1 /* 2 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. Neither the name of the project nor the names of its contributors 14 * may be used to endorse or promote products derived from this software 15 * without specific prior written permission. 16 * 17 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27 * SUCH DAMAGE. 28 * 29 */ 30 31 #include <sys/cdefs.h> 32 #ifndef lint 33 __RCSID("$NetBSD: print-isakmp.c,v 1.11 2019/10/01 16:06:16 christos Exp $"); 34 #endif 35 36 /* \summary: Internet Security Association and Key Management Protocol (ISAKMP) printer */ 37 38 #ifdef HAVE_CONFIG_H 39 #include "config.h" 40 #endif 41 42 /* The functions from print-esp.c used in this file are only defined when both 43 * OpenSSL and evp.h are detected. Employ the same preprocessor device here. 44 */ 45 #ifndef HAVE_OPENSSL_EVP_H 46 #undef HAVE_LIBCRYPTO 47 #endif 48 49 #include <netdissect-stdinc.h> 50 51 #include <string.h> 52 53 #include "netdissect.h" 54 #include "addrtoname.h" 55 #include "extract.h" 56 57 #include "ip.h" 58 #include "ip6.h" 59 #include "ipproto.h" 60 61 /* refer to RFC 2408 */ 62 63 typedef u_char cookie_t[8]; 64 typedef u_char msgid_t[4]; 65 66 #define PORT_ISAKMP 500 67 68 /* 3.1 ISAKMP Header Format (IKEv1 and IKEv2) 69 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 70 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 71 ! Initiator ! 72 ! Cookie ! 73 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 74 ! Responder ! 75 ! Cookie ! 76 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 77 ! Next Payload ! MjVer ! MnVer ! Exchange Type ! Flags ! 78 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 79 ! Message ID ! 80 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 81 ! Length ! 82 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 83 */ 84 struct isakmp { 85 cookie_t i_ck; /* Initiator Cookie */ 86 cookie_t r_ck; /* Responder Cookie */ 87 uint8_t np; /* Next Payload Type */ 88 uint8_t vers; 89 #define ISAKMP_VERS_MAJOR 0xf0 90 #define ISAKMP_VERS_MAJOR_SHIFT 4 91 #define ISAKMP_VERS_MINOR 0x0f 92 #define ISAKMP_VERS_MINOR_SHIFT 0 93 uint8_t etype; /* Exchange Type */ 94 uint8_t flags; /* Flags */ 95 msgid_t msgid; 96 uint32_t len; /* Length */ 97 }; 98 99 /* Next Payload Type */ 100 #define ISAKMP_NPTYPE_NONE 0 /* NONE*/ 101 #define ISAKMP_NPTYPE_SA 1 /* Security Association */ 102 #define ISAKMP_NPTYPE_P 2 /* Proposal */ 103 #define ISAKMP_NPTYPE_T 3 /* Transform */ 104 #define ISAKMP_NPTYPE_KE 4 /* Key Exchange */ 105 #define ISAKMP_NPTYPE_ID 5 /* Identification */ 106 #define ISAKMP_NPTYPE_CERT 6 /* Certificate */ 107 #define ISAKMP_NPTYPE_CR 7 /* Certificate Request */ 108 #define ISAKMP_NPTYPE_HASH 8 /* Hash */ 109 #define ISAKMP_NPTYPE_SIG 9 /* Signature */ 110 #define ISAKMP_NPTYPE_NONCE 10 /* Nonce */ 111 #define ISAKMP_NPTYPE_N 11 /* Notification */ 112 #define ISAKMP_NPTYPE_D 12 /* Delete */ 113 #define ISAKMP_NPTYPE_VID 13 /* Vendor ID */ 114 #define ISAKMP_NPTYPE_v2E 46 /* v2 Encrypted payload */ 115 116 #define IKEv1_MAJOR_VERSION 1 117 #define IKEv1_MINOR_VERSION 0 118 119 #define IKEv2_MAJOR_VERSION 2 120 #define IKEv2_MINOR_VERSION 0 121 122 /* Flags */ 123 #define ISAKMP_FLAG_E 0x01 /* Encryption Bit */ 124 #define ISAKMP_FLAG_C 0x02 /* Commit Bit */ 125 #define ISAKMP_FLAG_extra 0x04 126 127 /* IKEv2 */ 128 #define ISAKMP_FLAG_I (1 << 3) /* (I)nitiator */ 129 #define ISAKMP_FLAG_V (1 << 4) /* (V)ersion */ 130 #define ISAKMP_FLAG_R (1 << 5) /* (R)esponse */ 131 132 133 /* 3.2 Payload Generic Header 134 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 135 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 136 ! Next Payload ! RESERVED ! Payload Length ! 137 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 138 */ 139 struct isakmp_gen { 140 uint8_t np; /* Next Payload */ 141 uint8_t critical; /* bit 7 - critical, rest is RESERVED */ 142 uint16_t len; /* Payload Length */ 143 }; 144 145 /* 3.3 Data Attributes 146 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 147 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 148 !A! Attribute Type ! AF=0 Attribute Length ! 149 !F! ! AF=1 Attribute Value ! 150 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 151 . AF=0 Attribute Value . 152 . AF=1 Not Transmitted . 153 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 154 */ 155 struct isakmp_data { 156 uint16_t type; /* defined by DOI-spec, and Attribute Format */ 157 uint16_t lorv; /* if f equal 1, Attribute Length */ 158 /* if f equal 0, Attribute Value */ 159 /* if f equal 1, Attribute Value */ 160 }; 161 162 /* 3.4 Security Association Payload */ 163 /* MAY NOT be used, because of being defined in ipsec-doi. */ 164 /* 165 If the current payload is the last in the message, 166 then the value of the next payload field will be 0. 167 This field MUST NOT contain the 168 values for the Proposal or Transform payloads as they are considered 169 part of the security association negotiation. For example, this 170 field would contain the value "10" (Nonce payload) in the first 171 message of a Base Exchange (see Section 4.4) and the value "0" in the 172 first message of an Identity Protect Exchange (see Section 4.5). 173 */ 174 struct ikev1_pl_sa { 175 struct isakmp_gen h; 176 uint32_t doi; /* Domain of Interpretation */ 177 uint32_t sit; /* Situation */ 178 }; 179 180 /* 3.5 Proposal Payload */ 181 /* 182 The value of the next payload field MUST only contain the value "2" 183 or "0". If there are additional Proposal payloads in the message, 184 then this field will be 2. If the current Proposal payload is the 185 last within the security association proposal, then this field will 186 be 0. 187 */ 188 struct ikev1_pl_p { 189 struct isakmp_gen h; 190 uint8_t p_no; /* Proposal # */ 191 uint8_t prot_id; /* Protocol */ 192 uint8_t spi_size; /* SPI Size */ 193 uint8_t num_t; /* Number of Transforms */ 194 /* SPI */ 195 }; 196 197 /* 3.6 Transform Payload */ 198 /* 199 The value of the next payload field MUST only contain the value "3" 200 or "0". If there are additional Transform payloads in the proposal, 201 then this field will be 3. If the current Transform payload is the 202 last within the proposal, then this field will be 0. 203 */ 204 struct ikev1_pl_t { 205 struct isakmp_gen h; 206 uint8_t t_no; /* Transform # */ 207 uint8_t t_id; /* Transform-Id */ 208 uint16_t reserved; /* RESERVED2 */ 209 /* SA Attributes */ 210 }; 211 212 /* 3.7 Key Exchange Payload */ 213 struct ikev1_pl_ke { 214 struct isakmp_gen h; 215 /* Key Exchange Data */ 216 }; 217 218 /* 3.8 Identification Payload */ 219 /* MUST NOT to be used, because of being defined in ipsec-doi. */ 220 struct ikev1_pl_id { 221 struct isakmp_gen h; 222 union { 223 uint8_t id_type; /* ID Type */ 224 uint32_t doi_data; /* DOI Specific ID Data */ 225 } d; 226 /* Identification Data */ 227 }; 228 229 /* 3.9 Certificate Payload */ 230 struct ikev1_pl_cert { 231 struct isakmp_gen h; 232 uint8_t encode; /* Cert Encoding */ 233 char cert; /* Certificate Data */ 234 /* 235 This field indicates the type of 236 certificate or certificate-related information contained in the 237 Certificate Data field. 238 */ 239 }; 240 241 /* 3.10 Certificate Request Payload */ 242 struct ikev1_pl_cr { 243 struct isakmp_gen h; 244 uint8_t num_cert; /* # Cert. Types */ 245 /* 246 Certificate Types (variable length) 247 -- Contains a list of the types of certificates requested, 248 sorted in order of preference. Each individual certificate 249 type is 1 octet. This field is NOT requiredo 250 */ 251 /* # Certificate Authorities (1 octet) */ 252 /* Certificate Authorities (variable length) */ 253 }; 254 255 /* 3.11 Hash Payload */ 256 /* may not be used, because of having only data. */ 257 struct ikev1_pl_hash { 258 struct isakmp_gen h; 259 /* Hash Data */ 260 }; 261 262 /* 3.12 Signature Payload */ 263 /* may not be used, because of having only data. */ 264 struct ikev1_pl_sig { 265 struct isakmp_gen h; 266 /* Signature Data */ 267 }; 268 269 /* 3.13 Nonce Payload */ 270 /* may not be used, because of having only data. */ 271 struct ikev1_pl_nonce { 272 struct isakmp_gen h; 273 /* Nonce Data */ 274 }; 275 276 /* 3.14 Notification Payload */ 277 struct ikev1_pl_n { 278 struct isakmp_gen h; 279 uint32_t doi; /* Domain of Interpretation */ 280 uint8_t prot_id; /* Protocol-ID */ 281 uint8_t spi_size; /* SPI Size */ 282 uint16_t type; /* Notify Message Type */ 283 /* SPI */ 284 /* Notification Data */ 285 }; 286 287 /* 3.14.1 Notify Message Types */ 288 /* NOTIFY MESSAGES - ERROR TYPES */ 289 #define ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE 1 290 #define ISAKMP_NTYPE_DOI_NOT_SUPPORTED 2 291 #define ISAKMP_NTYPE_SITUATION_NOT_SUPPORTED 3 292 #define ISAKMP_NTYPE_INVALID_COOKIE 4 293 #define ISAKMP_NTYPE_INVALID_MAJOR_VERSION 5 294 #define ISAKMP_NTYPE_INVALID_MINOR_VERSION 6 295 #define ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE 7 296 #define ISAKMP_NTYPE_INVALID_FLAGS 8 297 #define ISAKMP_NTYPE_INVALID_MESSAGE_ID 9 298 #define ISAKMP_NTYPE_INVALID_PROTOCOL_ID 10 299 #define ISAKMP_NTYPE_INVALID_SPI 11 300 #define ISAKMP_NTYPE_INVALID_TRANSFORM_ID 12 301 #define ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED 13 302 #define ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN 14 303 #define ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX 15 304 #define ISAKMP_NTYPE_PAYLOAD_MALFORMED 16 305 #define ISAKMP_NTYPE_INVALID_KEY_INFORMATION 17 306 #define ISAKMP_NTYPE_INVALID_ID_INFORMATION 18 307 #define ISAKMP_NTYPE_INVALID_CERT_ENCODING 19 308 #define ISAKMP_NTYPE_INVALID_CERTIFICATE 20 309 #define ISAKMP_NTYPE_BAD_CERT_REQUEST_SYNTAX 21 310 #define ISAKMP_NTYPE_INVALID_CERT_AUTHORITY 22 311 #define ISAKMP_NTYPE_INVALID_HASH_INFORMATION 23 312 #define ISAKMP_NTYPE_AUTHENTICATION_FAILED 24 313 #define ISAKMP_NTYPE_INVALID_SIGNATURE 25 314 #define ISAKMP_NTYPE_ADDRESS_NOTIFICATION 26 315 316 /* 3.15 Delete Payload */ 317 struct ikev1_pl_d { 318 struct isakmp_gen h; 319 uint32_t doi; /* Domain of Interpretation */ 320 uint8_t prot_id; /* Protocol-Id */ 321 uint8_t spi_size; /* SPI Size */ 322 uint16_t num_spi; /* # of SPIs */ 323 /* SPI(es) */ 324 }; 325 326 struct ikev1_ph1tab { 327 struct ikev1_ph1 *head; 328 struct ikev1_ph1 *tail; 329 int len; 330 }; 331 332 struct isakmp_ph2tab { 333 struct ikev1_ph2 *head; 334 struct ikev1_ph2 *tail; 335 int len; 336 }; 337 338 /* IKEv2 (RFC4306) */ 339 340 /* 3.3 Security Association Payload -- generic header */ 341 /* 3.3.1. Proposal Substructure */ 342 struct ikev2_p { 343 struct isakmp_gen h; 344 uint8_t p_no; /* Proposal # */ 345 uint8_t prot_id; /* Protocol */ 346 uint8_t spi_size; /* SPI Size */ 347 uint8_t num_t; /* Number of Transforms */ 348 }; 349 350 /* 3.3.2. Transform Substructure */ 351 struct ikev2_t { 352 struct isakmp_gen h; 353 uint8_t t_type; /* Transform Type (ENCR,PRF,INTEG,etc.*/ 354 uint8_t res2; /* reserved byte */ 355 uint16_t t_id; /* Transform ID */ 356 }; 357 358 enum ikev2_t_type { 359 IV2_T_ENCR = 1, 360 IV2_T_PRF = 2, 361 IV2_T_INTEG= 3, 362 IV2_T_DH = 4, 363 IV2_T_ESN = 5 364 }; 365 366 /* 3.4. Key Exchange Payload */ 367 struct ikev2_ke { 368 struct isakmp_gen h; 369 uint16_t ke_group; 370 uint16_t ke_res1; 371 /* KE data */ 372 }; 373 374 375 /* 3.5. Identification Payloads */ 376 enum ikev2_id_type { 377 ID_IPV4_ADDR=1, 378 ID_FQDN=2, 379 ID_RFC822_ADDR=3, 380 ID_IPV6_ADDR=5, 381 ID_DER_ASN1_DN=9, 382 ID_DER_ASN1_GN=10, 383 ID_KEY_ID=11 384 }; 385 struct ikev2_id { 386 struct isakmp_gen h; 387 uint8_t type; /* ID type */ 388 uint8_t res1; 389 uint16_t res2; 390 /* SPI */ 391 /* Notification Data */ 392 }; 393 394 /* 3.10 Notification Payload */ 395 struct ikev2_n { 396 struct isakmp_gen h; 397 uint8_t prot_id; /* Protocol-ID */ 398 uint8_t spi_size; /* SPI Size */ 399 uint16_t type; /* Notify Message Type */ 400 }; 401 402 enum ikev2_n_type { 403 IV2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD = 1, 404 IV2_NOTIFY_INVALID_IKE_SPI = 4, 405 IV2_NOTIFY_INVALID_MAJOR_VERSION = 5, 406 IV2_NOTIFY_INVALID_SYNTAX = 7, 407 IV2_NOTIFY_INVALID_MESSAGE_ID = 9, 408 IV2_NOTIFY_INVALID_SPI =11, 409 IV2_NOTIFY_NO_PROPOSAL_CHOSEN =14, 410 IV2_NOTIFY_INVALID_KE_PAYLOAD =17, 411 IV2_NOTIFY_AUTHENTICATION_FAILED =24, 412 IV2_NOTIFY_SINGLE_PAIR_REQUIRED =34, 413 IV2_NOTIFY_NO_ADDITIONAL_SAS =35, 414 IV2_NOTIFY_INTERNAL_ADDRESS_FAILURE =36, 415 IV2_NOTIFY_FAILED_CP_REQUIRED =37, 416 IV2_NOTIFY_INVALID_SELECTORS =39, 417 IV2_NOTIFY_INITIAL_CONTACT =16384, 418 IV2_NOTIFY_SET_WINDOW_SIZE =16385, 419 IV2_NOTIFY_ADDITIONAL_TS_POSSIBLE =16386, 420 IV2_NOTIFY_IPCOMP_SUPPORTED =16387, 421 IV2_NOTIFY_NAT_DETECTION_SOURCE_IP =16388, 422 IV2_NOTIFY_NAT_DETECTION_DESTINATION_IP =16389, 423 IV2_NOTIFY_COOKIE =16390, 424 IV2_NOTIFY_USE_TRANSPORT_MODE =16391, 425 IV2_NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED =16392, 426 IV2_NOTIFY_REKEY_SA =16393, 427 IV2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED =16394, 428 IV2_NOTIFY_NON_FIRST_FRAGMENTS_ALSO =16395 429 }; 430 431 struct notify_messages { 432 uint16_t type; 433 char *msg; 434 }; 435 436 /* 3.8 Authentication Payload */ 437 struct ikev2_auth { 438 struct isakmp_gen h; 439 uint8_t auth_method; /* Protocol-ID */ 440 uint8_t reserved[3]; 441 /* authentication data */ 442 }; 443 444 enum ikev2_auth_type { 445 IV2_RSA_SIG = 1, 446 IV2_SHARED = 2, 447 IV2_DSS_SIG = 3 448 }; 449 450 /* refer to RFC 2409 */ 451 452 #if 0 453 /* isakmp sa structure */ 454 struct oakley_sa { 455 uint8_t proto_id; /* OAKLEY */ 456 vchar_t *spi; /* spi */ 457 uint8_t dhgrp; /* DH; group */ 458 uint8_t auth_t; /* method of authentication */ 459 uint8_t prf_t; /* type of prf */ 460 uint8_t hash_t; /* type of hash */ 461 uint8_t enc_t; /* type of cipher */ 462 uint8_t life_t; /* type of duration of lifetime */ 463 uint32_t ldur; /* life duration */ 464 }; 465 #endif 466 467 /* refer to RFC 2407 */ 468 469 #define IPSEC_DOI 1 470 471 /* 4.2 IPSEC Situation Definition */ 472 #define IPSECDOI_SIT_IDENTITY_ONLY 0x00000001 473 #define IPSECDOI_SIT_SECRECY 0x00000002 474 #define IPSECDOI_SIT_INTEGRITY 0x00000004 475 476 /* 4.4.1 IPSEC Security Protocol Identifiers */ 477 /* 4.4.2 IPSEC ISAKMP Transform Values */ 478 #define IPSECDOI_PROTO_ISAKMP 1 479 #define IPSECDOI_KEY_IKE 1 480 481 /* 4.4.1 IPSEC Security Protocol Identifiers */ 482 #define IPSECDOI_PROTO_IPSEC_AH 2 483 /* 4.4.3 IPSEC AH Transform Values */ 484 #define IPSECDOI_AH_MD5 2 485 #define IPSECDOI_AH_SHA 3 486 #define IPSECDOI_AH_DES 4 487 #define IPSECDOI_AH_SHA2_256 5 488 #define IPSECDOI_AH_SHA2_384 6 489 #define IPSECDOI_AH_SHA2_512 7 490 491 /* 4.4.1 IPSEC Security Protocol Identifiers */ 492 #define IPSECDOI_PROTO_IPSEC_ESP 3 493 /* 4.4.4 IPSEC ESP Transform Identifiers */ 494 #define IPSECDOI_ESP_DES_IV64 1 495 #define IPSECDOI_ESP_DES 2 496 #define IPSECDOI_ESP_3DES 3 497 #define IPSECDOI_ESP_RC5 4 498 #define IPSECDOI_ESP_IDEA 5 499 #define IPSECDOI_ESP_CAST 6 500 #define IPSECDOI_ESP_BLOWFISH 7 501 #define IPSECDOI_ESP_3IDEA 8 502 #define IPSECDOI_ESP_DES_IV32 9 503 #define IPSECDOI_ESP_RC4 10 504 #define IPSECDOI_ESP_NULL 11 505 #define IPSECDOI_ESP_RIJNDAEL 12 506 #define IPSECDOI_ESP_AES 12 507 508 /* 4.4.1 IPSEC Security Protocol Identifiers */ 509 #define IPSECDOI_PROTO_IPCOMP 4 510 /* 4.4.5 IPSEC IPCOMP Transform Identifiers */ 511 #define IPSECDOI_IPCOMP_OUI 1 512 #define IPSECDOI_IPCOMP_DEFLATE 2 513 #define IPSECDOI_IPCOMP_LZS 3 514 515 /* 4.5 IPSEC Security Association Attributes */ 516 #define IPSECDOI_ATTR_SA_LTYPE 1 /* B */ 517 #define IPSECDOI_ATTR_SA_LTYPE_DEFAULT 1 518 #define IPSECDOI_ATTR_SA_LTYPE_SEC 1 519 #define IPSECDOI_ATTR_SA_LTYPE_KB 2 520 #define IPSECDOI_ATTR_SA_LDUR 2 /* V */ 521 #define IPSECDOI_ATTR_SA_LDUR_DEFAULT 28800 /* 8 hours */ 522 #define IPSECDOI_ATTR_GRP_DESC 3 /* B */ 523 #define IPSECDOI_ATTR_ENC_MODE 4 /* B */ 524 /* default value: host dependent */ 525 #define IPSECDOI_ATTR_ENC_MODE_TUNNEL 1 526 #define IPSECDOI_ATTR_ENC_MODE_TRNS 2 527 #define IPSECDOI_ATTR_AUTH 5 /* B */ 528 /* 0 means not to use authentication. */ 529 #define IPSECDOI_ATTR_AUTH_HMAC_MD5 1 530 #define IPSECDOI_ATTR_AUTH_HMAC_SHA1 2 531 #define IPSECDOI_ATTR_AUTH_DES_MAC 3 532 #define IPSECDOI_ATTR_AUTH_KPDK 4 /*RFC-1826(Key/Pad/Data/Key)*/ 533 /* 534 * When negotiating ESP without authentication, the Auth 535 * Algorithm attribute MUST NOT be included in the proposal. 536 * When negotiating ESP without confidentiality, the Auth 537 * Algorithm attribute MUST be included in the proposal and 538 * the ESP transform ID must be ESP_NULL. 539 */ 540 #define IPSECDOI_ATTR_KEY_LENGTH 6 /* B */ 541 #define IPSECDOI_ATTR_KEY_ROUNDS 7 /* B */ 542 #define IPSECDOI_ATTR_COMP_DICT_SIZE 8 /* B */ 543 #define IPSECDOI_ATTR_COMP_PRIVALG 9 /* V */ 544 545 /* 4.6.1 Security Association Payload */ 546 struct ipsecdoi_sa { 547 struct isakmp_gen h; 548 uint32_t doi; /* Domain of Interpretation */ 549 uint32_t sit; /* Situation */ 550 }; 551 552 struct ipsecdoi_secrecy_h { 553 uint16_t len; 554 uint16_t reserved; 555 }; 556 557 /* 4.6.2.1 Identification Type Values */ 558 struct ipsecdoi_id { 559 struct isakmp_gen h; 560 uint8_t type; /* ID Type */ 561 uint8_t proto_id; /* Protocol ID */ 562 uint16_t port; /* Port */ 563 /* Identification Data */ 564 }; 565 566 #define IPSECDOI_ID_IPV4_ADDR 1 567 #define IPSECDOI_ID_FQDN 2 568 #define IPSECDOI_ID_USER_FQDN 3 569 #define IPSECDOI_ID_IPV4_ADDR_SUBNET 4 570 #define IPSECDOI_ID_IPV6_ADDR 5 571 #define IPSECDOI_ID_IPV6_ADDR_SUBNET 6 572 #define IPSECDOI_ID_IPV4_ADDR_RANGE 7 573 #define IPSECDOI_ID_IPV6_ADDR_RANGE 8 574 #define IPSECDOI_ID_DER_ASN1_DN 9 575 #define IPSECDOI_ID_DER_ASN1_GN 10 576 #define IPSECDOI_ID_KEY_ID 11 577 578 /* 4.6.3 IPSEC DOI Notify Message Types */ 579 /* Notify Messages - Status Types */ 580 #define IPSECDOI_NTYPE_RESPONDER_LIFETIME 24576 581 #define IPSECDOI_NTYPE_REPLAY_STATUS 24577 582 #define IPSECDOI_NTYPE_INITIAL_CONTACT 24578 583 584 #define DECLARE_PRINTER(func) static const u_char *ike##func##_print( \ 585 netdissect_options *ndo, u_char tpay, \ 586 const struct isakmp_gen *ext, \ 587 u_int item_len, \ 588 const u_char *end_pointer, \ 589 uint32_t phase,\ 590 uint32_t doi0, \ 591 uint32_t proto0, int depth) 592 593 DECLARE_PRINTER(v1_sa); 594 DECLARE_PRINTER(v1_p); 595 DECLARE_PRINTER(v1_t); 596 DECLARE_PRINTER(v1_ke); 597 DECLARE_PRINTER(v1_id); 598 DECLARE_PRINTER(v1_cert); 599 DECLARE_PRINTER(v1_cr); 600 DECLARE_PRINTER(v1_sig); 601 DECLARE_PRINTER(v1_hash); 602 DECLARE_PRINTER(v1_nonce); 603 DECLARE_PRINTER(v1_n); 604 DECLARE_PRINTER(v1_d); 605 DECLARE_PRINTER(v1_vid); 606 607 DECLARE_PRINTER(v2_sa); 608 DECLARE_PRINTER(v2_ke); 609 DECLARE_PRINTER(v2_ID); 610 DECLARE_PRINTER(v2_cert); 611 DECLARE_PRINTER(v2_cr); 612 DECLARE_PRINTER(v2_auth); 613 DECLARE_PRINTER(v2_nonce); 614 DECLARE_PRINTER(v2_n); 615 DECLARE_PRINTER(v2_d); 616 DECLARE_PRINTER(v2_vid); 617 DECLARE_PRINTER(v2_TS); 618 DECLARE_PRINTER(v2_cp); 619 DECLARE_PRINTER(v2_eap); 620 621 static const u_char *ikev2_e_print(netdissect_options *ndo, 622 struct isakmp *base, 623 u_char tpay, 624 const struct isakmp_gen *ext, 625 u_int item_len, 626 const u_char *end_pointer, 627 uint32_t phase, 628 uint32_t doi0, 629 uint32_t proto0, int depth); 630 631 632 static const u_char *ike_sub0_print(netdissect_options *ndo,u_char, const struct isakmp_gen *, 633 const u_char *, uint32_t, uint32_t, uint32_t, int); 634 static const u_char *ikev1_sub_print(netdissect_options *ndo,u_char, const struct isakmp_gen *, 635 const u_char *, uint32_t, uint32_t, uint32_t, int); 636 637 static const u_char *ikev2_sub_print(netdissect_options *ndo, 638 struct isakmp *base, 639 u_char np, const struct isakmp_gen *ext, 640 const u_char *ep, uint32_t phase, 641 uint32_t doi, uint32_t proto, 642 int depth); 643 644 645 static char *numstr(int); 646 647 static void 648 ikev1_print(netdissect_options *ndo, 649 const u_char *bp, u_int length, 650 const u_char *bp2, struct isakmp *base); 651 652 #define MAXINITIATORS 20 653 static int ninitiator = 0; 654 union inaddr_u { 655 struct in_addr in4; 656 struct in6_addr in6; 657 }; 658 static struct { 659 cookie_t initiator; 660 u_int version; 661 union inaddr_u iaddr; 662 union inaddr_u raddr; 663 } cookiecache[MAXINITIATORS]; 664 665 /* protocol id */ 666 static const char *protoidstr[] = { 667 NULL, "isakmp", "ipsec-ah", "ipsec-esp", "ipcomp", 668 }; 669 670 /* isakmp->np */ 671 static const char *npstr[] = { 672 "none", "sa", "p", "t", "ke", "id", "cert", "cr", "hash", /* 0 - 8 */ 673 "sig", "nonce", "n", "d", "vid", /* 9 - 13 */ 674 "pay14", "pay15", "pay16", "pay17", "pay18", /* 14- 18 */ 675 "pay19", "pay20", "pay21", "pay22", "pay23", /* 19- 23 */ 676 "pay24", "pay25", "pay26", "pay27", "pay28", /* 24- 28 */ 677 "pay29", "pay30", "pay31", "pay32", /* 29- 32 */ 678 "v2sa", "v2ke", "v2IDi", "v2IDr", "v2cert",/* 33- 37 */ 679 "v2cr", "v2auth","v2nonce", "v2n", "v2d", /* 38- 42 */ 680 "v2vid", "v2TSi", "v2TSr", "v2e", "v2cp", /* 43- 47 */ 681 "v2eap", /* 48 */ 682 683 }; 684 685 /* isakmp->np */ 686 static const u_char *(*npfunc[])(netdissect_options *ndo, u_char tpay, 687 const struct isakmp_gen *ext, 688 u_int item_len, 689 const u_char *end_pointer, 690 uint32_t phase, 691 uint32_t doi0, 692 uint32_t proto0, int depth) = { 693 NULL, 694 ikev1_sa_print, 695 ikev1_p_print, 696 ikev1_t_print, 697 ikev1_ke_print, 698 ikev1_id_print, 699 ikev1_cert_print, 700 ikev1_cr_print, 701 ikev1_hash_print, 702 ikev1_sig_print, 703 ikev1_nonce_print, 704 ikev1_n_print, 705 ikev1_d_print, 706 ikev1_vid_print, /* 13 */ 707 NULL, NULL, NULL, NULL, NULL, /* 14- 18 */ 708 NULL, NULL, NULL, NULL, NULL, /* 19- 23 */ 709 NULL, NULL, NULL, NULL, NULL, /* 24- 28 */ 710 NULL, NULL, NULL, NULL, /* 29- 32 */ 711 ikev2_sa_print, /* 33 */ 712 ikev2_ke_print, /* 34 */ 713 ikev2_ID_print, /* 35 */ 714 ikev2_ID_print, /* 36 */ 715 ikev2_cert_print, /* 37 */ 716 ikev2_cr_print, /* 38 */ 717 ikev2_auth_print, /* 39 */ 718 ikev2_nonce_print, /* 40 */ 719 ikev2_n_print, /* 41 */ 720 ikev2_d_print, /* 42 */ 721 ikev2_vid_print, /* 43 */ 722 ikev2_TS_print, /* 44 */ 723 ikev2_TS_print, /* 45 */ 724 NULL, /* ikev2_e_print,*/ /* 46 - special */ 725 ikev2_cp_print, /* 47 */ 726 ikev2_eap_print, /* 48 */ 727 }; 728 729 /* isakmp->etype */ 730 static const char *etypestr[] = { 731 /* IKEv1 exchange types */ 732 "none", "base", "ident", "auth", "agg", "inf", NULL, NULL, /* 0-7 */ 733 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 8-15 */ 734 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 16-23 */ 735 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 24-31 */ 736 "oakley-quick", "oakley-newgroup", /* 32-33 */ 737 /* IKEv2 exchange types */ 738 "ikev2_init", "ikev2_auth", "child_sa", "inf2" /* 34-37 */ 739 }; 740 741 #define STR_OR_ID(x, tab) \ 742 (((x) < sizeof(tab)/sizeof(tab[0]) && tab[(x)]) ? tab[(x)] : numstr(x)) 743 #define PROTOIDSTR(x) STR_OR_ID(x, protoidstr) 744 #define NPSTR(x) STR_OR_ID(x, npstr) 745 #define ETYPESTR(x) STR_OR_ID(x, etypestr) 746 747 #define CHECKLEN(p, np) \ 748 if (ep < (const u_char *)(p)) { \ 749 ND_PRINT((ndo," [|%s]", NPSTR(np))); \ 750 goto done; \ 751 } 752 753 754 #define NPFUNC(x) \ 755 (((x) < sizeof(npfunc)/sizeof(npfunc[0]) && npfunc[(x)]) \ 756 ? npfunc[(x)] : NULL) 757 758 static int 759 iszero(const u_char *p, size_t l) 760 { 761 while (l--) { 762 if (*p++) 763 return 0; 764 } 765 return 1; 766 } 767 768 /* find cookie from initiator cache */ 769 static int 770 cookie_find(cookie_t *in) 771 { 772 int i; 773 774 for (i = 0; i < MAXINITIATORS; i++) { 775 if (memcmp(in, &cookiecache[i].initiator, sizeof(*in)) == 0) 776 return i; 777 } 778 779 return -1; 780 } 781 782 /* record initiator */ 783 static void 784 cookie_record(cookie_t *in, const u_char *bp2) 785 { 786 int i; 787 const struct ip *ip; 788 const struct ip6_hdr *ip6; 789 790 i = cookie_find(in); 791 if (0 <= i) { 792 ninitiator = (i + 1) % MAXINITIATORS; 793 return; 794 } 795 796 ip = (const struct ip *)bp2; 797 switch (IP_V(ip)) { 798 case 4: 799 cookiecache[ninitiator].version = 4; 800 UNALIGNED_MEMCPY(&cookiecache[ninitiator].iaddr.in4, &ip->ip_src, sizeof(struct in_addr)); 801 UNALIGNED_MEMCPY(&cookiecache[ninitiator].raddr.in4, &ip->ip_dst, sizeof(struct in_addr)); 802 break; 803 case 6: 804 ip6 = (const struct ip6_hdr *)bp2; 805 cookiecache[ninitiator].version = 6; 806 UNALIGNED_MEMCPY(&cookiecache[ninitiator].iaddr.in6, &ip6->ip6_src, sizeof(struct in6_addr)); 807 UNALIGNED_MEMCPY(&cookiecache[ninitiator].raddr.in6, &ip6->ip6_dst, sizeof(struct in6_addr)); 808 break; 809 default: 810 return; 811 } 812 UNALIGNED_MEMCPY(&cookiecache[ninitiator].initiator, in, sizeof(*in)); 813 ninitiator = (ninitiator + 1) % MAXINITIATORS; 814 } 815 816 #define cookie_isinitiator(x, y) cookie_sidecheck((x), (y), 1) 817 #define cookie_isresponder(x, y) cookie_sidecheck((x), (y), 0) 818 static int 819 cookie_sidecheck(int i, const u_char *bp2, int initiator) 820 { 821 const struct ip *ip; 822 const struct ip6_hdr *ip6; 823 824 ip = (const struct ip *)bp2; 825 switch (IP_V(ip)) { 826 case 4: 827 if (cookiecache[i].version != 4) 828 return 0; 829 if (initiator) { 830 if (UNALIGNED_MEMCMP(&ip->ip_src, &cookiecache[i].iaddr.in4, sizeof(struct in_addr)) == 0) 831 return 1; 832 } else { 833 if (UNALIGNED_MEMCMP(&ip->ip_src, &cookiecache[i].raddr.in4, sizeof(struct in_addr)) == 0) 834 return 1; 835 } 836 break; 837 case 6: 838 if (cookiecache[i].version != 6) 839 return 0; 840 ip6 = (const struct ip6_hdr *)bp2; 841 if (initiator) { 842 if (UNALIGNED_MEMCMP(&ip6->ip6_src, &cookiecache[i].iaddr.in6, sizeof(struct in6_addr)) == 0) 843 return 1; 844 } else { 845 if (UNALIGNED_MEMCMP(&ip6->ip6_src, &cookiecache[i].raddr.in6, sizeof(struct in6_addr)) == 0) 846 return 1; 847 } 848 break; 849 default: 850 break; 851 } 852 853 return 0; 854 } 855 856 static void 857 hexprint(netdissect_options *ndo, const uint8_t *loc, size_t len) 858 { 859 const uint8_t *p; 860 size_t i; 861 862 p = loc; 863 for (i = 0; i < len; i++) 864 ND_PRINT((ndo,"%02x", p[i] & 0xff)); 865 } 866 867 static int 868 rawprint(netdissect_options *ndo, const uint8_t *loc, size_t len) 869 { 870 ND_TCHECK2(*loc, len); 871 872 hexprint(ndo, loc, len); 873 return 1; 874 trunc: 875 return 0; 876 } 877 878 879 /* 880 * returns false if we run out of data buffer 881 */ 882 static int ike_show_somedata(netdissect_options *ndo, 883 const u_char *cp, const u_char *ep) 884 { 885 /* there is too much data, just show some of it */ 886 const u_char *end = ep - 20; 887 int elen = 20; 888 int len = ep - cp; 889 if(len > 10) { 890 len = 10; 891 } 892 893 /* really shouldn't happen because of above */ 894 if(end < cp + len) { 895 end = cp+len; 896 elen = ep - end; 897 } 898 899 ND_PRINT((ndo," data=(")); 900 if(!rawprint(ndo, (const uint8_t *)(cp), len)) goto trunc; 901 ND_PRINT((ndo, "...")); 902 if(elen) { 903 if(!rawprint(ndo, (const uint8_t *)(end), elen)) goto trunc; 904 } 905 ND_PRINT((ndo,")")); 906 return 1; 907 908 trunc: 909 return 0; 910 } 911 912 struct attrmap { 913 const char *type; 914 u_int nvalue; 915 const char *value[30]; /*XXX*/ 916 }; 917 918 static const u_char * 919 ikev1_attrmap_print(netdissect_options *ndo, 920 const u_char *p, const u_char *ep2, 921 const struct attrmap *map, size_t nmap) 922 { 923 int totlen; 924 uint32_t t, v; 925 926 ND_TCHECK(p[0]); 927 if (p[0] & 0x80) 928 totlen = 4; 929 else { 930 ND_TCHECK_16BITS(&p[2]); 931 totlen = 4 + EXTRACT_16BITS(&p[2]); 932 } 933 if (ep2 < p + totlen) { 934 ND_PRINT((ndo,"[|attr]")); 935 return ep2 + 1; 936 } 937 938 ND_TCHECK_16BITS(&p[0]); 939 ND_PRINT((ndo,"(")); 940 t = EXTRACT_16BITS(&p[0]) & 0x7fff; 941 if (map && t < nmap && map[t].type) 942 ND_PRINT((ndo,"type=%s ", map[t].type)); 943 else 944 ND_PRINT((ndo,"type=#%d ", t)); 945 if (p[0] & 0x80) { 946 ND_PRINT((ndo,"value=")); 947 ND_TCHECK_16BITS(&p[2]); 948 v = EXTRACT_16BITS(&p[2]); 949 if (map && t < nmap && v < map[t].nvalue && map[t].value[v]) 950 ND_PRINT((ndo,"%s", map[t].value[v])); 951 else { 952 if (!rawprint(ndo, (const uint8_t *)&p[2], 2)) { 953 ND_PRINT((ndo,")")); 954 goto trunc; 955 } 956 } 957 } else { 958 ND_PRINT((ndo,"len=%d value=", totlen - 4)); 959 if (!rawprint(ndo, (const uint8_t *)&p[4], totlen - 4)) { 960 ND_PRINT((ndo,")")); 961 goto trunc; 962 } 963 } 964 ND_PRINT((ndo,")")); 965 return p + totlen; 966 967 trunc: 968 return NULL; 969 } 970 971 static const u_char * 972 ikev1_attr_print(netdissect_options *ndo, const u_char *p, const u_char *ep2) 973 { 974 int totlen; 975 uint32_t t; 976 977 ND_TCHECK(p[0]); 978 if (p[0] & 0x80) 979 totlen = 4; 980 else { 981 ND_TCHECK_16BITS(&p[2]); 982 totlen = 4 + EXTRACT_16BITS(&p[2]); 983 } 984 if (ep2 < p + totlen) { 985 ND_PRINT((ndo,"[|attr]")); 986 return ep2 + 1; 987 } 988 989 ND_TCHECK_16BITS(&p[0]); 990 ND_PRINT((ndo,"(")); 991 t = EXTRACT_16BITS(&p[0]) & 0x7fff; 992 ND_PRINT((ndo,"type=#%d ", t)); 993 if (p[0] & 0x80) { 994 ND_PRINT((ndo,"value=")); 995 t = p[2]; 996 if (!rawprint(ndo, (const uint8_t *)&p[2], 2)) { 997 ND_PRINT((ndo,")")); 998 goto trunc; 999 } 1000 } else { 1001 ND_PRINT((ndo,"len=%d value=", totlen - 4)); 1002 if (!rawprint(ndo, (const uint8_t *)&p[4], totlen - 4)) { 1003 ND_PRINT((ndo,")")); 1004 goto trunc; 1005 } 1006 } 1007 ND_PRINT((ndo,")")); 1008 return p + totlen; 1009 1010 trunc: 1011 return NULL; 1012 } 1013 1014 static const u_char * 1015 ikev1_sa_print(netdissect_options *ndo, u_char tpay _U_, 1016 const struct isakmp_gen *ext, 1017 u_int item_len _U_, 1018 const u_char *ep, uint32_t phase, uint32_t doi0 _U_, 1019 uint32_t proto0, int depth) 1020 { 1021 const struct ikev1_pl_sa *p; 1022 struct ikev1_pl_sa sa; 1023 uint32_t doi, sit, ident; 1024 const u_char *cp, *np; 1025 int t; 1026 1027 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_SA))); 1028 1029 p = (const struct ikev1_pl_sa *)ext; 1030 ND_TCHECK(*p); 1031 UNALIGNED_MEMCPY(&sa, ext, sizeof(sa)); 1032 doi = ntohl(sa.doi); 1033 sit = ntohl(sa.sit); 1034 if (doi != 1) { 1035 ND_PRINT((ndo," doi=%d", doi)); 1036 ND_PRINT((ndo," situation=%u", (uint32_t)ntohl(sa.sit))); 1037 return (const u_char *)(p + 1); 1038 } 1039 1040 ND_PRINT((ndo," doi=ipsec")); 1041 ND_PRINT((ndo," situation=")); 1042 t = 0; 1043 if (sit & 0x01) { 1044 ND_PRINT((ndo,"identity")); 1045 t++; 1046 } 1047 if (sit & 0x02) { 1048 ND_PRINT((ndo,"%ssecrecy", t ? "+" : "")); 1049 t++; 1050 } 1051 if (sit & 0x04) 1052 ND_PRINT((ndo,"%sintegrity", t ? "+" : "")); 1053 1054 np = (const u_char *)ext + sizeof(sa); 1055 if (sit != 0x01) { 1056 ND_TCHECK2(*(ext + 1), sizeof(ident)); 1057 UNALIGNED_MEMCPY(&ident, ext + 1, sizeof(ident)); 1058 ND_PRINT((ndo," ident=%u", (uint32_t)ntohl(ident))); 1059 np += sizeof(ident); 1060 } 1061 1062 ext = (const struct isakmp_gen *)np; 1063 ND_TCHECK(*ext); 1064 1065 cp = ikev1_sub_print(ndo, ISAKMP_NPTYPE_P, ext, ep, phase, doi, proto0, 1066 depth); 1067 1068 return cp; 1069 trunc: 1070 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_SA))); 1071 return NULL; 1072 } 1073 1074 static const u_char * 1075 ikev1_p_print(netdissect_options *ndo, u_char tpay _U_, 1076 const struct isakmp_gen *ext, u_int item_len _U_, 1077 const u_char *ep, uint32_t phase, uint32_t doi0, 1078 uint32_t proto0 _U_, int depth) 1079 { 1080 const struct ikev1_pl_p *p; 1081 struct ikev1_pl_p prop; 1082 const u_char *cp; 1083 1084 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_P))); 1085 1086 p = (const struct ikev1_pl_p *)ext; 1087 ND_TCHECK(*p); 1088 UNALIGNED_MEMCPY(&prop, ext, sizeof(prop)); 1089 ND_PRINT((ndo," #%d protoid=%s transform=%d", 1090 prop.p_no, PROTOIDSTR(prop.prot_id), prop.num_t)); 1091 if (prop.spi_size) { 1092 ND_PRINT((ndo," spi=")); 1093 if (!rawprint(ndo, (const uint8_t *)(p + 1), prop.spi_size)) 1094 goto trunc; 1095 } 1096 1097 ext = (const struct isakmp_gen *)((const u_char *)(p + 1) + prop.spi_size); 1098 ND_TCHECK(*ext); 1099 1100 cp = ikev1_sub_print(ndo, ISAKMP_NPTYPE_T, ext, ep, phase, doi0, 1101 prop.prot_id, depth); 1102 1103 return cp; 1104 trunc: 1105 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_P))); 1106 return NULL; 1107 } 1108 1109 static const char *ikev1_p_map[] = { 1110 NULL, "ike", 1111 }; 1112 1113 static const char *ikev2_t_type_map[]={ 1114 NULL, "encr", "prf", "integ", "dh", "esn" 1115 }; 1116 1117 static const char *ah_p_map[] = { 1118 NULL, "(reserved)", "md5", "sha", "1des", 1119 "sha2-256", "sha2-384", "sha2-512", 1120 }; 1121 1122 static const char *prf_p_map[] = { 1123 NULL, "hmac-md5", "hmac-sha", "hmac-tiger", 1124 "aes128_xcbc" 1125 }; 1126 1127 static const char *integ_p_map[] = { 1128 NULL, "hmac-md5", "hmac-sha", "dec-mac", 1129 "kpdk-md5", "aes-xcbc" 1130 }; 1131 1132 static const char *esn_p_map[] = { 1133 "no-esn", "esn" 1134 }; 1135 1136 static const char *dh_p_map[] = { 1137 NULL, "modp768", 1138 "modp1024", /* group 2 */ 1139 "EC2N 2^155", /* group 3 */ 1140 "EC2N 2^185", /* group 4 */ 1141 "modp1536", /* group 5 */ 1142 "iana-grp06", "iana-grp07", /* reserved */ 1143 "iana-grp08", "iana-grp09", 1144 "iana-grp10", "iana-grp11", 1145 "iana-grp12", "iana-grp13", 1146 "modp2048", /* group 14 */ 1147 "modp3072", /* group 15 */ 1148 "modp4096", /* group 16 */ 1149 "modp6144", /* group 17 */ 1150 "modp8192", /* group 18 */ 1151 }; 1152 1153 static const char *esp_p_map[] = { 1154 NULL, "1des-iv64", "1des", "3des", "rc5", "idea", "cast", 1155 "blowfish", "3idea", "1des-iv32", "rc4", "null", "aes" 1156 }; 1157 1158 static const char *ipcomp_p_map[] = { 1159 NULL, "oui", "deflate", "lzs", 1160 }; 1161 1162 static const struct attrmap ipsec_t_map[] = { 1163 { NULL, 0, { NULL } }, 1164 { "lifetype", 3, { NULL, "sec", "kb", }, }, 1165 { "life", 0, { NULL } }, 1166 { "group desc", 18, { NULL, "modp768", 1167 "modp1024", /* group 2 */ 1168 "EC2N 2^155", /* group 3 */ 1169 "EC2N 2^185", /* group 4 */ 1170 "modp1536", /* group 5 */ 1171 "iana-grp06", "iana-grp07", /* reserved */ 1172 "iana-grp08", "iana-grp09", 1173 "iana-grp10", "iana-grp11", 1174 "iana-grp12", "iana-grp13", 1175 "modp2048", /* group 14 */ 1176 "modp3072", /* group 15 */ 1177 "modp4096", /* group 16 */ 1178 "modp6144", /* group 17 */ 1179 "modp8192", /* group 18 */ 1180 }, }, 1181 { "enc mode", 3, { NULL, "tunnel", "transport", }, }, 1182 { "auth", 5, { NULL, "hmac-md5", "hmac-sha1", "1des-mac", "keyed", }, }, 1183 { "keylen", 0, { NULL } }, 1184 { "rounds", 0, { NULL } }, 1185 { "dictsize", 0, { NULL } }, 1186 { "privalg", 0, { NULL } }, 1187 }; 1188 1189 static const struct attrmap encr_t_map[] = { 1190 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 0, 1 */ 1191 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 2, 3 */ 1192 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 4, 5 */ 1193 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 6, 7 */ 1194 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 8, 9 */ 1195 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 10,11*/ 1196 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 12,13*/ 1197 { "keylen", 14, { NULL }}, 1198 }; 1199 1200 static const struct attrmap oakley_t_map[] = { 1201 { NULL, 0, { NULL } }, 1202 { "enc", 8, { NULL, "1des", "idea", "blowfish", "rc5", 1203 "3des", "cast", "aes", }, }, 1204 { "hash", 7, { NULL, "md5", "sha1", "tiger", 1205 "sha2-256", "sha2-384", "sha2-512", }, }, 1206 { "auth", 6, { NULL, "preshared", "dss", "rsa sig", "rsa enc", 1207 "rsa enc revised", }, }, 1208 { "group desc", 18, { NULL, "modp768", 1209 "modp1024", /* group 2 */ 1210 "EC2N 2^155", /* group 3 */ 1211 "EC2N 2^185", /* group 4 */ 1212 "modp1536", /* group 5 */ 1213 "iana-grp06", "iana-grp07", /* reserved */ 1214 "iana-grp08", "iana-grp09", 1215 "iana-grp10", "iana-grp11", 1216 "iana-grp12", "iana-grp13", 1217 "modp2048", /* group 14 */ 1218 "modp3072", /* group 15 */ 1219 "modp4096", /* group 16 */ 1220 "modp6144", /* group 17 */ 1221 "modp8192", /* group 18 */ 1222 }, }, 1223 { "group type", 4, { NULL, "MODP", "ECP", "EC2N", }, }, 1224 { "group prime", 0, { NULL } }, 1225 { "group gen1", 0, { NULL } }, 1226 { "group gen2", 0, { NULL } }, 1227 { "group curve A", 0, { NULL } }, 1228 { "group curve B", 0, { NULL } }, 1229 { "lifetype", 3, { NULL, "sec", "kb", }, }, 1230 { "lifeduration", 0, { NULL } }, 1231 { "prf", 0, { NULL } }, 1232 { "keylen", 0, { NULL } }, 1233 { "field", 0, { NULL } }, 1234 { "order", 0, { NULL } }, 1235 }; 1236 1237 static const u_char * 1238 ikev1_t_print(netdissect_options *ndo, u_char tpay _U_, 1239 const struct isakmp_gen *ext, u_int item_len, 1240 const u_char *ep, uint32_t phase _U_, uint32_t doi _U_, 1241 uint32_t proto, int depth _U_) 1242 { 1243 const struct ikev1_pl_t *p; 1244 struct ikev1_pl_t t; 1245 const u_char *cp; 1246 const char *idstr; 1247 const struct attrmap *map; 1248 size_t nmap; 1249 const u_char *ep2; 1250 1251 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_T))); 1252 1253 p = (const struct ikev1_pl_t *)ext; 1254 ND_TCHECK(*p); 1255 UNALIGNED_MEMCPY(&t, ext, sizeof(t)); 1256 1257 switch (proto) { 1258 case 1: 1259 idstr = STR_OR_ID(t.t_id, ikev1_p_map); 1260 map = oakley_t_map; 1261 nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]); 1262 break; 1263 case 2: 1264 idstr = STR_OR_ID(t.t_id, ah_p_map); 1265 map = ipsec_t_map; 1266 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]); 1267 break; 1268 case 3: 1269 idstr = STR_OR_ID(t.t_id, esp_p_map); 1270 map = ipsec_t_map; 1271 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]); 1272 break; 1273 case 4: 1274 idstr = STR_OR_ID(t.t_id, ipcomp_p_map); 1275 map = ipsec_t_map; 1276 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]); 1277 break; 1278 default: 1279 idstr = NULL; 1280 map = NULL; 1281 nmap = 0; 1282 break; 1283 } 1284 1285 if (idstr) 1286 ND_PRINT((ndo," #%d id=%s ", t.t_no, idstr)); 1287 else 1288 ND_PRINT((ndo," #%d id=%d ", t.t_no, t.t_id)); 1289 cp = (const u_char *)(p + 1); 1290 ep2 = (const u_char *)p + item_len; 1291 while (cp < ep && cp < ep2) { 1292 if (map && nmap) 1293 cp = ikev1_attrmap_print(ndo, cp, ep2, map, nmap); 1294 else 1295 cp = ikev1_attr_print(ndo, cp, ep2); 1296 if (cp == NULL) 1297 goto trunc; 1298 } 1299 if (ep < ep2) 1300 ND_PRINT((ndo,"...")); 1301 return cp; 1302 trunc: 1303 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_T))); 1304 return NULL; 1305 } 1306 1307 static const u_char * 1308 ikev1_ke_print(netdissect_options *ndo, u_char tpay _U_, 1309 const struct isakmp_gen *ext, u_int item_len _U_, 1310 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_, 1311 uint32_t proto _U_, int depth _U_) 1312 { 1313 struct isakmp_gen e; 1314 1315 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_KE))); 1316 1317 ND_TCHECK(*ext); 1318 UNALIGNED_MEMCPY(&e, ext, sizeof(e)); 1319 ND_PRINT((ndo," key len=%d", ntohs(e.len) - 4)); 1320 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) { 1321 /* Print the entire payload in hex */ 1322 ND_PRINT((ndo," ")); 1323 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4)) 1324 goto trunc; 1325 } 1326 return (const u_char *)ext + ntohs(e.len); 1327 trunc: 1328 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_KE))); 1329 return NULL; 1330 } 1331 1332 static const u_char * 1333 ikev1_id_print(netdissect_options *ndo, u_char tpay _U_, 1334 const struct isakmp_gen *ext, u_int item_len, 1335 const u_char *ep _U_, uint32_t phase, uint32_t doi _U_, 1336 uint32_t proto _U_, int depth _U_) 1337 { 1338 #define USE_IPSECDOI_IN_PHASE1 1 1339 const struct ikev1_pl_id *p; 1340 struct ikev1_pl_id id; 1341 static const char *idtypestr[] = { 1342 "IPv4", "IPv4net", "IPv6", "IPv6net", 1343 }; 1344 static const char *ipsecidtypestr[] = { 1345 NULL, "IPv4", "FQDN", "user FQDN", "IPv4net", "IPv6", 1346 "IPv6net", "IPv4range", "IPv6range", "ASN1 DN", "ASN1 GN", 1347 "keyid", 1348 }; 1349 int len; 1350 const u_char *data; 1351 1352 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_ID))); 1353 1354 p = (const struct ikev1_pl_id *)ext; 1355 ND_TCHECK(*p); 1356 UNALIGNED_MEMCPY(&id, ext, sizeof(id)); 1357 if (sizeof(*p) < item_len) { 1358 data = (const u_char *)(p + 1); 1359 len = item_len - sizeof(*p); 1360 } else { 1361 data = NULL; 1362 len = 0; 1363 } 1364 1365 #if 0 /*debug*/ 1366 ND_PRINT((ndo," [phase=%d doi=%d proto=%d]", phase, doi, proto)); 1367 #endif 1368 switch (phase) { 1369 #ifndef USE_IPSECDOI_IN_PHASE1 1370 case 1: 1371 #endif 1372 default: 1373 ND_PRINT((ndo," idtype=%s", STR_OR_ID(id.d.id_type, idtypestr))); 1374 ND_PRINT((ndo," doi_data=%u", 1375 (uint32_t)(ntohl(id.d.doi_data) & 0xffffff))); 1376 break; 1377 1378 #ifdef USE_IPSECDOI_IN_PHASE1 1379 case 1: 1380 #endif 1381 case 2: 1382 { 1383 const struct ipsecdoi_id *doi_p; 1384 struct ipsecdoi_id doi_id; 1385 const char *p_name; 1386 1387 doi_p = (const struct ipsecdoi_id *)ext; 1388 ND_TCHECK(*doi_p); 1389 UNALIGNED_MEMCPY(&doi_id, ext, sizeof(doi_id)); 1390 ND_PRINT((ndo," idtype=%s", STR_OR_ID(doi_id.type, ipsecidtypestr))); 1391 /* A protocol ID of 0 DOES NOT mean IPPROTO_IP! */ 1392 if (!ndo->ndo_nflag && doi_id.proto_id && (p_name = netdb_protoname(doi_id.proto_id)) != NULL) 1393 ND_PRINT((ndo," protoid=%s", p_name)); 1394 else 1395 ND_PRINT((ndo," protoid=%u", doi_id.proto_id)); 1396 ND_PRINT((ndo," port=%d", ntohs(doi_id.port))); 1397 if (!len) 1398 break; 1399 if (data == NULL) 1400 goto trunc; 1401 ND_TCHECK2(*data, len); 1402 switch (doi_id.type) { 1403 case IPSECDOI_ID_IPV4_ADDR: 1404 if (len < 4) 1405 ND_PRINT((ndo," len=%d [bad: < 4]", len)); 1406 else 1407 ND_PRINT((ndo," len=%d %s", len, ipaddr_string(ndo, data))); 1408 len = 0; 1409 break; 1410 case IPSECDOI_ID_FQDN: 1411 case IPSECDOI_ID_USER_FQDN: 1412 { 1413 int i; 1414 ND_PRINT((ndo," len=%d ", len)); 1415 for (i = 0; i < len; i++) 1416 safeputchar(ndo, data[i]); 1417 len = 0; 1418 break; 1419 } 1420 case IPSECDOI_ID_IPV4_ADDR_SUBNET: 1421 { 1422 const u_char *mask; 1423 if (len < 8) 1424 ND_PRINT((ndo," len=%d [bad: < 8]", len)); 1425 else { 1426 mask = data + sizeof(struct in_addr); 1427 ND_PRINT((ndo," len=%d %s/%u.%u.%u.%u", len, 1428 ipaddr_string(ndo, data), 1429 mask[0], mask[1], mask[2], mask[3])); 1430 } 1431 len = 0; 1432 break; 1433 } 1434 case IPSECDOI_ID_IPV6_ADDR: 1435 if (len < 16) 1436 ND_PRINT((ndo," len=%d [bad: < 16]", len)); 1437 else 1438 ND_PRINT((ndo," len=%d %s", len, ip6addr_string(ndo, data))); 1439 len = 0; 1440 break; 1441 case IPSECDOI_ID_IPV6_ADDR_SUBNET: 1442 { 1443 const u_char *mask; 1444 if (len < 32) 1445 ND_PRINT((ndo," len=%d [bad: < 32]", len)); 1446 else { 1447 mask = (const u_char *)(data + sizeof(struct in6_addr)); 1448 /*XXX*/ 1449 ND_PRINT((ndo," len=%d %s/0x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x", len, 1450 ip6addr_string(ndo, data), 1451 mask[0], mask[1], mask[2], mask[3], 1452 mask[4], mask[5], mask[6], mask[7], 1453 mask[8], mask[9], mask[10], mask[11], 1454 mask[12], mask[13], mask[14], mask[15])); 1455 } 1456 len = 0; 1457 break; 1458 } 1459 case IPSECDOI_ID_IPV4_ADDR_RANGE: 1460 if (len < 8) 1461 ND_PRINT((ndo," len=%d [bad: < 8]", len)); 1462 else { 1463 ND_PRINT((ndo," len=%d %s-%s", len, 1464 ipaddr_string(ndo, data), 1465 ipaddr_string(ndo, data + sizeof(struct in_addr)))); 1466 } 1467 len = 0; 1468 break; 1469 case IPSECDOI_ID_IPV6_ADDR_RANGE: 1470 if (len < 32) 1471 ND_PRINT((ndo," len=%d [bad: < 32]", len)); 1472 else { 1473 ND_PRINT((ndo," len=%d %s-%s", len, 1474 ip6addr_string(ndo, data), 1475 ip6addr_string(ndo, data + sizeof(struct in6_addr)))); 1476 } 1477 len = 0; 1478 break; 1479 case IPSECDOI_ID_DER_ASN1_DN: 1480 case IPSECDOI_ID_DER_ASN1_GN: 1481 case IPSECDOI_ID_KEY_ID: 1482 break; 1483 } 1484 break; 1485 } 1486 } 1487 if (data && len) { 1488 ND_PRINT((ndo," len=%d", len)); 1489 if (2 < ndo->ndo_vflag) { 1490 ND_PRINT((ndo," ")); 1491 if (!rawprint(ndo, (const uint8_t *)data, len)) 1492 goto trunc; 1493 } 1494 } 1495 return (const u_char *)ext + item_len; 1496 trunc: 1497 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_ID))); 1498 return NULL; 1499 } 1500 1501 static const u_char * 1502 ikev1_cert_print(netdissect_options *ndo, u_char tpay _U_, 1503 const struct isakmp_gen *ext, u_int item_len, 1504 const u_char *ep _U_, uint32_t phase _U_, 1505 uint32_t doi0 _U_, 1506 uint32_t proto0 _U_, int depth _U_) 1507 { 1508 const struct ikev1_pl_cert *p; 1509 struct ikev1_pl_cert cert; 1510 static const char *certstr[] = { 1511 "none", "pkcs7", "pgp", "dns", 1512 "x509sign", "x509ke", "kerberos", "crl", 1513 "arl", "spki", "x509attr", 1514 }; 1515 1516 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_CERT))); 1517 1518 p = (const struct ikev1_pl_cert *)ext; 1519 ND_TCHECK(*p); 1520 UNALIGNED_MEMCPY(&cert, ext, sizeof(cert)); 1521 ND_PRINT((ndo," len=%d", item_len - 4)); 1522 ND_PRINT((ndo," type=%s", STR_OR_ID((cert.encode), certstr))); 1523 if (2 < ndo->ndo_vflag && 4 < item_len) { 1524 /* Print the entire payload in hex */ 1525 ND_PRINT((ndo," ")); 1526 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4)) 1527 goto trunc; 1528 } 1529 return (const u_char *)ext + item_len; 1530 trunc: 1531 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_CERT))); 1532 return NULL; 1533 } 1534 1535 static const u_char * 1536 ikev1_cr_print(netdissect_options *ndo, u_char tpay _U_, 1537 const struct isakmp_gen *ext, u_int item_len, 1538 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi0 _U_, 1539 uint32_t proto0 _U_, int depth _U_) 1540 { 1541 const struct ikev1_pl_cert *p; 1542 struct ikev1_pl_cert cert; 1543 static const char *certstr[] = { 1544 "none", "pkcs7", "pgp", "dns", 1545 "x509sign", "x509ke", "kerberos", "crl", 1546 "arl", "spki", "x509attr", 1547 }; 1548 1549 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_CR))); 1550 1551 p = (const struct ikev1_pl_cert *)ext; 1552 ND_TCHECK(*p); 1553 UNALIGNED_MEMCPY(&cert, ext, sizeof(cert)); 1554 ND_PRINT((ndo," len=%d", item_len - 4)); 1555 ND_PRINT((ndo," type=%s", STR_OR_ID((cert.encode), certstr))); 1556 if (2 < ndo->ndo_vflag && 4 < item_len) { 1557 /* Print the entire payload in hex */ 1558 ND_PRINT((ndo," ")); 1559 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4)) 1560 goto trunc; 1561 } 1562 return (const u_char *)ext + item_len; 1563 trunc: 1564 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_CR))); 1565 return NULL; 1566 } 1567 1568 static const u_char * 1569 ikev1_hash_print(netdissect_options *ndo, u_char tpay _U_, 1570 const struct isakmp_gen *ext, u_int item_len _U_, 1571 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_, 1572 uint32_t proto _U_, int depth _U_) 1573 { 1574 struct isakmp_gen e; 1575 1576 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_HASH))); 1577 1578 ND_TCHECK(*ext); 1579 UNALIGNED_MEMCPY(&e, ext, sizeof(e)); 1580 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4)); 1581 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) { 1582 /* Print the entire payload in hex */ 1583 ND_PRINT((ndo," ")); 1584 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4)) 1585 goto trunc; 1586 } 1587 return (const u_char *)ext + ntohs(e.len); 1588 trunc: 1589 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_HASH))); 1590 return NULL; 1591 } 1592 1593 static const u_char * 1594 ikev1_sig_print(netdissect_options *ndo, u_char tpay _U_, 1595 const struct isakmp_gen *ext, u_int item_len _U_, 1596 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_, 1597 uint32_t proto _U_, int depth _U_) 1598 { 1599 struct isakmp_gen e; 1600 1601 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_SIG))); 1602 1603 ND_TCHECK(*ext); 1604 UNALIGNED_MEMCPY(&e, ext, sizeof(e)); 1605 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4)); 1606 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) { 1607 /* Print the entire payload in hex */ 1608 ND_PRINT((ndo," ")); 1609 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4)) 1610 goto trunc; 1611 } 1612 return (const u_char *)ext + ntohs(e.len); 1613 trunc: 1614 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_SIG))); 1615 return NULL; 1616 } 1617 1618 static const u_char * 1619 ikev1_nonce_print(netdissect_options *ndo, u_char tpay _U_, 1620 const struct isakmp_gen *ext, 1621 u_int item_len _U_, 1622 const u_char *ep, 1623 uint32_t phase _U_, uint32_t doi _U_, 1624 uint32_t proto _U_, int depth _U_) 1625 { 1626 struct isakmp_gen e; 1627 1628 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_NONCE))); 1629 1630 ND_TCHECK(*ext); 1631 UNALIGNED_MEMCPY(&e, ext, sizeof(e)); 1632 /* 1633 * Our caller has ensured that the length is >= 4. 1634 */ 1635 ND_PRINT((ndo," n len=%u", ntohs(e.len) - 4)); 1636 if (ntohs(e.len) > 4) { 1637 if (ndo->ndo_vflag > 2) { 1638 ND_PRINT((ndo, " ")); 1639 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4)) 1640 goto trunc; 1641 } else if (ndo->ndo_vflag > 1) { 1642 ND_PRINT((ndo, " ")); 1643 if (!ike_show_somedata(ndo, (const u_char *)(ext + 1), ep)) 1644 goto trunc; 1645 } 1646 } 1647 return (const u_char *)ext + ntohs(e.len); 1648 trunc: 1649 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_NONCE))); 1650 return NULL; 1651 } 1652 1653 static const u_char * 1654 ikev1_n_print(netdissect_options *ndo, u_char tpay _U_, 1655 const struct isakmp_gen *ext, u_int item_len, 1656 const u_char *ep, uint32_t phase _U_, uint32_t doi0 _U_, 1657 uint32_t proto0 _U_, int depth _U_) 1658 { 1659 const struct ikev1_pl_n *p; 1660 struct ikev1_pl_n n; 1661 const u_char *cp; 1662 const u_char *ep2; 1663 uint32_t doi; 1664 uint32_t proto; 1665 static const char *notify_error_str[] = { 1666 NULL, "INVALID-PAYLOAD-TYPE", 1667 "DOI-NOT-SUPPORTED", "SITUATION-NOT-SUPPORTED", 1668 "INVALID-COOKIE", "INVALID-MAJOR-VERSION", 1669 "INVALID-MINOR-VERSION", "INVALID-EXCHANGE-TYPE", 1670 "INVALID-FLAGS", "INVALID-MESSAGE-ID", 1671 "INVALID-PROTOCOL-ID", "INVALID-SPI", 1672 "INVALID-TRANSFORM-ID", "ATTRIBUTES-NOT-SUPPORTED", 1673 "NO-PROPOSAL-CHOSEN", "BAD-PROPOSAL-SYNTAX", 1674 "PAYLOAD-MALFORMED", "INVALID-KEY-INFORMATION", 1675 "INVALID-ID-INFORMATION", "INVALID-CERT-ENCODING", 1676 "INVALID-CERTIFICATE", "CERT-TYPE-UNSUPPORTED", 1677 "INVALID-CERT-AUTHORITY", "INVALID-HASH-INFORMATION", 1678 "AUTHENTICATION-FAILED", "INVALID-SIGNATURE", 1679 "ADDRESS-NOTIFICATION", "NOTIFY-SA-LIFETIME", 1680 "CERTIFICATE-UNAVAILABLE", "UNSUPPORTED-EXCHANGE-TYPE", 1681 "UNEQUAL-PAYLOAD-LENGTHS", 1682 }; 1683 static const char *ipsec_notify_error_str[] = { 1684 "RESERVED", 1685 }; 1686 static const char *notify_status_str[] = { 1687 "CONNECTED", 1688 }; 1689 static const char *ipsec_notify_status_str[] = { 1690 "RESPONDER-LIFETIME", "REPLAY-STATUS", 1691 "INITIAL-CONTACT", 1692 }; 1693 /* NOTE: these macro must be called with x in proper range */ 1694 1695 /* 0 - 8191 */ 1696 #define NOTIFY_ERROR_STR(x) \ 1697 STR_OR_ID((x), notify_error_str) 1698 1699 /* 8192 - 16383 */ 1700 #define IPSEC_NOTIFY_ERROR_STR(x) \ 1701 STR_OR_ID((u_int)((x) - 8192), ipsec_notify_error_str) 1702 1703 /* 16384 - 24575 */ 1704 #define NOTIFY_STATUS_STR(x) \ 1705 STR_OR_ID((u_int)((x) - 16384), notify_status_str) 1706 1707 /* 24576 - 32767 */ 1708 #define IPSEC_NOTIFY_STATUS_STR(x) \ 1709 STR_OR_ID((u_int)((x) - 24576), ipsec_notify_status_str) 1710 1711 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_N))); 1712 1713 p = (const struct ikev1_pl_n *)ext; 1714 ND_TCHECK(*p); 1715 UNALIGNED_MEMCPY(&n, ext, sizeof(n)); 1716 doi = ntohl(n.doi); 1717 proto = n.prot_id; 1718 if (doi != 1) { 1719 ND_PRINT((ndo," doi=%d", doi)); 1720 ND_PRINT((ndo," proto=%d", proto)); 1721 if (ntohs(n.type) < 8192) 1722 ND_PRINT((ndo," type=%s", NOTIFY_ERROR_STR(ntohs(n.type)))); 1723 else if (ntohs(n.type) < 16384) 1724 ND_PRINT((ndo," type=%s", numstr(ntohs(n.type)))); 1725 else if (ntohs(n.type) < 24576) 1726 ND_PRINT((ndo," type=%s", NOTIFY_STATUS_STR(ntohs(n.type)))); 1727 else 1728 ND_PRINT((ndo," type=%s", numstr(ntohs(n.type)))); 1729 if (n.spi_size) { 1730 ND_PRINT((ndo," spi=")); 1731 if (!rawprint(ndo, (const uint8_t *)(p + 1), n.spi_size)) 1732 goto trunc; 1733 } 1734 return (const u_char *)(p + 1) + n.spi_size; 1735 } 1736 1737 ND_PRINT((ndo," doi=ipsec")); 1738 ND_PRINT((ndo," proto=%s", PROTOIDSTR(proto))); 1739 if (ntohs(n.type) < 8192) 1740 ND_PRINT((ndo," type=%s", NOTIFY_ERROR_STR(ntohs(n.type)))); 1741 else if (ntohs(n.type) < 16384) 1742 ND_PRINT((ndo," type=%s", IPSEC_NOTIFY_ERROR_STR(ntohs(n.type)))); 1743 else if (ntohs(n.type) < 24576) 1744 ND_PRINT((ndo," type=%s", NOTIFY_STATUS_STR(ntohs(n.type)))); 1745 else if (ntohs(n.type) < 32768) 1746 ND_PRINT((ndo," type=%s", IPSEC_NOTIFY_STATUS_STR(ntohs(n.type)))); 1747 else 1748 ND_PRINT((ndo," type=%s", numstr(ntohs(n.type)))); 1749 if (n.spi_size) { 1750 ND_PRINT((ndo," spi=")); 1751 if (!rawprint(ndo, (const uint8_t *)(p + 1), n.spi_size)) 1752 goto trunc; 1753 } 1754 1755 cp = (const u_char *)(p + 1) + n.spi_size; 1756 ep2 = (const u_char *)p + item_len; 1757 1758 if (cp < ep) { 1759 switch (ntohs(n.type)) { 1760 case IPSECDOI_NTYPE_RESPONDER_LIFETIME: 1761 { 1762 const struct attrmap *map = oakley_t_map; 1763 size_t nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]); 1764 ND_PRINT((ndo," attrs=(")); 1765 while (cp < ep && cp < ep2) { 1766 cp = ikev1_attrmap_print(ndo, cp, ep2, map, nmap); 1767 if (cp == NULL) { 1768 ND_PRINT((ndo,")")); 1769 goto trunc; 1770 } 1771 } 1772 ND_PRINT((ndo,")")); 1773 break; 1774 } 1775 case IPSECDOI_NTYPE_REPLAY_STATUS: 1776 ND_PRINT((ndo," status=(")); 1777 ND_TCHECK_32BITS(cp); 1778 ND_PRINT((ndo,"replay detection %sabled", 1779 EXTRACT_32BITS(cp) ? "en" : "dis")); 1780 ND_PRINT((ndo,")")); 1781 break; 1782 default: 1783 /* 1784 * XXX - fill in more types here; see, for example, 1785 * draft-ietf-ipsec-notifymsg-04. 1786 */ 1787 if (ndo->ndo_vflag > 3) { 1788 ND_PRINT((ndo," data=(")); 1789 if (!rawprint(ndo, (const uint8_t *)(cp), ep - cp)) 1790 goto trunc; 1791 ND_PRINT((ndo,")")); 1792 } else { 1793 if (!ike_show_somedata(ndo, cp, ep)) 1794 goto trunc; 1795 } 1796 break; 1797 } 1798 } 1799 return (const u_char *)ext + item_len; 1800 trunc: 1801 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_N))); 1802 return NULL; 1803 } 1804 1805 static const u_char * 1806 ikev1_d_print(netdissect_options *ndo, u_char tpay _U_, 1807 const struct isakmp_gen *ext, u_int item_len _U_, 1808 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi0 _U_, 1809 uint32_t proto0 _U_, int depth _U_) 1810 { 1811 const struct ikev1_pl_d *p; 1812 struct ikev1_pl_d d; 1813 const uint8_t *q; 1814 uint32_t doi; 1815 uint32_t proto; 1816 int i; 1817 1818 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_D))); 1819 1820 p = (const struct ikev1_pl_d *)ext; 1821 ND_TCHECK(*p); 1822 UNALIGNED_MEMCPY(&d, ext, sizeof(d)); 1823 doi = ntohl(d.doi); 1824 proto = d.prot_id; 1825 if (doi != 1) { 1826 ND_PRINT((ndo," doi=%u", doi)); 1827 ND_PRINT((ndo," proto=%u", proto)); 1828 } else { 1829 ND_PRINT((ndo," doi=ipsec")); 1830 ND_PRINT((ndo," proto=%s", PROTOIDSTR(proto))); 1831 } 1832 ND_PRINT((ndo," spilen=%u", d.spi_size)); 1833 ND_PRINT((ndo," nspi=%u", ntohs(d.num_spi))); 1834 ND_PRINT((ndo," spi=")); 1835 q = (const uint8_t *)(p + 1); 1836 for (i = 0; i < ntohs(d.num_spi); i++) { 1837 if (i != 0) 1838 ND_PRINT((ndo,",")); 1839 if (!rawprint(ndo, (const uint8_t *)q, d.spi_size)) 1840 goto trunc; 1841 q += d.spi_size; 1842 } 1843 return q; 1844 trunc: 1845 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_D))); 1846 return NULL; 1847 } 1848 1849 static const u_char * 1850 ikev1_vid_print(netdissect_options *ndo, u_char tpay _U_, 1851 const struct isakmp_gen *ext, 1852 u_int item_len _U_, const u_char *ep _U_, 1853 uint32_t phase _U_, uint32_t doi _U_, 1854 uint32_t proto _U_, int depth _U_) 1855 { 1856 struct isakmp_gen e; 1857 1858 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_VID))); 1859 1860 ND_TCHECK(*ext); 1861 UNALIGNED_MEMCPY(&e, ext, sizeof(e)); 1862 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4)); 1863 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) { 1864 /* Print the entire payload in hex */ 1865 ND_PRINT((ndo," ")); 1866 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4)) 1867 goto trunc; 1868 } 1869 return (const u_char *)ext + ntohs(e.len); 1870 trunc: 1871 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_VID))); 1872 return NULL; 1873 } 1874 1875 /************************************************************/ 1876 /* */ 1877 /* IKE v2 - rfc4306 - dissector */ 1878 /* */ 1879 /************************************************************/ 1880 1881 static void 1882 ikev2_pay_print(netdissect_options *ndo, const char *payname, int critical) 1883 { 1884 ND_PRINT((ndo,"%s%s:", payname, critical&0x80 ? "[C]" : "")); 1885 } 1886 1887 static const u_char * 1888 ikev2_gen_print(netdissect_options *ndo, u_char tpay, 1889 const struct isakmp_gen *ext) 1890 { 1891 struct isakmp_gen e; 1892 1893 ND_TCHECK(*ext); 1894 UNALIGNED_MEMCPY(&e, ext, sizeof(e)); 1895 ikev2_pay_print(ndo, NPSTR(tpay), e.critical); 1896 1897 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4)); 1898 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) { 1899 /* Print the entire payload in hex */ 1900 ND_PRINT((ndo," ")); 1901 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4)) 1902 goto trunc; 1903 } 1904 return (const u_char *)ext + ntohs(e.len); 1905 trunc: 1906 ND_PRINT((ndo," [|%s]", NPSTR(tpay))); 1907 return NULL; 1908 } 1909 1910 static const u_char * 1911 ikev2_t_print(netdissect_options *ndo, int tcount, 1912 const struct isakmp_gen *ext, u_int item_len, 1913 const u_char *ep) 1914 { 1915 const struct ikev2_t *p; 1916 struct ikev2_t t; 1917 uint16_t t_id; 1918 const u_char *cp; 1919 const char *idstr; 1920 const struct attrmap *map; 1921 size_t nmap; 1922 const u_char *ep2; 1923 1924 p = (const struct ikev2_t *)ext; 1925 ND_TCHECK(*p); 1926 UNALIGNED_MEMCPY(&t, ext, sizeof(t)); 1927 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_T), t.h.critical); 1928 1929 t_id = ntohs(t.t_id); 1930 1931 map = NULL; 1932 nmap = 0; 1933 1934 switch (t.t_type) { 1935 case IV2_T_ENCR: 1936 idstr = STR_OR_ID(t_id, esp_p_map); 1937 map = encr_t_map; 1938 nmap = sizeof(encr_t_map)/sizeof(encr_t_map[0]); 1939 break; 1940 1941 case IV2_T_PRF: 1942 idstr = STR_OR_ID(t_id, prf_p_map); 1943 break; 1944 1945 case IV2_T_INTEG: 1946 idstr = STR_OR_ID(t_id, integ_p_map); 1947 break; 1948 1949 case IV2_T_DH: 1950 idstr = STR_OR_ID(t_id, dh_p_map); 1951 break; 1952 1953 case IV2_T_ESN: 1954 idstr = STR_OR_ID(t_id, esn_p_map); 1955 break; 1956 1957 default: 1958 idstr = NULL; 1959 break; 1960 } 1961 1962 if (idstr) 1963 ND_PRINT((ndo," #%u type=%s id=%s ", tcount, 1964 STR_OR_ID(t.t_type, ikev2_t_type_map), 1965 idstr)); 1966 else 1967 ND_PRINT((ndo," #%u type=%s id=%u ", tcount, 1968 STR_OR_ID(t.t_type, ikev2_t_type_map), 1969 t.t_id)); 1970 cp = (const u_char *)(p + 1); 1971 ep2 = (const u_char *)p + item_len; 1972 while (cp < ep && cp < ep2) { 1973 if (map && nmap) { 1974 cp = ikev1_attrmap_print(ndo, cp, ep2, map, nmap); 1975 } else 1976 cp = ikev1_attr_print(ndo, cp, ep2); 1977 if (cp == NULL) 1978 goto trunc; 1979 } 1980 if (ep < ep2) 1981 ND_PRINT((ndo,"...")); 1982 return cp; 1983 trunc: 1984 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_T))); 1985 return NULL; 1986 } 1987 1988 static const u_char * 1989 ikev2_p_print(netdissect_options *ndo, u_char tpay _U_, int pcount _U_, 1990 const struct isakmp_gen *ext, u_int oprop_length, 1991 const u_char *ep, int depth) 1992 { 1993 const struct ikev2_p *p; 1994 struct ikev2_p prop; 1995 u_int prop_length; 1996 const u_char *cp; 1997 int i; 1998 int tcount; 1999 u_char np; 2000 struct isakmp_gen e; 2001 u_int item_len; 2002 2003 p = (const struct ikev2_p *)ext; 2004 ND_TCHECK(*p); 2005 UNALIGNED_MEMCPY(&prop, ext, sizeof(prop)); 2006 2007 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_P), prop.h.critical); 2008 2009 /* 2010 * ikev2_sa_print() guarantees that this is >= 4. 2011 */ 2012 prop_length = oprop_length - 4; 2013 ND_PRINT((ndo," #%u protoid=%s transform=%d len=%u", 2014 prop.p_no, PROTOIDSTR(prop.prot_id), 2015 prop.num_t, oprop_length)); 2016 cp = (const u_char *)(p + 1); 2017 2018 if (prop.spi_size) { 2019 if (prop_length < prop.spi_size) 2020 goto toolong; 2021 ND_PRINT((ndo," spi=")); 2022 if (!rawprint(ndo, (const uint8_t *)cp, prop.spi_size)) 2023 goto trunc; 2024 cp += prop.spi_size; 2025 prop_length -= prop.spi_size; 2026 } 2027 2028 /* 2029 * Print the transforms. 2030 */ 2031 tcount = 0; 2032 for (np = ISAKMP_NPTYPE_T; np != 0; np = e.np) { 2033 tcount++; 2034 ext = (const struct isakmp_gen *)cp; 2035 if (prop_length < sizeof(*ext)) 2036 goto toolong; 2037 ND_TCHECK(*ext); 2038 UNALIGNED_MEMCPY(&e, ext, sizeof(e)); 2039 2040 /* 2041 * Since we can't have a payload length of less than 4 bytes, 2042 * we need to bail out here if the generic header is nonsensical 2043 * or truncated, otherwise we could loop forever processing 2044 * zero-length items or otherwise misdissect the packet. 2045 */ 2046 item_len = ntohs(e.len); 2047 if (item_len <= 4) 2048 goto trunc; 2049 2050 if (prop_length < item_len) 2051 goto toolong; 2052 ND_TCHECK2(*cp, item_len); 2053 2054 depth++; 2055 ND_PRINT((ndo,"\n")); 2056 for (i = 0; i < depth; i++) 2057 ND_PRINT((ndo," ")); 2058 ND_PRINT((ndo,"(")); 2059 if (np == ISAKMP_NPTYPE_T) { 2060 cp = ikev2_t_print(ndo, tcount, ext, item_len, ep); 2061 if (cp == NULL) { 2062 /* error, already reported */ 2063 return NULL; 2064 } 2065 } else { 2066 ND_PRINT((ndo, "%s", NPSTR(np))); 2067 cp += item_len; 2068 } 2069 ND_PRINT((ndo,")")); 2070 depth--; 2071 prop_length -= item_len; 2072 } 2073 return cp; 2074 toolong: 2075 /* 2076 * Skip the rest of the proposal. 2077 */ 2078 cp += prop_length; 2079 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_P))); 2080 return cp; 2081 trunc: 2082 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_P))); 2083 return NULL; 2084 } 2085 2086 static const u_char * 2087 ikev2_sa_print(netdissect_options *ndo, u_char tpay, 2088 const struct isakmp_gen *ext1, 2089 u_int osa_length, const u_char *ep, 2090 uint32_t phase _U_, uint32_t doi _U_, 2091 uint32_t proto _U_, int depth) 2092 { 2093 const struct isakmp_gen *ext; 2094 struct isakmp_gen e; 2095 u_int sa_length; 2096 const u_char *cp; 2097 int i; 2098 int pcount; 2099 u_char np; 2100 u_int item_len; 2101 2102 ND_TCHECK(*ext1); 2103 UNALIGNED_MEMCPY(&e, ext1, sizeof(e)); 2104 ikev2_pay_print(ndo, "sa", e.critical); 2105 2106 /* 2107 * ikev2_sub0_print() guarantees that this is >= 4. 2108 */ 2109 osa_length= ntohs(e.len); 2110 sa_length = osa_length - 4; 2111 ND_PRINT((ndo," len=%d", sa_length)); 2112 2113 /* 2114 * Print the payloads. 2115 */ 2116 cp = (const u_char *)(ext1 + 1); 2117 pcount = 0; 2118 for (np = ISAKMP_NPTYPE_P; np != 0; np = e.np) { 2119 pcount++; 2120 ext = (const struct isakmp_gen *)cp; 2121 if (sa_length < sizeof(*ext)) 2122 goto toolong; 2123 ND_TCHECK(*ext); 2124 UNALIGNED_MEMCPY(&e, ext, sizeof(e)); 2125 2126 /* 2127 * Since we can't have a payload length of less than 4 bytes, 2128 * we need to bail out here if the generic header is nonsensical 2129 * or truncated, otherwise we could loop forever processing 2130 * zero-length items or otherwise misdissect the packet. 2131 */ 2132 item_len = ntohs(e.len); 2133 if (item_len <= 4) 2134 goto trunc; 2135 2136 if (sa_length < item_len) 2137 goto toolong; 2138 ND_TCHECK2(*cp, item_len); 2139 2140 depth++; 2141 ND_PRINT((ndo,"\n")); 2142 for (i = 0; i < depth; i++) 2143 ND_PRINT((ndo," ")); 2144 ND_PRINT((ndo,"(")); 2145 if (np == ISAKMP_NPTYPE_P) { 2146 cp = ikev2_p_print(ndo, np, pcount, ext, item_len, 2147 ep, depth); 2148 if (cp == NULL) { 2149 /* error, already reported */ 2150 return NULL; 2151 } 2152 } else { 2153 ND_PRINT((ndo, "%s", NPSTR(np))); 2154 cp += item_len; 2155 } 2156 ND_PRINT((ndo,")")); 2157 depth--; 2158 sa_length -= item_len; 2159 } 2160 return cp; 2161 toolong: 2162 /* 2163 * Skip the rest of the SA. 2164 */ 2165 cp += sa_length; 2166 ND_PRINT((ndo," [|%s]", NPSTR(tpay))); 2167 return cp; 2168 trunc: 2169 ND_PRINT((ndo," [|%s]", NPSTR(tpay))); 2170 return NULL; 2171 } 2172 2173 static const u_char * 2174 ikev2_ke_print(netdissect_options *ndo, u_char tpay, 2175 const struct isakmp_gen *ext, 2176 u_int item_len _U_, const u_char *ep _U_, 2177 uint32_t phase _U_, uint32_t doi _U_, 2178 uint32_t proto _U_, int depth _U_) 2179 { 2180 struct ikev2_ke ke; 2181 const struct ikev2_ke *k; 2182 2183 k = (const struct ikev2_ke *)ext; 2184 ND_TCHECK(*k); 2185 UNALIGNED_MEMCPY(&ke, ext, sizeof(ke)); 2186 ikev2_pay_print(ndo, NPSTR(tpay), ke.h.critical); 2187 2188 ND_PRINT((ndo," len=%u group=%s", ntohs(ke.h.len) - 8, 2189 STR_OR_ID(ntohs(ke.ke_group), dh_p_map))); 2190 2191 if (2 < ndo->ndo_vflag && 8 < ntohs(ke.h.len)) { 2192 ND_PRINT((ndo," ")); 2193 if (!rawprint(ndo, (const uint8_t *)(k + 1), ntohs(ke.h.len) - 8)) 2194 goto trunc; 2195 } 2196 return (const u_char *)ext + ntohs(ke.h.len); 2197 trunc: 2198 ND_PRINT((ndo," [|%s]", NPSTR(tpay))); 2199 return NULL; 2200 } 2201 2202 static const u_char * 2203 ikev2_ID_print(netdissect_options *ndo, u_char tpay, 2204 const struct isakmp_gen *ext, 2205 u_int item_len _U_, const u_char *ep _U_, 2206 uint32_t phase _U_, uint32_t doi _U_, 2207 uint32_t proto _U_, int depth _U_) 2208 { 2209 const struct ikev2_id *idp; 2210 struct ikev2_id id; 2211 int id_len, idtype_len, i; 2212 unsigned int dumpascii, dumphex; 2213 const unsigned char *typedata; 2214 2215 idp = (const struct ikev2_id *)ext; 2216 ND_TCHECK(*idp); 2217 UNALIGNED_MEMCPY(&id, ext, sizeof(id)); 2218 ikev2_pay_print(ndo, NPSTR(tpay), id.h.critical); 2219 2220 id_len = ntohs(id.h.len); 2221 2222 ND_PRINT((ndo," len=%d", id_len - 4)); 2223 if (2 < ndo->ndo_vflag && 4 < id_len) { 2224 /* Print the entire payload in hex */ 2225 ND_PRINT((ndo," ")); 2226 if (!rawprint(ndo, (const uint8_t *)(ext + 1), id_len - 4)) 2227 goto trunc; 2228 } 2229 2230 idtype_len =id_len - sizeof(struct ikev2_id); 2231 dumpascii = 0; 2232 dumphex = 0; 2233 typedata = (const unsigned char *)(ext)+sizeof(struct ikev2_id); 2234 2235 switch(id.type) { 2236 case ID_IPV4_ADDR: 2237 ND_PRINT((ndo, " ipv4:")); 2238 dumphex=1; 2239 break; 2240 case ID_FQDN: 2241 ND_PRINT((ndo, " fqdn:")); 2242 dumpascii=1; 2243 break; 2244 case ID_RFC822_ADDR: 2245 ND_PRINT((ndo, " rfc822:")); 2246 dumpascii=1; 2247 break; 2248 case ID_IPV6_ADDR: 2249 ND_PRINT((ndo, " ipv6:")); 2250 dumphex=1; 2251 break; 2252 case ID_DER_ASN1_DN: 2253 ND_PRINT((ndo, " dn:")); 2254 dumphex=1; 2255 break; 2256 case ID_DER_ASN1_GN: 2257 ND_PRINT((ndo, " gn:")); 2258 dumphex=1; 2259 break; 2260 case ID_KEY_ID: 2261 ND_PRINT((ndo, " keyid:")); 2262 dumphex=1; 2263 break; 2264 } 2265 2266 if(dumpascii) { 2267 ND_TCHECK2(*typedata, idtype_len); 2268 for(i=0; i<idtype_len; i++) { 2269 if(ND_ISPRINT(typedata[i])) { 2270 ND_PRINT((ndo, "%c", typedata[i])); 2271 } else { 2272 ND_PRINT((ndo, ".")); 2273 } 2274 } 2275 } 2276 if(dumphex) { 2277 if (!rawprint(ndo, (const uint8_t *)typedata, idtype_len)) 2278 goto trunc; 2279 } 2280 2281 return (const u_char *)ext + id_len; 2282 trunc: 2283 ND_PRINT((ndo," [|%s]", NPSTR(tpay))); 2284 return NULL; 2285 } 2286 2287 static const u_char * 2288 ikev2_cert_print(netdissect_options *ndo, u_char tpay, 2289 const struct isakmp_gen *ext, 2290 u_int item_len _U_, const u_char *ep _U_, 2291 uint32_t phase _U_, uint32_t doi _U_, 2292 uint32_t proto _U_, int depth _U_) 2293 { 2294 return ikev2_gen_print(ndo, tpay, ext); 2295 } 2296 2297 static const u_char * 2298 ikev2_cr_print(netdissect_options *ndo, u_char tpay, 2299 const struct isakmp_gen *ext, 2300 u_int item_len _U_, const u_char *ep _U_, 2301 uint32_t phase _U_, uint32_t doi _U_, 2302 uint32_t proto _U_, int depth _U_) 2303 { 2304 return ikev2_gen_print(ndo, tpay, ext); 2305 } 2306 2307 static const u_char * 2308 ikev2_auth_print(netdissect_options *ndo, u_char tpay, 2309 const struct isakmp_gen *ext, 2310 u_int item_len _U_, const u_char *ep, 2311 uint32_t phase _U_, uint32_t doi _U_, 2312 uint32_t proto _U_, int depth _U_) 2313 { 2314 struct ikev2_auth a; 2315 const char *v2_auth[]={ "invalid", "rsasig", 2316 "shared-secret", "dsssig" }; 2317 const u_char *authdata = (const u_char*)ext + sizeof(a); 2318 unsigned int len; 2319 2320 ND_TCHECK2(*ext, sizeof(a)); 2321 UNALIGNED_MEMCPY(&a, ext, sizeof(a)); 2322 ikev2_pay_print(ndo, NPSTR(tpay), a.h.critical); 2323 len = ntohs(a.h.len); 2324 2325 /* 2326 * Our caller has ensured that the length is >= 4. 2327 */ 2328 ND_PRINT((ndo," len=%u method=%s", len-4, 2329 STR_OR_ID(a.auth_method, v2_auth))); 2330 if (len > 4) { 2331 if (ndo->ndo_vflag > 1) { 2332 ND_PRINT((ndo, " authdata=(")); 2333 if (!rawprint(ndo, (const uint8_t *)authdata, len - sizeof(a))) 2334 goto trunc; 2335 ND_PRINT((ndo, ") ")); 2336 } else if (ndo->ndo_vflag) { 2337 if (!ike_show_somedata(ndo, authdata, ep)) 2338 goto trunc; 2339 } 2340 } 2341 2342 return (const u_char *)ext + len; 2343 trunc: 2344 ND_PRINT((ndo," [|%s]", NPSTR(tpay))); 2345 return NULL; 2346 } 2347 2348 static const u_char * 2349 ikev2_nonce_print(netdissect_options *ndo, u_char tpay, 2350 const struct isakmp_gen *ext, 2351 u_int item_len _U_, const u_char *ep, 2352 uint32_t phase _U_, uint32_t doi _U_, 2353 uint32_t proto _U_, int depth _U_) 2354 { 2355 struct isakmp_gen e; 2356 2357 ND_TCHECK(*ext); 2358 UNALIGNED_MEMCPY(&e, ext, sizeof(e)); 2359 ikev2_pay_print(ndo, "nonce", e.critical); 2360 2361 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4)); 2362 if (1 < ndo->ndo_vflag && 4 < ntohs(e.len)) { 2363 ND_PRINT((ndo," nonce=(")); 2364 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4)) 2365 goto trunc; 2366 ND_PRINT((ndo,") ")); 2367 } else if(ndo->ndo_vflag && 4 < ntohs(e.len)) { 2368 if(!ike_show_somedata(ndo, (const u_char *)(ext+1), ep)) goto trunc; 2369 } 2370 2371 return (const u_char *)ext + ntohs(e.len); 2372 trunc: 2373 ND_PRINT((ndo," [|%s]", NPSTR(tpay))); 2374 return NULL; 2375 } 2376 2377 /* notify payloads */ 2378 static const u_char * 2379 ikev2_n_print(netdissect_options *ndo, u_char tpay _U_, 2380 const struct isakmp_gen *ext, 2381 u_int item_len, const u_char *ep, 2382 uint32_t phase _U_, uint32_t doi _U_, 2383 uint32_t proto _U_, int depth _U_) 2384 { 2385 const struct ikev2_n *p; 2386 struct ikev2_n n; 2387 const u_char *cp; 2388 u_char showspi, showsomedata; 2389 const char *notify_name; 2390 uint32_t type; 2391 2392 p = (const struct ikev2_n *)ext; 2393 ND_TCHECK(*p); 2394 UNALIGNED_MEMCPY(&n, ext, sizeof(n)); 2395 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_N), n.h.critical); 2396 2397 showspi = 1; 2398 showsomedata=0; 2399 notify_name=NULL; 2400 2401 ND_PRINT((ndo," prot_id=%s", PROTOIDSTR(n.prot_id))); 2402 2403 type = ntohs(n.type); 2404 2405 /* notify space is annoying sparse */ 2406 switch(type) { 2407 case IV2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD: 2408 notify_name = "unsupported_critical_payload"; 2409 showspi = 0; 2410 break; 2411 2412 case IV2_NOTIFY_INVALID_IKE_SPI: 2413 notify_name = "invalid_ike_spi"; 2414 showspi = 1; 2415 break; 2416 2417 case IV2_NOTIFY_INVALID_MAJOR_VERSION: 2418 notify_name = "invalid_major_version"; 2419 showspi = 0; 2420 break; 2421 2422 case IV2_NOTIFY_INVALID_SYNTAX: 2423 notify_name = "invalid_syntax"; 2424 showspi = 1; 2425 break; 2426 2427 case IV2_NOTIFY_INVALID_MESSAGE_ID: 2428 notify_name = "invalid_message_id"; 2429 showspi = 1; 2430 break; 2431 2432 case IV2_NOTIFY_INVALID_SPI: 2433 notify_name = "invalid_spi"; 2434 showspi = 1; 2435 break; 2436 2437 case IV2_NOTIFY_NO_PROPOSAL_CHOSEN: 2438 notify_name = "no_protocol_chosen"; 2439 showspi = 1; 2440 break; 2441 2442 case IV2_NOTIFY_INVALID_KE_PAYLOAD: 2443 notify_name = "invalid_ke_payload"; 2444 showspi = 1; 2445 break; 2446 2447 case IV2_NOTIFY_AUTHENTICATION_FAILED: 2448 notify_name = "authentication_failed"; 2449 showspi = 1; 2450 break; 2451 2452 case IV2_NOTIFY_SINGLE_PAIR_REQUIRED: 2453 notify_name = "single_pair_required"; 2454 showspi = 1; 2455 break; 2456 2457 case IV2_NOTIFY_NO_ADDITIONAL_SAS: 2458 notify_name = "no_additional_sas"; 2459 showspi = 0; 2460 break; 2461 2462 case IV2_NOTIFY_INTERNAL_ADDRESS_FAILURE: 2463 notify_name = "internal_address_failure"; 2464 showspi = 0; 2465 break; 2466 2467 case IV2_NOTIFY_FAILED_CP_REQUIRED: 2468 notify_name = "failed:cp_required"; 2469 showspi = 0; 2470 break; 2471 2472 case IV2_NOTIFY_INVALID_SELECTORS: 2473 notify_name = "invalid_selectors"; 2474 showspi = 0; 2475 break; 2476 2477 case IV2_NOTIFY_INITIAL_CONTACT: 2478 notify_name = "initial_contact"; 2479 showspi = 0; 2480 break; 2481 2482 case IV2_NOTIFY_SET_WINDOW_SIZE: 2483 notify_name = "set_window_size"; 2484 showspi = 0; 2485 break; 2486 2487 case IV2_NOTIFY_ADDITIONAL_TS_POSSIBLE: 2488 notify_name = "additional_ts_possible"; 2489 showspi = 0; 2490 break; 2491 2492 case IV2_NOTIFY_IPCOMP_SUPPORTED: 2493 notify_name = "ipcomp_supported"; 2494 showspi = 0; 2495 break; 2496 2497 case IV2_NOTIFY_NAT_DETECTION_SOURCE_IP: 2498 notify_name = "nat_detection_source_ip"; 2499 showspi = 1; 2500 break; 2501 2502 case IV2_NOTIFY_NAT_DETECTION_DESTINATION_IP: 2503 notify_name = "nat_detection_destination_ip"; 2504 showspi = 1; 2505 break; 2506 2507 case IV2_NOTIFY_COOKIE: 2508 notify_name = "cookie"; 2509 showspi = 1; 2510 showsomedata= 1; 2511 break; 2512 2513 case IV2_NOTIFY_USE_TRANSPORT_MODE: 2514 notify_name = "use_transport_mode"; 2515 showspi = 0; 2516 break; 2517 2518 case IV2_NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED: 2519 notify_name = "http_cert_lookup_supported"; 2520 showspi = 0; 2521 break; 2522 2523 case IV2_NOTIFY_REKEY_SA: 2524 notify_name = "rekey_sa"; 2525 showspi = 1; 2526 break; 2527 2528 case IV2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED: 2529 notify_name = "tfc_padding_not_supported"; 2530 showspi = 0; 2531 break; 2532 2533 case IV2_NOTIFY_NON_FIRST_FRAGMENTS_ALSO: 2534 notify_name = "non_first_fragment_also"; 2535 showspi = 0; 2536 break; 2537 2538 default: 2539 if (type < 8192) { 2540 notify_name="error"; 2541 } else if(type < 16384) { 2542 notify_name="private-error"; 2543 } else if(type < 40960) { 2544 notify_name="status"; 2545 } else { 2546 notify_name="private-status"; 2547 } 2548 } 2549 2550 if(notify_name) { 2551 ND_PRINT((ndo," type=%u(%s)", type, notify_name)); 2552 } 2553 2554 2555 if (showspi && n.spi_size) { 2556 ND_PRINT((ndo," spi=")); 2557 if (!rawprint(ndo, (const uint8_t *)(p + 1), n.spi_size)) 2558 goto trunc; 2559 } 2560 2561 cp = (const u_char *)(p + 1) + n.spi_size; 2562 2563 if (cp < ep) { 2564 if (ndo->ndo_vflag > 3 || (showsomedata && ep-cp < 30)) { 2565 ND_PRINT((ndo," data=(")); 2566 if (!rawprint(ndo, (const uint8_t *)(cp), ep - cp)) 2567 goto trunc; 2568 2569 ND_PRINT((ndo,")")); 2570 } else if (showsomedata) { 2571 if (!ike_show_somedata(ndo, cp, ep)) 2572 goto trunc; 2573 } 2574 } 2575 2576 return (const u_char *)ext + item_len; 2577 trunc: 2578 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_N))); 2579 return NULL; 2580 } 2581 2582 static const u_char * 2583 ikev2_d_print(netdissect_options *ndo, u_char tpay, 2584 const struct isakmp_gen *ext, 2585 u_int item_len _U_, const u_char *ep _U_, 2586 uint32_t phase _U_, uint32_t doi _U_, 2587 uint32_t proto _U_, int depth _U_) 2588 { 2589 return ikev2_gen_print(ndo, tpay, ext); 2590 } 2591 2592 static const u_char * 2593 ikev2_vid_print(netdissect_options *ndo, u_char tpay, 2594 const struct isakmp_gen *ext, 2595 u_int item_len _U_, const u_char *ep _U_, 2596 uint32_t phase _U_, uint32_t doi _U_, 2597 uint32_t proto _U_, int depth _U_) 2598 { 2599 struct isakmp_gen e; 2600 const u_char *vid; 2601 int i, len; 2602 2603 ND_TCHECK(*ext); 2604 UNALIGNED_MEMCPY(&e, ext, sizeof(e)); 2605 ikev2_pay_print(ndo, NPSTR(tpay), e.critical); 2606 ND_PRINT((ndo," len=%d vid=", ntohs(e.len) - 4)); 2607 2608 vid = (const u_char *)(ext+1); 2609 len = ntohs(e.len) - 4; 2610 ND_TCHECK2(*vid, len); 2611 for(i=0; i<len; i++) { 2612 if(ND_ISPRINT(vid[i])) ND_PRINT((ndo, "%c", vid[i])); 2613 else ND_PRINT((ndo, ".")); 2614 } 2615 if (2 < ndo->ndo_vflag && 4 < len) { 2616 /* Print the entire payload in hex */ 2617 ND_PRINT((ndo," ")); 2618 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4)) 2619 goto trunc; 2620 } 2621 return (const u_char *)ext + ntohs(e.len); 2622 trunc: 2623 ND_PRINT((ndo," [|%s]", NPSTR(tpay))); 2624 return NULL; 2625 } 2626 2627 static const u_char * 2628 ikev2_TS_print(netdissect_options *ndo, u_char tpay, 2629 const struct isakmp_gen *ext, 2630 u_int item_len _U_, const u_char *ep _U_, 2631 uint32_t phase _U_, uint32_t doi _U_, 2632 uint32_t proto _U_, int depth _U_) 2633 { 2634 return ikev2_gen_print(ndo, tpay, ext); 2635 } 2636 2637 static const u_char * 2638 ikev2_e_print(netdissect_options *ndo, 2639 #ifndef HAVE_LIBCRYPTO 2640 _U_ 2641 #endif 2642 struct isakmp *base, 2643 u_char tpay, 2644 const struct isakmp_gen *ext, 2645 u_int item_len _U_, const u_char *ep _U_, 2646 #ifndef HAVE_LIBCRYPTO 2647 _U_ 2648 #endif 2649 uint32_t phase, 2650 #ifndef HAVE_LIBCRYPTO 2651 _U_ 2652 #endif 2653 uint32_t doi, 2654 #ifndef HAVE_LIBCRYPTO 2655 _U_ 2656 #endif 2657 uint32_t proto, 2658 #ifndef HAVE_LIBCRYPTO 2659 _U_ 2660 #endif 2661 int depth) 2662 { 2663 struct isakmp_gen e; 2664 const u_char *dat; 2665 volatile int dlen; 2666 2667 ND_TCHECK(*ext); 2668 UNALIGNED_MEMCPY(&e, ext, sizeof(e)); 2669 ikev2_pay_print(ndo, NPSTR(tpay), e.critical); 2670 2671 dlen = ntohs(e.len)-4; 2672 2673 ND_PRINT((ndo," len=%d", dlen)); 2674 if (2 < ndo->ndo_vflag && 4 < dlen) { 2675 ND_PRINT((ndo," ")); 2676 if (!rawprint(ndo, (const uint8_t *)(ext + 1), dlen)) 2677 goto trunc; 2678 } 2679 2680 dat = (const u_char *)(ext+1); 2681 ND_TCHECK2(*dat, dlen); 2682 2683 #ifdef HAVE_LIBCRYPTO 2684 /* try to decypt it! */ 2685 if(esp_print_decrypt_buffer_by_ikev2(ndo, 2686 base->flags & ISAKMP_FLAG_I, 2687 base->i_ck, base->r_ck, 2688 dat, dat+dlen)) { 2689 2690 ext = (const struct isakmp_gen *)ndo->ndo_packetp; 2691 2692 /* got it decrypted, print stuff inside. */ 2693 ikev2_sub_print(ndo, base, e.np, ext, ndo->ndo_snapend, 2694 phase, doi, proto, depth+1); 2695 } 2696 #endif 2697 2698 2699 /* always return NULL, because E must be at end, and NP refers 2700 * to what was inside. 2701 */ 2702 return NULL; 2703 trunc: 2704 ND_PRINT((ndo," [|%s]", NPSTR(tpay))); 2705 return NULL; 2706 } 2707 2708 static const u_char * 2709 ikev2_cp_print(netdissect_options *ndo, u_char tpay, 2710 const struct isakmp_gen *ext, 2711 u_int item_len _U_, const u_char *ep _U_, 2712 uint32_t phase _U_, uint32_t doi _U_, 2713 uint32_t proto _U_, int depth _U_) 2714 { 2715 return ikev2_gen_print(ndo, tpay, ext); 2716 } 2717 2718 static const u_char * 2719 ikev2_eap_print(netdissect_options *ndo, u_char tpay, 2720 const struct isakmp_gen *ext, 2721 u_int item_len _U_, const u_char *ep _U_, 2722 uint32_t phase _U_, uint32_t doi _U_, 2723 uint32_t proto _U_, int depth _U_) 2724 { 2725 return ikev2_gen_print(ndo, tpay, ext); 2726 } 2727 2728 static const u_char * 2729 ike_sub0_print(netdissect_options *ndo, 2730 u_char np, const struct isakmp_gen *ext, const u_char *ep, 2731 2732 uint32_t phase, uint32_t doi, uint32_t proto, int depth) 2733 { 2734 const u_char *cp; 2735 struct isakmp_gen e; 2736 u_int item_len; 2737 2738 cp = (const u_char *)ext; 2739 ND_TCHECK(*ext); 2740 UNALIGNED_MEMCPY(&e, ext, sizeof(e)); 2741 2742 /* 2743 * Since we can't have a payload length of less than 4 bytes, 2744 * we need to bail out here if the generic header is nonsensical 2745 * or truncated, otherwise we could loop forever processing 2746 * zero-length items or otherwise misdissect the packet. 2747 */ 2748 item_len = ntohs(e.len); 2749 if (item_len <= 4) 2750 return NULL; 2751 2752 if (NPFUNC(np)) { 2753 /* 2754 * XXX - what if item_len is too short, or too long, 2755 * for this payload type? 2756 */ 2757 cp = (*npfunc[np])(ndo, np, ext, item_len, ep, phase, doi, proto, depth); 2758 } else { 2759 ND_PRINT((ndo,"%s", NPSTR(np))); 2760 cp += item_len; 2761 } 2762 2763 return cp; 2764 trunc: 2765 ND_PRINT((ndo," [|isakmp]")); 2766 return NULL; 2767 } 2768 2769 static const u_char * 2770 ikev1_sub_print(netdissect_options *ndo, 2771 u_char np, const struct isakmp_gen *ext, const u_char *ep, 2772 uint32_t phase, uint32_t doi, uint32_t proto, int depth) 2773 { 2774 const u_char *cp; 2775 int i; 2776 struct isakmp_gen e; 2777 2778 cp = (const u_char *)ext; 2779 2780 while (np) { 2781 ND_TCHECK(*ext); 2782 UNALIGNED_MEMCPY(&e, ext, sizeof(e)); 2783 2784 ND_TCHECK2(*ext, ntohs(e.len)); 2785 2786 depth++; 2787 ND_PRINT((ndo,"\n")); 2788 for (i = 0; i < depth; i++) 2789 ND_PRINT((ndo," ")); 2790 ND_PRINT((ndo,"(")); 2791 cp = ike_sub0_print(ndo, np, ext, ep, phase, doi, proto, depth); 2792 ND_PRINT((ndo,")")); 2793 depth--; 2794 2795 if (cp == NULL) { 2796 /* Zero-length subitem */ 2797 return NULL; 2798 } 2799 2800 np = e.np; 2801 ext = (const struct isakmp_gen *)cp; 2802 } 2803 return cp; 2804 trunc: 2805 ND_PRINT((ndo," [|%s]", NPSTR(np))); 2806 return NULL; 2807 } 2808 2809 static char * 2810 numstr(int x) 2811 { 2812 static char buf[20]; 2813 snprintf(buf, sizeof(buf), "#%d", x); 2814 return buf; 2815 } 2816 2817 static void 2818 ikev1_print(netdissect_options *ndo, 2819 const u_char *bp, u_int length, 2820 const u_char *bp2, struct isakmp *base) 2821 { 2822 const struct isakmp *p; 2823 const u_char *ep; 2824 u_char np; 2825 int i; 2826 int phase; 2827 2828 p = (const struct isakmp *)bp; 2829 ep = ndo->ndo_snapend; 2830 2831 phase = (EXTRACT_32BITS(base->msgid) == 0) ? 1 : 2; 2832 if (phase == 1) 2833 ND_PRINT((ndo," phase %d", phase)); 2834 else 2835 ND_PRINT((ndo," phase %d/others", phase)); 2836 2837 i = cookie_find(&base->i_ck); 2838 if (i < 0) { 2839 if (iszero((const u_char *)&base->r_ck, sizeof(base->r_ck))) { 2840 /* the first packet */ 2841 ND_PRINT((ndo," I")); 2842 if (bp2) 2843 cookie_record(&base->i_ck, bp2); 2844 } else 2845 ND_PRINT((ndo," ?")); 2846 } else { 2847 if (bp2 && cookie_isinitiator(i, bp2)) 2848 ND_PRINT((ndo," I")); 2849 else if (bp2 && cookie_isresponder(i, bp2)) 2850 ND_PRINT((ndo," R")); 2851 else 2852 ND_PRINT((ndo," ?")); 2853 } 2854 2855 ND_PRINT((ndo," %s", ETYPESTR(base->etype))); 2856 if (base->flags) { 2857 ND_PRINT((ndo,"[%s%s]", base->flags & ISAKMP_FLAG_E ? "E" : "", 2858 base->flags & ISAKMP_FLAG_C ? "C" : "")); 2859 } 2860 2861 if (ndo->ndo_vflag) { 2862 const struct isakmp_gen *ext; 2863 2864 ND_PRINT((ndo,":")); 2865 2866 /* regardless of phase... */ 2867 if (base->flags & ISAKMP_FLAG_E) { 2868 /* 2869 * encrypted, nothing we can do right now. 2870 * we hope to decrypt the packet in the future... 2871 */ 2872 ND_PRINT((ndo," [encrypted %s]", NPSTR(base->np))); 2873 goto done; 2874 } 2875 2876 CHECKLEN(p + 1, base->np); 2877 np = base->np; 2878 ext = (const struct isakmp_gen *)(p + 1); 2879 ikev1_sub_print(ndo, np, ext, ep, phase, 0, 0, 0); 2880 } 2881 2882 done: 2883 if (ndo->ndo_vflag) { 2884 if (ntohl(base->len) != length) { 2885 ND_PRINT((ndo," (len mismatch: isakmp %u/ip %u)", 2886 (uint32_t)ntohl(base->len), length)); 2887 } 2888 } 2889 } 2890 2891 static const u_char * 2892 ikev2_sub0_print(netdissect_options *ndo, struct isakmp *base, 2893 u_char np, 2894 const struct isakmp_gen *ext, const u_char *ep, 2895 uint32_t phase, uint32_t doi, uint32_t proto, int depth) 2896 { 2897 const u_char *cp; 2898 struct isakmp_gen e; 2899 u_int item_len; 2900 2901 cp = (const u_char *)ext; 2902 ND_TCHECK(*ext); 2903 UNALIGNED_MEMCPY(&e, ext, sizeof(e)); 2904 2905 /* 2906 * Since we can't have a payload length of less than 4 bytes, 2907 * we need to bail out here if the generic header is nonsensical 2908 * or truncated, otherwise we could loop forever processing 2909 * zero-length items or otherwise misdissect the packet. 2910 */ 2911 item_len = ntohs(e.len); 2912 if (item_len <= 4) 2913 return NULL; 2914 2915 if (np == ISAKMP_NPTYPE_v2E) { 2916 cp = ikev2_e_print(ndo, base, np, ext, item_len, 2917 ep, phase, doi, proto, depth); 2918 } else if (NPFUNC(np)) { 2919 /* 2920 * XXX - what if item_len is too short, or too long, 2921 * for this payload type? 2922 */ 2923 cp = (*npfunc[np])(ndo, np, ext, item_len, 2924 ep, phase, doi, proto, depth); 2925 } else { 2926 ND_PRINT((ndo,"%s", NPSTR(np))); 2927 cp += item_len; 2928 } 2929 2930 return cp; 2931 trunc: 2932 ND_PRINT((ndo," [|isakmp]")); 2933 return NULL; 2934 } 2935 2936 static const u_char * 2937 ikev2_sub_print(netdissect_options *ndo, 2938 struct isakmp *base, 2939 u_char np, const struct isakmp_gen *ext, const u_char *ep, 2940 uint32_t phase, uint32_t doi, uint32_t proto, int depth) 2941 { 2942 const u_char *cp; 2943 int i; 2944 struct isakmp_gen e; 2945 2946 cp = (const u_char *)ext; 2947 while (np) { 2948 ND_TCHECK(*ext); 2949 UNALIGNED_MEMCPY(&e, ext, sizeof(e)); 2950 2951 ND_TCHECK2(*ext, ntohs(e.len)); 2952 2953 depth++; 2954 ND_PRINT((ndo,"\n")); 2955 for (i = 0; i < depth; i++) 2956 ND_PRINT((ndo," ")); 2957 ND_PRINT((ndo,"(")); 2958 cp = ikev2_sub0_print(ndo, base, np, 2959 ext, ep, phase, doi, proto, depth); 2960 ND_PRINT((ndo,")")); 2961 depth--; 2962 2963 if (cp == NULL) { 2964 /* Zero-length subitem */ 2965 return NULL; 2966 } 2967 2968 np = e.np; 2969 ext = (const struct isakmp_gen *)cp; 2970 } 2971 return cp; 2972 trunc: 2973 ND_PRINT((ndo," [|%s]", NPSTR(np))); 2974 return NULL; 2975 } 2976 2977 static void 2978 ikev2_print(netdissect_options *ndo, 2979 const u_char *bp, u_int length, 2980 const u_char *bp2 _U_, struct isakmp *base) 2981 { 2982 const struct isakmp *p; 2983 const u_char *ep; 2984 u_char np; 2985 int phase; 2986 2987 p = (const struct isakmp *)bp; 2988 ep = ndo->ndo_snapend; 2989 2990 phase = (EXTRACT_32BITS(base->msgid) == 0) ? 1 : 2; 2991 if (phase == 1) 2992 ND_PRINT((ndo, " parent_sa")); 2993 else 2994 ND_PRINT((ndo, " child_sa ")); 2995 2996 ND_PRINT((ndo, " %s", ETYPESTR(base->etype))); 2997 if (base->flags) { 2998 ND_PRINT((ndo, "[%s%s%s]", 2999 base->flags & ISAKMP_FLAG_I ? "I" : "", 3000 base->flags & ISAKMP_FLAG_V ? "V" : "", 3001 base->flags & ISAKMP_FLAG_R ? "R" : "")); 3002 } 3003 3004 if (ndo->ndo_vflag) { 3005 const struct isakmp_gen *ext; 3006 3007 ND_PRINT((ndo, ":")); 3008 3009 /* regardless of phase... */ 3010 if (base->flags & ISAKMP_FLAG_E) { 3011 /* 3012 * encrypted, nothing we can do right now. 3013 * we hope to decrypt the packet in the future... 3014 */ 3015 ND_PRINT((ndo, " [encrypted %s]", NPSTR(base->np))); 3016 goto done; 3017 } 3018 3019 CHECKLEN(p + 1, base->np) 3020 3021 np = base->np; 3022 ext = (const struct isakmp_gen *)(p + 1); 3023 ikev2_sub_print(ndo, base, np, ext, ep, phase, 0, 0, 0); 3024 } 3025 3026 done: 3027 if (ndo->ndo_vflag) { 3028 if (ntohl(base->len) != length) { 3029 ND_PRINT((ndo, " (len mismatch: isakmp %u/ip %u)", 3030 (uint32_t)ntohl(base->len), length)); 3031 } 3032 } 3033 } 3034 3035 void 3036 isakmp_print(netdissect_options *ndo, 3037 const u_char *bp, u_int length, 3038 const u_char *bp2) 3039 { 3040 const struct isakmp *p; 3041 struct isakmp base; 3042 const u_char *ep; 3043 int major, minor; 3044 3045 #ifdef HAVE_LIBCRYPTO 3046 /* initialize SAs */ 3047 if (ndo->ndo_sa_list_head == NULL) { 3048 if (ndo->ndo_espsecret) 3049 esp_print_decodesecret(ndo); 3050 } 3051 #endif 3052 3053 p = (const struct isakmp *)bp; 3054 ep = ndo->ndo_snapend; 3055 3056 if ((const struct isakmp *)ep < p + 1) { 3057 ND_PRINT((ndo,"[|isakmp]")); 3058 return; 3059 } 3060 3061 UNALIGNED_MEMCPY(&base, p, sizeof(base)); 3062 3063 ND_PRINT((ndo,"isakmp")); 3064 major = (base.vers & ISAKMP_VERS_MAJOR) 3065 >> ISAKMP_VERS_MAJOR_SHIFT; 3066 minor = (base.vers & ISAKMP_VERS_MINOR) 3067 >> ISAKMP_VERS_MINOR_SHIFT; 3068 3069 if (ndo->ndo_vflag) { 3070 ND_PRINT((ndo," %d.%d", major, minor)); 3071 } 3072 3073 if (ndo->ndo_vflag) { 3074 ND_PRINT((ndo," msgid ")); 3075 hexprint(ndo, (const uint8_t *)&base.msgid, sizeof(base.msgid)); 3076 } 3077 3078 if (1 < ndo->ndo_vflag) { 3079 ND_PRINT((ndo," cookie ")); 3080 hexprint(ndo, (const uint8_t *)&base.i_ck, sizeof(base.i_ck)); 3081 ND_PRINT((ndo,"->")); 3082 hexprint(ndo, (const uint8_t *)&base.r_ck, sizeof(base.r_ck)); 3083 } 3084 ND_PRINT((ndo,":")); 3085 3086 switch(major) { 3087 case IKEv1_MAJOR_VERSION: 3088 ikev1_print(ndo, bp, length, bp2, &base); 3089 break; 3090 3091 case IKEv2_MAJOR_VERSION: 3092 ikev2_print(ndo, bp, length, bp2, &base); 3093 break; 3094 } 3095 } 3096 3097 void 3098 isakmp_rfc3948_print(netdissect_options *ndo, 3099 const u_char *bp, u_int length, 3100 const u_char *bp2) 3101 { 3102 ND_TCHECK(bp[0]); 3103 if(length == 1 && bp[0]==0xff) { 3104 ND_PRINT((ndo, "isakmp-nat-keep-alive")); 3105 return; 3106 } 3107 3108 if(length < 4) { 3109 goto trunc; 3110 } 3111 ND_TCHECK(bp[3]); 3112 3113 /* 3114 * see if this is an IKE packet 3115 */ 3116 if(bp[0]==0 && bp[1]==0 && bp[2]==0 && bp[3]==0) { 3117 ND_PRINT((ndo, "NONESP-encap: ")); 3118 isakmp_print(ndo, bp+4, length-4, bp2); 3119 return; 3120 } 3121 3122 /* must be an ESP packet */ 3123 { 3124 int nh, enh, padlen; 3125 int advance; 3126 3127 ND_PRINT((ndo, "UDP-encap: ")); 3128 3129 advance = esp_print(ndo, bp, length, bp2, &enh, &padlen); 3130 if(advance <= 0) 3131 return; 3132 3133 bp += advance; 3134 length -= advance + padlen; 3135 nh = enh & 0xff; 3136 3137 ip_print_inner(ndo, bp, length, nh, bp2); 3138 return; 3139 } 3140 3141 trunc: 3142 ND_PRINT((ndo,"[|isakmp]")); 3143 return; 3144 } 3145 3146 /* 3147 * Local Variables: 3148 * c-style: whitesmith 3149 * c-basic-offset: 8 3150 * End: 3151 */ 3152