]> The Tcpdump Group git mirrors - tcpdump/blob - print-isakmp.c
projects / tcpdump / blob
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Fix incompatible pointer types with time functions calls on Windows
[tcpdump] / print-isakmp.c
1 /*
2 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. Neither the name of the project nor the names of its contributors
14 * may be used to endorse or promote products derived from this software
15 * without specific prior written permission.
16 *
17 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27 * SUCH DAMAGE.
28 *
29 */
30
31 /* \summary: Internet Security Association and Key Management Protocol (ISAKMP) printer */
32
33 /* specification: RFC 2407, RFC 2408, RFC 5996 */
34
35 #include <config.h>
36
37 /* The functions from print-esp.c used in this file are only defined when both
38 * OpenSSL and evp.h are detected. Employ the same preprocessor device here.
39 */
40 #ifndef HAVE_OPENSSL_EVP_H
41 #undef HAVE_LIBCRYPTO
42 #endif
43
44 #include "netdissect-stdinc.h"
45
46 #include <string.h>
47
48 #include "netdissect-ctype.h"
49
50 #include "netdissect.h"
51 #include "addrtoname.h"
52 #include "extract.h"
53
54 #include "ip.h"
55 #include "ip6.h"
56 #include "ipproto.h" /* for netdb_protoname() */
57
58 typedef nd_byte cookie_t[8];
59 typedef nd_byte msgid_t[4];
60
61 #define PORT_ISAKMP 500
62
63 /* 3.1 ISAKMP Header Format (IKEv1 and IKEv2)
64 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
65 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
66 ! Initiator !
67 ! Cookie !
68 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
69 ! Responder !
70 ! Cookie !
71 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
72 ! Next Payload ! MjVer ! MnVer ! Exchange Type ! Flags !
73 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
74 ! Message ID !
75 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
76 ! Length !
77 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
78 */
79 struct isakmp {
80 cookie_t i_ck; /* Initiator Cookie */
81 cookie_t r_ck; /* Responder Cookie */
82 nd_uint8_t np; /* Next Payload Type */
83 nd_uint8_t vers;
84 #define ISAKMP_VERS_MAJOR 0xf0
85 #define ISAKMP_VERS_MAJOR_SHIFT 4
86 #define ISAKMP_VERS_MINOR 0x0f
87 #define ISAKMP_VERS_MINOR_SHIFT 0
88 nd_uint8_t etype; /* Exchange Type */
89 nd_uint8_t flags; /* Flags */
90 msgid_t msgid;
91 nd_uint32_t len; /* Length */
92 };
93
94 /* Next Payload Type */
95 #define ISAKMP_NPTYPE_NONE 0 /* NONE*/
96 #define ISAKMP_NPTYPE_SA 1 /* Security Association */
97 #define ISAKMP_NPTYPE_P 2 /* Proposal */
98 #define ISAKMP_NPTYPE_T 3 /* Transform */
99 #define ISAKMP_NPTYPE_KE 4 /* Key Exchange */
100 #define ISAKMP_NPTYPE_ID 5 /* Identification */
101 #define ISAKMP_NPTYPE_CERT 6 /* Certificate */
102 #define ISAKMP_NPTYPE_CR 7 /* Certificate Request */
103 #define ISAKMP_NPTYPE_HASH 8 /* Hash */
104 #define ISAKMP_NPTYPE_SIG 9 /* Signature */
105 #define ISAKMP_NPTYPE_NONCE 10 /* Nonce */
106 #define ISAKMP_NPTYPE_N 11 /* Notification */
107 #define ISAKMP_NPTYPE_D 12 /* Delete */
108 #define ISAKMP_NPTYPE_VID 13 /* Vendor ID */
109 #define ISAKMP_NPTYPE_v2E 46 /* v2 Encrypted payload */
110
111 #define IKEv1_MAJOR_VERSION 1
112 #define IKEv1_MINOR_VERSION 0
113
114 #define IKEv2_MAJOR_VERSION 2
115 #define IKEv2_MINOR_VERSION 0
116
117 /* Flags */
118 #define ISAKMP_FLAG_E 0x01 /* Encryption Bit */
119 #define ISAKMP_FLAG_C 0x02 /* Commit Bit */
120 #define ISAKMP_FLAG_extra 0x04
121
122 /* IKEv2 */
123 #define ISAKMP_FLAG_I (1 << 3) /* (I)nitiator */
124 #define ISAKMP_FLAG_V (1 << 4) /* (V)ersion */
125 #define ISAKMP_FLAG_R (1 << 5) /* (R)esponse */
126
127
128 /* 3.2 Payload Generic Header
129 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
130 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
131 ! Next Payload ! RESERVED ! Payload Length !
132 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
133 */
134 struct isakmp_gen {
135 nd_uint8_t np; /* Next Payload */
136 nd_uint8_t critical; /* bit 7 - critical, rest is RESERVED */
137 nd_uint16_t len; /* Payload Length */
138 };
139
140 /* 3.3 Data Attributes
141 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
142 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
143 !A! Attribute Type ! AF=0 Attribute Length !
144 !F! ! AF=1 Attribute Value !
145 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
146 . AF=0 Attribute Value .
147 . AF=1 Not Transmitted .
148 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
149 */
150 struct isakmp_data {
151 nd_uint16_t type; /* defined by DOI-spec, and Attribute Format */
152 nd_uint16_t lorv; /* if f equal 1, Attribute Length */
153 /* if f equal 0, Attribute Value */
154 /* if f equal 1, Attribute Value */
155 };
156
157 /* 3.4 Security Association Payload */
158 /* MAY NOT be used, because of being defined in ipsec-doi. */
159 /*
160 If the current payload is the last in the message,
161 then the value of the next payload field will be 0.
162 This field MUST NOT contain the
163 values for the Proposal or Transform payloads as they are considered
164 part of the security association negotiation. For example, this
165 field would contain the value "10" (Nonce payload) in the first
166 message of a Base Exchange (see Section 4.4) and the value "0" in the
167 first message of an Identity Protect Exchange (see Section 4.5).
168 */
169 struct ikev1_pl_sa {
170 struct isakmp_gen h;
171 nd_uint32_t doi; /* Domain of Interpretation */
172 nd_uint32_t sit; /* Situation */
173 };
174
175 /* 3.5 Proposal Payload */
176 /*
177 The value of the next payload field MUST only contain the value "2"
178 or "0". If there are additional Proposal payloads in the message,
179 then this field will be 2. If the current Proposal payload is the
180 last within the security association proposal, then this field will
181 be 0.
182 */
183 struct ikev1_pl_p {
184 struct isakmp_gen h;
185 nd_uint8_t p_no; /* Proposal # */
186 nd_uint8_t prot_id; /* Protocol */
187 nd_uint8_t spi_size; /* SPI Size */
188 nd_uint8_t num_t; /* Number of Transforms */
189 /* SPI */
190 };
191
192 /* 3.6 Transform Payload */
193 /*
194 The value of the next payload field MUST only contain the value "3"
195 or "0". If there are additional Transform payloads in the proposal,
196 then this field will be 3. If the current Transform payload is the
197 last within the proposal, then this field will be 0.
198 */
199 struct ikev1_pl_t {
200 struct isakmp_gen h;
201 nd_uint8_t t_no; /* Transform # */
202 nd_uint8_t t_id; /* Transform-Id */
203 nd_byte reserved[2]; /* RESERVED2 */
204 /* SA Attributes */
205 };
206
207 /* 3.7 Key Exchange Payload */
208 struct ikev1_pl_ke {
209 struct isakmp_gen h;
210 /* Key Exchange Data */
211 };
212
213 /* 3.8 Identification Payload */
214 /* MUST NOT to be used, because of being defined in ipsec-doi. */
215 struct ikev1_pl_id {
216 struct isakmp_gen h;
217 union {
218 nd_uint8_t id_type; /* ID Type */
219 nd_uint32_t doi_data; /* DOI Specific ID Data */
220 } d;
221 /* Identification Data */
222 };
223
224 /* 3.9 Certificate Payload */
225 struct ikev1_pl_cert {
226 struct isakmp_gen h;
227 nd_uint8_t encode; /* Cert Encoding */
228 nd_uint8_t cert; /* Certificate Data */
229 /*
230 This field indicates the type of
231 certificate or certificate-related information contained in the
232 Certificate Data field.
233 */
234 };
235
236 /* 3.10 Certificate Request Payload */
237 struct ikev1_pl_cr {
238 struct isakmp_gen h;
239 nd_uint8_t num_cert; /* # Cert. Types */
240 /*
241 Certificate Types (variable length)
242 -- Contains a list of the types of certificates requested,
243 sorted in order of preference. Each individual certificate
244 type is 1 octet. This field is NOT requiredo
245 */
246 /* # Certificate Authorities (1 octet) */
247 /* Certificate Authorities (variable length) */
248 };
249
250 /* 3.11 Hash Payload */
251 /* may not be used, because of having only data. */
252 struct ikev1_pl_hash {
253 struct isakmp_gen h;
254 /* Hash Data */
255 };
256
257 /* 3.12 Signature Payload */
258 /* may not be used, because of having only data. */
259 struct ikev1_pl_sig {
260 struct isakmp_gen h;
261 /* Signature Data */
262 };
263
264 /* 3.13 Nonce Payload */
265 /* may not be used, because of having only data. */
266 struct ikev1_pl_nonce {
267 struct isakmp_gen h;
268 /* Nonce Data */
269 };
270
271 /* 3.14 Notification Payload */
272 struct ikev1_pl_n {
273 struct isakmp_gen h;
274 nd_uint32_t doi; /* Domain of Interpretation */
275 nd_uint8_t prot_id; /* Protocol-ID */
276 nd_uint8_t spi_size; /* SPI Size */
277 nd_uint16_t type; /* Notify Message Type */
278 /* SPI */
279 /* Notification Data */
280 };
281
282 /* 3.14.1 Notify Message Types */
283 /* NOTIFY MESSAGES - ERROR TYPES */
284 #define ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE 1
285 #define ISAKMP_NTYPE_DOI_NOT_SUPPORTED 2
286 #define ISAKMP_NTYPE_SITUATION_NOT_SUPPORTED 3
287 #define ISAKMP_NTYPE_INVALID_COOKIE 4
288 #define ISAKMP_NTYPE_INVALID_MAJOR_VERSION 5
289 #define ISAKMP_NTYPE_INVALID_MINOR_VERSION 6
290 #define ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE 7
291 #define ISAKMP_NTYPE_INVALID_FLAGS 8
292 #define ISAKMP_NTYPE_INVALID_MESSAGE_ID 9
293 #define ISAKMP_NTYPE_INVALID_PROTOCOL_ID 10
294 #define ISAKMP_NTYPE_INVALID_SPI 11
295 #define ISAKMP_NTYPE_INVALID_TRANSFORM_ID 12
296 #define ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED 13
297 #define ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN 14
298 #define ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX 15
299 #define ISAKMP_NTYPE_PAYLOAD_MALFORMED 16
300 #define ISAKMP_NTYPE_INVALID_KEY_INFORMATION 17
301 #define ISAKMP_NTYPE_INVALID_ID_INFORMATION 18
302 #define ISAKMP_NTYPE_INVALID_CERT_ENCODING 19
303 #define ISAKMP_NTYPE_INVALID_CERTIFICATE 20
304 #define ISAKMP_NTYPE_BAD_CERT_REQUEST_SYNTAX 21
305 #define ISAKMP_NTYPE_INVALID_CERT_AUTHORITY 22
306 #define ISAKMP_NTYPE_INVALID_HASH_INFORMATION 23
307 #define ISAKMP_NTYPE_AUTHENTICATION_FAILED 24
308 #define ISAKMP_NTYPE_INVALID_SIGNATURE 25
309 #define ISAKMP_NTYPE_ADDRESS_NOTIFICATION 26
310
311 /* 3.15 Delete Payload */
312 struct ikev1_pl_d {
313 struct isakmp_gen h;
314 nd_uint32_t doi; /* Domain of Interpretation */
315 nd_uint8_t prot_id; /* Protocol-Id */
316 nd_uint8_t spi_size; /* SPI Size */
317 nd_uint16_t num_spi; /* # of SPIs */
318 /* SPI(es) */
319 };
320
321 /* IKEv2 (RFC4306) */
322
323 /* 3.3 Security Association Payload -- generic header */
324 /* 3.3.1. Proposal Substructure */
325 struct ikev2_p {
326 struct isakmp_gen h;
327 nd_uint8_t p_no; /* Proposal # */
328 nd_uint8_t prot_id; /* Protocol */
329 nd_uint8_t spi_size; /* SPI Size */
330 nd_uint8_t num_t; /* Number of Transforms */
331 };
332
333 /* 3.3.2. Transform Substructure */
334 struct ikev2_t {
335 struct isakmp_gen h;
336 nd_uint8_t t_type; /* Transform Type (ENCR,PRF,INTEG,etc.*/
337 nd_byte res2; /* reserved byte */
338 nd_uint16_t t_id; /* Transform ID */
339 };
340
341 enum ikev2_t_type {
342 IV2_T_ENCR = 1,
343 IV2_T_PRF = 2,
344 IV2_T_INTEG= 3,
345 IV2_T_DH = 4,
346 IV2_T_ESN = 5
347 };
348
349 /* 3.4. Key Exchange Payload */
350 struct ikev2_ke {
351 struct isakmp_gen h;
352 nd_uint16_t ke_group;
353 nd_uint16_t ke_res1;
354 /* KE data */
355 };
356
357
358 /* 3.5. Identification Payloads */
359 enum ikev2_id_type {
360 ID_IPV4_ADDR=1,
361 ID_FQDN=2,
362 ID_RFC822_ADDR=3,
363 ID_IPV6_ADDR=5,
364 ID_DER_ASN1_DN=9,
365 ID_DER_ASN1_GN=10,
366 ID_KEY_ID=11
367 };
368 struct ikev2_id {
369 struct isakmp_gen h;
370 nd_uint8_t type; /* ID type */
371 nd_byte res1;
372 nd_byte res2[2];
373 /* SPI */
374 /* Notification Data */
375 };
376
377 /* 3.10 Notification Payload */
378 struct ikev2_n {
379 struct isakmp_gen h;
380 nd_uint8_t prot_id; /* Protocol-ID */
381 nd_uint8_t spi_size; /* SPI Size */
382 nd_uint16_t type; /* Notify Message Type */
383 };
384
385 enum ikev2_n_type {
386 IV2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD = 1, /* [RFC7296] */
387 IV2_NOTIFY_INVALID_IKE_SPI = 4, /* [RFC7296] */
388 IV2_NOTIFY_INVALID_MAJOR_VERSION = 5, /* [RFC7296] */
389 IV2_NOTIFY_INVALID_SYNTAX = 7, /* [RFC7296] */
390 IV2_NOTIFY_INVALID_MESSAGE_ID = 9, /* [RFC7296] */
391 IV2_NOTIFY_INVALID_SPI =11, /* [RFC7296] */
392 IV2_NOTIFY_NO_PROPOSAL_CHOSEN =14, /* [RFC7296] */
393 IV2_NOTIFY_INVALID_KE_PAYLOAD =17, /* [RFC7296] */
394 IV2_NOTIFY_AUTHENTICATION_FAILED =24, /* [RFC7296] */
395 IV2_NOTIFY_SINGLE_PAIR_REQUIRED =34, /* [RFC7296] */
396 IV2_NOTIFY_NO_ADDITIONAL_SAS =35, /* [RFC7296] */
397 IV2_NOTIFY_INTERNAL_ADDRESS_FAILURE =36, /* [RFC7296] */
398 IV2_NOTIFY_FAILED_CP_REQUIRED =37, /* [RFC7296] */
399 IV2_NOTIFY_TS_UNACCEPTABLE =38, /* [RFC7296] */
400 IV2_NOTIFY_INVALID_SELECTORS =39, /* [RFC7296] */
401 IV2_NOTIFY_UNACCEPTABLE_ADDRESSES =40, /* [RFC4555] */
402 IV2_NOTIFY_UNEXPECTED_NAT_DETECTED =41, /* [RFC4555] */
403 IV2_NOTIFY_USE_ASSIGNED_HOA =42, /* [RFC5026] */
404 IV2_NOTIFY_TEMPORARY_FAILURE =43, /* [RFC7296] */
405 IV2_NOTIFY_CHILD_SA_NOT_FOUND =44, /* [RFC7296] */
406 IV2_NOTIFY_INVALID_GROUP_ID =45, /* [draft-yeung-g-ikev2] */
407 IV2_NOTIFY_AUTHORIZATION_FAILED =46, /* [draft-yeung-g-ikev2] */
408 IV2_NOTIFY_STATE_NOT_FOUND =47, /* [RFC-ietf-ipsecme-ikev2-multiple-ke-12] */
409 IV2_NOTIFY_INITIAL_CONTACT =16384, /* [RFC7296] */
410 IV2_NOTIFY_SET_WINDOW_SIZE =16385, /* [RFC7296] */
411 IV2_NOTIFY_ADDITIONAL_TS_POSSIBLE =16386, /* [RFC7296] */
412 IV2_NOTIFY_IPCOMP_SUPPORTED =16387, /* [RFC7296] */
413 IV2_NOTIFY_NAT_DETECTION_SOURCE_IP =16388, /* [RFC7296] */
414 IV2_NOTIFY_NAT_DETECTION_DESTINATION_IP =16389, /* [RFC7296] */
415 IV2_NOTIFY_COOKIE =16390, /* [RFC7296] */
416 IV2_NOTIFY_USE_TRANSPORT_MODE =16391, /* [RFC7296] */
417 IV2_NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED =16392, /* [RFC7296] */
418 IV2_NOTIFY_REKEY_SA =16393, /* [RFC7296] */
419 IV2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED =16394, /* [RFC7296] */
420 IV2_NOTIFY_NON_FIRST_FRAGMENTS_ALSO =16395, /* [RFC7296] */
421 IV2_NOTIFY_MOBIKE_SUPPORTED =16396, /* [RFC4555] */
422 IV2_NOTIFY_ADDITIONAL_IP4_ADDRESS =16397, /* [RFC4555] */
423 IV2_NOTIFY_ADDITIONAL_IP6_ADDRESS =16398, /* [RFC4555] */
424 IV2_NOTIFY_NO_ADDITIONAL_ADDRESSES =16399, /* [RFC4555] */
425 IV2_NOTIFY_UPDATE_SA_ADDRESSES =16400, /* [RFC4555] */
426 IV2_NOTIFY_COOKIE2 =16401, /* [RFC4555] */
427 IV2_NOTIFY_NO_NATS_ALLOWED =16402, /* [RFC4555] */
428 IV2_NOTIFY_AUTH_LIFETIME =16403, /* [RFC4478] */
429 IV2_NOTIFY_MULTIPLE_AUTH_SUPPORTED =16404, /* [RFC4739] */
430 IV2_NOTIFY_ANOTHER_AUTH_FOLLOWS =16405, /* [RFC4739] */
431 IV2_NOTIFY_REDIRECT_SUPPORTED =16406, /* [RFC5685] */
432 IV2_NOTIFY_REDIRECT =16407, /* [RFC5685] */
433 IV2_NOTIFY_REDIRECTED_FROM =16408, /* [RFC5685] */
434 IV2_NOTIFY_TICKET_LT_OPAQUE =16409, /* [RFC5723] */
435 IV2_NOTIFY_TICKET_REQUEST =16410, /* [RFC5723] */
436 IV2_NOTIFY_TICKET_ACK =16411, /* [RFC5723] */
437 IV2_NOTIFY_TICKET_NACK =16412, /* [RFC5723] */
438 IV2_NOTIFY_TICKET_OPAQUE =16413, /* [RFC5723] */
439 IV2_NOTIFY_LINK_ID =16414, /* [RFC5739] */
440 IV2_NOTIFY_USE_WESP_MODE =16415, /* [RFC5840] */
441 IV2_NOTIFY_ROHC_SUPPORTED =16416, /* [RFC5857] */
442 IV2_NOTIFY_EAP_ONLY_AUTHENTICATION =16417, /* [RFC5998] */
443 IV2_NOTIFY_CHILDLESS_IKEV2_SUPPORTED =16418, /* [RFC6023] */
444 IV2_NOTIFY_QUICK_CRASH_DETECTION =16419, /* [RFC6290] */
445 IV2_NOTIFY_IKEV2_MESSAGE_ID_SYNC_SUPPORTED =16420, /* [RFC6311] */
446 IV2_NOTIFY_IPSEC_REPLAY_COUNTER_SYNC_SUPPORTED =16421, /* [RFC6311] */
447 IV2_NOTIFY_IKEV2_MESSAGE_ID_SYNC =16422, /* [RFC6311] */
448 IV2_NOTIFY_IPSEC_REPLAY_COUNTER_SYNC =16423, /* [RFC6311] */
449 IV2_NOTIFY_SECURE_PASSWORD_METHODS =16424, /* [RFC6467] */
450 IV2_NOTIFY_PSK_PERSIST =16425, /* [RFC6631] */
451 IV2_NOTIFY_PSK_CONFIRM =16426, /* [RFC6631] */
452 IV2_NOTIFY_ERX_SUPPORTED =16427, /* [RFC6867] */
453 IV2_NOTIFY_IFOM_CAPABILITY =16428, /* [Frederic_Firmin][3GPP TS 24.303 v10.6.0 annex B.2] */
454 IV2_NOTIFY_SENDER_REQUEST_ID =16429, /* [draft-yeung-g-ikev2] */
455 IV2_NOTIFY_IKEV2_FRAGMENTATION_SUPPORTED =16430, /* [RFC7383] */
456 IV2_NOTIFY_SIGNATURE_HASH_ALGORITHMS =16431, /* [RFC7427] */
457 IV2_NOTIFY_CLONE_IKE_SA_SUPPORTED =16432, /* [RFC7791] */
458 IV2_NOTIFY_CLONE_IKE_SA =16433, /* [RFC7791] */
459 IV2_NOTIFY_PUZZLE =16434, /* [RFC8019] */
460 IV2_NOTIFY_USE_PPK =16435, /* [RFC8784] */
461 IV2_NOTIFY_PPK_IDENTITY =16436, /* [RFC8784] */
462 IV2_NOTIFY_NO_PPK_AUTH =16437, /* [RFC8784] */
463 IV2_NOTIFY_INTERMEDIATE_EXCHANGE_SUPPORTED =16438, /* [RFC9242] */
464 IV2_NOTIFY_IP4_ALLOWED =16439, /* [RFC8983] */
465 IV2_NOTIFY_IP6_ALLOWED =16440, /* [RFC8983] */
466 IV2_NOTIFY_ADDITIONAL_KEY_EXCHANGE =16441, /* [RFC-ietf-ipsecme-ikev2-multiple-ke-12] */
467 IV2_NOTIFY_USE_AGGFRAG =16442 /* [RFC9347] */
468 };
469
470 struct notify_messages {
471 uint16_t type;
472 char *msg;
473 };
474
475 /* 3.8 Authentication Payload */
476 struct ikev2_auth {
477 struct isakmp_gen h;
478 nd_uint8_t auth_method; /* Protocol-ID */
479 nd_byte reserved[3];
480 /* authentication data */
481 };
482
483 enum ikev2_auth_type {
484 IV2_RSA_SIG = 1,
485 IV2_SHARED = 2,
486 IV2_DSS_SIG = 3
487 };
488
489 /* refer to RFC 2409 */
490
491 #if 0
492 /* isakmp sa structure */
493 struct oakley_sa {
494 uint8_t proto_id; /* OAKLEY */
495 vchar_t *spi; /* spi */
496 uint8_t dhgrp; /* DH; group */
497 uint8_t auth_t; /* method of authentication */
498 uint8_t prf_t; /* type of prf */
499 uint8_t hash_t; /* type of hash */
500 uint8_t enc_t; /* type of cipher */
501 uint8_t life_t; /* type of duration of lifetime */
502 uint32_t ldur; /* life duration */
503 };
504 #endif
505
506 /* refer to RFC 2407 */
507
508 #define IPSEC_DOI 1
509
510 /* 4.2 IPSEC Situation Definition */
511 #define IPSECDOI_SIT_IDENTITY_ONLY 0x00000001
512 #define IPSECDOI_SIT_SECRECY 0x00000002
513 #define IPSECDOI_SIT_INTEGRITY 0x00000004
514
515 /* 4.4.1 IPSEC Security Protocol Identifiers */
516 /* 4.4.2 IPSEC ISAKMP Transform Values */
517 #define IPSECDOI_PROTO_ISAKMP 1
518 #define IPSECDOI_KEY_IKE 1
519
520 /* 4.4.1 IPSEC Security Protocol Identifiers */
521 #define IPSECDOI_PROTO_IPSEC_AH 2
522 /* 4.4.3 IPSEC AH Transform Values */
523 #define IPSECDOI_AH_MD5 2
524 #define IPSECDOI_AH_SHA 3
525 #define IPSECDOI_AH_DES 4
526 #define IPSECDOI_AH_SHA2_256 5
527 #define IPSECDOI_AH_SHA2_384 6
528 #define IPSECDOI_AH_SHA2_512 7
529
530 /* 4.4.1 IPSEC Security Protocol Identifiers */
531 #define IPSECDOI_PROTO_IPSEC_ESP 3
532 /* 4.4.4 IPSEC ESP Transform Identifiers */
533 #define IPSECDOI_ESP_DES_IV64 1
534 #define IPSECDOI_ESP_DES 2
535 #define IPSECDOI_ESP_3DES 3
536 #define IPSECDOI_ESP_RC5 4
537 #define IPSECDOI_ESP_IDEA 5
538 #define IPSECDOI_ESP_CAST 6
539 #define IPSECDOI_ESP_BLOWFISH 7
540 #define IPSECDOI_ESP_3IDEA 8
541 #define IPSECDOI_ESP_DES_IV32 9
542 #define IPSECDOI_ESP_RC4 10
543 #define IPSECDOI_ESP_NULL 11
544 #define IPSECDOI_ESP_RIJNDAEL 12
545 #define IPSECDOI_ESP_AES 12
546
547 /* 4.4.1 IPSEC Security Protocol Identifiers */
548 #define IPSECDOI_PROTO_IPCOMP 4
549 /* 4.4.5 IPSEC IPCOMP Transform Identifiers */
550 #define IPSECDOI_IPCOMP_OUI 1
551 #define IPSECDOI_IPCOMP_DEFLATE 2
552 #define IPSECDOI_IPCOMP_LZS 3
553
554 /* 4.5 IPSEC Security Association Attributes */
555 #define IPSECDOI_ATTR_SA_LTYPE 1 /* B */
556 #define IPSECDOI_ATTR_SA_LTYPE_DEFAULT 1
557 #define IPSECDOI_ATTR_SA_LTYPE_SEC 1
558 #define IPSECDOI_ATTR_SA_LTYPE_KB 2
559 #define IPSECDOI_ATTR_SA_LDUR 2 /* V */
560 #define IPSECDOI_ATTR_SA_LDUR_DEFAULT 28800 /* 8 hours */
561 #define IPSECDOI_ATTR_GRP_DESC 3 /* B */
562 #define IPSECDOI_ATTR_ENC_MODE 4 /* B */
563 /* default value: host dependent */
564 #define IPSECDOI_ATTR_ENC_MODE_TUNNEL 1
565 #define IPSECDOI_ATTR_ENC_MODE_TRNS 2
566 #define IPSECDOI_ATTR_AUTH 5 /* B */
567 /* 0 means not to use authentication. */
568 #define IPSECDOI_ATTR_AUTH_HMAC_MD5 1
569 #define IPSECDOI_ATTR_AUTH_HMAC_SHA1 2
570 #define IPSECDOI_ATTR_AUTH_DES_MAC 3
571 #define IPSECDOI_ATTR_AUTH_KPDK 4 /*RFC-1826(Key/Pad/Data/Key)*/
572 /*
573 * When negotiating ESP without authentication, the Auth
574 * Algorithm attribute MUST NOT be included in the proposal.
575 * When negotiating ESP without confidentiality, the Auth
576 * Algorithm attribute MUST be included in the proposal and
577 * the ESP transform ID must be ESP_NULL.
578 */
579 #define IPSECDOI_ATTR_KEY_LENGTH 6 /* B */
580 #define IPSECDOI_ATTR_KEY_ROUNDS 7 /* B */
581 #define IPSECDOI_ATTR_COMP_DICT_SIZE 8 /* B */
582 #define IPSECDOI_ATTR_COMP_PRIVALG 9 /* V */
583
584 /* 4.6.1 Security Association Payload */
585 struct ipsecdoi_sa {
586 struct isakmp_gen h;
587 nd_uint32_t doi; /* Domain of Interpretation */
588 nd_uint32_t sit; /* Situation */
589 };
590
591 struct ipsecdoi_secrecy_h {
592 nd_uint16_t len;
593 nd_uint16_t reserved;
594 };
595
596 /* 4.6.2.1 Identification Type Values */
597 struct ipsecdoi_id {
598 struct isakmp_gen h;
599 nd_uint8_t type; /* ID Type */
600 nd_uint8_t proto_id; /* Protocol ID */
601 nd_uint16_t port; /* Port */
602 /* Identification Data */
603 };
604
605 #define IPSECDOI_ID_IPV4_ADDR 1
606 #define IPSECDOI_ID_FQDN 2
607 #define IPSECDOI_ID_USER_FQDN 3
608 #define IPSECDOI_ID_IPV4_ADDR_SUBNET 4
609 #define IPSECDOI_ID_IPV6_ADDR 5
610 #define IPSECDOI_ID_IPV6_ADDR_SUBNET 6
611 #define IPSECDOI_ID_IPV4_ADDR_RANGE 7
612 #define IPSECDOI_ID_IPV6_ADDR_RANGE 8
613 #define IPSECDOI_ID_DER_ASN1_DN 9
614 #define IPSECDOI_ID_DER_ASN1_GN 10
615 #define IPSECDOI_ID_KEY_ID 11
616
617 /* 4.6.3 IPSEC DOI Notify Message Types */
618 /* Notify Messages - Status Types */
619 #define IPSECDOI_NTYPE_RESPONDER_LIFETIME 24576
620 #define IPSECDOI_NTYPE_REPLAY_STATUS 24577
621 #define IPSECDOI_NTYPE_INITIAL_CONTACT 24578
622
623 #define DECLARE_PRINTER(func) static const u_char *ike##func##_print( \
624 netdissect_options *ndo, u_char tpay, \
625 const struct isakmp_gen *ext, \
626 u_int item_len, \
627 const u_char *end_pointer, \
628 uint32_t phase,\
629 uint32_t doi0, \
630 uint32_t proto0, int depth)
631
632 DECLARE_PRINTER(v1_sa);
633 DECLARE_PRINTER(v1_p);
634 DECLARE_PRINTER(v1_t);
635 DECLARE_PRINTER(v1_ke);
636 DECLARE_PRINTER(v1_id);
637 DECLARE_PRINTER(v1_cert);
638 DECLARE_PRINTER(v1_cr);
639 DECLARE_PRINTER(v1_sig);
640 DECLARE_PRINTER(v1_hash);
641 DECLARE_PRINTER(v1_nonce);
642 DECLARE_PRINTER(v1_n);
643 DECLARE_PRINTER(v1_d);
644 DECLARE_PRINTER(v1_vid);
645
646 DECLARE_PRINTER(v2_sa);
647 DECLARE_PRINTER(v2_ke);
648 DECLARE_PRINTER(v2_ID);
649 DECLARE_PRINTER(v2_cert);
650 DECLARE_PRINTER(v2_cr);
651 DECLARE_PRINTER(v2_auth);
652 DECLARE_PRINTER(v2_nonce);
653 DECLARE_PRINTER(v2_n);
654 DECLARE_PRINTER(v2_d);
655 DECLARE_PRINTER(v2_vid);
656 DECLARE_PRINTER(v2_TS);
657 DECLARE_PRINTER(v2_cp);
658 DECLARE_PRINTER(v2_eap);
659
660 static const u_char *ikev2_e_print(netdissect_options *ndo,
661 const struct isakmp *base,
662 u_char tpay,
663 const struct isakmp_gen *ext,
664 u_int item_len,
665 const u_char *end_pointer,
666 uint32_t phase,
667 uint32_t doi0,
668 uint32_t proto0, int depth);
669
670
671 static const u_char *ike_sub0_print(netdissect_options *ndo,u_char, const struct isakmp_gen *,
672 const u_char *, uint32_t, uint32_t, uint32_t, int);
673 static const u_char *ikev1_sub_print(netdissect_options *ndo,u_char, const struct isakmp_gen *,
674 const u_char *, uint32_t, uint32_t, uint32_t, int);
675
676 static const u_char *ikev2_sub_print(netdissect_options *ndo,
677 const struct isakmp *base,
678 u_char np, const struct isakmp_gen *ext,
679 const u_char *ep, uint32_t phase,
680 uint32_t doi, uint32_t proto,
681 int depth);
682
683
684 static char *numstr(u_int);
685
686 static void
687 ikev1_print(netdissect_options *ndo,
688 const u_char *bp, u_int length,
689 const u_char *bp2, const struct isakmp *base);
690
691 #define MAXINITIATORS 20
692 static int ninitiator = 0;
693 union inaddr_u {
694 nd_ipv4 in4;
695 nd_ipv6 in6;
696 };
697 static struct {
698 cookie_t initiator;
699 u_int version;
700 union inaddr_u iaddr;
701 union inaddr_u raddr;
702 } cookiecache[MAXINITIATORS];
703
704 /* protocol id */
705 static const char *protoidstr[] = {
706 NULL, "isakmp", "ipsec-ah", "ipsec-esp", "ipcomp",
707 };
708
709 /* isakmp->np */
710 static const char *npstr[] = {
711 "none", "sa", "p", "t", "ke", "id", "cert", "cr", "hash", /* 0 - 8 */
712 "sig", "nonce", "n", "d", "vid", /* 9 - 13 */
713 "pay14", "pay15", "pay16", "pay17", "pay18", /* 14- 18 */
714 "pay19", "pay20", "pay21", "pay22", "pay23", /* 19- 23 */
715 "pay24", "pay25", "pay26", "pay27", "pay28", /* 24- 28 */
716 "pay29", "pay30", "pay31", "pay32", /* 29- 32 */
717 "v2sa", "v2ke", "v2IDi", "v2IDr", "v2cert",/* 33- 37 */
718 "v2cr", "v2auth","v2nonce", "v2n", "v2d", /* 38- 42 */
719 "v2vid", "v2TSi", "v2TSr", "v2e", "v2cp", /* 43- 47 */
720 "v2eap", /* 48 */
721
722 };
723
724 /* isakmp->np */
725 static const u_char *(*npfunc[])(netdissect_options *ndo, u_char tpay,
726 const struct isakmp_gen *ext,
727 u_int item_len,
728 const u_char *end_pointer,
729 uint32_t phase,
730 uint32_t doi0,
731 uint32_t proto0, int depth) = {
732 NULL,
733 ikev1_sa_print,
734 ikev1_p_print,
735 ikev1_t_print,
736 ikev1_ke_print,
737 ikev1_id_print,
738 ikev1_cert_print,
739 ikev1_cr_print,
740 ikev1_hash_print,
741 ikev1_sig_print,
742 ikev1_nonce_print,
743 ikev1_n_print,
744 ikev1_d_print,
745 ikev1_vid_print, /* 13 */
746 NULL, NULL, NULL, NULL, NULL, /* 14- 18 */
747 NULL, NULL, NULL, NULL, NULL, /* 19- 23 */
748 NULL, NULL, NULL, NULL, NULL, /* 24- 28 */
749 NULL, NULL, NULL, NULL, /* 29- 32 */
750 ikev2_sa_print, /* 33 */
751 ikev2_ke_print, /* 34 */
752 ikev2_ID_print, /* 35 */
753 ikev2_ID_print, /* 36 */
754 ikev2_cert_print, /* 37 */
755 ikev2_cr_print, /* 38 */
756 ikev2_auth_print, /* 39 */
757 ikev2_nonce_print, /* 40 */
758 ikev2_n_print, /* 41 */
759 ikev2_d_print, /* 42 */
760 ikev2_vid_print, /* 43 */
761 ikev2_TS_print, /* 44 */
762 ikev2_TS_print, /* 45 */
763 NULL, /* ikev2_e_print,*/ /* 46 - special */
764 ikev2_cp_print, /* 47 */
765 ikev2_eap_print, /* 48 */
766 };
767
768 /* isakmp->etype */
769 static const char *etypestr[] = {
770 /* IKEv1 exchange types */
771 "none", "base", "ident", "auth", "agg", "inf", NULL, NULL, /* 0-7 */
772 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 8-15 */
773 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 16-23 */
774 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 24-31 */
775 "oakley-quick", "oakley-newgroup", /* 32-33 */
776 /* IKEv2 exchange types */
777 "ikev2_init", "ikev2_auth", "child_sa", "inf2" /* 34-37 */
778 };
779
780 #define STR_OR_ID(x, tab) \
781 (((x) < sizeof(tab)/sizeof(tab[0]) && tab[(x)]) ? tab[(x)] : numstr(x))
782 #define PROTOIDSTR(x) STR_OR_ID(x, protoidstr)
783 #define NPSTR(x) STR_OR_ID(x, npstr)
784 #define ETYPESTR(x) STR_OR_ID(x, etypestr)
785
786 #define CHECKLEN(p, np) \
787 if (ep < (const u_char *)(p)) { \
788 ND_PRINT(" [|%s]", NPSTR(np)); \
789 goto done; \
790 }
791
792
793 #define NPFUNC(x) \
794 (((x) < sizeof(npfunc)/sizeof(npfunc[0]) && npfunc[(x)]) \
795 ? npfunc[(x)] : NULL)
796
797 static int
798 iszero(netdissect_options *ndo, const u_char *p, size_t l)
799 {
800 while (l != 0) {
801 if (GET_U_1(p))
802 return 0;
803 p++;
804 l--;
805 }
806 return 1;
807 }
808
809 /* find cookie from initiator cache */
810 static int
811 cookie_find(const cookie_t *in)
812 {
813 int i;
814
815 for (i = 0; i < MAXINITIATORS; i++) {
816 if (memcmp(in, &cookiecache[i].initiator, sizeof(*in)) == 0)
817 return i;
818 }
819
820 return -1;
821 }
822
823 /* record initiator */
824 static void
825 cookie_record(netdissect_options *ndo, const cookie_t *in, const u_char *bp2)
826 {
827 int i;
828 const struct ip *ip;
829 const struct ip6_hdr *ip6;
830
831 i = cookie_find(in);
832 if (0 <= i) {
833 ninitiator = (i + 1) % MAXINITIATORS;
834 return;
835 }
836
837 ip = (const struct ip *)bp2;
838 switch (IP_V(ip)) {
839 case 4:
840 cookiecache[ninitiator].version = 4;
841 UNALIGNED_MEMCPY(&cookiecache[ninitiator].iaddr.in4,
842 ip->ip_src, sizeof(nd_ipv4));
843 UNALIGNED_MEMCPY(&cookiecache[ninitiator].raddr.in4,
844 ip->ip_dst, sizeof(nd_ipv4));
845 break;
846 case 6:
847 ip6 = (const struct ip6_hdr *)bp2;
848 cookiecache[ninitiator].version = 6;
849 UNALIGNED_MEMCPY(&cookiecache[ninitiator].iaddr.in6,
850 ip6->ip6_src, sizeof(nd_ipv6));
851 UNALIGNED_MEMCPY(&cookiecache[ninitiator].raddr.in6,
852 ip6->ip6_dst, sizeof(nd_ipv6));
853 break;
854 default:
855 return;
856 }
857 UNALIGNED_MEMCPY(&cookiecache[ninitiator].initiator, in, sizeof(*in));
858 ninitiator = (ninitiator + 1) % MAXINITIATORS;
859 }
860
861 #define cookie_isinitiator(ndo, x, y) cookie_sidecheck(ndo, (x), (y), 1)
862 #define cookie_isresponder(ndo, x, y) cookie_sidecheck(ndo, (x), (y), 0)
863 static int
864 cookie_sidecheck(netdissect_options *ndo, int i, const u_char *bp2, int initiator)
865 {
866 const struct ip *ip;
867 const struct ip6_hdr *ip6;
868
869 ip = (const struct ip *)bp2;
870 switch (IP_V(ip)) {
871 case 4:
872 if (cookiecache[i].version != 4)
873 return 0;
874 if (initiator) {
875 if (UNALIGNED_MEMCMP(ip->ip_src, &cookiecache[i].iaddr.in4, sizeof(nd_ipv4)) == 0)
876 return 1;
877 } else {
878 if (UNALIGNED_MEMCMP(ip->ip_src, &cookiecache[i].raddr.in4, sizeof(nd_ipv4)) == 0)
879 return 1;
880 }
881 break;
882 case 6:
883 if (cookiecache[i].version != 6)
884 return 0;
885 ip6 = (const struct ip6_hdr *)bp2;
886 if (initiator) {
887 if (UNALIGNED_MEMCMP(ip6->ip6_src, &cookiecache[i].iaddr.in6, sizeof(nd_ipv6)) == 0)
888 return 1;
889 } else {
890 if (UNALIGNED_MEMCMP(ip6->ip6_src, &cookiecache[i].raddr.in6, sizeof(nd_ipv6)) == 0)
891 return 1;
892 }
893 break;
894 default:
895 break;
896 }
897
898 return 0;
899 }
900
901 static void
902 hexprint(netdissect_options *ndo, const uint8_t *loc, size_t len)
903 {
904 const uint8_t *p;
905 size_t i;
906
907 p = loc;
908 for (i = 0; i < len; i++)
909 ND_PRINT("%02x", p[i] & 0xff);
910 }
911
912 static int
913 rawprint(netdissect_options *ndo, const uint8_t *loc, size_t len)
914 {
915 ND_TCHECK_LEN(loc, len);
916
917 hexprint(ndo, loc, len);
918 return 1;
919 trunc:
920 return 0;
921 }
922
923
924 /*
925 * returns false if we run out of data buffer
926 */
927 static int ike_show_somedata(netdissect_options *ndo,
928 const u_char *cp, const u_char *ep)
929 {
930 /* there is too much data, just show some of it */
931 const u_char *end = ep - 20;
932 size_t elen = 20;
933 size_t len = ep - cp;
934 if(len > 10) {
935 len = 10;
936 }
937
938 /* really shouldn't happen because of above */
939 if(end < cp + len) {
940 end = cp+len;
941 elen = ep - end;
942 }
943
944 ND_PRINT(" data=(");
945 if(!rawprint(ndo, (const uint8_t *)(cp), len)) goto trunc;
946 ND_PRINT("...");
947 if(elen) {
948 if(!rawprint(ndo, (const uint8_t *)(end), elen)) goto trunc;
949 }
950 ND_PRINT(")");
951 return 1;
952
953 trunc:
954 return 0;
955 }
956
957 struct attrmap {
958 const char *type;
959 u_int nvalue;
960 const char *value[30]; /*XXX*/
961 };
962
963 static const u_char *
964 ikev1_attrmap_print(netdissect_options *ndo,
965 const u_char *p, const u_char *ep2,
966 const struct attrmap *map, size_t nmap)
967 {
968 u_int totlen;
969 uint32_t t, v;
970
971 if (GET_U_1(p) & 0x80)
972 totlen = 4;
973 else {
974 totlen = 4 + GET_BE_U_2(p + 2);
975 }
976 if (ep2 < p + totlen) {
977 ND_PRINT("[|attr]");
978 return ep2 + 1;
979 }
980
981 ND_PRINT("(");
982 t = GET_BE_U_2(p) & 0x7fff;
983 if (map && t < nmap && map[t].type)
984 ND_PRINT("type=%s ", map[t].type);
985 else
986 ND_PRINT("type=#%u ", t);
987 if (GET_U_1(p) & 0x80) {
988 ND_PRINT("value=");
989 v = GET_BE_U_2(p + 2);
990 if (map && t < nmap && v < map[t].nvalue && map[t].value[v])
991 ND_PRINT("%s", map[t].value[v]);
992 else {
993 if (!rawprint(ndo, (const uint8_t *)(p + 2), 2)) {
994 ND_PRINT(")");
995 goto trunc;
996 }
997 }
998 } else {
999 ND_PRINT("len=%u value=", totlen - 4);
1000 if (!rawprint(ndo, (const uint8_t *)(p + 4), totlen - 4)) {
1001 ND_PRINT(")");
1002 goto trunc;
1003 }
1004 }
1005 ND_PRINT(")");
1006 return p + totlen;
1007
1008 trunc:
1009 return NULL;
1010 }
1011
1012 static const u_char *
1013 ikev1_attr_print(netdissect_options *ndo, const u_char *p, const u_char *ep2)
1014 {
1015 u_int totlen;
1016 uint32_t t;
1017
1018 if (GET_U_1(p) & 0x80)
1019 totlen = 4;
1020 else {
1021 totlen = 4 + GET_BE_U_2(p + 2);
1022 }
1023 if (ep2 < p + totlen) {
1024 ND_PRINT("[|attr]");
1025 return ep2 + 1;
1026 }
1027
1028 ND_PRINT("(");
1029 t = GET_BE_U_2(p) & 0x7fff;
1030 ND_PRINT("type=#%u ", t);
1031 if (GET_U_1(p) & 0x80) {
1032 ND_PRINT("value=");
1033 t = GET_U_1(p + 2);
1034 if (!rawprint(ndo, (const uint8_t *)(p + 2), 2)) {
1035 ND_PRINT(")");
1036 goto trunc;
1037 }
1038 } else {
1039 ND_PRINT("len=%u value=", totlen - 4);
1040 if (!rawprint(ndo, (const uint8_t *)(p + 4), totlen - 4)) {
1041 ND_PRINT(")");
1042 goto trunc;
1043 }
1044 }
1045 ND_PRINT(")");
1046 return p + totlen;
1047
1048 trunc:
1049 return NULL;
1050 }
1051
1052 static const u_char *
1053 ikev1_sa_print(netdissect_options *ndo, u_char tpay _U_,
1054 const struct isakmp_gen *ext,
1055 u_int item_len _U_,
1056 const u_char *ep, uint32_t phase, uint32_t doi0 _U_,
1057 uint32_t proto0, int depth)
1058 {
1059 const struct ikev1_pl_sa *p;
1060 uint32_t doi, sit, ident;
1061 const u_char *cp, *np;
1062 int t;
1063
1064 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_SA));
1065
1066 p = (const struct ikev1_pl_sa *)ext;
1067 ND_TCHECK_SIZE(p);
1068 doi = GET_BE_U_4(p->doi);
1069 sit = GET_BE_U_4(p->sit);
1070 if (doi != 1) {
1071 ND_PRINT(" doi=%u", doi);
1072 ND_PRINT(" situation=%u", sit);
1073 return (const u_char *)(p + 1);
1074 }
1075
1076 ND_PRINT(" doi=ipsec");
1077 ND_PRINT(" situation=");
1078 t = 0;
1079 if (sit & 0x01) {
1080 ND_PRINT("identity");
1081 t++;
1082 }
1083 if (sit & 0x02) {
1084 ND_PRINT("%ssecrecy", t ? "+" : "");
1085 t++;
1086 }
1087 if (sit & 0x04)
1088 ND_PRINT("%sintegrity", t ? "+" : "");
1089
1090 np = (const u_char *)ext + sizeof(struct ikev1_pl_sa);
1091 if (sit != 0x01) {
1092 ident = GET_BE_U_4(ext + 1);
1093 ND_PRINT(" ident=%u", ident);
1094 np += sizeof(ident);
1095 }
1096
1097 ext = (const struct isakmp_gen *)np;
1098 ND_TCHECK_SIZE(ext);
1099
1100 cp = ikev1_sub_print(ndo, ISAKMP_NPTYPE_P, ext, ep, phase, doi, proto0,
1101 depth);
1102
1103 return cp;
1104 trunc:
1105 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_SA));
1106 return NULL;
1107 }
1108
1109 static const u_char *
1110 ikev1_p_print(netdissect_options *ndo, u_char tpay _U_,
1111 const struct isakmp_gen *ext, u_int item_len _U_,
1112 const u_char *ep, uint32_t phase, uint32_t doi0,
1113 uint32_t proto0 _U_, int depth)
1114 {
1115 const struct ikev1_pl_p *p;
1116 const u_char *cp;
1117 uint8_t spi_size;
1118
1119 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_P));
1120
1121 p = (const struct ikev1_pl_p *)ext;
1122 ND_TCHECK_SIZE(p);
1123 ND_PRINT(" #%u protoid=%s transform=%u",
1124 GET_U_1(p->p_no), PROTOIDSTR(GET_U_1(p->prot_id)),
1125 GET_U_1(p->num_t));
1126 spi_size = GET_U_1(p->spi_size);
1127 if (spi_size) {
1128 ND_PRINT(" spi=");
1129 if (!rawprint(ndo, (const uint8_t *)(p + 1), spi_size))
1130 goto trunc;
1131 }
1132
1133 ext = (const struct isakmp_gen *)((const u_char *)(p + 1) + spi_size);
1134 ND_TCHECK_SIZE(ext);
1135
1136 cp = ikev1_sub_print(ndo, ISAKMP_NPTYPE_T, ext, ep, phase, doi0,
1137 GET_U_1(p->prot_id), depth);
1138
1139 return cp;
1140 trunc:
1141 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_P));
1142 return NULL;
1143 }
1144
1145 static const char *ikev1_p_map[] = {
1146 NULL, "ike",
1147 };
1148
1149 static const char *ikev2_t_type_map[]={
1150 NULL, "encr", "prf", "integ", "dh", "esn"
1151 };
1152
1153 static const char *ah_p_map[] = {
1154 NULL, "(reserved)", "md5", "sha", "1des",
1155 "sha2-256", "sha2-384", "sha2-512",
1156 };
1157
1158 static const char *prf_p_map[] = {
1159 NULL, "hmac-md5", "hmac-sha", "hmac-tiger",
1160 "aes128_xcbc"
1161 };
1162
1163 static const char *integ_p_map[] = {
1164 NULL, "hmac-md5", "hmac-sha", "dec-mac",
1165 "kpdk-md5", "aes-xcbc"
1166 };
1167
1168 static const char *esn_p_map[] = {
1169 "no-esn", "esn"
1170 };
1171
1172 static const char *dh_p_map[] = {
1173 NULL, "modp768",
1174 "modp1024", /* group 2 */
1175 "EC2N 2^155", /* group 3 */
1176 "EC2N 2^185", /* group 4 */
1177 "modp1536", /* group 5 */
1178 "iana-grp06", "iana-grp07", /* reserved */
1179 "iana-grp08", "iana-grp09",
1180 "iana-grp10", "iana-grp11",
1181 "iana-grp12", "iana-grp13",
1182 "modp2048", /* group 14 */
1183 "modp3072", /* group 15 */
1184 "modp4096", /* group 16 */
1185 "modp6144", /* group 17 */
1186 "modp8192", /* group 18 */
1187 };
1188
1189 static const char *esp_p_map[] = {
1190 NULL, "1des-iv64", "1des", "3des", "rc5", "idea", "cast",
1191 "blowfish", "3idea", "1des-iv32", "rc4", "null", "aes"
1192 };
1193
1194 static const char *ipcomp_p_map[] = {
1195 NULL, "oui", "deflate", "lzs",
1196 };
1197
1198 static const struct attrmap ipsec_t_map[] = {
1199 { NULL, 0, { NULL } },
1200 { "lifetype", 3, { NULL, "sec", "kb", }, },
1201 { "life", 0, { NULL } },
1202 { "group desc", 18, { NULL, "modp768",
1203 "modp1024", /* group 2 */
1204 "EC2N 2^155", /* group 3 */
1205 "EC2N 2^185", /* group 4 */
1206 "modp1536", /* group 5 */
1207 "iana-grp06", "iana-grp07", /* reserved */
1208 "iana-grp08", "iana-grp09",
1209 "iana-grp10", "iana-grp11",
1210 "iana-grp12", "iana-grp13",
1211 "modp2048", /* group 14 */
1212 "modp3072", /* group 15 */
1213 "modp4096", /* group 16 */
1214 "modp6144", /* group 17 */
1215 "modp8192", /* group 18 */
1216 }, },
1217 { "enc mode", 3, { NULL, "tunnel", "transport", }, },
1218 { "auth", 5, { NULL, "hmac-md5", "hmac-sha1", "1des-mac", "keyed", }, },
1219 { "keylen", 0, { NULL } },
1220 { "rounds", 0, { NULL } },
1221 { "dictsize", 0, { NULL } },
1222 { "privalg", 0, { NULL } },
1223 };
1224
1225 static const struct attrmap encr_t_map[] = {
1226 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 0, 1 */
1227 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 2, 3 */
1228 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 4, 5 */
1229 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 6, 7 */
1230 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 8, 9 */
1231 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 10,11*/
1232 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 12,13*/
1233 { "keylen", 14, { NULL }},
1234 };
1235
1236 static const struct attrmap oakley_t_map[] = {
1237 { NULL, 0, { NULL } },
1238 { "enc", 8, { NULL, "1des", "idea", "blowfish", "rc5",
1239 "3des", "cast", "aes", }, },
1240 { "hash", 7, { NULL, "md5", "sha1", "tiger",
1241 "sha2-256", "sha2-384", "sha2-512", }, },
1242 { "auth", 6, { NULL, "preshared", "dss", "rsa sig", "rsa enc",
1243 "rsa enc revised", }, },
1244 { "group desc", 18, { NULL, "modp768",
1245 "modp1024", /* group 2 */
1246 "EC2N 2^155", /* group 3 */
1247 "EC2N 2^185", /* group 4 */
1248 "modp1536", /* group 5 */
1249 "iana-grp06", "iana-grp07", /* reserved */
1250 "iana-grp08", "iana-grp09",
1251 "iana-grp10", "iana-grp11",
1252 "iana-grp12", "iana-grp13",
1253 "modp2048", /* group 14 */
1254 "modp3072", /* group 15 */
1255 "modp4096", /* group 16 */
1256 "modp6144", /* group 17 */
1257 "modp8192", /* group 18 */
1258 }, },
1259 { "group type", 4, { NULL, "MODP", "ECP", "EC2N", }, },
1260 { "group prime", 0, { NULL } },
1261 { "group gen1", 0, { NULL } },
1262 { "group gen2", 0, { NULL } },
1263 { "group curve A", 0, { NULL } },
1264 { "group curve B", 0, { NULL } },
1265 { "lifetype", 3, { NULL, "sec", "kb", }, },
1266 { "lifeduration", 0, { NULL } },
1267 { "prf", 0, { NULL } },
1268 { "keylen", 0, { NULL } },
1269 { "field", 0, { NULL } },
1270 { "order", 0, { NULL } },
1271 };
1272
1273 static const u_char *
1274 ikev1_t_print(netdissect_options *ndo, u_char tpay _U_,
1275 const struct isakmp_gen *ext, u_int item_len,
1276 const u_char *ep, uint32_t phase _U_, uint32_t doi _U_,
1277 uint32_t proto, int depth _U_)
1278 {
1279 const struct ikev1_pl_t *p;
1280 const u_char *cp;
1281 const char *idstr;
1282 const struct attrmap *map;
1283 size_t nmap;
1284 const u_char *ep2;
1285
1286 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_T));
1287
1288 p = (const struct ikev1_pl_t *)ext;
1289 ND_TCHECK_SIZE(p);
1290
1291 switch (proto) {
1292 case 1:
1293 idstr = STR_OR_ID(GET_U_1(p->t_id), ikev1_p_map);
1294 map = oakley_t_map;
1295 nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]);
1296 break;
1297 case 2:
1298 idstr = STR_OR_ID(GET_U_1(p->t_id), ah_p_map);
1299 map = ipsec_t_map;
1300 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
1301 break;
1302 case 3:
1303 idstr = STR_OR_ID(GET_U_1(p->t_id), esp_p_map);
1304 map = ipsec_t_map;
1305 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
1306 break;
1307 case 4:
1308 idstr = STR_OR_ID(GET_U_1(p->t_id), ipcomp_p_map);
1309 map = ipsec_t_map;
1310 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
1311 break;
1312 default:
1313 idstr = NULL;
1314 map = NULL;
1315 nmap = 0;
1316 break;
1317 }
1318
1319 if (idstr)
1320 ND_PRINT(" #%u id=%s ", GET_U_1(p->t_no), idstr);
1321 else
1322 ND_PRINT(" #%u id=%u ", GET_U_1(p->t_no), GET_U_1(p->t_id));
1323 cp = (const u_char *)(p + 1);
1324 ep2 = (const u_char *)p + item_len;
1325 while (cp < ep && cp < ep2) {
1326 if (map && nmap)
1327 cp = ikev1_attrmap_print(ndo, cp, ep2, map, nmap);
1328 else
1329 cp = ikev1_attr_print(ndo, cp, ep2);
1330 if (cp == NULL)
1331 goto trunc;
1332 }
1333 if (ep < ep2)
1334 ND_PRINT("...");
1335 return cp;
1336 trunc:
1337 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_T));
1338 return NULL;
1339 }
1340
1341 static const u_char *
1342 ikev1_ke_print(netdissect_options *ndo, u_char tpay _U_,
1343 const struct isakmp_gen *ext, u_int item_len,
1344 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_,
1345 uint32_t proto _U_, int depth _U_)
1346 {
1347 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_KE));
1348
1349 ND_TCHECK_SIZE(ext);
1350 /*
1351 * Our caller has ensured that the length is >= 4.
1352 */
1353 ND_PRINT(" key len=%u", item_len - 4);
1354 if (2 < ndo->ndo_vflag && item_len > 4) {
1355 /* Print the entire payload in hex */
1356 ND_PRINT(" ");
1357 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1358 goto trunc;
1359 }
1360 return (const u_char *)ext + item_len;
1361 trunc:
1362 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_KE));
1363 return NULL;
1364 }
1365
1366 static const u_char *
1367 ikev1_id_print(netdissect_options *ndo, u_char tpay _U_,
1368 const struct isakmp_gen *ext, u_int item_len,
1369 const u_char *ep _U_, uint32_t phase, uint32_t doi _U_,
1370 uint32_t proto _U_, int depth _U_)
1371 {
1372 #define USE_IPSECDOI_IN_PHASE1 1
1373 const struct ikev1_pl_id *p;
1374 static const char *idtypestr[] = {
1375 "IPv4", "IPv4net", "IPv6", "IPv6net",
1376 };
1377 static const char *ipsecidtypestr[] = {
1378 NULL, "IPv4", "FQDN", "user FQDN", "IPv4net", "IPv6",
1379 "IPv6net", "IPv4range", "IPv6range", "ASN1 DN", "ASN1 GN",
1380 "keyid",
1381 };
1382 u_int len;
1383 const u_char *data;
1384
1385 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_ID));
1386
1387 p = (const struct ikev1_pl_id *)ext;
1388 ND_TCHECK_SIZE(p);
1389 if (sizeof(*p) < item_len) {
1390 data = (const u_char *)(p + 1);
1391 len = item_len - sizeof(*p);
1392 } else {
1393 data = NULL;
1394 len = 0;
1395 }
1396
1397 #if 0 /*debug*/
1398 ND_PRINT(" [phase=%u doi=%u proto=%u]", phase, doi, proto);
1399 #endif
1400 switch (phase) {
1401 #ifndef USE_IPSECDOI_IN_PHASE1
1402 case 1:
1403 #endif
1404 default:
1405 ND_PRINT(" idtype=%s",
1406 STR_OR_ID(GET_U_1(p->d.id_type), idtypestr));
1407 ND_PRINT(" doi_data=%u",
1408 GET_BE_U_4(p->d.doi_data) & 0xffffff);
1409 break;
1410
1411 #ifdef USE_IPSECDOI_IN_PHASE1
1412 case 1:
1413 #endif
1414 case 2:
1415 {
1416 const struct ipsecdoi_id *doi_p;
1417 const char *p_name;
1418 uint8_t type, proto_id;
1419
1420 doi_p = (const struct ipsecdoi_id *)ext;
1421 ND_TCHECK_SIZE(doi_p);
1422 type = GET_U_1(doi_p->type);
1423 ND_PRINT(" idtype=%s", STR_OR_ID(type, ipsecidtypestr));
1424 /* A protocol ID of 0 DOES NOT mean IPPROTO_IP! */
1425 proto_id = GET_U_1(doi_p->proto_id);
1426 if (!ndo->ndo_nflag && proto_id && (p_name = netdb_protoname(proto_id)) != NULL)
1427 ND_PRINT(" protoid=%s", p_name);
1428 else
1429 ND_PRINT(" protoid=%u", proto_id);
1430 ND_PRINT(" port=%u", GET_BE_U_2(doi_p->port));
1431 if (!len)
1432 break;
1433 if (data == NULL)
1434 goto trunc;
1435 ND_TCHECK_LEN(data, len);
1436 switch (type) {
1437 case IPSECDOI_ID_IPV4_ADDR:
1438 if (len < 4)
1439 ND_PRINT(" len=%u [bad: < 4]", len);
1440 else
1441 ND_PRINT(" len=%u %s", len, GET_IPADDR_STRING(data));
1442 len = 0;
1443 break;
1444 case IPSECDOI_ID_FQDN:
1445 case IPSECDOI_ID_USER_FQDN:
1446 {
1447 u_int i;
1448 ND_PRINT(" len=%u ", len);
1449 for (i = 0; i < len; i++)
1450 fn_print_char(ndo, GET_U_1(data + i));
1451 len = 0;
1452 break;
1453 }
1454 case IPSECDOI_ID_IPV4_ADDR_SUBNET:
1455 {
1456 const u_char *mask;
1457 if (len < 8)
1458 ND_PRINT(" len=%u [bad: < 8]", len);
1459 else {
1460 mask = data + sizeof(nd_ipv4);
1461 ND_PRINT(" len=%u %s/%u.%u.%u.%u", len,
1462 GET_IPADDR_STRING(data),
1463 GET_U_1(mask), GET_U_1(mask + 1),
1464 GET_U_1(mask + 2),
1465 GET_U_1(mask + 3));
1466 }
1467 len = 0;
1468 break;
1469 }
1470 case IPSECDOI_ID_IPV6_ADDR:
1471 if (len < 16)
1472 ND_PRINT(" len=%u [bad: < 16]", len);
1473 else
1474 ND_PRINT(" len=%u %s", len, GET_IP6ADDR_STRING(data));
1475 len = 0;
1476 break;
1477 case IPSECDOI_ID_IPV6_ADDR_SUBNET:
1478 {
1479 const u_char *mask;
1480 if (len < 32)
1481 ND_PRINT(" len=%u [bad: < 32]", len);
1482 else {
1483 mask = (const u_char *)(data + sizeof(nd_ipv6));
1484 /*XXX*/
1485 ND_PRINT(" len=%u %s/0x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x", len,
1486 GET_IP6ADDR_STRING(data),
1487 GET_U_1(mask), GET_U_1(mask + 1),
1488 GET_U_1(mask + 2),
1489 GET_U_1(mask + 3),
1490 GET_U_1(mask + 4),
1491 GET_U_1(mask + 5),
1492 GET_U_1(mask + 6),
1493 GET_U_1(mask + 7),
1494 GET_U_1(mask + 8),
1495 GET_U_1(mask + 9),
1496 GET_U_1(mask + 10),
1497 GET_U_1(mask + 11),
1498 GET_U_1(mask + 12),
1499 GET_U_1(mask + 13),
1500 GET_U_1(mask + 14),
1501 GET_U_1(mask + 15));
1502 }
1503 len = 0;
1504 break;
1505 }
1506 case IPSECDOI_ID_IPV4_ADDR_RANGE:
1507 if (len < 8)
1508 ND_PRINT(" len=%u [bad: < 8]", len);
1509 else {
1510 ND_PRINT(" len=%u %s-%s", len,
1511 GET_IPADDR_STRING(data),
1512 GET_IPADDR_STRING(data + sizeof(nd_ipv4)));
1513 }
1514 len = 0;
1515 break;
1516 case IPSECDOI_ID_IPV6_ADDR_RANGE:
1517 if (len < 32)
1518 ND_PRINT(" len=%u [bad: < 32]", len);
1519 else {
1520 ND_PRINT(" len=%u %s-%s", len,
1521 GET_IP6ADDR_STRING(data),
1522 GET_IP6ADDR_STRING(data + sizeof(nd_ipv6)));
1523 }
1524 len = 0;
1525 break;
1526 case IPSECDOI_ID_DER_ASN1_DN:
1527 case IPSECDOI_ID_DER_ASN1_GN:
1528 case IPSECDOI_ID_KEY_ID:
1529 break;
1530 }
1531 break;
1532 }
1533 }
1534 if (data && len) {
1535 ND_PRINT(" len=%u", len);
1536 if (2 < ndo->ndo_vflag) {
1537 ND_PRINT(" ");
1538 if (!rawprint(ndo, (const uint8_t *)data, len))
1539 goto trunc;
1540 }
1541 }
1542 return (const u_char *)ext + item_len;
1543 trunc:
1544 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_ID));
1545 return NULL;
1546 }
1547
1548 static const u_char *
1549 ikev1_cert_print(netdissect_options *ndo, u_char tpay _U_,
1550 const struct isakmp_gen *ext, u_int item_len,
1551 const u_char *ep _U_, uint32_t phase _U_,
1552 uint32_t doi0 _U_,
1553 uint32_t proto0 _U_, int depth _U_)
1554 {
1555 const struct ikev1_pl_cert *p;
1556 static const char *certstr[] = {
1557 "none", "pkcs7", "pgp", "dns",
1558 "x509sign", "x509ke", "kerberos", "crl",
1559 "arl", "spki", "x509attr",
1560 };
1561
1562 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_CERT));
1563
1564 p = (const struct ikev1_pl_cert *)ext;
1565 ND_TCHECK_SIZE(p);
1566 /*
1567 * Our caller has ensured that the length is >= 4.
1568 */
1569 ND_PRINT(" len=%u", item_len - 4);
1570 ND_PRINT(" type=%s", STR_OR_ID(GET_U_1(p->encode), certstr));
1571 if (2 < ndo->ndo_vflag && 4 < item_len) {
1572 /* Print the entire payload in hex */
1573 ND_PRINT(" ");
1574 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1575 goto trunc;
1576 }
1577 return (const u_char *)ext + item_len;
1578 trunc:
1579 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_CERT));
1580 return NULL;
1581 }
1582
1583 static const u_char *
1584 ikev1_cr_print(netdissect_options *ndo, u_char tpay _U_,
1585 const struct isakmp_gen *ext, u_int item_len,
1586 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi0 _U_,
1587 uint32_t proto0 _U_, int depth _U_)
1588 {
1589 const struct ikev1_pl_cert *p;
1590 static const char *certstr[] = {
1591 "none", "pkcs7", "pgp", "dns",
1592 "x509sign", "x509ke", "kerberos", "crl",
1593 "arl", "spki", "x509attr",
1594 };
1595
1596 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_CR));
1597
1598 p = (const struct ikev1_pl_cert *)ext;
1599 ND_TCHECK_SIZE(p);
1600 /*
1601 * Our caller has ensured that the length is >= 4.
1602 */
1603 ND_PRINT(" len=%u", item_len - 4);
1604 ND_PRINT(" type=%s", STR_OR_ID(GET_U_1(p->encode), certstr));
1605 if (2 < ndo->ndo_vflag && 4 < item_len) {
1606 /* Print the entire payload in hex */
1607 ND_PRINT(" ");
1608 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1609 goto trunc;
1610 }
1611 return (const u_char *)ext + item_len;
1612 trunc:
1613 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_CR));
1614 return NULL;
1615 }
1616
1617 static const u_char *
1618 ikev1_hash_print(netdissect_options *ndo, u_char tpay _U_,
1619 const struct isakmp_gen *ext, u_int item_len,
1620 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_,
1621 uint32_t proto _U_, int depth _U_)
1622 {
1623 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_HASH));
1624
1625 ND_TCHECK_SIZE(ext);
1626 /*
1627 * Our caller has ensured that the length is >= 4.
1628 */
1629 ND_PRINT(" len=%u", item_len - 4);
1630 if (2 < ndo->ndo_vflag && 4 < item_len) {
1631 /* Print the entire payload in hex */
1632 ND_PRINT(" ");
1633 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1634 goto trunc;
1635 }
1636 return (const u_char *)ext + item_len;
1637 trunc:
1638 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_HASH));
1639 return NULL;
1640 }
1641
1642 static const u_char *
1643 ikev1_sig_print(netdissect_options *ndo, u_char tpay _U_,
1644 const struct isakmp_gen *ext, u_int item_len,
1645 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_,
1646 uint32_t proto _U_, int depth _U_)
1647 {
1648 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_SIG));
1649
1650 ND_TCHECK_SIZE(ext);
1651 /*
1652 * Our caller has ensured that the length is >= 4.
1653 */
1654 ND_PRINT(" len=%u", item_len - 4);
1655 if (2 < ndo->ndo_vflag && 4 < item_len) {
1656 /* Print the entire payload in hex */
1657 ND_PRINT(" ");
1658 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1659 goto trunc;
1660 }
1661 return (const u_char *)ext + item_len;
1662 trunc:
1663 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_SIG));
1664 return NULL;
1665 }
1666
1667 static const u_char *
1668 ikev1_nonce_print(netdissect_options *ndo, u_char tpay _U_,
1669 const struct isakmp_gen *ext,
1670 u_int item_len,
1671 const u_char *ep,
1672 uint32_t phase _U_, uint32_t doi _U_,
1673 uint32_t proto _U_, int depth _U_)
1674 {
1675 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_NONCE));
1676
1677 ND_TCHECK_SIZE(ext);
1678 /*
1679 * Our caller has ensured that the length is >= 4.
1680 */
1681 ND_PRINT(" n len=%u", item_len - 4);
1682 if (item_len > 4) {
1683 if (ndo->ndo_vflag > 2) {
1684 ND_PRINT(" ");
1685 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1686 goto trunc;
1687 } else if (ndo->ndo_vflag > 1) {
1688 ND_PRINT(" ");
1689 if (!ike_show_somedata(ndo, (const u_char *)(ext + 1), ep))
1690 goto trunc;
1691 }
1692 }
1693 return (const u_char *)ext + item_len;
1694 trunc:
1695 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_NONCE));
1696 return NULL;
1697 }
1698
1699 static const u_char *
1700 ikev1_n_print(netdissect_options *ndo, u_char tpay _U_,
1701 const struct isakmp_gen *ext, u_int item_len,
1702 const u_char *ep, uint32_t phase _U_, uint32_t doi0 _U_,
1703 uint32_t proto0 _U_, int depth _U_)
1704 {
1705 const struct ikev1_pl_n *p;
1706 const u_char *cp;
1707 const u_char *ep2;
1708 uint32_t doi;
1709 uint32_t proto;
1710 uint16_t type;
1711 uint8_t spi_size;
1712 static const char *notify_error_str[] = {
1713 NULL, "INVALID-PAYLOAD-TYPE",
1714 "DOI-NOT-SUPPORTED", "SITUATION-NOT-SUPPORTED",
1715 "INVALID-COOKIE", "INVALID-MAJOR-VERSION",
1716 "INVALID-MINOR-VERSION", "INVALID-EXCHANGE-TYPE",
1717 "INVALID-FLAGS", "INVALID-MESSAGE-ID",
1718 "INVALID-PROTOCOL-ID", "INVALID-SPI",
1719 "INVALID-TRANSFORM-ID", "ATTRIBUTES-NOT-SUPPORTED",
1720 "NO-PROPOSAL-CHOSEN", "BAD-PROPOSAL-SYNTAX",
1721 "PAYLOAD-MALFORMED", "INVALID-KEY-INFORMATION",
1722 "INVALID-ID-INFORMATION", "INVALID-CERT-ENCODING",
1723 "INVALID-CERTIFICATE", "CERT-TYPE-UNSUPPORTED",
1724 "INVALID-CERT-AUTHORITY", "INVALID-HASH-INFORMATION",
1725 "AUTHENTICATION-FAILED", "INVALID-SIGNATURE",
1726 "ADDRESS-NOTIFICATION", "NOTIFY-SA-LIFETIME",
1727 "CERTIFICATE-UNAVAILABLE", "UNSUPPORTED-EXCHANGE-TYPE",
1728 "UNEQUAL-PAYLOAD-LENGTHS",
1729 };
1730 static const char *ipsec_notify_error_str[] = {
1731 "RESERVED",
1732 };
1733 static const char *notify_status_str[] = {
1734 "CONNECTED",
1735 };
1736 static const char *ipsec_notify_status_str[] = {
1737 "RESPONDER-LIFETIME", "REPLAY-STATUS",
1738 "INITIAL-CONTACT",
1739 };
1740 /* NOTE: these macro must be called with x in proper range */
1741
1742 /* 0 - 8191 */
1743 #define NOTIFY_ERROR_STR(x) \
1744 STR_OR_ID((x), notify_error_str)
1745
1746 /* 8192 - 16383 */
1747 #define IPSEC_NOTIFY_ERROR_STR(x) \
1748 STR_OR_ID((u_int)((x) - 8192), ipsec_notify_error_str)
1749
1750 /* 16384 - 24575 */
1751 #define NOTIFY_STATUS_STR(x) \
1752 STR_OR_ID((u_int)((x) - 16384), notify_status_str)
1753
1754 /* 24576 - 32767 */
1755 #define IPSEC_NOTIFY_STATUS_STR(x) \
1756 STR_OR_ID((u_int)((x) - 24576), ipsec_notify_status_str)
1757
1758 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_N));
1759
1760 p = (const struct ikev1_pl_n *)ext;
1761 ND_TCHECK_SIZE(p);
1762 doi = GET_BE_U_4(p->doi);
1763 proto = GET_U_1(p->prot_id);
1764 if (doi != 1) {
1765 ND_PRINT(" doi=%u", doi);
1766 ND_PRINT(" proto=%u", proto);
1767 type = GET_BE_U_2(p->type);
1768 if (type < 8192)
1769 ND_PRINT(" type=%s", NOTIFY_ERROR_STR(type));
1770 else if (type < 16384)
1771 ND_PRINT(" type=%s", numstr(type));
1772 else if (type < 24576)
1773 ND_PRINT(" type=%s", NOTIFY_STATUS_STR(type));
1774 else
1775 ND_PRINT(" type=%s", numstr(type));
1776 spi_size = GET_U_1(p->spi_size);
1777 if (spi_size) {
1778 ND_PRINT(" spi=");
1779 if (!rawprint(ndo, (const uint8_t *)(p + 1), spi_size))
1780 goto trunc;
1781 }
1782 return (const u_char *)(p + 1) + spi_size;
1783 }
1784
1785 ND_PRINT(" doi=ipsec");
1786 ND_PRINT(" proto=%s", PROTOIDSTR(proto));
1787 type = GET_BE_U_2(p->type);
1788 if (type < 8192)
1789 ND_PRINT(" type=%s", NOTIFY_ERROR_STR(type));
1790 else if (type < 16384)
1791 ND_PRINT(" type=%s", IPSEC_NOTIFY_ERROR_STR(type));
1792 else if (type < 24576)
1793 ND_PRINT(" type=%s", NOTIFY_STATUS_STR(type));
1794 else if (type < 32768)
1795 ND_PRINT(" type=%s", IPSEC_NOTIFY_STATUS_STR(type));
1796 else
1797 ND_PRINT(" type=%s", numstr(type));
1798 spi_size = GET_U_1(p->spi_size);
1799 if (spi_size) {
1800 ND_PRINT(" spi=");
1801 if (!rawprint(ndo, (const uint8_t *)(p + 1), spi_size))
1802 goto trunc;
1803 }
1804
1805 cp = (const u_char *)(p + 1) + spi_size;
1806 ep2 = (const u_char *)p + item_len;
1807
1808 if (cp < ep) {
1809 switch (type) {
1810 case IPSECDOI_NTYPE_RESPONDER_LIFETIME:
1811 {
1812 const struct attrmap *map = oakley_t_map;
1813 size_t nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]);
1814 ND_PRINT(" attrs=(");
1815 while (cp < ep && cp < ep2) {
1816 cp = ikev1_attrmap_print(ndo, cp, ep2, map, nmap);
1817 if (cp == NULL) {
1818 ND_PRINT(")");
1819 goto trunc;
1820 }
1821 }
1822 ND_PRINT(")");
1823 break;
1824 }
1825 case IPSECDOI_NTYPE_REPLAY_STATUS:
1826 ND_PRINT(" status=(");
1827 ND_PRINT("replay detection %sabled",
1828 GET_BE_U_4(cp) ? "en" : "dis");
1829 ND_PRINT(")");
1830 break;
1831 default:
1832 /*
1833 * XXX - fill in more types here; see, for example,
1834 * draft-ietf-ipsec-notifymsg-04.
1835 */
1836 if (ndo->ndo_vflag > 3) {
1837 ND_PRINT(" data=(");
1838 if (!rawprint(ndo, (const uint8_t *)(cp), ep - cp))
1839 goto trunc;
1840 ND_PRINT(")");
1841 } else {
1842 if (!ike_show_somedata(ndo, cp, ep))
1843 goto trunc;
1844 }
1845 break;
1846 }
1847 }
1848 return (const u_char *)ext + item_len;
1849 trunc:
1850 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_N));
1851 return NULL;
1852 }
1853
1854 static const u_char *
1855 ikev1_d_print(netdissect_options *ndo, u_char tpay _U_,
1856 const struct isakmp_gen *ext, u_int item_len _U_,
1857 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi0 _U_,
1858 uint32_t proto0 _U_, int depth _U_)
1859 {
1860 const struct ikev1_pl_d *p;
1861 const uint8_t *q;
1862 uint32_t doi;
1863 uint32_t proto;
1864 uint8_t spi_size;
1865 uint16_t num_spi;
1866 u_int i;
1867
1868 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_D));
1869
1870 p = (const struct ikev1_pl_d *)ext;
1871 ND_TCHECK_SIZE(p);
1872 doi = GET_BE_U_4(p->doi);
1873 proto = GET_U_1(p->prot_id);
1874 if (doi != 1) {
1875 ND_PRINT(" doi=%u", doi);
1876 ND_PRINT(" proto=%u", proto);
1877 } else {
1878 ND_PRINT(" doi=ipsec");
1879 ND_PRINT(" proto=%s", PROTOIDSTR(proto));
1880 }
1881 spi_size = GET_U_1(p->spi_size);
1882 ND_PRINT(" spilen=%u", spi_size);
1883 num_spi = GET_BE_U_2(p->num_spi);
1884 ND_PRINT(" nspi=%u", num_spi);
1885 q = (const uint8_t *)(p + 1);
1886 if (spi_size) {
1887 ND_PRINT(" spi=");
1888 for (i = 0; i < num_spi; i++) {
1889 if (i != 0)
1890 ND_PRINT(",");
1891 if (!rawprint(ndo, (const uint8_t *)q, spi_size))
1892 goto trunc;
1893 q += spi_size;
1894 }
1895 }
1896 return q;
1897 trunc:
1898 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_D));
1899 return NULL;
1900 }
1901
1902 static const u_char *
1903 ikev1_vid_print(netdissect_options *ndo, u_char tpay _U_,
1904 const struct isakmp_gen *ext,
1905 u_int item_len, const u_char *ep _U_,
1906 uint32_t phase _U_, uint32_t doi _U_,
1907 uint32_t proto _U_, int depth _U_)
1908 {
1909 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_VID));
1910
1911 ND_TCHECK_SIZE(ext);
1912 /*
1913 * Our caller has ensured that the length is >= 4.
1914 */
1915 ND_PRINT(" len=%u", item_len - 4);
1916 if (2 < ndo->ndo_vflag && 4 < item_len) {
1917 /* Print the entire payload in hex */
1918 ND_PRINT(" ");
1919 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1920 goto trunc;
1921 }
1922 return (const u_char *)ext + item_len;
1923 trunc:
1924 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_VID));
1925 return NULL;
1926 }
1927
1928 /************************************************************/
1929 /* */
1930 /* IKE v2 - rfc4306 - dissector */
1931 /* */
1932 /************************************************************/
1933
1934 static void
1935 ikev2_pay_print(netdissect_options *ndo, const char *payname, uint8_t critical)
1936 {
1937 ND_PRINT("%s%s:", payname, critical&0x80 ? "[C]" : "");
1938 }
1939
1940 static const u_char *
1941 ikev2_gen_print(netdissect_options *ndo, u_char tpay,
1942 const struct isakmp_gen *ext, u_int item_len)
1943 {
1944 const struct isakmp_gen *p = (const struct isakmp_gen *)ext;
1945
1946 ND_TCHECK_SIZE(ext);
1947 ikev2_pay_print(ndo, NPSTR(tpay), GET_U_1(p->critical));
1948
1949 /*
1950 * Our caller has ensured that the length is >= 4.
1951 */
1952 ND_PRINT(" len=%u", item_len - 4);
1953 if (2 < ndo->ndo_vflag && 4 < item_len) {
1954 /* Print the entire payload in hex */
1955 ND_PRINT(" ");
1956 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1957 goto trunc;
1958 }
1959 return (const u_char *)ext + item_len;
1960 trunc:
1961 ND_PRINT(" [|%s]", NPSTR(tpay));
1962 return NULL;
1963 }
1964
1965 static const u_char *
1966 ikev2_t_print(netdissect_options *ndo, int tcount,
1967 const struct isakmp_gen *ext, u_int item_len,
1968 const u_char *ep)
1969 {
1970 const struct ikev2_t *p;
1971 uint16_t t_id;
1972 uint8_t t_type;
1973 const u_char *cp;
1974 const char *idstr;
1975 const struct attrmap *map;
1976 size_t nmap;
1977 const u_char *ep2;
1978
1979 p = (const struct ikev2_t *)ext;
1980 ND_TCHECK_SIZE(p);
1981 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_T), GET_U_1(p->h.critical));
1982
1983 t_id = GET_BE_U_2(p->t_id);
1984
1985 map = NULL;
1986 nmap = 0;
1987
1988 t_type = GET_U_1(p->t_type);
1989 switch (t_type) {
1990 case IV2_T_ENCR:
1991 idstr = STR_OR_ID(t_id, esp_p_map);
1992 map = encr_t_map;
1993 nmap = sizeof(encr_t_map)/sizeof(encr_t_map[0]);
1994 break;
1995
1996 case IV2_T_PRF:
1997 idstr = STR_OR_ID(t_id, prf_p_map);
1998 break;
1999
2000 case IV2_T_INTEG:
2001 idstr = STR_OR_ID(t_id, integ_p_map);
2002 break;
2003
2004 case IV2_T_DH:
2005 idstr = STR_OR_ID(t_id, dh_p_map);
2006 break;
2007
2008 case IV2_T_ESN:
2009 idstr = STR_OR_ID(t_id, esn_p_map);
2010 break;
2011
2012 default:
2013 idstr = NULL;
2014 break;
2015 }
2016
2017 if (idstr)
2018 ND_PRINT(" #%u type=%s id=%s ", tcount,
2019 STR_OR_ID(t_type, ikev2_t_type_map),
2020 idstr);
2021 else
2022 ND_PRINT(" #%u type=%s id=%u ", tcount,
2023 STR_OR_ID(t_type, ikev2_t_type_map),
2024 t_id);
2025 cp = (const u_char *)(p + 1);
2026 ep2 = (const u_char *)p + item_len;
2027 while (cp < ep && cp < ep2) {
2028 if (map && nmap) {
2029 cp = ikev1_attrmap_print(ndo, cp, ep2, map, nmap);
2030 } else
2031 cp = ikev1_attr_print(ndo, cp, ep2);
2032 if (cp == NULL)
2033 goto trunc;
2034 }
2035 if (ep < ep2)
2036 ND_PRINT("...");
2037 return cp;
2038 trunc:
2039 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_T));
2040 return NULL;
2041 }
2042
2043 static const u_char *
2044 ikev2_p_print(netdissect_options *ndo, u_char tpay _U_, int pcount _U_,
2045 const struct isakmp_gen *ext, u_int oprop_length,
2046 const u_char *ep, int depth)
2047 {
2048 const struct ikev2_p *p;
2049 u_int prop_length;
2050 uint8_t spi_size;
2051 const u_char *cp;
2052 int i;
2053 int tcount;
2054 u_char np;
2055 u_int item_len;
2056
2057 p = (const struct ikev2_p *)ext;
2058 ND_TCHECK_SIZE(p);
2059
2060 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_P), GET_U_1(p->h.critical));
2061
2062 /*
2063 * ikev2_sa_print() guarantees that this is >= 4.
2064 */
2065 prop_length = oprop_length - 4;
2066 ND_PRINT(" #%u protoid=%s transform=%u len=%u",
2067 GET_U_1(p->p_no), PROTOIDSTR(GET_U_1(p->prot_id)),
2068 GET_U_1(p->num_t), oprop_length);
2069 cp = (const u_char *)(p + 1);
2070
2071 spi_size = GET_U_1(p->spi_size);
2072 if (spi_size) {
2073 if (prop_length < spi_size)
2074 goto toolong;
2075 ND_PRINT(" spi=");
2076 if (!rawprint(ndo, (const uint8_t *)cp, spi_size))
2077 goto trunc;
2078 cp += spi_size;
2079 prop_length -= spi_size;
2080 }
2081
2082 /*
2083 * Print the transforms.
2084 */
2085 tcount = 0;
2086 for (np = ISAKMP_NPTYPE_T; np != 0; np = GET_U_1(ext->np)) {
2087 tcount++;
2088 ext = (const struct isakmp_gen *)cp;
2089 if (prop_length < sizeof(*ext))
2090 goto toolong;
2091 ND_TCHECK_SIZE(ext);
2092
2093 /*
2094 * Since we can't have a payload length of less than 4 bytes,
2095 * we need to bail out here if the generic header is nonsensical
2096 * or truncated, otherwise we could loop forever processing
2097 * zero-length items or otherwise misdissect the packet.
2098 */
2099 item_len = GET_BE_U_2(ext->len);
2100 if (item_len <= 4)
2101 goto trunc;
2102
2103 if (prop_length < item_len)
2104 goto toolong;
2105 ND_TCHECK_LEN(cp, item_len);
2106
2107 depth++;
2108 ND_PRINT("\n");
2109 for (i = 0; i < depth; i++)
2110 ND_PRINT(" ");
2111 ND_PRINT("(");
2112 if (np == ISAKMP_NPTYPE_T) {
2113 cp = ikev2_t_print(ndo, tcount, ext, item_len, ep);
2114 if (cp == NULL) {
2115 /* error, already reported */
2116 return NULL;
2117 }
2118 } else {
2119 ND_PRINT("%s", NPSTR(np));
2120 cp += item_len;
2121 }
2122 ND_PRINT(")");
2123 depth--;
2124 prop_length -= item_len;
2125 }
2126 return cp;
2127 toolong:
2128 /*
2129 * Skip the rest of the proposal.
2130 */
2131 cp += prop_length;
2132 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_P));
2133 return cp;
2134 trunc:
2135 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_P));
2136 return NULL;
2137 }
2138
2139 static const u_char *
2140 ikev2_sa_print(netdissect_options *ndo, u_char tpay,
2141 const struct isakmp_gen *ext1,
2142 u_int osa_length, const u_char *ep,
2143 uint32_t phase _U_, uint32_t doi _U_,
2144 uint32_t proto _U_, int depth)
2145 {
2146 const struct isakmp_gen *ext;
2147 u_int sa_length;
2148 const u_char *cp;
2149 int i;
2150 int pcount;
2151 u_char np;
2152 u_int item_len;
2153
2154 ND_TCHECK_SIZE(ext1);
2155 ikev2_pay_print(ndo, "sa", GET_U_1(ext1->critical));
2156
2157 /*
2158 * ikev2_sub0_print() guarantees that this is >= 4.
2159 */
2160 osa_length= GET_BE_U_2(ext1->len);
2161 sa_length = osa_length - 4;
2162 ND_PRINT(" len=%u", sa_length);
2163
2164 /*
2165 * Print the payloads.
2166 */
2167 cp = (const u_char *)(ext1 + 1);
2168 pcount = 0;
2169 for (np = ISAKMP_NPTYPE_P; np != 0; np = GET_U_1(ext->np)) {
2170 pcount++;
2171 ext = (const struct isakmp_gen *)cp;
2172 if (sa_length < sizeof(*ext))
2173 goto toolong;
2174 ND_TCHECK_SIZE(ext);
2175
2176 /*
2177 * Since we can't have a payload length of less than 4 bytes,
2178 * we need to bail out here if the generic header is nonsensical
2179 * or truncated, otherwise we could loop forever processing
2180 * zero-length items or otherwise misdissect the packet.
2181 */
2182 item_len = GET_BE_U_2(ext->len);
2183 if (item_len <= 4)
2184 goto trunc;
2185
2186 if (sa_length < item_len)
2187 goto toolong;
2188 ND_TCHECK_LEN(cp, item_len);
2189
2190 depth++;
2191 ND_PRINT("\n");
2192 for (i = 0; i < depth; i++)
2193 ND_PRINT(" ");
2194 ND_PRINT("(");
2195 if (np == ISAKMP_NPTYPE_P) {
2196 cp = ikev2_p_print(ndo, np, pcount, ext, item_len,
2197 ep, depth);
2198 if (cp == NULL) {
2199 /* error, already reported */
2200 return NULL;
2201 }
2202 } else {
2203 ND_PRINT("%s", NPSTR(np));
2204 cp += item_len;
2205 }
2206 ND_PRINT(")");
2207 depth--;
2208 sa_length -= item_len;
2209 }
2210 return cp;
2211 toolong:
2212 /*
2213 * Skip the rest of the SA.
2214 */
2215 cp += sa_length;
2216 ND_PRINT(" [|%s]", NPSTR(tpay));
2217 return cp;
2218 trunc:
2219 ND_PRINT(" [|%s]", NPSTR(tpay));
2220 return NULL;
2221 }
2222
2223 static const u_char *
2224 ikev2_ke_print(netdissect_options *ndo, u_char tpay,
2225 const struct isakmp_gen *ext,
2226 u_int item_len, const u_char *ep _U_,
2227 uint32_t phase _U_, uint32_t doi _U_,
2228 uint32_t proto _U_, int depth _U_)
2229 {
2230 const struct ikev2_ke *k;
2231
2232 k = (const struct ikev2_ke *)ext;
2233 ND_TCHECK_SIZE(k);
2234 ikev2_pay_print(ndo, NPSTR(tpay), GET_U_1(k->h.critical));
2235
2236 if (item_len < 8) {
2237 ND_PRINT(" len=%u < 8", item_len);
2238 return (const u_char *)ext + item_len;
2239 }
2240 ND_PRINT(" len=%u group=%s", item_len - 8,
2241 STR_OR_ID(GET_BE_U_2(k->ke_group), dh_p_map));
2242
2243 if (2 < ndo->ndo_vflag && 8 < item_len) {
2244 ND_PRINT(" ");
2245 if (!rawprint(ndo, (const uint8_t *)(k + 1), item_len - 8))
2246 goto trunc;
2247 }
2248 return (const u_char *)ext + item_len;
2249 trunc:
2250 ND_PRINT(" [|%s]", NPSTR(tpay));
2251 return NULL;
2252 }
2253
2254 static const u_char *
2255 ikev2_ID_print(netdissect_options *ndo, u_char tpay,
2256 const struct isakmp_gen *ext,
2257 u_int item_len, const u_char *ep _U_,
2258 uint32_t phase _U_, uint32_t doi _U_,
2259 uint32_t proto _U_, int depth _U_)
2260 {
2261 const struct ikev2_id *idp;
2262 u_int idtype_len, i;
2263 unsigned int dumpascii, dumphex;
2264 const unsigned char *typedata;
2265
2266 idp = (const struct ikev2_id *)ext;
2267 ND_TCHECK_SIZE(idp);
2268 ikev2_pay_print(ndo, NPSTR(tpay), GET_U_1(idp->h.critical));
2269
2270 /*
2271 * Our caller has ensured that the length is >= 4.
2272 */
2273 ND_PRINT(" len=%u", item_len - 4);
2274 if (2 < ndo->ndo_vflag && 4 < item_len) {
2275 /* Print the entire payload in hex */
2276 ND_PRINT(" ");
2277 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
2278 goto trunc;
2279 }
2280
2281 idtype_len =item_len - sizeof(struct ikev2_id);
2282 dumpascii = 0;
2283 dumphex = 0;
2284 typedata = (const unsigned char *)(ext)+sizeof(struct ikev2_id);
2285
2286 switch(GET_U_1(idp->type)) {
2287 case ID_IPV4_ADDR:
2288 ND_PRINT(" ipv4:");
2289 dumphex=1;
2290 break;
2291 case ID_FQDN:
2292 ND_PRINT(" fqdn:");
2293 dumpascii=1;
2294 break;
2295 case ID_RFC822_ADDR:
2296 ND_PRINT(" rfc822:");
2297 dumpascii=1;
2298 break;
2299 case ID_IPV6_ADDR:
2300 ND_PRINT(" ipv6:");
2301 dumphex=1;
2302 break;
2303 case ID_DER_ASN1_DN:
2304 ND_PRINT(" dn:");
2305 dumphex=1;
2306 break;
2307 case ID_DER_ASN1_GN:
2308 ND_PRINT(" gn:");
2309 dumphex=1;
2310 break;
2311 case ID_KEY_ID:
2312 ND_PRINT(" keyid:");
2313 dumphex=1;
2314 break;
2315 }
2316
2317 if(dumpascii) {
2318 ND_TCHECK_LEN(typedata, idtype_len);
2319 for(i=0; i<idtype_len; i++) {
2320 if(ND_ASCII_ISPRINT(GET_U_1(typedata + i))) {
2321 ND_PRINT("%c", GET_U_1(typedata + i));
2322 } else {
2323 ND_PRINT(".");
2324 }
2325 }
2326 }
2327 if(dumphex) {
2328 if (!rawprint(ndo, (const uint8_t *)typedata, idtype_len))
2329 goto trunc;
2330 }
2331
2332 return (const u_char *)ext + item_len;
2333 trunc:
2334 ND_PRINT(" [|%s]", NPSTR(tpay));
2335 return NULL;
2336 }
2337
2338 static const u_char *
2339 ikev2_cert_print(netdissect_options *ndo, u_char tpay,
2340 const struct isakmp_gen *ext,
2341 u_int item_len, const u_char *ep _U_,
2342 uint32_t phase _U_, uint32_t doi _U_,
2343 uint32_t proto _U_, int depth _U_)
2344 {
2345 return ikev2_gen_print(ndo, tpay, ext, item_len);
2346 }
2347
2348 static const u_char *
2349 ikev2_cr_print(netdissect_options *ndo, u_char tpay,
2350 const struct isakmp_gen *ext,
2351 u_int item_len, const u_char *ep _U_,
2352 uint32_t phase _U_, uint32_t doi _U_,
2353 uint32_t proto _U_, int depth _U_)
2354 {
2355 return ikev2_gen_print(ndo, tpay, ext, item_len);
2356 }
2357
2358 static const u_char *
2359 ikev2_auth_print(netdissect_options *ndo, u_char tpay,
2360 const struct isakmp_gen *ext,
2361 u_int item_len, const u_char *ep,
2362 uint32_t phase _U_, uint32_t doi _U_,
2363 uint32_t proto _U_, int depth _U_)
2364 {
2365 const struct ikev2_auth *p;
2366 const char *v2_auth[]={ "invalid", "rsasig",
2367 "shared-secret", "dsssig" };
2368 const u_char *authdata = (const u_char *)ext + sizeof(struct ikev2_auth);
2369
2370 ND_TCHECK_LEN(ext, sizeof(struct ikev2_auth));
2371 p = (const struct ikev2_auth *)ext;
2372 ikev2_pay_print(ndo, NPSTR(tpay), GET_U_1(p->h.critical));
2373
2374 /*
2375 * Our caller has ensured that the length is >= 4.
2376 */
2377 ND_PRINT(" len=%u method=%s", item_len-4,
2378 STR_OR_ID(GET_U_1(p->auth_method), v2_auth));
2379 if (item_len > 4) {
2380 if (ndo->ndo_vflag > 1) {
2381 ND_PRINT(" authdata=(");
2382 if (!rawprint(ndo, (const uint8_t *)authdata, item_len - sizeof(struct ikev2_auth)))
2383 goto trunc;
2384 ND_PRINT(") ");
2385 } else if (ndo->ndo_vflag) {
2386 if (!ike_show_somedata(ndo, authdata, ep))
2387 goto trunc;
2388 }
2389 }
2390
2391 return (const u_char *)ext + item_len;
2392 trunc:
2393 ND_PRINT(" [|%s]", NPSTR(tpay));
2394 return NULL;
2395 }
2396
2397 static const u_char *
2398 ikev2_nonce_print(netdissect_options *ndo, u_char tpay,
2399 const struct isakmp_gen *ext,
2400 u_int item_len, const u_char *ep,
2401 uint32_t phase _U_, uint32_t doi _U_,
2402 uint32_t proto _U_, int depth _U_)
2403 {
2404 ND_TCHECK_SIZE(ext);
2405 ikev2_pay_print(ndo, "nonce", GET_U_1(ext->critical));
2406
2407 /*
2408 * Our caller has ensured that the length is >= 4.
2409 */
2410 ND_PRINT(" len=%u", item_len - 4);
2411 if (1 < ndo->ndo_vflag && 4 < item_len) {
2412 ND_PRINT(" nonce=(");
2413 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
2414 goto trunc;
2415 ND_PRINT(") ");
2416 } else if(ndo->ndo_vflag && 4 < item_len) {
2417 if(!ike_show_somedata(ndo, (const u_char *)(ext+1), ep)) goto trunc;
2418 }
2419
2420 return (const u_char *)ext + item_len;
2421 trunc:
2422 ND_PRINT(" [|%s]", NPSTR(tpay));
2423 return NULL;
2424 }
2425
2426 /* notify payloads */
2427 static const u_char *
2428 ikev2_n_print(netdissect_options *ndo, u_char tpay _U_,
2429 const struct isakmp_gen *ext,
2430 u_int item_len, const u_char *ep,
2431 uint32_t phase _U_, uint32_t doi _U_,
2432 uint32_t proto _U_, int depth _U_)
2433 {
2434 const struct ikev2_n *p;
2435 uint16_t type;
2436 uint8_t spi_size;
2437 const u_char *cp;
2438 u_char showspi, showsomedata;
2439 const char *notify_name;
2440
2441 p = (const struct ikev2_n *)ext;
2442 ND_TCHECK_SIZE(p);
2443 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_N), GET_U_1(p->h.critical));
2444
2445 showspi=0;
2446 showsomedata=0;
2447 notify_name=NULL;
2448
2449 ND_PRINT(" prot_id=%s", PROTOIDSTR(GET_U_1(p->prot_id)));
2450
2451 type = GET_BE_U_2(p->type);
2452
2453 /* notify space is annoying sparse */
2454 switch(type) {
2455 case IV2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD:
2456 notify_name = "unsupported_critical_payload";
2457 break;
2458
2459 case IV2_NOTIFY_INVALID_IKE_SPI:
2460 notify_name = "invalid_ike_spi";
2461 showspi = 1;
2462 break;
2463
2464 case IV2_NOTIFY_INVALID_MAJOR_VERSION:
2465 notify_name = "invalid_major_version";
2466 break;
2467
2468 case IV2_NOTIFY_INVALID_SYNTAX:
2469 notify_name = "invalid_syntax";
2470 showspi = 1;
2471 break;
2472
2473 case IV2_NOTIFY_INVALID_MESSAGE_ID:
2474 notify_name = "invalid_message_id";
2475 showspi = 1;
2476 break;
2477
2478 case IV2_NOTIFY_INVALID_SPI:
2479 notify_name = "invalid_spi";
2480 showspi = 1;
2481 break;
2482
2483 case IV2_NOTIFY_NO_PROPOSAL_CHOSEN:
2484 notify_name = "no_proposal_chosen";
2485 showspi = 1;
2486 break;
2487
2488 case IV2_NOTIFY_INVALID_KE_PAYLOAD:
2489 notify_name = "invalid_ke_payload";
2490 showspi = 1;
2491 break;
2492
2493 case IV2_NOTIFY_AUTHENTICATION_FAILED:
2494 notify_name = "authentication_failed";
2495 showspi = 1;
2496 break;
2497
2498 case IV2_NOTIFY_SINGLE_PAIR_REQUIRED:
2499 notify_name = "single_pair_required";
2500 showspi = 1;
2501 break;
2502
2503 case IV2_NOTIFY_NO_ADDITIONAL_SAS:
2504 notify_name = "no_additional_sas";
2505 break;
2506
2507 case IV2_NOTIFY_INTERNAL_ADDRESS_FAILURE:
2508 notify_name = "internal_address_failure";
2509 break;
2510
2511 case IV2_NOTIFY_FAILED_CP_REQUIRED:
2512 notify_name = "failed_cp_required";
2513 break;
2514
2515 case IV2_NOTIFY_TS_UNACCEPTABLE:
2516 notify_name = "ts_unacceptable";
2517 break;
2518
2519 case IV2_NOTIFY_INVALID_SELECTORS:
2520 notify_name = "invalid_selectors";
2521 break;
2522
2523 case IV2_NOTIFY_UNACCEPTABLE_ADDRESSES:
2524 notify_name = "unacceptable_addresses";
2525 break;
2526
2527 case IV2_NOTIFY_UNEXPECTED_NAT_DETECTED:
2528 notify_name = "unexpected_nat_detected";
2529 break;
2530
2531 case IV2_NOTIFY_USE_ASSIGNED_HOA:
2532 notify_name = "use_assigned_hoa";
2533 break;
2534
2535 case IV2_NOTIFY_TEMPORARY_FAILURE:
2536 notify_name = "temporary_failure";
2537 break;
2538
2539 case IV2_NOTIFY_CHILD_SA_NOT_FOUND:
2540 notify_name = "child_sa_not_found";
2541 break;
2542
2543 case IV2_NOTIFY_INVALID_GROUP_ID:
2544 notify_name = "invalid_group_id";
2545 break;
2546
2547 case IV2_NOTIFY_AUTHORIZATION_FAILED:
2548 notify_name = "authorization_failed";
2549 break;
2550
2551 case IV2_NOTIFY_STATE_NOT_FOUND:
2552 notify_name = "state_not_found";
2553 break;
2554
2555 case IV2_NOTIFY_INITIAL_CONTACT:
2556 notify_name = "initial_contact";
2557 break;
2558
2559 case IV2_NOTIFY_SET_WINDOW_SIZE:
2560 notify_name = "set_window_size";
2561 break;
2562
2563 case IV2_NOTIFY_ADDITIONAL_TS_POSSIBLE:
2564 notify_name = "additional_ts_possible";
2565 break;
2566
2567 case IV2_NOTIFY_IPCOMP_SUPPORTED:
2568 notify_name = "ipcomp_supported";
2569 break;
2570
2571 case IV2_NOTIFY_NAT_DETECTION_SOURCE_IP:
2572 notify_name = "nat_detection_source_ip";
2573 showspi = 1;
2574 break;
2575
2576 case IV2_NOTIFY_NAT_DETECTION_DESTINATION_IP:
2577 notify_name = "nat_detection_destination_ip";
2578 showspi = 1;
2579 break;
2580
2581 case IV2_NOTIFY_COOKIE:
2582 notify_name = "cookie";
2583 showspi = 1;
2584 showsomedata= 1;
2585 break;
2586
2587 case IV2_NOTIFY_USE_TRANSPORT_MODE:
2588 notify_name = "use_transport_mode";
2589 break;
2590
2591 case IV2_NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED:
2592 notify_name = "http_cert_lookup_supported";
2593 break;
2594
2595 case IV2_NOTIFY_REKEY_SA:
2596 notify_name = "rekey_sa";
2597 showspi = 1;
2598 break;
2599
2600 case IV2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED:
2601 notify_name = "tfc_padding_not_supported";
2602 break;
2603
2604 case IV2_NOTIFY_NON_FIRST_FRAGMENTS_ALSO:
2605 notify_name = "non_first_fragment_also";
2606 break;
2607
2608 case IV2_NOTIFY_MOBIKE_SUPPORTED:
2609 notify_name = "mobike_supported";
2610 break;
2611
2612 case IV2_NOTIFY_ADDITIONAL_IP4_ADDRESS:
2613 notify_name = "additional_ip4_address";
2614 break;
2615
2616 case IV2_NOTIFY_ADDITIONAL_IP6_ADDRESS:
2617 notify_name = "additional_ip6_address";
2618 break;
2619
2620 case IV2_NOTIFY_NO_ADDITIONAL_ADDRESSES:
2621 notify_name = "no_additional_addresses";
2622 break;
2623
2624 case IV2_NOTIFY_UPDATE_SA_ADDRESSES:
2625 notify_name = "update_sa_addresses";
2626 break;
2627
2628 case IV2_NOTIFY_COOKIE2:
2629 notify_name = "cookie2";
2630 break;
2631
2632 case IV2_NOTIFY_NO_NATS_ALLOWED:
2633 notify_name = "no_nats_allowed";
2634 break;
2635
2636 case IV2_NOTIFY_AUTH_LIFETIME:
2637 notify_name = "auth_lifetime";
2638 break;
2639
2640 case IV2_NOTIFY_MULTIPLE_AUTH_SUPPORTED:
2641 notify_name = "multiple_auth_supported";
2642 break;
2643
2644 case IV2_NOTIFY_ANOTHER_AUTH_FOLLOWS:
2645 notify_name = "another_auth_follows";
2646 break;
2647
2648 case IV2_NOTIFY_REDIRECT_SUPPORTED:
2649 notify_name = "redirect_supported";
2650 break;
2651
2652 case IV2_NOTIFY_REDIRECT:
2653 notify_name = "redirect";
2654 break;
2655
2656 case IV2_NOTIFY_REDIRECTED_FROM:
2657 notify_name = "redirected_from";
2658 break;
2659
2660 case IV2_NOTIFY_TICKET_LT_OPAQUE:
2661 notify_name = "ticket_lt_opaque";
2662 break;
2663
2664 case IV2_NOTIFY_TICKET_REQUEST:
2665 notify_name = "ticket_request";
2666 break;
2667
2668 case IV2_NOTIFY_TICKET_ACK:
2669 notify_name = "ticket_ack";
2670 break;
2671
2672 case IV2_NOTIFY_TICKET_NACK:
2673 notify_name = "ticket_nack";
2674 break;
2675
2676 case IV2_NOTIFY_TICKET_OPAQUE:
2677 notify_name = "ticket_opaque";
2678 break;
2679
2680 case IV2_NOTIFY_LINK_ID:
2681 notify_name = "link_id";
2682 break;
2683
2684 case IV2_NOTIFY_USE_WESP_MODE:
2685 notify_name = "use_wesp_mode";
2686 break;
2687
2688 case IV2_NOTIFY_ROHC_SUPPORTED:
2689 notify_name = "rohc_supported";
2690 break;
2691
2692 case IV2_NOTIFY_EAP_ONLY_AUTHENTICATION:
2693 notify_name = "eap_only_authentication";
2694 break;
2695
2696 case IV2_NOTIFY_CHILDLESS_IKEV2_SUPPORTED:
2697 notify_name = "childless_ikev2_supported";
2698 break;
2699
2700 case IV2_NOTIFY_QUICK_CRASH_DETECTION:
2701 notify_name = "quick_crash_detection";
2702 break;
2703
2704 case IV2_NOTIFY_IKEV2_MESSAGE_ID_SYNC_SUPPORTED:
2705 notify_name = "ikev2_message_id_sync_supported";
2706 break;
2707
2708 case IV2_NOTIFY_IPSEC_REPLAY_COUNTER_SYNC_SUPPORTED:
2709 notify_name = "ipsec_replay_counter_sync_supported";
2710 break;
2711
2712 case IV2_NOTIFY_IKEV2_MESSAGE_ID_SYNC:
2713 notify_name = "ikev2_message_id_sync";
2714 break;
2715
2716 case IV2_NOTIFY_IPSEC_REPLAY_COUNTER_SYNC:
2717 notify_name = "ipsec_replay_counter_sync";
2718 break;
2719
2720 case IV2_NOTIFY_SECURE_PASSWORD_METHODS:
2721 notify_name = "secure_password_methods";
2722 break;
2723
2724 case IV2_NOTIFY_PSK_PERSIST:
2725 notify_name = "psk_persist";
2726 break;
2727
2728 case IV2_NOTIFY_PSK_CONFIRM:
2729 notify_name = "psk_confirm";
2730 break;
2731
2732 case IV2_NOTIFY_ERX_SUPPORTED:
2733 notify_name = "erx_supported";
2734 break;
2735
2736 case IV2_NOTIFY_IFOM_CAPABILITY:
2737 notify_name = "ifom_capability";
2738 break;
2739
2740 case IV2_NOTIFY_SENDER_REQUEST_ID:
2741 notify_name = "sender_request_id";
2742 break;
2743
2744 case IV2_NOTIFY_IKEV2_FRAGMENTATION_SUPPORTED:
2745 notify_name = "ikev2_fragmentation_supported";
2746 break;
2747
2748 case IV2_NOTIFY_SIGNATURE_HASH_ALGORITHMS:
2749 notify_name = "signature_hash_algorithms";
2750 break;
2751
2752 case IV2_NOTIFY_CLONE_IKE_SA_SUPPORTED:
2753 notify_name = "clone_ike_sa_supported";
2754 break;
2755
2756 case IV2_NOTIFY_CLONE_IKE_SA:
2757 notify_name = "clone_ike_sa";
2758 break;
2759
2760 case IV2_NOTIFY_PUZZLE:
2761 notify_name = "puzzle";
2762 break;
2763
2764 case IV2_NOTIFY_USE_PPK:
2765 notify_name = "use_ppk";
2766 break;
2767
2768 case IV2_NOTIFY_PPK_IDENTITY:
2769 notify_name = "ppk_identity";
2770 break;
2771
2772 case IV2_NOTIFY_NO_PPK_AUTH:
2773 notify_name = "no_ppk_auth";
2774 break;
2775
2776 case IV2_NOTIFY_INTERMEDIATE_EXCHANGE_SUPPORTED:
2777 notify_name = "intermediate_exchange_supported";
2778 break;
2779
2780 case IV2_NOTIFY_IP4_ALLOWED:
2781 notify_name = "ip4_allowed";
2782 break;
2783
2784 case IV2_NOTIFY_IP6_ALLOWED:
2785 notify_name = "ip6_allowed";
2786 break;
2787
2788 case IV2_NOTIFY_ADDITIONAL_KEY_EXCHANGE:
2789 notify_name = "additional_key_exchange";
2790 break;
2791
2792 case IV2_NOTIFY_USE_AGGFRAG:
2793 notify_name = "use_aggfrag";
2794 break;
2795
2796 default:
2797 showspi = 1;
2798 if (type < 8192) {
2799 notify_name="error";
2800 } else if(type < 16384) {
2801 notify_name="private-error";
2802 } else if(type < 40960) {
2803 notify_name="status";
2804 } else {
2805 notify_name="private-status";
2806 }
2807 }
2808
2809 if(notify_name) {
2810 ND_PRINT(" type=%u(%s)", type, notify_name);
2811 }
2812
2813
2814 spi_size = GET_U_1(p->spi_size);
2815 if (showspi && spi_size) {
2816 ND_PRINT(" spi=");
2817 if (!rawprint(ndo, (const uint8_t *)(p + 1), spi_size))
2818 goto trunc;
2819 }
2820
2821 cp = (const u_char *)(p + 1) + spi_size;
2822
2823 if (cp < ep) {
2824 if (ndo->ndo_vflag > 3 || (showsomedata && ep-cp < 30)) {
2825 ND_PRINT(" data=(");
2826 if (!rawprint(ndo, (const uint8_t *)(cp), ep - cp))
2827 goto trunc;
2828
2829 ND_PRINT(")");
2830 } else if (showsomedata) {
2831 if (!ike_show_somedata(ndo, cp, ep))
2832 goto trunc;
2833 }
2834 }
2835
2836 return (const u_char *)ext + item_len;
2837 trunc:
2838 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_N));
2839 return NULL;
2840 }
2841
2842 static const u_char *
2843 ikev2_d_print(netdissect_options *ndo, u_char tpay,
2844 const struct isakmp_gen *ext,
2845 u_int item_len, const u_char *ep _U_,
2846 uint32_t phase _U_, uint32_t doi _U_,
2847 uint32_t proto _U_, int depth _U_)
2848 {
2849 return ikev2_gen_print(ndo, tpay, ext, item_len);
2850 }
2851
2852 static const u_char *
2853 ikev2_vid_print(netdissect_options *ndo, u_char tpay,
2854 const struct isakmp_gen *ext,
2855 u_int item_len, const u_char *ep _U_,
2856 uint32_t phase _U_, uint32_t doi _U_,
2857 uint32_t proto _U_, int depth _U_)
2858 {
2859 const u_char *vid;
2860 u_int i, len;
2861
2862 ND_TCHECK_SIZE(ext);
2863 ikev2_pay_print(ndo, NPSTR(tpay), GET_U_1(ext->critical));
2864
2865 /*
2866 * Our caller has ensured that the length is >= 4.
2867 */
2868 ND_PRINT(" len=%u vid=", item_len - 4);
2869
2870 vid = (const u_char *)(ext+1);
2871 len = item_len - 4;
2872 ND_TCHECK_LEN(vid, len);
2873 for(i=0; i<len; i++) {
2874 if(ND_ASCII_ISPRINT(GET_U_1(vid + i)))
2875 ND_PRINT("%c", GET_U_1(vid + i));
2876 else ND_PRINT(".");
2877 }
2878 if (2 < ndo->ndo_vflag && 4 < len) {
2879 /* Print the entire payload in hex */
2880 ND_PRINT(" ");
2881 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
2882 goto trunc;
2883 }
2884 return (const u_char *)ext + item_len;
2885 trunc:
2886 ND_PRINT(" [|%s]", NPSTR(tpay));
2887 return NULL;
2888 }
2889
2890 static const u_char *
2891 ikev2_TS_print(netdissect_options *ndo, u_char tpay,
2892 const struct isakmp_gen *ext,
2893 u_int item_len, const u_char *ep _U_,
2894 uint32_t phase _U_, uint32_t doi _U_,
2895 uint32_t proto _U_, int depth _U_)
2896 {
2897 return ikev2_gen_print(ndo, tpay, ext, item_len);
2898 }
2899
2900 static const u_char *
2901 ikev2_e_print(netdissect_options *ndo,
2902 #ifndef HAVE_LIBCRYPTO
2903 _U_
2904 #endif
2905 const struct isakmp *base,
2906 u_char tpay,
2907 const struct isakmp_gen *ext,
2908 u_int item_len, const u_char *ep _U_,
2909 #ifndef HAVE_LIBCRYPTO
2910 _U_
2911 #endif
2912 uint32_t phase,
2913 #ifndef HAVE_LIBCRYPTO
2914 _U_
2915 #endif
2916 uint32_t doi,
2917 #ifndef HAVE_LIBCRYPTO
2918 _U_
2919 #endif
2920 uint32_t proto,
2921 #ifndef HAVE_LIBCRYPTO
2922 _U_
2923 #endif
2924 int depth)
2925 {
2926 const u_char *dat;
2927 u_int dlen;
2928 #ifdef HAVE_LIBCRYPTO
2929 uint8_t np;
2930 #endif
2931
2932 ND_TCHECK_SIZE(ext);
2933 ikev2_pay_print(ndo, NPSTR(tpay), GET_U_1(ext->critical));
2934
2935 dlen = item_len-4;
2936
2937 ND_PRINT(" len=%u", dlen);
2938 if (2 < ndo->ndo_vflag && 4 < dlen) {
2939 ND_PRINT(" ");
2940 if (!rawprint(ndo, (const uint8_t *)(ext + 1), dlen))
2941 goto trunc;
2942 }
2943
2944 dat = (const u_char *)(ext+1);
2945 ND_TCHECK_LEN(dat, dlen);
2946
2947 #ifdef HAVE_LIBCRYPTO
2948 np = GET_U_1(ext->np);
2949
2950 /* try to decrypt it! */
2951 if(esp_decrypt_buffer_by_ikev2_print(ndo,
2952 GET_U_1(base->flags) & ISAKMP_FLAG_I,
2953 base->i_ck, base->r_ck,
2954 dat, dat+dlen)) {
2955
2956 ext = (const struct isakmp_gen *)ndo->ndo_packetp;
2957
2958 /* got it decrypted, print stuff inside. */
2959 ikev2_sub_print(ndo, base, np, ext,
2960 ndo->ndo_snapend, phase, doi, proto, depth+1);
2961
2962 /*
2963 * esp_decrypt_buffer_by_ikev2_print pushed information
2964 * on the buffer stack; we're done with the buffer, so
2965 * pop it (which frees the buffer)
2966 */
2967 nd_pop_packet_info(ndo);
2968 }
2969 #endif
2970
2971
2972 /* always return NULL, because E must be at end, and NP refers
2973 * to what was inside.
2974 */
2975 return NULL;
2976 trunc:
2977 ND_PRINT(" [|%s]", NPSTR(tpay));
2978 return NULL;
2979 }
2980
2981 static const u_char *
2982 ikev2_cp_print(netdissect_options *ndo, u_char tpay,
2983 const struct isakmp_gen *ext,
2984 u_int item_len, const u_char *ep _U_,
2985 uint32_t phase _U_, uint32_t doi _U_,
2986 uint32_t proto _U_, int depth _U_)
2987 {
2988 return ikev2_gen_print(ndo, tpay, ext, item_len);
2989 }
2990
2991 static const u_char *
2992 ikev2_eap_print(netdissect_options *ndo, u_char tpay,
2993 const struct isakmp_gen *ext,
2994 u_int item_len, const u_char *ep _U_,
2995 uint32_t phase _U_, uint32_t doi _U_,
2996 uint32_t proto _U_, int depth _U_)
2997 {
2998 return ikev2_gen_print(ndo, tpay, ext, item_len);
2999 }
3000
3001 static const u_char *
3002 ike_sub0_print(netdissect_options *ndo,
3003 u_char np, const struct isakmp_gen *ext, const u_char *ep,
3004
3005 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
3006 {
3007 const u_char *cp;
3008 u_int item_len;
3009
3010 cp = (const u_char *)ext;
3011 ND_TCHECK_SIZE(ext);
3012
3013 /*
3014 * Since we can't have a payload length of less than 4 bytes,
3015 * we need to bail out here if the generic header is nonsensical
3016 * or truncated, otherwise we could loop forever processing
3017 * zero-length items or otherwise misdissect the packet.
3018 */
3019 item_len = GET_BE_U_2(ext->len);
3020 if (item_len <= 4)
3021 return NULL;
3022
3023 if (NPFUNC(np)) {
3024 /*
3025 * XXX - what if item_len is too short, or too long,
3026 * for this payload type?
3027 */
3028 cp = (*npfunc[np])(ndo, np, ext, item_len, ep, phase, doi, proto, depth);
3029 } else {
3030 ND_PRINT("%s", NPSTR(np));
3031 cp += item_len;
3032 }
3033
3034 return cp;
3035 trunc:
3036 nd_print_trunc(ndo);
3037 return NULL;
3038 }
3039
3040 static const u_char *
3041 ikev1_sub_print(netdissect_options *ndo,
3042 u_char np, const struct isakmp_gen *ext, const u_char *ep,
3043 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
3044 {
3045 const u_char *cp;
3046 int i;
3047 u_int item_len;
3048
3049 cp = (const u_char *)ext;
3050
3051 while (np) {
3052 ND_TCHECK_SIZE(ext);
3053
3054 item_len = GET_BE_U_2(ext->len);
3055 ND_TCHECK_LEN(ext, item_len);
3056
3057 depth++;
3058 ND_PRINT("\n");
3059 for (i = 0; i < depth; i++)
3060 ND_PRINT(" ");
3061 ND_PRINT("(");
3062 cp = ike_sub0_print(ndo, np, ext, ep, phase, doi, proto, depth);
3063 ND_PRINT(")");
3064 depth--;
3065
3066 if (cp == NULL) {
3067 /* Zero-length subitem */
3068 return NULL;
3069 }
3070
3071 np = GET_U_1(ext->np);
3072 ext = (const struct isakmp_gen *)cp;
3073 }
3074 return cp;
3075 trunc:
3076 ND_PRINT(" [|%s]", NPSTR(np));
3077 return NULL;
3078 }
3079
3080 static char *
3081 numstr(u_int x)
3082 {
3083 static char buf[20];
3084 snprintf(buf, sizeof(buf), "#%u", x);
3085 return buf;
3086 }
3087
3088 static void
3089 ikev1_print(netdissect_options *ndo,
3090 const u_char *bp, u_int length,
3091 const u_char *bp2, const struct isakmp *base)
3092 {
3093 const struct isakmp *p;
3094 const u_char *ep;
3095 u_int flags;
3096 u_char np;
3097 int i;
3098 u_int phase;
3099
3100 p = (const struct isakmp *)bp;
3101 ep = ndo->ndo_snapend;
3102
3103 phase = (GET_BE_U_4(base->msgid) == 0) ? 1 : 2;
3104 if (phase == 1)
3105 ND_PRINT(" phase %u", phase);
3106 else
3107 ND_PRINT(" phase %u/others", phase);
3108
3109 i = cookie_find(&base->i_ck);
3110 if (i < 0) {
3111 if (iszero(ndo, base->r_ck, sizeof(base->r_ck))) {
3112 /* the first packet */
3113 ND_PRINT(" I");
3114 if (bp2)
3115 cookie_record(ndo, &base->i_ck, bp2);
3116 } else
3117 ND_PRINT(" ?");
3118 } else {
3119 if (bp2 && cookie_isinitiator(ndo, i, bp2))
3120 ND_PRINT(" I");
3121 else if (bp2 && cookie_isresponder(ndo, i, bp2))
3122 ND_PRINT(" R");
3123 else
3124 ND_PRINT(" ?");
3125 }
3126
3127 ND_PRINT(" %s", ETYPESTR(GET_U_1(base->etype)));
3128 flags = GET_U_1(base->flags);
3129 if (flags) {
3130 ND_PRINT("[%s%s]", flags & ISAKMP_FLAG_E ? "E" : "",
3131 flags & ISAKMP_FLAG_C ? "C" : "");
3132 }
3133
3134 if (ndo->ndo_vflag) {
3135 const struct isakmp_gen *ext;
3136
3137 ND_PRINT(":");
3138
3139 np = GET_U_1(base->np);
3140
3141 /* regardless of phase... */
3142 if (flags & ISAKMP_FLAG_E) {
3143 /*
3144 * encrypted, nothing we can do right now.
3145 * we hope to decrypt the packet in the future...
3146 */
3147 ND_PRINT(" [encrypted %s]", NPSTR(np));
3148 goto done;
3149 }
3150
3151 CHECKLEN(p + 1, np);
3152 ext = (const struct isakmp_gen *)(p + 1);
3153 ikev1_sub_print(ndo, np, ext, ep, phase, 0, 0, 0);
3154 }
3155
3156 done:
3157 if (ndo->ndo_vflag) {
3158 if (GET_BE_U_4(base->len) != length) {
3159 ND_PRINT(" (len mismatch: isakmp %u/ip %u)",
3160 GET_BE_U_4(base->len), length);
3161 }
3162 }
3163 }
3164
3165 static const u_char *
3166 ikev2_sub0_print(netdissect_options *ndo, const struct isakmp *base,
3167 u_char np,
3168 const struct isakmp_gen *ext, const u_char *ep,
3169 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
3170 {
3171 const u_char *cp;
3172 u_int item_len;
3173
3174 cp = (const u_char *)ext;
3175 ND_TCHECK_SIZE(ext);
3176
3177 /*
3178 * Since we can't have a payload length of less than 4 bytes,
3179 * we need to bail out here if the generic header is nonsensical
3180 * or truncated, otherwise we could loop forever processing
3181 * zero-length items or otherwise misdissect the packet.
3182 */
3183 item_len = GET_BE_U_2(ext->len);
3184 if (item_len <= 4)
3185 return NULL;
3186
3187 if (np == ISAKMP_NPTYPE_v2E) {
3188 cp = ikev2_e_print(ndo, base, np, ext, item_len,
3189 ep, phase, doi, proto, depth);
3190 } else if (NPFUNC(np)) {
3191 /*
3192 * XXX - what if item_len is too short, or too long,
3193 * for this payload type?
3194 */
3195 cp = (*npfunc[np])(ndo, np, ext, item_len,
3196 ep, phase, doi, proto, depth);
3197 } else {
3198 ND_PRINT("%s", NPSTR(np));
3199 cp += item_len;
3200 }
3201
3202 return cp;
3203 trunc:
3204 nd_print_trunc(ndo);
3205 return NULL;
3206 }
3207
3208 static const u_char *
3209 ikev2_sub_print(netdissect_options *ndo,
3210 const struct isakmp *base,
3211 u_char np, const struct isakmp_gen *ext, const u_char *ep,
3212 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
3213 {
3214 const u_char *cp;
3215 int i;
3216
3217 cp = (const u_char *)ext;
3218 while (np) {
3219 ND_TCHECK_SIZE(ext);
3220
3221 ND_TCHECK_LEN(ext, GET_BE_U_2(ext->len));
3222
3223 depth++;
3224 ND_PRINT("\n");
3225 for (i = 0; i < depth; i++)
3226 ND_PRINT(" ");
3227 ND_PRINT("(");
3228 cp = ikev2_sub0_print(ndo, base, np,
3229 ext, ep, phase, doi, proto, depth);
3230 ND_PRINT(")");
3231 depth--;
3232
3233 if (cp == NULL) {
3234 /* Zero-length subitem */
3235 return NULL;
3236 }
3237
3238 np = GET_U_1(ext->np);
3239 ext = (const struct isakmp_gen *)cp;
3240 }
3241 return cp;
3242 trunc:
3243 ND_PRINT(" [|%s]", NPSTR(np));
3244 return NULL;
3245 }
3246
3247 static void
3248 ikev2_print(netdissect_options *ndo,
3249 const u_char *bp, u_int length,
3250 const u_char *bp2 _U_, const struct isakmp *base)
3251 {
3252 const struct isakmp *p;
3253 const u_char *ep;
3254 uint8_t flags;
3255 u_char np;
3256 u_int phase;
3257
3258 p = (const struct isakmp *)bp;
3259 ep = ndo->ndo_snapend;
3260
3261 phase = (GET_BE_U_4(base->msgid) == 0) ? 1 : 2;
3262 if (phase == 1)
3263 ND_PRINT(" parent_sa");
3264 else
3265 ND_PRINT(" child_sa ");
3266
3267 ND_PRINT(" %s", ETYPESTR(GET_U_1(base->etype)));
3268 flags = GET_U_1(base->flags);
3269 if (flags) {
3270 ND_PRINT("[%s%s%s]",
3271 flags & ISAKMP_FLAG_I ? "I" : "",
3272 flags & ISAKMP_FLAG_V ? "V" : "",
3273 flags & ISAKMP_FLAG_R ? "R" : "");
3274 }
3275
3276 if (ndo->ndo_vflag) {
3277 const struct isakmp_gen *ext;
3278
3279 ND_PRINT(":");
3280
3281 np = GET_U_1(base->np);
3282
3283 /* regardless of phase... */
3284 if (flags & ISAKMP_FLAG_E) {
3285 /*
3286 * encrypted, nothing we can do right now.
3287 * we hope to decrypt the packet in the future...
3288 */
3289 ND_PRINT(" [encrypted %s]", NPSTR(np));
3290 goto done;
3291 }
3292
3293 CHECKLEN(p + 1, np)
3294 ext = (const struct isakmp_gen *)(p + 1);
3295 ikev2_sub_print(ndo, base, np, ext, ep, phase, 0, 0, 0);
3296 }
3297
3298 done:
3299 if (ndo->ndo_vflag) {
3300 if (GET_BE_U_4(base->len) != length) {
3301 ND_PRINT(" (len mismatch: isakmp %u/ip %u)",
3302 GET_BE_U_4(base->len), length);
3303 }
3304 }
3305 }
3306
3307 void
3308 isakmp_print(netdissect_options *ndo,
3309 const u_char *bp, u_int length,
3310 const u_char *bp2)
3311 {
3312 const struct isakmp *p;
3313 const u_char *ep;
3314 u_int major, minor;
3315
3316 ndo->ndo_protocol = "isakmp";
3317 #ifdef HAVE_LIBCRYPTO
3318 /* initialize SAs */
3319 if (ndo->ndo_sa_list_head == NULL) {
3320 if (ndo->ndo_espsecret)
3321 esp_decodesecret_print(ndo);
3322 }
3323 #endif
3324
3325 p = (const struct isakmp *)bp;
3326 ep = ndo->ndo_snapend;
3327
3328 if ((const struct isakmp *)ep < p + 1) {
3329 nd_print_trunc(ndo);
3330 return;
3331 }
3332
3333 ND_PRINT("isakmp");
3334 major = (GET_U_1(p->vers) & ISAKMP_VERS_MAJOR)
3335 >> ISAKMP_VERS_MAJOR_SHIFT;
3336 minor = (GET_U_1(p->vers) & ISAKMP_VERS_MINOR)
3337 >> ISAKMP_VERS_MINOR_SHIFT;
3338
3339 if (ndo->ndo_vflag) {
3340 ND_PRINT(" %u.%u", major, minor);
3341 }
3342
3343 if (ndo->ndo_vflag) {
3344 ND_PRINT(" msgid ");
3345 hexprint(ndo, p->msgid, sizeof(p->msgid));
3346 }
3347
3348 if (1 < ndo->ndo_vflag) {
3349 ND_PRINT(" cookie ");
3350 hexprint(ndo, p->i_ck, sizeof(p->i_ck));
3351 ND_PRINT("->");
3352 hexprint(ndo, p->r_ck, sizeof(p->r_ck));
3353 }
3354 ND_PRINT(":");
3355
3356 switch(major) {
3357 case IKEv1_MAJOR_VERSION:
3358 ikev1_print(ndo, bp, length, bp2, p);
3359 break;
3360
3361 case IKEv2_MAJOR_VERSION:
3362 ikev2_print(ndo, bp, length, bp2, p);
3363 break;
3364 }
3365 }
3366
3367 void
3368 isakmp_rfc3948_print(netdissect_options *ndo,
3369 const u_char *bp, u_int length,
3370 const u_char *bp2, int ver, int fragmented, u_int ttl_hl)
3371 {
3372 ndo->ndo_protocol = "isakmp_rfc3948";
3373 if(length == 1 && GET_U_1(bp)==0xff) {
3374 ND_PRINT("isakmp-nat-keep-alive");
3375 return;
3376 }
3377
3378 if(length < 4) {
3379 goto trunc;
3380 }
3381
3382 /*
3383 * see if this is an IKE packet
3384 */
3385 if (GET_BE_U_4(bp) == 0) {
3386 ND_PRINT("NONESP-encap: ");
3387 isakmp_print(ndo, bp+4, length-4, bp2);
3388 return;
3389 }
3390
3391 /* must be an ESP packet */
3392 {
3393 ND_PRINT("UDP-encap: ");
3394
3395 esp_print(ndo, bp, length, bp2, ver, fragmented, ttl_hl);
3396
3397 /*
3398 * Either this has decrypted the payload and
3399 * printed it, in which case there's nothing more
3400 * to do, or it hasn't, in which case there's
3401 * nothing more to do.
3402 */
3403 return;
3404 }
3405
3406 trunc:
3407 nd_print_trunc(ndo);
3408 }
[mirror] the TCPdump network dissector