1 /*
2 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. Neither the name of the project nor the names of its contributors
14 * may be used to endorse or promote products derived from this software
15 * without specific prior written permission.
16 *
17 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27 * SUCH DAMAGE.
28 *
29 */
30
31 #include <sys/cdefs.h>
32 #ifndef lint
33 __RCSID("$NetBSD: print-isakmp.c,v 1.11 2019/10/01 16:06:16 christos Exp $");
34 #endif
35
36 /* \summary: Internet Security Association and Key Management Protocol (ISAKMP) printer */
37
38 #ifdef HAVE_CONFIG_H
39 #include "config.h"
40 #endif
41
42 /* The functions from print-esp.c used in this file are only defined when both
43 * OpenSSL and evp.h are detected. Employ the same preprocessor device here.
44 */
45 #ifndef HAVE_OPENSSL_EVP_H
46 #undef HAVE_LIBCRYPTO
47 #endif
48
49 #include <netdissect-stdinc.h>
50
51 #include <string.h>
52
53 #include "netdissect.h"
54 #include "addrtoname.h"
55 #include "extract.h"
56
57 #include "ip.h"
58 #include "ip6.h"
59 #include "ipproto.h"
60
61 /* refer to RFC 2408 */
62
63 typedef u_char cookie_t[8];
64 typedef u_char msgid_t[4];
65
66 #define PORT_ISAKMP 500
67
68 /* 3.1 ISAKMP Header Format (IKEv1 and IKEv2)
69 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
70 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
71 ! Initiator !
72 ! Cookie !
73 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
74 ! Responder !
75 ! Cookie !
76 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
77 ! Next Payload ! MjVer ! MnVer ! Exchange Type ! Flags !
78 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
79 ! Message ID !
80 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
81 ! Length !
82 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
83 */
84 struct isakmp {
85 cookie_t i_ck; /* Initiator Cookie */
86 cookie_t r_ck; /* Responder Cookie */
87 uint8_t np; /* Next Payload Type */
88 uint8_t vers;
89 #define ISAKMP_VERS_MAJOR 0xf0
90 #define ISAKMP_VERS_MAJOR_SHIFT 4
91 #define ISAKMP_VERS_MINOR 0x0f
92 #define ISAKMP_VERS_MINOR_SHIFT 0
93 uint8_t etype; /* Exchange Type */
94 uint8_t flags; /* Flags */
95 msgid_t msgid;
96 uint32_t len; /* Length */
97 };
98
99 /* Next Payload Type */
100 #define ISAKMP_NPTYPE_NONE 0 /* NONE*/
101 #define ISAKMP_NPTYPE_SA 1 /* Security Association */
102 #define ISAKMP_NPTYPE_P 2 /* Proposal */
103 #define ISAKMP_NPTYPE_T 3 /* Transform */
104 #define ISAKMP_NPTYPE_KE 4 /* Key Exchange */
105 #define ISAKMP_NPTYPE_ID 5 /* Identification */
106 #define ISAKMP_NPTYPE_CERT 6 /* Certificate */
107 #define ISAKMP_NPTYPE_CR 7 /* Certificate Request */
108 #define ISAKMP_NPTYPE_HASH 8 /* Hash */
109 #define ISAKMP_NPTYPE_SIG 9 /* Signature */
110 #define ISAKMP_NPTYPE_NONCE 10 /* Nonce */
111 #define ISAKMP_NPTYPE_N 11 /* Notification */
112 #define ISAKMP_NPTYPE_D 12 /* Delete */
113 #define ISAKMP_NPTYPE_VID 13 /* Vendor ID */
114 #define ISAKMP_NPTYPE_v2E 46 /* v2 Encrypted payload */
115
116 #define IKEv1_MAJOR_VERSION 1
117 #define IKEv1_MINOR_VERSION 0
118
119 #define IKEv2_MAJOR_VERSION 2
120 #define IKEv2_MINOR_VERSION 0
121
122 /* Flags */
123 #define ISAKMP_FLAG_E 0x01 /* Encryption Bit */
124 #define ISAKMP_FLAG_C 0x02 /* Commit Bit */
125 #define ISAKMP_FLAG_extra 0x04
126
127 /* IKEv2 */
128 #define ISAKMP_FLAG_I (1 << 3) /* (I)nitiator */
129 #define ISAKMP_FLAG_V (1 << 4) /* (V)ersion */
130 #define ISAKMP_FLAG_R (1 << 5) /* (R)esponse */
131
132
133 /* 3.2 Payload Generic Header
134 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
135 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
136 ! Next Payload ! RESERVED ! Payload Length !
137 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
138 */
139 struct isakmp_gen {
140 uint8_t np; /* Next Payload */
141 uint8_t critical; /* bit 7 - critical, rest is RESERVED */
142 uint16_t len; /* Payload Length */
143 };
144
145 /* 3.3 Data Attributes
146 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
147 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
148 !A! Attribute Type ! AF=0 Attribute Length !
149 !F! ! AF=1 Attribute Value !
150 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
151 . AF=0 Attribute Value .
152 . AF=1 Not Transmitted .
153 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
154 */
155 struct isakmp_data {
156 uint16_t type; /* defined by DOI-spec, and Attribute Format */
157 uint16_t lorv; /* if f equal 1, Attribute Length */
158 /* if f equal 0, Attribute Value */
159 /* if f equal 1, Attribute Value */
160 };
161
162 /* 3.4 Security Association Payload */
163 /* MAY NOT be used, because of being defined in ipsec-doi. */
164 /*
165 If the current payload is the last in the message,
166 then the value of the next payload field will be 0.
167 This field MUST NOT contain the
168 values for the Proposal or Transform payloads as they are considered
169 part of the security association negotiation. For example, this
170 field would contain the value "10" (Nonce payload) in the first
171 message of a Base Exchange (see Section 4.4) and the value "0" in the
172 first message of an Identity Protect Exchange (see Section 4.5).
173 */
174 struct ikev1_pl_sa {
175 struct isakmp_gen h;
176 uint32_t doi; /* Domain of Interpretation */
177 uint32_t sit; /* Situation */
178 };
179
180 /* 3.5 Proposal Payload */
181 /*
182 The value of the next payload field MUST only contain the value "2"
183 or "0". If there are additional Proposal payloads in the message,
184 then this field will be 2. If the current Proposal payload is the
185 last within the security association proposal, then this field will
186 be 0.
187 */
188 struct ikev1_pl_p {
189 struct isakmp_gen h;
190 uint8_t p_no; /* Proposal # */
191 uint8_t prot_id; /* Protocol */
192 uint8_t spi_size; /* SPI Size */
193 uint8_t num_t; /* Number of Transforms */
194 /* SPI */
195 };
196
197 /* 3.6 Transform Payload */
198 /*
199 The value of the next payload field MUST only contain the value "3"
200 or "0". If there are additional Transform payloads in the proposal,
201 then this field will be 3. If the current Transform payload is the
202 last within the proposal, then this field will be 0.
203 */
204 struct ikev1_pl_t {
205 struct isakmp_gen h;
206 uint8_t t_no; /* Transform # */
207 uint8_t t_id; /* Transform-Id */
208 uint16_t reserved; /* RESERVED2 */
209 /* SA Attributes */
210 };
211
212 /* 3.7 Key Exchange Payload */
213 struct ikev1_pl_ke {
214 struct isakmp_gen h;
215 /* Key Exchange Data */
216 };
217
218 /* 3.8 Identification Payload */
219 /* MUST NOT to be used, because of being defined in ipsec-doi. */
220 struct ikev1_pl_id {
221 struct isakmp_gen h;
222 union {
223 uint8_t id_type; /* ID Type */
224 uint32_t doi_data; /* DOI Specific ID Data */
225 } d;
226 /* Identification Data */
227 };
228
229 /* 3.9 Certificate Payload */
230 struct ikev1_pl_cert {
231 struct isakmp_gen h;
232 uint8_t encode; /* Cert Encoding */
233 char cert; /* Certificate Data */
234 /*
235 This field indicates the type of
236 certificate or certificate-related information contained in the
237 Certificate Data field.
238 */
239 };
240
241 /* 3.10 Certificate Request Payload */
242 struct ikev1_pl_cr {
243 struct isakmp_gen h;
244 uint8_t num_cert; /* # Cert. Types */
245 /*
246 Certificate Types (variable length)
247 -- Contains a list of the types of certificates requested,
248 sorted in order of preference. Each individual certificate
249 type is 1 octet. This field is NOT requiredo
250 */
251 /* # Certificate Authorities (1 octet) */
252 /* Certificate Authorities (variable length) */
253 };
254
255 /* 3.11 Hash Payload */
256 /* may not be used, because of having only data. */
257 struct ikev1_pl_hash {
258 struct isakmp_gen h;
259 /* Hash Data */
260 };
261
262 /* 3.12 Signature Payload */
263 /* may not be used, because of having only data. */
264 struct ikev1_pl_sig {
265 struct isakmp_gen h;
266 /* Signature Data */
267 };
268
269 /* 3.13 Nonce Payload */
270 /* may not be used, because of having only data. */
271 struct ikev1_pl_nonce {
272 struct isakmp_gen h;
273 /* Nonce Data */
274 };
275
276 /* 3.14 Notification Payload */
277 struct ikev1_pl_n {
278 struct isakmp_gen h;
279 uint32_t doi; /* Domain of Interpretation */
280 uint8_t prot_id; /* Protocol-ID */
281 uint8_t spi_size; /* SPI Size */
282 uint16_t type; /* Notify Message Type */
283 /* SPI */
284 /* Notification Data */
285 };
286
287 /* 3.14.1 Notify Message Types */
288 /* NOTIFY MESSAGES - ERROR TYPES */
289 #define ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE 1
290 #define ISAKMP_NTYPE_DOI_NOT_SUPPORTED 2
291 #define ISAKMP_NTYPE_SITUATION_NOT_SUPPORTED 3
292 #define ISAKMP_NTYPE_INVALID_COOKIE 4
293 #define ISAKMP_NTYPE_INVALID_MAJOR_VERSION 5
294 #define ISAKMP_NTYPE_INVALID_MINOR_VERSION 6
295 #define ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE 7
296 #define ISAKMP_NTYPE_INVALID_FLAGS 8
297 #define ISAKMP_NTYPE_INVALID_MESSAGE_ID 9
298 #define ISAKMP_NTYPE_INVALID_PROTOCOL_ID 10
299 #define ISAKMP_NTYPE_INVALID_SPI 11
300 #define ISAKMP_NTYPE_INVALID_TRANSFORM_ID 12
301 #define ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED 13
302 #define ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN 14
303 #define ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX 15
304 #define ISAKMP_NTYPE_PAYLOAD_MALFORMED 16
305 #define ISAKMP_NTYPE_INVALID_KEY_INFORMATION 17
306 #define ISAKMP_NTYPE_INVALID_ID_INFORMATION 18
307 #define ISAKMP_NTYPE_INVALID_CERT_ENCODING 19
308 #define ISAKMP_NTYPE_INVALID_CERTIFICATE 20
309 #define ISAKMP_NTYPE_BAD_CERT_REQUEST_SYNTAX 21
310 #define ISAKMP_NTYPE_INVALID_CERT_AUTHORITY 22
311 #define ISAKMP_NTYPE_INVALID_HASH_INFORMATION 23
312 #define ISAKMP_NTYPE_AUTHENTICATION_FAILED 24
313 #define ISAKMP_NTYPE_INVALID_SIGNATURE 25
314 #define ISAKMP_NTYPE_ADDRESS_NOTIFICATION 26
315
316 /* 3.15 Delete Payload */
317 struct ikev1_pl_d {
318 struct isakmp_gen h;
319 uint32_t doi; /* Domain of Interpretation */
320 uint8_t prot_id; /* Protocol-Id */
321 uint8_t spi_size; /* SPI Size */
322 uint16_t num_spi; /* # of SPIs */
323 /* SPI(es) */
324 };
325
326 struct ikev1_ph1tab {
327 struct ikev1_ph1 *head;
328 struct ikev1_ph1 *tail;
329 int len;
330 };
331
332 struct isakmp_ph2tab {
333 struct ikev1_ph2 *head;
334 struct ikev1_ph2 *tail;
335 int len;
336 };
337
338 /* IKEv2 (RFC4306) */
339
340 /* 3.3 Security Association Payload -- generic header */
341 /* 3.3.1. Proposal Substructure */
342 struct ikev2_p {
343 struct isakmp_gen h;
344 uint8_t p_no; /* Proposal # */
345 uint8_t prot_id; /* Protocol */
346 uint8_t spi_size; /* SPI Size */
347 uint8_t num_t; /* Number of Transforms */
348 };
349
350 /* 3.3.2. Transform Substructure */
351 struct ikev2_t {
352 struct isakmp_gen h;
353 uint8_t t_type; /* Transform Type (ENCR,PRF,INTEG,etc.*/
354 uint8_t res2; /* reserved byte */
355 uint16_t t_id; /* Transform ID */
356 };
357
358 enum ikev2_t_type {
359 IV2_T_ENCR = 1,
360 IV2_T_PRF = 2,
361 IV2_T_INTEG= 3,
362 IV2_T_DH = 4,
363 IV2_T_ESN = 5
364 };
365
366 /* 3.4. Key Exchange Payload */
367 struct ikev2_ke {
368 struct isakmp_gen h;
369 uint16_t ke_group;
370 uint16_t ke_res1;
371 /* KE data */
372 };
373
374
375 /* 3.5. Identification Payloads */
376 enum ikev2_id_type {
377 ID_IPV4_ADDR=1,
378 ID_FQDN=2,
379 ID_RFC822_ADDR=3,
380 ID_IPV6_ADDR=5,
381 ID_DER_ASN1_DN=9,
382 ID_DER_ASN1_GN=10,
383 ID_KEY_ID=11
384 };
385 struct ikev2_id {
386 struct isakmp_gen h;
387 uint8_t type; /* ID type */
388 uint8_t res1;
389 uint16_t res2;
390 /* SPI */
391 /* Notification Data */
392 };
393
394 /* 3.10 Notification Payload */
395 struct ikev2_n {
396 struct isakmp_gen h;
397 uint8_t prot_id; /* Protocol-ID */
398 uint8_t spi_size; /* SPI Size */
399 uint16_t type; /* Notify Message Type */
400 };
401
402 enum ikev2_n_type {
403 IV2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD = 1,
404 IV2_NOTIFY_INVALID_IKE_SPI = 4,
405 IV2_NOTIFY_INVALID_MAJOR_VERSION = 5,
406 IV2_NOTIFY_INVALID_SYNTAX = 7,
407 IV2_NOTIFY_INVALID_MESSAGE_ID = 9,
408 IV2_NOTIFY_INVALID_SPI =11,
409 IV2_NOTIFY_NO_PROPOSAL_CHOSEN =14,
410 IV2_NOTIFY_INVALID_KE_PAYLOAD =17,
411 IV2_NOTIFY_AUTHENTICATION_FAILED =24,
412 IV2_NOTIFY_SINGLE_PAIR_REQUIRED =34,
413 IV2_NOTIFY_NO_ADDITIONAL_SAS =35,
414 IV2_NOTIFY_INTERNAL_ADDRESS_FAILURE =36,
415 IV2_NOTIFY_FAILED_CP_REQUIRED =37,
416 IV2_NOTIFY_INVALID_SELECTORS =39,
417 IV2_NOTIFY_INITIAL_CONTACT =16384,
418 IV2_NOTIFY_SET_WINDOW_SIZE =16385,
419 IV2_NOTIFY_ADDITIONAL_TS_POSSIBLE =16386,
420 IV2_NOTIFY_IPCOMP_SUPPORTED =16387,
421 IV2_NOTIFY_NAT_DETECTION_SOURCE_IP =16388,
422 IV2_NOTIFY_NAT_DETECTION_DESTINATION_IP =16389,
423 IV2_NOTIFY_COOKIE =16390,
424 IV2_NOTIFY_USE_TRANSPORT_MODE =16391,
425 IV2_NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED =16392,
426 IV2_NOTIFY_REKEY_SA =16393,
427 IV2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED =16394,
428 IV2_NOTIFY_NON_FIRST_FRAGMENTS_ALSO =16395
429 };
430
431 struct notify_messages {
432 uint16_t type;
433 char *msg;
434 };
435
436 /* 3.8 Authentication Payload */
437 struct ikev2_auth {
438 struct isakmp_gen h;
439 uint8_t auth_method; /* Protocol-ID */
440 uint8_t reserved[3];
441 /* authentication data */
442 };
443
444 enum ikev2_auth_type {
445 IV2_RSA_SIG = 1,
446 IV2_SHARED = 2,
447 IV2_DSS_SIG = 3
448 };
449
450 /* refer to RFC 2409 */
451
452 #if 0
453 /* isakmp sa structure */
454 struct oakley_sa {
455 uint8_t proto_id; /* OAKLEY */
456 vchar_t *spi; /* spi */
457 uint8_t dhgrp; /* DH; group */
458 uint8_t auth_t; /* method of authentication */
459 uint8_t prf_t; /* type of prf */
460 uint8_t hash_t; /* type of hash */
461 uint8_t enc_t; /* type of cipher */
462 uint8_t life_t; /* type of duration of lifetime */
463 uint32_t ldur; /* life duration */
464 };
465 #endif
466
467 /* refer to RFC 2407 */
468
469 #define IPSEC_DOI 1
470
471 /* 4.2 IPSEC Situation Definition */
472 #define IPSECDOI_SIT_IDENTITY_ONLY 0x00000001
473 #define IPSECDOI_SIT_SECRECY 0x00000002
474 #define IPSECDOI_SIT_INTEGRITY 0x00000004
475
476 /* 4.4.1 IPSEC Security Protocol Identifiers */
477 /* 4.4.2 IPSEC ISAKMP Transform Values */
478 #define IPSECDOI_PROTO_ISAKMP 1
479 #define IPSECDOI_KEY_IKE 1
480
481 /* 4.4.1 IPSEC Security Protocol Identifiers */
482 #define IPSECDOI_PROTO_IPSEC_AH 2
483 /* 4.4.3 IPSEC AH Transform Values */
484 #define IPSECDOI_AH_MD5 2
485 #define IPSECDOI_AH_SHA 3
486 #define IPSECDOI_AH_DES 4
487 #define IPSECDOI_AH_SHA2_256 5
488 #define IPSECDOI_AH_SHA2_384 6
489 #define IPSECDOI_AH_SHA2_512 7
490
491 /* 4.4.1 IPSEC Security Protocol Identifiers */
492 #define IPSECDOI_PROTO_IPSEC_ESP 3
493 /* 4.4.4 IPSEC ESP Transform Identifiers */
494 #define IPSECDOI_ESP_DES_IV64 1
495 #define IPSECDOI_ESP_DES 2
496 #define IPSECDOI_ESP_3DES 3
497 #define IPSECDOI_ESP_RC5 4
498 #define IPSECDOI_ESP_IDEA 5
499 #define IPSECDOI_ESP_CAST 6
500 #define IPSECDOI_ESP_BLOWFISH 7
501 #define IPSECDOI_ESP_3IDEA 8
502 #define IPSECDOI_ESP_DES_IV32 9
503 #define IPSECDOI_ESP_RC4 10
504 #define IPSECDOI_ESP_NULL 11
505 #define IPSECDOI_ESP_RIJNDAEL 12
506 #define IPSECDOI_ESP_AES 12
507
508 /* 4.4.1 IPSEC Security Protocol Identifiers */
509 #define IPSECDOI_PROTO_IPCOMP 4
510 /* 4.4.5 IPSEC IPCOMP Transform Identifiers */
511 #define IPSECDOI_IPCOMP_OUI 1
512 #define IPSECDOI_IPCOMP_DEFLATE 2
513 #define IPSECDOI_IPCOMP_LZS 3
514
515 /* 4.5 IPSEC Security Association Attributes */
516 #define IPSECDOI_ATTR_SA_LTYPE 1 /* B */
517 #define IPSECDOI_ATTR_SA_LTYPE_DEFAULT 1
518 #define IPSECDOI_ATTR_SA_LTYPE_SEC 1
519 #define IPSECDOI_ATTR_SA_LTYPE_KB 2
520 #define IPSECDOI_ATTR_SA_LDUR 2 /* V */
521 #define IPSECDOI_ATTR_SA_LDUR_DEFAULT 28800 /* 8 hours */
522 #define IPSECDOI_ATTR_GRP_DESC 3 /* B */
523 #define IPSECDOI_ATTR_ENC_MODE 4 /* B */
524 /* default value: host dependent */
525 #define IPSECDOI_ATTR_ENC_MODE_TUNNEL 1
526 #define IPSECDOI_ATTR_ENC_MODE_TRNS 2
527 #define IPSECDOI_ATTR_AUTH 5 /* B */
528 /* 0 means not to use authentication. */
529 #define IPSECDOI_ATTR_AUTH_HMAC_MD5 1
530 #define IPSECDOI_ATTR_AUTH_HMAC_SHA1 2
531 #define IPSECDOI_ATTR_AUTH_DES_MAC 3
532 #define IPSECDOI_ATTR_AUTH_KPDK 4 /*RFC-1826(Key/Pad/Data/Key)*/
533 /*
534 * When negotiating ESP without authentication, the Auth
535 * Algorithm attribute MUST NOT be included in the proposal.
536 * When negotiating ESP without confidentiality, the Auth
537 * Algorithm attribute MUST be included in the proposal and
538 * the ESP transform ID must be ESP_NULL.
539 */
540 #define IPSECDOI_ATTR_KEY_LENGTH 6 /* B */
541 #define IPSECDOI_ATTR_KEY_ROUNDS 7 /* B */
542 #define IPSECDOI_ATTR_COMP_DICT_SIZE 8 /* B */
543 #define IPSECDOI_ATTR_COMP_PRIVALG 9 /* V */
544
545 /* 4.6.1 Security Association Payload */
546 struct ipsecdoi_sa {
547 struct isakmp_gen h;
548 uint32_t doi; /* Domain of Interpretation */
549 uint32_t sit; /* Situation */
550 };
551
552 struct ipsecdoi_secrecy_h {
553 uint16_t len;
554 uint16_t reserved;
555 };
556
557 /* 4.6.2.1 Identification Type Values */
558 struct ipsecdoi_id {
559 struct isakmp_gen h;
560 uint8_t type; /* ID Type */
561 uint8_t proto_id; /* Protocol ID */
562 uint16_t port; /* Port */
563 /* Identification Data */
564 };
565
566 #define IPSECDOI_ID_IPV4_ADDR 1
567 #define IPSECDOI_ID_FQDN 2
568 #define IPSECDOI_ID_USER_FQDN 3
569 #define IPSECDOI_ID_IPV4_ADDR_SUBNET 4
570 #define IPSECDOI_ID_IPV6_ADDR 5
571 #define IPSECDOI_ID_IPV6_ADDR_SUBNET 6
572 #define IPSECDOI_ID_IPV4_ADDR_RANGE 7
573 #define IPSECDOI_ID_IPV6_ADDR_RANGE 8
574 #define IPSECDOI_ID_DER_ASN1_DN 9
575 #define IPSECDOI_ID_DER_ASN1_GN 10
576 #define IPSECDOI_ID_KEY_ID 11
577
578 /* 4.6.3 IPSEC DOI Notify Message Types */
579 /* Notify Messages - Status Types */
580 #define IPSECDOI_NTYPE_RESPONDER_LIFETIME 24576
581 #define IPSECDOI_NTYPE_REPLAY_STATUS 24577
582 #define IPSECDOI_NTYPE_INITIAL_CONTACT 24578
583
584 #define DECLARE_PRINTER(func) static const u_char *ike##func##_print( \
585 netdissect_options *ndo, u_char tpay, \
586 const struct isakmp_gen *ext, \
587 u_int item_len, \
588 const u_char *end_pointer, \
589 uint32_t phase,\
590 uint32_t doi0, \
591 uint32_t proto0, int depth)
592
593 DECLARE_PRINTER(v1_sa);
594 DECLARE_PRINTER(v1_p);
595 DECLARE_PRINTER(v1_t);
596 DECLARE_PRINTER(v1_ke);
597 DECLARE_PRINTER(v1_id);
598 DECLARE_PRINTER(v1_cert);
599 DECLARE_PRINTER(v1_cr);
600 DECLARE_PRINTER(v1_sig);
601 DECLARE_PRINTER(v1_hash);
602 DECLARE_PRINTER(v1_nonce);
603 DECLARE_PRINTER(v1_n);
604 DECLARE_PRINTER(v1_d);
605 DECLARE_PRINTER(v1_vid);
606
607 DECLARE_PRINTER(v2_sa);
608 DECLARE_PRINTER(v2_ke);
609 DECLARE_PRINTER(v2_ID);
610 DECLARE_PRINTER(v2_cert);
611 DECLARE_PRINTER(v2_cr);
612 DECLARE_PRINTER(v2_auth);
613 DECLARE_PRINTER(v2_nonce);
614 DECLARE_PRINTER(v2_n);
615 DECLARE_PRINTER(v2_d);
616 DECLARE_PRINTER(v2_vid);
617 DECLARE_PRINTER(v2_TS);
618 DECLARE_PRINTER(v2_cp);
619 DECLARE_PRINTER(v2_eap);
620
621 static const u_char *ikev2_e_print(netdissect_options *ndo,
622 struct isakmp *base,
623 u_char tpay,
624 const struct isakmp_gen *ext,
625 u_int item_len,
626 const u_char *end_pointer,
627 uint32_t phase,
628 uint32_t doi0,
629 uint32_t proto0, int depth);
630
631
632 static const u_char *ike_sub0_print(netdissect_options *ndo,u_char, const struct isakmp_gen *,
633 const u_char *, uint32_t, uint32_t, uint32_t, int);
634 static const u_char *ikev1_sub_print(netdissect_options *ndo,u_char, const struct isakmp_gen *,
635 const u_char *, uint32_t, uint32_t, uint32_t, int);
636
637 static const u_char *ikev2_sub_print(netdissect_options *ndo,
638 struct isakmp *base,
639 u_char np, const struct isakmp_gen *ext,
640 const u_char *ep, uint32_t phase,
641 uint32_t doi, uint32_t proto,
642 int depth);
643
644
645 static char *numstr(int);
646
647 static void
648 ikev1_print(netdissect_options *ndo,
649 const u_char *bp, u_int length,
650 const u_char *bp2, struct isakmp *base);
651
652 #define MAXINITIATORS 20
653 static int ninitiator = 0;
654 union inaddr_u {
655 struct in_addr in4;
656 struct in6_addr in6;
657 };
658 static struct {
659 cookie_t initiator;
660 u_int version;
661 union inaddr_u iaddr;
662 union inaddr_u raddr;
663 } cookiecache[MAXINITIATORS];
664
665 /* protocol id */
666 static const char *protoidstr[] = {
667 NULL, "isakmp", "ipsec-ah", "ipsec-esp", "ipcomp",
668 };
669
670 /* isakmp->np */
671 static const char *npstr[] = {
672 "none", "sa", "p", "t", "ke", "id", "cert", "cr", "hash", /* 0 - 8 */
673 "sig", "nonce", "n", "d", "vid", /* 9 - 13 */
674 "pay14", "pay15", "pay16", "pay17", "pay18", /* 14- 18 */
675 "pay19", "pay20", "pay21", "pay22", "pay23", /* 19- 23 */
676 "pay24", "pay25", "pay26", "pay27", "pay28", /* 24- 28 */
677 "pay29", "pay30", "pay31", "pay32", /* 29- 32 */
678 "v2sa", "v2ke", "v2IDi", "v2IDr", "v2cert",/* 33- 37 */
679 "v2cr", "v2auth","v2nonce", "v2n", "v2d", /* 38- 42 */
680 "v2vid", "v2TSi", "v2TSr", "v2e", "v2cp", /* 43- 47 */
681 "v2eap", /* 48 */
682
683 };
684
685 /* isakmp->np */
686 static const u_char *(*npfunc[])(netdissect_options *ndo, u_char tpay,
687 const struct isakmp_gen *ext,
688 u_int item_len,
689 const u_char *end_pointer,
690 uint32_t phase,
691 uint32_t doi0,
692 uint32_t proto0, int depth) = {
693 NULL,
694 ikev1_sa_print,
695 ikev1_p_print,
696 ikev1_t_print,
697 ikev1_ke_print,
698 ikev1_id_print,
699 ikev1_cert_print,
700 ikev1_cr_print,
701 ikev1_hash_print,
702 ikev1_sig_print,
703 ikev1_nonce_print,
704 ikev1_n_print,
705 ikev1_d_print,
706 ikev1_vid_print, /* 13 */
707 NULL, NULL, NULL, NULL, NULL, /* 14- 18 */
708 NULL, NULL, NULL, NULL, NULL, /* 19- 23 */
709 NULL, NULL, NULL, NULL, NULL, /* 24- 28 */
710 NULL, NULL, NULL, NULL, /* 29- 32 */
711 ikev2_sa_print, /* 33 */
712 ikev2_ke_print, /* 34 */
713 ikev2_ID_print, /* 35 */
714 ikev2_ID_print, /* 36 */
715 ikev2_cert_print, /* 37 */
716 ikev2_cr_print, /* 38 */
717 ikev2_auth_print, /* 39 */
718 ikev2_nonce_print, /* 40 */
719 ikev2_n_print, /* 41 */
720 ikev2_d_print, /* 42 */
721 ikev2_vid_print, /* 43 */
722 ikev2_TS_print, /* 44 */
723 ikev2_TS_print, /* 45 */
724 NULL, /* ikev2_e_print,*/ /* 46 - special */
725 ikev2_cp_print, /* 47 */
726 ikev2_eap_print, /* 48 */
727 };
728
729 /* isakmp->etype */
730 static const char *etypestr[] = {
731 /* IKEv1 exchange types */
732 "none", "base", "ident", "auth", "agg", "inf", NULL, NULL, /* 0-7 */
733 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 8-15 */
734 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 16-23 */
735 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 24-31 */
736 "oakley-quick", "oakley-newgroup", /* 32-33 */
737 /* IKEv2 exchange types */
738 "ikev2_init", "ikev2_auth", "child_sa", "inf2" /* 34-37 */
739 };
740
741 #define STR_OR_ID(x, tab) \
742 (((x) < sizeof(tab)/sizeof(tab[0]) && tab[(x)]) ? tab[(x)] : numstr(x))
743 #define PROTOIDSTR(x) STR_OR_ID(x, protoidstr)
744 #define NPSTR(x) STR_OR_ID(x, npstr)
745 #define ETYPESTR(x) STR_OR_ID(x, etypestr)
746
747 #define CHECKLEN(p, np) \
748 if (ep < (const u_char *)(p)) { \
749 ND_PRINT((ndo," [|%s]", NPSTR(np))); \
750 goto done; \
751 }
752
753
754 #define NPFUNC(x) \
755 (((x) < sizeof(npfunc)/sizeof(npfunc[0]) && npfunc[(x)]) \
756 ? npfunc[(x)] : NULL)
757
758 static int
iszero(const u_char * p,size_t l)759 iszero(const u_char *p, size_t l)
760 {
761 while (l--) {
762 if (*p++)
763 return 0;
764 }
765 return 1;
766 }
767
768 /* find cookie from initiator cache */
769 static int
cookie_find(cookie_t * in)770 cookie_find(cookie_t *in)
771 {
772 int i;
773
774 for (i = 0; i < MAXINITIATORS; i++) {
775 if (memcmp(in, &cookiecache[i].initiator, sizeof(*in)) == 0)
776 return i;
777 }
778
779 return -1;
780 }
781
782 /* record initiator */
783 static void
cookie_record(cookie_t * in,const u_char * bp2)784 cookie_record(cookie_t *in, const u_char *bp2)
785 {
786 int i;
787 const struct ip *ip;
788 const struct ip6_hdr *ip6;
789
790 i = cookie_find(in);
791 if (0 <= i) {
792 ninitiator = (i + 1) % MAXINITIATORS;
793 return;
794 }
795
796 ip = (const struct ip *)bp2;
797 switch (IP_V(ip)) {
798 case 4:
799 cookiecache[ninitiator].version = 4;
800 UNALIGNED_MEMCPY(&cookiecache[ninitiator].iaddr.in4, &ip->ip_src, sizeof(struct in_addr));
801 UNALIGNED_MEMCPY(&cookiecache[ninitiator].raddr.in4, &ip->ip_dst, sizeof(struct in_addr));
802 break;
803 case 6:
804 ip6 = (const struct ip6_hdr *)bp2;
805 cookiecache[ninitiator].version = 6;
806 UNALIGNED_MEMCPY(&cookiecache[ninitiator].iaddr.in6, &ip6->ip6_src, sizeof(struct in6_addr));
807 UNALIGNED_MEMCPY(&cookiecache[ninitiator].raddr.in6, &ip6->ip6_dst, sizeof(struct in6_addr));
808 break;
809 default:
810 return;
811 }
812 UNALIGNED_MEMCPY(&cookiecache[ninitiator].initiator, in, sizeof(*in));
813 ninitiator = (ninitiator + 1) % MAXINITIATORS;
814 }
815
816 #define cookie_isinitiator(x, y) cookie_sidecheck((x), (y), 1)
817 #define cookie_isresponder(x, y) cookie_sidecheck((x), (y), 0)
818 static int
cookie_sidecheck(int i,const u_char * bp2,int initiator)819 cookie_sidecheck(int i, const u_char *bp2, int initiator)
820 {
821 const struct ip *ip;
822 const struct ip6_hdr *ip6;
823
824 ip = (const struct ip *)bp2;
825 switch (IP_V(ip)) {
826 case 4:
827 if (cookiecache[i].version != 4)
828 return 0;
829 if (initiator) {
830 if (UNALIGNED_MEMCMP(&ip->ip_src, &cookiecache[i].iaddr.in4, sizeof(struct in_addr)) == 0)
831 return 1;
832 } else {
833 if (UNALIGNED_MEMCMP(&ip->ip_src, &cookiecache[i].raddr.in4, sizeof(struct in_addr)) == 0)
834 return 1;
835 }
836 break;
837 case 6:
838 if (cookiecache[i].version != 6)
839 return 0;
840 ip6 = (const struct ip6_hdr *)bp2;
841 if (initiator) {
842 if (UNALIGNED_MEMCMP(&ip6->ip6_src, &cookiecache[i].iaddr.in6, sizeof(struct in6_addr)) == 0)
843 return 1;
844 } else {
845 if (UNALIGNED_MEMCMP(&ip6->ip6_src, &cookiecache[i].raddr.in6, sizeof(struct in6_addr)) == 0)
846 return 1;
847 }
848 break;
849 default:
850 break;
851 }
852
853 return 0;
854 }
855
856 static void
hexprint(netdissect_options * ndo,const uint8_t * loc,size_t len)857 hexprint(netdissect_options *ndo, const uint8_t *loc, size_t len)
858 {
859 const uint8_t *p;
860 size_t i;
861
862 p = loc;
863 for (i = 0; i < len; i++)
864 ND_PRINT((ndo,"%02x", p[i] & 0xff));
865 }
866
867 static int
rawprint(netdissect_options * ndo,const uint8_t * loc,size_t len)868 rawprint(netdissect_options *ndo, const uint8_t *loc, size_t len)
869 {
870 ND_TCHECK2(*loc, len);
871
872 hexprint(ndo, loc, len);
873 return 1;
874 trunc:
875 return 0;
876 }
877
878
879 /*
880 * returns false if we run out of data buffer
881 */
ike_show_somedata(netdissect_options * ndo,const u_char * cp,const u_char * ep)882 static int ike_show_somedata(netdissect_options *ndo,
883 const u_char *cp, const u_char *ep)
884 {
885 /* there is too much data, just show some of it */
886 const u_char *end = ep - 20;
887 int elen = 20;
888 int len = ep - cp;
889 if(len > 10) {
890 len = 10;
891 }
892
893 /* really shouldn't happen because of above */
894 if(end < cp + len) {
895 end = cp+len;
896 elen = ep - end;
897 }
898
899 ND_PRINT((ndo," data=("));
900 if(!rawprint(ndo, (const uint8_t *)(cp), len)) goto trunc;
901 ND_PRINT((ndo, "..."));
902 if(elen) {
903 if(!rawprint(ndo, (const uint8_t *)(end), elen)) goto trunc;
904 }
905 ND_PRINT((ndo,")"));
906 return 1;
907
908 trunc:
909 return 0;
910 }
911
912 struct attrmap {
913 const char *type;
914 u_int nvalue;
915 const char *value[30]; /*XXX*/
916 };
917
918 static const u_char *
ikev1_attrmap_print(netdissect_options * ndo,const u_char * p,const u_char * ep2,const struct attrmap * map,size_t nmap)919 ikev1_attrmap_print(netdissect_options *ndo,
920 const u_char *p, const u_char *ep2,
921 const struct attrmap *map, size_t nmap)
922 {
923 int totlen;
924 uint32_t t, v;
925
926 ND_TCHECK(p[0]);
927 if (p[0] & 0x80)
928 totlen = 4;
929 else {
930 ND_TCHECK_16BITS(&p[2]);
931 totlen = 4 + EXTRACT_16BITS(&p[2]);
932 }
933 if (ep2 < p + totlen) {
934 ND_PRINT((ndo,"[|attr]"));
935 return ep2 + 1;
936 }
937
938 ND_TCHECK_16BITS(&p[0]);
939 ND_PRINT((ndo,"("));
940 t = EXTRACT_16BITS(&p[0]) & 0x7fff;
941 if (map && t < nmap && map[t].type)
942 ND_PRINT((ndo,"type=%s ", map[t].type));
943 else
944 ND_PRINT((ndo,"type=#%d ", t));
945 if (p[0] & 0x80) {
946 ND_PRINT((ndo,"value="));
947 ND_TCHECK_16BITS(&p[2]);
948 v = EXTRACT_16BITS(&p[2]);
949 if (map && t < nmap && v < map[t].nvalue && map[t].value[v])
950 ND_PRINT((ndo,"%s", map[t].value[v]));
951 else {
952 if (!rawprint(ndo, (const uint8_t *)&p[2], 2)) {
953 ND_PRINT((ndo,")"));
954 goto trunc;
955 }
956 }
957 } else {
958 ND_PRINT((ndo,"len=%d value=", totlen - 4));
959 if (!rawprint(ndo, (const uint8_t *)&p[4], totlen - 4)) {
960 ND_PRINT((ndo,")"));
961 goto trunc;
962 }
963 }
964 ND_PRINT((ndo,")"));
965 return p + totlen;
966
967 trunc:
968 return NULL;
969 }
970
971 static const u_char *
ikev1_attr_print(netdissect_options * ndo,const u_char * p,const u_char * ep2)972 ikev1_attr_print(netdissect_options *ndo, const u_char *p, const u_char *ep2)
973 {
974 int totlen;
975 uint32_t t;
976
977 ND_TCHECK(p[0]);
978 if (p[0] & 0x80)
979 totlen = 4;
980 else {
981 ND_TCHECK_16BITS(&p[2]);
982 totlen = 4 + EXTRACT_16BITS(&p[2]);
983 }
984 if (ep2 < p + totlen) {
985 ND_PRINT((ndo,"[|attr]"));
986 return ep2 + 1;
987 }
988
989 ND_TCHECK_16BITS(&p[0]);
990 ND_PRINT((ndo,"("));
991 t = EXTRACT_16BITS(&p[0]) & 0x7fff;
992 ND_PRINT((ndo,"type=#%d ", t));
993 if (p[0] & 0x80) {
994 ND_PRINT((ndo,"value="));
995 t = p[2];
996 if (!rawprint(ndo, (const uint8_t *)&p[2], 2)) {
997 ND_PRINT((ndo,")"));
998 goto trunc;
999 }
1000 } else {
1001 ND_PRINT((ndo,"len=%d value=", totlen - 4));
1002 if (!rawprint(ndo, (const uint8_t *)&p[4], totlen - 4)) {
1003 ND_PRINT((ndo,")"));
1004 goto trunc;
1005 }
1006 }
1007 ND_PRINT((ndo,")"));
1008 return p + totlen;
1009
1010 trunc:
1011 return NULL;
1012 }
1013
1014 static const u_char *
ikev1_sa_print(netdissect_options * ndo,u_char tpay _U_,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep,uint32_t phase,uint32_t doi0 _U_,uint32_t proto0,int depth)1015 ikev1_sa_print(netdissect_options *ndo, u_char tpay _U_,
1016 const struct isakmp_gen *ext,
1017 u_int item_len _U_,
1018 const u_char *ep, uint32_t phase, uint32_t doi0 _U_,
1019 uint32_t proto0, int depth)
1020 {
1021 const struct ikev1_pl_sa *p;
1022 struct ikev1_pl_sa sa;
1023 uint32_t doi, sit, ident;
1024 const u_char *cp, *np;
1025 int t;
1026
1027 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_SA)));
1028
1029 p = (const struct ikev1_pl_sa *)ext;
1030 ND_TCHECK(*p);
1031 UNALIGNED_MEMCPY(&sa, ext, sizeof(sa));
1032 doi = ntohl(sa.doi);
1033 sit = ntohl(sa.sit);
1034 if (doi != 1) {
1035 ND_PRINT((ndo," doi=%d", doi));
1036 ND_PRINT((ndo," situation=%u", (uint32_t)ntohl(sa.sit)));
1037 return (const u_char *)(p + 1);
1038 }
1039
1040 ND_PRINT((ndo," doi=ipsec"));
1041 ND_PRINT((ndo," situation="));
1042 t = 0;
1043 if (sit & 0x01) {
1044 ND_PRINT((ndo,"identity"));
1045 t++;
1046 }
1047 if (sit & 0x02) {
1048 ND_PRINT((ndo,"%ssecrecy", t ? "+" : ""));
1049 t++;
1050 }
1051 if (sit & 0x04)
1052 ND_PRINT((ndo,"%sintegrity", t ? "+" : ""));
1053
1054 np = (const u_char *)ext + sizeof(sa);
1055 if (sit != 0x01) {
1056 ND_TCHECK2(*(ext + 1), sizeof(ident));
1057 UNALIGNED_MEMCPY(&ident, ext + 1, sizeof(ident));
1058 ND_PRINT((ndo," ident=%u", (uint32_t)ntohl(ident)));
1059 np += sizeof(ident);
1060 }
1061
1062 ext = (const struct isakmp_gen *)np;
1063 ND_TCHECK(*ext);
1064
1065 cp = ikev1_sub_print(ndo, ISAKMP_NPTYPE_P, ext, ep, phase, doi, proto0,
1066 depth);
1067
1068 return cp;
1069 trunc:
1070 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_SA)));
1071 return NULL;
1072 }
1073
1074 static const u_char *
ikev1_p_print(netdissect_options * ndo,u_char tpay _U_,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep,uint32_t phase,uint32_t doi0,uint32_t proto0 _U_,int depth)1075 ikev1_p_print(netdissect_options *ndo, u_char tpay _U_,
1076 const struct isakmp_gen *ext, u_int item_len _U_,
1077 const u_char *ep, uint32_t phase, uint32_t doi0,
1078 uint32_t proto0 _U_, int depth)
1079 {
1080 const struct ikev1_pl_p *p;
1081 struct ikev1_pl_p prop;
1082 const u_char *cp;
1083
1084 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_P)));
1085
1086 p = (const struct ikev1_pl_p *)ext;
1087 ND_TCHECK(*p);
1088 UNALIGNED_MEMCPY(&prop, ext, sizeof(prop));
1089 ND_PRINT((ndo," #%d protoid=%s transform=%d",
1090 prop.p_no, PROTOIDSTR(prop.prot_id), prop.num_t));
1091 if (prop.spi_size) {
1092 ND_PRINT((ndo," spi="));
1093 if (!rawprint(ndo, (const uint8_t *)(p + 1), prop.spi_size))
1094 goto trunc;
1095 }
1096
1097 ext = (const struct isakmp_gen *)((const u_char *)(p + 1) + prop.spi_size);
1098 ND_TCHECK(*ext);
1099
1100 cp = ikev1_sub_print(ndo, ISAKMP_NPTYPE_T, ext, ep, phase, doi0,
1101 prop.prot_id, depth);
1102
1103 return cp;
1104 trunc:
1105 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_P)));
1106 return NULL;
1107 }
1108
1109 static const char *ikev1_p_map[] = {
1110 NULL, "ike",
1111 };
1112
1113 static const char *ikev2_t_type_map[]={
1114 NULL, "encr", "prf", "integ", "dh", "esn"
1115 };
1116
1117 static const char *ah_p_map[] = {
1118 NULL, "(reserved)", "md5", "sha", "1des",
1119 "sha2-256", "sha2-384", "sha2-512",
1120 };
1121
1122 static const char *prf_p_map[] = {
1123 NULL, "hmac-md5", "hmac-sha", "hmac-tiger",
1124 "aes128_xcbc"
1125 };
1126
1127 static const char *integ_p_map[] = {
1128 NULL, "hmac-md5", "hmac-sha", "dec-mac",
1129 "kpdk-md5", "aes-xcbc"
1130 };
1131
1132 static const char *esn_p_map[] = {
1133 "no-esn", "esn"
1134 };
1135
1136 static const char *dh_p_map[] = {
1137 NULL, "modp768",
1138 "modp1024", /* group 2 */
1139 "EC2N 2^155", /* group 3 */
1140 "EC2N 2^185", /* group 4 */
1141 "modp1536", /* group 5 */
1142 "iana-grp06", "iana-grp07", /* reserved */
1143 "iana-grp08", "iana-grp09",
1144 "iana-grp10", "iana-grp11",
1145 "iana-grp12", "iana-grp13",
1146 "modp2048", /* group 14 */
1147 "modp3072", /* group 15 */
1148 "modp4096", /* group 16 */
1149 "modp6144", /* group 17 */
1150 "modp8192", /* group 18 */
1151 };
1152
1153 static const char *esp_p_map[] = {
1154 NULL, "1des-iv64", "1des", "3des", "rc5", "idea", "cast",
1155 "blowfish", "3idea", "1des-iv32", "rc4", "null", "aes"
1156 };
1157
1158 static const char *ipcomp_p_map[] = {
1159 NULL, "oui", "deflate", "lzs",
1160 };
1161
1162 static const struct attrmap ipsec_t_map[] = {
1163 { NULL, 0, { NULL } },
1164 { "lifetype", 3, { NULL, "sec", "kb", }, },
1165 { "life", 0, { NULL } },
1166 { "group desc", 18, { NULL, "modp768",
1167 "modp1024", /* group 2 */
1168 "EC2N 2^155", /* group 3 */
1169 "EC2N 2^185", /* group 4 */
1170 "modp1536", /* group 5 */
1171 "iana-grp06", "iana-grp07", /* reserved */
1172 "iana-grp08", "iana-grp09",
1173 "iana-grp10", "iana-grp11",
1174 "iana-grp12", "iana-grp13",
1175 "modp2048", /* group 14 */
1176 "modp3072", /* group 15 */
1177 "modp4096", /* group 16 */
1178 "modp6144", /* group 17 */
1179 "modp8192", /* group 18 */
1180 }, },
1181 { "enc mode", 3, { NULL, "tunnel", "transport", }, },
1182 { "auth", 5, { NULL, "hmac-md5", "hmac-sha1", "1des-mac", "keyed", }, },
1183 { "keylen", 0, { NULL } },
1184 { "rounds", 0, { NULL } },
1185 { "dictsize", 0, { NULL } },
1186 { "privalg", 0, { NULL } },
1187 };
1188
1189 static const struct attrmap encr_t_map[] = {
1190 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 0, 1 */
1191 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 2, 3 */
1192 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 4, 5 */
1193 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 6, 7 */
1194 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 8, 9 */
1195 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 10,11*/
1196 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 12,13*/
1197 { "keylen", 14, { NULL }},
1198 };
1199
1200 static const struct attrmap oakley_t_map[] = {
1201 { NULL, 0, { NULL } },
1202 { "enc", 8, { NULL, "1des", "idea", "blowfish", "rc5",
1203 "3des", "cast", "aes", }, },
1204 { "hash", 7, { NULL, "md5", "sha1", "tiger",
1205 "sha2-256", "sha2-384", "sha2-512", }, },
1206 { "auth", 6, { NULL, "preshared", "dss", "rsa sig", "rsa enc",
1207 "rsa enc revised", }, },
1208 { "group desc", 18, { NULL, "modp768",
1209 "modp1024", /* group 2 */
1210 "EC2N 2^155", /* group 3 */
1211 "EC2N 2^185", /* group 4 */
1212 "modp1536", /* group 5 */
1213 "iana-grp06", "iana-grp07", /* reserved */
1214 "iana-grp08", "iana-grp09",
1215 "iana-grp10", "iana-grp11",
1216 "iana-grp12", "iana-grp13",
1217 "modp2048", /* group 14 */
1218 "modp3072", /* group 15 */
1219 "modp4096", /* group 16 */
1220 "modp6144", /* group 17 */
1221 "modp8192", /* group 18 */
1222 }, },
1223 { "group type", 4, { NULL, "MODP", "ECP", "EC2N", }, },
1224 { "group prime", 0, { NULL } },
1225 { "group gen1", 0, { NULL } },
1226 { "group gen2", 0, { NULL } },
1227 { "group curve A", 0, { NULL } },
1228 { "group curve B", 0, { NULL } },
1229 { "lifetype", 3, { NULL, "sec", "kb", }, },
1230 { "lifeduration", 0, { NULL } },
1231 { "prf", 0, { NULL } },
1232 { "keylen", 0, { NULL } },
1233 { "field", 0, { NULL } },
1234 { "order", 0, { NULL } },
1235 };
1236
1237 static const u_char *
ikev1_t_print(netdissect_options * ndo,u_char tpay _U_,const struct isakmp_gen * ext,u_int item_len,const u_char * ep,uint32_t phase _U_,uint32_t doi _U_,uint32_t proto,int depth _U_)1238 ikev1_t_print(netdissect_options *ndo, u_char tpay _U_,
1239 const struct isakmp_gen *ext, u_int item_len,
1240 const u_char *ep, uint32_t phase _U_, uint32_t doi _U_,
1241 uint32_t proto, int depth _U_)
1242 {
1243 const struct ikev1_pl_t *p;
1244 struct ikev1_pl_t t;
1245 const u_char *cp;
1246 const char *idstr;
1247 const struct attrmap *map;
1248 size_t nmap;
1249 const u_char *ep2;
1250
1251 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_T)));
1252
1253 p = (const struct ikev1_pl_t *)ext;
1254 ND_TCHECK(*p);
1255 UNALIGNED_MEMCPY(&t, ext, sizeof(t));
1256
1257 switch (proto) {
1258 case 1:
1259 idstr = STR_OR_ID(t.t_id, ikev1_p_map);
1260 map = oakley_t_map;
1261 nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]);
1262 break;
1263 case 2:
1264 idstr = STR_OR_ID(t.t_id, ah_p_map);
1265 map = ipsec_t_map;
1266 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
1267 break;
1268 case 3:
1269 idstr = STR_OR_ID(t.t_id, esp_p_map);
1270 map = ipsec_t_map;
1271 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
1272 break;
1273 case 4:
1274 idstr = STR_OR_ID(t.t_id, ipcomp_p_map);
1275 map = ipsec_t_map;
1276 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
1277 break;
1278 default:
1279 idstr = NULL;
1280 map = NULL;
1281 nmap = 0;
1282 break;
1283 }
1284
1285 if (idstr)
1286 ND_PRINT((ndo," #%d id=%s ", t.t_no, idstr));
1287 else
1288 ND_PRINT((ndo," #%d id=%d ", t.t_no, t.t_id));
1289 cp = (const u_char *)(p + 1);
1290 ep2 = (const u_char *)p + item_len;
1291 while (cp < ep && cp < ep2) {
1292 if (map && nmap)
1293 cp = ikev1_attrmap_print(ndo, cp, ep2, map, nmap);
1294 else
1295 cp = ikev1_attr_print(ndo, cp, ep2);
1296 if (cp == NULL)
1297 goto trunc;
1298 }
1299 if (ep < ep2)
1300 ND_PRINT((ndo,"..."));
1301 return cp;
1302 trunc:
1303 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_T)));
1304 return NULL;
1305 }
1306
1307 static const u_char *
ikev1_ke_print(netdissect_options * ndo,u_char tpay _U_,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep _U_,uint32_t phase _U_,uint32_t doi _U_,uint32_t proto _U_,int depth _U_)1308 ikev1_ke_print(netdissect_options *ndo, u_char tpay _U_,
1309 const struct isakmp_gen *ext, u_int item_len _U_,
1310 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_,
1311 uint32_t proto _U_, int depth _U_)
1312 {
1313 struct isakmp_gen e;
1314
1315 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_KE)));
1316
1317 ND_TCHECK(*ext);
1318 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1319 ND_PRINT((ndo," key len=%d", ntohs(e.len) - 4));
1320 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1321 /* Print the entire payload in hex */
1322 ND_PRINT((ndo," "));
1323 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
1324 goto trunc;
1325 }
1326 return (const u_char *)ext + ntohs(e.len);
1327 trunc:
1328 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_KE)));
1329 return NULL;
1330 }
1331
1332 static const u_char *
ikev1_id_print(netdissect_options * ndo,u_char tpay _U_,const struct isakmp_gen * ext,u_int item_len,const u_char * ep _U_,uint32_t phase,uint32_t doi _U_,uint32_t proto _U_,int depth _U_)1333 ikev1_id_print(netdissect_options *ndo, u_char tpay _U_,
1334 const struct isakmp_gen *ext, u_int item_len,
1335 const u_char *ep _U_, uint32_t phase, uint32_t doi _U_,
1336 uint32_t proto _U_, int depth _U_)
1337 {
1338 #define USE_IPSECDOI_IN_PHASE1 1
1339 const struct ikev1_pl_id *p;
1340 struct ikev1_pl_id id;
1341 static const char *idtypestr[] = {
1342 "IPv4", "IPv4net", "IPv6", "IPv6net",
1343 };
1344 static const char *ipsecidtypestr[] = {
1345 NULL, "IPv4", "FQDN", "user FQDN", "IPv4net", "IPv6",
1346 "IPv6net", "IPv4range", "IPv6range", "ASN1 DN", "ASN1 GN",
1347 "keyid",
1348 };
1349 int len;
1350 const u_char *data;
1351
1352 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_ID)));
1353
1354 p = (const struct ikev1_pl_id *)ext;
1355 ND_TCHECK(*p);
1356 UNALIGNED_MEMCPY(&id, ext, sizeof(id));
1357 if (sizeof(*p) < item_len) {
1358 data = (const u_char *)(p + 1);
1359 len = item_len - sizeof(*p);
1360 } else {
1361 data = NULL;
1362 len = 0;
1363 }
1364
1365 #if 0 /*debug*/
1366 ND_PRINT((ndo," [phase=%d doi=%d proto=%d]", phase, doi, proto));
1367 #endif
1368 switch (phase) {
1369 #ifndef USE_IPSECDOI_IN_PHASE1
1370 case 1:
1371 #endif
1372 default:
1373 ND_PRINT((ndo," idtype=%s", STR_OR_ID(id.d.id_type, idtypestr)));
1374 ND_PRINT((ndo," doi_data=%u",
1375 (uint32_t)(ntohl(id.d.doi_data) & 0xffffff)));
1376 break;
1377
1378 #ifdef USE_IPSECDOI_IN_PHASE1
1379 case 1:
1380 #endif
1381 case 2:
1382 {
1383 const struct ipsecdoi_id *doi_p;
1384 struct ipsecdoi_id doi_id;
1385 const char *p_name;
1386
1387 doi_p = (const struct ipsecdoi_id *)ext;
1388 ND_TCHECK(*doi_p);
1389 UNALIGNED_MEMCPY(&doi_id, ext, sizeof(doi_id));
1390 ND_PRINT((ndo," idtype=%s", STR_OR_ID(doi_id.type, ipsecidtypestr)));
1391 /* A protocol ID of 0 DOES NOT mean IPPROTO_IP! */
1392 if (!ndo->ndo_nflag && doi_id.proto_id && (p_name = netdb_protoname(doi_id.proto_id)) != NULL)
1393 ND_PRINT((ndo," protoid=%s", p_name));
1394 else
1395 ND_PRINT((ndo," protoid=%u", doi_id.proto_id));
1396 ND_PRINT((ndo," port=%d", ntohs(doi_id.port)));
1397 if (!len)
1398 break;
1399 if (data == NULL)
1400 goto trunc;
1401 ND_TCHECK2(*data, len);
1402 switch (doi_id.type) {
1403 case IPSECDOI_ID_IPV4_ADDR:
1404 if (len < 4)
1405 ND_PRINT((ndo," len=%d [bad: < 4]", len));
1406 else
1407 ND_PRINT((ndo," len=%d %s", len, ipaddr_string(ndo, data)));
1408 len = 0;
1409 break;
1410 case IPSECDOI_ID_FQDN:
1411 case IPSECDOI_ID_USER_FQDN:
1412 {
1413 int i;
1414 ND_PRINT((ndo," len=%d ", len));
1415 for (i = 0; i < len; i++)
1416 safeputchar(ndo, data[i]);
1417 len = 0;
1418 break;
1419 }
1420 case IPSECDOI_ID_IPV4_ADDR_SUBNET:
1421 {
1422 const u_char *mask;
1423 if (len < 8)
1424 ND_PRINT((ndo," len=%d [bad: < 8]", len));
1425 else {
1426 mask = data + sizeof(struct in_addr);
1427 ND_PRINT((ndo," len=%d %s/%u.%u.%u.%u", len,
1428 ipaddr_string(ndo, data),
1429 mask[0], mask[1], mask[2], mask[3]));
1430 }
1431 len = 0;
1432 break;
1433 }
1434 case IPSECDOI_ID_IPV6_ADDR:
1435 if (len < 16)
1436 ND_PRINT((ndo," len=%d [bad: < 16]", len));
1437 else
1438 ND_PRINT((ndo," len=%d %s", len, ip6addr_string(ndo, data)));
1439 len = 0;
1440 break;
1441 case IPSECDOI_ID_IPV6_ADDR_SUBNET:
1442 {
1443 const u_char *mask;
1444 if (len < 32)
1445 ND_PRINT((ndo," len=%d [bad: < 32]", len));
1446 else {
1447 mask = (const u_char *)(data + sizeof(struct in6_addr));
1448 /*XXX*/
1449 ND_PRINT((ndo," len=%d %s/0x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x", len,
1450 ip6addr_string(ndo, data),
1451 mask[0], mask[1], mask[2], mask[3],
1452 mask[4], mask[5], mask[6], mask[7],
1453 mask[8], mask[9], mask[10], mask[11],
1454 mask[12], mask[13], mask[14], mask[15]));
1455 }
1456 len = 0;
1457 break;
1458 }
1459 case IPSECDOI_ID_IPV4_ADDR_RANGE:
1460 if (len < 8)
1461 ND_PRINT((ndo," len=%d [bad: < 8]", len));
1462 else {
1463 ND_PRINT((ndo," len=%d %s-%s", len,
1464 ipaddr_string(ndo, data),
1465 ipaddr_string(ndo, data + sizeof(struct in_addr))));
1466 }
1467 len = 0;
1468 break;
1469 case IPSECDOI_ID_IPV6_ADDR_RANGE:
1470 if (len < 32)
1471 ND_PRINT((ndo," len=%d [bad: < 32]", len));
1472 else {
1473 ND_PRINT((ndo," len=%d %s-%s", len,
1474 ip6addr_string(ndo, data),
1475 ip6addr_string(ndo, data + sizeof(struct in6_addr))));
1476 }
1477 len = 0;
1478 break;
1479 case IPSECDOI_ID_DER_ASN1_DN:
1480 case IPSECDOI_ID_DER_ASN1_GN:
1481 case IPSECDOI_ID_KEY_ID:
1482 break;
1483 }
1484 break;
1485 }
1486 }
1487 if (data && len) {
1488 ND_PRINT((ndo," len=%d", len));
1489 if (2 < ndo->ndo_vflag) {
1490 ND_PRINT((ndo," "));
1491 if (!rawprint(ndo, (const uint8_t *)data, len))
1492 goto trunc;
1493 }
1494 }
1495 return (const u_char *)ext + item_len;
1496 trunc:
1497 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_ID)));
1498 return NULL;
1499 }
1500
1501 static const u_char *
ikev1_cert_print(netdissect_options * ndo,u_char tpay _U_,const struct isakmp_gen * ext,u_int item_len,const u_char * ep _U_,uint32_t phase _U_,uint32_t doi0 _U_,uint32_t proto0 _U_,int depth _U_)1502 ikev1_cert_print(netdissect_options *ndo, u_char tpay _U_,
1503 const struct isakmp_gen *ext, u_int item_len,
1504 const u_char *ep _U_, uint32_t phase _U_,
1505 uint32_t doi0 _U_,
1506 uint32_t proto0 _U_, int depth _U_)
1507 {
1508 const struct ikev1_pl_cert *p;
1509 struct ikev1_pl_cert cert;
1510 static const char *certstr[] = {
1511 "none", "pkcs7", "pgp", "dns",
1512 "x509sign", "x509ke", "kerberos", "crl",
1513 "arl", "spki", "x509attr",
1514 };
1515
1516 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_CERT)));
1517
1518 p = (const struct ikev1_pl_cert *)ext;
1519 ND_TCHECK(*p);
1520 UNALIGNED_MEMCPY(&cert, ext, sizeof(cert));
1521 ND_PRINT((ndo," len=%d", item_len - 4));
1522 ND_PRINT((ndo," type=%s", STR_OR_ID((cert.encode), certstr)));
1523 if (2 < ndo->ndo_vflag && 4 < item_len) {
1524 /* Print the entire payload in hex */
1525 ND_PRINT((ndo," "));
1526 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1527 goto trunc;
1528 }
1529 return (const u_char *)ext + item_len;
1530 trunc:
1531 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_CERT)));
1532 return NULL;
1533 }
1534
1535 static const u_char *
ikev1_cr_print(netdissect_options * ndo,u_char tpay _U_,const struct isakmp_gen * ext,u_int item_len,const u_char * ep _U_,uint32_t phase _U_,uint32_t doi0 _U_,uint32_t proto0 _U_,int depth _U_)1536 ikev1_cr_print(netdissect_options *ndo, u_char tpay _U_,
1537 const struct isakmp_gen *ext, u_int item_len,
1538 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi0 _U_,
1539 uint32_t proto0 _U_, int depth _U_)
1540 {
1541 const struct ikev1_pl_cert *p;
1542 struct ikev1_pl_cert cert;
1543 static const char *certstr[] = {
1544 "none", "pkcs7", "pgp", "dns",
1545 "x509sign", "x509ke", "kerberos", "crl",
1546 "arl", "spki", "x509attr",
1547 };
1548
1549 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_CR)));
1550
1551 p = (const struct ikev1_pl_cert *)ext;
1552 ND_TCHECK(*p);
1553 UNALIGNED_MEMCPY(&cert, ext, sizeof(cert));
1554 ND_PRINT((ndo," len=%d", item_len - 4));
1555 ND_PRINT((ndo," type=%s", STR_OR_ID((cert.encode), certstr)));
1556 if (2 < ndo->ndo_vflag && 4 < item_len) {
1557 /* Print the entire payload in hex */
1558 ND_PRINT((ndo," "));
1559 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1560 goto trunc;
1561 }
1562 return (const u_char *)ext + item_len;
1563 trunc:
1564 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_CR)));
1565 return NULL;
1566 }
1567
1568 static const u_char *
ikev1_hash_print(netdissect_options * ndo,u_char tpay _U_,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep _U_,uint32_t phase _U_,uint32_t doi _U_,uint32_t proto _U_,int depth _U_)1569 ikev1_hash_print(netdissect_options *ndo, u_char tpay _U_,
1570 const struct isakmp_gen *ext, u_int item_len _U_,
1571 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_,
1572 uint32_t proto _U_, int depth _U_)
1573 {
1574 struct isakmp_gen e;
1575
1576 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_HASH)));
1577
1578 ND_TCHECK(*ext);
1579 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1580 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
1581 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1582 /* Print the entire payload in hex */
1583 ND_PRINT((ndo," "));
1584 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
1585 goto trunc;
1586 }
1587 return (const u_char *)ext + ntohs(e.len);
1588 trunc:
1589 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_HASH)));
1590 return NULL;
1591 }
1592
1593 static const u_char *
ikev1_sig_print(netdissect_options * ndo,u_char tpay _U_,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep _U_,uint32_t phase _U_,uint32_t doi _U_,uint32_t proto _U_,int depth _U_)1594 ikev1_sig_print(netdissect_options *ndo, u_char tpay _U_,
1595 const struct isakmp_gen *ext, u_int item_len _U_,
1596 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_,
1597 uint32_t proto _U_, int depth _U_)
1598 {
1599 struct isakmp_gen e;
1600
1601 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_SIG)));
1602
1603 ND_TCHECK(*ext);
1604 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1605 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
1606 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1607 /* Print the entire payload in hex */
1608 ND_PRINT((ndo," "));
1609 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
1610 goto trunc;
1611 }
1612 return (const u_char *)ext + ntohs(e.len);
1613 trunc:
1614 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_SIG)));
1615 return NULL;
1616 }
1617
1618 static const u_char *
ikev1_nonce_print(netdissect_options * ndo,u_char tpay _U_,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep,uint32_t phase _U_,uint32_t doi _U_,uint32_t proto _U_,int depth _U_)1619 ikev1_nonce_print(netdissect_options *ndo, u_char tpay _U_,
1620 const struct isakmp_gen *ext,
1621 u_int item_len _U_,
1622 const u_char *ep,
1623 uint32_t phase _U_, uint32_t doi _U_,
1624 uint32_t proto _U_, int depth _U_)
1625 {
1626 struct isakmp_gen e;
1627
1628 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_NONCE)));
1629
1630 ND_TCHECK(*ext);
1631 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1632 /*
1633 * Our caller has ensured that the length is >= 4.
1634 */
1635 ND_PRINT((ndo," n len=%u", ntohs(e.len) - 4));
1636 if (ntohs(e.len) > 4) {
1637 if (ndo->ndo_vflag > 2) {
1638 ND_PRINT((ndo, " "));
1639 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
1640 goto trunc;
1641 } else if (ndo->ndo_vflag > 1) {
1642 ND_PRINT((ndo, " "));
1643 if (!ike_show_somedata(ndo, (const u_char *)(ext + 1), ep))
1644 goto trunc;
1645 }
1646 }
1647 return (const u_char *)ext + ntohs(e.len);
1648 trunc:
1649 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_NONCE)));
1650 return NULL;
1651 }
1652
1653 static const u_char *
ikev1_n_print(netdissect_options * ndo,u_char tpay _U_,const struct isakmp_gen * ext,u_int item_len,const u_char * ep,uint32_t phase _U_,uint32_t doi0 _U_,uint32_t proto0 _U_,int depth _U_)1654 ikev1_n_print(netdissect_options *ndo, u_char tpay _U_,
1655 const struct isakmp_gen *ext, u_int item_len,
1656 const u_char *ep, uint32_t phase _U_, uint32_t doi0 _U_,
1657 uint32_t proto0 _U_, int depth _U_)
1658 {
1659 const struct ikev1_pl_n *p;
1660 struct ikev1_pl_n n;
1661 const u_char *cp;
1662 const u_char *ep2;
1663 uint32_t doi;
1664 uint32_t proto;
1665 static const char *notify_error_str[] = {
1666 NULL, "INVALID-PAYLOAD-TYPE",
1667 "DOI-NOT-SUPPORTED", "SITUATION-NOT-SUPPORTED",
1668 "INVALID-COOKIE", "INVALID-MAJOR-VERSION",
1669 "INVALID-MINOR-VERSION", "INVALID-EXCHANGE-TYPE",
1670 "INVALID-FLAGS", "INVALID-MESSAGE-ID",
1671 "INVALID-PROTOCOL-ID", "INVALID-SPI",
1672 "INVALID-TRANSFORM-ID", "ATTRIBUTES-NOT-SUPPORTED",
1673 "NO-PROPOSAL-CHOSEN", "BAD-PROPOSAL-SYNTAX",
1674 "PAYLOAD-MALFORMED", "INVALID-KEY-INFORMATION",
1675 "INVALID-ID-INFORMATION", "INVALID-CERT-ENCODING",
1676 "INVALID-CERTIFICATE", "CERT-TYPE-UNSUPPORTED",
1677 "INVALID-CERT-AUTHORITY", "INVALID-HASH-INFORMATION",
1678 "AUTHENTICATION-FAILED", "INVALID-SIGNATURE",
1679 "ADDRESS-NOTIFICATION", "NOTIFY-SA-LIFETIME",
1680 "CERTIFICATE-UNAVAILABLE", "UNSUPPORTED-EXCHANGE-TYPE",
1681 "UNEQUAL-PAYLOAD-LENGTHS",
1682 };
1683 static const char *ipsec_notify_error_str[] = {
1684 "RESERVED",
1685 };
1686 static const char *notify_status_str[] = {
1687 "CONNECTED",
1688 };
1689 static const char *ipsec_notify_status_str[] = {
1690 "RESPONDER-LIFETIME", "REPLAY-STATUS",
1691 "INITIAL-CONTACT",
1692 };
1693 /* NOTE: these macro must be called with x in proper range */
1694
1695 /* 0 - 8191 */
1696 #define NOTIFY_ERROR_STR(x) \
1697 STR_OR_ID((x), notify_error_str)
1698
1699 /* 8192 - 16383 */
1700 #define IPSEC_NOTIFY_ERROR_STR(x) \
1701 STR_OR_ID((u_int)((x) - 8192), ipsec_notify_error_str)
1702
1703 /* 16384 - 24575 */
1704 #define NOTIFY_STATUS_STR(x) \
1705 STR_OR_ID((u_int)((x) - 16384), notify_status_str)
1706
1707 /* 24576 - 32767 */
1708 #define IPSEC_NOTIFY_STATUS_STR(x) \
1709 STR_OR_ID((u_int)((x) - 24576), ipsec_notify_status_str)
1710
1711 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_N)));
1712
1713 p = (const struct ikev1_pl_n *)ext;
1714 ND_TCHECK(*p);
1715 UNALIGNED_MEMCPY(&n, ext, sizeof(n));
1716 doi = ntohl(n.doi);
1717 proto = n.prot_id;
1718 if (doi != 1) {
1719 ND_PRINT((ndo," doi=%d", doi));
1720 ND_PRINT((ndo," proto=%d", proto));
1721 if (ntohs(n.type) < 8192)
1722 ND_PRINT((ndo," type=%s", NOTIFY_ERROR_STR(ntohs(n.type))));
1723 else if (ntohs(n.type) < 16384)
1724 ND_PRINT((ndo," type=%s", numstr(ntohs(n.type))));
1725 else if (ntohs(n.type) < 24576)
1726 ND_PRINT((ndo," type=%s", NOTIFY_STATUS_STR(ntohs(n.type))));
1727 else
1728 ND_PRINT((ndo," type=%s", numstr(ntohs(n.type))));
1729 if (n.spi_size) {
1730 ND_PRINT((ndo," spi="));
1731 if (!rawprint(ndo, (const uint8_t *)(p + 1), n.spi_size))
1732 goto trunc;
1733 }
1734 return (const u_char *)(p + 1) + n.spi_size;
1735 }
1736
1737 ND_PRINT((ndo," doi=ipsec"));
1738 ND_PRINT((ndo," proto=%s", PROTOIDSTR(proto)));
1739 if (ntohs(n.type) < 8192)
1740 ND_PRINT((ndo," type=%s", NOTIFY_ERROR_STR(ntohs(n.type))));
1741 else if (ntohs(n.type) < 16384)
1742 ND_PRINT((ndo," type=%s", IPSEC_NOTIFY_ERROR_STR(ntohs(n.type))));
1743 else if (ntohs(n.type) < 24576)
1744 ND_PRINT((ndo," type=%s", NOTIFY_STATUS_STR(ntohs(n.type))));
1745 else if (ntohs(n.type) < 32768)
1746 ND_PRINT((ndo," type=%s", IPSEC_NOTIFY_STATUS_STR(ntohs(n.type))));
1747 else
1748 ND_PRINT((ndo," type=%s", numstr(ntohs(n.type))));
1749 if (n.spi_size) {
1750 ND_PRINT((ndo," spi="));
1751 if (!rawprint(ndo, (const uint8_t *)(p + 1), n.spi_size))
1752 goto trunc;
1753 }
1754
1755 cp = (const u_char *)(p + 1) + n.spi_size;
1756 ep2 = (const u_char *)p + item_len;
1757
1758 if (cp < ep) {
1759 switch (ntohs(n.type)) {
1760 case IPSECDOI_NTYPE_RESPONDER_LIFETIME:
1761 {
1762 const struct attrmap *map = oakley_t_map;
1763 size_t nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]);
1764 ND_PRINT((ndo," attrs=("));
1765 while (cp < ep && cp < ep2) {
1766 cp = ikev1_attrmap_print(ndo, cp, ep2, map, nmap);
1767 if (cp == NULL) {
1768 ND_PRINT((ndo,")"));
1769 goto trunc;
1770 }
1771 }
1772 ND_PRINT((ndo,")"));
1773 break;
1774 }
1775 case IPSECDOI_NTYPE_REPLAY_STATUS:
1776 ND_PRINT((ndo," status=("));
1777 ND_TCHECK_32BITS(cp);
1778 ND_PRINT((ndo,"replay detection %sabled",
1779 EXTRACT_32BITS(cp) ? "en" : "dis"));
1780 ND_PRINT((ndo,")"));
1781 break;
1782 default:
1783 /*
1784 * XXX - fill in more types here; see, for example,
1785 * draft-ietf-ipsec-notifymsg-04.
1786 */
1787 if (ndo->ndo_vflag > 3) {
1788 ND_PRINT((ndo," data=("));
1789 if (!rawprint(ndo, (const uint8_t *)(cp), ep - cp))
1790 goto trunc;
1791 ND_PRINT((ndo,")"));
1792 } else {
1793 if (!ike_show_somedata(ndo, cp, ep))
1794 goto trunc;
1795 }
1796 break;
1797 }
1798 }
1799 return (const u_char *)ext + item_len;
1800 trunc:
1801 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_N)));
1802 return NULL;
1803 }
1804
1805 static const u_char *
ikev1_d_print(netdissect_options * ndo,u_char tpay _U_,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep _U_,uint32_t phase _U_,uint32_t doi0 _U_,uint32_t proto0 _U_,int depth _U_)1806 ikev1_d_print(netdissect_options *ndo, u_char tpay _U_,
1807 const struct isakmp_gen *ext, u_int item_len _U_,
1808 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi0 _U_,
1809 uint32_t proto0 _U_, int depth _U_)
1810 {
1811 const struct ikev1_pl_d *p;
1812 struct ikev1_pl_d d;
1813 const uint8_t *q;
1814 uint32_t doi;
1815 uint32_t proto;
1816 int i;
1817
1818 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_D)));
1819
1820 p = (const struct ikev1_pl_d *)ext;
1821 ND_TCHECK(*p);
1822 UNALIGNED_MEMCPY(&d, ext, sizeof(d));
1823 doi = ntohl(d.doi);
1824 proto = d.prot_id;
1825 if (doi != 1) {
1826 ND_PRINT((ndo," doi=%u", doi));
1827 ND_PRINT((ndo," proto=%u", proto));
1828 } else {
1829 ND_PRINT((ndo," doi=ipsec"));
1830 ND_PRINT((ndo," proto=%s", PROTOIDSTR(proto)));
1831 }
1832 ND_PRINT((ndo," spilen=%u", d.spi_size));
1833 ND_PRINT((ndo," nspi=%u", ntohs(d.num_spi)));
1834 ND_PRINT((ndo," spi="));
1835 q = (const uint8_t *)(p + 1);
1836 for (i = 0; i < ntohs(d.num_spi); i++) {
1837 if (i != 0)
1838 ND_PRINT((ndo,","));
1839 if (!rawprint(ndo, (const uint8_t *)q, d.spi_size))
1840 goto trunc;
1841 q += d.spi_size;
1842 }
1843 return q;
1844 trunc:
1845 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_D)));
1846 return NULL;
1847 }
1848
1849 static const u_char *
ikev1_vid_print(netdissect_options * ndo,u_char tpay _U_,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep _U_,uint32_t phase _U_,uint32_t doi _U_,uint32_t proto _U_,int depth _U_)1850 ikev1_vid_print(netdissect_options *ndo, u_char tpay _U_,
1851 const struct isakmp_gen *ext,
1852 u_int item_len _U_, const u_char *ep _U_,
1853 uint32_t phase _U_, uint32_t doi _U_,
1854 uint32_t proto _U_, int depth _U_)
1855 {
1856 struct isakmp_gen e;
1857
1858 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_VID)));
1859
1860 ND_TCHECK(*ext);
1861 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1862 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
1863 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1864 /* Print the entire payload in hex */
1865 ND_PRINT((ndo," "));
1866 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
1867 goto trunc;
1868 }
1869 return (const u_char *)ext + ntohs(e.len);
1870 trunc:
1871 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_VID)));
1872 return NULL;
1873 }
1874
1875 /************************************************************/
1876 /* */
1877 /* IKE v2 - rfc4306 - dissector */
1878 /* */
1879 /************************************************************/
1880
1881 static void
ikev2_pay_print(netdissect_options * ndo,const char * payname,int critical)1882 ikev2_pay_print(netdissect_options *ndo, const char *payname, int critical)
1883 {
1884 ND_PRINT((ndo,"%s%s:", payname, critical&0x80 ? "[C]" : ""));
1885 }
1886
1887 static const u_char *
ikev2_gen_print(netdissect_options * ndo,u_char tpay,const struct isakmp_gen * ext)1888 ikev2_gen_print(netdissect_options *ndo, u_char tpay,
1889 const struct isakmp_gen *ext)
1890 {
1891 struct isakmp_gen e;
1892
1893 ND_TCHECK(*ext);
1894 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1895 ikev2_pay_print(ndo, NPSTR(tpay), e.critical);
1896
1897 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
1898 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1899 /* Print the entire payload in hex */
1900 ND_PRINT((ndo," "));
1901 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
1902 goto trunc;
1903 }
1904 return (const u_char *)ext + ntohs(e.len);
1905 trunc:
1906 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
1907 return NULL;
1908 }
1909
1910 static const u_char *
ikev2_t_print(netdissect_options * ndo,int tcount,const struct isakmp_gen * ext,u_int item_len,const u_char * ep)1911 ikev2_t_print(netdissect_options *ndo, int tcount,
1912 const struct isakmp_gen *ext, u_int item_len,
1913 const u_char *ep)
1914 {
1915 const struct ikev2_t *p;
1916 struct ikev2_t t;
1917 uint16_t t_id;
1918 const u_char *cp;
1919 const char *idstr;
1920 const struct attrmap *map;
1921 size_t nmap;
1922 const u_char *ep2;
1923
1924 p = (const struct ikev2_t *)ext;
1925 ND_TCHECK(*p);
1926 UNALIGNED_MEMCPY(&t, ext, sizeof(t));
1927 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_T), t.h.critical);
1928
1929 t_id = ntohs(t.t_id);
1930
1931 map = NULL;
1932 nmap = 0;
1933
1934 switch (t.t_type) {
1935 case IV2_T_ENCR:
1936 idstr = STR_OR_ID(t_id, esp_p_map);
1937 map = encr_t_map;
1938 nmap = sizeof(encr_t_map)/sizeof(encr_t_map[0]);
1939 break;
1940
1941 case IV2_T_PRF:
1942 idstr = STR_OR_ID(t_id, prf_p_map);
1943 break;
1944
1945 case IV2_T_INTEG:
1946 idstr = STR_OR_ID(t_id, integ_p_map);
1947 break;
1948
1949 case IV2_T_DH:
1950 idstr = STR_OR_ID(t_id, dh_p_map);
1951 break;
1952
1953 case IV2_T_ESN:
1954 idstr = STR_OR_ID(t_id, esn_p_map);
1955 break;
1956
1957 default:
1958 idstr = NULL;
1959 break;
1960 }
1961
1962 if (idstr)
1963 ND_PRINT((ndo," #%u type=%s id=%s ", tcount,
1964 STR_OR_ID(t.t_type, ikev2_t_type_map),
1965 idstr));
1966 else
1967 ND_PRINT((ndo," #%u type=%s id=%u ", tcount,
1968 STR_OR_ID(t.t_type, ikev2_t_type_map),
1969 t.t_id));
1970 cp = (const u_char *)(p + 1);
1971 ep2 = (const u_char *)p + item_len;
1972 while (cp < ep && cp < ep2) {
1973 if (map && nmap) {
1974 cp = ikev1_attrmap_print(ndo, cp, ep2, map, nmap);
1975 } else
1976 cp = ikev1_attr_print(ndo, cp, ep2);
1977 if (cp == NULL)
1978 goto trunc;
1979 }
1980 if (ep < ep2)
1981 ND_PRINT((ndo,"..."));
1982 return cp;
1983 trunc:
1984 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_T)));
1985 return NULL;
1986 }
1987
1988 static const u_char *
ikev2_p_print(netdissect_options * ndo,u_char tpay _U_,int pcount _U_,const struct isakmp_gen * ext,u_int oprop_length,const u_char * ep,int depth)1989 ikev2_p_print(netdissect_options *ndo, u_char tpay _U_, int pcount _U_,
1990 const struct isakmp_gen *ext, u_int oprop_length,
1991 const u_char *ep, int depth)
1992 {
1993 const struct ikev2_p *p;
1994 struct ikev2_p prop;
1995 u_int prop_length;
1996 const u_char *cp;
1997 int i;
1998 int tcount;
1999 u_char np;
2000 struct isakmp_gen e;
2001 u_int item_len;
2002
2003 p = (const struct ikev2_p *)ext;
2004 ND_TCHECK(*p);
2005 UNALIGNED_MEMCPY(&prop, ext, sizeof(prop));
2006
2007 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_P), prop.h.critical);
2008
2009 /*
2010 * ikev2_sa_print() guarantees that this is >= 4.
2011 */
2012 prop_length = oprop_length - 4;
2013 ND_PRINT((ndo," #%u protoid=%s transform=%d len=%u",
2014 prop.p_no, PROTOIDSTR(prop.prot_id),
2015 prop.num_t, oprop_length));
2016 cp = (const u_char *)(p + 1);
2017
2018 if (prop.spi_size) {
2019 if (prop_length < prop.spi_size)
2020 goto toolong;
2021 ND_PRINT((ndo," spi="));
2022 if (!rawprint(ndo, (const uint8_t *)cp, prop.spi_size))
2023 goto trunc;
2024 cp += prop.spi_size;
2025 prop_length -= prop.spi_size;
2026 }
2027
2028 /*
2029 * Print the transforms.
2030 */
2031 tcount = 0;
2032 for (np = ISAKMP_NPTYPE_T; np != 0; np = e.np) {
2033 tcount++;
2034 ext = (const struct isakmp_gen *)cp;
2035 if (prop_length < sizeof(*ext))
2036 goto toolong;
2037 ND_TCHECK(*ext);
2038 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2039
2040 /*
2041 * Since we can't have a payload length of less than 4 bytes,
2042 * we need to bail out here if the generic header is nonsensical
2043 * or truncated, otherwise we could loop forever processing
2044 * zero-length items or otherwise misdissect the packet.
2045 */
2046 item_len = ntohs(e.len);
2047 if (item_len <= 4)
2048 goto trunc;
2049
2050 if (prop_length < item_len)
2051 goto toolong;
2052 ND_TCHECK2(*cp, item_len);
2053
2054 depth++;
2055 ND_PRINT((ndo,"\n"));
2056 for (i = 0; i < depth; i++)
2057 ND_PRINT((ndo," "));
2058 ND_PRINT((ndo,"("));
2059 if (np == ISAKMP_NPTYPE_T) {
2060 cp = ikev2_t_print(ndo, tcount, ext, item_len, ep);
2061 if (cp == NULL) {
2062 /* error, already reported */
2063 return NULL;
2064 }
2065 } else {
2066 ND_PRINT((ndo, "%s", NPSTR(np)));
2067 cp += item_len;
2068 }
2069 ND_PRINT((ndo,")"));
2070 depth--;
2071 prop_length -= item_len;
2072 }
2073 return cp;
2074 toolong:
2075 /*
2076 * Skip the rest of the proposal.
2077 */
2078 cp += prop_length;
2079 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_P)));
2080 return cp;
2081 trunc:
2082 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_P)));
2083 return NULL;
2084 }
2085
2086 static const u_char *
ikev2_sa_print(netdissect_options * ndo,u_char tpay,const struct isakmp_gen * ext1,u_int osa_length,const u_char * ep,uint32_t phase _U_,uint32_t doi _U_,uint32_t proto _U_,int depth)2087 ikev2_sa_print(netdissect_options *ndo, u_char tpay,
2088 const struct isakmp_gen *ext1,
2089 u_int osa_length, const u_char *ep,
2090 uint32_t phase _U_, uint32_t doi _U_,
2091 uint32_t proto _U_, int depth)
2092 {
2093 const struct isakmp_gen *ext;
2094 struct isakmp_gen e;
2095 u_int sa_length;
2096 const u_char *cp;
2097 int i;
2098 int pcount;
2099 u_char np;
2100 u_int item_len;
2101
2102 ND_TCHECK(*ext1);
2103 UNALIGNED_MEMCPY(&e, ext1, sizeof(e));
2104 ikev2_pay_print(ndo, "sa", e.critical);
2105
2106 /*
2107 * ikev2_sub0_print() guarantees that this is >= 4.
2108 */
2109 osa_length= ntohs(e.len);
2110 sa_length = osa_length - 4;
2111 ND_PRINT((ndo," len=%d", sa_length));
2112
2113 /*
2114 * Print the payloads.
2115 */
2116 cp = (const u_char *)(ext1 + 1);
2117 pcount = 0;
2118 for (np = ISAKMP_NPTYPE_P; np != 0; np = e.np) {
2119 pcount++;
2120 ext = (const struct isakmp_gen *)cp;
2121 if (sa_length < sizeof(*ext))
2122 goto toolong;
2123 ND_TCHECK(*ext);
2124 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2125
2126 /*
2127 * Since we can't have a payload length of less than 4 bytes,
2128 * we need to bail out here if the generic header is nonsensical
2129 * or truncated, otherwise we could loop forever processing
2130 * zero-length items or otherwise misdissect the packet.
2131 */
2132 item_len = ntohs(e.len);
2133 if (item_len <= 4)
2134 goto trunc;
2135
2136 if (sa_length < item_len)
2137 goto toolong;
2138 ND_TCHECK2(*cp, item_len);
2139
2140 depth++;
2141 ND_PRINT((ndo,"\n"));
2142 for (i = 0; i < depth; i++)
2143 ND_PRINT((ndo," "));
2144 ND_PRINT((ndo,"("));
2145 if (np == ISAKMP_NPTYPE_P) {
2146 cp = ikev2_p_print(ndo, np, pcount, ext, item_len,
2147 ep, depth);
2148 if (cp == NULL) {
2149 /* error, already reported */
2150 return NULL;
2151 }
2152 } else {
2153 ND_PRINT((ndo, "%s", NPSTR(np)));
2154 cp += item_len;
2155 }
2156 ND_PRINT((ndo,")"));
2157 depth--;
2158 sa_length -= item_len;
2159 }
2160 return cp;
2161 toolong:
2162 /*
2163 * Skip the rest of the SA.
2164 */
2165 cp += sa_length;
2166 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2167 return cp;
2168 trunc:
2169 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2170 return NULL;
2171 }
2172
2173 static const u_char *
ikev2_ke_print(netdissect_options * ndo,u_char tpay,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep _U_,uint32_t phase _U_,uint32_t doi _U_,uint32_t proto _U_,int depth _U_)2174 ikev2_ke_print(netdissect_options *ndo, u_char tpay,
2175 const struct isakmp_gen *ext,
2176 u_int item_len _U_, const u_char *ep _U_,
2177 uint32_t phase _U_, uint32_t doi _U_,
2178 uint32_t proto _U_, int depth _U_)
2179 {
2180 struct ikev2_ke ke;
2181 const struct ikev2_ke *k;
2182
2183 k = (const struct ikev2_ke *)ext;
2184 ND_TCHECK(*k);
2185 UNALIGNED_MEMCPY(&ke, ext, sizeof(ke));
2186 ikev2_pay_print(ndo, NPSTR(tpay), ke.h.critical);
2187
2188 ND_PRINT((ndo," len=%u group=%s", ntohs(ke.h.len) - 8,
2189 STR_OR_ID(ntohs(ke.ke_group), dh_p_map)));
2190
2191 if (2 < ndo->ndo_vflag && 8 < ntohs(ke.h.len)) {
2192 ND_PRINT((ndo," "));
2193 if (!rawprint(ndo, (const uint8_t *)(k + 1), ntohs(ke.h.len) - 8))
2194 goto trunc;
2195 }
2196 return (const u_char *)ext + ntohs(ke.h.len);
2197 trunc:
2198 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2199 return NULL;
2200 }
2201
2202 static const u_char *
ikev2_ID_print(netdissect_options * ndo,u_char tpay,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep _U_,uint32_t phase _U_,uint32_t doi _U_,uint32_t proto _U_,int depth _U_)2203 ikev2_ID_print(netdissect_options *ndo, u_char tpay,
2204 const struct isakmp_gen *ext,
2205 u_int item_len _U_, const u_char *ep _U_,
2206 uint32_t phase _U_, uint32_t doi _U_,
2207 uint32_t proto _U_, int depth _U_)
2208 {
2209 const struct ikev2_id *idp;
2210 struct ikev2_id id;
2211 int id_len, idtype_len, i;
2212 unsigned int dumpascii, dumphex;
2213 const unsigned char *typedata;
2214
2215 idp = (const struct ikev2_id *)ext;
2216 ND_TCHECK(*idp);
2217 UNALIGNED_MEMCPY(&id, ext, sizeof(id));
2218 ikev2_pay_print(ndo, NPSTR(tpay), id.h.critical);
2219
2220 id_len = ntohs(id.h.len);
2221
2222 ND_PRINT((ndo," len=%d", id_len - 4));
2223 if (2 < ndo->ndo_vflag && 4 < id_len) {
2224 /* Print the entire payload in hex */
2225 ND_PRINT((ndo," "));
2226 if (!rawprint(ndo, (const uint8_t *)(ext + 1), id_len - 4))
2227 goto trunc;
2228 }
2229
2230 idtype_len =id_len - sizeof(struct ikev2_id);
2231 dumpascii = 0;
2232 dumphex = 0;
2233 typedata = (const unsigned char *)(ext)+sizeof(struct ikev2_id);
2234
2235 switch(id.type) {
2236 case ID_IPV4_ADDR:
2237 ND_PRINT((ndo, " ipv4:"));
2238 dumphex=1;
2239 break;
2240 case ID_FQDN:
2241 ND_PRINT((ndo, " fqdn:"));
2242 dumpascii=1;
2243 break;
2244 case ID_RFC822_ADDR:
2245 ND_PRINT((ndo, " rfc822:"));
2246 dumpascii=1;
2247 break;
2248 case ID_IPV6_ADDR:
2249 ND_PRINT((ndo, " ipv6:"));
2250 dumphex=1;
2251 break;
2252 case ID_DER_ASN1_DN:
2253 ND_PRINT((ndo, " dn:"));
2254 dumphex=1;
2255 break;
2256 case ID_DER_ASN1_GN:
2257 ND_PRINT((ndo, " gn:"));
2258 dumphex=1;
2259 break;
2260 case ID_KEY_ID:
2261 ND_PRINT((ndo, " keyid:"));
2262 dumphex=1;
2263 break;
2264 }
2265
2266 if(dumpascii) {
2267 ND_TCHECK2(*typedata, idtype_len);
2268 for(i=0; i<idtype_len; i++) {
2269 if(ND_ISPRINT(typedata[i])) {
2270 ND_PRINT((ndo, "%c", typedata[i]));
2271 } else {
2272 ND_PRINT((ndo, "."));
2273 }
2274 }
2275 }
2276 if(dumphex) {
2277 if (!rawprint(ndo, (const uint8_t *)typedata, idtype_len))
2278 goto trunc;
2279 }
2280
2281 return (const u_char *)ext + id_len;
2282 trunc:
2283 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2284 return NULL;
2285 }
2286
2287 static const u_char *
ikev2_cert_print(netdissect_options * ndo,u_char tpay,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep _U_,uint32_t phase _U_,uint32_t doi _U_,uint32_t proto _U_,int depth _U_)2288 ikev2_cert_print(netdissect_options *ndo, u_char tpay,
2289 const struct isakmp_gen *ext,
2290 u_int item_len _U_, const u_char *ep _U_,
2291 uint32_t phase _U_, uint32_t doi _U_,
2292 uint32_t proto _U_, int depth _U_)
2293 {
2294 return ikev2_gen_print(ndo, tpay, ext);
2295 }
2296
2297 static const u_char *
ikev2_cr_print(netdissect_options * ndo,u_char tpay,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep _U_,uint32_t phase _U_,uint32_t doi _U_,uint32_t proto _U_,int depth _U_)2298 ikev2_cr_print(netdissect_options *ndo, u_char tpay,
2299 const struct isakmp_gen *ext,
2300 u_int item_len _U_, const u_char *ep _U_,
2301 uint32_t phase _U_, uint32_t doi _U_,
2302 uint32_t proto _U_, int depth _U_)
2303 {
2304 return ikev2_gen_print(ndo, tpay, ext);
2305 }
2306
2307 static const u_char *
ikev2_auth_print(netdissect_options * ndo,u_char tpay,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep,uint32_t phase _U_,uint32_t doi _U_,uint32_t proto _U_,int depth _U_)2308 ikev2_auth_print(netdissect_options *ndo, u_char tpay,
2309 const struct isakmp_gen *ext,
2310 u_int item_len _U_, const u_char *ep,
2311 uint32_t phase _U_, uint32_t doi _U_,
2312 uint32_t proto _U_, int depth _U_)
2313 {
2314 struct ikev2_auth a;
2315 const char *v2_auth[]={ "invalid", "rsasig",
2316 "shared-secret", "dsssig" };
2317 const u_char *authdata = (const u_char*)ext + sizeof(a);
2318 unsigned int len;
2319
2320 ND_TCHECK2(*ext, sizeof(a));
2321 UNALIGNED_MEMCPY(&a, ext, sizeof(a));
2322 ikev2_pay_print(ndo, NPSTR(tpay), a.h.critical);
2323 len = ntohs(a.h.len);
2324
2325 /*
2326 * Our caller has ensured that the length is >= 4.
2327 */
2328 ND_PRINT((ndo," len=%u method=%s", len-4,
2329 STR_OR_ID(a.auth_method, v2_auth)));
2330 if (len > 4) {
2331 if (ndo->ndo_vflag > 1) {
2332 ND_PRINT((ndo, " authdata=("));
2333 if (!rawprint(ndo, (const uint8_t *)authdata, len - sizeof(a)))
2334 goto trunc;
2335 ND_PRINT((ndo, ") "));
2336 } else if (ndo->ndo_vflag) {
2337 if (!ike_show_somedata(ndo, authdata, ep))
2338 goto trunc;
2339 }
2340 }
2341
2342 return (const u_char *)ext + len;
2343 trunc:
2344 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2345 return NULL;
2346 }
2347
2348 static const u_char *
ikev2_nonce_print(netdissect_options * ndo,u_char tpay,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep,uint32_t phase _U_,uint32_t doi _U_,uint32_t proto _U_,int depth _U_)2349 ikev2_nonce_print(netdissect_options *ndo, u_char tpay,
2350 const struct isakmp_gen *ext,
2351 u_int item_len _U_, const u_char *ep,
2352 uint32_t phase _U_, uint32_t doi _U_,
2353 uint32_t proto _U_, int depth _U_)
2354 {
2355 struct isakmp_gen e;
2356
2357 ND_TCHECK(*ext);
2358 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2359 ikev2_pay_print(ndo, "nonce", e.critical);
2360
2361 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
2362 if (1 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
2363 ND_PRINT((ndo," nonce=("));
2364 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
2365 goto trunc;
2366 ND_PRINT((ndo,") "));
2367 } else if(ndo->ndo_vflag && 4 < ntohs(e.len)) {
2368 if(!ike_show_somedata(ndo, (const u_char *)(ext+1), ep)) goto trunc;
2369 }
2370
2371 return (const u_char *)ext + ntohs(e.len);
2372 trunc:
2373 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2374 return NULL;
2375 }
2376
2377 /* notify payloads */
2378 static const u_char *
ikev2_n_print(netdissect_options * ndo,u_char tpay _U_,const struct isakmp_gen * ext,u_int item_len,const u_char * ep,uint32_t phase _U_,uint32_t doi _U_,uint32_t proto _U_,int depth _U_)2379 ikev2_n_print(netdissect_options *ndo, u_char tpay _U_,
2380 const struct isakmp_gen *ext,
2381 u_int item_len, const u_char *ep,
2382 uint32_t phase _U_, uint32_t doi _U_,
2383 uint32_t proto _U_, int depth _U_)
2384 {
2385 const struct ikev2_n *p;
2386 struct ikev2_n n;
2387 const u_char *cp;
2388 u_char showspi, showsomedata;
2389 const char *notify_name;
2390 uint32_t type;
2391
2392 p = (const struct ikev2_n *)ext;
2393 ND_TCHECK(*p);
2394 UNALIGNED_MEMCPY(&n, ext, sizeof(n));
2395 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_N), n.h.critical);
2396
2397 showspi = 1;
2398 showsomedata=0;
2399 notify_name=NULL;
2400
2401 ND_PRINT((ndo," prot_id=%s", PROTOIDSTR(n.prot_id)));
2402
2403 type = ntohs(n.type);
2404
2405 /* notify space is annoying sparse */
2406 switch(type) {
2407 case IV2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD:
2408 notify_name = "unsupported_critical_payload";
2409 showspi = 0;
2410 break;
2411
2412 case IV2_NOTIFY_INVALID_IKE_SPI:
2413 notify_name = "invalid_ike_spi";
2414 showspi = 1;
2415 break;
2416
2417 case IV2_NOTIFY_INVALID_MAJOR_VERSION:
2418 notify_name = "invalid_major_version";
2419 showspi = 0;
2420 break;
2421
2422 case IV2_NOTIFY_INVALID_SYNTAX:
2423 notify_name = "invalid_syntax";
2424 showspi = 1;
2425 break;
2426
2427 case IV2_NOTIFY_INVALID_MESSAGE_ID:
2428 notify_name = "invalid_message_id";
2429 showspi = 1;
2430 break;
2431
2432 case IV2_NOTIFY_INVALID_SPI:
2433 notify_name = "invalid_spi";
2434 showspi = 1;
2435 break;
2436
2437 case IV2_NOTIFY_NO_PROPOSAL_CHOSEN:
2438 notify_name = "no_protocol_chosen";
2439 showspi = 1;
2440 break;
2441
2442 case IV2_NOTIFY_INVALID_KE_PAYLOAD:
2443 notify_name = "invalid_ke_payload";
2444 showspi = 1;
2445 break;
2446
2447 case IV2_NOTIFY_AUTHENTICATION_FAILED:
2448 notify_name = "authentication_failed";
2449 showspi = 1;
2450 break;
2451
2452 case IV2_NOTIFY_SINGLE_PAIR_REQUIRED:
2453 notify_name = "single_pair_required";
2454 showspi = 1;
2455 break;
2456
2457 case IV2_NOTIFY_NO_ADDITIONAL_SAS:
2458 notify_name = "no_additional_sas";
2459 showspi = 0;
2460 break;
2461
2462 case IV2_NOTIFY_INTERNAL_ADDRESS_FAILURE:
2463 notify_name = "internal_address_failure";
2464 showspi = 0;
2465 break;
2466
2467 case IV2_NOTIFY_FAILED_CP_REQUIRED:
2468 notify_name = "failed:cp_required";
2469 showspi = 0;
2470 break;
2471
2472 case IV2_NOTIFY_INVALID_SELECTORS:
2473 notify_name = "invalid_selectors";
2474 showspi = 0;
2475 break;
2476
2477 case IV2_NOTIFY_INITIAL_CONTACT:
2478 notify_name = "initial_contact";
2479 showspi = 0;
2480 break;
2481
2482 case IV2_NOTIFY_SET_WINDOW_SIZE:
2483 notify_name = "set_window_size";
2484 showspi = 0;
2485 break;
2486
2487 case IV2_NOTIFY_ADDITIONAL_TS_POSSIBLE:
2488 notify_name = "additional_ts_possible";
2489 showspi = 0;
2490 break;
2491
2492 case IV2_NOTIFY_IPCOMP_SUPPORTED:
2493 notify_name = "ipcomp_supported";
2494 showspi = 0;
2495 break;
2496
2497 case IV2_NOTIFY_NAT_DETECTION_SOURCE_IP:
2498 notify_name = "nat_detection_source_ip";
2499 showspi = 1;
2500 break;
2501
2502 case IV2_NOTIFY_NAT_DETECTION_DESTINATION_IP:
2503 notify_name = "nat_detection_destination_ip";
2504 showspi = 1;
2505 break;
2506
2507 case IV2_NOTIFY_COOKIE:
2508 notify_name = "cookie";
2509 showspi = 1;
2510 showsomedata= 1;
2511 break;
2512
2513 case IV2_NOTIFY_USE_TRANSPORT_MODE:
2514 notify_name = "use_transport_mode";
2515 showspi = 0;
2516 break;
2517
2518 case IV2_NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED:
2519 notify_name = "http_cert_lookup_supported";
2520 showspi = 0;
2521 break;
2522
2523 case IV2_NOTIFY_REKEY_SA:
2524 notify_name = "rekey_sa";
2525 showspi = 1;
2526 break;
2527
2528 case IV2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED:
2529 notify_name = "tfc_padding_not_supported";
2530 showspi = 0;
2531 break;
2532
2533 case IV2_NOTIFY_NON_FIRST_FRAGMENTS_ALSO:
2534 notify_name = "non_first_fragment_also";
2535 showspi = 0;
2536 break;
2537
2538 default:
2539 if (type < 8192) {
2540 notify_name="error";
2541 } else if(type < 16384) {
2542 notify_name="private-error";
2543 } else if(type < 40960) {
2544 notify_name="status";
2545 } else {
2546 notify_name="private-status";
2547 }
2548 }
2549
2550 if(notify_name) {
2551 ND_PRINT((ndo," type=%u(%s)", type, notify_name));
2552 }
2553
2554
2555 if (showspi && n.spi_size) {
2556 ND_PRINT((ndo," spi="));
2557 if (!rawprint(ndo, (const uint8_t *)(p + 1), n.spi_size))
2558 goto trunc;
2559 }
2560
2561 cp = (const u_char *)(p + 1) + n.spi_size;
2562
2563 if (cp < ep) {
2564 if (ndo->ndo_vflag > 3 || (showsomedata && ep-cp < 30)) {
2565 ND_PRINT((ndo," data=("));
2566 if (!rawprint(ndo, (const uint8_t *)(cp), ep - cp))
2567 goto trunc;
2568
2569 ND_PRINT((ndo,")"));
2570 } else if (showsomedata) {
2571 if (!ike_show_somedata(ndo, cp, ep))
2572 goto trunc;
2573 }
2574 }
2575
2576 return (const u_char *)ext + item_len;
2577 trunc:
2578 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_N)));
2579 return NULL;
2580 }
2581
2582 static const u_char *
ikev2_d_print(netdissect_options * ndo,u_char tpay,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep _U_,uint32_t phase _U_,uint32_t doi _U_,uint32_t proto _U_,int depth _U_)2583 ikev2_d_print(netdissect_options *ndo, u_char tpay,
2584 const struct isakmp_gen *ext,
2585 u_int item_len _U_, const u_char *ep _U_,
2586 uint32_t phase _U_, uint32_t doi _U_,
2587 uint32_t proto _U_, int depth _U_)
2588 {
2589 return ikev2_gen_print(ndo, tpay, ext);
2590 }
2591
2592 static const u_char *
ikev2_vid_print(netdissect_options * ndo,u_char tpay,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep _U_,uint32_t phase _U_,uint32_t doi _U_,uint32_t proto _U_,int depth _U_)2593 ikev2_vid_print(netdissect_options *ndo, u_char tpay,
2594 const struct isakmp_gen *ext,
2595 u_int item_len _U_, const u_char *ep _U_,
2596 uint32_t phase _U_, uint32_t doi _U_,
2597 uint32_t proto _U_, int depth _U_)
2598 {
2599 struct isakmp_gen e;
2600 const u_char *vid;
2601 int i, len;
2602
2603 ND_TCHECK(*ext);
2604 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2605 ikev2_pay_print(ndo, NPSTR(tpay), e.critical);
2606 ND_PRINT((ndo," len=%d vid=", ntohs(e.len) - 4));
2607
2608 vid = (const u_char *)(ext+1);
2609 len = ntohs(e.len) - 4;
2610 ND_TCHECK2(*vid, len);
2611 for(i=0; i<len; i++) {
2612 if(ND_ISPRINT(vid[i])) ND_PRINT((ndo, "%c", vid[i]));
2613 else ND_PRINT((ndo, "."));
2614 }
2615 if (2 < ndo->ndo_vflag && 4 < len) {
2616 /* Print the entire payload in hex */
2617 ND_PRINT((ndo," "));
2618 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
2619 goto trunc;
2620 }
2621 return (const u_char *)ext + ntohs(e.len);
2622 trunc:
2623 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2624 return NULL;
2625 }
2626
2627 static const u_char *
ikev2_TS_print(netdissect_options * ndo,u_char tpay,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep _U_,uint32_t phase _U_,uint32_t doi _U_,uint32_t proto _U_,int depth _U_)2628 ikev2_TS_print(netdissect_options *ndo, u_char tpay,
2629 const struct isakmp_gen *ext,
2630 u_int item_len _U_, const u_char *ep _U_,
2631 uint32_t phase _U_, uint32_t doi _U_,
2632 uint32_t proto _U_, int depth _U_)
2633 {
2634 return ikev2_gen_print(ndo, tpay, ext);
2635 }
2636
2637 static const u_char *
ikev2_e_print(netdissect_options * ndo,_U_ struct isakmp * base,u_char tpay,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep _U_,_U_ uint32_t phase,_U_ uint32_t doi,_U_ uint32_t proto,_U_ int depth)2638 ikev2_e_print(netdissect_options *ndo,
2639 #ifndef HAVE_LIBCRYPTO
2640 _U_
2641 #endif
2642 struct isakmp *base,
2643 u_char tpay,
2644 const struct isakmp_gen *ext,
2645 u_int item_len _U_, const u_char *ep _U_,
2646 #ifndef HAVE_LIBCRYPTO
2647 _U_
2648 #endif
2649 uint32_t phase,
2650 #ifndef HAVE_LIBCRYPTO
2651 _U_
2652 #endif
2653 uint32_t doi,
2654 #ifndef HAVE_LIBCRYPTO
2655 _U_
2656 #endif
2657 uint32_t proto,
2658 #ifndef HAVE_LIBCRYPTO
2659 _U_
2660 #endif
2661 int depth)
2662 {
2663 struct isakmp_gen e;
2664 const u_char *dat;
2665 volatile int dlen;
2666
2667 ND_TCHECK(*ext);
2668 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2669 ikev2_pay_print(ndo, NPSTR(tpay), e.critical);
2670
2671 dlen = ntohs(e.len)-4;
2672
2673 ND_PRINT((ndo," len=%d", dlen));
2674 if (2 < ndo->ndo_vflag && 4 < dlen) {
2675 ND_PRINT((ndo," "));
2676 if (!rawprint(ndo, (const uint8_t *)(ext + 1), dlen))
2677 goto trunc;
2678 }
2679
2680 dat = (const u_char *)(ext+1);
2681 ND_TCHECK2(*dat, dlen);
2682
2683 #ifdef HAVE_LIBCRYPTO
2684 /* try to decypt it! */
2685 if(esp_print_decrypt_buffer_by_ikev2(ndo,
2686 base->flags & ISAKMP_FLAG_I,
2687 base->i_ck, base->r_ck,
2688 dat, dat+dlen)) {
2689
2690 ext = (const struct isakmp_gen *)ndo->ndo_packetp;
2691
2692 /* got it decrypted, print stuff inside. */
2693 ikev2_sub_print(ndo, base, e.np, ext, ndo->ndo_snapend,
2694 phase, doi, proto, depth+1);
2695 }
2696 #endif
2697
2698
2699 /* always return NULL, because E must be at end, and NP refers
2700 * to what was inside.
2701 */
2702 return NULL;
2703 trunc:
2704 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2705 return NULL;
2706 }
2707
2708 static const u_char *
ikev2_cp_print(netdissect_options * ndo,u_char tpay,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep _U_,uint32_t phase _U_,uint32_t doi _U_,uint32_t proto _U_,int depth _U_)2709 ikev2_cp_print(netdissect_options *ndo, u_char tpay,
2710 const struct isakmp_gen *ext,
2711 u_int item_len _U_, const u_char *ep _U_,
2712 uint32_t phase _U_, uint32_t doi _U_,
2713 uint32_t proto _U_, int depth _U_)
2714 {
2715 return ikev2_gen_print(ndo, tpay, ext);
2716 }
2717
2718 static const u_char *
ikev2_eap_print(netdissect_options * ndo,u_char tpay,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep _U_,uint32_t phase _U_,uint32_t doi _U_,uint32_t proto _U_,int depth _U_)2719 ikev2_eap_print(netdissect_options *ndo, u_char tpay,
2720 const struct isakmp_gen *ext,
2721 u_int item_len _U_, const u_char *ep _U_,
2722 uint32_t phase _U_, uint32_t doi _U_,
2723 uint32_t proto _U_, int depth _U_)
2724 {
2725 return ikev2_gen_print(ndo, tpay, ext);
2726 }
2727
2728 static const u_char *
ike_sub0_print(netdissect_options * ndo,u_char np,const struct isakmp_gen * ext,const u_char * ep,uint32_t phase,uint32_t doi,uint32_t proto,int depth)2729 ike_sub0_print(netdissect_options *ndo,
2730 u_char np, const struct isakmp_gen *ext, const u_char *ep,
2731
2732 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
2733 {
2734 const u_char *cp;
2735 struct isakmp_gen e;
2736 u_int item_len;
2737
2738 cp = (const u_char *)ext;
2739 ND_TCHECK(*ext);
2740 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2741
2742 /*
2743 * Since we can't have a payload length of less than 4 bytes,
2744 * we need to bail out here if the generic header is nonsensical
2745 * or truncated, otherwise we could loop forever processing
2746 * zero-length items or otherwise misdissect the packet.
2747 */
2748 item_len = ntohs(e.len);
2749 if (item_len <= 4)
2750 return NULL;
2751
2752 if (NPFUNC(np)) {
2753 /*
2754 * XXX - what if item_len is too short, or too long,
2755 * for this payload type?
2756 */
2757 cp = (*npfunc[np])(ndo, np, ext, item_len, ep, phase, doi, proto, depth);
2758 } else {
2759 ND_PRINT((ndo,"%s", NPSTR(np)));
2760 cp += item_len;
2761 }
2762
2763 return cp;
2764 trunc:
2765 ND_PRINT((ndo," [|isakmp]"));
2766 return NULL;
2767 }
2768
2769 static const u_char *
ikev1_sub_print(netdissect_options * ndo,u_char np,const struct isakmp_gen * ext,const u_char * ep,uint32_t phase,uint32_t doi,uint32_t proto,int depth)2770 ikev1_sub_print(netdissect_options *ndo,
2771 u_char np, const struct isakmp_gen *ext, const u_char *ep,
2772 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
2773 {
2774 const u_char *cp;
2775 int i;
2776 struct isakmp_gen e;
2777
2778 cp = (const u_char *)ext;
2779
2780 while (np) {
2781 ND_TCHECK(*ext);
2782 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2783
2784 ND_TCHECK2(*ext, ntohs(e.len));
2785
2786 depth++;
2787 ND_PRINT((ndo,"\n"));
2788 for (i = 0; i < depth; i++)
2789 ND_PRINT((ndo," "));
2790 ND_PRINT((ndo,"("));
2791 cp = ike_sub0_print(ndo, np, ext, ep, phase, doi, proto, depth);
2792 ND_PRINT((ndo,")"));
2793 depth--;
2794
2795 if (cp == NULL) {
2796 /* Zero-length subitem */
2797 return NULL;
2798 }
2799
2800 np = e.np;
2801 ext = (const struct isakmp_gen *)cp;
2802 }
2803 return cp;
2804 trunc:
2805 ND_PRINT((ndo," [|%s]", NPSTR(np)));
2806 return NULL;
2807 }
2808
2809 static char *
numstr(int x)2810 numstr(int x)
2811 {
2812 static char buf[20];
2813 snprintf(buf, sizeof(buf), "#%d", x);
2814 return buf;
2815 }
2816
2817 static void
ikev1_print(netdissect_options * ndo,const u_char * bp,u_int length,const u_char * bp2,struct isakmp * base)2818 ikev1_print(netdissect_options *ndo,
2819 const u_char *bp, u_int length,
2820 const u_char *bp2, struct isakmp *base)
2821 {
2822 const struct isakmp *p;
2823 const u_char *ep;
2824 u_char np;
2825 int i;
2826 int phase;
2827
2828 p = (const struct isakmp *)bp;
2829 ep = ndo->ndo_snapend;
2830
2831 phase = (EXTRACT_32BITS(base->msgid) == 0) ? 1 : 2;
2832 if (phase == 1)
2833 ND_PRINT((ndo," phase %d", phase));
2834 else
2835 ND_PRINT((ndo," phase %d/others", phase));
2836
2837 i = cookie_find(&base->i_ck);
2838 if (i < 0) {
2839 if (iszero((const u_char *)&base->r_ck, sizeof(base->r_ck))) {
2840 /* the first packet */
2841 ND_PRINT((ndo," I"));
2842 if (bp2)
2843 cookie_record(&base->i_ck, bp2);
2844 } else
2845 ND_PRINT((ndo," ?"));
2846 } else {
2847 if (bp2 && cookie_isinitiator(i, bp2))
2848 ND_PRINT((ndo," I"));
2849 else if (bp2 && cookie_isresponder(i, bp2))
2850 ND_PRINT((ndo," R"));
2851 else
2852 ND_PRINT((ndo," ?"));
2853 }
2854
2855 ND_PRINT((ndo," %s", ETYPESTR(base->etype)));
2856 if (base->flags) {
2857 ND_PRINT((ndo,"[%s%s]", base->flags & ISAKMP_FLAG_E ? "E" : "",
2858 base->flags & ISAKMP_FLAG_C ? "C" : ""));
2859 }
2860
2861 if (ndo->ndo_vflag) {
2862 const struct isakmp_gen *ext;
2863
2864 ND_PRINT((ndo,":"));
2865
2866 /* regardless of phase... */
2867 if (base->flags & ISAKMP_FLAG_E) {
2868 /*
2869 * encrypted, nothing we can do right now.
2870 * we hope to decrypt the packet in the future...
2871 */
2872 ND_PRINT((ndo," [encrypted %s]", NPSTR(base->np)));
2873 goto done;
2874 }
2875
2876 CHECKLEN(p + 1, base->np);
2877 np = base->np;
2878 ext = (const struct isakmp_gen *)(p + 1);
2879 ikev1_sub_print(ndo, np, ext, ep, phase, 0, 0, 0);
2880 }
2881
2882 done:
2883 if (ndo->ndo_vflag) {
2884 if (ntohl(base->len) != length) {
2885 ND_PRINT((ndo," (len mismatch: isakmp %u/ip %u)",
2886 (uint32_t)ntohl(base->len), length));
2887 }
2888 }
2889 }
2890
2891 static const u_char *
ikev2_sub0_print(netdissect_options * ndo,struct isakmp * base,u_char np,const struct isakmp_gen * ext,const u_char * ep,uint32_t phase,uint32_t doi,uint32_t proto,int depth)2892 ikev2_sub0_print(netdissect_options *ndo, struct isakmp *base,
2893 u_char np,
2894 const struct isakmp_gen *ext, const u_char *ep,
2895 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
2896 {
2897 const u_char *cp;
2898 struct isakmp_gen e;
2899 u_int item_len;
2900
2901 cp = (const u_char *)ext;
2902 ND_TCHECK(*ext);
2903 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2904
2905 /*
2906 * Since we can't have a payload length of less than 4 bytes,
2907 * we need to bail out here if the generic header is nonsensical
2908 * or truncated, otherwise we could loop forever processing
2909 * zero-length items or otherwise misdissect the packet.
2910 */
2911 item_len = ntohs(e.len);
2912 if (item_len <= 4)
2913 return NULL;
2914
2915 if (np == ISAKMP_NPTYPE_v2E) {
2916 cp = ikev2_e_print(ndo, base, np, ext, item_len,
2917 ep, phase, doi, proto, depth);
2918 } else if (NPFUNC(np)) {
2919 /*
2920 * XXX - what if item_len is too short, or too long,
2921 * for this payload type?
2922 */
2923 cp = (*npfunc[np])(ndo, np, ext, item_len,
2924 ep, phase, doi, proto, depth);
2925 } else {
2926 ND_PRINT((ndo,"%s", NPSTR(np)));
2927 cp += item_len;
2928 }
2929
2930 return cp;
2931 trunc:
2932 ND_PRINT((ndo," [|isakmp]"));
2933 return NULL;
2934 }
2935
2936 static const u_char *
ikev2_sub_print(netdissect_options * ndo,struct isakmp * base,u_char np,const struct isakmp_gen * ext,const u_char * ep,uint32_t phase,uint32_t doi,uint32_t proto,int depth)2937 ikev2_sub_print(netdissect_options *ndo,
2938 struct isakmp *base,
2939 u_char np, const struct isakmp_gen *ext, const u_char *ep,
2940 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
2941 {
2942 const u_char *cp;
2943 int i;
2944 struct isakmp_gen e;
2945
2946 cp = (const u_char *)ext;
2947 while (np) {
2948 ND_TCHECK(*ext);
2949 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2950
2951 ND_TCHECK2(*ext, ntohs(e.len));
2952
2953 depth++;
2954 ND_PRINT((ndo,"\n"));
2955 for (i = 0; i < depth; i++)
2956 ND_PRINT((ndo," "));
2957 ND_PRINT((ndo,"("));
2958 cp = ikev2_sub0_print(ndo, base, np,
2959 ext, ep, phase, doi, proto, depth);
2960 ND_PRINT((ndo,")"));
2961 depth--;
2962
2963 if (cp == NULL) {
2964 /* Zero-length subitem */
2965 return NULL;
2966 }
2967
2968 np = e.np;
2969 ext = (const struct isakmp_gen *)cp;
2970 }
2971 return cp;
2972 trunc:
2973 ND_PRINT((ndo," [|%s]", NPSTR(np)));
2974 return NULL;
2975 }
2976
2977 static void
ikev2_print(netdissect_options * ndo,const u_char * bp,u_int length,const u_char * bp2 _U_,struct isakmp * base)2978 ikev2_print(netdissect_options *ndo,
2979 const u_char *bp, u_int length,
2980 const u_char *bp2 _U_, struct isakmp *base)
2981 {
2982 const struct isakmp *p;
2983 const u_char *ep;
2984 u_char np;
2985 int phase;
2986
2987 p = (const struct isakmp *)bp;
2988 ep = ndo->ndo_snapend;
2989
2990 phase = (EXTRACT_32BITS(base->msgid) == 0) ? 1 : 2;
2991 if (phase == 1)
2992 ND_PRINT((ndo, " parent_sa"));
2993 else
2994 ND_PRINT((ndo, " child_sa "));
2995
2996 ND_PRINT((ndo, " %s", ETYPESTR(base->etype)));
2997 if (base->flags) {
2998 ND_PRINT((ndo, "[%s%s%s]",
2999 base->flags & ISAKMP_FLAG_I ? "I" : "",
3000 base->flags & ISAKMP_FLAG_V ? "V" : "",
3001 base->flags & ISAKMP_FLAG_R ? "R" : ""));
3002 }
3003
3004 if (ndo->ndo_vflag) {
3005 const struct isakmp_gen *ext;
3006
3007 ND_PRINT((ndo, ":"));
3008
3009 /* regardless of phase... */
3010 if (base->flags & ISAKMP_FLAG_E) {
3011 /*
3012 * encrypted, nothing we can do right now.
3013 * we hope to decrypt the packet in the future...
3014 */
3015 ND_PRINT((ndo, " [encrypted %s]", NPSTR(base->np)));
3016 goto done;
3017 }
3018
3019 CHECKLEN(p + 1, base->np)
3020
3021 np = base->np;
3022 ext = (const struct isakmp_gen *)(p + 1);
3023 ikev2_sub_print(ndo, base, np, ext, ep, phase, 0, 0, 0);
3024 }
3025
3026 done:
3027 if (ndo->ndo_vflag) {
3028 if (ntohl(base->len) != length) {
3029 ND_PRINT((ndo, " (len mismatch: isakmp %u/ip %u)",
3030 (uint32_t)ntohl(base->len), length));
3031 }
3032 }
3033 }
3034
3035 void
isakmp_print(netdissect_options * ndo,const u_char * bp,u_int length,const u_char * bp2)3036 isakmp_print(netdissect_options *ndo,
3037 const u_char *bp, u_int length,
3038 const u_char *bp2)
3039 {
3040 const struct isakmp *p;
3041 struct isakmp base;
3042 const u_char *ep;
3043 int major, minor;
3044
3045 #ifdef HAVE_LIBCRYPTO
3046 /* initialize SAs */
3047 if (ndo->ndo_sa_list_head == NULL) {
3048 if (ndo->ndo_espsecret)
3049 esp_print_decodesecret(ndo);
3050 }
3051 #endif
3052
3053 p = (const struct isakmp *)bp;
3054 ep = ndo->ndo_snapend;
3055
3056 if ((const struct isakmp *)ep < p + 1) {
3057 ND_PRINT((ndo,"[|isakmp]"));
3058 return;
3059 }
3060
3061 UNALIGNED_MEMCPY(&base, p, sizeof(base));
3062
3063 ND_PRINT((ndo,"isakmp"));
3064 major = (base.vers & ISAKMP_VERS_MAJOR)
3065 >> ISAKMP_VERS_MAJOR_SHIFT;
3066 minor = (base.vers & ISAKMP_VERS_MINOR)
3067 >> ISAKMP_VERS_MINOR_SHIFT;
3068
3069 if (ndo->ndo_vflag) {
3070 ND_PRINT((ndo," %d.%d", major, minor));
3071 }
3072
3073 if (ndo->ndo_vflag) {
3074 ND_PRINT((ndo," msgid "));
3075 hexprint(ndo, (const uint8_t *)&base.msgid, sizeof(base.msgid));
3076 }
3077
3078 if (1 < ndo->ndo_vflag) {
3079 ND_PRINT((ndo," cookie "));
3080 hexprint(ndo, (const uint8_t *)&base.i_ck, sizeof(base.i_ck));
3081 ND_PRINT((ndo,"->"));
3082 hexprint(ndo, (const uint8_t *)&base.r_ck, sizeof(base.r_ck));
3083 }
3084 ND_PRINT((ndo,":"));
3085
3086 switch(major) {
3087 case IKEv1_MAJOR_VERSION:
3088 ikev1_print(ndo, bp, length, bp2, &base);
3089 break;
3090
3091 case IKEv2_MAJOR_VERSION:
3092 ikev2_print(ndo, bp, length, bp2, &base);
3093 break;
3094 }
3095 }
3096
3097 void
isakmp_rfc3948_print(netdissect_options * ndo,const u_char * bp,u_int length,const u_char * bp2)3098 isakmp_rfc3948_print(netdissect_options *ndo,
3099 const u_char *bp, u_int length,
3100 const u_char *bp2)
3101 {
3102 ND_TCHECK(bp[0]);
3103 if(length == 1 && bp[0]==0xff) {
3104 ND_PRINT((ndo, "isakmp-nat-keep-alive"));
3105 return;
3106 }
3107
3108 if(length < 4) {
3109 goto trunc;
3110 }
3111 ND_TCHECK(bp[3]);
3112
3113 /*
3114 * see if this is an IKE packet
3115 */
3116 if(bp[0]==0 && bp[1]==0 && bp[2]==0 && bp[3]==0) {
3117 ND_PRINT((ndo, "NONESP-encap: "));
3118 isakmp_print(ndo, bp+4, length-4, bp2);
3119 return;
3120 }
3121
3122 /* must be an ESP packet */
3123 {
3124 int nh, enh, padlen;
3125 int advance;
3126
3127 ND_PRINT((ndo, "UDP-encap: "));
3128
3129 advance = esp_print(ndo, bp, length, bp2, &enh, &padlen);
3130 if(advance <= 0)
3131 return;
3132
3133 bp += advance;
3134 length -= advance + padlen;
3135 nh = enh & 0xff;
3136
3137 ip_print_inner(ndo, bp, length, nh, bp2);
3138 return;
3139 }
3140
3141 trunc:
3142 ND_PRINT((ndo,"[|isakmp]"));
3143 return;
3144 }
3145
3146 /*
3147 * Local Variables:
3148 * c-style: whitesmith
3149 * c-basic-offset: 8
3150 * End:
3151 */
3152