2 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. Neither the name of the project nor the names of its contributors
14 * may be used to endorse or promote products derived from this software
15 * without specific prior written permission.
17 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 /* \summary: Internet Security Association and Key Management Protocol (ISAKMP) printer */
37 /* The functions from print-esp.c used in this file are only defined when both
38 * OpenSSL and evp.h are detected. Employ the same preprocessor device here.
40 #ifndef HAVE_OPENSSL_EVP_H
44 #include <netdissect-stdinc.h>
48 #include "netdissect.h"
49 #include "addrtoname.h"
55 /* refer to RFC 2408 */
57 typedef u_char cookie_t[8];
58 typedef u_char msgid_t[4];
60 #define PORT_ISAKMP 500
62 /* 3.1 ISAKMP Header Format (IKEv1 and IKEv2)
63 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
64 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
67 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
70 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
71 ! Next Payload ! MjVer ! MnVer ! Exchange Type ! Flags !
72 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
74 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
76 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
79 cookie_t i_ck; /* Initiator Cookie */
80 cookie_t r_ck; /* Responder Cookie */
81 uint8_t np; /* Next Payload Type */
83 #define ISAKMP_VERS_MAJOR 0xf0
84 #define ISAKMP_VERS_MAJOR_SHIFT 4
85 #define ISAKMP_VERS_MINOR 0x0f
86 #define ISAKMP_VERS_MINOR_SHIFT 0
87 uint8_t etype; /* Exchange Type */
88 uint8_t flags; /* Flags */
90 uint32_t len; /* Length */
93 /* Next Payload Type */
94 #define ISAKMP_NPTYPE_NONE 0 /* NONE*/
95 #define ISAKMP_NPTYPE_SA 1 /* Security Association */
96 #define ISAKMP_NPTYPE_P 2 /* Proposal */
97 #define ISAKMP_NPTYPE_T 3 /* Transform */
98 #define ISAKMP_NPTYPE_KE 4 /* Key Exchange */
99 #define ISAKMP_NPTYPE_ID 5 /* Identification */
100 #define ISAKMP_NPTYPE_CERT 6 /* Certificate */
101 #define ISAKMP_NPTYPE_CR 7 /* Certificate Request */
102 #define ISAKMP_NPTYPE_HASH 8 /* Hash */
103 #define ISAKMP_NPTYPE_SIG 9 /* Signature */
104 #define ISAKMP_NPTYPE_NONCE 10 /* Nonce */
105 #define ISAKMP_NPTYPE_N 11 /* Notification */
106 #define ISAKMP_NPTYPE_D 12 /* Delete */
107 #define ISAKMP_NPTYPE_VID 13 /* Vendor ID */
108 #define ISAKMP_NPTYPE_v2E 46 /* v2 Encrypted payload */
110 #define IKEv1_MAJOR_VERSION 1
111 #define IKEv1_MINOR_VERSION 0
113 #define IKEv2_MAJOR_VERSION 2
114 #define IKEv2_MINOR_VERSION 0
117 #define ISAKMP_FLAG_E 0x01 /* Encryption Bit */
118 #define ISAKMP_FLAG_C 0x02 /* Commit Bit */
119 #define ISAKMP_FLAG_extra 0x04
122 #define ISAKMP_FLAG_I (1 << 3) /* (I)nitiator */
123 #define ISAKMP_FLAG_V (1 << 4) /* (V)ersion */
124 #define ISAKMP_FLAG_R (1 << 5) /* (R)esponse */
127 /* 3.2 Payload Generic Header
128 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
129 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
130 ! Next Payload ! RESERVED ! Payload Length !
131 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
134 uint8_t np; /* Next Payload */
135 uint8_t critical; /* bit 7 - critical, rest is RESERVED */
136 uint16_t len; /* Payload Length */
139 /* 3.3 Data Attributes
140 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
141 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
142 !A! Attribute Type ! AF=0 Attribute Length !
143 !F! ! AF=1 Attribute Value !
144 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
145 . AF=0 Attribute Value .
146 . AF=1 Not Transmitted .
147 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
150 uint16_t type; /* defined by DOI-spec, and Attribute Format */
151 uint16_t lorv; /* if f equal 1, Attribute Length */
152 /* if f equal 0, Attribute Value */
153 /* if f equal 1, Attribute Value */
156 /* 3.4 Security Association Payload */
157 /* MAY NOT be used, because of being defined in ipsec-doi. */
159 If the current payload is the last in the message,
160 then the value of the next payload field will be 0.
161 This field MUST NOT contain the
162 values for the Proposal or Transform payloads as they are considered
163 part of the security association negotiation. For example, this
164 field would contain the value "10" (Nonce payload) in the first
165 message of a Base Exchange (see Section 4.4) and the value "0" in the
166 first message of an Identity Protect Exchange (see Section 4.5).
170 uint32_t doi; /* Domain of Interpretation */
171 uint32_t sit; /* Situation */
174 /* 3.5 Proposal Payload */
176 The value of the next payload field MUST only contain the value "2"
177 or "0". If there are additional Proposal payloads in the message,
178 then this field will be 2. If the current Proposal payload is the
179 last within the security association proposal, then this field will
184 uint8_t p_no; /* Proposal # */
185 uint8_t prot_id; /* Protocol */
186 uint8_t spi_size; /* SPI Size */
187 uint8_t num_t; /* Number of Transforms */
191 /* 3.6 Transform Payload */
193 The value of the next payload field MUST only contain the value "3"
194 or "0". If there are additional Transform payloads in the proposal,
195 then this field will be 3. If the current Transform payload is the
196 last within the proposal, then this field will be 0.
200 uint8_t t_no; /* Transform # */
201 uint8_t t_id; /* Transform-Id */
202 uint16_t reserved; /* RESERVED2 */
206 /* 3.7 Key Exchange Payload */
209 /* Key Exchange Data */
212 /* 3.8 Identification Payload */
213 /* MUST NOT to be used, because of being defined in ipsec-doi. */
217 uint8_t id_type; /* ID Type */
218 uint32_t doi_data; /* DOI Specific ID Data */
220 /* Identification Data */
223 /* 3.9 Certificate Payload */
224 struct ikev1_pl_cert {
226 uint8_t encode; /* Cert Encoding */
227 char cert; /* Certificate Data */
229 This field indicates the type of
230 certificate or certificate-related information contained in the
231 Certificate Data field.
235 /* 3.10 Certificate Request Payload */
238 uint8_t num_cert; /* # Cert. Types */
240 Certificate Types (variable length)
241 -- Contains a list of the types of certificates requested,
242 sorted in order of preference. Each individual certificate
243 type is 1 octet. This field is NOT requiredo
245 /* # Certificate Authorities (1 octet) */
246 /* Certificate Authorities (variable length) */
249 /* 3.11 Hash Payload */
250 /* may not be used, because of having only data. */
251 struct ikev1_pl_hash {
256 /* 3.12 Signature Payload */
257 /* may not be used, because of having only data. */
258 struct ikev1_pl_sig {
263 /* 3.13 Nonce Payload */
264 /* may not be used, because of having only data. */
265 struct ikev1_pl_nonce {
270 /* 3.14 Notification Payload */
273 uint32_t doi; /* Domain of Interpretation */
274 uint8_t prot_id; /* Protocol-ID */
275 uint8_t spi_size; /* SPI Size */
276 uint16_t type; /* Notify Message Type */
278 /* Notification Data */
281 /* 3.14.1 Notify Message Types */
282 /* NOTIFY MESSAGES - ERROR TYPES */
283 #define ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE 1
284 #define ISAKMP_NTYPE_DOI_NOT_SUPPORTED 2
285 #define ISAKMP_NTYPE_SITUATION_NOT_SUPPORTED 3
286 #define ISAKMP_NTYPE_INVALID_COOKIE 4
287 #define ISAKMP_NTYPE_INVALID_MAJOR_VERSION 5
288 #define ISAKMP_NTYPE_INVALID_MINOR_VERSION 6
289 #define ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE 7
290 #define ISAKMP_NTYPE_INVALID_FLAGS 8
291 #define ISAKMP_NTYPE_INVALID_MESSAGE_ID 9
292 #define ISAKMP_NTYPE_INVALID_PROTOCOL_ID 10
293 #define ISAKMP_NTYPE_INVALID_SPI 11
294 #define ISAKMP_NTYPE_INVALID_TRANSFORM_ID 12
295 #define ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED 13
296 #define ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN 14
297 #define ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX 15
298 #define ISAKMP_NTYPE_PAYLOAD_MALFORMED 16
299 #define ISAKMP_NTYPE_INVALID_KEY_INFORMATION 17
300 #define ISAKMP_NTYPE_INVALID_ID_INFORMATION 18
301 #define ISAKMP_NTYPE_INVALID_CERT_ENCODING 19
302 #define ISAKMP_NTYPE_INVALID_CERTIFICATE 20
303 #define ISAKMP_NTYPE_BAD_CERT_REQUEST_SYNTAX 21
304 #define ISAKMP_NTYPE_INVALID_CERT_AUTHORITY 22
305 #define ISAKMP_NTYPE_INVALID_HASH_INFORMATION 23
306 #define ISAKMP_NTYPE_AUTHENTICATION_FAILED 24
307 #define ISAKMP_NTYPE_INVALID_SIGNATURE 25
308 #define ISAKMP_NTYPE_ADDRESS_NOTIFICATION 26
310 /* 3.15 Delete Payload */
313 uint32_t doi; /* Domain of Interpretation */
314 uint8_t prot_id; /* Protocol-Id */
315 uint8_t spi_size; /* SPI Size */
316 uint16_t num_spi; /* # of SPIs */
320 struct ikev1_ph1tab {
321 struct ikev1_ph1 *head;
322 struct ikev1_ph1 *tail;
326 struct isakmp_ph2tab {
327 struct ikev1_ph2 *head;
328 struct ikev1_ph2 *tail;
332 /* IKEv2 (RFC4306) */
334 /* 3.3 Security Association Payload -- generic header */
335 /* 3.3.1. Proposal Substructure */
338 uint8_t p_no; /* Proposal # */
339 uint8_t prot_id; /* Protocol */
340 uint8_t spi_size; /* SPI Size */
341 uint8_t num_t; /* Number of Transforms */
344 /* 3.3.2. Transform Substructure */
347 uint8_t t_type; /* Transform Type (ENCR,PRF,INTEG,etc.*/
348 uint8_t res2; /* reserved byte */
349 uint16_t t_id; /* Transform ID */
360 /* 3.4. Key Exchange Payload */
369 /* 3.5. Identification Payloads */
381 uint8_t type; /* ID type */
385 /* Notification Data */
388 /* 3.10 Notification Payload */
391 uint8_t prot_id; /* Protocol-ID */
392 uint8_t spi_size; /* SPI Size */
393 uint16_t type; /* Notify Message Type */
397 IV2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD = 1,
398 IV2_NOTIFY_INVALID_IKE_SPI = 4,
399 IV2_NOTIFY_INVALID_MAJOR_VERSION = 5,
400 IV2_NOTIFY_INVALID_SYNTAX = 7,
401 IV2_NOTIFY_INVALID_MESSAGE_ID = 9,
402 IV2_NOTIFY_INVALID_SPI =11,
403 IV2_NOTIFY_NO_PROPOSAL_CHOSEN =14,
404 IV2_NOTIFY_INVALID_KE_PAYLOAD =17,
405 IV2_NOTIFY_AUTHENTICATION_FAILED =24,
406 IV2_NOTIFY_SINGLE_PAIR_REQUIRED =34,
407 IV2_NOTIFY_NO_ADDITIONAL_SAS =35,
408 IV2_NOTIFY_INTERNAL_ADDRESS_FAILURE =36,
409 IV2_NOTIFY_FAILED_CP_REQUIRED =37,
410 IV2_NOTIFY_INVALID_SELECTORS =39,
411 IV2_NOTIFY_INITIAL_CONTACT =16384,
412 IV2_NOTIFY_SET_WINDOW_SIZE =16385,
413 IV2_NOTIFY_ADDITIONAL_TS_POSSIBLE =16386,
414 IV2_NOTIFY_IPCOMP_SUPPORTED =16387,
415 IV2_NOTIFY_NAT_DETECTION_SOURCE_IP =16388,
416 IV2_NOTIFY_NAT_DETECTION_DESTINATION_IP =16389,
417 IV2_NOTIFY_COOKIE =16390,
418 IV2_NOTIFY_USE_TRANSPORT_MODE =16391,
419 IV2_NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED =16392,
420 IV2_NOTIFY_REKEY_SA =16393,
421 IV2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED =16394,
422 IV2_NOTIFY_NON_FIRST_FRAGMENTS_ALSO =16395
425 struct notify_messages {
430 /* 3.8 Notification Payload */
433 uint8_t auth_method; /* Protocol-ID */
435 /* authentication data */
438 enum ikev2_auth_type {
444 /* refer to RFC 2409 */
447 /* isakmp sa structure */
449 uint8_t proto_id; /* OAKLEY */
450 vchar_t *spi; /* spi */
451 uint8_t dhgrp; /* DH; group */
452 uint8_t auth_t; /* method of authentication */
453 uint8_t prf_t; /* type of prf */
454 uint8_t hash_t; /* type of hash */
455 uint8_t enc_t; /* type of cipher */
456 uint8_t life_t; /* type of duration of lifetime */
457 uint32_t ldur; /* life duration */
461 /* refer to RFC 2407 */
465 /* 4.2 IPSEC Situation Definition */
466 #define IPSECDOI_SIT_IDENTITY_ONLY 0x00000001
467 #define IPSECDOI_SIT_SECRECY 0x00000002
468 #define IPSECDOI_SIT_INTEGRITY 0x00000004
470 /* 4.4.1 IPSEC Security Protocol Identifiers */
471 /* 4.4.2 IPSEC ISAKMP Transform Values */
472 #define IPSECDOI_PROTO_ISAKMP 1
473 #define IPSECDOI_KEY_IKE 1
475 /* 4.4.1 IPSEC Security Protocol Identifiers */
476 #define IPSECDOI_PROTO_IPSEC_AH 2
477 /* 4.4.3 IPSEC AH Transform Values */
478 #define IPSECDOI_AH_MD5 2
479 #define IPSECDOI_AH_SHA 3
480 #define IPSECDOI_AH_DES 4
481 #define IPSECDOI_AH_SHA2_256 5
482 #define IPSECDOI_AH_SHA2_384 6
483 #define IPSECDOI_AH_SHA2_512 7
485 /* 4.4.1 IPSEC Security Protocol Identifiers */
486 #define IPSECDOI_PROTO_IPSEC_ESP 3
487 /* 4.4.4 IPSEC ESP Transform Identifiers */
488 #define IPSECDOI_ESP_DES_IV64 1
489 #define IPSECDOI_ESP_DES 2
490 #define IPSECDOI_ESP_3DES 3
491 #define IPSECDOI_ESP_RC5 4
492 #define IPSECDOI_ESP_IDEA 5
493 #define IPSECDOI_ESP_CAST 6
494 #define IPSECDOI_ESP_BLOWFISH 7
495 #define IPSECDOI_ESP_3IDEA 8
496 #define IPSECDOI_ESP_DES_IV32 9
497 #define IPSECDOI_ESP_RC4 10
498 #define IPSECDOI_ESP_NULL 11
499 #define IPSECDOI_ESP_RIJNDAEL 12
500 #define IPSECDOI_ESP_AES 12
502 /* 4.4.1 IPSEC Security Protocol Identifiers */
503 #define IPSECDOI_PROTO_IPCOMP 4
504 /* 4.4.5 IPSEC IPCOMP Transform Identifiers */
505 #define IPSECDOI_IPCOMP_OUI 1
506 #define IPSECDOI_IPCOMP_DEFLATE 2
507 #define IPSECDOI_IPCOMP_LZS 3
509 /* 4.5 IPSEC Security Association Attributes */
510 #define IPSECDOI_ATTR_SA_LTYPE 1 /* B */
511 #define IPSECDOI_ATTR_SA_LTYPE_DEFAULT 1
512 #define IPSECDOI_ATTR_SA_LTYPE_SEC 1
513 #define IPSECDOI_ATTR_SA_LTYPE_KB 2
514 #define IPSECDOI_ATTR_SA_LDUR 2 /* V */
515 #define IPSECDOI_ATTR_SA_LDUR_DEFAULT 28800 /* 8 hours */
516 #define IPSECDOI_ATTR_GRP_DESC 3 /* B */
517 #define IPSECDOI_ATTR_ENC_MODE 4 /* B */
518 /* default value: host dependent */
519 #define IPSECDOI_ATTR_ENC_MODE_TUNNEL 1
520 #define IPSECDOI_ATTR_ENC_MODE_TRNS 2
521 #define IPSECDOI_ATTR_AUTH 5 /* B */
522 /* 0 means not to use authentication. */
523 #define IPSECDOI_ATTR_AUTH_HMAC_MD5 1
524 #define IPSECDOI_ATTR_AUTH_HMAC_SHA1 2
525 #define IPSECDOI_ATTR_AUTH_DES_MAC 3
526 #define IPSECDOI_ATTR_AUTH_KPDK 4 /*RFC-1826(Key/Pad/Data/Key)*/
528 * When negotiating ESP without authentication, the Auth
529 * Algorithm attribute MUST NOT be included in the proposal.
530 * When negotiating ESP without confidentiality, the Auth
531 * Algorithm attribute MUST be included in the proposal and
532 * the ESP transform ID must be ESP_NULL.
534 #define IPSECDOI_ATTR_KEY_LENGTH 6 /* B */
535 #define IPSECDOI_ATTR_KEY_ROUNDS 7 /* B */
536 #define IPSECDOI_ATTR_COMP_DICT_SIZE 8 /* B */
537 #define IPSECDOI_ATTR_COMP_PRIVALG 9 /* V */
539 /* 4.6.1 Security Association Payload */
542 uint32_t doi; /* Domain of Interpretation */
543 uint32_t sit; /* Situation */
546 struct ipsecdoi_secrecy_h {
551 /* 4.6.2.1 Identification Type Values */
554 uint8_t type; /* ID Type */
555 uint8_t proto_id; /* Protocol ID */
556 uint16_t port; /* Port */
557 /* Identification Data */
560 #define IPSECDOI_ID_IPV4_ADDR 1
561 #define IPSECDOI_ID_FQDN 2
562 #define IPSECDOI_ID_USER_FQDN 3
563 #define IPSECDOI_ID_IPV4_ADDR_SUBNET 4
564 #define IPSECDOI_ID_IPV6_ADDR 5
565 #define IPSECDOI_ID_IPV6_ADDR_SUBNET 6
566 #define IPSECDOI_ID_IPV4_ADDR_RANGE 7
567 #define IPSECDOI_ID_IPV6_ADDR_RANGE 8
568 #define IPSECDOI_ID_DER_ASN1_DN 9
569 #define IPSECDOI_ID_DER_ASN1_GN 10
570 #define IPSECDOI_ID_KEY_ID 11
572 /* 4.6.3 IPSEC DOI Notify Message Types */
573 /* Notify Messages - Status Types */
574 #define IPSECDOI_NTYPE_RESPONDER_LIFETIME 24576
575 #define IPSECDOI_NTYPE_REPLAY_STATUS 24577
576 #define IPSECDOI_NTYPE_INITIAL_CONTACT 24578
578 #define DECLARE_PRINTER(func) static const u_char *ike##func##_print( \
579 netdissect_options *ndo, u_char tpay, \
580 const struct isakmp_gen *ext, \
582 const u_char *end_pointer, \
585 uint32_t proto0, int depth)
587 DECLARE_PRINTER(v1_sa);
588 DECLARE_PRINTER(v1_p);
589 DECLARE_PRINTER(v1_t);
590 DECLARE_PRINTER(v1_ke);
591 DECLARE_PRINTER(v1_id);
592 DECLARE_PRINTER(v1_cert);
593 DECLARE_PRINTER(v1_cr);
594 DECLARE_PRINTER(v1_sig);
595 DECLARE_PRINTER(v1_hash);
596 DECLARE_PRINTER(v1_nonce);
597 DECLARE_PRINTER(v1_n);
598 DECLARE_PRINTER(v1_d);
599 DECLARE_PRINTER(v1_vid);
601 DECLARE_PRINTER(v2_sa);
602 DECLARE_PRINTER(v2_ke);
603 DECLARE_PRINTER(v2_ID);
604 DECLARE_PRINTER(v2_cert);
605 DECLARE_PRINTER(v2_cr);
606 DECLARE_PRINTER(v2_auth);
607 DECLARE_PRINTER(v2_nonce);
608 DECLARE_PRINTER(v2_n);
609 DECLARE_PRINTER(v2_d);
610 DECLARE_PRINTER(v2_vid);
611 DECLARE_PRINTER(v2_TS);
612 DECLARE_PRINTER(v2_cp);
613 DECLARE_PRINTER(v2_eap);
615 static const u_char *ikev2_e_print(netdissect_options *ndo,
618 const struct isakmp_gen *ext,
620 const u_char *end_pointer,
623 uint32_t proto0, int depth);
626 static const u_char *ike_sub0_print(netdissect_options *ndo,u_char, const struct isakmp_gen *,
627 const u_char *, uint32_t, uint32_t, uint32_t, int);
628 static const u_char *ikev1_sub_print(netdissect_options *ndo,u_char, const struct isakmp_gen *,
629 const u_char *, uint32_t, uint32_t, uint32_t, int);
631 static const u_char *ikev2_sub_print(netdissect_options *ndo,
633 u_char np, const struct isakmp_gen *ext,
634 const u_char *ep, uint32_t phase,
635 uint32_t doi, uint32_t proto,
639 static char *numstr(int);
642 ikev1_print(netdissect_options *ndo,
643 const u_char *bp, u_int length,
644 const u_char *bp2, struct isakmp *base);
646 #define MAXINITIATORS 20
647 static int ninitiator = 0;
655 union inaddr_u iaddr;
656 union inaddr_u raddr;
657 } cookiecache[MAXINITIATORS];
660 static const char *protoidstr[] = {
661 NULL, "isakmp", "ipsec-ah", "ipsec-esp", "ipcomp",
665 static const char *npstr[] = {
666 "none", "sa", "p", "t", "ke", "id", "cert", "cr", "hash", /* 0 - 8 */
667 "sig", "nonce", "n", "d", "vid", /* 9 - 13 */
668 "pay14", "pay15", "pay16", "pay17", "pay18", /* 14- 18 */
669 "pay19", "pay20", "pay21", "pay22", "pay23", /* 19- 23 */
670 "pay24", "pay25", "pay26", "pay27", "pay28", /* 24- 28 */
671 "pay29", "pay30", "pay31", "pay32", /* 29- 32 */
672 "v2sa", "v2ke", "v2IDi", "v2IDr", "v2cert",/* 33- 37 */
673 "v2cr", "v2auth","v2nonce", "v2n", "v2d", /* 38- 42 */
674 "v2vid", "v2TSi", "v2TSr", "v2e", "v2cp", /* 43- 47 */
680 static const u_char *(*npfunc[])(netdissect_options *ndo, u_char tpay,
681 const struct isakmp_gen *ext,
683 const u_char *end_pointer,
686 uint32_t proto0, int depth) = {
700 ikev1_vid_print, /* 13 */
701 NULL, NULL, NULL, NULL, NULL, /* 14- 18 */
702 NULL, NULL, NULL, NULL, NULL, /* 19- 23 */
703 NULL, NULL, NULL, NULL, NULL, /* 24- 28 */
704 NULL, NULL, NULL, NULL, /* 29- 32 */
705 ikev2_sa_print, /* 33 */
706 ikev2_ke_print, /* 34 */
707 ikev2_ID_print, /* 35 */
708 ikev2_ID_print, /* 36 */
709 ikev2_cert_print, /* 37 */
710 ikev2_cr_print, /* 38 */
711 ikev2_auth_print, /* 39 */
712 ikev2_nonce_print, /* 40 */
713 ikev2_n_print, /* 41 */
714 ikev2_d_print, /* 42 */
715 ikev2_vid_print, /* 43 */
716 ikev2_TS_print, /* 44 */
717 ikev2_TS_print, /* 45 */
718 NULL, /* ikev2_e_print,*/ /* 46 - special */
719 ikev2_cp_print, /* 47 */
720 ikev2_eap_print, /* 48 */
724 static const char *etypestr[] = {
725 /* IKEv1 exchange types */
726 "none", "base", "ident", "auth", "agg", "inf", NULL, NULL, /* 0-7 */
727 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 8-15 */
728 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 16-23 */
729 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 24-31 */
730 "oakley-quick", "oakley-newgroup", /* 32-33 */
731 /* IKEv2 exchange types */
732 "ikev2_init", "ikev2_auth", "child_sa", "inf2" /* 34-37 */
735 #define STR_OR_ID(x, tab) \
736 (((x) < sizeof(tab)/sizeof(tab[0]) && tab[(x)]) ? tab[(x)] : numstr(x))
737 #define PROTOIDSTR(x) STR_OR_ID(x, protoidstr)
738 #define NPSTR(x) STR_OR_ID(x, npstr)
739 #define ETYPESTR(x) STR_OR_ID(x, etypestr)
741 #define CHECKLEN(p, np) \
742 if (ep < (const u_char *)(p)) { \
743 ND_PRINT((ndo," [|%s]", NPSTR(np))); \
749 (((x) < sizeof(npfunc)/sizeof(npfunc[0]) && npfunc[(x)]) \
750 ? npfunc[(x)] : NULL)
753 iszero(const u_char *p, size_t l)
762 /* find cookie from initiator cache */
764 cookie_find(cookie_t *in)
768 for (i = 0; i < MAXINITIATORS; i++) {
769 if (memcmp(in, &cookiecache[i].initiator, sizeof(*in)) == 0)
776 /* record initiator */
778 cookie_record(cookie_t *in, const u_char *bp2)
782 const struct ip6_hdr *ip6;
786 ninitiator = (i + 1) % MAXINITIATORS;
790 ip = (const struct ip *)bp2;
793 cookiecache[ninitiator].version = 4;
794 UNALIGNED_MEMCPY(&cookiecache[ninitiator].iaddr.in4, &ip->ip_src, sizeof(struct in_addr));
795 UNALIGNED_MEMCPY(&cookiecache[ninitiator].raddr.in4, &ip->ip_dst, sizeof(struct in_addr));
798 ip6 = (const struct ip6_hdr *)bp2;
799 cookiecache[ninitiator].version = 6;
800 UNALIGNED_MEMCPY(&cookiecache[ninitiator].iaddr.in6, &ip6->ip6_src, sizeof(struct in6_addr));
801 UNALIGNED_MEMCPY(&cookiecache[ninitiator].raddr.in6, &ip6->ip6_dst, sizeof(struct in6_addr));
806 UNALIGNED_MEMCPY(&cookiecache[ninitiator].initiator, in, sizeof(*in));
807 ninitiator = (ninitiator + 1) % MAXINITIATORS;
810 #define cookie_isinitiator(x, y) cookie_sidecheck((x), (y), 1)
811 #define cookie_isresponder(x, y) cookie_sidecheck((x), (y), 0)
813 cookie_sidecheck(int i, const u_char *bp2, int initiator)
816 const struct ip6_hdr *ip6;
818 ip = (const struct ip *)bp2;
821 if (cookiecache[i].version != 4)
824 if (UNALIGNED_MEMCMP(&ip->ip_src, &cookiecache[i].iaddr.in4, sizeof(struct in_addr)) == 0)
827 if (UNALIGNED_MEMCMP(&ip->ip_src, &cookiecache[i].raddr.in4, sizeof(struct in_addr)) == 0)
832 if (cookiecache[i].version != 6)
834 ip6 = (const struct ip6_hdr *)bp2;
836 if (UNALIGNED_MEMCMP(&ip6->ip6_src, &cookiecache[i].iaddr.in6, sizeof(struct in6_addr)) == 0)
839 if (UNALIGNED_MEMCMP(&ip6->ip6_src, &cookiecache[i].raddr.in6, sizeof(struct in6_addr)) == 0)
851 hexprint(netdissect_options *ndo, const uint8_t *loc, size_t len)
857 for (i = 0; i < len; i++)
858 ND_PRINT((ndo,"%02x", p[i] & 0xff));
862 rawprint(netdissect_options *ndo, const uint8_t *loc, size_t len)
864 ND_TCHECK2(*loc, len);
866 hexprint(ndo, loc, len);
874 * returns false if we run out of data buffer
876 static int ike_show_somedata(netdissect_options *ndo,
877 const u_char *cp, const u_char *ep)
879 /* there is too much data, just show some of it */
880 const u_char *end = ep - 20;
887 /* really shouldn't happen because of above */
893 ND_PRINT((ndo," data=("));
894 if(!rawprint(ndo, (const uint8_t *)(cp), len)) goto trunc;
895 ND_PRINT((ndo, "..."));
897 if(!rawprint(ndo, (const uint8_t *)(end), elen)) goto trunc;
909 const char *value[30]; /*XXX*/
912 static const u_char *
913 ikev1_attrmap_print(netdissect_options *ndo,
914 const u_char *p, const u_char *ep,
915 const struct attrmap *map, size_t nmap)
923 totlen = 4 + EXTRACT_16BITS(&p[2]);
924 if (ep < p + totlen) {
925 ND_PRINT((ndo,"[|attr]"));
930 t = EXTRACT_16BITS(&p[0]) & 0x7fff;
931 if (map && t < nmap && map[t].type)
932 ND_PRINT((ndo,"type=%s ", map[t].type));
934 ND_PRINT((ndo,"type=#%d ", t));
936 ND_PRINT((ndo,"value="));
937 v = EXTRACT_16BITS(&p[2]);
938 if (map && t < nmap && v < map[t].nvalue && map[t].value[v])
939 ND_PRINT((ndo,"%s", map[t].value[v]));
941 rawprint(ndo, (const uint8_t *)&p[2], 2);
943 ND_PRINT((ndo,"len=%d value=", EXTRACT_16BITS(&p[2])));
944 rawprint(ndo, (const uint8_t *)&p[4], EXTRACT_16BITS(&p[2]));
950 static const u_char *
951 ikev1_attr_print(netdissect_options *ndo, const u_char *p, const u_char *ep)
959 totlen = 4 + EXTRACT_16BITS(&p[2]);
960 if (ep < p + totlen) {
961 ND_PRINT((ndo,"[|attr]"));
966 t = EXTRACT_16BITS(&p[0]) & 0x7fff;
967 ND_PRINT((ndo,"type=#%d ", t));
969 ND_PRINT((ndo,"value="));
971 rawprint(ndo, (const uint8_t *)&p[2], 2);
973 ND_PRINT((ndo,"len=%d value=", EXTRACT_16BITS(&p[2])));
974 rawprint(ndo, (const uint8_t *)&p[4], EXTRACT_16BITS(&p[2]));
980 static const u_char *
981 ikev1_sa_print(netdissect_options *ndo, u_char tpay _U_,
982 const struct isakmp_gen *ext,
984 const u_char *ep, uint32_t phase, uint32_t doi0 _U_,
985 uint32_t proto0, int depth)
987 const struct ikev1_pl_sa *p;
988 struct ikev1_pl_sa sa;
989 uint32_t doi, sit, ident;
990 const u_char *cp, *np;
993 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_SA)));
995 p = (const struct ikev1_pl_sa *)ext;
997 UNALIGNED_MEMCPY(&sa, ext, sizeof(sa));
1001 ND_PRINT((ndo," doi=%d", doi));
1002 ND_PRINT((ndo," situation=%u", (uint32_t)ntohl(sa.sit)));
1003 return (const u_char *)(p + 1);
1006 ND_PRINT((ndo," doi=ipsec"));
1007 ND_PRINT((ndo," situation="));
1010 ND_PRINT((ndo,"identity"));
1014 ND_PRINT((ndo,"%ssecrecy", t ? "+" : ""));
1018 ND_PRINT((ndo,"%sintegrity", t ? "+" : ""));
1020 np = (const u_char *)ext + sizeof(sa);
1022 ND_TCHECK2(*(ext + 1), sizeof(ident));
1023 UNALIGNED_MEMCPY(&ident, ext + 1, sizeof(ident));
1024 ND_PRINT((ndo," ident=%u", (uint32_t)ntohl(ident)));
1025 np += sizeof(ident);
1028 ext = (const struct isakmp_gen *)np;
1031 cp = ikev1_sub_print(ndo, ISAKMP_NPTYPE_P, ext, ep, phase, doi, proto0,
1036 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_SA)));
1040 static const u_char *
1041 ikev1_p_print(netdissect_options *ndo, u_char tpay _U_,
1042 const struct isakmp_gen *ext, u_int item_len _U_,
1043 const u_char *ep, uint32_t phase, uint32_t doi0,
1044 uint32_t proto0 _U_, int depth)
1046 const struct ikev1_pl_p *p;
1047 struct ikev1_pl_p prop;
1050 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_P)));
1052 p = (const struct ikev1_pl_p *)ext;
1054 UNALIGNED_MEMCPY(&prop, ext, sizeof(prop));
1055 ND_PRINT((ndo," #%d protoid=%s transform=%d",
1056 prop.p_no, PROTOIDSTR(prop.prot_id), prop.num_t));
1057 if (prop.spi_size) {
1058 ND_PRINT((ndo," spi="));
1059 if (!rawprint(ndo, (const uint8_t *)(p + 1), prop.spi_size))
1063 ext = (const struct isakmp_gen *)((const u_char *)(p + 1) + prop.spi_size);
1066 cp = ikev1_sub_print(ndo, ISAKMP_NPTYPE_T, ext, ep, phase, doi0,
1067 prop.prot_id, depth);
1071 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_P)));
1075 static const char *ikev1_p_map[] = {
1079 static const char *ikev2_t_type_map[]={
1080 NULL, "encr", "prf", "integ", "dh", "esn"
1083 static const char *ah_p_map[] = {
1084 NULL, "(reserved)", "md5", "sha", "1des",
1085 "sha2-256", "sha2-384", "sha2-512",
1088 static const char *prf_p_map[] = {
1089 NULL, "hmac-md5", "hmac-sha", "hmac-tiger",
1093 static const char *integ_p_map[] = {
1094 NULL, "hmac-md5", "hmac-sha", "dec-mac",
1095 "kpdk-md5", "aes-xcbc"
1098 static const char *esn_p_map[] = {
1102 static const char *dh_p_map[] = {
1104 "modp1024", /* group 2 */
1105 "EC2N 2^155", /* group 3 */
1106 "EC2N 2^185", /* group 4 */
1107 "modp1536", /* group 5 */
1108 "iana-grp06", "iana-grp07", /* reserved */
1109 "iana-grp08", "iana-grp09",
1110 "iana-grp10", "iana-grp11",
1111 "iana-grp12", "iana-grp13",
1112 "modp2048", /* group 14 */
1113 "modp3072", /* group 15 */
1114 "modp4096", /* group 16 */
1115 "modp6144", /* group 17 */
1116 "modp8192", /* group 18 */
1119 static const char *esp_p_map[] = {
1120 NULL, "1des-iv64", "1des", "3des", "rc5", "idea", "cast",
1121 "blowfish", "3idea", "1des-iv32", "rc4", "null", "aes"
1124 static const char *ipcomp_p_map[] = {
1125 NULL, "oui", "deflate", "lzs",
1128 static const struct attrmap ipsec_t_map[] = {
1129 { NULL, 0, { NULL } },
1130 { "lifetype", 3, { NULL, "sec", "kb", }, },
1131 { "life", 0, { NULL } },
1132 { "group desc", 18, { NULL, "modp768",
1133 "modp1024", /* group 2 */
1134 "EC2N 2^155", /* group 3 */
1135 "EC2N 2^185", /* group 4 */
1136 "modp1536", /* group 5 */
1137 "iana-grp06", "iana-grp07", /* reserved */
1138 "iana-grp08", "iana-grp09",
1139 "iana-grp10", "iana-grp11",
1140 "iana-grp12", "iana-grp13",
1141 "modp2048", /* group 14 */
1142 "modp3072", /* group 15 */
1143 "modp4096", /* group 16 */
1144 "modp6144", /* group 17 */
1145 "modp8192", /* group 18 */
1147 { "enc mode", 3, { NULL, "tunnel", "transport", }, },
1148 { "auth", 5, { NULL, "hmac-md5", "hmac-sha1", "1des-mac", "keyed", }, },
1149 { "keylen", 0, { NULL } },
1150 { "rounds", 0, { NULL } },
1151 { "dictsize", 0, { NULL } },
1152 { "privalg", 0, { NULL } },
1155 static const struct attrmap encr_t_map[] = {
1156 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 0, 1 */
1157 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 2, 3 */
1158 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 4, 5 */
1159 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 6, 7 */
1160 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 8, 9 */
1161 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 10,11*/
1162 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 12,13*/
1163 { "keylen", 14, { NULL }},
1166 static const struct attrmap oakley_t_map[] = {
1167 { NULL, 0, { NULL } },
1168 { "enc", 8, { NULL, "1des", "idea", "blowfish", "rc5",
1169 "3des", "cast", "aes", }, },
1170 { "hash", 7, { NULL, "md5", "sha1", "tiger",
1171 "sha2-256", "sha2-384", "sha2-512", }, },
1172 { "auth", 6, { NULL, "preshared", "dss", "rsa sig", "rsa enc",
1173 "rsa enc revised", }, },
1174 { "group desc", 18, { NULL, "modp768",
1175 "modp1024", /* group 2 */
1176 "EC2N 2^155", /* group 3 */
1177 "EC2N 2^185", /* group 4 */
1178 "modp1536", /* group 5 */
1179 "iana-grp06", "iana-grp07", /* reserved */
1180 "iana-grp08", "iana-grp09",
1181 "iana-grp10", "iana-grp11",
1182 "iana-grp12", "iana-grp13",
1183 "modp2048", /* group 14 */
1184 "modp3072", /* group 15 */
1185 "modp4096", /* group 16 */
1186 "modp6144", /* group 17 */
1187 "modp8192", /* group 18 */
1189 { "group type", 4, { NULL, "MODP", "ECP", "EC2N", }, },
1190 { "group prime", 0, { NULL } },
1191 { "group gen1", 0, { NULL } },
1192 { "group gen2", 0, { NULL } },
1193 { "group curve A", 0, { NULL } },
1194 { "group curve B", 0, { NULL } },
1195 { "lifetype", 3, { NULL, "sec", "kb", }, },
1196 { "lifeduration", 0, { NULL } },
1197 { "prf", 0, { NULL } },
1198 { "keylen", 0, { NULL } },
1199 { "field", 0, { NULL } },
1200 { "order", 0, { NULL } },
1203 static const u_char *
1204 ikev1_t_print(netdissect_options *ndo, u_char tpay _U_,
1205 const struct isakmp_gen *ext, u_int item_len,
1206 const u_char *ep, uint32_t phase _U_, uint32_t doi _U_,
1207 uint32_t proto, int depth _U_)
1209 const struct ikev1_pl_t *p;
1210 struct ikev1_pl_t t;
1213 const struct attrmap *map;
1217 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_T)));
1219 p = (const struct ikev1_pl_t *)ext;
1221 UNALIGNED_MEMCPY(&t, ext, sizeof(t));
1225 idstr = STR_OR_ID(t.t_id, ikev1_p_map);
1227 nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]);
1230 idstr = STR_OR_ID(t.t_id, ah_p_map);
1232 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
1235 idstr = STR_OR_ID(t.t_id, esp_p_map);
1237 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
1240 idstr = STR_OR_ID(t.t_id, ipcomp_p_map);
1242 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
1252 ND_PRINT((ndo," #%d id=%s ", t.t_no, idstr));
1254 ND_PRINT((ndo," #%d id=%d ", t.t_no, t.t_id));
1255 cp = (const u_char *)(p + 1);
1256 ep2 = (const u_char *)p + item_len;
1257 while (cp < ep && cp < ep2) {
1259 cp = ikev1_attrmap_print(ndo, cp, (ep < ep2) ? ep : ep2,
1262 cp = ikev1_attr_print(ndo, cp, (ep < ep2) ? ep : ep2);
1265 ND_PRINT((ndo,"..."));
1268 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_T)));
1272 static const u_char *
1273 ikev1_ke_print(netdissect_options *ndo, u_char tpay _U_,
1274 const struct isakmp_gen *ext, u_int item_len _U_,
1275 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_,
1276 uint32_t proto _U_, int depth _U_)
1278 struct isakmp_gen e;
1280 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_KE)));
1283 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1284 ND_PRINT((ndo," key len=%d", ntohs(e.len) - 4));
1285 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1286 ND_PRINT((ndo," "));
1287 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
1290 return (const u_char *)ext + ntohs(e.len);
1292 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_KE)));
1296 static const u_char *
1297 ikev1_id_print(netdissect_options *ndo, u_char tpay _U_,
1298 const struct isakmp_gen *ext, u_int item_len,
1299 const u_char *ep _U_, uint32_t phase, uint32_t doi _U_,
1300 uint32_t proto _U_, int depth _U_)
1302 #define USE_IPSECDOI_IN_PHASE1 1
1303 const struct ikev1_pl_id *p;
1304 struct ikev1_pl_id id;
1305 static const char *idtypestr[] = {
1306 "IPv4", "IPv4net", "IPv6", "IPv6net",
1308 static const char *ipsecidtypestr[] = {
1309 NULL, "IPv4", "FQDN", "user FQDN", "IPv4net", "IPv6",
1310 "IPv6net", "IPv4range", "IPv6range", "ASN1 DN", "ASN1 GN",
1316 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_ID)));
1318 p = (const struct ikev1_pl_id *)ext;
1320 UNALIGNED_MEMCPY(&id, ext, sizeof(id));
1321 if (sizeof(*p) < item_len) {
1322 data = (const u_char *)(p + 1);
1323 len = item_len - sizeof(*p);
1330 ND_PRINT((ndo," [phase=%d doi=%d proto=%d]", phase, doi, proto));
1333 #ifndef USE_IPSECDOI_IN_PHASE1
1337 ND_PRINT((ndo," idtype=%s", STR_OR_ID(id.d.id_type, idtypestr)));
1338 ND_PRINT((ndo," doi_data=%u",
1339 (uint32_t)(ntohl(id.d.doi_data) & 0xffffff)));
1342 #ifdef USE_IPSECDOI_IN_PHASE1
1347 const struct ipsecdoi_id *doi_p;
1348 struct ipsecdoi_id doi_id;
1349 struct protoent *pe;
1351 doi_p = (const struct ipsecdoi_id *)ext;
1353 UNALIGNED_MEMCPY(&doi_id, ext, sizeof(doi_id));
1354 ND_PRINT((ndo," idtype=%s", STR_OR_ID(doi_id.type, ipsecidtypestr)));
1355 /* A protocol ID of 0 DOES NOT mean IPPROTO_IP! */
1356 pe = doi_id.proto_id ? getprotobynumber(doi_id.proto_id) : NULL;
1358 ND_PRINT((ndo," protoid=%s", pe->p_name));
1360 ND_PRINT((ndo," protoid=%u", doi_id.proto_id));
1361 ND_PRINT((ndo," port=%d", ntohs(doi_id.port)));
1366 ND_TCHECK2(*data, len);
1367 switch (doi_id.type) {
1368 case IPSECDOI_ID_IPV4_ADDR:
1370 ND_PRINT((ndo," len=%d [bad: < 4]", len));
1372 ND_PRINT((ndo," len=%d %s", len, ipaddr_string(ndo, data)));
1375 case IPSECDOI_ID_FQDN:
1376 case IPSECDOI_ID_USER_FQDN:
1379 ND_PRINT((ndo," len=%d ", len));
1380 for (i = 0; i < len; i++)
1381 safeputchar(ndo, data[i]);
1385 case IPSECDOI_ID_IPV4_ADDR_SUBNET:
1389 ND_PRINT((ndo," len=%d [bad: < 8]", len));
1391 mask = data + sizeof(struct in_addr);
1392 ND_PRINT((ndo," len=%d %s/%u.%u.%u.%u", len,
1393 ipaddr_string(ndo, data),
1394 mask[0], mask[1], mask[2], mask[3]));
1399 case IPSECDOI_ID_IPV6_ADDR:
1401 ND_PRINT((ndo," len=%d [bad: < 16]", len));
1403 ND_PRINT((ndo," len=%d %s", len, ip6addr_string(ndo, data)));
1406 case IPSECDOI_ID_IPV6_ADDR_SUBNET:
1410 ND_PRINT((ndo," len=%d [bad: < 20]", len));
1412 mask = (const u_char *)(data + sizeof(struct in6_addr));
1414 ND_PRINT((ndo," len=%d %s/0x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x", len,
1415 ip6addr_string(ndo, data),
1416 mask[0], mask[1], mask[2], mask[3],
1417 mask[4], mask[5], mask[6], mask[7],
1418 mask[8], mask[9], mask[10], mask[11],
1419 mask[12], mask[13], mask[14], mask[15]));
1424 case IPSECDOI_ID_IPV4_ADDR_RANGE:
1426 ND_PRINT((ndo," len=%d [bad: < 8]", len));
1428 ND_PRINT((ndo," len=%d %s-%s", len,
1429 ipaddr_string(ndo, data),
1430 ipaddr_string(ndo, data + sizeof(struct in_addr))));
1434 case IPSECDOI_ID_IPV6_ADDR_RANGE:
1436 ND_PRINT((ndo," len=%d [bad: < 32]", len));
1438 ND_PRINT((ndo," len=%d %s-%s", len,
1439 ip6addr_string(ndo, data),
1440 ip6addr_string(ndo, data + sizeof(struct in6_addr))));
1444 case IPSECDOI_ID_DER_ASN1_DN:
1445 case IPSECDOI_ID_DER_ASN1_GN:
1446 case IPSECDOI_ID_KEY_ID:
1453 ND_PRINT((ndo," len=%d", len));
1454 if (2 < ndo->ndo_vflag) {
1455 ND_PRINT((ndo," "));
1456 if (!rawprint(ndo, (const uint8_t *)data, len))
1460 return (const u_char *)ext + item_len;
1462 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_ID)));
1466 static const u_char *
1467 ikev1_cert_print(netdissect_options *ndo, u_char tpay _U_,
1468 const struct isakmp_gen *ext, u_int item_len,
1469 const u_char *ep _U_, uint32_t phase _U_,
1471 uint32_t proto0 _U_, int depth _U_)
1473 const struct ikev1_pl_cert *p;
1474 struct ikev1_pl_cert cert;
1475 static const char *certstr[] = {
1476 "none", "pkcs7", "pgp", "dns",
1477 "x509sign", "x509ke", "kerberos", "crl",
1478 "arl", "spki", "x509attr",
1481 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_CERT)));
1483 p = (const struct ikev1_pl_cert *)ext;
1485 UNALIGNED_MEMCPY(&cert, ext, sizeof(cert));
1486 ND_PRINT((ndo," len=%d", item_len - 4));
1487 ND_PRINT((ndo," type=%s", STR_OR_ID((cert.encode), certstr)));
1488 if (2 < ndo->ndo_vflag && 4 < item_len) {
1489 ND_PRINT((ndo," "));
1490 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1493 return (const u_char *)ext + item_len;
1495 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_CERT)));
1499 static const u_char *
1500 ikev1_cr_print(netdissect_options *ndo, u_char tpay _U_,
1501 const struct isakmp_gen *ext, u_int item_len,
1502 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi0 _U_,
1503 uint32_t proto0 _U_, int depth _U_)
1505 const struct ikev1_pl_cert *p;
1506 struct ikev1_pl_cert cert;
1507 static const char *certstr[] = {
1508 "none", "pkcs7", "pgp", "dns",
1509 "x509sign", "x509ke", "kerberos", "crl",
1510 "arl", "spki", "x509attr",
1513 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_CR)));
1515 p = (const struct ikev1_pl_cert *)ext;
1517 UNALIGNED_MEMCPY(&cert, ext, sizeof(cert));
1518 ND_PRINT((ndo," len=%d", item_len - 4));
1519 ND_PRINT((ndo," type=%s", STR_OR_ID((cert.encode), certstr)));
1520 if (2 < ndo->ndo_vflag && 4 < item_len) {
1521 ND_PRINT((ndo," "));
1522 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1525 return (const u_char *)ext + item_len;
1527 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_CR)));
1531 static const u_char *
1532 ikev1_hash_print(netdissect_options *ndo, u_char tpay _U_,
1533 const struct isakmp_gen *ext, u_int item_len _U_,
1534 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_,
1535 uint32_t proto _U_, int depth _U_)
1537 struct isakmp_gen e;
1539 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_HASH)));
1542 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1543 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
1544 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1545 ND_PRINT((ndo," "));
1546 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
1549 return (const u_char *)ext + ntohs(e.len);
1551 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_HASH)));
1555 static const u_char *
1556 ikev1_sig_print(netdissect_options *ndo, u_char tpay _U_,
1557 const struct isakmp_gen *ext, u_int item_len _U_,
1558 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_,
1559 uint32_t proto _U_, int depth _U_)
1561 struct isakmp_gen e;
1563 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_SIG)));
1566 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1567 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
1568 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1569 ND_PRINT((ndo," "));
1570 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
1573 return (const u_char *)ext + ntohs(e.len);
1575 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_SIG)));
1579 static const u_char *
1580 ikev1_nonce_print(netdissect_options *ndo, u_char tpay _U_,
1581 const struct isakmp_gen *ext,
1584 uint32_t phase _U_, uint32_t doi _U_,
1585 uint32_t proto _U_, int depth _U_)
1587 struct isakmp_gen e;
1589 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_NONCE)));
1592 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1593 ND_PRINT((ndo," n len=%d", ntohs(e.len) - 4));
1594 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1595 ND_PRINT((ndo," "));
1596 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
1598 } else if (1 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1599 ND_PRINT((ndo," "));
1600 if (!ike_show_somedata(ndo, (const u_char *)(const uint8_t *)(ext + 1), ep))
1603 return (const u_char *)ext + ntohs(e.len);
1605 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_NONCE)));
1609 static const u_char *
1610 ikev1_n_print(netdissect_options *ndo, u_char tpay _U_,
1611 const struct isakmp_gen *ext, u_int item_len,
1612 const u_char *ep, uint32_t phase, uint32_t doi0 _U_,
1613 uint32_t proto0 _U_, int depth)
1615 const struct ikev1_pl_n *p;
1616 struct ikev1_pl_n n;
1621 static const char *notify_error_str[] = {
1622 NULL, "INVALID-PAYLOAD-TYPE",
1623 "DOI-NOT-SUPPORTED", "SITUATION-NOT-SUPPORTED",
1624 "INVALID-COOKIE", "INVALID-MAJOR-VERSION",
1625 "INVALID-MINOR-VERSION", "INVALID-EXCHANGE-TYPE",
1626 "INVALID-FLAGS", "INVALID-MESSAGE-ID",
1627 "INVALID-PROTOCOL-ID", "INVALID-SPI",
1628 "INVALID-TRANSFORM-ID", "ATTRIBUTES-NOT-SUPPORTED",
1629 "NO-PROPOSAL-CHOSEN", "BAD-PROPOSAL-SYNTAX",
1630 "PAYLOAD-MALFORMED", "INVALID-KEY-INFORMATION",
1631 "INVALID-ID-INFORMATION", "INVALID-CERT-ENCODING",
1632 "INVALID-CERTIFICATE", "CERT-TYPE-UNSUPPORTED",
1633 "INVALID-CERT-AUTHORITY", "INVALID-HASH-INFORMATION",
1634 "AUTHENTICATION-FAILED", "INVALID-SIGNATURE",
1635 "ADDRESS-NOTIFICATION", "NOTIFY-SA-LIFETIME",
1636 "CERTIFICATE-UNAVAILABLE", "UNSUPPORTED-EXCHANGE-TYPE",
1637 "UNEQUAL-PAYLOAD-LENGTHS",
1639 static const char *ipsec_notify_error_str[] = {
1642 static const char *notify_status_str[] = {
1645 static const char *ipsec_notify_status_str[] = {
1646 "RESPONDER-LIFETIME", "REPLAY-STATUS",
1649 /* NOTE: these macro must be called with x in proper range */
1652 #define NOTIFY_ERROR_STR(x) \
1653 STR_OR_ID((x), notify_error_str)
1656 #define IPSEC_NOTIFY_ERROR_STR(x) \
1657 STR_OR_ID((u_int)((x) - 8192), ipsec_notify_error_str)
1660 #define NOTIFY_STATUS_STR(x) \
1661 STR_OR_ID((u_int)((x) - 16384), notify_status_str)
1664 #define IPSEC_NOTIFY_STATUS_STR(x) \
1665 STR_OR_ID((u_int)((x) - 24576), ipsec_notify_status_str)
1667 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_N)));
1669 p = (const struct ikev1_pl_n *)ext;
1671 UNALIGNED_MEMCPY(&n, ext, sizeof(n));
1675 ND_PRINT((ndo," doi=%d", doi));
1676 ND_PRINT((ndo," proto=%d", proto));
1677 if (ntohs(n.type) < 8192)
1678 ND_PRINT((ndo," type=%s", NOTIFY_ERROR_STR(ntohs(n.type))));
1679 else if (ntohs(n.type) < 16384)
1680 ND_PRINT((ndo," type=%s", numstr(ntohs(n.type))));
1681 else if (ntohs(n.type) < 24576)
1682 ND_PRINT((ndo," type=%s", NOTIFY_STATUS_STR(ntohs(n.type))));
1684 ND_PRINT((ndo," type=%s", numstr(ntohs(n.type))));
1686 ND_PRINT((ndo," spi="));
1687 if (!rawprint(ndo, (const uint8_t *)(p + 1), n.spi_size))
1690 return (const u_char *)(p + 1) + n.spi_size;
1693 ND_PRINT((ndo," doi=ipsec"));
1694 ND_PRINT((ndo," proto=%s", PROTOIDSTR(proto)));
1695 if (ntohs(n.type) < 8192)
1696 ND_PRINT((ndo," type=%s", NOTIFY_ERROR_STR(ntohs(n.type))));
1697 else if (ntohs(n.type) < 16384)
1698 ND_PRINT((ndo," type=%s", IPSEC_NOTIFY_ERROR_STR(ntohs(n.type))));
1699 else if (ntohs(n.type) < 24576)
1700 ND_PRINT((ndo," type=%s", NOTIFY_STATUS_STR(ntohs(n.type))));
1701 else if (ntohs(n.type) < 32768)
1702 ND_PRINT((ndo," type=%s", IPSEC_NOTIFY_STATUS_STR(ntohs(n.type))));
1704 ND_PRINT((ndo," type=%s", numstr(ntohs(n.type))));
1706 ND_PRINT((ndo," spi="));
1707 if (!rawprint(ndo, (const uint8_t *)(p + 1), n.spi_size))
1711 cp = (const u_char *)(p + 1) + n.spi_size;
1712 ep2 = (const u_char *)p + item_len;
1715 ND_PRINT((ndo," orig=("));
1716 switch (ntohs(n.type)) {
1717 case IPSECDOI_NTYPE_RESPONDER_LIFETIME:
1719 const struct attrmap *map = oakley_t_map;
1720 size_t nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]);
1721 while (cp < ep && cp < ep2) {
1722 cp = ikev1_attrmap_print(ndo, cp,
1723 (ep < ep2) ? ep : ep2, map, nmap);
1727 case IPSECDOI_NTYPE_REPLAY_STATUS:
1728 ND_PRINT((ndo,"replay detection %sabled",
1729 EXTRACT_32BITS(cp) ? "en" : "dis"));
1731 case ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN:
1732 if (ikev1_sub_print(ndo, ISAKMP_NPTYPE_SA,
1733 (const struct isakmp_gen *)cp, ep, phase, doi, proto,
1739 isakmp_print(ndo, cp,
1740 item_len - sizeof(*p) - n.spi_size,
1743 ND_PRINT((ndo,")"));
1745 return (const u_char *)ext + item_len;
1747 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_N)));
1751 static const u_char *
1752 ikev1_d_print(netdissect_options *ndo, u_char tpay _U_,
1753 const struct isakmp_gen *ext, u_int item_len _U_,
1754 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi0 _U_,
1755 uint32_t proto0 _U_, int depth _U_)
1757 const struct ikev1_pl_d *p;
1758 struct ikev1_pl_d d;
1764 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_D)));
1766 p = (const struct ikev1_pl_d *)ext;
1768 UNALIGNED_MEMCPY(&d, ext, sizeof(d));
1772 ND_PRINT((ndo," doi=%u", doi));
1773 ND_PRINT((ndo," proto=%u", proto));
1775 ND_PRINT((ndo," doi=ipsec"));
1776 ND_PRINT((ndo," proto=%s", PROTOIDSTR(proto)));
1778 ND_PRINT((ndo," spilen=%u", d.spi_size));
1779 ND_PRINT((ndo," nspi=%u", ntohs(d.num_spi)));
1780 ND_PRINT((ndo," spi="));
1781 q = (const uint8_t *)(p + 1);
1782 for (i = 0; i < ntohs(d.num_spi); i++) {
1784 ND_PRINT((ndo,","));
1785 if (!rawprint(ndo, (const uint8_t *)q, d.spi_size))
1791 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_D)));
1795 static const u_char *
1796 ikev1_vid_print(netdissect_options *ndo, u_char tpay _U_,
1797 const struct isakmp_gen *ext,
1798 u_int item_len _U_, const u_char *ep _U_,
1799 uint32_t phase _U_, uint32_t doi _U_,
1800 uint32_t proto _U_, int depth _U_)
1802 struct isakmp_gen e;
1804 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_VID)));
1807 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1808 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
1809 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1810 ND_PRINT((ndo," "));
1811 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
1814 return (const u_char *)ext + ntohs(e.len);
1816 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_VID)));
1820 /************************************************************/
1822 /* IKE v2 - rfc4306 - dissector */
1824 /************************************************************/
1827 ikev2_pay_print(netdissect_options *ndo, const char *payname, int critical)
1829 ND_PRINT((ndo,"%s%s:", payname, critical&0x80 ? "[C]" : ""));
1832 static const u_char *
1833 ikev2_gen_print(netdissect_options *ndo, u_char tpay,
1834 const struct isakmp_gen *ext)
1836 struct isakmp_gen e;
1839 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1840 ikev2_pay_print(ndo, NPSTR(tpay), e.critical);
1842 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
1843 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1844 ND_PRINT((ndo," "));
1845 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
1848 return (const u_char *)ext + ntohs(e.len);
1850 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
1854 static const u_char *
1855 ikev2_t_print(netdissect_options *ndo, int tcount,
1856 const struct isakmp_gen *ext, u_int item_len,
1859 const struct ikev2_t *p;
1864 const struct attrmap *map;
1868 p = (const struct ikev2_t *)ext;
1870 UNALIGNED_MEMCPY(&t, ext, sizeof(t));
1871 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_T), t.h.critical);
1873 t_id = ntohs(t.t_id);
1880 idstr = STR_OR_ID(t_id, esp_p_map);
1882 nmap = sizeof(encr_t_map)/sizeof(encr_t_map[0]);
1886 idstr = STR_OR_ID(t_id, prf_p_map);
1890 idstr = STR_OR_ID(t_id, integ_p_map);
1894 idstr = STR_OR_ID(t_id, dh_p_map);
1898 idstr = STR_OR_ID(t_id, esn_p_map);
1907 ND_PRINT((ndo," #%u type=%s id=%s ", tcount,
1908 STR_OR_ID(t.t_type, ikev2_t_type_map),
1911 ND_PRINT((ndo," #%u type=%s id=%u ", tcount,
1912 STR_OR_ID(t.t_type, ikev2_t_type_map),
1914 cp = (const u_char *)(p + 1);
1915 ep2 = (const u_char *)p + item_len;
1916 while (cp < ep && cp < ep2) {
1918 cp = ikev1_attrmap_print(ndo, cp, (ep < ep2) ? ep : ep2,
1921 cp = ikev1_attr_print(ndo, cp, (ep < ep2) ? ep : ep2);
1924 ND_PRINT((ndo,"..."));
1927 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_T)));
1931 static const u_char *
1932 ikev2_p_print(netdissect_options *ndo, u_char tpay _U_, int pcount _U_,
1933 const struct isakmp_gen *ext, u_int oprop_length,
1934 const u_char *ep, int depth)
1936 const struct ikev2_p *p;
1937 struct ikev2_p prop;
1943 struct isakmp_gen e;
1946 p = (const struct ikev2_p *)ext;
1948 UNALIGNED_MEMCPY(&prop, ext, sizeof(prop));
1950 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_P), prop.h.critical);
1953 * ikev2_sa_print() guarantees that this is >= 4.
1955 prop_length = oprop_length - 4;
1956 ND_PRINT((ndo," #%u protoid=%s transform=%d len=%u",
1957 prop.p_no, PROTOIDSTR(prop.prot_id),
1958 prop.num_t, oprop_length));
1959 cp = (const u_char *)(p + 1);
1961 if (prop.spi_size) {
1962 if (prop_length < prop.spi_size)
1964 ND_PRINT((ndo," spi="));
1965 if (!rawprint(ndo, (const uint8_t *)cp, prop.spi_size))
1967 cp += prop.spi_size;
1968 prop_length -= prop.spi_size;
1972 * Print the transforms.
1975 for (np = ISAKMP_NPTYPE_T; np != 0; np = e.np) {
1977 ext = (const struct isakmp_gen *)cp;
1978 if (prop_length < sizeof(*ext))
1982 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1985 * Since we can't have a payload length of less than 4 bytes,
1986 * we need to bail out here if the generic header is nonsensical
1987 * or truncated, otherwise we could loop forever processing
1988 * zero-length items or otherwise misdissect the packet.
1990 item_len = ntohs(e.len);
1994 if (prop_length < item_len)
1996 ND_TCHECK2(*cp, item_len);
1999 ND_PRINT((ndo,"\n"));
2000 for (i = 0; i < depth; i++)
2001 ND_PRINT((ndo," "));
2002 ND_PRINT((ndo,"("));
2003 if (np == ISAKMP_NPTYPE_T) {
2004 cp = ikev2_t_print(ndo, tcount, ext, item_len, ep);
2006 /* error, already reported */
2010 ND_PRINT((ndo, "%s", NPSTR(np)));
2013 ND_PRINT((ndo,")"));
2015 prop_length -= item_len;
2020 * Skip the rest of the proposal.
2023 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_P)));
2026 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_P)));
2030 static const u_char *
2031 ikev2_sa_print(netdissect_options *ndo, u_char tpay,
2032 const struct isakmp_gen *ext1,
2033 u_int osa_length, const u_char *ep,
2034 uint32_t phase _U_, uint32_t doi _U_,
2035 uint32_t proto _U_, int depth)
2037 const struct isakmp_gen *ext;
2038 struct isakmp_gen e;
2047 UNALIGNED_MEMCPY(&e, ext1, sizeof(e));
2048 ikev2_pay_print(ndo, "sa", e.critical);
2051 * ikev2_sub0_print() guarantees that this is >= 4.
2053 osa_length= ntohs(e.len);
2054 sa_length = osa_length - 4;
2055 ND_PRINT((ndo," len=%d", sa_length));
2058 * Print the payloads.
2060 cp = (const u_char *)(ext1 + 1);
2062 for (np = ISAKMP_NPTYPE_P; np != 0; np = e.np) {
2064 ext = (const struct isakmp_gen *)cp;
2065 if (sa_length < sizeof(*ext))
2069 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2072 * Since we can't have a payload length of less than 4 bytes,
2073 * we need to bail out here if the generic header is nonsensical
2074 * or truncated, otherwise we could loop forever processing
2075 * zero-length items or otherwise misdissect the packet.
2077 item_len = ntohs(e.len);
2081 if (sa_length < item_len)
2083 ND_TCHECK2(*cp, item_len);
2086 ND_PRINT((ndo,"\n"));
2087 for (i = 0; i < depth; i++)
2088 ND_PRINT((ndo," "));
2089 ND_PRINT((ndo,"("));
2090 if (np == ISAKMP_NPTYPE_P) {
2091 cp = ikev2_p_print(ndo, np, pcount, ext, item_len,
2094 /* error, already reported */
2098 ND_PRINT((ndo, "%s", NPSTR(np)));
2101 ND_PRINT((ndo,")"));
2103 sa_length -= item_len;
2108 * Skip the rest of the SA.
2111 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2114 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2118 static const u_char *
2119 ikev2_ke_print(netdissect_options *ndo, u_char tpay,
2120 const struct isakmp_gen *ext,
2121 u_int item_len _U_, const u_char *ep _U_,
2122 uint32_t phase _U_, uint32_t doi _U_,
2123 uint32_t proto _U_, int depth _U_)
2126 const struct ikev2_ke *k;
2128 k = (const struct ikev2_ke *)ext;
2130 UNALIGNED_MEMCPY(&ke, ext, sizeof(ke));
2131 ikev2_pay_print(ndo, NPSTR(tpay), ke.h.critical);
2133 ND_PRINT((ndo," len=%u group=%s", ntohs(ke.h.len) - 8,
2134 STR_OR_ID(ntohs(ke.ke_group), dh_p_map)));
2136 if (2 < ndo->ndo_vflag && 8 < ntohs(ke.h.len)) {
2137 ND_PRINT((ndo," "));
2138 if (!rawprint(ndo, (const uint8_t *)(k + 1), ntohs(ke.h.len) - 8))
2141 return (const u_char *)ext + ntohs(ke.h.len);
2143 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2147 static const u_char *
2148 ikev2_ID_print(netdissect_options *ndo, u_char tpay,
2149 const struct isakmp_gen *ext,
2150 u_int item_len _U_, const u_char *ep _U_,
2151 uint32_t phase _U_, uint32_t doi _U_,
2152 uint32_t proto _U_, int depth _U_)
2155 int id_len, idtype_len, i;
2156 unsigned int dumpascii, dumphex;
2157 const unsigned char *typedata;
2160 UNALIGNED_MEMCPY(&id, ext, sizeof(id));
2161 ikev2_pay_print(ndo, NPSTR(tpay), id.h.critical);
2163 id_len = ntohs(id.h.len);
2165 ND_PRINT((ndo," len=%d", id_len - 4));
2166 if (2 < ndo->ndo_vflag && 4 < id_len) {
2167 ND_PRINT((ndo," "));
2168 if (!rawprint(ndo, (const uint8_t *)(ext + 1), id_len - 4))
2172 idtype_len =id_len - sizeof(struct ikev2_id);
2175 typedata = (const unsigned char *)(ext)+sizeof(struct ikev2_id);
2179 ND_PRINT((ndo, " ipv4:"));
2183 ND_PRINT((ndo, " fqdn:"));
2186 case ID_RFC822_ADDR:
2187 ND_PRINT((ndo, " rfc822:"));
2191 ND_PRINT((ndo, " ipv6:"));
2194 case ID_DER_ASN1_DN:
2195 ND_PRINT((ndo, " dn:"));
2198 case ID_DER_ASN1_GN:
2199 ND_PRINT((ndo, " gn:"));
2203 ND_PRINT((ndo, " keyid:"));
2209 ND_TCHECK2(*typedata, idtype_len);
2210 for(i=0; i<idtype_len; i++) {
2211 if(ND_ISPRINT(typedata[i])) {
2212 ND_PRINT((ndo, "%c", typedata[i]));
2214 ND_PRINT((ndo, "."));
2219 if (!rawprint(ndo, (const uint8_t *)typedata, idtype_len))
2223 return (const u_char *)ext + id_len;
2225 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2229 static const u_char *
2230 ikev2_cert_print(netdissect_options *ndo, u_char tpay,
2231 const struct isakmp_gen *ext,
2232 u_int item_len _U_, const u_char *ep _U_,
2233 uint32_t phase _U_, uint32_t doi _U_,
2234 uint32_t proto _U_, int depth _U_)
2236 return ikev2_gen_print(ndo, tpay, ext);
2239 static const u_char *
2240 ikev2_cr_print(netdissect_options *ndo, u_char tpay,
2241 const struct isakmp_gen *ext,
2242 u_int item_len _U_, const u_char *ep _U_,
2243 uint32_t phase _U_, uint32_t doi _U_,
2244 uint32_t proto _U_, int depth _U_)
2246 return ikev2_gen_print(ndo, tpay, ext);
2249 static const u_char *
2250 ikev2_auth_print(netdissect_options *ndo, u_char tpay,
2251 const struct isakmp_gen *ext,
2252 u_int item_len _U_, const u_char *ep,
2253 uint32_t phase _U_, uint32_t doi _U_,
2254 uint32_t proto _U_, int depth _U_)
2256 struct ikev2_auth a;
2257 const char *v2_auth[]={ "invalid", "rsasig",
2258 "shared-secret", "dsssig" };
2259 const u_char *authdata = (const u_char*)ext + sizeof(a);
2263 UNALIGNED_MEMCPY(&a, ext, sizeof(a));
2264 ikev2_pay_print(ndo, NPSTR(tpay), a.h.critical);
2265 len = ntohs(a.h.len);
2267 ND_PRINT((ndo," len=%d method=%s", len-4,
2268 STR_OR_ID(a.auth_method, v2_auth)));
2270 if (1 < ndo->ndo_vflag && 4 < len) {
2271 ND_PRINT((ndo," authdata=("));
2272 if (!rawprint(ndo, (const uint8_t *)authdata, len - sizeof(a)))
2274 ND_PRINT((ndo,") "));
2275 } else if(ndo->ndo_vflag && 4 < len) {
2276 if(!ike_show_somedata(ndo, authdata, ep)) goto trunc;
2279 return (const u_char *)ext + len;
2281 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2285 static const u_char *
2286 ikev2_nonce_print(netdissect_options *ndo, u_char tpay,
2287 const struct isakmp_gen *ext,
2288 u_int item_len _U_, const u_char *ep,
2289 uint32_t phase _U_, uint32_t doi _U_,
2290 uint32_t proto _U_, int depth _U_)
2292 struct isakmp_gen e;
2295 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2296 ikev2_pay_print(ndo, "nonce", e.critical);
2298 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
2299 if (1 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
2300 ND_PRINT((ndo," nonce=("));
2301 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
2303 ND_PRINT((ndo,") "));
2304 } else if(ndo->ndo_vflag && 4 < ntohs(e.len)) {
2305 if(!ike_show_somedata(ndo, (const u_char *)(ext+1), ep)) goto trunc;
2308 return (const u_char *)ext + ntohs(e.len);
2310 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2314 /* notify payloads */
2315 static const u_char *
2316 ikev2_n_print(netdissect_options *ndo, u_char tpay _U_,
2317 const struct isakmp_gen *ext,
2318 u_int item_len, const u_char *ep,
2319 uint32_t phase _U_, uint32_t doi _U_,
2320 uint32_t proto _U_, int depth _U_)
2322 const struct ikev2_n *p;
2325 u_char showspi, showdata, showsomedata;
2326 const char *notify_name;
2329 p = (const struct ikev2_n *)ext;
2331 UNALIGNED_MEMCPY(&n, ext, sizeof(n));
2332 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_N), n.h.critical);
2339 ND_PRINT((ndo," prot_id=%s", PROTOIDSTR(n.prot_id)));
2341 type = ntohs(n.type);
2343 /* notify space is annoying sparse */
2345 case IV2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD:
2346 notify_name = "unsupported_critical_payload";
2350 case IV2_NOTIFY_INVALID_IKE_SPI:
2351 notify_name = "invalid_ike_spi";
2355 case IV2_NOTIFY_INVALID_MAJOR_VERSION:
2356 notify_name = "invalid_major_version";
2360 case IV2_NOTIFY_INVALID_SYNTAX:
2361 notify_name = "invalid_syntax";
2365 case IV2_NOTIFY_INVALID_MESSAGE_ID:
2366 notify_name = "invalid_message_id";
2370 case IV2_NOTIFY_INVALID_SPI:
2371 notify_name = "invalid_spi";
2375 case IV2_NOTIFY_NO_PROPOSAL_CHOSEN:
2376 notify_name = "no_protocol_chosen";
2380 case IV2_NOTIFY_INVALID_KE_PAYLOAD:
2381 notify_name = "invalid_ke_payload";
2385 case IV2_NOTIFY_AUTHENTICATION_FAILED:
2386 notify_name = "authentication_failed";
2390 case IV2_NOTIFY_SINGLE_PAIR_REQUIRED:
2391 notify_name = "single_pair_required";
2395 case IV2_NOTIFY_NO_ADDITIONAL_SAS:
2396 notify_name = "no_additional_sas";
2400 case IV2_NOTIFY_INTERNAL_ADDRESS_FAILURE:
2401 notify_name = "internal_address_failure";
2405 case IV2_NOTIFY_FAILED_CP_REQUIRED:
2406 notify_name = "failed:cp_required";
2410 case IV2_NOTIFY_INVALID_SELECTORS:
2411 notify_name = "invalid_selectors";
2415 case IV2_NOTIFY_INITIAL_CONTACT:
2416 notify_name = "initial_contact";
2420 case IV2_NOTIFY_SET_WINDOW_SIZE:
2421 notify_name = "set_window_size";
2425 case IV2_NOTIFY_ADDITIONAL_TS_POSSIBLE:
2426 notify_name = "additional_ts_possible";
2430 case IV2_NOTIFY_IPCOMP_SUPPORTED:
2431 notify_name = "ipcomp_supported";
2435 case IV2_NOTIFY_NAT_DETECTION_SOURCE_IP:
2436 notify_name = "nat_detection_source_ip";
2440 case IV2_NOTIFY_NAT_DETECTION_DESTINATION_IP:
2441 notify_name = "nat_detection_destination_ip";
2445 case IV2_NOTIFY_COOKIE:
2446 notify_name = "cookie";
2452 case IV2_NOTIFY_USE_TRANSPORT_MODE:
2453 notify_name = "use_transport_mode";
2457 case IV2_NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED:
2458 notify_name = "http_cert_lookup_supported";
2462 case IV2_NOTIFY_REKEY_SA:
2463 notify_name = "rekey_sa";
2467 case IV2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED:
2468 notify_name = "tfc_padding_not_supported";
2472 case IV2_NOTIFY_NON_FIRST_FRAGMENTS_ALSO:
2473 notify_name = "non_first_fragment_also";
2479 notify_name="error";
2480 } else if(type < 16384) {
2481 notify_name="private-error";
2482 } else if(type < 40960) {
2483 notify_name="status";
2485 notify_name="private-status";
2490 ND_PRINT((ndo," type=%u(%s)", type, notify_name));
2494 if (showspi && n.spi_size) {
2495 ND_PRINT((ndo," spi="));
2496 if (!rawprint(ndo, (const uint8_t *)(p + 1), n.spi_size))
2500 cp = (const u_char *)(p + 1) + n.spi_size;
2502 if(3 < ndo->ndo_vflag) {
2506 if ((showdata || (showsomedata && ep-cp < 30)) && cp < ep) {
2507 ND_PRINT((ndo," data=("));
2508 if (!rawprint(ndo, (const uint8_t *)(cp), ep - cp))
2511 ND_PRINT((ndo,")"));
2513 } else if(showsomedata && cp < ep) {
2514 if(!ike_show_somedata(ndo, cp, ep)) goto trunc;
2517 return (const u_char *)ext + item_len;
2519 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_N)));
2523 static const u_char *
2524 ikev2_d_print(netdissect_options *ndo, u_char tpay,
2525 const struct isakmp_gen *ext,
2526 u_int item_len _U_, const u_char *ep _U_,
2527 uint32_t phase _U_, uint32_t doi _U_,
2528 uint32_t proto _U_, int depth _U_)
2530 return ikev2_gen_print(ndo, tpay, ext);
2533 static const u_char *
2534 ikev2_vid_print(netdissect_options *ndo, u_char tpay,
2535 const struct isakmp_gen *ext,
2536 u_int item_len _U_, const u_char *ep _U_,
2537 uint32_t phase _U_, uint32_t doi _U_,
2538 uint32_t proto _U_, int depth _U_)
2540 struct isakmp_gen e;
2545 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2546 ikev2_pay_print(ndo, NPSTR(tpay), e.critical);
2547 ND_PRINT((ndo," len=%d vid=", ntohs(e.len) - 4));
2549 vid = (const u_char *)(ext+1);
2550 len = ntohs(e.len) - 4;
2551 ND_TCHECK2(*vid, len);
2552 for(i=0; i<len; i++) {
2553 if(ND_ISPRINT(vid[i])) ND_PRINT((ndo, "%c", vid[i]));
2554 else ND_PRINT((ndo, "."));
2556 if (2 < ndo->ndo_vflag && 4 < len) {
2557 ND_PRINT((ndo," "));
2558 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
2561 return (const u_char *)ext + ntohs(e.len);
2563 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2567 static const u_char *
2568 ikev2_TS_print(netdissect_options *ndo, u_char tpay,
2569 const struct isakmp_gen *ext,
2570 u_int item_len _U_, const u_char *ep _U_,
2571 uint32_t phase _U_, uint32_t doi _U_,
2572 uint32_t proto _U_, int depth _U_)
2574 return ikev2_gen_print(ndo, tpay, ext);
2577 static const u_char *
2578 ikev2_e_print(netdissect_options *ndo,
2579 #ifndef HAVE_LIBCRYPTO
2582 struct isakmp *base,
2584 const struct isakmp_gen *ext,
2585 u_int item_len _U_, const u_char *ep _U_,
2586 #ifndef HAVE_LIBCRYPTO
2590 #ifndef HAVE_LIBCRYPTO
2594 #ifndef HAVE_LIBCRYPTO
2598 #ifndef HAVE_LIBCRYPTO
2603 struct isakmp_gen e;
2608 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2609 ikev2_pay_print(ndo, NPSTR(tpay), e.critical);
2611 dlen = ntohs(e.len)-4;
2613 ND_PRINT((ndo," len=%d", dlen));
2614 if (2 < ndo->ndo_vflag && 4 < dlen) {
2615 ND_PRINT((ndo," "));
2616 if (!rawprint(ndo, (const uint8_t *)(ext + 1), dlen))
2620 dat = (const u_char *)(ext+1);
2621 ND_TCHECK2(*dat, dlen);
2623 #ifdef HAVE_LIBCRYPTO
2624 /* try to decypt it! */
2625 if(esp_print_decrypt_buffer_by_ikev2(ndo,
2626 base->flags & ISAKMP_FLAG_I,
2627 base->i_ck, base->r_ck,
2630 ext = (const struct isakmp_gen *)ndo->ndo_packetp;
2632 /* got it decrypted, print stuff inside. */
2633 ikev2_sub_print(ndo, base, e.np, ext, ndo->ndo_snapend,
2634 phase, doi, proto, depth+1);
2639 /* always return NULL, because E must be at end, and NP refers
2640 * to what was inside.
2644 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2648 static const u_char *
2649 ikev2_cp_print(netdissect_options *ndo, u_char tpay,
2650 const struct isakmp_gen *ext,
2651 u_int item_len _U_, const u_char *ep _U_,
2652 uint32_t phase _U_, uint32_t doi _U_,
2653 uint32_t proto _U_, int depth _U_)
2655 return ikev2_gen_print(ndo, tpay, ext);
2658 static const u_char *
2659 ikev2_eap_print(netdissect_options *ndo, u_char tpay,
2660 const struct isakmp_gen *ext,
2661 u_int item_len _U_, const u_char *ep _U_,
2662 uint32_t phase _U_, uint32_t doi _U_,
2663 uint32_t proto _U_, int depth _U_)
2665 return ikev2_gen_print(ndo, tpay, ext);
2668 static const u_char *
2669 ike_sub0_print(netdissect_options *ndo,
2670 u_char np, const struct isakmp_gen *ext, const u_char *ep,
2672 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
2675 struct isakmp_gen e;
2678 cp = (const u_char *)ext;
2680 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2683 * Since we can't have a payload length of less than 4 bytes,
2684 * we need to bail out here if the generic header is nonsensical
2685 * or truncated, otherwise we could loop forever processing
2686 * zero-length items or otherwise misdissect the packet.
2688 item_len = ntohs(e.len);
2694 * XXX - what if item_len is too short, or too long,
2695 * for this payload type?
2697 cp = (*npfunc[np])(ndo, np, ext, item_len, ep, phase, doi, proto, depth);
2699 ND_PRINT((ndo,"%s", NPSTR(np)));
2705 ND_PRINT((ndo," [|isakmp]"));
2709 static const u_char *
2710 ikev1_sub_print(netdissect_options *ndo,
2711 u_char np, const struct isakmp_gen *ext, const u_char *ep,
2712 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
2716 struct isakmp_gen e;
2718 cp = (const u_char *)ext;
2723 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2725 ND_TCHECK2(*ext, ntohs(e.len));
2728 ND_PRINT((ndo,"\n"));
2729 for (i = 0; i < depth; i++)
2730 ND_PRINT((ndo," "));
2731 ND_PRINT((ndo,"("));
2732 cp = ike_sub0_print(ndo, np, ext, ep, phase, doi, proto, depth);
2733 ND_PRINT((ndo,")"));
2737 /* Zero-length subitem */
2742 ext = (const struct isakmp_gen *)cp;
2746 ND_PRINT((ndo," [|%s]", NPSTR(np)));
2753 static char buf[20];
2754 snprintf(buf, sizeof(buf), "#%d", x);
2759 ikev1_print(netdissect_options *ndo,
2760 const u_char *bp, u_int length,
2761 const u_char *bp2, struct isakmp *base)
2763 const struct isakmp *p;
2769 p = (const struct isakmp *)bp;
2770 ep = ndo->ndo_snapend;
2772 phase = (EXTRACT_32BITS(base->msgid) == 0) ? 1 : 2;
2774 ND_PRINT((ndo," phase %d", phase));
2776 ND_PRINT((ndo," phase %d/others", phase));
2778 i = cookie_find(&base->i_ck);
2780 if (iszero((const u_char *)&base->r_ck, sizeof(base->r_ck))) {
2781 /* the first packet */
2782 ND_PRINT((ndo," I"));
2784 cookie_record(&base->i_ck, bp2);
2786 ND_PRINT((ndo," ?"));
2788 if (bp2 && cookie_isinitiator(i, bp2))
2789 ND_PRINT((ndo," I"));
2790 else if (bp2 && cookie_isresponder(i, bp2))
2791 ND_PRINT((ndo," R"));
2793 ND_PRINT((ndo," ?"));
2796 ND_PRINT((ndo," %s", ETYPESTR(base->etype)));
2798 ND_PRINT((ndo,"[%s%s]", base->flags & ISAKMP_FLAG_E ? "E" : "",
2799 base->flags & ISAKMP_FLAG_C ? "C" : ""));
2802 if (ndo->ndo_vflag) {
2803 const struct isakmp_gen *ext;
2805 ND_PRINT((ndo,":"));
2807 /* regardless of phase... */
2808 if (base->flags & ISAKMP_FLAG_E) {
2810 * encrypted, nothing we can do right now.
2811 * we hope to decrypt the packet in the future...
2813 ND_PRINT((ndo," [encrypted %s]", NPSTR(base->np)));
2817 CHECKLEN(p + 1, base->np);
2819 ext = (const struct isakmp_gen *)(p + 1);
2820 ikev1_sub_print(ndo, np, ext, ep, phase, 0, 0, 0);
2824 if (ndo->ndo_vflag) {
2825 if (ntohl(base->len) != length) {
2826 ND_PRINT((ndo," (len mismatch: isakmp %u/ip %u)",
2827 (uint32_t)ntohl(base->len), length));
2832 static const u_char *
2833 ikev2_sub0_print(netdissect_options *ndo, struct isakmp *base,
2835 const struct isakmp_gen *ext, const u_char *ep,
2836 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
2839 struct isakmp_gen e;
2842 cp = (const u_char *)ext;
2844 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2847 * Since we can't have a payload length of less than 4 bytes,
2848 * we need to bail out here if the generic header is nonsensical
2849 * or truncated, otherwise we could loop forever processing
2850 * zero-length items or otherwise misdissect the packet.
2852 item_len = ntohs(e.len);
2856 if (np == ISAKMP_NPTYPE_v2E) {
2857 cp = ikev2_e_print(ndo, base, np, ext, item_len,
2858 ep, phase, doi, proto, depth);
2859 } else if (NPFUNC(np)) {
2861 * XXX - what if item_len is too short, or too long,
2862 * for this payload type?
2864 cp = (*npfunc[np])(ndo, np, ext, item_len,
2865 ep, phase, doi, proto, depth);
2867 ND_PRINT((ndo,"%s", NPSTR(np)));
2873 ND_PRINT((ndo," [|isakmp]"));
2877 static const u_char *
2878 ikev2_sub_print(netdissect_options *ndo,
2879 struct isakmp *base,
2880 u_char np, const struct isakmp_gen *ext, const u_char *ep,
2881 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
2885 struct isakmp_gen e;
2887 cp = (const u_char *)ext;
2891 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2893 ND_TCHECK2(*ext, ntohs(e.len));
2896 ND_PRINT((ndo,"\n"));
2897 for (i = 0; i < depth; i++)
2898 ND_PRINT((ndo," "));
2899 ND_PRINT((ndo,"("));
2900 cp = ikev2_sub0_print(ndo, base, np,
2901 ext, ep, phase, doi, proto, depth);
2902 ND_PRINT((ndo,")"));
2906 /* Zero-length subitem */
2911 ext = (const struct isakmp_gen *)cp;
2915 ND_PRINT((ndo," [|%s]", NPSTR(np)));
2920 ikev2_print(netdissect_options *ndo,
2921 const u_char *bp, u_int length,
2922 const u_char *bp2 _U_, struct isakmp *base)
2924 const struct isakmp *p;
2929 p = (const struct isakmp *)bp;
2930 ep = ndo->ndo_snapend;
2932 phase = (EXTRACT_32BITS(base->msgid) == 0) ? 1 : 2;
2934 ND_PRINT((ndo, " parent_sa"));
2936 ND_PRINT((ndo, " child_sa "));
2938 ND_PRINT((ndo, " %s", ETYPESTR(base->etype)));
2940 ND_PRINT((ndo, "[%s%s%s]",
2941 base->flags & ISAKMP_FLAG_I ? "I" : "",
2942 base->flags & ISAKMP_FLAG_V ? "V" : "",
2943 base->flags & ISAKMP_FLAG_R ? "R" : ""));
2946 if (ndo->ndo_vflag) {
2947 const struct isakmp_gen *ext;
2949 ND_PRINT((ndo, ":"));
2951 /* regardless of phase... */
2952 if (base->flags & ISAKMP_FLAG_E) {
2954 * encrypted, nothing we can do right now.
2955 * we hope to decrypt the packet in the future...
2957 ND_PRINT((ndo, " [encrypted %s]", NPSTR(base->np)));
2961 CHECKLEN(p + 1, base->np)
2964 ext = (const struct isakmp_gen *)(p + 1);
2965 ikev2_sub_print(ndo, base, np, ext, ep, phase, 0, 0, 0);
2969 if (ndo->ndo_vflag) {
2970 if (ntohl(base->len) != length) {
2971 ND_PRINT((ndo, " (len mismatch: isakmp %u/ip %u)",
2972 (uint32_t)ntohl(base->len), length));
2978 isakmp_print(netdissect_options *ndo,
2979 const u_char *bp, u_int length,
2982 const struct isakmp *p;
2987 #ifdef HAVE_LIBCRYPTO
2988 /* initialize SAs */
2989 if (ndo->ndo_sa_list_head == NULL) {
2990 if (ndo->ndo_espsecret)
2991 esp_print_decodesecret(ndo);
2995 p = (const struct isakmp *)bp;
2996 ep = ndo->ndo_snapend;
2998 if ((const struct isakmp *)ep < p + 1) {
2999 ND_PRINT((ndo,"[|isakmp]"));
3003 UNALIGNED_MEMCPY(&base, p, sizeof(base));
3005 ND_PRINT((ndo,"isakmp"));
3006 major = (base.vers & ISAKMP_VERS_MAJOR)
3007 >> ISAKMP_VERS_MAJOR_SHIFT;
3008 minor = (base.vers & ISAKMP_VERS_MINOR)
3009 >> ISAKMP_VERS_MINOR_SHIFT;
3011 if (ndo->ndo_vflag) {
3012 ND_PRINT((ndo," %d.%d", major, minor));
3015 if (ndo->ndo_vflag) {
3016 ND_PRINT((ndo," msgid "));
3017 hexprint(ndo, (const uint8_t *)&base.msgid, sizeof(base.msgid));
3020 if (1 < ndo->ndo_vflag) {
3021 ND_PRINT((ndo," cookie "));
3022 hexprint(ndo, (const uint8_t *)&base.i_ck, sizeof(base.i_ck));
3023 ND_PRINT((ndo,"->"));
3024 hexprint(ndo, (const uint8_t *)&base.r_ck, sizeof(base.r_ck));
3026 ND_PRINT((ndo,":"));
3029 case IKEv1_MAJOR_VERSION:
3030 ikev1_print(ndo, bp, length, bp2, &base);
3033 case IKEv2_MAJOR_VERSION:
3034 ikev2_print(ndo, bp, length, bp2, &base);
3040 isakmp_rfc3948_print(netdissect_options *ndo,
3041 const u_char *bp, u_int length,
3045 if(length == 1 && bp[0]==0xff) {
3046 ND_PRINT((ndo, "isakmp-nat-keep-alive"));
3055 * see if this is an IKE packet
3057 if(bp[0]==0 && bp[1]==0 && bp[2]==0 && bp[3]==0) {
3058 ND_PRINT((ndo, "NONESP-encap: "));
3059 isakmp_print(ndo, bp+4, length-4, bp2);
3063 /* must be an ESP packet */
3065 int nh, enh, padlen;
3068 ND_PRINT((ndo, "UDP-encap: "));
3070 advance = esp_print(ndo, bp, length, bp2, &enh, &padlen);
3075 length -= advance + padlen;
3078 ip_print_inner(ndo, bp, length, nh, bp2);
3083 ND_PRINT((ndo,"[|isakmp]"));
3089 * c-style: whitesmith
projects / FreeBSD / FreeBSD.git / blob