1 /*
2 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. Neither the name of the project nor the names of its contributors
14 * may be used to endorse or promote products derived from this software
15 * without specific prior written permission.
16 *
17 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27 * SUCH DAMAGE.
28 *
29 */
30
31 /* \summary: Internet Security Association and Key Management Protocol (ISAKMP) printer */
32
33 /* specification: RFC 2407, RFC 2408, RFC 5996 */
34
35 #include <config.h>
36
37 #include "netdissect-stdinc.h"
38
39 #include <string.h>
40
41 #include "netdissect-ctype.h"
42
43 #include "netdissect.h"
44 #include "addrtoname.h"
45 #include "extract.h"
46
47 #include "ip.h"
48 #include "ip6.h"
49 #include "ipproto.h"
50
51 typedef nd_byte cookie_t[8];
52 typedef nd_byte msgid_t[4];
53
54 #define PORT_ISAKMP 500
55
56 /* 3.1 ISAKMP Header Format (IKEv1 and IKEv2)
57 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
58 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
59 ! Initiator !
60 ! Cookie !
61 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
62 ! Responder !
63 ! Cookie !
64 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
65 ! Next Payload ! MjVer ! MnVer ! Exchange Type ! Flags !
66 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
67 ! Message ID !
68 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
69 ! Length !
70 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
71 */
/*
 * Fixed 28-octet ISAKMP header shared by IKEv1 and IKEv2 (RFC 2408 3.1,
 * RFC 5996 3.1).  All members are raw network-order byte arrays (nd_* types);
 * the printers below read them through the GET_* accessors rather than
 * dereferencing them, since the packet may be truncated at any offset.
 */
struct isakmp {
	cookie_t i_ck;		/* Initiator Cookie (IKEv2 calls it the Initiator SPI) */
	cookie_t r_ck;		/* Responder Cookie (IKEv2: Responder SPI) */
	nd_uint8_t np;		/* Next Payload Type (ISAKMP_NPTYPE_*) */
	nd_uint8_t vers;	/* major version in the high nibble, minor in the low */
#define ISAKMP_VERS_MAJOR	0xf0
#define ISAKMP_VERS_MAJOR_SHIFT	4
#define ISAKMP_VERS_MINOR	0x0f
#define ISAKMP_VERS_MINOR_SHIFT	0
	nd_uint8_t etype;	/* Exchange Type (see etypestr[]) */
	nd_uint8_t flags;	/* Flags (ISAKMP_FLAG_*) */
	msgid_t msgid;		/* Message ID */
	nd_uint32_t len;	/* Length: per the RFC the total message length; comes from the wire, so untrusted */
};
86
87 /* Next Payload Type */
88 #define ISAKMP_NPTYPE_NONE 0 /* NONE*/
89 #define ISAKMP_NPTYPE_SA 1 /* Security Association */
90 #define ISAKMP_NPTYPE_P 2 /* Proposal */
91 #define ISAKMP_NPTYPE_T 3 /* Transform */
92 #define ISAKMP_NPTYPE_KE 4 /* Key Exchange */
93 #define ISAKMP_NPTYPE_ID 5 /* Identification */
94 #define ISAKMP_NPTYPE_CERT 6 /* Certificate */
95 #define ISAKMP_NPTYPE_CR 7 /* Certificate Request */
96 #define ISAKMP_NPTYPE_HASH 8 /* Hash */
97 #define ISAKMP_NPTYPE_SIG 9 /* Signature */
98 #define ISAKMP_NPTYPE_NONCE 10 /* Nonce */
99 #define ISAKMP_NPTYPE_N 11 /* Notification */
100 #define ISAKMP_NPTYPE_D 12 /* Delete */
101 #define ISAKMP_NPTYPE_VID 13 /* Vendor ID */
102 #define ISAKMP_NPTYPE_v2E 46 /* v2 Encrypted payload */
103
104 #define IKEv1_MAJOR_VERSION 1
105 #define IKEv1_MINOR_VERSION 0
106
107 #define IKEv2_MAJOR_VERSION 2
108 #define IKEv2_MINOR_VERSION 0
109
110 /* Flags */
111 #define ISAKMP_FLAG_E 0x01 /* Encryption Bit */
112 #define ISAKMP_FLAG_C 0x02 /* Commit Bit */
113 #define ISAKMP_FLAG_extra 0x04
114
115 /* IKEv2 */
116 #define ISAKMP_FLAG_I (1 << 3) /* (I)nitiator */
117 #define ISAKMP_FLAG_V (1 << 4) /* (V)ersion */
118 #define ISAKMP_FLAG_R (1 << 5) /* (R)esponse */
119
120
121 /* 3.2 Payload Generic Header
122 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
123 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
124 ! Next Payload ! RESERVED ! Payload Length !
125 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
126 */
/*
 * Generic 4-octet header that starts every payload (RFC 2408 3.2).
 * The payload length is attacker-controlled; printers must check it
 * against the enclosing message before trusting it.
 */
struct isakmp_gen {
	nd_uint8_t np;		/* Next Payload */
	nd_uint8_t critical;	/* bit 7 - critical (IKEv2), rest is RESERVED */
	nd_uint16_t len;	/* Payload Length, per the RFC including this header */
};
132
133 /* 3.3 Data Attributes
134 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
135 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
136 !A! Attribute Type ! AF=0 Attribute Length !
137 !F! ! AF=1 Attribute Value !
138 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
139 . AF=0 Attribute Value .
140 . AF=1 Not Transmitted .
141 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
142 */
/*
 * Data attribute header (RFC 2408 3.3).  The top bit of `type` is the
 * Attribute Format (AF) bit: when set, `lorv` is the 2-octet value itself
 * and nothing follows; when clear, `lorv` is the length of the value that
 * follows the header.  ikev1_attr_print()/ikev1_attrmap_print() decode it.
 */
struct isakmp_data {
	nd_uint16_t type;	/* AF bit | attribute type (defined by the DOI spec) */
	nd_uint16_t lorv;	/* AF=0: Attribute Length; AF=1: Attribute Value */
	/* AF=0 only: Attribute Value (lorv octets) follows */
};
149
150 /* 3.4 Security Association Payload */
/* Not expected to be used directly: the IPsec DOI (RFC 2407) defines its own SA payload layout, see struct ipsecdoi_sa below. */
152 /*
153 If the current payload is the last in the message,
154 then the value of the next payload field will be 0.
155 This field MUST NOT contain the
156 values for the Proposal or Transform payloads as they are considered
157 part of the security association negotiation. For example, this
158 field would contain the value "10" (Nonce payload) in the first
159 message of a Base Exchange (see Section 4.4) and the value "0" in the
160 first message of an Identity Protect Exchange (see Section 4.5).
161 */
162 struct ikev1_pl_sa {
163 struct isakmp_gen h;
164 nd_uint32_t doi; /* Domain of Interpretation */
165 nd_uint32_t sit; /* Situation */
166 };
167
168 /* 3.5 Proposal Payload */
169 /*
170 The value of the next payload field MUST only contain the value "2"
171 or "0". If there are additional Proposal payloads in the message,
172 then this field will be 2. If the current Proposal payload is the
173 last within the security association proposal, then this field will
174 be 0.
175 */
176 struct ikev1_pl_p {
177 struct isakmp_gen h;
178 nd_uint8_t p_no; /* Proposal # */
179 nd_uint8_t prot_id; /* Protocol */
180 nd_uint8_t spi_size; /* SPI Size */
181 nd_uint8_t num_t; /* Number of Transforms */
182 /* SPI */
183 };
184
185 /* 3.6 Transform Payload */
186 /*
187 The value of the next payload field MUST only contain the value "3"
188 or "0". If there are additional Transform payloads in the proposal,
189 then this field will be 3. If the current Transform payload is the
190 last within the proposal, then this field will be 0.
191 */
192 struct ikev1_pl_t {
193 struct isakmp_gen h;
194 nd_uint8_t t_no; /* Transform # */
195 nd_uint8_t t_id; /* Transform-Id */
196 nd_byte reserved[2]; /* RESERVED2 */
197 /* SA Attributes */
198 };
199
200 /* 3.7 Key Exchange Payload */
201 struct ikev1_pl_ke {
202 struct isakmp_gen h;
203 /* Key Exchange Data */
204 };
205
206 /* 3.8 Identification Payload */
/* MUST NOT be used directly: the IPsec DOI (RFC 2407) defines the ID payload layout, see struct ipsecdoi_id below. */
208 struct ikev1_pl_id {
209 struct isakmp_gen h;
210 union {
211 nd_uint8_t id_type; /* ID Type */
212 nd_uint32_t doi_data; /* DOI Specific ID Data */
213 } d;
214 /* Identification Data */
215 };
216
217 /* 3.9 Certificate Payload */
218 struct ikev1_pl_cert {
219 struct isakmp_gen h;
220 nd_uint8_t encode; /* Cert Encoding */
221 nd_uint8_t cert; /* Certificate Data */
222 /*
223 This field indicates the type of
224 certificate or certificate-related information contained in the
225 Certificate Data field.
226 */
227 };
228
229 /* 3.10 Certificate Request Payload */
/* 3.10 Certificate Request Payload */
struct ikev1_pl_cr {
	struct isakmp_gen h;
	nd_uint8_t num_cert;	/* # Cert. Types */
	/*
	 * Certificate Types (variable length)
	 * -- Contains a list of the types of certificates requested,
	 * sorted in order of preference.  Each individual certificate
	 * type is 1 octet.  This field is NOT required.
	 */
	/* # Certificate Authorities (1 octet) */
	/* Certificate Authorities (variable length) */
};
242
243 /* 3.11 Hash Payload */
/* Possibly unused: the payload is just the generic header followed by opaque Hash Data. */
245 struct ikev1_pl_hash {
246 struct isakmp_gen h;
247 /* Hash Data */
248 };
249
250 /* 3.12 Signature Payload */
/* Possibly unused: the payload is just the generic header followed by opaque Signature Data. */
252 struct ikev1_pl_sig {
253 struct isakmp_gen h;
254 /* Signature Data */
255 };
256
257 /* 3.13 Nonce Payload */
/* Possibly unused: the payload is just the generic header followed by opaque Nonce Data. */
259 struct ikev1_pl_nonce {
260 struct isakmp_gen h;
261 /* Nonce Data */
262 };
263
264 /* 3.14 Notification Payload */
265 struct ikev1_pl_n {
266 struct isakmp_gen h;
267 nd_uint32_t doi; /* Domain of Interpretation */
268 nd_uint8_t prot_id; /* Protocol-ID */
269 nd_uint8_t spi_size; /* SPI Size */
270 nd_uint16_t type; /* Notify Message Type */
271 /* SPI */
272 /* Notification Data */
273 };
274
275 /* 3.14.1 Notify Message Types */
276 /* NOTIFY MESSAGES - ERROR TYPES */
277 #define ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE 1
278 #define ISAKMP_NTYPE_DOI_NOT_SUPPORTED 2
279 #define ISAKMP_NTYPE_SITUATION_NOT_SUPPORTED 3
280 #define ISAKMP_NTYPE_INVALID_COOKIE 4
281 #define ISAKMP_NTYPE_INVALID_MAJOR_VERSION 5
282 #define ISAKMP_NTYPE_INVALID_MINOR_VERSION 6
283 #define ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE 7
284 #define ISAKMP_NTYPE_INVALID_FLAGS 8
285 #define ISAKMP_NTYPE_INVALID_MESSAGE_ID 9
286 #define ISAKMP_NTYPE_INVALID_PROTOCOL_ID 10
287 #define ISAKMP_NTYPE_INVALID_SPI 11
288 #define ISAKMP_NTYPE_INVALID_TRANSFORM_ID 12
289 #define ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED 13
290 #define ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN 14
291 #define ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX 15
292 #define ISAKMP_NTYPE_PAYLOAD_MALFORMED 16
293 #define ISAKMP_NTYPE_INVALID_KEY_INFORMATION 17
294 #define ISAKMP_NTYPE_INVALID_ID_INFORMATION 18
295 #define ISAKMP_NTYPE_INVALID_CERT_ENCODING 19
296 #define ISAKMP_NTYPE_INVALID_CERTIFICATE 20
297 #define ISAKMP_NTYPE_BAD_CERT_REQUEST_SYNTAX 21
298 #define ISAKMP_NTYPE_INVALID_CERT_AUTHORITY 22
299 #define ISAKMP_NTYPE_INVALID_HASH_INFORMATION 23
300 #define ISAKMP_NTYPE_AUTHENTICATION_FAILED 24
301 #define ISAKMP_NTYPE_INVALID_SIGNATURE 25
302 #define ISAKMP_NTYPE_ADDRESS_NOTIFICATION 26
303
304 /* 3.15 Delete Payload */
305 struct ikev1_pl_d {
306 struct isakmp_gen h;
307 nd_uint32_t doi; /* Domain of Interpretation */
308 nd_uint8_t prot_id; /* Protocol-Id */
309 nd_uint8_t spi_size; /* SPI Size */
310 nd_uint16_t num_spi; /* # of SPIs */
311 /* SPI(es) */
312 };
313
314 /* IKEv2 (RFC4306) */
315
316 /* 3.3 Security Association Payload -- generic header */
317 /* 3.3.1. Proposal Substructure */
318 struct ikev2_p {
319 struct isakmp_gen h;
320 nd_uint8_t p_no; /* Proposal # */
321 nd_uint8_t prot_id; /* Protocol */
322 nd_uint8_t spi_size; /* SPI Size */
323 nd_uint8_t num_t; /* Number of Transforms */
324 };
325
326 /* 3.3.2. Transform Substructure */
327 struct ikev2_t {
328 struct isakmp_gen h;
329 nd_uint8_t t_type; /* Transform Type (ENCR,PRF,INTEG,etc.*/
330 nd_byte res2; /* reserved byte */
331 nd_uint16_t t_id; /* Transform ID */
332 };
333
334 enum ikev2_t_type {
335 IV2_T_ENCR = 1,
336 IV2_T_PRF = 2,
337 IV2_T_INTEG= 3,
338 IV2_T_DH = 4,
339 IV2_T_ESN = 5
340 };
341
342 /* 3.4. Key Exchange Payload */
343 struct ikev2_ke {
344 struct isakmp_gen h;
345 nd_uint16_t ke_group;
346 nd_uint16_t ke_res1;
347 /* KE data */
348 };
349
350
351 /* 3.5. Identification Payloads */
352 enum ikev2_id_type {
353 ID_IPV4_ADDR=1,
354 ID_FQDN=2,
355 ID_RFC822_ADDR=3,
356 ID_IPV6_ADDR=5,
357 ID_DER_ASN1_DN=9,
358 ID_DER_ASN1_GN=10,
359 ID_KEY_ID=11
360 };
/* IKEv2 Identification payload (IDi / IDr); see enum ikev2_id_type. */
struct ikev2_id {
	struct isakmp_gen h;
	nd_uint8_t type;	/* ID type (enum ikev2_id_type) */
	nd_byte res1;		/* RESERVED */
	nd_byte res2[2];	/* RESERVED */
	/* Identification Data (variable length) follows */
};
369
370 /* 3.10 Notification Payload */
371 struct ikev2_n {
372 struct isakmp_gen h;
373 nd_uint8_t prot_id; /* Protocol-ID */
374 nd_uint8_t spi_size; /* SPI Size */
375 nd_uint16_t type; /* Notify Message Type */
376 };
377
378 enum ikev2_n_type {
379 IV2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD = 1,
380 IV2_NOTIFY_INVALID_IKE_SPI = 4,
381 IV2_NOTIFY_INVALID_MAJOR_VERSION = 5,
382 IV2_NOTIFY_INVALID_SYNTAX = 7,
383 IV2_NOTIFY_INVALID_MESSAGE_ID = 9,
384 IV2_NOTIFY_INVALID_SPI =11,
385 IV2_NOTIFY_NO_PROPOSAL_CHOSEN =14,
386 IV2_NOTIFY_INVALID_KE_PAYLOAD =17,
387 IV2_NOTIFY_AUTHENTICATION_FAILED =24,
388 IV2_NOTIFY_SINGLE_PAIR_REQUIRED =34,
389 IV2_NOTIFY_NO_ADDITIONAL_SAS =35,
390 IV2_NOTIFY_INTERNAL_ADDRESS_FAILURE =36,
391 IV2_NOTIFY_FAILED_CP_REQUIRED =37,
392 IV2_NOTIFY_INVALID_SELECTORS =39,
393 IV2_NOTIFY_INITIAL_CONTACT =16384,
394 IV2_NOTIFY_SET_WINDOW_SIZE =16385,
395 IV2_NOTIFY_ADDITIONAL_TS_POSSIBLE =16386,
396 IV2_NOTIFY_IPCOMP_SUPPORTED =16387,
397 IV2_NOTIFY_NAT_DETECTION_SOURCE_IP =16388,
398 IV2_NOTIFY_NAT_DETECTION_DESTINATION_IP =16389,
399 IV2_NOTIFY_COOKIE =16390,
400 IV2_NOTIFY_USE_TRANSPORT_MODE =16391,
401 IV2_NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED =16392,
402 IV2_NOTIFY_REKEY_SA =16393,
403 IV2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED =16394,
404 IV2_NOTIFY_NON_FIRST_FRAGMENTS_ALSO =16395
405 };
406
/*
 * Maps an IKEv2 notify message type to a printable name.
 * NOTE(review): `msg` would more accurately be `const char *` if the table
 * entries are string literals (the table itself is not visible here).
 */
struct notify_messages {
	uint16_t type;		/* notify type, host order (enum ikev2_n_type) */
	char *msg;		/* human-readable name */
};
411
412 /* 3.8 Authentication Payload */
/* 3.8 Authentication Payload */
struct ikev2_auth {
	struct isakmp_gen h;
	nd_uint8_t auth_method;	/* Auth Method (enum ikev2_auth_type) */
	nd_byte reserved[3];	/* RESERVED */
	/* Authentication Data (variable length) follows */
};
419
420 enum ikev2_auth_type {
421 IV2_RSA_SIG = 1,
422 IV2_SHARED = 2,
423 IV2_DSS_SIG = 3
424 };
425
426 /* refer to RFC 2409 */
427
428 #if 0
429 /* isakmp sa structure */
430 struct oakley_sa {
431 uint8_t proto_id; /* OAKLEY */
432 vchar_t *spi; /* spi */
433 uint8_t dhgrp; /* DH; group */
434 uint8_t auth_t; /* method of authentication */
435 uint8_t prf_t; /* type of prf */
436 uint8_t hash_t; /* type of hash */
437 uint8_t enc_t; /* type of cipher */
438 uint8_t life_t; /* type of duration of lifetime */
439 uint32_t ldur; /* life duration */
440 };
441 #endif
442
443 /* refer to RFC 2407 */
444
445 #define IPSEC_DOI 1
446
447 /* 4.2 IPSEC Situation Definition */
448 #define IPSECDOI_SIT_IDENTITY_ONLY 0x00000001
449 #define IPSECDOI_SIT_SECRECY 0x00000002
450 #define IPSECDOI_SIT_INTEGRITY 0x00000004
451
452 /* 4.4.1 IPSEC Security Protocol Identifiers */
453 /* 4.4.2 IPSEC ISAKMP Transform Values */
454 #define IPSECDOI_PROTO_ISAKMP 1
455 #define IPSECDOI_KEY_IKE 1
456
457 /* 4.4.1 IPSEC Security Protocol Identifiers */
458 #define IPSECDOI_PROTO_IPSEC_AH 2
459 /* 4.4.3 IPSEC AH Transform Values */
460 #define IPSECDOI_AH_MD5 2
461 #define IPSECDOI_AH_SHA 3
462 #define IPSECDOI_AH_DES 4
463 #define IPSECDOI_AH_SHA2_256 5
464 #define IPSECDOI_AH_SHA2_384 6
465 #define IPSECDOI_AH_SHA2_512 7
466
467 /* 4.4.1 IPSEC Security Protocol Identifiers */
468 #define IPSECDOI_PROTO_IPSEC_ESP 3
469 /* 4.4.4 IPSEC ESP Transform Identifiers */
470 #define IPSECDOI_ESP_DES_IV64 1
471 #define IPSECDOI_ESP_DES 2
472 #define IPSECDOI_ESP_3DES 3
473 #define IPSECDOI_ESP_RC5 4
474 #define IPSECDOI_ESP_IDEA 5
475 #define IPSECDOI_ESP_CAST 6
476 #define IPSECDOI_ESP_BLOWFISH 7
477 #define IPSECDOI_ESP_3IDEA 8
478 #define IPSECDOI_ESP_DES_IV32 9
479 #define IPSECDOI_ESP_RC4 10
480 #define IPSECDOI_ESP_NULL 11
481 #define IPSECDOI_ESP_RIJNDAEL 12
482 #define IPSECDOI_ESP_AES 12
483
484 /* 4.4.1 IPSEC Security Protocol Identifiers */
485 #define IPSECDOI_PROTO_IPCOMP 4
486 /* 4.4.5 IPSEC IPCOMP Transform Identifiers */
487 #define IPSECDOI_IPCOMP_OUI 1
488 #define IPSECDOI_IPCOMP_DEFLATE 2
489 #define IPSECDOI_IPCOMP_LZS 3
490
491 /* 4.5 IPSEC Security Association Attributes */
492 #define IPSECDOI_ATTR_SA_LTYPE 1 /* B */
493 #define IPSECDOI_ATTR_SA_LTYPE_DEFAULT 1
494 #define IPSECDOI_ATTR_SA_LTYPE_SEC 1
495 #define IPSECDOI_ATTR_SA_LTYPE_KB 2
496 #define IPSECDOI_ATTR_SA_LDUR 2 /* V */
497 #define IPSECDOI_ATTR_SA_LDUR_DEFAULT 28800 /* 8 hours */
498 #define IPSECDOI_ATTR_GRP_DESC 3 /* B */
499 #define IPSECDOI_ATTR_ENC_MODE 4 /* B */
500 /* default value: host dependent */
501 #define IPSECDOI_ATTR_ENC_MODE_TUNNEL 1
502 #define IPSECDOI_ATTR_ENC_MODE_TRNS 2
503 #define IPSECDOI_ATTR_AUTH 5 /* B */
504 /* 0 means not to use authentication. */
505 #define IPSECDOI_ATTR_AUTH_HMAC_MD5 1
506 #define IPSECDOI_ATTR_AUTH_HMAC_SHA1 2
507 #define IPSECDOI_ATTR_AUTH_DES_MAC 3
508 #define IPSECDOI_ATTR_AUTH_KPDK 4 /*RFC-1826(Key/Pad/Data/Key)*/
509 /*
510 * When negotiating ESP without authentication, the Auth
511 * Algorithm attribute MUST NOT be included in the proposal.
512 * When negotiating ESP without confidentiality, the Auth
513 * Algorithm attribute MUST be included in the proposal and
514 * the ESP transform ID must be ESP_NULL.
515 */
516 #define IPSECDOI_ATTR_KEY_LENGTH 6 /* B */
517 #define IPSECDOI_ATTR_KEY_ROUNDS 7 /* B */
518 #define IPSECDOI_ATTR_COMP_DICT_SIZE 8 /* B */
519 #define IPSECDOI_ATTR_COMP_PRIVALG 9 /* V */
520
521 /* 4.6.1 Security Association Payload */
522 struct ipsecdoi_sa {
523 struct isakmp_gen h;
524 nd_uint32_t doi; /* Domain of Interpretation */
525 nd_uint32_t sit; /* Situation */
526 };
527
528 struct ipsecdoi_secrecy_h {
529 nd_uint16_t len;
530 nd_uint16_t reserved;
531 };
532
533 /* 4.6.2.1 Identification Type Values */
534 struct ipsecdoi_id {
535 struct isakmp_gen h;
536 nd_uint8_t type; /* ID Type */
537 nd_uint8_t proto_id; /* Protocol ID */
538 nd_uint16_t port; /* Port */
539 /* Identification Data */
540 };
541
542 #define IPSECDOI_ID_IPV4_ADDR 1
543 #define IPSECDOI_ID_FQDN 2
544 #define IPSECDOI_ID_USER_FQDN 3
545 #define IPSECDOI_ID_IPV4_ADDR_SUBNET 4
546 #define IPSECDOI_ID_IPV6_ADDR 5
547 #define IPSECDOI_ID_IPV6_ADDR_SUBNET 6
548 #define IPSECDOI_ID_IPV4_ADDR_RANGE 7
549 #define IPSECDOI_ID_IPV6_ADDR_RANGE 8
550 #define IPSECDOI_ID_DER_ASN1_DN 9
551 #define IPSECDOI_ID_DER_ASN1_GN 10
552 #define IPSECDOI_ID_KEY_ID 11
553
554 /* 4.6.3 IPSEC DOI Notify Message Types */
555 /* Notify Messages - Status Types */
556 #define IPSECDOI_NTYPE_RESPONDER_LIFETIME 24576
557 #define IPSECDOI_NTYPE_REPLAY_STATUS 24577
558 #define IPSECDOI_NTYPE_INITIAL_CONTACT 24578
559
560 #define DECLARE_PRINTER(func) static const u_char *ike##func##_print( \
561 netdissect_options *ndo, u_char tpay, \
562 const struct isakmp_gen *ext, \
563 u_int item_len, \
564 const u_char *end_pointer, \
565 uint32_t phase,\
566 uint32_t doi0, \
567 uint32_t proto0, int depth)
568
569 DECLARE_PRINTER(v1_sa);
570 DECLARE_PRINTER(v1_p);
571 DECLARE_PRINTER(v1_t);
572 DECLARE_PRINTER(v1_ke);
573 DECLARE_PRINTER(v1_id);
574 DECLARE_PRINTER(v1_cert);
575 DECLARE_PRINTER(v1_cr);
576 DECLARE_PRINTER(v1_sig);
577 DECLARE_PRINTER(v1_hash);
578 DECLARE_PRINTER(v1_nonce);
579 DECLARE_PRINTER(v1_n);
580 DECLARE_PRINTER(v1_d);
581 DECLARE_PRINTER(v1_vid);
582
583 DECLARE_PRINTER(v2_sa);
584 DECLARE_PRINTER(v2_ke);
585 DECLARE_PRINTER(v2_ID);
586 DECLARE_PRINTER(v2_cert);
587 DECLARE_PRINTER(v2_cr);
588 DECLARE_PRINTER(v2_auth);
589 DECLARE_PRINTER(v2_nonce);
590 DECLARE_PRINTER(v2_n);
591 DECLARE_PRINTER(v2_d);
592 DECLARE_PRINTER(v2_vid);
593 DECLARE_PRINTER(v2_TS);
594 DECLARE_PRINTER(v2_cp);
595 DECLARE_PRINTER(v2_eap);
596
597 static const u_char *ikev2_e_print(netdissect_options *ndo,
598 const struct isakmp *base,
599 u_char tpay,
600 const struct isakmp_gen *ext,
601 u_int item_len,
602 const u_char *end_pointer,
603 uint32_t phase,
604 uint32_t doi0,
605 uint32_t proto0, int depth);
606
607
608 static const u_char *ike_sub0_print(netdissect_options *ndo,u_char, const struct isakmp_gen *,
609 const u_char *, uint32_t, uint32_t, uint32_t, int);
610 static const u_char *ikev1_sub_print(netdissect_options *ndo,u_char, const struct isakmp_gen *,
611 const u_char *, uint32_t, uint32_t, uint32_t, int);
612
613 static const u_char *ikev2_sub_print(netdissect_options *ndo,
614 const struct isakmp *base,
615 u_char np, const struct isakmp_gen *ext,
616 const u_char *ep, uint32_t phase,
617 uint32_t doi, uint32_t proto,
618 int depth);
619
620
621 static char *numstr(u_int);
622
623 static void
624 ikev1_print(netdissect_options *ndo,
625 const u_char *bp, u_int length,
626 const u_char *bp2, const struct isakmp *base);
627
/*
 * Small ring buffer remembering recently seen initiator cookies together
 * with the IP addresses of the packet that first carried them, so later
 * packets of the same exchange can be labelled initiator/responder
 * (cookie_record(), cookie_sidecheck()).  Only the last MAXINITIATORS
 * initiators are kept; older ones are overwritten.  A flood of fresh
 * cookies can therefore only degrade the direction labels, never memory
 * safety.  Plain global state: assumes the single-threaded printer model.
 */
#define MAXINITIATORS	20
static int ninitiator = 0;	/* next ring slot to fill */
union inaddr_u {
	nd_ipv4 in4;
	nd_ipv6 in6;
};
static struct {
	cookie_t initiator;	/* initiator cookie, the lookup key */
	u_int version;		/* 4 or 6: selects the union member in use */
	union inaddr_u iaddr;	/* source address when the cookie was first seen */
	union inaddr_u raddr;	/* destination address at that time */
} cookiecache[MAXINITIATORS];
640
641 /* protocol id */
642 static const char *protoidstr[] = {
643 NULL, "isakmp", "ipsec-ah", "ipsec-esp", "ipcomp",
644 };
645
646 /* isakmp->np */
647 static const char *npstr[] = {
648 "none", "sa", "p", "t", "ke", "id", "cert", "cr", "hash", /* 0 - 8 */
649 "sig", "nonce", "n", "d", "vid", /* 9 - 13 */
650 "pay14", "pay15", "pay16", "pay17", "pay18", /* 14- 18 */
651 "pay19", "pay20", "pay21", "pay22", "pay23", /* 19- 23 */
652 "pay24", "pay25", "pay26", "pay27", "pay28", /* 24- 28 */
653 "pay29", "pay30", "pay31", "pay32", /* 29- 32 */
654 "v2sa", "v2ke", "v2IDi", "v2IDr", "v2cert",/* 33- 37 */
655 "v2cr", "v2auth","v2nonce", "v2n", "v2d", /* 38- 42 */
656 "v2vid", "v2TSi", "v2TSr", "v2e", "v2cp", /* 43- 47 */
657 "v2eap", /* 48 */
658
659 };
660
661 /* isakmp->np */
662 static const u_char *(*npfunc[])(netdissect_options *ndo, u_char tpay,
663 const struct isakmp_gen *ext,
664 u_int item_len,
665 const u_char *end_pointer,
666 uint32_t phase,
667 uint32_t doi0,
668 uint32_t proto0, int depth) = {
669 NULL,
670 ikev1_sa_print,
671 ikev1_p_print,
672 ikev1_t_print,
673 ikev1_ke_print,
674 ikev1_id_print,
675 ikev1_cert_print,
676 ikev1_cr_print,
677 ikev1_hash_print,
678 ikev1_sig_print,
679 ikev1_nonce_print,
680 ikev1_n_print,
681 ikev1_d_print,
682 ikev1_vid_print, /* 13 */
683 NULL, NULL, NULL, NULL, NULL, /* 14- 18 */
684 NULL, NULL, NULL, NULL, NULL, /* 19- 23 */
685 NULL, NULL, NULL, NULL, NULL, /* 24- 28 */
686 NULL, NULL, NULL, NULL, /* 29- 32 */
687 ikev2_sa_print, /* 33 */
688 ikev2_ke_print, /* 34 */
689 ikev2_ID_print, /* 35 */
690 ikev2_ID_print, /* 36 */
691 ikev2_cert_print, /* 37 */
692 ikev2_cr_print, /* 38 */
693 ikev2_auth_print, /* 39 */
694 ikev2_nonce_print, /* 40 */
695 ikev2_n_print, /* 41 */
696 ikev2_d_print, /* 42 */
697 ikev2_vid_print, /* 43 */
698 ikev2_TS_print, /* 44 */
699 ikev2_TS_print, /* 45 */
700 NULL, /* ikev2_e_print,*/ /* 46 - special */
701 ikev2_cp_print, /* 47 */
702 ikev2_eap_print, /* 48 */
703 };
704
705 /* isakmp->etype */
706 static const char *etypestr[] = {
707 /* IKEv1 exchange types */
708 "none", "base", "ident", "auth", "agg", "inf", NULL, NULL, /* 0-7 */
709 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 8-15 */
710 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 16-23 */
711 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 24-31 */
712 "oakley-quick", "oakley-newgroup", /* 32-33 */
713 /* IKEv2 exchange types */
714 "ikev2_init", "ikev2_auth", "child_sa", "inf2" /* 34-37 */
715 };
716
/*
 * Name lookup with a numeric fallback.  The bound check and the NULL check
 * both happen before tab[] is dereferenced, so a packet-supplied value that
 * is out of range or has no name can never index past the table; numstr()
 * is used instead.  `x` is evaluated up to three times: pass a plain
 * variable, never an expression with side effects.
 */
#define STR_OR_ID(x, tab) \
	(((x) < sizeof(tab)/sizeof(tab[0]) && tab[(x)]) ? tab[(x)] : numstr(x))
#define PROTOIDSTR(x)	STR_OR_ID(x, protoidstr)
#define NPSTR(x)	STR_OR_ID(x, npstr)
#define ETYPESTR(x)	STR_OR_ID(x, etypestr)

/*
 * Abort the current payload when p lies past ep (the end of the data being
 * dissected).  Requires an `ep` variable and a `done` label in the caller.
 * It expands to a bare `if`, so never follow it with an `else`.
 */
#define CHECKLEN(p, np) \
	if (ep < (const u_char *)(p)) { \
		ND_PRINT(" [|%s]", NPSTR(np)); \
		goto done; \
	}


/* Printer registered for next-payload type x, or NULL (bounds-checked). */
#define NPFUNC(x) \
	(((x) < sizeof(npfunc)/sizeof(npfunc[0]) && npfunc[(x)]) \
	? npfunc[(x)] : NULL)
733
/*
 * Return 1 if the l octets at p are all zero, 0 otherwise.
 *
 * Each octet is fetched through GET_U_1(), netdissect's bounds-checked
 * accessor, so no separate ND_TCHECK is needed before calling this on
 * packet data.
 */
static int
iszero(netdissect_options *ndo, const u_char *p, size_t l)
{
	size_t i;

	for (i = 0; i < l; i++) {
		if (GET_U_1(p + i) != 0)
			return 0;
	}
	return 1;
}
745
746 /* find cookie from initiator cache */
/*
 * Look an initiator cookie up in cookiecache[].
 * Returns the slot index, or -1 if the cookie is not cached.
 *
 * NOTE(review): unused slots are all-zero, so an all-zero cookie would
 * match an empty slot; callers should screen those out (iszero()) before
 * trusting a hit.
 */
static int
cookie_find(const cookie_t *in)
{
	int slot = 0;

	while (slot < MAXINITIATORS) {
		if (memcmp(in, &cookiecache[slot].initiator, sizeof(*in)) == 0)
			return slot;
		slot++;
	}
	return -1;
}
759
760 /* record initiator */
/*
 * Remember an initiator cookie together with the source/destination
 * addresses of the packet carrying it, so later packets of the exchange
 * can be labelled initiator/responder by cookie_sidecheck().
 *
 * bp2 must point at the enclosing, already dissected, IPv4 or IPv6 header.
 * A cookie that is already cached is not stored again; the ring index is
 * simply moved to the slot after the existing entry.  A packet that is
 * neither IPv4 nor IPv6 is ignored.  Entries are overwritten round-robin,
 * so this can only ever affect the printed direction labels.
 */
static void
cookie_record(netdissect_options *ndo, const cookie_t *in, const u_char *bp2)
{
	int slot;
	const struct ip *ip4;
	const struct ip6_hdr *ip6;

	slot = cookie_find(in);
	if (slot >= 0) {
		ninitiator = (slot + 1) % MAXINITIATORS;
		return;
	}

	slot = ninitiator;
	ip4 = (const struct ip *)bp2;
	switch (IP_V(ip4)) {
	case 4:
		cookiecache[slot].version = 4;
		UNALIGNED_MEMCPY(&cookiecache[slot].iaddr.in4,
				 ip4->ip_src, sizeof(nd_ipv4));
		UNALIGNED_MEMCPY(&cookiecache[slot].raddr.in4,
				 ip4->ip_dst, sizeof(nd_ipv4));
		break;
	case 6:
		ip6 = (const struct ip6_hdr *)bp2;
		cookiecache[slot].version = 6;
		UNALIGNED_MEMCPY(&cookiecache[slot].iaddr.in6,
				 ip6->ip6_src, sizeof(nd_ipv6));
		UNALIGNED_MEMCPY(&cookiecache[slot].raddr.in6,
				 ip6->ip6_dst, sizeof(nd_ipv6));
		break;
	default:
		/* Not IP: nothing usable to key the direction on. */
		return;
	}
	UNALIGNED_MEMCPY(&cookiecache[slot].initiator, in, sizeof(*in));
	ninitiator = (slot + 1) % MAXINITIATORS;
}
797
798 #define cookie_isinitiator(ndo, x, y) cookie_sidecheck(ndo, (x), (y), 1)
799 #define cookie_isresponder(ndo, x, y) cookie_sidecheck(ndo, (x), (y), 0)
/*
 * Decide whether the packet whose IP header is at bp2 was sent by the
 * initiator (initiator != 0) or the responder (initiator == 0) of the
 * exchange cached in cookiecache[i].
 *
 * Returns 1 when the packet's source address equals the cached address for
 * that side and the IP version matches the cached one, 0 otherwise
 * (including non-IP packets).  This is a heuristic for labelling only.
 */
static int
cookie_sidecheck(netdissect_options *ndo, int i, const u_char *bp2, int initiator)
{
	const struct ip *ip4 = (const struct ip *)bp2;
	const struct ip6_hdr *ip6;
	const void *want;

	switch (IP_V(ip4)) {
	case 4:
		if (cookiecache[i].version != 4)
			return 0;
		want = initiator ? (const void *)&cookiecache[i].iaddr.in4
				 : (const void *)&cookiecache[i].raddr.in4;
		return UNALIGNED_MEMCMP(ip4->ip_src, want, sizeof(nd_ipv4)) == 0;
	case 6:
		if (cookiecache[i].version != 6)
			return 0;
		ip6 = (const struct ip6_hdr *)bp2;
		want = initiator ? (const void *)&cookiecache[i].iaddr.in6
				 : (const void *)&cookiecache[i].raddr.in6;
		return UNALIGNED_MEMCMP(ip6->ip6_src, want, sizeof(nd_ipv6)) == 0;
	default:
		return 0;
	}
}
837
/*
 * Hex-dump len octets at loc, two hex digits per octet, no separators.
 *
 * Reads the bytes directly rather than via GET_*, so the caller must have
 * bounds-checked [loc, loc + len) against the captured data first;
 * rawprint() below is the checked wrapper and should normally be used.
 */
static void
hexprint(netdissect_options *ndo, const uint8_t *loc, size_t len)
{
	const uint8_t *cur = loc;
	const uint8_t *stop = loc + len;

	while (cur < stop) {
		ND_PRINT("%02x", *cur);
		cur++;
	}
}
848
/*
 * Bounds-checked hex dump of len octets at loc.
 * Returns 1 after printing, 0 (printing nothing) when the range is not
 * entirely within the captured packet.  ND_TCHECK_LEN jumps to `trunc`.
 */
static int
rawprint(netdissect_options *ndo, const uint8_t *loc, size_t len)
{
	ND_TCHECK_LEN(loc, len);
	hexprint(ndo, loc, len);
	return 1;

trunc:
	return 0;
}
859
860
861 /*
862 * returns false if we run out of data buffer
863 */
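/*
 * Print an abbreviated hex dump of [cp, ep): the first (up to) 10 octets,
 * "...", then the last (up to) 20 octets, for payloads whose full body is
 * not worth printing.  If fewer than 30 octets are available the tail is
 * shrunk so the two parts never overlap.
 *
 * Returns 1 on success, 0 when the data is not entirely inside the
 * captured packet (rawprint() has then already printed what it could).
 */
static int
ike_show_somedata(netdissect_options *ndo,
		  const u_char *cp, const u_char *ep)
{
	const size_t head_max = 10, tail_max = 20;
	size_t avail, head, tail;
	const u_char *tailp;

	/* Tolerate a caller handing us an empty or inverted range. */
	avail = (ep > cp) ? (size_t)(ep - cp) : 0;
	head = (avail > head_max) ? head_max : avail;

	/*
	 * Work in lengths rather than computing ep - 20 up front: with fewer
	 * than 20 octets left that pointer would lie before cp, i.e. outside
	 * the object, which is undefined pointer arithmetic even if it is
	 * later compared and discarded.
	 */
	if (avail < head + tail_max) {
		tailp = cp + head;
		tail = avail - head;
	} else {
		tailp = ep - tail_max;
		tail = tail_max;
	}

	ND_PRINT(" data=(");
	if (!rawprint(ndo, (const uint8_t *)cp, head))
		goto trunc;
	ND_PRINT("...");
	if (tail != 0 && !rawprint(ndo, (const uint8_t *)tailp, tail))
		goto trunc;
	ND_PRINT(")");
	return 1;

trunc:
	return 0;
}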
893
/*
 * Name table for one IKEv1 attribute type: `value[v]` names value v for
 * v < nvalue.  The array is fixed at 30 entries, so nvalue must never exceed
 * that (ikev1_attrmap_print() trusts nvalue when indexing value[]).
 */
struct attrmap {
	const char *type;
	u_int nvalue;
	const char *value[30]; /*XXX fixed size; keep nvalue <= 30 */
};
899
/*
 * Print one IKEv1 data attribute (RFC 2408 3.3) starting at p, naming its
 * type and (for AF=1 "basic" attributes) its value through map.
 *
 * p    - start of the attribute;  ep2 - end of the enclosing payload.
 * map  - nmap entries of type/value names; may be NULL.
 * Returns a pointer to the next attribute; ep2 + 1 when the attribute's
 * declared length runs past ep2 (presumably so the caller's loop stops);
 * NULL when the raw dump hit the end of the captured data.
 *
 * Security notes: the attribute length is packet-controlled and is checked
 * against ep2 before any value octets are dumped; t is checked against nmap
 * and v against map[t].nvalue before either indexes a table; the header
 * reads go through the bounds-checked GET_* accessors.
 */
static const u_char *
ikev1_attrmap_print(netdissect_options *ndo,
		    const u_char *p, const u_char *ep2,
		    const struct attrmap *map, size_t nmap)
{
	u_int totlen;
	uint32_t t, v;

	/* AF bit set: the 2-octet value is inline, 4 octets total. */
	if (GET_U_1(p) & 0x80)
		totlen = 4;
	else {
		totlen = 4 + GET_BE_U_2(p + 2);
	}
	if (ep2 < p + totlen) {
		ND_PRINT("[|attr]");
		return ep2 + 1;
	}

	ND_PRINT("(");
	t = GET_BE_U_2(p) & 0x7fff;	/* strip the AF bit */
	if (map && t < nmap && map[t].type)
		ND_PRINT("type=%s ", map[t].type);
	else
		ND_PRINT("type=#%u ", t);
	if (GET_U_1(p) & 0x80) {
		ND_PRINT("value=");
		v = GET_BE_U_2(p + 2);
		if (map && t < nmap && v < map[t].nvalue && map[t].value[v])
			ND_PRINT("%s", map[t].value[v]);
		else {
			if (!rawprint(ndo, (const uint8_t *)(p + 2), 2)) {
				ND_PRINT(")");
				goto trunc;
			}
		}
	} else {
		/* Length already validated against ep2 above. */
		ND_PRINT("len=%u value=", totlen - 4);
		if (!rawprint(ndo, (const uint8_t *)(p + 4), totlen - 4)) {
			ND_PRINT(")");
			goto trunc;
		}
	}
	ND_PRINT(")");
	return p + totlen;

trunc:
	return NULL;
}
948
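/*
 * Print one IKEv1 data attribute (RFC 2408 3.3) without a name table:
 * the type is printed numerically and the value in hex.
 *
 * Same contract as ikev1_attrmap_print(): returns the next attribute;
 * ep2 + 1 when the declared length overruns the enclosing payload (ep2);
 * NULL when the raw dump ran past the captured data.
 *
 * The attribute length is packet-controlled and is checked against ep2
 * before any value octets are dumped, so a bogus length cannot make
 * rawprint() read outside the payload.
 */
static const u_char *
ikev1_attr_print(netdissect_options *ndo, const u_char *p, const u_char *ep2)
{
	u_int totlen;
	uint32_t t;

	/* AF bit set: the 2-octet value is inline, 4 octets total. */
	if (GET_U_1(p) & 0x80)
		totlen = 4;
	else
		totlen = 4 + GET_BE_U_2(p + 2);
	if (ep2 < p + totlen) {
		ND_PRINT("[|attr]");
		return ep2 + 1;
	}

	ND_PRINT("(");
	t = GET_BE_U_2(p) & 0x7fff;	/* strip the AF bit */
	ND_PRINT("type=#%u ", t);
	if (GET_U_1(p) & 0x80) {
		ND_PRINT("value=");
		/*
		 * The previous version also stored GET_U_1(p + 2) into t here;
		 * that value was never used, so the dead store is dropped.
		 */
		if (!rawprint(ndo, (const uint8_t *)(p + 2), 2)) {
			ND_PRINT(")");
			goto trunc;
		}
	} else {
		ND_PRINT("len=%u value=", totlen - 4);
		if (!rawprint(ndo, (const uint8_t *)(p + 4), totlen - 4)) {
			ND_PRINT(")");
			goto trunc;
		}
	}
	ND_PRINT(")");
	return p + totlen;

trunc:
	return NULL;
}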
988
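/*
 * Print an IKEv1 Security Association payload (RFC 2408 3.4; IPsec DOI
 * layout in RFC 2407 4.6.1) and then the Proposal payloads inside it.
 *
 * Returns whatever ikev1_sub_print() returns for the proposals; the first
 * octet after the fixed header for a non-IPsec DOI (whose body layout is
 * unknown here); or NULL after a truncation.
 */
static const u_char *
ikev1_sa_print(netdissect_options *ndo, u_char tpay _U_,
	       const struct isakmp_gen *ext,
	       u_int item_len _U_,
	       const u_char *ep, uint32_t phase, uint32_t doi0 _U_,
	       uint32_t proto0, int depth)
{
	const struct ikev1_pl_sa *p;
	uint32_t doi, sit, ident;
	const u_char *cp, *np;
	int t;

	ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_SA));

	p = (const struct ikev1_pl_sa *)ext;
	ND_TCHECK_SIZE(p);
	doi = GET_BE_U_4(p->doi);
	sit = GET_BE_U_4(p->sit);
	if (doi != IPSEC_DOI) {
		/* Unknown DOI: the situation and what follows are opaque. */
		ND_PRINT(" doi=%u", doi);
		ND_PRINT(" situation=%u", sit);
		return (const u_char *)(p + 1);
	}

	ND_PRINT(" doi=ipsec");
	ND_PRINT(" situation=");
	t = 0;
	if (sit & IPSECDOI_SIT_IDENTITY_ONLY) {
		ND_PRINT("identity");
		t++;
	}
	if (sit & IPSECDOI_SIT_SECRECY) {
		ND_PRINT("%ssecrecy", t ? "+" : "");
		t++;
	}
	if (sit & IPSECDOI_SIT_INTEGRITY)
		ND_PRINT("%sintegrity", t ? "+" : "");

	np = (const u_char *)ext + sizeof(struct ikev1_pl_sa);
	if (sit != IPSECDOI_SIT_IDENTITY_ONLY) {
		/*
		 * RFC 2407 4.6.1: when secrecy/integrity bits are set, a
		 * 4-octet Labeled Domain Identifier follows the Situation
		 * field, i.e. it starts at np.  The previous code read
		 * GET_BE_U_4(ext + 1), which is ext + 4 octets = the DOI
		 * field, so the DOI value was being printed as "ident".
		 * Per the RFC further secrecy/integrity level fields may
		 * follow; this printer does not skip them (unchanged).
		 */
		ident = GET_BE_U_4(np);
		ND_PRINT(" ident=%u", ident);
		np += sizeof(ident);
	}

	ext = (const struct isakmp_gen *)np;
	ND_TCHECK_SIZE(ext);

	cp = ikev1_sub_print(ndo, ISAKMP_NPTYPE_P, ext, ep, phase, doi, proto0,
			     depth);

	return cp;
trunc:
	ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_SA));
	return NULL;
}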
1045
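static const u_char *
ikev1_p_print(netdissect_options *ndo, u_char tpay _U_,
	      const struct isakmp_gen *ext, u_int item_len,
	      const u_char *ep, uint32_t phase, uint32_t doi0,
	      uint32_t proto0 _U_, int depth)
{
	/*
	 * IKEv1 Proposal payload (RFC 2408 3.5).
	 *
	 * Prints proposal number, protocol ID, transform count and SPI,
	 * then dissects the Transform payloads that follow the SPI.
	 * item_len is the proposal's declared length (caller guarantees
	 * >= 4).  Returns a pointer just past the dissected transforms,
	 * or NULL after printing a truncation marker.
	 */
	const struct ikev1_pl_p *p;
	const u_char *cp;
	uint8_t spi_size;

	ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_P));

	p = (const struct ikev1_pl_p *)ext;
	ND_TCHECK_SIZE(p);
	ND_PRINT(" #%u protoid=%s transform=%u",
		 GET_U_1(p->p_no), PROTOIDSTR(GET_U_1(p->prot_id)),
		 GET_U_1(p->num_t));
	spi_size = GET_U_1(p->spi_size);
	/*
	 * The fixed header and the SPI must fit inside the proposal's own
	 * declared length; otherwise the transforms would be dissected
	 * from whatever follows this payload (cf. the same check in
	 * ikev2_p_print()).  rawprint()/GET_*() already bound every read
	 * to the captured data, so this guards dissection correctness,
	 * not memory safety.
	 */
	if (item_len < sizeof(*p) || item_len - sizeof(*p) < spi_size)
		goto trunc;
	if (spi_size) {
		ND_PRINT(" spi=");
		if (!rawprint(ndo, (const uint8_t *)(p + 1), spi_size))
			goto trunc;
	}

	ext = (const struct isakmp_gen *)((const u_char *)(p + 1) + spi_size);
	ND_TCHECK_SIZE(ext);

	/* The transforms are interpreted according to this proposal's
	 * protocol ID (ISAKMP, AH, ESP, IPCOMP). */
	cp = ikev1_sub_print(ndo, ISAKMP_NPTYPE_T, ext, ep, phase, doi0,
			     GET_U_1(p->prot_id), depth);

	return cp;
trunc:
	ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_P));
	return NULL;
}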
1081
/* IKEv1 transform IDs for protocol ISAKMP (proto 1): only KEY_IKE. */
static const char *ikev1_p_map[] = {
	[1] = "ike",
};
1085
/* IKEv2 transform types, indexed by the Transform Type field. */
static const char *ikev2_t_type_map[] = {
	[1] = "encr",
	[2] = "prf",
	[3] = "integ",
	[4] = "dh",
	[5] = "esn",
};
1089
/* IKEv1 AH transform IDs, indexed by ID (1 is reserved). */
static const char *ah_p_map[] = {
	[1] = "(reserved)",
	[2] = "md5",
	[3] = "sha",
	[4] = "1des",
	[5] = "sha2-256",
	[6] = "sha2-384",
	[7] = "sha2-512",
};
1094
/* IKEv2 PRF transform IDs, indexed by ID; IDs beyond the table are
 * left to STR_OR_ID's fallback. */
static const char *prf_p_map[] = {
	[1] = "hmac-md5",
	[2] = "hmac-sha",
	[3] = "hmac-tiger",
	[4] = "aes128_xcbc",
};
1099
/* IKEv2 integrity transform IDs, indexed by ID.  The label for ID 3
 * ("dec-mac", IANA AUTH_DES_MAC) is kept verbatim so existing output
 * does not change. */
static const char *integ_p_map[] = {
	[1] = "hmac-md5",
	[2] = "hmac-sha",
	[3] = "dec-mac",
	[4] = "kpdk-md5",
	[5] = "aes-xcbc",
};
1104
/* IKEv2 Extended Sequence Numbers transform: 0 = off, 1 = on. */
static const char *esn_p_map[] = {
	[0] = "no-esn",
	[1] = "esn",
};
1108
/*
 * IKEv2 Diffie-Hellman group transform IDs, indexed by group number.
 * Groups 6-13 are reserved/unassigned placeholders; the table stops at
 * group 18, so later groups (ECP, Curve25519, ...) are not named here.
 */
static const char *dh_p_map[] = {
	[1]  = "modp768",
	[2]  = "modp1024",
	[3]  = "EC2N 2^155",
	[4]  = "EC2N 2^185",
	[5]  = "modp1536",
	[6]  = "iana-grp06",
	[7]  = "iana-grp07",
	[8]  = "iana-grp08",
	[9]  = "iana-grp09",
	[10] = "iana-grp10",
	[11] = "iana-grp11",
	[12] = "iana-grp12",
	[13] = "iana-grp13",
	[14] = "modp2048",
	[15] = "modp3072",
	[16] = "modp4096",
	[17] = "modp6144",
	[18] = "modp8192",
};
1125
/* ESP / IKEv2 encryption transform IDs, indexed by ID. */
static const char *esp_p_map[] = {
	[1]  = "1des-iv64",
	[2]  = "1des",
	[3]  = "3des",
	[4]  = "rc5",
	[5]  = "idea",
	[6]  = "cast",
	[7]  = "blowfish",
	[8]  = "3idea",
	[9]  = "1des-iv32",
	[10] = "rc4",
	[11] = "null",
	[12] = "aes",
};
1130
/* IPCOMP transform IDs, indexed by ID. */
static const char *ipcomp_p_map[] = {
	[1] = "oui",
	[2] = "deflate",
	[3] = "lzs",
};
1134
/*
 * IPsec DOI SA attributes (RFC 2407 4.5), indexed by attribute type.
 * Each entry: { name, number of named values, named values by value }.
 * Entries with 0 named values print their value numerically.
 */
static const struct attrmap ipsec_t_map[] = {
	[1] = { "lifetype", 3, { [1] = "sec", [2] = "kb" } },
	[2] = { "life", 0, { NULL } },
	[3] = { "group desc", 18, {
		[1]  = "modp768",
		[2]  = "modp1024",
		[3]  = "EC2N 2^155",
		[4]  = "EC2N 2^185",
		[5]  = "modp1536",
		[6]  = "iana-grp06",	/* 6-13: reserved */
		[7]  = "iana-grp07",
		[8]  = "iana-grp08",
		[9]  = "iana-grp09",
		[10] = "iana-grp10",
		[11] = "iana-grp11",
		[12] = "iana-grp12",
		[13] = "iana-grp13",
		[14] = "modp2048",
		[15] = "modp3072",
		[16] = "modp4096",
		[17] = "modp6144",
		[18] = "modp8192",
	} },
	[4] = { "enc mode", 3, { [1] = "tunnel", [2] = "transport" } },
	[5] = { "auth", 5, { [1] = "hmac-md5", [2] = "hmac-sha1",
			     [3] = "1des-mac", [4] = "keyed" } },
	[6] = { "keylen", 0, { NULL } },
	[7] = { "rounds", 0, { NULL } },
	[8] = { "dictsize", 0, { NULL } },
	[9] = { "privalg", 0, { NULL } },
};
1161
/*
 * IKEv2 ENCR transform attributes, indexed by attribute type: only
 * Key Length (14) is defined, so entries 0-13 are empty.
 * NOTE(review): the second field is 14 here although no named values
 * are listed; the other tables use it as a count of named values.
 * Kept as-is -- verify against ikev1_attrmap_print() before changing.
 */
static const struct attrmap encr_t_map[] = {
	[14] = { "keylen", 14, { NULL } },
};
1172
/*
 * ISAKMP/Oakley phase-1 SA attributes (RFC 2409 appendix A), indexed
 * by attribute type.  Each entry: { name, number of named values,
 * named values by value }; 0 named values means print numerically.
 */
static const struct attrmap oakley_t_map[] = {
	[1] = { "enc", 8, { [1] = "1des", [2] = "idea", [3] = "blowfish",
			    [4] = "rc5", [5] = "3des", [6] = "cast",
			    [7] = "aes" } },
	[2] = { "hash", 7, { [1] = "md5", [2] = "sha1", [3] = "tiger",
			     [4] = "sha2-256", [5] = "sha2-384",
			     [6] = "sha2-512" } },
	[3] = { "auth", 6, { [1] = "preshared", [2] = "dss",
			     [3] = "rsa sig", [4] = "rsa enc",
			     [5] = "rsa enc revised" } },
	[4] = { "group desc", 18, {
		[1]  = "modp768",
		[2]  = "modp1024",
		[3]  = "EC2N 2^155",
		[4]  = "EC2N 2^185",
		[5]  = "modp1536",
		[6]  = "iana-grp06",	/* 6-13: reserved */
		[7]  = "iana-grp07",
		[8]  = "iana-grp08",
		[9]  = "iana-grp09",
		[10] = "iana-grp10",
		[11] = "iana-grp11",
		[12] = "iana-grp12",
		[13] = "iana-grp13",
		[14] = "modp2048",
		[15] = "modp3072",
		[16] = "modp4096",
		[17] = "modp6144",
		[18] = "modp8192",
	} },
	[5]  = { "group type", 4, { [1] = "MODP", [2] = "ECP", [3] = "EC2N" } },
	[6]  = { "group prime", 0, { NULL } },
	[7]  = { "group gen1", 0, { NULL } },
	[8]  = { "group gen2", 0, { NULL } },
	[9]  = { "group curve A", 0, { NULL } },
	[10] = { "group curve B", 0, { NULL } },
	[11] = { "lifetype", 3, { [1] = "sec", [2] = "kb" } },
	[12] = { "lifeduration", 0, { NULL } },
	[13] = { "prf", 0, { NULL } },
	[14] = { "keylen", 0, { NULL } },
	[15] = { "field", 0, { NULL } },
	[16] = { "order", 0, { NULL } },
};
1209
static const u_char *
ikev1_t_print(netdissect_options *ndo, u_char tpay _U_,
	      const struct isakmp_gen *ext, u_int item_len,
	      const u_char *ep, uint32_t phase _U_, uint32_t doi _U_,
	      uint32_t proto, int depth _U_)
{
	/*
	 * IKEv1 Transform payload (RFC 2408 3.6).
	 *
	 * The transform ID and the attribute table depend on the protocol
	 * ID of the enclosing proposal: 1 = ISAKMP (Oakley attributes),
	 * 2 = AH, 3 = ESP, 4 = IPCOMP (IPsec DOI attributes).  Any other
	 * protocol prints the ID numerically and the attributes generically.
	 * Attributes are walked up to the smaller of the packet end (ep)
	 * and the transform's declared end.  Returns the position reached,
	 * or NULL after a truncation marker.
	 */
	const struct ikev1_pl_t *t = (const struct ikev1_pl_t *)ext;
	const struct attrmap *attrs = NULL;
	size_t nattrs = 0;
	const char *idname = NULL;
	const u_char *cur, *end;
	uint8_t t_id;

	ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_T));

	ND_TCHECK_SIZE(t);
	t_id = GET_U_1(t->t_id);

	if (proto == 1) {
		idname = STR_OR_ID(t_id, ikev1_p_map);
		attrs = oakley_t_map;
		nattrs = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]);
	} else if (proto == 2 || proto == 3 || proto == 4) {
		if (proto == 2)
			idname = STR_OR_ID(t_id, ah_p_map);
		else if (proto == 3)
			idname = STR_OR_ID(t_id, esp_p_map);
		else
			idname = STR_OR_ID(t_id, ipcomp_p_map);
		attrs = ipsec_t_map;
		nattrs = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
	}

	if (idname != NULL)
		ND_PRINT(" #%u id=%s ", GET_U_1(t->t_no), idname);
	else
		ND_PRINT(" #%u id=%u ", GET_U_1(t->t_no), t_id);

	cur = (const u_char *)(t + 1);
	end = (const u_char *)t + item_len;
	while (cur < ep && cur < end) {
		if (attrs != NULL && nattrs != 0)
			cur = ikev1_attrmap_print(ndo, cur, end, attrs, nattrs);
		else
			cur = ikev1_attr_print(ndo, cur, end);
		if (cur == NULL)
			goto trunc;
	}
	/* declared length runs past the packet: flag it */
	if (ep < end)
		ND_PRINT("...");
	return cur;
trunc:
	ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_T));
	return NULL;
}
1277
static const u_char *
ikev1_ke_print(netdissect_options *ndo, u_char tpay _U_,
	       const struct isakmp_gen *ext, u_int item_len,
	       const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_,
	       uint32_t proto _U_, int depth _U_)
{
	/*
	 * IKEv1 Key Exchange payload (RFC 2408 3.7): prints the key-data
	 * length and, at -vvv, the key data in hex.  The caller guarantees
	 * item_len >= 4 (the generic header).  Returns the payload end, or
	 * NULL after a truncation marker.
	 */
	const u_int key_len = item_len - 4;

	ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_KE));

	ND_TCHECK_SIZE(ext);
	ND_PRINT(" key len=%u", key_len);
	if (key_len != 0 && ndo->ndo_vflag > 2) {
		ND_PRINT(" ");
		if (!rawprint(ndo, (const uint8_t *)(ext + 1), key_len))
			goto trunc;
	}
	return (const u_char *)ext + item_len;
trunc:
	ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_KE));
	return NULL;
}
1302
static const u_char *
ikev1_id_print(netdissect_options *ndo, u_char tpay _U_,
	       const struct isakmp_gen *ext, u_int item_len,
	       const u_char *ep _U_, uint32_t phase, uint32_t doi _U_,
	       uint32_t proto _U_, int depth _U_)
{
/*
 * IKEv1 Identification payload (RFC 2408 3.8 / RFC 2407 4.6.2).
 *
 * With USE_IPSECDOI_IN_PHASE1 defined (below), both phase 1 and phase 2
 * are dissected with the IPsec DOI identification layout (type, protocol
 * ID, port, then the identification data); any other phase value uses
 * the generic ISAKMP layout (type + 3-byte DOI-specific data).
 * item_len is the payload's declared length.  Returns the payload end,
 * or NULL after a truncation marker.
 */
#define USE_IPSECDOI_IN_PHASE1 1
	const struct ikev1_pl_id *p;
	/* generic ISAKMP ID types, indexed by id_type */
	static const char *idtypestr[] = {
		"IPv4", "IPv4net", "IPv6", "IPv6net",
	};
	/* IPsec DOI ID types (RFC 2407 4.6.2.1), indexed by type */
	static const char *ipsecidtypestr[] = {
		NULL, "IPv4", "FQDN", "user FQDN", "IPv4net", "IPv6",
		"IPv6net", "IPv4range", "IPv6range", "ASN1 DN", "ASN1 GN",
		"keyid",
	};
	u_int len;
	const u_char *data;

	ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_ID));

	p = (const struct ikev1_pl_id *)ext;
	ND_TCHECK_SIZE(p);
	/* data/len describe the identification data after the fixed header;
	 * a payload no longer than the header has none */
	if (sizeof(*p) < item_len) {
		data = (const u_char *)(p + 1);
		len = item_len - sizeof(*p);
	} else {
		data = NULL;
		len = 0;
	}

#if 0 /*debug*/
	ND_PRINT(" [phase=%u doi=%u proto=%u]", phase, doi, proto);
#endif
	switch (phase) {
#ifndef USE_IPSECDOI_IN_PHASE1
	case 1:
#endif
	default:
		/* generic ISAKMP layout: only the low 24 bits carry DOI data */
		ND_PRINT(" idtype=%s",
			 STR_OR_ID(GET_U_1(p->d.id_type), idtypestr));
		ND_PRINT(" doi_data=%u",
			 GET_BE_U_4(p->d.doi_data) & 0xffffff);
		break;

#ifdef USE_IPSECDOI_IN_PHASE1
	case 1:
#endif
	case 2:
	    {
		const struct ipsecdoi_id *doi_p;
		const char *p_name;
		uint8_t type, proto_id;

		doi_p = (const struct ipsecdoi_id *)ext;
		ND_TCHECK_SIZE(doi_p);
		type = GET_U_1(doi_p->type);
		ND_PRINT(" idtype=%s", STR_OR_ID(type, ipsecidtypestr));
		/* A protocol ID of 0 DOES NOT mean IPPROTO_IP! */
		proto_id = GET_U_1(doi_p->proto_id);
		/* -n suppresses the protocol-name lookup */
		if (!ndo->ndo_nflag && proto_id && (p_name = netdb_protoname(proto_id)) != NULL)
			ND_PRINT(" protoid=%s", p_name);
		else
			ND_PRINT(" protoid=%u", proto_id);
		ND_PRINT(" port=%u", GET_BE_U_2(doi_p->port));
		if (!len)
			break;
		if (data == NULL)
			goto trunc;
		/* make sure the whole ID data is captured before decoding it */
		ND_TCHECK_LEN(data, len);
		/*
		 * Each decoded type sets len = 0 so the generic hex dump
		 * below is skipped; ASN.1 and key-ID data (and unknown
		 * types) keep len and fall through to it.
		 */
		switch (type) {
		case IPSECDOI_ID_IPV4_ADDR:
			if (len < 4)
				ND_PRINT(" len=%u [bad: < 4]", len);
			else
				ND_PRINT(" len=%u %s", len, GET_IPADDR_STRING(data));
			len = 0;
			break;
		case IPSECDOI_ID_FQDN:
		case IPSECDOI_ID_USER_FQDN:
		    {
			u_int i;
			ND_PRINT(" len=%u ", len);
			/* printed byte by byte with escaping, as the data is untrusted */
			for (i = 0; i < len; i++)
				fn_print_char(ndo, GET_U_1(data + i));
			len = 0;
			break;
		    }
		case IPSECDOI_ID_IPV4_ADDR_SUBNET:
		    {
			const u_char *mask;
			/* address followed by a 4-byte netmask */
			if (len < 8)
				ND_PRINT(" len=%u [bad: < 8]", len);
			else {
				mask = data + sizeof(nd_ipv4);
				ND_PRINT(" len=%u %s/%u.%u.%u.%u", len,
					  GET_IPADDR_STRING(data),
					  GET_U_1(mask), GET_U_1(mask + 1),
					  GET_U_1(mask + 2),
					  GET_U_1(mask + 3));
			}
			len = 0;
			break;
		    }
		case IPSECDOI_ID_IPV6_ADDR:
			if (len < 16)
				ND_PRINT(" len=%u [bad: < 16]", len);
			else
				ND_PRINT(" len=%u %s", len, GET_IP6ADDR_STRING(data));
			len = 0;
			break;
		case IPSECDOI_ID_IPV6_ADDR_SUBNET:
		    {
			const u_char *mask;
			/* address followed by a 16-byte mask, shown as raw hex */
			if (len < 32)
				ND_PRINT(" len=%u [bad: < 32]", len);
			else {
				mask = (const u_char *)(data + sizeof(nd_ipv6));
				/*XXX*/
				ND_PRINT(" len=%u %s/0x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x", len,
					  GET_IP6ADDR_STRING(data),
					  GET_U_1(mask), GET_U_1(mask + 1),
					  GET_U_1(mask + 2),
					  GET_U_1(mask + 3),
					  GET_U_1(mask + 4),
					  GET_U_1(mask + 5),
					  GET_U_1(mask + 6),
					  GET_U_1(mask + 7),
					  GET_U_1(mask + 8),
					  GET_U_1(mask + 9),
					  GET_U_1(mask + 10),
					  GET_U_1(mask + 11),
					  GET_U_1(mask + 12),
					  GET_U_1(mask + 13),
					  GET_U_1(mask + 14),
					  GET_U_1(mask + 15));
			}
			len = 0;
			break;
		    }
		case IPSECDOI_ID_IPV4_ADDR_RANGE:
			/* two addresses: range start and end */
			if (len < 8)
				ND_PRINT(" len=%u [bad: < 8]", len);
			else {
				ND_PRINT(" len=%u %s-%s", len,
					  GET_IPADDR_STRING(data),
					  GET_IPADDR_STRING(data + sizeof(nd_ipv4)));
			}
			len = 0;
			break;
		case IPSECDOI_ID_IPV6_ADDR_RANGE:
			if (len < 32)
				ND_PRINT(" len=%u [bad: < 32]", len);
			else {
				ND_PRINT(" len=%u %s-%s", len,
					  GET_IP6ADDR_STRING(data),
					  GET_IP6ADDR_STRING(data + sizeof(nd_ipv6)));
			}
			len = 0;
			break;
		case IPSECDOI_ID_DER_ASN1_DN:
		case IPSECDOI_ID_DER_ASN1_GN:
		case IPSECDOI_ID_KEY_ID:
			/* not decoded; left to the generic dump below */
			break;
		}
		break;
	    }
	}
	/* anything not decoded above: length, plus a hex dump at -vvv */
	if (data && len) {
		ND_PRINT(" len=%u", len);
		if (2 < ndo->ndo_vflag) {
			ND_PRINT(" ");
			if (!rawprint(ndo, (const uint8_t *)data, len))
				goto trunc;
		}
	}
	return (const u_char *)ext + item_len;
trunc:
	ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_ID));
	return NULL;
}
1484
static const u_char *
ikev1_cert_print(netdissect_options *ndo, u_char tpay _U_,
		 const struct isakmp_gen *ext, u_int item_len,
		 const u_char *ep _U_, uint32_t phase _U_,
		 uint32_t doi0 _U_,
		 uint32_t proto0 _U_, int depth _U_)
{
	/*
	 * IKEv1 Certificate payload (RFC 2408 3.9): prints the data length
	 * and the certificate encoding; at -vvv also dumps everything after
	 * the generic header (encoding byte included) in hex.  The caller
	 * guarantees item_len >= 4.  Returns the payload end, or NULL after
	 * a truncation marker.
	 */
	/* Certificate Encoding values, indexed by code. */
	static const char *certstr[] = {
		[0] = "none",     [1] = "pkcs7",    [2] = "pgp",
		[3] = "dns",      [4] = "x509sign", [5] = "x509ke",
		[6] = "kerberos", [7] = "crl",      [8] = "arl",
		[9] = "spki",     [10] = "x509attr",
	};
	const struct ikev1_pl_cert *cert = (const struct ikev1_pl_cert *)ext;
	const u_int body_len = item_len - 4;

	ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_CERT));

	ND_TCHECK_SIZE(cert);
	ND_PRINT(" len=%u", body_len);
	ND_PRINT(" type=%s", STR_OR_ID(GET_U_1(cert->encode), certstr));
	if (body_len != 0 && ndo->ndo_vflag > 2) {
		ND_PRINT(" ");
		if (!rawprint(ndo, (const uint8_t *)(ext + 1), body_len))
			goto trunc;
	}
	return (const u_char *)ext + item_len;
trunc:
	ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_CERT));
	return NULL;
}
1519
static const u_char *
ikev1_cr_print(netdissect_options *ndo, u_char tpay _U_,
	       const struct isakmp_gen *ext, u_int item_len,
	       const u_char *ep _U_, uint32_t phase _U_, uint32_t doi0 _U_,
	       uint32_t proto0 _U_, int depth _U_)
{
	/*
	 * IKEv1 Certificate Request payload (RFC 2408 3.10).  Same layout
	 * and output as the Certificate payload: data length, requested
	 * certificate encoding, and at -vvv a hex dump of everything after
	 * the generic header.  The caller guarantees item_len >= 4.
	 * Returns the payload end, or NULL after a truncation marker.
	 */
	/* Certificate Encoding values, indexed by code. */
	static const char *certstr[] = {
		[0] = "none",     [1] = "pkcs7",    [2] = "pgp",
		[3] = "dns",      [4] = "x509sign", [5] = "x509ke",
		[6] = "kerberos", [7] = "crl",      [8] = "arl",
		[9] = "spki",     [10] = "x509attr",
	};
	const struct ikev1_pl_cert *cr = (const struct ikev1_pl_cert *)ext;
	const u_int body_len = item_len - 4;

	ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_CR));

	ND_TCHECK_SIZE(cr);
	ND_PRINT(" len=%u", body_len);
	ND_PRINT(" type=%s", STR_OR_ID(GET_U_1(cr->encode), certstr));
	if (body_len != 0 && ndo->ndo_vflag > 2) {
		ND_PRINT(" ");
		if (!rawprint(ndo, (const uint8_t *)(ext + 1), body_len))
			goto trunc;
	}
	return (const u_char *)ext + item_len;
trunc:
	ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_CR));
	return NULL;
}
1553
static const u_char *
ikev1_hash_print(netdissect_options *ndo, u_char tpay _U_,
		 const struct isakmp_gen *ext, u_int item_len,
		 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_,
		 uint32_t proto _U_, int depth _U_)
{
	/*
	 * IKEv1 Hash payload (RFC 2408 3.11): prints the hash length and,
	 * at -vvv, the hash data in hex.  The caller guarantees
	 * item_len >= 4.  Returns the payload end, or NULL after a
	 * truncation marker.
	 */
	const u_int body_len = item_len - 4;

	ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_HASH));

	ND_TCHECK_SIZE(ext);
	ND_PRINT(" len=%u", body_len);
	if (body_len != 0 && ndo->ndo_vflag > 2) {
		ND_PRINT(" ");
		if (!rawprint(ndo, (const uint8_t *)(ext + 1), body_len))
			goto trunc;
	}
	return (const u_char *)ext + item_len;
trunc:
	ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_HASH));
	return NULL;
}
1578
static const u_char *
ikev1_sig_print(netdissect_options *ndo, u_char tpay _U_,
		const struct isakmp_gen *ext, u_int item_len,
		const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_,
		uint32_t proto _U_, int depth _U_)
{
	/*
	 * IKEv1 Signature payload (RFC 2408 3.12): prints the signature
	 * length and, at -vvv, the signature data in hex.  The caller
	 * guarantees item_len >= 4.  Returns the payload end, or NULL after
	 * a truncation marker.
	 */
	const u_int body_len = item_len - 4;

	ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_SIG));

	ND_TCHECK_SIZE(ext);
	ND_PRINT(" len=%u", body_len);
	if (body_len != 0 && ndo->ndo_vflag > 2) {
		ND_PRINT(" ");
		if (!rawprint(ndo, (const uint8_t *)(ext + 1), body_len))
			goto trunc;
	}
	return (const u_char *)ext + item_len;
trunc:
	ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_SIG));
	return NULL;
}
1603
static const u_char *
ikev1_nonce_print(netdissect_options *ndo, u_char tpay _U_,
		  const struct isakmp_gen *ext,
		  u_int item_len,
		  const u_char *ep,
		  uint32_t phase _U_, uint32_t doi _U_,
		  uint32_t proto _U_, int depth _U_)
{
	/*
	 * IKEv1 Nonce payload (RFC 2408 3.13): prints the nonce length;
	 * at -vvv the whole nonce in hex, at -vv an abbreviated view via
	 * ike_show_somedata().  The caller guarantees item_len >= 4.
	 * Returns the payload end, or NULL after a truncation marker.
	 */
	const u_int nonce_len = item_len - 4;
	const uint8_t *nonce = (const uint8_t *)(ext + 1);

	ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_NONCE));

	ND_TCHECK_SIZE(ext);
	ND_PRINT(" n len=%u", nonce_len);
	if (nonce_len != 0) {
		if (ndo->ndo_vflag > 2) {
			ND_PRINT(" ");
			if (!rawprint(ndo, nonce, nonce_len))
				goto trunc;
		} else if (ndo->ndo_vflag > 1) {
			ND_PRINT(" ");
			if (!ike_show_somedata(ndo, (const u_char *)nonce, ep))
				goto trunc;
		}
	}
	return (const u_char *)ext + item_len;
trunc:
	ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_NONCE));
	return NULL;
}
1635
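static const u_char *
ikev1_n_print(netdissect_options *ndo, u_char tpay _U_,
	      const struct isakmp_gen *ext, u_int item_len,
	      const u_char *ep, uint32_t phase _U_, uint32_t doi0 _U_,
	      uint32_t proto0 _U_, int depth _U_)
{
	/*
	 * IKEv1 Notification payload (RFC 2408 3.14 / RFC 2407 4.6.3).
	 *
	 * Prints DOI, protocol ID, notify type and SPI.  For the IPsec DOI
	 * the notification data is decoded for RESPONDER-LIFETIME (an
	 * attribute list) and REPLAY-STATUS (a 4-octet flag); other types
	 * get a hex dump at -vvvv or an abbreviated view otherwise.
	 * item_len is the payload's declared length; ep is the end of the
	 * captured packet.  Returns the payload end (for the IPsec DOI) or
	 * the position after the SPI (other DOIs), or NULL after a
	 * truncation marker.
	 */
	const struct ikev1_pl_n *p;
	const u_char *cp;
	const u_char *ep2;
	const u_char *data_end;
	uint32_t doi;
	uint32_t proto;
	uint16_t type;
	uint8_t spi_size;
	/* ISAKMP error types 1..30, indexed by notify type */
	static const char *notify_error_str[] = {
		NULL,				"INVALID-PAYLOAD-TYPE",
		"DOI-NOT-SUPPORTED",		"SITUATION-NOT-SUPPORTED",
		"INVALID-COOKIE",		"INVALID-MAJOR-VERSION",
		"INVALID-MINOR-VERSION",	"INVALID-EXCHANGE-TYPE",
		"INVALID-FLAGS",		"INVALID-MESSAGE-ID",
		"INVALID-PROTOCOL-ID",		"INVALID-SPI",
		"INVALID-TRANSFORM-ID",		"ATTRIBUTES-NOT-SUPPORTED",
		"NO-PROPOSAL-CHOSEN",		"BAD-PROPOSAL-SYNTAX",
		"PAYLOAD-MALFORMED",		"INVALID-KEY-INFORMATION",
		"INVALID-ID-INFORMATION",	"INVALID-CERT-ENCODING",
		"INVALID-CERTIFICATE",		"CERT-TYPE-UNSUPPORTED",
		"INVALID-CERT-AUTHORITY",	"INVALID-HASH-INFORMATION",
		"AUTHENTICATION-FAILED",	"INVALID-SIGNATURE",
		"ADDRESS-NOTIFICATION",		"NOTIFY-SA-LIFETIME",
		"CERTIFICATE-UNAVAILABLE",	"UNSUPPORTED-EXCHANGE-TYPE",
		"UNEQUAL-PAYLOAD-LENGTHS",
	};
	/* IPsec DOI error types, indexed by (type - 8192) */
	static const char *ipsec_notify_error_str[] = {
		"RESERVED",
	};
	/* ISAKMP status types, indexed by (type - 16384) */
	static const char *notify_status_str[] = {
		"CONNECTED",
	};
	/* IPsec DOI status types, indexed by (type - 24576) */
	static const char *ipsec_notify_status_str[] = {
		"RESPONDER-LIFETIME", "REPLAY-STATUS",
		"INITIAL-CONTACT",
	};
	/*
	 * NOTE: these macros must be called with x in the stated range;
	 * each one rebases x to the start of its range before the lookup.
	 */

	/* 0 - 8191 */
#define NOTIFY_ERROR_STR(x) \
	STR_OR_ID((x), notify_error_str)

	/* 8192 - 16383 */
#define IPSEC_NOTIFY_ERROR_STR(x) \
	STR_OR_ID((u_int)((x) - 8192), ipsec_notify_error_str)

	/* 16384 - 24575 */
#define NOTIFY_STATUS_STR(x) \
	STR_OR_ID((u_int)((x) - 16384), notify_status_str)

	/* 24576 - 32767 */
#define IPSEC_NOTIFY_STATUS_STR(x) \
	STR_OR_ID((u_int)((x) - 24576), ipsec_notify_status_str)

	ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_N));

	p = (const struct ikev1_pl_n *)ext;
	ND_TCHECK_SIZE(p);
	doi = GET_BE_U_4(p->doi);
	proto = GET_U_1(p->prot_id);
	if (doi != 1) {
		/* Unknown DOI: only the ISAKMP-defined type ranges are named. */
		ND_PRINT(" doi=%u", doi);
		ND_PRINT(" proto=%u", proto);
		type = GET_BE_U_2(p->type);
		if (type < 8192)
			ND_PRINT(" type=%s", NOTIFY_ERROR_STR(type));
		else if (type < 16384)
			ND_PRINT(" type=%s", numstr(type));
		else if (type < 24576)
			ND_PRINT(" type=%s", NOTIFY_STATUS_STR(type));
		else
			ND_PRINT(" type=%s", numstr(type));
		spi_size = GET_U_1(p->spi_size);
		if (spi_size) {
			ND_PRINT(" spi=");
			if (!rawprint(ndo, (const uint8_t *)(p + 1), spi_size))
				goto trunc;
		}
		return (const u_char *)(p + 1) + spi_size;
	}

	ND_PRINT(" doi=ipsec");
	ND_PRINT(" proto=%s", PROTOIDSTR(proto));
	type = GET_BE_U_2(p->type);
	if (type < 8192)
		ND_PRINT(" type=%s", NOTIFY_ERROR_STR(type));
	else if (type < 16384)
		ND_PRINT(" type=%s", IPSEC_NOTIFY_ERROR_STR(type));
	else if (type < 24576)
		ND_PRINT(" type=%s", NOTIFY_STATUS_STR(type));
	else if (type < 32768)
		ND_PRINT(" type=%s", IPSEC_NOTIFY_STATUS_STR(type));
	else
		ND_PRINT(" type=%s", numstr(type));
	spi_size = GET_U_1(p->spi_size);
	if (spi_size) {
		ND_PRINT(" spi=");
		if (!rawprint(ndo, (const uint8_t *)(p + 1), spi_size))
			goto trunc;
	}

	cp = (const u_char *)(p + 1) + spi_size;
	ep2 = (const u_char *)p + item_len;
	/*
	 * The notification data ends at this payload's declared end (ep2),
	 * never at the end of the packet (ep): bounding by ep alone would
	 * dump any payload that follows this one as notification data,
	 * and would let REPLAY-STATUS read its flag from the next payload.
	 * (The RESPONDER-LIFETIME loop already applied both bounds.)
	 */
	data_end = (ep2 < ep) ? ep2 : ep;

	if (cp < data_end) {
		switch (type) {
		case IPSECDOI_NTYPE_RESPONDER_LIFETIME:
		    {
			/* the data is a list of Oakley SA attributes */
			const struct attrmap *map = oakley_t_map;
			size_t nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]);
			ND_PRINT(" attrs=(");
			while (cp < data_end) {
				cp = ikev1_attrmap_print(ndo, cp, ep2, map, nmap);
				if (cp == NULL) {
					ND_PRINT(")");
					goto trunc;
				}
			}
			ND_PRINT(")");
			break;
		    }
		case IPSECDOI_NTYPE_REPLAY_STATUS:
			/* RFC 2407 4.6.3.2: a single 4-octet value, 0 = disabled */
			if (data_end - cp < 4)
				goto trunc;
			ND_PRINT(" status=(");
			ND_PRINT("replay detection %sabled",
				  GET_BE_U_4(cp) ? "en" : "dis");
			ND_PRINT(")");
			break;
		default:
			/*
			 * XXX - fill in more types here; see, for example,
			 * draft-ietf-ipsec-notifymsg-04.
			 */
			if (ndo->ndo_vflag > 3) {
				ND_PRINT(" data=(");
				if (!rawprint(ndo, (const uint8_t *)(cp), data_end - cp))
					goto trunc;
				ND_PRINT(")");
			} else {
				if (!ike_show_somedata(ndo, cp, data_end))
					goto trunc;
			}
			break;
		}
	}
	return (const u_char *)ext + item_len;
trunc:
	ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_N));
	return NULL;
}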
1790
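static const u_char *
ikev1_d_print(netdissect_options *ndo, u_char tpay _U_,
	      const struct isakmp_gen *ext, u_int item_len,
	      const u_char *ep _U_, uint32_t phase _U_, uint32_t doi0 _U_,
	      uint32_t proto0 _U_, int depth _U_)
{
	/*
	 * IKEv1 Delete payload (RFC 2408 3.15): prints DOI, protocol ID,
	 * SPI size and count, then each SPI in hex.  item_len is the
	 * payload's declared length (caller guarantees >= 4).  Returns
	 * the payload end, or NULL after a truncation marker.
	 */
	const struct ikev1_pl_d *p;
	const uint8_t *q;
	uint32_t doi;
	uint32_t proto;
	uint8_t spi_size;
	uint16_t num_spi;
	u_int i;

	ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_D));

	p = (const struct ikev1_pl_d *)ext;
	ND_TCHECK_SIZE(p);
	/*
	 * The caller only guarantees the 4-byte generic header; the delete
	 * header is larger, so a shorter declared length is malformed.
	 */
	if (item_len < sizeof(*p))
		goto trunc;
	doi = GET_BE_U_4(p->doi);
	proto = GET_U_1(p->prot_id);
	if (doi != 1) {
		ND_PRINT(" doi=%u", doi);
		ND_PRINT(" proto=%u", proto);
	} else {
		ND_PRINT(" doi=ipsec");
		ND_PRINT(" proto=%s", PROTOIDSTR(proto));
	}
	spi_size = GET_U_1(p->spi_size);
	ND_PRINT(" spilen=%u", spi_size);
	num_spi = GET_BE_U_2(p->num_spi);
	ND_PRINT(" nspi=%u", num_spi);
	q = (const uint8_t *)(p + 1);
	if (spi_size) {
		/*
		 * All nspi SPIs must lie inside this payload's declared
		 * length; otherwise a bogus count would walk into the
		 * following payloads.  Reads are capture-bounded by
		 * rawprint(), so this is about dissection correctness,
		 * not memory safety.  (255 * 65535 fits in u_int.)
		 */
		if ((u_int)spi_size * num_spi > item_len - sizeof(*p))
			goto trunc;
		ND_PRINT(" spi=");
		for (i = 0; i < num_spi; i++) {
			if (i != 0)
				ND_PRINT(",");
			if (!rawprint(ndo, (const uint8_t *)q, spi_size))
				goto trunc;
			q += spi_size;
		}
	}
	/*
	 * Return the declared payload end, as the other leaf printers in
	 * this file do, rather than the position after the last SPI; the
	 * caller presumably continues with the next payload from here, and
	 * the two differ when the declared length is not exactly
	 * header + nspi * spilen.
	 */
	return (const u_char *)ext + item_len;
trunc:
	ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_D));
	return NULL;
}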
1838
static const u_char *
ikev1_vid_print(netdissect_options *ndo, u_char tpay _U_,
		const struct isakmp_gen *ext,
		u_int item_len, const u_char *ep _U_,
		uint32_t phase _U_, uint32_t doi _U_,
		uint32_t proto _U_, int depth _U_)
{
	/*
	 * IKEv1 Vendor ID payload (RFC 2408 3.16): prints the vendor-ID
	 * length and, at -vvv, the ID bytes in hex.  The caller guarantees
	 * item_len >= 4.  Returns the payload end, or NULL after a
	 * truncation marker.
	 */
	const u_int body_len = item_len - 4;

	ND_PRINT("%s:", NPSTR(ISAKMP_NPTYPE_VID));

	ND_TCHECK_SIZE(ext);
	ND_PRINT(" len=%u", body_len);
	if (body_len != 0 && ndo->ndo_vflag > 2) {
		ND_PRINT(" ");
		if (!rawprint(ndo, (const uint8_t *)(ext + 1), body_len))
			goto trunc;
	}
	return (const u_char *)ext + item_len;
trunc:
	ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_VID));
	return NULL;
}
1864
1865 /************************************************************/
1866 /* */
/*   IKE v2 - RFC 4306 (superseded by RFC 5996 / RFC 7296) - dissector   */
1868 /* */
1869 /************************************************************/
1870
static void
ikev2_pay_print(netdissect_options *ndo, const char *payname, uint8_t critical)
{
	/*
	 * Print an IKEv2 payload name, followed by "[C]" when the Critical
	 * bit (0x80 of the critical byte) is set, and a trailing colon.
	 */
	const char *crit_tag = (critical & 0x80) ? "[C]" : "";

	ND_PRINT("%s%s:", payname, crit_tag);
}
1876
static const u_char *
ikev2_gen_print(netdissect_options *ndo, u_char tpay,
		const struct isakmp_gen *ext, u_int item_len)
{
	/*
	 * Generic IKEv2 payload printer: name (with the critical flag),
	 * data length, and at -vvv a hex dump of the data.  tpay is the
	 * payload type; the caller guarantees item_len >= 4.  Returns the
	 * payload end, or NULL after a truncation marker.
	 */
	const u_int body_len = item_len - 4;

	ND_TCHECK_SIZE(ext);
	ikev2_pay_print(ndo, NPSTR(tpay), GET_U_1(ext->critical));

	ND_PRINT(" len=%u", body_len);
	if (body_len != 0 && ndo->ndo_vflag > 2) {
		ND_PRINT(" ");
		if (!rawprint(ndo, (const uint8_t *)(ext + 1), body_len))
			goto trunc;
	}
	return (const u_char *)ext + item_len;
trunc:
	ND_PRINT(" [|%s]", NPSTR(tpay));
	return NULL;
}
1901
static const u_char *
ikev2_t_print(netdissect_options *ndo, int tcount,
	      const struct isakmp_gen *ext, u_int item_len,
	      const u_char *ep)
{
	/*
	 * IKEv2 Transform substructure (RFC 5996 3.3.2).
	 *
	 * Prints the transform's ordinal (tcount), type and ID, then its
	 * attributes up to the smaller of the packet end (ep) and the
	 * transform's declared end.  Only ENCR transforms have a named
	 * attribute table (key length); other types print attributes
	 * generically.  Returns the position reached, or NULL after a
	 * truncation marker.
	 */
	const struct ikev2_t *tr = (const struct ikev2_t *)ext;
	const struct attrmap *attrs = NULL;
	size_t nattrs = 0;
	const char *idname = NULL;
	const u_char *cur, *end;
	uint16_t t_id;
	uint8_t t_type;

	ND_TCHECK_SIZE(tr);
	ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_T), GET_U_1(tr->h.critical));

	t_id = GET_BE_U_2(tr->t_id);
	t_type = GET_U_1(tr->t_type);

	switch (t_type) {
	case IV2_T_ENCR:
		idname = STR_OR_ID(t_id, esp_p_map);
		attrs = encr_t_map;
		nattrs = sizeof(encr_t_map)/sizeof(encr_t_map[0]);
		break;
	case IV2_T_PRF:
		idname = STR_OR_ID(t_id, prf_p_map);
		break;
	case IV2_T_INTEG:
		idname = STR_OR_ID(t_id, integ_p_map);
		break;
	case IV2_T_DH:
		idname = STR_OR_ID(t_id, dh_p_map);
		break;
	case IV2_T_ESN:
		idname = STR_OR_ID(t_id, esn_p_map);
		break;
	default:
		/* unknown transform type: the ID is printed numerically */
		break;
	}

	ND_PRINT(" #%u type=%s ", tcount, STR_OR_ID(t_type, ikev2_t_type_map));
	if (idname != NULL)
		ND_PRINT("id=%s ", idname);
	else
		ND_PRINT("id=%u ", t_id);

	cur = (const u_char *)(tr + 1);
	end = (const u_char *)tr + item_len;
	while (cur < ep && cur < end) {
		if (attrs != NULL && nattrs != 0)
			cur = ikev1_attrmap_print(ndo, cur, end, attrs, nattrs);
		else
			cur = ikev1_attr_print(ndo, cur, end);
		if (cur == NULL)
			goto trunc;
	}
	/* declared length runs past the packet: flag it */
	if (ep < end)
		ND_PRINT("...");
	return cur;
trunc:
	ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_T));
	return NULL;
}
1979
static const u_char *
ikev2_p_print(netdissect_options *ndo, u_char tpay _U_, int pcount _U_,
	      const struct isakmp_gen *ext, u_int oprop_length,
	      const u_char *ep, int depth)
{
	/*
	 * IKEv2 Proposal substructure (RFC 5996 3.3.1).
	 *
	 * Prints the proposal header and SPI, then each Transform
	 * substructure in turn, indented one level deeper.  oprop_length
	 * is the proposal's declared length (ikev2_sa_print() guarantees
	 * >= 4); ep is the end of the captured packet.  Returns the
	 * position after the last transform, the proposal end when the
	 * contents do not fit their declared lengths ("toolong"), or NULL
	 * after a truncation marker.
	 */
	const struct ikev2_p *p;
	u_int prop_length;	/* bytes of the proposal still to consume */
	uint8_t spi_size;
	const u_char *cp;
	int i;
	int tcount;
	u_char np;
	u_int item_len;

	p = (const struct ikev2_p *)ext;
	ND_TCHECK_SIZE(p);

	ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_P), GET_U_1(p->h.critical));

	/*
	 * ikev2_sa_print() guarantees that this is >= 4.
	 */
	prop_length = oprop_length - 4;
	ND_PRINT(" #%u protoid=%s transform=%u len=%u",
		  GET_U_1(p->p_no), PROTOIDSTR(GET_U_1(p->prot_id)),
		  GET_U_1(p->num_t), oprop_length);
	cp = (const u_char *)(p + 1);

	spi_size = GET_U_1(p->spi_size);
	if (spi_size) {
		/* the SPI must fit inside the proposal's declared length */
		if (prop_length < spi_size)
			goto toolong;
		ND_PRINT(" spi=");
		if (!rawprint(ndo, (const uint8_t *)cp, spi_size))
			goto trunc;
		cp += spi_size;
		prop_length -= spi_size;
	}

	/*
	 * Print the transforms.
	 *
	 * np is seeded with the transform type so the first iteration runs;
	 * afterwards it is taken from the header of the transform just
	 * printed (ext is re-pointed to each transform inside the loop), so
	 * the loop ends when a transform announces "no next payload".
	 */
	tcount = 0;
	for (np = ISAKMP_NPTYPE_T; np != 0; np = GET_U_1(ext->np)) {
		tcount++;
		ext = (const struct isakmp_gen *)cp;
		if (prop_length < sizeof(*ext))
			goto toolong;
		ND_TCHECK_SIZE(ext);

		/*
		 * Since we can't have a payload length of less than 4 bytes,
		 * we need to bail out here if the generic header is nonsensical
		 * or truncated, otherwise we could loop forever processing
		 * zero-length items or otherwise misdissect the packet.
		 */
		item_len = GET_BE_U_2(ext->len);
		if (item_len <= 4)
			goto trunc;

		/* the transform must fit in what is left of the proposal */
		if (prop_length < item_len)
			goto toolong;
		ND_TCHECK_LEN(cp, item_len);

		depth++;
		ND_PRINT("\n");
		for (i = 0; i < depth; i++)
			ND_PRINT("    ");
		ND_PRINT("(");
		if (np == ISAKMP_NPTYPE_T) {
			cp = ikev2_t_print(ndo, tcount, ext, item_len, ep);
			if (cp == NULL) {
				/* error, already reported */
				return NULL;
			}
		} else {
			/* not a transform: name it and skip over it */
			ND_PRINT("%s", NPSTR(np));
			cp += item_len;
		}
		ND_PRINT(")");
		depth--;
		prop_length -= item_len;
	}
	return cp;
toolong:
	/*
	 * Skip the rest of the proposal.
	 */
	cp += prop_length;
	ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_P));
	return cp;
trunc:
	ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_P));
	return NULL;
}
2075
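static const u_char *
ikev2_sa_print(netdissect_options *ndo, u_char tpay,
		const struct isakmp_gen *ext1,
		u_int osa_length, const u_char *ep,
		uint32_t phase _U_, uint32_t doi _U_,
		uint32_t proto _U_, int depth)
{
	/*
	 * Print an IKEv2 SA payload: the generic header, then every
	 * proposal substructure it contains (via ikev2_p_print()).
	 *
	 * ext1:       the SA payload's generic header.
	 * osa_length: the length from that header as read by the caller;
	 *             re-read below from the same field.
	 * ep:         passed through to the proposal/transform printers.
	 * depth:      nesting level for indentation.
	 *
	 * Returns the pointer just past the last proposal (the end of the
	 * SA payload for well-formed input), or NULL after an error that
	 * has already been printed.
	 */
	const struct isakmp_gen *ext;
	u_int sa_length;
	const u_char *cp;
	int i;
	int pcount;
	u_char np;
	u_int item_len;

	ND_TCHECK_SIZE(ext1);
	ikev2_pay_print(ndo, "sa", GET_U_1(ext1->critical));

	/*
	 * ikev2_sub0_print() rejects any length <= 4 before calling us,
	 * so the subtraction cannot wrap.  sa_length is the budget of
	 * bytes still unaccounted for inside the SA payload.
	 */
	osa_length= GET_BE_U_2(ext1->len);
	sa_length = osa_length - 4;
	ND_PRINT(" len=%u", sa_length);

	/*
	 * Print the payloads.  Every check is made against the SA's own
	 * budget first and against the captured data second, so a bad
	 * inner length is reported as "[|sa]" rather than read past.
	 */
	cp = (const u_char *)(ext1 + 1);
	pcount = 0;
	for (np = ISAKMP_NPTYPE_P; np != 0; np = GET_U_1(ext->np)) {
		pcount++;
		ext = (const struct isakmp_gen *)cp;
		if (sa_length < sizeof(*ext))
			goto toolong;
		ND_TCHECK_SIZE(ext);

		/*
		 * Since we can't have a payload length of less than 4 bytes,
		 * we need to bail out here if the generic header is nonsensical
		 * or truncated, otherwise we could loop forever processing
		 * zero-length items or otherwise misdissect the packet.
		 */
		item_len = GET_BE_U_2(ext->len);
		if (item_len <= 4)
			goto trunc;

		if (sa_length < item_len)
			goto toolong;
		ND_TCHECK_LEN(cp, item_len);

		depth++;
		ND_PRINT("\n");
		for (i = 0; i < depth; i++)
			ND_PRINT(" ");
		ND_PRINT("(");
		if (np == ISAKMP_NPTYPE_P) {
			if (ikev2_p_print(ndo, np, pcount, ext, item_len,
					  ep, depth) == NULL) {
				/* error, already reported */
				return NULL;
			}
		} else {
			ND_PRINT("%s", NPSTR(np));
		}
		ND_PRINT(")");
		depth--;

		/*
		 * Step by the length in the proposal's own header rather
		 * than by wherever ikev2_p_print() stopped.  If it returned
		 * short of that (bytes left over after the last transform),
		 * the next proposal would otherwise be parsed from the
		 * wrong offset while sa_length is still debited by the
		 * full item_len, and the two would drift apart.
		 */
		cp = (const u_char *)ext + item_len;
		sa_length -= item_len;
	}
	return cp;
toolong:
	/*
	 * Skip the rest of the SA.
	 */
	cp += sa_length;
	ND_PRINT(" [|%s]", NPSTR(tpay));
	return cp;
trunc:
	ND_PRINT(" [|%s]", NPSTR(tpay));
	return NULL;
}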
2159
static const u_char *
ikev2_ke_print(netdissect_options *ndo, u_char tpay,
	       const struct isakmp_gen *ext,
	       u_int item_len, const u_char *ep _U_,
	       uint32_t phase _U_, uint32_t doi _U_,
	       uint32_t proto _U_, int depth _U_)
{
	/*
	 * Print an IKEv2 Key Exchange payload: the DH group number and,
	 * at -vvv, the raw key exchange data.
	 *
	 * Returns the end of the payload (ext + item_len), or NULL if the
	 * key data was not fully captured.
	 */
	const struct ikev2_ke *ke = (const struct ikev2_ke *)ext;
	const u_char *payload_end = (const u_char *)ext + item_len;
	u_int keydata_len;

	ND_TCHECK_SIZE(ke);
	ikev2_pay_print(ndo, NPSTR(tpay), GET_U_1(ke->h.critical));

	/*
	 * The fixed part (generic header + group + reserved) is 8 bytes;
	 * a declared length below that leaves nothing to subtract from.
	 */
	if (item_len < 8) {
		ND_PRINT(" len=%u < 8", item_len);
		return payload_end;
	}
	keydata_len = item_len - 8;
	ND_PRINT(" len=%u group=%s", keydata_len,
		 STR_OR_ID(GET_BE_U_2(ke->ke_group), dh_p_map));

	/* Only dump the key exchange data itself at -vvv. */
	if (ndo->ndo_vflag > 2 && keydata_len > 0) {
		ND_PRINT(" ");
		if (!rawprint(ndo, (const uint8_t *)(ke + 1), keydata_len))
			goto trunc;
	}
	return payload_end;
trunc:
	ND_PRINT(" [|%s]", NPSTR(tpay));
	return NULL;
}
2190
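static const u_char *
ikev2_ID_print(netdissect_options *ndo, u_char tpay,
	       const struct isakmp_gen *ext,
	       u_int item_len, const u_char *ep _U_,
	       uint32_t phase _U_, uint32_t doi _U_,
	       uint32_t proto _U_, int depth _U_)
{
	/*
	 * Print an IKEv2 Identification payload (IDi/IDr): the ID type,
	 * then the identification data as masked ASCII (FQDN, RFC822) or
	 * hex (addresses, DNs, key ids, anything unknown).
	 *
	 * Returns the end of the payload (ext + item_len), or NULL if the
	 * data was not fully captured.
	 */
	const struct ikev2_id *idp;
	u_int idtype_len, i;
	unsigned int dumpascii, dumphex;
	const unsigned char *typedata;
	uint8_t idtype;

	idp = (const struct ikev2_id *)ext;
	ND_TCHECK_SIZE(idp);
	ikev2_pay_print(ndo, NPSTR(tpay), GET_U_1(idp->h.critical));

	/*
	 * Our caller has ensured that the length is > 4.
	 */
	ND_PRINT(" len=%u", item_len - 4);
	if (2 < ndo->ndo_vflag && 4 < item_len) {
		/* Print the entire payload in hex */
		ND_PRINT(" ");
		if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
			goto trunc;
	}

	/*
	 * The ID header (generic header + type + reserved) must fit in
	 * the declared length.  ND_TCHECK_SIZE() above only proves those
	 * bytes were captured, not that the sender's length covers them;
	 * without this check the subtraction below wraps and the payload
	 * is reported as truncated (rawprint()/ND_TCHECK_LEN() reject the
	 * wrapped length) instead of as malformed.
	 */
	if (item_len < sizeof(struct ikev2_id)) {
		ND_PRINT(" len=%u < %u", item_len,
			 (u_int)sizeof(struct ikev2_id));
		return (const u_char *)ext + item_len;
	}
	idtype_len = item_len - sizeof(struct ikev2_id);
	dumpascii = 0;
	dumphex = 0;
	typedata = (const unsigned char *)(ext) + sizeof(struct ikev2_id);

	idtype = GET_U_1(idp->type);
	switch (idtype) {
	case ID_IPV4_ADDR:
		ND_PRINT(" ipv4:");
		dumphex = 1;
		break;
	case ID_FQDN:
		ND_PRINT(" fqdn:");
		dumpascii = 1;
		break;
	case ID_RFC822_ADDR:
		ND_PRINT(" rfc822:");
		dumpascii = 1;
		break;
	case ID_IPV6_ADDR:
		ND_PRINT(" ipv6:");
		dumphex = 1;
		break;
	case ID_DER_ASN1_DN:
		ND_PRINT(" dn:");
		dumphex = 1;
		break;
	case ID_DER_ASN1_GN:
		ND_PRINT(" gn:");
		dumphex = 1;
		break;
	case ID_KEY_ID:
		ND_PRINT(" keyid:");
		dumphex = 1;
		break;
	default:
		/*
		 * Unknown or unhandled ID type: still show the type
		 * number and the raw bytes rather than nothing at all.
		 */
		ND_PRINT(" type=%u:", idtype);
		dumphex = 1;
		break;
	}

	if (dumpascii) {
		/* Non-printable bytes are masked so terminal output stays sane. */
		ND_TCHECK_LEN(typedata, idtype_len);
		for (i = 0; i < idtype_len; i++) {
			if (ND_ASCII_ISPRINT(GET_U_1(typedata + i))) {
				ND_PRINT("%c", GET_U_1(typedata + i));
			} else {
				ND_PRINT(".");
			}
		}
	}
	if (dumphex) {
		if (!rawprint(ndo, (const uint8_t *)typedata, idtype_len))
			goto trunc;
	}

	return (const u_char *)ext + item_len;
trunc:
	ND_PRINT(" [|%s]", NPSTR(tpay));
	return NULL;
}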
2274
static const u_char *
ikev2_cert_print(netdissect_options *ndo, u_char tpay,
		 const struct isakmp_gen *ext,
		 u_int item_len, const u_char *ep _U_,
		 uint32_t phase _U_, uint32_t doi _U_,
		 uint32_t proto _U_, int depth _U_)
{
	/*
	 * IKEv2 Certificate payload: no type-specific dissection, only
	 * the generic header/length summary from ikev2_gen_print().
	 */
	const u_char *next = ikev2_gen_print(ndo, tpay, ext, item_len);

	return next;
}
2284
static const u_char *
ikev2_cr_print(netdissect_options *ndo, u_char tpay,
	       const struct isakmp_gen *ext,
	       u_int item_len, const u_char *ep _U_,
	       uint32_t phase _U_, uint32_t doi _U_,
	       uint32_t proto _U_, int depth _U_)
{
	/*
	 * IKEv2 Certificate Request payload: no type-specific dissection,
	 * only the generic header/length summary from ikev2_gen_print().
	 */
	const u_char *next = ikev2_gen_print(ndo, tpay, ext, item_len);

	return next;
}
2294
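static const u_char *
ikev2_auth_print(netdissect_options *ndo, u_char tpay,
		 const struct isakmp_gen *ext,
		 u_int item_len, const u_char *ep _U_,
		 uint32_t phase _U_, uint32_t doi _U_,
		 uint32_t proto _U_, int depth _U_)
{
	/*
	 * Print an IKEv2 Authentication payload: the auth method and, with
	 * -v, some or all (-vv) of the authentication data.
	 *
	 * Returns the end of the payload (ext + item_len), or NULL if the
	 * data was not fully captured.
	 */
	const struct ikev2_auth *p;
	static const char * const v2_auth[] = { "invalid", "rsasig",
						"shared-secret", "dsssig" };
	const u_char *authdata = (const u_char *)ext + sizeof(struct ikev2_auth);
	const u_char *payload_end = (const u_char *)ext + item_len;
	u_int authdata_len;

	ND_TCHECK_LEN(ext, sizeof(struct ikev2_auth));
	p = (const struct ikev2_auth *)ext;
	ikev2_pay_print(ndo, NPSTR(tpay), GET_U_1(p->h.critical));

	/*
	 * Our caller has ensured that the length is > 4.
	 */
	ND_PRINT(" len=%u method=%s", item_len-4,
		 STR_OR_ID(GET_U_1(p->auth_method), v2_auth));

	/*
	 * The fixed part (generic header + method + reserved) must fit in
	 * the declared length; ND_TCHECK_LEN() above only proves it was
	 * captured.  Without this the subtraction wraps (reported as a
	 * truncation) and the -v path would start the dump past the end
	 * of this payload.
	 */
	if (item_len < sizeof(struct ikev2_auth)) {
		ND_PRINT(" len=%u < %u", item_len,
			 (u_int)sizeof(struct ikev2_auth));
		return payload_end;
	}
	authdata_len = item_len - sizeof(struct ikev2_auth);
	if (authdata_len > 0) {
		if (ndo->ndo_vflag > 1) {
			ND_PRINT(" authdata=(");
			if (!rawprint(ndo, (const uint8_t *)authdata, authdata_len))
				goto trunc;
			ND_PRINT(") ");
		} else if (ndo->ndo_vflag) {
			/*
			 * Abbreviated dump, bounded by this payload's end.
			 * The ep argument is the capture end (see
			 * ikev2_print()), so bounding by it would show
			 * bytes belonging to whatever payloads follow.
			 */
			if (!ike_show_somedata(ndo, authdata, payload_end))
				goto trunc;
		}
	}

	return payload_end;
trunc:
	ND_PRINT(" [|%s]", NPSTR(tpay));
	return NULL;
}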
2333
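static const u_char *
ikev2_nonce_print(netdissect_options *ndo, u_char tpay,
		  const struct isakmp_gen *ext,
		  u_int item_len, const u_char *ep _U_,
		  uint32_t phase _U_, uint32_t doi _U_,
		  uint32_t proto _U_, int depth _U_)
{
	/*
	 * Print an IKEv2 Nonce payload: its length and, with -v, some or
	 * all (-vv) of the nonce bytes.
	 *
	 * Returns the end of the payload (ext + item_len), or NULL if the
	 * nonce was not fully captured.
	 */
	const u_char *nonce = (const u_char *)(ext + 1);
	const u_char *payload_end = (const u_char *)ext + item_len;
	u_int nonce_len;

	ND_TCHECK_SIZE(ext);
	ikev2_pay_print(ndo, "nonce", GET_U_1(ext->critical));

	/*
	 * Our caller has ensured that the length is > 4, so this cannot
	 * wrap.
	 */
	nonce_len = item_len - 4;
	ND_PRINT(" len=%u", nonce_len);
	if (nonce_len > 0) {
		if (ndo->ndo_vflag > 1) {
			ND_PRINT(" nonce=(");
			if (!rawprint(ndo, (const uint8_t *)nonce, nonce_len))
				goto trunc;
			ND_PRINT(") ");
		} else if (ndo->ndo_vflag) {
			/*
			 * Abbreviated dump, bounded by this payload's end.
			 * The ep argument is the capture end (see
			 * ikev2_print()); bounding by it made the tail of
			 * the dump come from whatever payload happened to
			 * be last in the packet, not from the nonce.
			 */
			if (!ike_show_somedata(ndo, nonce, payload_end))
				goto trunc;
		}
	}

	return payload_end;
trunc:
	ND_PRINT(" [|%s]", NPSTR(tpay));
	return NULL;
}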
2362
2363 /* notify payloads */
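static const u_char *
ikev2_n_print(netdissect_options *ndo, u_char tpay _U_,
	      const struct isakmp_gen *ext,
	      u_int item_len, const u_char *ep _U_,
	      uint32_t phase _U_, uint32_t doi _U_,
	      uint32_t proto _U_, int depth _U_)
{
	/*
	 * Print an IKEv2 Notify payload: protocol id, notify type (with a
	 * name where we know one), the SPI when the type carries one, and
	 * the notification data (all of it at -vvvv, or an excerpt for
	 * types such as COOKIE where the data is the point).
	 *
	 * Returns the end of the payload (ext + item_len), or NULL if the
	 * SPI/data was not fully captured.
	 */
	const struct ikev2_n *p;
	const u_char *payload_end = (const u_char *)ext + item_len;
	uint16_t type;
	uint8_t spi_size;
	const u_char *cp;
	u_char showspi, showsomedata;
	const char *notify_name;

	p = (const struct ikev2_n *)ext;
	ND_TCHECK_SIZE(p);
	ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_N), GET_U_1(p->h.critical));

	showspi = 1;
	showsomedata = 0;
	notify_name = NULL;

	ND_PRINT(" prot_id=%s", PROTOIDSTR(GET_U_1(p->prot_id)));

	type = GET_BE_U_2(p->type);

	/* notify space is annoyingly sparse */
	switch (type) {
	case IV2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD:
		notify_name = "unsupported_critical_payload";
		showspi = 0;
		break;

	case IV2_NOTIFY_INVALID_IKE_SPI:
		notify_name = "invalid_ike_spi";
		showspi = 1;
		break;

	case IV2_NOTIFY_INVALID_MAJOR_VERSION:
		notify_name = "invalid_major_version";
		showspi = 0;
		break;

	case IV2_NOTIFY_INVALID_SYNTAX:
		notify_name = "invalid_syntax";
		showspi = 1;
		break;

	case IV2_NOTIFY_INVALID_MESSAGE_ID:
		notify_name = "invalid_message_id";
		showspi = 1;
		break;

	case IV2_NOTIFY_INVALID_SPI:
		notify_name = "invalid_spi";
		showspi = 1;
		break;

	case IV2_NOTIFY_NO_PROPOSAL_CHOSEN:
		/* Named after the constant; it used to read "no_protocol_chosen". */
		notify_name = "no_proposal_chosen";
		showspi = 1;
		break;

	case IV2_NOTIFY_INVALID_KE_PAYLOAD:
		notify_name = "invalid_ke_payload";
		showspi = 1;
		break;

	case IV2_NOTIFY_AUTHENTICATION_FAILED:
		notify_name = "authentication_failed";
		showspi = 1;
		break;

	case IV2_NOTIFY_SINGLE_PAIR_REQUIRED:
		notify_name = "single_pair_required";
		showspi = 1;
		break;

	case IV2_NOTIFY_NO_ADDITIONAL_SAS:
		notify_name = "no_additional_sas";
		showspi = 0;
		break;

	case IV2_NOTIFY_INTERNAL_ADDRESS_FAILURE:
		notify_name = "internal_address_failure";
		showspi = 0;
		break;

	case IV2_NOTIFY_FAILED_CP_REQUIRED:
		notify_name = "failed:cp_required";
		showspi = 0;
		break;

	case IV2_NOTIFY_INVALID_SELECTORS:
		notify_name = "invalid_selectors";
		showspi = 0;
		break;

	case IV2_NOTIFY_INITIAL_CONTACT:
		notify_name = "initial_contact";
		showspi = 0;
		break;

	case IV2_NOTIFY_SET_WINDOW_SIZE:
		notify_name = "set_window_size";
		showspi = 0;
		break;

	case IV2_NOTIFY_ADDITIONAL_TS_POSSIBLE:
		notify_name = "additional_ts_possible";
		showspi = 0;
		break;

	case IV2_NOTIFY_IPCOMP_SUPPORTED:
		notify_name = "ipcomp_supported";
		showspi = 0;
		break;

	case IV2_NOTIFY_NAT_DETECTION_SOURCE_IP:
		notify_name = "nat_detection_source_ip";
		showspi = 1;
		break;

	case IV2_NOTIFY_NAT_DETECTION_DESTINATION_IP:
		notify_name = "nat_detection_destination_ip";
		showspi = 1;
		break;

	case IV2_NOTIFY_COOKIE:
		notify_name = "cookie";
		showspi = 1;
		showsomedata = 1;
		break;

	case IV2_NOTIFY_USE_TRANSPORT_MODE:
		notify_name = "use_transport_mode";
		showspi = 0;
		break;

	case IV2_NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED:
		notify_name = "http_cert_lookup_supported";
		showspi = 0;
		break;

	case IV2_NOTIFY_REKEY_SA:
		notify_name = "rekey_sa";
		showspi = 1;
		break;

	case IV2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED:
		notify_name = "tfc_padding_not_supported";
		showspi = 0;
		break;

	case IV2_NOTIFY_NON_FIRST_FRAGMENTS_ALSO:
		notify_name = "non_first_fragment_also";
		showspi = 0;
		break;

	default:
		/*
		 * Unknown type: classify by the range it falls in
		 * (error vs. status, registered vs. private use).
		 */
		if (type < 8192) {
			notify_name = "error";
		} else if (type < 16384) {
			notify_name = "private-error";
		} else if (type < 40960) {
			notify_name = "status";
		} else {
			notify_name = "private-status";
		}
		break;
	}

	/* Every branch above set notify_name, so it is never NULL here. */
	ND_PRINT(" type=%u(%s)", type, notify_name);

	/*
	 * Everything after the fixed header must fit inside the length
	 * the payload declares for itself: spi_size bytes of SPI, then
	 * notification data up to payload_end.  The ep argument is the
	 * capture end (see ikev2_print()), so bounding by it made the
	 * -vvvv "data" dump swallow every payload that follows this one,
	 * and an oversized spi_size silently moved cp past the payload.
	 */
	spi_size = GET_U_1(p->spi_size);
	if (item_len < sizeof(*p) || spi_size > item_len - sizeof(*p)) {
		ND_PRINT(" [spi_size=%u exceeds len=%u]", spi_size, item_len);
		return payload_end;
	}
	if (showspi && spi_size) {
		ND_PRINT(" spi=");
		if (!rawprint(ndo, (const uint8_t *)(p + 1), spi_size))
			goto trunc;
	}

	cp = (const u_char *)(p + 1) + spi_size;

	if (cp < payload_end) {
		if (ndo->ndo_vflag > 3 ||
		    (showsomedata && payload_end - cp < 30)) {
			ND_PRINT(" data=(");
			if (!rawprint(ndo, (const uint8_t *)cp, payload_end - cp))
				goto trunc;

			ND_PRINT(")");
		} else if (showsomedata) {
			if (!ike_show_somedata(ndo, cp, payload_end))
				goto trunc;
		}
	}

	return payload_end;
trunc:
	ND_PRINT(" [|%s]", NPSTR(ISAKMP_NPTYPE_N));
	return NULL;
}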
2567
static const u_char *
ikev2_d_print(netdissect_options *ndo, u_char tpay,
	      const struct isakmp_gen *ext,
	      u_int item_len, const u_char *ep _U_,
	      uint32_t phase _U_, uint32_t doi _U_,
	      uint32_t proto _U_, int depth _U_)
{
	/*
	 * IKEv2 Delete payload: no type-specific dissection, only the
	 * generic header/length summary from ikev2_gen_print().
	 */
	const u_char *next = ikev2_gen_print(ndo, tpay, ext, item_len);

	return next;
}
2577
static const u_char *
ikev2_vid_print(netdissect_options *ndo, u_char tpay,
		const struct isakmp_gen *ext,
		u_int item_len, const u_char *ep _U_,
		uint32_t phase _U_, uint32_t doi _U_,
		uint32_t proto _U_, int depth _U_)
{
	/*
	 * Print an IKEv2 Vendor ID payload as masked ASCII, plus a hex
	 * dump at -vvv.
	 *
	 * Returns the end of the payload (ext + item_len), or NULL if the
	 * vendor ID bytes were not fully captured.
	 */
	const u_char *vid;
	const u_char *payload_end;
	u_int len, i;

	ND_TCHECK_SIZE(ext);
	ikev2_pay_print(ndo, NPSTR(tpay), GET_U_1(ext->critical));

	/* Caller guarantees item_len > 4 (the generic header), no wrap. */
	len = item_len - 4;
	vid = (const u_char *)(ext + 1);
	payload_end = (const u_char *)ext + item_len;
	ND_PRINT(" len=%u vid=", len);

	/*
	 * Vendor IDs are frequently text, so show them as ASCII with
	 * non-printable bytes masked to keep terminal output sane.
	 */
	ND_TCHECK_LEN(vid, len);
	for (i = 0; i < len; i++) {
		u_char c = GET_U_1(vid + i);

		ND_PRINT("%c", ND_ASCII_ISPRINT(c) ? c : '.');
	}
	if (ndo->ndo_vflag > 2 && len > 4) {
		/* Print the entire payload in hex */
		ND_PRINT(" ");
		if (!rawprint(ndo, (const uint8_t *)vid, len))
			goto trunc;
	}
	return payload_end;
trunc:
	ND_PRINT(" [|%s]", NPSTR(tpay));
	return NULL;
}
2615
static const u_char *
ikev2_TS_print(netdissect_options *ndo, u_char tpay,
	       const struct isakmp_gen *ext,
	       u_int item_len, const u_char *ep _U_,
	       uint32_t phase _U_, uint32_t doi _U_,
	       uint32_t proto _U_, int depth _U_)
{
	/*
	 * IKEv2 Traffic Selector payload (TSi/TSr): no type-specific
	 * dissection, only the generic header/length summary from
	 * ikev2_gen_print().
	 */
	const u_char *next = ikev2_gen_print(ndo, tpay, ext, item_len);

	return next;
}
2625
static const u_char *
ikev2_e_print(netdissect_options *ndo,
#ifndef HAVE_LIBCRYPTO
	      _U_
#endif
	      const struct isakmp *base,
	      u_char tpay,
	      const struct isakmp_gen *ext,
	      u_int item_len, const u_char *ep _U_,
#ifndef HAVE_LIBCRYPTO
	      _U_
#endif
	      uint32_t phase,
#ifndef HAVE_LIBCRYPTO
	      _U_
#endif
	      uint32_t doi,
#ifndef HAVE_LIBCRYPTO
	      _U_
#endif
	      uint32_t proto,
#ifndef HAVE_LIBCRYPTO
	      _U_
#endif
	      int depth)
{
	/*
	 * Print an IKEv2 Encrypted (SK) payload.  The ciphertext length is
	 * always printed (and hex-dumped at -vvv).  When built with
	 * libcrypto, decryption is attempted with the keys loaded from the
	 * ESP secret (see isakmp_print()); on success the decrypted
	 * payload chain is dissected recursively.
	 *
	 * base:  the ISAKMP header of this message; its SPIs and the I
	 *        flag select the keys/direction for decryption.
	 * ext:   this payload's generic header; its "next payload" byte
	 *        names the first payload *inside* the encrypted blob.
	 *
	 * Always returns NULL: the Encrypted payload is the last one in
	 * the message, and returning NULL stops the caller's walk
	 * (ikev2_sub_print() treats NULL as "stop").
	 */
	const u_char *dat;
	u_int dlen;
#ifdef HAVE_LIBCRYPTO
	uint8_t np;
#endif

	ND_TCHECK_SIZE(ext);
	ikev2_pay_print(ndo, NPSTR(tpay), GET_U_1(ext->critical));

	/* Caller guarantees item_len > 4, so this cannot wrap. */
	dlen = item_len-4;

	ND_PRINT(" len=%u", dlen);
	if (2 < ndo->ndo_vflag && 4 < dlen) {
		ND_PRINT(" ");
		if (!rawprint(ndo, (const uint8_t *)(ext + 1), dlen))
			goto trunc;
	}

	/* The whole ciphertext must be captured before we try to decrypt it. */
	dat = (const u_char *)(ext+1);
	ND_TCHECK_LEN(dat, dlen);

#ifdef HAVE_LIBCRYPTO
	np = GET_U_1(ext->np);

	/* try to decrypt it! */
	if(esp_decrypt_buffer_by_ikev2_print(ndo,
					     GET_U_1(base->flags) & ISAKMP_FLAG_I,
					     base->i_ck, base->r_ck,
					     dat, dat+dlen)) {

		/*
		 * On success the decrypted plaintext has become the
		 * current packet buffer (ndo_packetp/ndo_snapend), so the
		 * inner payloads are walked from its start.
		 */
		ext = (const struct isakmp_gen *)ndo->ndo_packetp;

		/* got it decrypted, print stuff inside. */
		ikev2_sub_print(ndo, base, np, ext,
				ndo->ndo_snapend, phase, doi, proto, depth+1);

		/*
		 * esp_decrypt_buffer_by_ikev2_print pushed information
		 * on the buffer stack; we're done with the buffer, so
		 * pop it (which frees the buffer)
		 */
		nd_pop_packet_info(ndo);
	}
#endif


	/* always return NULL, because E must be at end, and NP refers
	 * to what was inside.
	 */
	return NULL;
trunc:
	ND_PRINT(" [|%s]", NPSTR(tpay));
	return NULL;
}
2706
static const u_char *
ikev2_cp_print(netdissect_options *ndo, u_char tpay,
	       const struct isakmp_gen *ext,
	       u_int item_len, const u_char *ep _U_,
	       uint32_t phase _U_, uint32_t doi _U_,
	       uint32_t proto _U_, int depth _U_)
{
	/*
	 * IKEv2 Configuration payload: no type-specific dissection, only
	 * the generic header/length summary from ikev2_gen_print().
	 */
	const u_char *next = ikev2_gen_print(ndo, tpay, ext, item_len);

	return next;
}
2716
static const u_char *
ikev2_eap_print(netdissect_options *ndo, u_char tpay,
		const struct isakmp_gen *ext,
		u_int item_len, const u_char *ep _U_,
		uint32_t phase _U_, uint32_t doi _U_,
		uint32_t proto _U_, int depth _U_)
{
	/*
	 * IKEv2 EAP payload: no type-specific dissection, only the
	 * generic header/length summary from ikev2_gen_print().
	 */
	const u_char *next = ikev2_gen_print(ndo, tpay, ext, item_len);

	return next;
}
2726
static const u_char *
ike_sub0_print(netdissect_options *ndo,
	       u_char np, const struct isakmp_gen *ext, const u_char *ep,

	       uint32_t phase, uint32_t doi, uint32_t proto, int depth)
{
	/*
	 * Dispatch one IKEv1 payload of type np to its printer (via the
	 * npfunc table), or just name it and step over it when we have
	 * no printer for that type.
	 *
	 * Returns the start of the next payload, or NULL when the length
	 * field is unusable or the printer reported an error.
	 */
	u_int item_len;

	ND_TCHECK_SIZE(ext);

	/*
	 * Every payload carries at least its 4-byte generic header; a
	 * smaller length could never advance the walk and would spin
	 * forever (or misdissect the packet), so refuse it here.
	 */
	item_len = GET_BE_U_2(ext->len);
	if (item_len <= 4)
		return NULL;

	/* No type-specific printer: name the payload and skip its bytes. */
	if (!NPFUNC(np)) {
		ND_PRINT("%s", NPSTR(np));
		return (const u_char *)ext + item_len;
	}

	/*
	 * XXX - item_len is not validated against what this payload type
	 * requires; each printer has to cope with short or long lengths.
	 */
	return (*npfunc[np])(ndo, np, ext, item_len, ep, phase, doi, proto, depth);
trunc:
	nd_print_trunc(ndo);
	return NULL;
}
2765
static const u_char *
ikev1_sub_print(netdissect_options *ndo,
		u_char np, const struct isakmp_gen *ext, const u_char *ep,
		uint32_t phase, uint32_t doi, uint32_t proto, int depth)
{
	/*
	 * Walk a chain of IKEv1 payloads starting at ext, whose type is
	 * np, following each payload's "next payload" byte until it is 0.
	 * Each payload is printed on its own line, indented by depth.
	 *
	 * Returns the pointer just past the last payload, or NULL if a
	 * payload was truncated or had an unusable length (in which case
	 * the error has already been printed).
	 */
	const u_char *cp = (const u_char *)ext;
	int nested = depth + 1;
	int i;

	for (; np != 0;
	     np = GET_U_1(ext->np), ext = (const struct isakmp_gen *)cp) {
		/* Both the generic header and the declared length must be captured. */
		ND_TCHECK_SIZE(ext);
		ND_TCHECK_LEN(ext, GET_BE_U_2(ext->len));

		ND_PRINT("\n");
		for (i = 0; i < nested; i++)
			ND_PRINT(" ");
		ND_PRINT("(");
		cp = ike_sub0_print(ndo, np, ext, ep, phase, doi, proto, nested);
		ND_PRINT(")");

		if (cp == NULL) {
			/* Zero-length subitem or printer error, already reported. */
			return NULL;
		}
	}
	return cp;
trunc:
	ND_PRINT(" [|%s]", NPSTR(np));
	return NULL;
}
2805
static char *
numstr(u_int x)
{
	/*
	 * Format "#<x>" for STR_OR_ID() when a code has no known name.
	 * The result lives in static storage: it is only valid until the
	 * next call, and the function is not reentrant.
	 */
	static char buf[20];

	(void)snprintf(buf, sizeof buf, "#%u", x);
	return buf;
}
2813
static void
ikev1_print(netdissect_options *ndo,
	    const u_char *bp, u_int length,
	    const u_char *bp2, const struct isakmp *base)
{
	/*
	 * Print an IKEv1 (ISAKMP major version 1) message: phase,
	 * initiator/responder role, exchange type, flags, and -- with -v
	 * -- the payload chain (unless the message is encrypted, in which
	 * case it is only labelled).
	 *
	 * bp/length: the ISAKMP header and everything after it; base
	 *            points at the same header.
	 * bp2:       presumably the enclosing IP header (tcpdump
	 *            convention) -- only handed to the cookie helpers,
	 *            and may be NULL, in which case the role is printed
	 *            as "?" unless this is the first packet.
	 */
	const struct isakmp *p;
	const u_char *ep;
	u_int flags;
	u_char np;
	int i;
	u_int phase;

	p = (const struct isakmp *)bp;
	ep = ndo->ndo_snapend;

	/* A zero message ID marks phase 1 (the ISAKMP SA exchange). */
	phase = (GET_BE_U_4(base->msgid) == 0) ? 1 : 2;
	if (phase == 1)
		ND_PRINT(" phase %u", phase);
	else
		ND_PRINT(" phase %u/others", phase);

	/*
	 * Work out which side sent this from the initiator cookie table.
	 * An unknown cookie with a zero responder cookie is the first
	 * packet of a new exchange, so record it; otherwise the table
	 * (and the address in bp2) decide initiator vs. responder.
	 */
	i = cookie_find(&base->i_ck);
	if (i < 0) {
		if (iszero(ndo, base->r_ck, sizeof(base->r_ck))) {
			/* the first packet */
			ND_PRINT(" I");
			if (bp2)
				cookie_record(ndo, &base->i_ck, bp2);
		} else
			ND_PRINT(" ?");
	} else {
		if (bp2 && cookie_isinitiator(ndo, i, bp2))
			ND_PRINT(" I");
		else if (bp2 && cookie_isresponder(ndo, i, bp2))
			ND_PRINT(" R");
		else
			ND_PRINT(" ?");
	}

	ND_PRINT(" %s", ETYPESTR(GET_U_1(base->etype)));
	flags = GET_U_1(base->flags);
	if (flags) {
		ND_PRINT("[%s%s]", flags & ISAKMP_FLAG_E ? "E" : "",
			 flags & ISAKMP_FLAG_C ? "C" : "");
	}

	if (ndo->ndo_vflag) {
		const struct isakmp_gen *ext;

		ND_PRINT(":");

		np = GET_U_1(base->np);

		/* regardless of phase... */
		if (flags & ISAKMP_FLAG_E) {
			/*
			 * encrypted, nothing we can do right now.
			 * we hope to decrypt the packet in the future...
			 */
			ND_PRINT(" [encrypted %s]", NPSTR(np));
			goto done;
		}

		/*
		 * CHECKLEN() is defined earlier in this file; it is
		 * expected to bail to the done: label below when the
		 * first payload would start past ep -- confirm against
		 * the macro definition.
		 */
		CHECKLEN(p + 1, np);
		ext = (const struct isakmp_gen *)(p + 1);
		ikev1_sub_print(ndo, np, ext, ep, phase, 0, 0, 0);
	}

done:
	/* Flag a header length that disagrees with what the transport delivered. */
	if (ndo->ndo_vflag) {
		if (GET_BE_U_4(base->len) != length) {
			ND_PRINT(" (len mismatch: isakmp %u/ip %u)",
				 GET_BE_U_4(base->len), length);
		}
	}
}
2890
static const u_char *
ikev2_sub0_print(netdissect_options *ndo, const struct isakmp *base,
		 u_char np,
		 const struct isakmp_gen *ext, const u_char *ep,
		 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
{
	/*
	 * Dispatch one IKEv2 payload of type np to its printer.  The
	 * Encrypted payload is special-cased because it needs the message
	 * header (base) for decryption; everything else goes through the
	 * npfunc table, or is just named and skipped when there is no
	 * printer for it.
	 *
	 * Returns the start of the next payload, or NULL when the length
	 * field is unusable, the printer reported an error, or the
	 * payload was the Encrypted one (which always ends the walk).
	 */
	u_int item_len;

	ND_TCHECK_SIZE(ext);

	/*
	 * Every payload carries at least its 4-byte generic header; a
	 * smaller length could never advance the walk and would spin
	 * forever (or misdissect the packet), so refuse it here.
	 */
	item_len = GET_BE_U_2(ext->len);
	if (item_len <= 4)
		return NULL;

	if (np == ISAKMP_NPTYPE_v2E)
		return ikev2_e_print(ndo, base, np, ext, item_len,
				     ep, phase, doi, proto, depth);

	/* No type-specific printer: name the payload and skip its bytes. */
	if (!NPFUNC(np)) {
		ND_PRINT("%s", NPSTR(np));
		return (const u_char *)ext + item_len;
	}

	/*
	 * XXX - item_len is not validated against what this payload type
	 * requires; each printer has to cope with short or long lengths.
	 */
	return (*npfunc[np])(ndo, np, ext, item_len,
			     ep, phase, doi, proto, depth);
trunc:
	nd_print_trunc(ndo);
	return NULL;
}
2933
static const u_char *
ikev2_sub_print(netdissect_options *ndo,
		const struct isakmp *base,
		u_char np, const struct isakmp_gen *ext, const u_char *ep,
		uint32_t phase, uint32_t doi, uint32_t proto, int depth)
{
	/*
	 * Walk a chain of IKEv2 payloads starting at ext, whose type is
	 * np, following each payload's "next payload" byte until it is 0.
	 * Each payload is printed on its own line, indented by depth.
	 * The walk relies on each printer returning the start of the
	 * following payload.
	 *
	 * Returns the pointer just past the last payload, or NULL if a
	 * payload was truncated, had an unusable length, or was the
	 * Encrypted payload (the error/decryption has already been
	 * printed).
	 */
	const u_char *cp = (const u_char *)ext;
	int nested = depth + 1;
	int i;

	for (; np != 0;
	     np = GET_U_1(ext->np), ext = (const struct isakmp_gen *)cp) {
		/* Both the generic header and the declared length must be captured. */
		ND_TCHECK_SIZE(ext);
		ND_TCHECK_LEN(ext, GET_BE_U_2(ext->len));

		ND_PRINT("\n");
		for (i = 0; i < nested; i++)
			ND_PRINT(" ");
		ND_PRINT("(");
		cp = ikev2_sub0_print(ndo, base, np,
				      ext, ep, phase, doi, proto, nested);
		ND_PRINT(")");

		if (cp == NULL) {
			/* Zero-length subitem, printer error or end of walk, already reported. */
			return NULL;
		}
	}
	return cp;
trunc:
	ND_PRINT(" [|%s]", NPSTR(np));
	return NULL;
}
2972
static void
ikev2_print(netdissect_options *ndo,
	    const u_char *bp, u_int length,
	    const u_char *bp2 _U_, const struct isakmp *base)
{
	/*
	 * Print an IKEv2 (ISAKMP major version 2) message: SA class,
	 * exchange type, flags, and -- with -v -- the payload chain.
	 *
	 * bp/length: the ISAKMP header and everything after it; base
	 *            points at the same header.
	 * bp2:       unused for IKEv2 (no cookie tracking here).
	 */
	const struct isakmp *p;
	const u_char *ep;
	uint8_t flags;
	u_char np;
	u_int phase;

	p = (const struct isakmp *)bp;
	ep = ndo->ndo_snapend;

	/*
	 * Message ID 0 is taken to mean the IKE SA itself, anything else a
	 * child SA.  NOTE(review): this is a heuristic -- only the initial
	 * exchange carries message ID 0, so later exchanges about the IKE
	 * SA will also be labelled child_sa.
	 */
	phase = (GET_BE_U_4(base->msgid) == 0) ? 1 : 2;
	if (phase == 1)
		ND_PRINT(" parent_sa");
	else
		ND_PRINT(" child_sa ");

	ND_PRINT(" %s", ETYPESTR(GET_U_1(base->etype)));
	flags = GET_U_1(base->flags);
	if (flags) {
		ND_PRINT("[%s%s%s]",
			 flags & ISAKMP_FLAG_I ? "I" : "",
			 flags & ISAKMP_FLAG_V ? "V" : "",
			 flags & ISAKMP_FLAG_R ? "R" : "");
	}

	if (ndo->ndo_vflag) {
		const struct isakmp_gen *ext;

		ND_PRINT(":");

		np = GET_U_1(base->np);

		/*
		 * regardless of phase...
		 *
		 * NOTE(review): ISAKMP_FLAG_E is the IKEv1 encryption bit;
		 * IKEv2 carries its ciphertext in the v2E payload, which
		 * ikev2_sub0_print() hands to ikev2_e_print() for
		 * decryption.  Confirm whether this bit is meaningful for
		 * IKEv2 at all before relying on this branch.
		 */
		if (flags & ISAKMP_FLAG_E) {
			/*
			 * encrypted, nothing we can do right now.
			 * we hope to decrypt the packet in the future...
			 */
			ND_PRINT(" [encrypted %s]", NPSTR(np));
			goto done;
		}

		/*
		 * CHECKLEN() is defined earlier in this file; it is
		 * expected to bail to the done: label below when the
		 * first payload would start past ep -- confirm against
		 * the macro definition.  (No trailing semicolon here:
		 * the macro expands to a complete statement.)
		 */
		CHECKLEN(p + 1, np)
		ext = (const struct isakmp_gen *)(p + 1);
		ikev2_sub_print(ndo, base, np, ext, ep, phase, 0, 0, 0);
	}

done:
	/* Flag a header length that disagrees with what the transport delivered. */
	if (ndo->ndo_vflag) {
		if (GET_BE_U_4(base->len) != length) {
			ND_PRINT(" (len mismatch: isakmp %u/ip %u)",
				 GET_BE_U_4(base->len), length);
		}
	}
}
3032
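void
isakmp_print(netdissect_options *ndo,
	     const u_char *bp, u_int length,
	     const u_char *bp2)
{
	/*
	 * Entry point for an ISAKMP/IKE message carried directly in UDP.
	 * Prints the version, message id and cookies/SPIs (verbosity
	 * permitting), then hands off to the IKEv1 or IKEv2 printer by
	 * major version.
	 *
	 * bp/length: the ISAKMP header and everything after it.
	 * bp2:       the enclosing IP header, passed through to the
	 *            version-specific printers (may be NULL).
	 */
	const struct isakmp *p;
	const u_char *ep;
	u_int major, minor;

	ndo->ndo_protocol = "isakmp";
#ifdef HAVE_LIBCRYPTO
	/*
	 * initialize SAs: parse the -E secret on first use so that
	 * ikev2_e_print() has keys to try.
	 */
	if (ndo->ndo_sa_list_head == NULL) {
		if (ndo->ndo_espsecret)
			esp_decodesecret_print(ndo);
	}
#endif

	p = (const struct isakmp *)bp;
	ep = ndo->ndo_snapend;

	/* The fixed header must be fully captured before anything is read. */
	if ((const struct isakmp *)ep < p + 1) {
		nd_print_trunc(ndo);
		return;
	}

	ND_PRINT("isakmp");
	major = (GET_U_1(p->vers) & ISAKMP_VERS_MAJOR)
		>> ISAKMP_VERS_MAJOR_SHIFT;
	minor = (GET_U_1(p->vers) & ISAKMP_VERS_MINOR)
		>> ISAKMP_VERS_MINOR_SHIFT;

	if (ndo->ndo_vflag) {
		ND_PRINT(" %u.%u", major, minor);
	}

	if (ndo->ndo_vflag) {
		ND_PRINT(" msgid ");
		hexprint(ndo, p->msgid, sizeof(p->msgid));
	}

	if (1 < ndo->ndo_vflag) {
		ND_PRINT(" cookie ");
		hexprint(ndo, p->i_ck, sizeof(p->i_ck));
		ND_PRINT("->");
		hexprint(ndo, p->r_ck, sizeof(p->r_ck));
	}
	ND_PRINT(":");

	switch(major) {
	case IKEv1_MAJOR_VERSION:
		ikev1_print(ndo, bp, length, bp2, p);
		break;

	case IKEv2_MAJOR_VERSION:
		ikev2_print(ndo, bp, length, bp2, p);
		break;

	default:
		/*
		 * Say so rather than printing nothing: a version we do
		 * not dissect is exactly the kind of anomaly someone
		 * scanning a capture wants to see flagged.
		 */
		ND_PRINT(" [unknown major version %u]", major);
		break;
	}
}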
3092
void
isakmp_rfc3948_print(netdissect_options *ndo,
		     const u_char *bp, u_int length,
		     const u_char *bp2, int ver, int fragmented, u_int ttl_hl)
{
	/*
	 * Entry point for UDP port 4500 (RFC 3948 UDP encapsulation).
	 * Classifies the datagram as a NAT-T keepalive, a non-ESP-marked
	 * IKE message, or UDP-encapsulated ESP, and hands it to the
	 * matching printer.
	 *
	 * bp/length:          the UDP payload.
	 * bp2, ver,
	 * fragmented, ttl_hl: passed through to the IKE/ESP printers.
	 */
	ndo->ndo_protocol = "isakmp_rfc3948";

	/* A lone 0xff byte is the NAT-T keepalive. */
	if (length == 1 && GET_U_1(bp) == 0xff) {
		ND_PRINT("isakmp-nat-keep-alive");
		return;
	}

	/* Need at least the 4-byte marker/SPI field to classify. */
	if (length < 4) {
		nd_print_trunc(ndo);
		return;
	}

	if (GET_BE_U_4(bp) == 0) {
		/* Four zero bytes is the non-ESP marker: IKE follows it. */
		ND_PRINT("NONESP-encap: ");
		isakmp_print(ndo, bp + 4, length - 4, bp2);
	} else {
		/*
		 * Anything else is an ESP SPI.  esp_print() either
		 * decrypts and prints the payload or it doesn't; in both
		 * cases there is nothing left for us to do.
		 */
		ND_PRINT("UDP-encap: ");
		esp_print(ndo, bp, length, bp2, ver, fragmented, ttl_hl);
	}
}
3135