2 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. Neither the name of the project nor the names of its contributors
14 * may be used to endorse or promote products derived from this software
15 * without specific prior written permission.
17 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 static const char rcsid[] _U_ =
33 "@(#) $Header: /tcpdump/master/tcpdump/print-isakmp.c,v 1.61 2008-02-05 19:34:25 guy Exp $ (LBL)";
36 #define NETDISSECT_REWORKED
41 #include <tcpdump-stdinc.h>
48 #include "ipsec_doi.h"
50 #include "interface.h"
51 #include "addrtoname.h"
52 #include "extract.h" /* must come after interface.h */
59 #ifndef HAVE_SOCKADDR_STORAGE
60 #define sockaddr_storage sockaddr
63 #define DECLARE_PRINTER(func) static const u_char *ike##func##_print( \
64 netdissect_options *ndo, u_char tpay, \
65 const struct isakmp_gen *ext, \
67 const u_char *end_pointer, \
70 u_int32_t proto0, int depth)
72 DECLARE_PRINTER(v1_sa);
73 DECLARE_PRINTER(v1_p);
74 DECLARE_PRINTER(v1_t);
75 DECLARE_PRINTER(v1_ke);
76 DECLARE_PRINTER(v1_id);
77 DECLARE_PRINTER(v1_cert);
78 DECLARE_PRINTER(v1_cr);
79 DECLARE_PRINTER(v1_sig);
80 DECLARE_PRINTER(v1_hash);
81 DECLARE_PRINTER(v1_nonce);
82 DECLARE_PRINTER(v1_n);
83 DECLARE_PRINTER(v1_d);
84 DECLARE_PRINTER(v1_vid);
86 DECLARE_PRINTER(v2_sa);
87 DECLARE_PRINTER(v2_ke);
88 DECLARE_PRINTER(v2_ID);
89 DECLARE_PRINTER(v2_cert);
90 DECLARE_PRINTER(v2_cr);
91 DECLARE_PRINTER(v2_auth);
92 DECLARE_PRINTER(v2_nonce);
93 DECLARE_PRINTER(v2_n);
94 DECLARE_PRINTER(v2_d);
95 DECLARE_PRINTER(v2_vid);
96 DECLARE_PRINTER(v2_TS);
97 DECLARE_PRINTER(v2_cp);
98 DECLARE_PRINTER(v2_eap);
100 static const u_char *ikev2_e_print(netdissect_options *ndo,
103 const struct isakmp_gen *ext,
105 const u_char *end_pointer,
108 u_int32_t proto0, int depth);
111 static const u_char *ike_sub0_print(netdissect_options *ndo,u_char, const struct isakmp_gen *,
112 const u_char *, u_int32_t, u_int32_t, u_int32_t, int);
113 static const u_char *ikev1_sub_print(netdissect_options *ndo,u_char, const struct isakmp_gen *,
114 const u_char *, u_int32_t, u_int32_t, u_int32_t, int);
116 static const u_char *ikev2_sub_print(netdissect_options *ndo,
118 u_char np, const struct isakmp_gen *ext,
119 const u_char *ep, u_int32_t phase,
120 u_int32_t doi, u_int32_t proto,
124 static char *numstr(int);
125 static void safememcpy(void *, const void *, size_t);
128 ikev1_print(netdissect_options *ndo,
129 const u_char *bp, u_int length,
130 const u_char *bp2, struct isakmp *base);
132 #define MAXINITIATORS 20
136 struct sockaddr_storage iaddr;
137 struct sockaddr_storage raddr;
138 } cookiecache[MAXINITIATORS];
141 static const char *protoidstr[] = {
142 NULL, "isakmp", "ipsec-ah", "ipsec-esp", "ipcomp",
146 static const char *npstr[] = {
147 "none", "sa", "p", "t", "ke", "id", "cert", "cr", "hash", /* 0 - 8 */
148 "sig", "nonce", "n", "d", "vid", /* 9 - 13 */
149 "pay14", "pay15", "pay16", "pay17", "pay18", /* 14- 18 */
150 "pay19", "pay20", "pay21", "pay22", "pay23", /* 19- 23 */
151 "pay24", "pay25", "pay26", "pay27", "pay28", /* 24- 28 */
152 "pay29", "pay30", "pay31", "pay32", /* 29- 32 */
153 "v2sa", "v2ke", "v2IDi", "v2IDr", "v2cert",/* 33- 37 */
154 "v2cr", "v2auth","v2nonce", "v2n", "v2d", /* 38- 42 */
155 "v2vid", "v2TSi", "v2TSr", "v2e", "v2cp", /* 43- 47 */
161 static const u_char *(*npfunc[])(netdissect_options *ndo, u_char tpay,
162 const struct isakmp_gen *ext,
164 const u_char *end_pointer,
167 u_int32_t proto0, int depth) = {
181 ikev1_vid_print, /* 13 */
182 NULL, NULL, NULL, NULL, NULL, /* 14- 18 */
183 NULL, NULL, NULL, NULL, NULL, /* 19- 23 */
184 NULL, NULL, NULL, NULL, NULL, /* 24- 28 */
185 NULL, NULL, NULL, NULL, /* 29- 32 */
186 ikev2_sa_print, /* 33 */
187 ikev2_ke_print, /* 34 */
188 ikev2_ID_print, /* 35 */
189 ikev2_ID_print, /* 36 */
190 ikev2_cert_print, /* 37 */
191 ikev2_cr_print, /* 38 */
192 ikev2_auth_print, /* 39 */
193 ikev2_nonce_print, /* 40 */
194 ikev2_n_print, /* 41 */
195 ikev2_d_print, /* 42 */
196 ikev2_vid_print, /* 43 */
197 ikev2_TS_print, /* 44 */
198 ikev2_TS_print, /* 45 */
199 NULL, /* ikev2_e_print,*/ /* 46 - special */
200 ikev2_cp_print, /* 47 */
201 ikev2_eap_print, /* 48 */
205 static const char *etypestr[] = {
206 /* IKEv1 exchange types */
207 "none", "base", "ident", "auth", "agg", "inf", NULL, NULL, /* 0-7 */
208 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 8-15 */
209 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 16-23 */
210 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 24-31 */
211 "oakley-quick", "oakley-newgroup", /* 32-33 */
212 /* IKEv2 exchange types */
213 "ikev2_init", "ikev2_auth", "child_sa", "inf2" /* 34-37 */
216 #define STR_OR_ID(x, tab) \
217 (((x) < sizeof(tab)/sizeof(tab[0]) && tab[(x)]) ? tab[(x)] : numstr(x))
218 #define PROTOIDSTR(x) STR_OR_ID(x, protoidstr)
219 #define NPSTR(x) STR_OR_ID(x, npstr)
220 #define ETYPESTR(x) STR_OR_ID(x, etypestr)
222 #define CHECKLEN(p, np) \
223 if (ep < (u_char *)(p)) { \
224 ND_PRINT((ndo," [|%s]", NPSTR(np))); \
230 (((x) < sizeof(npfunc)/sizeof(npfunc[0]) && npfunc[(x)]) \
231 ? npfunc[(x)] : NULL)
234 iszero(u_char *p, size_t l)
243 /* find cookie from initiator cache */
245 cookie_find(cookie_t *in)
249 for (i = 0; i < MAXINITIATORS; i++) {
250 if (memcmp(in, &cookiecache[i].initiator, sizeof(*in)) == 0)
257 /* record initiator */
259 cookie_record(cookie_t *in, const u_char *bp2)
263 struct sockaddr_in *sin;
266 struct sockaddr_in6 *sin6;
271 ninitiator = (i + 1) % MAXINITIATORS;
275 ip = (struct ip *)bp2;
278 memset(&cookiecache[ninitiator].iaddr, 0,
279 sizeof(cookiecache[ninitiator].iaddr));
280 memset(&cookiecache[ninitiator].raddr, 0,
281 sizeof(cookiecache[ninitiator].raddr));
283 sin = (struct sockaddr_in *)&cookiecache[ninitiator].iaddr;
284 #ifdef HAVE_SOCKADDR_SA_LEN
285 sin->sin_len = sizeof(struct sockaddr_in);
287 sin->sin_family = AF_INET;
288 memcpy(&sin->sin_addr, &ip->ip_src, sizeof(ip->ip_src));
289 sin = (struct sockaddr_in *)&cookiecache[ninitiator].raddr;
290 #ifdef HAVE_SOCKADDR_SA_LEN
291 sin->sin_len = sizeof(struct sockaddr_in);
293 sin->sin_family = AF_INET;
294 memcpy(&sin->sin_addr, &ip->ip_dst, sizeof(ip->ip_dst));
298 memset(&cookiecache[ninitiator].iaddr, 0,
299 sizeof(cookiecache[ninitiator].iaddr));
300 memset(&cookiecache[ninitiator].raddr, 0,
301 sizeof(cookiecache[ninitiator].raddr));
303 ip6 = (struct ip6_hdr *)bp2;
304 sin6 = (struct sockaddr_in6 *)&cookiecache[ninitiator].iaddr;
305 #ifdef HAVE_SOCKADDR_SA_LEN
306 sin6->sin6_len = sizeof(struct sockaddr_in6);
308 sin6->sin6_family = AF_INET6;
309 memcpy(&sin6->sin6_addr, &ip6->ip6_src, sizeof(ip6->ip6_src));
310 sin6 = (struct sockaddr_in6 *)&cookiecache[ninitiator].raddr;
311 #ifdef HAVE_SOCKADDR_SA_LEN
312 sin6->sin6_len = sizeof(struct sockaddr_in6);
314 sin6->sin6_family = AF_INET6;
315 memcpy(&sin6->sin6_addr, &ip6->ip6_dst, sizeof(ip6->ip6_dst));
321 memcpy(&cookiecache[ninitiator].initiator, in, sizeof(*in));
322 ninitiator = (ninitiator + 1) % MAXINITIATORS;
325 #define cookie_isinitiator(x, y) cookie_sidecheck((x), (y), 1)
326 #define cookie_isresponder(x, y) cookie_sidecheck((x), (y), 0)
328 cookie_sidecheck(int i, const u_char *bp2, int initiator)
330 struct sockaddr_storage ss;
333 struct sockaddr_in *sin;
336 struct sockaddr_in6 *sin6;
340 memset(&ss, 0, sizeof(ss));
341 ip = (struct ip *)bp2;
344 sin = (struct sockaddr_in *)&ss;
345 #ifdef HAVE_SOCKADDR_SA_LEN
346 sin->sin_len = sizeof(struct sockaddr_in);
348 sin->sin_family = AF_INET;
349 memcpy(&sin->sin_addr, &ip->ip_src, sizeof(ip->ip_src));
353 ip6 = (struct ip6_hdr *)bp2;
354 sin6 = (struct sockaddr_in6 *)&ss;
355 #ifdef HAVE_SOCKADDR_SA_LEN
356 sin6->sin6_len = sizeof(struct sockaddr_in6);
358 sin6->sin6_family = AF_INET6;
359 memcpy(&sin6->sin6_addr, &ip6->ip6_src, sizeof(ip6->ip6_src));
366 sa = (struct sockaddr *)&ss;
368 if (sa->sa_family != ((struct sockaddr *)&cookiecache[i].iaddr)->sa_family)
370 #ifdef HAVE_SOCKADDR_SA_LEN
374 if (sa->sa_family == AF_INET6)
375 salen = sizeof(struct sockaddr_in6);
377 salen = sizeof(struct sockaddr);
379 salen = sizeof(struct sockaddr);
382 if (memcmp(&ss, &cookiecache[i].iaddr, salen) == 0)
385 if (sa->sa_family != ((struct sockaddr *)&cookiecache[i].raddr)->sa_family)
387 #ifdef HAVE_SOCKADDR_SA_LEN
391 if (sa->sa_family == AF_INET6)
392 salen = sizeof(struct sockaddr_in6);
394 salen = sizeof(struct sockaddr);
396 salen = sizeof(struct sockaddr);
399 if (memcmp(&ss, &cookiecache[i].raddr, salen) == 0)
406 hexprint(netdissect_options *ndo, caddr_t loc, size_t len)
412 for (i = 0; i < len; i++)
413 ND_PRINT((ndo,"%02x", p[i] & 0xff));
417 rawprint(netdissect_options *ndo, caddr_t loc, size_t len)
419 ND_TCHECK2(*loc, len);
421 hexprint(ndo, loc, len);
429 * returns false if we run out of data buffer
431 static int ike_show_somedata(struct netdissect_options *ndo,
432 const u_char *cp, const u_char *ep)
434 /* there is too much data, just show some of it */
435 const u_char *end = ep - 20;
442 /* really shouldn't happen because of above */
448 ND_PRINT((ndo," data=("));
449 if(!rawprint(ndo, (caddr_t)(cp), len)) goto trunc;
450 ND_PRINT((ndo, "..."));
452 if(!rawprint(ndo, (caddr_t)(end), elen)) goto trunc;
464 const char *value[30]; /*XXX*/
467 static const u_char *
468 ikev1_attrmap_print(netdissect_options *ndo,
469 const u_char *p, const u_char *ep,
470 const struct attrmap *map, size_t nmap)
480 totlen = 4 + EXTRACT_16BITS(&q[1]);
481 if (ep < p + totlen) {
482 ND_PRINT((ndo,"[|attr]"));
487 t = EXTRACT_16BITS(&q[0]) & 0x7fff;
488 if (map && t < nmap && map[t].type)
489 ND_PRINT((ndo,"type=%s ", map[t].type));
491 ND_PRINT((ndo,"type=#%d ", t));
493 ND_PRINT((ndo,"value="));
494 v = EXTRACT_16BITS(&q[1]);
495 if (map && t < nmap && v < map[t].nvalue && map[t].value[v])
496 ND_PRINT((ndo,"%s", map[t].value[v]));
498 rawprint(ndo, (caddr_t)&q[1], 2);
500 ND_PRINT((ndo,"len=%d value=", EXTRACT_16BITS(&q[1])));
501 rawprint(ndo, (caddr_t)&p[4], EXTRACT_16BITS(&q[1]));
507 static const u_char *
508 ikev1_attr_print(netdissect_options *ndo, const u_char *p, const u_char *ep)
518 totlen = 4 + EXTRACT_16BITS(&q[1]);
519 if (ep < p + totlen) {
520 ND_PRINT((ndo,"[|attr]"));
525 t = EXTRACT_16BITS(&q[0]) & 0x7fff;
526 ND_PRINT((ndo,"type=#%d ", t));
528 ND_PRINT((ndo,"value="));
530 rawprint(ndo, (caddr_t)&q[1], 2);
532 ND_PRINT((ndo,"len=%d value=", EXTRACT_16BITS(&q[1])));
533 rawprint(ndo, (caddr_t)&p[2], EXTRACT_16BITS(&q[1]));
539 static const u_char *
540 ikev1_sa_print(netdissect_options *ndo, u_char tpay _U_,
541 const struct isakmp_gen *ext,
543 const u_char *ep, u_int32_t phase, u_int32_t doi0 _U_,
544 u_int32_t proto0, int depth)
546 const struct ikev1_pl_sa *p;
547 struct ikev1_pl_sa sa;
549 u_int32_t doi, sit, ident;
550 const u_char *cp, *np;
553 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_SA)));
555 p = (struct ikev1_pl_sa *)ext;
557 safememcpy(&sa, ext, sizeof(sa));
561 ND_PRINT((ndo," doi=%d", doi));
562 ND_PRINT((ndo," situation=%u", (u_int32_t)ntohl(sa.sit)));
563 return (u_char *)(p + 1);
566 ND_PRINT((ndo," doi=ipsec"));
567 q = (u_int32_t *)&sa.sit;
568 ND_PRINT((ndo," situation="));
571 ND_PRINT((ndo,"identity"));
575 ND_PRINT((ndo,"%ssecrecy", t ? "+" : ""));
579 ND_PRINT((ndo,"%sintegrity", t ? "+" : ""));
581 np = (u_char *)ext + sizeof(sa);
583 ND_TCHECK2(*(ext + 1), sizeof(ident));
584 safememcpy(&ident, ext + 1, sizeof(ident));
585 ND_PRINT((ndo," ident=%u", (u_int32_t)ntohl(ident)));
589 ext = (struct isakmp_gen *)np;
592 cp = ikev1_sub_print(ndo, ISAKMP_NPTYPE_P, ext, ep, phase, doi, proto0,
597 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_SA)));
601 static const u_char *
602 ikev1_p_print(netdissect_options *ndo, u_char tpay _U_,
603 const struct isakmp_gen *ext, u_int item_len _U_,
604 const u_char *ep, u_int32_t phase, u_int32_t doi0,
605 u_int32_t proto0 _U_, int depth)
607 const struct ikev1_pl_p *p;
608 struct ikev1_pl_p prop;
611 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_P)));
613 p = (struct ikev1_pl_p *)ext;
615 safememcpy(&prop, ext, sizeof(prop));
616 ND_PRINT((ndo," #%d protoid=%s transform=%d",
617 prop.p_no, PROTOIDSTR(prop.prot_id), prop.num_t));
619 ND_PRINT((ndo," spi="));
620 if (!rawprint(ndo, (caddr_t)(p + 1), prop.spi_size))
624 ext = (struct isakmp_gen *)((u_char *)(p + 1) + prop.spi_size);
627 cp = ikev1_sub_print(ndo, ISAKMP_NPTYPE_T, ext, ep, phase, doi0,
628 prop.prot_id, depth);
632 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_P)));
636 static const char *ikev1_p_map[] = {
640 static const char *ikev2_t_type_map[]={
641 NULL, "encr", "prf", "integ", "dh", "esn"
644 static const char *ah_p_map[] = {
645 NULL, "(reserved)", "md5", "sha", "1des",
646 "sha2-256", "sha2-384", "sha2-512",
649 static const char *prf_p_map[] = {
650 NULL, "hmac-md5", "hmac-sha", "hmac-tiger",
654 static const char *integ_p_map[] = {
655 NULL, "hmac-md5", "hmac-sha", "dec-mac",
656 "kpdk-md5", "aes-xcbc"
659 static const char *esn_p_map[] = {
663 static const char *dh_p_map[] = {
665 "modp1024", /* group 2 */
666 "EC2N 2^155", /* group 3 */
667 "EC2N 2^185", /* group 4 */
668 "modp1536", /* group 5 */
669 "iana-grp06", "iana-grp07", /* reserved */
670 "iana-grp08", "iana-grp09",
671 "iana-grp10", "iana-grp11",
672 "iana-grp12", "iana-grp13",
673 "modp2048", /* group 14 */
674 "modp3072", /* group 15 */
675 "modp4096", /* group 16 */
676 "modp6144", /* group 17 */
677 "modp8192", /* group 18 */
680 static const char *esp_p_map[] = {
681 NULL, "1des-iv64", "1des", "3des", "rc5", "idea", "cast",
682 "blowfish", "3idea", "1des-iv32", "rc4", "null", "aes"
685 static const char *ipcomp_p_map[] = {
686 NULL, "oui", "deflate", "lzs",
689 const struct attrmap ipsec_t_map[] = {
690 { NULL, 0, { NULL } },
691 { "lifetype", 3, { NULL, "sec", "kb", }, },
692 { "life", 0, { NULL } },
693 { "group desc", 18, { NULL, "modp768",
694 "modp1024", /* group 2 */
695 "EC2N 2^155", /* group 3 */
696 "EC2N 2^185", /* group 4 */
697 "modp1536", /* group 5 */
698 "iana-grp06", "iana-grp07", /* reserved */
699 "iana-grp08", "iana-grp09",
700 "iana-grp10", "iana-grp11",
701 "iana-grp12", "iana-grp13",
702 "modp2048", /* group 14 */
703 "modp3072", /* group 15 */
704 "modp4096", /* group 16 */
705 "modp6144", /* group 17 */
706 "modp8192", /* group 18 */
708 { "enc mode", 3, { NULL, "tunnel", "transport", }, },
709 { "auth", 5, { NULL, "hmac-md5", "hmac-sha1", "1des-mac", "keyed", }, },
710 { "keylen", 0, { NULL } },
711 { "rounds", 0, { NULL } },
712 { "dictsize", 0, { NULL } },
713 { "privalg", 0, { NULL } },
716 const struct attrmap encr_t_map[] = {
717 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 0, 1 */
718 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 2, 3 */
719 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 4, 5 */
720 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 6, 7 */
721 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 8, 9 */
722 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 10,11*/
723 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 12,13*/
724 { "keylen", 14, { NULL }},
727 const struct attrmap oakley_t_map[] = {
728 { NULL, 0, { NULL } },
729 { "enc", 8, { NULL, "1des", "idea", "blowfish", "rc5",
730 "3des", "cast", "aes", }, },
731 { "hash", 7, { NULL, "md5", "sha1", "tiger",
732 "sha2-256", "sha2-384", "sha2-512", }, },
733 { "auth", 6, { NULL, "preshared", "dss", "rsa sig", "rsa enc",
734 "rsa enc revised", }, },
735 { "group desc", 18, { NULL, "modp768",
736 "modp1024", /* group 2 */
737 "EC2N 2^155", /* group 3 */
738 "EC2N 2^185", /* group 4 */
739 "modp1536", /* group 5 */
740 "iana-grp06", "iana-grp07", /* reserved */
741 "iana-grp08", "iana-grp09",
742 "iana-grp10", "iana-grp11",
743 "iana-grp12", "iana-grp13",
744 "modp2048", /* group 14 */
745 "modp3072", /* group 15 */
746 "modp4096", /* group 16 */
747 "modp6144", /* group 17 */
748 "modp8192", /* group 18 */
750 { "group type", 4, { NULL, "MODP", "ECP", "EC2N", }, },
751 { "group prime", 0, { NULL } },
752 { "group gen1", 0, { NULL } },
753 { "group gen2", 0, { NULL } },
754 { "group curve A", 0, { NULL } },
755 { "group curve B", 0, { NULL } },
756 { "lifetype", 3, { NULL, "sec", "kb", }, },
757 { "lifeduration", 0, { NULL } },
758 { "prf", 0, { NULL } },
759 { "keylen", 0, { NULL } },
760 { "field", 0, { NULL } },
761 { "order", 0, { NULL } },
764 static const u_char *
765 ikev1_t_print(netdissect_options *ndo, u_char tpay _U_,
766 const struct isakmp_gen *ext, u_int item_len,
767 const u_char *ep, u_int32_t phase _U_, u_int32_t doi _U_,
768 u_int32_t proto, int depth _U_)
770 const struct ikev1_pl_t *p;
774 const struct attrmap *map;
778 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_T)));
780 p = (struct ikev1_pl_t *)ext;
782 safememcpy(&t, ext, sizeof(t));
786 idstr = STR_OR_ID(t.t_id, ikev1_p_map);
788 nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]);
791 idstr = STR_OR_ID(t.t_id, ah_p_map);
793 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
796 idstr = STR_OR_ID(t.t_id, esp_p_map);
798 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
801 idstr = STR_OR_ID(t.t_id, ipcomp_p_map);
803 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
813 ND_PRINT((ndo," #%d id=%s ", t.t_no, idstr));
815 ND_PRINT((ndo," #%d id=%d ", t.t_no, t.t_id));
816 cp = (u_char *)(p + 1);
817 ep2 = (u_char *)p + item_len;
818 while (cp < ep && cp < ep2) {
820 cp = ikev1_attrmap_print(ndo, cp, (ep < ep2) ? ep : ep2,
823 cp = ikev1_attr_print(ndo, cp, (ep < ep2) ? ep : ep2);
826 ND_PRINT((ndo,"..."));
829 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_T)));
833 static const u_char *
834 ikev1_ke_print(netdissect_options *ndo, u_char tpay _U_,
835 const struct isakmp_gen *ext, u_int item_len _U_,
836 const u_char *ep _U_, u_int32_t phase _U_, u_int32_t doi _U_,
837 u_int32_t proto _U_, int depth _U_)
841 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_KE)));
844 safememcpy(&e, ext, sizeof(e));
845 ND_PRINT((ndo," key len=%d", ntohs(e.len) - 4));
846 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
848 if (!rawprint(ndo, (caddr_t)(ext + 1), ntohs(e.len) - 4))
851 return (u_char *)ext + ntohs(e.len);
853 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_KE)));
857 static const u_char *
858 ikev1_id_print(netdissect_options *ndo, u_char tpay _U_,
859 const struct isakmp_gen *ext, u_int item_len _U_,
860 const u_char *ep _U_, u_int32_t phase, u_int32_t doi _U_,
861 u_int32_t proto _U_, int depth _U_)
863 #define USE_IPSECDOI_IN_PHASE1 1
864 const struct ikev1_pl_id *p;
865 struct ikev1_pl_id id;
866 static const char *idtypestr[] = {
867 "IPv4", "IPv4net", "IPv6", "IPv6net",
869 static const char *ipsecidtypestr[] = {
870 NULL, "IPv4", "FQDN", "user FQDN", "IPv4net", "IPv6",
871 "IPv6net", "IPv4range", "IPv6range", "ASN1 DN", "ASN1 GN",
877 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_ID)));
879 p = (struct ikev1_pl_id *)ext;
881 safememcpy(&id, ext, sizeof(id));
882 if (sizeof(*p) < item_len) {
883 data = (u_char *)(p + 1);
884 len = item_len - sizeof(*p);
891 ND_PRINT((ndo," [phase=%d doi=%d proto=%d]", phase, doi, proto));
894 #ifndef USE_IPSECDOI_IN_PHASE1
898 ND_PRINT((ndo," idtype=%s", STR_OR_ID(id.d.id_type, idtypestr)));
899 ND_PRINT((ndo," doi_data=%u",
900 (u_int32_t)(ntohl(id.d.doi_data) & 0xffffff)));
903 #ifdef USE_IPSECDOI_IN_PHASE1
908 const struct ipsecdoi_id *p;
909 struct ipsecdoi_id id;
912 p = (struct ipsecdoi_id *)ext;
914 safememcpy(&id, ext, sizeof(id));
915 ND_PRINT((ndo," idtype=%s", STR_OR_ID(id.type, ipsecidtypestr)));
920 pe = getprotobynumber(id.proto_id);
922 ND_PRINT((ndo," protoid=%s", pe->p_name));
927 /* it DOES NOT mean IPPROTO_IP! */
928 ND_PRINT((ndo," protoid=%s", "0"));
930 ND_PRINT((ndo," port=%d", ntohs(id.port)));
935 ND_TCHECK2(*data, len);
937 case IPSECDOI_ID_IPV4_ADDR:
939 ND_PRINT((ndo," len=%d [bad: < 4]", len));
941 ND_PRINT((ndo," len=%d %s", len, ipaddr_string(data)));
944 case IPSECDOI_ID_FQDN:
945 case IPSECDOI_ID_USER_FQDN:
948 ND_PRINT((ndo," len=%d ", len));
949 for (i = 0; i < len; i++)
950 safeputchar(data[i]);
954 case IPSECDOI_ID_IPV4_ADDR_SUBNET:
958 ND_PRINT((ndo," len=%d [bad: < 8]", len));
960 mask = data + sizeof(struct in_addr);
961 ND_PRINT((ndo," len=%d %s/%u.%u.%u.%u", len,
963 mask[0], mask[1], mask[2], mask[3]));
969 case IPSECDOI_ID_IPV6_ADDR:
971 ND_PRINT((ndo," len=%d [bad: < 16]", len));
973 ND_PRINT((ndo," len=%d %s", len, ip6addr_string(data)));
976 case IPSECDOI_ID_IPV6_ADDR_SUBNET:
978 const u_int32_t *mask;
980 ND_PRINT((ndo," len=%d [bad: < 20]", len));
982 mask = (u_int32_t *)(data + sizeof(struct in6_addr));
984 ND_PRINT((ndo," len=%d %s/0x%08x%08x%08x%08x", len,
985 ip6addr_string(data),
986 mask[0], mask[1], mask[2], mask[3]));
992 case IPSECDOI_ID_IPV4_ADDR_RANGE:
994 ND_PRINT((ndo," len=%d [bad: < 8]", len));
996 ND_PRINT((ndo," len=%d %s-%s", len,
998 ipaddr_string(data + sizeof(struct in_addr))));
1003 case IPSECDOI_ID_IPV6_ADDR_RANGE:
1005 ND_PRINT((ndo," len=%d [bad: < 32]", len));
1007 ND_PRINT((ndo," len=%d %s-%s", len,
1008 ip6addr_string(data),
1009 ip6addr_string(data + sizeof(struct in6_addr))));
1014 case IPSECDOI_ID_DER_ASN1_DN:
1015 case IPSECDOI_ID_DER_ASN1_GN:
1016 case IPSECDOI_ID_KEY_ID:
1023 ND_PRINT((ndo," len=%d", len));
1024 if (2 < ndo->ndo_vflag) {
1025 ND_PRINT((ndo," "));
1026 if (!rawprint(ndo, (caddr_t)data, len))
1030 return (u_char *)ext + item_len;
1032 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_ID)));
1036 static const u_char *
1037 ikev1_cert_print(netdissect_options *ndo, u_char tpay _U_,
1038 const struct isakmp_gen *ext, u_int item_len _U_,
1039 const u_char *ep _U_, u_int32_t phase _U_,
1041 u_int32_t proto0 _U_, int depth _U_)
1043 const struct ikev1_pl_cert *p;
1044 struct ikev1_pl_cert cert;
1045 static const char *certstr[] = {
1046 "none", "pkcs7", "pgp", "dns",
1047 "x509sign", "x509ke", "kerberos", "crl",
1048 "arl", "spki", "x509attr",
1051 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_CERT)));
1053 p = (struct ikev1_pl_cert *)ext;
1055 safememcpy(&cert, ext, sizeof(cert));
1056 ND_PRINT((ndo," len=%d", item_len - 4));
1057 ND_PRINT((ndo," type=%s", STR_OR_ID((cert.encode), certstr)));
1058 if (2 < ndo->ndo_vflag && 4 < item_len) {
1059 ND_PRINT((ndo," "));
1060 if (!rawprint(ndo, (caddr_t)(ext + 1), item_len - 4))
1063 return (u_char *)ext + item_len;
1065 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_CERT)));
1069 static const u_char *
1070 ikev1_cr_print(netdissect_options *ndo, u_char tpay _U_,
1071 const struct isakmp_gen *ext, u_int item_len _U_,
1072 const u_char *ep _U_, u_int32_t phase _U_, u_int32_t doi0 _U_,
1073 u_int32_t proto0 _U_, int depth _U_)
1075 const struct ikev1_pl_cert *p;
1076 struct ikev1_pl_cert cert;
1077 static const char *certstr[] = {
1078 "none", "pkcs7", "pgp", "dns",
1079 "x509sign", "x509ke", "kerberos", "crl",
1080 "arl", "spki", "x509attr",
1083 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_CR)));
1085 p = (struct ikev1_pl_cert *)ext;
1087 safememcpy(&cert, ext, sizeof(cert));
1088 ND_PRINT((ndo," len=%d", item_len - 4));
1089 ND_PRINT((ndo," type=%s", STR_OR_ID((cert.encode), certstr)));
1090 if (2 < ndo->ndo_vflag && 4 < item_len) {
1091 ND_PRINT((ndo," "));
1092 if (!rawprint(ndo, (caddr_t)(ext + 1), item_len - 4))
1095 return (u_char *)ext + item_len;
1097 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_CR)));
1101 static const u_char *
1102 ikev1_hash_print(netdissect_options *ndo, u_char tpay _U_,
1103 const struct isakmp_gen *ext, u_int item_len _U_,
1104 const u_char *ep _U_, u_int32_t phase _U_, u_int32_t doi _U_,
1105 u_int32_t proto _U_, int depth _U_)
1107 struct isakmp_gen e;
1109 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_HASH)));
1112 safememcpy(&e, ext, sizeof(e));
1113 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
1114 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1115 ND_PRINT((ndo," "));
1116 if (!rawprint(ndo, (caddr_t)(ext + 1), ntohs(e.len) - 4))
1119 return (u_char *)ext + ntohs(e.len);
1121 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_HASH)));
1125 static const u_char *
1126 ikev1_sig_print(netdissect_options *ndo, u_char tpay _U_,
1127 const struct isakmp_gen *ext, u_int item_len _U_,
1128 const u_char *ep _U_, u_int32_t phase _U_, u_int32_t doi _U_,
1129 u_int32_t proto _U_, int depth _U_)
1131 struct isakmp_gen e;
1133 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_SIG)));
1136 safememcpy(&e, ext, sizeof(e));
1137 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
1138 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1139 ND_PRINT((ndo," "));
1140 if (!rawprint(ndo, (caddr_t)(ext + 1), ntohs(e.len) - 4))
1143 return (u_char *)ext + ntohs(e.len);
1145 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_SIG)));
1149 static const u_char *
1150 ikev1_nonce_print(netdissect_options *ndo, u_char tpay _U_,
1151 const struct isakmp_gen *ext,
1153 const u_char *ep _U_,
1154 u_int32_t phase _U_, u_int32_t doi _U_,
1155 u_int32_t proto _U_, int depth _U_)
1157 struct isakmp_gen e;
1159 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_NONCE)));
1162 safememcpy(&e, ext, sizeof(e));
1163 ND_PRINT((ndo," n len=%d", ntohs(e.len) - 4));
1164 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1165 ND_PRINT((ndo," "));
1166 if (!rawprint(ndo, (caddr_t)(ext + 1), ntohs(e.len) - 4))
1168 } else if (1 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1169 ND_PRINT((ndo," "));
1170 if (!ike_show_somedata(ndo, (u_char *)(caddr_t)(ext + 1), ep))
1173 return (u_char *)ext + ntohs(e.len);
1175 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_NONCE)));
1179 static const u_char *
1180 ikev1_n_print(netdissect_options *ndo, u_char tpay _U_,
1181 const struct isakmp_gen *ext, u_int item_len,
1182 const u_char *ep, u_int32_t phase, u_int32_t doi0 _U_,
1183 u_int32_t proto0 _U_, int depth)
1185 struct ikev1_pl_n *p, n;
1190 static const char *notify_error_str[] = {
1191 NULL, "INVALID-PAYLOAD-TYPE",
1192 "DOI-NOT-SUPPORTED", "SITUATION-NOT-SUPPORTED",
1193 "INVALID-COOKIE", "INVALID-MAJOR-VERSION",
1194 "INVALID-MINOR-VERSION", "INVALID-EXCHANGE-TYPE",
1195 "INVALID-FLAGS", "INVALID-MESSAGE-ID",
1196 "INVALID-PROTOCOL-ID", "INVALID-SPI",
1197 "INVALID-TRANSFORM-ID", "ATTRIBUTES-NOT-SUPPORTED",
1198 "NO-PROPOSAL-CHOSEN", "BAD-PROPOSAL-SYNTAX",
1199 "PAYLOAD-MALFORMED", "INVALID-KEY-INFORMATION",
1200 "INVALID-ID-INFORMATION", "INVALID-CERT-ENCODING",
1201 "INVALID-CERTIFICATE", "CERT-TYPE-UNSUPPORTED",
1202 "INVALID-CERT-AUTHORITY", "INVALID-HASH-INFORMATION",
1203 "AUTHENTICATION-FAILED", "INVALID-SIGNATURE",
1204 "ADDRESS-NOTIFICATION", "NOTIFY-SA-LIFETIME",
1205 "CERTIFICATE-UNAVAILABLE", "UNSUPPORTED-EXCHANGE-TYPE",
1206 "UNEQUAL-PAYLOAD-LENGTHS",
1208 static const char *ipsec_notify_error_str[] = {
1211 static const char *notify_status_str[] = {
1214 static const char *ipsec_notify_status_str[] = {
1215 "RESPONDER-LIFETIME", "REPLAY-STATUS",
1218 /* NOTE: these macro must be called with x in proper range */
1221 #define NOTIFY_ERROR_STR(x) \
1222 STR_OR_ID((x), notify_error_str)
1225 #define IPSEC_NOTIFY_ERROR_STR(x) \
1226 STR_OR_ID((u_int)((x) - 8192), ipsec_notify_error_str)
1229 #define NOTIFY_STATUS_STR(x) \
1230 STR_OR_ID((u_int)((x) - 16384), notify_status_str)
1233 #define IPSEC_NOTIFY_STATUS_STR(x) \
1234 STR_OR_ID((u_int)((x) - 24576), ipsec_notify_status_str)
1236 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_N)));
1238 p = (struct ikev1_pl_n *)ext;
1240 safememcpy(&n, ext, sizeof(n));
1244 ND_PRINT((ndo," doi=%d", doi));
1245 ND_PRINT((ndo," proto=%d", proto));
1246 if (ntohs(n.type) < 8192)
1247 ND_PRINT((ndo," type=%s", NOTIFY_ERROR_STR(ntohs(n.type))));
1248 else if (ntohs(n.type) < 16384)
1249 ND_PRINT((ndo," type=%s", numstr(ntohs(n.type))));
1250 else if (ntohs(n.type) < 24576)
1251 ND_PRINT((ndo," type=%s", NOTIFY_STATUS_STR(ntohs(n.type))));
1253 ND_PRINT((ndo," type=%s", numstr(ntohs(n.type))));
1255 ND_PRINT((ndo," spi="));
1256 if (!rawprint(ndo, (caddr_t)(p + 1), n.spi_size))
1259 return (u_char *)(p + 1) + n.spi_size;
1262 ND_PRINT((ndo," doi=ipsec"));
1263 ND_PRINT((ndo," proto=%s", PROTOIDSTR(proto)));
1264 if (ntohs(n.type) < 8192)
1265 ND_PRINT((ndo," type=%s", NOTIFY_ERROR_STR(ntohs(n.type))));
1266 else if (ntohs(n.type) < 16384)
1267 ND_PRINT((ndo," type=%s", IPSEC_NOTIFY_ERROR_STR(ntohs(n.type))));
1268 else if (ntohs(n.type) < 24576)
1269 ND_PRINT((ndo," type=%s", NOTIFY_STATUS_STR(ntohs(n.type))));
1270 else if (ntohs(n.type) < 32768)
1271 ND_PRINT((ndo," type=%s", IPSEC_NOTIFY_STATUS_STR(ntohs(n.type))));
1273 ND_PRINT((ndo," type=%s", numstr(ntohs(n.type))));
1275 ND_PRINT((ndo," spi="));
1276 if (!rawprint(ndo, (caddr_t)(p + 1), n.spi_size))
1280 cp = (u_char *)(p + 1) + n.spi_size;
1281 ep2 = (u_char *)p + item_len;
1284 ND_PRINT((ndo," orig=("));
1285 switch (ntohs(n.type)) {
1286 case IPSECDOI_NTYPE_RESPONDER_LIFETIME:
1288 const struct attrmap *map = oakley_t_map;
1289 size_t nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]);
1290 while (cp < ep && cp < ep2) {
1291 cp = ikev1_attrmap_print(ndo, cp,
1292 (ep < ep2) ? ep : ep2, map, nmap);
1296 case IPSECDOI_NTYPE_REPLAY_STATUS:
1297 ND_PRINT((ndo,"replay detection %sabled",
1298 (*(u_int32_t *)cp) ? "en" : "dis"));
1300 case ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN:
1301 if (ikev1_sub_print(ndo, ISAKMP_NPTYPE_SA,
1302 (struct isakmp_gen *)cp, ep, phase, doi, proto,
1308 isakmp_print(ndo, cp,
1309 item_len - sizeof(*p) - n.spi_size,
1312 ND_PRINT((ndo,")"));
1314 return (u_char *)ext + item_len;
1316 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_N)));
1320 static const u_char *
1321 ikev1_d_print(netdissect_options *ndo, u_char tpay _U_,
1322 const struct isakmp_gen *ext, u_int item_len _U_,
1323 const u_char *ep _U_, u_int32_t phase _U_, u_int32_t doi0 _U_,
1324 u_int32_t proto0 _U_, int depth _U_)
1326 const struct ikev1_pl_d *p;
1327 struct ikev1_pl_d d;
1333 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_D)));
1335 p = (struct ikev1_pl_d *)ext;
1337 safememcpy(&d, ext, sizeof(d));
1341 ND_PRINT((ndo," doi=%u", doi));
1342 ND_PRINT((ndo," proto=%u", proto));
1344 ND_PRINT((ndo," doi=ipsec"));
1345 ND_PRINT((ndo," proto=%s", PROTOIDSTR(proto)));
1347 ND_PRINT((ndo," spilen=%u", d.spi_size));
1348 ND_PRINT((ndo," nspi=%u", ntohs(d.num_spi)));
1349 ND_PRINT((ndo," spi="));
1350 q = (u_int8_t *)(p + 1);
1351 for (i = 0; i < ntohs(d.num_spi); i++) {
1353 ND_PRINT((ndo,","));
1354 if (!rawprint(ndo, (caddr_t)q, d.spi_size))
1360 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_D)));
1364 static const u_char *
1365 ikev1_vid_print(netdissect_options *ndo, u_char tpay _U_,
1366 const struct isakmp_gen *ext,
1367 u_int item_len _U_, const u_char *ep _U_,
1368 u_int32_t phase _U_, u_int32_t doi _U_,
1369 u_int32_t proto _U_, int depth _U_)
1371 struct isakmp_gen e;
1373 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_VID)));
1376 safememcpy(&e, ext, sizeof(e));
1377 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
1378 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1379 ND_PRINT((ndo," "));
1380 if (!rawprint(ndo, (caddr_t)(ext + 1), ntohs(e.len) - 4))
1383 return (u_char *)ext + ntohs(e.len);
1385 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_VID)));
1389 /************************************************************/
1391 /* IKE v2 - rfc4306 - dissector */
1393 /************************************************************/
1396 ikev2_pay_print(netdissect_options *ndo, const char *payname, int critical)
1398 ND_PRINT((ndo,"%s%s:", payname, critical&0x80 ? "[C]" : ""));
1401 static const u_char *
1402 ikev2_gen_print(netdissect_options *ndo, u_char tpay,
1403 const struct isakmp_gen *ext)
1405 struct isakmp_gen e;
1408 safememcpy(&e, ext, sizeof(e));
1409 ikev2_pay_print(ndo, NPSTR(tpay), e.critical);
1411 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
1412 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1413 ND_PRINT((ndo," "));
1414 if (!rawprint(ndo, (caddr_t)(ext + 1), ntohs(e.len) - 4))
1417 return (u_char *)ext + ntohs(e.len);
1419 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
1423 static const u_char *
1424 ikev2_t_print(netdissect_options *ndo, u_char tpay _U_, int pcount,
1425 const struct isakmp_gen *ext, u_int item_len,
1426 const u_char *ep, u_int32_t phase _U_, u_int32_t doi _U_,
1427 u_int32_t proto _U_, int depth _U_)
1429 const struct ikev2_t *p;
1434 const struct attrmap *map;
1438 p = (struct ikev2_t *)ext;
1440 safememcpy(&t, ext, sizeof(t));
1441 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_T), t.h.critical);
1443 t_id = ntohs(t.t_id);
1450 idstr = STR_OR_ID(t_id, esp_p_map);
1452 nmap = sizeof(encr_t_map)/sizeof(encr_t_map[0]);
1456 idstr = STR_OR_ID(t_id, prf_p_map);
1460 idstr = STR_OR_ID(t_id, integ_p_map);
1464 idstr = STR_OR_ID(t_id, dh_p_map);
1468 idstr = STR_OR_ID(t_id, esn_p_map);
1477 ND_PRINT((ndo," #%u type=%s id=%s ", pcount,
1478 STR_OR_ID(t.t_type, ikev2_t_type_map),
1481 ND_PRINT((ndo," #%u type=%s id=%u ", pcount,
1482 STR_OR_ID(t.t_type, ikev2_t_type_map),
1484 cp = (u_char *)(p + 1);
1485 ep2 = (u_char *)p + item_len;
1486 while (cp < ep && cp < ep2) {
1488 cp = ikev1_attrmap_print(ndo, cp, (ep < ep2) ? ep : ep2,
1491 cp = ikev1_attr_print(ndo, cp, (ep < ep2) ? ep : ep2);
1494 ND_PRINT((ndo,"..."));
1497 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_T)));
1501 static const u_char *
1502 ikev2_p_print(netdissect_options *ndo, u_char tpay _U_, int pcount _U_,
1503 const struct isakmp_gen *ext, u_int item_len _U_,
1504 const u_char *ep, u_int32_t phase, u_int32_t doi0,
1505 u_int32_t proto0 _U_, int depth)
1507 const struct ikev2_p *p;
1508 struct ikev2_p prop;
1511 p = (struct ikev2_p *)ext;
1513 safememcpy(&prop, ext, sizeof(prop));
1514 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_P), prop.h.critical);
1516 ND_PRINT((ndo," #%u protoid=%s transform=%d len=%u",
1517 prop.p_no, PROTOIDSTR(prop.prot_id),
1518 prop.num_t, ntohs(prop.h.len)));
1519 if (prop.spi_size) {
1520 ND_PRINT((ndo," spi="));
1521 if (!rawprint(ndo, (caddr_t)(p + 1), prop.spi_size))
1525 ext = (struct isakmp_gen *)((u_char *)(p + 1) + prop.spi_size);
1528 cp = ikev2_sub_print(ndo, NULL, ISAKMP_NPTYPE_T, ext, ep, phase, doi0,
1529 prop.prot_id, depth);
1533 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_P)));
1537 static const u_char *
1538 ikev2_sa_print(netdissect_options *ndo, u_char tpay,
1539 const struct isakmp_gen *ext1,
1540 u_int item_len _U_, const u_char *ep _U_,
1541 u_int32_t phase _U_, u_int32_t doi _U_,
1542 u_int32_t proto _U_, int depth _U_)
1544 struct isakmp_gen e;
1545 int osa_length, sa_length;
1548 safememcpy(&e, ext1, sizeof(e));
1549 ikev2_pay_print(ndo, "sa", e.critical);
1551 osa_length= ntohs(e.len);
1552 sa_length = osa_length - 4;
1553 ND_PRINT((ndo," len=%d", sa_length));
1555 ikev2_sub_print(ndo, NULL, ISAKMP_NPTYPE_P,
1559 return (u_char *)ext1 + osa_length;
1561 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
1565 static const u_char *
1566 ikev2_ke_print(netdissect_options *ndo, u_char tpay,
1567 const struct isakmp_gen *ext,
1568 u_int item_len _U_, const u_char *ep _U_,
1569 u_int32_t phase _U_, u_int32_t doi _U_,
1570 u_int32_t proto _U_, int depth _U_)
1575 k = (struct ikev2_ke *)ext;
1577 safememcpy(&ke, ext, sizeof(ke));
1578 ikev2_pay_print(ndo, NPSTR(tpay), ke.h.critical);
1580 ND_PRINT((ndo," len=%u group=%s", ntohs(ke.h.len) - 8,
1581 STR_OR_ID(ntohs(ke.ke_group), dh_p_map)));
1583 if (2 < ndo->ndo_vflag && 8 < ntohs(ke.h.len)) {
1584 ND_PRINT((ndo," "));
1585 if (!rawprint(ndo, (caddr_t)(k + 1), ntohs(ke.h.len) - 8))
1588 return (u_char *)ext + ntohs(ke.h.len);
1590 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
1594 static const u_char *
1595 ikev2_ID_print(netdissect_options *ndo, u_char tpay,
1596 const struct isakmp_gen *ext,
1597 u_int item_len _U_, const u_char *ep _U_,
1598 u_int32_t phase _U_, u_int32_t doi _U_,
1599 u_int32_t proto _U_, int depth _U_)
1602 int id_len, idtype_len, i;
1603 unsigned int dumpascii, dumphex;
1604 unsigned char *typedata;
1607 safememcpy(&id, ext, sizeof(id));
1608 ikev2_pay_print(ndo, NPSTR(tpay), id.h.critical);
1610 id_len = ntohs(id.h.len);
1612 ND_PRINT((ndo," len=%d", id_len - 4));
1613 if (2 < ndo->ndo_vflag && 4 < id_len) {
1614 ND_PRINT((ndo," "));
1615 if (!rawprint(ndo, (caddr_t)(ext + 1), id_len - 4))
1619 idtype_len =id_len - sizeof(struct ikev2_id);
1622 typedata = (unsigned char *)(ext)+sizeof(struct ikev2_id);
1626 ND_PRINT((ndo, " ipv4:"));
1630 ND_PRINT((ndo, " fqdn:"));
1633 case ID_RFC822_ADDR:
1634 ND_PRINT((ndo, " rfc822:"));
1638 ND_PRINT((ndo, " ipv6:"));
1641 case ID_DER_ASN1_DN:
1642 ND_PRINT((ndo, " dn:"));
1645 case ID_DER_ASN1_GN:
1646 ND_PRINT((ndo, " gn:"));
1650 ND_PRINT((ndo, " keyid:"));
1656 ND_TCHECK2(*typedata, idtype_len);
1657 for(i=0; i<idtype_len; i++) {
1658 if(isprint(typedata[i])) {
1659 ND_PRINT((ndo, "%c", typedata[i]));
1661 ND_PRINT((ndo, "."));
1666 if (!rawprint(ndo, (caddr_t)typedata, idtype_len))
1670 return (u_char *)ext + id_len;
1672 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
1676 static const u_char *
1677 ikev2_cert_print(netdissect_options *ndo, u_char tpay,
1678 const struct isakmp_gen *ext,
1679 u_int item_len _U_, const u_char *ep _U_,
1680 u_int32_t phase _U_, u_int32_t doi _U_,
1681 u_int32_t proto _U_, int depth _U_)
1683 return ikev2_gen_print(ndo, tpay, ext);
1686 static const u_char *
1687 ikev2_cr_print(netdissect_options *ndo, u_char tpay,
1688 const struct isakmp_gen *ext,
1689 u_int item_len _U_, const u_char *ep _U_,
1690 u_int32_t phase _U_, u_int32_t doi _U_,
1691 u_int32_t proto _U_, int depth _U_)
1693 return ikev2_gen_print(ndo, tpay, ext);
1696 static const u_char *
1697 ikev2_auth_print(netdissect_options *ndo, u_char tpay,
1698 const struct isakmp_gen *ext,
1699 u_int item_len _U_, const u_char *ep _U_,
1700 u_int32_t phase _U_, u_int32_t doi _U_,
1701 u_int32_t proto _U_, int depth _U_)
1703 struct ikev2_auth a;
1704 const char *v2_auth[]={ "invalid", "rsasig",
1705 "shared-secret", "dsssig" };
1706 u_char *authdata = (u_char*)ext + sizeof(a);
1710 safememcpy(&a, ext, sizeof(a));
1711 ikev2_pay_print(ndo, NPSTR(tpay), a.h.critical);
1712 len = ntohs(a.h.len);
1714 ND_PRINT((ndo," len=%d method=%s", len-4,
1715 STR_OR_ID(a.auth_method, v2_auth)));
1717 if (1 < ndo->ndo_vflag && 4 < len) {
1718 ND_PRINT((ndo," authdata=("));
1719 if (!rawprint(ndo, (caddr_t)authdata, len - sizeof(a)))
1721 ND_PRINT((ndo,") "));
1722 } else if(ndo->ndo_vflag && 4 < len) {
1723 if(!ike_show_somedata(ndo, authdata, ep)) goto trunc;
1726 return (u_char *)ext + len;
1728 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
1732 static const u_char *
1733 ikev2_nonce_print(netdissect_options *ndo, u_char tpay,
1734 const struct isakmp_gen *ext,
1735 u_int item_len _U_, const u_char *ep _U_,
1736 u_int32_t phase _U_, u_int32_t doi _U_,
1737 u_int32_t proto _U_, int depth _U_)
1739 struct isakmp_gen e;
1742 safememcpy(&e, ext, sizeof(e));
1743 ikev2_pay_print(ndo, "nonce", e.critical);
1745 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
1746 if (1 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1747 ND_PRINT((ndo," nonce=("));
1748 if (!rawprint(ndo, (caddr_t)(ext + 1), ntohs(e.len) - 4))
1750 ND_PRINT((ndo,") "));
1751 } else if(ndo->ndo_vflag && 4 < ntohs(e.len)) {
1752 if(!ike_show_somedata(ndo, (const u_char *)(ext+1), ep)) goto trunc;
1755 return (u_char *)ext + ntohs(e.len);
1757 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
1761 /* notify payloads */
1762 static const u_char *
1763 ikev2_n_print(netdissect_options *ndo, u_char tpay _U_,
1764 const struct isakmp_gen *ext,
1765 u_int item_len _U_, const u_char *ep _U_,
1766 u_int32_t phase _U_, u_int32_t doi _U_,
1767 u_int32_t proto _U_, int depth _U_)
1769 struct ikev2_n *p, n;
1772 u_char showspi, showdata, showsomedata;
1773 const char *notify_name;
1776 p = (struct ikev2_n *)ext;
1778 safememcpy(&n, ext, sizeof(n));
1779 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_N), n.h.critical);
1786 ND_PRINT((ndo," prot_id=%s", PROTOIDSTR(n.prot_id)));
1788 type = ntohs(n.type);
1790 /* notify space is annoying sparse */
1792 case IV2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD:
1793 notify_name = "unsupported_critical_payload";
1797 case IV2_NOTIFY_INVALID_IKE_SPI:
1798 notify_name = "invalid_ike_spi";
1802 case IV2_NOTIFY_INVALID_MAJOR_VERSION:
1803 notify_name = "invalid_major_version";
1807 case IV2_NOTIFY_INVALID_SYNTAX:
1808 notify_name = "invalid_syntax";
1812 case IV2_NOTIFY_INVALID_MESSAGE_ID:
1813 notify_name = "invalid_message_id";
1817 case IV2_NOTIFY_INVALID_SPI:
1818 notify_name = "invalid_spi";
1822 case IV2_NOTIFY_NO_PROPOSAL_CHOSEN:
1823 notify_name = "no_protocol_chosen";
1827 case IV2_NOTIFY_INVALID_KE_PAYLOAD:
1828 notify_name = "invalid_ke_payload";
1832 case IV2_NOTIFY_AUTHENTICATION_FAILED:
1833 notify_name = "authentication_failed";
1837 case IV2_NOTIFY_SINGLE_PAIR_REQUIRED:
1838 notify_name = "single_pair_required";
1842 case IV2_NOTIFY_NO_ADDITIONAL_SAS:
1843 notify_name = "no_additional_sas";
1847 case IV2_NOTIFY_INTERNAL_ADDRESS_FAILURE:
1848 notify_name = "internal_address_failure";
1852 case IV2_NOTIFY_FAILED_CP_REQUIRED:
1853 notify_name = "failed:cp_required";
1857 case IV2_NOTIFY_INVALID_SELECTORS:
1858 notify_name = "invalid_selectors";
1862 case IV2_NOTIFY_INITIAL_CONTACT:
1863 notify_name = "initial_contact";
1867 case IV2_NOTIFY_SET_WINDOW_SIZE:
1868 notify_name = "set_window_size";
1872 case IV2_NOTIFY_ADDITIONAL_TS_POSSIBLE:
1873 notify_name = "additional_ts_possible";
1877 case IV2_NOTIFY_IPCOMP_SUPPORTED:
1878 notify_name = "ipcomp_supported";
1882 case IV2_NOTIFY_NAT_DETECTION_SOURCE_IP:
1883 notify_name = "nat_detection_source_ip";
1887 case IV2_NOTIFY_NAT_DETECTION_DESTINATION_IP:
1888 notify_name = "nat_detection_destination_ip";
1892 case IV2_NOTIFY_COOKIE:
1893 notify_name = "cookie";
1899 case IV2_NOTIFY_USE_TRANSPORT_MODE:
1900 notify_name = "use_transport_mode";
1904 case IV2_NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED:
1905 notify_name = "http_cert_lookup_supported";
1909 case IV2_NOTIFY_REKEY_SA:
1910 notify_name = "rekey_sa";
1914 case IV2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED:
1915 notify_name = "tfc_padding_not_supported";
1919 case IV2_NOTIFY_NON_FIRST_FRAGMENTS_ALSO:
1920 notify_name = "non_first_fragment_also";
1926 notify_name="error";
1927 } else if(type < 16384) {
1928 notify_name="private-error";
1929 } else if(type < 40960) {
1930 notify_name="status";
1932 notify_name="private-status";
1937 ND_PRINT((ndo," type=%u(%s)", type, notify_name));
1941 if (showspi && n.spi_size) {
1942 ND_PRINT((ndo," spi="));
1943 if (!rawprint(ndo, (caddr_t)(p + 1), n.spi_size))
1947 cp = (u_char *)(p + 1) + n.spi_size;
1948 ep2 = (u_char *)p + item_len;
1950 if(3 < ndo->ndo_vflag) {
1954 if ((showdata || (showsomedata && ep-cp < 30)) && cp < ep) {
1955 ND_PRINT((ndo," data=("));
1956 if (!rawprint(ndo, (caddr_t)(cp), ep - cp))
1959 ND_PRINT((ndo,")"));
1961 } else if(showsomedata && cp < ep) {
1962 if(!ike_show_somedata(ndo, cp, ep)) goto trunc;
1965 return (u_char *)ext + item_len;
1967 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_N)));
1971 static const u_char *
1972 ikev2_d_print(netdissect_options *ndo, u_char tpay,
1973 const struct isakmp_gen *ext,
1974 u_int item_len _U_, const u_char *ep _U_,
1975 u_int32_t phase _U_, u_int32_t doi _U_,
1976 u_int32_t proto _U_, int depth _U_)
1978 return ikev2_gen_print(ndo, tpay, ext);
1981 static const u_char *
1982 ikev2_vid_print(netdissect_options *ndo, u_char tpay,
1983 const struct isakmp_gen *ext,
1984 u_int item_len _U_, const u_char *ep _U_,
1985 u_int32_t phase _U_, u_int32_t doi _U_,
1986 u_int32_t proto _U_, int depth _U_)
1988 struct isakmp_gen e;
1993 safememcpy(&e, ext, sizeof(e));
1994 ikev2_pay_print(ndo, NPSTR(tpay), e.critical);
1995 ND_PRINT((ndo," len=%d vid=", ntohs(e.len) - 4));
1997 vid = (const u_char *)(ext+1);
1998 len = ntohs(e.len) - 4;
1999 ND_TCHECK2(*vid, len);
2000 for(i=0; i<len; i++) {
2001 if(isprint(vid[i])) ND_PRINT((ndo, "%c", vid[i]));
2002 else ND_PRINT((ndo, "."));
2004 if (2 < ndo->ndo_vflag && 4 < len) {
2005 ND_PRINT((ndo," "));
2006 if (!rawprint(ndo, (caddr_t)(ext + 1), ntohs(e.len) - 4))
2009 return (u_char *)ext + ntohs(e.len);
2011 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2015 static const u_char *
2016 ikev2_TS_print(netdissect_options *ndo, u_char tpay,
2017 const struct isakmp_gen *ext,
2018 u_int item_len _U_, const u_char *ep _U_,
2019 u_int32_t phase _U_, u_int32_t doi _U_,
2020 u_int32_t proto _U_, int depth _U_)
2022 return ikev2_gen_print(ndo, tpay, ext);
2025 static const u_char *
2026 ikev2_e_print(netdissect_options *ndo,
2027 #ifndef HAVE_LIBCRYPTO
2030 struct isakmp *base,
2032 const struct isakmp_gen *ext,
2033 u_int item_len _U_, const u_char *ep _U_,
2034 #ifndef HAVE_LIBCRYPTO
2038 #ifndef HAVE_LIBCRYPTO
2042 #ifndef HAVE_LIBCRYPTO
2046 #ifndef HAVE_LIBCRYPTO
2051 struct isakmp_gen e;
2056 safememcpy(&e, ext, sizeof(e));
2057 ikev2_pay_print(ndo, NPSTR(tpay), e.critical);
2059 dlen = ntohs(e.len)-4;
2061 ND_PRINT((ndo," len=%d", dlen));
2062 if (2 < ndo->ndo_vflag && 4 < dlen) {
2063 ND_PRINT((ndo," "));
2064 if (!rawprint(ndo, (caddr_t)(ext + 1), dlen))
2068 dat = (u_char *)(ext+1);
2069 ND_TCHECK2(*dat, dlen);
2071 #ifdef HAVE_LIBCRYPTO
2072 /* try to decypt it! */
2073 if(esp_print_decrypt_buffer_by_ikev2(ndo,
2074 base->flags & ISAKMP_FLAG_I,
2075 base->i_ck, base->r_ck,
2078 ext = (const struct isakmp_gen *)ndo->ndo_packetp;
2080 /* got it decrypted, print stuff inside. */
2081 ikev2_sub_print(ndo, base, e.np, ext, ndo->ndo_snapend,
2082 phase, doi, proto, depth+1);
2087 /* always return NULL, because E must be at end, and NP refers
2088 * to what was inside.
2092 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2096 static const u_char *
2097 ikev2_cp_print(netdissect_options *ndo, u_char tpay,
2098 const struct isakmp_gen *ext,
2099 u_int item_len _U_, const u_char *ep _U_,
2100 u_int32_t phase _U_, u_int32_t doi _U_,
2101 u_int32_t proto _U_, int depth _U_)
2103 return ikev2_gen_print(ndo, tpay, ext);
2106 static const u_char *
2107 ikev2_eap_print(netdissect_options *ndo, u_char tpay,
2108 const struct isakmp_gen *ext,
2109 u_int item_len _U_, const u_char *ep _U_,
2110 u_int32_t phase _U_, u_int32_t doi _U_,
2111 u_int32_t proto _U_, int depth _U_)
2113 return ikev2_gen_print(ndo, tpay, ext);
2116 static const u_char *
2117 ike_sub0_print(netdissect_options *ndo,
2118 u_char np, const struct isakmp_gen *ext, const u_char *ep,
2120 u_int32_t phase, u_int32_t doi, u_int32_t proto, int depth)
2123 struct isakmp_gen e;
2128 safememcpy(&e, ext, sizeof(e));
2131 * Since we can't have a payload length of less than 4 bytes,
2132 * we need to bail out here if the generic header is nonsensical
2133 * or truncated, otherwise we could loop forever processing
2134 * zero-length items or otherwise misdissect the packet.
2136 item_len = ntohs(e.len);
2142 * XXX - what if item_len is too short, or too long,
2143 * for this payload type?
2145 cp = (*npfunc[np])(ndo, np, ext, item_len, ep, phase, doi, proto, depth);
2147 ND_PRINT((ndo,"%s", NPSTR(np)));
2153 ND_PRINT((ndo," [|isakmp]"));
2157 static const u_char *
2158 ikev1_sub_print(netdissect_options *ndo,
2159 u_char np, const struct isakmp_gen *ext, const u_char *ep,
2160 u_int32_t phase, u_int32_t doi, u_int32_t proto, int depth)
2164 struct isakmp_gen e;
2166 cp = (const u_char *)ext;
2171 safememcpy(&e, ext, sizeof(e));
2173 ND_TCHECK2(*ext, ntohs(e.len));
2176 ND_PRINT((ndo,"\n"));
2177 for (i = 0; i < depth; i++)
2178 ND_PRINT((ndo," "));
2179 ND_PRINT((ndo,"("));
2180 cp = ike_sub0_print(ndo, np, ext, ep, phase, doi, proto, depth);
2181 ND_PRINT((ndo,")"));
2185 /* Zero-length subitem */
2190 ext = (struct isakmp_gen *)cp;
2194 ND_PRINT((ndo," [|%s]", NPSTR(np)));
2201 static char buf[20];
2202 snprintf(buf, sizeof(buf), "#%d", x);
2207 * some compiler tries to optimize memcpy(), using the alignment constraint
2208 * on the argument pointer type. by using this function, we try to avoid the
2212 safememcpy(void *p, const void *q, size_t l)
2218 ikev1_print(netdissect_options *ndo,
2219 const u_char *bp, u_int length,
2220 const u_char *bp2, struct isakmp *base)
2222 const struct isakmp *p;
2228 p = (const struct isakmp *)bp;
2229 ep = ndo->ndo_snapend;
2231 phase = (*(u_int32_t *)base->msgid == 0) ? 1 : 2;
2233 ND_PRINT((ndo," phase %d", phase));
2235 ND_PRINT((ndo," phase %d/others", phase));
2237 i = cookie_find(&base->i_ck);
2239 if (iszero((u_char *)&base->r_ck, sizeof(base->r_ck))) {
2240 /* the first packet */
2241 ND_PRINT((ndo," I"));
2243 cookie_record(&base->i_ck, bp2);
2245 ND_PRINT((ndo," ?"));
2247 if (bp2 && cookie_isinitiator(i, bp2))
2248 ND_PRINT((ndo," I"));
2249 else if (bp2 && cookie_isresponder(i, bp2))
2250 ND_PRINT((ndo," R"));
2252 ND_PRINT((ndo," ?"));
2255 ND_PRINT((ndo," %s", ETYPESTR(base->etype)));
2257 ND_PRINT((ndo,"[%s%s]", base->flags & ISAKMP_FLAG_E ? "E" : "",
2258 base->flags & ISAKMP_FLAG_C ? "C" : ""));
2261 if (ndo->ndo_vflag) {
2262 const struct isakmp_gen *ext;
2265 ND_PRINT((ndo,":"));
2267 /* regardless of phase... */
2268 if (base->flags & ISAKMP_FLAG_E) {
2270 * encrypted, nothing we can do right now.
2271 * we hope to decrypt the packet in the future...
2273 ND_PRINT((ndo," [encrypted %s]", NPSTR(base->np)));
2278 CHECKLEN(p + 1, base->np);
2280 ext = (struct isakmp_gen *)(p + 1);
2281 ikev1_sub_print(ndo, np, ext, ep, phase, 0, 0, 0);
2285 if (ndo->ndo_vflag) {
2286 if (ntohl(base->len) != length) {
2287 ND_PRINT((ndo," (len mismatch: isakmp %u/ip %u)",
2288 (u_int32_t)ntohl(base->len), length));
2293 static const u_char *
2294 ikev2_sub0_print(netdissect_options *ndo, struct isakmp *base,
2295 u_char np, int pcount,
2296 const struct isakmp_gen *ext, const u_char *ep,
2297 u_int32_t phase, u_int32_t doi, u_int32_t proto, int depth)
2300 struct isakmp_gen e;
2305 safememcpy(&e, ext, sizeof(e));
2308 * Since we can't have a payload length of less than 4 bytes,
2309 * we need to bail out here if the generic header is nonsensical
2310 * or truncated, otherwise we could loop forever processing
2311 * zero-length items or otherwise misdissect the packet.
2313 item_len = ntohs(e.len);
2317 if(np == ISAKMP_NPTYPE_P) {
2318 cp = ikev2_p_print(ndo, np, pcount, ext, item_len,
2319 ep, phase, doi, proto, depth);
2320 } else if(np == ISAKMP_NPTYPE_T) {
2321 cp = ikev2_t_print(ndo, np, pcount, ext, item_len,
2322 ep, phase, doi, proto, depth);
2323 } else if(np == ISAKMP_NPTYPE_v2E) {
2324 cp = ikev2_e_print(ndo, base, np, ext, item_len,
2325 ep, phase, doi, proto, depth);
2326 } else if (NPFUNC(np)) {
2328 * XXX - what if item_len is too short, or too long,
2329 * for this payload type?
2331 cp = (*npfunc[np])(ndo, np, /*pcount,*/ ext, item_len,
2332 ep, phase, doi, proto, depth);
2334 ND_PRINT((ndo,"%s", NPSTR(np)));
2340 ND_PRINT((ndo," [|isakmp]"));
2344 static const u_char *
2345 ikev2_sub_print(netdissect_options *ndo,
2346 struct isakmp *base,
2347 u_char np, const struct isakmp_gen *ext, const u_char *ep,
2348 u_int32_t phase, u_int32_t doi, u_int32_t proto, int depth)
2353 struct isakmp_gen e;
2355 cp = (const u_char *)ext;
2361 safememcpy(&e, ext, sizeof(e));
2363 ND_TCHECK2(*ext, ntohs(e.len));
2366 ND_PRINT((ndo,"\n"));
2367 for (i = 0; i < depth; i++)
2368 ND_PRINT((ndo," "));
2369 ND_PRINT((ndo,"("));
2370 cp = ikev2_sub0_print(ndo, base, np, pcount,
2371 ext, ep, phase, doi, proto, depth);
2372 ND_PRINT((ndo,")"));
2376 /* Zero-length subitem */
2381 ext = (struct isakmp_gen *)cp;
2385 ND_PRINT((ndo," [|%s]", NPSTR(np)));
2390 ikev2_print(netdissect_options *ndo,
2391 const u_char *bp, u_int length,
2392 const u_char *bp2 _U_, struct isakmp *base)
2394 const struct isakmp *p;
2399 p = (const struct isakmp *)bp;
2400 ep = ndo->ndo_snapend;
2402 phase = (*(u_int32_t *)base->msgid == 0) ? 1 : 2;
2404 ND_PRINT((ndo, " parent_sa"));
2406 ND_PRINT((ndo, " child_sa "));
2408 ND_PRINT((ndo, " %s", ETYPESTR(base->etype)));
2410 ND_PRINT((ndo, "[%s%s%s]",
2411 base->flags & ISAKMP_FLAG_I ? "I" : "",
2412 base->flags & ISAKMP_FLAG_V ? "V" : "",
2413 base->flags & ISAKMP_FLAG_R ? "R" : ""));
2416 if (ndo->ndo_vflag) {
2417 const struct isakmp_gen *ext;
2420 ND_PRINT((ndo, ":"));
2422 /* regardless of phase... */
2423 if (base->flags & ISAKMP_FLAG_E) {
2425 * encrypted, nothing we can do right now.
2426 * we hope to decrypt the packet in the future...
2428 ND_PRINT((ndo, " [encrypted %s]", NPSTR(base->np)));
2433 CHECKLEN(p + 1, base->np)
2436 ext = (struct isakmp_gen *)(p + 1);
2437 ikev2_sub_print(ndo, base, np, ext, ep, phase, 0, 0, 0);
2441 if (ndo->ndo_vflag) {
2442 if (ntohl(base->len) != length) {
2443 ND_PRINT((ndo, " (len mismatch: isakmp %u/ip %u)",
2444 (u_int32_t)ntohl(base->len), length));
2450 isakmp_print(netdissect_options *ndo,
2451 const u_char *bp, u_int length,
2454 const struct isakmp *p;
2459 #ifdef HAVE_LIBCRYPTO
2460 /* initialize SAs */
2461 if (ndo->ndo_sa_list_head == NULL) {
2462 if (ndo->ndo_espsecret)
2463 esp_print_decodesecret(ndo);
2467 p = (const struct isakmp *)bp;
2468 ep = ndo->ndo_snapend;
2470 if ((struct isakmp *)ep < p + 1) {
2471 ND_PRINT((ndo,"[|isakmp]"));
2475 safememcpy(&base, p, sizeof(base));
2477 ND_PRINT((ndo,"isakmp"));
2478 major = (base.vers & ISAKMP_VERS_MAJOR)
2479 >> ISAKMP_VERS_MAJOR_SHIFT;
2480 minor = (base.vers & ISAKMP_VERS_MINOR)
2481 >> ISAKMP_VERS_MINOR_SHIFT;
2483 if (ndo->ndo_vflag) {
2484 ND_PRINT((ndo," %d.%d", major, minor));
2487 if (ndo->ndo_vflag) {
2488 ND_PRINT((ndo," msgid "));
2489 hexprint(ndo, (caddr_t)&base.msgid, sizeof(base.msgid));
2492 if (1 < ndo->ndo_vflag) {
2493 ND_PRINT((ndo," cookie "));
2494 hexprint(ndo, (caddr_t)&base.i_ck, sizeof(base.i_ck));
2495 ND_PRINT((ndo,"->"));
2496 hexprint(ndo, (caddr_t)&base.r_ck, sizeof(base.r_ck));
2498 ND_PRINT((ndo,":"));
2501 case IKEv1_MAJOR_VERSION:
2502 ikev1_print(ndo, bp, length, bp2, &base);
2505 case IKEv2_MAJOR_VERSION:
2506 ikev2_print(ndo, bp, length, bp2, &base);
2512 isakmp_rfc3948_print(netdissect_options *ndo,
2513 const u_char *bp, u_int length,
2517 ep = ndo->ndo_snapend;
2519 if(length == 1 && bp[0]==0xff) {
2520 ND_PRINT((ndo, "isakmp-nat-keep-alive"));
2529 * see if this is an IKE packet
2531 if(bp[0]==0 && bp[1]==0 && bp[2]==0 && bp[3]==0) {
2532 ND_PRINT((ndo, "NONESP-encap: "));
2533 isakmp_print(ndo, bp+4, length-4, bp2);
2537 /* must be an ESP packet */
2539 int nh, enh, padlen;
2542 ND_PRINT((ndo, "UDP-encap: "));
2544 advance = esp_print(ndo, bp, length, bp2, &enh, &padlen);
2549 length -= advance + padlen;
2552 ip_print_inner(ndo, bp, length, nh, bp2);
2557 ND_PRINT((ndo,"[|isakmp]"));
2563 * c-style: whitesmith
nant's projects / dragonfly.git / blob