1 /* 2 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. Neither the name of the project nor the names of its contributors 14 * may be used to endorse or promote products derived from this software 15 * without specific prior written permission. 16 * 17 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27 * SUCH DAMAGE. 28 * 29 */ 30 31 #include <sys/cdefs.h> 32 #ifndef lint 33 #if 0 34 static const char rcsid[] _U_ = 35 "@(#) Header: /tcpdump/master/tcpdump/print-isakmp.c,v 1.61 2008-02-05 19:34:25 guy Exp (LBL)"; 36 #else 37 __RCSID("$NetBSD: print-isakmp.c,v 1.5 2013/10/20 02:58:34 christos Exp $"); 38 #endif 39 #endif 40 41 #define NETDISSECT_REWORKED 42 #ifdef HAVE_CONFIG_H 43 #include "config.h" 44 #endif 45 46 #include <tcpdump-stdinc.h> 47 48 #include <string.h> 49 50 #include <stdio.h> 51 52 #include "isakmp.h" 53 #include "ipsec_doi.h" 54 #include "oakley.h" 55 #include "interface.h" 56 #include "addrtoname.h" 57 #include "extract.h" /* must come after interface.h */ 58 59 #include "ip.h" 60 #ifdef INET6 61 #include "ip6.h" 62 #endif 63 64 #ifndef HAVE_SOCKADDR_STORAGE 65 #define sockaddr_storage sockaddr 66 #endif 67 68 #define DECLARE_PRINTER(func) static const u_char *ike##func##_print( \ 69 netdissect_options *ndo, u_char tpay, \ 70 const struct isakmp_gen *ext, \ 71 u_int item_len, \ 72 const u_char *end_pointer, \ 73 u_int32_t phase,\ 74 u_int32_t doi0, \ 75 u_int32_t proto0, int depth) 76 77 DECLARE_PRINTER(v1_sa); 78 DECLARE_PRINTER(v1_p); 79 DECLARE_PRINTER(v1_t); 80 DECLARE_PRINTER(v1_ke); 81 DECLARE_PRINTER(v1_id); 82 DECLARE_PRINTER(v1_cert); 83 DECLARE_PRINTER(v1_cr); 84 DECLARE_PRINTER(v1_sig); 85 DECLARE_PRINTER(v1_hash); 86 DECLARE_PRINTER(v1_nonce); 87 DECLARE_PRINTER(v1_n); 88 DECLARE_PRINTER(v1_d); 89 DECLARE_PRINTER(v1_vid); 90 91 DECLARE_PRINTER(v2_sa); 92 DECLARE_PRINTER(v2_ke); 93 DECLARE_PRINTER(v2_ID); 94 DECLARE_PRINTER(v2_cert); 95 DECLARE_PRINTER(v2_cr); 96 DECLARE_PRINTER(v2_auth); 97 DECLARE_PRINTER(v2_nonce); 98 DECLARE_PRINTER(v2_n); 99 DECLARE_PRINTER(v2_d); 100 DECLARE_PRINTER(v2_vid); 101 DECLARE_PRINTER(v2_TS); 102 DECLARE_PRINTER(v2_cp); 103 DECLARE_PRINTER(v2_eap); 104 105 static const u_char *ikev2_e_print(netdissect_options *ndo, 106 struct isakmp *base, 107 u_char tpay, 108 const struct isakmp_gen *ext, 109 u_int item_len, 110 const u_char *end_pointer, 111 u_int32_t phase, 112 u_int32_t doi0, 113 u_int32_t proto0, int depth); 114 115 116 static const u_char *ike_sub0_print(netdissect_options *ndo,u_char, const struct isakmp_gen *, 117 const u_char *, u_int32_t, u_int32_t, u_int32_t, int); 118 static const u_char *ikev1_sub_print(netdissect_options *ndo,u_char, const struct isakmp_gen *, 119 const u_char *, u_int32_t, u_int32_t, u_int32_t, int); 120 121 static const u_char *ikev2_sub_print(netdissect_options *ndo, 122 struct isakmp *base, 123 u_char np, const struct isakmp_gen *ext, 124 const u_char *ep, u_int32_t phase, 125 u_int32_t doi, u_int32_t proto, 126 int depth); 127 128 129 static char *numstr(int); 130 static void safememcpy(void *, const void *, size_t); 131 132 static void 133 ikev1_print(netdissect_options *ndo, 134 const u_char *bp, u_int length, 135 const u_char *bp2, struct isakmp *base); 136 137 #define MAXINITIATORS 20 138 int ninitiator = 0; 139 struct { 140 cookie_t initiator; 141 struct sockaddr_storage iaddr; 142 struct sockaddr_storage raddr; 143 } cookiecache[MAXINITIATORS]; 144 145 /* protocol id */ 146 static const char *protoidstr[] = { 147 NULL, "isakmp", "ipsec-ah", "ipsec-esp", "ipcomp", 148 }; 149 150 /* isakmp->np */ 151 static const char *npstr[] = { 152 "none", "sa", "p", "t", "ke", "id", "cert", "cr", "hash", /* 0 - 8 */ 153 "sig", "nonce", "n", "d", "vid", /* 9 - 13 */ 154 "pay14", "pay15", "pay16", "pay17", "pay18", /* 14- 18 */ 155 "pay19", "pay20", "pay21", "pay22", "pay23", /* 19- 23 */ 156 "pay24", "pay25", "pay26", "pay27", "pay28", /* 24- 28 */ 157 "pay29", "pay30", "pay31", "pay32", /* 29- 32 */ 158 "v2sa", "v2ke", "v2IDi", "v2IDr", "v2cert",/* 33- 37 */ 159 "v2cr", "v2auth","v2nonce", "v2n", "v2d", /* 38- 42 */ 160 "v2vid", "v2TSi", "v2TSr", "v2e", "v2cp", /* 43- 47 */ 161 "v2eap", /* 48 */ 162 163 }; 164 165 /* isakmp->np */ 166 static const u_char *(*npfunc[])(netdissect_options *ndo, u_char tpay, 167 const struct isakmp_gen *ext, 168 u_int item_len, 169 const u_char *end_pointer, 170 u_int32_t phase, 171 u_int32_t doi0, 172 u_int32_t proto0, int depth) = { 173 NULL, 174 ikev1_sa_print, 175 ikev1_p_print, 176 ikev1_t_print, 177 ikev1_ke_print, 178 ikev1_id_print, 179 ikev1_cert_print, 180 ikev1_cr_print, 181 ikev1_hash_print, 182 ikev1_sig_print, 183 ikev1_nonce_print, 184 ikev1_n_print, 185 ikev1_d_print, 186 ikev1_vid_print, /* 13 */ 187 NULL, NULL, NULL, NULL, NULL, /* 14- 18 */ 188 NULL, NULL, NULL, NULL, NULL, /* 19- 23 */ 189 NULL, NULL, NULL, NULL, NULL, /* 24- 28 */ 190 NULL, NULL, NULL, NULL, /* 29- 32 */ 191 ikev2_sa_print, /* 33 */ 192 ikev2_ke_print, /* 34 */ 193 ikev2_ID_print, /* 35 */ 194 ikev2_ID_print, /* 36 */ 195 ikev2_cert_print, /* 37 */ 196 ikev2_cr_print, /* 38 */ 197 ikev2_auth_print, /* 39 */ 198 ikev2_nonce_print, /* 40 */ 199 ikev2_n_print, /* 41 */ 200 ikev2_d_print, /* 42 */ 201 ikev2_vid_print, /* 43 */ 202 ikev2_TS_print, /* 44 */ 203 ikev2_TS_print, /* 45 */ 204 NULL, /* ikev2_e_print,*/ /* 46 - special */ 205 ikev2_cp_print, /* 47 */ 206 ikev2_eap_print, /* 48 */ 207 }; 208 209 /* isakmp->etype */ 210 static const char *etypestr[] = { 211 /* IKEv1 exchange types */ 212 "none", "base", "ident", "auth", "agg", "inf", NULL, NULL, /* 0-7 */ 213 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 8-15 */ 214 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 16-23 */ 215 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 24-31 */ 216 "oakley-quick", "oakley-newgroup", /* 32-33 */ 217 /* IKEv2 exchange types */ 218 "ikev2_init", "ikev2_auth", "child_sa", "inf2" /* 34-37 */ 219 }; 220 221 #define STR_OR_ID(x, tab) \ 222 (((x) < sizeof(tab)/sizeof(tab[0]) && tab[(x)]) ? tab[(x)] : numstr(x)) 223 #define PROTOIDSTR(x) STR_OR_ID(x, protoidstr) 224 #define NPSTR(x) STR_OR_ID(x, npstr) 225 #define ETYPESTR(x) STR_OR_ID(x, etypestr) 226 227 #define CHECKLEN(p, np) \ 228 if (ep < (u_char *)(p)) { \ 229 ND_PRINT((ndo," [|%s]", NPSTR(np))); \ 230 goto done; \ 231 } 232 233 234 #define NPFUNC(x) \ 235 (((x) < sizeof(npfunc)/sizeof(npfunc[0]) && npfunc[(x)]) \ 236 ? npfunc[(x)] : NULL) 237 238 static int 239 iszero(u_char *p, size_t l) 240 { 241 while (l--) { 242 if (*p++) 243 return 0; 244 } 245 return 1; 246 } 247 248 /* find cookie from initiator cache */ 249 static int 250 cookie_find(cookie_t *in) 251 { 252 int i; 253 254 for (i = 0; i < MAXINITIATORS; i++) { 255 if (memcmp(in, &cookiecache[i].initiator, sizeof(*in)) == 0) 256 return i; 257 } 258 259 return -1; 260 } 261 262 /* record initiator */ 263 static void 264 cookie_record(cookie_t *in, const u_char *bp2) 265 { 266 int i; 267 struct ip *ip; 268 struct sockaddr_in *sin; 269 #ifdef INET6 270 struct ip6_hdr *ip6; 271 struct sockaddr_in6 *sin6; 272 #endif 273 274 i = cookie_find(in); 275 if (0 <= i) { 276 ninitiator = (i + 1) % MAXINITIATORS; 277 return; 278 } 279 280 ip = (struct ip *)bp2; 281 switch (IP_V(ip)) { 282 case 4: 283 memset(&cookiecache[ninitiator].iaddr, 0, 284 sizeof(cookiecache[ninitiator].iaddr)); 285 memset(&cookiecache[ninitiator].raddr, 0, 286 sizeof(cookiecache[ninitiator].raddr)); 287 288 sin = (struct sockaddr_in *)&cookiecache[ninitiator].iaddr; 289 #ifdef HAVE_SOCKADDR_SA_LEN 290 sin->sin_len = sizeof(struct sockaddr_in); 291 #endif 292 sin->sin_family = AF_INET; 293 memcpy(&sin->sin_addr, &ip->ip_src, sizeof(ip->ip_src)); 294 sin = (struct sockaddr_in *)&cookiecache[ninitiator].raddr; 295 #ifdef HAVE_SOCKADDR_SA_LEN 296 sin->sin_len = sizeof(struct sockaddr_in); 297 #endif 298 sin->sin_family = AF_INET; 299 memcpy(&sin->sin_addr, &ip->ip_dst, sizeof(ip->ip_dst)); 300 break; 301 #ifdef INET6 302 case 6: 303 memset(&cookiecache[ninitiator].iaddr, 0, 304 sizeof(cookiecache[ninitiator].iaddr)); 305 memset(&cookiecache[ninitiator].raddr, 0, 306 sizeof(cookiecache[ninitiator].raddr)); 307 308 ip6 = (struct ip6_hdr *)bp2; 309 sin6 = (struct sockaddr_in6 *)&cookiecache[ninitiator].iaddr; 310 #ifdef HAVE_SOCKADDR_SA_LEN 311 sin6->sin6_len = sizeof(struct sockaddr_in6); 312 #endif 313 sin6->sin6_family = AF_INET6; 314 memcpy(&sin6->sin6_addr, &ip6->ip6_src, sizeof(ip6->ip6_src)); 315 sin6 = (struct sockaddr_in6 *)&cookiecache[ninitiator].raddr; 316 #ifdef HAVE_SOCKADDR_SA_LEN 317 sin6->sin6_len = sizeof(struct sockaddr_in6); 318 #endif 319 sin6->sin6_family = AF_INET6; 320 memcpy(&sin6->sin6_addr, &ip6->ip6_dst, sizeof(ip6->ip6_dst)); 321 break; 322 #endif 323 default: 324 return; 325 } 326 memcpy(&cookiecache[ninitiator].initiator, in, sizeof(*in)); 327 ninitiator = (ninitiator + 1) % MAXINITIATORS; 328 } 329 330 #define cookie_isinitiator(x, y) cookie_sidecheck((x), (y), 1) 331 #define cookie_isresponder(x, y) cookie_sidecheck((x), (y), 0) 332 static int 333 cookie_sidecheck(int i, const u_char *bp2, int initiator) 334 { 335 struct sockaddr_storage ss; 336 struct sockaddr *sa; 337 struct ip *ip; 338 struct sockaddr_in *sin; 339 #ifdef INET6 340 struct ip6_hdr *ip6; 341 struct sockaddr_in6 *sin6; 342 #endif 343 int salen; 344 345 memset(&ss, 0, sizeof(ss)); 346 ip = (struct ip *)bp2; 347 switch (IP_V(ip)) { 348 case 4: 349 sin = (struct sockaddr_in *)&ss; 350 #ifdef HAVE_SOCKADDR_SA_LEN 351 sin->sin_len = sizeof(struct sockaddr_in); 352 #endif 353 sin->sin_family = AF_INET; 354 memcpy(&sin->sin_addr, &ip->ip_src, sizeof(ip->ip_src)); 355 break; 356 #ifdef INET6 357 case 6: 358 ip6 = (struct ip6_hdr *)bp2; 359 sin6 = (struct sockaddr_in6 *)&ss; 360 #ifdef HAVE_SOCKADDR_SA_LEN 361 sin6->sin6_len = sizeof(struct sockaddr_in6); 362 #endif 363 sin6->sin6_family = AF_INET6; 364 memcpy(&sin6->sin6_addr, &ip6->ip6_src, sizeof(ip6->ip6_src)); 365 break; 366 #endif 367 default: 368 return 0; 369 } 370 371 sa = (struct sockaddr *)&ss; 372 if (initiator) { 373 if (sa->sa_family != ((struct sockaddr *)&cookiecache[i].iaddr)->sa_family) 374 return 0; 375 #ifdef HAVE_SOCKADDR_SA_LEN 376 salen = sa->sa_len; 377 #else 378 #ifdef INET6 379 if (sa->sa_family == AF_INET6) 380 salen = sizeof(struct sockaddr_in6); 381 else 382 salen = sizeof(struct sockaddr); 383 #else 384 salen = sizeof(struct sockaddr); 385 #endif 386 #endif 387 if (memcmp(&ss, &cookiecache[i].iaddr, salen) == 0) 388 return 1; 389 } else { 390 if (sa->sa_family != ((struct sockaddr *)&cookiecache[i].raddr)->sa_family) 391 return 0; 392 #ifdef HAVE_SOCKADDR_SA_LEN 393 salen = sa->sa_len; 394 #else 395 #ifdef INET6 396 if (sa->sa_family == AF_INET6) 397 salen = sizeof(struct sockaddr_in6); 398 else 399 salen = sizeof(struct sockaddr); 400 #else 401 salen = sizeof(struct sockaddr); 402 #endif 403 #endif 404 if (memcmp(&ss, &cookiecache[i].raddr, salen) == 0) 405 return 1; 406 } 407 return 0; 408 } 409 410 static void 411 hexprint(netdissect_options *ndo, caddr_t loc, size_t len) 412 { 413 u_char *p; 414 size_t i; 415 416 p = (u_char *)loc; 417 for (i = 0; i < len; i++) 418 ND_PRINT((ndo,"%02x", p[i] & 0xff)); 419 } 420 421 static int 422 rawprint(netdissect_options *ndo, caddr_t loc, size_t len) 423 { 424 ND_TCHECK2(*loc, len); 425 426 hexprint(ndo, loc, len); 427 return 1; 428 trunc: 429 return 0; 430 } 431 432 433 /* 434 * returns false if we run out of data buffer 435 */ 436 static int ike_show_somedata(struct netdissect_options *ndo, 437 const u_char *cp, const u_char *ep) 438 { 439 /* there is too much data, just show some of it */ 440 const u_char *end = ep - 20; 441 int elen = 20; 442 int len = ep - cp; 443 if(len > 10) { 444 len = 10; 445 } 446 447 /* really shouldn't happen because of above */ 448 if(end < cp + len) { 449 end = cp+len; 450 elen = ep - end; 451 } 452 453 ND_PRINT((ndo," data=(")); 454 if(!rawprint(ndo, (caddr_t)(cp), len)) goto trunc; 455 ND_PRINT((ndo, "...")); 456 if(elen) { 457 if(!rawprint(ndo, (caddr_t)(end), elen)) goto trunc; 458 } 459 ND_PRINT((ndo,")")); 460 return 1; 461 462 trunc: 463 return 0; 464 } 465 466 struct attrmap { 467 const char *type; 468 u_int nvalue; 469 const char *value[30]; /*XXX*/ 470 }; 471 472 static const u_char * 473 ikev1_attrmap_print(netdissect_options *ndo, 474 const u_char *p, const u_char *ep, 475 const struct attrmap *map, size_t nmap) 476 { 477 u_int16_t *q; 478 int totlen; 479 u_int32_t t, v; 480 481 q = (u_int16_t *)p; 482 if (p[0] & 0x80) 483 totlen = 4; 484 else 485 totlen = 4 + EXTRACT_16BITS(&q[1]); 486 if (ep < p + totlen) { 487 ND_PRINT((ndo,"[|attr]")); 488 return ep + 1; 489 } 490 491 ND_PRINT((ndo,"(")); 492 t = EXTRACT_16BITS(&q[0]) & 0x7fff; 493 if (map && t < nmap && map[t].type) 494 ND_PRINT((ndo,"type=%s ", map[t].type)); 495 else 496 ND_PRINT((ndo,"type=#%d ", t)); 497 if (p[0] & 0x80) { 498 ND_PRINT((ndo,"value=")); 499 v = EXTRACT_16BITS(&q[1]); 500 if (map && t < nmap && v < map[t].nvalue && map[t].value[v]) 501 ND_PRINT((ndo,"%s", map[t].value[v])); 502 else 503 rawprint(ndo, (caddr_t)&q[1], 2); 504 } else { 505 ND_PRINT((ndo,"len=%d value=", EXTRACT_16BITS(&q[1]))); 506 rawprint(ndo, (caddr_t)&p[4], EXTRACT_16BITS(&q[1])); 507 } 508 ND_PRINT((ndo,")")); 509 return p + totlen; 510 } 511 512 static const u_char * 513 ikev1_attr_print(netdissect_options *ndo, const u_char *p, const u_char *ep) 514 { 515 u_int16_t *q; 516 int totlen; 517 u_int32_t t; 518 519 q = (u_int16_t *)p; 520 if (p[0] & 0x80) 521 totlen = 4; 522 else 523 totlen = 4 + EXTRACT_16BITS(&q[1]); 524 if (ep < p + totlen) { 525 ND_PRINT((ndo,"[|attr]")); 526 return ep + 1; 527 } 528 529 ND_PRINT((ndo,"(")); 530 t = EXTRACT_16BITS(&q[0]) & 0x7fff; 531 ND_PRINT((ndo,"type=#%d ", t)); 532 if (p[0] & 0x80) { 533 ND_PRINT((ndo,"value=")); 534 t = q[1]; 535 rawprint(ndo, (caddr_t)&q[1], 2); 536 } else { 537 ND_PRINT((ndo,"len=%d value=", EXTRACT_16BITS(&q[1]))); 538 rawprint(ndo, (caddr_t)&p[2], EXTRACT_16BITS(&q[1])); 539 } 540 ND_PRINT((ndo,")")); 541 return p + totlen; 542 } 543 544 static const u_char * 545 ikev1_sa_print(netdissect_options *ndo, u_char tpay _U_, 546 const struct isakmp_gen *ext, 547 u_int item_len _U_, 548 const u_char *ep, u_int32_t phase, u_int32_t doi0 _U_, 549 u_int32_t proto0, int depth) 550 { 551 const struct ikev1_pl_sa *p; 552 struct ikev1_pl_sa sa; 553 u_int32_t doi, sit, ident; 554 const u_char *cp, *np; 555 int t; 556 557 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_SA))); 558 559 p = (struct ikev1_pl_sa *)ext; 560 ND_TCHECK(*p); 561 safememcpy(&sa, ext, sizeof(sa)); 562 doi = ntohl(sa.doi); 563 sit = ntohl(sa.sit); 564 if (doi != 1) { 565 ND_PRINT((ndo," doi=%d", doi)); 566 ND_PRINT((ndo," situation=%u", (u_int32_t)ntohl(sa.sit))); 567 return (u_char *)(p + 1); 568 } 569 570 ND_PRINT((ndo," doi=ipsec")); 571 ND_PRINT((ndo," situation=")); 572 t = 0; 573 if (sit & 0x01) { 574 ND_PRINT((ndo,"identity")); 575 t++; 576 } 577 if (sit & 0x02) { 578 ND_PRINT((ndo,"%ssecrecy", t ? "+" : "")); 579 t++; 580 } 581 if (sit & 0x04) 582 ND_PRINT((ndo,"%sintegrity", t ? "+" : "")); 583 584 np = (u_char *)ext + sizeof(sa); 585 if (sit != 0x01) { 586 ND_TCHECK2(*(ext + 1), sizeof(ident)); 587 safememcpy(&ident, ext + 1, sizeof(ident)); 588 ND_PRINT((ndo," ident=%u", (u_int32_t)ntohl(ident))); 589 np += sizeof(ident); 590 } 591 592 ext = (struct isakmp_gen *)np; 593 ND_TCHECK(*ext); 594 595 cp = ikev1_sub_print(ndo, ISAKMP_NPTYPE_P, ext, ep, phase, doi, proto0, 596 depth); 597 598 return cp; 599 trunc: 600 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_SA))); 601 return NULL; 602 } 603 604 static const u_char * 605 ikev1_p_print(netdissect_options *ndo, u_char tpay _U_, 606 const struct isakmp_gen *ext, u_int item_len _U_, 607 const u_char *ep, u_int32_t phase, u_int32_t doi0, 608 u_int32_t proto0 _U_, int depth) 609 { 610 const struct ikev1_pl_p *p; 611 struct ikev1_pl_p prop; 612 const u_char *cp; 613 614 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_P))); 615 616 p = (struct ikev1_pl_p *)ext; 617 ND_TCHECK(*p); 618 safememcpy(&prop, ext, sizeof(prop)); 619 ND_PRINT((ndo," #%d protoid=%s transform=%d", 620 prop.p_no, PROTOIDSTR(prop.prot_id), prop.num_t)); 621 if (prop.spi_size) { 622 ND_PRINT((ndo," spi=")); 623 if (!rawprint(ndo, (caddr_t)(p + 1), prop.spi_size)) 624 goto trunc; 625 } 626 627 ext = (struct isakmp_gen *)((u_char *)(p + 1) + prop.spi_size); 628 ND_TCHECK(*ext); 629 630 cp = ikev1_sub_print(ndo, ISAKMP_NPTYPE_T, ext, ep, phase, doi0, 631 prop.prot_id, depth); 632 633 return cp; 634 trunc: 635 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_P))); 636 return NULL; 637 } 638 639 static const char *ikev1_p_map[] = { 640 NULL, "ike", 641 }; 642 643 static const char *ikev2_t_type_map[]={ 644 NULL, "encr", "prf", "integ", "dh", "esn" 645 }; 646 647 static const char *ah_p_map[] = { 648 NULL, "(reserved)", "md5", "sha", "1des", 649 "sha2-256", "sha2-384", "sha2-512", 650 }; 651 652 static const char *prf_p_map[] = { 653 NULL, "hmac-md5", "hmac-sha", "hmac-tiger", 654 "aes128_xcbc" 655 }; 656 657 static const char *integ_p_map[] = { 658 NULL, "hmac-md5", "hmac-sha", "dec-mac", 659 "kpdk-md5", "aes-xcbc" 660 }; 661 662 static const char *esn_p_map[] = { 663 "no-esn", "esn" 664 }; 665 666 static const char *dh_p_map[] = { 667 NULL, "modp768", 668 "modp1024", /* group 2 */ 669 "EC2N 2^155", /* group 3 */ 670 "EC2N 2^185", /* group 4 */ 671 "modp1536", /* group 5 */ 672 "iana-grp06", "iana-grp07", /* reserved */ 673 "iana-grp08", "iana-grp09", 674 "iana-grp10", "iana-grp11", 675 "iana-grp12", "iana-grp13", 676 "modp2048", /* group 14 */ 677 "modp3072", /* group 15 */ 678 "modp4096", /* group 16 */ 679 "modp6144", /* group 17 */ 680 "modp8192", /* group 18 */ 681 }; 682 683 static const char *esp_p_map[] = { 684 NULL, "1des-iv64", "1des", "3des", "rc5", "idea", "cast", 685 "blowfish", "3idea", "1des-iv32", "rc4", "null", "aes" 686 }; 687 688 static const char *ipcomp_p_map[] = { 689 NULL, "oui", "deflate", "lzs", 690 }; 691 692 const struct attrmap ipsec_t_map[] = { 693 { NULL, 0, { NULL } }, 694 { "lifetype", 3, { NULL, "sec", "kb", }, }, 695 { "life", 0, { NULL } }, 696 { "group desc", 18, { NULL, "modp768", 697 "modp1024", /* group 2 */ 698 "EC2N 2^155", /* group 3 */ 699 "EC2N 2^185", /* group 4 */ 700 "modp1536", /* group 5 */ 701 "iana-grp06", "iana-grp07", /* reserved */ 702 "iana-grp08", "iana-grp09", 703 "iana-grp10", "iana-grp11", 704 "iana-grp12", "iana-grp13", 705 "modp2048", /* group 14 */ 706 "modp3072", /* group 15 */ 707 "modp4096", /* group 16 */ 708 "modp6144", /* group 17 */ 709 "modp8192", /* group 18 */ 710 }, }, 711 { "enc mode", 3, { NULL, "tunnel", "transport", }, }, 712 { "auth", 5, { NULL, "hmac-md5", "hmac-sha1", "1des-mac", "keyed", }, }, 713 { "keylen", 0, { NULL } }, 714 { "rounds", 0, { NULL } }, 715 { "dictsize", 0, { NULL } }, 716 { "privalg", 0, { NULL } }, 717 }; 718 719 const struct attrmap encr_t_map[] = { 720 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 0, 1 */ 721 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 2, 3 */ 722 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 4, 5 */ 723 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 6, 7 */ 724 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 8, 9 */ 725 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 10,11*/ 726 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 12,13*/ 727 { "keylen", 14, { NULL }}, 728 }; 729 730 const struct attrmap oakley_t_map[] = { 731 { NULL, 0, { NULL } }, 732 { "enc", 8, { NULL, "1des", "idea", "blowfish", "rc5", 733 "3des", "cast", "aes", }, }, 734 { "hash", 7, { NULL, "md5", "sha1", "tiger", 735 "sha2-256", "sha2-384", "sha2-512", }, }, 736 { "auth", 6, { NULL, "preshared", "dss", "rsa sig", "rsa enc", 737 "rsa enc revised", }, }, 738 { "group desc", 18, { NULL, "modp768", 739 "modp1024", /* group 2 */ 740 "EC2N 2^155", /* group 3 */ 741 "EC2N 2^185", /* group 4 */ 742 "modp1536", /* group 5 */ 743 "iana-grp06", "iana-grp07", /* reserved */ 744 "iana-grp08", "iana-grp09", 745 "iana-grp10", "iana-grp11", 746 "iana-grp12", "iana-grp13", 747 "modp2048", /* group 14 */ 748 "modp3072", /* group 15 */ 749 "modp4096", /* group 16 */ 750 "modp6144", /* group 17 */ 751 "modp8192", /* group 18 */ 752 }, }, 753 { "group type", 4, { NULL, "MODP", "ECP", "EC2N", }, }, 754 { "group prime", 0, { NULL } }, 755 { "group gen1", 0, { NULL } }, 756 { "group gen2", 0, { NULL } }, 757 { "group curve A", 0, { NULL } }, 758 { "group curve B", 0, { NULL } }, 759 { "lifetype", 3, { NULL, "sec", "kb", }, }, 760 { "lifeduration", 0, { NULL } }, 761 { "prf", 0, { NULL } }, 762 { "keylen", 0, { NULL } }, 763 { "field", 0, { NULL } }, 764 { "order", 0, { NULL } }, 765 }; 766 767 static const u_char * 768 ikev1_t_print(netdissect_options *ndo, u_char tpay _U_, 769 const struct isakmp_gen *ext, u_int item_len, 770 const u_char *ep, u_int32_t phase _U_, u_int32_t doi _U_, 771 u_int32_t proto, int depth _U_) 772 { 773 const struct ikev1_pl_t *p; 774 struct ikev1_pl_t t; 775 const u_char *cp; 776 const char *idstr; 777 const struct attrmap *map; 778 size_t nmap; 779 const u_char *ep2; 780 781 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_T))); 782 783 p = (struct ikev1_pl_t *)ext; 784 ND_TCHECK(*p); 785 safememcpy(&t, ext, sizeof(t)); 786 787 switch (proto) { 788 case 1: 789 idstr = STR_OR_ID(t.t_id, ikev1_p_map); 790 map = oakley_t_map; 791 nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]); 792 break; 793 case 2: 794 idstr = STR_OR_ID(t.t_id, ah_p_map); 795 map = ipsec_t_map; 796 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]); 797 break; 798 case 3: 799 idstr = STR_OR_ID(t.t_id, esp_p_map); 800 map = ipsec_t_map; 801 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]); 802 break; 803 case 4: 804 idstr = STR_OR_ID(t.t_id, ipcomp_p_map); 805 map = ipsec_t_map; 806 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]); 807 break; 808 default: 809 idstr = NULL; 810 map = NULL; 811 nmap = 0; 812 break; 813 } 814 815 if (idstr) 816 ND_PRINT((ndo," #%d id=%s ", t.t_no, idstr)); 817 else 818 ND_PRINT((ndo," #%d id=%d ", t.t_no, t.t_id)); 819 cp = (u_char *)(p + 1); 820 ep2 = (u_char *)p + item_len; 821 while (cp < ep && cp < ep2) { 822 if (map && nmap) { 823 cp = ikev1_attrmap_print(ndo, cp, (ep < ep2) ? ep : ep2, 824 map, nmap); 825 } else 826 cp = ikev1_attr_print(ndo, cp, (ep < ep2) ? ep : ep2); 827 } 828 if (ep < ep2) 829 ND_PRINT((ndo,"...")); 830 return cp; 831 trunc: 832 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_T))); 833 return NULL; 834 } 835 836 static const u_char * 837 ikev1_ke_print(netdissect_options *ndo, u_char tpay _U_, 838 const struct isakmp_gen *ext, u_int item_len _U_, 839 const u_char *ep _U_, u_int32_t phase _U_, u_int32_t doi _U_, 840 u_int32_t proto _U_, int depth _U_) 841 { 842 struct isakmp_gen e; 843 844 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_KE))); 845 846 ND_TCHECK(*ext); 847 safememcpy(&e, ext, sizeof(e)); 848 ND_PRINT((ndo," key len=%d", ntohs(e.len) - 4)); 849 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) { 850 ND_PRINT((ndo," ")); 851 if (!rawprint(ndo, (caddr_t)(ext + 1), ntohs(e.len) - 4)) 852 goto trunc; 853 } 854 return (u_char *)ext + ntohs(e.len); 855 trunc: 856 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_KE))); 857 return NULL; 858 } 859 860 static const u_char * 861 ikev1_id_print(netdissect_options *ndo, u_char tpay _U_, 862 const struct isakmp_gen *ext, u_int item_len _U_, 863 const u_char *ep _U_, u_int32_t phase, u_int32_t doi _U_, 864 u_int32_t proto _U_, int depth _U_) 865 { 866 #define USE_IPSECDOI_IN_PHASE1 1 867 const struct ikev1_pl_id *p; 868 struct ikev1_pl_id id; 869 static const char *idtypestr[] = { 870 "IPv4", "IPv4net", "IPv6", "IPv6net", 871 }; 872 static const char *ipsecidtypestr[] = { 873 NULL, "IPv4", "FQDN", "user FQDN", "IPv4net", "IPv6", 874 "IPv6net", "IPv4range", "IPv6range", "ASN1 DN", "ASN1 GN", 875 "keyid", 876 }; 877 int len; 878 const u_char *data; 879 880 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_ID))); 881 882 p = (struct ikev1_pl_id *)ext; 883 ND_TCHECK(*p); 884 safememcpy(&id, ext, sizeof(id)); 885 if (sizeof(*p) < item_len) { 886 data = (u_char *)(p + 1); 887 len = item_len - sizeof(*p); 888 } else { 889 data = NULL; 890 len = 0; 891 } 892 893 #if 0 /*debug*/ 894 ND_PRINT((ndo," [phase=%d doi=%d proto=%d]", phase, doi, proto)); 895 #endif 896 switch (phase) { 897 #ifndef USE_IPSECDOI_IN_PHASE1 898 case 1: 899 #endif 900 default: 901 ND_PRINT((ndo," idtype=%s", STR_OR_ID(id.d.id_type, idtypestr))); 902 ND_PRINT((ndo," doi_data=%u", 903 (u_int32_t)(ntohl(id.d.doi_data) & 0xffffff))); 904 break; 905 906 #ifdef USE_IPSECDOI_IN_PHASE1 907 case 1: 908 #endif 909 case 2: 910 { 911 const struct ipsecdoi_id *p; 912 struct ipsecdoi_id id; 913 struct protoent *pe; 914 915 p = (struct ipsecdoi_id *)ext; 916 ND_TCHECK(*p); 917 safememcpy(&id, ext, sizeof(id)); 918 ND_PRINT((ndo," idtype=%s", STR_OR_ID(id.type, ipsecidtypestr))); 919 if (id.proto_id) { 920 #ifndef WIN32 921 setprotoent(1); 922 #endif /* WIN32 */ 923 pe = getprotobynumber(id.proto_id); 924 if (pe) 925 ND_PRINT((ndo," protoid=%s", pe->p_name)); 926 #ifndef WIN32 927 endprotoent(); 928 #endif /* WIN32 */ 929 } else { 930 /* it DOES NOT mean IPPROTO_IP! */ 931 ND_PRINT((ndo," protoid=%s", "0")); 932 } 933 ND_PRINT((ndo," port=%d", ntohs(id.port))); 934 if (!len) 935 break; 936 if (data == NULL) 937 goto trunc; 938 ND_TCHECK2(*data, len); 939 switch (id.type) { 940 case IPSECDOI_ID_IPV4_ADDR: 941 if (len < 4) 942 ND_PRINT((ndo," len=%d [bad: < 4]", len)); 943 else 944 ND_PRINT((ndo," len=%d %s", len, ipaddr_string(data))); 945 len = 0; 946 break; 947 case IPSECDOI_ID_FQDN: 948 case IPSECDOI_ID_USER_FQDN: 949 { 950 int i; 951 ND_PRINT((ndo," len=%d ", len)); 952 for (i = 0; i < len; i++) 953 safeputchar(data[i]); 954 len = 0; 955 break; 956 } 957 case IPSECDOI_ID_IPV4_ADDR_SUBNET: 958 { 959 const u_char *mask; 960 if (len < 8) 961 ND_PRINT((ndo," len=%d [bad: < 8]", len)); 962 else { 963 mask = data + sizeof(struct in_addr); 964 ND_PRINT((ndo," len=%d %s/%u.%u.%u.%u", len, 965 ipaddr_string(data), 966 mask[0], mask[1], mask[2], mask[3])); 967 } 968 len = 0; 969 break; 970 } 971 #ifdef INET6 972 case IPSECDOI_ID_IPV6_ADDR: 973 if (len < 16) 974 ND_PRINT((ndo," len=%d [bad: < 16]", len)); 975 else 976 ND_PRINT((ndo," len=%d %s", len, ip6addr_string(data))); 977 len = 0; 978 break; 979 case IPSECDOI_ID_IPV6_ADDR_SUBNET: 980 { 981 const u_int32_t *mask; 982 if (len < 20) 983 ND_PRINT((ndo," len=%d [bad: < 20]", len)); 984 else { 985 mask = (u_int32_t *)(data + sizeof(struct in6_addr)); 986 /*XXX*/ 987 ND_PRINT((ndo," len=%d %s/0x%08x%08x%08x%08x", len, 988 ip6addr_string(data), 989 mask[0], mask[1], mask[2], mask[3])); 990 } 991 len = 0; 992 break; 993 } 994 #endif /*INET6*/ 995 case IPSECDOI_ID_IPV4_ADDR_RANGE: 996 if (len < 8) 997 ND_PRINT((ndo," len=%d [bad: < 8]", len)); 998 else { 999 ND_PRINT((ndo," len=%d %s-%s", len, 1000 ipaddr_string(data), 1001 ipaddr_string(data + sizeof(struct in_addr)))); 1002 } 1003 len = 0; 1004 break; 1005 #ifdef INET6 1006 case IPSECDOI_ID_IPV6_ADDR_RANGE: 1007 if (len < 32) 1008 ND_PRINT((ndo," len=%d [bad: < 32]", len)); 1009 else { 1010 ND_PRINT((ndo," len=%d %s-%s", len, 1011 ip6addr_string(data), 1012 ip6addr_string(data + sizeof(struct in6_addr)))); 1013 } 1014 len = 0; 1015 break; 1016 #endif /*INET6*/ 1017 case IPSECDOI_ID_DER_ASN1_DN: 1018 case IPSECDOI_ID_DER_ASN1_GN: 1019 case IPSECDOI_ID_KEY_ID: 1020 break; 1021 } 1022 break; 1023 } 1024 } 1025 if (data && len) { 1026 ND_PRINT((ndo," len=%d", len)); 1027 if (2 < ndo->ndo_vflag) { 1028 ND_PRINT((ndo," ")); 1029 if (!rawprint(ndo, (caddr_t)data, len)) 1030 goto trunc; 1031 } 1032 } 1033 return (u_char *)ext + item_len; 1034 trunc: 1035 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_ID))); 1036 return NULL; 1037 } 1038 1039 static const u_char * 1040 ikev1_cert_print(netdissect_options *ndo, u_char tpay _U_, 1041 const struct isakmp_gen *ext, u_int item_len _U_, 1042 const u_char *ep _U_, u_int32_t phase _U_, 1043 u_int32_t doi0 _U_, 1044 u_int32_t proto0 _U_, int depth _U_) 1045 { 1046 const struct ikev1_pl_cert *p; 1047 struct ikev1_pl_cert cert; 1048 static const char *certstr[] = { 1049 "none", "pkcs7", "pgp", "dns", 1050 "x509sign", "x509ke", "kerberos", "crl", 1051 "arl", "spki", "x509attr", 1052 }; 1053 1054 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_CERT))); 1055 1056 p = (struct ikev1_pl_cert *)ext; 1057 ND_TCHECK(*p); 1058 safememcpy(&cert, ext, sizeof(cert)); 1059 ND_PRINT((ndo," len=%d", item_len - 4)); 1060 ND_PRINT((ndo," type=%s", STR_OR_ID((cert.encode), certstr))); 1061 if (2 < ndo->ndo_vflag && 4 < item_len) { 1062 ND_PRINT((ndo," ")); 1063 if (!rawprint(ndo, (caddr_t)(ext + 1), item_len - 4)) 1064 goto trunc; 1065 } 1066 return (u_char *)ext + item_len; 1067 trunc: 1068 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_CERT))); 1069 return NULL; 1070 } 1071 1072 static const u_char * 1073 ikev1_cr_print(netdissect_options *ndo, u_char tpay _U_, 1074 const struct isakmp_gen *ext, u_int item_len _U_, 1075 const u_char *ep _U_, u_int32_t phase _U_, u_int32_t doi0 _U_, 1076 u_int32_t proto0 _U_, int depth _U_) 1077 { 1078 const struct ikev1_pl_cert *p; 1079 struct ikev1_pl_cert cert; 1080 static const char *certstr[] = { 1081 "none", "pkcs7", "pgp", "dns", 1082 "x509sign", "x509ke", "kerberos", "crl", 1083 "arl", "spki", "x509attr", 1084 }; 1085 1086 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_CR))); 1087 1088 p = (struct ikev1_pl_cert *)ext; 1089 ND_TCHECK(*p); 1090 safememcpy(&cert, ext, sizeof(cert)); 1091 ND_PRINT((ndo," len=%d", item_len - 4)); 1092 ND_PRINT((ndo," type=%s", STR_OR_ID((cert.encode), certstr))); 1093 if (2 < ndo->ndo_vflag && 4 < item_len) { 1094 ND_PRINT((ndo," ")); 1095 if (!rawprint(ndo, (caddr_t)(ext + 1), item_len - 4)) 1096 goto trunc; 1097 } 1098 return (u_char *)ext + item_len; 1099 trunc: 1100 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_CR))); 1101 return NULL; 1102 } 1103 1104 static const u_char * 1105 ikev1_hash_print(netdissect_options *ndo, u_char tpay _U_, 1106 const struct isakmp_gen *ext, u_int item_len _U_, 1107 const u_char *ep _U_, u_int32_t phase _U_, u_int32_t doi _U_, 1108 u_int32_t proto _U_, int depth _U_) 1109 { 1110 struct isakmp_gen e; 1111 1112 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_HASH))); 1113 1114 ND_TCHECK(*ext); 1115 safememcpy(&e, ext, sizeof(e)); 1116 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4)); 1117 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) { 1118 ND_PRINT((ndo," ")); 1119 if (!rawprint(ndo, (caddr_t)(ext + 1), ntohs(e.len) - 4)) 1120 goto trunc; 1121 } 1122 return (u_char *)ext + ntohs(e.len); 1123 trunc: 1124 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_HASH))); 1125 return NULL; 1126 } 1127 1128 static const u_char * 1129 ikev1_sig_print(netdissect_options *ndo, u_char tpay _U_, 1130 const struct isakmp_gen *ext, u_int item_len _U_, 1131 const u_char *ep _U_, u_int32_t phase _U_, u_int32_t doi _U_, 1132 u_int32_t proto _U_, int depth _U_) 1133 { 1134 struct isakmp_gen e; 1135 1136 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_SIG))); 1137 1138 ND_TCHECK(*ext); 1139 safememcpy(&e, ext, sizeof(e)); 1140 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4)); 1141 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) { 1142 ND_PRINT((ndo," ")); 1143 if (!rawprint(ndo, (caddr_t)(ext + 1), ntohs(e.len) - 4)) 1144 goto trunc; 1145 } 1146 return (u_char *)ext + ntohs(e.len); 1147 trunc: 1148 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_SIG))); 1149 return NULL; 1150 } 1151 1152 static const u_char * 1153 ikev1_nonce_print(netdissect_options *ndo, u_char tpay _U_, 1154 const struct isakmp_gen *ext, 1155 u_int item_len _U_, 1156 const u_char *ep _U_, 1157 u_int32_t phase _U_, u_int32_t doi _U_, 1158 u_int32_t proto _U_, int depth _U_) 1159 { 1160 struct isakmp_gen e; 1161 1162 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_NONCE))); 1163 1164 ND_TCHECK(*ext); 1165 safememcpy(&e, ext, sizeof(e)); 1166 ND_PRINT((ndo," n len=%d", ntohs(e.len) - 4)); 1167 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) { 1168 ND_PRINT((ndo," ")); 1169 if (!rawprint(ndo, (caddr_t)(ext + 1), ntohs(e.len) - 4)) 1170 goto trunc; 1171 } else if (1 < ndo->ndo_vflag && 4 < ntohs(e.len)) { 1172 ND_PRINT((ndo," ")); 1173 if (!ike_show_somedata(ndo, (u_char *)(caddr_t)(ext + 1), ep)) 1174 goto trunc; 1175 } 1176 return (u_char *)ext + ntohs(e.len); 1177 trunc: 1178 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_NONCE))); 1179 return NULL; 1180 } 1181 1182 static const u_char * 1183 ikev1_n_print(netdissect_options *ndo, u_char tpay _U_, 1184 const struct isakmp_gen *ext, u_int item_len, 1185 const u_char *ep, u_int32_t phase, u_int32_t doi0 _U_, 1186 u_int32_t proto0 _U_, int depth) 1187 { 1188 struct ikev1_pl_n *p, n; 1189 const u_char *cp; 1190 u_char *ep2; 1191 u_int32_t doi; 1192 u_int32_t proto; 1193 static const char *notify_error_str[] = { 1194 NULL, "INVALID-PAYLOAD-TYPE", 1195 "DOI-NOT-SUPPORTED", "SITUATION-NOT-SUPPORTED", 1196 "INVALID-COOKIE", "INVALID-MAJOR-VERSION", 1197 "INVALID-MINOR-VERSION", "INVALID-EXCHANGE-TYPE", 1198 "INVALID-FLAGS", "INVALID-MESSAGE-ID", 1199 "INVALID-PROTOCOL-ID", "INVALID-SPI", 1200 "INVALID-TRANSFORM-ID", "ATTRIBUTES-NOT-SUPPORTED", 1201 "NO-PROPOSAL-CHOSEN", "BAD-PROPOSAL-SYNTAX", 1202 "PAYLOAD-MALFORMED", "INVALID-KEY-INFORMATION", 1203 "INVALID-ID-INFORMATION", "INVALID-CERT-ENCODING", 1204 "INVALID-CERTIFICATE", "CERT-TYPE-UNSUPPORTED", 1205 "INVALID-CERT-AUTHORITY", "INVALID-HASH-INFORMATION", 1206 "AUTHENTICATION-FAILED", "INVALID-SIGNATURE", 1207 "ADDRESS-NOTIFICATION", "NOTIFY-SA-LIFETIME", 1208 "CERTIFICATE-UNAVAILABLE", "UNSUPPORTED-EXCHANGE-TYPE", 1209 "UNEQUAL-PAYLOAD-LENGTHS", 1210 }; 1211 static const char *ipsec_notify_error_str[] = { 1212 "RESERVED", 1213 }; 1214 static const char *notify_status_str[] = { 1215 "CONNECTED", 1216 }; 1217 static const char *ipsec_notify_status_str[] = { 1218 "RESPONDER-LIFETIME", "REPLAY-STATUS", 1219 "INITIAL-CONTACT", 1220 }; 1221 /* NOTE: these macro must be called with x in proper range */ 1222 1223 /* 0 - 8191 */ 1224 #define NOTIFY_ERROR_STR(x) \ 1225 STR_OR_ID((x), notify_error_str) 1226 1227 /* 8192 - 16383 */ 1228 #define IPSEC_NOTIFY_ERROR_STR(x) \ 1229 STR_OR_ID((u_int)((x) - 8192), ipsec_notify_error_str) 1230 1231 /* 16384 - 24575 */ 1232 #define NOTIFY_STATUS_STR(x) \ 1233 STR_OR_ID((u_int)((x) - 16384), notify_status_str) 1234 1235 /* 24576 - 32767 */ 1236 #define IPSEC_NOTIFY_STATUS_STR(x) \ 1237 STR_OR_ID((u_int)((x) - 24576), ipsec_notify_status_str) 1238 1239 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_N))); 1240 1241 p = (struct ikev1_pl_n *)ext; 1242 ND_TCHECK(*p); 1243 safememcpy(&n, ext, sizeof(n)); 1244 doi = ntohl(n.doi); 1245 proto = n.prot_id; 1246 if (doi != 1) { 1247 ND_PRINT((ndo," doi=%d", doi)); 1248 ND_PRINT((ndo," proto=%d", proto)); 1249 if (ntohs(n.type) < 8192) 1250 ND_PRINT((ndo," type=%s", NOTIFY_ERROR_STR(ntohs(n.type)))); 1251 else if (ntohs(n.type) < 16384) 1252 ND_PRINT((ndo," type=%s", numstr(ntohs(n.type)))); 1253 else if (ntohs(n.type) < 24576) 1254 ND_PRINT((ndo," type=%s", NOTIFY_STATUS_STR(ntohs(n.type)))); 1255 else 1256 ND_PRINT((ndo," type=%s", numstr(ntohs(n.type)))); 1257 if (n.spi_size) { 1258 ND_PRINT((ndo," spi=")); 1259 if (!rawprint(ndo, (caddr_t)(p + 1), n.spi_size)) 1260 goto trunc; 1261 } 1262 return (u_char *)(p + 1) + n.spi_size; 1263 } 1264 1265 ND_PRINT((ndo," doi=ipsec")); 1266 ND_PRINT((ndo," proto=%s", PROTOIDSTR(proto))); 1267 if (ntohs(n.type) < 8192) 1268 ND_PRINT((ndo," type=%s", NOTIFY_ERROR_STR(ntohs(n.type)))); 1269 else if (ntohs(n.type) < 16384) 1270 ND_PRINT((ndo," type=%s", IPSEC_NOTIFY_ERROR_STR(ntohs(n.type)))); 1271 else if (ntohs(n.type) < 24576) 1272 ND_PRINT((ndo," type=%s", NOTIFY_STATUS_STR(ntohs(n.type)))); 1273 else if (ntohs(n.type) < 32768) 1274 ND_PRINT((ndo," type=%s", IPSEC_NOTIFY_STATUS_STR(ntohs(n.type)))); 1275 else 1276 ND_PRINT((ndo," type=%s", numstr(ntohs(n.type)))); 1277 if (n.spi_size) { 1278 ND_PRINT((ndo," spi=")); 1279 if (!rawprint(ndo, (caddr_t)(p + 1), n.spi_size)) 1280 goto trunc; 1281 } 1282 1283 cp = (u_char *)(p + 1) + n.spi_size; 1284 ep2 = (u_char *)p + item_len; 1285 1286 if (cp < ep) { 1287 ND_PRINT((ndo," orig=(")); 1288 switch (ntohs(n.type)) { 1289 case IPSECDOI_NTYPE_RESPONDER_LIFETIME: 1290 { 1291 const struct attrmap *map = oakley_t_map; 1292 size_t nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]); 1293 while (cp < ep && cp < ep2) { 1294 cp = ikev1_attrmap_print(ndo, cp, 1295 (ep < ep2) ? ep : ep2, map, nmap); 1296 } 1297 break; 1298 } 1299 case IPSECDOI_NTYPE_REPLAY_STATUS: 1300 ND_PRINT((ndo,"replay detection %sabled", 1301 (*(u_int32_t *)cp) ? "en" : "dis")); 1302 break; 1303 case ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN: 1304 if (ikev1_sub_print(ndo, ISAKMP_NPTYPE_SA, 1305 (struct isakmp_gen *)cp, ep, phase, doi, proto, 1306 depth) == NULL) 1307 return NULL; 1308 break; 1309 default: 1310 /* NULL is dummy */ 1311 isakmp_print(ndo, cp, 1312 item_len - sizeof(*p) - n.spi_size, 1313 NULL); 1314 } 1315 ND_PRINT((ndo,")")); 1316 } 1317 return (u_char *)ext + item_len; 1318 trunc: 1319 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_N))); 1320 return NULL; 1321 } 1322 1323 static const u_char * 1324 ikev1_d_print(netdissect_options *ndo, u_char tpay _U_, 1325 const struct isakmp_gen *ext, u_int item_len _U_, 1326 const u_char *ep _U_, u_int32_t phase _U_, u_int32_t doi0 _U_, 1327 u_int32_t proto0 _U_, int depth _U_) 1328 { 1329 const struct ikev1_pl_d *p; 1330 struct ikev1_pl_d d; 1331 const u_int8_t *q; 1332 u_int32_t doi; 1333 u_int32_t proto; 1334 int i; 1335 1336 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_D))); 1337 1338 p = (struct ikev1_pl_d *)ext; 1339 ND_TCHECK(*p); 1340 safememcpy(&d, ext, sizeof(d)); 1341 doi = ntohl(d.doi); 1342 proto = d.prot_id; 1343 if (doi != 1) { 1344 ND_PRINT((ndo," doi=%u", doi)); 1345 ND_PRINT((ndo," proto=%u", proto)); 1346 } else { 1347 ND_PRINT((ndo," doi=ipsec")); 1348 ND_PRINT((ndo," proto=%s", PROTOIDSTR(proto))); 1349 } 1350 ND_PRINT((ndo," spilen=%u", d.spi_size)); 1351 ND_PRINT((ndo," nspi=%u", ntohs(d.num_spi))); 1352 ND_PRINT((ndo," spi=")); 1353 q = (u_int8_t *)(p + 1); 1354 for (i = 0; i < ntohs(d.num_spi); i++) { 1355 if (i != 0) 1356 ND_PRINT((ndo,",")); 1357 if (!rawprint(ndo, (caddr_t)q, d.spi_size)) 1358 goto trunc; 1359 q += d.spi_size; 1360 } 1361 return q; 1362 trunc: 1363 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_D))); 1364 return NULL; 1365 } 1366 1367 static const u_char * 1368 ikev1_vid_print(netdissect_options *ndo, u_char tpay _U_, 1369 const struct isakmp_gen *ext, 1370 u_int item_len _U_, const u_char *ep _U_, 1371 u_int32_t phase _U_, u_int32_t doi _U_, 1372 u_int32_t proto _U_, int depth _U_) 1373 { 1374 struct isakmp_gen e; 1375 1376 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_VID))); 1377 1378 ND_TCHECK(*ext); 1379 safememcpy(&e, ext, sizeof(e)); 1380 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4)); 1381 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) { 1382 ND_PRINT((ndo," ")); 1383 if (!rawprint(ndo, (caddr_t)(ext + 1), ntohs(e.len) - 4)) 1384 goto trunc; 1385 } 1386 return (u_char *)ext + ntohs(e.len); 1387 trunc: 1388 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_VID))); 1389 return NULL; 1390 } 1391 1392 /************************************************************/ 1393 /* */ 1394 /* IKE v2 - rfc4306 - dissector */ 1395 /* */ 1396 /************************************************************/ 1397 1398 static void 1399 ikev2_pay_print(netdissect_options *ndo, const char *payname, int critical) 1400 { 1401 ND_PRINT((ndo,"%s%s:", payname, critical&0x80 ? "[C]" : "")); 1402 } 1403 1404 static const u_char * 1405 ikev2_gen_print(netdissect_options *ndo, u_char tpay, 1406 const struct isakmp_gen *ext) 1407 { 1408 struct isakmp_gen e; 1409 1410 ND_TCHECK(*ext); 1411 safememcpy(&e, ext, sizeof(e)); 1412 ikev2_pay_print(ndo, NPSTR(tpay), e.critical); 1413 1414 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4)); 1415 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) { 1416 ND_PRINT((ndo," ")); 1417 if (!rawprint(ndo, (caddr_t)(ext + 1), ntohs(e.len) - 4)) 1418 goto trunc; 1419 } 1420 return (u_char *)ext + ntohs(e.len); 1421 trunc: 1422 ND_PRINT((ndo," [|%s]", NPSTR(tpay))); 1423 return NULL; 1424 } 1425 1426 static const u_char * 1427 ikev2_t_print(netdissect_options *ndo, u_char tpay _U_, int pcount, 1428 const struct isakmp_gen *ext, u_int item_len, 1429 const u_char *ep, u_int32_t phase _U_, u_int32_t doi _U_, 1430 u_int32_t proto _U_, int depth _U_) 1431 { 1432 const struct ikev2_t *p; 1433 struct ikev2_t t; 1434 u_int16_t t_id; 1435 const u_char *cp; 1436 const char *idstr; 1437 const struct attrmap *map; 1438 size_t nmap; 1439 const u_char *ep2; 1440 1441 p = (struct ikev2_t *)ext; 1442 ND_TCHECK(*p); 1443 safememcpy(&t, ext, sizeof(t)); 1444 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_T), t.h.critical); 1445 1446 t_id = ntohs(t.t_id); 1447 1448 map = NULL; 1449 nmap = 0; 1450 1451 switch (t.t_type) { 1452 case IV2_T_ENCR: 1453 idstr = STR_OR_ID(t_id, esp_p_map); 1454 map = encr_t_map; 1455 nmap = sizeof(encr_t_map)/sizeof(encr_t_map[0]); 1456 break; 1457 1458 case IV2_T_PRF: 1459 idstr = STR_OR_ID(t_id, prf_p_map); 1460 break; 1461 1462 case IV2_T_INTEG: 1463 idstr = STR_OR_ID(t_id, integ_p_map); 1464 break; 1465 1466 case IV2_T_DH: 1467 idstr = STR_OR_ID(t_id, dh_p_map); 1468 break; 1469 1470 case IV2_T_ESN: 1471 idstr = STR_OR_ID(t_id, esn_p_map); 1472 break; 1473 1474 default: 1475 idstr = NULL; 1476 break; 1477 } 1478 1479 if (idstr) 1480 ND_PRINT((ndo," #%u type=%s id=%s ", pcount, 1481 STR_OR_ID(t.t_type, ikev2_t_type_map), 1482 idstr)); 1483 else 1484 ND_PRINT((ndo," #%u type=%s id=%u ", pcount, 1485 STR_OR_ID(t.t_type, ikev2_t_type_map), 1486 t.t_id)); 1487 cp = (u_char *)(p + 1); 1488 ep2 = (u_char *)p + item_len; 1489 while (cp < ep && cp < ep2) { 1490 if (map && nmap) { 1491 cp = ikev1_attrmap_print(ndo, cp, (ep < ep2) ? ep : ep2, 1492 map, nmap); 1493 } else 1494 cp = ikev1_attr_print(ndo, cp, (ep < ep2) ? ep : ep2); 1495 } 1496 if (ep < ep2) 1497 ND_PRINT((ndo,"...")); 1498 return cp; 1499 trunc: 1500 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_T))); 1501 return NULL; 1502 } 1503 1504 static const u_char * 1505 ikev2_p_print(netdissect_options *ndo, u_char tpay _U_, int pcount _U_, 1506 const struct isakmp_gen *ext, u_int item_len _U_, 1507 const u_char *ep, u_int32_t phase, u_int32_t doi0, 1508 u_int32_t proto0 _U_, int depth) 1509 { 1510 const struct ikev2_p *p; 1511 struct ikev2_p prop; 1512 const u_char *cp; 1513 1514 p = (struct ikev2_p *)ext; 1515 ND_TCHECK(*p); 1516 safememcpy(&prop, ext, sizeof(prop)); 1517 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_P), prop.h.critical); 1518 1519 ND_PRINT((ndo," #%u protoid=%s transform=%d len=%u", 1520 prop.p_no, PROTOIDSTR(prop.prot_id), 1521 prop.num_t, ntohs(prop.h.len))); 1522 if (prop.spi_size) { 1523 ND_PRINT((ndo," spi=")); 1524 if (!rawprint(ndo, (caddr_t)(p + 1), prop.spi_size)) 1525 goto trunc; 1526 } 1527 1528 ext = (struct isakmp_gen *)((u_char *)(p + 1) + prop.spi_size); 1529 ND_TCHECK(*ext); 1530 1531 cp = ikev2_sub_print(ndo, NULL, ISAKMP_NPTYPE_T, ext, ep, phase, doi0, 1532 prop.prot_id, depth); 1533 1534 return cp; 1535 trunc: 1536 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_P))); 1537 return NULL; 1538 } 1539 1540 static const u_char * 1541 ikev2_sa_print(netdissect_options *ndo, u_char tpay, 1542 const struct isakmp_gen *ext1, 1543 u_int item_len _U_, const u_char *ep _U_, 1544 u_int32_t phase _U_, u_int32_t doi _U_, 1545 u_int32_t proto _U_, int depth _U_) 1546 { 1547 struct isakmp_gen e; 1548 int osa_length, sa_length; 1549 1550 ND_TCHECK(*ext1); 1551 safememcpy(&e, ext1, sizeof(e)); 1552 ikev2_pay_print(ndo, "sa", e.critical); 1553 1554 osa_length= ntohs(e.len); 1555 sa_length = osa_length - 4; 1556 ND_PRINT((ndo," len=%d", sa_length)); 1557 1558 ikev2_sub_print(ndo, NULL, ISAKMP_NPTYPE_P, 1559 ext1+1, ep, 1560 0, 0, 0, depth); 1561 1562 return (u_char *)ext1 + osa_length; 1563 trunc: 1564 ND_PRINT((ndo," [|%s]", NPSTR(tpay))); 1565 return NULL; 1566 } 1567 1568 static const u_char * 1569 ikev2_ke_print(netdissect_options *ndo, u_char tpay, 1570 const struct isakmp_gen *ext, 1571 u_int item_len _U_, const u_char *ep _U_, 1572 u_int32_t phase _U_, u_int32_t doi _U_, 1573 u_int32_t proto _U_, int depth _U_) 1574 { 1575 struct ikev2_ke ke; 1576 struct ikev2_ke *k; 1577 1578 k = (struct ikev2_ke *)ext; 1579 ND_TCHECK(*ext); 1580 safememcpy(&ke, ext, sizeof(ke)); 1581 ikev2_pay_print(ndo, NPSTR(tpay), ke.h.critical); 1582 1583 ND_PRINT((ndo," len=%u group=%s", ntohs(ke.h.len) - 8, 1584 STR_OR_ID(ntohs(ke.ke_group), dh_p_map))); 1585 1586 if (2 < ndo->ndo_vflag && 8 < ntohs(ke.h.len)) { 1587 ND_PRINT((ndo," ")); 1588 if (!rawprint(ndo, (caddr_t)(k + 1), ntohs(ke.h.len) - 8)) 1589 goto trunc; 1590 } 1591 return (u_char *)ext + ntohs(ke.h.len); 1592 trunc: 1593 ND_PRINT((ndo," [|%s]", NPSTR(tpay))); 1594 return NULL; 1595 } 1596 1597 static const u_char * 1598 ikev2_ID_print(netdissect_options *ndo, u_char tpay, 1599 const struct isakmp_gen *ext, 1600 u_int item_len _U_, const u_char *ep _U_, 1601 u_int32_t phase _U_, u_int32_t doi _U_, 1602 u_int32_t proto _U_, int depth _U_) 1603 { 1604 struct ikev2_id id; 1605 int id_len, idtype_len, i; 1606 unsigned int dumpascii, dumphex; 1607 unsigned char *typedata; 1608 1609 ND_TCHECK(*ext); 1610 safememcpy(&id, ext, sizeof(id)); 1611 ikev2_pay_print(ndo, NPSTR(tpay), id.h.critical); 1612 1613 id_len = ntohs(id.h.len); 1614 1615 ND_PRINT((ndo," len=%d", id_len - 4)); 1616 if (2 < ndo->ndo_vflag && 4 < id_len) { 1617 ND_PRINT((ndo," ")); 1618 if (!rawprint(ndo, (caddr_t)(ext + 1), id_len - 4)) 1619 goto trunc; 1620 } 1621 1622 idtype_len =id_len - sizeof(struct ikev2_id); 1623 dumpascii = 0; 1624 dumphex = 0; 1625 typedata = (unsigned char *)(ext)+sizeof(struct ikev2_id); 1626 1627 switch(id.type) { 1628 case ID_IPV4_ADDR: 1629 ND_PRINT((ndo, " ipv4:")); 1630 dumphex=1; 1631 break; 1632 case ID_FQDN: 1633 ND_PRINT((ndo, " fqdn:")); 1634 dumpascii=1; 1635 break; 1636 case ID_RFC822_ADDR: 1637 ND_PRINT((ndo, " rfc822:")); 1638 dumpascii=1; 1639 break; 1640 case ID_IPV6_ADDR: 1641 ND_PRINT((ndo, " ipv6:")); 1642 dumphex=1; 1643 break; 1644 case ID_DER_ASN1_DN: 1645 ND_PRINT((ndo, " dn:")); 1646 dumphex=1; 1647 break; 1648 case ID_DER_ASN1_GN: 1649 ND_PRINT((ndo, " gn:")); 1650 dumphex=1; 1651 break; 1652 case ID_KEY_ID: 1653 ND_PRINT((ndo, " keyid:")); 1654 dumphex=1; 1655 break; 1656 } 1657 1658 if(dumpascii) { 1659 ND_TCHECK2(*typedata, idtype_len); 1660 for(i=0; i<idtype_len; i++) { 1661 if(isprint(typedata[i])) { 1662 ND_PRINT((ndo, "%c", typedata[i])); 1663 } else { 1664 ND_PRINT((ndo, ".")); 1665 } 1666 } 1667 } 1668 if(dumphex) { 1669 if (!rawprint(ndo, (caddr_t)typedata, idtype_len)) 1670 goto trunc; 1671 } 1672 1673 return (u_char *)ext + id_len; 1674 trunc: 1675 ND_PRINT((ndo," [|%s]", NPSTR(tpay))); 1676 return NULL; 1677 } 1678 1679 static const u_char * 1680 ikev2_cert_print(netdissect_options *ndo, u_char tpay, 1681 const struct isakmp_gen *ext, 1682 u_int item_len _U_, const u_char *ep _U_, 1683 u_int32_t phase _U_, u_int32_t doi _U_, 1684 u_int32_t proto _U_, int depth _U_) 1685 { 1686 return ikev2_gen_print(ndo, tpay, ext); 1687 } 1688 1689 static const u_char * 1690 ikev2_cr_print(netdissect_options *ndo, u_char tpay, 1691 const struct isakmp_gen *ext, 1692 u_int item_len _U_, const u_char *ep _U_, 1693 u_int32_t phase _U_, u_int32_t doi _U_, 1694 u_int32_t proto _U_, int depth _U_) 1695 { 1696 return ikev2_gen_print(ndo, tpay, ext); 1697 } 1698 1699 static const u_char * 1700 ikev2_auth_print(netdissect_options *ndo, u_char tpay, 1701 const struct isakmp_gen *ext, 1702 u_int item_len _U_, const u_char *ep _U_, 1703 u_int32_t phase _U_, u_int32_t doi _U_, 1704 u_int32_t proto _U_, int depth _U_) 1705 { 1706 struct ikev2_auth a; 1707 const char *v2_auth[]={ "invalid", "rsasig", 1708 "shared-secret", "dsssig" }; 1709 u_char *authdata = (u_char*)ext + sizeof(a); 1710 unsigned int len; 1711 1712 ND_TCHECK(*ext); 1713 safememcpy(&a, ext, sizeof(a)); 1714 ikev2_pay_print(ndo, NPSTR(tpay), a.h.critical); 1715 len = ntohs(a.h.len); 1716 1717 ND_PRINT((ndo," len=%d method=%s", len-4, 1718 STR_OR_ID(a.auth_method, v2_auth))); 1719 1720 if (1 < ndo->ndo_vflag && 4 < len) { 1721 ND_PRINT((ndo," authdata=(")); 1722 if (!rawprint(ndo, (caddr_t)authdata, len - sizeof(a))) 1723 goto trunc; 1724 ND_PRINT((ndo,") ")); 1725 } else if(ndo->ndo_vflag && 4 < len) { 1726 if(!ike_show_somedata(ndo, authdata, ep)) goto trunc; 1727 } 1728 1729 return (u_char *)ext + len; 1730 trunc: 1731 ND_PRINT((ndo," [|%s]", NPSTR(tpay))); 1732 return NULL; 1733 } 1734 1735 static const u_char * 1736 ikev2_nonce_print(netdissect_options *ndo, u_char tpay, 1737 const struct isakmp_gen *ext, 1738 u_int item_len _U_, const u_char *ep _U_, 1739 u_int32_t phase _U_, u_int32_t doi _U_, 1740 u_int32_t proto _U_, int depth _U_) 1741 { 1742 struct isakmp_gen e; 1743 1744 ND_TCHECK(*ext); 1745 safememcpy(&e, ext, sizeof(e)); 1746 ikev2_pay_print(ndo, "nonce", e.critical); 1747 1748 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4)); 1749 if (1 < ndo->ndo_vflag && 4 < ntohs(e.len)) { 1750 ND_PRINT((ndo," nonce=(")); 1751 if (!rawprint(ndo, (caddr_t)(ext + 1), ntohs(e.len) - 4)) 1752 goto trunc; 1753 ND_PRINT((ndo,") ")); 1754 } else if(ndo->ndo_vflag && 4 < ntohs(e.len)) { 1755 if(!ike_show_somedata(ndo, (const u_char *)(ext+1), ep)) goto trunc; 1756 } 1757 1758 return (u_char *)ext + ntohs(e.len); 1759 trunc: 1760 ND_PRINT((ndo," [|%s]", NPSTR(tpay))); 1761 return NULL; 1762 } 1763 1764 /* notify payloads */ 1765 static const u_char * 1766 ikev2_n_print(netdissect_options *ndo, u_char tpay _U_, 1767 const struct isakmp_gen *ext, 1768 u_int item_len _U_, const u_char *ep _U_, 1769 u_int32_t phase _U_, u_int32_t doi _U_, 1770 u_int32_t proto _U_, int depth _U_) 1771 { 1772 struct ikev2_n *p, n; 1773 const u_char *cp; 1774 u_char showspi, showdata, showsomedata; 1775 const char *notify_name; 1776 u_int32_t type; 1777 1778 p = (struct ikev2_n *)ext; 1779 ND_TCHECK(*p); 1780 safememcpy(&n, ext, sizeof(n)); 1781 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_N), n.h.critical); 1782 1783 showspi = 1; 1784 showdata = 0; 1785 showsomedata=0; 1786 notify_name=NULL; 1787 1788 ND_PRINT((ndo," prot_id=%s", PROTOIDSTR(n.prot_id))); 1789 1790 type = ntohs(n.type); 1791 1792 /* notify space is annoying sparse */ 1793 switch(type) { 1794 case IV2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD: 1795 notify_name = "unsupported_critical_payload"; 1796 showspi = 0; 1797 break; 1798 1799 case IV2_NOTIFY_INVALID_IKE_SPI: 1800 notify_name = "invalid_ike_spi"; 1801 showspi = 1; 1802 break; 1803 1804 case IV2_NOTIFY_INVALID_MAJOR_VERSION: 1805 notify_name = "invalid_major_version"; 1806 showspi = 0; 1807 break; 1808 1809 case IV2_NOTIFY_INVALID_SYNTAX: 1810 notify_name = "invalid_syntax"; 1811 showspi = 1; 1812 break; 1813 1814 case IV2_NOTIFY_INVALID_MESSAGE_ID: 1815 notify_name = "invalid_message_id"; 1816 showspi = 1; 1817 break; 1818 1819 case IV2_NOTIFY_INVALID_SPI: 1820 notify_name = "invalid_spi"; 1821 showspi = 1; 1822 break; 1823 1824 case IV2_NOTIFY_NO_PROPOSAL_CHOSEN: 1825 notify_name = "no_protocol_chosen"; 1826 showspi = 1; 1827 break; 1828 1829 case IV2_NOTIFY_INVALID_KE_PAYLOAD: 1830 notify_name = "invalid_ke_payload"; 1831 showspi = 1; 1832 break; 1833 1834 case IV2_NOTIFY_AUTHENTICATION_FAILED: 1835 notify_name = "authentication_failed"; 1836 showspi = 1; 1837 break; 1838 1839 case IV2_NOTIFY_SINGLE_PAIR_REQUIRED: 1840 notify_name = "single_pair_required"; 1841 showspi = 1; 1842 break; 1843 1844 case IV2_NOTIFY_NO_ADDITIONAL_SAS: 1845 notify_name = "no_additional_sas"; 1846 showspi = 0; 1847 break; 1848 1849 case IV2_NOTIFY_INTERNAL_ADDRESS_FAILURE: 1850 notify_name = "internal_address_failure"; 1851 showspi = 0; 1852 break; 1853 1854 case IV2_NOTIFY_FAILED_CP_REQUIRED: 1855 notify_name = "failed:cp_required"; 1856 showspi = 0; 1857 break; 1858 1859 case IV2_NOTIFY_INVALID_SELECTORS: 1860 notify_name = "invalid_selectors"; 1861 showspi = 0; 1862 break; 1863 1864 case IV2_NOTIFY_INITIAL_CONTACT: 1865 notify_name = "initial_contact"; 1866 showspi = 0; 1867 break; 1868 1869 case IV2_NOTIFY_SET_WINDOW_SIZE: 1870 notify_name = "set_window_size"; 1871 showspi = 0; 1872 break; 1873 1874 case IV2_NOTIFY_ADDITIONAL_TS_POSSIBLE: 1875 notify_name = "additional_ts_possible"; 1876 showspi = 0; 1877 break; 1878 1879 case IV2_NOTIFY_IPCOMP_SUPPORTED: 1880 notify_name = "ipcomp_supported"; 1881 showspi = 0; 1882 break; 1883 1884 case IV2_NOTIFY_NAT_DETECTION_SOURCE_IP: 1885 notify_name = "nat_detection_source_ip"; 1886 showspi = 1; 1887 break; 1888 1889 case IV2_NOTIFY_NAT_DETECTION_DESTINATION_IP: 1890 notify_name = "nat_detection_destination_ip"; 1891 showspi = 1; 1892 break; 1893 1894 case IV2_NOTIFY_COOKIE: 1895 notify_name = "cookie"; 1896 showspi = 1; 1897 showsomedata= 1; 1898 showdata= 0; 1899 break; 1900 1901 case IV2_NOTIFY_USE_TRANSPORT_MODE: 1902 notify_name = "use_transport_mode"; 1903 showspi = 0; 1904 break; 1905 1906 case IV2_NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED: 1907 notify_name = "http_cert_lookup_supported"; 1908 showspi = 0; 1909 break; 1910 1911 case IV2_NOTIFY_REKEY_SA: 1912 notify_name = "rekey_sa"; 1913 showspi = 1; 1914 break; 1915 1916 case IV2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED: 1917 notify_name = "tfc_padding_not_supported"; 1918 showspi = 0; 1919 break; 1920 1921 case IV2_NOTIFY_NON_FIRST_FRAGMENTS_ALSO: 1922 notify_name = "non_first_fragment_also"; 1923 showspi = 0; 1924 break; 1925 1926 default: 1927 if (type < 8192) { 1928 notify_name="error"; 1929 } else if(type < 16384) { 1930 notify_name="private-error"; 1931 } else if(type < 40960) { 1932 notify_name="status"; 1933 } else { 1934 notify_name="private-status"; 1935 } 1936 } 1937 1938 if(notify_name) { 1939 ND_PRINT((ndo," type=%u(%s)", type, notify_name)); 1940 } 1941 1942 1943 if (showspi && n.spi_size) { 1944 ND_PRINT((ndo," spi=")); 1945 if (!rawprint(ndo, (caddr_t)(p + 1), n.spi_size)) 1946 goto trunc; 1947 } 1948 1949 cp = (u_char *)(p + 1) + n.spi_size; 1950 1951 if(3 < ndo->ndo_vflag) { 1952 showdata = 1; 1953 } 1954 1955 if ((showdata || (showsomedata && ep-cp < 30)) && cp < ep) { 1956 ND_PRINT((ndo," data=(")); 1957 if (!rawprint(ndo, (caddr_t)(cp), ep - cp)) 1958 goto trunc; 1959 1960 ND_PRINT((ndo,")")); 1961 1962 } else if(showsomedata && cp < ep) { 1963 if(!ike_show_somedata(ndo, cp, ep)) goto trunc; 1964 } 1965 1966 return (u_char *)ext + item_len; 1967 trunc: 1968 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_N))); 1969 return NULL; 1970 } 1971 1972 static const u_char * 1973 ikev2_d_print(netdissect_options *ndo, u_char tpay, 1974 const struct isakmp_gen *ext, 1975 u_int item_len _U_, const u_char *ep _U_, 1976 u_int32_t phase _U_, u_int32_t doi _U_, 1977 u_int32_t proto _U_, int depth _U_) 1978 { 1979 return ikev2_gen_print(ndo, tpay, ext); 1980 } 1981 1982 static const u_char * 1983 ikev2_vid_print(netdissect_options *ndo, u_char tpay, 1984 const struct isakmp_gen *ext, 1985 u_int item_len _U_, const u_char *ep _U_, 1986 u_int32_t phase _U_, u_int32_t doi _U_, 1987 u_int32_t proto _U_, int depth _U_) 1988 { 1989 struct isakmp_gen e; 1990 const u_char *vid; 1991 int i, len; 1992 1993 ND_TCHECK(*ext); 1994 safememcpy(&e, ext, sizeof(e)); 1995 ikev2_pay_print(ndo, NPSTR(tpay), e.critical); 1996 ND_PRINT((ndo," len=%d vid=", ntohs(e.len) - 4)); 1997 1998 vid = (const u_char *)(ext+1); 1999 len = ntohs(e.len) - 4; 2000 ND_TCHECK2(*vid, len); 2001 for(i=0; i<len; i++) { 2002 if(isprint(vid[i])) ND_PRINT((ndo, "%c", vid[i])); 2003 else ND_PRINT((ndo, ".")); 2004 } 2005 if (2 < ndo->ndo_vflag && 4 < len) { 2006 ND_PRINT((ndo," ")); 2007 if (!rawprint(ndo, (caddr_t)(ext + 1), ntohs(e.len) - 4)) 2008 goto trunc; 2009 } 2010 return (u_char *)ext + ntohs(e.len); 2011 trunc: 2012 ND_PRINT((ndo," [|%s]", NPSTR(tpay))); 2013 return NULL; 2014 } 2015 2016 static const u_char * 2017 ikev2_TS_print(netdissect_options *ndo, u_char tpay, 2018 const struct isakmp_gen *ext, 2019 u_int item_len _U_, const u_char *ep _U_, 2020 u_int32_t phase _U_, u_int32_t doi _U_, 2021 u_int32_t proto _U_, int depth _U_) 2022 { 2023 return ikev2_gen_print(ndo, tpay, ext); 2024 } 2025 2026 static const u_char * 2027 ikev2_e_print(netdissect_options *ndo, 2028 #ifndef HAVE_LIBCRYPTO 2029 _U_ 2030 #endif 2031 struct isakmp *base, 2032 u_char tpay, 2033 const struct isakmp_gen *ext, 2034 u_int item_len _U_, const u_char *ep _U_, 2035 #ifndef HAVE_LIBCRYPTO 2036 _U_ 2037 #endif 2038 u_int32_t phase, 2039 #ifndef HAVE_LIBCRYPTO 2040 _U_ 2041 #endif 2042 u_int32_t doi, 2043 #ifndef HAVE_LIBCRYPTO 2044 _U_ 2045 #endif 2046 u_int32_t proto, 2047 #ifndef HAVE_LIBCRYPTO 2048 _U_ 2049 #endif 2050 int depth) 2051 { 2052 struct isakmp_gen e; 2053 u_char *dat; 2054 volatile int dlen; 2055 2056 ND_TCHECK(*ext); 2057 safememcpy(&e, ext, sizeof(e)); 2058 ikev2_pay_print(ndo, NPSTR(tpay), e.critical); 2059 2060 dlen = ntohs(e.len)-4; 2061 2062 ND_PRINT((ndo," len=%d", dlen)); 2063 if (2 < ndo->ndo_vflag && 4 < dlen) { 2064 ND_PRINT((ndo," ")); 2065 if (!rawprint(ndo, (caddr_t)(ext + 1), dlen)) 2066 goto trunc; 2067 } 2068 2069 dat = (u_char *)(ext+1); 2070 ND_TCHECK2(*dat, dlen); 2071 2072 #ifdef HAVE_LIBCRYPTO 2073 /* try to decypt it! */ 2074 if(esp_print_decrypt_buffer_by_ikev2(ndo, 2075 base->flags & ISAKMP_FLAG_I, 2076 base->i_ck, base->r_ck, 2077 dat, dat+dlen)) { 2078 2079 ext = (const struct isakmp_gen *)ndo->ndo_packetp; 2080 2081 /* got it decrypted, print stuff inside. */ 2082 ikev2_sub_print(ndo, base, e.np, ext, ndo->ndo_snapend, 2083 phase, doi, proto, depth+1); 2084 } 2085 #endif 2086 2087 2088 /* always return NULL, because E must be at end, and NP refers 2089 * to what was inside. 2090 */ 2091 return NULL; 2092 trunc: 2093 ND_PRINT((ndo," [|%s]", NPSTR(tpay))); 2094 return NULL; 2095 } 2096 2097 static const u_char * 2098 ikev2_cp_print(netdissect_options *ndo, u_char tpay, 2099 const struct isakmp_gen *ext, 2100 u_int item_len _U_, const u_char *ep _U_, 2101 u_int32_t phase _U_, u_int32_t doi _U_, 2102 u_int32_t proto _U_, int depth _U_) 2103 { 2104 return ikev2_gen_print(ndo, tpay, ext); 2105 } 2106 2107 static const u_char * 2108 ikev2_eap_print(netdissect_options *ndo, u_char tpay, 2109 const struct isakmp_gen *ext, 2110 u_int item_len _U_, const u_char *ep _U_, 2111 u_int32_t phase _U_, u_int32_t doi _U_, 2112 u_int32_t proto _U_, int depth _U_) 2113 { 2114 return ikev2_gen_print(ndo, tpay, ext); 2115 } 2116 2117 static const u_char * 2118 ike_sub0_print(netdissect_options *ndo, 2119 u_char np, const struct isakmp_gen *ext, const u_char *ep, 2120 2121 u_int32_t phase, u_int32_t doi, u_int32_t proto, int depth) 2122 { 2123 const u_char *cp; 2124 struct isakmp_gen e; 2125 u_int item_len; 2126 2127 cp = (u_char *)ext; 2128 ND_TCHECK(*ext); 2129 safememcpy(&e, ext, sizeof(e)); 2130 2131 /* 2132 * Since we can't have a payload length of less than 4 bytes, 2133 * we need to bail out here if the generic header is nonsensical 2134 * or truncated, otherwise we could loop forever processing 2135 * zero-length items or otherwise misdissect the packet. 2136 */ 2137 item_len = ntohs(e.len); 2138 if (item_len <= 4) 2139 return NULL; 2140 2141 if (NPFUNC(np)) { 2142 /* 2143 * XXX - what if item_len is too short, or too long, 2144 * for this payload type? 2145 */ 2146 cp = (*npfunc[np])(ndo, np, ext, item_len, ep, phase, doi, proto, depth); 2147 } else { 2148 ND_PRINT((ndo,"%s", NPSTR(np))); 2149 cp += item_len; 2150 } 2151 2152 return cp; 2153 trunc: 2154 ND_PRINT((ndo," [|isakmp]")); 2155 return NULL; 2156 } 2157 2158 static const u_char * 2159 ikev1_sub_print(netdissect_options *ndo, 2160 u_char np, const struct isakmp_gen *ext, const u_char *ep, 2161 u_int32_t phase, u_int32_t doi, u_int32_t proto, int depth) 2162 { 2163 const u_char *cp; 2164 int i; 2165 struct isakmp_gen e; 2166 2167 cp = (const u_char *)ext; 2168 2169 while (np) { 2170 ND_TCHECK(*ext); 2171 2172 safememcpy(&e, ext, sizeof(e)); 2173 2174 ND_TCHECK2(*ext, ntohs(e.len)); 2175 2176 depth++; 2177 ND_PRINT((ndo,"\n")); 2178 for (i = 0; i < depth; i++) 2179 ND_PRINT((ndo," ")); 2180 ND_PRINT((ndo,"(")); 2181 cp = ike_sub0_print(ndo, np, ext, ep, phase, doi, proto, depth); 2182 ND_PRINT((ndo,")")); 2183 depth--; 2184 2185 if (cp == NULL) { 2186 /* Zero-length subitem */ 2187 return NULL; 2188 } 2189 2190 np = e.np; 2191 ext = (struct isakmp_gen *)cp; 2192 } 2193 return cp; 2194 trunc: 2195 ND_PRINT((ndo," [|%s]", NPSTR(np))); 2196 return NULL; 2197 } 2198 2199 static char * 2200 numstr(int x) 2201 { 2202 static char buf[20]; 2203 snprintf(buf, sizeof(buf), "#%d", x); 2204 return buf; 2205 } 2206 2207 /* 2208 * some compiler tries to optimize memcpy(), using the alignment constraint 2209 * on the argument pointer type. by using this function, we try to avoid the 2210 * optimization. 2211 */ 2212 static void 2213 safememcpy(void *p, const void *q, size_t l) 2214 { 2215 memcpy(p, q, l); 2216 } 2217 2218 static void 2219 ikev1_print(netdissect_options *ndo, 2220 const u_char *bp, u_int length, 2221 const u_char *bp2, struct isakmp *base) 2222 { 2223 const struct isakmp *p; 2224 const u_char *ep; 2225 u_char np; 2226 int i; 2227 int phase; 2228 uint32_t msgid; 2229 2230 p = (const struct isakmp *)bp; 2231 ep = ndo->ndo_snapend; 2232 2233 memcpy(&msgid, base->msgid, sizeof(msgid)); 2234 phase = (msgid == 0) ? 1 : 2; 2235 if (phase == 1) 2236 ND_PRINT((ndo," phase %d", phase)); 2237 else 2238 ND_PRINT((ndo," phase %d/others", phase)); 2239 2240 i = cookie_find(&base->i_ck); 2241 if (i < 0) { 2242 if (iszero((u_char *)&base->r_ck, sizeof(base->r_ck))) { 2243 /* the first packet */ 2244 ND_PRINT((ndo," I")); 2245 if (bp2) 2246 cookie_record(&base->i_ck, bp2); 2247 } else 2248 ND_PRINT((ndo," ?")); 2249 } else { 2250 if (bp2 && cookie_isinitiator(i, bp2)) 2251 ND_PRINT((ndo," I")); 2252 else if (bp2 && cookie_isresponder(i, bp2)) 2253 ND_PRINT((ndo," R")); 2254 else 2255 ND_PRINT((ndo," ?")); 2256 } 2257 2258 ND_PRINT((ndo," %s", ETYPESTR(base->etype))); 2259 if (base->flags) { 2260 ND_PRINT((ndo,"[%s%s]", base->flags & ISAKMP_FLAG_E ? "E" : "", 2261 base->flags & ISAKMP_FLAG_C ? "C" : "")); 2262 } 2263 2264 if (ndo->ndo_vflag) { 2265 const struct isakmp_gen *ext; 2266 2267 ND_PRINT((ndo,":")); 2268 2269 /* regardless of phase... */ 2270 if (base->flags & ISAKMP_FLAG_E) { 2271 /* 2272 * encrypted, nothing we can do right now. 2273 * we hope to decrypt the packet in the future... 2274 */ 2275 ND_PRINT((ndo," [encrypted %s]", NPSTR(base->np))); 2276 goto done; 2277 } 2278 2279 CHECKLEN(p + 1, base->np); 2280 np = base->np; 2281 ext = (struct isakmp_gen *)(p + 1); 2282 ikev1_sub_print(ndo, np, ext, ep, phase, 0, 0, 0); 2283 } 2284 2285 done: 2286 if (ndo->ndo_vflag) { 2287 if (ntohl(base->len) != length) { 2288 ND_PRINT((ndo," (len mismatch: isakmp %u/ip %u)", 2289 (u_int32_t)ntohl(base->len), length)); 2290 } 2291 } 2292 } 2293 2294 static const u_char * 2295 ikev2_sub0_print(netdissect_options *ndo, struct isakmp *base, 2296 u_char np, int pcount, 2297 const struct isakmp_gen *ext, const u_char *ep, 2298 u_int32_t phase, u_int32_t doi, u_int32_t proto, int depth) 2299 { 2300 const u_char *cp; 2301 struct isakmp_gen e; 2302 u_int item_len; 2303 2304 cp = (u_char *)ext; 2305 ND_TCHECK(*ext); 2306 safememcpy(&e, ext, sizeof(e)); 2307 2308 /* 2309 * Since we can't have a payload length of less than 4 bytes, 2310 * we need to bail out here if the generic header is nonsensical 2311 * or truncated, otherwise we could loop forever processing 2312 * zero-length items or otherwise misdissect the packet. 2313 */ 2314 item_len = ntohs(e.len); 2315 if (item_len <= 4) 2316 return NULL; 2317 2318 if(np == ISAKMP_NPTYPE_P) { 2319 cp = ikev2_p_print(ndo, np, pcount, ext, item_len, 2320 ep, phase, doi, proto, depth); 2321 } else if(np == ISAKMP_NPTYPE_T) { 2322 cp = ikev2_t_print(ndo, np, pcount, ext, item_len, 2323 ep, phase, doi, proto, depth); 2324 } else if(np == ISAKMP_NPTYPE_v2E) { 2325 cp = ikev2_e_print(ndo, base, np, ext, item_len, 2326 ep, phase, doi, proto, depth); 2327 } else if (NPFUNC(np)) { 2328 /* 2329 * XXX - what if item_len is too short, or too long, 2330 * for this payload type? 2331 */ 2332 cp = (*npfunc[np])(ndo, np, /*pcount,*/ ext, item_len, 2333 ep, phase, doi, proto, depth); 2334 } else { 2335 ND_PRINT((ndo,"%s", NPSTR(np))); 2336 cp += item_len; 2337 } 2338 2339 return cp; 2340 trunc: 2341 ND_PRINT((ndo," [|isakmp]")); 2342 return NULL; 2343 } 2344 2345 static const u_char * 2346 ikev2_sub_print(netdissect_options *ndo, 2347 struct isakmp *base, 2348 u_char np, const struct isakmp_gen *ext, const u_char *ep, 2349 u_int32_t phase, u_int32_t doi, u_int32_t proto, int depth) 2350 { 2351 const u_char *cp; 2352 int i; 2353 int pcount; 2354 struct isakmp_gen e; 2355 2356 cp = (const u_char *)ext; 2357 pcount = 0; 2358 while (np) { 2359 pcount++; 2360 ND_TCHECK(*ext); 2361 2362 safememcpy(&e, ext, sizeof(e)); 2363 2364 ND_TCHECK2(*ext, ntohs(e.len)); 2365 2366 depth++; 2367 ND_PRINT((ndo,"\n")); 2368 for (i = 0; i < depth; i++) 2369 ND_PRINT((ndo," ")); 2370 ND_PRINT((ndo,"(")); 2371 cp = ikev2_sub0_print(ndo, base, np, pcount, 2372 ext, ep, phase, doi, proto, depth); 2373 ND_PRINT((ndo,")")); 2374 depth--; 2375 2376 if (cp == NULL) { 2377 /* Zero-length subitem */ 2378 return NULL; 2379 } 2380 2381 np = e.np; 2382 ext = (struct isakmp_gen *)cp; 2383 } 2384 return cp; 2385 trunc: 2386 ND_PRINT((ndo," [|%s]", NPSTR(np))); 2387 return NULL; 2388 } 2389 2390 static void 2391 ikev2_print(netdissect_options *ndo, 2392 const u_char *bp, u_int length, 2393 const u_char *bp2 _U_, struct isakmp *base) 2394 { 2395 const struct isakmp *p; 2396 const u_char *ep; 2397 u_char np; 2398 int phase; 2399 uint32_t msgid; 2400 2401 p = (const struct isakmp *)bp; 2402 ep = ndo->ndo_snapend; 2403 2404 memcpy(&msgid, base->msgid, sizeof(msgid)); 2405 phase = (msgid == 0) ? 1 : 2; 2406 if (phase == 1) 2407 ND_PRINT((ndo, " parent_sa")); 2408 else 2409 ND_PRINT((ndo, " child_sa ")); 2410 2411 ND_PRINT((ndo, " %s", ETYPESTR(base->etype))); 2412 if (base->flags) { 2413 ND_PRINT((ndo, "[%s%s%s]", 2414 base->flags & ISAKMP_FLAG_I ? "I" : "", 2415 base->flags & ISAKMP_FLAG_V ? "V" : "", 2416 base->flags & ISAKMP_FLAG_R ? "R" : "")); 2417 } 2418 2419 if (ndo->ndo_vflag) { 2420 const struct isakmp_gen *ext; 2421 2422 ND_PRINT((ndo, ":")); 2423 2424 /* regardless of phase... */ 2425 if (base->flags & ISAKMP_FLAG_E) { 2426 /* 2427 * encrypted, nothing we can do right now. 2428 * we hope to decrypt the packet in the future... 2429 */ 2430 ND_PRINT((ndo, " [encrypted %s]", NPSTR(base->np))); 2431 goto done; 2432 } 2433 2434 CHECKLEN(p + 1, base->np) 2435 2436 np = base->np; 2437 ext = (struct isakmp_gen *)(p + 1); 2438 ikev2_sub_print(ndo, base, np, ext, ep, phase, 0, 0, 0); 2439 } 2440 2441 done: 2442 if (ndo->ndo_vflag) { 2443 if (ntohl(base->len) != length) { 2444 ND_PRINT((ndo, " (len mismatch: isakmp %u/ip %u)", 2445 (u_int32_t)ntohl(base->len), length)); 2446 } 2447 } 2448 } 2449 2450 void 2451 isakmp_print(netdissect_options *ndo, 2452 const u_char *bp, u_int length, 2453 const u_char *bp2) 2454 { 2455 const struct isakmp *p; 2456 struct isakmp base; 2457 const u_char *ep; 2458 int major, minor; 2459 2460 #ifdef HAVE_LIBCRYPTO 2461 /* initialize SAs */ 2462 if (ndo->ndo_sa_list_head == NULL) { 2463 if (ndo->ndo_espsecret) 2464 esp_print_decodesecret(ndo); 2465 } 2466 #endif 2467 2468 p = (const struct isakmp *)bp; 2469 ep = ndo->ndo_snapend; 2470 2471 if ((struct isakmp *)ep < p + 1) { 2472 ND_PRINT((ndo,"[|isakmp]")); 2473 return; 2474 } 2475 2476 safememcpy(&base, p, sizeof(base)); 2477 2478 ND_PRINT((ndo,"isakmp")); 2479 major = (base.vers & ISAKMP_VERS_MAJOR) 2480 >> ISAKMP_VERS_MAJOR_SHIFT; 2481 minor = (base.vers & ISAKMP_VERS_MINOR) 2482 >> ISAKMP_VERS_MINOR_SHIFT; 2483 2484 if (ndo->ndo_vflag) { 2485 ND_PRINT((ndo," %d.%d", major, minor)); 2486 } 2487 2488 if (ndo->ndo_vflag) { 2489 ND_PRINT((ndo," msgid ")); 2490 hexprint(ndo, (caddr_t)&base.msgid, sizeof(base.msgid)); 2491 } 2492 2493 if (1 < ndo->ndo_vflag) { 2494 ND_PRINT((ndo," cookie ")); 2495 hexprint(ndo, (caddr_t)&base.i_ck, sizeof(base.i_ck)); 2496 ND_PRINT((ndo,"->")); 2497 hexprint(ndo, (caddr_t)&base.r_ck, sizeof(base.r_ck)); 2498 } 2499 ND_PRINT((ndo,":")); 2500 2501 switch(major) { 2502 case IKEv1_MAJOR_VERSION: 2503 ikev1_print(ndo, bp, length, bp2, &base); 2504 break; 2505 2506 case IKEv2_MAJOR_VERSION: 2507 ikev2_print(ndo, bp, length, bp2, &base); 2508 break; 2509 } 2510 } 2511 2512 void 2513 isakmp_rfc3948_print(netdissect_options *ndo, 2514 const u_char *bp, u_int length, 2515 const u_char *bp2) 2516 { 2517 if(length == 1 && bp[0]==0xff) { 2518 ND_PRINT((ndo, "isakmp-nat-keep-alive")); 2519 return; 2520 } 2521 2522 if(length < 4) { 2523 goto trunc; 2524 } 2525 2526 /* 2527 * see if this is an IKE packet 2528 */ 2529 if(bp[0]==0 && bp[1]==0 && bp[2]==0 && bp[3]==0) { 2530 ND_PRINT((ndo, "NONESP-encap: ")); 2531 isakmp_print(ndo, bp+4, length-4, bp2); 2532 return; 2533 } 2534 2535 /* must be an ESP packet */ 2536 { 2537 int nh, enh, padlen; 2538 int advance; 2539 2540 ND_PRINT((ndo, "UDP-encap: ")); 2541 2542 advance = esp_print(ndo, bp, length, bp2, &enh, &padlen); 2543 if(advance <= 0) 2544 return; 2545 2546 bp += advance; 2547 length -= advance + padlen; 2548 nh = enh & 0xff; 2549 2550 ip_print_inner(ndo, bp, length, nh, bp2); 2551 return; 2552 } 2553 2554 trunc: 2555 ND_PRINT((ndo,"[|isakmp]")); 2556 return; 2557 } 2558 2559 /* 2560 * Local Variables: 2561 * c-style: whitesmith 2562 * c-basic-offset: 8 2563 * End: 2564 */ 2565 2566 2567 2568 2569