2 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. Neither the name of the project nor the names of its contributors
14 * may be used to endorse or promote products derived from this software
15 * without specific prior written permission.
17 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 /* \summary: Internet Security Association and Key Management Protocol (ISAKMP) printer */
37 /* The functions from print-esp.c used in this file are only defined when both
38 * OpenSSL and evp.h are detected. Employ the same preprocessor device here.
40 #ifndef HAVE_OPENSSL_EVP_H
44 #include <netdissect-stdinc.h>
48 #include "netdissect.h"
49 #include "addrtoname.h"
56 /* refer to RFC 2408 */
58 typedef u_char cookie_t[8];
59 typedef u_char msgid_t[4];
61 #define PORT_ISAKMP 500
63 /* 3.1 ISAKMP Header Format (IKEv1 and IKEv2)
64 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
65 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
68 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
71 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
72 ! Next Payload ! MjVer ! MnVer ! Exchange Type ! Flags !
73 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
75 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
77 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
80 cookie_t i_ck; /* Initiator Cookie */
81 cookie_t r_ck; /* Responder Cookie */
82 uint8_t np; /* Next Payload Type */
84 #define ISAKMP_VERS_MAJOR 0xf0
85 #define ISAKMP_VERS_MAJOR_SHIFT 4
86 #define ISAKMP_VERS_MINOR 0x0f
87 #define ISAKMP_VERS_MINOR_SHIFT 0
88 uint8_t etype; /* Exchange Type */
89 uint8_t flags; /* Flags */
91 uint32_t len; /* Length */
94 /* Next Payload Type */
95 #define ISAKMP_NPTYPE_NONE 0 /* NONE*/
96 #define ISAKMP_NPTYPE_SA 1 /* Security Association */
97 #define ISAKMP_NPTYPE_P 2 /* Proposal */
98 #define ISAKMP_NPTYPE_T 3 /* Transform */
99 #define ISAKMP_NPTYPE_KE 4 /* Key Exchange */
100 #define ISAKMP_NPTYPE_ID 5 /* Identification */
101 #define ISAKMP_NPTYPE_CERT 6 /* Certificate */
102 #define ISAKMP_NPTYPE_CR 7 /* Certificate Request */
103 #define ISAKMP_NPTYPE_HASH 8 /* Hash */
104 #define ISAKMP_NPTYPE_SIG 9 /* Signature */
105 #define ISAKMP_NPTYPE_NONCE 10 /* Nonce */
106 #define ISAKMP_NPTYPE_N 11 /* Notification */
107 #define ISAKMP_NPTYPE_D 12 /* Delete */
108 #define ISAKMP_NPTYPE_VID 13 /* Vendor ID */
109 #define ISAKMP_NPTYPE_v2E 46 /* v2 Encrypted payload */
111 #define IKEv1_MAJOR_VERSION 1
112 #define IKEv1_MINOR_VERSION 0
114 #define IKEv2_MAJOR_VERSION 2
115 #define IKEv2_MINOR_VERSION 0
118 #define ISAKMP_FLAG_E 0x01 /* Encryption Bit */
119 #define ISAKMP_FLAG_C 0x02 /* Commit Bit */
120 #define ISAKMP_FLAG_extra 0x04
123 #define ISAKMP_FLAG_I (1 << 3) /* (I)nitiator */
124 #define ISAKMP_FLAG_V (1 << 4) /* (V)ersion */
125 #define ISAKMP_FLAG_R (1 << 5) /* (R)esponse */
128 /* 3.2 Payload Generic Header
129 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
130 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
131 ! Next Payload ! RESERVED ! Payload Length !
132 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
135 uint8_t np; /* Next Payload */
136 uint8_t critical; /* bit 7 - critical, rest is RESERVED */
137 uint16_t len; /* Payload Length */
140 /* 3.3 Data Attributes
141 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
142 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
143 !A! Attribute Type ! AF=0 Attribute Length !
144 !F! ! AF=1 Attribute Value !
145 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
146 . AF=0 Attribute Value .
147 . AF=1 Not Transmitted .
148 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
151 uint16_t type; /* defined by DOI-spec, and Attribute Format */
152 uint16_t lorv; /* if f equal 1, Attribute Length */
153 /* if f equal 0, Attribute Value */
154 /* if f equal 1, Attribute Value */
157 /* 3.4 Security Association Payload */
158 /* MAY NOT be used, because of being defined in ipsec-doi. */
160 If the current payload is the last in the message,
161 then the value of the next payload field will be 0.
162 This field MUST NOT contain the
163 values for the Proposal or Transform payloads as they are considered
164 part of the security association negotiation. For example, this
165 field would contain the value "10" (Nonce payload) in the first
166 message of a Base Exchange (see Section 4.4) and the value "0" in the
167 first message of an Identity Protect Exchange (see Section 4.5).
171 uint32_t doi; /* Domain of Interpretation */
172 uint32_t sit; /* Situation */
175 /* 3.5 Proposal Payload */
177 The value of the next payload field MUST only contain the value "2"
178 or "0". If there are additional Proposal payloads in the message,
179 then this field will be 2. If the current Proposal payload is the
180 last within the security association proposal, then this field will
185 uint8_t p_no; /* Proposal # */
186 uint8_t prot_id; /* Protocol */
187 uint8_t spi_size; /* SPI Size */
188 uint8_t num_t; /* Number of Transforms */
192 /* 3.6 Transform Payload */
194 The value of the next payload field MUST only contain the value "3"
195 or "0". If there are additional Transform payloads in the proposal,
196 then this field will be 3. If the current Transform payload is the
197 last within the proposal, then this field will be 0.
201 uint8_t t_no; /* Transform # */
202 uint8_t t_id; /* Transform-Id */
203 uint16_t reserved; /* RESERVED2 */
207 /* 3.7 Key Exchange Payload */
210 /* Key Exchange Data */
213 /* 3.8 Identification Payload */
214 /* MUST NOT to be used, because of being defined in ipsec-doi. */
218 uint8_t id_type; /* ID Type */
219 uint32_t doi_data; /* DOI Specific ID Data */
221 /* Identification Data */
224 /* 3.9 Certificate Payload */
225 struct ikev1_pl_cert {
227 uint8_t encode; /* Cert Encoding */
228 char cert; /* Certificate Data */
230 This field indicates the type of
231 certificate or certificate-related information contained in the
232 Certificate Data field.
236 /* 3.10 Certificate Request Payload */
239 uint8_t num_cert; /* # Cert. Types */
241 Certificate Types (variable length)
242 -- Contains a list of the types of certificates requested,
243 sorted in order of preference. Each individual certificate
244 type is 1 octet. This field is NOT requiredo
246 /* # Certificate Authorities (1 octet) */
247 /* Certificate Authorities (variable length) */
250 /* 3.11 Hash Payload */
251 /* may not be used, because of having only data. */
252 struct ikev1_pl_hash {
257 /* 3.12 Signature Payload */
258 /* may not be used, because of having only data. */
259 struct ikev1_pl_sig {
264 /* 3.13 Nonce Payload */
265 /* may not be used, because of having only data. */
266 struct ikev1_pl_nonce {
271 /* 3.14 Notification Payload */
274 uint32_t doi; /* Domain of Interpretation */
275 uint8_t prot_id; /* Protocol-ID */
276 uint8_t spi_size; /* SPI Size */
277 uint16_t type; /* Notify Message Type */
279 /* Notification Data */
282 /* 3.14.1 Notify Message Types */
283 /* NOTIFY MESSAGES - ERROR TYPES */
284 #define ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE 1
285 #define ISAKMP_NTYPE_DOI_NOT_SUPPORTED 2
286 #define ISAKMP_NTYPE_SITUATION_NOT_SUPPORTED 3
287 #define ISAKMP_NTYPE_INVALID_COOKIE 4
288 #define ISAKMP_NTYPE_INVALID_MAJOR_VERSION 5
289 #define ISAKMP_NTYPE_INVALID_MINOR_VERSION 6
290 #define ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE 7
291 #define ISAKMP_NTYPE_INVALID_FLAGS 8
292 #define ISAKMP_NTYPE_INVALID_MESSAGE_ID 9
293 #define ISAKMP_NTYPE_INVALID_PROTOCOL_ID 10
294 #define ISAKMP_NTYPE_INVALID_SPI 11
295 #define ISAKMP_NTYPE_INVALID_TRANSFORM_ID 12
296 #define ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED 13
297 #define ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN 14
298 #define ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX 15
299 #define ISAKMP_NTYPE_PAYLOAD_MALFORMED 16
300 #define ISAKMP_NTYPE_INVALID_KEY_INFORMATION 17
301 #define ISAKMP_NTYPE_INVALID_ID_INFORMATION 18
302 #define ISAKMP_NTYPE_INVALID_CERT_ENCODING 19
303 #define ISAKMP_NTYPE_INVALID_CERTIFICATE 20
304 #define ISAKMP_NTYPE_BAD_CERT_REQUEST_SYNTAX 21
305 #define ISAKMP_NTYPE_INVALID_CERT_AUTHORITY 22
306 #define ISAKMP_NTYPE_INVALID_HASH_INFORMATION 23
307 #define ISAKMP_NTYPE_AUTHENTICATION_FAILED 24
308 #define ISAKMP_NTYPE_INVALID_SIGNATURE 25
309 #define ISAKMP_NTYPE_ADDRESS_NOTIFICATION 26
311 /* 3.15 Delete Payload */
314 uint32_t doi; /* Domain of Interpretation */
315 uint8_t prot_id; /* Protocol-Id */
316 uint8_t spi_size; /* SPI Size */
317 uint16_t num_spi; /* # of SPIs */
321 struct ikev1_ph1tab {
322 struct ikev1_ph1 *head;
323 struct ikev1_ph1 *tail;
327 struct isakmp_ph2tab {
328 struct ikev1_ph2 *head;
329 struct ikev1_ph2 *tail;
333 /* IKEv2 (RFC4306) */
335 /* 3.3 Security Association Payload -- generic header */
336 /* 3.3.1. Proposal Substructure */
339 uint8_t p_no; /* Proposal # */
340 uint8_t prot_id; /* Protocol */
341 uint8_t spi_size; /* SPI Size */
342 uint8_t num_t; /* Number of Transforms */
345 /* 3.3.2. Transform Substructure */
348 uint8_t t_type; /* Transform Type (ENCR,PRF,INTEG,etc.*/
349 uint8_t res2; /* reserved byte */
350 uint16_t t_id; /* Transform ID */
361 /* 3.4. Key Exchange Payload */
370 /* 3.5. Identification Payloads */
382 uint8_t type; /* ID type */
386 /* Notification Data */
389 /* 3.10 Notification Payload */
392 uint8_t prot_id; /* Protocol-ID */
393 uint8_t spi_size; /* SPI Size */
394 uint16_t type; /* Notify Message Type */
398 IV2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD = 1,
399 IV2_NOTIFY_INVALID_IKE_SPI = 4,
400 IV2_NOTIFY_INVALID_MAJOR_VERSION = 5,
401 IV2_NOTIFY_INVALID_SYNTAX = 7,
402 IV2_NOTIFY_INVALID_MESSAGE_ID = 9,
403 IV2_NOTIFY_INVALID_SPI =11,
404 IV2_NOTIFY_NO_PROPOSAL_CHOSEN =14,
405 IV2_NOTIFY_INVALID_KE_PAYLOAD =17,
406 IV2_NOTIFY_AUTHENTICATION_FAILED =24,
407 IV2_NOTIFY_SINGLE_PAIR_REQUIRED =34,
408 IV2_NOTIFY_NO_ADDITIONAL_SAS =35,
409 IV2_NOTIFY_INTERNAL_ADDRESS_FAILURE =36,
410 IV2_NOTIFY_FAILED_CP_REQUIRED =37,
411 IV2_NOTIFY_INVALID_SELECTORS =39,
412 IV2_NOTIFY_INITIAL_CONTACT =16384,
413 IV2_NOTIFY_SET_WINDOW_SIZE =16385,
414 IV2_NOTIFY_ADDITIONAL_TS_POSSIBLE =16386,
415 IV2_NOTIFY_IPCOMP_SUPPORTED =16387,
416 IV2_NOTIFY_NAT_DETECTION_SOURCE_IP =16388,
417 IV2_NOTIFY_NAT_DETECTION_DESTINATION_IP =16389,
418 IV2_NOTIFY_COOKIE =16390,
419 IV2_NOTIFY_USE_TRANSPORT_MODE =16391,
420 IV2_NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED =16392,
421 IV2_NOTIFY_REKEY_SA =16393,
422 IV2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED =16394,
423 IV2_NOTIFY_NON_FIRST_FRAGMENTS_ALSO =16395
426 struct notify_messages {
431 /* 3.8 Authentication Payload */
434 uint8_t auth_method; /* Protocol-ID */
436 /* authentication data */
439 enum ikev2_auth_type {
445 /* refer to RFC 2409 */
448 /* isakmp sa structure */
450 uint8_t proto_id; /* OAKLEY */
451 vchar_t *spi; /* spi */
452 uint8_t dhgrp; /* DH; group */
453 uint8_t auth_t; /* method of authentication */
454 uint8_t prf_t; /* type of prf */
455 uint8_t hash_t; /* type of hash */
456 uint8_t enc_t; /* type of cipher */
457 uint8_t life_t; /* type of duration of lifetime */
458 uint32_t ldur; /* life duration */
462 /* refer to RFC 2407 */
466 /* 4.2 IPSEC Situation Definition */
467 #define IPSECDOI_SIT_IDENTITY_ONLY 0x00000001
468 #define IPSECDOI_SIT_SECRECY 0x00000002
469 #define IPSECDOI_SIT_INTEGRITY 0x00000004
471 /* 4.4.1 IPSEC Security Protocol Identifiers */
472 /* 4.4.2 IPSEC ISAKMP Transform Values */
473 #define IPSECDOI_PROTO_ISAKMP 1
474 #define IPSECDOI_KEY_IKE 1
476 /* 4.4.1 IPSEC Security Protocol Identifiers */
477 #define IPSECDOI_PROTO_IPSEC_AH 2
478 /* 4.4.3 IPSEC AH Transform Values */
479 #define IPSECDOI_AH_MD5 2
480 #define IPSECDOI_AH_SHA 3
481 #define IPSECDOI_AH_DES 4
482 #define IPSECDOI_AH_SHA2_256 5
483 #define IPSECDOI_AH_SHA2_384 6
484 #define IPSECDOI_AH_SHA2_512 7
486 /* 4.4.1 IPSEC Security Protocol Identifiers */
487 #define IPSECDOI_PROTO_IPSEC_ESP 3
488 /* 4.4.4 IPSEC ESP Transform Identifiers */
489 #define IPSECDOI_ESP_DES_IV64 1
490 #define IPSECDOI_ESP_DES 2
491 #define IPSECDOI_ESP_3DES 3
492 #define IPSECDOI_ESP_RC5 4
493 #define IPSECDOI_ESP_IDEA 5
494 #define IPSECDOI_ESP_CAST 6
495 #define IPSECDOI_ESP_BLOWFISH 7
496 #define IPSECDOI_ESP_3IDEA 8
497 #define IPSECDOI_ESP_DES_IV32 9
498 #define IPSECDOI_ESP_RC4 10
499 #define IPSECDOI_ESP_NULL 11
500 #define IPSECDOI_ESP_RIJNDAEL 12
501 #define IPSECDOI_ESP_AES 12
503 /* 4.4.1 IPSEC Security Protocol Identifiers */
504 #define IPSECDOI_PROTO_IPCOMP 4
505 /* 4.4.5 IPSEC IPCOMP Transform Identifiers */
506 #define IPSECDOI_IPCOMP_OUI 1
507 #define IPSECDOI_IPCOMP_DEFLATE 2
508 #define IPSECDOI_IPCOMP_LZS 3
510 /* 4.5 IPSEC Security Association Attributes */
511 #define IPSECDOI_ATTR_SA_LTYPE 1 /* B */
512 #define IPSECDOI_ATTR_SA_LTYPE_DEFAULT 1
513 #define IPSECDOI_ATTR_SA_LTYPE_SEC 1
514 #define IPSECDOI_ATTR_SA_LTYPE_KB 2
515 #define IPSECDOI_ATTR_SA_LDUR 2 /* V */
516 #define IPSECDOI_ATTR_SA_LDUR_DEFAULT 28800 /* 8 hours */
517 #define IPSECDOI_ATTR_GRP_DESC 3 /* B */
518 #define IPSECDOI_ATTR_ENC_MODE 4 /* B */
519 /* default value: host dependent */
520 #define IPSECDOI_ATTR_ENC_MODE_TUNNEL 1
521 #define IPSECDOI_ATTR_ENC_MODE_TRNS 2
522 #define IPSECDOI_ATTR_AUTH 5 /* B */
523 /* 0 means not to use authentication. */
524 #define IPSECDOI_ATTR_AUTH_HMAC_MD5 1
525 #define IPSECDOI_ATTR_AUTH_HMAC_SHA1 2
526 #define IPSECDOI_ATTR_AUTH_DES_MAC 3
527 #define IPSECDOI_ATTR_AUTH_KPDK 4 /*RFC-1826(Key/Pad/Data/Key)*/
529 * When negotiating ESP without authentication, the Auth
530 * Algorithm attribute MUST NOT be included in the proposal.
531 * When negotiating ESP without confidentiality, the Auth
532 * Algorithm attribute MUST be included in the proposal and
533 * the ESP transform ID must be ESP_NULL.
535 #define IPSECDOI_ATTR_KEY_LENGTH 6 /* B */
536 #define IPSECDOI_ATTR_KEY_ROUNDS 7 /* B */
537 #define IPSECDOI_ATTR_COMP_DICT_SIZE 8 /* B */
538 #define IPSECDOI_ATTR_COMP_PRIVALG 9 /* V */
540 /* 4.6.1 Security Association Payload */
543 uint32_t doi; /* Domain of Interpretation */
544 uint32_t sit; /* Situation */
547 struct ipsecdoi_secrecy_h {
552 /* 4.6.2.1 Identification Type Values */
555 uint8_t type; /* ID Type */
556 uint8_t proto_id; /* Protocol ID */
557 uint16_t port; /* Port */
558 /* Identification Data */
561 #define IPSECDOI_ID_IPV4_ADDR 1
562 #define IPSECDOI_ID_FQDN 2
563 #define IPSECDOI_ID_USER_FQDN 3
564 #define IPSECDOI_ID_IPV4_ADDR_SUBNET 4
565 #define IPSECDOI_ID_IPV6_ADDR 5
566 #define IPSECDOI_ID_IPV6_ADDR_SUBNET 6
567 #define IPSECDOI_ID_IPV4_ADDR_RANGE 7
568 #define IPSECDOI_ID_IPV6_ADDR_RANGE 8
569 #define IPSECDOI_ID_DER_ASN1_DN 9
570 #define IPSECDOI_ID_DER_ASN1_GN 10
571 #define IPSECDOI_ID_KEY_ID 11
573 /* 4.6.3 IPSEC DOI Notify Message Types */
574 /* Notify Messages - Status Types */
575 #define IPSECDOI_NTYPE_RESPONDER_LIFETIME 24576
576 #define IPSECDOI_NTYPE_REPLAY_STATUS 24577
577 #define IPSECDOI_NTYPE_INITIAL_CONTACT 24578
579 #define DECLARE_PRINTER(func) static const u_char *ike##func##_print( \
580 netdissect_options *ndo, u_char tpay, \
581 const struct isakmp_gen *ext, \
583 const u_char *end_pointer, \
586 uint32_t proto0, int depth)
588 DECLARE_PRINTER(v1_sa);
589 DECLARE_PRINTER(v1_p);
590 DECLARE_PRINTER(v1_t);
591 DECLARE_PRINTER(v1_ke);
592 DECLARE_PRINTER(v1_id);
593 DECLARE_PRINTER(v1_cert);
594 DECLARE_PRINTER(v1_cr);
595 DECLARE_PRINTER(v1_sig);
596 DECLARE_PRINTER(v1_hash);
597 DECLARE_PRINTER(v1_nonce);
598 DECLARE_PRINTER(v1_n);
599 DECLARE_PRINTER(v1_d);
600 DECLARE_PRINTER(v1_vid);
602 DECLARE_PRINTER(v2_sa);
603 DECLARE_PRINTER(v2_ke);
604 DECLARE_PRINTER(v2_ID);
605 DECLARE_PRINTER(v2_cert);
606 DECLARE_PRINTER(v2_cr);
607 DECLARE_PRINTER(v2_auth);
608 DECLARE_PRINTER(v2_nonce);
609 DECLARE_PRINTER(v2_n);
610 DECLARE_PRINTER(v2_d);
611 DECLARE_PRINTER(v2_vid);
612 DECLARE_PRINTER(v2_TS);
613 DECLARE_PRINTER(v2_cp);
614 DECLARE_PRINTER(v2_eap);
616 static const u_char *ikev2_e_print(netdissect_options *ndo,
619 const struct isakmp_gen *ext,
621 const u_char *end_pointer,
624 uint32_t proto0, int depth);
627 static const u_char *ike_sub0_print(netdissect_options *ndo,u_char, const struct isakmp_gen *,
628 const u_char *, uint32_t, uint32_t, uint32_t, int);
629 static const u_char *ikev1_sub_print(netdissect_options *ndo,u_char, const struct isakmp_gen *,
630 const u_char *, uint32_t, uint32_t, uint32_t, int);
632 static const u_char *ikev2_sub_print(netdissect_options *ndo,
634 u_char np, const struct isakmp_gen *ext,
635 const u_char *ep, uint32_t phase,
636 uint32_t doi, uint32_t proto,
640 static char *numstr(int);
643 ikev1_print(netdissect_options *ndo,
644 const u_char *bp, u_int length,
645 const u_char *bp2, struct isakmp *base);
647 #define MAXINITIATORS 20
648 static int ninitiator = 0;
656 union inaddr_u iaddr;
657 union inaddr_u raddr;
658 } cookiecache[MAXINITIATORS];
661 static const char *protoidstr[] = {
662 NULL, "isakmp", "ipsec-ah", "ipsec-esp", "ipcomp",
666 static const char *npstr[] = {
667 "none", "sa", "p", "t", "ke", "id", "cert", "cr", "hash", /* 0 - 8 */
668 "sig", "nonce", "n", "d", "vid", /* 9 - 13 */
669 "pay14", "pay15", "pay16", "pay17", "pay18", /* 14- 18 */
670 "pay19", "pay20", "pay21", "pay22", "pay23", /* 19- 23 */
671 "pay24", "pay25", "pay26", "pay27", "pay28", /* 24- 28 */
672 "pay29", "pay30", "pay31", "pay32", /* 29- 32 */
673 "v2sa", "v2ke", "v2IDi", "v2IDr", "v2cert",/* 33- 37 */
674 "v2cr", "v2auth","v2nonce", "v2n", "v2d", /* 38- 42 */
675 "v2vid", "v2TSi", "v2TSr", "v2e", "v2cp", /* 43- 47 */
681 static const u_char *(*npfunc[])(netdissect_options *ndo, u_char tpay,
682 const struct isakmp_gen *ext,
684 const u_char *end_pointer,
687 uint32_t proto0, int depth) = {
701 ikev1_vid_print, /* 13 */
702 NULL, NULL, NULL, NULL, NULL, /* 14- 18 */
703 NULL, NULL, NULL, NULL, NULL, /* 19- 23 */
704 NULL, NULL, NULL, NULL, NULL, /* 24- 28 */
705 NULL, NULL, NULL, NULL, /* 29- 32 */
706 ikev2_sa_print, /* 33 */
707 ikev2_ke_print, /* 34 */
708 ikev2_ID_print, /* 35 */
709 ikev2_ID_print, /* 36 */
710 ikev2_cert_print, /* 37 */
711 ikev2_cr_print, /* 38 */
712 ikev2_auth_print, /* 39 */
713 ikev2_nonce_print, /* 40 */
714 ikev2_n_print, /* 41 */
715 ikev2_d_print, /* 42 */
716 ikev2_vid_print, /* 43 */
717 ikev2_TS_print, /* 44 */
718 ikev2_TS_print, /* 45 */
719 NULL, /* ikev2_e_print,*/ /* 46 - special */
720 ikev2_cp_print, /* 47 */
721 ikev2_eap_print, /* 48 */
725 static const char *etypestr[] = {
726 /* IKEv1 exchange types */
727 "none", "base", "ident", "auth", "agg", "inf", NULL, NULL, /* 0-7 */
728 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 8-15 */
729 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 16-23 */
730 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 24-31 */
731 "oakley-quick", "oakley-newgroup", /* 32-33 */
732 /* IKEv2 exchange types */
733 "ikev2_init", "ikev2_auth", "child_sa", "inf2" /* 34-37 */
736 #define STR_OR_ID(x, tab) \
737 (((x) < sizeof(tab)/sizeof(tab[0]) && tab[(x)]) ? tab[(x)] : numstr(x))
738 #define PROTOIDSTR(x) STR_OR_ID(x, protoidstr)
739 #define NPSTR(x) STR_OR_ID(x, npstr)
740 #define ETYPESTR(x) STR_OR_ID(x, etypestr)
742 #define CHECKLEN(p, np) \
743 if (ep < (const u_char *)(p)) { \
744 ND_PRINT((ndo," [|%s]", NPSTR(np))); \
750 (((x) < sizeof(npfunc)/sizeof(npfunc[0]) && npfunc[(x)]) \
751 ? npfunc[(x)] : NULL)
754 iszero(const u_char *p, size_t l)
763 /* find cookie from initiator cache */
765 cookie_find(cookie_t *in)
769 for (i = 0; i < MAXINITIATORS; i++) {
770 if (memcmp(in, &cookiecache[i].initiator, sizeof(*in)) == 0)
777 /* record initiator */
779 cookie_record(cookie_t *in, const u_char *bp2)
783 const struct ip6_hdr *ip6;
787 ninitiator = (i + 1) % MAXINITIATORS;
791 ip = (const struct ip *)bp2;
794 cookiecache[ninitiator].version = 4;
795 UNALIGNED_MEMCPY(&cookiecache[ninitiator].iaddr.in4, &ip->ip_src, sizeof(struct in_addr));
796 UNALIGNED_MEMCPY(&cookiecache[ninitiator].raddr.in4, &ip->ip_dst, sizeof(struct in_addr));
799 ip6 = (const struct ip6_hdr *)bp2;
800 cookiecache[ninitiator].version = 6;
801 UNALIGNED_MEMCPY(&cookiecache[ninitiator].iaddr.in6, &ip6->ip6_src, sizeof(struct in6_addr));
802 UNALIGNED_MEMCPY(&cookiecache[ninitiator].raddr.in6, &ip6->ip6_dst, sizeof(struct in6_addr));
807 UNALIGNED_MEMCPY(&cookiecache[ninitiator].initiator, in, sizeof(*in));
808 ninitiator = (ninitiator + 1) % MAXINITIATORS;
811 #define cookie_isinitiator(x, y) cookie_sidecheck((x), (y), 1)
812 #define cookie_isresponder(x, y) cookie_sidecheck((x), (y), 0)
814 cookie_sidecheck(int i, const u_char *bp2, int initiator)
817 const struct ip6_hdr *ip6;
819 ip = (const struct ip *)bp2;
822 if (cookiecache[i].version != 4)
825 if (UNALIGNED_MEMCMP(&ip->ip_src, &cookiecache[i].iaddr.in4, sizeof(struct in_addr)) == 0)
828 if (UNALIGNED_MEMCMP(&ip->ip_src, &cookiecache[i].raddr.in4, sizeof(struct in_addr)) == 0)
833 if (cookiecache[i].version != 6)
835 ip6 = (const struct ip6_hdr *)bp2;
837 if (UNALIGNED_MEMCMP(&ip6->ip6_src, &cookiecache[i].iaddr.in6, sizeof(struct in6_addr)) == 0)
840 if (UNALIGNED_MEMCMP(&ip6->ip6_src, &cookiecache[i].raddr.in6, sizeof(struct in6_addr)) == 0)
852 hexprint(netdissect_options *ndo, const uint8_t *loc, size_t len)
858 for (i = 0; i < len; i++)
859 ND_PRINT((ndo,"%02x", p[i] & 0xff));
863 rawprint(netdissect_options *ndo, const uint8_t *loc, size_t len)
865 ND_TCHECK2(*loc, len);
867 hexprint(ndo, loc, len);
875 * returns false if we run out of data buffer
877 static int ike_show_somedata(netdissect_options *ndo,
878 const u_char *cp, const u_char *ep)
880 /* there is too much data, just show some of it */
881 const u_char *end = ep - 20;
888 /* really shouldn't happen because of above */
894 ND_PRINT((ndo," data=("));
895 if(!rawprint(ndo, (const uint8_t *)(cp), len)) goto trunc;
896 ND_PRINT((ndo, "..."));
898 if(!rawprint(ndo, (const uint8_t *)(end), elen)) goto trunc;
910 const char *value[30]; /*XXX*/
913 static const u_char *
914 ikev1_attrmap_print(netdissect_options *ndo,
915 const u_char *p, const u_char *ep2,
916 const struct attrmap *map, size_t nmap)
925 ND_TCHECK_16BITS(&p[2]);
926 totlen = 4 + EXTRACT_16BITS(&p[2]);
928 if (ep2 < p + totlen) {
929 ND_PRINT((ndo,"[|attr]"));
933 ND_TCHECK_16BITS(&p[0]);
935 t = EXTRACT_16BITS(&p[0]) & 0x7fff;
936 if (map && t < nmap && map[t].type)
937 ND_PRINT((ndo,"type=%s ", map[t].type));
939 ND_PRINT((ndo,"type=#%d ", t));
941 ND_PRINT((ndo,"value="));
942 ND_TCHECK_16BITS(&p[2]);
943 v = EXTRACT_16BITS(&p[2]);
944 if (map && t < nmap && v < map[t].nvalue && map[t].value[v])
945 ND_PRINT((ndo,"%s", map[t].value[v]));
947 if (!rawprint(ndo, (const uint8_t *)&p[2], 2)) {
953 ND_PRINT((ndo,"len=%d value=", totlen - 4));
954 if (!rawprint(ndo, (const uint8_t *)&p[4], totlen - 4)) {
966 static const u_char *
967 ikev1_attr_print(netdissect_options *ndo, const u_char *p, const u_char *ep2)
976 ND_TCHECK_16BITS(&p[2]);
977 totlen = 4 + EXTRACT_16BITS(&p[2]);
979 if (ep2 < p + totlen) {
980 ND_PRINT((ndo,"[|attr]"));
984 ND_TCHECK_16BITS(&p[0]);
986 t = EXTRACT_16BITS(&p[0]) & 0x7fff;
987 ND_PRINT((ndo,"type=#%d ", t));
989 ND_PRINT((ndo,"value="));
991 if (!rawprint(ndo, (const uint8_t *)&p[2], 2)) {
996 ND_PRINT((ndo,"len=%d value=", totlen - 4));
997 if (!rawprint(ndo, (const uint8_t *)&p[4], totlen - 4)) {
1002 ND_PRINT((ndo,")"));
1009 static const u_char *
1010 ikev1_sa_print(netdissect_options *ndo, u_char tpay _U_,
1011 const struct isakmp_gen *ext,
1013 const u_char *ep, uint32_t phase, uint32_t doi0 _U_,
1014 uint32_t proto0, int depth)
1016 const struct ikev1_pl_sa *p;
1017 struct ikev1_pl_sa sa;
1018 uint32_t doi, sit, ident;
1019 const u_char *cp, *np;
1022 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_SA)));
1024 p = (const struct ikev1_pl_sa *)ext;
1026 UNALIGNED_MEMCPY(&sa, ext, sizeof(sa));
1027 doi = ntohl(sa.doi);
1028 sit = ntohl(sa.sit);
1030 ND_PRINT((ndo," doi=%d", doi));
1031 ND_PRINT((ndo," situation=%u", (uint32_t)ntohl(sa.sit)));
1032 return (const u_char *)(p + 1);
1035 ND_PRINT((ndo," doi=ipsec"));
1036 ND_PRINT((ndo," situation="));
1039 ND_PRINT((ndo,"identity"));
1043 ND_PRINT((ndo,"%ssecrecy", t ? "+" : ""));
1047 ND_PRINT((ndo,"%sintegrity", t ? "+" : ""));
1049 np = (const u_char *)ext + sizeof(sa);
1051 ND_TCHECK2(*(ext + 1), sizeof(ident));
1052 UNALIGNED_MEMCPY(&ident, ext + 1, sizeof(ident));
1053 ND_PRINT((ndo," ident=%u", (uint32_t)ntohl(ident)));
1054 np += sizeof(ident);
1057 ext = (const struct isakmp_gen *)np;
1060 cp = ikev1_sub_print(ndo, ISAKMP_NPTYPE_P, ext, ep, phase, doi, proto0,
1065 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_SA)));
1069 static const u_char *
1070 ikev1_p_print(netdissect_options *ndo, u_char tpay _U_,
1071 const struct isakmp_gen *ext, u_int item_len _U_,
1072 const u_char *ep, uint32_t phase, uint32_t doi0,
1073 uint32_t proto0 _U_, int depth)
1075 const struct ikev1_pl_p *p;
1076 struct ikev1_pl_p prop;
1079 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_P)));
1081 p = (const struct ikev1_pl_p *)ext;
1083 UNALIGNED_MEMCPY(&prop, ext, sizeof(prop));
1084 ND_PRINT((ndo," #%d protoid=%s transform=%d",
1085 prop.p_no, PROTOIDSTR(prop.prot_id), prop.num_t));
1086 if (prop.spi_size) {
1087 ND_PRINT((ndo," spi="));
1088 if (!rawprint(ndo, (const uint8_t *)(p + 1), prop.spi_size))
1092 ext = (const struct isakmp_gen *)((const u_char *)(p + 1) + prop.spi_size);
1095 cp = ikev1_sub_print(ndo, ISAKMP_NPTYPE_T, ext, ep, phase, doi0,
1096 prop.prot_id, depth);
1100 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_P)));
1104 static const char *ikev1_p_map[] = {
1108 static const char *ikev2_t_type_map[]={
1109 NULL, "encr", "prf", "integ", "dh", "esn"
1112 static const char *ah_p_map[] = {
1113 NULL, "(reserved)", "md5", "sha", "1des",
1114 "sha2-256", "sha2-384", "sha2-512",
1117 static const char *prf_p_map[] = {
1118 NULL, "hmac-md5", "hmac-sha", "hmac-tiger",
1122 static const char *integ_p_map[] = {
1123 NULL, "hmac-md5", "hmac-sha", "dec-mac",
1124 "kpdk-md5", "aes-xcbc"
1127 static const char *esn_p_map[] = {
1131 static const char *dh_p_map[] = {
1133 "modp1024", /* group 2 */
1134 "EC2N 2^155", /* group 3 */
1135 "EC2N 2^185", /* group 4 */
1136 "modp1536", /* group 5 */
1137 "iana-grp06", "iana-grp07", /* reserved */
1138 "iana-grp08", "iana-grp09",
1139 "iana-grp10", "iana-grp11",
1140 "iana-grp12", "iana-grp13",
1141 "modp2048", /* group 14 */
1142 "modp3072", /* group 15 */
1143 "modp4096", /* group 16 */
1144 "modp6144", /* group 17 */
1145 "modp8192", /* group 18 */
1148 static const char *esp_p_map[] = {
1149 NULL, "1des-iv64", "1des", "3des", "rc5", "idea", "cast",
1150 "blowfish", "3idea", "1des-iv32", "rc4", "null", "aes"
1153 static const char *ipcomp_p_map[] = {
1154 NULL, "oui", "deflate", "lzs",
1157 static const struct attrmap ipsec_t_map[] = {
1158 { NULL, 0, { NULL } },
1159 { "lifetype", 3, { NULL, "sec", "kb", }, },
1160 { "life", 0, { NULL } },
1161 { "group desc", 18, { NULL, "modp768",
1162 "modp1024", /* group 2 */
1163 "EC2N 2^155", /* group 3 */
1164 "EC2N 2^185", /* group 4 */
1165 "modp1536", /* group 5 */
1166 "iana-grp06", "iana-grp07", /* reserved */
1167 "iana-grp08", "iana-grp09",
1168 "iana-grp10", "iana-grp11",
1169 "iana-grp12", "iana-grp13",
1170 "modp2048", /* group 14 */
1171 "modp3072", /* group 15 */
1172 "modp4096", /* group 16 */
1173 "modp6144", /* group 17 */
1174 "modp8192", /* group 18 */
1176 { "enc mode", 3, { NULL, "tunnel", "transport", }, },
1177 { "auth", 5, { NULL, "hmac-md5", "hmac-sha1", "1des-mac", "keyed", }, },
1178 { "keylen", 0, { NULL } },
1179 { "rounds", 0, { NULL } },
1180 { "dictsize", 0, { NULL } },
1181 { "privalg", 0, { NULL } },
1184 static const struct attrmap encr_t_map[] = {
1185 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 0, 1 */
1186 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 2, 3 */
1187 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 4, 5 */
1188 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 6, 7 */
1189 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 8, 9 */
1190 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 10,11*/
1191 { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 12,13*/
1192 { "keylen", 14, { NULL }},
1195 static const struct attrmap oakley_t_map[] = {
1196 { NULL, 0, { NULL } },
1197 { "enc", 8, { NULL, "1des", "idea", "blowfish", "rc5",
1198 "3des", "cast", "aes", }, },
1199 { "hash", 7, { NULL, "md5", "sha1", "tiger",
1200 "sha2-256", "sha2-384", "sha2-512", }, },
1201 { "auth", 6, { NULL, "preshared", "dss", "rsa sig", "rsa enc",
1202 "rsa enc revised", }, },
1203 { "group desc", 18, { NULL, "modp768",
1204 "modp1024", /* group 2 */
1205 "EC2N 2^155", /* group 3 */
1206 "EC2N 2^185", /* group 4 */
1207 "modp1536", /* group 5 */
1208 "iana-grp06", "iana-grp07", /* reserved */
1209 "iana-grp08", "iana-grp09",
1210 "iana-grp10", "iana-grp11",
1211 "iana-grp12", "iana-grp13",
1212 "modp2048", /* group 14 */
1213 "modp3072", /* group 15 */
1214 "modp4096", /* group 16 */
1215 "modp6144", /* group 17 */
1216 "modp8192", /* group 18 */
1218 { "group type", 4, { NULL, "MODP", "ECP", "EC2N", }, },
1219 { "group prime", 0, { NULL } },
1220 { "group gen1", 0, { NULL } },
1221 { "group gen2", 0, { NULL } },
1222 { "group curve A", 0, { NULL } },
1223 { "group curve B", 0, { NULL } },
1224 { "lifetype", 3, { NULL, "sec", "kb", }, },
1225 { "lifeduration", 0, { NULL } },
1226 { "prf", 0, { NULL } },
1227 { "keylen", 0, { NULL } },
1228 { "field", 0, { NULL } },
1229 { "order", 0, { NULL } },
1232 static const u_char *
1233 ikev1_t_print(netdissect_options *ndo, u_char tpay _U_,
1234 const struct isakmp_gen *ext, u_int item_len,
1235 const u_char *ep, uint32_t phase _U_, uint32_t doi _U_,
1236 uint32_t proto, int depth _U_)
1238 const struct ikev1_pl_t *p;
1239 struct ikev1_pl_t t;
1242 const struct attrmap *map;
1246 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_T)));
1248 p = (const struct ikev1_pl_t *)ext;
1250 UNALIGNED_MEMCPY(&t, ext, sizeof(t));
1254 idstr = STR_OR_ID(t.t_id, ikev1_p_map);
1256 nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]);
1259 idstr = STR_OR_ID(t.t_id, ah_p_map);
1261 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
1264 idstr = STR_OR_ID(t.t_id, esp_p_map);
1266 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
1269 idstr = STR_OR_ID(t.t_id, ipcomp_p_map);
1271 nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
1281 ND_PRINT((ndo," #%d id=%s ", t.t_no, idstr));
1283 ND_PRINT((ndo," #%d id=%d ", t.t_no, t.t_id));
1284 cp = (const u_char *)(p + 1);
1285 ep2 = (const u_char *)p + item_len;
1286 while (cp < ep && cp < ep2) {
1288 cp = ikev1_attrmap_print(ndo, cp, ep2, map, nmap);
1290 cp = ikev1_attr_print(ndo, cp, ep2);
1295 ND_PRINT((ndo,"..."));
1298 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_T)));
1302 static const u_char *
1303 ikev1_ke_print(netdissect_options *ndo, u_char tpay _U_,
1304 const struct isakmp_gen *ext, u_int item_len _U_,
1305 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_,
1306 uint32_t proto _U_, int depth _U_)
1308 struct isakmp_gen e;
1310 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_KE)));
1313 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1314 ND_PRINT((ndo," key len=%d", ntohs(e.len) - 4));
1315 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1316 /* Print the entire payload in hex */
1317 ND_PRINT((ndo," "));
1318 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
1321 return (const u_char *)ext + ntohs(e.len);
1323 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_KE)));
1327 static const u_char *
1328 ikev1_id_print(netdissect_options *ndo, u_char tpay _U_,
1329 const struct isakmp_gen *ext, u_int item_len,
1330 const u_char *ep _U_, uint32_t phase, uint32_t doi _U_,
1331 uint32_t proto _U_, int depth _U_)
1333 #define USE_IPSECDOI_IN_PHASE1 1
1334 const struct ikev1_pl_id *p;
1335 struct ikev1_pl_id id;
1336 static const char *idtypestr[] = {
1337 "IPv4", "IPv4net", "IPv6", "IPv6net",
1339 static const char *ipsecidtypestr[] = {
1340 NULL, "IPv4", "FQDN", "user FQDN", "IPv4net", "IPv6",
1341 "IPv6net", "IPv4range", "IPv6range", "ASN1 DN", "ASN1 GN",
1347 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_ID)));
1349 p = (const struct ikev1_pl_id *)ext;
1351 UNALIGNED_MEMCPY(&id, ext, sizeof(id));
1352 if (sizeof(*p) < item_len) {
1353 data = (const u_char *)(p + 1);
1354 len = item_len - sizeof(*p);
1361 ND_PRINT((ndo," [phase=%d doi=%d proto=%d]", phase, doi, proto));
1364 #ifndef USE_IPSECDOI_IN_PHASE1
1368 ND_PRINT((ndo," idtype=%s", STR_OR_ID(id.d.id_type, idtypestr)));
1369 ND_PRINT((ndo," doi_data=%u",
1370 (uint32_t)(ntohl(id.d.doi_data) & 0xffffff)));
1373 #ifdef USE_IPSECDOI_IN_PHASE1
1378 const struct ipsecdoi_id *doi_p;
1379 struct ipsecdoi_id doi_id;
1382 doi_p = (const struct ipsecdoi_id *)ext;
1384 UNALIGNED_MEMCPY(&doi_id, ext, sizeof(doi_id));
1385 ND_PRINT((ndo," idtype=%s", STR_OR_ID(doi_id.type, ipsecidtypestr)));
1386 /* A protocol ID of 0 DOES NOT mean IPPROTO_IP! */
1387 if (!ndo->ndo_nflag && doi_id.proto_id && (p_name = netdb_protoname(doi_id.proto_id)) != NULL)
1388 ND_PRINT((ndo," protoid=%s", p_name));
1390 ND_PRINT((ndo," protoid=%u", doi_id.proto_id));
1391 ND_PRINT((ndo," port=%d", ntohs(doi_id.port)));
1396 ND_TCHECK2(*data, len);
1397 switch (doi_id.type) {
1398 case IPSECDOI_ID_IPV4_ADDR:
1400 ND_PRINT((ndo," len=%d [bad: < 4]", len));
1402 ND_PRINT((ndo," len=%d %s", len, ipaddr_string(ndo, data)));
1405 case IPSECDOI_ID_FQDN:
1406 case IPSECDOI_ID_USER_FQDN:
1409 ND_PRINT((ndo," len=%d ", len));
1410 for (i = 0; i < len; i++)
1411 safeputchar(ndo, data[i]);
1415 case IPSECDOI_ID_IPV4_ADDR_SUBNET:
1419 ND_PRINT((ndo," len=%d [bad: < 8]", len));
1421 mask = data + sizeof(struct in_addr);
1422 ND_PRINT((ndo," len=%d %s/%u.%u.%u.%u", len,
1423 ipaddr_string(ndo, data),
1424 mask[0], mask[1], mask[2], mask[3]));
1429 case IPSECDOI_ID_IPV6_ADDR:
1431 ND_PRINT((ndo," len=%d [bad: < 16]", len));
1433 ND_PRINT((ndo," len=%d %s", len, ip6addr_string(ndo, data)));
1436 case IPSECDOI_ID_IPV6_ADDR_SUBNET:
1440 ND_PRINT((ndo," len=%d [bad: < 32]", len));
1442 mask = (const u_char *)(data + sizeof(struct in6_addr));
1444 ND_PRINT((ndo," len=%d %s/0x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x", len,
1445 ip6addr_string(ndo, data),
1446 mask[0], mask[1], mask[2], mask[3],
1447 mask[4], mask[5], mask[6], mask[7],
1448 mask[8], mask[9], mask[10], mask[11],
1449 mask[12], mask[13], mask[14], mask[15]));
1454 case IPSECDOI_ID_IPV4_ADDR_RANGE:
1456 ND_PRINT((ndo," len=%d [bad: < 8]", len));
1458 ND_PRINT((ndo," len=%d %s-%s", len,
1459 ipaddr_string(ndo, data),
1460 ipaddr_string(ndo, data + sizeof(struct in_addr))));
1464 case IPSECDOI_ID_IPV6_ADDR_RANGE:
1466 ND_PRINT((ndo," len=%d [bad: < 32]", len));
1468 ND_PRINT((ndo," len=%d %s-%s", len,
1469 ip6addr_string(ndo, data),
1470 ip6addr_string(ndo, data + sizeof(struct in6_addr))));
1474 case IPSECDOI_ID_DER_ASN1_DN:
1475 case IPSECDOI_ID_DER_ASN1_GN:
1476 case IPSECDOI_ID_KEY_ID:
1483 ND_PRINT((ndo," len=%d", len));
1484 if (2 < ndo->ndo_vflag) {
1485 ND_PRINT((ndo," "));
1486 if (!rawprint(ndo, (const uint8_t *)data, len))
1490 return (const u_char *)ext + item_len;
1492 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_ID)));
1496 static const u_char *
1497 ikev1_cert_print(netdissect_options *ndo, u_char tpay _U_,
1498 const struct isakmp_gen *ext, u_int item_len,
1499 const u_char *ep _U_, uint32_t phase _U_,
1501 uint32_t proto0 _U_, int depth _U_)
1503 const struct ikev1_pl_cert *p;
1504 struct ikev1_pl_cert cert;
1505 static const char *certstr[] = {
1506 "none", "pkcs7", "pgp", "dns",
1507 "x509sign", "x509ke", "kerberos", "crl",
1508 "arl", "spki", "x509attr",
1511 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_CERT)));
1513 p = (const struct ikev1_pl_cert *)ext;
1515 UNALIGNED_MEMCPY(&cert, ext, sizeof(cert));
1516 ND_PRINT((ndo," len=%d", item_len - 4));
1517 ND_PRINT((ndo," type=%s", STR_OR_ID((cert.encode), certstr)));
1518 if (2 < ndo->ndo_vflag && 4 < item_len) {
1519 /* Print the entire payload in hex */
1520 ND_PRINT((ndo," "));
1521 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1524 return (const u_char *)ext + item_len;
1526 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_CERT)));
1530 static const u_char *
1531 ikev1_cr_print(netdissect_options *ndo, u_char tpay _U_,
1532 const struct isakmp_gen *ext, u_int item_len,
1533 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi0 _U_,
1534 uint32_t proto0 _U_, int depth _U_)
1536 const struct ikev1_pl_cert *p;
1537 struct ikev1_pl_cert cert;
1538 static const char *certstr[] = {
1539 "none", "pkcs7", "pgp", "dns",
1540 "x509sign", "x509ke", "kerberos", "crl",
1541 "arl", "spki", "x509attr",
1544 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_CR)));
1546 p = (const struct ikev1_pl_cert *)ext;
1548 UNALIGNED_MEMCPY(&cert, ext, sizeof(cert));
1549 ND_PRINT((ndo," len=%d", item_len - 4));
1550 ND_PRINT((ndo," type=%s", STR_OR_ID((cert.encode), certstr)));
1551 if (2 < ndo->ndo_vflag && 4 < item_len) {
1552 /* Print the entire payload in hex */
1553 ND_PRINT((ndo," "));
1554 if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1557 return (const u_char *)ext + item_len;
1559 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_CR)));
1563 static const u_char *
1564 ikev1_hash_print(netdissect_options *ndo, u_char tpay _U_,
1565 const struct isakmp_gen *ext, u_int item_len _U_,
1566 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_,
1567 uint32_t proto _U_, int depth _U_)
1569 struct isakmp_gen e;
1571 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_HASH)));
1574 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1575 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
1576 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1577 /* Print the entire payload in hex */
1578 ND_PRINT((ndo," "));
1579 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
1582 return (const u_char *)ext + ntohs(e.len);
1584 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_HASH)));
1588 static const u_char *
1589 ikev1_sig_print(netdissect_options *ndo, u_char tpay _U_,
1590 const struct isakmp_gen *ext, u_int item_len _U_,
1591 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_,
1592 uint32_t proto _U_, int depth _U_)
1594 struct isakmp_gen e;
1596 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_SIG)));
1599 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1600 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
1601 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1602 /* Print the entire payload in hex */
1603 ND_PRINT((ndo," "));
1604 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
1607 return (const u_char *)ext + ntohs(e.len);
1609 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_SIG)));
1613 static const u_char *
1614 ikev1_nonce_print(netdissect_options *ndo, u_char tpay _U_,
1615 const struct isakmp_gen *ext,
1618 uint32_t phase _U_, uint32_t doi _U_,
1619 uint32_t proto _U_, int depth _U_)
1621 struct isakmp_gen e;
1623 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_NONCE)));
1626 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1628 * Our caller has ensured that the length is >= 4.
1630 ND_PRINT((ndo," n len=%u", ntohs(e.len) - 4));
1631 if (ntohs(e.len) > 4) {
1632 if (ndo->ndo_vflag > 2) {
1633 ND_PRINT((ndo, " "));
1634 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
1636 } else if (ndo->ndo_vflag > 1) {
1637 ND_PRINT((ndo, " "));
1638 if (!ike_show_somedata(ndo, (const u_char *)(ext + 1), ep))
1642 return (const u_char *)ext + ntohs(e.len);
1644 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_NONCE)));
1648 static const u_char *
1649 ikev1_n_print(netdissect_options *ndo, u_char tpay _U_,
1650 const struct isakmp_gen *ext, u_int item_len,
1651 const u_char *ep, uint32_t phase _U_, uint32_t doi0 _U_,
1652 uint32_t proto0 _U_, int depth _U_)
1654 const struct ikev1_pl_n *p;
1655 struct ikev1_pl_n n;
1660 static const char *notify_error_str[] = {
1661 NULL, "INVALID-PAYLOAD-TYPE",
1662 "DOI-NOT-SUPPORTED", "SITUATION-NOT-SUPPORTED",
1663 "INVALID-COOKIE", "INVALID-MAJOR-VERSION",
1664 "INVALID-MINOR-VERSION", "INVALID-EXCHANGE-TYPE",
1665 "INVALID-FLAGS", "INVALID-MESSAGE-ID",
1666 "INVALID-PROTOCOL-ID", "INVALID-SPI",
1667 "INVALID-TRANSFORM-ID", "ATTRIBUTES-NOT-SUPPORTED",
1668 "NO-PROPOSAL-CHOSEN", "BAD-PROPOSAL-SYNTAX",
1669 "PAYLOAD-MALFORMED", "INVALID-KEY-INFORMATION",
1670 "INVALID-ID-INFORMATION", "INVALID-CERT-ENCODING",
1671 "INVALID-CERTIFICATE", "CERT-TYPE-UNSUPPORTED",
1672 "INVALID-CERT-AUTHORITY", "INVALID-HASH-INFORMATION",
1673 "AUTHENTICATION-FAILED", "INVALID-SIGNATURE",
1674 "ADDRESS-NOTIFICATION", "NOTIFY-SA-LIFETIME",
1675 "CERTIFICATE-UNAVAILABLE", "UNSUPPORTED-EXCHANGE-TYPE",
1676 "UNEQUAL-PAYLOAD-LENGTHS",
1678 static const char *ipsec_notify_error_str[] = {
1681 static const char *notify_status_str[] = {
1684 static const char *ipsec_notify_status_str[] = {
1685 "RESPONDER-LIFETIME", "REPLAY-STATUS",
1688 /* NOTE: these macro must be called with x in proper range */
1691 #define NOTIFY_ERROR_STR(x) \
1692 STR_OR_ID((x), notify_error_str)
1695 #define IPSEC_NOTIFY_ERROR_STR(x) \
1696 STR_OR_ID((u_int)((x) - 8192), ipsec_notify_error_str)
1699 #define NOTIFY_STATUS_STR(x) \
1700 STR_OR_ID((u_int)((x) - 16384), notify_status_str)
1703 #define IPSEC_NOTIFY_STATUS_STR(x) \
1704 STR_OR_ID((u_int)((x) - 24576), ipsec_notify_status_str)
1706 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_N)));
1708 p = (const struct ikev1_pl_n *)ext;
1710 UNALIGNED_MEMCPY(&n, ext, sizeof(n));
1714 ND_PRINT((ndo," doi=%d", doi));
1715 ND_PRINT((ndo," proto=%d", proto));
1716 if (ntohs(n.type) < 8192)
1717 ND_PRINT((ndo," type=%s", NOTIFY_ERROR_STR(ntohs(n.type))));
1718 else if (ntohs(n.type) < 16384)
1719 ND_PRINT((ndo," type=%s", numstr(ntohs(n.type))));
1720 else if (ntohs(n.type) < 24576)
1721 ND_PRINT((ndo," type=%s", NOTIFY_STATUS_STR(ntohs(n.type))));
1723 ND_PRINT((ndo," type=%s", numstr(ntohs(n.type))));
1725 ND_PRINT((ndo," spi="));
1726 if (!rawprint(ndo, (const uint8_t *)(p + 1), n.spi_size))
1729 return (const u_char *)(p + 1) + n.spi_size;
1732 ND_PRINT((ndo," doi=ipsec"));
1733 ND_PRINT((ndo," proto=%s", PROTOIDSTR(proto)));
1734 if (ntohs(n.type) < 8192)
1735 ND_PRINT((ndo," type=%s", NOTIFY_ERROR_STR(ntohs(n.type))));
1736 else if (ntohs(n.type) < 16384)
1737 ND_PRINT((ndo," type=%s", IPSEC_NOTIFY_ERROR_STR(ntohs(n.type))));
1738 else if (ntohs(n.type) < 24576)
1739 ND_PRINT((ndo," type=%s", NOTIFY_STATUS_STR(ntohs(n.type))));
1740 else if (ntohs(n.type) < 32768)
1741 ND_PRINT((ndo," type=%s", IPSEC_NOTIFY_STATUS_STR(ntohs(n.type))));
1743 ND_PRINT((ndo," type=%s", numstr(ntohs(n.type))));
1745 ND_PRINT((ndo," spi="));
1746 if (!rawprint(ndo, (const uint8_t *)(p + 1), n.spi_size))
1750 cp = (const u_char *)(p + 1) + n.spi_size;
1751 ep2 = (const u_char *)p + item_len;
1754 switch (ntohs(n.type)) {
1755 case IPSECDOI_NTYPE_RESPONDER_LIFETIME:
1757 const struct attrmap *map = oakley_t_map;
1758 size_t nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]);
1759 ND_PRINT((ndo," attrs=("));
1760 while (cp < ep && cp < ep2) {
1761 cp = ikev1_attrmap_print(ndo, cp, ep2, map, nmap);
1763 ND_PRINT((ndo,")"));
1767 ND_PRINT((ndo,")"));
1770 case IPSECDOI_NTYPE_REPLAY_STATUS:
1771 ND_PRINT((ndo," status=("));
1772 ND_TCHECK_32BITS(cp);
1773 ND_PRINT((ndo,"replay detection %sabled",
1774 EXTRACT_32BITS(cp) ? "en" : "dis"));
1775 ND_PRINT((ndo,")"));
1779 * XXX - fill in more types here; see, for example,
1780 * draft-ietf-ipsec-notifymsg-04.
1782 if (ndo->ndo_vflag > 3) {
1783 ND_PRINT((ndo," data=("));
1784 if (!rawprint(ndo, (const uint8_t *)(cp), ep - cp))
1786 ND_PRINT((ndo,")"));
1788 if (!ike_show_somedata(ndo, cp, ep))
1794 return (const u_char *)ext + item_len;
1796 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_N)));
1800 static const u_char *
1801 ikev1_d_print(netdissect_options *ndo, u_char tpay _U_,
1802 const struct isakmp_gen *ext, u_int item_len _U_,
1803 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi0 _U_,
1804 uint32_t proto0 _U_, int depth _U_)
1806 const struct ikev1_pl_d *p;
1807 struct ikev1_pl_d d;
1813 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_D)));
1815 p = (const struct ikev1_pl_d *)ext;
1817 UNALIGNED_MEMCPY(&d, ext, sizeof(d));
1821 ND_PRINT((ndo," doi=%u", doi));
1822 ND_PRINT((ndo," proto=%u", proto));
1824 ND_PRINT((ndo," doi=ipsec"));
1825 ND_PRINT((ndo," proto=%s", PROTOIDSTR(proto)));
1827 ND_PRINT((ndo," spilen=%u", d.spi_size));
1828 ND_PRINT((ndo," nspi=%u", ntohs(d.num_spi)));
1829 ND_PRINT((ndo," spi="));
1830 q = (const uint8_t *)(p + 1);
1831 for (i = 0; i < ntohs(d.num_spi); i++) {
1833 ND_PRINT((ndo,","));
1834 if (!rawprint(ndo, (const uint8_t *)q, d.spi_size))
1840 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_D)));
1844 static const u_char *
1845 ikev1_vid_print(netdissect_options *ndo, u_char tpay _U_,
1846 const struct isakmp_gen *ext,
1847 u_int item_len _U_, const u_char *ep _U_,
1848 uint32_t phase _U_, uint32_t doi _U_,
1849 uint32_t proto _U_, int depth _U_)
1851 struct isakmp_gen e;
1853 ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_VID)));
1856 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1857 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
1858 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1859 /* Print the entire payload in hex */
1860 ND_PRINT((ndo," "));
1861 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
1864 return (const u_char *)ext + ntohs(e.len);
1866 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_VID)));
1870 /************************************************************/
1872 /* IKE v2 - rfc4306 - dissector */
1874 /************************************************************/
1877 ikev2_pay_print(netdissect_options *ndo, const char *payname, int critical)
1879 ND_PRINT((ndo,"%s%s:", payname, critical&0x80 ? "[C]" : ""));
1882 static const u_char *
1883 ikev2_gen_print(netdissect_options *ndo, u_char tpay,
1884 const struct isakmp_gen *ext)
1886 struct isakmp_gen e;
1889 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1890 ikev2_pay_print(ndo, NPSTR(tpay), e.critical);
1892 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
1893 if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1894 /* Print the entire payload in hex */
1895 ND_PRINT((ndo," "));
1896 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
1899 return (const u_char *)ext + ntohs(e.len);
1901 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
1905 static const u_char *
1906 ikev2_t_print(netdissect_options *ndo, int tcount,
1907 const struct isakmp_gen *ext, u_int item_len,
1910 const struct ikev2_t *p;
1915 const struct attrmap *map;
1919 p = (const struct ikev2_t *)ext;
1921 UNALIGNED_MEMCPY(&t, ext, sizeof(t));
1922 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_T), t.h.critical);
1924 t_id = ntohs(t.t_id);
1931 idstr = STR_OR_ID(t_id, esp_p_map);
1933 nmap = sizeof(encr_t_map)/sizeof(encr_t_map[0]);
1937 idstr = STR_OR_ID(t_id, prf_p_map);
1941 idstr = STR_OR_ID(t_id, integ_p_map);
1945 idstr = STR_OR_ID(t_id, dh_p_map);
1949 idstr = STR_OR_ID(t_id, esn_p_map);
1958 ND_PRINT((ndo," #%u type=%s id=%s ", tcount,
1959 STR_OR_ID(t.t_type, ikev2_t_type_map),
1962 ND_PRINT((ndo," #%u type=%s id=%u ", tcount,
1963 STR_OR_ID(t.t_type, ikev2_t_type_map),
1965 cp = (const u_char *)(p + 1);
1966 ep2 = (const u_char *)p + item_len;
1967 while (cp < ep && cp < ep2) {
1969 cp = ikev1_attrmap_print(ndo, cp, ep2, map, nmap);
1971 cp = ikev1_attr_print(ndo, cp, ep2);
1976 ND_PRINT((ndo,"..."));
1979 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_T)));
1983 static const u_char *
1984 ikev2_p_print(netdissect_options *ndo, u_char tpay _U_, int pcount _U_,
1985 const struct isakmp_gen *ext, u_int oprop_length,
1986 const u_char *ep, int depth)
1988 const struct ikev2_p *p;
1989 struct ikev2_p prop;
1995 struct isakmp_gen e;
1998 p = (const struct ikev2_p *)ext;
2000 UNALIGNED_MEMCPY(&prop, ext, sizeof(prop));
2002 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_P), prop.h.critical);
2005 * ikev2_sa_print() guarantees that this is >= 4.
2007 prop_length = oprop_length - 4;
2008 ND_PRINT((ndo," #%u protoid=%s transform=%d len=%u",
2009 prop.p_no, PROTOIDSTR(prop.prot_id),
2010 prop.num_t, oprop_length));
2011 cp = (const u_char *)(p + 1);
2013 if (prop.spi_size) {
2014 if (prop_length < prop.spi_size)
2016 ND_PRINT((ndo," spi="));
2017 if (!rawprint(ndo, (const uint8_t *)cp, prop.spi_size))
2019 cp += prop.spi_size;
2020 prop_length -= prop.spi_size;
2024 * Print the transforms.
2027 for (np = ISAKMP_NPTYPE_T; np != 0; np = e.np) {
2029 ext = (const struct isakmp_gen *)cp;
2030 if (prop_length < sizeof(*ext))
2033 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2036 * Since we can't have a payload length of less than 4 bytes,
2037 * we need to bail out here if the generic header is nonsensical
2038 * or truncated, otherwise we could loop forever processing
2039 * zero-length items or otherwise misdissect the packet.
2041 item_len = ntohs(e.len);
2045 if (prop_length < item_len)
2047 ND_TCHECK2(*cp, item_len);
2050 ND_PRINT((ndo,"\n"));
2051 for (i = 0; i < depth; i++)
2052 ND_PRINT((ndo," "));
2053 ND_PRINT((ndo,"("));
2054 if (np == ISAKMP_NPTYPE_T) {
2055 cp = ikev2_t_print(ndo, tcount, ext, item_len, ep);
2057 /* error, already reported */
2061 ND_PRINT((ndo, "%s", NPSTR(np)));
2064 ND_PRINT((ndo,")"));
2066 prop_length -= item_len;
2071 * Skip the rest of the proposal.
2074 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_P)));
2077 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_P)));
2081 static const u_char *
2082 ikev2_sa_print(netdissect_options *ndo, u_char tpay,
2083 const struct isakmp_gen *ext1,
2084 u_int osa_length, const u_char *ep,
2085 uint32_t phase _U_, uint32_t doi _U_,
2086 uint32_t proto _U_, int depth)
2088 const struct isakmp_gen *ext;
2089 struct isakmp_gen e;
2098 UNALIGNED_MEMCPY(&e, ext1, sizeof(e));
2099 ikev2_pay_print(ndo, "sa", e.critical);
2102 * ikev2_sub0_print() guarantees that this is >= 4.
2104 osa_length= ntohs(e.len);
2105 sa_length = osa_length - 4;
2106 ND_PRINT((ndo," len=%d", sa_length));
2109 * Print the payloads.
2111 cp = (const u_char *)(ext1 + 1);
2113 for (np = ISAKMP_NPTYPE_P; np != 0; np = e.np) {
2115 ext = (const struct isakmp_gen *)cp;
2116 if (sa_length < sizeof(*ext))
2119 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2122 * Since we can't have a payload length of less than 4 bytes,
2123 * we need to bail out here if the generic header is nonsensical
2124 * or truncated, otherwise we could loop forever processing
2125 * zero-length items or otherwise misdissect the packet.
2127 item_len = ntohs(e.len);
2131 if (sa_length < item_len)
2133 ND_TCHECK2(*cp, item_len);
2136 ND_PRINT((ndo,"\n"));
2137 for (i = 0; i < depth; i++)
2138 ND_PRINT((ndo," "));
2139 ND_PRINT((ndo,"("));
2140 if (np == ISAKMP_NPTYPE_P) {
2141 cp = ikev2_p_print(ndo, np, pcount, ext, item_len,
2144 /* error, already reported */
2148 ND_PRINT((ndo, "%s", NPSTR(np)));
2151 ND_PRINT((ndo,")"));
2153 sa_length -= item_len;
2158 * Skip the rest of the SA.
2161 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2164 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2168 static const u_char *
2169 ikev2_ke_print(netdissect_options *ndo, u_char tpay,
2170 const struct isakmp_gen *ext,
2171 u_int item_len _U_, const u_char *ep _U_,
2172 uint32_t phase _U_, uint32_t doi _U_,
2173 uint32_t proto _U_, int depth _U_)
2176 const struct ikev2_ke *k;
2178 k = (const struct ikev2_ke *)ext;
2180 UNALIGNED_MEMCPY(&ke, ext, sizeof(ke));
2181 ikev2_pay_print(ndo, NPSTR(tpay), ke.h.critical);
2183 ND_PRINT((ndo," len=%u group=%s", ntohs(ke.h.len) - 8,
2184 STR_OR_ID(ntohs(ke.ke_group), dh_p_map)));
2186 if (2 < ndo->ndo_vflag && 8 < ntohs(ke.h.len)) {
2187 ND_PRINT((ndo," "));
2188 if (!rawprint(ndo, (const uint8_t *)(k + 1), ntohs(ke.h.len) - 8))
2191 return (const u_char *)ext + ntohs(ke.h.len);
2193 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2197 static const u_char *
2198 ikev2_ID_print(netdissect_options *ndo, u_char tpay,
2199 const struct isakmp_gen *ext,
2200 u_int item_len _U_, const u_char *ep _U_,
2201 uint32_t phase _U_, uint32_t doi _U_,
2202 uint32_t proto _U_, int depth _U_)
2204 const struct ikev2_id *idp;
2206 int id_len, idtype_len, i;
2207 unsigned int dumpascii, dumphex;
2208 const unsigned char *typedata;
2210 idp = (const struct ikev2_id *)ext;
2212 UNALIGNED_MEMCPY(&id, ext, sizeof(id));
2213 ikev2_pay_print(ndo, NPSTR(tpay), id.h.critical);
2215 id_len = ntohs(id.h.len);
2217 ND_PRINT((ndo," len=%d", id_len - 4));
2218 if (2 < ndo->ndo_vflag && 4 < id_len) {
2219 /* Print the entire payload in hex */
2220 ND_PRINT((ndo," "));
2221 if (!rawprint(ndo, (const uint8_t *)(ext + 1), id_len - 4))
2225 idtype_len =id_len - sizeof(struct ikev2_id);
2228 typedata = (const unsigned char *)(ext)+sizeof(struct ikev2_id);
2232 ND_PRINT((ndo, " ipv4:"));
2236 ND_PRINT((ndo, " fqdn:"));
2239 case ID_RFC822_ADDR:
2240 ND_PRINT((ndo, " rfc822:"));
2244 ND_PRINT((ndo, " ipv6:"));
2247 case ID_DER_ASN1_DN:
2248 ND_PRINT((ndo, " dn:"));
2251 case ID_DER_ASN1_GN:
2252 ND_PRINT((ndo, " gn:"));
2256 ND_PRINT((ndo, " keyid:"));
2262 ND_TCHECK2(*typedata, idtype_len);
2263 for(i=0; i<idtype_len; i++) {
2264 if(ND_ISPRINT(typedata[i])) {
2265 ND_PRINT((ndo, "%c", typedata[i]));
2267 ND_PRINT((ndo, "."));
2272 if (!rawprint(ndo, (const uint8_t *)typedata, idtype_len))
2276 return (const u_char *)ext + id_len;
2278 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2282 static const u_char *
2283 ikev2_cert_print(netdissect_options *ndo, u_char tpay,
2284 const struct isakmp_gen *ext,
2285 u_int item_len _U_, const u_char *ep _U_,
2286 uint32_t phase _U_, uint32_t doi _U_,
2287 uint32_t proto _U_, int depth _U_)
2289 return ikev2_gen_print(ndo, tpay, ext);
2292 static const u_char *
2293 ikev2_cr_print(netdissect_options *ndo, u_char tpay,
2294 const struct isakmp_gen *ext,
2295 u_int item_len _U_, const u_char *ep _U_,
2296 uint32_t phase _U_, uint32_t doi _U_,
2297 uint32_t proto _U_, int depth _U_)
2299 return ikev2_gen_print(ndo, tpay, ext);
2302 static const u_char *
2303 ikev2_auth_print(netdissect_options *ndo, u_char tpay,
2304 const struct isakmp_gen *ext,
2305 u_int item_len _U_, const u_char *ep,
2306 uint32_t phase _U_, uint32_t doi _U_,
2307 uint32_t proto _U_, int depth _U_)
2309 struct ikev2_auth a;
2310 const char *v2_auth[]={ "invalid", "rsasig",
2311 "shared-secret", "dsssig" };
2312 const u_char *authdata = (const u_char*)ext + sizeof(a);
2315 ND_TCHECK2(*ext, sizeof(a));
2316 UNALIGNED_MEMCPY(&a, ext, sizeof(a));
2317 ikev2_pay_print(ndo, NPSTR(tpay), a.h.critical);
2318 len = ntohs(a.h.len);
2321 * Our caller has ensured that the length is >= 4.
2323 ND_PRINT((ndo," len=%u method=%s", len-4,
2324 STR_OR_ID(a.auth_method, v2_auth)));
2326 if (ndo->ndo_vflag > 1) {
2327 ND_PRINT((ndo, " authdata=("));
2328 if (!rawprint(ndo, (const uint8_t *)authdata, len - sizeof(a)))
2330 ND_PRINT((ndo, ") "));
2331 } else if (ndo->ndo_vflag) {
2332 if (!ike_show_somedata(ndo, authdata, ep))
2337 return (const u_char *)ext + len;
2339 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2343 static const u_char *
2344 ikev2_nonce_print(netdissect_options *ndo, u_char tpay,
2345 const struct isakmp_gen *ext,
2346 u_int item_len _U_, const u_char *ep,
2347 uint32_t phase _U_, uint32_t doi _U_,
2348 uint32_t proto _U_, int depth _U_)
2350 struct isakmp_gen e;
2353 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2354 ikev2_pay_print(ndo, "nonce", e.critical);
2356 ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
2357 if (1 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
2358 ND_PRINT((ndo," nonce=("));
2359 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
2361 ND_PRINT((ndo,") "));
2362 } else if(ndo->ndo_vflag && 4 < ntohs(e.len)) {
2363 if(!ike_show_somedata(ndo, (const u_char *)(ext+1), ep)) goto trunc;
2366 return (const u_char *)ext + ntohs(e.len);
2368 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2372 /* notify payloads */
2373 static const u_char *
2374 ikev2_n_print(netdissect_options *ndo, u_char tpay _U_,
2375 const struct isakmp_gen *ext,
2376 u_int item_len, const u_char *ep,
2377 uint32_t phase _U_, uint32_t doi _U_,
2378 uint32_t proto _U_, int depth _U_)
2380 const struct ikev2_n *p;
2383 u_char showspi, showsomedata;
2384 const char *notify_name;
2387 p = (const struct ikev2_n *)ext;
2389 UNALIGNED_MEMCPY(&n, ext, sizeof(n));
2390 ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_N), n.h.critical);
2396 ND_PRINT((ndo," prot_id=%s", PROTOIDSTR(n.prot_id)));
2398 type = ntohs(n.type);
2400 /* notify space is annoying sparse */
2402 case IV2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD:
2403 notify_name = "unsupported_critical_payload";
2407 case IV2_NOTIFY_INVALID_IKE_SPI:
2408 notify_name = "invalid_ike_spi";
2412 case IV2_NOTIFY_INVALID_MAJOR_VERSION:
2413 notify_name = "invalid_major_version";
2417 case IV2_NOTIFY_INVALID_SYNTAX:
2418 notify_name = "invalid_syntax";
2422 case IV2_NOTIFY_INVALID_MESSAGE_ID:
2423 notify_name = "invalid_message_id";
2427 case IV2_NOTIFY_INVALID_SPI:
2428 notify_name = "invalid_spi";
2432 case IV2_NOTIFY_NO_PROPOSAL_CHOSEN:
2433 notify_name = "no_protocol_chosen";
2437 case IV2_NOTIFY_INVALID_KE_PAYLOAD:
2438 notify_name = "invalid_ke_payload";
2442 case IV2_NOTIFY_AUTHENTICATION_FAILED:
2443 notify_name = "authentication_failed";
2447 case IV2_NOTIFY_SINGLE_PAIR_REQUIRED:
2448 notify_name = "single_pair_required";
2452 case IV2_NOTIFY_NO_ADDITIONAL_SAS:
2453 notify_name = "no_additional_sas";
2457 case IV2_NOTIFY_INTERNAL_ADDRESS_FAILURE:
2458 notify_name = "internal_address_failure";
2462 case IV2_NOTIFY_FAILED_CP_REQUIRED:
2463 notify_name = "failed:cp_required";
2467 case IV2_NOTIFY_INVALID_SELECTORS:
2468 notify_name = "invalid_selectors";
2472 case IV2_NOTIFY_INITIAL_CONTACT:
2473 notify_name = "initial_contact";
2477 case IV2_NOTIFY_SET_WINDOW_SIZE:
2478 notify_name = "set_window_size";
2482 case IV2_NOTIFY_ADDITIONAL_TS_POSSIBLE:
2483 notify_name = "additional_ts_possible";
2487 case IV2_NOTIFY_IPCOMP_SUPPORTED:
2488 notify_name = "ipcomp_supported";
2492 case IV2_NOTIFY_NAT_DETECTION_SOURCE_IP:
2493 notify_name = "nat_detection_source_ip";
2497 case IV2_NOTIFY_NAT_DETECTION_DESTINATION_IP:
2498 notify_name = "nat_detection_destination_ip";
2502 case IV2_NOTIFY_COOKIE:
2503 notify_name = "cookie";
2508 case IV2_NOTIFY_USE_TRANSPORT_MODE:
2509 notify_name = "use_transport_mode";
2513 case IV2_NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED:
2514 notify_name = "http_cert_lookup_supported";
2518 case IV2_NOTIFY_REKEY_SA:
2519 notify_name = "rekey_sa";
2523 case IV2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED:
2524 notify_name = "tfc_padding_not_supported";
2528 case IV2_NOTIFY_NON_FIRST_FRAGMENTS_ALSO:
2529 notify_name = "non_first_fragment_also";
2535 notify_name="error";
2536 } else if(type < 16384) {
2537 notify_name="private-error";
2538 } else if(type < 40960) {
2539 notify_name="status";
2541 notify_name="private-status";
2546 ND_PRINT((ndo," type=%u(%s)", type, notify_name));
2550 if (showspi && n.spi_size) {
2551 ND_PRINT((ndo," spi="));
2552 if (!rawprint(ndo, (const uint8_t *)(p + 1), n.spi_size))
2556 cp = (const u_char *)(p + 1) + n.spi_size;
2559 if (ndo->ndo_vflag > 3 || (showsomedata && ep-cp < 30)) {
2560 ND_PRINT((ndo," data=("));
2561 if (!rawprint(ndo, (const uint8_t *)(cp), ep - cp))
2564 ND_PRINT((ndo,")"));
2565 } else if (showsomedata) {
2566 if (!ike_show_somedata(ndo, cp, ep))
2571 return (const u_char *)ext + item_len;
2573 ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_N)));
2577 static const u_char *
2578 ikev2_d_print(netdissect_options *ndo, u_char tpay,
2579 const struct isakmp_gen *ext,
2580 u_int item_len _U_, const u_char *ep _U_,
2581 uint32_t phase _U_, uint32_t doi _U_,
2582 uint32_t proto _U_, int depth _U_)
2584 return ikev2_gen_print(ndo, tpay, ext);
2587 static const u_char *
2588 ikev2_vid_print(netdissect_options *ndo, u_char tpay,
2589 const struct isakmp_gen *ext,
2590 u_int item_len _U_, const u_char *ep _U_,
2591 uint32_t phase _U_, uint32_t doi _U_,
2592 uint32_t proto _U_, int depth _U_)
2594 struct isakmp_gen e;
2599 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2600 ikev2_pay_print(ndo, NPSTR(tpay), e.critical);
2601 ND_PRINT((ndo," len=%d vid=", ntohs(e.len) - 4));
2603 vid = (const u_char *)(ext+1);
2604 len = ntohs(e.len) - 4;
2605 ND_TCHECK2(*vid, len);
2606 for(i=0; i<len; i++) {
2607 if(ND_ISPRINT(vid[i])) ND_PRINT((ndo, "%c", vid[i]));
2608 else ND_PRINT((ndo, "."));
2610 if (2 < ndo->ndo_vflag && 4 < len) {
2611 /* Print the entire payload in hex */
2612 ND_PRINT((ndo," "));
2613 if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
2616 return (const u_char *)ext + ntohs(e.len);
2618 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2622 static const u_char *
2623 ikev2_TS_print(netdissect_options *ndo, u_char tpay,
2624 const struct isakmp_gen *ext,
2625 u_int item_len _U_, const u_char *ep _U_,
2626 uint32_t phase _U_, uint32_t doi _U_,
2627 uint32_t proto _U_, int depth _U_)
2629 return ikev2_gen_print(ndo, tpay, ext);
2632 static const u_char *
2633 ikev2_e_print(netdissect_options *ndo,
2634 #ifndef HAVE_LIBCRYPTO
2637 struct isakmp *base,
2639 const struct isakmp_gen *ext,
2640 u_int item_len _U_, const u_char *ep _U_,
2641 #ifndef HAVE_LIBCRYPTO
2645 #ifndef HAVE_LIBCRYPTO
2649 #ifndef HAVE_LIBCRYPTO
2653 #ifndef HAVE_LIBCRYPTO
2658 struct isakmp_gen e;
2663 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2664 ikev2_pay_print(ndo, NPSTR(tpay), e.critical);
2666 dlen = ntohs(e.len)-4;
2668 ND_PRINT((ndo," len=%d", dlen));
2669 if (2 < ndo->ndo_vflag && 4 < dlen) {
2670 ND_PRINT((ndo," "));
2671 if (!rawprint(ndo, (const uint8_t *)(ext + 1), dlen))
2675 dat = (const u_char *)(ext+1);
2676 ND_TCHECK2(*dat, dlen);
2678 #ifdef HAVE_LIBCRYPTO
2679 /* try to decypt it! */
2680 if(esp_print_decrypt_buffer_by_ikev2(ndo,
2681 base->flags & ISAKMP_FLAG_I,
2682 base->i_ck, base->r_ck,
2685 ext = (const struct isakmp_gen *)ndo->ndo_packetp;
2687 /* got it decrypted, print stuff inside. */
2688 ikev2_sub_print(ndo, base, e.np, ext, ndo->ndo_snapend,
2689 phase, doi, proto, depth+1);
2694 /* always return NULL, because E must be at end, and NP refers
2695 * to what was inside.
2699 ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2703 static const u_char *
2704 ikev2_cp_print(netdissect_options *ndo, u_char tpay,
2705 const struct isakmp_gen *ext,
2706 u_int item_len _U_, const u_char *ep _U_,
2707 uint32_t phase _U_, uint32_t doi _U_,
2708 uint32_t proto _U_, int depth _U_)
2710 return ikev2_gen_print(ndo, tpay, ext);
2713 static const u_char *
2714 ikev2_eap_print(netdissect_options *ndo, u_char tpay,
2715 const struct isakmp_gen *ext,
2716 u_int item_len _U_, const u_char *ep _U_,
2717 uint32_t phase _U_, uint32_t doi _U_,
2718 uint32_t proto _U_, int depth _U_)
2720 return ikev2_gen_print(ndo, tpay, ext);
2723 static const u_char *
2724 ike_sub0_print(netdissect_options *ndo,
2725 u_char np, const struct isakmp_gen *ext, const u_char *ep,
2727 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
2730 struct isakmp_gen e;
2733 cp = (const u_char *)ext;
2735 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2738 * Since we can't have a payload length of less than 4 bytes,
2739 * we need to bail out here if the generic header is nonsensical
2740 * or truncated, otherwise we could loop forever processing
2741 * zero-length items or otherwise misdissect the packet.
2743 item_len = ntohs(e.len);
2749 * XXX - what if item_len is too short, or too long,
2750 * for this payload type?
2752 cp = (*npfunc[np])(ndo, np, ext, item_len, ep, phase, doi, proto, depth);
2754 ND_PRINT((ndo,"%s", NPSTR(np)));
2760 ND_PRINT((ndo," [|isakmp]"));
2764 static const u_char *
2765 ikev1_sub_print(netdissect_options *ndo,
2766 u_char np, const struct isakmp_gen *ext, const u_char *ep,
2767 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
2771 struct isakmp_gen e;
2773 cp = (const u_char *)ext;
2777 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2779 ND_TCHECK2(*ext, ntohs(e.len));
2782 ND_PRINT((ndo,"\n"));
2783 for (i = 0; i < depth; i++)
2784 ND_PRINT((ndo," "));
2785 ND_PRINT((ndo,"("));
2786 cp = ike_sub0_print(ndo, np, ext, ep, phase, doi, proto, depth);
2787 ND_PRINT((ndo,")"));
2791 /* Zero-length subitem */
2796 ext = (const struct isakmp_gen *)cp;
2800 ND_PRINT((ndo," [|%s]", NPSTR(np)));
2807 static char buf[20];
2808 snprintf(buf, sizeof(buf), "#%d", x);
2813 ikev1_print(netdissect_options *ndo,
2814 const u_char *bp, u_int length,
2815 const u_char *bp2, struct isakmp *base)
2817 const struct isakmp *p;
2823 p = (const struct isakmp *)bp;
2824 ep = ndo->ndo_snapend;
2826 phase = (EXTRACT_32BITS(base->msgid) == 0) ? 1 : 2;
2828 ND_PRINT((ndo," phase %d", phase));
2830 ND_PRINT((ndo," phase %d/others", phase));
2832 i = cookie_find(&base->i_ck);
2834 if (iszero((const u_char *)&base->r_ck, sizeof(base->r_ck))) {
2835 /* the first packet */
2836 ND_PRINT((ndo," I"));
2838 cookie_record(&base->i_ck, bp2);
2840 ND_PRINT((ndo," ?"));
2842 if (bp2 && cookie_isinitiator(i, bp2))
2843 ND_PRINT((ndo," I"));
2844 else if (bp2 && cookie_isresponder(i, bp2))
2845 ND_PRINT((ndo," R"));
2847 ND_PRINT((ndo," ?"));
2850 ND_PRINT((ndo," %s", ETYPESTR(base->etype)));
2852 ND_PRINT((ndo,"[%s%s]", base->flags & ISAKMP_FLAG_E ? "E" : "",
2853 base->flags & ISAKMP_FLAG_C ? "C" : ""));
2856 if (ndo->ndo_vflag) {
2857 const struct isakmp_gen *ext;
2859 ND_PRINT((ndo,":"));
2861 /* regardless of phase... */
2862 if (base->flags & ISAKMP_FLAG_E) {
2864 * encrypted, nothing we can do right now.
2865 * we hope to decrypt the packet in the future...
2867 ND_PRINT((ndo," [encrypted %s]", NPSTR(base->np)));
2871 CHECKLEN(p + 1, base->np);
2873 ext = (const struct isakmp_gen *)(p + 1);
2874 ikev1_sub_print(ndo, np, ext, ep, phase, 0, 0, 0);
2878 if (ndo->ndo_vflag) {
2879 if (ntohl(base->len) != length) {
2880 ND_PRINT((ndo," (len mismatch: isakmp %u/ip %u)",
2881 (uint32_t)ntohl(base->len), length));
2886 static const u_char *
2887 ikev2_sub0_print(netdissect_options *ndo, struct isakmp *base,
2889 const struct isakmp_gen *ext, const u_char *ep,
2890 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
2893 struct isakmp_gen e;
2896 cp = (const u_char *)ext;
2898 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2901 * Since we can't have a payload length of less than 4 bytes,
2902 * we need to bail out here if the generic header is nonsensical
2903 * or truncated, otherwise we could loop forever processing
2904 * zero-length items or otherwise misdissect the packet.
2906 item_len = ntohs(e.len);
2910 if (np == ISAKMP_NPTYPE_v2E) {
2911 cp = ikev2_e_print(ndo, base, np, ext, item_len,
2912 ep, phase, doi, proto, depth);
2913 } else if (NPFUNC(np)) {
2915 * XXX - what if item_len is too short, or too long,
2916 * for this payload type?
2918 cp = (*npfunc[np])(ndo, np, ext, item_len,
2919 ep, phase, doi, proto, depth);
2921 ND_PRINT((ndo,"%s", NPSTR(np)));
2927 ND_PRINT((ndo," [|isakmp]"));
2931 static const u_char *
2932 ikev2_sub_print(netdissect_options *ndo,
2933 struct isakmp *base,
2934 u_char np, const struct isakmp_gen *ext, const u_char *ep,
2935 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
2939 struct isakmp_gen e;
2941 cp = (const u_char *)ext;
2944 UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2946 ND_TCHECK2(*ext, ntohs(e.len));
2949 ND_PRINT((ndo,"\n"));
2950 for (i = 0; i < depth; i++)
2951 ND_PRINT((ndo," "));
2952 ND_PRINT((ndo,"("));
2953 cp = ikev2_sub0_print(ndo, base, np,
2954 ext, ep, phase, doi, proto, depth);
2955 ND_PRINT((ndo,")"));
2959 /* Zero-length subitem */
2964 ext = (const struct isakmp_gen *)cp;
2968 ND_PRINT((ndo," [|%s]", NPSTR(np)));
2973 ikev2_print(netdissect_options *ndo,
2974 const u_char *bp, u_int length,
2975 const u_char *bp2 _U_, struct isakmp *base)
2977 const struct isakmp *p;
2982 p = (const struct isakmp *)bp;
2983 ep = ndo->ndo_snapend;
2985 phase = (EXTRACT_32BITS(base->msgid) == 0) ? 1 : 2;
2987 ND_PRINT((ndo, " parent_sa"));
2989 ND_PRINT((ndo, " child_sa "));
2991 ND_PRINT((ndo, " %s", ETYPESTR(base->etype)));
2993 ND_PRINT((ndo, "[%s%s%s]",
2994 base->flags & ISAKMP_FLAG_I ? "I" : "",
2995 base->flags & ISAKMP_FLAG_V ? "V" : "",
2996 base->flags & ISAKMP_FLAG_R ? "R" : ""));
2999 if (ndo->ndo_vflag) {
3000 const struct isakmp_gen *ext;
3002 ND_PRINT((ndo, ":"));
3004 /* regardless of phase... */
3005 if (base->flags & ISAKMP_FLAG_E) {
3007 * encrypted, nothing we can do right now.
3008 * we hope to decrypt the packet in the future...
3010 ND_PRINT((ndo, " [encrypted %s]", NPSTR(base->np)));
3014 CHECKLEN(p + 1, base->np)
3017 ext = (const struct isakmp_gen *)(p + 1);
3018 ikev2_sub_print(ndo, base, np, ext, ep, phase, 0, 0, 0);
3022 if (ndo->ndo_vflag) {
3023 if (ntohl(base->len) != length) {
3024 ND_PRINT((ndo, " (len mismatch: isakmp %u/ip %u)",
3025 (uint32_t)ntohl(base->len), length));
3031 isakmp_print(netdissect_options *ndo,
3032 const u_char *bp, u_int length,
3035 const struct isakmp *p;
3040 #ifdef HAVE_LIBCRYPTO
3041 /* initialize SAs */
3042 if (ndo->ndo_sa_list_head == NULL) {
3043 if (ndo->ndo_espsecret)
3044 esp_print_decodesecret(ndo);
3048 p = (const struct isakmp *)bp;
3049 ep = ndo->ndo_snapend;
3051 if ((const struct isakmp *)ep < p + 1) {
3052 ND_PRINT((ndo,"[|isakmp]"));
3056 UNALIGNED_MEMCPY(&base, p, sizeof(base));
3058 ND_PRINT((ndo,"isakmp"));
3059 major = (base.vers & ISAKMP_VERS_MAJOR)
3060 >> ISAKMP_VERS_MAJOR_SHIFT;
3061 minor = (base.vers & ISAKMP_VERS_MINOR)
3062 >> ISAKMP_VERS_MINOR_SHIFT;
3064 if (ndo->ndo_vflag) {
3065 ND_PRINT((ndo," %d.%d", major, minor));
3068 if (ndo->ndo_vflag) {
3069 ND_PRINT((ndo," msgid "));
3070 hexprint(ndo, (const uint8_t *)&base.msgid, sizeof(base.msgid));
3073 if (1 < ndo->ndo_vflag) {
3074 ND_PRINT((ndo," cookie "));
3075 hexprint(ndo, (const uint8_t *)&base.i_ck, sizeof(base.i_ck));
3076 ND_PRINT((ndo,"->"));
3077 hexprint(ndo, (const uint8_t *)&base.r_ck, sizeof(base.r_ck));
3079 ND_PRINT((ndo,":"));
3082 case IKEv1_MAJOR_VERSION:
3083 ikev1_print(ndo, bp, length, bp2, &base);
3086 case IKEv2_MAJOR_VERSION:
3087 ikev2_print(ndo, bp, length, bp2, &base);
3093 isakmp_rfc3948_print(netdissect_options *ndo,
3094 const u_char *bp, u_int length,
3098 if(length == 1 && bp[0]==0xff) {
3099 ND_PRINT((ndo, "isakmp-nat-keep-alive"));
3109 * see if this is an IKE packet
3111 if(bp[0]==0 && bp[1]==0 && bp[2]==0 && bp[3]==0) {
3112 ND_PRINT((ndo, "NONESP-encap: "));
3113 isakmp_print(ndo, bp+4, length-4, bp2);
3117 /* must be an ESP packet */
3119 int nh, enh, padlen;
3122 ND_PRINT((ndo, "UDP-encap: "));
3124 advance = esp_print(ndo, bp, length, bp2, &enh, &padlen);
3129 length -= advance + padlen;
3132 ip_print_inner(ndo, bp, length, nh, bp2);
3137 ND_PRINT((ndo,"[|isakmp]"));
3143 * c-style: whitesmith
projects / dragonfly.git / blob