/* specification: RFC 2407, RFC 2408, RFC 5996 */
-#ifdef HAVE_CONFIG_H
#include <config.h>
-#endif
-
-/* The functions from print-esp.c used in this file are only defined when both
- * OpenSSL and evp.h are detected. Employ the same preprocessor device here.
- */
-#ifndef HAVE_OPENSSL_EVP_H
-#undef HAVE_LIBCRYPTO
-#endif
#include "netdissect-stdinc.h"
#include <string.h>
+#include "netdissect-ctype.h"
+
#include "netdissect.h"
#include "addrtoname.h"
#include "extract.h"
#define ISAKMP_FLAG_extra 0x04
/* IKEv2 */
-#define ISAKMP_FLAG_I (1 << 3) /* (I)nitiator */
-#define ISAKMP_FLAG_V (1 << 4) /* (V)ersion */
-#define ISAKMP_FLAG_R (1 << 5) /* (R)esponse */
+#define ISAKMP_FLAG_I (1 << 3) /* Initiator */
+#define ISAKMP_FLAG_V (1 << 4) /* Version */
+#define ISAKMP_FLAG_R (1 << 5) /* Response */
/* 3.2 Payload Generic Header
#define MAXINITIATORS 20
static int ninitiator = 0;
union inaddr_u {
- struct in_addr in4;
- struct in6_addr in6;
+ nd_ipv4 in4;
+ nd_ipv6 in6;
};
static struct {
cookie_t initiator;
? npfunc[(x)] : NULL)
static int
-iszero(const u_char *p, size_t l)
+iszero(netdissect_options *ndo, const u_char *p, size_t l)
{
while (l != 0) {
- if (*p)
+ if (GET_U_1(p))
return 0;
p++;
l--;
u_int totlen;
uint32_t t, v;
- ND_TCHECK_1(p);
if (GET_U_1(p) & 0x80)
totlen = 4;
else {
- ND_TCHECK_2(p + 2);
totlen = 4 + GET_BE_U_2(p + 2);
}
if (ep2 < p + totlen) {
return ep2 + 1;
}
- ND_TCHECK_2(p);
ND_PRINT("(");
t = GET_BE_U_2(p) & 0x7fff;
if (map && t < nmap && map[t].type)
ND_PRINT("type=#%u ", t);
if (GET_U_1(p) & 0x80) {
ND_PRINT("value=");
- ND_TCHECK_2(p + 2);
v = GET_BE_U_2(p + 2);
if (map && t < nmap && v < map[t].nvalue && map[t].value[v])
ND_PRINT("%s", map[t].value[v]);
u_int totlen;
uint32_t t;
- ND_TCHECK_1(p);
if (GET_U_1(p) & 0x80)
totlen = 4;
else {
- ND_TCHECK_2(p + 2);
totlen = 4 + GET_BE_U_2(p + 2);
}
if (ep2 < p + totlen) {
return ep2 + 1;
}
- ND_TCHECK_2(p);
ND_PRINT("(");
t = GET_BE_U_2(p) & 0x7fff;
ND_PRINT("type=#%u ", t);
np = (const u_char *)ext + sizeof(struct ikev1_pl_sa);
if (sit != 0x01) {
- ND_TCHECK_4(ext + 1);
ident = GET_BE_U_4(ext + 1);
ND_PRINT(" ident=%u", ident);
np += sizeof(ident);
if (len < 4)
ND_PRINT(" len=%u [bad: < 4]", len);
else
- ND_PRINT(" len=%u %s", len, ipaddr_string(ndo, data));
+ ND_PRINT(" len=%u %s", len, GET_IPADDR_STRING(data));
len = 0;
break;
case IPSECDOI_ID_FQDN:
else {
mask = data + sizeof(nd_ipv4);
ND_PRINT(" len=%u %s/%u.%u.%u.%u", len,
- ipaddr_string(ndo, data),
+ GET_IPADDR_STRING(data),
GET_U_1(mask), GET_U_1(mask + 1),
GET_U_1(mask + 2),
GET_U_1(mask + 3));
if (len < 16)
ND_PRINT(" len=%u [bad: < 16]", len);
else
- ND_PRINT(" len=%u %s", len, ip6addr_string(ndo, data));
+ ND_PRINT(" len=%u %s", len, GET_IP6ADDR_STRING(data));
len = 0;
break;
case IPSECDOI_ID_IPV6_ADDR_SUBNET:
mask = (const u_char *)(data + sizeof(nd_ipv6));
/*XXX*/
ND_PRINT(" len=%u %s/0x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x", len,
- ip6addr_string(ndo, data),
+ GET_IP6ADDR_STRING(data),
GET_U_1(mask), GET_U_1(mask + 1),
GET_U_1(mask + 2),
GET_U_1(mask + 3),
ND_PRINT(" len=%u [bad: < 8]", len);
else {
ND_PRINT(" len=%u %s-%s", len,
- ipaddr_string(ndo, data),
- ipaddr_string(ndo, data + sizeof(nd_ipv4)));
+ GET_IPADDR_STRING(data),
+ GET_IPADDR_STRING(data + sizeof(nd_ipv4)));
}
len = 0;
break;
ND_PRINT(" len=%u [bad: < 32]", len);
else {
ND_PRINT(" len=%u %s-%s", len,
- ip6addr_string(ndo, data),
- ip6addr_string(ndo, data + sizeof(nd_ipv6)));
+ GET_IP6ADDR_STRING(data),
+ GET_IP6ADDR_STRING(data + sizeof(nd_ipv6)));
}
len = 0;
break;
ND_PRINT(" spilen=%u", spi_size);
num_spi = GET_BE_U_2(p->num_spi);
ND_PRINT(" nspi=%u", num_spi);
- ND_PRINT(" spi=");
q = (const uint8_t *)(p + 1);
- for (i = 0; i < num_spi; i++) {
- if (i != 0)
- ND_PRINT(",");
- if (!rawprint(ndo, (const uint8_t *)q, spi_size))
- goto trunc;
- q += spi_size;
+ if (spi_size) {
+ ND_PRINT(" spi=");
+ for (i = 0; i < num_spi; i++) {
+ if (i != 0)
+ ND_PRINT(",");
+ if (!rawprint(ndo, (const uint8_t *)q, spi_size))
+ goto trunc;
+ q += spi_size;
+ }
}
return q;
trunc:
if(dumpascii) {
ND_TCHECK_LEN(typedata, idtype_len);
for(i=0; i<idtype_len; i++) {
- if(ND_ISPRINT(GET_U_1(typedata + i))) {
+ if(ND_ASCII_ISPRINT(GET_U_1(typedata + i))) {
ND_PRINT("%c", GET_U_1(typedata + i));
} else {
ND_PRINT(".");
const struct ikev2_auth *p;
const char *v2_auth[]={ "invalid", "rsasig",
"shared-secret", "dsssig" };
- const u_char *authdata = (const u_char*)ext + sizeof(struct ikev2_auth);
+ const u_char *authdata = (const u_char *)ext + sizeof(struct ikev2_auth);
ND_TCHECK_LEN(ext, sizeof(struct ikev2_auth));
p = (const struct ikev2_auth *)ext;
len = item_len - 4;
ND_TCHECK_LEN(vid, len);
for(i=0; i<len; i++) {
- if(ND_ISPRINT(GET_U_1(vid + i)))
+ if(ND_ASCII_ISPRINT(GET_U_1(vid + i)))
ND_PRINT("%c", GET_U_1(vid + i));
else ND_PRINT(".");
}
#ifdef HAVE_LIBCRYPTO
np = GET_U_1(ext->np);
- /* try to decypt it! */
- if(esp_print_decrypt_buffer_by_ikev2(ndo,
+ /* try to decrypt it! */
+ if(esp_decrypt_buffer_by_ikev2_print(ndo,
GET_U_1(base->flags) & ISAKMP_FLAG_I,
base->i_ck, base->r_ck,
dat, dat+dlen)) {
/* got it decrypted, print stuff inside. */
ikev2_sub_print(ndo, base, np, ext,
ndo->ndo_snapend, phase, doi, proto, depth+1);
+
+ /*
+ * esp_decrypt_buffer_by_ikev2_print pushed information
+ * on the buffer stack; we're done with the buffer, so
+ * pop it (which frees the buffer)
+ */
+ nd_pop_packet_info(ndo);
}
#endif
numstr(u_int x)
{
static char buf[20];
- nd_snprintf(buf, sizeof(buf), "#%u", x);
+ snprintf(buf, sizeof(buf), "#%u", x);
return buf;
}
i = cookie_find(&base->i_ck);
if (i < 0) {
- if (iszero((const u_char *)&base->r_ck, sizeof(base->r_ck))) {
+ if (iszero(ndo, base->r_ck, sizeof(base->r_ck))) {
/* the first packet */
ND_PRINT(" I");
if (bp2)
/* initialize SAs */
if (ndo->ndo_sa_list_head == NULL) {
if (ndo->ndo_espsecret)
- esp_print_decodesecret(ndo);
+ esp_decodesecret_print(ndo);
}
#endif
void
isakmp_rfc3948_print(netdissect_options *ndo,
const u_char *bp, u_int length,
- const u_char *bp2)
+ const u_char *bp2, int ver, int fragmented, u_int ttl_hl)
{
ndo->ndo_protocol = "isakmp_rfc3948";
- ND_TCHECK_1(bp);
if(length == 1 && GET_U_1(bp)==0xff) {
ND_PRINT("isakmp-nat-keep-alive");
return;
if(length < 4) {
goto trunc;
}
- ND_TCHECK_1(bp + 3);
/*
* see if this is an IKE packet
/* must be an ESP packet */
{
- u_int nh, enh, padlen;
- int advance;
-
ND_PRINT("UDP-encap: ");
- advance = esp_print(ndo, bp, length, bp2, &enh, &padlen);
- if(advance <= 0)
- return;
-
- bp += advance;
- length -= advance + padlen;
- nh = enh & 0xff;
+ esp_print(ndo, bp, length, bp2, ver, fragmented, ttl_hl);
- ip_inner_print(ndo, bp, length, nh, bp2);
+ /*
+ * Either this has decrypted the payload and
+ * printed it, in which case there's nothing more
+ * to do, or it hasn't, in which case there's
+ * nothing more to do.
+ */
return;
}
trunc:
nd_print_trunc(ndo);
- return;
}
projects / tcpdump / blobdiff