]> The Tcpdump Group git mirrors - tcpdump/blob - print-isakmp.c
projects / tcpdump / blob
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Put a variable only used if we have libcrypto under HAVE_LIBCRYPTO.
[tcpdump] / print-isakmp.c
1 /*
2 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. Neither the name of the project nor the names of its contributors
14 * may be used to endorse or promote products derived from this software
15 * without specific prior written permission.
16 *
17 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27 * SUCH DAMAGE.
28 *
29 */
30
31 /* \summary: Internet Security Association and Key Management Protocol (ISAKMP) printer */
32
33 /* specification: RFC 2407, RFC 2408, RFC 5996 */
34
35 #ifdef HAVE_CONFIG_H
36 #include "config.h"
37 #endif
38
39 /* The functions from print-esp.c used in this file are only defined when both
40 * OpenSSL and evp.h are detected. Employ the same preprocessor device here.
41 */
42 #ifndef HAVE_OPENSSL_EVP_H
43 #undef HAVE_LIBCRYPTO
44 #endif
45
46 #include <netdissect-stdinc.h>
47
48 #include <string.h>
49
50 #include "netdissect.h"
51 #include "addrtoname.h"
52 #include "extract.h"
53
54 #include "ip.h"
55 #include "ip6.h"
56 #include "ipproto.h"
57
58 typedef nd_byte cookie_t[8];
59 typedef nd_byte msgid_t[4];
60
61 #define PORT_ISAKMP 500
62
63 /* 3.1 ISAKMP Header Format (IKEv1 and IKEv2)
64 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
65 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
66 ! Initiator !
67 ! Cookie !
68 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
69 ! Responder !
70 ! Cookie !
71 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
72 ! Next Payload ! MjVer ! MnVer ! Exchange Type ! Flags !
73 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
74 ! Message ID !
75 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
76 ! Length !
77 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
78 */
79 struct isakmp {
80 cookie_t i_ck; /* Initiator Cookie */
81 cookie_t r_ck; /* Responder Cookie */
82 nd_uint8_t np; /* Next Payload Type */
83 nd_uint8_t vers;
84 #define ISAKMP_VERS_MAJOR 0xf0
85 #define ISAKMP_VERS_MAJOR_SHIFT 4
86 #define ISAKMP_VERS_MINOR 0x0f
87 #define ISAKMP_VERS_MINOR_SHIFT 0
88 nd_uint8_t etype; /* Exchange Type */
89 nd_uint8_t flags; /* Flags */
90 msgid_t msgid;
91 nd_uint32_t len; /* Length */
92 };
93
94 /* Next Payload Type */
95 #define ISAKMP_NPTYPE_NONE 0 /* NONE*/
96 #define ISAKMP_NPTYPE_SA 1 /* Security Association */
97 #define ISAKMP_NPTYPE_P 2 /* Proposal */
98 #define ISAKMP_NPTYPE_T 3 /* Transform */
99 #define ISAKMP_NPTYPE_KE 4 /* Key Exchange */
100 #define ISAKMP_NPTYPE_ID 5 /* Identification */
101 #define ISAKMP_NPTYPE_CERT 6 /* Certificate */
102 #define ISAKMP_NPTYPE_CR 7 /* Certificate Request */
103 #define ISAKMP_NPTYPE_HASH 8 /* Hash */
104 #define ISAKMP_NPTYPE_SIG 9 /* Signature */
105 #define ISAKMP_NPTYPE_NONCE 10 /* Nonce */
106 #define ISAKMP_NPTYPE_N 11 /* Notification */
107 #define ISAKMP_NPTYPE_D 12 /* Delete */
108 #define ISAKMP_NPTYPE_VID 13 /* Vendor ID */
109 #define ISAKMP_NPTYPE_v2E 46 /* v2 Encrypted payload */
110
111 #define IKEv1_MAJOR_VERSION 1
112 #define IKEv1_MINOR_VERSION 0
113
114 #define IKEv2_MAJOR_VERSION 2
115 #define IKEv2_MINOR_VERSION 0
116
117 /* Flags */
118 #define ISAKMP_FLAG_E 0x01 /* Encryption Bit */
119 #define ISAKMP_FLAG_C 0x02 /* Commit Bit */
120 #define ISAKMP_FLAG_extra 0x04
121
122 /* IKEv2 */
123 #define ISAKMP_FLAG_I (1 << 3) /* (I)nitiator */
124 #define ISAKMP_FLAG_V (1 << 4) /* (V)ersion */
125 #define ISAKMP_FLAG_R (1 << 5) /* (R)esponse */
126
127
128 /* 3.2 Payload Generic Header
129 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
130 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
131 ! Next Payload ! RESERVED ! Payload Length !
132 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
133 */
134 struct isakmp_gen {
135 nd_uint8_t np; /* Next Payload */
136 nd_uint8_t critical; /* bit 7 - critical, rest is RESERVED */
137 nd_uint16_t len; /* Payload Length */
138 };
139
140 /* 3.3 Data Attributes
141 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
142 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
143 !A! Attribute Type ! AF=0 Attribute Length !
144 !F! ! AF=1 Attribute Value !
145 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
146 . AF=0 Attribute Value .
147 . AF=1 Not Transmitted .
148 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
149 */
150 struct isakmp_data {
151 nd_uint16_t type; /* defined by DOI-spec, and Attribute Format */
152 nd_uint16_t lorv; /* if f equal 1, Attribute Length */
153 /* if f equal 0, Attribute Value */
154 /* if f equal 1, Attribute Value */
155 };
156
157 /* 3.4 Security Association Payload */
158 /* MAY NOT be used, because of being defined in ipsec-doi. */
159 /*
160 If the current payload is the last in the message,
161 then the value of the next payload field will be 0.
162 This field MUST NOT contain the
163 values for the Proposal or Transform payloads as they are considered
164 part of the security association negotiation. For example, this
165 field would contain the value "10" (Nonce payload) in the first
166 message of a Base Exchange (see Section 4.4) and the value "0" in the
167 first message of an Identity Protect Exchange (see Section 4.5).
168 */
169 struct ikev1_pl_sa {
170 struct isakmp_gen h;
171 nd_uint32_t doi; /* Domain of Interpretation */
172 nd_uint32_t sit; /* Situation */
173 };
174
175 /* 3.5 Proposal Payload */
176 /*
177 The value of the next payload field MUST only contain the value "2"
178 or "0". If there are additional Proposal payloads in the message,
179 then this field will be 2. If the current Proposal payload is the
180 last within the security association proposal, then this field will
181 be 0.
182 */
183 struct ikev1_pl_p {
184 struct isakmp_gen h;
185 nd_uint8_t p_no; /* Proposal # */
186 nd_uint8_t prot_id; /* Protocol */
187 nd_uint8_t spi_size; /* SPI Size */
188 nd_uint8_t num_t; /* Number of Transforms */
189 /* SPI */
190 };
191
192 /* 3.6 Transform Payload */
193 /*
194 The value of the next payload field MUST only contain the value "3"
195 or "0". If there are additional Transform payloads in the proposal,
196 then this field will be 3. If the current Transform payload is the
197 last within the proposal, then this field will be 0.
198 */
199 struct ikev1_pl_t {
200 struct isakmp_gen h;
201 nd_uint8_t t_no; /* Transform # */
202 nd_uint8_t t_id; /* Transform-Id */
203 nd_byte reserved[2]; /* RESERVED2 */
204 /* SA Attributes */
205 };
206
207 /* 3.7 Key Exchange Payload */
208 struct ikev1_pl_ke {
209 struct isakmp_gen h;
210 /* Key Exchange Data */
211 };
212
213 /* 3.8 Identification Payload */
214 /* MUST NOT to be used, because of being defined in ipsec-doi. */
215 struct ikev1_pl_id {
216 struct isakmp_gen h;
217 union {
218 nd_uint8_t id_type; /* ID Type */
219 nd_uint32_t doi_data; /* DOI Specific ID Data */
220 } d;
221 /* Identification Data */
222 };
223
224 /* 3.9 Certificate Payload */
225 struct ikev1_pl_cert {
226 struct isakmp_gen h;
227 nd_uint8_t encode; /* Cert Encoding */
228 nd_uint8_t cert; /* Certificate Data */
229 /*
230 This field indicates the type of
231 certificate or certificate-related information contained in the
232 Certificate Data field.
233 */
234 };
235
236 /* 3.10 Certificate Request Payload */
237 struct ikev1_pl_cr {
238 struct isakmp_gen h;
239 nd_uint8_t num_cert; /* # Cert. Types */
240 /*
241 Certificate Types (variable length)
242 -- Contains a list of the types of certificates requested,
243 sorted in order of preference. Each individual certificate
244 type is 1 octet. This field is NOT requiredo
245 */
246 /* # Certificate Authorities (1 octet) */
247 /* Certificate Authorities (variable length) */
248 };
249
250 /* 3.11 Hash Payload */
251 /* may not be used, because of having only data. */
252 struct ikev1_pl_hash {
253 struct isakmp_gen h;
254 /* Hash Data */
255 };
256
257 /* 3.12 Signature Payload */
258 /* may not be used, because of having only data. */
259 struct ikev1_pl_sig {
260 struct isakmp_gen h;
261 /* Signature Data */
262 };
263
264 /* 3.13 Nonce Payload */
265 /* may not be used, because of having only data. */
266 struct ikev1_pl_nonce {
267 struct isakmp_gen h;
268 /* Nonce Data */
269 };
270
271 /* 3.14 Notification Payload */
272 struct ikev1_pl_n {
273 struct isakmp_gen h;
274 nd_uint32_t doi; /* Domain of Interpretation */
275 nd_uint8_t prot_id; /* Protocol-ID */
276 nd_uint8_t spi_size; /* SPI Size */
277 nd_uint16_t type; /* Notify Message Type */
278 /* SPI */
279 /* Notification Data */
280 };
281
282 /* 3.14.1 Notify Message Types */
283 /* NOTIFY MESSAGES - ERROR TYPES */
284 #define ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE 1
285 #define ISAKMP_NTYPE_DOI_NOT_SUPPORTED 2
286 #define ISAKMP_NTYPE_SITUATION_NOT_SUPPORTED 3
287 #define ISAKMP_NTYPE_INVALID_COOKIE 4
288 #define ISAKMP_NTYPE_INVALID_MAJOR_VERSION 5
289 #define ISAKMP_NTYPE_INVALID_MINOR_VERSION 6
290 #define ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE 7
291 #define ISAKMP_NTYPE_INVALID_FLAGS 8
292 #define ISAKMP_NTYPE_INVALID_MESSAGE_ID 9
293 #define ISAKMP_NTYPE_INVALID_PROTOCOL_ID 10
294 #define ISAKMP_NTYPE_INVALID_SPI 11
295 #define ISAKMP_NTYPE_INVALID_TRANSFORM_ID 12
296 #define ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED 13
297 #define ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN 14
298 #define ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX 15
299 #define ISAKMP_NTYPE_PAYLOAD_MALFORMED 16
300 #define ISAKMP_NTYPE_INVALID_KEY_INFORMATION 17
301 #define ISAKMP_NTYPE_INVALID_ID_INFORMATION 18
302 #define ISAKMP_NTYPE_INVALID_CERT_ENCODING 19
303 #define ISAKMP_NTYPE_INVALID_CERTIFICATE 20
304 #define ISAKMP_NTYPE_BAD_CERT_REQUEST_SYNTAX 21
305 #define ISAKMP_NTYPE_INVALID_CERT_AUTHORITY 22
306 #define ISAKMP_NTYPE_INVALID_HASH_INFORMATION 23
307 #define ISAKMP_NTYPE_AUTHENTICATION_FAILED 24
308 #define ISAKMP_NTYPE_INVALID_SIGNATURE 25
309 #define ISAKMP_NTYPE_ADDRESS_NOTIFICATION 26
310
311 /* 3.15 Delete Payload */
312 struct ikev1_pl_d {
313 struct isakmp_gen h;
314 nd_uint32_t doi; /* Domain of Interpretation */
315 nd_uint8_t prot_id; /* Protocol-Id */
316 nd_uint8_t spi_size; /* SPI Size */
317 nd_uint16_t num_spi; /* # of SPIs */
318 /* SPI(es) */
319 };
320
321 /* IKEv2 (RFC4306) */
322
323 /* 3.3 Security Association Payload -- generic header */
324 /* 3.3.1. Proposal Substructure */
325 struct ikev2_p {
326 struct isakmp_gen h;
327 nd_uint8_t p_no; /* Proposal # */
328 nd_uint8_t prot_id; /* Protocol */
329 nd_uint8_t spi_size; /* SPI Size */
330 nd_uint8_t num_t; /* Number of Transforms */
331 };
332
333 /* 3.3.2. Transform Substructure */
334 struct ikev2_t {
335 struct isakmp_gen h;
336 nd_uint8_t t_type; /* Transform Type (ENCR,PRF,INTEG,etc.*/
337 nd_byte res2; /* reserved byte */
338 nd_uint16_t t_id; /* Transform ID */
339 };
340
341 enum ikev2_t_type {
342 IV2_T_ENCR = 1,
343 IV2_T_PRF = 2,
344 IV2_T_INTEG= 3,
345 IV2_T_DH = 4,
346 IV2_T_ESN = 5
347 };
348
349 /* 3.4. Key Exchange Payload */
350 struct ikev2_ke {
351 struct isakmp_gen h;
352 nd_uint16_t ke_group;
353 nd_uint16_t ke_res1;
354 /* KE data */
355 };
356
357
358 /* 3.5. Identification Payloads */
359 enum ikev2_id_type {
360 ID_IPV4_ADDR=1,
361 ID_FQDN=2,
362 ID_RFC822_ADDR=3,
363 ID_IPV6_ADDR=5,
364 ID_DER_ASN1_DN=9,
365 ID_DER_ASN1_GN=10,
366 ID_KEY_ID=11
367 };
368 struct ikev2_id {
369 struct isakmp_gen h;
370 nd_uint8_t type; /* ID type */
371 nd_byte res1;
372 nd_byte res2[2];
373 /* SPI */
374 /* Notification Data */
375 };
376
377 /* 3.10 Notification Payload */
378 struct ikev2_n {
379 struct isakmp_gen h;
380 nd_uint8_t prot_id; /* Protocol-ID */
381 nd_uint8_t spi_size; /* SPI Size */
382 nd_uint16_t type; /* Notify Message Type */
383 };
384
385 enum ikev2_n_type {
386 IV2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD = 1,
387 IV2_NOTIFY_INVALID_IKE_SPI = 4,
388 IV2_NOTIFY_INVALID_MAJOR_VERSION = 5,
389 IV2_NOTIFY_INVALID_SYNTAX = 7,
390 IV2_NOTIFY_INVALID_MESSAGE_ID = 9,
391 IV2_NOTIFY_INVALID_SPI =11,
392 IV2_NOTIFY_NO_PROPOSAL_CHOSEN =14,
393 IV2_NOTIFY_INVALID_KE_PAYLOAD =17,
394 IV2_NOTIFY_AUTHENTICATION_FAILED =24,
395 IV2_NOTIFY_SINGLE_PAIR_REQUIRED =34,
396 IV2_NOTIFY_NO_ADDITIONAL_SAS =35,
397 IV2_NOTIFY_INTERNAL_ADDRESS_FAILURE =36,
398 IV2_NOTIFY_FAILED_CP_REQUIRED =37,
399 IV2_NOTIFY_INVALID_SELECTORS =39,
400 IV2_NOTIFY_INITIAL_CONTACT =16384,
401 IV2_NOTIFY_SET_WINDOW_SIZE =16385,
402 IV2_NOTIFY_ADDITIONAL_TS_POSSIBLE =16386,
403 IV2_NOTIFY_IPCOMP_SUPPORTED =16387,
404 IV2_NOTIFY_NAT_DETECTION_SOURCE_IP =16388,
405 IV2_NOTIFY_NAT_DETECTION_DESTINATION_IP =16389,
406 IV2_NOTIFY_COOKIE =16390,
407 IV2_NOTIFY_USE_TRANSPORT_MODE =16391,
408 IV2_NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED =16392,
409 IV2_NOTIFY_REKEY_SA =16393,
410 IV2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED =16394,
411 IV2_NOTIFY_NON_FIRST_FRAGMENTS_ALSO =16395
412 };
413
414 struct notify_messages {
415 uint16_t type;
416 char *msg;
417 };
418
419 /* 3.8 Authentication Payload */
420 struct ikev2_auth {
421 struct isakmp_gen h;
422 nd_uint8_t auth_method; /* Protocol-ID */
423 nd_byte reserved[3];
424 /* authentication data */
425 };
426
427 enum ikev2_auth_type {
428 IV2_RSA_SIG = 1,
429 IV2_SHARED = 2,
430 IV2_DSS_SIG = 3
431 };
432
433 /* refer to RFC 2409 */
434
435 #if 0
436 /* isakmp sa structure */
437 struct oakley_sa {
438 uint8_t proto_id; /* OAKLEY */
439 vchar_t *spi; /* spi */
440 uint8_t dhgrp; /* DH; group */
441 uint8_t auth_t; /* method of authentication */
442 uint8_t prf_t; /* type of prf */
443 uint8_t hash_t; /* type of hash */
444 uint8_t enc_t; /* type of cipher */
445 uint8_t life_t; /* type of duration of lifetime */
446 uint32_t ldur; /* life duration */
447 };
448 #endif
449
450 /* refer to RFC 2407 */
451
452 #define IPSEC_DOI 1
453
454 /* 4.2 IPSEC Situation Definition */
455 #define IPSECDOI_SIT_IDENTITY_ONLY 0x00000001
456 #define IPSECDOI_SIT_SECRECY 0x00000002
457 #define IPSECDOI_SIT_INTEGRITY 0x00000004
458
459 /* 4.4.1 IPSEC Security Protocol Identifiers */
460 /* 4.4.2 IPSEC ISAKMP Transform Values */
461 #define IPSECDOI_PROTO_ISAKMP 1
462 #define IPSECDOI_KEY_IKE 1
463
464 /* 4.4.1 IPSEC Security Protocol Identifiers */
465 #define IPSECDOI_PROTO_IPSEC_AH 2
466 /* 4.4.3 IPSEC AH Transform Values */
467 #define IPSECDOI_AH_MD5 2
468 #define IPSECDOI_AH_SHA 3
469 #define IPSECDOI_AH_DES 4
470 #define IPSECDOI_AH_SHA2_256 5
471 #define IPSECDOI_AH_SHA2_384 6
472 #define IPSECDOI_AH_SHA2_512 7
473
474 /* 4.4.1 IPSEC Security Protocol Identifiers */
475 #define IPSECDOI_PROTO_IPSEC_ESP 3
476 /* 4.4.4 IPSEC ESP Transform Identifiers */
477 #define IPSECDOI_ESP_DES_IV64 1
478 #define IPSECDOI_ESP_DES 2
479 #define IPSECDOI_ESP_3DES 3
480 #define IPSECDOI_ESP_RC5 4
481 #define IPSECDOI_ESP_IDEA 5
482 #define IPSECDOI_ESP_CAST 6
483 #define IPSECDOI_ESP_BLOWFISH 7
484 #define IPSECDOI_ESP_3IDEA 8
485 #define IPSECDOI_ESP_DES_IV32 9
486 #define IPSECDOI_ESP_RC4 10
487 #define IPSECDOI_ESP_NULL 11
488 #define IPSECDOI_ESP_RIJNDAEL 12
489 #define IPSECDOI_ESP_AES 12
490
491 /* 4.4.1 IPSEC Security Protocol Identifiers */
492 #define IPSECDOI_PROTO_IPCOMP 4
493 /* 4.4.5 IPSEC IPCOMP Transform Identifiers */
494 #define IPSECDOI_IPCOMP_OUI 1
495 #define IPSECDOI_IPCOMP_DEFLATE 2
496 #define IPSECDOI_IPCOMP_LZS 3
497
498 /* 4.5 IPSEC Security Association Attributes */
499 #define IPSECDOI_ATTR_SA_LTYPE 1 /* B */
500 #define IPSECDOI_ATTR_SA_LTYPE_DEFAULT 1
501 #define IPSECDOI_ATTR_SA_LTYPE_SEC 1
502 #define IPSECDOI_ATTR_SA_LTYPE_KB 2
503 #define IPSECDOI_ATTR_SA_LDUR 2 /* V */
504 #define IPSECDOI_ATTR_SA_LDUR_DEFAULT 28800 /* 8 hours */
505 #define IPSECDOI_ATTR_GRP_DESC 3 /* B */
506 #define IPSECDOI_ATTR_ENC_MODE 4 /* B */
507 /* default value: host dependent */
508 #define IPSECDOI_ATTR_ENC_MODE_TUNNEL 1
509 #define IPSECDOI_ATTR_ENC_MODE_TRNS 2
510 #define IPSECDOI_ATTR_AUTH 5 /* B */
511 /* 0 means not to use authentication. */
512 #define IPSECDOI_ATTR_AUTH_HMAC_MD5 1
513 #define IPSECDOI_ATTR_AUTH_HMAC_SHA1 2
514 #define IPSECDOI_ATTR_AUTH_DES_MAC 3
515 #define IPSECDOI_ATTR_AUTH_KPDK 4 /*RFC-1826(Key/Pad/Data/Key)*/
516 /*
517 * When negotiating ESP without authentication, the Auth
518 * Algorithm attribute MUST NOT be included in the proposal.
519 * When negotiating ESP without confidentiality, the Auth
520 * Algorithm attribute MUST be included in the proposal and
521 * the ESP transform ID must be ESP_NULL.
522 */
523 #define IPSECDOI_ATTR_KEY_LENGTH 6 /* B */
524 #define IPSECDOI_ATTR_KEY_ROUNDS 7 /* B */
525 #define IPSECDOI_ATTR_COMP_DICT_SIZE 8 /* B */
526 #define IPSECDOI_ATTR_COMP_PRIVALG 9 /* V */
527
528 /* 4.6.1 Security Association Payload */
529 struct ipsecdoi_sa {
530 struct isakmp_gen h;
531 nd_uint32_t doi; /* Domain of Interpretation */
532 nd_uint32_t sit; /* Situation */
533 };
534
535 struct ipsecdoi_secrecy_h {
536 nd_uint16_t len;
537 nd_uint16_t reserved;
538 };
539
540 /* 4.6.2.1 Identification Type Values */
541 struct ipsecdoi_id {
542 struct isakmp_gen h;
543 nd_uint8_t type; /* ID Type */
544 nd_uint8_t proto_id; /* Protocol ID */
545 nd_uint16_t port; /* Port */
546 /* Identification Data */
547 };
548
549 #define IPSECDOI_ID_IPV4_ADDR 1
550 #define IPSECDOI_ID_FQDN 2
551 #define IPSECDOI_ID_USER_FQDN 3
552 #define IPSECDOI_ID_IPV4_ADDR_SUBNET 4
553 #define IPSECDOI_ID_IPV6_ADDR 5
554 #define IPSECDOI_ID_IPV6_ADDR_SUBNET 6
555 #define IPSECDOI_ID_IPV4_ADDR_RANGE 7
556 #define IPSECDOI_ID_IPV6_ADDR_RANGE 8
557 #define IPSECDOI_ID_DER_ASN1_DN 9
558 #define IPSECDOI_ID_DER_ASN1_GN 10
559 #define IPSECDOI_ID_KEY_ID 11
560
561 /* 4.6.3 IPSEC DOI Notify Message Types */
562 /* Notify Messages - Status Types */
563 #define IPSECDOI_NTYPE_RESPONDER_LIFETIME 24576
564 #define IPSECDOI_NTYPE_REPLAY_STATUS 24577
565 #define IPSECDOI_NTYPE_INITIAL_CONTACT 24578
566
567 #define DECLARE_PRINTER(func) static const u_char *ike##func##_print( \
568 netdissect_options *ndo, u_char tpay, \
569 const struct isakmp_gen *ext, \
570 u_int item_len, \
571 const u_char *end_pointer, \
572 uint32_t phase,\
573 uint32_t doi0, \
574 uint32_t proto0, int depth)
575
576 DECLARE_PRINTER(v1_sa);
577 DECLARE_PRINTER(v1_p);
578 DECLARE_PRINTER(v1_t);
579 DECLARE_PRINTER(v1_ke);
580 DECLARE_PRINTER(v1_id);
581 DECLARE_PRINTER(v1_cert);
582 DECLARE_PRINTER(v1_cr);
583 DECLARE_PRINTER(v1_sig);
584 DECLARE_PRINTER(v1_hash);
585 DECLARE_PRINTER(v1_nonce);
586 DECLARE_PRINTER(v1_n);
587 DECLARE_PRINTER(v1_d);
588 DECLARE_PRINTER(v1_vid);
589
590 DECLARE_PRINTER(v2_sa);
591 DECLARE_PRINTER(v2_ke);
592 DECLARE_PRINTER(v2_ID);
593 DECLARE_PRINTER(v2_cert);
594 DECLARE_PRINTER(v2_cr);
595 DECLARE_PRINTER(v2_auth);
596 DECLARE_PRINTER(v2_nonce);
597 DECLARE_PRINTER(v2_n);
598 DECLARE_PRINTER(v2_d);
599 DECLARE_PRINTER(v2_vid);
600 DECLARE_PRINTER(v2_TS);
601 DECLARE_PRINTER(v2_cp);
602 DECLARE_PRINTER(v2_eap);
603
604 static const u_char *ikev2_e_print(netdissect_options *ndo,
605 const struct isakmp *base,
606 u_char tpay,
607 const struct isakmp_gen *ext,
608 u_int item_len,
609 const u_char *end_pointer,
610 uint32_t phase,
611 uint32_t doi0,
612 uint32_t proto0, int depth);
613
614
615 static const u_char *ike_sub0_print(netdissect_options *ndo,u_char, const struct isakmp_gen *,
616 const u_char *, uint32_t, uint32_t, uint32_t, int);
617 static const u_char *ikev1_sub_print(netdissect_options *ndo,u_char, const struct isakmp_gen *,
618 const u_char *, uint32_t, uint32_t, uint32_t, int);
619
620 static const u_char *ikev2_sub_print(netdissect_options *ndo,
621 const struct isakmp *base,
622 u_char np, const struct isakmp_gen *ext,
623 const u_char *ep, uint32_t phase,
624 uint32_t doi, uint32_t proto,
625 int depth);
626
627
628 static char *numstr(u_int);
629
630 static void
631 ikev1_print(netdissect_options *ndo,
632 const u_char *bp, u_int length,
633 const u_char *bp2, const struct isakmp *base);
634
635 #define MAXINITIATORS 20
636 static int ninitiator = 0;
637 union inaddr_u {
638 struct in_addr in4;
639 struct in6_addr in6;
640 };
641 static struct {
642 cookie_t initiator;
643 u_int version;
644 union inaddr_u iaddr;
645 union inaddr_u raddr;
646 } cookiecache[MAXINITIATORS];
647
648 /* protocol id */
649 static const char *protoidstr[] = {
650 NULL, "isakmp", "ipsec-ah", "ipsec-esp", "ipcomp",
651 };
652
653 /* isakmp->np */
654 static const char *npstr[] = {
655 "none", "sa", "p", "t", "ke", "id", "cert", "cr", "hash", /* 0 - 8 */
656 "sig", "nonce", "n", "d", "vid", /* 9 - 13 */
657 "pay14", "pay15", "pay16", "pay17", "pay18", /* 14- 18 */
658 "pay19", "pay20", "pay21", "pay22", "pay23", /* 19- 23 */
659 "pay24", "pay25", "pay26", "pay27", "pay28", /* 24- 28 */
660 "pay29", "pay30", "pay31", "pay32", /* 29- 32 */
661 "v2sa", "v2ke", "v2IDi", "v2IDr", "v2cert",/* 33- 37 */
662 "v2cr", "v2auth","v2nonce", "v2n", "v2d", /* 38- 42 */
663 "v2vid", "v2TSi", "v2TSr", "v2e", "v2cp", /* 43- 47 */
664 "v2eap", /* 48 */
665
666 };
667
668 /* isakmp->np */
669 static const u_char *(*npfunc[])(netdissect_options *ndo, u_char tpay,
670 const struct isakmp_gen *ext,
671 u_int item_len,
672 const u_char *end_pointer,
673 uint32_t phase,
674 uint32_t doi0,
675 uint32_t proto0, int depth) = {
676 NULL,
677 ikev1_sa_print,
678 ikev1_p_print,
679 ikev1_t_print,
680 ikev1_ke_print,
681 ikev1_id_print,
682 ikev1_cert_print,
683 ikev1_cr_print,
684 ikev1_hash_print,
685 ikev1_sig_print,
686 ikev1_nonce_print,
687 ikev1_n_print,
688 ikev1_d_print,
689 ikev1_vid_print, /* 13 */
690 NULL, NULL, NULL, NULL, NULL, /* 14- 18 */
691 NULL, NULL, NULL, NULL, NULL, /* 19- 23 */
692 NULL, NULL, NULL, NULL, NULL, /* 24- 28 */
693 NULL, NULL, NULL, NULL, /* 29- 32 */
694 ikev2_sa_print, /* 33 */
695 ikev2_ke_print, /* 34 */
696 ikev2_ID_print, /* 35 */
697 ikev2_ID_print, /* 36 */
698 ikev2_cert_print, /* 37 */
699 ikev2_cr_print, /* 38 */
700 ikev2_auth_print, /* 39 */
701 ikev2_nonce_print, /* 40 */
702 ikev2_n_print, /* 41 */
703 ikev2_d_print, /* 42 */
704 ikev2_vid_print, /* 43 */
705 ikev2_TS_print, /* 44 */
706 ikev2_TS_print, /* 45 */
707 NULL, /* ikev2_e_print,*/ /* 46 - special */
708 ikev2_cp_print, /* 47 */
709 ikev2_eap_print, /* 48 */
710 };
711
712 /* isakmp->etype */
713 static const char *etypestr[] = {
714 /* IKEv1 exchange types */
715 "none", "base", "ident", "auth", "agg", "inf", NULL, NULL, /* 0-7 */
716 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 8-15 */
717 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 16-23 */
718 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 24-31 */
719 "oakley-quick", "oakley-newgroup", /* 32-33 */
720 /* IKEv2 exchange types */
721 "ikev2_init", "ikev2_auth", "child_sa", "inf2" /* 34-37 */
722 };
723
724 #define STR_OR_ID(x, tab) \
725 (((x) < sizeof(tab)/sizeof(tab[0]) && tab[(x)]) ? tab[(x)] : numstr(x))
726 #define PROTOIDSTR(x) STR_OR_ID(x, protoidstr)
727 #define NPSTR(x) STR_OR_ID(x, npstr)
728 #define ETYPESTR(x) STR_OR_ID(x, etypestr)
729
730 #define CHECKLEN(p, np) \
731 if (ep < (const u_char *)(p)) { \
732 ND_PRINT((ndo," [|%s]", NPSTR(np))); \
733 goto done; \
734 }
735
736
737 #define NPFUNC(x) \
738 (((x) < sizeof(npfunc)/sizeof(npfunc[0]) && npfunc[(x)]) \
739 ? npfunc[(x)] : NULL)
740
741 static int
742 iszero(const u_char *p, size_t l)
743 {
744 while (l--) {
745 if (*p++)
746 return 0;
747 }
748 return 1;
749 }
750
751 /* find cookie from initiator cache */
752 static int
753 cookie_find(const cookie_t *in)
754 {
755 int i;
756
757 for (i = 0; i < MAXINITIATORS; i++) {
758 if (memcmp(in, &cookiecache[i].initiator, sizeof(*in)) == 0)
759 return i;
760 }
761
762 return -1;
763 }
764
765 /* record initiator */
766 static void
767 cookie_record(const cookie_t *in, const u_char *bp2)
768 {
769 int i;
770 const struct ip *ip;
771 const struct ip6_hdr *ip6;
772
773 i = cookie_find(in);
774 if (0 <= i) {
775 ninitiator = (i + 1) % MAXINITIATORS;
776 return;
777 }
778
779 ip = (const struct ip *)bp2;
780 switch (IP_V(ip)) {
781 case 4:
782 cookiecache[ninitiator].version = 4;
783 UNALIGNED_MEMCPY(&cookiecache[ninitiator].iaddr.in4, &ip->ip_src, sizeof(struct in_addr));
784 UNALIGNED_MEMCPY(&cookiecache[ninitiator].raddr.in4, &ip->ip_dst, sizeof(struct in_addr));
785 break;
786 case 6:
787 ip6 = (const struct ip6_hdr *)bp2;
788 cookiecache[ninitiator].version = 6;
789 UNALIGNED_MEMCPY(&cookiecache[ninitiator].iaddr.in6, &ip6->ip6_src, sizeof(struct in6_addr));
790 UNALIGNED_MEMCPY(&cookiecache[ninitiator].raddr.in6, &ip6->ip6_dst, sizeof(struct in6_addr));
791 break;
792 default:
793 return;
794 }
795 UNALIGNED_MEMCPY(&cookiecache[ninitiator].initiator, in, sizeof(*in));
796 ninitiator = (ninitiator + 1) % MAXINITIATORS;
797 }
798
799 #define cookie_isinitiator(x, y) cookie_sidecheck((x), (y), 1)
800 #define cookie_isresponder(x, y) cookie_sidecheck((x), (y), 0)
801 static int
802 cookie_sidecheck(int i, const u_char *bp2, int initiator)
803 {
804 const struct ip *ip;
805 const struct ip6_hdr *ip6;
806
807 ip = (const struct ip *)bp2;
808 switch (IP_V(ip)) {
809 case 4:
810 if (cookiecache[i].version != 4)
811 return 0;
812 if (initiator) {
813 if (UNALIGNED_MEMCMP(&ip->ip_src, &cookiecache[i].iaddr.in4, sizeof(struct in_addr)) == 0)
814 return 1;
815 } else {
816 if (UNALIGNED_MEMCMP(&ip->ip_src, &cookiecache[i].raddr.in4, sizeof(struct in_addr)) == 0)
817 return 1;
818 }
819 break;
820 case 6:
821 if (cookiecache[i].version != 6)
822 return 0;
823 ip6 = (const struct ip6_hdr *)bp2;
824 if (initiator) {
825 if (UNALIGNED_MEMCMP(&ip6->ip6_src, &cookiecache[i].iaddr.in6, sizeof(struct in6_addr)) == 0)
826 return 1;
827 } else {
828 if (UNALIGNED_MEMCMP(&ip6->ip6_src, &cookiecache[i].raddr.in6, sizeof(struct in6_addr)) == 0)
829 return 1;
830 }
831 break;
832 default:
833 break;
834 }
835
836 return 0;
837 }
838
839 static void
840 hexprint(netdissect_options *ndo, const uint8_t *loc, size_t len)
841 {
842 const uint8_t *p;
843 size_t i;
844
845 p = loc;
846 for (i = 0; i < len; i++)
847 ND_PRINT((ndo,"%02x", p[i] & 0xff));
848 }
849
850 static int
851 rawprint(netdissect_options *ndo, const uint8_t *loc, size_t len)
852 {
853 ND_TCHECK_LEN(loc, len);
854
855 hexprint(ndo, loc, len);
856 return 1;
857 trunc:
858 return 0;
859 }
860
861
862 /*
863 * returns false if we run out of data buffer
864 */
865 static int ike_show_somedata(netdissect_options *ndo,
866 const u_char *cp, const u_char *ep)
867 {
868 /* there is too much data, just show some of it */
869 const u_char *end = ep - 20;
870 size_t elen = 20;
871 size_t len = ep - cp;
872 if(len > 10) {
873 len = 10;
874 }
875
876 /* really shouldn't happen because of above */
877 if(end < cp + len) {
878 end = cp+len;
879 elen = ep - end;
880 }
881
882 ND_PRINT((ndo," data=("));
883 if(!rawprint(ndo, (const uint8_t *)(cp), len)) goto trunc;
884 ND_PRINT((ndo, "..."));
885 if(elen) {
886 if(!rawprint(ndo, (const uint8_t *)(end), elen)) goto trunc;
887 }
888 ND_PRINT((ndo,")"));
889 return 1;
890
891 trunc:
892 return 0;
893 }
894
895 struct attrmap {
896 const char *type;
897 u_int nvalue;
898 const char *value[30]; /*XXX*/
899 };
900
901 static const u_char *
902 ikev1_attrmap_print(netdissect_options *ndo,
903 const u_char *p, const u_char *ep2,
904 const struct attrmap *map, size_t nmap)
905 {
906 u_int totlen;
907 uint32_t t, v;
908
909 ND_TCHECK_1(p);
910 if (EXTRACT_U_1(p) & 0x80)
911 totlen = 4;
912 else {
913 ND_TCHECK_2(p + 2);
914 totlen = 4 + EXTRACT_BE_U_2(p + 2);
915 }
916 if (ep2 < p + totlen) {
917 ND_PRINT((ndo,"[|attr]"));
918 return ep2 + 1;
919 }
920
921 ND_TCHECK_2(p);
922 ND_PRINT((ndo,"("));
923 t = EXTRACT_BE_U_2(p) & 0x7fff;
924 if (map && t < nmap && map[t].type)
925 ND_PRINT((ndo,"type=%s ", map[t].type));
926 else
927 ND_PRINT((ndo,"type=#%u ", t));
928 if (EXTRACT_U_1(p) & 0x80) {
929 ND_PRINT((ndo,"value="));
930 ND_TCHECK_2(p + 2);
931 v = EXTRACT_BE_U_2(p + 2);
932 if (map && t < nmap && v < map[t].nvalue && map[t].value[v])
933 ND_PRINT((ndo,"%s", map[t].value[v]));
934 else {
935 if (!rawprint(ndo, (const uint8_t *)(p + 2), 2)) {
936 ND_PRINT((ndo,")"));
937 goto trunc;
938 }
939 }
940 } else {
941 ND_PRINT((ndo,"len=%u value=", totlen - 4));
942 if (!rawprint(ndo, (const uint8_t *)(p + 4), totlen - 4)) {
943 ND_PRINT((ndo,")"));
944 goto trunc;
945 }
946 }
947 ND_PRINT((ndo,")"));
948 return p + totlen;
949
950 trunc:
951 return NULL;
952 }
953
954 static const u_char *
955 ikev1_attr_print(netdissect_options *ndo, const u_char *p, const u_char *ep2)
956 {
957 u_int totlen;
958 uint32_t t;
959
960 ND_TCHECK_1(p);
961 if (EXTRACT_U_1(p) & 0x80)
962 totlen = 4;
963 else {
964 ND_TCHECK_2(p + 2);
965 totlen = 4 + EXTRACT_BE_U_2(p + 2);
966 }
967 if (ep2 < p + totlen) {
968 ND_PRINT((ndo,"[|attr]"));
969 return ep2 + 1;
970 }
971
972 ND_TCHECK_2(p);
973 ND_PRINT((ndo,"("));
974 t = EXTRACT_BE_U_2(p) & 0x7fff;
975 ND_PRINT((ndo,"type=#%u ", t));
976 if (EXTRACT_U_1(p) & 0x80) {
977 ND_PRINT((ndo,"value="));
978 t = EXTRACT_U_1(p + 2);
979 if (!rawprint(ndo, (const uint8_t *)(p + 2), 2)) {
980 ND_PRINT((ndo,")"));
981 goto trunc;
982 }
983 } else {
984 ND_PRINT((ndo,"len=%u value=", totlen - 4));
985 if (!rawprint(ndo, (const uint8_t *)(p + 4), totlen - 4)) {
986 ND_PRINT((ndo,")"));
987 goto trunc;
988 }
989 }
990 ND_PRINT((ndo,")"));
991 return p + totlen;
992
993 trunc:
994 return NULL;
995 }
996
997 static const u_char *
998 ikev1_sa_print(netdissect_options *ndo, u_char tpay _U_,
999 const struct isakmp_gen *ext,
1000 u_int item_len _U_,
1001 const u_char *ep, uint32_t phase, uint32_t doi0 _U_,
1002 uint32_t proto0, int depth)
1003 {
1004 const struct ikev1_pl_sa *p;
1005 uint32_t doi, sit, ident;
1006 const u_char *cp, *np;
1007 int t;
1008
1009 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_SA)));
1010
1011 p = (const struct ikev1_pl_sa *)ext;
1012 ND_TCHECK(*p);
1013 doi = EXTRACT_BE_U_4(p->doi);
1014 sit = EXTRACT_BE_U_4(p->sit);
1015 if (doi != 1) {
1016 ND_PRINT((ndo," doi=%u", doi));
1017 ND_PRINT((ndo," situation=%u", sit));
1018 return (const u_char *)(p + 1);
1019 }
1020
1021 ND_PRINT((ndo," doi=ipsec"));
1022 ND_PRINT((ndo," situation="));
1023 t = 0;
1024 if (sit & 0x01) {
1025 ND_PRINT((ndo,"identity"));
1026 t++;
1027 }
1028 if (sit & 0x02) {
1029 ND_PRINT((ndo,"%ssecrecy", t ? "+" : ""));
1030 t++;
1031 }
1032 if (sit & 0x04)
1033 ND_PRINT((ndo,"%sintegrity", t ? "+" : ""));
1034
1035 np = (const u_char *)ext + sizeof(struct ikev1_pl_sa);
1036 if (sit != 0x01) {
1037 ND_TCHECK_4(ext + 1);
1038 ident = EXTRACT_BE_U_4(ext + 1);
1039 ND_PRINT((ndo," ident=%u", ident));
1040 np += sizeof(ident);
1041 }
1042
1043 ext = (const struct isakmp_gen *)np;
1044 ND_TCHECK(*ext);
1045
1046 cp = ikev1_sub_print(ndo, ISAKMP_NPTYPE_P, ext, ep, phase, doi, proto0,
1047 depth);
1048
1049 return cp;
1050 trunc:
1051 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_SA)));
1052 return NULL;
1053 }
1054
1055 static const u_char *
1056 ikev1_p_print(netdissect_options *ndo, u_char tpay _U_,
1057 const struct isakmp_gen *ext, u_int item_len _U_,
1058 const u_char *ep, uint32_t phase, uint32_t doi0,
1059 uint32_t proto0 _U_, int depth)
1060 {
1061 const struct ikev1_pl_p *p;
1062 const u_char *cp;
1063 uint8_t spi_size;
1064
1065 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_P)));
1066
1067 p = (const struct ikev1_pl_p *)ext;
1068 ND_TCHECK(*p);
1069 ND_PRINT((ndo," #%u protoid=%s transform=%u",
1070 EXTRACT_U_1(p->p_no), PROTOIDSTR(EXTRACT_U_1(p->prot_id)),
1071 EXTRACT_U_1(p->num_t)));
1072 spi_size = EXTRACT_U_1(p->spi_size);
1073 if (spi_size) {
1074 ND_PRINT((ndo," spi="));
1075 if (!rawprint(ndo, (const uint8_t *)(p + 1), spi_size))
1076 goto trunc;
1077 }
1078
1079 ext = (const struct isakmp_gen *)((const u_char *)(p + 1) + spi_size);
1080 ND_TCHECK(*ext);
1081
1082 cp = ikev1_sub_print(ndo, ISAKMP_NPTYPE_T, ext, ep, phase, doi0,
1083 EXTRACT_U_1(p->prot_id), depth);
1084
1085 return cp;
1086 trunc:
1087 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_P)));
1088 return NULL;
1089 }
1090
1091 static const char *ikev1_p_map[] = {
1092 NULL, "ike",
1093 };
1094
1095 static const char *ikev2_t_type_map[]={
1096 NULL, "encr", "prf", "integ", "dh", "esn"
1097 };
1098
1099 static const char *ah_p_map[] = {
1100 NULL, "(reserved)", "md5", "sha", "1des",
1101 "sha2-256", "sha2-384", "sha2-512",
1102 };
1103
1104 static const char *prf_p_map[] = {
1105 NULL, "hmac-md5", "hmac-sha", "hmac-tiger",
1106 "aes128_xcbc"
1107 };
1108
1109 static const char *integ_p_map[] = {
1110 NULL, "hmac-md5", "hmac-sha", "dec-mac",
1111 "kpdk-md5", "aes-xcbc"
1112 };
1113
1114 static const char *esn_p_map[] = {
1115 "no-esn", "esn"
1116 };
1117
1118 static const char *dh_p_map[] = {
1119 NULL, "modp768",
1120 "modp1024", /* group 2 */
1121 "EC2N 2^155", /* group 3 */
1122 "EC2N 2^185", /* group 4 */
1123 "modp1536", /* group 5 */
1124 "iana-grp06", "iana-grp07", /* reserved */
1125 "iana-grp08", "iana-grp09",
1126 "iana-grp10", "iana-grp11",
1127 "iana-grp12", "iana-grp13",
1128 "modp2048", /* group 14 */
1129 "modp3072", /* group 15 */
1130 "modp4096", /* group 16 */
1131 "modp6144", /* group 17 */
1132 "modp8192", /* group 18 */
1133 };
1134
1135 static const char *esp_p_map[] = {
1136 NULL, "1des-iv64", "1des", "3des", "rc5", "idea", "cast",
1137 "blowfish", "3idea", "1des-iv32", "rc4", "null", "aes"
1138 };
1139
1140 static const char *ipcomp_p_map[] = {
1141 NULL, "oui", "deflate", "lzs",
1142 };
1143
1144 static const struct attrmap ipsec_t_map[] = {
1145 { NULL, 0, { NULL } },
1146 { "lifetype", 3, { NULL, "sec", "kb", }, },
1147 { "life", 0, { NULL } },
1148 { "group desc", 18, { NULL, "modp768",
1149 "modp1024", /* group 2 */
1150 "EC2N 2^155", /* group 3 */
1151 "EC2N 2^185", /* group 4 */
1152 "modp1536", /* group 5 */
1153 "iana-grp06", "iana-grp07", /* reserved */
1154 "iana-grp08", "iana-grp09",
1155 "iana-grp10", "iana-grp11",
1156 "iana-grp12", "iana-grp13",
1157 "modp2048", /* group 14 */
1158 "modp3072", /* group 15 */
1159 "modp4096", /* group 16 */
1160 "modp6144", /* group 17 */
1161 "modp8192", /* group 18 */
1162 }, },
1163 { "enc mode", 3, { NULL, "tunnel", "transport", }, },
1164 { "auth", 5, { NULL, "hmac-md5", "hmac-sha1", "1des-mac", "keyed", }, },
1165 { "keylen", 0, { NULL } },
1166 { "rounds", 0, { NULL } },
1167 { "dictsize", 0, { NULL } },
1168 { "privalg", 0, { NULL } },
1169 };
1170
1171 static const struct attrmap encr_t_map[] = {
1172 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 0, 1 */
1173 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 2, 3 */
1174 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 4, 5 */
1175 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 6, 7 */
1176 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 8, 9 */
1177 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 10,11*/
1178 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 12,13*/
1179 { "keylen", 14, { NULL }},
1180 };
1181
1182 static const struct attrmap oakley_t_map[] = {
1183 { NULL, 0, { NULL } },
1184 { "enc", 8, { NULL, "1des", "idea", "blowfish", "rc5",
1185 "3des", "cast", "aes", }, },
1186 { "hash", 7, { NULL, "md5", "sha1", "tiger",
1187 "sha2-256", "sha2-384", "sha2-512", }, },
1188 { "auth", 6, { NULL, "preshared", "dss", "rsa sig", "rsa enc",
1189 "rsa enc revised", }, },
1190 { "group desc", 18, { NULL, "modp768",
1191 "modp1024", /* group 2 */
1192 "EC2N 2^155", /* group 3 */
1193 "EC2N 2^185", /* group 4 */
1194 "modp1536", /* group 5 */
1195 "iana-grp06", "iana-grp07", /* reserved */
1196 "iana-grp08", "iana-grp09",
1197 "iana-grp10", "iana-grp11",
1198 "iana-grp12", "iana-grp13",
1199 "modp2048", /* group 14 */
1200 "modp3072", /* group 15 */
1201 "modp4096", /* group 16 */
1202 "modp6144", /* group 17 */
1203 "modp8192", /* group 18 */
1204 }, },
1205 { "group type", 4, { NULL, "MODP", "ECP", "EC2N", }, },
1206 { "group prime", 0, { NULL } },
1207 { "group gen1", 0, { NULL } },
1208 { "group gen2", 0, { NULL } },
1209 { "group curve A", 0, { NULL } },
1210 { "group curve B", 0, { NULL } },
1211 { "lifetype", 3, { NULL, "sec", "kb", }, },
1212 { "lifeduration", 0, { NULL } },
1213 { "prf", 0, { NULL } },
1214 { "keylen", 0, { NULL } },
1215 { "field", 0, { NULL } },
1216 { "order", 0, { NULL } },
1217 };
1218
1219 static const u_char *
1220 ikev1_t_print(netdissect_options *ndo, u_char tpay _U_,
1221 const struct isakmp_gen *ext, u_int item_len,
1222 const u_char *ep, uint32_t phase _U_, uint32_t doi _U_,
1223 uint32_t proto, int depth _U_)
1224 {
1225 const struct ikev1_pl_t *p;
1226 const u_char *cp;
1227 const char *idstr;
1228 const struct attrmap *map;
1229 size_t nmap;
1230 const u_char *ep2;
1231
1232 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_T)));
1233
1234 p = (const struct ikev1_pl_t *)ext;
1235 ND_TCHECK(*p);
1236
1237 switch (proto) {
1238 case 1:
1239 idstr = STR_OR_ID(EXTRACT_U_1(p->t_id), ikev1_p_map);
1240 map = oakley_t_map;
1241 nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]);
1242 break;
1243 case 2:
1244 idstr = STR_OR_ID(EXTRACT_U_1(p->t_id), ah_p_map);
1245 map = ipsec_t_map;
1246 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
1247 break;
1248 case 3:
1249 idstr = STR_OR_ID(EXTRACT_U_1(p->t_id), esp_p_map);
1250 map = ipsec_t_map;
1251 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
1252 break;
1253 case 4:
1254 idstr = STR_OR_ID(EXTRACT_U_1(p->t_id), ipcomp_p_map);
1255 map = ipsec_t_map;
1256 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
1257 break;
1258 default:
1259 idstr = NULL;
1260 map = NULL;
1261 nmap = 0;
1262 break;
1263 }
1264
1265 if (idstr)
1266 ND_PRINT((ndo," #%u id=%s ", EXTRACT_U_1(p->t_no), idstr));
1267 else
1268 ND_PRINT((ndo," #%u id=%u ", EXTRACT_U_1(p->t_no), EXTRACT_U_1(p->t_id)));
1269 cp = (const u_char *)(p + 1);
1270 ep2 = (const u_char *)p + item_len;
1271 while (cp < ep && cp < ep2) {
1272 if (map && nmap)
1273 cp = ikev1_attrmap_print(ndo, cp, ep2, map, nmap);
1274 else
1275 cp = ikev1_attr_print(ndo, cp, ep2);
1276 if (cp == NULL)
1277 goto trunc;
1278 }
1279 if (ep < ep2)
1280 ND_PRINT((ndo,"..."));
1281 return cp;
1282 trunc:
1283 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_T)));
1284 return NULL;
1285 }
1286
1287 static const u_char *
1288 ikev1_ke_print(netdissect_options *ndo, u_char tpay _U_,
1289 const struct isakmp_gen *ext, u_int item_len,
1290 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_,
1291 uint32_t proto _U_, int depth _U_)
1292 {
1293 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_KE)));
1294
1295 ND_TCHECK(*ext);
1296 /*
1297 * Our caller has ensured that the length is >= 4.
1298 */
1299 ND_PRINT((ndo," key len=%u", item_len - 4));
1300 if (2 < ndo->ndo_vflag && item_len > 4) {
1301 /* Print the entire payload in hex */
1302 ND_PRINT((ndo," "));
1303 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1304 goto trunc;
1305 }
1306 return (const u_char *)ext + item_len;
1307 trunc:
1308 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_KE)));
1309 return NULL;
1310 }
1311
1312 static const u_char *
1313 ikev1_id_print(netdissect_options *ndo, u_char tpay _U_,
1314 const struct isakmp_gen *ext, u_int item_len,
1315 const u_char *ep _U_, uint32_t phase, uint32_t doi _U_,
1316 uint32_t proto _U_, int depth _U_)
1317 {
1318 #define USE_IPSECDOI_IN_PHASE1 1
1319 const struct ikev1_pl_id *p;
1320 static const char *idtypestr[] = {
1321 "IPv4", "IPv4net", "IPv6", "IPv6net",
1322 };
1323 static const char *ipsecidtypestr[] = {
1324 NULL, "IPv4", "FQDN", "user FQDN", "IPv4net", "IPv6",
1325 "IPv6net", "IPv4range", "IPv6range", "ASN1 DN", "ASN1 GN",
1326 "keyid",
1327 };
1328 u_int len;
1329 const u_char *data;
1330
1331 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_ID)));
1332
1333 p = (const struct ikev1_pl_id *)ext;
1334 ND_TCHECK(*p);
1335 if (sizeof(*p) < item_len) {
1336 data = (const u_char *)(p + 1);
1337 len = item_len - sizeof(*p);
1338 } else {
1339 data = NULL;
1340 len = 0;
1341 }
1342
1343 #if 0 /*debug*/
1344 ND_PRINT((ndo," [phase=%u doi=%u proto=%u]", phase, doi, proto));
1345 #endif
1346 switch (phase) {
1347 #ifndef USE_IPSECDOI_IN_PHASE1
1348 case 1:
1349 #endif
1350 default:
1351 ND_PRINT((ndo," idtype=%s", STR_OR_ID(EXTRACT_U_1(p->d.id_type), idtypestr)));
1352 ND_PRINT((ndo," doi_data=%u",
1353 EXTRACT_BE_U_4(p->d.doi_data) & 0xffffff));
1354 break;
1355
1356 #ifdef USE_IPSECDOI_IN_PHASE1
1357 case 1:
1358 #endif
1359 case 2:
1360 {
1361 const struct ipsecdoi_id *doi_p;
1362 const char *p_name;
1363 uint8_t type, proto_id;
1364
1365 doi_p = (const struct ipsecdoi_id *)ext;
1366 ND_TCHECK(*doi_p);
1367 type = EXTRACT_U_1(doi_p->type);
1368 ND_PRINT((ndo," idtype=%s", STR_OR_ID(type, ipsecidtypestr)));
1369 /* A protocol ID of 0 DOES NOT mean IPPROTO_IP! */
1370 proto_id = EXTRACT_U_1(doi_p->proto_id);
1371 if (!ndo->ndo_nflag && proto_id && (p_name = netdb_protoname(proto_id)) != NULL)
1372 ND_PRINT((ndo," protoid=%s", p_name));
1373 else
1374 ND_PRINT((ndo," protoid=%u", proto_id));
1375 ND_PRINT((ndo," port=%u", EXTRACT_BE_U_2(doi_p->port)));
1376 if (!len)
1377 break;
1378 if (data == NULL)
1379 goto trunc;
1380 ND_TCHECK_LEN(data, len);
1381 switch (type) {
1382 case IPSECDOI_ID_IPV4_ADDR:
1383 if (len < 4)
1384 ND_PRINT((ndo," len=%u [bad: < 4]", len));
1385 else
1386 ND_PRINT((ndo," len=%u %s", len, ipaddr_string(ndo, data)));
1387 len = 0;
1388 break;
1389 case IPSECDOI_ID_FQDN:
1390 case IPSECDOI_ID_USER_FQDN:
1391 {
1392 u_int i;
1393 ND_PRINT((ndo," len=%u ", len));
1394 for (i = 0; i < len; i++)
1395 safeputchar(ndo, EXTRACT_U_1(data + i));
1396 len = 0;
1397 break;
1398 }
1399 case IPSECDOI_ID_IPV4_ADDR_SUBNET:
1400 {
1401 const u_char *mask;
1402 if (len < 8)
1403 ND_PRINT((ndo," len=%u [bad: < 8]", len));
1404 else {
1405 mask = data + sizeof(struct in_addr);
1406 ND_PRINT((ndo," len=%u %s/%u.%u.%u.%u", len,
1407 ipaddr_string(ndo, data),
1408 EXTRACT_U_1(mask), EXTRACT_U_1(mask + 1),
1409 EXTRACT_U_1(mask + 2), EXTRACT_U_1(mask + 3)));
1410 }
1411 len = 0;
1412 break;
1413 }
1414 case IPSECDOI_ID_IPV6_ADDR:
1415 if (len < 16)
1416 ND_PRINT((ndo," len=%u [bad: < 16]", len));
1417 else
1418 ND_PRINT((ndo," len=%u %s", len, ip6addr_string(ndo, data)));
1419 len = 0;
1420 break;
1421 case IPSECDOI_ID_IPV6_ADDR_SUBNET:
1422 {
1423 const u_char *mask;
1424 if (len < 32)
1425 ND_PRINT((ndo," len=%u [bad: < 32]", len));
1426 else {
1427 mask = (const u_char *)(data + sizeof(struct in6_addr));
1428 /*XXX*/
1429 ND_PRINT((ndo," len=%u %s/0x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x", len,
1430 ip6addr_string(ndo, data),
1431 EXTRACT_U_1(mask), EXTRACT_U_1(mask + 1), EXTRACT_U_1(mask + 2), EXTRACT_U_1(mask + 3),
1432 EXTRACT_U_1(mask + 4), EXTRACT_U_1(mask + 5), EXTRACT_U_1(mask + 6), EXTRACT_U_1(mask + 7),
1433 EXTRACT_U_1(mask + 8), EXTRACT_U_1(mask + 9), EXTRACT_U_1(mask + 10), EXTRACT_U_1(mask + 11),
1434 EXTRACT_U_1(mask + 12), EXTRACT_U_1(mask + 13), EXTRACT_U_1(mask + 14), EXTRACT_U_1(mask + 15)));
1435 }
1436 len = 0;
1437 break;
1438 }
1439 case IPSECDOI_ID_IPV4_ADDR_RANGE:
1440 if (len < 8)
1441 ND_PRINT((ndo," len=%u [bad: < 8]", len));
1442 else {
1443 ND_PRINT((ndo," len=%u %s-%s", len,
1444 ipaddr_string(ndo, data),
1445 ipaddr_string(ndo, data + sizeof(struct in_addr))));
1446 }
1447 len = 0;
1448 break;
1449 case IPSECDOI_ID_IPV6_ADDR_RANGE:
1450 if (len < 32)
1451 ND_PRINT((ndo," len=%u [bad: < 32]", len));
1452 else {
1453 ND_PRINT((ndo," len=%u %s-%s", len,
1454 ip6addr_string(ndo, data),
1455 ip6addr_string(ndo, data + sizeof(struct in6_addr))));
1456 }
1457 len = 0;
1458 break;
1459 case IPSECDOI_ID_DER_ASN1_DN:
1460 case IPSECDOI_ID_DER_ASN1_GN:
1461 case IPSECDOI_ID_KEY_ID:
1462 break;
1463 }
1464 break;
1465 }
1466 }
1467 if (data && len) {
1468 ND_PRINT((ndo," len=%u", len));
1469 if (2 < ndo->ndo_vflag) {
1470 ND_PRINT((ndo," "));
1471 if (!rawprint(ndo, (const uint8_t *)data, len))
1472 goto trunc;
1473 }
1474 }
1475 return (const u_char *)ext + item_len;
1476 trunc:
1477 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_ID)));
1478 return NULL;
1479 }
1480
1481 static const u_char *
1482 ikev1_cert_print(netdissect_options *ndo, u_char tpay _U_,
1483 const struct isakmp_gen *ext, u_int item_len,
1484 const u_char *ep _U_, uint32_t phase _U_,
1485 uint32_t doi0 _U_,
1486 uint32_t proto0 _U_, int depth _U_)
1487 {
1488 const struct ikev1_pl_cert *p;
1489 static const char *certstr[] = {
1490 "none", "pkcs7", "pgp", "dns",
1491 "x509sign", "x509ke", "kerberos", "crl",
1492 "arl", "spki", "x509attr",
1493 };
1494
1495 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_CERT)));
1496
1497 p = (const struct ikev1_pl_cert *)ext;
1498 ND_TCHECK(*p);
1499 /*
1500 * Our caller has ensured that the length is >= 4.
1501 */
1502 ND_PRINT((ndo," len=%u", item_len - 4));
1503 ND_PRINT((ndo," type=%s", STR_OR_ID(EXTRACT_U_1(p->encode), certstr)));
1504 if (2 < ndo->ndo_vflag && 4 < item_len) {
1505 /* Print the entire payload in hex */
1506 ND_PRINT((ndo," "));
1507 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1508 goto trunc;
1509 }
1510 return (const u_char *)ext + item_len;
1511 trunc:
1512 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_CERT)));
1513 return NULL;
1514 }
1515
1516 static const u_char *
1517 ikev1_cr_print(netdissect_options *ndo, u_char tpay _U_,
1518 const struct isakmp_gen *ext, u_int item_len,
1519 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi0 _U_,
1520 uint32_t proto0 _U_, int depth _U_)
1521 {
1522 const struct ikev1_pl_cert *p;
1523 static const char *certstr[] = {
1524 "none", "pkcs7", "pgp", "dns",
1525 "x509sign", "x509ke", "kerberos", "crl",
1526 "arl", "spki", "x509attr",
1527 };
1528
1529 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_CR)));
1530
1531 p = (const struct ikev1_pl_cert *)ext;
1532 ND_TCHECK(*p);
1533 /*
1534 * Our caller has ensured that the length is >= 4.
1535 */
1536 ND_PRINT((ndo," len=%u", item_len - 4));
1537 ND_PRINT((ndo," type=%s", STR_OR_ID(EXTRACT_U_1(p->encode), certstr)));
1538 if (2 < ndo->ndo_vflag && 4 < item_len) {
1539 /* Print the entire payload in hex */
1540 ND_PRINT((ndo," "));
1541 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1542 goto trunc;
1543 }
1544 return (const u_char *)ext + item_len;
1545 trunc:
1546 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_CR)));
1547 return NULL;
1548 }
1549
1550 static const u_char *
1551 ikev1_hash_print(netdissect_options *ndo, u_char tpay _U_,
1552 const struct isakmp_gen *ext, u_int item_len,
1553 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_,
1554 uint32_t proto _U_, int depth _U_)
1555 {
1556 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_HASH)));
1557
1558 ND_TCHECK(*ext);
1559 /*
1560 * Our caller has ensured that the length is >= 4.
1561 */
1562 ND_PRINT((ndo," len=%u", item_len - 4));
1563 if (2 < ndo->ndo_vflag && 4 < item_len) {
1564 /* Print the entire payload in hex */
1565 ND_PRINT((ndo," "));
1566 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1567 goto trunc;
1568 }
1569 return (const u_char *)ext + item_len;
1570 trunc:
1571 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_HASH)));
1572 return NULL;
1573 }
1574
1575 static const u_char *
1576 ikev1_sig_print(netdissect_options *ndo, u_char tpay _U_,
1577 const struct isakmp_gen *ext, u_int item_len,
1578 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_,
1579 uint32_t proto _U_, int depth _U_)
1580 {
1581 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_SIG)));
1582
1583 ND_TCHECK(*ext);
1584 /*
1585 * Our caller has ensured that the length is >= 4.
1586 */
1587 ND_PRINT((ndo," len=%u", item_len - 4));
1588 if (2 < ndo->ndo_vflag && 4 < item_len) {
1589 /* Print the entire payload in hex */
1590 ND_PRINT((ndo," "));
1591 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1592 goto trunc;
1593 }
1594 return (const u_char *)ext + item_len;
1595 trunc:
1596 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_SIG)));
1597 return NULL;
1598 }
1599
1600 static const u_char *
1601 ikev1_nonce_print(netdissect_options *ndo, u_char tpay _U_,
1602 const struct isakmp_gen *ext,
1603 u_int item_len,
1604 const u_char *ep,
1605 uint32_t phase _U_, uint32_t doi _U_,
1606 uint32_t proto _U_, int depth _U_)
1607 {
1608 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_NONCE)));
1609
1610 ND_TCHECK(*ext);
1611 /*
1612 * Our caller has ensured that the length is >= 4.
1613 */
1614 ND_PRINT((ndo," n len=%u", item_len - 4));
1615 if (item_len > 4) {
1616 if (ndo->ndo_vflag > 2) {
1617 ND_PRINT((ndo, " "));
1618 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1619 goto trunc;
1620 } else if (ndo->ndo_vflag > 1) {
1621 ND_PRINT((ndo, " "));
1622 if (!ike_show_somedata(ndo, (const u_char *)(ext + 1), ep))
1623 goto trunc;
1624 }
1625 }
1626 return (const u_char *)ext + item_len;
1627 trunc:
1628 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_NONCE)));
1629 return NULL;
1630 }
1631
1632 static const u_char *
1633 ikev1_n_print(netdissect_options *ndo, u_char tpay _U_,
1634 const struct isakmp_gen *ext, u_int item_len,
1635 const u_char *ep, uint32_t phase _U_, uint32_t doi0 _U_,
1636 uint32_t proto0 _U_, int depth _U_)
1637 {
1638 const struct ikev1_pl_n *p;
1639 const u_char *cp;
1640 const u_char *ep2;
1641 uint32_t doi;
1642 uint32_t proto;
1643 uint16_t type;
1644 uint8_t spi_size;
1645 static const char *notify_error_str[] = {
1646 NULL, "INVALID-PAYLOAD-TYPE",
1647 "DOI-NOT-SUPPORTED", "SITUATION-NOT-SUPPORTED",
1648 "INVALID-COOKIE", "INVALID-MAJOR-VERSION",
1649 "INVALID-MINOR-VERSION", "INVALID-EXCHANGE-TYPE",
1650 "INVALID-FLAGS", "INVALID-MESSAGE-ID",
1651 "INVALID-PROTOCOL-ID", "INVALID-SPI",
1652 "INVALID-TRANSFORM-ID", "ATTRIBUTES-NOT-SUPPORTED",
1653 "NO-PROPOSAL-CHOSEN", "BAD-PROPOSAL-SYNTAX",
1654 "PAYLOAD-MALFORMED", "INVALID-KEY-INFORMATION",
1655 "INVALID-ID-INFORMATION", "INVALID-CERT-ENCODING",
1656 "INVALID-CERTIFICATE", "CERT-TYPE-UNSUPPORTED",
1657 "INVALID-CERT-AUTHORITY", "INVALID-HASH-INFORMATION",
1658 "AUTHENTICATION-FAILED", "INVALID-SIGNATURE",
1659 "ADDRESS-NOTIFICATION", "NOTIFY-SA-LIFETIME",
1660 "CERTIFICATE-UNAVAILABLE", "UNSUPPORTED-EXCHANGE-TYPE",
1661 "UNEQUAL-PAYLOAD-LENGTHS",
1662 };
1663 static const char *ipsec_notify_error_str[] = {
1664 "RESERVED",
1665 };
1666 static const char *notify_status_str[] = {
1667 "CONNECTED",
1668 };
1669 static const char *ipsec_notify_status_str[] = {
1670 "RESPONDER-LIFETIME", "REPLAY-STATUS",
1671 "INITIAL-CONTACT",
1672 };
1673 /* NOTE: these macro must be called with x in proper range */
1674
1675 /* 0 - 8191 */
1676 #define NOTIFY_ERROR_STR(x) \
1677 STR_OR_ID((x), notify_error_str)
1678
1679 /* 8192 - 16383 */
1680 #define IPSEC_NOTIFY_ERROR_STR(x) \
1681 STR_OR_ID((u_int)((x) - 8192), ipsec_notify_error_str)
1682
1683 /* 16384 - 24575 */
1684 #define NOTIFY_STATUS_STR(x) \
1685 STR_OR_ID((u_int)((x) - 16384), notify_status_str)
1686
1687 /* 24576 - 32767 */
1688 #define IPSEC_NOTIFY_STATUS_STR(x) \
1689 STR_OR_ID((u_int)((x) - 24576), ipsec_notify_status_str)
1690
1691 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_N)));
1692
1693 p = (const struct ikev1_pl_n *)ext;
1694 ND_TCHECK(*p);
1695 doi = EXTRACT_BE_U_4(p->doi);
1696 proto = EXTRACT_U_1(p->prot_id);
1697 if (doi != 1) {
1698 ND_PRINT((ndo," doi=%u", doi));
1699 ND_PRINT((ndo," proto=%u", proto));
1700 type = EXTRACT_BE_U_2(p->type);
1701 if (type < 8192)
1702 ND_PRINT((ndo," type=%s", NOTIFY_ERROR_STR(type)));
1703 else if (type < 16384)
1704 ND_PRINT((ndo," type=%s", numstr(type)));
1705 else if (type < 24576)
1706 ND_PRINT((ndo," type=%s", NOTIFY_STATUS_STR(type)));
1707 else
1708 ND_PRINT((ndo," type=%s", numstr(type)));
1709 spi_size = EXTRACT_U_1(p->spi_size);
1710 if (spi_size) {
1711 ND_PRINT((ndo," spi="));
1712 if (!rawprint(ndo, (const uint8_t *)(p + 1), spi_size))
1713 goto trunc;
1714 }
1715 return (const u_char *)(p + 1) + spi_size;
1716 }
1717
1718 ND_PRINT((ndo," doi=ipsec"));
1719 ND_PRINT((ndo," proto=%s", PROTOIDSTR(proto)));
1720 type = EXTRACT_BE_U_2(p->type);
1721 if (type < 8192)
1722 ND_PRINT((ndo," type=%s", NOTIFY_ERROR_STR(type)));
1723 else if (type < 16384)
1724 ND_PRINT((ndo," type=%s", IPSEC_NOTIFY_ERROR_STR(type)));
1725 else if (type < 24576)
1726 ND_PRINT((ndo," type=%s", NOTIFY_STATUS_STR(type)));
1727 else if (type < 32768)
1728 ND_PRINT((ndo," type=%s", IPSEC_NOTIFY_STATUS_STR(type)));
1729 else
1730 ND_PRINT((ndo," type=%s", numstr(type)));
1731 spi_size = EXTRACT_U_1(p->spi_size);
1732 if (spi_size) {
1733 ND_PRINT((ndo," spi="));
1734 if (!rawprint(ndo, (const uint8_t *)(p + 1), spi_size))
1735 goto trunc;
1736 }
1737
1738 cp = (const u_char *)(p + 1) + spi_size;
1739 ep2 = (const u_char *)p + item_len;
1740
1741 if (cp < ep) {
1742 switch (type) {
1743 case IPSECDOI_NTYPE_RESPONDER_LIFETIME:
1744 {
1745 const struct attrmap *map = oakley_t_map;
1746 size_t nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]);
1747 ND_PRINT((ndo," attrs=("));
1748 while (cp < ep && cp < ep2) {
1749 cp = ikev1_attrmap_print(ndo, cp, ep2, map, nmap);
1750 if (cp == NULL) {
1751 ND_PRINT((ndo,")"));
1752 goto trunc;
1753 }
1754 }
1755 ND_PRINT((ndo,")"));
1756 break;
1757 }
1758 case IPSECDOI_NTYPE_REPLAY_STATUS:
1759 ND_PRINT((ndo," status=("));
1760 ND_PRINT((ndo,"replay detection %sabled",
1761 EXTRACT_BE_U_4(cp) ? "en" : "dis"));
1762 ND_PRINT((ndo,")"));
1763 break;
1764 default:
1765 /*
1766 * XXX - fill in more types here; see, for example,
1767 * draft-ietf-ipsec-notifymsg-04.
1768 */
1769 if (ndo->ndo_vflag > 3) {
1770 ND_PRINT((ndo," data=("));
1771 if (!rawprint(ndo, (const uint8_t *)(cp), ep - cp))
1772 goto trunc;
1773 ND_PRINT((ndo,")"));
1774 } else {
1775 if (!ike_show_somedata(ndo, cp, ep))
1776 goto trunc;
1777 }
1778 break;
1779 }
1780 }
1781 return (const u_char *)ext + item_len;
1782 trunc:
1783 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_N)));
1784 return NULL;
1785 }
1786
1787 static const u_char *
1788 ikev1_d_print(netdissect_options *ndo, u_char tpay _U_,
1789 const struct isakmp_gen *ext, u_int item_len _U_,
1790 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi0 _U_,
1791 uint32_t proto0 _U_, int depth _U_)
1792 {
1793 const struct ikev1_pl_d *p;
1794 const uint8_t *q;
1795 uint32_t doi;
1796 uint32_t proto;
1797 uint8_t spi_size;
1798 uint16_t num_spi;
1799 u_int i;
1800
1801 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_D)));
1802
1803 p = (const struct ikev1_pl_d *)ext;
1804 ND_TCHECK(*p);
1805 doi = EXTRACT_BE_U_4(p->doi);
1806 proto = EXTRACT_U_1(p->prot_id);
1807 if (doi != 1) {
1808 ND_PRINT((ndo," doi=%u", doi));
1809 ND_PRINT((ndo," proto=%u", proto));
1810 } else {
1811 ND_PRINT((ndo," doi=ipsec"));
1812 ND_PRINT((ndo," proto=%s", PROTOIDSTR(proto)));
1813 }
1814 spi_size = EXTRACT_U_1(p->spi_size);
1815 ND_PRINT((ndo," spilen=%u", spi_size));
1816 num_spi = EXTRACT_BE_U_2(p->num_spi);
1817 ND_PRINT((ndo," nspi=%u", num_spi));
1818 ND_PRINT((ndo," spi="));
1819 q = (const uint8_t *)(p + 1);
1820 for (i = 0; i < num_spi; i++) {
1821 if (i != 0)
1822 ND_PRINT((ndo,","));
1823 if (!rawprint(ndo, (const uint8_t *)q, spi_size))
1824 goto trunc;
1825 q += spi_size;
1826 }
1827 return q;
1828 trunc:
1829 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_D)));
1830 return NULL;
1831 }
1832
1833 static const u_char *
1834 ikev1_vid_print(netdissect_options *ndo, u_char tpay _U_,
1835 const struct isakmp_gen *ext,
1836 u_int item_len, const u_char *ep _U_,
1837 uint32_t phase _U_, uint32_t doi _U_,
1838 uint32_t proto _U_, int depth _U_)
1839 {
1840 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_VID)));
1841
1842 ND_TCHECK(*ext);
1843 /*
1844 * Our caller has ensured that the length is >= 4.
1845 */
1846 ND_PRINT((ndo," len=%u", item_len - 4));
1847 if (2 < ndo->ndo_vflag && 4 < item_len) {
1848 /* Print the entire payload in hex */
1849 ND_PRINT((ndo," "));
1850 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1851 goto trunc;
1852 }
1853 return (const u_char *)ext + item_len;
1854 trunc:
1855 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_VID)));
1856 return NULL;
1857 }
1858
1859 /************************************************************/
1860 /* */
1861 /* IKE v2 - rfc4306 - dissector */
1862 /* */
1863 /************************************************************/
1864
1865 static void
1866 ikev2_pay_print(netdissect_options *ndo, const char *payname, uint8_t critical)
1867 {
1868 ND_PRINT((ndo,"%s%s:", payname, critical&0x80 ? "[C]" : ""));
1869 }
1870
1871 static const u_char *
1872 ikev2_gen_print(netdissect_options *ndo, u_char tpay,
1873 const struct isakmp_gen *ext, u_int item_len)
1874 {
1875 const struct isakmp_gen *p = (const struct isakmp_gen *)ext;
1876
1877 ND_TCHECK(*ext);
1878 ikev2_pay_print(ndo, NPSTR(tpay), EXTRACT_U_1(p->critical));
1879
1880 /*
1881 * Our caller has ensured that the length is >= 4.
1882 */
1883 ND_PRINT((ndo," len=%u", item_len - 4));
1884 if (2 < ndo->ndo_vflag && 4 < item_len) {
1885 /* Print the entire payload in hex */
1886 ND_PRINT((ndo," "));
1887 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1888 goto trunc;
1889 }
1890 return (const u_char *)ext + item_len;
1891 trunc:
1892 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
1893 return NULL;
1894 }
1895
1896 static const u_char *
1897 ikev2_t_print(netdissect_options *ndo, int tcount,
1898 const struct isakmp_gen *ext, u_int item_len,
1899 const u_char *ep)
1900 {
1901 const struct ikev2_t *p;
1902 uint16_t t_id;
1903 uint8_t t_type;
1904 const u_char *cp;
1905 const char *idstr;
1906 const struct attrmap *map;
1907 size_t nmap;
1908 const u_char *ep2;
1909
1910 p = (const struct ikev2_t *)ext;
1911 ND_TCHECK(*p);
1912 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_T), EXTRACT_U_1(p->h.critical));
1913
1914 t_id = EXTRACT_BE_U_2(p->t_id);
1915
1916 map = NULL;
1917 nmap = 0;
1918
1919 t_type = EXTRACT_U_1(p->t_type);
1920 switch (t_type) {
1921 case IV2_T_ENCR:
1922 idstr = STR_OR_ID(t_id, esp_p_map);
1923 map = encr_t_map;
1924 nmap = sizeof(encr_t_map)/sizeof(encr_t_map[0]);
1925 break;
1926
1927 case IV2_T_PRF:
1928 idstr = STR_OR_ID(t_id, prf_p_map);
1929 break;
1930
1931 case IV2_T_INTEG:
1932 idstr = STR_OR_ID(t_id, integ_p_map);
1933 break;
1934
1935 case IV2_T_DH:
1936 idstr = STR_OR_ID(t_id, dh_p_map);
1937 break;
1938
1939 case IV2_T_ESN:
1940 idstr = STR_OR_ID(t_id, esn_p_map);
1941 break;
1942
1943 default:
1944 idstr = NULL;
1945 break;
1946 }
1947
1948 if (idstr)
1949 ND_PRINT((ndo," #%u type=%s id=%s ", tcount,
1950 STR_OR_ID(t_type, ikev2_t_type_map),
1951 idstr));
1952 else
1953 ND_PRINT((ndo," #%u type=%s id=%u ", tcount,
1954 STR_OR_ID(t_type, ikev2_t_type_map),
1955 t_id));
1956 cp = (const u_char *)(p + 1);
1957 ep2 = (const u_char *)p + item_len;
1958 while (cp < ep && cp < ep2) {
1959 if (map && nmap) {
1960 cp = ikev1_attrmap_print(ndo, cp, ep2, map, nmap);
1961 } else
1962 cp = ikev1_attr_print(ndo, cp, ep2);
1963 if (cp == NULL)
1964 goto trunc;
1965 }
1966 if (ep < ep2)
1967 ND_PRINT((ndo,"..."));
1968 return cp;
1969 trunc:
1970 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_T)));
1971 return NULL;
1972 }
1973
1974 static const u_char *
1975 ikev2_p_print(netdissect_options *ndo, u_char tpay _U_, int pcount _U_,
1976 const struct isakmp_gen *ext, u_int oprop_length,
1977 const u_char *ep, int depth)
1978 {
1979 const struct ikev2_p *p;
1980 u_int prop_length;
1981 uint8_t spi_size;
1982 const u_char *cp;
1983 int i;
1984 int tcount;
1985 u_char np;
1986 u_int item_len;
1987
1988 p = (const struct ikev2_p *)ext;
1989 ND_TCHECK(*p);
1990
1991 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_P), EXTRACT_U_1(p->h.critical));
1992
1993 /*
1994 * ikev2_sa_print() guarantees that this is >= 4.
1995 */
1996 prop_length = oprop_length - 4;
1997 ND_PRINT((ndo," #%u protoid=%s transform=%u len=%u",
1998 EXTRACT_U_1(p->p_no), PROTOIDSTR(EXTRACT_U_1(p->prot_id)),
1999 EXTRACT_U_1(p->num_t), oprop_length));
2000 cp = (const u_char *)(p + 1);
2001
2002 spi_size = EXTRACT_U_1(p->spi_size);
2003 if (spi_size) {
2004 if (prop_length < spi_size)
2005 goto toolong;
2006 ND_PRINT((ndo," spi="));
2007 if (!rawprint(ndo, (const uint8_t *)cp, spi_size))
2008 goto trunc;
2009 cp += spi_size;
2010 prop_length -= spi_size;
2011 }
2012
2013 /*
2014 * Print the transforms.
2015 */
2016 tcount = 0;
2017 for (np = ISAKMP_NPTYPE_T; np != 0; np = EXTRACT_U_1(ext->np)) {
2018 tcount++;
2019 ext = (const struct isakmp_gen *)cp;
2020 if (prop_length < sizeof(*ext))
2021 goto toolong;
2022 ND_TCHECK(*ext);
2023
2024 /*
2025 * Since we can't have a payload length of less than 4 bytes,
2026 * we need to bail out here if the generic header is nonsensical
2027 * or truncated, otherwise we could loop forever processing
2028 * zero-length items or otherwise misdissect the packet.
2029 */
2030 item_len = EXTRACT_BE_U_2(ext->len);
2031 if (item_len <= 4)
2032 goto trunc;
2033
2034 if (prop_length < item_len)
2035 goto toolong;
2036 ND_TCHECK_LEN(cp, item_len);
2037
2038 depth++;
2039 ND_PRINT((ndo,"\n"));
2040 for (i = 0; i < depth; i++)
2041 ND_PRINT((ndo," "));
2042 ND_PRINT((ndo,"("));
2043 if (np == ISAKMP_NPTYPE_T) {
2044 cp = ikev2_t_print(ndo, tcount, ext, item_len, ep);
2045 if (cp == NULL) {
2046 /* error, already reported */
2047 return NULL;
2048 }
2049 } else {
2050 ND_PRINT((ndo, "%s", NPSTR(np)));
2051 cp += item_len;
2052 }
2053 ND_PRINT((ndo,")"));
2054 depth--;
2055 prop_length -= item_len;
2056 }
2057 return cp;
2058 toolong:
2059 /*
2060 * Skip the rest of the proposal.
2061 */
2062 cp += prop_length;
2063 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_P)));
2064 return cp;
2065 trunc:
2066 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_P)));
2067 return NULL;
2068 }
2069
2070 static const u_char *
2071 ikev2_sa_print(netdissect_options *ndo, u_char tpay,
2072 const struct isakmp_gen *ext1,
2073 u_int osa_length, const u_char *ep,
2074 uint32_t phase _U_, uint32_t doi _U_,
2075 uint32_t proto _U_, int depth)
2076 {
2077 const struct isakmp_gen *ext;
2078 u_int sa_length;
2079 const u_char *cp;
2080 int i;
2081 int pcount;
2082 u_char np;
2083 u_int item_len;
2084
2085 ND_TCHECK(*ext1);
2086 ikev2_pay_print(ndo, "sa", EXTRACT_U_1(ext1->critical));
2087
2088 /*
2089 * ikev2_sub0_print() guarantees that this is >= 4.
2090 */
2091 osa_length= EXTRACT_BE_U_2(ext1->len);
2092 sa_length = osa_length - 4;
2093 ND_PRINT((ndo," len=%u", sa_length));
2094
2095 /*
2096 * Print the payloads.
2097 */
2098 cp = (const u_char *)(ext1 + 1);
2099 pcount = 0;
2100 for (np = ISAKMP_NPTYPE_P; np != 0; np = EXTRACT_U_1(ext->np)) {
2101 pcount++;
2102 ext = (const struct isakmp_gen *)cp;
2103 if (sa_length < sizeof(*ext))
2104 goto toolong;
2105 ND_TCHECK(*ext);
2106
2107 /*
2108 * Since we can't have a payload length of less than 4 bytes,
2109 * we need to bail out here if the generic header is nonsensical
2110 * or truncated, otherwise we could loop forever processing
2111 * zero-length items or otherwise misdissect the packet.
2112 */
2113 item_len = EXTRACT_BE_U_2(ext->len);
2114 if (item_len <= 4)
2115 goto trunc;
2116
2117 if (sa_length < item_len)
2118 goto toolong;
2119 ND_TCHECK_LEN(cp, item_len);
2120
2121 depth++;
2122 ND_PRINT((ndo,"\n"));
2123 for (i = 0; i < depth; i++)
2124 ND_PRINT((ndo," "));
2125 ND_PRINT((ndo,"("));
2126 if (np == ISAKMP_NPTYPE_P) {
2127 cp = ikev2_p_print(ndo, np, pcount, ext, item_len,
2128 ep, depth);
2129 if (cp == NULL) {
2130 /* error, already reported */
2131 return NULL;
2132 }
2133 } else {
2134 ND_PRINT((ndo, "%s", NPSTR(np)));
2135 cp += item_len;
2136 }
2137 ND_PRINT((ndo,")"));
2138 depth--;
2139 sa_length -= item_len;
2140 }
2141 return cp;
2142 toolong:
2143 /*
2144 * Skip the rest of the SA.
2145 */
2146 cp += sa_length;
2147 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2148 return cp;
2149 trunc:
2150 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2151 return NULL;
2152 }
2153
2154 static const u_char *
2155 ikev2_ke_print(netdissect_options *ndo, u_char tpay,
2156 const struct isakmp_gen *ext,
2157 u_int item_len, const u_char *ep _U_,
2158 uint32_t phase _U_, uint32_t doi _U_,
2159 uint32_t proto _U_, int depth _U_)
2160 {
2161 const struct ikev2_ke *k;
2162
2163 k = (const struct ikev2_ke *)ext;
2164 ND_TCHECK(*k);
2165 ikev2_pay_print(ndo, NPSTR(tpay), EXTRACT_U_1(k->h.critical));
2166
2167 if (item_len < 8) {
2168 ND_PRINT((ndo," len=%u < 8", item_len));
2169 return (const u_char *)ext + item_len;
2170 }
2171 ND_PRINT((ndo," len=%u group=%s", item_len - 8,
2172 STR_OR_ID(EXTRACT_BE_U_2(k->ke_group), dh_p_map)));
2173
2174 if (2 < ndo->ndo_vflag && 8 < item_len) {
2175 ND_PRINT((ndo," "));
2176 if (!rawprint(ndo, (const uint8_t *)(k + 1), item_len - 8))
2177 goto trunc;
2178 }
2179 return (const u_char *)ext + item_len;
2180 trunc:
2181 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2182 return NULL;
2183 }
2184
2185 static const u_char *
2186 ikev2_ID_print(netdissect_options *ndo, u_char tpay,
2187 const struct isakmp_gen *ext,
2188 u_int item_len, const u_char *ep _U_,
2189 uint32_t phase _U_, uint32_t doi _U_,
2190 uint32_t proto _U_, int depth _U_)
2191 {
2192 const struct ikev2_id *idp;
2193 u_int idtype_len, i;
2194 unsigned int dumpascii, dumphex;
2195 const unsigned char *typedata;
2196
2197 idp = (const struct ikev2_id *)ext;
2198 ND_TCHECK(*idp);
2199 ikev2_pay_print(ndo, NPSTR(tpay), EXTRACT_U_1(idp->h.critical));
2200
2201 /*
2202 * Our caller has ensured that the length is >= 4.
2203 */
2204 ND_PRINT((ndo," len=%u", item_len - 4));
2205 if (2 < ndo->ndo_vflag && 4 < item_len) {
2206 /* Print the entire payload in hex */
2207 ND_PRINT((ndo," "));
2208 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
2209 goto trunc;
2210 }
2211
2212 idtype_len =item_len - sizeof(struct ikev2_id);
2213 dumpascii = 0;
2214 dumphex = 0;
2215 typedata = (const unsigned char *)(ext)+sizeof(struct ikev2_id);
2216
2217 switch(EXTRACT_U_1(idp->type)) {
2218 case ID_IPV4_ADDR:
2219 ND_PRINT((ndo, " ipv4:"));
2220 dumphex=1;
2221 break;
2222 case ID_FQDN:
2223 ND_PRINT((ndo, " fqdn:"));
2224 dumpascii=1;
2225 break;
2226 case ID_RFC822_ADDR:
2227 ND_PRINT((ndo, " rfc822:"));
2228 dumpascii=1;
2229 break;
2230 case ID_IPV6_ADDR:
2231 ND_PRINT((ndo, " ipv6:"));
2232 dumphex=1;
2233 break;
2234 case ID_DER_ASN1_DN:
2235 ND_PRINT((ndo, " dn:"));
2236 dumphex=1;
2237 break;
2238 case ID_DER_ASN1_GN:
2239 ND_PRINT((ndo, " gn:"));
2240 dumphex=1;
2241 break;
2242 case ID_KEY_ID:
2243 ND_PRINT((ndo, " keyid:"));
2244 dumphex=1;
2245 break;
2246 }
2247
2248 if(dumpascii) {
2249 ND_TCHECK_LEN(typedata, idtype_len);
2250 for(i=0; i<idtype_len; i++) {
2251 if(ND_ISPRINT(EXTRACT_U_1(typedata + i))) {
2252 ND_PRINT((ndo, "%c", EXTRACT_U_1(typedata + i)));
2253 } else {
2254 ND_PRINT((ndo, "."));
2255 }
2256 }
2257 }
2258 if(dumphex) {
2259 if (!rawprint(ndo, (const uint8_t *)typedata, idtype_len))
2260 goto trunc;
2261 }
2262
2263 return (const u_char *)ext + item_len;
2264 trunc:
2265 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2266 return NULL;
2267 }
2268
2269 static const u_char *
2270 ikev2_cert_print(netdissect_options *ndo, u_char tpay,
2271 const struct isakmp_gen *ext,
2272 u_int item_len, const u_char *ep _U_,
2273 uint32_t phase _U_, uint32_t doi _U_,
2274 uint32_t proto _U_, int depth _U_)
2275 {
2276 return ikev2_gen_print(ndo, tpay, ext, item_len);
2277 }
2278
2279 static const u_char *
2280 ikev2_cr_print(netdissect_options *ndo, u_char tpay,
2281 const struct isakmp_gen *ext,
2282 u_int item_len, const u_char *ep _U_,
2283 uint32_t phase _U_, uint32_t doi _U_,
2284 uint32_t proto _U_, int depth _U_)
2285 {
2286 return ikev2_gen_print(ndo, tpay, ext, item_len);
2287 }
2288
2289 static const u_char *
2290 ikev2_auth_print(netdissect_options *ndo, u_char tpay,
2291 const struct isakmp_gen *ext,
2292 u_int item_len, const u_char *ep,
2293 uint32_t phase _U_, uint32_t doi _U_,
2294 uint32_t proto _U_, int depth _U_)
2295 {
2296 const struct ikev2_auth *p;
2297 const char *v2_auth[]={ "invalid", "rsasig",
2298 "shared-secret", "dsssig" };
2299 const u_char *authdata = (const u_char*)ext + sizeof(struct ikev2_auth);
2300
2301 ND_TCHECK_LEN(ext, sizeof(struct ikev2_auth));
2302 p = (const struct ikev2_auth *)ext;
2303 ikev2_pay_print(ndo, NPSTR(tpay), EXTRACT_U_1(p->h.critical));
2304
2305 /*
2306 * Our caller has ensured that the length is >= 4.
2307 */
2308 ND_PRINT((ndo," len=%u method=%s", item_len-4,
2309 STR_OR_ID(EXTRACT_U_1(p->auth_method), v2_auth)));
2310 if (item_len > 4) {
2311 if (ndo->ndo_vflag > 1) {
2312 ND_PRINT((ndo, " authdata=("));
2313 if (!rawprint(ndo, (const uint8_t *)authdata, item_len - sizeof(struct ikev2_auth)))
2314 goto trunc;
2315 ND_PRINT((ndo, ") "));
2316 } else if (ndo->ndo_vflag) {
2317 if (!ike_show_somedata(ndo, authdata, ep))
2318 goto trunc;
2319 }
2320 }
2321
2322 return (const u_char *)ext + item_len;
2323 trunc:
2324 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2325 return NULL;
2326 }
2327
2328 static const u_char *
2329 ikev2_nonce_print(netdissect_options *ndo, u_char tpay,
2330 const struct isakmp_gen *ext,
2331 u_int item_len, const u_char *ep,
2332 uint32_t phase _U_, uint32_t doi _U_,
2333 uint32_t proto _U_, int depth _U_)
2334 {
2335 ND_TCHECK(*ext);
2336 ikev2_pay_print(ndo, "nonce", EXTRACT_U_1(ext->critical));
2337
2338 /*
2339 * Our caller has ensured that the length is >= 4.
2340 */
2341 ND_PRINT((ndo," len=%u", item_len - 4));
2342 if (1 < ndo->ndo_vflag && 4 < item_len) {
2343 ND_PRINT((ndo," nonce=("));
2344 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
2345 goto trunc;
2346 ND_PRINT((ndo,") "));
2347 } else if(ndo->ndo_vflag && 4 < item_len) {
2348 if(!ike_show_somedata(ndo, (const u_char *)(ext+1), ep)) goto trunc;
2349 }
2350
2351 return (const u_char *)ext + item_len;
2352 trunc:
2353 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2354 return NULL;
2355 }
2356
2357 /* notify payloads */
2358 static const u_char *
2359 ikev2_n_print(netdissect_options *ndo, u_char tpay _U_,
2360 const struct isakmp_gen *ext,
2361 u_int item_len, const u_char *ep,
2362 uint32_t phase _U_, uint32_t doi _U_,
2363 uint32_t proto _U_, int depth _U_)
2364 {
2365 const struct ikev2_n *p;
2366 uint16_t type;
2367 uint8_t spi_size;
2368 const u_char *cp;
2369 u_char showspi, showsomedata;
2370 const char *notify_name;
2371
2372 p = (const struct ikev2_n *)ext;
2373 ND_TCHECK(*p);
2374 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_N), EXTRACT_U_1(p->h.critical));
2375
2376 showspi = 1;
2377 showsomedata=0;
2378 notify_name=NULL;
2379
2380 ND_PRINT((ndo," prot_id=%s", PROTOIDSTR(EXTRACT_U_1(p->prot_id))));
2381
2382 type = EXTRACT_BE_U_2(p->type);
2383
2384 /* notify space is annoying sparse */
2385 switch(type) {
2386 case IV2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD:
2387 notify_name = "unsupported_critical_payload";
2388 showspi = 0;
2389 break;
2390
2391 case IV2_NOTIFY_INVALID_IKE_SPI:
2392 notify_name = "invalid_ike_spi";
2393 showspi = 1;
2394 break;
2395
2396 case IV2_NOTIFY_INVALID_MAJOR_VERSION:
2397 notify_name = "invalid_major_version";
2398 showspi = 0;
2399 break;
2400
2401 case IV2_NOTIFY_INVALID_SYNTAX:
2402 notify_name = "invalid_syntax";
2403 showspi = 1;
2404 break;
2405
2406 case IV2_NOTIFY_INVALID_MESSAGE_ID:
2407 notify_name = "invalid_message_id";
2408 showspi = 1;
2409 break;
2410
2411 case IV2_NOTIFY_INVALID_SPI:
2412 notify_name = "invalid_spi";
2413 showspi = 1;
2414 break;
2415
2416 case IV2_NOTIFY_NO_PROPOSAL_CHOSEN:
2417 notify_name = "no_protocol_chosen";
2418 showspi = 1;
2419 break;
2420
2421 case IV2_NOTIFY_INVALID_KE_PAYLOAD:
2422 notify_name = "invalid_ke_payload";
2423 showspi = 1;
2424 break;
2425
2426 case IV2_NOTIFY_AUTHENTICATION_FAILED:
2427 notify_name = "authentication_failed";
2428 showspi = 1;
2429 break;
2430
2431 case IV2_NOTIFY_SINGLE_PAIR_REQUIRED:
2432 notify_name = "single_pair_required";
2433 showspi = 1;
2434 break;
2435
2436 case IV2_NOTIFY_NO_ADDITIONAL_SAS:
2437 notify_name = "no_additional_sas";
2438 showspi = 0;
2439 break;
2440
2441 case IV2_NOTIFY_INTERNAL_ADDRESS_FAILURE:
2442 notify_name = "internal_address_failure";
2443 showspi = 0;
2444 break;
2445
2446 case IV2_NOTIFY_FAILED_CP_REQUIRED:
2447 notify_name = "failed:cp_required";
2448 showspi = 0;
2449 break;
2450
2451 case IV2_NOTIFY_INVALID_SELECTORS:
2452 notify_name = "invalid_selectors";
2453 showspi = 0;
2454 break;
2455
2456 case IV2_NOTIFY_INITIAL_CONTACT:
2457 notify_name = "initial_contact";
2458 showspi = 0;
2459 break;
2460
2461 case IV2_NOTIFY_SET_WINDOW_SIZE:
2462 notify_name = "set_window_size";
2463 showspi = 0;
2464 break;
2465
2466 case IV2_NOTIFY_ADDITIONAL_TS_POSSIBLE:
2467 notify_name = "additional_ts_possible";
2468 showspi = 0;
2469 break;
2470
2471 case IV2_NOTIFY_IPCOMP_SUPPORTED:
2472 notify_name = "ipcomp_supported";
2473 showspi = 0;
2474 break;
2475
2476 case IV2_NOTIFY_NAT_DETECTION_SOURCE_IP:
2477 notify_name = "nat_detection_source_ip";
2478 showspi = 1;
2479 break;
2480
2481 case IV2_NOTIFY_NAT_DETECTION_DESTINATION_IP:
2482 notify_name = "nat_detection_destination_ip";
2483 showspi = 1;
2484 break;
2485
2486 case IV2_NOTIFY_COOKIE:
2487 notify_name = "cookie";
2488 showspi = 1;
2489 showsomedata= 1;
2490 break;
2491
2492 case IV2_NOTIFY_USE_TRANSPORT_MODE:
2493 notify_name = "use_transport_mode";
2494 showspi = 0;
2495 break;
2496
2497 case IV2_NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED:
2498 notify_name = "http_cert_lookup_supported";
2499 showspi = 0;
2500 break;
2501
2502 case IV2_NOTIFY_REKEY_SA:
2503 notify_name = "rekey_sa";
2504 showspi = 1;
2505 break;
2506
2507 case IV2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED:
2508 notify_name = "tfc_padding_not_supported";
2509 showspi = 0;
2510 break;
2511
2512 case IV2_NOTIFY_NON_FIRST_FRAGMENTS_ALSO:
2513 notify_name = "non_first_fragment_also";
2514 showspi = 0;
2515 break;
2516
2517 default:
2518 if (type < 8192) {
2519 notify_name="error";
2520 } else if(type < 16384) {
2521 notify_name="private-error";
2522 } else if(type < 40960) {
2523 notify_name="status";
2524 } else {
2525 notify_name="private-status";
2526 }
2527 }
2528
2529 if(notify_name) {
2530 ND_PRINT((ndo," type=%u(%s)", type, notify_name));
2531 }
2532
2533
2534 spi_size = EXTRACT_U_1(p->spi_size);
2535 if (showspi && spi_size) {
2536 ND_PRINT((ndo," spi="));
2537 if (!rawprint(ndo, (const uint8_t *)(p + 1), spi_size))
2538 goto trunc;
2539 }
2540
2541 cp = (const u_char *)(p + 1) + spi_size;
2542
2543 if (cp < ep) {
2544 if (ndo->ndo_vflag > 3 || (showsomedata && ep-cp < 30)) {
2545 ND_PRINT((ndo," data=("));
2546 if (!rawprint(ndo, (const uint8_t *)(cp), ep - cp))
2547 goto trunc;
2548
2549 ND_PRINT((ndo,")"));
2550 } else if (showsomedata) {
2551 if (!ike_show_somedata(ndo, cp, ep))
2552 goto trunc;
2553 }
2554 }
2555
2556 return (const u_char *)ext + item_len;
2557 trunc:
2558 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_N)));
2559 return NULL;
2560 }
2561
2562 static const u_char *
2563 ikev2_d_print(netdissect_options *ndo, u_char tpay,
2564 const struct isakmp_gen *ext,
2565 u_int item_len, const u_char *ep _U_,
2566 uint32_t phase _U_, uint32_t doi _U_,
2567 uint32_t proto _U_, int depth _U_)
2568 {
2569 return ikev2_gen_print(ndo, tpay, ext, item_len);
2570 }
2571
2572 static const u_char *
2573 ikev2_vid_print(netdissect_options *ndo, u_char tpay,
2574 const struct isakmp_gen *ext,
2575 u_int item_len, const u_char *ep _U_,
2576 uint32_t phase _U_, uint32_t doi _U_,
2577 uint32_t proto _U_, int depth _U_)
2578 {
2579 const u_char *vid;
2580 u_int i, len;
2581
2582 ND_TCHECK(*ext);
2583 ikev2_pay_print(ndo, NPSTR(tpay), EXTRACT_U_1(ext->critical));
2584
2585 /*
2586 * Our caller has ensured that the length is >= 4.
2587 */
2588 ND_PRINT((ndo," len=%u vid=", item_len - 4));
2589
2590 vid = (const u_char *)(ext+1);
2591 len = item_len - 4;
2592 ND_TCHECK_LEN(vid, len);
2593 for(i=0; i<len; i++) {
2594 if(ND_ISPRINT(EXTRACT_U_1(vid + i)))
2595 ND_PRINT((ndo, "%c", EXTRACT_U_1(vid + i)));
2596 else ND_PRINT((ndo, "."));
2597 }
2598 if (2 < ndo->ndo_vflag && 4 < len) {
2599 /* Print the entire payload in hex */
2600 ND_PRINT((ndo," "));
2601 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
2602 goto trunc;
2603 }
2604 return (const u_char *)ext + item_len;
2605 trunc:
2606 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2607 return NULL;
2608 }
2609
2610 static const u_char *
2611 ikev2_TS_print(netdissect_options *ndo, u_char tpay,
2612 const struct isakmp_gen *ext,
2613 u_int item_len, const u_char *ep _U_,
2614 uint32_t phase _U_, uint32_t doi _U_,
2615 uint32_t proto _U_, int depth _U_)
2616 {
2617 return ikev2_gen_print(ndo, tpay, ext, item_len);
2618 }
2619
2620 static const u_char *
2621 ikev2_e_print(netdissect_options *ndo,
2622 #ifndef HAVE_LIBCRYPTO
2623 _U_
2624 #endif
2625 const struct isakmp *base,
2626 u_char tpay,
2627 const struct isakmp_gen *ext,
2628 u_int item_len, const u_char *ep _U_,
2629 #ifndef HAVE_LIBCRYPTO
2630 _U_
2631 #endif
2632 uint32_t phase,
2633 #ifndef HAVE_LIBCRYPTO
2634 _U_
2635 #endif
2636 uint32_t doi,
2637 #ifndef HAVE_LIBCRYPTO
2638 _U_
2639 #endif
2640 uint32_t proto,
2641 #ifndef HAVE_LIBCRYPTO
2642 _U_
2643 #endif
2644 int depth)
2645 {
2646 const u_char *dat;
2647 volatile u_int dlen;
2648 #ifdef HAVE_LIBCRYPTO
2649 uint8_t np;
2650 #endif
2651
2652 ND_TCHECK(*ext);
2653 ikev2_pay_print(ndo, NPSTR(tpay), EXTRACT_U_1(ext->critical));
2654
2655 dlen = item_len-4;
2656
2657 ND_PRINT((ndo," len=%u", dlen));
2658 if (2 < ndo->ndo_vflag && 4 < dlen) {
2659 ND_PRINT((ndo," "));
2660 if (!rawprint(ndo, (const uint8_t *)(ext + 1), dlen))
2661 goto trunc;
2662 }
2663
2664 dat = (const u_char *)(ext+1);
2665 ND_TCHECK_LEN(dat, dlen);
2666
2667 #ifdef HAVE_LIBCRYPTO
2668 np = EXTRACT_U_1(ext->np);
2669
2670 /* try to decypt it! */
2671 if(esp_print_decrypt_buffer_by_ikev2(ndo,
2672 EXTRACT_U_1(base->flags) & ISAKMP_FLAG_I,
2673 base->i_ck, base->r_ck,
2674 dat, dat+dlen)) {
2675
2676 ext = (const struct isakmp_gen *)ndo->ndo_packetp;
2677
2678 /* got it decrypted, print stuff inside. */
2679 ikev2_sub_print(ndo, base, np, ext,
2680 ndo->ndo_snapend, phase, doi, proto, depth+1);
2681 }
2682 #endif
2683
2684
2685 /* always return NULL, because E must be at end, and NP refers
2686 * to what was inside.
2687 */
2688 return NULL;
2689 trunc:
2690 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2691 return NULL;
2692 }
2693
2694 static const u_char *
2695 ikev2_cp_print(netdissect_options *ndo, u_char tpay,
2696 const struct isakmp_gen *ext,
2697 u_int item_len, const u_char *ep _U_,
2698 uint32_t phase _U_, uint32_t doi _U_,
2699 uint32_t proto _U_, int depth _U_)
2700 {
2701 return ikev2_gen_print(ndo, tpay, ext, item_len);
2702 }
2703
2704 static const u_char *
2705 ikev2_eap_print(netdissect_options *ndo, u_char tpay,
2706 const struct isakmp_gen *ext,
2707 u_int item_len, const u_char *ep _U_,
2708 uint32_t phase _U_, uint32_t doi _U_,
2709 uint32_t proto _U_, int depth _U_)
2710 {
2711 return ikev2_gen_print(ndo, tpay, ext, item_len);
2712 }
2713
2714 static const u_char *
2715 ike_sub0_print(netdissect_options *ndo,
2716 u_char np, const struct isakmp_gen *ext, const u_char *ep,
2717
2718 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
2719 {
2720 const u_char *cp;
2721 u_int item_len;
2722
2723 cp = (const u_char *)ext;
2724 ND_TCHECK(*ext);
2725
2726 /*
2727 * Since we can't have a payload length of less than 4 bytes,
2728 * we need to bail out here if the generic header is nonsensical
2729 * or truncated, otherwise we could loop forever processing
2730 * zero-length items or otherwise misdissect the packet.
2731 */
2732 item_len = EXTRACT_BE_U_2(ext->len);
2733 if (item_len <= 4)
2734 return NULL;
2735
2736 if (NPFUNC(np)) {
2737 /*
2738 * XXX - what if item_len is too short, or too long,
2739 * for this payload type?
2740 */
2741 cp = (*npfunc[np])(ndo, np, ext, item_len, ep, phase, doi, proto, depth);
2742 } else {
2743 ND_PRINT((ndo,"%s", NPSTR(np)));
2744 cp += item_len;
2745 }
2746
2747 return cp;
2748 trunc:
2749 ND_PRINT((ndo," [|isakmp]"));
2750 return NULL;
2751 }
2752
2753 static const u_char *
2754 ikev1_sub_print(netdissect_options *ndo,
2755 u_char np, const struct isakmp_gen *ext, const u_char *ep,
2756 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
2757 {
2758 const u_char *cp;
2759 int i;
2760 u_int item_len;
2761
2762 cp = (const u_char *)ext;
2763
2764 while (np) {
2765 ND_TCHECK(*ext);
2766
2767 item_len = EXTRACT_BE_U_2(ext->len);
2768 ND_TCHECK_LEN(ext, item_len);
2769
2770 depth++;
2771 ND_PRINT((ndo,"\n"));
2772 for (i = 0; i < depth; i++)
2773 ND_PRINT((ndo," "));
2774 ND_PRINT((ndo,"("));
2775 cp = ike_sub0_print(ndo, np, ext, ep, phase, doi, proto, depth);
2776 ND_PRINT((ndo,")"));
2777 depth--;
2778
2779 if (cp == NULL) {
2780 /* Zero-length subitem */
2781 return NULL;
2782 }
2783
2784 np = EXTRACT_U_1(ext->np);
2785 ext = (const struct isakmp_gen *)cp;
2786 }
2787 return cp;
2788 trunc:
2789 ND_PRINT((ndo," [|%s]", NPSTR(np)));
2790 return NULL;
2791 }
2792
2793 static char *
2794 numstr(u_int x)
2795 {
2796 static char buf[20];
2797 snprintf(buf, sizeof(buf), "#%u", x);
2798 return buf;
2799 }
2800
2801 static void
2802 ikev1_print(netdissect_options *ndo,
2803 const u_char *bp, u_int length,
2804 const u_char *bp2, const struct isakmp *base)
2805 {
2806 const struct isakmp *p;
2807 const u_char *ep;
2808 u_int flags;
2809 u_char np;
2810 int i;
2811 u_int phase;
2812
2813 p = (const struct isakmp *)bp;
2814 ep = ndo->ndo_snapend;
2815
2816 phase = (EXTRACT_BE_U_4(base->msgid) == 0) ? 1 : 2;
2817 if (phase == 1)
2818 ND_PRINT((ndo," phase %u", phase));
2819 else
2820 ND_PRINT((ndo," phase %u/others", phase));
2821
2822 i = cookie_find(&base->i_ck);
2823 if (i < 0) {
2824 if (iszero((const u_char *)&base->r_ck, sizeof(base->r_ck))) {
2825 /* the first packet */
2826 ND_PRINT((ndo," I"));
2827 if (bp2)
2828 cookie_record(&base->i_ck, bp2);
2829 } else
2830 ND_PRINT((ndo," ?"));
2831 } else {
2832 if (bp2 && cookie_isinitiator(i, bp2))
2833 ND_PRINT((ndo," I"));
2834 else if (bp2 && cookie_isresponder(i, bp2))
2835 ND_PRINT((ndo," R"));
2836 else
2837 ND_PRINT((ndo," ?"));
2838 }
2839
2840 ND_PRINT((ndo," %s", ETYPESTR(EXTRACT_U_1(base->etype))));
2841 flags = EXTRACT_U_1(base->flags);
2842 if (flags) {
2843 ND_PRINT((ndo,"[%s%s]", flags & ISAKMP_FLAG_E ? "E" : "",
2844 flags & ISAKMP_FLAG_C ? "C" : ""));
2845 }
2846
2847 if (ndo->ndo_vflag) {
2848 const struct isakmp_gen *ext;
2849
2850 ND_PRINT((ndo,":"));
2851
2852 np = EXTRACT_U_1(base->np);
2853
2854 /* regardless of phase... */
2855 if (flags & ISAKMP_FLAG_E) {
2856 /*
2857 * encrypted, nothing we can do right now.
2858 * we hope to decrypt the packet in the future...
2859 */
2860 ND_PRINT((ndo," [encrypted %s]", NPSTR(np)));
2861 goto done;
2862 }
2863
2864 CHECKLEN(p + 1, np);
2865 ext = (const struct isakmp_gen *)(p + 1);
2866 ikev1_sub_print(ndo, np, ext, ep, phase, 0, 0, 0);
2867 }
2868
2869 done:
2870 if (ndo->ndo_vflag) {
2871 if (EXTRACT_BE_U_4(base->len) != length) {
2872 ND_PRINT((ndo," (len mismatch: isakmp %u/ip %u)",
2873 EXTRACT_BE_U_4(base->len), length));
2874 }
2875 }
2876 }
2877
2878 static const u_char *
2879 ikev2_sub0_print(netdissect_options *ndo, const struct isakmp *base,
2880 u_char np,
2881 const struct isakmp_gen *ext, const u_char *ep,
2882 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
2883 {
2884 const u_char *cp;
2885 u_int item_len;
2886
2887 cp = (const u_char *)ext;
2888 ND_TCHECK(*ext);
2889
2890 /*
2891 * Since we can't have a payload length of less than 4 bytes,
2892 * we need to bail out here if the generic header is nonsensical
2893 * or truncated, otherwise we could loop forever processing
2894 * zero-length items or otherwise misdissect the packet.
2895 */
2896 item_len = EXTRACT_BE_U_2(ext->len);
2897 if (item_len <= 4)
2898 return NULL;
2899
2900 if (np == ISAKMP_NPTYPE_v2E) {
2901 cp = ikev2_e_print(ndo, base, np, ext, item_len,
2902 ep, phase, doi, proto, depth);
2903 } else if (NPFUNC(np)) {
2904 /*
2905 * XXX - what if item_len is too short, or too long,
2906 * for this payload type?
2907 */
2908 cp = (*npfunc[np])(ndo, np, ext, item_len,
2909 ep, phase, doi, proto, depth);
2910 } else {
2911 ND_PRINT((ndo,"%s", NPSTR(np)));
2912 cp += item_len;
2913 }
2914
2915 return cp;
2916 trunc:
2917 ND_PRINT((ndo," [|isakmp]"));
2918 return NULL;
2919 }
2920
2921 static const u_char *
2922 ikev2_sub_print(netdissect_options *ndo,
2923 const struct isakmp *base,
2924 u_char np, const struct isakmp_gen *ext, const u_char *ep,
2925 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
2926 {
2927 const u_char *cp;
2928 int i;
2929
2930 cp = (const u_char *)ext;
2931 while (np) {
2932 ND_TCHECK(*ext);
2933
2934 ND_TCHECK_LEN(ext, EXTRACT_BE_U_2(ext->len));
2935
2936 depth++;
2937 ND_PRINT((ndo,"\n"));
2938 for (i = 0; i < depth; i++)
2939 ND_PRINT((ndo," "));
2940 ND_PRINT((ndo,"("));
2941 cp = ikev2_sub0_print(ndo, base, np,
2942 ext, ep, phase, doi, proto, depth);
2943 ND_PRINT((ndo,")"));
2944 depth--;
2945
2946 if (cp == NULL) {
2947 /* Zero-length subitem */
2948 return NULL;
2949 }
2950
2951 np = EXTRACT_U_1(ext->np);
2952 ext = (const struct isakmp_gen *)cp;
2953 }
2954 return cp;
2955 trunc:
2956 ND_PRINT((ndo," [|%s]", NPSTR(np)));
2957 return NULL;
2958 }
2959
2960 static void
2961 ikev2_print(netdissect_options *ndo,
2962 const u_char *bp, u_int length,
2963 const u_char *bp2 _U_, const struct isakmp *base)
2964 {
2965 const struct isakmp *p;
2966 const u_char *ep;
2967 uint8_t flags;
2968 u_char np;
2969 u_int phase;
2970
2971 p = (const struct isakmp *)bp;
2972 ep = ndo->ndo_snapend;
2973
2974 phase = (EXTRACT_BE_U_4(base->msgid) == 0) ? 1 : 2;
2975 if (phase == 1)
2976 ND_PRINT((ndo, " parent_sa"));
2977 else
2978 ND_PRINT((ndo, " child_sa "));
2979
2980 ND_PRINT((ndo, " %s", ETYPESTR(EXTRACT_U_1(base->etype))));
2981 flags = EXTRACT_U_1(base->flags);
2982 if (flags) {
2983 ND_PRINT((ndo, "[%s%s%s]",
2984 flags & ISAKMP_FLAG_I ? "I" : "",
2985 flags & ISAKMP_FLAG_V ? "V" : "",
2986 flags & ISAKMP_FLAG_R ? "R" : ""));
2987 }
2988
2989 if (ndo->ndo_vflag) {
2990 const struct isakmp_gen *ext;
2991
2992 ND_PRINT((ndo, ":"));
2993
2994 np = EXTRACT_U_1(base->np);
2995
2996 /* regardless of phase... */
2997 if (flags & ISAKMP_FLAG_E) {
2998 /*
2999 * encrypted, nothing we can do right now.
3000 * we hope to decrypt the packet in the future...
3001 */
3002 ND_PRINT((ndo, " [encrypted %s]", NPSTR(np)));
3003 goto done;
3004 }
3005
3006 CHECKLEN(p + 1, np)
3007 ext = (const struct isakmp_gen *)(p + 1);
3008 ikev2_sub_print(ndo, base, np, ext, ep, phase, 0, 0, 0);
3009 }
3010
3011 done:
3012 if (ndo->ndo_vflag) {
3013 if (EXTRACT_BE_U_4(base->len) != length) {
3014 ND_PRINT((ndo, " (len mismatch: isakmp %u/ip %u)",
3015 EXTRACT_BE_U_4(base->len), length));
3016 }
3017 }
3018 }
3019
3020 void
3021 isakmp_print(netdissect_options *ndo,
3022 const u_char *bp, u_int length,
3023 const u_char *bp2)
3024 {
3025 const struct isakmp *p;
3026 const u_char *ep;
3027 u_int major, minor;
3028
3029 #ifdef HAVE_LIBCRYPTO
3030 /* initialize SAs */
3031 if (ndo->ndo_sa_list_head == NULL) {
3032 if (ndo->ndo_espsecret)
3033 esp_print_decodesecret(ndo);
3034 }
3035 #endif
3036
3037 p = (const struct isakmp *)bp;
3038 ep = ndo->ndo_snapend;
3039
3040 if ((const struct isakmp *)ep < p + 1) {
3041 ND_PRINT((ndo,"[|isakmp]"));
3042 return;
3043 }
3044
3045 ND_PRINT((ndo,"isakmp"));
3046 major = (EXTRACT_U_1(p->vers) & ISAKMP_VERS_MAJOR)
3047 >> ISAKMP_VERS_MAJOR_SHIFT;
3048 minor = (EXTRACT_U_1(p->vers) & ISAKMP_VERS_MINOR)
3049 >> ISAKMP_VERS_MINOR_SHIFT;
3050
3051 if (ndo->ndo_vflag) {
3052 ND_PRINT((ndo," %u.%u", major, minor));
3053 }
3054
3055 if (ndo->ndo_vflag) {
3056 ND_PRINT((ndo," msgid "));
3057 hexprint(ndo, p->msgid, sizeof(p->msgid));
3058 }
3059
3060 if (1 < ndo->ndo_vflag) {
3061 ND_PRINT((ndo," cookie "));
3062 hexprint(ndo, p->i_ck, sizeof(p->i_ck));
3063 ND_PRINT((ndo,"->"));
3064 hexprint(ndo, p->r_ck, sizeof(p->r_ck));
3065 }
3066 ND_PRINT((ndo,":"));
3067
3068 switch(major) {
3069 case IKEv1_MAJOR_VERSION:
3070 ikev1_print(ndo, bp, length, bp2, p);
3071 break;
3072
3073 case IKEv2_MAJOR_VERSION:
3074 ikev2_print(ndo, bp, length, bp2, p);
3075 break;
3076 }
3077 }
3078
3079 void
3080 isakmp_rfc3948_print(netdissect_options *ndo,
3081 const u_char *bp, u_int length,
3082 const u_char *bp2)
3083 {
3084 ND_TCHECK_1(bp);
3085 if(length == 1 && EXTRACT_U_1(bp)==0xff) {
3086 ND_PRINT((ndo, "isakmp-nat-keep-alive"));
3087 return;
3088 }
3089
3090 if(length < 4) {
3091 goto trunc;
3092 }
3093 ND_TCHECK_1(bp + 3);
3094
3095 /*
3096 * see if this is an IKE packet
3097 */
3098 if (EXTRACT_U_1(bp) == 0 && EXTRACT_U_1(bp + 1) == 0 &&
3099 EXTRACT_U_1(bp + 2) == 0 && EXTRACT_U_1(bp + 3) == 0) {
3100 ND_PRINT((ndo, "NONESP-encap: "));
3101 isakmp_print(ndo, bp+4, length-4, bp2);
3102 return;
3103 }
3104
3105 /* must be an ESP packet */
3106 {
3107 u_int nh, enh, padlen;
3108 int advance;
3109
3110 ND_PRINT((ndo, "UDP-encap: "));
3111
3112 advance = esp_print(ndo, bp, length, bp2, &enh, &padlen);
3113 if(advance <= 0)
3114 return;
3115
3116 bp += advance;
3117 length -= advance + padlen;
3118 nh = enh & 0xff;
3119
3120 ip_print_inner(ndo, bp, length, nh, bp2);
3121 return;
3122 }
3123
3124 trunc:
3125 ND_PRINT((ndo,"[|isakmp]"));
3126 return;
3127 }
3128
3129 /*
3130 * Local Variables:
3131 * c-style: whitesmith
3132 * c-basic-offset: 8
3133 * End:
3134 */
[mirror] the TCPdump network dissector