2 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. Neither the name of the project nor the names of its contributors
14 * may be used to endorse or promote products derived from this software
15 * without specific prior written permission.
17 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 /* \summary: Internet Security Association and Key Management Protocol (ISAKMP) printer */
37 /* The functions from print-esp.c used in this file are only defined when both
38 * OpenSSL and evp.h are detected. Employ the same preprocessor device here.
40 #ifndef HAVE_OPENSSL_EVP_H
44 #include <netdissect-stdinc.h>
48 #include "netdissect.h"
49 #include "addrtoname.h"
56 /* refer to RFC 2408 */
58 typedef u_char cookie_t[8];
59 typedef u_char msgid_t[4];
61 #define PORT_ISAKMP 500
63 /* 3.1 ISAKMP Header Format (IKEv1 and IKEv2)
64 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
65 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
68 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
71 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
72 ! Next Payload ! MjVer ! MnVer ! Exchange Type ! Flags !
73 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
75 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
77 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
80 cookie_t i_ck; /* Initiator Cookie */
81 cookie_t r_ck; /* Responder Cookie */
82 uint8_t np; /* Next Payload Type */
84 #define ISAKMP_VERS_MAJOR 0xf0
85 #define ISAKMP_VERS_MAJOR_SHIFT 4
86 #define ISAKMP_VERS_MINOR 0x0f
87 #define ISAKMP_VERS_MINOR_SHIFT 0
88 uint8_t etype; /* Exchange Type */
89 uint8_t flags; /* Flags */
91 uint32_t len; /* Length */
94 /* Next Payload Type */
95 #define ISAKMP_NPTYPE_NONE 0 /* NONE*/
96 #define ISAKMP_NPTYPE_SA 1 /* Security Association */
97 #define ISAKMP_NPTYPE_P 2 /* Proposal */
98 #define ISAKMP_NPTYPE_T 3 /* Transform */
99 #define ISAKMP_NPTYPE_KE 4 /* Key Exchange */
100 #define ISAKMP_NPTYPE_ID 5 /* Identification */
101 #define ISAKMP_NPTYPE_CERT 6 /* Certificate */
102 #define ISAKMP_NPTYPE_CR 7 /* Certificate Request */
103 #define ISAKMP_NPTYPE_HASH 8 /* Hash */
104 #define ISAKMP_NPTYPE_SIG 9 /* Signature */
105 #define ISAKMP_NPTYPE_NONCE 10 /* Nonce */
106 #define ISAKMP_NPTYPE_N 11 /* Notification */
107 #define ISAKMP_NPTYPE_D 12 /* Delete */
108 #define ISAKMP_NPTYPE_VID 13 /* Vendor ID */
109 #define ISAKMP_NPTYPE_v2E 46 /* v2 Encrypted payload */
111 #define IKEv1_MAJOR_VERSION 1
112 #define IKEv1_MINOR_VERSION 0
114 #define IKEv2_MAJOR_VERSION 2
115 #define IKEv2_MINOR_VERSION 0
118 #define ISAKMP_FLAG_E 0x01 /* Encryption Bit */
119 #define ISAKMP_FLAG_C 0x02 /* Commit Bit */
120 #define ISAKMP_FLAG_extra 0x04
123 #define ISAKMP_FLAG_I (1 << 3) /* (I)nitiator */
124 #define ISAKMP_FLAG_V (1 << 4) /* (V)ersion */
125 #define ISAKMP_FLAG_R (1 << 5) /* (R)esponse */
128 /* 3.2 Payload Generic Header
129 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
130 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
131 ! Next Payload ! RESERVED ! Payload Length !
132 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
135 uint8_t np; /* Next Payload */
136 uint8_t critical; /* bit 7 - critical, rest is RESERVED */
137 uint16_t len; /* Payload Length */
140 /* 3.3 Data Attributes
141 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
142 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
143 !A! Attribute Type ! AF=0 Attribute Length !
144 !F! ! AF=1 Attribute Value !
145 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
146 . AF=0 Attribute Value .
147 . AF=1 Not Transmitted .
148 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
151 uint16_t type; /* defined by DOI-spec, and Attribute Format */
152 uint16_t lorv; /* if f equal 1, Attribute Length */
153 /* if f equal 0, Attribute Value */
154 /* if f equal 1, Attribute Value */
157 /* 3.4 Security Association Payload */
158 /* MAY NOT be used, because of being defined in ipsec-doi. */
160 If the current payload is the last in the message,
161 then the value of the next payload field will be 0.
162 This field MUST NOT contain the
163 values for the Proposal or Transform payloads as they are considered
164 part of the security association negotiation. For example, this
165 field would contain the value "10" (Nonce payload) in the first
166 message of a Base Exchange (see Section 4.4) and the value "0" in the
167 first message of an Identity Protect Exchange (see Section 4.5).
171 uint32_t doi; /* Domain of Interpretation */
172 uint32_t sit; /* Situation */
175 /* 3.5 Proposal Payload */
177 The value of the next payload field MUST only contain the value "2"
178 or "0". If there are additional Proposal payloads in the message,
179 then this field will be 2. If the current Proposal payload is the
180 last within the security association proposal, then this field will
185 uint8_t p_no; /* Proposal # */
186 uint8_t prot_id; /* Protocol */
187 uint8_t spi_size; /* SPI Size */
188 uint8_t num_t; /* Number of Transforms */
192 /* 3.6 Transform Payload */
194 The value of the next payload field MUST only contain the value "3"
195 or "0". If there are additional Transform payloads in the proposal,
196 then this field will be 3. If the current Transform payload is the
197 last within the proposal, then this field will be 0.
201 uint8_t t_no; /* Transform # */
202 uint8_t t_id; /* Transform-Id */
203 uint16_t reserved; /* RESERVED2 */
207 /* 3.7 Key Exchange Payload */
210 /* Key Exchange Data */
213 /* 3.8 Identification Payload */
214 /* MUST NOT to be used, because of being defined in ipsec-doi. */
218 uint8_t id_type; /* ID Type */
219 uint32_t doi_data; /* DOI Specific ID Data */
221 /* Identification Data */
224 /* 3.9 Certificate Payload */
225 struct ikev1_pl_cert {
227 uint8_t encode; /* Cert Encoding */
228 char cert; /* Certificate Data */
230 This field indicates the type of
231 certificate or certificate-related information contained in the
232 Certificate Data field.
236 /* 3.10 Certificate Request Payload */
239 uint8_t num_cert; /* # Cert. Types */
241 Certificate Types (variable length)
242 -- Contains a list of the types of certificates requested,
243 sorted in order of preference. Each individual certificate
244 type is 1 octet. This field is NOT requiredo
246 /* # Certificate Authorities (1 octet) */
247 /* Certificate Authorities (variable length) */
250 /* 3.11 Hash Payload */
251 /* may not be used, because of having only data. */
252 struct ikev1_pl_hash {
257 /* 3.12 Signature Payload */
258 /* may not be used, because of having only data. */
259 struct ikev1_pl_sig {
264 /* 3.13 Nonce Payload */
265 /* may not be used, because of having only data. */
266 struct ikev1_pl_nonce {
271 /* 3.14 Notification Payload */
274 uint32_t doi; /* Domain of Interpretation */
275 uint8_t prot_id; /* Protocol-ID */
276 uint8_t spi_size; /* SPI Size */
277 uint16_t type; /* Notify Message Type */
279 /* Notification Data */
282 /* 3.14.1 Notify Message Types */
283 /* NOTIFY MESSAGES - ERROR TYPES */
284 #define ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE 1
285 #define ISAKMP_NTYPE_DOI_NOT_SUPPORTED 2
286 #define ISAKMP_NTYPE_SITUATION_NOT_SUPPORTED 3
287 #define ISAKMP_NTYPE_INVALID_COOKIE 4
288 #define ISAKMP_NTYPE_INVALID_MAJOR_VERSION 5
289 #define ISAKMP_NTYPE_INVALID_MINOR_VERSION 6
290 #define ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE 7
291 #define ISAKMP_NTYPE_INVALID_FLAGS 8
292 #define ISAKMP_NTYPE_INVALID_MESSAGE_ID 9
293 #define ISAKMP_NTYPE_INVALID_PROTOCOL_ID 10
294 #define ISAKMP_NTYPE_INVALID_SPI 11
295 #define ISAKMP_NTYPE_INVALID_TRANSFORM_ID 12
296 #define ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED 13
297 #define ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN 14
298 #define ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX 15
299 #define ISAKMP_NTYPE_PAYLOAD_MALFORMED 16
300 #define ISAKMP_NTYPE_INVALID_KEY_INFORMATION 17
301 #define ISAKMP_NTYPE_INVALID_ID_INFORMATION 18
302 #define ISAKMP_NTYPE_INVALID_CERT_ENCODING 19
303 #define ISAKMP_NTYPE_INVALID_CERTIFICATE 20
304 #define ISAKMP_NTYPE_BAD_CERT_REQUEST_SYNTAX 21
305 #define ISAKMP_NTYPE_INVALID_CERT_AUTHORITY 22
306 #define ISAKMP_NTYPE_INVALID_HASH_INFORMATION 23
307 #define ISAKMP_NTYPE_AUTHENTICATION_FAILED 24
308 #define ISAKMP_NTYPE_INVALID_SIGNATURE 25
309 #define ISAKMP_NTYPE_ADDRESS_NOTIFICATION 26
311 /* 3.15 Delete Payload */
314 uint32_t doi; /* Domain of Interpretation */
315 uint8_t prot_id; /* Protocol-Id */
316 uint8_t spi_size; /* SPI Size */
317 uint16_t num_spi; /* # of SPIs */
321 struct ikev1_ph1tab {
322 struct ikev1_ph1 *head;
323 struct ikev1_ph1 *tail;
327 struct isakmp_ph2tab {
328 struct ikev1_ph2 *head;
329 struct ikev1_ph2 *tail;
333 /* IKEv2 (RFC4306) */
335 /* 3.3 Security Association Payload -- generic header */
336 /* 3.3.1. Proposal Substructure */
339 uint8_t p_no; /* Proposal # */
340 uint8_t prot_id; /* Protocol */
341 uint8_t spi_size; /* SPI Size */
342 uint8_t num_t; /* Number of Transforms */
345 /* 3.3.2. Transform Substructure */
348 uint8_t t_type; /* Transform Type (ENCR,PRF,INTEG,etc.*/
349 uint8_t res2; /* reserved byte */
350 uint16_t t_id; /* Transform ID */
361 /* 3.4. Key Exchange Payload */
370 /* 3.5. Identification Payloads */
382 uint8_t type; /* ID type */
386 /* Notification Data */
389 /* 3.10 Notification Payload */
392 uint8_t prot_id; /* Protocol-ID */
393 uint8_t spi_size; /* SPI Size */
394 uint16_t type; /* Notify Message Type */
398 IV2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD = 1,
399 IV2_NOTIFY_INVALID_IKE_SPI = 4,
400 IV2_NOTIFY_INVALID_MAJOR_VERSION = 5,
401 IV2_NOTIFY_INVALID_SYNTAX = 7,
402 IV2_NOTIFY_INVALID_MESSAGE_ID = 9,
403 IV2_NOTIFY_INVALID_SPI =11,
404 IV2_NOTIFY_NO_PROPOSAL_CHOSEN =14,
405 IV2_NOTIFY_INVALID_KE_PAYLOAD =17,
406 IV2_NOTIFY_AUTHENTICATION_FAILED =24,
407 IV2_NOTIFY_SINGLE_PAIR_REQUIRED =34,
408 IV2_NOTIFY_NO_ADDITIONAL_SAS =35,
409 IV2_NOTIFY_INTERNAL_ADDRESS_FAILURE =36,
410 IV2_NOTIFY_FAILED_CP_REQUIRED =37,
411 IV2_NOTIFY_INVALID_SELECTORS =39,
412 IV2_NOTIFY_INITIAL_CONTACT =16384,
413 IV2_NOTIFY_SET_WINDOW_SIZE =16385,
414 IV2_NOTIFY_ADDITIONAL_TS_POSSIBLE =16386,
415 IV2_NOTIFY_IPCOMP_SUPPORTED =16387,
416 IV2_NOTIFY_NAT_DETECTION_SOURCE_IP =16388,
417 IV2_NOTIFY_NAT_DETECTION_DESTINATION_IP =16389,
418 IV2_NOTIFY_COOKIE =16390,
419 IV2_NOTIFY_USE_TRANSPORT_MODE =16391,
420 IV2_NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED =16392,
421 IV2_NOTIFY_REKEY_SA =16393,
422 IV2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED =16394,
423 IV2_NOTIFY_NON_FIRST_FRAGMENTS_ALSO =16395
426 struct notify_messages {
431 /* 3.8 Authentication Payload */
434 uint8_t auth_method; /* Protocol-ID */
436 /* authentication data */
439 enum ikev2_auth_type {
445 /* refer to RFC 2409 */
448 /* isakmp sa structure */
450 uint8_t proto_id; /* OAKLEY */
451 vchar_t *spi; /* spi */
452 uint8_t dhgrp; /* DH; group */
453 uint8_t auth_t; /* method of authentication */
454 uint8_t prf_t; /* type of prf */
455 uint8_t hash_t; /* type of hash */
456 uint8_t enc_t; /* type of cipher */
457 uint8_t life_t; /* type of duration of lifetime */
458 uint32_t ldur; /* life duration */
462 /* refer to RFC 2407 */
466 /* 4.2 IPSEC Situation Definition */
467 #define IPSECDOI_SIT_IDENTITY_ONLY 0x00000001
468 #define IPSECDOI_SIT_SECRECY 0x00000002
469 #define IPSECDOI_SIT_INTEGRITY 0x00000004
471 /* 4.4.1 IPSEC Security Protocol Identifiers */
472 /* 4.4.2 IPSEC ISAKMP Transform Values */
473 #define IPSECDOI_PROTO_ISAKMP 1
474 #define IPSECDOI_KEY_IKE 1
476 /* 4.4.1 IPSEC Security Protocol Identifiers */
477 #define IPSECDOI_PROTO_IPSEC_AH 2
478 /* 4.4.3 IPSEC AH Transform Values */
479 #define IPSECDOI_AH_MD5 2
480 #define IPSECDOI_AH_SHA 3
481 #define IPSECDOI_AH_DES 4
482 #define IPSECDOI_AH_SHA2_256 5
483 #define IPSECDOI_AH_SHA2_384 6
484 #define IPSECDOI_AH_SHA2_512 7
486 /* 4.4.1 IPSEC Security Protocol Identifiers */
487 #define IPSECDOI_PROTO_IPSEC_ESP 3
488 /* 4.4.4 IPSEC ESP Transform Identifiers */
489 #define IPSECDOI_ESP_DES_IV64 1
490 #define IPSECDOI_ESP_DES 2
491 #define IPSECDOI_ESP_3DES 3
492 #define IPSECDOI_ESP_RC5 4
493 #define IPSECDOI_ESP_IDEA 5
494 #define IPSECDOI_ESP_CAST 6
495 #define IPSECDOI_ESP_BLOWFISH 7
496 #define IPSECDOI_ESP_3IDEA 8
497 #define IPSECDOI_ESP_DES_IV32 9
498 #define IPSECDOI_ESP_RC4 10
499 #define IPSECDOI_ESP_NULL 11
500 #define IPSECDOI_ESP_RIJNDAEL 12
501 #define IPSECDOI_ESP_AES 12
503 /* 4.4.1 IPSEC Security Protocol Identifiers */
504 #define IPSECDOI_PROTO_IPCOMP 4
505 /* 4.4.5 IPSEC IPCOMP Transform Identifiers */
506 #define IPSECDOI_IPCOMP_OUI 1
507 #define IPSECDOI_IPCOMP_DEFLATE 2
508 #define IPSECDOI_IPCOMP_LZS 3
510 /* 4.5 IPSEC Security Association Attributes */
511 #define IPSECDOI_ATTR_SA_LTYPE 1 /* B */
512 #define IPSECDOI_ATTR_SA_LTYPE_DEFAULT 1
513 #define IPSECDOI_ATTR_SA_LTYPE_SEC 1
514 #define IPSECDOI_ATTR_SA_LTYPE_KB 2
515 #define IPSECDOI_ATTR_SA_LDUR 2 /* V */
516 #define IPSECDOI_ATTR_SA_LDUR_DEFAULT 28800 /* 8 hours */
517 #define IPSECDOI_ATTR_GRP_DESC 3 /* B */
518 #define IPSECDOI_ATTR_ENC_MODE 4 /* B */
519 /* default value: host dependent */
520 #define IPSECDOI_ATTR_ENC_MODE_TUNNEL 1
521 #define IPSECDOI_ATTR_ENC_MODE_TRNS 2
522 #define IPSECDOI_ATTR_AUTH 5 /* B */
523 /* 0 means not to use authentication. */
524 #define IPSECDOI_ATTR_AUTH_HMAC_MD5 1
525 #define IPSECDOI_ATTR_AUTH_HMAC_SHA1 2
526 #define IPSECDOI_ATTR_AUTH_DES_MAC 3
527 #define IPSECDOI_ATTR_AUTH_KPDK 4 /*RFC-1826(Key/Pad/Data/Key)*/
529 * When negotiating ESP without authentication, the Auth
530 * Algorithm attribute MUST NOT be included in the proposal.
531 * When negotiating ESP without confidentiality, the Auth
532 * Algorithm attribute MUST be included in the proposal and
533 * the ESP transform ID must be ESP_NULL.
535 #define IPSECDOI_ATTR_KEY_LENGTH 6 /* B */
536 #define IPSECDOI_ATTR_KEY_ROUNDS 7 /* B */
537 #define IPSECDOI_ATTR_COMP_DICT_SIZE 8 /* B */
538 #define IPSECDOI_ATTR_COMP_PRIVALG 9 /* V */
540 /* 4.6.1 Security Association Payload */
543 uint32_t doi; /* Domain of Interpretation */
544 uint32_t sit; /* Situation */
547 struct ipsecdoi_secrecy_h {
552 /* 4.6.2.1 Identification Type Values */
555 uint8_t type; /* ID Type */
556 uint8_t proto_id; /* Protocol ID */
557 uint16_t port; /* Port */
558 /* Identification Data */
561 #define IPSECDOI_ID_IPV4_ADDR 1
562 #define IPSECDOI_ID_FQDN 2
563 #define IPSECDOI_ID_USER_FQDN 3
564 #define IPSECDOI_ID_IPV4_ADDR_SUBNET 4
565 #define IPSECDOI_ID_IPV6_ADDR 5
566 #define IPSECDOI_ID_IPV6_ADDR_SUBNET 6
567 #define IPSECDOI_ID_IPV4_ADDR_RANGE 7
568 #define IPSECDOI_ID_IPV6_ADDR_RANGE 8
569 #define IPSECDOI_ID_DER_ASN1_DN 9
570 #define IPSECDOI_ID_DER_ASN1_GN 10
571 #define IPSECDOI_ID_KEY_ID 11
573 /* 4.6.3 IPSEC DOI Notify Message Types */
574 /* Notify Messages - Status Types */
575 #define IPSECDOI_NTYPE_RESPONDER_LIFETIME 24576
576 #define IPSECDOI_NTYPE_REPLAY_STATUS 24577
577 #define IPSECDOI_NTYPE_INITIAL_CONTACT 24578
579 #define DECLARE_PRINTER(func) static const u_char *ike##func##_print( \
580 netdissect_options *ndo, u_char tpay, \
581 const struct isakmp_gen *ext, \
583 const u_char *end_pointer, \
586 uint32_t proto0, int depth)
588 DECLARE_PRINTER(v1_sa);
589 DECLARE_PRINTER(v1_p);
590 DECLARE_PRINTER(v1_t);
591 DECLARE_PRINTER(v1_ke);
592 DECLARE_PRINTER(v1_id);
593 DECLARE_PRINTER(v1_cert);
594 DECLARE_PRINTER(v1_cr);
595 DECLARE_PRINTER(v1_sig);
596 DECLARE_PRINTER(v1_hash);
597 DECLARE_PRINTER(v1_nonce);
598 DECLARE_PRINTER(v1_n);
599 DECLARE_PRINTER(v1_d);
600 DECLARE_PRINTER(v1_vid);
602 DECLARE_PRINTER(v2_sa);
603 DECLARE_PRINTER(v2_ke);
604 DECLARE_PRINTER(v2_ID);
605 DECLARE_PRINTER(v2_cert);
606 DECLARE_PRINTER(v2_cr);
607 DECLARE_PRINTER(v2_auth);
608 DECLARE_PRINTER(v2_nonce);
609 DECLARE_PRINTER(v2_n);
610 DECLARE_PRINTER(v2_d);
611 DECLARE_PRINTER(v2_vid);
612 DECLARE_PRINTER(v2_TS);
613 DECLARE_PRINTER(v2_cp);
614 DECLARE_PRINTER(v2_eap);
616 static const u_char *ikev2_e_print(netdissect_options *ndo,
619 const struct isakmp_gen *ext,
621 const u_char *end_pointer,
624 uint32_t proto0, int depth);
627 static const u_char *ike_sub0_print(netdissect_options *ndo,u_char, const struct isakmp_gen *,
628 const u_char *, uint32_t, uint32_t, uint32_t, int);
629 static const u_char *ikev1_sub_print(netdissect_options *ndo,u_char, const struct isakmp_gen *,
630 const u_char *, uint32_t, uint32_t, uint32_t, int);
632 static const u_char *ikev2_sub_print(netdissect_options *ndo,
634 u_char np, const struct isakmp_gen *ext,
635 const u_char *ep, uint32_t phase,
636 uint32_t doi, uint32_t proto,
640 static char *numstr(int);
643 ikev1_print(netdissect_options *ndo,
644 const u_char *bp, u_int length,
645 const u_char *bp2, struct isakmp *base);
647 #define MAXINITIATORS 20
648 static int ninitiator = 0;
656 union inaddr_u iaddr;
657 union inaddr_u raddr;
658 } cookiecache[MAXINITIATORS];
661 static const char *protoidstr[] = {
662 NULL, "isakmp", "ipsec-ah", "ipsec-esp", "ipcomp",
666 static const char *npstr[] = {
667 "none", "sa", "p", "t", "ke", "id", "cert", "cr", "hash", /* 0 - 8 */
668 "sig", "nonce", "n", "d", "vid", /* 9 - 13 */
669 "pay14", "pay15", "pay16", "pay17", "pay18", /* 14- 18 */
670 "pay19", "pay20", "pay21", "pay22", "pay23", /* 19- 23 */
671 "pay24", "pay25", "pay26", "pay27", "pay28", /* 24- 28 */
672 "pay29", "pay30", "pay31", "pay32", /* 29- 32 */
673 "v2sa", "v2ke", "v2IDi", "v2IDr", "v2cert",/* 33- 37 */
674 "v2cr", "v2auth","v2nonce", "v2n", "v2d", /* 38- 42 */
675 "v2vid", "v2TSi", "v2TSr", "v2e", "v2cp", /* 43- 47 */
681 static const u_char *(*npfunc[])(netdissect_options *ndo, u_char tpay,
682 const struct isakmp_gen *ext,
684 const u_char *end_pointer,
687 uint32_t proto0, int depth) = {
701 ikev1_vid_print, /* 13 */
702 NULL, NULL, NULL, NULL, NULL, /* 14- 18 */
703 NULL, NULL, NULL, NULL, NULL, /* 19- 23 */
704 NULL, NULL, NULL, NULL, NULL, /* 24- 28 */
705 NULL, NULL, NULL, NULL, /* 29- 32 */
706 ikev2_sa_print, /* 33 */
707 ikev2_ke_print, /* 34 */
708 ikev2_ID_print, /* 35 */
709 ikev2_ID_print, /* 36 */
710 ikev2_cert_print, /* 37 */
711 ikev2_cr_print, /* 38 */
712 ikev2_auth_print, /* 39 */
713 ikev2_nonce_print, /* 40 */
714 ikev2_n_print, /* 41 */
715 ikev2_d_print, /* 42 */
716 ikev2_vid_print, /* 43 */
717 ikev2_TS_print, /* 44 */
718 ikev2_TS_print, /* 45 */
719 NULL, /* ikev2_e_print,*/ /* 46 - special */
720 ikev2_cp_print, /* 47 */
721 ikev2_eap_print, /* 48 */
725 static const char *etypestr[] = {
726 /* IKEv1 exchange types */
727 "none", "base", "ident", "auth", "agg", "inf", NULL, NULL, /* 0-7 */
728 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 8-15 */
729 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 16-23 */
730 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 24-31 */
731 "oakley-quick", "oakley-newgroup", /* 32-33 */
732 /* IKEv2 exchange types */
733 "ikev2_init", "ikev2_auth", "child_sa", "inf2" /* 34-37 */
736 #define STR_OR_ID(x, tab) \
737 (((x) < sizeof(tab)/sizeof(tab[0]) && tab[(x)]) ? tab[(x)] : numstr(x))
738 #define PROTOIDSTR(x) STR_OR_ID(x, protoidstr)
739 #define NPSTR(x) STR_OR_ID(x, npstr)
740 #define ETYPESTR(x) STR_OR_ID(x, etypestr)
742 #define CHECKLEN(p, np) \
743 if (ep < (const u_char *)(p)) { \
744 ND_PRINT((ndo," [|%s]", NPSTR(np))); \
750 (((x) < sizeof(npfunc)/sizeof(npfunc[0]) && npfunc[(x)]) \
751 ? npfunc[(x)] : NULL)
754 iszero(const u_char *p, size_t l)
763 /* find cookie from initiator cache */
765 cookie_find(cookie_t *in)
769 for (i = 0; i < MAXINITIATORS; i++) {
770 if (memcmp(in, &cookiecache[i].initiator, sizeof(*in)) == 0)
777 /* record initiator */
779 cookie_record(cookie_t *in, const u_char *bp2)
783 const struct ip6_hdr *ip6;
787 ninitiator = (i + 1) % MAXINITIATORS;
791 ip = (const struct ip *)bp2;
794 cookiecache[ninitiator].version = 4;
795 UNALIGNED_MEMCPY(&cookiecache[ninitiator].iaddr.in4, &ip->ip_src, sizeof(struct in_addr));
796 UNALIGNED_MEMCPY(&cookiecache[ninitiator].raddr.in4, &ip->ip_dst, sizeof(struct in_addr));
799 ip6 = (const struct ip6_hdr *)bp2;
800 cookiecache[ninitiator].version = 6;
801 UNALIGNED_MEMCPY(&cookiecache[ninitiator].iaddr.in6, &ip6->ip6_src, sizeof(struct in6_addr));
802 UNALIGNED_MEMCPY(&cookiecache[ninitiator].raddr.in6, &ip6->ip6_dst, sizeof(struct in6_addr));
807 UNALIGNED_MEMCPY(&cookiecache[ninitiator].initiator, in, sizeof(*in));
808 ninitiator = (ninitiator + 1) % MAXINITIATORS;
811 #define cookie_isinitiator(x, y) cookie_sidecheck((x), (y), 1)
812 #define cookie_isresponder(x, y) cookie_sidecheck((x), (y), 0)
814 cookie_sidecheck(int i, const u_char *bp2, int initiator)
817 const struct ip6_hdr *ip6;
819 ip = (const struct ip *)bp2;
822 if (cookiecache[i].version != 4)
825 if (UNALIGNED_MEMCMP(&ip->ip_src, &cookiecache[i].iaddr.in4, sizeof(struct in_addr)) == 0)
828 if (UNALIGNED_MEMCMP(&ip->ip_src, &cookiecache[i].raddr.in4, sizeof(struct in_addr)) == 0)
833 if (cookiecache[i].version != 6)
835 ip6 = (const struct ip6_hdr *)bp2;
837 if (UNALIGNED_MEMCMP(&ip6->ip6_src, &cookiecache[i].iaddr.in6, sizeof(struct in6_addr)) == 0)
840 if (UNALIGNED_MEMCMP(&ip6->ip6_src, &cookiecache[i].raddr.in6, sizeof(struct in6_addr)) == 0)
852 hexprint(netdissect_options *ndo, const uint8_t *loc, size_t len)
858 for (i = 0; i < len; i++)
859 ND_PRINT((ndo,"%02x", p[i] & 0xff));
863 rawprint(netdissect_options *ndo, const uint8_t *loc, size_t len)
865 ND_TCHECK2(*loc, len);
867 hexprint(ndo, loc, len);
875 * returns false if we run out of data buffer
877 static int ike_show_somedata(netdissect_options *ndo,
878 const u_char *cp, const u_char *ep)
880 /* there is too much data, just show some of it */
881 const u_char *end = ep - 20;
888 /* really shouldn't happen because of above */
894 ND_PRINT((ndo," data=("));
895 if(!rawprint(ndo, (const uint8_t *)(cp), len)) goto trunc;
896 ND_PRINT((ndo, "..."));
898 if(!rawprint(ndo, (const uint8_t *)(end), elen)) goto trunc;
910 const char *value[30]; /*XXX*/
913 static const u_char *
914 ikev1_attrmap_print(netdissect_options *ndo,
915 const u_char *p, const u_char *ep2,
916 const struct attrmap *map, size_t nmap)
925 ND_TCHECK_16BITS(&p[2]);
926 totlen = 4 + EXTRACT_16BITS(&p[2]);
928 if (ep2 < p + totlen) {
929 ND_PRINT((ndo,"[|attr]"));
933 ND_TCHECK_16BITS(&p[0]);
935 t = EXTRACT_16BITS(&p[0]) & 0x7fff;
936 if (map && t < nmap && map[t].type)
937 ND_PRINT((ndo,"type=%s ", map[t].type));
939 ND_PRINT((ndo,"type=#%d ", t));
941 ND_PRINT((ndo,"value="));
942 ND_TCHECK_16BITS(&p[2]);
943 v = EXTRACT_16BITS(&p[2]);
944 if (map && t < nmap && v < map[t].nvalue && map[t].value[v])
945 ND_PRINT((ndo,"%s", map[t].value[v]));
947 if (!rawprint(ndo, (const uint8_t *)&p[2], 2)) {
953 ND_PRINT((ndo,"len=%d value=", totlen - 4));
954 if (!rawprint(ndo, (const uint8_t *)&p[4], totlen - 4)) {
966 static const u_char *
967 ikev1_attr_print(netdissect_options *ndo, const u_char *p, const u_char *ep2)
976 ND_TCHECK_16BITS(&p[2]);
977 totlen = 4 + EXTRACT_16BITS(&p[2]);
979 if (ep2 < p + totlen) {
980 ND_PRINT((ndo,"[|attr]"));
984 ND_TCHECK_16BITS(&p[0]);
986 t = EXTRACT_16BITS(&p[0]) & 0x7fff;
987 ND_PRINT((ndo,"type=#%d ", t));
989 ND_PRINT((ndo,"value="));
991 if (!rawprint(ndo, (const uint8_t *)&p[2], 2)) {
996 ND_PRINT((ndo,"len=%d value=", totlen - 4));
997 if (!rawprint(ndo, (const uint8_t *)&p[4], totlen - 4)) {
1002 ND_PRINT((ndo,")"));
1009 static const u_char *
1010 ikev1_sa_print(netdissect_options *ndo, u_char tpay _U_,
1011 const struct isakmp_gen *ext,
1013 const u_char *ep, uint32_t phase, uint32_t doi0 _U_,
1014 uint32_t proto0, int depth)
1016 const struct ikev1_pl_sa *p;
1017 struct ikev1_pl_sa sa;
1018 uint32_t doi, sit, ident;
1019 const u_char *cp, *np;
1022 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_SA)));
1024 p = (const struct ikev1_pl_sa *)ext;
1026 UNALIGNED_MEMCPY(&sa, ext, sizeof(sa));
1027 doi = ntohl(sa.doi);
1028 sit = ntohl(sa.sit);
1030 ND_PRINT((ndo," doi=%d", doi));
1031 ND_PRINT((ndo," situation=%u", (uint32_t)ntohl(sa.sit)));
1032 return (const u_char *)(p + 1);
1035 ND_PRINT((ndo," doi=ipsec"));
1036 ND_PRINT((ndo," situation="));
1039 ND_PRINT((ndo,"identity"));
1043 ND_PRINT((ndo,"%ssecrecy", t ? "+" : ""));
1047 ND_PRINT((ndo,"%sintegrity", t ? "+" : ""));
1049 np = (const u_char *)ext + sizeof(sa);
1051 ND_TCHECK2(*(ext + 1), sizeof(ident));
1052 UNALIGNED_MEMCPY(&ident, ext + 1, sizeof(ident));
1053 ND_PRINT((ndo," ident=%u", (uint32_t)ntohl(ident)));
1054 np += sizeof(ident);
1057 ext = (const struct isakmp_gen *)np;
1060 cp = ikev1_sub_print(ndo, ISAKMP_NPTYPE_P, ext, ep, phase, doi, proto0,
1065 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_SA)));
1069 static const u_char *
1070 ikev1_p_print(netdissect_options *ndo, u_char tpay _U_,
1071 const struct isakmp_gen *ext, u_int item_len _U_,
1072 const u_char *ep, uint32_t phase, uint32_t doi0,
1073 uint32_t proto0 _U_, int depth)
1075 const struct ikev1_pl_p *p;
1076 struct ikev1_pl_p prop;
1079 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_P)));
1081 p = (const struct ikev1_pl_p *)ext;
1083 UNALIGNED_MEMCPY(&prop, ext, sizeof(prop));
1084 ND_PRINT((ndo," #%d protoid=%s transform=%d",
1085 prop.p_no, PROTOIDSTR(prop.prot_id), prop.num_t));
1086 if (prop.spi_size) {
1087 ND_PRINT((ndo," spi="));
1088 if (!rawprint(ndo, (const uint8_t *)(p + 1), prop.spi_size))
1092 ext = (const struct isakmp_gen *)((const u_char *)(p + 1) + prop.spi_size);
1095 cp = ikev1_sub_print(ndo, ISAKMP_NPTYPE_T, ext, ep, phase, doi0,
1096 prop.prot_id, depth);
1100 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_P)));
1104 static const char *ikev1_p_map[] = {
1108 static const char *ikev2_t_type_map[]={
1109 NULL, "encr", "prf", "integ", "dh", "esn"
1112 static const char *ah_p_map[] = {
1113 NULL, "(reserved)", "md5", "sha", "1des",
1114 "sha2-256", "sha2-384", "sha2-512",
1117 static const char *prf_p_map[] = {
1118 NULL, "hmac-md5", "hmac-sha", "hmac-tiger",
1122 static const char *integ_p_map[] = {
1123 NULL, "hmac-md5", "hmac-sha", "dec-mac",
1124 "kpdk-md5", "aes-xcbc"
1127 static const char *esn_p_map[] = {
1131 static const char *dh_p_map[] = {
1133 "modp1024", /* group 2 */
1134 "EC2N 2^155", /* group 3 */
1135 "EC2N 2^185", /* group 4 */
1136 "modp1536", /* group 5 */
1137 "iana-grp06", "iana-grp07", /* reserved */
1138 "iana-grp08", "iana-grp09",
1139 "iana-grp10", "iana-grp11",
1140 "iana-grp12", "iana-grp13",
1141 "modp2048", /* group 14 */
1142 "modp3072", /* group 15 */
1143 "modp4096", /* group 16 */
1144 "modp6144", /* group 17 */
1145 "modp8192", /* group 18 */
1148 static const char *esp_p_map[] = {
1149 NULL, "1des-iv64", "1des", "3des", "rc5", "idea", "cast",
1150 "blowfish", "3idea", "1des-iv32", "rc4", "null", "aes"
1153 static const char *ipcomp_p_map[] = {
1154 NULL, "oui", "deflate", "lzs",
1157 static const struct attrmap ipsec_t_map[] = {
1158 { NULL, 0, { NULL } },
1159 { "lifetype", 3, { NULL, "sec", "kb", }, },
1160 { "life", 0, { NULL } },
1161 { "group desc", 18, { NULL, "modp768",
1162 "modp1024", /* group 2 */
1163 "EC2N 2^155", /* group 3 */
1164 "EC2N 2^185", /* group 4 */
1165 "modp1536", /* group 5 */
1166 "iana-grp06", "iana-grp07", /* reserved */
1167 "iana-grp08", "iana-grp09",
1168 "iana-grp10", "iana-grp11",
1169 "iana-grp12", "iana-grp13",
1170 "modp2048", /* group 14 */
1171 "modp3072", /* group 15 */
1172 "modp4096", /* group 16 */
1173 "modp6144", /* group 17 */
1174 "modp8192", /* group 18 */
1176 { "enc mode", 3, { NULL, "tunnel", "transport", }, },
1177 { "auth", 5, { NULL, "hmac-md5", "hmac-sha1", "1des-mac", "keyed", }, },
1178 { "keylen", 0, { NULL } },
1179 { "rounds", 0, { NULL } },
1180 { "dictsize", 0, { NULL } },
1181 { "privalg", 0, { NULL } },
1184 static const struct attrmap encr_t_map[] = {
1185 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 0, 1 */
1186 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 2, 3 */
1187 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 4, 5 */
1188 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 6, 7 */
1189 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 8, 9 */
1190 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 10,11*/
1191 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 12,13*/
1192 { "keylen", 14, { NULL }},
1195 static const struct attrmap oakley_t_map[] = {
1196 { NULL, 0, { NULL } },
1197 { "enc", 8, { NULL, "1des", "idea", "blowfish", "rc5",
1198 "3des", "cast", "aes", }, },
1199 { "hash", 7, { NULL, "md5", "sha1", "tiger",
1200 "sha2-256", "sha2-384", "sha2-512", }, },
1201 { "auth", 6, { NULL, "preshared", "dss", "rsa sig", "rsa enc",
1202 "rsa enc revised", }, },
1203 { "group desc", 18, { NULL, "modp768",
1204 "modp1024", /* group 2 */
1205 "EC2N 2^155", /* group 3 */
1206 "EC2N 2^185", /* group 4 */
1207 "modp1536", /* group 5 */
1208 "iana-grp06", "iana-grp07", /* reserved */
1209 "iana-grp08", "iana-grp09",
1210 "iana-grp10", "iana-grp11",
1211 "iana-grp12", "iana-grp13",
1212 "modp2048", /* group 14 */
1213 "modp3072", /* group 15 */
1214 "modp4096", /* group 16 */
1215 "modp6144", /* group 17 */
1216 "modp8192", /* group 18 */
1218 { "group type", 4, { NULL, "MODP", "ECP", "EC2N", }, },
1219 { "group prime", 0, { NULL } },
1220 { "group gen1", 0, { NULL } },
1221 { "group gen2", 0, { NULL } },
1222 { "group curve A", 0, { NULL } },
1223 { "group curve B", 0, { NULL } },
1224 { "lifetype", 3, { NULL, "sec", "kb", }, },
1225 { "lifeduration", 0, { NULL } },
1226 { "prf", 0, { NULL } },
1227 { "keylen", 0, { NULL } },
1228 { "field", 0, { NULL } },
1229 { "order", 0, { NULL } },
1232 static const u_char *
1233 ikev1_t_print(netdissect_options *ndo, u_char tpay _U_,
1234 const struct isakmp_gen *ext, u_int item_len,
1235 const u_char *ep, uint32_t phase _U_, uint32_t doi _U_,
1236 uint32_t proto, int depth _U_)
1238 const struct ikev1_pl_t *p;
1239 struct ikev1_pl_t t;
1242 const struct attrmap *map;
1246 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_T)));
1248 p = (const struct ikev1_pl_t *)ext;
1250 UNALIGNED_MEMCPY(&t, ext, sizeof(t));
1254 idstr = STR_OR_ID(t.t_id, ikev1_p_map);
1256 nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]);
1259 idstr = STR_OR_ID(t.t_id, ah_p_map);
1261 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
1264 idstr = STR_OR_ID(t.t_id, esp_p_map);
1266 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
1269 idstr = STR_OR_ID(t.t_id, ipcomp_p_map);
1271 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
1281 ND_PRINT((ndo," #%d id=%s ", t.t_no, idstr));
1283 ND_PRINT((ndo," #%d id=%d ", t.t_no, t.t_id));
1284 cp = (const u_char *)(p + 1);
1285 ep2 = (const u_char *)p + item_len;
1286 while (cp < ep && cp < ep2) {
1288 cp = ikev1_attrmap_print(ndo, cp, ep2, map, nmap);
1290 cp = ikev1_attr_print(ndo, cp, ep2);
1295 ND_PRINT((ndo,"..."));
1298 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_T)));
1302 static const u_char *
1303 ikev1_ke_print(netdissect_options *ndo, u_char tpay _U_,
1304 const struct isakmp_gen *ext, u_int item_len _U_,
1305 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_,
1306 uint32_t proto _U_, int depth _U_)
1308 struct isakmp_gen e;
1310 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_KE)));
1313 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1314 ND_PRINT((ndo," key len=%d", ntohs(e.len) - 4));
1315 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1316 /* Print the entire payload in hex */
1317 ND_PRINT((ndo," "));
1318 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
1321 return (const u_char *)ext + ntohs(e.len);
1323 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_KE)));
1327 static const u_char *
1328 ikev1_id_print(netdissect_options *ndo, u_char tpay _U_,
1329 const struct isakmp_gen *ext, u_int item_len,
1330 const u_char *ep _U_, uint32_t phase, uint32_t doi _U_,
1331 uint32_t proto _U_, int depth _U_)
1333 #define USE_IPSECDOI_IN_PHASE1 1
1334 const struct ikev1_pl_id *p;
1335 struct ikev1_pl_id id;
1336 static const char *idtypestr[] = {
1337 "IPv4", "IPv4net", "IPv6", "IPv6net",
1339 static const char *ipsecidtypestr[] = {
1340 NULL, "IPv4", "FQDN", "user FQDN", "IPv4net", "IPv6",
1341 "IPv6net", "IPv4range", "IPv6range", "ASN1 DN", "ASN1 GN",
1347 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_ID)));
1349 p = (const struct ikev1_pl_id *)ext;
1351 UNALIGNED_MEMCPY(&id, ext, sizeof(id));
1352 if (sizeof(*p) < item_len) {
1353 data = (const u_char *)(p + 1);
1354 len = item_len - sizeof(*p);
1361 ND_PRINT((ndo," [phase=%d doi=%d proto=%d]", phase, doi, proto));
1364 #ifndef USE_IPSECDOI_IN_PHASE1
1368 ND_PRINT((ndo," idtype=%s", STR_OR_ID(id.d.id_type, idtypestr)));
1369 ND_PRINT((ndo," doi_data=%u",
1370 (uint32_t)(ntohl(id.d.doi_data) & 0xffffff)));
1373 #ifdef USE_IPSECDOI_IN_PHASE1
1378 const struct ipsecdoi_id *doi_p;
1379 struct ipsecdoi_id doi_id;
1382 doi_p = (const struct ipsecdoi_id *)ext;
1384 UNALIGNED_MEMCPY(&doi_id, ext, sizeof(doi_id));
1385 ND_PRINT((ndo," idtype=%s", STR_OR_ID(doi_id.type, ipsecidtypestr)));
1386 /* A protocol ID of 0 DOES NOT mean IPPROTO_IP! */
1387 if (!ndo->ndo_nflag && doi_id.proto_id && (p_name = netdb_protoname(doi_id.proto_id)) != NULL)
1388 ND_PRINT((ndo," protoid=%s", p_name));
1390 ND_PRINT((ndo," protoid=%u", doi_id.proto_id));
1391 ND_PRINT((ndo," port=%d", ntohs(doi_id.port)));
1396 ND_TCHECK2(*data, len);
1397 switch (doi_id.type) {
1398 case IPSECDOI_ID_IPV4_ADDR:
1400 ND_PRINT((ndo," len=%d [bad: < 4]", len));
1402 ND_PRINT((ndo," len=%d %s", len, ipaddr_string(ndo, data)));
1405 case IPSECDOI_ID_FQDN:
1406 case IPSECDOI_ID_USER_FQDN:
1409 ND_PRINT((ndo," len=%d ", len));
1410 for (i = 0; i < len; i++)
1411 safeputchar(ndo, data[i]);
1415 case IPSECDOI_ID_IPV4_ADDR_SUBNET:
1419 ND_PRINT((ndo," len=%d [bad: < 8]", len));
1421 mask = data + sizeof(struct in_addr);
1422 ND_PRINT((ndo," len=%d %s/%u.%u.%u.%u", len,
1423 ipaddr_string(ndo, data),
1424 mask[0], mask[1], mask[2], mask[3]));
1429 case IPSECDOI_ID_IPV6_ADDR:
1431 ND_PRINT((ndo," len=%d [bad: < 16]", len));
1433 ND_PRINT((ndo," len=%d %s", len, ip6addr_string(ndo, data)));
1436 case IPSECDOI_ID_IPV6_ADDR_SUBNET:
1440 ND_PRINT((ndo," len=%d [bad: < 32]", len));
1442 mask = (const u_char *)(data + sizeof(struct in6_addr));
1444 ND_PRINT((ndo," len=%d %s/0x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x", len,
1445 ip6addr_string(ndo, data),
1446 mask[0], mask[1], mask[2], mask[3],
1447 mask[4], mask[5], mask[6], mask[7],
1448 mask[8], mask[9], mask[10], mask[11],
1449 mask[12], mask[13], mask[14], mask[15]));
1454 case IPSECDOI_ID_IPV4_ADDR_RANGE:
1456 ND_PRINT((ndo," len=%d [bad: < 8]", len));
1458 ND_PRINT((ndo," len=%d %s-%s", len,
1459 ipaddr_string(ndo, data),
1460 ipaddr_string(ndo, data + sizeof(struct in_addr))));
1464 case IPSECDOI_ID_IPV6_ADDR_RANGE:
1466 ND_PRINT((ndo," len=%d [bad: < 32]", len));
1468 ND_PRINT((ndo," len=%d %s-%s", len,
1469 ip6addr_string(ndo, data),
1470 ip6addr_string(ndo, data + sizeof(struct in6_addr))));
1474 case IPSECDOI_ID_DER_ASN1_DN:
1475 case IPSECDOI_ID_DER_ASN1_GN:
1476 case IPSECDOI_ID_KEY_ID:
1483 ND_PRINT((ndo," len=%d", len));
1484 if (2 < ndo->ndo_vflag) {
1485 ND_PRINT((ndo," "));
1486 if (!rawprint(ndo, (const uint8_t *)data, len))
1490 return (const u_char *)ext + item_len;
1492 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_ID)));
1496 static const u_char *
1497 ikev1_cert_print(netdissect_options *ndo, u_char tpay _U_,
1498 const struct isakmp_gen *ext, u_int item_len,
1499 const u_char *ep _U_, uint32_t phase _U_,
1501 uint32_t proto0 _U_, int depth _U_)
1503 const struct ikev1_pl_cert *p;
1504 struct ikev1_pl_cert cert;
1505 static const char *certstr[] = {
1506 "none", "pkcs7", "pgp", "dns",
1507 "x509sign", "x509ke", "kerberos", "crl",
1508 "arl", "spki", "x509attr",
1511 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_CERT)));
1513 p = (const struct ikev1_pl_cert *)ext;
1515 UNALIGNED_MEMCPY(&cert, ext, sizeof(cert));
1516 ND_PRINT((ndo," len=%d", item_len - 4));
1517 ND_PRINT((ndo," type=%s", STR_OR_ID((cert.encode), certstr)));
1518 if (2 < ndo->ndo_vflag && 4 < item_len) {
1519 /* Print the entire payload in hex */
1520 ND_PRINT((ndo," "));
1521 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1524 return (const u_char *)ext + item_len;
1526 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_CERT)));
1530 static const u_char *
1531 ikev1_cr_print(netdissect_options *ndo, u_char tpay _U_,
1532 const struct isakmp_gen *ext, u_int item_len,
1533 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi0 _U_,
1534 uint32_t proto0 _U_, int depth _U_)
1536 const struct ikev1_pl_cert *p;
1537 struct ikev1_pl_cert cert;
1538 static const char *certstr[] = {
1539 "none", "pkcs7", "pgp", "dns",
1540 "x509sign", "x509ke", "kerberos", "crl",
1541 "arl", "spki", "x509attr",
1544 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_CR)));
1546 p = (const struct ikev1_pl_cert *)ext;
1548 UNALIGNED_MEMCPY(&cert, ext, sizeof(cert));
1549 ND_PRINT((ndo," len=%d", item_len - 4));
1550 ND_PRINT((ndo," type=%s", STR_OR_ID((cert.encode), certstr)));
1551 if (2 < ndo->ndo_vflag && 4 < item_len) {
1552 /* Print the entire payload in hex */
1553 ND_PRINT((ndo," "));
1554 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1557 return (const u_char *)ext + item_len;
1559 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_CR)));
1563 static const u_char *
1564 ikev1_hash_print(netdissect_options *ndo, u_char tpay _U_,
1565 const struct isakmp_gen *ext, u_int item_len _U_,
1566 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_,
1567 uint32_t proto _U_, int depth _U_)
1569 struct isakmp_gen e;
1571 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_HASH)));
1574 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1575 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
1576 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1577 /* Print the entire payload in hex */
1578 ND_PRINT((ndo," "));
1579 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
1582 return (const u_char *)ext + ntohs(e.len);
1584 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_HASH)));
1588 static const u_char *
1589 ikev1_sig_print(netdissect_options *ndo, u_char tpay _U_,
1590 const struct isakmp_gen *ext, u_int item_len _U_,
1591 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_,
1592 uint32_t proto _U_, int depth _U_)
1594 struct isakmp_gen e;
1596 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_SIG)));
1599 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1600 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
1601 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1602 /* Print the entire payload in hex */
1603 ND_PRINT((ndo," "));
1604 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
1607 return (const u_char *)ext + ntohs(e.len);
1609 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_SIG)));
1613 static const u_char *
1614 ikev1_nonce_print(netdissect_options *ndo, u_char tpay _U_,
1615 const struct isakmp_gen *ext,
1618 uint32_t phase _U_, uint32_t doi _U_,
1619 uint32_t proto _U_, int depth _U_)
1621 struct isakmp_gen e;
1623 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_NONCE)));
1626 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1628 * Our caller has ensured that the length is >= 4.
1630 ND_PRINT((ndo," n len=%u", ntohs(e.len) - 4));
1631 if (ntohs(e.len) > 4) {
1632 if (ndo->ndo_vflag > 2) {
1633 ND_PRINT((ndo, " "));
1634 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
1636 } else if (ndo->ndo_vflag > 1) {
1637 ND_PRINT((ndo, " "));
1638 if (!ike_show_somedata(ndo, (const u_char *)(ext + 1), ep))
1642 return (const u_char *)ext + ntohs(e.len);
1644 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_NONCE)));
1648 static const u_char *
1649 ikev1_n_print(netdissect_options *ndo, u_char tpay _U_,
1650 const struct isakmp_gen *ext, u_int item_len,
1651 const u_char *ep, uint32_t phase _U_, uint32_t doi0 _U_,
1652 uint32_t proto0 _U_, int depth _U_)
1654 const struct ikev1_pl_n *p;
1655 struct ikev1_pl_n n;
1660 static const char *notify_error_str[] = {
1661 NULL, "INVALID-PAYLOAD-TYPE",
1662 "DOI-NOT-SUPPORTED", "SITUATION-NOT-SUPPORTED",
1663 "INVALID-COOKIE", "INVALID-MAJOR-VERSION",
1664 "INVALID-MINOR-VERSION", "INVALID-EXCHANGE-TYPE",
1665 "INVALID-FLAGS", "INVALID-MESSAGE-ID",
1666 "INVALID-PROTOCOL-ID", "INVALID-SPI",
1667 "INVALID-TRANSFORM-ID", "ATTRIBUTES-NOT-SUPPORTED",
1668 "NO-PROPOSAL-CHOSEN", "BAD-PROPOSAL-SYNTAX",
1669 "PAYLOAD-MALFORMED", "INVALID-KEY-INFORMATION",
1670 "INVALID-ID-INFORMATION", "INVALID-CERT-ENCODING",
1671 "INVALID-CERTIFICATE", "CERT-TYPE-UNSUPPORTED",
1672 "INVALID-CERT-AUTHORITY", "INVALID-HASH-INFORMATION",
1673 "AUTHENTICATION-FAILED", "INVALID-SIGNATURE",
1674 "ADDRESS-NOTIFICATION", "NOTIFY-SA-LIFETIME",
1675 "CERTIFICATE-UNAVAILABLE", "UNSUPPORTED-EXCHANGE-TYPE",
1676 "UNEQUAL-PAYLOAD-LENGTHS",
1678 static const char *ipsec_notify_error_str[] = {
1681 static const char *notify_status_str[] = {
1684 static const char *ipsec_notify_status_str[] = {
1685 "RESPONDER-LIFETIME", "REPLAY-STATUS",
1688 /* NOTE: these macro must be called with x in proper range */
1691 #define NOTIFY_ERROR_STR(x) \
1692 STR_OR_ID((x), notify_error_str)
1695 #define IPSEC_NOTIFY_ERROR_STR(x) \
1696 STR_OR_ID((u_int)((x) - 8192), ipsec_notify_error_str)
1699 #define NOTIFY_STATUS_STR(x) \
1700 STR_OR_ID((u_int)((x) - 16384), notify_status_str)
1703 #define IPSEC_NOTIFY_STATUS_STR(x) \
1704 STR_OR_ID((u_int)((x) - 24576), ipsec_notify_status_str)
1706 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_N)));
1708 p = (const struct ikev1_pl_n *)ext;
1710 UNALIGNED_MEMCPY(&n, ext, sizeof(n));
1714 ND_PRINT((ndo," doi=%d", doi));
1715 ND_PRINT((ndo," proto=%d", proto));
1716 if (ntohs(n.type) < 8192)
1717 ND_PRINT((ndo," type=%s", NOTIFY_ERROR_STR(ntohs(n.type))));
1718 else if (ntohs(n.type) < 16384)
1719 ND_PRINT((ndo," type=%s", numstr(ntohs(n.type))));
1720 else if (ntohs(n.type) < 24576)
1721 ND_PRINT((ndo," type=%s", NOTIFY_STATUS_STR(ntohs(n.type))));
1723 ND_PRINT((ndo," type=%s", numstr(ntohs(n.type))));
1725 ND_PRINT((ndo," spi="));
1726 if (!rawprint(ndo, (const uint8_t *)(p + 1), n.spi_size))
1729 return (const u_char *)(p + 1) + n.spi_size;
1732 ND_PRINT((ndo," doi=ipsec"));
1733 ND_PRINT((ndo," proto=%s", PROTOIDSTR(proto)));
1734 if (ntohs(n.type) < 8192)
1735 ND_PRINT((ndo," type=%s", NOTIFY_ERROR_STR(ntohs(n.type))));
1736 else if (ntohs(n.type) < 16384)
1737 ND_PRINT((ndo," type=%s", IPSEC_NOTIFY_ERROR_STR(ntohs(n.type))));
1738 else if (ntohs(n.type) < 24576)
1739 ND_PRINT((ndo," type=%s", NOTIFY_STATUS_STR(ntohs(n.type))));
1740 else if (ntohs(n.type) < 32768)
1741 ND_PRINT((ndo," type=%s", IPSEC_NOTIFY_STATUS_STR(ntohs(n.type))));
1743 ND_PRINT((ndo," type=%s", numstr(ntohs(n.type))));
1745 ND_PRINT((ndo," spi="));
1746 if (!rawprint(ndo, (const uint8_t *)(p + 1), n.spi_size))
1750 cp = (const u_char *)(p + 1) + n.spi_size;
1751 ep2 = (const u_char *)p + item_len;
1754 switch (ntohs(n.type)) {
1755 case IPSECDOI_NTYPE_RESPONDER_LIFETIME:
1757 const struct attrmap *map = oakley_t_map;
1758 size_t nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]);
1759 ND_PRINT((ndo," attrs=("));
1760 while (cp < ep && cp < ep2) {
1761 cp = ikev1_attrmap_print(ndo, cp, ep2, map, nmap);
1763 ND_PRINT((ndo,")"));
1767 ND_PRINT((ndo,")"));
1770 case IPSECDOI_NTYPE_REPLAY_STATUS:
1771 ND_PRINT((ndo," status=("));
1772 ND_PRINT((ndo,"replay detection %sabled",
1773 EXTRACT_32BITS(cp) ? "en" : "dis"));
1774 ND_PRINT((ndo,")"));
1778 * XXX - fill in more types here; see, for example,
1779 * draft-ietf-ipsec-notifymsg-04.
1781 if (ndo->ndo_vflag > 3) {
1782 ND_PRINT((ndo," data=("));
1783 if (!rawprint(ndo, (const uint8_t *)(cp), ep - cp))
1785 ND_PRINT((ndo,")"));
1787 if (!ike_show_somedata(ndo, cp, ep))
1793 return (const u_char *)ext + item_len;
1795 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_N)));
1799 static const u_char *
1800 ikev1_d_print(netdissect_options *ndo, u_char tpay _U_,
1801 const struct isakmp_gen *ext, u_int item_len _U_,
1802 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi0 _U_,
1803 uint32_t proto0 _U_, int depth _U_)
1805 const struct ikev1_pl_d *p;
1806 struct ikev1_pl_d d;
1812 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_D)));
1814 p = (const struct ikev1_pl_d *)ext;
1816 UNALIGNED_MEMCPY(&d, ext, sizeof(d));
1820 ND_PRINT((ndo," doi=%u", doi));
1821 ND_PRINT((ndo," proto=%u", proto));
1823 ND_PRINT((ndo," doi=ipsec"));
1824 ND_PRINT((ndo," proto=%s", PROTOIDSTR(proto)));
1826 ND_PRINT((ndo," spilen=%u", d.spi_size));
1827 ND_PRINT((ndo," nspi=%u", ntohs(d.num_spi)));
1828 ND_PRINT((ndo," spi="));
1829 q = (const uint8_t *)(p + 1);
1830 for (i = 0; i < ntohs(d.num_spi); i++) {
1832 ND_PRINT((ndo,","));
1833 if (!rawprint(ndo, (const uint8_t *)q, d.spi_size))
1839 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_D)));
1843 static const u_char *
1844 ikev1_vid_print(netdissect_options *ndo, u_char tpay _U_,
1845 const struct isakmp_gen *ext,
1846 u_int item_len _U_, const u_char *ep _U_,
1847 uint32_t phase _U_, uint32_t doi _U_,
1848 uint32_t proto _U_, int depth _U_)
1850 struct isakmp_gen e;
1852 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_VID)));
1855 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1856 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
1857 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1858 /* Print the entire payload in hex */
1859 ND_PRINT((ndo," "));
1860 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
1863 return (const u_char *)ext + ntohs(e.len);
1865 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_VID)));
1869 /************************************************************/
1871 /* IKE v2 - rfc4306 - dissector */
1873 /************************************************************/
1876 ikev2_pay_print(netdissect_options *ndo, const char *payname, int critical)
1878 ND_PRINT((ndo,"%s%s:", payname, critical&0x80 ? "[C]" : ""));
1881 static const u_char *
1882 ikev2_gen_print(netdissect_options *ndo, u_char tpay,
1883 const struct isakmp_gen *ext)
1885 struct isakmp_gen e;
1888 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1889 ikev2_pay_print(ndo, NPSTR(tpay), e.critical);
1891 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
1892 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1893 /* Print the entire payload in hex */
1894 ND_PRINT((ndo," "));
1895 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
1898 return (const u_char *)ext + ntohs(e.len);
1900 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
1904 static const u_char *
1905 ikev2_t_print(netdissect_options *ndo, int tcount,
1906 const struct isakmp_gen *ext, u_int item_len,
1909 const struct ikev2_t *p;
1914 const struct attrmap *map;
1918 p = (const struct ikev2_t *)ext;
1920 UNALIGNED_MEMCPY(&t, ext, sizeof(t));
1921 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_T), t.h.critical);
1923 t_id = ntohs(t.t_id);
1930 idstr = STR_OR_ID(t_id, esp_p_map);
1932 nmap = sizeof(encr_t_map)/sizeof(encr_t_map[0]);
1936 idstr = STR_OR_ID(t_id, prf_p_map);
1940 idstr = STR_OR_ID(t_id, integ_p_map);
1944 idstr = STR_OR_ID(t_id, dh_p_map);
1948 idstr = STR_OR_ID(t_id, esn_p_map);
1957 ND_PRINT((ndo," #%u type=%s id=%s ", tcount,
1958 STR_OR_ID(t.t_type, ikev2_t_type_map),
1961 ND_PRINT((ndo," #%u type=%s id=%u ", tcount,
1962 STR_OR_ID(t.t_type, ikev2_t_type_map),
1964 cp = (const u_char *)(p + 1);
1965 ep2 = (const u_char *)p + item_len;
1966 while (cp < ep && cp < ep2) {
1968 cp = ikev1_attrmap_print(ndo, cp, ep2, map, nmap);
1970 cp = ikev1_attr_print(ndo, cp, ep2);
1975 ND_PRINT((ndo,"..."));
1978 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_T)));
1982 static const u_char *
1983 ikev2_p_print(netdissect_options *ndo, u_char tpay _U_, int pcount _U_,
1984 const struct isakmp_gen *ext, u_int oprop_length,
1985 const u_char *ep, int depth)
1987 const struct ikev2_p *p;
1988 struct ikev2_p prop;
1994 struct isakmp_gen e;
1997 p = (const struct ikev2_p *)ext;
1999 UNALIGNED_MEMCPY(&prop, ext, sizeof(prop));
2001 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_P), prop.h.critical);
2004 * ikev2_sa_print() guarantees that this is >= 4.
2006 prop_length = oprop_length - 4;
2007 ND_PRINT((ndo," #%u protoid=%s transform=%d len=%u",
2008 prop.p_no, PROTOIDSTR(prop.prot_id),
2009 prop.num_t, oprop_length));
2010 cp = (const u_char *)(p + 1);
2012 if (prop.spi_size) {
2013 if (prop_length < prop.spi_size)
2015 ND_PRINT((ndo," spi="));
2016 if (!rawprint(ndo, (const uint8_t *)cp, prop.spi_size))
2018 cp += prop.spi_size;
2019 prop_length -= prop.spi_size;
2023 * Print the transforms.
2026 for (np = ISAKMP_NPTYPE_T; np != 0; np = e.np) {
2028 ext = (const struct isakmp_gen *)cp;
2029 if (prop_length < sizeof(*ext))
2032 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2035 * Since we can't have a payload length of less than 4 bytes,
2036 * we need to bail out here if the generic header is nonsensical
2037 * or truncated, otherwise we could loop forever processing
2038 * zero-length items or otherwise misdissect the packet.
2040 item_len = ntohs(e.len);
2044 if (prop_length < item_len)
2046 ND_TCHECK2(*cp, item_len);
2049 ND_PRINT((ndo,"\n"));
2050 for (i = 0; i < depth; i++)
2051 ND_PRINT((ndo," "));
2052 ND_PRINT((ndo,"("));
2053 if (np == ISAKMP_NPTYPE_T) {
2054 cp = ikev2_t_print(ndo, tcount, ext, item_len, ep);
2056 /* error, already reported */
2060 ND_PRINT((ndo, "%s", NPSTR(np)));
2063 ND_PRINT((ndo,")"));
2065 prop_length -= item_len;
2070 * Skip the rest of the proposal.
2073 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_P)));
2076 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_P)));
2080 static const u_char *
2081 ikev2_sa_print(netdissect_options *ndo, u_char tpay,
2082 const struct isakmp_gen *ext1,
2083 u_int osa_length, const u_char *ep,
2084 uint32_t phase _U_, uint32_t doi _U_,
2085 uint32_t proto _U_, int depth)
2087 const struct isakmp_gen *ext;
2088 struct isakmp_gen e;
2097 UNALIGNED_MEMCPY(&e, ext1, sizeof(e));
2098 ikev2_pay_print(ndo, "sa", e.critical);
2101 * ikev2_sub0_print() guarantees that this is >= 4.
2103 osa_length= ntohs(e.len);
2104 sa_length = osa_length - 4;
2105 ND_PRINT((ndo," len=%d", sa_length));
2108 * Print the payloads.
2110 cp = (const u_char *)(ext1 + 1);
2112 for (np = ISAKMP_NPTYPE_P; np != 0; np = e.np) {
2114 ext = (const struct isakmp_gen *)cp;
2115 if (sa_length < sizeof(*ext))
2118 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2121 * Since we can't have a payload length of less than 4 bytes,
2122 * we need to bail out here if the generic header is nonsensical
2123 * or truncated, otherwise we could loop forever processing
2124 * zero-length items or otherwise misdissect the packet.
2126 item_len = ntohs(e.len);
2130 if (sa_length < item_len)
2132 ND_TCHECK2(*cp, item_len);
2135 ND_PRINT((ndo,"\n"));
2136 for (i = 0; i < depth; i++)
2137 ND_PRINT((ndo," "));
2138 ND_PRINT((ndo,"("));
2139 if (np == ISAKMP_NPTYPE_P) {
2140 cp = ikev2_p_print(ndo, np, pcount, ext, item_len,
2143 /* error, already reported */
2147 ND_PRINT((ndo, "%s", NPSTR(np)));
2150 ND_PRINT((ndo,")"));
2152 sa_length -= item_len;
2157 * Skip the rest of the SA.
2160 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2163 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2167 static const u_char *
2168 ikev2_ke_print(netdissect_options *ndo, u_char tpay,
2169 const struct isakmp_gen *ext,
2170 u_int item_len _U_, const u_char *ep _U_,
2171 uint32_t phase _U_, uint32_t doi _U_,
2172 uint32_t proto _U_, int depth _U_)
2175 const struct ikev2_ke *k;
2177 k = (const struct ikev2_ke *)ext;
2179 UNALIGNED_MEMCPY(&ke, ext, sizeof(ke));
2180 ikev2_pay_print(ndo, NPSTR(tpay), ke.h.critical);
2182 ND_PRINT((ndo," len=%u group=%s", ntohs(ke.h.len) - 8,
2183 STR_OR_ID(ntohs(ke.ke_group), dh_p_map)));
2185 if (2 < ndo->ndo_vflag && 8 < ntohs(ke.h.len)) {
2186 ND_PRINT((ndo," "));
2187 if (!rawprint(ndo, (const uint8_t *)(k + 1), ntohs(ke.h.len) - 8))
2190 return (const u_char *)ext + ntohs(ke.h.len);
2192 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2196 static const u_char *
2197 ikev2_ID_print(netdissect_options *ndo, u_char tpay,
2198 const struct isakmp_gen *ext,
2199 u_int item_len _U_, const u_char *ep _U_,
2200 uint32_t phase _U_, uint32_t doi _U_,
2201 uint32_t proto _U_, int depth _U_)
2203 const struct ikev2_id *idp;
2205 int id_len, idtype_len, i;
2206 unsigned int dumpascii, dumphex;
2207 const unsigned char *typedata;
2209 idp = (const struct ikev2_id *)ext;
2211 UNALIGNED_MEMCPY(&id, ext, sizeof(id));
2212 ikev2_pay_print(ndo, NPSTR(tpay), id.h.critical);
2214 id_len = ntohs(id.h.len);
2216 ND_PRINT((ndo," len=%d", id_len - 4));
2217 if (2 < ndo->ndo_vflag && 4 < id_len) {
2218 /* Print the entire payload in hex */
2219 ND_PRINT((ndo," "));
2220 if (!rawprint(ndo, (const uint8_t *)(ext + 1), id_len - 4))
2224 idtype_len =id_len - sizeof(struct ikev2_id);
2227 typedata = (const unsigned char *)(ext)+sizeof(struct ikev2_id);
2231 ND_PRINT((ndo, " ipv4:"));
2235 ND_PRINT((ndo, " fqdn:"));
2238 case ID_RFC822_ADDR:
2239 ND_PRINT((ndo, " rfc822:"));
2243 ND_PRINT((ndo, " ipv6:"));
2246 case ID_DER_ASN1_DN:
2247 ND_PRINT((ndo, " dn:"));
2250 case ID_DER_ASN1_GN:
2251 ND_PRINT((ndo, " gn:"));
2255 ND_PRINT((ndo, " keyid:"));
2261 ND_TCHECK2(*typedata, idtype_len);
2262 for(i=0; i<idtype_len; i++) {
2263 if(ND_ISPRINT(typedata[i])) {
2264 ND_PRINT((ndo, "%c", typedata[i]));
2266 ND_PRINT((ndo, "."));
2271 if (!rawprint(ndo, (const uint8_t *)typedata, idtype_len))
2275 return (const u_char *)ext + id_len;
2277 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2281 static const u_char *
2282 ikev2_cert_print(netdissect_options *ndo, u_char tpay,
2283 const struct isakmp_gen *ext,
2284 u_int item_len _U_, const u_char *ep _U_,
2285 uint32_t phase _U_, uint32_t doi _U_,
2286 uint32_t proto _U_, int depth _U_)
2288 return ikev2_gen_print(ndo, tpay, ext);
2291 static const u_char *
2292 ikev2_cr_print(netdissect_options *ndo, u_char tpay,
2293 const struct isakmp_gen *ext,
2294 u_int item_len _U_, const u_char *ep _U_,
2295 uint32_t phase _U_, uint32_t doi _U_,
2296 uint32_t proto _U_, int depth _U_)
2298 return ikev2_gen_print(ndo, tpay, ext);
2301 static const u_char *
2302 ikev2_auth_print(netdissect_options *ndo, u_char tpay,
2303 const struct isakmp_gen *ext,
2304 u_int item_len _U_, const u_char *ep,
2305 uint32_t phase _U_, uint32_t doi _U_,
2306 uint32_t proto _U_, int depth _U_)
2308 struct ikev2_auth a;
2309 const char *v2_auth[]={ "invalid", "rsasig",
2310 "shared-secret", "dsssig" };
2311 const u_char *authdata = (const u_char*)ext + sizeof(a);
2314 ND_TCHECK2(*ext, sizeof(a));
2315 UNALIGNED_MEMCPY(&a, ext, sizeof(a));
2316 ikev2_pay_print(ndo, NPSTR(tpay), a.h.critical);
2317 len = ntohs(a.h.len);
2320 * Our caller has ensured that the length is >= 4.
2322 ND_PRINT((ndo," len=%u method=%s", len-4,
2323 STR_OR_ID(a.auth_method, v2_auth)));
2325 if (ndo->ndo_vflag > 1) {
2326 ND_PRINT((ndo, " authdata=("));
2327 if (!rawprint(ndo, (const uint8_t *)authdata, len - sizeof(a)))
2329 ND_PRINT((ndo, ") "));
2330 } else if (ndo->ndo_vflag) {
2331 if (!ike_show_somedata(ndo, authdata, ep))
2336 return (const u_char *)ext + len;
2338 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2342 static const u_char *
2343 ikev2_nonce_print(netdissect_options *ndo, u_char tpay,
2344 const struct isakmp_gen *ext,
2345 u_int item_len _U_, const u_char *ep,
2346 uint32_t phase _U_, uint32_t doi _U_,
2347 uint32_t proto _U_, int depth _U_)
2349 struct isakmp_gen e;
2352 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2353 ikev2_pay_print(ndo, "nonce", e.critical);
2355 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
2356 if (1 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
2357 ND_PRINT((ndo," nonce=("));
2358 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
2360 ND_PRINT((ndo,") "));
2361 } else if(ndo->ndo_vflag && 4 < ntohs(e.len)) {
2362 if(!ike_show_somedata(ndo, (const u_char *)(ext+1), ep)) goto trunc;
2365 return (const u_char *)ext + ntohs(e.len);
2367 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2371 /* notify payloads */
2372 static const u_char *
2373 ikev2_n_print(netdissect_options *ndo, u_char tpay _U_,
2374 const struct isakmp_gen *ext,
2375 u_int item_len, const u_char *ep,
2376 uint32_t phase _U_, uint32_t doi _U_,
2377 uint32_t proto _U_, int depth _U_)
2379 const struct ikev2_n *p;
2382 u_char showspi, showsomedata;
2383 const char *notify_name;
2386 p = (const struct ikev2_n *)ext;
2388 UNALIGNED_MEMCPY(&n, ext, sizeof(n));
2389 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_N), n.h.critical);
2395 ND_PRINT((ndo," prot_id=%s", PROTOIDSTR(n.prot_id)));
2397 type = ntohs(n.type);
2399 /* notify space is annoying sparse */
2401 case IV2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD:
2402 notify_name = "unsupported_critical_payload";
2406 case IV2_NOTIFY_INVALID_IKE_SPI:
2407 notify_name = "invalid_ike_spi";
2411 case IV2_NOTIFY_INVALID_MAJOR_VERSION:
2412 notify_name = "invalid_major_version";
2416 case IV2_NOTIFY_INVALID_SYNTAX:
2417 notify_name = "invalid_syntax";
2421 case IV2_NOTIFY_INVALID_MESSAGE_ID:
2422 notify_name = "invalid_message_id";
2426 case IV2_NOTIFY_INVALID_SPI:
2427 notify_name = "invalid_spi";
2431 case IV2_NOTIFY_NO_PROPOSAL_CHOSEN:
2432 notify_name = "no_protocol_chosen";
2436 case IV2_NOTIFY_INVALID_KE_PAYLOAD:
2437 notify_name = "invalid_ke_payload";
2441 case IV2_NOTIFY_AUTHENTICATION_FAILED:
2442 notify_name = "authentication_failed";
2446 case IV2_NOTIFY_SINGLE_PAIR_REQUIRED:
2447 notify_name = "single_pair_required";
2451 case IV2_NOTIFY_NO_ADDITIONAL_SAS:
2452 notify_name = "no_additional_sas";
2456 case IV2_NOTIFY_INTERNAL_ADDRESS_FAILURE:
2457 notify_name = "internal_address_failure";
2461 case IV2_NOTIFY_FAILED_CP_REQUIRED:
2462 notify_name = "failed:cp_required";
2466 case IV2_NOTIFY_INVALID_SELECTORS:
2467 notify_name = "invalid_selectors";
2471 case IV2_NOTIFY_INITIAL_CONTACT:
2472 notify_name = "initial_contact";
2476 case IV2_NOTIFY_SET_WINDOW_SIZE:
2477 notify_name = "set_window_size";
2481 case IV2_NOTIFY_ADDITIONAL_TS_POSSIBLE:
2482 notify_name = "additional_ts_possible";
2486 case IV2_NOTIFY_IPCOMP_SUPPORTED:
2487 notify_name = "ipcomp_supported";
2491 case IV2_NOTIFY_NAT_DETECTION_SOURCE_IP:
2492 notify_name = "nat_detection_source_ip";
2496 case IV2_NOTIFY_NAT_DETECTION_DESTINATION_IP:
2497 notify_name = "nat_detection_destination_ip";
2501 case IV2_NOTIFY_COOKIE:
2502 notify_name = "cookie";
2507 case IV2_NOTIFY_USE_TRANSPORT_MODE:
2508 notify_name = "use_transport_mode";
2512 case IV2_NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED:
2513 notify_name = "http_cert_lookup_supported";
2517 case IV2_NOTIFY_REKEY_SA:
2518 notify_name = "rekey_sa";
2522 case IV2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED:
2523 notify_name = "tfc_padding_not_supported";
2527 case IV2_NOTIFY_NON_FIRST_FRAGMENTS_ALSO:
2528 notify_name = "non_first_fragment_also";
2534 notify_name="error";
2535 } else if(type < 16384) {
2536 notify_name="private-error";
2537 } else if(type < 40960) {
2538 notify_name="status";
2540 notify_name="private-status";
2545 ND_PRINT((ndo," type=%u(%s)", type, notify_name));
2549 if (showspi && n.spi_size) {
2550 ND_PRINT((ndo," spi="));
2551 if (!rawprint(ndo, (const uint8_t *)(p + 1), n.spi_size))
2555 cp = (const u_char *)(p + 1) + n.spi_size;
2558 if (ndo->ndo_vflag > 3 || (showsomedata && ep-cp < 30)) {
2559 ND_PRINT((ndo," data=("));
2560 if (!rawprint(ndo, (const uint8_t *)(cp), ep - cp))
2563 ND_PRINT((ndo,")"));
2564 } else if (showsomedata) {
2565 if (!ike_show_somedata(ndo, cp, ep))
2570 return (const u_char *)ext + item_len;
2572 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_N)));
2576 static const u_char *
2577 ikev2_d_print(netdissect_options *ndo, u_char tpay,
2578 const struct isakmp_gen *ext,
2579 u_int item_len _U_, const u_char *ep _U_,
2580 uint32_t phase _U_, uint32_t doi _U_,
2581 uint32_t proto _U_, int depth _U_)
2583 return ikev2_gen_print(ndo, tpay, ext);
2586 static const u_char *
2587 ikev2_vid_print(netdissect_options *ndo, u_char tpay,
2588 const struct isakmp_gen *ext,
2589 u_int item_len _U_, const u_char *ep _U_,
2590 uint32_t phase _U_, uint32_t doi _U_,
2591 uint32_t proto _U_, int depth _U_)
2593 struct isakmp_gen e;
2598 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2599 ikev2_pay_print(ndo, NPSTR(tpay), e.critical);
2600 ND_PRINT((ndo," len=%d vid=", ntohs(e.len) - 4));
2602 vid = (const u_char *)(ext+1);
2603 len = ntohs(e.len) - 4;
2604 ND_TCHECK2(*vid, len);
2605 for(i=0; i<len; i++) {
2606 if(ND_ISPRINT(vid[i])) ND_PRINT((ndo, "%c", vid[i]));
2607 else ND_PRINT((ndo, "."));
2609 if (2 < ndo->ndo_vflag && 4 < len) {
2610 /* Print the entire payload in hex */
2611 ND_PRINT((ndo," "));
2612 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
2615 return (const u_char *)ext + ntohs(e.len);
2617 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2621 static const u_char *
2622 ikev2_TS_print(netdissect_options *ndo, u_char tpay,
2623 const struct isakmp_gen *ext,
2624 u_int item_len _U_, const u_char *ep _U_,
2625 uint32_t phase _U_, uint32_t doi _U_,
2626 uint32_t proto _U_, int depth _U_)
2628 return ikev2_gen_print(ndo, tpay, ext);
2631 static const u_char *
2632 ikev2_e_print(netdissect_options *ndo,
2633 #ifndef HAVE_LIBCRYPTO
2636 struct isakmp *base,
2638 const struct isakmp_gen *ext,
2639 u_int item_len _U_, const u_char *ep _U_,
2640 #ifndef HAVE_LIBCRYPTO
2644 #ifndef HAVE_LIBCRYPTO
2648 #ifndef HAVE_LIBCRYPTO
2652 #ifndef HAVE_LIBCRYPTO
2657 struct isakmp_gen e;
2662 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2663 ikev2_pay_print(ndo, NPSTR(tpay), e.critical);
2665 dlen = ntohs(e.len)-4;
2667 ND_PRINT((ndo," len=%d", dlen));
2668 if (2 < ndo->ndo_vflag && 4 < dlen) {
2669 ND_PRINT((ndo," "));
2670 if (!rawprint(ndo, (const uint8_t *)(ext + 1), dlen))
2674 dat = (const u_char *)(ext+1);
2675 ND_TCHECK2(*dat, dlen);
2677 #ifdef HAVE_LIBCRYPTO
2678 /* try to decypt it! */
2679 if(esp_print_decrypt_buffer_by_ikev2(ndo,
2680 base->flags & ISAKMP_FLAG_I,
2681 base->i_ck, base->r_ck,
2684 ext = (const struct isakmp_gen *)ndo->ndo_packetp;
2686 /* got it decrypted, print stuff inside. */
2687 ikev2_sub_print(ndo, base, e.np, ext, ndo->ndo_snapend,
2688 phase, doi, proto, depth+1);
2693 /* always return NULL, because E must be at end, and NP refers
2694 * to what was inside.
2698 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2702 static const u_char *
2703 ikev2_cp_print(netdissect_options *ndo, u_char tpay,
2704 const struct isakmp_gen *ext,
2705 u_int item_len _U_, const u_char *ep _U_,
2706 uint32_t phase _U_, uint32_t doi _U_,
2707 uint32_t proto _U_, int depth _U_)
2709 return ikev2_gen_print(ndo, tpay, ext);
2712 static const u_char *
2713 ikev2_eap_print(netdissect_options *ndo, u_char tpay,
2714 const struct isakmp_gen *ext,
2715 u_int item_len _U_, const u_char *ep _U_,
2716 uint32_t phase _U_, uint32_t doi _U_,
2717 uint32_t proto _U_, int depth _U_)
2719 return ikev2_gen_print(ndo, tpay, ext);
2722 static const u_char *
2723 ike_sub0_print(netdissect_options *ndo,
2724 u_char np, const struct isakmp_gen *ext, const u_char *ep,
2726 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
2729 struct isakmp_gen e;
2732 cp = (const u_char *)ext;
2734 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2737 * Since we can't have a payload length of less than 4 bytes,
2738 * we need to bail out here if the generic header is nonsensical
2739 * or truncated, otherwise we could loop forever processing
2740 * zero-length items or otherwise misdissect the packet.
2742 item_len = ntohs(e.len);
2748 * XXX - what if item_len is too short, or too long,
2749 * for this payload type?
2751 cp = (*npfunc[np])(ndo, np, ext, item_len, ep, phase, doi, proto, depth);
2753 ND_PRINT((ndo,"%s", NPSTR(np)));
2759 ND_PRINT((ndo," [|isakmp]"));
2763 static const u_char *
2764 ikev1_sub_print(netdissect_options *ndo,
2765 u_char np, const struct isakmp_gen *ext, const u_char *ep,
2766 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
2770 struct isakmp_gen e;
2772 cp = (const u_char *)ext;
2776 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2778 ND_TCHECK2(*ext, ntohs(e.len));
2781 ND_PRINT((ndo,"\n"));
2782 for (i = 0; i < depth; i++)
2783 ND_PRINT((ndo," "));
2784 ND_PRINT((ndo,"("));
2785 cp = ike_sub0_print(ndo, np, ext, ep, phase, doi, proto, depth);
2786 ND_PRINT((ndo,")"));
2790 /* Zero-length subitem */
2795 ext = (const struct isakmp_gen *)cp;
2799 ND_PRINT((ndo," [|%s]", NPSTR(np)));
2806 static char buf[20];
2807 snprintf(buf, sizeof(buf), "#%d", x);
2812 ikev1_print(netdissect_options *ndo,
2813 const u_char *bp, u_int length,
2814 const u_char *bp2, struct isakmp *base)
2816 const struct isakmp *p;
2822 p = (const struct isakmp *)bp;
2823 ep = ndo->ndo_snapend;
2825 phase = (EXTRACT_32BITS(base->msgid) == 0) ? 1 : 2;
2827 ND_PRINT((ndo," phase %d", phase));
2829 ND_PRINT((ndo," phase %d/others", phase));
2831 i = cookie_find(&base->i_ck);
2833 if (iszero((const u_char *)&base->r_ck, sizeof(base->r_ck))) {
2834 /* the first packet */
2835 ND_PRINT((ndo," I"));
2837 cookie_record(&base->i_ck, bp2);
2839 ND_PRINT((ndo," ?"));
2841 if (bp2 && cookie_isinitiator(i, bp2))
2842 ND_PRINT((ndo," I"));
2843 else if (bp2 && cookie_isresponder(i, bp2))
2844 ND_PRINT((ndo," R"));
2846 ND_PRINT((ndo," ?"));
2849 ND_PRINT((ndo," %s", ETYPESTR(base->etype)));
2851 ND_PRINT((ndo,"[%s%s]", base->flags & ISAKMP_FLAG_E ? "E" : "",
2852 base->flags & ISAKMP_FLAG_C ? "C" : ""));
2855 if (ndo->ndo_vflag) {
2856 const struct isakmp_gen *ext;
2858 ND_PRINT((ndo,":"));
2860 /* regardless of phase... */
2861 if (base->flags & ISAKMP_FLAG_E) {
2863 * encrypted, nothing we can do right now.
2864 * we hope to decrypt the packet in the future...
2866 ND_PRINT((ndo," [encrypted %s]", NPSTR(base->np)));
2870 CHECKLEN(p + 1, base->np);
2872 ext = (const struct isakmp_gen *)(p + 1);
2873 ikev1_sub_print(ndo, np, ext, ep, phase, 0, 0, 0);
2877 if (ndo->ndo_vflag) {
2878 if (ntohl(base->len) != length) {
2879 ND_PRINT((ndo," (len mismatch: isakmp %u/ip %u)",
2880 (uint32_t)ntohl(base->len), length));
2885 static const u_char *
2886 ikev2_sub0_print(netdissect_options *ndo, struct isakmp *base,
2888 const struct isakmp_gen *ext, const u_char *ep,
2889 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
2892 struct isakmp_gen e;
2895 cp = (const u_char *)ext;
2897 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2900 * Since we can't have a payload length of less than 4 bytes,
2901 * we need to bail out here if the generic header is nonsensical
2902 * or truncated, otherwise we could loop forever processing
2903 * zero-length items or otherwise misdissect the packet.
2905 item_len = ntohs(e.len);
2909 if (np == ISAKMP_NPTYPE_v2E) {
2910 cp = ikev2_e_print(ndo, base, np, ext, item_len,
2911 ep, phase, doi, proto, depth);
2912 } else if (NPFUNC(np)) {
2914 * XXX - what if item_len is too short, or too long,
2915 * for this payload type?
2917 cp = (*npfunc[np])(ndo, np, ext, item_len,
2918 ep, phase, doi, proto, depth);
2920 ND_PRINT((ndo,"%s", NPSTR(np)));
2926 ND_PRINT((ndo," [|isakmp]"));
2930 static const u_char *
2931 ikev2_sub_print(netdissect_options *ndo,
2932 struct isakmp *base,
2933 u_char np, const struct isakmp_gen *ext, const u_char *ep,
2934 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
2938 struct isakmp_gen e;
2940 cp = (const u_char *)ext;
2943 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2945 ND_TCHECK2(*ext, ntohs(e.len));
2948 ND_PRINT((ndo,"\n"));
2949 for (i = 0; i < depth; i++)
2950 ND_PRINT((ndo," "));
2951 ND_PRINT((ndo,"("));
2952 cp = ikev2_sub0_print(ndo, base, np,
2953 ext, ep, phase, doi, proto, depth);
2954 ND_PRINT((ndo,")"));
2958 /* Zero-length subitem */
2963 ext = (const struct isakmp_gen *)cp;
2967 ND_PRINT((ndo," [|%s]", NPSTR(np)));
2972 ikev2_print(netdissect_options *ndo,
2973 const u_char *bp, u_int length,
2974 const u_char *bp2 _U_, struct isakmp *base)
2976 const struct isakmp *p;
2981 p = (const struct isakmp *)bp;
2982 ep = ndo->ndo_snapend;
2984 phase = (EXTRACT_32BITS(base->msgid) == 0) ? 1 : 2;
2986 ND_PRINT((ndo, " parent_sa"));
2988 ND_PRINT((ndo, " child_sa "));
2990 ND_PRINT((ndo, " %s", ETYPESTR(base->etype)));
2992 ND_PRINT((ndo, "[%s%s%s]",
2993 base->flags & ISAKMP_FLAG_I ? "I" : "",
2994 base->flags & ISAKMP_FLAG_V ? "V" : "",
2995 base->flags & ISAKMP_FLAG_R ? "R" : ""));
2998 if (ndo->ndo_vflag) {
2999 const struct isakmp_gen *ext;
3001 ND_PRINT((ndo, ":"));
3003 /* regardless of phase... */
3004 if (base->flags & ISAKMP_FLAG_E) {
3006 * encrypted, nothing we can do right now.
3007 * we hope to decrypt the packet in the future...
3009 ND_PRINT((ndo, " [encrypted %s]", NPSTR(base->np)));
3013 CHECKLEN(p + 1, base->np)
3016 ext = (const struct isakmp_gen *)(p + 1);
3017 ikev2_sub_print(ndo, base, np, ext, ep, phase, 0, 0, 0);
3021 if (ndo->ndo_vflag) {
3022 if (ntohl(base->len) != length) {
3023 ND_PRINT((ndo, " (len mismatch: isakmp %u/ip %u)",
3024 (uint32_t)ntohl(base->len), length));
3030 isakmp_print(netdissect_options *ndo,
3031 const u_char *bp, u_int length,
3034 const struct isakmp *p;
3039 #ifdef HAVE_LIBCRYPTO
3040 /* initialize SAs */
3041 if (ndo->ndo_sa_list_head == NULL) {
3042 if (ndo->ndo_espsecret)
3043 esp_print_decodesecret(ndo);
3047 p = (const struct isakmp *)bp;
3048 ep = ndo->ndo_snapend;
3050 if ((const struct isakmp *)ep < p + 1) {
3051 ND_PRINT((ndo,"[|isakmp]"));
3055 UNALIGNED_MEMCPY(&base, p, sizeof(base));
3057 ND_PRINT((ndo,"isakmp"));
3058 major = (base.vers & ISAKMP_VERS_MAJOR)
3059 >> ISAKMP_VERS_MAJOR_SHIFT;
3060 minor = (base.vers & ISAKMP_VERS_MINOR)
3061 >> ISAKMP_VERS_MINOR_SHIFT;
3063 if (ndo->ndo_vflag) {
3064 ND_PRINT((ndo," %d.%d", major, minor));
3067 if (ndo->ndo_vflag) {
3068 ND_PRINT((ndo," msgid "));
3069 hexprint(ndo, (const uint8_t *)&base.msgid, sizeof(base.msgid));
3072 if (1 < ndo->ndo_vflag) {
3073 ND_PRINT((ndo," cookie "));
3074 hexprint(ndo, (const uint8_t *)&base.i_ck, sizeof(base.i_ck));
3075 ND_PRINT((ndo,"->"));
3076 hexprint(ndo, (const uint8_t *)&base.r_ck, sizeof(base.r_ck));
3078 ND_PRINT((ndo,":"));
3081 case IKEv1_MAJOR_VERSION:
3082 ikev1_print(ndo, bp, length, bp2, &base);
3085 case IKEv2_MAJOR_VERSION:
3086 ikev2_print(ndo, bp, length, bp2, &base);
3092 isakmp_rfc3948_print(netdissect_options *ndo,
3093 const u_char *bp, u_int length,
3097 if(length == 1 && bp[0]==0xff) {
3098 ND_PRINT((ndo, "isakmp-nat-keep-alive"));
3108 * see if this is an IKE packet
3110 if(bp[0]==0 && bp[1]==0 && bp[2]==0 && bp[3]==0) {
3111 ND_PRINT((ndo, "NONESP-encap: "));
3112 isakmp_print(ndo, bp+4, length-4, bp2);
3116 /* must be an ESP packet */
3118 int nh, enh, padlen;
3121 ND_PRINT((ndo, "UDP-encap: "));
3123 advance = esp_print(ndo, bp, length, bp2, &enh, &padlen);
3128 length -= advance + padlen;
3131 ip_print_inner(ndo, bp, length, nh, bp2);
3136 ND_PRINT((ndo,"[|isakmp]"));
3142 * c-style: whitesmith
projects / FreeBSD / FreeBSD.git / blob