1 /* 2 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. Neither the name of the project nor the names of its contributors 14 * may be used to endorse or promote products derived from this software 15 * without specific prior written permission. 16 * 17 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27 * SUCH DAMAGE. 28 * 29 */ 30 31 #include <sys/cdefs.h> 32 #ifndef lint 33 __RCSID("$NetBSD: print-isakmp.c,v 1.12 2023/08/17 20:19:40 christos Exp $"); 34 #endif 35 36 /* \summary: Internet Security Association and Key Management Protocol (ISAKMP) printer */ 37 38 /* specification: RFC 2407, RFC 2408, RFC 5996 */ 39 40 #ifdef HAVE_CONFIG_H 41 #include <config.h> 42 #endif 43 44 /* The functions from print-esp.c used in this file are only defined when both 45 * OpenSSL and evp.h are detected. Employ the same preprocessor device here. 46 */ 47 #ifndef HAVE_OPENSSL_EVP_H 48 #undef HAVE_LIBCRYPTO 49 #endif 50 51 #include "netdissect-stdinc.h" 52 53 #include <string.h> 54 55 #include "netdissect-ctype.h" 56 57 #include "netdissect.h" 58 #include "addrtoname.h" 59 #include "extract.h" 60 61 #include "ip.h" 62 #include "ip6.h" 63 #include "ipproto.h" 64 65 typedef nd_byte cookie_t[8]; 66 typedef nd_byte msgid_t[4]; 67 68 #define PORT_ISAKMP 500 69 70 /* 3.1 ISAKMP Header Format (IKEv1 and IKEv2) 71 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 72 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 73 ! Initiator ! 74 ! Cookie ! 75 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 76 ! Responder ! 77 ! Cookie ! 78 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 79 ! Next Payload ! MjVer ! MnVer ! Exchange Type ! Flags ! 80 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 81 ! Message ID ! 82 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 83 ! Length ! 84 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 85 */ 86 struct isakmp { 87 cookie_t i_ck; /* Initiator Cookie */ 88 cookie_t r_ck; /* Responder Cookie */ 89 nd_uint8_t np; /* Next Payload Type */ 90 nd_uint8_t vers; 91 #define ISAKMP_VERS_MAJOR 0xf0 92 #define ISAKMP_VERS_MAJOR_SHIFT 4 93 #define ISAKMP_VERS_MINOR 0x0f 94 #define ISAKMP_VERS_MINOR_SHIFT 0 95 nd_uint8_t etype; /* Exchange Type */ 96 nd_uint8_t flags; /* Flags */ 97 msgid_t msgid; 98 nd_uint32_t len; /* Length */ 99 }; 100 101 /* Next Payload Type */ 102 #define ISAKMP_NPTYPE_NONE 0 /* NONE*/ 103 #define ISAKMP_NPTYPE_SA 1 /* Security Association */ 104 #define ISAKMP_NPTYPE_P 2 /* Proposal */ 105 #define ISAKMP_NPTYPE_T 3 /* Transform */ 106 #define ISAKMP_NPTYPE_KE 4 /* Key Exchange */ 107 #define ISAKMP_NPTYPE_ID 5 /* Identification */ 108 #define ISAKMP_NPTYPE_CERT 6 /* Certificate */ 109 #define ISAKMP_NPTYPE_CR 7 /* Certificate Request */ 110 #define ISAKMP_NPTYPE_HASH 8 /* Hash */ 111 #define ISAKMP_NPTYPE_SIG 9 /* Signature */ 112 #define ISAKMP_NPTYPE_NONCE 10 /* Nonce */ 113 #define ISAKMP_NPTYPE_N 11 /* Notification */ 114 #define ISAKMP_NPTYPE_D 12 /* Delete */ 115 #define ISAKMP_NPTYPE_VID 13 /* Vendor ID */ 116 #define ISAKMP_NPTYPE_v2E 46 /* v2 Encrypted payload */ 117 118 #define IKEv1_MAJOR_VERSION 1 119 #define IKEv1_MINOR_VERSION 0 120 121 #define IKEv2_MAJOR_VERSION 2 122 #define IKEv2_MINOR_VERSION 0 123 124 /* Flags */ 125 #define ISAKMP_FLAG_E 0x01 /* Encryption Bit */ 126 #define ISAKMP_FLAG_C 0x02 /* Commit Bit */ 127 #define ISAKMP_FLAG_extra 0x04 128 129 /* IKEv2 */ 130 #define ISAKMP_FLAG_I (1 << 3) /* (I)nitiator */ 131 #define ISAKMP_FLAG_V (1 << 4) /* (V)ersion */ 132 #define ISAKMP_FLAG_R (1 << 5) /* (R)esponse */ 133 134 135 /* 3.2 Payload Generic Header 136 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 137 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 138 ! Next Payload ! RESERVED ! Payload Length ! 139 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 140 */ 141 struct isakmp_gen { 142 nd_uint8_t np; /* Next Payload */ 143 nd_uint8_t critical; /* bit 7 - critical, rest is RESERVED */ 144 nd_uint16_t len; /* Payload Length */ 145 }; 146 147 /* 3.3 Data Attributes 148 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 149 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 150 !A! Attribute Type ! AF=0 Attribute Length ! 151 !F! ! AF=1 Attribute Value ! 152 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 153 . AF=0 Attribute Value . 154 . AF=1 Not Transmitted . 155 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 156 */ 157 struct isakmp_data { 158 nd_uint16_t type; /* defined by DOI-spec, and Attribute Format */ 159 nd_uint16_t lorv; /* if f equal 1, Attribute Length */ 160 /* if f equal 0, Attribute Value */ 161 /* if f equal 1, Attribute Value */ 162 }; 163 164 /* 3.4 Security Association Payload */ 165 /* MAY NOT be used, because of being defined in ipsec-doi. */ 166 /* 167 If the current payload is the last in the message, 168 then the value of the next payload field will be 0. 169 This field MUST NOT contain the 170 values for the Proposal or Transform payloads as they are considered 171 part of the security association negotiation. For example, this 172 field would contain the value "10" (Nonce payload) in the first 173 message of a Base Exchange (see Section 4.4) and the value "0" in the 174 first message of an Identity Protect Exchange (see Section 4.5). 175 */ 176 struct ikev1_pl_sa { 177 struct isakmp_gen h; 178 nd_uint32_t doi; /* Domain of Interpretation */ 179 nd_uint32_t sit; /* Situation */ 180 }; 181 182 /* 3.5 Proposal Payload */ 183 /* 184 The value of the next payload field MUST only contain the value "2" 185 or "0". If there are additional Proposal payloads in the message, 186 then this field will be 2. If the current Proposal payload is the 187 last within the security association proposal, then this field will 188 be 0. 189 */ 190 struct ikev1_pl_p { 191 struct isakmp_gen h; 192 nd_uint8_t p_no; /* Proposal # */ 193 nd_uint8_t prot_id; /* Protocol */ 194 nd_uint8_t spi_size; /* SPI Size */ 195 nd_uint8_t num_t; /* Number of Transforms */ 196 /* SPI */ 197 }; 198 199 /* 3.6 Transform Payload */ 200 /* 201 The value of the next payload field MUST only contain the value "3" 202 or "0". If there are additional Transform payloads in the proposal, 203 then this field will be 3. If the current Transform payload is the 204 last within the proposal, then this field will be 0. 205 */ 206 struct ikev1_pl_t { 207 struct isakmp_gen h; 208 nd_uint8_t t_no; /* Transform # */ 209 nd_uint8_t t_id; /* Transform-Id */ 210 nd_byte reserved[2]; /* RESERVED2 */ 211 /* SA Attributes */ 212 }; 213 214 /* 3.7 Key Exchange Payload */ 215 struct ikev1_pl_ke { 216 struct isakmp_gen h; 217 /* Key Exchange Data */ 218 }; 219 220 /* 3.8 Identification Payload */ 221 /* MUST NOT to be used, because of being defined in ipsec-doi. */ 222 struct ikev1_pl_id { 223 struct isakmp_gen h; 224 union { 225 nd_uint8_t id_type; /* ID Type */ 226 nd_uint32_t doi_data; /* DOI Specific ID Data */ 227 } d; 228 /* Identification Data */ 229 }; 230 231 /* 3.9 Certificate Payload */ 232 struct ikev1_pl_cert { 233 struct isakmp_gen h; 234 nd_uint8_t encode; /* Cert Encoding */ 235 nd_uint8_t cert; /* Certificate Data */ 236 /* 237 This field indicates the type of 238 certificate or certificate-related information contained in the 239 Certificate Data field. 240 */ 241 }; 242 243 /* 3.10 Certificate Request Payload */ 244 struct ikev1_pl_cr { 245 struct isakmp_gen h; 246 nd_uint8_t num_cert; /* # Cert. Types */ 247 /* 248 Certificate Types (variable length) 249 -- Contains a list of the types of certificates requested, 250 sorted in order of preference. Each individual certificate 251 type is 1 octet. This field is NOT requiredo 252 */ 253 /* # Certificate Authorities (1 octet) */ 254 /* Certificate Authorities (variable length) */ 255 }; 256 257 /* 3.11 Hash Payload */ 258 /* may not be used, because of having only data. */ 259 struct ikev1_pl_hash { 260 struct isakmp_gen h; 261 /* Hash Data */ 262 }; 263 264 /* 3.12 Signature Payload */ 265 /* may not be used, because of having only data. */ 266 struct ikev1_pl_sig { 267 struct isakmp_gen h; 268 /* Signature Data */ 269 }; 270 271 /* 3.13 Nonce Payload */ 272 /* may not be used, because of having only data. */ 273 struct ikev1_pl_nonce { 274 struct isakmp_gen h; 275 /* Nonce Data */ 276 }; 277 278 /* 3.14 Notification Payload */ 279 struct ikev1_pl_n { 280 struct isakmp_gen h; 281 nd_uint32_t doi; /* Domain of Interpretation */ 282 nd_uint8_t prot_id; /* Protocol-ID */ 283 nd_uint8_t spi_size; /* SPI Size */ 284 nd_uint16_t type; /* Notify Message Type */ 285 /* SPI */ 286 /* Notification Data */ 287 }; 288 289 /* 3.14.1 Notify Message Types */ 290 /* NOTIFY MESSAGES - ERROR TYPES */ 291 #define ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE 1 292 #define ISAKMP_NTYPE_DOI_NOT_SUPPORTED 2 293 #define ISAKMP_NTYPE_SITUATION_NOT_SUPPORTED 3 294 #define ISAKMP_NTYPE_INVALID_COOKIE 4 295 #define ISAKMP_NTYPE_INVALID_MAJOR_VERSION 5 296 #define ISAKMP_NTYPE_INVALID_MINOR_VERSION 6 297 #define ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE 7 298 #define ISAKMP_NTYPE_INVALID_FLAGS 8 299 #define ISAKMP_NTYPE_INVALID_MESSAGE_ID 9 300 #define ISAKMP_NTYPE_INVALID_PROTOCOL_ID 10 301 #define ISAKMP_NTYPE_INVALID_SPI 11 302 #define ISAKMP_NTYPE_INVALID_TRANSFORM_ID 12 303 #define ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED 13 304 #define ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN 14 305 #define ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX 15 306 #define ISAKMP_NTYPE_PAYLOAD_MALFORMED 16 307 #define ISAKMP_NTYPE_INVALID_KEY_INFORMATION 17 308 #define ISAKMP_NTYPE_INVALID_ID_INFORMATION 18 309 #define ISAKMP_NTYPE_INVALID_CERT_ENCODING 19 310 #define ISAKMP_NTYPE_INVALID_CERTIFICATE 20 311 #define ISAKMP_NTYPE_BAD_CERT_REQUEST_SYNTAX 21 312 #define ISAKMP_NTYPE_INVALID_CERT_AUTHORITY 22 313 #define ISAKMP_NTYPE_INVALID_HASH_INFORMATION 23 314 #define ISAKMP_NTYPE_AUTHENTICATION_FAILED 24 315 #define ISAKMP_NTYPE_INVALID_SIGNATURE 25 316 #define ISAKMP_NTYPE_ADDRESS_NOTIFICATION 26 317 318 /* 3.15 Delete Payload */ 319 struct ikev1_pl_d { 320 struct isakmp_gen h; 321 nd_uint32_t doi; /* Domain of Interpretation */ 322 nd_uint8_t prot_id; /* Protocol-Id */ 323 nd_uint8_t spi_size; /* SPI Size */ 324 nd_uint16_t num_spi; /* # of SPIs */ 325 /* SPI(es) */ 326 }; 327 328 /* IKEv2 (RFC4306) */ 329 330 /* 3.3 Security Association Payload -- generic header */ 331 /* 3.3.1. Proposal Substructure */ 332 struct ikev2_p { 333 struct isakmp_gen h; 334 nd_uint8_t p_no; /* Proposal # */ 335 nd_uint8_t prot_id; /* Protocol */ 336 nd_uint8_t spi_size; /* SPI Size */ 337 nd_uint8_t num_t; /* Number of Transforms */ 338 }; 339 340 /* 3.3.2. Transform Substructure */ 341 struct ikev2_t { 342 struct isakmp_gen h; 343 nd_uint8_t t_type; /* Transform Type (ENCR,PRF,INTEG,etc.*/ 344 nd_byte res2; /* reserved byte */ 345 nd_uint16_t t_id; /* Transform ID */ 346 }; 347 348 enum ikev2_t_type { 349 IV2_T_ENCR = 1, 350 IV2_T_PRF = 2, 351 IV2_T_INTEG= 3, 352 IV2_T_DH = 4, 353 IV2_T_ESN = 5 354 }; 355 356 /* 3.4. Key Exchange Payload */ 357 struct ikev2_ke { 358 struct isakmp_gen h; 359 nd_uint16_t ke_group; 360 nd_uint16_t ke_res1; 361 /* KE data */ 362 }; 363 364 365 /* 3.5. Identification Payloads */ 366 enum ikev2_id_type { 367 ID_IPV4_ADDR=1, 368 ID_FQDN=2, 369 ID_RFC822_ADDR=3, 370 ID_IPV6_ADDR=5, 371 ID_DER_ASN1_DN=9, 372 ID_DER_ASN1_GN=10, 373 ID_KEY_ID=11 374 }; 375 struct ikev2_id { 376 struct isakmp_gen h; 377 nd_uint8_t type; /* ID type */ 378 nd_byte res1; 379 nd_byte res2[2]; 380 /* SPI */ 381 /* Notification Data */ 382 }; 383 384 /* 3.10 Notification Payload */ 385 struct ikev2_n { 386 struct isakmp_gen h; 387 nd_uint8_t prot_id; /* Protocol-ID */ 388 nd_uint8_t spi_size; /* SPI Size */ 389 nd_uint16_t type; /* Notify Message Type */ 390 }; 391 392 enum ikev2_n_type { 393 IV2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD = 1, 394 IV2_NOTIFY_INVALID_IKE_SPI = 4, 395 IV2_NOTIFY_INVALID_MAJOR_VERSION = 5, 396 IV2_NOTIFY_INVALID_SYNTAX = 7, 397 IV2_NOTIFY_INVALID_MESSAGE_ID = 9, 398 IV2_NOTIFY_INVALID_SPI =11, 399 IV2_NOTIFY_NO_PROPOSAL_CHOSEN =14, 400 IV2_NOTIFY_INVALID_KE_PAYLOAD =17, 401 IV2_NOTIFY_AUTHENTICATION_FAILED =24, 402 IV2_NOTIFY_SINGLE_PAIR_REQUIRED =34, 403 IV2_NOTIFY_NO_ADDITIONAL_SAS =35, 404 IV2_NOTIFY_INTERNAL_ADDRESS_FAILURE =36, 405 IV2_NOTIFY_FAILED_CP_REQUIRED =37, 406 IV2_NOTIFY_INVALID_SELECTORS =39, 407 IV2_NOTIFY_INITIAL_CONTACT =16384, 408 IV2_NOTIFY_SET_WINDOW_SIZE =16385, 409 IV2_NOTIFY_ADDITIONAL_TS_POSSIBLE =16386, 410 IV2_NOTIFY_IPCOMP_SUPPORTED =16387, 411 IV2_NOTIFY_NAT_DETECTION_SOURCE_IP =16388, 412 IV2_NOTIFY_NAT_DETECTION_DESTINATION_IP =16389, 413 IV2_NOTIFY_COOKIE =16390, 414 IV2_NOTIFY_USE_TRANSPORT_MODE =16391, 415 IV2_NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED =16392, 416 IV2_NOTIFY_REKEY_SA =16393, 417 IV2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED =16394, 418 IV2_NOTIFY_NON_FIRST_FRAGMENTS_ALSO =16395 419 }; 420 421 struct notify_messages { 422 uint16_t type; 423 char *msg; 424 }; 425 426 /* 3.8 Authentication Payload */ 427 struct ikev2_auth { 428 struct isakmp_gen h; 429 nd_uint8_t auth_method; /* Protocol-ID */ 430 nd_byte reserved[3]; 431 /* authentication data */ 432 }; 433 434 enum ikev2_auth_type { 435 IV2_RSA_SIG = 1, 436 IV2_SHARED = 2, 437 IV2_DSS_SIG = 3 438 }; 439 440 /* refer to RFC 2409 */ 441 442 #if 0 443 /* isakmp sa structure */ 444 struct oakley_sa { 445 uint8_t proto_id; /* OAKLEY */ 446 vchar_t *spi; /* spi */ 447 uint8_t dhgrp; /* DH; group */ 448 uint8_t auth_t; /* method of authentication */ 449 uint8_t prf_t; /* type of prf */ 450 uint8_t hash_t; /* type of hash */ 451 uint8_t enc_t; /* type of cipher */ 452 uint8_t life_t; /* type of duration of lifetime */ 453 uint32_t ldur; /* life duration */ 454 }; 455 #endif 456 457 /* refer to RFC 2407 */ 458 459 #define IPSEC_DOI 1 460 461 /* 4.2 IPSEC Situation Definition */ 462 #define IPSECDOI_SIT_IDENTITY_ONLY 0x00000001 463 #define IPSECDOI_SIT_SECRECY 0x00000002 464 #define IPSECDOI_SIT_INTEGRITY 0x00000004 465 466 /* 4.4.1 IPSEC Security Protocol Identifiers */ 467 /* 4.4.2 IPSEC ISAKMP Transform Values */ 468 #define IPSECDOI_PROTO_ISAKMP 1 469 #define IPSECDOI_KEY_IKE 1 470 471 /* 4.4.1 IPSEC Security Protocol Identifiers */ 472 #define IPSECDOI_PROTO_IPSEC_AH 2 473 /* 4.4.3 IPSEC AH Transform Values */ 474 #define IPSECDOI_AH_MD5 2 475 #define IPSECDOI_AH_SHA 3 476 #define IPSECDOI_AH_DES 4 477 #define IPSECDOI_AH_SHA2_256 5 478 #define IPSECDOI_AH_SHA2_384 6 479 #define IPSECDOI_AH_SHA2_512 7 480 481 /* 4.4.1 IPSEC Security Protocol Identifiers */ 482 #define IPSECDOI_PROTO_IPSEC_ESP 3 483 /* 4.4.4 IPSEC ESP Transform Identifiers */ 484 #define IPSECDOI_ESP_DES_IV64 1 485 #define IPSECDOI_ESP_DES 2 486 #define IPSECDOI_ESP_3DES 3 487 #define IPSECDOI_ESP_RC5 4 488 #define IPSECDOI_ESP_IDEA 5 489 #define IPSECDOI_ESP_CAST 6 490 #define IPSECDOI_ESP_BLOWFISH 7 491 #define IPSECDOI_ESP_3IDEA 8 492 #define IPSECDOI_ESP_DES_IV32 9 493 #define IPSECDOI_ESP_RC4 10 494 #define IPSECDOI_ESP_NULL 11 495 #define IPSECDOI_ESP_RIJNDAEL 12 496 #define IPSECDOI_ESP_AES 12 497 498 /* 4.4.1 IPSEC Security Protocol Identifiers */ 499 #define IPSECDOI_PROTO_IPCOMP 4 500 /* 4.4.5 IPSEC IPCOMP Transform Identifiers */ 501 #define IPSECDOI_IPCOMP_OUI 1 502 #define IPSECDOI_IPCOMP_DEFLATE 2 503 #define IPSECDOI_IPCOMP_LZS 3 504 505 /* 4.5 IPSEC Security Association Attributes */ 506 #define IPSECDOI_ATTR_SA_LTYPE 1 /* B */ 507 #define IPSECDOI_ATTR_SA_LTYPE_DEFAULT 1 508 #define IPSECDOI_ATTR_SA_LTYPE_SEC 1 509 #define IPSECDOI_ATTR_SA_LTYPE_KB 2 510 #define IPSECDOI_ATTR_SA_LDUR 2 /* V */ 511 #define IPSECDOI_ATTR_SA_LDUR_DEFAULT 28800 /* 8 hours */ 512 #define IPSECDOI_ATTR_GRP_DESC 3 /* B */ 513 #define IPSECDOI_ATTR_ENC_MODE 4 /* B */ 514 /* default value: host dependent */ 515 #define IPSECDOI_ATTR_ENC_MODE_TUNNEL 1 516 #define IPSECDOI_ATTR_ENC_MODE_TRNS 2 517 #define IPSECDOI_ATTR_AUTH 5 /* B */ 518 /* 0 means not to use authentication. */ 519 #define IPSECDOI_ATTR_AUTH_HMAC_MD5 1 520 #define IPSECDOI_ATTR_AUTH_HMAC_SHA1 2 521 #define IPSECDOI_ATTR_AUTH_DES_MAC 3 522 #define IPSECDOI_ATTR_AUTH_KPDK 4 /*RFC-1826(Key/Pad/Data/Key)*/ 523 /* 524 * When negotiating ESP without authentication, the Auth 525 * Algorithm attribute MUST NOT be included in the proposal. 526 * When negotiating ESP without confidentiality, the Auth 527 * Algorithm attribute MUST be included in the proposal and 528 * the ESP transform ID must be ESP_NULL. 529 */ 530 #define IPSECDOI_ATTR_KEY_LENGTH 6 /* B */ 531 #define IPSECDOI_ATTR_KEY_ROUNDS 7 /* B */ 532 #define IPSECDOI_ATTR_COMP_DICT_SIZE 8 /* B */ 533 #define IPSECDOI_ATTR_COMP_PRIVALG 9 /* V */ 534 535 /* 4.6.1 Security Association Payload */ 536 struct ipsecdoi_sa { 537 struct isakmp_gen h; 538 nd_uint32_t doi; /* Domain of Interpretation */ 539 nd_uint32_t sit; /* Situation */ 540 }; 541 542 struct ipsecdoi_secrecy_h { 543 nd_uint16_t len; 544 nd_uint16_t reserved; 545 }; 546 547 /* 4.6.2.1 Identification Type Values */ 548 struct ipsecdoi_id { 549 struct isakmp_gen h; 550 nd_uint8_t type; /* ID Type */ 551 nd_uint8_t proto_id; /* Protocol ID */ 552 nd_uint16_t port; /* Port */ 553 /* Identification Data */ 554 }; 555 556 #define IPSECDOI_ID_IPV4_ADDR 1 557 #define IPSECDOI_ID_FQDN 2 558 #define IPSECDOI_ID_USER_FQDN 3 559 #define IPSECDOI_ID_IPV4_ADDR_SUBNET 4 560 #define IPSECDOI_ID_IPV6_ADDR 5 561 #define IPSECDOI_ID_IPV6_ADDR_SUBNET 6 562 #define IPSECDOI_ID_IPV4_ADDR_RANGE 7 563 #define IPSECDOI_ID_IPV6_ADDR_RANGE 8 564 #define IPSECDOI_ID_DER_ASN1_DN 9 565 #define IPSECDOI_ID_DER_ASN1_GN 10 566 #define IPSECDOI_ID_KEY_ID 11 567 568 /* 4.6.3 IPSEC DOI Notify Message Types */ 569 /* Notify Messages - Status Types */ 570 #define IPSECDOI_NTYPE_RESPONDER_LIFETIME 24576 571 #define IPSECDOI_NTYPE_REPLAY_STATUS 24577 572 #define IPSECDOI_NTYPE_INITIAL_CONTACT 24578 573 574 #define DECLARE_PRINTER(func) static const u_char *ike##func##_print( \ 575 netdissect_options *ndo, u_char tpay, \ 576 const struct isakmp_gen *ext, \ 577 u_int item_len, \ 578 const u_char *end_pointer, \ 579 uint32_t phase,\ 580 uint32_t doi0, \ 581 uint32_t proto0, int depth) 582 583 DECLARE_PRINTER(v1_sa); 584 DECLARE_PRINTER(v1_p); 585 DECLARE_PRINTER(v1_t); 586 DECLARE_PRINTER(v1_ke); 587 DECLARE_PRINTER(v1_id); 588 DECLARE_PRINTER(v1_cert); 589 DECLARE_PRINTER(v1_cr); 590 DECLARE_PRINTER(v1_sig); 591 DECLARE_PRINTER(v1_hash); 592 DECLARE_PRINTER(v1_nonce); 593 DECLARE_PRINTER(v1_n); 594 DECLARE_PRINTER(v1_d); 595 DECLARE_PRINTER(v1_vid); 596 597 DECLARE_PRINTER(v2_sa); 598 DECLARE_PRINTER(v2_ke); 599 DECLARE_PRINTER(v2_ID); 600 DECLARE_PRINTER(v2_cert); 601 DECLARE_PRINTER(v2_cr); 602 DECLARE_PRINTER(v2_auth); 603 DECLARE_PRINTER(v2_nonce); 604 DECLARE_PRINTER(v2_n); 605 DECLARE_PRINTER(v2_d); 606 DECLARE_PRINTER(v2_vid); 607 DECLARE_PRINTER(v2_TS); 608 DECLARE_PRINTER(v2_cp); 609 DECLARE_PRINTER(v2_eap); 610 611 static const u_char *ikev2_e_print(netdissect_options *ndo, 612 const struct isakmp *base, 613 u_char tpay, 614 const struct isakmp_gen *ext, 615 u_int item_len, 616 const u_char *end_pointer, 617 uint32_t phase, 618 uint32_t doi0, 619 uint32_t proto0, int depth); 620 621 622 static const u_char *ike_sub0_print(netdissect_options *ndo,u_char, const struct isakmp_gen *, 623 const u_char *, uint32_t, uint32_t, uint32_t, int); 624 static const u_char *ikev1_sub_print(netdissect_options *ndo,u_char, const struct isakmp_gen *, 625 const u_char *, uint32_t, uint32_t, uint32_t, int); 626 627 static const u_char *ikev2_sub_print(netdissect_options *ndo, 628 const struct isakmp *base, 629 u_char np, const struct isakmp_gen *ext, 630 const u_char *ep, uint32_t phase, 631 uint32_t doi, uint32_t proto, 632 int depth); 633 634 635 static char *numstr(u_int); 636 637 static void 638 ikev1_print(netdissect_options *ndo, 639 const u_char *bp, u_int length, 640 const u_char *bp2, const struct isakmp *base); 641 642 #define MAXINITIATORS 20 643 static int ninitiator = 0; 644 union inaddr_u { 645 nd_ipv4 in4; 646 nd_ipv6 in6; 647 }; 648 static struct { 649 cookie_t initiator; 650 u_int version; 651 union inaddr_u iaddr; 652 union inaddr_u raddr; 653 } cookiecache[MAXINITIATORS]; 654 655 /* protocol id */ 656 static const char *protoidstr[] = { 657 NULL, "isakmp", "ipsec-ah", "ipsec-esp", "ipcomp", 658 }; 659 660 /* isakmp->np */ 661 static const char *npstr[] = { 662 "none", "sa", "p", "t", "ke", "id", "cert", "cr", "hash", /* 0 - 8 */ 663 "sig", "nonce", "n", "d", "vid", /* 9 - 13 */ 664 "pay14", "pay15", "pay16", "pay17", "pay18", /* 14- 18 */ 665 "pay19", "pay20", "pay21", "pay22", "pay23", /* 19- 23 */ 666 "pay24", "pay25", "pay26", "pay27", "pay28", /* 24- 28 */ 667 "pay29", "pay30", "pay31", "pay32", /* 29- 32 */ 668 "v2sa", "v2ke", "v2IDi", "v2IDr", "v2cert",/* 33- 37 */ 669 "v2cr", "v2auth","v2nonce", "v2n", "v2d", /* 38- 42 */ 670 "v2vid", "v2TSi", "v2TSr", "v2e", "v2cp", /* 43- 47 */ 671 "v2eap", /* 48 */ 672 673 }; 674 675 /* isakmp->np */ 676 static const u_char *(*npfunc[])(netdissect_options *ndo, u_char tpay, 677 const struct isakmp_gen *ext, 678 u_int item_len, 679 const u_char *end_pointer, 680 uint32_t phase, 681 uint32_t doi0, 682 uint32_t proto0, int depth) = { 683 NULL, 684 ikev1_sa_print, 685 ikev1_p_print, 686 ikev1_t_print, 687 ikev1_ke_print, 688 ikev1_id_print, 689 ikev1_cert_print, 690 ikev1_cr_print, 691 ikev1_hash_print, 692 ikev1_sig_print, 693 ikev1_nonce_print, 694 ikev1_n_print, 695 ikev1_d_print, 696 ikev1_vid_print, /* 13 */ 697 NULL, NULL, NULL, NULL, NULL, /* 14- 18 */ 698 NULL, NULL, NULL, NULL, NULL, /* 19- 23 */ 699 NULL, NULL, NULL, NULL, NULL, /* 24- 28 */ 700 NULL, NULL, NULL, NULL, /* 29- 32 */ 701 ikev2_sa_print, /* 33 */ 702 ikev2_ke_print, /* 34 */ 703 ikev2_ID_print, /* 35 */ 704 ikev2_ID_print, /* 36 */ 705 ikev2_cert_print, /* 37 */ 706 ikev2_cr_print, /* 38 */ 707 ikev2_auth_print, /* 39 */ 708 ikev2_nonce_print, /* 40 */ 709 ikev2_n_print, /* 41 */ 710 ikev2_d_print, /* 42 */ 711 ikev2_vid_print, /* 43 */ 712 ikev2_TS_print, /* 44 */ 713 ikev2_TS_print, /* 45 */ 714 NULL, /* ikev2_e_print,*/ /* 46 - special */ 715 ikev2_cp_print, /* 47 */ 716 ikev2_eap_print, /* 48 */ 717 }; 718 719 /* isakmp->etype */ 720 static const char *etypestr[] = { 721 /* IKEv1 exchange types */ 722 "none", "base", "ident", "auth", "agg", "inf", NULL, NULL, /* 0-7 */ 723 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 8-15 */ 724 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 16-23 */ 725 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 24-31 */ 726 "oakley-quick", "oakley-newgroup", /* 32-33 */ 727 /* IKEv2 exchange types */ 728 "ikev2_init", "ikev2_auth", "child_sa", "inf2" /* 34-37 */ 729 }; 730 731 #define STR_OR_ID(x, tab) \ 732 (((x) < sizeof(tab)/sizeof(tab[0]) && tab[(x)]) ? tab[(x)] : numstr(x)) 733 #define PROTOIDSTR(x) STR_OR_ID(x, protoidstr) 734 #define NPSTR(x) STR_OR_ID(x, npstr) 735 #define ETYPESTR(x) STR_OR_ID(x, etypestr) 736 737 #define CHECKLEN(p, np) \ 738 if (ep < (const u_char *)(p)) { \ 739 ND_PRINT(" [|%s]", NPSTR(np)); \ 740 goto done; \ 741 } 742 743 744 #define NPFUNC(x) \ 745 (((x) < sizeof(npfunc)/sizeof(npfunc[0]) && npfunc[(x)]) \ 746 ? npfunc[(x)] : NULL) 747 748 static int 749 iszero(netdissect_options *ndo, const u_char *p, size_t l) 750 { 751 while (l != 0) { 752 if (GET_U_1(p)) 753 return 0; 754 p++; 755 l--; 756 } 757 return 1; 758 } 759 760 /* find cookie from initiator cache */ 761 static int 762 cookie_find(const cookie_t *in) 763 { 764 int i; 765 766 for (i = 0; i < MAXINITIATORS; i++) { 767 if (memcmp(in, &cookiecache[i].initiator, sizeof(*in)) == 0) 768 return i; 769 } 770 771 return -1; 772 } 773 774 /* record initiator */ 775 static void 776 cookie_record(netdissect_options *ndo, const cookie_t *in, const u_char *bp2) 777 { 778 int i; 779 const struct ip *ip; 780 const struct ip6_hdr *ip6; 781 782 i = cookie_find(in); 783 if (0 <= i) { 784 ninitiator = (i + 1) % MAXINITIATORS; 785 return; 786 } 787 788 ip = (const struct ip *)bp2; 789 switch (IP_V(ip)) { 790 case 4: 791 cookiecache[ninitiator].version = 4; 792 UNALIGNED_MEMCPY(&cookiecache[ninitiator].iaddr.in4, 793 ip->ip_src, sizeof(nd_ipv4)); 794 UNALIGNED_MEMCPY(&cookiecache[ninitiator].raddr.in4, 795 ip->ip_dst, sizeof(nd_ipv4)); 796 break; 797 case 6: 798 ip6 = (const struct ip6_hdr *)bp2; 799 cookiecache[ninitiator].version = 6; 800 UNALIGNED_MEMCPY(&cookiecache[ninitiator].iaddr.in6, 801 ip6->ip6_src, sizeof(nd_ipv6)); 802 UNALIGNED_MEMCPY(&cookiecache[ninitiator].raddr.in6, 803 ip6->ip6_dst, sizeof(nd_ipv6)); 804 break; 805 default: 806 return; 807 } 808 UNALIGNED_MEMCPY(&cookiecache[ninitiator].initiator, in, sizeof(*in)); 809 ninitiator = (ninitiator + 1) % MAXINITIATORS; 810 } 811 812 #define cookie_isinitiator(ndo, x, y) cookie_sidecheck(ndo, (x), (y), 1) 813 #define cookie_isresponder(ndo, x, y) cookie_sidecheck(ndo, (x), (y), 0) 814 static int 815 cookie_sidecheck(netdissect_options *ndo, int i, const u_char *bp2, int initiator) 816 { 817 const struct ip *ip; 818 const struct ip6_hdr *ip6; 819 820 ip = (const struct ip *)bp2; 821 switch (IP_V(ip)) { 822 case 4: 823 if (cookiecache[i].version != 4) 824 return 0; 825 if (initiator) { 826 if (UNALIGNED_MEMCMP(ip->ip_src, &cookiecache[i].iaddr.in4, sizeof(nd_ipv4)) == 0) 827 return 1; 828 } else { 829 if (UNALIGNED_MEMCMP(ip->ip_src, &cookiecache[i].raddr.in4, sizeof(nd_ipv4)) == 0) 830 return 1; 831 } 832 break; 833 case 6: 834 if (cookiecache[i].version != 6) 835 return 0; 836 ip6 = (const struct ip6_hdr *)bp2; 837 if (initiator) { 838 if (UNALIGNED_MEMCMP(ip6->ip6_src, &cookiecache[i].iaddr.in6, sizeof(nd_ipv6)) == 0) 839 return 1; 840 } else { 841 if (UNALIGNED_MEMCMP(ip6->ip6_src, &cookiecache[i].raddr.in6, sizeof(nd_ipv6)) == 0) 842 return 1; 843 } 844 break; 845 default: 846 break; 847 } 848 849 return 0; 850 } 851 852 static void 853 hexprint(netdissect_options *ndo, const uint8_t *loc, size_t len) 854 { 855 const uint8_t *p; 856 size_t i; 857 858 p = loc; 859 for (i = 0; i < len; i++) 860 ND_PRINT("%02x", p[i] & 0xff); 861 } 862 863 static int 864 rawprint(netdissect_options *ndo, const uint8_t *loc, size_t len) 865 { 866 ND_TCHECK_LEN(loc, len); 867 868 hexprint(ndo, loc, len); 869 return 1; 870 trunc: 871 return 0; 872 } 873 874 875 /* 876 * returns false if we run out of data buffer 877 */ 878 static int ike_show_somedata(netdissect_options *ndo, 879 const u_char *cp, const u_char *ep) 880 { 881 /* there is too much data, just show some of it */ 882 const u_char *end = ep - 20; 883 size_t elen = 20; 884 size_t len = ep - cp; 885 if(len > 10) { 886 len = 10; 887 } 888 889 /* really shouldn't happen because of above */ 890 if(end < cp + len) { 891 end = cp+len; 892 elen = ep - end; 893 } 894 895 ND_PRINT(" data=("); 896 if(!rawprint(ndo, (const uint8_t *)(cp), len)) goto trunc; 897 ND_PRINT("..."); 898 if(elen) { 899 if(!rawprint(ndo, (const uint8_t *)(end), elen)) goto trunc; 900 } 901 ND_PRINT(")"); 902 return 1; 903 904 trunc: 905 return 0; 906 } 907 908 struct attrmap { 909 const char *type; 910 u_int nvalue; 911 const char *value[30]; /*XXX*/ 912 }; 913 914 static const u_char * 915 ikev1_attrmap_print(netdissect_options *ndo, 916 const u_char *p, const u_char *ep2, 917 const struct attrmap *map, size_t nmap) 918 { 919 u_int totlen; 920 uint32_t t, v; 921 922 if (GET_U_1(p) & 0x80) 923 totlen = 4; 924 else { 925 totlen = 4 + GET_BE_U_2(p + 2); 926 } 927 if (ep2 < p + totlen) { 928 ND_PRINT("[|attr]"); 929 return ep2 + 1; 930 } 931 932 ND_PRINT("("); 933 t = GET_BE_U_2(p) & 0x7fff; 934 if (map && t < nmap && map[t].type) 935 ND_PRINT("type=%s ", map[t].type); 936 else 937 ND_PRINT("type=#%u ", t); 938 if (GET_U_1(p) & 0x80) { 939 ND_PRINT("value="); 940 v = GET_BE_U_2(p + 2); 941 if (map && t < nmap && v < map[t].nvalue && map[t].value[v]) 942 ND_PRINT("%s", map[t].value[v]); 943 else { 944 if (!rawprint(ndo, (const uint8_t *)(p + 2), 2)) { 945 ND_PRINT(")"); 946 goto trunc; 947 } 948 } 949 } else { 950 ND_PRINT("len=%u value=", totlen - 4); 951 if (!rawprint(ndo, (const uint8_t *)(p + 4), totlen - 4)) { 952 ND_PRINT(")"); 953 goto trunc; 954 } 955 } 956 ND_PRINT(")"); 957 return p + totlen; 958 959 trunc: 960 return NULL; 961 } 962 963 static const u_char * 964 ikev1_attr_print(netdissect_options *ndo, const u_char *p, const u_char *ep2) 965 { 966 u_int totlen; 967 uint32_t t; 968 969 if (GET_U_1(p) & 0x80) 970 totlen = 4; 971 else { 972 totlen = 4 + GET_BE_U_2(p + 2); 973 } 974 if (ep2 < p + totlen) { 975 ND_PRINT("[|attr]"); 976 return ep2 + 1; 977 } 978 979 ND_PRINT("("); 980 t = GET_BE_U_2(p) & 0x7fff; 981 ND_PRINT("type=#%u ", t); 982 if (GET_U_1(p) & 0x80) { 983 ND_PRINT("value="); 984 t = GET_U_1(p + 2); 985 if (!rawprint(ndo, (const uint8_t *)(p + 2), 2)) { 986 ND_PRINT(")"); 987 goto trunc; 988 } 989 } else { 990 ND_PRINT("len=%u value=", totlen - 4); 991 if (!rawprint(ndo, (const uint8_t *)(p + 4), totlen - 4)) { 992 ND_PRINT(")"); 993 goto trunc; 994 } 995 } 996 ND_PRINT(")"); 997 return p + totlen; 998 999 trunc: 1000 return NULL; 1001 } 1002 1003 static const u_char * 1004 ikev1_sa_print(netdissect_options *ndo, u_char tpay _U_, 1005 const struct isakmp_gen *ext, 1006 u_int item_len _U_, 1007 const u_char *ep, uint32_t phase, uint32_t doi0 _U_, 1008 uint32_t proto0, int depth) 1009 { 1010 const struct ikev1_pl_sa *p; 1011 uint32_t doi, sit, ident; 1012 const u_char *cp, *np; 1013 int t; 1014 1015 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_SA)); 1016 1017 p = (const struct ikev1_pl_sa *)ext; 1018 ND_TCHECK_SIZE(p); 1019 doi = GET_BE_U_4(p->doi); 1020 sit = GET_BE_U_4(p->sit); 1021 if (doi != 1) { 1022 ND_PRINT(" doi=%u", doi); 1023 ND_PRINT(" situation=%u", sit); 1024 return (const u_char *)(p + 1); 1025 } 1026 1027 ND_PRINT(" doi=ipsec"); 1028 ND_PRINT(" situation="); 1029 t = 0; 1030 if (sit & 0x01) { 1031 ND_PRINT("identity"); 1032 t++; 1033 } 1034 if (sit & 0x02) { 1035 ND_PRINT("%ssecrecy", t ? "+" : ""); 1036 t++; 1037 } 1038 if (sit & 0x04) 1039 ND_PRINT("%sintegrity", t ? "+" : ""); 1040 1041 np = (const u_char *)ext + sizeof(struct ikev1_pl_sa); 1042 if (sit != 0x01) { 1043 ident = GET_BE_U_4(ext + 1); 1044 ND_PRINT(" ident=%u", ident); 1045 np += sizeof(ident); 1046 } 1047 1048 ext = (const struct isakmp_gen *)np; 1049 ND_TCHECK_SIZE(ext); 1050 1051 cp = ikev1_sub_print(ndo, ISAKMP_NPTYPE_P, ext, ep, phase, doi, proto0, 1052 depth); 1053 1054 return cp; 1055 trunc: 1056 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_SA)); 1057 return NULL; 1058 } 1059 1060 static const u_char * 1061 ikev1_p_print(netdissect_options *ndo, u_char tpay _U_, 1062 const struct isakmp_gen *ext, u_int item_len _U_, 1063 const u_char *ep, uint32_t phase, uint32_t doi0, 1064 uint32_t proto0 _U_, int depth) 1065 { 1066 const struct ikev1_pl_p *p; 1067 const u_char *cp; 1068 uint8_t spi_size; 1069 1070 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_P)); 1071 1072 p = (const struct ikev1_pl_p *)ext; 1073 ND_TCHECK_SIZE(p); 1074 ND_PRINT(" #%u protoid=%s transform=%u", 1075 GET_U_1(p->p_no), PROTOIDSTR(GET_U_1(p->prot_id)), 1076 GET_U_1(p->num_t)); 1077 spi_size = GET_U_1(p->spi_size); 1078 if (spi_size) { 1079 ND_PRINT(" spi="); 1080 if (!rawprint(ndo, (const uint8_t *)(p + 1), spi_size)) 1081 goto trunc; 1082 } 1083 1084 ext = (const struct isakmp_gen *)((const u_char *)(p + 1) + spi_size); 1085 ND_TCHECK_SIZE(ext); 1086 1087 cp = ikev1_sub_print(ndo, ISAKMP_NPTYPE_T, ext, ep, phase, doi0, 1088 GET_U_1(p->prot_id), depth); 1089 1090 return cp; 1091 trunc: 1092 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_P)); 1093 return NULL; 1094 } 1095 1096 static const char *ikev1_p_map[] = { 1097 NULL, "ike", 1098 }; 1099 1100 static const char *ikev2_t_type_map[]={ 1101 NULL, "encr", "prf", "integ", "dh", "esn" 1102 }; 1103 1104 static const char *ah_p_map[] = { 1105 NULL, "(reserved)", "md5", "sha", "1des", 1106 "sha2-256", "sha2-384", "sha2-512", 1107 }; 1108 1109 static const char *prf_p_map[] = { 1110 NULL, "hmac-md5", "hmac-sha", "hmac-tiger", 1111 "aes128_xcbc" 1112 }; 1113 1114 static const char *integ_p_map[] = { 1115 NULL, "hmac-md5", "hmac-sha", "dec-mac", 1116 "kpdk-md5", "aes-xcbc" 1117 }; 1118 1119 static const char *esn_p_map[] = { 1120 "no-esn", "esn" 1121 }; 1122 1123 static const char *dh_p_map[] = { 1124 NULL, "modp768", 1125 "modp1024", /* group 2 */ 1126 "EC2N 2^155", /* group 3 */ 1127 "EC2N 2^185", /* group 4 */ 1128 "modp1536", /* group 5 */ 1129 "iana-grp06", "iana-grp07", /* reserved */ 1130 "iana-grp08", "iana-grp09", 1131 "iana-grp10", "iana-grp11", 1132 "iana-grp12", "iana-grp13", 1133 "modp2048", /* group 14 */ 1134 "modp3072", /* group 15 */ 1135 "modp4096", /* group 16 */ 1136 "modp6144", /* group 17 */ 1137 "modp8192", /* group 18 */ 1138 }; 1139 1140 static const char *esp_p_map[] = { 1141 NULL, "1des-iv64", "1des", "3des", "rc5", "idea", "cast", 1142 "blowfish", "3idea", "1des-iv32", "rc4", "null", "aes" 1143 }; 1144 1145 static const char *ipcomp_p_map[] = { 1146 NULL, "oui", "deflate", "lzs", 1147 }; 1148 1149 static const struct attrmap ipsec_t_map[] = { 1150 { NULL, 0, { NULL } }, 1151 { "lifetype", 3, { NULL, "sec", "kb", }, }, 1152 { "life", 0, { NULL } }, 1153 { "group desc", 18, { NULL, "modp768", 1154 "modp1024", /* group 2 */ 1155 "EC2N 2^155", /* group 3 */ 1156 "EC2N 2^185", /* group 4 */ 1157 "modp1536", /* group 5 */ 1158 "iana-grp06", "iana-grp07", /* reserved */ 1159 "iana-grp08", "iana-grp09", 1160 "iana-grp10", "iana-grp11", 1161 "iana-grp12", "iana-grp13", 1162 "modp2048", /* group 14 */ 1163 "modp3072", /* group 15 */ 1164 "modp4096", /* group 16 */ 1165 "modp6144", /* group 17 */ 1166 "modp8192", /* group 18 */ 1167 }, }, 1168 { "enc mode", 3, { NULL, "tunnel", "transport", }, }, 1169 { "auth", 5, { NULL, "hmac-md5", "hmac-sha1", "1des-mac", "keyed", }, }, 1170 { "keylen", 0, { NULL } }, 1171 { "rounds", 0, { NULL } }, 1172 { "dictsize", 0, { NULL } }, 1173 { "privalg", 0, { NULL } }, 1174 }; 1175 1176 static const struct attrmap encr_t_map[] = { 1177 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 0, 1 */ 1178 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 2, 3 */ 1179 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 4, 5 */ 1180 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 6, 7 */ 1181 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 8, 9 */ 1182 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 10,11*/ 1183 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 12,13*/ 1184 { "keylen", 14, { NULL }}, 1185 }; 1186 1187 static const struct attrmap oakley_t_map[] = { 1188 { NULL, 0, { NULL } }, 1189 { "enc", 8, { NULL, "1des", "idea", "blowfish", "rc5", 1190 "3des", "cast", "aes", }, }, 1191 { "hash", 7, { NULL, "md5", "sha1", "tiger", 1192 "sha2-256", "sha2-384", "sha2-512", }, }, 1193 { "auth", 6, { NULL, "preshared", "dss", "rsa sig", "rsa enc", 1194 "rsa enc revised", }, }, 1195 { "group desc", 18, { NULL, "modp768", 1196 "modp1024", /* group 2 */ 1197 "EC2N 2^155", /* group 3 */ 1198 "EC2N 2^185", /* group 4 */ 1199 "modp1536", /* group 5 */ 1200 "iana-grp06", "iana-grp07", /* reserved */ 1201 "iana-grp08", "iana-grp09", 1202 "iana-grp10", "iana-grp11", 1203 "iana-grp12", "iana-grp13", 1204 "modp2048", /* group 14 */ 1205 "modp3072", /* group 15 */ 1206 "modp4096", /* group 16 */ 1207 "modp6144", /* group 17 */ 1208 "modp8192", /* group 18 */ 1209 }, }, 1210 { "group type", 4, { NULL, "MODP", "ECP", "EC2N", }, }, 1211 { "group prime", 0, { NULL } }, 1212 { "group gen1", 0, { NULL } }, 1213 { "group gen2", 0, { NULL } }, 1214 { "group curve A", 0, { NULL } }, 1215 { "group curve B", 0, { NULL } }, 1216 { "lifetype", 3, { NULL, "sec", "kb", }, }, 1217 { "lifeduration", 0, { NULL } }, 1218 { "prf", 0, { NULL } }, 1219 { "keylen", 0, { NULL } }, 1220 { "field", 0, { NULL } }, 1221 { "order", 0, { NULL } }, 1222 }; 1223 1224 static const u_char * 1225 ikev1_t_print(netdissect_options *ndo, u_char tpay _U_, 1226 const struct isakmp_gen *ext, u_int item_len, 1227 const u_char *ep, uint32_t phase _U_, uint32_t doi _U_, 1228 uint32_t proto, int depth _U_) 1229 { 1230 const struct ikev1_pl_t *p; 1231 const u_char *cp; 1232 const char *idstr; 1233 const struct attrmap *map; 1234 size_t nmap; 1235 const u_char *ep2; 1236 1237 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_T)); 1238 1239 p = (const struct ikev1_pl_t *)ext; 1240 ND_TCHECK_SIZE(p); 1241 1242 switch (proto) { 1243 case 1: 1244 idstr = STR_OR_ID(GET_U_1(p->t_id), ikev1_p_map); 1245 map = oakley_t_map; 1246 nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]); 1247 break; 1248 case 2: 1249 idstr = STR_OR_ID(GET_U_1(p->t_id), ah_p_map); 1250 map = ipsec_t_map; 1251 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]); 1252 break; 1253 case 3: 1254 idstr = STR_OR_ID(GET_U_1(p->t_id), esp_p_map); 1255 map = ipsec_t_map; 1256 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]); 1257 break; 1258 case 4: 1259 idstr = STR_OR_ID(GET_U_1(p->t_id), ipcomp_p_map); 1260 map = ipsec_t_map; 1261 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]); 1262 break; 1263 default: 1264 idstr = NULL; 1265 map = NULL; 1266 nmap = 0; 1267 break; 1268 } 1269 1270 if (idstr) 1271 ND_PRINT(" #%u id=%s ", GET_U_1(p->t_no), idstr); 1272 else 1273 ND_PRINT(" #%u id=%u ", GET_U_1(p->t_no), GET_U_1(p->t_id)); 1274 cp = (const u_char *)(p + 1); 1275 ep2 = (const u_char *)p + item_len; 1276 while (cp < ep && cp < ep2) { 1277 if (map && nmap) 1278 cp = ikev1_attrmap_print(ndo, cp, ep2, map, nmap); 1279 else 1280 cp = ikev1_attr_print(ndo, cp, ep2); 1281 if (cp == NULL) 1282 goto trunc; 1283 } 1284 if (ep < ep2) 1285 ND_PRINT("..."); 1286 return cp; 1287 trunc: 1288 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_T)); 1289 return NULL; 1290 } 1291 1292 static const u_char * 1293 ikev1_ke_print(netdissect_options *ndo, u_char tpay _U_, 1294 const struct isakmp_gen *ext, u_int item_len, 1295 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_, 1296 uint32_t proto _U_, int depth _U_) 1297 { 1298 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_KE)); 1299 1300 ND_TCHECK_SIZE(ext); 1301 /* 1302 * Our caller has ensured that the length is >= 4. 1303 */ 1304 ND_PRINT(" key len=%u", item_len - 4); 1305 if (2 < ndo->ndo_vflag && item_len > 4) { 1306 /* Print the entire payload in hex */ 1307 ND_PRINT(" "); 1308 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4)) 1309 goto trunc; 1310 } 1311 return (const u_char *)ext + item_len; 1312 trunc: 1313 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_KE)); 1314 return NULL; 1315 } 1316 1317 static const u_char * 1318 ikev1_id_print(netdissect_options *ndo, u_char tpay _U_, 1319 const struct isakmp_gen *ext, u_int item_len, 1320 const u_char *ep _U_, uint32_t phase, uint32_t doi _U_, 1321 uint32_t proto _U_, int depth _U_) 1322 { 1323 #define USE_IPSECDOI_IN_PHASE1 1 1324 const struct ikev1_pl_id *p; 1325 static const char *idtypestr[] = { 1326 "IPv4", "IPv4net", "IPv6", "IPv6net", 1327 }; 1328 static const char *ipsecidtypestr[] = { 1329 NULL, "IPv4", "FQDN", "user FQDN", "IPv4net", "IPv6", 1330 "IPv6net", "IPv4range", "IPv6range", "ASN1 DN", "ASN1 GN", 1331 "keyid", 1332 }; 1333 u_int len; 1334 const u_char *data; 1335 1336 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_ID)); 1337 1338 p = (const struct ikev1_pl_id *)ext; 1339 ND_TCHECK_SIZE(p); 1340 if (sizeof(*p) < item_len) { 1341 data = (const u_char *)(p + 1); 1342 len = item_len - sizeof(*p); 1343 } else { 1344 data = NULL; 1345 len = 0; 1346 } 1347 1348 #if 0 /*debug*/ 1349 ND_PRINT(" [phase=%u doi=%u proto=%u]", phase, doi, proto); 1350 #endif 1351 switch (phase) { 1352 #ifndef USE_IPSECDOI_IN_PHASE1 1353 case 1: 1354 #endif 1355 default: 1356 ND_PRINT(" idtype=%s", 1357 STR_OR_ID(GET_U_1(p->d.id_type), idtypestr)); 1358 ND_PRINT(" doi_data=%u", 1359 GET_BE_U_4(p->d.doi_data) & 0xffffff); 1360 break; 1361 1362 #ifdef USE_IPSECDOI_IN_PHASE1 1363 case 1: 1364 #endif 1365 case 2: 1366 { 1367 const struct ipsecdoi_id *doi_p; 1368 const char *p_name; 1369 uint8_t type, proto_id; 1370 1371 doi_p = (const struct ipsecdoi_id *)ext; 1372 ND_TCHECK_SIZE(doi_p); 1373 type = GET_U_1(doi_p->type); 1374 ND_PRINT(" idtype=%s", STR_OR_ID(type, ipsecidtypestr)); 1375 /* A protocol ID of 0 DOES NOT mean IPPROTO_IP! */ 1376 proto_id = GET_U_1(doi_p->proto_id); 1377 if (!ndo->ndo_nflag && proto_id && (p_name = netdb_protoname(proto_id)) != NULL) 1378 ND_PRINT(" protoid=%s", p_name); 1379 else 1380 ND_PRINT(" protoid=%u", proto_id); 1381 ND_PRINT(" port=%u", GET_BE_U_2(doi_p->port)); 1382 if (!len) 1383 break; 1384 if (data == NULL) 1385 goto trunc; 1386 ND_TCHECK_LEN(data, len); 1387 switch (type) { 1388 case IPSECDOI_ID_IPV4_ADDR: 1389 if (len < 4) 1390 ND_PRINT(" len=%u [bad: < 4]", len); 1391 else 1392 ND_PRINT(" len=%u %s", len, GET_IPADDR_STRING(data)); 1393 len = 0; 1394 break; 1395 case IPSECDOI_ID_FQDN: 1396 case IPSECDOI_ID_USER_FQDN: 1397 { 1398 u_int i; 1399 ND_PRINT(" len=%u ", len); 1400 for (i = 0; i < len; i++) 1401 fn_print_char(ndo, GET_U_1(data + i)); 1402 len = 0; 1403 break; 1404 } 1405 case IPSECDOI_ID_IPV4_ADDR_SUBNET: 1406 { 1407 const u_char *mask; 1408 if (len < 8) 1409 ND_PRINT(" len=%u [bad: < 8]", len); 1410 else { 1411 mask = data + sizeof(nd_ipv4); 1412 ND_PRINT(" len=%u %s/%u.%u.%u.%u", len, 1413 GET_IPADDR_STRING(data), 1414 GET_U_1(mask), GET_U_1(mask + 1), 1415 GET_U_1(mask + 2), 1416 GET_U_1(mask + 3)); 1417 } 1418 len = 0; 1419 break; 1420 } 1421 case IPSECDOI_ID_IPV6_ADDR: 1422 if (len < 16) 1423 ND_PRINT(" len=%u [bad: < 16]", len); 1424 else 1425 ND_PRINT(" len=%u %s", len, GET_IP6ADDR_STRING(data)); 1426 len = 0; 1427 break; 1428 case IPSECDOI_ID_IPV6_ADDR_SUBNET: 1429 { 1430 const u_char *mask; 1431 if (len < 32) 1432 ND_PRINT(" len=%u [bad: < 32]", len); 1433 else { 1434 mask = (const u_char *)(data + sizeof(nd_ipv6)); 1435 /*XXX*/ 1436 ND_PRINT(" len=%u %s/0x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x", len, 1437 GET_IP6ADDR_STRING(data), 1438 GET_U_1(mask), GET_U_1(mask + 1), 1439 GET_U_1(mask + 2), 1440 GET_U_1(mask + 3), 1441 GET_U_1(mask + 4), 1442 GET_U_1(mask + 5), 1443 GET_U_1(mask + 6), 1444 GET_U_1(mask + 7), 1445 GET_U_1(mask + 8), 1446 GET_U_1(mask + 9), 1447 GET_U_1(mask + 10), 1448 GET_U_1(mask + 11), 1449 GET_U_1(mask + 12), 1450 GET_U_1(mask + 13), 1451 GET_U_1(mask + 14), 1452 GET_U_1(mask + 15)); 1453 } 1454 len = 0; 1455 break; 1456 } 1457 case IPSECDOI_ID_IPV4_ADDR_RANGE: 1458 if (len < 8) 1459 ND_PRINT(" len=%u [bad: < 8]", len); 1460 else { 1461 ND_PRINT(" len=%u %s-%s", len, 1462 GET_IPADDR_STRING(data), 1463 GET_IPADDR_STRING(data + sizeof(nd_ipv4))); 1464 } 1465 len = 0; 1466 break; 1467 case IPSECDOI_ID_IPV6_ADDR_RANGE: 1468 if (len < 32) 1469 ND_PRINT(" len=%u [bad: < 32]", len); 1470 else { 1471 ND_PRINT(" len=%u %s-%s", len, 1472 GET_IP6ADDR_STRING(data), 1473 GET_IP6ADDR_STRING(data + sizeof(nd_ipv6))); 1474 } 1475 len = 0; 1476 break; 1477 case IPSECDOI_ID_DER_ASN1_DN: 1478 case IPSECDOI_ID_DER_ASN1_GN: 1479 case IPSECDOI_ID_KEY_ID: 1480 break; 1481 } 1482 break; 1483 } 1484 } 1485 if (data && len) { 1486 ND_PRINT(" len=%u", len); 1487 if (2 < ndo->ndo_vflag) { 1488 ND_PRINT(" "); 1489 if (!rawprint(ndo, (const uint8_t *)data, len)) 1490 goto trunc; 1491 } 1492 } 1493 return (const u_char *)ext + item_len; 1494 trunc: 1495 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_ID)); 1496 return NULL; 1497 } 1498 1499 static const u_char * 1500 ikev1_cert_print(netdissect_options *ndo, u_char tpay _U_, 1501 const struct isakmp_gen *ext, u_int item_len, 1502 const u_char *ep _U_, uint32_t phase _U_, 1503 uint32_t doi0 _U_, 1504 uint32_t proto0 _U_, int depth _U_) 1505 { 1506 const struct ikev1_pl_cert *p; 1507 static const char *certstr[] = { 1508 "none", "pkcs7", "pgp", "dns", 1509 "x509sign", "x509ke", "kerberos", "crl", 1510 "arl", "spki", "x509attr", 1511 }; 1512 1513 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_CERT)); 1514 1515 p = (const struct ikev1_pl_cert *)ext; 1516 ND_TCHECK_SIZE(p); 1517 /* 1518 * Our caller has ensured that the length is >= 4. 1519 */ 1520 ND_PRINT(" len=%u", item_len - 4); 1521 ND_PRINT(" type=%s", STR_OR_ID(GET_U_1(p->encode), certstr)); 1522 if (2 < ndo->ndo_vflag && 4 < item_len) { 1523 /* Print the entire payload in hex */ 1524 ND_PRINT(" "); 1525 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4)) 1526 goto trunc; 1527 } 1528 return (const u_char *)ext + item_len; 1529 trunc: 1530 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_CERT)); 1531 return NULL; 1532 } 1533 1534 static const u_char * 1535 ikev1_cr_print(netdissect_options *ndo, u_char tpay _U_, 1536 const struct isakmp_gen *ext, u_int item_len, 1537 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi0 _U_, 1538 uint32_t proto0 _U_, int depth _U_) 1539 { 1540 const struct ikev1_pl_cert *p; 1541 static const char *certstr[] = { 1542 "none", "pkcs7", "pgp", "dns", 1543 "x509sign", "x509ke", "kerberos", "crl", 1544 "arl", "spki", "x509attr", 1545 }; 1546 1547 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_CR)); 1548 1549 p = (const struct ikev1_pl_cert *)ext; 1550 ND_TCHECK_SIZE(p); 1551 /* 1552 * Our caller has ensured that the length is >= 4. 1553 */ 1554 ND_PRINT(" len=%u", item_len - 4); 1555 ND_PRINT(" type=%s", STR_OR_ID(GET_U_1(p->encode), certstr)); 1556 if (2 < ndo->ndo_vflag && 4 < item_len) { 1557 /* Print the entire payload in hex */ 1558 ND_PRINT(" "); 1559 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4)) 1560 goto trunc; 1561 } 1562 return (const u_char *)ext + item_len; 1563 trunc: 1564 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_CR)); 1565 return NULL; 1566 } 1567 1568 static const u_char * 1569 ikev1_hash_print(netdissect_options *ndo, u_char tpay _U_, 1570 const struct isakmp_gen *ext, u_int item_len, 1571 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_, 1572 uint32_t proto _U_, int depth _U_) 1573 { 1574 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_HASH)); 1575 1576 ND_TCHECK_SIZE(ext); 1577 /* 1578 * Our caller has ensured that the length is >= 4. 1579 */ 1580 ND_PRINT(" len=%u", item_len - 4); 1581 if (2 < ndo->ndo_vflag && 4 < item_len) { 1582 /* Print the entire payload in hex */ 1583 ND_PRINT(" "); 1584 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4)) 1585 goto trunc; 1586 } 1587 return (const u_char *)ext + item_len; 1588 trunc: 1589 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_HASH)); 1590 return NULL; 1591 } 1592 1593 static const u_char * 1594 ikev1_sig_print(netdissect_options *ndo, u_char tpay _U_, 1595 const struct isakmp_gen *ext, u_int item_len, 1596 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_, 1597 uint32_t proto _U_, int depth _U_) 1598 { 1599 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_SIG)); 1600 1601 ND_TCHECK_SIZE(ext); 1602 /* 1603 * Our caller has ensured that the length is >= 4. 1604 */ 1605 ND_PRINT(" len=%u", item_len - 4); 1606 if (2 < ndo->ndo_vflag && 4 < item_len) { 1607 /* Print the entire payload in hex */ 1608 ND_PRINT(" "); 1609 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4)) 1610 goto trunc; 1611 } 1612 return (const u_char *)ext + item_len; 1613 trunc: 1614 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_SIG)); 1615 return NULL; 1616 } 1617 1618 static const u_char * 1619 ikev1_nonce_print(netdissect_options *ndo, u_char tpay _U_, 1620 const struct isakmp_gen *ext, 1621 u_int item_len, 1622 const u_char *ep, 1623 uint32_t phase _U_, uint32_t doi _U_, 1624 uint32_t proto _U_, int depth _U_) 1625 { 1626 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_NONCE)); 1627 1628 ND_TCHECK_SIZE(ext); 1629 /* 1630 * Our caller has ensured that the length is >= 4. 1631 */ 1632 ND_PRINT(" n len=%u", item_len - 4); 1633 if (item_len > 4) { 1634 if (ndo->ndo_vflag > 2) { 1635 ND_PRINT(" "); 1636 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4)) 1637 goto trunc; 1638 } else if (ndo->ndo_vflag > 1) { 1639 ND_PRINT(" "); 1640 if (!ike_show_somedata(ndo, (const u_char *)(ext + 1), ep)) 1641 goto trunc; 1642 } 1643 } 1644 return (const u_char *)ext + item_len; 1645 trunc: 1646 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_NONCE)); 1647 return NULL; 1648 } 1649 1650 static const u_char * 1651 ikev1_n_print(netdissect_options *ndo, u_char tpay _U_, 1652 const struct isakmp_gen *ext, u_int item_len, 1653 const u_char *ep, uint32_t phase _U_, uint32_t doi0 _U_, 1654 uint32_t proto0 _U_, int depth _U_) 1655 { 1656 const struct ikev1_pl_n *p; 1657 const u_char *cp; 1658 const u_char *ep2; 1659 uint32_t doi; 1660 uint32_t proto; 1661 uint16_t type; 1662 uint8_t spi_size; 1663 static const char *notify_error_str[] = { 1664 NULL, "INVALID-PAYLOAD-TYPE", 1665 "DOI-NOT-SUPPORTED", "SITUATION-NOT-SUPPORTED", 1666 "INVALID-COOKIE", "INVALID-MAJOR-VERSION", 1667 "INVALID-MINOR-VERSION", "INVALID-EXCHANGE-TYPE", 1668 "INVALID-FLAGS", "INVALID-MESSAGE-ID", 1669 "INVALID-PROTOCOL-ID", "INVALID-SPI", 1670 "INVALID-TRANSFORM-ID", "ATTRIBUTES-NOT-SUPPORTED", 1671 "NO-PROPOSAL-CHOSEN", "BAD-PROPOSAL-SYNTAX", 1672 "PAYLOAD-MALFORMED", "INVALID-KEY-INFORMATION", 1673 "INVALID-ID-INFORMATION", "INVALID-CERT-ENCODING", 1674 "INVALID-CERTIFICATE", "CERT-TYPE-UNSUPPORTED", 1675 "INVALID-CERT-AUTHORITY", "INVALID-HASH-INFORMATION", 1676 "AUTHENTICATION-FAILED", "INVALID-SIGNATURE", 1677 "ADDRESS-NOTIFICATION", "NOTIFY-SA-LIFETIME", 1678 "CERTIFICATE-UNAVAILABLE", "UNSUPPORTED-EXCHANGE-TYPE", 1679 "UNEQUAL-PAYLOAD-LENGTHS", 1680 }; 1681 static const char *ipsec_notify_error_str[] = { 1682 "RESERVED", 1683 }; 1684 static const char *notify_status_str[] = { 1685 "CONNECTED", 1686 }; 1687 static const char *ipsec_notify_status_str[] = { 1688 "RESPONDER-LIFETIME", "REPLAY-STATUS", 1689 "INITIAL-CONTACT", 1690 }; 1691 /* NOTE: these macro must be called with x in proper range */ 1692 1693 /* 0 - 8191 */ 1694 #define NOTIFY_ERROR_STR(x) \ 1695 STR_OR_ID((x), notify_error_str) 1696 1697 /* 8192 - 16383 */ 1698 #define IPSEC_NOTIFY_ERROR_STR(x) \ 1699 STR_OR_ID((u_int)((x) - 8192), ipsec_notify_error_str) 1700 1701 /* 16384 - 24575 */ 1702 #define NOTIFY_STATUS_STR(x) \ 1703 STR_OR_ID((u_int)((x) - 16384), notify_status_str) 1704 1705 /* 24576 - 32767 */ 1706 #define IPSEC_NOTIFY_STATUS_STR(x) \ 1707 STR_OR_ID((u_int)((x) - 24576), ipsec_notify_status_str) 1708 1709 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_N)); 1710 1711 p = (const struct ikev1_pl_n *)ext; 1712 ND_TCHECK_SIZE(p); 1713 doi = GET_BE_U_4(p->doi); 1714 proto = GET_U_1(p->prot_id); 1715 if (doi != 1) { 1716 ND_PRINT(" doi=%u", doi); 1717 ND_PRINT(" proto=%u", proto); 1718 type = GET_BE_U_2(p->type); 1719 if (type < 8192) 1720 ND_PRINT(" type=%s", NOTIFY_ERROR_STR(type)); 1721 else if (type < 16384) 1722 ND_PRINT(" type=%s", numstr(type)); 1723 else if (type < 24576) 1724 ND_PRINT(" type=%s", NOTIFY_STATUS_STR(type)); 1725 else 1726 ND_PRINT(" type=%s", numstr(type)); 1727 spi_size = GET_U_1(p->spi_size); 1728 if (spi_size) { 1729 ND_PRINT(" spi="); 1730 if (!rawprint(ndo, (const uint8_t *)(p + 1), spi_size)) 1731 goto trunc; 1732 } 1733 return (const u_char *)(p + 1) + spi_size; 1734 } 1735 1736 ND_PRINT(" doi=ipsec"); 1737 ND_PRINT(" proto=%s", PROTOIDSTR(proto)); 1738 type = GET_BE_U_2(p->type); 1739 if (type < 8192) 1740 ND_PRINT(" type=%s", NOTIFY_ERROR_STR(type)); 1741 else if (type < 16384) 1742 ND_PRINT(" type=%s", IPSEC_NOTIFY_ERROR_STR(type)); 1743 else if (type < 24576) 1744 ND_PRINT(" type=%s", NOTIFY_STATUS_STR(type)); 1745 else if (type < 32768) 1746 ND_PRINT(" type=%s", IPSEC_NOTIFY_STATUS_STR(type)); 1747 else 1748 ND_PRINT(" type=%s", numstr(type)); 1749 spi_size = GET_U_1(p->spi_size); 1750 if (spi_size) { 1751 ND_PRINT(" spi="); 1752 if (!rawprint(ndo, (const uint8_t *)(p + 1), spi_size)) 1753 goto trunc; 1754 } 1755 1756 cp = (const u_char *)(p + 1) + spi_size; 1757 ep2 = (const u_char *)p + item_len; 1758 1759 if (cp < ep) { 1760 switch (type) { 1761 case IPSECDOI_NTYPE_RESPONDER_LIFETIME: 1762 { 1763 const struct attrmap *map = oakley_t_map; 1764 size_t nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]); 1765 ND_PRINT(" attrs=("); 1766 while (cp < ep && cp < ep2) { 1767 cp = ikev1_attrmap_print(ndo, cp, ep2, map, nmap); 1768 if (cp == NULL) { 1769 ND_PRINT(")"); 1770 goto trunc; 1771 } 1772 } 1773 ND_PRINT(")"); 1774 break; 1775 } 1776 case IPSECDOI_NTYPE_REPLAY_STATUS: 1777 ND_PRINT(" status=("); 1778 ND_PRINT("replay detection %sabled", 1779 GET_BE_U_4(cp) ? "en" : "dis"); 1780 ND_PRINT(")"); 1781 break; 1782 default: 1783 /* 1784 * XXX - fill in more types here; see, for example, 1785 * draft-ietf-ipsec-notifymsg-04. 1786 */ 1787 if (ndo->ndo_vflag > 3) { 1788 ND_PRINT(" data=("); 1789 if (!rawprint(ndo, (const uint8_t *)(cp), ep - cp)) 1790 goto trunc; 1791 ND_PRINT(")"); 1792 } else { 1793 if (!ike_show_somedata(ndo, cp, ep)) 1794 goto trunc; 1795 } 1796 break; 1797 } 1798 } 1799 return (const u_char *)ext + item_len; 1800 trunc: 1801 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_N)); 1802 return NULL; 1803 } 1804 1805 static const u_char * 1806 ikev1_d_print(netdissect_options *ndo, u_char tpay _U_, 1807 const struct isakmp_gen *ext, u_int item_len _U_, 1808 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi0 _U_, 1809 uint32_t proto0 _U_, int depth _U_) 1810 { 1811 const struct ikev1_pl_d *p; 1812 const uint8_t *q; 1813 uint32_t doi; 1814 uint32_t proto; 1815 uint8_t spi_size; 1816 uint16_t num_spi; 1817 u_int i; 1818 1819 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_D)); 1820 1821 p = (const struct ikev1_pl_d *)ext; 1822 ND_TCHECK_SIZE(p); 1823 doi = GET_BE_U_4(p->doi); 1824 proto = GET_U_1(p->prot_id); 1825 if (doi != 1) { 1826 ND_PRINT(" doi=%u", doi); 1827 ND_PRINT(" proto=%u", proto); 1828 } else { 1829 ND_PRINT(" doi=ipsec"); 1830 ND_PRINT(" proto=%s", PROTOIDSTR(proto)); 1831 } 1832 spi_size = GET_U_1(p->spi_size); 1833 ND_PRINT(" spilen=%u", spi_size); 1834 num_spi = GET_BE_U_2(p->num_spi); 1835 ND_PRINT(" nspi=%u", num_spi); 1836 ND_PRINT(" spi="); 1837 q = (const uint8_t *)(p + 1); 1838 for (i = 0; i < num_spi; i++) { 1839 if (i != 0) 1840 ND_PRINT(","); 1841 if (!rawprint(ndo, (const uint8_t *)q, spi_size)) 1842 goto trunc; 1843 q += spi_size; 1844 } 1845 return q; 1846 trunc: 1847 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_D)); 1848 return NULL; 1849 } 1850 1851 static const u_char * 1852 ikev1_vid_print(netdissect_options *ndo, u_char tpay _U_, 1853 const struct isakmp_gen *ext, 1854 u_int item_len, const u_char *ep _U_, 1855 uint32_t phase _U_, uint32_t doi _U_, 1856 uint32_t proto _U_, int depth _U_) 1857 { 1858 ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_VID)); 1859 1860 ND_TCHECK_SIZE(ext); 1861 /* 1862 * Our caller has ensured that the length is >= 4. 1863 */ 1864 ND_PRINT(" len=%u", item_len - 4); 1865 if (2 < ndo->ndo_vflag && 4 < item_len) { 1866 /* Print the entire payload in hex */ 1867 ND_PRINT(" "); 1868 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4)) 1869 goto trunc; 1870 } 1871 return (const u_char *)ext + item_len; 1872 trunc: 1873 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_VID)); 1874 return NULL; 1875 } 1876 1877 /************************************************************/ 1878 /* */ 1879 /* IKE v2 - rfc4306 - dissector */ 1880 /* */ 1881 /************************************************************/ 1882 1883 static void 1884 ikev2_pay_print(netdissect_options *ndo, const char *payname, uint8_t critical) 1885 { 1886 ND_PRINT("%s%s:", payname, critical&0x80 ? "[C]" : ""); 1887 } 1888 1889 static const u_char * 1890 ikev2_gen_print(netdissect_options *ndo, u_char tpay, 1891 const struct isakmp_gen *ext, u_int item_len) 1892 { 1893 const struct isakmp_gen *p = (const struct isakmp_gen *)ext; 1894 1895 ND_TCHECK_SIZE(ext); 1896 ikev2_pay_print(ndo, NPSTR(tpay), GET_U_1(p->critical)); 1897 1898 /* 1899 * Our caller has ensured that the length is >= 4. 1900 */ 1901 ND_PRINT(" len=%u", item_len - 4); 1902 if (2 < ndo->ndo_vflag && 4 < item_len) { 1903 /* Print the entire payload in hex */ 1904 ND_PRINT(" "); 1905 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4)) 1906 goto trunc; 1907 } 1908 return (const u_char *)ext + item_len; 1909 trunc: 1910 ND_PRINT(" [|%s]", NPSTR(tpay)); 1911 return NULL; 1912 } 1913 1914 static const u_char * 1915 ikev2_t_print(netdissect_options *ndo, int tcount, 1916 const struct isakmp_gen *ext, u_int item_len, 1917 const u_char *ep) 1918 { 1919 const struct ikev2_t *p; 1920 uint16_t t_id; 1921 uint8_t t_type; 1922 const u_char *cp; 1923 const char *idstr; 1924 const struct attrmap *map; 1925 size_t nmap; 1926 const u_char *ep2; 1927 1928 p = (const struct ikev2_t *)ext; 1929 ND_TCHECK_SIZE(p); 1930 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_T), GET_U_1(p->h.critical)); 1931 1932 t_id = GET_BE_U_2(p->t_id); 1933 1934 map = NULL; 1935 nmap = 0; 1936 1937 t_type = GET_U_1(p->t_type); 1938 switch (t_type) { 1939 case IV2_T_ENCR: 1940 idstr = STR_OR_ID(t_id, esp_p_map); 1941 map = encr_t_map; 1942 nmap = sizeof(encr_t_map)/sizeof(encr_t_map[0]); 1943 break; 1944 1945 case IV2_T_PRF: 1946 idstr = STR_OR_ID(t_id, prf_p_map); 1947 break; 1948 1949 case IV2_T_INTEG: 1950 idstr = STR_OR_ID(t_id, integ_p_map); 1951 break; 1952 1953 case IV2_T_DH: 1954 idstr = STR_OR_ID(t_id, dh_p_map); 1955 break; 1956 1957 case IV2_T_ESN: 1958 idstr = STR_OR_ID(t_id, esn_p_map); 1959 break; 1960 1961 default: 1962 idstr = NULL; 1963 break; 1964 } 1965 1966 if (idstr) 1967 ND_PRINT(" #%u type=%s id=%s ", tcount, 1968 STR_OR_ID(t_type, ikev2_t_type_map), 1969 idstr); 1970 else 1971 ND_PRINT(" #%u type=%s id=%u ", tcount, 1972 STR_OR_ID(t_type, ikev2_t_type_map), 1973 t_id); 1974 cp = (const u_char *)(p + 1); 1975 ep2 = (const u_char *)p + item_len; 1976 while (cp < ep && cp < ep2) { 1977 if (map && nmap) { 1978 cp = ikev1_attrmap_print(ndo, cp, ep2, map, nmap); 1979 } else 1980 cp = ikev1_attr_print(ndo, cp, ep2); 1981 if (cp == NULL) 1982 goto trunc; 1983 } 1984 if (ep < ep2) 1985 ND_PRINT("..."); 1986 return cp; 1987 trunc: 1988 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_T)); 1989 return NULL; 1990 } 1991 1992 static const u_char * 1993 ikev2_p_print(netdissect_options *ndo, u_char tpay _U_, int pcount _U_, 1994 const struct isakmp_gen *ext, u_int oprop_length, 1995 const u_char *ep, int depth) 1996 { 1997 const struct ikev2_p *p; 1998 u_int prop_length; 1999 uint8_t spi_size; 2000 const u_char *cp; 2001 int i; 2002 int tcount; 2003 u_char np; 2004 u_int item_len; 2005 2006 p = (const struct ikev2_p *)ext; 2007 ND_TCHECK_SIZE(p); 2008 2009 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_P), GET_U_1(p->h.critical)); 2010 2011 /* 2012 * ikev2_sa_print() guarantees that this is >= 4. 2013 */ 2014 prop_length = oprop_length - 4; 2015 ND_PRINT(" #%u protoid=%s transform=%u len=%u", 2016 GET_U_1(p->p_no), PROTOIDSTR(GET_U_1(p->prot_id)), 2017 GET_U_1(p->num_t), oprop_length); 2018 cp = (const u_char *)(p + 1); 2019 2020 spi_size = GET_U_1(p->spi_size); 2021 if (spi_size) { 2022 if (prop_length < spi_size) 2023 goto toolong; 2024 ND_PRINT(" spi="); 2025 if (!rawprint(ndo, (const uint8_t *)cp, spi_size)) 2026 goto trunc; 2027 cp += spi_size; 2028 prop_length -= spi_size; 2029 } 2030 2031 /* 2032 * Print the transforms. 2033 */ 2034 tcount = 0; 2035 for (np = ISAKMP_NPTYPE_T; np != 0; np = GET_U_1(ext->np)) { 2036 tcount++; 2037 ext = (const struct isakmp_gen *)cp; 2038 if (prop_length < sizeof(*ext)) 2039 goto toolong; 2040 ND_TCHECK_SIZE(ext); 2041 2042 /* 2043 * Since we can't have a payload length of less than 4 bytes, 2044 * we need to bail out here if the generic header is nonsensical 2045 * or truncated, otherwise we could loop forever processing 2046 * zero-length items or otherwise misdissect the packet. 2047 */ 2048 item_len = GET_BE_U_2(ext->len); 2049 if (item_len <= 4) 2050 goto trunc; 2051 2052 if (prop_length < item_len) 2053 goto toolong; 2054 ND_TCHECK_LEN(cp, item_len); 2055 2056 depth++; 2057 ND_PRINT("\n"); 2058 for (i = 0; i < depth; i++) 2059 ND_PRINT(" "); 2060 ND_PRINT("("); 2061 if (np == ISAKMP_NPTYPE_T) { 2062 cp = ikev2_t_print(ndo, tcount, ext, item_len, ep); 2063 if (cp == NULL) { 2064 /* error, already reported */ 2065 return NULL; 2066 } 2067 } else { 2068 ND_PRINT("%s", NPSTR(np)); 2069 cp += item_len; 2070 } 2071 ND_PRINT(")"); 2072 depth--; 2073 prop_length -= item_len; 2074 } 2075 return cp; 2076 toolong: 2077 /* 2078 * Skip the rest of the proposal. 2079 */ 2080 cp += prop_length; 2081 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_P)); 2082 return cp; 2083 trunc: 2084 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_P)); 2085 return NULL; 2086 } 2087 2088 static const u_char * 2089 ikev2_sa_print(netdissect_options *ndo, u_char tpay, 2090 const struct isakmp_gen *ext1, 2091 u_int osa_length, const u_char *ep, 2092 uint32_t phase _U_, uint32_t doi _U_, 2093 uint32_t proto _U_, int depth) 2094 { 2095 const struct isakmp_gen *ext; 2096 u_int sa_length; 2097 const u_char *cp; 2098 int i; 2099 int pcount; 2100 u_char np; 2101 u_int item_len; 2102 2103 ND_TCHECK_SIZE(ext1); 2104 ikev2_pay_print(ndo, "sa", GET_U_1(ext1->critical)); 2105 2106 /* 2107 * ikev2_sub0_print() guarantees that this is >= 4. 2108 */ 2109 osa_length= GET_BE_U_2(ext1->len); 2110 sa_length = osa_length - 4; 2111 ND_PRINT(" len=%u", sa_length); 2112 2113 /* 2114 * Print the payloads. 2115 */ 2116 cp = (const u_char *)(ext1 + 1); 2117 pcount = 0; 2118 for (np = ISAKMP_NPTYPE_P; np != 0; np = GET_U_1(ext->np)) { 2119 pcount++; 2120 ext = (const struct isakmp_gen *)cp; 2121 if (sa_length < sizeof(*ext)) 2122 goto toolong; 2123 ND_TCHECK_SIZE(ext); 2124 2125 /* 2126 * Since we can't have a payload length of less than 4 bytes, 2127 * we need to bail out here if the generic header is nonsensical 2128 * or truncated, otherwise we could loop forever processing 2129 * zero-length items or otherwise misdissect the packet. 2130 */ 2131 item_len = GET_BE_U_2(ext->len); 2132 if (item_len <= 4) 2133 goto trunc; 2134 2135 if (sa_length < item_len) 2136 goto toolong; 2137 ND_TCHECK_LEN(cp, item_len); 2138 2139 depth++; 2140 ND_PRINT("\n"); 2141 for (i = 0; i < depth; i++) 2142 ND_PRINT(" "); 2143 ND_PRINT("("); 2144 if (np == ISAKMP_NPTYPE_P) { 2145 cp = ikev2_p_print(ndo, np, pcount, ext, item_len, 2146 ep, depth); 2147 if (cp == NULL) { 2148 /* error, already reported */ 2149 return NULL; 2150 } 2151 } else { 2152 ND_PRINT("%s", NPSTR(np)); 2153 cp += item_len; 2154 } 2155 ND_PRINT(")"); 2156 depth--; 2157 sa_length -= item_len; 2158 } 2159 return cp; 2160 toolong: 2161 /* 2162 * Skip the rest of the SA. 2163 */ 2164 cp += sa_length; 2165 ND_PRINT(" [|%s]", NPSTR(tpay)); 2166 return cp; 2167 trunc: 2168 ND_PRINT(" [|%s]", NPSTR(tpay)); 2169 return NULL; 2170 } 2171 2172 static const u_char * 2173 ikev2_ke_print(netdissect_options *ndo, u_char tpay, 2174 const struct isakmp_gen *ext, 2175 u_int item_len, const u_char *ep _U_, 2176 uint32_t phase _U_, uint32_t doi _U_, 2177 uint32_t proto _U_, int depth _U_) 2178 { 2179 const struct ikev2_ke *k; 2180 2181 k = (const struct ikev2_ke *)ext; 2182 ND_TCHECK_SIZE(k); 2183 ikev2_pay_print(ndo, NPSTR(tpay), GET_U_1(k->h.critical)); 2184 2185 if (item_len < 8) { 2186 ND_PRINT(" len=%u < 8", item_len); 2187 return (const u_char *)ext + item_len; 2188 } 2189 ND_PRINT(" len=%u group=%s", item_len - 8, 2190 STR_OR_ID(GET_BE_U_2(k->ke_group), dh_p_map)); 2191 2192 if (2 < ndo->ndo_vflag && 8 < item_len) { 2193 ND_PRINT(" "); 2194 if (!rawprint(ndo, (const uint8_t *)(k + 1), item_len - 8)) 2195 goto trunc; 2196 } 2197 return (const u_char *)ext + item_len; 2198 trunc: 2199 ND_PRINT(" [|%s]", NPSTR(tpay)); 2200 return NULL; 2201 } 2202 2203 static const u_char * 2204 ikev2_ID_print(netdissect_options *ndo, u_char tpay, 2205 const struct isakmp_gen *ext, 2206 u_int item_len, const u_char *ep _U_, 2207 uint32_t phase _U_, uint32_t doi _U_, 2208 uint32_t proto _U_, int depth _U_) 2209 { 2210 const struct ikev2_id *idp; 2211 u_int idtype_len, i; 2212 unsigned int dumpascii, dumphex; 2213 const unsigned char *typedata; 2214 2215 idp = (const struct ikev2_id *)ext; 2216 ND_TCHECK_SIZE(idp); 2217 ikev2_pay_print(ndo, NPSTR(tpay), GET_U_1(idp->h.critical)); 2218 2219 /* 2220 * Our caller has ensured that the length is >= 4. 2221 */ 2222 ND_PRINT(" len=%u", item_len - 4); 2223 if (2 < ndo->ndo_vflag && 4 < item_len) { 2224 /* Print the entire payload in hex */ 2225 ND_PRINT(" "); 2226 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4)) 2227 goto trunc; 2228 } 2229 2230 idtype_len =item_len - sizeof(struct ikev2_id); 2231 dumpascii = 0; 2232 dumphex = 0; 2233 typedata = (const unsigned char *)(ext)+sizeof(struct ikev2_id); 2234 2235 switch(GET_U_1(idp->type)) { 2236 case ID_IPV4_ADDR: 2237 ND_PRINT(" ipv4:"); 2238 dumphex=1; 2239 break; 2240 case ID_FQDN: 2241 ND_PRINT(" fqdn:"); 2242 dumpascii=1; 2243 break; 2244 case ID_RFC822_ADDR: 2245 ND_PRINT(" rfc822:"); 2246 dumpascii=1; 2247 break; 2248 case ID_IPV6_ADDR: 2249 ND_PRINT(" ipv6:"); 2250 dumphex=1; 2251 break; 2252 case ID_DER_ASN1_DN: 2253 ND_PRINT(" dn:"); 2254 dumphex=1; 2255 break; 2256 case ID_DER_ASN1_GN: 2257 ND_PRINT(" gn:"); 2258 dumphex=1; 2259 break; 2260 case ID_KEY_ID: 2261 ND_PRINT(" keyid:"); 2262 dumphex=1; 2263 break; 2264 } 2265 2266 if(dumpascii) { 2267 ND_TCHECK_LEN(typedata, idtype_len); 2268 for(i=0; i<idtype_len; i++) { 2269 if(ND_ASCII_ISPRINT(GET_U_1(typedata + i))) { 2270 ND_PRINT("%c", GET_U_1(typedata + i)); 2271 } else { 2272 ND_PRINT("."); 2273 } 2274 } 2275 } 2276 if(dumphex) { 2277 if (!rawprint(ndo, (const uint8_t *)typedata, idtype_len)) 2278 goto trunc; 2279 } 2280 2281 return (const u_char *)ext + item_len; 2282 trunc: 2283 ND_PRINT(" [|%s]", NPSTR(tpay)); 2284 return NULL; 2285 } 2286 2287 static const u_char * 2288 ikev2_cert_print(netdissect_options *ndo, u_char tpay, 2289 const struct isakmp_gen *ext, 2290 u_int item_len, const u_char *ep _U_, 2291 uint32_t phase _U_, uint32_t doi _U_, 2292 uint32_t proto _U_, int depth _U_) 2293 { 2294 return ikev2_gen_print(ndo, tpay, ext, item_len); 2295 } 2296 2297 static const u_char * 2298 ikev2_cr_print(netdissect_options *ndo, u_char tpay, 2299 const struct isakmp_gen *ext, 2300 u_int item_len, const u_char *ep _U_, 2301 uint32_t phase _U_, uint32_t doi _U_, 2302 uint32_t proto _U_, int depth _U_) 2303 { 2304 return ikev2_gen_print(ndo, tpay, ext, item_len); 2305 } 2306 2307 static const u_char * 2308 ikev2_auth_print(netdissect_options *ndo, u_char tpay, 2309 const struct isakmp_gen *ext, 2310 u_int item_len, const u_char *ep, 2311 uint32_t phase _U_, uint32_t doi _U_, 2312 uint32_t proto _U_, int depth _U_) 2313 { 2314 const struct ikev2_auth *p; 2315 const char *v2_auth[]={ "invalid", "rsasig", 2316 "shared-secret", "dsssig" }; 2317 const u_char *authdata = (const u_char *)ext + sizeof(struct ikev2_auth); 2318 2319 ND_TCHECK_LEN(ext, sizeof(struct ikev2_auth)); 2320 p = (const struct ikev2_auth *)ext; 2321 ikev2_pay_print(ndo, NPSTR(tpay), GET_U_1(p->h.critical)); 2322 2323 /* 2324 * Our caller has ensured that the length is >= 4. 2325 */ 2326 ND_PRINT(" len=%u method=%s", item_len-4, 2327 STR_OR_ID(GET_U_1(p->auth_method), v2_auth)); 2328 if (item_len > 4) { 2329 if (ndo->ndo_vflag > 1) { 2330 ND_PRINT(" authdata=("); 2331 if (!rawprint(ndo, (const uint8_t *)authdata, item_len - sizeof(struct ikev2_auth))) 2332 goto trunc; 2333 ND_PRINT(") "); 2334 } else if (ndo->ndo_vflag) { 2335 if (!ike_show_somedata(ndo, authdata, ep)) 2336 goto trunc; 2337 } 2338 } 2339 2340 return (const u_char *)ext + item_len; 2341 trunc: 2342 ND_PRINT(" [|%s]", NPSTR(tpay)); 2343 return NULL; 2344 } 2345 2346 static const u_char * 2347 ikev2_nonce_print(netdissect_options *ndo, u_char tpay, 2348 const struct isakmp_gen *ext, 2349 u_int item_len, const u_char *ep, 2350 uint32_t phase _U_, uint32_t doi _U_, 2351 uint32_t proto _U_, int depth _U_) 2352 { 2353 ND_TCHECK_SIZE(ext); 2354 ikev2_pay_print(ndo, "nonce", GET_U_1(ext->critical)); 2355 2356 /* 2357 * Our caller has ensured that the length is >= 4. 2358 */ 2359 ND_PRINT(" len=%u", item_len - 4); 2360 if (1 < ndo->ndo_vflag && 4 < item_len) { 2361 ND_PRINT(" nonce=("); 2362 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4)) 2363 goto trunc; 2364 ND_PRINT(") "); 2365 } else if(ndo->ndo_vflag && 4 < item_len) { 2366 if(!ike_show_somedata(ndo, (const u_char *)(ext+1), ep)) goto trunc; 2367 } 2368 2369 return (const u_char *)ext + item_len; 2370 trunc: 2371 ND_PRINT(" [|%s]", NPSTR(tpay)); 2372 return NULL; 2373 } 2374 2375 /* notify payloads */ 2376 static const u_char * 2377 ikev2_n_print(netdissect_options *ndo, u_char tpay _U_, 2378 const struct isakmp_gen *ext, 2379 u_int item_len, const u_char *ep, 2380 uint32_t phase _U_, uint32_t doi _U_, 2381 uint32_t proto _U_, int depth _U_) 2382 { 2383 const struct ikev2_n *p; 2384 uint16_t type; 2385 uint8_t spi_size; 2386 const u_char *cp; 2387 u_char showspi, showsomedata; 2388 const char *notify_name; 2389 2390 p = (const struct ikev2_n *)ext; 2391 ND_TCHECK_SIZE(p); 2392 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_N), GET_U_1(p->h.critical)); 2393 2394 showspi = 1; 2395 showsomedata=0; 2396 notify_name=NULL; 2397 2398 ND_PRINT(" prot_id=%s", PROTOIDSTR(GET_U_1(p->prot_id))); 2399 2400 type = GET_BE_U_2(p->type); 2401 2402 /* notify space is annoying sparse */ 2403 switch(type) { 2404 case IV2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD: 2405 notify_name = "unsupported_critical_payload"; 2406 showspi = 0; 2407 break; 2408 2409 case IV2_NOTIFY_INVALID_IKE_SPI: 2410 notify_name = "invalid_ike_spi"; 2411 showspi = 1; 2412 break; 2413 2414 case IV2_NOTIFY_INVALID_MAJOR_VERSION: 2415 notify_name = "invalid_major_version"; 2416 showspi = 0; 2417 break; 2418 2419 case IV2_NOTIFY_INVALID_SYNTAX: 2420 notify_name = "invalid_syntax"; 2421 showspi = 1; 2422 break; 2423 2424 case IV2_NOTIFY_INVALID_MESSAGE_ID: 2425 notify_name = "invalid_message_id"; 2426 showspi = 1; 2427 break; 2428 2429 case IV2_NOTIFY_INVALID_SPI: 2430 notify_name = "invalid_spi"; 2431 showspi = 1; 2432 break; 2433 2434 case IV2_NOTIFY_NO_PROPOSAL_CHOSEN: 2435 notify_name = "no_protocol_chosen"; 2436 showspi = 1; 2437 break; 2438 2439 case IV2_NOTIFY_INVALID_KE_PAYLOAD: 2440 notify_name = "invalid_ke_payload"; 2441 showspi = 1; 2442 break; 2443 2444 case IV2_NOTIFY_AUTHENTICATION_FAILED: 2445 notify_name = "authentication_failed"; 2446 showspi = 1; 2447 break; 2448 2449 case IV2_NOTIFY_SINGLE_PAIR_REQUIRED: 2450 notify_name = "single_pair_required"; 2451 showspi = 1; 2452 break; 2453 2454 case IV2_NOTIFY_NO_ADDITIONAL_SAS: 2455 notify_name = "no_additional_sas"; 2456 showspi = 0; 2457 break; 2458 2459 case IV2_NOTIFY_INTERNAL_ADDRESS_FAILURE: 2460 notify_name = "internal_address_failure"; 2461 showspi = 0; 2462 break; 2463 2464 case IV2_NOTIFY_FAILED_CP_REQUIRED: 2465 notify_name = "failed:cp_required"; 2466 showspi = 0; 2467 break; 2468 2469 case IV2_NOTIFY_INVALID_SELECTORS: 2470 notify_name = "invalid_selectors"; 2471 showspi = 0; 2472 break; 2473 2474 case IV2_NOTIFY_INITIAL_CONTACT: 2475 notify_name = "initial_contact"; 2476 showspi = 0; 2477 break; 2478 2479 case IV2_NOTIFY_SET_WINDOW_SIZE: 2480 notify_name = "set_window_size"; 2481 showspi = 0; 2482 break; 2483 2484 case IV2_NOTIFY_ADDITIONAL_TS_POSSIBLE: 2485 notify_name = "additional_ts_possible"; 2486 showspi = 0; 2487 break; 2488 2489 case IV2_NOTIFY_IPCOMP_SUPPORTED: 2490 notify_name = "ipcomp_supported"; 2491 showspi = 0; 2492 break; 2493 2494 case IV2_NOTIFY_NAT_DETECTION_SOURCE_IP: 2495 notify_name = "nat_detection_source_ip"; 2496 showspi = 1; 2497 break; 2498 2499 case IV2_NOTIFY_NAT_DETECTION_DESTINATION_IP: 2500 notify_name = "nat_detection_destination_ip"; 2501 showspi = 1; 2502 break; 2503 2504 case IV2_NOTIFY_COOKIE: 2505 notify_name = "cookie"; 2506 showspi = 1; 2507 showsomedata= 1; 2508 break; 2509 2510 case IV2_NOTIFY_USE_TRANSPORT_MODE: 2511 notify_name = "use_transport_mode"; 2512 showspi = 0; 2513 break; 2514 2515 case IV2_NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED: 2516 notify_name = "http_cert_lookup_supported"; 2517 showspi = 0; 2518 break; 2519 2520 case IV2_NOTIFY_REKEY_SA: 2521 notify_name = "rekey_sa"; 2522 showspi = 1; 2523 break; 2524 2525 case IV2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED: 2526 notify_name = "tfc_padding_not_supported"; 2527 showspi = 0; 2528 break; 2529 2530 case IV2_NOTIFY_NON_FIRST_FRAGMENTS_ALSO: 2531 notify_name = "non_first_fragment_also"; 2532 showspi = 0; 2533 break; 2534 2535 default: 2536 if (type < 8192) { 2537 notify_name="error"; 2538 } else if(type < 16384) { 2539 notify_name="private-error"; 2540 } else if(type < 40960) { 2541 notify_name="status"; 2542 } else { 2543 notify_name="private-status"; 2544 } 2545 } 2546 2547 if(notify_name) { 2548 ND_PRINT(" type=%u(%s)", type, notify_name); 2549 } 2550 2551 2552 spi_size = GET_U_1(p->spi_size); 2553 if (showspi && spi_size) { 2554 ND_PRINT(" spi="); 2555 if (!rawprint(ndo, (const uint8_t *)(p + 1), spi_size)) 2556 goto trunc; 2557 } 2558 2559 cp = (const u_char *)(p + 1) + spi_size; 2560 2561 if (cp < ep) { 2562 if (ndo->ndo_vflag > 3 || (showsomedata && ep-cp < 30)) { 2563 ND_PRINT(" data=("); 2564 if (!rawprint(ndo, (const uint8_t *)(cp), ep - cp)) 2565 goto trunc; 2566 2567 ND_PRINT(")"); 2568 } else if (showsomedata) { 2569 if (!ike_show_somedata(ndo, cp, ep)) 2570 goto trunc; 2571 } 2572 } 2573 2574 return (const u_char *)ext + item_len; 2575 trunc: 2576 ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_N)); 2577 return NULL; 2578 } 2579 2580 static const u_char * 2581 ikev2_d_print(netdissect_options *ndo, u_char tpay, 2582 const struct isakmp_gen *ext, 2583 u_int item_len, const u_char *ep _U_, 2584 uint32_t phase _U_, uint32_t doi _U_, 2585 uint32_t proto _U_, int depth _U_) 2586 { 2587 return ikev2_gen_print(ndo, tpay, ext, item_len); 2588 } 2589 2590 static const u_char * 2591 ikev2_vid_print(netdissect_options *ndo, u_char tpay, 2592 const struct isakmp_gen *ext, 2593 u_int item_len, const u_char *ep _U_, 2594 uint32_t phase _U_, uint32_t doi _U_, 2595 uint32_t proto _U_, int depth _U_) 2596 { 2597 const u_char *vid; 2598 u_int i, len; 2599 2600 ND_TCHECK_SIZE(ext); 2601 ikev2_pay_print(ndo, NPSTR(tpay), GET_U_1(ext->critical)); 2602 2603 /* 2604 * Our caller has ensured that the length is >= 4. 2605 */ 2606 ND_PRINT(" len=%u vid=", item_len - 4); 2607 2608 vid = (const u_char *)(ext+1); 2609 len = item_len - 4; 2610 ND_TCHECK_LEN(vid, len); 2611 for(i=0; i<len; i++) { 2612 if(ND_ASCII_ISPRINT(GET_U_1(vid + i))) 2613 ND_PRINT("%c", GET_U_1(vid + i)); 2614 else ND_PRINT("."); 2615 } 2616 if (2 < ndo->ndo_vflag && 4 < len) { 2617 /* Print the entire payload in hex */ 2618 ND_PRINT(" "); 2619 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4)) 2620 goto trunc; 2621 } 2622 return (const u_char *)ext + item_len; 2623 trunc: 2624 ND_PRINT(" [|%s]", NPSTR(tpay)); 2625 return NULL; 2626 } 2627 2628 static const u_char * 2629 ikev2_TS_print(netdissect_options *ndo, u_char tpay, 2630 const struct isakmp_gen *ext, 2631 u_int item_len, const u_char *ep _U_, 2632 uint32_t phase _U_, uint32_t doi _U_, 2633 uint32_t proto _U_, int depth _U_) 2634 { 2635 return ikev2_gen_print(ndo, tpay, ext, item_len); 2636 } 2637 2638 static const u_char * 2639 ikev2_e_print(netdissect_options *ndo, 2640 #ifndef HAVE_LIBCRYPTO 2641 _U_ 2642 #endif 2643 const struct isakmp *base, 2644 u_char tpay, 2645 const struct isakmp_gen *ext, 2646 u_int item_len, const u_char *ep _U_, 2647 #ifndef HAVE_LIBCRYPTO 2648 _U_ 2649 #endif 2650 uint32_t phase, 2651 #ifndef HAVE_LIBCRYPTO 2652 _U_ 2653 #endif 2654 uint32_t doi, 2655 #ifndef HAVE_LIBCRYPTO 2656 _U_ 2657 #endif 2658 uint32_t proto, 2659 #ifndef HAVE_LIBCRYPTO 2660 _U_ 2661 #endif 2662 int depth) 2663 { 2664 const u_char *dat; 2665 u_int dlen; 2666 #ifdef HAVE_LIBCRYPTO 2667 uint8_t np; 2668 #endif 2669 2670 ND_TCHECK_SIZE(ext); 2671 ikev2_pay_print(ndo, NPSTR(tpay), GET_U_1(ext->critical)); 2672 2673 dlen = item_len-4; 2674 2675 ND_PRINT(" len=%u", dlen); 2676 if (2 < ndo->ndo_vflag && 4 < dlen) { 2677 ND_PRINT(" "); 2678 if (!rawprint(ndo, (const uint8_t *)(ext + 1), dlen)) 2679 goto trunc; 2680 } 2681 2682 dat = (const u_char *)(ext+1); 2683 ND_TCHECK_LEN(dat, dlen); 2684 2685 #ifdef HAVE_LIBCRYPTO 2686 np = GET_U_1(ext->np); 2687 2688 /* try to decrypt it! */ 2689 if(esp_decrypt_buffer_by_ikev2_print(ndo, 2690 GET_U_1(base->flags) & ISAKMP_FLAG_I, 2691 base->i_ck, base->r_ck, 2692 dat, dat+dlen)) { 2693 2694 ext = (const struct isakmp_gen *)ndo->ndo_packetp; 2695 2696 /* got it decrypted, print stuff inside. */ 2697 ikev2_sub_print(ndo, base, np, ext, 2698 ndo->ndo_snapend, phase, doi, proto, depth+1); 2699 2700 /* 2701 * esp_decrypt_buffer_by_ikev2_print pushed information 2702 * on the buffer stack; we're done with the buffer, so 2703 * pop it (which frees the buffer) 2704 */ 2705 nd_pop_packet_info(ndo); 2706 } 2707 #endif 2708 2709 2710 /* always return NULL, because E must be at end, and NP refers 2711 * to what was inside. 2712 */ 2713 return NULL; 2714 trunc: 2715 ND_PRINT(" [|%s]", NPSTR(tpay)); 2716 return NULL; 2717 } 2718 2719 static const u_char * 2720 ikev2_cp_print(netdissect_options *ndo, u_char tpay, 2721 const struct isakmp_gen *ext, 2722 u_int item_len, const u_char *ep _U_, 2723 uint32_t phase _U_, uint32_t doi _U_, 2724 uint32_t proto _U_, int depth _U_) 2725 { 2726 return ikev2_gen_print(ndo, tpay, ext, item_len); 2727 } 2728 2729 static const u_char * 2730 ikev2_eap_print(netdissect_options *ndo, u_char tpay, 2731 const struct isakmp_gen *ext, 2732 u_int item_len, const u_char *ep _U_, 2733 uint32_t phase _U_, uint32_t doi _U_, 2734 uint32_t proto _U_, int depth _U_) 2735 { 2736 return ikev2_gen_print(ndo, tpay, ext, item_len); 2737 } 2738 2739 static const u_char * 2740 ike_sub0_print(netdissect_options *ndo, 2741 u_char np, const struct isakmp_gen *ext, const u_char *ep, 2742 2743 uint32_t phase, uint32_t doi, uint32_t proto, int depth) 2744 { 2745 const u_char *cp; 2746 u_int item_len; 2747 2748 cp = (const u_char *)ext; 2749 ND_TCHECK_SIZE(ext); 2750 2751 /* 2752 * Since we can't have a payload length of less than 4 bytes, 2753 * we need to bail out here if the generic header is nonsensical 2754 * or truncated, otherwise we could loop forever processing 2755 * zero-length items or otherwise misdissect the packet. 2756 */ 2757 item_len = GET_BE_U_2(ext->len); 2758 if (item_len <= 4) 2759 return NULL; 2760 2761 if (NPFUNC(np)) { 2762 /* 2763 * XXX - what if item_len is too short, or too long, 2764 * for this payload type? 2765 */ 2766 cp = (*npfunc[np])(ndo, np, ext, item_len, ep, phase, doi, proto, depth); 2767 } else { 2768 ND_PRINT("%s", NPSTR(np)); 2769 cp += item_len; 2770 } 2771 2772 return cp; 2773 trunc: 2774 nd_print_trunc(ndo); 2775 return NULL; 2776 } 2777 2778 static const u_char * 2779 ikev1_sub_print(netdissect_options *ndo, 2780 u_char np, const struct isakmp_gen *ext, const u_char *ep, 2781 uint32_t phase, uint32_t doi, uint32_t proto, int depth) 2782 { 2783 const u_char *cp; 2784 int i; 2785 u_int item_len; 2786 2787 cp = (const u_char *)ext; 2788 2789 while (np) { 2790 ND_TCHECK_SIZE(ext); 2791 2792 item_len = GET_BE_U_2(ext->len); 2793 ND_TCHECK_LEN(ext, item_len); 2794 2795 depth++; 2796 ND_PRINT("\n"); 2797 for (i = 0; i < depth; i++) 2798 ND_PRINT(" "); 2799 ND_PRINT("("); 2800 cp = ike_sub0_print(ndo, np, ext, ep, phase, doi, proto, depth); 2801 ND_PRINT(")"); 2802 depth--; 2803 2804 if (cp == NULL) { 2805 /* Zero-length subitem */ 2806 return NULL; 2807 } 2808 2809 np = GET_U_1(ext->np); 2810 ext = (const struct isakmp_gen *)cp; 2811 } 2812 return cp; 2813 trunc: 2814 ND_PRINT(" [|%s]", NPSTR(np)); 2815 return NULL; 2816 } 2817 2818 static char * 2819 numstr(u_int x) 2820 { 2821 static char buf[20]; 2822 snprintf(buf, sizeof(buf), "#%u", x); 2823 return buf; 2824 } 2825 2826 static void 2827 ikev1_print(netdissect_options *ndo, 2828 const u_char *bp, u_int length, 2829 const u_char *bp2, const struct isakmp *base) 2830 { 2831 const struct isakmp *p; 2832 const u_char *ep; 2833 u_int flags; 2834 u_char np; 2835 int i; 2836 u_int phase; 2837 2838 p = (const struct isakmp *)bp; 2839 ep = ndo->ndo_snapend; 2840 2841 phase = (GET_BE_U_4(base->msgid) == 0) ? 1 : 2; 2842 if (phase == 1) 2843 ND_PRINT(" phase %u", phase); 2844 else 2845 ND_PRINT(" phase %u/others", phase); 2846 2847 i = cookie_find(&base->i_ck); 2848 if (i < 0) { 2849 if (iszero(ndo, base->r_ck, sizeof(base->r_ck))) { 2850 /* the first packet */ 2851 ND_PRINT(" I"); 2852 if (bp2) 2853 cookie_record(ndo, &base->i_ck, bp2); 2854 } else 2855 ND_PRINT(" ?"); 2856 } else { 2857 if (bp2 && cookie_isinitiator(ndo, i, bp2)) 2858 ND_PRINT(" I"); 2859 else if (bp2 && cookie_isresponder(ndo, i, bp2)) 2860 ND_PRINT(" R"); 2861 else 2862 ND_PRINT(" ?"); 2863 } 2864 2865 ND_PRINT(" %s", ETYPESTR(GET_U_1(base->etype))); 2866 flags = GET_U_1(base->flags); 2867 if (flags) { 2868 ND_PRINT("[%s%s]", flags & ISAKMP_FLAG_E ? "E" : "", 2869 flags & ISAKMP_FLAG_C ? "C" : ""); 2870 } 2871 2872 if (ndo->ndo_vflag) { 2873 const struct isakmp_gen *ext; 2874 2875 ND_PRINT(":"); 2876 2877 np = GET_U_1(base->np); 2878 2879 /* regardless of phase... */ 2880 if (flags & ISAKMP_FLAG_E) { 2881 /* 2882 * encrypted, nothing we can do right now. 2883 * we hope to decrypt the packet in the future... 2884 */ 2885 ND_PRINT(" [encrypted %s]", NPSTR(np)); 2886 goto done; 2887 } 2888 2889 CHECKLEN(p + 1, np); 2890 ext = (const struct isakmp_gen *)(p + 1); 2891 ikev1_sub_print(ndo, np, ext, ep, phase, 0, 0, 0); 2892 } 2893 2894 done: 2895 if (ndo->ndo_vflag) { 2896 if (GET_BE_U_4(base->len) != length) { 2897 ND_PRINT(" (len mismatch: isakmp %u/ip %u)", 2898 GET_BE_U_4(base->len), length); 2899 } 2900 } 2901 } 2902 2903 static const u_char * 2904 ikev2_sub0_print(netdissect_options *ndo, const struct isakmp *base, 2905 u_char np, 2906 const struct isakmp_gen *ext, const u_char *ep, 2907 uint32_t phase, uint32_t doi, uint32_t proto, int depth) 2908 { 2909 const u_char *cp; 2910 u_int item_len; 2911 2912 cp = (const u_char *)ext; 2913 ND_TCHECK_SIZE(ext); 2914 2915 /* 2916 * Since we can't have a payload length of less than 4 bytes, 2917 * we need to bail out here if the generic header is nonsensical 2918 * or truncated, otherwise we could loop forever processing 2919 * zero-length items or otherwise misdissect the packet. 2920 */ 2921 item_len = GET_BE_U_2(ext->len); 2922 if (item_len <= 4) 2923 return NULL; 2924 2925 if (np == ISAKMP_NPTYPE_v2E) { 2926 cp = ikev2_e_print(ndo, base, np, ext, item_len, 2927 ep, phase, doi, proto, depth); 2928 } else if (NPFUNC(np)) { 2929 /* 2930 * XXX - what if item_len is too short, or too long, 2931 * for this payload type? 2932 */ 2933 cp = (*npfunc[np])(ndo, np, ext, item_len, 2934 ep, phase, doi, proto, depth); 2935 } else { 2936 ND_PRINT("%s", NPSTR(np)); 2937 cp += item_len; 2938 } 2939 2940 return cp; 2941 trunc: 2942 nd_print_trunc(ndo); 2943 return NULL; 2944 } 2945 2946 static const u_char * 2947 ikev2_sub_print(netdissect_options *ndo, 2948 const struct isakmp *base, 2949 u_char np, const struct isakmp_gen *ext, const u_char *ep, 2950 uint32_t phase, uint32_t doi, uint32_t proto, int depth) 2951 { 2952 const u_char *cp; 2953 int i; 2954 2955 cp = (const u_char *)ext; 2956 while (np) { 2957 ND_TCHECK_SIZE(ext); 2958 2959 ND_TCHECK_LEN(ext, GET_BE_U_2(ext->len)); 2960 2961 depth++; 2962 ND_PRINT("\n"); 2963 for (i = 0; i < depth; i++) 2964 ND_PRINT(" "); 2965 ND_PRINT("("); 2966 cp = ikev2_sub0_print(ndo, base, np, 2967 ext, ep, phase, doi, proto, depth); 2968 ND_PRINT(")"); 2969 depth--; 2970 2971 if (cp == NULL) { 2972 /* Zero-length subitem */ 2973 return NULL; 2974 } 2975 2976 np = GET_U_1(ext->np); 2977 ext = (const struct isakmp_gen *)cp; 2978 } 2979 return cp; 2980 trunc: 2981 ND_PRINT(" [|%s]", NPSTR(np)); 2982 return NULL; 2983 } 2984 2985 static void 2986 ikev2_print(netdissect_options *ndo, 2987 const u_char *bp, u_int length, 2988 const u_char *bp2 _U_, const struct isakmp *base) 2989 { 2990 const struct isakmp *p; 2991 const u_char *ep; 2992 uint8_t flags; 2993 u_char np; 2994 u_int phase; 2995 2996 p = (const struct isakmp *)bp; 2997 ep = ndo->ndo_snapend; 2998 2999 phase = (GET_BE_U_4(base->msgid) == 0) ? 1 : 2; 3000 if (phase == 1) 3001 ND_PRINT(" parent_sa"); 3002 else 3003 ND_PRINT(" child_sa "); 3004 3005 ND_PRINT(" %s", ETYPESTR(GET_U_1(base->etype))); 3006 flags = GET_U_1(base->flags); 3007 if (flags) { 3008 ND_PRINT("[%s%s%s]", 3009 flags & ISAKMP_FLAG_I ? "I" : "", 3010 flags & ISAKMP_FLAG_V ? "V" : "", 3011 flags & ISAKMP_FLAG_R ? "R" : ""); 3012 } 3013 3014 if (ndo->ndo_vflag) { 3015 const struct isakmp_gen *ext; 3016 3017 ND_PRINT(":"); 3018 3019 np = GET_U_1(base->np); 3020 3021 /* regardless of phase... */ 3022 if (flags & ISAKMP_FLAG_E) { 3023 /* 3024 * encrypted, nothing we can do right now. 3025 * we hope to decrypt the packet in the future... 3026 */ 3027 ND_PRINT(" [encrypted %s]", NPSTR(np)); 3028 goto done; 3029 } 3030 3031 CHECKLEN(p + 1, np) 3032 ext = (const struct isakmp_gen *)(p + 1); 3033 ikev2_sub_print(ndo, base, np, ext, ep, phase, 0, 0, 0); 3034 } 3035 3036 done: 3037 if (ndo->ndo_vflag) { 3038 if (GET_BE_U_4(base->len) != length) { 3039 ND_PRINT(" (len mismatch: isakmp %u/ip %u)", 3040 GET_BE_U_4(base->len), length); 3041 } 3042 } 3043 } 3044 3045 void 3046 isakmp_print(netdissect_options *ndo, 3047 const u_char *bp, u_int length, 3048 const u_char *bp2) 3049 { 3050 const struct isakmp *p; 3051 const u_char *ep; 3052 u_int major, minor; 3053 3054 ndo->ndo_protocol = "isakmp"; 3055 #ifdef HAVE_LIBCRYPTO 3056 /* initialize SAs */ 3057 if (ndo->ndo_sa_list_head == NULL) { 3058 if (ndo->ndo_espsecret) 3059 esp_decodesecret_print(ndo); 3060 } 3061 #endif 3062 3063 p = (const struct isakmp *)bp; 3064 ep = ndo->ndo_snapend; 3065 3066 if ((const struct isakmp *)ep < p + 1) { 3067 nd_print_trunc(ndo); 3068 return; 3069 } 3070 3071 ND_PRINT("isakmp"); 3072 major = (GET_U_1(p->vers) & ISAKMP_VERS_MAJOR) 3073 >> ISAKMP_VERS_MAJOR_SHIFT; 3074 minor = (GET_U_1(p->vers) & ISAKMP_VERS_MINOR) 3075 >> ISAKMP_VERS_MINOR_SHIFT; 3076 3077 if (ndo->ndo_vflag) { 3078 ND_PRINT(" %u.%u", major, minor); 3079 } 3080 3081 if (ndo->ndo_vflag) { 3082 ND_PRINT(" msgid "); 3083 hexprint(ndo, p->msgid, sizeof(p->msgid)); 3084 } 3085 3086 if (1 < ndo->ndo_vflag) { 3087 ND_PRINT(" cookie "); 3088 hexprint(ndo, p->i_ck, sizeof(p->i_ck)); 3089 ND_PRINT("->"); 3090 hexprint(ndo, p->r_ck, sizeof(p->r_ck)); 3091 } 3092 ND_PRINT(":"); 3093 3094 switch(major) { 3095 case IKEv1_MAJOR_VERSION: 3096 ikev1_print(ndo, bp, length, bp2, p); 3097 break; 3098 3099 case IKEv2_MAJOR_VERSION: 3100 ikev2_print(ndo, bp, length, bp2, p); 3101 break; 3102 } 3103 } 3104 3105 void 3106 isakmp_rfc3948_print(netdissect_options *ndo, 3107 const u_char *bp, u_int length, 3108 const u_char *bp2, int ver, int fragmented, u_int ttl_hl) 3109 { 3110 ndo->ndo_protocol = "isakmp_rfc3948"; 3111 if(length == 1 && GET_U_1(bp)==0xff) { 3112 ND_PRINT("isakmp-nat-keep-alive"); 3113 return; 3114 } 3115 3116 if(length < 4) { 3117 goto trunc; 3118 } 3119 3120 /* 3121 * see if this is an IKE packet 3122 */ 3123 if (GET_BE_U_4(bp) == 0) { 3124 ND_PRINT("NONESP-encap: "); 3125 isakmp_print(ndo, bp+4, length-4, bp2); 3126 return; 3127 } 3128 3129 /* must be an ESP packet */ 3130 { 3131 ND_PRINT("UDP-encap: "); 3132 3133 esp_print(ndo, bp, length, bp2, ver, fragmented, ttl_hl); 3134 3135 /* 3136 * Either this has decrypted the payload and 3137 * printed it, in which case there's nothing more 3138 * to do, or it hasn't, in which case there's 3139 * nothing more to do. 3140 */ 3141 return; 3142 } 3143 3144 trunc: 3145 nd_print_trunc(ndo); 3146 } 3147