]> The Tcpdump Group git mirrors - tcpdump/blob - print-isakmp.c
projects / tcpdump / blob
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
pflog: don't use PF_ as a prefix for #defines.
[tcpdump] / print-isakmp.c
1 /*
2 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. Neither the name of the project nor the names of its contributors
14 * may be used to endorse or promote products derived from this software
15 * without specific prior written permission.
16 *
17 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27 * SUCH DAMAGE.
28 *
29 */
30
31 /* \summary: Internet Security Association and Key Management Protocol (ISAKMP) printer */
32
33 /* specification: RFC 2407, RFC 2408, RFC 5996 */
34
35 #include <config.h>
36
37 #include "netdissect-stdinc.h"
38
39 #include <string.h>
40
41 #include "netdissect-ctype.h"
42
43 #include "netdissect.h"
44 #include "addrtoname.h"
45 #include "extract.h"
46
47 #include "ip.h"
48 #include "ip6.h"
49 #include "ipproto.h" /* for netdb_protoname() */
50
51 typedef nd_byte cookie_t[8];
52 typedef nd_byte msgid_t[4];
53
54 #define PORT_ISAKMP 500
55
56 /* 3.1 ISAKMP Header Format (IKEv1 and IKEv2)
57 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
58 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
59 ! Initiator !
60 ! Cookie !
61 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
62 ! Responder !
63 ! Cookie !
64 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
65 ! Next Payload ! MjVer ! MnVer ! Exchange Type ! Flags !
66 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
67 ! Message ID !
68 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
69 ! Length !
70 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
71 */
72 struct isakmp {
73 cookie_t i_ck; /* Initiator Cookie */
74 cookie_t r_ck; /* Responder Cookie */
75 nd_uint8_t np; /* Next Payload Type */
76 nd_uint8_t vers;
77 #define ISAKMP_VERS_MAJOR 0xf0
78 #define ISAKMP_VERS_MAJOR_SHIFT 4
79 #define ISAKMP_VERS_MINOR 0x0f
80 #define ISAKMP_VERS_MINOR_SHIFT 0
81 nd_uint8_t etype; /* Exchange Type */
82 nd_uint8_t flags; /* Flags */
83 msgid_t msgid;
84 nd_uint32_t len; /* Length */
85 };
86
87 /* Next Payload Type */
88 #define ISAKMP_NPTYPE_NONE 0 /* NONE*/
89 #define ISAKMP_NPTYPE_SA 1 /* Security Association */
90 #define ISAKMP_NPTYPE_P 2 /* Proposal */
91 #define ISAKMP_NPTYPE_T 3 /* Transform */
92 #define ISAKMP_NPTYPE_KE 4 /* Key Exchange */
93 #define ISAKMP_NPTYPE_ID 5 /* Identification */
94 #define ISAKMP_NPTYPE_CERT 6 /* Certificate */
95 #define ISAKMP_NPTYPE_CR 7 /* Certificate Request */
96 #define ISAKMP_NPTYPE_HASH 8 /* Hash */
97 #define ISAKMP_NPTYPE_SIG 9 /* Signature */
98 #define ISAKMP_NPTYPE_NONCE 10 /* Nonce */
99 #define ISAKMP_NPTYPE_N 11 /* Notification */
100 #define ISAKMP_NPTYPE_D 12 /* Delete */
101 #define ISAKMP_NPTYPE_VID 13 /* Vendor ID */
102 #define ISAKMP_NPTYPE_v2E 46 /* v2 Encrypted payload */
103
104 #define IKEv1_MAJOR_VERSION 1
105 #define IKEv1_MINOR_VERSION 0
106
107 #define IKEv2_MAJOR_VERSION 2
108 #define IKEv2_MINOR_VERSION 0
109
110 /* Flags */
111 #define ISAKMP_FLAG_E 0x01 /* Encryption Bit */
112 #define ISAKMP_FLAG_C 0x02 /* Commit Bit */
113 #define ISAKMP_FLAG_extra 0x04
114
115 /* IKEv2 */
116 #define ISAKMP_FLAG_I (1 << 3) /* Initiator */
117 #define ISAKMP_FLAG_V (1 << 4) /* Version */
118 #define ISAKMP_FLAG_R (1 << 5) /* Response */
119
120
121 /* 3.2 Payload Generic Header
122 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
123 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
124 ! Next Payload ! RESERVED ! Payload Length !
125 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
126 */
127 struct isakmp_gen {
128 nd_uint8_t np; /* Next Payload */
129 nd_uint8_t critical; /* bit 7 - critical, rest is RESERVED */
130 nd_uint16_t len; /* Payload Length */
131 };
132
133 /* 3.3 Data Attributes
134 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
135 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
136 !A! Attribute Type ! AF=0 Attribute Length !
137 !F! ! AF=1 Attribute Value !
138 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
139 . AF=0 Attribute Value .
140 . AF=1 Not Transmitted .
141 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
142 */
143 struct isakmp_data {
144 nd_uint16_t type; /* defined by DOI-spec, and Attribute Format */
145 nd_uint16_t lorv; /* if f equal 1, Attribute Length */
146 /* if f equal 0, Attribute Value */
147 /* if f equal 1, Attribute Value */
148 };
149
150 /* 3.4 Security Association Payload */
151 /* MAY NOT be used, because of being defined in ipsec-doi. */
152 /*
153 If the current payload is the last in the message,
154 then the value of the next payload field will be 0.
155 This field MUST NOT contain the
156 values for the Proposal or Transform payloads as they are considered
157 part of the security association negotiation. For example, this
158 field would contain the value "10" (Nonce payload) in the first
159 message of a Base Exchange (see Section 4.4) and the value "0" in the
160 first message of an Identity Protect Exchange (see Section 4.5).
161 */
162 struct ikev1_pl_sa {
163 struct isakmp_gen h;
164 nd_uint32_t doi; /* Domain of Interpretation */
165 nd_uint32_t sit; /* Situation */
166 };
167
168 /* 3.5 Proposal Payload */
169 /*
170 The value of the next payload field MUST only contain the value "2"
171 or "0". If there are additional Proposal payloads in the message,
172 then this field will be 2. If the current Proposal payload is the
173 last within the security association proposal, then this field will
174 be 0.
175 */
176 struct ikev1_pl_p {
177 struct isakmp_gen h;
178 nd_uint8_t p_no; /* Proposal # */
179 nd_uint8_t prot_id; /* Protocol */
180 nd_uint8_t spi_size; /* SPI Size */
181 nd_uint8_t num_t; /* Number of Transforms */
182 /* SPI */
183 };
184
185 /* 3.6 Transform Payload */
186 /*
187 The value of the next payload field MUST only contain the value "3"
188 or "0". If there are additional Transform payloads in the proposal,
189 then this field will be 3. If the current Transform payload is the
190 last within the proposal, then this field will be 0.
191 */
192 struct ikev1_pl_t {
193 struct isakmp_gen h;
194 nd_uint8_t t_no; /* Transform # */
195 nd_uint8_t t_id; /* Transform-Id */
196 nd_byte reserved[2]; /* RESERVED2 */
197 /* SA Attributes */
198 };
199
200 /* 3.7 Key Exchange Payload */
201 struct ikev1_pl_ke {
202 struct isakmp_gen h;
203 /* Key Exchange Data */
204 };
205
206 /* 3.8 Identification Payload */
207 /* MUST NOT to be used, because of being defined in ipsec-doi. */
208 struct ikev1_pl_id {
209 struct isakmp_gen h;
210 union {
211 nd_uint8_t id_type; /* ID Type */
212 nd_uint32_t doi_data; /* DOI Specific ID Data */
213 } d;
214 /* Identification Data */
215 };
216
217 /* 3.9 Certificate Payload */
218 struct ikev1_pl_cert {
219 struct isakmp_gen h;
220 nd_uint8_t encode; /* Cert Encoding */
221 nd_uint8_t cert; /* Certificate Data */
222 /*
223 This field indicates the type of
224 certificate or certificate-related information contained in the
225 Certificate Data field.
226 */
227 };
228
229 /* 3.10 Certificate Request Payload */
230 struct ikev1_pl_cr {
231 struct isakmp_gen h;
232 nd_uint8_t num_cert; /* # Cert. Types */
233 /*
234 Certificate Types (variable length)
235 -- Contains a list of the types of certificates requested,
236 sorted in order of preference. Each individual certificate
237 type is 1 octet. This field is NOT requiredo
238 */
239 /* # Certificate Authorities (1 octet) */
240 /* Certificate Authorities (variable length) */
241 };
242
243 /* 3.11 Hash Payload */
244 /* may not be used, because of having only data. */
245 struct ikev1_pl_hash {
246 struct isakmp_gen h;
247 /* Hash Data */
248 };
249
250 /* 3.12 Signature Payload */
251 /* may not be used, because of having only data. */
252 struct ikev1_pl_sig {
253 struct isakmp_gen h;
254 /* Signature Data */
255 };
256
257 /* 3.13 Nonce Payload */
258 /* may not be used, because of having only data. */
259 struct ikev1_pl_nonce {
260 struct isakmp_gen h;
261 /* Nonce Data */
262 };
263
264 /* 3.14 Notification Payload */
265 struct ikev1_pl_n {
266 struct isakmp_gen h;
267 nd_uint32_t doi; /* Domain of Interpretation */
268 nd_uint8_t prot_id; /* Protocol-ID */
269 nd_uint8_t spi_size; /* SPI Size */
270 nd_uint16_t type; /* Notify Message Type */
271 /* SPI */
272 /* Notification Data */
273 };
274
275 /* 3.14.1 Notify Message Types */
276 /* NOTIFY MESSAGES - ERROR TYPES */
277 #define ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE 1
278 #define ISAKMP_NTYPE_DOI_NOT_SUPPORTED 2
279 #define ISAKMP_NTYPE_SITUATION_NOT_SUPPORTED 3
280 #define ISAKMP_NTYPE_INVALID_COOKIE 4
281 #define ISAKMP_NTYPE_INVALID_MAJOR_VERSION 5
282 #define ISAKMP_NTYPE_INVALID_MINOR_VERSION 6
283 #define ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE 7
284 #define ISAKMP_NTYPE_INVALID_FLAGS 8
285 #define ISAKMP_NTYPE_INVALID_MESSAGE_ID 9
286 #define ISAKMP_NTYPE_INVALID_PROTOCOL_ID 10
287 #define ISAKMP_NTYPE_INVALID_SPI 11
288 #define ISAKMP_NTYPE_INVALID_TRANSFORM_ID 12
289 #define ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED 13
290 #define ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN 14
291 #define ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX 15
292 #define ISAKMP_NTYPE_PAYLOAD_MALFORMED 16
293 #define ISAKMP_NTYPE_INVALID_KEY_INFORMATION 17
294 #define ISAKMP_NTYPE_INVALID_ID_INFORMATION 18
295 #define ISAKMP_NTYPE_INVALID_CERT_ENCODING 19
296 #define ISAKMP_NTYPE_INVALID_CERTIFICATE 20
297 #define ISAKMP_NTYPE_BAD_CERT_REQUEST_SYNTAX 21
298 #define ISAKMP_NTYPE_INVALID_CERT_AUTHORITY 22
299 #define ISAKMP_NTYPE_INVALID_HASH_INFORMATION 23
300 #define ISAKMP_NTYPE_AUTHENTICATION_FAILED 24
301 #define ISAKMP_NTYPE_INVALID_SIGNATURE 25
302 #define ISAKMP_NTYPE_ADDRESS_NOTIFICATION 26
303
304 /* 3.15 Delete Payload */
305 struct ikev1_pl_d {
306 struct isakmp_gen h;
307 nd_uint32_t doi; /* Domain of Interpretation */
308 nd_uint8_t prot_id; /* Protocol-Id */
309 nd_uint8_t spi_size; /* SPI Size */
310 nd_uint16_t num_spi; /* # of SPIs */
311 /* SPI(es) */
312 };
313
314 /* IKEv2 (RFC4306) */
315
316 /* 3.3 Security Association Payload -- generic header */
317 /* 3.3.1. Proposal Substructure */
318 struct ikev2_p {
319 struct isakmp_gen h;
320 nd_uint8_t p_no; /* Proposal # */
321 nd_uint8_t prot_id; /* Protocol */
322 nd_uint8_t spi_size; /* SPI Size */
323 nd_uint8_t num_t; /* Number of Transforms */
324 };
325
326 /* 3.3.2. Transform Substructure */
327 struct ikev2_t {
328 struct isakmp_gen h;
329 nd_uint8_t t_type; /* Transform Type (ENCR,PRF,INTEG,etc.*/
330 nd_byte res2; /* reserved byte */
331 nd_uint16_t t_id; /* Transform ID */
332 };
333
334 enum ikev2_t_type {
335 IV2_T_ENCR = 1,
336 IV2_T_PRF = 2,
337 IV2_T_INTEG= 3,
338 IV2_T_DH = 4,
339 IV2_T_ESN = 5
340 };
341
342 /* 3.4. Key Exchange Payload */
343 struct ikev2_ke {
344 struct isakmp_gen h;
345 nd_uint16_t ke_group;
346 nd_uint16_t ke_res1;
347 /* KE data */
348 };
349
350
351 /* 3.5. Identification Payloads */
352 enum ikev2_id_type {
353 ID_IPV4_ADDR=1,
354 ID_FQDN=2,
355 ID_RFC822_ADDR=3,
356 ID_IPV6_ADDR=5,
357 ID_DER_ASN1_DN=9,
358 ID_DER_ASN1_GN=10,
359 ID_KEY_ID=11
360 };
361 struct ikev2_id {
362 struct isakmp_gen h;
363 nd_uint8_t type; /* ID type */
364 nd_byte res1;
365 nd_byte res2[2];
366 /* SPI */
367 /* Notification Data */
368 };
369
370 /* 3.10 Notification Payload */
371 struct ikev2_n {
372 struct isakmp_gen h;
373 nd_uint8_t prot_id; /* Protocol-ID */
374 nd_uint8_t spi_size; /* SPI Size */
375 nd_uint16_t type; /* Notify Message Type */
376 };
377
378 enum ikev2_n_type {
379 IV2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD = 1, /* [RFC7296] */
380 IV2_NOTIFY_INVALID_IKE_SPI = 4, /* [RFC7296] */
381 IV2_NOTIFY_INVALID_MAJOR_VERSION = 5, /* [RFC7296] */
382 IV2_NOTIFY_INVALID_SYNTAX = 7, /* [RFC7296] */
383 IV2_NOTIFY_INVALID_MESSAGE_ID = 9, /* [RFC7296] */
384 IV2_NOTIFY_INVALID_SPI =11, /* [RFC7296] */
385 IV2_NOTIFY_NO_PROPOSAL_CHOSEN =14, /* [RFC7296] */
386 IV2_NOTIFY_INVALID_KE_PAYLOAD =17, /* [RFC7296] */
387 IV2_NOTIFY_AUTHENTICATION_FAILED =24, /* [RFC7296] */
388 IV2_NOTIFY_SINGLE_PAIR_REQUIRED =34, /* [RFC7296] */
389 IV2_NOTIFY_NO_ADDITIONAL_SAS =35, /* [RFC7296] */
390 IV2_NOTIFY_INTERNAL_ADDRESS_FAILURE =36, /* [RFC7296] */
391 IV2_NOTIFY_FAILED_CP_REQUIRED =37, /* [RFC7296] */
392 IV2_NOTIFY_TS_UNACCEPTABLE =38, /* [RFC7296] */
393 IV2_NOTIFY_INVALID_SELECTORS =39, /* [RFC7296] */
394 IV2_NOTIFY_UNACCEPTABLE_ADDRESSES =40, /* [RFC4555] */
395 IV2_NOTIFY_UNEXPECTED_NAT_DETECTED =41, /* [RFC4555] */
396 IV2_NOTIFY_USE_ASSIGNED_HOA =42, /* [RFC5026] */
397 IV2_NOTIFY_TEMPORARY_FAILURE =43, /* [RFC7296] */
398 IV2_NOTIFY_CHILD_SA_NOT_FOUND =44, /* [RFC7296] */
399 IV2_NOTIFY_INVALID_GROUP_ID =45, /* [draft-yeung-g-ikev2] */
400 IV2_NOTIFY_AUTHORIZATION_FAILED =46, /* [draft-yeung-g-ikev2] */
401 IV2_NOTIFY_STATE_NOT_FOUND =47, /* [RFC-ietf-ipsecme-ikev2-multiple-ke-12] */
402 IV2_NOTIFY_INITIAL_CONTACT =16384, /* [RFC7296] */
403 IV2_NOTIFY_SET_WINDOW_SIZE =16385, /* [RFC7296] */
404 IV2_NOTIFY_ADDITIONAL_TS_POSSIBLE =16386, /* [RFC7296] */
405 IV2_NOTIFY_IPCOMP_SUPPORTED =16387, /* [RFC7296] */
406 IV2_NOTIFY_NAT_DETECTION_SOURCE_IP =16388, /* [RFC7296] */
407 IV2_NOTIFY_NAT_DETECTION_DESTINATION_IP =16389, /* [RFC7296] */
408 IV2_NOTIFY_COOKIE =16390, /* [RFC7296] */
409 IV2_NOTIFY_USE_TRANSPORT_MODE =16391, /* [RFC7296] */
410 IV2_NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED =16392, /* [RFC7296] */
411 IV2_NOTIFY_REKEY_SA =16393, /* [RFC7296] */
412 IV2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED =16394, /* [RFC7296] */
413 IV2_NOTIFY_NON_FIRST_FRAGMENTS_ALSO =16395, /* [RFC7296] */
414 IV2_NOTIFY_MOBIKE_SUPPORTED =16396, /* [RFC4555] */
415 IV2_NOTIFY_ADDITIONAL_IP4_ADDRESS =16397, /* [RFC4555] */
416 IV2_NOTIFY_ADDITIONAL_IP6_ADDRESS =16398, /* [RFC4555] */
417 IV2_NOTIFY_NO_ADDITIONAL_ADDRESSES =16399, /* [RFC4555] */
418 IV2_NOTIFY_UPDATE_SA_ADDRESSES =16400, /* [RFC4555] */
419 IV2_NOTIFY_COOKIE2 =16401, /* [RFC4555] */
420 IV2_NOTIFY_NO_NATS_ALLOWED =16402, /* [RFC4555] */
421 IV2_NOTIFY_AUTH_LIFETIME =16403, /* [RFC4478] */
422 IV2_NOTIFY_MULTIPLE_AUTH_SUPPORTED =16404, /* [RFC4739] */
423 IV2_NOTIFY_ANOTHER_AUTH_FOLLOWS =16405, /* [RFC4739] */
424 IV2_NOTIFY_REDIRECT_SUPPORTED =16406, /* [RFC5685] */
425 IV2_NOTIFY_REDIRECT =16407, /* [RFC5685] */
426 IV2_NOTIFY_REDIRECTED_FROM =16408, /* [RFC5685] */
427 IV2_NOTIFY_TICKET_LT_OPAQUE =16409, /* [RFC5723] */
428 IV2_NOTIFY_TICKET_REQUEST =16410, /* [RFC5723] */
429 IV2_NOTIFY_TICKET_ACK =16411, /* [RFC5723] */
430 IV2_NOTIFY_TICKET_NACK =16412, /* [RFC5723] */
431 IV2_NOTIFY_TICKET_OPAQUE =16413, /* [RFC5723] */
432 IV2_NOTIFY_LINK_ID =16414, /* [RFC5739] */
433 IV2_NOTIFY_USE_WESP_MODE =16415, /* [RFC5840] */
434 IV2_NOTIFY_ROHC_SUPPORTED =16416, /* [RFC5857] */
435 IV2_NOTIFY_EAP_ONLY_AUTHENTICATION =16417, /* [RFC5998] */
436 IV2_NOTIFY_CHILDLESS_IKEV2_SUPPORTED =16418, /* [RFC6023] */
437 IV2_NOTIFY_QUICK_CRASH_DETECTION =16419, /* [RFC6290] */
438 IV2_NOTIFY_IKEV2_MESSAGE_ID_SYNC_SUPPORTED =16420, /* [RFC6311] */
439 IV2_NOTIFY_IPSEC_REPLAY_COUNTER_SYNC_SUPPORTED =16421, /* [RFC6311] */
440 IV2_NOTIFY_IKEV2_MESSAGE_ID_SYNC =16422, /* [RFC6311] */
441 IV2_NOTIFY_IPSEC_REPLAY_COUNTER_SYNC =16423, /* [RFC6311] */
442 IV2_NOTIFY_SECURE_PASSWORD_METHODS =16424, /* [RFC6467] */
443 IV2_NOTIFY_PSK_PERSIST =16425, /* [RFC6631] */
444 IV2_NOTIFY_PSK_CONFIRM =16426, /* [RFC6631] */
445 IV2_NOTIFY_ERX_SUPPORTED =16427, /* [RFC6867] */
446 IV2_NOTIFY_IFOM_CAPABILITY =16428, /* [Frederic_Firmin][3GPP TS 24.303 v10.6.0 annex B.2] */
447 IV2_NOTIFY_SENDER_REQUEST_ID =16429, /* [draft-yeung-g-ikev2] */
448 IV2_NOTIFY_IKEV2_FRAGMENTATION_SUPPORTED =16430, /* [RFC7383] */
449 IV2_NOTIFY_SIGNATURE_HASH_ALGORITHMS =16431, /* [RFC7427] */
450 IV2_NOTIFY_CLONE_IKE_SA_SUPPORTED =16432, /* [RFC7791] */
451 IV2_NOTIFY_CLONE_IKE_SA =16433, /* [RFC7791] */
452 IV2_NOTIFY_PUZZLE =16434, /* [RFC8019] */
453 IV2_NOTIFY_USE_PPK =16435, /* [RFC8784] */
454 IV2_NOTIFY_PPK_IDENTITY =16436, /* [RFC8784] */
455 IV2_NOTIFY_NO_PPK_AUTH =16437, /* [RFC8784] */
456 IV2_NOTIFY_INTERMEDIATE_EXCHANGE_SUPPORTED =16438, /* [RFC9242] */
457 IV2_NOTIFY_IP4_ALLOWED =16439, /* [RFC8983] */
458 IV2_NOTIFY_IP6_ALLOWED =16440, /* [RFC8983] */
459 IV2_NOTIFY_ADDITIONAL_KEY_EXCHANGE =16441, /* [RFC-ietf-ipsecme-ikev2-multiple-ke-12] */
460 IV2_NOTIFY_USE_AGGFRAG =16442 /* [RFC9347] */
461 };
462
463 struct notify_messages {
464 uint16_t type;
465 char *msg;
466 };
467
468 /* 3.8 Authentication Payload */
469 struct ikev2_auth {
470 struct isakmp_gen h;
471 nd_uint8_t auth_method; /* Protocol-ID */
472 nd_byte reserved[3];
473 /* authentication data */
474 };
475
476 enum ikev2_auth_type {
477 IV2_RSA_SIG = 1,
478 IV2_SHARED = 2,
479 IV2_DSS_SIG = 3
480 };
481
482 /* refer to RFC 2409 */
483
484 #if 0
485 /* isakmp sa structure */
486 struct oakley_sa {
487 uint8_t proto_id; /* OAKLEY */
488 vchar_t *spi; /* spi */
489 uint8_t dhgrp; /* DH; group */
490 uint8_t auth_t; /* method of authentication */
491 uint8_t prf_t; /* type of prf */
492 uint8_t hash_t; /* type of hash */
493 uint8_t enc_t; /* type of cipher */
494 uint8_t life_t; /* type of duration of lifetime */
495 uint32_t ldur; /* life duration */
496 };
497 #endif
498
499 /* refer to RFC 2407 */
500
501 #define IPSEC_DOI 1
502
503 /* 4.2 IPSEC Situation Definition */
504 #define IPSECDOI_SIT_IDENTITY_ONLY 0x00000001
505 #define IPSECDOI_SIT_SECRECY 0x00000002
506 #define IPSECDOI_SIT_INTEGRITY 0x00000004
507
508 /* 4.4.1 IPSEC Security Protocol Identifiers */
509 /* 4.4.2 IPSEC ISAKMP Transform Values */
510 #define IPSECDOI_PROTO_ISAKMP 1
511 #define IPSECDOI_KEY_IKE 1
512
513 /* 4.4.1 IPSEC Security Protocol Identifiers */
514 #define IPSECDOI_PROTO_IPSEC_AH 2
515 /* 4.4.3 IPSEC AH Transform Values */
516 #define IPSECDOI_AH_MD5 2
517 #define IPSECDOI_AH_SHA 3
518 #define IPSECDOI_AH_DES 4
519 #define IPSECDOI_AH_SHA2_256 5
520 #define IPSECDOI_AH_SHA2_384 6
521 #define IPSECDOI_AH_SHA2_512 7
522
523 /* 4.4.1 IPSEC Security Protocol Identifiers */
524 #define IPSECDOI_PROTO_IPSEC_ESP 3
525 /* 4.4.4 IPSEC ESP Transform Identifiers */
526 #define IPSECDOI_ESP_DES_IV64 1
527 #define IPSECDOI_ESP_DES 2
528 #define IPSECDOI_ESP_3DES 3
529 #define IPSECDOI_ESP_RC5 4
530 #define IPSECDOI_ESP_IDEA 5
531 #define IPSECDOI_ESP_CAST 6
532 #define IPSECDOI_ESP_BLOWFISH 7
533 #define IPSECDOI_ESP_3IDEA 8
534 #define IPSECDOI_ESP_DES_IV32 9
535 #define IPSECDOI_ESP_RC4 10
536 #define IPSECDOI_ESP_NULL 11
537 #define IPSECDOI_ESP_RIJNDAEL 12
538 #define IPSECDOI_ESP_AES 12
539
540 /* 4.4.1 IPSEC Security Protocol Identifiers */
541 #define IPSECDOI_PROTO_IPCOMP 4
542 /* 4.4.5 IPSEC IPCOMP Transform Identifiers */
543 #define IPSECDOI_IPCOMP_OUI 1
544 #define IPSECDOI_IPCOMP_DEFLATE 2
545 #define IPSECDOI_IPCOMP_LZS 3
546
547 /* 4.5 IPSEC Security Association Attributes */
548 #define IPSECDOI_ATTR_SA_LTYPE 1 /* B */
549 #define IPSECDOI_ATTR_SA_LTYPE_DEFAULT 1
550 #define IPSECDOI_ATTR_SA_LTYPE_SEC 1
551 #define IPSECDOI_ATTR_SA_LTYPE_KB 2
552 #define IPSECDOI_ATTR_SA_LDUR 2 /* V */
553 #define IPSECDOI_ATTR_SA_LDUR_DEFAULT 28800 /* 8 hours */
554 #define IPSECDOI_ATTR_GRP_DESC 3 /* B */
555 #define IPSECDOI_ATTR_ENC_MODE 4 /* B */
556 /* default value: host dependent */
557 #define IPSECDOI_ATTR_ENC_MODE_TUNNEL 1
558 #define IPSECDOI_ATTR_ENC_MODE_TRNS 2
559 #define IPSECDOI_ATTR_AUTH 5 /* B */
560 /* 0 means not to use authentication. */
561 #define IPSECDOI_ATTR_AUTH_HMAC_MD5 1
562 #define IPSECDOI_ATTR_AUTH_HMAC_SHA1 2
563 #define IPSECDOI_ATTR_AUTH_DES_MAC 3
564 #define IPSECDOI_ATTR_AUTH_KPDK 4 /*RFC-1826(Key/Pad/Data/Key)*/
565 /*
566 * When negotiating ESP without authentication, the Auth
567 * Algorithm attribute MUST NOT be included in the proposal.
568 * When negotiating ESP without confidentiality, the Auth
569 * Algorithm attribute MUST be included in the proposal and
570 * the ESP transform ID must be ESP_NULL.
571 */
572 #define IPSECDOI_ATTR_KEY_LENGTH 6 /* B */
573 #define IPSECDOI_ATTR_KEY_ROUNDS 7 /* B */
574 #define IPSECDOI_ATTR_COMP_DICT_SIZE 8 /* B */
575 #define IPSECDOI_ATTR_COMP_PRIVALG 9 /* V */
576
577 /* 4.6.1 Security Association Payload */
578 struct ipsecdoi_sa {
579 struct isakmp_gen h;
580 nd_uint32_t doi; /* Domain of Interpretation */
581 nd_uint32_t sit; /* Situation */
582 };
583
584 struct ipsecdoi_secrecy_h {
585 nd_uint16_t len;
586 nd_uint16_t reserved;
587 };
588
589 /* 4.6.2.1 Identification Type Values */
590 struct ipsecdoi_id {
591 struct isakmp_gen h;
592 nd_uint8_t type; /* ID Type */
593 nd_uint8_t proto_id; /* Protocol ID */
594 nd_uint16_t port; /* Port */
595 /* Identification Data */
596 };
597
598 #define IPSECDOI_ID_IPV4_ADDR 1
599 #define IPSECDOI_ID_FQDN 2
600 #define IPSECDOI_ID_USER_FQDN 3
601 #define IPSECDOI_ID_IPV4_ADDR_SUBNET 4
602 #define IPSECDOI_ID_IPV6_ADDR 5
603 #define IPSECDOI_ID_IPV6_ADDR_SUBNET 6
604 #define IPSECDOI_ID_IPV4_ADDR_RANGE 7
605 #define IPSECDOI_ID_IPV6_ADDR_RANGE 8
606 #define IPSECDOI_ID_DER_ASN1_DN 9
607 #define IPSECDOI_ID_DER_ASN1_GN 10
608 #define IPSECDOI_ID_KEY_ID 11
609
610 /* 4.6.3 IPSEC DOI Notify Message Types */
611 /* Notify Messages - Status Types */
612 #define IPSECDOI_NTYPE_RESPONDER_LIFETIME 24576
613 #define IPSECDOI_NTYPE_REPLAY_STATUS 24577
614 #define IPSECDOI_NTYPE_INITIAL_CONTACT 24578
615
616 #define DECLARE_PRINTER(func) static const u_char *ike##func##_print( \
617 netdissect_options *ndo, u_char tpay, \
618 const struct isakmp_gen *ext, \
619 u_int item_len, \
620 const u_char *end_pointer, \
621 uint32_t phase,\
622 uint32_t doi0, \
623 uint32_t proto0, int depth)
624
625 DECLARE_PRINTER(v1_sa);
626 DECLARE_PRINTER(v1_p);
627 DECLARE_PRINTER(v1_t);
628 DECLARE_PRINTER(v1_ke);
629 DECLARE_PRINTER(v1_id);
630 DECLARE_PRINTER(v1_cert);
631 DECLARE_PRINTER(v1_cr);
632 DECLARE_PRINTER(v1_sig);
633 DECLARE_PRINTER(v1_hash);
634 DECLARE_PRINTER(v1_nonce);
635 DECLARE_PRINTER(v1_n);
636 DECLARE_PRINTER(v1_d);
637 DECLARE_PRINTER(v1_vid);
638
639 DECLARE_PRINTER(v2_sa);
640 DECLARE_PRINTER(v2_ke);
641 DECLARE_PRINTER(v2_ID);
642 DECLARE_PRINTER(v2_cert);
643 DECLARE_PRINTER(v2_cr);
644 DECLARE_PRINTER(v2_auth);
645 DECLARE_PRINTER(v2_nonce);
646 DECLARE_PRINTER(v2_n);
647 DECLARE_PRINTER(v2_d);
648 DECLARE_PRINTER(v2_vid);
649 DECLARE_PRINTER(v2_TS);
650 DECLARE_PRINTER(v2_cp);
651 DECLARE_PRINTER(v2_eap);
652
653 static const u_char *ikev2_e_print(netdissect_options *ndo,
654 const struct isakmp *base,
655 u_char tpay,
656 const struct isakmp_gen *ext,
657 u_int item_len,
658 const u_char *end_pointer,
659 uint32_t phase,
660 uint32_t doi0,
661 uint32_t proto0, int depth);
662
663
664 static const u_char *ike_sub0_print(netdissect_options *ndo,u_char, const struct isakmp_gen *,
665 const u_char *, uint32_t, uint32_t, uint32_t, int);
666 static const u_char *ikev1_sub_print(netdissect_options *ndo,u_char, const struct isakmp_gen *,
667 const u_char *, uint32_t, uint32_t, uint32_t, int);
668
669 static const u_char *ikev2_sub_print(netdissect_options *ndo,
670 const struct isakmp *base,
671 u_char np, const struct isakmp_gen *ext,
672 const u_char *ep, uint32_t phase,
673 uint32_t doi, uint32_t proto,
674 int depth);
675
676
677 static char *numstr(u_int);
678
679 static void
680 ikev1_print(netdissect_options *ndo,
681 const u_char *bp, u_int length,
682 const u_char *bp2, const struct isakmp *base);
683
684 #define MAXINITIATORS 20
685 static int ninitiator = 0;
686 union inaddr_u {
687 nd_ipv4 in4;
688 nd_ipv6 in6;
689 };
690 static struct {
691 cookie_t initiator;
692 u_int version;
693 union inaddr_u iaddr;
694 union inaddr_u raddr;
695 } cookiecache[MAXINITIATORS];
696
697 /* protocol id */
698 static const char *protoidstr[] = {
699 NULL, "isakmp", "ipsec-ah", "ipsec-esp", "ipcomp",
700 };
701
702 /* isakmp->np */
703 static const char *npstr[] = {
704 "none", "sa", "p", "t", "ke", "id", "cert", "cr", "hash", /* 0 - 8 */
705 "sig", "nonce", "n", "d", "vid", /* 9 - 13 */
706 "pay14", "pay15", "pay16", "pay17", "pay18", /* 14- 18 */
707 "pay19", "pay20", "pay21", "pay22", "pay23", /* 19- 23 */
708 "pay24", "pay25", "pay26", "pay27", "pay28", /* 24- 28 */
709 "pay29", "pay30", "pay31", "pay32", /* 29- 32 */
710 "v2sa", "v2ke", "v2IDi", "v2IDr", "v2cert",/* 33- 37 */
711 "v2cr", "v2auth","v2nonce", "v2n", "v2d", /* 38- 42 */
712 "v2vid", "v2TSi", "v2TSr", "v2e", "v2cp", /* 43- 47 */
713 "v2eap", /* 48 */
714
715 };
716
717 /* isakmp->np */
718 static const u_char *(*npfunc[])(netdissect_options *ndo, u_char tpay,
719 const struct isakmp_gen *ext,
720 u_int item_len,
721 const u_char *end_pointer,
722 uint32_t phase,
723 uint32_t doi0,
724 uint32_t proto0, int depth) = {
725 NULL,
726 ikev1_sa_print,
727 ikev1_p_print,
728 ikev1_t_print,
729 ikev1_ke_print,
730 ikev1_id_print,
731 ikev1_cert_print,
732 ikev1_cr_print,
733 ikev1_hash_print,
734 ikev1_sig_print,
735 ikev1_nonce_print,
736 ikev1_n_print,
737 ikev1_d_print,
738 ikev1_vid_print, /* 13 */
739 NULL, NULL, NULL, NULL, NULL, /* 14- 18 */
740 NULL, NULL, NULL, NULL, NULL, /* 19- 23 */
741 NULL, NULL, NULL, NULL, NULL, /* 24- 28 */
742 NULL, NULL, NULL, NULL, /* 29- 32 */
743 ikev2_sa_print, /* 33 */
744 ikev2_ke_print, /* 34 */
745 ikev2_ID_print, /* 35 */
746 ikev2_ID_print, /* 36 */
747 ikev2_cert_print, /* 37 */
748 ikev2_cr_print, /* 38 */
749 ikev2_auth_print, /* 39 */
750 ikev2_nonce_print, /* 40 */
751 ikev2_n_print, /* 41 */
752 ikev2_d_print, /* 42 */
753 ikev2_vid_print, /* 43 */
754 ikev2_TS_print, /* 44 */
755 ikev2_TS_print, /* 45 */
756 NULL, /* ikev2_e_print,*/ /* 46 - special */
757 ikev2_cp_print, /* 47 */
758 ikev2_eap_print, /* 48 */
759 };
760
761 /* isakmp->etype */
762 static const char *etypestr[] = {
763 /* IKEv1 exchange types */
764 "none", "base", "ident", "auth", "agg", "inf", NULL, NULL, /* 0-7 */
765 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 8-15 */
766 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 16-23 */
767 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 24-31 */
768 "oakley-quick", "oakley-newgroup", /* 32-33 */
769 /* IKEv2 exchange types */
770 "ikev2_init", "ikev2_auth", "child_sa", "inf2" /* 34-37 */
771 };
772
773 #define STR_OR_ID(x, tab) \
774 (((x) < sizeof(tab)/sizeof(tab[0]) && tab[(x)]) ? tab[(x)] : numstr(x))
775 #define PROTOIDSTR(x) STR_OR_ID(x, protoidstr)
776 #define NPSTR(x) STR_OR_ID(x, npstr)
777 #define ETYPESTR(x) STR_OR_ID(x, etypestr)
778
779 #define CHECKLEN(p, np) \
780 if (ep < (const u_char *)(p)) { \
781 ND_PRINT(" [|%s]", NPSTR(np)); \
782 goto done; \
783 }
784
785
786 #define NPFUNC(x) \
787 (((x) < sizeof(npfunc)/sizeof(npfunc[0]) && npfunc[(x)]) \
788 ? npfunc[(x)] : NULL)
789
790 static int
791 iszero(netdissect_options *ndo, const u_char *p, size_t l)
792 {
793 while (l != 0) {
794 if (GET_U_1(p))
795 return 0;
796 p++;
797 l--;
798 }
799 return 1;
800 }
801
802 /* find cookie from initiator cache */
803 static int
804 cookie_find(const cookie_t *in)
805 {
806 int i;
807
808 for (i = 0; i < MAXINITIATORS; i++) {
809 if (memcmp(in, &cookiecache[i].initiator, sizeof(*in)) == 0)
810 return i;
811 }
812
813 return -1;
814 }
815
816 /* record initiator */
817 static void
818 cookie_record(netdissect_options *ndo, const cookie_t *in, const u_char *bp2)
819 {
820 int i;
821 const struct ip *ip;
822 const struct ip6_hdr *ip6;
823
824 i = cookie_find(in);
825 if (0 <= i) {
826 ninitiator = (i + 1) % MAXINITIATORS;
827 return;
828 }
829
830 ip = (const struct ip *)bp2;
831 switch (IP_V(ip)) {
832 case 4:
833 cookiecache[ninitiator].version = 4;
834 UNALIGNED_MEMCPY(&cookiecache[ninitiator].iaddr.in4,
835 ip->ip_src, sizeof(nd_ipv4));
836 UNALIGNED_MEMCPY(&cookiecache[ninitiator].raddr.in4,
837 ip->ip_dst, sizeof(nd_ipv4));
838 break;
839 case 6:
840 ip6 = (const struct ip6_hdr *)bp2;
841 cookiecache[ninitiator].version = 6;
842 UNALIGNED_MEMCPY(&cookiecache[ninitiator].iaddr.in6,
843 ip6->ip6_src, sizeof(nd_ipv6));
844 UNALIGNED_MEMCPY(&cookiecache[ninitiator].raddr.in6,
845 ip6->ip6_dst, sizeof(nd_ipv6));
846 break;
847 default:
848 return;
849 }
850 UNALIGNED_MEMCPY(&cookiecache[ninitiator].initiator, in, sizeof(*in));
851 ninitiator = (ninitiator + 1) % MAXINITIATORS;
852 }
853
854 #define cookie_isinitiator(ndo, x, y) cookie_sidecheck(ndo, (x), (y), 1)
855 #define cookie_isresponder(ndo, x, y) cookie_sidecheck(ndo, (x), (y), 0)
856 static int
857 cookie_sidecheck(netdissect_options *ndo, int i, const u_char *bp2, int initiator)
858 {
859 const struct ip *ip;
860 const struct ip6_hdr *ip6;
861
862 ip = (const struct ip *)bp2;
863 switch (IP_V(ip)) {
864 case 4:
865 if (cookiecache[i].version != 4)
866 return 0;
867 if (initiator) {
868 if (UNALIGNED_MEMCMP(ip->ip_src, &cookiecache[i].iaddr.in4, sizeof(nd_ipv4)) == 0)
869 return 1;
870 } else {
871 if (UNALIGNED_MEMCMP(ip->ip_src, &cookiecache[i].raddr.in4, sizeof(nd_ipv4)) == 0)
872 return 1;
873 }
874 break;
875 case 6:
876 if (cookiecache[i].version != 6)
877 return 0;
878 ip6 = (const struct ip6_hdr *)bp2;
879 if (initiator) {
880 if (UNALIGNED_MEMCMP(ip6->ip6_src, &cookiecache[i].iaddr.in6, sizeof(nd_ipv6)) == 0)
881 return 1;
882 } else {
883 if (UNALIGNED_MEMCMP(ip6->ip6_src, &cookiecache[i].raddr.in6, sizeof(nd_ipv6)) == 0)
884 return 1;
885 }
886 break;
887 default:
888 break;
889 }
890
891 return 0;
892 }
893
894 static void
895 hexprint(netdissect_options *ndo, const uint8_t *loc, size_t len)
896 {
897 const uint8_t *p;
898 size_t i;
899
900 p = loc;
901 for (i = 0; i < len; i++)
902 ND_PRINT("%02x", p[i] & 0xff);
903 }
904
905 static int
906 rawprint(netdissect_options *ndo, const uint8_t *loc, size_t len)
907 {
908 ND_TCHECK_LEN(loc, len);
909
910 hexprint(ndo, loc, len);
911 return 1;
912 trunc:
913 return 0;
914 }
915
916
917 /*
918 * returns false if we run out of data buffer
919 */
920 static int ike_show_somedata(netdissect_options *ndo,
921 const u_char *cp, const u_char *ep)
922 {
923 /* there is too much data, just show some of it */
924 const u_char *end = ep - 20;
925 size_t elen = 20;
926 size_t len = ep - cp;
927 if(len > 10) {
928 len = 10;
929 }
930
931 /* really shouldn't happen because of above */
932 if(end < cp + len) {
933 end = cp+len;
934 elen = ep - end;
935 }
936
937 ND_PRINT(" data=(");
938 if(!rawprint(ndo, (const uint8_t *)(cp), len)) goto trunc;
939 ND_PRINT("...");
940 if(elen) {
941 if(!rawprint(ndo, (const uint8_t *)(end), elen)) goto trunc;
942 }
943 ND_PRINT(")");
944 return 1;
945
946 trunc:
947 return 0;
948 }
949
950 struct attrmap {
951 const char *type;
952 u_int nvalue;
953 const char *value[30]; /*XXX*/
954 };
955
956 static const u_char *
957 ikev1_attrmap_print(netdissect_options *ndo,
958 const u_char *p, const u_char *ep2,
959 const struct attrmap *map, size_t nmap)
960 {
961 u_int totlen;
962 uint32_t t, v;
963
964 if (GET_U_1(p) & 0x80)
965 totlen = 4;
966 else {
967 totlen = 4 + GET_BE_U_2(p + 2);
968 }
969 if (ep2 < p + totlen) {
970 ND_PRINT("[|attr]");
971 return ep2 + 1;
972 }
973
974 ND_PRINT("(");
975 t = GET_BE_U_2(p) & 0x7fff;
976 if (map && t < nmap && map[t].type)
977 ND_PRINT("type=%s ", map[t].type);
978 else
979 ND_PRINT("type=#%u ", t);
980 if (GET_U_1(p) & 0x80) {
981 ND_PRINT("value=");
982 v = GET_BE_U_2(p + 2);
983 if (map && t < nmap && v < map[t].nvalue && map[t].value[v])
984 ND_PRINT("%s", map[t].value[v]);
985 else {
986 if (!rawprint(ndo, (const uint8_t *)(p + 2), 2)) {
987 ND_PRINT(")");
988 goto trunc;
989 }
990 }
991 } else {
992 ND_PRINT("len=%u value=", totlen - 4);
993 if (!rawprint(ndo, (const uint8_t *)(p + 4), totlen - 4)) {
994 ND_PRINT(")");
995 goto trunc;
996 }
997 }
998 ND_PRINT(")");
999 return p + totlen;
1000
1001 trunc:
1002 return NULL;
1003 }
1004
1005 static const u_char *
1006 ikev1_attr_print(netdissect_options *ndo, const u_char *p, const u_char *ep2)
1007 {
1008 u_int totlen;
1009 uint32_t t;
1010
1011 if (GET_U_1(p) & 0x80)
1012 totlen = 4;
1013 else {
1014 totlen = 4 + GET_BE_U_2(p + 2);
1015 }
1016 if (ep2 < p + totlen) {
1017 ND_PRINT("[|attr]");
1018 return ep2 + 1;
1019 }
1020
1021 ND_PRINT("(");
1022 t = GET_BE_U_2(p) & 0x7fff;
1023 ND_PRINT("type=#%u ", t);
1024 if (GET_U_1(p) & 0x80) {
1025 ND_PRINT("value=");
1026 t = GET_U_1(p + 2);
1027 if (!rawprint(ndo, (const uint8_t *)(p + 2), 2)) {
1028 ND_PRINT(")");
1029 goto trunc;
1030 }
1031 } else {
1032 ND_PRINT("len=%u value=", totlen - 4);
1033 if (!rawprint(ndo, (const uint8_t *)(p + 4), totlen - 4)) {
1034 ND_PRINT(")");
1035 goto trunc;
1036 }
1037 }
1038 ND_PRINT(")");
1039 return p + totlen;
1040
1041 trunc:
1042 return NULL;
1043 }
1044
1045 static const u_char *
1046 ikev1_sa_print(netdissect_options *ndo, u_char tpay _U_,
1047 const struct isakmp_gen *ext,
1048 u_int item_len _U_,
1049 const u_char *ep, uint32_t phase, uint32_t doi0 _U_,
1050 uint32_t proto0, int depth)
1051 {
1052 const struct ikev1_pl_sa *p;
1053 uint32_t doi, sit, ident;
1054 const u_char *cp, *np;
1055 int t;
1056
1057 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_SA));
1058
1059 p = (const struct ikev1_pl_sa *)ext;
1060 ND_TCHECK_SIZE(p);
1061 doi = GET_BE_U_4(p->doi);
1062 sit = GET_BE_U_4(p->sit);
1063 if (doi != 1) {
1064 ND_PRINT(" doi=%u", doi);
1065 ND_PRINT(" situation=%u", sit);
1066 return (const u_char *)(p + 1);
1067 }
1068
1069 ND_PRINT(" doi=ipsec");
1070 ND_PRINT(" situation=");
1071 t = 0;
1072 if (sit & 0x01) {
1073 ND_PRINT("identity");
1074 t++;
1075 }
1076 if (sit & 0x02) {
1077 ND_PRINT("%ssecrecy", t ? "+" : "");
1078 t++;
1079 }
1080 if (sit & 0x04)
1081 ND_PRINT("%sintegrity", t ? "+" : "");
1082
1083 np = (const u_char *)ext + sizeof(struct ikev1_pl_sa);
1084 if (sit != 0x01) {
1085 ident = GET_BE_U_4(ext + 1);
1086 ND_PRINT(" ident=%u", ident);
1087 np += sizeof(ident);
1088 }
1089
1090 ext = (const struct isakmp_gen *)np;
1091 ND_TCHECK_SIZE(ext);
1092
1093 cp = ikev1_sub_print(ndo, ISAKMP_NPTYPE_P, ext, ep, phase, doi, proto0,
1094 depth);
1095
1096 return cp;
1097 trunc:
1098 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_SA));
1099 return NULL;
1100 }
1101
1102 static const u_char *
1103 ikev1_p_print(netdissect_options *ndo, u_char tpay _U_,
1104 const struct isakmp_gen *ext, u_int item_len _U_,
1105 const u_char *ep, uint32_t phase, uint32_t doi0,
1106 uint32_t proto0 _U_, int depth)
1107 {
1108 const struct ikev1_pl_p *p;
1109 const u_char *cp;
1110 uint8_t spi_size;
1111
1112 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_P));
1113
1114 p = (const struct ikev1_pl_p *)ext;
1115 ND_TCHECK_SIZE(p);
1116 ND_PRINT(" #%u protoid=%s transform=%u",
1117 GET_U_1(p->p_no), PROTOIDSTR(GET_U_1(p->prot_id)),
1118 GET_U_1(p->num_t));
1119 spi_size = GET_U_1(p->spi_size);
1120 if (spi_size) {
1121 ND_PRINT(" spi=");
1122 if (!rawprint(ndo, (const uint8_t *)(p + 1), spi_size))
1123 goto trunc;
1124 }
1125
1126 ext = (const struct isakmp_gen *)((const u_char *)(p + 1) + spi_size);
1127 ND_TCHECK_SIZE(ext);
1128
1129 cp = ikev1_sub_print(ndo, ISAKMP_NPTYPE_T, ext, ep, phase, doi0,
1130 GET_U_1(p->prot_id), depth);
1131
1132 return cp;
1133 trunc:
1134 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_P));
1135 return NULL;
1136 }
1137
1138 static const char *ikev1_p_map[] = {
1139 NULL, "ike",
1140 };
1141
1142 static const char *ikev2_t_type_map[]={
1143 NULL, "encr", "prf", "integ", "dh", "esn"
1144 };
1145
1146 static const char *ah_p_map[] = {
1147 NULL, "(reserved)", "md5", "sha", "1des",
1148 "sha2-256", "sha2-384", "sha2-512",
1149 };
1150
1151 static const char *prf_p_map[] = {
1152 NULL, "hmac-md5", "hmac-sha", "hmac-tiger",
1153 "aes128_xcbc"
1154 };
1155
1156 static const char *integ_p_map[] = {
1157 NULL, "hmac-md5", "hmac-sha", "dec-mac",
1158 "kpdk-md5", "aes-xcbc"
1159 };
1160
1161 static const char *esn_p_map[] = {
1162 "no-esn", "esn"
1163 };
1164
1165 static const char *dh_p_map[] = {
1166 NULL, "modp768",
1167 "modp1024", /* group 2 */
1168 "EC2N 2^155", /* group 3 */
1169 "EC2N 2^185", /* group 4 */
1170 "modp1536", /* group 5 */
1171 "iana-grp06", "iana-grp07", /* reserved */
1172 "iana-grp08", "iana-grp09",
1173 "iana-grp10", "iana-grp11",
1174 "iana-grp12", "iana-grp13",
1175 "modp2048", /* group 14 */
1176 "modp3072", /* group 15 */
1177 "modp4096", /* group 16 */
1178 "modp6144", /* group 17 */
1179 "modp8192", /* group 18 */
1180 };
1181
1182 static const char *esp_p_map[] = {
1183 NULL, "1des-iv64", "1des", "3des", "rc5", "idea", "cast",
1184 "blowfish", "3idea", "1des-iv32", "rc4", "null", "aes"
1185 };
1186
1187 static const char *ipcomp_p_map[] = {
1188 NULL, "oui", "deflate", "lzs",
1189 };
1190
1191 static const struct attrmap ipsec_t_map[] = {
1192 { NULL, 0, { NULL } },
1193 { "lifetype", 3, { NULL, "sec", "kb", }, },
1194 { "life", 0, { NULL } },
1195 { "group desc", 18, { NULL, "modp768",
1196 "modp1024", /* group 2 */
1197 "EC2N 2^155", /* group 3 */
1198 "EC2N 2^185", /* group 4 */
1199 "modp1536", /* group 5 */
1200 "iana-grp06", "iana-grp07", /* reserved */
1201 "iana-grp08", "iana-grp09",
1202 "iana-grp10", "iana-grp11",
1203 "iana-grp12", "iana-grp13",
1204 "modp2048", /* group 14 */
1205 "modp3072", /* group 15 */
1206 "modp4096", /* group 16 */
1207 "modp6144", /* group 17 */
1208 "modp8192", /* group 18 */
1209 }, },
1210 { "enc mode", 3, { NULL, "tunnel", "transport", }, },
1211 { "auth", 5, { NULL, "hmac-md5", "hmac-sha1", "1des-mac", "keyed", }, },
1212 { "keylen", 0, { NULL } },
1213 { "rounds", 0, { NULL } },
1214 { "dictsize", 0, { NULL } },
1215 { "privalg", 0, { NULL } },
1216 };
1217
1218 static const struct attrmap encr_t_map[] = {
1219 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 0, 1 */
1220 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 2, 3 */
1221 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 4, 5 */
1222 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 6, 7 */
1223 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 8, 9 */
1224 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 10,11*/
1225 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 12,13*/
1226 { "keylen", 14, { NULL }},
1227 };
1228
1229 static const struct attrmap oakley_t_map[] = {
1230 { NULL, 0, { NULL } },
1231 { "enc", 8, { NULL, "1des", "idea", "blowfish", "rc5",
1232 "3des", "cast", "aes", }, },
1233 { "hash", 7, { NULL, "md5", "sha1", "tiger",
1234 "sha2-256", "sha2-384", "sha2-512", }, },
1235 { "auth", 6, { NULL, "preshared", "dss", "rsa sig", "rsa enc",
1236 "rsa enc revised", }, },
1237 { "group desc", 18, { NULL, "modp768",
1238 "modp1024", /* group 2 */
1239 "EC2N 2^155", /* group 3 */
1240 "EC2N 2^185", /* group 4 */
1241 "modp1536", /* group 5 */
1242 "iana-grp06", "iana-grp07", /* reserved */
1243 "iana-grp08", "iana-grp09",
1244 "iana-grp10", "iana-grp11",
1245 "iana-grp12", "iana-grp13",
1246 "modp2048", /* group 14 */
1247 "modp3072", /* group 15 */
1248 "modp4096", /* group 16 */
1249 "modp6144", /* group 17 */
1250 "modp8192", /* group 18 */
1251 }, },
1252 { "group type", 4, { NULL, "MODP", "ECP", "EC2N", }, },
1253 { "group prime", 0, { NULL } },
1254 { "group gen1", 0, { NULL } },
1255 { "group gen2", 0, { NULL } },
1256 { "group curve A", 0, { NULL } },
1257 { "group curve B", 0, { NULL } },
1258 { "lifetype", 3, { NULL, "sec", "kb", }, },
1259 { "lifeduration", 0, { NULL } },
1260 { "prf", 0, { NULL } },
1261 { "keylen", 0, { NULL } },
1262 { "field", 0, { NULL } },
1263 { "order", 0, { NULL } },
1264 };
1265
1266 static const u_char *
1267 ikev1_t_print(netdissect_options *ndo, u_char tpay _U_,
1268 const struct isakmp_gen *ext, u_int item_len,
1269 const u_char *ep, uint32_t phase _U_, uint32_t doi _U_,
1270 uint32_t proto, int depth _U_)
1271 {
1272 const struct ikev1_pl_t *p;
1273 const u_char *cp;
1274 const char *idstr;
1275 const struct attrmap *map;
1276 size_t nmap;
1277 const u_char *ep2;
1278
1279 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_T));
1280
1281 p = (const struct ikev1_pl_t *)ext;
1282 ND_TCHECK_SIZE(p);
1283
1284 switch (proto) {
1285 case 1:
1286 idstr = STR_OR_ID(GET_U_1(p->t_id), ikev1_p_map);
1287 map = oakley_t_map;
1288 nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]);
1289 break;
1290 case 2:
1291 idstr = STR_OR_ID(GET_U_1(p->t_id), ah_p_map);
1292 map = ipsec_t_map;
1293 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
1294 break;
1295 case 3:
1296 idstr = STR_OR_ID(GET_U_1(p->t_id), esp_p_map);
1297 map = ipsec_t_map;
1298 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
1299 break;
1300 case 4:
1301 idstr = STR_OR_ID(GET_U_1(p->t_id), ipcomp_p_map);
1302 map = ipsec_t_map;
1303 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
1304 break;
1305 default:
1306 idstr = NULL;
1307 map = NULL;
1308 nmap = 0;
1309 break;
1310 }
1311
1312 if (idstr)
1313 ND_PRINT(" #%u id=%s ", GET_U_1(p->t_no), idstr);
1314 else
1315 ND_PRINT(" #%u id=%u ", GET_U_1(p->t_no), GET_U_1(p->t_id));
1316 cp = (const u_char *)(p + 1);
1317 ep2 = (const u_char *)p + item_len;
1318 while (cp < ep && cp < ep2) {
1319 if (map && nmap)
1320 cp = ikev1_attrmap_print(ndo, cp, ep2, map, nmap);
1321 else
1322 cp = ikev1_attr_print(ndo, cp, ep2);
1323 if (cp == NULL)
1324 goto trunc;
1325 }
1326 if (ep < ep2)
1327 ND_PRINT("...");
1328 return cp;
1329 trunc:
1330 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_T));
1331 return NULL;
1332 }
1333
1334 static const u_char *
1335 ikev1_ke_print(netdissect_options *ndo, u_char tpay _U_,
1336 const struct isakmp_gen *ext, u_int item_len,
1337 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_,
1338 uint32_t proto _U_, int depth _U_)
1339 {
1340 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_KE));
1341
1342 ND_TCHECK_SIZE(ext);
1343 /*
1344 * Our caller has ensured that the length is >= 4.
1345 */
1346 ND_PRINT(" key len=%u", item_len - 4);
1347 if (2 < ndo->ndo_vflag && item_len > 4) {
1348 /* Print the entire payload in hex */
1349 ND_PRINT(" ");
1350 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1351 goto trunc;
1352 }
1353 return (const u_char *)ext + item_len;
1354 trunc:
1355 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_KE));
1356 return NULL;
1357 }
1358
1359 static const u_char *
1360 ikev1_id_print(netdissect_options *ndo, u_char tpay _U_,
1361 const struct isakmp_gen *ext, u_int item_len,
1362 const u_char *ep _U_, uint32_t phase, uint32_t doi _U_,
1363 uint32_t proto _U_, int depth _U_)
1364 {
1365 #define USE_IPSECDOI_IN_PHASE1 1
1366 const struct ikev1_pl_id *p;
1367 static const char *idtypestr[] = {
1368 "IPv4", "IPv4net", "IPv6", "IPv6net",
1369 };
1370 static const char *ipsecidtypestr[] = {
1371 NULL, "IPv4", "FQDN", "user FQDN", "IPv4net", "IPv6",
1372 "IPv6net", "IPv4range", "IPv6range", "ASN1 DN", "ASN1 GN",
1373 "keyid",
1374 };
1375 u_int len;
1376 const u_char *data;
1377
1378 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_ID));
1379
1380 p = (const struct ikev1_pl_id *)ext;
1381 ND_TCHECK_SIZE(p);
1382 if (sizeof(*p) < item_len) {
1383 data = (const u_char *)(p + 1);
1384 len = item_len - sizeof(*p);
1385 } else {
1386 data = NULL;
1387 len = 0;
1388 }
1389
1390 #if 0 /*debug*/
1391 ND_PRINT(" [phase=%u doi=%u proto=%u]", phase, doi, proto);
1392 #endif
1393 switch (phase) {
1394 #ifndef USE_IPSECDOI_IN_PHASE1
1395 case 1:
1396 #endif
1397 default:
1398 ND_PRINT(" idtype=%s",
1399 STR_OR_ID(GET_U_1(p->d.id_type), idtypestr));
1400 ND_PRINT(" doi_data=%u",
1401 GET_BE_U_4(p->d.doi_data) & 0xffffff);
1402 break;
1403
1404 #ifdef USE_IPSECDOI_IN_PHASE1
1405 case 1:
1406 #endif
1407 case 2:
1408 {
1409 const struct ipsecdoi_id *doi_p;
1410 const char *p_name;
1411 uint8_t type, proto_id;
1412
1413 doi_p = (const struct ipsecdoi_id *)ext;
1414 ND_TCHECK_SIZE(doi_p);
1415 type = GET_U_1(doi_p->type);
1416 ND_PRINT(" idtype=%s", STR_OR_ID(type, ipsecidtypestr));
1417 /* A protocol ID of 0 DOES NOT mean IPPROTO_IP! */
1418 proto_id = GET_U_1(doi_p->proto_id);
1419 if (!ndo->ndo_nflag && proto_id && (p_name = netdb_protoname(proto_id)) != NULL)
1420 ND_PRINT(" protoid=%s", p_name);
1421 else
1422 ND_PRINT(" protoid=%u", proto_id);
1423 ND_PRINT(" port=%u", GET_BE_U_2(doi_p->port));
1424 if (!len)
1425 break;
1426 if (data == NULL)
1427 goto trunc;
1428 ND_TCHECK_LEN(data, len);
1429 switch (type) {
1430 case IPSECDOI_ID_IPV4_ADDR:
1431 if (len < 4)
1432 ND_PRINT(" len=%u [bad: < 4]", len);
1433 else
1434 ND_PRINT(" len=%u %s", len, GET_IPADDR_STRING(data));
1435 len = 0;
1436 break;
1437 case IPSECDOI_ID_FQDN:
1438 case IPSECDOI_ID_USER_FQDN:
1439 {
1440 u_int i;
1441 ND_PRINT(" len=%u ", len);
1442 for (i = 0; i < len; i++)
1443 fn_print_char(ndo, GET_U_1(data + i));
1444 len = 0;
1445 break;
1446 }
1447 case IPSECDOI_ID_IPV4_ADDR_SUBNET:
1448 {
1449 const u_char *mask;
1450 if (len < 8)
1451 ND_PRINT(" len=%u [bad: < 8]", len);
1452 else {
1453 mask = data + sizeof(nd_ipv4);
1454 ND_PRINT(" len=%u %s/%u.%u.%u.%u", len,
1455 GET_IPADDR_STRING(data),
1456 GET_U_1(mask), GET_U_1(mask + 1),
1457 GET_U_1(mask + 2),
1458 GET_U_1(mask + 3));
1459 }
1460 len = 0;
1461 break;
1462 }
1463 case IPSECDOI_ID_IPV6_ADDR:
1464 if (len < 16)
1465 ND_PRINT(" len=%u [bad: < 16]", len);
1466 else
1467 ND_PRINT(" len=%u %s", len, GET_IP6ADDR_STRING(data));
1468 len = 0;
1469 break;
1470 case IPSECDOI_ID_IPV6_ADDR_SUBNET:
1471 {
1472 const u_char *mask;
1473 if (len < 32)
1474 ND_PRINT(" len=%u [bad: < 32]", len);
1475 else {
1476 mask = (const u_char *)(data + sizeof(nd_ipv6));
1477 /*XXX*/
1478 ND_PRINT(" len=%u %s/0x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x", len,
1479 GET_IP6ADDR_STRING(data),
1480 GET_U_1(mask), GET_U_1(mask + 1),
1481 GET_U_1(mask + 2),
1482 GET_U_1(mask + 3),
1483 GET_U_1(mask + 4),
1484 GET_U_1(mask + 5),
1485 GET_U_1(mask + 6),
1486 GET_U_1(mask + 7),
1487 GET_U_1(mask + 8),
1488 GET_U_1(mask + 9),
1489 GET_U_1(mask + 10),
1490 GET_U_1(mask + 11),
1491 GET_U_1(mask + 12),
1492 GET_U_1(mask + 13),
1493 GET_U_1(mask + 14),
1494 GET_U_1(mask + 15));
1495 }
1496 len = 0;
1497 break;
1498 }
1499 case IPSECDOI_ID_IPV4_ADDR_RANGE:
1500 if (len < 8)
1501 ND_PRINT(" len=%u [bad: < 8]", len);
1502 else {
1503 ND_PRINT(" len=%u %s-%s", len,
1504 GET_IPADDR_STRING(data),
1505 GET_IPADDR_STRING(data + sizeof(nd_ipv4)));
1506 }
1507 len = 0;
1508 break;
1509 case IPSECDOI_ID_IPV6_ADDR_RANGE:
1510 if (len < 32)
1511 ND_PRINT(" len=%u [bad: < 32]", len);
1512 else {
1513 ND_PRINT(" len=%u %s-%s", len,
1514 GET_IP6ADDR_STRING(data),
1515 GET_IP6ADDR_STRING(data + sizeof(nd_ipv6)));
1516 }
1517 len = 0;
1518 break;
1519 case IPSECDOI_ID_DER_ASN1_DN:
1520 case IPSECDOI_ID_DER_ASN1_GN:
1521 case IPSECDOI_ID_KEY_ID:
1522 break;
1523 }
1524 break;
1525 }
1526 }
1527 if (data && len) {
1528 ND_PRINT(" len=%u", len);
1529 if (2 < ndo->ndo_vflag) {
1530 ND_PRINT(" ");
1531 if (!rawprint(ndo, (const uint8_t *)data, len))
1532 goto trunc;
1533 }
1534 }
1535 return (const u_char *)ext + item_len;
1536 trunc:
1537 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_ID));
1538 return NULL;
1539 }
1540
1541 static const u_char *
1542 ikev1_cert_print(netdissect_options *ndo, u_char tpay _U_,
1543 const struct isakmp_gen *ext, u_int item_len,
1544 const u_char *ep _U_, uint32_t phase _U_,
1545 uint32_t doi0 _U_,
1546 uint32_t proto0 _U_, int depth _U_)
1547 {
1548 const struct ikev1_pl_cert *p;
1549 static const char *certstr[] = {
1550 "none", "pkcs7", "pgp", "dns",
1551 "x509sign", "x509ke", "kerberos", "crl",
1552 "arl", "spki", "x509attr",
1553 };
1554
1555 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_CERT));
1556
1557 p = (const struct ikev1_pl_cert *)ext;
1558 ND_TCHECK_SIZE(p);
1559 /*
1560 * Our caller has ensured that the length is >= 4.
1561 */
1562 ND_PRINT(" len=%u", item_len - 4);
1563 ND_PRINT(" type=%s", STR_OR_ID(GET_U_1(p->encode), certstr));
1564 if (2 < ndo->ndo_vflag && 4 < item_len) {
1565 /* Print the entire payload in hex */
1566 ND_PRINT(" ");
1567 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1568 goto trunc;
1569 }
1570 return (const u_char *)ext + item_len;
1571 trunc:
1572 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_CERT));
1573 return NULL;
1574 }
1575
1576 static const u_char *
1577 ikev1_cr_print(netdissect_options *ndo, u_char tpay _U_,
1578 const struct isakmp_gen *ext, u_int item_len,
1579 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi0 _U_,
1580 uint32_t proto0 _U_, int depth _U_)
1581 {
1582 const struct ikev1_pl_cert *p;
1583 static const char *certstr[] = {
1584 "none", "pkcs7", "pgp", "dns",
1585 "x509sign", "x509ke", "kerberos", "crl",
1586 "arl", "spki", "x509attr",
1587 };
1588
1589 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_CR));
1590
1591 p = (const struct ikev1_pl_cert *)ext;
1592 ND_TCHECK_SIZE(p);
1593 /*
1594 * Our caller has ensured that the length is >= 4.
1595 */
1596 ND_PRINT(" len=%u", item_len - 4);
1597 ND_PRINT(" type=%s", STR_OR_ID(GET_U_1(p->encode), certstr));
1598 if (2 < ndo->ndo_vflag && 4 < item_len) {
1599 /* Print the entire payload in hex */
1600 ND_PRINT(" ");
1601 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1602 goto trunc;
1603 }
1604 return (const u_char *)ext + item_len;
1605 trunc:
1606 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_CR));
1607 return NULL;
1608 }
1609
1610 static const u_char *
1611 ikev1_hash_print(netdissect_options *ndo, u_char tpay _U_,
1612 const struct isakmp_gen *ext, u_int item_len,
1613 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_,
1614 uint32_t proto _U_, int depth _U_)
1615 {
1616 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_HASH));
1617
1618 ND_TCHECK_SIZE(ext);
1619 /*
1620 * Our caller has ensured that the length is >= 4.
1621 */
1622 ND_PRINT(" len=%u", item_len - 4);
1623 if (2 < ndo->ndo_vflag && 4 < item_len) {
1624 /* Print the entire payload in hex */
1625 ND_PRINT(" ");
1626 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1627 goto trunc;
1628 }
1629 return (const u_char *)ext + item_len;
1630 trunc:
1631 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_HASH));
1632 return NULL;
1633 }
1634
1635 static const u_char *
1636 ikev1_sig_print(netdissect_options *ndo, u_char tpay _U_,
1637 const struct isakmp_gen *ext, u_int item_len,
1638 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_,
1639 uint32_t proto _U_, int depth _U_)
1640 {
1641 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_SIG));
1642
1643 ND_TCHECK_SIZE(ext);
1644 /*
1645 * Our caller has ensured that the length is >= 4.
1646 */
1647 ND_PRINT(" len=%u", item_len - 4);
1648 if (2 < ndo->ndo_vflag && 4 < item_len) {
1649 /* Print the entire payload in hex */
1650 ND_PRINT(" ");
1651 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1652 goto trunc;
1653 }
1654 return (const u_char *)ext + item_len;
1655 trunc:
1656 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_SIG));
1657 return NULL;
1658 }
1659
1660 static const u_char *
1661 ikev1_nonce_print(netdissect_options *ndo, u_char tpay _U_,
1662 const struct isakmp_gen *ext,
1663 u_int item_len,
1664 const u_char *ep,
1665 uint32_t phase _U_, uint32_t doi _U_,
1666 uint32_t proto _U_, int depth _U_)
1667 {
1668 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_NONCE));
1669
1670 ND_TCHECK_SIZE(ext);
1671 /*
1672 * Our caller has ensured that the length is >= 4.
1673 */
1674 ND_PRINT(" n len=%u", item_len - 4);
1675 if (item_len > 4) {
1676 if (ndo->ndo_vflag > 2) {
1677 ND_PRINT(" ");
1678 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1679 goto trunc;
1680 } else if (ndo->ndo_vflag > 1) {
1681 ND_PRINT(" ");
1682 if (!ike_show_somedata(ndo, (const u_char *)(ext + 1), ep))
1683 goto trunc;
1684 }
1685 }
1686 return (const u_char *)ext + item_len;
1687 trunc:
1688 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_NONCE));
1689 return NULL;
1690 }
1691
1692 static const u_char *
1693 ikev1_n_print(netdissect_options *ndo, u_char tpay _U_,
1694 const struct isakmp_gen *ext, u_int item_len,
1695 const u_char *ep, uint32_t phase _U_, uint32_t doi0 _U_,
1696 uint32_t proto0 _U_, int depth _U_)
1697 {
1698 const struct ikev1_pl_n *p;
1699 const u_char *cp;
1700 const u_char *ep2;
1701 uint32_t doi;
1702 uint32_t proto;
1703 uint16_t type;
1704 uint8_t spi_size;
1705 static const char *notify_error_str[] = {
1706 NULL, "INVALID-PAYLOAD-TYPE",
1707 "DOI-NOT-SUPPORTED", "SITUATION-NOT-SUPPORTED",
1708 "INVALID-COOKIE", "INVALID-MAJOR-VERSION",
1709 "INVALID-MINOR-VERSION", "INVALID-EXCHANGE-TYPE",
1710 "INVALID-FLAGS", "INVALID-MESSAGE-ID",
1711 "INVALID-PROTOCOL-ID", "INVALID-SPI",
1712 "INVALID-TRANSFORM-ID", "ATTRIBUTES-NOT-SUPPORTED",
1713 "NO-PROPOSAL-CHOSEN", "BAD-PROPOSAL-SYNTAX",
1714 "PAYLOAD-MALFORMED", "INVALID-KEY-INFORMATION",
1715 "INVALID-ID-INFORMATION", "INVALID-CERT-ENCODING",
1716 "INVALID-CERTIFICATE", "CERT-TYPE-UNSUPPORTED",
1717 "INVALID-CERT-AUTHORITY", "INVALID-HASH-INFORMATION",
1718 "AUTHENTICATION-FAILED", "INVALID-SIGNATURE",
1719 "ADDRESS-NOTIFICATION", "NOTIFY-SA-LIFETIME",
1720 "CERTIFICATE-UNAVAILABLE", "UNSUPPORTED-EXCHANGE-TYPE",
1721 "UNEQUAL-PAYLOAD-LENGTHS",
1722 };
1723 static const char *ipsec_notify_error_str[] = {
1724 "RESERVED",
1725 };
1726 static const char *notify_status_str[] = {
1727 "CONNECTED",
1728 };
1729 static const char *ipsec_notify_status_str[] = {
1730 "RESPONDER-LIFETIME", "REPLAY-STATUS",
1731 "INITIAL-CONTACT",
1732 };
1733 /* NOTE: these macro must be called with x in proper range */
1734
1735 /* 0 - 8191 */
1736 #define NOTIFY_ERROR_STR(x) \
1737 STR_OR_ID((x), notify_error_str)
1738
1739 /* 8192 - 16383 */
1740 #define IPSEC_NOTIFY_ERROR_STR(x) \
1741 STR_OR_ID((u_int)((x) - 8192), ipsec_notify_error_str)
1742
1743 /* 16384 - 24575 */
1744 #define NOTIFY_STATUS_STR(x) \
1745 STR_OR_ID((u_int)((x) - 16384), notify_status_str)
1746
1747 /* 24576 - 32767 */
1748 #define IPSEC_NOTIFY_STATUS_STR(x) \
1749 STR_OR_ID((u_int)((x) - 24576), ipsec_notify_status_str)
1750
1751 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_N));
1752
1753 p = (const struct ikev1_pl_n *)ext;
1754 ND_TCHECK_SIZE(p);
1755 doi = GET_BE_U_4(p->doi);
1756 proto = GET_U_1(p->prot_id);
1757 if (doi != 1) {
1758 ND_PRINT(" doi=%u", doi);
1759 ND_PRINT(" proto=%u", proto);
1760 type = GET_BE_U_2(p->type);
1761 if (type < 8192)
1762 ND_PRINT(" type=%s", NOTIFY_ERROR_STR(type));
1763 else if (type < 16384)
1764 ND_PRINT(" type=%s", numstr(type));
1765 else if (type < 24576)
1766 ND_PRINT(" type=%s", NOTIFY_STATUS_STR(type));
1767 else
1768 ND_PRINT(" type=%s", numstr(type));
1769 spi_size = GET_U_1(p->spi_size);
1770 if (spi_size) {
1771 ND_PRINT(" spi=");
1772 if (!rawprint(ndo, (const uint8_t *)(p + 1), spi_size))
1773 goto trunc;
1774 }
1775 return (const u_char *)(p + 1) + spi_size;
1776 }
1777
1778 ND_PRINT(" doi=ipsec");
1779 ND_PRINT(" proto=%s", PROTOIDSTR(proto));
1780 type = GET_BE_U_2(p->type);
1781 if (type < 8192)
1782 ND_PRINT(" type=%s", NOTIFY_ERROR_STR(type));
1783 else if (type < 16384)
1784 ND_PRINT(" type=%s", IPSEC_NOTIFY_ERROR_STR(type));
1785 else if (type < 24576)
1786 ND_PRINT(" type=%s", NOTIFY_STATUS_STR(type));
1787 else if (type < 32768)
1788 ND_PRINT(" type=%s", IPSEC_NOTIFY_STATUS_STR(type));
1789 else
1790 ND_PRINT(" type=%s", numstr(type));
1791 spi_size = GET_U_1(p->spi_size);
1792 if (spi_size) {
1793 ND_PRINT(" spi=");
1794 if (!rawprint(ndo, (const uint8_t *)(p + 1), spi_size))
1795 goto trunc;
1796 }
1797
1798 cp = (const u_char *)(p + 1) + spi_size;
1799 ep2 = (const u_char *)p + item_len;
1800
1801 if (cp < ep) {
1802 switch (type) {
1803 case IPSECDOI_NTYPE_RESPONDER_LIFETIME:
1804 {
1805 const struct attrmap *map = oakley_t_map;
1806 size_t nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]);
1807 ND_PRINT(" attrs=(");
1808 while (cp < ep && cp < ep2) {
1809 cp = ikev1_attrmap_print(ndo, cp, ep2, map, nmap);
1810 if (cp == NULL) {
1811 ND_PRINT(")");
1812 goto trunc;
1813 }
1814 }
1815 ND_PRINT(")");
1816 break;
1817 }
1818 case IPSECDOI_NTYPE_REPLAY_STATUS:
1819 ND_PRINT(" status=(");
1820 ND_PRINT("replay detection %sabled",
1821 GET_BE_U_4(cp) ? "en" : "dis");
1822 ND_PRINT(")");
1823 break;
1824 default:
1825 /*
1826 * XXX - fill in more types here; see, for example,
1827 * draft-ietf-ipsec-notifymsg-04.
1828 */
1829 if (ndo->ndo_vflag > 3) {
1830 ND_PRINT(" data=(");
1831 if (!rawprint(ndo, (const uint8_t *)(cp), ep - cp))
1832 goto trunc;
1833 ND_PRINT(")");
1834 } else {
1835 if (!ike_show_somedata(ndo, cp, ep))
1836 goto trunc;
1837 }
1838 break;
1839 }
1840 }
1841 return (const u_char *)ext + item_len;
1842 trunc:
1843 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_N));
1844 return NULL;
1845 }
1846
1847 static const u_char *
1848 ikev1_d_print(netdissect_options *ndo, u_char tpay _U_,
1849 const struct isakmp_gen *ext, u_int item_len _U_,
1850 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi0 _U_,
1851 uint32_t proto0 _U_, int depth _U_)
1852 {
1853 const struct ikev1_pl_d *p;
1854 const uint8_t *q;
1855 uint32_t doi;
1856 uint32_t proto;
1857 uint8_t spi_size;
1858 uint16_t num_spi;
1859 u_int i;
1860
1861 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_D));
1862
1863 p = (const struct ikev1_pl_d *)ext;
1864 ND_TCHECK_SIZE(p);
1865 doi = GET_BE_U_4(p->doi);
1866 proto = GET_U_1(p->prot_id);
1867 if (doi != 1) {
1868 ND_PRINT(" doi=%u", doi);
1869 ND_PRINT(" proto=%u", proto);
1870 } else {
1871 ND_PRINT(" doi=ipsec");
1872 ND_PRINT(" proto=%s", PROTOIDSTR(proto));
1873 }
1874 spi_size = GET_U_1(p->spi_size);
1875 ND_PRINT(" spilen=%u", spi_size);
1876 num_spi = GET_BE_U_2(p->num_spi);
1877 ND_PRINT(" nspi=%u", num_spi);
1878 q = (const uint8_t *)(p + 1);
1879 if (spi_size) {
1880 ND_PRINT(" spi=");
1881 for (i = 0; i < num_spi; i++) {
1882 if (i != 0)
1883 ND_PRINT(",");
1884 if (!rawprint(ndo, (const uint8_t *)q, spi_size))
1885 goto trunc;
1886 q += spi_size;
1887 }
1888 }
1889 return q;
1890 trunc:
1891 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_D));
1892 return NULL;
1893 }
1894
1895 static const u_char *
1896 ikev1_vid_print(netdissect_options *ndo, u_char tpay _U_,
1897 const struct isakmp_gen *ext,
1898 u_int item_len, const u_char *ep _U_,
1899 uint32_t phase _U_, uint32_t doi _U_,
1900 uint32_t proto _U_, int depth _U_)
1901 {
1902 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_VID));
1903
1904 ND_TCHECK_SIZE(ext);
1905 /*
1906 * Our caller has ensured that the length is >= 4.
1907 */
1908 ND_PRINT(" len=%u", item_len - 4);
1909 if (2 < ndo->ndo_vflag && 4 < item_len) {
1910 /* Print the entire payload in hex */
1911 ND_PRINT(" ");
1912 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1913 goto trunc;
1914 }
1915 return (const u_char *)ext + item_len;
1916 trunc:
1917 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_VID));
1918 return NULL;
1919 }
1920
1921 /************************************************************/
1922 /* */
1923 /* IKE v2 - rfc4306 - dissector */
1924 /* */
1925 /************************************************************/
1926
1927 static void
1928 ikev2_pay_print(netdissect_options *ndo, const char *payname, uint8_t critical)
1929 {
1930 ND_PRINT("%s%s:", payname, critical&0x80 ? "[C]" : "");
1931 }
1932
1933 static const u_char *
1934 ikev2_gen_print(netdissect_options *ndo, u_char tpay,
1935 const struct isakmp_gen *ext, u_int item_len)
1936 {
1937 const struct isakmp_gen *p = (const struct isakmp_gen *)ext;
1938
1939 ND_TCHECK_SIZE(ext);
1940 ikev2_pay_print(ndo, NPSTR(tpay), GET_U_1(p->critical));
1941
1942 /*
1943 * Our caller has ensured that the length is >= 4.
1944 */
1945 ND_PRINT(" len=%u", item_len - 4);
1946 if (2 < ndo->ndo_vflag && 4 < item_len) {
1947 /* Print the entire payload in hex */
1948 ND_PRINT(" ");
1949 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1950 goto trunc;
1951 }
1952 return (const u_char *)ext + item_len;
1953 trunc:
1954 ND_PRINT(" [|%s]", NPSTR(tpay));
1955 return NULL;
1956 }
1957
1958 static const u_char *
1959 ikev2_t_print(netdissect_options *ndo, int tcount,
1960 const struct isakmp_gen *ext, u_int item_len,
1961 const u_char *ep)
1962 {
1963 const struct ikev2_t *p;
1964 uint16_t t_id;
1965 uint8_t t_type;
1966 const u_char *cp;
1967 const char *idstr;
1968 const struct attrmap *map;
1969 size_t nmap;
1970 const u_char *ep2;
1971
1972 p = (const struct ikev2_t *)ext;
1973 ND_TCHECK_SIZE(p);
1974 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_T), GET_U_1(p->h.critical));
1975
1976 t_id = GET_BE_U_2(p->t_id);
1977
1978 map = NULL;
1979 nmap = 0;
1980
1981 t_type = GET_U_1(p->t_type);
1982 switch (t_type) {
1983 case IV2_T_ENCR:
1984 idstr = STR_OR_ID(t_id, esp_p_map);
1985 map = encr_t_map;
1986 nmap = sizeof(encr_t_map)/sizeof(encr_t_map[0]);
1987 break;
1988
1989 case IV2_T_PRF:
1990 idstr = STR_OR_ID(t_id, prf_p_map);
1991 break;
1992
1993 case IV2_T_INTEG:
1994 idstr = STR_OR_ID(t_id, integ_p_map);
1995 break;
1996
1997 case IV2_T_DH:
1998 idstr = STR_OR_ID(t_id, dh_p_map);
1999 break;
2000
2001 case IV2_T_ESN:
2002 idstr = STR_OR_ID(t_id, esn_p_map);
2003 break;
2004
2005 default:
2006 idstr = NULL;
2007 break;
2008 }
2009
2010 if (idstr)
2011 ND_PRINT(" #%u type=%s id=%s ", tcount,
2012 STR_OR_ID(t_type, ikev2_t_type_map),
2013 idstr);
2014 else
2015 ND_PRINT(" #%u type=%s id=%u ", tcount,
2016 STR_OR_ID(t_type, ikev2_t_type_map),
2017 t_id);
2018 cp = (const u_char *)(p + 1);
2019 ep2 = (const u_char *)p + item_len;
2020 while (cp < ep && cp < ep2) {
2021 if (map && nmap) {
2022 cp = ikev1_attrmap_print(ndo, cp, ep2, map, nmap);
2023 } else
2024 cp = ikev1_attr_print(ndo, cp, ep2);
2025 if (cp == NULL)
2026 goto trunc;
2027 }
2028 if (ep < ep2)
2029 ND_PRINT("...");
2030 return cp;
2031 trunc:
2032 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_T));
2033 return NULL;
2034 }
2035
2036 static const u_char *
2037 ikev2_p_print(netdissect_options *ndo, u_char tpay _U_, int pcount _U_,
2038 const struct isakmp_gen *ext, u_int oprop_length,
2039 const u_char *ep, int depth)
2040 {
2041 const struct ikev2_p *p;
2042 u_int prop_length;
2043 uint8_t spi_size;
2044 const u_char *cp;
2045 int i;
2046 int tcount;
2047 u_char np;
2048 u_int item_len;
2049
2050 p = (const struct ikev2_p *)ext;
2051 ND_TCHECK_SIZE(p);
2052
2053 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_P), GET_U_1(p->h.critical));
2054
2055 /*
2056 * ikev2_sa_print() guarantees that this is >= 4.
2057 */
2058 prop_length = oprop_length - 4;
2059 ND_PRINT(" #%u protoid=%s transform=%u len=%u",
2060 GET_U_1(p->p_no), PROTOIDSTR(GET_U_1(p->prot_id)),
2061 GET_U_1(p->num_t), oprop_length);
2062 cp = (const u_char *)(p + 1);
2063
2064 spi_size = GET_U_1(p->spi_size);
2065 if (spi_size) {
2066 if (prop_length < spi_size)
2067 goto toolong;
2068 ND_PRINT(" spi=");
2069 if (!rawprint(ndo, (const uint8_t *)cp, spi_size))
2070 goto trunc;
2071 cp += spi_size;
2072 prop_length -= spi_size;
2073 }
2074
2075 /*
2076 * Print the transforms.
2077 */
2078 tcount = 0;
2079 for (np = ISAKMP_NPTYPE_T; np != 0; np = GET_U_1(ext->np)) {
2080 tcount++;
2081 ext = (const struct isakmp_gen *)cp;
2082 if (prop_length < sizeof(*ext))
2083 goto toolong;
2084 ND_TCHECK_SIZE(ext);
2085
2086 /*
2087 * Since we can't have a payload length of less than 4 bytes,
2088 * we need to bail out here if the generic header is nonsensical
2089 * or truncated, otherwise we could loop forever processing
2090 * zero-length items or otherwise misdissect the packet.
2091 */
2092 item_len = GET_BE_U_2(ext->len);
2093 if (item_len <= 4)
2094 goto trunc;
2095
2096 if (prop_length < item_len)
2097 goto toolong;
2098 ND_TCHECK_LEN(cp, item_len);
2099
2100 depth++;
2101 ND_PRINT("\n");
2102 for (i = 0; i < depth; i++)
2103 ND_PRINT(" ");
2104 ND_PRINT("(");
2105 if (np == ISAKMP_NPTYPE_T) {
2106 cp = ikev2_t_print(ndo, tcount, ext, item_len, ep);
2107 if (cp == NULL) {
2108 /* error, already reported */
2109 return NULL;
2110 }
2111 } else {
2112 ND_PRINT("%s", NPSTR(np));
2113 cp += item_len;
2114 }
2115 ND_PRINT(")");
2116 depth--;
2117 prop_length -= item_len;
2118 }
2119 return cp;
2120 toolong:
2121 /*
2122 * Skip the rest of the proposal.
2123 */
2124 cp += prop_length;
2125 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_P));
2126 return cp;
2127 trunc:
2128 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_P));
2129 return NULL;
2130 }
2131
2132 static const u_char *
2133 ikev2_sa_print(netdissect_options *ndo, u_char tpay,
2134 const struct isakmp_gen *ext1,
2135 u_int osa_length, const u_char *ep,
2136 uint32_t phase _U_, uint32_t doi _U_,
2137 uint32_t proto _U_, int depth)
2138 {
2139 const struct isakmp_gen *ext;
2140 u_int sa_length;
2141 const u_char *cp;
2142 int i;
2143 int pcount;
2144 u_char np;
2145 u_int item_len;
2146
2147 ND_TCHECK_SIZE(ext1);
2148 ikev2_pay_print(ndo, "sa", GET_U_1(ext1->critical));
2149
2150 /*
2151 * ikev2_sub0_print() guarantees that this is >= 4.
2152 */
2153 osa_length= GET_BE_U_2(ext1->len);
2154 sa_length = osa_length - 4;
2155 ND_PRINT(" len=%u", sa_length);
2156
2157 /*
2158 * Print the payloads.
2159 */
2160 cp = (const u_char *)(ext1 + 1);
2161 pcount = 0;
2162 for (np = ISAKMP_NPTYPE_P; np != 0; np = GET_U_1(ext->np)) {
2163 pcount++;
2164 ext = (const struct isakmp_gen *)cp;
2165 if (sa_length < sizeof(*ext))
2166 goto toolong;
2167 ND_TCHECK_SIZE(ext);
2168
2169 /*
2170 * Since we can't have a payload length of less than 4 bytes,
2171 * we need to bail out here if the generic header is nonsensical
2172 * or truncated, otherwise we could loop forever processing
2173 * zero-length items or otherwise misdissect the packet.
2174 */
2175 item_len = GET_BE_U_2(ext->len);
2176 if (item_len <= 4)
2177 goto trunc;
2178
2179 if (sa_length < item_len)
2180 goto toolong;
2181 ND_TCHECK_LEN(cp, item_len);
2182
2183 depth++;
2184 ND_PRINT("\n");
2185 for (i = 0; i < depth; i++)
2186 ND_PRINT(" ");
2187 ND_PRINT("(");
2188 if (np == ISAKMP_NPTYPE_P) {
2189 cp = ikev2_p_print(ndo, np, pcount, ext, item_len,
2190 ep, depth);
2191 if (cp == NULL) {
2192 /* error, already reported */
2193 return NULL;
2194 }
2195 } else {
2196 ND_PRINT("%s", NPSTR(np));
2197 cp += item_len;
2198 }
2199 ND_PRINT(")");
2200 depth--;
2201 sa_length -= item_len;
2202 }
2203 return cp;
2204 toolong:
2205 /*
2206 * Skip the rest of the SA.
2207 */
2208 cp += sa_length;
2209 ND_PRINT(" [|%s]", NPSTR(tpay));
2210 return cp;
2211 trunc:
2212 ND_PRINT(" [|%s]", NPSTR(tpay));
2213 return NULL;
2214 }
2215
2216 static const u_char *
2217 ikev2_ke_print(netdissect_options *ndo, u_char tpay,
2218 const struct isakmp_gen *ext,
2219 u_int item_len, const u_char *ep _U_,
2220 uint32_t phase _U_, uint32_t doi _U_,
2221 uint32_t proto _U_, int depth _U_)
2222 {
2223 const struct ikev2_ke *k;
2224
2225 k = (const struct ikev2_ke *)ext;
2226 ND_TCHECK_SIZE(k);
2227 ikev2_pay_print(ndo, NPSTR(tpay), GET_U_1(k->h.critical));
2228
2229 if (item_len < 8) {
2230 ND_PRINT(" len=%u < 8", item_len);
2231 return (const u_char *)ext + item_len;
2232 }
2233 ND_PRINT(" len=%u group=%s", item_len - 8,
2234 STR_OR_ID(GET_BE_U_2(k->ke_group), dh_p_map));
2235
2236 if (2 < ndo->ndo_vflag && 8 < item_len) {
2237 ND_PRINT(" ");
2238 if (!rawprint(ndo, (const uint8_t *)(k + 1), item_len - 8))
2239 goto trunc;
2240 }
2241 return (const u_char *)ext + item_len;
2242 trunc:
2243 ND_PRINT(" [|%s]", NPSTR(tpay));
2244 return NULL;
2245 }
2246
2247 static const u_char *
2248 ikev2_ID_print(netdissect_options *ndo, u_char tpay,
2249 const struct isakmp_gen *ext,
2250 u_int item_len, const u_char *ep _U_,
2251 uint32_t phase _U_, uint32_t doi _U_,
2252 uint32_t proto _U_, int depth _U_)
2253 {
2254 const struct ikev2_id *idp;
2255 u_int idtype_len, i;
2256 unsigned int dumpascii, dumphex;
2257 const unsigned char *typedata;
2258
2259 idp = (const struct ikev2_id *)ext;
2260 ND_TCHECK_SIZE(idp);
2261 ikev2_pay_print(ndo, NPSTR(tpay), GET_U_1(idp->h.critical));
2262
2263 /*
2264 * Our caller has ensured that the length is >= 4.
2265 */
2266 ND_PRINT(" len=%u", item_len - 4);
2267 if (2 < ndo->ndo_vflag && 4 < item_len) {
2268 /* Print the entire payload in hex */
2269 ND_PRINT(" ");
2270 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
2271 goto trunc;
2272 }
2273
2274 idtype_len =item_len - sizeof(struct ikev2_id);
2275 dumpascii = 0;
2276 dumphex = 0;
2277 typedata = (const unsigned char *)(ext)+sizeof(struct ikev2_id);
2278
2279 switch(GET_U_1(idp->type)) {
2280 case ID_IPV4_ADDR:
2281 ND_PRINT(" ipv4:");
2282 dumphex=1;
2283 break;
2284 case ID_FQDN:
2285 ND_PRINT(" fqdn:");
2286 dumpascii=1;
2287 break;
2288 case ID_RFC822_ADDR:
2289 ND_PRINT(" rfc822:");
2290 dumpascii=1;
2291 break;
2292 case ID_IPV6_ADDR:
2293 ND_PRINT(" ipv6:");
2294 dumphex=1;
2295 break;
2296 case ID_DER_ASN1_DN:
2297 ND_PRINT(" dn:");
2298 dumphex=1;
2299 break;
2300 case ID_DER_ASN1_GN:
2301 ND_PRINT(" gn:");
2302 dumphex=1;
2303 break;
2304 case ID_KEY_ID:
2305 ND_PRINT(" keyid:");
2306 dumphex=1;
2307 break;
2308 }
2309
2310 if(dumpascii) {
2311 ND_TCHECK_LEN(typedata, idtype_len);
2312 for(i=0; i<idtype_len; i++) {
2313 if(ND_ASCII_ISPRINT(GET_U_1(typedata + i))) {
2314 ND_PRINT("%c", GET_U_1(typedata + i));
2315 } else {
2316 ND_PRINT(".");
2317 }
2318 }
2319 }
2320 if(dumphex) {
2321 if (!rawprint(ndo, (const uint8_t *)typedata, idtype_len))
2322 goto trunc;
2323 }
2324
2325 return (const u_char *)ext + item_len;
2326 trunc:
2327 ND_PRINT(" [|%s]", NPSTR(tpay));
2328 return NULL;
2329 }
2330
2331 static const u_char *
2332 ikev2_cert_print(netdissect_options *ndo, u_char tpay,
2333 const struct isakmp_gen *ext,
2334 u_int item_len, const u_char *ep _U_,
2335 uint32_t phase _U_, uint32_t doi _U_,
2336 uint32_t proto _U_, int depth _U_)
2337 {
2338 return ikev2_gen_print(ndo, tpay, ext, item_len);
2339 }
2340
2341 static const u_char *
2342 ikev2_cr_print(netdissect_options *ndo, u_char tpay,
2343 const struct isakmp_gen *ext,
2344 u_int item_len, const u_char *ep _U_,
2345 uint32_t phase _U_, uint32_t doi _U_,
2346 uint32_t proto _U_, int depth _U_)
2347 {
2348 return ikev2_gen_print(ndo, tpay, ext, item_len);
2349 }
2350
2351 static const u_char *
2352 ikev2_auth_print(netdissect_options *ndo, u_char tpay,
2353 const struct isakmp_gen *ext,
2354 u_int item_len, const u_char *ep,
2355 uint32_t phase _U_, uint32_t doi _U_,
2356 uint32_t proto _U_, int depth _U_)
2357 {
2358 const struct ikev2_auth *p;
2359 const char *v2_auth[]={ "invalid", "rsasig",
2360 "shared-secret", "dsssig" };
2361 const u_char *authdata = (const u_char *)ext + sizeof(struct ikev2_auth);
2362
2363 ND_TCHECK_LEN(ext, sizeof(struct ikev2_auth));
2364 p = (const struct ikev2_auth *)ext;
2365 ikev2_pay_print(ndo, NPSTR(tpay), GET_U_1(p->h.critical));
2366
2367 /*
2368 * Our caller has ensured that the length is >= 4.
2369 */
2370 ND_PRINT(" len=%u method=%s", item_len-4,
2371 STR_OR_ID(GET_U_1(p->auth_method), v2_auth));
2372 if (item_len > 4) {
2373 if (ndo->ndo_vflag > 1) {
2374 ND_PRINT(" authdata=(");
2375 if (!rawprint(ndo, (const uint8_t *)authdata, item_len - sizeof(struct ikev2_auth)))
2376 goto trunc;
2377 ND_PRINT(") ");
2378 } else if (ndo->ndo_vflag) {
2379 if (!ike_show_somedata(ndo, authdata, ep))
2380 goto trunc;
2381 }
2382 }
2383
2384 return (const u_char *)ext + item_len;
2385 trunc:
2386 ND_PRINT(" [|%s]", NPSTR(tpay));
2387 return NULL;
2388 }
2389
2390 static const u_char *
2391 ikev2_nonce_print(netdissect_options *ndo, u_char tpay,
2392 const struct isakmp_gen *ext,
2393 u_int item_len, const u_char *ep,
2394 uint32_t phase _U_, uint32_t doi _U_,
2395 uint32_t proto _U_, int depth _U_)
2396 {
2397 ND_TCHECK_SIZE(ext);
2398 ikev2_pay_print(ndo, "nonce", GET_U_1(ext->critical));
2399
2400 /*
2401 * Our caller has ensured that the length is >= 4.
2402 */
2403 ND_PRINT(" len=%u", item_len - 4);
2404 if (1 < ndo->ndo_vflag && 4 < item_len) {
2405 ND_PRINT(" nonce=(");
2406 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
2407 goto trunc;
2408 ND_PRINT(") ");
2409 } else if(ndo->ndo_vflag && 4 < item_len) {
2410 if(!ike_show_somedata(ndo, (const u_char *)(ext+1), ep)) goto trunc;
2411 }
2412
2413 return (const u_char *)ext + item_len;
2414 trunc:
2415 ND_PRINT(" [|%s]", NPSTR(tpay));
2416 return NULL;
2417 }
2418
2419 /* notify payloads */
2420 static const u_char *
2421 ikev2_n_print(netdissect_options *ndo, u_char tpay _U_,
2422 const struct isakmp_gen *ext,
2423 u_int item_len, const u_char *ep,
2424 uint32_t phase _U_, uint32_t doi _U_,
2425 uint32_t proto _U_, int depth _U_)
2426 {
2427 const struct ikev2_n *p;
2428 uint16_t type;
2429 uint8_t spi_size;
2430 const u_char *cp;
2431 u_char showspi, showsomedata;
2432 const char *notify_name;
2433
2434 p = (const struct ikev2_n *)ext;
2435 ND_TCHECK_SIZE(p);
2436 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_N), GET_U_1(p->h.critical));
2437
2438 showspi=0;
2439 showsomedata=0;
2440 notify_name=NULL;
2441
2442 ND_PRINT(" prot_id=%s", PROTOIDSTR(GET_U_1(p->prot_id)));
2443
2444 type = GET_BE_U_2(p->type);
2445
2446 /* notify space is annoying sparse */
2447 switch(type) {
2448 case IV2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD:
2449 notify_name = "unsupported_critical_payload";
2450 break;
2451
2452 case IV2_NOTIFY_INVALID_IKE_SPI:
2453 notify_name = "invalid_ike_spi";
2454 showspi = 1;
2455 break;
2456
2457 case IV2_NOTIFY_INVALID_MAJOR_VERSION:
2458 notify_name = "invalid_major_version";
2459 break;
2460
2461 case IV2_NOTIFY_INVALID_SYNTAX:
2462 notify_name = "invalid_syntax";
2463 showspi = 1;
2464 break;
2465
2466 case IV2_NOTIFY_INVALID_MESSAGE_ID:
2467 notify_name = "invalid_message_id";
2468 showspi = 1;
2469 break;
2470
2471 case IV2_NOTIFY_INVALID_SPI:
2472 notify_name = "invalid_spi";
2473 showspi = 1;
2474 break;
2475
2476 case IV2_NOTIFY_NO_PROPOSAL_CHOSEN:
2477 notify_name = "no_proposal_chosen";
2478 showspi = 1;
2479 break;
2480
2481 case IV2_NOTIFY_INVALID_KE_PAYLOAD:
2482 notify_name = "invalid_ke_payload";
2483 showspi = 1;
2484 break;
2485
2486 case IV2_NOTIFY_AUTHENTICATION_FAILED:
2487 notify_name = "authentication_failed";
2488 showspi = 1;
2489 break;
2490
2491 case IV2_NOTIFY_SINGLE_PAIR_REQUIRED:
2492 notify_name = "single_pair_required";
2493 showspi = 1;
2494 break;
2495
2496 case IV2_NOTIFY_NO_ADDITIONAL_SAS:
2497 notify_name = "no_additional_sas";
2498 break;
2499
2500 case IV2_NOTIFY_INTERNAL_ADDRESS_FAILURE:
2501 notify_name = "internal_address_failure";
2502 break;
2503
2504 case IV2_NOTIFY_FAILED_CP_REQUIRED:
2505 notify_name = "failed_cp_required";
2506 break;
2507
2508 case IV2_NOTIFY_TS_UNACCEPTABLE:
2509 notify_name = "ts_unacceptable";
2510 break;
2511
2512 case IV2_NOTIFY_INVALID_SELECTORS:
2513 notify_name = "invalid_selectors";
2514 break;
2515
2516 case IV2_NOTIFY_UNACCEPTABLE_ADDRESSES:
2517 notify_name = "unacceptable_addresses";
2518 break;
2519
2520 case IV2_NOTIFY_UNEXPECTED_NAT_DETECTED:
2521 notify_name = "unexpected_nat_detected";
2522 break;
2523
2524 case IV2_NOTIFY_USE_ASSIGNED_HOA:
2525 notify_name = "use_assigned_hoa";
2526 break;
2527
2528 case IV2_NOTIFY_TEMPORARY_FAILURE:
2529 notify_name = "temporary_failure";
2530 break;
2531
2532 case IV2_NOTIFY_CHILD_SA_NOT_FOUND:
2533 notify_name = "child_sa_not_found";
2534 break;
2535
2536 case IV2_NOTIFY_INVALID_GROUP_ID:
2537 notify_name = "invalid_group_id";
2538 break;
2539
2540 case IV2_NOTIFY_AUTHORIZATION_FAILED:
2541 notify_name = "authorization_failed";
2542 break;
2543
2544 case IV2_NOTIFY_STATE_NOT_FOUND:
2545 notify_name = "state_not_found";
2546 break;
2547
2548 case IV2_NOTIFY_INITIAL_CONTACT:
2549 notify_name = "initial_contact";
2550 break;
2551
2552 case IV2_NOTIFY_SET_WINDOW_SIZE:
2553 notify_name = "set_window_size";
2554 break;
2555
2556 case IV2_NOTIFY_ADDITIONAL_TS_POSSIBLE:
2557 notify_name = "additional_ts_possible";
2558 break;
2559
2560 case IV2_NOTIFY_IPCOMP_SUPPORTED:
2561 notify_name = "ipcomp_supported";
2562 break;
2563
2564 case IV2_NOTIFY_NAT_DETECTION_SOURCE_IP:
2565 notify_name = "nat_detection_source_ip";
2566 showspi = 1;
2567 break;
2568
2569 case IV2_NOTIFY_NAT_DETECTION_DESTINATION_IP:
2570 notify_name = "nat_detection_destination_ip";
2571 showspi = 1;
2572 break;
2573
2574 case IV2_NOTIFY_COOKIE:
2575 notify_name = "cookie";
2576 showspi = 1;
2577 showsomedata= 1;
2578 break;
2579
2580 case IV2_NOTIFY_USE_TRANSPORT_MODE:
2581 notify_name = "use_transport_mode";
2582 break;
2583
2584 case IV2_NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED:
2585 notify_name = "http_cert_lookup_supported";
2586 break;
2587
2588 case IV2_NOTIFY_REKEY_SA:
2589 notify_name = "rekey_sa";
2590 showspi = 1;
2591 break;
2592
2593 case IV2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED:
2594 notify_name = "tfc_padding_not_supported";
2595 break;
2596
2597 case IV2_NOTIFY_NON_FIRST_FRAGMENTS_ALSO:
2598 notify_name = "non_first_fragment_also";
2599 break;
2600
2601 case IV2_NOTIFY_MOBIKE_SUPPORTED:
2602 notify_name = "mobike_supported";
2603 break;
2604
2605 case IV2_NOTIFY_ADDITIONAL_IP4_ADDRESS:
2606 notify_name = "additional_ip4_address";
2607 break;
2608
2609 case IV2_NOTIFY_ADDITIONAL_IP6_ADDRESS:
2610 notify_name = "additional_ip6_address";
2611 break;
2612
2613 case IV2_NOTIFY_NO_ADDITIONAL_ADDRESSES:
2614 notify_name = "no_additional_addresses";
2615 break;
2616
2617 case IV2_NOTIFY_UPDATE_SA_ADDRESSES:
2618 notify_name = "update_sa_addresses";
2619 break;
2620
2621 case IV2_NOTIFY_COOKIE2:
2622 notify_name = "cookie2";
2623 break;
2624
2625 case IV2_NOTIFY_NO_NATS_ALLOWED:
2626 notify_name = "no_nats_allowed";
2627 break;
2628
2629 case IV2_NOTIFY_AUTH_LIFETIME:
2630 notify_name = "auth_lifetime";
2631 break;
2632
2633 case IV2_NOTIFY_MULTIPLE_AUTH_SUPPORTED:
2634 notify_name = "multiple_auth_supported";
2635 break;
2636
2637 case IV2_NOTIFY_ANOTHER_AUTH_FOLLOWS:
2638 notify_name = "another_auth_follows";
2639 break;
2640
2641 case IV2_NOTIFY_REDIRECT_SUPPORTED:
2642 notify_name = "redirect_supported";
2643 break;
2644
2645 case IV2_NOTIFY_REDIRECT:
2646 notify_name = "redirect";
2647 break;
2648
2649 case IV2_NOTIFY_REDIRECTED_FROM:
2650 notify_name = "redirected_from";
2651 break;
2652
2653 case IV2_NOTIFY_TICKET_LT_OPAQUE:
2654 notify_name = "ticket_lt_opaque";
2655 break;
2656
2657 case IV2_NOTIFY_TICKET_REQUEST:
2658 notify_name = "ticket_request";
2659 break;
2660
2661 case IV2_NOTIFY_TICKET_ACK:
2662 notify_name = "ticket_ack";
2663 break;
2664
2665 case IV2_NOTIFY_TICKET_NACK:
2666 notify_name = "ticket_nack";
2667 break;
2668
2669 case IV2_NOTIFY_TICKET_OPAQUE:
2670 notify_name = "ticket_opaque";
2671 break;
2672
2673 case IV2_NOTIFY_LINK_ID:
2674 notify_name = "link_id";
2675 break;
2676
2677 case IV2_NOTIFY_USE_WESP_MODE:
2678 notify_name = "use_wesp_mode";
2679 break;
2680
2681 case IV2_NOTIFY_ROHC_SUPPORTED:
2682 notify_name = "rohc_supported";
2683 break;
2684
2685 case IV2_NOTIFY_EAP_ONLY_AUTHENTICATION:
2686 notify_name = "eap_only_authentication";
2687 break;
2688
2689 case IV2_NOTIFY_CHILDLESS_IKEV2_SUPPORTED:
2690 notify_name = "childless_ikev2_supported";
2691 break;
2692
2693 case IV2_NOTIFY_QUICK_CRASH_DETECTION:
2694 notify_name = "quick_crash_detection";
2695 break;
2696
2697 case IV2_NOTIFY_IKEV2_MESSAGE_ID_SYNC_SUPPORTED:
2698 notify_name = "ikev2_message_id_sync_supported";
2699 break;
2700
2701 case IV2_NOTIFY_IPSEC_REPLAY_COUNTER_SYNC_SUPPORTED:
2702 notify_name = "ipsec_replay_counter_sync_supported";
2703 break;
2704
2705 case IV2_NOTIFY_IKEV2_MESSAGE_ID_SYNC:
2706 notify_name = "ikev2_message_id_sync";
2707 break;
2708
2709 case IV2_NOTIFY_IPSEC_REPLAY_COUNTER_SYNC:
2710 notify_name = "ipsec_replay_counter_sync";
2711 break;
2712
2713 case IV2_NOTIFY_SECURE_PASSWORD_METHODS:
2714 notify_name = "secure_password_methods";
2715 break;
2716
2717 case IV2_NOTIFY_PSK_PERSIST:
2718 notify_name = "psk_persist";
2719 break;
2720
2721 case IV2_NOTIFY_PSK_CONFIRM:
2722 notify_name = "psk_confirm";
2723 break;
2724
2725 case IV2_NOTIFY_ERX_SUPPORTED:
2726 notify_name = "erx_supported";
2727 break;
2728
2729 case IV2_NOTIFY_IFOM_CAPABILITY:
2730 notify_name = "ifom_capability";
2731 break;
2732
2733 case IV2_NOTIFY_SENDER_REQUEST_ID:
2734 notify_name = "sender_request_id";
2735 break;
2736
2737 case IV2_NOTIFY_IKEV2_FRAGMENTATION_SUPPORTED:
2738 notify_name = "ikev2_fragmentation_supported";
2739 break;
2740
2741 case IV2_NOTIFY_SIGNATURE_HASH_ALGORITHMS:
2742 notify_name = "signature_hash_algorithms";
2743 break;
2744
2745 case IV2_NOTIFY_CLONE_IKE_SA_SUPPORTED:
2746 notify_name = "clone_ike_sa_supported";
2747 break;
2748
2749 case IV2_NOTIFY_CLONE_IKE_SA:
2750 notify_name = "clone_ike_sa";
2751 break;
2752
2753 case IV2_NOTIFY_PUZZLE:
2754 notify_name = "puzzle";
2755 break;
2756
2757 case IV2_NOTIFY_USE_PPK:
2758 notify_name = "use_ppk";
2759 break;
2760
2761 case IV2_NOTIFY_PPK_IDENTITY:
2762 notify_name = "ppk_identity";
2763 break;
2764
2765 case IV2_NOTIFY_NO_PPK_AUTH:
2766 notify_name = "no_ppk_auth";
2767 break;
2768
2769 case IV2_NOTIFY_INTERMEDIATE_EXCHANGE_SUPPORTED:
2770 notify_name = "intermediate_exchange_supported";
2771 break;
2772
2773 case IV2_NOTIFY_IP4_ALLOWED:
2774 notify_name = "ip4_allowed";
2775 break;
2776
2777 case IV2_NOTIFY_IP6_ALLOWED:
2778 notify_name = "ip6_allowed";
2779 break;
2780
2781 case IV2_NOTIFY_ADDITIONAL_KEY_EXCHANGE:
2782 notify_name = "additional_key_exchange";
2783 break;
2784
2785 case IV2_NOTIFY_USE_AGGFRAG:
2786 notify_name = "use_aggfrag";
2787 break;
2788
2789 default:
2790 showspi = 1;
2791 if (type < 8192) {
2792 notify_name="error";
2793 } else if(type < 16384) {
2794 notify_name="private-error";
2795 } else if(type < 40960) {
2796 notify_name="status";
2797 } else {
2798 notify_name="private-status";
2799 }
2800 }
2801
2802 if(notify_name) {
2803 ND_PRINT(" type=%u(%s)", type, notify_name);
2804 }
2805
2806
2807 spi_size = GET_U_1(p->spi_size);
2808 if (showspi && spi_size) {
2809 ND_PRINT(" spi=");
2810 if (!rawprint(ndo, (const uint8_t *)(p + 1), spi_size))
2811 goto trunc;
2812 }
2813
2814 cp = (const u_char *)(p + 1) + spi_size;
2815
2816 if (cp < ep) {
2817 if (ndo->ndo_vflag > 3 || (showsomedata && ep-cp < 30)) {
2818 ND_PRINT(" data=(");
2819 if (!rawprint(ndo, (const uint8_t *)(cp), ep - cp))
2820 goto trunc;
2821
2822 ND_PRINT(")");
2823 } else if (showsomedata) {
2824 if (!ike_show_somedata(ndo, cp, ep))
2825 goto trunc;
2826 }
2827 }
2828
2829 return (const u_char *)ext + item_len;
2830 trunc:
2831 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_N));
2832 return NULL;
2833 }
2834
2835 static const u_char *
2836 ikev2_d_print(netdissect_options *ndo, u_char tpay,
2837 const struct isakmp_gen *ext,
2838 u_int item_len, const u_char *ep _U_,
2839 uint32_t phase _U_, uint32_t doi _U_,
2840 uint32_t proto _U_, int depth _U_)
2841 {
2842 return ikev2_gen_print(ndo, tpay, ext, item_len);
2843 }
2844
2845 static const u_char *
2846 ikev2_vid_print(netdissect_options *ndo, u_char tpay,
2847 const struct isakmp_gen *ext,
2848 u_int item_len, const u_char *ep _U_,
2849 uint32_t phase _U_, uint32_t doi _U_,
2850 uint32_t proto _U_, int depth _U_)
2851 {
2852 const u_char *vid;
2853 u_int i, len;
2854
2855 ND_TCHECK_SIZE(ext);
2856 ikev2_pay_print(ndo, NPSTR(tpay), GET_U_1(ext->critical));
2857
2858 /*
2859 * Our caller has ensured that the length is >= 4.
2860 */
2861 ND_PRINT(" len=%u vid=", item_len - 4);
2862
2863 vid = (const u_char *)(ext+1);
2864 len = item_len - 4;
2865 ND_TCHECK_LEN(vid, len);
2866 for(i=0; i<len; i++) {
2867 if(ND_ASCII_ISPRINT(GET_U_1(vid + i)))
2868 ND_PRINT("%c", GET_U_1(vid + i));
2869 else ND_PRINT(".");
2870 }
2871 if (2 < ndo->ndo_vflag && 4 < len) {
2872 /* Print the entire payload in hex */
2873 ND_PRINT(" ");
2874 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
2875 goto trunc;
2876 }
2877 return (const u_char *)ext + item_len;
2878 trunc:
2879 ND_PRINT(" [|%s]", NPSTR(tpay));
2880 return NULL;
2881 }
2882
2883 static const u_char *
2884 ikev2_TS_print(netdissect_options *ndo, u_char tpay,
2885 const struct isakmp_gen *ext,
2886 u_int item_len, const u_char *ep _U_,
2887 uint32_t phase _U_, uint32_t doi _U_,
2888 uint32_t proto _U_, int depth _U_)
2889 {
2890 return ikev2_gen_print(ndo, tpay, ext, item_len);
2891 }
2892
2893 static const u_char *
2894 ikev2_e_print(netdissect_options *ndo,
2895 #ifndef HAVE_LIBCRYPTO
2896 _U_
2897 #endif
2898 const struct isakmp *base,
2899 u_char tpay,
2900 const struct isakmp_gen *ext,
2901 u_int item_len, const u_char *ep _U_,
2902 #ifndef HAVE_LIBCRYPTO
2903 _U_
2904 #endif
2905 uint32_t phase,
2906 #ifndef HAVE_LIBCRYPTO
2907 _U_
2908 #endif
2909 uint32_t doi,
2910 #ifndef HAVE_LIBCRYPTO
2911 _U_
2912 #endif
2913 uint32_t proto,
2914 #ifndef HAVE_LIBCRYPTO
2915 _U_
2916 #endif
2917 int depth)
2918 {
2919 const u_char *dat;
2920 u_int dlen;
2921 #ifdef HAVE_LIBCRYPTO
2922 uint8_t np;
2923 #endif
2924
2925 ND_TCHECK_SIZE(ext);
2926 ikev2_pay_print(ndo, NPSTR(tpay), GET_U_1(ext->critical));
2927
2928 dlen = item_len-4;
2929
2930 ND_PRINT(" len=%u", dlen);
2931 if (2 < ndo->ndo_vflag && 4 < dlen) {
2932 ND_PRINT(" ");
2933 if (!rawprint(ndo, (const uint8_t *)(ext + 1), dlen))
2934 goto trunc;
2935 }
2936
2937 dat = (const u_char *)(ext+1);
2938 ND_TCHECK_LEN(dat, dlen);
2939
2940 #ifdef HAVE_LIBCRYPTO
2941 np = GET_U_1(ext->np);
2942
2943 /* try to decrypt it! */
2944 if(esp_decrypt_buffer_by_ikev2_print(ndo,
2945 GET_U_1(base->flags) & ISAKMP_FLAG_I,
2946 base->i_ck, base->r_ck,
2947 dat, dat+dlen)) {
2948
2949 ext = (const struct isakmp_gen *)ndo->ndo_packetp;
2950
2951 /* got it decrypted, print stuff inside. */
2952 ikev2_sub_print(ndo, base, np, ext,
2953 ndo->ndo_snapend, phase, doi, proto, depth+1);
2954
2955 /*
2956 * esp_decrypt_buffer_by_ikev2_print pushed information
2957 * on the buffer stack; we're done with the buffer, so
2958 * pop it (which frees the buffer)
2959 */
2960 nd_pop_packet_info(ndo);
2961 }
2962 #endif
2963
2964
2965 /* always return NULL, because E must be at end, and NP refers
2966 * to what was inside.
2967 */
2968 return NULL;
2969 trunc:
2970 ND_PRINT(" [|%s]", NPSTR(tpay));
2971 return NULL;
2972 }
2973
2974 static const u_char *
2975 ikev2_cp_print(netdissect_options *ndo, u_char tpay,
2976 const struct isakmp_gen *ext,
2977 u_int item_len, const u_char *ep _U_,
2978 uint32_t phase _U_, uint32_t doi _U_,
2979 uint32_t proto _U_, int depth _U_)
2980 {
2981 return ikev2_gen_print(ndo, tpay, ext, item_len);
2982 }
2983
2984 static const u_char *
2985 ikev2_eap_print(netdissect_options *ndo, u_char tpay,
2986 const struct isakmp_gen *ext,
2987 u_int item_len, const u_char *ep _U_,
2988 uint32_t phase _U_, uint32_t doi _U_,
2989 uint32_t proto _U_, int depth _U_)
2990 {
2991 return ikev2_gen_print(ndo, tpay, ext, item_len);
2992 }
2993
2994 static const u_char *
2995 ike_sub0_print(netdissect_options *ndo,
2996 u_char np, const struct isakmp_gen *ext, const u_char *ep,
2997
2998 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
2999 {
3000 const u_char *cp;
3001 u_int item_len;
3002
3003 cp = (const u_char *)ext;
3004 ND_TCHECK_SIZE(ext);
3005
3006 /*
3007 * Since we can't have a payload length of less than 4 bytes,
3008 * we need to bail out here if the generic header is nonsensical
3009 * or truncated, otherwise we could loop forever processing
3010 * zero-length items or otherwise misdissect the packet.
3011 */
3012 item_len = GET_BE_U_2(ext->len);
3013 if (item_len <= 4)
3014 return NULL;
3015
3016 if (NPFUNC(np)) {
3017 /*
3018 * XXX - what if item_len is too short, or too long,
3019 * for this payload type?
3020 */
3021 cp = (*npfunc[np])(ndo, np, ext, item_len, ep, phase, doi, proto, depth);
3022 } else {
3023 ND_PRINT("%s", NPSTR(np));
3024 cp += item_len;
3025 }
3026
3027 return cp;
3028 trunc:
3029 nd_print_trunc(ndo);
3030 return NULL;
3031 }
3032
3033 static const u_char *
3034 ikev1_sub_print(netdissect_options *ndo,
3035 u_char np, const struct isakmp_gen *ext, const u_char *ep,
3036 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
3037 {
3038 const u_char *cp;
3039 int i;
3040 u_int item_len;
3041
3042 cp = (const u_char *)ext;
3043
3044 while (np) {
3045 ND_TCHECK_SIZE(ext);
3046
3047 item_len = GET_BE_U_2(ext->len);
3048 ND_TCHECK_LEN(ext, item_len);
3049
3050 depth++;
3051 ND_PRINT("\n");
3052 for (i = 0; i < depth; i++)
3053 ND_PRINT(" ");
3054 ND_PRINT("(");
3055 cp = ike_sub0_print(ndo, np, ext, ep, phase, doi, proto, depth);
3056 ND_PRINT(")");
3057 depth--;
3058
3059 if (cp == NULL) {
3060 /* Zero-length subitem */
3061 return NULL;
3062 }
3063
3064 np = GET_U_1(ext->np);
3065 ext = (const struct isakmp_gen *)cp;
3066 }
3067 return cp;
3068 trunc:
3069 ND_PRINT(" [|%s]", NPSTR(np));
3070 return NULL;
3071 }
3072
3073 static char *
3074 numstr(u_int x)
3075 {
3076 static char buf[20];
3077 snprintf(buf, sizeof(buf), "#%u", x);
3078 return buf;
3079 }
3080
3081 static void
3082 ikev1_print(netdissect_options *ndo,
3083 const u_char *bp, u_int length,
3084 const u_char *bp2, const struct isakmp *base)
3085 {
3086 const struct isakmp *p;
3087 const u_char *ep;
3088 u_int flags;
3089 u_char np;
3090 int i;
3091 u_int phase;
3092
3093 p = (const struct isakmp *)bp;
3094 ep = ndo->ndo_snapend;
3095
3096 phase = (GET_BE_U_4(base->msgid) == 0) ? 1 : 2;
3097 if (phase == 1)
3098 ND_PRINT(" phase %u", phase);
3099 else
3100 ND_PRINT(" phase %u/others", phase);
3101
3102 i = cookie_find(&base->i_ck);
3103 if (i < 0) {
3104 if (iszero(ndo, base->r_ck, sizeof(base->r_ck))) {
3105 /* the first packet */
3106 ND_PRINT(" I");
3107 if (bp2)
3108 cookie_record(ndo, &base->i_ck, bp2);
3109 } else
3110 ND_PRINT(" ?");
3111 } else {
3112 if (bp2 && cookie_isinitiator(ndo, i, bp2))
3113 ND_PRINT(" I");
3114 else if (bp2 && cookie_isresponder(ndo, i, bp2))
3115 ND_PRINT(" R");
3116 else
3117 ND_PRINT(" ?");
3118 }
3119
3120 ND_PRINT(" %s", ETYPESTR(GET_U_1(base->etype)));
3121 flags = GET_U_1(base->flags);
3122 if (flags) {
3123 ND_PRINT("[%s%s]", flags & ISAKMP_FLAG_E ? "E" : "",
3124 flags & ISAKMP_FLAG_C ? "C" : "");
3125 }
3126
3127 if (ndo->ndo_vflag) {
3128 const struct isakmp_gen *ext;
3129
3130 ND_PRINT(":");
3131
3132 np = GET_U_1(base->np);
3133
3134 /* regardless of phase... */
3135 if (flags & ISAKMP_FLAG_E) {
3136 /*
3137 * encrypted, nothing we can do right now.
3138 * we hope to decrypt the packet in the future...
3139 */
3140 ND_PRINT(" [encrypted %s]", NPSTR(np));
3141 goto done;
3142 }
3143
3144 CHECKLEN(p + 1, np);
3145 ext = (const struct isakmp_gen *)(p + 1);
3146 ikev1_sub_print(ndo, np, ext, ep, phase, 0, 0, 0);
3147 }
3148
3149 done:
3150 if (ndo->ndo_vflag) {
3151 if (GET_BE_U_4(base->len) != length) {
3152 ND_PRINT(" (len mismatch: isakmp %u/ip %u)",
3153 GET_BE_U_4(base->len), length);
3154 }
3155 }
3156 }
3157
3158 static const u_char *
3159 ikev2_sub0_print(netdissect_options *ndo, const struct isakmp *base,
3160 u_char np,
3161 const struct isakmp_gen *ext, const u_char *ep,
3162 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
3163 {
3164 const u_char *cp;
3165 u_int item_len;
3166
3167 cp = (const u_char *)ext;
3168 ND_TCHECK_SIZE(ext);
3169
3170 /*
3171 * Since we can't have a payload length of less than 4 bytes,
3172 * we need to bail out here if the generic header is nonsensical
3173 * or truncated, otherwise we could loop forever processing
3174 * zero-length items or otherwise misdissect the packet.
3175 */
3176 item_len = GET_BE_U_2(ext->len);
3177 if (item_len <= 4)
3178 return NULL;
3179
3180 if (np == ISAKMP_NPTYPE_v2E) {
3181 cp = ikev2_e_print(ndo, base, np, ext, item_len,
3182 ep, phase, doi, proto, depth);
3183 } else if (NPFUNC(np)) {
3184 /*
3185 * XXX - what if item_len is too short, or too long,
3186 * for this payload type?
3187 */
3188 cp = (*npfunc[np])(ndo, np, ext, item_len,
3189 ep, phase, doi, proto, depth);
3190 } else {
3191 ND_PRINT("%s", NPSTR(np));
3192 cp += item_len;
3193 }
3194
3195 return cp;
3196 trunc:
3197 nd_print_trunc(ndo);
3198 return NULL;
3199 }
3200
3201 static const u_char *
3202 ikev2_sub_print(netdissect_options *ndo,
3203 const struct isakmp *base,
3204 u_char np, const struct isakmp_gen *ext, const u_char *ep,
3205 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
3206 {
3207 const u_char *cp;
3208 int i;
3209
3210 cp = (const u_char *)ext;
3211 while (np) {
3212 ND_TCHECK_SIZE(ext);
3213
3214 ND_TCHECK_LEN(ext, GET_BE_U_2(ext->len));
3215
3216 depth++;
3217 ND_PRINT("\n");
3218 for (i = 0; i < depth; i++)
3219 ND_PRINT(" ");
3220 ND_PRINT("(");
3221 cp = ikev2_sub0_print(ndo, base, np,
3222 ext, ep, phase, doi, proto, depth);
3223 ND_PRINT(")");
3224 depth--;
3225
3226 if (cp == NULL) {
3227 /* Zero-length subitem */
3228 return NULL;
3229 }
3230
3231 np = GET_U_1(ext->np);
3232 ext = (const struct isakmp_gen *)cp;
3233 }
3234 return cp;
3235 trunc:
3236 ND_PRINT(" [|%s]", NPSTR(np));
3237 return NULL;
3238 }
3239
3240 static void
3241 ikev2_print(netdissect_options *ndo,
3242 const u_char *bp, u_int length,
3243 const u_char *bp2 _U_, const struct isakmp *base)
3244 {
3245 const struct isakmp *p;
3246 const u_char *ep;
3247 uint8_t flags;
3248 u_char np;
3249 u_int phase;
3250
3251 p = (const struct isakmp *)bp;
3252 ep = ndo->ndo_snapend;
3253
3254 phase = (GET_BE_U_4(base->msgid) == 0) ? 1 : 2;
3255 if (phase == 1)
3256 ND_PRINT(" parent_sa");
3257 else
3258 ND_PRINT(" child_sa ");
3259
3260 ND_PRINT(" %s", ETYPESTR(GET_U_1(base->etype)));
3261 flags = GET_U_1(base->flags);
3262 if (flags) {
3263 ND_PRINT("[%s%s%s]",
3264 flags & ISAKMP_FLAG_I ? "I" : "",
3265 flags & ISAKMP_FLAG_V ? "V" : "",
3266 flags & ISAKMP_FLAG_R ? "R" : "");
3267 }
3268
3269 if (ndo->ndo_vflag) {
3270 const struct isakmp_gen *ext;
3271
3272 ND_PRINT(":");
3273
3274 np = GET_U_1(base->np);
3275
3276 /* regardless of phase... */
3277 if (flags & ISAKMP_FLAG_E) {
3278 /*
3279 * encrypted, nothing we can do right now.
3280 * we hope to decrypt the packet in the future...
3281 */
3282 ND_PRINT(" [encrypted %s]", NPSTR(np));
3283 goto done;
3284 }
3285
3286 CHECKLEN(p + 1, np)
3287 ext = (const struct isakmp_gen *)(p + 1);
3288 ikev2_sub_print(ndo, base, np, ext, ep, phase, 0, 0, 0);
3289 }
3290
3291 done:
3292 if (ndo->ndo_vflag) {
3293 if (GET_BE_U_4(base->len) != length) {
3294 ND_PRINT(" (len mismatch: isakmp %u/ip %u)",
3295 GET_BE_U_4(base->len), length);
3296 }
3297 }
3298 }
3299
3300 void
3301 isakmp_print(netdissect_options *ndo,
3302 const u_char *bp, u_int length,
3303 const u_char *bp2)
3304 {
3305 const struct isakmp *p;
3306 const u_char *ep;
3307 u_int major, minor;
3308
3309 ndo->ndo_protocol = "isakmp";
3310 #ifdef HAVE_LIBCRYPTO
3311 /* initialize SAs */
3312 if (ndo->ndo_sa_list_head == NULL) {
3313 if (ndo->ndo_espsecret)
3314 esp_decodesecret_print(ndo);
3315 }
3316 #endif
3317
3318 p = (const struct isakmp *)bp;
3319 ep = ndo->ndo_snapend;
3320
3321 if ((const struct isakmp *)ep < p + 1) {
3322 nd_print_trunc(ndo);
3323 return;
3324 }
3325
3326 ND_PRINT("isakmp");
3327 major = (GET_U_1(p->vers) & ISAKMP_VERS_MAJOR)
3328 >> ISAKMP_VERS_MAJOR_SHIFT;
3329 minor = (GET_U_1(p->vers) & ISAKMP_VERS_MINOR)
3330 >> ISAKMP_VERS_MINOR_SHIFT;
3331
3332 if (ndo->ndo_vflag) {
3333 ND_PRINT(" %u.%u", major, minor);
3334 }
3335
3336 if (ndo->ndo_vflag) {
3337 ND_PRINT(" msgid ");
3338 hexprint(ndo, p->msgid, sizeof(p->msgid));
3339 }
3340
3341 if (1 < ndo->ndo_vflag) {
3342 ND_PRINT(" cookie ");
3343 hexprint(ndo, p->i_ck, sizeof(p->i_ck));
3344 ND_PRINT("->");
3345 hexprint(ndo, p->r_ck, sizeof(p->r_ck));
3346 }
3347 ND_PRINT(":");
3348
3349 switch(major) {
3350 case IKEv1_MAJOR_VERSION:
3351 ikev1_print(ndo, bp, length, bp2, p);
3352 break;
3353
3354 case IKEv2_MAJOR_VERSION:
3355 ikev2_print(ndo, bp, length, bp2, p);
3356 break;
3357 }
3358 }
3359
3360 void
3361 isakmp_rfc3948_print(netdissect_options *ndo,
3362 const u_char *bp, u_int length,
3363 const u_char *bp2, int ver, int fragmented, u_int ttl_hl)
3364 {
3365 ndo->ndo_protocol = "isakmp_rfc3948";
3366 if(length == 1 && GET_U_1(bp)==0xff) {
3367 ND_PRINT("isakmp-nat-keep-alive");
3368 return;
3369 }
3370
3371 if(length < 4) {
3372 goto trunc;
3373 }
3374
3375 /*
3376 * see if this is an IKE packet
3377 */
3378 if (GET_BE_U_4(bp) == 0) {
3379 ND_PRINT("NONESP-encap: ");
3380 isakmp_print(ndo, bp+4, length-4, bp2);
3381 return;
3382 }
3383
3384 /* must be an ESP packet */
3385 {
3386 ND_PRINT("UDP-encap: ");
3387
3388 esp_print(ndo, bp, length, bp2, ver, fragmented, ttl_hl);
3389
3390 /*
3391 * Either this has decrypted the payload and
3392 * printed it, in which case there's nothing more
3393 * to do, or it hasn't, in which case there's
3394 * nothing more to do.
3395 */
3396 return;
3397 }
3398
3399 trunc:
3400 nd_print_trunc(ndo);
3401 }
[mirror] the TCPdump network dissector