]> The Tcpdump Group git mirrors - tcpdump/blob - print-isakmp.c
projects / tcpdump / blob
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Simplify some expressions
[tcpdump] / print-isakmp.c
1 /*
2 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. Neither the name of the project nor the names of its contributors
14 * may be used to endorse or promote products derived from this software
15 * without specific prior written permission.
16 *
17 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27 * SUCH DAMAGE.
28 *
29 */
30
31 /* \summary: Internet Security Association and Key Management Protocol (ISAKMP) printer */
32
33 #ifdef HAVE_CONFIG_H
34 #include "config.h"
35 #endif
36
37 /* The functions from print-esp.c used in this file are only defined when both
38 * OpenSSL and evp.h are detected. Employ the same preprocessor device here.
39 */
40 #ifndef HAVE_OPENSSL_EVP_H
41 #undef HAVE_LIBCRYPTO
42 #endif
43
44 #include <netdissect-stdinc.h>
45
46 #include <string.h>
47
48 #include "netdissect.h"
49 #include "addrtoname.h"
50 #include "extract.h"
51
52 #include "ip.h"
53 #include "ip6.h"
54 #include "ipproto.h"
55
56 /* refer to RFC 2408 */
57
58 typedef u_char cookie_t[8];
59 typedef u_char msgid_t[4];
60
61 #define PORT_ISAKMP 500
62
63 /* 3.1 ISAKMP Header Format (IKEv1 and IKEv2)
64 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
65 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
66 ! Initiator !
67 ! Cookie !
68 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
69 ! Responder !
70 ! Cookie !
71 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
72 ! Next Payload ! MjVer ! MnVer ! Exchange Type ! Flags !
73 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
74 ! Message ID !
75 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
76 ! Length !
77 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
78 */
79 struct isakmp {
80 cookie_t i_ck; /* Initiator Cookie */
81 cookie_t r_ck; /* Responder Cookie */
82 uint8_t np; /* Next Payload Type */
83 uint8_t vers;
84 #define ISAKMP_VERS_MAJOR 0xf0
85 #define ISAKMP_VERS_MAJOR_SHIFT 4
86 #define ISAKMP_VERS_MINOR 0x0f
87 #define ISAKMP_VERS_MINOR_SHIFT 0
88 uint8_t etype; /* Exchange Type */
89 uint8_t flags; /* Flags */
90 msgid_t msgid;
91 uint32_t len; /* Length */
92 };
93
94 /* Next Payload Type */
95 #define ISAKMP_NPTYPE_NONE 0 /* NONE*/
96 #define ISAKMP_NPTYPE_SA 1 /* Security Association */
97 #define ISAKMP_NPTYPE_P 2 /* Proposal */
98 #define ISAKMP_NPTYPE_T 3 /* Transform */
99 #define ISAKMP_NPTYPE_KE 4 /* Key Exchange */
100 #define ISAKMP_NPTYPE_ID 5 /* Identification */
101 #define ISAKMP_NPTYPE_CERT 6 /* Certificate */
102 #define ISAKMP_NPTYPE_CR 7 /* Certificate Request */
103 #define ISAKMP_NPTYPE_HASH 8 /* Hash */
104 #define ISAKMP_NPTYPE_SIG 9 /* Signature */
105 #define ISAKMP_NPTYPE_NONCE 10 /* Nonce */
106 #define ISAKMP_NPTYPE_N 11 /* Notification */
107 #define ISAKMP_NPTYPE_D 12 /* Delete */
108 #define ISAKMP_NPTYPE_VID 13 /* Vendor ID */
109 #define ISAKMP_NPTYPE_v2E 46 /* v2 Encrypted payload */
110
111 #define IKEv1_MAJOR_VERSION 1
112 #define IKEv1_MINOR_VERSION 0
113
114 #define IKEv2_MAJOR_VERSION 2
115 #define IKEv2_MINOR_VERSION 0
116
117 /* Flags */
118 #define ISAKMP_FLAG_E 0x01 /* Encryption Bit */
119 #define ISAKMP_FLAG_C 0x02 /* Commit Bit */
120 #define ISAKMP_FLAG_extra 0x04
121
122 /* IKEv2 */
123 #define ISAKMP_FLAG_I (1 << 3) /* (I)nitiator */
124 #define ISAKMP_FLAG_V (1 << 4) /* (V)ersion */
125 #define ISAKMP_FLAG_R (1 << 5) /* (R)esponse */
126
127
128 /* 3.2 Payload Generic Header
129 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
130 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
131 ! Next Payload ! RESERVED ! Payload Length !
132 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
133 */
134 struct isakmp_gen {
135 uint8_t np; /* Next Payload */
136 uint8_t critical; /* bit 7 - critical, rest is RESERVED */
137 uint16_t len; /* Payload Length */
138 };
139
140 /* 3.3 Data Attributes
141 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
142 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
143 !A! Attribute Type ! AF=0 Attribute Length !
144 !F! ! AF=1 Attribute Value !
145 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
146 . AF=0 Attribute Value .
147 . AF=1 Not Transmitted .
148 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
149 */
150 struct isakmp_data {
151 uint16_t type; /* defined by DOI-spec, and Attribute Format */
152 uint16_t lorv; /* if f equal 1, Attribute Length */
153 /* if f equal 0, Attribute Value */
154 /* if f equal 1, Attribute Value */
155 };
156
157 /* 3.4 Security Association Payload */
158 /* MAY NOT be used, because of being defined in ipsec-doi. */
159 /*
160 If the current payload is the last in the message,
161 then the value of the next payload field will be 0.
162 This field MUST NOT contain the
163 values for the Proposal or Transform payloads as they are considered
164 part of the security association negotiation. For example, this
165 field would contain the value "10" (Nonce payload) in the first
166 message of a Base Exchange (see Section 4.4) and the value "0" in the
167 first message of an Identity Protect Exchange (see Section 4.5).
168 */
169 struct ikev1_pl_sa {
170 struct isakmp_gen h;
171 uint32_t doi; /* Domain of Interpretation */
172 uint32_t sit; /* Situation */
173 };
174
175 /* 3.5 Proposal Payload */
176 /*
177 The value of the next payload field MUST only contain the value "2"
178 or "0". If there are additional Proposal payloads in the message,
179 then this field will be 2. If the current Proposal payload is the
180 last within the security association proposal, then this field will
181 be 0.
182 */
183 struct ikev1_pl_p {
184 struct isakmp_gen h;
185 uint8_t p_no; /* Proposal # */
186 uint8_t prot_id; /* Protocol */
187 uint8_t spi_size; /* SPI Size */
188 uint8_t num_t; /* Number of Transforms */
189 /* SPI */
190 };
191
192 /* 3.6 Transform Payload */
193 /*
194 The value of the next payload field MUST only contain the value "3"
195 or "0". If there are additional Transform payloads in the proposal,
196 then this field will be 3. If the current Transform payload is the
197 last within the proposal, then this field will be 0.
198 */
199 struct ikev1_pl_t {
200 struct isakmp_gen h;
201 uint8_t t_no; /* Transform # */
202 uint8_t t_id; /* Transform-Id */
203 uint16_t reserved; /* RESERVED2 */
204 /* SA Attributes */
205 };
206
207 /* 3.7 Key Exchange Payload */
208 struct ikev1_pl_ke {
209 struct isakmp_gen h;
210 /* Key Exchange Data */
211 };
212
213 /* 3.8 Identification Payload */
214 /* MUST NOT to be used, because of being defined in ipsec-doi. */
215 struct ikev1_pl_id {
216 struct isakmp_gen h;
217 union {
218 uint8_t id_type; /* ID Type */
219 uint32_t doi_data; /* DOI Specific ID Data */
220 } d;
221 /* Identification Data */
222 };
223
224 /* 3.9 Certificate Payload */
225 struct ikev1_pl_cert {
226 struct isakmp_gen h;
227 uint8_t encode; /* Cert Encoding */
228 char cert; /* Certificate Data */
229 /*
230 This field indicates the type of
231 certificate or certificate-related information contained in the
232 Certificate Data field.
233 */
234 };
235
236 /* 3.10 Certificate Request Payload */
237 struct ikev1_pl_cr {
238 struct isakmp_gen h;
239 uint8_t num_cert; /* # Cert. Types */
240 /*
241 Certificate Types (variable length)
242 -- Contains a list of the types of certificates requested,
243 sorted in order of preference. Each individual certificate
244 type is 1 octet. This field is NOT requiredo
245 */
246 /* # Certificate Authorities (1 octet) */
247 /* Certificate Authorities (variable length) */
248 };
249
250 /* 3.11 Hash Payload */
251 /* may not be used, because of having only data. */
252 struct ikev1_pl_hash {
253 struct isakmp_gen h;
254 /* Hash Data */
255 };
256
257 /* 3.12 Signature Payload */
258 /* may not be used, because of having only data. */
259 struct ikev1_pl_sig {
260 struct isakmp_gen h;
261 /* Signature Data */
262 };
263
264 /* 3.13 Nonce Payload */
265 /* may not be used, because of having only data. */
266 struct ikev1_pl_nonce {
267 struct isakmp_gen h;
268 /* Nonce Data */
269 };
270
271 /* 3.14 Notification Payload */
272 struct ikev1_pl_n {
273 struct isakmp_gen h;
274 uint32_t doi; /* Domain of Interpretation */
275 uint8_t prot_id; /* Protocol-ID */
276 uint8_t spi_size; /* SPI Size */
277 uint16_t type; /* Notify Message Type */
278 /* SPI */
279 /* Notification Data */
280 };
281
282 /* 3.14.1 Notify Message Types */
283 /* NOTIFY MESSAGES - ERROR TYPES */
284 #define ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE 1
285 #define ISAKMP_NTYPE_DOI_NOT_SUPPORTED 2
286 #define ISAKMP_NTYPE_SITUATION_NOT_SUPPORTED 3
287 #define ISAKMP_NTYPE_INVALID_COOKIE 4
288 #define ISAKMP_NTYPE_INVALID_MAJOR_VERSION 5
289 #define ISAKMP_NTYPE_INVALID_MINOR_VERSION 6
290 #define ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE 7
291 #define ISAKMP_NTYPE_INVALID_FLAGS 8
292 #define ISAKMP_NTYPE_INVALID_MESSAGE_ID 9
293 #define ISAKMP_NTYPE_INVALID_PROTOCOL_ID 10
294 #define ISAKMP_NTYPE_INVALID_SPI 11
295 #define ISAKMP_NTYPE_INVALID_TRANSFORM_ID 12
296 #define ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED 13
297 #define ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN 14
298 #define ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX 15
299 #define ISAKMP_NTYPE_PAYLOAD_MALFORMED 16
300 #define ISAKMP_NTYPE_INVALID_KEY_INFORMATION 17
301 #define ISAKMP_NTYPE_INVALID_ID_INFORMATION 18
302 #define ISAKMP_NTYPE_INVALID_CERT_ENCODING 19
303 #define ISAKMP_NTYPE_INVALID_CERTIFICATE 20
304 #define ISAKMP_NTYPE_BAD_CERT_REQUEST_SYNTAX 21
305 #define ISAKMP_NTYPE_INVALID_CERT_AUTHORITY 22
306 #define ISAKMP_NTYPE_INVALID_HASH_INFORMATION 23
307 #define ISAKMP_NTYPE_AUTHENTICATION_FAILED 24
308 #define ISAKMP_NTYPE_INVALID_SIGNATURE 25
309 #define ISAKMP_NTYPE_ADDRESS_NOTIFICATION 26
310
311 /* 3.15 Delete Payload */
312 struct ikev1_pl_d {
313 struct isakmp_gen h;
314 uint32_t doi; /* Domain of Interpretation */
315 uint8_t prot_id; /* Protocol-Id */
316 uint8_t spi_size; /* SPI Size */
317 uint16_t num_spi; /* # of SPIs */
318 /* SPI(es) */
319 };
320
321 struct ikev1_ph1tab {
322 struct ikev1_ph1 *head;
323 struct ikev1_ph1 *tail;
324 int len;
325 };
326
327 struct isakmp_ph2tab {
328 struct ikev1_ph2 *head;
329 struct ikev1_ph2 *tail;
330 int len;
331 };
332
333 /* IKEv2 (RFC4306) */
334
335 /* 3.3 Security Association Payload -- generic header */
336 /* 3.3.1. Proposal Substructure */
337 struct ikev2_p {
338 struct isakmp_gen h;
339 uint8_t p_no; /* Proposal # */
340 uint8_t prot_id; /* Protocol */
341 uint8_t spi_size; /* SPI Size */
342 uint8_t num_t; /* Number of Transforms */
343 };
344
345 /* 3.3.2. Transform Substructure */
346 struct ikev2_t {
347 struct isakmp_gen h;
348 uint8_t t_type; /* Transform Type (ENCR,PRF,INTEG,etc.*/
349 uint8_t res2; /* reserved byte */
350 uint16_t t_id; /* Transform ID */
351 };
352
353 enum ikev2_t_type {
354 IV2_T_ENCR = 1,
355 IV2_T_PRF = 2,
356 IV2_T_INTEG= 3,
357 IV2_T_DH = 4,
358 IV2_T_ESN = 5
359 };
360
361 /* 3.4. Key Exchange Payload */
362 struct ikev2_ke {
363 struct isakmp_gen h;
364 uint16_t ke_group;
365 uint16_t ke_res1;
366 /* KE data */
367 };
368
369
370 /* 3.5. Identification Payloads */
371 enum ikev2_id_type {
372 ID_IPV4_ADDR=1,
373 ID_FQDN=2,
374 ID_RFC822_ADDR=3,
375 ID_IPV6_ADDR=5,
376 ID_DER_ASN1_DN=9,
377 ID_DER_ASN1_GN=10,
378 ID_KEY_ID=11
379 };
380 struct ikev2_id {
381 struct isakmp_gen h;
382 uint8_t type; /* ID type */
383 uint8_t res1;
384 uint16_t res2;
385 /* SPI */
386 /* Notification Data */
387 };
388
389 /* 3.10 Notification Payload */
390 struct ikev2_n {
391 struct isakmp_gen h;
392 uint8_t prot_id; /* Protocol-ID */
393 uint8_t spi_size; /* SPI Size */
394 uint16_t type; /* Notify Message Type */
395 };
396
397 enum ikev2_n_type {
398 IV2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD = 1,
399 IV2_NOTIFY_INVALID_IKE_SPI = 4,
400 IV2_NOTIFY_INVALID_MAJOR_VERSION = 5,
401 IV2_NOTIFY_INVALID_SYNTAX = 7,
402 IV2_NOTIFY_INVALID_MESSAGE_ID = 9,
403 IV2_NOTIFY_INVALID_SPI =11,
404 IV2_NOTIFY_NO_PROPOSAL_CHOSEN =14,
405 IV2_NOTIFY_INVALID_KE_PAYLOAD =17,
406 IV2_NOTIFY_AUTHENTICATION_FAILED =24,
407 IV2_NOTIFY_SINGLE_PAIR_REQUIRED =34,
408 IV2_NOTIFY_NO_ADDITIONAL_SAS =35,
409 IV2_NOTIFY_INTERNAL_ADDRESS_FAILURE =36,
410 IV2_NOTIFY_FAILED_CP_REQUIRED =37,
411 IV2_NOTIFY_INVALID_SELECTORS =39,
412 IV2_NOTIFY_INITIAL_CONTACT =16384,
413 IV2_NOTIFY_SET_WINDOW_SIZE =16385,
414 IV2_NOTIFY_ADDITIONAL_TS_POSSIBLE =16386,
415 IV2_NOTIFY_IPCOMP_SUPPORTED =16387,
416 IV2_NOTIFY_NAT_DETECTION_SOURCE_IP =16388,
417 IV2_NOTIFY_NAT_DETECTION_DESTINATION_IP =16389,
418 IV2_NOTIFY_COOKIE =16390,
419 IV2_NOTIFY_USE_TRANSPORT_MODE =16391,
420 IV2_NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED =16392,
421 IV2_NOTIFY_REKEY_SA =16393,
422 IV2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED =16394,
423 IV2_NOTIFY_NON_FIRST_FRAGMENTS_ALSO =16395
424 };
425
426 struct notify_messages {
427 uint16_t type;
428 char *msg;
429 };
430
431 /* 3.8 Authentication Payload */
432 struct ikev2_auth {
433 struct isakmp_gen h;
434 uint8_t auth_method; /* Protocol-ID */
435 uint8_t reserved[3];
436 /* authentication data */
437 };
438
439 enum ikev2_auth_type {
440 IV2_RSA_SIG = 1,
441 IV2_SHARED = 2,
442 IV2_DSS_SIG = 3
443 };
444
445 /* refer to RFC 2409 */
446
447 #if 0
448 /* isakmp sa structure */
449 struct oakley_sa {
450 uint8_t proto_id; /* OAKLEY */
451 vchar_t *spi; /* spi */
452 uint8_t dhgrp; /* DH; group */
453 uint8_t auth_t; /* method of authentication */
454 uint8_t prf_t; /* type of prf */
455 uint8_t hash_t; /* type of hash */
456 uint8_t enc_t; /* type of cipher */
457 uint8_t life_t; /* type of duration of lifetime */
458 uint32_t ldur; /* life duration */
459 };
460 #endif
461
462 /* refer to RFC 2407 */
463
464 #define IPSEC_DOI 1
465
466 /* 4.2 IPSEC Situation Definition */
467 #define IPSECDOI_SIT_IDENTITY_ONLY 0x00000001
468 #define IPSECDOI_SIT_SECRECY 0x00000002
469 #define IPSECDOI_SIT_INTEGRITY 0x00000004
470
471 /* 4.4.1 IPSEC Security Protocol Identifiers */
472 /* 4.4.2 IPSEC ISAKMP Transform Values */
473 #define IPSECDOI_PROTO_ISAKMP 1
474 #define IPSECDOI_KEY_IKE 1
475
476 /* 4.4.1 IPSEC Security Protocol Identifiers */
477 #define IPSECDOI_PROTO_IPSEC_AH 2
478 /* 4.4.3 IPSEC AH Transform Values */
479 #define IPSECDOI_AH_MD5 2
480 #define IPSECDOI_AH_SHA 3
481 #define IPSECDOI_AH_DES 4
482 #define IPSECDOI_AH_SHA2_256 5
483 #define IPSECDOI_AH_SHA2_384 6
484 #define IPSECDOI_AH_SHA2_512 7
485
486 /* 4.4.1 IPSEC Security Protocol Identifiers */
487 #define IPSECDOI_PROTO_IPSEC_ESP 3
488 /* 4.4.4 IPSEC ESP Transform Identifiers */
489 #define IPSECDOI_ESP_DES_IV64 1
490 #define IPSECDOI_ESP_DES 2
491 #define IPSECDOI_ESP_3DES 3
492 #define IPSECDOI_ESP_RC5 4
493 #define IPSECDOI_ESP_IDEA 5
494 #define IPSECDOI_ESP_CAST 6
495 #define IPSECDOI_ESP_BLOWFISH 7
496 #define IPSECDOI_ESP_3IDEA 8
497 #define IPSECDOI_ESP_DES_IV32 9
498 #define IPSECDOI_ESP_RC4 10
499 #define IPSECDOI_ESP_NULL 11
500 #define IPSECDOI_ESP_RIJNDAEL 12
501 #define IPSECDOI_ESP_AES 12
502
503 /* 4.4.1 IPSEC Security Protocol Identifiers */
504 #define IPSECDOI_PROTO_IPCOMP 4
505 /* 4.4.5 IPSEC IPCOMP Transform Identifiers */
506 #define IPSECDOI_IPCOMP_OUI 1
507 #define IPSECDOI_IPCOMP_DEFLATE 2
508 #define IPSECDOI_IPCOMP_LZS 3
509
510 /* 4.5 IPSEC Security Association Attributes */
511 #define IPSECDOI_ATTR_SA_LTYPE 1 /* B */
512 #define IPSECDOI_ATTR_SA_LTYPE_DEFAULT 1
513 #define IPSECDOI_ATTR_SA_LTYPE_SEC 1
514 #define IPSECDOI_ATTR_SA_LTYPE_KB 2
515 #define IPSECDOI_ATTR_SA_LDUR 2 /* V */
516 #define IPSECDOI_ATTR_SA_LDUR_DEFAULT 28800 /* 8 hours */
517 #define IPSECDOI_ATTR_GRP_DESC 3 /* B */
518 #define IPSECDOI_ATTR_ENC_MODE 4 /* B */
519 /* default value: host dependent */
520 #define IPSECDOI_ATTR_ENC_MODE_TUNNEL 1
521 #define IPSECDOI_ATTR_ENC_MODE_TRNS 2
522 #define IPSECDOI_ATTR_AUTH 5 /* B */
523 /* 0 means not to use authentication. */
524 #define IPSECDOI_ATTR_AUTH_HMAC_MD5 1
525 #define IPSECDOI_ATTR_AUTH_HMAC_SHA1 2
526 #define IPSECDOI_ATTR_AUTH_DES_MAC 3
527 #define IPSECDOI_ATTR_AUTH_KPDK 4 /*RFC-1826(Key/Pad/Data/Key)*/
528 /*
529 * When negotiating ESP without authentication, the Auth
530 * Algorithm attribute MUST NOT be included in the proposal.
531 * When negotiating ESP without confidentiality, the Auth
532 * Algorithm attribute MUST be included in the proposal and
533 * the ESP transform ID must be ESP_NULL.
534 */
535 #define IPSECDOI_ATTR_KEY_LENGTH 6 /* B */
536 #define IPSECDOI_ATTR_KEY_ROUNDS 7 /* B */
537 #define IPSECDOI_ATTR_COMP_DICT_SIZE 8 /* B */
538 #define IPSECDOI_ATTR_COMP_PRIVALG 9 /* V */
539
540 /* 4.6.1 Security Association Payload */
541 struct ipsecdoi_sa {
542 struct isakmp_gen h;
543 uint32_t doi; /* Domain of Interpretation */
544 uint32_t sit; /* Situation */
545 };
546
547 struct ipsecdoi_secrecy_h {
548 uint16_t len;
549 uint16_t reserved;
550 };
551
552 /* 4.6.2.1 Identification Type Values */
553 struct ipsecdoi_id {
554 struct isakmp_gen h;
555 uint8_t type; /* ID Type */
556 uint8_t proto_id; /* Protocol ID */
557 uint16_t port; /* Port */
558 /* Identification Data */
559 };
560
561 #define IPSECDOI_ID_IPV4_ADDR 1
562 #define IPSECDOI_ID_FQDN 2
563 #define IPSECDOI_ID_USER_FQDN 3
564 #define IPSECDOI_ID_IPV4_ADDR_SUBNET 4
565 #define IPSECDOI_ID_IPV6_ADDR 5
566 #define IPSECDOI_ID_IPV6_ADDR_SUBNET 6
567 #define IPSECDOI_ID_IPV4_ADDR_RANGE 7
568 #define IPSECDOI_ID_IPV6_ADDR_RANGE 8
569 #define IPSECDOI_ID_DER_ASN1_DN 9
570 #define IPSECDOI_ID_DER_ASN1_GN 10
571 #define IPSECDOI_ID_KEY_ID 11
572
573 /* 4.6.3 IPSEC DOI Notify Message Types */
574 /* Notify Messages - Status Types */
575 #define IPSECDOI_NTYPE_RESPONDER_LIFETIME 24576
576 #define IPSECDOI_NTYPE_REPLAY_STATUS 24577
577 #define IPSECDOI_NTYPE_INITIAL_CONTACT 24578
578
579 #define DECLARE_PRINTER(func) static const u_char *ike##func##_print( \
580 netdissect_options *ndo, u_char tpay, \
581 const struct isakmp_gen *ext, \
582 u_int item_len, \
583 const u_char *end_pointer, \
584 uint32_t phase,\
585 uint32_t doi0, \
586 uint32_t proto0, int depth)
587
588 DECLARE_PRINTER(v1_sa);
589 DECLARE_PRINTER(v1_p);
590 DECLARE_PRINTER(v1_t);
591 DECLARE_PRINTER(v1_ke);
592 DECLARE_PRINTER(v1_id);
593 DECLARE_PRINTER(v1_cert);
594 DECLARE_PRINTER(v1_cr);
595 DECLARE_PRINTER(v1_sig);
596 DECLARE_PRINTER(v1_hash);
597 DECLARE_PRINTER(v1_nonce);
598 DECLARE_PRINTER(v1_n);
599 DECLARE_PRINTER(v1_d);
600 DECLARE_PRINTER(v1_vid);
601
602 DECLARE_PRINTER(v2_sa);
603 DECLARE_PRINTER(v2_ke);
604 DECLARE_PRINTER(v2_ID);
605 DECLARE_PRINTER(v2_cert);
606 DECLARE_PRINTER(v2_cr);
607 DECLARE_PRINTER(v2_auth);
608 DECLARE_PRINTER(v2_nonce);
609 DECLARE_PRINTER(v2_n);
610 DECLARE_PRINTER(v2_d);
611 DECLARE_PRINTER(v2_vid);
612 DECLARE_PRINTER(v2_TS);
613 DECLARE_PRINTER(v2_cp);
614 DECLARE_PRINTER(v2_eap);
615
616 static const u_char *ikev2_e_print(netdissect_options *ndo,
617 struct isakmp *base,
618 u_char tpay,
619 const struct isakmp_gen *ext,
620 u_int item_len,
621 const u_char *end_pointer,
622 uint32_t phase,
623 uint32_t doi0,
624 uint32_t proto0, int depth);
625
626
627 static const u_char *ike_sub0_print(netdissect_options *ndo,u_char, const struct isakmp_gen *,
628 const u_char *, uint32_t, uint32_t, uint32_t, int);
629 static const u_char *ikev1_sub_print(netdissect_options *ndo,u_char, const struct isakmp_gen *,
630 const u_char *, uint32_t, uint32_t, uint32_t, int);
631
632 static const u_char *ikev2_sub_print(netdissect_options *ndo,
633 struct isakmp *base,
634 u_char np, const struct isakmp_gen *ext,
635 const u_char *ep, uint32_t phase,
636 uint32_t doi, uint32_t proto,
637 int depth);
638
639
640 static char *numstr(int);
641
642 static void
643 ikev1_print(netdissect_options *ndo,
644 const u_char *bp, u_int length,
645 const u_char *bp2, struct isakmp *base);
646
647 #define MAXINITIATORS 20
648 static int ninitiator = 0;
649 union inaddr_u {
650 struct in_addr in4;
651 struct in6_addr in6;
652 };
653 static struct {
654 cookie_t initiator;
655 u_int version;
656 union inaddr_u iaddr;
657 union inaddr_u raddr;
658 } cookiecache[MAXINITIATORS];
659
660 /* protocol id */
661 static const char *protoidstr[] = {
662 NULL, "isakmp", "ipsec-ah", "ipsec-esp", "ipcomp",
663 };
664
665 /* isakmp->np */
666 static const char *npstr[] = {
667 "none", "sa", "p", "t", "ke", "id", "cert", "cr", "hash", /* 0 - 8 */
668 "sig", "nonce", "n", "d", "vid", /* 9 - 13 */
669 "pay14", "pay15", "pay16", "pay17", "pay18", /* 14- 18 */
670 "pay19", "pay20", "pay21", "pay22", "pay23", /* 19- 23 */
671 "pay24", "pay25", "pay26", "pay27", "pay28", /* 24- 28 */
672 "pay29", "pay30", "pay31", "pay32", /* 29- 32 */
673 "v2sa", "v2ke", "v2IDi", "v2IDr", "v2cert",/* 33- 37 */
674 "v2cr", "v2auth","v2nonce", "v2n", "v2d", /* 38- 42 */
675 "v2vid", "v2TSi", "v2TSr", "v2e", "v2cp", /* 43- 47 */
676 "v2eap", /* 48 */
677
678 };
679
680 /* isakmp->np */
681 static const u_char *(*npfunc[])(netdissect_options *ndo, u_char tpay,
682 const struct isakmp_gen *ext,
683 u_int item_len,
684 const u_char *end_pointer,
685 uint32_t phase,
686 uint32_t doi0,
687 uint32_t proto0, int depth) = {
688 NULL,
689 ikev1_sa_print,
690 ikev1_p_print,
691 ikev1_t_print,
692 ikev1_ke_print,
693 ikev1_id_print,
694 ikev1_cert_print,
695 ikev1_cr_print,
696 ikev1_hash_print,
697 ikev1_sig_print,
698 ikev1_nonce_print,
699 ikev1_n_print,
700 ikev1_d_print,
701 ikev1_vid_print, /* 13 */
702 NULL, NULL, NULL, NULL, NULL, /* 14- 18 */
703 NULL, NULL, NULL, NULL, NULL, /* 19- 23 */
704 NULL, NULL, NULL, NULL, NULL, /* 24- 28 */
705 NULL, NULL, NULL, NULL, /* 29- 32 */
706 ikev2_sa_print, /* 33 */
707 ikev2_ke_print, /* 34 */
708 ikev2_ID_print, /* 35 */
709 ikev2_ID_print, /* 36 */
710 ikev2_cert_print, /* 37 */
711 ikev2_cr_print, /* 38 */
712 ikev2_auth_print, /* 39 */
713 ikev2_nonce_print, /* 40 */
714 ikev2_n_print, /* 41 */
715 ikev2_d_print, /* 42 */
716 ikev2_vid_print, /* 43 */
717 ikev2_TS_print, /* 44 */
718 ikev2_TS_print, /* 45 */
719 NULL, /* ikev2_e_print,*/ /* 46 - special */
720 ikev2_cp_print, /* 47 */
721 ikev2_eap_print, /* 48 */
722 };
723
724 /* isakmp->etype */
725 static const char *etypestr[] = {
726 /* IKEv1 exchange types */
727 "none", "base", "ident", "auth", "agg", "inf", NULL, NULL, /* 0-7 */
728 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 8-15 */
729 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 16-23 */
730 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 24-31 */
731 "oakley-quick", "oakley-newgroup", /* 32-33 */
732 /* IKEv2 exchange types */
733 "ikev2_init", "ikev2_auth", "child_sa", "inf2" /* 34-37 */
734 };
735
736 #define STR_OR_ID(x, tab) \
737 (((x) < sizeof(tab)/sizeof(tab[0]) && tab[(x)]) ? tab[(x)] : numstr(x))
738 #define PROTOIDSTR(x) STR_OR_ID(x, protoidstr)
739 #define NPSTR(x) STR_OR_ID(x, npstr)
740 #define ETYPESTR(x) STR_OR_ID(x, etypestr)
741
742 #define CHECKLEN(p, np) \
743 if (ep < (const u_char *)(p)) { \
744 ND_PRINT((ndo," [|%s]", NPSTR(np))); \
745 goto done; \
746 }
747
748
749 #define NPFUNC(x) \
750 (((x) < sizeof(npfunc)/sizeof(npfunc[0]) && npfunc[(x)]) \
751 ? npfunc[(x)] : NULL)
752
753 static int
754 iszero(const u_char *p, size_t l)
755 {
756 while (l--) {
757 if (*p++)
758 return 0;
759 }
760 return 1;
761 }
762
763 /* find cookie from initiator cache */
764 static int
765 cookie_find(cookie_t *in)
766 {
767 int i;
768
769 for (i = 0; i < MAXINITIATORS; i++) {
770 if (memcmp(in, &cookiecache[i].initiator, sizeof(*in)) == 0)
771 return i;
772 }
773
774 return -1;
775 }
776
777 /* record initiator */
778 static void
779 cookie_record(cookie_t *in, const u_char *bp2)
780 {
781 int i;
782 const struct ip *ip;
783 const struct ip6_hdr *ip6;
784
785 i = cookie_find(in);
786 if (0 <= i) {
787 ninitiator = (i + 1) % MAXINITIATORS;
788 return;
789 }
790
791 ip = (const struct ip *)bp2;
792 switch (IP_V(ip)) {
793 case 4:
794 cookiecache[ninitiator].version = 4;
795 UNALIGNED_MEMCPY(&cookiecache[ninitiator].iaddr.in4, &ip->ip_src, sizeof(struct in_addr));
796 UNALIGNED_MEMCPY(&cookiecache[ninitiator].raddr.in4, &ip->ip_dst, sizeof(struct in_addr));
797 break;
798 case 6:
799 ip6 = (const struct ip6_hdr *)bp2;
800 cookiecache[ninitiator].version = 6;
801 UNALIGNED_MEMCPY(&cookiecache[ninitiator].iaddr.in6, &ip6->ip6_src, sizeof(struct in6_addr));
802 UNALIGNED_MEMCPY(&cookiecache[ninitiator].raddr.in6, &ip6->ip6_dst, sizeof(struct in6_addr));
803 break;
804 default:
805 return;
806 }
807 UNALIGNED_MEMCPY(&cookiecache[ninitiator].initiator, in, sizeof(*in));
808 ninitiator = (ninitiator + 1) % MAXINITIATORS;
809 }
810
811 #define cookie_isinitiator(x, y) cookie_sidecheck((x), (y), 1)
812 #define cookie_isresponder(x, y) cookie_sidecheck((x), (y), 0)
813 static int
814 cookie_sidecheck(int i, const u_char *bp2, int initiator)
815 {
816 const struct ip *ip;
817 const struct ip6_hdr *ip6;
818
819 ip = (const struct ip *)bp2;
820 switch (IP_V(ip)) {
821 case 4:
822 if (cookiecache[i].version != 4)
823 return 0;
824 if (initiator) {
825 if (UNALIGNED_MEMCMP(&ip->ip_src, &cookiecache[i].iaddr.in4, sizeof(struct in_addr)) == 0)
826 return 1;
827 } else {
828 if (UNALIGNED_MEMCMP(&ip->ip_src, &cookiecache[i].raddr.in4, sizeof(struct in_addr)) == 0)
829 return 1;
830 }
831 break;
832 case 6:
833 if (cookiecache[i].version != 6)
834 return 0;
835 ip6 = (const struct ip6_hdr *)bp2;
836 if (initiator) {
837 if (UNALIGNED_MEMCMP(&ip6->ip6_src, &cookiecache[i].iaddr.in6, sizeof(struct in6_addr)) == 0)
838 return 1;
839 } else {
840 if (UNALIGNED_MEMCMP(&ip6->ip6_src, &cookiecache[i].raddr.in6, sizeof(struct in6_addr)) == 0)
841 return 1;
842 }
843 break;
844 default:
845 break;
846 }
847
848 return 0;
849 }
850
851 static void
852 hexprint(netdissect_options *ndo, const uint8_t *loc, size_t len)
853 {
854 const uint8_t *p;
855 size_t i;
856
857 p = loc;
858 for (i = 0; i < len; i++)
859 ND_PRINT((ndo,"%02x", p[i] & 0xff));
860 }
861
862 static int
863 rawprint(netdissect_options *ndo, const uint8_t *loc, size_t len)
864 {
865 ND_TCHECK2(*loc, len);
866
867 hexprint(ndo, loc, len);
868 return 1;
869 trunc:
870 return 0;
871 }
872
873
874 /*
875 * returns false if we run out of data buffer
876 */
877 static int ike_show_somedata(netdissect_options *ndo,
878 const u_char *cp, const u_char *ep)
879 {
880 /* there is too much data, just show some of it */
881 const u_char *end = ep - 20;
882 int elen = 20;
883 int len = ep - cp;
884 if(len > 10) {
885 len = 10;
886 }
887
888 /* really shouldn't happen because of above */
889 if(end < cp + len) {
890 end = cp+len;
891 elen = ep - end;
892 }
893
894 ND_PRINT((ndo," data=("));
895 if(!rawprint(ndo, (const uint8_t *)(cp), len)) goto trunc;
896 ND_PRINT((ndo, "..."));
897 if(elen) {
898 if(!rawprint(ndo, (const uint8_t *)(end), elen)) goto trunc;
899 }
900 ND_PRINT((ndo,")"));
901 return 1;
902
903 trunc:
904 return 0;
905 }
906
907 struct attrmap {
908 const char *type;
909 u_int nvalue;
910 const char *value[30]; /*XXX*/
911 };
912
913 static const u_char *
914 ikev1_attrmap_print(netdissect_options *ndo,
915 const u_char *p, const u_char *ep2,
916 const struct attrmap *map, size_t nmap)
917 {
918 int totlen;
919 uint32_t t, v;
920
921 ND_TCHECK(p[0]);
922 if (p[0] & 0x80)
923 totlen = 4;
924 else {
925 ND_TCHECK_2(p + 2);
926 totlen = 4 + EXTRACT_BE_U_2(p + 2);
927 }
928 if (ep2 < p + totlen) {
929 ND_PRINT((ndo,"[|attr]"));
930 return ep2 + 1;
931 }
932
933 ND_TCHECK_2(p);
934 ND_PRINT((ndo,"("));
935 t = EXTRACT_BE_U_2(p) & 0x7fff;
936 if (map && t < nmap && map[t].type)
937 ND_PRINT((ndo,"type=%s ", map[t].type));
938 else
939 ND_PRINT((ndo,"type=#%d ", t));
940 if (p[0] & 0x80) {
941 ND_PRINT((ndo,"value="));
942 ND_TCHECK_2(p + 2);
943 v = EXTRACT_BE_U_2(p + 2);
944 if (map && t < nmap && v < map[t].nvalue && map[t].value[v])
945 ND_PRINT((ndo,"%s", map[t].value[v]));
946 else {
947 if (!rawprint(ndo, (const uint8_t *)(p + 2), 2)) {
948 ND_PRINT((ndo,")"));
949 goto trunc;
950 }
951 }
952 } else {
953 ND_PRINT((ndo,"len=%d value=", totlen - 4));
954 if (!rawprint(ndo, (const uint8_t *)(p + 4), totlen - 4)) {
955 ND_PRINT((ndo,")"));
956 goto trunc;
957 }
958 }
959 ND_PRINT((ndo,")"));
960 return p + totlen;
961
962 trunc:
963 return NULL;
964 }
965
966 static const u_char *
967 ikev1_attr_print(netdissect_options *ndo, const u_char *p, const u_char *ep2)
968 {
969 int totlen;
970 uint32_t t;
971
972 ND_TCHECK(p[0]);
973 if (p[0] & 0x80)
974 totlen = 4;
975 else {
976 ND_TCHECK_2(p + 2);
977 totlen = 4 + EXTRACT_BE_U_2(p + 2);
978 }
979 if (ep2 < p + totlen) {
980 ND_PRINT((ndo,"[|attr]"));
981 return ep2 + 1;
982 }
983
984 ND_TCHECK_2(p);
985 ND_PRINT((ndo,"("));
986 t = EXTRACT_BE_U_2(p) & 0x7fff;
987 ND_PRINT((ndo,"type=#%d ", t));
988 if (p[0] & 0x80) {
989 ND_PRINT((ndo,"value="));
990 t = p[2];
991 if (!rawprint(ndo, (const uint8_t *)(p + 2), 2)) {
992 ND_PRINT((ndo,")"));
993 goto trunc;
994 }
995 } else {
996 ND_PRINT((ndo,"len=%d value=", totlen - 4));
997 if (!rawprint(ndo, (const uint8_t *)(p + 4), totlen - 4)) {
998 ND_PRINT((ndo,")"));
999 goto trunc;
1000 }
1001 }
1002 ND_PRINT((ndo,")"));
1003 return p + totlen;
1004
1005 trunc:
1006 return NULL;
1007 }
1008
1009 static const u_char *
1010 ikev1_sa_print(netdissect_options *ndo, u_char tpay _U_,
1011 const struct isakmp_gen *ext,
1012 u_int item_len _U_,
1013 const u_char *ep, uint32_t phase, uint32_t doi0 _U_,
1014 uint32_t proto0, int depth)
1015 {
1016 const struct ikev1_pl_sa *p;
1017 struct ikev1_pl_sa sa;
1018 uint32_t doi, sit, ident;
1019 const u_char *cp, *np;
1020 int t;
1021
1022 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_SA)));
1023
1024 p = (const struct ikev1_pl_sa *)ext;
1025 ND_TCHECK(*p);
1026 UNALIGNED_MEMCPY(&sa, ext, sizeof(sa));
1027 doi = ntohl(sa.doi);
1028 sit = ntohl(sa.sit);
1029 if (doi != 1) {
1030 ND_PRINT((ndo," doi=%d", doi));
1031 ND_PRINT((ndo," situation=%u", (uint32_t)ntohl(sa.sit)));
1032 return (const u_char *)(p + 1);
1033 }
1034
1035 ND_PRINT((ndo," doi=ipsec"));
1036 ND_PRINT((ndo," situation="));
1037 t = 0;
1038 if (sit & 0x01) {
1039 ND_PRINT((ndo,"identity"));
1040 t++;
1041 }
1042 if (sit & 0x02) {
1043 ND_PRINT((ndo,"%ssecrecy", t ? "+" : ""));
1044 t++;
1045 }
1046 if (sit & 0x04)
1047 ND_PRINT((ndo,"%sintegrity", t ? "+" : ""));
1048
1049 np = (const u_char *)ext + sizeof(sa);
1050 if (sit != 0x01) {
1051 ND_TCHECK2(*(ext + 1), sizeof(ident));
1052 UNALIGNED_MEMCPY(&ident, ext + 1, sizeof(ident));
1053 ND_PRINT((ndo," ident=%u", (uint32_t)ntohl(ident)));
1054 np += sizeof(ident);
1055 }
1056
1057 ext = (const struct isakmp_gen *)np;
1058 ND_TCHECK(*ext);
1059
1060 cp = ikev1_sub_print(ndo, ISAKMP_NPTYPE_P, ext, ep, phase, doi, proto0,
1061 depth);
1062
1063 return cp;
1064 trunc:
1065 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_SA)));
1066 return NULL;
1067 }
1068
1069 static const u_char *
1070 ikev1_p_print(netdissect_options *ndo, u_char tpay _U_,
1071 const struct isakmp_gen *ext, u_int item_len _U_,
1072 const u_char *ep, uint32_t phase, uint32_t doi0,
1073 uint32_t proto0 _U_, int depth)
1074 {
1075 const struct ikev1_pl_p *p;
1076 struct ikev1_pl_p prop;
1077 const u_char *cp;
1078
1079 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_P)));
1080
1081 p = (const struct ikev1_pl_p *)ext;
1082 ND_TCHECK(*p);
1083 UNALIGNED_MEMCPY(&prop, ext, sizeof(prop));
1084 ND_PRINT((ndo," #%d protoid=%s transform=%d",
1085 prop.p_no, PROTOIDSTR(prop.prot_id), prop.num_t));
1086 if (prop.spi_size) {
1087 ND_PRINT((ndo," spi="));
1088 if (!rawprint(ndo, (const uint8_t *)(p + 1), prop.spi_size))
1089 goto trunc;
1090 }
1091
1092 ext = (const struct isakmp_gen *)((const u_char *)(p + 1) + prop.spi_size);
1093 ND_TCHECK(*ext);
1094
1095 cp = ikev1_sub_print(ndo, ISAKMP_NPTYPE_T, ext, ep, phase, doi0,
1096 prop.prot_id, depth);
1097
1098 return cp;
1099 trunc:
1100 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_P)));
1101 return NULL;
1102 }
1103
1104 static const char *ikev1_p_map[] = {
1105 NULL, "ike",
1106 };
1107
1108 static const char *ikev2_t_type_map[]={
1109 NULL, "encr", "prf", "integ", "dh", "esn"
1110 };
1111
1112 static const char *ah_p_map[] = {
1113 NULL, "(reserved)", "md5", "sha", "1des",
1114 "sha2-256", "sha2-384", "sha2-512",
1115 };
1116
1117 static const char *prf_p_map[] = {
1118 NULL, "hmac-md5", "hmac-sha", "hmac-tiger",
1119 "aes128_xcbc"
1120 };
1121
1122 static const char *integ_p_map[] = {
1123 NULL, "hmac-md5", "hmac-sha", "dec-mac",
1124 "kpdk-md5", "aes-xcbc"
1125 };
1126
1127 static const char *esn_p_map[] = {
1128 "no-esn", "esn"
1129 };
1130
1131 static const char *dh_p_map[] = {
1132 NULL, "modp768",
1133 "modp1024", /* group 2 */
1134 "EC2N 2^155", /* group 3 */
1135 "EC2N 2^185", /* group 4 */
1136 "modp1536", /* group 5 */
1137 "iana-grp06", "iana-grp07", /* reserved */
1138 "iana-grp08", "iana-grp09",
1139 "iana-grp10", "iana-grp11",
1140 "iana-grp12", "iana-grp13",
1141 "modp2048", /* group 14 */
1142 "modp3072", /* group 15 */
1143 "modp4096", /* group 16 */
1144 "modp6144", /* group 17 */
1145 "modp8192", /* group 18 */
1146 };
1147
1148 static const char *esp_p_map[] = {
1149 NULL, "1des-iv64", "1des", "3des", "rc5", "idea", "cast",
1150 "blowfish", "3idea", "1des-iv32", "rc4", "null", "aes"
1151 };
1152
1153 static const char *ipcomp_p_map[] = {
1154 NULL, "oui", "deflate", "lzs",
1155 };
1156
1157 static const struct attrmap ipsec_t_map[] = {
1158 { NULL, 0, { NULL } },
1159 { "lifetype", 3, { NULL, "sec", "kb", }, },
1160 { "life", 0, { NULL } },
1161 { "group desc", 18, { NULL, "modp768",
1162 "modp1024", /* group 2 */
1163 "EC2N 2^155", /* group 3 */
1164 "EC2N 2^185", /* group 4 */
1165 "modp1536", /* group 5 */
1166 "iana-grp06", "iana-grp07", /* reserved */
1167 "iana-grp08", "iana-grp09",
1168 "iana-grp10", "iana-grp11",
1169 "iana-grp12", "iana-grp13",
1170 "modp2048", /* group 14 */
1171 "modp3072", /* group 15 */
1172 "modp4096", /* group 16 */
1173 "modp6144", /* group 17 */
1174 "modp8192", /* group 18 */
1175 }, },
1176 { "enc mode", 3, { NULL, "tunnel", "transport", }, },
1177 { "auth", 5, { NULL, "hmac-md5", "hmac-sha1", "1des-mac", "keyed", }, },
1178 { "keylen", 0, { NULL } },
1179 { "rounds", 0, { NULL } },
1180 { "dictsize", 0, { NULL } },
1181 { "privalg", 0, { NULL } },
1182 };
1183
1184 static const struct attrmap encr_t_map[] = {
1185 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 0, 1 */
1186 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 2, 3 */
1187 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 4, 5 */
1188 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 6, 7 */
1189 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 8, 9 */
1190 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 10,11*/
1191 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 12,13*/
1192 { "keylen", 14, { NULL }},
1193 };
1194
1195 static const struct attrmap oakley_t_map[] = {
1196 { NULL, 0, { NULL } },
1197 { "enc", 8, { NULL, "1des", "idea", "blowfish", "rc5",
1198 "3des", "cast", "aes", }, },
1199 { "hash", 7, { NULL, "md5", "sha1", "tiger",
1200 "sha2-256", "sha2-384", "sha2-512", }, },
1201 { "auth", 6, { NULL, "preshared", "dss", "rsa sig", "rsa enc",
1202 "rsa enc revised", }, },
1203 { "group desc", 18, { NULL, "modp768",
1204 "modp1024", /* group 2 */
1205 "EC2N 2^155", /* group 3 */
1206 "EC2N 2^185", /* group 4 */
1207 "modp1536", /* group 5 */
1208 "iana-grp06", "iana-grp07", /* reserved */
1209 "iana-grp08", "iana-grp09",
1210 "iana-grp10", "iana-grp11",
1211 "iana-grp12", "iana-grp13",
1212 "modp2048", /* group 14 */
1213 "modp3072", /* group 15 */
1214 "modp4096", /* group 16 */
1215 "modp6144", /* group 17 */
1216 "modp8192", /* group 18 */
1217 }, },
1218 { "group type", 4, { NULL, "MODP", "ECP", "EC2N", }, },
1219 { "group prime", 0, { NULL } },
1220 { "group gen1", 0, { NULL } },
1221 { "group gen2", 0, { NULL } },
1222 { "group curve A", 0, { NULL } },
1223 { "group curve B", 0, { NULL } },
1224 { "lifetype", 3, { NULL, "sec", "kb", }, },
1225 { "lifeduration", 0, { NULL } },
1226 { "prf", 0, { NULL } },
1227 { "keylen", 0, { NULL } },
1228 { "field", 0, { NULL } },
1229 { "order", 0, { NULL } },
1230 };
1231
1232 static const u_char *
1233 ikev1_t_print(netdissect_options *ndo, u_char tpay _U_,
1234 const struct isakmp_gen *ext, u_int item_len,
1235 const u_char *ep, uint32_t phase _U_, uint32_t doi _U_,
1236 uint32_t proto, int depth _U_)
1237 {
1238 const struct ikev1_pl_t *p;
1239 struct ikev1_pl_t t;
1240 const u_char *cp;
1241 const char *idstr;
1242 const struct attrmap *map;
1243 size_t nmap;
1244 const u_char *ep2;
1245
1246 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_T)));
1247
1248 p = (const struct ikev1_pl_t *)ext;
1249 ND_TCHECK(*p);
1250 UNALIGNED_MEMCPY(&t, ext, sizeof(t));
1251
1252 switch (proto) {
1253 case 1:
1254 idstr = STR_OR_ID(t.t_id, ikev1_p_map);
1255 map = oakley_t_map;
1256 nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]);
1257 break;
1258 case 2:
1259 idstr = STR_OR_ID(t.t_id, ah_p_map);
1260 map = ipsec_t_map;
1261 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
1262 break;
1263 case 3:
1264 idstr = STR_OR_ID(t.t_id, esp_p_map);
1265 map = ipsec_t_map;
1266 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
1267 break;
1268 case 4:
1269 idstr = STR_OR_ID(t.t_id, ipcomp_p_map);
1270 map = ipsec_t_map;
1271 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
1272 break;
1273 default:
1274 idstr = NULL;
1275 map = NULL;
1276 nmap = 0;
1277 break;
1278 }
1279
1280 if (idstr)
1281 ND_PRINT((ndo," #%d id=%s ", t.t_no, idstr));
1282 else
1283 ND_PRINT((ndo," #%d id=%d ", t.t_no, t.t_id));
1284 cp = (const u_char *)(p + 1);
1285 ep2 = (const u_char *)p + item_len;
1286 while (cp < ep && cp < ep2) {
1287 if (map && nmap)
1288 cp = ikev1_attrmap_print(ndo, cp, ep2, map, nmap);
1289 else
1290 cp = ikev1_attr_print(ndo, cp, ep2);
1291 if (cp == NULL)
1292 goto trunc;
1293 }
1294 if (ep < ep2)
1295 ND_PRINT((ndo,"..."));
1296 return cp;
1297 trunc:
1298 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_T)));
1299 return NULL;
1300 }
1301
1302 static const u_char *
1303 ikev1_ke_print(netdissect_options *ndo, u_char tpay _U_,
1304 const struct isakmp_gen *ext, u_int item_len _U_,
1305 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_,
1306 uint32_t proto _U_, int depth _U_)
1307 {
1308 struct isakmp_gen e;
1309
1310 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_KE)));
1311
1312 ND_TCHECK(*ext);
1313 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1314 ND_PRINT((ndo," key len=%d", ntohs(e.len) - 4));
1315 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1316 /* Print the entire payload in hex */
1317 ND_PRINT((ndo," "));
1318 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
1319 goto trunc;
1320 }
1321 return (const u_char *)ext + ntohs(e.len);
1322 trunc:
1323 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_KE)));
1324 return NULL;
1325 }
1326
1327 static const u_char *
1328 ikev1_id_print(netdissect_options *ndo, u_char tpay _U_,
1329 const struct isakmp_gen *ext, u_int item_len,
1330 const u_char *ep _U_, uint32_t phase, uint32_t doi _U_,
1331 uint32_t proto _U_, int depth _U_)
1332 {
1333 #define USE_IPSECDOI_IN_PHASE1 1
1334 const struct ikev1_pl_id *p;
1335 struct ikev1_pl_id id;
1336 static const char *idtypestr[] = {
1337 "IPv4", "IPv4net", "IPv6", "IPv6net",
1338 };
1339 static const char *ipsecidtypestr[] = {
1340 NULL, "IPv4", "FQDN", "user FQDN", "IPv4net", "IPv6",
1341 "IPv6net", "IPv4range", "IPv6range", "ASN1 DN", "ASN1 GN",
1342 "keyid",
1343 };
1344 int len;
1345 const u_char *data;
1346
1347 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_ID)));
1348
1349 p = (const struct ikev1_pl_id *)ext;
1350 ND_TCHECK(*p);
1351 UNALIGNED_MEMCPY(&id, ext, sizeof(id));
1352 if (sizeof(*p) < item_len) {
1353 data = (const u_char *)(p + 1);
1354 len = item_len - sizeof(*p);
1355 } else {
1356 data = NULL;
1357 len = 0;
1358 }
1359
1360 #if 0 /*debug*/
1361 ND_PRINT((ndo," [phase=%d doi=%d proto=%d]", phase, doi, proto));
1362 #endif
1363 switch (phase) {
1364 #ifndef USE_IPSECDOI_IN_PHASE1
1365 case 1:
1366 #endif
1367 default:
1368 ND_PRINT((ndo," idtype=%s", STR_OR_ID(id.d.id_type, idtypestr)));
1369 ND_PRINT((ndo," doi_data=%u",
1370 (uint32_t)(ntohl(id.d.doi_data) & 0xffffff)));
1371 break;
1372
1373 #ifdef USE_IPSECDOI_IN_PHASE1
1374 case 1:
1375 #endif
1376 case 2:
1377 {
1378 const struct ipsecdoi_id *doi_p;
1379 struct ipsecdoi_id doi_id;
1380 const char *p_name;
1381
1382 doi_p = (const struct ipsecdoi_id *)ext;
1383 ND_TCHECK(*doi_p);
1384 UNALIGNED_MEMCPY(&doi_id, ext, sizeof(doi_id));
1385 ND_PRINT((ndo," idtype=%s", STR_OR_ID(doi_id.type, ipsecidtypestr)));
1386 /* A protocol ID of 0 DOES NOT mean IPPROTO_IP! */
1387 if (!ndo->ndo_nflag && doi_id.proto_id && (p_name = netdb_protoname(doi_id.proto_id)) != NULL)
1388 ND_PRINT((ndo," protoid=%s", p_name));
1389 else
1390 ND_PRINT((ndo," protoid=%u", doi_id.proto_id));
1391 ND_PRINT((ndo," port=%d", ntohs(doi_id.port)));
1392 if (!len)
1393 break;
1394 if (data == NULL)
1395 goto trunc;
1396 ND_TCHECK2(*data, len);
1397 switch (doi_id.type) {
1398 case IPSECDOI_ID_IPV4_ADDR:
1399 if (len < 4)
1400 ND_PRINT((ndo," len=%d [bad: < 4]", len));
1401 else
1402 ND_PRINT((ndo," len=%d %s", len, ipaddr_string(ndo, data)));
1403 len = 0;
1404 break;
1405 case IPSECDOI_ID_FQDN:
1406 case IPSECDOI_ID_USER_FQDN:
1407 {
1408 int i;
1409 ND_PRINT((ndo," len=%d ", len));
1410 for (i = 0; i < len; i++)
1411 safeputchar(ndo, EXTRACT_U_1(data + i));
1412 len = 0;
1413 break;
1414 }
1415 case IPSECDOI_ID_IPV4_ADDR_SUBNET:
1416 {
1417 const u_char *mask;
1418 if (len < 8)
1419 ND_PRINT((ndo," len=%d [bad: < 8]", len));
1420 else {
1421 mask = data + sizeof(struct in_addr);
1422 ND_PRINT((ndo," len=%d %s/%u.%u.%u.%u", len,
1423 ipaddr_string(ndo, data),
1424 EXTRACT_U_1(mask), EXTRACT_U_1(mask + 1),
1425 EXTRACT_U_1(mask + 2), EXTRACT_U_1(mask + 3)));
1426 }
1427 len = 0;
1428 break;
1429 }
1430 case IPSECDOI_ID_IPV6_ADDR:
1431 if (len < 16)
1432 ND_PRINT((ndo," len=%d [bad: < 16]", len));
1433 else
1434 ND_PRINT((ndo," len=%d %s", len, ip6addr_string(ndo, data)));
1435 len = 0;
1436 break;
1437 case IPSECDOI_ID_IPV6_ADDR_SUBNET:
1438 {
1439 const u_char *mask;
1440 if (len < 32)
1441 ND_PRINT((ndo," len=%d [bad: < 32]", len));
1442 else {
1443 mask = (const u_char *)(data + sizeof(struct in6_addr));
1444 /*XXX*/
1445 ND_PRINT((ndo," len=%d %s/0x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x", len,
1446 ip6addr_string(ndo, data),
1447 EXTRACT_U_1(mask), EXTRACT_U_1(mask + 1), EXTRACT_U_1(mask + 2), EXTRACT_U_1(mask + 3),
1448 EXTRACT_U_1(mask + 4), EXTRACT_U_1(mask + 5), EXTRACT_U_1(mask + 6), EXTRACT_U_1(mask + 7),
1449 EXTRACT_U_1(mask + 8), EXTRACT_U_1(mask + 9), EXTRACT_U_1(mask + 10), EXTRACT_U_1(mask + 11),
1450 EXTRACT_U_1(mask + 12), EXTRACT_U_1(mask + 13), EXTRACT_U_1(mask + 14), EXTRACT_U_1(mask + 15)));
1451 }
1452 len = 0;
1453 break;
1454 }
1455 case IPSECDOI_ID_IPV4_ADDR_RANGE:
1456 if (len < 8)
1457 ND_PRINT((ndo," len=%d [bad: < 8]", len));
1458 else {
1459 ND_PRINT((ndo," len=%d %s-%s", len,
1460 ipaddr_string(ndo, data),
1461 ipaddr_string(ndo, data + sizeof(struct in_addr))));
1462 }
1463 len = 0;
1464 break;
1465 case IPSECDOI_ID_IPV6_ADDR_RANGE:
1466 if (len < 32)
1467 ND_PRINT((ndo," len=%d [bad: < 32]", len));
1468 else {
1469 ND_PRINT((ndo," len=%d %s-%s", len,
1470 ip6addr_string(ndo, data),
1471 ip6addr_string(ndo, data + sizeof(struct in6_addr))));
1472 }
1473 len = 0;
1474 break;
1475 case IPSECDOI_ID_DER_ASN1_DN:
1476 case IPSECDOI_ID_DER_ASN1_GN:
1477 case IPSECDOI_ID_KEY_ID:
1478 break;
1479 }
1480 break;
1481 }
1482 }
1483 if (data && len) {
1484 ND_PRINT((ndo," len=%d", len));
1485 if (2 < ndo->ndo_vflag) {
1486 ND_PRINT((ndo," "));
1487 if (!rawprint(ndo, (const uint8_t *)data, len))
1488 goto trunc;
1489 }
1490 }
1491 return (const u_char *)ext + item_len;
1492 trunc:
1493 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_ID)));
1494 return NULL;
1495 }
1496
1497 static const u_char *
1498 ikev1_cert_print(netdissect_options *ndo, u_char tpay _U_,
1499 const struct isakmp_gen *ext, u_int item_len,
1500 const u_char *ep _U_, uint32_t phase _U_,
1501 uint32_t doi0 _U_,
1502 uint32_t proto0 _U_, int depth _U_)
1503 {
1504 const struct ikev1_pl_cert *p;
1505 struct ikev1_pl_cert cert;
1506 static const char *certstr[] = {
1507 "none", "pkcs7", "pgp", "dns",
1508 "x509sign", "x509ke", "kerberos", "crl",
1509 "arl", "spki", "x509attr",
1510 };
1511
1512 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_CERT)));
1513
1514 p = (const struct ikev1_pl_cert *)ext;
1515 ND_TCHECK(*p);
1516 UNALIGNED_MEMCPY(&cert, ext, sizeof(cert));
1517 ND_PRINT((ndo," len=%d", item_len - 4));
1518 ND_PRINT((ndo," type=%s", STR_OR_ID((cert.encode), certstr)));
1519 if (2 < ndo->ndo_vflag && 4 < item_len) {
1520 /* Print the entire payload in hex */
1521 ND_PRINT((ndo," "));
1522 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1523 goto trunc;
1524 }
1525 return (const u_char *)ext + item_len;
1526 trunc:
1527 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_CERT)));
1528 return NULL;
1529 }
1530
1531 static const u_char *
1532 ikev1_cr_print(netdissect_options *ndo, u_char tpay _U_,
1533 const struct isakmp_gen *ext, u_int item_len,
1534 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi0 _U_,
1535 uint32_t proto0 _U_, int depth _U_)
1536 {
1537 const struct ikev1_pl_cert *p;
1538 struct ikev1_pl_cert cert;
1539 static const char *certstr[] = {
1540 "none", "pkcs7", "pgp", "dns",
1541 "x509sign", "x509ke", "kerberos", "crl",
1542 "arl", "spki", "x509attr",
1543 };
1544
1545 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_CR)));
1546
1547 p = (const struct ikev1_pl_cert *)ext;
1548 ND_TCHECK(*p);
1549 UNALIGNED_MEMCPY(&cert, ext, sizeof(cert));
1550 ND_PRINT((ndo," len=%d", item_len - 4));
1551 ND_PRINT((ndo," type=%s", STR_OR_ID((cert.encode), certstr)));
1552 if (2 < ndo->ndo_vflag && 4 < item_len) {
1553 /* Print the entire payload in hex */
1554 ND_PRINT((ndo," "));
1555 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1556 goto trunc;
1557 }
1558 return (const u_char *)ext + item_len;
1559 trunc:
1560 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_CR)));
1561 return NULL;
1562 }
1563
1564 static const u_char *
1565 ikev1_hash_print(netdissect_options *ndo, u_char tpay _U_,
1566 const struct isakmp_gen *ext, u_int item_len _U_,
1567 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_,
1568 uint32_t proto _U_, int depth _U_)
1569 {
1570 struct isakmp_gen e;
1571
1572 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_HASH)));
1573
1574 ND_TCHECK(*ext);
1575 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1576 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
1577 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1578 /* Print the entire payload in hex */
1579 ND_PRINT((ndo," "));
1580 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
1581 goto trunc;
1582 }
1583 return (const u_char *)ext + ntohs(e.len);
1584 trunc:
1585 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_HASH)));
1586 return NULL;
1587 }
1588
1589 static const u_char *
1590 ikev1_sig_print(netdissect_options *ndo, u_char tpay _U_,
1591 const struct isakmp_gen *ext, u_int item_len _U_,
1592 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_,
1593 uint32_t proto _U_, int depth _U_)
1594 {
1595 struct isakmp_gen e;
1596
1597 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_SIG)));
1598
1599 ND_TCHECK(*ext);
1600 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1601 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
1602 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1603 /* Print the entire payload in hex */
1604 ND_PRINT((ndo," "));
1605 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
1606 goto trunc;
1607 }
1608 return (const u_char *)ext + ntohs(e.len);
1609 trunc:
1610 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_SIG)));
1611 return NULL;
1612 }
1613
1614 static const u_char *
1615 ikev1_nonce_print(netdissect_options *ndo, u_char tpay _U_,
1616 const struct isakmp_gen *ext,
1617 u_int item_len _U_,
1618 const u_char *ep,
1619 uint32_t phase _U_, uint32_t doi _U_,
1620 uint32_t proto _U_, int depth _U_)
1621 {
1622 struct isakmp_gen e;
1623
1624 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_NONCE)));
1625
1626 ND_TCHECK(*ext);
1627 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1628 /*
1629 * Our caller has ensured that the length is >= 4.
1630 */
1631 ND_PRINT((ndo," n len=%u", ntohs(e.len) - 4));
1632 if (ntohs(e.len) > 4) {
1633 if (ndo->ndo_vflag > 2) {
1634 ND_PRINT((ndo, " "));
1635 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
1636 goto trunc;
1637 } else if (ndo->ndo_vflag > 1) {
1638 ND_PRINT((ndo, " "));
1639 if (!ike_show_somedata(ndo, (const u_char *)(ext + 1), ep))
1640 goto trunc;
1641 }
1642 }
1643 return (const u_char *)ext + ntohs(e.len);
1644 trunc:
1645 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_NONCE)));
1646 return NULL;
1647 }
1648
1649 static const u_char *
1650 ikev1_n_print(netdissect_options *ndo, u_char tpay _U_,
1651 const struct isakmp_gen *ext, u_int item_len,
1652 const u_char *ep, uint32_t phase _U_, uint32_t doi0 _U_,
1653 uint32_t proto0 _U_, int depth _U_)
1654 {
1655 const struct ikev1_pl_n *p;
1656 struct ikev1_pl_n n;
1657 const u_char *cp;
1658 const u_char *ep2;
1659 uint32_t doi;
1660 uint32_t proto;
1661 static const char *notify_error_str[] = {
1662 NULL, "INVALID-PAYLOAD-TYPE",
1663 "DOI-NOT-SUPPORTED", "SITUATION-NOT-SUPPORTED",
1664 "INVALID-COOKIE", "INVALID-MAJOR-VERSION",
1665 "INVALID-MINOR-VERSION", "INVALID-EXCHANGE-TYPE",
1666 "INVALID-FLAGS", "INVALID-MESSAGE-ID",
1667 "INVALID-PROTOCOL-ID", "INVALID-SPI",
1668 "INVALID-TRANSFORM-ID", "ATTRIBUTES-NOT-SUPPORTED",
1669 "NO-PROPOSAL-CHOSEN", "BAD-PROPOSAL-SYNTAX",
1670 "PAYLOAD-MALFORMED", "INVALID-KEY-INFORMATION",
1671 "INVALID-ID-INFORMATION", "INVALID-CERT-ENCODING",
1672 "INVALID-CERTIFICATE", "CERT-TYPE-UNSUPPORTED",
1673 "INVALID-CERT-AUTHORITY", "INVALID-HASH-INFORMATION",
1674 "AUTHENTICATION-FAILED", "INVALID-SIGNATURE",
1675 "ADDRESS-NOTIFICATION", "NOTIFY-SA-LIFETIME",
1676 "CERTIFICATE-UNAVAILABLE", "UNSUPPORTED-EXCHANGE-TYPE",
1677 "UNEQUAL-PAYLOAD-LENGTHS",
1678 };
1679 static const char *ipsec_notify_error_str[] = {
1680 "RESERVED",
1681 };
1682 static const char *notify_status_str[] = {
1683 "CONNECTED",
1684 };
1685 static const char *ipsec_notify_status_str[] = {
1686 "RESPONDER-LIFETIME", "REPLAY-STATUS",
1687 "INITIAL-CONTACT",
1688 };
1689 /* NOTE: these macro must be called with x in proper range */
1690
1691 /* 0 - 8191 */
1692 #define NOTIFY_ERROR_STR(x) \
1693 STR_OR_ID((x), notify_error_str)
1694
1695 /* 8192 - 16383 */
1696 #define IPSEC_NOTIFY_ERROR_STR(x) \
1697 STR_OR_ID((u_int)((x) - 8192), ipsec_notify_error_str)
1698
1699 /* 16384 - 24575 */
1700 #define NOTIFY_STATUS_STR(x) \
1701 STR_OR_ID((u_int)((x) - 16384), notify_status_str)
1702
1703 /* 24576 - 32767 */
1704 #define IPSEC_NOTIFY_STATUS_STR(x) \
1705 STR_OR_ID((u_int)((x) - 24576), ipsec_notify_status_str)
1706
1707 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_N)));
1708
1709 p = (const struct ikev1_pl_n *)ext;
1710 ND_TCHECK(*p);
1711 UNALIGNED_MEMCPY(&n, ext, sizeof(n));
1712 doi = ntohl(n.doi);
1713 proto = n.prot_id;
1714 if (doi != 1) {
1715 ND_PRINT((ndo," doi=%d", doi));
1716 ND_PRINT((ndo," proto=%d", proto));
1717 if (ntohs(n.type) < 8192)
1718 ND_PRINT((ndo," type=%s", NOTIFY_ERROR_STR(ntohs(n.type))));
1719 else if (ntohs(n.type) < 16384)
1720 ND_PRINT((ndo," type=%s", numstr(ntohs(n.type))));
1721 else if (ntohs(n.type) < 24576)
1722 ND_PRINT((ndo," type=%s", NOTIFY_STATUS_STR(ntohs(n.type))));
1723 else
1724 ND_PRINT((ndo," type=%s", numstr(ntohs(n.type))));
1725 if (n.spi_size) {
1726 ND_PRINT((ndo," spi="));
1727 if (!rawprint(ndo, (const uint8_t *)(p + 1), n.spi_size))
1728 goto trunc;
1729 }
1730 return (const u_char *)(p + 1) + n.spi_size;
1731 }
1732
1733 ND_PRINT((ndo," doi=ipsec"));
1734 ND_PRINT((ndo," proto=%s", PROTOIDSTR(proto)));
1735 if (ntohs(n.type) < 8192)
1736 ND_PRINT((ndo," type=%s", NOTIFY_ERROR_STR(ntohs(n.type))));
1737 else if (ntohs(n.type) < 16384)
1738 ND_PRINT((ndo," type=%s", IPSEC_NOTIFY_ERROR_STR(ntohs(n.type))));
1739 else if (ntohs(n.type) < 24576)
1740 ND_PRINT((ndo," type=%s", NOTIFY_STATUS_STR(ntohs(n.type))));
1741 else if (ntohs(n.type) < 32768)
1742 ND_PRINT((ndo," type=%s", IPSEC_NOTIFY_STATUS_STR(ntohs(n.type))));
1743 else
1744 ND_PRINT((ndo," type=%s", numstr(ntohs(n.type))));
1745 if (n.spi_size) {
1746 ND_PRINT((ndo," spi="));
1747 if (!rawprint(ndo, (const uint8_t *)(p + 1), n.spi_size))
1748 goto trunc;
1749 }
1750
1751 cp = (const u_char *)(p + 1) + n.spi_size;
1752 ep2 = (const u_char *)p + item_len;
1753
1754 if (cp < ep) {
1755 switch (ntohs(n.type)) {
1756 case IPSECDOI_NTYPE_RESPONDER_LIFETIME:
1757 {
1758 const struct attrmap *map = oakley_t_map;
1759 size_t nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]);
1760 ND_PRINT((ndo," attrs=("));
1761 while (cp < ep && cp < ep2) {
1762 cp = ikev1_attrmap_print(ndo, cp, ep2, map, nmap);
1763 if (cp == NULL) {
1764 ND_PRINT((ndo,")"));
1765 goto trunc;
1766 }
1767 }
1768 ND_PRINT((ndo,")"));
1769 break;
1770 }
1771 case IPSECDOI_NTYPE_REPLAY_STATUS:
1772 ND_PRINT((ndo," status=("));
1773 ND_PRINT((ndo,"replay detection %sabled",
1774 EXTRACT_BE_U_4(cp) ? "en" : "dis"));
1775 ND_PRINT((ndo,")"));
1776 break;
1777 default:
1778 /*
1779 * XXX - fill in more types here; see, for example,
1780 * draft-ietf-ipsec-notifymsg-04.
1781 */
1782 if (ndo->ndo_vflag > 3) {
1783 ND_PRINT((ndo," data=("));
1784 if (!rawprint(ndo, (const uint8_t *)(cp), ep - cp))
1785 goto trunc;
1786 ND_PRINT((ndo,")"));
1787 } else {
1788 if (!ike_show_somedata(ndo, cp, ep))
1789 goto trunc;
1790 }
1791 break;
1792 }
1793 }
1794 return (const u_char *)ext + item_len;
1795 trunc:
1796 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_N)));
1797 return NULL;
1798 }
1799
1800 static const u_char *
1801 ikev1_d_print(netdissect_options *ndo, u_char tpay _U_,
1802 const struct isakmp_gen *ext, u_int item_len _U_,
1803 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi0 _U_,
1804 uint32_t proto0 _U_, int depth _U_)
1805 {
1806 const struct ikev1_pl_d *p;
1807 struct ikev1_pl_d d;
1808 const uint8_t *q;
1809 uint32_t doi;
1810 uint32_t proto;
1811 int i;
1812
1813 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_D)));
1814
1815 p = (const struct ikev1_pl_d *)ext;
1816 ND_TCHECK(*p);
1817 UNALIGNED_MEMCPY(&d, ext, sizeof(d));
1818 doi = ntohl(d.doi);
1819 proto = d.prot_id;
1820 if (doi != 1) {
1821 ND_PRINT((ndo," doi=%u", doi));
1822 ND_PRINT((ndo," proto=%u", proto));
1823 } else {
1824 ND_PRINT((ndo," doi=ipsec"));
1825 ND_PRINT((ndo," proto=%s", PROTOIDSTR(proto)));
1826 }
1827 ND_PRINT((ndo," spilen=%u", d.spi_size));
1828 ND_PRINT((ndo," nspi=%u", ntohs(d.num_spi)));
1829 ND_PRINT((ndo," spi="));
1830 q = (const uint8_t *)(p + 1);
1831 for (i = 0; i < ntohs(d.num_spi); i++) {
1832 if (i != 0)
1833 ND_PRINT((ndo,","));
1834 if (!rawprint(ndo, (const uint8_t *)q, d.spi_size))
1835 goto trunc;
1836 q += d.spi_size;
1837 }
1838 return q;
1839 trunc:
1840 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_D)));
1841 return NULL;
1842 }
1843
1844 static const u_char *
1845 ikev1_vid_print(netdissect_options *ndo, u_char tpay _U_,
1846 const struct isakmp_gen *ext,
1847 u_int item_len _U_, const u_char *ep _U_,
1848 uint32_t phase _U_, uint32_t doi _U_,
1849 uint32_t proto _U_, int depth _U_)
1850 {
1851 struct isakmp_gen e;
1852
1853 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_VID)));
1854
1855 ND_TCHECK(*ext);
1856 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1857 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
1858 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1859 /* Print the entire payload in hex */
1860 ND_PRINT((ndo," "));
1861 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
1862 goto trunc;
1863 }
1864 return (const u_char *)ext + ntohs(e.len);
1865 trunc:
1866 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_VID)));
1867 return NULL;
1868 }
1869
1870 /************************************************************/
1871 /* */
1872 /* IKE v2 - rfc4306 - dissector */
1873 /* */
1874 /************************************************************/
1875
1876 static void
1877 ikev2_pay_print(netdissect_options *ndo, const char *payname, int critical)
1878 {
1879 ND_PRINT((ndo,"%s%s:", payname, critical&0x80 ? "[C]" : ""));
1880 }
1881
1882 static const u_char *
1883 ikev2_gen_print(netdissect_options *ndo, u_char tpay,
1884 const struct isakmp_gen *ext)
1885 {
1886 struct isakmp_gen e;
1887
1888 ND_TCHECK(*ext);
1889 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1890 ikev2_pay_print(ndo, NPSTR(tpay), e.critical);
1891
1892 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
1893 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1894 /* Print the entire payload in hex */
1895 ND_PRINT((ndo," "));
1896 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
1897 goto trunc;
1898 }
1899 return (const u_char *)ext + ntohs(e.len);
1900 trunc:
1901 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
1902 return NULL;
1903 }
1904
1905 static const u_char *
1906 ikev2_t_print(netdissect_options *ndo, int tcount,
1907 const struct isakmp_gen *ext, u_int item_len,
1908 const u_char *ep)
1909 {
1910 const struct ikev2_t *p;
1911 struct ikev2_t t;
1912 uint16_t t_id;
1913 const u_char *cp;
1914 const char *idstr;
1915 const struct attrmap *map;
1916 size_t nmap;
1917 const u_char *ep2;
1918
1919 p = (const struct ikev2_t *)ext;
1920 ND_TCHECK(*p);
1921 UNALIGNED_MEMCPY(&t, ext, sizeof(t));
1922 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_T), t.h.critical);
1923
1924 t_id = ntohs(t.t_id);
1925
1926 map = NULL;
1927 nmap = 0;
1928
1929 switch (t.t_type) {
1930 case IV2_T_ENCR:
1931 idstr = STR_OR_ID(t_id, esp_p_map);
1932 map = encr_t_map;
1933 nmap = sizeof(encr_t_map)/sizeof(encr_t_map[0]);
1934 break;
1935
1936 case IV2_T_PRF:
1937 idstr = STR_OR_ID(t_id, prf_p_map);
1938 break;
1939
1940 case IV2_T_INTEG:
1941 idstr = STR_OR_ID(t_id, integ_p_map);
1942 break;
1943
1944 case IV2_T_DH:
1945 idstr = STR_OR_ID(t_id, dh_p_map);
1946 break;
1947
1948 case IV2_T_ESN:
1949 idstr = STR_OR_ID(t_id, esn_p_map);
1950 break;
1951
1952 default:
1953 idstr = NULL;
1954 break;
1955 }
1956
1957 if (idstr)
1958 ND_PRINT((ndo," #%u type=%s id=%s ", tcount,
1959 STR_OR_ID(t.t_type, ikev2_t_type_map),
1960 idstr));
1961 else
1962 ND_PRINT((ndo," #%u type=%s id=%u ", tcount,
1963 STR_OR_ID(t.t_type, ikev2_t_type_map),
1964 t.t_id));
1965 cp = (const u_char *)(p + 1);
1966 ep2 = (const u_char *)p + item_len;
1967 while (cp < ep && cp < ep2) {
1968 if (map && nmap) {
1969 cp = ikev1_attrmap_print(ndo, cp, ep2, map, nmap);
1970 } else
1971 cp = ikev1_attr_print(ndo, cp, ep2);
1972 if (cp == NULL)
1973 goto trunc;
1974 }
1975 if (ep < ep2)
1976 ND_PRINT((ndo,"..."));
1977 return cp;
1978 trunc:
1979 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_T)));
1980 return NULL;
1981 }
1982
1983 static const u_char *
1984 ikev2_p_print(netdissect_options *ndo, u_char tpay _U_, int pcount _U_,
1985 const struct isakmp_gen *ext, u_int oprop_length,
1986 const u_char *ep, int depth)
1987 {
1988 const struct ikev2_p *p;
1989 struct ikev2_p prop;
1990 u_int prop_length;
1991 const u_char *cp;
1992 int i;
1993 int tcount;
1994 u_char np;
1995 struct isakmp_gen e;
1996 u_int item_len;
1997
1998 p = (const struct ikev2_p *)ext;
1999 ND_TCHECK(*p);
2000 UNALIGNED_MEMCPY(&prop, ext, sizeof(prop));
2001
2002 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_P), prop.h.critical);
2003
2004 /*
2005 * ikev2_sa_print() guarantees that this is >= 4.
2006 */
2007 prop_length = oprop_length - 4;
2008 ND_PRINT((ndo," #%u protoid=%s transform=%d len=%u",
2009 prop.p_no, PROTOIDSTR(prop.prot_id),
2010 prop.num_t, oprop_length));
2011 cp = (const u_char *)(p + 1);
2012
2013 if (prop.spi_size) {
2014 if (prop_length < prop.spi_size)
2015 goto toolong;
2016 ND_PRINT((ndo," spi="));
2017 if (!rawprint(ndo, (const uint8_t *)cp, prop.spi_size))
2018 goto trunc;
2019 cp += prop.spi_size;
2020 prop_length -= prop.spi_size;
2021 }
2022
2023 /*
2024 * Print the transforms.
2025 */
2026 tcount = 0;
2027 for (np = ISAKMP_NPTYPE_T; np != 0; np = e.np) {
2028 tcount++;
2029 ext = (const struct isakmp_gen *)cp;
2030 if (prop_length < sizeof(*ext))
2031 goto toolong;
2032 ND_TCHECK(*ext);
2033 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2034
2035 /*
2036 * Since we can't have a payload length of less than 4 bytes,
2037 * we need to bail out here if the generic header is nonsensical
2038 * or truncated, otherwise we could loop forever processing
2039 * zero-length items or otherwise misdissect the packet.
2040 */
2041 item_len = ntohs(e.len);
2042 if (item_len <= 4)
2043 goto trunc;
2044
2045 if (prop_length < item_len)
2046 goto toolong;
2047 ND_TCHECK2(*cp, item_len);
2048
2049 depth++;
2050 ND_PRINT((ndo,"\n"));
2051 for (i = 0; i < depth; i++)
2052 ND_PRINT((ndo," "));
2053 ND_PRINT((ndo,"("));
2054 if (np == ISAKMP_NPTYPE_T) {
2055 cp = ikev2_t_print(ndo, tcount, ext, item_len, ep);
2056 if (cp == NULL) {
2057 /* error, already reported */
2058 return NULL;
2059 }
2060 } else {
2061 ND_PRINT((ndo, "%s", NPSTR(np)));
2062 cp += item_len;
2063 }
2064 ND_PRINT((ndo,")"));
2065 depth--;
2066 prop_length -= item_len;
2067 }
2068 return cp;
2069 toolong:
2070 /*
2071 * Skip the rest of the proposal.
2072 */
2073 cp += prop_length;
2074 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_P)));
2075 return cp;
2076 trunc:
2077 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_P)));
2078 return NULL;
2079 }
2080
2081 static const u_char *
2082 ikev2_sa_print(netdissect_options *ndo, u_char tpay,
2083 const struct isakmp_gen *ext1,
2084 u_int osa_length, const u_char *ep,
2085 uint32_t phase _U_, uint32_t doi _U_,
2086 uint32_t proto _U_, int depth)
2087 {
2088 const struct isakmp_gen *ext;
2089 struct isakmp_gen e;
2090 u_int sa_length;
2091 const u_char *cp;
2092 int i;
2093 int pcount;
2094 u_char np;
2095 u_int item_len;
2096
2097 ND_TCHECK(*ext1);
2098 UNALIGNED_MEMCPY(&e, ext1, sizeof(e));
2099 ikev2_pay_print(ndo, "sa", e.critical);
2100
2101 /*
2102 * ikev2_sub0_print() guarantees that this is >= 4.
2103 */
2104 osa_length= ntohs(e.len);
2105 sa_length = osa_length - 4;
2106 ND_PRINT((ndo," len=%d", sa_length));
2107
2108 /*
2109 * Print the payloads.
2110 */
2111 cp = (const u_char *)(ext1 + 1);
2112 pcount = 0;
2113 for (np = ISAKMP_NPTYPE_P; np != 0; np = e.np) {
2114 pcount++;
2115 ext = (const struct isakmp_gen *)cp;
2116 if (sa_length < sizeof(*ext))
2117 goto toolong;
2118 ND_TCHECK(*ext);
2119 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2120
2121 /*
2122 * Since we can't have a payload length of less than 4 bytes,
2123 * we need to bail out here if the generic header is nonsensical
2124 * or truncated, otherwise we could loop forever processing
2125 * zero-length items or otherwise misdissect the packet.
2126 */
2127 item_len = ntohs(e.len);
2128 if (item_len <= 4)
2129 goto trunc;
2130
2131 if (sa_length < item_len)
2132 goto toolong;
2133 ND_TCHECK2(*cp, item_len);
2134
2135 depth++;
2136 ND_PRINT((ndo,"\n"));
2137 for (i = 0; i < depth; i++)
2138 ND_PRINT((ndo," "));
2139 ND_PRINT((ndo,"("));
2140 if (np == ISAKMP_NPTYPE_P) {
2141 cp = ikev2_p_print(ndo, np, pcount, ext, item_len,
2142 ep, depth);
2143 if (cp == NULL) {
2144 /* error, already reported */
2145 return NULL;
2146 }
2147 } else {
2148 ND_PRINT((ndo, "%s", NPSTR(np)));
2149 cp += item_len;
2150 }
2151 ND_PRINT((ndo,")"));
2152 depth--;
2153 sa_length -= item_len;
2154 }
2155 return cp;
2156 toolong:
2157 /*
2158 * Skip the rest of the SA.
2159 */
2160 cp += sa_length;
2161 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2162 return cp;
2163 trunc:
2164 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2165 return NULL;
2166 }
2167
2168 static const u_char *
2169 ikev2_ke_print(netdissect_options *ndo, u_char tpay,
2170 const struct isakmp_gen *ext,
2171 u_int item_len _U_, const u_char *ep _U_,
2172 uint32_t phase _U_, uint32_t doi _U_,
2173 uint32_t proto _U_, int depth _U_)
2174 {
2175 struct ikev2_ke ke;
2176 const struct ikev2_ke *k;
2177
2178 k = (const struct ikev2_ke *)ext;
2179 ND_TCHECK(*k);
2180 UNALIGNED_MEMCPY(&ke, ext, sizeof(ke));
2181 ikev2_pay_print(ndo, NPSTR(tpay), ke.h.critical);
2182
2183 ND_PRINT((ndo," len=%u group=%s", ntohs(ke.h.len) - 8,
2184 STR_OR_ID(ntohs(ke.ke_group), dh_p_map)));
2185
2186 if (2 < ndo->ndo_vflag && 8 < ntohs(ke.h.len)) {
2187 ND_PRINT((ndo," "));
2188 if (!rawprint(ndo, (const uint8_t *)(k + 1), ntohs(ke.h.len) - 8))
2189 goto trunc;
2190 }
2191 return (const u_char *)ext + ntohs(ke.h.len);
2192 trunc:
2193 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2194 return NULL;
2195 }
2196
2197 static const u_char *
2198 ikev2_ID_print(netdissect_options *ndo, u_char tpay,
2199 const struct isakmp_gen *ext,
2200 u_int item_len _U_, const u_char *ep _U_,
2201 uint32_t phase _U_, uint32_t doi _U_,
2202 uint32_t proto _U_, int depth _U_)
2203 {
2204 const struct ikev2_id *idp;
2205 struct ikev2_id id;
2206 int id_len, idtype_len, i;
2207 unsigned int dumpascii, dumphex;
2208 const unsigned char *typedata;
2209
2210 idp = (const struct ikev2_id *)ext;
2211 ND_TCHECK(*idp);
2212 UNALIGNED_MEMCPY(&id, ext, sizeof(id));
2213 ikev2_pay_print(ndo, NPSTR(tpay), id.h.critical);
2214
2215 id_len = ntohs(id.h.len);
2216
2217 ND_PRINT((ndo," len=%d", id_len - 4));
2218 if (2 < ndo->ndo_vflag && 4 < id_len) {
2219 /* Print the entire payload in hex */
2220 ND_PRINT((ndo," "));
2221 if (!rawprint(ndo, (const uint8_t *)(ext + 1), id_len - 4))
2222 goto trunc;
2223 }
2224
2225 idtype_len =id_len - sizeof(struct ikev2_id);
2226 dumpascii = 0;
2227 dumphex = 0;
2228 typedata = (const unsigned char *)(ext)+sizeof(struct ikev2_id);
2229
2230 switch(id.type) {
2231 case ID_IPV4_ADDR:
2232 ND_PRINT((ndo, " ipv4:"));
2233 dumphex=1;
2234 break;
2235 case ID_FQDN:
2236 ND_PRINT((ndo, " fqdn:"));
2237 dumpascii=1;
2238 break;
2239 case ID_RFC822_ADDR:
2240 ND_PRINT((ndo, " rfc822:"));
2241 dumpascii=1;
2242 break;
2243 case ID_IPV6_ADDR:
2244 ND_PRINT((ndo, " ipv6:"));
2245 dumphex=1;
2246 break;
2247 case ID_DER_ASN1_DN:
2248 ND_PRINT((ndo, " dn:"));
2249 dumphex=1;
2250 break;
2251 case ID_DER_ASN1_GN:
2252 ND_PRINT((ndo, " gn:"));
2253 dumphex=1;
2254 break;
2255 case ID_KEY_ID:
2256 ND_PRINT((ndo, " keyid:"));
2257 dumphex=1;
2258 break;
2259 }
2260
2261 if(dumpascii) {
2262 ND_TCHECK2(*typedata, idtype_len);
2263 for(i=0; i<idtype_len; i++) {
2264 if(ND_ISPRINT(EXTRACT_U_1(typedata + i))) {
2265 ND_PRINT((ndo, "%c", EXTRACT_U_1(typedata + i)));
2266 } else {
2267 ND_PRINT((ndo, "."));
2268 }
2269 }
2270 }
2271 if(dumphex) {
2272 if (!rawprint(ndo, (const uint8_t *)typedata, idtype_len))
2273 goto trunc;
2274 }
2275
2276 return (const u_char *)ext + id_len;
2277 trunc:
2278 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2279 return NULL;
2280 }
2281
2282 static const u_char *
2283 ikev2_cert_print(netdissect_options *ndo, u_char tpay,
2284 const struct isakmp_gen *ext,
2285 u_int item_len _U_, const u_char *ep _U_,
2286 uint32_t phase _U_, uint32_t doi _U_,
2287 uint32_t proto _U_, int depth _U_)
2288 {
2289 return ikev2_gen_print(ndo, tpay, ext);
2290 }
2291
2292 static const u_char *
2293 ikev2_cr_print(netdissect_options *ndo, u_char tpay,
2294 const struct isakmp_gen *ext,
2295 u_int item_len _U_, const u_char *ep _U_,
2296 uint32_t phase _U_, uint32_t doi _U_,
2297 uint32_t proto _U_, int depth _U_)
2298 {
2299 return ikev2_gen_print(ndo, tpay, ext);
2300 }
2301
2302 static const u_char *
2303 ikev2_auth_print(netdissect_options *ndo, u_char tpay,
2304 const struct isakmp_gen *ext,
2305 u_int item_len _U_, const u_char *ep,
2306 uint32_t phase _U_, uint32_t doi _U_,
2307 uint32_t proto _U_, int depth _U_)
2308 {
2309 struct ikev2_auth a;
2310 const char *v2_auth[]={ "invalid", "rsasig",
2311 "shared-secret", "dsssig" };
2312 const u_char *authdata = (const u_char*)ext + sizeof(a);
2313 unsigned int len;
2314
2315 ND_TCHECK2(*ext, sizeof(a));
2316 UNALIGNED_MEMCPY(&a, ext, sizeof(a));
2317 ikev2_pay_print(ndo, NPSTR(tpay), a.h.critical);
2318 len = ntohs(a.h.len);
2319
2320 /*
2321 * Our caller has ensured that the length is >= 4.
2322 */
2323 ND_PRINT((ndo," len=%u method=%s", len-4,
2324 STR_OR_ID(a.auth_method, v2_auth)));
2325 if (len > 4) {
2326 if (ndo->ndo_vflag > 1) {
2327 ND_PRINT((ndo, " authdata=("));
2328 if (!rawprint(ndo, (const uint8_t *)authdata, len - sizeof(a)))
2329 goto trunc;
2330 ND_PRINT((ndo, ") "));
2331 } else if (ndo->ndo_vflag) {
2332 if (!ike_show_somedata(ndo, authdata, ep))
2333 goto trunc;
2334 }
2335 }
2336
2337 return (const u_char *)ext + len;
2338 trunc:
2339 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2340 return NULL;
2341 }
2342
2343 static const u_char *
2344 ikev2_nonce_print(netdissect_options *ndo, u_char tpay,
2345 const struct isakmp_gen *ext,
2346 u_int item_len _U_, const u_char *ep,
2347 uint32_t phase _U_, uint32_t doi _U_,
2348 uint32_t proto _U_, int depth _U_)
2349 {
2350 struct isakmp_gen e;
2351
2352 ND_TCHECK(*ext);
2353 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2354 ikev2_pay_print(ndo, "nonce", e.critical);
2355
2356 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
2357 if (1 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
2358 ND_PRINT((ndo," nonce=("));
2359 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
2360 goto trunc;
2361 ND_PRINT((ndo,") "));
2362 } else if(ndo->ndo_vflag && 4 < ntohs(e.len)) {
2363 if(!ike_show_somedata(ndo, (const u_char *)(ext+1), ep)) goto trunc;
2364 }
2365
2366 return (const u_char *)ext + ntohs(e.len);
2367 trunc:
2368 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2369 return NULL;
2370 }
2371
2372 /* notify payloads */
2373 static const u_char *
2374 ikev2_n_print(netdissect_options *ndo, u_char tpay _U_,
2375 const struct isakmp_gen *ext,
2376 u_int item_len, const u_char *ep,
2377 uint32_t phase _U_, uint32_t doi _U_,
2378 uint32_t proto _U_, int depth _U_)
2379 {
2380 const struct ikev2_n *p;
2381 struct ikev2_n n;
2382 const u_char *cp;
2383 u_char showspi, showsomedata;
2384 const char *notify_name;
2385 uint32_t type;
2386
2387 p = (const struct ikev2_n *)ext;
2388 ND_TCHECK(*p);
2389 UNALIGNED_MEMCPY(&n, ext, sizeof(n));
2390 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_N), n.h.critical);
2391
2392 showspi = 1;
2393 showsomedata=0;
2394 notify_name=NULL;
2395
2396 ND_PRINT((ndo," prot_id=%s", PROTOIDSTR(n.prot_id)));
2397
2398 type = ntohs(n.type);
2399
2400 /* notify space is annoying sparse */
2401 switch(type) {
2402 case IV2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD:
2403 notify_name = "unsupported_critical_payload";
2404 showspi = 0;
2405 break;
2406
2407 case IV2_NOTIFY_INVALID_IKE_SPI:
2408 notify_name = "invalid_ike_spi";
2409 showspi = 1;
2410 break;
2411
2412 case IV2_NOTIFY_INVALID_MAJOR_VERSION:
2413 notify_name = "invalid_major_version";
2414 showspi = 0;
2415 break;
2416
2417 case IV2_NOTIFY_INVALID_SYNTAX:
2418 notify_name = "invalid_syntax";
2419 showspi = 1;
2420 break;
2421
2422 case IV2_NOTIFY_INVALID_MESSAGE_ID:
2423 notify_name = "invalid_message_id";
2424 showspi = 1;
2425 break;
2426
2427 case IV2_NOTIFY_INVALID_SPI:
2428 notify_name = "invalid_spi";
2429 showspi = 1;
2430 break;
2431
2432 case IV2_NOTIFY_NO_PROPOSAL_CHOSEN:
2433 notify_name = "no_protocol_chosen";
2434 showspi = 1;
2435 break;
2436
2437 case IV2_NOTIFY_INVALID_KE_PAYLOAD:
2438 notify_name = "invalid_ke_payload";
2439 showspi = 1;
2440 break;
2441
2442 case IV2_NOTIFY_AUTHENTICATION_FAILED:
2443 notify_name = "authentication_failed";
2444 showspi = 1;
2445 break;
2446
2447 case IV2_NOTIFY_SINGLE_PAIR_REQUIRED:
2448 notify_name = "single_pair_required";
2449 showspi = 1;
2450 break;
2451
2452 case IV2_NOTIFY_NO_ADDITIONAL_SAS:
2453 notify_name = "no_additional_sas";
2454 showspi = 0;
2455 break;
2456
2457 case IV2_NOTIFY_INTERNAL_ADDRESS_FAILURE:
2458 notify_name = "internal_address_failure";
2459 showspi = 0;
2460 break;
2461
2462 case IV2_NOTIFY_FAILED_CP_REQUIRED:
2463 notify_name = "failed:cp_required";
2464 showspi = 0;
2465 break;
2466
2467 case IV2_NOTIFY_INVALID_SELECTORS:
2468 notify_name = "invalid_selectors";
2469 showspi = 0;
2470 break;
2471
2472 case IV2_NOTIFY_INITIAL_CONTACT:
2473 notify_name = "initial_contact";
2474 showspi = 0;
2475 break;
2476
2477 case IV2_NOTIFY_SET_WINDOW_SIZE:
2478 notify_name = "set_window_size";
2479 showspi = 0;
2480 break;
2481
2482 case IV2_NOTIFY_ADDITIONAL_TS_POSSIBLE:
2483 notify_name = "additional_ts_possible";
2484 showspi = 0;
2485 break;
2486
2487 case IV2_NOTIFY_IPCOMP_SUPPORTED:
2488 notify_name = "ipcomp_supported";
2489 showspi = 0;
2490 break;
2491
2492 case IV2_NOTIFY_NAT_DETECTION_SOURCE_IP:
2493 notify_name = "nat_detection_source_ip";
2494 showspi = 1;
2495 break;
2496
2497 case IV2_NOTIFY_NAT_DETECTION_DESTINATION_IP:
2498 notify_name = "nat_detection_destination_ip";
2499 showspi = 1;
2500 break;
2501
2502 case IV2_NOTIFY_COOKIE:
2503 notify_name = "cookie";
2504 showspi = 1;
2505 showsomedata= 1;
2506 break;
2507
2508 case IV2_NOTIFY_USE_TRANSPORT_MODE:
2509 notify_name = "use_transport_mode";
2510 showspi = 0;
2511 break;
2512
2513 case IV2_NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED:
2514 notify_name = "http_cert_lookup_supported";
2515 showspi = 0;
2516 break;
2517
2518 case IV2_NOTIFY_REKEY_SA:
2519 notify_name = "rekey_sa";
2520 showspi = 1;
2521 break;
2522
2523 case IV2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED:
2524 notify_name = "tfc_padding_not_supported";
2525 showspi = 0;
2526 break;
2527
2528 case IV2_NOTIFY_NON_FIRST_FRAGMENTS_ALSO:
2529 notify_name = "non_first_fragment_also";
2530 showspi = 0;
2531 break;
2532
2533 default:
2534 if (type < 8192) {
2535 notify_name="error";
2536 } else if(type < 16384) {
2537 notify_name="private-error";
2538 } else if(type < 40960) {
2539 notify_name="status";
2540 } else {
2541 notify_name="private-status";
2542 }
2543 }
2544
2545 if(notify_name) {
2546 ND_PRINT((ndo," type=%u(%s)", type, notify_name));
2547 }
2548
2549
2550 if (showspi && n.spi_size) {
2551 ND_PRINT((ndo," spi="));
2552 if (!rawprint(ndo, (const uint8_t *)(p + 1), n.spi_size))
2553 goto trunc;
2554 }
2555
2556 cp = (const u_char *)(p + 1) + n.spi_size;
2557
2558 if (cp < ep) {
2559 if (ndo->ndo_vflag > 3 || (showsomedata && ep-cp < 30)) {
2560 ND_PRINT((ndo," data=("));
2561 if (!rawprint(ndo, (const uint8_t *)(cp), ep - cp))
2562 goto trunc;
2563
2564 ND_PRINT((ndo,")"));
2565 } else if (showsomedata) {
2566 if (!ike_show_somedata(ndo, cp, ep))
2567 goto trunc;
2568 }
2569 }
2570
2571 return (const u_char *)ext + item_len;
2572 trunc:
2573 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_N)));
2574 return NULL;
2575 }
2576
2577 static const u_char *
2578 ikev2_d_print(netdissect_options *ndo, u_char tpay,
2579 const struct isakmp_gen *ext,
2580 u_int item_len _U_, const u_char *ep _U_,
2581 uint32_t phase _U_, uint32_t doi _U_,
2582 uint32_t proto _U_, int depth _U_)
2583 {
2584 return ikev2_gen_print(ndo, tpay, ext);
2585 }
2586
2587 static const u_char *
2588 ikev2_vid_print(netdissect_options *ndo, u_char tpay,
2589 const struct isakmp_gen *ext,
2590 u_int item_len _U_, const u_char *ep _U_,
2591 uint32_t phase _U_, uint32_t doi _U_,
2592 uint32_t proto _U_, int depth _U_)
2593 {
2594 struct isakmp_gen e;
2595 const u_char *vid;
2596 int i, len;
2597
2598 ND_TCHECK(*ext);
2599 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2600 ikev2_pay_print(ndo, NPSTR(tpay), e.critical);
2601 ND_PRINT((ndo," len=%d vid=", ntohs(e.len) - 4));
2602
2603 vid = (const u_char *)(ext+1);
2604 len = ntohs(e.len) - 4;
2605 ND_TCHECK2(*vid, len);
2606 for(i=0; i<len; i++) {
2607 if(ND_ISPRINT(EXTRACT_U_1(vid + i)))
2608 ND_PRINT((ndo, "%c", EXTRACT_U_1(vid + i)));
2609 else ND_PRINT((ndo, "."));
2610 }
2611 if (2 < ndo->ndo_vflag && 4 < len) {
2612 /* Print the entire payload in hex */
2613 ND_PRINT((ndo," "));
2614 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
2615 goto trunc;
2616 }
2617 return (const u_char *)ext + ntohs(e.len);
2618 trunc:
2619 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2620 return NULL;
2621 }
2622
2623 static const u_char *
2624 ikev2_TS_print(netdissect_options *ndo, u_char tpay,
2625 const struct isakmp_gen *ext,
2626 u_int item_len _U_, const u_char *ep _U_,
2627 uint32_t phase _U_, uint32_t doi _U_,
2628 uint32_t proto _U_, int depth _U_)
2629 {
2630 return ikev2_gen_print(ndo, tpay, ext);
2631 }
2632
2633 static const u_char *
2634 ikev2_e_print(netdissect_options *ndo,
2635 #ifndef HAVE_LIBCRYPTO
2636 _U_
2637 #endif
2638 struct isakmp *base,
2639 u_char tpay,
2640 const struct isakmp_gen *ext,
2641 u_int item_len _U_, const u_char *ep _U_,
2642 #ifndef HAVE_LIBCRYPTO
2643 _U_
2644 #endif
2645 uint32_t phase,
2646 #ifndef HAVE_LIBCRYPTO
2647 _U_
2648 #endif
2649 uint32_t doi,
2650 #ifndef HAVE_LIBCRYPTO
2651 _U_
2652 #endif
2653 uint32_t proto,
2654 #ifndef HAVE_LIBCRYPTO
2655 _U_
2656 #endif
2657 int depth)
2658 {
2659 struct isakmp_gen e;
2660 const u_char *dat;
2661 volatile int dlen;
2662
2663 ND_TCHECK(*ext);
2664 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2665 ikev2_pay_print(ndo, NPSTR(tpay), e.critical);
2666
2667 dlen = ntohs(e.len)-4;
2668
2669 ND_PRINT((ndo," len=%d", dlen));
2670 if (2 < ndo->ndo_vflag && 4 < dlen) {
2671 ND_PRINT((ndo," "));
2672 if (!rawprint(ndo, (const uint8_t *)(ext + 1), dlen))
2673 goto trunc;
2674 }
2675
2676 dat = (const u_char *)(ext+1);
2677 ND_TCHECK2(*dat, dlen);
2678
2679 #ifdef HAVE_LIBCRYPTO
2680 /* try to decypt it! */
2681 if(esp_print_decrypt_buffer_by_ikev2(ndo,
2682 base->flags & ISAKMP_FLAG_I,
2683 base->i_ck, base->r_ck,
2684 dat, dat+dlen)) {
2685
2686 ext = (const struct isakmp_gen *)ndo->ndo_packetp;
2687
2688 /* got it decrypted, print stuff inside. */
2689 ikev2_sub_print(ndo, base, e.np, ext, ndo->ndo_snapend,
2690 phase, doi, proto, depth+1);
2691 }
2692 #endif
2693
2694
2695 /* always return NULL, because E must be at end, and NP refers
2696 * to what was inside.
2697 */
2698 return NULL;
2699 trunc:
2700 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2701 return NULL;
2702 }
2703
2704 static const u_char *
2705 ikev2_cp_print(netdissect_options *ndo, u_char tpay,
2706 const struct isakmp_gen *ext,
2707 u_int item_len _U_, const u_char *ep _U_,
2708 uint32_t phase _U_, uint32_t doi _U_,
2709 uint32_t proto _U_, int depth _U_)
2710 {
2711 return ikev2_gen_print(ndo, tpay, ext);
2712 }
2713
2714 static const u_char *
2715 ikev2_eap_print(netdissect_options *ndo, u_char tpay,
2716 const struct isakmp_gen *ext,
2717 u_int item_len _U_, const u_char *ep _U_,
2718 uint32_t phase _U_, uint32_t doi _U_,
2719 uint32_t proto _U_, int depth _U_)
2720 {
2721 return ikev2_gen_print(ndo, tpay, ext);
2722 }
2723
2724 static const u_char *
2725 ike_sub0_print(netdissect_options *ndo,
2726 u_char np, const struct isakmp_gen *ext, const u_char *ep,
2727
2728 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
2729 {
2730 const u_char *cp;
2731 struct isakmp_gen e;
2732 u_int item_len;
2733
2734 cp = (const u_char *)ext;
2735 ND_TCHECK(*ext);
2736 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2737
2738 /*
2739 * Since we can't have a payload length of less than 4 bytes,
2740 * we need to bail out here if the generic header is nonsensical
2741 * or truncated, otherwise we could loop forever processing
2742 * zero-length items or otherwise misdissect the packet.
2743 */
2744 item_len = ntohs(e.len);
2745 if (item_len <= 4)
2746 return NULL;
2747
2748 if (NPFUNC(np)) {
2749 /*
2750 * XXX - what if item_len is too short, or too long,
2751 * for this payload type?
2752 */
2753 cp = (*npfunc[np])(ndo, np, ext, item_len, ep, phase, doi, proto, depth);
2754 } else {
2755 ND_PRINT((ndo,"%s", NPSTR(np)));
2756 cp += item_len;
2757 }
2758
2759 return cp;
2760 trunc:
2761 ND_PRINT((ndo," [|isakmp]"));
2762 return NULL;
2763 }
2764
2765 static const u_char *
2766 ikev1_sub_print(netdissect_options *ndo,
2767 u_char np, const struct isakmp_gen *ext, const u_char *ep,
2768 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
2769 {
2770 const u_char *cp;
2771 int i;
2772 struct isakmp_gen e;
2773
2774 cp = (const u_char *)ext;
2775
2776 while (np) {
2777 ND_TCHECK(*ext);
2778 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2779
2780 ND_TCHECK2(*ext, ntohs(e.len));
2781
2782 depth++;
2783 ND_PRINT((ndo,"\n"));
2784 for (i = 0; i < depth; i++)
2785 ND_PRINT((ndo," "));
2786 ND_PRINT((ndo,"("));
2787 cp = ike_sub0_print(ndo, np, ext, ep, phase, doi, proto, depth);
2788 ND_PRINT((ndo,")"));
2789 depth--;
2790
2791 if (cp == NULL) {
2792 /* Zero-length subitem */
2793 return NULL;
2794 }
2795
2796 np = e.np;
2797 ext = (const struct isakmp_gen *)cp;
2798 }
2799 return cp;
2800 trunc:
2801 ND_PRINT((ndo," [|%s]", NPSTR(np)));
2802 return NULL;
2803 }
2804
2805 static char *
2806 numstr(int x)
2807 {
2808 static char buf[20];
2809 snprintf(buf, sizeof(buf), "#%d", x);
2810 return buf;
2811 }
2812
2813 static void
2814 ikev1_print(netdissect_options *ndo,
2815 const u_char *bp, u_int length,
2816 const u_char *bp2, struct isakmp *base)
2817 {
2818 const struct isakmp *p;
2819 const u_char *ep;
2820 u_char np;
2821 int i;
2822 int phase;
2823
2824 p = (const struct isakmp *)bp;
2825 ep = ndo->ndo_snapend;
2826
2827 phase = (EXTRACT_BE_U_4(base->msgid) == 0) ? 1 : 2;
2828 if (phase == 1)
2829 ND_PRINT((ndo," phase %d", phase));
2830 else
2831 ND_PRINT((ndo," phase %d/others", phase));
2832
2833 i = cookie_find(&base->i_ck);
2834 if (i < 0) {
2835 if (iszero((const u_char *)&base->r_ck, sizeof(base->r_ck))) {
2836 /* the first packet */
2837 ND_PRINT((ndo," I"));
2838 if (bp2)
2839 cookie_record(&base->i_ck, bp2);
2840 } else
2841 ND_PRINT((ndo," ?"));
2842 } else {
2843 if (bp2 && cookie_isinitiator(i, bp2))
2844 ND_PRINT((ndo," I"));
2845 else if (bp2 && cookie_isresponder(i, bp2))
2846 ND_PRINT((ndo," R"));
2847 else
2848 ND_PRINT((ndo," ?"));
2849 }
2850
2851 ND_PRINT((ndo," %s", ETYPESTR(base->etype)));
2852 if (base->flags) {
2853 ND_PRINT((ndo,"[%s%s]", base->flags & ISAKMP_FLAG_E ? "E" : "",
2854 base->flags & ISAKMP_FLAG_C ? "C" : ""));
2855 }
2856
2857 if (ndo->ndo_vflag) {
2858 const struct isakmp_gen *ext;
2859
2860 ND_PRINT((ndo,":"));
2861
2862 /* regardless of phase... */
2863 if (base->flags & ISAKMP_FLAG_E) {
2864 /*
2865 * encrypted, nothing we can do right now.
2866 * we hope to decrypt the packet in the future...
2867 */
2868 ND_PRINT((ndo," [encrypted %s]", NPSTR(base->np)));
2869 goto done;
2870 }
2871
2872 CHECKLEN(p + 1, base->np);
2873 np = base->np;
2874 ext = (const struct isakmp_gen *)(p + 1);
2875 ikev1_sub_print(ndo, np, ext, ep, phase, 0, 0, 0);
2876 }
2877
2878 done:
2879 if (ndo->ndo_vflag) {
2880 if (ntohl(base->len) != length) {
2881 ND_PRINT((ndo," (len mismatch: isakmp %u/ip %u)",
2882 (uint32_t)ntohl(base->len), length));
2883 }
2884 }
2885 }
2886
2887 static const u_char *
2888 ikev2_sub0_print(netdissect_options *ndo, struct isakmp *base,
2889 u_char np,
2890 const struct isakmp_gen *ext, const u_char *ep,
2891 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
2892 {
2893 const u_char *cp;
2894 struct isakmp_gen e;
2895 u_int item_len;
2896
2897 cp = (const u_char *)ext;
2898 ND_TCHECK(*ext);
2899 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2900
2901 /*
2902 * Since we can't have a payload length of less than 4 bytes,
2903 * we need to bail out here if the generic header is nonsensical
2904 * or truncated, otherwise we could loop forever processing
2905 * zero-length items or otherwise misdissect the packet.
2906 */
2907 item_len = ntohs(e.len);
2908 if (item_len <= 4)
2909 return NULL;
2910
2911 if (np == ISAKMP_NPTYPE_v2E) {
2912 cp = ikev2_e_print(ndo, base, np, ext, item_len,
2913 ep, phase, doi, proto, depth);
2914 } else if (NPFUNC(np)) {
2915 /*
2916 * XXX - what if item_len is too short, or too long,
2917 * for this payload type?
2918 */
2919 cp = (*npfunc[np])(ndo, np, ext, item_len,
2920 ep, phase, doi, proto, depth);
2921 } else {
2922 ND_PRINT((ndo,"%s", NPSTR(np)));
2923 cp += item_len;
2924 }
2925
2926 return cp;
2927 trunc:
2928 ND_PRINT((ndo," [|isakmp]"));
2929 return NULL;
2930 }
2931
2932 static const u_char *
2933 ikev2_sub_print(netdissect_options *ndo,
2934 struct isakmp *base,
2935 u_char np, const struct isakmp_gen *ext, const u_char *ep,
2936 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
2937 {
2938 const u_char *cp;
2939 int i;
2940 struct isakmp_gen e;
2941
2942 cp = (const u_char *)ext;
2943 while (np) {
2944 ND_TCHECK(*ext);
2945 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2946
2947 ND_TCHECK2(*ext, ntohs(e.len));
2948
2949 depth++;
2950 ND_PRINT((ndo,"\n"));
2951 for (i = 0; i < depth; i++)
2952 ND_PRINT((ndo," "));
2953 ND_PRINT((ndo,"("));
2954 cp = ikev2_sub0_print(ndo, base, np,
2955 ext, ep, phase, doi, proto, depth);
2956 ND_PRINT((ndo,")"));
2957 depth--;
2958
2959 if (cp == NULL) {
2960 /* Zero-length subitem */
2961 return NULL;
2962 }
2963
2964 np = e.np;
2965 ext = (const struct isakmp_gen *)cp;
2966 }
2967 return cp;
2968 trunc:
2969 ND_PRINT((ndo," [|%s]", NPSTR(np)));
2970 return NULL;
2971 }
2972
2973 static void
2974 ikev2_print(netdissect_options *ndo,
2975 const u_char *bp, u_int length,
2976 const u_char *bp2 _U_, struct isakmp *base)
2977 {
2978 const struct isakmp *p;
2979 const u_char *ep;
2980 u_char np;
2981 int phase;
2982
2983 p = (const struct isakmp *)bp;
2984 ep = ndo->ndo_snapend;
2985
2986 phase = (EXTRACT_BE_U_4(base->msgid) == 0) ? 1 : 2;
2987 if (phase == 1)
2988 ND_PRINT((ndo, " parent_sa"));
2989 else
2990 ND_PRINT((ndo, " child_sa "));
2991
2992 ND_PRINT((ndo, " %s", ETYPESTR(base->etype)));
2993 if (base->flags) {
2994 ND_PRINT((ndo, "[%s%s%s]",
2995 base->flags & ISAKMP_FLAG_I ? "I" : "",
2996 base->flags & ISAKMP_FLAG_V ? "V" : "",
2997 base->flags & ISAKMP_FLAG_R ? "R" : ""));
2998 }
2999
3000 if (ndo->ndo_vflag) {
3001 const struct isakmp_gen *ext;
3002
3003 ND_PRINT((ndo, ":"));
3004
3005 /* regardless of phase... */
3006 if (base->flags & ISAKMP_FLAG_E) {
3007 /*
3008 * encrypted, nothing we can do right now.
3009 * we hope to decrypt the packet in the future...
3010 */
3011 ND_PRINT((ndo, " [encrypted %s]", NPSTR(base->np)));
3012 goto done;
3013 }
3014
3015 CHECKLEN(p + 1, base->np)
3016
3017 np = base->np;
3018 ext = (const struct isakmp_gen *)(p + 1);
3019 ikev2_sub_print(ndo, base, np, ext, ep, phase, 0, 0, 0);
3020 }
3021
3022 done:
3023 if (ndo->ndo_vflag) {
3024 if (ntohl(base->len) != length) {
3025 ND_PRINT((ndo, " (len mismatch: isakmp %u/ip %u)",
3026 (uint32_t)ntohl(base->len), length));
3027 }
3028 }
3029 }
3030
3031 void
3032 isakmp_print(netdissect_options *ndo,
3033 const u_char *bp, u_int length,
3034 const u_char *bp2)
3035 {
3036 const struct isakmp *p;
3037 struct isakmp base;
3038 const u_char *ep;
3039 int major, minor;
3040
3041 #ifdef HAVE_LIBCRYPTO
3042 /* initialize SAs */
3043 if (ndo->ndo_sa_list_head == NULL) {
3044 if (ndo->ndo_espsecret)
3045 esp_print_decodesecret(ndo);
3046 }
3047 #endif
3048
3049 p = (const struct isakmp *)bp;
3050 ep = ndo->ndo_snapend;
3051
3052 if ((const struct isakmp *)ep < p + 1) {
3053 ND_PRINT((ndo,"[|isakmp]"));
3054 return;
3055 }
3056
3057 UNALIGNED_MEMCPY(&base, p, sizeof(base));
3058
3059 ND_PRINT((ndo,"isakmp"));
3060 major = (base.vers & ISAKMP_VERS_MAJOR)
3061 >> ISAKMP_VERS_MAJOR_SHIFT;
3062 minor = (base.vers & ISAKMP_VERS_MINOR)
3063 >> ISAKMP_VERS_MINOR_SHIFT;
3064
3065 if (ndo->ndo_vflag) {
3066 ND_PRINT((ndo," %d.%d", major, minor));
3067 }
3068
3069 if (ndo->ndo_vflag) {
3070 ND_PRINT((ndo," msgid "));
3071 hexprint(ndo, (const uint8_t *)&base.msgid, sizeof(base.msgid));
3072 }
3073
3074 if (1 < ndo->ndo_vflag) {
3075 ND_PRINT((ndo," cookie "));
3076 hexprint(ndo, (const uint8_t *)&base.i_ck, sizeof(base.i_ck));
3077 ND_PRINT((ndo,"->"));
3078 hexprint(ndo, (const uint8_t *)&base.r_ck, sizeof(base.r_ck));
3079 }
3080 ND_PRINT((ndo,":"));
3081
3082 switch(major) {
3083 case IKEv1_MAJOR_VERSION:
3084 ikev1_print(ndo, bp, length, bp2, &base);
3085 break;
3086
3087 case IKEv2_MAJOR_VERSION:
3088 ikev2_print(ndo, bp, length, bp2, &base);
3089 break;
3090 }
3091 }
3092
3093 void
3094 isakmp_rfc3948_print(netdissect_options *ndo,
3095 const u_char *bp, u_int length,
3096 const u_char *bp2)
3097 {
3098 ND_TCHECK(bp[0]);
3099 if(length == 1 && bp[0]==0xff) {
3100 ND_PRINT((ndo, "isakmp-nat-keep-alive"));
3101 return;
3102 }
3103
3104 if(length < 4) {
3105 goto trunc;
3106 }
3107 ND_TCHECK(bp[3]);
3108
3109 /*
3110 * see if this is an IKE packet
3111 */
3112 if(bp[0]==0 && bp[1]==0 && bp[2]==0 && bp[3]==0) {
3113 ND_PRINT((ndo, "NONESP-encap: "));
3114 isakmp_print(ndo, bp+4, length-4, bp2);
3115 return;
3116 }
3117
3118 /* must be an ESP packet */
3119 {
3120 u_int nh, enh, padlen;
3121 int advance;
3122
3123 ND_PRINT((ndo, "UDP-encap: "));
3124
3125 advance = esp_print(ndo, bp, length, bp2, &enh, &padlen);
3126 if(advance <= 0)
3127 return;
3128
3129 bp += advance;
3130 length -= advance + padlen;
3131 nh = enh & 0xff;
3132
3133 ip_print_inner(ndo, bp, length, nh, bp2);
3134 return;
3135 }
3136
3137 trunc:
3138 ND_PRINT((ndo,"[|isakmp]"));
3139 return;
3140 }
3141
3142 /*
3143 * Local Variables:
3144 * c-style: whitesmith
3145 * c-basic-offset: 8
3146 * End:
3147 */
[mirror] the TCPdump network dissector