]> The Tcpdump Group git mirrors - tcpdump/blob - print-isakmp.c
projects / tcpdump / blob
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
CI: Add warning exemptions for Sun C (suncc-5.14) on Solaris 10
[tcpdump] / print-isakmp.c
1 /*
2 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. Neither the name of the project nor the names of its contributors
14 * may be used to endorse or promote products derived from this software
15 * without specific prior written permission.
16 *
17 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27 * SUCH DAMAGE.
28 *
29 */
30
31 /* \summary: Internet Security Association and Key Management Protocol (ISAKMP) printer */
32
33 /* specification: RFC 2407, RFC 2408, RFC 5996 */
34
35 #include <config.h>
36
37 #include "netdissect-stdinc.h"
38
39 #include <string.h>
40
41 #include "netdissect-ctype.h"
42
43 #include "netdissect.h"
44 #include "addrtoname.h"
45 #include "extract.h"
46
47 #include "ip.h"
48 #include "ip6.h"
49 #include "ipproto.h" /* for netdb_protoname() */
50
51 typedef nd_byte cookie_t[8];
52 typedef nd_byte msgid_t[4];
53
54 #define PORT_ISAKMP 500
55
56 /* 3.1 ISAKMP Header Format (IKEv1 and IKEv2)
57 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
58 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
59 ! Initiator !
60 ! Cookie !
61 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
62 ! Responder !
63 ! Cookie !
64 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
65 ! Next Payload ! MjVer ! MnVer ! Exchange Type ! Flags !
66 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
67 ! Message ID !
68 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
69 ! Length !
70 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
71 */
72 struct isakmp {
73 cookie_t i_ck; /* Initiator Cookie */
74 cookie_t r_ck; /* Responder Cookie */
75 nd_uint8_t np; /* Next Payload Type */
76 nd_uint8_t vers;
77 #define ISAKMP_VERS_MAJOR 0xf0
78 #define ISAKMP_VERS_MAJOR_SHIFT 4
79 #define ISAKMP_VERS_MINOR 0x0f
80 #define ISAKMP_VERS_MINOR_SHIFT 0
81 nd_uint8_t etype; /* Exchange Type */
82 nd_uint8_t flags; /* Flags */
83 msgid_t msgid;
84 nd_uint32_t len; /* Length */
85 };
86
87 /* Next Payload Type */
88 #define ISAKMP_NPTYPE_NONE 0 /* NONE*/
89 #define ISAKMP_NPTYPE_SA 1 /* Security Association */
90 #define ISAKMP_NPTYPE_P 2 /* Proposal */
91 #define ISAKMP_NPTYPE_T 3 /* Transform */
92 #define ISAKMP_NPTYPE_KE 4 /* Key Exchange */
93 #define ISAKMP_NPTYPE_ID 5 /* Identification */
94 #define ISAKMP_NPTYPE_CERT 6 /* Certificate */
95 #define ISAKMP_NPTYPE_CR 7 /* Certificate Request */
96 #define ISAKMP_NPTYPE_HASH 8 /* Hash */
97 #define ISAKMP_NPTYPE_SIG 9 /* Signature */
98 #define ISAKMP_NPTYPE_NONCE 10 /* Nonce */
99 #define ISAKMP_NPTYPE_N 11 /* Notification */
100 #define ISAKMP_NPTYPE_D 12 /* Delete */
101 #define ISAKMP_NPTYPE_VID 13 /* Vendor ID */
102 #define ISAKMP_NPTYPE_v2E 46 /* v2 Encrypted payload */
103
104 #define IKEv1_MAJOR_VERSION 1
105 #define IKEv1_MINOR_VERSION 0
106
107 #define IKEv2_MAJOR_VERSION 2
108 #define IKEv2_MINOR_VERSION 0
109
110 /* Flags */
111 #define ISAKMP_FLAG_E 0x01 /* Encryption Bit */
112 #define ISAKMP_FLAG_C 0x02 /* Commit Bit */
113 #define ISAKMP_FLAG_extra 0x04
114
115 /* IKEv2 */
116 #define ISAKMP_FLAG_I (1 << 3) /* Initiator */
117 #define ISAKMP_FLAG_V (1 << 4) /* Version */
118 #define ISAKMP_FLAG_R (1 << 5) /* Response */
119
120
121 /* 3.2 Payload Generic Header
122 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
123 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
124 ! Next Payload ! RESERVED ! Payload Length !
125 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
126 */
127 struct isakmp_gen {
128 nd_uint8_t np; /* Next Payload */
129 nd_uint8_t critical; /* bit 7 - critical, rest is RESERVED */
130 nd_uint16_t len; /* Payload Length */
131 };
132
133 /* 3.3 Data Attributes
134 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
135 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
136 !A! Attribute Type ! AF=0 Attribute Length !
137 !F! ! AF=1 Attribute Value !
138 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
139 . AF=0 Attribute Value .
140 . AF=1 Not Transmitted .
141 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
142 */
143 struct isakmp_data {
144 nd_uint16_t type; /* defined by DOI-spec, and Attribute Format */
145 nd_uint16_t lorv; /* if f equal 1, Attribute Length */
146 /* if f equal 0, Attribute Value */
147 /* if f equal 1, Attribute Value */
148 };
149
150 /* 3.4 Security Association Payload */
151 /* MAY NOT be used, because of being defined in ipsec-doi. */
152 /*
153 If the current payload is the last in the message,
154 then the value of the next payload field will be 0.
155 This field MUST NOT contain the
156 values for the Proposal or Transform payloads as they are considered
157 part of the security association negotiation. For example, this
158 field would contain the value "10" (Nonce payload) in the first
159 message of a Base Exchange (see Section 4.4) and the value "0" in the
160 first message of an Identity Protect Exchange (see Section 4.5).
161 */
162 struct ikev1_pl_sa {
163 struct isakmp_gen h;
164 nd_uint32_t doi; /* Domain of Interpretation */
165 nd_uint32_t sit; /* Situation */
166 };
167
168 /* 3.5 Proposal Payload */
169 /*
170 The value of the next payload field MUST only contain the value "2"
171 or "0". If there are additional Proposal payloads in the message,
172 then this field will be 2. If the current Proposal payload is the
173 last within the security association proposal, then this field will
174 be 0.
175 */
176 struct ikev1_pl_p {
177 struct isakmp_gen h;
178 nd_uint8_t p_no; /* Proposal # */
179 nd_uint8_t prot_id; /* Protocol */
180 nd_uint8_t spi_size; /* SPI Size */
181 nd_uint8_t num_t; /* Number of Transforms */
182 /* SPI */
183 };
184
185 /* 3.6 Transform Payload */
186 /*
187 The value of the next payload field MUST only contain the value "3"
188 or "0". If there are additional Transform payloads in the proposal,
189 then this field will be 3. If the current Transform payload is the
190 last within the proposal, then this field will be 0.
191 */
192 struct ikev1_pl_t {
193 struct isakmp_gen h;
194 nd_uint8_t t_no; /* Transform # */
195 nd_uint8_t t_id; /* Transform-Id */
196 nd_byte reserved[2]; /* RESERVED2 */
197 /* SA Attributes */
198 };
199
200 /* 3.7 Key Exchange Payload */
201 struct ikev1_pl_ke {
202 struct isakmp_gen h;
203 /* Key Exchange Data */
204 };
205
206 /* 3.8 Identification Payload */
207 /* MUST NOT to be used, because of being defined in ipsec-doi. */
208 struct ikev1_pl_id {
209 struct isakmp_gen h;
210 union {
211 nd_uint8_t id_type; /* ID Type */
212 nd_uint32_t doi_data; /* DOI Specific ID Data */
213 } d;
214 /* Identification Data */
215 };
216
217 /* 3.9 Certificate Payload */
218 struct ikev1_pl_cert {
219 struct isakmp_gen h;
220 nd_uint8_t encode; /* Cert Encoding */
221 nd_uint8_t cert; /* Certificate Data */
222 /*
223 This field indicates the type of
224 certificate or certificate-related information contained in the
225 Certificate Data field.
226 */
227 };
228
229 /* 3.10 Certificate Request Payload */
230 struct ikev1_pl_cr {
231 struct isakmp_gen h;
232 nd_uint8_t num_cert; /* # Cert. Types */
233 /*
234 Certificate Types (variable length)
235 -- Contains a list of the types of certificates requested,
236 sorted in order of preference. Each individual certificate
237 type is 1 octet. This field is NOT required.
238 */
239 /* # Certificate Authorities (1 octet) */
240 /* Certificate Authorities (variable length) */
241 };
242
243 /* 3.11 Hash Payload */
244 /* may not be used, because of having only data. */
245 struct ikev1_pl_hash {
246 struct isakmp_gen h;
247 /* Hash Data */
248 };
249
250 /* 3.12 Signature Payload */
251 /* may not be used, because of having only data. */
252 struct ikev1_pl_sig {
253 struct isakmp_gen h;
254 /* Signature Data */
255 };
256
257 /* 3.13 Nonce Payload */
258 /* may not be used, because of having only data. */
259 struct ikev1_pl_nonce {
260 struct isakmp_gen h;
261 /* Nonce Data */
262 };
263
264 /* 3.14 Notification Payload */
265 struct ikev1_pl_n {
266 struct isakmp_gen h;
267 nd_uint32_t doi; /* Domain of Interpretation */
268 nd_uint8_t prot_id; /* Protocol-ID */
269 nd_uint8_t spi_size; /* SPI Size */
270 nd_uint16_t type; /* Notify Message Type */
271 /* SPI */
272 /* Notification Data */
273 };
274
275 /* 3.14.1 Notify Message Types */
276 /* NOTIFY MESSAGES - ERROR TYPES */
277 #define ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE 1
278 #define ISAKMP_NTYPE_DOI_NOT_SUPPORTED 2
279 #define ISAKMP_NTYPE_SITUATION_NOT_SUPPORTED 3
280 #define ISAKMP_NTYPE_INVALID_COOKIE 4
281 #define ISAKMP_NTYPE_INVALID_MAJOR_VERSION 5
282 #define ISAKMP_NTYPE_INVALID_MINOR_VERSION 6
283 #define ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE 7
284 #define ISAKMP_NTYPE_INVALID_FLAGS 8
285 #define ISAKMP_NTYPE_INVALID_MESSAGE_ID 9
286 #define ISAKMP_NTYPE_INVALID_PROTOCOL_ID 10
287 #define ISAKMP_NTYPE_INVALID_SPI 11
288 #define ISAKMP_NTYPE_INVALID_TRANSFORM_ID 12
289 #define ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED 13
290 #define ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN 14
291 #define ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX 15
292 #define ISAKMP_NTYPE_PAYLOAD_MALFORMED 16
293 #define ISAKMP_NTYPE_INVALID_KEY_INFORMATION 17
294 #define ISAKMP_NTYPE_INVALID_ID_INFORMATION 18
295 #define ISAKMP_NTYPE_INVALID_CERT_ENCODING 19
296 #define ISAKMP_NTYPE_INVALID_CERTIFICATE 20
297 #define ISAKMP_NTYPE_BAD_CERT_REQUEST_SYNTAX 21
298 #define ISAKMP_NTYPE_INVALID_CERT_AUTHORITY 22
299 #define ISAKMP_NTYPE_INVALID_HASH_INFORMATION 23
300 #define ISAKMP_NTYPE_AUTHENTICATION_FAILED 24
301 #define ISAKMP_NTYPE_INVALID_SIGNATURE 25
302 #define ISAKMP_NTYPE_ADDRESS_NOTIFICATION 26
303
304 /* 3.15 Delete Payload */
305 struct ikev1_pl_d {
306 struct isakmp_gen h;
307 nd_uint32_t doi; /* Domain of Interpretation */
308 nd_uint8_t prot_id; /* Protocol-Id */
309 nd_uint8_t spi_size; /* SPI Size */
310 nd_uint16_t num_spi; /* # of SPIs */
311 /* SPI(es) */
312 };
313
314 /* IKEv2 (RFC4306) */
315
316 /* 3.3 Security Association Payload -- generic header */
317 /* 3.3.1. Proposal Substructure */
318 struct ikev2_p {
319 struct isakmp_gen h;
320 nd_uint8_t p_no; /* Proposal # */
321 nd_uint8_t prot_id; /* Protocol */
322 nd_uint8_t spi_size; /* SPI Size */
323 nd_uint8_t num_t; /* Number of Transforms */
324 };
325
326 /* 3.3.2. Transform Substructure */
327 struct ikev2_t {
328 struct isakmp_gen h;
329 nd_uint8_t t_type; /* Transform Type (ENCR,PRF,INTEG,etc.*/
330 nd_byte res2; /* reserved byte */
331 nd_uint16_t t_id; /* Transform ID */
332 };
333
334 enum ikev2_t_type {
335 IV2_T_ENCR = 1,
336 IV2_T_PRF = 2,
337 IV2_T_INTEG= 3,
338 IV2_T_DH = 4,
339 IV2_T_ESN = 5
340 };
341
342 /* 3.4. Key Exchange Payload */
343 struct ikev2_ke {
344 struct isakmp_gen h;
345 nd_uint16_t ke_group;
346 nd_uint16_t ke_res1;
347 /* KE data */
348 };
349
350
351 /* 3.5. Identification Payloads */
352 enum ikev2_id_type {
353 ID_IPV4_ADDR=1,
354 ID_FQDN=2,
355 ID_RFC822_ADDR=3,
356 ID_IPV6_ADDR=5,
357 ID_DER_ASN1_DN=9,
358 ID_DER_ASN1_GN=10,
359 ID_KEY_ID=11
360 };
361 struct ikev2_id {
362 struct isakmp_gen h;
363 nd_uint8_t type; /* ID type */
364 nd_byte res1;
365 nd_byte res2[2];
366 /* SPI */
367 /* Notification Data */
368 };
369
370 /* 3.10 Notification Payload */
371 struct ikev2_n {
372 struct isakmp_gen h;
373 nd_uint8_t prot_id; /* Protocol-ID */
374 nd_uint8_t spi_size; /* SPI Size */
375 nd_uint16_t type; /* Notify Message Type */
376 };
377
378 enum ikev2_n_type {
379 IV2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD = 1, /* [RFC7296] */
380 IV2_NOTIFY_INVALID_IKE_SPI = 4, /* [RFC7296] */
381 IV2_NOTIFY_INVALID_MAJOR_VERSION = 5, /* [RFC7296] */
382 IV2_NOTIFY_INVALID_SYNTAX = 7, /* [RFC7296] */
383 IV2_NOTIFY_INVALID_MESSAGE_ID = 9, /* [RFC7296] */
384 IV2_NOTIFY_INVALID_SPI =11, /* [RFC7296] */
385 IV2_NOTIFY_NO_PROPOSAL_CHOSEN =14, /* [RFC7296] */
386 IV2_NOTIFY_INVALID_KE_PAYLOAD =17, /* [RFC7296] */
387 IV2_NOTIFY_AUTHENTICATION_FAILED =24, /* [RFC7296] */
388 IV2_NOTIFY_SINGLE_PAIR_REQUIRED =34, /* [RFC7296] */
389 IV2_NOTIFY_NO_ADDITIONAL_SAS =35, /* [RFC7296] */
390 IV2_NOTIFY_INTERNAL_ADDRESS_FAILURE =36, /* [RFC7296] */
391 IV2_NOTIFY_FAILED_CP_REQUIRED =37, /* [RFC7296] */
392 IV2_NOTIFY_TS_UNACCEPTABLE =38, /* [RFC7296] */
393 IV2_NOTIFY_INVALID_SELECTORS =39, /* [RFC7296] */
394 IV2_NOTIFY_UNACCEPTABLE_ADDRESSES =40, /* [RFC4555] */
395 IV2_NOTIFY_UNEXPECTED_NAT_DETECTED =41, /* [RFC4555] */
396 IV2_NOTIFY_USE_ASSIGNED_HOA =42, /* [RFC5026] */
397 IV2_NOTIFY_TEMPORARY_FAILURE =43, /* [RFC7296] */
398 IV2_NOTIFY_CHILD_SA_NOT_FOUND =44, /* [RFC7296] */
399 IV2_NOTIFY_INVALID_GROUP_ID =45, /* [draft-yeung-g-ikev2] */
400 IV2_NOTIFY_AUTHORIZATION_FAILED =46, /* [draft-yeung-g-ikev2] */
401 IV2_NOTIFY_STATE_NOT_FOUND =47, /* [RFC-ietf-ipsecme-ikev2-multiple-ke-12] */
402 IV2_NOTIFY_INITIAL_CONTACT =16384, /* [RFC7296] */
403 IV2_NOTIFY_SET_WINDOW_SIZE =16385, /* [RFC7296] */
404 IV2_NOTIFY_ADDITIONAL_TS_POSSIBLE =16386, /* [RFC7296] */
405 IV2_NOTIFY_IPCOMP_SUPPORTED =16387, /* [RFC7296] */
406 IV2_NOTIFY_NAT_DETECTION_SOURCE_IP =16388, /* [RFC7296] */
407 IV2_NOTIFY_NAT_DETECTION_DESTINATION_IP =16389, /* [RFC7296] */
408 IV2_NOTIFY_COOKIE =16390, /* [RFC7296] */
409 IV2_NOTIFY_USE_TRANSPORT_MODE =16391, /* [RFC7296] */
410 IV2_NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED =16392, /* [RFC7296] */
411 IV2_NOTIFY_REKEY_SA =16393, /* [RFC7296] */
412 IV2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED =16394, /* [RFC7296] */
413 IV2_NOTIFY_NON_FIRST_FRAGMENTS_ALSO =16395, /* [RFC7296] */
414 IV2_NOTIFY_MOBIKE_SUPPORTED =16396, /* [RFC4555] */
415 IV2_NOTIFY_ADDITIONAL_IP4_ADDRESS =16397, /* [RFC4555] */
416 IV2_NOTIFY_ADDITIONAL_IP6_ADDRESS =16398, /* [RFC4555] */
417 IV2_NOTIFY_NO_ADDITIONAL_ADDRESSES =16399, /* [RFC4555] */
418 IV2_NOTIFY_UPDATE_SA_ADDRESSES =16400, /* [RFC4555] */
419 IV2_NOTIFY_COOKIE2 =16401, /* [RFC4555] */
420 IV2_NOTIFY_NO_NATS_ALLOWED =16402, /* [RFC4555] */
421 IV2_NOTIFY_AUTH_LIFETIME =16403, /* [RFC4478] */
422 IV2_NOTIFY_MULTIPLE_AUTH_SUPPORTED =16404, /* [RFC4739] */
423 IV2_NOTIFY_ANOTHER_AUTH_FOLLOWS =16405, /* [RFC4739] */
424 IV2_NOTIFY_REDIRECT_SUPPORTED =16406, /* [RFC5685] */
425 IV2_NOTIFY_REDIRECT =16407, /* [RFC5685] */
426 IV2_NOTIFY_REDIRECTED_FROM =16408, /* [RFC5685] */
427 IV2_NOTIFY_TICKET_LT_OPAQUE =16409, /* [RFC5723] */
428 IV2_NOTIFY_TICKET_REQUEST =16410, /* [RFC5723] */
429 IV2_NOTIFY_TICKET_ACK =16411, /* [RFC5723] */
430 IV2_NOTIFY_TICKET_NACK =16412, /* [RFC5723] */
431 IV2_NOTIFY_TICKET_OPAQUE =16413, /* [RFC5723] */
432 IV2_NOTIFY_LINK_ID =16414, /* [RFC5739] */
433 IV2_NOTIFY_USE_WESP_MODE =16415, /* [RFC5840] */
434 IV2_NOTIFY_ROHC_SUPPORTED =16416, /* [RFC5857] */
435 IV2_NOTIFY_EAP_ONLY_AUTHENTICATION =16417, /* [RFC5998] */
436 IV2_NOTIFY_CHILDLESS_IKEV2_SUPPORTED =16418, /* [RFC6023] */
437 IV2_NOTIFY_QUICK_CRASH_DETECTION =16419, /* [RFC6290] */
438 IV2_NOTIFY_IKEV2_MESSAGE_ID_SYNC_SUPPORTED =16420, /* [RFC6311] */
439 IV2_NOTIFY_IPSEC_REPLAY_COUNTER_SYNC_SUPPORTED =16421, /* [RFC6311] */
440 IV2_NOTIFY_IKEV2_MESSAGE_ID_SYNC =16422, /* [RFC6311] */
441 IV2_NOTIFY_IPSEC_REPLAY_COUNTER_SYNC =16423, /* [RFC6311] */
442 IV2_NOTIFY_SECURE_PASSWORD_METHODS =16424, /* [RFC6467] */
443 IV2_NOTIFY_PSK_PERSIST =16425, /* [RFC6631] */
444 IV2_NOTIFY_PSK_CONFIRM =16426, /* [RFC6631] */
445 IV2_NOTIFY_ERX_SUPPORTED =16427, /* [RFC6867] */
446 IV2_NOTIFY_IFOM_CAPABILITY =16428, /* [Frederic_Firmin][3GPP TS 24.303 v10.6.0 annex B.2] */
447 IV2_NOTIFY_SENDER_REQUEST_ID =16429, /* [draft-yeung-g-ikev2] */
448 IV2_NOTIFY_IKEV2_FRAGMENTATION_SUPPORTED =16430, /* [RFC7383] */
449 IV2_NOTIFY_SIGNATURE_HASH_ALGORITHMS =16431, /* [RFC7427] */
450 IV2_NOTIFY_CLONE_IKE_SA_SUPPORTED =16432, /* [RFC7791] */
451 IV2_NOTIFY_CLONE_IKE_SA =16433, /* [RFC7791] */
452 IV2_NOTIFY_PUZZLE =16434, /* [RFC8019] */
453 IV2_NOTIFY_USE_PPK =16435, /* [RFC8784] */
454 IV2_NOTIFY_PPK_IDENTITY =16436, /* [RFC8784] */
455 IV2_NOTIFY_NO_PPK_AUTH =16437, /* [RFC8784] */
456 IV2_NOTIFY_INTERMEDIATE_EXCHANGE_SUPPORTED =16438, /* [RFC9242] */
457 IV2_NOTIFY_IP4_ALLOWED =16439, /* [RFC8983] */
458 IV2_NOTIFY_IP6_ALLOWED =16440, /* [RFC8983] */
459 IV2_NOTIFY_ADDITIONAL_KEY_EXCHANGE =16441, /* [RFC-ietf-ipsecme-ikev2-multiple-ke-12] */
460 IV2_NOTIFY_USE_AGGFRAG =16442 /* [RFC9347] */
461 };
462
463 struct notify_messages {
464 uint16_t type;
465 char *msg;
466 };
467
468 /* 3.8 Authentication Payload */
469 struct ikev2_auth {
470 struct isakmp_gen h;
471 nd_uint8_t auth_method; /* Protocol-ID */
472 nd_byte reserved[3];
473 /* authentication data */
474 };
475
476 enum ikev2_auth_type {
477 IV2_RSA_SIG = 1,
478 IV2_SHARED = 2,
479 IV2_DSS_SIG = 3
480 };
481
482 /* refer to RFC 2409 */
483
484 #if 0
485 /* isakmp sa structure */
486 struct oakley_sa {
487 uint8_t proto_id; /* OAKLEY */
488 vchar_t *spi; /* spi */
489 uint8_t dhgrp; /* DH; group */
490 uint8_t auth_t; /* method of authentication */
491 uint8_t prf_t; /* type of prf */
492 uint8_t hash_t; /* type of hash */
493 uint8_t enc_t; /* type of cipher */
494 uint8_t life_t; /* type of duration of lifetime */
495 uint32_t ldur; /* life duration */
496 };
497 #endif
498
499 /* refer to RFC 2407 */
500
501 #define IPSEC_DOI 1
502
503 /* 4.2 IPSEC Situation Definition */
504 #define IPSECDOI_SIT_IDENTITY_ONLY 0x00000001
505 #define IPSECDOI_SIT_SECRECY 0x00000002
506 #define IPSECDOI_SIT_INTEGRITY 0x00000004
507
508 /* 4.4.1 IPSEC Security Protocol Identifiers */
509 /* 4.4.2 IPSEC ISAKMP Transform Values */
510 #define IPSECDOI_PROTO_ISAKMP 1
511 #define IPSECDOI_KEY_IKE 1
512
513 /* 4.4.1 IPSEC Security Protocol Identifiers */
514 #define IPSECDOI_PROTO_IPSEC_AH 2
515 /* 4.4.3 IPSEC AH Transform Values */
516 #define IPSECDOI_AH_MD5 2
517 #define IPSECDOI_AH_SHA 3
518 #define IPSECDOI_AH_DES 4
519 #define IPSECDOI_AH_SHA2_256 5
520 #define IPSECDOI_AH_SHA2_384 6
521 #define IPSECDOI_AH_SHA2_512 7
522
523 /* 4.4.1 IPSEC Security Protocol Identifiers */
524 #define IPSECDOI_PROTO_IPSEC_ESP 3
525 /* 4.4.4 IPSEC ESP Transform Identifiers */
526 #define IPSECDOI_ESP_DES_IV64 1
527 #define IPSECDOI_ESP_DES 2
528 #define IPSECDOI_ESP_3DES 3
529 #define IPSECDOI_ESP_RC5 4
530 #define IPSECDOI_ESP_IDEA 5
531 #define IPSECDOI_ESP_CAST 6
532 #define IPSECDOI_ESP_BLOWFISH 7
533 #define IPSECDOI_ESP_3IDEA 8
534 #define IPSECDOI_ESP_DES_IV32 9
535 #define IPSECDOI_ESP_RC4 10
536 #define IPSECDOI_ESP_NULL 11
537 #define IPSECDOI_ESP_RIJNDAEL 12
538 #define IPSECDOI_ESP_AES 12
539
540 /* 4.4.1 IPSEC Security Protocol Identifiers */
541 #define IPSECDOI_PROTO_IPCOMP 4
542 /* 4.4.5 IPSEC IPCOMP Transform Identifiers */
543 #define IPSECDOI_IPCOMP_OUI 1
544 #define IPSECDOI_IPCOMP_DEFLATE 2
545 #define IPSECDOI_IPCOMP_LZS 3
546
547 /* 4.5 IPSEC Security Association Attributes */
548 #define IPSECDOI_ATTR_SA_LTYPE 1 /* B */
549 #define IPSECDOI_ATTR_SA_LTYPE_DEFAULT 1
550 #define IPSECDOI_ATTR_SA_LTYPE_SEC 1
551 #define IPSECDOI_ATTR_SA_LTYPE_KB 2
552 #define IPSECDOI_ATTR_SA_LDUR 2 /* V */
553 #define IPSECDOI_ATTR_SA_LDUR_DEFAULT 28800 /* 8 hours */
554 #define IPSECDOI_ATTR_GRP_DESC 3 /* B */
555 #define IPSECDOI_ATTR_ENC_MODE 4 /* B */
556 /* default value: host dependent */
557 #define IPSECDOI_ATTR_ENC_MODE_TUNNEL 1
558 #define IPSECDOI_ATTR_ENC_MODE_TRNS 2
559 #define IPSECDOI_ATTR_AUTH 5 /* B */
560 /* 0 means not to use authentication. */
561 #define IPSECDOI_ATTR_AUTH_HMAC_MD5 1
562 #define IPSECDOI_ATTR_AUTH_HMAC_SHA1 2
563 #define IPSECDOI_ATTR_AUTH_DES_MAC 3
564 #define IPSECDOI_ATTR_AUTH_KPDK 4 /*RFC-1826(Key/Pad/Data/Key)*/
565 /*
566 * When negotiating ESP without authentication, the Auth
567 * Algorithm attribute MUST NOT be included in the proposal.
568 * When negotiating ESP without confidentiality, the Auth
569 * Algorithm attribute MUST be included in the proposal and
570 * the ESP transform ID must be ESP_NULL.
571 */
572 #define IPSECDOI_ATTR_KEY_LENGTH 6 /* B */
573 #define IPSECDOI_ATTR_KEY_ROUNDS 7 /* B */
574 #define IPSECDOI_ATTR_COMP_DICT_SIZE 8 /* B */
575 #define IPSECDOI_ATTR_COMP_PRIVALG 9 /* V */
576
577 /* 4.6.1 Security Association Payload */
578 struct ipsecdoi_sa {
579 struct isakmp_gen h;
580 nd_uint32_t doi; /* Domain of Interpretation */
581 nd_uint32_t sit; /* Situation */
582 };
583
584 struct ipsecdoi_secrecy_h {
585 nd_uint16_t len;
586 nd_uint16_t reserved;
587 };
588
589 /* 4.6.2.1 Identification Type Values */
590 struct ipsecdoi_id {
591 struct isakmp_gen h;
592 nd_uint8_t type; /* ID Type */
593 nd_uint8_t proto_id; /* Protocol ID */
594 nd_uint16_t port; /* Port */
595 /* Identification Data */
596 };
597
598 #define IPSECDOI_ID_IPV4_ADDR 1
599 #define IPSECDOI_ID_FQDN 2
600 #define IPSECDOI_ID_USER_FQDN 3
601 #define IPSECDOI_ID_IPV4_ADDR_SUBNET 4
602 #define IPSECDOI_ID_IPV6_ADDR 5
603 #define IPSECDOI_ID_IPV6_ADDR_SUBNET 6
604 #define IPSECDOI_ID_IPV4_ADDR_RANGE 7
605 #define IPSECDOI_ID_IPV6_ADDR_RANGE 8
606 #define IPSECDOI_ID_DER_ASN1_DN 9
607 #define IPSECDOI_ID_DER_ASN1_GN 10
608 #define IPSECDOI_ID_KEY_ID 11
609
610 /* 4.6.3 IPSEC DOI Notify Message Types */
611 /* Notify Messages - Status Types */
612 #define IPSECDOI_NTYPE_RESPONDER_LIFETIME 24576
613 #define IPSECDOI_NTYPE_REPLAY_STATUS 24577
614 #define IPSECDOI_NTYPE_INITIAL_CONTACT 24578
615
616 #define DECLARE_PRINTER(func) static const u_char *ike##func##_print( \
617 netdissect_options *ndo, u_char tpay, \
618 const struct isakmp_gen *ext, \
619 u_int item_len, \
620 const u_char *end_pointer, \
621 uint32_t phase,\
622 uint32_t doi0, \
623 uint32_t proto0, int depth)
624
625 DECLARE_PRINTER(v1_sa);
626 DECLARE_PRINTER(v1_p);
627 DECLARE_PRINTER(v1_t);
628 DECLARE_PRINTER(v1_ke);
629 DECLARE_PRINTER(v1_id);
630 DECLARE_PRINTER(v1_cert);
631 DECLARE_PRINTER(v1_cr);
632 DECLARE_PRINTER(v1_sig);
633 DECLARE_PRINTER(v1_hash);
634 DECLARE_PRINTER(v1_nonce);
635 DECLARE_PRINTER(v1_n);
636 DECLARE_PRINTER(v1_d);
637 DECLARE_PRINTER(v1_vid);
638
639 DECLARE_PRINTER(v2_sa);
640 DECLARE_PRINTER(v2_ke);
641 DECLARE_PRINTER(v2_ID);
642 DECLARE_PRINTER(v2_cert);
643 DECLARE_PRINTER(v2_cr);
644 DECLARE_PRINTER(v2_auth);
645 DECLARE_PRINTER(v2_nonce);
646 DECLARE_PRINTER(v2_n);
647 DECLARE_PRINTER(v2_d);
648 DECLARE_PRINTER(v2_vid);
649 DECLARE_PRINTER(v2_TS);
650 DECLARE_PRINTER(v2_cp);
651 DECLARE_PRINTER(v2_eap);
652
653 static const u_char *ikev2_e_print(netdissect_options *ndo,
654 const struct isakmp *base,
655 u_char tpay,
656 const struct isakmp_gen *ext,
657 u_int item_len,
658 const u_char *end_pointer,
659 uint32_t phase,
660 uint32_t doi0,
661 uint32_t proto0, int depth);
662
663
664 static const u_char *ike_sub0_print(netdissect_options *ndo,u_char, const struct isakmp_gen *,
665 const u_char *, uint32_t, uint32_t, uint32_t, int);
666 static const u_char *ikev1_sub_print(netdissect_options *ndo,u_char, const struct isakmp_gen *,
667 const u_char *, uint32_t, uint32_t, uint32_t, int);
668
669 static const u_char *ikev2_sub_print(netdissect_options *ndo,
670 const struct isakmp *base,
671 u_char np, const struct isakmp_gen *ext,
672 const u_char *ep, uint32_t phase,
673 uint32_t doi, uint32_t proto,
674 int depth);
675
676
677 static char *numstr(u_int);
678
679 static void
680 ikev1_print(netdissect_options *ndo,
681 const u_char *bp, u_int length,
682 const u_char *bp2, const struct isakmp *base);
683
684 #define MAXINITIATORS 20
685 static int ninitiator = 0;
686 union inaddr_u {
687 nd_ipv4 in4;
688 nd_ipv6 in6;
689 };
690 static struct {
691 cookie_t initiator;
692 u_int version;
693 union inaddr_u iaddr;
694 union inaddr_u raddr;
695 } cookiecache[MAXINITIATORS];
696
697 /* protocol id */
698 static const char *protoidstr[] = {
699 NULL, "isakmp", "ipsec-ah", "ipsec-esp", "ipcomp",
700 };
701
702 /* isakmp->np */
703 static const char *npstr[] = {
704 "none", "sa", "p", "t", "ke", "id", "cert", "cr", "hash", /* 0 - 8 */
705 "sig", "nonce", "n", "d", "vid", /* 9 - 13 */
706 "pay14", "pay15", "pay16", "pay17", "pay18", /* 14- 18 */
707 "pay19", "pay20", "pay21", "pay22", "pay23", /* 19- 23 */
708 "pay24", "pay25", "pay26", "pay27", "pay28", /* 24- 28 */
709 "pay29", "pay30", "pay31", "pay32", /* 29- 32 */
710 "v2sa", "v2ke", "v2IDi", "v2IDr", "v2cert",/* 33- 37 */
711 "v2cr", "v2auth","v2nonce", "v2n", "v2d", /* 38- 42 */
712 "v2vid", "v2TSi", "v2TSr", "v2e", "v2cp", /* 43- 47 */
713 "v2eap", /* 48 */
714
715 };
716
717 /* isakmp->np */
718 static const u_char *(*npfunc[])(netdissect_options *ndo, u_char tpay,
719 const struct isakmp_gen *ext,
720 u_int item_len,
721 const u_char *end_pointer,
722 uint32_t phase,
723 uint32_t doi0,
724 uint32_t proto0, int depth) = {
725 NULL,
726 ikev1_sa_print,
727 ikev1_p_print,
728 ikev1_t_print,
729 ikev1_ke_print,
730 ikev1_id_print,
731 ikev1_cert_print,
732 ikev1_cr_print,
733 ikev1_hash_print,
734 ikev1_sig_print,
735 ikev1_nonce_print,
736 ikev1_n_print,
737 ikev1_d_print,
738 ikev1_vid_print, /* 13 */
739 NULL, NULL, NULL, NULL, NULL, /* 14- 18 */
740 NULL, NULL, NULL, NULL, NULL, /* 19- 23 */
741 NULL, NULL, NULL, NULL, NULL, /* 24- 28 */
742 NULL, NULL, NULL, NULL, /* 29- 32 */
743 ikev2_sa_print, /* 33 */
744 ikev2_ke_print, /* 34 */
745 ikev2_ID_print, /* 35 */
746 ikev2_ID_print, /* 36 */
747 ikev2_cert_print, /* 37 */
748 ikev2_cr_print, /* 38 */
749 ikev2_auth_print, /* 39 */
750 ikev2_nonce_print, /* 40 */
751 ikev2_n_print, /* 41 */
752 ikev2_d_print, /* 42 */
753 ikev2_vid_print, /* 43 */
754 ikev2_TS_print, /* 44 */
755 ikev2_TS_print, /* 45 */
756 NULL, /* ikev2_e_print,*/ /* 46 - special */
757 ikev2_cp_print, /* 47 */
758 ikev2_eap_print, /* 48 */
759 };
760
761 /* isakmp->etype */
762 static const char *etypestr[] = {
763 /* IKEv1 exchange types */
764 "none", "base", "ident", "auth", "agg", "inf", NULL, NULL, /* 0-7 */
765 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 8-15 */
766 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 16-23 */
767 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 24-31 */
768 "oakley-quick", "oakley-newgroup", /* 32-33 */
769 /* IKEv2 exchange types */
770 "ikev2_init", "ikev2_auth", "child_sa", "inf2" /* 34-37 */
771 };
772
773 #define STR_OR_ID(x, tab) \
774 (((x) < sizeof(tab)/sizeof(tab[0]) && tab[(x)]) ? tab[(x)] : numstr(x))
775 #define PROTOIDSTR(x) STR_OR_ID(x, protoidstr)
776 #define NPSTR(x) STR_OR_ID(x, npstr)
777 #define ETYPESTR(x) STR_OR_ID(x, etypestr)
778
779 #define CHECKLEN(p, np) \
780 if (ep < (const u_char *)(p)) { \
781 ND_PRINT(" [|%s]", NPSTR(np)); \
782 goto done; \
783 }
784
785
786 #define NPFUNC(x) \
787 (((x) < sizeof(npfunc)/sizeof(npfunc[0]) && npfunc[(x)]) \
788 ? npfunc[(x)] : NULL)
789
790 static int
791 iszero(netdissect_options *ndo, const u_char *p, size_t l)
792 {
793 while (l != 0) {
794 if (GET_U_1(p))
795 return 0;
796 p++;
797 l--;
798 }
799 return 1;
800 }
801
802 /* find cookie from initiator cache */
803 static int
804 cookie_find(const cookie_t *in)
805 {
806 int i;
807
808 for (i = 0; i < MAXINITIATORS; i++) {
809 if (memcmp(in, &cookiecache[i].initiator, sizeof(*in)) == 0)
810 return i;
811 }
812
813 return -1;
814 }
815
816 /* record initiator */
817 static void
818 cookie_record(netdissect_options *ndo, const cookie_t *in, const u_char *bp2)
819 {
820 int i;
821 const struct ip *ip;
822 const struct ip6_hdr *ip6;
823
824 i = cookie_find(in);
825 if (0 <= i) {
826 ninitiator = (i + 1) % MAXINITIATORS;
827 return;
828 }
829
830 ip = (const struct ip *)bp2;
831 switch (IP_V(ip)) {
832 case 4:
833 cookiecache[ninitiator].version = 4;
834 UNALIGNED_MEMCPY(&cookiecache[ninitiator].iaddr.in4,
835 ip->ip_src, sizeof(nd_ipv4));
836 UNALIGNED_MEMCPY(&cookiecache[ninitiator].raddr.in4,
837 ip->ip_dst, sizeof(nd_ipv4));
838 break;
839 case 6:
840 ip6 = (const struct ip6_hdr *)bp2;
841 cookiecache[ninitiator].version = 6;
842 UNALIGNED_MEMCPY(&cookiecache[ninitiator].iaddr.in6,
843 ip6->ip6_src, sizeof(nd_ipv6));
844 UNALIGNED_MEMCPY(&cookiecache[ninitiator].raddr.in6,
845 ip6->ip6_dst, sizeof(nd_ipv6));
846 break;
847 default:
848 return;
849 }
850 UNALIGNED_MEMCPY(&cookiecache[ninitiator].initiator, in, sizeof(*in));
851 ninitiator = (ninitiator + 1) % MAXINITIATORS;
852 }
853
854 #define cookie_isinitiator(ndo, x, y) cookie_sidecheck(ndo, (x), (y), 1)
855 #define cookie_isresponder(ndo, x, y) cookie_sidecheck(ndo, (x), (y), 0)
856 static int
857 cookie_sidecheck(netdissect_options *ndo, int i, const u_char *bp2, int initiator)
858 {
859 const struct ip *ip;
860 const struct ip6_hdr *ip6;
861
862 ip = (const struct ip *)bp2;
863 switch (IP_V(ip)) {
864 case 4:
865 if (cookiecache[i].version != 4)
866 return 0;
867 if (initiator) {
868 if (UNALIGNED_MEMCMP(ip->ip_src, &cookiecache[i].iaddr.in4, sizeof(nd_ipv4)) == 0)
869 return 1;
870 } else {
871 if (UNALIGNED_MEMCMP(ip->ip_src, &cookiecache[i].raddr.in4, sizeof(nd_ipv4)) == 0)
872 return 1;
873 }
874 break;
875 case 6:
876 if (cookiecache[i].version != 6)
877 return 0;
878 ip6 = (const struct ip6_hdr *)bp2;
879 if (initiator) {
880 if (UNALIGNED_MEMCMP(ip6->ip6_src, &cookiecache[i].iaddr.in6, sizeof(nd_ipv6)) == 0)
881 return 1;
882 } else {
883 if (UNALIGNED_MEMCMP(ip6->ip6_src, &cookiecache[i].raddr.in6, sizeof(nd_ipv6)) == 0)
884 return 1;
885 }
886 break;
887 default:
888 break;
889 }
890
891 return 0;
892 }
893
894 static void
895 hexprint(netdissect_options *ndo, const uint8_t *loc, size_t len)
896 {
897 const uint8_t *p;
898 size_t i;
899
900 p = loc;
901 for (i = 0; i < len; i++)
902 ND_PRINT("%02x", p[i] & 0xff);
903 }
904
905 static int
906 rawprint(netdissect_options *ndo, const uint8_t *loc, size_t len)
907 {
908 ND_TCHECK_LEN(loc, len);
909
910 hexprint(ndo, loc, len);
911 return 1;
912 trunc:
913 return 0;
914 }
915
916
917 /*
918 * returns false if we run out of data buffer
919 */
920 static int ike_show_somedata(netdissect_options *ndo,
921 const u_char *cp, const u_char *ep)
922 {
923 /* there is too much data, just show some of it */
924 const u_char *end = ep - 20;
925 size_t elen = 20;
926 size_t len = ep - cp;
927 if(len > 10) {
928 len = 10;
929 }
930
931 /* really shouldn't happen because of above */
932 if(end < cp + len) {
933 end = cp+len;
934 elen = ep - end;
935 }
936
937 ND_PRINT(" data=(");
938 if(!rawprint(ndo, (const uint8_t *)(cp), len)) goto trunc;
939 ND_PRINT("...");
940 if(elen) {
941 if(!rawprint(ndo, (const uint8_t *)(end), elen)) goto trunc;
942 }
943 ND_PRINT(")");
944 return 1;
945
946 trunc:
947 return 0;
948 }
949
950 struct attrmap {
951 const char *type;
952 u_int nvalue;
953 const char *value[30]; /*XXX*/
954 };
955
956 static const u_char *
957 ikev1_attrmap_print(netdissect_options *ndo,
958 const u_char *p, const u_char *ep2,
959 const struct attrmap *map, size_t nmap)
960 {
961 u_int totlen;
962 uint32_t t, v;
963
964 if (GET_U_1(p) & 0x80)
965 totlen = 4;
966 else {
967 totlen = 4 + GET_BE_U_2(p + 2);
968 }
969 if (ep2 < p + totlen) {
970 ND_PRINT("[|attr]");
971 return ep2 + 1;
972 }
973
974 ND_PRINT("(");
975 t = GET_BE_U_2(p) & 0x7fff;
976 if (map && t < nmap && map[t].type)
977 ND_PRINT("type=%s ", map[t].type);
978 else
979 ND_PRINT("type=#%u ", t);
980 if (GET_U_1(p) & 0x80) {
981 ND_PRINT("value=");
982 v = GET_BE_U_2(p + 2);
983 if (map && t < nmap && v < map[t].nvalue && map[t].value[v])
984 ND_PRINT("%s", map[t].value[v]);
985 else {
986 if (!rawprint(ndo, (const uint8_t *)(p + 2), 2)) {
987 ND_PRINT(")");
988 goto trunc;
989 }
990 }
991 } else {
992 ND_PRINT("len=%u value=", totlen - 4);
993 if (!rawprint(ndo, (const uint8_t *)(p + 4), totlen - 4)) {
994 ND_PRINT(")");
995 goto trunc;
996 }
997 }
998 ND_PRINT(")");
999 return p + totlen;
1000
1001 trunc:
1002 return NULL;
1003 }
1004
1005 static const u_char *
1006 ikev1_attr_print(netdissect_options *ndo, const u_char *p, const u_char *ep2)
1007 {
1008 u_int totlen;
1009 uint32_t t;
1010
1011 if (GET_U_1(p) & 0x80)
1012 totlen = 4;
1013 else {
1014 totlen = 4 + GET_BE_U_2(p + 2);
1015 }
1016 if (ep2 < p + totlen) {
1017 ND_PRINT("[|attr]");
1018 return ep2 + 1;
1019 }
1020
1021 ND_PRINT("(");
1022 t = GET_BE_U_2(p) & 0x7fff;
1023 ND_PRINT("type=#%u ", t);
1024 if (GET_U_1(p) & 0x80) {
1025 ND_PRINT("value=");
1026 t = GET_U_1(p + 2);
1027 if (!rawprint(ndo, (const uint8_t *)(p + 2), 2)) {
1028 ND_PRINT(")");
1029 goto trunc;
1030 }
1031 } else {
1032 ND_PRINT("len=%u value=", totlen - 4);
1033 if (!rawprint(ndo, (const uint8_t *)(p + 4), totlen - 4)) {
1034 ND_PRINT(")");
1035 goto trunc;
1036 }
1037 }
1038 ND_PRINT(")");
1039 return p + totlen;
1040
1041 trunc:
1042 return NULL;
1043 }
1044
1045 static const u_char *
1046 ikev1_sa_print(netdissect_options *ndo, u_char tpay _U_,
1047 const struct isakmp_gen *ext,
1048 u_int item_len _U_,
1049 const u_char *ep, uint32_t phase, uint32_t doi0 _U_,
1050 uint32_t proto0, int depth)
1051 {
1052 const struct ikev1_pl_sa *p;
1053 uint32_t doi, sit, ident;
1054 const u_char *cp, *np;
1055 int t;
1056
1057 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_SA));
1058
1059 p = (const struct ikev1_pl_sa *)ext;
1060 ND_TCHECK_SIZE(p);
1061 doi = GET_BE_U_4(p->doi);
1062 sit = GET_BE_U_4(p->sit);
1063 if (doi != 1) {
1064 ND_PRINT(" doi=%u", doi);
1065 ND_PRINT(" situation=%u", sit);
1066 return (const u_char *)(p + 1);
1067 }
1068
1069 ND_PRINT(" doi=ipsec");
1070 ND_PRINT(" situation=");
1071 t = 0;
1072 if (sit & 0x01) {
1073 ND_PRINT("identity");
1074 t++;
1075 }
1076 if (sit & 0x02) {
1077 ND_PRINT("%ssecrecy", t ? "+" : "");
1078 t++;
1079 }
1080 if (sit & 0x04)
1081 ND_PRINT("%sintegrity", t ? "+" : "");
1082
1083 np = (const u_char *)ext + sizeof(struct ikev1_pl_sa);
1084 if (sit != 0x01) {
1085 ident = GET_BE_U_4(ext + 1);
1086 ND_PRINT(" ident=%u", ident);
1087 np += sizeof(ident);
1088 }
1089
1090 ext = (const struct isakmp_gen *)np;
1091 ND_TCHECK_SIZE(ext);
1092
1093 cp = ikev1_sub_print(ndo, ISAKMP_NPTYPE_P, ext, ep, phase, doi, proto0,
1094 depth);
1095
1096 return cp;
1097 trunc:
1098 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_SA));
1099 return NULL;
1100 }
1101
1102 static const u_char *
1103 ikev1_p_print(netdissect_options *ndo, u_char tpay _U_,
1104 const struct isakmp_gen *ext, u_int item_len _U_,
1105 const u_char *ep, uint32_t phase, uint32_t doi0,
1106 uint32_t proto0 _U_, int depth)
1107 {
1108 const struct ikev1_pl_p *p;
1109 const u_char *cp;
1110 uint8_t spi_size;
1111
1112 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_P));
1113
1114 p = (const struct ikev1_pl_p *)ext;
1115 ND_TCHECK_SIZE(p);
1116 ND_PRINT(" #%u protoid=%s transform=%u",
1117 GET_U_1(p->p_no), PROTOIDSTR(GET_U_1(p->prot_id)),
1118 GET_U_1(p->num_t));
1119 spi_size = GET_U_1(p->spi_size);
1120 if (spi_size) {
1121 ND_PRINT(" spi=");
1122 if (!rawprint(ndo, (const uint8_t *)(p + 1), spi_size))
1123 goto trunc;
1124 }
1125
1126 ext = (const struct isakmp_gen *)((const u_char *)(p + 1) + spi_size);
1127 ND_TCHECK_SIZE(ext);
1128
1129 cp = ikev1_sub_print(ndo, ISAKMP_NPTYPE_T, ext, ep, phase, doi0,
1130 GET_U_1(p->prot_id), depth);
1131
1132 return cp;
1133 trunc:
1134 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_P));
1135 return NULL;
1136 }
1137
1138 static const char *ikev1_p_map[] = {
1139 NULL, "ike",
1140 };
1141
1142 static const char *ikev2_t_type_map[]={
1143 NULL, "encr", "prf", "integ", "dh", "esn"
1144 };
1145
1146 static const char *ah_p_map[] = {
1147 NULL, "(reserved)", "md5", "sha", "1des",
1148 "sha2-256", "sha2-384", "sha2-512",
1149 };
1150
1151 static const char *prf_p_map[] = {
1152 NULL, "hmac-md5", "hmac-sha", "hmac-tiger",
1153 "aes128_xcbc"
1154 };
1155
1156 static const char *integ_p_map[] = {
1157 NULL, "hmac-md5", "hmac-sha", "dec-mac",
1158 "kpdk-md5", "aes-xcbc"
1159 };
1160
1161 static const char *esn_p_map[] = {
1162 "no-esn", "esn"
1163 };
1164
1165 static const char *dh_p_map[] = {
1166 NULL, "modp768",
1167 "modp1024", /* group 2 */
1168 "EC2N 2^155", /* group 3 */
1169 "EC2N 2^185", /* group 4 */
1170 "modp1536", /* group 5 */
1171 "iana-grp06", "iana-grp07", /* reserved */
1172 "iana-grp08", "iana-grp09",
1173 "iana-grp10", "iana-grp11",
1174 "iana-grp12", "iana-grp13",
1175 "modp2048", /* group 14 */
1176 "modp3072", /* group 15 */
1177 "modp4096", /* group 16 */
1178 "modp6144", /* group 17 */
1179 "modp8192", /* group 18 */
1180 };
1181
1182 static const char *esp_p_map[] = {
1183 NULL, "1des-iv64", "1des", "3des", "rc5", "idea", "cast",
1184 "blowfish", "3idea", "1des-iv32", "rc4", "null", "aes"
1185 };
1186
1187 static const char *ipcomp_p_map[] = {
1188 NULL, "oui", "deflate", "lzs",
1189 };
1190
1191 static const struct attrmap ipsec_t_map[] = {
1192 { NULL, 0, { NULL } },
1193 { "lifetype", 3, { NULL, "sec", "kb", }, },
1194 { "life", 0, { NULL } },
1195 { "group desc", 18, { NULL, "modp768",
1196 "modp1024", /* group 2 */
1197 "EC2N 2^155", /* group 3 */
1198 "EC2N 2^185", /* group 4 */
1199 "modp1536", /* group 5 */
1200 "iana-grp06", "iana-grp07", /* reserved */
1201 "iana-grp08", "iana-grp09",
1202 "iana-grp10", "iana-grp11",
1203 "iana-grp12", "iana-grp13",
1204 "modp2048", /* group 14 */
1205 "modp3072", /* group 15 */
1206 "modp4096", /* group 16 */
1207 "modp6144", /* group 17 */
1208 "modp8192", /* group 18 */
1209 }, },
1210 { "enc mode", 3, { NULL, "tunnel", "transport", }, },
1211 { "auth", 5, { NULL, "hmac-md5", "hmac-sha1", "1des-mac", "keyed", }, },
1212 { "keylen", 0, { NULL } },
1213 { "rounds", 0, { NULL } },
1214 { "dictsize", 0, { NULL } },
1215 { "privalg", 0, { NULL } },
1216 };
1217
1218 static const struct attrmap encr_t_map[] = {
1219 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 0, 1 */
1220 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 2, 3 */
1221 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 4, 5 */
1222 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 6, 7 */
1223 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 8, 9 */
1224 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 10,11*/
1225 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 12,13*/
1226 { "keylen", 14, { NULL }},
1227 };
1228
1229 static const struct attrmap oakley_t_map[] = {
1230 { NULL, 0, { NULL } },
1231 { "enc", 8, { NULL, "1des", "idea", "blowfish", "rc5",
1232 "3des", "cast", "aes", }, },
1233 { "hash", 7, { NULL, "md5", "sha1", "tiger",
1234 "sha2-256", "sha2-384", "sha2-512", }, },
1235 { "auth", 6, { NULL, "preshared", "dss", "rsa sig", "rsa enc",
1236 "rsa enc revised", }, },
1237 { "group desc", 18, { NULL, "modp768",
1238 "modp1024", /* group 2 */
1239 "EC2N 2^155", /* group 3 */
1240 "EC2N 2^185", /* group 4 */
1241 "modp1536", /* group 5 */
1242 "iana-grp06", "iana-grp07", /* reserved */
1243 "iana-grp08", "iana-grp09",
1244 "iana-grp10", "iana-grp11",
1245 "iana-grp12", "iana-grp13",
1246 "modp2048", /* group 14 */
1247 "modp3072", /* group 15 */
1248 "modp4096", /* group 16 */
1249 "modp6144", /* group 17 */
1250 "modp8192", /* group 18 */
1251 }, },
1252 { "group type", 4, { NULL, "MODP", "ECP", "EC2N", }, },
1253 { "group prime", 0, { NULL } },
1254 { "group gen1", 0, { NULL } },
1255 { "group gen2", 0, { NULL } },
1256 { "group curve A", 0, { NULL } },
1257 { "group curve B", 0, { NULL } },
1258 { "lifetype", 3, { NULL, "sec", "kb", }, },
1259 { "lifeduration", 0, { NULL } },
1260 { "prf", 0, { NULL } },
1261 { "keylen", 0, { NULL } },
1262 { "field", 0, { NULL } },
1263 { "order", 0, { NULL } },
1264 };
1265
1266 static const u_char *
1267 ikev1_t_print(netdissect_options *ndo, u_char tpay _U_,
1268 const struct isakmp_gen *ext, u_int item_len,
1269 const u_char *ep, uint32_t phase _U_, uint32_t doi _U_,
1270 uint32_t proto, int depth _U_)
1271 {
1272 const struct ikev1_pl_t *p;
1273 const u_char *cp;
1274 const char *idstr;
1275 const struct attrmap *map;
1276 size_t nmap;
1277 const u_char *ep2;
1278
1279 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_T));
1280
1281 p = (const struct ikev1_pl_t *)ext;
1282 ND_TCHECK_SIZE(p);
1283
1284 switch (proto) {
1285 case 1:
1286 idstr = STR_OR_ID(GET_U_1(p->t_id), ikev1_p_map);
1287 map = oakley_t_map;
1288 nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]);
1289 break;
1290 case 2:
1291 idstr = STR_OR_ID(GET_U_1(p->t_id), ah_p_map);
1292 map = ipsec_t_map;
1293 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
1294 break;
1295 case 3:
1296 idstr = STR_OR_ID(GET_U_1(p->t_id), esp_p_map);
1297 map = ipsec_t_map;
1298 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
1299 break;
1300 case 4:
1301 idstr = STR_OR_ID(GET_U_1(p->t_id), ipcomp_p_map);
1302 map = ipsec_t_map;
1303 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
1304 break;
1305 default:
1306 idstr = NULL;
1307 map = NULL;
1308 nmap = 0;
1309 break;
1310 }
1311
1312 if (idstr)
1313 ND_PRINT(" #%u id=%s ", GET_U_1(p->t_no), idstr);
1314 else
1315 ND_PRINT(" #%u id=%u ", GET_U_1(p->t_no), GET_U_1(p->t_id));
1316 cp = (const u_char *)(p + 1);
1317 ep2 = (const u_char *)p + item_len;
1318 while (cp < ep && cp < ep2) {
1319 if (map && nmap)
1320 cp = ikev1_attrmap_print(ndo, cp, ep2, map, nmap);
1321 else
1322 cp = ikev1_attr_print(ndo, cp, ep2);
1323 if (cp == NULL)
1324 goto trunc;
1325 }
1326 if (ep < ep2)
1327 ND_PRINT("...");
1328 return cp;
1329 trunc:
1330 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_T));
1331 return NULL;
1332 }
1333
1334 static const u_char *
1335 ikev1_ke_print(netdissect_options *ndo, u_char tpay _U_,
1336 const struct isakmp_gen *ext, u_int item_len,
1337 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_,
1338 uint32_t proto _U_, int depth _U_)
1339 {
1340 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_KE));
1341
1342 ND_TCHECK_SIZE(ext);
1343 /*
1344 * Our caller has ensured that the length is >= 4.
1345 */
1346 ND_PRINT(" key len=%u", item_len - 4);
1347 if (2 < ndo->ndo_vflag && item_len > 4) {
1348 /* Print the entire payload in hex */
1349 ND_PRINT(" ");
1350 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1351 goto trunc;
1352 }
1353 return (const u_char *)ext + item_len;
1354 trunc:
1355 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_KE));
1356 return NULL;
1357 }
1358
1359 static const u_char *
1360 ikev1_id_print(netdissect_options *ndo, u_char tpay _U_,
1361 const struct isakmp_gen *ext, u_int item_len,
1362 const u_char *ep _U_, uint32_t phase, uint32_t doi _U_,
1363 uint32_t proto _U_, int depth _U_)
1364 {
1365 #define USE_IPSECDOI_IN_PHASE1 1
1366 const struct ikev1_pl_id *p;
1367 static const char *idtypestr[] = {
1368 "IPv4", "IPv4net", "IPv6", "IPv6net",
1369 };
1370 static const char *ipsecidtypestr[] = {
1371 NULL, "IPv4", "FQDN", "user FQDN", "IPv4net", "IPv6",
1372 "IPv6net", "IPv4range", "IPv6range", "ASN1 DN", "ASN1 GN",
1373 "keyid",
1374 };
1375 u_int len;
1376 const u_char *data;
1377
1378 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_ID));
1379
1380 p = (const struct ikev1_pl_id *)ext;
1381 ND_TCHECK_SIZE(p);
1382 if (sizeof(*p) < item_len) {
1383 data = (const u_char *)(p + 1);
1384 len = item_len - sizeof(*p);
1385 } else {
1386 data = NULL;
1387 len = 0;
1388 }
1389
1390 #if 0 /*debug*/
1391 ND_PRINT(" [phase=%u doi=%u proto=%u]", phase, doi, proto);
1392 #endif
1393 switch (phase) {
1394 #ifndef USE_IPSECDOI_IN_PHASE1
1395 case 1:
1396 #endif
1397 default:
1398 ND_PRINT(" idtype=%s",
1399 STR_OR_ID(GET_U_1(p->d.id_type), idtypestr));
1400 ND_PRINT(" doi_data=%u",
1401 GET_BE_U_4(p->d.doi_data) & 0xffffff);
1402 break;
1403
1404 #ifdef USE_IPSECDOI_IN_PHASE1
1405 case 1:
1406 #endif
1407 case 2:
1408 {
1409 const struct ipsecdoi_id *doi_p;
1410 const char *p_name;
1411 uint8_t type, proto_id;
1412
1413 doi_p = (const struct ipsecdoi_id *)ext;
1414 ND_TCHECK_SIZE(doi_p);
1415 type = GET_U_1(doi_p->type);
1416 ND_PRINT(" idtype=%s", STR_OR_ID(type, ipsecidtypestr));
1417 /* A protocol ID of 0 DOES NOT mean IPPROTO_IP! */
1418 proto_id = GET_U_1(doi_p->proto_id);
1419 if (!ndo->ndo_nflag && proto_id && (p_name = netdb_protoname(proto_id)) != NULL)
1420 ND_PRINT(" protoid=%s", p_name);
1421 else
1422 ND_PRINT(" protoid=%u", proto_id);
1423 ND_PRINT(" port=%u", GET_BE_U_2(doi_p->port));
1424 if (!len)
1425 break;
1426 if (data == NULL)
1427 goto trunc;
1428 ND_TCHECK_LEN(data, len);
1429 switch (type) {
1430 case IPSECDOI_ID_IPV4_ADDR:
1431 if (len < 4)
1432 ND_PRINT(" len=%u [bad: < 4]", len);
1433 else
1434 ND_PRINT(" len=%u %s", len, GET_IPADDR_STRING(data));
1435 len = 0;
1436 break;
1437 case IPSECDOI_ID_FQDN:
1438 case IPSECDOI_ID_USER_FQDN:
1439 {
1440 ND_PRINT(" len=%u ", len);
1441 nd_printjn(ndo, data, len);
1442 len = 0;
1443 break;
1444 }
1445 case IPSECDOI_ID_IPV4_ADDR_SUBNET:
1446 {
1447 const u_char *mask;
1448 if (len < 8)
1449 ND_PRINT(" len=%u [bad: < 8]", len);
1450 else {
1451 mask = data + sizeof(nd_ipv4);
1452 ND_PRINT(" len=%u %s/%u.%u.%u.%u", len,
1453 GET_IPADDR_STRING(data),
1454 GET_U_1(mask), GET_U_1(mask + 1),
1455 GET_U_1(mask + 2),
1456 GET_U_1(mask + 3));
1457 }
1458 len = 0;
1459 break;
1460 }
1461 case IPSECDOI_ID_IPV6_ADDR:
1462 if (len < 16)
1463 ND_PRINT(" len=%u [bad: < 16]", len);
1464 else
1465 ND_PRINT(" len=%u %s", len, GET_IP6ADDR_STRING(data));
1466 len = 0;
1467 break;
1468 case IPSECDOI_ID_IPV6_ADDR_SUBNET:
1469 {
1470 const u_char *mask;
1471 if (len < 32)
1472 ND_PRINT(" len=%u [bad: < 32]", len);
1473 else {
1474 mask = (const u_char *)(data + sizeof(nd_ipv6));
1475 /*XXX*/
1476 ND_PRINT(" len=%u %s/0x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x", len,
1477 GET_IP6ADDR_STRING(data),
1478 GET_U_1(mask), GET_U_1(mask + 1),
1479 GET_U_1(mask + 2),
1480 GET_U_1(mask + 3),
1481 GET_U_1(mask + 4),
1482 GET_U_1(mask + 5),
1483 GET_U_1(mask + 6),
1484 GET_U_1(mask + 7),
1485 GET_U_1(mask + 8),
1486 GET_U_1(mask + 9),
1487 GET_U_1(mask + 10),
1488 GET_U_1(mask + 11),
1489 GET_U_1(mask + 12),
1490 GET_U_1(mask + 13),
1491 GET_U_1(mask + 14),
1492 GET_U_1(mask + 15));
1493 }
1494 len = 0;
1495 break;
1496 }
1497 case IPSECDOI_ID_IPV4_ADDR_RANGE:
1498 if (len < 8)
1499 ND_PRINT(" len=%u [bad: < 8]", len);
1500 else {
1501 ND_PRINT(" len=%u %s-%s", len,
1502 GET_IPADDR_STRING(data),
1503 GET_IPADDR_STRING(data + sizeof(nd_ipv4)));
1504 }
1505 len = 0;
1506 break;
1507 case IPSECDOI_ID_IPV6_ADDR_RANGE:
1508 if (len < 32)
1509 ND_PRINT(" len=%u [bad: < 32]", len);
1510 else {
1511 ND_PRINT(" len=%u %s-%s", len,
1512 GET_IP6ADDR_STRING(data),
1513 GET_IP6ADDR_STRING(data + sizeof(nd_ipv6)));
1514 }
1515 len = 0;
1516 break;
1517 case IPSECDOI_ID_DER_ASN1_DN:
1518 case IPSECDOI_ID_DER_ASN1_GN:
1519 case IPSECDOI_ID_KEY_ID:
1520 break;
1521 }
1522 break;
1523 }
1524 }
1525 if (data && len) {
1526 ND_PRINT(" len=%u", len);
1527 if (2 < ndo->ndo_vflag) {
1528 ND_PRINT(" ");
1529 if (!rawprint(ndo, (const uint8_t *)data, len))
1530 goto trunc;
1531 }
1532 }
1533 return (const u_char *)ext + item_len;
1534 trunc:
1535 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_ID));
1536 return NULL;
1537 }
1538
1539 static const u_char *
1540 ikev1_cert_print(netdissect_options *ndo, u_char tpay _U_,
1541 const struct isakmp_gen *ext, u_int item_len,
1542 const u_char *ep _U_, uint32_t phase _U_,
1543 uint32_t doi0 _U_,
1544 uint32_t proto0 _U_, int depth _U_)
1545 {
1546 const struct ikev1_pl_cert *p;
1547 static const char *certstr[] = {
1548 "none", "pkcs7", "pgp", "dns",
1549 "x509sign", "x509ke", "kerberos", "crl",
1550 "arl", "spki", "x509attr",
1551 };
1552
1553 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_CERT));
1554
1555 p = (const struct ikev1_pl_cert *)ext;
1556 ND_TCHECK_SIZE(p);
1557 /*
1558 * Our caller has ensured that the length is >= 4.
1559 */
1560 ND_PRINT(" len=%u", item_len - 4);
1561 ND_PRINT(" type=%s", STR_OR_ID(GET_U_1(p->encode), certstr));
1562 if (2 < ndo->ndo_vflag && 4 < item_len) {
1563 /* Print the entire payload in hex */
1564 ND_PRINT(" ");
1565 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1566 goto trunc;
1567 }
1568 return (const u_char *)ext + item_len;
1569 trunc:
1570 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_CERT));
1571 return NULL;
1572 }
1573
1574 static const u_char *
1575 ikev1_cr_print(netdissect_options *ndo, u_char tpay _U_,
1576 const struct isakmp_gen *ext, u_int item_len,
1577 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi0 _U_,
1578 uint32_t proto0 _U_, int depth _U_)
1579 {
1580 const struct ikev1_pl_cert *p;
1581 static const char *certstr[] = {
1582 "none", "pkcs7", "pgp", "dns",
1583 "x509sign", "x509ke", "kerberos", "crl",
1584 "arl", "spki", "x509attr",
1585 };
1586
1587 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_CR));
1588
1589 p = (const struct ikev1_pl_cert *)ext;
1590 ND_TCHECK_SIZE(p);
1591 /*
1592 * Our caller has ensured that the length is >= 4.
1593 */
1594 ND_PRINT(" len=%u", item_len - 4);
1595 ND_PRINT(" type=%s", STR_OR_ID(GET_U_1(p->encode), certstr));
1596 if (2 < ndo->ndo_vflag && 4 < item_len) {
1597 /* Print the entire payload in hex */
1598 ND_PRINT(" ");
1599 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1600 goto trunc;
1601 }
1602 return (const u_char *)ext + item_len;
1603 trunc:
1604 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_CR));
1605 return NULL;
1606 }
1607
1608 static const u_char *
1609 ikev1_hash_print(netdissect_options *ndo, u_char tpay _U_,
1610 const struct isakmp_gen *ext, u_int item_len,
1611 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_,
1612 uint32_t proto _U_, int depth _U_)
1613 {
1614 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_HASH));
1615
1616 ND_TCHECK_SIZE(ext);
1617 /*
1618 * Our caller has ensured that the length is >= 4.
1619 */
1620 ND_PRINT(" len=%u", item_len - 4);
1621 if (2 < ndo->ndo_vflag && 4 < item_len) {
1622 /* Print the entire payload in hex */
1623 ND_PRINT(" ");
1624 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1625 goto trunc;
1626 }
1627 return (const u_char *)ext + item_len;
1628 trunc:
1629 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_HASH));
1630 return NULL;
1631 }
1632
1633 static const u_char *
1634 ikev1_sig_print(netdissect_options *ndo, u_char tpay _U_,
1635 const struct isakmp_gen *ext, u_int item_len,
1636 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_,
1637 uint32_t proto _U_, int depth _U_)
1638 {
1639 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_SIG));
1640
1641 ND_TCHECK_SIZE(ext);
1642 /*
1643 * Our caller has ensured that the length is >= 4.
1644 */
1645 ND_PRINT(" len=%u", item_len - 4);
1646 if (2 < ndo->ndo_vflag && 4 < item_len) {
1647 /* Print the entire payload in hex */
1648 ND_PRINT(" ");
1649 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1650 goto trunc;
1651 }
1652 return (const u_char *)ext + item_len;
1653 trunc:
1654 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_SIG));
1655 return NULL;
1656 }
1657
1658 static const u_char *
1659 ikev1_nonce_print(netdissect_options *ndo, u_char tpay _U_,
1660 const struct isakmp_gen *ext,
1661 u_int item_len,
1662 const u_char *ep,
1663 uint32_t phase _U_, uint32_t doi _U_,
1664 uint32_t proto _U_, int depth _U_)
1665 {
1666 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_NONCE));
1667
1668 ND_TCHECK_SIZE(ext);
1669 /*
1670 * Our caller has ensured that the length is >= 4.
1671 */
1672 ND_PRINT(" n len=%u", item_len - 4);
1673 if (item_len > 4) {
1674 if (ndo->ndo_vflag > 2) {
1675 ND_PRINT(" ");
1676 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1677 goto trunc;
1678 } else if (ndo->ndo_vflag > 1) {
1679 ND_PRINT(" ");
1680 if (!ike_show_somedata(ndo, (const u_char *)(ext + 1), ep))
1681 goto trunc;
1682 }
1683 }
1684 return (const u_char *)ext + item_len;
1685 trunc:
1686 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_NONCE));
1687 return NULL;
1688 }
1689
1690 static const u_char *
1691 ikev1_n_print(netdissect_options *ndo, u_char tpay _U_,
1692 const struct isakmp_gen *ext, u_int item_len,
1693 const u_char *ep, uint32_t phase _U_, uint32_t doi0 _U_,
1694 uint32_t proto0 _U_, int depth _U_)
1695 {
1696 const struct ikev1_pl_n *p;
1697 const u_char *cp;
1698 const u_char *ep2;
1699 uint32_t doi;
1700 uint32_t proto;
1701 uint16_t type;
1702 uint8_t spi_size;
1703 static const char *notify_error_str[] = {
1704 NULL, "INVALID-PAYLOAD-TYPE",
1705 "DOI-NOT-SUPPORTED", "SITUATION-NOT-SUPPORTED",
1706 "INVALID-COOKIE", "INVALID-MAJOR-VERSION",
1707 "INVALID-MINOR-VERSION", "INVALID-EXCHANGE-TYPE",
1708 "INVALID-FLAGS", "INVALID-MESSAGE-ID",
1709 "INVALID-PROTOCOL-ID", "INVALID-SPI",
1710 "INVALID-TRANSFORM-ID", "ATTRIBUTES-NOT-SUPPORTED",
1711 "NO-PROPOSAL-CHOSEN", "BAD-PROPOSAL-SYNTAX",
1712 "PAYLOAD-MALFORMED", "INVALID-KEY-INFORMATION",
1713 "INVALID-ID-INFORMATION", "INVALID-CERT-ENCODING",
1714 "INVALID-CERTIFICATE", "CERT-TYPE-UNSUPPORTED",
1715 "INVALID-CERT-AUTHORITY", "INVALID-HASH-INFORMATION",
1716 "AUTHENTICATION-FAILED", "INVALID-SIGNATURE",
1717 "ADDRESS-NOTIFICATION", "NOTIFY-SA-LIFETIME",
1718 "CERTIFICATE-UNAVAILABLE", "UNSUPPORTED-EXCHANGE-TYPE",
1719 "UNEQUAL-PAYLOAD-LENGTHS",
1720 };
1721 static const char *ipsec_notify_error_str[] = {
1722 "RESERVED",
1723 };
1724 static const char *notify_status_str[] = {
1725 "CONNECTED",
1726 };
1727 static const char *ipsec_notify_status_str[] = {
1728 "RESPONDER-LIFETIME", "REPLAY-STATUS",
1729 "INITIAL-CONTACT",
1730 };
1731 /* NOTE: these macro must be called with x in proper range */
1732
1733 /* 0 - 8191 */
1734 #define NOTIFY_ERROR_STR(x) \
1735 STR_OR_ID((x), notify_error_str)
1736
1737 /* 8192 - 16383 */
1738 #define IPSEC_NOTIFY_ERROR_STR(x) \
1739 STR_OR_ID((u_int)((x) - 8192), ipsec_notify_error_str)
1740
1741 /* 16384 - 24575 */
1742 #define NOTIFY_STATUS_STR(x) \
1743 STR_OR_ID((u_int)((x) - 16384), notify_status_str)
1744
1745 /* 24576 - 32767 */
1746 #define IPSEC_NOTIFY_STATUS_STR(x) \
1747 STR_OR_ID((u_int)((x) - 24576), ipsec_notify_status_str)
1748
1749 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_N));
1750
1751 p = (const struct ikev1_pl_n *)ext;
1752 ND_TCHECK_SIZE(p);
1753 doi = GET_BE_U_4(p->doi);
1754 proto = GET_U_1(p->prot_id);
1755 if (doi != 1) {
1756 ND_PRINT(" doi=%u", doi);
1757 ND_PRINT(" proto=%u", proto);
1758 type = GET_BE_U_2(p->type);
1759 if (type < 8192)
1760 ND_PRINT(" type=%s", NOTIFY_ERROR_STR(type));
1761 else if (type < 16384)
1762 ND_PRINT(" type=%s", numstr(type));
1763 else if (type < 24576)
1764 ND_PRINT(" type=%s", NOTIFY_STATUS_STR(type));
1765 else
1766 ND_PRINT(" type=%s", numstr(type));
1767 spi_size = GET_U_1(p->spi_size);
1768 if (spi_size) {
1769 ND_PRINT(" spi=");
1770 if (!rawprint(ndo, (const uint8_t *)(p + 1), spi_size))
1771 goto trunc;
1772 }
1773 return (const u_char *)(p + 1) + spi_size;
1774 }
1775
1776 ND_PRINT(" doi=ipsec");
1777 ND_PRINT(" proto=%s", PROTOIDSTR(proto));
1778 type = GET_BE_U_2(p->type);
1779 if (type < 8192)
1780 ND_PRINT(" type=%s", NOTIFY_ERROR_STR(type));
1781 else if (type < 16384)
1782 ND_PRINT(" type=%s", IPSEC_NOTIFY_ERROR_STR(type));
1783 else if (type < 24576)
1784 ND_PRINT(" type=%s", NOTIFY_STATUS_STR(type));
1785 else if (type < 32768)
1786 ND_PRINT(" type=%s", IPSEC_NOTIFY_STATUS_STR(type));
1787 else
1788 ND_PRINT(" type=%s", numstr(type));
1789 spi_size = GET_U_1(p->spi_size);
1790 if (spi_size) {
1791 ND_PRINT(" spi=");
1792 if (!rawprint(ndo, (const uint8_t *)(p + 1), spi_size))
1793 goto trunc;
1794 }
1795
1796 cp = (const u_char *)(p + 1) + spi_size;
1797 ep2 = (const u_char *)p + item_len;
1798
1799 if (cp < ep) {
1800 switch (type) {
1801 case IPSECDOI_NTYPE_RESPONDER_LIFETIME:
1802 {
1803 const struct attrmap *map = oakley_t_map;
1804 size_t nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]);
1805 ND_PRINT(" attrs=(");
1806 while (cp < ep && cp < ep2) {
1807 cp = ikev1_attrmap_print(ndo, cp, ep2, map, nmap);
1808 if (cp == NULL) {
1809 ND_PRINT(")");
1810 goto trunc;
1811 }
1812 }
1813 ND_PRINT(")");
1814 break;
1815 }
1816 case IPSECDOI_NTYPE_REPLAY_STATUS:
1817 ND_PRINT(" status=(");
1818 ND_PRINT("replay detection %sabled",
1819 GET_BE_U_4(cp) ? "en" : "dis");
1820 ND_PRINT(")");
1821 break;
1822 default:
1823 /*
1824 * XXX - fill in more types here; see, for example,
1825 * draft-ietf-ipsec-notifymsg-04.
1826 */
1827 if (ndo->ndo_vflag > 3) {
1828 ND_PRINT(" data=(");
1829 if (!rawprint(ndo, (const uint8_t *)(cp), ep - cp))
1830 goto trunc;
1831 ND_PRINT(")");
1832 } else {
1833 if (!ike_show_somedata(ndo, cp, ep))
1834 goto trunc;
1835 }
1836 break;
1837 }
1838 }
1839 return (const u_char *)ext + item_len;
1840 trunc:
1841 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_N));
1842 return NULL;
1843 }
1844
1845 static const u_char *
1846 ikev1_d_print(netdissect_options *ndo, u_char tpay _U_,
1847 const struct isakmp_gen *ext, u_int item_len _U_,
1848 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi0 _U_,
1849 uint32_t proto0 _U_, int depth _U_)
1850 {
1851 const struct ikev1_pl_d *p;
1852 const uint8_t *q;
1853 uint32_t doi;
1854 uint32_t proto;
1855 uint8_t spi_size;
1856 uint16_t num_spi;
1857 u_int i;
1858
1859 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_D));
1860
1861 p = (const struct ikev1_pl_d *)ext;
1862 ND_TCHECK_SIZE(p);
1863 doi = GET_BE_U_4(p->doi);
1864 proto = GET_U_1(p->prot_id);
1865 if (doi != 1) {
1866 ND_PRINT(" doi=%u", doi);
1867 ND_PRINT(" proto=%u", proto);
1868 } else {
1869 ND_PRINT(" doi=ipsec");
1870 ND_PRINT(" proto=%s", PROTOIDSTR(proto));
1871 }
1872 spi_size = GET_U_1(p->spi_size);
1873 ND_PRINT(" spilen=%u", spi_size);
1874 num_spi = GET_BE_U_2(p->num_spi);
1875 ND_PRINT(" nspi=%u", num_spi);
1876 q = (const uint8_t *)(p + 1);
1877 if (spi_size) {
1878 ND_PRINT(" spi=");
1879 for (i = 0; i < num_spi; i++) {
1880 if (i != 0)
1881 ND_PRINT(",");
1882 if (!rawprint(ndo, (const uint8_t *)q, spi_size))
1883 goto trunc;
1884 q += spi_size;
1885 }
1886 }
1887 return q;
1888 trunc:
1889 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_D));
1890 return NULL;
1891 }
1892
1893 static const u_char *
1894 ikev1_vid_print(netdissect_options *ndo, u_char tpay _U_,
1895 const struct isakmp_gen *ext,
1896 u_int item_len, const u_char *ep _U_,
1897 uint32_t phase _U_, uint32_t doi _U_,
1898 uint32_t proto _U_, int depth _U_)
1899 {
1900 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_VID));
1901
1902 ND_TCHECK_SIZE(ext);
1903 /*
1904 * Our caller has ensured that the length is >= 4.
1905 */
1906 ND_PRINT(" len=%u", item_len - 4);
1907 if (2 < ndo->ndo_vflag && 4 < item_len) {
1908 /* Print the entire payload in hex */
1909 ND_PRINT(" ");
1910 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1911 goto trunc;
1912 }
1913 return (const u_char *)ext + item_len;
1914 trunc:
1915 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_VID));
1916 return NULL;
1917 }
1918
1919 /************************************************************/
1920 /* */
1921 /* IKE v2 - rfc4306 - dissector */
1922 /* */
1923 /************************************************************/
1924
1925 static void
1926 ikev2_pay_print(netdissect_options *ndo, const char *payname, uint8_t critical)
1927 {
1928 ND_PRINT("%s%s:", payname, critical&0x80 ? "[C]" : "");
1929 }
1930
1931 static const u_char *
1932 ikev2_gen_print(netdissect_options *ndo, u_char tpay,
1933 const struct isakmp_gen *ext, u_int item_len)
1934 {
1935 const struct isakmp_gen *p = (const struct isakmp_gen *)ext;
1936
1937 ND_TCHECK_SIZE(ext);
1938 ikev2_pay_print(ndo, NPSTR(tpay), GET_U_1(p->critical));
1939
1940 /*
1941 * Our caller has ensured that the length is >= 4.
1942 */
1943 ND_PRINT(" len=%u", item_len - 4);
1944 if (2 < ndo->ndo_vflag && 4 < item_len) {
1945 /* Print the entire payload in hex */
1946 ND_PRINT(" ");
1947 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1948 goto trunc;
1949 }
1950 return (const u_char *)ext + item_len;
1951 trunc:
1952 ND_PRINT(" [|%s]", NPSTR(tpay));
1953 return NULL;
1954 }
1955
1956 static const u_char *
1957 ikev2_t_print(netdissect_options *ndo, int tcount,
1958 const struct isakmp_gen *ext, u_int item_len,
1959 const u_char *ep)
1960 {
1961 const struct ikev2_t *p;
1962 uint16_t t_id;
1963 uint8_t t_type;
1964 const u_char *cp;
1965 const char *idstr;
1966 const struct attrmap *map;
1967 size_t nmap;
1968 const u_char *ep2;
1969
1970 p = (const struct ikev2_t *)ext;
1971 ND_TCHECK_SIZE(p);
1972 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_T), GET_U_1(p->h.critical));
1973
1974 t_id = GET_BE_U_2(p->t_id);
1975
1976 map = NULL;
1977 nmap = 0;
1978
1979 t_type = GET_U_1(p->t_type);
1980 switch (t_type) {
1981 case IV2_T_ENCR:
1982 idstr = STR_OR_ID(t_id, esp_p_map);
1983 map = encr_t_map;
1984 nmap = sizeof(encr_t_map)/sizeof(encr_t_map[0]);
1985 break;
1986
1987 case IV2_T_PRF:
1988 idstr = STR_OR_ID(t_id, prf_p_map);
1989 break;
1990
1991 case IV2_T_INTEG:
1992 idstr = STR_OR_ID(t_id, integ_p_map);
1993 break;
1994
1995 case IV2_T_DH:
1996 idstr = STR_OR_ID(t_id, dh_p_map);
1997 break;
1998
1999 case IV2_T_ESN:
2000 idstr = STR_OR_ID(t_id, esn_p_map);
2001 break;
2002
2003 default:
2004 idstr = NULL;
2005 break;
2006 }
2007
2008 if (idstr)
2009 ND_PRINT(" #%u type=%s id=%s ", tcount,
2010 STR_OR_ID(t_type, ikev2_t_type_map),
2011 idstr);
2012 else
2013 ND_PRINT(" #%u type=%s id=%u ", tcount,
2014 STR_OR_ID(t_type, ikev2_t_type_map),
2015 t_id);
2016 cp = (const u_char *)(p + 1);
2017 ep2 = (const u_char *)p + item_len;
2018 while (cp < ep && cp < ep2) {
2019 if (map && nmap) {
2020 cp = ikev1_attrmap_print(ndo, cp, ep2, map, nmap);
2021 } else
2022 cp = ikev1_attr_print(ndo, cp, ep2);
2023 if (cp == NULL)
2024 goto trunc;
2025 }
2026 if (ep < ep2)
2027 ND_PRINT("...");
2028 return cp;
2029 trunc:
2030 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_T));
2031 return NULL;
2032 }
2033
2034 static const u_char *
2035 ikev2_p_print(netdissect_options *ndo, u_char tpay _U_, int pcount _U_,
2036 const struct isakmp_gen *ext, u_int oprop_length,
2037 const u_char *ep, int depth)
2038 {
2039 const struct ikev2_p *p;
2040 u_int prop_length;
2041 uint8_t spi_size;
2042 const u_char *cp;
2043 int i;
2044 int tcount;
2045 u_char np;
2046 u_int item_len;
2047
2048 p = (const struct ikev2_p *)ext;
2049 ND_TCHECK_SIZE(p);
2050
2051 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_P), GET_U_1(p->h.critical));
2052
2053 /*
2054 * ikev2_sa_print() guarantees that this is >= 4.
2055 */
2056 prop_length = oprop_length - 4;
2057 ND_PRINT(" #%u protoid=%s transform=%u len=%u",
2058 GET_U_1(p->p_no), PROTOIDSTR(GET_U_1(p->prot_id)),
2059 GET_U_1(p->num_t), oprop_length);
2060 cp = (const u_char *)(p + 1);
2061
2062 spi_size = GET_U_1(p->spi_size);
2063 if (spi_size) {
2064 if (prop_length < spi_size)
2065 goto toolong;
2066 ND_PRINT(" spi=");
2067 if (!rawprint(ndo, (const uint8_t *)cp, spi_size))
2068 goto trunc;
2069 cp += spi_size;
2070 prop_length -= spi_size;
2071 }
2072
2073 /*
2074 * Print the transforms.
2075 */
2076 tcount = 0;
2077 for (np = ISAKMP_NPTYPE_T; np != 0; np = GET_U_1(ext->np)) {
2078 tcount++;
2079 ext = (const struct isakmp_gen *)cp;
2080 if (prop_length < sizeof(*ext))
2081 goto toolong;
2082 ND_TCHECK_SIZE(ext);
2083
2084 /*
2085 * Since we can't have a payload length of less than 4 bytes,
2086 * we need to bail out here if the generic header is nonsensical
2087 * or truncated, otherwise we could loop forever processing
2088 * zero-length items or otherwise misdissect the packet.
2089 */
2090 item_len = GET_BE_U_2(ext->len);
2091 if (item_len <= 4)
2092 goto trunc;
2093
2094 if (prop_length < item_len)
2095 goto toolong;
2096 ND_TCHECK_LEN(cp, item_len);
2097
2098 depth++;
2099 ND_PRINT("\n");
2100 for (i = 0; i < depth; i++)
2101 ND_PRINT(" ");
2102 ND_PRINT("(");
2103 if (np == ISAKMP_NPTYPE_T) {
2104 cp = ikev2_t_print(ndo, tcount, ext, item_len, ep);
2105 if (cp == NULL) {
2106 /* error, already reported */
2107 return NULL;
2108 }
2109 } else {
2110 ND_PRINT("%s", NPSTR(np));
2111 cp += item_len;
2112 }
2113 ND_PRINT(")");
2114 depth--;
2115 prop_length -= item_len;
2116 }
2117 return cp;
2118 toolong:
2119 /*
2120 * Skip the rest of the proposal.
2121 */
2122 cp += prop_length;
2123 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_P));
2124 return cp;
2125 trunc:
2126 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_P));
2127 return NULL;
2128 }
2129
2130 static const u_char *
2131 ikev2_sa_print(netdissect_options *ndo, u_char tpay,
2132 const struct isakmp_gen *ext1,
2133 u_int osa_length, const u_char *ep,
2134 uint32_t phase _U_, uint32_t doi _U_,
2135 uint32_t proto _U_, int depth)
2136 {
2137 const struct isakmp_gen *ext;
2138 u_int sa_length;
2139 const u_char *cp;
2140 int i;
2141 int pcount;
2142 u_char np;
2143 u_int item_len;
2144
2145 ND_TCHECK_SIZE(ext1);
2146 ikev2_pay_print(ndo, "sa", GET_U_1(ext1->critical));
2147
2148 /*
2149 * ikev2_sub0_print() guarantees that this is >= 4.
2150 */
2151 osa_length= GET_BE_U_2(ext1->len);
2152 sa_length = osa_length - 4;
2153 ND_PRINT(" len=%u", sa_length);
2154
2155 /*
2156 * Print the payloads.
2157 */
2158 cp = (const u_char *)(ext1 + 1);
2159 pcount = 0;
2160 for (np = ISAKMP_NPTYPE_P; np != 0; np = GET_U_1(ext->np)) {
2161 pcount++;
2162 ext = (const struct isakmp_gen *)cp;
2163 if (sa_length < sizeof(*ext))
2164 goto toolong;
2165 ND_TCHECK_SIZE(ext);
2166
2167 /*
2168 * Since we can't have a payload length of less than 4 bytes,
2169 * we need to bail out here if the generic header is nonsensical
2170 * or truncated, otherwise we could loop forever processing
2171 * zero-length items or otherwise misdissect the packet.
2172 */
2173 item_len = GET_BE_U_2(ext->len);
2174 if (item_len <= 4)
2175 goto trunc;
2176
2177 if (sa_length < item_len)
2178 goto toolong;
2179 ND_TCHECK_LEN(cp, item_len);
2180
2181 depth++;
2182 ND_PRINT("\n");
2183 for (i = 0; i < depth; i++)
2184 ND_PRINT(" ");
2185 ND_PRINT("(");
2186 if (np == ISAKMP_NPTYPE_P) {
2187 cp = ikev2_p_print(ndo, np, pcount, ext, item_len,
2188 ep, depth);
2189 if (cp == NULL) {
2190 /* error, already reported */
2191 return NULL;
2192 }
2193 } else {
2194 ND_PRINT("%s", NPSTR(np));
2195 cp += item_len;
2196 }
2197 ND_PRINT(")");
2198 depth--;
2199 sa_length -= item_len;
2200 }
2201 return cp;
2202 toolong:
2203 /*
2204 * Skip the rest of the SA.
2205 */
2206 cp += sa_length;
2207 ND_PRINT(" [|%s]", NPSTR(tpay));
2208 return cp;
2209 trunc:
2210 ND_PRINT(" [|%s]", NPSTR(tpay));
2211 return NULL;
2212 }
2213
2214 static const u_char *
2215 ikev2_ke_print(netdissect_options *ndo, u_char tpay,
2216 const struct isakmp_gen *ext,
2217 u_int item_len, const u_char *ep _U_,
2218 uint32_t phase _U_, uint32_t doi _U_,
2219 uint32_t proto _U_, int depth _U_)
2220 {
2221 const struct ikev2_ke *k;
2222
2223 k = (const struct ikev2_ke *)ext;
2224 ND_TCHECK_SIZE(k);
2225 ikev2_pay_print(ndo, NPSTR(tpay), GET_U_1(k->h.critical));
2226
2227 if (item_len < 8) {
2228 ND_PRINT(" len=%u < 8", item_len);
2229 return (const u_char *)ext + item_len;
2230 }
2231 ND_PRINT(" len=%u group=%s", item_len - 8,
2232 STR_OR_ID(GET_BE_U_2(k->ke_group), dh_p_map));
2233
2234 if (2 < ndo->ndo_vflag && 8 < item_len) {
2235 ND_PRINT(" ");
2236 if (!rawprint(ndo, (const uint8_t *)(k + 1), item_len - 8))
2237 goto trunc;
2238 }
2239 return (const u_char *)ext + item_len;
2240 trunc:
2241 ND_PRINT(" [|%s]", NPSTR(tpay));
2242 return NULL;
2243 }
2244
2245 static const u_char *
2246 ikev2_ID_print(netdissect_options *ndo, u_char tpay,
2247 const struct isakmp_gen *ext,
2248 u_int item_len, const u_char *ep _U_,
2249 uint32_t phase _U_, uint32_t doi _U_,
2250 uint32_t proto _U_, int depth _U_)
2251 {
2252 const struct ikev2_id *idp;
2253 u_int idtype_len;
2254 unsigned int dumpascii, dumphex;
2255 const unsigned char *typedata;
2256
2257 idp = (const struct ikev2_id *)ext;
2258 ND_TCHECK_SIZE(idp);
2259 ikev2_pay_print(ndo, NPSTR(tpay), GET_U_1(idp->h.critical));
2260
2261 /*
2262 * Our caller has ensured that the length is >= 4.
2263 */
2264 ND_PRINT(" len=%u", item_len - 4);
2265 if (2 < ndo->ndo_vflag && 4 < item_len) {
2266 /* Print the entire payload in hex */
2267 ND_PRINT(" ");
2268 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
2269 goto trunc;
2270 }
2271
2272 idtype_len =item_len - sizeof(struct ikev2_id);
2273 dumpascii = 0;
2274 dumphex = 0;
2275 typedata = (const unsigned char *)(ext)+sizeof(struct ikev2_id);
2276
2277 switch(GET_U_1(idp->type)) {
2278 case ID_IPV4_ADDR:
2279 ND_PRINT(" ipv4:");
2280 dumphex=1;
2281 break;
2282 case ID_FQDN:
2283 ND_PRINT(" fqdn:");
2284 dumpascii=1;
2285 break;
2286 case ID_RFC822_ADDR:
2287 ND_PRINT(" rfc822:");
2288 dumpascii=1;
2289 break;
2290 case ID_IPV6_ADDR:
2291 ND_PRINT(" ipv6:");
2292 dumphex=1;
2293 break;
2294 case ID_DER_ASN1_DN:
2295 ND_PRINT(" dn:");
2296 dumphex=1;
2297 break;
2298 case ID_DER_ASN1_GN:
2299 ND_PRINT(" gn:");
2300 dumphex=1;
2301 break;
2302 case ID_KEY_ID:
2303 ND_PRINT(" keyid:");
2304 dumphex=1;
2305 break;
2306 }
2307
2308 if(dumpascii) {
2309 ND_TCHECK_LEN(typedata, idtype_len);
2310 nd_printjn(ndo, typedata, idtype_len);
2311 }
2312 if(dumphex) {
2313 if (!rawprint(ndo, (const uint8_t *)typedata, idtype_len))
2314 goto trunc;
2315 }
2316
2317 return (const u_char *)ext + item_len;
2318 trunc:
2319 ND_PRINT(" [|%s]", NPSTR(tpay));
2320 return NULL;
2321 }
2322
2323 static const u_char *
2324 ikev2_cert_print(netdissect_options *ndo, u_char tpay,
2325 const struct isakmp_gen *ext,
2326 u_int item_len, const u_char *ep _U_,
2327 uint32_t phase _U_, uint32_t doi _U_,
2328 uint32_t proto _U_, int depth _U_)
2329 {
2330 return ikev2_gen_print(ndo, tpay, ext, item_len);
2331 }
2332
2333 static const u_char *
2334 ikev2_cr_print(netdissect_options *ndo, u_char tpay,
2335 const struct isakmp_gen *ext,
2336 u_int item_len, const u_char *ep _U_,
2337 uint32_t phase _U_, uint32_t doi _U_,
2338 uint32_t proto _U_, int depth _U_)
2339 {
2340 return ikev2_gen_print(ndo, tpay, ext, item_len);
2341 }
2342
2343 static const u_char *
2344 ikev2_auth_print(netdissect_options *ndo, u_char tpay,
2345 const struct isakmp_gen *ext,
2346 u_int item_len, const u_char *ep,
2347 uint32_t phase _U_, uint32_t doi _U_,
2348 uint32_t proto _U_, int depth _U_)
2349 {
2350 const struct ikev2_auth *p;
2351 const char *v2_auth[]={ "invalid", "rsasig",
2352 "shared-secret", "dsssig" };
2353 const u_char *authdata = (const u_char *)ext + sizeof(struct ikev2_auth);
2354
2355 ND_TCHECK_LEN(ext, sizeof(struct ikev2_auth));
2356 p = (const struct ikev2_auth *)ext;
2357 ikev2_pay_print(ndo, NPSTR(tpay), GET_U_1(p->h.critical));
2358
2359 /*
2360 * Our caller has ensured that the length is >= 4.
2361 */
2362 ND_PRINT(" len=%u method=%s", item_len-4,
2363 STR_OR_ID(GET_U_1(p->auth_method), v2_auth));
2364 if (item_len > 4) {
2365 if (ndo->ndo_vflag > 1) {
2366 ND_PRINT(" authdata=(");
2367 if (!rawprint(ndo, (const uint8_t *)authdata, item_len - sizeof(struct ikev2_auth)))
2368 goto trunc;
2369 ND_PRINT(") ");
2370 } else if (ndo->ndo_vflag) {
2371 if (!ike_show_somedata(ndo, authdata, ep))
2372 goto trunc;
2373 }
2374 }
2375
2376 return (const u_char *)ext + item_len;
2377 trunc:
2378 ND_PRINT(" [|%s]", NPSTR(tpay));
2379 return NULL;
2380 }
2381
2382 static const u_char *
2383 ikev2_nonce_print(netdissect_options *ndo, u_char tpay,
2384 const struct isakmp_gen *ext,
2385 u_int item_len, const u_char *ep,
2386 uint32_t phase _U_, uint32_t doi _U_,
2387 uint32_t proto _U_, int depth _U_)
2388 {
2389 ND_TCHECK_SIZE(ext);
2390 ikev2_pay_print(ndo, "nonce", GET_U_1(ext->critical));
2391
2392 /*
2393 * Our caller has ensured that the length is >= 4.
2394 */
2395 ND_PRINT(" len=%u", item_len - 4);
2396 if (1 < ndo->ndo_vflag && 4 < item_len) {
2397 ND_PRINT(" nonce=(");
2398 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
2399 goto trunc;
2400 ND_PRINT(") ");
2401 } else if(ndo->ndo_vflag && 4 < item_len) {
2402 if(!ike_show_somedata(ndo, (const u_char *)(ext+1), ep)) goto trunc;
2403 }
2404
2405 return (const u_char *)ext + item_len;
2406 trunc:
2407 ND_PRINT(" [|%s]", NPSTR(tpay));
2408 return NULL;
2409 }
2410
2411 /* notify payloads */
2412 static const u_char *
2413 ikev2_n_print(netdissect_options *ndo, u_char tpay _U_,
2414 const struct isakmp_gen *ext,
2415 u_int item_len, const u_char *ep,
2416 uint32_t phase _U_, uint32_t doi _U_,
2417 uint32_t proto _U_, int depth _U_)
2418 {
2419 const struct ikev2_n *p;
2420 uint16_t type;
2421 uint8_t spi_size;
2422 const u_char *cp;
2423 u_char showspi, showsomedata;
2424 const char *notify_name;
2425
2426 p = (const struct ikev2_n *)ext;
2427 ND_TCHECK_SIZE(p);
2428 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_N), GET_U_1(p->h.critical));
2429
2430 showspi=0;
2431 showsomedata=0;
2432 notify_name=NULL;
2433
2434 ND_PRINT(" prot_id=%s", PROTOIDSTR(GET_U_1(p->prot_id)));
2435
2436 type = GET_BE_U_2(p->type);
2437
2438 /* notify space is annoying sparse */
2439 switch(type) {
2440 case IV2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD:
2441 notify_name = "unsupported_critical_payload";
2442 break;
2443
2444 case IV2_NOTIFY_INVALID_IKE_SPI:
2445 notify_name = "invalid_ike_spi";
2446 showspi = 1;
2447 break;
2448
2449 case IV2_NOTIFY_INVALID_MAJOR_VERSION:
2450 notify_name = "invalid_major_version";
2451 break;
2452
2453 case IV2_NOTIFY_INVALID_SYNTAX:
2454 notify_name = "invalid_syntax";
2455 showspi = 1;
2456 break;
2457
2458 case IV2_NOTIFY_INVALID_MESSAGE_ID:
2459 notify_name = "invalid_message_id";
2460 showspi = 1;
2461 break;
2462
2463 case IV2_NOTIFY_INVALID_SPI:
2464 notify_name = "invalid_spi";
2465 showspi = 1;
2466 break;
2467
2468 case IV2_NOTIFY_NO_PROPOSAL_CHOSEN:
2469 notify_name = "no_proposal_chosen";
2470 showspi = 1;
2471 break;
2472
2473 case IV2_NOTIFY_INVALID_KE_PAYLOAD:
2474 notify_name = "invalid_ke_payload";
2475 showspi = 1;
2476 break;
2477
2478 case IV2_NOTIFY_AUTHENTICATION_FAILED:
2479 notify_name = "authentication_failed";
2480 showspi = 1;
2481 break;
2482
2483 case IV2_NOTIFY_SINGLE_PAIR_REQUIRED:
2484 notify_name = "single_pair_required";
2485 showspi = 1;
2486 break;
2487
2488 case IV2_NOTIFY_NO_ADDITIONAL_SAS:
2489 notify_name = "no_additional_sas";
2490 break;
2491
2492 case IV2_NOTIFY_INTERNAL_ADDRESS_FAILURE:
2493 notify_name = "internal_address_failure";
2494 break;
2495
2496 case IV2_NOTIFY_FAILED_CP_REQUIRED:
2497 notify_name = "failed_cp_required";
2498 break;
2499
2500 case IV2_NOTIFY_TS_UNACCEPTABLE:
2501 notify_name = "ts_unacceptable";
2502 break;
2503
2504 case IV2_NOTIFY_INVALID_SELECTORS:
2505 notify_name = "invalid_selectors";
2506 break;
2507
2508 case IV2_NOTIFY_UNACCEPTABLE_ADDRESSES:
2509 notify_name = "unacceptable_addresses";
2510 break;
2511
2512 case IV2_NOTIFY_UNEXPECTED_NAT_DETECTED:
2513 notify_name = "unexpected_nat_detected";
2514 break;
2515
2516 case IV2_NOTIFY_USE_ASSIGNED_HOA:
2517 notify_name = "use_assigned_hoa";
2518 break;
2519
2520 case IV2_NOTIFY_TEMPORARY_FAILURE:
2521 notify_name = "temporary_failure";
2522 break;
2523
2524 case IV2_NOTIFY_CHILD_SA_NOT_FOUND:
2525 notify_name = "child_sa_not_found";
2526 break;
2527
2528 case IV2_NOTIFY_INVALID_GROUP_ID:
2529 notify_name = "invalid_group_id";
2530 break;
2531
2532 case IV2_NOTIFY_AUTHORIZATION_FAILED:
2533 notify_name = "authorization_failed";
2534 break;
2535
2536 case IV2_NOTIFY_STATE_NOT_FOUND:
2537 notify_name = "state_not_found";
2538 break;
2539
2540 case IV2_NOTIFY_INITIAL_CONTACT:
2541 notify_name = "initial_contact";
2542 break;
2543
2544 case IV2_NOTIFY_SET_WINDOW_SIZE:
2545 notify_name = "set_window_size";
2546 break;
2547
2548 case IV2_NOTIFY_ADDITIONAL_TS_POSSIBLE:
2549 notify_name = "additional_ts_possible";
2550 break;
2551
2552 case IV2_NOTIFY_IPCOMP_SUPPORTED:
2553 notify_name = "ipcomp_supported";
2554 break;
2555
2556 case IV2_NOTIFY_NAT_DETECTION_SOURCE_IP:
2557 notify_name = "nat_detection_source_ip";
2558 showspi = 1;
2559 break;
2560
2561 case IV2_NOTIFY_NAT_DETECTION_DESTINATION_IP:
2562 notify_name = "nat_detection_destination_ip";
2563 showspi = 1;
2564 break;
2565
2566 case IV2_NOTIFY_COOKIE:
2567 notify_name = "cookie";
2568 showspi = 1;
2569 showsomedata= 1;
2570 break;
2571
2572 case IV2_NOTIFY_USE_TRANSPORT_MODE:
2573 notify_name = "use_transport_mode";
2574 break;
2575
2576 case IV2_NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED:
2577 notify_name = "http_cert_lookup_supported";
2578 break;
2579
2580 case IV2_NOTIFY_REKEY_SA:
2581 notify_name = "rekey_sa";
2582 showspi = 1;
2583 break;
2584
2585 case IV2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED:
2586 notify_name = "tfc_padding_not_supported";
2587 break;
2588
2589 case IV2_NOTIFY_NON_FIRST_FRAGMENTS_ALSO:
2590 notify_name = "non_first_fragment_also";
2591 break;
2592
2593 case IV2_NOTIFY_MOBIKE_SUPPORTED:
2594 notify_name = "mobike_supported";
2595 break;
2596
2597 case IV2_NOTIFY_ADDITIONAL_IP4_ADDRESS:
2598 notify_name = "additional_ip4_address";
2599 break;
2600
2601 case IV2_NOTIFY_ADDITIONAL_IP6_ADDRESS:
2602 notify_name = "additional_ip6_address";
2603 break;
2604
2605 case IV2_NOTIFY_NO_ADDITIONAL_ADDRESSES:
2606 notify_name = "no_additional_addresses";
2607 break;
2608
2609 case IV2_NOTIFY_UPDATE_SA_ADDRESSES:
2610 notify_name = "update_sa_addresses";
2611 break;
2612
2613 case IV2_NOTIFY_COOKIE2:
2614 notify_name = "cookie2";
2615 break;
2616
2617 case IV2_NOTIFY_NO_NATS_ALLOWED:
2618 notify_name = "no_nats_allowed";
2619 break;
2620
2621 case IV2_NOTIFY_AUTH_LIFETIME:
2622 notify_name = "auth_lifetime";
2623 break;
2624
2625 case IV2_NOTIFY_MULTIPLE_AUTH_SUPPORTED:
2626 notify_name = "multiple_auth_supported";
2627 break;
2628
2629 case IV2_NOTIFY_ANOTHER_AUTH_FOLLOWS:
2630 notify_name = "another_auth_follows";
2631 break;
2632
2633 case IV2_NOTIFY_REDIRECT_SUPPORTED:
2634 notify_name = "redirect_supported";
2635 break;
2636
2637 case IV2_NOTIFY_REDIRECT:
2638 notify_name = "redirect";
2639 break;
2640
2641 case IV2_NOTIFY_REDIRECTED_FROM:
2642 notify_name = "redirected_from";
2643 break;
2644
2645 case IV2_NOTIFY_TICKET_LT_OPAQUE:
2646 notify_name = "ticket_lt_opaque";
2647 break;
2648
2649 case IV2_NOTIFY_TICKET_REQUEST:
2650 notify_name = "ticket_request";
2651 break;
2652
2653 case IV2_NOTIFY_TICKET_ACK:
2654 notify_name = "ticket_ack";
2655 break;
2656
2657 case IV2_NOTIFY_TICKET_NACK:
2658 notify_name = "ticket_nack";
2659 break;
2660
2661 case IV2_NOTIFY_TICKET_OPAQUE:
2662 notify_name = "ticket_opaque";
2663 break;
2664
2665 case IV2_NOTIFY_LINK_ID:
2666 notify_name = "link_id";
2667 break;
2668
2669 case IV2_NOTIFY_USE_WESP_MODE:
2670 notify_name = "use_wesp_mode";
2671 break;
2672
2673 case IV2_NOTIFY_ROHC_SUPPORTED:
2674 notify_name = "rohc_supported";
2675 break;
2676
2677 case IV2_NOTIFY_EAP_ONLY_AUTHENTICATION:
2678 notify_name = "eap_only_authentication";
2679 break;
2680
2681 case IV2_NOTIFY_CHILDLESS_IKEV2_SUPPORTED:
2682 notify_name = "childless_ikev2_supported";
2683 break;
2684
2685 case IV2_NOTIFY_QUICK_CRASH_DETECTION:
2686 notify_name = "quick_crash_detection";
2687 break;
2688
2689 case IV2_NOTIFY_IKEV2_MESSAGE_ID_SYNC_SUPPORTED:
2690 notify_name = "ikev2_message_id_sync_supported";
2691 break;
2692
2693 case IV2_NOTIFY_IPSEC_REPLAY_COUNTER_SYNC_SUPPORTED:
2694 notify_name = "ipsec_replay_counter_sync_supported";
2695 break;
2696
2697 case IV2_NOTIFY_IKEV2_MESSAGE_ID_SYNC:
2698 notify_name = "ikev2_message_id_sync";
2699 break;
2700
2701 case IV2_NOTIFY_IPSEC_REPLAY_COUNTER_SYNC:
2702 notify_name = "ipsec_replay_counter_sync";
2703 break;
2704
2705 case IV2_NOTIFY_SECURE_PASSWORD_METHODS:
2706 notify_name = "secure_password_methods";
2707 break;
2708
2709 case IV2_NOTIFY_PSK_PERSIST:
2710 notify_name = "psk_persist";
2711 break;
2712
2713 case IV2_NOTIFY_PSK_CONFIRM:
2714 notify_name = "psk_confirm";
2715 break;
2716
2717 case IV2_NOTIFY_ERX_SUPPORTED:
2718 notify_name = "erx_supported";
2719 break;
2720
2721 case IV2_NOTIFY_IFOM_CAPABILITY:
2722 notify_name = "ifom_capability";
2723 break;
2724
2725 case IV2_NOTIFY_SENDER_REQUEST_ID:
2726 notify_name = "sender_request_id";
2727 break;
2728
2729 case IV2_NOTIFY_IKEV2_FRAGMENTATION_SUPPORTED:
2730 notify_name = "ikev2_fragmentation_supported";
2731 break;
2732
2733 case IV2_NOTIFY_SIGNATURE_HASH_ALGORITHMS:
2734 notify_name = "signature_hash_algorithms";
2735 break;
2736
2737 case IV2_NOTIFY_CLONE_IKE_SA_SUPPORTED:
2738 notify_name = "clone_ike_sa_supported";
2739 break;
2740
2741 case IV2_NOTIFY_CLONE_IKE_SA:
2742 notify_name = "clone_ike_sa";
2743 break;
2744
2745 case IV2_NOTIFY_PUZZLE:
2746 notify_name = "puzzle";
2747 break;
2748
2749 case IV2_NOTIFY_USE_PPK:
2750 notify_name = "use_ppk";
2751 break;
2752
2753 case IV2_NOTIFY_PPK_IDENTITY:
2754 notify_name = "ppk_identity";
2755 break;
2756
2757 case IV2_NOTIFY_NO_PPK_AUTH:
2758 notify_name = "no_ppk_auth";
2759 break;
2760
2761 case IV2_NOTIFY_INTERMEDIATE_EXCHANGE_SUPPORTED:
2762 notify_name = "intermediate_exchange_supported";
2763 break;
2764
2765 case IV2_NOTIFY_IP4_ALLOWED:
2766 notify_name = "ip4_allowed";
2767 break;
2768
2769 case IV2_NOTIFY_IP6_ALLOWED:
2770 notify_name = "ip6_allowed";
2771 break;
2772
2773 case IV2_NOTIFY_ADDITIONAL_KEY_EXCHANGE:
2774 notify_name = "additional_key_exchange";
2775 break;
2776
2777 case IV2_NOTIFY_USE_AGGFRAG:
2778 notify_name = "use_aggfrag";
2779 break;
2780
2781 default:
2782 showspi = 1;
2783 if (type < 8192) {
2784 notify_name="error";
2785 } else if(type < 16384) {
2786 notify_name="private-error";
2787 } else if(type < 40960) {
2788 notify_name="status";
2789 } else {
2790 notify_name="private-status";
2791 }
2792 }
2793
2794 if(notify_name) {
2795 ND_PRINT(" type=%u(%s)", type, notify_name);
2796 }
2797
2798
2799 spi_size = GET_U_1(p->spi_size);
2800 if (showspi && spi_size) {
2801 ND_PRINT(" spi=");
2802 if (!rawprint(ndo, (const uint8_t *)(p + 1), spi_size))
2803 goto trunc;
2804 }
2805
2806 cp = (const u_char *)(p + 1) + spi_size;
2807
2808 if (cp < ep) {
2809 if (ndo->ndo_vflag > 3 || (showsomedata && ep-cp < 30)) {
2810 ND_PRINT(" data=(");
2811 if (!rawprint(ndo, (const uint8_t *)(cp), ep - cp))
2812 goto trunc;
2813
2814 ND_PRINT(")");
2815 } else if (showsomedata) {
2816 if (!ike_show_somedata(ndo, cp, ep))
2817 goto trunc;
2818 }
2819 }
2820
2821 return (const u_char *)ext + item_len;
2822 trunc:
2823 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_N));
2824 return NULL;
2825 }
2826
2827 static const u_char *
2828 ikev2_d_print(netdissect_options *ndo, u_char tpay,
2829 const struct isakmp_gen *ext,
2830 u_int item_len, const u_char *ep _U_,
2831 uint32_t phase _U_, uint32_t doi _U_,
2832 uint32_t proto _U_, int depth _U_)
2833 {
2834 return ikev2_gen_print(ndo, tpay, ext, item_len);
2835 }
2836
2837 static const u_char *
2838 ikev2_vid_print(netdissect_options *ndo, u_char tpay,
2839 const struct isakmp_gen *ext,
2840 u_int item_len, const u_char *ep _U_,
2841 uint32_t phase _U_, uint32_t doi _U_,
2842 uint32_t proto _U_, int depth _U_)
2843 {
2844 const u_char *vid;
2845 u_int len;
2846
2847 ND_TCHECK_SIZE(ext);
2848 ikev2_pay_print(ndo, NPSTR(tpay), GET_U_1(ext->critical));
2849
2850 /*
2851 * Our caller has ensured that the length is >= 4.
2852 */
2853 ND_PRINT(" len=%u vid=", item_len - 4);
2854
2855 vid = (const u_char *)(ext+1);
2856 len = item_len - 4;
2857 ND_TCHECK_LEN(vid, len);
2858 nd_printjn(ndo, vid, len);
2859 if (2 < ndo->ndo_vflag && 4 < len) {
2860 /* Print the entire payload in hex */
2861 ND_PRINT(" ");
2862 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
2863 goto trunc;
2864 }
2865 return (const u_char *)ext + item_len;
2866 trunc:
2867 ND_PRINT(" [|%s]", NPSTR(tpay));
2868 return NULL;
2869 }
2870
2871 static const u_char *
2872 ikev2_TS_print(netdissect_options *ndo, u_char tpay,
2873 const struct isakmp_gen *ext,
2874 u_int item_len, const u_char *ep _U_,
2875 uint32_t phase _U_, uint32_t doi _U_,
2876 uint32_t proto _U_, int depth _U_)
2877 {
2878 return ikev2_gen_print(ndo, tpay, ext, item_len);
2879 }
2880
2881 static const u_char *
2882 ikev2_e_print(netdissect_options *ndo,
2883 #ifndef HAVE_LIBCRYPTO
2884 _U_
2885 #endif
2886 const struct isakmp *base,
2887 u_char tpay,
2888 const struct isakmp_gen *ext,
2889 u_int item_len, const u_char *ep _U_,
2890 #ifndef HAVE_LIBCRYPTO
2891 _U_
2892 #endif
2893 uint32_t phase,
2894 #ifndef HAVE_LIBCRYPTO
2895 _U_
2896 #endif
2897 uint32_t doi,
2898 #ifndef HAVE_LIBCRYPTO
2899 _U_
2900 #endif
2901 uint32_t proto,
2902 #ifndef HAVE_LIBCRYPTO
2903 _U_
2904 #endif
2905 int depth)
2906 {
2907 const u_char *dat;
2908 u_int dlen;
2909 #ifdef HAVE_LIBCRYPTO
2910 uint8_t np;
2911 #endif
2912
2913 ND_TCHECK_SIZE(ext);
2914 ikev2_pay_print(ndo, NPSTR(tpay), GET_U_1(ext->critical));
2915
2916 dlen = item_len-4;
2917
2918 ND_PRINT(" len=%u", dlen);
2919 if (2 < ndo->ndo_vflag && 4 < dlen) {
2920 ND_PRINT(" ");
2921 if (!rawprint(ndo, (const uint8_t *)(ext + 1), dlen))
2922 goto trunc;
2923 }
2924
2925 dat = (const u_char *)(ext+1);
2926 ND_TCHECK_LEN(dat, dlen);
2927
2928 #ifdef HAVE_LIBCRYPTO
2929 np = GET_U_1(ext->np);
2930
2931 /* try to decrypt it! */
2932 if(esp_decrypt_buffer_by_ikev2_print(ndo,
2933 GET_U_1(base->flags) & ISAKMP_FLAG_I,
2934 base->i_ck, base->r_ck,
2935 dat, dat+dlen)) {
2936
2937 ext = (const struct isakmp_gen *)ndo->ndo_packetp;
2938
2939 /* got it decrypted, print stuff inside. */
2940 ikev2_sub_print(ndo, base, np, ext,
2941 ndo->ndo_snapend, phase, doi, proto, depth+1);
2942
2943 /*
2944 * esp_decrypt_buffer_by_ikev2_print pushed information
2945 * on the buffer stack; we're done with the buffer, so
2946 * pop it (which frees the buffer)
2947 */
2948 nd_pop_packet_info(ndo);
2949 }
2950 #endif
2951
2952
2953 /* always return NULL, because E must be at end, and NP refers
2954 * to what was inside.
2955 */
2956 return NULL;
2957 trunc:
2958 ND_PRINT(" [|%s]", NPSTR(tpay));
2959 return NULL;
2960 }
2961
2962 static const u_char *
2963 ikev2_cp_print(netdissect_options *ndo, u_char tpay,
2964 const struct isakmp_gen *ext,
2965 u_int item_len, const u_char *ep _U_,
2966 uint32_t phase _U_, uint32_t doi _U_,
2967 uint32_t proto _U_, int depth _U_)
2968 {
2969 return ikev2_gen_print(ndo, tpay, ext, item_len);
2970 }
2971
2972 static const u_char *
2973 ikev2_eap_print(netdissect_options *ndo, u_char tpay,
2974 const struct isakmp_gen *ext,
2975 u_int item_len, const u_char *ep _U_,
2976 uint32_t phase _U_, uint32_t doi _U_,
2977 uint32_t proto _U_, int depth _U_)
2978 {
2979 return ikev2_gen_print(ndo, tpay, ext, item_len);
2980 }
2981
2982 static const u_char *
2983 ike_sub0_print(netdissect_options *ndo,
2984 u_char np, const struct isakmp_gen *ext, const u_char *ep,
2985
2986 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
2987 {
2988 const u_char *cp;
2989 u_int item_len;
2990
2991 cp = (const u_char *)ext;
2992 ND_TCHECK_SIZE(ext);
2993
2994 /*
2995 * Since we can't have a payload length of less than 4 bytes,
2996 * we need to bail out here if the generic header is nonsensical
2997 * or truncated, otherwise we could loop forever processing
2998 * zero-length items or otherwise misdissect the packet.
2999 */
3000 item_len = GET_BE_U_2(ext->len);
3001 if (item_len <= 4)
3002 return NULL;
3003
3004 if (NPFUNC(np)) {
3005 /*
3006 * XXX - what if item_len is too short, or too long,
3007 * for this payload type?
3008 */
3009 cp = (*npfunc[np])(ndo, np, ext, item_len, ep, phase, doi, proto, depth);
3010 } else {
3011 ND_PRINT("%s", NPSTR(np));
3012 cp += item_len;
3013 }
3014
3015 return cp;
3016 trunc:
3017 nd_print_trunc(ndo);
3018 return NULL;
3019 }
3020
3021 static const u_char *
3022 ikev1_sub_print(netdissect_options *ndo,
3023 u_char np, const struct isakmp_gen *ext, const u_char *ep,
3024 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
3025 {
3026 const u_char *cp;
3027 int i;
3028 u_int item_len;
3029
3030 cp = (const u_char *)ext;
3031
3032 while (np) {
3033 ND_TCHECK_SIZE(ext);
3034
3035 item_len = GET_BE_U_2(ext->len);
3036 ND_TCHECK_LEN(ext, item_len);
3037
3038 depth++;
3039 ND_PRINT("\n");
3040 for (i = 0; i < depth; i++)
3041 ND_PRINT(" ");
3042 ND_PRINT("(");
3043 cp = ike_sub0_print(ndo, np, ext, ep, phase, doi, proto, depth);
3044 ND_PRINT(")");
3045 depth--;
3046
3047 if (cp == NULL) {
3048 /* Zero-length subitem */
3049 return NULL;
3050 }
3051
3052 np = GET_U_1(ext->np);
3053 ext = (const struct isakmp_gen *)cp;
3054 }
3055 return cp;
3056 trunc:
3057 ND_PRINT(" [|%s]", NPSTR(np));
3058 return NULL;
3059 }
3060
3061 static char *
3062 numstr(u_int x)
3063 {
3064 static char buf[20];
3065 snprintf(buf, sizeof(buf), "#%u", x);
3066 return buf;
3067 }
3068
3069 static void
3070 ikev1_print(netdissect_options *ndo,
3071 const u_char *bp, u_int length,
3072 const u_char *bp2, const struct isakmp *base)
3073 {
3074 const struct isakmp *p;
3075 const u_char *ep;
3076 u_int flags;
3077 u_char np;
3078 int i;
3079 u_int phase;
3080
3081 p = (const struct isakmp *)bp;
3082 ep = ndo->ndo_snapend;
3083
3084 phase = (GET_BE_U_4(base->msgid) == 0) ? 1 : 2;
3085 if (phase == 1)
3086 ND_PRINT(" phase %u", phase);
3087 else
3088 ND_PRINT(" phase %u/others", phase);
3089
3090 i = cookie_find(&base->i_ck);
3091 if (i < 0) {
3092 if (iszero(ndo, base->r_ck, sizeof(base->r_ck))) {
3093 /* the first packet */
3094 ND_PRINT(" I");
3095 if (bp2)
3096 cookie_record(ndo, &base->i_ck, bp2);
3097 } else
3098 ND_PRINT(" ?");
3099 } else {
3100 if (bp2 && cookie_isinitiator(ndo, i, bp2))
3101 ND_PRINT(" I");
3102 else if (bp2 && cookie_isresponder(ndo, i, bp2))
3103 ND_PRINT(" R");
3104 else
3105 ND_PRINT(" ?");
3106 }
3107
3108 ND_PRINT(" %s", ETYPESTR(GET_U_1(base->etype)));
3109 flags = GET_U_1(base->flags);
3110 if (flags) {
3111 ND_PRINT("[%s%s]", flags & ISAKMP_FLAG_E ? "E" : "",
3112 flags & ISAKMP_FLAG_C ? "C" : "");
3113 }
3114
3115 if (ndo->ndo_vflag) {
3116 const struct isakmp_gen *ext;
3117
3118 ND_PRINT(":");
3119
3120 np = GET_U_1(base->np);
3121
3122 /* regardless of phase... */
3123 if (flags & ISAKMP_FLAG_E) {
3124 /*
3125 * encrypted, nothing we can do right now.
3126 * we hope to decrypt the packet in the future...
3127 */
3128 ND_PRINT(" [encrypted %s]", NPSTR(np));
3129 goto done;
3130 }
3131
3132 CHECKLEN(p + 1, np);
3133 ext = (const struct isakmp_gen *)(p + 1);
3134 ikev1_sub_print(ndo, np, ext, ep, phase, 0, 0, 0);
3135 }
3136
3137 done:
3138 if (ndo->ndo_vflag) {
3139 if (GET_BE_U_4(base->len) != length) {
3140 ND_PRINT(" (len mismatch: isakmp %u/ip %u)",
3141 GET_BE_U_4(base->len), length);
3142 }
3143 }
3144 }
3145
3146 static const u_char *
3147 ikev2_sub0_print(netdissect_options *ndo, const struct isakmp *base,
3148 u_char np,
3149 const struct isakmp_gen *ext, const u_char *ep,
3150 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
3151 {
3152 const u_char *cp;
3153 u_int item_len;
3154
3155 cp = (const u_char *)ext;
3156 ND_TCHECK_SIZE(ext);
3157
3158 /*
3159 * Since we can't have a payload length of less than 4 bytes,
3160 * we need to bail out here if the generic header is nonsensical
3161 * or truncated, otherwise we could loop forever processing
3162 * zero-length items or otherwise misdissect the packet.
3163 */
3164 item_len = GET_BE_U_2(ext->len);
3165 if (item_len <= 4)
3166 return NULL;
3167
3168 if (np == ISAKMP_NPTYPE_v2E) {
3169 cp = ikev2_e_print(ndo, base, np, ext, item_len,
3170 ep, phase, doi, proto, depth);
3171 } else if (NPFUNC(np)) {
3172 /*
3173 * XXX - what if item_len is too short, or too long,
3174 * for this payload type?
3175 */
3176 cp = (*npfunc[np])(ndo, np, ext, item_len,
3177 ep, phase, doi, proto, depth);
3178 } else {
3179 ND_PRINT("%s", NPSTR(np));
3180 cp += item_len;
3181 }
3182
3183 return cp;
3184 trunc:
3185 nd_print_trunc(ndo);
3186 return NULL;
3187 }
3188
3189 static const u_char *
3190 ikev2_sub_print(netdissect_options *ndo,
3191 const struct isakmp *base,
3192 u_char np, const struct isakmp_gen *ext, const u_char *ep,
3193 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
3194 {
3195 const u_char *cp;
3196 int i;
3197
3198 cp = (const u_char *)ext;
3199 while (np) {
3200 ND_TCHECK_SIZE(ext);
3201
3202 ND_TCHECK_LEN(ext, GET_BE_U_2(ext->len));
3203
3204 depth++;
3205 ND_PRINT("\n");
3206 for (i = 0; i < depth; i++)
3207 ND_PRINT(" ");
3208 ND_PRINT("(");
3209 cp = ikev2_sub0_print(ndo, base, np,
3210 ext, ep, phase, doi, proto, depth);
3211 ND_PRINT(")");
3212 depth--;
3213
3214 if (cp == NULL) {
3215 /* Zero-length subitem */
3216 return NULL;
3217 }
3218
3219 np = GET_U_1(ext->np);
3220 ext = (const struct isakmp_gen *)cp;
3221 }
3222 return cp;
3223 trunc:
3224 ND_PRINT(" [|%s]", NPSTR(np));
3225 return NULL;
3226 }
3227
3228 static void
3229 ikev2_print(netdissect_options *ndo,
3230 const u_char *bp, u_int length,
3231 const u_char *bp2 _U_, const struct isakmp *base)
3232 {
3233 const struct isakmp *p;
3234 const u_char *ep;
3235 uint8_t flags;
3236 u_char np;
3237 u_int phase;
3238
3239 p = (const struct isakmp *)bp;
3240 ep = ndo->ndo_snapend;
3241
3242 phase = (GET_BE_U_4(base->msgid) == 0) ? 1 : 2;
3243 if (phase == 1)
3244 ND_PRINT(" parent_sa");
3245 else
3246 ND_PRINT(" child_sa ");
3247
3248 ND_PRINT(" %s", ETYPESTR(GET_U_1(base->etype)));
3249 flags = GET_U_1(base->flags);
3250 if (flags) {
3251 ND_PRINT("[%s%s%s]",
3252 flags & ISAKMP_FLAG_I ? "I" : "",
3253 flags & ISAKMP_FLAG_V ? "V" : "",
3254 flags & ISAKMP_FLAG_R ? "R" : "");
3255 }
3256
3257 if (ndo->ndo_vflag) {
3258 const struct isakmp_gen *ext;
3259
3260 ND_PRINT(":");
3261
3262 np = GET_U_1(base->np);
3263
3264 /* regardless of phase... */
3265 if (flags & ISAKMP_FLAG_E) {
3266 /*
3267 * encrypted, nothing we can do right now.
3268 * we hope to decrypt the packet in the future...
3269 */
3270 ND_PRINT(" [encrypted %s]", NPSTR(np));
3271 goto done;
3272 }
3273
3274 CHECKLEN(p + 1, np)
3275 ext = (const struct isakmp_gen *)(p + 1);
3276 ikev2_sub_print(ndo, base, np, ext, ep, phase, 0, 0, 0);
3277 }
3278
3279 done:
3280 if (ndo->ndo_vflag) {
3281 if (GET_BE_U_4(base->len) != length) {
3282 ND_PRINT(" (len mismatch: isakmp %u/ip %u)",
3283 GET_BE_U_4(base->len), length);
3284 }
3285 }
3286 }
3287
3288 void
3289 isakmp_print(netdissect_options *ndo,
3290 const u_char *bp, u_int length,
3291 const u_char *bp2)
3292 {
3293 const struct isakmp *p;
3294 const u_char *ep;
3295 u_int major, minor;
3296
3297 ndo->ndo_protocol = "isakmp";
3298 #ifdef HAVE_LIBCRYPTO
3299 /* initialize SAs */
3300 if (ndo->ndo_sa_list_head == NULL) {
3301 if (ndo->ndo_espsecret)
3302 esp_decodesecret_print(ndo);
3303 }
3304 #endif
3305
3306 p = (const struct isakmp *)bp;
3307 ep = ndo->ndo_snapend;
3308
3309 if ((const struct isakmp *)ep < p + 1) {
3310 nd_print_trunc(ndo);
3311 return;
3312 }
3313
3314 ND_PRINT("isakmp");
3315 major = (GET_U_1(p->vers) & ISAKMP_VERS_MAJOR)
3316 >> ISAKMP_VERS_MAJOR_SHIFT;
3317 minor = (GET_U_1(p->vers) & ISAKMP_VERS_MINOR)
3318 >> ISAKMP_VERS_MINOR_SHIFT;
3319
3320 if (ndo->ndo_vflag) {
3321 ND_PRINT(" %u.%u", major, minor);
3322 }
3323
3324 if (ndo->ndo_vflag) {
3325 ND_PRINT(" msgid ");
3326 hexprint(ndo, p->msgid, sizeof(p->msgid));
3327 }
3328
3329 if (1 < ndo->ndo_vflag) {
3330 ND_PRINT(" cookie ");
3331 hexprint(ndo, p->i_ck, sizeof(p->i_ck));
3332 ND_PRINT("->");
3333 hexprint(ndo, p->r_ck, sizeof(p->r_ck));
3334 }
3335 ND_PRINT(":");
3336
3337 switch(major) {
3338 case IKEv1_MAJOR_VERSION:
3339 ikev1_print(ndo, bp, length, bp2, p);
3340 break;
3341
3342 case IKEv2_MAJOR_VERSION:
3343 ikev2_print(ndo, bp, length, bp2, p);
3344 break;
3345 }
3346 }
3347
3348 void
3349 isakmp_rfc3948_print(netdissect_options *ndo,
3350 const u_char *bp, u_int length,
3351 const u_char *bp2, int ver, int fragmented, u_int ttl_hl)
3352 {
3353 ndo->ndo_protocol = "isakmp_rfc3948";
3354 if(length == 1 && GET_U_1(bp)==0xff) {
3355 ND_PRINT("isakmp-nat-keep-alive");
3356 return;
3357 }
3358
3359 if(length < 4) {
3360 goto trunc;
3361 }
3362
3363 /*
3364 * see if this is an IKE packet
3365 */
3366 if (GET_BE_U_4(bp) == 0) {
3367 ND_PRINT("NONESP-encap: ");
3368 isakmp_print(ndo, bp+4, length-4, bp2);
3369 return;
3370 }
3371
3372 /* must be an ESP packet */
3373 {
3374 ND_PRINT("UDP-encap: ");
3375
3376 esp_print(ndo, bp, length, bp2, ver, fragmented, ttl_hl);
3377
3378 /*
3379 * Either this has decrypted the payload and
3380 * printed it, in which case there's nothing more
3381 * to do, or it hasn't, in which case there's
3382 * nothing more to do.
3383 */
3384 return;
3385 }
3386
3387 trunc:
3388 nd_print_trunc(ndo);
3389 }
[mirror] the TCPdump network dissector