]> The Tcpdump Group git mirrors - tcpdump/blob - print-isakmp.c
projects / tcpdump / blob
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Handle very large -f files by rejecting them.
[tcpdump] / print-isakmp.c
1 /*
2 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. Neither the name of the project nor the names of its contributors
14 * may be used to endorse or promote products derived from this software
15 * without specific prior written permission.
16 *
17 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27 * SUCH DAMAGE.
28 *
29 */
30
31 /* \summary: Internet Security Association and Key Management Protocol (ISAKMP) printer */
32
33 #ifdef HAVE_CONFIG_H
34 #include "config.h"
35 #endif
36
37 /* The functions from print-esp.c used in this file are only defined when both
38 * OpenSSL and evp.h are detected. Employ the same preprocessor device here.
39 */
40 #ifndef HAVE_OPENSSL_EVP_H
41 #undef HAVE_LIBCRYPTO
42 #endif
43
44 #include <netdissect-stdinc.h>
45
46 #include <string.h>
47
48 #include "netdissect.h"
49 #include "addrtoname.h"
50 #include "extract.h"
51
52 #include "ip.h"
53 #include "ip6.h"
54 #include "ipproto.h"
55
56 /* refer to RFC 2408 */
57
58 typedef u_char cookie_t[8];
59 typedef u_char msgid_t[4];
60
61 #define PORT_ISAKMP 500
62
63 /* 3.1 ISAKMP Header Format (IKEv1 and IKEv2)
64 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
65 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
66 ! Initiator !
67 ! Cookie !
68 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
69 ! Responder !
70 ! Cookie !
71 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
72 ! Next Payload ! MjVer ! MnVer ! Exchange Type ! Flags !
73 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
74 ! Message ID !
75 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
76 ! Length !
77 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
78 */
79 struct isakmp {
80 cookie_t i_ck; /* Initiator Cookie */
81 cookie_t r_ck; /* Responder Cookie */
82 uint8_t np; /* Next Payload Type */
83 uint8_t vers;
84 #define ISAKMP_VERS_MAJOR 0xf0
85 #define ISAKMP_VERS_MAJOR_SHIFT 4
86 #define ISAKMP_VERS_MINOR 0x0f
87 #define ISAKMP_VERS_MINOR_SHIFT 0
88 uint8_t etype; /* Exchange Type */
89 uint8_t flags; /* Flags */
90 msgid_t msgid;
91 uint32_t len; /* Length */
92 };
93
94 /* Next Payload Type */
95 #define ISAKMP_NPTYPE_NONE 0 /* NONE*/
96 #define ISAKMP_NPTYPE_SA 1 /* Security Association */
97 #define ISAKMP_NPTYPE_P 2 /* Proposal */
98 #define ISAKMP_NPTYPE_T 3 /* Transform */
99 #define ISAKMP_NPTYPE_KE 4 /* Key Exchange */
100 #define ISAKMP_NPTYPE_ID 5 /* Identification */
101 #define ISAKMP_NPTYPE_CERT 6 /* Certificate */
102 #define ISAKMP_NPTYPE_CR 7 /* Certificate Request */
103 #define ISAKMP_NPTYPE_HASH 8 /* Hash */
104 #define ISAKMP_NPTYPE_SIG 9 /* Signature */
105 #define ISAKMP_NPTYPE_NONCE 10 /* Nonce */
106 #define ISAKMP_NPTYPE_N 11 /* Notification */
107 #define ISAKMP_NPTYPE_D 12 /* Delete */
108 #define ISAKMP_NPTYPE_VID 13 /* Vendor ID */
109 #define ISAKMP_NPTYPE_v2E 46 /* v2 Encrypted payload */
110
111 #define IKEv1_MAJOR_VERSION 1
112 #define IKEv1_MINOR_VERSION 0
113
114 #define IKEv2_MAJOR_VERSION 2
115 #define IKEv2_MINOR_VERSION 0
116
117 /* Flags */
118 #define ISAKMP_FLAG_E 0x01 /* Encryption Bit */
119 #define ISAKMP_FLAG_C 0x02 /* Commit Bit */
120 #define ISAKMP_FLAG_extra 0x04
121
122 /* IKEv2 */
123 #define ISAKMP_FLAG_I (1 << 3) /* (I)nitiator */
124 #define ISAKMP_FLAG_V (1 << 4) /* (V)ersion */
125 #define ISAKMP_FLAG_R (1 << 5) /* (R)esponse */
126
127
128 /* 3.2 Payload Generic Header
129 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
130 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
131 ! Next Payload ! RESERVED ! Payload Length !
132 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
133 */
134 struct isakmp_gen {
135 uint8_t np; /* Next Payload */
136 uint8_t critical; /* bit 7 - critical, rest is RESERVED */
137 uint16_t len; /* Payload Length */
138 };
139
140 /* 3.3 Data Attributes
141 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
142 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
143 !A! Attribute Type ! AF=0 Attribute Length !
144 !F! ! AF=1 Attribute Value !
145 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
146 . AF=0 Attribute Value .
147 . AF=1 Not Transmitted .
148 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
149 */
150 struct isakmp_data {
151 uint16_t type; /* defined by DOI-spec, and Attribute Format */
152 uint16_t lorv; /* if f equal 1, Attribute Length */
153 /* if f equal 0, Attribute Value */
154 /* if f equal 1, Attribute Value */
155 };
156
157 /* 3.4 Security Association Payload */
158 /* MAY NOT be used, because of being defined in ipsec-doi. */
159 /*
160 If the current payload is the last in the message,
161 then the value of the next payload field will be 0.
162 This field MUST NOT contain the
163 values for the Proposal or Transform payloads as they are considered
164 part of the security association negotiation. For example, this
165 field would contain the value "10" (Nonce payload) in the first
166 message of a Base Exchange (see Section 4.4) and the value "0" in the
167 first message of an Identity Protect Exchange (see Section 4.5).
168 */
169 struct ikev1_pl_sa {
170 struct isakmp_gen h;
171 uint32_t doi; /* Domain of Interpretation */
172 uint32_t sit; /* Situation */
173 };
174
175 /* 3.5 Proposal Payload */
176 /*
177 The value of the next payload field MUST only contain the value "2"
178 or "0". If there are additional Proposal payloads in the message,
179 then this field will be 2. If the current Proposal payload is the
180 last within the security association proposal, then this field will
181 be 0.
182 */
183 struct ikev1_pl_p {
184 struct isakmp_gen h;
185 uint8_t p_no; /* Proposal # */
186 uint8_t prot_id; /* Protocol */
187 uint8_t spi_size; /* SPI Size */
188 uint8_t num_t; /* Number of Transforms */
189 /* SPI */
190 };
191
192 /* 3.6 Transform Payload */
193 /*
194 The value of the next payload field MUST only contain the value "3"
195 or "0". If there are additional Transform payloads in the proposal,
196 then this field will be 3. If the current Transform payload is the
197 last within the proposal, then this field will be 0.
198 */
199 struct ikev1_pl_t {
200 struct isakmp_gen h;
201 uint8_t t_no; /* Transform # */
202 uint8_t t_id; /* Transform-Id */
203 uint16_t reserved; /* RESERVED2 */
204 /* SA Attributes */
205 };
206
207 /* 3.7 Key Exchange Payload */
208 struct ikev1_pl_ke {
209 struct isakmp_gen h;
210 /* Key Exchange Data */
211 };
212
213 /* 3.8 Identification Payload */
214 /* MUST NOT to be used, because of being defined in ipsec-doi. */
215 struct ikev1_pl_id {
216 struct isakmp_gen h;
217 union {
218 uint8_t id_type; /* ID Type */
219 uint32_t doi_data; /* DOI Specific ID Data */
220 } d;
221 /* Identification Data */
222 };
223
224 /* 3.9 Certificate Payload */
225 struct ikev1_pl_cert {
226 struct isakmp_gen h;
227 uint8_t encode; /* Cert Encoding */
228 char cert; /* Certificate Data */
229 /*
230 This field indicates the type of
231 certificate or certificate-related information contained in the
232 Certificate Data field.
233 */
234 };
235
236 /* 3.10 Certificate Request Payload */
237 struct ikev1_pl_cr {
238 struct isakmp_gen h;
239 uint8_t num_cert; /* # Cert. Types */
240 /*
241 Certificate Types (variable length)
242 -- Contains a list of the types of certificates requested,
243 sorted in order of preference. Each individual certificate
244 type is 1 octet. This field is NOT requiredo
245 */
246 /* # Certificate Authorities (1 octet) */
247 /* Certificate Authorities (variable length) */
248 };
249
250 /* 3.11 Hash Payload */
251 /* may not be used, because of having only data. */
252 struct ikev1_pl_hash {
253 struct isakmp_gen h;
254 /* Hash Data */
255 };
256
257 /* 3.12 Signature Payload */
258 /* may not be used, because of having only data. */
259 struct ikev1_pl_sig {
260 struct isakmp_gen h;
261 /* Signature Data */
262 };
263
264 /* 3.13 Nonce Payload */
265 /* may not be used, because of having only data. */
266 struct ikev1_pl_nonce {
267 struct isakmp_gen h;
268 /* Nonce Data */
269 };
270
271 /* 3.14 Notification Payload */
272 struct ikev1_pl_n {
273 struct isakmp_gen h;
274 uint32_t doi; /* Domain of Interpretation */
275 uint8_t prot_id; /* Protocol-ID */
276 uint8_t spi_size; /* SPI Size */
277 uint16_t type; /* Notify Message Type */
278 /* SPI */
279 /* Notification Data */
280 };
281
282 /* 3.14.1 Notify Message Types */
283 /* NOTIFY MESSAGES - ERROR TYPES */
284 #define ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE 1
285 #define ISAKMP_NTYPE_DOI_NOT_SUPPORTED 2
286 #define ISAKMP_NTYPE_SITUATION_NOT_SUPPORTED 3
287 #define ISAKMP_NTYPE_INVALID_COOKIE 4
288 #define ISAKMP_NTYPE_INVALID_MAJOR_VERSION 5
289 #define ISAKMP_NTYPE_INVALID_MINOR_VERSION 6
290 #define ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE 7
291 #define ISAKMP_NTYPE_INVALID_FLAGS 8
292 #define ISAKMP_NTYPE_INVALID_MESSAGE_ID 9
293 #define ISAKMP_NTYPE_INVALID_PROTOCOL_ID 10
294 #define ISAKMP_NTYPE_INVALID_SPI 11
295 #define ISAKMP_NTYPE_INVALID_TRANSFORM_ID 12
296 #define ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED 13
297 #define ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN 14
298 #define ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX 15
299 #define ISAKMP_NTYPE_PAYLOAD_MALFORMED 16
300 #define ISAKMP_NTYPE_INVALID_KEY_INFORMATION 17
301 #define ISAKMP_NTYPE_INVALID_ID_INFORMATION 18
302 #define ISAKMP_NTYPE_INVALID_CERT_ENCODING 19
303 #define ISAKMP_NTYPE_INVALID_CERTIFICATE 20
304 #define ISAKMP_NTYPE_BAD_CERT_REQUEST_SYNTAX 21
305 #define ISAKMP_NTYPE_INVALID_CERT_AUTHORITY 22
306 #define ISAKMP_NTYPE_INVALID_HASH_INFORMATION 23
307 #define ISAKMP_NTYPE_AUTHENTICATION_FAILED 24
308 #define ISAKMP_NTYPE_INVALID_SIGNATURE 25
309 #define ISAKMP_NTYPE_ADDRESS_NOTIFICATION 26
310
311 /* 3.15 Delete Payload */
312 struct ikev1_pl_d {
313 struct isakmp_gen h;
314 uint32_t doi; /* Domain of Interpretation */
315 uint8_t prot_id; /* Protocol-Id */
316 uint8_t spi_size; /* SPI Size */
317 uint16_t num_spi; /* # of SPIs */
318 /* SPI(es) */
319 };
320
321 struct ikev1_ph1tab {
322 struct ikev1_ph1 *head;
323 struct ikev1_ph1 *tail;
324 int len;
325 };
326
327 struct isakmp_ph2tab {
328 struct ikev1_ph2 *head;
329 struct ikev1_ph2 *tail;
330 int len;
331 };
332
333 /* IKEv2 (RFC4306) */
334
335 /* 3.3 Security Association Payload -- generic header */
336 /* 3.3.1. Proposal Substructure */
337 struct ikev2_p {
338 struct isakmp_gen h;
339 uint8_t p_no; /* Proposal # */
340 uint8_t prot_id; /* Protocol */
341 uint8_t spi_size; /* SPI Size */
342 uint8_t num_t; /* Number of Transforms */
343 };
344
345 /* 3.3.2. Transform Substructure */
346 struct ikev2_t {
347 struct isakmp_gen h;
348 uint8_t t_type; /* Transform Type (ENCR,PRF,INTEG,etc.*/
349 uint8_t res2; /* reserved byte */
350 uint16_t t_id; /* Transform ID */
351 };
352
353 enum ikev2_t_type {
354 IV2_T_ENCR = 1,
355 IV2_T_PRF = 2,
356 IV2_T_INTEG= 3,
357 IV2_T_DH = 4,
358 IV2_T_ESN = 5
359 };
360
361 /* 3.4. Key Exchange Payload */
362 struct ikev2_ke {
363 struct isakmp_gen h;
364 uint16_t ke_group;
365 uint16_t ke_res1;
366 /* KE data */
367 };
368
369
370 /* 3.5. Identification Payloads */
371 enum ikev2_id_type {
372 ID_IPV4_ADDR=1,
373 ID_FQDN=2,
374 ID_RFC822_ADDR=3,
375 ID_IPV6_ADDR=5,
376 ID_DER_ASN1_DN=9,
377 ID_DER_ASN1_GN=10,
378 ID_KEY_ID=11
379 };
380 struct ikev2_id {
381 struct isakmp_gen h;
382 uint8_t type; /* ID type */
383 uint8_t res1;
384 uint16_t res2;
385 /* SPI */
386 /* Notification Data */
387 };
388
389 /* 3.10 Notification Payload */
390 struct ikev2_n {
391 struct isakmp_gen h;
392 uint8_t prot_id; /* Protocol-ID */
393 uint8_t spi_size; /* SPI Size */
394 uint16_t type; /* Notify Message Type */
395 };
396
397 enum ikev2_n_type {
398 IV2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD = 1,
399 IV2_NOTIFY_INVALID_IKE_SPI = 4,
400 IV2_NOTIFY_INVALID_MAJOR_VERSION = 5,
401 IV2_NOTIFY_INVALID_SYNTAX = 7,
402 IV2_NOTIFY_INVALID_MESSAGE_ID = 9,
403 IV2_NOTIFY_INVALID_SPI =11,
404 IV2_NOTIFY_NO_PROPOSAL_CHOSEN =14,
405 IV2_NOTIFY_INVALID_KE_PAYLOAD =17,
406 IV2_NOTIFY_AUTHENTICATION_FAILED =24,
407 IV2_NOTIFY_SINGLE_PAIR_REQUIRED =34,
408 IV2_NOTIFY_NO_ADDITIONAL_SAS =35,
409 IV2_NOTIFY_INTERNAL_ADDRESS_FAILURE =36,
410 IV2_NOTIFY_FAILED_CP_REQUIRED =37,
411 IV2_NOTIFY_INVALID_SELECTORS =39,
412 IV2_NOTIFY_INITIAL_CONTACT =16384,
413 IV2_NOTIFY_SET_WINDOW_SIZE =16385,
414 IV2_NOTIFY_ADDITIONAL_TS_POSSIBLE =16386,
415 IV2_NOTIFY_IPCOMP_SUPPORTED =16387,
416 IV2_NOTIFY_NAT_DETECTION_SOURCE_IP =16388,
417 IV2_NOTIFY_NAT_DETECTION_DESTINATION_IP =16389,
418 IV2_NOTIFY_COOKIE =16390,
419 IV2_NOTIFY_USE_TRANSPORT_MODE =16391,
420 IV2_NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED =16392,
421 IV2_NOTIFY_REKEY_SA =16393,
422 IV2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED =16394,
423 IV2_NOTIFY_NON_FIRST_FRAGMENTS_ALSO =16395
424 };
425
426 struct notify_messages {
427 uint16_t type;
428 char *msg;
429 };
430
431 /* 3.8 Authentication Payload */
432 struct ikev2_auth {
433 struct isakmp_gen h;
434 uint8_t auth_method; /* Protocol-ID */
435 uint8_t reserved[3];
436 /* authentication data */
437 };
438
439 enum ikev2_auth_type {
440 IV2_RSA_SIG = 1,
441 IV2_SHARED = 2,
442 IV2_DSS_SIG = 3
443 };
444
445 /* refer to RFC 2409 */
446
447 #if 0
448 /* isakmp sa structure */
449 struct oakley_sa {
450 uint8_t proto_id; /* OAKLEY */
451 vchar_t *spi; /* spi */
452 uint8_t dhgrp; /* DH; group */
453 uint8_t auth_t; /* method of authentication */
454 uint8_t prf_t; /* type of prf */
455 uint8_t hash_t; /* type of hash */
456 uint8_t enc_t; /* type of cipher */
457 uint8_t life_t; /* type of duration of lifetime */
458 uint32_t ldur; /* life duration */
459 };
460 #endif
461
462 /* refer to RFC 2407 */
463
464 #define IPSEC_DOI 1
465
466 /* 4.2 IPSEC Situation Definition */
467 #define IPSECDOI_SIT_IDENTITY_ONLY 0x00000001
468 #define IPSECDOI_SIT_SECRECY 0x00000002
469 #define IPSECDOI_SIT_INTEGRITY 0x00000004
470
471 /* 4.4.1 IPSEC Security Protocol Identifiers */
472 /* 4.4.2 IPSEC ISAKMP Transform Values */
473 #define IPSECDOI_PROTO_ISAKMP 1
474 #define IPSECDOI_KEY_IKE 1
475
476 /* 4.4.1 IPSEC Security Protocol Identifiers */
477 #define IPSECDOI_PROTO_IPSEC_AH 2
478 /* 4.4.3 IPSEC AH Transform Values */
479 #define IPSECDOI_AH_MD5 2
480 #define IPSECDOI_AH_SHA 3
481 #define IPSECDOI_AH_DES 4
482 #define IPSECDOI_AH_SHA2_256 5
483 #define IPSECDOI_AH_SHA2_384 6
484 #define IPSECDOI_AH_SHA2_512 7
485
486 /* 4.4.1 IPSEC Security Protocol Identifiers */
487 #define IPSECDOI_PROTO_IPSEC_ESP 3
488 /* 4.4.4 IPSEC ESP Transform Identifiers */
489 #define IPSECDOI_ESP_DES_IV64 1
490 #define IPSECDOI_ESP_DES 2
491 #define IPSECDOI_ESP_3DES 3
492 #define IPSECDOI_ESP_RC5 4
493 #define IPSECDOI_ESP_IDEA 5
494 #define IPSECDOI_ESP_CAST 6
495 #define IPSECDOI_ESP_BLOWFISH 7
496 #define IPSECDOI_ESP_3IDEA 8
497 #define IPSECDOI_ESP_DES_IV32 9
498 #define IPSECDOI_ESP_RC4 10
499 #define IPSECDOI_ESP_NULL 11
500 #define IPSECDOI_ESP_RIJNDAEL 12
501 #define IPSECDOI_ESP_AES 12
502
503 /* 4.4.1 IPSEC Security Protocol Identifiers */
504 #define IPSECDOI_PROTO_IPCOMP 4
505 /* 4.4.5 IPSEC IPCOMP Transform Identifiers */
506 #define IPSECDOI_IPCOMP_OUI 1
507 #define IPSECDOI_IPCOMP_DEFLATE 2
508 #define IPSECDOI_IPCOMP_LZS 3
509
510 /* 4.5 IPSEC Security Association Attributes */
511 #define IPSECDOI_ATTR_SA_LTYPE 1 /* B */
512 #define IPSECDOI_ATTR_SA_LTYPE_DEFAULT 1
513 #define IPSECDOI_ATTR_SA_LTYPE_SEC 1
514 #define IPSECDOI_ATTR_SA_LTYPE_KB 2
515 #define IPSECDOI_ATTR_SA_LDUR 2 /* V */
516 #define IPSECDOI_ATTR_SA_LDUR_DEFAULT 28800 /* 8 hours */
517 #define IPSECDOI_ATTR_GRP_DESC 3 /* B */
518 #define IPSECDOI_ATTR_ENC_MODE 4 /* B */
519 /* default value: host dependent */
520 #define IPSECDOI_ATTR_ENC_MODE_TUNNEL 1
521 #define IPSECDOI_ATTR_ENC_MODE_TRNS 2
522 #define IPSECDOI_ATTR_AUTH 5 /* B */
523 /* 0 means not to use authentication. */
524 #define IPSECDOI_ATTR_AUTH_HMAC_MD5 1
525 #define IPSECDOI_ATTR_AUTH_HMAC_SHA1 2
526 #define IPSECDOI_ATTR_AUTH_DES_MAC 3
527 #define IPSECDOI_ATTR_AUTH_KPDK 4 /*RFC-1826(Key/Pad/Data/Key)*/
528 /*
529 * When negotiating ESP without authentication, the Auth
530 * Algorithm attribute MUST NOT be included in the proposal.
531 * When negotiating ESP without confidentiality, the Auth
532 * Algorithm attribute MUST be included in the proposal and
533 * the ESP transform ID must be ESP_NULL.
534 */
535 #define IPSECDOI_ATTR_KEY_LENGTH 6 /* B */
536 #define IPSECDOI_ATTR_KEY_ROUNDS 7 /* B */
537 #define IPSECDOI_ATTR_COMP_DICT_SIZE 8 /* B */
538 #define IPSECDOI_ATTR_COMP_PRIVALG 9 /* V */
539
540 /* 4.6.1 Security Association Payload */
541 struct ipsecdoi_sa {
542 struct isakmp_gen h;
543 uint32_t doi; /* Domain of Interpretation */
544 uint32_t sit; /* Situation */
545 };
546
547 struct ipsecdoi_secrecy_h {
548 uint16_t len;
549 uint16_t reserved;
550 };
551
552 /* 4.6.2.1 Identification Type Values */
553 struct ipsecdoi_id {
554 struct isakmp_gen h;
555 uint8_t type; /* ID Type */
556 uint8_t proto_id; /* Protocol ID */
557 uint16_t port; /* Port */
558 /* Identification Data */
559 };
560
561 #define IPSECDOI_ID_IPV4_ADDR 1
562 #define IPSECDOI_ID_FQDN 2
563 #define IPSECDOI_ID_USER_FQDN 3
564 #define IPSECDOI_ID_IPV4_ADDR_SUBNET 4
565 #define IPSECDOI_ID_IPV6_ADDR 5
566 #define IPSECDOI_ID_IPV6_ADDR_SUBNET 6
567 #define IPSECDOI_ID_IPV4_ADDR_RANGE 7
568 #define IPSECDOI_ID_IPV6_ADDR_RANGE 8
569 #define IPSECDOI_ID_DER_ASN1_DN 9
570 #define IPSECDOI_ID_DER_ASN1_GN 10
571 #define IPSECDOI_ID_KEY_ID 11
572
573 /* 4.6.3 IPSEC DOI Notify Message Types */
574 /* Notify Messages - Status Types */
575 #define IPSECDOI_NTYPE_RESPONDER_LIFETIME 24576
576 #define IPSECDOI_NTYPE_REPLAY_STATUS 24577
577 #define IPSECDOI_NTYPE_INITIAL_CONTACT 24578
578
579 #define DECLARE_PRINTER(func) static const u_char *ike##func##_print( \
580 netdissect_options *ndo, u_char tpay, \
581 const struct isakmp_gen *ext, \
582 u_int item_len, \
583 const u_char *end_pointer, \
584 uint32_t phase,\
585 uint32_t doi0, \
586 uint32_t proto0, int depth)
587
588 DECLARE_PRINTER(v1_sa);
589 DECLARE_PRINTER(v1_p);
590 DECLARE_PRINTER(v1_t);
591 DECLARE_PRINTER(v1_ke);
592 DECLARE_PRINTER(v1_id);
593 DECLARE_PRINTER(v1_cert);
594 DECLARE_PRINTER(v1_cr);
595 DECLARE_PRINTER(v1_sig);
596 DECLARE_PRINTER(v1_hash);
597 DECLARE_PRINTER(v1_nonce);
598 DECLARE_PRINTER(v1_n);
599 DECLARE_PRINTER(v1_d);
600 DECLARE_PRINTER(v1_vid);
601
602 DECLARE_PRINTER(v2_sa);
603 DECLARE_PRINTER(v2_ke);
604 DECLARE_PRINTER(v2_ID);
605 DECLARE_PRINTER(v2_cert);
606 DECLARE_PRINTER(v2_cr);
607 DECLARE_PRINTER(v2_auth);
608 DECLARE_PRINTER(v2_nonce);
609 DECLARE_PRINTER(v2_n);
610 DECLARE_PRINTER(v2_d);
611 DECLARE_PRINTER(v2_vid);
612 DECLARE_PRINTER(v2_TS);
613 DECLARE_PRINTER(v2_cp);
614 DECLARE_PRINTER(v2_eap);
615
616 static const u_char *ikev2_e_print(netdissect_options *ndo,
617 struct isakmp *base,
618 u_char tpay,
619 const struct isakmp_gen *ext,
620 u_int item_len,
621 const u_char *end_pointer,
622 uint32_t phase,
623 uint32_t doi0,
624 uint32_t proto0, int depth);
625
626
627 static const u_char *ike_sub0_print(netdissect_options *ndo,u_char, const struct isakmp_gen *,
628 const u_char *, uint32_t, uint32_t, uint32_t, int);
629 static const u_char *ikev1_sub_print(netdissect_options *ndo,u_char, const struct isakmp_gen *,
630 const u_char *, uint32_t, uint32_t, uint32_t, int);
631
632 static const u_char *ikev2_sub_print(netdissect_options *ndo,
633 struct isakmp *base,
634 u_char np, const struct isakmp_gen *ext,
635 const u_char *ep, uint32_t phase,
636 uint32_t doi, uint32_t proto,
637 int depth);
638
639
640 static char *numstr(int);
641
642 static void
643 ikev1_print(netdissect_options *ndo,
644 const u_char *bp, u_int length,
645 const u_char *bp2, struct isakmp *base);
646
647 #define MAXINITIATORS 20
648 static int ninitiator = 0;
649 union inaddr_u {
650 struct in_addr in4;
651 struct in6_addr in6;
652 };
653 static struct {
654 cookie_t initiator;
655 u_int version;
656 union inaddr_u iaddr;
657 union inaddr_u raddr;
658 } cookiecache[MAXINITIATORS];
659
660 /* protocol id */
661 static const char *protoidstr[] = {
662 NULL, "isakmp", "ipsec-ah", "ipsec-esp", "ipcomp",
663 };
664
665 /* isakmp->np */
666 static const char *npstr[] = {
667 "none", "sa", "p", "t", "ke", "id", "cert", "cr", "hash", /* 0 - 8 */
668 "sig", "nonce", "n", "d", "vid", /* 9 - 13 */
669 "pay14", "pay15", "pay16", "pay17", "pay18", /* 14- 18 */
670 "pay19", "pay20", "pay21", "pay22", "pay23", /* 19- 23 */
671 "pay24", "pay25", "pay26", "pay27", "pay28", /* 24- 28 */
672 "pay29", "pay30", "pay31", "pay32", /* 29- 32 */
673 "v2sa", "v2ke", "v2IDi", "v2IDr", "v2cert",/* 33- 37 */
674 "v2cr", "v2auth","v2nonce", "v2n", "v2d", /* 38- 42 */
675 "v2vid", "v2TSi", "v2TSr", "v2e", "v2cp", /* 43- 47 */
676 "v2eap", /* 48 */
677
678 };
679
680 /* isakmp->np */
681 static const u_char *(*npfunc[])(netdissect_options *ndo, u_char tpay,
682 const struct isakmp_gen *ext,
683 u_int item_len,
684 const u_char *end_pointer,
685 uint32_t phase,
686 uint32_t doi0,
687 uint32_t proto0, int depth) = {
688 NULL,
689 ikev1_sa_print,
690 ikev1_p_print,
691 ikev1_t_print,
692 ikev1_ke_print,
693 ikev1_id_print,
694 ikev1_cert_print,
695 ikev1_cr_print,
696 ikev1_hash_print,
697 ikev1_sig_print,
698 ikev1_nonce_print,
699 ikev1_n_print,
700 ikev1_d_print,
701 ikev1_vid_print, /* 13 */
702 NULL, NULL, NULL, NULL, NULL, /* 14- 18 */
703 NULL, NULL, NULL, NULL, NULL, /* 19- 23 */
704 NULL, NULL, NULL, NULL, NULL, /* 24- 28 */
705 NULL, NULL, NULL, NULL, /* 29- 32 */
706 ikev2_sa_print, /* 33 */
707 ikev2_ke_print, /* 34 */
708 ikev2_ID_print, /* 35 */
709 ikev2_ID_print, /* 36 */
710 ikev2_cert_print, /* 37 */
711 ikev2_cr_print, /* 38 */
712 ikev2_auth_print, /* 39 */
713 ikev2_nonce_print, /* 40 */
714 ikev2_n_print, /* 41 */
715 ikev2_d_print, /* 42 */
716 ikev2_vid_print, /* 43 */
717 ikev2_TS_print, /* 44 */
718 ikev2_TS_print, /* 45 */
719 NULL, /* ikev2_e_print,*/ /* 46 - special */
720 ikev2_cp_print, /* 47 */
721 ikev2_eap_print, /* 48 */
722 };
723
724 /* isakmp->etype */
725 static const char *etypestr[] = {
726 /* IKEv1 exchange types */
727 "none", "base", "ident", "auth", "agg", "inf", NULL, NULL, /* 0-7 */
728 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 8-15 */
729 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 16-23 */
730 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 24-31 */
731 "oakley-quick", "oakley-newgroup", /* 32-33 */
732 /* IKEv2 exchange types */
733 "ikev2_init", "ikev2_auth", "child_sa", "inf2" /* 34-37 */
734 };
735
736 #define STR_OR_ID(x, tab) \
737 (((x) < sizeof(tab)/sizeof(tab[0]) && tab[(x)]) ? tab[(x)] : numstr(x))
738 #define PROTOIDSTR(x) STR_OR_ID(x, protoidstr)
739 #define NPSTR(x) STR_OR_ID(x, npstr)
740 #define ETYPESTR(x) STR_OR_ID(x, etypestr)
741
742 #define CHECKLEN(p, np) \
743 if (ep < (const u_char *)(p)) { \
744 ND_PRINT((ndo," [|%s]", NPSTR(np))); \
745 goto done; \
746 }
747
748
749 #define NPFUNC(x) \
750 (((x) < sizeof(npfunc)/sizeof(npfunc[0]) && npfunc[(x)]) \
751 ? npfunc[(x)] : NULL)
752
753 static int
754 iszero(const u_char *p, size_t l)
755 {
756 while (l--) {
757 if (*p++)
758 return 0;
759 }
760 return 1;
761 }
762
763 /* find cookie from initiator cache */
764 static int
765 cookie_find(cookie_t *in)
766 {
767 int i;
768
769 for (i = 0; i < MAXINITIATORS; i++) {
770 if (memcmp(in, &cookiecache[i].initiator, sizeof(*in)) == 0)
771 return i;
772 }
773
774 return -1;
775 }
776
777 /* record initiator */
778 static void
779 cookie_record(cookie_t *in, const u_char *bp2)
780 {
781 int i;
782 const struct ip *ip;
783 const struct ip6_hdr *ip6;
784
785 i = cookie_find(in);
786 if (0 <= i) {
787 ninitiator = (i + 1) % MAXINITIATORS;
788 return;
789 }
790
791 ip = (const struct ip *)bp2;
792 switch (IP_V(ip)) {
793 case 4:
794 cookiecache[ninitiator].version = 4;
795 UNALIGNED_MEMCPY(&cookiecache[ninitiator].iaddr.in4, &ip->ip_src, sizeof(struct in_addr));
796 UNALIGNED_MEMCPY(&cookiecache[ninitiator].raddr.in4, &ip->ip_dst, sizeof(struct in_addr));
797 break;
798 case 6:
799 ip6 = (const struct ip6_hdr *)bp2;
800 cookiecache[ninitiator].version = 6;
801 UNALIGNED_MEMCPY(&cookiecache[ninitiator].iaddr.in6, &ip6->ip6_src, sizeof(struct in6_addr));
802 UNALIGNED_MEMCPY(&cookiecache[ninitiator].raddr.in6, &ip6->ip6_dst, sizeof(struct in6_addr));
803 break;
804 default:
805 return;
806 }
807 UNALIGNED_MEMCPY(&cookiecache[ninitiator].initiator, in, sizeof(*in));
808 ninitiator = (ninitiator + 1) % MAXINITIATORS;
809 }
810
811 #define cookie_isinitiator(x, y) cookie_sidecheck((x), (y), 1)
812 #define cookie_isresponder(x, y) cookie_sidecheck((x), (y), 0)
813 static int
814 cookie_sidecheck(int i, const u_char *bp2, int initiator)
815 {
816 const struct ip *ip;
817 const struct ip6_hdr *ip6;
818
819 ip = (const struct ip *)bp2;
820 switch (IP_V(ip)) {
821 case 4:
822 if (cookiecache[i].version != 4)
823 return 0;
824 if (initiator) {
825 if (UNALIGNED_MEMCMP(&ip->ip_src, &cookiecache[i].iaddr.in4, sizeof(struct in_addr)) == 0)
826 return 1;
827 } else {
828 if (UNALIGNED_MEMCMP(&ip->ip_src, &cookiecache[i].raddr.in4, sizeof(struct in_addr)) == 0)
829 return 1;
830 }
831 break;
832 case 6:
833 if (cookiecache[i].version != 6)
834 return 0;
835 ip6 = (const struct ip6_hdr *)bp2;
836 if (initiator) {
837 if (UNALIGNED_MEMCMP(&ip6->ip6_src, &cookiecache[i].iaddr.in6, sizeof(struct in6_addr)) == 0)
838 return 1;
839 } else {
840 if (UNALIGNED_MEMCMP(&ip6->ip6_src, &cookiecache[i].raddr.in6, sizeof(struct in6_addr)) == 0)
841 return 1;
842 }
843 break;
844 default:
845 break;
846 }
847
848 return 0;
849 }
850
851 static void
852 hexprint(netdissect_options *ndo, const uint8_t *loc, size_t len)
853 {
854 const uint8_t *p;
855 size_t i;
856
857 p = loc;
858 for (i = 0; i < len; i++)
859 ND_PRINT((ndo,"%02x", p[i] & 0xff));
860 }
861
862 static int
863 rawprint(netdissect_options *ndo, const uint8_t *loc, size_t len)
864 {
865 ND_TCHECK2(*loc, len);
866
867 hexprint(ndo, loc, len);
868 return 1;
869 trunc:
870 return 0;
871 }
872
873
874 /*
875 * returns false if we run out of data buffer
876 */
877 static int ike_show_somedata(netdissect_options *ndo,
878 const u_char *cp, const u_char *ep)
879 {
880 /* there is too much data, just show some of it */
881 const u_char *end = ep - 20;
882 int elen = 20;
883 int len = ep - cp;
884 if(len > 10) {
885 len = 10;
886 }
887
888 /* really shouldn't happen because of above */
889 if(end < cp + len) {
890 end = cp+len;
891 elen = ep - end;
892 }
893
894 ND_PRINT((ndo," data=("));
895 if(!rawprint(ndo, (const uint8_t *)(cp), len)) goto trunc;
896 ND_PRINT((ndo, "..."));
897 if(elen) {
898 if(!rawprint(ndo, (const uint8_t *)(end), elen)) goto trunc;
899 }
900 ND_PRINT((ndo,")"));
901 return 1;
902
903 trunc:
904 return 0;
905 }
906
907 struct attrmap {
908 const char *type;
909 u_int nvalue;
910 const char *value[30]; /*XXX*/
911 };
912
913 static const u_char *
914 ikev1_attrmap_print(netdissect_options *ndo,
915 const u_char *p, const u_char *ep2,
916 const struct attrmap *map, size_t nmap)
917 {
918 int totlen;
919 uint32_t t, v;
920
921 ND_TCHECK(p[0]);
922 if (p[0] & 0x80)
923 totlen = 4;
924 else {
925 ND_TCHECK_16BITS(&p[2]);
926 totlen = 4 + EXTRACT_16BITS(&p[2]);
927 }
928 if (ep2 < p + totlen) {
929 ND_PRINT((ndo,"[|attr]"));
930 return ep2 + 1;
931 }
932
933 ND_TCHECK_16BITS(&p[0]);
934 ND_PRINT((ndo,"("));
935 t = EXTRACT_16BITS(&p[0]) & 0x7fff;
936 if (map && t < nmap && map[t].type)
937 ND_PRINT((ndo,"type=%s ", map[t].type));
938 else
939 ND_PRINT((ndo,"type=#%d ", t));
940 if (p[0] & 0x80) {
941 ND_PRINT((ndo,"value="));
942 ND_TCHECK_16BITS(&p[2]);
943 v = EXTRACT_16BITS(&p[2]);
944 if (map && t < nmap && v < map[t].nvalue && map[t].value[v])
945 ND_PRINT((ndo,"%s", map[t].value[v]));
946 else {
947 if (!rawprint(ndo, (const uint8_t *)&p[2], 2)) {
948 ND_PRINT((ndo,")"));
949 goto trunc;
950 }
951 }
952 } else {
953 ND_PRINT((ndo,"len=%d value=", totlen - 4));
954 if (!rawprint(ndo, (const uint8_t *)&p[4], totlen - 4)) {
955 ND_PRINT((ndo,")"));
956 goto trunc;
957 }
958 }
959 ND_PRINT((ndo,")"));
960 return p + totlen;
961
962 trunc:
963 return NULL;
964 }
965
966 static const u_char *
967 ikev1_attr_print(netdissect_options *ndo, const u_char *p, const u_char *ep2)
968 {
969 int totlen;
970 uint32_t t;
971
972 ND_TCHECK(p[0]);
973 if (p[0] & 0x80)
974 totlen = 4;
975 else {
976 ND_TCHECK_16BITS(&p[2]);
977 totlen = 4 + EXTRACT_16BITS(&p[2]);
978 }
979 if (ep2 < p + totlen) {
980 ND_PRINT((ndo,"[|attr]"));
981 return ep2 + 1;
982 }
983
984 ND_TCHECK_16BITS(&p[0]);
985 ND_PRINT((ndo,"("));
986 t = EXTRACT_16BITS(&p[0]) & 0x7fff;
987 ND_PRINT((ndo,"type=#%d ", t));
988 if (p[0] & 0x80) {
989 ND_PRINT((ndo,"value="));
990 t = p[2];
991 if (!rawprint(ndo, (const uint8_t *)&p[2], 2)) {
992 ND_PRINT((ndo,")"));
993 goto trunc;
994 }
995 } else {
996 ND_PRINT((ndo,"len=%d value=", totlen - 4));
997 if (!rawprint(ndo, (const uint8_t *)&p[4], totlen - 4)) {
998 ND_PRINT((ndo,")"));
999 goto trunc;
1000 }
1001 }
1002 ND_PRINT((ndo,")"));
1003 return p + totlen;
1004
1005 trunc:
1006 return NULL;
1007 }
1008
1009 static const u_char *
1010 ikev1_sa_print(netdissect_options *ndo, u_char tpay _U_,
1011 const struct isakmp_gen *ext,
1012 u_int item_len _U_,
1013 const u_char *ep, uint32_t phase, uint32_t doi0 _U_,
1014 uint32_t proto0, int depth)
1015 {
1016 const struct ikev1_pl_sa *p;
1017 struct ikev1_pl_sa sa;
1018 uint32_t doi, sit, ident;
1019 const u_char *cp, *np;
1020 int t;
1021
1022 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_SA)));
1023
1024 p = (const struct ikev1_pl_sa *)ext;
1025 ND_TCHECK(*p);
1026 UNALIGNED_MEMCPY(&sa, ext, sizeof(sa));
1027 doi = ntohl(sa.doi);
1028 sit = ntohl(sa.sit);
1029 if (doi != 1) {
1030 ND_PRINT((ndo," doi=%d", doi));
1031 ND_PRINT((ndo," situation=%u", (uint32_t)ntohl(sa.sit)));
1032 return (const u_char *)(p + 1);
1033 }
1034
1035 ND_PRINT((ndo," doi=ipsec"));
1036 ND_PRINT((ndo," situation="));
1037 t = 0;
1038 if (sit & 0x01) {
1039 ND_PRINT((ndo,"identity"));
1040 t++;
1041 }
1042 if (sit & 0x02) {
1043 ND_PRINT((ndo,"%ssecrecy", t ? "+" : ""));
1044 t++;
1045 }
1046 if (sit & 0x04)
1047 ND_PRINT((ndo,"%sintegrity", t ? "+" : ""));
1048
1049 np = (const u_char *)ext + sizeof(sa);
1050 if (sit != 0x01) {
1051 ND_TCHECK2(*(ext + 1), sizeof(ident));
1052 UNALIGNED_MEMCPY(&ident, ext + 1, sizeof(ident));
1053 ND_PRINT((ndo," ident=%u", (uint32_t)ntohl(ident)));
1054 np += sizeof(ident);
1055 }
1056
1057 ext = (const struct isakmp_gen *)np;
1058 ND_TCHECK(*ext);
1059
1060 cp = ikev1_sub_print(ndo, ISAKMP_NPTYPE_P, ext, ep, phase, doi, proto0,
1061 depth);
1062
1063 return cp;
1064 trunc:
1065 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_SA)));
1066 return NULL;
1067 }
1068
1069 static const u_char *
1070 ikev1_p_print(netdissect_options *ndo, u_char tpay _U_,
1071 const struct isakmp_gen *ext, u_int item_len _U_,
1072 const u_char *ep, uint32_t phase, uint32_t doi0,
1073 uint32_t proto0 _U_, int depth)
1074 {
1075 const struct ikev1_pl_p *p;
1076 struct ikev1_pl_p prop;
1077 const u_char *cp;
1078
1079 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_P)));
1080
1081 p = (const struct ikev1_pl_p *)ext;
1082 ND_TCHECK(*p);
1083 UNALIGNED_MEMCPY(&prop, ext, sizeof(prop));
1084 ND_PRINT((ndo," #%d protoid=%s transform=%d",
1085 prop.p_no, PROTOIDSTR(prop.prot_id), prop.num_t));
1086 if (prop.spi_size) {
1087 ND_PRINT((ndo," spi="));
1088 if (!rawprint(ndo, (const uint8_t *)(p + 1), prop.spi_size))
1089 goto trunc;
1090 }
1091
1092 ext = (const struct isakmp_gen *)((const u_char *)(p + 1) + prop.spi_size);
1093 ND_TCHECK(*ext);
1094
1095 cp = ikev1_sub_print(ndo, ISAKMP_NPTYPE_T, ext, ep, phase, doi0,
1096 prop.prot_id, depth);
1097
1098 return cp;
1099 trunc:
1100 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_P)));
1101 return NULL;
1102 }
1103
1104 static const char *ikev1_p_map[] = {
1105 NULL, "ike",
1106 };
1107
1108 static const char *ikev2_t_type_map[]={
1109 NULL, "encr", "prf", "integ", "dh", "esn"
1110 };
1111
1112 static const char *ah_p_map[] = {
1113 NULL, "(reserved)", "md5", "sha", "1des",
1114 "sha2-256", "sha2-384", "sha2-512",
1115 };
1116
1117 static const char *prf_p_map[] = {
1118 NULL, "hmac-md5", "hmac-sha", "hmac-tiger",
1119 "aes128_xcbc"
1120 };
1121
1122 static const char *integ_p_map[] = {
1123 NULL, "hmac-md5", "hmac-sha", "dec-mac",
1124 "kpdk-md5", "aes-xcbc"
1125 };
1126
1127 static const char *esn_p_map[] = {
1128 "no-esn", "esn"
1129 };
1130
1131 static const char *dh_p_map[] = {
1132 NULL, "modp768",
1133 "modp1024", /* group 2 */
1134 "EC2N 2^155", /* group 3 */
1135 "EC2N 2^185", /* group 4 */
1136 "modp1536", /* group 5 */
1137 "iana-grp06", "iana-grp07", /* reserved */
1138 "iana-grp08", "iana-grp09",
1139 "iana-grp10", "iana-grp11",
1140 "iana-grp12", "iana-grp13",
1141 "modp2048", /* group 14 */
1142 "modp3072", /* group 15 */
1143 "modp4096", /* group 16 */
1144 "modp6144", /* group 17 */
1145 "modp8192", /* group 18 */
1146 };
1147
1148 static const char *esp_p_map[] = {
1149 NULL, "1des-iv64", "1des", "3des", "rc5", "idea", "cast",
1150 "blowfish", "3idea", "1des-iv32", "rc4", "null", "aes"
1151 };
1152
1153 static const char *ipcomp_p_map[] = {
1154 NULL, "oui", "deflate", "lzs",
1155 };
1156
1157 static const struct attrmap ipsec_t_map[] = {
1158 { NULL, 0, { NULL } },
1159 { "lifetype", 3, { NULL, "sec", "kb", }, },
1160 { "life", 0, { NULL } },
1161 { "group desc", 18, { NULL, "modp768",
1162 "modp1024", /* group 2 */
1163 "EC2N 2^155", /* group 3 */
1164 "EC2N 2^185", /* group 4 */
1165 "modp1536", /* group 5 */
1166 "iana-grp06", "iana-grp07", /* reserved */
1167 "iana-grp08", "iana-grp09",
1168 "iana-grp10", "iana-grp11",
1169 "iana-grp12", "iana-grp13",
1170 "modp2048", /* group 14 */
1171 "modp3072", /* group 15 */
1172 "modp4096", /* group 16 */
1173 "modp6144", /* group 17 */
1174 "modp8192", /* group 18 */
1175 }, },
1176 { "enc mode", 3, { NULL, "tunnel", "transport", }, },
1177 { "auth", 5, { NULL, "hmac-md5", "hmac-sha1", "1des-mac", "keyed", }, },
1178 { "keylen", 0, { NULL } },
1179 { "rounds", 0, { NULL } },
1180 { "dictsize", 0, { NULL } },
1181 { "privalg", 0, { NULL } },
1182 };
1183
1184 static const struct attrmap encr_t_map[] = {
1185 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 0, 1 */
1186 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 2, 3 */
1187 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 4, 5 */
1188 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 6, 7 */
1189 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 8, 9 */
1190 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 10,11*/
1191 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 12,13*/
1192 { "keylen", 14, { NULL }},
1193 };
1194
1195 static const struct attrmap oakley_t_map[] = {
1196 { NULL, 0, { NULL } },
1197 { "enc", 8, { NULL, "1des", "idea", "blowfish", "rc5",
1198 "3des", "cast", "aes", }, },
1199 { "hash", 7, { NULL, "md5", "sha1", "tiger",
1200 "sha2-256", "sha2-384", "sha2-512", }, },
1201 { "auth", 6, { NULL, "preshared", "dss", "rsa sig", "rsa enc",
1202 "rsa enc revised", }, },
1203 { "group desc", 18, { NULL, "modp768",
1204 "modp1024", /* group 2 */
1205 "EC2N 2^155", /* group 3 */
1206 "EC2N 2^185", /* group 4 */
1207 "modp1536", /* group 5 */
1208 "iana-grp06", "iana-grp07", /* reserved */
1209 "iana-grp08", "iana-grp09",
1210 "iana-grp10", "iana-grp11",
1211 "iana-grp12", "iana-grp13",
1212 "modp2048", /* group 14 */
1213 "modp3072", /* group 15 */
1214 "modp4096", /* group 16 */
1215 "modp6144", /* group 17 */
1216 "modp8192", /* group 18 */
1217 }, },
1218 { "group type", 4, { NULL, "MODP", "ECP", "EC2N", }, },
1219 { "group prime", 0, { NULL } },
1220 { "group gen1", 0, { NULL } },
1221 { "group gen2", 0, { NULL } },
1222 { "group curve A", 0, { NULL } },
1223 { "group curve B", 0, { NULL } },
1224 { "lifetype", 3, { NULL, "sec", "kb", }, },
1225 { "lifeduration", 0, { NULL } },
1226 { "prf", 0, { NULL } },
1227 { "keylen", 0, { NULL } },
1228 { "field", 0, { NULL } },
1229 { "order", 0, { NULL } },
1230 };
1231
1232 static const u_char *
1233 ikev1_t_print(netdissect_options *ndo, u_char tpay _U_,
1234 const struct isakmp_gen *ext, u_int item_len,
1235 const u_char *ep, uint32_t phase _U_, uint32_t doi _U_,
1236 uint32_t proto, int depth _U_)
1237 {
1238 const struct ikev1_pl_t *p;
1239 struct ikev1_pl_t t;
1240 const u_char *cp;
1241 const char *idstr;
1242 const struct attrmap *map;
1243 size_t nmap;
1244 const u_char *ep2;
1245
1246 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_T)));
1247
1248 p = (const struct ikev1_pl_t *)ext;
1249 ND_TCHECK(*p);
1250 UNALIGNED_MEMCPY(&t, ext, sizeof(t));
1251
1252 switch (proto) {
1253 case 1:
1254 idstr = STR_OR_ID(t.t_id, ikev1_p_map);
1255 map = oakley_t_map;
1256 nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]);
1257 break;
1258 case 2:
1259 idstr = STR_OR_ID(t.t_id, ah_p_map);
1260 map = ipsec_t_map;
1261 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
1262 break;
1263 case 3:
1264 idstr = STR_OR_ID(t.t_id, esp_p_map);
1265 map = ipsec_t_map;
1266 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
1267 break;
1268 case 4:
1269 idstr = STR_OR_ID(t.t_id, ipcomp_p_map);
1270 map = ipsec_t_map;
1271 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
1272 break;
1273 default:
1274 idstr = NULL;
1275 map = NULL;
1276 nmap = 0;
1277 break;
1278 }
1279
1280 if (idstr)
1281 ND_PRINT((ndo," #%d id=%s ", t.t_no, idstr));
1282 else
1283 ND_PRINT((ndo," #%d id=%d ", t.t_no, t.t_id));
1284 cp = (const u_char *)(p + 1);
1285 ep2 = (const u_char *)p + item_len;
1286 while (cp < ep && cp < ep2) {
1287 if (map && nmap)
1288 cp = ikev1_attrmap_print(ndo, cp, ep2, map, nmap);
1289 else
1290 cp = ikev1_attr_print(ndo, cp, ep2);
1291 if (cp == NULL)
1292 goto trunc;
1293 }
1294 if (ep < ep2)
1295 ND_PRINT((ndo,"..."));
1296 return cp;
1297 trunc:
1298 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_T)));
1299 return NULL;
1300 }
1301
1302 static const u_char *
1303 ikev1_ke_print(netdissect_options *ndo, u_char tpay _U_,
1304 const struct isakmp_gen *ext, u_int item_len _U_,
1305 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_,
1306 uint32_t proto _U_, int depth _U_)
1307 {
1308 struct isakmp_gen e;
1309
1310 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_KE)));
1311
1312 ND_TCHECK(*ext);
1313 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1314 ND_PRINT((ndo," key len=%d", ntohs(e.len) - 4));
1315 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1316 /* Print the entire payload in hex */
1317 ND_PRINT((ndo," "));
1318 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
1319 goto trunc;
1320 }
1321 return (const u_char *)ext + ntohs(e.len);
1322 trunc:
1323 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_KE)));
1324 return NULL;
1325 }
1326
1327 static const u_char *
1328 ikev1_id_print(netdissect_options *ndo, u_char tpay _U_,
1329 const struct isakmp_gen *ext, u_int item_len,
1330 const u_char *ep _U_, uint32_t phase, uint32_t doi _U_,
1331 uint32_t proto _U_, int depth _U_)
1332 {
1333 #define USE_IPSECDOI_IN_PHASE1 1
1334 const struct ikev1_pl_id *p;
1335 struct ikev1_pl_id id;
1336 static const char *idtypestr[] = {
1337 "IPv4", "IPv4net", "IPv6", "IPv6net",
1338 };
1339 static const char *ipsecidtypestr[] = {
1340 NULL, "IPv4", "FQDN", "user FQDN", "IPv4net", "IPv6",
1341 "IPv6net", "IPv4range", "IPv6range", "ASN1 DN", "ASN1 GN",
1342 "keyid",
1343 };
1344 int len;
1345 const u_char *data;
1346
1347 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_ID)));
1348
1349 p = (const struct ikev1_pl_id *)ext;
1350 ND_TCHECK(*p);
1351 UNALIGNED_MEMCPY(&id, ext, sizeof(id));
1352 if (sizeof(*p) < item_len) {
1353 data = (const u_char *)(p + 1);
1354 len = item_len - sizeof(*p);
1355 } else {
1356 data = NULL;
1357 len = 0;
1358 }
1359
1360 #if 0 /*debug*/
1361 ND_PRINT((ndo," [phase=%d doi=%d proto=%d]", phase, doi, proto));
1362 #endif
1363 switch (phase) {
1364 #ifndef USE_IPSECDOI_IN_PHASE1
1365 case 1:
1366 #endif
1367 default:
1368 ND_PRINT((ndo," idtype=%s", STR_OR_ID(id.d.id_type, idtypestr)));
1369 ND_PRINT((ndo," doi_data=%u",
1370 (uint32_t)(ntohl(id.d.doi_data) & 0xffffff)));
1371 break;
1372
1373 #ifdef USE_IPSECDOI_IN_PHASE1
1374 case 1:
1375 #endif
1376 case 2:
1377 {
1378 const struct ipsecdoi_id *doi_p;
1379 struct ipsecdoi_id doi_id;
1380 const char *p_name;
1381
1382 doi_p = (const struct ipsecdoi_id *)ext;
1383 ND_TCHECK(*doi_p);
1384 UNALIGNED_MEMCPY(&doi_id, ext, sizeof(doi_id));
1385 ND_PRINT((ndo," idtype=%s", STR_OR_ID(doi_id.type, ipsecidtypestr)));
1386 /* A protocol ID of 0 DOES NOT mean IPPROTO_IP! */
1387 if (!ndo->ndo_nflag && doi_id.proto_id && (p_name = netdb_protoname(doi_id.proto_id)) != NULL)
1388 ND_PRINT((ndo," protoid=%s", p_name));
1389 else
1390 ND_PRINT((ndo," protoid=%u", doi_id.proto_id));
1391 ND_PRINT((ndo," port=%d", ntohs(doi_id.port)));
1392 if (!len)
1393 break;
1394 if (data == NULL)
1395 goto trunc;
1396 ND_TCHECK2(*data, len);
1397 switch (doi_id.type) {
1398 case IPSECDOI_ID_IPV4_ADDR:
1399 if (len < 4)
1400 ND_PRINT((ndo," len=%d [bad: < 4]", len));
1401 else
1402 ND_PRINT((ndo," len=%d %s", len, ipaddr_string(ndo, data)));
1403 len = 0;
1404 break;
1405 case IPSECDOI_ID_FQDN:
1406 case IPSECDOI_ID_USER_FQDN:
1407 {
1408 int i;
1409 ND_PRINT((ndo," len=%d ", len));
1410 for (i = 0; i < len; i++)
1411 safeputchar(ndo, data[i]);
1412 len = 0;
1413 break;
1414 }
1415 case IPSECDOI_ID_IPV4_ADDR_SUBNET:
1416 {
1417 const u_char *mask;
1418 if (len < 8)
1419 ND_PRINT((ndo," len=%d [bad: < 8]", len));
1420 else {
1421 mask = data + sizeof(struct in_addr);
1422 ND_PRINT((ndo," len=%d %s/%u.%u.%u.%u", len,
1423 ipaddr_string(ndo, data),
1424 mask[0], mask[1], mask[2], mask[3]));
1425 }
1426 len = 0;
1427 break;
1428 }
1429 case IPSECDOI_ID_IPV6_ADDR:
1430 if (len < 16)
1431 ND_PRINT((ndo," len=%d [bad: < 16]", len));
1432 else
1433 ND_PRINT((ndo," len=%d %s", len, ip6addr_string(ndo, data)));
1434 len = 0;
1435 break;
1436 case IPSECDOI_ID_IPV6_ADDR_SUBNET:
1437 {
1438 const u_char *mask;
1439 if (len < 32)
1440 ND_PRINT((ndo," len=%d [bad: < 32]", len));
1441 else {
1442 mask = (const u_char *)(data + sizeof(struct in6_addr));
1443 /*XXX*/
1444 ND_PRINT((ndo," len=%d %s/0x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x", len,
1445 ip6addr_string(ndo, data),
1446 mask[0], mask[1], mask[2], mask[3],
1447 mask[4], mask[5], mask[6], mask[7],
1448 mask[8], mask[9], mask[10], mask[11],
1449 mask[12], mask[13], mask[14], mask[15]));
1450 }
1451 len = 0;
1452 break;
1453 }
1454 case IPSECDOI_ID_IPV4_ADDR_RANGE:
1455 if (len < 8)
1456 ND_PRINT((ndo," len=%d [bad: < 8]", len));
1457 else {
1458 ND_PRINT((ndo," len=%d %s-%s", len,
1459 ipaddr_string(ndo, data),
1460 ipaddr_string(ndo, data + sizeof(struct in_addr))));
1461 }
1462 len = 0;
1463 break;
1464 case IPSECDOI_ID_IPV6_ADDR_RANGE:
1465 if (len < 32)
1466 ND_PRINT((ndo," len=%d [bad: < 32]", len));
1467 else {
1468 ND_PRINT((ndo," len=%d %s-%s", len,
1469 ip6addr_string(ndo, data),
1470 ip6addr_string(ndo, data + sizeof(struct in6_addr))));
1471 }
1472 len = 0;
1473 break;
1474 case IPSECDOI_ID_DER_ASN1_DN:
1475 case IPSECDOI_ID_DER_ASN1_GN:
1476 case IPSECDOI_ID_KEY_ID:
1477 break;
1478 }
1479 break;
1480 }
1481 }
1482 if (data && len) {
1483 ND_PRINT((ndo," len=%d", len));
1484 if (2 < ndo->ndo_vflag) {
1485 ND_PRINT((ndo," "));
1486 if (!rawprint(ndo, (const uint8_t *)data, len))
1487 goto trunc;
1488 }
1489 }
1490 return (const u_char *)ext + item_len;
1491 trunc:
1492 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_ID)));
1493 return NULL;
1494 }
1495
1496 static const u_char *
1497 ikev1_cert_print(netdissect_options *ndo, u_char tpay _U_,
1498 const struct isakmp_gen *ext, u_int item_len,
1499 const u_char *ep _U_, uint32_t phase _U_,
1500 uint32_t doi0 _U_,
1501 uint32_t proto0 _U_, int depth _U_)
1502 {
1503 const struct ikev1_pl_cert *p;
1504 struct ikev1_pl_cert cert;
1505 static const char *certstr[] = {
1506 "none", "pkcs7", "pgp", "dns",
1507 "x509sign", "x509ke", "kerberos", "crl",
1508 "arl", "spki", "x509attr",
1509 };
1510
1511 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_CERT)));
1512
1513 p = (const struct ikev1_pl_cert *)ext;
1514 ND_TCHECK(*p);
1515 UNALIGNED_MEMCPY(&cert, ext, sizeof(cert));
1516 ND_PRINT((ndo," len=%d", item_len - 4));
1517 ND_PRINT((ndo," type=%s", STR_OR_ID((cert.encode), certstr)));
1518 if (2 < ndo->ndo_vflag && 4 < item_len) {
1519 /* Print the entire payload in hex */
1520 ND_PRINT((ndo," "));
1521 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1522 goto trunc;
1523 }
1524 return (const u_char *)ext + item_len;
1525 trunc:
1526 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_CERT)));
1527 return NULL;
1528 }
1529
1530 static const u_char *
1531 ikev1_cr_print(netdissect_options *ndo, u_char tpay _U_,
1532 const struct isakmp_gen *ext, u_int item_len,
1533 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi0 _U_,
1534 uint32_t proto0 _U_, int depth _U_)
1535 {
1536 const struct ikev1_pl_cert *p;
1537 struct ikev1_pl_cert cert;
1538 static const char *certstr[] = {
1539 "none", "pkcs7", "pgp", "dns",
1540 "x509sign", "x509ke", "kerberos", "crl",
1541 "arl", "spki", "x509attr",
1542 };
1543
1544 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_CR)));
1545
1546 p = (const struct ikev1_pl_cert *)ext;
1547 ND_TCHECK(*p);
1548 UNALIGNED_MEMCPY(&cert, ext, sizeof(cert));
1549 ND_PRINT((ndo," len=%d", item_len - 4));
1550 ND_PRINT((ndo," type=%s", STR_OR_ID((cert.encode), certstr)));
1551 if (2 < ndo->ndo_vflag && 4 < item_len) {
1552 /* Print the entire payload in hex */
1553 ND_PRINT((ndo," "));
1554 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1555 goto trunc;
1556 }
1557 return (const u_char *)ext + item_len;
1558 trunc:
1559 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_CR)));
1560 return NULL;
1561 }
1562
1563 static const u_char *
1564 ikev1_hash_print(netdissect_options *ndo, u_char tpay _U_,
1565 const struct isakmp_gen *ext, u_int item_len _U_,
1566 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_,
1567 uint32_t proto _U_, int depth _U_)
1568 {
1569 struct isakmp_gen e;
1570
1571 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_HASH)));
1572
1573 ND_TCHECK(*ext);
1574 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1575 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
1576 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1577 /* Print the entire payload in hex */
1578 ND_PRINT((ndo," "));
1579 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
1580 goto trunc;
1581 }
1582 return (const u_char *)ext + ntohs(e.len);
1583 trunc:
1584 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_HASH)));
1585 return NULL;
1586 }
1587
1588 static const u_char *
1589 ikev1_sig_print(netdissect_options *ndo, u_char tpay _U_,
1590 const struct isakmp_gen *ext, u_int item_len _U_,
1591 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_,
1592 uint32_t proto _U_, int depth _U_)
1593 {
1594 struct isakmp_gen e;
1595
1596 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_SIG)));
1597
1598 ND_TCHECK(*ext);
1599 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1600 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
1601 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1602 /* Print the entire payload in hex */
1603 ND_PRINT((ndo," "));
1604 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
1605 goto trunc;
1606 }
1607 return (const u_char *)ext + ntohs(e.len);
1608 trunc:
1609 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_SIG)));
1610 return NULL;
1611 }
1612
1613 static const u_char *
1614 ikev1_nonce_print(netdissect_options *ndo, u_char tpay _U_,
1615 const struct isakmp_gen *ext,
1616 u_int item_len _U_,
1617 const u_char *ep,
1618 uint32_t phase _U_, uint32_t doi _U_,
1619 uint32_t proto _U_, int depth _U_)
1620 {
1621 struct isakmp_gen e;
1622
1623 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_NONCE)));
1624
1625 ND_TCHECK(*ext);
1626 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1627 /*
1628 * Our caller has ensured that the length is >= 4.
1629 */
1630 ND_PRINT((ndo," n len=%u", ntohs(e.len) - 4));
1631 if (ntohs(e.len) > 4) {
1632 if (ndo->ndo_vflag > 2) {
1633 ND_PRINT((ndo, " "));
1634 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
1635 goto trunc;
1636 } else if (ndo->ndo_vflag > 1) {
1637 ND_PRINT((ndo, " "));
1638 if (!ike_show_somedata(ndo, (const u_char *)(ext + 1), ep))
1639 goto trunc;
1640 }
1641 }
1642 return (const u_char *)ext + ntohs(e.len);
1643 trunc:
1644 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_NONCE)));
1645 return NULL;
1646 }
1647
1648 static const u_char *
1649 ikev1_n_print(netdissect_options *ndo, u_char tpay _U_,
1650 const struct isakmp_gen *ext, u_int item_len,
1651 const u_char *ep, uint32_t phase _U_, uint32_t doi0 _U_,
1652 uint32_t proto0 _U_, int depth _U_)
1653 {
1654 const struct ikev1_pl_n *p;
1655 struct ikev1_pl_n n;
1656 const u_char *cp;
1657 const u_char *ep2;
1658 uint32_t doi;
1659 uint32_t proto;
1660 static const char *notify_error_str[] = {
1661 NULL, "INVALID-PAYLOAD-TYPE",
1662 "DOI-NOT-SUPPORTED", "SITUATION-NOT-SUPPORTED",
1663 "INVALID-COOKIE", "INVALID-MAJOR-VERSION",
1664 "INVALID-MINOR-VERSION", "INVALID-EXCHANGE-TYPE",
1665 "INVALID-FLAGS", "INVALID-MESSAGE-ID",
1666 "INVALID-PROTOCOL-ID", "INVALID-SPI",
1667 "INVALID-TRANSFORM-ID", "ATTRIBUTES-NOT-SUPPORTED",
1668 "NO-PROPOSAL-CHOSEN", "BAD-PROPOSAL-SYNTAX",
1669 "PAYLOAD-MALFORMED", "INVALID-KEY-INFORMATION",
1670 "INVALID-ID-INFORMATION", "INVALID-CERT-ENCODING",
1671 "INVALID-CERTIFICATE", "CERT-TYPE-UNSUPPORTED",
1672 "INVALID-CERT-AUTHORITY", "INVALID-HASH-INFORMATION",
1673 "AUTHENTICATION-FAILED", "INVALID-SIGNATURE",
1674 "ADDRESS-NOTIFICATION", "NOTIFY-SA-LIFETIME",
1675 "CERTIFICATE-UNAVAILABLE", "UNSUPPORTED-EXCHANGE-TYPE",
1676 "UNEQUAL-PAYLOAD-LENGTHS",
1677 };
1678 static const char *ipsec_notify_error_str[] = {
1679 "RESERVED",
1680 };
1681 static const char *notify_status_str[] = {
1682 "CONNECTED",
1683 };
1684 static const char *ipsec_notify_status_str[] = {
1685 "RESPONDER-LIFETIME", "REPLAY-STATUS",
1686 "INITIAL-CONTACT",
1687 };
1688 /* NOTE: these macro must be called with x in proper range */
1689
1690 /* 0 - 8191 */
1691 #define NOTIFY_ERROR_STR(x) \
1692 STR_OR_ID((x), notify_error_str)
1693
1694 /* 8192 - 16383 */
1695 #define IPSEC_NOTIFY_ERROR_STR(x) \
1696 STR_OR_ID((u_int)((x) - 8192), ipsec_notify_error_str)
1697
1698 /* 16384 - 24575 */
1699 #define NOTIFY_STATUS_STR(x) \
1700 STR_OR_ID((u_int)((x) - 16384), notify_status_str)
1701
1702 /* 24576 - 32767 */
1703 #define IPSEC_NOTIFY_STATUS_STR(x) \
1704 STR_OR_ID((u_int)((x) - 24576), ipsec_notify_status_str)
1705
1706 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_N)));
1707
1708 p = (const struct ikev1_pl_n *)ext;
1709 ND_TCHECK(*p);
1710 UNALIGNED_MEMCPY(&n, ext, sizeof(n));
1711 doi = ntohl(n.doi);
1712 proto = n.prot_id;
1713 if (doi != 1) {
1714 ND_PRINT((ndo," doi=%d", doi));
1715 ND_PRINT((ndo," proto=%d", proto));
1716 if (ntohs(n.type) < 8192)
1717 ND_PRINT((ndo," type=%s", NOTIFY_ERROR_STR(ntohs(n.type))));
1718 else if (ntohs(n.type) < 16384)
1719 ND_PRINT((ndo," type=%s", numstr(ntohs(n.type))));
1720 else if (ntohs(n.type) < 24576)
1721 ND_PRINT((ndo," type=%s", NOTIFY_STATUS_STR(ntohs(n.type))));
1722 else
1723 ND_PRINT((ndo," type=%s", numstr(ntohs(n.type))));
1724 if (n.spi_size) {
1725 ND_PRINT((ndo," spi="));
1726 if (!rawprint(ndo, (const uint8_t *)(p + 1), n.spi_size))
1727 goto trunc;
1728 }
1729 return (const u_char *)(p + 1) + n.spi_size;
1730 }
1731
1732 ND_PRINT((ndo," doi=ipsec"));
1733 ND_PRINT((ndo," proto=%s", PROTOIDSTR(proto)));
1734 if (ntohs(n.type) < 8192)
1735 ND_PRINT((ndo," type=%s", NOTIFY_ERROR_STR(ntohs(n.type))));
1736 else if (ntohs(n.type) < 16384)
1737 ND_PRINT((ndo," type=%s", IPSEC_NOTIFY_ERROR_STR(ntohs(n.type))));
1738 else if (ntohs(n.type) < 24576)
1739 ND_PRINT((ndo," type=%s", NOTIFY_STATUS_STR(ntohs(n.type))));
1740 else if (ntohs(n.type) < 32768)
1741 ND_PRINT((ndo," type=%s", IPSEC_NOTIFY_STATUS_STR(ntohs(n.type))));
1742 else
1743 ND_PRINT((ndo," type=%s", numstr(ntohs(n.type))));
1744 if (n.spi_size) {
1745 ND_PRINT((ndo," spi="));
1746 if (!rawprint(ndo, (const uint8_t *)(p + 1), n.spi_size))
1747 goto trunc;
1748 }
1749
1750 cp = (const u_char *)(p + 1) + n.spi_size;
1751 ep2 = (const u_char *)p + item_len;
1752
1753 if (cp < ep) {
1754 switch (ntohs(n.type)) {
1755 case IPSECDOI_NTYPE_RESPONDER_LIFETIME:
1756 {
1757 const struct attrmap *map = oakley_t_map;
1758 size_t nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]);
1759 ND_PRINT((ndo," attrs=("));
1760 while (cp < ep && cp < ep2) {
1761 cp = ikev1_attrmap_print(ndo, cp, ep2, map, nmap);
1762 if (cp == NULL) {
1763 ND_PRINT((ndo,")"));
1764 goto trunc;
1765 }
1766 }
1767 ND_PRINT((ndo,")"));
1768 break;
1769 }
1770 case IPSECDOI_NTYPE_REPLAY_STATUS:
1771 ND_PRINT((ndo," status=("));
1772 ND_TCHECK_32BITS(cp);
1773 ND_PRINT((ndo,"replay detection %sabled",
1774 EXTRACT_32BITS(cp) ? "en" : "dis"));
1775 ND_PRINT((ndo,")"));
1776 break;
1777 default:
1778 /*
1779 * XXX - fill in more types here; see, for example,
1780 * draft-ietf-ipsec-notifymsg-04.
1781 */
1782 if (ndo->ndo_vflag > 3) {
1783 ND_PRINT((ndo," data=("));
1784 if (!rawprint(ndo, (const uint8_t *)(cp), ep - cp))
1785 goto trunc;
1786 ND_PRINT((ndo,")"));
1787 } else {
1788 if (!ike_show_somedata(ndo, cp, ep))
1789 goto trunc;
1790 }
1791 break;
1792 }
1793 }
1794 return (const u_char *)ext + item_len;
1795 trunc:
1796 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_N)));
1797 return NULL;
1798 }
1799
1800 static const u_char *
1801 ikev1_d_print(netdissect_options *ndo, u_char tpay _U_,
1802 const struct isakmp_gen *ext, u_int item_len _U_,
1803 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi0 _U_,
1804 uint32_t proto0 _U_, int depth _U_)
1805 {
1806 const struct ikev1_pl_d *p;
1807 struct ikev1_pl_d d;
1808 const uint8_t *q;
1809 uint32_t doi;
1810 uint32_t proto;
1811 int i;
1812
1813 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_D)));
1814
1815 p = (const struct ikev1_pl_d *)ext;
1816 ND_TCHECK(*p);
1817 UNALIGNED_MEMCPY(&d, ext, sizeof(d));
1818 doi = ntohl(d.doi);
1819 proto = d.prot_id;
1820 if (doi != 1) {
1821 ND_PRINT((ndo," doi=%u", doi));
1822 ND_PRINT((ndo," proto=%u", proto));
1823 } else {
1824 ND_PRINT((ndo," doi=ipsec"));
1825 ND_PRINT((ndo," proto=%s", PROTOIDSTR(proto)));
1826 }
1827 ND_PRINT((ndo," spilen=%u", d.spi_size));
1828 ND_PRINT((ndo," nspi=%u", ntohs(d.num_spi)));
1829 ND_PRINT((ndo," spi="));
1830 q = (const uint8_t *)(p + 1);
1831 for (i = 0; i < ntohs(d.num_spi); i++) {
1832 if (i != 0)
1833 ND_PRINT((ndo,","));
1834 if (!rawprint(ndo, (const uint8_t *)q, d.spi_size))
1835 goto trunc;
1836 q += d.spi_size;
1837 }
1838 return q;
1839 trunc:
1840 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_D)));
1841 return NULL;
1842 }
1843
1844 static const u_char *
1845 ikev1_vid_print(netdissect_options *ndo, u_char tpay _U_,
1846 const struct isakmp_gen *ext,
1847 u_int item_len _U_, const u_char *ep _U_,
1848 uint32_t phase _U_, uint32_t doi _U_,
1849 uint32_t proto _U_, int depth _U_)
1850 {
1851 struct isakmp_gen e;
1852
1853 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_VID)));
1854
1855 ND_TCHECK(*ext);
1856 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1857 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
1858 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1859 /* Print the entire payload in hex */
1860 ND_PRINT((ndo," "));
1861 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
1862 goto trunc;
1863 }
1864 return (const u_char *)ext + ntohs(e.len);
1865 trunc:
1866 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_VID)));
1867 return NULL;
1868 }
1869
1870 /************************************************************/
1871 /* */
1872 /* IKE v2 - rfc4306 - dissector */
1873 /* */
1874 /************************************************************/
1875
1876 static void
1877 ikev2_pay_print(netdissect_options *ndo, const char *payname, int critical)
1878 {
1879 ND_PRINT((ndo,"%s%s:", payname, critical&0x80 ? "[C]" : ""));
1880 }
1881
1882 static const u_char *
1883 ikev2_gen_print(netdissect_options *ndo, u_char tpay,
1884 const struct isakmp_gen *ext)
1885 {
1886 struct isakmp_gen e;
1887
1888 ND_TCHECK(*ext);
1889 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1890 ikev2_pay_print(ndo, NPSTR(tpay), e.critical);
1891
1892 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
1893 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1894 /* Print the entire payload in hex */
1895 ND_PRINT((ndo," "));
1896 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
1897 goto trunc;
1898 }
1899 return (const u_char *)ext + ntohs(e.len);
1900 trunc:
1901 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
1902 return NULL;
1903 }
1904
1905 static const u_char *
1906 ikev2_t_print(netdissect_options *ndo, int tcount,
1907 const struct isakmp_gen *ext, u_int item_len,
1908 const u_char *ep)
1909 {
1910 const struct ikev2_t *p;
1911 struct ikev2_t t;
1912 uint16_t t_id;
1913 const u_char *cp;
1914 const char *idstr;
1915 const struct attrmap *map;
1916 size_t nmap;
1917 const u_char *ep2;
1918
1919 p = (const struct ikev2_t *)ext;
1920 ND_TCHECK(*p);
1921 UNALIGNED_MEMCPY(&t, ext, sizeof(t));
1922 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_T), t.h.critical);
1923
1924 t_id = ntohs(t.t_id);
1925
1926 map = NULL;
1927 nmap = 0;
1928
1929 switch (t.t_type) {
1930 case IV2_T_ENCR:
1931 idstr = STR_OR_ID(t_id, esp_p_map);
1932 map = encr_t_map;
1933 nmap = sizeof(encr_t_map)/sizeof(encr_t_map[0]);
1934 break;
1935
1936 case IV2_T_PRF:
1937 idstr = STR_OR_ID(t_id, prf_p_map);
1938 break;
1939
1940 case IV2_T_INTEG:
1941 idstr = STR_OR_ID(t_id, integ_p_map);
1942 break;
1943
1944 case IV2_T_DH:
1945 idstr = STR_OR_ID(t_id, dh_p_map);
1946 break;
1947
1948 case IV2_T_ESN:
1949 idstr = STR_OR_ID(t_id, esn_p_map);
1950 break;
1951
1952 default:
1953 idstr = NULL;
1954 break;
1955 }
1956
1957 if (idstr)
1958 ND_PRINT((ndo," #%u type=%s id=%s ", tcount,
1959 STR_OR_ID(t.t_type, ikev2_t_type_map),
1960 idstr));
1961 else
1962 ND_PRINT((ndo," #%u type=%s id=%u ", tcount,
1963 STR_OR_ID(t.t_type, ikev2_t_type_map),
1964 t.t_id));
1965 cp = (const u_char *)(p + 1);
1966 ep2 = (const u_char *)p + item_len;
1967 while (cp < ep && cp < ep2) {
1968 if (map && nmap) {
1969 cp = ikev1_attrmap_print(ndo, cp, ep2, map, nmap);
1970 } else
1971 cp = ikev1_attr_print(ndo, cp, ep2);
1972 if (cp == NULL)
1973 goto trunc;
1974 }
1975 if (ep < ep2)
1976 ND_PRINT((ndo,"..."));
1977 return cp;
1978 trunc:
1979 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_T)));
1980 return NULL;
1981 }
1982
1983 static const u_char *
1984 ikev2_p_print(netdissect_options *ndo, u_char tpay _U_, int pcount _U_,
1985 const struct isakmp_gen *ext, u_int oprop_length,
1986 const u_char *ep, int depth)
1987 {
1988 const struct ikev2_p *p;
1989 struct ikev2_p prop;
1990 u_int prop_length;
1991 const u_char *cp;
1992 int i;
1993 int tcount;
1994 u_char np;
1995 struct isakmp_gen e;
1996 u_int item_len;
1997
1998 p = (const struct ikev2_p *)ext;
1999 ND_TCHECK(*p);
2000 UNALIGNED_MEMCPY(&prop, ext, sizeof(prop));
2001
2002 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_P), prop.h.critical);
2003
2004 /*
2005 * ikev2_sa_print() guarantees that this is >= 4.
2006 */
2007 prop_length = oprop_length - 4;
2008 ND_PRINT((ndo," #%u protoid=%s transform=%d len=%u",
2009 prop.p_no, PROTOIDSTR(prop.prot_id),
2010 prop.num_t, oprop_length));
2011 cp = (const u_char *)(p + 1);
2012
2013 if (prop.spi_size) {
2014 if (prop_length < prop.spi_size)
2015 goto toolong;
2016 ND_PRINT((ndo," spi="));
2017 if (!rawprint(ndo, (const uint8_t *)cp, prop.spi_size))
2018 goto trunc;
2019 cp += prop.spi_size;
2020 prop_length -= prop.spi_size;
2021 }
2022
2023 /*
2024 * Print the transforms.
2025 */
2026 tcount = 0;
2027 for (np = ISAKMP_NPTYPE_T; np != 0; np = e.np) {
2028 tcount++;
2029 ext = (const struct isakmp_gen *)cp;
2030 if (prop_length < sizeof(*ext))
2031 goto toolong;
2032 ND_TCHECK(*ext);
2033 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2034
2035 /*
2036 * Since we can't have a payload length of less than 4 bytes,
2037 * we need to bail out here if the generic header is nonsensical
2038 * or truncated, otherwise we could loop forever processing
2039 * zero-length items or otherwise misdissect the packet.
2040 */
2041 item_len = ntohs(e.len);
2042 if (item_len <= 4)
2043 goto trunc;
2044
2045 if (prop_length < item_len)
2046 goto toolong;
2047 ND_TCHECK2(*cp, item_len);
2048
2049 depth++;
2050 ND_PRINT((ndo,"\n"));
2051 for (i = 0; i < depth; i++)
2052 ND_PRINT((ndo," "));
2053 ND_PRINT((ndo,"("));
2054 if (np == ISAKMP_NPTYPE_T) {
2055 cp = ikev2_t_print(ndo, tcount, ext, item_len, ep);
2056 if (cp == NULL) {
2057 /* error, already reported */
2058 return NULL;
2059 }
2060 } else {
2061 ND_PRINT((ndo, "%s", NPSTR(np)));
2062 cp += item_len;
2063 }
2064 ND_PRINT((ndo,")"));
2065 depth--;
2066 prop_length -= item_len;
2067 }
2068 return cp;
2069 toolong:
2070 /*
2071 * Skip the rest of the proposal.
2072 */
2073 cp += prop_length;
2074 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_P)));
2075 return cp;
2076 trunc:
2077 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_P)));
2078 return NULL;
2079 }
2080
2081 static const u_char *
2082 ikev2_sa_print(netdissect_options *ndo, u_char tpay,
2083 const struct isakmp_gen *ext1,
2084 u_int osa_length, const u_char *ep,
2085 uint32_t phase _U_, uint32_t doi _U_,
2086 uint32_t proto _U_, int depth)
2087 {
2088 const struct isakmp_gen *ext;
2089 struct isakmp_gen e;
2090 u_int sa_length;
2091 const u_char *cp;
2092 int i;
2093 int pcount;
2094 u_char np;
2095 u_int item_len;
2096
2097 ND_TCHECK(*ext1);
2098 UNALIGNED_MEMCPY(&e, ext1, sizeof(e));
2099 ikev2_pay_print(ndo, "sa", e.critical);
2100
2101 /*
2102 * ikev2_sub0_print() guarantees that this is >= 4.
2103 */
2104 osa_length= ntohs(e.len);
2105 sa_length = osa_length - 4;
2106 ND_PRINT((ndo," len=%d", sa_length));
2107
2108 /*
2109 * Print the payloads.
2110 */
2111 cp = (const u_char *)(ext1 + 1);
2112 pcount = 0;
2113 for (np = ISAKMP_NPTYPE_P; np != 0; np = e.np) {
2114 pcount++;
2115 ext = (const struct isakmp_gen *)cp;
2116 if (sa_length < sizeof(*ext))
2117 goto toolong;
2118 ND_TCHECK(*ext);
2119 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2120
2121 /*
2122 * Since we can't have a payload length of less than 4 bytes,
2123 * we need to bail out here if the generic header is nonsensical
2124 * or truncated, otherwise we could loop forever processing
2125 * zero-length items or otherwise misdissect the packet.
2126 */
2127 item_len = ntohs(e.len);
2128 if (item_len <= 4)
2129 goto trunc;
2130
2131 if (sa_length < item_len)
2132 goto toolong;
2133 ND_TCHECK2(*cp, item_len);
2134
2135 depth++;
2136 ND_PRINT((ndo,"\n"));
2137 for (i = 0; i < depth; i++)
2138 ND_PRINT((ndo," "));
2139 ND_PRINT((ndo,"("));
2140 if (np == ISAKMP_NPTYPE_P) {
2141 cp = ikev2_p_print(ndo, np, pcount, ext, item_len,
2142 ep, depth);
2143 if (cp == NULL) {
2144 /* error, already reported */
2145 return NULL;
2146 }
2147 } else {
2148 ND_PRINT((ndo, "%s", NPSTR(np)));
2149 cp += item_len;
2150 }
2151 ND_PRINT((ndo,")"));
2152 depth--;
2153 sa_length -= item_len;
2154 }
2155 return cp;
2156 toolong:
2157 /*
2158 * Skip the rest of the SA.
2159 */
2160 cp += sa_length;
2161 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2162 return cp;
2163 trunc:
2164 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2165 return NULL;
2166 }
2167
2168 static const u_char *
2169 ikev2_ke_print(netdissect_options *ndo, u_char tpay,
2170 const struct isakmp_gen *ext,
2171 u_int item_len _U_, const u_char *ep _U_,
2172 uint32_t phase _U_, uint32_t doi _U_,
2173 uint32_t proto _U_, int depth _U_)
2174 {
2175 struct ikev2_ke ke;
2176 const struct ikev2_ke *k;
2177
2178 k = (const struct ikev2_ke *)ext;
2179 ND_TCHECK(*k);
2180 UNALIGNED_MEMCPY(&ke, ext, sizeof(ke));
2181 ikev2_pay_print(ndo, NPSTR(tpay), ke.h.critical);
2182
2183 ND_PRINT((ndo," len=%u group=%s", ntohs(ke.h.len) - 8,
2184 STR_OR_ID(ntohs(ke.ke_group), dh_p_map)));
2185
2186 if (2 < ndo->ndo_vflag && 8 < ntohs(ke.h.len)) {
2187 ND_PRINT((ndo," "));
2188 if (!rawprint(ndo, (const uint8_t *)(k + 1), ntohs(ke.h.len) - 8))
2189 goto trunc;
2190 }
2191 return (const u_char *)ext + ntohs(ke.h.len);
2192 trunc:
2193 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2194 return NULL;
2195 }
2196
2197 static const u_char *
2198 ikev2_ID_print(netdissect_options *ndo, u_char tpay,
2199 const struct isakmp_gen *ext,
2200 u_int item_len _U_, const u_char *ep _U_,
2201 uint32_t phase _U_, uint32_t doi _U_,
2202 uint32_t proto _U_, int depth _U_)
2203 {
2204 const struct ikev2_id *idp;
2205 struct ikev2_id id;
2206 int id_len, idtype_len, i;
2207 unsigned int dumpascii, dumphex;
2208 const unsigned char *typedata;
2209
2210 idp = (const struct ikev2_id *)ext;
2211 ND_TCHECK(*idp);
2212 UNALIGNED_MEMCPY(&id, ext, sizeof(id));
2213 ikev2_pay_print(ndo, NPSTR(tpay), id.h.critical);
2214
2215 id_len = ntohs(id.h.len);
2216
2217 ND_PRINT((ndo," len=%d", id_len - 4));
2218 if (2 < ndo->ndo_vflag && 4 < id_len) {
2219 /* Print the entire payload in hex */
2220 ND_PRINT((ndo," "));
2221 if (!rawprint(ndo, (const uint8_t *)(ext + 1), id_len - 4))
2222 goto trunc;
2223 }
2224
2225 idtype_len =id_len - sizeof(struct ikev2_id);
2226 dumpascii = 0;
2227 dumphex = 0;
2228 typedata = (const unsigned char *)(ext)+sizeof(struct ikev2_id);
2229
2230 switch(id.type) {
2231 case ID_IPV4_ADDR:
2232 ND_PRINT((ndo, " ipv4:"));
2233 dumphex=1;
2234 break;
2235 case ID_FQDN:
2236 ND_PRINT((ndo, " fqdn:"));
2237 dumpascii=1;
2238 break;
2239 case ID_RFC822_ADDR:
2240 ND_PRINT((ndo, " rfc822:"));
2241 dumpascii=1;
2242 break;
2243 case ID_IPV6_ADDR:
2244 ND_PRINT((ndo, " ipv6:"));
2245 dumphex=1;
2246 break;
2247 case ID_DER_ASN1_DN:
2248 ND_PRINT((ndo, " dn:"));
2249 dumphex=1;
2250 break;
2251 case ID_DER_ASN1_GN:
2252 ND_PRINT((ndo, " gn:"));
2253 dumphex=1;
2254 break;
2255 case ID_KEY_ID:
2256 ND_PRINT((ndo, " keyid:"));
2257 dumphex=1;
2258 break;
2259 }
2260
2261 if(dumpascii) {
2262 ND_TCHECK2(*typedata, idtype_len);
2263 for(i=0; i<idtype_len; i++) {
2264 if(ND_ISPRINT(typedata[i])) {
2265 ND_PRINT((ndo, "%c", typedata[i]));
2266 } else {
2267 ND_PRINT((ndo, "."));
2268 }
2269 }
2270 }
2271 if(dumphex) {
2272 if (!rawprint(ndo, (const uint8_t *)typedata, idtype_len))
2273 goto trunc;
2274 }
2275
2276 return (const u_char *)ext + id_len;
2277 trunc:
2278 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2279 return NULL;
2280 }
2281
2282 static const u_char *
2283 ikev2_cert_print(netdissect_options *ndo, u_char tpay,
2284 const struct isakmp_gen *ext,
2285 u_int item_len _U_, const u_char *ep _U_,
2286 uint32_t phase _U_, uint32_t doi _U_,
2287 uint32_t proto _U_, int depth _U_)
2288 {
2289 return ikev2_gen_print(ndo, tpay, ext);
2290 }
2291
2292 static const u_char *
2293 ikev2_cr_print(netdissect_options *ndo, u_char tpay,
2294 const struct isakmp_gen *ext,
2295 u_int item_len _U_, const u_char *ep _U_,
2296 uint32_t phase _U_, uint32_t doi _U_,
2297 uint32_t proto _U_, int depth _U_)
2298 {
2299 return ikev2_gen_print(ndo, tpay, ext);
2300 }
2301
2302 static const u_char *
2303 ikev2_auth_print(netdissect_options *ndo, u_char tpay,
2304 const struct isakmp_gen *ext,
2305 u_int item_len _U_, const u_char *ep,
2306 uint32_t phase _U_, uint32_t doi _U_,
2307 uint32_t proto _U_, int depth _U_)
2308 {
2309 struct ikev2_auth a;
2310 const char *v2_auth[]={ "invalid", "rsasig",
2311 "shared-secret", "dsssig" };
2312 const u_char *authdata = (const u_char*)ext + sizeof(a);
2313 unsigned int len;
2314
2315 ND_TCHECK2(*ext, sizeof(a));
2316 UNALIGNED_MEMCPY(&a, ext, sizeof(a));
2317 ikev2_pay_print(ndo, NPSTR(tpay), a.h.critical);
2318 len = ntohs(a.h.len);
2319
2320 /*
2321 * Our caller has ensured that the length is >= 4.
2322 */
2323 ND_PRINT((ndo," len=%u method=%s", len-4,
2324 STR_OR_ID(a.auth_method, v2_auth)));
2325 if (len > 4) {
2326 if (ndo->ndo_vflag > 1) {
2327 ND_PRINT((ndo, " authdata=("));
2328 if (!rawprint(ndo, (const uint8_t *)authdata, len - sizeof(a)))
2329 goto trunc;
2330 ND_PRINT((ndo, ") "));
2331 } else if (ndo->ndo_vflag) {
2332 if (!ike_show_somedata(ndo, authdata, ep))
2333 goto trunc;
2334 }
2335 }
2336
2337 return (const u_char *)ext + len;
2338 trunc:
2339 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2340 return NULL;
2341 }
2342
2343 static const u_char *
2344 ikev2_nonce_print(netdissect_options *ndo, u_char tpay,
2345 const struct isakmp_gen *ext,
2346 u_int item_len _U_, const u_char *ep,
2347 uint32_t phase _U_, uint32_t doi _U_,
2348 uint32_t proto _U_, int depth _U_)
2349 {
2350 struct isakmp_gen e;
2351
2352 ND_TCHECK(*ext);
2353 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2354 ikev2_pay_print(ndo, "nonce", e.critical);
2355
2356 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
2357 if (1 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
2358 ND_PRINT((ndo," nonce=("));
2359 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
2360 goto trunc;
2361 ND_PRINT((ndo,") "));
2362 } else if(ndo->ndo_vflag && 4 < ntohs(e.len)) {
2363 if(!ike_show_somedata(ndo, (const u_char *)(ext+1), ep)) goto trunc;
2364 }
2365
2366 return (const u_char *)ext + ntohs(e.len);
2367 trunc:
2368 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2369 return NULL;
2370 }
2371
2372 /* notify payloads */
2373 static const u_char *
2374 ikev2_n_print(netdissect_options *ndo, u_char tpay _U_,
2375 const struct isakmp_gen *ext,
2376 u_int item_len, const u_char *ep,
2377 uint32_t phase _U_, uint32_t doi _U_,
2378 uint32_t proto _U_, int depth _U_)
2379 {
2380 const struct ikev2_n *p;
2381 struct ikev2_n n;
2382 const u_char *cp;
2383 u_char showspi, showsomedata;
2384 const char *notify_name;
2385 uint32_t type;
2386
2387 p = (const struct ikev2_n *)ext;
2388 ND_TCHECK(*p);
2389 UNALIGNED_MEMCPY(&n, ext, sizeof(n));
2390 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_N), n.h.critical);
2391
2392 showspi = 1;
2393 showsomedata=0;
2394 notify_name=NULL;
2395
2396 ND_PRINT((ndo," prot_id=%s", PROTOIDSTR(n.prot_id)));
2397
2398 type = ntohs(n.type);
2399
2400 /* notify space is annoying sparse */
2401 switch(type) {
2402 case IV2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD:
2403 notify_name = "unsupported_critical_payload";
2404 showspi = 0;
2405 break;
2406
2407 case IV2_NOTIFY_INVALID_IKE_SPI:
2408 notify_name = "invalid_ike_spi";
2409 showspi = 1;
2410 break;
2411
2412 case IV2_NOTIFY_INVALID_MAJOR_VERSION:
2413 notify_name = "invalid_major_version";
2414 showspi = 0;
2415 break;
2416
2417 case IV2_NOTIFY_INVALID_SYNTAX:
2418 notify_name = "invalid_syntax";
2419 showspi = 1;
2420 break;
2421
2422 case IV2_NOTIFY_INVALID_MESSAGE_ID:
2423 notify_name = "invalid_message_id";
2424 showspi = 1;
2425 break;
2426
2427 case IV2_NOTIFY_INVALID_SPI:
2428 notify_name = "invalid_spi";
2429 showspi = 1;
2430 break;
2431
2432 case IV2_NOTIFY_NO_PROPOSAL_CHOSEN:
2433 notify_name = "no_protocol_chosen";
2434 showspi = 1;
2435 break;
2436
2437 case IV2_NOTIFY_INVALID_KE_PAYLOAD:
2438 notify_name = "invalid_ke_payload";
2439 showspi = 1;
2440 break;
2441
2442 case IV2_NOTIFY_AUTHENTICATION_FAILED:
2443 notify_name = "authentication_failed";
2444 showspi = 1;
2445 break;
2446
2447 case IV2_NOTIFY_SINGLE_PAIR_REQUIRED:
2448 notify_name = "single_pair_required";
2449 showspi = 1;
2450 break;
2451
2452 case IV2_NOTIFY_NO_ADDITIONAL_SAS:
2453 notify_name = "no_additional_sas";
2454 showspi = 0;
2455 break;
2456
2457 case IV2_NOTIFY_INTERNAL_ADDRESS_FAILURE:
2458 notify_name = "internal_address_failure";
2459 showspi = 0;
2460 break;
2461
2462 case IV2_NOTIFY_FAILED_CP_REQUIRED:
2463 notify_name = "failed:cp_required";
2464 showspi = 0;
2465 break;
2466
2467 case IV2_NOTIFY_INVALID_SELECTORS:
2468 notify_name = "invalid_selectors";
2469 showspi = 0;
2470 break;
2471
2472 case IV2_NOTIFY_INITIAL_CONTACT:
2473 notify_name = "initial_contact";
2474 showspi = 0;
2475 break;
2476
2477 case IV2_NOTIFY_SET_WINDOW_SIZE:
2478 notify_name = "set_window_size";
2479 showspi = 0;
2480 break;
2481
2482 case IV2_NOTIFY_ADDITIONAL_TS_POSSIBLE:
2483 notify_name = "additional_ts_possible";
2484 showspi = 0;
2485 break;
2486
2487 case IV2_NOTIFY_IPCOMP_SUPPORTED:
2488 notify_name = "ipcomp_supported";
2489 showspi = 0;
2490 break;
2491
2492 case IV2_NOTIFY_NAT_DETECTION_SOURCE_IP:
2493 notify_name = "nat_detection_source_ip";
2494 showspi = 1;
2495 break;
2496
2497 case IV2_NOTIFY_NAT_DETECTION_DESTINATION_IP:
2498 notify_name = "nat_detection_destination_ip";
2499 showspi = 1;
2500 break;
2501
2502 case IV2_NOTIFY_COOKIE:
2503 notify_name = "cookie";
2504 showspi = 1;
2505 showsomedata= 1;
2506 break;
2507
2508 case IV2_NOTIFY_USE_TRANSPORT_MODE:
2509 notify_name = "use_transport_mode";
2510 showspi = 0;
2511 break;
2512
2513 case IV2_NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED:
2514 notify_name = "http_cert_lookup_supported";
2515 showspi = 0;
2516 break;
2517
2518 case IV2_NOTIFY_REKEY_SA:
2519 notify_name = "rekey_sa";
2520 showspi = 1;
2521 break;
2522
2523 case IV2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED:
2524 notify_name = "tfc_padding_not_supported";
2525 showspi = 0;
2526 break;
2527
2528 case IV2_NOTIFY_NON_FIRST_FRAGMENTS_ALSO:
2529 notify_name = "non_first_fragment_also";
2530 showspi = 0;
2531 break;
2532
2533 default:
2534 if (type < 8192) {
2535 notify_name="error";
2536 } else if(type < 16384) {
2537 notify_name="private-error";
2538 } else if(type < 40960) {
2539 notify_name="status";
2540 } else {
2541 notify_name="private-status";
2542 }
2543 }
2544
2545 if(notify_name) {
2546 ND_PRINT((ndo," type=%u(%s)", type, notify_name));
2547 }
2548
2549
2550 if (showspi && n.spi_size) {
2551 ND_PRINT((ndo," spi="));
2552 if (!rawprint(ndo, (const uint8_t *)(p + 1), n.spi_size))
2553 goto trunc;
2554 }
2555
2556 cp = (const u_char *)(p + 1) + n.spi_size;
2557
2558 if (cp < ep) {
2559 if (ndo->ndo_vflag > 3 || (showsomedata && ep-cp < 30)) {
2560 ND_PRINT((ndo," data=("));
2561 if (!rawprint(ndo, (const uint8_t *)(cp), ep - cp))
2562 goto trunc;
2563
2564 ND_PRINT((ndo,")"));
2565 } else if (showsomedata) {
2566 if (!ike_show_somedata(ndo, cp, ep))
2567 goto trunc;
2568 }
2569 }
2570
2571 return (const u_char *)ext + item_len;
2572 trunc:
2573 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_N)));
2574 return NULL;
2575 }
2576
2577 static const u_char *
2578 ikev2_d_print(netdissect_options *ndo, u_char tpay,
2579 const struct isakmp_gen *ext,
2580 u_int item_len _U_, const u_char *ep _U_,
2581 uint32_t phase _U_, uint32_t doi _U_,
2582 uint32_t proto _U_, int depth _U_)
2583 {
2584 return ikev2_gen_print(ndo, tpay, ext);
2585 }
2586
2587 static const u_char *
2588 ikev2_vid_print(netdissect_options *ndo, u_char tpay,
2589 const struct isakmp_gen *ext,
2590 u_int item_len _U_, const u_char *ep _U_,
2591 uint32_t phase _U_, uint32_t doi _U_,
2592 uint32_t proto _U_, int depth _U_)
2593 {
2594 struct isakmp_gen e;
2595 const u_char *vid;
2596 int i, len;
2597
2598 ND_TCHECK(*ext);
2599 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2600 ikev2_pay_print(ndo, NPSTR(tpay), e.critical);
2601 ND_PRINT((ndo," len=%d vid=", ntohs(e.len) - 4));
2602
2603 vid = (const u_char *)(ext+1);
2604 len = ntohs(e.len) - 4;
2605 ND_TCHECK2(*vid, len);
2606 for(i=0; i<len; i++) {
2607 if(ND_ISPRINT(vid[i])) ND_PRINT((ndo, "%c", vid[i]));
2608 else ND_PRINT((ndo, "."));
2609 }
2610 if (2 < ndo->ndo_vflag && 4 < len) {
2611 /* Print the entire payload in hex */
2612 ND_PRINT((ndo," "));
2613 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
2614 goto trunc;
2615 }
2616 return (const u_char *)ext + ntohs(e.len);
2617 trunc:
2618 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2619 return NULL;
2620 }
2621
2622 static const u_char *
2623 ikev2_TS_print(netdissect_options *ndo, u_char tpay,
2624 const struct isakmp_gen *ext,
2625 u_int item_len _U_, const u_char *ep _U_,
2626 uint32_t phase _U_, uint32_t doi _U_,
2627 uint32_t proto _U_, int depth _U_)
2628 {
2629 return ikev2_gen_print(ndo, tpay, ext);
2630 }
2631
2632 static const u_char *
2633 ikev2_e_print(netdissect_options *ndo,
2634 #ifndef HAVE_LIBCRYPTO
2635 _U_
2636 #endif
2637 struct isakmp *base,
2638 u_char tpay,
2639 const struct isakmp_gen *ext,
2640 u_int item_len _U_, const u_char *ep _U_,
2641 #ifndef HAVE_LIBCRYPTO
2642 _U_
2643 #endif
2644 uint32_t phase,
2645 #ifndef HAVE_LIBCRYPTO
2646 _U_
2647 #endif
2648 uint32_t doi,
2649 #ifndef HAVE_LIBCRYPTO
2650 _U_
2651 #endif
2652 uint32_t proto,
2653 #ifndef HAVE_LIBCRYPTO
2654 _U_
2655 #endif
2656 int depth)
2657 {
2658 struct isakmp_gen e;
2659 const u_char *dat;
2660 volatile int dlen;
2661
2662 ND_TCHECK(*ext);
2663 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2664 ikev2_pay_print(ndo, NPSTR(tpay), e.critical);
2665
2666 dlen = ntohs(e.len)-4;
2667
2668 ND_PRINT((ndo," len=%d", dlen));
2669 if (2 < ndo->ndo_vflag && 4 < dlen) {
2670 ND_PRINT((ndo," "));
2671 if (!rawprint(ndo, (const uint8_t *)(ext + 1), dlen))
2672 goto trunc;
2673 }
2674
2675 dat = (const u_char *)(ext+1);
2676 ND_TCHECK2(*dat, dlen);
2677
2678 #ifdef HAVE_LIBCRYPTO
2679 /* try to decypt it! */
2680 if(esp_print_decrypt_buffer_by_ikev2(ndo,
2681 base->flags & ISAKMP_FLAG_I,
2682 base->i_ck, base->r_ck,
2683 dat, dat+dlen)) {
2684
2685 ext = (const struct isakmp_gen *)ndo->ndo_packetp;
2686
2687 /* got it decrypted, print stuff inside. */
2688 ikev2_sub_print(ndo, base, e.np, ext, ndo->ndo_snapend,
2689 phase, doi, proto, depth+1);
2690 }
2691 #endif
2692
2693
2694 /* always return NULL, because E must be at end, and NP refers
2695 * to what was inside.
2696 */
2697 return NULL;
2698 trunc:
2699 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2700 return NULL;
2701 }
2702
2703 static const u_char *
2704 ikev2_cp_print(netdissect_options *ndo, u_char tpay,
2705 const struct isakmp_gen *ext,
2706 u_int item_len _U_, const u_char *ep _U_,
2707 uint32_t phase _U_, uint32_t doi _U_,
2708 uint32_t proto _U_, int depth _U_)
2709 {
2710 return ikev2_gen_print(ndo, tpay, ext);
2711 }
2712
2713 static const u_char *
2714 ikev2_eap_print(netdissect_options *ndo, u_char tpay,
2715 const struct isakmp_gen *ext,
2716 u_int item_len _U_, const u_char *ep _U_,
2717 uint32_t phase _U_, uint32_t doi _U_,
2718 uint32_t proto _U_, int depth _U_)
2719 {
2720 return ikev2_gen_print(ndo, tpay, ext);
2721 }
2722
2723 static const u_char *
2724 ike_sub0_print(netdissect_options *ndo,
2725 u_char np, const struct isakmp_gen *ext, const u_char *ep,
2726
2727 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
2728 {
2729 const u_char *cp;
2730 struct isakmp_gen e;
2731 u_int item_len;
2732
2733 cp = (const u_char *)ext;
2734 ND_TCHECK(*ext);
2735 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2736
2737 /*
2738 * Since we can't have a payload length of less than 4 bytes,
2739 * we need to bail out here if the generic header is nonsensical
2740 * or truncated, otherwise we could loop forever processing
2741 * zero-length items or otherwise misdissect the packet.
2742 */
2743 item_len = ntohs(e.len);
2744 if (item_len <= 4)
2745 return NULL;
2746
2747 if (NPFUNC(np)) {
2748 /*
2749 * XXX - what if item_len is too short, or too long,
2750 * for this payload type?
2751 */
2752 cp = (*npfunc[np])(ndo, np, ext, item_len, ep, phase, doi, proto, depth);
2753 } else {
2754 ND_PRINT((ndo,"%s", NPSTR(np)));
2755 cp += item_len;
2756 }
2757
2758 return cp;
2759 trunc:
2760 ND_PRINT((ndo," [|isakmp]"));
2761 return NULL;
2762 }
2763
2764 static const u_char *
2765 ikev1_sub_print(netdissect_options *ndo,
2766 u_char np, const struct isakmp_gen *ext, const u_char *ep,
2767 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
2768 {
2769 const u_char *cp;
2770 int i;
2771 struct isakmp_gen e;
2772
2773 cp = (const u_char *)ext;
2774
2775 while (np) {
2776 ND_TCHECK(*ext);
2777 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2778
2779 ND_TCHECK2(*ext, ntohs(e.len));
2780
2781 depth++;
2782 ND_PRINT((ndo,"\n"));
2783 for (i = 0; i < depth; i++)
2784 ND_PRINT((ndo," "));
2785 ND_PRINT((ndo,"("));
2786 cp = ike_sub0_print(ndo, np, ext, ep, phase, doi, proto, depth);
2787 ND_PRINT((ndo,")"));
2788 depth--;
2789
2790 if (cp == NULL) {
2791 /* Zero-length subitem */
2792 return NULL;
2793 }
2794
2795 np = e.np;
2796 ext = (const struct isakmp_gen *)cp;
2797 }
2798 return cp;
2799 trunc:
2800 ND_PRINT((ndo," [|%s]", NPSTR(np)));
2801 return NULL;
2802 }
2803
2804 static char *
2805 numstr(int x)
2806 {
2807 static char buf[20];
2808 snprintf(buf, sizeof(buf), "#%d", x);
2809 return buf;
2810 }
2811
2812 static void
2813 ikev1_print(netdissect_options *ndo,
2814 const u_char *bp, u_int length,
2815 const u_char *bp2, struct isakmp *base)
2816 {
2817 const struct isakmp *p;
2818 const u_char *ep;
2819 u_char np;
2820 int i;
2821 int phase;
2822
2823 p = (const struct isakmp *)bp;
2824 ep = ndo->ndo_snapend;
2825
2826 phase = (EXTRACT_32BITS(base->msgid) == 0) ? 1 : 2;
2827 if (phase == 1)
2828 ND_PRINT((ndo," phase %d", phase));
2829 else
2830 ND_PRINT((ndo," phase %d/others", phase));
2831
2832 i = cookie_find(&base->i_ck);
2833 if (i < 0) {
2834 if (iszero((const u_char *)&base->r_ck, sizeof(base->r_ck))) {
2835 /* the first packet */
2836 ND_PRINT((ndo," I"));
2837 if (bp2)
2838 cookie_record(&base->i_ck, bp2);
2839 } else
2840 ND_PRINT((ndo," ?"));
2841 } else {
2842 if (bp2 && cookie_isinitiator(i, bp2))
2843 ND_PRINT((ndo," I"));
2844 else if (bp2 && cookie_isresponder(i, bp2))
2845 ND_PRINT((ndo," R"));
2846 else
2847 ND_PRINT((ndo," ?"));
2848 }
2849
2850 ND_PRINT((ndo," %s", ETYPESTR(base->etype)));
2851 if (base->flags) {
2852 ND_PRINT((ndo,"[%s%s]", base->flags & ISAKMP_FLAG_E ? "E" : "",
2853 base->flags & ISAKMP_FLAG_C ? "C" : ""));
2854 }
2855
2856 if (ndo->ndo_vflag) {
2857 const struct isakmp_gen *ext;
2858
2859 ND_PRINT((ndo,":"));
2860
2861 /* regardless of phase... */
2862 if (base->flags & ISAKMP_FLAG_E) {
2863 /*
2864 * encrypted, nothing we can do right now.
2865 * we hope to decrypt the packet in the future...
2866 */
2867 ND_PRINT((ndo," [encrypted %s]", NPSTR(base->np)));
2868 goto done;
2869 }
2870
2871 CHECKLEN(p + 1, base->np);
2872 np = base->np;
2873 ext = (const struct isakmp_gen *)(p + 1);
2874 ikev1_sub_print(ndo, np, ext, ep, phase, 0, 0, 0);
2875 }
2876
2877 done:
2878 if (ndo->ndo_vflag) {
2879 if (ntohl(base->len) != length) {
2880 ND_PRINT((ndo," (len mismatch: isakmp %u/ip %u)",
2881 (uint32_t)ntohl(base->len), length));
2882 }
2883 }
2884 }
2885
2886 static const u_char *
2887 ikev2_sub0_print(netdissect_options *ndo, struct isakmp *base,
2888 u_char np,
2889 const struct isakmp_gen *ext, const u_char *ep,
2890 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
2891 {
2892 const u_char *cp;
2893 struct isakmp_gen e;
2894 u_int item_len;
2895
2896 cp = (const u_char *)ext;
2897 ND_TCHECK(*ext);
2898 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2899
2900 /*
2901 * Since we can't have a payload length of less than 4 bytes,
2902 * we need to bail out here if the generic header is nonsensical
2903 * or truncated, otherwise we could loop forever processing
2904 * zero-length items or otherwise misdissect the packet.
2905 */
2906 item_len = ntohs(e.len);
2907 if (item_len <= 4)
2908 return NULL;
2909
2910 if (np == ISAKMP_NPTYPE_v2E) {
2911 cp = ikev2_e_print(ndo, base, np, ext, item_len,
2912 ep, phase, doi, proto, depth);
2913 } else if (NPFUNC(np)) {
2914 /*
2915 * XXX - what if item_len is too short, or too long,
2916 * for this payload type?
2917 */
2918 cp = (*npfunc[np])(ndo, np, ext, item_len,
2919 ep, phase, doi, proto, depth);
2920 } else {
2921 ND_PRINT((ndo,"%s", NPSTR(np)));
2922 cp += item_len;
2923 }
2924
2925 return cp;
2926 trunc:
2927 ND_PRINT((ndo," [|isakmp]"));
2928 return NULL;
2929 }
2930
2931 static const u_char *
2932 ikev2_sub_print(netdissect_options *ndo,
2933 struct isakmp *base,
2934 u_char np, const struct isakmp_gen *ext, const u_char *ep,
2935 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
2936 {
2937 const u_char *cp;
2938 int i;
2939 struct isakmp_gen e;
2940
2941 cp = (const u_char *)ext;
2942 while (np) {
2943 ND_TCHECK(*ext);
2944 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2945
2946 ND_TCHECK2(*ext, ntohs(e.len));
2947
2948 depth++;
2949 ND_PRINT((ndo,"\n"));
2950 for (i = 0; i < depth; i++)
2951 ND_PRINT((ndo," "));
2952 ND_PRINT((ndo,"("));
2953 cp = ikev2_sub0_print(ndo, base, np,
2954 ext, ep, phase, doi, proto, depth);
2955 ND_PRINT((ndo,")"));
2956 depth--;
2957
2958 if (cp == NULL) {
2959 /* Zero-length subitem */
2960 return NULL;
2961 }
2962
2963 np = e.np;
2964 ext = (const struct isakmp_gen *)cp;
2965 }
2966 return cp;
2967 trunc:
2968 ND_PRINT((ndo," [|%s]", NPSTR(np)));
2969 return NULL;
2970 }
2971
2972 static void
2973 ikev2_print(netdissect_options *ndo,
2974 const u_char *bp, u_int length,
2975 const u_char *bp2 _U_, struct isakmp *base)
2976 {
2977 const struct isakmp *p;
2978 const u_char *ep;
2979 u_char np;
2980 int phase;
2981
2982 p = (const struct isakmp *)bp;
2983 ep = ndo->ndo_snapend;
2984
2985 phase = (EXTRACT_32BITS(base->msgid) == 0) ? 1 : 2;
2986 if (phase == 1)
2987 ND_PRINT((ndo, " parent_sa"));
2988 else
2989 ND_PRINT((ndo, " child_sa "));
2990
2991 ND_PRINT((ndo, " %s", ETYPESTR(base->etype)));
2992 if (base->flags) {
2993 ND_PRINT((ndo, "[%s%s%s]",
2994 base->flags & ISAKMP_FLAG_I ? "I" : "",
2995 base->flags & ISAKMP_FLAG_V ? "V" : "",
2996 base->flags & ISAKMP_FLAG_R ? "R" : ""));
2997 }
2998
2999 if (ndo->ndo_vflag) {
3000 const struct isakmp_gen *ext;
3001
3002 ND_PRINT((ndo, ":"));
3003
3004 /* regardless of phase... */
3005 if (base->flags & ISAKMP_FLAG_E) {
3006 /*
3007 * encrypted, nothing we can do right now.
3008 * we hope to decrypt the packet in the future...
3009 */
3010 ND_PRINT((ndo, " [encrypted %s]", NPSTR(base->np)));
3011 goto done;
3012 }
3013
3014 CHECKLEN(p + 1, base->np)
3015
3016 np = base->np;
3017 ext = (const struct isakmp_gen *)(p + 1);
3018 ikev2_sub_print(ndo, base, np, ext, ep, phase, 0, 0, 0);
3019 }
3020
3021 done:
3022 if (ndo->ndo_vflag) {
3023 if (ntohl(base->len) != length) {
3024 ND_PRINT((ndo, " (len mismatch: isakmp %u/ip %u)",
3025 (uint32_t)ntohl(base->len), length));
3026 }
3027 }
3028 }
3029
3030 void
3031 isakmp_print(netdissect_options *ndo,
3032 const u_char *bp, u_int length,
3033 const u_char *bp2)
3034 {
3035 const struct isakmp *p;
3036 struct isakmp base;
3037 const u_char *ep;
3038 int major, minor;
3039
3040 #ifdef HAVE_LIBCRYPTO
3041 /* initialize SAs */
3042 if (ndo->ndo_sa_list_head == NULL) {
3043 if (ndo->ndo_espsecret)
3044 esp_print_decodesecret(ndo);
3045 }
3046 #endif
3047
3048 p = (const struct isakmp *)bp;
3049 ep = ndo->ndo_snapend;
3050
3051 if ((const struct isakmp *)ep < p + 1) {
3052 ND_PRINT((ndo,"[|isakmp]"));
3053 return;
3054 }
3055
3056 UNALIGNED_MEMCPY(&base, p, sizeof(base));
3057
3058 ND_PRINT((ndo,"isakmp"));
3059 major = (base.vers & ISAKMP_VERS_MAJOR)
3060 >> ISAKMP_VERS_MAJOR_SHIFT;
3061 minor = (base.vers & ISAKMP_VERS_MINOR)
3062 >> ISAKMP_VERS_MINOR_SHIFT;
3063
3064 if (ndo->ndo_vflag) {
3065 ND_PRINT((ndo," %d.%d", major, minor));
3066 }
3067
3068 if (ndo->ndo_vflag) {
3069 ND_PRINT((ndo," msgid "));
3070 hexprint(ndo, (const uint8_t *)&base.msgid, sizeof(base.msgid));
3071 }
3072
3073 if (1 < ndo->ndo_vflag) {
3074 ND_PRINT((ndo," cookie "));
3075 hexprint(ndo, (const uint8_t *)&base.i_ck, sizeof(base.i_ck));
3076 ND_PRINT((ndo,"->"));
3077 hexprint(ndo, (const uint8_t *)&base.r_ck, sizeof(base.r_ck));
3078 }
3079 ND_PRINT((ndo,":"));
3080
3081 switch(major) {
3082 case IKEv1_MAJOR_VERSION:
3083 ikev1_print(ndo, bp, length, bp2, &base);
3084 break;
3085
3086 case IKEv2_MAJOR_VERSION:
3087 ikev2_print(ndo, bp, length, bp2, &base);
3088 break;
3089 }
3090 }
3091
3092 void
3093 isakmp_rfc3948_print(netdissect_options *ndo,
3094 const u_char *bp, u_int length,
3095 const u_char *bp2)
3096 {
3097 ND_TCHECK(bp[0]);
3098 if(length == 1 && bp[0]==0xff) {
3099 ND_PRINT((ndo, "isakmp-nat-keep-alive"));
3100 return;
3101 }
3102
3103 if(length < 4) {
3104 goto trunc;
3105 }
3106 ND_TCHECK(bp[3]);
3107
3108 /*
3109 * see if this is an IKE packet
3110 */
3111 if(bp[0]==0 && bp[1]==0 && bp[2]==0 && bp[3]==0) {
3112 ND_PRINT((ndo, "NONESP-encap: "));
3113 isakmp_print(ndo, bp+4, length-4, bp2);
3114 return;
3115 }
3116
3117 /* must be an ESP packet */
3118 {
3119 int nh, enh, padlen;
3120 int advance;
3121
3122 ND_PRINT((ndo, "UDP-encap: "));
3123
3124 advance = esp_print(ndo, bp, length, bp2, &enh, &padlen);
3125 if(advance <= 0)
3126 return;
3127
3128 bp += advance;
3129 length -= advance + padlen;
3130 nh = enh & 0xff;
3131
3132 ip_print_inner(ndo, bp, length, nh, bp2);
3133 return;
3134 }
3135
3136 trunc:
3137 ND_PRINT((ndo,"[|isakmp]"));
3138 return;
3139 }
3140
3141 /*
3142 * Local Variables:
3143 * c-style: whitesmith
3144 * c-basic-offset: 8
3145 * End:
3146 */
[mirror] the TCPdump network dissector