]> The Tcpdump Group git mirrors - tcpdump/blob - print-isakmp.c
projects / tcpdump / blob
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
If -n is specified, don't look up IP protocol numbers.
[tcpdump] / print-isakmp.c
1 /*
2 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. Neither the name of the project nor the names of its contributors
14 * may be used to endorse or promote products derived from this software
15 * without specific prior written permission.
16 *
17 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27 * SUCH DAMAGE.
28 *
29 */
30
31 /* \summary: Internet Security Association and Key Management Protocol (ISAKMP) printer */
32
33 #ifdef HAVE_CONFIG_H
34 #include "config.h"
35 #endif
36
37 /* The functions from print-esp.c used in this file are only defined when both
38 * OpenSSL and evp.h are detected. Employ the same preprocessor device here.
39 */
40 #ifndef HAVE_OPENSSL_EVP_H
41 #undef HAVE_LIBCRYPTO
42 #endif
43
44 #include <netdissect-stdinc.h>
45
46 #include <string.h>
47
48 #include "netdissect.h"
49 #include "addrtoname.h"
50 #include "extract.h"
51
52 #include "ip.h"
53 #include "ip6.h"
54
55 /* refer to RFC 2408 */
56
57 typedef u_char cookie_t[8];
58 typedef u_char msgid_t[4];
59
60 #define PORT_ISAKMP 500
61
62 /* 3.1 ISAKMP Header Format (IKEv1 and IKEv2)
63 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
64 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
65 ! Initiator !
66 ! Cookie !
67 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
68 ! Responder !
69 ! Cookie !
70 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
71 ! Next Payload ! MjVer ! MnVer ! Exchange Type ! Flags !
72 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
73 ! Message ID !
74 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
75 ! Length !
76 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
77 */
78 struct isakmp {
79 cookie_t i_ck; /* Initiator Cookie */
80 cookie_t r_ck; /* Responder Cookie */
81 uint8_t np; /* Next Payload Type */
82 uint8_t vers;
83 #define ISAKMP_VERS_MAJOR 0xf0
84 #define ISAKMP_VERS_MAJOR_SHIFT 4
85 #define ISAKMP_VERS_MINOR 0x0f
86 #define ISAKMP_VERS_MINOR_SHIFT 0
87 uint8_t etype; /* Exchange Type */
88 uint8_t flags; /* Flags */
89 msgid_t msgid;
90 uint32_t len; /* Length */
91 };
92
93 /* Next Payload Type */
94 #define ISAKMP_NPTYPE_NONE 0 /* NONE*/
95 #define ISAKMP_NPTYPE_SA 1 /* Security Association */
96 #define ISAKMP_NPTYPE_P 2 /* Proposal */
97 #define ISAKMP_NPTYPE_T 3 /* Transform */
98 #define ISAKMP_NPTYPE_KE 4 /* Key Exchange */
99 #define ISAKMP_NPTYPE_ID 5 /* Identification */
100 #define ISAKMP_NPTYPE_CERT 6 /* Certificate */
101 #define ISAKMP_NPTYPE_CR 7 /* Certificate Request */
102 #define ISAKMP_NPTYPE_HASH 8 /* Hash */
103 #define ISAKMP_NPTYPE_SIG 9 /* Signature */
104 #define ISAKMP_NPTYPE_NONCE 10 /* Nonce */
105 #define ISAKMP_NPTYPE_N 11 /* Notification */
106 #define ISAKMP_NPTYPE_D 12 /* Delete */
107 #define ISAKMP_NPTYPE_VID 13 /* Vendor ID */
108 #define ISAKMP_NPTYPE_v2E 46 /* v2 Encrypted payload */
109
110 #define IKEv1_MAJOR_VERSION 1
111 #define IKEv1_MINOR_VERSION 0
112
113 #define IKEv2_MAJOR_VERSION 2
114 #define IKEv2_MINOR_VERSION 0
115
116 /* Flags */
117 #define ISAKMP_FLAG_E 0x01 /* Encryption Bit */
118 #define ISAKMP_FLAG_C 0x02 /* Commit Bit */
119 #define ISAKMP_FLAG_extra 0x04
120
121 /* IKEv2 */
122 #define ISAKMP_FLAG_I (1 << 3) /* (I)nitiator */
123 #define ISAKMP_FLAG_V (1 << 4) /* (V)ersion */
124 #define ISAKMP_FLAG_R (1 << 5) /* (R)esponse */
125
126
127 /* 3.2 Payload Generic Header
128 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
129 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
130 ! Next Payload ! RESERVED ! Payload Length !
131 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
132 */
133 struct isakmp_gen {
134 uint8_t np; /* Next Payload */
135 uint8_t critical; /* bit 7 - critical, rest is RESERVED */
136 uint16_t len; /* Payload Length */
137 };
138
139 /* 3.3 Data Attributes
140 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
141 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
142 !A! Attribute Type ! AF=0 Attribute Length !
143 !F! ! AF=1 Attribute Value !
144 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
145 . AF=0 Attribute Value .
146 . AF=1 Not Transmitted .
147 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
148 */
149 struct isakmp_data {
150 uint16_t type; /* defined by DOI-spec, and Attribute Format */
151 uint16_t lorv; /* if f equal 1, Attribute Length */
152 /* if f equal 0, Attribute Value */
153 /* if f equal 1, Attribute Value */
154 };
155
156 /* 3.4 Security Association Payload */
157 /* MAY NOT be used, because of being defined in ipsec-doi. */
158 /*
159 If the current payload is the last in the message,
160 then the value of the next payload field will be 0.
161 This field MUST NOT contain the
162 values for the Proposal or Transform payloads as they are considered
163 part of the security association negotiation. For example, this
164 field would contain the value "10" (Nonce payload) in the first
165 message of a Base Exchange (see Section 4.4) and the value "0" in the
166 first message of an Identity Protect Exchange (see Section 4.5).
167 */
168 struct ikev1_pl_sa {
169 struct isakmp_gen h;
170 uint32_t doi; /* Domain of Interpretation */
171 uint32_t sit; /* Situation */
172 };
173
174 /* 3.5 Proposal Payload */
175 /*
176 The value of the next payload field MUST only contain the value "2"
177 or "0". If there are additional Proposal payloads in the message,
178 then this field will be 2. If the current Proposal payload is the
179 last within the security association proposal, then this field will
180 be 0.
181 */
182 struct ikev1_pl_p {
183 struct isakmp_gen h;
184 uint8_t p_no; /* Proposal # */
185 uint8_t prot_id; /* Protocol */
186 uint8_t spi_size; /* SPI Size */
187 uint8_t num_t; /* Number of Transforms */
188 /* SPI */
189 };
190
191 /* 3.6 Transform Payload */
192 /*
193 The value of the next payload field MUST only contain the value "3"
194 or "0". If there are additional Transform payloads in the proposal,
195 then this field will be 3. If the current Transform payload is the
196 last within the proposal, then this field will be 0.
197 */
198 struct ikev1_pl_t {
199 struct isakmp_gen h;
200 uint8_t t_no; /* Transform # */
201 uint8_t t_id; /* Transform-Id */
202 uint16_t reserved; /* RESERVED2 */
203 /* SA Attributes */
204 };
205
206 /* 3.7 Key Exchange Payload */
207 struct ikev1_pl_ke {
208 struct isakmp_gen h;
209 /* Key Exchange Data */
210 };
211
212 /* 3.8 Identification Payload */
213 /* MUST NOT to be used, because of being defined in ipsec-doi. */
214 struct ikev1_pl_id {
215 struct isakmp_gen h;
216 union {
217 uint8_t id_type; /* ID Type */
218 uint32_t doi_data; /* DOI Specific ID Data */
219 } d;
220 /* Identification Data */
221 };
222
223 /* 3.9 Certificate Payload */
224 struct ikev1_pl_cert {
225 struct isakmp_gen h;
226 uint8_t encode; /* Cert Encoding */
227 char cert; /* Certificate Data */
228 /*
229 This field indicates the type of
230 certificate or certificate-related information contained in the
231 Certificate Data field.
232 */
233 };
234
235 /* 3.10 Certificate Request Payload */
236 struct ikev1_pl_cr {
237 struct isakmp_gen h;
238 uint8_t num_cert; /* # Cert. Types */
239 /*
240 Certificate Types (variable length)
241 -- Contains a list of the types of certificates requested,
242 sorted in order of preference. Each individual certificate
243 type is 1 octet. This field is NOT requiredo
244 */
245 /* # Certificate Authorities (1 octet) */
246 /* Certificate Authorities (variable length) */
247 };
248
249 /* 3.11 Hash Payload */
250 /* may not be used, because of having only data. */
251 struct ikev1_pl_hash {
252 struct isakmp_gen h;
253 /* Hash Data */
254 };
255
256 /* 3.12 Signature Payload */
257 /* may not be used, because of having only data. */
258 struct ikev1_pl_sig {
259 struct isakmp_gen h;
260 /* Signature Data */
261 };
262
263 /* 3.13 Nonce Payload */
264 /* may not be used, because of having only data. */
265 struct ikev1_pl_nonce {
266 struct isakmp_gen h;
267 /* Nonce Data */
268 };
269
270 /* 3.14 Notification Payload */
271 struct ikev1_pl_n {
272 struct isakmp_gen h;
273 uint32_t doi; /* Domain of Interpretation */
274 uint8_t prot_id; /* Protocol-ID */
275 uint8_t spi_size; /* SPI Size */
276 uint16_t type; /* Notify Message Type */
277 /* SPI */
278 /* Notification Data */
279 };
280
281 /* 3.14.1 Notify Message Types */
282 /* NOTIFY MESSAGES - ERROR TYPES */
283 #define ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE 1
284 #define ISAKMP_NTYPE_DOI_NOT_SUPPORTED 2
285 #define ISAKMP_NTYPE_SITUATION_NOT_SUPPORTED 3
286 #define ISAKMP_NTYPE_INVALID_COOKIE 4
287 #define ISAKMP_NTYPE_INVALID_MAJOR_VERSION 5
288 #define ISAKMP_NTYPE_INVALID_MINOR_VERSION 6
289 #define ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE 7
290 #define ISAKMP_NTYPE_INVALID_FLAGS 8
291 #define ISAKMP_NTYPE_INVALID_MESSAGE_ID 9
292 #define ISAKMP_NTYPE_INVALID_PROTOCOL_ID 10
293 #define ISAKMP_NTYPE_INVALID_SPI 11
294 #define ISAKMP_NTYPE_INVALID_TRANSFORM_ID 12
295 #define ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED 13
296 #define ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN 14
297 #define ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX 15
298 #define ISAKMP_NTYPE_PAYLOAD_MALFORMED 16
299 #define ISAKMP_NTYPE_INVALID_KEY_INFORMATION 17
300 #define ISAKMP_NTYPE_INVALID_ID_INFORMATION 18
301 #define ISAKMP_NTYPE_INVALID_CERT_ENCODING 19
302 #define ISAKMP_NTYPE_INVALID_CERTIFICATE 20
303 #define ISAKMP_NTYPE_BAD_CERT_REQUEST_SYNTAX 21
304 #define ISAKMP_NTYPE_INVALID_CERT_AUTHORITY 22
305 #define ISAKMP_NTYPE_INVALID_HASH_INFORMATION 23
306 #define ISAKMP_NTYPE_AUTHENTICATION_FAILED 24
307 #define ISAKMP_NTYPE_INVALID_SIGNATURE 25
308 #define ISAKMP_NTYPE_ADDRESS_NOTIFICATION 26
309
310 /* 3.15 Delete Payload */
311 struct ikev1_pl_d {
312 struct isakmp_gen h;
313 uint32_t doi; /* Domain of Interpretation */
314 uint8_t prot_id; /* Protocol-Id */
315 uint8_t spi_size; /* SPI Size */
316 uint16_t num_spi; /* # of SPIs */
317 /* SPI(es) */
318 };
319
320 struct ikev1_ph1tab {
321 struct ikev1_ph1 *head;
322 struct ikev1_ph1 *tail;
323 int len;
324 };
325
326 struct isakmp_ph2tab {
327 struct ikev1_ph2 *head;
328 struct ikev1_ph2 *tail;
329 int len;
330 };
331
332 /* IKEv2 (RFC4306) */
333
334 /* 3.3 Security Association Payload -- generic header */
335 /* 3.3.1. Proposal Substructure */
336 struct ikev2_p {
337 struct isakmp_gen h;
338 uint8_t p_no; /* Proposal # */
339 uint8_t prot_id; /* Protocol */
340 uint8_t spi_size; /* SPI Size */
341 uint8_t num_t; /* Number of Transforms */
342 };
343
344 /* 3.3.2. Transform Substructure */
345 struct ikev2_t {
346 struct isakmp_gen h;
347 uint8_t t_type; /* Transform Type (ENCR,PRF,INTEG,etc.*/
348 uint8_t res2; /* reserved byte */
349 uint16_t t_id; /* Transform ID */
350 };
351
352 enum ikev2_t_type {
353 IV2_T_ENCR = 1,
354 IV2_T_PRF = 2,
355 IV2_T_INTEG= 3,
356 IV2_T_DH = 4,
357 IV2_T_ESN = 5
358 };
359
360 /* 3.4. Key Exchange Payload */
361 struct ikev2_ke {
362 struct isakmp_gen h;
363 uint16_t ke_group;
364 uint16_t ke_res1;
365 /* KE data */
366 };
367
368
369 /* 3.5. Identification Payloads */
370 enum ikev2_id_type {
371 ID_IPV4_ADDR=1,
372 ID_FQDN=2,
373 ID_RFC822_ADDR=3,
374 ID_IPV6_ADDR=5,
375 ID_DER_ASN1_DN=9,
376 ID_DER_ASN1_GN=10,
377 ID_KEY_ID=11
378 };
379 struct ikev2_id {
380 struct isakmp_gen h;
381 uint8_t type; /* ID type */
382 uint8_t res1;
383 uint16_t res2;
384 /* SPI */
385 /* Notification Data */
386 };
387
388 /* 3.10 Notification Payload */
389 struct ikev2_n {
390 struct isakmp_gen h;
391 uint8_t prot_id; /* Protocol-ID */
392 uint8_t spi_size; /* SPI Size */
393 uint16_t type; /* Notify Message Type */
394 };
395
396 enum ikev2_n_type {
397 IV2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD = 1,
398 IV2_NOTIFY_INVALID_IKE_SPI = 4,
399 IV2_NOTIFY_INVALID_MAJOR_VERSION = 5,
400 IV2_NOTIFY_INVALID_SYNTAX = 7,
401 IV2_NOTIFY_INVALID_MESSAGE_ID = 9,
402 IV2_NOTIFY_INVALID_SPI =11,
403 IV2_NOTIFY_NO_PROPOSAL_CHOSEN =14,
404 IV2_NOTIFY_INVALID_KE_PAYLOAD =17,
405 IV2_NOTIFY_AUTHENTICATION_FAILED =24,
406 IV2_NOTIFY_SINGLE_PAIR_REQUIRED =34,
407 IV2_NOTIFY_NO_ADDITIONAL_SAS =35,
408 IV2_NOTIFY_INTERNAL_ADDRESS_FAILURE =36,
409 IV2_NOTIFY_FAILED_CP_REQUIRED =37,
410 IV2_NOTIFY_INVALID_SELECTORS =39,
411 IV2_NOTIFY_INITIAL_CONTACT =16384,
412 IV2_NOTIFY_SET_WINDOW_SIZE =16385,
413 IV2_NOTIFY_ADDITIONAL_TS_POSSIBLE =16386,
414 IV2_NOTIFY_IPCOMP_SUPPORTED =16387,
415 IV2_NOTIFY_NAT_DETECTION_SOURCE_IP =16388,
416 IV2_NOTIFY_NAT_DETECTION_DESTINATION_IP =16389,
417 IV2_NOTIFY_COOKIE =16390,
418 IV2_NOTIFY_USE_TRANSPORT_MODE =16391,
419 IV2_NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED =16392,
420 IV2_NOTIFY_REKEY_SA =16393,
421 IV2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED =16394,
422 IV2_NOTIFY_NON_FIRST_FRAGMENTS_ALSO =16395
423 };
424
425 struct notify_messages {
426 uint16_t type;
427 char *msg;
428 };
429
430 /* 3.8 Notification Payload */
431 struct ikev2_auth {
432 struct isakmp_gen h;
433 uint8_t auth_method; /* Protocol-ID */
434 uint8_t reserved[3];
435 /* authentication data */
436 };
437
438 enum ikev2_auth_type {
439 IV2_RSA_SIG = 1,
440 IV2_SHARED = 2,
441 IV2_DSS_SIG = 3
442 };
443
444 /* refer to RFC 2409 */
445
446 #if 0
447 /* isakmp sa structure */
448 struct oakley_sa {
449 uint8_t proto_id; /* OAKLEY */
450 vchar_t *spi; /* spi */
451 uint8_t dhgrp; /* DH; group */
452 uint8_t auth_t; /* method of authentication */
453 uint8_t prf_t; /* type of prf */
454 uint8_t hash_t; /* type of hash */
455 uint8_t enc_t; /* type of cipher */
456 uint8_t life_t; /* type of duration of lifetime */
457 uint32_t ldur; /* life duration */
458 };
459 #endif
460
461 /* refer to RFC 2407 */
462
463 #define IPSEC_DOI 1
464
465 /* 4.2 IPSEC Situation Definition */
466 #define IPSECDOI_SIT_IDENTITY_ONLY 0x00000001
467 #define IPSECDOI_SIT_SECRECY 0x00000002
468 #define IPSECDOI_SIT_INTEGRITY 0x00000004
469
470 /* 4.4.1 IPSEC Security Protocol Identifiers */
471 /* 4.4.2 IPSEC ISAKMP Transform Values */
472 #define IPSECDOI_PROTO_ISAKMP 1
473 #define IPSECDOI_KEY_IKE 1
474
475 /* 4.4.1 IPSEC Security Protocol Identifiers */
476 #define IPSECDOI_PROTO_IPSEC_AH 2
477 /* 4.4.3 IPSEC AH Transform Values */
478 #define IPSECDOI_AH_MD5 2
479 #define IPSECDOI_AH_SHA 3
480 #define IPSECDOI_AH_DES 4
481 #define IPSECDOI_AH_SHA2_256 5
482 #define IPSECDOI_AH_SHA2_384 6
483 #define IPSECDOI_AH_SHA2_512 7
484
485 /* 4.4.1 IPSEC Security Protocol Identifiers */
486 #define IPSECDOI_PROTO_IPSEC_ESP 3
487 /* 4.4.4 IPSEC ESP Transform Identifiers */
488 #define IPSECDOI_ESP_DES_IV64 1
489 #define IPSECDOI_ESP_DES 2
490 #define IPSECDOI_ESP_3DES 3
491 #define IPSECDOI_ESP_RC5 4
492 #define IPSECDOI_ESP_IDEA 5
493 #define IPSECDOI_ESP_CAST 6
494 #define IPSECDOI_ESP_BLOWFISH 7
495 #define IPSECDOI_ESP_3IDEA 8
496 #define IPSECDOI_ESP_DES_IV32 9
497 #define IPSECDOI_ESP_RC4 10
498 #define IPSECDOI_ESP_NULL 11
499 #define IPSECDOI_ESP_RIJNDAEL 12
500 #define IPSECDOI_ESP_AES 12
501
502 /* 4.4.1 IPSEC Security Protocol Identifiers */
503 #define IPSECDOI_PROTO_IPCOMP 4
504 /* 4.4.5 IPSEC IPCOMP Transform Identifiers */
505 #define IPSECDOI_IPCOMP_OUI 1
506 #define IPSECDOI_IPCOMP_DEFLATE 2
507 #define IPSECDOI_IPCOMP_LZS 3
508
509 /* 4.5 IPSEC Security Association Attributes */
510 #define IPSECDOI_ATTR_SA_LTYPE 1 /* B */
511 #define IPSECDOI_ATTR_SA_LTYPE_DEFAULT 1
512 #define IPSECDOI_ATTR_SA_LTYPE_SEC 1
513 #define IPSECDOI_ATTR_SA_LTYPE_KB 2
514 #define IPSECDOI_ATTR_SA_LDUR 2 /* V */
515 #define IPSECDOI_ATTR_SA_LDUR_DEFAULT 28800 /* 8 hours */
516 #define IPSECDOI_ATTR_GRP_DESC 3 /* B */
517 #define IPSECDOI_ATTR_ENC_MODE 4 /* B */
518 /* default value: host dependent */
519 #define IPSECDOI_ATTR_ENC_MODE_TUNNEL 1
520 #define IPSECDOI_ATTR_ENC_MODE_TRNS 2
521 #define IPSECDOI_ATTR_AUTH 5 /* B */
522 /* 0 means not to use authentication. */
523 #define IPSECDOI_ATTR_AUTH_HMAC_MD5 1
524 #define IPSECDOI_ATTR_AUTH_HMAC_SHA1 2
525 #define IPSECDOI_ATTR_AUTH_DES_MAC 3
526 #define IPSECDOI_ATTR_AUTH_KPDK 4 /*RFC-1826(Key/Pad/Data/Key)*/
527 /*
528 * When negotiating ESP without authentication, the Auth
529 * Algorithm attribute MUST NOT be included in the proposal.
530 * When negotiating ESP without confidentiality, the Auth
531 * Algorithm attribute MUST be included in the proposal and
532 * the ESP transform ID must be ESP_NULL.
533 */
534 #define IPSECDOI_ATTR_KEY_LENGTH 6 /* B */
535 #define IPSECDOI_ATTR_KEY_ROUNDS 7 /* B */
536 #define IPSECDOI_ATTR_COMP_DICT_SIZE 8 /* B */
537 #define IPSECDOI_ATTR_COMP_PRIVALG 9 /* V */
538
539 /* 4.6.1 Security Association Payload */
540 struct ipsecdoi_sa {
541 struct isakmp_gen h;
542 uint32_t doi; /* Domain of Interpretation */
543 uint32_t sit; /* Situation */
544 };
545
546 struct ipsecdoi_secrecy_h {
547 uint16_t len;
548 uint16_t reserved;
549 };
550
551 /* 4.6.2.1 Identification Type Values */
552 struct ipsecdoi_id {
553 struct isakmp_gen h;
554 uint8_t type; /* ID Type */
555 uint8_t proto_id; /* Protocol ID */
556 uint16_t port; /* Port */
557 /* Identification Data */
558 };
559
560 #define IPSECDOI_ID_IPV4_ADDR 1
561 #define IPSECDOI_ID_FQDN 2
562 #define IPSECDOI_ID_USER_FQDN 3
563 #define IPSECDOI_ID_IPV4_ADDR_SUBNET 4
564 #define IPSECDOI_ID_IPV6_ADDR 5
565 #define IPSECDOI_ID_IPV6_ADDR_SUBNET 6
566 #define IPSECDOI_ID_IPV4_ADDR_RANGE 7
567 #define IPSECDOI_ID_IPV6_ADDR_RANGE 8
568 #define IPSECDOI_ID_DER_ASN1_DN 9
569 #define IPSECDOI_ID_DER_ASN1_GN 10
570 #define IPSECDOI_ID_KEY_ID 11
571
572 /* 4.6.3 IPSEC DOI Notify Message Types */
573 /* Notify Messages - Status Types */
574 #define IPSECDOI_NTYPE_RESPONDER_LIFETIME 24576
575 #define IPSECDOI_NTYPE_REPLAY_STATUS 24577
576 #define IPSECDOI_NTYPE_INITIAL_CONTACT 24578
577
578 #define DECLARE_PRINTER(func) static const u_char *ike##func##_print( \
579 netdissect_options *ndo, u_char tpay, \
580 const struct isakmp_gen *ext, \
581 u_int item_len, \
582 const u_char *end_pointer, \
583 uint32_t phase,\
584 uint32_t doi0, \
585 uint32_t proto0, int depth)
586
587 DECLARE_PRINTER(v1_sa);
588 DECLARE_PRINTER(v1_p);
589 DECLARE_PRINTER(v1_t);
590 DECLARE_PRINTER(v1_ke);
591 DECLARE_PRINTER(v1_id);
592 DECLARE_PRINTER(v1_cert);
593 DECLARE_PRINTER(v1_cr);
594 DECLARE_PRINTER(v1_sig);
595 DECLARE_PRINTER(v1_hash);
596 DECLARE_PRINTER(v1_nonce);
597 DECLARE_PRINTER(v1_n);
598 DECLARE_PRINTER(v1_d);
599 DECLARE_PRINTER(v1_vid);
600
601 DECLARE_PRINTER(v2_sa);
602 DECLARE_PRINTER(v2_ke);
603 DECLARE_PRINTER(v2_ID);
604 DECLARE_PRINTER(v2_cert);
605 DECLARE_PRINTER(v2_cr);
606 DECLARE_PRINTER(v2_auth);
607 DECLARE_PRINTER(v2_nonce);
608 DECLARE_PRINTER(v2_n);
609 DECLARE_PRINTER(v2_d);
610 DECLARE_PRINTER(v2_vid);
611 DECLARE_PRINTER(v2_TS);
612 DECLARE_PRINTER(v2_cp);
613 DECLARE_PRINTER(v2_eap);
614
615 static const u_char *ikev2_e_print(netdissect_options *ndo,
616 struct isakmp *base,
617 u_char tpay,
618 const struct isakmp_gen *ext,
619 u_int item_len,
620 const u_char *end_pointer,
621 uint32_t phase,
622 uint32_t doi0,
623 uint32_t proto0, int depth);
624
625
626 static const u_char *ike_sub0_print(netdissect_options *ndo,u_char, const struct isakmp_gen *,
627 const u_char *, uint32_t, uint32_t, uint32_t, int);
628 static const u_char *ikev1_sub_print(netdissect_options *ndo,u_char, const struct isakmp_gen *,
629 const u_char *, uint32_t, uint32_t, uint32_t, int);
630
631 static const u_char *ikev2_sub_print(netdissect_options *ndo,
632 struct isakmp *base,
633 u_char np, const struct isakmp_gen *ext,
634 const u_char *ep, uint32_t phase,
635 uint32_t doi, uint32_t proto,
636 int depth);
637
638
639 static char *numstr(int);
640
641 static void
642 ikev1_print(netdissect_options *ndo,
643 const u_char *bp, u_int length,
644 const u_char *bp2, struct isakmp *base);
645
646 #define MAXINITIATORS 20
647 static int ninitiator = 0;
648 union inaddr_u {
649 struct in_addr in4;
650 struct in6_addr in6;
651 };
652 static struct {
653 cookie_t initiator;
654 u_int version;
655 union inaddr_u iaddr;
656 union inaddr_u raddr;
657 } cookiecache[MAXINITIATORS];
658
659 /* protocol id */
660 static const char *protoidstr[] = {
661 NULL, "isakmp", "ipsec-ah", "ipsec-esp", "ipcomp",
662 };
663
664 /* isakmp->np */
665 static const char *npstr[] = {
666 "none", "sa", "p", "t", "ke", "id", "cert", "cr", "hash", /* 0 - 8 */
667 "sig", "nonce", "n", "d", "vid", /* 9 - 13 */
668 "pay14", "pay15", "pay16", "pay17", "pay18", /* 14- 18 */
669 "pay19", "pay20", "pay21", "pay22", "pay23", /* 19- 23 */
670 "pay24", "pay25", "pay26", "pay27", "pay28", /* 24- 28 */
671 "pay29", "pay30", "pay31", "pay32", /* 29- 32 */
672 "v2sa", "v2ke", "v2IDi", "v2IDr", "v2cert",/* 33- 37 */
673 "v2cr", "v2auth","v2nonce", "v2n", "v2d", /* 38- 42 */
674 "v2vid", "v2TSi", "v2TSr", "v2e", "v2cp", /* 43- 47 */
675 "v2eap", /* 48 */
676
677 };
678
679 /* isakmp->np */
680 static const u_char *(*npfunc[])(netdissect_options *ndo, u_char tpay,
681 const struct isakmp_gen *ext,
682 u_int item_len,
683 const u_char *end_pointer,
684 uint32_t phase,
685 uint32_t doi0,
686 uint32_t proto0, int depth) = {
687 NULL,
688 ikev1_sa_print,
689 ikev1_p_print,
690 ikev1_t_print,
691 ikev1_ke_print,
692 ikev1_id_print,
693 ikev1_cert_print,
694 ikev1_cr_print,
695 ikev1_hash_print,
696 ikev1_sig_print,
697 ikev1_nonce_print,
698 ikev1_n_print,
699 ikev1_d_print,
700 ikev1_vid_print, /* 13 */
701 NULL, NULL, NULL, NULL, NULL, /* 14- 18 */
702 NULL, NULL, NULL, NULL, NULL, /* 19- 23 */
703 NULL, NULL, NULL, NULL, NULL, /* 24- 28 */
704 NULL, NULL, NULL, NULL, /* 29- 32 */
705 ikev2_sa_print, /* 33 */
706 ikev2_ke_print, /* 34 */
707 ikev2_ID_print, /* 35 */
708 ikev2_ID_print, /* 36 */
709 ikev2_cert_print, /* 37 */
710 ikev2_cr_print, /* 38 */
711 ikev2_auth_print, /* 39 */
712 ikev2_nonce_print, /* 40 */
713 ikev2_n_print, /* 41 */
714 ikev2_d_print, /* 42 */
715 ikev2_vid_print, /* 43 */
716 ikev2_TS_print, /* 44 */
717 ikev2_TS_print, /* 45 */
718 NULL, /* ikev2_e_print,*/ /* 46 - special */
719 ikev2_cp_print, /* 47 */
720 ikev2_eap_print, /* 48 */
721 };
722
723 /* isakmp->etype */
724 static const char *etypestr[] = {
725 /* IKEv1 exchange types */
726 "none", "base", "ident", "auth", "agg", "inf", NULL, NULL, /* 0-7 */
727 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 8-15 */
728 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 16-23 */
729 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 24-31 */
730 "oakley-quick", "oakley-newgroup", /* 32-33 */
731 /* IKEv2 exchange types */
732 "ikev2_init", "ikev2_auth", "child_sa", "inf2" /* 34-37 */
733 };
734
735 #define STR_OR_ID(x, tab) \
736 (((x) < sizeof(tab)/sizeof(tab[0]) && tab[(x)]) ? tab[(x)] : numstr(x))
737 #define PROTOIDSTR(x) STR_OR_ID(x, protoidstr)
738 #define NPSTR(x) STR_OR_ID(x, npstr)
739 #define ETYPESTR(x) STR_OR_ID(x, etypestr)
740
741 #define CHECKLEN(p, np) \
742 if (ep < (const u_char *)(p)) { \
743 ND_PRINT((ndo," [|%s]", NPSTR(np))); \
744 goto done; \
745 }
746
747
748 #define NPFUNC(x) \
749 (((x) < sizeof(npfunc)/sizeof(npfunc[0]) && npfunc[(x)]) \
750 ? npfunc[(x)] : NULL)
751
752 static int
753 iszero(const u_char *p, size_t l)
754 {
755 while (l--) {
756 if (*p++)
757 return 0;
758 }
759 return 1;
760 }
761
762 /* find cookie from initiator cache */
763 static int
764 cookie_find(cookie_t *in)
765 {
766 int i;
767
768 for (i = 0; i < MAXINITIATORS; i++) {
769 if (memcmp(in, &cookiecache[i].initiator, sizeof(*in)) == 0)
770 return i;
771 }
772
773 return -1;
774 }
775
776 /* record initiator */
777 static void
778 cookie_record(cookie_t *in, const u_char *bp2)
779 {
780 int i;
781 const struct ip *ip;
782 const struct ip6_hdr *ip6;
783
784 i = cookie_find(in);
785 if (0 <= i) {
786 ninitiator = (i + 1) % MAXINITIATORS;
787 return;
788 }
789
790 ip = (const struct ip *)bp2;
791 switch (IP_V(ip)) {
792 case 4:
793 cookiecache[ninitiator].version = 4;
794 UNALIGNED_MEMCPY(&cookiecache[ninitiator].iaddr.in4, &ip->ip_src, sizeof(struct in_addr));
795 UNALIGNED_MEMCPY(&cookiecache[ninitiator].raddr.in4, &ip->ip_dst, sizeof(struct in_addr));
796 break;
797 case 6:
798 ip6 = (const struct ip6_hdr *)bp2;
799 cookiecache[ninitiator].version = 6;
800 UNALIGNED_MEMCPY(&cookiecache[ninitiator].iaddr.in6, &ip6->ip6_src, sizeof(struct in6_addr));
801 UNALIGNED_MEMCPY(&cookiecache[ninitiator].raddr.in6, &ip6->ip6_dst, sizeof(struct in6_addr));
802 break;
803 default:
804 return;
805 }
806 UNALIGNED_MEMCPY(&cookiecache[ninitiator].initiator, in, sizeof(*in));
807 ninitiator = (ninitiator + 1) % MAXINITIATORS;
808 }
809
810 #define cookie_isinitiator(x, y) cookie_sidecheck((x), (y), 1)
811 #define cookie_isresponder(x, y) cookie_sidecheck((x), (y), 0)
812 static int
813 cookie_sidecheck(int i, const u_char *bp2, int initiator)
814 {
815 const struct ip *ip;
816 const struct ip6_hdr *ip6;
817
818 ip = (const struct ip *)bp2;
819 switch (IP_V(ip)) {
820 case 4:
821 if (cookiecache[i].version != 4)
822 return 0;
823 if (initiator) {
824 if (UNALIGNED_MEMCMP(&ip->ip_src, &cookiecache[i].iaddr.in4, sizeof(struct in_addr)) == 0)
825 return 1;
826 } else {
827 if (UNALIGNED_MEMCMP(&ip->ip_src, &cookiecache[i].raddr.in4, sizeof(struct in_addr)) == 0)
828 return 1;
829 }
830 break;
831 case 6:
832 if (cookiecache[i].version != 6)
833 return 0;
834 ip6 = (const struct ip6_hdr *)bp2;
835 if (initiator) {
836 if (UNALIGNED_MEMCMP(&ip6->ip6_src, &cookiecache[i].iaddr.in6, sizeof(struct in6_addr)) == 0)
837 return 1;
838 } else {
839 if (UNALIGNED_MEMCMP(&ip6->ip6_src, &cookiecache[i].raddr.in6, sizeof(struct in6_addr)) == 0)
840 return 1;
841 }
842 break;
843 default:
844 break;
845 }
846
847 return 0;
848 }
849
850 static void
851 hexprint(netdissect_options *ndo, const uint8_t *loc, size_t len)
852 {
853 const uint8_t *p;
854 size_t i;
855
856 p = loc;
857 for (i = 0; i < len; i++)
858 ND_PRINT((ndo,"%02x", p[i] & 0xff));
859 }
860
861 static int
862 rawprint(netdissect_options *ndo, const uint8_t *loc, size_t len)
863 {
864 ND_TCHECK2(*loc, len);
865
866 hexprint(ndo, loc, len);
867 return 1;
868 trunc:
869 return 0;
870 }
871
872
873 /*
874 * returns false if we run out of data buffer
875 */
876 static int ike_show_somedata(netdissect_options *ndo,
877 const u_char *cp, const u_char *ep)
878 {
879 /* there is too much data, just show some of it */
880 const u_char *end = ep - 20;
881 int elen = 20;
882 int len = ep - cp;
883 if(len > 10) {
884 len = 10;
885 }
886
887 /* really shouldn't happen because of above */
888 if(end < cp + len) {
889 end = cp+len;
890 elen = ep - end;
891 }
892
893 ND_PRINT((ndo," data=("));
894 if(!rawprint(ndo, (const uint8_t *)(cp), len)) goto trunc;
895 ND_PRINT((ndo, "..."));
896 if(elen) {
897 if(!rawprint(ndo, (const uint8_t *)(end), elen)) goto trunc;
898 }
899 ND_PRINT((ndo,")"));
900 return 1;
901
902 trunc:
903 return 0;
904 }
905
906 struct attrmap {
907 const char *type;
908 u_int nvalue;
909 const char *value[30]; /*XXX*/
910 };
911
912 static const u_char *
913 ikev1_attrmap_print(netdissect_options *ndo,
914 const u_char *p, const u_char *ep,
915 const struct attrmap *map, size_t nmap)
916 {
917 int totlen;
918 uint32_t t, v;
919
920 if (p[0] & 0x80)
921 totlen = 4;
922 else
923 totlen = 4 + EXTRACT_16BITS(&p[2]);
924 if (ep < p + totlen) {
925 ND_PRINT((ndo,"[|attr]"));
926 return ep + 1;
927 }
928
929 ND_PRINT((ndo,"("));
930 t = EXTRACT_16BITS(&p[0]) & 0x7fff;
931 if (map && t < nmap && map[t].type)
932 ND_PRINT((ndo,"type=%s ", map[t].type));
933 else
934 ND_PRINT((ndo,"type=#%d ", t));
935 if (p[0] & 0x80) {
936 ND_PRINT((ndo,"value="));
937 v = EXTRACT_16BITS(&p[2]);
938 if (map && t < nmap && v < map[t].nvalue && map[t].value[v])
939 ND_PRINT((ndo,"%s", map[t].value[v]));
940 else
941 rawprint(ndo, (const uint8_t *)&p[2], 2);
942 } else {
943 ND_PRINT((ndo,"len=%d value=", EXTRACT_16BITS(&p[2])));
944 rawprint(ndo, (const uint8_t *)&p[4], EXTRACT_16BITS(&p[2]));
945 }
946 ND_PRINT((ndo,")"));
947 return p + totlen;
948 }
949
950 static const u_char *
951 ikev1_attr_print(netdissect_options *ndo, const u_char *p, const u_char *ep)
952 {
953 int totlen;
954 uint32_t t;
955
956 if (p[0] & 0x80)
957 totlen = 4;
958 else
959 totlen = 4 + EXTRACT_16BITS(&p[2]);
960 if (ep < p + totlen) {
961 ND_PRINT((ndo,"[|attr]"));
962 return ep + 1;
963 }
964
965 ND_PRINT((ndo,"("));
966 t = EXTRACT_16BITS(&p[0]) & 0x7fff;
967 ND_PRINT((ndo,"type=#%d ", t));
968 if (p[0] & 0x80) {
969 ND_PRINT((ndo,"value="));
970 t = p[2];
971 rawprint(ndo, (const uint8_t *)&p[2], 2);
972 } else {
973 ND_PRINT((ndo,"len=%d value=", EXTRACT_16BITS(&p[2])));
974 rawprint(ndo, (const uint8_t *)&p[4], EXTRACT_16BITS(&p[2]));
975 }
976 ND_PRINT((ndo,")"));
977 return p + totlen;
978 }
979
980 static const u_char *
981 ikev1_sa_print(netdissect_options *ndo, u_char tpay _U_,
982 const struct isakmp_gen *ext,
983 u_int item_len _U_,
984 const u_char *ep, uint32_t phase, uint32_t doi0 _U_,
985 uint32_t proto0, int depth)
986 {
987 const struct ikev1_pl_sa *p;
988 struct ikev1_pl_sa sa;
989 uint32_t doi, sit, ident;
990 const u_char *cp, *np;
991 int t;
992
993 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_SA)));
994
995 p = (const struct ikev1_pl_sa *)ext;
996 ND_TCHECK(*p);
997 UNALIGNED_MEMCPY(&sa, ext, sizeof(sa));
998 doi = ntohl(sa.doi);
999 sit = ntohl(sa.sit);
1000 if (doi != 1) {
1001 ND_PRINT((ndo," doi=%d", doi));
1002 ND_PRINT((ndo," situation=%u", (uint32_t)ntohl(sa.sit)));
1003 return (const u_char *)(p + 1);
1004 }
1005
1006 ND_PRINT((ndo," doi=ipsec"));
1007 ND_PRINT((ndo," situation="));
1008 t = 0;
1009 if (sit & 0x01) {
1010 ND_PRINT((ndo,"identity"));
1011 t++;
1012 }
1013 if (sit & 0x02) {
1014 ND_PRINT((ndo,"%ssecrecy", t ? "+" : ""));
1015 t++;
1016 }
1017 if (sit & 0x04)
1018 ND_PRINT((ndo,"%sintegrity", t ? "+" : ""));
1019
1020 np = (const u_char *)ext + sizeof(sa);
1021 if (sit != 0x01) {
1022 ND_TCHECK2(*(ext + 1), sizeof(ident));
1023 UNALIGNED_MEMCPY(&ident, ext + 1, sizeof(ident));
1024 ND_PRINT((ndo," ident=%u", (uint32_t)ntohl(ident)));
1025 np += sizeof(ident);
1026 }
1027
1028 ext = (const struct isakmp_gen *)np;
1029 ND_TCHECK(*ext);
1030
1031 cp = ikev1_sub_print(ndo, ISAKMP_NPTYPE_P, ext, ep, phase, doi, proto0,
1032 depth);
1033
1034 return cp;
1035 trunc:
1036 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_SA)));
1037 return NULL;
1038 }
1039
1040 static const u_char *
1041 ikev1_p_print(netdissect_options *ndo, u_char tpay _U_,
1042 const struct isakmp_gen *ext, u_int item_len _U_,
1043 const u_char *ep, uint32_t phase, uint32_t doi0,
1044 uint32_t proto0 _U_, int depth)
1045 {
1046 const struct ikev1_pl_p *p;
1047 struct ikev1_pl_p prop;
1048 const u_char *cp;
1049
1050 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_P)));
1051
1052 p = (const struct ikev1_pl_p *)ext;
1053 ND_TCHECK(*p);
1054 UNALIGNED_MEMCPY(&prop, ext, sizeof(prop));
1055 ND_PRINT((ndo," #%d protoid=%s transform=%d",
1056 prop.p_no, PROTOIDSTR(prop.prot_id), prop.num_t));
1057 if (prop.spi_size) {
1058 ND_PRINT((ndo," spi="));
1059 if (!rawprint(ndo, (const uint8_t *)(p + 1), prop.spi_size))
1060 goto trunc;
1061 }
1062
1063 ext = (const struct isakmp_gen *)((const u_char *)(p + 1) + prop.spi_size);
1064 ND_TCHECK(*ext);
1065
1066 cp = ikev1_sub_print(ndo, ISAKMP_NPTYPE_T, ext, ep, phase, doi0,
1067 prop.prot_id, depth);
1068
1069 return cp;
1070 trunc:
1071 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_P)));
1072 return NULL;
1073 }
1074
1075 static const char *ikev1_p_map[] = {
1076 NULL, "ike",
1077 };
1078
1079 static const char *ikev2_t_type_map[]={
1080 NULL, "encr", "prf", "integ", "dh", "esn"
1081 };
1082
1083 static const char *ah_p_map[] = {
1084 NULL, "(reserved)", "md5", "sha", "1des",
1085 "sha2-256", "sha2-384", "sha2-512",
1086 };
1087
1088 static const char *prf_p_map[] = {
1089 NULL, "hmac-md5", "hmac-sha", "hmac-tiger",
1090 "aes128_xcbc"
1091 };
1092
1093 static const char *integ_p_map[] = {
1094 NULL, "hmac-md5", "hmac-sha", "dec-mac",
1095 "kpdk-md5", "aes-xcbc"
1096 };
1097
1098 static const char *esn_p_map[] = {
1099 "no-esn", "esn"
1100 };
1101
1102 static const char *dh_p_map[] = {
1103 NULL, "modp768",
1104 "modp1024", /* group 2 */
1105 "EC2N 2^155", /* group 3 */
1106 "EC2N 2^185", /* group 4 */
1107 "modp1536", /* group 5 */
1108 "iana-grp06", "iana-grp07", /* reserved */
1109 "iana-grp08", "iana-grp09",
1110 "iana-grp10", "iana-grp11",
1111 "iana-grp12", "iana-grp13",
1112 "modp2048", /* group 14 */
1113 "modp3072", /* group 15 */
1114 "modp4096", /* group 16 */
1115 "modp6144", /* group 17 */
1116 "modp8192", /* group 18 */
1117 };
1118
1119 static const char *esp_p_map[] = {
1120 NULL, "1des-iv64", "1des", "3des", "rc5", "idea", "cast",
1121 "blowfish", "3idea", "1des-iv32", "rc4", "null", "aes"
1122 };
1123
1124 static const char *ipcomp_p_map[] = {
1125 NULL, "oui", "deflate", "lzs",
1126 };
1127
1128 static const struct attrmap ipsec_t_map[] = {
1129 { NULL, 0, { NULL } },
1130 { "lifetype", 3, { NULL, "sec", "kb", }, },
1131 { "life", 0, { NULL } },
1132 { "group desc", 18, { NULL, "modp768",
1133 "modp1024", /* group 2 */
1134 "EC2N 2^155", /* group 3 */
1135 "EC2N 2^185", /* group 4 */
1136 "modp1536", /* group 5 */
1137 "iana-grp06", "iana-grp07", /* reserved */
1138 "iana-grp08", "iana-grp09",
1139 "iana-grp10", "iana-grp11",
1140 "iana-grp12", "iana-grp13",
1141 "modp2048", /* group 14 */
1142 "modp3072", /* group 15 */
1143 "modp4096", /* group 16 */
1144 "modp6144", /* group 17 */
1145 "modp8192", /* group 18 */
1146 }, },
1147 { "enc mode", 3, { NULL, "tunnel", "transport", }, },
1148 { "auth", 5, { NULL, "hmac-md5", "hmac-sha1", "1des-mac", "keyed", }, },
1149 { "keylen", 0, { NULL } },
1150 { "rounds", 0, { NULL } },
1151 { "dictsize", 0, { NULL } },
1152 { "privalg", 0, { NULL } },
1153 };
1154
1155 static const struct attrmap encr_t_map[] = {
1156 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 0, 1 */
1157 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 2, 3 */
1158 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 4, 5 */
1159 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 6, 7 */
1160 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 8, 9 */
1161 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 10,11*/
1162 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 12,13*/
1163 { "keylen", 14, { NULL }},
1164 };
1165
1166 static const struct attrmap oakley_t_map[] = {
1167 { NULL, 0, { NULL } },
1168 { "enc", 8, { NULL, "1des", "idea", "blowfish", "rc5",
1169 "3des", "cast", "aes", }, },
1170 { "hash", 7, { NULL, "md5", "sha1", "tiger",
1171 "sha2-256", "sha2-384", "sha2-512", }, },
1172 { "auth", 6, { NULL, "preshared", "dss", "rsa sig", "rsa enc",
1173 "rsa enc revised", }, },
1174 { "group desc", 18, { NULL, "modp768",
1175 "modp1024", /* group 2 */
1176 "EC2N 2^155", /* group 3 */
1177 "EC2N 2^185", /* group 4 */
1178 "modp1536", /* group 5 */
1179 "iana-grp06", "iana-grp07", /* reserved */
1180 "iana-grp08", "iana-grp09",
1181 "iana-grp10", "iana-grp11",
1182 "iana-grp12", "iana-grp13",
1183 "modp2048", /* group 14 */
1184 "modp3072", /* group 15 */
1185 "modp4096", /* group 16 */
1186 "modp6144", /* group 17 */
1187 "modp8192", /* group 18 */
1188 }, },
1189 { "group type", 4, { NULL, "MODP", "ECP", "EC2N", }, },
1190 { "group prime", 0, { NULL } },
1191 { "group gen1", 0, { NULL } },
1192 { "group gen2", 0, { NULL } },
1193 { "group curve A", 0, { NULL } },
1194 { "group curve B", 0, { NULL } },
1195 { "lifetype", 3, { NULL, "sec", "kb", }, },
1196 { "lifeduration", 0, { NULL } },
1197 { "prf", 0, { NULL } },
1198 { "keylen", 0, { NULL } },
1199 { "field", 0, { NULL } },
1200 { "order", 0, { NULL } },
1201 };
1202
1203 static const u_char *
1204 ikev1_t_print(netdissect_options *ndo, u_char tpay _U_,
1205 const struct isakmp_gen *ext, u_int item_len,
1206 const u_char *ep, uint32_t phase _U_, uint32_t doi _U_,
1207 uint32_t proto, int depth _U_)
1208 {
1209 const struct ikev1_pl_t *p;
1210 struct ikev1_pl_t t;
1211 const u_char *cp;
1212 const char *idstr;
1213 const struct attrmap *map;
1214 size_t nmap;
1215 const u_char *ep2;
1216
1217 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_T)));
1218
1219 p = (const struct ikev1_pl_t *)ext;
1220 ND_TCHECK(*p);
1221 UNALIGNED_MEMCPY(&t, ext, sizeof(t));
1222
1223 switch (proto) {
1224 case 1:
1225 idstr = STR_OR_ID(t.t_id, ikev1_p_map);
1226 map = oakley_t_map;
1227 nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]);
1228 break;
1229 case 2:
1230 idstr = STR_OR_ID(t.t_id, ah_p_map);
1231 map = ipsec_t_map;
1232 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
1233 break;
1234 case 3:
1235 idstr = STR_OR_ID(t.t_id, esp_p_map);
1236 map = ipsec_t_map;
1237 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
1238 break;
1239 case 4:
1240 idstr = STR_OR_ID(t.t_id, ipcomp_p_map);
1241 map = ipsec_t_map;
1242 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
1243 break;
1244 default:
1245 idstr = NULL;
1246 map = NULL;
1247 nmap = 0;
1248 break;
1249 }
1250
1251 if (idstr)
1252 ND_PRINT((ndo," #%d id=%s ", t.t_no, idstr));
1253 else
1254 ND_PRINT((ndo," #%d id=%d ", t.t_no, t.t_id));
1255 cp = (const u_char *)(p + 1);
1256 ep2 = (const u_char *)p + item_len;
1257 while (cp < ep && cp < ep2) {
1258 if (map && nmap) {
1259 cp = ikev1_attrmap_print(ndo, cp, (ep < ep2) ? ep : ep2,
1260 map, nmap);
1261 } else
1262 cp = ikev1_attr_print(ndo, cp, (ep < ep2) ? ep : ep2);
1263 }
1264 if (ep < ep2)
1265 ND_PRINT((ndo,"..."));
1266 return cp;
1267 trunc:
1268 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_T)));
1269 return NULL;
1270 }
1271
1272 static const u_char *
1273 ikev1_ke_print(netdissect_options *ndo, u_char tpay _U_,
1274 const struct isakmp_gen *ext, u_int item_len _U_,
1275 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_,
1276 uint32_t proto _U_, int depth _U_)
1277 {
1278 struct isakmp_gen e;
1279
1280 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_KE)));
1281
1282 ND_TCHECK(*ext);
1283 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1284 ND_PRINT((ndo," key len=%d", ntohs(e.len) - 4));
1285 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1286 ND_PRINT((ndo," "));
1287 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
1288 goto trunc;
1289 }
1290 return (const u_char *)ext + ntohs(e.len);
1291 trunc:
1292 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_KE)));
1293 return NULL;
1294 }
1295
1296 static const u_char *
1297 ikev1_id_print(netdissect_options *ndo, u_char tpay _U_,
1298 const struct isakmp_gen *ext, u_int item_len,
1299 const u_char *ep _U_, uint32_t phase, uint32_t doi _U_,
1300 uint32_t proto _U_, int depth _U_)
1301 {
1302 #define USE_IPSECDOI_IN_PHASE1 1
1303 const struct ikev1_pl_id *p;
1304 struct ikev1_pl_id id;
1305 static const char *idtypestr[] = {
1306 "IPv4", "IPv4net", "IPv6", "IPv6net",
1307 };
1308 static const char *ipsecidtypestr[] = {
1309 NULL, "IPv4", "FQDN", "user FQDN", "IPv4net", "IPv6",
1310 "IPv6net", "IPv4range", "IPv6range", "ASN1 DN", "ASN1 GN",
1311 "keyid",
1312 };
1313 int len;
1314 const u_char *data;
1315
1316 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_ID)));
1317
1318 p = (const struct ikev1_pl_id *)ext;
1319 ND_TCHECK(*p);
1320 UNALIGNED_MEMCPY(&id, ext, sizeof(id));
1321 if (sizeof(*p) < item_len) {
1322 data = (const u_char *)(p + 1);
1323 len = item_len - sizeof(*p);
1324 } else {
1325 data = NULL;
1326 len = 0;
1327 }
1328
1329 #if 0 /*debug*/
1330 ND_PRINT((ndo," [phase=%d doi=%d proto=%d]", phase, doi, proto));
1331 #endif
1332 switch (phase) {
1333 #ifndef USE_IPSECDOI_IN_PHASE1
1334 case 1:
1335 #endif
1336 default:
1337 ND_PRINT((ndo," idtype=%s", STR_OR_ID(id.d.id_type, idtypestr)));
1338 ND_PRINT((ndo," doi_data=%u",
1339 (uint32_t)(ntohl(id.d.doi_data) & 0xffffff)));
1340 break;
1341
1342 #ifdef USE_IPSECDOI_IN_PHASE1
1343 case 1:
1344 #endif
1345 case 2:
1346 {
1347 const struct ipsecdoi_id *doi_p;
1348 struct ipsecdoi_id doi_id;
1349 struct protoent *pe;
1350
1351 doi_p = (const struct ipsecdoi_id *)ext;
1352 ND_TCHECK(*doi_p);
1353 UNALIGNED_MEMCPY(&doi_id, ext, sizeof(doi_id));
1354 ND_PRINT((ndo," idtype=%s", STR_OR_ID(doi_id.type, ipsecidtypestr)));
1355 /* A protocol ID of 0 DOES NOT mean IPPROTO_IP! */
1356 if (!ndo->ndo_nflag && doi_id.proto_id && (pe = getprotobynumber(doi_id.proto_id)) != NULL)
1357 ND_PRINT((ndo," protoid=%s", pe->p_name));
1358 else
1359 ND_PRINT((ndo," protoid=%u", doi_id.proto_id));
1360 ND_PRINT((ndo," port=%d", ntohs(doi_id.port)));
1361 if (!len)
1362 break;
1363 if (data == NULL)
1364 goto trunc;
1365 ND_TCHECK2(*data, len);
1366 switch (doi_id.type) {
1367 case IPSECDOI_ID_IPV4_ADDR:
1368 if (len < 4)
1369 ND_PRINT((ndo," len=%d [bad: < 4]", len));
1370 else
1371 ND_PRINT((ndo," len=%d %s", len, ipaddr_string(ndo, data)));
1372 len = 0;
1373 break;
1374 case IPSECDOI_ID_FQDN:
1375 case IPSECDOI_ID_USER_FQDN:
1376 {
1377 int i;
1378 ND_PRINT((ndo," len=%d ", len));
1379 for (i = 0; i < len; i++)
1380 safeputchar(ndo, data[i]);
1381 len = 0;
1382 break;
1383 }
1384 case IPSECDOI_ID_IPV4_ADDR_SUBNET:
1385 {
1386 const u_char *mask;
1387 if (len < 8)
1388 ND_PRINT((ndo," len=%d [bad: < 8]", len));
1389 else {
1390 mask = data + sizeof(struct in_addr);
1391 ND_PRINT((ndo," len=%d %s/%u.%u.%u.%u", len,
1392 ipaddr_string(ndo, data),
1393 mask[0], mask[1], mask[2], mask[3]));
1394 }
1395 len = 0;
1396 break;
1397 }
1398 case IPSECDOI_ID_IPV6_ADDR:
1399 if (len < 16)
1400 ND_PRINT((ndo," len=%d [bad: < 16]", len));
1401 else
1402 ND_PRINT((ndo," len=%d %s", len, ip6addr_string(ndo, data)));
1403 len = 0;
1404 break;
1405 case IPSECDOI_ID_IPV6_ADDR_SUBNET:
1406 {
1407 const u_char *mask;
1408 if (len < 20)
1409 ND_PRINT((ndo," len=%d [bad: < 20]", len));
1410 else {
1411 mask = (const u_char *)(data + sizeof(struct in6_addr));
1412 /*XXX*/
1413 ND_PRINT((ndo," len=%d %s/0x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x", len,
1414 ip6addr_string(ndo, data),
1415 mask[0], mask[1], mask[2], mask[3],
1416 mask[4], mask[5], mask[6], mask[7],
1417 mask[8], mask[9], mask[10], mask[11],
1418 mask[12], mask[13], mask[14], mask[15]));
1419 }
1420 len = 0;
1421 break;
1422 }
1423 case IPSECDOI_ID_IPV4_ADDR_RANGE:
1424 if (len < 8)
1425 ND_PRINT((ndo," len=%d [bad: < 8]", len));
1426 else {
1427 ND_PRINT((ndo," len=%d %s-%s", len,
1428 ipaddr_string(ndo, data),
1429 ipaddr_string(ndo, data + sizeof(struct in_addr))));
1430 }
1431 len = 0;
1432 break;
1433 case IPSECDOI_ID_IPV6_ADDR_RANGE:
1434 if (len < 32)
1435 ND_PRINT((ndo," len=%d [bad: < 32]", len));
1436 else {
1437 ND_PRINT((ndo," len=%d %s-%s", len,
1438 ip6addr_string(ndo, data),
1439 ip6addr_string(ndo, data + sizeof(struct in6_addr))));
1440 }
1441 len = 0;
1442 break;
1443 case IPSECDOI_ID_DER_ASN1_DN:
1444 case IPSECDOI_ID_DER_ASN1_GN:
1445 case IPSECDOI_ID_KEY_ID:
1446 break;
1447 }
1448 break;
1449 }
1450 }
1451 if (data && len) {
1452 ND_PRINT((ndo," len=%d", len));
1453 if (2 < ndo->ndo_vflag) {
1454 ND_PRINT((ndo," "));
1455 if (!rawprint(ndo, (const uint8_t *)data, len))
1456 goto trunc;
1457 }
1458 }
1459 return (const u_char *)ext + item_len;
1460 trunc:
1461 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_ID)));
1462 return NULL;
1463 }
1464
1465 static const u_char *
1466 ikev1_cert_print(netdissect_options *ndo, u_char tpay _U_,
1467 const struct isakmp_gen *ext, u_int item_len,
1468 const u_char *ep _U_, uint32_t phase _U_,
1469 uint32_t doi0 _U_,
1470 uint32_t proto0 _U_, int depth _U_)
1471 {
1472 const struct ikev1_pl_cert *p;
1473 struct ikev1_pl_cert cert;
1474 static const char *certstr[] = {
1475 "none", "pkcs7", "pgp", "dns",
1476 "x509sign", "x509ke", "kerberos", "crl",
1477 "arl", "spki", "x509attr",
1478 };
1479
1480 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_CERT)));
1481
1482 p = (const struct ikev1_pl_cert *)ext;
1483 ND_TCHECK(*p);
1484 UNALIGNED_MEMCPY(&cert, ext, sizeof(cert));
1485 ND_PRINT((ndo," len=%d", item_len - 4));
1486 ND_PRINT((ndo," type=%s", STR_OR_ID((cert.encode), certstr)));
1487 if (2 < ndo->ndo_vflag && 4 < item_len) {
1488 ND_PRINT((ndo," "));
1489 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1490 goto trunc;
1491 }
1492 return (const u_char *)ext + item_len;
1493 trunc:
1494 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_CERT)));
1495 return NULL;
1496 }
1497
1498 static const u_char *
1499 ikev1_cr_print(netdissect_options *ndo, u_char tpay _U_,
1500 const struct isakmp_gen *ext, u_int item_len,
1501 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi0 _U_,
1502 uint32_t proto0 _U_, int depth _U_)
1503 {
1504 const struct ikev1_pl_cert *p;
1505 struct ikev1_pl_cert cert;
1506 static const char *certstr[] = {
1507 "none", "pkcs7", "pgp", "dns",
1508 "x509sign", "x509ke", "kerberos", "crl",
1509 "arl", "spki", "x509attr",
1510 };
1511
1512 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_CR)));
1513
1514 p = (const struct ikev1_pl_cert *)ext;
1515 ND_TCHECK(*p);
1516 UNALIGNED_MEMCPY(&cert, ext, sizeof(cert));
1517 ND_PRINT((ndo," len=%d", item_len - 4));
1518 ND_PRINT((ndo," type=%s", STR_OR_ID((cert.encode), certstr)));
1519 if (2 < ndo->ndo_vflag && 4 < item_len) {
1520 ND_PRINT((ndo," "));
1521 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1522 goto trunc;
1523 }
1524 return (const u_char *)ext + item_len;
1525 trunc:
1526 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_CR)));
1527 return NULL;
1528 }
1529
1530 static const u_char *
1531 ikev1_hash_print(netdissect_options *ndo, u_char tpay _U_,
1532 const struct isakmp_gen *ext, u_int item_len _U_,
1533 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_,
1534 uint32_t proto _U_, int depth _U_)
1535 {
1536 struct isakmp_gen e;
1537
1538 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_HASH)));
1539
1540 ND_TCHECK(*ext);
1541 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1542 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
1543 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1544 ND_PRINT((ndo," "));
1545 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
1546 goto trunc;
1547 }
1548 return (const u_char *)ext + ntohs(e.len);
1549 trunc:
1550 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_HASH)));
1551 return NULL;
1552 }
1553
1554 static const u_char *
1555 ikev1_sig_print(netdissect_options *ndo, u_char tpay _U_,
1556 const struct isakmp_gen *ext, u_int item_len _U_,
1557 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_,
1558 uint32_t proto _U_, int depth _U_)
1559 {
1560 struct isakmp_gen e;
1561
1562 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_SIG)));
1563
1564 ND_TCHECK(*ext);
1565 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1566 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
1567 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1568 ND_PRINT((ndo," "));
1569 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
1570 goto trunc;
1571 }
1572 return (const u_char *)ext + ntohs(e.len);
1573 trunc:
1574 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_SIG)));
1575 return NULL;
1576 }
1577
1578 static const u_char *
1579 ikev1_nonce_print(netdissect_options *ndo, u_char tpay _U_,
1580 const struct isakmp_gen *ext,
1581 u_int item_len _U_,
1582 const u_char *ep,
1583 uint32_t phase _U_, uint32_t doi _U_,
1584 uint32_t proto _U_, int depth _U_)
1585 {
1586 struct isakmp_gen e;
1587
1588 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_NONCE)));
1589
1590 ND_TCHECK(*ext);
1591 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1592 ND_PRINT((ndo," n len=%d", ntohs(e.len) - 4));
1593 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1594 ND_PRINT((ndo," "));
1595 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
1596 goto trunc;
1597 } else if (1 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1598 ND_PRINT((ndo," "));
1599 if (!ike_show_somedata(ndo, (const u_char *)(const uint8_t *)(ext + 1), ep))
1600 goto trunc;
1601 }
1602 return (const u_char *)ext + ntohs(e.len);
1603 trunc:
1604 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_NONCE)));
1605 return NULL;
1606 }
1607
1608 static const u_char *
1609 ikev1_n_print(netdissect_options *ndo, u_char tpay _U_,
1610 const struct isakmp_gen *ext, u_int item_len,
1611 const u_char *ep, uint32_t phase, uint32_t doi0 _U_,
1612 uint32_t proto0 _U_, int depth)
1613 {
1614 const struct ikev1_pl_n *p;
1615 struct ikev1_pl_n n;
1616 const u_char *cp;
1617 const u_char *ep2;
1618 uint32_t doi;
1619 uint32_t proto;
1620 static const char *notify_error_str[] = {
1621 NULL, "INVALID-PAYLOAD-TYPE",
1622 "DOI-NOT-SUPPORTED", "SITUATION-NOT-SUPPORTED",
1623 "INVALID-COOKIE", "INVALID-MAJOR-VERSION",
1624 "INVALID-MINOR-VERSION", "INVALID-EXCHANGE-TYPE",
1625 "INVALID-FLAGS", "INVALID-MESSAGE-ID",
1626 "INVALID-PROTOCOL-ID", "INVALID-SPI",
1627 "INVALID-TRANSFORM-ID", "ATTRIBUTES-NOT-SUPPORTED",
1628 "NO-PROPOSAL-CHOSEN", "BAD-PROPOSAL-SYNTAX",
1629 "PAYLOAD-MALFORMED", "INVALID-KEY-INFORMATION",
1630 "INVALID-ID-INFORMATION", "INVALID-CERT-ENCODING",
1631 "INVALID-CERTIFICATE", "CERT-TYPE-UNSUPPORTED",
1632 "INVALID-CERT-AUTHORITY", "INVALID-HASH-INFORMATION",
1633 "AUTHENTICATION-FAILED", "INVALID-SIGNATURE",
1634 "ADDRESS-NOTIFICATION", "NOTIFY-SA-LIFETIME",
1635 "CERTIFICATE-UNAVAILABLE", "UNSUPPORTED-EXCHANGE-TYPE",
1636 "UNEQUAL-PAYLOAD-LENGTHS",
1637 };
1638 static const char *ipsec_notify_error_str[] = {
1639 "RESERVED",
1640 };
1641 static const char *notify_status_str[] = {
1642 "CONNECTED",
1643 };
1644 static const char *ipsec_notify_status_str[] = {
1645 "RESPONDER-LIFETIME", "REPLAY-STATUS",
1646 "INITIAL-CONTACT",
1647 };
1648 /* NOTE: these macro must be called with x in proper range */
1649
1650 /* 0 - 8191 */
1651 #define NOTIFY_ERROR_STR(x) \
1652 STR_OR_ID((x), notify_error_str)
1653
1654 /* 8192 - 16383 */
1655 #define IPSEC_NOTIFY_ERROR_STR(x) \
1656 STR_OR_ID((u_int)((x) - 8192), ipsec_notify_error_str)
1657
1658 /* 16384 - 24575 */
1659 #define NOTIFY_STATUS_STR(x) \
1660 STR_OR_ID((u_int)((x) - 16384), notify_status_str)
1661
1662 /* 24576 - 32767 */
1663 #define IPSEC_NOTIFY_STATUS_STR(x) \
1664 STR_OR_ID((u_int)((x) - 24576), ipsec_notify_status_str)
1665
1666 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_N)));
1667
1668 p = (const struct ikev1_pl_n *)ext;
1669 ND_TCHECK(*p);
1670 UNALIGNED_MEMCPY(&n, ext, sizeof(n));
1671 doi = ntohl(n.doi);
1672 proto = n.prot_id;
1673 if (doi != 1) {
1674 ND_PRINT((ndo," doi=%d", doi));
1675 ND_PRINT((ndo," proto=%d", proto));
1676 if (ntohs(n.type) < 8192)
1677 ND_PRINT((ndo," type=%s", NOTIFY_ERROR_STR(ntohs(n.type))));
1678 else if (ntohs(n.type) < 16384)
1679 ND_PRINT((ndo," type=%s", numstr(ntohs(n.type))));
1680 else if (ntohs(n.type) < 24576)
1681 ND_PRINT((ndo," type=%s", NOTIFY_STATUS_STR(ntohs(n.type))));
1682 else
1683 ND_PRINT((ndo," type=%s", numstr(ntohs(n.type))));
1684 if (n.spi_size) {
1685 ND_PRINT((ndo," spi="));
1686 if (!rawprint(ndo, (const uint8_t *)(p + 1), n.spi_size))
1687 goto trunc;
1688 }
1689 return (const u_char *)(p + 1) + n.spi_size;
1690 }
1691
1692 ND_PRINT((ndo," doi=ipsec"));
1693 ND_PRINT((ndo," proto=%s", PROTOIDSTR(proto)));
1694 if (ntohs(n.type) < 8192)
1695 ND_PRINT((ndo," type=%s", NOTIFY_ERROR_STR(ntohs(n.type))));
1696 else if (ntohs(n.type) < 16384)
1697 ND_PRINT((ndo," type=%s", IPSEC_NOTIFY_ERROR_STR(ntohs(n.type))));
1698 else if (ntohs(n.type) < 24576)
1699 ND_PRINT((ndo," type=%s", NOTIFY_STATUS_STR(ntohs(n.type))));
1700 else if (ntohs(n.type) < 32768)
1701 ND_PRINT((ndo," type=%s", IPSEC_NOTIFY_STATUS_STR(ntohs(n.type))));
1702 else
1703 ND_PRINT((ndo," type=%s", numstr(ntohs(n.type))));
1704 if (n.spi_size) {
1705 ND_PRINT((ndo," spi="));
1706 if (!rawprint(ndo, (const uint8_t *)(p + 1), n.spi_size))
1707 goto trunc;
1708 }
1709
1710 cp = (const u_char *)(p + 1) + n.spi_size;
1711 ep2 = (const u_char *)p + item_len;
1712
1713 if (cp < ep) {
1714 ND_PRINT((ndo," orig=("));
1715 switch (ntohs(n.type)) {
1716 case IPSECDOI_NTYPE_RESPONDER_LIFETIME:
1717 {
1718 const struct attrmap *map = oakley_t_map;
1719 size_t nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]);
1720 while (cp < ep && cp < ep2) {
1721 cp = ikev1_attrmap_print(ndo, cp,
1722 (ep < ep2) ? ep : ep2, map, nmap);
1723 }
1724 break;
1725 }
1726 case IPSECDOI_NTYPE_REPLAY_STATUS:
1727 ND_PRINT((ndo,"replay detection %sabled",
1728 EXTRACT_32BITS(cp) ? "en" : "dis"));
1729 break;
1730 case ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN:
1731 if (ikev1_sub_print(ndo, ISAKMP_NPTYPE_SA,
1732 (const struct isakmp_gen *)cp, ep, phase, doi, proto,
1733 depth) == NULL)
1734 return NULL;
1735 break;
1736 default:
1737 /* NULL is dummy */
1738 isakmp_print(ndo, cp,
1739 item_len - sizeof(*p) - n.spi_size,
1740 NULL);
1741 }
1742 ND_PRINT((ndo,")"));
1743 }
1744 return (const u_char *)ext + item_len;
1745 trunc:
1746 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_N)));
1747 return NULL;
1748 }
1749
1750 static const u_char *
1751 ikev1_d_print(netdissect_options *ndo, u_char tpay _U_,
1752 const struct isakmp_gen *ext, u_int item_len _U_,
1753 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi0 _U_,
1754 uint32_t proto0 _U_, int depth _U_)
1755 {
1756 const struct ikev1_pl_d *p;
1757 struct ikev1_pl_d d;
1758 const uint8_t *q;
1759 uint32_t doi;
1760 uint32_t proto;
1761 int i;
1762
1763 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_D)));
1764
1765 p = (const struct ikev1_pl_d *)ext;
1766 ND_TCHECK(*p);
1767 UNALIGNED_MEMCPY(&d, ext, sizeof(d));
1768 doi = ntohl(d.doi);
1769 proto = d.prot_id;
1770 if (doi != 1) {
1771 ND_PRINT((ndo," doi=%u", doi));
1772 ND_PRINT((ndo," proto=%u", proto));
1773 } else {
1774 ND_PRINT((ndo," doi=ipsec"));
1775 ND_PRINT((ndo," proto=%s", PROTOIDSTR(proto)));
1776 }
1777 ND_PRINT((ndo," spilen=%u", d.spi_size));
1778 ND_PRINT((ndo," nspi=%u", ntohs(d.num_spi)));
1779 ND_PRINT((ndo," spi="));
1780 q = (const uint8_t *)(p + 1);
1781 for (i = 0; i < ntohs(d.num_spi); i++) {
1782 if (i != 0)
1783 ND_PRINT((ndo,","));
1784 if (!rawprint(ndo, (const uint8_t *)q, d.spi_size))
1785 goto trunc;
1786 q += d.spi_size;
1787 }
1788 return q;
1789 trunc:
1790 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_D)));
1791 return NULL;
1792 }
1793
1794 static const u_char *
1795 ikev1_vid_print(netdissect_options *ndo, u_char tpay _U_,
1796 const struct isakmp_gen *ext,
1797 u_int item_len _U_, const u_char *ep _U_,
1798 uint32_t phase _U_, uint32_t doi _U_,
1799 uint32_t proto _U_, int depth _U_)
1800 {
1801 struct isakmp_gen e;
1802
1803 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_VID)));
1804
1805 ND_TCHECK(*ext);
1806 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1807 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
1808 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1809 ND_PRINT((ndo," "));
1810 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
1811 goto trunc;
1812 }
1813 return (const u_char *)ext + ntohs(e.len);
1814 trunc:
1815 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_VID)));
1816 return NULL;
1817 }
1818
1819 /************************************************************/
1820 /* */
1821 /* IKE v2 - rfc4306 - dissector */
1822 /* */
1823 /************************************************************/
1824
1825 static void
1826 ikev2_pay_print(netdissect_options *ndo, const char *payname, int critical)
1827 {
1828 ND_PRINT((ndo,"%s%s:", payname, critical&0x80 ? "[C]" : ""));
1829 }
1830
1831 static const u_char *
1832 ikev2_gen_print(netdissect_options *ndo, u_char tpay,
1833 const struct isakmp_gen *ext)
1834 {
1835 struct isakmp_gen e;
1836
1837 ND_TCHECK(*ext);
1838 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1839 ikev2_pay_print(ndo, NPSTR(tpay), e.critical);
1840
1841 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
1842 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1843 ND_PRINT((ndo," "));
1844 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
1845 goto trunc;
1846 }
1847 return (const u_char *)ext + ntohs(e.len);
1848 trunc:
1849 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
1850 return NULL;
1851 }
1852
1853 static const u_char *
1854 ikev2_t_print(netdissect_options *ndo, int tcount,
1855 const struct isakmp_gen *ext, u_int item_len,
1856 const u_char *ep)
1857 {
1858 const struct ikev2_t *p;
1859 struct ikev2_t t;
1860 uint16_t t_id;
1861 const u_char *cp;
1862 const char *idstr;
1863 const struct attrmap *map;
1864 size_t nmap;
1865 const u_char *ep2;
1866
1867 p = (const struct ikev2_t *)ext;
1868 ND_TCHECK(*p);
1869 UNALIGNED_MEMCPY(&t, ext, sizeof(t));
1870 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_T), t.h.critical);
1871
1872 t_id = ntohs(t.t_id);
1873
1874 map = NULL;
1875 nmap = 0;
1876
1877 switch (t.t_type) {
1878 case IV2_T_ENCR:
1879 idstr = STR_OR_ID(t_id, esp_p_map);
1880 map = encr_t_map;
1881 nmap = sizeof(encr_t_map)/sizeof(encr_t_map[0]);
1882 break;
1883
1884 case IV2_T_PRF:
1885 idstr = STR_OR_ID(t_id, prf_p_map);
1886 break;
1887
1888 case IV2_T_INTEG:
1889 idstr = STR_OR_ID(t_id, integ_p_map);
1890 break;
1891
1892 case IV2_T_DH:
1893 idstr = STR_OR_ID(t_id, dh_p_map);
1894 break;
1895
1896 case IV2_T_ESN:
1897 idstr = STR_OR_ID(t_id, esn_p_map);
1898 break;
1899
1900 default:
1901 idstr = NULL;
1902 break;
1903 }
1904
1905 if (idstr)
1906 ND_PRINT((ndo," #%u type=%s id=%s ", tcount,
1907 STR_OR_ID(t.t_type, ikev2_t_type_map),
1908 idstr));
1909 else
1910 ND_PRINT((ndo," #%u type=%s id=%u ", tcount,
1911 STR_OR_ID(t.t_type, ikev2_t_type_map),
1912 t.t_id));
1913 cp = (const u_char *)(p + 1);
1914 ep2 = (const u_char *)p + item_len;
1915 while (cp < ep && cp < ep2) {
1916 if (map && nmap) {
1917 cp = ikev1_attrmap_print(ndo, cp, (ep < ep2) ? ep : ep2,
1918 map, nmap);
1919 } else
1920 cp = ikev1_attr_print(ndo, cp, (ep < ep2) ? ep : ep2);
1921 }
1922 if (ep < ep2)
1923 ND_PRINT((ndo,"..."));
1924 return cp;
1925 trunc:
1926 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_T)));
1927 return NULL;
1928 }
1929
1930 static const u_char *
1931 ikev2_p_print(netdissect_options *ndo, u_char tpay _U_, int pcount _U_,
1932 const struct isakmp_gen *ext, u_int oprop_length,
1933 const u_char *ep, int depth)
1934 {
1935 const struct ikev2_p *p;
1936 struct ikev2_p prop;
1937 u_int prop_length;
1938 const u_char *cp;
1939 int i;
1940 int tcount;
1941 u_char np;
1942 struct isakmp_gen e;
1943 u_int item_len;
1944
1945 p = (const struct ikev2_p *)ext;
1946 ND_TCHECK(*p);
1947 UNALIGNED_MEMCPY(&prop, ext, sizeof(prop));
1948
1949 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_P), prop.h.critical);
1950
1951 /*
1952 * ikev2_sa_print() guarantees that this is >= 4.
1953 */
1954 prop_length = oprop_length - 4;
1955 ND_PRINT((ndo," #%u protoid=%s transform=%d len=%u",
1956 prop.p_no, PROTOIDSTR(prop.prot_id),
1957 prop.num_t, oprop_length));
1958 cp = (const u_char *)(p + 1);
1959
1960 if (prop.spi_size) {
1961 if (prop_length < prop.spi_size)
1962 goto toolong;
1963 ND_PRINT((ndo," spi="));
1964 if (!rawprint(ndo, (const uint8_t *)cp, prop.spi_size))
1965 goto trunc;
1966 cp += prop.spi_size;
1967 prop_length -= prop.spi_size;
1968 }
1969
1970 /*
1971 * Print the transforms.
1972 */
1973 tcount = 0;
1974 for (np = ISAKMP_NPTYPE_T; np != 0; np = e.np) {
1975 tcount++;
1976 ext = (const struct isakmp_gen *)cp;
1977 if (prop_length < sizeof(*ext))
1978 goto toolong;
1979 ND_TCHECK(*ext);
1980
1981 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1982
1983 /*
1984 * Since we can't have a payload length of less than 4 bytes,
1985 * we need to bail out here if the generic header is nonsensical
1986 * or truncated, otherwise we could loop forever processing
1987 * zero-length items or otherwise misdissect the packet.
1988 */
1989 item_len = ntohs(e.len);
1990 if (item_len <= 4)
1991 goto trunc;
1992
1993 if (prop_length < item_len)
1994 goto toolong;
1995 ND_TCHECK2(*cp, item_len);
1996
1997 depth++;
1998 ND_PRINT((ndo,"\n"));
1999 for (i = 0; i < depth; i++)
2000 ND_PRINT((ndo," "));
2001 ND_PRINT((ndo,"("));
2002 if (np == ISAKMP_NPTYPE_T) {
2003 cp = ikev2_t_print(ndo, tcount, ext, item_len, ep);
2004 if (cp == NULL) {
2005 /* error, already reported */
2006 return NULL;
2007 }
2008 } else {
2009 ND_PRINT((ndo, "%s", NPSTR(np)));
2010 cp += item_len;
2011 }
2012 ND_PRINT((ndo,")"));
2013 depth--;
2014 prop_length -= item_len;
2015 }
2016 return cp;
2017 toolong:
2018 /*
2019 * Skip the rest of the proposal.
2020 */
2021 cp += prop_length;
2022 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_P)));
2023 return cp;
2024 trunc:
2025 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_P)));
2026 return NULL;
2027 }
2028
2029 static const u_char *
2030 ikev2_sa_print(netdissect_options *ndo, u_char tpay,
2031 const struct isakmp_gen *ext1,
2032 u_int osa_length, const u_char *ep,
2033 uint32_t phase _U_, uint32_t doi _U_,
2034 uint32_t proto _U_, int depth)
2035 {
2036 const struct isakmp_gen *ext;
2037 struct isakmp_gen e;
2038 u_int sa_length;
2039 const u_char *cp;
2040 int i;
2041 int pcount;
2042 u_char np;
2043 u_int item_len;
2044
2045 ND_TCHECK(*ext1);
2046 UNALIGNED_MEMCPY(&e, ext1, sizeof(e));
2047 ikev2_pay_print(ndo, "sa", e.critical);
2048
2049 /*
2050 * ikev2_sub0_print() guarantees that this is >= 4.
2051 */
2052 osa_length= ntohs(e.len);
2053 sa_length = osa_length - 4;
2054 ND_PRINT((ndo," len=%d", sa_length));
2055
2056 /*
2057 * Print the payloads.
2058 */
2059 cp = (const u_char *)(ext1 + 1);
2060 pcount = 0;
2061 for (np = ISAKMP_NPTYPE_P; np != 0; np = e.np) {
2062 pcount++;
2063 ext = (const struct isakmp_gen *)cp;
2064 if (sa_length < sizeof(*ext))
2065 goto toolong;
2066 ND_TCHECK(*ext);
2067
2068 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2069
2070 /*
2071 * Since we can't have a payload length of less than 4 bytes,
2072 * we need to bail out here if the generic header is nonsensical
2073 * or truncated, otherwise we could loop forever processing
2074 * zero-length items or otherwise misdissect the packet.
2075 */
2076 item_len = ntohs(e.len);
2077 if (item_len <= 4)
2078 goto trunc;
2079
2080 if (sa_length < item_len)
2081 goto toolong;
2082 ND_TCHECK2(*cp, item_len);
2083
2084 depth++;
2085 ND_PRINT((ndo,"\n"));
2086 for (i = 0; i < depth; i++)
2087 ND_PRINT((ndo," "));
2088 ND_PRINT((ndo,"("));
2089 if (np == ISAKMP_NPTYPE_P) {
2090 cp = ikev2_p_print(ndo, np, pcount, ext, item_len,
2091 ep, depth);
2092 if (cp == NULL) {
2093 /* error, already reported */
2094 return NULL;
2095 }
2096 } else {
2097 ND_PRINT((ndo, "%s", NPSTR(np)));
2098 cp += item_len;
2099 }
2100 ND_PRINT((ndo,")"));
2101 depth--;
2102 sa_length -= item_len;
2103 }
2104 return cp;
2105 toolong:
2106 /*
2107 * Skip the rest of the SA.
2108 */
2109 cp += sa_length;
2110 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2111 return cp;
2112 trunc:
2113 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2114 return NULL;
2115 }
2116
2117 static const u_char *
2118 ikev2_ke_print(netdissect_options *ndo, u_char tpay,
2119 const struct isakmp_gen *ext,
2120 u_int item_len _U_, const u_char *ep _U_,
2121 uint32_t phase _U_, uint32_t doi _U_,
2122 uint32_t proto _U_, int depth _U_)
2123 {
2124 struct ikev2_ke ke;
2125 const struct ikev2_ke *k;
2126
2127 k = (const struct ikev2_ke *)ext;
2128 ND_TCHECK(*ext);
2129 UNALIGNED_MEMCPY(&ke, ext, sizeof(ke));
2130 ikev2_pay_print(ndo, NPSTR(tpay), ke.h.critical);
2131
2132 ND_PRINT((ndo," len=%u group=%s", ntohs(ke.h.len) - 8,
2133 STR_OR_ID(ntohs(ke.ke_group), dh_p_map)));
2134
2135 if (2 < ndo->ndo_vflag && 8 < ntohs(ke.h.len)) {
2136 ND_PRINT((ndo," "));
2137 if (!rawprint(ndo, (const uint8_t *)(k + 1), ntohs(ke.h.len) - 8))
2138 goto trunc;
2139 }
2140 return (const u_char *)ext + ntohs(ke.h.len);
2141 trunc:
2142 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2143 return NULL;
2144 }
2145
2146 static const u_char *
2147 ikev2_ID_print(netdissect_options *ndo, u_char tpay,
2148 const struct isakmp_gen *ext,
2149 u_int item_len _U_, const u_char *ep _U_,
2150 uint32_t phase _U_, uint32_t doi _U_,
2151 uint32_t proto _U_, int depth _U_)
2152 {
2153 struct ikev2_id id;
2154 int id_len, idtype_len, i;
2155 unsigned int dumpascii, dumphex;
2156 const unsigned char *typedata;
2157
2158 ND_TCHECK(*ext);
2159 UNALIGNED_MEMCPY(&id, ext, sizeof(id));
2160 ikev2_pay_print(ndo, NPSTR(tpay), id.h.critical);
2161
2162 id_len = ntohs(id.h.len);
2163
2164 ND_PRINT((ndo," len=%d", id_len - 4));
2165 if (2 < ndo->ndo_vflag && 4 < id_len) {
2166 ND_PRINT((ndo," "));
2167 if (!rawprint(ndo, (const uint8_t *)(ext + 1), id_len - 4))
2168 goto trunc;
2169 }
2170
2171 idtype_len =id_len - sizeof(struct ikev2_id);
2172 dumpascii = 0;
2173 dumphex = 0;
2174 typedata = (const unsigned char *)(ext)+sizeof(struct ikev2_id);
2175
2176 switch(id.type) {
2177 case ID_IPV4_ADDR:
2178 ND_PRINT((ndo, " ipv4:"));
2179 dumphex=1;
2180 break;
2181 case ID_FQDN:
2182 ND_PRINT((ndo, " fqdn:"));
2183 dumpascii=1;
2184 break;
2185 case ID_RFC822_ADDR:
2186 ND_PRINT((ndo, " rfc822:"));
2187 dumpascii=1;
2188 break;
2189 case ID_IPV6_ADDR:
2190 ND_PRINT((ndo, " ipv6:"));
2191 dumphex=1;
2192 break;
2193 case ID_DER_ASN1_DN:
2194 ND_PRINT((ndo, " dn:"));
2195 dumphex=1;
2196 break;
2197 case ID_DER_ASN1_GN:
2198 ND_PRINT((ndo, " gn:"));
2199 dumphex=1;
2200 break;
2201 case ID_KEY_ID:
2202 ND_PRINT((ndo, " keyid:"));
2203 dumphex=1;
2204 break;
2205 }
2206
2207 if(dumpascii) {
2208 ND_TCHECK2(*typedata, idtype_len);
2209 for(i=0; i<idtype_len; i++) {
2210 if(ND_ISPRINT(typedata[i])) {
2211 ND_PRINT((ndo, "%c", typedata[i]));
2212 } else {
2213 ND_PRINT((ndo, "."));
2214 }
2215 }
2216 }
2217 if(dumphex) {
2218 if (!rawprint(ndo, (const uint8_t *)typedata, idtype_len))
2219 goto trunc;
2220 }
2221
2222 return (const u_char *)ext + id_len;
2223 trunc:
2224 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2225 return NULL;
2226 }
2227
2228 static const u_char *
2229 ikev2_cert_print(netdissect_options *ndo, u_char tpay,
2230 const struct isakmp_gen *ext,
2231 u_int item_len _U_, const u_char *ep _U_,
2232 uint32_t phase _U_, uint32_t doi _U_,
2233 uint32_t proto _U_, int depth _U_)
2234 {
2235 return ikev2_gen_print(ndo, tpay, ext);
2236 }
2237
2238 static const u_char *
2239 ikev2_cr_print(netdissect_options *ndo, u_char tpay,
2240 const struct isakmp_gen *ext,
2241 u_int item_len _U_, const u_char *ep _U_,
2242 uint32_t phase _U_, uint32_t doi _U_,
2243 uint32_t proto _U_, int depth _U_)
2244 {
2245 return ikev2_gen_print(ndo, tpay, ext);
2246 }
2247
2248 static const u_char *
2249 ikev2_auth_print(netdissect_options *ndo, u_char tpay,
2250 const struct isakmp_gen *ext,
2251 u_int item_len _U_, const u_char *ep,
2252 uint32_t phase _U_, uint32_t doi _U_,
2253 uint32_t proto _U_, int depth _U_)
2254 {
2255 struct ikev2_auth a;
2256 const char *v2_auth[]={ "invalid", "rsasig",
2257 "shared-secret", "dsssig" };
2258 const u_char *authdata = (const u_char*)ext + sizeof(a);
2259 unsigned int len;
2260
2261 ND_TCHECK(*ext);
2262 UNALIGNED_MEMCPY(&a, ext, sizeof(a));
2263 ikev2_pay_print(ndo, NPSTR(tpay), a.h.critical);
2264 len = ntohs(a.h.len);
2265
2266 ND_PRINT((ndo," len=%d method=%s", len-4,
2267 STR_OR_ID(a.auth_method, v2_auth)));
2268
2269 if (1 < ndo->ndo_vflag && 4 < len) {
2270 ND_PRINT((ndo," authdata=("));
2271 if (!rawprint(ndo, (const uint8_t *)authdata, len - sizeof(a)))
2272 goto trunc;
2273 ND_PRINT((ndo,") "));
2274 } else if(ndo->ndo_vflag && 4 < len) {
2275 if(!ike_show_somedata(ndo, authdata, ep)) goto trunc;
2276 }
2277
2278 return (const u_char *)ext + len;
2279 trunc:
2280 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2281 return NULL;
2282 }
2283
2284 static const u_char *
2285 ikev2_nonce_print(netdissect_options *ndo, u_char tpay,
2286 const struct isakmp_gen *ext,
2287 u_int item_len _U_, const u_char *ep,
2288 uint32_t phase _U_, uint32_t doi _U_,
2289 uint32_t proto _U_, int depth _U_)
2290 {
2291 struct isakmp_gen e;
2292
2293 ND_TCHECK(*ext);
2294 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2295 ikev2_pay_print(ndo, "nonce", e.critical);
2296
2297 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
2298 if (1 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
2299 ND_PRINT((ndo," nonce=("));
2300 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
2301 goto trunc;
2302 ND_PRINT((ndo,") "));
2303 } else if(ndo->ndo_vflag && 4 < ntohs(e.len)) {
2304 if(!ike_show_somedata(ndo, (const u_char *)(ext+1), ep)) goto trunc;
2305 }
2306
2307 return (const u_char *)ext + ntohs(e.len);
2308 trunc:
2309 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2310 return NULL;
2311 }
2312
2313 /* notify payloads */
2314 static const u_char *
2315 ikev2_n_print(netdissect_options *ndo, u_char tpay _U_,
2316 const struct isakmp_gen *ext,
2317 u_int item_len, const u_char *ep,
2318 uint32_t phase _U_, uint32_t doi _U_,
2319 uint32_t proto _U_, int depth _U_)
2320 {
2321 const struct ikev2_n *p;
2322 struct ikev2_n n;
2323 const u_char *cp;
2324 u_char showspi, showdata, showsomedata;
2325 const char *notify_name;
2326 uint32_t type;
2327
2328 p = (const struct ikev2_n *)ext;
2329 ND_TCHECK(*p);
2330 UNALIGNED_MEMCPY(&n, ext, sizeof(n));
2331 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_N), n.h.critical);
2332
2333 showspi = 1;
2334 showdata = 0;
2335 showsomedata=0;
2336 notify_name=NULL;
2337
2338 ND_PRINT((ndo," prot_id=%s", PROTOIDSTR(n.prot_id)));
2339
2340 type = ntohs(n.type);
2341
2342 /* notify space is annoying sparse */
2343 switch(type) {
2344 case IV2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD:
2345 notify_name = "unsupported_critical_payload";
2346 showspi = 0;
2347 break;
2348
2349 case IV2_NOTIFY_INVALID_IKE_SPI:
2350 notify_name = "invalid_ike_spi";
2351 showspi = 1;
2352 break;
2353
2354 case IV2_NOTIFY_INVALID_MAJOR_VERSION:
2355 notify_name = "invalid_major_version";
2356 showspi = 0;
2357 break;
2358
2359 case IV2_NOTIFY_INVALID_SYNTAX:
2360 notify_name = "invalid_syntax";
2361 showspi = 1;
2362 break;
2363
2364 case IV2_NOTIFY_INVALID_MESSAGE_ID:
2365 notify_name = "invalid_message_id";
2366 showspi = 1;
2367 break;
2368
2369 case IV2_NOTIFY_INVALID_SPI:
2370 notify_name = "invalid_spi";
2371 showspi = 1;
2372 break;
2373
2374 case IV2_NOTIFY_NO_PROPOSAL_CHOSEN:
2375 notify_name = "no_protocol_chosen";
2376 showspi = 1;
2377 break;
2378
2379 case IV2_NOTIFY_INVALID_KE_PAYLOAD:
2380 notify_name = "invalid_ke_payload";
2381 showspi = 1;
2382 break;
2383
2384 case IV2_NOTIFY_AUTHENTICATION_FAILED:
2385 notify_name = "authentication_failed";
2386 showspi = 1;
2387 break;
2388
2389 case IV2_NOTIFY_SINGLE_PAIR_REQUIRED:
2390 notify_name = "single_pair_required";
2391 showspi = 1;
2392 break;
2393
2394 case IV2_NOTIFY_NO_ADDITIONAL_SAS:
2395 notify_name = "no_additional_sas";
2396 showspi = 0;
2397 break;
2398
2399 case IV2_NOTIFY_INTERNAL_ADDRESS_FAILURE:
2400 notify_name = "internal_address_failure";
2401 showspi = 0;
2402 break;
2403
2404 case IV2_NOTIFY_FAILED_CP_REQUIRED:
2405 notify_name = "failed:cp_required";
2406 showspi = 0;
2407 break;
2408
2409 case IV2_NOTIFY_INVALID_SELECTORS:
2410 notify_name = "invalid_selectors";
2411 showspi = 0;
2412 break;
2413
2414 case IV2_NOTIFY_INITIAL_CONTACT:
2415 notify_name = "initial_contact";
2416 showspi = 0;
2417 break;
2418
2419 case IV2_NOTIFY_SET_WINDOW_SIZE:
2420 notify_name = "set_window_size";
2421 showspi = 0;
2422 break;
2423
2424 case IV2_NOTIFY_ADDITIONAL_TS_POSSIBLE:
2425 notify_name = "additional_ts_possible";
2426 showspi = 0;
2427 break;
2428
2429 case IV2_NOTIFY_IPCOMP_SUPPORTED:
2430 notify_name = "ipcomp_supported";
2431 showspi = 0;
2432 break;
2433
2434 case IV2_NOTIFY_NAT_DETECTION_SOURCE_IP:
2435 notify_name = "nat_detection_source_ip";
2436 showspi = 1;
2437 break;
2438
2439 case IV2_NOTIFY_NAT_DETECTION_DESTINATION_IP:
2440 notify_name = "nat_detection_destination_ip";
2441 showspi = 1;
2442 break;
2443
2444 case IV2_NOTIFY_COOKIE:
2445 notify_name = "cookie";
2446 showspi = 1;
2447 showsomedata= 1;
2448 showdata= 0;
2449 break;
2450
2451 case IV2_NOTIFY_USE_TRANSPORT_MODE:
2452 notify_name = "use_transport_mode";
2453 showspi = 0;
2454 break;
2455
2456 case IV2_NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED:
2457 notify_name = "http_cert_lookup_supported";
2458 showspi = 0;
2459 break;
2460
2461 case IV2_NOTIFY_REKEY_SA:
2462 notify_name = "rekey_sa";
2463 showspi = 1;
2464 break;
2465
2466 case IV2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED:
2467 notify_name = "tfc_padding_not_supported";
2468 showspi = 0;
2469 break;
2470
2471 case IV2_NOTIFY_NON_FIRST_FRAGMENTS_ALSO:
2472 notify_name = "non_first_fragment_also";
2473 showspi = 0;
2474 break;
2475
2476 default:
2477 if (type < 8192) {
2478 notify_name="error";
2479 } else if(type < 16384) {
2480 notify_name="private-error";
2481 } else if(type < 40960) {
2482 notify_name="status";
2483 } else {
2484 notify_name="private-status";
2485 }
2486 }
2487
2488 if(notify_name) {
2489 ND_PRINT((ndo," type=%u(%s)", type, notify_name));
2490 }
2491
2492
2493 if (showspi && n.spi_size) {
2494 ND_PRINT((ndo," spi="));
2495 if (!rawprint(ndo, (const uint8_t *)(p + 1), n.spi_size))
2496 goto trunc;
2497 }
2498
2499 cp = (const u_char *)(p + 1) + n.spi_size;
2500
2501 if(3 < ndo->ndo_vflag) {
2502 showdata = 1;
2503 }
2504
2505 if ((showdata || (showsomedata && ep-cp < 30)) && cp < ep) {
2506 ND_PRINT((ndo," data=("));
2507 if (!rawprint(ndo, (const uint8_t *)(cp), ep - cp))
2508 goto trunc;
2509
2510 ND_PRINT((ndo,")"));
2511
2512 } else if(showsomedata && cp < ep) {
2513 if(!ike_show_somedata(ndo, cp, ep)) goto trunc;
2514 }
2515
2516 return (const u_char *)ext + item_len;
2517 trunc:
2518 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_N)));
2519 return NULL;
2520 }
2521
2522 static const u_char *
2523 ikev2_d_print(netdissect_options *ndo, u_char tpay,
2524 const struct isakmp_gen *ext,
2525 u_int item_len _U_, const u_char *ep _U_,
2526 uint32_t phase _U_, uint32_t doi _U_,
2527 uint32_t proto _U_, int depth _U_)
2528 {
2529 return ikev2_gen_print(ndo, tpay, ext);
2530 }
2531
2532 static const u_char *
2533 ikev2_vid_print(netdissect_options *ndo, u_char tpay,
2534 const struct isakmp_gen *ext,
2535 u_int item_len _U_, const u_char *ep _U_,
2536 uint32_t phase _U_, uint32_t doi _U_,
2537 uint32_t proto _U_, int depth _U_)
2538 {
2539 struct isakmp_gen e;
2540 const u_char *vid;
2541 int i, len;
2542
2543 ND_TCHECK(*ext);
2544 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2545 ikev2_pay_print(ndo, NPSTR(tpay), e.critical);
2546 ND_PRINT((ndo," len=%d vid=", ntohs(e.len) - 4));
2547
2548 vid = (const u_char *)(ext+1);
2549 len = ntohs(e.len) - 4;
2550 ND_TCHECK2(*vid, len);
2551 for(i=0; i<len; i++) {
2552 if(ND_ISPRINT(vid[i])) ND_PRINT((ndo, "%c", vid[i]));
2553 else ND_PRINT((ndo, "."));
2554 }
2555 if (2 < ndo->ndo_vflag && 4 < len) {
2556 ND_PRINT((ndo," "));
2557 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
2558 goto trunc;
2559 }
2560 return (const u_char *)ext + ntohs(e.len);
2561 trunc:
2562 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2563 return NULL;
2564 }
2565
2566 static const u_char *
2567 ikev2_TS_print(netdissect_options *ndo, u_char tpay,
2568 const struct isakmp_gen *ext,
2569 u_int item_len _U_, const u_char *ep _U_,
2570 uint32_t phase _U_, uint32_t doi _U_,
2571 uint32_t proto _U_, int depth _U_)
2572 {
2573 return ikev2_gen_print(ndo, tpay, ext);
2574 }
2575
2576 static const u_char *
2577 ikev2_e_print(netdissect_options *ndo,
2578 #ifndef HAVE_LIBCRYPTO
2579 _U_
2580 #endif
2581 struct isakmp *base,
2582 u_char tpay,
2583 const struct isakmp_gen *ext,
2584 u_int item_len _U_, const u_char *ep _U_,
2585 #ifndef HAVE_LIBCRYPTO
2586 _U_
2587 #endif
2588 uint32_t phase,
2589 #ifndef HAVE_LIBCRYPTO
2590 _U_
2591 #endif
2592 uint32_t doi,
2593 #ifndef HAVE_LIBCRYPTO
2594 _U_
2595 #endif
2596 uint32_t proto,
2597 #ifndef HAVE_LIBCRYPTO
2598 _U_
2599 #endif
2600 int depth)
2601 {
2602 struct isakmp_gen e;
2603 const u_char *dat;
2604 volatile int dlen;
2605
2606 ND_TCHECK(*ext);
2607 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2608 ikev2_pay_print(ndo, NPSTR(tpay), e.critical);
2609
2610 dlen = ntohs(e.len)-4;
2611
2612 ND_PRINT((ndo," len=%d", dlen));
2613 if (2 < ndo->ndo_vflag && 4 < dlen) {
2614 ND_PRINT((ndo," "));
2615 if (!rawprint(ndo, (const uint8_t *)(ext + 1), dlen))
2616 goto trunc;
2617 }
2618
2619 dat = (const u_char *)(ext+1);
2620 ND_TCHECK2(*dat, dlen);
2621
2622 #ifdef HAVE_LIBCRYPTO
2623 /* try to decypt it! */
2624 if(esp_print_decrypt_buffer_by_ikev2(ndo,
2625 base->flags & ISAKMP_FLAG_I,
2626 base->i_ck, base->r_ck,
2627 dat, dat+dlen)) {
2628
2629 ext = (const struct isakmp_gen *)ndo->ndo_packetp;
2630
2631 /* got it decrypted, print stuff inside. */
2632 ikev2_sub_print(ndo, base, e.np, ext, ndo->ndo_snapend,
2633 phase, doi, proto, depth+1);
2634 }
2635 #endif
2636
2637
2638 /* always return NULL, because E must be at end, and NP refers
2639 * to what was inside.
2640 */
2641 return NULL;
2642 trunc:
2643 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2644 return NULL;
2645 }
2646
2647 static const u_char *
2648 ikev2_cp_print(netdissect_options *ndo, u_char tpay,
2649 const struct isakmp_gen *ext,
2650 u_int item_len _U_, const u_char *ep _U_,
2651 uint32_t phase _U_, uint32_t doi _U_,
2652 uint32_t proto _U_, int depth _U_)
2653 {
2654 return ikev2_gen_print(ndo, tpay, ext);
2655 }
2656
2657 static const u_char *
2658 ikev2_eap_print(netdissect_options *ndo, u_char tpay,
2659 const struct isakmp_gen *ext,
2660 u_int item_len _U_, const u_char *ep _U_,
2661 uint32_t phase _U_, uint32_t doi _U_,
2662 uint32_t proto _U_, int depth _U_)
2663 {
2664 return ikev2_gen_print(ndo, tpay, ext);
2665 }
2666
2667 static const u_char *
2668 ike_sub0_print(netdissect_options *ndo,
2669 u_char np, const struct isakmp_gen *ext, const u_char *ep,
2670
2671 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
2672 {
2673 const u_char *cp;
2674 struct isakmp_gen e;
2675 u_int item_len;
2676
2677 cp = (const u_char *)ext;
2678 ND_TCHECK(*ext);
2679 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2680
2681 /*
2682 * Since we can't have a payload length of less than 4 bytes,
2683 * we need to bail out here if the generic header is nonsensical
2684 * or truncated, otherwise we could loop forever processing
2685 * zero-length items or otherwise misdissect the packet.
2686 */
2687 item_len = ntohs(e.len);
2688 if (item_len <= 4)
2689 return NULL;
2690
2691 if (NPFUNC(np)) {
2692 /*
2693 * XXX - what if item_len is too short, or too long,
2694 * for this payload type?
2695 */
2696 cp = (*npfunc[np])(ndo, np, ext, item_len, ep, phase, doi, proto, depth);
2697 } else {
2698 ND_PRINT((ndo,"%s", NPSTR(np)));
2699 cp += item_len;
2700 }
2701
2702 return cp;
2703 trunc:
2704 ND_PRINT((ndo," [|isakmp]"));
2705 return NULL;
2706 }
2707
2708 static const u_char *
2709 ikev1_sub_print(netdissect_options *ndo,
2710 u_char np, const struct isakmp_gen *ext, const u_char *ep,
2711 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
2712 {
2713 const u_char *cp;
2714 int i;
2715 struct isakmp_gen e;
2716
2717 cp = (const u_char *)ext;
2718
2719 while (np) {
2720 ND_TCHECK(*ext);
2721
2722 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2723
2724 ND_TCHECK2(*ext, ntohs(e.len));
2725
2726 depth++;
2727 ND_PRINT((ndo,"\n"));
2728 for (i = 0; i < depth; i++)
2729 ND_PRINT((ndo," "));
2730 ND_PRINT((ndo,"("));
2731 cp = ike_sub0_print(ndo, np, ext, ep, phase, doi, proto, depth);
2732 ND_PRINT((ndo,")"));
2733 depth--;
2734
2735 if (cp == NULL) {
2736 /* Zero-length subitem */
2737 return NULL;
2738 }
2739
2740 np = e.np;
2741 ext = (const struct isakmp_gen *)cp;
2742 }
2743 return cp;
2744 trunc:
2745 ND_PRINT((ndo," [|%s]", NPSTR(np)));
2746 return NULL;
2747 }
2748
2749 static char *
2750 numstr(int x)
2751 {
2752 static char buf[20];
2753 snprintf(buf, sizeof(buf), "#%d", x);
2754 return buf;
2755 }
2756
2757 static void
2758 ikev1_print(netdissect_options *ndo,
2759 const u_char *bp, u_int length,
2760 const u_char *bp2, struct isakmp *base)
2761 {
2762 const struct isakmp *p;
2763 const u_char *ep;
2764 u_char np;
2765 int i;
2766 int phase;
2767
2768 p = (const struct isakmp *)bp;
2769 ep = ndo->ndo_snapend;
2770
2771 phase = (EXTRACT_32BITS(base->msgid) == 0) ? 1 : 2;
2772 if (phase == 1)
2773 ND_PRINT((ndo," phase %d", phase));
2774 else
2775 ND_PRINT((ndo," phase %d/others", phase));
2776
2777 i = cookie_find(&base->i_ck);
2778 if (i < 0) {
2779 if (iszero((const u_char *)&base->r_ck, sizeof(base->r_ck))) {
2780 /* the first packet */
2781 ND_PRINT((ndo," I"));
2782 if (bp2)
2783 cookie_record(&base->i_ck, bp2);
2784 } else
2785 ND_PRINT((ndo," ?"));
2786 } else {
2787 if (bp2 && cookie_isinitiator(i, bp2))
2788 ND_PRINT((ndo," I"));
2789 else if (bp2 && cookie_isresponder(i, bp2))
2790 ND_PRINT((ndo," R"));
2791 else
2792 ND_PRINT((ndo," ?"));
2793 }
2794
2795 ND_PRINT((ndo," %s", ETYPESTR(base->etype)));
2796 if (base->flags) {
2797 ND_PRINT((ndo,"[%s%s]", base->flags & ISAKMP_FLAG_E ? "E" : "",
2798 base->flags & ISAKMP_FLAG_C ? "C" : ""));
2799 }
2800
2801 if (ndo->ndo_vflag) {
2802 const struct isakmp_gen *ext;
2803
2804 ND_PRINT((ndo,":"));
2805
2806 /* regardless of phase... */
2807 if (base->flags & ISAKMP_FLAG_E) {
2808 /*
2809 * encrypted, nothing we can do right now.
2810 * we hope to decrypt the packet in the future...
2811 */
2812 ND_PRINT((ndo," [encrypted %s]", NPSTR(base->np)));
2813 goto done;
2814 }
2815
2816 CHECKLEN(p + 1, base->np);
2817 np = base->np;
2818 ext = (const struct isakmp_gen *)(p + 1);
2819 ikev1_sub_print(ndo, np, ext, ep, phase, 0, 0, 0);
2820 }
2821
2822 done:
2823 if (ndo->ndo_vflag) {
2824 if (ntohl(base->len) != length) {
2825 ND_PRINT((ndo," (len mismatch: isakmp %u/ip %u)",
2826 (uint32_t)ntohl(base->len), length));
2827 }
2828 }
2829 }
2830
2831 static const u_char *
2832 ikev2_sub0_print(netdissect_options *ndo, struct isakmp *base,
2833 u_char np,
2834 const struct isakmp_gen *ext, const u_char *ep,
2835 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
2836 {
2837 const u_char *cp;
2838 struct isakmp_gen e;
2839 u_int item_len;
2840
2841 cp = (const u_char *)ext;
2842 ND_TCHECK(*ext);
2843 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2844
2845 /*
2846 * Since we can't have a payload length of less than 4 bytes,
2847 * we need to bail out here if the generic header is nonsensical
2848 * or truncated, otherwise we could loop forever processing
2849 * zero-length items or otherwise misdissect the packet.
2850 */
2851 item_len = ntohs(e.len);
2852 if (item_len <= 4)
2853 return NULL;
2854
2855 if (np == ISAKMP_NPTYPE_v2E) {
2856 cp = ikev2_e_print(ndo, base, np, ext, item_len,
2857 ep, phase, doi, proto, depth);
2858 } else if (NPFUNC(np)) {
2859 /*
2860 * XXX - what if item_len is too short, or too long,
2861 * for this payload type?
2862 */
2863 cp = (*npfunc[np])(ndo, np, ext, item_len,
2864 ep, phase, doi, proto, depth);
2865 } else {
2866 ND_PRINT((ndo,"%s", NPSTR(np)));
2867 cp += item_len;
2868 }
2869
2870 return cp;
2871 trunc:
2872 ND_PRINT((ndo," [|isakmp]"));
2873 return NULL;
2874 }
2875
2876 static const u_char *
2877 ikev2_sub_print(netdissect_options *ndo,
2878 struct isakmp *base,
2879 u_char np, const struct isakmp_gen *ext, const u_char *ep,
2880 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
2881 {
2882 const u_char *cp;
2883 int i;
2884 struct isakmp_gen e;
2885
2886 cp = (const u_char *)ext;
2887 while (np) {
2888 ND_TCHECK(*ext);
2889
2890 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2891
2892 ND_TCHECK2(*ext, ntohs(e.len));
2893
2894 depth++;
2895 ND_PRINT((ndo,"\n"));
2896 for (i = 0; i < depth; i++)
2897 ND_PRINT((ndo," "));
2898 ND_PRINT((ndo,"("));
2899 cp = ikev2_sub0_print(ndo, base, np,
2900 ext, ep, phase, doi, proto, depth);
2901 ND_PRINT((ndo,")"));
2902 depth--;
2903
2904 if (cp == NULL) {
2905 /* Zero-length subitem */
2906 return NULL;
2907 }
2908
2909 np = e.np;
2910 ext = (const struct isakmp_gen *)cp;
2911 }
2912 return cp;
2913 trunc:
2914 ND_PRINT((ndo," [|%s]", NPSTR(np)));
2915 return NULL;
2916 }
2917
2918 static void
2919 ikev2_print(netdissect_options *ndo,
2920 const u_char *bp, u_int length,
2921 const u_char *bp2 _U_, struct isakmp *base)
2922 {
2923 const struct isakmp *p;
2924 const u_char *ep;
2925 u_char np;
2926 int phase;
2927
2928 p = (const struct isakmp *)bp;
2929 ep = ndo->ndo_snapend;
2930
2931 phase = (EXTRACT_32BITS(base->msgid) == 0) ? 1 : 2;
2932 if (phase == 1)
2933 ND_PRINT((ndo, " parent_sa"));
2934 else
2935 ND_PRINT((ndo, " child_sa "));
2936
2937 ND_PRINT((ndo, " %s", ETYPESTR(base->etype)));
2938 if (base->flags) {
2939 ND_PRINT((ndo, "[%s%s%s]",
2940 base->flags & ISAKMP_FLAG_I ? "I" : "",
2941 base->flags & ISAKMP_FLAG_V ? "V" : "",
2942 base->flags & ISAKMP_FLAG_R ? "R" : ""));
2943 }
2944
2945 if (ndo->ndo_vflag) {
2946 const struct isakmp_gen *ext;
2947
2948 ND_PRINT((ndo, ":"));
2949
2950 /* regardless of phase... */
2951 if (base->flags & ISAKMP_FLAG_E) {
2952 /*
2953 * encrypted, nothing we can do right now.
2954 * we hope to decrypt the packet in the future...
2955 */
2956 ND_PRINT((ndo, " [encrypted %s]", NPSTR(base->np)));
2957 goto done;
2958 }
2959
2960 CHECKLEN(p + 1, base->np)
2961
2962 np = base->np;
2963 ext = (const struct isakmp_gen *)(p + 1);
2964 ikev2_sub_print(ndo, base, np, ext, ep, phase, 0, 0, 0);
2965 }
2966
2967 done:
2968 if (ndo->ndo_vflag) {
2969 if (ntohl(base->len) != length) {
2970 ND_PRINT((ndo, " (len mismatch: isakmp %u/ip %u)",
2971 (uint32_t)ntohl(base->len), length));
2972 }
2973 }
2974 }
2975
2976 void
2977 isakmp_print(netdissect_options *ndo,
2978 const u_char *bp, u_int length,
2979 const u_char *bp2)
2980 {
2981 const struct isakmp *p;
2982 struct isakmp base;
2983 const u_char *ep;
2984 int major, minor;
2985
2986 #ifdef HAVE_LIBCRYPTO
2987 /* initialize SAs */
2988 if (ndo->ndo_sa_list_head == NULL) {
2989 if (ndo->ndo_espsecret)
2990 esp_print_decodesecret(ndo);
2991 }
2992 #endif
2993
2994 p = (const struct isakmp *)bp;
2995 ep = ndo->ndo_snapend;
2996
2997 if ((const struct isakmp *)ep < p + 1) {
2998 ND_PRINT((ndo,"[|isakmp]"));
2999 return;
3000 }
3001
3002 UNALIGNED_MEMCPY(&base, p, sizeof(base));
3003
3004 ND_PRINT((ndo,"isakmp"));
3005 major = (base.vers & ISAKMP_VERS_MAJOR)
3006 >> ISAKMP_VERS_MAJOR_SHIFT;
3007 minor = (base.vers & ISAKMP_VERS_MINOR)
3008 >> ISAKMP_VERS_MINOR_SHIFT;
3009
3010 if (ndo->ndo_vflag) {
3011 ND_PRINT((ndo," %d.%d", major, minor));
3012 }
3013
3014 if (ndo->ndo_vflag) {
3015 ND_PRINT((ndo," msgid "));
3016 hexprint(ndo, (const uint8_t *)&base.msgid, sizeof(base.msgid));
3017 }
3018
3019 if (1 < ndo->ndo_vflag) {
3020 ND_PRINT((ndo," cookie "));
3021 hexprint(ndo, (const uint8_t *)&base.i_ck, sizeof(base.i_ck));
3022 ND_PRINT((ndo,"->"));
3023 hexprint(ndo, (const uint8_t *)&base.r_ck, sizeof(base.r_ck));
3024 }
3025 ND_PRINT((ndo,":"));
3026
3027 switch(major) {
3028 case IKEv1_MAJOR_VERSION:
3029 ikev1_print(ndo, bp, length, bp2, &base);
3030 break;
3031
3032 case IKEv2_MAJOR_VERSION:
3033 ikev2_print(ndo, bp, length, bp2, &base);
3034 break;
3035 }
3036 }
3037
3038 void
3039 isakmp_rfc3948_print(netdissect_options *ndo,
3040 const u_char *bp, u_int length,
3041 const u_char *bp2)
3042 {
3043
3044 if(length == 1 && bp[0]==0xff) {
3045 ND_PRINT((ndo, "isakmp-nat-keep-alive"));
3046 return;
3047 }
3048
3049 if(length < 4) {
3050 goto trunc;
3051 }
3052
3053 /*
3054 * see if this is an IKE packet
3055 */
3056 if(bp[0]==0 && bp[1]==0 && bp[2]==0 && bp[3]==0) {
3057 ND_PRINT((ndo, "NONESP-encap: "));
3058 isakmp_print(ndo, bp+4, length-4, bp2);
3059 return;
3060 }
3061
3062 /* must be an ESP packet */
3063 {
3064 int nh, enh, padlen;
3065 int advance;
3066
3067 ND_PRINT((ndo, "UDP-encap: "));
3068
3069 advance = esp_print(ndo, bp, length, bp2, &enh, &padlen);
3070 if(advance <= 0)
3071 return;
3072
3073 bp += advance;
3074 length -= advance + padlen;
3075 nh = enh & 0xff;
3076
3077 ip_print_inner(ndo, bp, length, nh, bp2);
3078 return;
3079 }
3080
3081 trunc:
3082 ND_PRINT((ndo,"[|isakmp]"));
3083 return;
3084 }
3085
3086 /*
3087 * Local Variables:
3088 * c-style: whitesmith
3089 * c-basic-offset: 8
3090 * End:
3091 */
3092
3093
3094
3095
[mirror] the TCPdump network dissector