 return (const u_char *)ext + item_len;
1530 trunc:
1531 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_CERT));
1532 return NULL;
1533 }
1534
1535 static const u_char *
1536 ikev1_cr_print(netdissect_options *ndo, u_char tpay _U_,
1537 const struct isakmp_gen *ext, u_int item_len,
1538 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi0 _U_,
1539 uint32_t proto0 _U_, int depth _U_)
1540 {
1541 const struct ikev1_pl_cert *p;
1542 static const char *certstr[] = {
1543 "none", "pkcs7", "pgp", "dns",
1544 "x509sign", "x509ke", "kerberos", "crl",
1545 "arl", "spki", "x509attr",
1546 };
1547
1548 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_CR));
1549
1550 p = (const struct ikev1_pl_cert *)ext;
1551 ND_TCHECK_SIZE(p);
1552 /*
1553 * Our caller has ensured that the length is >= 4.
1554 */
1555 ND_PRINT(" len=%u", item_len - 4);
1556 ND_PRINT(" type=%s", STR_OR_ID(GET_U_1(p->encode), certstr));
1557 if (2 < ndo->ndo_vflag && 4 < item_len) {
1558 /* Print the entire payload in hex */
1559 ND_PRINT(" ");
1560 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1561 goto trunc;
1562 }
1563 return (const u_char *)ext + item_len;
1564 trunc:
1565 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_CR));
1566 return NULL;
1567 }
1568
1569 static const u_char *
1570 ikev1_hash_print(netdissect_options *ndo, u_char tpay _U_,
1571 const struct isakmp_gen *ext, u_int item_len,
1572 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_,
1573 uint32_t proto _U_, int depth _U_)
1574 {
1575 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_HASH));
1576
1577 ND_TCHECK_SIZE(ext);
1578 /*
1579 * Our caller has ensured that the length is >= 4.
1580 */
1581 ND_PRINT(" len=%u", item_len - 4);
1582 if (2 < ndo->ndo_vflag && 4 < item_len) {
1583 /* Print the entire payload in hex */
1584 ND_PRINT(" ");
1585 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1586 goto trunc;
1587 }
1588 return (const u_char *)ext + item_len;
1589 trunc:
1590 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_HASH));
1591 return NULL;
1592 }
1593
1594 static const u_char *
1595 ikev1_sig_print(netdissect_options *ndo, u_char tpay _U_,
1596 const struct isakmp_gen *ext, u_int item_len,
1597 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_,
1598 uint32_t proto _U_, int depth _U_)
1599 {
1600 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_SIG));
1601
1602 ND_TCHECK_SIZE(ext);
1603 /*
1604 * Our caller has ensured that the length is >= 4.
1605 */
1606 ND_PRINT(" len=%u", item_len - 4);
1607 if (2 < ndo->ndo_vflag && 4 < item_len) {
1608 /* Print the entire payload in hex */
1609 ND_PRINT(" ");
1610 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1611 goto trunc;
1612 }
1613 return (const u_char *)ext + item_len;
1614 trunc:
1615 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_SIG));
1616 return NULL;
1617 }
1618
1619 static const u_char *
1620 ikev1_nonce_print(netdissect_options *ndo, u_char tpay _U_,
1621 const struct isakmp_gen *ext,
1622 u_int item_len,
1623 const u_char *ep,
1624 uint32_t phase _U_, uint32_t doi _U_,
1625 uint32_t proto _U_, int depth _U_)
1626 {
1627 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_NONCE));
1628
1629 ND_TCHECK_SIZE(ext);
1630 /*
1631 * Our caller has ensured that the length is >= 4.
1632 */
1633 ND_PRINT(" n len=%u", item_len - 4);
1634 if (item_len > 4) {
1635 if (ndo->ndo_vflag > 2) {
1636 ND_PRINT(" ");
1637 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1638 goto trunc;
1639 } else if (ndo->ndo_vflag > 1) {
1640 ND_PRINT(" ");
1641 if (!ike_show_somedata(ndo, (const u_char *)(ext + 1), ep))
1642 goto trunc;
1643 }
1644 }
1645 return (const u_char *)ext + item_len;
1646 trunc:
1647 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_NONCE));
1648 return NULL;
1649 }
1650
1651 static const u_char *
1652 ikev1_n_print(netdissect_options *ndo, u_char tpay _U_,
1653 const struct isakmp_gen *ext, u_int item_len,
1654 const u_char *ep, uint32_t phase _U_, uint32_t doi0 _U_,
1655 uint32_t proto0 _U_, int depth _U_)
1656 {
1657 const struct ikev1_pl_n *p;
1658 const u_char *cp;
1659 const u_char *ep2;
1660 uint32_t doi;
1661 uint32_t proto;
1662 uint16_t type;
1663 uint8_t spi_size;
1664 static const char *notify_error_str[] = {
1665 NULL, "INVALID-PAYLOAD-TYPE",
1666 "DOI-NOT-SUPPORTED", "SITUATION-NOT-SUPPORTED",
1667 "INVALID-COOKIE", "INVALID-MAJOR-VERSION",
1668 "INVALID-MINOR-VERSION", "INVALID-EXCHANGE-TYPE",
1669 "INVALID-FLAGS", "INVALID-MESSAGE-ID",
1670 "INVALID-PROTOCOL-ID", "INVALID-SPI",
1671 "INVALID-TRANSFORM-ID", "ATTRIBUTES-NOT-SUPPORTED",
1672 "NO-PROPOSAL-CHOSEN", "BAD-PROPOSAL-SYNTAX",
1673 "PAYLOAD-MALFORMED", "INVALID-KEY-INFORMATION",
1674 "INVALID-ID-INFORMATION", "INVALID-CERT-ENCODING",
1675 "INVALID-CERTIFICATE", "CERT-TYPE-UNSUPPORTED",
1676 "INVALID-CERT-AUTHORITY", "INVALID-HASH-INFORMATION",
1677 "AUTHENTICATION-FAILED", "INVALID-SIGNATURE",
1678 "ADDRESS-NOTIFICATION", "NOTIFY-SA-LIFETIME",
1679 "CERTIFICATE-UNAVAILABLE", "UNSUPPORTED-EXCHANGE-TYPE",
1680 "UNEQUAL-PAYLOAD-LENGTHS",
1681 };
1682 static const char *ipsec_notify_error_str[] = {
1683 "RESERVED",
1684 };
1685 static const char *notify_status_str[] = {
1686 "CONNECTED",
1687 };
1688 static const char *ipsec_notify_status_str[] = {
1689 "RESPONDER-LIFETIME", "REPLAY-STATUS",
1690 "INITIAL-CONTACT",
1691 };
1692 /* NOTE: these macro must be called with x in proper range */
1693
1694 /* 0 - 8191 */
1695 #define NOTIFY_ERROR_STR(x) \
1696 STR_OR_ID((x), notify_error_str)
1697
1698 /* 8192 - 16383 */
1699 #define IPSEC_NOTIFY_ERROR_STR(x) \
1700 STR_OR_ID((u_int)((x) - 8192), ipsec_notify_error_str)
1701
1702 /* 16384 - 24575 */
1703 #define NOTIFY_STATUS_STR(x) \
1704 STR_OR_ID((u_int)((x) - 16384), notify_status_str)
1705
1706 /* 24576 - 32767 */
1707 #define IPSEC_NOTIFY_STATUS_STR(x) \
1708 STR_OR_ID((u_int)((x) - 24576), ipsec_notify_status_str)
1709
1710 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_N));
1711
1712 p = (const struct ikev1_pl_n *)ext;
1713 ND_TCHECK_SIZE(p);
1714 doi = GET_BE_U_4(p->doi);
1715 proto = GET_U_1(p->prot_id);
1716 if (doi != 1) {
1717 ND_PRINT(" doi=%u", doi);
1718 ND_PRINT(" proto=%u", proto);
1719 type = GET_BE_U_2(p->type);
1720 if (type < 8192)
1721 ND_PRINT(" type=%s", NOTIFY_ERROR_STR(type));
1722 else if (type < 16384)
1723 ND_PRINT(" type=%s", numstr(type));
1724 else if (type < 24576)
1725 ND_PRINT(" type=%s", NOTIFY_STATUS_STR(type));
1726 else
1727 ND_PRINT(" type=%s", numstr(type));
1728 spi_size = GET_U_1(p->spi_size);
1729 if (spi_size) {
1730 ND_PRINT(" spi=");
1731 if (!rawprint(ndo, (const uint8_t *)(p + 1), spi_size))
1732 goto trunc;
1733 }
1734 return (const u_char *)(p + 1) + spi_size;
1735 }
1736
1737 ND_PRINT(" doi=ipsec");
1738 ND_PRINT(" proto=%s", PROTOIDSTR(proto));
1739 type = GET_BE_U_2(p->type);
1740 if (type < 8192)
1741 ND_PRINT(" type=%s", NOTIFY_ERROR_STR(type));
1742 else if (type < 16384)
1743 ND_PRINT(" type=%s", IPSEC_NOTIFY_ERROR_STR(type));
1744 else if (type < 24576)
1745 ND_PRINT(" type=%s", NOTIFY_STATUS_STR(type));
1746 else if (type < 32768)
1747 ND_PRINT(" type=%s", IPSEC_NOTIFY_STATUS_STR(type));
1748 else
1749 ND_PRINT(" type=%s", numstr(type));
1750 spi_size = GET_U_1(p->spi_size);
1751 if (spi_size) {
1752 ND_PRINT(" spi=");
1753 if (!rawprint(ndo, (const uint8_t *)(p + 1), spi_size))
1754 goto trunc;
1755 }
1756
1757 cp = (const u_char *)(p + 1) + spi_size;
1758 ep2 = (const u_char *)p + item_len;
1759
1760 if (cp < ep) {
1761 switch (type) {
1762 case IPSECDOI_NTYPE_RESPONDER_LIFETIME:
1763 {
1764 const struct attrmap *map = oakley_t_map;
1765 size_t nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]);
1766 ND_PRINT(" attrs=(");
1767 while (cp < ep && cp < ep2) {
1768 cp = ikev1_attrmap_print(ndo, cp, ep2, map, nmap);
1769 if (cp == NULL) {
1770 ND_PRINT(")");
1771 goto trunc;
1772 }
1773 }
1774 ND_PRINT(")");
1775 break;
1776 }
1777 case IPSECDOI_NTYPE_REPLAY_STATUS:
1778 ND_PRINT(" status=(");
1779 ND_PRINT("replay detection %sabled",
1780 GET_BE_U_4(cp) ? "en" : "dis");
1781 ND_PRINT(")");
1782 break;
1783 default:
1784 /*
1785 * XXX - fill in more types here; see, for example,
1786 * draft-ietf-ipsec-notifymsg-04.
1787 */
1788 if (ndo->ndo_vflag > 3) {
1789 ND_PRINT(" data=(");
1790 if (!rawprint(ndo, (const uint8_t *)(cp), ep - cp))
1791 goto trunc;
1792 ND_PRINT(")");
1793 } else {
1794 if (!ike_show_somedata(ndo, cp, ep))
1795 goto trunc;
1796 }
1797 break;
1798 }
1799 }
1800 return (const u_char *)ext + item_len;
1801 trunc:
1802 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_N));
1803 return NULL;
1804 }
1805
1806 static const u_char *
1807 ikev1_d_print(netdissect_options *ndo, u_char tpay _U_,
1808 const struct isakmp_gen *ext, u_int item_len _U_,
1809 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi0 _U_,
1810 uint32_t proto0 _U_, int depth _U_)
1811 {
1812 const struct ikev1_pl_d *p;
1813 const uint8_t *q;
1814 uint32_t doi;
1815 uint32_t proto;
1816 uint8_t spi_size;
1817 uint16_t num_spi;
1818 u_int i;
1819
1820 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_D));
1821
1822 p = (const struct ikev1_pl_d *)ext;
1823 ND_TCHECK_SIZE(p);
1824 doi = GET_BE_U_4(p->doi);
1825 proto = GET_U_1(p->prot_id);
1826 if (doi != 1) {
1827 ND_PRINT(" doi=%u", doi);
1828 ND_PRINT(" proto=%u", proto);
1829 } else {
1830 ND_PRINT(" doi=ipsec");
1831 ND_PRINT(" proto=%s", PROTOIDSTR(proto));
1832 }
1833 spi_size = GET_U_1(p->spi_size);
1834 ND_PRINT(" spilen=%u", spi_size);
1835 num_spi = GET_BE_U_2(p->num_spi);
1836 ND_PRINT(" nspi=%u", num_spi);
1837 ND_PRINT(" spi=");
1838 q = (const uint8_t *)(p + 1);
1839 for (i = 0; i < num_spi; i++) {
1840 if (i != 0)
1841 ND_PRINT(",");
1842 if (!rawprint(ndo, (const uint8_t *)q, spi_size))
1843 goto trunc;
1844 q += spi_size;
1845 }
1846 return q;
1847 trunc:
1848 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_D));
1849 return NULL;
1850 }
1851
1852 static const u_char *
1853 ikev1_vid_print(netdissect_options *ndo, u_char tpay _U_,
1854 const struct isakmp_gen *ext,
1855 u_int item_len, const u_char *ep _U_,
1856 uint32_t phase _U_, uint32_t doi _U_,
1857 uint32_t proto _U_, int depth _U_)
1858 {
1859 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_VID));
1860
1861 ND_TCHECK_SIZE(ext);
1862 /*
1863 * Our caller has ensured that the length is >= 4.
1864 */
1865 ND_PRINT(" len=%u", item_len - 4);
1866 if (2 < ndo->ndo_vflag && 4 < item_len) {
1867 /* Print the entire payload in hex */
1868 ND_PRINT(" ");
1869 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1870 goto trunc;
1871 }
1872 return (const u_char *)ext + item_len;
1873 trunc:
1874 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_VID));
1875 return NULL;
1876 }
1877
1878 /************************************************************/
1879 /* */
1880 /* IKE v2 - rfc4306 - dissector */
1881 /* */
1882 /************************************************************/
1883
1884 static void
1885 ikev2_pay_print(netdissect_options *ndo, const char *payname, uint8_t critical)
1886 {
1887 ND_PRINT("%s%s:", payname, critical&0x80 ? "[C]" : "");
1888 }
1889
1890 static const u_char *
1891 ikev2_gen_print(netdissect_options *ndo, u_char tpay,
1892 const struct isakmp_gen *ext, u_int item_len)
1893 {
1894 const struct isakmp_gen *p = (const struct isakmp_gen *)ext;
1895
1896 ND_TCHECK_SIZE(ext);
1897 ikev2_pay_print(ndo, NPSTR(tpay), GET_U_1(p->critical));
1898
1899 /*
1900 * Our caller has ensured that the length is >= 4.
1901 */
1902 ND_PRINT(" len=%u", item_len - 4);
1903 if (2 < ndo->ndo_vflag && 4 < item_len) {
1904 /* Print the entire payload in hex */
1905 ND_PRINT(" ");
1906 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1907 goto trunc;
1908 }
1909 return (const u_char *)ext + item_len;
1910 trunc:
1911 ND_PRINT(" [|%s]", NPSTR(tpay));
1912 return NULL;
1913 }
1914
1915 static const u_char *
1916 ikev2_t_print(netdissect_options *ndo, int tcount,
1917 const struct isakmp_gen *ext, u_int item_len,
1918 const u_char *ep)
1919 {
1920 const struct ikev2_t *p;
1921 uint16_t t_id;
1922 uint8_t t_type;
1923 const u_char *cp;
1924 const char *idstr;
1925 const struct attrmap *map;
1926 size_t nmap;
1927 const u_char *ep2;
1928
1929 p = (const struct ikev2_t *)ext;
1930 ND_TCHECK_SIZE(p);
1931 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_T), GET_U_1(p->h.critical));
1932
1933 t_id = GET_BE_U_2(p->t_id);
1934
1935 map = NULL;
1936 nmap = 0;
1937
1938 t_type = GET_U_1(p->t_type);
1939 switch (t_type) {
1940 case IV2_T_ENCR:
1941 idstr = STR_OR_ID(t_id, esp_p_map);
1942 map = encr_t_map;
1943 nmap = sizeof(encr_t_map)/sizeof(encr_t_map[0]);
1944 break;
1945
1946 case IV2_T_PRF:
1947 idstr = STR_OR_ID(t_id, prf_p_map);
1948 break;
1949
1950 case IV2_T_INTEG:
1951 idstr = STR_OR_ID(t_id, integ_p_map);
1952 break;
1953
1954 case IV2_T_DH:
1955 idstr = STR_OR_ID(t_id, dh_p_map);
1956 break;
1957
1958 case IV2_T_ESN:
1959 idstr = STR_OR_ID(t_id, esn_p_map);
1960 break;
1961
1962 default:
1963 idstr = NULL;
1964 break;
1965 }
1966
1967 if (idstr)
1968 ND_PRINT(" #%u type=%s id=%s ", tcount,
1969 STR_OR_ID(t_type, ikev2_t_type_map),
1970 idstr);
1971 else
1972 ND_PRINT(" #%u type=%s id=%u ", tcount,
1973 STR_OR_ID(t_type, ikev2_t_type_map),
1974 t_id);
1975 cp = (const u_char *)(p + 1);
1976 ep2 = (const u_char *)p + item_len;
1977 while (cp < ep && cp < ep2) {
1978 if (map && nmap) {
1979 cp = ikev1_attrmap_print(ndo, cp, ep2, map, nmap);
1980 } else
1981 cp = ikev1_attr_print(ndo, cp, ep2);
1982 if (cp == NULL)
1983 goto trunc;
1984 }
1985 if (ep < ep2)
1986 ND_PRINT("...");
1987 return cp;
1988 trunc:
1989 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_T));
1990 return NULL;
1991 }
1992
1993 static const u_char *
1994 ikev2_p_print(netdissect_options *ndo, u_char tpay _U_, int pcount _U_,
1995 const struct isakmp_gen *ext, u_int oprop_length,
1996 const u_char *ep, int depth)
1997 {
1998 const struct ikev2_p *p;
1999 u_int prop_length;
2000 uint8_t spi_size;
2001 const u_char *cp;
2002 int i;
2003 int tcount;
2004 u_char np;
2005 u_int item_len;
2006
2007 p = (const struct ikev2_p *)ext;
2008 ND_TCHECK_SIZE(p);
2009
2010 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_P), GET_U_1(p->h.critical));
2011
2012 /*
2013 * ikev2_sa_print() guarantees that this is >= 4.
2014 */
2015 prop_length = oprop_length - 4;
2016 ND_PRINT(" #%u protoid=%s transform=%u len=%u",
2017 GET_U_1(p->p_no), PROTOIDSTR(GET_U_1(p->prot_id)),
2018 GET_U_1(p->num_t), oprop_length);
2019 cp = (const u_char *)(p + 1);
2020
2021 spi_size = GET_U_1(p->spi_size);
2022 if (spi_size) {
2023 if (prop_length < spi_size)
2024 goto toolong;
2025 ND_PRINT(" spi=");
2026 if (!rawprint(ndo, (const uint8_t *)cp, spi_size))
2027 goto trunc;
2028 cp += spi_size;
2029 prop_length -= spi_size;
2030 }
2031
2032 /*
2033 * Print the transforms.
2034 */
2035 tcount = 0;
2036 for (np = ISAKMP_NPTYPE_T; np != 0; np = GET_U_1(ext->np)) {
2037 tcount++;
2038 ext = (const struct isakmp_gen *)cp;
2039 if (prop_length < sizeof(*ext))
2040 goto toolong;
2041 ND_TCHECK_SIZE(ext);
2042
2043 /*
2044 * Since we can't have a payload length of less than 4 bytes,
2045 * we need to bail out here if the generic header is nonsensical
2046 * or truncated, otherwise we could loop forever processing
2047 * zero-length items or otherwise misdissect the packet.
2048 */
2049 item_len = GET_BE_U_2(ext->len);
2050 if (item_len <= 4)
2051 goto trunc;
2052
2053 if (prop_length < item_len)
2054 goto toolong;
2055 ND_TCHECK_LEN(cp, item_len);
2056
2057 depth++;
2058 ND_PRINT("\n");
2059 for (i = 0; i < depth; i++)
2060 ND_PRINT(" ");
2061 ND_PRINT("(");
2062 if (np == ISAKMP_NPTYPE_T) {
2063 cp = ikev2_t_print(ndo, tcount, ext, item_len, ep);
2064 if (cp == NULL) {
2065 /* error, already reported */
2066 return NULL;
2067 }
2068 } else {
2069 ND_PRINT("%s", NPSTR(np));
2070 cp += item_len;
2071 }
2072 ND_PRINT(")");
2073 depth--;
2074 prop_length -= item_len;
2075 }
2076 return cp;
2077 toolong:
2078 /*
2079 * Skip the rest of the proposal.
2080 */
2081 cp += prop_length;
2082 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_P));
2083 return cp;
2084 trunc:
2085 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_P));
2086 return NULL;
2087 }
2088
2089 static const u_char *
2090 ikev2_sa_print(netdissect_options *ndo, u_char tpay,
2091 const struct isakmp_gen *ext1,
2092 u_int osa_length, const u_char *ep,
2093 uint32_t phase _U_, uint32_t doi _U_,
2094 uint32_t proto _U_, int depth)
2095 {
2096 const struct isakmp_gen *ext;
2097 u_int sa_length;
2098 const u_char *cp;
2099 int i;
2100 int pcount;
2101 u_char np;
2102 u_int item_len;
2103
2104 ND_TCHECK_SIZE(ext1);
2105 ikev2_pay_print(ndo, "sa", GET_U_1(ext1->critical));
2106
2107 /*
2108 * ikev2_sub0_print() guarantees that this is >= 4.
2109 */
2110 osa_length= GET_BE_U_2(ext1->len);
2111 sa_length = osa_length - 4;
2112 ND_PRINT(" len=%u", sa_length);
2113
2114 /*
2115 * Print the payloads.
2116 */
2117 cp = (const u_char *)(ext1 + 1);
2118 pcount = 0;
2119 for (np = ISAKMP_NPTYPE_P; np != 0; np = GET_U_1(ext->np)) {
2120 pcount++;
2121 ext = (const struct isakmp_gen *)cp;
2122 if (sa_length < sizeof(*ext))
2123 goto toolong;
2124 ND_TCHECK_SIZE(ext);
2125
2126 /*
2127 * Since we can't have a payload length of less than 4 bytes,
2128 * we need to bail out here if the generic header is nonsensical
2129 * or truncated, otherwise we could loop forever processing
2130 * zero-length items or otherwise misdissect the packet.
2131 */
2132 item_len = GET_BE_U_2(ext->len);
2133 if (item_len <= 4)
2134 goto trunc;
2135
2136 if (sa_length < item_len)
2137 goto toolong;
2138 ND_TCHECK_LEN(cp, item_len);
2139
2140 depth++;
2141 ND_PRINT("\n");
2142 for (i = 0; i < depth; i++)
2143 ND_PRINT(" ");
2144 ND_PRINT("(");
2145 if (np == ISAKMP_NPTYPE_P) {
2146 cp = ikev2_p_print(ndo, np, pcount, ext, item_len,
2147 ep, depth);
2148 if (cp == NULL) {
2149 /* error, already reported */
2150 return NULL;
2151 }
2152 } else {
2153 ND_PRINT("%s", NPSTR(np));
2154 cp += item_len;
2155 }
2156 ND_PRINT(")");
2157 depth--;
2158 sa_length -= item_len;
2159 }
2160 return cp;
2161 toolong:
2162 /*
2163 * Skip the rest of the SA.
2164 */
2165 cp += sa_length;
2166 ND_PRINT(" [|%s]", NPSTR(tpay));
2167 return cp;
2168 trunc:
2169 ND_PRINT(" [|%s]", NPSTR(tpay));
2170 return NULL;
2171 }
2172
2173 static const u_char *
2174 ikev2_ke_print(netdissect_options *ndo, u_char tpay,
2175 const struct isakmp_gen *ext,
2176 u_int item_len, const u_char *ep _U_,
2177 uint32_t phase _U_, uint32_t doi _U_,
2178 uint32_t proto _U_, int depth _U_)
2179 {
2180 const struct ikev2_ke *k;
2181
2182 k = (const struct ikev2_ke *)ext;
2183 ND_TCHECK_SIZE(k);
2184 ikev2_pay_print(ndo, NPSTR(tpay), GET_U_1(k->h.critical));
2185
2186 if (item_len < 8) {
2187 ND_PRINT(" len=%u < 8", item_len);
2188 return (const u_char *)ext + item_len;
2189 }
2190 ND_PRINT(" len=%u group=%s", item_len - 8,
2191 STR_OR_ID(GET_BE_U_2(k->ke_group), dh_p_map));
2192
2193 if (2 < ndo->ndo_vflag && 8 < item_len) {
2194 ND_PRINT(" ");
2195 if (!rawprint(ndo, (const uint8_t *)(k + 1), item_len - 8))
2196 goto trunc;
2197 }
2198 return (const u_char *)ext + item_len;
2199 trunc:
2200 ND_PRINT(" [|%s]", NPSTR(tpay));
2201 return NULL;
2202 }
2203
2204 static const u_char *
2205 ikev2_ID_print(netdissect_options *ndo, u_char tpay,
2206 const struct isakmp_gen *ext,
2207 u_int item_len, const u_char *ep _U_,
2208 uint32_t phase _U_, uint32_t doi _U_,
2209 uint32_t proto _U_, int depth _U_)
2210 {
2211 const struct ikev2_id *idp;
2212 u_int idtype_len, i;
2213 unsigned int dumpascii, dumphex;
2214 const unsigned char *typedata;
2215
2216 idp = (const struct ikev2_id *)ext;
2217 ND_TCHECK_SIZE(idp);
2218 ikev2_pay_print(ndo, NPSTR(tpay), GET_U_1(idp->h.critical));
2219
2220 /*
2221 * Our caller has ensured that the length is >= 4.
2222 */
2223 ND_PRINT(" len=%u", item_len - 4);
2224 if (2 < ndo->ndo_vflag && 4 < item_len) {
2225 /* Print the entire payload in hex */
2226 ND_PRINT(" ");
2227 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
2228 goto trunc;
2229 }
2230
2231 idtype_len =item_len - sizeof(struct ikev2_id);
2232 dumpascii = 0;
2233 dumphex = 0;
2234 typedata = (const unsigned char *)(ext)+sizeof(struct ikev2_id);
2235
2236 switch(GET_U_1(idp->type)) {
2237 case ID_IPV4_ADDR:
2238 ND_PRINT(" ipv4:");
2239 dumphex=1;
2240 break;
2241 case ID_FQDN:
2242 ND_PRINT(" fqdn:");
2243 dumpascii=1;
2244 break;
2245 case ID_RFC822_ADDR:
2246 ND_PRINT(" rfc822:");
2247 dumpascii=1;
2248 break;
2249 case ID_IPV6_ADDR:
2250 ND_PRINT(" ipv6:");
2251 dumphex=1;
2252 break;
2253 case ID_DER_ASN1_DN:
2254 ND_PRINT(" dn:");
2255 dumphex=1;
2256 break;
2257 case ID_DER_ASN1_GN:
2258 ND_PRINT(" gn:");
2259 dumphex=1;
2260 break;
2261 case ID_KEY_ID:
2262 ND_PRINT(" keyid:");
2263 dumphex=1;
2264 break;
2265 }
2266
2267 if(dumpascii) {
2268 ND_TCHECK_LEN(typedata, idtype_len);
2269 for(i=0; i<idtype_len; i++) {
2270 if(ND_ISPRINT(GET_U_1(typedata + i))) {
2271 ND_PRINT("%c", GET_U_1(typedata + i));
2272 } else {
2273 ND_PRINT(".");
2274 }
2275 }
2276 }
2277 if(dumphex) {
2278 if (!rawprint(ndo, (const uint8_t *)typedata, idtype_len))
2279 goto trunc;
2280 }
2281
2282 return (const u_char *)ext + item_len;
2283 trunc:
2284 ND_PRINT(" [|%s]", NPSTR(tpay));
2285 return NULL;
2286 }
2287
2288 static const u_char *
2289 ikev2_cert_print(netdissect_options *ndo, u_char tpay,
2290 const struct isakmp_gen *ext,
2291 u_int item_len, const u_char *ep _U_,
2292 uint32_t phase _U_, uint32_t doi _U_,
2293 uint32_t proto _U_, int depth _U_)
2294 {
2295 return ikev2_gen_print(ndo, tpay, ext, item_len);
2296 }
2297
2298 static const u_char *
2299 ikev2_cr_print(netdissect_options *ndo, u_char tpay,
2300 const struct isakmp_gen *ext,
2301 u_int item_len, const u_char *ep _U_,
2302 uint32_t phase _U_, uint32_t doi _U_,
2303 uint32_t proto _U_, int depth _U_)
2304 {
2305 return ikev2_gen_print(ndo, tpay, ext, item_len);
2306 }
2307
2308 static const u_char *
2309 ikev2_auth_print(netdissect_options *ndo, u_char tpay,
2310 const struct isakmp_gen *ext,
2311 u_int item_len, const u_char *ep,
2312 uint32_t phase _U_, uint32_t doi _U_,
2313 uint32_t proto _U_, int depth _U_)
2314 {
2315 const struct ikev2_auth *p;
2316 const char *v2_auth[]={ "invalid", "rsasig",
2317 "shared-secret", "dsssig" };
2318 const u_char *authdata = (const u_char*)ext + sizeof(struct ikev2_auth);
2319
2320 ND_TCHECK_LEN(ext, sizeof(struct ikev2_auth));
2321 p = (const struct ikev2_auth *)ext;
2322 ikev2_pay_print(ndo, NPSTR(tpay), GET_U_1(p->h.critical));
2323
2324 /*
2325 * Our caller has ensured that the length is >= 4.
2326 */
2327 ND_PRINT(" len=%u method=%s", item_len-4,
2328 STR_OR_ID(GET_U_1(p->auth_method), v2_auth));
2329 if (item_len > 4) {
2330 if (ndo->ndo_vflag > 1) {
2331 ND_PRINT(" authdata=(");
2332 if (!rawprint(ndo, (const uint8_t *)authdata, item_len - sizeof(struct ikev2_auth)))
2333 goto trunc;
2334 ND_PRINT(") ");
2335 } else if (ndo->ndo_vflag) {
2336 if (!ike_show_somedata(ndo, authdata, ep))
2337 goto trunc;
2338 }
2339 }
2340
2341 return (const u_char *)ext + item_len;
2342 trunc:
2343 ND_PRINT(" [|%s]", NPSTR(tpay));
2344 return NULL;
2345 }
2346
2347 static const u_char *
2348 ikev2_nonce_print(netdissect_options *ndo, u_char tpay,
2349 const struct isakmp_gen *ext,
2350 u_int item_len, const u_char *ep,
2351 uint32_t phase _U_, uint32_t doi _U_,
2352 uint32_t proto _U_, int depth _U_)
2353 {
2354 ND_TCHECK_SIZE(ext);
2355 ikev2_pay_print(ndo, "nonce", GET_U_1(ext->critical));
2356
2357 /*
2358 * Our caller has ensured that the length is >= 4.
2359 */
2360 ND_PRINT(" len=%u", item_len - 4);
2361 if (1 < ndo->ndo_vflag && 4 < item_len) {
2362 ND_PRINT(" nonce=(");
2363 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
2364 goto trunc;
2365 ND_PRINT(") ");
2366 } else if(ndo->ndo_vflag && 4 < item_len) {
2367 if(!ike_show_somedata(ndo, (const u_char *)(ext+1), ep)) goto trunc;
2368 }
2369
2370 return (const u_char *)ext + item_len;
2371 trunc:
2372 ND_PRINT(" [|%s]", NPSTR(tpay));
2373 return NULL;
2374 }
2375
2376 /* notify payloads */
2377 static const u_char *
2378 ikev2_n_print(netdissect_options *ndo, u_char tpay _U_,
2379 const struct isakmp_gen *ext,
2380 u_int item_len, const u_char *ep,
2381 uint32_t phase _U_, uint32_t doi _U_,
2382 uint32_t proto _U_, int depth _U_)
2383 {
2384 const struct ikev2_n *p;
2385 uint16_t type;
2386 uint8_t spi_size;
2387 const u_char *cp;
2388 u_char showspi, showsomedata;
2389 const char *notify_name;
2390
2391 p = (const struct ikev2_n *)ext;
2392 ND_TCHECK_SIZE(p);
2393 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_N), GET_U_1(p->h.critical));
2394
2395 showspi = 1;
2396 showsomedata=0;
2397 notify_name=NULL;
2398
2399 ND_PRINT(" prot_id=%s", PROTOIDSTR(GET_U_1(p->prot_id)));
2400
2401 type = GET_BE_U_2(p->type);
2402
2403 /* notify space is annoying sparse */
2404 switch(type) {
2405 case IV2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD:
2406 notify_name = "unsupported_critical_payload";
2407 showspi = 0;
2408 break;
2409
2410 case IV2_NOTIFY_INVALID_IKE_SPI:
2411 notify_name = "invalid_ike_spi";
2412 showspi = 1;
2413 break;
2414
2415 case IV2_NOTIFY_INVALID_MAJOR_VERSION:
2416 notify_name = "invalid_major_version";
2417 showspi = 0;
2418 break;
2419
2420 case IV2_NOTIFY_INVALID_SYNTAX:
2421 notify_name = "invalid_syntax";
2422 showspi = 1;
2423 break;
2424
2425 case IV2_NOTIFY_INVALID_MESSAGE_ID:
2426 notify_name = "invalid_message_id";
2427 showspi = 1;
2428 break;
2429
2430 case IV2_NOTIFY_INVALID_SPI:
2431 notify_name = "invalid_spi";
2432 showspi = 1;
2433 break;
2434
2435 case IV2_NOTIFY_NO_PROPOSAL_CHOSEN:
2436 notify_name = "no_protocol_chosen";
2437 showspi = 1;
2438 break;
2439
2440 case IV2_NOTIFY_INVALID_KE_PAYLOAD:
2441 notify_name = "invalid_ke_payload";
2442 showspi = 1;
2443 break;
2444
2445 case IV2_NOTIFY_AUTHENTICATION_FAILED:
2446 notify_name = "authentication_failed";
2447 showspi = 1;
2448 break;
2449
2450 case IV2_NOTIFY_SINGLE_PAIR_REQUIRED:
2451 notify_name = "single_pair_required";
2452 showspi = 1;
2453 break;
2454
2455 case IV2_NOTIFY_NO_ADDITIONAL_SAS:
2456 notify_name = "no_additional_sas";
2457 showspi = 0;
2458 break;
2459
2460 case IV2_NOTIFY_INTERNAL_ADDRESS_FAILURE:
2461 notify_name = "internal_address_failure";
2462 showspi = 0;
2463 break;
2464
2465 case IV2_NOTIFY_FAILED_CP_REQUIRED:
2466 notify_name = "failed:cp_required";
2467 showspi = 0;
2468 break;
2469
2470 case IV2_NOTIFY_INVALID_SELECTORS:
2471 notify_name = "invalid_selectors";
2472 showspi = 0;
2473 break;
2474
2475 case IV2_NOTIFY_INITIAL_CONTACT:
2476 notify_name = "initial_contact";
2477 showspi = 0;
2478 break;
2479
2480 case IV2_NOTIFY_SET_WINDOW_SIZE:
2481 notify_name = "set_window_size";
2482 showspi = 0;
2483 break;
2484
2485 case IV2_NOTIFY_ADDITIONAL_TS_POSSIBLE:
2486 notify_name = "additional_ts_possible";
2487 showspi = 0;
2488 break;
2489
2490 case IV2_NOTIFY_IPCOMP_SUPPORTED:
2491 notify_name = "ipcomp_supported";
2492 showspi = 0;
2493 break;
2494
2495 case IV2_NOTIFY_NAT_DETECTION_SOURCE_IP:
2496 notify_name = "nat_detection_source_ip";
2497 showspi = 1;
2498 break;
2499
2500 case IV2_NOTIFY_NAT_DETECTION_DESTINATION_IP:
2501 notify_name = "nat_detection_destination_ip";
2502 showspi = 1;
2503 break;
2504
2505 case IV2_NOTIFY_COOKIE:
2506 notify_name = "cookie";
2507 showspi = 1;
2508 showsomedata= 1;
2509 break;
2510
2511 case IV2_NOTIFY_USE_TRANSPORT_MODE:
2512 notify_name = "use_transport_mode";
2513 showspi = 0;
2514 break;
2515
2516 case IV2_NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED:
2517 notify_name = "http_cert_lookup_supported";
2518 showspi = 0;
2519 break;
2520
2521 case IV2_NOTIFY_REKEY_SA:
2522 notify_name = "rekey_sa";
2523 showspi = 1;
2524 break;
2525
2526 case IV2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED:
2527 notify_name = "tfc_padding_not_supported";
2528 showspi = 0;
2529 break;
2530
2531 case IV2_NOTIFY_NON_FIRST_FRAGMENTS_ALSO:
2532 notify_name = "non_first_fragment_also";
2533 showspi = 0;
2534 break;
2535
2536 default:
2537 if (type < 8192) {
2538 notify_name="error";
2539 } else if(type < 16384) {
2540 notify_name="private-error";
2541 } else if(type < 40960) {
2542 notify_name="status";
2543 } else {
2544 notify_name="private-status";
2545 }
2546 }
2547
2548 if(notify_name) {
2549 ND_PRINT(" type=%u(%s)", type, notify_name);
2550 }
2551
2552
2553 spi_size = GET_U_1(p->spi_size);
2554 if (showspi && spi_size) {
2555 ND_PRINT(" spi=");
2556 if (!rawprint(ndo, (const uint8_t *)(p + 1), spi_size))
2557 goto trunc;
2558 }
2559
2560 cp = (const u_char *)(p + 1) + spi_size;
2561
2562 if (cp < ep) {
2563 if (ndo->ndo_vflag > 3 || (showsomedata && ep-cp < 30)) {
2564 ND_PRINT(" data=(");
2565 if (!rawprint(ndo, (const uint8_t *)(cp), ep - cp))
2566 goto trunc;
2567
2568 ND_PRINT(")");
2569 } else if (showsomedata) {
2570 if (!ike_show_somedata(ndo, cp, ep))
2571 goto trunc;
2572 }
2573 }
2574
2575 return (const u_char *)ext + item_len;
2576 trunc:
2577 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_N));
2578 return NULL;
2579 }
2580
2581 static const u_char *
2582 ikev2_d_print(netdissect_options *ndo, u_char tpay,
2583 const struct isakmp_gen *ext,
2584 u_int item_len, const u_char *ep _U_,
2585 uint32_t phase _U_, uint32_t doi _U_,
2586 uint32_t proto _U_, int depth _U_)
2587 {
2588 return ikev2_gen_print(ndo, tpay, ext, item_len);
2589 }
2590
2591 static const u_char *
2592 ikev2_vid_print(netdissect_options *ndo, u_char tpay,
2593 const struct isakmp_gen *ext,
2594 u_int item_len, const u_char *ep _U_,
2595 uint32_t phase _U_, uint32_t doi _U_,
2596 uint32_t proto _U_, int depth _U_)
2597 {
2598 const u_char *vid;
2599 u_int i, len;
2600
2601 ND_TCHECK_SIZE(ext);
2602 ikev2_pay_print(ndo, NPSTR(tpay), GET_U_1(ext->critical));
2603
2604 /*
2605 * Our caller has ensured that the length is >= 4.
2606 */
2607 ND_PRINT(" len=%u vid=", item_len - 4);
2608
2609 vid = (const u_char *)(ext+1);
2610 len = item_len - 4;
2611 ND_TCHECK_LEN(vid, len);
2612 for(i=0; i<len; i++) {
2613 if(ND_ISPRINT(GET_U_1(vid + i)))
2614 ND_PRINT("%c", GET_U_1(vid + i));
2615 else ND_PRINT(".");
2616 }
2617 if (2 < ndo->ndo_vflag && 4 < len) {
2618 /* Print the entire payload in hex */
2619 ND_PRINT(" ");
2620 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
2621 goto trunc;
2622 }
2623 return (const u_char *)ext + item_len;
2624 trunc:
2625 ND_PRINT(" [|%s]", NPSTR(tpay));
2626 return NULL;
2627 }
2628
2629 static const u_char *
2630 ikev2_TS_print(netdissect_options *ndo, u_char tpay,
2631 const struct isakmp_gen *ext,
2632 u_int item_len, const u_char *ep _U_,
2633 uint32_t phase _U_, uint32_t doi _U_,
2634 uint32_t proto _U_, int depth _U_)
2635 {
2636 return ikev2_gen_print(ndo, tpay, ext, item_len);
2637 }
2638
2639 static const u_char *
2640 ikev2_e_print(netdissect_options *ndo,
2641 #ifndef HAVE_LIBCRYPTO
2642 _U_
2643 #endif
2644 const struct isakmp *base,
2645 u_char tpay,
2646 const struct isakmp_gen *ext,
2647 u_int item_len, const u_char *ep _U_,
2648 #ifndef HAVE_LIBCRYPTO
2649 _U_
2650 #endif
2651 uint32_t phase,
2652 #ifndef HAVE_LIBCRYPTO
2653 _U_
2654 #endif
2655 uint32_t doi,
2656 #ifndef HAVE_LIBCRYPTO
2657 _U_
2658 #endif
2659 uint32_t proto,
2660 #ifndef HAVE_LIBCRYPTO
2661 _U_
2662 #endif
2663 int depth)
2664 {
2665 const u_char *dat;
2666 u_int dlen;
2667 #ifdef HAVE_LIBCRYPTO
2668 uint8_t np;
2669 #endif
2670
2671 ND_TCHECK_SIZE(ext);
2672 ikev2_pay_print(ndo, NPSTR(tpay), GET_U_1(ext->critical));
2673
2674 dlen = item_len-4;
2675
2676 ND_PRINT(" len=%u", dlen);
2677 if (2 < ndo->ndo_vflag && 4 < dlen) {
2678 ND_PRINT(" ");
2679 if (!rawprint(ndo, (const uint8_t *)(ext + 1), dlen))
2680 goto trunc;
2681 }
2682
2683 dat = (const u_char *)(ext+1);
2684 ND_TCHECK_LEN(dat, dlen);
2685
2686 #ifdef HAVE_LIBCRYPTO
2687 np = GET_U_1(ext->np);
2688
2689 /* try to decrypt it! */
2690 if(esp_print_decrypt_buffer_by_ikev2(ndo,
2691 GET_U_1(base->flags) & ISAKMP_FLAG_I,
2692 base->i_ck, base->r_ck,
2693 dat, dat+dlen)) {
2694
2695 ext = (const struct isakmp_gen *)ndo->ndo_packetp;
2696
2697 /* got it decrypted, print stuff inside. */
2698 ikev2_sub_print(ndo, base, np, ext,
2699 ndo->ndo_snapend, phase, doi, proto, depth+1);
2700 }
2701 #endif
2702
2703
2704 /* always return NULL, because E must be at end, and NP refers
2705 * to what was inside.
2706 */
2707 return NULL;
2708 trunc:
2709 ND_PRINT(" [|%s]", NPSTR(tpay));
2710 return NULL;
2711 }
2712
2713 static const u_char *
2714 ikev2_cp_print(netdissect_options *ndo, u_char tpay,
2715 const struct isakmp_gen *ext,
2716 u_int item_len, const u_char *ep _U_,
2717 uint32_t phase _U_, uint32_t doi _U_,
2718 uint32_t proto _U_, int depth _U_)
2719 {
2720 return ikev2_gen_print(ndo, tpay, ext, item_len);
2721 }
2722
2723 static const u_char *
2724 ikev2_eap_print(netdissect_options *ndo, u_char tpay,
2725 const struct isakmp_gen *ext,
2726 u_int item_len, const u_char *ep _U_,
2727 uint32_t phase _U_, uint32_t doi _U_,
2728 uint32_t proto _U_, int depth _U_)
2729 {
2730 return ikev2_gen_print(ndo, tpay, ext, item_len);
2731 }
2732
2733 static const u_char *
2734 ike_sub0_print(netdissect_options *ndo,
2735 u_char np, const struct isakmp_gen *ext, const u_char *ep,
2736
2737 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
2738 {
2739 const u_char *cp;
2740 u_int item_len;
2741
2742 cp = (const u_char *)ext;
2743 ND_TCHECK_SIZE(ext);
2744
2745 /*
2746 * Since we can't have a payload length of less than 4 bytes,
2747 * we need to bail out here if the generic header is nonsensical
2748 * or truncated, otherwise we could loop forever processing
2749 * zero-length items or otherwise misdissect the packet.
2750 */
2751 item_len = GET_BE_U_2(ext->len);
2752 if (item_len <= 4)
2753 return NULL;
2754
2755 if (NPFUNC(np)) {
2756 /*
2757 * XXX - what if item_len is too short, or too long,
2758 * for this payload type?
2759 */
2760 cp = (*npfunc[np])(ndo, np, ext, item_len, ep, phase, doi, proto, depth);
2761 } else {
2762 ND_PRINT("%s", NPSTR(np));
2763 cp += item_len;
2764 }
2765
2766 return cp;
2767 trunc:
2768 nd_print_trunc(ndo);
2769 return NULL;
2770 }
2771
2772 static const u_char *
2773 ikev1_sub_print(netdissect_options *ndo,
2774 u_char np, const struct isakmp_gen *ext, const u_char *ep,
2775 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
2776 {
2777 const u_char *cp;
2778 int i;
2779 u_int item_len;
2780
2781 cp = (const u_char *)ext;
2782
2783 while (np) {
2784 ND_TCHECK_SIZE(ext);
2785
2786 item_len = GET_BE_U_2(ext->len);
2787 ND_TCHECK_LEN(ext, item_len);
2788
2789 depth++;
2790 ND_PRINT("\n");
2791 for (i = 0; i < depth; i++)
2792 ND_PRINT(" ");
2793 ND_PRINT("(");
2794 cp = ike_sub0_print(ndo, np, ext, ep, phase, doi, proto, depth);
2795 ND_PRINT(")");
2796 depth--;
2797
2798 if (cp == NULL) {
2799 /* Zero-length subitem */
2800 return NULL;
2801 }
2802
2803 np = GET_U_1(ext->np);
2804 ext = (const struct isakmp_gen *)cp;
2805 }
2806 return cp;
2807 trunc:
2808 ND_PRINT(" [|%s]", NPSTR(np));
2809 return NULL;
2810 }
2811
2812 static char *
2813 numstr(u_int x)
2814 {
2815 static char buf[20];
2816 nd_snprintf(buf, sizeof(buf), "#%u", x);
2817 return buf;
2818 }
2819
2820 static void
2821 ikev1_print(netdissect_options *ndo,
2822 const u_char *bp, u_int length,
2823 const u_char *bp2, const struct isakmp *base)
2824 {
2825 const struct isakmp *p;
2826 const u_char *ep;
2827 u_int flags;
2828 u_char np;
2829 int i;
2830 u_int phase;
2831
2832 p = (const struct isakmp *)bp;
2833 ep = ndo->ndo_snapend;
2834
2835 phase = (GET_BE_U_4(base->msgid) == 0) ? 1 : 2;
2836 if (phase == 1)
2837 ND_PRINT(" phase %u", phase);
2838 else
2839 ND_PRINT(" phase %u/others", phase);
2840
2841 i = cookie_find(&base->i_ck);
2842 if (i < 0) {
2843 if (iszero((const u_char *)&base->r_ck, sizeof(base->r_ck))) {
2844 /* the first packet */
2845 ND_PRINT(" I");
2846 if (bp2)
2847 cookie_record(ndo, &base->i_ck, bp2);
2848 } else
2849 ND_PRINT(" ?");
2850 } else {
2851 if (bp2 && cookie_isinitiator(ndo, i, bp2))
2852 ND_PRINT(" I");
2853 else if (bp2 && cookie_isresponder(ndo, i, bp2))
2854 ND_PRINT(" R");
2855 else
2856 ND_PRINT(" ?");
2857 }
2858
2859 ND_PRINT(" %s", ETYPESTR(GET_U_1(base->etype)));
2860 flags = GET_U_1(base->flags);
2861 if (flags) {
2862 ND_PRINT("[%s%s]", flags & ISAKMP_FLAG_E ? "E" : "",
2863 flags & ISAKMP_FLAG_C ? "C" : "");
2864 }
2865
2866 if (ndo->ndo_vflag) {
2867 const struct isakmp_gen *ext;
2868
2869 ND_PRINT(":");
2870
2871 np = GET_U_1(base->np);
2872
2873 /* regardless of phase... */
2874 if (flags & ISAKMP_FLAG_E) {
2875 /*
2876 * encrypted, nothing we can do right now.
2877 * we hope to decrypt the packet in the future...
2878 */
2879 ND_PRINT(" [encrypted %s]", NPSTR(np));
2880 goto done;
2881 }
2882
2883 CHECKLEN(p + 1, np);
2884 ext = (const struct isakmp_gen *)(p + 1);
2885 ikev1_sub_print(ndo, np, ext, ep, phase, 0, 0, 0);
2886 }
2887
2888 done:
2889 if (ndo->ndo_vflag) {
2890 if (GET_BE_U_4(base->len) != length) {
2891 ND_PRINT(" (len mismatch: isakmp %u/ip %u)",
2892 GET_BE_U_4(base->len), length);
2893 }
2894 }
2895 }
2896
2897 static const u_char *
2898 ikev2_sub0_print(netdissect_options *ndo, const struct isakmp *base,
2899 u_char np,
2900 const struct isakmp_gen *ext, const u_char *ep,
2901 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
2902 {
2903 const u_char *cp;
2904 u_int item_len;
2905
2906 cp = (const u_char *)ext;
2907 ND_TCHECK_SIZE(ext);
2908
2909 /*
2910 * Since we can't have a payload length of less than 4 bytes,
2911 * we need to bail out here if the generic header is nonsensical
2912 * or truncated, otherwise we could loop forever processing
2913 * zero-length items or otherwise misdissect the packet.
2914 */
2915 item_len = GET_BE_U_2(ext->len);
2916 if (item_len <= 4)
2917 return NULL;
2918
2919 if (np == ISAKMP_NPTYPE_v2E) {
2920 cp = ikev2_e_print(ndo, base, np, ext, item_len,
2921 ep, phase, doi, proto, depth);
2922 } else if (NPFUNC(np)) {
2923 /*
2924 * XXX - what if item_len is too short, or too long,
2925 * for this payload type?
2926 */
2927 cp = (*npfunc[np])(ndo, np, ext, item_len,
2928 ep, phase, doi, proto, depth);
2929 } else {
2930 ND_PRINT("%s", NPSTR(np));
2931 cp += item_len;
2932 }
2933
2934 return cp;
2935 trunc:
2936 nd_print_trunc(ndo);
2937 return NULL;
2938 }
2939
2940 static const u_char *
2941 ikev2_sub_print(netdissect_options *ndo,
2942 const struct isakmp *base,
2943 u_char np, const struct isakmp_gen *ext, const u_char *ep,
2944 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
2945 {
2946 const u_char *cp;
2947 int i;
2948
2949 cp = (const u_char *)ext;
2950 while (np) {
2951 ND_TCHECK_SIZE(ext);
2952
2953 ND_TCHECK_LEN(ext, GET_BE_U_2(ext->len));
2954
2955 depth++;
2956 ND_PRINT("\n");
2957 for (i = 0; i < depth; i++)
2958 ND_PRINT(" ");
2959 ND_PRINT("(");
2960 cp = ikev2_sub0_print(ndo, base, np,
2961 ext, ep, phase, doi, proto, depth);
2962 ND_PRINT(")");
2963 depth--;
2964
2965 if (cp == NULL) {
2966 /* Zero-length subitem */
2967 return NULL;
2968 }
2969
2970 np = GET_U_1(ext->np);
2971 ext = (const struct isakmp_gen *)cp;
2972 }
2973 return cp;
2974 trunc:
2975 ND_PRINT(" [|%s]", NPSTR(np));
2976 return NULL;
2977 }
2978
2979 static void
2980 ikev2_print(netdissect_options *ndo,
2981 const u_char *bp, u_int length,
2982 const u_char *bp2 _U_, const struct isakmp *base)
2983 {
2984 const struct isakmp *p;
2985 const u_char *ep;
2986 uint8_t flags;
2987 u_char np;
2988 u_int phase;
2989
2990 p = (const struct isakmp *)bp;
2991 ep = ndo->ndo_snapend;
2992
2993 phase = (GET_BE_U_4(base->msgid) == 0) ? 1 : 2;
2994 if (phase == 1)
2995 ND_PRINT(" parent_sa");
2996 else
2997 ND_PRINT(" child_sa ");
2998
2999 ND_PRINT(" %s", ETYPESTR(GET_U_1(base->etype)));
3000 flags = GET_U_1(base->flags);
3001 if (flags) {
3002 ND_PRINT("[%s%s%s]",
3003 flags & ISAKMP_FLAG_I ? "I" : "",
3004 flags & ISAKMP_FLAG_V ? "V" : "",
3005 flags & ISAKMP_FLAG_R ? "R" : "");
3006 }
3007
3008 if (ndo->ndo_vflag) {
3009 const struct isakmp_gen *ext;
3010
3011 ND_PRINT(":");
3012
3013 np = GET_U_1(base->np);
3014
3015 /* regardless of phase... */
3016 if (flags & ISAKMP_FLAG_E) {
3017 /*
3018 * encrypted, nothing we can do right now.
3019 * we hope to decrypt the packet in the future...
3020 */
3021 ND_PRINT(" [encrypted %s]", NPSTR(np));
3022 goto done;
3023 }
3024
3025 CHECKLEN(p + 1, np)
3026 ext = (const struct isakmp_gen *)(p + 1);
3027 ikev2_sub_print(ndo, base, np, ext, ep, phase, 0, 0, 0);
3028 }
3029
3030 done:
3031 if (ndo->ndo_vflag) {
3032 if (GET_BE_U_4(base->len) != length) {
3033 ND_PRINT(" (len mismatch: isakmp %u/ip %u)",
3034 GET_BE_U_4(base->len), length);
3035 }
3036 }
3037 }
3038
3039 void
3040 isakmp_print(netdissect_options *ndo,
3041 const u_char *bp, u_int length,
3042 const u_char *bp2)
3043 {
3044 const struct isakmp *p;
3045 const u_char *ep;
3046 u_int major, minor;
3047
3048 ndo->ndo_protocol = "isakmp";
3049 #ifdef HAVE_LIBCRYPTO
3050 /* initialize SAs */
3051 if (ndo->ndo_sa_list_head == NULL) {
3052 if (ndo->ndo_espsecret)
3053 esp_print_decodesecret(ndo);
3054 }
3055 #endif
3056
3057 p = (const struct isakmp *)bp;
3058 ep = ndo->ndo_snapend;
3059
3060 if ((const struct isakmp *)ep < p + 1) {
3061 nd_print_trunc(ndo);
3062 return;
3063 }
3064
3065 ND_PRINT("isakmp");
3066 major = (GET_U_1(p->vers) & ISAKMP_VERS_MAJOR)
3067 >> ISAKMP_VERS_MAJOR_SHIFT;
3068 minor = (GET_U_1(p->vers) & ISAKMP_VERS_MINOR)
3069 >> ISAKMP_VERS_MINOR_SHIFT;
3070
3071 if (ndo->ndo_vflag) {
3072 ND_PRINT(" %u.%u", major, minor);
3073 }
3074
3075 if (ndo->ndo_vflag) {
3076 ND_PRINT(" msgid ");
3077 hexprint(ndo, p->msgid, sizeof(p->msgid));
3078 }
3079
3080 if (1 < ndo->ndo_vflag) {
3081 ND_PRINT(" cookie ");
3082 hexprint(ndo, p->i_ck, sizeof(p->i_ck));
3083 ND_PRINT("->");
3084 hexprint(ndo, p->r_ck, sizeof(p->r_ck));
3085 }
3086 ND_PRINT(":");
3087
3088 switch(major) {
3089 case IKEv1_MAJOR_VERSION:
3090 ikev1_print(ndo, bp, length, bp2, p);
3091 break;
3092
3093 case IKEv2_MAJOR_VERSION:
3094 ikev2_print(ndo, bp, length, bp2, p);
3095 break;
3096 }
3097 }
3098
3099 void
3100 isakmp_rfc3948_print(netdissect_options *ndo,
3101 const u_char *bp, u_int length,
3102 const u_char *bp2, int ver, int fragmented, u_int ttl_hl)
3103 {
3104 ndo->ndo_protocol = "isakmp_rfc3948";
3105 ND_TCHECK_1(bp);
3106 if(length == 1 && GET_U_1(bp)==0xff) {
3107 ND_PRINT("isakmp-nat-keep-alive");
3108 return;
3109 }
3110
3111 if(length < 4) {
3112 goto trunc;
3113 }
3114 ND_TCHECK_1(bp + 3);
3115
3116 /*
3117 * see if this is an IKE packet
3118 */
3119 if (GET_BE_U_4(bp) == 0) {
3120 ND_PRINT("NONESP-encap: ");
3121 isakmp_print(ndo, bp+4, length-4, bp2);
3122 return;
3123 }
3124
3125 /* must be an ESP packet */
3126 {
3127 ND_PRINT("UDP-encap: ");
3128
3129 esp_print(ndo, bp, length, bp2, ver, fragmented, ttl_hl);
3130
3131 /*
3132 * Either this has decrypted the payload and
3133 * printed it, in which case there's nothing more
3134 * to do, or it hasn't, in which case there's
3135 * nothing more to do.
3136 */
3137 return;
3138 }
3139
3140 trunc:
3141 nd_print_trunc(ndo);
3142 return;
3143 }
[mirror] the TCPdump network dissector