]> The Tcpdump Group git mirrors - tcpdump/blob - print-isakmp.c
projects / tcpdump / blob
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
ISAKMP: Avoid reinventing nd_printjn()
[tcpdump] / print-isakmp.c
1 /*
2 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. Neither the name of the project nor the names of its contributors
14 * may be used to endorse or promote products derived from this software
15 * without specific prior written permission.
16 *
17 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27 * SUCH DAMAGE.
28 *
29 */
30
31 /* \summary: Internet Security Association and Key Management Protocol (ISAKMP) printer */
32
33 /* specification: RFC 2407, RFC 2408, RFC 5996 */
34
35 #include <config.h>
36
37 #include "netdissect-stdinc.h"
38
39 #include <string.h>
40
41 #include "netdissect-ctype.h"
42
43 #include "netdissect.h"
44 #include "addrtoname.h"
45 #include "extract.h"
46
47 #include "ip.h"
48 #include "ip6.h"
49 #include "ipproto.h" /* for netdb_protoname() */
50
51 typedef nd_byte cookie_t[8];
52 typedef nd_byte msgid_t[4];
53
54 #define PORT_ISAKMP 500
55
56 /* 3.1 ISAKMP Header Format (IKEv1 and IKEv2)
57 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
58 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
59 ! Initiator !
60 ! Cookie !
61 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
62 ! Responder !
63 ! Cookie !
64 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
65 ! Next Payload ! MjVer ! MnVer ! Exchange Type ! Flags !
66 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
67 ! Message ID !
68 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
69 ! Length !
70 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
71 */
72 struct isakmp {
73 cookie_t i_ck; /* Initiator Cookie */
74 cookie_t r_ck; /* Responder Cookie */
75 nd_uint8_t np; /* Next Payload Type */
76 nd_uint8_t vers;
77 #define ISAKMP_VERS_MAJOR 0xf0
78 #define ISAKMP_VERS_MAJOR_SHIFT 4
79 #define ISAKMP_VERS_MINOR 0x0f
80 #define ISAKMP_VERS_MINOR_SHIFT 0
81 nd_uint8_t etype; /* Exchange Type */
82 nd_uint8_t flags; /* Flags */
83 msgid_t msgid;
84 nd_uint32_t len; /* Length */
85 };
86
87 /* Next Payload Type */
88 #define ISAKMP_NPTYPE_NONE 0 /* NONE*/
89 #define ISAKMP_NPTYPE_SA 1 /* Security Association */
90 #define ISAKMP_NPTYPE_P 2 /* Proposal */
91 #define ISAKMP_NPTYPE_T 3 /* Transform */
92 #define ISAKMP_NPTYPE_KE 4 /* Key Exchange */
93 #define ISAKMP_NPTYPE_ID 5 /* Identification */
94 #define ISAKMP_NPTYPE_CERT 6 /* Certificate */
95 #define ISAKMP_NPTYPE_CR 7 /* Certificate Request */
96 #define ISAKMP_NPTYPE_HASH 8 /* Hash */
97 #define ISAKMP_NPTYPE_SIG 9 /* Signature */
98 #define ISAKMP_NPTYPE_NONCE 10 /* Nonce */
99 #define ISAKMP_NPTYPE_N 11 /* Notification */
100 #define ISAKMP_NPTYPE_D 12 /* Delete */
101 #define ISAKMP_NPTYPE_VID 13 /* Vendor ID */
102 #define ISAKMP_NPTYPE_v2E 46 /* v2 Encrypted payload */
103
104 #define IKEv1_MAJOR_VERSION 1
105 #define IKEv1_MINOR_VERSION 0
106
107 #define IKEv2_MAJOR_VERSION 2
108 #define IKEv2_MINOR_VERSION 0
109
110 /* Flags */
111 #define ISAKMP_FLAG_E 0x01 /* Encryption Bit */
112 #define ISAKMP_FLAG_C 0x02 /* Commit Bit */
113 #define ISAKMP_FLAG_extra 0x04
114
115 /* IKEv2 */
116 #define ISAKMP_FLAG_I (1 << 3) /* Initiator */
117 #define ISAKMP_FLAG_V (1 << 4) /* Version */
118 #define ISAKMP_FLAG_R (1 << 5) /* Response */
119
120
121 /* 3.2 Payload Generic Header
122 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
123 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
124 ! Next Payload ! RESERVED ! Payload Length !
125 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
126 */
127 struct isakmp_gen {
128 nd_uint8_t np; /* Next Payload */
129 nd_uint8_t critical; /* bit 7 - critical, rest is RESERVED */
130 nd_uint16_t len; /* Payload Length */
131 };
132
133 /* 3.3 Data Attributes
134 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
135 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
136 !A! Attribute Type ! AF=0 Attribute Length !
137 !F! ! AF=1 Attribute Value !
138 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
139 . AF=0 Attribute Value .
140 . AF=1 Not Transmitted .
141 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
142 */
143 struct isakmp_data {
144 nd_uint16_t type; /* defined by DOI-spec, and Attribute Format */
145 nd_uint16_t lorv; /* if f equal 1, Attribute Length */
146 /* if f equal 0, Attribute Value */
147 /* if f equal 1, Attribute Value */
148 };
149
150 /* 3.4 Security Association Payload */
151 /* MAY NOT be used, because of being defined in ipsec-doi. */
152 /*
153 If the current payload is the last in the message,
154 then the value of the next payload field will be 0.
155 This field MUST NOT contain the
156 values for the Proposal or Transform payloads as they are considered
157 part of the security association negotiation. For example, this
158 field would contain the value "10" (Nonce payload) in the first
159 message of a Base Exchange (see Section 4.4) and the value "0" in the
160 first message of an Identity Protect Exchange (see Section 4.5).
161 */
162 struct ikev1_pl_sa {
163 struct isakmp_gen h;
164 nd_uint32_t doi; /* Domain of Interpretation */
165 nd_uint32_t sit; /* Situation */
166 };
167
168 /* 3.5 Proposal Payload */
169 /*
170 The value of the next payload field MUST only contain the value "2"
171 or "0". If there are additional Proposal payloads in the message,
172 then this field will be 2. If the current Proposal payload is the
173 last within the security association proposal, then this field will
174 be 0.
175 */
176 struct ikev1_pl_p {
177 struct isakmp_gen h;
178 nd_uint8_t p_no; /* Proposal # */
179 nd_uint8_t prot_id; /* Protocol */
180 nd_uint8_t spi_size; /* SPI Size */
181 nd_uint8_t num_t; /* Number of Transforms */
182 /* SPI */
183 };
184
185 /* 3.6 Transform Payload */
186 /*
187 The value of the next payload field MUST only contain the value "3"
188 or "0". If there are additional Transform payloads in the proposal,
189 then this field will be 3. If the current Transform payload is the
190 last within the proposal, then this field will be 0.
191 */
192 struct ikev1_pl_t {
193 struct isakmp_gen h;
194 nd_uint8_t t_no; /* Transform # */
195 nd_uint8_t t_id; /* Transform-Id */
196 nd_byte reserved[2]; /* RESERVED2 */
197 /* SA Attributes */
198 };
199
200 /* 3.7 Key Exchange Payload */
201 struct ikev1_pl_ke {
202 struct isakmp_gen h;
203 /* Key Exchange Data */
204 };
205
206 /* 3.8 Identification Payload */
207 /* MUST NOT to be used, because of being defined in ipsec-doi. */
208 struct ikev1_pl_id {
209 struct isakmp_gen h;
210 union {
211 nd_uint8_t id_type; /* ID Type */
212 nd_uint32_t doi_data; /* DOI Specific ID Data */
213 } d;
214 /* Identification Data */
215 };
216
217 /* 3.9 Certificate Payload */
218 struct ikev1_pl_cert {
219 struct isakmp_gen h;
220 nd_uint8_t encode; /* Cert Encoding */
221 nd_uint8_t cert; /* Certificate Data */
222 /*
223 This field indicates the type of
224 certificate or certificate-related information contained in the
225 Certificate Data field.
226 */
227 };
228
229 /* 3.10 Certificate Request Payload */
230 struct ikev1_pl_cr {
231 struct isakmp_gen h;
232 nd_uint8_t num_cert; /* # Cert. Types */
233 /*
234 Certificate Types (variable length)
235 -- Contains a list of the types of certificates requested,
236 sorted in order of preference. Each individual certificate
237 type is 1 octet. This field is NOT required.
238 */
239 /* # Certificate Authorities (1 octet) */
240 /* Certificate Authorities (variable length) */
241 };
242
243 /* 3.11 Hash Payload */
244 /* may not be used, because of having only data. */
245 struct ikev1_pl_hash {
246 struct isakmp_gen h;
247 /* Hash Data */
248 };
249
250 /* 3.12 Signature Payload */
251 /* may not be used, because of having only data. */
252 struct ikev1_pl_sig {
253 struct isakmp_gen h;
254 /* Signature Data */
255 };
256
257 /* 3.13 Nonce Payload */
258 /* may not be used, because of having only data. */
259 struct ikev1_pl_nonce {
260 struct isakmp_gen h;
261 /* Nonce Data */
262 };
263
264 /* 3.14 Notification Payload */
265 struct ikev1_pl_n {
266 struct isakmp_gen h;
267 nd_uint32_t doi; /* Domain of Interpretation */
268 nd_uint8_t prot_id; /* Protocol-ID */
269 nd_uint8_t spi_size; /* SPI Size */
270 nd_uint16_t type; /* Notify Message Type */
271 /* SPI */
272 /* Notification Data */
273 };
274
275 /* 3.14.1 Notify Message Types */
276 /* NOTIFY MESSAGES - ERROR TYPES */
277 #define ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE 1
278 #define ISAKMP_NTYPE_DOI_NOT_SUPPORTED 2
279 #define ISAKMP_NTYPE_SITUATION_NOT_SUPPORTED 3
280 #define ISAKMP_NTYPE_INVALID_COOKIE 4
281 #define ISAKMP_NTYPE_INVALID_MAJOR_VERSION 5
282 #define ISAKMP_NTYPE_INVALID_MINOR_VERSION 6
283 #define ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE 7
284 #define ISAKMP_NTYPE_INVALID_FLAGS 8
285 #define ISAKMP_NTYPE_INVALID_MESSAGE_ID 9
286 #define ISAKMP_NTYPE_INVALID_PROTOCOL_ID 10
287 #define ISAKMP_NTYPE_INVALID_SPI 11
288 #define ISAKMP_NTYPE_INVALID_TRANSFORM_ID 12
289 #define ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED 13
290 #define ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN 14
291 #define ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX 15
292 #define ISAKMP_NTYPE_PAYLOAD_MALFORMED 16
293 #define ISAKMP_NTYPE_INVALID_KEY_INFORMATION 17
294 #define ISAKMP_NTYPE_INVALID_ID_INFORMATION 18
295 #define ISAKMP_NTYPE_INVALID_CERT_ENCODING 19
296 #define ISAKMP_NTYPE_INVALID_CERTIFICATE 20
297 #define ISAKMP_NTYPE_BAD_CERT_REQUEST_SYNTAX 21
298 #define ISAKMP_NTYPE_INVALID_CERT_AUTHORITY 22
299 #define ISAKMP_NTYPE_INVALID_HASH_INFORMATION 23
300 #define ISAKMP_NTYPE_AUTHENTICATION_FAILED 24
301 #define ISAKMP_NTYPE_INVALID_SIGNATURE 25
302 #define ISAKMP_NTYPE_ADDRESS_NOTIFICATION 26
303
304 /* 3.15 Delete Payload */
305 struct ikev1_pl_d {
306 struct isakmp_gen h;
307 nd_uint32_t doi; /* Domain of Interpretation */
308 nd_uint8_t prot_id; /* Protocol-Id */
309 nd_uint8_t spi_size; /* SPI Size */
310 nd_uint16_t num_spi; /* # of SPIs */
311 /* SPI(es) */
312 };
313
314 /* IKEv2 (RFC4306) */
315
316 /* 3.3 Security Association Payload -- generic header */
317 /* 3.3.1. Proposal Substructure */
318 struct ikev2_p {
319 struct isakmp_gen h;
320 nd_uint8_t p_no; /* Proposal # */
321 nd_uint8_t prot_id; /* Protocol */
322 nd_uint8_t spi_size; /* SPI Size */
323 nd_uint8_t num_t; /* Number of Transforms */
324 };
325
326 /* 3.3.2. Transform Substructure */
327 struct ikev2_t {
328 struct isakmp_gen h;
329 nd_uint8_t t_type; /* Transform Type (ENCR,PRF,INTEG,etc.*/
330 nd_byte res2; /* reserved byte */
331 nd_uint16_t t_id; /* Transform ID */
332 };
333
334 enum ikev2_t_type {
335 IV2_T_ENCR = 1,
336 IV2_T_PRF = 2,
337 IV2_T_INTEG= 3,
338 IV2_T_DH = 4,
339 IV2_T_ESN = 5
340 };
341
342 /* 3.4. Key Exchange Payload */
343 struct ikev2_ke {
344 struct isakmp_gen h;
345 nd_uint16_t ke_group;
346 nd_uint16_t ke_res1;
347 /* KE data */
348 };
349
350
351 /* 3.5. Identification Payloads */
352 enum ikev2_id_type {
353 ID_IPV4_ADDR=1,
354 ID_FQDN=2,
355 ID_RFC822_ADDR=3,
356 ID_IPV6_ADDR=5,
357 ID_DER_ASN1_DN=9,
358 ID_DER_ASN1_GN=10,
359 ID_KEY_ID=11
360 };
361 struct ikev2_id {
362 struct isakmp_gen h;
363 nd_uint8_t type; /* ID type */
364 nd_byte res1;
365 nd_byte res2[2];
366 /* SPI */
367 /* Notification Data */
368 };
369
370 /* 3.10 Notification Payload */
371 struct ikev2_n {
372 struct isakmp_gen h;
373 nd_uint8_t prot_id; /* Protocol-ID */
374 nd_uint8_t spi_size; /* SPI Size */
375 nd_uint16_t type; /* Notify Message Type */
376 };
377
378 enum ikev2_n_type {
379 IV2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD = 1, /* [RFC7296] */
380 IV2_NOTIFY_INVALID_IKE_SPI = 4, /* [RFC7296] */
381 IV2_NOTIFY_INVALID_MAJOR_VERSION = 5, /* [RFC7296] */
382 IV2_NOTIFY_INVALID_SYNTAX = 7, /* [RFC7296] */
383 IV2_NOTIFY_INVALID_MESSAGE_ID = 9, /* [RFC7296] */
384 IV2_NOTIFY_INVALID_SPI =11, /* [RFC7296] */
385 IV2_NOTIFY_NO_PROPOSAL_CHOSEN =14, /* [RFC7296] */
386 IV2_NOTIFY_INVALID_KE_PAYLOAD =17, /* [RFC7296] */
387 IV2_NOTIFY_AUTHENTICATION_FAILED =24, /* [RFC7296] */
388 IV2_NOTIFY_SINGLE_PAIR_REQUIRED =34, /* [RFC7296] */
389 IV2_NOTIFY_NO_ADDITIONAL_SAS =35, /* [RFC7296] */
390 IV2_NOTIFY_INTERNAL_ADDRESS_FAILURE =36, /* [RFC7296] */
391 IV2_NOTIFY_FAILED_CP_REQUIRED =37, /* [RFC7296] */
392 IV2_NOTIFY_TS_UNACCEPTABLE =38, /* [RFC7296] */
393 IV2_NOTIFY_INVALID_SELECTORS =39, /* [RFC7296] */
394 IV2_NOTIFY_UNACCEPTABLE_ADDRESSES =40, /* [RFC4555] */
395 IV2_NOTIFY_UNEXPECTED_NAT_DETECTED =41, /* [RFC4555] */
396 IV2_NOTIFY_USE_ASSIGNED_HOA =42, /* [RFC5026] */
397 IV2_NOTIFY_TEMPORARY_FAILURE =43, /* [RFC7296] */
398 IV2_NOTIFY_CHILD_SA_NOT_FOUND =44, /* [RFC7296] */
399 IV2_NOTIFY_INVALID_GROUP_ID =45, /* [draft-yeung-g-ikev2] */
400 IV2_NOTIFY_AUTHORIZATION_FAILED =46, /* [draft-yeung-g-ikev2] */
401 IV2_NOTIFY_STATE_NOT_FOUND =47, /* [RFC-ietf-ipsecme-ikev2-multiple-ke-12] */
402 IV2_NOTIFY_INITIAL_CONTACT =16384, /* [RFC7296] */
403 IV2_NOTIFY_SET_WINDOW_SIZE =16385, /* [RFC7296] */
404 IV2_NOTIFY_ADDITIONAL_TS_POSSIBLE =16386, /* [RFC7296] */
405 IV2_NOTIFY_IPCOMP_SUPPORTED =16387, /* [RFC7296] */
406 IV2_NOTIFY_NAT_DETECTION_SOURCE_IP =16388, /* [RFC7296] */
407 IV2_NOTIFY_NAT_DETECTION_DESTINATION_IP =16389, /* [RFC7296] */
408 IV2_NOTIFY_COOKIE =16390, /* [RFC7296] */
409 IV2_NOTIFY_USE_TRANSPORT_MODE =16391, /* [RFC7296] */
410 IV2_NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED =16392, /* [RFC7296] */
411 IV2_NOTIFY_REKEY_SA =16393, /* [RFC7296] */
412 IV2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED =16394, /* [RFC7296] */
413 IV2_NOTIFY_NON_FIRST_FRAGMENTS_ALSO =16395, /* [RFC7296] */
414 IV2_NOTIFY_MOBIKE_SUPPORTED =16396, /* [RFC4555] */
415 IV2_NOTIFY_ADDITIONAL_IP4_ADDRESS =16397, /* [RFC4555] */
416 IV2_NOTIFY_ADDITIONAL_IP6_ADDRESS =16398, /* [RFC4555] */
417 IV2_NOTIFY_NO_ADDITIONAL_ADDRESSES =16399, /* [RFC4555] */
418 IV2_NOTIFY_UPDATE_SA_ADDRESSES =16400, /* [RFC4555] */
419 IV2_NOTIFY_COOKIE2 =16401, /* [RFC4555] */
420 IV2_NOTIFY_NO_NATS_ALLOWED =16402, /* [RFC4555] */
421 IV2_NOTIFY_AUTH_LIFETIME =16403, /* [RFC4478] */
422 IV2_NOTIFY_MULTIPLE_AUTH_SUPPORTED =16404, /* [RFC4739] */
423 IV2_NOTIFY_ANOTHER_AUTH_FOLLOWS =16405, /* [RFC4739] */
424 IV2_NOTIFY_REDIRECT_SUPPORTED =16406, /* [RFC5685] */
425 IV2_NOTIFY_REDIRECT =16407, /* [RFC5685] */
426 IV2_NOTIFY_REDIRECTED_FROM =16408, /* [RFC5685] */
427 IV2_NOTIFY_TICKET_LT_OPAQUE =16409, /* [RFC5723] */
428 IV2_NOTIFY_TICKET_REQUEST =16410, /* [RFC5723] */
429 IV2_NOTIFY_TICKET_ACK =16411, /* [RFC5723] */
430 IV2_NOTIFY_TICKET_NACK =16412, /* [RFC5723] */
431 IV2_NOTIFY_TICKET_OPAQUE =16413, /* [RFC5723] */
432 IV2_NOTIFY_LINK_ID =16414, /* [RFC5739] */
433 IV2_NOTIFY_USE_WESP_MODE =16415, /* [RFC5840] */
434 IV2_NOTIFY_ROHC_SUPPORTED =16416, /* [RFC5857] */
435 IV2_NOTIFY_EAP_ONLY_AUTHENTICATION =16417, /* [RFC5998] */
436 IV2_NOTIFY_CHILDLESS_IKEV2_SUPPORTED =16418, /* [RFC6023] */
437 IV2_NOTIFY_QUICK_CRASH_DETECTION =16419, /* [RFC6290] */
438 IV2_NOTIFY_IKEV2_MESSAGE_ID_SYNC_SUPPORTED =16420, /* [RFC6311] */
439 IV2_NOTIFY_IPSEC_REPLAY_COUNTER_SYNC_SUPPORTED =16421, /* [RFC6311] */
440 IV2_NOTIFY_IKEV2_MESSAGE_ID_SYNC =16422, /* [RFC6311] */
441 IV2_NOTIFY_IPSEC_REPLAY_COUNTER_SYNC =16423, /* [RFC6311] */
442 IV2_NOTIFY_SECURE_PASSWORD_METHODS =16424, /* [RFC6467] */
443 IV2_NOTIFY_PSK_PERSIST =16425, /* [RFC6631] */
444 IV2_NOTIFY_PSK_CONFIRM =16426, /* [RFC6631] */
445 IV2_NOTIFY_ERX_SUPPORTED =16427, /* [RFC6867] */
446 IV2_NOTIFY_IFOM_CAPABILITY =16428, /* [Frederic_Firmin][3GPP TS 24.303 v10.6.0 annex B.2] */
447 IV2_NOTIFY_SENDER_REQUEST_ID =16429, /* [draft-yeung-g-ikev2] */
448 IV2_NOTIFY_IKEV2_FRAGMENTATION_SUPPORTED =16430, /* [RFC7383] */
449 IV2_NOTIFY_SIGNATURE_HASH_ALGORITHMS =16431, /* [RFC7427] */
450 IV2_NOTIFY_CLONE_IKE_SA_SUPPORTED =16432, /* [RFC7791] */
451 IV2_NOTIFY_CLONE_IKE_SA =16433, /* [RFC7791] */
452 IV2_NOTIFY_PUZZLE =16434, /* [RFC8019] */
453 IV2_NOTIFY_USE_PPK =16435, /* [RFC8784] */
454 IV2_NOTIFY_PPK_IDENTITY =16436, /* [RFC8784] */
455 IV2_NOTIFY_NO_PPK_AUTH =16437, /* [RFC8784] */
456 IV2_NOTIFY_INTERMEDIATE_EXCHANGE_SUPPORTED =16438, /* [RFC9242] */
457 IV2_NOTIFY_IP4_ALLOWED =16439, /* [RFC8983] */
458 IV2_NOTIFY_IP6_ALLOWED =16440, /* [RFC8983] */
459 IV2_NOTIFY_ADDITIONAL_KEY_EXCHANGE =16441, /* [RFC-ietf-ipsecme-ikev2-multiple-ke-12] */
460 IV2_NOTIFY_USE_AGGFRAG =16442 /* [RFC9347] */
461 };
462
463 struct notify_messages {
464 uint16_t type;
465 char *msg;
466 };
467
468 /* 3.8 Authentication Payload */
469 struct ikev2_auth {
470 struct isakmp_gen h;
471 nd_uint8_t auth_method; /* Protocol-ID */
472 nd_byte reserved[3];
473 /* authentication data */
474 };
475
476 enum ikev2_auth_type {
477 IV2_RSA_SIG = 1,
478 IV2_SHARED = 2,
479 IV2_DSS_SIG = 3
480 };
481
482 /* refer to RFC 2409 */
483
484 #if 0
485 /* isakmp sa structure */
486 struct oakley_sa {
487 uint8_t proto_id; /* OAKLEY */
488 vchar_t *spi; /* spi */
489 uint8_t dhgrp; /* DH; group */
490 uint8_t auth_t; /* method of authentication */
491 uint8_t prf_t; /* type of prf */
492 uint8_t hash_t; /* type of hash */
493 uint8_t enc_t; /* type of cipher */
494 uint8_t life_t; /* type of duration of lifetime */
495 uint32_t ldur; /* life duration */
496 };
497 #endif
498
499 /* refer to RFC 2407 */
500
501 #define IPSEC_DOI 1
502
503 /* 4.2 IPSEC Situation Definition */
504 #define IPSECDOI_SIT_IDENTITY_ONLY 0x00000001
505 #define IPSECDOI_SIT_SECRECY 0x00000002
506 #define IPSECDOI_SIT_INTEGRITY 0x00000004
507
508 /* 4.4.1 IPSEC Security Protocol Identifiers */
509 /* 4.4.2 IPSEC ISAKMP Transform Values */
510 #define IPSECDOI_PROTO_ISAKMP 1
511 #define IPSECDOI_KEY_IKE 1
512
513 /* 4.4.1 IPSEC Security Protocol Identifiers */
514 #define IPSECDOI_PROTO_IPSEC_AH 2
515 /* 4.4.3 IPSEC AH Transform Values */
516 #define IPSECDOI_AH_MD5 2
517 #define IPSECDOI_AH_SHA 3
518 #define IPSECDOI_AH_DES 4
519 #define IPSECDOI_AH_SHA2_256 5
520 #define IPSECDOI_AH_SHA2_384 6
521 #define IPSECDOI_AH_SHA2_512 7
522
523 /* 4.4.1 IPSEC Security Protocol Identifiers */
524 #define IPSECDOI_PROTO_IPSEC_ESP 3
525 /* 4.4.4 IPSEC ESP Transform Identifiers */
526 #define IPSECDOI_ESP_DES_IV64 1
527 #define IPSECDOI_ESP_DES 2
528 #define IPSECDOI_ESP_3DES 3
529 #define IPSECDOI_ESP_RC5 4
530 #define IPSECDOI_ESP_IDEA 5
531 #define IPSECDOI_ESP_CAST 6
532 #define IPSECDOI_ESP_BLOWFISH 7
533 #define IPSECDOI_ESP_3IDEA 8
534 #define IPSECDOI_ESP_DES_IV32 9
535 #define IPSECDOI_ESP_RC4 10
536 #define IPSECDOI_ESP_NULL 11
537 #define IPSECDOI_ESP_RIJNDAEL 12
538 #define IPSECDOI_ESP_AES 12
539
540 /* 4.4.1 IPSEC Security Protocol Identifiers */
541 #define IPSECDOI_PROTO_IPCOMP 4
542 /* 4.4.5 IPSEC IPCOMP Transform Identifiers */
543 #define IPSECDOI_IPCOMP_OUI 1
544 #define IPSECDOI_IPCOMP_DEFLATE 2
545 #define IPSECDOI_IPCOMP_LZS 3
546
547 /* 4.5 IPSEC Security Association Attributes */
548 #define IPSECDOI_ATTR_SA_LTYPE 1 /* B */
549 #define IPSECDOI_ATTR_SA_LTYPE_DEFAULT 1
550 #define IPSECDOI_ATTR_SA_LTYPE_SEC 1
551 #define IPSECDOI_ATTR_SA_LTYPE_KB 2
552 #define IPSECDOI_ATTR_SA_LDUR 2 /* V */
553 #define IPSECDOI_ATTR_SA_LDUR_DEFAULT 28800 /* 8 hours */
554 #define IPSECDOI_ATTR_GRP_DESC 3 /* B */
555 #define IPSECDOI_ATTR_ENC_MODE 4 /* B */
556 /* default value: host dependent */
557 #define IPSECDOI_ATTR_ENC_MODE_TUNNEL 1
558 #define IPSECDOI_ATTR_ENC_MODE_TRNS 2
559 #define IPSECDOI_ATTR_AUTH 5 /* B */
560 /* 0 means not to use authentication. */
561 #define IPSECDOI_ATTR_AUTH_HMAC_MD5 1
562 #define IPSECDOI_ATTR_AUTH_HMAC_SHA1 2
563 #define IPSECDOI_ATTR_AUTH_DES_MAC 3
564 #define IPSECDOI_ATTR_AUTH_KPDK 4 /*RFC-1826(Key/Pad/Data/Key)*/
565 /*
566 * When negotiating ESP without authentication, the Auth
567 * Algorithm attribute MUST NOT be included in the proposal.
568 * When negotiating ESP without confidentiality, the Auth
569 * Algorithm attribute MUST be included in the proposal and
570 * the ESP transform ID must be ESP_NULL.
571 */
572 #define IPSECDOI_ATTR_KEY_LENGTH 6 /* B */
573 #define IPSECDOI_ATTR_KEY_ROUNDS 7 /* B */
574 #define IPSECDOI_ATTR_COMP_DICT_SIZE 8 /* B */
575 #define IPSECDOI_ATTR_COMP_PRIVALG 9 /* V */
576
577 /* 4.6.1 Security Association Payload */
578 struct ipsecdoi_sa {
579 struct isakmp_gen h;
580 nd_uint32_t doi; /* Domain of Interpretation */
581 nd_uint32_t sit; /* Situation */
582 };
583
584 struct ipsecdoi_secrecy_h {
585 nd_uint16_t len;
586 nd_uint16_t reserved;
587 };
588
589 /* 4.6.2.1 Identification Type Values */
590 struct ipsecdoi_id {
591 struct isakmp_gen h;
592 nd_uint8_t type; /* ID Type */
593 nd_uint8_t proto_id; /* Protocol ID */
594 nd_uint16_t port; /* Port */
595 /* Identification Data */
596 };
597
598 #define IPSECDOI_ID_IPV4_ADDR 1
599 #define IPSECDOI_ID_FQDN 2
600 #define IPSECDOI_ID_USER_FQDN 3
601 #define IPSECDOI_ID_IPV4_ADDR_SUBNET 4
602 #define IPSECDOI_ID_IPV6_ADDR 5
603 #define IPSECDOI_ID_IPV6_ADDR_SUBNET 6
604 #define IPSECDOI_ID_IPV4_ADDR_RANGE 7
605 #define IPSECDOI_ID_IPV6_ADDR_RANGE 8
606 #define IPSECDOI_ID_DER_ASN1_DN 9
607 #define IPSECDOI_ID_DER_ASN1_GN 10
608 #define IPSECDOI_ID_KEY_ID 11
609
610 /* 4.6.3 IPSEC DOI Notify Message Types */
611 /* Notify Messages - Status Types */
612 #define IPSECDOI_NTYPE_RESPONDER_LIFETIME 24576
613 #define IPSECDOI_NTYPE_REPLAY_STATUS 24577
614 #define IPSECDOI_NTYPE_INITIAL_CONTACT 24578
615
616 #define DECLARE_PRINTER(func) static const u_char *ike##func##_print( \
617 netdissect_options *ndo, u_char tpay, \
618 const struct isakmp_gen *ext, \
619 u_int item_len, \
620 const u_char *end_pointer, \
621 uint32_t phase,\
622 uint32_t doi0, \
623 uint32_t proto0, int depth)
624
625 DECLARE_PRINTER(v1_sa);
626 DECLARE_PRINTER(v1_p);
627 DECLARE_PRINTER(v1_t);
628 DECLARE_PRINTER(v1_ke);
629 DECLARE_PRINTER(v1_id);
630 DECLARE_PRINTER(v1_cert);
631 DECLARE_PRINTER(v1_cr);
632 DECLARE_PRINTER(v1_sig);
633 DECLARE_PRINTER(v1_hash);
634 DECLARE_PRINTER(v1_nonce);
635 DECLARE_PRINTER(v1_n);
636 DECLARE_PRINTER(v1_d);
637 DECLARE_PRINTER(v1_vid);
638
639 DECLARE_PRINTER(v2_sa);
640 DECLARE_PRINTER(v2_ke);
641 DECLARE_PRINTER(v2_ID);
642 DECLARE_PRINTER(v2_cert);
643 DECLARE_PRINTER(v2_cr);
644 DECLARE_PRINTER(v2_auth);
645 DECLARE_PRINTER(v2_nonce);
646 DECLARE_PRINTER(v2_n);
647 DECLARE_PRINTER(v2_d);
648 DECLARE_PRINTER(v2_vid);
649 DECLARE_PRINTER(v2_TS);
650 DECLARE_PRINTER(v2_cp);
651 DECLARE_PRINTER(v2_eap);
652
653 static const u_char *ikev2_e_print(netdissect_options *ndo,
654 const struct isakmp *base,
655 u_char tpay,
656 const struct isakmp_gen *ext,
657 u_int item_len,
658 const u_char *end_pointer,
659 uint32_t phase,
660 uint32_t doi0,
661 uint32_t proto0, int depth);
662
663
664 static const u_char *ike_sub0_print(netdissect_options *ndo,u_char, const struct isakmp_gen *,
665 const u_char *, uint32_t, uint32_t, uint32_t, int);
666 static const u_char *ikev1_sub_print(netdissect_options *ndo,u_char, const struct isakmp_gen *,
667 const u_char *, uint32_t, uint32_t, uint32_t, int);
668
669 static const u_char *ikev2_sub_print(netdissect_options *ndo,
670 const struct isakmp *base,
671 u_char np, const struct isakmp_gen *ext,
672 const u_char *ep, uint32_t phase,
673 uint32_t doi, uint32_t proto,
674 int depth);
675
676
677 static char *numstr(u_int);
678
679 static void
680 ikev1_print(netdissect_options *ndo,
681 const u_char *bp, u_int length,
682 const u_char *bp2, const struct isakmp *base);
683
684 #define MAXINITIATORS 20
685 static int ninitiator = 0;
686 union inaddr_u {
687 nd_ipv4 in4;
688 nd_ipv6 in6;
689 };
690 static struct {
691 cookie_t initiator;
692 u_int version;
693 union inaddr_u iaddr;
694 union inaddr_u raddr;
695 } cookiecache[MAXINITIATORS];
696
697 /* protocol id */
698 static const char *protoidstr[] = {
699 NULL, "isakmp", "ipsec-ah", "ipsec-esp", "ipcomp",
700 };
701
702 /* isakmp->np */
703 static const char *npstr[] = {
704 "none", "sa", "p", "t", "ke", "id", "cert", "cr", "hash", /* 0 - 8 */
705 "sig", "nonce", "n", "d", "vid", /* 9 - 13 */
706 "pay14", "pay15", "pay16", "pay17", "pay18", /* 14- 18 */
707 "pay19", "pay20", "pay21", "pay22", "pay23", /* 19- 23 */
708 "pay24", "pay25", "pay26", "pay27", "pay28", /* 24- 28 */
709 "pay29", "pay30", "pay31", "pay32", /* 29- 32 */
710 "v2sa", "v2ke", "v2IDi", "v2IDr", "v2cert",/* 33- 37 */
711 "v2cr", "v2auth","v2nonce", "v2n", "v2d", /* 38- 42 */
712 "v2vid", "v2TSi", "v2TSr", "v2e", "v2cp", /* 43- 47 */
713 "v2eap", /* 48 */
714
715 };
716
717 /* isakmp->np */
718 static const u_char *(*npfunc[])(netdissect_options *ndo, u_char tpay,
719 const struct isakmp_gen *ext,
720 u_int item_len,
721 const u_char *end_pointer,
722 uint32_t phase,
723 uint32_t doi0,
724 uint32_t proto0, int depth) = {
725 NULL,
726 ikev1_sa_print,
727 ikev1_p_print,
728 ikev1_t_print,
729 ikev1_ke_print,
730 ikev1_id_print,
731 ikev1_cert_print,
732 ikev1_cr_print,
733 ikev1_hash_print,
734 ikev1_sig_print,
735 ikev1_nonce_print,
736 ikev1_n_print,
737 ikev1_d_print,
738 ikev1_vid_print, /* 13 */
739 NULL, NULL, NULL, NULL, NULL, /* 14- 18 */
740 NULL, NULL, NULL, NULL, NULL, /* 19- 23 */
741 NULL, NULL, NULL, NULL, NULL, /* 24- 28 */
742 NULL, NULL, NULL, NULL, /* 29- 32 */
743 ikev2_sa_print, /* 33 */
744 ikev2_ke_print, /* 34 */
745 ikev2_ID_print, /* 35 */
746 ikev2_ID_print, /* 36 */
747 ikev2_cert_print, /* 37 */
748 ikev2_cr_print, /* 38 */
749 ikev2_auth_print, /* 39 */
750 ikev2_nonce_print, /* 40 */
751 ikev2_n_print, /* 41 */
752 ikev2_d_print, /* 42 */
753 ikev2_vid_print, /* 43 */
754 ikev2_TS_print, /* 44 */
755 ikev2_TS_print, /* 45 */
756 NULL, /* ikev2_e_print,*/ /* 46 - special */
757 ikev2_cp_print, /* 47 */
758 ikev2_eap_print, /* 48 */
759 };
760
761 /* isakmp->etype */
762 static const char *etypestr[] = {
763 /* IKEv1 exchange types */
764 "none", "base", "ident", "auth", "agg", "inf", NULL, NULL, /* 0-7 */
765 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 8-15 */
766 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 16-23 */
767 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 24-31 */
768 "oakley-quick", "oakley-newgroup", /* 32-33 */
769 /* IKEv2 exchange types */
770 "ikev2_init", "ikev2_auth", "child_sa", "inf2" /* 34-37 */
771 };
772
773 #define STR_OR_ID(x, tab) \
774 (((x) < sizeof(tab)/sizeof(tab[0]) && tab[(x)]) ? tab[(x)] : numstr(x))
775 #define PROTOIDSTR(x) STR_OR_ID(x, protoidstr)
776 #define NPSTR(x) STR_OR_ID(x, npstr)
777 #define ETYPESTR(x) STR_OR_ID(x, etypestr)
778
779 #define CHECKLEN(p, np) \
780 if (ep < (const u_char *)(p)) { \
781 ND_PRINT(" [|%s]", NPSTR(np)); \
782 goto done; \
783 }
784
785
786 #define NPFUNC(x) \
787 (((x) < sizeof(npfunc)/sizeof(npfunc[0]) && npfunc[(x)]) \
788 ? npfunc[(x)] : NULL)
789
790 static int
791 iszero(netdissect_options *ndo, const u_char *p, size_t l)
792 {
793 while (l != 0) {
794 if (GET_U_1(p))
795 return 0;
796 p++;
797 l--;
798 }
799 return 1;
800 }
801
802 /* find cookie from initiator cache */
803 static int
804 cookie_find(const cookie_t *in)
805 {
806 int i;
807
808 for (i = 0; i < MAXINITIATORS; i++) {
809 if (memcmp(in, &cookiecache[i].initiator, sizeof(*in)) == 0)
810 return i;
811 }
812
813 return -1;
814 }
815
816 /* record initiator */
817 static void
818 cookie_record(netdissect_options *ndo, const cookie_t *in, const u_char *bp2)
819 {
820 int i;
821 const struct ip *ip;
822 const struct ip6_hdr *ip6;
823
824 i = cookie_find(in);
825 if (0 <= i) {
826 ninitiator = (i + 1) % MAXINITIATORS;
827 return;
828 }
829
830 ip = (const struct ip *)bp2;
831 switch (IP_V(ip)) {
832 case 4:
833 cookiecache[ninitiator].version = 4;
834 UNALIGNED_MEMCPY(&cookiecache[ninitiator].iaddr.in4,
835 ip->ip_src, sizeof(nd_ipv4));
836 UNALIGNED_MEMCPY(&cookiecache[ninitiator].raddr.in4,
837 ip->ip_dst, sizeof(nd_ipv4));
838 break;
839 case 6:
840 ip6 = (const struct ip6_hdr *)bp2;
841 cookiecache[ninitiator].version = 6;
842 UNALIGNED_MEMCPY(&cookiecache[ninitiator].iaddr.in6,
843 ip6->ip6_src, sizeof(nd_ipv6));
844 UNALIGNED_MEMCPY(&cookiecache[ninitiator].raddr.in6,
845 ip6->ip6_dst, sizeof(nd_ipv6));
846 break;
847 default:
848 return;
849 }
850 UNALIGNED_MEMCPY(&cookiecache[ninitiator].initiator, in, sizeof(*in));
851 ninitiator = (ninitiator + 1) % MAXINITIATORS;
852 }
853
854 #define cookie_isinitiator(ndo, x, y) cookie_sidecheck(ndo, (x), (y), 1)
855 #define cookie_isresponder(ndo, x, y) cookie_sidecheck(ndo, (x), (y), 0)
856 static int
857 cookie_sidecheck(netdissect_options *ndo, int i, const u_char *bp2, int initiator)
858 {
859 const struct ip *ip;
860 const struct ip6_hdr *ip6;
861
862 ip = (const struct ip *)bp2;
863 switch (IP_V(ip)) {
864 case 4:
865 if (cookiecache[i].version != 4)
866 return 0;
867 if (initiator) {
868 if (UNALIGNED_MEMCMP(ip->ip_src, &cookiecache[i].iaddr.in4, sizeof(nd_ipv4)) == 0)
869 return 1;
870 } else {
871 if (UNALIGNED_MEMCMP(ip->ip_src, &cookiecache[i].raddr.in4, sizeof(nd_ipv4)) == 0)
872 return 1;
873 }
874 break;
875 case 6:
876 if (cookiecache[i].version != 6)
877 return 0;
878 ip6 = (const struct ip6_hdr *)bp2;
879 if (initiator) {
880 if (UNALIGNED_MEMCMP(ip6->ip6_src, &cookiecache[i].iaddr.in6, sizeof(nd_ipv6)) == 0)
881 return 1;
882 } else {
883 if (UNALIGNED_MEMCMP(ip6->ip6_src, &cookiecache[i].raddr.in6, sizeof(nd_ipv6)) == 0)
884 return 1;
885 }
886 break;
887 default:
888 break;
889 }
890
891 return 0;
892 }
893
894 static void
895 hexprint(netdissect_options *ndo, const uint8_t *loc, size_t len)
896 {
897 const uint8_t *p;
898 size_t i;
899
900 p = loc;
901 for (i = 0; i < len; i++)
902 ND_PRINT("%02x", p[i] & 0xff);
903 }
904
905 static int
906 rawprint(netdissect_options *ndo, const uint8_t *loc, size_t len)
907 {
908 ND_TCHECK_LEN(loc, len);
909
910 hexprint(ndo, loc, len);
911 return 1;
912 trunc:
913 return 0;
914 }
915
916
917 /*
918 * returns false if we run out of data buffer
919 */
920 static int ike_show_somedata(netdissect_options *ndo,
921 const u_char *cp, const u_char *ep)
922 {
923 /* there is too much data, just show some of it */
924 const u_char *end = ep - 20;
925 size_t elen = 20;
926 size_t len = ep - cp;
927 if(len > 10) {
928 len = 10;
929 }
930
931 /* really shouldn't happen because of above */
932 if(end < cp + len) {
933 end = cp+len;
934 elen = ep - end;
935 }
936
937 ND_PRINT(" data=(");
938 if(!rawprint(ndo, (const uint8_t *)(cp), len)) goto trunc;
939 ND_PRINT("...");
940 if(elen) {
941 if(!rawprint(ndo, (const uint8_t *)(end), elen)) goto trunc;
942 }
943 ND_PRINT(")");
944 return 1;
945
946 trunc:
947 return 0;
948 }
949
950 struct attrmap {
951 const char *type;
952 u_int nvalue;
953 const char *value[30]; /*XXX*/
954 };
955
956 static const u_char *
957 ikev1_attrmap_print(netdissect_options *ndo,
958 const u_char *p, const u_char *ep2,
959 const struct attrmap *map, size_t nmap)
960 {
961 u_int totlen;
962 uint32_t t, v;
963
964 if (GET_U_1(p) & 0x80)
965 totlen = 4;
966 else {
967 totlen = 4 + GET_BE_U_2(p + 2);
968 }
969 if (ep2 < p + totlen) {
970 ND_PRINT("[|attr]");
971 return ep2 + 1;
972 }
973
974 ND_PRINT("(");
975 t = GET_BE_U_2(p) & 0x7fff;
976 if (map && t < nmap && map[t].type)
977 ND_PRINT("type=%s ", map[t].type);
978 else
979 ND_PRINT("type=#%u ", t);
980 if (GET_U_1(p) & 0x80) {
981 ND_PRINT("value=");
982 v = GET_BE_U_2(p + 2);
983 if (map && t < nmap && v < map[t].nvalue && map[t].value[v])
984 ND_PRINT("%s", map[t].value[v]);
985 else {
986 if (!rawprint(ndo, (const uint8_t *)(p + 2), 2)) {
987 ND_PRINT(")");
988 goto trunc;
989 }
990 }
991 } else {
992 ND_PRINT("len=%u value=", totlen - 4);
993 if (!rawprint(ndo, (const uint8_t *)(p + 4), totlen - 4)) {
994 ND_PRINT(")");
995 goto trunc;
996 }
997 }
998 ND_PRINT(")");
999 return p + totlen;
1000
1001 trunc:
1002 return NULL;
1003 }
1004
1005 static const u_char *
1006 ikev1_attr_print(netdissect_options *ndo, const u_char *p, const u_char *ep2)
1007 {
1008 u_int totlen;
1009 uint32_t t;
1010
1011 if (GET_U_1(p) & 0x80)
1012 totlen = 4;
1013 else {
1014 totlen = 4 + GET_BE_U_2(p + 2);
1015 }
1016 if (ep2 < p + totlen) {
1017 ND_PRINT("[|attr]");
1018 return ep2 + 1;
1019 }
1020
1021 ND_PRINT("(");
1022 t = GET_BE_U_2(p) & 0x7fff;
1023 ND_PRINT("type=#%u ", t);
1024 if (GET_U_1(p) & 0x80) {
1025 ND_PRINT("value=");
1026 t = GET_U_1(p + 2);
1027 if (!rawprint(ndo, (const uint8_t *)(p + 2), 2)) {
1028 ND_PRINT(")");
1029 goto trunc;
1030 }
1031 } else {
1032 ND_PRINT("len=%u value=", totlen - 4);
1033 if (!rawprint(ndo, (const uint8_t *)(p + 4), totlen - 4)) {
1034 ND_PRINT(")");
1035 goto trunc;
1036 }
1037 }
1038 ND_PRINT(")");
1039 return p + totlen;
1040
1041 trunc:
1042 return NULL;
1043 }
1044
1045 static const u_char *
1046 ikev1_sa_print(netdissect_options *ndo, u_char tpay _U_,
1047 const struct isakmp_gen *ext,
1048 u_int item_len _U_,
1049 const u_char *ep, uint32_t phase, uint32_t doi0 _U_,
1050 uint32_t proto0, int depth)
1051 {
1052 const struct ikev1_pl_sa *p;
1053 uint32_t doi, sit, ident;
1054 const u_char *cp, *np;
1055 int t;
1056
1057 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_SA));
1058
1059 p = (const struct ikev1_pl_sa *)ext;
1060 ND_TCHECK_SIZE(p);
1061 doi = GET_BE_U_4(p->doi);
1062 sit = GET_BE_U_4(p->sit);
1063 if (doi != 1) {
1064 ND_PRINT(" doi=%u", doi);
1065 ND_PRINT(" situation=%u", sit);
1066 return (const u_char *)(p + 1);
1067 }
1068
1069 ND_PRINT(" doi=ipsec");
1070 ND_PRINT(" situation=");
1071 t = 0;
1072 if (sit & 0x01) {
1073 ND_PRINT("identity");
1074 t++;
1075 }
1076 if (sit & 0x02) {
1077 ND_PRINT("%ssecrecy", t ? "+" : "");
1078 t++;
1079 }
1080 if (sit & 0x04)
1081 ND_PRINT("%sintegrity", t ? "+" : "");
1082
1083 np = (const u_char *)ext + sizeof(struct ikev1_pl_sa);
1084 if (sit != 0x01) {
1085 ident = GET_BE_U_4(ext + 1);
1086 ND_PRINT(" ident=%u", ident);
1087 np += sizeof(ident);
1088 }
1089
1090 ext = (const struct isakmp_gen *)np;
1091 ND_TCHECK_SIZE(ext);
1092
1093 cp = ikev1_sub_print(ndo, ISAKMP_NPTYPE_P, ext, ep, phase, doi, proto0,
1094 depth);
1095
1096 return cp;
1097 trunc:
1098 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_SA));
1099 return NULL;
1100 }
1101
1102 static const u_char *
1103 ikev1_p_print(netdissect_options *ndo, u_char tpay _U_,
1104 const struct isakmp_gen *ext, u_int item_len _U_,
1105 const u_char *ep, uint32_t phase, uint32_t doi0,
1106 uint32_t proto0 _U_, int depth)
1107 {
1108 const struct ikev1_pl_p *p;
1109 const u_char *cp;
1110 uint8_t spi_size;
1111
1112 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_P));
1113
1114 p = (const struct ikev1_pl_p *)ext;
1115 ND_TCHECK_SIZE(p);
1116 ND_PRINT(" #%u protoid=%s transform=%u",
1117 GET_U_1(p->p_no), PROTOIDSTR(GET_U_1(p->prot_id)),
1118 GET_U_1(p->num_t));
1119 spi_size = GET_U_1(p->spi_size);
1120 if (spi_size) {
1121 ND_PRINT(" spi=");
1122 if (!rawprint(ndo, (const uint8_t *)(p + 1), spi_size))
1123 goto trunc;
1124 }
1125
1126 ext = (const struct isakmp_gen *)((const u_char *)(p + 1) + spi_size);
1127 ND_TCHECK_SIZE(ext);
1128
1129 cp = ikev1_sub_print(ndo, ISAKMP_NPTYPE_T, ext, ep, phase, doi0,
1130 GET_U_1(p->prot_id), depth);
1131
1132 return cp;
1133 trunc:
1134 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_P));
1135 return NULL;
1136 }
1137
1138 static const char *ikev1_p_map[] = {
1139 NULL, "ike",
1140 };
1141
1142 static const char *ikev2_t_type_map[]={
1143 NULL, "encr", "prf", "integ", "dh", "esn"
1144 };
1145
1146 static const char *ah_p_map[] = {
1147 NULL, "(reserved)", "md5", "sha", "1des",
1148 "sha2-256", "sha2-384", "sha2-512",
1149 };
1150
1151 static const char *prf_p_map[] = {
1152 NULL, "hmac-md5", "hmac-sha", "hmac-tiger",
1153 "aes128_xcbc"
1154 };
1155
1156 static const char *integ_p_map[] = {
1157 NULL, "hmac-md5", "hmac-sha", "dec-mac",
1158 "kpdk-md5", "aes-xcbc"
1159 };
1160
1161 static const char *esn_p_map[] = {
1162 "no-esn", "esn"
1163 };
1164
1165 static const char *dh_p_map[] = {
1166 NULL, "modp768",
1167 "modp1024", /* group 2 */
1168 "EC2N 2^155", /* group 3 */
1169 "EC2N 2^185", /* group 4 */
1170 "modp1536", /* group 5 */
1171 "iana-grp06", "iana-grp07", /* reserved */
1172 "iana-grp08", "iana-grp09",
1173 "iana-grp10", "iana-grp11",
1174 "iana-grp12", "iana-grp13",
1175 "modp2048", /* group 14 */
1176 "modp3072", /* group 15 */
1177 "modp4096", /* group 16 */
1178 "modp6144", /* group 17 */
1179 "modp8192", /* group 18 */
1180 };
1181
1182 static const char *esp_p_map[] = {
1183 NULL, "1des-iv64", "1des", "3des", "rc5", "idea", "cast",
1184 "blowfish", "3idea", "1des-iv32", "rc4", "null", "aes"
1185 };
1186
1187 static const char *ipcomp_p_map[] = {
1188 NULL, "oui", "deflate", "lzs",
1189 };
1190
1191 static const struct attrmap ipsec_t_map[] = {
1192 { NULL, 0, { NULL } },
1193 { "lifetype", 3, { NULL, "sec", "kb", }, },
1194 { "life", 0, { NULL } },
1195 { "group desc", 18, { NULL, "modp768",
1196 "modp1024", /* group 2 */
1197 "EC2N 2^155", /* group 3 */
1198 "EC2N 2^185", /* group 4 */
1199 "modp1536", /* group 5 */
1200 "iana-grp06", "iana-grp07", /* reserved */
1201 "iana-grp08", "iana-grp09",
1202 "iana-grp10", "iana-grp11",
1203 "iana-grp12", "iana-grp13",
1204 "modp2048", /* group 14 */
1205 "modp3072", /* group 15 */
1206 "modp4096", /* group 16 */
1207 "modp6144", /* group 17 */
1208 "modp8192", /* group 18 */
1209 }, },
1210 { "enc mode", 3, { NULL, "tunnel", "transport", }, },
1211 { "auth", 5, { NULL, "hmac-md5", "hmac-sha1", "1des-mac", "keyed", }, },
1212 { "keylen", 0, { NULL } },
1213 { "rounds", 0, { NULL } },
1214 { "dictsize", 0, { NULL } },
1215 { "privalg", 0, { NULL } },
1216 };
1217
1218 static const struct attrmap encr_t_map[] = {
1219 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 0, 1 */
1220 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 2, 3 */
1221 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 4, 5 */
1222 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 6, 7 */
1223 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 8, 9 */
1224 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 10,11*/
1225 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 12,13*/
1226 { "keylen", 14, { NULL }},
1227 };
1228
1229 static const struct attrmap oakley_t_map[] = {
1230 { NULL, 0, { NULL } },
1231 { "enc", 8, { NULL, "1des", "idea", "blowfish", "rc5",
1232 "3des", "cast", "aes", }, },
1233 { "hash", 7, { NULL, "md5", "sha1", "tiger",
1234 "sha2-256", "sha2-384", "sha2-512", }, },
1235 { "auth", 6, { NULL, "preshared", "dss", "rsa sig", "rsa enc",
1236 "rsa enc revised", }, },
1237 { "group desc", 18, { NULL, "modp768",
1238 "modp1024", /* group 2 */
1239 "EC2N 2^155", /* group 3 */
1240 "EC2N 2^185", /* group 4 */
1241 "modp1536", /* group 5 */
1242 "iana-grp06", "iana-grp07", /* reserved */
1243 "iana-grp08", "iana-grp09",
1244 "iana-grp10", "iana-grp11",
1245 "iana-grp12", "iana-grp13",
1246 "modp2048", /* group 14 */
1247 "modp3072", /* group 15 */
1248 "modp4096", /* group 16 */
1249 "modp6144", /* group 17 */
1250 "modp8192", /* group 18 */
1251 }, },
1252 { "group type", 4, { NULL, "MODP", "ECP", "EC2N", }, },
1253 { "group prime", 0, { NULL } },
1254 { "group gen1", 0, { NULL } },
1255 { "group gen2", 0, { NULL } },
1256 { "group curve A", 0, { NULL } },
1257 { "group curve B", 0, { NULL } },
1258 { "lifetype", 3, { NULL, "sec", "kb", }, },
1259 { "lifeduration", 0, { NULL } },
1260 { "prf", 0, { NULL } },
1261 { "keylen", 0, { NULL } },
1262 { "field", 0, { NULL } },
1263 { "order", 0, { NULL } },
1264 };
1265
1266 static const u_char *
1267 ikev1_t_print(netdissect_options *ndo, u_char tpay _U_,
1268 const struct isakmp_gen *ext, u_int item_len,
1269 const u_char *ep, uint32_t phase _U_, uint32_t doi _U_,
1270 uint32_t proto, int depth _U_)
1271 {
1272 const struct ikev1_pl_t *p;
1273 const u_char *cp;
1274 const char *idstr;
1275 const struct attrmap *map;
1276 size_t nmap;
1277 const u_char *ep2;
1278
1279 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_T));
1280
1281 p = (const struct ikev1_pl_t *)ext;
1282 ND_TCHECK_SIZE(p);
1283
1284 switch (proto) {
1285 case 1:
1286 idstr = STR_OR_ID(GET_U_1(p->t_id), ikev1_p_map);
1287 map = oakley_t_map;
1288 nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]);
1289 break;
1290 case 2:
1291 idstr = STR_OR_ID(GET_U_1(p->t_id), ah_p_map);
1292 map = ipsec_t_map;
1293 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
1294 break;
1295 case 3:
1296 idstr = STR_OR_ID(GET_U_1(p->t_id), esp_p_map);
1297 map = ipsec_t_map;
1298 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
1299 break;
1300 case 4:
1301 idstr = STR_OR_ID(GET_U_1(p->t_id), ipcomp_p_map);
1302 map = ipsec_t_map;
1303 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
1304 break;
1305 default:
1306 idstr = NULL;
1307 map = NULL;
1308 nmap = 0;
1309 break;
1310 }
1311
1312 if (idstr)
1313 ND_PRINT(" #%u id=%s ", GET_U_1(p->t_no), idstr);
1314 else
1315 ND_PRINT(" #%u id=%u ", GET_U_1(p->t_no), GET_U_1(p->t_id));
1316 cp = (const u_char *)(p + 1);
1317 ep2 = (const u_char *)p + item_len;
1318 while (cp < ep && cp < ep2) {
1319 if (map && nmap)
1320 cp = ikev1_attrmap_print(ndo, cp, ep2, map, nmap);
1321 else
1322 cp = ikev1_attr_print(ndo, cp, ep2);
1323 if (cp == NULL)
1324 goto trunc;
1325 }
1326 if (ep < ep2)
1327 ND_PRINT("...");
1328 return cp;
1329 trunc:
1330 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_T));
1331 return NULL;
1332 }
1333
1334 static const u_char *
1335 ikev1_ke_print(netdissect_options *ndo, u_char tpay _U_,
1336 const struct isakmp_gen *ext, u_int item_len,
1337 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_,
1338 uint32_t proto _U_, int depth _U_)
1339 {
1340 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_KE));
1341
1342 ND_TCHECK_SIZE(ext);
1343 /*
1344 * Our caller has ensured that the length is >= 4.
1345 */
1346 ND_PRINT(" key len=%u", item_len - 4);
1347 if (2 < ndo->ndo_vflag && item_len > 4) {
1348 /* Print the entire payload in hex */
1349 ND_PRINT(" ");
1350 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1351 goto trunc;
1352 }
1353 return (const u_char *)ext + item_len;
1354 trunc:
1355 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_KE));
1356 return NULL;
1357 }
1358
1359 static const u_char *
1360 ikev1_id_print(netdissect_options *ndo, u_char tpay _U_,
1361 const struct isakmp_gen *ext, u_int item_len,
1362 const u_char *ep _U_, uint32_t phase, uint32_t doi _U_,
1363 uint32_t proto _U_, int depth _U_)
1364 {
1365 #define USE_IPSECDOI_IN_PHASE1 1
1366 const struct ikev1_pl_id *p;
1367 static const char *idtypestr[] = {
1368 "IPv4", "IPv4net", "IPv6", "IPv6net",
1369 };
1370 static const char *ipsecidtypestr[] = {
1371 NULL, "IPv4", "FQDN", "user FQDN", "IPv4net", "IPv6",
1372 "IPv6net", "IPv4range", "IPv6range", "ASN1 DN", "ASN1 GN",
1373 "keyid",
1374 };
1375 u_int len;
1376 const u_char *data;
1377
1378 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_ID));
1379
1380 p = (const struct ikev1_pl_id *)ext;
1381 ND_TCHECK_SIZE(p);
1382 if (sizeof(*p) < item_len) {
1383 data = (const u_char *)(p + 1);
1384 len = item_len - sizeof(*p);
1385 } else {
1386 data = NULL;
1387 len = 0;
1388 }
1389
1390 #if 0 /*debug*/
1391 ND_PRINT(" [phase=%u doi=%u proto=%u]", phase, doi, proto);
1392 #endif
1393 switch (phase) {
1394 #ifndef USE_IPSECDOI_IN_PHASE1
1395 case 1:
1396 #endif
1397 default:
1398 ND_PRINT(" idtype=%s",
1399 STR_OR_ID(GET_U_1(p->d.id_type), idtypestr));
1400 ND_PRINT(" doi_data=%u",
1401 GET_BE_U_4(p->d.doi_data) & 0xffffff);
1402 break;
1403
1404 #ifdef USE_IPSECDOI_IN_PHASE1
1405 case 1:
1406 #endif
1407 case 2:
1408 {
1409 const struct ipsecdoi_id *doi_p;
1410 const char *p_name;
1411 uint8_t type, proto_id;
1412
1413 doi_p = (const struct ipsecdoi_id *)ext;
1414 ND_TCHECK_SIZE(doi_p);
1415 type = GET_U_1(doi_p->type);
1416 ND_PRINT(" idtype=%s", STR_OR_ID(type, ipsecidtypestr));
1417 /* A protocol ID of 0 DOES NOT mean IPPROTO_IP! */
1418 proto_id = GET_U_1(doi_p->proto_id);
1419 if (!ndo->ndo_nflag && proto_id && (p_name = netdb_protoname(proto_id)) != NULL)
1420 ND_PRINT(" protoid=%s", p_name);
1421 else
1422 ND_PRINT(" protoid=%u", proto_id);
1423 ND_PRINT(" port=%u", GET_BE_U_2(doi_p->port));
1424 if (!len)
1425 break;
1426 if (data == NULL)
1427 goto trunc;
1428 ND_TCHECK_LEN(data, len);
1429 switch (type) {
1430 case IPSECDOI_ID_IPV4_ADDR:
1431 if (len < 4)
1432 ND_PRINT(" len=%u [bad: < 4]", len);
1433 else
1434 ND_PRINT(" len=%u %s", len, GET_IPADDR_STRING(data));
1435 len = 0;
1436 break;
1437 case IPSECDOI_ID_FQDN:
1438 case IPSECDOI_ID_USER_FQDN:
1439 {
1440 ND_PRINT(" len=%u ", len);
1441 nd_printjn(ndo, data, len);
1442 len = 0;
1443 break;
1444 }
1445 case IPSECDOI_ID_IPV4_ADDR_SUBNET:
1446 {
1447 const u_char *mask;
1448 if (len < 8)
1449 ND_PRINT(" len=%u [bad: < 8]", len);
1450 else {
1451 mask = data + sizeof(nd_ipv4);
1452 ND_PRINT(" len=%u %s/%u.%u.%u.%u", len,
1453 GET_IPADDR_STRING(data),
1454 GET_U_1(mask), GET_U_1(mask + 1),
1455 GET_U_1(mask + 2),
1456 GET_U_1(mask + 3));
1457 }
1458 len = 0;
1459 break;
1460 }
1461 case IPSECDOI_ID_IPV6_ADDR:
1462 if (len < 16)
1463 ND_PRINT(" len=%u [bad: < 16]", len);
1464 else
1465 ND_PRINT(" len=%u %s", len, GET_IP6ADDR_STRING(data));
1466 len = 0;
1467 break;
1468 case IPSECDOI_ID_IPV6_ADDR_SUBNET:
1469 {
1470 const u_char *mask;
1471 if (len < 32)
1472 ND_PRINT(" len=%u [bad: < 32]", len);
1473 else {
1474 mask = (const u_char *)(data + sizeof(nd_ipv6));
1475 /*XXX*/
1476 ND_PRINT(" len=%u %s/0x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x", len,
1477 GET_IP6ADDR_STRING(data),
1478 GET_U_1(mask), GET_U_1(mask + 1),
1479 GET_U_1(mask + 2),
1480 GET_U_1(mask + 3),
1481 GET_U_1(mask + 4),
1482 GET_U_1(mask + 5),
1483 GET_U_1(mask + 6),
1484 GET_U_1(mask + 7),
1485 GET_U_1(mask + 8),
1486 GET_U_1(mask + 9),
1487 GET_U_1(mask + 10),
1488 GET_U_1(mask + 11),
1489 GET_U_1(mask + 12),
1490 GET_U_1(mask + 13),
1491 GET_U_1(mask + 14),
1492 GET_U_1(mask + 15));
1493 }
1494 len = 0;
1495 break;
1496 }
1497 case IPSECDOI_ID_IPV4_ADDR_RANGE:
1498 if (len < 8)
1499 ND_PRINT(" len=%u [bad: < 8]", len);
1500 else {
1501 ND_PRINT(" len=%u %s-%s", len,
1502 GET_IPADDR_STRING(data),
1503 GET_IPADDR_STRING(data + sizeof(nd_ipv4)));
1504 }
1505 len = 0;
1506 break;
1507 case IPSECDOI_ID_IPV6_ADDR_RANGE:
1508 if (len < 32)
1509 ND_PRINT(" len=%u [bad: < 32]", len);
1510 else {
1511 ND_PRINT(" len=%u %s-%s", len,
1512 GET_IP6ADDR_STRING(data),
1513 GET_IP6ADDR_STRING(data + sizeof(nd_ipv6)));
1514 }
1515 len = 0;
1516 break;
1517 case IPSECDOI_ID_DER_ASN1_DN:
1518 case IPSECDOI_ID_DER_ASN1_GN:
1519 case IPSECDOI_ID_KEY_ID:
1520 break;
1521 }
1522 break;
1523 }
1524 }
1525 if (data && len) {
1526 ND_PRINT(" len=%u", len);
1527 if (2 < ndo->ndo_vflag) {
1528 ND_PRINT(" ");
1529 if (!rawprint(ndo, (const uint8_t *)data, len))
1530 goto trunc;
1531 }
1532 }
1533 return (const u_char *)ext + item_len;
1534 trunc:
1535 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_ID));
1536 return NULL;
1537 }
1538
1539 static const u_char *
1540 ikev1_cert_print(netdissect_options *ndo, u_char tpay _U_,
1541 const struct isakmp_gen *ext, u_int item_len,
1542 const u_char *ep _U_, uint32_t phase _U_,
1543 uint32_t doi0 _U_,
1544 uint32_t proto0 _U_, int depth _U_)
1545 {
1546 const struct ikev1_pl_cert *p;
1547 static const char *certstr[] = {
1548 "none", "pkcs7", "pgp", "dns",
1549 "x509sign", "x509ke", "kerberos", "crl",
1550 "arl", "spki", "x509attr",
1551 };
1552
1553 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_CERT));
1554
1555 p = (const struct ikev1_pl_cert *)ext;
1556 ND_TCHECK_SIZE(p);
1557 /*
1558 * Our caller has ensured that the length is >= 4.
1559 */
1560 ND_PRINT(" len=%u", item_len - 4);
1561 ND_PRINT(" type=%s", STR_OR_ID(GET_U_1(p->encode), certstr));
1562 if (2 < ndo->ndo_vflag && 4 < item_len) {
1563 /* Print the entire payload in hex */
1564 ND_PRINT(" ");
1565 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1566 goto trunc;
1567 }
1568 return (const u_char *)ext + item_len;
1569 trunc:
1570 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_CERT));
1571 return NULL;
1572 }
1573
1574 static const u_char *
1575 ikev1_cr_print(netdissect_options *ndo, u_char tpay _U_,
1576 const struct isakmp_gen *ext, u_int item_len,
1577 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi0 _U_,
1578 uint32_t proto0 _U_, int depth _U_)
1579 {
1580 const struct ikev1_pl_cert *p;
1581 static const char *certstr[] = {
1582 "none", "pkcs7", "pgp", "dns",
1583 "x509sign", "x509ke", "kerberos", "crl",
1584 "arl", "spki", "x509attr",
1585 };
1586
1587 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_CR));
1588
1589 p = (const struct ikev1_pl_cert *)ext;
1590 ND_TCHECK_SIZE(p);
1591 /*
1592 * Our caller has ensured that the length is >= 4.
1593 */
1594 ND_PRINT(" len=%u", item_len - 4);
1595 ND_PRINT(" type=%s", STR_OR_ID(GET_U_1(p->encode), certstr));
1596 if (2 < ndo->ndo_vflag && 4 < item_len) {
1597 /* Print the entire payload in hex */
1598 ND_PRINT(" ");
1599 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1600 goto trunc;
1601 }
1602 return (const u_char *)ext + item_len;
1603 trunc:
1604 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_CR));
1605 return NULL;
1606 }
1607
1608 static const u_char *
1609 ikev1_hash_print(netdissect_options *ndo, u_char tpay _U_,
1610 const struct isakmp_gen *ext, u_int item_len,
1611 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_,
1612 uint32_t proto _U_, int depth _U_)
1613 {
1614 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_HASH));
1615
1616 ND_TCHECK_SIZE(ext);
1617 /*
1618 * Our caller has ensured that the length is >= 4.
1619 */
1620 ND_PRINT(" len=%u", item_len - 4);
1621 if (2 < ndo->ndo_vflag && 4 < item_len) {
1622 /* Print the entire payload in hex */
1623 ND_PRINT(" ");
1624 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1625 goto trunc;
1626 }
1627 return (const u_char *)ext + item_len;
1628 trunc:
1629 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_HASH));
1630 return NULL;
1631 }
1632
1633 static const u_char *
1634 ikev1_sig_print(netdissect_options *ndo, u_char tpay _U_,
1635 const struct isakmp_gen *ext, u_int item_len,
1636 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_,
1637 uint32_t proto _U_, int depth _U_)
1638 {
1639 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_SIG));
1640
1641 ND_TCHECK_SIZE(ext);
1642 /*
1643 * Our caller has ensured that the length is >= 4.
1644 */
1645 ND_PRINT(" len=%u", item_len - 4);
1646 if (2 < ndo->ndo_vflag && 4 < item_len) {
1647 /* Print the entire payload in hex */
1648 ND_PRINT(" ");
1649 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1650 goto trunc;
1651 }
1652 return (const u_char *)ext + item_len;
1653 trunc:
1654 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_SIG));
1655 return NULL;
1656 }
1657
1658 static const u_char *
1659 ikev1_nonce_print(netdissect_options *ndo, u_char tpay _U_,
1660 const struct isakmp_gen *ext,
1661 u_int item_len,
1662 const u_char *ep,
1663 uint32_t phase _U_, uint32_t doi _U_,
1664 uint32_t proto _U_, int depth _U_)
1665 {
1666 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_NONCE));
1667
1668 ND_TCHECK_SIZE(ext);
1669 /*
1670 * Our caller has ensured that the length is >= 4.
1671 */
1672 ND_PRINT(" n len=%u", item_len - 4);
1673 if (item_len > 4) {
1674 if (ndo->ndo_vflag > 2) {
1675 ND_PRINT(" ");
1676 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1677 goto trunc;
1678 } else if (ndo->ndo_vflag > 1) {
1679 ND_PRINT(" ");
1680 if (!ike_show_somedata(ndo, (const u_char *)(ext + 1), ep))
1681 goto trunc;
1682 }
1683 }
1684 return (const u_char *)ext + item_len;
1685 trunc:
1686 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_NONCE));
1687 return NULL;
1688 }
1689
1690 static const u_char *
1691 ikev1_n_print(netdissect_options *ndo, u_char tpay _U_,
1692 const struct isakmp_gen *ext, u_int item_len,
1693 const u_char *ep, uint32_t phase _U_, uint32_t doi0 _U_,
1694 uint32_t proto0 _U_, int depth _U_)
1695 {
1696 const struct ikev1_pl_n *p;
1697 const u_char *cp;
1698 const u_char *ep2;
1699 uint32_t doi;
1700 uint32_t proto;
1701 uint16_t type;
1702 uint8_t spi_size;
1703 static const char *notify_error_str[] = {
1704 NULL, "INVALID-PAYLOAD-TYPE",
1705 "DOI-NOT-SUPPORTED", "SITUATION-NOT-SUPPORTED",
1706 "INVALID-COOKIE", "INVALID-MAJOR-VERSION",
1707 "INVALID-MINOR-VERSION", "INVALID-EXCHANGE-TYPE",
1708 "INVALID-FLAGS", "INVALID-MESSAGE-ID",
1709 "INVALID-PROTOCOL-ID", "INVALID-SPI",
1710 "INVALID-TRANSFORM-ID", "ATTRIBUTES-NOT-SUPPORTED",
1711 "NO-PROPOSAL-CHOSEN", "BAD-PROPOSAL-SYNTAX",
1712 "PAYLOAD-MALFORMED", "INVALID-KEY-INFORMATION",
1713 "INVALID-ID-INFORMATION", "INVALID-CERT-ENCODING",
1714 "INVALID-CERTIFICATE", "CERT-TYPE-UNSUPPORTED",
1715 "INVALID-CERT-AUTHORITY", "INVALID-HASH-INFORMATION",
1716 "AUTHENTICATION-FAILED", "INVALID-SIGNATURE",
1717 "ADDRESS-NOTIFICATION", "NOTIFY-SA-LIFETIME",
1718 "CERTIFICATE-UNAVAILABLE", "UNSUPPORTED-EXCHANGE-TYPE",
1719 "UNEQUAL-PAYLOAD-LENGTHS",
1720 };
1721 static const char *ipsec_notify_error_str[] = {
1722 "RESERVED",
1723 };
1724 static const char *notify_status_str[] = {
1725 "CONNECTED",
1726 };
1727 static const char *ipsec_notify_status_str[] = {
1728 "RESPONDER-LIFETIME", "REPLAY-STATUS",
1729 "INITIAL-CONTACT",
1730 };
1731 /* NOTE: these macro must be called with x in proper range */
1732
1733 /* 0 - 8191 */
1734 #define NOTIFY_ERROR_STR(x) \
1735 STR_OR_ID((x), notify_error_str)
1736
1737 /* 8192 - 16383 */
1738 #define IPSEC_NOTIFY_ERROR_STR(x) \
1739 STR_OR_ID((u_int)((x) - 8192), ipsec_notify_error_str)
1740
1741 /* 16384 - 24575 */
1742 #define NOTIFY_STATUS_STR(x) \
1743 STR_OR_ID((u_int)((x) - 16384), notify_status_str)
1744
1745 /* 24576 - 32767 */
1746 #define IPSEC_NOTIFY_STATUS_STR(x) \
1747 STR_OR_ID((u_int)((x) - 24576), ipsec_notify_status_str)
1748
1749 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_N));
1750
1751 p = (const struct ikev1_pl_n *)ext;
1752 ND_TCHECK_SIZE(p);
1753 doi = GET_BE_U_4(p->doi);
1754 proto = GET_U_1(p->prot_id);
1755 if (doi != 1) {
1756 ND_PRINT(" doi=%u", doi);
1757 ND_PRINT(" proto=%u", proto);
1758 type = GET_BE_U_2(p->type);
1759 if (type < 8192)
1760 ND_PRINT(" type=%s", NOTIFY_ERROR_STR(type));
1761 else if (type < 16384)
1762 ND_PRINT(" type=%s", numstr(type));
1763 else if (type < 24576)
1764 ND_PRINT(" type=%s", NOTIFY_STATUS_STR(type));
1765 else
1766 ND_PRINT(" type=%s", numstr(type));
1767 spi_size = GET_U_1(p->spi_size);
1768 if (spi_size) {
1769 ND_PRINT(" spi=");
1770 if (!rawprint(ndo, (const uint8_t *)(p + 1), spi_size))
1771 goto trunc;
1772 }
1773 return (const u_char *)(p + 1) + spi_size;
1774 }
1775
1776 ND_PRINT(" doi=ipsec");
1777 ND_PRINT(" proto=%s", PROTOIDSTR(proto));
1778 type = GET_BE_U_2(p->type);
1779 if (type < 8192)
1780 ND_PRINT(" type=%s", NOTIFY_ERROR_STR(type));
1781 else if (type < 16384)
1782 ND_PRINT(" type=%s", IPSEC_NOTIFY_ERROR_STR(type));
1783 else if (type < 24576)
1784 ND_PRINT(" type=%s", NOTIFY_STATUS_STR(type));
1785 else if (type < 32768)
1786 ND_PRINT(" type=%s", IPSEC_NOTIFY_STATUS_STR(type));
1787 else
1788 ND_PRINT(" type=%s", numstr(type));
1789 spi_size = GET_U_1(p->spi_size);
1790 if (spi_size) {
1791 ND_PRINT(" spi=");
1792 if (!rawprint(ndo, (const uint8_t *)(p + 1), spi_size))
1793 goto trunc;
1794 }
1795
1796 cp = (const u_char *)(p + 1) + spi_size;
1797 ep2 = (const u_char *)p + item_len;
1798
1799 if (cp < ep) {
1800 switch (type) {
1801 case IPSECDOI_NTYPE_RESPONDER_LIFETIME:
1802 {
1803 const struct attrmap *map = oakley_t_map;
1804 size_t nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]);
1805 ND_PRINT(" attrs=(");
1806 while (cp < ep && cp < ep2) {
1807 cp = ikev1_attrmap_print(ndo, cp, ep2, map, nmap);
1808 if (cp == NULL) {
1809 ND_PRINT(")");
1810 goto trunc;
1811 }
1812 }
1813 ND_PRINT(")");
1814 break;
1815 }
1816 case IPSECDOI_NTYPE_REPLAY_STATUS:
1817 ND_PRINT(" status=(");
1818 ND_PRINT("replay detection %sabled",
1819 GET_BE_U_4(cp) ? "en" : "dis");
1820 ND_PRINT(")");
1821 break;
1822 default:
1823 /*
1824 * XXX - fill in more types here; see, for example,
1825 * draft-ietf-ipsec-notifymsg-04.
1826 */
1827 if (ndo->ndo_vflag > 3) {
1828 ND_PRINT(" data=(");
1829 if (!rawprint(ndo, (const uint8_t *)(cp), ep - cp))
1830 goto trunc;
1831 ND_PRINT(")");
1832 } else {
1833 if (!ike_show_somedata(ndo, cp, ep))
1834 goto trunc;
1835 }
1836 break;
1837 }
1838 }
1839 return (const u_char *)ext + item_len;
1840 trunc:
1841 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_N));
1842 return NULL;
1843 }
1844
1845 static const u_char *
1846 ikev1_d_print(netdissect_options *ndo, u_char tpay _U_,
1847 const struct isakmp_gen *ext, u_int item_len _U_,
1848 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi0 _U_,
1849 uint32_t proto0 _U_, int depth _U_)
1850 {
1851 const struct ikev1_pl_d *p;
1852 const uint8_t *q;
1853 uint32_t doi;
1854 uint32_t proto;
1855 uint8_t spi_size;
1856 uint16_t num_spi;
1857 u_int i;
1858
1859 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_D));
1860
1861 p = (const struct ikev1_pl_d *)ext;
1862 ND_TCHECK_SIZE(p);
1863 doi = GET_BE_U_4(p->doi);
1864 proto = GET_U_1(p->prot_id);
1865 if (doi != 1) {
1866 ND_PRINT(" doi=%u", doi);
1867 ND_PRINT(" proto=%u", proto);
1868 } else {
1869 ND_PRINT(" doi=ipsec");
1870 ND_PRINT(" proto=%s", PROTOIDSTR(proto));
1871 }
1872 spi_size = GET_U_1(p->spi_size);
1873 ND_PRINT(" spilen=%u", spi_size);
1874 num_spi = GET_BE_U_2(p->num_spi);
1875 ND_PRINT(" nspi=%u", num_spi);
1876 q = (const uint8_t *)(p + 1);
1877 if (spi_size) {
1878 ND_PRINT(" spi=");
1879 for (i = 0; i < num_spi; i++) {
1880 if (i != 0)
1881 ND_PRINT(",");
1882 if (!rawprint(ndo, (const uint8_t *)q, spi_size))
1883 goto trunc;
1884 q += spi_size;
1885 }
1886 }
1887 return q;
1888 trunc:
1889 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_D));
1890 return NULL;
1891 }
1892
1893 static const u_char *
1894 ikev1_vid_print(netdissect_options *ndo, u_char tpay _U_,
1895 const struct isakmp_gen *ext,
1896 u_int item_len, const u_char *ep _U_,
1897 uint32_t phase _U_, uint32_t doi _U_,
1898 uint32_t proto _U_, int depth _U_)
1899 {
1900 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_VID));
1901
1902 ND_TCHECK_SIZE(ext);
1903 /*
1904 * Our caller has ensured that the length is >= 4.
1905 */
1906 ND_PRINT(" len=%u", item_len - 4);
1907 if (2 < ndo->ndo_vflag && 4 < item_len) {
1908 /* Print the entire payload in hex */
1909 ND_PRINT(" ");
1910 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1911 goto trunc;
1912 }
1913 return (const u_char *)ext + item_len;
1914 trunc:
1915 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_VID));
1916 return NULL;
1917 }
1918
1919 /************************************************************/
1920 /* */
1921 /* IKE v2 - rfc4306 - dissector */
1922 /* */
1923 /************************************************************/
1924
1925 static void
1926 ikev2_pay_print(netdissect_options *ndo, const char *payname, uint8_t critical)
1927 {
1928 ND_PRINT("%s%s:", payname, critical&0x80 ? "[C]" : "");
1929 }
1930
1931 static const u_char *
1932 ikev2_gen_print(netdissect_options *ndo, u_char tpay,
1933 const struct isakmp_gen *ext, u_int item_len)
1934 {
1935 const struct isakmp_gen *p = (const struct isakmp_gen *)ext;
1936
1937 ND_TCHECK_SIZE(ext);
1938 ikev2_pay_print(ndo, NPSTR(tpay), GET_U_1(p->critical));
1939
1940 /*
1941 * Our caller has ensured that the length is >= 4.
1942 */
1943 ND_PRINT(" len=%u", item_len - 4);
1944 if (2 < ndo->ndo_vflag && 4 < item_len) {
1945 /* Print the entire payload in hex */
1946 ND_PRINT(" ");
1947 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1948 goto trunc;
1949 }
1950 return (const u_char *)ext + item_len;
1951 trunc:
1952 ND_PRINT(" [|%s]", NPSTR(tpay));
1953 return NULL;
1954 }
1955
1956 static const u_char *
1957 ikev2_t_print(netdissect_options *ndo, int tcount,
1958 const struct isakmp_gen *ext, u_int item_len,
1959 const u_char *ep)
1960 {
1961 const struct ikev2_t *p;
1962 uint16_t t_id;
1963 uint8_t t_type;
1964 const u_char *cp;
1965 const char *idstr;
1966 const struct attrmap *map;
1967 size_t nmap;
1968 const u_char *ep2;
1969
1970 p = (const struct ikev2_t *)ext;
1971 ND_TCHECK_SIZE(p);
1972 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_T), GET_U_1(p->h.critical));
1973
1974 t_id = GET_BE_U_2(p->t_id);
1975
1976 map = NULL;
1977 nmap = 0;
1978
1979 t_type = GET_U_1(p->t_type);
1980 switch (t_type) {
1981 case IV2_T_ENCR:
1982 idstr = STR_OR_ID(t_id, esp_p_map);
1983 map = encr_t_map;
1984 nmap = sizeof(encr_t_map)/sizeof(encr_t_map[0]);
1985 break;
1986
1987 case IV2_T_PRF:
1988 idstr = STR_OR_ID(t_id, prf_p_map);
1989 break;
1990
1991 case IV2_T_INTEG:
1992 idstr = STR_OR_ID(t_id, integ_p_map);
1993 break;
1994
1995 case IV2_T_DH:
1996 idstr = STR_OR_ID(t_id, dh_p_map);
1997 break;
1998
1999 case IV2_T_ESN:
2000 idstr = STR_OR_ID(t_id, esn_p_map);
2001 break;
2002
2003 default:
2004 idstr = NULL;
2005 break;
2006 }
2007
2008 if (idstr)
2009 ND_PRINT(" #%u type=%s id=%s ", tcount,
2010 STR_OR_ID(t_type, ikev2_t_type_map),
2011 idstr);
2012 else
2013 ND_PRINT(" #%u type=%s id=%u ", tcount,
2014 STR_OR_ID(t_type, ikev2_t_type_map),
2015 t_id);
2016 cp = (const u_char *)(p + 1);
2017 ep2 = (const u_char *)p + item_len;
2018 while (cp < ep && cp < ep2) {
2019 if (map && nmap) {
2020 cp = ikev1_attrmap_print(ndo, cp, ep2, map, nmap);
2021 } else
2022 cp = ikev1_attr_print(ndo, cp, ep2);
2023 if (cp == NULL)
2024 goto trunc;
2025 }
2026 if (ep < ep2)
2027 ND_PRINT("...");
2028 return cp;
2029 trunc:
2030 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_T));
2031 return NULL;
2032 }
2033
2034 static const u_char *
2035 ikev2_p_print(netdissect_options *ndo, u_char tpay _U_, int pcount _U_,
2036 const struct isakmp_gen *ext, u_int oprop_length,
2037 const u_char *ep, int depth)
2038 {
2039 const struct ikev2_p *p;
2040 u_int prop_length;
2041 uint8_t spi_size;
2042 const u_char *cp;
2043 int i;
2044 int tcount;
2045 u_char np;
2046 u_int item_len;
2047
2048 p = (const struct ikev2_p *)ext;
2049 ND_TCHECK_SIZE(p);
2050
2051 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_P), GET_U_1(p->h.critical));
2052
2053 /*
2054 * ikev2_sa_print() guarantees that this is >= 4.
2055 */
2056 prop_length = oprop_length - 4;
2057 ND_PRINT(" #%u protoid=%s transform=%u len=%u",
2058 GET_U_1(p->p_no), PROTOIDSTR(GET_U_1(p->prot_id)),
2059 GET_U_1(p->num_t), oprop_length);
2060 cp = (const u_char *)(p + 1);
2061
2062 spi_size = GET_U_1(p->spi_size);
2063 if (spi_size) {
2064 if (prop_length < spi_size)
2065 goto toolong;
2066 ND_PRINT(" spi=");
2067 if (!rawprint(ndo, (const uint8_t *)cp, spi_size))
2068 goto trunc;
2069 cp += spi_size;
2070 prop_length -= spi_size;
2071 }
2072
2073 /*
2074 * Print the transforms.
2075 */
2076 tcount = 0;
2077 for (np = ISAKMP_NPTYPE_T; np != 0; np = GET_U_1(ext->np)) {
2078 tcount++;
2079 ext = (const struct isakmp_gen *)cp;
2080 if (prop_length < sizeof(*ext))
2081 goto toolong;
2082 ND_TCHECK_SIZE(ext);
2083
2084 /*
2085 * Since we can't have a payload length of less than 4 bytes,
2086 * we need to bail out here if the generic header is nonsensical
2087 * or truncated, otherwise we could loop forever processing
2088 * zero-length items or otherwise misdissect the packet.
2089 */
2090 item_len = GET_BE_U_2(ext->len);
2091 if (item_len <= 4)
2092 goto trunc;
2093
2094 if (prop_length < item_len)
2095 goto toolong;
2096 ND_TCHECK_LEN(cp, item_len);
2097
2098 depth++;
2099 ND_PRINT("\n");
2100 for (i = 0; i < depth; i++)
2101 ND_PRINT(" ");
2102 ND_PRINT("(");
2103 if (np == ISAKMP_NPTYPE_T) {
2104 cp = ikev2_t_print(ndo, tcount, ext, item_len, ep);
2105 if (cp == NULL) {
2106 /* error, already reported */
2107 return NULL;
2108 }
2109 } else {
2110 ND_PRINT("%s", NPSTR(np));
2111 cp += item_len;
2112 }
2113 ND_PRINT(")");
2114 depth--;
2115 prop_length -= item_len;
2116 }
2117 return cp;
2118 toolong:
2119 /*
2120 * Skip the rest of the proposal.
2121 */
2122 cp += prop_length;
2123 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_P));
2124 return cp;
2125 trunc:
2126 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_P));
2127 return NULL;
2128 }
2129
2130 static const u_char *
2131 ikev2_sa_print(netdissect_options *ndo, u_char tpay,
2132 const struct isakmp_gen *ext1,
2133 u_int osa_length, const u_char *ep,
2134 uint32_t phase _U_, uint32_t doi _U_,
2135 uint32_t proto _U_, int depth)
2136 {
2137 const struct isakmp_gen *ext;
2138 u_int sa_length;
2139 const u_char *cp;
2140 int i;
2141 int pcount;
2142 u_char np;
2143 u_int item_len;
2144
2145 ND_TCHECK_SIZE(ext1);
2146 ikev2_pay_print(ndo, "sa", GET_U_1(ext1->critical));
2147
2148 /*
2149 * ikev2_sub0_print() guarantees that this is >= 4.
2150 */
2151 osa_length= GET_BE_U_2(ext1->len);
2152 sa_length = osa_length - 4;
2153 ND_PRINT(" len=%u", sa_length);
2154
2155 /*
2156 * Print the payloads.
2157 */
2158 cp = (const u_char *)(ext1 + 1);
2159 pcount = 0;
2160 for (np = ISAKMP_NPTYPE_P; np != 0; np = GET_U_1(ext->np)) {
2161 pcount++;
2162 ext = (const struct isakmp_gen *)cp;
2163 if (sa_length < sizeof(*ext))
2164 goto toolong;
2165 ND_TCHECK_SIZE(ext);
2166
2167 /*
2168 * Since we can't have a payload length of less than 4 bytes,
2169 * we need to bail out here if the generic header is nonsensical
2170 * or truncated, otherwise we could loop forever processing
2171 * zero-length items or otherwise misdissect the packet.
2172 */
2173 item_len = GET_BE_U_2(ext->len);
2174 if (item_len <= 4)
2175 goto trunc;
2176
2177 if (sa_length < item_len)
2178 goto toolong;
2179 ND_TCHECK_LEN(cp, item_len);
2180
2181 depth++;
2182 ND_PRINT("\n");
2183 for (i = 0; i < depth; i++)
2184 ND_PRINT(" ");
2185 ND_PRINT("(");
2186 if (np == ISAKMP_NPTYPE_P) {
2187 cp = ikev2_p_print(ndo, np, pcount, ext, item_len,
2188 ep, depth);
2189 if (cp == NULL) {
2190 /* error, already reported */
2191 return NULL;
2192 }
2193 } else {
2194 ND_PRINT("%s", NPSTR(np));
2195 cp += item_len;
2196 }
2197 ND_PRINT(")");
2198 depth--;
2199 sa_length -= item_len;
2200 }
2201 return cp;
2202 toolong:
2203 /*
2204 * Skip the rest of the SA.
2205 */
2206 cp += sa_length;
2207 ND_PRINT(" [|%s]", NPSTR(tpay));
2208 return cp;
2209 trunc:
2210 ND_PRINT(" [|%s]", NPSTR(tpay));
2211 return NULL;
2212 }
2213
2214 static const u_char *
2215 ikev2_ke_print(netdissect_options *ndo, u_char tpay,
2216 const struct isakmp_gen *ext,
2217 u_int item_len, const u_char *ep _U_,
2218 uint32_t phase _U_, uint32_t doi _U_,
2219 uint32_t proto _U_, int depth _U_)
2220 {
2221 const struct ikev2_ke *k;
2222
2223 k = (const struct ikev2_ke *)ext;
2224 ND_TCHECK_SIZE(k);
2225 ikev2_pay_print(ndo, NPSTR(tpay), GET_U_1(k->h.critical));
2226
2227 if (item_len < 8) {
2228 ND_PRINT(" len=%u < 8", item_len);
2229 return (const u_char *)ext + item_len;
2230 }
2231 ND_PRINT(" len=%u group=%s", item_len - 8,
2232 STR_OR_ID(GET_BE_U_2(k->ke_group), dh_p_map));
2233
2234 if (2 < ndo->ndo_vflag && 8 < item_len) {
2235 ND_PRINT(" ");
2236 if (!rawprint(ndo, (const uint8_t *)(k + 1), item_len - 8))
2237 goto trunc;
2238 }
2239 return (const u_char *)ext + item_len;
2240 trunc:
2241 ND_PRINT(" [|%s]", NPSTR(tpay));
2242 return NULL;
2243 }
2244
2245 static const u_char *
2246 ikev2_ID_print(netdissect_options *ndo, u_char tpay,
2247 const struct isakmp_gen *ext,
2248 u_int item_len, const u_char *ep _U_,
2249 uint32_t phase _U_, uint32_t doi _U_,
2250 uint32_t proto _U_, int depth _U_)
2251 {
2252 const struct ikev2_id *idp;
2253 u_int idtype_len, i;
2254 unsigned int dumpascii, dumphex;
2255 const unsigned char *typedata;
2256
2257 idp = (const struct ikev2_id *)ext;
2258 ND_TCHECK_SIZE(idp);
2259 ikev2_pay_print(ndo, NPSTR(tpay), GET_U_1(idp->h.critical));
2260
2261 /*
2262 * Our caller has ensured that the length is >= 4.
2263 */
2264 ND_PRINT(" len=%u", item_len - 4);
2265 if (2 < ndo->ndo_vflag && 4 < item_len) {
2266 /* Print the entire payload in hex */
2267 ND_PRINT(" ");
2268 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
2269 goto trunc;
2270 }
2271
2272 idtype_len =item_len - sizeof(struct ikev2_id);
2273 dumpascii = 0;
2274 dumphex = 0;
2275 typedata = (const unsigned char *)(ext)+sizeof(struct ikev2_id);
2276
2277 switch(GET_U_1(idp->type)) {
2278 case ID_IPV4_ADDR:
2279 ND_PRINT(" ipv4:");
2280 dumphex=1;
2281 break;
2282 case ID_FQDN:
2283 ND_PRINT(" fqdn:");
2284 dumpascii=1;
2285 break;
2286 case ID_RFC822_ADDR:
2287 ND_PRINT(" rfc822:");
2288 dumpascii=1;
2289 break;
2290 case ID_IPV6_ADDR:
2291 ND_PRINT(" ipv6:");
2292 dumphex=1;
2293 break;
2294 case ID_DER_ASN1_DN:
2295 ND_PRINT(" dn:");
2296 dumphex=1;
2297 break;
2298 case ID_DER_ASN1_GN:
2299 ND_PRINT(" gn:");
2300 dumphex=1;
2301 break;
2302 case ID_KEY_ID:
2303 ND_PRINT(" keyid:");
2304 dumphex=1;
2305 break;
2306 }
2307
2308 if(dumpascii) {
2309 ND_TCHECK_LEN(typedata, idtype_len);
2310 for(i=0; i<idtype_len; i++) {
2311 if(ND_ASCII_ISPRINT(GET_U_1(typedata + i))) {
2312 ND_PRINT("%c", GET_U_1(typedata + i));
2313 } else {
2314 ND_PRINT(".");
2315 }
2316 }
2317 }
2318 if(dumphex) {
2319 if (!rawprint(ndo, (const uint8_t *)typedata, idtype_len))
2320 goto trunc;
2321 }
2322
2323 return (const u_char *)ext + item_len;
2324 trunc:
2325 ND_PRINT(" [|%s]", NPSTR(tpay));
2326 return NULL;
2327 }
2328
2329 static const u_char *
2330 ikev2_cert_print(netdissect_options *ndo, u_char tpay,
2331 const struct isakmp_gen *ext,
2332 u_int item_len, const u_char *ep _U_,
2333 uint32_t phase _U_, uint32_t doi _U_,
2334 uint32_t proto _U_, int depth _U_)
2335 {
2336 return ikev2_gen_print(ndo, tpay, ext, item_len);
2337 }
2338
2339 static const u_char *
2340 ikev2_cr_print(netdissect_options *ndo, u_char tpay,
2341 const struct isakmp_gen *ext,
2342 u_int item_len, const u_char *ep _U_,
2343 uint32_t phase _U_, uint32_t doi _U_,
2344 uint32_t proto _U_, int depth _U_)
2345 {
2346 return ikev2_gen_print(ndo, tpay, ext, item_len);
2347 }
2348
2349 static const u_char *
2350 ikev2_auth_print(netdissect_options *ndo, u_char tpay,
2351 const struct isakmp_gen *ext,
2352 u_int item_len, const u_char *ep,
2353 uint32_t phase _U_, uint32_t doi _U_,
2354 uint32_t proto _U_, int depth _U_)
2355 {
2356 const struct ikev2_auth *p;
2357 const char *v2_auth[]={ "invalid", "rsasig",
2358 "shared-secret", "dsssig" };
2359 const u_char *authdata = (const u_char *)ext + sizeof(struct ikev2_auth);
2360
2361 ND_TCHECK_LEN(ext, sizeof(struct ikev2_auth));
2362 p = (const struct ikev2_auth *)ext;
2363 ikev2_pay_print(ndo, NPSTR(tpay), GET_U_1(p->h.critical));
2364
2365 /*
2366 * Our caller has ensured that the length is >= 4.
2367 */
2368 ND_PRINT(" len=%u method=%s", item_len-4,
2369 STR_OR_ID(GET_U_1(p->auth_method), v2_auth));
2370 if (item_len > 4) {
2371 if (ndo->ndo_vflag > 1) {
2372 ND_PRINT(" authdata=(");
2373 if (!rawprint(ndo, (const uint8_t *)authdata, item_len - sizeof(struct ikev2_auth)))
2374 goto trunc;
2375 ND_PRINT(") ");
2376 } else if (ndo->ndo_vflag) {
2377 if (!ike_show_somedata(ndo, authdata, ep))
2378 goto trunc;
2379 }
2380 }
2381
2382 return (const u_char *)ext + item_len;
2383 trunc:
2384 ND_PRINT(" [|%s]", NPSTR(tpay));
2385 return NULL;
2386 }
2387
2388 static const u_char *
2389 ikev2_nonce_print(netdissect_options *ndo, u_char tpay,
2390 const struct isakmp_gen *ext,
2391 u_int item_len, const u_char *ep,
2392 uint32_t phase _U_, uint32_t doi _U_,
2393 uint32_t proto _U_, int depth _U_)
2394 {
2395 ND_TCHECK_SIZE(ext);
2396 ikev2_pay_print(ndo, "nonce", GET_U_1(ext->critical));
2397
2398 /*
2399 * Our caller has ensured that the length is >= 4.
2400 */
2401 ND_PRINT(" len=%u", item_len - 4);
2402 if (1 < ndo->ndo_vflag && 4 < item_len) {
2403 ND_PRINT(" nonce=(");
2404 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
2405 goto trunc;
2406 ND_PRINT(") ");
2407 } else if(ndo->ndo_vflag && 4 < item_len) {
2408 if(!ike_show_somedata(ndo, (const u_char *)(ext+1), ep)) goto trunc;
2409 }
2410
2411 return (const u_char *)ext + item_len;
2412 trunc:
2413 ND_PRINT(" [|%s]", NPSTR(tpay));
2414 return NULL;
2415 }
2416
2417 /* notify payloads */
2418 static const u_char *
2419 ikev2_n_print(netdissect_options *ndo, u_char tpay _U_,
2420 const struct isakmp_gen *ext,
2421 u_int item_len, const u_char *ep,
2422 uint32_t phase _U_, uint32_t doi _U_,
2423 uint32_t proto _U_, int depth _U_)
2424 {
2425 const struct ikev2_n *p;
2426 uint16_t type;
2427 uint8_t spi_size;
2428 const u_char *cp;
2429 u_char showspi, showsomedata;
2430 const char *notify_name;
2431
2432 p = (const struct ikev2_n *)ext;
2433 ND_TCHECK_SIZE(p);
2434 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_N), GET_U_1(p->h.critical));
2435
2436 showspi=0;
2437 showsomedata=0;
2438 notify_name=NULL;
2439
2440 ND_PRINT(" prot_id=%s", PROTOIDSTR(GET_U_1(p->prot_id)));
2441
2442 type = GET_BE_U_2(p->type);
2443
2444 /* notify space is annoying sparse */
2445 switch(type) {
2446 case IV2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD:
2447 notify_name = "unsupported_critical_payload";
2448 break;
2449
2450 case IV2_NOTIFY_INVALID_IKE_SPI:
2451 notify_name = "invalid_ike_spi";
2452 showspi = 1;
2453 break;
2454
2455 case IV2_NOTIFY_INVALID_MAJOR_VERSION:
2456 notify_name = "invalid_major_version";
2457 break;
2458
2459 case IV2_NOTIFY_INVALID_SYNTAX:
2460 notify_name = "invalid_syntax";
2461 showspi = 1;
2462 break;
2463
2464 case IV2_NOTIFY_INVALID_MESSAGE_ID:
2465 notify_name = "invalid_message_id";
2466 showspi = 1;
2467 break;
2468
2469 case IV2_NOTIFY_INVALID_SPI:
2470 notify_name = "invalid_spi";
2471 showspi = 1;
2472 break;
2473
2474 case IV2_NOTIFY_NO_PROPOSAL_CHOSEN:
2475 notify_name = "no_proposal_chosen";
2476 showspi = 1;
2477 break;
2478
2479 case IV2_NOTIFY_INVALID_KE_PAYLOAD:
2480 notify_name = "invalid_ke_payload";
2481 showspi = 1;
2482 break;
2483
2484 case IV2_NOTIFY_AUTHENTICATION_FAILED:
2485 notify_name = "authentication_failed";
2486 showspi = 1;
2487 break;
2488
2489 case IV2_NOTIFY_SINGLE_PAIR_REQUIRED:
2490 notify_name = "single_pair_required";
2491 showspi = 1;
2492 break;
2493
2494 case IV2_NOTIFY_NO_ADDITIONAL_SAS:
2495 notify_name = "no_additional_sas";
2496 break;
2497
2498 case IV2_NOTIFY_INTERNAL_ADDRESS_FAILURE:
2499 notify_name = "internal_address_failure";
2500 break;
2501
2502 case IV2_NOTIFY_FAILED_CP_REQUIRED:
2503 notify_name = "failed_cp_required";
2504 break;
2505
2506 case IV2_NOTIFY_TS_UNACCEPTABLE:
2507 notify_name = "ts_unacceptable";
2508 break;
2509
2510 case IV2_NOTIFY_INVALID_SELECTORS:
2511 notify_name = "invalid_selectors";
2512 break;
2513
2514 case IV2_NOTIFY_UNACCEPTABLE_ADDRESSES:
2515 notify_name = "unacceptable_addresses";
2516 break;
2517
2518 case IV2_NOTIFY_UNEXPECTED_NAT_DETECTED:
2519 notify_name = "unexpected_nat_detected";
2520 break;
2521
2522 case IV2_NOTIFY_USE_ASSIGNED_HOA:
2523 notify_name = "use_assigned_hoa";
2524 break;
2525
2526 case IV2_NOTIFY_TEMPORARY_FAILURE:
2527 notify_name = "temporary_failure";
2528 break;
2529
2530 case IV2_NOTIFY_CHILD_SA_NOT_FOUND:
2531 notify_name = "child_sa_not_found";
2532 break;
2533
2534 case IV2_NOTIFY_INVALID_GROUP_ID:
2535 notify_name = "invalid_group_id";
2536 break;
2537
2538 case IV2_NOTIFY_AUTHORIZATION_FAILED:
2539 notify_name = "authorization_failed";
2540 break;
2541
2542 case IV2_NOTIFY_STATE_NOT_FOUND:
2543 notify_name = "state_not_found";
2544 break;
2545
2546 case IV2_NOTIFY_INITIAL_CONTACT:
2547 notify_name = "initial_contact";
2548 break;
2549
2550 case IV2_NOTIFY_SET_WINDOW_SIZE:
2551 notify_name = "set_window_size";
2552 break;
2553
2554 case IV2_NOTIFY_ADDITIONAL_TS_POSSIBLE:
2555 notify_name = "additional_ts_possible";
2556 break;
2557
2558 case IV2_NOTIFY_IPCOMP_SUPPORTED:
2559 notify_name = "ipcomp_supported";
2560 break;
2561
2562 case IV2_NOTIFY_NAT_DETECTION_SOURCE_IP:
2563 notify_name = "nat_detection_source_ip";
2564 showspi = 1;
2565 break;
2566
2567 case IV2_NOTIFY_NAT_DETECTION_DESTINATION_IP:
2568 notify_name = "nat_detection_destination_ip";
2569 showspi = 1;
2570 break;
2571
2572 case IV2_NOTIFY_COOKIE:
2573 notify_name = "cookie";
2574 showspi = 1;
2575 showsomedata= 1;
2576 break;
2577
2578 case IV2_NOTIFY_USE_TRANSPORT_MODE:
2579 notify_name = "use_transport_mode";
2580 break;
2581
2582 case IV2_NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED:
2583 notify_name = "http_cert_lookup_supported";
2584 break;
2585
2586 case IV2_NOTIFY_REKEY_SA:
2587 notify_name = "rekey_sa";
2588 showspi = 1;
2589 break;
2590
2591 case IV2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED:
2592 notify_name = "tfc_padding_not_supported";
2593 break;
2594
2595 case IV2_NOTIFY_NON_FIRST_FRAGMENTS_ALSO:
2596 notify_name = "non_first_fragment_also";
2597 break;
2598
2599 case IV2_NOTIFY_MOBIKE_SUPPORTED:
2600 notify_name = "mobike_supported";
2601 break;
2602
2603 case IV2_NOTIFY_ADDITIONAL_IP4_ADDRESS:
2604 notify_name = "additional_ip4_address";
2605 break;
2606
2607 case IV2_NOTIFY_ADDITIONAL_IP6_ADDRESS:
2608 notify_name = "additional_ip6_address";
2609 break;
2610
2611 case IV2_NOTIFY_NO_ADDITIONAL_ADDRESSES:
2612 notify_name = "no_additional_addresses";
2613 break;
2614
2615 case IV2_NOTIFY_UPDATE_SA_ADDRESSES:
2616 notify_name = "update_sa_addresses";
2617 break;
2618
2619 case IV2_NOTIFY_COOKIE2:
2620 notify_name = "cookie2";
2621 break;
2622
2623 case IV2_NOTIFY_NO_NATS_ALLOWED:
2624 notify_name = "no_nats_allowed";
2625 break;
2626
2627 case IV2_NOTIFY_AUTH_LIFETIME:
2628 notify_name = "auth_lifetime";
2629 break;
2630
2631 case IV2_NOTIFY_MULTIPLE_AUTH_SUPPORTED:
2632 notify_name = "multiple_auth_supported";
2633 break;
2634
2635 case IV2_NOTIFY_ANOTHER_AUTH_FOLLOWS:
2636 notify_name = "another_auth_follows";
2637 break;
2638
2639 case IV2_NOTIFY_REDIRECT_SUPPORTED:
2640 notify_name = "redirect_supported";
2641 break;
2642
2643 case IV2_NOTIFY_REDIRECT:
2644 notify_name = "redirect";
2645 break;
2646
2647 case IV2_NOTIFY_REDIRECTED_FROM:
2648 notify_name = "redirected_from";
2649 break;
2650
2651 case IV2_NOTIFY_TICKET_LT_OPAQUE:
2652 notify_name = "ticket_lt_opaque";
2653 break;
2654
2655 case IV2_NOTIFY_TICKET_REQUEST:
2656 notify_name = "ticket_request";
2657 break;
2658
2659 case IV2_NOTIFY_TICKET_ACK:
2660 notify_name = "ticket_ack";
2661 break;
2662
2663 case IV2_NOTIFY_TICKET_NACK:
2664 notify_name = "ticket_nack";
2665 break;
2666
2667 case IV2_NOTIFY_TICKET_OPAQUE:
2668 notify_name = "ticket_opaque";
2669 break;
2670
2671 case IV2_NOTIFY_LINK_ID:
2672 notify_name = "link_id";
2673 break;
2674
2675 case IV2_NOTIFY_USE_WESP_MODE:
2676 notify_name = "use_wesp_mode";
2677 break;
2678
2679 case IV2_NOTIFY_ROHC_SUPPORTED:
2680 notify_name = "rohc_supported";
2681 break;
2682
2683 case IV2_NOTIFY_EAP_ONLY_AUTHENTICATION:
2684 notify_name = "eap_only_authentication";
2685 break;
2686
2687 case IV2_NOTIFY_CHILDLESS_IKEV2_SUPPORTED:
2688 notify_name = "childless_ikev2_supported";
2689 break;
2690
2691 case IV2_NOTIFY_QUICK_CRASH_DETECTION:
2692 notify_name = "quick_crash_detection";
2693 break;
2694
2695 case IV2_NOTIFY_IKEV2_MESSAGE_ID_SYNC_SUPPORTED:
2696 notify_name = "ikev2_message_id_sync_supported";
2697 break;
2698
2699 case IV2_NOTIFY_IPSEC_REPLAY_COUNTER_SYNC_SUPPORTED:
2700 notify_name = "ipsec_replay_counter_sync_supported";
2701 break;
2702
2703 case IV2_NOTIFY_IKEV2_MESSAGE_ID_SYNC:
2704 notify_name = "ikev2_message_id_sync";
2705 break;
2706
2707 case IV2_NOTIFY_IPSEC_REPLAY_COUNTER_SYNC:
2708 notify_name = "ipsec_replay_counter_sync";
2709 break;
2710
2711 case IV2_NOTIFY_SECURE_PASSWORD_METHODS:
2712 notify_name = "secure_password_methods";
2713 break;
2714
2715 case IV2_NOTIFY_PSK_PERSIST:
2716 notify_name = "psk_persist";
2717 break;
2718
2719 case IV2_NOTIFY_PSK_CONFIRM:
2720 notify_name = "psk_confirm";
2721 break;
2722
2723 case IV2_NOTIFY_ERX_SUPPORTED:
2724 notify_name = "erx_supported";
2725 break;
2726
2727 case IV2_NOTIFY_IFOM_CAPABILITY:
2728 notify_name = "ifom_capability";
2729 break;
2730
2731 case IV2_NOTIFY_SENDER_REQUEST_ID:
2732 notify_name = "sender_request_id";
2733 break;
2734
2735 case IV2_NOTIFY_IKEV2_FRAGMENTATION_SUPPORTED:
2736 notify_name = "ikev2_fragmentation_supported";
2737 break;
2738
2739 case IV2_NOTIFY_SIGNATURE_HASH_ALGORITHMS:
2740 notify_name = "signature_hash_algorithms";
2741 break;
2742
2743 case IV2_NOTIFY_CLONE_IKE_SA_SUPPORTED:
2744 notify_name = "clone_ike_sa_supported";
2745 break;
2746
2747 case IV2_NOTIFY_CLONE_IKE_SA:
2748 notify_name = "clone_ike_sa";
2749 break;
2750
2751 case IV2_NOTIFY_PUZZLE:
2752 notify_name = "puzzle";
2753 break;
2754
2755 case IV2_NOTIFY_USE_PPK:
2756 notify_name = "use_ppk";
2757 break;
2758
2759 case IV2_NOTIFY_PPK_IDENTITY:
2760 notify_name = "ppk_identity";
2761 break;
2762
2763 case IV2_NOTIFY_NO_PPK_AUTH:
2764 notify_name = "no_ppk_auth";
2765 break;
2766
2767 case IV2_NOTIFY_INTERMEDIATE_EXCHANGE_SUPPORTED:
2768 notify_name = "intermediate_exchange_supported";
2769 break;
2770
2771 case IV2_NOTIFY_IP4_ALLOWED:
2772 notify_name = "ip4_allowed";
2773 break;
2774
2775 case IV2_NOTIFY_IP6_ALLOWED:
2776 notify_name = "ip6_allowed";
2777 break;
2778
2779 case IV2_NOTIFY_ADDITIONAL_KEY_EXCHANGE:
2780 notify_name = "additional_key_exchange";
2781 break;
2782
2783 case IV2_NOTIFY_USE_AGGFRAG:
2784 notify_name = "use_aggfrag";
2785 break;
2786
2787 default:
2788 showspi = 1;
2789 if (type < 8192) {
2790 notify_name="error";
2791 } else if(type < 16384) {
2792 notify_name="private-error";
2793 } else if(type < 40960) {
2794 notify_name="status";
2795 } else {
2796 notify_name="private-status";
2797 }
2798 }
2799
2800 if(notify_name) {
2801 ND_PRINT(" type=%u(%s)", type, notify_name);
2802 }
2803
2804
2805 spi_size = GET_U_1(p->spi_size);
2806 if (showspi && spi_size) {
2807 ND_PRINT(" spi=");
2808 if (!rawprint(ndo, (const uint8_t *)(p + 1), spi_size))
2809 goto trunc;
2810 }
2811
2812 cp = (const u_char *)(p + 1) + spi_size;
2813
2814 if (cp < ep) {
2815 if (ndo->ndo_vflag > 3 || (showsomedata && ep-cp < 30)) {
2816 ND_PRINT(" data=(");
2817 if (!rawprint(ndo, (const uint8_t *)(cp), ep - cp))
2818 goto trunc;
2819
2820 ND_PRINT(")");
2821 } else if (showsomedata) {
2822 if (!ike_show_somedata(ndo, cp, ep))
2823 goto trunc;
2824 }
2825 }
2826
2827 return (const u_char *)ext + item_len;
2828 trunc:
2829 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_N));
2830 return NULL;
2831 }
2832
2833 static const u_char *
2834 ikev2_d_print(netdissect_options *ndo, u_char tpay,
2835 const struct isakmp_gen *ext,
2836 u_int item_len, const u_char *ep _U_,
2837 uint32_t phase _U_, uint32_t doi _U_,
2838 uint32_t proto _U_, int depth _U_)
2839 {
2840 return ikev2_gen_print(ndo, tpay, ext, item_len);
2841 }
2842
2843 static const u_char *
2844 ikev2_vid_print(netdissect_options *ndo, u_char tpay,
2845 const struct isakmp_gen *ext,
2846 u_int item_len, const u_char *ep _U_,
2847 uint32_t phase _U_, uint32_t doi _U_,
2848 uint32_t proto _U_, int depth _U_)
2849 {
2850 const u_char *vid;
2851 u_int i, len;
2852
2853 ND_TCHECK_SIZE(ext);
2854 ikev2_pay_print(ndo, NPSTR(tpay), GET_U_1(ext->critical));
2855
2856 /*
2857 * Our caller has ensured that the length is >= 4.
2858 */
2859 ND_PRINT(" len=%u vid=", item_len - 4);
2860
2861 vid = (const u_char *)(ext+1);
2862 len = item_len - 4;
2863 ND_TCHECK_LEN(vid, len);
2864 for(i=0; i<len; i++) {
2865 if(ND_ASCII_ISPRINT(GET_U_1(vid + i)))
2866 ND_PRINT("%c", GET_U_1(vid + i));
2867 else ND_PRINT(".");
2868 }
2869 if (2 < ndo->ndo_vflag && 4 < len) {
2870 /* Print the entire payload in hex */
2871 ND_PRINT(" ");
2872 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
2873 goto trunc;
2874 }
2875 return (const u_char *)ext + item_len;
2876 trunc:
2877 ND_PRINT(" [|%s]", NPSTR(tpay));
2878 return NULL;
2879 }
2880
2881 static const u_char *
2882 ikev2_TS_print(netdissect_options *ndo, u_char tpay,
2883 const struct isakmp_gen *ext,
2884 u_int item_len, const u_char *ep _U_,
2885 uint32_t phase _U_, uint32_t doi _U_,
2886 uint32_t proto _U_, int depth _U_)
2887 {
2888 return ikev2_gen_print(ndo, tpay, ext, item_len);
2889 }
2890
2891 static const u_char *
2892 ikev2_e_print(netdissect_options *ndo,
2893 #ifndef HAVE_LIBCRYPTO
2894 _U_
2895 #endif
2896 const struct isakmp *base,
2897 u_char tpay,
2898 const struct isakmp_gen *ext,
2899 u_int item_len, const u_char *ep _U_,
2900 #ifndef HAVE_LIBCRYPTO
2901 _U_
2902 #endif
2903 uint32_t phase,
2904 #ifndef HAVE_LIBCRYPTO
2905 _U_
2906 #endif
2907 uint32_t doi,
2908 #ifndef HAVE_LIBCRYPTO
2909 _U_
2910 #endif
2911 uint32_t proto,
2912 #ifndef HAVE_LIBCRYPTO
2913 _U_
2914 #endif
2915 int depth)
2916 {
2917 const u_char *dat;
2918 u_int dlen;
2919 #ifdef HAVE_LIBCRYPTO
2920 uint8_t np;
2921 #endif
2922
2923 ND_TCHECK_SIZE(ext);
2924 ikev2_pay_print(ndo, NPSTR(tpay), GET_U_1(ext->critical));
2925
2926 dlen = item_len-4;
2927
2928 ND_PRINT(" len=%u", dlen);
2929 if (2 < ndo->ndo_vflag && 4 < dlen) {
2930 ND_PRINT(" ");
2931 if (!rawprint(ndo, (const uint8_t *)(ext + 1), dlen))
2932 goto trunc;
2933 }
2934
2935 dat = (const u_char *)(ext+1);
2936 ND_TCHECK_LEN(dat, dlen);
2937
2938 #ifdef HAVE_LIBCRYPTO
2939 np = GET_U_1(ext->np);
2940
2941 /* try to decrypt it! */
2942 if(esp_decrypt_buffer_by_ikev2_print(ndo,
2943 GET_U_1(base->flags) & ISAKMP_FLAG_I,
2944 base->i_ck, base->r_ck,
2945 dat, dat+dlen)) {
2946
2947 ext = (const struct isakmp_gen *)ndo->ndo_packetp;
2948
2949 /* got it decrypted, print stuff inside. */
2950 ikev2_sub_print(ndo, base, np, ext,
2951 ndo->ndo_snapend, phase, doi, proto, depth+1);
2952
2953 /*
2954 * esp_decrypt_buffer_by_ikev2_print pushed information
2955 * on the buffer stack; we're done with the buffer, so
2956 * pop it (which frees the buffer)
2957 */
2958 nd_pop_packet_info(ndo);
2959 }
2960 #endif
2961
2962
2963 /* always return NULL, because E must be at end, and NP refers
2964 * to what was inside.
2965 */
2966 return NULL;
2967 trunc:
2968 ND_PRINT(" [|%s]", NPSTR(tpay));
2969 return NULL;
2970 }
2971
2972 static const u_char *
2973 ikev2_cp_print(netdissect_options *ndo, u_char tpay,
2974 const struct isakmp_gen *ext,
2975 u_int item_len, const u_char *ep _U_,
2976 uint32_t phase _U_, uint32_t doi _U_,
2977 uint32_t proto _U_, int depth _U_)
2978 {
2979 return ikev2_gen_print(ndo, tpay, ext, item_len);
2980 }
2981
2982 static const u_char *
2983 ikev2_eap_print(netdissect_options *ndo, u_char tpay,
2984 const struct isakmp_gen *ext,
2985 u_int item_len, const u_char *ep _U_,
2986 uint32_t phase _U_, uint32_t doi _U_,
2987 uint32_t proto _U_, int depth _U_)
2988 {
2989 return ikev2_gen_print(ndo, tpay, ext, item_len);
2990 }
2991
2992 static const u_char *
2993 ike_sub0_print(netdissect_options *ndo,
2994 u_char np, const struct isakmp_gen *ext, const u_char *ep,
2995
2996 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
2997 {
2998 const u_char *cp;
2999 u_int item_len;
3000
3001 cp = (const u_char *)ext;
3002 ND_TCHECK_SIZE(ext);
3003
3004 /*
3005 * Since we can't have a payload length of less than 4 bytes,
3006 * we need to bail out here if the generic header is nonsensical
3007 * or truncated, otherwise we could loop forever processing
3008 * zero-length items or otherwise misdissect the packet.
3009 */
3010 item_len = GET_BE_U_2(ext->len);
3011 if (item_len <= 4)
3012 return NULL;
3013
3014 if (NPFUNC(np)) {
3015 /*
3016 * XXX - what if item_len is too short, or too long,
3017 * for this payload type?
3018 */
3019 cp = (*npfunc[np])(ndo, np, ext, item_len, ep, phase, doi, proto, depth);
3020 } else {
3021 ND_PRINT("%s", NPSTR(np));
3022 cp += item_len;
3023 }
3024
3025 return cp;
3026 trunc:
3027 nd_print_trunc(ndo);
3028 return NULL;
3029 }
3030
3031 static const u_char *
3032 ikev1_sub_print(netdissect_options *ndo,
3033 u_char np, const struct isakmp_gen *ext, const u_char *ep,
3034 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
3035 {
3036 const u_char *cp;
3037 int i;
3038 u_int item_len;
3039
3040 cp = (const u_char *)ext;
3041
3042 while (np) {
3043 ND_TCHECK_SIZE(ext);
3044
3045 item_len = GET_BE_U_2(ext->len);
3046 ND_TCHECK_LEN(ext, item_len);
3047
3048 depth++;
3049 ND_PRINT("\n");
3050 for (i = 0; i < depth; i++)
3051 ND_PRINT(" ");
3052 ND_PRINT("(");
3053 cp = ike_sub0_print(ndo, np, ext, ep, phase, doi, proto, depth);
3054 ND_PRINT(")");
3055 depth--;
3056
3057 if (cp == NULL) {
3058 /* Zero-length subitem */
3059 return NULL;
3060 }
3061
3062 np = GET_U_1(ext->np);
3063 ext = (const struct isakmp_gen *)cp;
3064 }
3065 return cp;
3066 trunc:
3067 ND_PRINT(" [|%s]", NPSTR(np));
3068 return NULL;
3069 }
3070
3071 static char *
3072 numstr(u_int x)
3073 {
3074 static char buf[20];
3075 snprintf(buf, sizeof(buf), "#%u", x);
3076 return buf;
3077 }
3078
3079 static void
3080 ikev1_print(netdissect_options *ndo,
3081 const u_char *bp, u_int length,
3082 const u_char *bp2, const struct isakmp *base)
3083 {
3084 const struct isakmp *p;
3085 const u_char *ep;
3086 u_int flags;
3087 u_char np;
3088 int i;
3089 u_int phase;
3090
3091 p = (const struct isakmp *)bp;
3092 ep = ndo->ndo_snapend;
3093
3094 phase = (GET_BE_U_4(base->msgid) == 0) ? 1 : 2;
3095 if (phase == 1)
3096 ND_PRINT(" phase %u", phase);
3097 else
3098 ND_PRINT(" phase %u/others", phase);
3099
3100 i = cookie_find(&base->i_ck);
3101 if (i < 0) {
3102 if (iszero(ndo, base->r_ck, sizeof(base->r_ck))) {
3103 /* the first packet */
3104 ND_PRINT(" I");
3105 if (bp2)
3106 cookie_record(ndo, &base->i_ck, bp2);
3107 } else
3108 ND_PRINT(" ?");
3109 } else {
3110 if (bp2 && cookie_isinitiator(ndo, i, bp2))
3111 ND_PRINT(" I");
3112 else if (bp2 && cookie_isresponder(ndo, i, bp2))
3113 ND_PRINT(" R");
3114 else
3115 ND_PRINT(" ?");
3116 }
3117
3118 ND_PRINT(" %s", ETYPESTR(GET_U_1(base->etype)));
3119 flags = GET_U_1(base->flags);
3120 if (flags) {
3121 ND_PRINT("[%s%s]", flags & ISAKMP_FLAG_E ? "E" : "",
3122 flags & ISAKMP_FLAG_C ? "C" : "");
3123 }
3124
3125 if (ndo->ndo_vflag) {
3126 const struct isakmp_gen *ext;
3127
3128 ND_PRINT(":");
3129
3130 np = GET_U_1(base->np);
3131
3132 /* regardless of phase... */
3133 if (flags & ISAKMP_FLAG_E) {
3134 /*
3135 * encrypted, nothing we can do right now.
3136 * we hope to decrypt the packet in the future...
3137 */
3138 ND_PRINT(" [encrypted %s]", NPSTR(np));
3139 goto done;
3140 }
3141
3142 CHECKLEN(p + 1, np);
3143 ext = (const struct isakmp_gen *)(p + 1);
3144 ikev1_sub_print(ndo, np, ext, ep, phase, 0, 0, 0);
3145 }
3146
3147 done:
3148 if (ndo->ndo_vflag) {
3149 if (GET_BE_U_4(base->len) != length) {
3150 ND_PRINT(" (len mismatch: isakmp %u/ip %u)",
3151 GET_BE_U_4(base->len), length);
3152 }
3153 }
3154 }
3155
3156 static const u_char *
3157 ikev2_sub0_print(netdissect_options *ndo, const struct isakmp *base,
3158 u_char np,
3159 const struct isakmp_gen *ext, const u_char *ep,
3160 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
3161 {
3162 const u_char *cp;
3163 u_int item_len;
3164
3165 cp = (const u_char *)ext;
3166 ND_TCHECK_SIZE(ext);
3167
3168 /*
3169 * Since we can't have a payload length of less than 4 bytes,
3170 * we need to bail out here if the generic header is nonsensical
3171 * or truncated, otherwise we could loop forever processing
3172 * zero-length items or otherwise misdissect the packet.
3173 */
3174 item_len = GET_BE_U_2(ext->len);
3175 if (item_len <= 4)
3176 return NULL;
3177
3178 if (np == ISAKMP_NPTYPE_v2E) {
3179 cp = ikev2_e_print(ndo, base, np, ext, item_len,
3180 ep, phase, doi, proto, depth);
3181 } else if (NPFUNC(np)) {
3182 /*
3183 * XXX - what if item_len is too short, or too long,
3184 * for this payload type?
3185 */
3186 cp = (*npfunc[np])(ndo, np, ext, item_len,
3187 ep, phase, doi, proto, depth);
3188 } else {
3189 ND_PRINT("%s", NPSTR(np));
3190 cp += item_len;
3191 }
3192
3193 return cp;
3194 trunc:
3195 nd_print_trunc(ndo);
3196 return NULL;
3197 }
3198
3199 static const u_char *
3200 ikev2_sub_print(netdissect_options *ndo,
3201 const struct isakmp *base,
3202 u_char np, const struct isakmp_gen *ext, const u_char *ep,
3203 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
3204 {
3205 const u_char *cp;
3206 int i;
3207
3208 cp = (const u_char *)ext;
3209 while (np) {
3210 ND_TCHECK_SIZE(ext);
3211
3212 ND_TCHECK_LEN(ext, GET_BE_U_2(ext->len));
3213
3214 depth++;
3215 ND_PRINT("\n");
3216 for (i = 0; i < depth; i++)
3217 ND_PRINT(" ");
3218 ND_PRINT("(");
3219 cp = ikev2_sub0_print(ndo, base, np,
3220 ext, ep, phase, doi, proto, depth);
3221 ND_PRINT(")");
3222 depth--;
3223
3224 if (cp == NULL) {
3225 /* Zero-length subitem */
3226 return NULL;
3227 }
3228
3229 np = GET_U_1(ext->np);
3230 ext = (const struct isakmp_gen *)cp;
3231 }
3232 return cp;
3233 trunc:
3234 ND_PRINT(" [|%s]", NPSTR(np));
3235 return NULL;
3236 }
3237
3238 static void
3239 ikev2_print(netdissect_options *ndo,
3240 const u_char *bp, u_int length,
3241 const u_char *bp2 _U_, const struct isakmp *base)
3242 {
3243 const struct isakmp *p;
3244 const u_char *ep;
3245 uint8_t flags;
3246 u_char np;
3247 u_int phase;
3248
3249 p = (const struct isakmp *)bp;
3250 ep = ndo->ndo_snapend;
3251
3252 phase = (GET_BE_U_4(base->msgid) == 0) ? 1 : 2;
3253 if (phase == 1)
3254 ND_PRINT(" parent_sa");
3255 else
3256 ND_PRINT(" child_sa ");
3257
3258 ND_PRINT(" %s", ETYPESTR(GET_U_1(base->etype)));
3259 flags = GET_U_1(base->flags);
3260 if (flags) {
3261 ND_PRINT("[%s%s%s]",
3262 flags & ISAKMP_FLAG_I ? "I" : "",
3263 flags & ISAKMP_FLAG_V ? "V" : "",
3264 flags & ISAKMP_FLAG_R ? "R" : "");
3265 }
3266
3267 if (ndo->ndo_vflag) {
3268 const struct isakmp_gen *ext;
3269
3270 ND_PRINT(":");
3271
3272 np = GET_U_1(base->np);
3273
3274 /* regardless of phase... */
3275 if (flags & ISAKMP_FLAG_E) {
3276 /*
3277 * encrypted, nothing we can do right now.
3278 * we hope to decrypt the packet in the future...
3279 */
3280 ND_PRINT(" [encrypted %s]", NPSTR(np));
3281 goto done;
3282 }
3283
3284 CHECKLEN(p + 1, np)
3285 ext = (const struct isakmp_gen *)(p + 1);
3286 ikev2_sub_print(ndo, base, np, ext, ep, phase, 0, 0, 0);
3287 }
3288
3289 done:
3290 if (ndo->ndo_vflag) {
3291 if (GET_BE_U_4(base->len) != length) {
3292 ND_PRINT(" (len mismatch: isakmp %u/ip %u)",
3293 GET_BE_U_4(base->len), length);
3294 }
3295 }
3296 }
3297
3298 void
3299 isakmp_print(netdissect_options *ndo,
3300 const u_char *bp, u_int length,
3301 const u_char *bp2)
3302 {
3303 const struct isakmp *p;
3304 const u_char *ep;
3305 u_int major, minor;
3306
3307 ndo->ndo_protocol = "isakmp";
3308 #ifdef HAVE_LIBCRYPTO
3309 /* initialize SAs */
3310 if (ndo->ndo_sa_list_head == NULL) {
3311 if (ndo->ndo_espsecret)
3312 esp_decodesecret_print(ndo);
3313 }
3314 #endif
3315
3316 p = (const struct isakmp *)bp;
3317 ep = ndo->ndo_snapend;
3318
3319 if ((const struct isakmp *)ep < p + 1) {
3320 nd_print_trunc(ndo);
3321 return;
3322 }
3323
3324 ND_PRINT("isakmp");
3325 major = (GET_U_1(p->vers) & ISAKMP_VERS_MAJOR)
3326 >> ISAKMP_VERS_MAJOR_SHIFT;
3327 minor = (GET_U_1(p->vers) & ISAKMP_VERS_MINOR)
3328 >> ISAKMP_VERS_MINOR_SHIFT;
3329
3330 if (ndo->ndo_vflag) {
3331 ND_PRINT(" %u.%u", major, minor);
3332 }
3333
3334 if (ndo->ndo_vflag) {
3335 ND_PRINT(" msgid ");
3336 hexprint(ndo, p->msgid, sizeof(p->msgid));
3337 }
3338
3339 if (1 < ndo->ndo_vflag) {
3340 ND_PRINT(" cookie ");
3341 hexprint(ndo, p->i_ck, sizeof(p->i_ck));
3342 ND_PRINT("->");
3343 hexprint(ndo, p->r_ck, sizeof(p->r_ck));
3344 }
3345 ND_PRINT(":");
3346
3347 switch(major) {
3348 case IKEv1_MAJOR_VERSION:
3349 ikev1_print(ndo, bp, length, bp2, p);
3350 break;
3351
3352 case IKEv2_MAJOR_VERSION:
3353 ikev2_print(ndo, bp, length, bp2, p);
3354 break;
3355 }
3356 }
3357
3358 void
3359 isakmp_rfc3948_print(netdissect_options *ndo,
3360 const u_char *bp, u_int length,
3361 const u_char *bp2, int ver, int fragmented, u_int ttl_hl)
3362 {
3363 ndo->ndo_protocol = "isakmp_rfc3948";
3364 if(length == 1 && GET_U_1(bp)==0xff) {
3365 ND_PRINT("isakmp-nat-keep-alive");
3366 return;
3367 }
3368
3369 if(length < 4) {
3370 goto trunc;
3371 }
3372
3373 /*
3374 * see if this is an IKE packet
3375 */
3376 if (GET_BE_U_4(bp) == 0) {
3377 ND_PRINT("NONESP-encap: ");
3378 isakmp_print(ndo, bp+4, length-4, bp2);
3379 return;
3380 }
3381
3382 /* must be an ESP packet */
3383 {
3384 ND_PRINT("UDP-encap: ");
3385
3386 esp_print(ndo, bp, length, bp2, ver, fragmented, ttl_hl);
3387
3388 /*
3389 * Either this has decrypted the payload and
3390 * printed it, in which case there's nothing more
3391 * to do, or it hasn't, in which case there's
3392 * nothing more to do.
3393 */
3394 return;
3395 }
3396
3397 trunc:
3398 nd_print_trunc(ndo);
3399 }
[mirror] the TCPdump network dissector