1 /* 2 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. Neither the name of the project nor the names of its contributors 14 * may be used to endorse or promote products derived from this software 15 * without specific prior written permission. 16 * 17 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27 * SUCH DAMAGE. 28 * 29 */ 30 31 #include <sys/cdefs.h> 32 #ifndef lint 33 __RCSID("$NetBSD: print-isakmp.c,v 1.13 2024/09/02 16:15:31 christos Exp $"); 34 #endif 35 36 /* \summary: Internet Security Association and Key Management Protocol (ISAKMP) printer */ 37 38 /* specification: RFC 2407, RFC 2408, RFC 5996 */ 39 40 #include <config.h> 41 42 #include "netdissect-stdinc.h" 43 44 #include <string.h> 45 46 #include "netdissect-ctype.h" 47 48 #include "netdissect.h" 49 #include "addrtoname.h" 50 #include "extract.h" 51 52 #include "ip.h" 53 #include "ip6.h" 54 #include "ipproto.h" 55 56 typedef nd_byte cookie_t[8]; 57 typedef nd_byte msgid_t[4]; 58 59 #define PORT_ISAKMP 500 60 61 /* 3.1 ISAKMP Header Format (IKEv1 and IKEv2) 62 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 63 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 64 ! Initiator ! 65 ! Cookie ! 66 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 67 ! Responder ! 68 ! Cookie ! 69 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 70 ! Next Payload ! MjVer ! MnVer ! Exchange Type ! Flags ! 71 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 72 ! Message ID ! 73 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 74 ! Length ! 75 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 76 */ 77 struct isakmp { 78 cookie_t i_ck; /* Initiator Cookie */ 79 cookie_t r_ck; /* Responder Cookie */ 80 nd_uint8_t np; /* Next Payload Type */ 81 nd_uint8_t vers; 82 #define ISAKMP_VERS_MAJOR 0xf0 83 #define ISAKMP_VERS_MAJOR_SHIFT 4 84 #define ISAKMP_VERS_MINOR 0x0f 85 #define ISAKMP_VERS_MINOR_SHIFT 0 86 nd_uint8_t etype; /* Exchange Type */ 87 nd_uint8_t flags; /* Flags */ 88 msgid_t msgid; 89 nd_uint32_t len; /* Length */ 90 }; 91 92 /* Next Payload Type */ 93 #define ISAKMP_NPTYPE_NONE 0 /* NONE*/ 94 #define ISAKMP_NPTYPE_SA 1 /* Security Association */ 95 #define ISAKMP_NPTYPE_P 2 /* Proposal */ 96 #define ISAKMP_NPTYPE_T 3 /* Transform */ 97 #define ISAKMP_NPTYPE_KE 4 /* Key Exchange */ 98 #define ISAKMP_NPTYPE_ID 5 /* Identification */ 99 #define ISAKMP_NPTYPE_CERT 6 /* Certificate */ 100 #define ISAKMP_NPTYPE_CR 7 /* Certificate Request */ 101 #define ISAKMP_NPTYPE_HASH 8 /* Hash */ 102 #define ISAKMP_NPTYPE_SIG 9 /* Signature */ 103 #define ISAKMP_NPTYPE_NONCE 10 /* Nonce */ 104 #define ISAKMP_NPTYPE_N 11 /* Notification */ 105 #define ISAKMP_NPTYPE_D 12 /* Delete */ 106 #define ISAKMP_NPTYPE_VID 13 /* Vendor ID */ 107 #define ISAKMP_NPTYPE_v2E 46 /* v2 Encrypted payload */ 108 109 #define IKEv1_MAJOR_VERSION 1 110 #define IKEv1_MINOR_VERSION 0 111 112 #define IKEv2_MAJOR_VERSION 2 113 #define IKEv2_MINOR_VERSION 0 114 115 /* Flags */ 116 #define ISAKMP_FLAG_E 0x01 /* Encryption Bit */ 117 #define ISAKMP_FLAG_C 0x02 /* Commit Bit */ 118 #define ISAKMP_FLAG_extra 0x04 119 120 /* IKEv2 */ 121 #define ISAKMP_FLAG_I (1 << 3) /* (I)nitiator */ 122 #define ISAKMP_FLAG_V (1 << 4) /* (V)ersion */ 123 #define ISAKMP_FLAG_R (1 << 5) /* (R)esponse */ 124 125 126 /* 3.2 Payload Generic Header 127 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 128 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 129 ! Next Payload ! RESERVED ! Payload Length ! 130 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 131 */ 132 struct isakmp_gen { 133 nd_uint8_t np; /* Next Payload */ 134 nd_uint8_t critical; /* bit 7 - critical, rest is RESERVED */ 135 nd_uint16_t len; /* Payload Length */ 136 }; 137 138 /* 3.3 Data Attributes 139 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 140 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 141 !A! Attribute Type ! AF=0 Attribute Length ! 142 !F! ! AF=1 Attribute Value ! 143 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 144 . AF=0 Attribute Value . 145 . AF=1 Not Transmitted . 146 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 147 */ 148 struct isakmp_data { 149 nd_uint16_t type; /* defined by DOI-spec, and Attribute Format */ 150 nd_uint16_t lorv; /* if f equal 1, Attribute Length */ 151 /* if f equal 0, Attribute Value */ 152 /* if f equal 1, Attribute Value */ 153 }; 154 155 /* 3.4 Security Association Payload */ 156 /* MAY NOT be used, because of being defined in ipsec-doi. */ 157 /* 158 If the current payload is the last in the message, 159 then the value of the next payload field will be 0. 160 This field MUST NOT contain the 161 values for the Proposal or Transform payloads as they are considered 162 part of the security association negotiation. For example, this 163 field would contain the value "10" (Nonce payload) in the first 164 message of a Base Exchange (see Section 4.4) and the value "0" in the 165 first message of an Identity Protect Exchange (see Section 4.5). 166 */ 167 struct ikev1_pl_sa { 168 struct isakmp_gen h; 169 nd_uint32_t doi; /* Domain of Interpretation */ 170 nd_uint32_t sit; /* Situation */ 171 }; 172 173 /* 3.5 Proposal Payload */ 174 /* 175 The value of the next payload field MUST only contain the value "2" 176 or "0". If there are additional Proposal payloads in the message, 177 then this field will be 2. If the current Proposal payload is the 178 last within the security association proposal, then this field will 179 be 0. 180 */ 181 struct ikev1_pl_p { 182 struct isakmp_gen h; 183 nd_uint8_t p_no; /* Proposal # */ 184 nd_uint8_t prot_id; /* Protocol */ 185 nd_uint8_t spi_size; /* SPI Size */ 186 nd_uint8_t num_t; /* Number of Transforms */ 187 /* SPI */ 188 }; 189 190 /* 3.6 Transform Payload */ 191 /* 192 The value of the next payload field MUST only contain the value "3" 193 or "0". If there are additional Transform payloads in the proposal, 194 then this field will be 3. If the current Transform payload is the 195 last within the proposal, then this field will be 0. 196 */ 197 struct ikev1_pl_t { 198 struct isakmp_gen h; 199 nd_uint8_t t_no; /* Transform # */ 200 nd_uint8_t t_id; /* Transform-Id */ 201 nd_byte reserved[2]; /* RESERVED2 */ 202 /* SA Attributes */ 203 }; 204 205 /* 3.7 Key Exchange Payload */ 206 struct ikev1_pl_ke { 207 struct isakmp_gen h; 208 /* Key Exchange Data */ 209 }; 210 211 /* 3.8 Identification Payload */ 212 /* MUST NOT to be used, because of being defined in ipsec-doi. */ 213 struct ikev1_pl_id { 214 struct isakmp_gen h; 215 union { 216 nd_uint8_t id_type; /* ID Type */ 217 nd_uint32_t doi_data; /* DOI Specific ID Data */ 218 } d; 219 /* Identification Data */ 220 }; 221 222 /* 3.9 Certificate Payload */ 223 struct ikev1_pl_cert { 224 struct isakmp_gen h; 225 nd_uint8_t encode; /* Cert Encoding */ 226 nd_uint8_t cert; /* Certificate Data */ 227 /* 228 This field indicates the type of 229 certificate or certificate-related information contained in the 230 Certificate Data field. 231 */ 232 }; 233 234 /* 3.10 Certificate Request Payload */ 235 struct ikev1_pl_cr { 236 struct isakmp_gen h; 237 nd_uint8_t num_cert; /* # Cert. Types */ 238 /* 239 Certificate Types (variable length) 240 -- Contains a list of the types of certificates requested, 241 sorted in order of preference. Each individual certificate 242 type is 1 octet. This field is NOT requiredo 243 */ 244 /* # Certificate Authorities (1 octet) */ 245 /* Certificate Authorities (variable length) */ 246 }; 247 248 /* 3.11 Hash Payload */ 249 /* may not be used, because of having only data. */ 250 struct ikev1_pl_hash { 251 struct isakmp_gen h; 252 /* Hash Data */ 253 }; 254 255 /* 3.12 Signature Payload */ 256 /* may not be used, because of having only data. */ 257 struct ikev1_pl_sig { 258 struct isakmp_gen h; 259 /* Signature Data */ 260 }; 261 262 /* 3.13 Nonce Payload */ 263 /* may not be used, because of having only data. */ 264 struct ikev1_pl_nonce { 265 struct isakmp_gen h; 266 /* Nonce Data */ 267 }; 268 269 /* 3.14 Notification Payload */ 270 struct ikev1_pl_n { 271 struct isakmp_gen h; 272 nd_uint32_t doi; /* Domain of Interpretation */ 273 nd_uint8_t prot_id; /* Protocol-ID */ 274 nd_uint8_t spi_size; /* SPI Size */ 275 nd_uint16_t type; /* Notify Message Type */ 276 /* SPI */ 277 /* Notification Data */ 278 }; 279 280 /* 3.14.1 Notify Message Types */ 281 /* NOTIFY MESSAGES - ERROR TYPES */ 282 #define ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE 1 283 #define ISAKMP_NTYPE_DOI_NOT_SUPPORTED 2 284 #define ISAKMP_NTYPE_SITUATION_NOT_SUPPORTED 3 285 #define ISAKMP_NTYPE_INVALID_COOKIE 4 286 #define ISAKMP_NTYPE_INVALID_MAJOR_VERSION 5 287 #define ISAKMP_NTYPE_INVALID_MINOR_VERSION 6 288 #define ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE 7 289 #define ISAKMP_NTYPE_INVALID_FLAGS 8 290 #define ISAKMP_NTYPE_INVALID_MESSAGE_ID 9 291 #define ISAKMP_NTYPE_INVALID_PROTOCOL_ID 10 292 #define ISAKMP_NTYPE_INVALID_SPI 11 293 #define ISAKMP_NTYPE_INVALID_TRANSFORM_ID 12 294 #define ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED 13 295 #define ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN 14 296 #define ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX 15 297 #define ISAKMP_NTYPE_PAYLOAD_MALFORMED 16 298 #define ISAKMP_NTYPE_INVALID_KEY_INFORMATION 17 299 #define ISAKMP_NTYPE_INVALID_ID_INFORMATION 18 300 #define ISAKMP_NTYPE_INVALID_CERT_ENCODING 19 301 #define ISAKMP_NTYPE_INVALID_CERTIFICATE 20 302 #define ISAKMP_NTYPE_BAD_CERT_REQUEST_SYNTAX 21 303 #define ISAKMP_NTYPE_INVALID_CERT_AUTHORITY 22 304 #define ISAKMP_NTYPE_INVALID_HASH_INFORMATION 23 305 #define ISAKMP_NTYPE_AUTHENTICATION_FAILED 24 306 #define ISAKMP_NTYPE_INVALID_SIGNATURE 25 307 #define ISAKMP_NTYPE_ADDRESS_NOTIFICATION 26 308 309 /* 3.15 Delete Payload */ 310 struct ikev1_pl_d { 311 struct isakmp_gen h; 312 nd_uint32_t doi; /* Domain of Interpretation */ 313 nd_uint8_t prot_id; /* Protocol-Id */ 314 nd_uint8_t spi_size; /* SPI Size */ 315 nd_uint16_t num_spi; /* # of SPIs */ 316 /* SPI(es) */ 317 }; 318 319 /* IKEv2 (RFC4306) */ 320 321 /* 3.3 Security Association Payload -- generic header */ 322 /* 3.3.1. Proposal Substructure */ 323 struct ikev2_p { 324 struct isakmp_gen h; 325 nd_uint8_t p_no; /* Proposal # */ 326 nd_uint8_t prot_id; /* Protocol */ 327 nd_uint8_t spi_size; /* SPI Size */ 328 nd_uint8_t num_t; /* Number of Transforms */ 329 }; 330 331 /* 3.3.2. Transform Substructure */ 332 struct ikev2_t { 333 struct isakmp_gen h; 334 nd_uint8_t t_type; /* Transform Type (ENCR,PRF,INTEG,etc.*/ 335 nd_byte res2; /* reserved byte */ 336 nd_uint16_t t_id; /* Transform ID */ 337 }; 338 339 enum ikev2_t_type { 340 IV2_T_ENCR = 1, 341 IV2_T_PRF = 2, 342 IV2_T_INTEG= 3, 343 IV2_T_DH = 4, 344 IV2_T_ESN = 5 345 }; 346 347 /* 3.4. Key Exchange Payload */ 348 struct ikev2_ke { 349 struct isakmp_gen h; 350 nd_uint16_t ke_group; 351 nd_uint16_t ke_res1; 352 /* KE data */ 353 }; 354 355 356 /* 3.5. Identification Payloads */ 357 enum ikev2_id_type { 358 ID_IPV4_ADDR=1, 359 ID_FQDN=2, 360 ID_RFC822_ADDR=3, 361 ID_IPV6_ADDR=5, 362 ID_DER_ASN1_DN=9, 363 ID_DER_ASN1_GN=10, 364 ID_KEY_ID=11 365 }; 366 struct ikev2_id { 367 struct isakmp_gen h; 368 nd_uint8_t type; /* ID type */ 369 nd_byte res1; 370 nd_byte res2[2]; 371 /* SPI */ 372 /* Notification Data */ 373 }; 374 375 /* 3.10 Notification Payload */ 376 struct ikev2_n { 377 struct isakmp_gen h; 378 nd_uint8_t prot_id; /* Protocol-ID */ 379 nd_uint8_t spi_size; /* SPI Size */ 380 nd_uint16_t type; /* Notify Message Type */ 381 }; 382 383 enum ikev2_n_type { 384 IV2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD = 1, 385 IV2_NOTIFY_INVALID_IKE_SPI = 4, 386 IV2_NOTIFY_INVALID_MAJOR_VERSION = 5, 387 IV2_NOTIFY_INVALID_SYNTAX = 7, 388 IV2_NOTIFY_INVALID_MESSAGE_ID = 9, 389 IV2_NOTIFY_INVALID_SPI =11, 390 IV2_NOTIFY_NO_PROPOSAL_CHOSEN =14, 391 IV2_NOTIFY_INVALID_KE_PAYLOAD =17, 392 IV2_NOTIFY_AUTHENTICATION_FAILED =24, 393 IV2_NOTIFY_SINGLE_PAIR_REQUIRED =34, 394 IV2_NOTIFY_NO_ADDITIONAL_SAS =35, 395 IV2_NOTIFY_INTERNAL_ADDRESS_FAILURE =36, 396 IV2_NOTIFY_FAILED_CP_REQUIRED =37, 397 IV2_NOTIFY_INVALID_SELECTORS =39, 398 IV2_NOTIFY_INITIAL_CONTACT =16384, 399 IV2_NOTIFY_SET_WINDOW_SIZE =16385, 400 IV2_NOTIFY_ADDITIONAL_TS_POSSIBLE =16386, 401 IV2_NOTIFY_IPCOMP_SUPPORTED =16387, 402 IV2_NOTIFY_NAT_DETECTION_SOURCE_IP =16388, 403 IV2_NOTIFY_NAT_DETECTION_DESTINATION_IP =16389, 404 IV2_NOTIFY_COOKIE =16390, 405 IV2_NOTIFY_USE_TRANSPORT_MODE =16391, 406 IV2_NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED =16392, 407 IV2_NOTIFY_REKEY_SA =16393, 408 IV2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED =16394, 409 IV2_NOTIFY_NON_FIRST_FRAGMENTS_ALSO =16395 410 }; 411 412 struct notify_messages { 413 uint16_t type; 414 char *msg; 415 }; 416 417 /* 3.8 Authentication Payload */ 418 struct ikev2_auth { 419 struct isakmp_gen h; 420 nd_uint8_t auth_method; /* Protocol-ID */ 421 nd_byte reserved[3]; 422 /* authentication data */ 423 }; 424 425 enum ikev2_auth_type { 426 IV2_RSA_SIG = 1, 427 IV2_SHARED = 2, 428 IV2_DSS_SIG = 3 429 }; 430 431 /* refer to RFC 2409 */ 432 433 #if 0 434 /* isakmp sa structure */ 435 struct oakley_sa { 436 uint8_t proto_id; /* OAKLEY */ 437 vchar_t *spi; /* spi */ 438 uint8_t dhgrp; /* DH; group */ 439 uint8_t auth_t; /* method of authentication */ 440 uint8_t prf_t; /* type of prf */ 441 uint8_t hash_t; /* type of hash */ 442 uint8_t enc_t; /* type of cipher */ 443 uint8_t life_t; /* type of duration of lifetime */ 444 uint32_t ldur; /* life duration */ 445 }; 446 #endif 447 448 /* refer to RFC 2407 */ 449 450 #define IPSEC_DOI 1 451 452 /* 4.2 IPSEC Situation Definition */ 453 #define IPSECDOI_SIT_IDENTITY_ONLY 0x00000001 454 #define IPSECDOI_SIT_SECRECY 0x00000002 455 #define IPSECDOI_SIT_INTEGRITY 0x00000004 456 457 /* 4.4.1 IPSEC Security Protocol Identifiers */ 458 /* 4.4.2 IPSEC ISAKMP Transform Values */ 459 #define IPSECDOI_PROTO_ISAKMP 1 460 #define IPSECDOI_KEY_IKE 1 461 462 /* 4.4.1 IPSEC Security Protocol Identifiers */ 463 #define IPSECDOI_PROTO_IPSEC_AH 2 464 /* 4.4.3 IPSEC AH Transform Values */ 465 #define IPSECDOI_AH_MD5 2 466 #define IPSECDOI_AH_SHA 3 467 #define IPSECDOI_AH_DES 4 468 #define IPSECDOI_AH_SHA2_256 5 469 #define IPSECDOI_AH_SHA2_384 6 470 #define IPSECDOI_AH_SHA2_512 7 471 472 /* 4.4.1 IPSEC Security Protocol Identifiers */ 473 #define IPSECDOI_PROTO_IPSEC_ESP 3 474 /* 4.4.4 IPSEC ESP Transform Identifiers */ 475 #define IPSECDOI_ESP_DES_IV64 1 476 #define IPSECDOI_ESP_DES 2 477 #define IPSECDOI_ESP_3DES 3 478 #define IPSECDOI_ESP_RC5 4 479 #define IPSECDOI_ESP_IDEA 5 480 #define IPSECDOI_ESP_CAST 6 481 #define IPSECDOI_ESP_BLOWFISH 7 482 #define IPSECDOI_ESP_3IDEA 8 483 #define IPSECDOI_ESP_DES_IV32 9 484 #define IPSECDOI_ESP_RC4 10 485 #define IPSECDOI_ESP_NULL 11 486 #define IPSECDOI_ESP_RIJNDAEL 12 487 #define IPSECDOI_ESP_AES 12 488 489 /* 4.4.1 IPSEC Security Protocol Identifiers */ 490 #define IPSECDOI_PROTO_IPCOMP 4 491 /* 4.4.5 IPSEC IPCOMP Transform Identifiers */ 492 #define IPSECDOI_IPCOMP_OUI 1 493 #define IPSECDOI_IPCOMP_DEFLATE 2 494 #define IPSECDOI_IPCOMP_LZS 3 495 496 /* 4.5 IPSEC Security Association Attributes */ 497 #define IPSECDOI_ATTR_SA_LTYPE 1 /* B */ 498 #define IPSECDOI_ATTR_SA_LTYPE_DEFAULT 1 499 #define IPSECDOI_ATTR_SA_LTYPE_SEC 1 500 #define IPSECDOI_ATTR_SA_LTYPE_KB 2 501 #define IPSECDOI_ATTR_SA_LDUR 2 /* V */ 502 #define IPSECDOI_ATTR_SA_LDUR_DEFAULT 28800 /* 8 hours */ 503 #define IPSECDOI_ATTR_GRP_DESC 3 /* B */ 504 #define IPSECDOI_ATTR_ENC_MODE 4 /* B */ 505 /* default value: host dependent */ 506 #define IPSECDOI_ATTR_ENC_MODE_TUNNEL 1 507 #define IPSECDOI_ATTR_ENC_MODE_TRNS 2 508 #define IPSECDOI_ATTR_AUTH 5 /* B */ 509 /* 0 means not to use authentication. */ 510 #define IPSECDOI_ATTR_AUTH_HMAC_MD5 1 511 #define IPSECDOI_ATTR_AUTH_HMAC_SHA1 2 512 #define IPSECDOI_ATTR_AUTH_DES_MAC 3 513 #define IPSECDOI_ATTR_AUTH_KPDK 4 /*RFC-1826(Key/Pad/Data/Key)*/ 514 /* 515 * When negotiating ESP without authentication, the Auth 516 * Algorithm attribute MUST NOT be included in the proposal. 517 * When negotiating ESP without confidentiality, the Auth 518 * Algorithm attribute MUST be included in the proposal and 519 * the ESP transform ID must be ESP_NULL. 520 */ 521 #define IPSECDOI_ATTR_KEY_LENGTH 6 /* B */ 522 #define IPSECDOI_ATTR_KEY_ROUNDS 7 /* B */ 523 #define IPSECDOI_ATTR_COMP_DICT_SIZE 8 /* B */ 524 #define IPSECDOI_ATTR_COMP_PRIVALG 9 /* V */ 525 526 /* 4.6.1 Security Association Payload */ 527 struct ipsecdoi_sa { 528 struct isakmp_gen h; 529 nd_uint32_t doi; /* Domain of Interpretation */ 530 nd_uint32_t sit; /* Situation */ 531 }; 532 533 struct ipsecdoi_secrecy_h { 534 nd_uint16_t len; 535 nd_uint16_t reserved; 536 }; 537 538 /* 4.6.2.1 Identification Type Values */ 539 struct ipsecdoi_id { 540 struct isakmp_gen h; 541 nd_uint8_t type; /* ID Type */ 542 nd_uint8_t proto_id; /* Protocol ID */ 543 nd_uint16_t port; /* Port */ 544 /* Identification Data */ 545 }; 546 547 #define IPSECDOI_ID_IPV4_ADDR 1 548 #define IPSECDOI_ID_FQDN 2 549 #define IPSECDOI_ID_USER_FQDN 3 550 #define IPSECDOI_ID_IPV4_ADDR_SUBNET 4 551 #define IPSECDOI_ID_IPV6_ADDR 5 552 #define IPSECDOI_ID_IPV6_ADDR_SUBNET 6 553 #define IPSECDOI_ID_IPV4_ADDR_RANGE 7 554 #define IPSECDOI_ID_IPV6_ADDR_RANGE 8 555 #define IPSECDOI_ID_DER_ASN1_DN 9 556 #define IPSECDOI_ID_DER_ASN1_GN 10 557 #define IPSECDOI_ID_KEY_ID 11 558 559 /* 4.6.3 IPSEC DOI Notify Message Types */ 560 /* Notify Messages - Status Types */ 561 #define IPSECDOI_NTYPE_RESPONDER_LIFETIME 24576 562 #define IPSECDOI_NTYPE_REPLAY_STATUS 24577 563 #define IPSECDOI_NTYPE_INITIAL_CONTACT 24578 564 565 #define DECLARE_PRINTER(func) static const u_char *ike##func##_print( \ 566 netdissect_options *ndo, u_char tpay, \ 567 const struct isakmp_gen *ext, \ 568 u_int item_len, \ 569 const u_char *end_pointer, \ 570 uint32_t phase,\ 571 uint32_t doi0, \ 572 uint32_t proto0, int depth) 573 574 DECLARE_PRINTER(v1_sa); 575 DECLARE_PRINTER(v1_p); 576 DECLARE_PRINTER(v1_t); 577 DECLARE_PRINTER(v1_ke); 578 DECLARE_PRINTER(v1_id); 579 DECLARE_PRINTER(v1_cert); 580 DECLARE_PRINTER(v1_cr); 581 DECLARE_PRINTER(v1_sig); 582 DECLARE_PRINTER(v1_hash); 583 DECLARE_PRINTER(v1_nonce); 584 DECLARE_PRINTER(v1_n); 585 DECLARE_PRINTER(v1_d); 586 DECLARE_PRINTER(v1_vid); 587 588 DECLARE_PRINTER(v2_sa); 589 DECLARE_PRINTER(v2_ke); 590 DECLARE_PRINTER(v2_ID); 591 DECLARE_PRINTER(v2_cert); 592 DECLARE_PRINTER(v2_cr); 593 DECLARE_PRINTER(v2_auth); 594 DECLARE_PRINTER(v2_nonce); 595 DECLARE_PRINTER(v2_n); 596 DECLARE_PRINTER(v2_d); 597 DECLARE_PRINTER(v2_vid); 598 DECLARE_PRINTER(v2_TS); 599 DECLARE_PRINTER(v2_cp); 600 DECLARE_PRINTER(v2_eap); 601 602 static const u_char *ikev2_e_print(netdissect_options *ndo, 603 const struct isakmp *base, 604 u_char tpay, 605 const struct isakmp_gen *ext, 606 u_int item_len, 607 const u_char *end_pointer, 608 uint32_t phase, 609 uint32_t doi0, 610 uint32_t proto0, int depth); 611 612 613 static const u_char *ike_sub0_print(netdissect_options *ndo,u_char, const struct isakmp_gen *, 614 const u_char *, uint32_t, uint32_t, uint32_t, int); 615 static const u_char *ikev1_sub_print(netdissect_options *ndo,u_char, const struct isakmp_gen *, 616 const u_char *, uint32_t, uint32_t, uint32_t, int); 617 618 static const u_char *ikev2_sub_print(netdissect_options *ndo, 619 const struct isakmp *base, 620 u_char np, const struct isakmp_gen *ext, 621 const u_char *ep, uint32_t phase, 622 uint32_t doi, uint32_t proto, 623 int depth); 624 625 626 static char *numstr(u_int); 627 628 static void 629 ikev1_print(netdissect_options *ndo, 630 const u_char *bp, u_int length, 631 const u_char *bp2, const struct isakmp *base); 632 633 #define MAXINITIATORS 20 634 static int ninitiator = 0; 635 union inaddr_u { 636 nd_ipv4 in4; 637 nd_ipv6 in6; 638 }; 639 static struct { 640 cookie_t initiator; 641 u_int version; 642 union inaddr_u iaddr; 643 union inaddr_u raddr; 644 } cookiecache[MAXINITIATORS]; 645 646 /* protocol id */ 647 static const char *protoidstr[] = { 648 NULL, "isakmp", "ipsec-ah", "ipsec-esp", "ipcomp", 649 }; 650 651 /* isakmp->np */ 652 static const char *npstr[] = { 653 "none", "sa", "p", "t", "ke", "id", "cert", "cr", "hash", /* 0 - 8 */ 654 "sig", "nonce", "n", "d", "vid", /* 9 - 13 */ 655 "pay14", "pay15", "pay16", "pay17", "pay18", /* 14- 18 */ 656 "pay19", "pay20", "pay21", "pay22", "pay23", /* 19- 23 */ 657 "pay24", "pay25", "pay26", "pay27", "pay28", /* 24- 28 */ 658 "pay29", "pay30", "pay31", "pay32", /* 29- 32 */ 659 "v2sa", "v2ke", "v2IDi", "v2IDr", "v2cert",/* 33- 37 */ 660 "v2cr", "v2auth","v2nonce", "v2n", "v2d", /* 38- 42 */ 661 "v2vid", "v2TSi", "v2TSr", "v2e", "v2cp", /* 43- 47 */ 662 "v2eap", /* 48 */ 663 664 }; 665 666 /* isakmp->np */ 667 static const u_char *(*npfunc[])(netdissect_options *ndo, u_char tpay, 668 const struct isakmp_gen *ext, 669 u_int item_len, 670 const u_char *end_pointer, 671 uint32_t phase, 672 uint32_t doi0, 673 uint32_t proto0, int depth) = { 674 NULL, 675 ikev1_sa_print, 676 ikev1_p_print, 677 ikev1_t_print, 678 ikev1_ke_print, 679 ikev1_id_print, 680 ikev1_cert_print, 681 ikev1_cr_print, 682 ikev1_hash_print, 683 ikev1_sig_print, 684 ikev1_nonce_print, 685 ikev1_n_print, 686 ikev1_d_print, 687 ikev1_vid_print, /* 13 */ 688 NULL, NULL, NULL, NULL, NULL, /* 14- 18 */ 689 NULL, NULL, NULL, NULL, NULL, /* 19- 23 */ 690 NULL, NULL, NULL, NULL, NULL, /* 24- 28 */ 691 NULL, NULL, NULL, NULL, /* 29- 32 */ 692 ikev2_sa_print, /* 33 */ 693 ikev2_ke_print, /* 34 */ 694 ikev2_ID_print, /* 35 */ 695 ikev2_ID_print, /* 36 */ 696 ikev2_cert_print, /* 37 */ 697 ikev2_cr_print, /* 38 */ 698 ikev2_auth_print, /* 39 */ 699 ikev2_nonce_print, /* 40 */ 700 ikev2_n_print, /* 41 */ 701 ikev2_d_print, /* 42 */ 702 ikev2_vid_print, /* 43 */ 703 ikev2_TS_print, /* 44 */ 704 ikev2_TS_print, /* 45 */ 705 NULL, /* ikev2_e_print,*/ /* 46 - special */ 706 ikev2_cp_print, /* 47 */ 707 ikev2_eap_print, /* 48 */ 708 }; 709 710 /* isakmp->etype */ 711 static const char *etypestr[] = { 712 /* IKEv1 exchange types */ 713 "none", "base", "ident", "auth", "agg", "inf", NULL, NULL, /* 0-7 */ 714 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 8-15 */ 715 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 16-23 */ 716 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 24-31 */ 717 "oakley-quick", "oakley-newgroup", /* 32-33 */ 718 /* IKEv2 exchange types */ 719 "ikev2_init", "ikev2_auth", "child_sa", "inf2" /* 34-37 */ 720 }; 721 722 #define STR_OR_ID(x, tab) \ 723 (((x) < sizeof(tab)/sizeof(tab[0]) && tab[(x)]) ? tab[(x)] : numstr(x)) 724 #define PROTOIDSTR(x) STR_OR_ID(x, protoidstr) 725 #define NPSTR(x) STR_OR_ID(x, npstr) 726 #define ETYPESTR(x) STR_OR_ID(x, etypestr) 727 728 #define CHECKLEN(p, np) \ 729 if (ep < (const u_char *)(p)) { \ 730 ND_PRINT(" [|%s]", NPSTR(np)); \ 731 goto done; \ 732 } 733 734 735 #define NPFUNC(x) \ 736 (((x) < sizeof(npfunc)/sizeof(npfunc[0]) && npfunc[(x)]) \ 737 ? npfunc[(x)] : NULL) 738 739 static int 740 iszero(netdissect_options *ndo, const u_char *p, size_t l) 741 { 742 while (l != 0) { 743 if (GET_U_1(p)) 744 return 0; 745 p++; 746 l--; 747 } 748 return 1; 749 } 750 751 /* find cookie from initiator cache */ 752 static int 753 cookie_find(const cookie_t *in) 754 { 755 int i; 756 757 for (i = 0; i < MAXINITIATORS; i++) { 758 if (memcmp(in, &cookiecache[i].initiator, sizeof(*in)) == 0) 759 return i; 760 } 761 762 return -1; 763 } 764 765 /* record initiator */ 766 static void 767 cookie_record(netdissect_options *ndo, const cookie_t *in, const u_char *bp2) 768 { 769 int i; 770 const struct ip *ip; 771 const struct ip6_hdr *ip6; 772 773 i = cookie_find(in); 774 if (0 <= i) { 775 ninitiator = (i + 1) % MAXINITIATORS; 776 return; 777 } 778 779 ip = (const struct ip *)bp2; 780 switch (IP_V(ip)) { 781 case 4: 782 cookiecache[ninitiator].version = 4; 783 UNALIGNED_MEMCPY(&cookiecache[ninitiator].iaddr.in4, 784 ip->ip_src, sizeof(nd_ipv4)); 785 UNALIGNED_MEMCPY(&cookiecache[ninitiator].raddr.in4, 786 ip->ip_dst, sizeof(nd_ipv4)); 787 break; 788 case 6: 789 ip6 = (const struct ip6_hdr *)bp2; 790 cookiecache[ninitiator].version = 6; 791 UNALIGNED_MEMCPY(&cookiecache[ninitiator].iaddr.in6, 792 ip6->ip6_src, sizeof(nd_ipv6)); 793 UNALIGNED_MEMCPY(&cookiecache[ninitiator].raddr.in6, 794 ip6->ip6_dst, sizeof(nd_ipv6)); 795 break; 796 default: 797 return; 798 } 799 UNALIGNED_MEMCPY(&cookiecache[ninitiator].initiator, in, sizeof(*in)); 800 ninitiator = (ninitiator + 1) % MAXINITIATORS; 801 } 802 803 #define cookie_isinitiator(ndo, x, y) cookie_sidecheck(ndo, (x), (y), 1) 804 #define cookie_isresponder(ndo, x, y) cookie_sidecheck(ndo, (x), (y), 0) 805 static int 806 cookie_sidecheck(netdissect_options *ndo, int i, const u_char *bp2, int initiator) 807 { 808 const struct ip *ip; 809 const struct ip6_hdr *ip6; 810 811 ip = (const struct ip *)bp2; 812 switch (IP_V(ip)) { 813 case 4: 814 if (cookiecache[i].version != 4) 815 return 0; 816 if (initiator) { 817 if (UNALIGNED_MEMCMP(ip->ip_src, &cookiecache[i].iaddr.in4, sizeof(nd_ipv4)) == 0) 818 return 1; 819 } else { 820 if (UNALIGNED_MEMCMP(ip->ip_src, &cookiecache[i].raddr.in4, sizeof(nd_ipv4)) == 0) 821 return 1; 822 } 823 break; 824 case 6: 825 if (cookiecache[i].version != 6) 826 return 0; 827 ip6 = (const struct ip6_hdr *)bp2; 828 if (initiator) { 829 if (UNALIGNED_MEMCMP(ip6->ip6_src, &cookiecache[i].iaddr.in6, sizeof(nd_ipv6)) == 0) 830 return 1; 831 } else { 832 if (UNALIGNED_MEMCMP(ip6->ip6_src, &cookiecache[i].raddr.in6, sizeof(nd_ipv6)) == 0) 833 return 1; 834 } 835 break; 836 default: 837 break; 838 } 839 840 return 0; 841 } 842 843 static void 844 hexprint(netdissect_options *ndo, const uint8_t *loc, size_t len) 845 { 846 const uint8_t *p; 847 size_t i; 848 849 p = loc; 850 for (i = 0; i < len; i++) 851 ND_PRINT("%02x", p[i] & 0xff); 852 } 853 854 static int 855 rawprint(netdissect_options *ndo, const uint8_t *loc, size_t len) 856 { 857 ND_TCHECK_LEN(loc, len); 858 859 hexprint(ndo, loc, len); 860 return 1; 861 trunc: 862 return 0; 863 } 864 865 866 /* 867 * returns false if we run out of data buffer 868 */ 869 static int ike_show_somedata(netdissect_options *ndo, 870 const u_char *cp, const u_char *ep) 871 { 872 /* there is too much data, just show some of it */ 873 const u_char *end = ep - 20; 874 size_t elen = 20; 875 size_t len = ep - cp; 876 if(len > 10) { 877 len = 10; 878 } 879 880 /* really shouldn't happen because of above */ 881 if(end < cp + len) { 882 end = cp+len; 883 elen = ep - end; 884 } 885 886 ND_PRINT(" data=("); 887 if(!rawprint(ndo, (const uint8_t *)(cp), len)) goto trunc; 888 ND_PRINT("..."); 889 if(elen) { 890 if(!rawprint(ndo, (const uint8_t *)(end), elen)) goto trunc; 891 } 892 ND_PRINT(")"); 893 return 1; 894 895 trunc: 896 return 0; 897 } 898 899 struct attrmap { 900 const char *type; 901 u_int nvalue; 902 const char *value[30]; /*XXX*/ 903 }; 904 905 static const u_char * 906 ikev1_attrmap_print(netdissect_options *ndo, 907 const u_char *p, const u_char *ep2, 908 const struct attrmap *map, size_t nmap) 909 { 910 u_int totlen; 911 uint32_t t, v; 912 913 if (GET_U_1(p) & 0x80) 914 totlen = 4; 915 else { 916 totlen = 4 + GET_BE_U_2(p + 2); 917 } 918 if (ep2 < p + totlen) { 919 ND_PRINT("[|attr]"); 920 return ep2 + 1; 921 } 922 923 ND_PRINT("("); 924 t = GET_BE_U_2(p) & 0x7fff; 925 if (map && t < nmap && map[t].type) 926 ND_PRINT("type=%s ", map[t].type); 927 else 928 ND_PRINT("type=#%u ", t); 929 if (GET_U_1(p) & 0x80) { 930 ND_PRINT("value="); 931 v = GET_BE_U_2(p + 2); 932 if (map && t < nmap && v < map[t].nvalue && map[t].value[v]) 933 ND_PRINT("%s", map[t].value[v]); 934 else { 935 if (!rawprint(ndo, (const uint8_t *)(p + 2), 2)) { 936 ND_PRINT(")"); 937 goto trunc; 938 } 939 } 940 } else { 941 ND_PRINT("len=%u value=", totlen - 4); 942 if (!rawprint(ndo, (const uint8_t *)(p + 4), totlen - 4)) { 943 ND_PRINT(")"); 944 goto trunc; 945 } 946 } 947 ND_PRINT(")"); 948 return p + totlen; 949 950 trunc: 951 return NULL; 952 } 953 954 static const u_char * 955 ikev1_attr_print(netdissect_options *ndo, const u_char *p, const u_char *ep2) 956 { 957 u_int totlen; 958 uint32_t t; 959 960 if (GET_U_1(p) & 0x80) 961 totlen = 4; 962 else { 963 totlen = 4 + GET_BE_U_2(p + 2); 964 } 965 if (ep2 < p + totlen) { 966 ND_PRINT("[|attr]"); 967 return ep2 + 1; 968 } 969 970 ND_PRINT("("); 971 t = GET_BE_U_2(p) & 0x7fff; 972 ND_PRINT("type=#%u ", t); 973 if (GET_U_1(p) & 0x80) { 974 ND_PRINT("value="); 975 t = GET_U_1(p + 2); 976 if (!rawprint(ndo, (const uint8_t *)(p + 2), 2)) { 977 ND_PRINT(")"); 978 goto trunc; 979 } 980 } else { 981 ND_PRINT("len=%u value=", totlen - 4); 982 if (!rawprint(ndo, (const uint8_t *)(p + 4), totlen - 4)) { 983 ND_PRINT(")"); 984 goto trunc; 985 } 986 } 987 ND_PRINT(")"); 988 return p + totlen; 989 990 trunc: 991 return NULL; 992 } 993 994 static const u_char * 995 ikev1_sa_print(netdissect_options *ndo, u_char tpay _U_, 996 const struct isakmp_gen *ext, 997 u_int item_len _U_, 998 const u_char *ep, uint32_t phase, uint32_t doi0 _U_, 999 uint32_t proto0, int depth) 1000 { 1001 const struct ikev1_pl_sa *p; 1002 uint32_t doi, sit, ident; 1003 const u_char *cp, *np; 1004 int t; 1005 1006 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_SA)); 1007 1008 p = (const struct ikev1_pl_sa *)ext; 1009 ND_TCHECK_SIZE(p); 1010 doi = GET_BE_U_4(p->doi); 1011 sit = GET_BE_U_4(p->sit); 1012 if (doi != 1) { 1013 ND_PRINT(" doi=%u", doi); 1014 ND_PRINT(" situation=%u", sit); 1015 return (const u_char *)(p + 1); 1016 } 1017 1018 ND_PRINT(" doi=ipsec"); 1019 ND_PRINT(" situation="); 1020 t = 0; 1021 if (sit & 0x01) { 1022 ND_PRINT("identity"); 1023 t++; 1024 } 1025 if (sit & 0x02) { 1026 ND_PRINT("%ssecrecy", t ? "+" : ""); 1027 t++; 1028 } 1029 if (sit & 0x04) 1030 ND_PRINT("%sintegrity", t ? "+" : ""); 1031 1032 np = (const u_char *)ext + sizeof(struct ikev1_pl_sa); 1033 if (sit != 0x01) { 1034 ident = GET_BE_U_4(ext + 1); 1035 ND_PRINT(" ident=%u", ident); 1036 np += sizeof(ident); 1037 } 1038 1039 ext = (const struct isakmp_gen *)np; 1040 ND_TCHECK_SIZE(ext); 1041 1042 cp = ikev1_sub_print(ndo, ISAKMP_NPTYPE_P, ext, ep, phase, doi, proto0, 1043 depth); 1044 1045 return cp; 1046 trunc: 1047 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_SA)); 1048 return NULL; 1049 } 1050 1051 static const u_char * 1052 ikev1_p_print(netdissect_options *ndo, u_char tpay _U_, 1053 const struct isakmp_gen *ext, u_int item_len _U_, 1054 const u_char *ep, uint32_t phase, uint32_t doi0, 1055 uint32_t proto0 _U_, int depth) 1056 { 1057 const struct ikev1_pl_p *p; 1058 const u_char *cp; 1059 uint8_t spi_size; 1060 1061 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_P)); 1062 1063 p = (const struct ikev1_pl_p *)ext; 1064 ND_TCHECK_SIZE(p); 1065 ND_PRINT(" #%u protoid=%s transform=%u", 1066 GET_U_1(p->p_no), PROTOIDSTR(GET_U_1(p->prot_id)), 1067 GET_U_1(p->num_t)); 1068 spi_size = GET_U_1(p->spi_size); 1069 if (spi_size) { 1070 ND_PRINT(" spi="); 1071 if (!rawprint(ndo, (const uint8_t *)(p + 1), spi_size)) 1072 goto trunc; 1073 } 1074 1075 ext = (const struct isakmp_gen *)((const u_char *)(p + 1) + spi_size); 1076 ND_TCHECK_SIZE(ext); 1077 1078 cp = ikev1_sub_print(ndo, ISAKMP_NPTYPE_T, ext, ep, phase, doi0, 1079 GET_U_1(p->prot_id), depth); 1080 1081 return cp; 1082 trunc: 1083 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_P)); 1084 return NULL; 1085 } 1086 1087 static const char *ikev1_p_map[] = { 1088 NULL, "ike", 1089 }; 1090 1091 static const char *ikev2_t_type_map[]={ 1092 NULL, "encr", "prf", "integ", "dh", "esn" 1093 }; 1094 1095 static const char *ah_p_map[] = { 1096 NULL, "(reserved)", "md5", "sha", "1des", 1097 "sha2-256", "sha2-384", "sha2-512", 1098 }; 1099 1100 static const char *prf_p_map[] = { 1101 NULL, "hmac-md5", "hmac-sha", "hmac-tiger", 1102 "aes128_xcbc" 1103 }; 1104 1105 static const char *integ_p_map[] = { 1106 NULL, "hmac-md5", "hmac-sha", "dec-mac", 1107 "kpdk-md5", "aes-xcbc" 1108 }; 1109 1110 static const char *esn_p_map[] = { 1111 "no-esn", "esn" 1112 }; 1113 1114 static const char *dh_p_map[] = { 1115 NULL, "modp768", 1116 "modp1024", /* group 2 */ 1117 "EC2N 2^155", /* group 3 */ 1118 "EC2N 2^185", /* group 4 */ 1119 "modp1536", /* group 5 */ 1120 "iana-grp06", "iana-grp07", /* reserved */ 1121 "iana-grp08", "iana-grp09", 1122 "iana-grp10", "iana-grp11", 1123 "iana-grp12", "iana-grp13", 1124 "modp2048", /* group 14 */ 1125 "modp3072", /* group 15 */ 1126 "modp4096", /* group 16 */ 1127 "modp6144", /* group 17 */ 1128 "modp8192", /* group 18 */ 1129 }; 1130 1131 static const char *esp_p_map[] = { 1132 NULL, "1des-iv64", "1des", "3des", "rc5", "idea", "cast", 1133 "blowfish", "3idea", "1des-iv32", "rc4", "null", "aes" 1134 }; 1135 1136 static const char *ipcomp_p_map[] = { 1137 NULL, "oui", "deflate", "lzs", 1138 }; 1139 1140 static const struct attrmap ipsec_t_map[] = { 1141 { NULL, 0, { NULL } }, 1142 { "lifetype", 3, { NULL, "sec", "kb", }, }, 1143 { "life", 0, { NULL } }, 1144 { "group desc", 18, { NULL, "modp768", 1145 "modp1024", /* group 2 */ 1146 "EC2N 2^155", /* group 3 */ 1147 "EC2N 2^185", /* group 4 */ 1148 "modp1536", /* group 5 */ 1149 "iana-grp06", "iana-grp07", /* reserved */ 1150 "iana-grp08", "iana-grp09", 1151 "iana-grp10", "iana-grp11", 1152 "iana-grp12", "iana-grp13", 1153 "modp2048", /* group 14 */ 1154 "modp3072", /* group 15 */ 1155 "modp4096", /* group 16 */ 1156 "modp6144", /* group 17 */ 1157 "modp8192", /* group 18 */ 1158 }, }, 1159 { "enc mode", 3, { NULL, "tunnel", "transport", }, }, 1160 { "auth", 5, { NULL, "hmac-md5", "hmac-sha1", "1des-mac", "keyed", }, }, 1161 { "keylen", 0, { NULL } }, 1162 { "rounds", 0, { NULL } }, 1163 { "dictsize", 0, { NULL } }, 1164 { "privalg", 0, { NULL } }, 1165 }; 1166 1167 static const struct attrmap encr_t_map[] = { 1168 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 0, 1 */ 1169 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 2, 3 */ 1170 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 4, 5 */ 1171 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 6, 7 */ 1172 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 8, 9 */ 1173 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 10,11*/ 1174 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 12,13*/ 1175 { "keylen", 14, { NULL }}, 1176 }; 1177 1178 static const struct attrmap oakley_t_map[] = { 1179 { NULL, 0, { NULL } }, 1180 { "enc", 8, { NULL, "1des", "idea", "blowfish", "rc5", 1181 "3des", "cast", "aes", }, }, 1182 { "hash", 7, { NULL, "md5", "sha1", "tiger", 1183 "sha2-256", "sha2-384", "sha2-512", }, }, 1184 { "auth", 6, { NULL, "preshared", "dss", "rsa sig", "rsa enc", 1185 "rsa enc revised", }, }, 1186 { "group desc", 18, { NULL, "modp768", 1187 "modp1024", /* group 2 */ 1188 "EC2N 2^155", /* group 3 */ 1189 "EC2N 2^185", /* group 4 */ 1190 "modp1536", /* group 5 */ 1191 "iana-grp06", "iana-grp07", /* reserved */ 1192 "iana-grp08", "iana-grp09", 1193 "iana-grp10", "iana-grp11", 1194 "iana-grp12", "iana-grp13", 1195 "modp2048", /* group 14 */ 1196 "modp3072", /* group 15 */ 1197 "modp4096", /* group 16 */ 1198 "modp6144", /* group 17 */ 1199 "modp8192", /* group 18 */ 1200 }, }, 1201 { "group type", 4, { NULL, "MODP", "ECP", "EC2N", }, }, 1202 { "group prime", 0, { NULL } }, 1203 { "group gen1", 0, { NULL } }, 1204 { "group gen2", 0, { NULL } }, 1205 { "group curve A", 0, { NULL } }, 1206 { "group curve B", 0, { NULL } }, 1207 { "lifetype", 3, { NULL, "sec", "kb", }, }, 1208 { "lifeduration", 0, { NULL } }, 1209 { "prf", 0, { NULL } }, 1210 { "keylen", 0, { NULL } }, 1211 { "field", 0, { NULL } }, 1212 { "order", 0, { NULL } }, 1213 }; 1214 1215 static const u_char * 1216 ikev1_t_print(netdissect_options *ndo, u_char tpay _U_, 1217 const struct isakmp_gen *ext, u_int item_len, 1218 const u_char *ep, uint32_t phase _U_, uint32_t doi _U_, 1219 uint32_t proto, int depth _U_) 1220 { 1221 const struct ikev1_pl_t *p; 1222 const u_char *cp; 1223 const char *idstr; 1224 const struct attrmap *map; 1225 size_t nmap; 1226 const u_char *ep2; 1227 1228 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_T)); 1229 1230 p = (const struct ikev1_pl_t *)ext; 1231 ND_TCHECK_SIZE(p); 1232 1233 switch (proto) { 1234 case 1: 1235 idstr = STR_OR_ID(GET_U_1(p->t_id), ikev1_p_map); 1236 map = oakley_t_map; 1237 nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]); 1238 break; 1239 case 2: 1240 idstr = STR_OR_ID(GET_U_1(p->t_id), ah_p_map); 1241 map = ipsec_t_map; 1242 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]); 1243 break; 1244 case 3: 1245 idstr = STR_OR_ID(GET_U_1(p->t_id), esp_p_map); 1246 map = ipsec_t_map; 1247 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]); 1248 break; 1249 case 4: 1250 idstr = STR_OR_ID(GET_U_1(p->t_id), ipcomp_p_map); 1251 map = ipsec_t_map; 1252 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]); 1253 break; 1254 default: 1255 idstr = NULL; 1256 map = NULL; 1257 nmap = 0; 1258 break; 1259 } 1260 1261 if (idstr) 1262 ND_PRINT(" #%u id=%s ", GET_U_1(p->t_no), idstr); 1263 else 1264 ND_PRINT(" #%u id=%u ", GET_U_1(p->t_no), GET_U_1(p->t_id)); 1265 cp = (const u_char *)(p + 1); 1266 ep2 = (const u_char *)p + item_len; 1267 while (cp < ep && cp < ep2) { 1268 if (map && nmap) 1269 cp = ikev1_attrmap_print(ndo, cp, ep2, map, nmap); 1270 else 1271 cp = ikev1_attr_print(ndo, cp, ep2); 1272 if (cp == NULL) 1273 goto trunc; 1274 } 1275 if (ep < ep2) 1276 ND_PRINT("..."); 1277 return cp; 1278 trunc: 1279 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_T)); 1280 return NULL; 1281 } 1282 1283 static const u_char * 1284 ikev1_ke_print(netdissect_options *ndo, u_char tpay _U_, 1285 const struct isakmp_gen *ext, u_int item_len, 1286 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_, 1287 uint32_t proto _U_, int depth _U_) 1288 { 1289 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_KE)); 1290 1291 ND_TCHECK_SIZE(ext); 1292 /* 1293 * Our caller has ensured that the length is >= 4. 1294 */ 1295 ND_PRINT(" key len=%u", item_len - 4); 1296 if (2 < ndo->ndo_vflag && item_len > 4) { 1297 /* Print the entire payload in hex */ 1298 ND_PRINT(" "); 1299 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4)) 1300 goto trunc; 1301 } 1302 return (const u_char *)ext + item_len; 1303 trunc: 1304 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_KE)); 1305 return NULL; 1306 } 1307 1308 static const u_char * 1309 ikev1_id_print(netdissect_options *ndo, u_char tpay _U_, 1310 const struct isakmp_gen *ext, u_int item_len, 1311 const u_char *ep _U_, uint32_t phase, uint32_t doi _U_, 1312 uint32_t proto _U_, int depth _U_) 1313 { 1314 #define USE_IPSECDOI_IN_PHASE1 1 1315 const struct ikev1_pl_id *p; 1316 static const char *idtypestr[] = { 1317 "IPv4", "IPv4net", "IPv6", "IPv6net", 1318 }; 1319 static const char *ipsecidtypestr[] = { 1320 NULL, "IPv4", "FQDN", "user FQDN", "IPv4net", "IPv6", 1321 "IPv6net", "IPv4range", "IPv6range", "ASN1 DN", "ASN1 GN", 1322 "keyid", 1323 }; 1324 u_int len; 1325 const u_char *data; 1326 1327 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_ID)); 1328 1329 p = (const struct ikev1_pl_id *)ext; 1330 ND_TCHECK_SIZE(p); 1331 if (sizeof(*p) < item_len) { 1332 data = (const u_char *)(p + 1); 1333 len = item_len - sizeof(*p); 1334 } else { 1335 data = NULL; 1336 len = 0; 1337 } 1338 1339 #if 0 /*debug*/ 1340 ND_PRINT(" [phase=%u doi=%u proto=%u]", phase, doi, proto); 1341 #endif 1342 switch (phase) { 1343 #ifndef USE_IPSECDOI_IN_PHASE1 1344 case 1: 1345 #endif 1346 default: 1347 ND_PRINT(" idtype=%s", 1348 STR_OR_ID(GET_U_1(p->d.id_type), idtypestr)); 1349 ND_PRINT(" doi_data=%u", 1350 GET_BE_U_4(p->d.doi_data) & 0xffffff); 1351 break; 1352 1353 #ifdef USE_IPSECDOI_IN_PHASE1 1354 case 1: 1355 #endif 1356 case 2: 1357 { 1358 const struct ipsecdoi_id *doi_p; 1359 const char *p_name; 1360 uint8_t type, proto_id; 1361 1362 doi_p = (const struct ipsecdoi_id *)ext; 1363 ND_TCHECK_SIZE(doi_p); 1364 type = GET_U_1(doi_p->type); 1365 ND_PRINT(" idtype=%s", STR_OR_ID(type, ipsecidtypestr)); 1366 /* A protocol ID of 0 DOES NOT mean IPPROTO_IP! */ 1367 proto_id = GET_U_1(doi_p->proto_id); 1368 if (!ndo->ndo_nflag && proto_id && (p_name = netdb_protoname(proto_id)) != NULL) 1369 ND_PRINT(" protoid=%s", p_name); 1370 else 1371 ND_PRINT(" protoid=%u", proto_id); 1372 ND_PRINT(" port=%u", GET_BE_U_2(doi_p->port)); 1373 if (!len) 1374 break; 1375 if (data == NULL) 1376 goto trunc; 1377 ND_TCHECK_LEN(data, len); 1378 switch (type) { 1379 case IPSECDOI_ID_IPV4_ADDR: 1380 if (len < 4) 1381 ND_PRINT(" len=%u [bad: < 4]", len); 1382 else 1383 ND_PRINT(" len=%u %s", len, GET_IPADDR_STRING(data)); 1384 len = 0; 1385 break; 1386 case IPSECDOI_ID_FQDN: 1387 case IPSECDOI_ID_USER_FQDN: 1388 { 1389 u_int i; 1390 ND_PRINT(" len=%u ", len); 1391 for (i = 0; i < len; i++) 1392 fn_print_char(ndo, GET_U_1(data + i)); 1393 len = 0; 1394 break; 1395 } 1396 case IPSECDOI_ID_IPV4_ADDR_SUBNET: 1397 { 1398 const u_char *mask; 1399 if (len < 8) 1400 ND_PRINT(" len=%u [bad: < 8]", len); 1401 else { 1402 mask = data + sizeof(nd_ipv4); 1403 ND_PRINT(" len=%u %s/%u.%u.%u.%u", len, 1404 GET_IPADDR_STRING(data), 1405 GET_U_1(mask), GET_U_1(mask + 1), 1406 GET_U_1(mask + 2), 1407 GET_U_1(mask + 3)); 1408 } 1409 len = 0; 1410 break; 1411 } 1412 case IPSECDOI_ID_IPV6_ADDR: 1413 if (len < 16) 1414 ND_PRINT(" len=%u [bad: < 16]", len); 1415 else 1416 ND_PRINT(" len=%u %s", len, GET_IP6ADDR_STRING(data)); 1417 len = 0; 1418 break; 1419 case IPSECDOI_ID_IPV6_ADDR_SUBNET: 1420 { 1421 const u_char *mask; 1422 if (len < 32) 1423 ND_PRINT(" len=%u [bad: < 32]", len); 1424 else { 1425 mask = (const u_char *)(data + sizeof(nd_ipv6)); 1426 /*XXX*/ 1427 ND_PRINT(" len=%u %s/0x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x", len, 1428 GET_IP6ADDR_STRING(data), 1429 GET_U_1(mask), GET_U_1(mask + 1), 1430 GET_U_1(mask + 2), 1431 GET_U_1(mask + 3), 1432 GET_U_1(mask + 4), 1433 GET_U_1(mask + 5), 1434 GET_U_1(mask + 6), 1435 GET_U_1(mask + 7), 1436 GET_U_1(mask + 8), 1437 GET_U_1(mask + 9), 1438 GET_U_1(mask + 10), 1439 GET_U_1(mask + 11), 1440 GET_U_1(mask + 12), 1441 GET_U_1(mask + 13), 1442 GET_U_1(mask + 14), 1443 GET_U_1(mask + 15)); 1444 } 1445 len = 0; 1446 break; 1447 } 1448 case IPSECDOI_ID_IPV4_ADDR_RANGE: 1449 if (len < 8) 1450 ND_PRINT(" len=%u [bad: < 8]", len); 1451 else { 1452 ND_PRINT(" len=%u %s-%s", len, 1453 GET_IPADDR_STRING(data), 1454 GET_IPADDR_STRING(data + sizeof(nd_ipv4))); 1455 } 1456 len = 0; 1457 break; 1458 case IPSECDOI_ID_IPV6_ADDR_RANGE: 1459 if (len < 32) 1460 ND_PRINT(" len=%u [bad: < 32]", len); 1461 else { 1462 ND_PRINT(" len=%u %s-%s", len, 1463 GET_IP6ADDR_STRING(data), 1464 GET_IP6ADDR_STRING(data + sizeof(nd_ipv6))); 1465 } 1466 len = 0; 1467 break; 1468 case IPSECDOI_ID_DER_ASN1_DN: 1469 case IPSECDOI_ID_DER_ASN1_GN: 1470 case IPSECDOI_ID_KEY_ID: 1471 break; 1472 } 1473 break; 1474 } 1475 } 1476 if (data && len) { 1477 ND_PRINT(" len=%u", len); 1478 if (2 < ndo->ndo_vflag) { 1479 ND_PRINT(" "); 1480 if (!rawprint(ndo, (const uint8_t *)data, len)) 1481 goto trunc; 1482 } 1483 } 1484 return (const u_char *)ext + item_len; 1485 trunc: 1486 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_ID)); 1487 return NULL; 1488 } 1489 1490 static const u_char * 1491 ikev1_cert_print(netdissect_options *ndo, u_char tpay _U_, 1492 const struct isakmp_gen *ext, u_int item_len, 1493 const u_char *ep _U_, uint32_t phase _U_, 1494 uint32_t doi0 _U_, 1495 uint32_t proto0 _U_, int depth _U_) 1496 { 1497 const struct ikev1_pl_cert *p; 1498 static const char *certstr[] = { 1499 "none", "pkcs7", "pgp", "dns", 1500 "x509sign", "x509ke", "kerberos", "crl", 1501 "arl", "spki", "x509attr", 1502 }; 1503 1504 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_CERT)); 1505 1506 p = (const struct ikev1_pl_cert *)ext; 1507 ND_TCHECK_SIZE(p); 1508 /* 1509 * Our caller has ensured that the length is >= 4. 1510 */ 1511 ND_PRINT(" len=%u", item_len - 4); 1512 ND_PRINT(" type=%s", STR_OR_ID(GET_U_1(p->encode), certstr)); 1513 if (2 < ndo->ndo_vflag && 4 < item_len) { 1514 /* Print the entire payload in hex */ 1515 ND_PRINT(" "); 1516 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4)) 1517 goto trunc; 1518 } 1519 return (const u_char *)ext + item_len; 1520 trunc: 1521 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_CERT)); 1522 return NULL; 1523 } 1524 1525 static const u_char * 1526 ikev1_cr_print(netdissect_options *ndo, u_char tpay _U_, 1527 const struct isakmp_gen *ext, u_int item_len, 1528 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi0 _U_, 1529 uint32_t proto0 _U_, int depth _U_) 1530 { 1531 const struct ikev1_pl_cert *p; 1532 static const char *certstr[] = { 1533 "none", "pkcs7", "pgp", "dns", 1534 "x509sign", "x509ke", "kerberos", "crl", 1535 "arl", "spki", "x509attr", 1536 }; 1537 1538 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_CR)); 1539 1540 p = (const struct ikev1_pl_cert *)ext; 1541 ND_TCHECK_SIZE(p); 1542 /* 1543 * Our caller has ensured that the length is >= 4. 1544 */ 1545 ND_PRINT(" len=%u", item_len - 4); 1546 ND_PRINT(" type=%s", STR_OR_ID(GET_U_1(p->encode), certstr)); 1547 if (2 < ndo->ndo_vflag && 4 < item_len) { 1548 /* Print the entire payload in hex */ 1549 ND_PRINT(" "); 1550 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4)) 1551 goto trunc; 1552 } 1553 return (const u_char *)ext + item_len; 1554 trunc: 1555 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_CR)); 1556 return NULL; 1557 } 1558 1559 static const u_char * 1560 ikev1_hash_print(netdissect_options *ndo, u_char tpay _U_, 1561 const struct isakmp_gen *ext, u_int item_len, 1562 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_, 1563 uint32_t proto _U_, int depth _U_) 1564 { 1565 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_HASH)); 1566 1567 ND_TCHECK_SIZE(ext); 1568 /* 1569 * Our caller has ensured that the length is >= 4. 1570 */ 1571 ND_PRINT(" len=%u", item_len - 4); 1572 if (2 < ndo->ndo_vflag && 4 < item_len) { 1573 /* Print the entire payload in hex */ 1574 ND_PRINT(" "); 1575 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4)) 1576 goto trunc; 1577 } 1578 return (const u_char *)ext + item_len; 1579 trunc: 1580 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_HASH)); 1581 return NULL; 1582 } 1583 1584 static const u_char * 1585 ikev1_sig_print(netdissect_options *ndo, u_char tpay _U_, 1586 const struct isakmp_gen *ext, u_int item_len, 1587 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_, 1588 uint32_t proto _U_, int depth _U_) 1589 { 1590 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_SIG)); 1591 1592 ND_TCHECK_SIZE(ext); 1593 /* 1594 * Our caller has ensured that the length is >= 4. 1595 */ 1596 ND_PRINT(" len=%u", item_len - 4); 1597 if (2 < ndo->ndo_vflag && 4 < item_len) { 1598 /* Print the entire payload in hex */ 1599 ND_PRINT(" "); 1600 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4)) 1601 goto trunc; 1602 } 1603 return (const u_char *)ext + item_len; 1604 trunc: 1605 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_SIG)); 1606 return NULL; 1607 } 1608 1609 static const u_char * 1610 ikev1_nonce_print(netdissect_options *ndo, u_char tpay _U_, 1611 const struct isakmp_gen *ext, 1612 u_int item_len, 1613 const u_char *ep, 1614 uint32_t phase _U_, uint32_t doi _U_, 1615 uint32_t proto _U_, int depth _U_) 1616 { 1617 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_NONCE)); 1618 1619 ND_TCHECK_SIZE(ext); 1620 /* 1621 * Our caller has ensured that the length is >= 4. 1622 */ 1623 ND_PRINT(" n len=%u", item_len - 4); 1624 if (item_len > 4) { 1625 if (ndo->ndo_vflag > 2) { 1626 ND_PRINT(" "); 1627 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4)) 1628 goto trunc; 1629 } else if (ndo->ndo_vflag > 1) { 1630 ND_PRINT(" "); 1631 if (!ike_show_somedata(ndo, (const u_char *)(ext + 1), ep)) 1632 goto trunc; 1633 } 1634 } 1635 return (const u_char *)ext + item_len; 1636 trunc: 1637 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_NONCE)); 1638 return NULL; 1639 } 1640 1641 static const u_char * 1642 ikev1_n_print(netdissect_options *ndo, u_char tpay _U_, 1643 const struct isakmp_gen *ext, u_int item_len, 1644 const u_char *ep, uint32_t phase _U_, uint32_t doi0 _U_, 1645 uint32_t proto0 _U_, int depth _U_) 1646 { 1647 const struct ikev1_pl_n *p; 1648 const u_char *cp; 1649 const u_char *ep2; 1650 uint32_t doi; 1651 uint32_t proto; 1652 uint16_t type; 1653 uint8_t spi_size; 1654 static const char *notify_error_str[] = { 1655 NULL, "INVALID-PAYLOAD-TYPE", 1656 "DOI-NOT-SUPPORTED", "SITUATION-NOT-SUPPORTED", 1657 "INVALID-COOKIE", "INVALID-MAJOR-VERSION", 1658 "INVALID-MINOR-VERSION", "INVALID-EXCHANGE-TYPE", 1659 "INVALID-FLAGS", "INVALID-MESSAGE-ID", 1660 "INVALID-PROTOCOL-ID", "INVALID-SPI", 1661 "INVALID-TRANSFORM-ID", "ATTRIBUTES-NOT-SUPPORTED", 1662 "NO-PROPOSAL-CHOSEN", "BAD-PROPOSAL-SYNTAX", 1663 "PAYLOAD-MALFORMED", "INVALID-KEY-INFORMATION", 1664 "INVALID-ID-INFORMATION", "INVALID-CERT-ENCODING", 1665 "INVALID-CERTIFICATE", "CERT-TYPE-UNSUPPORTED", 1666 "INVALID-CERT-AUTHORITY", "INVALID-HASH-INFORMATION", 1667 "AUTHENTICATION-FAILED", "INVALID-SIGNATURE", 1668 "ADDRESS-NOTIFICATION", "NOTIFY-SA-LIFETIME", 1669 "CERTIFICATE-UNAVAILABLE", "UNSUPPORTED-EXCHANGE-TYPE", 1670 "UNEQUAL-PAYLOAD-LENGTHS", 1671 }; 1672 static const char *ipsec_notify_error_str[] = { 1673 "RESERVED", 1674 }; 1675 static const char *notify_status_str[] = { 1676 "CONNECTED", 1677 }; 1678 static const char *ipsec_notify_status_str[] = { 1679 "RESPONDER-LIFETIME", "REPLAY-STATUS", 1680 "INITIAL-CONTACT", 1681 }; 1682 /* NOTE: these macro must be called with x in proper range */ 1683 1684 /* 0 - 8191 */ 1685 #define NOTIFY_ERROR_STR(x) \ 1686 STR_OR_ID((x), notify_error_str) 1687 1688 /* 8192 - 16383 */ 1689 #define IPSEC_NOTIFY_ERROR_STR(x) \ 1690 STR_OR_ID((u_int)((x) - 8192), ipsec_notify_error_str) 1691 1692 /* 16384 - 24575 */ 1693 #define NOTIFY_STATUS_STR(x) \ 1694 STR_OR_ID((u_int)((x) - 16384), notify_status_str) 1695 1696 /* 24576 - 32767 */ 1697 #define IPSEC_NOTIFY_STATUS_STR(x) \ 1698 STR_OR_ID((u_int)((x) - 24576), ipsec_notify_status_str) 1699 1700 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_N)); 1701 1702 p = (const struct ikev1_pl_n *)ext; 1703 ND_TCHECK_SIZE(p); 1704 doi = GET_BE_U_4(p->doi); 1705 proto = GET_U_1(p->prot_id); 1706 if (doi != 1) { 1707 ND_PRINT(" doi=%u", doi); 1708 ND_PRINT(" proto=%u", proto); 1709 type = GET_BE_U_2(p->type); 1710 if (type < 8192) 1711 ND_PRINT(" type=%s", NOTIFY_ERROR_STR(type)); 1712 else if (type < 16384) 1713 ND_PRINT(" type=%s", numstr(type)); 1714 else if (type < 24576) 1715 ND_PRINT(" type=%s", NOTIFY_STATUS_STR(type)); 1716 else 1717 ND_PRINT(" type=%s", numstr(type)); 1718 spi_size = GET_U_1(p->spi_size); 1719 if (spi_size) { 1720 ND_PRINT(" spi="); 1721 if (!rawprint(ndo, (const uint8_t *)(p + 1), spi_size)) 1722 goto trunc; 1723 } 1724 return (const u_char *)(p + 1) + spi_size; 1725 } 1726 1727 ND_PRINT(" doi=ipsec"); 1728 ND_PRINT(" proto=%s", PROTOIDSTR(proto)); 1729 type = GET_BE_U_2(p->type); 1730 if (type < 8192) 1731 ND_PRINT(" type=%s", NOTIFY_ERROR_STR(type)); 1732 else if (type < 16384) 1733 ND_PRINT(" type=%s", IPSEC_NOTIFY_ERROR_STR(type)); 1734 else if (type < 24576) 1735 ND_PRINT(" type=%s", NOTIFY_STATUS_STR(type)); 1736 else if (type < 32768) 1737 ND_PRINT(" type=%s", IPSEC_NOTIFY_STATUS_STR(type)); 1738 else 1739 ND_PRINT(" type=%s", numstr(type)); 1740 spi_size = GET_U_1(p->spi_size); 1741 if (spi_size) { 1742 ND_PRINT(" spi="); 1743 if (!rawprint(ndo, (const uint8_t *)(p + 1), spi_size)) 1744 goto trunc; 1745 } 1746 1747 cp = (const u_char *)(p + 1) + spi_size; 1748 ep2 = (const u_char *)p + item_len; 1749 1750 if (cp < ep) { 1751 switch (type) { 1752 case IPSECDOI_NTYPE_RESPONDER_LIFETIME: 1753 { 1754 const struct attrmap *map = oakley_t_map; 1755 size_t nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]); 1756 ND_PRINT(" attrs=("); 1757 while (cp < ep && cp < ep2) { 1758 cp = ikev1_attrmap_print(ndo, cp, ep2, map, nmap); 1759 if (cp == NULL) { 1760 ND_PRINT(")"); 1761 goto trunc; 1762 } 1763 } 1764 ND_PRINT(")"); 1765 break; 1766 } 1767 case IPSECDOI_NTYPE_REPLAY_STATUS: 1768 ND_PRINT(" status=("); 1769 ND_PRINT("replay detection %sabled", 1770 GET_BE_U_4(cp) ? "en" : "dis"); 1771 ND_PRINT(")"); 1772 break; 1773 default: 1774 /* 1775 * XXX - fill in more types here; see, for example, 1776 * draft-ietf-ipsec-notifymsg-04. 1777 */ 1778 if (ndo->ndo_vflag > 3) { 1779 ND_PRINT(" data=("); 1780 if (!rawprint(ndo, (const uint8_t *)(cp), ep - cp)) 1781 goto trunc; 1782 ND_PRINT(")"); 1783 } else { 1784 if (!ike_show_somedata(ndo, cp, ep)) 1785 goto trunc; 1786 } 1787 break; 1788 } 1789 } 1790 return (const u_char *)ext + item_len; 1791 trunc: 1792 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_N)); 1793 return NULL; 1794 } 1795 1796 static const u_char * 1797 ikev1_d_print(netdissect_options *ndo, u_char tpay _U_, 1798 const struct isakmp_gen *ext, u_int item_len _U_, 1799 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi0 _U_, 1800 uint32_t proto0 _U_, int depth _U_) 1801 { 1802 const struct ikev1_pl_d *p; 1803 const uint8_t *q; 1804 uint32_t doi; 1805 uint32_t proto; 1806 uint8_t spi_size; 1807 uint16_t num_spi; 1808 u_int i; 1809 1810 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_D)); 1811 1812 p = (const struct ikev1_pl_d *)ext; 1813 ND_TCHECK_SIZE(p); 1814 doi = GET_BE_U_4(p->doi); 1815 proto = GET_U_1(p->prot_id); 1816 if (doi != 1) { 1817 ND_PRINT(" doi=%u", doi); 1818 ND_PRINT(" proto=%u", proto); 1819 } else { 1820 ND_PRINT(" doi=ipsec"); 1821 ND_PRINT(" proto=%s", PROTOIDSTR(proto)); 1822 } 1823 spi_size = GET_U_1(p->spi_size); 1824 ND_PRINT(" spilen=%u", spi_size); 1825 num_spi = GET_BE_U_2(p->num_spi); 1826 ND_PRINT(" nspi=%u", num_spi); 1827 q = (const uint8_t *)(p + 1); 1828 if (spi_size) { 1829 ND_PRINT(" spi="); 1830 for (i = 0; i < num_spi; i++) { 1831 if (i != 0) 1832 ND_PRINT(","); 1833 if (!rawprint(ndo, (const uint8_t *)q, spi_size)) 1834 goto trunc; 1835 q += spi_size; 1836 } 1837 } 1838 return q; 1839 trunc: 1840 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_D)); 1841 return NULL; 1842 } 1843 1844 static const u_char * 1845 ikev1_vid_print(netdissect_options *ndo, u_char tpay _U_, 1846 const struct isakmp_gen *ext, 1847 u_int item_len, const u_char *ep _U_, 1848 uint32_t phase _U_, uint32_t doi _U_, 1849 uint32_t proto _U_, int depth _U_) 1850 { 1851 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_VID)); 1852 1853 ND_TCHECK_SIZE(ext); 1854 /* 1855 * Our caller has ensured that the length is >= 4. 1856 */ 1857 ND_PRINT(" len=%u", item_len - 4); 1858 if (2 < ndo->ndo_vflag && 4 < item_len) { 1859 /* Print the entire payload in hex */ 1860 ND_PRINT(" "); 1861 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4)) 1862 goto trunc; 1863 } 1864 return (const u_char *)ext + item_len; 1865 trunc: 1866 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_VID)); 1867 return NULL; 1868 } 1869 1870 /************************************************************/ 1871 /* */ 1872 /* IKE v2 - rfc4306 - dissector */ 1873 /* */ 1874 /************************************************************/ 1875 1876 static void 1877 ikev2_pay_print(netdissect_options *ndo, const char *payname, uint8_t critical) 1878 { 1879 ND_PRINT("%s%s:", payname, critical&0x80 ? "[C]" : ""); 1880 } 1881 1882 static const u_char * 1883 ikev2_gen_print(netdissect_options *ndo, u_char tpay, 1884 const struct isakmp_gen *ext, u_int item_len) 1885 { 1886 const struct isakmp_gen *p = (const struct isakmp_gen *)ext; 1887 1888 ND_TCHECK_SIZE(ext); 1889 ikev2_pay_print(ndo, NPSTR(tpay), GET_U_1(p->critical)); 1890 1891 /* 1892 * Our caller has ensured that the length is >= 4. 1893 */ 1894 ND_PRINT(" len=%u", item_len - 4); 1895 if (2 < ndo->ndo_vflag && 4 < item_len) { 1896 /* Print the entire payload in hex */ 1897 ND_PRINT(" "); 1898 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4)) 1899 goto trunc; 1900 } 1901 return (const u_char *)ext + item_len; 1902 trunc: 1903 ND_PRINT(" [|%s]", NPSTR(tpay)); 1904 return NULL; 1905 } 1906 1907 static const u_char * 1908 ikev2_t_print(netdissect_options *ndo, int tcount, 1909 const struct isakmp_gen *ext, u_int item_len, 1910 const u_char *ep) 1911 { 1912 const struct ikev2_t *p; 1913 uint16_t t_id; 1914 uint8_t t_type; 1915 const u_char *cp; 1916 const char *idstr; 1917 const struct attrmap *map; 1918 size_t nmap; 1919 const u_char *ep2; 1920 1921 p = (const struct ikev2_t *)ext; 1922 ND_TCHECK_SIZE(p); 1923 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_T), GET_U_1(p->h.critical)); 1924 1925 t_id = GET_BE_U_2(p->t_id); 1926 1927 map = NULL; 1928 nmap = 0; 1929 1930 t_type = GET_U_1(p->t_type); 1931 switch (t_type) { 1932 case IV2_T_ENCR: 1933 idstr = STR_OR_ID(t_id, esp_p_map); 1934 map = encr_t_map; 1935 nmap = sizeof(encr_t_map)/sizeof(encr_t_map[0]); 1936 break; 1937 1938 case IV2_T_PRF: 1939 idstr = STR_OR_ID(t_id, prf_p_map); 1940 break; 1941 1942 case IV2_T_INTEG: 1943 idstr = STR_OR_ID(t_id, integ_p_map); 1944 break; 1945 1946 case IV2_T_DH: 1947 idstr = STR_OR_ID(t_id, dh_p_map); 1948 break; 1949 1950 case IV2_T_ESN: 1951 idstr = STR_OR_ID(t_id, esn_p_map); 1952 break; 1953 1954 default: 1955 idstr = NULL; 1956 break; 1957 } 1958 1959 if (idstr) 1960 ND_PRINT(" #%u type=%s id=%s ", tcount, 1961 STR_OR_ID(t_type, ikev2_t_type_map), 1962 idstr); 1963 else 1964 ND_PRINT(" #%u type=%s id=%u ", tcount, 1965 STR_OR_ID(t_type, ikev2_t_type_map), 1966 t_id); 1967 cp = (const u_char *)(p + 1); 1968 ep2 = (const u_char *)p + item_len; 1969 while (cp < ep && cp < ep2) { 1970 if (map && nmap) { 1971 cp = ikev1_attrmap_print(ndo, cp, ep2, map, nmap); 1972 } else 1973 cp = ikev1_attr_print(ndo, cp, ep2); 1974 if (cp == NULL) 1975 goto trunc; 1976 } 1977 if (ep < ep2) 1978 ND_PRINT("..."); 1979 return cp; 1980 trunc: 1981 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_T)); 1982 return NULL; 1983 } 1984 1985 static const u_char * 1986 ikev2_p_print(netdissect_options *ndo, u_char tpay _U_, int pcount _U_, 1987 const struct isakmp_gen *ext, u_int oprop_length, 1988 const u_char *ep, int depth) 1989 { 1990 const struct ikev2_p *p; 1991 u_int prop_length; 1992 uint8_t spi_size; 1993 const u_char *cp; 1994 int i; 1995 int tcount; 1996 u_char np; 1997 u_int item_len; 1998 1999 p = (const struct ikev2_p *)ext; 2000 ND_TCHECK_SIZE(p); 2001 2002 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_P), GET_U_1(p->h.critical)); 2003 2004 /* 2005 * ikev2_sa_print() guarantees that this is >= 4. 2006 */ 2007 prop_length = oprop_length - 4; 2008 ND_PRINT(" #%u protoid=%s transform=%u len=%u", 2009 GET_U_1(p->p_no), PROTOIDSTR(GET_U_1(p->prot_id)), 2010 GET_U_1(p->num_t), oprop_length); 2011 cp = (const u_char *)(p + 1); 2012 2013 spi_size = GET_U_1(p->spi_size); 2014 if (spi_size) { 2015 if (prop_length < spi_size) 2016 goto toolong; 2017 ND_PRINT(" spi="); 2018 if (!rawprint(ndo, (const uint8_t *)cp, spi_size)) 2019 goto trunc; 2020 cp += spi_size; 2021 prop_length -= spi_size; 2022 } 2023 2024 /* 2025 * Print the transforms. 2026 */ 2027 tcount = 0; 2028 for (np = ISAKMP_NPTYPE_T; np != 0; np = GET_U_1(ext->np)) { 2029 tcount++; 2030 ext = (const struct isakmp_gen *)cp; 2031 if (prop_length < sizeof(*ext)) 2032 goto toolong; 2033 ND_TCHECK_SIZE(ext); 2034 2035 /* 2036 * Since we can't have a payload length of less than 4 bytes, 2037 * we need to bail out here if the generic header is nonsensical 2038 * or truncated, otherwise we could loop forever processing 2039 * zero-length items or otherwise misdissect the packet. 2040 */ 2041 item_len = GET_BE_U_2(ext->len); 2042 if (item_len <= 4) 2043 goto trunc; 2044 2045 if (prop_length < item_len) 2046 goto toolong; 2047 ND_TCHECK_LEN(cp, item_len); 2048 2049 depth++; 2050 ND_PRINT("\n"); 2051 for (i = 0; i < depth; i++) 2052 ND_PRINT(" "); 2053 ND_PRINT("("); 2054 if (np == ISAKMP_NPTYPE_T) { 2055 cp = ikev2_t_print(ndo, tcount, ext, item_len, ep); 2056 if (cp == NULL) { 2057 /* error, already reported */ 2058 return NULL; 2059 } 2060 } else { 2061 ND_PRINT("%s", NPSTR(np)); 2062 cp += item_len; 2063 } 2064 ND_PRINT(")"); 2065 depth--; 2066 prop_length -= item_len; 2067 } 2068 return cp; 2069 toolong: 2070 /* 2071 * Skip the rest of the proposal. 2072 */ 2073 cp += prop_length; 2074 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_P)); 2075 return cp; 2076 trunc: 2077 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_P)); 2078 return NULL; 2079 } 2080 2081 static const u_char * 2082 ikev2_sa_print(netdissect_options *ndo, u_char tpay, 2083 const struct isakmp_gen *ext1, 2084 u_int osa_length, const u_char *ep, 2085 uint32_t phase _U_, uint32_t doi _U_, 2086 uint32_t proto _U_, int depth) 2087 { 2088 const struct isakmp_gen *ext; 2089 u_int sa_length; 2090 const u_char *cp; 2091 int i; 2092 int pcount; 2093 u_char np; 2094 u_int item_len; 2095 2096 ND_TCHECK_SIZE(ext1); 2097 ikev2_pay_print(ndo, "sa", GET_U_1(ext1->critical)); 2098 2099 /* 2100 * ikev2_sub0_print() guarantees that this is >= 4. 2101 */ 2102 osa_length= GET_BE_U_2(ext1->len); 2103 sa_length = osa_length - 4; 2104 ND_PRINT(" len=%u", sa_length); 2105 2106 /* 2107 * Print the payloads. 2108 */ 2109 cp = (const u_char *)(ext1 + 1); 2110 pcount = 0; 2111 for (np = ISAKMP_NPTYPE_P; np != 0; np = GET_U_1(ext->np)) { 2112 pcount++; 2113 ext = (const struct isakmp_gen *)cp; 2114 if (sa_length < sizeof(*ext)) 2115 goto toolong; 2116 ND_TCHECK_SIZE(ext); 2117 2118 /* 2119 * Since we can't have a payload length of less than 4 bytes, 2120 * we need to bail out here if the generic header is nonsensical 2121 * or truncated, otherwise we could loop forever processing 2122 * zero-length items or otherwise misdissect the packet. 2123 */ 2124 item_len = GET_BE_U_2(ext->len); 2125 if (item_len <= 4) 2126 goto trunc; 2127 2128 if (sa_length < item_len) 2129 goto toolong; 2130 ND_TCHECK_LEN(cp, item_len); 2131 2132 depth++; 2133 ND_PRINT("\n"); 2134 for (i = 0; i < depth; i++) 2135 ND_PRINT(" "); 2136 ND_PRINT("("); 2137 if (np == ISAKMP_NPTYPE_P) { 2138 cp = ikev2_p_print(ndo, np, pcount, ext, item_len, 2139 ep, depth); 2140 if (cp == NULL) { 2141 /* error, already reported */ 2142 return NULL; 2143 } 2144 } else { 2145 ND_PRINT("%s", NPSTR(np)); 2146 cp += item_len; 2147 } 2148 ND_PRINT(")"); 2149 depth--; 2150 sa_length -= item_len; 2151 } 2152 return cp; 2153 toolong: 2154 /* 2155 * Skip the rest of the SA. 2156 */ 2157 cp += sa_length; 2158 ND_PRINT(" [|%s]", NPSTR(tpay)); 2159 return cp; 2160 trunc: 2161 ND_PRINT(" [|%s]", NPSTR(tpay)); 2162 return NULL; 2163 } 2164 2165 static const u_char * 2166 ikev2_ke_print(netdissect_options *ndo, u_char tpay, 2167 const struct isakmp_gen *ext, 2168 u_int item_len, const u_char *ep _U_, 2169 uint32_t phase _U_, uint32_t doi _U_, 2170 uint32_t proto _U_, int depth _U_) 2171 { 2172 const struct ikev2_ke *k; 2173 2174 k = (const struct ikev2_ke *)ext; 2175 ND_TCHECK_SIZE(k); 2176 ikev2_pay_print(ndo, NPSTR(tpay), GET_U_1(k->h.critical)); 2177 2178 if (item_len < 8) { 2179 ND_PRINT(" len=%u < 8", item_len); 2180 return (const u_char *)ext + item_len; 2181 } 2182 ND_PRINT(" len=%u group=%s", item_len - 8, 2183 STR_OR_ID(GET_BE_U_2(k->ke_group), dh_p_map)); 2184 2185 if (2 < ndo->ndo_vflag && 8 < item_len) { 2186 ND_PRINT(" "); 2187 if (!rawprint(ndo, (const uint8_t *)(k + 1), item_len - 8)) 2188 goto trunc; 2189 } 2190 return (const u_char *)ext + item_len; 2191 trunc: 2192 ND_PRINT(" [|%s]", NPSTR(tpay)); 2193 return NULL; 2194 } 2195 2196 static const u_char * 2197 ikev2_ID_print(netdissect_options *ndo, u_char tpay, 2198 const struct isakmp_gen *ext, 2199 u_int item_len, const u_char *ep _U_, 2200 uint32_t phase _U_, uint32_t doi _U_, 2201 uint32_t proto _U_, int depth _U_) 2202 { 2203 const struct ikev2_id *idp; 2204 u_int idtype_len, i; 2205 unsigned int dumpascii, dumphex; 2206 const unsigned char *typedata; 2207 2208 idp = (const struct ikev2_id *)ext; 2209 ND_TCHECK_SIZE(idp); 2210 ikev2_pay_print(ndo, NPSTR(tpay), GET_U_1(idp->h.critical)); 2211 2212 /* 2213 * Our caller has ensured that the length is >= 4. 2214 */ 2215 ND_PRINT(" len=%u", item_len - 4); 2216 if (2 < ndo->ndo_vflag && 4 < item_len) { 2217 /* Print the entire payload in hex */ 2218 ND_PRINT(" "); 2219 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4)) 2220 goto trunc; 2221 } 2222 2223 idtype_len =item_len - sizeof(struct ikev2_id); 2224 dumpascii = 0; 2225 dumphex = 0; 2226 typedata = (const unsigned char *)(ext)+sizeof(struct ikev2_id); 2227 2228 switch(GET_U_1(idp->type)) { 2229 case ID_IPV4_ADDR: 2230 ND_PRINT(" ipv4:"); 2231 dumphex=1; 2232 break; 2233 case ID_FQDN: 2234 ND_PRINT(" fqdn:"); 2235 dumpascii=1; 2236 break; 2237 case ID_RFC822_ADDR: 2238 ND_PRINT(" rfc822:"); 2239 dumpascii=1; 2240 break; 2241 case ID_IPV6_ADDR: 2242 ND_PRINT(" ipv6:"); 2243 dumphex=1; 2244 break; 2245 case ID_DER_ASN1_DN: 2246 ND_PRINT(" dn:"); 2247 dumphex=1; 2248 break; 2249 case ID_DER_ASN1_GN: 2250 ND_PRINT(" gn:"); 2251 dumphex=1; 2252 break; 2253 case ID_KEY_ID: 2254 ND_PRINT(" keyid:"); 2255 dumphex=1; 2256 break; 2257 } 2258 2259 if(dumpascii) { 2260 ND_TCHECK_LEN(typedata, idtype_len); 2261 for(i=0; i<idtype_len; i++) { 2262 if(ND_ASCII_ISPRINT(GET_U_1(typedata + i))) { 2263 ND_PRINT("%c", GET_U_1(typedata + i)); 2264 } else { 2265 ND_PRINT("."); 2266 } 2267 } 2268 } 2269 if(dumphex) { 2270 if (!rawprint(ndo, (const uint8_t *)typedata, idtype_len)) 2271 goto trunc; 2272 } 2273 2274 return (const u_char *)ext + item_len; 2275 trunc: 2276 ND_PRINT(" [|%s]", NPSTR(tpay)); 2277 return NULL; 2278 } 2279 2280 static const u_char * 2281 ikev2_cert_print(netdissect_options *ndo, u_char tpay, 2282 const struct isakmp_gen *ext, 2283 u_int item_len, const u_char *ep _U_, 2284 uint32_t phase _U_, uint32_t doi _U_, 2285 uint32_t proto _U_, int depth _U_) 2286 { 2287 return ikev2_gen_print(ndo, tpay, ext, item_len); 2288 } 2289 2290 static const u_char * 2291 ikev2_cr_print(netdissect_options *ndo, u_char tpay, 2292 const struct isakmp_gen *ext, 2293 u_int item_len, const u_char *ep _U_, 2294 uint32_t phase _U_, uint32_t doi _U_, 2295 uint32_t proto _U_, int depth _U_) 2296 { 2297 return ikev2_gen_print(ndo, tpay, ext, item_len); 2298 } 2299 2300 static const u_char * 2301 ikev2_auth_print(netdissect_options *ndo, u_char tpay, 2302 const struct isakmp_gen *ext, 2303 u_int item_len, const u_char *ep, 2304 uint32_t phase _U_, uint32_t doi _U_, 2305 uint32_t proto _U_, int depth _U_) 2306 { 2307 const struct ikev2_auth *p; 2308 const char *v2_auth[]={ "invalid", "rsasig", 2309 "shared-secret", "dsssig" }; 2310 const u_char *authdata = (const u_char *)ext + sizeof(struct ikev2_auth); 2311 2312 ND_TCHECK_LEN(ext, sizeof(struct ikev2_auth)); 2313 p = (const struct ikev2_auth *)ext; 2314 ikev2_pay_print(ndo, NPSTR(tpay), GET_U_1(p->h.critical)); 2315 2316 /* 2317 * Our caller has ensured that the length is >= 4. 2318 */ 2319 ND_PRINT(" len=%u method=%s", item_len-4, 2320 STR_OR_ID(GET_U_1(p->auth_method), v2_auth)); 2321 if (item_len > 4) { 2322 if (ndo->ndo_vflag > 1) { 2323 ND_PRINT(" authdata=("); 2324 if (!rawprint(ndo, (const uint8_t *)authdata, item_len - sizeof(struct ikev2_auth))) 2325 goto trunc; 2326 ND_PRINT(") "); 2327 } else if (ndo->ndo_vflag) { 2328 if (!ike_show_somedata(ndo, authdata, ep)) 2329 goto trunc; 2330 } 2331 } 2332 2333 return (const u_char *)ext + item_len; 2334 trunc: 2335 ND_PRINT(" [|%s]", NPSTR(tpay)); 2336 return NULL; 2337 } 2338 2339 static const u_char * 2340 ikev2_nonce_print(netdissect_options *ndo, u_char tpay, 2341 const struct isakmp_gen *ext, 2342 u_int item_len, const u_char *ep, 2343 uint32_t phase _U_, uint32_t doi _U_, 2344 uint32_t proto _U_, int depth _U_) 2345 { 2346 ND_TCHECK_SIZE(ext); 2347 ikev2_pay_print(ndo, "nonce", GET_U_1(ext->critical)); 2348 2349 /* 2350 * Our caller has ensured that the length is >= 4. 2351 */ 2352 ND_PRINT(" len=%u", item_len - 4); 2353 if (1 < ndo->ndo_vflag && 4 < item_len) { 2354 ND_PRINT(" nonce=("); 2355 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4)) 2356 goto trunc; 2357 ND_PRINT(") "); 2358 } else if(ndo->ndo_vflag && 4 < item_len) { 2359 if(!ike_show_somedata(ndo, (const u_char *)(ext+1), ep)) goto trunc; 2360 } 2361 2362 return (const u_char *)ext + item_len; 2363 trunc: 2364 ND_PRINT(" [|%s]", NPSTR(tpay)); 2365 return NULL; 2366 } 2367 2368 /* notify payloads */ 2369 static const u_char * 2370 ikev2_n_print(netdissect_options *ndo, u_char tpay _U_, 2371 const struct isakmp_gen *ext, 2372 u_int item_len, const u_char *ep, 2373 uint32_t phase _U_, uint32_t doi _U_, 2374 uint32_t proto _U_, int depth _U_) 2375 { 2376 const struct ikev2_n *p; 2377 uint16_t type; 2378 uint8_t spi_size; 2379 const u_char *cp; 2380 u_char showspi, showsomedata; 2381 const char *notify_name; 2382 2383 p = (const struct ikev2_n *)ext; 2384 ND_TCHECK_SIZE(p); 2385 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_N), GET_U_1(p->h.critical)); 2386 2387 showspi = 1; 2388 showsomedata=0; 2389 notify_name=NULL; 2390 2391 ND_PRINT(" prot_id=%s", PROTOIDSTR(GET_U_1(p->prot_id))); 2392 2393 type = GET_BE_U_2(p->type); 2394 2395 /* notify space is annoying sparse */ 2396 switch(type) { 2397 case IV2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD: 2398 notify_name = "unsupported_critical_payload"; 2399 showspi = 0; 2400 break; 2401 2402 case IV2_NOTIFY_INVALID_IKE_SPI: 2403 notify_name = "invalid_ike_spi"; 2404 showspi = 1; 2405 break; 2406 2407 case IV2_NOTIFY_INVALID_MAJOR_VERSION: 2408 notify_name = "invalid_major_version"; 2409 showspi = 0; 2410 break; 2411 2412 case IV2_NOTIFY_INVALID_SYNTAX: 2413 notify_name = "invalid_syntax"; 2414 showspi = 1; 2415 break; 2416 2417 case IV2_NOTIFY_INVALID_MESSAGE_ID: 2418 notify_name = "invalid_message_id"; 2419 showspi = 1; 2420 break; 2421 2422 case IV2_NOTIFY_INVALID_SPI: 2423 notify_name = "invalid_spi"; 2424 showspi = 1; 2425 break; 2426 2427 case IV2_NOTIFY_NO_PROPOSAL_CHOSEN: 2428 notify_name = "no_protocol_chosen"; 2429 showspi = 1; 2430 break; 2431 2432 case IV2_NOTIFY_INVALID_KE_PAYLOAD: 2433 notify_name = "invalid_ke_payload"; 2434 showspi = 1; 2435 break; 2436 2437 case IV2_NOTIFY_AUTHENTICATION_FAILED: 2438 notify_name = "authentication_failed"; 2439 showspi = 1; 2440 break; 2441 2442 case IV2_NOTIFY_SINGLE_PAIR_REQUIRED: 2443 notify_name = "single_pair_required"; 2444 showspi = 1; 2445 break; 2446 2447 case IV2_NOTIFY_NO_ADDITIONAL_SAS: 2448 notify_name = "no_additional_sas"; 2449 showspi = 0; 2450 break; 2451 2452 case IV2_NOTIFY_INTERNAL_ADDRESS_FAILURE: 2453 notify_name = "internal_address_failure"; 2454 showspi = 0; 2455 break; 2456 2457 case IV2_NOTIFY_FAILED_CP_REQUIRED: 2458 notify_name = "failed:cp_required"; 2459 showspi = 0; 2460 break; 2461 2462 case IV2_NOTIFY_INVALID_SELECTORS: 2463 notify_name = "invalid_selectors"; 2464 showspi = 0; 2465 break; 2466 2467 case IV2_NOTIFY_INITIAL_CONTACT: 2468 notify_name = "initial_contact"; 2469 showspi = 0; 2470 break; 2471 2472 case IV2_NOTIFY_SET_WINDOW_SIZE: 2473 notify_name = "set_window_size"; 2474 showspi = 0; 2475 break; 2476 2477 case IV2_NOTIFY_ADDITIONAL_TS_POSSIBLE: 2478 notify_name = "additional_ts_possible"; 2479 showspi = 0; 2480 break; 2481 2482 case IV2_NOTIFY_IPCOMP_SUPPORTED: 2483 notify_name = "ipcomp_supported"; 2484 showspi = 0; 2485 break; 2486 2487 case IV2_NOTIFY_NAT_DETECTION_SOURCE_IP: 2488 notify_name = "nat_detection_source_ip"; 2489 showspi = 1; 2490 break; 2491 2492 case IV2_NOTIFY_NAT_DETECTION_DESTINATION_IP: 2493 notify_name = "nat_detection_destination_ip"; 2494 showspi = 1; 2495 break; 2496 2497 case IV2_NOTIFY_COOKIE: 2498 notify_name = "cookie"; 2499 showspi = 1; 2500 showsomedata= 1; 2501 break; 2502 2503 case IV2_NOTIFY_USE_TRANSPORT_MODE: 2504 notify_name = "use_transport_mode"; 2505 showspi = 0; 2506 break; 2507 2508 case IV2_NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED: 2509 notify_name = "http_cert_lookup_supported"; 2510 showspi = 0; 2511 break; 2512 2513 case IV2_NOTIFY_REKEY_SA: 2514 notify_name = "rekey_sa"; 2515 showspi = 1; 2516 break; 2517 2518 case IV2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED: 2519 notify_name = "tfc_padding_not_supported"; 2520 showspi = 0; 2521 break; 2522 2523 case IV2_NOTIFY_NON_FIRST_FRAGMENTS_ALSO: 2524 notify_name = "non_first_fragment_also"; 2525 showspi = 0; 2526 break; 2527 2528 default: 2529 if (type < 8192) { 2530 notify_name="error"; 2531 } else if(type < 16384) { 2532 notify_name="private-error"; 2533 } else if(type < 40960) { 2534 notify_name="status"; 2535 } else { 2536 notify_name="private-status"; 2537 } 2538 } 2539 2540 if(notify_name) { 2541 ND_PRINT(" type=%u(%s)", type, notify_name); 2542 } 2543 2544 2545 spi_size = GET_U_1(p->spi_size); 2546 if (showspi && spi_size) { 2547 ND_PRINT(" spi="); 2548 if (!rawprint(ndo, (const uint8_t *)(p + 1), spi_size)) 2549 goto trunc; 2550 } 2551 2552 cp = (const u_char *)(p + 1) + spi_size; 2553 2554 if (cp < ep) { 2555 if (ndo->ndo_vflag > 3 || (showsomedata && ep-cp < 30)) { 2556 ND_PRINT(" data=("); 2557 if (!rawprint(ndo, (const uint8_t *)(cp), ep - cp)) 2558 goto trunc; 2559 2560 ND_PRINT(")"); 2561 } else if (showsomedata) { 2562 if (!ike_show_somedata(ndo, cp, ep)) 2563 goto trunc; 2564 } 2565 } 2566 2567 return (const u_char *)ext + item_len; 2568 trunc: 2569 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_N)); 2570 return NULL; 2571 } 2572 2573 static const u_char * 2574 ikev2_d_print(netdissect_options *ndo, u_char tpay, 2575 const struct isakmp_gen *ext, 2576 u_int item_len, const u_char *ep _U_, 2577 uint32_t phase _U_, uint32_t doi _U_, 2578 uint32_t proto _U_, int depth _U_) 2579 { 2580 return ikev2_gen_print(ndo, tpay, ext, item_len); 2581 } 2582 2583 static const u_char * 2584 ikev2_vid_print(netdissect_options *ndo, u_char tpay, 2585 const struct isakmp_gen *ext, 2586 u_int item_len, const u_char *ep _U_, 2587 uint32_t phase _U_, uint32_t doi _U_, 2588 uint32_t proto _U_, int depth _U_) 2589 { 2590 const u_char *vid; 2591 u_int i, len; 2592 2593 ND_TCHECK_SIZE(ext); 2594 ikev2_pay_print(ndo, NPSTR(tpay), GET_U_1(ext->critical)); 2595 2596 /* 2597 * Our caller has ensured that the length is >= 4. 2598 */ 2599 ND_PRINT(" len=%u vid=", item_len - 4); 2600 2601 vid = (const u_char *)(ext+1); 2602 len = item_len - 4; 2603 ND_TCHECK_LEN(vid, len); 2604 for(i=0; i<len; i++) { 2605 if(ND_ASCII_ISPRINT(GET_U_1(vid + i))) 2606 ND_PRINT("%c", GET_U_1(vid + i)); 2607 else ND_PRINT("."); 2608 } 2609 if (2 < ndo->ndo_vflag && 4 < len) { 2610 /* Print the entire payload in hex */ 2611 ND_PRINT(" "); 2612 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4)) 2613 goto trunc; 2614 } 2615 return (const u_char *)ext + item_len; 2616 trunc: 2617 ND_PRINT(" [|%s]", NPSTR(tpay)); 2618 return NULL; 2619 } 2620 2621 static const u_char * 2622 ikev2_TS_print(netdissect_options *ndo, u_char tpay, 2623 const struct isakmp_gen *ext, 2624 u_int item_len, const u_char *ep _U_, 2625 uint32_t phase _U_, uint32_t doi _U_, 2626 uint32_t proto _U_, int depth _U_) 2627 { 2628 return ikev2_gen_print(ndo, tpay, ext, item_len); 2629 } 2630 2631 static const u_char * 2632 ikev2_e_print(netdissect_options *ndo, 2633 #ifndef HAVE_LIBCRYPTO 2634 _U_ 2635 #endif 2636 const struct isakmp *base, 2637 u_char tpay, 2638 const struct isakmp_gen *ext, 2639 u_int item_len, const u_char *ep _U_, 2640 #ifndef HAVE_LIBCRYPTO 2641 _U_ 2642 #endif 2643 uint32_t phase, 2644 #ifndef HAVE_LIBCRYPTO 2645 _U_ 2646 #endif 2647 uint32_t doi, 2648 #ifndef HAVE_LIBCRYPTO 2649 _U_ 2650 #endif 2651 uint32_t proto, 2652 #ifndef HAVE_LIBCRYPTO 2653 _U_ 2654 #endif 2655 int depth) 2656 { 2657 const u_char *dat; 2658 u_int dlen; 2659 #ifdef HAVE_LIBCRYPTO 2660 uint8_t np; 2661 #endif 2662 2663 ND_TCHECK_SIZE(ext); 2664 ikev2_pay_print(ndo, NPSTR(tpay), GET_U_1(ext->critical)); 2665 2666 dlen = item_len-4; 2667 2668 ND_PRINT(" len=%u", dlen); 2669 if (2 < ndo->ndo_vflag && 4 < dlen) { 2670 ND_PRINT(" "); 2671 if (!rawprint(ndo, (const uint8_t *)(ext + 1), dlen)) 2672 goto trunc; 2673 } 2674 2675 dat = (const u_char *)(ext+1); 2676 ND_TCHECK_LEN(dat, dlen); 2677 2678 #ifdef HAVE_LIBCRYPTO 2679 np = GET_U_1(ext->np); 2680 2681 /* try to decrypt it! */ 2682 if(esp_decrypt_buffer_by_ikev2_print(ndo, 2683 GET_U_1(base->flags) & ISAKMP_FLAG_I, 2684 base->i_ck, base->r_ck, 2685 dat, dat+dlen)) { 2686 2687 ext = (const struct isakmp_gen *)ndo->ndo_packetp; 2688 2689 /* got it decrypted, print stuff inside. */ 2690 ikev2_sub_print(ndo, base, np, ext, 2691 ndo->ndo_snapend, phase, doi, proto, depth+1); 2692 2693 /* 2694 * esp_decrypt_buffer_by_ikev2_print pushed information 2695 * on the buffer stack; we're done with the buffer, so 2696 * pop it (which frees the buffer) 2697 */ 2698 nd_pop_packet_info(ndo); 2699 } 2700 #endif 2701 2702 2703 /* always return NULL, because E must be at end, and NP refers 2704 * to what was inside. 2705 */ 2706 return NULL; 2707 trunc: 2708 ND_PRINT(" [|%s]", NPSTR(tpay)); 2709 return NULL; 2710 } 2711 2712 static const u_char * 2713 ikev2_cp_print(netdissect_options *ndo, u_char tpay, 2714 const struct isakmp_gen *ext, 2715 u_int item_len, const u_char *ep _U_, 2716 uint32_t phase _U_, uint32_t doi _U_, 2717 uint32_t proto _U_, int depth _U_) 2718 { 2719 return ikev2_gen_print(ndo, tpay, ext, item_len); 2720 } 2721 2722 static const u_char * 2723 ikev2_eap_print(netdissect_options *ndo, u_char tpay, 2724 const struct isakmp_gen *ext, 2725 u_int item_len, const u_char *ep _U_, 2726 uint32_t phase _U_, uint32_t doi _U_, 2727 uint32_t proto _U_, int depth _U_) 2728 { 2729 return ikev2_gen_print(ndo, tpay, ext, item_len); 2730 } 2731 2732 static const u_char * 2733 ike_sub0_print(netdissect_options *ndo, 2734 u_char np, const struct isakmp_gen *ext, const u_char *ep, 2735 2736 uint32_t phase, uint32_t doi, uint32_t proto, int depth) 2737 { 2738 const u_char *cp; 2739 u_int item_len; 2740 2741 cp = (const u_char *)ext; 2742 ND_TCHECK_SIZE(ext); 2743 2744 /* 2745 * Since we can't have a payload length of less than 4 bytes, 2746 * we need to bail out here if the generic header is nonsensical 2747 * or truncated, otherwise we could loop forever processing 2748 * zero-length items or otherwise misdissect the packet. 2749 */ 2750 item_len = GET_BE_U_2(ext->len); 2751 if (item_len <= 4) 2752 return NULL; 2753 2754 if (NPFUNC(np)) { 2755 /* 2756 * XXX - what if item_len is too short, or too long, 2757 * for this payload type? 2758 */ 2759 cp = (*npfunc[np])(ndo, np, ext, item_len, ep, phase, doi, proto, depth); 2760 } else { 2761 ND_PRINT("%s", NPSTR(np)); 2762 cp += item_len; 2763 } 2764 2765 return cp; 2766 trunc: 2767 nd_print_trunc(ndo); 2768 return NULL; 2769 } 2770 2771 static const u_char * 2772 ikev1_sub_print(netdissect_options *ndo, 2773 u_char np, const struct isakmp_gen *ext, const u_char *ep, 2774 uint32_t phase, uint32_t doi, uint32_t proto, int depth) 2775 { 2776 const u_char *cp; 2777 int i; 2778 u_int item_len; 2779 2780 cp = (const u_char *)ext; 2781 2782 while (np) { 2783 ND_TCHECK_SIZE(ext); 2784 2785 item_len = GET_BE_U_2(ext->len); 2786 ND_TCHECK_LEN(ext, item_len); 2787 2788 depth++; 2789 ND_PRINT("\n"); 2790 for (i = 0; i < depth; i++) 2791 ND_PRINT(" "); 2792 ND_PRINT("("); 2793 cp = ike_sub0_print(ndo, np, ext, ep, phase, doi, proto, depth); 2794 ND_PRINT(")"); 2795 depth--; 2796 2797 if (cp == NULL) { 2798 /* Zero-length subitem */ 2799 return NULL; 2800 } 2801 2802 np = GET_U_1(ext->np); 2803 ext = (const struct isakmp_gen *)cp; 2804 } 2805 return cp; 2806 trunc: 2807 ND_PRINT(" [|%s]", NPSTR(np)); 2808 return NULL; 2809 } 2810 2811 static char * 2812 numstr(u_int x) 2813 { 2814 static char buf[20]; 2815 snprintf(buf, sizeof(buf), "#%u", x); 2816 return buf; 2817 } 2818 2819 static void 2820 ikev1_print(netdissect_options *ndo, 2821 const u_char *bp, u_int length, 2822 const u_char *bp2, const struct isakmp *base) 2823 { 2824 const struct isakmp *p; 2825 const u_char *ep; 2826 u_int flags; 2827 u_char np; 2828 int i; 2829 u_int phase; 2830 2831 p = (const struct isakmp *)bp; 2832 ep = ndo->ndo_snapend; 2833 2834 phase = (GET_BE_U_4(base->msgid) == 0) ? 1 : 2; 2835 if (phase == 1) 2836 ND_PRINT(" phase %u", phase); 2837 else 2838 ND_PRINT(" phase %u/others", phase); 2839 2840 i = cookie_find(&base->i_ck); 2841 if (i < 0) { 2842 if (iszero(ndo, base->r_ck, sizeof(base->r_ck))) { 2843 /* the first packet */ 2844 ND_PRINT(" I"); 2845 if (bp2) 2846 cookie_record(ndo, &base->i_ck, bp2); 2847 } else 2848 ND_PRINT(" ?"); 2849 } else { 2850 if (bp2 && cookie_isinitiator(ndo, i, bp2)) 2851 ND_PRINT(" I"); 2852 else if (bp2 && cookie_isresponder(ndo, i, bp2)) 2853 ND_PRINT(" R"); 2854 else 2855 ND_PRINT(" ?"); 2856 } 2857 2858 ND_PRINT(" %s", ETYPESTR(GET_U_1(base->etype))); 2859 flags = GET_U_1(base->flags); 2860 if (flags) { 2861 ND_PRINT("[%s%s]", flags & ISAKMP_FLAG_E ? "E" : "", 2862 flags & ISAKMP_FLAG_C ? "C" : ""); 2863 } 2864 2865 if (ndo->ndo_vflag) { 2866 const struct isakmp_gen *ext; 2867 2868 ND_PRINT(":"); 2869 2870 np = GET_U_1(base->np); 2871 2872 /* regardless of phase... */ 2873 if (flags & ISAKMP_FLAG_E) { 2874 /* 2875 * encrypted, nothing we can do right now. 2876 * we hope to decrypt the packet in the future... 2877 */ 2878 ND_PRINT(" [encrypted %s]", NPSTR(np)); 2879 goto done; 2880 } 2881 2882 CHECKLEN(p + 1, np); 2883 ext = (const struct isakmp_gen *)(p + 1); 2884 ikev1_sub_print(ndo, np, ext, ep, phase, 0, 0, 0); 2885 } 2886 2887 done: 2888 if (ndo->ndo_vflag) { 2889 if (GET_BE_U_4(base->len) != length) { 2890 ND_PRINT(" (len mismatch: isakmp %u/ip %u)", 2891 GET_BE_U_4(base->len), length); 2892 } 2893 } 2894 } 2895 2896 static const u_char * 2897 ikev2_sub0_print(netdissect_options *ndo, const struct isakmp *base, 2898 u_char np, 2899 const struct isakmp_gen *ext, const u_char *ep, 2900 uint32_t phase, uint32_t doi, uint32_t proto, int depth) 2901 { 2902 const u_char *cp; 2903 u_int item_len; 2904 2905 cp = (const u_char *)ext; 2906 ND_TCHECK_SIZE(ext); 2907 2908 /* 2909 * Since we can't have a payload length of less than 4 bytes, 2910 * we need to bail out here if the generic header is nonsensical 2911 * or truncated, otherwise we could loop forever processing 2912 * zero-length items or otherwise misdissect the packet. 2913 */ 2914 item_len = GET_BE_U_2(ext->len); 2915 if (item_len <= 4) 2916 return NULL; 2917 2918 if (np == ISAKMP_NPTYPE_v2E) { 2919 cp = ikev2_e_print(ndo, base, np, ext, item_len, 2920 ep, phase, doi, proto, depth); 2921 } else if (NPFUNC(np)) { 2922 /* 2923 * XXX - what if item_len is too short, or too long, 2924 * for this payload type? 2925 */ 2926 cp = (*npfunc[np])(ndo, np, ext, item_len, 2927 ep, phase, doi, proto, depth); 2928 } else { 2929 ND_PRINT("%s", NPSTR(np)); 2930 cp += item_len; 2931 } 2932 2933 return cp; 2934 trunc: 2935 nd_print_trunc(ndo); 2936 return NULL; 2937 } 2938 2939 static const u_char * 2940 ikev2_sub_print(netdissect_options *ndo, 2941 const struct isakmp *base, 2942 u_char np, const struct isakmp_gen *ext, const u_char *ep, 2943 uint32_t phase, uint32_t doi, uint32_t proto, int depth) 2944 { 2945 const u_char *cp; 2946 int i; 2947 2948 cp = (const u_char *)ext; 2949 while (np) { 2950 ND_TCHECK_SIZE(ext); 2951 2952 ND_TCHECK_LEN(ext, GET_BE_U_2(ext->len)); 2953 2954 depth++; 2955 ND_PRINT("\n"); 2956 for (i = 0; i < depth; i++) 2957 ND_PRINT(" "); 2958 ND_PRINT("("); 2959 cp = ikev2_sub0_print(ndo, base, np, 2960 ext, ep, phase, doi, proto, depth); 2961 ND_PRINT(")"); 2962 depth--; 2963 2964 if (cp == NULL) { 2965 /* Zero-length subitem */ 2966 return NULL; 2967 } 2968 2969 np = GET_U_1(ext->np); 2970 ext = (const struct isakmp_gen *)cp; 2971 } 2972 return cp; 2973 trunc: 2974 ND_PRINT(" [|%s]", NPSTR(np)); 2975 return NULL; 2976 } 2977 2978 static void 2979 ikev2_print(netdissect_options *ndo, 2980 const u_char *bp, u_int length, 2981 const u_char *bp2 _U_, const struct isakmp *base) 2982 { 2983 const struct isakmp *p; 2984 const u_char *ep; 2985 uint8_t flags; 2986 u_char np; 2987 u_int phase; 2988 2989 p = (const struct isakmp *)bp; 2990 ep = ndo->ndo_snapend; 2991 2992 phase = (GET_BE_U_4(base->msgid) == 0) ? 1 : 2; 2993 if (phase == 1) 2994 ND_PRINT(" parent_sa"); 2995 else 2996 ND_PRINT(" child_sa "); 2997 2998 ND_PRINT(" %s", ETYPESTR(GET_U_1(base->etype))); 2999 flags = GET_U_1(base->flags); 3000 if (flags) { 3001 ND_PRINT("[%s%s%s]", 3002 flags & ISAKMP_FLAG_I ? "I" : "", 3003 flags & ISAKMP_FLAG_V ? "V" : "", 3004 flags & ISAKMP_FLAG_R ? "R" : ""); 3005 } 3006 3007 if (ndo->ndo_vflag) { 3008 const struct isakmp_gen *ext; 3009 3010 ND_PRINT(":"); 3011 3012 np = GET_U_1(base->np); 3013 3014 /* regardless of phase... */ 3015 if (flags & ISAKMP_FLAG_E) { 3016 /* 3017 * encrypted, nothing we can do right now. 3018 * we hope to decrypt the packet in the future... 3019 */ 3020 ND_PRINT(" [encrypted %s]", NPSTR(np)); 3021 goto done; 3022 } 3023 3024 CHECKLEN(p + 1, np) 3025 ext = (const struct isakmp_gen *)(p + 1); 3026 ikev2_sub_print(ndo, base, np, ext, ep, phase, 0, 0, 0); 3027 } 3028 3029 done: 3030 if (ndo->ndo_vflag) { 3031 if (GET_BE_U_4(base->len) != length) { 3032 ND_PRINT(" (len mismatch: isakmp %u/ip %u)", 3033 GET_BE_U_4(base->len), length); 3034 } 3035 } 3036 } 3037 3038 void 3039 isakmp_print(netdissect_options *ndo, 3040 const u_char *bp, u_int length, 3041 const u_char *bp2) 3042 { 3043 const struct isakmp *p; 3044 const u_char *ep; 3045 u_int major, minor; 3046 3047 ndo->ndo_protocol = "isakmp"; 3048 #ifdef HAVE_LIBCRYPTO 3049 /* initialize SAs */ 3050 if (ndo->ndo_sa_list_head == NULL) { 3051 if (ndo->ndo_espsecret) 3052 esp_decodesecret_print(ndo); 3053 } 3054 #endif 3055 3056 p = (const struct isakmp *)bp; 3057 ep = ndo->ndo_snapend; 3058 3059 if ((const struct isakmp *)ep < p + 1) { 3060 nd_print_trunc(ndo); 3061 return; 3062 } 3063 3064 ND_PRINT("isakmp"); 3065 major = (GET_U_1(p->vers) & ISAKMP_VERS_MAJOR) 3066 >> ISAKMP_VERS_MAJOR_SHIFT; 3067 minor = (GET_U_1(p->vers) & ISAKMP_VERS_MINOR) 3068 >> ISAKMP_VERS_MINOR_SHIFT; 3069 3070 if (ndo->ndo_vflag) { 3071 ND_PRINT(" %u.%u", major, minor); 3072 } 3073 3074 if (ndo->ndo_vflag) { 3075 ND_PRINT(" msgid "); 3076 hexprint(ndo, p->msgid, sizeof(p->msgid)); 3077 } 3078 3079 if (1 < ndo->ndo_vflag) { 3080 ND_PRINT(" cookie "); 3081 hexprint(ndo, p->i_ck, sizeof(p->i_ck)); 3082 ND_PRINT("->"); 3083 hexprint(ndo, p->r_ck, sizeof(p->r_ck)); 3084 } 3085 ND_PRINT(":"); 3086 3087 switch(major) { 3088 case IKEv1_MAJOR_VERSION: 3089 ikev1_print(ndo, bp, length, bp2, p); 3090 break; 3091 3092 case IKEv2_MAJOR_VERSION: 3093 ikev2_print(ndo, bp, length, bp2, p); 3094 break; 3095 } 3096 } 3097 3098 void 3099 isakmp_rfc3948_print(netdissect_options *ndo, 3100 const u_char *bp, u_int length, 3101 const u_char *bp2, int ver, int fragmented, u_int ttl_hl) 3102 { 3103 ndo->ndo_protocol = "isakmp_rfc3948"; 3104 if(length == 1 && GET_U_1(bp)==0xff) { 3105 ND_PRINT("isakmp-nat-keep-alive"); 3106 return; 3107 } 3108 3109 if(length < 4) { 3110 goto trunc; 3111 } 3112 3113 /* 3114 * see if this is an IKE packet 3115 */ 3116 if (GET_BE_U_4(bp) == 0) { 3117 ND_PRINT("NONESP-encap: "); 3118 isakmp_print(ndo, bp+4, length-4, bp2); 3119 return; 3120 } 3121 3122 /* must be an ESP packet */ 3123 { 3124 ND_PRINT("UDP-encap: "); 3125 3126 esp_print(ndo, bp, length, bp2, ver, fragmented, ttl_hl); 3127 3128 /* 3129 * Either this has decrypted the payload and 3130 * printed it, in which case there's nothing more 3131 * to do, or it hasn't, in which case there's 3132 * nothing more to do. 3133 */ 3134 return; 3135 } 3136 3137 trunc: 3138 nd_print_trunc(ndo); 3139 } 3140