X-Git-Url: https://git.tcpdump.org/tcpdump/blobdiff_plain/650e708afb8c6b20d49dfec794a238eac9c70736..05ec05a87b3a7c6983a16b5ae62d0f1512c4ce89:/print-isakmp.c diff --git a/print-isakmp.c b/print-isakmp.c index a97d7d97..ee82f5b7 100644 --- a/print-isakmp.c +++ b/print-isakmp.c @@ -30,13 +30,21 @@ #ifndef lint static const char rcsid[] _U_ = - "@(#) $Header: /tcpdump/master/tcpdump/print-isakmp.c,v 1.54 2007-08-29 02:38:14 mcr Exp $ (LBL)"; + "@(#) $Header: /tcpdump/master/tcpdump/print-isakmp.c,v 1.61 2008-02-05 19:34:25 guy Exp $ (LBL)"; #endif +#define NETDISSECT_REWORKED #ifdef HAVE_CONFIG_H #include "config.h" #endif +/* The functions from print-esp.c used in this file are only defined when both + * OpenSSL and evp.h are detected. Employ the same preprocessor device here. + */ +#ifndef HAVE_OPENSSL_EVP_H +#undef HAVE_LIBCRYPTO +#endif + #include #include @@ -93,16 +101,27 @@ DECLARE_PRINTER(v2_n); DECLARE_PRINTER(v2_d); DECLARE_PRINTER(v2_vid); DECLARE_PRINTER(v2_TS); -DECLARE_PRINTER(v2_e); DECLARE_PRINTER(v2_cp); DECLARE_PRINTER(v2_eap); -static const u_char *ikev1_sub0_print(netdissect_options *ndo,u_char, const struct isakmp_gen *, +static const u_char *ikev2_e_print(netdissect_options *ndo, + struct isakmp *base, + u_char tpay, + const struct isakmp_gen *ext, + u_int item_len, + const u_char *end_pointer, + u_int32_t phase, + u_int32_t doi0, + u_int32_t proto0, int depth); + + +static const u_char *ike_sub0_print(netdissect_options *ndo,u_char, const struct isakmp_gen *, const u_char *, u_int32_t, u_int32_t, u_int32_t, int); static const u_char *ikev1_sub_print(netdissect_options *ndo,u_char, const struct isakmp_gen *, const u_char *, u_int32_t, u_int32_t, u_int32_t, int); static const u_char *ikev2_sub_print(netdissect_options *ndo, + struct isakmp *base, u_char np, const struct isakmp_gen *ext, const u_char *ep, u_int32_t phase, u_int32_t doi, u_int32_t proto, 
@@ -184,7 +203,7 @@ static const u_char *(*npfunc[])(netdissect_options *ndo, u_char tpay, ikev2_vid_print, /* 43 */ ikev2_TS_print, /* 44 */ ikev2_TS_print, /* 45 */ - ikev2_e_print, /* 46 */ + NULL, /* ikev2_e_print,*/ /* 46 - special */ ikev2_cp_print, /* 47 */ ikev2_eap_print, /* 48 */ }; @@ -390,22 +409,29 @@ cookie_sidecheck(int i, const u_char *bp2, int initiator) return 0; } -static int -rawprint(netdissect_options *ndo, caddr_t loc, size_t len) +static void +hexprint(netdissect_options *ndo, caddr_t loc, size_t len) { - static u_char *p; + u_char *p; size_t i; - TCHECK2(*loc, len); - p = (u_char *)loc; for (i = 0; i < len; i++) ND_PRINT((ndo,"%02x", p[i] & 0xff)); +} + +static int +rawprint(netdissect_options *ndo, caddr_t loc, size_t len) +{ + ND_TCHECK2(*loc, len); + + hexprint(ndo, loc, len); return 1; trunc: return 0; } + /* * returns false if we run out of data buffer */ @@ -518,7 +544,7 @@ ikev1_attr_print(netdissect_options *ndo, const u_char *p, const u_char *ep) } static const u_char * -ikev1_sa_print(netdissect_options *ndo, u_char tpay, +ikev1_sa_print(netdissect_options *ndo, u_char tpay _U_, const struct isakmp_gen *ext, u_int item_len _U_, const u_char *ep, u_int32_t phase, u_int32_t doi0 _U_, @@ -534,7 +560,7 @@ ikev1_sa_print(netdissect_options *ndo, u_char tpay, ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_SA))); p = (struct ikev1_pl_sa *)ext; - TCHECK(*p); + ND_TCHECK(*p); safememcpy(&sa, ext, sizeof(sa)); doi = ntohl(sa.doi); sit = ntohl(sa.sit); @@ -561,14 +587,14 @@ ikev1_sa_print(netdissect_options *ndo, u_char tpay, np = (u_char *)ext + sizeof(sa); if (sit != 0x01) { - TCHECK2(*(ext + 1), sizeof(ident)); + ND_TCHECK2(*(ext + 1), sizeof(ident)); safememcpy(&ident, ext + 1, sizeof(ident)); ND_PRINT((ndo," ident=%u", (u_int32_t)ntohl(ident))); np += sizeof(ident); } ext = (struct isakmp_gen *)np; - TCHECK(*ext); + ND_TCHECK(*ext); cp = ikev1_sub_print(ndo, ISAKMP_NPTYPE_P, ext, ep, phase, doi, proto0, depth); 
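Review bot: The new `hexprint()` in the rawprint hunk reads `len` bytes from `loc` with no truncation check, and nothing on it tells callers that the memory must already be validated. The only callers visible in this patch pass fields of the local `struct isakmp base` copy in `isakmp_print`, which is safe, but a later caller handing it a packet pointer would read past the captured data. I would add a header comment such as `/* No truncation check: loc must be a local copy or already covered by ND_TCHECK2(); use rawprint() for packet data. */`. Declaring `p` as `const u_char *` would also fit, since the loop only reads through it.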
@@ -580,7 +606,7 @@ trunc: } static const u_char * -ikev1_p_print(netdissect_options *ndo, u_char tpay, +ikev1_p_print(netdissect_options *ndo, u_char tpay _U_, const struct isakmp_gen *ext, u_int item_len _U_, const u_char *ep, u_int32_t phase, u_int32_t doi0, u_int32_t proto0 _U_, int depth) @@ -592,7 +618,7 @@ ikev1_p_print(netdissect_options *ndo, u_char tpay, ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_P))); p = (struct ikev1_pl_p *)ext; - TCHECK(*p); + ND_TCHECK(*p); safememcpy(&prop, ext, sizeof(prop)); ND_PRINT((ndo," #%d protoid=%s transform=%d", prop.p_no, PROTOIDSTR(prop.prot_id), prop.num_t)); @@ -603,7 +629,7 @@ ikev1_p_print(netdissect_options *ndo, u_char tpay, } ext = (struct isakmp_gen *)((u_char *)(p + 1) + prop.spi_size); - TCHECK(*ext); + ND_TCHECK(*ext); cp = ikev1_sub_print(ndo, ISAKMP_NPTYPE_T, ext, ep, phase, doi0, prop.prot_id, depth); @@ -618,10 +644,6 @@ static const char *ikev1_p_map[] = { NULL, "ike", }; -static const char *ikev2_p_map[] = { - NULL, "ike", -}; - static const char *ikev2_t_type_map[]={ NULL, "encr", "prf", "integ", "dh", "esn" }; @@ -747,7 +769,7 @@ const struct attrmap oakley_t_map[] = { }; static const u_char * -ikev1_t_print(netdissect_options *ndo, u_char tpay, +ikev1_t_print(netdissect_options *ndo, u_char tpay _U_, const struct isakmp_gen *ext, u_int item_len, const u_char *ep, u_int32_t phase _U_, u_int32_t doi _U_, u_int32_t proto, int depth _U_) @@ -763,7 +785,7 @@ ikev1_t_print(netdissect_options *ndo, u_char tpay, ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_T))); p = (struct ikev1_pl_t *)ext; - TCHECK(*p); + ND_TCHECK(*p); safememcpy(&t, ext, sizeof(t)); switch (proto) { @@ -816,7 +838,7 @@ trunc: } static const u_char * -ikev1_ke_print(netdissect_options *ndo, u_char tpay, +ikev1_ke_print(netdissect_options *ndo, u_char tpay _U_, const struct isakmp_gen *ext, u_int item_len _U_, const u_char *ep _U_, u_int32_t phase _U_, u_int32_t doi _U_, u_int32_t proto _U_, int depth _U_) 
@@ -825,10 +847,10 @@ ikev1_ke_print(netdissect_options *ndo, u_char tpay, ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_KE))); - TCHECK(*ext); + ND_TCHECK(*ext); safememcpy(&e, ext, sizeof(e)); ND_PRINT((ndo," key len=%d", ntohs(e.len) - 4)); - if (2 < vflag && 4 < ntohs(e.len)) { + if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) { ND_PRINT((ndo," ")); if (!rawprint(ndo, (caddr_t)(ext + 1), ntohs(e.len) - 4)) goto trunc; @@ -840,7 +862,7 @@ trunc: } static const u_char * -ikev1_id_print(netdissect_options *ndo, u_char tpay, +ikev1_id_print(netdissect_options *ndo, u_char tpay _U_, const struct isakmp_gen *ext, u_int item_len _U_, const u_char *ep _U_, u_int32_t phase, u_int32_t doi _U_, u_int32_t proto _U_, int depth _U_) @@ -862,7 +884,7 @@ ikev1_id_print(netdissect_options *ndo, u_char tpay, ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_ID))); p = (struct ikev1_pl_id *)ext; - TCHECK(*p); + ND_TCHECK(*p); safememcpy(&id, ext, sizeof(id)); if (sizeof(*p) < item_len) { data = (u_char *)(p + 1); @@ -895,7 +917,7 @@ ikev1_id_print(netdissect_options *ndo, u_char tpay, struct protoent *pe; p = (struct ipsecdoi_id *)ext; - TCHECK(*p); + ND_TCHECK(*p); safememcpy(&id, ext, sizeof(id)); ND_PRINT((ndo," idtype=%s", STR_OR_ID(id.type, ipsecidtypestr))); if (id.proto_id) { @@ -917,7 +939,7 @@ ikev1_id_print(netdissect_options *ndo, u_char tpay, break; if (data == NULL) goto trunc; - TCHECK2(*data, len); + ND_TCHECK2(*data, len); switch (id.type) { case IPSECDOI_ID_IPV4_ADDR: if (len < 4) @@ -1006,7 +1028,7 @@ ikev1_id_print(netdissect_options *ndo, u_char tpay, } if (data && len) { ND_PRINT((ndo," len=%d", len)); - if (2 < vflag) { + if (2 < ndo->ndo_vflag) { ND_PRINT((ndo," ")); if (!rawprint(ndo, (caddr_t)data, len)) goto trunc; 
@@ -1019,7 +1041,7 @@ trunc: } static const u_char * -ikev1_cert_print(netdissect_options *ndo, u_char tpay, +ikev1_cert_print(netdissect_options *ndo, u_char tpay _U_, const struct isakmp_gen *ext, u_int item_len _U_, const u_char *ep _U_, u_int32_t phase _U_, u_int32_t doi0 _U_, @@ -1036,11 +1058,11 @@ ikev1_cert_print(netdissect_options *ndo, u_char tpay, ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_CERT))); p = (struct ikev1_pl_cert *)ext; - TCHECK(*p); + ND_TCHECK(*p); safememcpy(&cert, ext, sizeof(cert)); ND_PRINT((ndo," len=%d", item_len - 4)); ND_PRINT((ndo," type=%s", STR_OR_ID((cert.encode), certstr))); - if (2 < vflag && 4 < item_len) { + if (2 < ndo->ndo_vflag && 4 < item_len) { ND_PRINT((ndo," ")); if (!rawprint(ndo, (caddr_t)(ext + 1), item_len - 4)) goto trunc; @@ -1052,7 +1074,7 @@ trunc: } static const u_char * -ikev1_cr_print(netdissect_options *ndo, u_char tpay, +ikev1_cr_print(netdissect_options *ndo, u_char tpay _U_, const struct isakmp_gen *ext, u_int item_len _U_, const u_char *ep _U_, u_int32_t phase _U_, u_int32_t doi0 _U_, u_int32_t proto0 _U_, int depth _U_) @@ -1068,11 +1090,11 @@ ikev1_cr_print(netdissect_options *ndo, u_char tpay, ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_CR))); p = (struct ikev1_pl_cert *)ext; - TCHECK(*p); + ND_TCHECK(*p); safememcpy(&cert, ext, sizeof(cert)); ND_PRINT((ndo," len=%d", item_len - 4)); ND_PRINT((ndo," type=%s", STR_OR_ID((cert.encode), certstr))); - if (2 < vflag && 4 < item_len) { + if (2 < ndo->ndo_vflag && 4 < item_len) { ND_PRINT((ndo," ")); if (!rawprint(ndo, (caddr_t)(ext + 1), item_len - 4)) goto trunc; @@ -1084,7 +1106,7 @@ trunc: } static const u_char * -ikev1_hash_print(netdissect_options *ndo, u_char tpay, +ikev1_hash_print(netdissect_options *ndo, u_char tpay _U_, const struct isakmp_gen *ext, u_int item_len _U_, const u_char *ep _U_, u_int32_t phase _U_, u_int32_t doi _U_, u_int32_t proto _U_, int depth _U_) 
@@ -1093,10 +1115,10 @@ ikev1_hash_print(netdissect_options *ndo, u_char tpay, ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_HASH))); - TCHECK(*ext); + ND_TCHECK(*ext); safememcpy(&e, ext, sizeof(e)); ND_PRINT((ndo," len=%d", ntohs(e.len) - 4)); - if (2 < vflag && 4 < ntohs(e.len)) { + if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) { ND_PRINT((ndo," ")); if (!rawprint(ndo, (caddr_t)(ext + 1), ntohs(e.len) - 4)) goto trunc; @@ -1108,7 +1130,7 @@ trunc: } static const u_char * -ikev1_sig_print(netdissect_options *ndo, u_char tpay, +ikev1_sig_print(netdissect_options *ndo, u_char tpay _U_, const struct isakmp_gen *ext, u_int item_len _U_, const u_char *ep _U_, u_int32_t phase _U_, u_int32_t doi _U_, u_int32_t proto _U_, int depth _U_) @@ -1117,10 +1139,10 @@ ikev1_sig_print(netdissect_options *ndo, u_char tpay, ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_SIG))); - TCHECK(*ext); + ND_TCHECK(*ext); safememcpy(&e, ext, sizeof(e)); ND_PRINT((ndo," len=%d", ntohs(e.len) - 4)); - if (2 < vflag && 4 < ntohs(e.len)) { + if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) { ND_PRINT((ndo," ")); if (!rawprint(ndo, (caddr_t)(ext + 1), ntohs(e.len) - 4)) goto trunc; @@ -1132,7 +1154,7 @@ trunc: } static const u_char * -ikev1_nonce_print(netdissect_options *ndo, u_char tpay, +ikev1_nonce_print(netdissect_options *ndo, u_char tpay _U_, const struct isakmp_gen *ext, u_int item_len _U_, const u_char *ep _U_, 
@@ -1143,14 +1165,14 @@ ikev1_nonce_print(netdissect_options *ndo, u_char tpay, ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_NONCE))); - TCHECK(*ext); + ND_TCHECK(*ext); safememcpy(&e, ext, sizeof(e)); ND_PRINT((ndo," n len=%d", ntohs(e.len) - 4)); - if (2 < vflag && 4 < ntohs(e.len)) { + if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) { ND_PRINT((ndo," ")); if (!rawprint(ndo, (caddr_t)(ext + 1), ntohs(e.len) - 4)) goto trunc; - } else if (1 < vflag && 4 < ntohs(e.len)) { + } else if (1 < ndo->ndo_vflag && 4 < ntohs(e.len)) { ND_PRINT((ndo," ")); if (!ike_show_somedata(ndo, (u_char *)(caddr_t)(ext + 1), ep)) goto trunc; @@ -1162,7 +1184,7 @@ trunc: } static const u_char * -ikev1_n_print(netdissect_options *ndo, u_char tpay, +ikev1_n_print(netdissect_options *ndo, u_char tpay _U_, const struct isakmp_gen *ext, u_int item_len, const u_char *ep, u_int32_t phase, u_int32_t doi0 _U_, u_int32_t proto0 _U_, int depth) @@ -1221,7 +1243,7 @@ ikev1_n_print(netdissect_options *ndo, u_char tpay, ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_N))); p = (struct ikev1_pl_n *)ext; - TCHECK(*p); + ND_TCHECK(*p); safememcpy(&n, ext, sizeof(n)); doi = ntohl(n.doi); proto = n.prot_id; @@ -1290,7 +1312,7 @@ ikev1_n_print(netdissect_options *ndo, u_char tpay, break; default: /* NULL is dummy */ - isakmp_print(gndo, cp, + isakmp_print(ndo, cp, item_len - sizeof(*p) - n.spi_size, NULL); } @@ -1303,7 +1325,7 @@ trunc: } static const u_char * -ikev1_d_print(netdissect_options *ndo, u_char tpay, +ikev1_d_print(netdissect_options *ndo, u_char tpay _U_, const struct isakmp_gen *ext, u_int item_len _U_, const u_char *ep _U_, u_int32_t phase _U_, u_int32_t doi0 _U_, u_int32_t proto0 _U_, int depth _U_) @@ -1318,7 +1340,7 @@ ikev1_d_print(netdissect_options *ndo, u_char tpay, ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_D))); p = (struct ikev1_pl_d *)ext; - TCHECK(*p); + ND_TCHECK(*p); safememcpy(&d, ext, sizeof(d)); doi = ntohl(d.doi); proto = d.prot_id; 
@@ -1347,7 +1369,7 @@ trunc: } static const u_char * -ikev1_vid_print(netdissect_options *ndo, u_char tpay, +ikev1_vid_print(netdissect_options *ndo, u_char tpay _U_, const struct isakmp_gen *ext, u_int item_len _U_, const u_char *ep _U_, u_int32_t phase _U_, u_int32_t doi _U_, @@ -1357,10 +1379,10 @@ ikev1_vid_print(netdissect_options *ndo, u_char tpay, ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_VID))); - TCHECK(*ext); + ND_TCHECK(*ext); safememcpy(&e, ext, sizeof(e)); ND_PRINT((ndo," len=%d", ntohs(e.len) - 4)); - if (2 < vflag && 4 < ntohs(e.len)) { + if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) { ND_PRINT((ndo," ")); if (!rawprint(ndo, (caddr_t)(ext + 1), ntohs(e.len) - 4)) goto trunc; @@ -1384,17 +1406,17 @@ ikev2_pay_print(netdissect_options *ndo, const char *payname, int critical) } static const u_char * -ikev2_gen_print(netdissect_options *ndo, int tpay, +ikev2_gen_print(netdissect_options *ndo, u_char tpay, const struct isakmp_gen *ext) { struct isakmp_gen e; - TCHECK(*ext); + ND_TCHECK(*ext); safememcpy(&e, ext, sizeof(e)); ikev2_pay_print(ndo, NPSTR(tpay), e.critical); ND_PRINT((ndo," len=%d", ntohs(e.len) - 4)); - if (2 < vflag && 4 < ntohs(e.len)) { + if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) { ND_PRINT((ndo," ")); if (!rawprint(ndo, (caddr_t)(ext + 1), ntohs(e.len) - 4)) goto trunc; @@ -1406,10 +1428,10 @@ trunc: } static const u_char * -ikev2_t_print(netdissect_options *ndo, u_char tpay, int pcount, +ikev2_t_print(netdissect_options *ndo, u_char tpay _U_, int pcount, const struct isakmp_gen *ext, u_int item_len, const u_char *ep, u_int32_t phase _U_, u_int32_t doi _U_, - u_int32_t proto, int depth _U_) + u_int32_t proto _U_, int depth _U_) { const struct ikev2_t *p; struct ikev2_t t; @@ -1421,7 +1443,7 @@ ikev2_t_print(netdissect_options *ndo, u_char tpay, int pcount, const u_char *ep2; p = (struct ikev2_t *)ext; - TCHECK(*p); + ND_TCHECK(*p); safememcpy(&t, ext, sizeof(t)); ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_T), t.h.critical); 
@@ -1484,7 +1506,7 @@ trunc: } static const u_char * -ikev2_p_print(netdissect_options *ndo, u_char tpay, int pcount, +ikev2_p_print(netdissect_options *ndo, u_char tpay _U_, int pcount _U_, const struct isakmp_gen *ext, u_int item_len _U_, const u_char *ep, u_int32_t phase, u_int32_t doi0, u_int32_t proto0 _U_, int depth) @@ -1494,12 +1516,13 @@ ikev2_p_print(netdissect_options *ndo, u_char tpay, int pcount, const u_char *cp; p = (struct ikev2_p *)ext; - TCHECK(*p); + ND_TCHECK(*p); safememcpy(&prop, ext, sizeof(prop)); ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_P), prop.h.critical); - ND_PRINT((ndo," #%u protoid=%s transform=%d", - prop.p_no, PROTOIDSTR(prop.prot_id), prop.num_t)); + ND_PRINT((ndo," #%u protoid=%s transform=%d len=%u", + prop.p_no, PROTOIDSTR(prop.prot_id), + prop.num_t, ntohs(prop.h.len))); if (prop.spi_size) { ND_PRINT((ndo," spi=")); if (!rawprint(ndo, (caddr_t)(p + 1), prop.spi_size)) @@ -1507,9 +1530,9 @@ ikev2_p_print(netdissect_options *ndo, u_char tpay, int pcount, } ext = (struct isakmp_gen *)((u_char *)(p + 1) + prop.spi_size); - TCHECK(*ext); - - cp = ikev2_sub_print(ndo, ISAKMP_NPTYPE_T, ext, ep, phase, doi0, + ND_TCHECK(*ext); + + cp = ikev2_sub_print(ndo, NULL, ISAKMP_NPTYPE_T, ext, ep, phase, doi0, prop.prot_id, depth); return cp; 
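Review bot: In the last hunk of `ikev2_p_print` the call `ikev2_sub_print(ndo, NULL, ISAKMP_NPTYPE_T, ...)` passes a NULL `base`, and `ikev2_sa_print` does the same with `ISAKMP_NPTYPE_P`, while the new `ikev2_e_print` reads `base->flags`, `base->i_ck` and `base->r_ck` when HAVE_LIBCRYPTO is defined. If the loop in `ikev2_sub_print` takes the next payload type from the packet (that part of the loop is outside these hunks), a nested payload chain that names `ISAKMP_NPTYPE_v2E` would reach that dereference with `base == NULL`. A guard in `ikev2_e_print`, for example `if (base != NULL && esp_print_decrypt_buffer_by_ikev2(...))`, or passing the real header down from the caller, closes that path.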
@@ -1526,22 +1549,21 @@ ikev2_sa_print(netdissect_options *ndo, u_char tpay, u_int32_t proto _U_, int depth _U_) { struct isakmp_gen e; - const struct isakmp_gen *ext; - int osa_len, sa_len, np; + int osa_length, sa_length; - TCHECK(*ext1); + ND_TCHECK(*ext1); safememcpy(&e, ext1, sizeof(e)); ikev2_pay_print(ndo, "sa", e.critical); - osa_len= ntohs(e.len); - sa_len = osa_len - 4; - ND_PRINT((ndo," len=%d", sa_len)); + osa_length= ntohs(e.len); + sa_length = osa_length - 4; + ND_PRINT((ndo," len=%d", sa_length)); - ikev2_sub_print(ndo, ISAKMP_NPTYPE_P, + ikev2_sub_print(ndo, NULL, ISAKMP_NPTYPE_P, ext1+1, ep, 0, 0, 0, depth); - return (u_char *)ext1 + osa_len; + return (u_char *)ext1 + osa_length; trunc: ND_PRINT((ndo," [|%s]", NPSTR(tpay))); return NULL; @@ -1556,18 +1578,16 @@ ikev2_ke_print(netdissect_options *ndo, u_char tpay, { struct ikev2_ke ke; struct ikev2_ke *k; - const u_char *vid; - int i, len; k = (struct ikev2_ke *)ext; - TCHECK(*ext); + ND_TCHECK(*ext); safememcpy(&ke, ext, sizeof(ke)); ikev2_pay_print(ndo, NPSTR(tpay), ke.h.critical); ND_PRINT((ndo," len=%u group=%s", ntohs(ke.h.len) - 8, STR_OR_ID(ntohs(ke.ke_group), dh_p_map))); - if (2 < vflag && 8 < ntohs(ke.h.len)) { + if (2 < ndo->ndo_vflag && 8 < ntohs(ke.h.len)) { ND_PRINT((ndo," ")); if (!rawprint(ndo, (caddr_t)(k + 1), ntohs(ke.h.len) - 8)) goto trunc; 
@@ -1585,7 +1605,79 @@ ikev2_ID_print(netdissect_options *ndo, u_char tpay, u_int32_t phase _U_, u_int32_t doi _U_, u_int32_t proto _U_, int depth _U_) { - return ikev2_gen_print(ndo, tpay, ext); + struct ikev2_id id; + int id_len, idtype_len, i; + unsigned int dumpascii, dumphex; + unsigned char *typedata; + + ND_TCHECK(*ext); + safememcpy(&id, ext, sizeof(id)); + ikev2_pay_print(ndo, NPSTR(tpay), id.h.critical); + + id_len = ntohs(id.h.len); + + ND_PRINT((ndo," len=%d", id_len - 4)); + if (2 < ndo->ndo_vflag && 4 < id_len) { + ND_PRINT((ndo," ")); + if (!rawprint(ndo, (caddr_t)(ext + 1), id_len - 4)) + goto trunc; + } + + idtype_len =id_len - sizeof(struct ikev2_id); + dumpascii = 0; + dumphex = 0; + typedata = (unsigned char *)(ext)+sizeof(struct ikev2_id); + + switch(id.type) { + case ID_IPV4_ADDR: + ND_PRINT((ndo, " ipv4:")); + dumphex=1; + break; + case ID_FQDN: + ND_PRINT((ndo, " fqdn:")); + dumpascii=1; + break; + case ID_RFC822_ADDR: + ND_PRINT((ndo, " rfc822:")); + dumpascii=1; + break; + case ID_IPV6_ADDR: + ND_PRINT((ndo, " ipv6:")); + dumphex=1; + break; + case ID_DER_ASN1_DN: + ND_PRINT((ndo, " dn:")); + dumphex=1; + break; + case ID_DER_ASN1_GN: + ND_PRINT((ndo, " gn:")); + dumphex=1; + break; + case ID_KEY_ID: + ND_PRINT((ndo, " keyid:")); + dumphex=1; + break; + } + + if(dumpascii) { + ND_TCHECK2(*typedata, idtype_len); + for(i=0; indo_vflag && 4 < ntohs(e.h.len)) { + if (1 < ndo->ndo_vflag && 4 < len) { ND_PRINT((ndo," authdata=(")); - if (!rawprint(ndo, (caddr_t)(ext + 1), ntohs(e.h.len) - 4)) + if (!rawprint(ndo, (caddr_t)authdata, len - sizeof(a))) goto trunc; ND_PRINT((ndo,") ")); - } else if(ndo->ndo_vflag && 4 < ntohs(e.h.len)) { - if(!ike_show_somedata(ndo, (const u_char *)(ext+1), ep)) goto trunc; + } else if(ndo->ndo_vflag && 4 < len) { + if(!ike_show_somedata(ndo, authdata, ep)) goto trunc; } - return (u_char *)ext + ntohs(e.h.len); + return (u_char *)ext + len; trunc: ND_PRINT((ndo," [|%s]", NPSTR(tpay))); return NULL; 
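Review bot: `ikev2_ID_print` computes `idtype_len = id_len - sizeof(struct ikev2_id)` without first checking that the length taken from the packet is at least `sizeof(struct ikev2_id)`, so a short payload gives a wrapped or negative length that then feeds `ND_TCHECK2(*typedata, idtype_len)` and the dump code. The preceding `ND_TCHECK(*ext)` also appears to cover only the generic header (assuming `ext` is a `const struct isakmp_gen *` as in the sibling printers), while `safememcpy(&id, ext, sizeof(id))` copies the larger ID header. I would use `ND_TCHECK2(*ext, sizeof(id));` before the copy and add `if (id_len < (int)sizeof(struct ikev2_id)) goto trunc;` after reading `id_len`. The `switch(id.type)` has no `default`, so unknown ID types print no label; the middle of this hunk is damaged on the page, so the dump loops themselves are not reviewed here.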
@@ -1649,7 +1745,7 @@ ikev2_nonce_print(netdissect_options *ndo, u_char tpay, { struct isakmp_gen e; - TCHECK(*ext); + ND_TCHECK(*ext); safememcpy(&e, ext, sizeof(e)); ikev2_pay_print(ndo, "nonce", e.critical); @@ -1671,7 +1767,7 @@ trunc: /* notify payloads */ static const u_char * -ikev2_n_print(netdissect_options *ndo, u_char tpay, +ikev2_n_print(netdissect_options *ndo, u_char tpay _U_, const struct isakmp_gen *ext, u_int item_len _U_, const u_char *ep _U_, u_int32_t phase _U_, u_int32_t doi _U_, @@ -1681,11 +1777,11 @@ ikev2_n_print(netdissect_options *ndo, u_char tpay, const u_char *cp; u_char *ep2; u_char showspi, showdata, showsomedata; - char *notify_name; + const char *notify_name; u_int32_t type; p = (struct ikev2_n *)ext; - TCHECK(*p); + ND_TCHECK(*p); safememcpy(&n, ext, sizeof(n)); ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_N), n.h.critical); @@ -1900,19 +1996,19 @@ ikev2_vid_print(netdissect_options *ndo, u_char tpay, const u_char *vid; int i, len; - TCHECK(*ext); + ND_TCHECK(*ext); safememcpy(&e, ext, sizeof(e)); ikev2_pay_print(ndo, NPSTR(tpay), e.critical); ND_PRINT((ndo," len=%d vid=", ntohs(e.len) - 4)); vid = (const u_char *)(ext+1); len = ntohs(e.len) - 4; - TCHECK2(*vid, len); + ND_TCHECK2(*vid, len); for(i=0; indo_vflag && 4 < len) { ND_PRINT((ndo," ")); if (!rawprint(ndo, (caddr_t)(ext + 1), ntohs(e.len) - 4)) goto trunc; 
@@ -1934,13 +2030,74 @@ ikev2_TS_print(netdissect_options *ndo, u_char tpay, } static const u_char * -ikev2_e_print(netdissect_options *ndo, u_char tpay, - const struct isakmp_gen *ext, - u_int item_len _U_, const u_char *ep _U_, - u_int32_t phase _U_, u_int32_t doi _U_, - u_int32_t proto _U_, int depth _U_) +ikev2_e_print(netdissect_options *ndo, +#ifndef HAVE_LIBCRYPTO + _U_ +#endif + struct isakmp *base, + u_char tpay, + const struct isakmp_gen *ext, + u_int item_len _U_, const u_char *ep _U_, +#ifndef HAVE_LIBCRYPTO + _U_ +#endif + u_int32_t phase, +#ifndef HAVE_LIBCRYPTO + _U_ +#endif + u_int32_t doi, +#ifndef HAVE_LIBCRYPTO + _U_ +#endif + u_int32_t proto, +#ifndef HAVE_LIBCRYPTO + _U_ +#endif + int depth) { - return ikev2_gen_print(ndo, tpay, ext); + struct isakmp_gen e; + u_char *dat; + volatile int dlen; + + ND_TCHECK(*ext); + safememcpy(&e, ext, sizeof(e)); + ikev2_pay_print(ndo, NPSTR(tpay), e.critical); + + dlen = ntohs(e.len)-4; + + ND_PRINT((ndo," len=%d", dlen)); + if (2 < ndo->ndo_vflag && 4 < dlen) { + ND_PRINT((ndo," ")); + if (!rawprint(ndo, (caddr_t)(ext + 1), dlen)) + goto trunc; + } + + dat = (u_char *)(ext+1); + ND_TCHECK2(*dat, dlen); + +#ifdef HAVE_LIBCRYPTO + /* try to decypt it! */ + if(esp_print_decrypt_buffer_by_ikev2(ndo, + base->flags & ISAKMP_FLAG_I, + base->i_ck, base->r_ck, + dat, dat+dlen)) { + + ext = (const struct isakmp_gen *)ndo->ndo_packetp; + + /* got it decrypted, print stuff inside. */ + ikev2_sub_print(ndo, base, e.np, ext, ndo->ndo_snapend, + phase, doi, proto, depth+1); + } +#endif + + + /* always return NULL, because E must be at end, and NP refers + * to what was inside. + */ + return NULL; +trunc: + ND_PRINT((ndo," [|%s]", NPSTR(tpay))); + return NULL; } static const u_char * 
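Review bot: `dlen = ntohs(e.len)-4` in the new `ikev2_e_print` has no lower bound, so a payload length below 4 makes `dlen` negative before it reaches `ND_TCHECK2(*dat, dlen)` and the `dat+dlen` end pointer handed to `esp_print_decrypt_buffer_by_ikev2`; whether the macro rejects a negative length is not visible here. An explicit `if (ntohs(e.len) < 4) goto trunc;` right after the `safememcpy` makes this independent of the macro. The hex-dump condition tests `4 < dlen` although 4 was already subtracted, unlike the `4 < ntohs(e.len)` form used by the other printers, so payloads with one to four data bytes are never dumped. The recursion into `ikev2_sub_print` with `ndo->ndo_packetp` and `ndo->ndo_snapend` relies on the decrypt helper having repointed those fields; a comment stating that, and whether they are restored afterwards, would help the next reader.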
@@ -1966,14 +2123,15 @@ ikev2_eap_print(netdissect_options *ndo, u_char tpay, static const u_char * ike_sub0_print(netdissect_options *ndo, u_char np, const struct isakmp_gen *ext, const u_char *ep, - u_int32_t phase, u_int32_t doi, u_int32_t proto, int depth) + + u_int32_t phase, u_int32_t doi, u_int32_t proto, int depth) { const u_char *cp; struct isakmp_gen e; u_int item_len; cp = (u_char *)ext; - TCHECK(*ext); + ND_TCHECK(*ext); safememcpy(&e, ext, sizeof(e)); /* @@ -2015,11 +2173,11 @@ ikev1_sub_print(netdissect_options *ndo, cp = (const u_char *)ext; while (np) { - TCHECK(*ext); + ND_TCHECK(*ext); safememcpy(&e, ext, sizeof(e)); - TCHECK2(*ext, ntohs(e.len)); + ND_TCHECK2(*ext, ntohs(e.len)); depth++; ND_PRINT((ndo,"\n")); @@ -2063,7 +2221,7 @@ safememcpy(void *p, const void *q, size_t l) memcpy(p, q, l); } -void +static void ikev1_print(netdissect_options *ndo, const u_char *bp, u_int length, const u_char *bp2, struct isakmp *base) @@ -2107,7 +2265,7 @@ ikev1_print(netdissect_options *ndo, base->flags & ISAKMP_FLAG_C ? "C" : "")); } - if (vflag) { + if (ndo->ndo_vflag) { const struct isakmp_gen *ext; int nparen; @@ -2131,7 +2289,7 @@ ikev1_print(netdissect_options *ndo, } done: - if (vflag) { + if (ndo->ndo_vflag) { if (ntohl(base->len) != length) { ND_PRINT((ndo," (len mismatch: isakmp %u/ip %u)", (u_int32_t)ntohl(base->len), length)); @@ -2140,7 +2298,8 @@ done: } static const u_char * -ikev2_sub0_print(netdissect_options *ndo, u_char np, int pcount, +ikev2_sub0_print(netdissect_options *ndo, struct isakmp *base, + u_char np, int pcount, const struct isakmp_gen *ext, const u_char *ep, u_int32_t phase, u_int32_t doi, u_int32_t proto, int depth) { @@ -2149,7 +2308,7 @@ ikev2_sub0_print(netdissect_options *ndo, u_char np, int pcount, u_int item_len; cp = (u_char *)ext; - TCHECK(*ext); + ND_TCHECK(*ext); safememcpy(&e, ext, sizeof(e)); /* 
@@ -2168,6 +2327,9 @@ ikev2_sub0_print(netdissect_options *ndo, u_char np, int pcount, } else if(np == ISAKMP_NPTYPE_T) { cp = ikev2_t_print(ndo, np, pcount, ext, item_len, ep, phase, doi, proto, depth); + } else if(np == ISAKMP_NPTYPE_v2E) { + cp = ikev2_e_print(ndo, base, np, ext, item_len, + ep, phase, doi, proto, depth); } else if (NPFUNC(np)) { /* * XXX - what if item_len is too short, or too long, @@ -2188,6 +2350,7 @@ trunc: static const u_char * ikev2_sub_print(netdissect_options *ndo, + struct isakmp *base, u_char np, const struct isakmp_gen *ext, const u_char *ep, u_int32_t phase, u_int32_t doi, u_int32_t proto, int depth) { @@ -2200,18 +2363,18 @@ ikev2_sub_print(netdissect_options *ndo, pcount = 0; while (np) { pcount++; - TCHECK(*ext); + ND_TCHECK(*ext); safememcpy(&e, ext, sizeof(e)); - TCHECK2(*ext, ntohs(e.len)); + ND_TCHECK2(*ext, ntohs(e.len)); depth++; ND_PRINT((ndo,"\n")); for (i = 0; i < depth; i++) ND_PRINT((ndo," ")); ND_PRINT((ndo,"(")); - cp = ikev2_sub0_print(ndo, np, pcount, + cp = ikev2_sub0_print(ndo, base, np, pcount, ext, ep, phase, doi, proto, depth); ND_PRINT((ndo,")")); depth--; @@ -2230,15 +2393,14 @@ trunc: return NULL; } -void +static void ikev2_print(netdissect_options *ndo, const u_char *bp, u_int length, - const u_char *bp2, struct isakmp *base) + const u_char *bp2 _U_, struct isakmp *base) { const struct isakmp *p; const u_char *ep; u_char np; - int i; int phase; p = (const struct isakmp *)bp; @@ -2252,7 +2414,7 @@ ikev2_print(netdissect_options *ndo, ND_PRINT((ndo, " %s", ETYPESTR(base->etype))); if (base->flags) { - ND_PRINT((ndo, "[%s%s]", + ND_PRINT((ndo, "[%s%s%s]", base->flags & ISAKMP_FLAG_I ? "I" : "", base->flags & ISAKMP_FLAG_V ? "V" : "", base->flags & ISAKMP_FLAG_R ? "R" : "")); @@ -2279,7 +2441,7 @@ ikev2_print(netdissect_options *ndo, np = base->np; ext = (struct isakmp_gen *)(p + 1); - ikev2_sub_print(ndo, np, ext, ep, phase, 0, 0, 0); + ikev2_sub_print(ndo, base, np, ext, ep, phase, 0, 0, 0); } done: 
@@ -2299,11 +2461,16 @@ isakmp_print(netdissect_options *ndo, const struct isakmp *p; struct isakmp base; const u_char *ep; - u_char np; - int i; - int phase; int major, minor; +#ifdef HAVE_LIBCRYPTO + /* initialize SAs */ + if (ndo->ndo_sa_list_head == NULL) { + if (ndo->ndo_espsecret) + esp_print_decodesecret(ndo); + } +#endif + p = (const struct isakmp *)bp; ep = ndo->ndo_snapend; @@ -2326,14 +2493,14 @@ isakmp_print(netdissect_options *ndo, if (ndo->ndo_vflag) { ND_PRINT((ndo," msgid ")); - rawprint(ndo, (caddr_t)&base.msgid, sizeof(base.msgid)); + hexprint(ndo, (caddr_t)&base.msgid, sizeof(base.msgid)); } if (1 < ndo->ndo_vflag) { ND_PRINT((ndo," cookie ")); - rawprint(ndo, (caddr_t)&base.i_ck, sizeof(base.i_ck)); + hexprint(ndo, (caddr_t)&base.i_ck, sizeof(base.i_ck)); ND_PRINT((ndo,"->")); - rawprint(ndo, (caddr_t)&base.r_ck, sizeof(base.r_ck)); + hexprint(ndo, (caddr_t)&base.r_ck, sizeof(base.r_ck)); } ND_PRINT((ndo,":"));