]> The Tcpdump Group git mirrors - tcpdump/blob - print-isakmp.c
projects / tcpdump / blob
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
CVE-2017-12990/Fix printing of ISAKMPv1 Notification payload data.
[tcpdump] / print-isakmp.c
1 /*
2 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. Neither the name of the project nor the names of its contributors
14 * may be used to endorse or promote products derived from this software
15 * without specific prior written permission.
16 *
17 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27 * SUCH DAMAGE.
28 *
29 */
30
31 /* \summary: Internet Security Association and Key Management Protocol (ISAKMP) printer */
32
33 #ifdef HAVE_CONFIG_H
34 #include "config.h"
35 #endif
36
37 /* The functions from print-esp.c used in this file are only defined when both
38 * OpenSSL and evp.h are detected. Employ the same preprocessor device here.
39 */
40 #ifndef HAVE_OPENSSL_EVP_H
41 #undef HAVE_LIBCRYPTO
42 #endif
43
44 #include <netdissect-stdinc.h>
45
46 #include <string.h>
47
48 #include "netdissect.h"
49 #include "addrtoname.h"
50 #include "extract.h"
51
52 #include "ip.h"
53 #include "ip6.h"
54 #include "ipproto.h"
55
56 /* refer to RFC 2408 */
57
58 typedef u_char cookie_t[8];
59 typedef u_char msgid_t[4];
60
61 #define PORT_ISAKMP 500
62
63 /* 3.1 ISAKMP Header Format (IKEv1 and IKEv2)
64 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
65 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
66 ! Initiator !
67 ! Cookie !
68 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
69 ! Responder !
70 ! Cookie !
71 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
72 ! Next Payload ! MjVer ! MnVer ! Exchange Type ! Flags !
73 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
74 ! Message ID !
75 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
76 ! Length !
77 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
78 */
79 struct isakmp {
80 cookie_t i_ck; /* Initiator Cookie */
81 cookie_t r_ck; /* Responder Cookie */
82 uint8_t np; /* Next Payload Type */
83 uint8_t vers;
84 #define ISAKMP_VERS_MAJOR 0xf0
85 #define ISAKMP_VERS_MAJOR_SHIFT 4
86 #define ISAKMP_VERS_MINOR 0x0f
87 #define ISAKMP_VERS_MINOR_SHIFT 0
88 uint8_t etype; /* Exchange Type */
89 uint8_t flags; /* Flags */
90 msgid_t msgid;
91 uint32_t len; /* Length */
92 };
93
94 /* Next Payload Type */
95 #define ISAKMP_NPTYPE_NONE 0 /* NONE*/
96 #define ISAKMP_NPTYPE_SA 1 /* Security Association */
97 #define ISAKMP_NPTYPE_P 2 /* Proposal */
98 #define ISAKMP_NPTYPE_T 3 /* Transform */
99 #define ISAKMP_NPTYPE_KE 4 /* Key Exchange */
100 #define ISAKMP_NPTYPE_ID 5 /* Identification */
101 #define ISAKMP_NPTYPE_CERT 6 /* Certificate */
102 #define ISAKMP_NPTYPE_CR 7 /* Certificate Request */
103 #define ISAKMP_NPTYPE_HASH 8 /* Hash */
104 #define ISAKMP_NPTYPE_SIG 9 /* Signature */
105 #define ISAKMP_NPTYPE_NONCE 10 /* Nonce */
106 #define ISAKMP_NPTYPE_N 11 /* Notification */
107 #define ISAKMP_NPTYPE_D 12 /* Delete */
108 #define ISAKMP_NPTYPE_VID 13 /* Vendor ID */
109 #define ISAKMP_NPTYPE_v2E 46 /* v2 Encrypted payload */
110
111 #define IKEv1_MAJOR_VERSION 1
112 #define IKEv1_MINOR_VERSION 0
113
114 #define IKEv2_MAJOR_VERSION 2
115 #define IKEv2_MINOR_VERSION 0
116
117 /* Flags */
118 #define ISAKMP_FLAG_E 0x01 /* Encryption Bit */
119 #define ISAKMP_FLAG_C 0x02 /* Commit Bit */
120 #define ISAKMP_FLAG_extra 0x04
121
122 /* IKEv2 */
123 #define ISAKMP_FLAG_I (1 << 3) /* (I)nitiator */
124 #define ISAKMP_FLAG_V (1 << 4) /* (V)ersion */
125 #define ISAKMP_FLAG_R (1 << 5) /* (R)esponse */
126
127
128 /* 3.2 Payload Generic Header
129 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
130 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
131 ! Next Payload ! RESERVED ! Payload Length !
132 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
133 */
134 struct isakmp_gen {
135 uint8_t np; /* Next Payload */
136 uint8_t critical; /* bit 7 - critical, rest is RESERVED */
137 uint16_t len; /* Payload Length */
138 };
139
140 /* 3.3 Data Attributes
141 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
142 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
143 !A! Attribute Type ! AF=0 Attribute Length !
144 !F! ! AF=1 Attribute Value !
145 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
146 . AF=0 Attribute Value .
147 . AF=1 Not Transmitted .
148 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
149 */
150 struct isakmp_data {
151 uint16_t type; /* defined by DOI-spec, and Attribute Format */
152 uint16_t lorv; /* if f equal 1, Attribute Length */
153 /* if f equal 0, Attribute Value */
154 /* if f equal 1, Attribute Value */
155 };
156
157 /* 3.4 Security Association Payload */
158 /* MAY NOT be used, because of being defined in ipsec-doi. */
159 /*
160 If the current payload is the last in the message,
161 then the value of the next payload field will be 0.
162 This field MUST NOT contain the
163 values for the Proposal or Transform payloads as they are considered
164 part of the security association negotiation. For example, this
165 field would contain the value "10" (Nonce payload) in the first
166 message of a Base Exchange (see Section 4.4) and the value "0" in the
167 first message of an Identity Protect Exchange (see Section 4.5).
168 */
169 struct ikev1_pl_sa {
170 struct isakmp_gen h;
171 uint32_t doi; /* Domain of Interpretation */
172 uint32_t sit; /* Situation */
173 };
174
175 /* 3.5 Proposal Payload */
176 /*
177 The value of the next payload field MUST only contain the value "2"
178 or "0". If there are additional Proposal payloads in the message,
179 then this field will be 2. If the current Proposal payload is the
180 last within the security association proposal, then this field will
181 be 0.
182 */
183 struct ikev1_pl_p {
184 struct isakmp_gen h;
185 uint8_t p_no; /* Proposal # */
186 uint8_t prot_id; /* Protocol */
187 uint8_t spi_size; /* SPI Size */
188 uint8_t num_t; /* Number of Transforms */
189 /* SPI */
190 };
191
192 /* 3.6 Transform Payload */
193 /*
194 The value of the next payload field MUST only contain the value "3"
195 or "0". If there are additional Transform payloads in the proposal,
196 then this field will be 3. If the current Transform payload is the
197 last within the proposal, then this field will be 0.
198 */
199 struct ikev1_pl_t {
200 struct isakmp_gen h;
201 uint8_t t_no; /* Transform # */
202 uint8_t t_id; /* Transform-Id */
203 uint16_t reserved; /* RESERVED2 */
204 /* SA Attributes */
205 };
206
207 /* 3.7 Key Exchange Payload */
208 struct ikev1_pl_ke {
209 struct isakmp_gen h;
210 /* Key Exchange Data */
211 };
212
213 /* 3.8 Identification Payload */
214 /* MUST NOT to be used, because of being defined in ipsec-doi. */
215 struct ikev1_pl_id {
216 struct isakmp_gen h;
217 union {
218 uint8_t id_type; /* ID Type */
219 uint32_t doi_data; /* DOI Specific ID Data */
220 } d;
221 /* Identification Data */
222 };
223
224 /* 3.9 Certificate Payload */
225 struct ikev1_pl_cert {
226 struct isakmp_gen h;
227 uint8_t encode; /* Cert Encoding */
228 char cert; /* Certificate Data */
229 /*
230 This field indicates the type of
231 certificate or certificate-related information contained in the
232 Certificate Data field.
233 */
234 };
235
236 /* 3.10 Certificate Request Payload */
237 struct ikev1_pl_cr {
238 struct isakmp_gen h;
239 uint8_t num_cert; /* # Cert. Types */
240 /*
241 Certificate Types (variable length)
242 -- Contains a list of the types of certificates requested,
243 sorted in order of preference. Each individual certificate
244 type is 1 octet. This field is NOT requiredo
245 */
246 /* # Certificate Authorities (1 octet) */
247 /* Certificate Authorities (variable length) */
248 };
249
250 /* 3.11 Hash Payload */
251 /* may not be used, because of having only data. */
252 struct ikev1_pl_hash {
253 struct isakmp_gen h;
254 /* Hash Data */
255 };
256
257 /* 3.12 Signature Payload */
258 /* may not be used, because of having only data. */
259 struct ikev1_pl_sig {
260 struct isakmp_gen h;
261 /* Signature Data */
262 };
263
264 /* 3.13 Nonce Payload */
265 /* may not be used, because of having only data. */
266 struct ikev1_pl_nonce {
267 struct isakmp_gen h;
268 /* Nonce Data */
269 };
270
271 /* 3.14 Notification Payload */
272 struct ikev1_pl_n {
273 struct isakmp_gen h;
274 uint32_t doi; /* Domain of Interpretation */
275 uint8_t prot_id; /* Protocol-ID */
276 uint8_t spi_size; /* SPI Size */
277 uint16_t type; /* Notify Message Type */
278 /* SPI */
279 /* Notification Data */
280 };
281
282 /* 3.14.1 Notify Message Types */
283 /* NOTIFY MESSAGES - ERROR TYPES */
284 #define ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE 1
285 #define ISAKMP_NTYPE_DOI_NOT_SUPPORTED 2
286 #define ISAKMP_NTYPE_SITUATION_NOT_SUPPORTED 3
287 #define ISAKMP_NTYPE_INVALID_COOKIE 4
288 #define ISAKMP_NTYPE_INVALID_MAJOR_VERSION 5
289 #define ISAKMP_NTYPE_INVALID_MINOR_VERSION 6
290 #define ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE 7
291 #define ISAKMP_NTYPE_INVALID_FLAGS 8
292 #define ISAKMP_NTYPE_INVALID_MESSAGE_ID 9
293 #define ISAKMP_NTYPE_INVALID_PROTOCOL_ID 10
294 #define ISAKMP_NTYPE_INVALID_SPI 11
295 #define ISAKMP_NTYPE_INVALID_TRANSFORM_ID 12
296 #define ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED 13
297 #define ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN 14
298 #define ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX 15
299 #define ISAKMP_NTYPE_PAYLOAD_MALFORMED 16
300 #define ISAKMP_NTYPE_INVALID_KEY_INFORMATION 17
301 #define ISAKMP_NTYPE_INVALID_ID_INFORMATION 18
302 #define ISAKMP_NTYPE_INVALID_CERT_ENCODING 19
303 #define ISAKMP_NTYPE_INVALID_CERTIFICATE 20
304 #define ISAKMP_NTYPE_BAD_CERT_REQUEST_SYNTAX 21
305 #define ISAKMP_NTYPE_INVALID_CERT_AUTHORITY 22
306 #define ISAKMP_NTYPE_INVALID_HASH_INFORMATION 23
307 #define ISAKMP_NTYPE_AUTHENTICATION_FAILED 24
308 #define ISAKMP_NTYPE_INVALID_SIGNATURE 25
309 #define ISAKMP_NTYPE_ADDRESS_NOTIFICATION 26
310
311 /* 3.15 Delete Payload */
312 struct ikev1_pl_d {
313 struct isakmp_gen h;
314 uint32_t doi; /* Domain of Interpretation */
315 uint8_t prot_id; /* Protocol-Id */
316 uint8_t spi_size; /* SPI Size */
317 uint16_t num_spi; /* # of SPIs */
318 /* SPI(es) */
319 };
320
321 struct ikev1_ph1tab {
322 struct ikev1_ph1 *head;
323 struct ikev1_ph1 *tail;
324 int len;
325 };
326
327 struct isakmp_ph2tab {
328 struct ikev1_ph2 *head;
329 struct ikev1_ph2 *tail;
330 int len;
331 };
332
333 /* IKEv2 (RFC4306) */
334
335 /* 3.3 Security Association Payload -- generic header */
336 /* 3.3.1. Proposal Substructure */
337 struct ikev2_p {
338 struct isakmp_gen h;
339 uint8_t p_no; /* Proposal # */
340 uint8_t prot_id; /* Protocol */
341 uint8_t spi_size; /* SPI Size */
342 uint8_t num_t; /* Number of Transforms */
343 };
344
345 /* 3.3.2. Transform Substructure */
346 struct ikev2_t {
347 struct isakmp_gen h;
348 uint8_t t_type; /* Transform Type (ENCR,PRF,INTEG,etc.*/
349 uint8_t res2; /* reserved byte */
350 uint16_t t_id; /* Transform ID */
351 };
352
353 enum ikev2_t_type {
354 IV2_T_ENCR = 1,
355 IV2_T_PRF = 2,
356 IV2_T_INTEG= 3,
357 IV2_T_DH = 4,
358 IV2_T_ESN = 5
359 };
360
361 /* 3.4. Key Exchange Payload */
362 struct ikev2_ke {
363 struct isakmp_gen h;
364 uint16_t ke_group;
365 uint16_t ke_res1;
366 /* KE data */
367 };
368
369
370 /* 3.5. Identification Payloads */
371 enum ikev2_id_type {
372 ID_IPV4_ADDR=1,
373 ID_FQDN=2,
374 ID_RFC822_ADDR=3,
375 ID_IPV6_ADDR=5,
376 ID_DER_ASN1_DN=9,
377 ID_DER_ASN1_GN=10,
378 ID_KEY_ID=11
379 };
380 struct ikev2_id {
381 struct isakmp_gen h;
382 uint8_t type; /* ID type */
383 uint8_t res1;
384 uint16_t res2;
385 /* SPI */
386 /* Notification Data */
387 };
388
389 /* 3.10 Notification Payload */
390 struct ikev2_n {
391 struct isakmp_gen h;
392 uint8_t prot_id; /* Protocol-ID */
393 uint8_t spi_size; /* SPI Size */
394 uint16_t type; /* Notify Message Type */
395 };
396
397 enum ikev2_n_type {
398 IV2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD = 1,
399 IV2_NOTIFY_INVALID_IKE_SPI = 4,
400 IV2_NOTIFY_INVALID_MAJOR_VERSION = 5,
401 IV2_NOTIFY_INVALID_SYNTAX = 7,
402 IV2_NOTIFY_INVALID_MESSAGE_ID = 9,
403 IV2_NOTIFY_INVALID_SPI =11,
404 IV2_NOTIFY_NO_PROPOSAL_CHOSEN =14,
405 IV2_NOTIFY_INVALID_KE_PAYLOAD =17,
406 IV2_NOTIFY_AUTHENTICATION_FAILED =24,
407 IV2_NOTIFY_SINGLE_PAIR_REQUIRED =34,
408 IV2_NOTIFY_NO_ADDITIONAL_SAS =35,
409 IV2_NOTIFY_INTERNAL_ADDRESS_FAILURE =36,
410 IV2_NOTIFY_FAILED_CP_REQUIRED =37,
411 IV2_NOTIFY_INVALID_SELECTORS =39,
412 IV2_NOTIFY_INITIAL_CONTACT =16384,
413 IV2_NOTIFY_SET_WINDOW_SIZE =16385,
414 IV2_NOTIFY_ADDITIONAL_TS_POSSIBLE =16386,
415 IV2_NOTIFY_IPCOMP_SUPPORTED =16387,
416 IV2_NOTIFY_NAT_DETECTION_SOURCE_IP =16388,
417 IV2_NOTIFY_NAT_DETECTION_DESTINATION_IP =16389,
418 IV2_NOTIFY_COOKIE =16390,
419 IV2_NOTIFY_USE_TRANSPORT_MODE =16391,
420 IV2_NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED =16392,
421 IV2_NOTIFY_REKEY_SA =16393,
422 IV2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED =16394,
423 IV2_NOTIFY_NON_FIRST_FRAGMENTS_ALSO =16395
424 };
425
426 struct notify_messages {
427 uint16_t type;
428 char *msg;
429 };
430
431 /* 3.8 Authentication Payload */
432 struct ikev2_auth {
433 struct isakmp_gen h;
434 uint8_t auth_method; /* Protocol-ID */
435 uint8_t reserved[3];
436 /* authentication data */
437 };
438
439 enum ikev2_auth_type {
440 IV2_RSA_SIG = 1,
441 IV2_SHARED = 2,
442 IV2_DSS_SIG = 3
443 };
444
445 /* refer to RFC 2409 */
446
447 #if 0
448 /* isakmp sa structure */
449 struct oakley_sa {
450 uint8_t proto_id; /* OAKLEY */
451 vchar_t *spi; /* spi */
452 uint8_t dhgrp; /* DH; group */
453 uint8_t auth_t; /* method of authentication */
454 uint8_t prf_t; /* type of prf */
455 uint8_t hash_t; /* type of hash */
456 uint8_t enc_t; /* type of cipher */
457 uint8_t life_t; /* type of duration of lifetime */
458 uint32_t ldur; /* life duration */
459 };
460 #endif
461
462 /* refer to RFC 2407 */
463
464 #define IPSEC_DOI 1
465
466 /* 4.2 IPSEC Situation Definition */
467 #define IPSECDOI_SIT_IDENTITY_ONLY 0x00000001
468 #define IPSECDOI_SIT_SECRECY 0x00000002
469 #define IPSECDOI_SIT_INTEGRITY 0x00000004
470
471 /* 4.4.1 IPSEC Security Protocol Identifiers */
472 /* 4.4.2 IPSEC ISAKMP Transform Values */
473 #define IPSECDOI_PROTO_ISAKMP 1
474 #define IPSECDOI_KEY_IKE 1
475
476 /* 4.4.1 IPSEC Security Protocol Identifiers */
477 #define IPSECDOI_PROTO_IPSEC_AH 2
478 /* 4.4.3 IPSEC AH Transform Values */
479 #define IPSECDOI_AH_MD5 2
480 #define IPSECDOI_AH_SHA 3
481 #define IPSECDOI_AH_DES 4
482 #define IPSECDOI_AH_SHA2_256 5
483 #define IPSECDOI_AH_SHA2_384 6
484 #define IPSECDOI_AH_SHA2_512 7
485
486 /* 4.4.1 IPSEC Security Protocol Identifiers */
487 #define IPSECDOI_PROTO_IPSEC_ESP 3
488 /* 4.4.4 IPSEC ESP Transform Identifiers */
489 #define IPSECDOI_ESP_DES_IV64 1
490 #define IPSECDOI_ESP_DES 2
491 #define IPSECDOI_ESP_3DES 3
492 #define IPSECDOI_ESP_RC5 4
493 #define IPSECDOI_ESP_IDEA 5
494 #define IPSECDOI_ESP_CAST 6
495 #define IPSECDOI_ESP_BLOWFISH 7
496 #define IPSECDOI_ESP_3IDEA 8
497 #define IPSECDOI_ESP_DES_IV32 9
498 #define IPSECDOI_ESP_RC4 10
499 #define IPSECDOI_ESP_NULL 11
500 #define IPSECDOI_ESP_RIJNDAEL 12
501 #define IPSECDOI_ESP_AES 12
502
503 /* 4.4.1 IPSEC Security Protocol Identifiers */
504 #define IPSECDOI_PROTO_IPCOMP 4
505 /* 4.4.5 IPSEC IPCOMP Transform Identifiers */
506 #define IPSECDOI_IPCOMP_OUI 1
507 #define IPSECDOI_IPCOMP_DEFLATE 2
508 #define IPSECDOI_IPCOMP_LZS 3
509
510 /* 4.5 IPSEC Security Association Attributes */
511 #define IPSECDOI_ATTR_SA_LTYPE 1 /* B */
512 #define IPSECDOI_ATTR_SA_LTYPE_DEFAULT 1
513 #define IPSECDOI_ATTR_SA_LTYPE_SEC 1
514 #define IPSECDOI_ATTR_SA_LTYPE_KB 2
515 #define IPSECDOI_ATTR_SA_LDUR 2 /* V */
516 #define IPSECDOI_ATTR_SA_LDUR_DEFAULT 28800 /* 8 hours */
517 #define IPSECDOI_ATTR_GRP_DESC 3 /* B */
518 #define IPSECDOI_ATTR_ENC_MODE 4 /* B */
519 /* default value: host dependent */
520 #define IPSECDOI_ATTR_ENC_MODE_TUNNEL 1
521 #define IPSECDOI_ATTR_ENC_MODE_TRNS 2
522 #define IPSECDOI_ATTR_AUTH 5 /* B */
523 /* 0 means not to use authentication. */
524 #define IPSECDOI_ATTR_AUTH_HMAC_MD5 1
525 #define IPSECDOI_ATTR_AUTH_HMAC_SHA1 2
526 #define IPSECDOI_ATTR_AUTH_DES_MAC 3
527 #define IPSECDOI_ATTR_AUTH_KPDK 4 /*RFC-1826(Key/Pad/Data/Key)*/
528 /*
529 * When negotiating ESP without authentication, the Auth
530 * Algorithm attribute MUST NOT be included in the proposal.
531 * When negotiating ESP without confidentiality, the Auth
532 * Algorithm attribute MUST be included in the proposal and
533 * the ESP transform ID must be ESP_NULL.
534 */
535 #define IPSECDOI_ATTR_KEY_LENGTH 6 /* B */
536 #define IPSECDOI_ATTR_KEY_ROUNDS 7 /* B */
537 #define IPSECDOI_ATTR_COMP_DICT_SIZE 8 /* B */
538 #define IPSECDOI_ATTR_COMP_PRIVALG 9 /* V */
539
540 /* 4.6.1 Security Association Payload */
541 struct ipsecdoi_sa {
542 struct isakmp_gen h;
543 uint32_t doi; /* Domain of Interpretation */
544 uint32_t sit; /* Situation */
545 };
546
547 struct ipsecdoi_secrecy_h {
548 uint16_t len;
549 uint16_t reserved;
550 };
551
552 /* 4.6.2.1 Identification Type Values */
553 struct ipsecdoi_id {
554 struct isakmp_gen h;
555 uint8_t type; /* ID Type */
556 uint8_t proto_id; /* Protocol ID */
557 uint16_t port; /* Port */
558 /* Identification Data */
559 };
560
561 #define IPSECDOI_ID_IPV4_ADDR 1
562 #define IPSECDOI_ID_FQDN 2
563 #define IPSECDOI_ID_USER_FQDN 3
564 #define IPSECDOI_ID_IPV4_ADDR_SUBNET 4
565 #define IPSECDOI_ID_IPV6_ADDR 5
566 #define IPSECDOI_ID_IPV6_ADDR_SUBNET 6
567 #define IPSECDOI_ID_IPV4_ADDR_RANGE 7
568 #define IPSECDOI_ID_IPV6_ADDR_RANGE 8
569 #define IPSECDOI_ID_DER_ASN1_DN 9
570 #define IPSECDOI_ID_DER_ASN1_GN 10
571 #define IPSECDOI_ID_KEY_ID 11
572
573 /* 4.6.3 IPSEC DOI Notify Message Types */
574 /* Notify Messages - Status Types */
575 #define IPSECDOI_NTYPE_RESPONDER_LIFETIME 24576
576 #define IPSECDOI_NTYPE_REPLAY_STATUS 24577
577 #define IPSECDOI_NTYPE_INITIAL_CONTACT 24578
578
579 #define DECLARE_PRINTER(func) static const u_char *ike##func##_print( \
580 netdissect_options *ndo, u_char tpay, \
581 const struct isakmp_gen *ext, \
582 u_int item_len, \
583 const u_char *end_pointer, \
584 uint32_t phase,\
585 uint32_t doi0, \
586 uint32_t proto0, int depth)
587
588 DECLARE_PRINTER(v1_sa);
589 DECLARE_PRINTER(v1_p);
590 DECLARE_PRINTER(v1_t);
591 DECLARE_PRINTER(v1_ke);
592 DECLARE_PRINTER(v1_id);
593 DECLARE_PRINTER(v1_cert);
594 DECLARE_PRINTER(v1_cr);
595 DECLARE_PRINTER(v1_sig);
596 DECLARE_PRINTER(v1_hash);
597 DECLARE_PRINTER(v1_nonce);
598 DECLARE_PRINTER(v1_n);
599 DECLARE_PRINTER(v1_d);
600 DECLARE_PRINTER(v1_vid);
601
602 DECLARE_PRINTER(v2_sa);
603 DECLARE_PRINTER(v2_ke);
604 DECLARE_PRINTER(v2_ID);
605 DECLARE_PRINTER(v2_cert);
606 DECLARE_PRINTER(v2_cr);
607 DECLARE_PRINTER(v2_auth);
608 DECLARE_PRINTER(v2_nonce);
609 DECLARE_PRINTER(v2_n);
610 DECLARE_PRINTER(v2_d);
611 DECLARE_PRINTER(v2_vid);
612 DECLARE_PRINTER(v2_TS);
613 DECLARE_PRINTER(v2_cp);
614 DECLARE_PRINTER(v2_eap);
615
616 static const u_char *ikev2_e_print(netdissect_options *ndo,
617 struct isakmp *base,
618 u_char tpay,
619 const struct isakmp_gen *ext,
620 u_int item_len,
621 const u_char *end_pointer,
622 uint32_t phase,
623 uint32_t doi0,
624 uint32_t proto0, int depth);
625
626
627 static const u_char *ike_sub0_print(netdissect_options *ndo,u_char, const struct isakmp_gen *,
628 const u_char *, uint32_t, uint32_t, uint32_t, int);
629 static const u_char *ikev1_sub_print(netdissect_options *ndo,u_char, const struct isakmp_gen *,
630 const u_char *, uint32_t, uint32_t, uint32_t, int);
631
632 static const u_char *ikev2_sub_print(netdissect_options *ndo,
633 struct isakmp *base,
634 u_char np, const struct isakmp_gen *ext,
635 const u_char *ep, uint32_t phase,
636 uint32_t doi, uint32_t proto,
637 int depth);
638
639
640 static char *numstr(int);
641
642 static void
643 ikev1_print(netdissect_options *ndo,
644 const u_char *bp, u_int length,
645 const u_char *bp2, struct isakmp *base);
646
647 #define MAXINITIATORS 20
648 static int ninitiator = 0;
649 union inaddr_u {
650 struct in_addr in4;
651 struct in6_addr in6;
652 };
653 static struct {
654 cookie_t initiator;
655 u_int version;
656 union inaddr_u iaddr;
657 union inaddr_u raddr;
658 } cookiecache[MAXINITIATORS];
659
660 /* protocol id */
661 static const char *protoidstr[] = {
662 NULL, "isakmp", "ipsec-ah", "ipsec-esp", "ipcomp",
663 };
664
665 /* isakmp->np */
666 static const char *npstr[] = {
667 "none", "sa", "p", "t", "ke", "id", "cert", "cr", "hash", /* 0 - 8 */
668 "sig", "nonce", "n", "d", "vid", /* 9 - 13 */
669 "pay14", "pay15", "pay16", "pay17", "pay18", /* 14- 18 */
670 "pay19", "pay20", "pay21", "pay22", "pay23", /* 19- 23 */
671 "pay24", "pay25", "pay26", "pay27", "pay28", /* 24- 28 */
672 "pay29", "pay30", "pay31", "pay32", /* 29- 32 */
673 "v2sa", "v2ke", "v2IDi", "v2IDr", "v2cert",/* 33- 37 */
674 "v2cr", "v2auth","v2nonce", "v2n", "v2d", /* 38- 42 */
675 "v2vid", "v2TSi", "v2TSr", "v2e", "v2cp", /* 43- 47 */
676 "v2eap", /* 48 */
677
678 };
679
680 /* isakmp->np */
681 static const u_char *(*npfunc[])(netdissect_options *ndo, u_char tpay,
682 const struct isakmp_gen *ext,
683 u_int item_len,
684 const u_char *end_pointer,
685 uint32_t phase,
686 uint32_t doi0,
687 uint32_t proto0, int depth) = {
688 NULL,
689 ikev1_sa_print,
690 ikev1_p_print,
691 ikev1_t_print,
692 ikev1_ke_print,
693 ikev1_id_print,
694 ikev1_cert_print,
695 ikev1_cr_print,
696 ikev1_hash_print,
697 ikev1_sig_print,
698 ikev1_nonce_print,
699 ikev1_n_print,
700 ikev1_d_print,
701 ikev1_vid_print, /* 13 */
702 NULL, NULL, NULL, NULL, NULL, /* 14- 18 */
703 NULL, NULL, NULL, NULL, NULL, /* 19- 23 */
704 NULL, NULL, NULL, NULL, NULL, /* 24- 28 */
705 NULL, NULL, NULL, NULL, /* 29- 32 */
706 ikev2_sa_print, /* 33 */
707 ikev2_ke_print, /* 34 */
708 ikev2_ID_print, /* 35 */
709 ikev2_ID_print, /* 36 */
710 ikev2_cert_print, /* 37 */
711 ikev2_cr_print, /* 38 */
712 ikev2_auth_print, /* 39 */
713 ikev2_nonce_print, /* 40 */
714 ikev2_n_print, /* 41 */
715 ikev2_d_print, /* 42 */
716 ikev2_vid_print, /* 43 */
717 ikev2_TS_print, /* 44 */
718 ikev2_TS_print, /* 45 */
719 NULL, /* ikev2_e_print,*/ /* 46 - special */
720 ikev2_cp_print, /* 47 */
721 ikev2_eap_print, /* 48 */
722 };
723
724 /* isakmp->etype */
725 static const char *etypestr[] = {
726 /* IKEv1 exchange types */
727 "none", "base", "ident", "auth", "agg", "inf", NULL, NULL, /* 0-7 */
728 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 8-15 */
729 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 16-23 */
730 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 24-31 */
731 "oakley-quick", "oakley-newgroup", /* 32-33 */
732 /* IKEv2 exchange types */
733 "ikev2_init", "ikev2_auth", "child_sa", "inf2" /* 34-37 */
734 };
735
736 #define STR_OR_ID(x, tab) \
737 (((x) < sizeof(tab)/sizeof(tab[0]) && tab[(x)]) ? tab[(x)] : numstr(x))
738 #define PROTOIDSTR(x) STR_OR_ID(x, protoidstr)
739 #define NPSTR(x) STR_OR_ID(x, npstr)
740 #define ETYPESTR(x) STR_OR_ID(x, etypestr)
741
742 #define CHECKLEN(p, np) \
743 if (ep < (const u_char *)(p)) { \
744 ND_PRINT((ndo," [|%s]", NPSTR(np))); \
745 goto done; \
746 }
747
748
749 #define NPFUNC(x) \
750 (((x) < sizeof(npfunc)/sizeof(npfunc[0]) && npfunc[(x)]) \
751 ? npfunc[(x)] : NULL)
752
753 static int
754 iszero(const u_char *p, size_t l)
755 {
756 while (l--) {
757 if (*p++)
758 return 0;
759 }
760 return 1;
761 }
762
763 /* find cookie from initiator cache */
764 static int
765 cookie_find(cookie_t *in)
766 {
767 int i;
768
769 for (i = 0; i < MAXINITIATORS; i++) {
770 if (memcmp(in, &cookiecache[i].initiator, sizeof(*in)) == 0)
771 return i;
772 }
773
774 return -1;
775 }
776
777 /* record initiator */
778 static void
779 cookie_record(cookie_t *in, const u_char *bp2)
780 {
781 int i;
782 const struct ip *ip;
783 const struct ip6_hdr *ip6;
784
785 i = cookie_find(in);
786 if (0 <= i) {
787 ninitiator = (i + 1) % MAXINITIATORS;
788 return;
789 }
790
791 ip = (const struct ip *)bp2;
792 switch (IP_V(ip)) {
793 case 4:
794 cookiecache[ninitiator].version = 4;
795 UNALIGNED_MEMCPY(&cookiecache[ninitiator].iaddr.in4, &ip->ip_src, sizeof(struct in_addr));
796 UNALIGNED_MEMCPY(&cookiecache[ninitiator].raddr.in4, &ip->ip_dst, sizeof(struct in_addr));
797 break;
798 case 6:
799 ip6 = (const struct ip6_hdr *)bp2;
800 cookiecache[ninitiator].version = 6;
801 UNALIGNED_MEMCPY(&cookiecache[ninitiator].iaddr.in6, &ip6->ip6_src, sizeof(struct in6_addr));
802 UNALIGNED_MEMCPY(&cookiecache[ninitiator].raddr.in6, &ip6->ip6_dst, sizeof(struct in6_addr));
803 break;
804 default:
805 return;
806 }
807 UNALIGNED_MEMCPY(&cookiecache[ninitiator].initiator, in, sizeof(*in));
808 ninitiator = (ninitiator + 1) % MAXINITIATORS;
809 }
810
811 #define cookie_isinitiator(x, y) cookie_sidecheck((x), (y), 1)
812 #define cookie_isresponder(x, y) cookie_sidecheck((x), (y), 0)
813 static int
814 cookie_sidecheck(int i, const u_char *bp2, int initiator)
815 {
816 const struct ip *ip;
817 const struct ip6_hdr *ip6;
818
819 ip = (const struct ip *)bp2;
820 switch (IP_V(ip)) {
821 case 4:
822 if (cookiecache[i].version != 4)
823 return 0;
824 if (initiator) {
825 if (UNALIGNED_MEMCMP(&ip->ip_src, &cookiecache[i].iaddr.in4, sizeof(struct in_addr)) == 0)
826 return 1;
827 } else {
828 if (UNALIGNED_MEMCMP(&ip->ip_src, &cookiecache[i].raddr.in4, sizeof(struct in_addr)) == 0)
829 return 1;
830 }
831 break;
832 case 6:
833 if (cookiecache[i].version != 6)
834 return 0;
835 ip6 = (const struct ip6_hdr *)bp2;
836 if (initiator) {
837 if (UNALIGNED_MEMCMP(&ip6->ip6_src, &cookiecache[i].iaddr.in6, sizeof(struct in6_addr)) == 0)
838 return 1;
839 } else {
840 if (UNALIGNED_MEMCMP(&ip6->ip6_src, &cookiecache[i].raddr.in6, sizeof(struct in6_addr)) == 0)
841 return 1;
842 }
843 break;
844 default:
845 break;
846 }
847
848 return 0;
849 }
850
851 static void
852 hexprint(netdissect_options *ndo, const uint8_t *loc, size_t len)
853 {
854 const uint8_t *p;
855 size_t i;
856
857 p = loc;
858 for (i = 0; i < len; i++)
859 ND_PRINT((ndo,"%02x", p[i] & 0xff));
860 }
861
862 static int
863 rawprint(netdissect_options *ndo, const uint8_t *loc, size_t len)
864 {
865 ND_TCHECK2(*loc, len);
866
867 hexprint(ndo, loc, len);
868 return 1;
869 trunc:
870 return 0;
871 }
872
873
874 /*
875 * returns false if we run out of data buffer
876 */
877 static int ike_show_somedata(netdissect_options *ndo,
878 const u_char *cp, const u_char *ep)
879 {
880 /* there is too much data, just show some of it */
881 const u_char *end = ep - 20;
882 int elen = 20;
883 int len = ep - cp;
884 if(len > 10) {
885 len = 10;
886 }
887
888 /* really shouldn't happen because of above */
889 if(end < cp + len) {
890 end = cp+len;
891 elen = ep - end;
892 }
893
894 ND_PRINT((ndo," data=("));
895 if(!rawprint(ndo, (const uint8_t *)(cp), len)) goto trunc;
896 ND_PRINT((ndo, "..."));
897 if(elen) {
898 if(!rawprint(ndo, (const uint8_t *)(end), elen)) goto trunc;
899 }
900 ND_PRINT((ndo,")"));
901 return 1;
902
903 trunc:
904 return 0;
905 }
906
907 struct attrmap {
908 const char *type;
909 u_int nvalue;
910 const char *value[30]; /*XXX*/
911 };
912
913 static const u_char *
914 ikev1_attrmap_print(netdissect_options *ndo,
915 const u_char *p, const u_char *ep,
916 const struct attrmap *map, size_t nmap)
917 {
918 int totlen;
919 uint32_t t, v;
920
921 if (p[0] & 0x80)
922 totlen = 4;
923 else
924 totlen = 4 + EXTRACT_16BITS(&p[2]);
925 if (ep < p + totlen) {
926 ND_PRINT((ndo,"[|attr]"));
927 return ep + 1;
928 }
929
930 ND_PRINT((ndo,"("));
931 t = EXTRACT_16BITS(&p[0]) & 0x7fff;
932 if (map && t < nmap && map[t].type)
933 ND_PRINT((ndo,"type=%s ", map[t].type));
934 else
935 ND_PRINT((ndo,"type=#%d ", t));
936 if (p[0] & 0x80) {
937 ND_PRINT((ndo,"value="));
938 v = EXTRACT_16BITS(&p[2]);
939 if (map && t < nmap && v < map[t].nvalue && map[t].value[v])
940 ND_PRINT((ndo,"%s", map[t].value[v]));
941 else
942 rawprint(ndo, (const uint8_t *)&p[2], 2);
943 } else {
944 ND_PRINT((ndo,"len=%d value=", EXTRACT_16BITS(&p[2])));
945 rawprint(ndo, (const uint8_t *)&p[4], EXTRACT_16BITS(&p[2]));
946 }
947 ND_PRINT((ndo,")"));
948 return p + totlen;
949 }
950
951 static const u_char *
952 ikev1_attr_print(netdissect_options *ndo, const u_char *p, const u_char *ep)
953 {
954 int totlen;
955 uint32_t t;
956
957 if (p[0] & 0x80)
958 totlen = 4;
959 else
960 totlen = 4 + EXTRACT_16BITS(&p[2]);
961 if (ep < p + totlen) {
962 ND_PRINT((ndo,"[|attr]"));
963 return ep + 1;
964 }
965
966 ND_PRINT((ndo,"("));
967 t = EXTRACT_16BITS(&p[0]) & 0x7fff;
968 ND_PRINT((ndo,"type=#%d ", t));
969 if (p[0] & 0x80) {
970 ND_PRINT((ndo,"value="));
971 t = p[2];
972 rawprint(ndo, (const uint8_t *)&p[2], 2);
973 } else {
974 ND_PRINT((ndo,"len=%d value=", EXTRACT_16BITS(&p[2])));
975 rawprint(ndo, (const uint8_t *)&p[4], EXTRACT_16BITS(&p[2]));
976 }
977 ND_PRINT((ndo,")"));
978 return p + totlen;
979 }
980
981 static const u_char *
982 ikev1_sa_print(netdissect_options *ndo, u_char tpay _U_,
983 const struct isakmp_gen *ext,
984 u_int item_len _U_,
985 const u_char *ep, uint32_t phase, uint32_t doi0 _U_,
986 uint32_t proto0, int depth)
987 {
988 const struct ikev1_pl_sa *p;
989 struct ikev1_pl_sa sa;
990 uint32_t doi, sit, ident;
991 const u_char *cp, *np;
992 int t;
993
994 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_SA)));
995
996 p = (const struct ikev1_pl_sa *)ext;
997 ND_TCHECK(*p);
998 UNALIGNED_MEMCPY(&sa, ext, sizeof(sa));
999 doi = ntohl(sa.doi);
1000 sit = ntohl(sa.sit);
1001 if (doi != 1) {
1002 ND_PRINT((ndo," doi=%d", doi));
1003 ND_PRINT((ndo," situation=%u", (uint32_t)ntohl(sa.sit)));
1004 return (const u_char *)(p + 1);
1005 }
1006
1007 ND_PRINT((ndo," doi=ipsec"));
1008 ND_PRINT((ndo," situation="));
1009 t = 0;
1010 if (sit & 0x01) {
1011 ND_PRINT((ndo,"identity"));
1012 t++;
1013 }
1014 if (sit & 0x02) {
1015 ND_PRINT((ndo,"%ssecrecy", t ? "+" : ""));
1016 t++;
1017 }
1018 if (sit & 0x04)
1019 ND_PRINT((ndo,"%sintegrity", t ? "+" : ""));
1020
1021 np = (const u_char *)ext + sizeof(sa);
1022 if (sit != 0x01) {
1023 ND_TCHECK2(*(ext + 1), sizeof(ident));
1024 UNALIGNED_MEMCPY(&ident, ext + 1, sizeof(ident));
1025 ND_PRINT((ndo," ident=%u", (uint32_t)ntohl(ident)));
1026 np += sizeof(ident);
1027 }
1028
1029 ext = (const struct isakmp_gen *)np;
1030 ND_TCHECK(*ext);
1031
1032 cp = ikev1_sub_print(ndo, ISAKMP_NPTYPE_P, ext, ep, phase, doi, proto0,
1033 depth);
1034
1035 return cp;
1036 trunc:
1037 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_SA)));
1038 return NULL;
1039 }
1040
1041 static const u_char *
1042 ikev1_p_print(netdissect_options *ndo, u_char tpay _U_,
1043 const struct isakmp_gen *ext, u_int item_len _U_,
1044 const u_char *ep, uint32_t phase, uint32_t doi0,
1045 uint32_t proto0 _U_, int depth)
1046 {
1047 const struct ikev1_pl_p *p;
1048 struct ikev1_pl_p prop;
1049 const u_char *cp;
1050
1051 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_P)));
1052
1053 p = (const struct ikev1_pl_p *)ext;
1054 ND_TCHECK(*p);
1055 UNALIGNED_MEMCPY(&prop, ext, sizeof(prop));
1056 ND_PRINT((ndo," #%d protoid=%s transform=%d",
1057 prop.p_no, PROTOIDSTR(prop.prot_id), prop.num_t));
1058 if (prop.spi_size) {
1059 ND_PRINT((ndo," spi="));
1060 if (!rawprint(ndo, (const uint8_t *)(p + 1), prop.spi_size))
1061 goto trunc;
1062 }
1063
1064 ext = (const struct isakmp_gen *)((const u_char *)(p + 1) + prop.spi_size);
1065 ND_TCHECK(*ext);
1066
1067 cp = ikev1_sub_print(ndo, ISAKMP_NPTYPE_T, ext, ep, phase, doi0,
1068 prop.prot_id, depth);
1069
1070 return cp;
1071 trunc:
1072 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_P)));
1073 return NULL;
1074 }
1075
1076 static const char *ikev1_p_map[] = {
1077 NULL, "ike",
1078 };
1079
1080 static const char *ikev2_t_type_map[]={
1081 NULL, "encr", "prf", "integ", "dh", "esn"
1082 };
1083
1084 static const char *ah_p_map[] = {
1085 NULL, "(reserved)", "md5", "sha", "1des",
1086 "sha2-256", "sha2-384", "sha2-512",
1087 };
1088
1089 static const char *prf_p_map[] = {
1090 NULL, "hmac-md5", "hmac-sha", "hmac-tiger",
1091 "aes128_xcbc"
1092 };
1093
1094 static const char *integ_p_map[] = {
1095 NULL, "hmac-md5", "hmac-sha", "dec-mac",
1096 "kpdk-md5", "aes-xcbc"
1097 };
1098
1099 static const char *esn_p_map[] = {
1100 "no-esn", "esn"
1101 };
1102
1103 static const char *dh_p_map[] = {
1104 NULL, "modp768",
1105 "modp1024", /* group 2 */
1106 "EC2N 2^155", /* group 3 */
1107 "EC2N 2^185", /* group 4 */
1108 "modp1536", /* group 5 */
1109 "iana-grp06", "iana-grp07", /* reserved */
1110 "iana-grp08", "iana-grp09",
1111 "iana-grp10", "iana-grp11",
1112 "iana-grp12", "iana-grp13",
1113 "modp2048", /* group 14 */
1114 "modp3072", /* group 15 */
1115 "modp4096", /* group 16 */
1116 "modp6144", /* group 17 */
1117 "modp8192", /* group 18 */
1118 };
1119
1120 static const char *esp_p_map[] = {
1121 NULL, "1des-iv64", "1des", "3des", "rc5", "idea", "cast",
1122 "blowfish", "3idea", "1des-iv32", "rc4", "null", "aes"
1123 };
1124
1125 static const char *ipcomp_p_map[] = {
1126 NULL, "oui", "deflate", "lzs",
1127 };
1128
1129 static const struct attrmap ipsec_t_map[] = {
1130 { NULL, 0, { NULL } },
1131 { "lifetype", 3, { NULL, "sec", "kb", }, },
1132 { "life", 0, { NULL } },
1133 { "group desc", 18, { NULL, "modp768",
1134 "modp1024", /* group 2 */
1135 "EC2N 2^155", /* group 3 */
1136 "EC2N 2^185", /* group 4 */
1137 "modp1536", /* group 5 */
1138 "iana-grp06", "iana-grp07", /* reserved */
1139 "iana-grp08", "iana-grp09",
1140 "iana-grp10", "iana-grp11",
1141 "iana-grp12", "iana-grp13",
1142 "modp2048", /* group 14 */
1143 "modp3072", /* group 15 */
1144 "modp4096", /* group 16 */
1145 "modp6144", /* group 17 */
1146 "modp8192", /* group 18 */
1147 }, },
1148 { "enc mode", 3, { NULL, "tunnel", "transport", }, },
1149 { "auth", 5, { NULL, "hmac-md5", "hmac-sha1", "1des-mac", "keyed", }, },
1150 { "keylen", 0, { NULL } },
1151 { "rounds", 0, { NULL } },
1152 { "dictsize", 0, { NULL } },
1153 { "privalg", 0, { NULL } },
1154 };
1155
1156 static const struct attrmap encr_t_map[] = {
1157 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 0, 1 */
1158 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 2, 3 */
1159 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 4, 5 */
1160 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 6, 7 */
1161 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 8, 9 */
1162 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 10,11*/
1163 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 12,13*/
1164 { "keylen", 14, { NULL }},
1165 };
1166
1167 static const struct attrmap oakley_t_map[] = {
1168 { NULL, 0, { NULL } },
1169 { "enc", 8, { NULL, "1des", "idea", "blowfish", "rc5",
1170 "3des", "cast", "aes", }, },
1171 { "hash", 7, { NULL, "md5", "sha1", "tiger",
1172 "sha2-256", "sha2-384", "sha2-512", }, },
1173 { "auth", 6, { NULL, "preshared", "dss", "rsa sig", "rsa enc",
1174 "rsa enc revised", }, },
1175 { "group desc", 18, { NULL, "modp768",
1176 "modp1024", /* group 2 */
1177 "EC2N 2^155", /* group 3 */
1178 "EC2N 2^185", /* group 4 */
1179 "modp1536", /* group 5 */
1180 "iana-grp06", "iana-grp07", /* reserved */
1181 "iana-grp08", "iana-grp09",
1182 "iana-grp10", "iana-grp11",
1183 "iana-grp12", "iana-grp13",
1184 "modp2048", /* group 14 */
1185 "modp3072", /* group 15 */
1186 "modp4096", /* group 16 */
1187 "modp6144", /* group 17 */
1188 "modp8192", /* group 18 */
1189 }, },
1190 { "group type", 4, { NULL, "MODP", "ECP", "EC2N", }, },
1191 { "group prime", 0, { NULL } },
1192 { "group gen1", 0, { NULL } },
1193 { "group gen2", 0, { NULL } },
1194 { "group curve A", 0, { NULL } },
1195 { "group curve B", 0, { NULL } },
1196 { "lifetype", 3, { NULL, "sec", "kb", }, },
1197 { "lifeduration", 0, { NULL } },
1198 { "prf", 0, { NULL } },
1199 { "keylen", 0, { NULL } },
1200 { "field", 0, { NULL } },
1201 { "order", 0, { NULL } },
1202 };
1203
1204 static const u_char *
1205 ikev1_t_print(netdissect_options *ndo, u_char tpay _U_,
1206 const struct isakmp_gen *ext, u_int item_len,
1207 const u_char *ep, uint32_t phase _U_, uint32_t doi _U_,
1208 uint32_t proto, int depth _U_)
1209 {
1210 const struct ikev1_pl_t *p;
1211 struct ikev1_pl_t t;
1212 const u_char *cp;
1213 const char *idstr;
1214 const struct attrmap *map;
1215 size_t nmap;
1216 const u_char *ep2;
1217
1218 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_T)));
1219
1220 p = (const struct ikev1_pl_t *)ext;
1221 ND_TCHECK(*p);
1222 UNALIGNED_MEMCPY(&t, ext, sizeof(t));
1223
1224 switch (proto) {
1225 case 1:
1226 idstr = STR_OR_ID(t.t_id, ikev1_p_map);
1227 map = oakley_t_map;
1228 nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]);
1229 break;
1230 case 2:
1231 idstr = STR_OR_ID(t.t_id, ah_p_map);
1232 map = ipsec_t_map;
1233 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
1234 break;
1235 case 3:
1236 idstr = STR_OR_ID(t.t_id, esp_p_map);
1237 map = ipsec_t_map;
1238 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
1239 break;
1240 case 4:
1241 idstr = STR_OR_ID(t.t_id, ipcomp_p_map);
1242 map = ipsec_t_map;
1243 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
1244 break;
1245 default:
1246 idstr = NULL;
1247 map = NULL;
1248 nmap = 0;
1249 break;
1250 }
1251
1252 if (idstr)
1253 ND_PRINT((ndo," #%d id=%s ", t.t_no, idstr));
1254 else
1255 ND_PRINT((ndo," #%d id=%d ", t.t_no, t.t_id));
1256 cp = (const u_char *)(p + 1);
1257 ep2 = (const u_char *)p + item_len;
1258 while (cp < ep && cp < ep2) {
1259 if (map && nmap) {
1260 cp = ikev1_attrmap_print(ndo, cp, (ep < ep2) ? ep : ep2,
1261 map, nmap);
1262 } else
1263 cp = ikev1_attr_print(ndo, cp, (ep < ep2) ? ep : ep2);
1264 }
1265 if (ep < ep2)
1266 ND_PRINT((ndo,"..."));
1267 return cp;
1268 trunc:
1269 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_T)));
1270 return NULL;
1271 }
1272
1273 static const u_char *
1274 ikev1_ke_print(netdissect_options *ndo, u_char tpay _U_,
1275 const struct isakmp_gen *ext, u_int item_len _U_,
1276 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_,
1277 uint32_t proto _U_, int depth _U_)
1278 {
1279 struct isakmp_gen e;
1280
1281 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_KE)));
1282
1283 ND_TCHECK(*ext);
1284 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1285 ND_PRINT((ndo," key len=%d", ntohs(e.len) - 4));
1286 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1287 ND_PRINT((ndo," "));
1288 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
1289 goto trunc;
1290 }
1291 return (const u_char *)ext + ntohs(e.len);
1292 trunc:
1293 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_KE)));
1294 return NULL;
1295 }
1296
1297 static const u_char *
1298 ikev1_id_print(netdissect_options *ndo, u_char tpay _U_,
1299 const struct isakmp_gen *ext, u_int item_len,
1300 const u_char *ep _U_, uint32_t phase, uint32_t doi _U_,
1301 uint32_t proto _U_, int depth _U_)
1302 {
1303 #define USE_IPSECDOI_IN_PHASE1 1
1304 const struct ikev1_pl_id *p;
1305 struct ikev1_pl_id id;
1306 static const char *idtypestr[] = {
1307 "IPv4", "IPv4net", "IPv6", "IPv6net",
1308 };
1309 static const char *ipsecidtypestr[] = {
1310 NULL, "IPv4", "FQDN", "user FQDN", "IPv4net", "IPv6",
1311 "IPv6net", "IPv4range", "IPv6range", "ASN1 DN", "ASN1 GN",
1312 "keyid",
1313 };
1314 int len;
1315 const u_char *data;
1316
1317 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_ID)));
1318
1319 p = (const struct ikev1_pl_id *)ext;
1320 ND_TCHECK(*p);
1321 UNALIGNED_MEMCPY(&id, ext, sizeof(id));
1322 if (sizeof(*p) < item_len) {
1323 data = (const u_char *)(p + 1);
1324 len = item_len - sizeof(*p);
1325 } else {
1326 data = NULL;
1327 len = 0;
1328 }
1329
1330 #if 0 /*debug*/
1331 ND_PRINT((ndo," [phase=%d doi=%d proto=%d]", phase, doi, proto));
1332 #endif
1333 switch (phase) {
1334 #ifndef USE_IPSECDOI_IN_PHASE1
1335 case 1:
1336 #endif
1337 default:
1338 ND_PRINT((ndo," idtype=%s", STR_OR_ID(id.d.id_type, idtypestr)));
1339 ND_PRINT((ndo," doi_data=%u",
1340 (uint32_t)(ntohl(id.d.doi_data) & 0xffffff)));
1341 break;
1342
1343 #ifdef USE_IPSECDOI_IN_PHASE1
1344 case 1:
1345 #endif
1346 case 2:
1347 {
1348 const struct ipsecdoi_id *doi_p;
1349 struct ipsecdoi_id doi_id;
1350 const char *p_name;
1351
1352 doi_p = (const struct ipsecdoi_id *)ext;
1353 ND_TCHECK(*doi_p);
1354 UNALIGNED_MEMCPY(&doi_id, ext, sizeof(doi_id));
1355 ND_PRINT((ndo," idtype=%s", STR_OR_ID(doi_id.type, ipsecidtypestr)));
1356 /* A protocol ID of 0 DOES NOT mean IPPROTO_IP! */
1357 if (!ndo->ndo_nflag && doi_id.proto_id && (p_name = netdb_protoname(doi_id.proto_id)) != NULL)
1358 ND_PRINT((ndo," protoid=%s", p_name));
1359 else
1360 ND_PRINT((ndo," protoid=%u", doi_id.proto_id));
1361 ND_PRINT((ndo," port=%d", ntohs(doi_id.port)));
1362 if (!len)
1363 break;
1364 if (data == NULL)
1365 goto trunc;
1366 ND_TCHECK2(*data, len);
1367 switch (doi_id.type) {
1368 case IPSECDOI_ID_IPV4_ADDR:
1369 if (len < 4)
1370 ND_PRINT((ndo," len=%d [bad: < 4]", len));
1371 else
1372 ND_PRINT((ndo," len=%d %s", len, ipaddr_string(ndo, data)));
1373 len = 0;
1374 break;
1375 case IPSECDOI_ID_FQDN:
1376 case IPSECDOI_ID_USER_FQDN:
1377 {
1378 int i;
1379 ND_PRINT((ndo," len=%d ", len));
1380 for (i = 0; i < len; i++)
1381 safeputchar(ndo, data[i]);
1382 len = 0;
1383 break;
1384 }
1385 case IPSECDOI_ID_IPV4_ADDR_SUBNET:
1386 {
1387 const u_char *mask;
1388 if (len < 8)
1389 ND_PRINT((ndo," len=%d [bad: < 8]", len));
1390 else {
1391 mask = data + sizeof(struct in_addr);
1392 ND_PRINT((ndo," len=%d %s/%u.%u.%u.%u", len,
1393 ipaddr_string(ndo, data),
1394 mask[0], mask[1], mask[2], mask[3]));
1395 }
1396 len = 0;
1397 break;
1398 }
1399 case IPSECDOI_ID_IPV6_ADDR:
1400 if (len < 16)
1401 ND_PRINT((ndo," len=%d [bad: < 16]", len));
1402 else
1403 ND_PRINT((ndo," len=%d %s", len, ip6addr_string(ndo, data)));
1404 len = 0;
1405 break;
1406 case IPSECDOI_ID_IPV6_ADDR_SUBNET:
1407 {
1408 const u_char *mask;
1409 if (len < 20)
1410 ND_PRINT((ndo," len=%d [bad: < 20]", len));
1411 else {
1412 mask = (const u_char *)(data + sizeof(struct in6_addr));
1413 /*XXX*/
1414 ND_PRINT((ndo," len=%d %s/0x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x", len,
1415 ip6addr_string(ndo, data),
1416 mask[0], mask[1], mask[2], mask[3],
1417 mask[4], mask[5], mask[6], mask[7],
1418 mask[8], mask[9], mask[10], mask[11],
1419 mask[12], mask[13], mask[14], mask[15]));
1420 }
1421 len = 0;
1422 break;
1423 }
1424 case IPSECDOI_ID_IPV4_ADDR_RANGE:
1425 if (len < 8)
1426 ND_PRINT((ndo," len=%d [bad: < 8]", len));
1427 else {
1428 ND_PRINT((ndo," len=%d %s-%s", len,
1429 ipaddr_string(ndo, data),
1430 ipaddr_string(ndo, data + sizeof(struct in_addr))));
1431 }
1432 len = 0;
1433 break;
1434 case IPSECDOI_ID_IPV6_ADDR_RANGE:
1435 if (len < 32)
1436 ND_PRINT((ndo," len=%d [bad: < 32]", len));
1437 else {
1438 ND_PRINT((ndo," len=%d %s-%s", len,
1439 ip6addr_string(ndo, data),
1440 ip6addr_string(ndo, data + sizeof(struct in6_addr))));
1441 }
1442 len = 0;
1443 break;
1444 case IPSECDOI_ID_DER_ASN1_DN:
1445 case IPSECDOI_ID_DER_ASN1_GN:
1446 case IPSECDOI_ID_KEY_ID:
1447 break;
1448 }
1449 break;
1450 }
1451 }
1452 if (data && len) {
1453 ND_PRINT((ndo," len=%d", len));
1454 if (2 < ndo->ndo_vflag) {
1455 ND_PRINT((ndo," "));
1456 if (!rawprint(ndo, (const uint8_t *)data, len))
1457 goto trunc;
1458 }
1459 }
1460 return (const u_char *)ext + item_len;
1461 trunc:
1462 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_ID)));
1463 return NULL;
1464 }
1465
1466 static const u_char *
1467 ikev1_cert_print(netdissect_options *ndo, u_char tpay _U_,
1468 const struct isakmp_gen *ext, u_int item_len,
1469 const u_char *ep _U_, uint32_t phase _U_,
1470 uint32_t doi0 _U_,
1471 uint32_t proto0 _U_, int depth _U_)
1472 {
1473 const struct ikev1_pl_cert *p;
1474 struct ikev1_pl_cert cert;
1475 static const char *certstr[] = {
1476 "none", "pkcs7", "pgp", "dns",
1477 "x509sign", "x509ke", "kerberos", "crl",
1478 "arl", "spki", "x509attr",
1479 };
1480
1481 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_CERT)));
1482
1483 p = (const struct ikev1_pl_cert *)ext;
1484 ND_TCHECK(*p);
1485 UNALIGNED_MEMCPY(&cert, ext, sizeof(cert));
1486 ND_PRINT((ndo," len=%d", item_len - 4));
1487 ND_PRINT((ndo," type=%s", STR_OR_ID((cert.encode), certstr)));
1488 if (2 < ndo->ndo_vflag && 4 < item_len) {
1489 ND_PRINT((ndo," "));
1490 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1491 goto trunc;
1492 }
1493 return (const u_char *)ext + item_len;
1494 trunc:
1495 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_CERT)));
1496 return NULL;
1497 }
1498
1499 static const u_char *
1500 ikev1_cr_print(netdissect_options *ndo, u_char tpay _U_,
1501 const struct isakmp_gen *ext, u_int item_len,
1502 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi0 _U_,
1503 uint32_t proto0 _U_, int depth _U_)
1504 {
1505 const struct ikev1_pl_cert *p;
1506 struct ikev1_pl_cert cert;
1507 static const char *certstr[] = {
1508 "none", "pkcs7", "pgp", "dns",
1509 "x509sign", "x509ke", "kerberos", "crl",
1510 "arl", "spki", "x509attr",
1511 };
1512
1513 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_CR)));
1514
1515 p = (const struct ikev1_pl_cert *)ext;
1516 ND_TCHECK(*p);
1517 UNALIGNED_MEMCPY(&cert, ext, sizeof(cert));
1518 ND_PRINT((ndo," len=%d", item_len - 4));
1519 ND_PRINT((ndo," type=%s", STR_OR_ID((cert.encode), certstr)));
1520 if (2 < ndo->ndo_vflag && 4 < item_len) {
1521 ND_PRINT((ndo," "));
1522 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1523 goto trunc;
1524 }
1525 return (const u_char *)ext + item_len;
1526 trunc:
1527 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_CR)));
1528 return NULL;
1529 }
1530
1531 static const u_char *
1532 ikev1_hash_print(netdissect_options *ndo, u_char tpay _U_,
1533 const struct isakmp_gen *ext, u_int item_len _U_,
1534 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_,
1535 uint32_t proto _U_, int depth _U_)
1536 {
1537 struct isakmp_gen e;
1538
1539 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_HASH)));
1540
1541 ND_TCHECK(*ext);
1542 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1543 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
1544 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1545 ND_PRINT((ndo," "));
1546 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
1547 goto trunc;
1548 }
1549 return (const u_char *)ext + ntohs(e.len);
1550 trunc:
1551 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_HASH)));
1552 return NULL;
1553 }
1554
1555 static const u_char *
1556 ikev1_sig_print(netdissect_options *ndo, u_char tpay _U_,
1557 const struct isakmp_gen *ext, u_int item_len _U_,
1558 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_,
1559 uint32_t proto _U_, int depth _U_)
1560 {
1561 struct isakmp_gen e;
1562
1563 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_SIG)));
1564
1565 ND_TCHECK(*ext);
1566 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1567 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
1568 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1569 ND_PRINT((ndo," "));
1570 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
1571 goto trunc;
1572 }
1573 return (const u_char *)ext + ntohs(e.len);
1574 trunc:
1575 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_SIG)));
1576 return NULL;
1577 }
1578
1579 static const u_char *
1580 ikev1_nonce_print(netdissect_options *ndo, u_char tpay _U_,
1581 const struct isakmp_gen *ext,
1582 u_int item_len _U_,
1583 const u_char *ep,
1584 uint32_t phase _U_, uint32_t doi _U_,
1585 uint32_t proto _U_, int depth _U_)
1586 {
1587 struct isakmp_gen e;
1588
1589 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_NONCE)));
1590
1591 ND_TCHECK(*ext);
1592 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1593 /*
1594 * Our caller has ensured that the length is >= 4.
1595 */
1596 ND_PRINT((ndo," n len=%u", ntohs(e.len) - 4));
1597 if (ntohs(e.len) > 4) {
1598 if (ndo->ndo_vflag > 2) {
1599 ND_PRINT((ndo, " "));
1600 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
1601 goto trunc;
1602 } else if (ndo->ndo_vflag > 1) {
1603 ND_PRINT((ndo, " "));
1604 if (!ike_show_somedata(ndo, (const u_char *)(ext + 1), ep))
1605 goto trunc;
1606 }
1607 }
1608 return (const u_char *)ext + ntohs(e.len);
1609 trunc:
1610 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_NONCE)));
1611 return NULL;
1612 }
1613
1614 static const u_char *
1615 ikev1_n_print(netdissect_options *ndo, u_char tpay _U_,
1616 const struct isakmp_gen *ext, u_int item_len,
1617 const u_char *ep, uint32_t phase _U_, uint32_t doi0 _U_,
1618 uint32_t proto0 _U_, int depth _U_)
1619 {
1620 const struct ikev1_pl_n *p;
1621 struct ikev1_pl_n n;
1622 const u_char *cp;
1623 const u_char *ep2;
1624 uint32_t doi;
1625 uint32_t proto;
1626 static const char *notify_error_str[] = {
1627 NULL, "INVALID-PAYLOAD-TYPE",
1628 "DOI-NOT-SUPPORTED", "SITUATION-NOT-SUPPORTED",
1629 "INVALID-COOKIE", "INVALID-MAJOR-VERSION",
1630 "INVALID-MINOR-VERSION", "INVALID-EXCHANGE-TYPE",
1631 "INVALID-FLAGS", "INVALID-MESSAGE-ID",
1632 "INVALID-PROTOCOL-ID", "INVALID-SPI",
1633 "INVALID-TRANSFORM-ID", "ATTRIBUTES-NOT-SUPPORTED",
1634 "NO-PROPOSAL-CHOSEN", "BAD-PROPOSAL-SYNTAX",
1635 "PAYLOAD-MALFORMED", "INVALID-KEY-INFORMATION",
1636 "INVALID-ID-INFORMATION", "INVALID-CERT-ENCODING",
1637 "INVALID-CERTIFICATE", "CERT-TYPE-UNSUPPORTED",
1638 "INVALID-CERT-AUTHORITY", "INVALID-HASH-INFORMATION",
1639 "AUTHENTICATION-FAILED", "INVALID-SIGNATURE",
1640 "ADDRESS-NOTIFICATION", "NOTIFY-SA-LIFETIME",
1641 "CERTIFICATE-UNAVAILABLE", "UNSUPPORTED-EXCHANGE-TYPE",
1642 "UNEQUAL-PAYLOAD-LENGTHS",
1643 };
1644 static const char *ipsec_notify_error_str[] = {
1645 "RESERVED",
1646 };
1647 static const char *notify_status_str[] = {
1648 "CONNECTED",
1649 };
1650 static const char *ipsec_notify_status_str[] = {
1651 "RESPONDER-LIFETIME", "REPLAY-STATUS",
1652 "INITIAL-CONTACT",
1653 };
1654 /* NOTE: these macro must be called with x in proper range */
1655
1656 /* 0 - 8191 */
1657 #define NOTIFY_ERROR_STR(x) \
1658 STR_OR_ID((x), notify_error_str)
1659
1660 /* 8192 - 16383 */
1661 #define IPSEC_NOTIFY_ERROR_STR(x) \
1662 STR_OR_ID((u_int)((x) - 8192), ipsec_notify_error_str)
1663
1664 /* 16384 - 24575 */
1665 #define NOTIFY_STATUS_STR(x) \
1666 STR_OR_ID((u_int)((x) - 16384), notify_status_str)
1667
1668 /* 24576 - 32767 */
1669 #define IPSEC_NOTIFY_STATUS_STR(x) \
1670 STR_OR_ID((u_int)((x) - 24576), ipsec_notify_status_str)
1671
1672 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_N)));
1673
1674 p = (const struct ikev1_pl_n *)ext;
1675 ND_TCHECK(*p);
1676 UNALIGNED_MEMCPY(&n, ext, sizeof(n));
1677 doi = ntohl(n.doi);
1678 proto = n.prot_id;
1679 if (doi != 1) {
1680 ND_PRINT((ndo," doi=%d", doi));
1681 ND_PRINT((ndo," proto=%d", proto));
1682 if (ntohs(n.type) < 8192)
1683 ND_PRINT((ndo," type=%s", NOTIFY_ERROR_STR(ntohs(n.type))));
1684 else if (ntohs(n.type) < 16384)
1685 ND_PRINT((ndo," type=%s", numstr(ntohs(n.type))));
1686 else if (ntohs(n.type) < 24576)
1687 ND_PRINT((ndo," type=%s", NOTIFY_STATUS_STR(ntohs(n.type))));
1688 else
1689 ND_PRINT((ndo," type=%s", numstr(ntohs(n.type))));
1690 if (n.spi_size) {
1691 ND_PRINT((ndo," spi="));
1692 if (!rawprint(ndo, (const uint8_t *)(p + 1), n.spi_size))
1693 goto trunc;
1694 }
1695 return (const u_char *)(p + 1) + n.spi_size;
1696 }
1697
1698 ND_PRINT((ndo," doi=ipsec"));
1699 ND_PRINT((ndo," proto=%s", PROTOIDSTR(proto)));
1700 if (ntohs(n.type) < 8192)
1701 ND_PRINT((ndo," type=%s", NOTIFY_ERROR_STR(ntohs(n.type))));
1702 else if (ntohs(n.type) < 16384)
1703 ND_PRINT((ndo," type=%s", IPSEC_NOTIFY_ERROR_STR(ntohs(n.type))));
1704 else if (ntohs(n.type) < 24576)
1705 ND_PRINT((ndo," type=%s", NOTIFY_STATUS_STR(ntohs(n.type))));
1706 else if (ntohs(n.type) < 32768)
1707 ND_PRINT((ndo," type=%s", IPSEC_NOTIFY_STATUS_STR(ntohs(n.type))));
1708 else
1709 ND_PRINT((ndo," type=%s", numstr(ntohs(n.type))));
1710 if (n.spi_size) {
1711 ND_PRINT((ndo," spi="));
1712 if (!rawprint(ndo, (const uint8_t *)(p + 1), n.spi_size))
1713 goto trunc;
1714 }
1715
1716 cp = (const u_char *)(p + 1) + n.spi_size;
1717 ep2 = (const u_char *)p + item_len;
1718
1719 if (cp < ep) {
1720 switch (ntohs(n.type)) {
1721 case IPSECDOI_NTYPE_RESPONDER_LIFETIME:
1722 {
1723 const struct attrmap *map = oakley_t_map;
1724 size_t nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]);
1725 ND_PRINT((ndo," attrs=("));
1726 while (cp < ep && cp < ep2) {
1727 cp = ikev1_attrmap_print(ndo, cp,
1728 (ep < ep2) ? ep : ep2, map, nmap);
1729 }
1730 ND_PRINT((ndo,")"));
1731 break;
1732 }
1733 case IPSECDOI_NTYPE_REPLAY_STATUS:
1734 ND_PRINT((ndo," status=("));
1735 ND_PRINT((ndo,"replay detection %sabled",
1736 EXTRACT_32BITS(cp) ? "en" : "dis"));
1737 ND_PRINT((ndo,")"));
1738 break;
1739 default:
1740 /*
1741 * XXX - fill in more types here; see, for example,
1742 * draft-ietf-ipsec-notifymsg-04.
1743 */
1744 if (ndo->ndo_vflag > 3) {
1745 ND_PRINT((ndo," data=("));
1746 if (!rawprint(ndo, (const uint8_t *)(cp), ep - cp))
1747 goto trunc;
1748 ND_PRINT((ndo,")"));
1749 } else {
1750 if (!ike_show_somedata(ndo, cp, ep))
1751 goto trunc;
1752 }
1753 break;
1754 }
1755 }
1756 return (const u_char *)ext + item_len;
1757 trunc:
1758 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_N)));
1759 return NULL;
1760 }
1761
1762 static const u_char *
1763 ikev1_d_print(netdissect_options *ndo, u_char tpay _U_,
1764 const struct isakmp_gen *ext, u_int item_len _U_,
1765 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi0 _U_,
1766 uint32_t proto0 _U_, int depth _U_)
1767 {
1768 const struct ikev1_pl_d *p;
1769 struct ikev1_pl_d d;
1770 const uint8_t *q;
1771 uint32_t doi;
1772 uint32_t proto;
1773 int i;
1774
1775 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_D)));
1776
1777 p = (const struct ikev1_pl_d *)ext;
1778 ND_TCHECK(*p);
1779 UNALIGNED_MEMCPY(&d, ext, sizeof(d));
1780 doi = ntohl(d.doi);
1781 proto = d.prot_id;
1782 if (doi != 1) {
1783 ND_PRINT((ndo," doi=%u", doi));
1784 ND_PRINT((ndo," proto=%u", proto));
1785 } else {
1786 ND_PRINT((ndo," doi=ipsec"));
1787 ND_PRINT((ndo," proto=%s", PROTOIDSTR(proto)));
1788 }
1789 ND_PRINT((ndo," spilen=%u", d.spi_size));
1790 ND_PRINT((ndo," nspi=%u", ntohs(d.num_spi)));
1791 ND_PRINT((ndo," spi="));
1792 q = (const uint8_t *)(p + 1);
1793 for (i = 0; i < ntohs(d.num_spi); i++) {
1794 if (i != 0)
1795 ND_PRINT((ndo,","));
1796 if (!rawprint(ndo, (const uint8_t *)q, d.spi_size))
1797 goto trunc;
1798 q += d.spi_size;
1799 }
1800 return q;
1801 trunc:
1802 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_D)));
1803 return NULL;
1804 }
1805
1806 static const u_char *
1807 ikev1_vid_print(netdissect_options *ndo, u_char tpay _U_,
1808 const struct isakmp_gen *ext,
1809 u_int item_len _U_, const u_char *ep _U_,
1810 uint32_t phase _U_, uint32_t doi _U_,
1811 uint32_t proto _U_, int depth _U_)
1812 {
1813 struct isakmp_gen e;
1814
1815 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_VID)));
1816
1817 ND_TCHECK(*ext);
1818 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1819 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
1820 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1821 ND_PRINT((ndo," "));
1822 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
1823 goto trunc;
1824 }
1825 return (const u_char *)ext + ntohs(e.len);
1826 trunc:
1827 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_VID)));
1828 return NULL;
1829 }
1830
1831 /************************************************************/
1832 /* */
1833 /* IKE v2 - rfc4306 - dissector */
1834 /* */
1835 /************************************************************/
1836
1837 static void
1838 ikev2_pay_print(netdissect_options *ndo, const char *payname, int critical)
1839 {
1840 ND_PRINT((ndo,"%s%s:", payname, critical&0x80 ? "[C]" : ""));
1841 }
1842
1843 static const u_char *
1844 ikev2_gen_print(netdissect_options *ndo, u_char tpay,
1845 const struct isakmp_gen *ext)
1846 {
1847 struct isakmp_gen e;
1848
1849 ND_TCHECK(*ext);
1850 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1851 ikev2_pay_print(ndo, NPSTR(tpay), e.critical);
1852
1853 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
1854 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1855 ND_PRINT((ndo," "));
1856 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
1857 goto trunc;
1858 }
1859 return (const u_char *)ext + ntohs(e.len);
1860 trunc:
1861 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
1862 return NULL;
1863 }
1864
1865 static const u_char *
1866 ikev2_t_print(netdissect_options *ndo, int tcount,
1867 const struct isakmp_gen *ext, u_int item_len,
1868 const u_char *ep)
1869 {
1870 const struct ikev2_t *p;
1871 struct ikev2_t t;
1872 uint16_t t_id;
1873 const u_char *cp;
1874 const char *idstr;
1875 const struct attrmap *map;
1876 size_t nmap;
1877 const u_char *ep2;
1878
1879 p = (const struct ikev2_t *)ext;
1880 ND_TCHECK(*p);
1881 UNALIGNED_MEMCPY(&t, ext, sizeof(t));
1882 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_T), t.h.critical);
1883
1884 t_id = ntohs(t.t_id);
1885
1886 map = NULL;
1887 nmap = 0;
1888
1889 switch (t.t_type) {
1890 case IV2_T_ENCR:
1891 idstr = STR_OR_ID(t_id, esp_p_map);
1892 map = encr_t_map;
1893 nmap = sizeof(encr_t_map)/sizeof(encr_t_map[0]);
1894 break;
1895
1896 case IV2_T_PRF:
1897 idstr = STR_OR_ID(t_id, prf_p_map);
1898 break;
1899
1900 case IV2_T_INTEG:
1901 idstr = STR_OR_ID(t_id, integ_p_map);
1902 break;
1903
1904 case IV2_T_DH:
1905 idstr = STR_OR_ID(t_id, dh_p_map);
1906 break;
1907
1908 case IV2_T_ESN:
1909 idstr = STR_OR_ID(t_id, esn_p_map);
1910 break;
1911
1912 default:
1913 idstr = NULL;
1914 break;
1915 }
1916
1917 if (idstr)
1918 ND_PRINT((ndo," #%u type=%s id=%s ", tcount,
1919 STR_OR_ID(t.t_type, ikev2_t_type_map),
1920 idstr));
1921 else
1922 ND_PRINT((ndo," #%u type=%s id=%u ", tcount,
1923 STR_OR_ID(t.t_type, ikev2_t_type_map),
1924 t.t_id));
1925 cp = (const u_char *)(p + 1);
1926 ep2 = (const u_char *)p + item_len;
1927 while (cp < ep && cp < ep2) {
1928 if (map && nmap) {
1929 cp = ikev1_attrmap_print(ndo, cp, (ep < ep2) ? ep : ep2,
1930 map, nmap);
1931 } else
1932 cp = ikev1_attr_print(ndo, cp, (ep < ep2) ? ep : ep2);
1933 }
1934 if (ep < ep2)
1935 ND_PRINT((ndo,"..."));
1936 return cp;
1937 trunc:
1938 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_T)));
1939 return NULL;
1940 }
1941
1942 static const u_char *
1943 ikev2_p_print(netdissect_options *ndo, u_char tpay _U_, int pcount _U_,
1944 const struct isakmp_gen *ext, u_int oprop_length,
1945 const u_char *ep, int depth)
1946 {
1947 const struct ikev2_p *p;
1948 struct ikev2_p prop;
1949 u_int prop_length;
1950 const u_char *cp;
1951 int i;
1952 int tcount;
1953 u_char np;
1954 struct isakmp_gen e;
1955 u_int item_len;
1956
1957 p = (const struct ikev2_p *)ext;
1958 ND_TCHECK(*p);
1959 UNALIGNED_MEMCPY(&prop, ext, sizeof(prop));
1960
1961 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_P), prop.h.critical);
1962
1963 /*
1964 * ikev2_sa_print() guarantees that this is >= 4.
1965 */
1966 prop_length = oprop_length - 4;
1967 ND_PRINT((ndo," #%u protoid=%s transform=%d len=%u",
1968 prop.p_no, PROTOIDSTR(prop.prot_id),
1969 prop.num_t, oprop_length));
1970 cp = (const u_char *)(p + 1);
1971
1972 if (prop.spi_size) {
1973 if (prop_length < prop.spi_size)
1974 goto toolong;
1975 ND_PRINT((ndo," spi="));
1976 if (!rawprint(ndo, (const uint8_t *)cp, prop.spi_size))
1977 goto trunc;
1978 cp += prop.spi_size;
1979 prop_length -= prop.spi_size;
1980 }
1981
1982 /*
1983 * Print the transforms.
1984 */
1985 tcount = 0;
1986 for (np = ISAKMP_NPTYPE_T; np != 0; np = e.np) {
1987 tcount++;
1988 ext = (const struct isakmp_gen *)cp;
1989 if (prop_length < sizeof(*ext))
1990 goto toolong;
1991 ND_TCHECK(*ext);
1992
1993 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1994
1995 /*
1996 * Since we can't have a payload length of less than 4 bytes,
1997 * we need to bail out here if the generic header is nonsensical
1998 * or truncated, otherwise we could loop forever processing
1999 * zero-length items or otherwise misdissect the packet.
2000 */
2001 item_len = ntohs(e.len);
2002 if (item_len <= 4)
2003 goto trunc;
2004
2005 if (prop_length < item_len)
2006 goto toolong;
2007 ND_TCHECK2(*cp, item_len);
2008
2009 depth++;
2010 ND_PRINT((ndo,"\n"));
2011 for (i = 0; i < depth; i++)
2012 ND_PRINT((ndo," "));
2013 ND_PRINT((ndo,"("));
2014 if (np == ISAKMP_NPTYPE_T) {
2015 cp = ikev2_t_print(ndo, tcount, ext, item_len, ep);
2016 if (cp == NULL) {
2017 /* error, already reported */
2018 return NULL;
2019 }
2020 } else {
2021 ND_PRINT((ndo, "%s", NPSTR(np)));
2022 cp += item_len;
2023 }
2024 ND_PRINT((ndo,")"));
2025 depth--;
2026 prop_length -= item_len;
2027 }
2028 return cp;
2029 toolong:
2030 /*
2031 * Skip the rest of the proposal.
2032 */
2033 cp += prop_length;
2034 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_P)));
2035 return cp;
2036 trunc:
2037 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_P)));
2038 return NULL;
2039 }
2040
2041 static const u_char *
2042 ikev2_sa_print(netdissect_options *ndo, u_char tpay,
2043 const struct isakmp_gen *ext1,
2044 u_int osa_length, const u_char *ep,
2045 uint32_t phase _U_, uint32_t doi _U_,
2046 uint32_t proto _U_, int depth)
2047 {
2048 const struct isakmp_gen *ext;
2049 struct isakmp_gen e;
2050 u_int sa_length;
2051 const u_char *cp;
2052 int i;
2053 int pcount;
2054 u_char np;
2055 u_int item_len;
2056
2057 ND_TCHECK(*ext1);
2058 UNALIGNED_MEMCPY(&e, ext1, sizeof(e));
2059 ikev2_pay_print(ndo, "sa", e.critical);
2060
2061 /*
2062 * ikev2_sub0_print() guarantees that this is >= 4.
2063 */
2064 osa_length= ntohs(e.len);
2065 sa_length = osa_length - 4;
2066 ND_PRINT((ndo," len=%d", sa_length));
2067
2068 /*
2069 * Print the payloads.
2070 */
2071 cp = (const u_char *)(ext1 + 1);
2072 pcount = 0;
2073 for (np = ISAKMP_NPTYPE_P; np != 0; np = e.np) {
2074 pcount++;
2075 ext = (const struct isakmp_gen *)cp;
2076 if (sa_length < sizeof(*ext))
2077 goto toolong;
2078 ND_TCHECK(*ext);
2079
2080 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2081
2082 /*
2083 * Since we can't have a payload length of less than 4 bytes,
2084 * we need to bail out here if the generic header is nonsensical
2085 * or truncated, otherwise we could loop forever processing
2086 * zero-length items or otherwise misdissect the packet.
2087 */
2088 item_len = ntohs(e.len);
2089 if (item_len <= 4)
2090 goto trunc;
2091
2092 if (sa_length < item_len)
2093 goto toolong;
2094 ND_TCHECK2(*cp, item_len);
2095
2096 depth++;
2097 ND_PRINT((ndo,"\n"));
2098 for (i = 0; i < depth; i++)
2099 ND_PRINT((ndo," "));
2100 ND_PRINT((ndo,"("));
2101 if (np == ISAKMP_NPTYPE_P) {
2102 cp = ikev2_p_print(ndo, np, pcount, ext, item_len,
2103 ep, depth);
2104 if (cp == NULL) {
2105 /* error, already reported */
2106 return NULL;
2107 }
2108 } else {
2109 ND_PRINT((ndo, "%s", NPSTR(np)));
2110 cp += item_len;
2111 }
2112 ND_PRINT((ndo,")"));
2113 depth--;
2114 sa_length -= item_len;
2115 }
2116 return cp;
2117 toolong:
2118 /*
2119 * Skip the rest of the SA.
2120 */
2121 cp += sa_length;
2122 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2123 return cp;
2124 trunc:
2125 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2126 return NULL;
2127 }
2128
2129 static const u_char *
2130 ikev2_ke_print(netdissect_options *ndo, u_char tpay,
2131 const struct isakmp_gen *ext,
2132 u_int item_len _U_, const u_char *ep _U_,
2133 uint32_t phase _U_, uint32_t doi _U_,
2134 uint32_t proto _U_, int depth _U_)
2135 {
2136 struct ikev2_ke ke;
2137 const struct ikev2_ke *k;
2138
2139 k = (const struct ikev2_ke *)ext;
2140 ND_TCHECK(*ext);
2141 UNALIGNED_MEMCPY(&ke, ext, sizeof(ke));
2142 ikev2_pay_print(ndo, NPSTR(tpay), ke.h.critical);
2143
2144 ND_PRINT((ndo," len=%u group=%s", ntohs(ke.h.len) - 8,
2145 STR_OR_ID(ntohs(ke.ke_group), dh_p_map)));
2146
2147 if (2 < ndo->ndo_vflag && 8 < ntohs(ke.h.len)) {
2148 ND_PRINT((ndo," "));
2149 if (!rawprint(ndo, (const uint8_t *)(k + 1), ntohs(ke.h.len) - 8))
2150 goto trunc;
2151 }
2152 return (const u_char *)ext + ntohs(ke.h.len);
2153 trunc:
2154 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2155 return NULL;
2156 }
2157
2158 static const u_char *
2159 ikev2_ID_print(netdissect_options *ndo, u_char tpay,
2160 const struct isakmp_gen *ext,
2161 u_int item_len _U_, const u_char *ep _U_,
2162 uint32_t phase _U_, uint32_t doi _U_,
2163 uint32_t proto _U_, int depth _U_)
2164 {
2165 struct ikev2_id id;
2166 int id_len, idtype_len, i;
2167 unsigned int dumpascii, dumphex;
2168 const unsigned char *typedata;
2169
2170 ND_TCHECK(*ext);
2171 UNALIGNED_MEMCPY(&id, ext, sizeof(id));
2172 ikev2_pay_print(ndo, NPSTR(tpay), id.h.critical);
2173
2174 id_len = ntohs(id.h.len);
2175
2176 ND_PRINT((ndo," len=%d", id_len - 4));
2177 if (2 < ndo->ndo_vflag && 4 < id_len) {
2178 ND_PRINT((ndo," "));
2179 if (!rawprint(ndo, (const uint8_t *)(ext + 1), id_len - 4))
2180 goto trunc;
2181 }
2182
2183 idtype_len =id_len - sizeof(struct ikev2_id);
2184 dumpascii = 0;
2185 dumphex = 0;
2186 typedata = (const unsigned char *)(ext)+sizeof(struct ikev2_id);
2187
2188 switch(id.type) {
2189 case ID_IPV4_ADDR:
2190 ND_PRINT((ndo, " ipv4:"));
2191 dumphex=1;
2192 break;
2193 case ID_FQDN:
2194 ND_PRINT((ndo, " fqdn:"));
2195 dumpascii=1;
2196 break;
2197 case ID_RFC822_ADDR:
2198 ND_PRINT((ndo, " rfc822:"));
2199 dumpascii=1;
2200 break;
2201 case ID_IPV6_ADDR:
2202 ND_PRINT((ndo, " ipv6:"));
2203 dumphex=1;
2204 break;
2205 case ID_DER_ASN1_DN:
2206 ND_PRINT((ndo, " dn:"));
2207 dumphex=1;
2208 break;
2209 case ID_DER_ASN1_GN:
2210 ND_PRINT((ndo, " gn:"));
2211 dumphex=1;
2212 break;
2213 case ID_KEY_ID:
2214 ND_PRINT((ndo, " keyid:"));
2215 dumphex=1;
2216 break;
2217 }
2218
2219 if(dumpascii) {
2220 ND_TCHECK2(*typedata, idtype_len);
2221 for(i=0; i<idtype_len; i++) {
2222 if(ND_ISPRINT(typedata[i])) {
2223 ND_PRINT((ndo, "%c", typedata[i]));
2224 } else {
2225 ND_PRINT((ndo, "."));
2226 }
2227 }
2228 }
2229 if(dumphex) {
2230 if (!rawprint(ndo, (const uint8_t *)typedata, idtype_len))
2231 goto trunc;
2232 }
2233
2234 return (const u_char *)ext + id_len;
2235 trunc:
2236 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2237 return NULL;
2238 }
2239
2240 static const u_char *
2241 ikev2_cert_print(netdissect_options *ndo, u_char tpay,
2242 const struct isakmp_gen *ext,
2243 u_int item_len _U_, const u_char *ep _U_,
2244 uint32_t phase _U_, uint32_t doi _U_,
2245 uint32_t proto _U_, int depth _U_)
2246 {
2247 return ikev2_gen_print(ndo, tpay, ext);
2248 }
2249
2250 static const u_char *
2251 ikev2_cr_print(netdissect_options *ndo, u_char tpay,
2252 const struct isakmp_gen *ext,
2253 u_int item_len _U_, const u_char *ep _U_,
2254 uint32_t phase _U_, uint32_t doi _U_,
2255 uint32_t proto _U_, int depth _U_)
2256 {
2257 return ikev2_gen_print(ndo, tpay, ext);
2258 }
2259
2260 static const u_char *
2261 ikev2_auth_print(netdissect_options *ndo, u_char tpay,
2262 const struct isakmp_gen *ext,
2263 u_int item_len _U_, const u_char *ep,
2264 uint32_t phase _U_, uint32_t doi _U_,
2265 uint32_t proto _U_, int depth _U_)
2266 {
2267 struct ikev2_auth a;
2268 const char *v2_auth[]={ "invalid", "rsasig",
2269 "shared-secret", "dsssig" };
2270 const u_char *authdata = (const u_char*)ext + sizeof(a);
2271 unsigned int len;
2272
2273 ND_TCHECK(*ext);
2274 UNALIGNED_MEMCPY(&a, ext, sizeof(a));
2275 ikev2_pay_print(ndo, NPSTR(tpay), a.h.critical);
2276 len = ntohs(a.h.len);
2277
2278 /*
2279 * Our caller has ensured that the length is >= 4.
2280 */
2281 ND_PRINT((ndo," len=%u method=%s", len-4,
2282 STR_OR_ID(a.auth_method, v2_auth)));
2283 if (len > 4) {
2284 if (ndo->ndo_vflag > 1) {
2285 ND_PRINT((ndo, " authdata=("));
2286 if (!rawprint(ndo, (const uint8_t *)authdata, len - sizeof(a)))
2287 goto trunc;
2288 ND_PRINT((ndo, ") "));
2289 } else if (ndo->ndo_vflag) {
2290 if (!ike_show_somedata(ndo, authdata, ep))
2291 goto trunc;
2292 }
2293 }
2294
2295 return (const u_char *)ext + len;
2296 trunc:
2297 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2298 return NULL;
2299 }
2300
2301 static const u_char *
2302 ikev2_nonce_print(netdissect_options *ndo, u_char tpay,
2303 const struct isakmp_gen *ext,
2304 u_int item_len _U_, const u_char *ep,
2305 uint32_t phase _U_, uint32_t doi _U_,
2306 uint32_t proto _U_, int depth _U_)
2307 {
2308 struct isakmp_gen e;
2309
2310 ND_TCHECK(*ext);
2311 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2312 ikev2_pay_print(ndo, "nonce", e.critical);
2313
2314 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
2315 if (1 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
2316 ND_PRINT((ndo," nonce=("));
2317 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
2318 goto trunc;
2319 ND_PRINT((ndo,") "));
2320 } else if(ndo->ndo_vflag && 4 < ntohs(e.len)) {
2321 if(!ike_show_somedata(ndo, (const u_char *)(ext+1), ep)) goto trunc;
2322 }
2323
2324 return (const u_char *)ext + ntohs(e.len);
2325 trunc:
2326 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2327 return NULL;
2328 }
2329
2330 /* notify payloads */
2331 static const u_char *
2332 ikev2_n_print(netdissect_options *ndo, u_char tpay _U_,
2333 const struct isakmp_gen *ext,
2334 u_int item_len, const u_char *ep,
2335 uint32_t phase _U_, uint32_t doi _U_,
2336 uint32_t proto _U_, int depth _U_)
2337 {
2338 const struct ikev2_n *p;
2339 struct ikev2_n n;
2340 const u_char *cp;
2341 u_char showspi, showsomedata;
2342 const char *notify_name;
2343 uint32_t type;
2344
2345 p = (const struct ikev2_n *)ext;
2346 ND_TCHECK(*p);
2347 UNALIGNED_MEMCPY(&n, ext, sizeof(n));
2348 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_N), n.h.critical);
2349
2350 showspi = 1;
2351 showsomedata=0;
2352 notify_name=NULL;
2353
2354 ND_PRINT((ndo," prot_id=%s", PROTOIDSTR(n.prot_id)));
2355
2356 type = ntohs(n.type);
2357
2358 /* notify space is annoying sparse */
2359 switch(type) {
2360 case IV2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD:
2361 notify_name = "unsupported_critical_payload";
2362 showspi = 0;
2363 break;
2364
2365 case IV2_NOTIFY_INVALID_IKE_SPI:
2366 notify_name = "invalid_ike_spi";
2367 showspi = 1;
2368 break;
2369
2370 case IV2_NOTIFY_INVALID_MAJOR_VERSION:
2371 notify_name = "invalid_major_version";
2372 showspi = 0;
2373 break;
2374
2375 case IV2_NOTIFY_INVALID_SYNTAX:
2376 notify_name = "invalid_syntax";
2377 showspi = 1;
2378 break;
2379
2380 case IV2_NOTIFY_INVALID_MESSAGE_ID:
2381 notify_name = "invalid_message_id";
2382 showspi = 1;
2383 break;
2384
2385 case IV2_NOTIFY_INVALID_SPI:
2386 notify_name = "invalid_spi";
2387 showspi = 1;
2388 break;
2389
2390 case IV2_NOTIFY_NO_PROPOSAL_CHOSEN:
2391 notify_name = "no_protocol_chosen";
2392 showspi = 1;
2393 break;
2394
2395 case IV2_NOTIFY_INVALID_KE_PAYLOAD:
2396 notify_name = "invalid_ke_payload";
2397 showspi = 1;
2398 break;
2399
2400 case IV2_NOTIFY_AUTHENTICATION_FAILED:
2401 notify_name = "authentication_failed";
2402 showspi = 1;
2403 break;
2404
2405 case IV2_NOTIFY_SINGLE_PAIR_REQUIRED:
2406 notify_name = "single_pair_required";
2407 showspi = 1;
2408 break;
2409
2410 case IV2_NOTIFY_NO_ADDITIONAL_SAS:
2411 notify_name = "no_additional_sas";
2412 showspi = 0;
2413 break;
2414
2415 case IV2_NOTIFY_INTERNAL_ADDRESS_FAILURE:
2416 notify_name = "internal_address_failure";
2417 showspi = 0;
2418 break;
2419
2420 case IV2_NOTIFY_FAILED_CP_REQUIRED:
2421 notify_name = "failed:cp_required";
2422 showspi = 0;
2423 break;
2424
2425 case IV2_NOTIFY_INVALID_SELECTORS:
2426 notify_name = "invalid_selectors";
2427 showspi = 0;
2428 break;
2429
2430 case IV2_NOTIFY_INITIAL_CONTACT:
2431 notify_name = "initial_contact";
2432 showspi = 0;
2433 break;
2434
2435 case IV2_NOTIFY_SET_WINDOW_SIZE:
2436 notify_name = "set_window_size";
2437 showspi = 0;
2438 break;
2439
2440 case IV2_NOTIFY_ADDITIONAL_TS_POSSIBLE:
2441 notify_name = "additional_ts_possible";
2442 showspi = 0;
2443 break;
2444
2445 case IV2_NOTIFY_IPCOMP_SUPPORTED:
2446 notify_name = "ipcomp_supported";
2447 showspi = 0;
2448 break;
2449
2450 case IV2_NOTIFY_NAT_DETECTION_SOURCE_IP:
2451 notify_name = "nat_detection_source_ip";
2452 showspi = 1;
2453 break;
2454
2455 case IV2_NOTIFY_NAT_DETECTION_DESTINATION_IP:
2456 notify_name = "nat_detection_destination_ip";
2457 showspi = 1;
2458 break;
2459
2460 case IV2_NOTIFY_COOKIE:
2461 notify_name = "cookie";
2462 showspi = 1;
2463 showsomedata= 1;
2464 break;
2465
2466 case IV2_NOTIFY_USE_TRANSPORT_MODE:
2467 notify_name = "use_transport_mode";
2468 showspi = 0;
2469 break;
2470
2471 case IV2_NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED:
2472 notify_name = "http_cert_lookup_supported";
2473 showspi = 0;
2474 break;
2475
2476 case IV2_NOTIFY_REKEY_SA:
2477 notify_name = "rekey_sa";
2478 showspi = 1;
2479 break;
2480
2481 case IV2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED:
2482 notify_name = "tfc_padding_not_supported";
2483 showspi = 0;
2484 break;
2485
2486 case IV2_NOTIFY_NON_FIRST_FRAGMENTS_ALSO:
2487 notify_name = "non_first_fragment_also";
2488 showspi = 0;
2489 break;
2490
2491 default:
2492 if (type < 8192) {
2493 notify_name="error";
2494 } else if(type < 16384) {
2495 notify_name="private-error";
2496 } else if(type < 40960) {
2497 notify_name="status";
2498 } else {
2499 notify_name="private-status";
2500 }
2501 }
2502
2503 if(notify_name) {
2504 ND_PRINT((ndo," type=%u(%s)", type, notify_name));
2505 }
2506
2507
2508 if (showspi && n.spi_size) {
2509 ND_PRINT((ndo," spi="));
2510 if (!rawprint(ndo, (const uint8_t *)(p + 1), n.spi_size))
2511 goto trunc;
2512 }
2513
2514 cp = (const u_char *)(p + 1) + n.spi_size;
2515
2516 if (cp < ep) {
2517 if (ndo->ndo_vflag > 3 || (showsomedata && ep-cp < 30)) {
2518 ND_PRINT((ndo," data=("));
2519 if (!rawprint(ndo, (const uint8_t *)(cp), ep - cp))
2520 goto trunc;
2521
2522 ND_PRINT((ndo,")"));
2523 } else if (showsomedata) {
2524 if (!ike_show_somedata(ndo, cp, ep))
2525 goto trunc;
2526 }
2527 }
2528
2529 return (const u_char *)ext + item_len;
2530 trunc:
2531 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_N)));
2532 return NULL;
2533 }
2534
2535 static const u_char *
2536 ikev2_d_print(netdissect_options *ndo, u_char tpay,
2537 const struct isakmp_gen *ext,
2538 u_int item_len _U_, const u_char *ep _U_,
2539 uint32_t phase _U_, uint32_t doi _U_,
2540 uint32_t proto _U_, int depth _U_)
2541 {
2542 return ikev2_gen_print(ndo, tpay, ext);
2543 }
2544
2545 static const u_char *
2546 ikev2_vid_print(netdissect_options *ndo, u_char tpay,
2547 const struct isakmp_gen *ext,
2548 u_int item_len _U_, const u_char *ep _U_,
2549 uint32_t phase _U_, uint32_t doi _U_,
2550 uint32_t proto _U_, int depth _U_)
2551 {
2552 struct isakmp_gen e;
2553 const u_char *vid;
2554 int i, len;
2555
2556 ND_TCHECK(*ext);
2557 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2558 ikev2_pay_print(ndo, NPSTR(tpay), e.critical);
2559 ND_PRINT((ndo," len=%d vid=", ntohs(e.len) - 4));
2560
2561 vid = (const u_char *)(ext+1);
2562 len = ntohs(e.len) - 4;
2563 ND_TCHECK2(*vid, len);
2564 for(i=0; i<len; i++) {
2565 if(ND_ISPRINT(vid[i])) ND_PRINT((ndo, "%c", vid[i]));
2566 else ND_PRINT((ndo, "."));
2567 }
2568 if (2 < ndo->ndo_vflag && 4 < len) {
2569 ND_PRINT((ndo," "));
2570 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
2571 goto trunc;
2572 }
2573 return (const u_char *)ext + ntohs(e.len);
2574 trunc:
2575 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2576 return NULL;
2577 }
2578
2579 static const u_char *
2580 ikev2_TS_print(netdissect_options *ndo, u_char tpay,
2581 const struct isakmp_gen *ext,
2582 u_int item_len _U_, const u_char *ep _U_,
2583 uint32_t phase _U_, uint32_t doi _U_,
2584 uint32_t proto _U_, int depth _U_)
2585 {
2586 return ikev2_gen_print(ndo, tpay, ext);
2587 }
2588
2589 static const u_char *
2590 ikev2_e_print(netdissect_options *ndo,
2591 #ifndef HAVE_LIBCRYPTO
2592 _U_
2593 #endif
2594 struct isakmp *base,
2595 u_char tpay,
2596 const struct isakmp_gen *ext,
2597 u_int item_len _U_, const u_char *ep _U_,
2598 #ifndef HAVE_LIBCRYPTO
2599 _U_
2600 #endif
2601 uint32_t phase,
2602 #ifndef HAVE_LIBCRYPTO
2603 _U_
2604 #endif
2605 uint32_t doi,
2606 #ifndef HAVE_LIBCRYPTO
2607 _U_
2608 #endif
2609 uint32_t proto,
2610 #ifndef HAVE_LIBCRYPTO
2611 _U_
2612 #endif
2613 int depth)
2614 {
2615 struct isakmp_gen e;
2616 const u_char *dat;
2617 volatile int dlen;
2618
2619 ND_TCHECK(*ext);
2620 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2621 ikev2_pay_print(ndo, NPSTR(tpay), e.critical);
2622
2623 dlen = ntohs(e.len)-4;
2624
2625 ND_PRINT((ndo," len=%d", dlen));
2626 if (2 < ndo->ndo_vflag && 4 < dlen) {
2627 ND_PRINT((ndo," "));
2628 if (!rawprint(ndo, (const uint8_t *)(ext + 1), dlen))
2629 goto trunc;
2630 }
2631
2632 dat = (const u_char *)(ext+1);
2633 ND_TCHECK2(*dat, dlen);
2634
2635 #ifdef HAVE_LIBCRYPTO
2636 /* try to decypt it! */
2637 if(esp_print_decrypt_buffer_by_ikev2(ndo,
2638 base->flags & ISAKMP_FLAG_I,
2639 base->i_ck, base->r_ck,
2640 dat, dat+dlen)) {
2641
2642 ext = (const struct isakmp_gen *)ndo->ndo_packetp;
2643
2644 /* got it decrypted, print stuff inside. */
2645 ikev2_sub_print(ndo, base, e.np, ext, ndo->ndo_snapend,
2646 phase, doi, proto, depth+1);
2647 }
2648 #endif
2649
2650
2651 /* always return NULL, because E must be at end, and NP refers
2652 * to what was inside.
2653 */
2654 return NULL;
2655 trunc:
2656 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2657 return NULL;
2658 }
2659
2660 static const u_char *
2661 ikev2_cp_print(netdissect_options *ndo, u_char tpay,
2662 const struct isakmp_gen *ext,
2663 u_int item_len _U_, const u_char *ep _U_,
2664 uint32_t phase _U_, uint32_t doi _U_,
2665 uint32_t proto _U_, int depth _U_)
2666 {
2667 return ikev2_gen_print(ndo, tpay, ext);
2668 }
2669
2670 static const u_char *
2671 ikev2_eap_print(netdissect_options *ndo, u_char tpay,
2672 const struct isakmp_gen *ext,
2673 u_int item_len _U_, const u_char *ep _U_,
2674 uint32_t phase _U_, uint32_t doi _U_,
2675 uint32_t proto _U_, int depth _U_)
2676 {
2677 return ikev2_gen_print(ndo, tpay, ext);
2678 }
2679
2680 static const u_char *
2681 ike_sub0_print(netdissect_options *ndo,
2682 u_char np, const struct isakmp_gen *ext, const u_char *ep,
2683
2684 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
2685 {
2686 const u_char *cp;
2687 struct isakmp_gen e;
2688 u_int item_len;
2689
2690 cp = (const u_char *)ext;
2691 ND_TCHECK(*ext);
2692 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2693
2694 /*
2695 * Since we can't have a payload length of less than 4 bytes,
2696 * we need to bail out here if the generic header is nonsensical
2697 * or truncated, otherwise we could loop forever processing
2698 * zero-length items or otherwise misdissect the packet.
2699 */
2700 item_len = ntohs(e.len);
2701 if (item_len <= 4)
2702 return NULL;
2703
2704 if (NPFUNC(np)) {
2705 /*
2706 * XXX - what if item_len is too short, or too long,
2707 * for this payload type?
2708 */
2709 cp = (*npfunc[np])(ndo, np, ext, item_len, ep, phase, doi, proto, depth);
2710 } else {
2711 ND_PRINT((ndo,"%s", NPSTR(np)));
2712 cp += item_len;
2713 }
2714
2715 return cp;
2716 trunc:
2717 ND_PRINT((ndo," [|isakmp]"));
2718 return NULL;
2719 }
2720
2721 static const u_char *
2722 ikev1_sub_print(netdissect_options *ndo,
2723 u_char np, const struct isakmp_gen *ext, const u_char *ep,
2724 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
2725 {
2726 const u_char *cp;
2727 int i;
2728 struct isakmp_gen e;
2729
2730 cp = (const u_char *)ext;
2731
2732 while (np) {
2733 ND_TCHECK(*ext);
2734
2735 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2736
2737 ND_TCHECK2(*ext, ntohs(e.len));
2738
2739 depth++;
2740 ND_PRINT((ndo,"\n"));
2741 for (i = 0; i < depth; i++)
2742 ND_PRINT((ndo," "));
2743 ND_PRINT((ndo,"("));
2744 cp = ike_sub0_print(ndo, np, ext, ep, phase, doi, proto, depth);
2745 ND_PRINT((ndo,")"));
2746 depth--;
2747
2748 if (cp == NULL) {
2749 /* Zero-length subitem */
2750 return NULL;
2751 }
2752
2753 np = e.np;
2754 ext = (const struct isakmp_gen *)cp;
2755 }
2756 return cp;
2757 trunc:
2758 ND_PRINT((ndo," [|%s]", NPSTR(np)));
2759 return NULL;
2760 }
2761
2762 static char *
2763 numstr(int x)
2764 {
2765 static char buf[20];
2766 snprintf(buf, sizeof(buf), "#%d", x);
2767 return buf;
2768 }
2769
2770 static void
2771 ikev1_print(netdissect_options *ndo,
2772 const u_char *bp, u_int length,
2773 const u_char *bp2, struct isakmp *base)
2774 {
2775 const struct isakmp *p;
2776 const u_char *ep;
2777 u_char np;
2778 int i;
2779 int phase;
2780
2781 p = (const struct isakmp *)bp;
2782 ep = ndo->ndo_snapend;
2783
2784 phase = (EXTRACT_32BITS(base->msgid) == 0) ? 1 : 2;
2785 if (phase == 1)
2786 ND_PRINT((ndo," phase %d", phase));
2787 else
2788 ND_PRINT((ndo," phase %d/others", phase));
2789
2790 i = cookie_find(&base->i_ck);
2791 if (i < 0) {
2792 if (iszero((const u_char *)&base->r_ck, sizeof(base->r_ck))) {
2793 /* the first packet */
2794 ND_PRINT((ndo," I"));
2795 if (bp2)
2796 cookie_record(&base->i_ck, bp2);
2797 } else
2798 ND_PRINT((ndo," ?"));
2799 } else {
2800 if (bp2 && cookie_isinitiator(i, bp2))
2801 ND_PRINT((ndo," I"));
2802 else if (bp2 && cookie_isresponder(i, bp2))
2803 ND_PRINT((ndo," R"));
2804 else
2805 ND_PRINT((ndo," ?"));
2806 }
2807
2808 ND_PRINT((ndo," %s", ETYPESTR(base->etype)));
2809 if (base->flags) {
2810 ND_PRINT((ndo,"[%s%s]", base->flags & ISAKMP_FLAG_E ? "E" : "",
2811 base->flags & ISAKMP_FLAG_C ? "C" : ""));
2812 }
2813
2814 if (ndo->ndo_vflag) {
2815 const struct isakmp_gen *ext;
2816
2817 ND_PRINT((ndo,":"));
2818
2819 /* regardless of phase... */
2820 if (base->flags & ISAKMP_FLAG_E) {
2821 /*
2822 * encrypted, nothing we can do right now.
2823 * we hope to decrypt the packet in the future...
2824 */
2825 ND_PRINT((ndo," [encrypted %s]", NPSTR(base->np)));
2826 goto done;
2827 }
2828
2829 CHECKLEN(p + 1, base->np);
2830 np = base->np;
2831 ext = (const struct isakmp_gen *)(p + 1);
2832 ikev1_sub_print(ndo, np, ext, ep, phase, 0, 0, 0);
2833 }
2834
2835 done:
2836 if (ndo->ndo_vflag) {
2837 if (ntohl(base->len) != length) {
2838 ND_PRINT((ndo," (len mismatch: isakmp %u/ip %u)",
2839 (uint32_t)ntohl(base->len), length));
2840 }
2841 }
2842 }
2843
2844 static const u_char *
2845 ikev2_sub0_print(netdissect_options *ndo, struct isakmp *base,
2846 u_char np,
2847 const struct isakmp_gen *ext, const u_char *ep,
2848 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
2849 {
2850 const u_char *cp;
2851 struct isakmp_gen e;
2852 u_int item_len;
2853
2854 cp = (const u_char *)ext;
2855 ND_TCHECK(*ext);
2856 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2857
2858 /*
2859 * Since we can't have a payload length of less than 4 bytes,
2860 * we need to bail out here if the generic header is nonsensical
2861 * or truncated, otherwise we could loop forever processing
2862 * zero-length items or otherwise misdissect the packet.
2863 */
2864 item_len = ntohs(e.len);
2865 if (item_len <= 4)
2866 return NULL;
2867
2868 if (np == ISAKMP_NPTYPE_v2E) {
2869 cp = ikev2_e_print(ndo, base, np, ext, item_len,
2870 ep, phase, doi, proto, depth);
2871 } else if (NPFUNC(np)) {
2872 /*
2873 * XXX - what if item_len is too short, or too long,
2874 * for this payload type?
2875 */
2876 cp = (*npfunc[np])(ndo, np, ext, item_len,
2877 ep, phase, doi, proto, depth);
2878 } else {
2879 ND_PRINT((ndo,"%s", NPSTR(np)));
2880 cp += item_len;
2881 }
2882
2883 return cp;
2884 trunc:
2885 ND_PRINT((ndo," [|isakmp]"));
2886 return NULL;
2887 }
2888
2889 static const u_char *
2890 ikev2_sub_print(netdissect_options *ndo,
2891 struct isakmp *base,
2892 u_char np, const struct isakmp_gen *ext, const u_char *ep,
2893 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
2894 {
2895 const u_char *cp;
2896 int i;
2897 struct isakmp_gen e;
2898
2899 cp = (const u_char *)ext;
2900 while (np) {
2901 ND_TCHECK(*ext);
2902
2903 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2904
2905 ND_TCHECK2(*ext, ntohs(e.len));
2906
2907 depth++;
2908 ND_PRINT((ndo,"\n"));
2909 for (i = 0; i < depth; i++)
2910 ND_PRINT((ndo," "));
2911 ND_PRINT((ndo,"("));
2912 cp = ikev2_sub0_print(ndo, base, np,
2913 ext, ep, phase, doi, proto, depth);
2914 ND_PRINT((ndo,")"));
2915 depth--;
2916
2917 if (cp == NULL) {
2918 /* Zero-length subitem */
2919 return NULL;
2920 }
2921
2922 np = e.np;
2923 ext = (const struct isakmp_gen *)cp;
2924 }
2925 return cp;
2926 trunc:
2927 ND_PRINT((ndo," [|%s]", NPSTR(np)));
2928 return NULL;
2929 }
2930
2931 static void
2932 ikev2_print(netdissect_options *ndo,
2933 const u_char *bp, u_int length,
2934 const u_char *bp2 _U_, struct isakmp *base)
2935 {
2936 const struct isakmp *p;
2937 const u_char *ep;
2938 u_char np;
2939 int phase;
2940
2941 p = (const struct isakmp *)bp;
2942 ep = ndo->ndo_snapend;
2943
2944 phase = (EXTRACT_32BITS(base->msgid) == 0) ? 1 : 2;
2945 if (phase == 1)
2946 ND_PRINT((ndo, " parent_sa"));
2947 else
2948 ND_PRINT((ndo, " child_sa "));
2949
2950 ND_PRINT((ndo, " %s", ETYPESTR(base->etype)));
2951 if (base->flags) {
2952 ND_PRINT((ndo, "[%s%s%s]",
2953 base->flags & ISAKMP_FLAG_I ? "I" : "",
2954 base->flags & ISAKMP_FLAG_V ? "V" : "",
2955 base->flags & ISAKMP_FLAG_R ? "R" : ""));
2956 }
2957
2958 if (ndo->ndo_vflag) {
2959 const struct isakmp_gen *ext;
2960
2961 ND_PRINT((ndo, ":"));
2962
2963 /* regardless of phase... */
2964 if (base->flags & ISAKMP_FLAG_E) {
2965 /*
2966 * encrypted, nothing we can do right now.
2967 * we hope to decrypt the packet in the future...
2968 */
2969 ND_PRINT((ndo, " [encrypted %s]", NPSTR(base->np)));
2970 goto done;
2971 }
2972
2973 CHECKLEN(p + 1, base->np)
2974
2975 np = base->np;
2976 ext = (const struct isakmp_gen *)(p + 1);
2977 ikev2_sub_print(ndo, base, np, ext, ep, phase, 0, 0, 0);
2978 }
2979
2980 done:
2981 if (ndo->ndo_vflag) {
2982 if (ntohl(base->len) != length) {
2983 ND_PRINT((ndo, " (len mismatch: isakmp %u/ip %u)",
2984 (uint32_t)ntohl(base->len), length));
2985 }
2986 }
2987 }
2988
2989 void
2990 isakmp_print(netdissect_options *ndo,
2991 const u_char *bp, u_int length,
2992 const u_char *bp2)
2993 {
2994 const struct isakmp *p;
2995 struct isakmp base;
2996 const u_char *ep;
2997 int major, minor;
2998
2999 #ifdef HAVE_LIBCRYPTO
3000 /* initialize SAs */
3001 if (ndo->ndo_sa_list_head == NULL) {
3002 if (ndo->ndo_espsecret)
3003 esp_print_decodesecret(ndo);
3004 }
3005 #endif
3006
3007 p = (const struct isakmp *)bp;
3008 ep = ndo->ndo_snapend;
3009
3010 if ((const struct isakmp *)ep < p + 1) {
3011 ND_PRINT((ndo,"[|isakmp]"));
3012 return;
3013 }
3014
3015 UNALIGNED_MEMCPY(&base, p, sizeof(base));
3016
3017 ND_PRINT((ndo,"isakmp"));
3018 major = (base.vers & ISAKMP_VERS_MAJOR)
3019 >> ISAKMP_VERS_MAJOR_SHIFT;
3020 minor = (base.vers & ISAKMP_VERS_MINOR)
3021 >> ISAKMP_VERS_MINOR_SHIFT;
3022
3023 if (ndo->ndo_vflag) {
3024 ND_PRINT((ndo," %d.%d", major, minor));
3025 }
3026
3027 if (ndo->ndo_vflag) {
3028 ND_PRINT((ndo," msgid "));
3029 hexprint(ndo, (const uint8_t *)&base.msgid, sizeof(base.msgid));
3030 }
3031
3032 if (1 < ndo->ndo_vflag) {
3033 ND_PRINT((ndo," cookie "));
3034 hexprint(ndo, (const uint8_t *)&base.i_ck, sizeof(base.i_ck));
3035 ND_PRINT((ndo,"->"));
3036 hexprint(ndo, (const uint8_t *)&base.r_ck, sizeof(base.r_ck));
3037 }
3038 ND_PRINT((ndo,":"));
3039
3040 switch(major) {
3041 case IKEv1_MAJOR_VERSION:
3042 ikev1_print(ndo, bp, length, bp2, &base);
3043 break;
3044
3045 case IKEv2_MAJOR_VERSION:
3046 ikev2_print(ndo, bp, length, bp2, &base);
3047 break;
3048 }
3049 }
3050
3051 void
3052 isakmp_rfc3948_print(netdissect_options *ndo,
3053 const u_char *bp, u_int length,
3054 const u_char *bp2)
3055 {
3056 ND_TCHECK(bp[0]);
3057 if(length == 1 && bp[0]==0xff) {
3058 ND_PRINT((ndo, "isakmp-nat-keep-alive"));
3059 return;
3060 }
3061
3062 if(length < 4) {
3063 goto trunc;
3064 }
3065 ND_TCHECK(bp[3]);
3066
3067 /*
3068 * see if this is an IKE packet
3069 */
3070 if(bp[0]==0 && bp[1]==0 && bp[2]==0 && bp[3]==0) {
3071 ND_PRINT((ndo, "NONESP-encap: "));
3072 isakmp_print(ndo, bp+4, length-4, bp2);
3073 return;
3074 }
3075
3076 /* must be an ESP packet */
3077 {
3078 int nh, enh, padlen;
3079 int advance;
3080
3081 ND_PRINT((ndo, "UDP-encap: "));
3082
3083 advance = esp_print(ndo, bp, length, bp2, &enh, &padlen);
3084 if(advance <= 0)
3085 return;
3086
3087 bp += advance;
3088 length -= advance + padlen;
3089 nh = enh & 0xff;
3090
3091 ip_print_inner(ndo, bp, length, nh, bp2);
3092 return;
3093 }
3094
3095 trunc:
3096 ND_PRINT((ndo,"[|isakmp]"));
3097 return;
3098 }
3099
3100 /*
3101 * Local Variables:
3102 * c-style: whitesmith
3103 * c-basic-offset: 8
3104 * End:
3105 */
[mirror] the TCPdump network dissector