[FreeBSD/FreeBSD.git] / contrib / tcpdump / print-isakmp.c
1 /*
2  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
3  * All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  *    notice, this list of conditions and the following disclaimer in the
12  *    documentation and/or other materials provided with the distribution.
13  * 3. Neither the name of the project nor the names of its contributors
14  *    may be used to endorse or promote products derived from this software
15  *    without specific prior written permission.
16  *
17  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
18  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20  * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
21  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27  * SUCH DAMAGE.
28  *
29  */
30
31 #define NETDISSECT_REWORKED
32 #ifdef HAVE_CONFIG_H
33 #include "config.h"
34 #endif
35
36 /* The functions from print-esp.c used in this file are only defined when both
37  * OpenSSL and evp.h are detected. Employ the same preprocessor device here.
38  */
39 #ifndef HAVE_OPENSSL_EVP_H
40 #undef HAVE_LIBCRYPTO
41 #endif
42
43 #include <tcpdump-stdinc.h>
44
45 #include <string.h>
46
47 #include "interface.h"
48 #include "addrtoname.h"
49 #include "extract.h"                    /* must come after interface.h */
50
51 #include "ip.h"
52 #ifdef INET6
53 #include "ip6.h"
54 #endif
55
56 /* refer to RFC 2408 */
57
58 typedef u_char cookie_t[8];
59 typedef u_char msgid_t[4];
60
61 #define PORT_ISAKMP 500
62
63 /* 3.1 ISAKMP Header Format (IKEv1 and IKEv2)
64          0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
65         +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
66         !                          Initiator                            !
67         !                            Cookie                             !
68         +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
69         !                          Responder                            !
70         !                            Cookie                             !
71         +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
72         !  Next Payload ! MjVer ! MnVer ! Exchange Type !     Flags     !
73         +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
74         !                          Message ID                           !
75         +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
76         !                            Length                             !
77         +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
78 */
/*
 * Fixed ISAKMP message header, field for field as in the diagram above.
 * Printers in this file receive it as `struct isakmp *base`.
 * NOTE(review): np, etype, flags and len are whatever the sender put on
 * the wire.  len in particular is only the sender's claim about the
 * message size -- confirm every use bounds it against the bytes captured.
 */
struct isakmp {
        cookie_t i_ck;          /* Initiator Cookie */
        cookie_t r_ck;          /* Responder Cookie */
        uint8_t np;             /* Next Payload Type */
        uint8_t vers;           /* major version in the high nibble, minor in the low nibble */
#define ISAKMP_VERS_MAJOR       0xf0
#define ISAKMP_VERS_MAJOR_SHIFT 4
#define ISAKMP_VERS_MINOR       0x0f
#define ISAKMP_VERS_MINOR_SHIFT 0
        uint8_t etype;          /* Exchange Type */
        uint8_t flags;          /* Flags */
        msgid_t msgid;          /* Message ID, kept as 4 raw bytes (msgid_t) */
        uint32_t len;           /* Length */
};
93
94 /* Next Payload Type */
95 #define ISAKMP_NPTYPE_NONE   0 /* NONE*/
96 #define ISAKMP_NPTYPE_SA     1 /* Security Association */
97 #define ISAKMP_NPTYPE_P      2 /* Proposal */
98 #define ISAKMP_NPTYPE_T      3 /* Transform */
99 #define ISAKMP_NPTYPE_KE     4 /* Key Exchange */
100 #define ISAKMP_NPTYPE_ID     5 /* Identification */
101 #define ISAKMP_NPTYPE_CERT   6 /* Certificate */
102 #define ISAKMP_NPTYPE_CR     7 /* Certificate Request */
103 #define ISAKMP_NPTYPE_HASH   8 /* Hash */
104 #define ISAKMP_NPTYPE_SIG    9 /* Signature */
105 #define ISAKMP_NPTYPE_NONCE 10 /* Nonce */
106 #define ISAKMP_NPTYPE_N     11 /* Notification */
107 #define ISAKMP_NPTYPE_D     12 /* Delete */
108 #define ISAKMP_NPTYPE_VID   13 /* Vendor ID */
109 #define ISAKMP_NPTYPE_v2E   46 /* v2 Encrypted payload */
110
111 #define IKEv1_MAJOR_VERSION  1
112 #define IKEv1_MINOR_VERSION  0
113
114 #define IKEv2_MAJOR_VERSION  2
115 #define IKEv2_MINOR_VERSION  0
116
117 /* Flags */
118 #define ISAKMP_FLAG_E 0x01 /* Encryption Bit */
119 #define ISAKMP_FLAG_C 0x02 /* Commit Bit */
120 #define ISAKMP_FLAG_extra 0x04
121
122 /* IKEv2 */
123 #define ISAKMP_FLAG_I (1 << 3)  /* (I)nitiator */
124 #define ISAKMP_FLAG_V (1 << 4)  /* (V)ersion   */
125 #define ISAKMP_FLAG_R (1 << 5)  /* (R)esponse  */
126
127
128 /* 3.2 Payload Generic Header
129          0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
130         +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
131         ! Next Payload  !   RESERVED    !         Payload Length        !
132         +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
133 */
/*
 * Generic 4-byte header that opens every payload; the payload structs in
 * this file embed it as their first member `h`.
 * NOTE(review): len is sender-supplied.  Presumably it counts this header
 * as well as the payload body -- confirm that printers reject a value
 * smaller than the header or larger than the bytes remaining.
 */
struct isakmp_gen {
        uint8_t  np;       /* Next Payload */
        uint8_t  critical; /* bit 7 - critical, rest is RESERVED */
        uint16_t len;      /* Payload Length */
};
139
140 /* 3.3 Data Attributes
141          0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
142         +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
143         !A!       Attribute Type        !    AF=0  Attribute Length     !
144         !F!                             !    AF=1  Attribute Value      !
145         +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
146         .                   AF=0  Attribute Value                       .
147         .                   AF=1  Not Transmitted                       .
148         +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
149 */
/*
 * Fixed part of one data attribute.  Per the diagram above, the AF bit
 * (top bit of the first 16 bits) selects the meaning of the second field.
 * NOTE(review): with AF=0, lorv is a length read from the packet that says
 * how many value bytes follow -- confirm it is bounded against the bytes
 * remaining before those bytes are read.
 */
struct isakmp_data {
        uint16_t type;     /* defined by DOI-spec, and Attribute Format */
        uint16_t lorv;     /* if AF equal 0, Attribute Length */
                          /* if AF equal 1, Attribute Value */
        /* if AF equal 0, Attribute Value follows (variable length) */
};
156
157 /* 3.4 Security Association Payload */
158         /* MAY NOT be used, because of being defined in ipsec-doi. */
159         /*
160         If the current payload is the last in the message,
161         then the value of the next payload field will be 0.
162         This field MUST NOT contain the
163         values for the Proposal or Transform payloads as they are considered
164         part of the security association negotiation.  For example, this
165         field would contain the value "10" (Nonce payload) in the first
166         message of a Base Exchange (see Section 4.4) and the value "0" in the
167         first message of an Identity Protect Exchange (see Section 4.5).
168         */
169 struct ikev1_pl_sa {
170         struct isakmp_gen h;
171         uint32_t doi; /* Domain of Interpretation */
172         uint32_t sit; /* Situation */
173 };
174
175 /* 3.5 Proposal Payload */
176         /*
177         The value of the next payload field MUST only contain the value "2"
178         or "0".  If there are additional Proposal payloads in the message,
179         then this field will be 2.  If the current Proposal payload is the
180         last within the security association proposal, then this field will
181         be 0.
182         */
183 struct ikev1_pl_p {
184         struct isakmp_gen h;
185         uint8_t p_no;      /* Proposal # */
186         uint8_t prot_id;   /* Protocol */
187         uint8_t spi_size;  /* SPI Size */
188         uint8_t num_t;     /* Number of Transforms */
189         /* SPI */
190 };
191
192 /* 3.6 Transform Payload */
193         /*
194         The value of the next payload field MUST only contain the value "3"
195         or "0".  If there are additional Transform payloads in the proposal,
196         then this field will be 3.  If the current Transform payload is the
197         last within the proposal, then this field will be 0.
198         */
199 struct ikev1_pl_t {
200         struct isakmp_gen h;
201         uint8_t  t_no;     /* Transform # */
202         uint8_t  t_id;     /* Transform-Id */
203         uint16_t reserved; /* RESERVED2 */
204         /* SA Attributes */
205 };
206
207 /* 3.7 Key Exchange Payload */
208 struct ikev1_pl_ke {
209         struct isakmp_gen h;
210         /* Key Exchange Data */
211 };
212
213 /* 3.8 Identification Payload */
214         /* MUST NOT be used, because it is defined in ipsec-doi. */
215 struct ikev1_pl_id {
216         struct isakmp_gen h;
217         union {
218                 uint8_t  id_type;   /* ID Type */
219                 uint32_t doi_data;  /* DOI Specific ID Data */
220         } d;
221         /* Identification Data */
222 };
223
224 /* 3.9 Certificate Payload */
/*
 * IKEv1 Certificate payload: generic header, one encoding byte, then the
 * certificate data.
 * NOTE(review): `cert` is a single char standing in for the first byte of
 * variable-length data, so sizeof(struct ikev1_pl_cert) counts more than
 * the fixed header -- confirm no length arithmetic relies on that sizeof.
 */
struct ikev1_pl_cert {
        struct isakmp_gen h;
        uint8_t encode; /* Cert Encoding */
        char   cert;   /* Certificate Data (first byte only; the rest follows) */
                /*
                (Describes the Cert Encoding field:) it indicates the type of
                certificate or certificate-related information contained in the
                Certificate Data field.
                */
};
235
236 /* 3.10 Certificate Request Payload */
/*
 * Fixed part of the IKEv1 Certificate Request payload.  The lists described
 * in the comments below follow it on the wire and are not struct members.
 * NOTE(review): num_cert is a count taken from the packet -- confirm it is
 * checked against the payload length before it drives any loop.
 */
struct ikev1_pl_cr {
        struct isakmp_gen h;
        uint8_t num_cert; /* # Cert. Types */
        /*
        Certificate Types (variable length)
          -- Contains a list of the types of certificates requested,
          sorted in order of preference.  Each individual certificate
          type is 1 octet.  This field is NOT required.
        */
        /* # Certificate Authorities (1 octet) */
        /* Certificate Authorities (variable length) */
};
249
250 /* 3.11 Hash Payload */
251         /* may not be used, because of having only data. */
252 struct ikev1_pl_hash {
253         struct isakmp_gen h;
254         /* Hash Data */
255 };
256
257 /* 3.12 Signature Payload */
258         /* may not be used, because of having only data. */
259 struct ikev1_pl_sig {
260         struct isakmp_gen h;
261         /* Signature Data */
262 };
263
264 /* 3.13 Nonce Payload */
265         /* may not be used, because of having only data. */
266 struct ikev1_pl_nonce {
267         struct isakmp_gen h;
268         /* Nonce Data */
269 };
270
271 /* 3.14 Notification Payload */
272 struct ikev1_pl_n {
273         struct isakmp_gen h;
274         uint32_t doi;      /* Domain of Interpretation */
275         uint8_t  prot_id;  /* Protocol-ID */
276         uint8_t  spi_size; /* SPI Size */
277         uint16_t type;     /* Notify Message Type */
278         /* SPI */
279         /* Notification Data */
280 };
281
282 /* 3.14.1 Notify Message Types */
283 /* NOTIFY MESSAGES - ERROR TYPES */
284 #define ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE           1
285 #define ISAKMP_NTYPE_DOI_NOT_SUPPORTED              2
286 #define ISAKMP_NTYPE_SITUATION_NOT_SUPPORTED        3
287 #define ISAKMP_NTYPE_INVALID_COOKIE                 4
288 #define ISAKMP_NTYPE_INVALID_MAJOR_VERSION          5
289 #define ISAKMP_NTYPE_INVALID_MINOR_VERSION          6
290 #define ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE          7
291 #define ISAKMP_NTYPE_INVALID_FLAGS                  8
292 #define ISAKMP_NTYPE_INVALID_MESSAGE_ID             9
293 #define ISAKMP_NTYPE_INVALID_PROTOCOL_ID            10
294 #define ISAKMP_NTYPE_INVALID_SPI                    11
295 #define ISAKMP_NTYPE_INVALID_TRANSFORM_ID           12
296 #define ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED       13
297 #define ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN             14
298 #define ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX            15
299 #define ISAKMP_NTYPE_PAYLOAD_MALFORMED              16
300 #define ISAKMP_NTYPE_INVALID_KEY_INFORMATION        17
301 #define ISAKMP_NTYPE_INVALID_ID_INFORMATION         18
302 #define ISAKMP_NTYPE_INVALID_CERT_ENCODING          19
303 #define ISAKMP_NTYPE_INVALID_CERTIFICATE            20
304 #define ISAKMP_NTYPE_BAD_CERT_REQUEST_SYNTAX        21
305 #define ISAKMP_NTYPE_INVALID_CERT_AUTHORITY         22
306 #define ISAKMP_NTYPE_INVALID_HASH_INFORMATION       23
307 #define ISAKMP_NTYPE_AUTHENTICATION_FAILED          24
308 #define ISAKMP_NTYPE_INVALID_SIGNATURE              25
309 #define ISAKMP_NTYPE_ADDRESS_NOTIFICATION           26
310
311 /* 3.15 Delete Payload */
312 struct ikev1_pl_d {
313         struct isakmp_gen h;
314         uint32_t doi;      /* Domain of Interpretation */
315         uint8_t  prot_id;  /* Protocol-Id */
316         uint8_t  spi_size; /* SPI Size */
317         uint16_t num_spi;  /* # of SPIs */
318         /* SPI(es) */
319 };
320
321 struct ikev1_ph1tab {
322         struct ikev1_ph1 *head;
323         struct ikev1_ph1 *tail;
324         int len;
325 };
326
327 struct isakmp_ph2tab {
328         struct ikev1_ph2 *head;
329         struct ikev1_ph2 *tail;
330         int len;
331 };
332
333 /* IKEv2 (RFC4306) */
334
335 /* 3.3  Security Association Payload -- generic header */
336 /* 3.3.1.  Proposal Substructure */
337 struct ikev2_p {
338         struct isakmp_gen h;
339         uint8_t p_no;      /* Proposal # */
340         uint8_t prot_id;   /* Protocol */
341         uint8_t spi_size;  /* SPI Size */
342         uint8_t num_t;     /* Number of Transforms */
343 };
344
345 /* 3.3.2.  Transform Substructure */
346 struct ikev2_t {
347         struct isakmp_gen h;
348         uint8_t t_type;    /* Transform Type (ENCR,PRF,INTEG,etc.*/
349         uint8_t res2;      /* reserved byte */
350         uint16_t t_id;     /* Transform ID */
351 };
352
353 enum ikev2_t_type {
354         IV2_T_ENCR = 1,
355         IV2_T_PRF  = 2,
356         IV2_T_INTEG= 3,
357         IV2_T_DH   = 4,
358         IV2_T_ESN  = 5,
359 };
360
361 /* 3.4.  Key Exchange Payload */
362 struct ikev2_ke {
363         struct isakmp_gen h;
364         uint16_t  ke_group;
365         uint16_t  ke_res1;
366         /* KE data */
367 };
368
369
370 /* 3.5.  Identification Payloads */
371 enum ikev2_id_type {
372         ID_IPV4_ADDR=1,
373         ID_FQDN=2,
374         ID_RFC822_ADDR=3,
375         ID_IPV6_ADDR=5,
376         ID_DER_ASN1_DN=9,
377         ID_DER_ASN1_GN=10,
378         ID_KEY_ID=11,
379 };
/*
 * Fixed part of an IKEv2 Identification payload: generic header, one ID
 * type byte (presumably one of enum ikev2_id_type) and three further bytes
 * named res1/res2.
 */
struct ikev2_id {
        struct isakmp_gen h;
        uint8_t  type;        /* ID type */
        uint8_t  res1;
        uint16_t res2;
        /*
         * Identification Data follows (variable length).  The comments that
         * stood here read "SPI" and "Notification Data"; they appear to be
         * copied from the notification payload.
         */
};
388
389 /* 3.10 Notification Payload */
390 struct ikev2_n {
391         struct isakmp_gen h;
392         uint8_t  prot_id;  /* Protocol-ID */
393         uint8_t  spi_size; /* SPI Size */
394         uint16_t type;     /* Notify Message Type */
395 };
396
397 enum ikev2_n_type {
398         IV2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD            = 1,
399         IV2_NOTIFY_INVALID_IKE_SPI                         = 4,
400         IV2_NOTIFY_INVALID_MAJOR_VERSION                   = 5,
401         IV2_NOTIFY_INVALID_SYNTAX                          = 7,
402         IV2_NOTIFY_INVALID_MESSAGE_ID                      = 9,
403         IV2_NOTIFY_INVALID_SPI                             =11,
404         IV2_NOTIFY_NO_PROPOSAL_CHOSEN                      =14,
405         IV2_NOTIFY_INVALID_KE_PAYLOAD                      =17,
406         IV2_NOTIFY_AUTHENTICATION_FAILED                   =24,
407         IV2_NOTIFY_SINGLE_PAIR_REQUIRED                    =34,
408         IV2_NOTIFY_NO_ADDITIONAL_SAS                       =35,
409         IV2_NOTIFY_INTERNAL_ADDRESS_FAILURE                =36,
410         IV2_NOTIFY_FAILED_CP_REQUIRED                      =37,
411         IV2_NOTIFY_INVALID_SELECTORS                       =39,
412         IV2_NOTIFY_INITIAL_CONTACT                         =16384,
413         IV2_NOTIFY_SET_WINDOW_SIZE                         =16385,
414         IV2_NOTIFY_ADDITIONAL_TS_POSSIBLE                  =16386,
415         IV2_NOTIFY_IPCOMP_SUPPORTED                        =16387,
416         IV2_NOTIFY_NAT_DETECTION_SOURCE_IP                 =16388,
417         IV2_NOTIFY_NAT_DETECTION_DESTINATION_IP            =16389,
418         IV2_NOTIFY_COOKIE                                  =16390,
419         IV2_NOTIFY_USE_TRANSPORT_MODE                      =16391,
420         IV2_NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED              =16392,
421         IV2_NOTIFY_REKEY_SA                                =16393,
422         IV2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED           =16394,
423         IV2_NOTIFY_NON_FIRST_FRAGMENTS_ALSO                =16395
424 };
425
426 struct notify_messages {
427         uint16_t type;
428         char     *msg;
429 };
430
/* 3.8 Authentication Payload */
struct ikev2_auth {
        struct isakmp_gen h;
        uint8_t  auth_method;  /* Auth Method; presumably one of enum ikev2_auth_type */
        uint8_t  reserved[3];
        /* authentication data */
};
438
439 enum ikev2_auth_type {
440         IV2_RSA_SIG = 1,
441         IV2_SHARED  = 2,
442         IV2_DSS_SIG = 3,
443 };
444
445 /* refer to RFC 2409 */
446
447 #if 0
448 /* isakmp sa structure */
449 struct oakley_sa {
450         uint8_t  proto_id;            /* OAKLEY */
451         vchar_t   *spi;                /* spi */
452         uint8_t  dhgrp;               /* DH; group */
453         uint8_t  auth_t;              /* method of authentication */
454         uint8_t  prf_t;               /* type of prf */
455         uint8_t  hash_t;              /* type of hash */
456         uint8_t  enc_t;               /* type of cipher */
457         uint8_t  life_t;              /* type of duration of lifetime */
458         uint32_t ldur;                /* life duration */
459 };
460 #endif
461
462 /* refer to RFC 2407 */
463
464 #define IPSEC_DOI 1
465
466 /* 4.2 IPSEC Situation Definition */
467 #define IPSECDOI_SIT_IDENTITY_ONLY           0x00000001
468 #define IPSECDOI_SIT_SECRECY                 0x00000002
469 #define IPSECDOI_SIT_INTEGRITY               0x00000004
470
471 /* 4.4.1 IPSEC Security Protocol Identifiers */
472   /* 4.4.2 IPSEC ISAKMP Transform Values */
473 #define IPSECDOI_PROTO_ISAKMP                        1
474 #define   IPSECDOI_KEY_IKE                             1
475
476 /* 4.4.1 IPSEC Security Protocol Identifiers */
477 #define IPSECDOI_PROTO_IPSEC_AH                      2
478   /* 4.4.3 IPSEC AH Transform Values */
479 #define   IPSECDOI_AH_MD5                              2
480 #define   IPSECDOI_AH_SHA                              3
481 #define   IPSECDOI_AH_DES                              4
482 #define   IPSECDOI_AH_SHA2_256                         5
483 #define   IPSECDOI_AH_SHA2_384                         6
484 #define   IPSECDOI_AH_SHA2_512                         7
485
486 /* 4.4.1 IPSEC Security Protocol Identifiers */
487 #define IPSECDOI_PROTO_IPSEC_ESP                     3
488   /* 4.4.4 IPSEC ESP Transform Identifiers */
489 #define   IPSECDOI_ESP_DES_IV64                        1
490 #define   IPSECDOI_ESP_DES                             2
491 #define   IPSECDOI_ESP_3DES                            3
492 #define   IPSECDOI_ESP_RC5                             4
493 #define   IPSECDOI_ESP_IDEA                            5
494 #define   IPSECDOI_ESP_CAST                            6
495 #define   IPSECDOI_ESP_BLOWFISH                        7
496 #define   IPSECDOI_ESP_3IDEA                           8
497 #define   IPSECDOI_ESP_DES_IV32                        9
498 #define   IPSECDOI_ESP_RC4                            10
499 #define   IPSECDOI_ESP_NULL                           11
500 #define   IPSECDOI_ESP_RIJNDAEL                         12
501 #define   IPSECDOI_ESP_AES                              12
502
503 /* 4.4.1 IPSEC Security Protocol Identifiers */
504 #define IPSECDOI_PROTO_IPCOMP                        4
505   /* 4.4.5 IPSEC IPCOMP Transform Identifiers */
506 #define   IPSECDOI_IPCOMP_OUI                          1
507 #define   IPSECDOI_IPCOMP_DEFLATE                      2
508 #define   IPSECDOI_IPCOMP_LZS                          3
509
510 /* 4.5 IPSEC Security Association Attributes */
511 #define IPSECDOI_ATTR_SA_LTYPE                1 /* B */
512 #define   IPSECDOI_ATTR_SA_LTYPE_DEFAULT        1
513 #define   IPSECDOI_ATTR_SA_LTYPE_SEC            1
514 #define   IPSECDOI_ATTR_SA_LTYPE_KB             2
515 #define IPSECDOI_ATTR_SA_LDUR                 2 /* V */
516 #define   IPSECDOI_ATTR_SA_LDUR_DEFAULT         28800 /* 8 hours */
517 #define IPSECDOI_ATTR_GRP_DESC                3 /* B */
518 #define IPSECDOI_ATTR_ENC_MODE                4 /* B */
519         /* default value: host dependent */
520 #define   IPSECDOI_ATTR_ENC_MODE_TUNNEL         1
521 #define   IPSECDOI_ATTR_ENC_MODE_TRNS           2
522 #define IPSECDOI_ATTR_AUTH                    5 /* B */
523         /* 0 means not to use authentication. */
524 #define   IPSECDOI_ATTR_AUTH_HMAC_MD5           1
525 #define   IPSECDOI_ATTR_AUTH_HMAC_SHA1          2
526 #define   IPSECDOI_ATTR_AUTH_DES_MAC            3
527 #define   IPSECDOI_ATTR_AUTH_KPDK               4 /*RFC-1826(Key/Pad/Data/Key)*/
528         /*
529          * When negotiating ESP without authentication, the Auth
530          * Algorithm attribute MUST NOT be included in the proposal.
531          * When negotiating ESP without confidentiality, the Auth
532          * Algorithm attribute MUST be included in the proposal and
533          * the ESP transform ID must be ESP_NULL.
534         */
535 #define IPSECDOI_ATTR_KEY_LENGTH              6 /* B */
536 #define IPSECDOI_ATTR_KEY_ROUNDS              7 /* B */
537 #define IPSECDOI_ATTR_COMP_DICT_SIZE          8 /* B */
538 #define IPSECDOI_ATTR_COMP_PRIVALG            9 /* V */
539
540 /* 4.6.1 Security Association Payload */
541 struct ipsecdoi_sa {
542         struct isakmp_gen h;
543         uint32_t doi; /* Domain of Interpretation */
544         uint32_t sit; /* Situation */
545 };
546
547 struct ipsecdoi_secrecy_h {
548         uint16_t len;
549         uint16_t reserved;
550 };
551
552 /* 4.6.2.1 Identification Type Values */
553 struct ipsecdoi_id {
554         struct isakmp_gen h;
555         uint8_t  type;          /* ID Type */
556         uint8_t  proto_id;      /* Protocol ID */
557         uint16_t port;          /* Port */
558         /* Identification Data */
559 };
560
561 #define IPSECDOI_ID_IPV4_ADDR                        1
562 #define IPSECDOI_ID_FQDN                             2
563 #define IPSECDOI_ID_USER_FQDN                        3
564 #define IPSECDOI_ID_IPV4_ADDR_SUBNET                 4
565 #define IPSECDOI_ID_IPV6_ADDR                        5
566 #define IPSECDOI_ID_IPV6_ADDR_SUBNET                 6
567 #define IPSECDOI_ID_IPV4_ADDR_RANGE                  7
568 #define IPSECDOI_ID_IPV6_ADDR_RANGE                  8
569 #define IPSECDOI_ID_DER_ASN1_DN                      9
570 #define IPSECDOI_ID_DER_ASN1_GN                      10
571 #define IPSECDOI_ID_KEY_ID                           11
572
573 /* 4.6.3 IPSEC DOI Notify Message Types */
574 /* Notify Messages - Status Types */
575 #define IPSECDOI_NTYPE_RESPONDER_LIFETIME                  24576
576 #define IPSECDOI_NTYPE_REPLAY_STATUS                       24577
577 #define IPSECDOI_NTYPE_INITIAL_CONTACT                     24578
578
579 #define DECLARE_PRINTER(func) static const u_char *ike##func##_print( \
580                 netdissect_options *ndo, u_char tpay,                 \
581                 const struct isakmp_gen *ext,                         \
582                 u_int item_len, \
583                 const u_char *end_pointer, \
584                 uint32_t phase,\
585                 uint32_t doi0, \
586                 uint32_t proto0, int depth)
587
588 DECLARE_PRINTER(v1_sa);
589 DECLARE_PRINTER(v1_p);
590 DECLARE_PRINTER(v1_t);
591 DECLARE_PRINTER(v1_ke);
592 DECLARE_PRINTER(v1_id);
593 DECLARE_PRINTER(v1_cert);
594 DECLARE_PRINTER(v1_cr);
595 DECLARE_PRINTER(v1_sig);
596 DECLARE_PRINTER(v1_hash);
597 DECLARE_PRINTER(v1_nonce);
598 DECLARE_PRINTER(v1_n);
599 DECLARE_PRINTER(v1_d);
600 DECLARE_PRINTER(v1_vid);
601
602 DECLARE_PRINTER(v2_sa);
603 DECLARE_PRINTER(v2_ke);
604 DECLARE_PRINTER(v2_ID);
605 DECLARE_PRINTER(v2_cert);
606 DECLARE_PRINTER(v2_cr);
607 DECLARE_PRINTER(v2_auth);
608 DECLARE_PRINTER(v2_nonce);
609 DECLARE_PRINTER(v2_n);
610 DECLARE_PRINTER(v2_d);
611 DECLARE_PRINTER(v2_vid);
612 DECLARE_PRINTER(v2_TS);
613 DECLARE_PRINTER(v2_cp);
614 DECLARE_PRINTER(v2_eap);
615
616 static const u_char *ikev2_e_print(netdissect_options *ndo,
617                                    struct isakmp *base,
618                                    u_char tpay,
619                                    const struct isakmp_gen *ext,
620                                    u_int item_len,
621                                    const u_char *end_pointer,
622                                    uint32_t phase,
623                                    uint32_t doi0,
624                                    uint32_t proto0, int depth);
625
626
627 static const u_char *ike_sub0_print(netdissect_options *ndo,u_char, const struct isakmp_gen *,
628         const u_char *, uint32_t, uint32_t, uint32_t, int);
629 static const u_char *ikev1_sub_print(netdissect_options *ndo,u_char, const struct isakmp_gen *,
630         const u_char *, uint32_t, uint32_t, uint32_t, int);
631
632 static const u_char *ikev2_sub_print(netdissect_options *ndo,
633                                      struct isakmp *base,
634                                      u_char np, const struct isakmp_gen *ext,
635                                      const u_char *ep, uint32_t phase,
636                                      uint32_t doi, uint32_t proto,
637                                      int depth);
638
639
640 static char *numstr(int);
641
642 static void
643 ikev1_print(netdissect_options *ndo,
644             const u_char *bp,  u_int length,
645             const u_char *bp2, struct isakmp *base);
646
/*
 * Initiator-cookie cache: a fixed ring of MAXINITIATORS slots remembering
 * which address pair was seen with which initiator cookie.
 *
 * ninitiator is the index of the slot cookie_record() writes next; it
 * wraps modulo MAXINITIATORS, so the oldest entries are overwritten.
 *
 * NOTE(review): both ninitiator and cookiecache are non-static, i.e. they
 * have external linkage, and they are process-wide mutable state filled
 * from packet contents.  As file-scope objects they start out all zero, so
 * an unused slot holds an all-zero cookie and version 0.
 */
#define MAXINITIATORS   20
int ninitiator = 0;
union inaddr_u {
        struct in_addr in4;
#ifdef INET6
        struct in6_addr in6;
#endif
};
struct {
        cookie_t initiator;     /* initiator cookie copied from the packet */
        u_int version;          /* IP version of the recorded packet: 4 or 6 */
        union inaddr_u iaddr;   /* source address of the recorded packet */
        union inaddr_u raddr;   /* destination address of the recorded packet */
} cookiecache[MAXINITIATORS];
661
662 /* protocol id */
663 static const char *protoidstr[] = {
664         NULL, "isakmp", "ipsec-ah", "ipsec-esp", "ipcomp",
665 };
666
/*
 * isakmp->np: short display name per payload type, indexed by the numeric
 * Next Payload value (0-48).  The slot order must stay in step with
 * npfunc[] below.  It is read through NPSTR(), which falls back to numstr()
 * for values past the end of the table.
 */
static const char *npstr[] = {
        "none", "sa", "p", "t", "ke", "id", "cert", "cr", "hash", /* 0 - 8 */
        "sig", "nonce", "n", "d", "vid",      /* 9 - 13 */
        "pay14", "pay15", "pay16", "pay17", "pay18", /* 14- 18 */
        "pay19", "pay20", "pay21", "pay22", "pay23", /* 19- 23 */
        "pay24", "pay25", "pay26", "pay27", "pay28", /* 24- 28 */
        "pay29", "pay30", "pay31", "pay32",          /* 29- 32 */
        "v2sa",  "v2ke",  "v2IDi", "v2IDr", "v2cert",/* 33- 37 */
        "v2cr",  "v2auth","v2nonce", "v2n",   "v2d",   /* 38- 42 */
        "v2vid", "v2TSi", "v2TSr", "v2e",   "v2cp",  /* 43- 47 */
        "v2eap",                                     /* 48 */

};
681
/*
 * isakmp->np: payload printer dispatch table, indexed by the numeric Next
 * Payload value (0-48) in the same order as npstr[] above.
 *
 * The index is a byte taken from the packet, so the table must only be
 * read through NPFUNC(), which checks the index against the table size and
 * returns NULL for empty slots.  Slots 0 and 14-32 have no printer.  Slot
 * 46 (the v2 encrypted payload) is NULL on purpose: ikev2_e_print takes an
 * extra `base` argument and so does not fit this function-pointer type.
 */
static const u_char *(*npfunc[])(netdissect_options *ndo, u_char tpay,
                                 const struct isakmp_gen *ext,
                                 u_int item_len,
                                 const u_char *end_pointer,
                                 uint32_t phase,
                                 uint32_t doi0,
                                 uint32_t proto0, int depth) = {
        NULL,
        ikev1_sa_print,
        ikev1_p_print,
        ikev1_t_print,
        ikev1_ke_print,
        ikev1_id_print,
        ikev1_cert_print,
        ikev1_cr_print,
        ikev1_hash_print,
        ikev1_sig_print,
        ikev1_nonce_print,
        ikev1_n_print,
        ikev1_d_print,
        ikev1_vid_print,                  /* 13 */
        NULL, NULL, NULL, NULL, NULL,     /* 14- 18 */
        NULL, NULL, NULL, NULL, NULL,     /* 19- 23 */
        NULL, NULL, NULL, NULL, NULL,     /* 24- 28 */
        NULL, NULL, NULL, NULL,           /* 29- 32 */
        ikev2_sa_print,                 /* 33 */
        ikev2_ke_print,                 /* 34 */
        ikev2_ID_print,                 /* 35 */
        ikev2_ID_print,                 /* 36 */
        ikev2_cert_print,               /* 37 */
        ikev2_cr_print,                 /* 38 */
        ikev2_auth_print,               /* 39 */
        ikev2_nonce_print,              /* 40 */
        ikev2_n_print,                  /* 41 */
        ikev2_d_print,                  /* 42 */
        ikev2_vid_print,                /* 43 */
        ikev2_TS_print,                 /* 44 */
        ikev2_TS_print,                 /* 45 */
        NULL, /* ikev2_e_print,*/       /* 46 - special */
        ikev2_cp_print,                 /* 47 */
        ikev2_eap_print,                /* 48 */
};
725
726 /* isakmp->etype */
727 static const char *etypestr[] = {
728 /* IKEv1 exchange types */
729         "none", "base", "ident", "auth", "agg", "inf", NULL, NULL,  /* 0-7 */
730         NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,  /*  8-15 */
731         NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,  /* 16-23 */
732         NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,  /* 24-31 */
733         "oakley-quick", "oakley-newgroup",               /* 32-33 */
734 /* IKEv2 exchange types */
735         "ikev2_init", "ikev2_auth", "child_sa", "inf2"   /* 34-37 */
736 };
737
/*
 * STR_OR_ID(x, tab): the name stored in tab[x], or numstr(x) when x is
 * past the end of tab or the slot is NULL.
 *  - tab must be a real array; sizeof on a pointer would give a wrong bound.
 *  - The bound test compares against a sizeof expression, so on the usual
 *    platforms it is done in size_t and a negative x fails it instead of
 *    indexing backwards.
 *  - x is expanded more than once; do not pass an expression with side
 *    effects.
 */
#define STR_OR_ID(x, tab) \
        (((x) < sizeof(tab)/sizeof(tab[0]) && tab[(x)]) ? tab[(x)] : numstr(x))
#define PROTOIDSTR(x)   STR_OR_ID(x, protoidstr)
#define NPSTR(x)        STR_OR_ID(x, npstr)
#define ETYPESTR(x)     STR_OR_ID(x, etypestr)

/*
 * CHECKLEN(p, np): print a " [|name]" marker and jump to `done` when p lies
 * beyond ep.  It relies on `ep`, `ndo` and a `done:` label being present in
 * the function that expands it.
 * NOTE(review): the test is `ep < p`, so p == ep passes, and nothing here
 * checks that a whole structure fits between p and ep (presumably the end
 * of the captured data) -- readers of *p need their own bounds check.
 * NOTE(review): the body is a bare `if`, not wrapped in do { } while (0),
 * so using it directly before an `else` would capture that else.
 */
#define CHECKLEN(p, np)                                                 \
                if (ep < (u_char *)(p)) {                               \
                        ND_PRINT((ndo," [|%s]", NPSTR(np)));            \
                        goto done;                                      \
                }


/*
 * NPFUNC(x): printer for payload type x, or NULL when x is outside npfunc[]
 * or the slot is empty.  Callers must test the result before calling it.
 * x is expanded more than once.
 */
#define NPFUNC(x) \
        (((x) < sizeof(npfunc)/sizeof(npfunc[0]) && npfunc[(x)]) \
                ? npfunc[(x)] : NULL)
754
/*
 * Report whether the l bytes starting at p are all zero.
 * Returns 1 when every byte is zero (also when l is 0), otherwise 0.
 * The caller guarantees that p points at l or more readable bytes.
 */
static int
iszero(u_char *p, size_t l)
{
        size_t idx;

        for (idx = 0; idx < l; idx++) {
                if (p[idx] != 0)
                        return 0;
        }
        return 1;
}
764
/*
 * Look up an initiator cookie in cookiecache.
 * Returns the index of the first slot whose stored cookie equals *in, or
 * -1 when no slot matches.
 * NOTE(review): all MAXINITIATORS slots are compared, including ones never
 * written.  Those are still all zero, so an all-zero cookie matches an
 * unused slot -- confirm callers handle that case.
 */
static int
cookie_find(cookie_t *in)
{
        int slot = 0;

        while (slot < MAXINITIATORS) {
                if (!memcmp(in, &cookiecache[slot].initiator, sizeof(*in)))
                        return slot;
                slot++;
        }

        return -1;
}
778
/*
 * Remember the initiator cookie *in together with the source and
 * destination addresses of the IP header at bp2.
 *
 * If the cookie is already cached, nothing is stored and only the write
 * position moves to the slot after the match.  Otherwise the slot at
 * ninitiator is filled in and ninitiator advances, wrapping at
 * MAXINITIATORS.  Headers whose version is not handled here are ignored.
 */
static void
cookie_record(cookie_t *in, const u_char *bp2)
{
        struct ip *ip4 = (struct ip *)bp2;
#ifdef INET6
        struct ip6_hdr *ip6h;
#endif
        int found = cookie_find(in);

        if (found >= 0) {
                ninitiator = (found + 1) % MAXINITIATORS;
                return;
        }

        switch (IP_V(ip4)) {
#ifdef INET6
        case 6:
                ip6h = (struct ip6_hdr *)bp2;
                cookiecache[ninitiator].version = 6;
                UNALIGNED_MEMCPY(&cookiecache[ninitiator].iaddr.in6, &ip6h->ip6_src, sizeof(struct in6_addr));
                UNALIGNED_MEMCPY(&cookiecache[ninitiator].raddr.in6, &ip6h->ip6_dst, sizeof(struct in6_addr));
                break;
#endif
        case 4:
                cookiecache[ninitiator].version = 4;
                UNALIGNED_MEMCPY(&cookiecache[ninitiator].iaddr.in4, &ip4->ip_src, sizeof(struct in_addr));
                UNALIGNED_MEMCPY(&cookiecache[ninitiator].raddr.in4, &ip4->ip_dst, sizeof(struct in_addr));
                break;
        default:
                /* unknown IP version: leave the cache untouched */
                return;
        }

        UNALIGNED_MEMCPY(&cookiecache[ninitiator].initiator, in, sizeof(*in));
        ninitiator = (ninitiator + 1) % MAXINITIATORS;
}
816
/* Convenience wrappers: is the sender of the packet at y the initiator / responder of slot x? */
#define cookie_isinitiator(x, y)        cookie_sidecheck((x), (y), 1)
#define cookie_isresponder(x, y)        cookie_sidecheck((x), (y), 0)
/*
 * Compare the source address of the IP header at bp2 with one side of the
 * cached exchange in slot i: the recorded initiator address when
 * `initiator` is non-zero, the recorded responder address otherwise.
 *
 * Returns 1 on a match and 0 otherwise, including when the header's IP
 * version differs from the cached one or is not handled here.
 * i indexes cookiecache[] directly with no range check in this function,
 * so the caller has to pass a valid slot number.
 */
static int
cookie_sidecheck(int i, const u_char *bp2, int initiator)
{
        struct ip *ip4 = (struct ip *)bp2;
#ifdef INET6
        struct ip6_hdr *ip6h;
#endif
        const void *cached;

        switch (IP_V(ip4)) {
        case 4:
                if (cookiecache[i].version != 4)
                        return 0;
                cached = initiator ? (const void *)&cookiecache[i].iaddr.in4
                                   : (const void *)&cookiecache[i].raddr.in4;
                if (UNALIGNED_MEMCMP(&ip4->ip_src, cached, sizeof(struct in_addr)) == 0)
                        return 1;
                break;
#ifdef INET6
        case 6:
                if (cookiecache[i].version != 6)
                        return 0;
                ip6h = (struct ip6_hdr *)bp2;
                cached = initiator ? (const void *)&cookiecache[i].iaddr.in6
                                   : (const void *)&cookiecache[i].raddr.in6;
                if (UNALIGNED_MEMCMP(&ip6h->ip6_src, cached, sizeof(struct in6_addr)) == 0)
                        return 1;
                break;
#endif /* INET6 */
        default:
                break;
        }

        return 0;
}
860
/*
 * Print len bytes starting at loc as lowercase two-digit hex, with no
 * separators.  No bounds check is done here; the caller has to make sure
 * the bytes are readable (rawprint() does so before calling).
 */
static void
hexprint(netdissect_options *ndo, caddr_t loc, size_t len)
{
        const u_char *byte = (const u_char *)loc;
        size_t left;

        for (left = len; left > 0; left--, byte++)
                ND_PRINT((ndo,"%02x", *byte & 0xff));
}
871
/*
 * Hex-dump len bytes at loc, but only after confirming that the whole
 * range lies inside the captured packet data.
 * Returns 1 when the bytes were printed, 0 when the range is truncated
 * (nothing is printed in that case).
 */
static int
rawprint(netdissect_options *ndo, caddr_t loc, size_t len)
{
        if (!ND_TTEST2(*loc, len))
                return 0;

        hexprint(ndo, loc, len);
        return 1;
}
882
883
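/*
 * Print an abbreviated hex dump of the bytes in [cp, ep): up to the first
 * 10 bytes, then "...", then up to the last 20 bytes that were not already
 * shown.
 *
 * Returns 1 on success.  Returns 0 (false) if we run out of data buffer,
 * i.e. rawprint() reports truncation, or if ep lies before cp.
 */
static int ike_show_somedata(netdissect_options *ndo,
                             const u_char *cp, const u_char *ep)
{
        int avail, head, tail;

        ND_PRINT((ndo," data=("));

        /*
         * Both pointers come from packet-derived lengths.  A negative span
         * would become a huge size_t when handed to rawprint(), so reject
         * it here instead of relying on the bounds macro to catch the wrap.
         */
        if (ep < cp)
                goto trunc;

        /*
         * Work with lengths rather than computing "ep - 20" up front: for a
         * short buffer that pointer would lie before the start of the data.
         */
        avail = ep - cp;
        head = (avail > 10) ? 10 : avail;
        tail = avail - head;
        if (tail > 20)
                tail = 20;

        if (!rawprint(ndo, (caddr_t)(cp), head))
                goto trunc;
        ND_PRINT((ndo, "..."));
        if (tail) {
                if (!rawprint(ndo, (caddr_t)(ep - tail), tail))
                        goto trunc;
        }
        ND_PRINT((ndo,")"));
        return 1;

trunc:
        return 0;
}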
916
/*
 * Description of one attribute type, used by ikev1_attrmap_print().
 * The tables of these are indexed by the attribute type number.
 */
struct attrmap {
        const char *type;       /* attribute name, or NULL to print the number */
        u_int nvalue;           /* value indices below this may be looked up in value[] */
        const char *value[30];  /* names by value index, NULL if unnamed; XXX fixed capacity, nvalue must not exceed it */
};
922
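/*
 * Print one IKEv1 data attribute located at p, using map (nmap entries,
 * indexed by attribute type) to turn type and value numbers into names.
 *
 * When the top bit of the first byte is set the attribute is 4 bytes long
 * and bytes 2-3 are the value; otherwise bytes 2-3 are the length of the
 * value that follows the 4-byte header.
 *
 * ep is the end of the region the attribute may occupy.  Returns a pointer
 * just past the attribute.  If the attribute does not fit before ep, or
 * is not fully captured, "[|attr]" is printed and ep + 1 is returned so
 * that a caller looping on "cp < ep" stops.
 */
static const u_char *
ikev1_attrmap_print(netdissect_options *ndo,
                    const u_char *p, const u_char *ep,
                    const struct attrmap *map, size_t nmap)
{
        int totlen;
        uint32_t t, v;

        /*
         * The 4-byte header comes straight from the packet: make sure it
         * lies inside the region and inside the captured data before any
         * of it is read.
         */
        if (ep < p || ep - p < 4)
                goto trunc;
        ND_TCHECK2(p[0], 4);

        if (p[0] & 0x80)
                totlen = 4;
        else
                totlen = 4 + EXTRACT_16BITS(&p[2]);
        if (ep - p < totlen)
                goto trunc;

        ND_PRINT((ndo,"("));
        t = EXTRACT_16BITS(&p[0]) & 0x7fff;
        if (map && t < nmap && map[t].type)
                ND_PRINT((ndo,"type=%s ", map[t].type));
        else
                ND_PRINT((ndo,"type=#%d ", t));
        if (p[0] & 0x80) {
                ND_PRINT((ndo,"value="));
                v = EXTRACT_16BITS(&p[2]);
                if (map && t < nmap && v < map[t].nvalue && map[t].value[v])
                        ND_PRINT((ndo,"%s", map[t].value[v]));
                else if (!rawprint(ndo, (caddr_t)&p[2], 2))
                        goto trunc_open;
        } else {
                ND_PRINT((ndo,"len=%d value=", totlen - 4));
                /* the value may extend past the captured data even if it fits before ep */
                if (!rawprint(ndo, (caddr_t)&p[4], totlen - 4))
                        goto trunc_open;
        }
        ND_PRINT((ndo,")"));
        return p + totlen;

trunc_open:
        ND_PRINT((ndo,")"));
trunc:
        ND_PRINT((ndo,"[|attr]"));
        return ep + 1;
}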
960
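/*
 * Print one IKEv1 data attribute located at p without any name tables:
 * the type is shown as a number and the value as hex.
 *
 * When the top bit of the first byte is set the attribute is 4 bytes long
 * and bytes 2-3 are the value; otherwise bytes 2-3 are the length of the
 * value that follows the 4-byte header.
 *
 * ep is the end of the region the attribute may occupy.  Returns a pointer
 * just past the attribute.  If the attribute does not fit before ep, or
 * is not fully captured, "[|attr]" is printed and ep + 1 is returned so
 * that a caller looping on "cp < ep" stops.
 */
static const u_char *
ikev1_attr_print(netdissect_options *ndo, const u_char *p, const u_char *ep)
{
        int totlen;
        uint32_t t;

        /*
         * The 4-byte header comes straight from the packet: make sure it
         * lies inside the region and inside the captured data before any
         * of it is read.
         */
        if (ep < p || ep - p < 4)
                goto trunc;
        ND_TCHECK2(p[0], 4);

        if (p[0] & 0x80)
                totlen = 4;
        else
                totlen = 4 + EXTRACT_16BITS(&p[2]);
        if (ep - p < totlen)
                goto trunc;

        ND_PRINT((ndo,"("));
        t = EXTRACT_16BITS(&p[0]) & 0x7fff;
        ND_PRINT((ndo,"type=#%d ", t));
        if (p[0] & 0x80) {
                ND_PRINT((ndo,"value="));
                if (!rawprint(ndo, (caddr_t)&p[2], 2))
                        goto trunc_open;
        } else {
                ND_PRINT((ndo,"len=%d value=", totlen - 4));
                /* the value may extend past the captured data even if it fits before ep */
                if (!rawprint(ndo, (caddr_t)&p[4], totlen - 4))
                        goto trunc_open;
        }
        ND_PRINT((ndo,")"));
        return p + totlen;

trunc_open:
        ND_PRINT((ndo,")"));
trunc:
        ND_PRINT((ndo,"[|attr]"));
        return ep + 1;
}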
990
/*
 * Print an IKEv1 SA payload: the DOI, the situation bits and, for the
 * IPsec DOI (doi == 1), the proposal payloads nested after the header.
 *
 * For any other DOI only the numeric doi and situation are printed and a
 * pointer just past the fixed SA header is returned.  Otherwise the result
 * of ikev1_sub_print() on the nested proposals is returned.  Returns NULL
 * after printing a truncation marker when the capture is too short.
 */
static const u_char *
ikev1_sa_print(netdissect_options *ndo, u_char tpay _U_,
               const struct isakmp_gen *ext,
                u_int item_len _U_,
                const u_char *ep, uint32_t phase, uint32_t doi0 _U_,
                uint32_t proto0, int depth)
{
        const struct ikev1_pl_sa *p = (struct ikev1_pl_sa *)ext;
        struct ikev1_pl_sa sa;
        uint32_t doi, sit, ident;
        const u_char *next;
        const char *sep = "";   /* becomes "+" once one situation flag was printed */

        ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_SA)));

        ND_TCHECK(*p);
        UNALIGNED_MEMCPY(&sa, ext, sizeof(sa));
        doi = ntohl(sa.doi);
        sit = ntohl(sa.sit);
        if (doi != 1) {
                ND_PRINT((ndo," doi=%d", doi));
                ND_PRINT((ndo," situation=%u", sit));
                return (u_char *)(p + 1);
        }

        ND_PRINT((ndo," doi=ipsec"));
        ND_PRINT((ndo," situation="));
        if (sit & 0x01) {
                ND_PRINT((ndo,"identity"));
                sep = "+";
        }
        if (sit & 0x02) {
                ND_PRINT((ndo,"%ssecrecy", sep));
                sep = "+";
        }
        if (sit & 0x04)
                ND_PRINT((ndo,"%sintegrity", sep));

        next = (u_char *)ext + sizeof(sa);
        if (sit != 0x01) {
                /*
                 * NOTE(review): the identifier is read from ext + 1, while
                 * `next` is advanced from ext + sizeof(sa).  If struct
                 * isakmp_gen is smaller than struct ikev1_pl_sa these are
                 * different offsets -- confirm which one is intended.
                 */
                ND_TCHECK2(*(ext + 1), sizeof(ident));
                UNALIGNED_MEMCPY(&ident, ext + 1, sizeof(ident));
                ND_PRINT((ndo," ident=%u", (uint32_t)ntohl(ident)));
                next += sizeof(ident);
        }

        ext = (struct isakmp_gen *)next;
        ND_TCHECK(*ext);

        return ikev1_sub_print(ndo, ISAKMP_NPTYPE_P, ext, ep, phase, doi, proto0,
                depth);

trunc:
        ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_SA)));
        return NULL;
}
1050
/*
 * Print an IKEv1 proposal payload: proposal number, protocol id, number of
 * transforms and, when spi_size is non-zero, the SPI in hex.  The
 * transform payloads that follow the SPI are then printed through
 * ikev1_sub_print(), with the proposal's protocol id passed down.
 *
 * Returns what ikev1_sub_print() returns, or NULL after printing a
 * truncation marker when the capture is too short.
 */
static const u_char *
ikev1_p_print(netdissect_options *ndo, u_char tpay _U_,
              const struct isakmp_gen *ext, u_int item_len _U_,
               const u_char *ep, uint32_t phase, uint32_t doi0,
               uint32_t proto0 _U_, int depth)
{
        const struct ikev1_pl_p *p = (struct ikev1_pl_p *)ext;
        struct ikev1_pl_p prop;
        const u_char *after_spi;

        ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_P)));

        ND_TCHECK(*p);
        UNALIGNED_MEMCPY(&prop, ext, sizeof(prop));
        ND_PRINT((ndo," #%d protoid=%s transform=%d",
                  prop.p_no, PROTOIDSTR(prop.prot_id), prop.num_t));
        if (prop.spi_size != 0) {
                ND_PRINT((ndo," spi="));
                /* spi_size comes from the packet; rawprint() bounds-checks it */
                if (!rawprint(ndo, (caddr_t)(p + 1), prop.spi_size))
                        goto trunc;
        }

        after_spi = (u_char *)(p + 1) + prop.spi_size;
        ext = (struct isakmp_gen *)after_spi;
        ND_TCHECK(*ext);

        return ikev1_sub_print(ndo, ISAKMP_NPTYPE_T, ext, ep, phase, doi0,
                               prop.prot_id, depth);

trunc:
        ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_P)));
        return NULL;
}
1085
/*
 * Name tables indexed by an identifier taken from the packet.  A NULL slot
 * means "no name".  The tables used through STR_OR_ID() in
 * ikev1_t_print() (ikev1_p_map, ah_p_map, esp_p_map, ipcomp_p_map) get a
 * numeric fallback for NULL slots and for out-of-range indices.
 */

/* IKEv1 transform ids for protocol 1 */
static const char *ikev1_p_map[] = {
        NULL, "ike",
};

/* presumably IKEv2 transform type names -- not referenced in this part of the file */
static const char *ikev2_t_type_map[]={
        NULL, "encr", "prf", "integ", "dh", "esn"
};

/* transform ids for protocol 2 */
static const char *ah_p_map[] = {
        NULL, "(reserved)", "md5", "sha", "1des",
        "sha2-256", "sha2-384", "sha2-512",
};

static const char *prf_p_map[] = {
        NULL, "hmac-md5", "hmac-sha", "hmac-tiger",
        "aes128_xcbc"
};

static const char *integ_p_map[] = {
        NULL, "hmac-md5", "hmac-sha", "dec-mac",
        "kpdk-md5", "aes-xcbc"
};

static const char *esn_p_map[] = {
        "no-esn", "esn"
};

/* Diffie-Hellman group names, indexed by group number */
static const char *dh_p_map[] = {
        NULL, "modp768",
        "modp1024",    /* group 2 */
        "EC2N 2^155",  /* group 3 */
        "EC2N 2^185",  /* group 4 */
        "modp1536",    /* group 5 */
        "iana-grp06", "iana-grp07", /* reserved */
        "iana-grp08", "iana-grp09",
        "iana-grp10", "iana-grp11",
        "iana-grp12", "iana-grp13",
        "modp2048",    /* group 14 */
        "modp3072",    /* group 15 */
        "modp4096",    /* group 16 */
        "modp6144",    /* group 17 */
        "modp8192",    /* group 18 */
};

/* transform ids for protocol 3 */
static const char *esp_p_map[] = {
        NULL, "1des-iv64", "1des", "3des", "rc5", "idea", "cast",
        "blowfish", "3idea", "1des-iv32", "rc4", "null", "aes"
};

/* transform ids for protocol 4 */
static const char *ipcomp_p_map[] = {
        NULL, "oui", "deflate", "lzs",
};
1138
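/*
 * Attribute names and value names for the transforms of protocols 2, 3
 * and 4 (see ikev1_t_print()), indexed by attribute type.
 *
 * nvalue is an exclusive upper bound on the value index that
 * ikev1_attrmap_print() will look up, so it has to equal the number of
 * initialisers in value[], the leading NULL included.
 */
static const struct attrmap ipsec_t_map[] = {
        { NULL, 0, { NULL } },
        { "lifetype", 3, { NULL, "sec", "kb", }, },
        { "life", 0, { NULL } },
        /* 19 entries (indices 0-18); a bound of 18 left group 18 unnamed */
        { "group desc", 19,     { NULL, "modp768",
                                  "modp1024",    /* group 2 */
                                  "EC2N 2^155",  /* group 3 */
                                  "EC2N 2^185",  /* group 4 */
                                  "modp1536",    /* group 5 */
                                  "iana-grp06", "iana-grp07", /* reserved */
                                  "iana-grp08", "iana-grp09",
                                  "iana-grp10", "iana-grp11",
                                  "iana-grp12", "iana-grp13",
                                  "modp2048",    /* group 14 */
                                  "modp3072",    /* group 15 */
                                  "modp4096",    /* group 16 */
                                  "modp6144",    /* group 17 */
                                  "modp8192",    /* group 18 */
                }, },
        { "enc mode", 3, { NULL, "tunnel", "transport", }, },
        { "auth", 5, { NULL, "hmac-md5", "hmac-sha1", "1des-mac", "keyed", }, },
        { "keylen", 0, { NULL } },
        { "rounds", 0, { NULL } },
        { "dictsize", 0, { NULL } },
        { "privalg", 0, { NULL } },
};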
1165
/*
 * Attribute table with a single named entry, "keylen", at index 14; the
 * slots before it are empty placeholders.  Not referenced in this part of
 * the file.
 * NOTE(review): the "keylen" entry has nvalue 14 but no value names, so
 * the bound has no visible effect -- confirm whether 0 was intended.
 */
static const struct attrmap encr_t_map[] = {
        { NULL, 0, { NULL } },  { NULL, 0, { NULL } },  /* 0, 1 */
        { NULL, 0, { NULL } },  { NULL, 0, { NULL } },  /* 2, 3 */
        { NULL, 0, { NULL } },  { NULL, 0, { NULL } },  /* 4, 5 */
        { NULL, 0, { NULL } },  { NULL, 0, { NULL } },  /* 6, 7 */
        { NULL, 0, { NULL } },  { NULL, 0, { NULL } },  /* 8, 9 */
        { NULL, 0, { NULL } },  { NULL, 0, { NULL } },  /* 10,11*/
        { NULL, 0, { NULL } },  { NULL, 0, { NULL } },  /* 12,13*/
        { "keylen", 14, { NULL }},
};
1176
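/*
 * Attribute names and value names for the transforms of protocol 1 (see
 * ikev1_t_print()), indexed by attribute type.
 *
 * nvalue is an exclusive upper bound on the value index that
 * ikev1_attrmap_print() will look up, so it has to equal the number of
 * initialisers in value[], the leading NULL included.
 */
static const struct attrmap oakley_t_map[] = {
        { NULL, 0, { NULL } },
        { "enc", 8,     { NULL, "1des", "idea", "blowfish", "rc5",
                          "3des", "cast", "aes", }, },
        { "hash", 7,    { NULL, "md5", "sha1", "tiger",
                          "sha2-256", "sha2-384", "sha2-512", }, },
        { "auth", 6,    { NULL, "preshared", "dss", "rsa sig", "rsa enc",
                          "rsa enc revised", }, },
        /* 19 entries (indices 0-18); a bound of 18 left group 18 unnamed */
        { "group desc", 19,     { NULL, "modp768",
                                  "modp1024",    /* group 2 */
                                  "EC2N 2^155",  /* group 3 */
                                  "EC2N 2^185",  /* group 4 */
                                  "modp1536",    /* group 5 */
                                  "iana-grp06", "iana-grp07", /* reserved */
                                  "iana-grp08", "iana-grp09",
                                  "iana-grp10", "iana-grp11",
                                  "iana-grp12", "iana-grp13",
                                  "modp2048",    /* group 14 */
                                  "modp3072",    /* group 15 */
                                  "modp4096",    /* group 16 */
                                  "modp6144",    /* group 17 */
                                  "modp8192",    /* group 18 */
                }, },
        { "group type", 4,      { NULL, "MODP", "ECP", "EC2N", }, },
        { "group prime", 0, { NULL } },
        { "group gen1", 0, { NULL } },
        { "group gen2", 0, { NULL } },
        { "group curve A", 0, { NULL } },
        { "group curve B", 0, { NULL } },
        { "lifetype", 3,        { NULL, "sec", "kb", }, },
        { "lifeduration", 0, { NULL } },
        { "prf", 0, { NULL } },
        { "keylen", 0, { NULL } },
        { "field", 0, { NULL } },
        { "order", 0, { NULL } },
};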
1213
/*
 * Print an IKEv1 transform payload: transform number, transform id and the
 * attributes that follow the fixed header.
 *
 * proto selects the name tables: 1 uses ikev1_p_map / oakley_t_map; 2, 3
 * and 4 use ah_p_map, esp_p_map and ipcomp_p_map together with
 * ipsec_t_map.  For any other proto the id and the attributes are printed
 * numerically.
 *
 * Attributes are read until either ep or the end of this payload
 * (start + item_len) is reached; "..." is appended when ep comes first.
 * Returns the position after the last attribute printed, or NULL after a
 * truncation marker when the fixed header is not captured.
 */
static const u_char *
ikev1_t_print(netdissect_options *ndo, u_char tpay _U_,
              const struct isakmp_gen *ext, u_int item_len,
              const u_char *ep, uint32_t phase _U_, uint32_t doi _U_,
              uint32_t proto, int depth _U_)
{
        const struct ikev1_pl_t *p = (struct ikev1_pl_t *)ext;
        struct ikev1_pl_t t;
        const u_char *cp, *ep2, *limit;
        const char *idstr = NULL;
        const struct attrmap *map = NULL;
        size_t nmap = 0;

        ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_T)));

        ND_TCHECK(*p);
        UNALIGNED_MEMCPY(&t, ext, sizeof(t));

        /* pick the transform-id name; STR_OR_ID needs the array itself */
        switch (proto) {
        case 1:
                idstr = STR_OR_ID(t.t_id, ikev1_p_map);
                break;
        case 2:
                idstr = STR_OR_ID(t.t_id, ah_p_map);
                break;
        case 3:
                idstr = STR_OR_ID(t.t_id, esp_p_map);
                break;
        case 4:
                idstr = STR_OR_ID(t.t_id, ipcomp_p_map);
                break;
        default:
                break;
        }

        /* pick the attribute table */
        if (proto == 1) {
                map = oakley_t_map;
                nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]);
        } else if (proto >= 2 && proto <= 4) {
                map = ipsec_t_map;
                nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
        }

        if (idstr != NULL)
                ND_PRINT((ndo," #%d id=%s ", t.t_no, idstr));
        else
                ND_PRINT((ndo," #%d id=%d ", t.t_no, t.t_id));

        cp = (u_char *)(p + 1);
        ep2 = (u_char *)p + item_len;
        /* attributes may not run past whichever end comes first */
        limit = (ep < ep2) ? ep : ep2;
        while (cp < ep && cp < ep2) {
                if (map && nmap)
                        cp = ikev1_attrmap_print(ndo, cp, limit, map, nmap);
                else
                        cp = ikev1_attr_print(ndo, cp, limit);
        }
        if (ep < ep2)
                ND_PRINT((ndo,"..."));
        return cp;

trunc:
        ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_T)));
        return NULL;
}
1282
/*
 * Print an IKEv1 key-exchange payload: the key length (payload length
 * minus the 4-byte generic header) and, when ndo_vflag is above 2, the key
 * data in hex.
 *
 * The length is taken from the payload header itself, not from item_len.
 * Returns a pointer past the payload, or NULL after a truncation marker.
 */
static const u_char *
ikev1_ke_print(netdissect_options *ndo, u_char tpay _U_,
               const struct isakmp_gen *ext, u_int item_len _U_,
               const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_,
               uint32_t proto _U_, int depth _U_)
{
        struct isakmp_gen e;
        int paylen;

        ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_KE)));

        ND_TCHECK(*ext);
        UNALIGNED_MEMCPY(&e, ext, sizeof(e));
        paylen = ntohs(e.len);
        ND_PRINT((ndo," key len=%d", paylen - 4));
        if (ndo->ndo_vflag > 2 && paylen > 4) {
                ND_PRINT((ndo," "));
                if (!rawprint(ndo, (caddr_t)(ext + 1), paylen - 4))
                        goto trunc;
        }
        return (u_char *)ext + paylen;

trunc:
        ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_KE)));
        return NULL;
}
1306
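/*
 * Print an IKEv1 identification payload.
 *
 * With USE_IPSECDOI_IN_PHASE1 defined (as it is below), phases 1 and 2 are
 * decoded as an IPsec DOI identification: id type, protocol, port and then
 * the identification data according to the type.  Any other phase prints
 * the generic id type and doi_data only.
 *
 * The identification data is item_len minus the fixed header.  Every
 * address-style type checks that the data is long enough for all the
 * bytes it formats before touching them.  Data that was not decoded by
 * type is reported by length and, when ndo_vflag is above 2, dumped in
 * hex.
 *
 * Returns a pointer past the payload (ext + item_len), or NULL after a
 * truncation marker when the capture is too short.
 */
static const u_char *
ikev1_id_print(netdissect_options *ndo, u_char tpay _U_,
               const struct isakmp_gen *ext, u_int item_len,
               const u_char *ep _U_, uint32_t phase, uint32_t doi _U_,
               uint32_t proto _U_, int depth _U_)
{
#define USE_IPSECDOI_IN_PHASE1  1
        const struct ikev1_pl_id *p;
        struct ikev1_pl_id id;
        static const char *idtypestr[] = {
                "IPv4", "IPv4net", "IPv6", "IPv6net",
        };
        static const char *ipsecidtypestr[] = {
                NULL, "IPv4", "FQDN", "user FQDN", "IPv4net", "IPv6",
                "IPv6net", "IPv4range", "IPv6range", "ASN1 DN", "ASN1 GN",
                "keyid",
        };
        int len;
        const u_char *data;

        ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_ID)));

        p = (struct ikev1_pl_id *)ext;
        ND_TCHECK(*p);
        UNALIGNED_MEMCPY(&id, ext, sizeof(id));
        /* anything beyond the fixed header is identification data */
        if (sizeof(*p) < item_len) {
                data = (u_char *)(p + 1);
                len = item_len - sizeof(*p);
        } else {
                data = NULL;
                len = 0;
        }

#if 0 /*debug*/
        ND_PRINT((ndo," [phase=%d doi=%d proto=%d]", phase, doi, proto));
#endif
        switch (phase) {
#ifndef USE_IPSECDOI_IN_PHASE1
        case 1:
#endif
        default:
                ND_PRINT((ndo," idtype=%s", STR_OR_ID(id.d.id_type, idtypestr)));
                ND_PRINT((ndo," doi_data=%u",
                          (uint32_t)(ntohl(id.d.doi_data) & 0xffffff)));
                break;

#ifdef USE_IPSECDOI_IN_PHASE1
        case 1:
#endif
        case 2:
            {
                const struct ipsecdoi_id *doi_p;
                struct ipsecdoi_id doi_id;
                struct protoent *pe;

                doi_p = (struct ipsecdoi_id *)ext;
                ND_TCHECK(*doi_p);
                UNALIGNED_MEMCPY(&doi_id, ext, sizeof(doi_id));
                ND_PRINT((ndo," idtype=%s", STR_OR_ID(doi_id.type, ipsecidtypestr)));
                /* A protocol ID of 0 DOES NOT mean IPPROTO_IP! */
                pe = doi_id.proto_id ? getprotobynumber(doi_id.proto_id) : NULL;
                if (pe)
                        ND_PRINT((ndo," protoid=%s", pe->p_name));
                else
                        ND_PRINT((ndo," protoid=%u", doi_id.proto_id));
                ND_PRINT((ndo," port=%d", ntohs(doi_id.port)));
                if (!len)
                        break;
                if (data == NULL)
                        goto trunc;
                /* only the first len bytes of data are known to be captured */
                ND_TCHECK2(*data, len);
                switch (doi_id.type) {
                case IPSECDOI_ID_IPV4_ADDR:
                        if (len < 4)
                                ND_PRINT((ndo," len=%d [bad: < 4]", len));
                        else
                                ND_PRINT((ndo," len=%d %s", len, ipaddr_string(ndo, data)));
                        len = 0;
                        break;
                case IPSECDOI_ID_FQDN:
                case IPSECDOI_ID_USER_FQDN:
                    {
                        int i;
                        ND_PRINT((ndo," len=%d ", len));
                        /* untrusted text: print through safeputchar() */
                        for (i = 0; i < len; i++)
                                safeputchar(ndo, data[i]);
                        len = 0;
                        break;
                    }
                case IPSECDOI_ID_IPV4_ADDR_SUBNET:
                    {
                        const u_char *mask;
                        if (len < 8)
                                ND_PRINT((ndo," len=%d [bad: < 8]", len));
                        else {
                                mask = data + sizeof(struct in_addr);
                                ND_PRINT((ndo," len=%d %s/%u.%u.%u.%u", len,
                                          ipaddr_string(ndo, data),
                                          mask[0], mask[1], mask[2], mask[3]));
                        }
                        len = 0;
                        break;
                    }
#ifdef INET6
                case IPSECDOI_ID_IPV6_ADDR:
                        if (len < 16)
                                ND_PRINT((ndo," len=%d [bad: < 16]", len));
                        else
                                ND_PRINT((ndo," len=%d %s", len, ip6addr_string(ndo, data)));
                        len = 0;
                        break;
                case IPSECDOI_ID_IPV6_ADDR_SUBNET:
                    {
                        const u_char *mask;
                        /*
                         * Address (16 bytes) plus the 16 mask bytes that
                         * are formatted below: 32 bytes are needed.  A
                         * smaller bound would let mask[] be read beyond
                         * the len bytes checked above.
                         */
                        if (len < 32)
                                ND_PRINT((ndo," len=%d [bad: < 32]", len));
                        else {
                                mask = (u_char *)(data + sizeof(struct in6_addr));
                                /*XXX*/
                                ND_PRINT((ndo," len=%d %s/0x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x", len,
                                          ip6addr_string(ndo, data),
                                          mask[0], mask[1], mask[2], mask[3],
                                          mask[4], mask[5], mask[6], mask[7],
                                          mask[8], mask[9], mask[10], mask[11],
                                          mask[12], mask[13], mask[14], mask[15]));
                        }
                        len = 0;
                        break;
                    }
#endif /*INET6*/
                case IPSECDOI_ID_IPV4_ADDR_RANGE:
                        if (len < 8)
                                ND_PRINT((ndo," len=%d [bad: < 8]", len));
                        else {
                                ND_PRINT((ndo," len=%d %s-%s", len,
                                          ipaddr_string(ndo, data),
                                          ipaddr_string(ndo, data + sizeof(struct in_addr))));
                        }
                        len = 0;
                        break;
#ifdef INET6
                case IPSECDOI_ID_IPV6_ADDR_RANGE:
                        if (len < 32)
                                ND_PRINT((ndo," len=%d [bad: < 32]", len));
                        else {
                                ND_PRINT((ndo," len=%d %s-%s", len,
                                          ip6addr_string(ndo, data),
                                          ip6addr_string(ndo, data + sizeof(struct in6_addr))));
                        }
                        len = 0;
                        break;
#endif /*INET6*/
                case IPSECDOI_ID_DER_ASN1_DN:
                case IPSECDOI_ID_DER_ASN1_GN:
                case IPSECDOI_ID_KEY_ID:
                        /* not decoded; len stays set so the data is reported below */
                        break;
                }
                break;
            }
        }
        /* len is still non-zero only for data that was not decoded above */
        if (data && len) {
                ND_PRINT((ndo," len=%d", len));
                if (2 < ndo->ndo_vflag) {
                        ND_PRINT((ndo," "));
                        if (!rawprint(ndo, (caddr_t)data, len))
                                goto trunc;
                }
        }
        return (u_char *)ext + item_len;
trunc:
        ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_ID)));
        return NULL;
}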
1480
/*
 * Print an IKEv1 certificate payload: data length (item_len minus 4),
 * the certificate encoding name and, when ndo_vflag is above 2 and there
 * is data, the bytes after the generic header in hex.
 *
 * Returns a pointer past the payload (ext + item_len), or NULL after a
 * truncation marker when the capture is too short.
 */
static const u_char *
ikev1_cert_print(netdissect_options *ndo, u_char tpay _U_,
                 const struct isakmp_gen *ext, u_int item_len _U_,
                 const u_char *ep _U_, uint32_t phase _U_,
                 uint32_t doi0 _U_,
                 uint32_t proto0 _U_, int depth _U_)
{
        static const char *certstr[] = {
                "none", "pkcs7", "pgp", "dns",
                "x509sign", "x509ke", "kerberos", "crl",
                "arl", "spki", "x509attr",
        };
        const struct ikev1_pl_cert *p = (struct ikev1_pl_cert *)ext;
        struct ikev1_pl_cert cert;

        ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_CERT)));

        ND_TCHECK(*p);
        UNALIGNED_MEMCPY(&cert, ext, sizeof(cert));
        ND_PRINT((ndo," len=%d", item_len - 4));
        ND_PRINT((ndo," type=%s", STR_OR_ID((cert.encode), certstr)));
        if (ndo->ndo_vflag > 2 && item_len > 4) {
                ND_PRINT((ndo," "));
                if (!rawprint(ndo, (caddr_t)(ext + 1), item_len - 4))
                        goto trunc;
        }
        return (u_char *)ext + item_len;

trunc:
        ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_CERT)));
        return NULL;
}
1513
/*
 * Print an IKEv1 certificate-request payload.  It is decoded with the same
 * layout as a certificate payload: data length (item_len minus 4), the
 * encoding name and, when ndo_vflag is above 2 and there is data, the
 * bytes after the generic header in hex.
 *
 * Returns a pointer past the payload (ext + item_len), or NULL after a
 * truncation marker when the capture is too short.
 */
static const u_char *
ikev1_cr_print(netdissect_options *ndo, u_char tpay _U_,
               const struct isakmp_gen *ext, u_int item_len _U_,
               const u_char *ep _U_, uint32_t phase _U_, uint32_t doi0 _U_,
               uint32_t proto0 _U_, int depth _U_)
{
        static const char *certstr[] = {
                "none", "pkcs7", "pgp", "dns",
                "x509sign", "x509ke", "kerberos", "crl",
                "arl", "spki", "x509attr",
        };
        const struct ikev1_pl_cert *p = (struct ikev1_pl_cert *)ext;
        struct ikev1_pl_cert cert;

        ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_CR)));

        ND_TCHECK(*p);
        UNALIGNED_MEMCPY(&cert, ext, sizeof(cert));
        ND_PRINT((ndo," len=%d", item_len - 4));
        ND_PRINT((ndo," type=%s", STR_OR_ID((cert.encode), certstr)));
        if (ndo->ndo_vflag > 2 && item_len > 4) {
                ND_PRINT((ndo," "));
                if (!rawprint(ndo, (caddr_t)(ext + 1), item_len - 4))
                        goto trunc;
        }
        return (u_char *)ext + item_len;

trunc:
        ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_CR)));
        return NULL;
}
1545
/*
 * Print an IKEv1 hash payload: the hash length (payload length minus the
 * 4-byte generic header) and, when ndo_vflag is above 2, the hash bytes in
 * hex.
 *
 * The length is taken from the payload header itself, not from item_len.
 * Returns a pointer past the payload, or NULL after a truncation marker.
 */
static const u_char *
ikev1_hash_print(netdissect_options *ndo, u_char tpay _U_,
                 const struct isakmp_gen *ext, u_int item_len _U_,
                 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_,
                 uint32_t proto _U_, int depth _U_)
{
        struct isakmp_gen e;
        int paylen;

        ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_HASH)));

        ND_TCHECK(*ext);
        UNALIGNED_MEMCPY(&e, ext, sizeof(e));
        paylen = ntohs(e.len);
        ND_PRINT((ndo," len=%d", paylen - 4));
        if (ndo->ndo_vflag > 2 && paylen > 4) {
                ND_PRINT((ndo," "));
                if (!rawprint(ndo, (caddr_t)(ext + 1), paylen - 4))
                        goto trunc;
        }
        return (u_char *)ext + paylen;

trunc:
        ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_HASH)));
        return NULL;
}
1569
/*
 * Print an IKEv1 signature payload: the signature length (payload length
 * minus the 4-byte generic header) and, when ndo_vflag is above 2, the
 * signature bytes in hex.
 *
 * The length is taken from the payload header itself, not from item_len.
 * Returns a pointer past the payload, or NULL after a truncation marker.
 */
static const u_char *
ikev1_sig_print(netdissect_options *ndo, u_char tpay _U_,
                const struct isakmp_gen *ext, u_int item_len _U_,
                const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_,
                uint32_t proto _U_, int depth _U_)
{
        struct isakmp_gen e;
        int paylen;

        ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_SIG)));

        ND_TCHECK(*ext);
        UNALIGNED_MEMCPY(&e, ext, sizeof(e));
        paylen = ntohs(e.len);
        ND_PRINT((ndo," len=%d", paylen - 4));
        if (ndo->ndo_vflag > 2 && paylen > 4) {
                ND_PRINT((ndo," "));
                if (!rawprint(ndo, (caddr_t)(ext + 1), paylen - 4))
                        goto trunc;
        }
        return (u_char *)ext + paylen;

trunc:
        ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_SIG)));
        return NULL;
}
1593
/*
 * Print an IKEv1 NONCE payload.
 *
 * Always prints the payload name and data length. When the payload carries
 * data, ndo_vflag greater than 2 dumps all of it through rawprint(), and
 * ndo_vflag equal to 2 shows an excerpt through ike_show_somedata().
 *
 * The length is read from the generic header and is sender-controlled; a
 * zero return from either helper is reported as truncation.
 *
 * Returns a pointer just past the payload, or NULL after printing the
 * truncation marker.
 */
static const u_char *
ikev1_nonce_print(netdissect_options *ndo, u_char tpay _U_,
		  const struct isakmp_gen *ext,
		  u_int item_len _U_,
		  const u_char *ep _U_,
		  uint32_t phase _U_, uint32_t doi _U_,
		  uint32_t proto _U_, int depth _U_)
{
	struct isakmp_gen hdr;
	int total_len;

	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_NONCE)));

	ND_TCHECK(*ext);
	UNALIGNED_MEMCPY(&hdr, ext, sizeof(hdr));
	total_len = ntohs(hdr.len);

	ND_PRINT((ndo," n len=%d", total_len - 4));
	if (total_len > 4) {
		if (ndo->ndo_vflag > 2) {
			/* Full dump of the nonce data. */
			ND_PRINT((ndo," "));
			if (!rawprint(ndo, (caddr_t)(ext + 1), total_len - 4))
				goto trunc;
		} else if (ndo->ndo_vflag > 1) {
			/* Excerpt only; ep bounds what the helper may read. */
			ND_PRINT((ndo," "));
			if (!ike_show_somedata(ndo, (u_char *)(caddr_t)(ext + 1), ep))
				goto trunc;
		}
	}
	return (u_char *)ext + total_len;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_NONCE)));
	return NULL;
}
1623
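/*
 * Print an IKEv1 Notification payload.
 *
 * Prints the DOI, protocol, notify type and (if present) the SPI. For the
 * IPsec DOI (doi == 1) any notification data that follows the SPI is printed
 * as well, interpreted according to the notify type.
 *
 * Every field used here (doi, type, spi_size and the payload length passed in
 * as item_len) comes from the packet and must be treated as untrusted:
 *  - the fixed header is bounds-checked with ND_TCHECK before it is copied;
 *  - the 32-bit replay-status word is bounds-checked before it is extracted;
 *  - item_len is checked against the header and SPI sizes before the
 *    remaining length is computed, so the subtraction cannot wrap.
 *
 * ep is the caller-supplied end of the data; ep2 is the end of this payload
 * as declared by item_len.
 *
 * Returns a pointer just past the payload, or NULL on truncation or when a
 * nested printer fails.
 */
static const u_char *
ikev1_n_print(netdissect_options *ndo, u_char tpay _U_,
	      const struct isakmp_gen *ext, u_int item_len,
	      const u_char *ep, uint32_t phase, uint32_t doi0 _U_,
	      uint32_t proto0 _U_, int depth)
{
	struct ikev1_pl_n *p, n;
	const u_char *cp;
	u_char *ep2;
	uint32_t doi;
	uint32_t proto;
	static const char *notify_error_str[] = {
		NULL,				"INVALID-PAYLOAD-TYPE",
		"DOI-NOT-SUPPORTED",		"SITUATION-NOT-SUPPORTED",
		"INVALID-COOKIE",		"INVALID-MAJOR-VERSION",
		"INVALID-MINOR-VERSION",	"INVALID-EXCHANGE-TYPE",
		"INVALID-FLAGS",		"INVALID-MESSAGE-ID",
		"INVALID-PROTOCOL-ID",		"INVALID-SPI",
		"INVALID-TRANSFORM-ID",		"ATTRIBUTES-NOT-SUPPORTED",
		"NO-PROPOSAL-CHOSEN",		"BAD-PROPOSAL-SYNTAX",
		"PAYLOAD-MALFORMED",		"INVALID-KEY-INFORMATION",
		"INVALID-ID-INFORMATION",	"INVALID-CERT-ENCODING",
		"INVALID-CERTIFICATE",		"CERT-TYPE-UNSUPPORTED",
		"INVALID-CERT-AUTHORITY",	"INVALID-HASH-INFORMATION",
		"AUTHENTICATION-FAILED",	"INVALID-SIGNATURE",
		"ADDRESS-NOTIFICATION",		"NOTIFY-SA-LIFETIME",
		"CERTIFICATE-UNAVAILABLE",	"UNSUPPORTED-EXCHANGE-TYPE",
		"UNEQUAL-PAYLOAD-LENGTHS",
	};
	static const char *ipsec_notify_error_str[] = {
		"RESERVED",
	};
	static const char *notify_status_str[] = {
		"CONNECTED",
	};
	static const char *ipsec_notify_status_str[] = {
		"RESPONDER-LIFETIME",		"REPLAY-STATUS",
		"INITIAL-CONTACT",
	};
/*
 * NOTE: these macros must be called with x in the range given above each
 * one; the subtraction is done before the table lookup.
 */

/* 0 - 8191 */
#define NOTIFY_ERROR_STR(x) \
	STR_OR_ID((x), notify_error_str)

/* 8192 - 16383 */
#define IPSEC_NOTIFY_ERROR_STR(x) \
	STR_OR_ID((u_int)((x) - 8192), ipsec_notify_error_str)

/* 16384 - 24575 */
#define NOTIFY_STATUS_STR(x) \
	STR_OR_ID((u_int)((x) - 16384), notify_status_str)

/* 24576 - 32767 */
#define IPSEC_NOTIFY_STATUS_STR(x) \
	STR_OR_ID((u_int)((x) - 24576), ipsec_notify_status_str)

	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_N)));

	p = (struct ikev1_pl_n *)ext;
	/* Make sure the whole fixed header was captured before copying it. */
	ND_TCHECK(*p);
	UNALIGNED_MEMCPY(&n, ext, sizeof(n));
	doi = ntohl(n.doi);
	proto = n.prot_id;
	if (doi != 1) {
		/* Not the IPsec DOI: print numeric fields and the SPI only. */
		ND_PRINT((ndo," doi=%d", doi));
		ND_PRINT((ndo," proto=%d", proto));
		if (ntohs(n.type) < 8192)
			ND_PRINT((ndo," type=%s", NOTIFY_ERROR_STR(ntohs(n.type))));
		else if (ntohs(n.type) < 16384)
			ND_PRINT((ndo," type=%s", numstr(ntohs(n.type))));
		else if (ntohs(n.type) < 24576)
			ND_PRINT((ndo," type=%s", NOTIFY_STATUS_STR(ntohs(n.type))));
		else
			ND_PRINT((ndo," type=%s", numstr(ntohs(n.type))));
		if (n.spi_size) {
			ND_PRINT((ndo," spi="));
			if (!rawprint(ndo, (caddr_t)(p + 1), n.spi_size))
				goto trunc;
		}
		return (u_char *)(p + 1) + n.spi_size;
	}

	ND_PRINT((ndo," doi=ipsec"));
	ND_PRINT((ndo," proto=%s", PROTOIDSTR(proto)));
	if (ntohs(n.type) < 8192)
		ND_PRINT((ndo," type=%s", NOTIFY_ERROR_STR(ntohs(n.type))));
	else if (ntohs(n.type) < 16384)
		ND_PRINT((ndo," type=%s", IPSEC_NOTIFY_ERROR_STR(ntohs(n.type))));
	else if (ntohs(n.type) < 24576)
		ND_PRINT((ndo," type=%s", NOTIFY_STATUS_STR(ntohs(n.type))));
	else if (ntohs(n.type) < 32768)
		ND_PRINT((ndo," type=%s", IPSEC_NOTIFY_STATUS_STR(ntohs(n.type))));
	else
		ND_PRINT((ndo," type=%s", numstr(ntohs(n.type))));
	if (n.spi_size) {
		ND_PRINT((ndo," spi="));
		if (!rawprint(ndo, (caddr_t)(p + 1), n.spi_size))
			goto trunc;
	}

	cp = (u_char *)(p + 1) + n.spi_size;
	ep2 = (u_char *)p + item_len;

	if (cp < ep) {
		ND_PRINT((ndo," orig=("));
		switch (ntohs(n.type)) {
		case IPSECDOI_NTYPE_RESPONDER_LIFETIME:
		    {
			const struct attrmap *map = oakley_t_map;
			size_t nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]);
			/* Stop at whichever end comes first. */
			while (cp < ep && cp < ep2) {
				cp = ikev1_attrmap_print(ndo, cp,
					(ep < ep2) ? ep : ep2, map, nmap);
			}
			break;
		    }
		case IPSECDOI_NTYPE_REPLAY_STATUS:
			/*
			 * cp < ep only guarantees one byte; check that all
			 * four bytes of the status word were captured before
			 * reading them.
			 */
			ND_TCHECK2(*cp, 4);
			ND_PRINT((ndo,"replay detection %sabled",
				  EXTRACT_32BITS(cp) ? "en" : "dis"));
			break;
		case ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN:
			if (ikev1_sub_print(ndo, ISAKMP_NPTYPE_SA,
					    (struct isakmp_gen *)cp, ep, phase, doi, proto,
					    depth) == NULL)
				return NULL;
			break;
		default:
			/*
			 * item_len and spi_size both come from the packet.
			 * Reject a payload too short to hold its own header
			 * and SPI, so the length below cannot wrap around.
			 */
			if (item_len < sizeof(*p) + n.spi_size)
				goto trunc;
			/* NULL is dummy */
			isakmp_print(ndo, cp,
				     item_len - sizeof(*p) - n.spi_size,
				     NULL);
		}
		ND_PRINT((ndo,")"));
	}
	return (u_char *)ext + item_len;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_N)));
	return NULL;
}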
1764
/*
 * Print an IKEv1 Delete payload: DOI, protocol, SPI size, SPI count and the
 * comma-separated list of SPIs.
 *
 * spi_size and num_spi are read from the packet, so the number and size of
 * the SPIs are sender-controlled. Each SPI is printed through rawprint(); a
 * zero return from it is reported as truncation.
 *
 * Returns a pointer just past the last SPI printed, or NULL after printing
 * the truncation marker.
 */
static const u_char *
ikev1_d_print(netdissect_options *ndo, u_char tpay _U_,
	      const struct isakmp_gen *ext, u_int item_len _U_,
	      const u_char *ep _U_, uint32_t phase _U_, uint32_t doi0 _U_,
	      uint32_t proto0 _U_, int depth _U_)
{
	const struct ikev1_pl_d *pl;
	struct ikev1_pl_d d;
	const uint8_t *spi;
	uint32_t doi;
	uint32_t proto;
	int nspi;
	int idx;

	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_D)));

	pl = (struct ikev1_pl_d *)ext;
	/* The whole fixed header must be captured before it is copied. */
	ND_TCHECK(*pl);
	UNALIGNED_MEMCPY(&d, ext, sizeof(d));
	doi = ntohl(d.doi);
	proto = d.prot_id;
	nspi = ntohs(d.num_spi);

	if (doi == 1) {
		ND_PRINT((ndo," doi=ipsec"));
		ND_PRINT((ndo," proto=%s", PROTOIDSTR(proto)));
	} else {
		ND_PRINT((ndo," doi=%u", doi));
		ND_PRINT((ndo," proto=%u", proto));
	}
	ND_PRINT((ndo," spilen=%u", d.spi_size));
	ND_PRINT((ndo," nspi=%u", nspi));
	ND_PRINT((ndo," spi="));

	/* The SPIs follow the fixed header back to back. */
	spi = (uint8_t *)(pl + 1);
	for (idx = 0; idx < nspi; idx++) {
		if (idx > 0)
			ND_PRINT((ndo,","));
		if (!rawprint(ndo, (caddr_t)spi, d.spi_size))
			goto trunc;
		spi += d.spi_size;
	}
	return spi;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_D)));
	return NULL;
}
1808
/*
 * Print an IKEv1 Vendor ID payload: the payload name, the data length and,
 * when ndo_vflag is greater than 2, a raw dump of the vendor ID data.
 *
 * The length is read from the generic header and is sender-controlled; the
 * dump relies on rawprint(), whose zero return is reported as truncation.
 *
 * Returns a pointer just past the payload, or NULL after printing the
 * truncation marker.
 */
static const u_char *
ikev1_vid_print(netdissect_options *ndo, u_char tpay _U_,
		const struct isakmp_gen *ext,
		u_int item_len _U_, const u_char *ep _U_,
		uint32_t phase _U_, uint32_t doi _U_,
		uint32_t proto _U_, int depth _U_)
{
	struct isakmp_gen hdr;
	int total_len;

	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_VID)));

	ND_TCHECK(*ext);
	UNALIGNED_MEMCPY(&hdr, ext, sizeof(hdr));
	total_len = ntohs(hdr.len);

	ND_PRINT((ndo," len=%d", total_len - 4));
	if (ndo->ndo_vflag > 2 && total_len > 4) {
		ND_PRINT((ndo," "));
		if (!rawprint(ndo, (caddr_t)(ext + 1), total_len - 4))
			goto trunc;
	}
	return (u_char *)ext + total_len;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_VID)));
	return NULL;
}
1833
1834 /************************************************************/
1835 /*                                                          */
1836 /*              IKE v2 - rfc4306 - dissector                */
1837 /*                                                          */
1838 /************************************************************/
1839
/*
 * Print an IKEv2 payload name followed by ':'; "[C]" is appended to the name
 * when bit 0x80 of the critical byte is set.
 */
static void
ikev2_pay_print(netdissect_options *ndo, const char *payname, int critical)
{
	const char *crit_tag = "";

	if (critical & 0x80)
		crit_tag = "[C]";
	ND_PRINT((ndo,"%s%s:", payname, crit_tag));
}
1845
/*
 * Generic IKEv2 payload printer: prints the payload name (from tpay) with
 * its critical flag, the data length and, when ndo_vflag is greater than 2,
 * a raw dump of the data after the generic header.
 *
 * The length is read from the generic header and is sender-controlled; the
 * dump relies on rawprint(), whose zero return is reported as truncation.
 *
 * Returns a pointer just past the payload, or NULL after printing the
 * truncation marker.
 */
static const u_char *
ikev2_gen_print(netdissect_options *ndo, u_char tpay,
		const struct isakmp_gen *ext)
{
	struct isakmp_gen hdr;
	int total_len;

	ND_TCHECK(*ext);
	UNALIGNED_MEMCPY(&hdr, ext, sizeof(hdr));
	ikev2_pay_print(ndo, NPSTR(tpay), hdr.critical);

	total_len = ntohs(hdr.len);
	ND_PRINT((ndo," len=%d", total_len - 4));
	if (ndo->ndo_vflag > 2 && total_len > 4) {
		ND_PRINT((ndo," "));
		if (!rawprint(ndo, (caddr_t)(ext + 1), total_len - 4))
			goto trunc;
	}
	return (u_char *)ext + total_len;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
	return NULL;
}
1867
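/*
 * Print an IKEv2 Transform substructure: its ordinal (pcount), transform
 * type, transform ID and any attributes that follow the fixed header.
 *
 * The transform ID is looked up in the table that matches the transform
 * type. For an unknown transform type it is printed numerically, in host
 * byte order (the value converted with ntohs(), not the raw wire field).
 *
 * Attributes are parsed up to whichever comes first: ep, the caller-supplied
 * end of the data, or ep2, the end of this transform as declared by
 * item_len. item_len comes from the packet and is untrusted.
 *
 * Returns the position reached after the attributes, or NULL after printing
 * the truncation marker.
 */
static const u_char *
ikev2_t_print(netdissect_options *ndo, u_char tpay _U_, int pcount,
	      const struct isakmp_gen *ext, u_int item_len,
	      const u_char *ep, uint32_t phase _U_, uint32_t doi _U_,
	      uint32_t proto _U_, int depth _U_)
{
	const struct ikev2_t *p;
	struct ikev2_t t;
	uint16_t  t_id;
	const u_char *cp;
	const char *idstr;
	const struct attrmap *map;
	size_t nmap;
	const u_char *ep2;
	const u_char *limit;

	p = (struct ikev2_t *)ext;
	/* The whole fixed header must be captured before it is copied. */
	ND_TCHECK(*p);
	UNALIGNED_MEMCPY(&t, ext, sizeof(t));
	ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_T), t.h.critical);

	t_id = ntohs(t.t_id);

	/* Only the encryption transform has a named attribute map here. */
	map = NULL;
	nmap = 0;

	switch (t.t_type) {
	case IV2_T_ENCR:
		idstr = STR_OR_ID(t_id, esp_p_map);
		map = encr_t_map;
		nmap = sizeof(encr_t_map)/sizeof(encr_t_map[0]);
		break;

	case IV2_T_PRF:
		idstr = STR_OR_ID(t_id, prf_p_map);
		break;

	case IV2_T_INTEG:
		idstr = STR_OR_ID(t_id, integ_p_map);
		break;

	case IV2_T_DH:
		idstr = STR_OR_ID(t_id, dh_p_map);
		break;

	case IV2_T_ESN:
		idstr = STR_OR_ID(t_id, esn_p_map);
		break;

	default:
		idstr = NULL;
		break;
	}

	if (idstr)
		ND_PRINT((ndo," #%u type=%s id=%s ", pcount,
			  STR_OR_ID(t.t_type, ikev2_t_type_map),
			  idstr));
	else
		/*
		 * Print the byte-swapped value; t.t_id is still in network
		 * byte order and would print wrongly on little-endian hosts.
		 */
		ND_PRINT((ndo," #%u type=%s id=%u ", pcount,
			  STR_OR_ID(t.t_type, ikev2_t_type_map),
			  t_id));

	cp = (u_char *)(p + 1);
	ep2 = (u_char *)p + item_len;
	/* Never parse attributes past the nearer of the two ends. */
	limit = (ep < ep2) ? ep : ep2;
	while (cp < ep && cp < ep2) {
		if (map && nmap)
			cp = ikev1_attrmap_print(ndo, cp, limit, map, nmap);
		else
			cp = ikev1_attr_print(ndo, cp, limit);
	}
	/* The declared transform runs past the available data. */
	if (ep < ep2)
		ND_PRINT((ndo,"..."));
	return cp;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_T)));
	return NULL;
}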
1945
/*
 * Print an IKEv2 Proposal substructure: proposal number, protocol ID,
 * transform count, declared length and (if present) the SPI, then hand the
 * transforms that follow to ikev2_sub_print().
 *
 * spi_size is read from the packet and decides where the first transform is
 * taken to start; that position is bounds-checked with ND_TCHECK before it
 * is passed on.
 *
 * Returns whatever ikev2_sub_print() returns, or NULL after printing the
 * truncation marker.
 */
static const u_char *
ikev2_p_print(netdissect_options *ndo, u_char tpay _U_, int pcount _U_,
	      const struct isakmp_gen *ext, u_int item_len _U_,
	       const u_char *ep, uint32_t phase, uint32_t doi0,
	       uint32_t proto0 _U_, int depth)
{
	const struct ikev2_p *pl = (struct ikev2_p *)ext;
	struct ikev2_p prop;

	/* The whole fixed header must be captured before it is copied. */
	ND_TCHECK(*pl);
	UNALIGNED_MEMCPY(&prop, ext, sizeof(prop));
	ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_P), prop.h.critical);

	ND_PRINT((ndo," #%u protoid=%s transform=%d len=%u",
		  prop.p_no,  PROTOIDSTR(prop.prot_id),
		  prop.num_t, ntohs(prop.h.len)));
	if (prop.spi_size != 0) {
		ND_PRINT((ndo," spi="));
		if (!rawprint(ndo, (caddr_t)(pl + 1), prop.spi_size))
			goto trunc;
	}

	/* The first transform starts right after the SPI. */
	ext = (struct isakmp_gen *)((u_char *)(pl + 1) + prop.spi_size);
	ND_TCHECK(*ext);

	return ikev2_sub_print(ndo, NULL, ISAKMP_NPTYPE_T, ext, ep, phase, doi0,
			       prop.prot_id, depth);
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_P)));
	return NULL;
}
1981
/*
 * Print an IKEv2 Security Association payload: the name "sa" with its
 * critical flag, the data length, and the proposals that follow the generic
 * header (through ikev2_sub_print()).
 *
 * The result of ikev2_sub_print() is not examined; the returned pointer is
 * computed only from the length in the generic header, which comes from the
 * packet.
 *
 * Returns a pointer just past the payload as declared by its header, or NULL
 * after printing the truncation marker.
 */
static const u_char *
ikev2_sa_print(netdissect_options *ndo, u_char tpay,
		const struct isakmp_gen *ext1,
		u_int item_len _U_, const u_char *ep _U_,
		uint32_t phase _U_, uint32_t doi _U_,
		uint32_t proto _U_, int depth _U_)
{
	struct isakmp_gen hdr;
	int total_len;

	ND_TCHECK(*ext1);
	UNALIGNED_MEMCPY(&hdr, ext1, sizeof(hdr));
	ikev2_pay_print(ndo, "sa", hdr.critical);

	total_len = ntohs(hdr.len);
	ND_PRINT((ndo," len=%d", total_len - 4));

	/* Proposals start immediately after the generic header. */
	ikev2_sub_print(ndo, NULL, ISAKMP_NPTYPE_P,
			ext1+1, ep,
			0, 0, 0, depth);

	return (u_char *)ext1 + total_len;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
	return NULL;
}
2009
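/*
 * Print an IKEv2 Key Exchange payload: the payload name with its critical
 * flag, the key data length, the DH group and, when ndo_vflag is greater
 * than 2, a raw dump of the key exchange data.
 *
 * The bounds check covers the whole struct ikev2_ke, not just the generic
 * header: the struct holds further fields after the header (ke_group is read
 * below), and all of it is copied out of the packet buffer.
 *
 * The length is read from the header and is sender-controlled; the dump
 * relies on rawprint(), whose zero return is reported as truncation.
 *
 * Returns a pointer just past the payload, or NULL after printing the
 * truncation marker.
 */
static const u_char *
ikev2_ke_print(netdissect_options *ndo, u_char tpay,
		const struct isakmp_gen *ext,
		u_int item_len _U_, const u_char *ep _U_,
		uint32_t phase _U_, uint32_t doi _U_,
		uint32_t proto _U_, int depth _U_)
{
	struct ikev2_ke ke;
	struct ikev2_ke *k;

	k = (struct ikev2_ke *)ext;
	/*
	 * Check the full KE header. Checking *ext would cover only the
	 * generic header and let the copy below read past the captured data.
	 */
	ND_TCHECK(*k);
	UNALIGNED_MEMCPY(&ke, ext, sizeof(ke));
	ikev2_pay_print(ndo, NPSTR(tpay), ke.h.critical);

	ND_PRINT((ndo," len=%u group=%s", ntohs(ke.h.len) - 8,
		  STR_OR_ID(ntohs(ke.ke_group), dh_p_map)));

	if (2 < ndo->ndo_vflag && 8 < ntohs(ke.h.len)) {
		ND_PRINT((ndo," "));
		if (!rawprint(ndo, (caddr_t)(k + 1), ntohs(ke.h.len) - 8))
			goto trunc;
	}
	return (u_char *)ext + ntohs(ke.h.len);
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
	return NULL;
}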
2038
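/*
 * Print an IKEv2 Identification payload: the payload name with its critical
 * flag, the data length, optionally a raw dump of everything after the
 * generic header (ndo_vflag greater than 2), and then the identity data
 * itself, labelled by ID type and shown as text or as hex.
 *
 * The bounds check covers the whole struct ikev2_id, not just the generic
 * header, because the struct holds further fields after the header (the ID
 * type is read below) and all of it is copied out of the packet buffer.
 *
 * Text identities (fqdn, rfc822) come from the packet; non-printable bytes
 * are replaced by '.' so they cannot inject control characters into the
 * output.
 *
 * Returns a pointer just past the payload, or NULL after printing the
 * truncation marker.
 */
static const u_char *
ikev2_ID_print(netdissect_options *ndo, u_char tpay,
		const struct isakmp_gen *ext,
		u_int item_len _U_, const u_char *ep _U_,
		uint32_t phase _U_, uint32_t doi _U_,
		uint32_t proto _U_, int depth _U_)
{
	struct ikev2_id id;
	int id_len, idtype_len, i;
	unsigned int dumpascii, dumphex;
	unsigned char *typedata;

	/*
	 * Check the full ID header. Checking *ext would cover only the
	 * generic header and let the copy below read past the captured data.
	 */
	ND_TCHECK2(*ext, sizeof(id));
	UNALIGNED_MEMCPY(&id, ext, sizeof(id));
	ikev2_pay_print(ndo, NPSTR(tpay), id.h.critical);

	id_len = ntohs(id.h.len);

	ND_PRINT((ndo," len=%d", id_len - 4));
	if (2 < ndo->ndo_vflag && 4 < id_len) {
		ND_PRINT((ndo," "));
		if (!rawprint(ndo, (caddr_t)(ext + 1), id_len - 4))
			goto trunc;
	}

	/*
	 * NOTE(review): idtype_len goes negative when the declared length is
	 * smaller than the ID header. The dump paths below then depend on
	 * ND_TCHECK2() and rawprint() rejecting such a length -- confirm.
	 */
	idtype_len =id_len - sizeof(struct ikev2_id);
	dumpascii = 0;
	dumphex   = 0;
	typedata  = (unsigned char *)(ext)+sizeof(struct ikev2_id);

	/* Unknown ID types print no label and no identity data. */
	switch(id.type) {
	case ID_IPV4_ADDR:
		ND_PRINT((ndo, " ipv4:"));
		dumphex=1;
		break;
	case ID_FQDN:
		ND_PRINT((ndo, " fqdn:"));
		dumpascii=1;
		break;
	case ID_RFC822_ADDR:
		ND_PRINT((ndo, " rfc822:"));
		dumpascii=1;
		break;
	case ID_IPV6_ADDR:
		ND_PRINT((ndo, " ipv6:"));
		dumphex=1;
		break;
	case ID_DER_ASN1_DN:
		ND_PRINT((ndo, " dn:"));
		dumphex=1;
		break;
	case ID_DER_ASN1_GN:
		ND_PRINT((ndo, " gn:"));
		dumphex=1;
		break;
	case ID_KEY_ID:
		ND_PRINT((ndo, " keyid:"));
		dumphex=1;
		break;
	}

	if(dumpascii) {
		/* Check the whole identity once, then print it byte by byte. */
		ND_TCHECK2(*typedata, idtype_len);
		for(i=0; i<idtype_len; i++) {
			if(ND_ISPRINT(typedata[i])) {
				ND_PRINT((ndo, "%c", typedata[i]));
			} else {
				ND_PRINT((ndo, "."));
			}
		}
	}
	if(dumphex) {
		if (!rawprint(ndo, (caddr_t)typedata, idtype_len))
			goto trunc;
	}

	return (u_char *)ext + id_len;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
	return NULL;
}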
2120
/*
 * Payload printer with the common printer signature that passes the payload
 * straight to ikev2_gen_print(); the remaining arguments are unused.
 *
 * Returns what ikev2_gen_print() returns.
 */
static const u_char *
ikev2_cert_print(netdissect_options *ndo, u_char tpay,
		const struct isakmp_gen *ext,
		u_int item_len _U_, const u_char *ep _U_,
		uint32_t phase _U_, uint32_t doi _U_,
		uint32_t proto _U_, int depth _U_)
{
	const u_char *next_payload;

	next_payload = ikev2_gen_print(ndo, tpay, ext);
	return next_payload;
}
2130
/*
 * Payload printer with the common printer signature that passes the payload
 * straight to ikev2_gen_print(); the remaining arguments are unused.
 *
 * Returns what ikev2_gen_print() returns.
 */
static const u_char *
ikev2_cr_print(netdissect_options *ndo, u_char tpay,
		const struct isakmp_gen *ext,
		u_int item_len _U_, const u_char *ep _U_,
		uint32_t phase _U_, uint32_t doi _U_,
		uint32_t proto _U_, int depth _U_)
{
	const u_char *next_payload;

	next_payload = ikev2_gen_print(ndo, tpay, ext);
	return next_payload;
}
2140
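/*
 * Print an IKEv2 Authentication payload: the payload name with its critical
 * flag, the data length, the authentication method and, depending on
 * ndo_vflag, either all of the authentication data (greater than 1) or an
 * excerpt of it (equal to 1).
 *
 * The bounds check covers the whole struct ikev2_auth, not just the generic
 * header, because the struct holds further fields after the header (the
 * method is read below) and all of it is copied out of the packet buffer.
 *
 * The length is read from the header and is sender-controlled; it is checked
 * against the header size before the data length is computed, so the
 * subtraction cannot wrap.
 *
 * Returns a pointer just past the payload, or NULL after printing the
 * truncation marker.
 */
static const u_char *
ikev2_auth_print(netdissect_options *ndo, u_char tpay,
		const struct isakmp_gen *ext,
		u_int item_len _U_, const u_char *ep _U_,
		uint32_t phase _U_, uint32_t doi _U_,
		uint32_t proto _U_, int depth _U_)
{
	struct ikev2_auth a;
	const char *v2_auth[]={ "invalid", "rsasig",
				"shared-secret", "dsssig" };
	u_char *authdata = (u_char*)ext + sizeof(a);
	unsigned int len;

	/*
	 * Check the full AUTH header. Checking *ext would cover only the
	 * generic header and let the copy below read past the captured data.
	 */
	ND_TCHECK2(*ext, sizeof(a));
	UNALIGNED_MEMCPY(&a, ext, sizeof(a));
	ikev2_pay_print(ndo, NPSTR(tpay), a.h.critical);
	len = ntohs(a.h.len);

	ND_PRINT((ndo," len=%d method=%s", len-4,
		  STR_OR_ID(a.auth_method, v2_auth)));

	if (1 < ndo->ndo_vflag && 4 < len) {
		ND_PRINT((ndo," authdata=("));
		/*
		 * A declared length shorter than the AUTH header would make
		 * the unsigned subtraction below wrap to a huge value.
		 */
		if (len < sizeof(a))
			goto trunc;
		if (!rawprint(ndo, (caddr_t)authdata, len - sizeof(a)))
			goto trunc;
		ND_PRINT((ndo,") "));
	} else if(ndo->ndo_vflag && 4 < len) {
		if(!ike_show_somedata(ndo, authdata, ep)) goto trunc;
	}

	return (u_char *)ext + len;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
	return NULL;
}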
2176
/*
 * Print an IKEv2 Nonce payload: the name "nonce" with its critical flag, the
 * data length and, depending on ndo_vflag, either all of the nonce data
 * (greater than 1) or an excerpt of it (equal to 1).
 *
 * The length is read from the generic header and is sender-controlled; a
 * zero return from rawprint() or ike_show_somedata() is reported as
 * truncation.
 *
 * Returns a pointer just past the payload, or NULL after printing the
 * truncation marker.
 */
static const u_char *
ikev2_nonce_print(netdissect_options *ndo, u_char tpay,
		const struct isakmp_gen *ext,
		u_int item_len _U_, const u_char *ep _U_,
		uint32_t phase _U_, uint32_t doi _U_,
		uint32_t proto _U_, int depth _U_)
{
	struct isakmp_gen hdr;
	int total_len;

	ND_TCHECK(*ext);
	UNALIGNED_MEMCPY(&hdr, ext, sizeof(hdr));
	ikev2_pay_print(ndo, "nonce", hdr.critical);

	total_len = ntohs(hdr.len);
	ND_PRINT((ndo," len=%d", total_len - 4));
	if (total_len > 4) {
		if (ndo->ndo_vflag > 1) {
			/* Full dump of the nonce data. */
			ND_PRINT((ndo," nonce=("));
			if (!rawprint(ndo, (caddr_t)(ext + 1), total_len - 4))
				goto trunc;
			ND_PRINT((ndo,") "));
		} else if (ndo->ndo_vflag) {
			/* Excerpt only; ep bounds what the helper may read. */
			if (!ike_show_somedata(ndo, (const u_char *)(ext+1), ep))
				goto trunc;
		}
	}

	return (u_char *)ext + total_len;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
	return NULL;
}
2205
2206 /* notify payloads */
/*
 * Print an IKEv2 Notify payload: protocol ID, notify type (number and
 * name), the SPI for those types that carry one, and optionally the
 * notification data.
 *
 * Known notify types are looked up in a table that gives the printed name
 * and says whether the SPI and an excerpt of the data are shown. Types not
 * in the table are named by numeric range and have their SPI shown.
 *
 * All data is shown when ndo_vflag is greater than 3. For types flagged for
 * an excerpt, the data is shown in full when fewer than 30 bytes remain
 * before ep, and through ike_show_somedata() otherwise.
 *
 * spi_size and the type come from the packet; a zero return from rawprint()
 * or ike_show_somedata() is reported as truncation.
 *
 * Returns a pointer just past the payload (ext + item_len), or NULL after
 * printing the truncation marker.
 */
static const u_char *
ikev2_n_print(netdissect_options *ndo, u_char tpay _U_,
		const struct isakmp_gen *ext,
		u_int item_len _U_, const u_char *ep _U_,
		uint32_t phase _U_, uint32_t doi _U_,
		uint32_t proto _U_, int depth _U_)
{
	/* The notify number space is sparse, hence a lookup table. */
	static const struct {
		uint32_t type;
		const char *name;
		u_char showspi;
		u_char showsomedata;
	} known_notify[] = {
		{ IV2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD, "unsupported_critical_payload", 0, 0 },
		{ IV2_NOTIFY_INVALID_IKE_SPI,              "invalid_ike_spi",              1, 0 },
		{ IV2_NOTIFY_INVALID_MAJOR_VERSION,        "invalid_major_version",        0, 0 },
		{ IV2_NOTIFY_INVALID_SYNTAX,               "invalid_syntax",               1, 0 },
		{ IV2_NOTIFY_INVALID_MESSAGE_ID,           "invalid_message_id",           1, 0 },
		{ IV2_NOTIFY_INVALID_SPI,                  "invalid_spi",                  1, 0 },
		{ IV2_NOTIFY_NO_PROPOSAL_CHOSEN,           "no_protocol_chosen",           1, 0 },
		{ IV2_NOTIFY_INVALID_KE_PAYLOAD,           "invalid_ke_payload",           1, 0 },
		{ IV2_NOTIFY_AUTHENTICATION_FAILED,        "authentication_failed",        1, 0 },
		{ IV2_NOTIFY_SINGLE_PAIR_REQUIRED,         "single_pair_required",         1, 0 },
		{ IV2_NOTIFY_NO_ADDITIONAL_SAS,            "no_additional_sas",            0, 0 },
		{ IV2_NOTIFY_INTERNAL_ADDRESS_FAILURE,     "internal_address_failure",     0, 0 },
		{ IV2_NOTIFY_FAILED_CP_REQUIRED,           "failed:cp_required",           0, 0 },
		{ IV2_NOTIFY_INVALID_SELECTORS,            "invalid_selectors",            0, 0 },
		{ IV2_NOTIFY_INITIAL_CONTACT,              "initial_contact",              0, 0 },
		{ IV2_NOTIFY_SET_WINDOW_SIZE,              "set_window_size",              0, 0 },
		{ IV2_NOTIFY_ADDITIONAL_TS_POSSIBLE,       "additional_ts_possible",       0, 0 },
		{ IV2_NOTIFY_IPCOMP_SUPPORTED,             "ipcomp_supported",             0, 0 },
		{ IV2_NOTIFY_NAT_DETECTION_SOURCE_IP,      "nat_detection_source_ip",      1, 0 },
		{ IV2_NOTIFY_NAT_DETECTION_DESTINATION_IP, "nat_detection_destination_ip", 1, 0 },
		{ IV2_NOTIFY_COOKIE,                       "cookie",                       1, 1 },
		{ IV2_NOTIFY_USE_TRANSPORT_MODE,           "use_transport_mode",           0, 0 },
		{ IV2_NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED,   "http_cert_lookup_supported",   0, 0 },
		{ IV2_NOTIFY_REKEY_SA,                     "rekey_sa",                     1, 0 },
		{ IV2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED, "tfc_padding_not_supported",   0, 0 },
		{ IV2_NOTIFY_NON_FIRST_FRAGMENTS_ALSO,     "non_first_fragment_also",      0, 0 },
	};
	struct ikev2_n *p, n;
	const u_char *cp;
	u_char showspi, showdata, showsomedata;
	const char *notify_name;
	uint32_t type;
	size_t idx;

	p = (struct ikev2_n *)ext;
	/* The whole fixed header must be captured before it is copied. */
	ND_TCHECK(*p);
	UNALIGNED_MEMCPY(&n, ext, sizeof(n));
	ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_N), n.h.critical);

	/* Defaults for notify types that are not in the table. */
	showspi = 1;
	showsomedata = 0;
	notify_name = NULL;

	ND_PRINT((ndo," prot_id=%s", PROTOIDSTR(n.prot_id)));

	type = ntohs(n.type);

	for (idx = 0; idx < sizeof(known_notify)/sizeof(known_notify[0]); idx++) {
		if (known_notify[idx].type == type) {
			notify_name = known_notify[idx].name;
			showspi = known_notify[idx].showspi;
			showsomedata = known_notify[idx].showsomedata;
			break;
		}
	}

	if (notify_name == NULL) {
		/* Unlisted type: name it by its numeric range. */
		if (type < 8192)
			notify_name = "error";
		else if (type < 16384)
			notify_name = "private-error";
		else if (type < 40960)
			notify_name = "status";
		else
			notify_name = "private-status";
	}

	if (notify_name) {
		ND_PRINT((ndo," type=%u(%s)", type, notify_name));
	}

	if (showspi && n.spi_size) {
		ND_PRINT((ndo," spi="));
		if (!rawprint(ndo, (caddr_t)(p + 1), n.spi_size))
			goto trunc;
	}

	/* Notification data starts after the SPI. */
	cp = (u_char *)(p + 1) + n.spi_size;

	/* Full data dump only at the highest verbosity. */
	showdata = (3 < ndo->ndo_vflag) ? 1 : 0;

	if (cp < ep) {
		if (showdata || (showsomedata && ep - cp < 30)) {
			ND_PRINT((ndo," data=("));
			if (!rawprint(ndo, (caddr_t)(cp), ep - cp))
				goto trunc;

			ND_PRINT((ndo,")"));
		} else if (showsomedata) {
			if (!ike_show_somedata(ndo, cp, ep))
				goto trunc;
		}
	}

	return (u_char *)ext + item_len;
trunc:
	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_N)));
	return NULL;
}
2413
/*
 * Payload printer with the argument list used by the npfunc[] dispatch
 * in this file. Only ndo, tpay and ext are consumed: the payload is
 * handed to ikev2_gen_print() and that function's result is returned
 * unchanged. The other parameters are marked unused.
 */
static const u_char *
ikev2_d_print(netdissect_options *ndo,
              u_char tpay,
              const struct isakmp_gen *ext,
              u_int item_len _U_,
              const u_char *ep _U_,
              uint32_t phase _U_,
              uint32_t doi _U_,
              uint32_t proto _U_,
              int depth _U_)
{
        const u_char *next;

        next = ikev2_gen_print(ndo, tpay, ext);
        return next;
}
2423
/*
 * Print a vendor-ID style payload: the generic header, the body length,
 * the body rendered as text (non-printable bytes shown as '.'), and, at
 * verbosity above 2 for bodies longer than 4 bytes, a raw dump of the body.
 *
 * Returns a pointer just past the payload (ext + header length field), or
 * NULL after printing " [|<payload name>]" when a bounds check fails.
 *
 * The body length is derived from the header's own length field rather
 * than from item_len, which is unused here. Both callers visible in this
 * file (ike_sub0_print, ikev2_sub0_print) return early when that field is
 * <= 4, so `len` is positive on those paths.
 * NOTE(review): nothing in this function enforces that; a direct caller
 * with a length field below 4 would produce a negative `len` - confirm
 * ND_TCHECK2 rejects it.
 */
static const u_char *
ikev2_vid_print(netdissect_options *ndo, u_char tpay,
                const struct isakmp_gen *ext,
                u_int item_len _U_, const u_char *ep _U_,
                uint32_t phase _U_, uint32_t doi _U_,
                uint32_t proto _U_, int depth _U_)
{
        struct isakmp_gen hdr;
        const u_char *body;
        int idx, len;

        /* The generic header must be inside the capture before it is copied. */
        ND_TCHECK(*ext);
        UNALIGNED_MEMCPY(&hdr, ext, sizeof(hdr));
        ikev2_pay_print(ndo, NPSTR(tpay), hdr.critical);

        /* Body length = total payload length minus the 4-byte generic header. */
        len = ntohs(hdr.len) - 4;
        ND_PRINT((ndo," len=%d vid=", len));

        body = (const u_char *)(ext+1);
        /* Bounds-check the whole body before touching any byte of it. */
        ND_TCHECK2(*body, len);

        for (idx = 0; idx < len; idx++) {
                if (!ND_ISPRINT(body[idx])) {
                        /* Never echo non-printable packet bytes to the terminal. */
                        ND_PRINT((ndo, "."));
                        continue;
                }
                ND_PRINT((ndo, "%c", body[idx]));
        }

        if (ndo->ndo_vflag > 2 && len > 4) {
                ND_PRINT((ndo," "));
                if (!rawprint(ndo, (caddr_t)(ext + 1), len))
                        goto trunc;
        }

        return (u_char *)ext + ntohs(hdr.len);

trunc:
        ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
        return NULL;
}
2457
/*
 * Payload printer that delegates entirely to ikev2_gen_print().
 *
 * ndo, tpay and ext are forwarded; every other parameter is unused and
 * present only so the function fits the npfunc[] call signature used by
 * the dispatchers in this file. The return value is whatever
 * ikev2_gen_print() returns.
 */
static const u_char *
ikev2_TS_print(netdissect_options *ndo,
               u_char tpay,
               const struct isakmp_gen *ext,
               u_int item_len _U_,
               const u_char *ep _U_,
               uint32_t phase _U_,
               uint32_t doi _U_,
               uint32_t proto _U_,
               int depth _U_)
{
        const u_char *after = ikev2_gen_print(ndo, tpay, ext);

        return after;
}
2467
/*
 * Print an IKEv2 encrypted (v2E) payload and, when built with libcrypto,
 * try to decrypt it and dissect what is inside.
 *
 * Prints the generic header and " len=<n>", where n is the header length
 * field minus the 4-byte generic header. At verbosity above 2, bodies
 * longer than 4 bytes are also dumped raw. With HAVE_LIBCRYPTO, the body
 * is passed to esp_print_decrypt_buffer_by_ikev2(); on success the inner
 * payloads are printed through ikev2_sub_print() one nesting level deeper.
 *
 * Always returns NULL: this payload has to be the last one, and its
 * next-payload field describes the decrypted content rather than a sibling.
 * On a failed bounds check " [|<payload name>]" is printed first.
 *
 * Without HAVE_LIBCRYPTO the base/phase/doi/proto/depth parameters are
 * unused, hence the conditional _U_ markers in the signature.
 */
static const u_char *
ikev2_e_print(netdissect_options *ndo,
#ifndef HAVE_LIBCRYPTO
              _U_
#endif
              struct isakmp *base,
              u_char tpay,
              const struct isakmp_gen *ext,
              u_int item_len _U_, const u_char *ep _U_,
#ifndef HAVE_LIBCRYPTO
              _U_
#endif
              uint32_t phase,
#ifndef HAVE_LIBCRYPTO
              _U_
#endif
              uint32_t doi,
#ifndef HAVE_LIBCRYPTO
              _U_
#endif
              uint32_t proto,
#ifndef HAVE_LIBCRYPTO
              _U_
#endif
              int depth)
{
        struct isakmp_gen hdr;
        u_char *payload;
        volatile int dlen;

        /* Header must be captured before it is copied out. */
        ND_TCHECK(*ext);
        UNALIGNED_MEMCPY(&hdr, ext, sizeof(hdr));
        ikev2_pay_print(ndo, NPSTR(tpay), hdr.critical);

        /* Body length as claimed by the packet itself. */
        dlen = ntohs(hdr.len)-4;
        ND_PRINT((ndo," len=%d", dlen));

        if (ndo->ndo_vflag > 2 && dlen > 4) {
                ND_PRINT((ndo," "));
                if (!rawprint(ndo, (caddr_t)(ext + 1), dlen))
                        goto trunc;
        }

        payload = (u_char *)(ext+1);
        /* The full ciphertext must be in the capture before it is used. */
        ND_TCHECK2(*payload, dlen);

#ifdef HAVE_LIBCRYPTO
        /* try to decrypt it! */
        if (esp_print_decrypt_buffer_by_ikev2(ndo,
                                              base->flags & ISAKMP_FLAG_I,
                                              base->i_ck, base->r_ck,
                                              payload, payload+dlen)) {
                /*
                 * Decryption succeeded: dissect the inner payload chain,
                 * starting from ndo->ndo_packetp and bounded by
                 * ndo->ndo_snapend.
                 * NOTE(review): presumably the decrypt helper repoints
                 * those two fields at the plaintext - confirm in print-esp.c.
                 */
                ext = (const struct isakmp_gen *)ndo->ndo_packetp;
                ikev2_sub_print(ndo, base, hdr.np, ext, ndo->ndo_snapend,
                                phase, doi, proto, depth+1);
        }
#endif

        /*
         * Nothing may follow an E payload, and its NP field names the
         * first payload inside it, so the caller's walk stops here.
         */
        return NULL;

trunc:
        ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
        return NULL;
}
2538
/*
 * Payload printer that forwards ndo, tpay and ext to ikev2_gen_print()
 * and returns its result. The remaining parameters are unused; they are
 * part of the signature shared by the payload printers called through
 * npfunc[] in this file.
 */
static const u_char *
ikev2_cp_print(netdissect_options *ndo,
               u_char tpay,
               const struct isakmp_gen *ext,
               u_int item_len _U_,
               const u_char *ep _U_,
               uint32_t phase _U_,
               uint32_t doi _U_,
               uint32_t proto _U_,
               int depth _U_)
{
        const u_char *rest;

        rest = ikev2_gen_print(ndo, tpay, ext);
        return rest;
}
2548
/*
 * Payload printer with no payload-specific decoding: the payload is
 * printed by ikev2_gen_print() and that function's return value is
 * passed back to the caller. Only ndo, tpay and ext are used.
 */
static const u_char *
ikev2_eap_print(netdissect_options *ndo,
                u_char tpay,
                const struct isakmp_gen *ext,
                u_int item_len _U_,
                const u_char *ep _U_,
                uint32_t phase _U_,
                uint32_t doi _U_,
                uint32_t proto _U_,
                int depth _U_)
{
        const u_char *tail = ikev2_gen_print(ndo, tpay, ext);

        return tail;
}
2558
/*
 * Print one IKEv1 payload.
 *
 * np    - payload type of the item at ext
 * ext   - generic header of the payload
 * ep    - end bound handed on to the payload printer
 * phase, doi, proto, depth - passed through to the payload printer
 *
 * Returns the pointer produced by the type-specific printer, or
 * ext + item_len when no printer exists for np (only the type name is
 * printed then). Returns NULL when the header is not captured (after
 * printing " [|isakmp]") or when the length field is 4 or less.
 */
static const u_char *
ike_sub0_print(netdissect_options *ndo,
               u_char np, const struct isakmp_gen *ext, const u_char *ep,
               uint32_t phase, uint32_t doi, uint32_t proto, int depth)
{
        struct isakmp_gen hdr;
        u_int item_len;

        ND_TCHECK(*ext);
        UNALIGNED_MEMCPY(&hdr, ext, sizeof(hdr));

        /*
         * A payload can never be shorter than its own 4-byte generic
         * header. The length comes straight from the packet, so a
         * nonsensical value has to stop the walk here: otherwise the
         * caller could spin forever on zero-length items or misdissect
         * the rest of the packet.
         */
        item_len = ntohs(hdr.len);
        if (item_len <= 4)
                return NULL;

        if (!NPFUNC(np)) {
                /* No dedicated printer: name the type and step over it. */
                ND_PRINT((ndo,"%s", NPSTR(np)));
                return (u_char *)ext + item_len;
        }

        /*
         * XXX - what if item_len is too short, or too long,
         * for this payload type?
         */
        return (*npfunc[np])(ndo, np, ext, item_len, ep, phase, doi, proto, depth);

trunc:
        ND_PRINT((ndo," [|isakmp]"));
        return NULL;
}
2599
/*
 * Walk and print a chain of IKEv1 payloads.
 *
 * np is the type of the payload at ext; each payload's header supplies
 * the type of the next one, and the walk ends when that type is 0.
 * Every payload is printed on its own line, indented four spaces per
 * nesting level and wrapped in parentheses.
 *
 * Returns the position after the last payload, or NULL when a payload
 * printer returned NULL or a bounds check failed (in which case
 * " [|<payload name>]" is printed).
 */
static const u_char *
ikev1_sub_print(netdissect_options *ndo,
                u_char np, const struct isakmp_gen *ext, const u_char *ep,
                uint32_t phase, uint32_t doi, uint32_t proto, int depth)
{
        const u_char *cp;
        struct isakmp_gen hdr;
        int level;
        int col;

        cp = (const u_char *)ext;
        /* Payloads of this chain are printed one level below the caller. */
        level = depth + 1;

        while (np != 0) {
                /* Header first, then the full length the header claims. */
                ND_TCHECK(*ext);
                UNALIGNED_MEMCPY(&hdr, ext, sizeof(hdr));
                ND_TCHECK2(*ext, ntohs(hdr.len));

                ND_PRINT((ndo,"\n"));
                for (col = 0; col < level; col++)
                        ND_PRINT((ndo,"    "));

                ND_PRINT((ndo,"("));
                cp = ike_sub0_print(ndo, np, ext, ep, phase, doi, proto, level);
                ND_PRINT((ndo,")"));

                /* Zero-length subitem */
                if (cp == NULL)
                        return NULL;

                np = hdr.np;
                ext = (struct isakmp_gen *)cp;
        }
        return cp;

trunc:
        ND_PRINT((ndo," [|%s]", NPSTR(np)));
        return NULL;
}
2640
/*
 * Format x as "#<decimal>" and return the result.
 *
 * The string lives in a single static buffer, so every call overwrites
 * the previous result and the function is not reentrant; callers must
 * consume the string before calling again.
 */
static char *
numstr(int x)
{
        static char numbuf[20];

        (void)snprintf(numbuf, sizeof numbuf, "#%d", x);
        return numbuf;
}
2648
/*
 * Print an IKEv1 message.
 *
 * bp     - start of the ISAKMP header in the capture
 * length - message length supplied by the caller
 * bp2    - passed to the cookie helpers; may be NULL
 * base   - copy of the ISAKMP header
 *
 * Output: the phase (1 when the message id is zero, otherwise 2), a
 * direction guess from the cookie cache (I, R or ?), the exchange type
 * and the E/C flags. With -v the payload chain is printed unless the
 * encryption flag is set, followed by a note when the header's length
 * field disagrees with `length`.
 */
static void
ikev1_print(netdissect_options *ndo,
            const u_char *bp,  u_int length,
            const u_char *bp2, struct isakmp *base)
{
        const struct isakmp *p;
        const u_char *ep;
        u_char np;
        int slot;
        int phase;

        p = (const struct isakmp *)bp;
        ep = ndo->ndo_snapend;

        phase = (EXTRACT_32BITS(base->msgid) == 0) ? 1 : 2;
        if (phase == 1)
                ND_PRINT((ndo," phase %d", phase));
        else
                ND_PRINT((ndo," phase %d/others", phase));

        slot = cookie_find(&base->i_ck);
        if (slot >= 0) {
                /* Known initiator cookie: ask the cache which side sent this. */
                if (bp2 == NULL)
                        ND_PRINT((ndo," ?"));
                else if (cookie_isinitiator(slot, bp2))
                        ND_PRINT((ndo," I"));
                else if (cookie_isresponder(slot, bp2))
                        ND_PRINT((ndo," R"));
                else
                        ND_PRINT((ndo," ?"));
        } else if (iszero((u_char *)&base->r_ck, sizeof(base->r_ck))) {
                /* the first packet */
                ND_PRINT((ndo," I"));
                if (bp2)
                        cookie_record(&base->i_ck, bp2);
        } else {
                ND_PRINT((ndo," ?"));
        }

        ND_PRINT((ndo," %s", ETYPESTR(base->etype)));
        if (base->flags) {
                ND_PRINT((ndo,"[%s%s]", base->flags & ISAKMP_FLAG_E ? "E" : "",
                          base->flags & ISAKMP_FLAG_C ? "C" : ""));
        }

        if (ndo->ndo_vflag) {
                const struct isakmp_gen *ext;

                ND_PRINT((ndo,":"));

                /* regardless of phase... */
                if (base->flags & ISAKMP_FLAG_E) {
                        /*
                         * Encrypted body: there is nothing to dissect
                         * here, so only the first payload type is named.
                         */
                        ND_PRINT((ndo," [encrypted %s]", NPSTR(base->np)));
                        goto done;
                }

                CHECKLEN(p + 1, base->np);
                np = base->np;
                ext = (struct isakmp_gen *)(p + 1);
                ikev1_sub_print(ndo, np, ext, ep, phase, 0, 0, 0);
        }

done:
        /* Flag a header length that disagrees with the caller's length. */
        if (ndo->ndo_vflag && ntohl(base->len) != length) {
                ND_PRINT((ndo," (len mismatch: isakmp %u/ip %u)",
                          (uint32_t)ntohl(base->len), length));
        }
}
2722
/*
 * Print one IKEv2 payload.
 *
 * Proposal, transform and encrypted payloads go to their dedicated
 * printers (the first two also receive pcount, the last one receives
 * base); any other type with an npfunc[] entry is dispatched through the
 * table; unknown types are named and skipped by their declared length.
 *
 * Returns the pointer produced by the selected printer, or
 * ext + item_len for an unknown type. Returns NULL when the generic
 * header is not captured (after printing " [|isakmp]") or when its
 * length field is 4 or less.
 */
static const u_char *
ikev2_sub0_print(netdissect_options *ndo, struct isakmp *base,
                 u_char np, int pcount,
                 const struct isakmp_gen *ext, const u_char *ep,
                 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
{
        struct isakmp_gen hdr;
        u_int item_len;

        ND_TCHECK(*ext);
        UNALIGNED_MEMCPY(&hdr, ext, sizeof(hdr));

        /*
         * The length field is packet-controlled. Anything not larger
         * than the 4-byte generic header is nonsensical or truncated;
         * stopping here keeps the caller from looping forever on
         * zero-length items or misdissecting what follows.
         */
        item_len = ntohs(hdr.len);
        if (item_len <= 4)
                return NULL;

        if (np == ISAKMP_NPTYPE_P)
                return ikev2_p_print(ndo, np, pcount, ext, item_len,
                                     ep, phase, doi, proto, depth);

        if (np == ISAKMP_NPTYPE_T)
                return ikev2_t_print(ndo, np, pcount, ext, item_len,
                                     ep, phase, doi, proto, depth);

        if (np == ISAKMP_NPTYPE_v2E)
                return ikev2_e_print(ndo, base, np, ext, item_len,
                                     ep, phase, doi, proto, depth);

        if (NPFUNC(np)) {
                /*
                 * XXX - what if item_len is too short, or too long,
                 * for this payload type?
                 */
                return (*npfunc[np])(ndo, np, /*pcount,*/ ext, item_len,
                                     ep, phase, doi, proto, depth);
        }

        /* No printer for this type: print its name and step over it. */
        ND_PRINT((ndo,"%s", NPSTR(np)));
        return (u_char *)ext + item_len;

trunc:
        ND_PRINT((ndo," [|isakmp]"));
        return NULL;
}
2773
/*
 * Walk and print a chain of IKEv2 payloads.
 *
 * np is the type of the payload at ext; the walk follows each header's
 * next-payload field until it is 0. pcount numbers the payloads from 1
 * and is handed to ikev2_sub0_print(). Each payload goes on its own
 * line, indented four spaces per nesting level, inside parentheses.
 *
 * Returns the position after the last payload, or NULL when a payload
 * printer returned NULL or a bounds check failed (then
 * " [|<payload name>]" is printed).
 */
static const u_char *
ikev2_sub_print(netdissect_options *ndo,
                struct isakmp *base,
                u_char np, const struct isakmp_gen *ext, const u_char *ep,
                uint32_t phase, uint32_t doi, uint32_t proto, int depth)
{
        const u_char *cp;
        struct isakmp_gen hdr;
        int level;
        int col;
        int pcount;

        cp = (const u_char *)ext;
        /* This chain is printed one nesting level below the caller. */
        level = depth + 1;

        for (pcount = 0; np != 0; ) {
                pcount++;

                /* Header first, then the whole payload it announces. */
                ND_TCHECK(*ext);
                UNALIGNED_MEMCPY(&hdr, ext, sizeof(hdr));
                ND_TCHECK2(*ext, ntohs(hdr.len));

                ND_PRINT((ndo,"\n"));
                for (col = 0; col < level; col++)
                        ND_PRINT((ndo,"    "));

                ND_PRINT((ndo,"("));
                cp = ikev2_sub0_print(ndo, base, np, pcount,
                                      ext, ep, phase, doi, proto, level);
                ND_PRINT((ndo,")"));

                /* Zero-length subitem */
                if (cp == NULL)
                        return NULL;

                np = hdr.np;
                ext = (struct isakmp_gen *)cp;
        }
        return cp;

trunc:
        ND_PRINT((ndo," [|%s]", NPSTR(np)));
        return NULL;
}
2818
/*
 * Print an IKEv2 message.
 *
 * bp     - start of the ISAKMP header in the capture
 * length - message length supplied by the caller
 * bp2    - unused
 * base   - copy of the ISAKMP header
 *
 * Output: " parent_sa" when the message id is zero and " child_sa "
 * otherwise, the exchange type and the I/V/R flags. With -v the payload
 * chain is printed unless ISAKMP_FLAG_E is set, followed by a note when
 * the header's length field disagrees with `length`.
 */
static void
ikev2_print(netdissect_options *ndo,
            const u_char *bp,  u_int length,
            const u_char *bp2 _U_, struct isakmp *base)
{
        const struct isakmp *p;
        const u_char *ep;
        u_char np;
        int phase;

        p = (const struct isakmp *)bp;
        ep = ndo->ndo_snapend;

        phase = (EXTRACT_32BITS(base->msgid) == 0) ? 1 : 2;
        if (phase != 1)
                ND_PRINT((ndo, " child_sa "));
        else
                ND_PRINT((ndo, " parent_sa"));

        ND_PRINT((ndo, " %s", ETYPESTR(base->etype)));
        if (base->flags) {
                ND_PRINT((ndo, "[%s%s%s]",
                          base->flags & ISAKMP_FLAG_I ? "I" : "",
                          base->flags & ISAKMP_FLAG_V ? "V" : "",
                          base->flags & ISAKMP_FLAG_R ? "R" : ""));
        }

        if (ndo->ndo_vflag) {
                const struct isakmp_gen *ext;

                ND_PRINT((ndo, ":"));

                /* regardless of phase... */
                if (base->flags & ISAKMP_FLAG_E) {
                        /*
                         * Flagged as encrypted: only the first payload
                         * type is named, nothing is dissected.
                         */
                        ND_PRINT((ndo, " [encrypted %s]", NPSTR(base->np)));
                        goto done;
                }

                CHECKLEN(p + 1, base->np)

                np = base->np;
                ext = (struct isakmp_gen *)(p + 1);
                ikev2_sub_print(ndo, base, np, ext, ep, phase, 0, 0, 0);
        }

done:
        /* Flag a header length that disagrees with the caller's length. */
        if (ndo->ndo_vflag && ntohl(base->len) != length) {
                ND_PRINT((ndo, " (len mismatch: isakmp %u/ip %u)",
                          (uint32_t)ntohl(base->len), length));
        }
}
2876
/*
 * Entry point for printing an ISAKMP/IKE message.
 *
 * bp     - start of the ISAKMP header
 * length - message length supplied by the caller
 * bp2    - passed through to the version-specific printer
 *
 * Prints "[|isakmp]" and returns when the fixed header does not fit in
 * the capture. Otherwise prints "isakmp", then with -v the version and
 * message id, with -vv also both cookies, and finally dispatches on the
 * major version to ikev1_print() or ikev2_print(). Any other major
 * version gets no further output.
 *
 * With HAVE_LIBCRYPTO, the configured ESP secret is decoded on first use
 * (when the SA list is still empty).
 */
void
isakmp_print(netdissect_options *ndo,
             const u_char *bp, u_int length,
             const u_char *bp2)
{
        const struct isakmp *p;
        struct isakmp base;
        const u_char *ep;
        int major, minor;

#ifdef HAVE_LIBCRYPTO
        /* initialize SAs */
        if (ndo->ndo_sa_list_head == NULL && ndo->ndo_espsecret)
                esp_print_decodesecret(ndo);
#endif

        p = (const struct isakmp *)bp;
        ep = ndo->ndo_snapend;

        /* The whole fixed header must be captured before it is copied. */
        if ((struct isakmp *)ep < p + 1) {
                ND_PRINT((ndo,"[|isakmp]"));
                return;
        }

        /* Work on an aligned local copy of the header. */
        UNALIGNED_MEMCPY(&base, p, sizeof(base));

        ND_PRINT((ndo,"isakmp"));
        major = (base.vers & ISAKMP_VERS_MAJOR) >> ISAKMP_VERS_MAJOR_SHIFT;
        minor = (base.vers & ISAKMP_VERS_MINOR) >> ISAKMP_VERS_MINOR_SHIFT;

        if (ndo->ndo_vflag) {
                ND_PRINT((ndo," %d.%d", major, minor));
                ND_PRINT((ndo," msgid "));
                hexprint(ndo, (caddr_t)&base.msgid, sizeof(base.msgid));
        }

        if (ndo->ndo_vflag > 1) {
                ND_PRINT((ndo," cookie "));
                hexprint(ndo, (caddr_t)&base.i_ck, sizeof(base.i_ck));
                ND_PRINT((ndo,"->"));
                hexprint(ndo, (caddr_t)&base.r_ck, sizeof(base.r_ck));
        }
        ND_PRINT((ndo,":"));

        if (major == IKEv1_MAJOR_VERSION)
                ikev1_print(ndo, bp, length, bp2, &base);
        else if (major == IKEv2_MAJOR_VERSION)
                ikev2_print(ndo, bp, length, bp2, &base);
}
2938
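/*
 * Print a UDP-encapsulated IPsec datagram (the function name refers to
 * RFC 3948). Three cases are told apart from the first bytes at bp:
 *   - a single 0xff byte: printed as "isakmp-nat-keep-alive";
 *   - four zero bytes: "NONESP-encap: " followed by the IKE message that
 *     starts after them, printed by isakmp_print();
 *   - anything else: "UDP-encap: " followed by esp_print() and, when that
 *     returns a positive advance, the inner packet via ip_print_inner().
 *
 * ndo    - dissector state and output options
 * bp     - start of the UDP payload
 * length - payload length supplied by the caller
 * bp2    - passed through to the nested printers
 *
 * `length` is not compared against the captured bytes anywhere in this
 * function, so it cannot be used as proof that bp[0..3] are readable.
 * Each byte inspected here is therefore covered by an ND_TCHECK first;
 * when the capture is too short, "[|isakmp]" is printed instead of
 * reading beyond the snapshot.
 */
void
isakmp_rfc3948_print(netdissect_options *ndo,
                     const u_char *bp, u_int length,
                     const u_char *bp2)
{
        /* bp[0] is examined below; make sure it was captured. */
        ND_TCHECK(bp[0]);
        if(length == 1 && bp[0]==0xff) {
                ND_PRINT((ndo, "isakmp-nat-keep-alive"));
                return;
        }

        if(length < 4) {
                goto trunc;
        }

        /*
         * The marker test reads bp[0] through bp[3]; checking the last
         * of them covers the whole run.
         */
        ND_TCHECK(bp[3]);

        /*
         * see if this is an IKE packet
         */
        if(bp[0]==0 && bp[1]==0 && bp[2]==0 && bp[3]==0) {
                ND_PRINT((ndo, "NONESP-encap: "));
                isakmp_print(ndo, bp+4, length-4, bp2);
                return;
        }

        /* must be an ESP packet */
        {
                int nh, enh, padlen;
                int advance;

                ND_PRINT((ndo, "UDP-encap: "));

                advance = esp_print(ndo, bp, length, bp2, &enh, &padlen);
                if(advance <= 0)
                        return;

                bp += advance;
                /*
                 * NOTE(review): length is unsigned, so this wraps if
                 * advance + padlen exceeds it - confirm esp_print()
                 * guarantees it cannot.
                 */
                length -= advance + padlen;
                nh = enh & 0xff;

                ip_print_inner(ndo, bp, length, nh, bp2);
                return;
        }

trunc:
        ND_PRINT((ndo,"[|isakmp]"));
        return;
}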
2986
2987 /*
2988  * Local Variables:
2989  * c-style: whitesmith
2990  * c-basic-offset: 8
2991  * End:
2992  */