1 /*
2 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. Neither the name of the project nor the names of its contributors
14 * may be used to endorse or promote products derived from this software
15 * without specific prior written permission.
16 *
17 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27 * SUCH DAMAGE.
28 *
29 */
30
31 #include <sys/cdefs.h>
32 #ifndef lint
33 __RCSID("$NetBSD: print-isakmp.c,v 1.7 2014/11/20 03:05:03 christos Exp $");
34 #endif
35
36 #define NETDISSECT_REWORKED
37 #ifdef HAVE_CONFIG_H
38 #include "config.h"
39 #endif
40
41 /* The functions from print-esp.c used in this file are only defined when both
42 * OpenSSL and evp.h are detected. Employ the same preprocessor device here.
43 */
44 #ifndef HAVE_OPENSSL_EVP_H
45 #undef HAVE_LIBCRYPTO
46 #endif
47
48 #include <tcpdump-stdinc.h>
49
50 #include <string.h>
51
52 #include "interface.h"
53 #include "addrtoname.h"
54 #include "extract.h" /* must come after interface.h */
55
56 #include "ip.h"
57 #ifdef INET6
58 #include "ip6.h"
59 #endif
60
61 /* refer to RFC 2408 */
62
63 typedef u_char cookie_t[8];
64 typedef u_char msgid_t[4];
65
66 #define PORT_ISAKMP 500
67
68 /* 3.1 ISAKMP Header Format (IKEv1 and IKEv2)
69 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
70 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
71 ! Initiator !
72 ! Cookie !
73 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
74 ! Responder !
75 ! Cookie !
76 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
77 ! Next Payload ! MjVer ! MnVer ! Exchange Type ! Flags !
78 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
79 ! Message ID !
80 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
81 ! Length !
82 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
83 */
84 struct isakmp {
85 cookie_t i_ck; /* Initiator Cookie */
86 cookie_t r_ck; /* Responder Cookie */
87 uint8_t np; /* Next Payload Type */
88 uint8_t vers;
89 #define ISAKMP_VERS_MAJOR 0xf0
90 #define ISAKMP_VERS_MAJOR_SHIFT 4
91 #define ISAKMP_VERS_MINOR 0x0f
92 #define ISAKMP_VERS_MINOR_SHIFT 0
93 uint8_t etype; /* Exchange Type */
94 uint8_t flags; /* Flags */
95 msgid_t msgid;
96 uint32_t len; /* Length */
97 };
98
99 /* Next Payload Type */
100 #define ISAKMP_NPTYPE_NONE 0 /* NONE*/
101 #define ISAKMP_NPTYPE_SA 1 /* Security Association */
102 #define ISAKMP_NPTYPE_P 2 /* Proposal */
103 #define ISAKMP_NPTYPE_T 3 /* Transform */
104 #define ISAKMP_NPTYPE_KE 4 /* Key Exchange */
105 #define ISAKMP_NPTYPE_ID 5 /* Identification */
106 #define ISAKMP_NPTYPE_CERT 6 /* Certificate */
107 #define ISAKMP_NPTYPE_CR 7 /* Certificate Request */
108 #define ISAKMP_NPTYPE_HASH 8 /* Hash */
109 #define ISAKMP_NPTYPE_SIG 9 /* Signature */
110 #define ISAKMP_NPTYPE_NONCE 10 /* Nonce */
111 #define ISAKMP_NPTYPE_N 11 /* Notification */
112 #define ISAKMP_NPTYPE_D 12 /* Delete */
113 #define ISAKMP_NPTYPE_VID 13 /* Vendor ID */
114 #define ISAKMP_NPTYPE_v2E 46 /* v2 Encrypted payload */
115
116 #define IKEv1_MAJOR_VERSION 1
117 #define IKEv1_MINOR_VERSION 0
118
119 #define IKEv2_MAJOR_VERSION 2
120 #define IKEv2_MINOR_VERSION 0
121
122 /* Flags */
123 #define ISAKMP_FLAG_E 0x01 /* Encryption Bit */
124 #define ISAKMP_FLAG_C 0x02 /* Commit Bit */
125 #define ISAKMP_FLAG_extra 0x04
126
127 /* IKEv2 */
128 #define ISAKMP_FLAG_I (1 << 3) /* (I)nitiator */
129 #define ISAKMP_FLAG_V (1 << 4) /* (V)ersion */
130 #define ISAKMP_FLAG_R (1 << 5) /* (R)esponse */
131
132
133 /* 3.2 Payload Generic Header
134 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
135 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
136 ! Next Payload ! RESERVED ! Payload Length !
137 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
138 */
139 struct isakmp_gen {
140 uint8_t np; /* Next Payload */
141 uint8_t critical; /* bit 7 - critical, rest is RESERVED */
142 uint16_t len; /* Payload Length */
143 };
144
145 /* 3.3 Data Attributes
146 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
147 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
148 !A! Attribute Type ! AF=0 Attribute Length !
149 !F! ! AF=1 Attribute Value !
150 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
151 . AF=0 Attribute Value .
152 . AF=1 Not Transmitted .
153 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
154 */
155 struct isakmp_data {
156 uint16_t type; /* defined by DOI-spec, and Attribute Format */
157 uint16_t lorv; /* if f equal 1, Attribute Length */
158 /* if f equal 0, Attribute Value */
159 /* if f equal 1, Attribute Value */
160 };
161
162 /* 3.4 Security Association Payload */
163 /* MAY NOT be used, because of being defined in ipsec-doi. */
164 /*
165 If the current payload is the last in the message,
166 then the value of the next payload field will be 0.
167 This field MUST NOT contain the
168 values for the Proposal or Transform payloads as they are considered
169 part of the security association negotiation. For example, this
170 field would contain the value "10" (Nonce payload) in the first
171 message of a Base Exchange (see Section 4.4) and the value "0" in the
172 first message of an Identity Protect Exchange (see Section 4.5).
173 */
174 struct ikev1_pl_sa {
175 struct isakmp_gen h;
176 uint32_t doi; /* Domain of Interpretation */
177 uint32_t sit; /* Situation */
178 };
179
180 /* 3.5 Proposal Payload */
181 /*
182 The value of the next payload field MUST only contain the value "2"
183 or "0". If there are additional Proposal payloads in the message,
184 then this field will be 2. If the current Proposal payload is the
185 last within the security association proposal, then this field will
186 be 0.
187 */
188 struct ikev1_pl_p {
189 struct isakmp_gen h;
190 uint8_t p_no; /* Proposal # */
191 uint8_t prot_id; /* Protocol */
192 uint8_t spi_size; /* SPI Size */
193 uint8_t num_t; /* Number of Transforms */
194 /* SPI */
195 };
196
197 /* 3.6 Transform Payload */
198 /*
199 The value of the next payload field MUST only contain the value "3"
200 or "0". If there are additional Transform payloads in the proposal,
201 then this field will be 3. If the current Transform payload is the
202 last within the proposal, then this field will be 0.
203 */
204 struct ikev1_pl_t {
205 struct isakmp_gen h;
206 uint8_t t_no; /* Transform # */
207 uint8_t t_id; /* Transform-Id */
208 uint16_t reserved; /* RESERVED2 */
209 /* SA Attributes */
210 };
211
212 /* 3.7 Key Exchange Payload */
213 struct ikev1_pl_ke {
214 struct isakmp_gen h;
215 /* Key Exchange Data */
216 };
217
218 /* 3.8 Identification Payload */
219 /* MUST NOT to be used, because of being defined in ipsec-doi. */
220 struct ikev1_pl_id {
221 struct isakmp_gen h;
222 union {
223 uint8_t id_type; /* ID Type */
224 uint32_t doi_data; /* DOI Specific ID Data */
225 } d;
226 /* Identification Data */
227 };
228
229 /* 3.9 Certificate Payload */
230 struct ikev1_pl_cert {
231 struct isakmp_gen h;
232 uint8_t encode; /* Cert Encoding */
233 char cert; /* Certificate Data */
234 /*
235 This field indicates the type of
236 certificate or certificate-related information contained in the
237 Certificate Data field.
238 */
239 };
240
241 /* 3.10 Certificate Request Payload */
242 struct ikev1_pl_cr {
243 struct isakmp_gen h;
244 uint8_t num_cert; /* # Cert. Types */
245 /*
246 Certificate Types (variable length)
247 -- Contains a list of the types of certificates requested,
248 sorted in order of preference. Each individual certificate
249 type is 1 octet. This field is NOT requiredo
250 */
251 /* # Certificate Authorities (1 octet) */
252 /* Certificate Authorities (variable length) */
253 };
254
255 /* 3.11 Hash Payload */
256 /* may not be used, because of having only data. */
257 struct ikev1_pl_hash {
258 struct isakmp_gen h;
259 /* Hash Data */
260 };
261
262 /* 3.12 Signature Payload */
263 /* may not be used, because of having only data. */
264 struct ikev1_pl_sig {
265 struct isakmp_gen h;
266 /* Signature Data */
267 };
268
269 /* 3.13 Nonce Payload */
270 /* may not be used, because of having only data. */
271 struct ikev1_pl_nonce {
272 struct isakmp_gen h;
273 /* Nonce Data */
274 };
275
276 /* 3.14 Notification Payload */
277 struct ikev1_pl_n {
278 struct isakmp_gen h;
279 uint32_t doi; /* Domain of Interpretation */
280 uint8_t prot_id; /* Protocol-ID */
281 uint8_t spi_size; /* SPI Size */
282 uint16_t type; /* Notify Message Type */
283 /* SPI */
284 /* Notification Data */
285 };
286
287 /* 3.14.1 Notify Message Types */
288 /* NOTIFY MESSAGES - ERROR TYPES */
289 #define ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE 1
290 #define ISAKMP_NTYPE_DOI_NOT_SUPPORTED 2
291 #define ISAKMP_NTYPE_SITUATION_NOT_SUPPORTED 3
292 #define ISAKMP_NTYPE_INVALID_COOKIE 4
293 #define ISAKMP_NTYPE_INVALID_MAJOR_VERSION 5
294 #define ISAKMP_NTYPE_INVALID_MINOR_VERSION 6
295 #define ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE 7
296 #define ISAKMP_NTYPE_INVALID_FLAGS 8
297 #define ISAKMP_NTYPE_INVALID_MESSAGE_ID 9
298 #define ISAKMP_NTYPE_INVALID_PROTOCOL_ID 10
299 #define ISAKMP_NTYPE_INVALID_SPI 11
300 #define ISAKMP_NTYPE_INVALID_TRANSFORM_ID 12
301 #define ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED 13
302 #define ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN 14
303 #define ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX 15
304 #define ISAKMP_NTYPE_PAYLOAD_MALFORMED 16
305 #define ISAKMP_NTYPE_INVALID_KEY_INFORMATION 17
306 #define ISAKMP_NTYPE_INVALID_ID_INFORMATION 18
307 #define ISAKMP_NTYPE_INVALID_CERT_ENCODING 19
308 #define ISAKMP_NTYPE_INVALID_CERTIFICATE 20
309 #define ISAKMP_NTYPE_BAD_CERT_REQUEST_SYNTAX 21
310 #define ISAKMP_NTYPE_INVALID_CERT_AUTHORITY 22
311 #define ISAKMP_NTYPE_INVALID_HASH_INFORMATION 23
312 #define ISAKMP_NTYPE_AUTHENTICATION_FAILED 24
313 #define ISAKMP_NTYPE_INVALID_SIGNATURE 25
314 #define ISAKMP_NTYPE_ADDRESS_NOTIFICATION 26
315
316 /* 3.15 Delete Payload */
317 struct ikev1_pl_d {
318 struct isakmp_gen h;
319 uint32_t doi; /* Domain of Interpretation */
320 uint8_t prot_id; /* Protocol-Id */
321 uint8_t spi_size; /* SPI Size */
322 uint16_t num_spi; /* # of SPIs */
323 /* SPI(es) */
324 };
325
326 struct ikev1_ph1tab {
327 struct ikev1_ph1 *head;
328 struct ikev1_ph1 *tail;
329 int len;
330 };
331
332 struct isakmp_ph2tab {
333 struct ikev1_ph2 *head;
334 struct ikev1_ph2 *tail;
335 int len;
336 };
337
338 /* IKEv2 (RFC4306) */
339
340 /* 3.3 Security Association Payload -- generic header */
341 /* 3.3.1. Proposal Substructure */
342 struct ikev2_p {
343 struct isakmp_gen h;
344 uint8_t p_no; /* Proposal # */
345 uint8_t prot_id; /* Protocol */
346 uint8_t spi_size; /* SPI Size */
347 uint8_t num_t; /* Number of Transforms */
348 };
349
350 /* 3.3.2. Transform Substructure */
351 struct ikev2_t {
352 struct isakmp_gen h;
353 uint8_t t_type; /* Transform Type (ENCR,PRF,INTEG,etc.*/
354 uint8_t res2; /* reserved byte */
355 uint16_t t_id; /* Transform ID */
356 };
357
358 enum ikev2_t_type {
359 IV2_T_ENCR = 1,
360 IV2_T_PRF = 2,
361 IV2_T_INTEG= 3,
362 IV2_T_DH = 4,
363 IV2_T_ESN = 5,
364 };
365
366 /* 3.4. Key Exchange Payload */
367 struct ikev2_ke {
368 struct isakmp_gen h;
369 uint16_t ke_group;
370 uint16_t ke_res1;
371 /* KE data */
372 };
373
374
375 /* 3.5. Identification Payloads */
376 enum ikev2_id_type {
377 ID_IPV4_ADDR=1,
378 ID_FQDN=2,
379 ID_RFC822_ADDR=3,
380 ID_IPV6_ADDR=5,
381 ID_DER_ASN1_DN=9,
382 ID_DER_ASN1_GN=10,
383 ID_KEY_ID=11,
384 };
385 struct ikev2_id {
386 struct isakmp_gen h;
387 uint8_t type; /* ID type */
388 uint8_t res1;
389 uint16_t res2;
390 /* SPI */
391 /* Notification Data */
392 };
393
394 /* 3.10 Notification Payload */
395 struct ikev2_n {
396 struct isakmp_gen h;
397 uint8_t prot_id; /* Protocol-ID */
398 uint8_t spi_size; /* SPI Size */
399 uint16_t type; /* Notify Message Type */
400 };
401
402 enum ikev2_n_type {
403 IV2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD = 1,
404 IV2_NOTIFY_INVALID_IKE_SPI = 4,
405 IV2_NOTIFY_INVALID_MAJOR_VERSION = 5,
406 IV2_NOTIFY_INVALID_SYNTAX = 7,
407 IV2_NOTIFY_INVALID_MESSAGE_ID = 9,
408 IV2_NOTIFY_INVALID_SPI =11,
409 IV2_NOTIFY_NO_PROPOSAL_CHOSEN =14,
410 IV2_NOTIFY_INVALID_KE_PAYLOAD =17,
411 IV2_NOTIFY_AUTHENTICATION_FAILED =24,
412 IV2_NOTIFY_SINGLE_PAIR_REQUIRED =34,
413 IV2_NOTIFY_NO_ADDITIONAL_SAS =35,
414 IV2_NOTIFY_INTERNAL_ADDRESS_FAILURE =36,
415 IV2_NOTIFY_FAILED_CP_REQUIRED =37,
416 IV2_NOTIFY_INVALID_SELECTORS =39,
417 IV2_NOTIFY_INITIAL_CONTACT =16384,
418 IV2_NOTIFY_SET_WINDOW_SIZE =16385,
419 IV2_NOTIFY_ADDITIONAL_TS_POSSIBLE =16386,
420 IV2_NOTIFY_IPCOMP_SUPPORTED =16387,
421 IV2_NOTIFY_NAT_DETECTION_SOURCE_IP =16388,
422 IV2_NOTIFY_NAT_DETECTION_DESTINATION_IP =16389,
423 IV2_NOTIFY_COOKIE =16390,
424 IV2_NOTIFY_USE_TRANSPORT_MODE =16391,
425 IV2_NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED =16392,
426 IV2_NOTIFY_REKEY_SA =16393,
427 IV2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED =16394,
428 IV2_NOTIFY_NON_FIRST_FRAGMENTS_ALSO =16395
429 };
430
431 struct notify_messages {
432 uint16_t type;
433 char *msg;
434 };
435
436 /* 3.8 Notification Payload */
437 struct ikev2_auth {
438 struct isakmp_gen h;
439 uint8_t auth_method; /* Protocol-ID */
440 uint8_t reserved[3];
441 /* authentication data */
442 };
443
444 enum ikev2_auth_type {
445 IV2_RSA_SIG = 1,
446 IV2_SHARED = 2,
447 IV2_DSS_SIG = 3,
448 };
449
450 /* refer to RFC 2409 */
451
452 #if 0
453 /* isakmp sa structure */
454 struct oakley_sa {
455 uint8_t proto_id; /* OAKLEY */
456 vchar_t *spi; /* spi */
457 uint8_t dhgrp; /* DH; group */
458 uint8_t auth_t; /* method of authentication */
459 uint8_t prf_t; /* type of prf */
460 uint8_t hash_t; /* type of hash */
461 uint8_t enc_t; /* type of cipher */
462 uint8_t life_t; /* type of duration of lifetime */
463 uint32_t ldur; /* life duration */
464 };
465 #endif
466
467 /* refer to RFC 2407 */
468
469 #define IPSEC_DOI 1
470
471 /* 4.2 IPSEC Situation Definition */
472 #define IPSECDOI_SIT_IDENTITY_ONLY 0x00000001
473 #define IPSECDOI_SIT_SECRECY 0x00000002
474 #define IPSECDOI_SIT_INTEGRITY 0x00000004
475
476 /* 4.4.1 IPSEC Security Protocol Identifiers */
477 /* 4.4.2 IPSEC ISAKMP Transform Values */
478 #define IPSECDOI_PROTO_ISAKMP 1
479 #define IPSECDOI_KEY_IKE 1
480
481 /* 4.4.1 IPSEC Security Protocol Identifiers */
482 #define IPSECDOI_PROTO_IPSEC_AH 2
483 /* 4.4.3 IPSEC AH Transform Values */
484 #define IPSECDOI_AH_MD5 2
485 #define IPSECDOI_AH_SHA 3
486 #define IPSECDOI_AH_DES 4
487 #define IPSECDOI_AH_SHA2_256 5
488 #define IPSECDOI_AH_SHA2_384 6
489 #define IPSECDOI_AH_SHA2_512 7
490
491 /* 4.4.1 IPSEC Security Protocol Identifiers */
492 #define IPSECDOI_PROTO_IPSEC_ESP 3
493 /* 4.4.4 IPSEC ESP Transform Identifiers */
494 #define IPSECDOI_ESP_DES_IV64 1
495 #define IPSECDOI_ESP_DES 2
496 #define IPSECDOI_ESP_3DES 3
497 #define IPSECDOI_ESP_RC5 4
498 #define IPSECDOI_ESP_IDEA 5
499 #define IPSECDOI_ESP_CAST 6
500 #define IPSECDOI_ESP_BLOWFISH 7
501 #define IPSECDOI_ESP_3IDEA 8
502 #define IPSECDOI_ESP_DES_IV32 9
503 #define IPSECDOI_ESP_RC4 10
504 #define IPSECDOI_ESP_NULL 11
505 #define IPSECDOI_ESP_RIJNDAEL 12
506 #define IPSECDOI_ESP_AES 12
507
508 /* 4.4.1 IPSEC Security Protocol Identifiers */
509 #define IPSECDOI_PROTO_IPCOMP 4
510 /* 4.4.5 IPSEC IPCOMP Transform Identifiers */
511 #define IPSECDOI_IPCOMP_OUI 1
512 #define IPSECDOI_IPCOMP_DEFLATE 2
513 #define IPSECDOI_IPCOMP_LZS 3
514
515 /* 4.5 IPSEC Security Association Attributes */
516 #define IPSECDOI_ATTR_SA_LTYPE 1 /* B */
517 #define IPSECDOI_ATTR_SA_LTYPE_DEFAULT 1
518 #define IPSECDOI_ATTR_SA_LTYPE_SEC 1
519 #define IPSECDOI_ATTR_SA_LTYPE_KB 2
520 #define IPSECDOI_ATTR_SA_LDUR 2 /* V */
521 #define IPSECDOI_ATTR_SA_LDUR_DEFAULT 28800 /* 8 hours */
522 #define IPSECDOI_ATTR_GRP_DESC 3 /* B */
523 #define IPSECDOI_ATTR_ENC_MODE 4 /* B */
524 /* default value: host dependent */
525 #define IPSECDOI_ATTR_ENC_MODE_TUNNEL 1
526 #define IPSECDOI_ATTR_ENC_MODE_TRNS 2
527 #define IPSECDOI_ATTR_AUTH 5 /* B */
528 /* 0 means not to use authentication. */
529 #define IPSECDOI_ATTR_AUTH_HMAC_MD5 1
530 #define IPSECDOI_ATTR_AUTH_HMAC_SHA1 2
531 #define IPSECDOI_ATTR_AUTH_DES_MAC 3
532 #define IPSECDOI_ATTR_AUTH_KPDK 4 /*RFC-1826(Key/Pad/Data/Key)*/
533 /*
534 * When negotiating ESP without authentication, the Auth
535 * Algorithm attribute MUST NOT be included in the proposal.
536 * When negotiating ESP without confidentiality, the Auth
537 * Algorithm attribute MUST be included in the proposal and
538 * the ESP transform ID must be ESP_NULL.
539 */
540 #define IPSECDOI_ATTR_KEY_LENGTH 6 /* B */
541 #define IPSECDOI_ATTR_KEY_ROUNDS 7 /* B */
542 #define IPSECDOI_ATTR_COMP_DICT_SIZE 8 /* B */
543 #define IPSECDOI_ATTR_COMP_PRIVALG 9 /* V */
544
545 /* 4.6.1 Security Association Payload */
546 struct ipsecdoi_sa {
547 struct isakmp_gen h;
548 uint32_t doi; /* Domain of Interpretation */
549 uint32_t sit; /* Situation */
550 };
551
552 struct ipsecdoi_secrecy_h {
553 uint16_t len;
554 uint16_t reserved;
555 };
556
557 /* 4.6.2.1 Identification Type Values */
558 struct ipsecdoi_id {
559 struct isakmp_gen h;
560 uint8_t type; /* ID Type */
561 uint8_t proto_id; /* Protocol ID */
562 uint16_t port; /* Port */
563 /* Identification Data */
564 };
565
566 #define IPSECDOI_ID_IPV4_ADDR 1
567 #define IPSECDOI_ID_FQDN 2
568 #define IPSECDOI_ID_USER_FQDN 3
569 #define IPSECDOI_ID_IPV4_ADDR_SUBNET 4
570 #define IPSECDOI_ID_IPV6_ADDR 5
571 #define IPSECDOI_ID_IPV6_ADDR_SUBNET 6
572 #define IPSECDOI_ID_IPV4_ADDR_RANGE 7
573 #define IPSECDOI_ID_IPV6_ADDR_RANGE 8
574 #define IPSECDOI_ID_DER_ASN1_DN 9
575 #define IPSECDOI_ID_DER_ASN1_GN 10
576 #define IPSECDOI_ID_KEY_ID 11
577
578 /* 4.6.3 IPSEC DOI Notify Message Types */
579 /* Notify Messages - Status Types */
580 #define IPSECDOI_NTYPE_RESPONDER_LIFETIME 24576
581 #define IPSECDOI_NTYPE_REPLAY_STATUS 24577
582 #define IPSECDOI_NTYPE_INITIAL_CONTACT 24578
583
584 #define DECLARE_PRINTER(func) static const u_char *ike##func##_print( \
585 netdissect_options *ndo, u_char tpay, \
586 const struct isakmp_gen *ext, \
587 u_int item_len, \
588 const u_char *end_pointer, \
589 uint32_t phase,\
590 uint32_t doi0, \
591 uint32_t proto0, int depth)
592
593 DECLARE_PRINTER(v1_sa);
594 DECLARE_PRINTER(v1_p);
595 DECLARE_PRINTER(v1_t);
596 DECLARE_PRINTER(v1_ke);
597 DECLARE_PRINTER(v1_id);
598 DECLARE_PRINTER(v1_cert);
599 DECLARE_PRINTER(v1_cr);
600 DECLARE_PRINTER(v1_sig);
601 DECLARE_PRINTER(v1_hash);
602 DECLARE_PRINTER(v1_nonce);
603 DECLARE_PRINTER(v1_n);
604 DECLARE_PRINTER(v1_d);
605 DECLARE_PRINTER(v1_vid);
606
607 DECLARE_PRINTER(v2_sa);
608 DECLARE_PRINTER(v2_ke);
609 DECLARE_PRINTER(v2_ID);
610 DECLARE_PRINTER(v2_cert);
611 DECLARE_PRINTER(v2_cr);
612 DECLARE_PRINTER(v2_auth);
613 DECLARE_PRINTER(v2_nonce);
614 DECLARE_PRINTER(v2_n);
615 DECLARE_PRINTER(v2_d);
616 DECLARE_PRINTER(v2_vid);
617 DECLARE_PRINTER(v2_TS);
618 DECLARE_PRINTER(v2_cp);
619 DECLARE_PRINTER(v2_eap);
620
621 static const u_char *ikev2_e_print(netdissect_options *ndo,
622 struct isakmp *base,
623 u_char tpay,
624 const struct isakmp_gen *ext,
625 u_int item_len,
626 const u_char *end_pointer,
627 uint32_t phase,
628 uint32_t doi0,
629 uint32_t proto0, int depth);
630
631
632 static const u_char *ike_sub0_print(netdissect_options *ndo,u_char, const struct isakmp_gen *,
633 const u_char *, uint32_t, uint32_t, uint32_t, int);
634 static const u_char *ikev1_sub_print(netdissect_options *ndo,u_char, const struct isakmp_gen *,
635 const u_char *, uint32_t, uint32_t, uint32_t, int);
636
637 static const u_char *ikev2_sub_print(netdissect_options *ndo,
638 struct isakmp *base,
639 u_char np, const struct isakmp_gen *ext,
640 const u_char *ep, uint32_t phase,
641 uint32_t doi, uint32_t proto,
642 int depth);
643
644
645 static char *numstr(int);
646
647 static void
648 ikev1_print(netdissect_options *ndo,
649 const u_char *bp, u_int length,
650 const u_char *bp2, struct isakmp *base);
651
652 #define MAXINITIATORS 20
653 int ninitiator = 0;
654 union inaddr_u {
655 struct in_addr in4;
656 #ifdef INET6
657 struct in6_addr in6;
658 #endif
659 };
660 struct {
661 cookie_t initiator;
662 u_int version;
663 union inaddr_u iaddr;
664 union inaddr_u raddr;
665 } cookiecache[MAXINITIATORS];
666
667 /* protocol id */
668 static const char *protoidstr[] = {
669 NULL, "isakmp", "ipsec-ah", "ipsec-esp", "ipcomp",
670 };
671
672 /* isakmp->np */
673 static const char *npstr[] = {
674 "none", "sa", "p", "t", "ke", "id", "cert", "cr", "hash", /* 0 - 8 */
675 "sig", "nonce", "n", "d", "vid", /* 9 - 13 */
676 "pay14", "pay15", "pay16", "pay17", "pay18", /* 14- 18 */
677 "pay19", "pay20", "pay21", "pay22", "pay23", /* 19- 23 */
678 "pay24", "pay25", "pay26", "pay27", "pay28", /* 24- 28 */
679 "pay29", "pay30", "pay31", "pay32", /* 29- 32 */
680 "v2sa", "v2ke", "v2IDi", "v2IDr", "v2cert",/* 33- 37 */
681 "v2cr", "v2auth","v2nonce", "v2n", "v2d", /* 38- 42 */
682 "v2vid", "v2TSi", "v2TSr", "v2e", "v2cp", /* 43- 47 */
683 "v2eap", /* 48 */
684
685 };
686
687 /* isakmp->np */
688 static const u_char *(*npfunc[])(netdissect_options *ndo, u_char tpay,
689 const struct isakmp_gen *ext,
690 u_int item_len,
691 const u_char *end_pointer,
692 uint32_t phase,
693 uint32_t doi0,
694 uint32_t proto0, int depth) = {
695 NULL,
696 ikev1_sa_print,
697 ikev1_p_print,
698 ikev1_t_print,
699 ikev1_ke_print,
700 ikev1_id_print,
701 ikev1_cert_print,
702 ikev1_cr_print,
703 ikev1_hash_print,
704 ikev1_sig_print,
705 ikev1_nonce_print,
706 ikev1_n_print,
707 ikev1_d_print,
708 ikev1_vid_print, /* 13 */
709 NULL, NULL, NULL, NULL, NULL, /* 14- 18 */
710 NULL, NULL, NULL, NULL, NULL, /* 19- 23 */
711 NULL, NULL, NULL, NULL, NULL, /* 24- 28 */
712 NULL, NULL, NULL, NULL, /* 29- 32 */
713 ikev2_sa_print, /* 33 */
714 ikev2_ke_print, /* 34 */
715 ikev2_ID_print, /* 35 */
716 ikev2_ID_print, /* 36 */
717 ikev2_cert_print, /* 37 */
718 ikev2_cr_print, /* 38 */
719 ikev2_auth_print, /* 39 */
720 ikev2_nonce_print, /* 40 */
721 ikev2_n_print, /* 41 */
722 ikev2_d_print, /* 42 */
723 ikev2_vid_print, /* 43 */
724 ikev2_TS_print, /* 44 */
725 ikev2_TS_print, /* 45 */
726 NULL, /* ikev2_e_print,*/ /* 46 - special */
727 ikev2_cp_print, /* 47 */
728 ikev2_eap_print, /* 48 */
729 };
730
731 /* isakmp->etype */
732 static const char *etypestr[] = {
733 /* IKEv1 exchange types */
734 "none", "base", "ident", "auth", "agg", "inf", NULL, NULL, /* 0-7 */
735 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 8-15 */
736 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 16-23 */
737 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 24-31 */
738 "oakley-quick", "oakley-newgroup", /* 32-33 */
739 /* IKEv2 exchange types */
740 "ikev2_init", "ikev2_auth", "child_sa", "inf2" /* 34-37 */
741 };
742
743 #define STR_OR_ID(x, tab) \
744 (((x) < sizeof(tab)/sizeof(tab[0]) && tab[(x)]) ? tab[(x)] : numstr(x))
745 #define PROTOIDSTR(x) STR_OR_ID(x, protoidstr)
746 #define NPSTR(x) STR_OR_ID(x, npstr)
747 #define ETYPESTR(x) STR_OR_ID(x, etypestr)
748
749 #define CHECKLEN(p, np) \
750 if (ep < (u_char *)(p)) { \
751 ND_PRINT((ndo," [|%s]", NPSTR(np))); \
752 goto done; \
753 }
754
755
756 #define NPFUNC(x) \
757 (((x) < sizeof(npfunc)/sizeof(npfunc[0]) && npfunc[(x)]) \
758 ? npfunc[(x)] : NULL)
759
760 static int
iszero(u_char * p,size_t l)761 iszero(u_char *p, size_t l)
762 {
763 while (l--) {
764 if (*p++)
765 return 0;
766 }
767 return 1;
768 }
769
770 /* find cookie from initiator cache */
771 static int
cookie_find(cookie_t * in)772 cookie_find(cookie_t *in)
773 {
774 int i;
775
776 for (i = 0; i < MAXINITIATORS; i++) {
777 if (memcmp(in, &cookiecache[i].initiator, sizeof(*in)) == 0)
778 return i;
779 }
780
781 return -1;
782 }
783
784 /* record initiator */
785 static void
cookie_record(cookie_t * in,const u_char * bp2)786 cookie_record(cookie_t *in, const u_char *bp2)
787 {
788 int i;
789 struct ip *ip;
790 #ifdef INET6
791 struct ip6_hdr *ip6;
792 #endif
793
794 i = cookie_find(in);
795 if (0 <= i) {
796 ninitiator = (i + 1) % MAXINITIATORS;
797 return;
798 }
799
800 ip = (struct ip *)bp2;
801 switch (IP_V(ip)) {
802 case 4:
803 cookiecache[ninitiator].version = 4;
804 UNALIGNED_MEMCPY(&cookiecache[ninitiator].iaddr.in4, &ip->ip_src, sizeof(struct in_addr));
805 UNALIGNED_MEMCPY(&cookiecache[ninitiator].raddr.in4, &ip->ip_dst, sizeof(struct in_addr));
806 break;
807 #ifdef INET6
808 case 6:
809 ip6 = (struct ip6_hdr *)bp2;
810 cookiecache[ninitiator].version = 6;
811 UNALIGNED_MEMCPY(&cookiecache[ninitiator].iaddr.in6, &ip6->ip6_src, sizeof(struct in6_addr));
812 UNALIGNED_MEMCPY(&cookiecache[ninitiator].raddr.in6, &ip6->ip6_dst, sizeof(struct in6_addr));
813 break;
814 #endif
815 default:
816 return;
817 }
818 UNALIGNED_MEMCPY(&cookiecache[ninitiator].initiator, in, sizeof(*in));
819 ninitiator = (ninitiator + 1) % MAXINITIATORS;
820 }
821
822 #define cookie_isinitiator(x, y) cookie_sidecheck((x), (y), 1)
823 #define cookie_isresponder(x, y) cookie_sidecheck((x), (y), 0)
824 static int
cookie_sidecheck(int i,const u_char * bp2,int initiator)825 cookie_sidecheck(int i, const u_char *bp2, int initiator)
826 {
827 struct ip *ip;
828 #ifdef INET6
829 struct ip6_hdr *ip6;
830 #endif
831
832 ip = (struct ip *)bp2;
833 switch (IP_V(ip)) {
834 case 4:
835 if (cookiecache[i].version != 4)
836 return 0;
837 if (initiator) {
838 if (UNALIGNED_MEMCMP(&ip->ip_src, &cookiecache[i].iaddr.in4, sizeof(struct in_addr)) == 0)
839 return 1;
840 } else {
841 if (UNALIGNED_MEMCMP(&ip->ip_src, &cookiecache[i].raddr.in4, sizeof(struct in_addr)) == 0)
842 return 1;
843 }
844 break;
845 #ifdef INET6
846 case 6:
847 if (cookiecache[i].version != 6)
848 return 0;
849 ip6 = (struct ip6_hdr *)bp2;
850 if (initiator) {
851 if (UNALIGNED_MEMCMP(&ip6->ip6_src, &cookiecache[i].iaddr.in6, sizeof(struct in6_addr)) == 0)
852 return 1;
853 } else {
854 if (UNALIGNED_MEMCMP(&ip6->ip6_src, &cookiecache[i].raddr.in6, sizeof(struct in6_addr)) == 0)
855 return 1;
856 }
857 break;
858 #endif /* INET6 */
859 default:
860 break;
861 }
862
863 return 0;
864 }
865
866 static void
hexprint(netdissect_options * ndo,caddr_t loc,size_t len)867 hexprint(netdissect_options *ndo, caddr_t loc, size_t len)
868 {
869 u_char *p;
870 size_t i;
871
872 p = (u_char *)loc;
873 for (i = 0; i < len; i++)
874 ND_PRINT((ndo,"%02x", p[i] & 0xff));
875 }
876
877 static int
rawprint(netdissect_options * ndo,caddr_t loc,size_t len)878 rawprint(netdissect_options *ndo, caddr_t loc, size_t len)
879 {
880 ND_TCHECK2(*loc, len);
881
882 hexprint(ndo, loc, len);
883 return 1;
884 trunc:
885 return 0;
886 }
887
888
889 /*
890 * returns false if we run out of data buffer
891 */
ike_show_somedata(netdissect_options * ndo,const u_char * cp,const u_char * ep)892 static int ike_show_somedata(netdissect_options *ndo,
893 const u_char *cp, const u_char *ep)
894 {
895 /* there is too much data, just show some of it */
896 const u_char *end = ep - 20;
897 int elen = 20;
898 int len = ep - cp;
899 if(len > 10) {
900 len = 10;
901 }
902
903 /* really shouldn't happen because of above */
904 if(end < cp + len) {
905 end = cp+len;
906 elen = ep - end;
907 }
908
909 ND_PRINT((ndo," data=("));
910 if(!rawprint(ndo, (caddr_t)(cp), len)) goto trunc;
911 ND_PRINT((ndo, "..."));
912 if(elen) {
913 if(!rawprint(ndo, (caddr_t)(end), elen)) goto trunc;
914 }
915 ND_PRINT((ndo,")"));
916 return 1;
917
918 trunc:
919 return 0;
920 }
921
922 struct attrmap {
923 const char *type;
924 u_int nvalue;
925 const char *value[30]; /*XXX*/
926 };
927
928 static const u_char *
ikev1_attrmap_print(netdissect_options * ndo,const u_char * p,const u_char * ep,const struct attrmap * map,size_t nmap)929 ikev1_attrmap_print(netdissect_options *ndo,
930 const u_char *p, const u_char *ep,
931 const struct attrmap *map, size_t nmap)
932 {
933 int totlen;
934 uint32_t t, v;
935
936 if (p[0] & 0x80)
937 totlen = 4;
938 else
939 totlen = 4 + EXTRACT_16BITS(&p[2]);
940 if (ep < p + totlen) {
941 ND_PRINT((ndo,"[|attr]"));
942 return ep + 1;
943 }
944
945 ND_PRINT((ndo,"("));
946 t = EXTRACT_16BITS(&p[0]) & 0x7fff;
947 if (map && t < nmap && map[t].type)
948 ND_PRINT((ndo,"type=%s ", map[t].type));
949 else
950 ND_PRINT((ndo,"type=#%d ", t));
951 if (p[0] & 0x80) {
952 ND_PRINT((ndo,"value="));
953 v = EXTRACT_16BITS(&p[2]);
954 if (map && t < nmap && v < map[t].nvalue && map[t].value[v])
955 ND_PRINT((ndo,"%s", map[t].value[v]));
956 else
957 rawprint(ndo, (caddr_t)&p[2], 2);
958 } else {
959 ND_PRINT((ndo,"len=%d value=", EXTRACT_16BITS(&p[2])));
960 rawprint(ndo, (caddr_t)&p[4], EXTRACT_16BITS(&p[2]));
961 }
962 ND_PRINT((ndo,")"));
963 return p + totlen;
964 }
965
966 static const u_char *
ikev1_attr_print(netdissect_options * ndo,const u_char * p,const u_char * ep)967 ikev1_attr_print(netdissect_options *ndo, const u_char *p, const u_char *ep)
968 {
969 int totlen;
970 uint32_t t;
971
972 if (p[0] & 0x80)
973 totlen = 4;
974 else
975 totlen = 4 + EXTRACT_16BITS(&p[2]);
976 if (ep < p + totlen) {
977 ND_PRINT((ndo,"[|attr]"));
978 return ep + 1;
979 }
980
981 ND_PRINT((ndo,"("));
982 t = EXTRACT_16BITS(&p[0]) & 0x7fff;
983 ND_PRINT((ndo,"type=#%d ", t));
984 if (p[0] & 0x80) {
985 ND_PRINT((ndo,"value="));
986 t = p[2];
987 rawprint(ndo, (caddr_t)&p[2], 2);
988 } else {
989 ND_PRINT((ndo,"len=%d value=", EXTRACT_16BITS(&p[2])));
990 rawprint(ndo, (caddr_t)&p[4], EXTRACT_16BITS(&p[2]));
991 }
992 ND_PRINT((ndo,")"));
993 return p + totlen;
994 }
995
996 static const u_char *
ikev1_sa_print(netdissect_options * ndo,u_char tpay _U_,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep,uint32_t phase,uint32_t doi0 _U_,uint32_t proto0,int depth)997 ikev1_sa_print(netdissect_options *ndo, u_char tpay _U_,
998 const struct isakmp_gen *ext,
999 u_int item_len _U_,
1000 const u_char *ep, uint32_t phase, uint32_t doi0 _U_,
1001 uint32_t proto0, int depth)
1002 {
1003 const struct ikev1_pl_sa *p;
1004 struct ikev1_pl_sa sa;
1005 uint32_t doi, sit, ident;
1006 const u_char *cp, *np;
1007 int t;
1008
1009 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_SA)));
1010
1011 p = (struct ikev1_pl_sa *)ext;
1012 ND_TCHECK(*p);
1013 UNALIGNED_MEMCPY(&sa, ext, sizeof(sa));
1014 doi = ntohl(sa.doi);
1015 sit = ntohl(sa.sit);
1016 if (doi != 1) {
1017 ND_PRINT((ndo," doi=%d", doi));
1018 ND_PRINT((ndo," situation=%u", (uint32_t)ntohl(sa.sit)));
1019 return (u_char *)(p + 1);
1020 }
1021
1022 ND_PRINT((ndo," doi=ipsec"));
1023 ND_PRINT((ndo," situation="));
1024 t = 0;
1025 if (sit & 0x01) {
1026 ND_PRINT((ndo,"identity"));
1027 t++;
1028 }
1029 if (sit & 0x02) {
1030 ND_PRINT((ndo,"%ssecrecy", t ? "+" : ""));
1031 t++;
1032 }
1033 if (sit & 0x04)
1034 ND_PRINT((ndo,"%sintegrity", t ? "+" : ""));
1035
1036 np = (u_char *)ext + sizeof(sa);
1037 if (sit != 0x01) {
1038 ND_TCHECK2(*(ext + 1), sizeof(ident));
1039 UNALIGNED_MEMCPY(&ident, ext + 1, sizeof(ident));
1040 ND_PRINT((ndo," ident=%u", (uint32_t)ntohl(ident)));
1041 np += sizeof(ident);
1042 }
1043
1044 ext = (struct isakmp_gen *)np;
1045 ND_TCHECK(*ext);
1046
1047 cp = ikev1_sub_print(ndo, ISAKMP_NPTYPE_P, ext, ep, phase, doi, proto0,
1048 depth);
1049
1050 return cp;
1051 trunc:
1052 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_SA)));
1053 return NULL;
1054 }
1055
1056 static const u_char *
ikev1_p_print(netdissect_options * ndo,u_char tpay _U_,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep,uint32_t phase,uint32_t doi0,uint32_t proto0 _U_,int depth)1057 ikev1_p_print(netdissect_options *ndo, u_char tpay _U_,
1058 const struct isakmp_gen *ext, u_int item_len _U_,
1059 const u_char *ep, uint32_t phase, uint32_t doi0,
1060 uint32_t proto0 _U_, int depth)
1061 {
1062 const struct ikev1_pl_p *p;
1063 struct ikev1_pl_p prop;
1064 const u_char *cp;
1065
1066 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_P)));
1067
1068 p = (struct ikev1_pl_p *)ext;
1069 ND_TCHECK(*p);
1070 UNALIGNED_MEMCPY(&prop, ext, sizeof(prop));
1071 ND_PRINT((ndo," #%d protoid=%s transform=%d",
1072 prop.p_no, PROTOIDSTR(prop.prot_id), prop.num_t));
1073 if (prop.spi_size) {
1074 ND_PRINT((ndo," spi="));
1075 if (!rawprint(ndo, (caddr_t)(p + 1), prop.spi_size))
1076 goto trunc;
1077 }
1078
1079 ext = (struct isakmp_gen *)((u_char *)(p + 1) + prop.spi_size);
1080 ND_TCHECK(*ext);
1081
1082 cp = ikev1_sub_print(ndo, ISAKMP_NPTYPE_T, ext, ep, phase, doi0,
1083 prop.prot_id, depth);
1084
1085 return cp;
1086 trunc:
1087 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_P)));
1088 return NULL;
1089 }
1090
1091 static const char *ikev1_p_map[] = {
1092 NULL, "ike",
1093 };
1094
1095 static const char *ikev2_t_type_map[]={
1096 NULL, "encr", "prf", "integ", "dh", "esn"
1097 };
1098
1099 static const char *ah_p_map[] = {
1100 NULL, "(reserved)", "md5", "sha", "1des",
1101 "sha2-256", "sha2-384", "sha2-512",
1102 };
1103
1104 static const char *prf_p_map[] = {
1105 NULL, "hmac-md5", "hmac-sha", "hmac-tiger",
1106 "aes128_xcbc"
1107 };
1108
1109 static const char *integ_p_map[] = {
1110 NULL, "hmac-md5", "hmac-sha", "dec-mac",
1111 "kpdk-md5", "aes-xcbc"
1112 };
1113
1114 static const char *esn_p_map[] = {
1115 "no-esn", "esn"
1116 };
1117
1118 static const char *dh_p_map[] = {
1119 NULL, "modp768",
1120 "modp1024", /* group 2 */
1121 "EC2N 2^155", /* group 3 */
1122 "EC2N 2^185", /* group 4 */
1123 "modp1536", /* group 5 */
1124 "iana-grp06", "iana-grp07", /* reserved */
1125 "iana-grp08", "iana-grp09",
1126 "iana-grp10", "iana-grp11",
1127 "iana-grp12", "iana-grp13",
1128 "modp2048", /* group 14 */
1129 "modp3072", /* group 15 */
1130 "modp4096", /* group 16 */
1131 "modp6144", /* group 17 */
1132 "modp8192", /* group 18 */
1133 };
1134
1135 static const char *esp_p_map[] = {
1136 NULL, "1des-iv64", "1des", "3des", "rc5", "idea", "cast",
1137 "blowfish", "3idea", "1des-iv32", "rc4", "null", "aes"
1138 };
1139
1140 static const char *ipcomp_p_map[] = {
1141 NULL, "oui", "deflate", "lzs",
1142 };
1143
1144 static const struct attrmap ipsec_t_map[] = {
1145 { NULL, 0, { NULL } },
1146 { "lifetype", 3, { NULL, "sec", "kb", }, },
1147 { "life", 0, { NULL } },
1148 { "group desc", 18, { NULL, "modp768",
1149 "modp1024", /* group 2 */
1150 "EC2N 2^155", /* group 3 */
1151 "EC2N 2^185", /* group 4 */
1152 "modp1536", /* group 5 */
1153 "iana-grp06", "iana-grp07", /* reserved */
1154 "iana-grp08", "iana-grp09",
1155 "iana-grp10", "iana-grp11",
1156 "iana-grp12", "iana-grp13",
1157 "modp2048", /* group 14 */
1158 "modp3072", /* group 15 */
1159 "modp4096", /* group 16 */
1160 "modp6144", /* group 17 */
1161 "modp8192", /* group 18 */
1162 }, },
1163 { "enc mode", 3, { NULL, "tunnel", "transport", }, },
1164 { "auth", 5, { NULL, "hmac-md5", "hmac-sha1", "1des-mac", "keyed", }, },
1165 { "keylen", 0, { NULL } },
1166 { "rounds", 0, { NULL } },
1167 { "dictsize", 0, { NULL } },
1168 { "privalg", 0, { NULL } },
1169 };
1170
1171 static const struct attrmap encr_t_map[] = {
1172 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 0, 1 */
1173 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 2, 3 */
1174 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 4, 5 */
1175 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 6, 7 */
1176 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 8, 9 */
1177 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 10,11*/
1178 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 12,13*/
1179 { "keylen", 14, { NULL }},
1180 };
1181
1182 static const struct attrmap oakley_t_map[] = {
1183 { NULL, 0, { NULL } },
1184 { "enc", 8, { NULL, "1des", "idea", "blowfish", "rc5",
1185 "3des", "cast", "aes", }, },
1186 { "hash", 7, { NULL, "md5", "sha1", "tiger",
1187 "sha2-256", "sha2-384", "sha2-512", }, },
1188 { "auth", 6, { NULL, "preshared", "dss", "rsa sig", "rsa enc",
1189 "rsa enc revised", }, },
1190 { "group desc", 18, { NULL, "modp768",
1191 "modp1024", /* group 2 */
1192 "EC2N 2^155", /* group 3 */
1193 "EC2N 2^185", /* group 4 */
1194 "modp1536", /* group 5 */
1195 "iana-grp06", "iana-grp07", /* reserved */
1196 "iana-grp08", "iana-grp09",
1197 "iana-grp10", "iana-grp11",
1198 "iana-grp12", "iana-grp13",
1199 "modp2048", /* group 14 */
1200 "modp3072", /* group 15 */
1201 "modp4096", /* group 16 */
1202 "modp6144", /* group 17 */
1203 "modp8192", /* group 18 */
1204 }, },
1205 { "group type", 4, { NULL, "MODP", "ECP", "EC2N", }, },
1206 { "group prime", 0, { NULL } },
1207 { "group gen1", 0, { NULL } },
1208 { "group gen2", 0, { NULL } },
1209 { "group curve A", 0, { NULL } },
1210 { "group curve B", 0, { NULL } },
1211 { "lifetype", 3, { NULL, "sec", "kb", }, },
1212 { "lifeduration", 0, { NULL } },
1213 { "prf", 0, { NULL } },
1214 { "keylen", 0, { NULL } },
1215 { "field", 0, { NULL } },
1216 { "order", 0, { NULL } },
1217 };
1218
1219 static const u_char *
ikev1_t_print(netdissect_options * ndo,u_char tpay _U_,const struct isakmp_gen * ext,u_int item_len,const u_char * ep,uint32_t phase _U_,uint32_t doi _U_,uint32_t proto,int depth _U_)1220 ikev1_t_print(netdissect_options *ndo, u_char tpay _U_,
1221 const struct isakmp_gen *ext, u_int item_len,
1222 const u_char *ep, uint32_t phase _U_, uint32_t doi _U_,
1223 uint32_t proto, int depth _U_)
1224 {
1225 const struct ikev1_pl_t *p;
1226 struct ikev1_pl_t t;
1227 const u_char *cp;
1228 const char *idstr;
1229 const struct attrmap *map;
1230 size_t nmap;
1231 const u_char *ep2;
1232
1233 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_T)));
1234
1235 p = (struct ikev1_pl_t *)ext;
1236 ND_TCHECK(*p);
1237 UNALIGNED_MEMCPY(&t, ext, sizeof(t));
1238
1239 switch (proto) {
1240 case 1:
1241 idstr = STR_OR_ID(t.t_id, ikev1_p_map);
1242 map = oakley_t_map;
1243 nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]);
1244 break;
1245 case 2:
1246 idstr = STR_OR_ID(t.t_id, ah_p_map);
1247 map = ipsec_t_map;
1248 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
1249 break;
1250 case 3:
1251 idstr = STR_OR_ID(t.t_id, esp_p_map);
1252 map = ipsec_t_map;
1253 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
1254 break;
1255 case 4:
1256 idstr = STR_OR_ID(t.t_id, ipcomp_p_map);
1257 map = ipsec_t_map;
1258 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
1259 break;
1260 default:
1261 idstr = NULL;
1262 map = NULL;
1263 nmap = 0;
1264 break;
1265 }
1266
1267 if (idstr)
1268 ND_PRINT((ndo," #%d id=%s ", t.t_no, idstr));
1269 else
1270 ND_PRINT((ndo," #%d id=%d ", t.t_no, t.t_id));
1271 cp = (u_char *)(p + 1);
1272 ep2 = (u_char *)p + item_len;
1273 while (cp < ep && cp < ep2) {
1274 if (map && nmap) {
1275 cp = ikev1_attrmap_print(ndo, cp, (ep < ep2) ? ep : ep2,
1276 map, nmap);
1277 } else
1278 cp = ikev1_attr_print(ndo, cp, (ep < ep2) ? ep : ep2);
1279 }
1280 if (ep < ep2)
1281 ND_PRINT((ndo,"..."));
1282 return cp;
1283 trunc:
1284 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_T)));
1285 return NULL;
1286 }
1287
1288 static const u_char *
ikev1_ke_print(netdissect_options * ndo,u_char tpay _U_,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep _U_,uint32_t phase _U_,uint32_t doi _U_,uint32_t proto _U_,int depth _U_)1289 ikev1_ke_print(netdissect_options *ndo, u_char tpay _U_,
1290 const struct isakmp_gen *ext, u_int item_len _U_,
1291 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_,
1292 uint32_t proto _U_, int depth _U_)
1293 {
1294 struct isakmp_gen e;
1295
1296 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_KE)));
1297
1298 ND_TCHECK(*ext);
1299 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1300 ND_PRINT((ndo," key len=%d", ntohs(e.len) - 4));
1301 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1302 ND_PRINT((ndo," "));
1303 if (!rawprint(ndo, (caddr_t)(ext + 1), ntohs(e.len) - 4))
1304 goto trunc;
1305 }
1306 return (u_char *)ext + ntohs(e.len);
1307 trunc:
1308 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_KE)));
1309 return NULL;
1310 }
1311
1312 static const u_char *
ikev1_id_print(netdissect_options * ndo,u_char tpay _U_,const struct isakmp_gen * ext,u_int item_len,const u_char * ep _U_,uint32_t phase,uint32_t doi _U_,uint32_t proto _U_,int depth _U_)1313 ikev1_id_print(netdissect_options *ndo, u_char tpay _U_,
1314 const struct isakmp_gen *ext, u_int item_len,
1315 const u_char *ep _U_, uint32_t phase, uint32_t doi _U_,
1316 uint32_t proto _U_, int depth _U_)
1317 {
1318 #define USE_IPSECDOI_IN_PHASE1 1
1319 const struct ikev1_pl_id *p;
1320 struct ikev1_pl_id id;
1321 static const char *idtypestr[] = {
1322 "IPv4", "IPv4net", "IPv6", "IPv6net",
1323 };
1324 static const char *ipsecidtypestr[] = {
1325 NULL, "IPv4", "FQDN", "user FQDN", "IPv4net", "IPv6",
1326 "IPv6net", "IPv4range", "IPv6range", "ASN1 DN", "ASN1 GN",
1327 "keyid",
1328 };
1329 int len;
1330 const u_char *data;
1331
1332 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_ID)));
1333
1334 p = (struct ikev1_pl_id *)ext;
1335 ND_TCHECK(*p);
1336 UNALIGNED_MEMCPY(&id, ext, sizeof(id));
1337 if (sizeof(*p) < item_len) {
1338 data = (u_char *)(p + 1);
1339 len = item_len - sizeof(*p);
1340 } else {
1341 data = NULL;
1342 len = 0;
1343 }
1344
1345 #if 0 /*debug*/
1346 ND_PRINT((ndo," [phase=%d doi=%d proto=%d]", phase, doi, proto));
1347 #endif
1348 switch (phase) {
1349 #ifndef USE_IPSECDOI_IN_PHASE1
1350 case 1:
1351 #endif
1352 default:
1353 ND_PRINT((ndo," idtype=%s", STR_OR_ID(id.d.id_type, idtypestr)));
1354 ND_PRINT((ndo," doi_data=%u",
1355 (uint32_t)(ntohl(id.d.doi_data) & 0xffffff)));
1356 break;
1357
1358 #ifdef USE_IPSECDOI_IN_PHASE1
1359 case 1:
1360 #endif
1361 case 2:
1362 {
1363 const struct ipsecdoi_id *p;
1364 struct ipsecdoi_id id;
1365 struct protoent *pe;
1366
1367 p = (struct ipsecdoi_id *)ext;
1368 ND_TCHECK(*p);
1369 UNALIGNED_MEMCPY(&id, ext, sizeof(id));
1370 ND_PRINT((ndo," idtype=%s", STR_OR_ID(id.type, ipsecidtypestr)));
1371 /* A protocol ID of 0 DOES NOT mean IPPROTO_IP! */
1372 pe = id.proto_id ? getprotobynumber(id.proto_id) : NULL;
1373 if (pe)
1374 ND_PRINT((ndo," protoid=%s", pe->p_name));
1375 else
1376 ND_PRINT((ndo," protoid=%u", id.proto_id));
1377 ND_PRINT((ndo," port=%d", ntohs(id.port)));
1378 if (!len)
1379 break;
1380 if (data == NULL)
1381 goto trunc;
1382 ND_TCHECK2(*data, len);
1383 switch (id.type) {
1384 case IPSECDOI_ID_IPV4_ADDR:
1385 if (len < 4)
1386 ND_PRINT((ndo," len=%d [bad: < 4]", len));
1387 else
1388 ND_PRINT((ndo," len=%d %s", len, ipaddr_string(ndo, data)));
1389 len = 0;
1390 break;
1391 case IPSECDOI_ID_FQDN:
1392 case IPSECDOI_ID_USER_FQDN:
1393 {
1394 int i;
1395 ND_PRINT((ndo," len=%d ", len));
1396 for (i = 0; i < len; i++)
1397 safeputchar(ndo, data[i]);
1398 len = 0;
1399 break;
1400 }
1401 case IPSECDOI_ID_IPV4_ADDR_SUBNET:
1402 {
1403 const u_char *mask;
1404 if (len < 8)
1405 ND_PRINT((ndo," len=%d [bad: < 8]", len));
1406 else {
1407 mask = data + sizeof(struct in_addr);
1408 ND_PRINT((ndo," len=%d %s/%u.%u.%u.%u", len,
1409 ipaddr_string(ndo, data),
1410 mask[0], mask[1], mask[2], mask[3]));
1411 }
1412 len = 0;
1413 break;
1414 }
1415 #ifdef INET6
1416 case IPSECDOI_ID_IPV6_ADDR:
1417 if (len < 16)
1418 ND_PRINT((ndo," len=%d [bad: < 16]", len));
1419 else
1420 ND_PRINT((ndo," len=%d %s", len, ip6addr_string(ndo, data)));
1421 len = 0;
1422 break;
1423 case IPSECDOI_ID_IPV6_ADDR_SUBNET:
1424 {
1425 const u_char *mask;
1426 if (len < 20)
1427 ND_PRINT((ndo," len=%d [bad: < 20]", len));
1428 else {
1429 mask = (u_char *)(data + sizeof(struct in6_addr));
1430 /*XXX*/
1431 ND_PRINT((ndo," len=%d %s/0x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x", len,
1432 ip6addr_string(ndo, data),
1433 mask[0], mask[1], mask[2], mask[3],
1434 mask[4], mask[5], mask[6], mask[7],
1435 mask[8], mask[9], mask[10], mask[11],
1436 mask[12], mask[13], mask[14], mask[15]));
1437 }
1438 len = 0;
1439 break;
1440 }
1441 #endif /*INET6*/
1442 case IPSECDOI_ID_IPV4_ADDR_RANGE:
1443 if (len < 8)
1444 ND_PRINT((ndo," len=%d [bad: < 8]", len));
1445 else {
1446 ND_PRINT((ndo," len=%d %s-%s", len,
1447 ipaddr_string(ndo, data),
1448 ipaddr_string(ndo, data + sizeof(struct in_addr))));
1449 }
1450 len = 0;
1451 break;
1452 #ifdef INET6
1453 case IPSECDOI_ID_IPV6_ADDR_RANGE:
1454 if (len < 32)
1455 ND_PRINT((ndo," len=%d [bad: < 32]", len));
1456 else {
1457 ND_PRINT((ndo," len=%d %s-%s", len,
1458 ip6addr_string(ndo, data),
1459 ip6addr_string(ndo, data + sizeof(struct in6_addr))));
1460 }
1461 len = 0;
1462 break;
1463 #endif /*INET6*/
1464 case IPSECDOI_ID_DER_ASN1_DN:
1465 case IPSECDOI_ID_DER_ASN1_GN:
1466 case IPSECDOI_ID_KEY_ID:
1467 break;
1468 }
1469 break;
1470 }
1471 }
1472 if (data && len) {
1473 ND_PRINT((ndo," len=%d", len));
1474 if (2 < ndo->ndo_vflag) {
1475 ND_PRINT((ndo," "));
1476 if (!rawprint(ndo, (caddr_t)data, len))
1477 goto trunc;
1478 }
1479 }
1480 return (u_char *)ext + item_len;
1481 trunc:
1482 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_ID)));
1483 return NULL;
1484 }
1485
1486 static const u_char *
ikev1_cert_print(netdissect_options * ndo,u_char tpay _U_,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep _U_,uint32_t phase _U_,uint32_t doi0 _U_,uint32_t proto0 _U_,int depth _U_)1487 ikev1_cert_print(netdissect_options *ndo, u_char tpay _U_,
1488 const struct isakmp_gen *ext, u_int item_len _U_,
1489 const u_char *ep _U_, uint32_t phase _U_,
1490 uint32_t doi0 _U_,
1491 uint32_t proto0 _U_, int depth _U_)
1492 {
1493 const struct ikev1_pl_cert *p;
1494 struct ikev1_pl_cert cert;
1495 static const char *certstr[] = {
1496 "none", "pkcs7", "pgp", "dns",
1497 "x509sign", "x509ke", "kerberos", "crl",
1498 "arl", "spki", "x509attr",
1499 };
1500
1501 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_CERT)));
1502
1503 p = (struct ikev1_pl_cert *)ext;
1504 ND_TCHECK(*p);
1505 UNALIGNED_MEMCPY(&cert, ext, sizeof(cert));
1506 ND_PRINT((ndo," len=%d", item_len - 4));
1507 ND_PRINT((ndo," type=%s", STR_OR_ID((cert.encode), certstr)));
1508 if (2 < ndo->ndo_vflag && 4 < item_len) {
1509 ND_PRINT((ndo," "));
1510 if (!rawprint(ndo, (caddr_t)(ext + 1), item_len - 4))
1511 goto trunc;
1512 }
1513 return (u_char *)ext + item_len;
1514 trunc:
1515 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_CERT)));
1516 return NULL;
1517 }
1518
1519 static const u_char *
ikev1_cr_print(netdissect_options * ndo,u_char tpay _U_,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep _U_,uint32_t phase _U_,uint32_t doi0 _U_,uint32_t proto0 _U_,int depth _U_)1520 ikev1_cr_print(netdissect_options *ndo, u_char tpay _U_,
1521 const struct isakmp_gen *ext, u_int item_len _U_,
1522 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi0 _U_,
1523 uint32_t proto0 _U_, int depth _U_)
1524 {
1525 const struct ikev1_pl_cert *p;
1526 struct ikev1_pl_cert cert;
1527 static const char *certstr[] = {
1528 "none", "pkcs7", "pgp", "dns",
1529 "x509sign", "x509ke", "kerberos", "crl",
1530 "arl", "spki", "x509attr",
1531 };
1532
1533 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_CR)));
1534
1535 p = (struct ikev1_pl_cert *)ext;
1536 ND_TCHECK(*p);
1537 UNALIGNED_MEMCPY(&cert, ext, sizeof(cert));
1538 ND_PRINT((ndo," len=%d", item_len - 4));
1539 ND_PRINT((ndo," type=%s", STR_OR_ID((cert.encode), certstr)));
1540 if (2 < ndo->ndo_vflag && 4 < item_len) {
1541 ND_PRINT((ndo," "));
1542 if (!rawprint(ndo, (caddr_t)(ext + 1), item_len - 4))
1543 goto trunc;
1544 }
1545 return (u_char *)ext + item_len;
1546 trunc:
1547 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_CR)));
1548 return NULL;
1549 }
1550
1551 static const u_char *
ikev1_hash_print(netdissect_options * ndo,u_char tpay _U_,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep _U_,uint32_t phase _U_,uint32_t doi _U_,uint32_t proto _U_,int depth _U_)1552 ikev1_hash_print(netdissect_options *ndo, u_char tpay _U_,
1553 const struct isakmp_gen *ext, u_int item_len _U_,
1554 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_,
1555 uint32_t proto _U_, int depth _U_)
1556 {
1557 struct isakmp_gen e;
1558
1559 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_HASH)));
1560
1561 ND_TCHECK(*ext);
1562 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1563 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
1564 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1565 ND_PRINT((ndo," "));
1566 if (!rawprint(ndo, (caddr_t)(ext + 1), ntohs(e.len) - 4))
1567 goto trunc;
1568 }
1569 return (u_char *)ext + ntohs(e.len);
1570 trunc:
1571 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_HASH)));
1572 return NULL;
1573 }
1574
1575 static const u_char *
ikev1_sig_print(netdissect_options * ndo,u_char tpay _U_,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep _U_,uint32_t phase _U_,uint32_t doi _U_,uint32_t proto _U_,int depth _U_)1576 ikev1_sig_print(netdissect_options *ndo, u_char tpay _U_,
1577 const struct isakmp_gen *ext, u_int item_len _U_,
1578 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_,
1579 uint32_t proto _U_, int depth _U_)
1580 {
1581 struct isakmp_gen e;
1582
1583 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_SIG)));
1584
1585 ND_TCHECK(*ext);
1586 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1587 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
1588 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1589 ND_PRINT((ndo," "));
1590 if (!rawprint(ndo, (caddr_t)(ext + 1), ntohs(e.len) - 4))
1591 goto trunc;
1592 }
1593 return (u_char *)ext + ntohs(e.len);
1594 trunc:
1595 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_SIG)));
1596 return NULL;
1597 }
1598
1599 static const u_char *
ikev1_nonce_print(netdissect_options * ndo,u_char tpay _U_,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep _U_,uint32_t phase _U_,uint32_t doi _U_,uint32_t proto _U_,int depth _U_)1600 ikev1_nonce_print(netdissect_options *ndo, u_char tpay _U_,
1601 const struct isakmp_gen *ext,
1602 u_int item_len _U_,
1603 const u_char *ep _U_,
1604 uint32_t phase _U_, uint32_t doi _U_,
1605 uint32_t proto _U_, int depth _U_)
1606 {
1607 struct isakmp_gen e;
1608
1609 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_NONCE)));
1610
1611 ND_TCHECK(*ext);
1612 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1613 ND_PRINT((ndo," n len=%d", ntohs(e.len) - 4));
1614 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1615 ND_PRINT((ndo," "));
1616 if (!rawprint(ndo, (caddr_t)(ext + 1), ntohs(e.len) - 4))
1617 goto trunc;
1618 } else if (1 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1619 ND_PRINT((ndo," "));
1620 if (!ike_show_somedata(ndo, (u_char *)(caddr_t)(ext + 1), ep))
1621 goto trunc;
1622 }
1623 return (u_char *)ext + ntohs(e.len);
1624 trunc:
1625 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_NONCE)));
1626 return NULL;
1627 }
1628
1629 static const u_char *
ikev1_n_print(netdissect_options * ndo,u_char tpay _U_,const struct isakmp_gen * ext,u_int item_len,const u_char * ep,uint32_t phase,uint32_t doi0 _U_,uint32_t proto0 _U_,int depth)1630 ikev1_n_print(netdissect_options *ndo, u_char tpay _U_,
1631 const struct isakmp_gen *ext, u_int item_len,
1632 const u_char *ep, uint32_t phase, uint32_t doi0 _U_,
1633 uint32_t proto0 _U_, int depth)
1634 {
1635 struct ikev1_pl_n *p, n;
1636 const u_char *cp;
1637 u_char *ep2;
1638 uint32_t doi;
1639 uint32_t proto;
1640 static const char *notify_error_str[] = {
1641 NULL, "INVALID-PAYLOAD-TYPE",
1642 "DOI-NOT-SUPPORTED", "SITUATION-NOT-SUPPORTED",
1643 "INVALID-COOKIE", "INVALID-MAJOR-VERSION",
1644 "INVALID-MINOR-VERSION", "INVALID-EXCHANGE-TYPE",
1645 "INVALID-FLAGS", "INVALID-MESSAGE-ID",
1646 "INVALID-PROTOCOL-ID", "INVALID-SPI",
1647 "INVALID-TRANSFORM-ID", "ATTRIBUTES-NOT-SUPPORTED",
1648 "NO-PROPOSAL-CHOSEN", "BAD-PROPOSAL-SYNTAX",
1649 "PAYLOAD-MALFORMED", "INVALID-KEY-INFORMATION",
1650 "INVALID-ID-INFORMATION", "INVALID-CERT-ENCODING",
1651 "INVALID-CERTIFICATE", "CERT-TYPE-UNSUPPORTED",
1652 "INVALID-CERT-AUTHORITY", "INVALID-HASH-INFORMATION",
1653 "AUTHENTICATION-FAILED", "INVALID-SIGNATURE",
1654 "ADDRESS-NOTIFICATION", "NOTIFY-SA-LIFETIME",
1655 "CERTIFICATE-UNAVAILABLE", "UNSUPPORTED-EXCHANGE-TYPE",
1656 "UNEQUAL-PAYLOAD-LENGTHS",
1657 };
1658 static const char *ipsec_notify_error_str[] = {
1659 "RESERVED",
1660 };
1661 static const char *notify_status_str[] = {
1662 "CONNECTED",
1663 };
1664 static const char *ipsec_notify_status_str[] = {
1665 "RESPONDER-LIFETIME", "REPLAY-STATUS",
1666 "INITIAL-CONTACT",
1667 };
1668 /* NOTE: these macro must be called with x in proper range */
1669
1670 /* 0 - 8191 */
1671 #define NOTIFY_ERROR_STR(x) \
1672 STR_OR_ID((x), notify_error_str)
1673
1674 /* 8192 - 16383 */
1675 #define IPSEC_NOTIFY_ERROR_STR(x) \
1676 STR_OR_ID((u_int)((x) - 8192), ipsec_notify_error_str)
1677
1678 /* 16384 - 24575 */
1679 #define NOTIFY_STATUS_STR(x) \
1680 STR_OR_ID((u_int)((x) - 16384), notify_status_str)
1681
1682 /* 24576 - 32767 */
1683 #define IPSEC_NOTIFY_STATUS_STR(x) \
1684 STR_OR_ID((u_int)((x) - 24576), ipsec_notify_status_str)
1685
1686 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_N)));
1687
1688 p = (struct ikev1_pl_n *)ext;
1689 ND_TCHECK(*p);
1690 UNALIGNED_MEMCPY(&n, ext, sizeof(n));
1691 doi = ntohl(n.doi);
1692 proto = n.prot_id;
1693 if (doi != 1) {
1694 ND_PRINT((ndo," doi=%d", doi));
1695 ND_PRINT((ndo," proto=%d", proto));
1696 if (ntohs(n.type) < 8192)
1697 ND_PRINT((ndo," type=%s", NOTIFY_ERROR_STR(ntohs(n.type))));
1698 else if (ntohs(n.type) < 16384)
1699 ND_PRINT((ndo," type=%s", numstr(ntohs(n.type))));
1700 else if (ntohs(n.type) < 24576)
1701 ND_PRINT((ndo," type=%s", NOTIFY_STATUS_STR(ntohs(n.type))));
1702 else
1703 ND_PRINT((ndo," type=%s", numstr(ntohs(n.type))));
1704 if (n.spi_size) {
1705 ND_PRINT((ndo," spi="));
1706 if (!rawprint(ndo, (caddr_t)(p + 1), n.spi_size))
1707 goto trunc;
1708 }
1709 return (u_char *)(p + 1) + n.spi_size;
1710 }
1711
1712 ND_PRINT((ndo," doi=ipsec"));
1713 ND_PRINT((ndo," proto=%s", PROTOIDSTR(proto)));
1714 if (ntohs(n.type) < 8192)
1715 ND_PRINT((ndo," type=%s", NOTIFY_ERROR_STR(ntohs(n.type))));
1716 else if (ntohs(n.type) < 16384)
1717 ND_PRINT((ndo," type=%s", IPSEC_NOTIFY_ERROR_STR(ntohs(n.type))));
1718 else if (ntohs(n.type) < 24576)
1719 ND_PRINT((ndo," type=%s", NOTIFY_STATUS_STR(ntohs(n.type))));
1720 else if (ntohs(n.type) < 32768)
1721 ND_PRINT((ndo," type=%s", IPSEC_NOTIFY_STATUS_STR(ntohs(n.type))));
1722 else
1723 ND_PRINT((ndo," type=%s", numstr(ntohs(n.type))));
1724 if (n.spi_size) {
1725 ND_PRINT((ndo," spi="));
1726 if (!rawprint(ndo, (caddr_t)(p + 1), n.spi_size))
1727 goto trunc;
1728 }
1729
1730 cp = (u_char *)(p + 1) + n.spi_size;
1731 ep2 = (u_char *)p + item_len;
1732
1733 if (cp < ep) {
1734 ND_PRINT((ndo," orig=("));
1735 switch (ntohs(n.type)) {
1736 case IPSECDOI_NTYPE_RESPONDER_LIFETIME:
1737 {
1738 const struct attrmap *map = oakley_t_map;
1739 size_t nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]);
1740 while (cp < ep && cp < ep2) {
1741 cp = ikev1_attrmap_print(ndo, cp,
1742 (ep < ep2) ? ep : ep2, map, nmap);
1743 }
1744 break;
1745 }
1746 case IPSECDOI_NTYPE_REPLAY_STATUS:
1747 ND_PRINT((ndo,"replay detection %sabled",
1748 EXTRACT_32BITS(cp) ? "en" : "dis"));
1749 break;
1750 case ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN:
1751 if (ikev1_sub_print(ndo, ISAKMP_NPTYPE_SA,
1752 (struct isakmp_gen *)cp, ep, phase, doi, proto,
1753 depth) == NULL)
1754 return NULL;
1755 break;
1756 default:
1757 /* NULL is dummy */
1758 isakmp_print(ndo, cp,
1759 item_len - sizeof(*p) - n.spi_size,
1760 NULL);
1761 }
1762 ND_PRINT((ndo,")"));
1763 }
1764 return (u_char *)ext + item_len;
1765 trunc:
1766 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_N)));
1767 return NULL;
1768 }
1769
1770 static const u_char *
ikev1_d_print(netdissect_options * ndo,u_char tpay _U_,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep _U_,uint32_t phase _U_,uint32_t doi0 _U_,uint32_t proto0 _U_,int depth _U_)1771 ikev1_d_print(netdissect_options *ndo, u_char tpay _U_,
1772 const struct isakmp_gen *ext, u_int item_len _U_,
1773 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi0 _U_,
1774 uint32_t proto0 _U_, int depth _U_)
1775 {
1776 const struct ikev1_pl_d *p;
1777 struct ikev1_pl_d d;
1778 const uint8_t *q;
1779 uint32_t doi;
1780 uint32_t proto;
1781 int i;
1782
1783 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_D)));
1784
1785 p = (struct ikev1_pl_d *)ext;
1786 ND_TCHECK(*p);
1787 UNALIGNED_MEMCPY(&d, ext, sizeof(d));
1788 doi = ntohl(d.doi);
1789 proto = d.prot_id;
1790 if (doi != 1) {
1791 ND_PRINT((ndo," doi=%u", doi));
1792 ND_PRINT((ndo," proto=%u", proto));
1793 } else {
1794 ND_PRINT((ndo," doi=ipsec"));
1795 ND_PRINT((ndo," proto=%s", PROTOIDSTR(proto)));
1796 }
1797 ND_PRINT((ndo," spilen=%u", d.spi_size));
1798 ND_PRINT((ndo," nspi=%u", ntohs(d.num_spi)));
1799 ND_PRINT((ndo," spi="));
1800 q = (uint8_t *)(p + 1);
1801 for (i = 0; i < ntohs(d.num_spi); i++) {
1802 if (i != 0)
1803 ND_PRINT((ndo,","));
1804 if (!rawprint(ndo, (caddr_t)q, d.spi_size))
1805 goto trunc;
1806 q += d.spi_size;
1807 }
1808 return q;
1809 trunc:
1810 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_D)));
1811 return NULL;
1812 }
1813
1814 static const u_char *
ikev1_vid_print(netdissect_options * ndo,u_char tpay _U_,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep _U_,uint32_t phase _U_,uint32_t doi _U_,uint32_t proto _U_,int depth _U_)1815 ikev1_vid_print(netdissect_options *ndo, u_char tpay _U_,
1816 const struct isakmp_gen *ext,
1817 u_int item_len _U_, const u_char *ep _U_,
1818 uint32_t phase _U_, uint32_t doi _U_,
1819 uint32_t proto _U_, int depth _U_)
1820 {
1821 struct isakmp_gen e;
1822
1823 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_VID)));
1824
1825 ND_TCHECK(*ext);
1826 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1827 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
1828 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1829 ND_PRINT((ndo," "));
1830 if (!rawprint(ndo, (caddr_t)(ext + 1), ntohs(e.len) - 4))
1831 goto trunc;
1832 }
1833 return (u_char *)ext + ntohs(e.len);
1834 trunc:
1835 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_VID)));
1836 return NULL;
1837 }
1838
1839 /************************************************************/
1840 /* */
1841 /* IKE v2 - rfc4306 - dissector */
1842 /* */
1843 /************************************************************/
1844
1845 static void
ikev2_pay_print(netdissect_options * ndo,const char * payname,int critical)1846 ikev2_pay_print(netdissect_options *ndo, const char *payname, int critical)
1847 {
1848 ND_PRINT((ndo,"%s%s:", payname, critical&0x80 ? "[C]" : ""));
1849 }
1850
1851 static const u_char *
ikev2_gen_print(netdissect_options * ndo,u_char tpay,const struct isakmp_gen * ext)1852 ikev2_gen_print(netdissect_options *ndo, u_char tpay,
1853 const struct isakmp_gen *ext)
1854 {
1855 struct isakmp_gen e;
1856
1857 ND_TCHECK(*ext);
1858 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1859 ikev2_pay_print(ndo, NPSTR(tpay), e.critical);
1860
1861 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
1862 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1863 ND_PRINT((ndo," "));
1864 if (!rawprint(ndo, (caddr_t)(ext + 1), ntohs(e.len) - 4))
1865 goto trunc;
1866 }
1867 return (u_char *)ext + ntohs(e.len);
1868 trunc:
1869 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
1870 return NULL;
1871 }
1872
1873 static const u_char *
ikev2_t_print(netdissect_options * ndo,u_char tpay _U_,int pcount,const struct isakmp_gen * ext,u_int item_len,const u_char * ep,uint32_t phase _U_,uint32_t doi _U_,uint32_t proto _U_,int depth _U_)1874 ikev2_t_print(netdissect_options *ndo, u_char tpay _U_, int pcount,
1875 const struct isakmp_gen *ext, u_int item_len,
1876 const u_char *ep, uint32_t phase _U_, uint32_t doi _U_,
1877 uint32_t proto _U_, int depth _U_)
1878 {
1879 const struct ikev2_t *p;
1880 struct ikev2_t t;
1881 uint16_t t_id;
1882 const u_char *cp;
1883 const char *idstr;
1884 const struct attrmap *map;
1885 size_t nmap;
1886 const u_char *ep2;
1887
1888 p = (struct ikev2_t *)ext;
1889 ND_TCHECK(*p);
1890 UNALIGNED_MEMCPY(&t, ext, sizeof(t));
1891 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_T), t.h.critical);
1892
1893 t_id = ntohs(t.t_id);
1894
1895 map = NULL;
1896 nmap = 0;
1897
1898 switch (t.t_type) {
1899 case IV2_T_ENCR:
1900 idstr = STR_OR_ID(t_id, esp_p_map);
1901 map = encr_t_map;
1902 nmap = sizeof(encr_t_map)/sizeof(encr_t_map[0]);
1903 break;
1904
1905 case IV2_T_PRF:
1906 idstr = STR_OR_ID(t_id, prf_p_map);
1907 break;
1908
1909 case IV2_T_INTEG:
1910 idstr = STR_OR_ID(t_id, integ_p_map);
1911 break;
1912
1913 case IV2_T_DH:
1914 idstr = STR_OR_ID(t_id, dh_p_map);
1915 break;
1916
1917 case IV2_T_ESN:
1918 idstr = STR_OR_ID(t_id, esn_p_map);
1919 break;
1920
1921 default:
1922 idstr = NULL;
1923 break;
1924 }
1925
1926 if (idstr)
1927 ND_PRINT((ndo," #%u type=%s id=%s ", pcount,
1928 STR_OR_ID(t.t_type, ikev2_t_type_map),
1929 idstr));
1930 else
1931 ND_PRINT((ndo," #%u type=%s id=%u ", pcount,
1932 STR_OR_ID(t.t_type, ikev2_t_type_map),
1933 t.t_id));
1934 cp = (u_char *)(p + 1);
1935 ep2 = (u_char *)p + item_len;
1936 while (cp < ep && cp < ep2) {
1937 if (map && nmap) {
1938 cp = ikev1_attrmap_print(ndo, cp, (ep < ep2) ? ep : ep2,
1939 map, nmap);
1940 } else
1941 cp = ikev1_attr_print(ndo, cp, (ep < ep2) ? ep : ep2);
1942 }
1943 if (ep < ep2)
1944 ND_PRINT((ndo,"..."));
1945 return cp;
1946 trunc:
1947 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_T)));
1948 return NULL;
1949 }
1950
1951 static const u_char *
ikev2_p_print(netdissect_options * ndo,u_char tpay _U_,int pcount _U_,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep,uint32_t phase,uint32_t doi0,uint32_t proto0 _U_,int depth)1952 ikev2_p_print(netdissect_options *ndo, u_char tpay _U_, int pcount _U_,
1953 const struct isakmp_gen *ext, u_int item_len _U_,
1954 const u_char *ep, uint32_t phase, uint32_t doi0,
1955 uint32_t proto0 _U_, int depth)
1956 {
1957 const struct ikev2_p *p;
1958 struct ikev2_p prop;
1959 const u_char *cp;
1960
1961 p = (struct ikev2_p *)ext;
1962 ND_TCHECK(*p);
1963 UNALIGNED_MEMCPY(&prop, ext, sizeof(prop));
1964 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_P), prop.h.critical);
1965
1966 ND_PRINT((ndo," #%u protoid=%s transform=%d len=%u",
1967 prop.p_no, PROTOIDSTR(prop.prot_id),
1968 prop.num_t, ntohs(prop.h.len)));
1969 if (prop.spi_size) {
1970 ND_PRINT((ndo," spi="));
1971 if (!rawprint(ndo, (caddr_t)(p + 1), prop.spi_size))
1972 goto trunc;
1973 }
1974
1975 ext = (struct isakmp_gen *)((u_char *)(p + 1) + prop.spi_size);
1976 ND_TCHECK(*ext);
1977
1978 cp = ikev2_sub_print(ndo, NULL, ISAKMP_NPTYPE_T, ext, ep, phase, doi0,
1979 prop.prot_id, depth);
1980
1981 return cp;
1982 trunc:
1983 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_P)));
1984 return NULL;
1985 }
1986
1987 static const u_char *
ikev2_sa_print(netdissect_options * ndo,u_char tpay,const struct isakmp_gen * ext1,u_int item_len _U_,const u_char * ep _U_,uint32_t phase _U_,uint32_t doi _U_,uint32_t proto _U_,int depth _U_)1988 ikev2_sa_print(netdissect_options *ndo, u_char tpay,
1989 const struct isakmp_gen *ext1,
1990 u_int item_len _U_, const u_char *ep _U_,
1991 uint32_t phase _U_, uint32_t doi _U_,
1992 uint32_t proto _U_, int depth _U_)
1993 {
1994 struct isakmp_gen e;
1995 int osa_length, sa_length;
1996
1997 ND_TCHECK(*ext1);
1998 UNALIGNED_MEMCPY(&e, ext1, sizeof(e));
1999 ikev2_pay_print(ndo, "sa", e.critical);
2000
2001 osa_length= ntohs(e.len);
2002 sa_length = osa_length - 4;
2003 ND_PRINT((ndo," len=%d", sa_length));
2004
2005 ikev2_sub_print(ndo, NULL, ISAKMP_NPTYPE_P,
2006 ext1+1, ep,
2007 0, 0, 0, depth);
2008
2009 return (u_char *)ext1 + osa_length;
2010 trunc:
2011 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2012 return NULL;
2013 }
2014
2015 static const u_char *
ikev2_ke_print(netdissect_options * ndo,u_char tpay,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep _U_,uint32_t phase _U_,uint32_t doi _U_,uint32_t proto _U_,int depth _U_)2016 ikev2_ke_print(netdissect_options *ndo, u_char tpay,
2017 const struct isakmp_gen *ext,
2018 u_int item_len _U_, const u_char *ep _U_,
2019 uint32_t phase _U_, uint32_t doi _U_,
2020 uint32_t proto _U_, int depth _U_)
2021 {
2022 struct ikev2_ke ke;
2023 struct ikev2_ke *k;
2024
2025 k = (struct ikev2_ke *)ext;
2026 ND_TCHECK(*ext);
2027 UNALIGNED_MEMCPY(&ke, ext, sizeof(ke));
2028 ikev2_pay_print(ndo, NPSTR(tpay), ke.h.critical);
2029
2030 ND_PRINT((ndo," len=%u group=%s", ntohs(ke.h.len) - 8,
2031 STR_OR_ID(ntohs(ke.ke_group), dh_p_map)));
2032
2033 if (2 < ndo->ndo_vflag && 8 < ntohs(ke.h.len)) {
2034 ND_PRINT((ndo," "));
2035 if (!rawprint(ndo, (caddr_t)(k + 1), ntohs(ke.h.len) - 8))
2036 goto trunc;
2037 }
2038 return (u_char *)ext + ntohs(ke.h.len);
2039 trunc:
2040 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2041 return NULL;
2042 }
2043
2044 static const u_char *
ikev2_ID_print(netdissect_options * ndo,u_char tpay,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep _U_,uint32_t phase _U_,uint32_t doi _U_,uint32_t proto _U_,int depth _U_)2045 ikev2_ID_print(netdissect_options *ndo, u_char tpay,
2046 const struct isakmp_gen *ext,
2047 u_int item_len _U_, const u_char *ep _U_,
2048 uint32_t phase _U_, uint32_t doi _U_,
2049 uint32_t proto _U_, int depth _U_)
2050 {
2051 struct ikev2_id id;
2052 int id_len, idtype_len, i;
2053 unsigned int dumpascii, dumphex;
2054 unsigned char *typedata;
2055
2056 ND_TCHECK(*ext);
2057 UNALIGNED_MEMCPY(&id, ext, sizeof(id));
2058 ikev2_pay_print(ndo, NPSTR(tpay), id.h.critical);
2059
2060 id_len = ntohs(id.h.len);
2061
2062 ND_PRINT((ndo," len=%d", id_len - 4));
2063 if (2 < ndo->ndo_vflag && 4 < id_len) {
2064 ND_PRINT((ndo," "));
2065 if (!rawprint(ndo, (caddr_t)(ext + 1), id_len - 4))
2066 goto trunc;
2067 }
2068
2069 idtype_len =id_len - sizeof(struct ikev2_id);
2070 dumpascii = 0;
2071 dumphex = 0;
2072 typedata = (unsigned char *)(ext)+sizeof(struct ikev2_id);
2073
2074 switch(id.type) {
2075 case ID_IPV4_ADDR:
2076 ND_PRINT((ndo, " ipv4:"));
2077 dumphex=1;
2078 break;
2079 case ID_FQDN:
2080 ND_PRINT((ndo, " fqdn:"));
2081 dumpascii=1;
2082 break;
2083 case ID_RFC822_ADDR:
2084 ND_PRINT((ndo, " rfc822:"));
2085 dumpascii=1;
2086 break;
2087 case ID_IPV6_ADDR:
2088 ND_PRINT((ndo, " ipv6:"));
2089 dumphex=1;
2090 break;
2091 case ID_DER_ASN1_DN:
2092 ND_PRINT((ndo, " dn:"));
2093 dumphex=1;
2094 break;
2095 case ID_DER_ASN1_GN:
2096 ND_PRINT((ndo, " gn:"));
2097 dumphex=1;
2098 break;
2099 case ID_KEY_ID:
2100 ND_PRINT((ndo, " keyid:"));
2101 dumphex=1;
2102 break;
2103 }
2104
2105 if(dumpascii) {
2106 ND_TCHECK2(*typedata, idtype_len);
2107 for(i=0; i<idtype_len; i++) {
2108 if(ND_ISPRINT(typedata[i])) {
2109 ND_PRINT((ndo, "%c", typedata[i]));
2110 } else {
2111 ND_PRINT((ndo, "."));
2112 }
2113 }
2114 }
2115 if(dumphex) {
2116 if (!rawprint(ndo, (caddr_t)typedata, idtype_len))
2117 goto trunc;
2118 }
2119
2120 return (u_char *)ext + id_len;
2121 trunc:
2122 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2123 return NULL;
2124 }
2125
2126 static const u_char *
ikev2_cert_print(netdissect_options * ndo,u_char tpay,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep _U_,uint32_t phase _U_,uint32_t doi _U_,uint32_t proto _U_,int depth _U_)2127 ikev2_cert_print(netdissect_options *ndo, u_char tpay,
2128 const struct isakmp_gen *ext,
2129 u_int item_len _U_, const u_char *ep _U_,
2130 uint32_t phase _U_, uint32_t doi _U_,
2131 uint32_t proto _U_, int depth _U_)
2132 {
2133 return ikev2_gen_print(ndo, tpay, ext);
2134 }
2135
2136 static const u_char *
ikev2_cr_print(netdissect_options * ndo,u_char tpay,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep _U_,uint32_t phase _U_,uint32_t doi _U_,uint32_t proto _U_,int depth _U_)2137 ikev2_cr_print(netdissect_options *ndo, u_char tpay,
2138 const struct isakmp_gen *ext,
2139 u_int item_len _U_, const u_char *ep _U_,
2140 uint32_t phase _U_, uint32_t doi _U_,
2141 uint32_t proto _U_, int depth _U_)
2142 {
2143 return ikev2_gen_print(ndo, tpay, ext);
2144 }
2145
2146 static const u_char *
ikev2_auth_print(netdissect_options * ndo,u_char tpay,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep _U_,uint32_t phase _U_,uint32_t doi _U_,uint32_t proto _U_,int depth _U_)2147 ikev2_auth_print(netdissect_options *ndo, u_char tpay,
2148 const struct isakmp_gen *ext,
2149 u_int item_len _U_, const u_char *ep _U_,
2150 uint32_t phase _U_, uint32_t doi _U_,
2151 uint32_t proto _U_, int depth _U_)
2152 {
2153 struct ikev2_auth a;
2154 const char *v2_auth[]={ "invalid", "rsasig",
2155 "shared-secret", "dsssig" };
2156 u_char *authdata = (u_char*)ext + sizeof(a);
2157 unsigned int len;
2158
2159 ND_TCHECK(*ext);
2160 UNALIGNED_MEMCPY(&a, ext, sizeof(a));
2161 ikev2_pay_print(ndo, NPSTR(tpay), a.h.critical);
2162 len = ntohs(a.h.len);
2163
2164 ND_PRINT((ndo," len=%d method=%s", len-4,
2165 STR_OR_ID(a.auth_method, v2_auth)));
2166
2167 if (1 < ndo->ndo_vflag && 4 < len) {
2168 ND_PRINT((ndo," authdata=("));
2169 if (!rawprint(ndo, (caddr_t)authdata, len - sizeof(a)))
2170 goto trunc;
2171 ND_PRINT((ndo,") "));
2172 } else if(ndo->ndo_vflag && 4 < len) {
2173 if(!ike_show_somedata(ndo, authdata, ep)) goto trunc;
2174 }
2175
2176 return (u_char *)ext + len;
2177 trunc:
2178 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2179 return NULL;
2180 }
2181
2182 static const u_char *
ikev2_nonce_print(netdissect_options * ndo,u_char tpay,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep _U_,uint32_t phase _U_,uint32_t doi _U_,uint32_t proto _U_,int depth _U_)2183 ikev2_nonce_print(netdissect_options *ndo, u_char tpay,
2184 const struct isakmp_gen *ext,
2185 u_int item_len _U_, const u_char *ep _U_,
2186 uint32_t phase _U_, uint32_t doi _U_,
2187 uint32_t proto _U_, int depth _U_)
2188 {
2189 struct isakmp_gen e;
2190
2191 ND_TCHECK(*ext);
2192 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2193 ikev2_pay_print(ndo, "nonce", e.critical);
2194
2195 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
2196 if (1 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
2197 ND_PRINT((ndo," nonce=("));
2198 if (!rawprint(ndo, (caddr_t)(ext + 1), ntohs(e.len) - 4))
2199 goto trunc;
2200 ND_PRINT((ndo,") "));
2201 } else if(ndo->ndo_vflag && 4 < ntohs(e.len)) {
2202 if(!ike_show_somedata(ndo, (const u_char *)(ext+1), ep)) goto trunc;
2203 }
2204
2205 return (u_char *)ext + ntohs(e.len);
2206 trunc:
2207 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2208 return NULL;
2209 }
2210
2211 /* notify payloads */
2212 static const u_char *
ikev2_n_print(netdissect_options * ndo,u_char tpay _U_,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep _U_,uint32_t phase _U_,uint32_t doi _U_,uint32_t proto _U_,int depth _U_)2213 ikev2_n_print(netdissect_options *ndo, u_char tpay _U_,
2214 const struct isakmp_gen *ext,
2215 u_int item_len _U_, const u_char *ep _U_,
2216 uint32_t phase _U_, uint32_t doi _U_,
2217 uint32_t proto _U_, int depth _U_)
2218 {
2219 struct ikev2_n *p, n;
2220 const u_char *cp;
2221 u_char showspi, showdata, showsomedata;
2222 const char *notify_name;
2223 uint32_t type;
2224
2225 p = (struct ikev2_n *)ext;
2226 ND_TCHECK(*p);
2227 UNALIGNED_MEMCPY(&n, ext, sizeof(n));
2228 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_N), n.h.critical);
2229
2230 showspi = 1;
2231 showdata = 0;
2232 showsomedata=0;
2233 notify_name=NULL;
2234
2235 ND_PRINT((ndo," prot_id=%s", PROTOIDSTR(n.prot_id)));
2236
2237 type = ntohs(n.type);
2238
2239 /* notify space is annoying sparse */
2240 switch(type) {
2241 case IV2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD:
2242 notify_name = "unsupported_critical_payload";
2243 showspi = 0;
2244 break;
2245
2246 case IV2_NOTIFY_INVALID_IKE_SPI:
2247 notify_name = "invalid_ike_spi";
2248 showspi = 1;
2249 break;
2250
2251 case IV2_NOTIFY_INVALID_MAJOR_VERSION:
2252 notify_name = "invalid_major_version";
2253 showspi = 0;
2254 break;
2255
2256 case IV2_NOTIFY_INVALID_SYNTAX:
2257 notify_name = "invalid_syntax";
2258 showspi = 1;
2259 break;
2260
2261 case IV2_NOTIFY_INVALID_MESSAGE_ID:
2262 notify_name = "invalid_message_id";
2263 showspi = 1;
2264 break;
2265
2266 case IV2_NOTIFY_INVALID_SPI:
2267 notify_name = "invalid_spi";
2268 showspi = 1;
2269 break;
2270
2271 case IV2_NOTIFY_NO_PROPOSAL_CHOSEN:
2272 notify_name = "no_protocol_chosen";
2273 showspi = 1;
2274 break;
2275
2276 case IV2_NOTIFY_INVALID_KE_PAYLOAD:
2277 notify_name = "invalid_ke_payload";
2278 showspi = 1;
2279 break;
2280
2281 case IV2_NOTIFY_AUTHENTICATION_FAILED:
2282 notify_name = "authentication_failed";
2283 showspi = 1;
2284 break;
2285
2286 case IV2_NOTIFY_SINGLE_PAIR_REQUIRED:
2287 notify_name = "single_pair_required";
2288 showspi = 1;
2289 break;
2290
2291 case IV2_NOTIFY_NO_ADDITIONAL_SAS:
2292 notify_name = "no_additional_sas";
2293 showspi = 0;
2294 break;
2295
2296 case IV2_NOTIFY_INTERNAL_ADDRESS_FAILURE:
2297 notify_name = "internal_address_failure";
2298 showspi = 0;
2299 break;
2300
2301 case IV2_NOTIFY_FAILED_CP_REQUIRED:
2302 notify_name = "failed:cp_required";
2303 showspi = 0;
2304 break;
2305
2306 case IV2_NOTIFY_INVALID_SELECTORS:
2307 notify_name = "invalid_selectors";
2308 showspi = 0;
2309 break;
2310
2311 case IV2_NOTIFY_INITIAL_CONTACT:
2312 notify_name = "initial_contact";
2313 showspi = 0;
2314 break;
2315
2316 case IV2_NOTIFY_SET_WINDOW_SIZE:
2317 notify_name = "set_window_size";
2318 showspi = 0;
2319 break;
2320
2321 case IV2_NOTIFY_ADDITIONAL_TS_POSSIBLE:
2322 notify_name = "additional_ts_possible";
2323 showspi = 0;
2324 break;
2325
2326 case IV2_NOTIFY_IPCOMP_SUPPORTED:
2327 notify_name = "ipcomp_supported";
2328 showspi = 0;
2329 break;
2330
2331 case IV2_NOTIFY_NAT_DETECTION_SOURCE_IP:
2332 notify_name = "nat_detection_source_ip";
2333 showspi = 1;
2334 break;
2335
2336 case IV2_NOTIFY_NAT_DETECTION_DESTINATION_IP:
2337 notify_name = "nat_detection_destination_ip";
2338 showspi = 1;
2339 break;
2340
2341 case IV2_NOTIFY_COOKIE:
2342 notify_name = "cookie";
2343 showspi = 1;
2344 showsomedata= 1;
2345 showdata= 0;
2346 break;
2347
2348 case IV2_NOTIFY_USE_TRANSPORT_MODE:
2349 notify_name = "use_transport_mode";
2350 showspi = 0;
2351 break;
2352
2353 case IV2_NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED:
2354 notify_name = "http_cert_lookup_supported";
2355 showspi = 0;
2356 break;
2357
2358 case IV2_NOTIFY_REKEY_SA:
2359 notify_name = "rekey_sa";
2360 showspi = 1;
2361 break;
2362
2363 case IV2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED:
2364 notify_name = "tfc_padding_not_supported";
2365 showspi = 0;
2366 break;
2367
2368 case IV2_NOTIFY_NON_FIRST_FRAGMENTS_ALSO:
2369 notify_name = "non_first_fragment_also";
2370 showspi = 0;
2371 break;
2372
2373 default:
2374 if (type < 8192) {
2375 notify_name="error";
2376 } else if(type < 16384) {
2377 notify_name="private-error";
2378 } else if(type < 40960) {
2379 notify_name="status";
2380 } else {
2381 notify_name="private-status";
2382 }
2383 }
2384
2385 if(notify_name) {
2386 ND_PRINT((ndo," type=%u(%s)", type, notify_name));
2387 }
2388
2389
2390 if (showspi && n.spi_size) {
2391 ND_PRINT((ndo," spi="));
2392 if (!rawprint(ndo, (caddr_t)(p + 1), n.spi_size))
2393 goto trunc;
2394 }
2395
2396 cp = (u_char *)(p + 1) + n.spi_size;
2397
2398 if(3 < ndo->ndo_vflag) {
2399 showdata = 1;
2400 }
2401
2402 if ((showdata || (showsomedata && ep-cp < 30)) && cp < ep) {
2403 ND_PRINT((ndo," data=("));
2404 if (!rawprint(ndo, (caddr_t)(cp), ep - cp))
2405 goto trunc;
2406
2407 ND_PRINT((ndo,")"));
2408
2409 } else if(showsomedata && cp < ep) {
2410 if(!ike_show_somedata(ndo, cp, ep)) goto trunc;
2411 }
2412
2413 return (u_char *)ext + item_len;
2414 trunc:
2415 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_N)));
2416 return NULL;
2417 }
2418
2419 static const u_char *
ikev2_d_print(netdissect_options * ndo,u_char tpay,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep _U_,uint32_t phase _U_,uint32_t doi _U_,uint32_t proto _U_,int depth _U_)2420 ikev2_d_print(netdissect_options *ndo, u_char tpay,
2421 const struct isakmp_gen *ext,
2422 u_int item_len _U_, const u_char *ep _U_,
2423 uint32_t phase _U_, uint32_t doi _U_,
2424 uint32_t proto _U_, int depth _U_)
2425 {
2426 return ikev2_gen_print(ndo, tpay, ext);
2427 }
2428
2429 static const u_char *
ikev2_vid_print(netdissect_options * ndo,u_char tpay,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep _U_,uint32_t phase _U_,uint32_t doi _U_,uint32_t proto _U_,int depth _U_)2430 ikev2_vid_print(netdissect_options *ndo, u_char tpay,
2431 const struct isakmp_gen *ext,
2432 u_int item_len _U_, const u_char *ep _U_,
2433 uint32_t phase _U_, uint32_t doi _U_,
2434 uint32_t proto _U_, int depth _U_)
2435 {
2436 struct isakmp_gen e;
2437 const u_char *vid;
2438 int i, len;
2439
2440 ND_TCHECK(*ext);
2441 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2442 ikev2_pay_print(ndo, NPSTR(tpay), e.critical);
2443 ND_PRINT((ndo," len=%d vid=", ntohs(e.len) - 4));
2444
2445 vid = (const u_char *)(ext+1);
2446 len = ntohs(e.len) - 4;
2447 ND_TCHECK2(*vid, len);
2448 for(i=0; i<len; i++) {
2449 if(ND_ISPRINT(vid[i])) ND_PRINT((ndo, "%c", vid[i]));
2450 else ND_PRINT((ndo, "."));
2451 }
2452 if (2 < ndo->ndo_vflag && 4 < len) {
2453 ND_PRINT((ndo," "));
2454 if (!rawprint(ndo, (caddr_t)(ext + 1), ntohs(e.len) - 4))
2455 goto trunc;
2456 }
2457 return (u_char *)ext + ntohs(e.len);
2458 trunc:
2459 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2460 return NULL;
2461 }
2462
2463 static const u_char *
ikev2_TS_print(netdissect_options * ndo,u_char tpay,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep _U_,uint32_t phase _U_,uint32_t doi _U_,uint32_t proto _U_,int depth _U_)2464 ikev2_TS_print(netdissect_options *ndo, u_char tpay,
2465 const struct isakmp_gen *ext,
2466 u_int item_len _U_, const u_char *ep _U_,
2467 uint32_t phase _U_, uint32_t doi _U_,
2468 uint32_t proto _U_, int depth _U_)
2469 {
2470 return ikev2_gen_print(ndo, tpay, ext);
2471 }
2472
2473 static const u_char *
ikev2_e_print(netdissect_options * ndo,_U_ struct isakmp * base,u_char tpay,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep _U_,_U_ uint32_t phase,_U_ uint32_t doi,_U_ uint32_t proto,_U_ int depth)2474 ikev2_e_print(netdissect_options *ndo,
2475 #ifndef HAVE_LIBCRYPTO
2476 _U_
2477 #endif
2478 struct isakmp *base,
2479 u_char tpay,
2480 const struct isakmp_gen *ext,
2481 u_int item_len _U_, const u_char *ep _U_,
2482 #ifndef HAVE_LIBCRYPTO
2483 _U_
2484 #endif
2485 uint32_t phase,
2486 #ifndef HAVE_LIBCRYPTO
2487 _U_
2488 #endif
2489 uint32_t doi,
2490 #ifndef HAVE_LIBCRYPTO
2491 _U_
2492 #endif
2493 uint32_t proto,
2494 #ifndef HAVE_LIBCRYPTO
2495 _U_
2496 #endif
2497 int depth)
2498 {
2499 struct isakmp_gen e;
2500 u_char *dat;
2501 volatile int dlen;
2502
2503 ND_TCHECK(*ext);
2504 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2505 ikev2_pay_print(ndo, NPSTR(tpay), e.critical);
2506
2507 dlen = ntohs(e.len)-4;
2508
2509 ND_PRINT((ndo," len=%d", dlen));
2510 if (2 < ndo->ndo_vflag && 4 < dlen) {
2511 ND_PRINT((ndo," "));
2512 if (!rawprint(ndo, (caddr_t)(ext + 1), dlen))
2513 goto trunc;
2514 }
2515
2516 dat = (u_char *)(ext+1);
2517 ND_TCHECK2(*dat, dlen);
2518
2519 #ifdef HAVE_LIBCRYPTO
2520 /* try to decypt it! */
2521 if(esp_print_decrypt_buffer_by_ikev2(ndo,
2522 base->flags & ISAKMP_FLAG_I,
2523 base->i_ck, base->r_ck,
2524 dat, dat+dlen)) {
2525
2526 ext = (const struct isakmp_gen *)ndo->ndo_packetp;
2527
2528 /* got it decrypted, print stuff inside. */
2529 ikev2_sub_print(ndo, base, e.np, ext, ndo->ndo_snapend,
2530 phase, doi, proto, depth+1);
2531 }
2532 #endif
2533
2534
2535 /* always return NULL, because E must be at end, and NP refers
2536 * to what was inside.
2537 */
2538 return NULL;
2539 trunc:
2540 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2541 return NULL;
2542 }
2543
2544 static const u_char *
ikev2_cp_print(netdissect_options * ndo,u_char tpay,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep _U_,uint32_t phase _U_,uint32_t doi _U_,uint32_t proto _U_,int depth _U_)2545 ikev2_cp_print(netdissect_options *ndo, u_char tpay,
2546 const struct isakmp_gen *ext,
2547 u_int item_len _U_, const u_char *ep _U_,
2548 uint32_t phase _U_, uint32_t doi _U_,
2549 uint32_t proto _U_, int depth _U_)
2550 {
2551 return ikev2_gen_print(ndo, tpay, ext);
2552 }
2553
2554 static const u_char *
ikev2_eap_print(netdissect_options * ndo,u_char tpay,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep _U_,uint32_t phase _U_,uint32_t doi _U_,uint32_t proto _U_,int depth _U_)2555 ikev2_eap_print(netdissect_options *ndo, u_char tpay,
2556 const struct isakmp_gen *ext,
2557 u_int item_len _U_, const u_char *ep _U_,
2558 uint32_t phase _U_, uint32_t doi _U_,
2559 uint32_t proto _U_, int depth _U_)
2560 {
2561 return ikev2_gen_print(ndo, tpay, ext);
2562 }
2563
2564 static const u_char *
ike_sub0_print(netdissect_options * ndo,u_char np,const struct isakmp_gen * ext,const u_char * ep,uint32_t phase,uint32_t doi,uint32_t proto,int depth)2565 ike_sub0_print(netdissect_options *ndo,
2566 u_char np, const struct isakmp_gen *ext, const u_char *ep,
2567
2568 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
2569 {
2570 const u_char *cp;
2571 struct isakmp_gen e;
2572 u_int item_len;
2573
2574 cp = (u_char *)ext;
2575 ND_TCHECK(*ext);
2576 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2577
2578 /*
2579 * Since we can't have a payload length of less than 4 bytes,
2580 * we need to bail out here if the generic header is nonsensical
2581 * or truncated, otherwise we could loop forever processing
2582 * zero-length items or otherwise misdissect the packet.
2583 */
2584 item_len = ntohs(e.len);
2585 if (item_len <= 4)
2586 return NULL;
2587
2588 if (NPFUNC(np)) {
2589 /*
2590 * XXX - what if item_len is too short, or too long,
2591 * for this payload type?
2592 */
2593 cp = (*npfunc[np])(ndo, np, ext, item_len, ep, phase, doi, proto, depth);
2594 } else {
2595 ND_PRINT((ndo,"%s", NPSTR(np)));
2596 cp += item_len;
2597 }
2598
2599 return cp;
2600 trunc:
2601 ND_PRINT((ndo," [|isakmp]"));
2602 return NULL;
2603 }
2604
2605 static const u_char *
ikev1_sub_print(netdissect_options * ndo,u_char np,const struct isakmp_gen * ext,const u_char * ep,uint32_t phase,uint32_t doi,uint32_t proto,int depth)2606 ikev1_sub_print(netdissect_options *ndo,
2607 u_char np, const struct isakmp_gen *ext, const u_char *ep,
2608 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
2609 {
2610 const u_char *cp;
2611 int i;
2612 struct isakmp_gen e;
2613
2614 cp = (const u_char *)ext;
2615
2616 while (np) {
2617 ND_TCHECK(*ext);
2618
2619 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2620
2621 ND_TCHECK2(*ext, ntohs(e.len));
2622
2623 depth++;
2624 ND_PRINT((ndo,"\n"));
2625 for (i = 0; i < depth; i++)
2626 ND_PRINT((ndo," "));
2627 ND_PRINT((ndo,"("));
2628 cp = ike_sub0_print(ndo, np, ext, ep, phase, doi, proto, depth);
2629 ND_PRINT((ndo,")"));
2630 depth--;
2631
2632 if (cp == NULL) {
2633 /* Zero-length subitem */
2634 return NULL;
2635 }
2636
2637 np = e.np;
2638 ext = (struct isakmp_gen *)cp;
2639 }
2640 return cp;
2641 trunc:
2642 ND_PRINT((ndo," [|%s]", NPSTR(np)));
2643 return NULL;
2644 }
2645
2646 static char *
numstr(int x)2647 numstr(int x)
2648 {
2649 static char buf[20];
2650 snprintf(buf, sizeof(buf), "#%d", x);
2651 return buf;
2652 }
2653
2654 static void
ikev1_print(netdissect_options * ndo,const u_char * bp,u_int length,const u_char * bp2,struct isakmp * base)2655 ikev1_print(netdissect_options *ndo,
2656 const u_char *bp, u_int length,
2657 const u_char *bp2, struct isakmp *base)
2658 {
2659 const struct isakmp *p;
2660 const u_char *ep;
2661 u_char np;
2662 int i;
2663 int phase;
2664
2665 p = (const struct isakmp *)bp;
2666 ep = ndo->ndo_snapend;
2667
2668 phase = (EXTRACT_32BITS(base->msgid) == 0) ? 1 : 2;
2669 if (phase == 1)
2670 ND_PRINT((ndo," phase %d", phase));
2671 else
2672 ND_PRINT((ndo," phase %d/others", phase));
2673
2674 i = cookie_find(&base->i_ck);
2675 if (i < 0) {
2676 if (iszero((u_char *)&base->r_ck, sizeof(base->r_ck))) {
2677 /* the first packet */
2678 ND_PRINT((ndo," I"));
2679 if (bp2)
2680 cookie_record(&base->i_ck, bp2);
2681 } else
2682 ND_PRINT((ndo," ?"));
2683 } else {
2684 if (bp2 && cookie_isinitiator(i, bp2))
2685 ND_PRINT((ndo," I"));
2686 else if (bp2 && cookie_isresponder(i, bp2))
2687 ND_PRINT((ndo," R"));
2688 else
2689 ND_PRINT((ndo," ?"));
2690 }
2691
2692 ND_PRINT((ndo," %s", ETYPESTR(base->etype)));
2693 if (base->flags) {
2694 ND_PRINT((ndo,"[%s%s]", base->flags & ISAKMP_FLAG_E ? "E" : "",
2695 base->flags & ISAKMP_FLAG_C ? "C" : ""));
2696 }
2697
2698 if (ndo->ndo_vflag) {
2699 const struct isakmp_gen *ext;
2700
2701 ND_PRINT((ndo,":"));
2702
2703 /* regardless of phase... */
2704 if (base->flags & ISAKMP_FLAG_E) {
2705 /*
2706 * encrypted, nothing we can do right now.
2707 * we hope to decrypt the packet in the future...
2708 */
2709 ND_PRINT((ndo," [encrypted %s]", NPSTR(base->np)));
2710 goto done;
2711 }
2712
2713 CHECKLEN(p + 1, base->np);
2714 np = base->np;
2715 ext = (struct isakmp_gen *)(p + 1);
2716 ikev1_sub_print(ndo, np, ext, ep, phase, 0, 0, 0);
2717 }
2718
2719 done:
2720 if (ndo->ndo_vflag) {
2721 if (ntohl(base->len) != length) {
2722 ND_PRINT((ndo," (len mismatch: isakmp %u/ip %u)",
2723 (uint32_t)ntohl(base->len), length));
2724 }
2725 }
2726 }
2727
2728 static const u_char *
ikev2_sub0_print(netdissect_options * ndo,struct isakmp * base,u_char np,int pcount,const struct isakmp_gen * ext,const u_char * ep,uint32_t phase,uint32_t doi,uint32_t proto,int depth)2729 ikev2_sub0_print(netdissect_options *ndo, struct isakmp *base,
2730 u_char np, int pcount,
2731 const struct isakmp_gen *ext, const u_char *ep,
2732 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
2733 {
2734 const u_char *cp;
2735 struct isakmp_gen e;
2736 u_int item_len;
2737
2738 cp = (u_char *)ext;
2739 ND_TCHECK(*ext);
2740 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2741
2742 /*
2743 * Since we can't have a payload length of less than 4 bytes,
2744 * we need to bail out here if the generic header is nonsensical
2745 * or truncated, otherwise we could loop forever processing
2746 * zero-length items or otherwise misdissect the packet.
2747 */
2748 item_len = ntohs(e.len);
2749 if (item_len <= 4)
2750 return NULL;
2751
2752 if(np == ISAKMP_NPTYPE_P) {
2753 cp = ikev2_p_print(ndo, np, pcount, ext, item_len,
2754 ep, phase, doi, proto, depth);
2755 } else if(np == ISAKMP_NPTYPE_T) {
2756 cp = ikev2_t_print(ndo, np, pcount, ext, item_len,
2757 ep, phase, doi, proto, depth);
2758 } else if(np == ISAKMP_NPTYPE_v2E) {
2759 cp = ikev2_e_print(ndo, base, np, ext, item_len,
2760 ep, phase, doi, proto, depth);
2761 } else if (NPFUNC(np)) {
2762 /*
2763 * XXX - what if item_len is too short, or too long,
2764 * for this payload type?
2765 */
2766 cp = (*npfunc[np])(ndo, np, /*pcount,*/ ext, item_len,
2767 ep, phase, doi, proto, depth);
2768 } else {
2769 ND_PRINT((ndo,"%s", NPSTR(np)));
2770 cp += item_len;
2771 }
2772
2773 return cp;
2774 trunc:
2775 ND_PRINT((ndo," [|isakmp]"));
2776 return NULL;
2777 }
2778
2779 static const u_char *
ikev2_sub_print(netdissect_options * ndo,struct isakmp * base,u_char np,const struct isakmp_gen * ext,const u_char * ep,uint32_t phase,uint32_t doi,uint32_t proto,int depth)2780 ikev2_sub_print(netdissect_options *ndo,
2781 struct isakmp *base,
2782 u_char np, const struct isakmp_gen *ext, const u_char *ep,
2783 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
2784 {
2785 const u_char *cp;
2786 int i;
2787 int pcount;
2788 struct isakmp_gen e;
2789
2790 cp = (const u_char *)ext;
2791 pcount = 0;
2792 while (np) {
2793 pcount++;
2794 ND_TCHECK(*ext);
2795
2796 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2797
2798 ND_TCHECK2(*ext, ntohs(e.len));
2799
2800 depth++;
2801 ND_PRINT((ndo,"\n"));
2802 for (i = 0; i < depth; i++)
2803 ND_PRINT((ndo," "));
2804 ND_PRINT((ndo,"("));
2805 cp = ikev2_sub0_print(ndo, base, np, pcount,
2806 ext, ep, phase, doi, proto, depth);
2807 ND_PRINT((ndo,")"));
2808 depth--;
2809
2810 if (cp == NULL) {
2811 /* Zero-length subitem */
2812 return NULL;
2813 }
2814
2815 np = e.np;
2816 ext = (struct isakmp_gen *)cp;
2817 }
2818 return cp;
2819 trunc:
2820 ND_PRINT((ndo," [|%s]", NPSTR(np)));
2821 return NULL;
2822 }
2823
2824 static void
ikev2_print(netdissect_options * ndo,const u_char * bp,u_int length,const u_char * bp2 _U_,struct isakmp * base)2825 ikev2_print(netdissect_options *ndo,
2826 const u_char *bp, u_int length,
2827 const u_char *bp2 _U_, struct isakmp *base)
2828 {
2829 const struct isakmp *p;
2830 const u_char *ep;
2831 u_char np;
2832 int phase;
2833
2834 p = (const struct isakmp *)bp;
2835 ep = ndo->ndo_snapend;
2836
2837 phase = (EXTRACT_32BITS(base->msgid) == 0) ? 1 : 2;
2838 if (phase == 1)
2839 ND_PRINT((ndo, " parent_sa"));
2840 else
2841 ND_PRINT((ndo, " child_sa "));
2842
2843 ND_PRINT((ndo, " %s", ETYPESTR(base->etype)));
2844 if (base->flags) {
2845 ND_PRINT((ndo, "[%s%s%s]",
2846 base->flags & ISAKMP_FLAG_I ? "I" : "",
2847 base->flags & ISAKMP_FLAG_V ? "V" : "",
2848 base->flags & ISAKMP_FLAG_R ? "R" : ""));
2849 }
2850
2851 if (ndo->ndo_vflag) {
2852 const struct isakmp_gen *ext;
2853
2854 ND_PRINT((ndo, ":"));
2855
2856 /* regardless of phase... */
2857 if (base->flags & ISAKMP_FLAG_E) {
2858 /*
2859 * encrypted, nothing we can do right now.
2860 * we hope to decrypt the packet in the future...
2861 */
2862 ND_PRINT((ndo, " [encrypted %s]", NPSTR(base->np)));
2863 goto done;
2864 }
2865
2866 CHECKLEN(p + 1, base->np)
2867
2868 np = base->np;
2869 ext = (struct isakmp_gen *)(p + 1);
2870 ikev2_sub_print(ndo, base, np, ext, ep, phase, 0, 0, 0);
2871 }
2872
2873 done:
2874 if (ndo->ndo_vflag) {
2875 if (ntohl(base->len) != length) {
2876 ND_PRINT((ndo, " (len mismatch: isakmp %u/ip %u)",
2877 (uint32_t)ntohl(base->len), length));
2878 }
2879 }
2880 }
2881
2882 void
isakmp_print(netdissect_options * ndo,const u_char * bp,u_int length,const u_char * bp2)2883 isakmp_print(netdissect_options *ndo,
2884 const u_char *bp, u_int length,
2885 const u_char *bp2)
2886 {
2887 const struct isakmp *p;
2888 struct isakmp base;
2889 const u_char *ep;
2890 int major, minor;
2891
2892 #ifdef HAVE_LIBCRYPTO
2893 /* initialize SAs */
2894 if (ndo->ndo_sa_list_head == NULL) {
2895 if (ndo->ndo_espsecret)
2896 esp_print_decodesecret(ndo);
2897 }
2898 #endif
2899
2900 p = (const struct isakmp *)bp;
2901 ep = ndo->ndo_snapend;
2902
2903 if ((struct isakmp *)ep < p + 1) {
2904 ND_PRINT((ndo,"[|isakmp]"));
2905 return;
2906 }
2907
2908 UNALIGNED_MEMCPY(&base, p, sizeof(base));
2909
2910 ND_PRINT((ndo,"isakmp"));
2911 major = (base.vers & ISAKMP_VERS_MAJOR)
2912 >> ISAKMP_VERS_MAJOR_SHIFT;
2913 minor = (base.vers & ISAKMP_VERS_MINOR)
2914 >> ISAKMP_VERS_MINOR_SHIFT;
2915
2916 if (ndo->ndo_vflag) {
2917 ND_PRINT((ndo," %d.%d", major, minor));
2918 }
2919
2920 if (ndo->ndo_vflag) {
2921 ND_PRINT((ndo," msgid "));
2922 hexprint(ndo, (caddr_t)&base.msgid, sizeof(base.msgid));
2923 }
2924
2925 if (1 < ndo->ndo_vflag) {
2926 ND_PRINT((ndo," cookie "));
2927 hexprint(ndo, (caddr_t)&base.i_ck, sizeof(base.i_ck));
2928 ND_PRINT((ndo,"->"));
2929 hexprint(ndo, (caddr_t)&base.r_ck, sizeof(base.r_ck));
2930 }
2931 ND_PRINT((ndo,":"));
2932
2933 switch(major) {
2934 case IKEv1_MAJOR_VERSION:
2935 ikev1_print(ndo, bp, length, bp2, &base);
2936 break;
2937
2938 case IKEv2_MAJOR_VERSION:
2939 ikev2_print(ndo, bp, length, bp2, &base);
2940 break;
2941 }
2942 }
2943
2944 void
isakmp_rfc3948_print(netdissect_options * ndo,const u_char * bp,u_int length,const u_char * bp2)2945 isakmp_rfc3948_print(netdissect_options *ndo,
2946 const u_char *bp, u_int length,
2947 const u_char *bp2)
2948 {
2949
2950 if(length == 1 && bp[0]==0xff) {
2951 ND_PRINT((ndo, "isakmp-nat-keep-alive"));
2952 return;
2953 }
2954
2955 if(length < 4) {
2956 goto trunc;
2957 }
2958
2959 /*
2960 * see if this is an IKE packet
2961 */
2962 if(bp[0]==0 && bp[1]==0 && bp[2]==0 && bp[3]==0) {
2963 ND_PRINT((ndo, "NONESP-encap: "));
2964 isakmp_print(ndo, bp+4, length-4, bp2);
2965 return;
2966 }
2967
2968 /* must be an ESP packet */
2969 {
2970 int nh, enh, padlen;
2971 int advance;
2972
2973 ND_PRINT((ndo, "UDP-encap: "));
2974
2975 advance = esp_print(ndo, bp, length, bp2, &enh, &padlen);
2976 if(advance <= 0)
2977 return;
2978
2979 bp += advance;
2980 length -= advance + padlen;
2981 nh = enh & 0xff;
2982
2983 ip_print_inner(ndo, bp, length, nh, bp2);
2984 return;
2985 }
2986
2987 trunc:
2988 ND_PRINT((ndo,"[|isakmp]"));
2989 return;
2990 }
2991
2992 /*
2993 * Local Variables:
2994 * c-style: whitesmith
2995 * c-basic-offset: 8
2996 * End:
2997 */
2998
2999
3000
3001
3002