1 /* 2 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. Neither the name of the project nor the names of its contributors 14 * may be used to endorse or promote products derived from this software 15 * without specific prior written permission. 16 * 17 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27 * SUCH DAMAGE. 28 * 29 */ 30 31 #include <sys/cdefs.h> 32 #ifndef lint 33 __RCSID("$NetBSD: print-isakmp.c,v 1.10 2017/09/08 14:01:13 christos Exp $"); 34 #endif 35 36 /* \summary: Internet Security Association and Key Management Protocol (ISAKMP) printer */ 37 38 #ifdef HAVE_CONFIG_H 39 #include "config.h" 40 #endif 41 42 /* The functions from print-esp.c used in this file are only defined when both 43 * OpenSSL and evp.h are detected. Employ the same preprocessor device here. 44 */ 45 #ifndef HAVE_OPENSSL_EVP_H 46 #undef HAVE_LIBCRYPTO 47 #endif 48 49 #include <netdissect-stdinc.h> 50 51 #include <string.h> 52 53 #include "netdissect.h" 54 #include "addrtoname.h" 55 #include "extract.h" 56 57 #include "ip.h" 58 #include "ip6.h" 59 #include "ipproto.h" 60 61 /* refer to RFC 2408 */ 62 63 typedef u_char cookie_t[8]; 64 typedef u_char msgid_t[4]; 65 66 #define PORT_ISAKMP 500 67 68 /* 3.1 ISAKMP Header Format (IKEv1 and IKEv2) 69 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 70 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 71 ! Initiator ! 72 ! Cookie ! 73 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 74 ! Responder ! 75 ! Cookie ! 76 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 77 ! Next Payload ! MjVer ! MnVer ! Exchange Type ! Flags ! 78 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 79 ! Message ID ! 80 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 81 ! Length ! 82 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 83 */ 84 struct isakmp { 85 cookie_t i_ck; /* Initiator Cookie */ 86 cookie_t r_ck; /* Responder Cookie */ 87 uint8_t np; /* Next Payload Type */ 88 uint8_t vers; 89 #define ISAKMP_VERS_MAJOR 0xf0 90 #define ISAKMP_VERS_MAJOR_SHIFT 4 91 #define ISAKMP_VERS_MINOR 0x0f 92 #define ISAKMP_VERS_MINOR_SHIFT 0 93 uint8_t etype; /* Exchange Type */ 94 uint8_t flags; /* Flags */ 95 msgid_t msgid; 96 uint32_t len; /* Length */ 97 }; 98 99 /* Next Payload Type */ 100 #define ISAKMP_NPTYPE_NONE 0 /* NONE*/ 101 #define ISAKMP_NPTYPE_SA 1 /* Security Association */ 102 #define ISAKMP_NPTYPE_P 2 /* Proposal */ 103 #define ISAKMP_NPTYPE_T 3 /* Transform */ 104 #define ISAKMP_NPTYPE_KE 4 /* Key Exchange */ 105 #define ISAKMP_NPTYPE_ID 5 /* Identification */ 106 #define ISAKMP_NPTYPE_CERT 6 /* Certificate */ 107 #define ISAKMP_NPTYPE_CR 7 /* Certificate Request */ 108 #define ISAKMP_NPTYPE_HASH 8 /* Hash */ 109 #define ISAKMP_NPTYPE_SIG 9 /* Signature */ 110 #define ISAKMP_NPTYPE_NONCE 10 /* Nonce */ 111 #define ISAKMP_NPTYPE_N 11 /* Notification */ 112 #define ISAKMP_NPTYPE_D 12 /* Delete */ 113 #define ISAKMP_NPTYPE_VID 13 /* Vendor ID */ 114 #define ISAKMP_NPTYPE_v2E 46 /* v2 Encrypted payload */ 115 116 #define IKEv1_MAJOR_VERSION 1 117 #define IKEv1_MINOR_VERSION 0 118 119 #define IKEv2_MAJOR_VERSION 2 120 #define IKEv2_MINOR_VERSION 0 121 122 /* Flags */ 123 #define ISAKMP_FLAG_E 0x01 /* Encryption Bit */ 124 #define ISAKMP_FLAG_C 0x02 /* Commit Bit */ 125 #define ISAKMP_FLAG_extra 0x04 126 127 /* IKEv2 */ 128 #define ISAKMP_FLAG_I (1 << 3) /* (I)nitiator */ 129 #define ISAKMP_FLAG_V (1 << 4) /* (V)ersion */ 130 #define ISAKMP_FLAG_R (1 << 5) /* (R)esponse */ 131 132 133 /* 3.2 Payload Generic Header 134 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 135 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 136 ! Next Payload ! RESERVED ! Payload Length ! 137 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 138 */ 139 struct isakmp_gen { 140 uint8_t np; /* Next Payload */ 141 uint8_t critical; /* bit 7 - critical, rest is RESERVED */ 142 uint16_t len; /* Payload Length */ 143 }; 144 145 /* 3.3 Data Attributes 146 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 147 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 148 !A! Attribute Type ! AF=0 Attribute Length ! 149 !F! ! AF=1 Attribute Value ! 150 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 151 . AF=0 Attribute Value . 152 . AF=1 Not Transmitted . 153 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 154 */ 155 struct isakmp_data { 156 uint16_t type; /* defined by DOI-spec, and Attribute Format */ 157 uint16_t lorv; /* if f equal 1, Attribute Length */ 158 /* if f equal 0, Attribute Value */ 159 /* if f equal 1, Attribute Value */ 160 }; 161 162 /* 3.4 Security Association Payload */ 163 /* MAY NOT be used, because of being defined in ipsec-doi. */ 164 /* 165 If the current payload is the last in the message, 166 then the value of the next payload field will be 0. 167 This field MUST NOT contain the 168 values for the Proposal or Transform payloads as they are considered 169 part of the security association negotiation. For example, this 170 field would contain the value "10" (Nonce payload) in the first 171 message of a Base Exchange (see Section 4.4) and the value "0" in the 172 first message of an Identity Protect Exchange (see Section 4.5). 173 */ 174 struct ikev1_pl_sa { 175 struct isakmp_gen h; 176 uint32_t doi; /* Domain of Interpretation */ 177 uint32_t sit; /* Situation */ 178 }; 179 180 /* 3.5 Proposal Payload */ 181 /* 182 The value of the next payload field MUST only contain the value "2" 183 or "0". If there are additional Proposal payloads in the message, 184 then this field will be 2. If the current Proposal payload is the 185 last within the security association proposal, then this field will 186 be 0. 187 */ 188 struct ikev1_pl_p { 189 struct isakmp_gen h; 190 uint8_t p_no; /* Proposal # */ 191 uint8_t prot_id; /* Protocol */ 192 uint8_t spi_size; /* SPI Size */ 193 uint8_t num_t; /* Number of Transforms */ 194 /* SPI */ 195 }; 196 197 /* 3.6 Transform Payload */ 198 /* 199 The value of the next payload field MUST only contain the value "3" 200 or "0". If there are additional Transform payloads in the proposal, 201 then this field will be 3. If the current Transform payload is the 202 last within the proposal, then this field will be 0. 203 */ 204 struct ikev1_pl_t { 205 struct isakmp_gen h; 206 uint8_t t_no; /* Transform # */ 207 uint8_t t_id; /* Transform-Id */ 208 uint16_t reserved; /* RESERVED2 */ 209 /* SA Attributes */ 210 }; 211 212 /* 3.7 Key Exchange Payload */ 213 struct ikev1_pl_ke { 214 struct isakmp_gen h; 215 /* Key Exchange Data */ 216 }; 217 218 /* 3.8 Identification Payload */ 219 /* MUST NOT to be used, because of being defined in ipsec-doi. */ 220 struct ikev1_pl_id { 221 struct isakmp_gen h; 222 union { 223 uint8_t id_type; /* ID Type */ 224 uint32_t doi_data; /* DOI Specific ID Data */ 225 } d; 226 /* Identification Data */ 227 }; 228 229 /* 3.9 Certificate Payload */ 230 struct ikev1_pl_cert { 231 struct isakmp_gen h; 232 uint8_t encode; /* Cert Encoding */ 233 char cert; /* Certificate Data */ 234 /* 235 This field indicates the type of 236 certificate or certificate-related information contained in the 237 Certificate Data field. 238 */ 239 }; 240 241 /* 3.10 Certificate Request Payload */ 242 struct ikev1_pl_cr { 243 struct isakmp_gen h; 244 uint8_t num_cert; /* # Cert. Types */ 245 /* 246 Certificate Types (variable length) 247 -- Contains a list of the types of certificates requested, 248 sorted in order of preference. Each individual certificate 249 type is 1 octet. This field is NOT requiredo 250 */ 251 /* # Certificate Authorities (1 octet) */ 252 /* Certificate Authorities (variable length) */ 253 }; 254 255 /* 3.11 Hash Payload */ 256 /* may not be used, because of having only data. */ 257 struct ikev1_pl_hash { 258 struct isakmp_gen h; 259 /* Hash Data */ 260 }; 261 262 /* 3.12 Signature Payload */ 263 /* may not be used, because of having only data. */ 264 struct ikev1_pl_sig { 265 struct isakmp_gen h; 266 /* Signature Data */ 267 }; 268 269 /* 3.13 Nonce Payload */ 270 /* may not be used, because of having only data. */ 271 struct ikev1_pl_nonce { 272 struct isakmp_gen h; 273 /* Nonce Data */ 274 }; 275 276 /* 3.14 Notification Payload */ 277 struct ikev1_pl_n { 278 struct isakmp_gen h; 279 uint32_t doi; /* Domain of Interpretation */ 280 uint8_t prot_id; /* Protocol-ID */ 281 uint8_t spi_size; /* SPI Size */ 282 uint16_t type; /* Notify Message Type */ 283 /* SPI */ 284 /* Notification Data */ 285 }; 286 287 /* 3.14.1 Notify Message Types */ 288 /* NOTIFY MESSAGES - ERROR TYPES */ 289 #define ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE 1 290 #define ISAKMP_NTYPE_DOI_NOT_SUPPORTED 2 291 #define ISAKMP_NTYPE_SITUATION_NOT_SUPPORTED 3 292 #define ISAKMP_NTYPE_INVALID_COOKIE 4 293 #define ISAKMP_NTYPE_INVALID_MAJOR_VERSION 5 294 #define ISAKMP_NTYPE_INVALID_MINOR_VERSION 6 295 #define ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE 7 296 #define ISAKMP_NTYPE_INVALID_FLAGS 8 297 #define ISAKMP_NTYPE_INVALID_MESSAGE_ID 9 298 #define ISAKMP_NTYPE_INVALID_PROTOCOL_ID 10 299 #define ISAKMP_NTYPE_INVALID_SPI 11 300 #define ISAKMP_NTYPE_INVALID_TRANSFORM_ID 12 301 #define ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED 13 302 #define ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN 14 303 #define ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX 15 304 #define ISAKMP_NTYPE_PAYLOAD_MALFORMED 16 305 #define ISAKMP_NTYPE_INVALID_KEY_INFORMATION 17 306 #define ISAKMP_NTYPE_INVALID_ID_INFORMATION 18 307 #define ISAKMP_NTYPE_INVALID_CERT_ENCODING 19 308 #define ISAKMP_NTYPE_INVALID_CERTIFICATE 20 309 #define ISAKMP_NTYPE_BAD_CERT_REQUEST_SYNTAX 21 310 #define ISAKMP_NTYPE_INVALID_CERT_AUTHORITY 22 311 #define ISAKMP_NTYPE_INVALID_HASH_INFORMATION 23 312 #define ISAKMP_NTYPE_AUTHENTICATION_FAILED 24 313 #define ISAKMP_NTYPE_INVALID_SIGNATURE 25 314 #define ISAKMP_NTYPE_ADDRESS_NOTIFICATION 26 315 316 /* 3.15 Delete Payload */ 317 struct ikev1_pl_d { 318 struct isakmp_gen h; 319 uint32_t doi; /* Domain of Interpretation */ 320 uint8_t prot_id; /* Protocol-Id */ 321 uint8_t spi_size; /* SPI Size */ 322 uint16_t num_spi; /* # of SPIs */ 323 /* SPI(es) */ 324 }; 325 326 struct ikev1_ph1tab { 327 struct ikev1_ph1 *head; 328 struct ikev1_ph1 *tail; 329 int len; 330 }; 331 332 struct isakmp_ph2tab { 333 struct ikev1_ph2 *head; 334 struct ikev1_ph2 *tail; 335 int len; 336 }; 337 338 /* IKEv2 (RFC4306) */ 339 340 /* 3.3 Security Association Payload -- generic header */ 341 /* 3.3.1. Proposal Substructure */ 342 struct ikev2_p { 343 struct isakmp_gen h; 344 uint8_t p_no; /* Proposal # */ 345 uint8_t prot_id; /* Protocol */ 346 uint8_t spi_size; /* SPI Size */ 347 uint8_t num_t; /* Number of Transforms */ 348 }; 349 350 /* 3.3.2. Transform Substructure */ 351 struct ikev2_t { 352 struct isakmp_gen h; 353 uint8_t t_type; /* Transform Type (ENCR,PRF,INTEG,etc.*/ 354 uint8_t res2; /* reserved byte */ 355 uint16_t t_id; /* Transform ID */ 356 }; 357 358 enum ikev2_t_type { 359 IV2_T_ENCR = 1, 360 IV2_T_PRF = 2, 361 IV2_T_INTEG= 3, 362 IV2_T_DH = 4, 363 IV2_T_ESN = 5 364 }; 365 366 /* 3.4. Key Exchange Payload */ 367 struct ikev2_ke { 368 struct isakmp_gen h; 369 uint16_t ke_group; 370 uint16_t ke_res1; 371 /* KE data */ 372 }; 373 374 375 /* 3.5. Identification Payloads */ 376 enum ikev2_id_type { 377 ID_IPV4_ADDR=1, 378 ID_FQDN=2, 379 ID_RFC822_ADDR=3, 380 ID_IPV6_ADDR=5, 381 ID_DER_ASN1_DN=9, 382 ID_DER_ASN1_GN=10, 383 ID_KEY_ID=11 384 }; 385 struct ikev2_id { 386 struct isakmp_gen h; 387 uint8_t type; /* ID type */ 388 uint8_t res1; 389 uint16_t res2; 390 /* SPI */ 391 /* Notification Data */ 392 }; 393 394 /* 3.10 Notification Payload */ 395 struct ikev2_n { 396 struct isakmp_gen h; 397 uint8_t prot_id; /* Protocol-ID */ 398 uint8_t spi_size; /* SPI Size */ 399 uint16_t type; /* Notify Message Type */ 400 }; 401 402 enum ikev2_n_type { 403 IV2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD = 1, 404 IV2_NOTIFY_INVALID_IKE_SPI = 4, 405 IV2_NOTIFY_INVALID_MAJOR_VERSION = 5, 406 IV2_NOTIFY_INVALID_SYNTAX = 7, 407 IV2_NOTIFY_INVALID_MESSAGE_ID = 9, 408 IV2_NOTIFY_INVALID_SPI =11, 409 IV2_NOTIFY_NO_PROPOSAL_CHOSEN =14, 410 IV2_NOTIFY_INVALID_KE_PAYLOAD =17, 411 IV2_NOTIFY_AUTHENTICATION_FAILED =24, 412 IV2_NOTIFY_SINGLE_PAIR_REQUIRED =34, 413 IV2_NOTIFY_NO_ADDITIONAL_SAS =35, 414 IV2_NOTIFY_INTERNAL_ADDRESS_FAILURE =36, 415 IV2_NOTIFY_FAILED_CP_REQUIRED =37, 416 IV2_NOTIFY_INVALID_SELECTORS =39, 417 IV2_NOTIFY_INITIAL_CONTACT =16384, 418 IV2_NOTIFY_SET_WINDOW_SIZE =16385, 419 IV2_NOTIFY_ADDITIONAL_TS_POSSIBLE =16386, 420 IV2_NOTIFY_IPCOMP_SUPPORTED =16387, 421 IV2_NOTIFY_NAT_DETECTION_SOURCE_IP =16388, 422 IV2_NOTIFY_NAT_DETECTION_DESTINATION_IP =16389, 423 IV2_NOTIFY_COOKIE =16390, 424 IV2_NOTIFY_USE_TRANSPORT_MODE =16391, 425 IV2_NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED =16392, 426 IV2_NOTIFY_REKEY_SA =16393, 427 IV2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED =16394, 428 IV2_NOTIFY_NON_FIRST_FRAGMENTS_ALSO =16395 429 }; 430 431 struct notify_messages { 432 uint16_t type; 433 char *msg; 434 }; 435 436 /* 3.8 Authentication Payload */ 437 struct ikev2_auth { 438 struct isakmp_gen h; 439 uint8_t auth_method; /* Protocol-ID */ 440 uint8_t reserved[3]; 441 /* authentication data */ 442 }; 443 444 enum ikev2_auth_type { 445 IV2_RSA_SIG = 1, 446 IV2_SHARED = 2, 447 IV2_DSS_SIG = 3 448 }; 449 450 /* refer to RFC 2409 */ 451 452 #if 0 453 /* isakmp sa structure */ 454 struct oakley_sa { 455 uint8_t proto_id; /* OAKLEY */ 456 vchar_t *spi; /* spi */ 457 uint8_t dhgrp; /* DH; group */ 458 uint8_t auth_t; /* method of authentication */ 459 uint8_t prf_t; /* type of prf */ 460 uint8_t hash_t; /* type of hash */ 461 uint8_t enc_t; /* type of cipher */ 462 uint8_t life_t; /* type of duration of lifetime */ 463 uint32_t ldur; /* life duration */ 464 }; 465 #endif 466 467 /* refer to RFC 2407 */ 468 469 #define IPSEC_DOI 1 470 471 /* 4.2 IPSEC Situation Definition */ 472 #define IPSECDOI_SIT_IDENTITY_ONLY 0x00000001 473 #define IPSECDOI_SIT_SECRECY 0x00000002 474 #define IPSECDOI_SIT_INTEGRITY 0x00000004 475 476 /* 4.4.1 IPSEC Security Protocol Identifiers */ 477 /* 4.4.2 IPSEC ISAKMP Transform Values */ 478 #define IPSECDOI_PROTO_ISAKMP 1 479 #define IPSECDOI_KEY_IKE 1 480 481 /* 4.4.1 IPSEC Security Protocol Identifiers */ 482 #define IPSECDOI_PROTO_IPSEC_AH 2 483 /* 4.4.3 IPSEC AH Transform Values */ 484 #define IPSECDOI_AH_MD5 2 485 #define IPSECDOI_AH_SHA 3 486 #define IPSECDOI_AH_DES 4 487 #define IPSECDOI_AH_SHA2_256 5 488 #define IPSECDOI_AH_SHA2_384 6 489 #define IPSECDOI_AH_SHA2_512 7 490 491 /* 4.4.1 IPSEC Security Protocol Identifiers */ 492 #define IPSECDOI_PROTO_IPSEC_ESP 3 493 /* 4.4.4 IPSEC ESP Transform Identifiers */ 494 #define IPSECDOI_ESP_DES_IV64 1 495 #define IPSECDOI_ESP_DES 2 496 #define IPSECDOI_ESP_3DES 3 497 #define IPSECDOI_ESP_RC5 4 498 #define IPSECDOI_ESP_IDEA 5 499 #define IPSECDOI_ESP_CAST 6 500 #define IPSECDOI_ESP_BLOWFISH 7 501 #define IPSECDOI_ESP_3IDEA 8 502 #define IPSECDOI_ESP_DES_IV32 9 503 #define IPSECDOI_ESP_RC4 10 504 #define IPSECDOI_ESP_NULL 11 505 #define IPSECDOI_ESP_RIJNDAEL 12 506 #define IPSECDOI_ESP_AES 12 507 508 /* 4.4.1 IPSEC Security Protocol Identifiers */ 509 #define IPSECDOI_PROTO_IPCOMP 4 510 /* 4.4.5 IPSEC IPCOMP Transform Identifiers */ 511 #define IPSECDOI_IPCOMP_OUI 1 512 #define IPSECDOI_IPCOMP_DEFLATE 2 513 #define IPSECDOI_IPCOMP_LZS 3 514 515 /* 4.5 IPSEC Security Association Attributes */ 516 #define IPSECDOI_ATTR_SA_LTYPE 1 /* B */ 517 #define IPSECDOI_ATTR_SA_LTYPE_DEFAULT 1 518 #define IPSECDOI_ATTR_SA_LTYPE_SEC 1 519 #define IPSECDOI_ATTR_SA_LTYPE_KB 2 520 #define IPSECDOI_ATTR_SA_LDUR 2 /* V */ 521 #define IPSECDOI_ATTR_SA_LDUR_DEFAULT 28800 /* 8 hours */ 522 #define IPSECDOI_ATTR_GRP_DESC 3 /* B */ 523 #define IPSECDOI_ATTR_ENC_MODE 4 /* B */ 524 /* default value: host dependent */ 525 #define IPSECDOI_ATTR_ENC_MODE_TUNNEL 1 526 #define IPSECDOI_ATTR_ENC_MODE_TRNS 2 527 #define IPSECDOI_ATTR_AUTH 5 /* B */ 528 /* 0 means not to use authentication. */ 529 #define IPSECDOI_ATTR_AUTH_HMAC_MD5 1 530 #define IPSECDOI_ATTR_AUTH_HMAC_SHA1 2 531 #define IPSECDOI_ATTR_AUTH_DES_MAC 3 532 #define IPSECDOI_ATTR_AUTH_KPDK 4 /*RFC-1826(Key/Pad/Data/Key)*/ 533 /* 534 * When negotiating ESP without authentication, the Auth 535 * Algorithm attribute MUST NOT be included in the proposal. 536 * When negotiating ESP without confidentiality, the Auth 537 * Algorithm attribute MUST be included in the proposal and 538 * the ESP transform ID must be ESP_NULL. 539 */ 540 #define IPSECDOI_ATTR_KEY_LENGTH 6 /* B */ 541 #define IPSECDOI_ATTR_KEY_ROUNDS 7 /* B */ 542 #define IPSECDOI_ATTR_COMP_DICT_SIZE 8 /* B */ 543 #define IPSECDOI_ATTR_COMP_PRIVALG 9 /* V */ 544 545 /* 4.6.1 Security Association Payload */ 546 struct ipsecdoi_sa { 547 struct isakmp_gen h; 548 uint32_t doi; /* Domain of Interpretation */ 549 uint32_t sit; /* Situation */ 550 }; 551 552 struct ipsecdoi_secrecy_h { 553 uint16_t len; 554 uint16_t reserved; 555 }; 556 557 /* 4.6.2.1 Identification Type Values */ 558 struct ipsecdoi_id { 559 struct isakmp_gen h; 560 uint8_t type; /* ID Type */ 561 uint8_t proto_id; /* Protocol ID */ 562 uint16_t port; /* Port */ 563 /* Identification Data */ 564 }; 565 566 #define IPSECDOI_ID_IPV4_ADDR 1 567 #define IPSECDOI_ID_FQDN 2 568 #define IPSECDOI_ID_USER_FQDN 3 569 #define IPSECDOI_ID_IPV4_ADDR_SUBNET 4 570 #define IPSECDOI_ID_IPV6_ADDR 5 571 #define IPSECDOI_ID_IPV6_ADDR_SUBNET 6 572 #define IPSECDOI_ID_IPV4_ADDR_RANGE 7 573 #define IPSECDOI_ID_IPV6_ADDR_RANGE 8 574 #define IPSECDOI_ID_DER_ASN1_DN 9 575 #define IPSECDOI_ID_DER_ASN1_GN 10 576 #define IPSECDOI_ID_KEY_ID 11 577 578 /* 4.6.3 IPSEC DOI Notify Message Types */ 579 /* Notify Messages - Status Types */ 580 #define IPSECDOI_NTYPE_RESPONDER_LIFETIME 24576 581 #define IPSECDOI_NTYPE_REPLAY_STATUS 24577 582 #define IPSECDOI_NTYPE_INITIAL_CONTACT 24578 583 584 #define DECLARE_PRINTER(func) static const u_char *ike##func##_print( \ 585 netdissect_options *ndo, u_char tpay, \ 586 const struct isakmp_gen *ext, \ 587 u_int item_len, \ 588 const u_char *end_pointer, \ 589 uint32_t phase,\ 590 uint32_t doi0, \ 591 uint32_t proto0, int depth) 592 593 DECLARE_PRINTER(v1_sa); 594 DECLARE_PRINTER(v1_p); 595 DECLARE_PRINTER(v1_t); 596 DECLARE_PRINTER(v1_ke); 597 DECLARE_PRINTER(v1_id); 598 DECLARE_PRINTER(v1_cert); 599 DECLARE_PRINTER(v1_cr); 600 DECLARE_PRINTER(v1_sig); 601 DECLARE_PRINTER(v1_hash); 602 DECLARE_PRINTER(v1_nonce); 603 DECLARE_PRINTER(v1_n); 604 DECLARE_PRINTER(v1_d); 605 DECLARE_PRINTER(v1_vid); 606 607 DECLARE_PRINTER(v2_sa); 608 DECLARE_PRINTER(v2_ke); 609 DECLARE_PRINTER(v2_ID); 610 DECLARE_PRINTER(v2_cert); 611 DECLARE_PRINTER(v2_cr); 612 DECLARE_PRINTER(v2_auth); 613 DECLARE_PRINTER(v2_nonce); 614 DECLARE_PRINTER(v2_n); 615 DECLARE_PRINTER(v2_d); 616 DECLARE_PRINTER(v2_vid); 617 DECLARE_PRINTER(v2_TS); 618 DECLARE_PRINTER(v2_cp); 619 DECLARE_PRINTER(v2_eap); 620 621 static const u_char *ikev2_e_print(netdissect_options *ndo, 622 struct isakmp *base, 623 u_char tpay, 624 const struct isakmp_gen *ext, 625 u_int item_len, 626 const u_char *end_pointer, 627 uint32_t phase, 628 uint32_t doi0, 629 uint32_t proto0, int depth); 630 631 632 static const u_char *ike_sub0_print(netdissect_options *ndo,u_char, const struct isakmp_gen *, 633 const u_char *, uint32_t, uint32_t, uint32_t, int); 634 static const u_char *ikev1_sub_print(netdissect_options *ndo,u_char, const struct isakmp_gen *, 635 const u_char *, uint32_t, uint32_t, uint32_t, int); 636 637 static const u_char *ikev2_sub_print(netdissect_options *ndo, 638 struct isakmp *base, 639 u_char np, const struct isakmp_gen *ext, 640 const u_char *ep, uint32_t phase, 641 uint32_t doi, uint32_t proto, 642 int depth); 643 644 645 static char *numstr(int); 646 647 static void 648 ikev1_print(netdissect_options *ndo, 649 const u_char *bp, u_int length, 650 const u_char *bp2, struct isakmp *base); 651 652 #define MAXINITIATORS 20 653 static int ninitiator = 0; 654 union inaddr_u { 655 struct in_addr in4; 656 struct in6_addr in6; 657 }; 658 static struct { 659 cookie_t initiator; 660 u_int version; 661 union inaddr_u iaddr; 662 union inaddr_u raddr; 663 } cookiecache[MAXINITIATORS]; 664 665 /* protocol id */ 666 static const char *protoidstr[] = { 667 NULL, "isakmp", "ipsec-ah", "ipsec-esp", "ipcomp", 668 }; 669 670 /* isakmp->np */ 671 static const char *npstr[] = { 672 "none", "sa", "p", "t", "ke", "id", "cert", "cr", "hash", /* 0 - 8 */ 673 "sig", "nonce", "n", "d", "vid", /* 9 - 13 */ 674 "pay14", "pay15", "pay16", "pay17", "pay18", /* 14- 18 */ 675 "pay19", "pay20", "pay21", "pay22", "pay23", /* 19- 23 */ 676 "pay24", "pay25", "pay26", "pay27", "pay28", /* 24- 28 */ 677 "pay29", "pay30", "pay31", "pay32", /* 29- 32 */ 678 "v2sa", "v2ke", "v2IDi", "v2IDr", "v2cert",/* 33- 37 */ 679 "v2cr", "v2auth","v2nonce", "v2n", "v2d", /* 38- 42 */ 680 "v2vid", "v2TSi", "v2TSr", "v2e", "v2cp", /* 43- 47 */ 681 "v2eap", /* 48 */ 682 683 }; 684 685 /* isakmp->np */ 686 static const u_char *(*npfunc[])(netdissect_options *ndo, u_char tpay, 687 const struct isakmp_gen *ext, 688 u_int item_len, 689 const u_char *end_pointer, 690 uint32_t phase, 691 uint32_t doi0, 692 uint32_t proto0, int depth) = { 693 NULL, 694 ikev1_sa_print, 695 ikev1_p_print, 696 ikev1_t_print, 697 ikev1_ke_print, 698 ikev1_id_print, 699 ikev1_cert_print, 700 ikev1_cr_print, 701 ikev1_hash_print, 702 ikev1_sig_print, 703 ikev1_nonce_print, 704 ikev1_n_print, 705 ikev1_d_print, 706 ikev1_vid_print, /* 13 */ 707 NULL, NULL, NULL, NULL, NULL, /* 14- 18 */ 708 NULL, NULL, NULL, NULL, NULL, /* 19- 23 */ 709 NULL, NULL, NULL, NULL, NULL, /* 24- 28 */ 710 NULL, NULL, NULL, NULL, /* 29- 32 */ 711 ikev2_sa_print, /* 33 */ 712 ikev2_ke_print, /* 34 */ 713 ikev2_ID_print, /* 35 */ 714 ikev2_ID_print, /* 36 */ 715 ikev2_cert_print, /* 37 */ 716 ikev2_cr_print, /* 38 */ 717 ikev2_auth_print, /* 39 */ 718 ikev2_nonce_print, /* 40 */ 719 ikev2_n_print, /* 41 */ 720 ikev2_d_print, /* 42 */ 721 ikev2_vid_print, /* 43 */ 722 ikev2_TS_print, /* 44 */ 723 ikev2_TS_print, /* 45 */ 724 NULL, /* ikev2_e_print,*/ /* 46 - special */ 725 ikev2_cp_print, /* 47 */ 726 ikev2_eap_print, /* 48 */ 727 }; 728 729 /* isakmp->etype */ 730 static const char *etypestr[] = { 731 /* IKEv1 exchange types */ 732 "none", "base", "ident", "auth", "agg", "inf", NULL, NULL, /* 0-7 */ 733 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 8-15 */ 734 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 16-23 */ 735 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 24-31 */ 736 "oakley-quick", "oakley-newgroup", /* 32-33 */ 737 /* IKEv2 exchange types */ 738 "ikev2_init", "ikev2_auth", "child_sa", "inf2" /* 34-37 */ 739 }; 740 741 #define STR_OR_ID(x, tab) \ 742 (((x) < sizeof(tab)/sizeof(tab[0]) && tab[(x)]) ? tab[(x)] : numstr(x)) 743 #define PROTOIDSTR(x) STR_OR_ID(x, protoidstr) 744 #define NPSTR(x) STR_OR_ID(x, npstr) 745 #define ETYPESTR(x) STR_OR_ID(x, etypestr) 746 747 #define CHECKLEN(p, np) \ 748 if (ep < (const u_char *)(p)) { \ 749 ND_PRINT((ndo," [|%s]", NPSTR(np))); \ 750 goto done; \ 751 } 752 753 754 #define NPFUNC(x) \ 755 (((x) < sizeof(npfunc)/sizeof(npfunc[0]) && npfunc[(x)]) \ 756 ? npfunc[(x)] : NULL) 757 758 static int 759 iszero(const u_char *p, size_t l) 760 { 761 while (l--) { 762 if (*p++) 763 return 0; 764 } 765 return 1; 766 } 767 768 /* find cookie from initiator cache */ 769 static int 770 cookie_find(cookie_t *in) 771 { 772 int i; 773 774 for (i = 0; i < MAXINITIATORS; i++) { 775 if (memcmp(in, &cookiecache[i].initiator, sizeof(*in)) == 0) 776 return i; 777 } 778 779 return -1; 780 } 781 782 /* record initiator */ 783 static void 784 cookie_record(cookie_t *in, const u_char *bp2) 785 { 786 int i; 787 const struct ip *ip; 788 const struct ip6_hdr *ip6; 789 790 i = cookie_find(in); 791 if (0 <= i) { 792 ninitiator = (i + 1) % MAXINITIATORS; 793 return; 794 } 795 796 ip = (const struct ip *)bp2; 797 switch (IP_V(ip)) { 798 case 4: 799 cookiecache[ninitiator].version = 4; 800 UNALIGNED_MEMCPY(&cookiecache[ninitiator].iaddr.in4, &ip->ip_src, sizeof(struct in_addr)); 801 UNALIGNED_MEMCPY(&cookiecache[ninitiator].raddr.in4, &ip->ip_dst, sizeof(struct in_addr)); 802 break; 803 case 6: 804 ip6 = (const struct ip6_hdr *)bp2; 805 cookiecache[ninitiator].version = 6; 806 UNALIGNED_MEMCPY(&cookiecache[ninitiator].iaddr.in6, &ip6->ip6_src, sizeof(struct in6_addr)); 807 UNALIGNED_MEMCPY(&cookiecache[ninitiator].raddr.in6, &ip6->ip6_dst, sizeof(struct in6_addr)); 808 break; 809 default: 810 return; 811 } 812 UNALIGNED_MEMCPY(&cookiecache[ninitiator].initiator, in, sizeof(*in)); 813 ninitiator = (ninitiator + 1) % MAXINITIATORS; 814 } 815 816 #define cookie_isinitiator(x, y) cookie_sidecheck((x), (y), 1) 817 #define cookie_isresponder(x, y) cookie_sidecheck((x), (y), 0) 818 static int 819 cookie_sidecheck(int i, const u_char *bp2, int initiator) 820 { 821 const struct ip *ip; 822 const struct ip6_hdr *ip6; 823 824 ip = (const struct ip *)bp2; 825 switch (IP_V(ip)) { 826 case 4: 827 if (cookiecache[i].version != 4) 828 return 0; 829 if (initiator) { 830 if (UNALIGNED_MEMCMP(&ip->ip_src, &cookiecache[i].iaddr.in4, sizeof(struct in_addr)) == 0) 831 return 1; 832 } else { 833 if (UNALIGNED_MEMCMP(&ip->ip_src, &cookiecache[i].raddr.in4, sizeof(struct in_addr)) == 0) 834 return 1; 835 } 836 break; 837 case 6: 838 if (cookiecache[i].version != 6) 839 return 0; 840 ip6 = (const struct ip6_hdr *)bp2; 841 if (initiator) { 842 if (UNALIGNED_MEMCMP(&ip6->ip6_src, &cookiecache[i].iaddr.in6, sizeof(struct in6_addr)) == 0) 843 return 1; 844 } else { 845 if (UNALIGNED_MEMCMP(&ip6->ip6_src, &cookiecache[i].raddr.in6, sizeof(struct in6_addr)) == 0) 846 return 1; 847 } 848 break; 849 default: 850 break; 851 } 852 853 return 0; 854 } 855 856 static void 857 hexprint(netdissect_options *ndo, const uint8_t *loc, size_t len) 858 { 859 const uint8_t *p; 860 size_t i; 861 862 p = loc; 863 for (i = 0; i < len; i++) 864 ND_PRINT((ndo,"%02x", p[i] & 0xff)); 865 } 866 867 static int 868 rawprint(netdissect_options *ndo, const uint8_t *loc, size_t len) 869 { 870 ND_TCHECK2(*loc, len); 871 872 hexprint(ndo, loc, len); 873 return 1; 874 trunc: 875 return 0; 876 } 877 878 879 /* 880 * returns false if we run out of data buffer 881 */ 882 static int ike_show_somedata(netdissect_options *ndo, 883 const u_char *cp, const u_char *ep) 884 { 885 /* there is too much data, just show some of it */ 886 const u_char *end = ep - 20; 887 int elen = 20; 888 int len = ep - cp; 889 if(len > 10) { 890 len = 10; 891 } 892 893 /* really shouldn't happen because of above */ 894 if(end < cp + len) { 895 end = cp+len; 896 elen = ep - end; 897 } 898 899 ND_PRINT((ndo," data=(")); 900 if(!rawprint(ndo, (const uint8_t *)(cp), len)) goto trunc; 901 ND_PRINT((ndo, "...")); 902 if(elen) { 903 if(!rawprint(ndo, (const uint8_t *)(end), elen)) goto trunc; 904 } 905 ND_PRINT((ndo,")")); 906 return 1; 907 908 trunc: 909 return 0; 910 } 911 912 struct attrmap { 913 const char *type; 914 u_int nvalue; 915 const char *value[30]; /*XXX*/ 916 }; 917 918 static const u_char * 919 ikev1_attrmap_print(netdissect_options *ndo, 920 const u_char *p, const u_char *ep2, 921 const struct attrmap *map, size_t nmap) 922 { 923 int totlen; 924 uint32_t t, v; 925 926 ND_TCHECK(p[0]); 927 if (p[0] & 0x80) 928 totlen = 4; 929 else { 930 ND_TCHECK_16BITS(&p[2]); 931 totlen = 4 + EXTRACT_16BITS(&p[2]); 932 } 933 if (ep2 < p + totlen) { 934 ND_PRINT((ndo,"[|attr]")); 935 return ep2 + 1; 936 } 937 938 ND_TCHECK_16BITS(&p[0]); 939 ND_PRINT((ndo,"(")); 940 t = EXTRACT_16BITS(&p[0]) & 0x7fff; 941 if (map && t < nmap && map[t].type) 942 ND_PRINT((ndo,"type=%s ", map[t].type)); 943 else 944 ND_PRINT((ndo,"type=#%d ", t)); 945 if (p[0] & 0x80) { 946 ND_PRINT((ndo,"value=")); 947 ND_TCHECK_16BITS(&p[2]); 948 v = EXTRACT_16BITS(&p[2]); 949 if (map && t < nmap && v < map[t].nvalue && map[t].value[v]) 950 ND_PRINT((ndo,"%s", map[t].value[v])); 951 else { 952 if (!rawprint(ndo, (const uint8_t *)&p[2], 2)) { 953 ND_PRINT((ndo,")")); 954 goto trunc; 955 } 956 } 957 } else { 958 ND_PRINT((ndo,"len=%d value=", totlen - 4)); 959 if (!rawprint(ndo, (const uint8_t *)&p[4], totlen - 4)) { 960 ND_PRINT((ndo,")")); 961 goto trunc; 962 } 963 } 964 ND_PRINT((ndo,")")); 965 return p + totlen; 966 967 trunc: 968 return NULL; 969 } 970 971 static const u_char * 972 ikev1_attr_print(netdissect_options *ndo, const u_char *p, const u_char *ep2) 973 { 974 int totlen; 975 uint32_t t; 976 977 ND_TCHECK(p[0]); 978 if (p[0] & 0x80) 979 totlen = 4; 980 else { 981 ND_TCHECK_16BITS(&p[2]); 982 totlen = 4 + EXTRACT_16BITS(&p[2]); 983 } 984 if (ep2 < p + totlen) { 985 ND_PRINT((ndo,"[|attr]")); 986 return ep2 + 1; 987 } 988 989 ND_TCHECK_16BITS(&p[0]); 990 ND_PRINT((ndo,"(")); 991 t = EXTRACT_16BITS(&p[0]) & 0x7fff; 992 ND_PRINT((ndo,"type=#%d ", t)); 993 if (p[0] & 0x80) { 994 ND_PRINT((ndo,"value=")); 995 t = p[2]; 996 if (!rawprint(ndo, (const uint8_t *)&p[2], 2)) { 997 ND_PRINT((ndo,")")); 998 goto trunc; 999 } 1000 } else { 1001 ND_PRINT((ndo,"len=%d value=", totlen - 4)); 1002 if (!rawprint(ndo, (const uint8_t *)&p[4], totlen - 4)) { 1003 ND_PRINT((ndo,")")); 1004 goto trunc; 1005 } 1006 } 1007 ND_PRINT((ndo,")")); 1008 return p + totlen; 1009 1010 trunc: 1011 return NULL; 1012 } 1013 1014 static const u_char * 1015 ikev1_sa_print(netdissect_options *ndo, u_char tpay _U_, 1016 const struct isakmp_gen *ext, 1017 u_int item_len _U_, 1018 const u_char *ep, uint32_t phase, uint32_t doi0 _U_, 1019 uint32_t proto0, int depth) 1020 { 1021 const struct ikev1_pl_sa *p; 1022 struct ikev1_pl_sa sa; 1023 uint32_t doi, sit, ident; 1024 const u_char *cp, *np; 1025 int t; 1026 1027 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_SA))); 1028 1029 p = (const struct ikev1_pl_sa *)ext; 1030 ND_TCHECK(*p); 1031 UNALIGNED_MEMCPY(&sa, ext, sizeof(sa)); 1032 doi = ntohl(sa.doi); 1033 sit = ntohl(sa.sit); 1034 if (doi != 1) { 1035 ND_PRINT((ndo," doi=%d", doi)); 1036 ND_PRINT((ndo," situation=%u", (uint32_t)ntohl(sa.sit))); 1037 return (const u_char *)(p + 1); 1038 } 1039 1040 ND_PRINT((ndo," doi=ipsec")); 1041 ND_PRINT((ndo," situation=")); 1042 t = 0; 1043 if (sit & 0x01) { 1044 ND_PRINT((ndo,"identity")); 1045 t++; 1046 } 1047 if (sit & 0x02) { 1048 ND_PRINT((ndo,"%ssecrecy", t ? "+" : "")); 1049 t++; 1050 } 1051 if (sit & 0x04) 1052 ND_PRINT((ndo,"%sintegrity", t ? "+" : "")); 1053 1054 np = (const u_char *)ext + sizeof(sa); 1055 if (sit != 0x01) { 1056 ND_TCHECK2(*(ext + 1), sizeof(ident)); 1057 UNALIGNED_MEMCPY(&ident, ext + 1, sizeof(ident)); 1058 ND_PRINT((ndo," ident=%u", (uint32_t)ntohl(ident))); 1059 np += sizeof(ident); 1060 } 1061 1062 ext = (const struct isakmp_gen *)np; 1063 ND_TCHECK(*ext); 1064 1065 cp = ikev1_sub_print(ndo, ISAKMP_NPTYPE_P, ext, ep, phase, doi, proto0, 1066 depth); 1067 1068 return cp; 1069 trunc: 1070 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_SA))); 1071 return NULL; 1072 } 1073 1074 static const u_char * 1075 ikev1_p_print(netdissect_options *ndo, u_char tpay _U_, 1076 const struct isakmp_gen *ext, u_int item_len _U_, 1077 const u_char *ep, uint32_t phase, uint32_t doi0, 1078 uint32_t proto0 _U_, int depth) 1079 { 1080 const struct ikev1_pl_p *p; 1081 struct ikev1_pl_p prop; 1082 const u_char *cp; 1083 1084 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_P))); 1085 1086 p = (const struct ikev1_pl_p *)ext; 1087 ND_TCHECK(*p); 1088 UNALIGNED_MEMCPY(&prop, ext, sizeof(prop)); 1089 ND_PRINT((ndo," #%d protoid=%s transform=%d", 1090 prop.p_no, PROTOIDSTR(prop.prot_id), prop.num_t)); 1091 if (prop.spi_size) { 1092 ND_PRINT((ndo," spi=")); 1093 if (!rawprint(ndo, (const uint8_t *)(p + 1), prop.spi_size)) 1094 goto trunc; 1095 } 1096 1097 ext = (const struct isakmp_gen *)((const u_char *)(p + 1) + prop.spi_size); 1098 ND_TCHECK(*ext); 1099 1100 cp = ikev1_sub_print(ndo, ISAKMP_NPTYPE_T, ext, ep, phase, doi0, 1101 prop.prot_id, depth); 1102 1103 return cp; 1104 trunc: 1105 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_P))); 1106 return NULL; 1107 } 1108 1109 static const char *ikev1_p_map[] = { 1110 NULL, "ike", 1111 }; 1112 1113 static const char *ikev2_t_type_map[]={ 1114 NULL, "encr", "prf", "integ", "dh", "esn" 1115 }; 1116 1117 static const char *ah_p_map[] = { 1118 NULL, "(reserved)", "md5", "sha", "1des", 1119 "sha2-256", "sha2-384", "sha2-512", 1120 }; 1121 1122 static const char *prf_p_map[] = { 1123 NULL, "hmac-md5", "hmac-sha", "hmac-tiger", 1124 "aes128_xcbc" 1125 }; 1126 1127 static const char *integ_p_map[] = { 1128 NULL, "hmac-md5", "hmac-sha", "dec-mac", 1129 "kpdk-md5", "aes-xcbc" 1130 }; 1131 1132 static const char *esn_p_map[] = { 1133 "no-esn", "esn" 1134 }; 1135 1136 static const char *dh_p_map[] = { 1137 NULL, "modp768", 1138 "modp1024", /* group 2 */ 1139 "EC2N 2^155", /* group 3 */ 1140 "EC2N 2^185", /* group 4 */ 1141 "modp1536", /* group 5 */ 1142 "iana-grp06", "iana-grp07", /* reserved */ 1143 "iana-grp08", "iana-grp09", 1144 "iana-grp10", "iana-grp11", 1145 "iana-grp12", "iana-grp13", 1146 "modp2048", /* group 14 */ 1147 "modp3072", /* group 15 */ 1148 "modp4096", /* group 16 */ 1149 "modp6144", /* group 17 */ 1150 "modp8192", /* group 18 */ 1151 }; 1152 1153 static const char *esp_p_map[] = { 1154 NULL, "1des-iv64", "1des", "3des", "rc5", "idea", "cast", 1155 "blowfish", "3idea", "1des-iv32", "rc4", "null", "aes" 1156 }; 1157 1158 static const char *ipcomp_p_map[] = { 1159 NULL, "oui", "deflate", "lzs", 1160 }; 1161 1162 static const struct attrmap ipsec_t_map[] = { 1163 { NULL, 0, { NULL } }, 1164 { "lifetype", 3, { NULL, "sec", "kb", }, }, 1165 { "life", 0, { NULL } }, 1166 { "group desc", 18, { NULL, "modp768", 1167 "modp1024", /* group 2 */ 1168 "EC2N 2^155", /* group 3 */ 1169 "EC2N 2^185", /* group 4 */ 1170 "modp1536", /* group 5 */ 1171 "iana-grp06", "iana-grp07", /* reserved */ 1172 "iana-grp08", "iana-grp09", 1173 "iana-grp10", "iana-grp11", 1174 "iana-grp12", "iana-grp13", 1175 "modp2048", /* group 14 */ 1176 "modp3072", /* group 15 */ 1177 "modp4096", /* group 16 */ 1178 "modp6144", /* group 17 */ 1179 "modp8192", /* group 18 */ 1180 }, }, 1181 { "enc mode", 3, { NULL, "tunnel", "transport", }, }, 1182 { "auth", 5, { NULL, "hmac-md5", "hmac-sha1", "1des-mac", "keyed", }, }, 1183 { "keylen", 0, { NULL } }, 1184 { "rounds", 0, { NULL } }, 1185 { "dictsize", 0, { NULL } }, 1186 { "privalg", 0, { NULL } }, 1187 }; 1188 1189 static const struct attrmap encr_t_map[] = { 1190 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 0, 1 */ 1191 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 2, 3 */ 1192 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 4, 5 */ 1193 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 6, 7 */ 1194 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 8, 9 */ 1195 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 10,11*/ 1196 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 12,13*/ 1197 { "keylen", 14, { NULL }}, 1198 }; 1199 1200 static const struct attrmap oakley_t_map[] = { 1201 { NULL, 0, { NULL } }, 1202 { "enc", 8, { NULL, "1des", "idea", "blowfish", "rc5", 1203 "3des", "cast", "aes", }, }, 1204 { "hash", 7, { NULL, "md5", "sha1", "tiger", 1205 "sha2-256", "sha2-384", "sha2-512", }, }, 1206 { "auth", 6, { NULL, "preshared", "dss", "rsa sig", "rsa enc", 1207 "rsa enc revised", }, }, 1208 { "group desc", 18, { NULL, "modp768", 1209 "modp1024", /* group 2 */ 1210 "EC2N 2^155", /* group 3 */ 1211 "EC2N 2^185", /* group 4 */ 1212 "modp1536", /* group 5 */ 1213 "iana-grp06", "iana-grp07", /* reserved */ 1214 "iana-grp08", "iana-grp09", 1215 "iana-grp10", "iana-grp11", 1216 "iana-grp12", "iana-grp13", 1217 "modp2048", /* group 14 */ 1218 "modp3072", /* group 15 */ 1219 "modp4096", /* group 16 */ 1220 "modp6144", /* group 17 */ 1221 "modp8192", /* group 18 */ 1222 }, }, 1223 { "group type", 4, { NULL, "MODP", "ECP", "EC2N", }, }, 1224 { "group prime", 0, { NULL } }, 1225 { "group gen1", 0, { NULL } }, 1226 { "group gen2", 0, { NULL } }, 1227 { "group curve A", 0, { NULL } }, 1228 { "group curve B", 0, { NULL } }, 1229 { "lifetype", 3, { NULL, "sec", "kb", }, }, 1230 { "lifeduration", 0, { NULL } }, 1231 { "prf", 0, { NULL } }, 1232 { "keylen", 0, { NULL } }, 1233 { "field", 0, { NULL } }, 1234 { "order", 0, { NULL } }, 1235 }; 1236 1237 static const u_char * 1238 ikev1_t_print(netdissect_options *ndo, u_char tpay _U_, 1239 const struct isakmp_gen *ext, u_int item_len, 1240 const u_char *ep, uint32_t phase _U_, uint32_t doi _U_, 1241 uint32_t proto, int depth _U_) 1242 { 1243 const struct ikev1_pl_t *p; 1244 struct ikev1_pl_t t; 1245 const u_char *cp; 1246 const char *idstr; 1247 const struct attrmap *map; 1248 size_t nmap; 1249 const u_char *ep2; 1250 1251 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_T))); 1252 1253 p = (const struct ikev1_pl_t *)ext; 1254 ND_TCHECK(*p); 1255 UNALIGNED_MEMCPY(&t, ext, sizeof(t)); 1256 1257 switch (proto) { 1258 case 1: 1259 idstr = STR_OR_ID(t.t_id, ikev1_p_map); 1260 map = oakley_t_map; 1261 nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]); 1262 break; 1263 case 2: 1264 idstr = STR_OR_ID(t.t_id, ah_p_map); 1265 map = ipsec_t_map; 1266 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]); 1267 break; 1268 case 3: 1269 idstr = STR_OR_ID(t.t_id, esp_p_map); 1270 map = ipsec_t_map; 1271 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]); 1272 break; 1273 case 4: 1274 idstr = STR_OR_ID(t.t_id, ipcomp_p_map); 1275 map = ipsec_t_map; 1276 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]); 1277 break; 1278 default: 1279 idstr = NULL; 1280 map = NULL; 1281 nmap = 0; 1282 break; 1283 } 1284 1285 if (idstr) 1286 ND_PRINT((ndo," #%d id=%s ", t.t_no, idstr)); 1287 else 1288 ND_PRINT((ndo," #%d id=%d ", t.t_no, t.t_id)); 1289 cp = (const u_char *)(p + 1); 1290 ep2 = (const u_char *)p + item_len; 1291 while (cp < ep && cp < ep2) { 1292 if (map && nmap) 1293 cp = ikev1_attrmap_print(ndo, cp, ep2, map, nmap); 1294 else 1295 cp = ikev1_attr_print(ndo, cp, ep2); 1296 if (cp == NULL) 1297 goto trunc; 1298 } 1299 if (ep < ep2) 1300 ND_PRINT((ndo,"...")); 1301 return cp; 1302 trunc: 1303 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_T))); 1304 return NULL; 1305 } 1306 1307 static const u_char * 1308 ikev1_ke_print(netdissect_options *ndo, u_char tpay _U_, 1309 const struct isakmp_gen *ext, u_int item_len _U_, 1310 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_, 1311 uint32_t proto _U_, int depth _U_) 1312 { 1313 struct isakmp_gen e; 1314 1315 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_KE))); 1316 1317 ND_TCHECK(*ext); 1318 UNALIGNED_MEMCPY(&e, ext, sizeof(e)); 1319 ND_PRINT((ndo," key len=%d", ntohs(e.len) - 4)); 1320 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) { 1321 /* Print the entire payload in hex */ 1322 ND_PRINT((ndo," ")); 1323 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4)) 1324 goto trunc; 1325 } 1326 return (const u_char *)ext + ntohs(e.len); 1327 trunc: 1328 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_KE))); 1329 return NULL; 1330 } 1331 1332 static const u_char * 1333 ikev1_id_print(netdissect_options *ndo, u_char tpay _U_, 1334 const struct isakmp_gen *ext, u_int item_len, 1335 const u_char *ep _U_, uint32_t phase, uint32_t doi _U_, 1336 uint32_t proto _U_, int depth _U_) 1337 { 1338 #define USE_IPSECDOI_IN_PHASE1 1 1339 const struct ikev1_pl_id *p; 1340 struct ikev1_pl_id id; 1341 static const char *idtypestr[] = { 1342 "IPv4", "IPv4net", "IPv6", "IPv6net", 1343 }; 1344 static const char *ipsecidtypestr[] = { 1345 NULL, "IPv4", "FQDN", "user FQDN", "IPv4net", "IPv6", 1346 "IPv6net", "IPv4range", "IPv6range", "ASN1 DN", "ASN1 GN", 1347 "keyid", 1348 }; 1349 int len; 1350 const u_char *data; 1351 1352 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_ID))); 1353 1354 p = (const struct ikev1_pl_id *)ext; 1355 ND_TCHECK(*p); 1356 UNALIGNED_MEMCPY(&id, ext, sizeof(id)); 1357 if (sizeof(*p) < item_len) { 1358 data = (const u_char *)(p + 1); 1359 len = item_len - sizeof(*p); 1360 } else { 1361 data = NULL; 1362 len = 0; 1363 } 1364 1365 #if 0 /*debug*/ 1366 ND_PRINT((ndo," [phase=%d doi=%d proto=%d]", phase, doi, proto)); 1367 #endif 1368 switch (phase) { 1369 #ifndef USE_IPSECDOI_IN_PHASE1 1370 case 1: 1371 #endif 1372 default: 1373 ND_PRINT((ndo," idtype=%s", STR_OR_ID(id.d.id_type, idtypestr))); 1374 ND_PRINT((ndo," doi_data=%u", 1375 (uint32_t)(ntohl(id.d.doi_data) & 0xffffff))); 1376 break; 1377 1378 #ifdef USE_IPSECDOI_IN_PHASE1 1379 case 1: 1380 #endif 1381 case 2: 1382 { 1383 const struct ipsecdoi_id *doi_p; 1384 struct ipsecdoi_id doi_id; 1385 const char *p_name; 1386 1387 doi_p = (const struct ipsecdoi_id *)ext; 1388 ND_TCHECK(*doi_p); 1389 UNALIGNED_MEMCPY(&doi_id, ext, sizeof(doi_id)); 1390 ND_PRINT((ndo," idtype=%s", STR_OR_ID(doi_id.type, ipsecidtypestr))); 1391 /* A protocol ID of 0 DOES NOT mean IPPROTO_IP! */ 1392 if (!ndo->ndo_nflag && doi_id.proto_id && (p_name = netdb_protoname(doi_id.proto_id)) != NULL) 1393 ND_PRINT((ndo," protoid=%s", p_name)); 1394 else 1395 ND_PRINT((ndo," protoid=%u", doi_id.proto_id)); 1396 ND_PRINT((ndo," port=%d", ntohs(doi_id.port))); 1397 if (!len) 1398 break; 1399 if (data == NULL) 1400 goto trunc; 1401 ND_TCHECK2(*data, len); 1402 switch (doi_id.type) { 1403 case IPSECDOI_ID_IPV4_ADDR: 1404 if (len < 4) 1405 ND_PRINT((ndo," len=%d [bad: < 4]", len)); 1406 else 1407 ND_PRINT((ndo," len=%d %s", len, ipaddr_string(ndo, data))); 1408 len = 0; 1409 break; 1410 case IPSECDOI_ID_FQDN: 1411 case IPSECDOI_ID_USER_FQDN: 1412 { 1413 int i; 1414 ND_PRINT((ndo," len=%d ", len)); 1415 for (i = 0; i < len; i++) 1416 safeputchar(ndo, data[i]); 1417 len = 0; 1418 break; 1419 } 1420 case IPSECDOI_ID_IPV4_ADDR_SUBNET: 1421 { 1422 const u_char *mask; 1423 if (len < 8) 1424 ND_PRINT((ndo," len=%d [bad: < 8]", len)); 1425 else { 1426 mask = data + sizeof(struct in_addr); 1427 ND_PRINT((ndo," len=%d %s/%u.%u.%u.%u", len, 1428 ipaddr_string(ndo, data), 1429 mask[0], mask[1], mask[2], mask[3])); 1430 } 1431 len = 0; 1432 break; 1433 } 1434 case IPSECDOI_ID_IPV6_ADDR: 1435 if (len < 16) 1436 ND_PRINT((ndo," len=%d [bad: < 16]", len)); 1437 else 1438 ND_PRINT((ndo," len=%d %s", len, ip6addr_string(ndo, data))); 1439 len = 0; 1440 break; 1441 case IPSECDOI_ID_IPV6_ADDR_SUBNET: 1442 { 1443 const u_char *mask; 1444 if (len < 32) 1445 ND_PRINT((ndo," len=%d [bad: < 32]", len)); 1446 else { 1447 mask = (const u_char *)(data + sizeof(struct in6_addr)); 1448 /*XXX*/ 1449 ND_PRINT((ndo," len=%d %s/0x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x", len, 1450 ip6addr_string(ndo, data), 1451 mask[0], mask[1], mask[2], mask[3], 1452 mask[4], mask[5], mask[6], mask[7], 1453 mask[8], mask[9], mask[10], mask[11], 1454 mask[12], mask[13], mask[14], mask[15])); 1455 } 1456 len = 0; 1457 break; 1458 } 1459 case IPSECDOI_ID_IPV4_ADDR_RANGE: 1460 if (len < 8) 1461 ND_PRINT((ndo," len=%d [bad: < 8]", len)); 1462 else { 1463 ND_PRINT((ndo," len=%d %s-%s", len, 1464 ipaddr_string(ndo, data), 1465 ipaddr_string(ndo, data + sizeof(struct in_addr)))); 1466 } 1467 len = 0; 1468 break; 1469 case IPSECDOI_ID_IPV6_ADDR_RANGE: 1470 if (len < 32) 1471 ND_PRINT((ndo," len=%d [bad: < 32]", len)); 1472 else { 1473 ND_PRINT((ndo," len=%d %s-%s", len, 1474 ip6addr_string(ndo, data), 1475 ip6addr_string(ndo, data + sizeof(struct in6_addr)))); 1476 } 1477 len = 0; 1478 break; 1479 case IPSECDOI_ID_DER_ASN1_DN: 1480 case IPSECDOI_ID_DER_ASN1_GN: 1481 case IPSECDOI_ID_KEY_ID: 1482 break; 1483 } 1484 break; 1485 } 1486 } 1487 if (data && len) { 1488 ND_PRINT((ndo," len=%d", len)); 1489 if (2 < ndo->ndo_vflag) { 1490 ND_PRINT((ndo," ")); 1491 if (!rawprint(ndo, (const uint8_t *)data, len)) 1492 goto trunc; 1493 } 1494 } 1495 return (const u_char *)ext + item_len; 1496 trunc: 1497 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_ID))); 1498 return NULL; 1499 } 1500 1501 static const u_char * 1502 ikev1_cert_print(netdissect_options *ndo, u_char tpay _U_, 1503 const struct isakmp_gen *ext, u_int item_len, 1504 const u_char *ep _U_, uint32_t phase _U_, 1505 uint32_t doi0 _U_, 1506 uint32_t proto0 _U_, int depth _U_) 1507 { 1508 const struct ikev1_pl_cert *p; 1509 struct ikev1_pl_cert cert; 1510 static const char *certstr[] = { 1511 "none", "pkcs7", "pgp", "dns", 1512 "x509sign", "x509ke", "kerberos", "crl", 1513 "arl", "spki", "x509attr", 1514 }; 1515 1516 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_CERT))); 1517 1518 p = (const struct ikev1_pl_cert *)ext; 1519 ND_TCHECK(*p); 1520 UNALIGNED_MEMCPY(&cert, ext, sizeof(cert)); 1521 ND_PRINT((ndo," len=%d", item_len - 4)); 1522 ND_PRINT((ndo," type=%s", STR_OR_ID((cert.encode), certstr))); 1523 if (2 < ndo->ndo_vflag && 4 < item_len) { 1524 /* Print the entire payload in hex */ 1525 ND_PRINT((ndo," ")); 1526 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4)) 1527 goto trunc; 1528 } 1529 return (const u_char *)ext + item_len; 1530 trunc: 1531 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_CERT))); 1532 return NULL; 1533 } 1534 1535 static const u_char * 1536 ikev1_cr_print(netdissect_options *ndo, u_char tpay _U_, 1537 const struct isakmp_gen *ext, u_int item_len, 1538 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi0 _U_, 1539 uint32_t proto0 _U_, int depth _U_) 1540 { 1541 const struct ikev1_pl_cert *p; 1542 struct ikev1_pl_cert cert; 1543 static const char *certstr[] = { 1544 "none", "pkcs7", "pgp", "dns", 1545 "x509sign", "x509ke", "kerberos", "crl", 1546 "arl", "spki", "x509attr", 1547 }; 1548 1549 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_CR))); 1550 1551 p = (const struct ikev1_pl_cert *)ext; 1552 ND_TCHECK(*p); 1553 UNALIGNED_MEMCPY(&cert, ext, sizeof(cert)); 1554 ND_PRINT((ndo," len=%d", item_len - 4)); 1555 ND_PRINT((ndo," type=%s", STR_OR_ID((cert.encode), certstr))); 1556 if (2 < ndo->ndo_vflag && 4 < item_len) { 1557 /* Print the entire payload in hex */ 1558 ND_PRINT((ndo," ")); 1559 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4)) 1560 goto trunc; 1561 } 1562 return (const u_char *)ext + item_len; 1563 trunc: 1564 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_CR))); 1565 return NULL; 1566 } 1567 1568 static const u_char * 1569 ikev1_hash_print(netdissect_options *ndo, u_char tpay _U_, 1570 const struct isakmp_gen *ext, u_int item_len _U_, 1571 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_, 1572 uint32_t proto _U_, int depth _U_) 1573 { 1574 struct isakmp_gen e; 1575 1576 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_HASH))); 1577 1578 ND_TCHECK(*ext); 1579 UNALIGNED_MEMCPY(&e, ext, sizeof(e)); 1580 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4)); 1581 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) { 1582 /* Print the entire payload in hex */ 1583 ND_PRINT((ndo," ")); 1584 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4)) 1585 goto trunc; 1586 } 1587 return (const u_char *)ext + ntohs(e.len); 1588 trunc: 1589 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_HASH))); 1590 return NULL; 1591 } 1592 1593 static const u_char * 1594 ikev1_sig_print(netdissect_options *ndo, u_char tpay _U_, 1595 const struct isakmp_gen *ext, u_int item_len _U_, 1596 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_, 1597 uint32_t proto _U_, int depth _U_) 1598 { 1599 struct isakmp_gen e; 1600 1601 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_SIG))); 1602 1603 ND_TCHECK(*ext); 1604 UNALIGNED_MEMCPY(&e, ext, sizeof(e)); 1605 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4)); 1606 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) { 1607 /* Print the entire payload in hex */ 1608 ND_PRINT((ndo," ")); 1609 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4)) 1610 goto trunc; 1611 } 1612 return (const u_char *)ext + ntohs(e.len); 1613 trunc: 1614 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_SIG))); 1615 return NULL; 1616 } 1617 1618 static const u_char * 1619 ikev1_nonce_print(netdissect_options *ndo, u_char tpay _U_, 1620 const struct isakmp_gen *ext, 1621 u_int item_len _U_, 1622 const u_char *ep, 1623 uint32_t phase _U_, uint32_t doi _U_, 1624 uint32_t proto _U_, int depth _U_) 1625 { 1626 struct isakmp_gen e; 1627 1628 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_NONCE))); 1629 1630 ND_TCHECK(*ext); 1631 UNALIGNED_MEMCPY(&e, ext, sizeof(e)); 1632 /* 1633 * Our caller has ensured that the length is >= 4. 1634 */ 1635 ND_PRINT((ndo," n len=%u", ntohs(e.len) - 4)); 1636 if (ntohs(e.len) > 4) { 1637 if (ndo->ndo_vflag > 2) { 1638 ND_PRINT((ndo, " ")); 1639 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4)) 1640 goto trunc; 1641 } else if (ndo->ndo_vflag > 1) { 1642 ND_PRINT((ndo, " ")); 1643 if (!ike_show_somedata(ndo, (const u_char *)(ext + 1), ep)) 1644 goto trunc; 1645 } 1646 } 1647 return (const u_char *)ext + ntohs(e.len); 1648 trunc: 1649 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_NONCE))); 1650 return NULL; 1651 } 1652 1653 static const u_char * 1654 ikev1_n_print(netdissect_options *ndo, u_char tpay _U_, 1655 const struct isakmp_gen *ext, u_int item_len, 1656 const u_char *ep, uint32_t phase _U_, uint32_t doi0 _U_, 1657 uint32_t proto0 _U_, int depth _U_) 1658 { 1659 const struct ikev1_pl_n *p; 1660 struct ikev1_pl_n n; 1661 const u_char *cp; 1662 const u_char *ep2; 1663 uint32_t doi; 1664 uint32_t proto; 1665 static const char *notify_error_str[] = { 1666 NULL, "INVALID-PAYLOAD-TYPE", 1667 "DOI-NOT-SUPPORTED", "SITUATION-NOT-SUPPORTED", 1668 "INVALID-COOKIE", "INVALID-MAJOR-VERSION", 1669 "INVALID-MINOR-VERSION", "INVALID-EXCHANGE-TYPE", 1670 "INVALID-FLAGS", "INVALID-MESSAGE-ID", 1671 "INVALID-PROTOCOL-ID", "INVALID-SPI", 1672 "INVALID-TRANSFORM-ID", "ATTRIBUTES-NOT-SUPPORTED", 1673 "NO-PROPOSAL-CHOSEN", "BAD-PROPOSAL-SYNTAX", 1674 "PAYLOAD-MALFORMED", "INVALID-KEY-INFORMATION", 1675 "INVALID-ID-INFORMATION", "INVALID-CERT-ENCODING", 1676 "INVALID-CERTIFICATE", "CERT-TYPE-UNSUPPORTED", 1677 "INVALID-CERT-AUTHORITY", "INVALID-HASH-INFORMATION", 1678 "AUTHENTICATION-FAILED", "INVALID-SIGNATURE", 1679 "ADDRESS-NOTIFICATION", "NOTIFY-SA-LIFETIME", 1680 "CERTIFICATE-UNAVAILABLE", "UNSUPPORTED-EXCHANGE-TYPE", 1681 "UNEQUAL-PAYLOAD-LENGTHS", 1682 }; 1683 static const char *ipsec_notify_error_str[] = { 1684 "RESERVED", 1685 }; 1686 static const char *notify_status_str[] = { 1687 "CONNECTED", 1688 }; 1689 static const char *ipsec_notify_status_str[] = { 1690 "RESPONDER-LIFETIME", "REPLAY-STATUS", 1691 "INITIAL-CONTACT", 1692 }; 1693 /* NOTE: these macro must be called with x in proper range */ 1694 1695 /* 0 - 8191 */ 1696 #define NOTIFY_ERROR_STR(x) \ 1697 STR_OR_ID((x), notify_error_str) 1698 1699 /* 8192 - 16383 */ 1700 #define IPSEC_NOTIFY_ERROR_STR(x) \ 1701 STR_OR_ID((u_int)((x) - 8192), ipsec_notify_error_str) 1702 1703 /* 16384 - 24575 */ 1704 #define NOTIFY_STATUS_STR(x) \ 1705 STR_OR_ID((u_int)((x) - 16384), notify_status_str) 1706 1707 /* 24576 - 32767 */ 1708 #define IPSEC_NOTIFY_STATUS_STR(x) \ 1709 STR_OR_ID((u_int)((x) - 24576), ipsec_notify_status_str) 1710 1711 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_N))); 1712 1713 p = (const struct ikev1_pl_n *)ext; 1714 ND_TCHECK(*p); 1715 UNALIGNED_MEMCPY(&n, ext, sizeof(n)); 1716 doi = ntohl(n.doi); 1717 proto = n.prot_id; 1718 if (doi != 1) { 1719 ND_PRINT((ndo," doi=%d", doi)); 1720 ND_PRINT((ndo," proto=%d", proto)); 1721 if (ntohs(n.type) < 8192) 1722 ND_PRINT((ndo," type=%s", NOTIFY_ERROR_STR(ntohs(n.type)))); 1723 else if (ntohs(n.type) < 16384) 1724 ND_PRINT((ndo," type=%s", numstr(ntohs(n.type)))); 1725 else if (ntohs(n.type) < 24576) 1726 ND_PRINT((ndo," type=%s", NOTIFY_STATUS_STR(ntohs(n.type)))); 1727 else 1728 ND_PRINT((ndo," type=%s", numstr(ntohs(n.type)))); 1729 if (n.spi_size) { 1730 ND_PRINT((ndo," spi=")); 1731 if (!rawprint(ndo, (const uint8_t *)(p + 1), n.spi_size)) 1732 goto trunc; 1733 } 1734 return (const u_char *)(p + 1) + n.spi_size; 1735 } 1736 1737 ND_PRINT((ndo," doi=ipsec")); 1738 ND_PRINT((ndo," proto=%s", PROTOIDSTR(proto))); 1739 if (ntohs(n.type) < 8192) 1740 ND_PRINT((ndo," type=%s", NOTIFY_ERROR_STR(ntohs(n.type)))); 1741 else if (ntohs(n.type) < 16384) 1742 ND_PRINT((ndo," type=%s", IPSEC_NOTIFY_ERROR_STR(ntohs(n.type)))); 1743 else if (ntohs(n.type) < 24576) 1744 ND_PRINT((ndo," type=%s", NOTIFY_STATUS_STR(ntohs(n.type)))); 1745 else if (ntohs(n.type) < 32768) 1746 ND_PRINT((ndo," type=%s", IPSEC_NOTIFY_STATUS_STR(ntohs(n.type)))); 1747 else 1748 ND_PRINT((ndo," type=%s", numstr(ntohs(n.type)))); 1749 if (n.spi_size) { 1750 ND_PRINT((ndo," spi=")); 1751 if (!rawprint(ndo, (const uint8_t *)(p + 1), n.spi_size)) 1752 goto trunc; 1753 } 1754 1755 cp = (const u_char *)(p + 1) + n.spi_size; 1756 ep2 = (const u_char *)p + item_len; 1757 1758 if (cp < ep) { 1759 switch (ntohs(n.type)) { 1760 case IPSECDOI_NTYPE_RESPONDER_LIFETIME: 1761 { 1762 const struct attrmap *map = oakley_t_map; 1763 size_t nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]); 1764 ND_PRINT((ndo," attrs=(")); 1765 while (cp < ep && cp < ep2) { 1766 cp = ikev1_attrmap_print(ndo, cp, ep2, map, nmap); 1767 if (cp == NULL) { 1768 ND_PRINT((ndo,")")); 1769 goto trunc; 1770 } 1771 } 1772 ND_PRINT((ndo,")")); 1773 break; 1774 } 1775 case IPSECDOI_NTYPE_REPLAY_STATUS: 1776 ND_PRINT((ndo," status=(")); 1777 ND_PRINT((ndo,"replay detection %sabled", 1778 EXTRACT_32BITS(cp) ? "en" : "dis")); 1779 ND_PRINT((ndo,")")); 1780 break; 1781 default: 1782 /* 1783 * XXX - fill in more types here; see, for example, 1784 * draft-ietf-ipsec-notifymsg-04. 1785 */ 1786 if (ndo->ndo_vflag > 3) { 1787 ND_PRINT((ndo," data=(")); 1788 if (!rawprint(ndo, (const uint8_t *)(cp), ep - cp)) 1789 goto trunc; 1790 ND_PRINT((ndo,")")); 1791 } else { 1792 if (!ike_show_somedata(ndo, cp, ep)) 1793 goto trunc; 1794 } 1795 break; 1796 } 1797 } 1798 return (const u_char *)ext + item_len; 1799 trunc: 1800 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_N))); 1801 return NULL; 1802 } 1803 1804 static const u_char * 1805 ikev1_d_print(netdissect_options *ndo, u_char tpay _U_, 1806 const struct isakmp_gen *ext, u_int item_len _U_, 1807 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi0 _U_, 1808 uint32_t proto0 _U_, int depth _U_) 1809 { 1810 const struct ikev1_pl_d *p; 1811 struct ikev1_pl_d d; 1812 const uint8_t *q; 1813 uint32_t doi; 1814 uint32_t proto; 1815 int i; 1816 1817 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_D))); 1818 1819 p = (const struct ikev1_pl_d *)ext; 1820 ND_TCHECK(*p); 1821 UNALIGNED_MEMCPY(&d, ext, sizeof(d)); 1822 doi = ntohl(d.doi); 1823 proto = d.prot_id; 1824 if (doi != 1) { 1825 ND_PRINT((ndo," doi=%u", doi)); 1826 ND_PRINT((ndo," proto=%u", proto)); 1827 } else { 1828 ND_PRINT((ndo," doi=ipsec")); 1829 ND_PRINT((ndo," proto=%s", PROTOIDSTR(proto))); 1830 } 1831 ND_PRINT((ndo," spilen=%u", d.spi_size)); 1832 ND_PRINT((ndo," nspi=%u", ntohs(d.num_spi))); 1833 ND_PRINT((ndo," spi=")); 1834 q = (const uint8_t *)(p + 1); 1835 for (i = 0; i < ntohs(d.num_spi); i++) { 1836 if (i != 0) 1837 ND_PRINT((ndo,",")); 1838 if (!rawprint(ndo, (const uint8_t *)q, d.spi_size)) 1839 goto trunc; 1840 q += d.spi_size; 1841 } 1842 return q; 1843 trunc: 1844 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_D))); 1845 return NULL; 1846 } 1847 1848 static const u_char * 1849 ikev1_vid_print(netdissect_options *ndo, u_char tpay _U_, 1850 const struct isakmp_gen *ext, 1851 u_int item_len _U_, const u_char *ep _U_, 1852 uint32_t phase _U_, uint32_t doi _U_, 1853 uint32_t proto _U_, int depth _U_) 1854 { 1855 struct isakmp_gen e; 1856 1857 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_VID))); 1858 1859 ND_TCHECK(*ext); 1860 UNALIGNED_MEMCPY(&e, ext, sizeof(e)); 1861 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4)); 1862 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) { 1863 /* Print the entire payload in hex */ 1864 ND_PRINT((ndo," ")); 1865 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4)) 1866 goto trunc; 1867 } 1868 return (const u_char *)ext + ntohs(e.len); 1869 trunc: 1870 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_VID))); 1871 return NULL; 1872 } 1873 1874 /************************************************************/ 1875 /* */ 1876 /* IKE v2 - rfc4306 - dissector */ 1877 /* */ 1878 /************************************************************/ 1879 1880 static void 1881 ikev2_pay_print(netdissect_options *ndo, const char *payname, int critical) 1882 { 1883 ND_PRINT((ndo,"%s%s:", payname, critical&0x80 ? "[C]" : "")); 1884 } 1885 1886 static const u_char * 1887 ikev2_gen_print(netdissect_options *ndo, u_char tpay, 1888 const struct isakmp_gen *ext) 1889 { 1890 struct isakmp_gen e; 1891 1892 ND_TCHECK(*ext); 1893 UNALIGNED_MEMCPY(&e, ext, sizeof(e)); 1894 ikev2_pay_print(ndo, NPSTR(tpay), e.critical); 1895 1896 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4)); 1897 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) { 1898 /* Print the entire payload in hex */ 1899 ND_PRINT((ndo," ")); 1900 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4)) 1901 goto trunc; 1902 } 1903 return (const u_char *)ext + ntohs(e.len); 1904 trunc: 1905 ND_PRINT((ndo," [|%s]", NPSTR(tpay))); 1906 return NULL; 1907 } 1908 1909 static const u_char * 1910 ikev2_t_print(netdissect_options *ndo, int tcount, 1911 const struct isakmp_gen *ext, u_int item_len, 1912 const u_char *ep) 1913 { 1914 const struct ikev2_t *p; 1915 struct ikev2_t t; 1916 uint16_t t_id; 1917 const u_char *cp; 1918 const char *idstr; 1919 const struct attrmap *map; 1920 size_t nmap; 1921 const u_char *ep2; 1922 1923 p = (const struct ikev2_t *)ext; 1924 ND_TCHECK(*p); 1925 UNALIGNED_MEMCPY(&t, ext, sizeof(t)); 1926 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_T), t.h.critical); 1927 1928 t_id = ntohs(t.t_id); 1929 1930 map = NULL; 1931 nmap = 0; 1932 1933 switch (t.t_type) { 1934 case IV2_T_ENCR: 1935 idstr = STR_OR_ID(t_id, esp_p_map); 1936 map = encr_t_map; 1937 nmap = sizeof(encr_t_map)/sizeof(encr_t_map[0]); 1938 break; 1939 1940 case IV2_T_PRF: 1941 idstr = STR_OR_ID(t_id, prf_p_map); 1942 break; 1943 1944 case IV2_T_INTEG: 1945 idstr = STR_OR_ID(t_id, integ_p_map); 1946 break; 1947 1948 case IV2_T_DH: 1949 idstr = STR_OR_ID(t_id, dh_p_map); 1950 break; 1951 1952 case IV2_T_ESN: 1953 idstr = STR_OR_ID(t_id, esn_p_map); 1954 break; 1955 1956 default: 1957 idstr = NULL; 1958 break; 1959 } 1960 1961 if (idstr) 1962 ND_PRINT((ndo," #%u type=%s id=%s ", tcount, 1963 STR_OR_ID(t.t_type, ikev2_t_type_map), 1964 idstr)); 1965 else 1966 ND_PRINT((ndo," #%u type=%s id=%u ", tcount, 1967 STR_OR_ID(t.t_type, ikev2_t_type_map), 1968 t.t_id)); 1969 cp = (const u_char *)(p + 1); 1970 ep2 = (const u_char *)p + item_len; 1971 while (cp < ep && cp < ep2) { 1972 if (map && nmap) { 1973 cp = ikev1_attrmap_print(ndo, cp, ep2, map, nmap); 1974 } else 1975 cp = ikev1_attr_print(ndo, cp, ep2); 1976 if (cp == NULL) 1977 goto trunc; 1978 } 1979 if (ep < ep2) 1980 ND_PRINT((ndo,"...")); 1981 return cp; 1982 trunc: 1983 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_T))); 1984 return NULL; 1985 } 1986 1987 static const u_char * 1988 ikev2_p_print(netdissect_options *ndo, u_char tpay _U_, int pcount _U_, 1989 const struct isakmp_gen *ext, u_int oprop_length, 1990 const u_char *ep, int depth) 1991 { 1992 const struct ikev2_p *p; 1993 struct ikev2_p prop; 1994 u_int prop_length; 1995 const u_char *cp; 1996 int i; 1997 int tcount; 1998 u_char np; 1999 struct isakmp_gen e; 2000 u_int item_len; 2001 2002 p = (const struct ikev2_p *)ext; 2003 ND_TCHECK(*p); 2004 UNALIGNED_MEMCPY(&prop, ext, sizeof(prop)); 2005 2006 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_P), prop.h.critical); 2007 2008 /* 2009 * ikev2_sa_print() guarantees that this is >= 4. 2010 */ 2011 prop_length = oprop_length - 4; 2012 ND_PRINT((ndo," #%u protoid=%s transform=%d len=%u", 2013 prop.p_no, PROTOIDSTR(prop.prot_id), 2014 prop.num_t, oprop_length)); 2015 cp = (const u_char *)(p + 1); 2016 2017 if (prop.spi_size) { 2018 if (prop_length < prop.spi_size) 2019 goto toolong; 2020 ND_PRINT((ndo," spi=")); 2021 if (!rawprint(ndo, (const uint8_t *)cp, prop.spi_size)) 2022 goto trunc; 2023 cp += prop.spi_size; 2024 prop_length -= prop.spi_size; 2025 } 2026 2027 /* 2028 * Print the transforms. 2029 */ 2030 tcount = 0; 2031 for (np = ISAKMP_NPTYPE_T; np != 0; np = e.np) { 2032 tcount++; 2033 ext = (const struct isakmp_gen *)cp; 2034 if (prop_length < sizeof(*ext)) 2035 goto toolong; 2036 ND_TCHECK(*ext); 2037 UNALIGNED_MEMCPY(&e, ext, sizeof(e)); 2038 2039 /* 2040 * Since we can't have a payload length of less than 4 bytes, 2041 * we need to bail out here if the generic header is nonsensical 2042 * or truncated, otherwise we could loop forever processing 2043 * zero-length items or otherwise misdissect the packet. 2044 */ 2045 item_len = ntohs(e.len); 2046 if (item_len <= 4) 2047 goto trunc; 2048 2049 if (prop_length < item_len) 2050 goto toolong; 2051 ND_TCHECK2(*cp, item_len); 2052 2053 depth++; 2054 ND_PRINT((ndo,"\n")); 2055 for (i = 0; i < depth; i++) 2056 ND_PRINT((ndo," ")); 2057 ND_PRINT((ndo,"(")); 2058 if (np == ISAKMP_NPTYPE_T) { 2059 cp = ikev2_t_print(ndo, tcount, ext, item_len, ep); 2060 if (cp == NULL) { 2061 /* error, already reported */ 2062 return NULL; 2063 } 2064 } else { 2065 ND_PRINT((ndo, "%s", NPSTR(np))); 2066 cp += item_len; 2067 } 2068 ND_PRINT((ndo,")")); 2069 depth--; 2070 prop_length -= item_len; 2071 } 2072 return cp; 2073 toolong: 2074 /* 2075 * Skip the rest of the proposal. 2076 */ 2077 cp += prop_length; 2078 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_P))); 2079 return cp; 2080 trunc: 2081 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_P))); 2082 return NULL; 2083 } 2084 2085 static const u_char * 2086 ikev2_sa_print(netdissect_options *ndo, u_char tpay, 2087 const struct isakmp_gen *ext1, 2088 u_int osa_length, const u_char *ep, 2089 uint32_t phase _U_, uint32_t doi _U_, 2090 uint32_t proto _U_, int depth) 2091 { 2092 const struct isakmp_gen *ext; 2093 struct isakmp_gen e; 2094 u_int sa_length; 2095 const u_char *cp; 2096 int i; 2097 int pcount; 2098 u_char np; 2099 u_int item_len; 2100 2101 ND_TCHECK(*ext1); 2102 UNALIGNED_MEMCPY(&e, ext1, sizeof(e)); 2103 ikev2_pay_print(ndo, "sa", e.critical); 2104 2105 /* 2106 * ikev2_sub0_print() guarantees that this is >= 4. 2107 */ 2108 osa_length= ntohs(e.len); 2109 sa_length = osa_length - 4; 2110 ND_PRINT((ndo," len=%d", sa_length)); 2111 2112 /* 2113 * Print the payloads. 2114 */ 2115 cp = (const u_char *)(ext1 + 1); 2116 pcount = 0; 2117 for (np = ISAKMP_NPTYPE_P; np != 0; np = e.np) { 2118 pcount++; 2119 ext = (const struct isakmp_gen *)cp; 2120 if (sa_length < sizeof(*ext)) 2121 goto toolong; 2122 ND_TCHECK(*ext); 2123 UNALIGNED_MEMCPY(&e, ext, sizeof(e)); 2124 2125 /* 2126 * Since we can't have a payload length of less than 4 bytes, 2127 * we need to bail out here if the generic header is nonsensical 2128 * or truncated, otherwise we could loop forever processing 2129 * zero-length items or otherwise misdissect the packet. 2130 */ 2131 item_len = ntohs(e.len); 2132 if (item_len <= 4) 2133 goto trunc; 2134 2135 if (sa_length < item_len) 2136 goto toolong; 2137 ND_TCHECK2(*cp, item_len); 2138 2139 depth++; 2140 ND_PRINT((ndo,"\n")); 2141 for (i = 0; i < depth; i++) 2142 ND_PRINT((ndo," ")); 2143 ND_PRINT((ndo,"(")); 2144 if (np == ISAKMP_NPTYPE_P) { 2145 cp = ikev2_p_print(ndo, np, pcount, ext, item_len, 2146 ep, depth); 2147 if (cp == NULL) { 2148 /* error, already reported */ 2149 return NULL; 2150 } 2151 } else { 2152 ND_PRINT((ndo, "%s", NPSTR(np))); 2153 cp += item_len; 2154 } 2155 ND_PRINT((ndo,")")); 2156 depth--; 2157 sa_length -= item_len; 2158 } 2159 return cp; 2160 toolong: 2161 /* 2162 * Skip the rest of the SA. 2163 */ 2164 cp += sa_length; 2165 ND_PRINT((ndo," [|%s]", NPSTR(tpay))); 2166 return cp; 2167 trunc: 2168 ND_PRINT((ndo," [|%s]", NPSTR(tpay))); 2169 return NULL; 2170 } 2171 2172 static const u_char * 2173 ikev2_ke_print(netdissect_options *ndo, u_char tpay, 2174 const struct isakmp_gen *ext, 2175 u_int item_len _U_, const u_char *ep _U_, 2176 uint32_t phase _U_, uint32_t doi _U_, 2177 uint32_t proto _U_, int depth _U_) 2178 { 2179 struct ikev2_ke ke; 2180 const struct ikev2_ke *k; 2181 2182 k = (const struct ikev2_ke *)ext; 2183 ND_TCHECK(*k); 2184 UNALIGNED_MEMCPY(&ke, ext, sizeof(ke)); 2185 ikev2_pay_print(ndo, NPSTR(tpay), ke.h.critical); 2186 2187 ND_PRINT((ndo," len=%u group=%s", ntohs(ke.h.len) - 8, 2188 STR_OR_ID(ntohs(ke.ke_group), dh_p_map))); 2189 2190 if (2 < ndo->ndo_vflag && 8 < ntohs(ke.h.len)) { 2191 ND_PRINT((ndo," ")); 2192 if (!rawprint(ndo, (const uint8_t *)(k + 1), ntohs(ke.h.len) - 8)) 2193 goto trunc; 2194 } 2195 return (const u_char *)ext + ntohs(ke.h.len); 2196 trunc: 2197 ND_PRINT((ndo," [|%s]", NPSTR(tpay))); 2198 return NULL; 2199 } 2200 2201 static const u_char * 2202 ikev2_ID_print(netdissect_options *ndo, u_char tpay, 2203 const struct isakmp_gen *ext, 2204 u_int item_len _U_, const u_char *ep _U_, 2205 uint32_t phase _U_, uint32_t doi _U_, 2206 uint32_t proto _U_, int depth _U_) 2207 { 2208 const struct ikev2_id *idp; 2209 struct ikev2_id id; 2210 int id_len, idtype_len, i; 2211 unsigned int dumpascii, dumphex; 2212 const unsigned char *typedata; 2213 2214 idp = (const struct ikev2_id *)ext; 2215 ND_TCHECK(*idp); 2216 UNALIGNED_MEMCPY(&id, ext, sizeof(id)); 2217 ikev2_pay_print(ndo, NPSTR(tpay), id.h.critical); 2218 2219 id_len = ntohs(id.h.len); 2220 2221 ND_PRINT((ndo," len=%d", id_len - 4)); 2222 if (2 < ndo->ndo_vflag && 4 < id_len) { 2223 /* Print the entire payload in hex */ 2224 ND_PRINT((ndo," ")); 2225 if (!rawprint(ndo, (const uint8_t *)(ext + 1), id_len - 4)) 2226 goto trunc; 2227 } 2228 2229 idtype_len =id_len - sizeof(struct ikev2_id); 2230 dumpascii = 0; 2231 dumphex = 0; 2232 typedata = (const unsigned char *)(ext)+sizeof(struct ikev2_id); 2233 2234 switch(id.type) { 2235 case ID_IPV4_ADDR: 2236 ND_PRINT((ndo, " ipv4:")); 2237 dumphex=1; 2238 break; 2239 case ID_FQDN: 2240 ND_PRINT((ndo, " fqdn:")); 2241 dumpascii=1; 2242 break; 2243 case ID_RFC822_ADDR: 2244 ND_PRINT((ndo, " rfc822:")); 2245 dumpascii=1; 2246 break; 2247 case ID_IPV6_ADDR: 2248 ND_PRINT((ndo, " ipv6:")); 2249 dumphex=1; 2250 break; 2251 case ID_DER_ASN1_DN: 2252 ND_PRINT((ndo, " dn:")); 2253 dumphex=1; 2254 break; 2255 case ID_DER_ASN1_GN: 2256 ND_PRINT((ndo, " gn:")); 2257 dumphex=1; 2258 break; 2259 case ID_KEY_ID: 2260 ND_PRINT((ndo, " keyid:")); 2261 dumphex=1; 2262 break; 2263 } 2264 2265 if(dumpascii) { 2266 ND_TCHECK2(*typedata, idtype_len); 2267 for(i=0; i<idtype_len; i++) { 2268 if(ND_ISPRINT(typedata[i])) { 2269 ND_PRINT((ndo, "%c", typedata[i])); 2270 } else { 2271 ND_PRINT((ndo, ".")); 2272 } 2273 } 2274 } 2275 if(dumphex) { 2276 if (!rawprint(ndo, (const uint8_t *)typedata, idtype_len)) 2277 goto trunc; 2278 } 2279 2280 return (const u_char *)ext + id_len; 2281 trunc: 2282 ND_PRINT((ndo," [|%s]", NPSTR(tpay))); 2283 return NULL; 2284 } 2285 2286 static const u_char * 2287 ikev2_cert_print(netdissect_options *ndo, u_char tpay, 2288 const struct isakmp_gen *ext, 2289 u_int item_len _U_, const u_char *ep _U_, 2290 uint32_t phase _U_, uint32_t doi _U_, 2291 uint32_t proto _U_, int depth _U_) 2292 { 2293 return ikev2_gen_print(ndo, tpay, ext); 2294 } 2295 2296 static const u_char * 2297 ikev2_cr_print(netdissect_options *ndo, u_char tpay, 2298 const struct isakmp_gen *ext, 2299 u_int item_len _U_, const u_char *ep _U_, 2300 uint32_t phase _U_, uint32_t doi _U_, 2301 uint32_t proto _U_, int depth _U_) 2302 { 2303 return ikev2_gen_print(ndo, tpay, ext); 2304 } 2305 2306 static const u_char * 2307 ikev2_auth_print(netdissect_options *ndo, u_char tpay, 2308 const struct isakmp_gen *ext, 2309 u_int item_len _U_, const u_char *ep, 2310 uint32_t phase _U_, uint32_t doi _U_, 2311 uint32_t proto _U_, int depth _U_) 2312 { 2313 struct ikev2_auth a; 2314 const char *v2_auth[]={ "invalid", "rsasig", 2315 "shared-secret", "dsssig" }; 2316 const u_char *authdata = (const u_char*)ext + sizeof(a); 2317 unsigned int len; 2318 2319 ND_TCHECK2(*ext, sizeof(a)); 2320 UNALIGNED_MEMCPY(&a, ext, sizeof(a)); 2321 ikev2_pay_print(ndo, NPSTR(tpay), a.h.critical); 2322 len = ntohs(a.h.len); 2323 2324 /* 2325 * Our caller has ensured that the length is >= 4. 2326 */ 2327 ND_PRINT((ndo," len=%u method=%s", len-4, 2328 STR_OR_ID(a.auth_method, v2_auth))); 2329 if (len > 4) { 2330 if (ndo->ndo_vflag > 1) { 2331 ND_PRINT((ndo, " authdata=(")); 2332 if (!rawprint(ndo, (const uint8_t *)authdata, len - sizeof(a))) 2333 goto trunc; 2334 ND_PRINT((ndo, ") ")); 2335 } else if (ndo->ndo_vflag) { 2336 if (!ike_show_somedata(ndo, authdata, ep)) 2337 goto trunc; 2338 } 2339 } 2340 2341 return (const u_char *)ext + len; 2342 trunc: 2343 ND_PRINT((ndo," [|%s]", NPSTR(tpay))); 2344 return NULL; 2345 } 2346 2347 static const u_char * 2348 ikev2_nonce_print(netdissect_options *ndo, u_char tpay, 2349 const struct isakmp_gen *ext, 2350 u_int item_len _U_, const u_char *ep, 2351 uint32_t phase _U_, uint32_t doi _U_, 2352 uint32_t proto _U_, int depth _U_) 2353 { 2354 struct isakmp_gen e; 2355 2356 ND_TCHECK(*ext); 2357 UNALIGNED_MEMCPY(&e, ext, sizeof(e)); 2358 ikev2_pay_print(ndo, "nonce", e.critical); 2359 2360 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4)); 2361 if (1 < ndo->ndo_vflag && 4 < ntohs(e.len)) { 2362 ND_PRINT((ndo," nonce=(")); 2363 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4)) 2364 goto trunc; 2365 ND_PRINT((ndo,") ")); 2366 } else if(ndo->ndo_vflag && 4 < ntohs(e.len)) { 2367 if(!ike_show_somedata(ndo, (const u_char *)(ext+1), ep)) goto trunc; 2368 } 2369 2370 return (const u_char *)ext + ntohs(e.len); 2371 trunc: 2372 ND_PRINT((ndo," [|%s]", NPSTR(tpay))); 2373 return NULL; 2374 } 2375 2376 /* notify payloads */ 2377 static const u_char * 2378 ikev2_n_print(netdissect_options *ndo, u_char tpay _U_, 2379 const struct isakmp_gen *ext, 2380 u_int item_len, const u_char *ep, 2381 uint32_t phase _U_, uint32_t doi _U_, 2382 uint32_t proto _U_, int depth _U_) 2383 { 2384 const struct ikev2_n *p; 2385 struct ikev2_n n; 2386 const u_char *cp; 2387 u_char showspi, showsomedata; 2388 const char *notify_name; 2389 uint32_t type; 2390 2391 p = (const struct ikev2_n *)ext; 2392 ND_TCHECK(*p); 2393 UNALIGNED_MEMCPY(&n, ext, sizeof(n)); 2394 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_N), n.h.critical); 2395 2396 showspi = 1; 2397 showsomedata=0; 2398 notify_name=NULL; 2399 2400 ND_PRINT((ndo," prot_id=%s", PROTOIDSTR(n.prot_id))); 2401 2402 type = ntohs(n.type); 2403 2404 /* notify space is annoying sparse */ 2405 switch(type) { 2406 case IV2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD: 2407 notify_name = "unsupported_critical_payload"; 2408 showspi = 0; 2409 break; 2410 2411 case IV2_NOTIFY_INVALID_IKE_SPI: 2412 notify_name = "invalid_ike_spi"; 2413 showspi = 1; 2414 break; 2415 2416 case IV2_NOTIFY_INVALID_MAJOR_VERSION: 2417 notify_name = "invalid_major_version"; 2418 showspi = 0; 2419 break; 2420 2421 case IV2_NOTIFY_INVALID_SYNTAX: 2422 notify_name = "invalid_syntax"; 2423 showspi = 1; 2424 break; 2425 2426 case IV2_NOTIFY_INVALID_MESSAGE_ID: 2427 notify_name = "invalid_message_id"; 2428 showspi = 1; 2429 break; 2430 2431 case IV2_NOTIFY_INVALID_SPI: 2432 notify_name = "invalid_spi"; 2433 showspi = 1; 2434 break; 2435 2436 case IV2_NOTIFY_NO_PROPOSAL_CHOSEN: 2437 notify_name = "no_protocol_chosen"; 2438 showspi = 1; 2439 break; 2440 2441 case IV2_NOTIFY_INVALID_KE_PAYLOAD: 2442 notify_name = "invalid_ke_payload"; 2443 showspi = 1; 2444 break; 2445 2446 case IV2_NOTIFY_AUTHENTICATION_FAILED: 2447 notify_name = "authentication_failed"; 2448 showspi = 1; 2449 break; 2450 2451 case IV2_NOTIFY_SINGLE_PAIR_REQUIRED: 2452 notify_name = "single_pair_required"; 2453 showspi = 1; 2454 break; 2455 2456 case IV2_NOTIFY_NO_ADDITIONAL_SAS: 2457 notify_name = "no_additional_sas"; 2458 showspi = 0; 2459 break; 2460 2461 case IV2_NOTIFY_INTERNAL_ADDRESS_FAILURE: 2462 notify_name = "internal_address_failure"; 2463 showspi = 0; 2464 break; 2465 2466 case IV2_NOTIFY_FAILED_CP_REQUIRED: 2467 notify_name = "failed:cp_required"; 2468 showspi = 0; 2469 break; 2470 2471 case IV2_NOTIFY_INVALID_SELECTORS: 2472 notify_name = "invalid_selectors"; 2473 showspi = 0; 2474 break; 2475 2476 case IV2_NOTIFY_INITIAL_CONTACT: 2477 notify_name = "initial_contact"; 2478 showspi = 0; 2479 break; 2480 2481 case IV2_NOTIFY_SET_WINDOW_SIZE: 2482 notify_name = "set_window_size"; 2483 showspi = 0; 2484 break; 2485 2486 case IV2_NOTIFY_ADDITIONAL_TS_POSSIBLE: 2487 notify_name = "additional_ts_possible"; 2488 showspi = 0; 2489 break; 2490 2491 case IV2_NOTIFY_IPCOMP_SUPPORTED: 2492 notify_name = "ipcomp_supported"; 2493 showspi = 0; 2494 break; 2495 2496 case IV2_NOTIFY_NAT_DETECTION_SOURCE_IP: 2497 notify_name = "nat_detection_source_ip"; 2498 showspi = 1; 2499 break; 2500 2501 case IV2_NOTIFY_NAT_DETECTION_DESTINATION_IP: 2502 notify_name = "nat_detection_destination_ip"; 2503 showspi = 1; 2504 break; 2505 2506 case IV2_NOTIFY_COOKIE: 2507 notify_name = "cookie"; 2508 showspi = 1; 2509 showsomedata= 1; 2510 break; 2511 2512 case IV2_NOTIFY_USE_TRANSPORT_MODE: 2513 notify_name = "use_transport_mode"; 2514 showspi = 0; 2515 break; 2516 2517 case IV2_NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED: 2518 notify_name = "http_cert_lookup_supported"; 2519 showspi = 0; 2520 break; 2521 2522 case IV2_NOTIFY_REKEY_SA: 2523 notify_name = "rekey_sa"; 2524 showspi = 1; 2525 break; 2526 2527 case IV2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED: 2528 notify_name = "tfc_padding_not_supported"; 2529 showspi = 0; 2530 break; 2531 2532 case IV2_NOTIFY_NON_FIRST_FRAGMENTS_ALSO: 2533 notify_name = "non_first_fragment_also"; 2534 showspi = 0; 2535 break; 2536 2537 default: 2538 if (type < 8192) { 2539 notify_name="error"; 2540 } else if(type < 16384) { 2541 notify_name="private-error"; 2542 } else if(type < 40960) { 2543 notify_name="status"; 2544 } else { 2545 notify_name="private-status"; 2546 } 2547 } 2548 2549 if(notify_name) { 2550 ND_PRINT((ndo," type=%u(%s)", type, notify_name)); 2551 } 2552 2553 2554 if (showspi && n.spi_size) { 2555 ND_PRINT((ndo," spi=")); 2556 if (!rawprint(ndo, (const uint8_t *)(p + 1), n.spi_size)) 2557 goto trunc; 2558 } 2559 2560 cp = (const u_char *)(p + 1) + n.spi_size; 2561 2562 if (cp < ep) { 2563 if (ndo->ndo_vflag > 3 || (showsomedata && ep-cp < 30)) { 2564 ND_PRINT((ndo," data=(")); 2565 if (!rawprint(ndo, (const uint8_t *)(cp), ep - cp)) 2566 goto trunc; 2567 2568 ND_PRINT((ndo,")")); 2569 } else if (showsomedata) { 2570 if (!ike_show_somedata(ndo, cp, ep)) 2571 goto trunc; 2572 } 2573 } 2574 2575 return (const u_char *)ext + item_len; 2576 trunc: 2577 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_N))); 2578 return NULL; 2579 } 2580 2581 static const u_char * 2582 ikev2_d_print(netdissect_options *ndo, u_char tpay, 2583 const struct isakmp_gen *ext, 2584 u_int item_len _U_, const u_char *ep _U_, 2585 uint32_t phase _U_, uint32_t doi _U_, 2586 uint32_t proto _U_, int depth _U_) 2587 { 2588 return ikev2_gen_print(ndo, tpay, ext); 2589 } 2590 2591 static const u_char * 2592 ikev2_vid_print(netdissect_options *ndo, u_char tpay, 2593 const struct isakmp_gen *ext, 2594 u_int item_len _U_, const u_char *ep _U_, 2595 uint32_t phase _U_, uint32_t doi _U_, 2596 uint32_t proto _U_, int depth _U_) 2597 { 2598 struct isakmp_gen e; 2599 const u_char *vid; 2600 int i, len; 2601 2602 ND_TCHECK(*ext); 2603 UNALIGNED_MEMCPY(&e, ext, sizeof(e)); 2604 ikev2_pay_print(ndo, NPSTR(tpay), e.critical); 2605 ND_PRINT((ndo," len=%d vid=", ntohs(e.len) - 4)); 2606 2607 vid = (const u_char *)(ext+1); 2608 len = ntohs(e.len) - 4; 2609 ND_TCHECK2(*vid, len); 2610 for(i=0; i<len; i++) { 2611 if(ND_ISPRINT(vid[i])) ND_PRINT((ndo, "%c", vid[i])); 2612 else ND_PRINT((ndo, ".")); 2613 } 2614 if (2 < ndo->ndo_vflag && 4 < len) { 2615 /* Print the entire payload in hex */ 2616 ND_PRINT((ndo," ")); 2617 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4)) 2618 goto trunc; 2619 } 2620 return (const u_char *)ext + ntohs(e.len); 2621 trunc: 2622 ND_PRINT((ndo," [|%s]", NPSTR(tpay))); 2623 return NULL; 2624 } 2625 2626 static const u_char * 2627 ikev2_TS_print(netdissect_options *ndo, u_char tpay, 2628 const struct isakmp_gen *ext, 2629 u_int item_len _U_, const u_char *ep _U_, 2630 uint32_t phase _U_, uint32_t doi _U_, 2631 uint32_t proto _U_, int depth _U_) 2632 { 2633 return ikev2_gen_print(ndo, tpay, ext); 2634 } 2635 2636 static const u_char * 2637 ikev2_e_print(netdissect_options *ndo, 2638 #ifndef HAVE_LIBCRYPTO 2639 _U_ 2640 #endif 2641 struct isakmp *base, 2642 u_char tpay, 2643 const struct isakmp_gen *ext, 2644 u_int item_len _U_, const u_char *ep _U_, 2645 #ifndef HAVE_LIBCRYPTO 2646 _U_ 2647 #endif 2648 uint32_t phase, 2649 #ifndef HAVE_LIBCRYPTO 2650 _U_ 2651 #endif 2652 uint32_t doi, 2653 #ifndef HAVE_LIBCRYPTO 2654 _U_ 2655 #endif 2656 uint32_t proto, 2657 #ifndef HAVE_LIBCRYPTO 2658 _U_ 2659 #endif 2660 int depth) 2661 { 2662 struct isakmp_gen e; 2663 const u_char *dat; 2664 volatile int dlen; 2665 2666 ND_TCHECK(*ext); 2667 UNALIGNED_MEMCPY(&e, ext, sizeof(e)); 2668 ikev2_pay_print(ndo, NPSTR(tpay), e.critical); 2669 2670 dlen = ntohs(e.len)-4; 2671 2672 ND_PRINT((ndo," len=%d", dlen)); 2673 if (2 < ndo->ndo_vflag && 4 < dlen) { 2674 ND_PRINT((ndo," ")); 2675 if (!rawprint(ndo, (const uint8_t *)(ext + 1), dlen)) 2676 goto trunc; 2677 } 2678 2679 dat = (const u_char *)(ext+1); 2680 ND_TCHECK2(*dat, dlen); 2681 2682 #ifdef HAVE_LIBCRYPTO 2683 /* try to decypt it! */ 2684 if(esp_print_decrypt_buffer_by_ikev2(ndo, 2685 base->flags & ISAKMP_FLAG_I, 2686 base->i_ck, base->r_ck, 2687 dat, dat+dlen)) { 2688 2689 ext = (const struct isakmp_gen *)ndo->ndo_packetp; 2690 2691 /* got it decrypted, print stuff inside. */ 2692 ikev2_sub_print(ndo, base, e.np, ext, ndo->ndo_snapend, 2693 phase, doi, proto, depth+1); 2694 } 2695 #endif 2696 2697 2698 /* always return NULL, because E must be at end, and NP refers 2699 * to what was inside. 2700 */ 2701 return NULL; 2702 trunc: 2703 ND_PRINT((ndo," [|%s]", NPSTR(tpay))); 2704 return NULL; 2705 } 2706 2707 static const u_char * 2708 ikev2_cp_print(netdissect_options *ndo, u_char tpay, 2709 const struct isakmp_gen *ext, 2710 u_int item_len _U_, const u_char *ep _U_, 2711 uint32_t phase _U_, uint32_t doi _U_, 2712 uint32_t proto _U_, int depth _U_) 2713 { 2714 return ikev2_gen_print(ndo, tpay, ext); 2715 } 2716 2717 static const u_char * 2718 ikev2_eap_print(netdissect_options *ndo, u_char tpay, 2719 const struct isakmp_gen *ext, 2720 u_int item_len _U_, const u_char *ep _U_, 2721 uint32_t phase _U_, uint32_t doi _U_, 2722 uint32_t proto _U_, int depth _U_) 2723 { 2724 return ikev2_gen_print(ndo, tpay, ext); 2725 } 2726 2727 static const u_char * 2728 ike_sub0_print(netdissect_options *ndo, 2729 u_char np, const struct isakmp_gen *ext, const u_char *ep, 2730 2731 uint32_t phase, uint32_t doi, uint32_t proto, int depth) 2732 { 2733 const u_char *cp; 2734 struct isakmp_gen e; 2735 u_int item_len; 2736 2737 cp = (const u_char *)ext; 2738 ND_TCHECK(*ext); 2739 UNALIGNED_MEMCPY(&e, ext, sizeof(e)); 2740 2741 /* 2742 * Since we can't have a payload length of less than 4 bytes, 2743 * we need to bail out here if the generic header is nonsensical 2744 * or truncated, otherwise we could loop forever processing 2745 * zero-length items or otherwise misdissect the packet. 2746 */ 2747 item_len = ntohs(e.len); 2748 if (item_len <= 4) 2749 return NULL; 2750 2751 if (NPFUNC(np)) { 2752 /* 2753 * XXX - what if item_len is too short, or too long, 2754 * for this payload type? 2755 */ 2756 cp = (*npfunc[np])(ndo, np, ext, item_len, ep, phase, doi, proto, depth); 2757 } else { 2758 ND_PRINT((ndo,"%s", NPSTR(np))); 2759 cp += item_len; 2760 } 2761 2762 return cp; 2763 trunc: 2764 ND_PRINT((ndo," [|isakmp]")); 2765 return NULL; 2766 } 2767 2768 static const u_char * 2769 ikev1_sub_print(netdissect_options *ndo, 2770 u_char np, const struct isakmp_gen *ext, const u_char *ep, 2771 uint32_t phase, uint32_t doi, uint32_t proto, int depth) 2772 { 2773 const u_char *cp; 2774 int i; 2775 struct isakmp_gen e; 2776 2777 cp = (const u_char *)ext; 2778 2779 while (np) { 2780 ND_TCHECK(*ext); 2781 UNALIGNED_MEMCPY(&e, ext, sizeof(e)); 2782 2783 ND_TCHECK2(*ext, ntohs(e.len)); 2784 2785 depth++; 2786 ND_PRINT((ndo,"\n")); 2787 for (i = 0; i < depth; i++) 2788 ND_PRINT((ndo," ")); 2789 ND_PRINT((ndo,"(")); 2790 cp = ike_sub0_print(ndo, np, ext, ep, phase, doi, proto, depth); 2791 ND_PRINT((ndo,")")); 2792 depth--; 2793 2794 if (cp == NULL) { 2795 /* Zero-length subitem */ 2796 return NULL; 2797 } 2798 2799 np = e.np; 2800 ext = (const struct isakmp_gen *)cp; 2801 } 2802 return cp; 2803 trunc: 2804 ND_PRINT((ndo," [|%s]", NPSTR(np))); 2805 return NULL; 2806 } 2807 2808 static char * 2809 numstr(int x) 2810 { 2811 static char buf[20]; 2812 snprintf(buf, sizeof(buf), "#%d", x); 2813 return buf; 2814 } 2815 2816 static void 2817 ikev1_print(netdissect_options *ndo, 2818 const u_char *bp, u_int length, 2819 const u_char *bp2, struct isakmp *base) 2820 { 2821 const struct isakmp *p; 2822 const u_char *ep; 2823 u_char np; 2824 int i; 2825 int phase; 2826 2827 p = (const struct isakmp *)bp; 2828 ep = ndo->ndo_snapend; 2829 2830 phase = (EXTRACT_32BITS(base->msgid) == 0) ? 1 : 2; 2831 if (phase == 1) 2832 ND_PRINT((ndo," phase %d", phase)); 2833 else 2834 ND_PRINT((ndo," phase %d/others", phase)); 2835 2836 i = cookie_find(&base->i_ck); 2837 if (i < 0) { 2838 if (iszero((const u_char *)&base->r_ck, sizeof(base->r_ck))) { 2839 /* the first packet */ 2840 ND_PRINT((ndo," I")); 2841 if (bp2) 2842 cookie_record(&base->i_ck, bp2); 2843 } else 2844 ND_PRINT((ndo," ?")); 2845 } else { 2846 if (bp2 && cookie_isinitiator(i, bp2)) 2847 ND_PRINT((ndo," I")); 2848 else if (bp2 && cookie_isresponder(i, bp2)) 2849 ND_PRINT((ndo," R")); 2850 else 2851 ND_PRINT((ndo," ?")); 2852 } 2853 2854 ND_PRINT((ndo," %s", ETYPESTR(base->etype))); 2855 if (base->flags) { 2856 ND_PRINT((ndo,"[%s%s]", base->flags & ISAKMP_FLAG_E ? "E" : "", 2857 base->flags & ISAKMP_FLAG_C ? "C" : "")); 2858 } 2859 2860 if (ndo->ndo_vflag) { 2861 const struct isakmp_gen *ext; 2862 2863 ND_PRINT((ndo,":")); 2864 2865 /* regardless of phase... */ 2866 if (base->flags & ISAKMP_FLAG_E) { 2867 /* 2868 * encrypted, nothing we can do right now. 2869 * we hope to decrypt the packet in the future... 2870 */ 2871 ND_PRINT((ndo," [encrypted %s]", NPSTR(base->np))); 2872 goto done; 2873 } 2874 2875 CHECKLEN(p + 1, base->np); 2876 np = base->np; 2877 ext = (const struct isakmp_gen *)(p + 1); 2878 ikev1_sub_print(ndo, np, ext, ep, phase, 0, 0, 0); 2879 } 2880 2881 done: 2882 if (ndo->ndo_vflag) { 2883 if (ntohl(base->len) != length) { 2884 ND_PRINT((ndo," (len mismatch: isakmp %u/ip %u)", 2885 (uint32_t)ntohl(base->len), length)); 2886 } 2887 } 2888 } 2889 2890 static const u_char * 2891 ikev2_sub0_print(netdissect_options *ndo, struct isakmp *base, 2892 u_char np, 2893 const struct isakmp_gen *ext, const u_char *ep, 2894 uint32_t phase, uint32_t doi, uint32_t proto, int depth) 2895 { 2896 const u_char *cp; 2897 struct isakmp_gen e; 2898 u_int item_len; 2899 2900 cp = (const u_char *)ext; 2901 ND_TCHECK(*ext); 2902 UNALIGNED_MEMCPY(&e, ext, sizeof(e)); 2903 2904 /* 2905 * Since we can't have a payload length of less than 4 bytes, 2906 * we need to bail out here if the generic header is nonsensical 2907 * or truncated, otherwise we could loop forever processing 2908 * zero-length items or otherwise misdissect the packet. 2909 */ 2910 item_len = ntohs(e.len); 2911 if (item_len <= 4) 2912 return NULL; 2913 2914 if (np == ISAKMP_NPTYPE_v2E) { 2915 cp = ikev2_e_print(ndo, base, np, ext, item_len, 2916 ep, phase, doi, proto, depth); 2917 } else if (NPFUNC(np)) { 2918 /* 2919 * XXX - what if item_len is too short, or too long, 2920 * for this payload type? 2921 */ 2922 cp = (*npfunc[np])(ndo, np, ext, item_len, 2923 ep, phase, doi, proto, depth); 2924 } else { 2925 ND_PRINT((ndo,"%s", NPSTR(np))); 2926 cp += item_len; 2927 } 2928 2929 return cp; 2930 trunc: 2931 ND_PRINT((ndo," [|isakmp]")); 2932 return NULL; 2933 } 2934 2935 static const u_char * 2936 ikev2_sub_print(netdissect_options *ndo, 2937 struct isakmp *base, 2938 u_char np, const struct isakmp_gen *ext, const u_char *ep, 2939 uint32_t phase, uint32_t doi, uint32_t proto, int depth) 2940 { 2941 const u_char *cp; 2942 int i; 2943 struct isakmp_gen e; 2944 2945 cp = (const u_char *)ext; 2946 while (np) { 2947 ND_TCHECK(*ext); 2948 UNALIGNED_MEMCPY(&e, ext, sizeof(e)); 2949 2950 ND_TCHECK2(*ext, ntohs(e.len)); 2951 2952 depth++; 2953 ND_PRINT((ndo,"\n")); 2954 for (i = 0; i < depth; i++) 2955 ND_PRINT((ndo," ")); 2956 ND_PRINT((ndo,"(")); 2957 cp = ikev2_sub0_print(ndo, base, np, 2958 ext, ep, phase, doi, proto, depth); 2959 ND_PRINT((ndo,")")); 2960 depth--; 2961 2962 if (cp == NULL) { 2963 /* Zero-length subitem */ 2964 return NULL; 2965 } 2966 2967 np = e.np; 2968 ext = (const struct isakmp_gen *)cp; 2969 } 2970 return cp; 2971 trunc: 2972 ND_PRINT((ndo," [|%s]", NPSTR(np))); 2973 return NULL; 2974 } 2975 2976 static void 2977 ikev2_print(netdissect_options *ndo, 2978 const u_char *bp, u_int length, 2979 const u_char *bp2 _U_, struct isakmp *base) 2980 { 2981 const struct isakmp *p; 2982 const u_char *ep; 2983 u_char np; 2984 int phase; 2985 2986 p = (const struct isakmp *)bp; 2987 ep = ndo->ndo_snapend; 2988 2989 phase = (EXTRACT_32BITS(base->msgid) == 0) ? 1 : 2; 2990 if (phase == 1) 2991 ND_PRINT((ndo, " parent_sa")); 2992 else 2993 ND_PRINT((ndo, " child_sa ")); 2994 2995 ND_PRINT((ndo, " %s", ETYPESTR(base->etype))); 2996 if (base->flags) { 2997 ND_PRINT((ndo, "[%s%s%s]", 2998 base->flags & ISAKMP_FLAG_I ? "I" : "", 2999 base->flags & ISAKMP_FLAG_V ? "V" : "", 3000 base->flags & ISAKMP_FLAG_R ? "R" : "")); 3001 } 3002 3003 if (ndo->ndo_vflag) { 3004 const struct isakmp_gen *ext; 3005 3006 ND_PRINT((ndo, ":")); 3007 3008 /* regardless of phase... */ 3009 if (base->flags & ISAKMP_FLAG_E) { 3010 /* 3011 * encrypted, nothing we can do right now. 3012 * we hope to decrypt the packet in the future... 3013 */ 3014 ND_PRINT((ndo, " [encrypted %s]", NPSTR(base->np))); 3015 goto done; 3016 } 3017 3018 CHECKLEN(p + 1, base->np) 3019 3020 np = base->np; 3021 ext = (const struct isakmp_gen *)(p + 1); 3022 ikev2_sub_print(ndo, base, np, ext, ep, phase, 0, 0, 0); 3023 } 3024 3025 done: 3026 if (ndo->ndo_vflag) { 3027 if (ntohl(base->len) != length) { 3028 ND_PRINT((ndo, " (len mismatch: isakmp %u/ip %u)", 3029 (uint32_t)ntohl(base->len), length)); 3030 } 3031 } 3032 } 3033 3034 void 3035 isakmp_print(netdissect_options *ndo, 3036 const u_char *bp, u_int length, 3037 const u_char *bp2) 3038 { 3039 const struct isakmp *p; 3040 struct isakmp base; 3041 const u_char *ep; 3042 int major, minor; 3043 3044 #ifdef HAVE_LIBCRYPTO 3045 /* initialize SAs */ 3046 if (ndo->ndo_sa_list_head == NULL) { 3047 if (ndo->ndo_espsecret) 3048 esp_print_decodesecret(ndo); 3049 } 3050 #endif 3051 3052 p = (const struct isakmp *)bp; 3053 ep = ndo->ndo_snapend; 3054 3055 if ((const struct isakmp *)ep < p + 1) { 3056 ND_PRINT((ndo,"[|isakmp]")); 3057 return; 3058 } 3059 3060 UNALIGNED_MEMCPY(&base, p, sizeof(base)); 3061 3062 ND_PRINT((ndo,"isakmp")); 3063 major = (base.vers & ISAKMP_VERS_MAJOR) 3064 >> ISAKMP_VERS_MAJOR_SHIFT; 3065 minor = (base.vers & ISAKMP_VERS_MINOR) 3066 >> ISAKMP_VERS_MINOR_SHIFT; 3067 3068 if (ndo->ndo_vflag) { 3069 ND_PRINT((ndo," %d.%d", major, minor)); 3070 } 3071 3072 if (ndo->ndo_vflag) { 3073 ND_PRINT((ndo," msgid ")); 3074 hexprint(ndo, (const uint8_t *)&base.msgid, sizeof(base.msgid)); 3075 } 3076 3077 if (1 < ndo->ndo_vflag) { 3078 ND_PRINT((ndo," cookie ")); 3079 hexprint(ndo, (const uint8_t *)&base.i_ck, sizeof(base.i_ck)); 3080 ND_PRINT((ndo,"->")); 3081 hexprint(ndo, (const uint8_t *)&base.r_ck, sizeof(base.r_ck)); 3082 } 3083 ND_PRINT((ndo,":")); 3084 3085 switch(major) { 3086 case IKEv1_MAJOR_VERSION: 3087 ikev1_print(ndo, bp, length, bp2, &base); 3088 break; 3089 3090 case IKEv2_MAJOR_VERSION: 3091 ikev2_print(ndo, bp, length, bp2, &base); 3092 break; 3093 } 3094 } 3095 3096 void 3097 isakmp_rfc3948_print(netdissect_options *ndo, 3098 const u_char *bp, u_int length, 3099 const u_char *bp2) 3100 { 3101 ND_TCHECK(bp[0]); 3102 if(length == 1 && bp[0]==0xff) { 3103 ND_PRINT((ndo, "isakmp-nat-keep-alive")); 3104 return; 3105 } 3106 3107 if(length < 4) { 3108 goto trunc; 3109 } 3110 ND_TCHECK(bp[3]); 3111 3112 /* 3113 * see if this is an IKE packet 3114 */ 3115 if(bp[0]==0 && bp[1]==0 && bp[2]==0 && bp[3]==0) { 3116 ND_PRINT((ndo, "NONESP-encap: ")); 3117 isakmp_print(ndo, bp+4, length-4, bp2); 3118 return; 3119 } 3120 3121 /* must be an ESP packet */ 3122 { 3123 int nh, enh, padlen; 3124 int advance; 3125 3126 ND_PRINT((ndo, "UDP-encap: ")); 3127 3128 advance = esp_print(ndo, bp, length, bp2, &enh, &padlen); 3129 if(advance <= 0) 3130 return; 3131 3132 bp += advance; 3133 length -= advance + padlen; 3134 nh = enh & 0xff; 3135 3136 ip_print_inner(ndo, bp, length, nh, bp2); 3137 return; 3138 } 3139 3140 trunc: 3141 ND_PRINT((ndo,"[|isakmp]")); 3142 return; 3143 } 3144 3145 /* 3146 * Local Variables: 3147 * c-style: whitesmith 3148 * c-basic-offset: 8 3149 * End: 3150 */ 3151