1 /* 2 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. Neither the name of the project nor the names of its contributors 14 * may be used to endorse or promote products derived from this software 15 * without specific prior written permission. 16 * 17 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27 * SUCH DAMAGE. 28 * 29 */ 30 31 #include <sys/cdefs.h> 32 #ifndef lint 33 __RCSID("$NetBSD: print-isakmp.c,v 1.7 2014/11/20 03:05:03 christos Exp $"); 34 #endif 35 36 #define NETDISSECT_REWORKED 37 #ifdef HAVE_CONFIG_H 38 #include "config.h" 39 #endif 40 41 /* The functions from print-esp.c used in this file are only defined when both 42 * OpenSSL and evp.h are detected. Employ the same preprocessor device here. 43 */ 44 #ifndef HAVE_OPENSSL_EVP_H 45 #undef HAVE_LIBCRYPTO 46 #endif 47 48 #include <tcpdump-stdinc.h> 49 50 #include <string.h> 51 52 #include "interface.h" 53 #include "addrtoname.h" 54 #include "extract.h" /* must come after interface.h */ 55 56 #include "ip.h" 57 #ifdef INET6 58 #include "ip6.h" 59 #endif 60 61 /* refer to RFC 2408 */ 62 63 typedef u_char cookie_t[8]; 64 typedef u_char msgid_t[4]; 65 66 #define PORT_ISAKMP 500 67 68 /* 3.1 ISAKMP Header Format (IKEv1 and IKEv2) 69 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 70 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 71 ! Initiator ! 72 ! Cookie ! 73 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 74 ! Responder ! 75 ! Cookie ! 76 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 77 ! Next Payload ! MjVer ! MnVer ! Exchange Type ! Flags ! 78 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 79 ! Message ID ! 80 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 81 ! Length ! 82 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 83 */ 84 struct isakmp { 85 cookie_t i_ck; /* Initiator Cookie */ 86 cookie_t r_ck; /* Responder Cookie */ 87 uint8_t np; /* Next Payload Type */ 88 uint8_t vers; 89 #define ISAKMP_VERS_MAJOR 0xf0 90 #define ISAKMP_VERS_MAJOR_SHIFT 4 91 #define ISAKMP_VERS_MINOR 0x0f 92 #define ISAKMP_VERS_MINOR_SHIFT 0 93 uint8_t etype; /* Exchange Type */ 94 uint8_t flags; /* Flags */ 95 msgid_t msgid; 96 uint32_t len; /* Length */ 97 }; 98 99 /* Next Payload Type */ 100 #define ISAKMP_NPTYPE_NONE 0 /* NONE*/ 101 #define ISAKMP_NPTYPE_SA 1 /* Security Association */ 102 #define ISAKMP_NPTYPE_P 2 /* Proposal */ 103 #define ISAKMP_NPTYPE_T 3 /* Transform */ 104 #define ISAKMP_NPTYPE_KE 4 /* Key Exchange */ 105 #define ISAKMP_NPTYPE_ID 5 /* Identification */ 106 #define ISAKMP_NPTYPE_CERT 6 /* Certificate */ 107 #define ISAKMP_NPTYPE_CR 7 /* Certificate Request */ 108 #define ISAKMP_NPTYPE_HASH 8 /* Hash */ 109 #define ISAKMP_NPTYPE_SIG 9 /* Signature */ 110 #define ISAKMP_NPTYPE_NONCE 10 /* Nonce */ 111 #define ISAKMP_NPTYPE_N 11 /* Notification */ 112 #define ISAKMP_NPTYPE_D 12 /* Delete */ 113 #define ISAKMP_NPTYPE_VID 13 /* Vendor ID */ 114 #define ISAKMP_NPTYPE_v2E 46 /* v2 Encrypted payload */ 115 116 #define IKEv1_MAJOR_VERSION 1 117 #define IKEv1_MINOR_VERSION 0 118 119 #define IKEv2_MAJOR_VERSION 2 120 #define IKEv2_MINOR_VERSION 0 121 122 /* Flags */ 123 #define ISAKMP_FLAG_E 0x01 /* Encryption Bit */ 124 #define ISAKMP_FLAG_C 0x02 /* Commit Bit */ 125 #define ISAKMP_FLAG_extra 0x04 126 127 /* IKEv2 */ 128 #define ISAKMP_FLAG_I (1 << 3) /* (I)nitiator */ 129 #define ISAKMP_FLAG_V (1 << 4) /* (V)ersion */ 130 #define ISAKMP_FLAG_R (1 << 5) /* (R)esponse */ 131 132 133 /* 3.2 Payload Generic Header 134 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 135 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 136 ! Next Payload ! RESERVED ! Payload Length ! 137 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 138 */ 139 struct isakmp_gen { 140 uint8_t np; /* Next Payload */ 141 uint8_t critical; /* bit 7 - critical, rest is RESERVED */ 142 uint16_t len; /* Payload Length */ 143 }; 144 145 /* 3.3 Data Attributes 146 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 147 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 148 !A! Attribute Type ! AF=0 Attribute Length ! 149 !F! ! AF=1 Attribute Value ! 150 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 151 . AF=0 Attribute Value . 152 . AF=1 Not Transmitted . 153 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 154 */ 155 struct isakmp_data { 156 uint16_t type; /* defined by DOI-spec, and Attribute Format */ 157 uint16_t lorv; /* if f equal 1, Attribute Length */ 158 /* if f equal 0, Attribute Value */ 159 /* if f equal 1, Attribute Value */ 160 }; 161 162 /* 3.4 Security Association Payload */ 163 /* MAY NOT be used, because of being defined in ipsec-doi. */ 164 /* 165 If the current payload is the last in the message, 166 then the value of the next payload field will be 0. 167 This field MUST NOT contain the 168 values for the Proposal or Transform payloads as they are considered 169 part of the security association negotiation. For example, this 170 field would contain the value "10" (Nonce payload) in the first 171 message of a Base Exchange (see Section 4.4) and the value "0" in the 172 first message of an Identity Protect Exchange (see Section 4.5). 173 */ 174 struct ikev1_pl_sa { 175 struct isakmp_gen h; 176 uint32_t doi; /* Domain of Interpretation */ 177 uint32_t sit; /* Situation */ 178 }; 179 180 /* 3.5 Proposal Payload */ 181 /* 182 The value of the next payload field MUST only contain the value "2" 183 or "0". If there are additional Proposal payloads in the message, 184 then this field will be 2. If the current Proposal payload is the 185 last within the security association proposal, then this field will 186 be 0. 187 */ 188 struct ikev1_pl_p { 189 struct isakmp_gen h; 190 uint8_t p_no; /* Proposal # */ 191 uint8_t prot_id; /* Protocol */ 192 uint8_t spi_size; /* SPI Size */ 193 uint8_t num_t; /* Number of Transforms */ 194 /* SPI */ 195 }; 196 197 /* 3.6 Transform Payload */ 198 /* 199 The value of the next payload field MUST only contain the value "3" 200 or "0". If there are additional Transform payloads in the proposal, 201 then this field will be 3. If the current Transform payload is the 202 last within the proposal, then this field will be 0. 203 */ 204 struct ikev1_pl_t { 205 struct isakmp_gen h; 206 uint8_t t_no; /* Transform # */ 207 uint8_t t_id; /* Transform-Id */ 208 uint16_t reserved; /* RESERVED2 */ 209 /* SA Attributes */ 210 }; 211 212 /* 3.7 Key Exchange Payload */ 213 struct ikev1_pl_ke { 214 struct isakmp_gen h; 215 /* Key Exchange Data */ 216 }; 217 218 /* 3.8 Identification Payload */ 219 /* MUST NOT to be used, because of being defined in ipsec-doi. */ 220 struct ikev1_pl_id { 221 struct isakmp_gen h; 222 union { 223 uint8_t id_type; /* ID Type */ 224 uint32_t doi_data; /* DOI Specific ID Data */ 225 } d; 226 /* Identification Data */ 227 }; 228 229 /* 3.9 Certificate Payload */ 230 struct ikev1_pl_cert { 231 struct isakmp_gen h; 232 uint8_t encode; /* Cert Encoding */ 233 char cert; /* Certificate Data */ 234 /* 235 This field indicates the type of 236 certificate or certificate-related information contained in the 237 Certificate Data field. 238 */ 239 }; 240 241 /* 3.10 Certificate Request Payload */ 242 struct ikev1_pl_cr { 243 struct isakmp_gen h; 244 uint8_t num_cert; /* # Cert. Types */ 245 /* 246 Certificate Types (variable length) 247 -- Contains a list of the types of certificates requested, 248 sorted in order of preference. Each individual certificate 249 type is 1 octet. This field is NOT requiredo 250 */ 251 /* # Certificate Authorities (1 octet) */ 252 /* Certificate Authorities (variable length) */ 253 }; 254 255 /* 3.11 Hash Payload */ 256 /* may not be used, because of having only data. */ 257 struct ikev1_pl_hash { 258 struct isakmp_gen h; 259 /* Hash Data */ 260 }; 261 262 /* 3.12 Signature Payload */ 263 /* may not be used, because of having only data. */ 264 struct ikev1_pl_sig { 265 struct isakmp_gen h; 266 /* Signature Data */ 267 }; 268 269 /* 3.13 Nonce Payload */ 270 /* may not be used, because of having only data. */ 271 struct ikev1_pl_nonce { 272 struct isakmp_gen h; 273 /* Nonce Data */ 274 }; 275 276 /* 3.14 Notification Payload */ 277 struct ikev1_pl_n { 278 struct isakmp_gen h; 279 uint32_t doi; /* Domain of Interpretation */ 280 uint8_t prot_id; /* Protocol-ID */ 281 uint8_t spi_size; /* SPI Size */ 282 uint16_t type; /* Notify Message Type */ 283 /* SPI */ 284 /* Notification Data */ 285 }; 286 287 /* 3.14.1 Notify Message Types */ 288 /* NOTIFY MESSAGES - ERROR TYPES */ 289 #define ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE 1 290 #define ISAKMP_NTYPE_DOI_NOT_SUPPORTED 2 291 #define ISAKMP_NTYPE_SITUATION_NOT_SUPPORTED 3 292 #define ISAKMP_NTYPE_INVALID_COOKIE 4 293 #define ISAKMP_NTYPE_INVALID_MAJOR_VERSION 5 294 #define ISAKMP_NTYPE_INVALID_MINOR_VERSION 6 295 #define ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE 7 296 #define ISAKMP_NTYPE_INVALID_FLAGS 8 297 #define ISAKMP_NTYPE_INVALID_MESSAGE_ID 9 298 #define ISAKMP_NTYPE_INVALID_PROTOCOL_ID 10 299 #define ISAKMP_NTYPE_INVALID_SPI 11 300 #define ISAKMP_NTYPE_INVALID_TRANSFORM_ID 12 301 #define ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED 13 302 #define ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN 14 303 #define ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX 15 304 #define ISAKMP_NTYPE_PAYLOAD_MALFORMED 16 305 #define ISAKMP_NTYPE_INVALID_KEY_INFORMATION 17 306 #define ISAKMP_NTYPE_INVALID_ID_INFORMATION 18 307 #define ISAKMP_NTYPE_INVALID_CERT_ENCODING 19 308 #define ISAKMP_NTYPE_INVALID_CERTIFICATE 20 309 #define ISAKMP_NTYPE_BAD_CERT_REQUEST_SYNTAX 21 310 #define ISAKMP_NTYPE_INVALID_CERT_AUTHORITY 22 311 #define ISAKMP_NTYPE_INVALID_HASH_INFORMATION 23 312 #define ISAKMP_NTYPE_AUTHENTICATION_FAILED 24 313 #define ISAKMP_NTYPE_INVALID_SIGNATURE 25 314 #define ISAKMP_NTYPE_ADDRESS_NOTIFICATION 26 315 316 /* 3.15 Delete Payload */ 317 struct ikev1_pl_d { 318 struct isakmp_gen h; 319 uint32_t doi; /* Domain of Interpretation */ 320 uint8_t prot_id; /* Protocol-Id */ 321 uint8_t spi_size; /* SPI Size */ 322 uint16_t num_spi; /* # of SPIs */ 323 /* SPI(es) */ 324 }; 325 326 struct ikev1_ph1tab { 327 struct ikev1_ph1 *head; 328 struct ikev1_ph1 *tail; 329 int len; 330 }; 331 332 struct isakmp_ph2tab { 333 struct ikev1_ph2 *head; 334 struct ikev1_ph2 *tail; 335 int len; 336 }; 337 338 /* IKEv2 (RFC4306) */ 339 340 /* 3.3 Security Association Payload -- generic header */ 341 /* 3.3.1. Proposal Substructure */ 342 struct ikev2_p { 343 struct isakmp_gen h; 344 uint8_t p_no; /* Proposal # */ 345 uint8_t prot_id; /* Protocol */ 346 uint8_t spi_size; /* SPI Size */ 347 uint8_t num_t; /* Number of Transforms */ 348 }; 349 350 /* 3.3.2. Transform Substructure */ 351 struct ikev2_t { 352 struct isakmp_gen h; 353 uint8_t t_type; /* Transform Type (ENCR,PRF,INTEG,etc.*/ 354 uint8_t res2; /* reserved byte */ 355 uint16_t t_id; /* Transform ID */ 356 }; 357 358 enum ikev2_t_type { 359 IV2_T_ENCR = 1, 360 IV2_T_PRF = 2, 361 IV2_T_INTEG= 3, 362 IV2_T_DH = 4, 363 IV2_T_ESN = 5, 364 }; 365 366 /* 3.4. Key Exchange Payload */ 367 struct ikev2_ke { 368 struct isakmp_gen h; 369 uint16_t ke_group; 370 uint16_t ke_res1; 371 /* KE data */ 372 }; 373 374 375 /* 3.5. Identification Payloads */ 376 enum ikev2_id_type { 377 ID_IPV4_ADDR=1, 378 ID_FQDN=2, 379 ID_RFC822_ADDR=3, 380 ID_IPV6_ADDR=5, 381 ID_DER_ASN1_DN=9, 382 ID_DER_ASN1_GN=10, 383 ID_KEY_ID=11, 384 }; 385 struct ikev2_id { 386 struct isakmp_gen h; 387 uint8_t type; /* ID type */ 388 uint8_t res1; 389 uint16_t res2; 390 /* SPI */ 391 /* Notification Data */ 392 }; 393 394 /* 3.10 Notification Payload */ 395 struct ikev2_n { 396 struct isakmp_gen h; 397 uint8_t prot_id; /* Protocol-ID */ 398 uint8_t spi_size; /* SPI Size */ 399 uint16_t type; /* Notify Message Type */ 400 }; 401 402 enum ikev2_n_type { 403 IV2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD = 1, 404 IV2_NOTIFY_INVALID_IKE_SPI = 4, 405 IV2_NOTIFY_INVALID_MAJOR_VERSION = 5, 406 IV2_NOTIFY_INVALID_SYNTAX = 7, 407 IV2_NOTIFY_INVALID_MESSAGE_ID = 9, 408 IV2_NOTIFY_INVALID_SPI =11, 409 IV2_NOTIFY_NO_PROPOSAL_CHOSEN =14, 410 IV2_NOTIFY_INVALID_KE_PAYLOAD =17, 411 IV2_NOTIFY_AUTHENTICATION_FAILED =24, 412 IV2_NOTIFY_SINGLE_PAIR_REQUIRED =34, 413 IV2_NOTIFY_NO_ADDITIONAL_SAS =35, 414 IV2_NOTIFY_INTERNAL_ADDRESS_FAILURE =36, 415 IV2_NOTIFY_FAILED_CP_REQUIRED =37, 416 IV2_NOTIFY_INVALID_SELECTORS =39, 417 IV2_NOTIFY_INITIAL_CONTACT =16384, 418 IV2_NOTIFY_SET_WINDOW_SIZE =16385, 419 IV2_NOTIFY_ADDITIONAL_TS_POSSIBLE =16386, 420 IV2_NOTIFY_IPCOMP_SUPPORTED =16387, 421 IV2_NOTIFY_NAT_DETECTION_SOURCE_IP =16388, 422 IV2_NOTIFY_NAT_DETECTION_DESTINATION_IP =16389, 423 IV2_NOTIFY_COOKIE =16390, 424 IV2_NOTIFY_USE_TRANSPORT_MODE =16391, 425 IV2_NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED =16392, 426 IV2_NOTIFY_REKEY_SA =16393, 427 IV2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED =16394, 428 IV2_NOTIFY_NON_FIRST_FRAGMENTS_ALSO =16395 429 }; 430 431 struct notify_messages { 432 uint16_t type; 433 char *msg; 434 }; 435 436 /* 3.8 Notification Payload */ 437 struct ikev2_auth { 438 struct isakmp_gen h; 439 uint8_t auth_method; /* Protocol-ID */ 440 uint8_t reserved[3]; 441 /* authentication data */ 442 }; 443 444 enum ikev2_auth_type { 445 IV2_RSA_SIG = 1, 446 IV2_SHARED = 2, 447 IV2_DSS_SIG = 3, 448 }; 449 450 /* refer to RFC 2409 */ 451 452 #if 0 453 /* isakmp sa structure */ 454 struct oakley_sa { 455 uint8_t proto_id; /* OAKLEY */ 456 vchar_t *spi; /* spi */ 457 uint8_t dhgrp; /* DH; group */ 458 uint8_t auth_t; /* method of authentication */ 459 uint8_t prf_t; /* type of prf */ 460 uint8_t hash_t; /* type of hash */ 461 uint8_t enc_t; /* type of cipher */ 462 uint8_t life_t; /* type of duration of lifetime */ 463 uint32_t ldur; /* life duration */ 464 }; 465 #endif 466 467 /* refer to RFC 2407 */ 468 469 #define IPSEC_DOI 1 470 471 /* 4.2 IPSEC Situation Definition */ 472 #define IPSECDOI_SIT_IDENTITY_ONLY 0x00000001 473 #define IPSECDOI_SIT_SECRECY 0x00000002 474 #define IPSECDOI_SIT_INTEGRITY 0x00000004 475 476 /* 4.4.1 IPSEC Security Protocol Identifiers */ 477 /* 4.4.2 IPSEC ISAKMP Transform Values */ 478 #define IPSECDOI_PROTO_ISAKMP 1 479 #define IPSECDOI_KEY_IKE 1 480 481 /* 4.4.1 IPSEC Security Protocol Identifiers */ 482 #define IPSECDOI_PROTO_IPSEC_AH 2 483 /* 4.4.3 IPSEC AH Transform Values */ 484 #define IPSECDOI_AH_MD5 2 485 #define IPSECDOI_AH_SHA 3 486 #define IPSECDOI_AH_DES 4 487 #define IPSECDOI_AH_SHA2_256 5 488 #define IPSECDOI_AH_SHA2_384 6 489 #define IPSECDOI_AH_SHA2_512 7 490 491 /* 4.4.1 IPSEC Security Protocol Identifiers */ 492 #define IPSECDOI_PROTO_IPSEC_ESP 3 493 /* 4.4.4 IPSEC ESP Transform Identifiers */ 494 #define IPSECDOI_ESP_DES_IV64 1 495 #define IPSECDOI_ESP_DES 2 496 #define IPSECDOI_ESP_3DES 3 497 #define IPSECDOI_ESP_RC5 4 498 #define IPSECDOI_ESP_IDEA 5 499 #define IPSECDOI_ESP_CAST 6 500 #define IPSECDOI_ESP_BLOWFISH 7 501 #define IPSECDOI_ESP_3IDEA 8 502 #define IPSECDOI_ESP_DES_IV32 9 503 #define IPSECDOI_ESP_RC4 10 504 #define IPSECDOI_ESP_NULL 11 505 #define IPSECDOI_ESP_RIJNDAEL 12 506 #define IPSECDOI_ESP_AES 12 507 508 /* 4.4.1 IPSEC Security Protocol Identifiers */ 509 #define IPSECDOI_PROTO_IPCOMP 4 510 /* 4.4.5 IPSEC IPCOMP Transform Identifiers */ 511 #define IPSECDOI_IPCOMP_OUI 1 512 #define IPSECDOI_IPCOMP_DEFLATE 2 513 #define IPSECDOI_IPCOMP_LZS 3 514 515 /* 4.5 IPSEC Security Association Attributes */ 516 #define IPSECDOI_ATTR_SA_LTYPE 1 /* B */ 517 #define IPSECDOI_ATTR_SA_LTYPE_DEFAULT 1 518 #define IPSECDOI_ATTR_SA_LTYPE_SEC 1 519 #define IPSECDOI_ATTR_SA_LTYPE_KB 2 520 #define IPSECDOI_ATTR_SA_LDUR 2 /* V */ 521 #define IPSECDOI_ATTR_SA_LDUR_DEFAULT 28800 /* 8 hours */ 522 #define IPSECDOI_ATTR_GRP_DESC 3 /* B */ 523 #define IPSECDOI_ATTR_ENC_MODE 4 /* B */ 524 /* default value: host dependent */ 525 #define IPSECDOI_ATTR_ENC_MODE_TUNNEL 1 526 #define IPSECDOI_ATTR_ENC_MODE_TRNS 2 527 #define IPSECDOI_ATTR_AUTH 5 /* B */ 528 /* 0 means not to use authentication. */ 529 #define IPSECDOI_ATTR_AUTH_HMAC_MD5 1 530 #define IPSECDOI_ATTR_AUTH_HMAC_SHA1 2 531 #define IPSECDOI_ATTR_AUTH_DES_MAC 3 532 #define IPSECDOI_ATTR_AUTH_KPDK 4 /*RFC-1826(Key/Pad/Data/Key)*/ 533 /* 534 * When negotiating ESP without authentication, the Auth 535 * Algorithm attribute MUST NOT be included in the proposal. 536 * When negotiating ESP without confidentiality, the Auth 537 * Algorithm attribute MUST be included in the proposal and 538 * the ESP transform ID must be ESP_NULL. 539 */ 540 #define IPSECDOI_ATTR_KEY_LENGTH 6 /* B */ 541 #define IPSECDOI_ATTR_KEY_ROUNDS 7 /* B */ 542 #define IPSECDOI_ATTR_COMP_DICT_SIZE 8 /* B */ 543 #define IPSECDOI_ATTR_COMP_PRIVALG 9 /* V */ 544 545 /* 4.6.1 Security Association Payload */ 546 struct ipsecdoi_sa { 547 struct isakmp_gen h; 548 uint32_t doi; /* Domain of Interpretation */ 549 uint32_t sit; /* Situation */ 550 }; 551 552 struct ipsecdoi_secrecy_h { 553 uint16_t len; 554 uint16_t reserved; 555 }; 556 557 /* 4.6.2.1 Identification Type Values */ 558 struct ipsecdoi_id { 559 struct isakmp_gen h; 560 uint8_t type; /* ID Type */ 561 uint8_t proto_id; /* Protocol ID */ 562 uint16_t port; /* Port */ 563 /* Identification Data */ 564 }; 565 566 #define IPSECDOI_ID_IPV4_ADDR 1 567 #define IPSECDOI_ID_FQDN 2 568 #define IPSECDOI_ID_USER_FQDN 3 569 #define IPSECDOI_ID_IPV4_ADDR_SUBNET 4 570 #define IPSECDOI_ID_IPV6_ADDR 5 571 #define IPSECDOI_ID_IPV6_ADDR_SUBNET 6 572 #define IPSECDOI_ID_IPV4_ADDR_RANGE 7 573 #define IPSECDOI_ID_IPV6_ADDR_RANGE 8 574 #define IPSECDOI_ID_DER_ASN1_DN 9 575 #define IPSECDOI_ID_DER_ASN1_GN 10 576 #define IPSECDOI_ID_KEY_ID 11 577 578 /* 4.6.3 IPSEC DOI Notify Message Types */ 579 /* Notify Messages - Status Types */ 580 #define IPSECDOI_NTYPE_RESPONDER_LIFETIME 24576 581 #define IPSECDOI_NTYPE_REPLAY_STATUS 24577 582 #define IPSECDOI_NTYPE_INITIAL_CONTACT 24578 583 584 #define DECLARE_PRINTER(func) static const u_char *ike##func##_print( \ 585 netdissect_options *ndo, u_char tpay, \ 586 const struct isakmp_gen *ext, \ 587 u_int item_len, \ 588 const u_char *end_pointer, \ 589 uint32_t phase,\ 590 uint32_t doi0, \ 591 uint32_t proto0, int depth) 592 593 DECLARE_PRINTER(v1_sa); 594 DECLARE_PRINTER(v1_p); 595 DECLARE_PRINTER(v1_t); 596 DECLARE_PRINTER(v1_ke); 597 DECLARE_PRINTER(v1_id); 598 DECLARE_PRINTER(v1_cert); 599 DECLARE_PRINTER(v1_cr); 600 DECLARE_PRINTER(v1_sig); 601 DECLARE_PRINTER(v1_hash); 602 DECLARE_PRINTER(v1_nonce); 603 DECLARE_PRINTER(v1_n); 604 DECLARE_PRINTER(v1_d); 605 DECLARE_PRINTER(v1_vid); 606 607 DECLARE_PRINTER(v2_sa); 608 DECLARE_PRINTER(v2_ke); 609 DECLARE_PRINTER(v2_ID); 610 DECLARE_PRINTER(v2_cert); 611 DECLARE_PRINTER(v2_cr); 612 DECLARE_PRINTER(v2_auth); 613 DECLARE_PRINTER(v2_nonce); 614 DECLARE_PRINTER(v2_n); 615 DECLARE_PRINTER(v2_d); 616 DECLARE_PRINTER(v2_vid); 617 DECLARE_PRINTER(v2_TS); 618 DECLARE_PRINTER(v2_cp); 619 DECLARE_PRINTER(v2_eap); 620 621 static const u_char *ikev2_e_print(netdissect_options *ndo, 622 struct isakmp *base, 623 u_char tpay, 624 const struct isakmp_gen *ext, 625 u_int item_len, 626 const u_char *end_pointer, 627 uint32_t phase, 628 uint32_t doi0, 629 uint32_t proto0, int depth); 630 631 632 static const u_char *ike_sub0_print(netdissect_options *ndo,u_char, const struct isakmp_gen *, 633 const u_char *, uint32_t, uint32_t, uint32_t, int); 634 static const u_char *ikev1_sub_print(netdissect_options *ndo,u_char, const struct isakmp_gen *, 635 const u_char *, uint32_t, uint32_t, uint32_t, int); 636 637 static const u_char *ikev2_sub_print(netdissect_options *ndo, 638 struct isakmp *base, 639 u_char np, const struct isakmp_gen *ext, 640 const u_char *ep, uint32_t phase, 641 uint32_t doi, uint32_t proto, 642 int depth); 643 644 645 static char *numstr(int); 646 647 static void 648 ikev1_print(netdissect_options *ndo, 649 const u_char *bp, u_int length, 650 const u_char *bp2, struct isakmp *base); 651 652 #define MAXINITIATORS 20 653 int ninitiator = 0; 654 union inaddr_u { 655 struct in_addr in4; 656 #ifdef INET6 657 struct in6_addr in6; 658 #endif 659 }; 660 struct { 661 cookie_t initiator; 662 u_int version; 663 union inaddr_u iaddr; 664 union inaddr_u raddr; 665 } cookiecache[MAXINITIATORS]; 666 667 /* protocol id */ 668 static const char *protoidstr[] = { 669 NULL, "isakmp", "ipsec-ah", "ipsec-esp", "ipcomp", 670 }; 671 672 /* isakmp->np */ 673 static const char *npstr[] = { 674 "none", "sa", "p", "t", "ke", "id", "cert", "cr", "hash", /* 0 - 8 */ 675 "sig", "nonce", "n", "d", "vid", /* 9 - 13 */ 676 "pay14", "pay15", "pay16", "pay17", "pay18", /* 14- 18 */ 677 "pay19", "pay20", "pay21", "pay22", "pay23", /* 19- 23 */ 678 "pay24", "pay25", "pay26", "pay27", "pay28", /* 24- 28 */ 679 "pay29", "pay30", "pay31", "pay32", /* 29- 32 */ 680 "v2sa", "v2ke", "v2IDi", "v2IDr", "v2cert",/* 33- 37 */ 681 "v2cr", "v2auth","v2nonce", "v2n", "v2d", /* 38- 42 */ 682 "v2vid", "v2TSi", "v2TSr", "v2e", "v2cp", /* 43- 47 */ 683 "v2eap", /* 48 */ 684 685 }; 686 687 /* isakmp->np */ 688 static const u_char *(*npfunc[])(netdissect_options *ndo, u_char tpay, 689 const struct isakmp_gen *ext, 690 u_int item_len, 691 const u_char *end_pointer, 692 uint32_t phase, 693 uint32_t doi0, 694 uint32_t proto0, int depth) = { 695 NULL, 696 ikev1_sa_print, 697 ikev1_p_print, 698 ikev1_t_print, 699 ikev1_ke_print, 700 ikev1_id_print, 701 ikev1_cert_print, 702 ikev1_cr_print, 703 ikev1_hash_print, 704 ikev1_sig_print, 705 ikev1_nonce_print, 706 ikev1_n_print, 707 ikev1_d_print, 708 ikev1_vid_print, /* 13 */ 709 NULL, NULL, NULL, NULL, NULL, /* 14- 18 */ 710 NULL, NULL, NULL, NULL, NULL, /* 19- 23 */ 711 NULL, NULL, NULL, NULL, NULL, /* 24- 28 */ 712 NULL, NULL, NULL, NULL, /* 29- 32 */ 713 ikev2_sa_print, /* 33 */ 714 ikev2_ke_print, /* 34 */ 715 ikev2_ID_print, /* 35 */ 716 ikev2_ID_print, /* 36 */ 717 ikev2_cert_print, /* 37 */ 718 ikev2_cr_print, /* 38 */ 719 ikev2_auth_print, /* 39 */ 720 ikev2_nonce_print, /* 40 */ 721 ikev2_n_print, /* 41 */ 722 ikev2_d_print, /* 42 */ 723 ikev2_vid_print, /* 43 */ 724 ikev2_TS_print, /* 44 */ 725 ikev2_TS_print, /* 45 */ 726 NULL, /* ikev2_e_print,*/ /* 46 - special */ 727 ikev2_cp_print, /* 47 */ 728 ikev2_eap_print, /* 48 */ 729 }; 730 731 /* isakmp->etype */ 732 static const char *etypestr[] = { 733 /* IKEv1 exchange types */ 734 "none", "base", "ident", "auth", "agg", "inf", NULL, NULL, /* 0-7 */ 735 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 8-15 */ 736 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 16-23 */ 737 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 24-31 */ 738 "oakley-quick", "oakley-newgroup", /* 32-33 */ 739 /* IKEv2 exchange types */ 740 "ikev2_init", "ikev2_auth", "child_sa", "inf2" /* 34-37 */ 741 }; 742 743 #define STR_OR_ID(x, tab) \ 744 (((x) < sizeof(tab)/sizeof(tab[0]) && tab[(x)]) ? tab[(x)] : numstr(x)) 745 #define PROTOIDSTR(x) STR_OR_ID(x, protoidstr) 746 #define NPSTR(x) STR_OR_ID(x, npstr) 747 #define ETYPESTR(x) STR_OR_ID(x, etypestr) 748 749 #define CHECKLEN(p, np) \ 750 if (ep < (u_char *)(p)) { \ 751 ND_PRINT((ndo," [|%s]", NPSTR(np))); \ 752 goto done; \ 753 } 754 755 756 #define NPFUNC(x) \ 757 (((x) < sizeof(npfunc)/sizeof(npfunc[0]) && npfunc[(x)]) \ 758 ? npfunc[(x)] : NULL) 759 760 static int 761 iszero(u_char *p, size_t l) 762 { 763 while (l--) { 764 if (*p++) 765 return 0; 766 } 767 return 1; 768 } 769 770 /* find cookie from initiator cache */ 771 static int 772 cookie_find(cookie_t *in) 773 { 774 int i; 775 776 for (i = 0; i < MAXINITIATORS; i++) { 777 if (memcmp(in, &cookiecache[i].initiator, sizeof(*in)) == 0) 778 return i; 779 } 780 781 return -1; 782 } 783 784 /* record initiator */ 785 static void 786 cookie_record(cookie_t *in, const u_char *bp2) 787 { 788 int i; 789 struct ip *ip; 790 #ifdef INET6 791 struct ip6_hdr *ip6; 792 #endif 793 794 i = cookie_find(in); 795 if (0 <= i) { 796 ninitiator = (i + 1) % MAXINITIATORS; 797 return; 798 } 799 800 ip = (struct ip *)bp2; 801 switch (IP_V(ip)) { 802 case 4: 803 cookiecache[ninitiator].version = 4; 804 UNALIGNED_MEMCPY(&cookiecache[ninitiator].iaddr.in4, &ip->ip_src, sizeof(struct in_addr)); 805 UNALIGNED_MEMCPY(&cookiecache[ninitiator].raddr.in4, &ip->ip_dst, sizeof(struct in_addr)); 806 break; 807 #ifdef INET6 808 case 6: 809 ip6 = (struct ip6_hdr *)bp2; 810 cookiecache[ninitiator].version = 6; 811 UNALIGNED_MEMCPY(&cookiecache[ninitiator].iaddr.in6, &ip6->ip6_src, sizeof(struct in6_addr)); 812 UNALIGNED_MEMCPY(&cookiecache[ninitiator].raddr.in6, &ip6->ip6_dst, sizeof(struct in6_addr)); 813 break; 814 #endif 815 default: 816 return; 817 } 818 UNALIGNED_MEMCPY(&cookiecache[ninitiator].initiator, in, sizeof(*in)); 819 ninitiator = (ninitiator + 1) % MAXINITIATORS; 820 } 821 822 #define cookie_isinitiator(x, y) cookie_sidecheck((x), (y), 1) 823 #define cookie_isresponder(x, y) cookie_sidecheck((x), (y), 0) 824 static int 825 cookie_sidecheck(int i, const u_char *bp2, int initiator) 826 { 827 struct ip *ip; 828 #ifdef INET6 829 struct ip6_hdr *ip6; 830 #endif 831 832 ip = (struct ip *)bp2; 833 switch (IP_V(ip)) { 834 case 4: 835 if (cookiecache[i].version != 4) 836 return 0; 837 if (initiator) { 838 if (UNALIGNED_MEMCMP(&ip->ip_src, &cookiecache[i].iaddr.in4, sizeof(struct in_addr)) == 0) 839 return 1; 840 } else { 841 if (UNALIGNED_MEMCMP(&ip->ip_src, &cookiecache[i].raddr.in4, sizeof(struct in_addr)) == 0) 842 return 1; 843 } 844 break; 845 #ifdef INET6 846 case 6: 847 if (cookiecache[i].version != 6) 848 return 0; 849 ip6 = (struct ip6_hdr *)bp2; 850 if (initiator) { 851 if (UNALIGNED_MEMCMP(&ip6->ip6_src, &cookiecache[i].iaddr.in6, sizeof(struct in6_addr)) == 0) 852 return 1; 853 } else { 854 if (UNALIGNED_MEMCMP(&ip6->ip6_src, &cookiecache[i].raddr.in6, sizeof(struct in6_addr)) == 0) 855 return 1; 856 } 857 break; 858 #endif /* INET6 */ 859 default: 860 break; 861 } 862 863 return 0; 864 } 865 866 static void 867 hexprint(netdissect_options *ndo, caddr_t loc, size_t len) 868 { 869 u_char *p; 870 size_t i; 871 872 p = (u_char *)loc; 873 for (i = 0; i < len; i++) 874 ND_PRINT((ndo,"%02x", p[i] & 0xff)); 875 } 876 877 static int 878 rawprint(netdissect_options *ndo, caddr_t loc, size_t len) 879 { 880 ND_TCHECK2(*loc, len); 881 882 hexprint(ndo, loc, len); 883 return 1; 884 trunc: 885 return 0; 886 } 887 888 889 /* 890 * returns false if we run out of data buffer 891 */ 892 static int ike_show_somedata(netdissect_options *ndo, 893 const u_char *cp, const u_char *ep) 894 { 895 /* there is too much data, just show some of it */ 896 const u_char *end = ep - 20; 897 int elen = 20; 898 int len = ep - cp; 899 if(len > 10) { 900 len = 10; 901 } 902 903 /* really shouldn't happen because of above */ 904 if(end < cp + len) { 905 end = cp+len; 906 elen = ep - end; 907 } 908 909 ND_PRINT((ndo," data=(")); 910 if(!rawprint(ndo, (caddr_t)(cp), len)) goto trunc; 911 ND_PRINT((ndo, "...")); 912 if(elen) { 913 if(!rawprint(ndo, (caddr_t)(end), elen)) goto trunc; 914 } 915 ND_PRINT((ndo,")")); 916 return 1; 917 918 trunc: 919 return 0; 920 } 921 922 struct attrmap { 923 const char *type; 924 u_int nvalue; 925 const char *value[30]; /*XXX*/ 926 }; 927 928 static const u_char * 929 ikev1_attrmap_print(netdissect_options *ndo, 930 const u_char *p, const u_char *ep, 931 const struct attrmap *map, size_t nmap) 932 { 933 int totlen; 934 uint32_t t, v; 935 936 if (p[0] & 0x80) 937 totlen = 4; 938 else 939 totlen = 4 + EXTRACT_16BITS(&p[2]); 940 if (ep < p + totlen) { 941 ND_PRINT((ndo,"[|attr]")); 942 return ep + 1; 943 } 944 945 ND_PRINT((ndo,"(")); 946 t = EXTRACT_16BITS(&p[0]) & 0x7fff; 947 if (map && t < nmap && map[t].type) 948 ND_PRINT((ndo,"type=%s ", map[t].type)); 949 else 950 ND_PRINT((ndo,"type=#%d ", t)); 951 if (p[0] & 0x80) { 952 ND_PRINT((ndo,"value=")); 953 v = EXTRACT_16BITS(&p[2]); 954 if (map && t < nmap && v < map[t].nvalue && map[t].value[v]) 955 ND_PRINT((ndo,"%s", map[t].value[v])); 956 else 957 rawprint(ndo, (caddr_t)&p[2], 2); 958 } else { 959 ND_PRINT((ndo,"len=%d value=", EXTRACT_16BITS(&p[2]))); 960 rawprint(ndo, (caddr_t)&p[4], EXTRACT_16BITS(&p[2])); 961 } 962 ND_PRINT((ndo,")")); 963 return p + totlen; 964 } 965 966 static const u_char * 967 ikev1_attr_print(netdissect_options *ndo, const u_char *p, const u_char *ep) 968 { 969 int totlen; 970 uint32_t t; 971 972 if (p[0] & 0x80) 973 totlen = 4; 974 else 975 totlen = 4 + EXTRACT_16BITS(&p[2]); 976 if (ep < p + totlen) { 977 ND_PRINT((ndo,"[|attr]")); 978 return ep + 1; 979 } 980 981 ND_PRINT((ndo,"(")); 982 t = EXTRACT_16BITS(&p[0]) & 0x7fff; 983 ND_PRINT((ndo,"type=#%d ", t)); 984 if (p[0] & 0x80) { 985 ND_PRINT((ndo,"value=")); 986 t = p[2]; 987 rawprint(ndo, (caddr_t)&p[2], 2); 988 } else { 989 ND_PRINT((ndo,"len=%d value=", EXTRACT_16BITS(&p[2]))); 990 rawprint(ndo, (caddr_t)&p[4], EXTRACT_16BITS(&p[2])); 991 } 992 ND_PRINT((ndo,")")); 993 return p + totlen; 994 } 995 996 static const u_char * 997 ikev1_sa_print(netdissect_options *ndo, u_char tpay _U_, 998 const struct isakmp_gen *ext, 999 u_int item_len _U_, 1000 const u_char *ep, uint32_t phase, uint32_t doi0 _U_, 1001 uint32_t proto0, int depth) 1002 { 1003 const struct ikev1_pl_sa *p; 1004 struct ikev1_pl_sa sa; 1005 uint32_t doi, sit, ident; 1006 const u_char *cp, *np; 1007 int t; 1008 1009 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_SA))); 1010 1011 p = (struct ikev1_pl_sa *)ext; 1012 ND_TCHECK(*p); 1013 UNALIGNED_MEMCPY(&sa, ext, sizeof(sa)); 1014 doi = ntohl(sa.doi); 1015 sit = ntohl(sa.sit); 1016 if (doi != 1) { 1017 ND_PRINT((ndo," doi=%d", doi)); 1018 ND_PRINT((ndo," situation=%u", (uint32_t)ntohl(sa.sit))); 1019 return (u_char *)(p + 1); 1020 } 1021 1022 ND_PRINT((ndo," doi=ipsec")); 1023 ND_PRINT((ndo," situation=")); 1024 t = 0; 1025 if (sit & 0x01) { 1026 ND_PRINT((ndo,"identity")); 1027 t++; 1028 } 1029 if (sit & 0x02) { 1030 ND_PRINT((ndo,"%ssecrecy", t ? "+" : "")); 1031 t++; 1032 } 1033 if (sit & 0x04) 1034 ND_PRINT((ndo,"%sintegrity", t ? "+" : "")); 1035 1036 np = (u_char *)ext + sizeof(sa); 1037 if (sit != 0x01) { 1038 ND_TCHECK2(*(ext + 1), sizeof(ident)); 1039 UNALIGNED_MEMCPY(&ident, ext + 1, sizeof(ident)); 1040 ND_PRINT((ndo," ident=%u", (uint32_t)ntohl(ident))); 1041 np += sizeof(ident); 1042 } 1043 1044 ext = (struct isakmp_gen *)np; 1045 ND_TCHECK(*ext); 1046 1047 cp = ikev1_sub_print(ndo, ISAKMP_NPTYPE_P, ext, ep, phase, doi, proto0, 1048 depth); 1049 1050 return cp; 1051 trunc: 1052 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_SA))); 1053 return NULL; 1054 } 1055 1056 static const u_char * 1057 ikev1_p_print(netdissect_options *ndo, u_char tpay _U_, 1058 const struct isakmp_gen *ext, u_int item_len _U_, 1059 const u_char *ep, uint32_t phase, uint32_t doi0, 1060 uint32_t proto0 _U_, int depth) 1061 { 1062 const struct ikev1_pl_p *p; 1063 struct ikev1_pl_p prop; 1064 const u_char *cp; 1065 1066 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_P))); 1067 1068 p = (struct ikev1_pl_p *)ext; 1069 ND_TCHECK(*p); 1070 UNALIGNED_MEMCPY(&prop, ext, sizeof(prop)); 1071 ND_PRINT((ndo," #%d protoid=%s transform=%d", 1072 prop.p_no, PROTOIDSTR(prop.prot_id), prop.num_t)); 1073 if (prop.spi_size) { 1074 ND_PRINT((ndo," spi=")); 1075 if (!rawprint(ndo, (caddr_t)(p + 1), prop.spi_size)) 1076 goto trunc; 1077 } 1078 1079 ext = (struct isakmp_gen *)((u_char *)(p + 1) + prop.spi_size); 1080 ND_TCHECK(*ext); 1081 1082 cp = ikev1_sub_print(ndo, ISAKMP_NPTYPE_T, ext, ep, phase, doi0, 1083 prop.prot_id, depth); 1084 1085 return cp; 1086 trunc: 1087 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_P))); 1088 return NULL; 1089 } 1090 1091 static const char *ikev1_p_map[] = { 1092 NULL, "ike", 1093 }; 1094 1095 static const char *ikev2_t_type_map[]={ 1096 NULL, "encr", "prf", "integ", "dh", "esn" 1097 }; 1098 1099 static const char *ah_p_map[] = { 1100 NULL, "(reserved)", "md5", "sha", "1des", 1101 "sha2-256", "sha2-384", "sha2-512", 1102 }; 1103 1104 static const char *prf_p_map[] = { 1105 NULL, "hmac-md5", "hmac-sha", "hmac-tiger", 1106 "aes128_xcbc" 1107 }; 1108 1109 static const char *integ_p_map[] = { 1110 NULL, "hmac-md5", "hmac-sha", "dec-mac", 1111 "kpdk-md5", "aes-xcbc" 1112 }; 1113 1114 static const char *esn_p_map[] = { 1115 "no-esn", "esn" 1116 }; 1117 1118 static const char *dh_p_map[] = { 1119 NULL, "modp768", 1120 "modp1024", /* group 2 */ 1121 "EC2N 2^155", /* group 3 */ 1122 "EC2N 2^185", /* group 4 */ 1123 "modp1536", /* group 5 */ 1124 "iana-grp06", "iana-grp07", /* reserved */ 1125 "iana-grp08", "iana-grp09", 1126 "iana-grp10", "iana-grp11", 1127 "iana-grp12", "iana-grp13", 1128 "modp2048", /* group 14 */ 1129 "modp3072", /* group 15 */ 1130 "modp4096", /* group 16 */ 1131 "modp6144", /* group 17 */ 1132 "modp8192", /* group 18 */ 1133 }; 1134 1135 static const char *esp_p_map[] = { 1136 NULL, "1des-iv64", "1des", "3des", "rc5", "idea", "cast", 1137 "blowfish", "3idea", "1des-iv32", "rc4", "null", "aes" 1138 }; 1139 1140 static const char *ipcomp_p_map[] = { 1141 NULL, "oui", "deflate", "lzs", 1142 }; 1143 1144 static const struct attrmap ipsec_t_map[] = { 1145 { NULL, 0, { NULL } }, 1146 { "lifetype", 3, { NULL, "sec", "kb", }, }, 1147 { "life", 0, { NULL } }, 1148 { "group desc", 18, { NULL, "modp768", 1149 "modp1024", /* group 2 */ 1150 "EC2N 2^155", /* group 3 */ 1151 "EC2N 2^185", /* group 4 */ 1152 "modp1536", /* group 5 */ 1153 "iana-grp06", "iana-grp07", /* reserved */ 1154 "iana-grp08", "iana-grp09", 1155 "iana-grp10", "iana-grp11", 1156 "iana-grp12", "iana-grp13", 1157 "modp2048", /* group 14 */ 1158 "modp3072", /* group 15 */ 1159 "modp4096", /* group 16 */ 1160 "modp6144", /* group 17 */ 1161 "modp8192", /* group 18 */ 1162 }, }, 1163 { "enc mode", 3, { NULL, "tunnel", "transport", }, }, 1164 { "auth", 5, { NULL, "hmac-md5", "hmac-sha1", "1des-mac", "keyed", }, }, 1165 { "keylen", 0, { NULL } }, 1166 { "rounds", 0, { NULL } }, 1167 { "dictsize", 0, { NULL } }, 1168 { "privalg", 0, { NULL } }, 1169 }; 1170 1171 static const struct attrmap encr_t_map[] = { 1172 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 0, 1 */ 1173 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 2, 3 */ 1174 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 4, 5 */ 1175 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 6, 7 */ 1176 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 8, 9 */ 1177 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 10,11*/ 1178 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 12,13*/ 1179 { "keylen", 14, { NULL }}, 1180 }; 1181 1182 static const struct attrmap oakley_t_map[] = { 1183 { NULL, 0, { NULL } }, 1184 { "enc", 8, { NULL, "1des", "idea", "blowfish", "rc5", 1185 "3des", "cast", "aes", }, }, 1186 { "hash", 7, { NULL, "md5", "sha1", "tiger", 1187 "sha2-256", "sha2-384", "sha2-512", }, }, 1188 { "auth", 6, { NULL, "preshared", "dss", "rsa sig", "rsa enc", 1189 "rsa enc revised", }, }, 1190 { "group desc", 18, { NULL, "modp768", 1191 "modp1024", /* group 2 */ 1192 "EC2N 2^155", /* group 3 */ 1193 "EC2N 2^185", /* group 4 */ 1194 "modp1536", /* group 5 */ 1195 "iana-grp06", "iana-grp07", /* reserved */ 1196 "iana-grp08", "iana-grp09", 1197 "iana-grp10", "iana-grp11", 1198 "iana-grp12", "iana-grp13", 1199 "modp2048", /* group 14 */ 1200 "modp3072", /* group 15 */ 1201 "modp4096", /* group 16 */ 1202 "modp6144", /* group 17 */ 1203 "modp8192", /* group 18 */ 1204 }, }, 1205 { "group type", 4, { NULL, "MODP", "ECP", "EC2N", }, }, 1206 { "group prime", 0, { NULL } }, 1207 { "group gen1", 0, { NULL } }, 1208 { "group gen2", 0, { NULL } }, 1209 { "group curve A", 0, { NULL } }, 1210 { "group curve B", 0, { NULL } }, 1211 { "lifetype", 3, { NULL, "sec", "kb", }, }, 1212 { "lifeduration", 0, { NULL } }, 1213 { "prf", 0, { NULL } }, 1214 { "keylen", 0, { NULL } }, 1215 { "field", 0, { NULL } }, 1216 { "order", 0, { NULL } }, 1217 }; 1218 1219 static const u_char * 1220 ikev1_t_print(netdissect_options *ndo, u_char tpay _U_, 1221 const struct isakmp_gen *ext, u_int item_len, 1222 const u_char *ep, uint32_t phase _U_, uint32_t doi _U_, 1223 uint32_t proto, int depth _U_) 1224 { 1225 const struct ikev1_pl_t *p; 1226 struct ikev1_pl_t t; 1227 const u_char *cp; 1228 const char *idstr; 1229 const struct attrmap *map; 1230 size_t nmap; 1231 const u_char *ep2; 1232 1233 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_T))); 1234 1235 p = (struct ikev1_pl_t *)ext; 1236 ND_TCHECK(*p); 1237 UNALIGNED_MEMCPY(&t, ext, sizeof(t)); 1238 1239 switch (proto) { 1240 case 1: 1241 idstr = STR_OR_ID(t.t_id, ikev1_p_map); 1242 map = oakley_t_map; 1243 nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]); 1244 break; 1245 case 2: 1246 idstr = STR_OR_ID(t.t_id, ah_p_map); 1247 map = ipsec_t_map; 1248 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]); 1249 break; 1250 case 3: 1251 idstr = STR_OR_ID(t.t_id, esp_p_map); 1252 map = ipsec_t_map; 1253 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]); 1254 break; 1255 case 4: 1256 idstr = STR_OR_ID(t.t_id, ipcomp_p_map); 1257 map = ipsec_t_map; 1258 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]); 1259 break; 1260 default: 1261 idstr = NULL; 1262 map = NULL; 1263 nmap = 0; 1264 break; 1265 } 1266 1267 if (idstr) 1268 ND_PRINT((ndo," #%d id=%s ", t.t_no, idstr)); 1269 else 1270 ND_PRINT((ndo," #%d id=%d ", t.t_no, t.t_id)); 1271 cp = (u_char *)(p + 1); 1272 ep2 = (u_char *)p + item_len; 1273 while (cp < ep && cp < ep2) { 1274 if (map && nmap) { 1275 cp = ikev1_attrmap_print(ndo, cp, (ep < ep2) ? ep : ep2, 1276 map, nmap); 1277 } else 1278 cp = ikev1_attr_print(ndo, cp, (ep < ep2) ? ep : ep2); 1279 } 1280 if (ep < ep2) 1281 ND_PRINT((ndo,"...")); 1282 return cp; 1283 trunc: 1284 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_T))); 1285 return NULL; 1286 } 1287 1288 static const u_char * 1289 ikev1_ke_print(netdissect_options *ndo, u_char tpay _U_, 1290 const struct isakmp_gen *ext, u_int item_len _U_, 1291 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_, 1292 uint32_t proto _U_, int depth _U_) 1293 { 1294 struct isakmp_gen e; 1295 1296 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_KE))); 1297 1298 ND_TCHECK(*ext); 1299 UNALIGNED_MEMCPY(&e, ext, sizeof(e)); 1300 ND_PRINT((ndo," key len=%d", ntohs(e.len) - 4)); 1301 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) { 1302 ND_PRINT((ndo," ")); 1303 if (!rawprint(ndo, (caddr_t)(ext + 1), ntohs(e.len) - 4)) 1304 goto trunc; 1305 } 1306 return (u_char *)ext + ntohs(e.len); 1307 trunc: 1308 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_KE))); 1309 return NULL; 1310 } 1311 1312 static const u_char * 1313 ikev1_id_print(netdissect_options *ndo, u_char tpay _U_, 1314 const struct isakmp_gen *ext, u_int item_len, 1315 const u_char *ep _U_, uint32_t phase, uint32_t doi _U_, 1316 uint32_t proto _U_, int depth _U_) 1317 { 1318 #define USE_IPSECDOI_IN_PHASE1 1 1319 const struct ikev1_pl_id *p; 1320 struct ikev1_pl_id id; 1321 static const char *idtypestr[] = { 1322 "IPv4", "IPv4net", "IPv6", "IPv6net", 1323 }; 1324 static const char *ipsecidtypestr[] = { 1325 NULL, "IPv4", "FQDN", "user FQDN", "IPv4net", "IPv6", 1326 "IPv6net", "IPv4range", "IPv6range", "ASN1 DN", "ASN1 GN", 1327 "keyid", 1328 }; 1329 int len; 1330 const u_char *data; 1331 1332 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_ID))); 1333 1334 p = (struct ikev1_pl_id *)ext; 1335 ND_TCHECK(*p); 1336 UNALIGNED_MEMCPY(&id, ext, sizeof(id)); 1337 if (sizeof(*p) < item_len) { 1338 data = (u_char *)(p + 1); 1339 len = item_len - sizeof(*p); 1340 } else { 1341 data = NULL; 1342 len = 0; 1343 } 1344 1345 #if 0 /*debug*/ 1346 ND_PRINT((ndo," [phase=%d doi=%d proto=%d]", phase, doi, proto)); 1347 #endif 1348 switch (phase) { 1349 #ifndef USE_IPSECDOI_IN_PHASE1 1350 case 1: 1351 #endif 1352 default: 1353 ND_PRINT((ndo," idtype=%s", STR_OR_ID(id.d.id_type, idtypestr))); 1354 ND_PRINT((ndo," doi_data=%u", 1355 (uint32_t)(ntohl(id.d.doi_data) & 0xffffff))); 1356 break; 1357 1358 #ifdef USE_IPSECDOI_IN_PHASE1 1359 case 1: 1360 #endif 1361 case 2: 1362 { 1363 const struct ipsecdoi_id *p; 1364 struct ipsecdoi_id id; 1365 struct protoent *pe; 1366 1367 p = (struct ipsecdoi_id *)ext; 1368 ND_TCHECK(*p); 1369 UNALIGNED_MEMCPY(&id, ext, sizeof(id)); 1370 ND_PRINT((ndo," idtype=%s", STR_OR_ID(id.type, ipsecidtypestr))); 1371 /* A protocol ID of 0 DOES NOT mean IPPROTO_IP! */ 1372 pe = id.proto_id ? getprotobynumber(id.proto_id) : NULL; 1373 if (pe) 1374 ND_PRINT((ndo," protoid=%s", pe->p_name)); 1375 else 1376 ND_PRINT((ndo," protoid=%u", id.proto_id)); 1377 ND_PRINT((ndo," port=%d", ntohs(id.port))); 1378 if (!len) 1379 break; 1380 if (data == NULL) 1381 goto trunc; 1382 ND_TCHECK2(*data, len); 1383 switch (id.type) { 1384 case IPSECDOI_ID_IPV4_ADDR: 1385 if (len < 4) 1386 ND_PRINT((ndo," len=%d [bad: < 4]", len)); 1387 else 1388 ND_PRINT((ndo," len=%d %s", len, ipaddr_string(ndo, data))); 1389 len = 0; 1390 break; 1391 case IPSECDOI_ID_FQDN: 1392 case IPSECDOI_ID_USER_FQDN: 1393 { 1394 int i; 1395 ND_PRINT((ndo," len=%d ", len)); 1396 for (i = 0; i < len; i++) 1397 safeputchar(ndo, data[i]); 1398 len = 0; 1399 break; 1400 } 1401 case IPSECDOI_ID_IPV4_ADDR_SUBNET: 1402 { 1403 const u_char *mask; 1404 if (len < 8) 1405 ND_PRINT((ndo," len=%d [bad: < 8]", len)); 1406 else { 1407 mask = data + sizeof(struct in_addr); 1408 ND_PRINT((ndo," len=%d %s/%u.%u.%u.%u", len, 1409 ipaddr_string(ndo, data), 1410 mask[0], mask[1], mask[2], mask[3])); 1411 } 1412 len = 0; 1413 break; 1414 } 1415 #ifdef INET6 1416 case IPSECDOI_ID_IPV6_ADDR: 1417 if (len < 16) 1418 ND_PRINT((ndo," len=%d [bad: < 16]", len)); 1419 else 1420 ND_PRINT((ndo," len=%d %s", len, ip6addr_string(ndo, data))); 1421 len = 0; 1422 break; 1423 case IPSECDOI_ID_IPV6_ADDR_SUBNET: 1424 { 1425 const u_char *mask; 1426 if (len < 20) 1427 ND_PRINT((ndo," len=%d [bad: < 20]", len)); 1428 else { 1429 mask = (u_char *)(data + sizeof(struct in6_addr)); 1430 /*XXX*/ 1431 ND_PRINT((ndo," len=%d %s/0x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x", len, 1432 ip6addr_string(ndo, data), 1433 mask[0], mask[1], mask[2], mask[3], 1434 mask[4], mask[5], mask[6], mask[7], 1435 mask[8], mask[9], mask[10], mask[11], 1436 mask[12], mask[13], mask[14], mask[15])); 1437 } 1438 len = 0; 1439 break; 1440 } 1441 #endif /*INET6*/ 1442 case IPSECDOI_ID_IPV4_ADDR_RANGE: 1443 if (len < 8) 1444 ND_PRINT((ndo," len=%d [bad: < 8]", len)); 1445 else { 1446 ND_PRINT((ndo," len=%d %s-%s", len, 1447 ipaddr_string(ndo, data), 1448 ipaddr_string(ndo, data + sizeof(struct in_addr)))); 1449 } 1450 len = 0; 1451 break; 1452 #ifdef INET6 1453 case IPSECDOI_ID_IPV6_ADDR_RANGE: 1454 if (len < 32) 1455 ND_PRINT((ndo," len=%d [bad: < 32]", len)); 1456 else { 1457 ND_PRINT((ndo," len=%d %s-%s", len, 1458 ip6addr_string(ndo, data), 1459 ip6addr_string(ndo, data + sizeof(struct in6_addr)))); 1460 } 1461 len = 0; 1462 break; 1463 #endif /*INET6*/ 1464 case IPSECDOI_ID_DER_ASN1_DN: 1465 case IPSECDOI_ID_DER_ASN1_GN: 1466 case IPSECDOI_ID_KEY_ID: 1467 break; 1468 } 1469 break; 1470 } 1471 } 1472 if (data && len) { 1473 ND_PRINT((ndo," len=%d", len)); 1474 if (2 < ndo->ndo_vflag) { 1475 ND_PRINT((ndo," ")); 1476 if (!rawprint(ndo, (caddr_t)data, len)) 1477 goto trunc; 1478 } 1479 } 1480 return (u_char *)ext + item_len; 1481 trunc: 1482 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_ID))); 1483 return NULL; 1484 } 1485 1486 static const u_char * 1487 ikev1_cert_print(netdissect_options *ndo, u_char tpay _U_, 1488 const struct isakmp_gen *ext, u_int item_len _U_, 1489 const u_char *ep _U_, uint32_t phase _U_, 1490 uint32_t doi0 _U_, 1491 uint32_t proto0 _U_, int depth _U_) 1492 { 1493 const struct ikev1_pl_cert *p; 1494 struct ikev1_pl_cert cert; 1495 static const char *certstr[] = { 1496 "none", "pkcs7", "pgp", "dns", 1497 "x509sign", "x509ke", "kerberos", "crl", 1498 "arl", "spki", "x509attr", 1499 }; 1500 1501 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_CERT))); 1502 1503 p = (struct ikev1_pl_cert *)ext; 1504 ND_TCHECK(*p); 1505 UNALIGNED_MEMCPY(&cert, ext, sizeof(cert)); 1506 ND_PRINT((ndo," len=%d", item_len - 4)); 1507 ND_PRINT((ndo," type=%s", STR_OR_ID((cert.encode), certstr))); 1508 if (2 < ndo->ndo_vflag && 4 < item_len) { 1509 ND_PRINT((ndo," ")); 1510 if (!rawprint(ndo, (caddr_t)(ext + 1), item_len - 4)) 1511 goto trunc; 1512 } 1513 return (u_char *)ext + item_len; 1514 trunc: 1515 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_CERT))); 1516 return NULL; 1517 } 1518 1519 static const u_char * 1520 ikev1_cr_print(netdissect_options *ndo, u_char tpay _U_, 1521 const struct isakmp_gen *ext, u_int item_len _U_, 1522 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi0 _U_, 1523 uint32_t proto0 _U_, int depth _U_) 1524 { 1525 const struct ikev1_pl_cert *p; 1526 struct ikev1_pl_cert cert; 1527 static const char *certstr[] = { 1528 "none", "pkcs7", "pgp", "dns", 1529 "x509sign", "x509ke", "kerberos", "crl", 1530 "arl", "spki", "x509attr", 1531 }; 1532 1533 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_CR))); 1534 1535 p = (struct ikev1_pl_cert *)ext; 1536 ND_TCHECK(*p); 1537 UNALIGNED_MEMCPY(&cert, ext, sizeof(cert)); 1538 ND_PRINT((ndo," len=%d", item_len - 4)); 1539 ND_PRINT((ndo," type=%s", STR_OR_ID((cert.encode), certstr))); 1540 if (2 < ndo->ndo_vflag && 4 < item_len) { 1541 ND_PRINT((ndo," ")); 1542 if (!rawprint(ndo, (caddr_t)(ext + 1), item_len - 4)) 1543 goto trunc; 1544 } 1545 return (u_char *)ext + item_len; 1546 trunc: 1547 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_CR))); 1548 return NULL; 1549 } 1550 1551 static const u_char * 1552 ikev1_hash_print(netdissect_options *ndo, u_char tpay _U_, 1553 const struct isakmp_gen *ext, u_int item_len _U_, 1554 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_, 1555 uint32_t proto _U_, int depth _U_) 1556 { 1557 struct isakmp_gen e; 1558 1559 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_HASH))); 1560 1561 ND_TCHECK(*ext); 1562 UNALIGNED_MEMCPY(&e, ext, sizeof(e)); 1563 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4)); 1564 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) { 1565 ND_PRINT((ndo," ")); 1566 if (!rawprint(ndo, (caddr_t)(ext + 1), ntohs(e.len) - 4)) 1567 goto trunc; 1568 } 1569 return (u_char *)ext + ntohs(e.len); 1570 trunc: 1571 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_HASH))); 1572 return NULL; 1573 } 1574 1575 static const u_char * 1576 ikev1_sig_print(netdissect_options *ndo, u_char tpay _U_, 1577 const struct isakmp_gen *ext, u_int item_len _U_, 1578 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_, 1579 uint32_t proto _U_, int depth _U_) 1580 { 1581 struct isakmp_gen e; 1582 1583 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_SIG))); 1584 1585 ND_TCHECK(*ext); 1586 UNALIGNED_MEMCPY(&e, ext, sizeof(e)); 1587 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4)); 1588 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) { 1589 ND_PRINT((ndo," ")); 1590 if (!rawprint(ndo, (caddr_t)(ext + 1), ntohs(e.len) - 4)) 1591 goto trunc; 1592 } 1593 return (u_char *)ext + ntohs(e.len); 1594 trunc: 1595 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_SIG))); 1596 return NULL; 1597 } 1598 1599 static const u_char * 1600 ikev1_nonce_print(netdissect_options *ndo, u_char tpay _U_, 1601 const struct isakmp_gen *ext, 1602 u_int item_len _U_, 1603 const u_char *ep _U_, 1604 uint32_t phase _U_, uint32_t doi _U_, 1605 uint32_t proto _U_, int depth _U_) 1606 { 1607 struct isakmp_gen e; 1608 1609 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_NONCE))); 1610 1611 ND_TCHECK(*ext); 1612 UNALIGNED_MEMCPY(&e, ext, sizeof(e)); 1613 ND_PRINT((ndo," n len=%d", ntohs(e.len) - 4)); 1614 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) { 1615 ND_PRINT((ndo," ")); 1616 if (!rawprint(ndo, (caddr_t)(ext + 1), ntohs(e.len) - 4)) 1617 goto trunc; 1618 } else if (1 < ndo->ndo_vflag && 4 < ntohs(e.len)) { 1619 ND_PRINT((ndo," ")); 1620 if (!ike_show_somedata(ndo, (u_char *)(caddr_t)(ext + 1), ep)) 1621 goto trunc; 1622 } 1623 return (u_char *)ext + ntohs(e.len); 1624 trunc: 1625 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_NONCE))); 1626 return NULL; 1627 } 1628 1629 static const u_char * 1630 ikev1_n_print(netdissect_options *ndo, u_char tpay _U_, 1631 const struct isakmp_gen *ext, u_int item_len, 1632 const u_char *ep, uint32_t phase, uint32_t doi0 _U_, 1633 uint32_t proto0 _U_, int depth) 1634 { 1635 struct ikev1_pl_n *p, n; 1636 const u_char *cp; 1637 u_char *ep2; 1638 uint32_t doi; 1639 uint32_t proto; 1640 static const char *notify_error_str[] = { 1641 NULL, "INVALID-PAYLOAD-TYPE", 1642 "DOI-NOT-SUPPORTED", "SITUATION-NOT-SUPPORTED", 1643 "INVALID-COOKIE", "INVALID-MAJOR-VERSION", 1644 "INVALID-MINOR-VERSION", "INVALID-EXCHANGE-TYPE", 1645 "INVALID-FLAGS", "INVALID-MESSAGE-ID", 1646 "INVALID-PROTOCOL-ID", "INVALID-SPI", 1647 "INVALID-TRANSFORM-ID", "ATTRIBUTES-NOT-SUPPORTED", 1648 "NO-PROPOSAL-CHOSEN", "BAD-PROPOSAL-SYNTAX", 1649 "PAYLOAD-MALFORMED", "INVALID-KEY-INFORMATION", 1650 "INVALID-ID-INFORMATION", "INVALID-CERT-ENCODING", 1651 "INVALID-CERTIFICATE", "CERT-TYPE-UNSUPPORTED", 1652 "INVALID-CERT-AUTHORITY", "INVALID-HASH-INFORMATION", 1653 "AUTHENTICATION-FAILED", "INVALID-SIGNATURE", 1654 "ADDRESS-NOTIFICATION", "NOTIFY-SA-LIFETIME", 1655 "CERTIFICATE-UNAVAILABLE", "UNSUPPORTED-EXCHANGE-TYPE", 1656 "UNEQUAL-PAYLOAD-LENGTHS", 1657 }; 1658 static const char *ipsec_notify_error_str[] = { 1659 "RESERVED", 1660 }; 1661 static const char *notify_status_str[] = { 1662 "CONNECTED", 1663 }; 1664 static const char *ipsec_notify_status_str[] = { 1665 "RESPONDER-LIFETIME", "REPLAY-STATUS", 1666 "INITIAL-CONTACT", 1667 }; 1668 /* NOTE: these macro must be called with x in proper range */ 1669 1670 /* 0 - 8191 */ 1671 #define NOTIFY_ERROR_STR(x) \ 1672 STR_OR_ID((x), notify_error_str) 1673 1674 /* 8192 - 16383 */ 1675 #define IPSEC_NOTIFY_ERROR_STR(x) \ 1676 STR_OR_ID((u_int)((x) - 8192), ipsec_notify_error_str) 1677 1678 /* 16384 - 24575 */ 1679 #define NOTIFY_STATUS_STR(x) \ 1680 STR_OR_ID((u_int)((x) - 16384), notify_status_str) 1681 1682 /* 24576 - 32767 */ 1683 #define IPSEC_NOTIFY_STATUS_STR(x) \ 1684 STR_OR_ID((u_int)((x) - 24576), ipsec_notify_status_str) 1685 1686 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_N))); 1687 1688 p = (struct ikev1_pl_n *)ext; 1689 ND_TCHECK(*p); 1690 UNALIGNED_MEMCPY(&n, ext, sizeof(n)); 1691 doi = ntohl(n.doi); 1692 proto = n.prot_id; 1693 if (doi != 1) { 1694 ND_PRINT((ndo," doi=%d", doi)); 1695 ND_PRINT((ndo," proto=%d", proto)); 1696 if (ntohs(n.type) < 8192) 1697 ND_PRINT((ndo," type=%s", NOTIFY_ERROR_STR(ntohs(n.type)))); 1698 else if (ntohs(n.type) < 16384) 1699 ND_PRINT((ndo," type=%s", numstr(ntohs(n.type)))); 1700 else if (ntohs(n.type) < 24576) 1701 ND_PRINT((ndo," type=%s", NOTIFY_STATUS_STR(ntohs(n.type)))); 1702 else 1703 ND_PRINT((ndo," type=%s", numstr(ntohs(n.type)))); 1704 if (n.spi_size) { 1705 ND_PRINT((ndo," spi=")); 1706 if (!rawprint(ndo, (caddr_t)(p + 1), n.spi_size)) 1707 goto trunc; 1708 } 1709 return (u_char *)(p + 1) + n.spi_size; 1710 } 1711 1712 ND_PRINT((ndo," doi=ipsec")); 1713 ND_PRINT((ndo," proto=%s", PROTOIDSTR(proto))); 1714 if (ntohs(n.type) < 8192) 1715 ND_PRINT((ndo," type=%s", NOTIFY_ERROR_STR(ntohs(n.type)))); 1716 else if (ntohs(n.type) < 16384) 1717 ND_PRINT((ndo," type=%s", IPSEC_NOTIFY_ERROR_STR(ntohs(n.type)))); 1718 else if (ntohs(n.type) < 24576) 1719 ND_PRINT((ndo," type=%s", NOTIFY_STATUS_STR(ntohs(n.type)))); 1720 else if (ntohs(n.type) < 32768) 1721 ND_PRINT((ndo," type=%s", IPSEC_NOTIFY_STATUS_STR(ntohs(n.type)))); 1722 else 1723 ND_PRINT((ndo," type=%s", numstr(ntohs(n.type)))); 1724 if (n.spi_size) { 1725 ND_PRINT((ndo," spi=")); 1726 if (!rawprint(ndo, (caddr_t)(p + 1), n.spi_size)) 1727 goto trunc; 1728 } 1729 1730 cp = (u_char *)(p + 1) + n.spi_size; 1731 ep2 = (u_char *)p + item_len; 1732 1733 if (cp < ep) { 1734 ND_PRINT((ndo," orig=(")); 1735 switch (ntohs(n.type)) { 1736 case IPSECDOI_NTYPE_RESPONDER_LIFETIME: 1737 { 1738 const struct attrmap *map = oakley_t_map; 1739 size_t nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]); 1740 while (cp < ep && cp < ep2) { 1741 cp = ikev1_attrmap_print(ndo, cp, 1742 (ep < ep2) ? ep : ep2, map, nmap); 1743 } 1744 break; 1745 } 1746 case IPSECDOI_NTYPE_REPLAY_STATUS: 1747 ND_PRINT((ndo,"replay detection %sabled", 1748 EXTRACT_32BITS(cp) ? "en" : "dis")); 1749 break; 1750 case ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN: 1751 if (ikev1_sub_print(ndo, ISAKMP_NPTYPE_SA, 1752 (struct isakmp_gen *)cp, ep, phase, doi, proto, 1753 depth) == NULL) 1754 return NULL; 1755 break; 1756 default: 1757 /* NULL is dummy */ 1758 isakmp_print(ndo, cp, 1759 item_len - sizeof(*p) - n.spi_size, 1760 NULL); 1761 } 1762 ND_PRINT((ndo,")")); 1763 } 1764 return (u_char *)ext + item_len; 1765 trunc: 1766 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_N))); 1767 return NULL; 1768 } 1769 1770 static const u_char * 1771 ikev1_d_print(netdissect_options *ndo, u_char tpay _U_, 1772 const struct isakmp_gen *ext, u_int item_len _U_, 1773 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi0 _U_, 1774 uint32_t proto0 _U_, int depth _U_) 1775 { 1776 const struct ikev1_pl_d *p; 1777 struct ikev1_pl_d d; 1778 const uint8_t *q; 1779 uint32_t doi; 1780 uint32_t proto; 1781 int i; 1782 1783 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_D))); 1784 1785 p = (struct ikev1_pl_d *)ext; 1786 ND_TCHECK(*p); 1787 UNALIGNED_MEMCPY(&d, ext, sizeof(d)); 1788 doi = ntohl(d.doi); 1789 proto = d.prot_id; 1790 if (doi != 1) { 1791 ND_PRINT((ndo," doi=%u", doi)); 1792 ND_PRINT((ndo," proto=%u", proto)); 1793 } else { 1794 ND_PRINT((ndo," doi=ipsec")); 1795 ND_PRINT((ndo," proto=%s", PROTOIDSTR(proto))); 1796 } 1797 ND_PRINT((ndo," spilen=%u", d.spi_size)); 1798 ND_PRINT((ndo," nspi=%u", ntohs(d.num_spi))); 1799 ND_PRINT((ndo," spi=")); 1800 q = (uint8_t *)(p + 1); 1801 for (i = 0; i < ntohs(d.num_spi); i++) { 1802 if (i != 0) 1803 ND_PRINT((ndo,",")); 1804 if (!rawprint(ndo, (caddr_t)q, d.spi_size)) 1805 goto trunc; 1806 q += d.spi_size; 1807 } 1808 return q; 1809 trunc: 1810 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_D))); 1811 return NULL; 1812 } 1813 1814 static const u_char * 1815 ikev1_vid_print(netdissect_options *ndo, u_char tpay _U_, 1816 const struct isakmp_gen *ext, 1817 u_int item_len _U_, const u_char *ep _U_, 1818 uint32_t phase _U_, uint32_t doi _U_, 1819 uint32_t proto _U_, int depth _U_) 1820 { 1821 struct isakmp_gen e; 1822 1823 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_VID))); 1824 1825 ND_TCHECK(*ext); 1826 UNALIGNED_MEMCPY(&e, ext, sizeof(e)); 1827 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4)); 1828 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) { 1829 ND_PRINT((ndo," ")); 1830 if (!rawprint(ndo, (caddr_t)(ext + 1), ntohs(e.len) - 4)) 1831 goto trunc; 1832 } 1833 return (u_char *)ext + ntohs(e.len); 1834 trunc: 1835 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_VID))); 1836 return NULL; 1837 } 1838 1839 /************************************************************/ 1840 /* */ 1841 /* IKE v2 - rfc4306 - dissector */ 1842 /* */ 1843 /************************************************************/ 1844 1845 static void 1846 ikev2_pay_print(netdissect_options *ndo, const char *payname, int critical) 1847 { 1848 ND_PRINT((ndo,"%s%s:", payname, critical&0x80 ? "[C]" : "")); 1849 } 1850 1851 static const u_char * 1852 ikev2_gen_print(netdissect_options *ndo, u_char tpay, 1853 const struct isakmp_gen *ext) 1854 { 1855 struct isakmp_gen e; 1856 1857 ND_TCHECK(*ext); 1858 UNALIGNED_MEMCPY(&e, ext, sizeof(e)); 1859 ikev2_pay_print(ndo, NPSTR(tpay), e.critical); 1860 1861 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4)); 1862 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) { 1863 ND_PRINT((ndo," ")); 1864 if (!rawprint(ndo, (caddr_t)(ext + 1), ntohs(e.len) - 4)) 1865 goto trunc; 1866 } 1867 return (u_char *)ext + ntohs(e.len); 1868 trunc: 1869 ND_PRINT((ndo," [|%s]", NPSTR(tpay))); 1870 return NULL; 1871 } 1872 1873 static const u_char * 1874 ikev2_t_print(netdissect_options *ndo, u_char tpay _U_, int pcount, 1875 const struct isakmp_gen *ext, u_int item_len, 1876 const u_char *ep, uint32_t phase _U_, uint32_t doi _U_, 1877 uint32_t proto _U_, int depth _U_) 1878 { 1879 const struct ikev2_t *p; 1880 struct ikev2_t t; 1881 uint16_t t_id; 1882 const u_char *cp; 1883 const char *idstr; 1884 const struct attrmap *map; 1885 size_t nmap; 1886 const u_char *ep2; 1887 1888 p = (struct ikev2_t *)ext; 1889 ND_TCHECK(*p); 1890 UNALIGNED_MEMCPY(&t, ext, sizeof(t)); 1891 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_T), t.h.critical); 1892 1893 t_id = ntohs(t.t_id); 1894 1895 map = NULL; 1896 nmap = 0; 1897 1898 switch (t.t_type) { 1899 case IV2_T_ENCR: 1900 idstr = STR_OR_ID(t_id, esp_p_map); 1901 map = encr_t_map; 1902 nmap = sizeof(encr_t_map)/sizeof(encr_t_map[0]); 1903 break; 1904 1905 case IV2_T_PRF: 1906 idstr = STR_OR_ID(t_id, prf_p_map); 1907 break; 1908 1909 case IV2_T_INTEG: 1910 idstr = STR_OR_ID(t_id, integ_p_map); 1911 break; 1912 1913 case IV2_T_DH: 1914 idstr = STR_OR_ID(t_id, dh_p_map); 1915 break; 1916 1917 case IV2_T_ESN: 1918 idstr = STR_OR_ID(t_id, esn_p_map); 1919 break; 1920 1921 default: 1922 idstr = NULL; 1923 break; 1924 } 1925 1926 if (idstr) 1927 ND_PRINT((ndo," #%u type=%s id=%s ", pcount, 1928 STR_OR_ID(t.t_type, ikev2_t_type_map), 1929 idstr)); 1930 else 1931 ND_PRINT((ndo," #%u type=%s id=%u ", pcount, 1932 STR_OR_ID(t.t_type, ikev2_t_type_map), 1933 t.t_id)); 1934 cp = (u_char *)(p + 1); 1935 ep2 = (u_char *)p + item_len; 1936 while (cp < ep && cp < ep2) { 1937 if (map && nmap) { 1938 cp = ikev1_attrmap_print(ndo, cp, (ep < ep2) ? ep : ep2, 1939 map, nmap); 1940 } else 1941 cp = ikev1_attr_print(ndo, cp, (ep < ep2) ? ep : ep2); 1942 } 1943 if (ep < ep2) 1944 ND_PRINT((ndo,"...")); 1945 return cp; 1946 trunc: 1947 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_T))); 1948 return NULL; 1949 } 1950 1951 static const u_char * 1952 ikev2_p_print(netdissect_options *ndo, u_char tpay _U_, int pcount _U_, 1953 const struct isakmp_gen *ext, u_int item_len _U_, 1954 const u_char *ep, uint32_t phase, uint32_t doi0, 1955 uint32_t proto0 _U_, int depth) 1956 { 1957 const struct ikev2_p *p; 1958 struct ikev2_p prop; 1959 const u_char *cp; 1960 1961 p = (struct ikev2_p *)ext; 1962 ND_TCHECK(*p); 1963 UNALIGNED_MEMCPY(&prop, ext, sizeof(prop)); 1964 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_P), prop.h.critical); 1965 1966 ND_PRINT((ndo," #%u protoid=%s transform=%d len=%u", 1967 prop.p_no, PROTOIDSTR(prop.prot_id), 1968 prop.num_t, ntohs(prop.h.len))); 1969 if (prop.spi_size) { 1970 ND_PRINT((ndo," spi=")); 1971 if (!rawprint(ndo, (caddr_t)(p + 1), prop.spi_size)) 1972 goto trunc; 1973 } 1974 1975 ext = (struct isakmp_gen *)((u_char *)(p + 1) + prop.spi_size); 1976 ND_TCHECK(*ext); 1977 1978 cp = ikev2_sub_print(ndo, NULL, ISAKMP_NPTYPE_T, ext, ep, phase, doi0, 1979 prop.prot_id, depth); 1980 1981 return cp; 1982 trunc: 1983 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_P))); 1984 return NULL; 1985 } 1986 1987 static const u_char * 1988 ikev2_sa_print(netdissect_options *ndo, u_char tpay, 1989 const struct isakmp_gen *ext1, 1990 u_int item_len _U_, const u_char *ep _U_, 1991 uint32_t phase _U_, uint32_t doi _U_, 1992 uint32_t proto _U_, int depth _U_) 1993 { 1994 struct isakmp_gen e; 1995 int osa_length, sa_length; 1996 1997 ND_TCHECK(*ext1); 1998 UNALIGNED_MEMCPY(&e, ext1, sizeof(e)); 1999 ikev2_pay_print(ndo, "sa", e.critical); 2000 2001 osa_length= ntohs(e.len); 2002 sa_length = osa_length - 4; 2003 ND_PRINT((ndo," len=%d", sa_length)); 2004 2005 ikev2_sub_print(ndo, NULL, ISAKMP_NPTYPE_P, 2006 ext1+1, ep, 2007 0, 0, 0, depth); 2008 2009 return (u_char *)ext1 + osa_length; 2010 trunc: 2011 ND_PRINT((ndo," [|%s]", NPSTR(tpay))); 2012 return NULL; 2013 } 2014 2015 static const u_char * 2016 ikev2_ke_print(netdissect_options *ndo, u_char tpay, 2017 const struct isakmp_gen *ext, 2018 u_int item_len _U_, const u_char *ep _U_, 2019 uint32_t phase _U_, uint32_t doi _U_, 2020 uint32_t proto _U_, int depth _U_) 2021 { 2022 struct ikev2_ke ke; 2023 struct ikev2_ke *k; 2024 2025 k = (struct ikev2_ke *)ext; 2026 ND_TCHECK(*ext); 2027 UNALIGNED_MEMCPY(&ke, ext, sizeof(ke)); 2028 ikev2_pay_print(ndo, NPSTR(tpay), ke.h.critical); 2029 2030 ND_PRINT((ndo," len=%u group=%s", ntohs(ke.h.len) - 8, 2031 STR_OR_ID(ntohs(ke.ke_group), dh_p_map))); 2032 2033 if (2 < ndo->ndo_vflag && 8 < ntohs(ke.h.len)) { 2034 ND_PRINT((ndo," ")); 2035 if (!rawprint(ndo, (caddr_t)(k + 1), ntohs(ke.h.len) - 8)) 2036 goto trunc; 2037 } 2038 return (u_char *)ext + ntohs(ke.h.len); 2039 trunc: 2040 ND_PRINT((ndo," [|%s]", NPSTR(tpay))); 2041 return NULL; 2042 } 2043 2044 static const u_char * 2045 ikev2_ID_print(netdissect_options *ndo, u_char tpay, 2046 const struct isakmp_gen *ext, 2047 u_int item_len _U_, const u_char *ep _U_, 2048 uint32_t phase _U_, uint32_t doi _U_, 2049 uint32_t proto _U_, int depth _U_) 2050 { 2051 struct ikev2_id id; 2052 int id_len, idtype_len, i; 2053 unsigned int dumpascii, dumphex; 2054 unsigned char *typedata; 2055 2056 ND_TCHECK(*ext); 2057 UNALIGNED_MEMCPY(&id, ext, sizeof(id)); 2058 ikev2_pay_print(ndo, NPSTR(tpay), id.h.critical); 2059 2060 id_len = ntohs(id.h.len); 2061 2062 ND_PRINT((ndo," len=%d", id_len - 4)); 2063 if (2 < ndo->ndo_vflag && 4 < id_len) { 2064 ND_PRINT((ndo," ")); 2065 if (!rawprint(ndo, (caddr_t)(ext + 1), id_len - 4)) 2066 goto trunc; 2067 } 2068 2069 idtype_len =id_len - sizeof(struct ikev2_id); 2070 dumpascii = 0; 2071 dumphex = 0; 2072 typedata = (unsigned char *)(ext)+sizeof(struct ikev2_id); 2073 2074 switch(id.type) { 2075 case ID_IPV4_ADDR: 2076 ND_PRINT((ndo, " ipv4:")); 2077 dumphex=1; 2078 break; 2079 case ID_FQDN: 2080 ND_PRINT((ndo, " fqdn:")); 2081 dumpascii=1; 2082 break; 2083 case ID_RFC822_ADDR: 2084 ND_PRINT((ndo, " rfc822:")); 2085 dumpascii=1; 2086 break; 2087 case ID_IPV6_ADDR: 2088 ND_PRINT((ndo, " ipv6:")); 2089 dumphex=1; 2090 break; 2091 case ID_DER_ASN1_DN: 2092 ND_PRINT((ndo, " dn:")); 2093 dumphex=1; 2094 break; 2095 case ID_DER_ASN1_GN: 2096 ND_PRINT((ndo, " gn:")); 2097 dumphex=1; 2098 break; 2099 case ID_KEY_ID: 2100 ND_PRINT((ndo, " keyid:")); 2101 dumphex=1; 2102 break; 2103 } 2104 2105 if(dumpascii) { 2106 ND_TCHECK2(*typedata, idtype_len); 2107 for(i=0; i<idtype_len; i++) { 2108 if(ND_ISPRINT(typedata[i])) { 2109 ND_PRINT((ndo, "%c", typedata[i])); 2110 } else { 2111 ND_PRINT((ndo, ".")); 2112 } 2113 } 2114 } 2115 if(dumphex) { 2116 if (!rawprint(ndo, (caddr_t)typedata, idtype_len)) 2117 goto trunc; 2118 } 2119 2120 return (u_char *)ext + id_len; 2121 trunc: 2122 ND_PRINT((ndo," [|%s]", NPSTR(tpay))); 2123 return NULL; 2124 } 2125 2126 static const u_char * 2127 ikev2_cert_print(netdissect_options *ndo, u_char tpay, 2128 const struct isakmp_gen *ext, 2129 u_int item_len _U_, const u_char *ep _U_, 2130 uint32_t phase _U_, uint32_t doi _U_, 2131 uint32_t proto _U_, int depth _U_) 2132 { 2133 return ikev2_gen_print(ndo, tpay, ext); 2134 } 2135 2136 static const u_char * 2137 ikev2_cr_print(netdissect_options *ndo, u_char tpay, 2138 const struct isakmp_gen *ext, 2139 u_int item_len _U_, const u_char *ep _U_, 2140 uint32_t phase _U_, uint32_t doi _U_, 2141 uint32_t proto _U_, int depth _U_) 2142 { 2143 return ikev2_gen_print(ndo, tpay, ext); 2144 } 2145 2146 static const u_char * 2147 ikev2_auth_print(netdissect_options *ndo, u_char tpay, 2148 const struct isakmp_gen *ext, 2149 u_int item_len _U_, const u_char *ep _U_, 2150 uint32_t phase _U_, uint32_t doi _U_, 2151 uint32_t proto _U_, int depth _U_) 2152 { 2153 struct ikev2_auth a; 2154 const char *v2_auth[]={ "invalid", "rsasig", 2155 "shared-secret", "dsssig" }; 2156 u_char *authdata = (u_char*)ext + sizeof(a); 2157 unsigned int len; 2158 2159 ND_TCHECK(*ext); 2160 UNALIGNED_MEMCPY(&a, ext, sizeof(a)); 2161 ikev2_pay_print(ndo, NPSTR(tpay), a.h.critical); 2162 len = ntohs(a.h.len); 2163 2164 ND_PRINT((ndo," len=%d method=%s", len-4, 2165 STR_OR_ID(a.auth_method, v2_auth))); 2166 2167 if (1 < ndo->ndo_vflag && 4 < len) { 2168 ND_PRINT((ndo," authdata=(")); 2169 if (!rawprint(ndo, (caddr_t)authdata, len - sizeof(a))) 2170 goto trunc; 2171 ND_PRINT((ndo,") ")); 2172 } else if(ndo->ndo_vflag && 4 < len) { 2173 if(!ike_show_somedata(ndo, authdata, ep)) goto trunc; 2174 } 2175 2176 return (u_char *)ext + len; 2177 trunc: 2178 ND_PRINT((ndo," [|%s]", NPSTR(tpay))); 2179 return NULL; 2180 } 2181 2182 static const u_char * 2183 ikev2_nonce_print(netdissect_options *ndo, u_char tpay, 2184 const struct isakmp_gen *ext, 2185 u_int item_len _U_, const u_char *ep _U_, 2186 uint32_t phase _U_, uint32_t doi _U_, 2187 uint32_t proto _U_, int depth _U_) 2188 { 2189 struct isakmp_gen e; 2190 2191 ND_TCHECK(*ext); 2192 UNALIGNED_MEMCPY(&e, ext, sizeof(e)); 2193 ikev2_pay_print(ndo, "nonce", e.critical); 2194 2195 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4)); 2196 if (1 < ndo->ndo_vflag && 4 < ntohs(e.len)) { 2197 ND_PRINT((ndo," nonce=(")); 2198 if (!rawprint(ndo, (caddr_t)(ext + 1), ntohs(e.len) - 4)) 2199 goto trunc; 2200 ND_PRINT((ndo,") ")); 2201 } else if(ndo->ndo_vflag && 4 < ntohs(e.len)) { 2202 if(!ike_show_somedata(ndo, (const u_char *)(ext+1), ep)) goto trunc; 2203 } 2204 2205 return (u_char *)ext + ntohs(e.len); 2206 trunc: 2207 ND_PRINT((ndo," [|%s]", NPSTR(tpay))); 2208 return NULL; 2209 } 2210 2211 /* notify payloads */ 2212 static const u_char * 2213 ikev2_n_print(netdissect_options *ndo, u_char tpay _U_, 2214 const struct isakmp_gen *ext, 2215 u_int item_len _U_, const u_char *ep _U_, 2216 uint32_t phase _U_, uint32_t doi _U_, 2217 uint32_t proto _U_, int depth _U_) 2218 { 2219 struct ikev2_n *p, n; 2220 const u_char *cp; 2221 u_char showspi, showdata, showsomedata; 2222 const char *notify_name; 2223 uint32_t type; 2224 2225 p = (struct ikev2_n *)ext; 2226 ND_TCHECK(*p); 2227 UNALIGNED_MEMCPY(&n, ext, sizeof(n)); 2228 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_N), n.h.critical); 2229 2230 showspi = 1; 2231 showdata = 0; 2232 showsomedata=0; 2233 notify_name=NULL; 2234 2235 ND_PRINT((ndo," prot_id=%s", PROTOIDSTR(n.prot_id))); 2236 2237 type = ntohs(n.type); 2238 2239 /* notify space is annoying sparse */ 2240 switch(type) { 2241 case IV2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD: 2242 notify_name = "unsupported_critical_payload"; 2243 showspi = 0; 2244 break; 2245 2246 case IV2_NOTIFY_INVALID_IKE_SPI: 2247 notify_name = "invalid_ike_spi"; 2248 showspi = 1; 2249 break; 2250 2251 case IV2_NOTIFY_INVALID_MAJOR_VERSION: 2252 notify_name = "invalid_major_version"; 2253 showspi = 0; 2254 break; 2255 2256 case IV2_NOTIFY_INVALID_SYNTAX: 2257 notify_name = "invalid_syntax"; 2258 showspi = 1; 2259 break; 2260 2261 case IV2_NOTIFY_INVALID_MESSAGE_ID: 2262 notify_name = "invalid_message_id"; 2263 showspi = 1; 2264 break; 2265 2266 case IV2_NOTIFY_INVALID_SPI: 2267 notify_name = "invalid_spi"; 2268 showspi = 1; 2269 break; 2270 2271 case IV2_NOTIFY_NO_PROPOSAL_CHOSEN: 2272 notify_name = "no_protocol_chosen"; 2273 showspi = 1; 2274 break; 2275 2276 case IV2_NOTIFY_INVALID_KE_PAYLOAD: 2277 notify_name = "invalid_ke_payload"; 2278 showspi = 1; 2279 break; 2280 2281 case IV2_NOTIFY_AUTHENTICATION_FAILED: 2282 notify_name = "authentication_failed"; 2283 showspi = 1; 2284 break; 2285 2286 case IV2_NOTIFY_SINGLE_PAIR_REQUIRED: 2287 notify_name = "single_pair_required"; 2288 showspi = 1; 2289 break; 2290 2291 case IV2_NOTIFY_NO_ADDITIONAL_SAS: 2292 notify_name = "no_additional_sas"; 2293 showspi = 0; 2294 break; 2295 2296 case IV2_NOTIFY_INTERNAL_ADDRESS_FAILURE: 2297 notify_name = "internal_address_failure"; 2298 showspi = 0; 2299 break; 2300 2301 case IV2_NOTIFY_FAILED_CP_REQUIRED: 2302 notify_name = "failed:cp_required"; 2303 showspi = 0; 2304 break; 2305 2306 case IV2_NOTIFY_INVALID_SELECTORS: 2307 notify_name = "invalid_selectors"; 2308 showspi = 0; 2309 break; 2310 2311 case IV2_NOTIFY_INITIAL_CONTACT: 2312 notify_name = "initial_contact"; 2313 showspi = 0; 2314 break; 2315 2316 case IV2_NOTIFY_SET_WINDOW_SIZE: 2317 notify_name = "set_window_size"; 2318 showspi = 0; 2319 break; 2320 2321 case IV2_NOTIFY_ADDITIONAL_TS_POSSIBLE: 2322 notify_name = "additional_ts_possible"; 2323 showspi = 0; 2324 break; 2325 2326 case IV2_NOTIFY_IPCOMP_SUPPORTED: 2327 notify_name = "ipcomp_supported"; 2328 showspi = 0; 2329 break; 2330 2331 case IV2_NOTIFY_NAT_DETECTION_SOURCE_IP: 2332 notify_name = "nat_detection_source_ip"; 2333 showspi = 1; 2334 break; 2335 2336 case IV2_NOTIFY_NAT_DETECTION_DESTINATION_IP: 2337 notify_name = "nat_detection_destination_ip"; 2338 showspi = 1; 2339 break; 2340 2341 case IV2_NOTIFY_COOKIE: 2342 notify_name = "cookie"; 2343 showspi = 1; 2344 showsomedata= 1; 2345 showdata= 0; 2346 break; 2347 2348 case IV2_NOTIFY_USE_TRANSPORT_MODE: 2349 notify_name = "use_transport_mode"; 2350 showspi = 0; 2351 break; 2352 2353 case IV2_NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED: 2354 notify_name = "http_cert_lookup_supported"; 2355 showspi = 0; 2356 break; 2357 2358 case IV2_NOTIFY_REKEY_SA: 2359 notify_name = "rekey_sa"; 2360 showspi = 1; 2361 break; 2362 2363 case IV2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED: 2364 notify_name = "tfc_padding_not_supported"; 2365 showspi = 0; 2366 break; 2367 2368 case IV2_NOTIFY_NON_FIRST_FRAGMENTS_ALSO: 2369 notify_name = "non_first_fragment_also"; 2370 showspi = 0; 2371 break; 2372 2373 default: 2374 if (type < 8192) { 2375 notify_name="error"; 2376 } else if(type < 16384) { 2377 notify_name="private-error"; 2378 } else if(type < 40960) { 2379 notify_name="status"; 2380 } else { 2381 notify_name="private-status"; 2382 } 2383 } 2384 2385 if(notify_name) { 2386 ND_PRINT((ndo," type=%u(%s)", type, notify_name)); 2387 } 2388 2389 2390 if (showspi && n.spi_size) { 2391 ND_PRINT((ndo," spi=")); 2392 if (!rawprint(ndo, (caddr_t)(p + 1), n.spi_size)) 2393 goto trunc; 2394 } 2395 2396 cp = (u_char *)(p + 1) + n.spi_size; 2397 2398 if(3 < ndo->ndo_vflag) { 2399 showdata = 1; 2400 } 2401 2402 if ((showdata || (showsomedata && ep-cp < 30)) && cp < ep) { 2403 ND_PRINT((ndo," data=(")); 2404 if (!rawprint(ndo, (caddr_t)(cp), ep - cp)) 2405 goto trunc; 2406 2407 ND_PRINT((ndo,")")); 2408 2409 } else if(showsomedata && cp < ep) { 2410 if(!ike_show_somedata(ndo, cp, ep)) goto trunc; 2411 } 2412 2413 return (u_char *)ext + item_len; 2414 trunc: 2415 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_N))); 2416 return NULL; 2417 } 2418 2419 static const u_char * 2420 ikev2_d_print(netdissect_options *ndo, u_char tpay, 2421 const struct isakmp_gen *ext, 2422 u_int item_len _U_, const u_char *ep _U_, 2423 uint32_t phase _U_, uint32_t doi _U_, 2424 uint32_t proto _U_, int depth _U_) 2425 { 2426 return ikev2_gen_print(ndo, tpay, ext); 2427 } 2428 2429 static const u_char * 2430 ikev2_vid_print(netdissect_options *ndo, u_char tpay, 2431 const struct isakmp_gen *ext, 2432 u_int item_len _U_, const u_char *ep _U_, 2433 uint32_t phase _U_, uint32_t doi _U_, 2434 uint32_t proto _U_, int depth _U_) 2435 { 2436 struct isakmp_gen e; 2437 const u_char *vid; 2438 int i, len; 2439 2440 ND_TCHECK(*ext); 2441 UNALIGNED_MEMCPY(&e, ext, sizeof(e)); 2442 ikev2_pay_print(ndo, NPSTR(tpay), e.critical); 2443 ND_PRINT((ndo," len=%d vid=", ntohs(e.len) - 4)); 2444 2445 vid = (const u_char *)(ext+1); 2446 len = ntohs(e.len) - 4; 2447 ND_TCHECK2(*vid, len); 2448 for(i=0; i<len; i++) { 2449 if(ND_ISPRINT(vid[i])) ND_PRINT((ndo, "%c", vid[i])); 2450 else ND_PRINT((ndo, ".")); 2451 } 2452 if (2 < ndo->ndo_vflag && 4 < len) { 2453 ND_PRINT((ndo," ")); 2454 if (!rawprint(ndo, (caddr_t)(ext + 1), ntohs(e.len) - 4)) 2455 goto trunc; 2456 } 2457 return (u_char *)ext + ntohs(e.len); 2458 trunc: 2459 ND_PRINT((ndo," [|%s]", NPSTR(tpay))); 2460 return NULL; 2461 } 2462 2463 static const u_char * 2464 ikev2_TS_print(netdissect_options *ndo, u_char tpay, 2465 const struct isakmp_gen *ext, 2466 u_int item_len _U_, const u_char *ep _U_, 2467 uint32_t phase _U_, uint32_t doi _U_, 2468 uint32_t proto _U_, int depth _U_) 2469 { 2470 return ikev2_gen_print(ndo, tpay, ext); 2471 } 2472 2473 static const u_char * 2474 ikev2_e_print(netdissect_options *ndo, 2475 #ifndef HAVE_LIBCRYPTO 2476 _U_ 2477 #endif 2478 struct isakmp *base, 2479 u_char tpay, 2480 const struct isakmp_gen *ext, 2481 u_int item_len _U_, const u_char *ep _U_, 2482 #ifndef HAVE_LIBCRYPTO 2483 _U_ 2484 #endif 2485 uint32_t phase, 2486 #ifndef HAVE_LIBCRYPTO 2487 _U_ 2488 #endif 2489 uint32_t doi, 2490 #ifndef HAVE_LIBCRYPTO 2491 _U_ 2492 #endif 2493 uint32_t proto, 2494 #ifndef HAVE_LIBCRYPTO 2495 _U_ 2496 #endif 2497 int depth) 2498 { 2499 struct isakmp_gen e; 2500 u_char *dat; 2501 volatile int dlen; 2502 2503 ND_TCHECK(*ext); 2504 UNALIGNED_MEMCPY(&e, ext, sizeof(e)); 2505 ikev2_pay_print(ndo, NPSTR(tpay), e.critical); 2506 2507 dlen = ntohs(e.len)-4; 2508 2509 ND_PRINT((ndo," len=%d", dlen)); 2510 if (2 < ndo->ndo_vflag && 4 < dlen) { 2511 ND_PRINT((ndo," ")); 2512 if (!rawprint(ndo, (caddr_t)(ext + 1), dlen)) 2513 goto trunc; 2514 } 2515 2516 dat = (u_char *)(ext+1); 2517 ND_TCHECK2(*dat, dlen); 2518 2519 #ifdef HAVE_LIBCRYPTO 2520 /* try to decypt it! */ 2521 if(esp_print_decrypt_buffer_by_ikev2(ndo, 2522 base->flags & ISAKMP_FLAG_I, 2523 base->i_ck, base->r_ck, 2524 dat, dat+dlen)) { 2525 2526 ext = (const struct isakmp_gen *)ndo->ndo_packetp; 2527 2528 /* got it decrypted, print stuff inside. */ 2529 ikev2_sub_print(ndo, base, e.np, ext, ndo->ndo_snapend, 2530 phase, doi, proto, depth+1); 2531 } 2532 #endif 2533 2534 2535 /* always return NULL, because E must be at end, and NP refers 2536 * to what was inside. 2537 */ 2538 return NULL; 2539 trunc: 2540 ND_PRINT((ndo," [|%s]", NPSTR(tpay))); 2541 return NULL; 2542 } 2543 2544 static const u_char * 2545 ikev2_cp_print(netdissect_options *ndo, u_char tpay, 2546 const struct isakmp_gen *ext, 2547 u_int item_len _U_, const u_char *ep _U_, 2548 uint32_t phase _U_, uint32_t doi _U_, 2549 uint32_t proto _U_, int depth _U_) 2550 { 2551 return ikev2_gen_print(ndo, tpay, ext); 2552 } 2553 2554 static const u_char * 2555 ikev2_eap_print(netdissect_options *ndo, u_char tpay, 2556 const struct isakmp_gen *ext, 2557 u_int item_len _U_, const u_char *ep _U_, 2558 uint32_t phase _U_, uint32_t doi _U_, 2559 uint32_t proto _U_, int depth _U_) 2560 { 2561 return ikev2_gen_print(ndo, tpay, ext); 2562 } 2563 2564 static const u_char * 2565 ike_sub0_print(netdissect_options *ndo, 2566 u_char np, const struct isakmp_gen *ext, const u_char *ep, 2567 2568 uint32_t phase, uint32_t doi, uint32_t proto, int depth) 2569 { 2570 const u_char *cp; 2571 struct isakmp_gen e; 2572 u_int item_len; 2573 2574 cp = (u_char *)ext; 2575 ND_TCHECK(*ext); 2576 UNALIGNED_MEMCPY(&e, ext, sizeof(e)); 2577 2578 /* 2579 * Since we can't have a payload length of less than 4 bytes, 2580 * we need to bail out here if the generic header is nonsensical 2581 * or truncated, otherwise we could loop forever processing 2582 * zero-length items or otherwise misdissect the packet. 2583 */ 2584 item_len = ntohs(e.len); 2585 if (item_len <= 4) 2586 return NULL; 2587 2588 if (NPFUNC(np)) { 2589 /* 2590 * XXX - what if item_len is too short, or too long, 2591 * for this payload type? 2592 */ 2593 cp = (*npfunc[np])(ndo, np, ext, item_len, ep, phase, doi, proto, depth); 2594 } else { 2595 ND_PRINT((ndo,"%s", NPSTR(np))); 2596 cp += item_len; 2597 } 2598 2599 return cp; 2600 trunc: 2601 ND_PRINT((ndo," [|isakmp]")); 2602 return NULL; 2603 } 2604 2605 static const u_char * 2606 ikev1_sub_print(netdissect_options *ndo, 2607 u_char np, const struct isakmp_gen *ext, const u_char *ep, 2608 uint32_t phase, uint32_t doi, uint32_t proto, int depth) 2609 { 2610 const u_char *cp; 2611 int i; 2612 struct isakmp_gen e; 2613 2614 cp = (const u_char *)ext; 2615 2616 while (np) { 2617 ND_TCHECK(*ext); 2618 2619 UNALIGNED_MEMCPY(&e, ext, sizeof(e)); 2620 2621 ND_TCHECK2(*ext, ntohs(e.len)); 2622 2623 depth++; 2624 ND_PRINT((ndo,"\n")); 2625 for (i = 0; i < depth; i++) 2626 ND_PRINT((ndo," ")); 2627 ND_PRINT((ndo,"(")); 2628 cp = ike_sub0_print(ndo, np, ext, ep, phase, doi, proto, depth); 2629 ND_PRINT((ndo,")")); 2630 depth--; 2631 2632 if (cp == NULL) { 2633 /* Zero-length subitem */ 2634 return NULL; 2635 } 2636 2637 np = e.np; 2638 ext = (struct isakmp_gen *)cp; 2639 } 2640 return cp; 2641 trunc: 2642 ND_PRINT((ndo," [|%s]", NPSTR(np))); 2643 return NULL; 2644 } 2645 2646 static char * 2647 numstr(int x) 2648 { 2649 static char buf[20]; 2650 snprintf(buf, sizeof(buf), "#%d", x); 2651 return buf; 2652 } 2653 2654 static void 2655 ikev1_print(netdissect_options *ndo, 2656 const u_char *bp, u_int length, 2657 const u_char *bp2, struct isakmp *base) 2658 { 2659 const struct isakmp *p; 2660 const u_char *ep; 2661 u_char np; 2662 int i; 2663 int phase; 2664 2665 p = (const struct isakmp *)bp; 2666 ep = ndo->ndo_snapend; 2667 2668 phase = (EXTRACT_32BITS(base->msgid) == 0) ? 1 : 2; 2669 if (phase == 1) 2670 ND_PRINT((ndo," phase %d", phase)); 2671 else 2672 ND_PRINT((ndo," phase %d/others", phase)); 2673 2674 i = cookie_find(&base->i_ck); 2675 if (i < 0) { 2676 if (iszero((u_char *)&base->r_ck, sizeof(base->r_ck))) { 2677 /* the first packet */ 2678 ND_PRINT((ndo," I")); 2679 if (bp2) 2680 cookie_record(&base->i_ck, bp2); 2681 } else 2682 ND_PRINT((ndo," ?")); 2683 } else { 2684 if (bp2 && cookie_isinitiator(i, bp2)) 2685 ND_PRINT((ndo," I")); 2686 else if (bp2 && cookie_isresponder(i, bp2)) 2687 ND_PRINT((ndo," R")); 2688 else 2689 ND_PRINT((ndo," ?")); 2690 } 2691 2692 ND_PRINT((ndo," %s", ETYPESTR(base->etype))); 2693 if (base->flags) { 2694 ND_PRINT((ndo,"[%s%s]", base->flags & ISAKMP_FLAG_E ? "E" : "", 2695 base->flags & ISAKMP_FLAG_C ? "C" : "")); 2696 } 2697 2698 if (ndo->ndo_vflag) { 2699 const struct isakmp_gen *ext; 2700 2701 ND_PRINT((ndo,":")); 2702 2703 /* regardless of phase... */ 2704 if (base->flags & ISAKMP_FLAG_E) { 2705 /* 2706 * encrypted, nothing we can do right now. 2707 * we hope to decrypt the packet in the future... 2708 */ 2709 ND_PRINT((ndo," [encrypted %s]", NPSTR(base->np))); 2710 goto done; 2711 } 2712 2713 CHECKLEN(p + 1, base->np); 2714 np = base->np; 2715 ext = (struct isakmp_gen *)(p + 1); 2716 ikev1_sub_print(ndo, np, ext, ep, phase, 0, 0, 0); 2717 } 2718 2719 done: 2720 if (ndo->ndo_vflag) { 2721 if (ntohl(base->len) != length) { 2722 ND_PRINT((ndo," (len mismatch: isakmp %u/ip %u)", 2723 (uint32_t)ntohl(base->len), length)); 2724 } 2725 } 2726 } 2727 2728 static const u_char * 2729 ikev2_sub0_print(netdissect_options *ndo, struct isakmp *base, 2730 u_char np, int pcount, 2731 const struct isakmp_gen *ext, const u_char *ep, 2732 uint32_t phase, uint32_t doi, uint32_t proto, int depth) 2733 { 2734 const u_char *cp; 2735 struct isakmp_gen e; 2736 u_int item_len; 2737 2738 cp = (u_char *)ext; 2739 ND_TCHECK(*ext); 2740 UNALIGNED_MEMCPY(&e, ext, sizeof(e)); 2741 2742 /* 2743 * Since we can't have a payload length of less than 4 bytes, 2744 * we need to bail out here if the generic header is nonsensical 2745 * or truncated, otherwise we could loop forever processing 2746 * zero-length items or otherwise misdissect the packet. 2747 */ 2748 item_len = ntohs(e.len); 2749 if (item_len <= 4) 2750 return NULL; 2751 2752 if(np == ISAKMP_NPTYPE_P) { 2753 cp = ikev2_p_print(ndo, np, pcount, ext, item_len, 2754 ep, phase, doi, proto, depth); 2755 } else if(np == ISAKMP_NPTYPE_T) { 2756 cp = ikev2_t_print(ndo, np, pcount, ext, item_len, 2757 ep, phase, doi, proto, depth); 2758 } else if(np == ISAKMP_NPTYPE_v2E) { 2759 cp = ikev2_e_print(ndo, base, np, ext, item_len, 2760 ep, phase, doi, proto, depth); 2761 } else if (NPFUNC(np)) { 2762 /* 2763 * XXX - what if item_len is too short, or too long, 2764 * for this payload type? 2765 */ 2766 cp = (*npfunc[np])(ndo, np, /*pcount,*/ ext, item_len, 2767 ep, phase, doi, proto, depth); 2768 } else { 2769 ND_PRINT((ndo,"%s", NPSTR(np))); 2770 cp += item_len; 2771 } 2772 2773 return cp; 2774 trunc: 2775 ND_PRINT((ndo," [|isakmp]")); 2776 return NULL; 2777 } 2778 2779 static const u_char * 2780 ikev2_sub_print(netdissect_options *ndo, 2781 struct isakmp *base, 2782 u_char np, const struct isakmp_gen *ext, const u_char *ep, 2783 uint32_t phase, uint32_t doi, uint32_t proto, int depth) 2784 { 2785 const u_char *cp; 2786 int i; 2787 int pcount; 2788 struct isakmp_gen e; 2789 2790 cp = (const u_char *)ext; 2791 pcount = 0; 2792 while (np) { 2793 pcount++; 2794 ND_TCHECK(*ext); 2795 2796 UNALIGNED_MEMCPY(&e, ext, sizeof(e)); 2797 2798 ND_TCHECK2(*ext, ntohs(e.len)); 2799 2800 depth++; 2801 ND_PRINT((ndo,"\n")); 2802 for (i = 0; i < depth; i++) 2803 ND_PRINT((ndo," ")); 2804 ND_PRINT((ndo,"(")); 2805 cp = ikev2_sub0_print(ndo, base, np, pcount, 2806 ext, ep, phase, doi, proto, depth); 2807 ND_PRINT((ndo,")")); 2808 depth--; 2809 2810 if (cp == NULL) { 2811 /* Zero-length subitem */ 2812 return NULL; 2813 } 2814 2815 np = e.np; 2816 ext = (struct isakmp_gen *)cp; 2817 } 2818 return cp; 2819 trunc: 2820 ND_PRINT((ndo," [|%s]", NPSTR(np))); 2821 return NULL; 2822 } 2823 2824 static void 2825 ikev2_print(netdissect_options *ndo, 2826 const u_char *bp, u_int length, 2827 const u_char *bp2 _U_, struct isakmp *base) 2828 { 2829 const struct isakmp *p; 2830 const u_char *ep; 2831 u_char np; 2832 int phase; 2833 2834 p = (const struct isakmp *)bp; 2835 ep = ndo->ndo_snapend; 2836 2837 phase = (EXTRACT_32BITS(base->msgid) == 0) ? 1 : 2; 2838 if (phase == 1) 2839 ND_PRINT((ndo, " parent_sa")); 2840 else 2841 ND_PRINT((ndo, " child_sa ")); 2842 2843 ND_PRINT((ndo, " %s", ETYPESTR(base->etype))); 2844 if (base->flags) { 2845 ND_PRINT((ndo, "[%s%s%s]", 2846 base->flags & ISAKMP_FLAG_I ? "I" : "", 2847 base->flags & ISAKMP_FLAG_V ? "V" : "", 2848 base->flags & ISAKMP_FLAG_R ? "R" : "")); 2849 } 2850 2851 if (ndo->ndo_vflag) { 2852 const struct isakmp_gen *ext; 2853 2854 ND_PRINT((ndo, ":")); 2855 2856 /* regardless of phase... */ 2857 if (base->flags & ISAKMP_FLAG_E) { 2858 /* 2859 * encrypted, nothing we can do right now. 2860 * we hope to decrypt the packet in the future... 2861 */ 2862 ND_PRINT((ndo, " [encrypted %s]", NPSTR(base->np))); 2863 goto done; 2864 } 2865 2866 CHECKLEN(p + 1, base->np) 2867 2868 np = base->np; 2869 ext = (struct isakmp_gen *)(p + 1); 2870 ikev2_sub_print(ndo, base, np, ext, ep, phase, 0, 0, 0); 2871 } 2872 2873 done: 2874 if (ndo->ndo_vflag) { 2875 if (ntohl(base->len) != length) { 2876 ND_PRINT((ndo, " (len mismatch: isakmp %u/ip %u)", 2877 (uint32_t)ntohl(base->len), length)); 2878 } 2879 } 2880 } 2881 2882 void 2883 isakmp_print(netdissect_options *ndo, 2884 const u_char *bp, u_int length, 2885 const u_char *bp2) 2886 { 2887 const struct isakmp *p; 2888 struct isakmp base; 2889 const u_char *ep; 2890 int major, minor; 2891 2892 #ifdef HAVE_LIBCRYPTO 2893 /* initialize SAs */ 2894 if (ndo->ndo_sa_list_head == NULL) { 2895 if (ndo->ndo_espsecret) 2896 esp_print_decodesecret(ndo); 2897 } 2898 #endif 2899 2900 p = (const struct isakmp *)bp; 2901 ep = ndo->ndo_snapend; 2902 2903 if ((struct isakmp *)ep < p + 1) { 2904 ND_PRINT((ndo,"[|isakmp]")); 2905 return; 2906 } 2907 2908 UNALIGNED_MEMCPY(&base, p, sizeof(base)); 2909 2910 ND_PRINT((ndo,"isakmp")); 2911 major = (base.vers & ISAKMP_VERS_MAJOR) 2912 >> ISAKMP_VERS_MAJOR_SHIFT; 2913 minor = (base.vers & ISAKMP_VERS_MINOR) 2914 >> ISAKMP_VERS_MINOR_SHIFT; 2915 2916 if (ndo->ndo_vflag) { 2917 ND_PRINT((ndo," %d.%d", major, minor)); 2918 } 2919 2920 if (ndo->ndo_vflag) { 2921 ND_PRINT((ndo," msgid ")); 2922 hexprint(ndo, (caddr_t)&base.msgid, sizeof(base.msgid)); 2923 } 2924 2925 if (1 < ndo->ndo_vflag) { 2926 ND_PRINT((ndo," cookie ")); 2927 hexprint(ndo, (caddr_t)&base.i_ck, sizeof(base.i_ck)); 2928 ND_PRINT((ndo,"->")); 2929 hexprint(ndo, (caddr_t)&base.r_ck, sizeof(base.r_ck)); 2930 } 2931 ND_PRINT((ndo,":")); 2932 2933 switch(major) { 2934 case IKEv1_MAJOR_VERSION: 2935 ikev1_print(ndo, bp, length, bp2, &base); 2936 break; 2937 2938 case IKEv2_MAJOR_VERSION: 2939 ikev2_print(ndo, bp, length, bp2, &base); 2940 break; 2941 } 2942 } 2943 2944 void 2945 isakmp_rfc3948_print(netdissect_options *ndo, 2946 const u_char *bp, u_int length, 2947 const u_char *bp2) 2948 { 2949 2950 if(length == 1 && bp[0]==0xff) { 2951 ND_PRINT((ndo, "isakmp-nat-keep-alive")); 2952 return; 2953 } 2954 2955 if(length < 4) { 2956 goto trunc; 2957 } 2958 2959 /* 2960 * see if this is an IKE packet 2961 */ 2962 if(bp[0]==0 && bp[1]==0 && bp[2]==0 && bp[3]==0) { 2963 ND_PRINT((ndo, "NONESP-encap: ")); 2964 isakmp_print(ndo, bp+4, length-4, bp2); 2965 return; 2966 } 2967 2968 /* must be an ESP packet */ 2969 { 2970 int nh, enh, padlen; 2971 int advance; 2972 2973 ND_PRINT((ndo, "UDP-encap: ")); 2974 2975 advance = esp_print(ndo, bp, length, bp2, &enh, &padlen); 2976 if(advance <= 0) 2977 return; 2978 2979 bp += advance; 2980 length -= advance + padlen; 2981 nh = enh & 0xff; 2982 2983 ip_print_inner(ndo, bp, length, nh, bp2); 2984 return; 2985 } 2986 2987 trunc: 2988 ND_PRINT((ndo,"[|isakmp]")); 2989 return; 2990 } 2991 2992 /* 2993 * Local Variables: 2994 * c-style: whitesmith 2995 * c-basic-offset: 8 2996 * End: 2997 */ 2998 2999 3000 3001 3002