1 /* 2 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. Neither the name of the project nor the names of its contributors 14 * may be used to endorse or promote products derived from this software 15 * without specific prior written permission. 16 * 17 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27 * SUCH DAMAGE. 28 * 29 */ 30 31 #include <sys/cdefs.h> 32 #ifndef lint 33 __RCSID("$NetBSD: print-isakmp.c,v 1.9 2017/02/05 04:05:05 spz Exp $"); 34 #endif 35 36 /* \summary: Internet Security Association and Key Management Protocol (ISAKMP) printer */ 37 38 #ifdef HAVE_CONFIG_H 39 #include "config.h" 40 #endif 41 42 /* The functions from print-esp.c used in this file are only defined when both 43 * OpenSSL and evp.h are detected. Employ the same preprocessor device here. 44 */ 45 #ifndef HAVE_OPENSSL_EVP_H 46 #undef HAVE_LIBCRYPTO 47 #endif 48 49 #include <netdissect-stdinc.h> 50 51 #include <string.h> 52 53 #include "netdissect.h" 54 #include "addrtoname.h" 55 #include "extract.h" 56 57 #include "ip.h" 58 #include "ip6.h" 59 60 /* refer to RFC 2408 */ 61 62 typedef u_char cookie_t[8]; 63 typedef u_char msgid_t[4]; 64 65 #define PORT_ISAKMP 500 66 67 /* 3.1 ISAKMP Header Format (IKEv1 and IKEv2) 68 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 69 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 70 ! Initiator ! 71 ! Cookie ! 72 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 73 ! Responder ! 74 ! Cookie ! 75 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 76 ! Next Payload ! MjVer ! MnVer ! Exchange Type ! Flags ! 77 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 78 ! Message ID ! 79 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 80 ! Length ! 81 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 82 */ 83 struct isakmp { 84 cookie_t i_ck; /* Initiator Cookie */ 85 cookie_t r_ck; /* Responder Cookie */ 86 uint8_t np; /* Next Payload Type */ 87 uint8_t vers; 88 #define ISAKMP_VERS_MAJOR 0xf0 89 #define ISAKMP_VERS_MAJOR_SHIFT 4 90 #define ISAKMP_VERS_MINOR 0x0f 91 #define ISAKMP_VERS_MINOR_SHIFT 0 92 uint8_t etype; /* Exchange Type */ 93 uint8_t flags; /* Flags */ 94 msgid_t msgid; 95 uint32_t len; /* Length */ 96 }; 97 98 /* Next Payload Type */ 99 #define ISAKMP_NPTYPE_NONE 0 /* NONE*/ 100 #define ISAKMP_NPTYPE_SA 1 /* Security Association */ 101 #define ISAKMP_NPTYPE_P 2 /* Proposal */ 102 #define ISAKMP_NPTYPE_T 3 /* Transform */ 103 #define ISAKMP_NPTYPE_KE 4 /* Key Exchange */ 104 #define ISAKMP_NPTYPE_ID 5 /* Identification */ 105 #define ISAKMP_NPTYPE_CERT 6 /* Certificate */ 106 #define ISAKMP_NPTYPE_CR 7 /* Certificate Request */ 107 #define ISAKMP_NPTYPE_HASH 8 /* Hash */ 108 #define ISAKMP_NPTYPE_SIG 9 /* Signature */ 109 #define ISAKMP_NPTYPE_NONCE 10 /* Nonce */ 110 #define ISAKMP_NPTYPE_N 11 /* Notification */ 111 #define ISAKMP_NPTYPE_D 12 /* Delete */ 112 #define ISAKMP_NPTYPE_VID 13 /* Vendor ID */ 113 #define ISAKMP_NPTYPE_v2E 46 /* v2 Encrypted payload */ 114 115 #define IKEv1_MAJOR_VERSION 1 116 #define IKEv1_MINOR_VERSION 0 117 118 #define IKEv2_MAJOR_VERSION 2 119 #define IKEv2_MINOR_VERSION 0 120 121 /* Flags */ 122 #define ISAKMP_FLAG_E 0x01 /* Encryption Bit */ 123 #define ISAKMP_FLAG_C 0x02 /* Commit Bit */ 124 #define ISAKMP_FLAG_extra 0x04 125 126 /* IKEv2 */ 127 #define ISAKMP_FLAG_I (1 << 3) /* (I)nitiator */ 128 #define ISAKMP_FLAG_V (1 << 4) /* (V)ersion */ 129 #define ISAKMP_FLAG_R (1 << 5) /* (R)esponse */ 130 131 132 /* 3.2 Payload Generic Header 133 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 134 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 135 ! Next Payload ! RESERVED ! Payload Length ! 136 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 137 */ 138 struct isakmp_gen { 139 uint8_t np; /* Next Payload */ 140 uint8_t critical; /* bit 7 - critical, rest is RESERVED */ 141 uint16_t len; /* Payload Length */ 142 }; 143 144 /* 3.3 Data Attributes 145 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 146 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 147 !A! Attribute Type ! AF=0 Attribute Length ! 148 !F! ! AF=1 Attribute Value ! 149 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 150 . AF=0 Attribute Value . 151 . AF=1 Not Transmitted . 152 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 153 */ 154 struct isakmp_data { 155 uint16_t type; /* defined by DOI-spec, and Attribute Format */ 156 uint16_t lorv; /* if f equal 1, Attribute Length */ 157 /* if f equal 0, Attribute Value */ 158 /* if f equal 1, Attribute Value */ 159 }; 160 161 /* 3.4 Security Association Payload */ 162 /* MAY NOT be used, because of being defined in ipsec-doi. */ 163 /* 164 If the current payload is the last in the message, 165 then the value of the next payload field will be 0. 166 This field MUST NOT contain the 167 values for the Proposal or Transform payloads as they are considered 168 part of the security association negotiation. For example, this 169 field would contain the value "10" (Nonce payload) in the first 170 message of a Base Exchange (see Section 4.4) and the value "0" in the 171 first message of an Identity Protect Exchange (see Section 4.5). 172 */ 173 struct ikev1_pl_sa { 174 struct isakmp_gen h; 175 uint32_t doi; /* Domain of Interpretation */ 176 uint32_t sit; /* Situation */ 177 }; 178 179 /* 3.5 Proposal Payload */ 180 /* 181 The value of the next payload field MUST only contain the value "2" 182 or "0". If there are additional Proposal payloads in the message, 183 then this field will be 2. If the current Proposal payload is the 184 last within the security association proposal, then this field will 185 be 0. 186 */ 187 struct ikev1_pl_p { 188 struct isakmp_gen h; 189 uint8_t p_no; /* Proposal # */ 190 uint8_t prot_id; /* Protocol */ 191 uint8_t spi_size; /* SPI Size */ 192 uint8_t num_t; /* Number of Transforms */ 193 /* SPI */ 194 }; 195 196 /* 3.6 Transform Payload */ 197 /* 198 The value of the next payload field MUST only contain the value "3" 199 or "0". If there are additional Transform payloads in the proposal, 200 then this field will be 3. If the current Transform payload is the 201 last within the proposal, then this field will be 0. 202 */ 203 struct ikev1_pl_t { 204 struct isakmp_gen h; 205 uint8_t t_no; /* Transform # */ 206 uint8_t t_id; /* Transform-Id */ 207 uint16_t reserved; /* RESERVED2 */ 208 /* SA Attributes */ 209 }; 210 211 /* 3.7 Key Exchange Payload */ 212 struct ikev1_pl_ke { 213 struct isakmp_gen h; 214 /* Key Exchange Data */ 215 }; 216 217 /* 3.8 Identification Payload */ 218 /* MUST NOT to be used, because of being defined in ipsec-doi. */ 219 struct ikev1_pl_id { 220 struct isakmp_gen h; 221 union { 222 uint8_t id_type; /* ID Type */ 223 uint32_t doi_data; /* DOI Specific ID Data */ 224 } d; 225 /* Identification Data */ 226 }; 227 228 /* 3.9 Certificate Payload */ 229 struct ikev1_pl_cert { 230 struct isakmp_gen h; 231 uint8_t encode; /* Cert Encoding */ 232 char cert; /* Certificate Data */ 233 /* 234 This field indicates the type of 235 certificate or certificate-related information contained in the 236 Certificate Data field. 237 */ 238 }; 239 240 /* 3.10 Certificate Request Payload */ 241 struct ikev1_pl_cr { 242 struct isakmp_gen h; 243 uint8_t num_cert; /* # Cert. Types */ 244 /* 245 Certificate Types (variable length) 246 -- Contains a list of the types of certificates requested, 247 sorted in order of preference. Each individual certificate 248 type is 1 octet. This field is NOT requiredo 249 */ 250 /* # Certificate Authorities (1 octet) */ 251 /* Certificate Authorities (variable length) */ 252 }; 253 254 /* 3.11 Hash Payload */ 255 /* may not be used, because of having only data. */ 256 struct ikev1_pl_hash { 257 struct isakmp_gen h; 258 /* Hash Data */ 259 }; 260 261 /* 3.12 Signature Payload */ 262 /* may not be used, because of having only data. */ 263 struct ikev1_pl_sig { 264 struct isakmp_gen h; 265 /* Signature Data */ 266 }; 267 268 /* 3.13 Nonce Payload */ 269 /* may not be used, because of having only data. */ 270 struct ikev1_pl_nonce { 271 struct isakmp_gen h; 272 /* Nonce Data */ 273 }; 274 275 /* 3.14 Notification Payload */ 276 struct ikev1_pl_n { 277 struct isakmp_gen h; 278 uint32_t doi; /* Domain of Interpretation */ 279 uint8_t prot_id; /* Protocol-ID */ 280 uint8_t spi_size; /* SPI Size */ 281 uint16_t type; /* Notify Message Type */ 282 /* SPI */ 283 /* Notification Data */ 284 }; 285 286 /* 3.14.1 Notify Message Types */ 287 /* NOTIFY MESSAGES - ERROR TYPES */ 288 #define ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE 1 289 #define ISAKMP_NTYPE_DOI_NOT_SUPPORTED 2 290 #define ISAKMP_NTYPE_SITUATION_NOT_SUPPORTED 3 291 #define ISAKMP_NTYPE_INVALID_COOKIE 4 292 #define ISAKMP_NTYPE_INVALID_MAJOR_VERSION 5 293 #define ISAKMP_NTYPE_INVALID_MINOR_VERSION 6 294 #define ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE 7 295 #define ISAKMP_NTYPE_INVALID_FLAGS 8 296 #define ISAKMP_NTYPE_INVALID_MESSAGE_ID 9 297 #define ISAKMP_NTYPE_INVALID_PROTOCOL_ID 10 298 #define ISAKMP_NTYPE_INVALID_SPI 11 299 #define ISAKMP_NTYPE_INVALID_TRANSFORM_ID 12 300 #define ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED 13 301 #define ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN 14 302 #define ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX 15 303 #define ISAKMP_NTYPE_PAYLOAD_MALFORMED 16 304 #define ISAKMP_NTYPE_INVALID_KEY_INFORMATION 17 305 #define ISAKMP_NTYPE_INVALID_ID_INFORMATION 18 306 #define ISAKMP_NTYPE_INVALID_CERT_ENCODING 19 307 #define ISAKMP_NTYPE_INVALID_CERTIFICATE 20 308 #define ISAKMP_NTYPE_BAD_CERT_REQUEST_SYNTAX 21 309 #define ISAKMP_NTYPE_INVALID_CERT_AUTHORITY 22 310 #define ISAKMP_NTYPE_INVALID_HASH_INFORMATION 23 311 #define ISAKMP_NTYPE_AUTHENTICATION_FAILED 24 312 #define ISAKMP_NTYPE_INVALID_SIGNATURE 25 313 #define ISAKMP_NTYPE_ADDRESS_NOTIFICATION 26 314 315 /* 3.15 Delete Payload */ 316 struct ikev1_pl_d { 317 struct isakmp_gen h; 318 uint32_t doi; /* Domain of Interpretation */ 319 uint8_t prot_id; /* Protocol-Id */ 320 uint8_t spi_size; /* SPI Size */ 321 uint16_t num_spi; /* # of SPIs */ 322 /* SPI(es) */ 323 }; 324 325 struct ikev1_ph1tab { 326 struct ikev1_ph1 *head; 327 struct ikev1_ph1 *tail; 328 int len; 329 }; 330 331 struct isakmp_ph2tab { 332 struct ikev1_ph2 *head; 333 struct ikev1_ph2 *tail; 334 int len; 335 }; 336 337 /* IKEv2 (RFC4306) */ 338 339 /* 3.3 Security Association Payload -- generic header */ 340 /* 3.3.1. Proposal Substructure */ 341 struct ikev2_p { 342 struct isakmp_gen h; 343 uint8_t p_no; /* Proposal # */ 344 uint8_t prot_id; /* Protocol */ 345 uint8_t spi_size; /* SPI Size */ 346 uint8_t num_t; /* Number of Transforms */ 347 }; 348 349 /* 3.3.2. Transform Substructure */ 350 struct ikev2_t { 351 struct isakmp_gen h; 352 uint8_t t_type; /* Transform Type (ENCR,PRF,INTEG,etc.*/ 353 uint8_t res2; /* reserved byte */ 354 uint16_t t_id; /* Transform ID */ 355 }; 356 357 enum ikev2_t_type { 358 IV2_T_ENCR = 1, 359 IV2_T_PRF = 2, 360 IV2_T_INTEG= 3, 361 IV2_T_DH = 4, 362 IV2_T_ESN = 5 363 }; 364 365 /* 3.4. Key Exchange Payload */ 366 struct ikev2_ke { 367 struct isakmp_gen h; 368 uint16_t ke_group; 369 uint16_t ke_res1; 370 /* KE data */ 371 }; 372 373 374 /* 3.5. Identification Payloads */ 375 enum ikev2_id_type { 376 ID_IPV4_ADDR=1, 377 ID_FQDN=2, 378 ID_RFC822_ADDR=3, 379 ID_IPV6_ADDR=5, 380 ID_DER_ASN1_DN=9, 381 ID_DER_ASN1_GN=10, 382 ID_KEY_ID=11 383 }; 384 struct ikev2_id { 385 struct isakmp_gen h; 386 uint8_t type; /* ID type */ 387 uint8_t res1; 388 uint16_t res2; 389 /* SPI */ 390 /* Notification Data */ 391 }; 392 393 /* 3.10 Notification Payload */ 394 struct ikev2_n { 395 struct isakmp_gen h; 396 uint8_t prot_id; /* Protocol-ID */ 397 uint8_t spi_size; /* SPI Size */ 398 uint16_t type; /* Notify Message Type */ 399 }; 400 401 enum ikev2_n_type { 402 IV2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD = 1, 403 IV2_NOTIFY_INVALID_IKE_SPI = 4, 404 IV2_NOTIFY_INVALID_MAJOR_VERSION = 5, 405 IV2_NOTIFY_INVALID_SYNTAX = 7, 406 IV2_NOTIFY_INVALID_MESSAGE_ID = 9, 407 IV2_NOTIFY_INVALID_SPI =11, 408 IV2_NOTIFY_NO_PROPOSAL_CHOSEN =14, 409 IV2_NOTIFY_INVALID_KE_PAYLOAD =17, 410 IV2_NOTIFY_AUTHENTICATION_FAILED =24, 411 IV2_NOTIFY_SINGLE_PAIR_REQUIRED =34, 412 IV2_NOTIFY_NO_ADDITIONAL_SAS =35, 413 IV2_NOTIFY_INTERNAL_ADDRESS_FAILURE =36, 414 IV2_NOTIFY_FAILED_CP_REQUIRED =37, 415 IV2_NOTIFY_INVALID_SELECTORS =39, 416 IV2_NOTIFY_INITIAL_CONTACT =16384, 417 IV2_NOTIFY_SET_WINDOW_SIZE =16385, 418 IV2_NOTIFY_ADDITIONAL_TS_POSSIBLE =16386, 419 IV2_NOTIFY_IPCOMP_SUPPORTED =16387, 420 IV2_NOTIFY_NAT_DETECTION_SOURCE_IP =16388, 421 IV2_NOTIFY_NAT_DETECTION_DESTINATION_IP =16389, 422 IV2_NOTIFY_COOKIE =16390, 423 IV2_NOTIFY_USE_TRANSPORT_MODE =16391, 424 IV2_NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED =16392, 425 IV2_NOTIFY_REKEY_SA =16393, 426 IV2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED =16394, 427 IV2_NOTIFY_NON_FIRST_FRAGMENTS_ALSO =16395 428 }; 429 430 struct notify_messages { 431 uint16_t type; 432 char *msg; 433 }; 434 435 /* 3.8 Notification Payload */ 436 struct ikev2_auth { 437 struct isakmp_gen h; 438 uint8_t auth_method; /* Protocol-ID */ 439 uint8_t reserved[3]; 440 /* authentication data */ 441 }; 442 443 enum ikev2_auth_type { 444 IV2_RSA_SIG = 1, 445 IV2_SHARED = 2, 446 IV2_DSS_SIG = 3 447 }; 448 449 /* refer to RFC 2409 */ 450 451 #if 0 452 /* isakmp sa structure */ 453 struct oakley_sa { 454 uint8_t proto_id; /* OAKLEY */ 455 vchar_t *spi; /* spi */ 456 uint8_t dhgrp; /* DH; group */ 457 uint8_t auth_t; /* method of authentication */ 458 uint8_t prf_t; /* type of prf */ 459 uint8_t hash_t; /* type of hash */ 460 uint8_t enc_t; /* type of cipher */ 461 uint8_t life_t; /* type of duration of lifetime */ 462 uint32_t ldur; /* life duration */ 463 }; 464 #endif 465 466 /* refer to RFC 2407 */ 467 468 #define IPSEC_DOI 1 469 470 /* 4.2 IPSEC Situation Definition */ 471 #define IPSECDOI_SIT_IDENTITY_ONLY 0x00000001 472 #define IPSECDOI_SIT_SECRECY 0x00000002 473 #define IPSECDOI_SIT_INTEGRITY 0x00000004 474 475 /* 4.4.1 IPSEC Security Protocol Identifiers */ 476 /* 4.4.2 IPSEC ISAKMP Transform Values */ 477 #define IPSECDOI_PROTO_ISAKMP 1 478 #define IPSECDOI_KEY_IKE 1 479 480 /* 4.4.1 IPSEC Security Protocol Identifiers */ 481 #define IPSECDOI_PROTO_IPSEC_AH 2 482 /* 4.4.3 IPSEC AH Transform Values */ 483 #define IPSECDOI_AH_MD5 2 484 #define IPSECDOI_AH_SHA 3 485 #define IPSECDOI_AH_DES 4 486 #define IPSECDOI_AH_SHA2_256 5 487 #define IPSECDOI_AH_SHA2_384 6 488 #define IPSECDOI_AH_SHA2_512 7 489 490 /* 4.4.1 IPSEC Security Protocol Identifiers */ 491 #define IPSECDOI_PROTO_IPSEC_ESP 3 492 /* 4.4.4 IPSEC ESP Transform Identifiers */ 493 #define IPSECDOI_ESP_DES_IV64 1 494 #define IPSECDOI_ESP_DES 2 495 #define IPSECDOI_ESP_3DES 3 496 #define IPSECDOI_ESP_RC5 4 497 #define IPSECDOI_ESP_IDEA 5 498 #define IPSECDOI_ESP_CAST 6 499 #define IPSECDOI_ESP_BLOWFISH 7 500 #define IPSECDOI_ESP_3IDEA 8 501 #define IPSECDOI_ESP_DES_IV32 9 502 #define IPSECDOI_ESP_RC4 10 503 #define IPSECDOI_ESP_NULL 11 504 #define IPSECDOI_ESP_RIJNDAEL 12 505 #define IPSECDOI_ESP_AES 12 506 507 /* 4.4.1 IPSEC Security Protocol Identifiers */ 508 #define IPSECDOI_PROTO_IPCOMP 4 509 /* 4.4.5 IPSEC IPCOMP Transform Identifiers */ 510 #define IPSECDOI_IPCOMP_OUI 1 511 #define IPSECDOI_IPCOMP_DEFLATE 2 512 #define IPSECDOI_IPCOMP_LZS 3 513 514 /* 4.5 IPSEC Security Association Attributes */ 515 #define IPSECDOI_ATTR_SA_LTYPE 1 /* B */ 516 #define IPSECDOI_ATTR_SA_LTYPE_DEFAULT 1 517 #define IPSECDOI_ATTR_SA_LTYPE_SEC 1 518 #define IPSECDOI_ATTR_SA_LTYPE_KB 2 519 #define IPSECDOI_ATTR_SA_LDUR 2 /* V */ 520 #define IPSECDOI_ATTR_SA_LDUR_DEFAULT 28800 /* 8 hours */ 521 #define IPSECDOI_ATTR_GRP_DESC 3 /* B */ 522 #define IPSECDOI_ATTR_ENC_MODE 4 /* B */ 523 /* default value: host dependent */ 524 #define IPSECDOI_ATTR_ENC_MODE_TUNNEL 1 525 #define IPSECDOI_ATTR_ENC_MODE_TRNS 2 526 #define IPSECDOI_ATTR_AUTH 5 /* B */ 527 /* 0 means not to use authentication. */ 528 #define IPSECDOI_ATTR_AUTH_HMAC_MD5 1 529 #define IPSECDOI_ATTR_AUTH_HMAC_SHA1 2 530 #define IPSECDOI_ATTR_AUTH_DES_MAC 3 531 #define IPSECDOI_ATTR_AUTH_KPDK 4 /*RFC-1826(Key/Pad/Data/Key)*/ 532 /* 533 * When negotiating ESP without authentication, the Auth 534 * Algorithm attribute MUST NOT be included in the proposal. 535 * When negotiating ESP without confidentiality, the Auth 536 * Algorithm attribute MUST be included in the proposal and 537 * the ESP transform ID must be ESP_NULL. 538 */ 539 #define IPSECDOI_ATTR_KEY_LENGTH 6 /* B */ 540 #define IPSECDOI_ATTR_KEY_ROUNDS 7 /* B */ 541 #define IPSECDOI_ATTR_COMP_DICT_SIZE 8 /* B */ 542 #define IPSECDOI_ATTR_COMP_PRIVALG 9 /* V */ 543 544 /* 4.6.1 Security Association Payload */ 545 struct ipsecdoi_sa { 546 struct isakmp_gen h; 547 uint32_t doi; /* Domain of Interpretation */ 548 uint32_t sit; /* Situation */ 549 }; 550 551 struct ipsecdoi_secrecy_h { 552 uint16_t len; 553 uint16_t reserved; 554 }; 555 556 /* 4.6.2.1 Identification Type Values */ 557 struct ipsecdoi_id { 558 struct isakmp_gen h; 559 uint8_t type; /* ID Type */ 560 uint8_t proto_id; /* Protocol ID */ 561 uint16_t port; /* Port */ 562 /* Identification Data */ 563 }; 564 565 #define IPSECDOI_ID_IPV4_ADDR 1 566 #define IPSECDOI_ID_FQDN 2 567 #define IPSECDOI_ID_USER_FQDN 3 568 #define IPSECDOI_ID_IPV4_ADDR_SUBNET 4 569 #define IPSECDOI_ID_IPV6_ADDR 5 570 #define IPSECDOI_ID_IPV6_ADDR_SUBNET 6 571 #define IPSECDOI_ID_IPV4_ADDR_RANGE 7 572 #define IPSECDOI_ID_IPV6_ADDR_RANGE 8 573 #define IPSECDOI_ID_DER_ASN1_DN 9 574 #define IPSECDOI_ID_DER_ASN1_GN 10 575 #define IPSECDOI_ID_KEY_ID 11 576 577 /* 4.6.3 IPSEC DOI Notify Message Types */ 578 /* Notify Messages - Status Types */ 579 #define IPSECDOI_NTYPE_RESPONDER_LIFETIME 24576 580 #define IPSECDOI_NTYPE_REPLAY_STATUS 24577 581 #define IPSECDOI_NTYPE_INITIAL_CONTACT 24578 582 583 #define DECLARE_PRINTER(func) static const u_char *ike##func##_print( \ 584 netdissect_options *ndo, u_char tpay, \ 585 const struct isakmp_gen *ext, \ 586 u_int item_len, \ 587 const u_char *end_pointer, \ 588 uint32_t phase,\ 589 uint32_t doi0, \ 590 uint32_t proto0, int depth) 591 592 DECLARE_PRINTER(v1_sa); 593 DECLARE_PRINTER(v1_p); 594 DECLARE_PRINTER(v1_t); 595 DECLARE_PRINTER(v1_ke); 596 DECLARE_PRINTER(v1_id); 597 DECLARE_PRINTER(v1_cert); 598 DECLARE_PRINTER(v1_cr); 599 DECLARE_PRINTER(v1_sig); 600 DECLARE_PRINTER(v1_hash); 601 DECLARE_PRINTER(v1_nonce); 602 DECLARE_PRINTER(v1_n); 603 DECLARE_PRINTER(v1_d); 604 DECLARE_PRINTER(v1_vid); 605 606 DECLARE_PRINTER(v2_sa); 607 DECLARE_PRINTER(v2_ke); 608 DECLARE_PRINTER(v2_ID); 609 DECLARE_PRINTER(v2_cert); 610 DECLARE_PRINTER(v2_cr); 611 DECLARE_PRINTER(v2_auth); 612 DECLARE_PRINTER(v2_nonce); 613 DECLARE_PRINTER(v2_n); 614 DECLARE_PRINTER(v2_d); 615 DECLARE_PRINTER(v2_vid); 616 DECLARE_PRINTER(v2_TS); 617 DECLARE_PRINTER(v2_cp); 618 DECLARE_PRINTER(v2_eap); 619 620 static const u_char *ikev2_e_print(netdissect_options *ndo, 621 struct isakmp *base, 622 u_char tpay, 623 const struct isakmp_gen *ext, 624 u_int item_len, 625 const u_char *end_pointer, 626 uint32_t phase, 627 uint32_t doi0, 628 uint32_t proto0, int depth); 629 630 631 static const u_char *ike_sub0_print(netdissect_options *ndo,u_char, const struct isakmp_gen *, 632 const u_char *, uint32_t, uint32_t, uint32_t, int); 633 static const u_char *ikev1_sub_print(netdissect_options *ndo,u_char, const struct isakmp_gen *, 634 const u_char *, uint32_t, uint32_t, uint32_t, int); 635 636 static const u_char *ikev2_sub_print(netdissect_options *ndo, 637 struct isakmp *base, 638 u_char np, const struct isakmp_gen *ext, 639 const u_char *ep, uint32_t phase, 640 uint32_t doi, uint32_t proto, 641 int depth); 642 643 644 static char *numstr(int); 645 646 static void 647 ikev1_print(netdissect_options *ndo, 648 const u_char *bp, u_int length, 649 const u_char *bp2, struct isakmp *base); 650 651 #define MAXINITIATORS 20 652 static int ninitiator = 0; 653 union inaddr_u { 654 struct in_addr in4; 655 struct in6_addr in6; 656 }; 657 static struct { 658 cookie_t initiator; 659 u_int version; 660 union inaddr_u iaddr; 661 union inaddr_u raddr; 662 } cookiecache[MAXINITIATORS]; 663 664 /* protocol id */ 665 static const char *protoidstr[] = { 666 NULL, "isakmp", "ipsec-ah", "ipsec-esp", "ipcomp", 667 }; 668 669 /* isakmp->np */ 670 static const char *npstr[] = { 671 "none", "sa", "p", "t", "ke", "id", "cert", "cr", "hash", /* 0 - 8 */ 672 "sig", "nonce", "n", "d", "vid", /* 9 - 13 */ 673 "pay14", "pay15", "pay16", "pay17", "pay18", /* 14- 18 */ 674 "pay19", "pay20", "pay21", "pay22", "pay23", /* 19- 23 */ 675 "pay24", "pay25", "pay26", "pay27", "pay28", /* 24- 28 */ 676 "pay29", "pay30", "pay31", "pay32", /* 29- 32 */ 677 "v2sa", "v2ke", "v2IDi", "v2IDr", "v2cert",/* 33- 37 */ 678 "v2cr", "v2auth","v2nonce", "v2n", "v2d", /* 38- 42 */ 679 "v2vid", "v2TSi", "v2TSr", "v2e", "v2cp", /* 43- 47 */ 680 "v2eap", /* 48 */ 681 682 }; 683 684 /* isakmp->np */ 685 static const u_char *(*npfunc[])(netdissect_options *ndo, u_char tpay, 686 const struct isakmp_gen *ext, 687 u_int item_len, 688 const u_char *end_pointer, 689 uint32_t phase, 690 uint32_t doi0, 691 uint32_t proto0, int depth) = { 692 NULL, 693 ikev1_sa_print, 694 ikev1_p_print, 695 ikev1_t_print, 696 ikev1_ke_print, 697 ikev1_id_print, 698 ikev1_cert_print, 699 ikev1_cr_print, 700 ikev1_hash_print, 701 ikev1_sig_print, 702 ikev1_nonce_print, 703 ikev1_n_print, 704 ikev1_d_print, 705 ikev1_vid_print, /* 13 */ 706 NULL, NULL, NULL, NULL, NULL, /* 14- 18 */ 707 NULL, NULL, NULL, NULL, NULL, /* 19- 23 */ 708 NULL, NULL, NULL, NULL, NULL, /* 24- 28 */ 709 NULL, NULL, NULL, NULL, /* 29- 32 */ 710 ikev2_sa_print, /* 33 */ 711 ikev2_ke_print, /* 34 */ 712 ikev2_ID_print, /* 35 */ 713 ikev2_ID_print, /* 36 */ 714 ikev2_cert_print, /* 37 */ 715 ikev2_cr_print, /* 38 */ 716 ikev2_auth_print, /* 39 */ 717 ikev2_nonce_print, /* 40 */ 718 ikev2_n_print, /* 41 */ 719 ikev2_d_print, /* 42 */ 720 ikev2_vid_print, /* 43 */ 721 ikev2_TS_print, /* 44 */ 722 ikev2_TS_print, /* 45 */ 723 NULL, /* ikev2_e_print,*/ /* 46 - special */ 724 ikev2_cp_print, /* 47 */ 725 ikev2_eap_print, /* 48 */ 726 }; 727 728 /* isakmp->etype */ 729 static const char *etypestr[] = { 730 /* IKEv1 exchange types */ 731 "none", "base", "ident", "auth", "agg", "inf", NULL, NULL, /* 0-7 */ 732 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 8-15 */ 733 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 16-23 */ 734 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 24-31 */ 735 "oakley-quick", "oakley-newgroup", /* 32-33 */ 736 /* IKEv2 exchange types */ 737 "ikev2_init", "ikev2_auth", "child_sa", "inf2" /* 34-37 */ 738 }; 739 740 #define STR_OR_ID(x, tab) \ 741 (((x) < sizeof(tab)/sizeof(tab[0]) && tab[(x)]) ? tab[(x)] : numstr(x)) 742 #define PROTOIDSTR(x) STR_OR_ID(x, protoidstr) 743 #define NPSTR(x) STR_OR_ID(x, npstr) 744 #define ETYPESTR(x) STR_OR_ID(x, etypestr) 745 746 #define CHECKLEN(p, np) \ 747 if (ep < (const u_char *)(p)) { \ 748 ND_PRINT((ndo," [|%s]", NPSTR(np))); \ 749 goto done; \ 750 } 751 752 753 #define NPFUNC(x) \ 754 (((x) < sizeof(npfunc)/sizeof(npfunc[0]) && npfunc[(x)]) \ 755 ? npfunc[(x)] : NULL) 756 757 static int 758 iszero(const u_char *p, size_t l) 759 { 760 while (l--) { 761 if (*p++) 762 return 0; 763 } 764 return 1; 765 } 766 767 /* find cookie from initiator cache */ 768 static int 769 cookie_find(cookie_t *in) 770 { 771 int i; 772 773 for (i = 0; i < MAXINITIATORS; i++) { 774 if (memcmp(in, &cookiecache[i].initiator, sizeof(*in)) == 0) 775 return i; 776 } 777 778 return -1; 779 } 780 781 /* record initiator */ 782 static void 783 cookie_record(cookie_t *in, const u_char *bp2) 784 { 785 int i; 786 const struct ip *ip; 787 const struct ip6_hdr *ip6; 788 789 i = cookie_find(in); 790 if (0 <= i) { 791 ninitiator = (i + 1) % MAXINITIATORS; 792 return; 793 } 794 795 ip = (const struct ip *)bp2; 796 switch (IP_V(ip)) { 797 case 4: 798 cookiecache[ninitiator].version = 4; 799 UNALIGNED_MEMCPY(&cookiecache[ninitiator].iaddr.in4, &ip->ip_src, sizeof(struct in_addr)); 800 UNALIGNED_MEMCPY(&cookiecache[ninitiator].raddr.in4, &ip->ip_dst, sizeof(struct in_addr)); 801 break; 802 case 6: 803 ip6 = (const struct ip6_hdr *)bp2; 804 cookiecache[ninitiator].version = 6; 805 UNALIGNED_MEMCPY(&cookiecache[ninitiator].iaddr.in6, &ip6->ip6_src, sizeof(struct in6_addr)); 806 UNALIGNED_MEMCPY(&cookiecache[ninitiator].raddr.in6, &ip6->ip6_dst, sizeof(struct in6_addr)); 807 break; 808 default: 809 return; 810 } 811 UNALIGNED_MEMCPY(&cookiecache[ninitiator].initiator, in, sizeof(*in)); 812 ninitiator = (ninitiator + 1) % MAXINITIATORS; 813 } 814 815 #define cookie_isinitiator(x, y) cookie_sidecheck((x), (y), 1) 816 #define cookie_isresponder(x, y) cookie_sidecheck((x), (y), 0) 817 static int 818 cookie_sidecheck(int i, const u_char *bp2, int initiator) 819 { 820 const struct ip *ip; 821 const struct ip6_hdr *ip6; 822 823 ip = (const struct ip *)bp2; 824 switch (IP_V(ip)) { 825 case 4: 826 if (cookiecache[i].version != 4) 827 return 0; 828 if (initiator) { 829 if (UNALIGNED_MEMCMP(&ip->ip_src, &cookiecache[i].iaddr.in4, sizeof(struct in_addr)) == 0) 830 return 1; 831 } else { 832 if (UNALIGNED_MEMCMP(&ip->ip_src, &cookiecache[i].raddr.in4, sizeof(struct in_addr)) == 0) 833 return 1; 834 } 835 break; 836 case 6: 837 if (cookiecache[i].version != 6) 838 return 0; 839 ip6 = (const struct ip6_hdr *)bp2; 840 if (initiator) { 841 if (UNALIGNED_MEMCMP(&ip6->ip6_src, &cookiecache[i].iaddr.in6, sizeof(struct in6_addr)) == 0) 842 return 1; 843 } else { 844 if (UNALIGNED_MEMCMP(&ip6->ip6_src, &cookiecache[i].raddr.in6, sizeof(struct in6_addr)) == 0) 845 return 1; 846 } 847 break; 848 default: 849 break; 850 } 851 852 return 0; 853 } 854 855 static void 856 hexprint(netdissect_options *ndo, const uint8_t *loc, size_t len) 857 { 858 const uint8_t *p; 859 size_t i; 860 861 p = loc; 862 for (i = 0; i < len; i++) 863 ND_PRINT((ndo,"%02x", p[i] & 0xff)); 864 } 865 866 static int 867 rawprint(netdissect_options *ndo, const uint8_t *loc, size_t len) 868 { 869 ND_TCHECK2(*loc, len); 870 871 hexprint(ndo, loc, len); 872 return 1; 873 trunc: 874 return 0; 875 } 876 877 878 /* 879 * returns false if we run out of data buffer 880 */ 881 static int ike_show_somedata(netdissect_options *ndo, 882 const u_char *cp, const u_char *ep) 883 { 884 /* there is too much data, just show some of it */ 885 const u_char *end = ep - 20; 886 int elen = 20; 887 int len = ep - cp; 888 if(len > 10) { 889 len = 10; 890 } 891 892 /* really shouldn't happen because of above */ 893 if(end < cp + len) { 894 end = cp+len; 895 elen = ep - end; 896 } 897 898 ND_PRINT((ndo," data=(")); 899 if(!rawprint(ndo, (const uint8_t *)(cp), len)) goto trunc; 900 ND_PRINT((ndo, "...")); 901 if(elen) { 902 if(!rawprint(ndo, (const uint8_t *)(end), elen)) goto trunc; 903 } 904 ND_PRINT((ndo,")")); 905 return 1; 906 907 trunc: 908 return 0; 909 } 910 911 struct attrmap { 912 const char *type; 913 u_int nvalue; 914 const char *value[30]; /*XXX*/ 915 }; 916 917 static const u_char * 918 ikev1_attrmap_print(netdissect_options *ndo, 919 const u_char *p, const u_char *ep, 920 const struct attrmap *map, size_t nmap) 921 { 922 int totlen; 923 uint32_t t, v; 924 925 if (p[0] & 0x80) 926 totlen = 4; 927 else 928 totlen = 4 + EXTRACT_16BITS(&p[2]); 929 if (ep < p + totlen) { 930 ND_PRINT((ndo,"[|attr]")); 931 return ep + 1; 932 } 933 934 ND_PRINT((ndo,"(")); 935 t = EXTRACT_16BITS(&p[0]) & 0x7fff; 936 if (map && t < nmap && map[t].type) 937 ND_PRINT((ndo,"type=%s ", map[t].type)); 938 else 939 ND_PRINT((ndo,"type=#%d ", t)); 940 if (p[0] & 0x80) { 941 ND_PRINT((ndo,"value=")); 942 v = EXTRACT_16BITS(&p[2]); 943 if (map && t < nmap && v < map[t].nvalue && map[t].value[v]) 944 ND_PRINT((ndo,"%s", map[t].value[v])); 945 else 946 rawprint(ndo, (const uint8_t *)&p[2], 2); 947 } else { 948 ND_PRINT((ndo,"len=%d value=", EXTRACT_16BITS(&p[2]))); 949 rawprint(ndo, (const uint8_t *)&p[4], EXTRACT_16BITS(&p[2])); 950 } 951 ND_PRINT((ndo,")")); 952 return p + totlen; 953 } 954 955 static const u_char * 956 ikev1_attr_print(netdissect_options *ndo, const u_char *p, const u_char *ep) 957 { 958 int totlen; 959 uint32_t t; 960 961 if (p[0] & 0x80) 962 totlen = 4; 963 else 964 totlen = 4 + EXTRACT_16BITS(&p[2]); 965 if (ep < p + totlen) { 966 ND_PRINT((ndo,"[|attr]")); 967 return ep + 1; 968 } 969 970 ND_PRINT((ndo,"(")); 971 t = EXTRACT_16BITS(&p[0]) & 0x7fff; 972 ND_PRINT((ndo,"type=#%d ", t)); 973 if (p[0] & 0x80) { 974 ND_PRINT((ndo,"value=")); 975 t = p[2]; 976 rawprint(ndo, (const uint8_t *)&p[2], 2); 977 } else { 978 ND_PRINT((ndo,"len=%d value=", EXTRACT_16BITS(&p[2]))); 979 rawprint(ndo, (const uint8_t *)&p[4], EXTRACT_16BITS(&p[2])); 980 } 981 ND_PRINT((ndo,")")); 982 return p + totlen; 983 } 984 985 static const u_char * 986 ikev1_sa_print(netdissect_options *ndo, u_char tpay _U_, 987 const struct isakmp_gen *ext, 988 u_int item_len _U_, 989 const u_char *ep, uint32_t phase, uint32_t doi0 _U_, 990 uint32_t proto0, int depth) 991 { 992 const struct ikev1_pl_sa *p; 993 struct ikev1_pl_sa sa; 994 uint32_t doi, sit, ident; 995 const u_char *cp, *np; 996 int t; 997 998 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_SA))); 999 1000 p = (const struct ikev1_pl_sa *)ext; 1001 ND_TCHECK(*p); 1002 UNALIGNED_MEMCPY(&sa, ext, sizeof(sa)); 1003 doi = ntohl(sa.doi); 1004 sit = ntohl(sa.sit); 1005 if (doi != 1) { 1006 ND_PRINT((ndo," doi=%d", doi)); 1007 ND_PRINT((ndo," situation=%u", (uint32_t)ntohl(sa.sit))); 1008 return (const u_char *)(p + 1); 1009 } 1010 1011 ND_PRINT((ndo," doi=ipsec")); 1012 ND_PRINT((ndo," situation=")); 1013 t = 0; 1014 if (sit & 0x01) { 1015 ND_PRINT((ndo,"identity")); 1016 t++; 1017 } 1018 if (sit & 0x02) { 1019 ND_PRINT((ndo,"%ssecrecy", t ? "+" : "")); 1020 t++; 1021 } 1022 if (sit & 0x04) 1023 ND_PRINT((ndo,"%sintegrity", t ? "+" : "")); 1024 1025 np = (const u_char *)ext + sizeof(sa); 1026 if (sit != 0x01) { 1027 ND_TCHECK2(*(ext + 1), sizeof(ident)); 1028 UNALIGNED_MEMCPY(&ident, ext + 1, sizeof(ident)); 1029 ND_PRINT((ndo," ident=%u", (uint32_t)ntohl(ident))); 1030 np += sizeof(ident); 1031 } 1032 1033 ext = (const struct isakmp_gen *)np; 1034 ND_TCHECK(*ext); 1035 1036 cp = ikev1_sub_print(ndo, ISAKMP_NPTYPE_P, ext, ep, phase, doi, proto0, 1037 depth); 1038 1039 return cp; 1040 trunc: 1041 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_SA))); 1042 return NULL; 1043 } 1044 1045 static const u_char * 1046 ikev1_p_print(netdissect_options *ndo, u_char tpay _U_, 1047 const struct isakmp_gen *ext, u_int item_len _U_, 1048 const u_char *ep, uint32_t phase, uint32_t doi0, 1049 uint32_t proto0 _U_, int depth) 1050 { 1051 const struct ikev1_pl_p *p; 1052 struct ikev1_pl_p prop; 1053 const u_char *cp; 1054 1055 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_P))); 1056 1057 p = (const struct ikev1_pl_p *)ext; 1058 ND_TCHECK(*p); 1059 UNALIGNED_MEMCPY(&prop, ext, sizeof(prop)); 1060 ND_PRINT((ndo," #%d protoid=%s transform=%d", 1061 prop.p_no, PROTOIDSTR(prop.prot_id), prop.num_t)); 1062 if (prop.spi_size) { 1063 ND_PRINT((ndo," spi=")); 1064 if (!rawprint(ndo, (const uint8_t *)(p + 1), prop.spi_size)) 1065 goto trunc; 1066 } 1067 1068 ext = (const struct isakmp_gen *)((const u_char *)(p + 1) + prop.spi_size); 1069 ND_TCHECK(*ext); 1070 1071 cp = ikev1_sub_print(ndo, ISAKMP_NPTYPE_T, ext, ep, phase, doi0, 1072 prop.prot_id, depth); 1073 1074 return cp; 1075 trunc: 1076 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_P))); 1077 return NULL; 1078 } 1079 1080 static const char *ikev1_p_map[] = { 1081 NULL, "ike", 1082 }; 1083 1084 static const char *ikev2_t_type_map[]={ 1085 NULL, "encr", "prf", "integ", "dh", "esn" 1086 }; 1087 1088 static const char *ah_p_map[] = { 1089 NULL, "(reserved)", "md5", "sha", "1des", 1090 "sha2-256", "sha2-384", "sha2-512", 1091 }; 1092 1093 static const char *prf_p_map[] = { 1094 NULL, "hmac-md5", "hmac-sha", "hmac-tiger", 1095 "aes128_xcbc" 1096 }; 1097 1098 static const char *integ_p_map[] = { 1099 NULL, "hmac-md5", "hmac-sha", "dec-mac", 1100 "kpdk-md5", "aes-xcbc" 1101 }; 1102 1103 static const char *esn_p_map[] = { 1104 "no-esn", "esn" 1105 }; 1106 1107 static const char *dh_p_map[] = { 1108 NULL, "modp768", 1109 "modp1024", /* group 2 */ 1110 "EC2N 2^155", /* group 3 */ 1111 "EC2N 2^185", /* group 4 */ 1112 "modp1536", /* group 5 */ 1113 "iana-grp06", "iana-grp07", /* reserved */ 1114 "iana-grp08", "iana-grp09", 1115 "iana-grp10", "iana-grp11", 1116 "iana-grp12", "iana-grp13", 1117 "modp2048", /* group 14 */ 1118 "modp3072", /* group 15 */ 1119 "modp4096", /* group 16 */ 1120 "modp6144", /* group 17 */ 1121 "modp8192", /* group 18 */ 1122 }; 1123 1124 static const char *esp_p_map[] = { 1125 NULL, "1des-iv64", "1des", "3des", "rc5", "idea", "cast", 1126 "blowfish", "3idea", "1des-iv32", "rc4", "null", "aes" 1127 }; 1128 1129 static const char *ipcomp_p_map[] = { 1130 NULL, "oui", "deflate", "lzs", 1131 }; 1132 1133 static const struct attrmap ipsec_t_map[] = { 1134 { NULL, 0, { NULL } }, 1135 { "lifetype", 3, { NULL, "sec", "kb", }, }, 1136 { "life", 0, { NULL } }, 1137 { "group desc", 18, { NULL, "modp768", 1138 "modp1024", /* group 2 */ 1139 "EC2N 2^155", /* group 3 */ 1140 "EC2N 2^185", /* group 4 */ 1141 "modp1536", /* group 5 */ 1142 "iana-grp06", "iana-grp07", /* reserved */ 1143 "iana-grp08", "iana-grp09", 1144 "iana-grp10", "iana-grp11", 1145 "iana-grp12", "iana-grp13", 1146 "modp2048", /* group 14 */ 1147 "modp3072", /* group 15 */ 1148 "modp4096", /* group 16 */ 1149 "modp6144", /* group 17 */ 1150 "modp8192", /* group 18 */ 1151 }, }, 1152 { "enc mode", 3, { NULL, "tunnel", "transport", }, }, 1153 { "auth", 5, { NULL, "hmac-md5", "hmac-sha1", "1des-mac", "keyed", }, }, 1154 { "keylen", 0, { NULL } }, 1155 { "rounds", 0, { NULL } }, 1156 { "dictsize", 0, { NULL } }, 1157 { "privalg", 0, { NULL } }, 1158 }; 1159 1160 static const struct attrmap encr_t_map[] = { 1161 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 0, 1 */ 1162 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 2, 3 */ 1163 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 4, 5 */ 1164 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 6, 7 */ 1165 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 8, 9 */ 1166 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 10,11*/ 1167 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 12,13*/ 1168 { "keylen", 14, { NULL }}, 1169 }; 1170 1171 static const struct attrmap oakley_t_map[] = { 1172 { NULL, 0, { NULL } }, 1173 { "enc", 8, { NULL, "1des", "idea", "blowfish", "rc5", 1174 "3des", "cast", "aes", }, }, 1175 { "hash", 7, { NULL, "md5", "sha1", "tiger", 1176 "sha2-256", "sha2-384", "sha2-512", }, }, 1177 { "auth", 6, { NULL, "preshared", "dss", "rsa sig", "rsa enc", 1178 "rsa enc revised", }, }, 1179 { "group desc", 18, { NULL, "modp768", 1180 "modp1024", /* group 2 */ 1181 "EC2N 2^155", /* group 3 */ 1182 "EC2N 2^185", /* group 4 */ 1183 "modp1536", /* group 5 */ 1184 "iana-grp06", "iana-grp07", /* reserved */ 1185 "iana-grp08", "iana-grp09", 1186 "iana-grp10", "iana-grp11", 1187 "iana-grp12", "iana-grp13", 1188 "modp2048", /* group 14 */ 1189 "modp3072", /* group 15 */ 1190 "modp4096", /* group 16 */ 1191 "modp6144", /* group 17 */ 1192 "modp8192", /* group 18 */ 1193 }, }, 1194 { "group type", 4, { NULL, "MODP", "ECP", "EC2N", }, }, 1195 { "group prime", 0, { NULL } }, 1196 { "group gen1", 0, { NULL } }, 1197 { "group gen2", 0, { NULL } }, 1198 { "group curve A", 0, { NULL } }, 1199 { "group curve B", 0, { NULL } }, 1200 { "lifetype", 3, { NULL, "sec", "kb", }, }, 1201 { "lifeduration", 0, { NULL } }, 1202 { "prf", 0, { NULL } }, 1203 { "keylen", 0, { NULL } }, 1204 { "field", 0, { NULL } }, 1205 { "order", 0, { NULL } }, 1206 }; 1207 1208 static const u_char * 1209 ikev1_t_print(netdissect_options *ndo, u_char tpay _U_, 1210 const struct isakmp_gen *ext, u_int item_len, 1211 const u_char *ep, uint32_t phase _U_, uint32_t doi _U_, 1212 uint32_t proto, int depth _U_) 1213 { 1214 const struct ikev1_pl_t *p; 1215 struct ikev1_pl_t t; 1216 const u_char *cp; 1217 const char *idstr; 1218 const struct attrmap *map; 1219 size_t nmap; 1220 const u_char *ep2; 1221 1222 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_T))); 1223 1224 p = (const struct ikev1_pl_t *)ext; 1225 ND_TCHECK(*p); 1226 UNALIGNED_MEMCPY(&t, ext, sizeof(t)); 1227 1228 switch (proto) { 1229 case 1: 1230 idstr = STR_OR_ID(t.t_id, ikev1_p_map); 1231 map = oakley_t_map; 1232 nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]); 1233 break; 1234 case 2: 1235 idstr = STR_OR_ID(t.t_id, ah_p_map); 1236 map = ipsec_t_map; 1237 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]); 1238 break; 1239 case 3: 1240 idstr = STR_OR_ID(t.t_id, esp_p_map); 1241 map = ipsec_t_map; 1242 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]); 1243 break; 1244 case 4: 1245 idstr = STR_OR_ID(t.t_id, ipcomp_p_map); 1246 map = ipsec_t_map; 1247 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]); 1248 break; 1249 default: 1250 idstr = NULL; 1251 map = NULL; 1252 nmap = 0; 1253 break; 1254 } 1255 1256 if (idstr) 1257 ND_PRINT((ndo," #%d id=%s ", t.t_no, idstr)); 1258 else 1259 ND_PRINT((ndo," #%d id=%d ", t.t_no, t.t_id)); 1260 cp = (const u_char *)(p + 1); 1261 ep2 = (const u_char *)p + item_len; 1262 while (cp < ep && cp < ep2) { 1263 if (map && nmap) { 1264 cp = ikev1_attrmap_print(ndo, cp, (ep < ep2) ? ep : ep2, 1265 map, nmap); 1266 } else 1267 cp = ikev1_attr_print(ndo, cp, (ep < ep2) ? ep : ep2); 1268 } 1269 if (ep < ep2) 1270 ND_PRINT((ndo,"...")); 1271 return cp; 1272 trunc: 1273 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_T))); 1274 return NULL; 1275 } 1276 1277 static const u_char * 1278 ikev1_ke_print(netdissect_options *ndo, u_char tpay _U_, 1279 const struct isakmp_gen *ext, u_int item_len _U_, 1280 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_, 1281 uint32_t proto _U_, int depth _U_) 1282 { 1283 struct isakmp_gen e; 1284 1285 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_KE))); 1286 1287 ND_TCHECK(*ext); 1288 UNALIGNED_MEMCPY(&e, ext, sizeof(e)); 1289 ND_PRINT((ndo," key len=%d", ntohs(e.len) - 4)); 1290 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) { 1291 ND_PRINT((ndo," ")); 1292 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4)) 1293 goto trunc; 1294 } 1295 return (const u_char *)ext + ntohs(e.len); 1296 trunc: 1297 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_KE))); 1298 return NULL; 1299 } 1300 1301 static const u_char * 1302 ikev1_id_print(netdissect_options *ndo, u_char tpay _U_, 1303 const struct isakmp_gen *ext, u_int item_len, 1304 const u_char *ep _U_, uint32_t phase, uint32_t doi _U_, 1305 uint32_t proto _U_, int depth _U_) 1306 { 1307 #define USE_IPSECDOI_IN_PHASE1 1 1308 const struct ikev1_pl_id *p; 1309 struct ikev1_pl_id id; 1310 static const char *idtypestr[] = { 1311 "IPv4", "IPv4net", "IPv6", "IPv6net", 1312 }; 1313 static const char *ipsecidtypestr[] = { 1314 NULL, "IPv4", "FQDN", "user FQDN", "IPv4net", "IPv6", 1315 "IPv6net", "IPv4range", "IPv6range", "ASN1 DN", "ASN1 GN", 1316 "keyid", 1317 }; 1318 int len; 1319 const u_char *data; 1320 1321 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_ID))); 1322 1323 p = (const struct ikev1_pl_id *)ext; 1324 ND_TCHECK(*p); 1325 UNALIGNED_MEMCPY(&id, ext, sizeof(id)); 1326 if (sizeof(*p) < item_len) { 1327 data = (const u_char *)(p + 1); 1328 len = item_len - sizeof(*p); 1329 } else { 1330 data = NULL; 1331 len = 0; 1332 } 1333 1334 #if 0 /*debug*/ 1335 ND_PRINT((ndo," [phase=%d doi=%d proto=%d]", phase, doi, proto)); 1336 #endif 1337 switch (phase) { 1338 #ifndef USE_IPSECDOI_IN_PHASE1 1339 case 1: 1340 #endif 1341 default: 1342 ND_PRINT((ndo," idtype=%s", STR_OR_ID(id.d.id_type, idtypestr))); 1343 ND_PRINT((ndo," doi_data=%u", 1344 (uint32_t)(ntohl(id.d.doi_data) & 0xffffff))); 1345 break; 1346 1347 #ifdef USE_IPSECDOI_IN_PHASE1 1348 case 1: 1349 #endif 1350 case 2: 1351 { 1352 const struct ipsecdoi_id *doi_p; 1353 struct ipsecdoi_id doi_id; 1354 struct protoent *pe; 1355 1356 doi_p = (const struct ipsecdoi_id *)ext; 1357 ND_TCHECK(*doi_p); 1358 UNALIGNED_MEMCPY(&doi_id, ext, sizeof(doi_id)); 1359 ND_PRINT((ndo," idtype=%s", STR_OR_ID(doi_id.type, ipsecidtypestr))); 1360 /* A protocol ID of 0 DOES NOT mean IPPROTO_IP! */ 1361 pe = doi_id.proto_id ? getprotobynumber(doi_id.proto_id) : NULL; 1362 if (pe) 1363 ND_PRINT((ndo," protoid=%s", pe->p_name)); 1364 else 1365 ND_PRINT((ndo," protoid=%u", doi_id.proto_id)); 1366 ND_PRINT((ndo," port=%d", ntohs(doi_id.port))); 1367 if (!len) 1368 break; 1369 if (data == NULL) 1370 goto trunc; 1371 ND_TCHECK2(*data, len); 1372 switch (doi_id.type) { 1373 case IPSECDOI_ID_IPV4_ADDR: 1374 if (len < 4) 1375 ND_PRINT((ndo," len=%d [bad: < 4]", len)); 1376 else 1377 ND_PRINT((ndo," len=%d %s", len, ipaddr_string(ndo, data))); 1378 len = 0; 1379 break; 1380 case IPSECDOI_ID_FQDN: 1381 case IPSECDOI_ID_USER_FQDN: 1382 { 1383 int i; 1384 ND_PRINT((ndo," len=%d ", len)); 1385 for (i = 0; i < len; i++) 1386 safeputchar(ndo, data[i]); 1387 len = 0; 1388 break; 1389 } 1390 case IPSECDOI_ID_IPV4_ADDR_SUBNET: 1391 { 1392 const u_char *mask; 1393 if (len < 8) 1394 ND_PRINT((ndo," len=%d [bad: < 8]", len)); 1395 else { 1396 mask = data + sizeof(struct in_addr); 1397 ND_PRINT((ndo," len=%d %s/%u.%u.%u.%u", len, 1398 ipaddr_string(ndo, data), 1399 mask[0], mask[1], mask[2], mask[3])); 1400 } 1401 len = 0; 1402 break; 1403 } 1404 case IPSECDOI_ID_IPV6_ADDR: 1405 if (len < 16) 1406 ND_PRINT((ndo," len=%d [bad: < 16]", len)); 1407 else 1408 ND_PRINT((ndo," len=%d %s", len, ip6addr_string(ndo, data))); 1409 len = 0; 1410 break; 1411 case IPSECDOI_ID_IPV6_ADDR_SUBNET: 1412 { 1413 const u_char *mask; 1414 if (len < 20) 1415 ND_PRINT((ndo," len=%d [bad: < 20]", len)); 1416 else { 1417 mask = (const u_char *)(data + sizeof(struct in6_addr)); 1418 /*XXX*/ 1419 ND_PRINT((ndo," len=%d %s/0x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x", len, 1420 ip6addr_string(ndo, data), 1421 mask[0], mask[1], mask[2], mask[3], 1422 mask[4], mask[5], mask[6], mask[7], 1423 mask[8], mask[9], mask[10], mask[11], 1424 mask[12], mask[13], mask[14], mask[15])); 1425 } 1426 len = 0; 1427 break; 1428 } 1429 case IPSECDOI_ID_IPV4_ADDR_RANGE: 1430 if (len < 8) 1431 ND_PRINT((ndo," len=%d [bad: < 8]", len)); 1432 else { 1433 ND_PRINT((ndo," len=%d %s-%s", len, 1434 ipaddr_string(ndo, data), 1435 ipaddr_string(ndo, data + sizeof(struct in_addr)))); 1436 } 1437 len = 0; 1438 break; 1439 case IPSECDOI_ID_IPV6_ADDR_RANGE: 1440 if (len < 32) 1441 ND_PRINT((ndo," len=%d [bad: < 32]", len)); 1442 else { 1443 ND_PRINT((ndo," len=%d %s-%s", len, 1444 ip6addr_string(ndo, data), 1445 ip6addr_string(ndo, data + sizeof(struct in6_addr)))); 1446 } 1447 len = 0; 1448 break; 1449 case IPSECDOI_ID_DER_ASN1_DN: 1450 case IPSECDOI_ID_DER_ASN1_GN: 1451 case IPSECDOI_ID_KEY_ID: 1452 break; 1453 } 1454 break; 1455 } 1456 } 1457 if (data && len) { 1458 ND_PRINT((ndo," len=%d", len)); 1459 if (2 < ndo->ndo_vflag) { 1460 ND_PRINT((ndo," ")); 1461 if (!rawprint(ndo, (const uint8_t *)data, len)) 1462 goto trunc; 1463 } 1464 } 1465 return (const u_char *)ext + item_len; 1466 trunc: 1467 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_ID))); 1468 return NULL; 1469 } 1470 1471 static const u_char * 1472 ikev1_cert_print(netdissect_options *ndo, u_char tpay _U_, 1473 const struct isakmp_gen *ext, u_int item_len, 1474 const u_char *ep _U_, uint32_t phase _U_, 1475 uint32_t doi0 _U_, 1476 uint32_t proto0 _U_, int depth _U_) 1477 { 1478 const struct ikev1_pl_cert *p; 1479 struct ikev1_pl_cert cert; 1480 static const char *certstr[] = { 1481 "none", "pkcs7", "pgp", "dns", 1482 "x509sign", "x509ke", "kerberos", "crl", 1483 "arl", "spki", "x509attr", 1484 }; 1485 1486 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_CERT))); 1487 1488 p = (const struct ikev1_pl_cert *)ext; 1489 ND_TCHECK(*p); 1490 UNALIGNED_MEMCPY(&cert, ext, sizeof(cert)); 1491 ND_PRINT((ndo," len=%d", item_len - 4)); 1492 ND_PRINT((ndo," type=%s", STR_OR_ID((cert.encode), certstr))); 1493 if (2 < ndo->ndo_vflag && 4 < item_len) { 1494 ND_PRINT((ndo," ")); 1495 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4)) 1496 goto trunc; 1497 } 1498 return (const u_char *)ext + item_len; 1499 trunc: 1500 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_CERT))); 1501 return NULL; 1502 } 1503 1504 static const u_char * 1505 ikev1_cr_print(netdissect_options *ndo, u_char tpay _U_, 1506 const struct isakmp_gen *ext, u_int item_len, 1507 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi0 _U_, 1508 uint32_t proto0 _U_, int depth _U_) 1509 { 1510 const struct ikev1_pl_cert *p; 1511 struct ikev1_pl_cert cert; 1512 static const char *certstr[] = { 1513 "none", "pkcs7", "pgp", "dns", 1514 "x509sign", "x509ke", "kerberos", "crl", 1515 "arl", "spki", "x509attr", 1516 }; 1517 1518 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_CR))); 1519 1520 p = (const struct ikev1_pl_cert *)ext; 1521 ND_TCHECK(*p); 1522 UNALIGNED_MEMCPY(&cert, ext, sizeof(cert)); 1523 ND_PRINT((ndo," len=%d", item_len - 4)); 1524 ND_PRINT((ndo," type=%s", STR_OR_ID((cert.encode), certstr))); 1525 if (2 < ndo->ndo_vflag && 4 < item_len) { 1526 ND_PRINT((ndo," ")); 1527 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4)) 1528 goto trunc; 1529 } 1530 return (const u_char *)ext + item_len; 1531 trunc: 1532 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_CR))); 1533 return NULL; 1534 } 1535 1536 static const u_char * 1537 ikev1_hash_print(netdissect_options *ndo, u_char tpay _U_, 1538 const struct isakmp_gen *ext, u_int item_len _U_, 1539 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_, 1540 uint32_t proto _U_, int depth _U_) 1541 { 1542 struct isakmp_gen e; 1543 1544 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_HASH))); 1545 1546 ND_TCHECK(*ext); 1547 UNALIGNED_MEMCPY(&e, ext, sizeof(e)); 1548 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4)); 1549 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) { 1550 ND_PRINT((ndo," ")); 1551 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4)) 1552 goto trunc; 1553 } 1554 return (const u_char *)ext + ntohs(e.len); 1555 trunc: 1556 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_HASH))); 1557 return NULL; 1558 } 1559 1560 static const u_char * 1561 ikev1_sig_print(netdissect_options *ndo, u_char tpay _U_, 1562 const struct isakmp_gen *ext, u_int item_len _U_, 1563 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_, 1564 uint32_t proto _U_, int depth _U_) 1565 { 1566 struct isakmp_gen e; 1567 1568 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_SIG))); 1569 1570 ND_TCHECK(*ext); 1571 UNALIGNED_MEMCPY(&e, ext, sizeof(e)); 1572 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4)); 1573 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) { 1574 ND_PRINT((ndo," ")); 1575 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4)) 1576 goto trunc; 1577 } 1578 return (const u_char *)ext + ntohs(e.len); 1579 trunc: 1580 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_SIG))); 1581 return NULL; 1582 } 1583 1584 static const u_char * 1585 ikev1_nonce_print(netdissect_options *ndo, u_char tpay _U_, 1586 const struct isakmp_gen *ext, 1587 u_int item_len _U_, 1588 const u_char *ep, 1589 uint32_t phase _U_, uint32_t doi _U_, 1590 uint32_t proto _U_, int depth _U_) 1591 { 1592 struct isakmp_gen e; 1593 1594 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_NONCE))); 1595 1596 ND_TCHECK(*ext); 1597 UNALIGNED_MEMCPY(&e, ext, sizeof(e)); 1598 ND_PRINT((ndo," n len=%d", ntohs(e.len) - 4)); 1599 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) { 1600 ND_PRINT((ndo," ")); 1601 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4)) 1602 goto trunc; 1603 } else if (1 < ndo->ndo_vflag && 4 < ntohs(e.len)) { 1604 ND_PRINT((ndo," ")); 1605 if (!ike_show_somedata(ndo, (const u_char *)(const uint8_t *)(ext + 1), ep)) 1606 goto trunc; 1607 } 1608 return (const u_char *)ext + ntohs(e.len); 1609 trunc: 1610 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_NONCE))); 1611 return NULL; 1612 } 1613 1614 static const u_char * 1615 ikev1_n_print(netdissect_options *ndo, u_char tpay _U_, 1616 const struct isakmp_gen *ext, u_int item_len, 1617 const u_char *ep, uint32_t phase, uint32_t doi0 _U_, 1618 uint32_t proto0 _U_, int depth) 1619 { 1620 const struct ikev1_pl_n *p; 1621 struct ikev1_pl_n n; 1622 const u_char *cp; 1623 const u_char *ep2; 1624 uint32_t doi; 1625 uint32_t proto; 1626 static const char *notify_error_str[] = { 1627 NULL, "INVALID-PAYLOAD-TYPE", 1628 "DOI-NOT-SUPPORTED", "SITUATION-NOT-SUPPORTED", 1629 "INVALID-COOKIE", "INVALID-MAJOR-VERSION", 1630 "INVALID-MINOR-VERSION", "INVALID-EXCHANGE-TYPE", 1631 "INVALID-FLAGS", "INVALID-MESSAGE-ID", 1632 "INVALID-PROTOCOL-ID", "INVALID-SPI", 1633 "INVALID-TRANSFORM-ID", "ATTRIBUTES-NOT-SUPPORTED", 1634 "NO-PROPOSAL-CHOSEN", "BAD-PROPOSAL-SYNTAX", 1635 "PAYLOAD-MALFORMED", "INVALID-KEY-INFORMATION", 1636 "INVALID-ID-INFORMATION", "INVALID-CERT-ENCODING", 1637 "INVALID-CERTIFICATE", "CERT-TYPE-UNSUPPORTED", 1638 "INVALID-CERT-AUTHORITY", "INVALID-HASH-INFORMATION", 1639 "AUTHENTICATION-FAILED", "INVALID-SIGNATURE", 1640 "ADDRESS-NOTIFICATION", "NOTIFY-SA-LIFETIME", 1641 "CERTIFICATE-UNAVAILABLE", "UNSUPPORTED-EXCHANGE-TYPE", 1642 "UNEQUAL-PAYLOAD-LENGTHS", 1643 }; 1644 static const char *ipsec_notify_error_str[] = { 1645 "RESERVED", 1646 }; 1647 static const char *notify_status_str[] = { 1648 "CONNECTED", 1649 }; 1650 static const char *ipsec_notify_status_str[] = { 1651 "RESPONDER-LIFETIME", "REPLAY-STATUS", 1652 "INITIAL-CONTACT", 1653 }; 1654 /* NOTE: these macro must be called with x in proper range */ 1655 1656 /* 0 - 8191 */ 1657 #define NOTIFY_ERROR_STR(x) \ 1658 STR_OR_ID((x), notify_error_str) 1659 1660 /* 8192 - 16383 */ 1661 #define IPSEC_NOTIFY_ERROR_STR(x) \ 1662 STR_OR_ID((u_int)((x) - 8192), ipsec_notify_error_str) 1663 1664 /* 16384 - 24575 */ 1665 #define NOTIFY_STATUS_STR(x) \ 1666 STR_OR_ID((u_int)((x) - 16384), notify_status_str) 1667 1668 /* 24576 - 32767 */ 1669 #define IPSEC_NOTIFY_STATUS_STR(x) \ 1670 STR_OR_ID((u_int)((x) - 24576), ipsec_notify_status_str) 1671 1672 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_N))); 1673 1674 p = (const struct ikev1_pl_n *)ext; 1675 ND_TCHECK(*p); 1676 UNALIGNED_MEMCPY(&n, ext, sizeof(n)); 1677 doi = ntohl(n.doi); 1678 proto = n.prot_id; 1679 if (doi != 1) { 1680 ND_PRINT((ndo," doi=%d", doi)); 1681 ND_PRINT((ndo," proto=%d", proto)); 1682 if (ntohs(n.type) < 8192) 1683 ND_PRINT((ndo," type=%s", NOTIFY_ERROR_STR(ntohs(n.type)))); 1684 else if (ntohs(n.type) < 16384) 1685 ND_PRINT((ndo," type=%s", numstr(ntohs(n.type)))); 1686 else if (ntohs(n.type) < 24576) 1687 ND_PRINT((ndo," type=%s", NOTIFY_STATUS_STR(ntohs(n.type)))); 1688 else 1689 ND_PRINT((ndo," type=%s", numstr(ntohs(n.type)))); 1690 if (n.spi_size) { 1691 ND_PRINT((ndo," spi=")); 1692 if (!rawprint(ndo, (const uint8_t *)(p + 1), n.spi_size)) 1693 goto trunc; 1694 } 1695 return (const u_char *)(p + 1) + n.spi_size; 1696 } 1697 1698 ND_PRINT((ndo," doi=ipsec")); 1699 ND_PRINT((ndo," proto=%s", PROTOIDSTR(proto))); 1700 if (ntohs(n.type) < 8192) 1701 ND_PRINT((ndo," type=%s", NOTIFY_ERROR_STR(ntohs(n.type)))); 1702 else if (ntohs(n.type) < 16384) 1703 ND_PRINT((ndo," type=%s", IPSEC_NOTIFY_ERROR_STR(ntohs(n.type)))); 1704 else if (ntohs(n.type) < 24576) 1705 ND_PRINT((ndo," type=%s", NOTIFY_STATUS_STR(ntohs(n.type)))); 1706 else if (ntohs(n.type) < 32768) 1707 ND_PRINT((ndo," type=%s", IPSEC_NOTIFY_STATUS_STR(ntohs(n.type)))); 1708 else 1709 ND_PRINT((ndo," type=%s", numstr(ntohs(n.type)))); 1710 if (n.spi_size) { 1711 ND_PRINT((ndo," spi=")); 1712 if (!rawprint(ndo, (const uint8_t *)(p + 1), n.spi_size)) 1713 goto trunc; 1714 } 1715 1716 cp = (const u_char *)(p + 1) + n.spi_size; 1717 ep2 = (const u_char *)p + item_len; 1718 1719 if (cp < ep) { 1720 ND_PRINT((ndo," orig=(")); 1721 switch (ntohs(n.type)) { 1722 case IPSECDOI_NTYPE_RESPONDER_LIFETIME: 1723 { 1724 const struct attrmap *map = oakley_t_map; 1725 size_t nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]); 1726 while (cp < ep && cp < ep2) { 1727 cp = ikev1_attrmap_print(ndo, cp, 1728 (ep < ep2) ? ep : ep2, map, nmap); 1729 } 1730 break; 1731 } 1732 case IPSECDOI_NTYPE_REPLAY_STATUS: 1733 ND_PRINT((ndo,"replay detection %sabled", 1734 EXTRACT_32BITS(cp) ? "en" : "dis")); 1735 break; 1736 case ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN: 1737 if (ikev1_sub_print(ndo, ISAKMP_NPTYPE_SA, 1738 (const struct isakmp_gen *)cp, ep, phase, doi, proto, 1739 depth) == NULL) 1740 return NULL; 1741 break; 1742 default: 1743 /* NULL is dummy */ 1744 isakmp_print(ndo, cp, 1745 item_len - sizeof(*p) - n.spi_size, 1746 NULL); 1747 } 1748 ND_PRINT((ndo,")")); 1749 } 1750 return (const u_char *)ext + item_len; 1751 trunc: 1752 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_N))); 1753 return NULL; 1754 } 1755 1756 static const u_char * 1757 ikev1_d_print(netdissect_options *ndo, u_char tpay _U_, 1758 const struct isakmp_gen *ext, u_int item_len _U_, 1759 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi0 _U_, 1760 uint32_t proto0 _U_, int depth _U_) 1761 { 1762 const struct ikev1_pl_d *p; 1763 struct ikev1_pl_d d; 1764 const uint8_t *q; 1765 uint32_t doi; 1766 uint32_t proto; 1767 int i; 1768 1769 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_D))); 1770 1771 p = (const struct ikev1_pl_d *)ext; 1772 ND_TCHECK(*p); 1773 UNALIGNED_MEMCPY(&d, ext, sizeof(d)); 1774 doi = ntohl(d.doi); 1775 proto = d.prot_id; 1776 if (doi != 1) { 1777 ND_PRINT((ndo," doi=%u", doi)); 1778 ND_PRINT((ndo," proto=%u", proto)); 1779 } else { 1780 ND_PRINT((ndo," doi=ipsec")); 1781 ND_PRINT((ndo," proto=%s", PROTOIDSTR(proto))); 1782 } 1783 ND_PRINT((ndo," spilen=%u", d.spi_size)); 1784 ND_PRINT((ndo," nspi=%u", ntohs(d.num_spi))); 1785 ND_PRINT((ndo," spi=")); 1786 q = (const uint8_t *)(p + 1); 1787 for (i = 0; i < ntohs(d.num_spi); i++) { 1788 if (i != 0) 1789 ND_PRINT((ndo,",")); 1790 if (!rawprint(ndo, (const uint8_t *)q, d.spi_size)) 1791 goto trunc; 1792 q += d.spi_size; 1793 } 1794 return q; 1795 trunc: 1796 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_D))); 1797 return NULL; 1798 } 1799 1800 static const u_char * 1801 ikev1_vid_print(netdissect_options *ndo, u_char tpay _U_, 1802 const struct isakmp_gen *ext, 1803 u_int item_len _U_, const u_char *ep _U_, 1804 uint32_t phase _U_, uint32_t doi _U_, 1805 uint32_t proto _U_, int depth _U_) 1806 { 1807 struct isakmp_gen e; 1808 1809 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_VID))); 1810 1811 ND_TCHECK(*ext); 1812 UNALIGNED_MEMCPY(&e, ext, sizeof(e)); 1813 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4)); 1814 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) { 1815 ND_PRINT((ndo," ")); 1816 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4)) 1817 goto trunc; 1818 } 1819 return (const u_char *)ext + ntohs(e.len); 1820 trunc: 1821 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_VID))); 1822 return NULL; 1823 } 1824 1825 /************************************************************/ 1826 /* */ 1827 /* IKE v2 - rfc4306 - dissector */ 1828 /* */ 1829 /************************************************************/ 1830 1831 static void 1832 ikev2_pay_print(netdissect_options *ndo, const char *payname, int critical) 1833 { 1834 ND_PRINT((ndo,"%s%s:", payname, critical&0x80 ? "[C]" : "")); 1835 } 1836 1837 static const u_char * 1838 ikev2_gen_print(netdissect_options *ndo, u_char tpay, 1839 const struct isakmp_gen *ext) 1840 { 1841 struct isakmp_gen e; 1842 1843 ND_TCHECK(*ext); 1844 UNALIGNED_MEMCPY(&e, ext, sizeof(e)); 1845 ikev2_pay_print(ndo, NPSTR(tpay), e.critical); 1846 1847 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4)); 1848 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) { 1849 ND_PRINT((ndo," ")); 1850 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4)) 1851 goto trunc; 1852 } 1853 return (const u_char *)ext + ntohs(e.len); 1854 trunc: 1855 ND_PRINT((ndo," [|%s]", NPSTR(tpay))); 1856 return NULL; 1857 } 1858 1859 static const u_char * 1860 ikev2_t_print(netdissect_options *ndo, int tcount, 1861 const struct isakmp_gen *ext, u_int item_len, 1862 const u_char *ep) 1863 { 1864 const struct ikev2_t *p; 1865 struct ikev2_t t; 1866 uint16_t t_id; 1867 const u_char *cp; 1868 const char *idstr; 1869 const struct attrmap *map; 1870 size_t nmap; 1871 const u_char *ep2; 1872 1873 p = (const struct ikev2_t *)ext; 1874 ND_TCHECK(*p); 1875 UNALIGNED_MEMCPY(&t, ext, sizeof(t)); 1876 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_T), t.h.critical); 1877 1878 t_id = ntohs(t.t_id); 1879 1880 map = NULL; 1881 nmap = 0; 1882 1883 switch (t.t_type) { 1884 case IV2_T_ENCR: 1885 idstr = STR_OR_ID(t_id, esp_p_map); 1886 map = encr_t_map; 1887 nmap = sizeof(encr_t_map)/sizeof(encr_t_map[0]); 1888 break; 1889 1890 case IV2_T_PRF: 1891 idstr = STR_OR_ID(t_id, prf_p_map); 1892 break; 1893 1894 case IV2_T_INTEG: 1895 idstr = STR_OR_ID(t_id, integ_p_map); 1896 break; 1897 1898 case IV2_T_DH: 1899 idstr = STR_OR_ID(t_id, dh_p_map); 1900 break; 1901 1902 case IV2_T_ESN: 1903 idstr = STR_OR_ID(t_id, esn_p_map); 1904 break; 1905 1906 default: 1907 idstr = NULL; 1908 break; 1909 } 1910 1911 if (idstr) 1912 ND_PRINT((ndo," #%u type=%s id=%s ", tcount, 1913 STR_OR_ID(t.t_type, ikev2_t_type_map), 1914 idstr)); 1915 else 1916 ND_PRINT((ndo," #%u type=%s id=%u ", tcount, 1917 STR_OR_ID(t.t_type, ikev2_t_type_map), 1918 t.t_id)); 1919 cp = (const u_char *)(p + 1); 1920 ep2 = (const u_char *)p + item_len; 1921 while (cp < ep && cp < ep2) { 1922 if (map && nmap) { 1923 cp = ikev1_attrmap_print(ndo, cp, (ep < ep2) ? ep : ep2, 1924 map, nmap); 1925 } else 1926 cp = ikev1_attr_print(ndo, cp, (ep < ep2) ? ep : ep2); 1927 } 1928 if (ep < ep2) 1929 ND_PRINT((ndo,"...")); 1930 return cp; 1931 trunc: 1932 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_T))); 1933 return NULL; 1934 } 1935 1936 static const u_char * 1937 ikev2_p_print(netdissect_options *ndo, u_char tpay _U_, int pcount _U_, 1938 const struct isakmp_gen *ext, u_int oprop_length, 1939 const u_char *ep, int depth) 1940 { 1941 const struct ikev2_p *p; 1942 struct ikev2_p prop; 1943 u_int prop_length; 1944 const u_char *cp; 1945 int i; 1946 int tcount; 1947 u_char np; 1948 struct isakmp_gen e; 1949 u_int item_len; 1950 1951 p = (const struct ikev2_p *)ext; 1952 ND_TCHECK(*p); 1953 UNALIGNED_MEMCPY(&prop, ext, sizeof(prop)); 1954 1955 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_P), prop.h.critical); 1956 1957 /* 1958 * ikev2_sa_print() guarantees that this is >= 4. 1959 */ 1960 prop_length = oprop_length - 4; 1961 ND_PRINT((ndo," #%u protoid=%s transform=%d len=%u", 1962 prop.p_no, PROTOIDSTR(prop.prot_id), 1963 prop.num_t, oprop_length)); 1964 cp = (const u_char *)(p + 1); 1965 1966 if (prop.spi_size) { 1967 if (prop_length < prop.spi_size) 1968 goto toolong; 1969 ND_PRINT((ndo," spi=")); 1970 if (!rawprint(ndo, (const uint8_t *)cp, prop.spi_size)) 1971 goto trunc; 1972 cp += prop.spi_size; 1973 prop_length -= prop.spi_size; 1974 } 1975 1976 /* 1977 * Print the transforms. 1978 */ 1979 tcount = 0; 1980 for (np = ISAKMP_NPTYPE_T; np != 0; np = e.np) { 1981 tcount++; 1982 ext = (const struct isakmp_gen *)cp; 1983 if (prop_length < sizeof(*ext)) 1984 goto toolong; 1985 ND_TCHECK(*ext); 1986 1987 UNALIGNED_MEMCPY(&e, ext, sizeof(e)); 1988 1989 /* 1990 * Since we can't have a payload length of less than 4 bytes, 1991 * we need to bail out here if the generic header is nonsensical 1992 * or truncated, otherwise we could loop forever processing 1993 * zero-length items or otherwise misdissect the packet. 1994 */ 1995 item_len = ntohs(e.len); 1996 if (item_len <= 4) 1997 goto trunc; 1998 1999 if (prop_length < item_len) 2000 goto toolong; 2001 ND_TCHECK2(*cp, item_len); 2002 2003 depth++; 2004 ND_PRINT((ndo,"\n")); 2005 for (i = 0; i < depth; i++) 2006 ND_PRINT((ndo," ")); 2007 ND_PRINT((ndo,"(")); 2008 if (np == ISAKMP_NPTYPE_T) { 2009 cp = ikev2_t_print(ndo, tcount, ext, item_len, ep); 2010 if (cp == NULL) { 2011 /* error, already reported */ 2012 return NULL; 2013 } 2014 } else { 2015 ND_PRINT((ndo, "%s", NPSTR(np))); 2016 cp += item_len; 2017 } 2018 ND_PRINT((ndo,")")); 2019 depth--; 2020 prop_length -= item_len; 2021 } 2022 return cp; 2023 toolong: 2024 /* 2025 * Skip the rest of the proposal. 2026 */ 2027 cp += prop_length; 2028 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_P))); 2029 return cp; 2030 trunc: 2031 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_P))); 2032 return NULL; 2033 } 2034 2035 static const u_char * 2036 ikev2_sa_print(netdissect_options *ndo, u_char tpay, 2037 const struct isakmp_gen *ext1, 2038 u_int osa_length, const u_char *ep, 2039 uint32_t phase _U_, uint32_t doi _U_, 2040 uint32_t proto _U_, int depth) 2041 { 2042 const struct isakmp_gen *ext; 2043 struct isakmp_gen e; 2044 u_int sa_length; 2045 const u_char *cp; 2046 int i; 2047 int pcount; 2048 u_char np; 2049 u_int item_len; 2050 2051 ND_TCHECK(*ext1); 2052 UNALIGNED_MEMCPY(&e, ext1, sizeof(e)); 2053 ikev2_pay_print(ndo, "sa", e.critical); 2054 2055 /* 2056 * ikev2_sub0_print() guarantees that this is >= 4. 2057 */ 2058 osa_length= ntohs(e.len); 2059 sa_length = osa_length - 4; 2060 ND_PRINT((ndo," len=%d", sa_length)); 2061 2062 /* 2063 * Print the payloads. 2064 */ 2065 cp = (const u_char *)(ext1 + 1); 2066 pcount = 0; 2067 for (np = ISAKMP_NPTYPE_P; np != 0; np = e.np) { 2068 pcount++; 2069 ext = (const struct isakmp_gen *)cp; 2070 if (sa_length < sizeof(*ext)) 2071 goto toolong; 2072 ND_TCHECK(*ext); 2073 2074 UNALIGNED_MEMCPY(&e, ext, sizeof(e)); 2075 2076 /* 2077 * Since we can't have a payload length of less than 4 bytes, 2078 * we need to bail out here if the generic header is nonsensical 2079 * or truncated, otherwise we could loop forever processing 2080 * zero-length items or otherwise misdissect the packet. 2081 */ 2082 item_len = ntohs(e.len); 2083 if (item_len <= 4) 2084 goto trunc; 2085 2086 if (sa_length < item_len) 2087 goto toolong; 2088 ND_TCHECK2(*cp, item_len); 2089 2090 depth++; 2091 ND_PRINT((ndo,"\n")); 2092 for (i = 0; i < depth; i++) 2093 ND_PRINT((ndo," ")); 2094 ND_PRINT((ndo,"(")); 2095 if (np == ISAKMP_NPTYPE_P) { 2096 cp = ikev2_p_print(ndo, np, pcount, ext, item_len, 2097 ep, depth); 2098 if (cp == NULL) { 2099 /* error, already reported */ 2100 return NULL; 2101 } 2102 } else { 2103 ND_PRINT((ndo, "%s", NPSTR(np))); 2104 cp += item_len; 2105 } 2106 ND_PRINT((ndo,")")); 2107 depth--; 2108 sa_length -= item_len; 2109 } 2110 return cp; 2111 toolong: 2112 /* 2113 * Skip the rest of the SA. 2114 */ 2115 cp += sa_length; 2116 ND_PRINT((ndo," [|%s]", NPSTR(tpay))); 2117 return cp; 2118 trunc: 2119 ND_PRINT((ndo," [|%s]", NPSTR(tpay))); 2120 return NULL; 2121 } 2122 2123 static const u_char * 2124 ikev2_ke_print(netdissect_options *ndo, u_char tpay, 2125 const struct isakmp_gen *ext, 2126 u_int item_len _U_, const u_char *ep _U_, 2127 uint32_t phase _U_, uint32_t doi _U_, 2128 uint32_t proto _U_, int depth _U_) 2129 { 2130 struct ikev2_ke ke; 2131 const struct ikev2_ke *k; 2132 2133 k = (const struct ikev2_ke *)ext; 2134 ND_TCHECK(*ext); 2135 UNALIGNED_MEMCPY(&ke, ext, sizeof(ke)); 2136 ikev2_pay_print(ndo, NPSTR(tpay), ke.h.critical); 2137 2138 ND_PRINT((ndo," len=%u group=%s", ntohs(ke.h.len) - 8, 2139 STR_OR_ID(ntohs(ke.ke_group), dh_p_map))); 2140 2141 if (2 < ndo->ndo_vflag && 8 < ntohs(ke.h.len)) { 2142 ND_PRINT((ndo," ")); 2143 if (!rawprint(ndo, (const uint8_t *)(k + 1), ntohs(ke.h.len) - 8)) 2144 goto trunc; 2145 } 2146 return (const u_char *)ext + ntohs(ke.h.len); 2147 trunc: 2148 ND_PRINT((ndo," [|%s]", NPSTR(tpay))); 2149 return NULL; 2150 } 2151 2152 static const u_char * 2153 ikev2_ID_print(netdissect_options *ndo, u_char tpay, 2154 const struct isakmp_gen *ext, 2155 u_int item_len _U_, const u_char *ep _U_, 2156 uint32_t phase _U_, uint32_t doi _U_, 2157 uint32_t proto _U_, int depth _U_) 2158 { 2159 struct ikev2_id id; 2160 int id_len, idtype_len, i; 2161 unsigned int dumpascii, dumphex; 2162 const unsigned char *typedata; 2163 2164 ND_TCHECK(*ext); 2165 UNALIGNED_MEMCPY(&id, ext, sizeof(id)); 2166 ikev2_pay_print(ndo, NPSTR(tpay), id.h.critical); 2167 2168 id_len = ntohs(id.h.len); 2169 2170 ND_PRINT((ndo," len=%d", id_len - 4)); 2171 if (2 < ndo->ndo_vflag && 4 < id_len) { 2172 ND_PRINT((ndo," ")); 2173 if (!rawprint(ndo, (const uint8_t *)(ext + 1), id_len - 4)) 2174 goto trunc; 2175 } 2176 2177 idtype_len =id_len - sizeof(struct ikev2_id); 2178 dumpascii = 0; 2179 dumphex = 0; 2180 typedata = (const unsigned char *)(ext)+sizeof(struct ikev2_id); 2181 2182 switch(id.type) { 2183 case ID_IPV4_ADDR: 2184 ND_PRINT((ndo, " ipv4:")); 2185 dumphex=1; 2186 break; 2187 case ID_FQDN: 2188 ND_PRINT((ndo, " fqdn:")); 2189 dumpascii=1; 2190 break; 2191 case ID_RFC822_ADDR: 2192 ND_PRINT((ndo, " rfc822:")); 2193 dumpascii=1; 2194 break; 2195 case ID_IPV6_ADDR: 2196 ND_PRINT((ndo, " ipv6:")); 2197 dumphex=1; 2198 break; 2199 case ID_DER_ASN1_DN: 2200 ND_PRINT((ndo, " dn:")); 2201 dumphex=1; 2202 break; 2203 case ID_DER_ASN1_GN: 2204 ND_PRINT((ndo, " gn:")); 2205 dumphex=1; 2206 break; 2207 case ID_KEY_ID: 2208 ND_PRINT((ndo, " keyid:")); 2209 dumphex=1; 2210 break; 2211 } 2212 2213 if(dumpascii) { 2214 ND_TCHECK2(*typedata, idtype_len); 2215 for(i=0; i<idtype_len; i++) { 2216 if(ND_ISPRINT(typedata[i])) { 2217 ND_PRINT((ndo, "%c", typedata[i])); 2218 } else { 2219 ND_PRINT((ndo, ".")); 2220 } 2221 } 2222 } 2223 if(dumphex) { 2224 if (!rawprint(ndo, (const uint8_t *)typedata, idtype_len)) 2225 goto trunc; 2226 } 2227 2228 return (const u_char *)ext + id_len; 2229 trunc: 2230 ND_PRINT((ndo," [|%s]", NPSTR(tpay))); 2231 return NULL; 2232 } 2233 2234 static const u_char * 2235 ikev2_cert_print(netdissect_options *ndo, u_char tpay, 2236 const struct isakmp_gen *ext, 2237 u_int item_len _U_, const u_char *ep _U_, 2238 uint32_t phase _U_, uint32_t doi _U_, 2239 uint32_t proto _U_, int depth _U_) 2240 { 2241 return ikev2_gen_print(ndo, tpay, ext); 2242 } 2243 2244 static const u_char * 2245 ikev2_cr_print(netdissect_options *ndo, u_char tpay, 2246 const struct isakmp_gen *ext, 2247 u_int item_len _U_, const u_char *ep _U_, 2248 uint32_t phase _U_, uint32_t doi _U_, 2249 uint32_t proto _U_, int depth _U_) 2250 { 2251 return ikev2_gen_print(ndo, tpay, ext); 2252 } 2253 2254 static const u_char * 2255 ikev2_auth_print(netdissect_options *ndo, u_char tpay, 2256 const struct isakmp_gen *ext, 2257 u_int item_len _U_, const u_char *ep, 2258 uint32_t phase _U_, uint32_t doi _U_, 2259 uint32_t proto _U_, int depth _U_) 2260 { 2261 struct ikev2_auth a; 2262 const char *v2_auth[]={ "invalid", "rsasig", 2263 "shared-secret", "dsssig" }; 2264 const u_char *authdata = (const u_char*)ext + sizeof(a); 2265 unsigned int len; 2266 2267 ND_TCHECK(*ext); 2268 UNALIGNED_MEMCPY(&a, ext, sizeof(a)); 2269 ikev2_pay_print(ndo, NPSTR(tpay), a.h.critical); 2270 len = ntohs(a.h.len); 2271 2272 ND_PRINT((ndo," len=%d method=%s", len-4, 2273 STR_OR_ID(a.auth_method, v2_auth))); 2274 2275 if (1 < ndo->ndo_vflag && 4 < len) { 2276 ND_PRINT((ndo," authdata=(")); 2277 if (!rawprint(ndo, (const uint8_t *)authdata, len - sizeof(a))) 2278 goto trunc; 2279 ND_PRINT((ndo,") ")); 2280 } else if(ndo->ndo_vflag && 4 < len) { 2281 if(!ike_show_somedata(ndo, authdata, ep)) goto trunc; 2282 } 2283 2284 return (const u_char *)ext + len; 2285 trunc: 2286 ND_PRINT((ndo," [|%s]", NPSTR(tpay))); 2287 return NULL; 2288 } 2289 2290 static const u_char * 2291 ikev2_nonce_print(netdissect_options *ndo, u_char tpay, 2292 const struct isakmp_gen *ext, 2293 u_int item_len _U_, const u_char *ep, 2294 uint32_t phase _U_, uint32_t doi _U_, 2295 uint32_t proto _U_, int depth _U_) 2296 { 2297 struct isakmp_gen e; 2298 2299 ND_TCHECK(*ext); 2300 UNALIGNED_MEMCPY(&e, ext, sizeof(e)); 2301 ikev2_pay_print(ndo, "nonce", e.critical); 2302 2303 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4)); 2304 if (1 < ndo->ndo_vflag && 4 < ntohs(e.len)) { 2305 ND_PRINT((ndo," nonce=(")); 2306 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4)) 2307 goto trunc; 2308 ND_PRINT((ndo,") ")); 2309 } else if(ndo->ndo_vflag && 4 < ntohs(e.len)) { 2310 if(!ike_show_somedata(ndo, (const u_char *)(ext+1), ep)) goto trunc; 2311 } 2312 2313 return (const u_char *)ext + ntohs(e.len); 2314 trunc: 2315 ND_PRINT((ndo," [|%s]", NPSTR(tpay))); 2316 return NULL; 2317 } 2318 2319 /* notify payloads */ 2320 static const u_char * 2321 ikev2_n_print(netdissect_options *ndo, u_char tpay _U_, 2322 const struct isakmp_gen *ext, 2323 u_int item_len, const u_char *ep, 2324 uint32_t phase _U_, uint32_t doi _U_, 2325 uint32_t proto _U_, int depth _U_) 2326 { 2327 const struct ikev2_n *p; 2328 struct ikev2_n n; 2329 const u_char *cp; 2330 u_char showspi, showdata, showsomedata; 2331 const char *notify_name; 2332 uint32_t type; 2333 2334 p = (const struct ikev2_n *)ext; 2335 ND_TCHECK(*p); 2336 UNALIGNED_MEMCPY(&n, ext, sizeof(n)); 2337 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_N), n.h.critical); 2338 2339 showspi = 1; 2340 showdata = 0; 2341 showsomedata=0; 2342 notify_name=NULL; 2343 2344 ND_PRINT((ndo," prot_id=%s", PROTOIDSTR(n.prot_id))); 2345 2346 type = ntohs(n.type); 2347 2348 /* notify space is annoying sparse */ 2349 switch(type) { 2350 case IV2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD: 2351 notify_name = "unsupported_critical_payload"; 2352 showspi = 0; 2353 break; 2354 2355 case IV2_NOTIFY_INVALID_IKE_SPI: 2356 notify_name = "invalid_ike_spi"; 2357 showspi = 1; 2358 break; 2359 2360 case IV2_NOTIFY_INVALID_MAJOR_VERSION: 2361 notify_name = "invalid_major_version"; 2362 showspi = 0; 2363 break; 2364 2365 case IV2_NOTIFY_INVALID_SYNTAX: 2366 notify_name = "invalid_syntax"; 2367 showspi = 1; 2368 break; 2369 2370 case IV2_NOTIFY_INVALID_MESSAGE_ID: 2371 notify_name = "invalid_message_id"; 2372 showspi = 1; 2373 break; 2374 2375 case IV2_NOTIFY_INVALID_SPI: 2376 notify_name = "invalid_spi"; 2377 showspi = 1; 2378 break; 2379 2380 case IV2_NOTIFY_NO_PROPOSAL_CHOSEN: 2381 notify_name = "no_protocol_chosen"; 2382 showspi = 1; 2383 break; 2384 2385 case IV2_NOTIFY_INVALID_KE_PAYLOAD: 2386 notify_name = "invalid_ke_payload"; 2387 showspi = 1; 2388 break; 2389 2390 case IV2_NOTIFY_AUTHENTICATION_FAILED: 2391 notify_name = "authentication_failed"; 2392 showspi = 1; 2393 break; 2394 2395 case IV2_NOTIFY_SINGLE_PAIR_REQUIRED: 2396 notify_name = "single_pair_required"; 2397 showspi = 1; 2398 break; 2399 2400 case IV2_NOTIFY_NO_ADDITIONAL_SAS: 2401 notify_name = "no_additional_sas"; 2402 showspi = 0; 2403 break; 2404 2405 case IV2_NOTIFY_INTERNAL_ADDRESS_FAILURE: 2406 notify_name = "internal_address_failure"; 2407 showspi = 0; 2408 break; 2409 2410 case IV2_NOTIFY_FAILED_CP_REQUIRED: 2411 notify_name = "failed:cp_required"; 2412 showspi = 0; 2413 break; 2414 2415 case IV2_NOTIFY_INVALID_SELECTORS: 2416 notify_name = "invalid_selectors"; 2417 showspi = 0; 2418 break; 2419 2420 case IV2_NOTIFY_INITIAL_CONTACT: 2421 notify_name = "initial_contact"; 2422 showspi = 0; 2423 break; 2424 2425 case IV2_NOTIFY_SET_WINDOW_SIZE: 2426 notify_name = "set_window_size"; 2427 showspi = 0; 2428 break; 2429 2430 case IV2_NOTIFY_ADDITIONAL_TS_POSSIBLE: 2431 notify_name = "additional_ts_possible"; 2432 showspi = 0; 2433 break; 2434 2435 case IV2_NOTIFY_IPCOMP_SUPPORTED: 2436 notify_name = "ipcomp_supported"; 2437 showspi = 0; 2438 break; 2439 2440 case IV2_NOTIFY_NAT_DETECTION_SOURCE_IP: 2441 notify_name = "nat_detection_source_ip"; 2442 showspi = 1; 2443 break; 2444 2445 case IV2_NOTIFY_NAT_DETECTION_DESTINATION_IP: 2446 notify_name = "nat_detection_destination_ip"; 2447 showspi = 1; 2448 break; 2449 2450 case IV2_NOTIFY_COOKIE: 2451 notify_name = "cookie"; 2452 showspi = 1; 2453 showsomedata= 1; 2454 showdata= 0; 2455 break; 2456 2457 case IV2_NOTIFY_USE_TRANSPORT_MODE: 2458 notify_name = "use_transport_mode"; 2459 showspi = 0; 2460 break; 2461 2462 case IV2_NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED: 2463 notify_name = "http_cert_lookup_supported"; 2464 showspi = 0; 2465 break; 2466 2467 case IV2_NOTIFY_REKEY_SA: 2468 notify_name = "rekey_sa"; 2469 showspi = 1; 2470 break; 2471 2472 case IV2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED: 2473 notify_name = "tfc_padding_not_supported"; 2474 showspi = 0; 2475 break; 2476 2477 case IV2_NOTIFY_NON_FIRST_FRAGMENTS_ALSO: 2478 notify_name = "non_first_fragment_also"; 2479 showspi = 0; 2480 break; 2481 2482 default: 2483 if (type < 8192) { 2484 notify_name="error"; 2485 } else if(type < 16384) { 2486 notify_name="private-error"; 2487 } else if(type < 40960) { 2488 notify_name="status"; 2489 } else { 2490 notify_name="private-status"; 2491 } 2492 } 2493 2494 if(notify_name) { 2495 ND_PRINT((ndo," type=%u(%s)", type, notify_name)); 2496 } 2497 2498 2499 if (showspi && n.spi_size) { 2500 ND_PRINT((ndo," spi=")); 2501 if (!rawprint(ndo, (const uint8_t *)(p + 1), n.spi_size)) 2502 goto trunc; 2503 } 2504 2505 cp = (const u_char *)(p + 1) + n.spi_size; 2506 2507 if(3 < ndo->ndo_vflag) { 2508 showdata = 1; 2509 } 2510 2511 if ((showdata || (showsomedata && ep-cp < 30)) && cp < ep) { 2512 ND_PRINT((ndo," data=(")); 2513 if (!rawprint(ndo, (const uint8_t *)(cp), ep - cp)) 2514 goto trunc; 2515 2516 ND_PRINT((ndo,")")); 2517 2518 } else if(showsomedata && cp < ep) { 2519 if(!ike_show_somedata(ndo, cp, ep)) goto trunc; 2520 } 2521 2522 return (const u_char *)ext + item_len; 2523 trunc: 2524 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_N))); 2525 return NULL; 2526 } 2527 2528 static const u_char * 2529 ikev2_d_print(netdissect_options *ndo, u_char tpay, 2530 const struct isakmp_gen *ext, 2531 u_int item_len _U_, const u_char *ep _U_, 2532 uint32_t phase _U_, uint32_t doi _U_, 2533 uint32_t proto _U_, int depth _U_) 2534 { 2535 return ikev2_gen_print(ndo, tpay, ext); 2536 } 2537 2538 static const u_char * 2539 ikev2_vid_print(netdissect_options *ndo, u_char tpay, 2540 const struct isakmp_gen *ext, 2541 u_int item_len _U_, const u_char *ep _U_, 2542 uint32_t phase _U_, uint32_t doi _U_, 2543 uint32_t proto _U_, int depth _U_) 2544 { 2545 struct isakmp_gen e; 2546 const u_char *vid; 2547 int i, len; 2548 2549 ND_TCHECK(*ext); 2550 UNALIGNED_MEMCPY(&e, ext, sizeof(e)); 2551 ikev2_pay_print(ndo, NPSTR(tpay), e.critical); 2552 ND_PRINT((ndo," len=%d vid=", ntohs(e.len) - 4)); 2553 2554 vid = (const u_char *)(ext+1); 2555 len = ntohs(e.len) - 4; 2556 ND_TCHECK2(*vid, len); 2557 for(i=0; i<len; i++) { 2558 if(ND_ISPRINT(vid[i])) ND_PRINT((ndo, "%c", vid[i])); 2559 else ND_PRINT((ndo, ".")); 2560 } 2561 if (2 < ndo->ndo_vflag && 4 < len) { 2562 ND_PRINT((ndo," ")); 2563 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4)) 2564 goto trunc; 2565 } 2566 return (const u_char *)ext + ntohs(e.len); 2567 trunc: 2568 ND_PRINT((ndo," [|%s]", NPSTR(tpay))); 2569 return NULL; 2570 } 2571 2572 static const u_char * 2573 ikev2_TS_print(netdissect_options *ndo, u_char tpay, 2574 const struct isakmp_gen *ext, 2575 u_int item_len _U_, const u_char *ep _U_, 2576 uint32_t phase _U_, uint32_t doi _U_, 2577 uint32_t proto _U_, int depth _U_) 2578 { 2579 return ikev2_gen_print(ndo, tpay, ext); 2580 } 2581 2582 static const u_char * 2583 ikev2_e_print(netdissect_options *ndo, 2584 #ifndef HAVE_LIBCRYPTO 2585 _U_ 2586 #endif 2587 struct isakmp *base, 2588 u_char tpay, 2589 const struct isakmp_gen *ext, 2590 u_int item_len _U_, const u_char *ep _U_, 2591 #ifndef HAVE_LIBCRYPTO 2592 _U_ 2593 #endif 2594 uint32_t phase, 2595 #ifndef HAVE_LIBCRYPTO 2596 _U_ 2597 #endif 2598 uint32_t doi, 2599 #ifndef HAVE_LIBCRYPTO 2600 _U_ 2601 #endif 2602 uint32_t proto, 2603 #ifndef HAVE_LIBCRYPTO 2604 _U_ 2605 #endif 2606 int depth) 2607 { 2608 struct isakmp_gen e; 2609 const u_char *dat; 2610 volatile int dlen; 2611 2612 ND_TCHECK(*ext); 2613 UNALIGNED_MEMCPY(&e, ext, sizeof(e)); 2614 ikev2_pay_print(ndo, NPSTR(tpay), e.critical); 2615 2616 dlen = ntohs(e.len)-4; 2617 2618 ND_PRINT((ndo," len=%d", dlen)); 2619 if (2 < ndo->ndo_vflag && 4 < dlen) { 2620 ND_PRINT((ndo," ")); 2621 if (!rawprint(ndo, (const uint8_t *)(ext + 1), dlen)) 2622 goto trunc; 2623 } 2624 2625 dat = (const u_char *)(ext+1); 2626 ND_TCHECK2(*dat, dlen); 2627 2628 #ifdef HAVE_LIBCRYPTO 2629 /* try to decypt it! */ 2630 if(esp_print_decrypt_buffer_by_ikev2(ndo, 2631 base->flags & ISAKMP_FLAG_I, 2632 base->i_ck, base->r_ck, 2633 dat, dat+dlen)) { 2634 2635 ext = (const struct isakmp_gen *)ndo->ndo_packetp; 2636 2637 /* got it decrypted, print stuff inside. */ 2638 ikev2_sub_print(ndo, base, e.np, ext, ndo->ndo_snapend, 2639 phase, doi, proto, depth+1); 2640 } 2641 #endif 2642 2643 2644 /* always return NULL, because E must be at end, and NP refers 2645 * to what was inside. 2646 */ 2647 return NULL; 2648 trunc: 2649 ND_PRINT((ndo," [|%s]", NPSTR(tpay))); 2650 return NULL; 2651 } 2652 2653 static const u_char * 2654 ikev2_cp_print(netdissect_options *ndo, u_char tpay, 2655 const struct isakmp_gen *ext, 2656 u_int item_len _U_, const u_char *ep _U_, 2657 uint32_t phase _U_, uint32_t doi _U_, 2658 uint32_t proto _U_, int depth _U_) 2659 { 2660 return ikev2_gen_print(ndo, tpay, ext); 2661 } 2662 2663 static const u_char * 2664 ikev2_eap_print(netdissect_options *ndo, u_char tpay, 2665 const struct isakmp_gen *ext, 2666 u_int item_len _U_, const u_char *ep _U_, 2667 uint32_t phase _U_, uint32_t doi _U_, 2668 uint32_t proto _U_, int depth _U_) 2669 { 2670 return ikev2_gen_print(ndo, tpay, ext); 2671 } 2672 2673 static const u_char * 2674 ike_sub0_print(netdissect_options *ndo, 2675 u_char np, const struct isakmp_gen *ext, const u_char *ep, 2676 2677 uint32_t phase, uint32_t doi, uint32_t proto, int depth) 2678 { 2679 const u_char *cp; 2680 struct isakmp_gen e; 2681 u_int item_len; 2682 2683 cp = (const u_char *)ext; 2684 ND_TCHECK(*ext); 2685 UNALIGNED_MEMCPY(&e, ext, sizeof(e)); 2686 2687 /* 2688 * Since we can't have a payload length of less than 4 bytes, 2689 * we need to bail out here if the generic header is nonsensical 2690 * or truncated, otherwise we could loop forever processing 2691 * zero-length items or otherwise misdissect the packet. 2692 */ 2693 item_len = ntohs(e.len); 2694 if (item_len <= 4) 2695 return NULL; 2696 2697 if (NPFUNC(np)) { 2698 /* 2699 * XXX - what if item_len is too short, or too long, 2700 * for this payload type? 2701 */ 2702 cp = (*npfunc[np])(ndo, np, ext, item_len, ep, phase, doi, proto, depth); 2703 } else { 2704 ND_PRINT((ndo,"%s", NPSTR(np))); 2705 cp += item_len; 2706 } 2707 2708 return cp; 2709 trunc: 2710 ND_PRINT((ndo," [|isakmp]")); 2711 return NULL; 2712 } 2713 2714 static const u_char * 2715 ikev1_sub_print(netdissect_options *ndo, 2716 u_char np, const struct isakmp_gen *ext, const u_char *ep, 2717 uint32_t phase, uint32_t doi, uint32_t proto, int depth) 2718 { 2719 const u_char *cp; 2720 int i; 2721 struct isakmp_gen e; 2722 2723 cp = (const u_char *)ext; 2724 2725 while (np) { 2726 ND_TCHECK(*ext); 2727 2728 UNALIGNED_MEMCPY(&e, ext, sizeof(e)); 2729 2730 ND_TCHECK2(*ext, ntohs(e.len)); 2731 2732 depth++; 2733 ND_PRINT((ndo,"\n")); 2734 for (i = 0; i < depth; i++) 2735 ND_PRINT((ndo," ")); 2736 ND_PRINT((ndo,"(")); 2737 cp = ike_sub0_print(ndo, np, ext, ep, phase, doi, proto, depth); 2738 ND_PRINT((ndo,")")); 2739 depth--; 2740 2741 if (cp == NULL) { 2742 /* Zero-length subitem */ 2743 return NULL; 2744 } 2745 2746 np = e.np; 2747 ext = (const struct isakmp_gen *)cp; 2748 } 2749 return cp; 2750 trunc: 2751 ND_PRINT((ndo," [|%s]", NPSTR(np))); 2752 return NULL; 2753 } 2754 2755 static char * 2756 numstr(int x) 2757 { 2758 static char buf[20]; 2759 snprintf(buf, sizeof(buf), "#%d", x); 2760 return buf; 2761 } 2762 2763 static void 2764 ikev1_print(netdissect_options *ndo, 2765 const u_char *bp, u_int length, 2766 const u_char *bp2, struct isakmp *base) 2767 { 2768 const struct isakmp *p; 2769 const u_char *ep; 2770 u_char np; 2771 int i; 2772 int phase; 2773 2774 p = (const struct isakmp *)bp; 2775 ep = ndo->ndo_snapend; 2776 2777 phase = (EXTRACT_32BITS(base->msgid) == 0) ? 1 : 2; 2778 if (phase == 1) 2779 ND_PRINT((ndo," phase %d", phase)); 2780 else 2781 ND_PRINT((ndo," phase %d/others", phase)); 2782 2783 i = cookie_find(&base->i_ck); 2784 if (i < 0) { 2785 if (iszero((const u_char *)&base->r_ck, sizeof(base->r_ck))) { 2786 /* the first packet */ 2787 ND_PRINT((ndo," I")); 2788 if (bp2) 2789 cookie_record(&base->i_ck, bp2); 2790 } else 2791 ND_PRINT((ndo," ?")); 2792 } else { 2793 if (bp2 && cookie_isinitiator(i, bp2)) 2794 ND_PRINT((ndo," I")); 2795 else if (bp2 && cookie_isresponder(i, bp2)) 2796 ND_PRINT((ndo," R")); 2797 else 2798 ND_PRINT((ndo," ?")); 2799 } 2800 2801 ND_PRINT((ndo," %s", ETYPESTR(base->etype))); 2802 if (base->flags) { 2803 ND_PRINT((ndo,"[%s%s]", base->flags & ISAKMP_FLAG_E ? "E" : "", 2804 base->flags & ISAKMP_FLAG_C ? "C" : "")); 2805 } 2806 2807 if (ndo->ndo_vflag) { 2808 const struct isakmp_gen *ext; 2809 2810 ND_PRINT((ndo,":")); 2811 2812 /* regardless of phase... */ 2813 if (base->flags & ISAKMP_FLAG_E) { 2814 /* 2815 * encrypted, nothing we can do right now. 2816 * we hope to decrypt the packet in the future... 2817 */ 2818 ND_PRINT((ndo," [encrypted %s]", NPSTR(base->np))); 2819 goto done; 2820 } 2821 2822 CHECKLEN(p + 1, base->np); 2823 np = base->np; 2824 ext = (const struct isakmp_gen *)(p + 1); 2825 ikev1_sub_print(ndo, np, ext, ep, phase, 0, 0, 0); 2826 } 2827 2828 done: 2829 if (ndo->ndo_vflag) { 2830 if (ntohl(base->len) != length) { 2831 ND_PRINT((ndo," (len mismatch: isakmp %u/ip %u)", 2832 (uint32_t)ntohl(base->len), length)); 2833 } 2834 } 2835 } 2836 2837 static const u_char * 2838 ikev2_sub0_print(netdissect_options *ndo, struct isakmp *base, 2839 u_char np, 2840 const struct isakmp_gen *ext, const u_char *ep, 2841 uint32_t phase, uint32_t doi, uint32_t proto, int depth) 2842 { 2843 const u_char *cp; 2844 struct isakmp_gen e; 2845 u_int item_len; 2846 2847 cp = (const u_char *)ext; 2848 ND_TCHECK(*ext); 2849 UNALIGNED_MEMCPY(&e, ext, sizeof(e)); 2850 2851 /* 2852 * Since we can't have a payload length of less than 4 bytes, 2853 * we need to bail out here if the generic header is nonsensical 2854 * or truncated, otherwise we could loop forever processing 2855 * zero-length items or otherwise misdissect the packet. 2856 */ 2857 item_len = ntohs(e.len); 2858 if (item_len <= 4) 2859 return NULL; 2860 2861 if (np == ISAKMP_NPTYPE_v2E) { 2862 cp = ikev2_e_print(ndo, base, np, ext, item_len, 2863 ep, phase, doi, proto, depth); 2864 } else if (NPFUNC(np)) { 2865 /* 2866 * XXX - what if item_len is too short, or too long, 2867 * for this payload type? 2868 */ 2869 cp = (*npfunc[np])(ndo, np, ext, item_len, 2870 ep, phase, doi, proto, depth); 2871 } else { 2872 ND_PRINT((ndo,"%s", NPSTR(np))); 2873 cp += item_len; 2874 } 2875 2876 return cp; 2877 trunc: 2878 ND_PRINT((ndo," [|isakmp]")); 2879 return NULL; 2880 } 2881 2882 static const u_char * 2883 ikev2_sub_print(netdissect_options *ndo, 2884 struct isakmp *base, 2885 u_char np, const struct isakmp_gen *ext, const u_char *ep, 2886 uint32_t phase, uint32_t doi, uint32_t proto, int depth) 2887 { 2888 const u_char *cp; 2889 int i; 2890 struct isakmp_gen e; 2891 2892 cp = (const u_char *)ext; 2893 while (np) { 2894 ND_TCHECK(*ext); 2895 2896 UNALIGNED_MEMCPY(&e, ext, sizeof(e)); 2897 2898 ND_TCHECK2(*ext, ntohs(e.len)); 2899 2900 depth++; 2901 ND_PRINT((ndo,"\n")); 2902 for (i = 0; i < depth; i++) 2903 ND_PRINT((ndo," ")); 2904 ND_PRINT((ndo,"(")); 2905 cp = ikev2_sub0_print(ndo, base, np, 2906 ext, ep, phase, doi, proto, depth); 2907 ND_PRINT((ndo,")")); 2908 depth--; 2909 2910 if (cp == NULL) { 2911 /* Zero-length subitem */ 2912 return NULL; 2913 } 2914 2915 np = e.np; 2916 ext = (const struct isakmp_gen *)cp; 2917 } 2918 return cp; 2919 trunc: 2920 ND_PRINT((ndo," [|%s]", NPSTR(np))); 2921 return NULL; 2922 } 2923 2924 static void 2925 ikev2_print(netdissect_options *ndo, 2926 const u_char *bp, u_int length, 2927 const u_char *bp2 _U_, struct isakmp *base) 2928 { 2929 const struct isakmp *p; 2930 const u_char *ep; 2931 u_char np; 2932 int phase; 2933 2934 p = (const struct isakmp *)bp; 2935 ep = ndo->ndo_snapend; 2936 2937 phase = (EXTRACT_32BITS(base->msgid) == 0) ? 1 : 2; 2938 if (phase == 1) 2939 ND_PRINT((ndo, " parent_sa")); 2940 else 2941 ND_PRINT((ndo, " child_sa ")); 2942 2943 ND_PRINT((ndo, " %s", ETYPESTR(base->etype))); 2944 if (base->flags) { 2945 ND_PRINT((ndo, "[%s%s%s]", 2946 base->flags & ISAKMP_FLAG_I ? "I" : "", 2947 base->flags & ISAKMP_FLAG_V ? "V" : "", 2948 base->flags & ISAKMP_FLAG_R ? "R" : "")); 2949 } 2950 2951 if (ndo->ndo_vflag) { 2952 const struct isakmp_gen *ext; 2953 2954 ND_PRINT((ndo, ":")); 2955 2956 /* regardless of phase... */ 2957 if (base->flags & ISAKMP_FLAG_E) { 2958 /* 2959 * encrypted, nothing we can do right now. 2960 * we hope to decrypt the packet in the future... 2961 */ 2962 ND_PRINT((ndo, " [encrypted %s]", NPSTR(base->np))); 2963 goto done; 2964 } 2965 2966 CHECKLEN(p + 1, base->np) 2967 2968 np = base->np; 2969 ext = (const struct isakmp_gen *)(p + 1); 2970 ikev2_sub_print(ndo, base, np, ext, ep, phase, 0, 0, 0); 2971 } 2972 2973 done: 2974 if (ndo->ndo_vflag) { 2975 if (ntohl(base->len) != length) { 2976 ND_PRINT((ndo, " (len mismatch: isakmp %u/ip %u)", 2977 (uint32_t)ntohl(base->len), length)); 2978 } 2979 } 2980 } 2981 2982 void 2983 isakmp_print(netdissect_options *ndo, 2984 const u_char *bp, u_int length, 2985 const u_char *bp2) 2986 { 2987 const struct isakmp *p; 2988 struct isakmp base; 2989 const u_char *ep; 2990 int major, minor; 2991 2992 #ifdef HAVE_LIBCRYPTO 2993 /* initialize SAs */ 2994 if (ndo->ndo_sa_list_head == NULL) { 2995 if (ndo->ndo_espsecret) 2996 esp_print_decodesecret(ndo); 2997 } 2998 #endif 2999 3000 p = (const struct isakmp *)bp; 3001 ep = ndo->ndo_snapend; 3002 3003 if ((const struct isakmp *)ep < p + 1) { 3004 ND_PRINT((ndo,"[|isakmp]")); 3005 return; 3006 } 3007 3008 UNALIGNED_MEMCPY(&base, p, sizeof(base)); 3009 3010 ND_PRINT((ndo,"isakmp")); 3011 major = (base.vers & ISAKMP_VERS_MAJOR) 3012 >> ISAKMP_VERS_MAJOR_SHIFT; 3013 minor = (base.vers & ISAKMP_VERS_MINOR) 3014 >> ISAKMP_VERS_MINOR_SHIFT; 3015 3016 if (ndo->ndo_vflag) { 3017 ND_PRINT((ndo," %d.%d", major, minor)); 3018 } 3019 3020 if (ndo->ndo_vflag) { 3021 ND_PRINT((ndo," msgid ")); 3022 hexprint(ndo, (const uint8_t *)&base.msgid, sizeof(base.msgid)); 3023 } 3024 3025 if (1 < ndo->ndo_vflag) { 3026 ND_PRINT((ndo," cookie ")); 3027 hexprint(ndo, (const uint8_t *)&base.i_ck, sizeof(base.i_ck)); 3028 ND_PRINT((ndo,"->")); 3029 hexprint(ndo, (const uint8_t *)&base.r_ck, sizeof(base.r_ck)); 3030 } 3031 ND_PRINT((ndo,":")); 3032 3033 switch(major) { 3034 case IKEv1_MAJOR_VERSION: 3035 ikev1_print(ndo, bp, length, bp2, &base); 3036 break; 3037 3038 case IKEv2_MAJOR_VERSION: 3039 ikev2_print(ndo, bp, length, bp2, &base); 3040 break; 3041 } 3042 } 3043 3044 void 3045 isakmp_rfc3948_print(netdissect_options *ndo, 3046 const u_char *bp, u_int length, 3047 const u_char *bp2) 3048 { 3049 3050 if(length == 1 && bp[0]==0xff) { 3051 ND_PRINT((ndo, "isakmp-nat-keep-alive")); 3052 return; 3053 } 3054 3055 if(length < 4) { 3056 goto trunc; 3057 } 3058 3059 /* 3060 * see if this is an IKE packet 3061 */ 3062 if(bp[0]==0 && bp[1]==0 && bp[2]==0 && bp[3]==0) { 3063 ND_PRINT((ndo, "NONESP-encap: ")); 3064 isakmp_print(ndo, bp+4, length-4, bp2); 3065 return; 3066 } 3067 3068 /* must be an ESP packet */ 3069 { 3070 int nh, enh, padlen; 3071 int advance; 3072 3073 ND_PRINT((ndo, "UDP-encap: ")); 3074 3075 advance = esp_print(ndo, bp, length, bp2, &enh, &padlen); 3076 if(advance <= 0) 3077 return; 3078 3079 bp += advance; 3080 length -= advance + padlen; 3081 nh = enh & 0xff; 3082 3083 ip_print_inner(ndo, bp, length, nh, bp2); 3084 return; 3085 } 3086 3087 trunc: 3088 ND_PRINT((ndo,"[|isakmp]")); 3089 return; 3090 } 3091 3092 /* 3093 * Local Variables: 3094 * c-style: whitesmith 3095 * c-basic-offset: 8 3096 * End: 3097 */ 3098 3099 3100 3101 3102