search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
hammer(8): Add inline keywords in two prototypes of inline functions.
[dragonfly.git] / contrib / tcpdump / print-isakmp.c
blob4f96afe38115032fc2b753261e055c5d2d1c1db1
1 /*
2 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. Neither the name of the project nor the names of its contributors
14 * may be used to endorse or promote products derived from this software
15 * without specific prior written permission.
16 *
17 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27 * SUCH DAMAGE.
28 *
29 */
30
31 #ifndef lint
32 static const char rcsid[] _U_ =
33 "@(#) $Header: /tcpdump/master/tcpdump/print-isakmp.c,v 1.61 2008-02-05 19:34:25 guy Exp $ (LBL)";
34 #endif
35
36 #define NETDISSECT_REWORKED
37 #ifdef HAVE_CONFIG_H
38 #include "config.h"
39 #endif
40
41 #include <tcpdump-stdinc.h>
42
43 #include <string.h>
44
45 #include <stdio.h>
46
47 #include "isakmp.h"
48 #include "ipsec_doi.h"
49 #include "oakley.h"
50 #include "interface.h"
51 #include "addrtoname.h"
52 #include "extract.h" /* must come after interface.h */
53
54 #include "ip.h"
55 #ifdef INET6
56 #include "ip6.h"
57 #endif
58
59 #ifndef HAVE_SOCKADDR_STORAGE
60 #define sockaddr_storage sockaddr
61 #endif
62
63 #define DECLARE_PRINTER(func) static const u_char *ike##func##_print( \
64 netdissect_options *ndo, u_char tpay, \
65 const struct isakmp_gen *ext, \
66 u_int item_len, \
67 const u_char *end_pointer, \
68 u_int32_t phase,\
69 u_int32_t doi0, \
70 u_int32_t proto0, int depth)
71
72 DECLARE_PRINTER(v1_sa);
73 DECLARE_PRINTER(v1_p);
74 DECLARE_PRINTER(v1_t);
75 DECLARE_PRINTER(v1_ke);
76 DECLARE_PRINTER(v1_id);
77 DECLARE_PRINTER(v1_cert);
78 DECLARE_PRINTER(v1_cr);
79 DECLARE_PRINTER(v1_sig);
80 DECLARE_PRINTER(v1_hash);
81 DECLARE_PRINTER(v1_nonce);
82 DECLARE_PRINTER(v1_n);
83 DECLARE_PRINTER(v1_d);
84 DECLARE_PRINTER(v1_vid);
85
86 DECLARE_PRINTER(v2_sa);
87 DECLARE_PRINTER(v2_ke);
88 DECLARE_PRINTER(v2_ID);
89 DECLARE_PRINTER(v2_cert);
90 DECLARE_PRINTER(v2_cr);
91 DECLARE_PRINTER(v2_auth);
92 DECLARE_PRINTER(v2_nonce);
93 DECLARE_PRINTER(v2_n);
94 DECLARE_PRINTER(v2_d);
95 DECLARE_PRINTER(v2_vid);
96 DECLARE_PRINTER(v2_TS);
97 DECLARE_PRINTER(v2_cp);
98 DECLARE_PRINTER(v2_eap);
99
100 static const u_char *ikev2_e_print(netdissect_options *ndo,
101 struct isakmp *base,
102 u_char tpay,
103 const struct isakmp_gen *ext,
104 u_int item_len,
105 const u_char *end_pointer,
106 u_int32_t phase,
107 u_int32_t doi0,
108 u_int32_t proto0, int depth);
109
110
111 static const u_char *ike_sub0_print(netdissect_options *ndo,u_char, const struct isakmp_gen *,
112 const u_char *, u_int32_t, u_int32_t, u_int32_t, int);
113 static const u_char *ikev1_sub_print(netdissect_options *ndo,u_char, const struct isakmp_gen *,
114 const u_char *, u_int32_t, u_int32_t, u_int32_t, int);
115
116 static const u_char *ikev2_sub_print(netdissect_options *ndo,
117 struct isakmp *base,
118 u_char np, const struct isakmp_gen *ext,
119 const u_char *ep, u_int32_t phase,
120 u_int32_t doi, u_int32_t proto,
121 int depth);
122
123
124 static char *numstr(int);
125 static void safememcpy(void *, const void *, size_t);
126
127 static void
128 ikev1_print(netdissect_options *ndo,
129 const u_char *bp, u_int length,
130 const u_char *bp2, struct isakmp *base);
131
132 #define MAXINITIATORS 20
133 int ninitiator = 0;
134 struct {
135 cookie_t initiator;
136 struct sockaddr_storage iaddr;
137 struct sockaddr_storage raddr;
138 } cookiecache[MAXINITIATORS];
139
140 /* protocol id */
141 static const char *protoidstr[] = {
142 NULL, "isakmp", "ipsec-ah", "ipsec-esp", "ipcomp",
143 };
144
145 /* isakmp->np */
146 static const char *npstr[] = {
147 "none", "sa", "p", "t", "ke", "id", "cert", "cr", "hash", /* 0 - 8 */
148 "sig", "nonce", "n", "d", "vid", /* 9 - 13 */
149 "pay14", "pay15", "pay16", "pay17", "pay18", /* 14- 18 */
150 "pay19", "pay20", "pay21", "pay22", "pay23", /* 19- 23 */
151 "pay24", "pay25", "pay26", "pay27", "pay28", /* 24- 28 */
152 "pay29", "pay30", "pay31", "pay32", /* 29- 32 */
153 "v2sa", "v2ke", "v2IDi", "v2IDr", "v2cert",/* 33- 37 */
154 "v2cr", "v2auth","v2nonce", "v2n", "v2d", /* 38- 42 */
155 "v2vid", "v2TSi", "v2TSr", "v2e", "v2cp", /* 43- 47 */
156 "v2eap", /* 48 */
157
158 };
159
160 /* isakmp->np */
161 static const u_char *(*npfunc[])(netdissect_options *ndo, u_char tpay,
162 const struct isakmp_gen *ext,
163 u_int item_len,
164 const u_char *end_pointer,
165 u_int32_t phase,
166 u_int32_t doi0,
167 u_int32_t proto0, int depth) = {
168 NULL,
169 ikev1_sa_print,
170 ikev1_p_print,
171 ikev1_t_print,
172 ikev1_ke_print,
173 ikev1_id_print,
174 ikev1_cert_print,
175 ikev1_cr_print,
176 ikev1_hash_print,
177 ikev1_sig_print,
178 ikev1_nonce_print,
179 ikev1_n_print,
180 ikev1_d_print,
181 ikev1_vid_print, /* 13 */
182 NULL, NULL, NULL, NULL, NULL, /* 14- 18 */
183 NULL, NULL, NULL, NULL, NULL, /* 19- 23 */
184 NULL, NULL, NULL, NULL, NULL, /* 24- 28 */
185 NULL, NULL, NULL, NULL, /* 29- 32 */
186 ikev2_sa_print, /* 33 */
187 ikev2_ke_print, /* 34 */
188 ikev2_ID_print, /* 35 */
189 ikev2_ID_print, /* 36 */
190 ikev2_cert_print, /* 37 */
191 ikev2_cr_print, /* 38 */
192 ikev2_auth_print, /* 39 */
193 ikev2_nonce_print, /* 40 */
194 ikev2_n_print, /* 41 */
195 ikev2_d_print, /* 42 */
196 ikev2_vid_print, /* 43 */
197 ikev2_TS_print, /* 44 */
198 ikev2_TS_print, /* 45 */
199 NULL, /* ikev2_e_print,*/ /* 46 - special */
200 ikev2_cp_print, /* 47 */
201 ikev2_eap_print, /* 48 */
202 };
203
204 /* isakmp->etype */
205 static const char *etypestr[] = {
206 /* IKEv1 exchange types */
207 "none", "base", "ident", "auth", "agg", "inf", NULL, NULL, /* 0-7 */
208 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 8-15 */
209 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 16-23 */
210 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 24-31 */
211 "oakley-quick", "oakley-newgroup", /* 32-33 */
212 /* IKEv2 exchange types */
213 "ikev2_init", "ikev2_auth", "child_sa", "inf2" /* 34-37 */
214 };
215
216 #define STR_OR_ID(x, tab) \
217 (((x) < sizeof(tab)/sizeof(tab[0]) && tab[(x)]) ? tab[(x)] : numstr(x))
218 #define PROTOIDSTR(x) STR_OR_ID(x, protoidstr)
219 #define NPSTR(x) STR_OR_ID(x, npstr)
220 #define ETYPESTR(x) STR_OR_ID(x, etypestr)
221
222 #define CHECKLEN(p, np) \
223 if (ep < (u_char *)(p)) { \
224 ND_PRINT((ndo," [|%s]", NPSTR(np))); \
225 goto done; \
226 }
227
228
229 #define NPFUNC(x) \
230 (((x) < sizeof(npfunc)/sizeof(npfunc[0]) && npfunc[(x)]) \
231 ? npfunc[(x)] : NULL)
232
233 static int
234 iszero(u_char *p, size_t l)
235 {
236 while (l--) {
237 if (*p++)
238 return 0;
239 }
240 return 1;
241 }
242
243 /* find cookie from initiator cache */
244 static int
245 cookie_find(cookie_t *in)
246 {
247 int i;
248
249 for (i = 0; i < MAXINITIATORS; i++) {
250 if (memcmp(in, &cookiecache[i].initiator, sizeof(*in)) == 0)
251 return i;
252 }
253
254 return -1;
255 }
256
257 /* record initiator */
258 static void
259 cookie_record(cookie_t *in, const u_char *bp2)
260 {
261 int i;
262 struct ip *ip;
263 struct sockaddr_in *sin;
264 #ifdef INET6
265 struct ip6_hdr *ip6;
266 struct sockaddr_in6 *sin6;
267 #endif
268
269 i = cookie_find(in);
270 if (0 <= i) {
271 ninitiator = (i + 1) % MAXINITIATORS;
272 return;
273 }
274
275 ip = (struct ip *)bp2;
276 switch (IP_V(ip)) {
277 case 4:
278 memset(&cookiecache[ninitiator].iaddr, 0,
279 sizeof(cookiecache[ninitiator].iaddr));
280 memset(&cookiecache[ninitiator].raddr, 0,
281 sizeof(cookiecache[ninitiator].raddr));
282
283 sin = (struct sockaddr_in *)&cookiecache[ninitiator].iaddr;
284 #ifdef HAVE_SOCKADDR_SA_LEN
285 sin->sin_len = sizeof(struct sockaddr_in);
286 #endif
287 sin->sin_family = AF_INET;
288 memcpy(&sin->sin_addr, &ip->ip_src, sizeof(ip->ip_src));
289 sin = (struct sockaddr_in *)&cookiecache[ninitiator].raddr;
290 #ifdef HAVE_SOCKADDR_SA_LEN
291 sin->sin_len = sizeof(struct sockaddr_in);
292 #endif
293 sin->sin_family = AF_INET;
294 memcpy(&sin->sin_addr, &ip->ip_dst, sizeof(ip->ip_dst));
295 break;
296 #ifdef INET6
297 case 6:
298 memset(&cookiecache[ninitiator].iaddr, 0,
299 sizeof(cookiecache[ninitiator].iaddr));
300 memset(&cookiecache[ninitiator].raddr, 0,
301 sizeof(cookiecache[ninitiator].raddr));
302
303 ip6 = (struct ip6_hdr *)bp2;
304 sin6 = (struct sockaddr_in6 *)&cookiecache[ninitiator].iaddr;
305 #ifdef HAVE_SOCKADDR_SA_LEN
306 sin6->sin6_len = sizeof(struct sockaddr_in6);
307 #endif
308 sin6->sin6_family = AF_INET6;
309 memcpy(&sin6->sin6_addr, &ip6->ip6_src, sizeof(ip6->ip6_src));
310 sin6 = (struct sockaddr_in6 *)&cookiecache[ninitiator].raddr;
311 #ifdef HAVE_SOCKADDR_SA_LEN
312 sin6->sin6_len = sizeof(struct sockaddr_in6);
313 #endif
314 sin6->sin6_family = AF_INET6;
315 memcpy(&sin6->sin6_addr, &ip6->ip6_dst, sizeof(ip6->ip6_dst));
316 break;
317 #endif
318 default:
319 return;
320 }
321 memcpy(&cookiecache[ninitiator].initiator, in, sizeof(*in));
322 ninitiator = (ninitiator + 1) % MAXINITIATORS;
323 }
324
325 #define cookie_isinitiator(x, y) cookie_sidecheck((x), (y), 1)
326 #define cookie_isresponder(x, y) cookie_sidecheck((x), (y), 0)
327 static int
328 cookie_sidecheck(int i, const u_char *bp2, int initiator)
329 {
330 struct sockaddr_storage ss;
331 struct sockaddr *sa;
332 struct ip *ip;
333 struct sockaddr_in *sin;
334 #ifdef INET6
335 struct ip6_hdr *ip6;
336 struct sockaddr_in6 *sin6;
337 #endif
338 int salen;
339
340 memset(&ss, 0, sizeof(ss));
341 ip = (struct ip *)bp2;
342 switch (IP_V(ip)) {
343 case 4:
344 sin = (struct sockaddr_in *)&ss;
345 #ifdef HAVE_SOCKADDR_SA_LEN
346 sin->sin_len = sizeof(struct sockaddr_in);
347 #endif
348 sin->sin_family = AF_INET;
349 memcpy(&sin->sin_addr, &ip->ip_src, sizeof(ip->ip_src));
350 break;
351 #ifdef INET6
352 case 6:
353 ip6 = (struct ip6_hdr *)bp2;
354 sin6 = (struct sockaddr_in6 *)&ss;
355 #ifdef HAVE_SOCKADDR_SA_LEN
356 sin6->sin6_len = sizeof(struct sockaddr_in6);
357 #endif
358 sin6->sin6_family = AF_INET6;
359 memcpy(&sin6->sin6_addr, &ip6->ip6_src, sizeof(ip6->ip6_src));
360 break;
361 #endif
362 default:
363 return 0;
364 }
365
366 sa = (struct sockaddr *)&ss;
367 if (initiator) {
368 if (sa->sa_family != ((struct sockaddr *)&cookiecache[i].iaddr)->sa_family)
369 return 0;
370 #ifdef HAVE_SOCKADDR_SA_LEN
371 salen = sa->sa_len;
372 #else
373 #ifdef INET6
374 if (sa->sa_family == AF_INET6)
375 salen = sizeof(struct sockaddr_in6);
376 else
377 salen = sizeof(struct sockaddr);
378 #else
379 salen = sizeof(struct sockaddr);
380 #endif
381 #endif
382 if (memcmp(&ss, &cookiecache[i].iaddr, salen) == 0)
383 return 1;
384 } else {
385 if (sa->sa_family != ((struct sockaddr *)&cookiecache[i].raddr)->sa_family)
386 return 0;
387 #ifdef HAVE_SOCKADDR_SA_LEN
388 salen = sa->sa_len;
389 #else
390 #ifdef INET6
391 if (sa->sa_family == AF_INET6)
392 salen = sizeof(struct sockaddr_in6);
393 else
394 salen = sizeof(struct sockaddr);
395 #else
396 salen = sizeof(struct sockaddr);
397 #endif
398 #endif
399 if (memcmp(&ss, &cookiecache[i].raddr, salen) == 0)
400 return 1;
401 }
402 return 0;
403 }
404
405 static void
406 hexprint(netdissect_options *ndo, caddr_t loc, size_t len)
407 {
408 u_char *p;
409 size_t i;
410
411 p = (u_char *)loc;
412 for (i = 0; i < len; i++)
413 ND_PRINT((ndo,"%02x", p[i] & 0xff));
414 }
415
416 static int
417 rawprint(netdissect_options *ndo, caddr_t loc, size_t len)
418 {
419 ND_TCHECK2(*loc, len);
420
421 hexprint(ndo, loc, len);
422 return 1;
423 trunc:
424 return 0;
425 }
426
427
428 /*
429 * returns false if we run out of data buffer
430 */
431 static int ike_show_somedata(struct netdissect_options *ndo,
432 const u_char *cp, const u_char *ep)
433 {
434 /* there is too much data, just show some of it */
435 const u_char *end = ep - 20;
436 int elen = 20;
437 int len = ep - cp;
438 if(len > 10) {
439 len = 10;
440 }
441
442 /* really shouldn't happen because of above */
443 if(end < cp + len) {
444 end = cp+len;
445 elen = ep - end;
446 }
447
448 ND_PRINT((ndo," data=("));
449 if(!rawprint(ndo, (caddr_t)(cp), len)) goto trunc;
450 ND_PRINT((ndo, "..."));
451 if(elen) {
452 if(!rawprint(ndo, (caddr_t)(end), elen)) goto trunc;
453 }
454 ND_PRINT((ndo,")"));
455 return 1;
456
457 trunc:
458 return 0;
459 }
460
461 struct attrmap {
462 const char *type;
463 u_int nvalue;
464 const char *value[30]; /*XXX*/
465 };
466
467 static const u_char *
468 ikev1_attrmap_print(netdissect_options *ndo,
469 const u_char *p, const u_char *ep,
470 const struct attrmap *map, size_t nmap)
471 {
472 u_int16_t *q;
473 int totlen;
474 u_int32_t t, v;
475
476 q = (u_int16_t *)p;
477 if (p[0] & 0x80)
478 totlen = 4;
479 else
480 totlen = 4 + EXTRACT_16BITS(&q[1]);
481 if (ep < p + totlen) {
482 ND_PRINT((ndo,"[|attr]"));
483 return ep + 1;
484 }
485
486 ND_PRINT((ndo,"("));
487 t = EXTRACT_16BITS(&q[0]) & 0x7fff;
488 if (map && t < nmap && map[t].type)
489 ND_PRINT((ndo,"type=%s ", map[t].type));
490 else
491 ND_PRINT((ndo,"type=#%d ", t));
492 if (p[0] & 0x80) {
493 ND_PRINT((ndo,"value="));
494 v = EXTRACT_16BITS(&q[1]);
495 if (map && t < nmap && v < map[t].nvalue && map[t].value[v])
496 ND_PRINT((ndo,"%s", map[t].value[v]));
497 else
498 rawprint(ndo, (caddr_t)&q[1], 2);
499 } else {
500 ND_PRINT((ndo,"len=%d value=", EXTRACT_16BITS(&q[1])));
501 rawprint(ndo, (caddr_t)&p[4], EXTRACT_16BITS(&q[1]));
502 }
503 ND_PRINT((ndo,")"));
504 return p + totlen;
505 }
506
507 static const u_char *
508 ikev1_attr_print(netdissect_options *ndo, const u_char *p, const u_char *ep)
509 {
510 u_int16_t *q;
511 int totlen;
512 u_int32_t t;
513
514 q = (u_int16_t *)p;
515 if (p[0] & 0x80)
516 totlen = 4;
517 else
518 totlen = 4 + EXTRACT_16BITS(&q[1]);
519 if (ep < p + totlen) {
520 ND_PRINT((ndo,"[|attr]"));
521 return ep + 1;
522 }
523
524 ND_PRINT((ndo,"("));
525 t = EXTRACT_16BITS(&q[0]) & 0x7fff;
526 ND_PRINT((ndo,"type=#%d ", t));
527 if (p[0] & 0x80) {
528 ND_PRINT((ndo,"value="));
529 t = q[1];
530 rawprint(ndo, (caddr_t)&q[1], 2);
531 } else {
532 ND_PRINT((ndo,"len=%d value=", EXTRACT_16BITS(&q[1])));
533 rawprint(ndo, (caddr_t)&p[2], EXTRACT_16BITS(&q[1]));
534 }
535 ND_PRINT((ndo,")"));
536 return p + totlen;
537 }
538
539 static const u_char *
540 ikev1_sa_print(netdissect_options *ndo, u_char tpay _U_,
541 const struct isakmp_gen *ext,
542 u_int item_len _U_,
543 const u_char *ep, u_int32_t phase, u_int32_t doi0 _U_,
544 u_int32_t proto0, int depth)
545 {
546 const struct ikev1_pl_sa *p;
547 struct ikev1_pl_sa sa;
548 const u_int32_t *q;
549 u_int32_t doi, sit, ident;
550 const u_char *cp, *np;
551 int t;
552
553 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_SA)));
554
555 p = (struct ikev1_pl_sa *)ext;
556 ND_TCHECK(*p);
557 safememcpy(&sa, ext, sizeof(sa));
558 doi = ntohl(sa.doi);
559 sit = ntohl(sa.sit);
560 if (doi != 1) {
561 ND_PRINT((ndo," doi=%d", doi));
562 ND_PRINT((ndo," situation=%u", (u_int32_t)ntohl(sa.sit)));
563 return (u_char *)(p + 1);
564 }
565
566 ND_PRINT((ndo," doi=ipsec"));
567 q = (u_int32_t *)&sa.sit;
568 ND_PRINT((ndo," situation="));
569 t = 0;
570 if (sit & 0x01) {
571 ND_PRINT((ndo,"identity"));
572 t++;
573 }
574 if (sit & 0x02) {
575 ND_PRINT((ndo,"%ssecrecy", t ? "+" : ""));
576 t++;
577 }
578 if (sit & 0x04)
579 ND_PRINT((ndo,"%sintegrity", t ? "+" : ""));
580
581 np = (u_char *)ext + sizeof(sa);
582 if (sit != 0x01) {
583 ND_TCHECK2(*(ext + 1), sizeof(ident));
584 safememcpy(&ident, ext + 1, sizeof(ident));
585 ND_PRINT((ndo," ident=%u", (u_int32_t)ntohl(ident)));
586 np += sizeof(ident);
587 }
588
589 ext = (struct isakmp_gen *)np;
590 ND_TCHECK(*ext);
591
592 cp = ikev1_sub_print(ndo, ISAKMP_NPTYPE_P, ext, ep, phase, doi, proto0,
593 depth);
594
595 return cp;
596 trunc:
597 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_SA)));
598 return NULL;
599 }
600
601 static const u_char *
602 ikev1_p_print(netdissect_options *ndo, u_char tpay _U_,
603 const struct isakmp_gen *ext, u_int item_len _U_,
604 const u_char *ep, u_int32_t phase, u_int32_t doi0,
605 u_int32_t proto0 _U_, int depth)
606 {
607 const struct ikev1_pl_p *p;
608 struct ikev1_pl_p prop;
609 const u_char *cp;
610
611 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_P)));
612
613 p = (struct ikev1_pl_p *)ext;
614 ND_TCHECK(*p);
615 safememcpy(&prop, ext, sizeof(prop));
616 ND_PRINT((ndo," #%d protoid=%s transform=%d",
617 prop.p_no, PROTOIDSTR(prop.prot_id), prop.num_t));
618 if (prop.spi_size) {
619 ND_PRINT((ndo," spi="));
620 if (!rawprint(ndo, (caddr_t)(p + 1), prop.spi_size))
621 goto trunc;
622 }
623
624 ext = (struct isakmp_gen *)((u_char *)(p + 1) + prop.spi_size);
625 ND_TCHECK(*ext);
626
627 cp = ikev1_sub_print(ndo, ISAKMP_NPTYPE_T, ext, ep, phase, doi0,
628 prop.prot_id, depth);
629
630 return cp;
631 trunc:
632 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_P)));
633 return NULL;
634 }
635
636 static const char *ikev1_p_map[] = {
637 NULL, "ike",
638 };
639
640 static const char *ikev2_t_type_map[]={
641 NULL, "encr", "prf", "integ", "dh", "esn"
642 };
643
644 static const char *ah_p_map[] = {
645 NULL, "(reserved)", "md5", "sha", "1des",
646 "sha2-256", "sha2-384", "sha2-512",
647 };
648
649 static const char *prf_p_map[] = {
650 NULL, "hmac-md5", "hmac-sha", "hmac-tiger",
651 "aes128_xcbc"
652 };
653
654 static const char *integ_p_map[] = {
655 NULL, "hmac-md5", "hmac-sha", "dec-mac",
656 "kpdk-md5", "aes-xcbc"
657 };
658
659 static const char *esn_p_map[] = {
660 "no-esn", "esn"
661 };
662
663 static const char *dh_p_map[] = {
664 NULL, "modp768",
665 "modp1024", /* group 2 */
666 "EC2N 2^155", /* group 3 */
667 "EC2N 2^185", /* group 4 */
668 "modp1536", /* group 5 */
669 "iana-grp06", "iana-grp07", /* reserved */
670 "iana-grp08", "iana-grp09",
671 "iana-grp10", "iana-grp11",
672 "iana-grp12", "iana-grp13",
673 "modp2048", /* group 14 */
674 "modp3072", /* group 15 */
675 "modp4096", /* group 16 */
676 "modp6144", /* group 17 */
677 "modp8192", /* group 18 */
678 };
679
680 static const char *esp_p_map[] = {
681 NULL, "1des-iv64", "1des", "3des", "rc5", "idea", "cast",
682 "blowfish", "3idea", "1des-iv32", "rc4", "null", "aes"
683 };
684
685 static const char *ipcomp_p_map[] = {
686 NULL, "oui", "deflate", "lzs",
687 };
688
689 const struct attrmap ipsec_t_map[] = {
690 { NULL, 0, { NULL } },
691 { "lifetype", 3, { NULL, "sec", "kb", }, },
692 { "life", 0, { NULL } },
693 { "group desc", 18, { NULL, "modp768",
694 "modp1024", /* group 2 */
695 "EC2N 2^155", /* group 3 */
696 "EC2N 2^185", /* group 4 */
697 "modp1536", /* group 5 */
698 "iana-grp06", "iana-grp07", /* reserved */
699 "iana-grp08", "iana-grp09",
700 "iana-grp10", "iana-grp11",
701 "iana-grp12", "iana-grp13",
702 "modp2048", /* group 14 */
703 "modp3072", /* group 15 */
704 "modp4096", /* group 16 */
705 "modp6144", /* group 17 */
706 "modp8192", /* group 18 */
707 }, },
708 { "enc mode", 3, { NULL, "tunnel", "transport", }, },
709 { "auth", 5, { NULL, "hmac-md5", "hmac-sha1", "1des-mac", "keyed", }, },
710 { "keylen", 0, { NULL } },
711 { "rounds", 0, { NULL } },
712 { "dictsize", 0, { NULL } },
713 { "privalg", 0, { NULL } },
714 };
715
716 const struct attrmap encr_t_map[] = {
717 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 0, 1 */
718 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 2, 3 */
719 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 4, 5 */
720 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 6, 7 */
721 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 8, 9 */
722 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 10,11*/
723 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 12,13*/
724 { "keylen", 14, { NULL }},
725 };
726
727 const struct attrmap oakley_t_map[] = {
728 { NULL, 0, { NULL } },
729 { "enc", 8, { NULL, "1des", "idea", "blowfish", "rc5",
730 "3des", "cast", "aes", }, },
731 { "hash", 7, { NULL, "md5", "sha1", "tiger",
732 "sha2-256", "sha2-384", "sha2-512", }, },
733 { "auth", 6, { NULL, "preshared", "dss", "rsa sig", "rsa enc",
734 "rsa enc revised", }, },
735 { "group desc", 18, { NULL, "modp768",
736 "modp1024", /* group 2 */
737 "EC2N 2^155", /* group 3 */
738 "EC2N 2^185", /* group 4 */
739 "modp1536", /* group 5 */
740 "iana-grp06", "iana-grp07", /* reserved */
741 "iana-grp08", "iana-grp09",
742 "iana-grp10", "iana-grp11",
743 "iana-grp12", "iana-grp13",
744 "modp2048", /* group 14 */
745 "modp3072", /* group 15 */
746 "modp4096", /* group 16 */
747 "modp6144", /* group 17 */
748 "modp8192", /* group 18 */
749 }, },
750 { "group type", 4, { NULL, "MODP", "ECP", "EC2N", }, },
751 { "group prime", 0, { NULL } },
752 { "group gen1", 0, { NULL } },
753 { "group gen2", 0, { NULL } },
754 { "group curve A", 0, { NULL } },
755 { "group curve B", 0, { NULL } },
756 { "lifetype", 3, { NULL, "sec", "kb", }, },
757 { "lifeduration", 0, { NULL } },
758 { "prf", 0, { NULL } },
759 { "keylen", 0, { NULL } },
760 { "field", 0, { NULL } },
761 { "order", 0, { NULL } },
762 };
763
764 static const u_char *
765 ikev1_t_print(netdissect_options *ndo, u_char tpay _U_,
766 const struct isakmp_gen *ext, u_int item_len,
767 const u_char *ep, u_int32_t phase _U_, u_int32_t doi _U_,
768 u_int32_t proto, int depth _U_)
769 {
770 const struct ikev1_pl_t *p;
771 struct ikev1_pl_t t;
772 const u_char *cp;
773 const char *idstr;
774 const struct attrmap *map;
775 size_t nmap;
776 const u_char *ep2;
777
778 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_T)));
779
780 p = (struct ikev1_pl_t *)ext;
781 ND_TCHECK(*p);
782 safememcpy(&t, ext, sizeof(t));
783
784 switch (proto) {
785 case 1:
786 idstr = STR_OR_ID(t.t_id, ikev1_p_map);
787 map = oakley_t_map;
788 nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]);
789 break;
790 case 2:
791 idstr = STR_OR_ID(t.t_id, ah_p_map);
792 map = ipsec_t_map;
793 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
794 break;
795 case 3:
796 idstr = STR_OR_ID(t.t_id, esp_p_map);
797 map = ipsec_t_map;
798 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
799 break;
800 case 4:
801 idstr = STR_OR_ID(t.t_id, ipcomp_p_map);
802 map = ipsec_t_map;
803 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
804 break;
805 default:
806 idstr = NULL;
807 map = NULL;
808 nmap = 0;
809 break;
810 }
811
812 if (idstr)
813 ND_PRINT((ndo," #%d id=%s ", t.t_no, idstr));
814 else
815 ND_PRINT((ndo," #%d id=%d ", t.t_no, t.t_id));
816 cp = (u_char *)(p + 1);
817 ep2 = (u_char *)p + item_len;
818 while (cp < ep && cp < ep2) {
819 if (map && nmap) {
820 cp = ikev1_attrmap_print(ndo, cp, (ep < ep2) ? ep : ep2,
821 map, nmap);
822 } else
823 cp = ikev1_attr_print(ndo, cp, (ep < ep2) ? ep : ep2);
824 }
825 if (ep < ep2)
826 ND_PRINT((ndo,"..."));
827 return cp;
828 trunc:
829 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_T)));
830 return NULL;
831 }
832
833 static const u_char *
834 ikev1_ke_print(netdissect_options *ndo, u_char tpay _U_,
835 const struct isakmp_gen *ext, u_int item_len _U_,
836 const u_char *ep _U_, u_int32_t phase _U_, u_int32_t doi _U_,
837 u_int32_t proto _U_, int depth _U_)
838 {
839 struct isakmp_gen e;
840
841 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_KE)));
842
843 ND_TCHECK(*ext);
844 safememcpy(&e, ext, sizeof(e));
845 ND_PRINT((ndo," key len=%d", ntohs(e.len) - 4));
846 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
847 ND_PRINT((ndo," "));
848 if (!rawprint(ndo, (caddr_t)(ext + 1), ntohs(e.len) - 4))
849 goto trunc;
850 }
851 return (u_char *)ext + ntohs(e.len);
852 trunc:
853 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_KE)));
854 return NULL;
855 }
856
857 static const u_char *
858 ikev1_id_print(netdissect_options *ndo, u_char tpay _U_,
859 const struct isakmp_gen *ext, u_int item_len _U_,
860 const u_char *ep _U_, u_int32_t phase, u_int32_t doi _U_,
861 u_int32_t proto _U_, int depth _U_)
862 {
863 #define USE_IPSECDOI_IN_PHASE1 1
864 const struct ikev1_pl_id *p;
865 struct ikev1_pl_id id;
866 static const char *idtypestr[] = {
867 "IPv4", "IPv4net", "IPv6", "IPv6net",
868 };
869 static const char *ipsecidtypestr[] = {
870 NULL, "IPv4", "FQDN", "user FQDN", "IPv4net", "IPv6",
871 "IPv6net", "IPv4range", "IPv6range", "ASN1 DN", "ASN1 GN",
872 "keyid",
873 };
874 int len;
875 const u_char *data;
876
877 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_ID)));
878
879 p = (struct ikev1_pl_id *)ext;
880 ND_TCHECK(*p);
881 safememcpy(&id, ext, sizeof(id));
882 if (sizeof(*p) < item_len) {
883 data = (u_char *)(p + 1);
884 len = item_len - sizeof(*p);
885 } else {
886 data = NULL;
887 len = 0;
888 }
889
890 #if 0 /*debug*/
891 ND_PRINT((ndo," [phase=%d doi=%d proto=%d]", phase, doi, proto));
892 #endif
893 switch (phase) {
894 #ifndef USE_IPSECDOI_IN_PHASE1
895 case 1:
896 #endif
897 default:
898 ND_PRINT((ndo," idtype=%s", STR_OR_ID(id.d.id_type, idtypestr)));
899 ND_PRINT((ndo," doi_data=%u",
900 (u_int32_t)(ntohl(id.d.doi_data) & 0xffffff)));
901 break;
902
903 #ifdef USE_IPSECDOI_IN_PHASE1
904 case 1:
905 #endif
906 case 2:
907 {
908 const struct ipsecdoi_id *p;
909 struct ipsecdoi_id id;
910 struct protoent *pe;
911
912 p = (struct ipsecdoi_id *)ext;
913 ND_TCHECK(*p);
914 safememcpy(&id, ext, sizeof(id));
915 ND_PRINT((ndo," idtype=%s", STR_OR_ID(id.type, ipsecidtypestr)));
916 if (id.proto_id) {
917 #ifndef WIN32
918 setprotoent(1);
919 #endif /* WIN32 */
920 pe = getprotobynumber(id.proto_id);
921 if (pe)
922 ND_PRINT((ndo," protoid=%s", pe->p_name));
923 #ifndef WIN32
924 endprotoent();
925 #endif /* WIN32 */
926 } else {
927 /* it DOES NOT mean IPPROTO_IP! */
928 ND_PRINT((ndo," protoid=%s", "0"));
929 }
930 ND_PRINT((ndo," port=%d", ntohs(id.port)));
931 if (!len)
932 break;
933 if (data == NULL)
934 goto trunc;
935 ND_TCHECK2(*data, len);
936 switch (id.type) {
937 case IPSECDOI_ID_IPV4_ADDR:
938 if (len < 4)
939 ND_PRINT((ndo," len=%d [bad: < 4]", len));
940 else
941 ND_PRINT((ndo," len=%d %s", len, ipaddr_string(data)));
942 len = 0;
943 break;
944 case IPSECDOI_ID_FQDN:
945 case IPSECDOI_ID_USER_FQDN:
946 {
947 int i;
948 ND_PRINT((ndo," len=%d ", len));
949 for (i = 0; i < len; i++)
950 safeputchar(data[i]);
951 len = 0;
952 break;
953 }
954 case IPSECDOI_ID_IPV4_ADDR_SUBNET:
955 {
956 const u_char *mask;
957 if (len < 8)
958 ND_PRINT((ndo," len=%d [bad: < 8]", len));
959 else {
960 mask = data + sizeof(struct in_addr);
961 ND_PRINT((ndo," len=%d %s/%u.%u.%u.%u", len,
962 ipaddr_string(data),
963 mask[0], mask[1], mask[2], mask[3]));
964 }
965 len = 0;
966 break;
967 }
968 #ifdef INET6
969 case IPSECDOI_ID_IPV6_ADDR:
970 if (len < 16)
971 ND_PRINT((ndo," len=%d [bad: < 16]", len));
972 else
973 ND_PRINT((ndo," len=%d %s", len, ip6addr_string(data)));
974 len = 0;
975 break;
976 case IPSECDOI_ID_IPV6_ADDR_SUBNET:
977 {
978 const u_int32_t *mask;
979 if (len < 20)
980 ND_PRINT((ndo," len=%d [bad: < 20]", len));
981 else {
982 mask = (u_int32_t *)(data + sizeof(struct in6_addr));
983 /*XXX*/
984 ND_PRINT((ndo," len=%d %s/0x%08x%08x%08x%08x", len,
985 ip6addr_string(data),
986 mask[0], mask[1], mask[2], mask[3]));
987 }
988 len = 0;
989 break;
990 }
991 #endif /*INET6*/
992 case IPSECDOI_ID_IPV4_ADDR_RANGE:
993 if (len < 8)
994 ND_PRINT((ndo," len=%d [bad: < 8]", len));
995 else {
996 ND_PRINT((ndo," len=%d %s-%s", len,
997 ipaddr_string(data),
998 ipaddr_string(data + sizeof(struct in_addr))));
999 }
1000 len = 0;
1001 break;
1002 #ifdef INET6
1003 case IPSECDOI_ID_IPV6_ADDR_RANGE:
1004 if (len < 32)
1005 ND_PRINT((ndo," len=%d [bad: < 32]", len));
1006 else {
1007 ND_PRINT((ndo," len=%d %s-%s", len,
1008 ip6addr_string(data),
1009 ip6addr_string(data + sizeof(struct in6_addr))));
1010 }
1011 len = 0;
1012 break;
1013 #endif /*INET6*/
1014 case IPSECDOI_ID_DER_ASN1_DN:
1015 case IPSECDOI_ID_DER_ASN1_GN:
1016 case IPSECDOI_ID_KEY_ID:
1017 break;
1018 }
1019 break;
1020 }
1021 }
1022 if (data && len) {
1023 ND_PRINT((ndo," len=%d", len));
1024 if (2 < ndo->ndo_vflag) {
1025 ND_PRINT((ndo," "));
1026 if (!rawprint(ndo, (caddr_t)data, len))
1027 goto trunc;
1028 }
1029 }
1030 return (u_char *)ext + item_len;
1031 trunc:
1032 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_ID)));
1033 return NULL;
1034 }
1035
1036 static const u_char *
1037 ikev1_cert_print(netdissect_options *ndo, u_char tpay _U_,
1038 const struct isakmp_gen *ext, u_int item_len _U_,
1039 const u_char *ep _U_, u_int32_t phase _U_,
1040 u_int32_t doi0 _U_,
1041 u_int32_t proto0 _U_, int depth _U_)
1042 {
1043 const struct ikev1_pl_cert *p;
1044 struct ikev1_pl_cert cert;
1045 static const char *certstr[] = {
1046 "none", "pkcs7", "pgp", "dns",
1047 "x509sign", "x509ke", "kerberos", "crl",
1048 "arl", "spki", "x509attr",
1049 };
1050
1051 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_CERT)));
1052
1053 p = (struct ikev1_pl_cert *)ext;
1054 ND_TCHECK(*p);
1055 safememcpy(&cert, ext, sizeof(cert));
1056 ND_PRINT((ndo," len=%d", item_len - 4));
1057 ND_PRINT((ndo," type=%s", STR_OR_ID((cert.encode), certstr)));
1058 if (2 < ndo->ndo_vflag && 4 < item_len) {
1059 ND_PRINT((ndo," "));
1060 if (!rawprint(ndo, (caddr_t)(ext + 1), item_len - 4))
1061 goto trunc;
1062 }
1063 return (u_char *)ext + item_len;
1064 trunc:
1065 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_CERT)));
1066 return NULL;
1067 }
1068
1069 static const u_char *
1070 ikev1_cr_print(netdissect_options *ndo, u_char tpay _U_,
1071 const struct isakmp_gen *ext, u_int item_len _U_,
1072 const u_char *ep _U_, u_int32_t phase _U_, u_int32_t doi0 _U_,
1073 u_int32_t proto0 _U_, int depth _U_)
1074 {
1075 const struct ikev1_pl_cert *p;
1076 struct ikev1_pl_cert cert;
1077 static const char *certstr[] = {
1078 "none", "pkcs7", "pgp", "dns",
1079 "x509sign", "x509ke", "kerberos", "crl",
1080 "arl", "spki", "x509attr",
1081 };
1082
1083 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_CR)));
1084
1085 p = (struct ikev1_pl_cert *)ext;
1086 ND_TCHECK(*p);
1087 safememcpy(&cert, ext, sizeof(cert));
1088 ND_PRINT((ndo," len=%d", item_len - 4));
1089 ND_PRINT((ndo," type=%s", STR_OR_ID((cert.encode), certstr)));
1090 if (2 < ndo->ndo_vflag && 4 < item_len) {
1091 ND_PRINT((ndo," "));
1092 if (!rawprint(ndo, (caddr_t)(ext + 1), item_len - 4))
1093 goto trunc;
1094 }
1095 return (u_char *)ext + item_len;
1096 trunc:
1097 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_CR)));
1098 return NULL;
1099 }
1100
1101 static const u_char *
1102 ikev1_hash_print(netdissect_options *ndo, u_char tpay _U_,
1103 const struct isakmp_gen *ext, u_int item_len _U_,
1104 const u_char *ep _U_, u_int32_t phase _U_, u_int32_t doi _U_,
1105 u_int32_t proto _U_, int depth _U_)
1106 {
1107 struct isakmp_gen e;
1108
1109 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_HASH)));
1110
1111 ND_TCHECK(*ext);
1112 safememcpy(&e, ext, sizeof(e));
1113 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
1114 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1115 ND_PRINT((ndo," "));
1116 if (!rawprint(ndo, (caddr_t)(ext + 1), ntohs(e.len) - 4))
1117 goto trunc;
1118 }
1119 return (u_char *)ext + ntohs(e.len);
1120 trunc:
1121 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_HASH)));
1122 return NULL;
1123 }
1124
1125 static const u_char *
1126 ikev1_sig_print(netdissect_options *ndo, u_char tpay _U_,
1127 const struct isakmp_gen *ext, u_int item_len _U_,
1128 const u_char *ep _U_, u_int32_t phase _U_, u_int32_t doi _U_,
1129 u_int32_t proto _U_, int depth _U_)
1130 {
1131 struct isakmp_gen e;
1132
1133 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_SIG)));
1134
1135 ND_TCHECK(*ext);
1136 safememcpy(&e, ext, sizeof(e));
1137 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
1138 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1139 ND_PRINT((ndo," "));
1140 if (!rawprint(ndo, (caddr_t)(ext + 1), ntohs(e.len) - 4))
1141 goto trunc;
1142 }
1143 return (u_char *)ext + ntohs(e.len);
1144 trunc:
1145 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_SIG)));
1146 return NULL;
1147 }
1148
1149 static const u_char *
1150 ikev1_nonce_print(netdissect_options *ndo, u_char tpay _U_,
1151 const struct isakmp_gen *ext,
1152 u_int item_len _U_,
1153 const u_char *ep _U_,
1154 u_int32_t phase _U_, u_int32_t doi _U_,
1155 u_int32_t proto _U_, int depth _U_)
1156 {
1157 struct isakmp_gen e;
1158
1159 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_NONCE)));
1160
1161 ND_TCHECK(*ext);
1162 safememcpy(&e, ext, sizeof(e));
1163 ND_PRINT((ndo," n len=%d", ntohs(e.len) - 4));
1164 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1165 ND_PRINT((ndo," "));
1166 if (!rawprint(ndo, (caddr_t)(ext + 1), ntohs(e.len) - 4))
1167 goto trunc;
1168 } else if (1 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1169 ND_PRINT((ndo," "));
1170 if (!ike_show_somedata(ndo, (u_char *)(caddr_t)(ext + 1), ep))
1171 goto trunc;
1172 }
1173 return (u_char *)ext + ntohs(e.len);
1174 trunc:
1175 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_NONCE)));
1176 return NULL;
1177 }
1178
1179 static const u_char *
1180 ikev1_n_print(netdissect_options *ndo, u_char tpay _U_,
1181 const struct isakmp_gen *ext, u_int item_len,
1182 const u_char *ep, u_int32_t phase, u_int32_t doi0 _U_,
1183 u_int32_t proto0 _U_, int depth)
1184 {
1185 struct ikev1_pl_n *p, n;
1186 const u_char *cp;
1187 u_char *ep2;
1188 u_int32_t doi;
1189 u_int32_t proto;
1190 static const char *notify_error_str[] = {
1191 NULL, "INVALID-PAYLOAD-TYPE",
1192 "DOI-NOT-SUPPORTED", "SITUATION-NOT-SUPPORTED",
1193 "INVALID-COOKIE", "INVALID-MAJOR-VERSION",
1194 "INVALID-MINOR-VERSION", "INVALID-EXCHANGE-TYPE",
1195 "INVALID-FLAGS", "INVALID-MESSAGE-ID",
1196 "INVALID-PROTOCOL-ID", "INVALID-SPI",
1197 "INVALID-TRANSFORM-ID", "ATTRIBUTES-NOT-SUPPORTED",
1198 "NO-PROPOSAL-CHOSEN", "BAD-PROPOSAL-SYNTAX",
1199 "PAYLOAD-MALFORMED", "INVALID-KEY-INFORMATION",
1200 "INVALID-ID-INFORMATION", "INVALID-CERT-ENCODING",
1201 "INVALID-CERTIFICATE", "CERT-TYPE-UNSUPPORTED",
1202 "INVALID-CERT-AUTHORITY", "INVALID-HASH-INFORMATION",
1203 "AUTHENTICATION-FAILED", "INVALID-SIGNATURE",
1204 "ADDRESS-NOTIFICATION", "NOTIFY-SA-LIFETIME",
1205 "CERTIFICATE-UNAVAILABLE", "UNSUPPORTED-EXCHANGE-TYPE",
1206 "UNEQUAL-PAYLOAD-LENGTHS",
1207 };
1208 static const char *ipsec_notify_error_str[] = {
1209 "RESERVED",
1210 };
1211 static const char *notify_status_str[] = {
1212 "CONNECTED",
1213 };
1214 static const char *ipsec_notify_status_str[] = {
1215 "RESPONDER-LIFETIME", "REPLAY-STATUS",
1216 "INITIAL-CONTACT",
1217 };
1218 /* NOTE: these macro must be called with x in proper range */
1219
1220 /* 0 - 8191 */
1221 #define NOTIFY_ERROR_STR(x) \
1222 STR_OR_ID((x), notify_error_str)
1223
1224 /* 8192 - 16383 */
1225 #define IPSEC_NOTIFY_ERROR_STR(x) \
1226 STR_OR_ID((u_int)((x) - 8192), ipsec_notify_error_str)
1227
1228 /* 16384 - 24575 */
1229 #define NOTIFY_STATUS_STR(x) \
1230 STR_OR_ID((u_int)((x) - 16384), notify_status_str)
1231
1232 /* 24576 - 32767 */
1233 #define IPSEC_NOTIFY_STATUS_STR(x) \
1234 STR_OR_ID((u_int)((x) - 24576), ipsec_notify_status_str)
1235
1236 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_N)));
1237
1238 p = (struct ikev1_pl_n *)ext;
1239 ND_TCHECK(*p);
1240 safememcpy(&n, ext, sizeof(n));
1241 doi = ntohl(n.doi);
1242 proto = n.prot_id;
1243 if (doi != 1) {
1244 ND_PRINT((ndo," doi=%d", doi));
1245 ND_PRINT((ndo," proto=%d", proto));
1246 if (ntohs(n.type) < 8192)
1247 ND_PRINT((ndo," type=%s", NOTIFY_ERROR_STR(ntohs(n.type))));
1248 else if (ntohs(n.type) < 16384)
1249 ND_PRINT((ndo," type=%s", numstr(ntohs(n.type))));
1250 else if (ntohs(n.type) < 24576)
1251 ND_PRINT((ndo," type=%s", NOTIFY_STATUS_STR(ntohs(n.type))));
1252 else
1253 ND_PRINT((ndo," type=%s", numstr(ntohs(n.type))));
1254 if (n.spi_size) {
1255 ND_PRINT((ndo," spi="));
1256 if (!rawprint(ndo, (caddr_t)(p + 1), n.spi_size))
1257 goto trunc;
1258 }
1259 return (u_char *)(p + 1) + n.spi_size;
1260 }
1261
1262 ND_PRINT((ndo," doi=ipsec"));
1263 ND_PRINT((ndo," proto=%s", PROTOIDSTR(proto)));
1264 if (ntohs(n.type) < 8192)
1265 ND_PRINT((ndo," type=%s", NOTIFY_ERROR_STR(ntohs(n.type))));
1266 else if (ntohs(n.type) < 16384)
1267 ND_PRINT((ndo," type=%s", IPSEC_NOTIFY_ERROR_STR(ntohs(n.type))));
1268 else if (ntohs(n.type) < 24576)
1269 ND_PRINT((ndo," type=%s", NOTIFY_STATUS_STR(ntohs(n.type))));
1270 else if (ntohs(n.type) < 32768)
1271 ND_PRINT((ndo," type=%s", IPSEC_NOTIFY_STATUS_STR(ntohs(n.type))));
1272 else
1273 ND_PRINT((ndo," type=%s", numstr(ntohs(n.type))));
1274 if (n.spi_size) {
1275 ND_PRINT((ndo," spi="));
1276 if (!rawprint(ndo, (caddr_t)(p + 1), n.spi_size))
1277 goto trunc;
1278 }
1279
1280 cp = (u_char *)(p + 1) + n.spi_size;
1281 ep2 = (u_char *)p + item_len;
1282
1283 if (cp < ep) {
1284 ND_PRINT((ndo," orig=("));
1285 switch (ntohs(n.type)) {
1286 case IPSECDOI_NTYPE_RESPONDER_LIFETIME:
1287 {
1288 const struct attrmap *map = oakley_t_map;
1289 size_t nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]);
1290 while (cp < ep && cp < ep2) {
1291 cp = ikev1_attrmap_print(ndo, cp,
1292 (ep < ep2) ? ep : ep2, map, nmap);
1293 }
1294 break;
1295 }
1296 case IPSECDOI_NTYPE_REPLAY_STATUS:
1297 ND_PRINT((ndo,"replay detection %sabled",
1298 (*(u_int32_t *)cp) ? "en" : "dis"));
1299 break;
1300 case ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN:
1301 if (ikev1_sub_print(ndo, ISAKMP_NPTYPE_SA,
1302 (struct isakmp_gen *)cp, ep, phase, doi, proto,
1303 depth) == NULL)
1304 return NULL;
1305 break;
1306 default:
1307 /* NULL is dummy */
1308 isakmp_print(ndo, cp,
1309 item_len - sizeof(*p) - n.spi_size,
1310 NULL);
1311 }
1312 ND_PRINT((ndo,")"));
1313 }
1314 return (u_char *)ext + item_len;
1315 trunc:
1316 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_N)));
1317 return NULL;
1318 }
1319
1320 static const u_char *
1321 ikev1_d_print(netdissect_options *ndo, u_char tpay _U_,
1322 const struct isakmp_gen *ext, u_int item_len _U_,
1323 const u_char *ep _U_, u_int32_t phase _U_, u_int32_t doi0 _U_,
1324 u_int32_t proto0 _U_, int depth _U_)
1325 {
1326 const struct ikev1_pl_d *p;
1327 struct ikev1_pl_d d;
1328 const u_int8_t *q;
1329 u_int32_t doi;
1330 u_int32_t proto;
1331 int i;
1332
1333 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_D)));
1334
1335 p = (struct ikev1_pl_d *)ext;
1336 ND_TCHECK(*p);
1337 safememcpy(&d, ext, sizeof(d));
1338 doi = ntohl(d.doi);
1339 proto = d.prot_id;
1340 if (doi != 1) {
1341 ND_PRINT((ndo," doi=%u", doi));
1342 ND_PRINT((ndo," proto=%u", proto));
1343 } else {
1344 ND_PRINT((ndo," doi=ipsec"));
1345 ND_PRINT((ndo," proto=%s", PROTOIDSTR(proto)));
1346 }
1347 ND_PRINT((ndo," spilen=%u", d.spi_size));
1348 ND_PRINT((ndo," nspi=%u", ntohs(d.num_spi)));
1349 ND_PRINT((ndo," spi="));
1350 q = (u_int8_t *)(p + 1);
1351 for (i = 0; i < ntohs(d.num_spi); i++) {
1352 if (i != 0)
1353 ND_PRINT((ndo,","));
1354 if (!rawprint(ndo, (caddr_t)q, d.spi_size))
1355 goto trunc;
1356 q += d.spi_size;
1357 }
1358 return q;
1359 trunc:
1360 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_D)));
1361 return NULL;
1362 }
1363
1364 static const u_char *
1365 ikev1_vid_print(netdissect_options *ndo, u_char tpay _U_,
1366 const struct isakmp_gen *ext,
1367 u_int item_len _U_, const u_char *ep _U_,
1368 u_int32_t phase _U_, u_int32_t doi _U_,
1369 u_int32_t proto _U_, int depth _U_)
1370 {
1371 struct isakmp_gen e;
1372
1373 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_VID)));
1374
1375 ND_TCHECK(*ext);
1376 safememcpy(&e, ext, sizeof(e));
1377 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
1378 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1379 ND_PRINT((ndo," "));
1380 if (!rawprint(ndo, (caddr_t)(ext + 1), ntohs(e.len) - 4))
1381 goto trunc;
1382 }
1383 return (u_char *)ext + ntohs(e.len);
1384 trunc:
1385 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_VID)));
1386 return NULL;
1387 }
1388
1389 /************************************************************/
1390 /* */
1391 /* IKE v2 - rfc4306 - dissector */
1392 /* */
1393 /************************************************************/
1394
1395 static void
1396 ikev2_pay_print(netdissect_options *ndo, const char *payname, int critical)
1397 {
1398 ND_PRINT((ndo,"%s%s:", payname, critical&0x80 ? "[C]" : ""));
1399 }
1400
1401 static const u_char *
1402 ikev2_gen_print(netdissect_options *ndo, u_char tpay,
1403 const struct isakmp_gen *ext)
1404 {
1405 struct isakmp_gen e;
1406
1407 ND_TCHECK(*ext);
1408 safememcpy(&e, ext, sizeof(e));
1409 ikev2_pay_print(ndo, NPSTR(tpay), e.critical);
1410
1411 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
1412 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1413 ND_PRINT((ndo," "));
1414 if (!rawprint(ndo, (caddr_t)(ext + 1), ntohs(e.len) - 4))
1415 goto trunc;
1416 }
1417 return (u_char *)ext + ntohs(e.len);
1418 trunc:
1419 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
1420 return NULL;
1421 }
1422
1423 static const u_char *
1424 ikev2_t_print(netdissect_options *ndo, u_char tpay _U_, int pcount,
1425 const struct isakmp_gen *ext, u_int item_len,
1426 const u_char *ep, u_int32_t phase _U_, u_int32_t doi _U_,
1427 u_int32_t proto _U_, int depth _U_)
1428 {
1429 const struct ikev2_t *p;
1430 struct ikev2_t t;
1431 u_int16_t t_id;
1432 const u_char *cp;
1433 const char *idstr;
1434 const struct attrmap *map;
1435 size_t nmap;
1436 const u_char *ep2;
1437
1438 p = (struct ikev2_t *)ext;
1439 ND_TCHECK(*p);
1440 safememcpy(&t, ext, sizeof(t));
1441 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_T), t.h.critical);
1442
1443 t_id = ntohs(t.t_id);
1444
1445 map = NULL;
1446 nmap = 0;
1447
1448 switch (t.t_type) {
1449 case IV2_T_ENCR:
1450 idstr = STR_OR_ID(t_id, esp_p_map);
1451 map = encr_t_map;
1452 nmap = sizeof(encr_t_map)/sizeof(encr_t_map[0]);
1453 break;
1454
1455 case IV2_T_PRF:
1456 idstr = STR_OR_ID(t_id, prf_p_map);
1457 break;
1458
1459 case IV2_T_INTEG:
1460 idstr = STR_OR_ID(t_id, integ_p_map);
1461 break;
1462
1463 case IV2_T_DH:
1464 idstr = STR_OR_ID(t_id, dh_p_map);
1465 break;
1466
1467 case IV2_T_ESN:
1468 idstr = STR_OR_ID(t_id, esn_p_map);
1469 break;
1470
1471 default:
1472 idstr = NULL;
1473 break;
1474 }
1475
1476 if (idstr)
1477 ND_PRINT((ndo," #%u type=%s id=%s ", pcount,
1478 STR_OR_ID(t.t_type, ikev2_t_type_map),
1479 idstr));
1480 else
1481 ND_PRINT((ndo," #%u type=%s id=%u ", pcount,
1482 STR_OR_ID(t.t_type, ikev2_t_type_map),
1483 t.t_id));
1484 cp = (u_char *)(p + 1);
1485 ep2 = (u_char *)p + item_len;
1486 while (cp < ep && cp < ep2) {
1487 if (map && nmap) {
1488 cp = ikev1_attrmap_print(ndo, cp, (ep < ep2) ? ep : ep2,
1489 map, nmap);
1490 } else
1491 cp = ikev1_attr_print(ndo, cp, (ep < ep2) ? ep : ep2);
1492 }
1493 if (ep < ep2)
1494 ND_PRINT((ndo,"..."));
1495 return cp;
1496 trunc:
1497 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_T)));
1498 return NULL;
1499 }
1500
1501 static const u_char *
1502 ikev2_p_print(netdissect_options *ndo, u_char tpay _U_, int pcount _U_,
1503 const struct isakmp_gen *ext, u_int item_len _U_,
1504 const u_char *ep, u_int32_t phase, u_int32_t doi0,
1505 u_int32_t proto0 _U_, int depth)
1506 {
1507 const struct ikev2_p *p;
1508 struct ikev2_p prop;
1509 const u_char *cp;
1510
1511 p = (struct ikev2_p *)ext;
1512 ND_TCHECK(*p);
1513 safememcpy(&prop, ext, sizeof(prop));
1514 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_P), prop.h.critical);
1515
1516 ND_PRINT((ndo," #%u protoid=%s transform=%d len=%u",
1517 prop.p_no, PROTOIDSTR(prop.prot_id),
1518 prop.num_t, ntohs(prop.h.len)));
1519 if (prop.spi_size) {
1520 ND_PRINT((ndo," spi="));
1521 if (!rawprint(ndo, (caddr_t)(p + 1), prop.spi_size))
1522 goto trunc;
1523 }
1524
1525 ext = (struct isakmp_gen *)((u_char *)(p + 1) + prop.spi_size);
1526 ND_TCHECK(*ext);
1527
1528 cp = ikev2_sub_print(ndo, NULL, ISAKMP_NPTYPE_T, ext, ep, phase, doi0,
1529 prop.prot_id, depth);
1530
1531 return cp;
1532 trunc:
1533 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_P)));
1534 return NULL;
1535 }
1536
1537 static const u_char *
1538 ikev2_sa_print(netdissect_options *ndo, u_char tpay,
1539 const struct isakmp_gen *ext1,
1540 u_int item_len _U_, const u_char *ep _U_,
1541 u_int32_t phase _U_, u_int32_t doi _U_,
1542 u_int32_t proto _U_, int depth _U_)
1543 {
1544 struct isakmp_gen e;
1545 int osa_length, sa_length;
1546
1547 ND_TCHECK(*ext1);
1548 safememcpy(&e, ext1, sizeof(e));
1549 ikev2_pay_print(ndo, "sa", e.critical);
1550
1551 osa_length= ntohs(e.len);
1552 sa_length = osa_length - 4;
1553 ND_PRINT((ndo," len=%d", sa_length));
1554
1555 ikev2_sub_print(ndo, NULL, ISAKMP_NPTYPE_P,
1556 ext1+1, ep,
1557 0, 0, 0, depth);
1558
1559 return (u_char *)ext1 + osa_length;
1560 trunc:
1561 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
1562 return NULL;
1563 }
1564
1565 static const u_char *
1566 ikev2_ke_print(netdissect_options *ndo, u_char tpay,
1567 const struct isakmp_gen *ext,
1568 u_int item_len _U_, const u_char *ep _U_,
1569 u_int32_t phase _U_, u_int32_t doi _U_,
1570 u_int32_t proto _U_, int depth _U_)
1571 {
1572 struct ikev2_ke ke;
1573 struct ikev2_ke *k;
1574
1575 k = (struct ikev2_ke *)ext;
1576 ND_TCHECK(*ext);
1577 safememcpy(&ke, ext, sizeof(ke));
1578 ikev2_pay_print(ndo, NPSTR(tpay), ke.h.critical);
1579
1580 ND_PRINT((ndo," len=%u group=%s", ntohs(ke.h.len) - 8,
1581 STR_OR_ID(ntohs(ke.ke_group), dh_p_map)));
1582
1583 if (2 < ndo->ndo_vflag && 8 < ntohs(ke.h.len)) {
1584 ND_PRINT((ndo," "));
1585 if (!rawprint(ndo, (caddr_t)(k + 1), ntohs(ke.h.len) - 8))
1586 goto trunc;
1587 }
1588 return (u_char *)ext + ntohs(ke.h.len);
1589 trunc:
1590 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
1591 return NULL;
1592 }
1593
1594 static const u_char *
1595 ikev2_ID_print(netdissect_options *ndo, u_char tpay,
1596 const struct isakmp_gen *ext,
1597 u_int item_len _U_, const u_char *ep _U_,
1598 u_int32_t phase _U_, u_int32_t doi _U_,
1599 u_int32_t proto _U_, int depth _U_)
1600 {
1601 struct ikev2_id id;
1602 int id_len, idtype_len, i;
1603 unsigned int dumpascii, dumphex;
1604 unsigned char *typedata;
1605
1606 ND_TCHECK(*ext);
1607 safememcpy(&id, ext, sizeof(id));
1608 ikev2_pay_print(ndo, NPSTR(tpay), id.h.critical);
1609
1610 id_len = ntohs(id.h.len);
1611
1612 ND_PRINT((ndo," len=%d", id_len - 4));
1613 if (2 < ndo->ndo_vflag && 4 < id_len) {
1614 ND_PRINT((ndo," "));
1615 if (!rawprint(ndo, (caddr_t)(ext + 1), id_len - 4))
1616 goto trunc;
1617 }
1618
1619 idtype_len =id_len - sizeof(struct ikev2_id);
1620 dumpascii = 0;
1621 dumphex = 0;
1622 typedata = (unsigned char *)(ext)+sizeof(struct ikev2_id);
1623
1624 switch(id.type) {
1625 case ID_IPV4_ADDR:
1626 ND_PRINT((ndo, " ipv4:"));
1627 dumphex=1;
1628 break;
1629 case ID_FQDN:
1630 ND_PRINT((ndo, " fqdn:"));
1631 dumpascii=1;
1632 break;
1633 case ID_RFC822_ADDR:
1634 ND_PRINT((ndo, " rfc822:"));
1635 dumpascii=1;
1636 break;
1637 case ID_IPV6_ADDR:
1638 ND_PRINT((ndo, " ipv6:"));
1639 dumphex=1;
1640 break;
1641 case ID_DER_ASN1_DN:
1642 ND_PRINT((ndo, " dn:"));
1643 dumphex=1;
1644 break;
1645 case ID_DER_ASN1_GN:
1646 ND_PRINT((ndo, " gn:"));
1647 dumphex=1;
1648 break;
1649 case ID_KEY_ID:
1650 ND_PRINT((ndo, " keyid:"));
1651 dumphex=1;
1652 break;
1653 }
1654
1655 if(dumpascii) {
1656 ND_TCHECK2(*typedata, idtype_len);
1657 for(i=0; i<idtype_len; i++) {
1658 if(isprint(typedata[i])) {
1659 ND_PRINT((ndo, "%c", typedata[i]));
1660 } else {
1661 ND_PRINT((ndo, "."));
1662 }
1663 }
1664 }
1665 if(dumphex) {
1666 if (!rawprint(ndo, (caddr_t)typedata, idtype_len))
1667 goto trunc;
1668 }
1669
1670 return (u_char *)ext + id_len;
1671 trunc:
1672 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
1673 return NULL;
1674 }
1675
1676 static const u_char *
1677 ikev2_cert_print(netdissect_options *ndo, u_char tpay,
1678 const struct isakmp_gen *ext,
1679 u_int item_len _U_, const u_char *ep _U_,
1680 u_int32_t phase _U_, u_int32_t doi _U_,
1681 u_int32_t proto _U_, int depth _U_)
1682 {
1683 return ikev2_gen_print(ndo, tpay, ext);
1684 }
1685
1686 static const u_char *
1687 ikev2_cr_print(netdissect_options *ndo, u_char tpay,
1688 const struct isakmp_gen *ext,
1689 u_int item_len _U_, const u_char *ep _U_,
1690 u_int32_t phase _U_, u_int32_t doi _U_,
1691 u_int32_t proto _U_, int depth _U_)
1692 {
1693 return ikev2_gen_print(ndo, tpay, ext);
1694 }
1695
1696 static const u_char *
1697 ikev2_auth_print(netdissect_options *ndo, u_char tpay,
1698 const struct isakmp_gen *ext,
1699 u_int item_len _U_, const u_char *ep _U_,
1700 u_int32_t phase _U_, u_int32_t doi _U_,
1701 u_int32_t proto _U_, int depth _U_)
1702 {
1703 struct ikev2_auth a;
1704 const char *v2_auth[]={ "invalid", "rsasig",
1705 "shared-secret", "dsssig" };
1706 u_char *authdata = (u_char*)ext + sizeof(a);
1707 unsigned int len;
1708
1709 ND_TCHECK(*ext);
1710 safememcpy(&a, ext, sizeof(a));
1711 ikev2_pay_print(ndo, NPSTR(tpay), a.h.critical);
1712 len = ntohs(a.h.len);
1713
1714 ND_PRINT((ndo," len=%d method=%s", len-4,
1715 STR_OR_ID(a.auth_method, v2_auth)));
1716
1717 if (1 < ndo->ndo_vflag && 4 < len) {
1718 ND_PRINT((ndo," authdata=("));
1719 if (!rawprint(ndo, (caddr_t)authdata, len - sizeof(a)))
1720 goto trunc;
1721 ND_PRINT((ndo,") "));
1722 } else if(ndo->ndo_vflag && 4 < len) {
1723 if(!ike_show_somedata(ndo, authdata, ep)) goto trunc;
1724 }
1725
1726 return (u_char *)ext + len;
1727 trunc:
1728 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
1729 return NULL;
1730 }
1731
1732 static const u_char *
1733 ikev2_nonce_print(netdissect_options *ndo, u_char tpay,
1734 const struct isakmp_gen *ext,
1735 u_int item_len _U_, const u_char *ep _U_,
1736 u_int32_t phase _U_, u_int32_t doi _U_,
1737 u_int32_t proto _U_, int depth _U_)
1738 {
1739 struct isakmp_gen e;
1740
1741 ND_TCHECK(*ext);
1742 safememcpy(&e, ext, sizeof(e));
1743 ikev2_pay_print(ndo, "nonce", e.critical);
1744
1745 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
1746 if (1 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1747 ND_PRINT((ndo," nonce=("));
1748 if (!rawprint(ndo, (caddr_t)(ext + 1), ntohs(e.len) - 4))
1749 goto trunc;
1750 ND_PRINT((ndo,") "));
1751 } else if(ndo->ndo_vflag && 4 < ntohs(e.len)) {
1752 if(!ike_show_somedata(ndo, (const u_char *)(ext+1), ep)) goto trunc;
1753 }
1754
1755 return (u_char *)ext + ntohs(e.len);
1756 trunc:
1757 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
1758 return NULL;
1759 }
1760
1761 /* notify payloads */
1762 static const u_char *
1763 ikev2_n_print(netdissect_options *ndo, u_char tpay _U_,
1764 const struct isakmp_gen *ext,
1765 u_int item_len _U_, const u_char *ep _U_,
1766 u_int32_t phase _U_, u_int32_t doi _U_,
1767 u_int32_t proto _U_, int depth _U_)
1768 {
1769 struct ikev2_n *p, n;
1770 const u_char *cp;
1771 u_char *ep2;
1772 u_char showspi, showdata, showsomedata;
1773 const char *notify_name;
1774 u_int32_t type;
1775
1776 p = (struct ikev2_n *)ext;
1777 ND_TCHECK(*p);
1778 safememcpy(&n, ext, sizeof(n));
1779 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_N), n.h.critical);
1780
1781 showspi = 1;
1782 showdata = 0;
1783 showsomedata=0;
1784 notify_name=NULL;
1785
1786 ND_PRINT((ndo," prot_id=%s", PROTOIDSTR(n.prot_id)));
1787
1788 type = ntohs(n.type);
1789
1790 /* notify space is annoying sparse */
1791 switch(type) {
1792 case IV2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD:
1793 notify_name = "unsupported_critical_payload";
1794 showspi = 0;
1795 break;
1796
1797 case IV2_NOTIFY_INVALID_IKE_SPI:
1798 notify_name = "invalid_ike_spi";
1799 showspi = 1;
1800 break;
1801
1802 case IV2_NOTIFY_INVALID_MAJOR_VERSION:
1803 notify_name = "invalid_major_version";
1804 showspi = 0;
1805 break;
1806
1807 case IV2_NOTIFY_INVALID_SYNTAX:
1808 notify_name = "invalid_syntax";
1809 showspi = 1;
1810 break;
1811
1812 case IV2_NOTIFY_INVALID_MESSAGE_ID:
1813 notify_name = "invalid_message_id";
1814 showspi = 1;
1815 break;
1816
1817 case IV2_NOTIFY_INVALID_SPI:
1818 notify_name = "invalid_spi";
1819 showspi = 1;
1820 break;
1821
1822 case IV2_NOTIFY_NO_PROPOSAL_CHOSEN:
1823 notify_name = "no_protocol_chosen";
1824 showspi = 1;
1825 break;
1826
1827 case IV2_NOTIFY_INVALID_KE_PAYLOAD:
1828 notify_name = "invalid_ke_payload";
1829 showspi = 1;
1830 break;
1831
1832 case IV2_NOTIFY_AUTHENTICATION_FAILED:
1833 notify_name = "authentication_failed";
1834 showspi = 1;
1835 break;
1836
1837 case IV2_NOTIFY_SINGLE_PAIR_REQUIRED:
1838 notify_name = "single_pair_required";
1839 showspi = 1;
1840 break;
1841
1842 case IV2_NOTIFY_NO_ADDITIONAL_SAS:
1843 notify_name = "no_additional_sas";
1844 showspi = 0;
1845 break;
1846
1847 case IV2_NOTIFY_INTERNAL_ADDRESS_FAILURE:
1848 notify_name = "internal_address_failure";
1849 showspi = 0;
1850 break;
1851
1852 case IV2_NOTIFY_FAILED_CP_REQUIRED:
1853 notify_name = "failed:cp_required";
1854 showspi = 0;
1855 break;
1856
1857 case IV2_NOTIFY_INVALID_SELECTORS:
1858 notify_name = "invalid_selectors";
1859 showspi = 0;
1860 break;
1861
1862 case IV2_NOTIFY_INITIAL_CONTACT:
1863 notify_name = "initial_contact";
1864 showspi = 0;
1865 break;
1866
1867 case IV2_NOTIFY_SET_WINDOW_SIZE:
1868 notify_name = "set_window_size";
1869 showspi = 0;
1870 break;
1871
1872 case IV2_NOTIFY_ADDITIONAL_TS_POSSIBLE:
1873 notify_name = "additional_ts_possible";
1874 showspi = 0;
1875 break;
1876
1877 case IV2_NOTIFY_IPCOMP_SUPPORTED:
1878 notify_name = "ipcomp_supported";
1879 showspi = 0;
1880 break;
1881
1882 case IV2_NOTIFY_NAT_DETECTION_SOURCE_IP:
1883 notify_name = "nat_detection_source_ip";
1884 showspi = 1;
1885 break;
1886
1887 case IV2_NOTIFY_NAT_DETECTION_DESTINATION_IP:
1888 notify_name = "nat_detection_destination_ip";
1889 showspi = 1;
1890 break;
1891
1892 case IV2_NOTIFY_COOKIE:
1893 notify_name = "cookie";
1894 showspi = 1;
1895 showsomedata= 1;
1896 showdata= 0;
1897 break;
1898
1899 case IV2_NOTIFY_USE_TRANSPORT_MODE:
1900 notify_name = "use_transport_mode";
1901 showspi = 0;
1902 break;
1903
1904 case IV2_NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED:
1905 notify_name = "http_cert_lookup_supported";
1906 showspi = 0;
1907 break;
1908
1909 case IV2_NOTIFY_REKEY_SA:
1910 notify_name = "rekey_sa";
1911 showspi = 1;
1912 break;
1913
1914 case IV2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED:
1915 notify_name = "tfc_padding_not_supported";
1916 showspi = 0;
1917 break;
1918
1919 case IV2_NOTIFY_NON_FIRST_FRAGMENTS_ALSO:
1920 notify_name = "non_first_fragment_also";
1921 showspi = 0;
1922 break;
1923
1924 default:
1925 if (type < 8192) {
1926 notify_name="error";
1927 } else if(type < 16384) {
1928 notify_name="private-error";
1929 } else if(type < 40960) {
1930 notify_name="status";
1931 } else {
1932 notify_name="private-status";
1933 }
1934 }
1935
1936 if(notify_name) {
1937 ND_PRINT((ndo," type=%u(%s)", type, notify_name));
1938 }
1939
1940
1941 if (showspi && n.spi_size) {
1942 ND_PRINT((ndo," spi="));
1943 if (!rawprint(ndo, (caddr_t)(p + 1), n.spi_size))
1944 goto trunc;
1945 }
1946
1947 cp = (u_char *)(p + 1) + n.spi_size;
1948 ep2 = (u_char *)p + item_len;
1949
1950 if(3 < ndo->ndo_vflag) {
1951 showdata = 1;
1952 }
1953
1954 if ((showdata || (showsomedata && ep-cp < 30)) && cp < ep) {
1955 ND_PRINT((ndo," data=("));
1956 if (!rawprint(ndo, (caddr_t)(cp), ep - cp))
1957 goto trunc;
1958
1959 ND_PRINT((ndo,")"));
1960
1961 } else if(showsomedata && cp < ep) {
1962 if(!ike_show_somedata(ndo, cp, ep)) goto trunc;
1963 }
1964
1965 return (u_char *)ext + item_len;
1966 trunc:
1967 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_N)));
1968 return NULL;
1969 }
1970
1971 static const u_char *
1972 ikev2_d_print(netdissect_options *ndo, u_char tpay,
1973 const struct isakmp_gen *ext,
1974 u_int item_len _U_, const u_char *ep _U_,
1975 u_int32_t phase _U_, u_int32_t doi _U_,
1976 u_int32_t proto _U_, int depth _U_)
1977 {
1978 return ikev2_gen_print(ndo, tpay, ext);
1979 }
1980
1981 static const u_char *
1982 ikev2_vid_print(netdissect_options *ndo, u_char tpay,
1983 const struct isakmp_gen *ext,
1984 u_int item_len _U_, const u_char *ep _U_,
1985 u_int32_t phase _U_, u_int32_t doi _U_,
1986 u_int32_t proto _U_, int depth _U_)
1987 {
1988 struct isakmp_gen e;
1989 const u_char *vid;
1990 int i, len;
1991
1992 ND_TCHECK(*ext);
1993 safememcpy(&e, ext, sizeof(e));
1994 ikev2_pay_print(ndo, NPSTR(tpay), e.critical);
1995 ND_PRINT((ndo," len=%d vid=", ntohs(e.len) - 4));
1996
1997 vid = (const u_char *)(ext+1);
1998 len = ntohs(e.len) - 4;
1999 ND_TCHECK2(*vid, len);
2000 for(i=0; i<len; i++) {
2001 if(isprint(vid[i])) ND_PRINT((ndo, "%c", vid[i]));
2002 else ND_PRINT((ndo, "."));
2003 }
2004 if (2 < ndo->ndo_vflag && 4 < len) {
2005 ND_PRINT((ndo," "));
2006 if (!rawprint(ndo, (caddr_t)(ext + 1), ntohs(e.len) - 4))
2007 goto trunc;
2008 }
2009 return (u_char *)ext + ntohs(e.len);
2010 trunc:
2011 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2012 return NULL;
2013 }
2014
2015 static const u_char *
2016 ikev2_TS_print(netdissect_options *ndo, u_char tpay,
2017 const struct isakmp_gen *ext,
2018 u_int item_len _U_, const u_char *ep _U_,
2019 u_int32_t phase _U_, u_int32_t doi _U_,
2020 u_int32_t proto _U_, int depth _U_)
2021 {
2022 return ikev2_gen_print(ndo, tpay, ext);
2023 }
2024
2025 static const u_char *
2026 ikev2_e_print(netdissect_options *ndo,
2027 #ifndef HAVE_LIBCRYPTO
2028 _U_
2029 #endif
2030 struct isakmp *base,
2031 u_char tpay,
2032 const struct isakmp_gen *ext,
2033 u_int item_len _U_, const u_char *ep _U_,
2034 #ifndef HAVE_LIBCRYPTO
2035 _U_
2036 #endif
2037 u_int32_t phase,
2038 #ifndef HAVE_LIBCRYPTO
2039 _U_
2040 #endif
2041 u_int32_t doi,
2042 #ifndef HAVE_LIBCRYPTO
2043 _U_
2044 #endif
2045 u_int32_t proto,
2046 #ifndef HAVE_LIBCRYPTO
2047 _U_
2048 #endif
2049 int depth)
2050 {
2051 struct isakmp_gen e;
2052 u_char *dat;
2053 volatile int dlen;
2054
2055 ND_TCHECK(*ext);
2056 safememcpy(&e, ext, sizeof(e));
2057 ikev2_pay_print(ndo, NPSTR(tpay), e.critical);
2058
2059 dlen = ntohs(e.len)-4;
2060
2061 ND_PRINT((ndo," len=%d", dlen));
2062 if (2 < ndo->ndo_vflag && 4 < dlen) {
2063 ND_PRINT((ndo," "));
2064 if (!rawprint(ndo, (caddr_t)(ext + 1), dlen))
2065 goto trunc;
2066 }
2067
2068 dat = (u_char *)(ext+1);
2069 ND_TCHECK2(*dat, dlen);
2070
2071 #ifdef HAVE_LIBCRYPTO
2072 /* try to decypt it! */
2073 if(esp_print_decrypt_buffer_by_ikev2(ndo,
2074 base->flags & ISAKMP_FLAG_I,
2075 base->i_ck, base->r_ck,
2076 dat, dat+dlen)) {
2077
2078 ext = (const struct isakmp_gen *)ndo->ndo_packetp;
2079
2080 /* got it decrypted, print stuff inside. */
2081 ikev2_sub_print(ndo, base, e.np, ext, ndo->ndo_snapend,
2082 phase, doi, proto, depth+1);
2083 }
2084 #endif
2085
2086
2087 /* always return NULL, because E must be at end, and NP refers
2088 * to what was inside.
2089 */
2090 return NULL;
2091 trunc:
2092 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2093 return NULL;
2094 }
2095
2096 static const u_char *
2097 ikev2_cp_print(netdissect_options *ndo, u_char tpay,
2098 const struct isakmp_gen *ext,
2099 u_int item_len _U_, const u_char *ep _U_,
2100 u_int32_t phase _U_, u_int32_t doi _U_,
2101 u_int32_t proto _U_, int depth _U_)
2102 {
2103 return ikev2_gen_print(ndo, tpay, ext);
2104 }
2105
2106 static const u_char *
2107 ikev2_eap_print(netdissect_options *ndo, u_char tpay,
2108 const struct isakmp_gen *ext,
2109 u_int item_len _U_, const u_char *ep _U_,
2110 u_int32_t phase _U_, u_int32_t doi _U_,
2111 u_int32_t proto _U_, int depth _U_)
2112 {
2113 return ikev2_gen_print(ndo, tpay, ext);
2114 }
2115
2116 static const u_char *
2117 ike_sub0_print(netdissect_options *ndo,
2118 u_char np, const struct isakmp_gen *ext, const u_char *ep,
2119
2120 u_int32_t phase, u_int32_t doi, u_int32_t proto, int depth)
2121 {
2122 const u_char *cp;
2123 struct isakmp_gen e;
2124 u_int item_len;
2125
2126 cp = (u_char *)ext;
2127 ND_TCHECK(*ext);
2128 safememcpy(&e, ext, sizeof(e));
2129
2130 /*
2131 * Since we can't have a payload length of less than 4 bytes,
2132 * we need to bail out here if the generic header is nonsensical
2133 * or truncated, otherwise we could loop forever processing
2134 * zero-length items or otherwise misdissect the packet.
2135 */
2136 item_len = ntohs(e.len);
2137 if (item_len <= 4)
2138 return NULL;
2139
2140 if (NPFUNC(np)) {
2141 /*
2142 * XXX - what if item_len is too short, or too long,
2143 * for this payload type?
2144 */
2145 cp = (*npfunc[np])(ndo, np, ext, item_len, ep, phase, doi, proto, depth);
2146 } else {
2147 ND_PRINT((ndo,"%s", NPSTR(np)));
2148 cp += item_len;
2149 }
2150
2151 return cp;
2152 trunc:
2153 ND_PRINT((ndo," [|isakmp]"));
2154 return NULL;
2155 }
2156
2157 static const u_char *
2158 ikev1_sub_print(netdissect_options *ndo,
2159 u_char np, const struct isakmp_gen *ext, const u_char *ep,
2160 u_int32_t phase, u_int32_t doi, u_int32_t proto, int depth)
2161 {
2162 const u_char *cp;
2163 int i;
2164 struct isakmp_gen e;
2165
2166 cp = (const u_char *)ext;
2167
2168 while (np) {
2169 ND_TCHECK(*ext);
2170
2171 safememcpy(&e, ext, sizeof(e));
2172
2173 ND_TCHECK2(*ext, ntohs(e.len));
2174
2175 depth++;
2176 ND_PRINT((ndo,"\n"));
2177 for (i = 0; i < depth; i++)
2178 ND_PRINT((ndo," "));
2179 ND_PRINT((ndo,"("));
2180 cp = ike_sub0_print(ndo, np, ext, ep, phase, doi, proto, depth);
2181 ND_PRINT((ndo,")"));
2182 depth--;
2183
2184 if (cp == NULL) {
2185 /* Zero-length subitem */
2186 return NULL;
2187 }
2188
2189 np = e.np;
2190 ext = (struct isakmp_gen *)cp;
2191 }
2192 return cp;
2193 trunc:
2194 ND_PRINT((ndo," [|%s]", NPSTR(np)));
2195 return NULL;
2196 }
2197
2198 static char *
2199 numstr(int x)
2200 {
2201 static char buf[20];
2202 snprintf(buf, sizeof(buf), "#%d", x);
2203 return buf;
2204 }
2205
2206 /*
2207 * some compiler tries to optimize memcpy(), using the alignment constraint
2208 * on the argument pointer type. by using this function, we try to avoid the
2209 * optimization.
2210 */
2211 static void
2212 safememcpy(void *p, const void *q, size_t l)
2213 {
2214 memcpy(p, q, l);
2215 }
2216
2217 static void
2218 ikev1_print(netdissect_options *ndo,
2219 const u_char *bp, u_int length,
2220 const u_char *bp2, struct isakmp *base)
2221 {
2222 const struct isakmp *p;
2223 const u_char *ep;
2224 u_char np;
2225 int i;
2226 int phase;
2227
2228 p = (const struct isakmp *)bp;
2229 ep = ndo->ndo_snapend;
2230
2231 phase = (*(u_int32_t *)base->msgid == 0) ? 1 : 2;
2232 if (phase == 1)
2233 ND_PRINT((ndo," phase %d", phase));
2234 else
2235 ND_PRINT((ndo," phase %d/others", phase));
2236
2237 i = cookie_find(&base->i_ck);
2238 if (i < 0) {
2239 if (iszero((u_char *)&base->r_ck, sizeof(base->r_ck))) {
2240 /* the first packet */
2241 ND_PRINT((ndo," I"));
2242 if (bp2)
2243 cookie_record(&base->i_ck, bp2);
2244 } else
2245 ND_PRINT((ndo," ?"));
2246 } else {
2247 if (bp2 && cookie_isinitiator(i, bp2))
2248 ND_PRINT((ndo," I"));
2249 else if (bp2 && cookie_isresponder(i, bp2))
2250 ND_PRINT((ndo," R"));
2251 else
2252 ND_PRINT((ndo," ?"));
2253 }
2254
2255 ND_PRINT((ndo," %s", ETYPESTR(base->etype)));
2256 if (base->flags) {
2257 ND_PRINT((ndo,"[%s%s]", base->flags & ISAKMP_FLAG_E ? "E" : "",
2258 base->flags & ISAKMP_FLAG_C ? "C" : ""));
2259 }
2260
2261 if (ndo->ndo_vflag) {
2262 const struct isakmp_gen *ext;
2263 int nparen;
2264
2265 ND_PRINT((ndo,":"));
2266
2267 /* regardless of phase... */
2268 if (base->flags & ISAKMP_FLAG_E) {
2269 /*
2270 * encrypted, nothing we can do right now.
2271 * we hope to decrypt the packet in the future...
2272 */
2273 ND_PRINT((ndo," [encrypted %s]", NPSTR(base->np)));
2274 goto done;
2275 }
2276
2277 nparen = 0;
2278 CHECKLEN(p + 1, base->np);
2279 np = base->np;
2280 ext = (struct isakmp_gen *)(p + 1);
2281 ikev1_sub_print(ndo, np, ext, ep, phase, 0, 0, 0);
2282 }
2283
2284 done:
2285 if (ndo->ndo_vflag) {
2286 if (ntohl(base->len) != length) {
2287 ND_PRINT((ndo," (len mismatch: isakmp %u/ip %u)",
2288 (u_int32_t)ntohl(base->len), length));
2289 }
2290 }
2291 }
2292
2293 static const u_char *
2294 ikev2_sub0_print(netdissect_options *ndo, struct isakmp *base,
2295 u_char np, int pcount,
2296 const struct isakmp_gen *ext, const u_char *ep,
2297 u_int32_t phase, u_int32_t doi, u_int32_t proto, int depth)
2298 {
2299 const u_char *cp;
2300 struct isakmp_gen e;
2301 u_int item_len;
2302
2303 cp = (u_char *)ext;
2304 ND_TCHECK(*ext);
2305 safememcpy(&e, ext, sizeof(e));
2306
2307 /*
2308 * Since we can't have a payload length of less than 4 bytes,
2309 * we need to bail out here if the generic header is nonsensical
2310 * or truncated, otherwise we could loop forever processing
2311 * zero-length items or otherwise misdissect the packet.
2312 */
2313 item_len = ntohs(e.len);
2314 if (item_len <= 4)
2315 return NULL;
2316
2317 if(np == ISAKMP_NPTYPE_P) {
2318 cp = ikev2_p_print(ndo, np, pcount, ext, item_len,
2319 ep, phase, doi, proto, depth);
2320 } else if(np == ISAKMP_NPTYPE_T) {
2321 cp = ikev2_t_print(ndo, np, pcount, ext, item_len,
2322 ep, phase, doi, proto, depth);
2323 } else if(np == ISAKMP_NPTYPE_v2E) {
2324 cp = ikev2_e_print(ndo, base, np, ext, item_len,
2325 ep, phase, doi, proto, depth);
2326 } else if (NPFUNC(np)) {
2327 /*
2328 * XXX - what if item_len is too short, or too long,
2329 * for this payload type?
2330 */
2331 cp = (*npfunc[np])(ndo, np, /*pcount,*/ ext, item_len,
2332 ep, phase, doi, proto, depth);
2333 } else {
2334 ND_PRINT((ndo,"%s", NPSTR(np)));
2335 cp += item_len;
2336 }
2337
2338 return cp;
2339 trunc:
2340 ND_PRINT((ndo," [|isakmp]"));
2341 return NULL;
2342 }
2343
2344 static const u_char *
2345 ikev2_sub_print(netdissect_options *ndo,
2346 struct isakmp *base,
2347 u_char np, const struct isakmp_gen *ext, const u_char *ep,
2348 u_int32_t phase, u_int32_t doi, u_int32_t proto, int depth)
2349 {
2350 const u_char *cp;
2351 int i;
2352 int pcount;
2353 struct isakmp_gen e;
2354
2355 cp = (const u_char *)ext;
2356 pcount = 0;
2357 while (np) {
2358 pcount++;
2359 ND_TCHECK(*ext);
2360
2361 safememcpy(&e, ext, sizeof(e));
2362
2363 ND_TCHECK2(*ext, ntohs(e.len));
2364
2365 depth++;
2366 ND_PRINT((ndo,"\n"));
2367 for (i = 0; i < depth; i++)
2368 ND_PRINT((ndo," "));
2369 ND_PRINT((ndo,"("));
2370 cp = ikev2_sub0_print(ndo, base, np, pcount,
2371 ext, ep, phase, doi, proto, depth);
2372 ND_PRINT((ndo,")"));
2373 depth--;
2374
2375 if (cp == NULL) {
2376 /* Zero-length subitem */
2377 return NULL;
2378 }
2379
2380 np = e.np;
2381 ext = (struct isakmp_gen *)cp;
2382 }
2383 return cp;
2384 trunc:
2385 ND_PRINT((ndo," [|%s]", NPSTR(np)));
2386 return NULL;
2387 }
2388
2389 static void
2390 ikev2_print(netdissect_options *ndo,
2391 const u_char *bp, u_int length,
2392 const u_char *bp2 _U_, struct isakmp *base)
2393 {
2394 const struct isakmp *p;
2395 const u_char *ep;
2396 u_char np;
2397 int phase;
2398
2399 p = (const struct isakmp *)bp;
2400 ep = ndo->ndo_snapend;
2401
2402 phase = (*(u_int32_t *)base->msgid == 0) ? 1 : 2;
2403 if (phase == 1)
2404 ND_PRINT((ndo, " parent_sa"));
2405 else
2406 ND_PRINT((ndo, " child_sa "));
2407
2408 ND_PRINT((ndo, " %s", ETYPESTR(base->etype)));
2409 if (base->flags) {
2410 ND_PRINT((ndo, "[%s%s%s]",
2411 base->flags & ISAKMP_FLAG_I ? "I" : "",
2412 base->flags & ISAKMP_FLAG_V ? "V" : "",
2413 base->flags & ISAKMP_FLAG_R ? "R" : ""));
2414 }
2415
2416 if (ndo->ndo_vflag) {
2417 const struct isakmp_gen *ext;
2418 int nparen;
2419
2420 ND_PRINT((ndo, ":"));
2421
2422 /* regardless of phase... */
2423 if (base->flags & ISAKMP_FLAG_E) {
2424 /*
2425 * encrypted, nothing we can do right now.
2426 * we hope to decrypt the packet in the future...
2427 */
2428 ND_PRINT((ndo, " [encrypted %s]", NPSTR(base->np)));
2429 goto done;
2430 }
2431
2432 nparen = 0;
2433 CHECKLEN(p + 1, base->np)
2434
2435 np = base->np;
2436 ext = (struct isakmp_gen *)(p + 1);
2437 ikev2_sub_print(ndo, base, np, ext, ep, phase, 0, 0, 0);
2438 }
2439
2440 done:
2441 if (ndo->ndo_vflag) {
2442 if (ntohl(base->len) != length) {
2443 ND_PRINT((ndo, " (len mismatch: isakmp %u/ip %u)",
2444 (u_int32_t)ntohl(base->len), length));
2445 }
2446 }
2447 }
2448
2449 void
2450 isakmp_print(netdissect_options *ndo,
2451 const u_char *bp, u_int length,
2452 const u_char *bp2)
2453 {
2454 const struct isakmp *p;
2455 struct isakmp base;
2456 const u_char *ep;
2457 int major, minor;
2458
2459 #ifdef HAVE_LIBCRYPTO
2460 /* initialize SAs */
2461 if (ndo->ndo_sa_list_head == NULL) {
2462 if (ndo->ndo_espsecret)
2463 esp_print_decodesecret(ndo);
2464 }
2465 #endif
2466
2467 p = (const struct isakmp *)bp;
2468 ep = ndo->ndo_snapend;
2469
2470 if ((struct isakmp *)ep < p + 1) {
2471 ND_PRINT((ndo,"[|isakmp]"));
2472 return;
2473 }
2474
2475 safememcpy(&base, p, sizeof(base));
2476
2477 ND_PRINT((ndo,"isakmp"));
2478 major = (base.vers & ISAKMP_VERS_MAJOR)
2479 >> ISAKMP_VERS_MAJOR_SHIFT;
2480 minor = (base.vers & ISAKMP_VERS_MINOR)
2481 >> ISAKMP_VERS_MINOR_SHIFT;
2482
2483 if (ndo->ndo_vflag) {
2484 ND_PRINT((ndo," %d.%d", major, minor));
2485 }
2486
2487 if (ndo->ndo_vflag) {
2488 ND_PRINT((ndo," msgid "));
2489 hexprint(ndo, (caddr_t)&base.msgid, sizeof(base.msgid));
2490 }
2491
2492 if (1 < ndo->ndo_vflag) {
2493 ND_PRINT((ndo," cookie "));
2494 hexprint(ndo, (caddr_t)&base.i_ck, sizeof(base.i_ck));
2495 ND_PRINT((ndo,"->"));
2496 hexprint(ndo, (caddr_t)&base.r_ck, sizeof(base.r_ck));
2497 }
2498 ND_PRINT((ndo,":"));
2499
2500 switch(major) {
2501 case IKEv1_MAJOR_VERSION:
2502 ikev1_print(ndo, bp, length, bp2, &base);
2503 break;
2504
2505 case IKEv2_MAJOR_VERSION:
2506 ikev2_print(ndo, bp, length, bp2, &base);
2507 break;
2508 }
2509 }
2510
2511 void
2512 isakmp_rfc3948_print(netdissect_options *ndo,
2513 const u_char *bp, u_int length,
2514 const u_char *bp2)
2515 {
2516 const u_char *ep;
2517 ep = ndo->ndo_snapend;
2518
2519 if(length == 1 && bp[0]==0xff) {
2520 ND_PRINT((ndo, "isakmp-nat-keep-alive"));
2521 return;
2522 }
2523
2524 if(length < 4) {
2525 goto trunc;
2526 }
2527
2528 /*
2529 * see if this is an IKE packet
2530 */
2531 if(bp[0]==0 && bp[1]==0 && bp[2]==0 && bp[3]==0) {
2532 ND_PRINT((ndo, "NONESP-encap: "));
2533 isakmp_print(ndo, bp+4, length-4, bp2);
2534 return;
2535 }
2536
2537 /* must be an ESP packet */
2538 {
2539 int nh, enh, padlen;
2540 int advance;
2541
2542 ND_PRINT((ndo, "UDP-encap: "));
2543
2544 advance = esp_print(ndo, bp, length, bp2, &enh, &padlen);
2545 if(advance <= 0)
2546 return;
2547
2548 bp += advance;
2549 length -= advance + padlen;
2550 nh = enh & 0xff;
2551
2552 ip_print_inner(ndo, bp, length, nh, bp2);
2553 return;
2554 }
2555
2556 trunc:
2557 ND_PRINT((ndo,"[|isakmp]"));
2558 return;
2559 }
2560
2561 /*
2562 * Local Variables:
2563 * c-style: whitesmith
2564 * c-basic-offset: 8
2565 * End:
2566 */
2567
2568
2569
2570
DragonFly BSD