char *msg;
};
-/* 3.8 Notification Payload */
+/* 3.8 Authentication Payload */
struct ikev2_auth {
struct isakmp_gen h;
uint8_t auth_method; /* Protocol-ID */
static const u_char *
ikev1_attrmap_print(netdissect_options *ndo,
- const u_char *p, const u_char *ep,
+ const u_char *p, const u_char *ep2,
const struct attrmap *map, size_t nmap)
{
int totlen;
uint32_t t, v;
+ ND_TCHECK(p[0]);
if (p[0] & 0x80)
totlen = 4;
- else
- totlen = 4 + EXTRACT_16BITS(&p[2]);
- if (ep < p + totlen) {
+ else {
+ ND_TCHECK_2(p + 2);
+ totlen = 4 + EXTRACT_BE_U_2(p + 2);
+ }
+ if (ep2 < p + totlen) {
ND_PRINT((ndo,"[|attr]"));
- return ep + 1;
+ return ep2 + 1;
}
+ ND_TCHECK_2(p);
ND_PRINT((ndo,"("));
- t = EXTRACT_16BITS(&p[0]) & 0x7fff;
+ t = EXTRACT_BE_U_2(p) & 0x7fff;
if (map && t < nmap && map[t].type)
ND_PRINT((ndo,"type=%s ", map[t].type));
else
ND_PRINT((ndo,"type=#%d ", t));
if (p[0] & 0x80) {
ND_PRINT((ndo,"value="));
- v = EXTRACT_16BITS(&p[2]);
+ ND_TCHECK_2(p + 2);
+ v = EXTRACT_BE_U_2(p + 2);
if (map && t < nmap && v < map[t].nvalue && map[t].value[v])
ND_PRINT((ndo,"%s", map[t].value[v]));
- else
- rawprint(ndo, (const uint8_t *)&p[2], 2);
+ else {
+ if (!rawprint(ndo, (const uint8_t *)&p[2], 2)) {
+ ND_PRINT((ndo,")"));
+ goto trunc;
+ }
+ }
} else {
- ND_PRINT((ndo,"len=%d value=", EXTRACT_16BITS(&p[2])));
- rawprint(ndo, (const uint8_t *)&p[4], EXTRACT_16BITS(&p[2]));
+ ND_PRINT((ndo,"len=%d value=", totlen - 4));
+ if (!rawprint(ndo, (const uint8_t *)&p[4], totlen - 4)) {
+ ND_PRINT((ndo,")"));
+ goto trunc;
+ }
}
ND_PRINT((ndo,")"));
return p + totlen;
+
+trunc:
+ return NULL;
}
static const u_char *
-ikev1_attr_print(netdissect_options *ndo, const u_char *p, const u_char *ep)
+ikev1_attr_print(netdissect_options *ndo, const u_char *p, const u_char *ep2)
{
int totlen;
uint32_t t;
+ ND_TCHECK(p[0]);
if (p[0] & 0x80)
totlen = 4;
- else
- totlen = 4 + EXTRACT_16BITS(&p[2]);
- if (ep < p + totlen) {
+ else {
+ ND_TCHECK_2(p + 2);
+ totlen = 4 + EXTRACT_BE_U_2(p + 2);
+ }
+ if (ep2 < p + totlen) {
ND_PRINT((ndo,"[|attr]"));
- return ep + 1;
+ return ep2 + 1;
}
+ ND_TCHECK_2(p);
ND_PRINT((ndo,"("));
- t = EXTRACT_16BITS(&p[0]) & 0x7fff;
+ t = EXTRACT_BE_U_2(p) & 0x7fff;
ND_PRINT((ndo,"type=#%d ", t));
if (p[0] & 0x80) {
ND_PRINT((ndo,"value="));
t = p[2];
- rawprint(ndo, (const uint8_t *)&p[2], 2);
+ if (!rawprint(ndo, (const uint8_t *)&p[2], 2)) {
+ ND_PRINT((ndo,")"));
+ goto trunc;
+ }
} else {
- ND_PRINT((ndo,"len=%d value=", EXTRACT_16BITS(&p[2])));
- rawprint(ndo, (const uint8_t *)&p[4], EXTRACT_16BITS(&p[2]));
+ ND_PRINT((ndo,"len=%d value=", totlen - 4));
+ if (!rawprint(ndo, (const uint8_t *)&p[4], totlen - 4)) {
+ ND_PRINT((ndo,")"));
+ goto trunc;
+ }
}
ND_PRINT((ndo,")"));
return p + totlen;
+
+trunc:
+ return NULL;
}
static const u_char *
cp = (const u_char *)(p + 1);
ep2 = (const u_char *)p + item_len;
while (cp < ep && cp < ep2) {
- if (map && nmap) {
- cp = ikev1_attrmap_print(ndo, cp, (ep < ep2) ? ep : ep2,
- map, nmap);
- } else
- cp = ikev1_attr_print(ndo, cp, (ep < ep2) ? ep : ep2);
+ if (map && nmap)
+ cp = ikev1_attrmap_print(ndo, cp, ep2, map, nmap);
+ else
+ cp = ikev1_attr_print(ndo, cp, ep2);
+ if (cp == NULL)
+ goto trunc;
}
if (ep < ep2)
ND_PRINT((ndo,"..."));
UNALIGNED_MEMCPY(&e, ext, sizeof(e));
ND_PRINT((ndo," key len=%d", ntohs(e.len) - 4));
if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
+ /* Print the entire payload in hex */
ND_PRINT((ndo," "));
if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
goto trunc;
int i;
ND_PRINT((ndo," len=%d ", len));
for (i = 0; i < len; i++)
- safeputchar(ndo, data[i]);
+ safeputchar(ndo, EXTRACT_U_1(data + i));
len = 0;
break;
}
mask = data + sizeof(struct in_addr);
ND_PRINT((ndo," len=%d %s/%u.%u.%u.%u", len,
ipaddr_string(ndo, data),
- mask[0], mask[1], mask[2], mask[3]));
+ EXTRACT_U_1(mask), EXTRACT_U_1(mask + 1),
+ EXTRACT_U_1(mask + 2), EXTRACT_U_1(mask + 3)));
}
len = 0;
break;
case IPSECDOI_ID_IPV6_ADDR_SUBNET:
{
const u_char *mask;
- if (len < 20)
- ND_PRINT((ndo," len=%d [bad: < 20]", len));
+ if (len < 32)
+ ND_PRINT((ndo," len=%d [bad: < 32]", len));
else {
mask = (const u_char *)(data + sizeof(struct in6_addr));
/*XXX*/
ND_PRINT((ndo," len=%d %s/0x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x", len,
ip6addr_string(ndo, data),
- mask[0], mask[1], mask[2], mask[3],
- mask[4], mask[5], mask[6], mask[7],
- mask[8], mask[9], mask[10], mask[11],
- mask[12], mask[13], mask[14], mask[15]));
+ EXTRACT_U_1(mask), EXTRACT_U_1(mask + 1), EXTRACT_U_1(mask + 2), EXTRACT_U_1(mask + 3),
+ EXTRACT_U_1(mask + 4), EXTRACT_U_1(mask + 5), EXTRACT_U_1(mask + 6), EXTRACT_U_1(mask + 7),
+ EXTRACT_U_1(mask + 8), EXTRACT_U_1(mask + 9), EXTRACT_U_1(mask + 10), EXTRACT_U_1(mask + 11),
+ EXTRACT_U_1(mask + 12), EXTRACT_U_1(mask + 13), EXTRACT_U_1(mask + 14), EXTRACT_U_1(mask + 15)));
}
len = 0;
break;
ND_PRINT((ndo," len=%d", item_len - 4));
ND_PRINT((ndo," type=%s", STR_OR_ID((cert.encode), certstr)));
if (2 < ndo->ndo_vflag && 4 < item_len) {
+ /* Print the entire payload in hex */
ND_PRINT((ndo," "));
if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
goto trunc;
ND_PRINT((ndo," len=%d", item_len - 4));
ND_PRINT((ndo," type=%s", STR_OR_ID((cert.encode), certstr)));
if (2 < ndo->ndo_vflag && 4 < item_len) {
+ /* Print the entire payload in hex */
ND_PRINT((ndo," "));
if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
goto trunc;
UNALIGNED_MEMCPY(&e, ext, sizeof(e));
ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
+ /* Print the entire payload in hex */
ND_PRINT((ndo," "));
if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
goto trunc;
UNALIGNED_MEMCPY(&e, ext, sizeof(e));
ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
+ /* Print the entire payload in hex */
ND_PRINT((ndo," "));
if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
goto trunc;
ND_TCHECK(*ext);
UNALIGNED_MEMCPY(&e, ext, sizeof(e));
- ND_PRINT((ndo," n len=%d", ntohs(e.len) - 4));
- if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
- ND_PRINT((ndo," "));
- if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
- goto trunc;
- } else if (1 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
- ND_PRINT((ndo," "));
- if (!ike_show_somedata(ndo, (const u_char *)(const uint8_t *)(ext + 1), ep))
- goto trunc;
+ /*
+ * Our caller has ensured that the length is >= 4.
+ */
+ ND_PRINT((ndo," n len=%u", ntohs(e.len) - 4));
+ if (ntohs(e.len) > 4) {
+ if (ndo->ndo_vflag > 2) {
+ ND_PRINT((ndo, " "));
+ if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
+ goto trunc;
+ } else if (ndo->ndo_vflag > 1) {
+ ND_PRINT((ndo, " "));
+ if (!ike_show_somedata(ndo, (const u_char *)(ext + 1), ep))
+ goto trunc;
+ }
}
return (const u_char *)ext + ntohs(e.len);
trunc:
static const u_char *
ikev1_n_print(netdissect_options *ndo, u_char tpay _U_,
const struct isakmp_gen *ext, u_int item_len,
- const u_char *ep, uint32_t phase, uint32_t doi0 _U_,
- uint32_t proto0 _U_, int depth)
+ const u_char *ep, uint32_t phase _U_, uint32_t doi0 _U_,
+ uint32_t proto0 _U_, int depth _U_)
{
const struct ikev1_pl_n *p;
struct ikev1_pl_n n;
ep2 = (const u_char *)p + item_len;
if (cp < ep) {
- ND_PRINT((ndo," orig=("));
switch (ntohs(n.type)) {
case IPSECDOI_NTYPE_RESPONDER_LIFETIME:
{
const struct attrmap *map = oakley_t_map;
size_t nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]);
+ ND_PRINT((ndo," attrs=("));
while (cp < ep && cp < ep2) {
- cp = ikev1_attrmap_print(ndo, cp,
- (ep < ep2) ? ep : ep2, map, nmap);
+ cp = ikev1_attrmap_print(ndo, cp, ep2, map, nmap);
+ if (cp == NULL) {
+ ND_PRINT((ndo,")"));
+ goto trunc;
+ }
}
+ ND_PRINT((ndo,")"));
break;
}
case IPSECDOI_NTYPE_REPLAY_STATUS:
+ ND_PRINT((ndo," status=("));
ND_PRINT((ndo,"replay detection %sabled",
- EXTRACT_32BITS(cp) ? "en" : "dis"));
- break;
- case ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN:
- if (ikev1_sub_print(ndo, ISAKMP_NPTYPE_SA,
- (const struct isakmp_gen *)cp, ep, phase, doi, proto,
- depth) == NULL)
- return NULL;
+ EXTRACT_BE_U_4(cp) ? "en" : "dis"));
+ ND_PRINT((ndo,")"));
break;
default:
- /* NULL is dummy */
- isakmp_print(ndo, cp,
- item_len - sizeof(*p) - n.spi_size,
- NULL);
+ /*
+ * XXX - fill in more types here; see, for example,
+ * draft-ietf-ipsec-notifymsg-04.
+ */
+ if (ndo->ndo_vflag > 3) {
+ ND_PRINT((ndo," data=("));
+ if (!rawprint(ndo, (const uint8_t *)(cp), ep - cp))
+ goto trunc;
+ ND_PRINT((ndo,")"));
+ } else {
+ if (!ike_show_somedata(ndo, cp, ep))
+ goto trunc;
+ }
+ break;
}
- ND_PRINT((ndo,")"));
}
return (const u_char *)ext + item_len;
trunc:
UNALIGNED_MEMCPY(&e, ext, sizeof(e));
ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
+ /* Print the entire payload in hex */
ND_PRINT((ndo," "));
if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
goto trunc;
ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
+ /* Print the entire payload in hex */
ND_PRINT((ndo," "));
if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
goto trunc;
ep2 = (const u_char *)p + item_len;
while (cp < ep && cp < ep2) {
if (map && nmap) {
- cp = ikev1_attrmap_print(ndo, cp, (ep < ep2) ? ep : ep2,
- map, nmap);
+ cp = ikev1_attrmap_print(ndo, cp, ep2, map, nmap);
} else
- cp = ikev1_attr_print(ndo, cp, (ep < ep2) ? ep : ep2);
+ cp = ikev1_attr_print(ndo, cp, ep2);
+ if (cp == NULL)
+ goto trunc;
}
if (ep < ep2)
ND_PRINT((ndo,"..."));
if (prop_length < sizeof(*ext))
goto toolong;
ND_TCHECK(*ext);
-
UNALIGNED_MEMCPY(&e, ext, sizeof(e));
/*
if (sa_length < sizeof(*ext))
goto toolong;
ND_TCHECK(*ext);
-
UNALIGNED_MEMCPY(&e, ext, sizeof(e));
/*
const struct ikev2_ke *k;
k = (const struct ikev2_ke *)ext;
- ND_TCHECK(*ext);
+ ND_TCHECK(*k);
UNALIGNED_MEMCPY(&ke, ext, sizeof(ke));
ikev2_pay_print(ndo, NPSTR(tpay), ke.h.critical);
uint32_t phase _U_, uint32_t doi _U_,
uint32_t proto _U_, int depth _U_)
{
+ const struct ikev2_id *idp;
struct ikev2_id id;
int id_len, idtype_len, i;
unsigned int dumpascii, dumphex;
const unsigned char *typedata;
- ND_TCHECK(*ext);
+ idp = (const struct ikev2_id *)ext;
+ ND_TCHECK(*idp);
UNALIGNED_MEMCPY(&id, ext, sizeof(id));
ikev2_pay_print(ndo, NPSTR(tpay), id.h.critical);
ND_PRINT((ndo," len=%d", id_len - 4));
if (2 < ndo->ndo_vflag && 4 < id_len) {
+ /* Print the entire payload in hex */
ND_PRINT((ndo," "));
if (!rawprint(ndo, (const uint8_t *)(ext + 1), id_len - 4))
goto trunc;
if(dumpascii) {
ND_TCHECK2(*typedata, idtype_len);
for(i=0; i<idtype_len; i++) {
- if(ND_ISPRINT(typedata[i])) {
- ND_PRINT((ndo, "%c", typedata[i]));
+ if(ND_ISPRINT(EXTRACT_U_1(typedata + i))) {
+ ND_PRINT((ndo, "%c", EXTRACT_U_1(typedata + i)));
} else {
ND_PRINT((ndo, "."));
}
const u_char *authdata = (const u_char*)ext + sizeof(a);
unsigned int len;
- ND_TCHECK(*ext);
+ ND_TCHECK2(*ext, sizeof(a));
UNALIGNED_MEMCPY(&a, ext, sizeof(a));
ikev2_pay_print(ndo, NPSTR(tpay), a.h.critical);
len = ntohs(a.h.len);
- ND_PRINT((ndo," len=%d method=%s", len-4,
+ /*
+ * Our caller has ensured that the length is >= 4.
+ */
+ ND_PRINT((ndo," len=%u method=%s", len-4,
STR_OR_ID(a.auth_method, v2_auth)));
-
- if (1 < ndo->ndo_vflag && 4 < len) {
- ND_PRINT((ndo," authdata=("));
- if (!rawprint(ndo, (const uint8_t *)authdata, len - sizeof(a)))
- goto trunc;
- ND_PRINT((ndo,") "));
- } else if(ndo->ndo_vflag && 4 < len) {
- if(!ike_show_somedata(ndo, authdata, ep)) goto trunc;
+ if (len > 4) {
+ if (ndo->ndo_vflag > 1) {
+ ND_PRINT((ndo, " authdata=("));
+ if (!rawprint(ndo, (const uint8_t *)authdata, len - sizeof(a)))
+ goto trunc;
+ ND_PRINT((ndo, ") "));
+ } else if (ndo->ndo_vflag) {
+ if (!ike_show_somedata(ndo, authdata, ep))
+ goto trunc;
+ }
}
return (const u_char *)ext + len;
const struct ikev2_n *p;
struct ikev2_n n;
const u_char *cp;
- u_char showspi, showdata, showsomedata;
+ u_char showspi, showsomedata;
const char *notify_name;
uint32_t type;
ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_N), n.h.critical);
showspi = 1;
- showdata = 0;
showsomedata=0;
notify_name=NULL;
notify_name = "cookie";
showspi = 1;
showsomedata= 1;
- showdata= 0;
break;
case IV2_NOTIFY_USE_TRANSPORT_MODE:
cp = (const u_char *)(p + 1) + n.spi_size;
- if(3 < ndo->ndo_vflag) {
- showdata = 1;
- }
-
- if ((showdata || (showsomedata && ep-cp < 30)) && cp < ep) {
- ND_PRINT((ndo," data=("));
- if (!rawprint(ndo, (const uint8_t *)(cp), ep - cp))
- goto trunc;
-
- ND_PRINT((ndo,")"));
+ if (cp < ep) {
+ if (ndo->ndo_vflag > 3 || (showsomedata && ep-cp < 30)) {
+ ND_PRINT((ndo," data=("));
+ if (!rawprint(ndo, (const uint8_t *)(cp), ep - cp))
+ goto trunc;
- } else if(showsomedata && cp < ep) {
- if(!ike_show_somedata(ndo, cp, ep)) goto trunc;
+ ND_PRINT((ndo,")"));
+ } else if (showsomedata) {
+ if (!ike_show_somedata(ndo, cp, ep))
+ goto trunc;
+ }
}
return (const u_char *)ext + item_len;
len = ntohs(e.len) - 4;
ND_TCHECK2(*vid, len);
for(i=0; i<len; i++) {
- if(ND_ISPRINT(vid[i])) ND_PRINT((ndo, "%c", vid[i]));
+ if(ND_ISPRINT(EXTRACT_U_1(vid + i)))
+ ND_PRINT((ndo, "%c", EXTRACT_U_1(vid + i)));
else ND_PRINT((ndo, "."));
}
if (2 < ndo->ndo_vflag && 4 < len) {
+ /* Print the entire payload in hex */
ND_PRINT((ndo," "));
if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
goto trunc;
while (np) {
ND_TCHECK(*ext);
-
UNALIGNED_MEMCPY(&e, ext, sizeof(e));
ND_TCHECK2(*ext, ntohs(e.len));
p = (const struct isakmp *)bp;
ep = ndo->ndo_snapend;
- phase = (EXTRACT_32BITS(base->msgid) == 0) ? 1 : 2;
+ phase = (EXTRACT_BE_U_4(base->msgid) == 0) ? 1 : 2;
if (phase == 1)
ND_PRINT((ndo," phase %d", phase));
else
cp = (const u_char *)ext;
while (np) {
ND_TCHECK(*ext);
-
UNALIGNED_MEMCPY(&e, ext, sizeof(e));
ND_TCHECK2(*ext, ntohs(e.len));
p = (const struct isakmp *)bp;
ep = ndo->ndo_snapend;
- phase = (EXTRACT_32BITS(base->msgid) == 0) ? 1 : 2;
+ phase = (EXTRACT_BE_U_4(base->msgid) == 0) ? 1 : 2;
if (phase == 1)
ND_PRINT((ndo, " parent_sa"));
else
/* must be an ESP packet */
{
- int nh, enh, padlen;
+ u_int nh, enh, padlen;
int advance;
ND_PRINT((ndo, "UDP-encap: "));
* c-basic-offset: 8
* End:
*/
-
-
-
-
projects / tcpdump / blobdiff