X-Git-Url: https://git.tcpdump.org/tcpdump/blobdiff_plain/ee68aa36460d7efeca48747f33b7f2adc0900bfb..296d466cd6bbf2f7e75e15bb6a01268e88c76ed0:/print-isakmp.c diff --git a/print-isakmp.c b/print-isakmp.c index fd0cb6c5..e6be3c8e 100644 --- a/print-isakmp.c +++ b/print-isakmp.c @@ -32,21 +32,14 @@ /* specification: RFC 2407, RFC 2408, RFC 5996 */ -#ifdef HAVE_CONFIG_H #include -#endif - -/* The functions from print-esp.c used in this file are only defined when both - * OpenSSL and evp.h are detected. Employ the same preprocessor device here. - */ -#ifndef HAVE_OPENSSL_EVP_H -#undef HAVE_LIBCRYPTO -#endif #include "netdissect-stdinc.h" #include +#include "netdissect-ctype.h" + #include "netdissect.h" #include "addrtoname.h" #include "extract.h" @@ -120,9 +113,9 @@ struct isakmp { #define ISAKMP_FLAG_extra 0x04 /* IKEv2 */ -#define ISAKMP_FLAG_I (1 << 3) /* (I)nitiator */ -#define ISAKMP_FLAG_V (1 << 4) /* (V)ersion */ -#define ISAKMP_FLAG_R (1 << 5) /* (R)esponse */ +#define ISAKMP_FLAG_I (1 << 3) /* Initiator */ +#define ISAKMP_FLAG_V (1 << 4) /* Version */ +#define ISAKMP_FLAG_R (1 << 5) /* Response */ /* 3.2 Payload Generic Header @@ -635,8 +628,8 @@ ikev1_print(netdissect_options *ndo, #define MAXINITIATORS 20 static int ninitiator = 0; union inaddr_u { - struct in_addr in4; - struct in6_addr in6; + nd_ipv4 in4; + nd_ipv6 in6; }; static struct { cookie_t initiator; @@ -739,10 +732,10 @@ static const char *etypestr[] = { ? npfunc[(x)] : NULL) static int -iszero(const u_char *p, size_t l) +iszero(netdissect_options *ndo, const u_char *p, size_t l) { while (l != 0) { - if (*p) + if (GET_U_1(p)) return 0; p++; l--; @@ -912,11 +905,9 @@ ikev1_attrmap_print(netdissect_options *ndo, u_int totlen; uint32_t t, v; - ND_TCHECK_1(p); if (GET_U_1(p) & 0x80) totlen = 4; else { - ND_TCHECK_2(p + 2); totlen = 4 + GET_BE_U_2(p + 2); } if (ep2 < p + totlen) { @@ -924,7 +915,6 @@ ikev1_attrmap_print(netdissect_options *ndo, return ep2 + 1; } - ND_TCHECK_2(p); ND_PRINT("("); t = GET_BE_U_2(p) & 0x7fff; if (map && t < nmap && map[t].type) @@ -933,7 +923,6 @@ ikev1_attrmap_print(netdissect_options *ndo, ND_PRINT("type=#%u ", t); if (GET_U_1(p) & 0x80) { ND_PRINT("value="); - ND_TCHECK_2(p + 2); v = GET_BE_U_2(p + 2); if (map && t < nmap && v < map[t].nvalue && map[t].value[v]) ND_PRINT("%s", map[t].value[v]); @@ -963,11 +952,9 @@ ikev1_attr_print(netdissect_options *ndo, const u_char *p, const u_char *ep2) u_int totlen; uint32_t t; - ND_TCHECK_1(p); if (GET_U_1(p) & 0x80) totlen = 4; else { - ND_TCHECK_2(p + 2); totlen = 4 + GET_BE_U_2(p + 2); } if (ep2 < p + totlen) { @@ -975,7 +962,6 @@ ikev1_attr_print(netdissect_options *ndo, const u_char *p, const u_char *ep2) return ep2 + 1; } - ND_TCHECK_2(p); ND_PRINT("("); t = GET_BE_U_2(p) & 0x7fff; ND_PRINT("type=#%u ", t); @@ -1040,7 +1026,6 @@ ikev1_sa_print(netdissect_options *ndo, u_char tpay _U_, np = (const u_char *)ext + sizeof(struct ikev1_pl_sa); if (sit != 0x01) { - ND_TCHECK_4(ext + 1); ident = GET_BE_U_4(ext + 1); ND_PRINT(" ident=%u", ident); np += sizeof(ident); @@ -1390,7 +1375,7 @@ ikev1_id_print(netdissect_options *ndo, u_char tpay _U_, if (len < 4) ND_PRINT(" len=%u [bad: < 4]", len); else - ND_PRINT(" len=%u %s", len, ipaddr_string(ndo, data)); + ND_PRINT(" len=%u %s", len, GET_IPADDR_STRING(data)); len = 0; break; case IPSECDOI_ID_FQDN: @@ -1411,7 +1396,7 @@ ikev1_id_print(netdissect_options *ndo, u_char tpay _U_, else { mask = data + sizeof(nd_ipv4); ND_PRINT(" len=%u %s/%u.%u.%u.%u", len, - ipaddr_string(ndo, data), + GET_IPADDR_STRING(data), GET_U_1(mask), GET_U_1(mask + 1), GET_U_1(mask + 2), GET_U_1(mask + 3)); @@ -1423,7 +1408,7 @@ ikev1_id_print(netdissect_options *ndo, u_char tpay _U_, if (len < 16) ND_PRINT(" len=%u [bad: < 16]", len); else - ND_PRINT(" len=%u %s", len, ip6addr_string(ndo, data)); + ND_PRINT(" len=%u %s", len, GET_IP6ADDR_STRING(data)); len = 0; break; case IPSECDOI_ID_IPV6_ADDR_SUBNET: @@ -1435,7 +1420,7 @@ ikev1_id_print(netdissect_options *ndo, u_char tpay _U_, mask = (const u_char *)(data + sizeof(nd_ipv6)); /*XXX*/ ND_PRINT(" len=%u %s/0x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x", len, - ip6addr_string(ndo, data), + GET_IP6ADDR_STRING(data), GET_U_1(mask), GET_U_1(mask + 1), GET_U_1(mask + 2), GET_U_1(mask + 3), @@ -1460,8 +1445,8 @@ ikev1_id_print(netdissect_options *ndo, u_char tpay _U_, ND_PRINT(" len=%u [bad: < 8]", len); else { ND_PRINT(" len=%u %s-%s", len, - ipaddr_string(ndo, data), - ipaddr_string(ndo, data + sizeof(nd_ipv4))); + GET_IPADDR_STRING(data), + GET_IPADDR_STRING(data + sizeof(nd_ipv4))); } len = 0; break; @@ -1470,8 +1455,8 @@ ikev1_id_print(netdissect_options *ndo, u_char tpay _U_, ND_PRINT(" len=%u [bad: < 32]", len); else { ND_PRINT(" len=%u %s-%s", len, - ip6addr_string(ndo, data), - ip6addr_string(ndo, data + sizeof(nd_ipv6))); + GET_IP6ADDR_STRING(data), + GET_IP6ADDR_STRING(data + sizeof(nd_ipv6))); } len = 0; break; @@ -1834,14 +1819,16 @@ ikev1_d_print(netdissect_options *ndo, u_char tpay _U_, ND_PRINT(" spilen=%u", spi_size); num_spi = GET_BE_U_2(p->num_spi); ND_PRINT(" nspi=%u", num_spi); - ND_PRINT(" spi="); q = (const uint8_t *)(p + 1); - for (i = 0; i < num_spi; i++) { - if (i != 0) - ND_PRINT(","); - if (!rawprint(ndo, (const uint8_t *)q, spi_size)) - goto trunc; - q += spi_size; + if (spi_size) { + ND_PRINT(" spi="); + for (i = 0; i < num_spi; i++) { + if (i != 0) + ND_PRINT(","); + if (!rawprint(ndo, (const uint8_t *)q, spi_size)) + goto trunc; + q += spi_size; + } } return q; trunc: @@ -2267,7 +2254,7 @@ ikev2_ID_print(netdissect_options *ndo, u_char tpay, if(dumpascii) { ND_TCHECK_LEN(typedata, idtype_len); for(i=0; inp); - /* try to decypt it! */ - if(esp_print_decrypt_buffer_by_ikev2(ndo, + /* try to decrypt it! */ + if(esp_decrypt_buffer_by_ikev2_print(ndo, GET_U_1(base->flags) & ISAKMP_FLAG_I, base->i_ck, base->r_ck, dat, dat+dlen)) { @@ -2697,6 +2684,13 @@ ikev2_e_print(netdissect_options *ndo, /* got it decrypted, print stuff inside. */ ikev2_sub_print(ndo, base, np, ext, ndo->ndo_snapend, phase, doi, proto, depth+1); + + /* + * esp_decrypt_buffer_by_ikev2_print pushed information + * on the buffer stack; we're done with the buffer, so + * pop it (which frees the buffer) + */ + nd_pop_packet_info(ndo); } #endif @@ -2813,7 +2807,7 @@ static char * numstr(u_int x) { static char buf[20]; - nd_snprintf(buf, sizeof(buf), "#%u", x); + snprintf(buf, sizeof(buf), "#%u", x); return buf; } @@ -2840,7 +2834,7 @@ ikev1_print(netdissect_options *ndo, i = cookie_find(&base->i_ck); if (i < 0) { - if (iszero((const u_char *)&base->r_ck, sizeof(base->r_ck))) { + if (iszero(ndo, base->r_ck, sizeof(base->r_ck))) { /* the first packet */ ND_PRINT(" I"); if (bp2) @@ -3050,7 +3044,7 @@ isakmp_print(netdissect_options *ndo, /* initialize SAs */ if (ndo->ndo_sa_list_head == NULL) { if (ndo->ndo_espsecret) - esp_print_decodesecret(ndo); + esp_decodesecret_print(ndo); } #endif @@ -3099,10 +3093,9 @@ isakmp_print(netdissect_options *ndo, void isakmp_rfc3948_print(netdissect_options *ndo, const u_char *bp, u_int length, - const u_char *bp2) + const u_char *bp2, int ver, int fragmented, u_int ttl_hl) { ndo->ndo_protocol = "isakmp_rfc3948"; - ND_TCHECK_1(bp); if(length == 1 && GET_U_1(bp)==0xff) { ND_PRINT("isakmp-nat-keep-alive"); return; @@ -3111,7 +3104,6 @@ isakmp_rfc3948_print(netdissect_options *ndo, if(length < 4) { goto trunc; } - ND_TCHECK_1(bp + 3); /* * see if this is an IKE packet @@ -3124,24 +3116,19 @@ isakmp_rfc3948_print(netdissect_options *ndo, /* must be an ESP packet */ { - u_int nh, enh, padlen; - int advance; - ND_PRINT("UDP-encap: "); - advance = esp_print(ndo, bp, length, bp2, &enh, &padlen); - if(advance <= 0) - return; - - bp += advance; - length -= advance + padlen; - nh = enh & 0xff; + esp_print(ndo, bp, length, bp2, ver, fragmented, ttl_hl); - ip_inner_print(ndo, bp, length, nh, bp2); + /* + * Either this has decrypted the payload and + * printed it, in which case there's nothing more + * to do, or it hasn't, in which case there's + * nothing more to do. + */ return; } trunc: nd_print_trunc(ndo); - return; }