• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
3  * All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  *    notice, this list of conditions and the following disclaimer in the
12  *    documentation and/or other materials provided with the distribution.
13  * 3. Neither the name of the project nor the names of its contributors
14  *    may be used to endorse or promote products derived from this software
15  *    without specific prior written permission.
16  *
17  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
18  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20  * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
21  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27  * SUCH DAMAGE.
28  *
29  */
30 
31 /* \summary: Internet Security Association and Key Management Protocol (ISAKMP) printer */
32 
33 #ifdef HAVE_CONFIG_H
34 #include "config.h"
35 #endif
36 
37 /* The functions from print-esp.c used in this file are only defined when both
38  * OpenSSL and evp.h are detected. Employ the same preprocessor device here.
39  */
40 #ifndef HAVE_OPENSSL_EVP_H
41 #undef HAVE_LIBCRYPTO
42 #endif
43 
44 #include <netdissect-stdinc.h>
45 
46 #include <string.h>
47 
48 #include "netdissect.h"
49 #include "addrtoname.h"
50 #include "extract.h"
51 
52 #include "ip.h"
53 #include "ip6.h"
54 
55 /* refer to RFC 2408 */
56 
57 typedef u_char cookie_t[8];
58 typedef u_char msgid_t[4];
59 
60 #define PORT_ISAKMP 500
61 
62 /* 3.1 ISAKMP Header Format (IKEv1 and IKEv2)
63          0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
64         +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
65         !                          Initiator                            !
66         !                            Cookie                             !
67         +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
68         !                          Responder                            !
69         !                            Cookie                             !
70         +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
71         !  Next Payload ! MjVer ! MnVer ! Exchange Type !     Flags     !
72         +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
73         !                          Message ID                           !
74         +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
75         !                            Length                             !
76         +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
77 */
78 struct isakmp {
79 	cookie_t i_ck;		/* Initiator Cookie */
80 	cookie_t r_ck;		/* Responder Cookie */
81 	uint8_t np;		/* Next Payload Type */
82 	uint8_t vers;
83 #define ISAKMP_VERS_MAJOR	0xf0
84 #define ISAKMP_VERS_MAJOR_SHIFT	4
85 #define ISAKMP_VERS_MINOR	0x0f
86 #define ISAKMP_VERS_MINOR_SHIFT	0
87 	uint8_t etype;		/* Exchange Type */
88 	uint8_t flags;		/* Flags */
89 	msgid_t msgid;
90 	uint32_t len;		/* Length */
91 };
92 
93 /* Next Payload Type */
94 #define ISAKMP_NPTYPE_NONE   0 /* NONE*/
95 #define ISAKMP_NPTYPE_SA     1 /* Security Association */
96 #define ISAKMP_NPTYPE_P      2 /* Proposal */
97 #define ISAKMP_NPTYPE_T      3 /* Transform */
98 #define ISAKMP_NPTYPE_KE     4 /* Key Exchange */
99 #define ISAKMP_NPTYPE_ID     5 /* Identification */
100 #define ISAKMP_NPTYPE_CERT   6 /* Certificate */
101 #define ISAKMP_NPTYPE_CR     7 /* Certificate Request */
102 #define ISAKMP_NPTYPE_HASH   8 /* Hash */
103 #define ISAKMP_NPTYPE_SIG    9 /* Signature */
104 #define ISAKMP_NPTYPE_NONCE 10 /* Nonce */
105 #define ISAKMP_NPTYPE_N     11 /* Notification */
106 #define ISAKMP_NPTYPE_D     12 /* Delete */
107 #define ISAKMP_NPTYPE_VID   13 /* Vendor ID */
108 #define ISAKMP_NPTYPE_v2E   46 /* v2 Encrypted payload */
109 
110 #define IKEv1_MAJOR_VERSION  1
111 #define IKEv1_MINOR_VERSION  0
112 
113 #define IKEv2_MAJOR_VERSION  2
114 #define IKEv2_MINOR_VERSION  0
115 
116 /* Flags */
117 #define ISAKMP_FLAG_E 0x01 /* Encryption Bit */
118 #define ISAKMP_FLAG_C 0x02 /* Commit Bit */
119 #define ISAKMP_FLAG_extra 0x04
120 
121 /* IKEv2 */
122 #define ISAKMP_FLAG_I (1 << 3)  /* (I)nitiator */
123 #define ISAKMP_FLAG_V (1 << 4)  /* (V)ersion   */
124 #define ISAKMP_FLAG_R (1 << 5)  /* (R)esponse  */
125 
126 
127 /* 3.2 Payload Generic Header
128          0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
129         +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
130         ! Next Payload  !   RESERVED    !         Payload Length        !
131         +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
132 */
133 struct isakmp_gen {
134 	uint8_t  np;       /* Next Payload */
135 	uint8_t  critical; /* bit 7 - critical, rest is RESERVED */
136 	uint16_t len;      /* Payload Length */
137 };
138 
139 /* 3.3 Data Attributes
140          0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
141         +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
142         !A!       Attribute Type        !    AF=0  Attribute Length     !
143         !F!                             !    AF=1  Attribute Value      !
144         +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
145         .                   AF=0  Attribute Value                       .
146         .                   AF=1  Not Transmitted                       .
147         +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
148 */
149 struct isakmp_data {
150 	uint16_t type;     /* defined by DOI-spec, and Attribute Format */
151 	uint16_t lorv;     /* if f equal 1, Attribute Length */
152 	                  /* if f equal 0, Attribute Value */
153 	/* if f equal 1, Attribute Value */
154 };
155 
156 /* 3.4 Security Association Payload */
157 	/* MAY NOT be used, because of being defined in ipsec-doi. */
158 	/*
159 	If the current payload is the last in the message,
160 	then the value of the next payload field will be 0.
161 	This field MUST NOT contain the
162 	values for the Proposal or Transform payloads as they are considered
163 	part of the security association negotiation.  For example, this
164 	field would contain the value "10" (Nonce payload) in the first
165 	message of a Base Exchange (see Section 4.4) and the value "0" in the
166 	first message of an Identity Protect Exchange (see Section 4.5).
167 	*/
168 struct ikev1_pl_sa {
169 	struct isakmp_gen h;
170 	uint32_t doi; /* Domain of Interpretation */
171 	uint32_t sit; /* Situation */
172 };
173 
174 /* 3.5 Proposal Payload */
175 	/*
176 	The value of the next payload field MUST only contain the value "2"
177 	or "0".  If there are additional Proposal payloads in the message,
178 	then this field will be 2.  If the current Proposal payload is the
179 	last within the security association proposal, then this field will
180 	be 0.
181 	*/
182 struct ikev1_pl_p {
183 	struct isakmp_gen h;
184 	uint8_t p_no;      /* Proposal # */
185 	uint8_t prot_id;   /* Protocol */
186 	uint8_t spi_size;  /* SPI Size */
187 	uint8_t num_t;     /* Number of Transforms */
188 	/* SPI */
189 };
190 
191 /* 3.6 Transform Payload */
192 	/*
193 	The value of the next payload field MUST only contain the value "3"
194 	or "0".  If there are additional Transform payloads in the proposal,
195 	then this field will be 3.  If the current Transform payload is the
196 	last within the proposal, then this field will be 0.
197 	*/
198 struct ikev1_pl_t {
199 	struct isakmp_gen h;
200 	uint8_t  t_no;     /* Transform # */
201 	uint8_t  t_id;     /* Transform-Id */
202 	uint16_t reserved; /* RESERVED2 */
203 	/* SA Attributes */
204 };
205 
206 /* 3.7 Key Exchange Payload */
207 struct ikev1_pl_ke {
208 	struct isakmp_gen h;
209 	/* Key Exchange Data */
210 };
211 
212 /* 3.8 Identification Payload */
213 	/* MUST NOT to be used, because of being defined in ipsec-doi. */
214 struct ikev1_pl_id {
215 	struct isakmp_gen h;
216 	union {
217 		uint8_t  id_type;   /* ID Type */
218 		uint32_t doi_data;  /* DOI Specific ID Data */
219 	} d;
220 	/* Identification Data */
221 };
222 
223 /* 3.9 Certificate Payload */
224 struct ikev1_pl_cert {
225 	struct isakmp_gen h;
226 	uint8_t encode; /* Cert Encoding */
227 	char   cert;   /* Certificate Data */
228 		/*
229 		This field indicates the type of
230 		certificate or certificate-related information contained in the
231 		Certificate Data field.
232 		*/
233 };
234 
235 /* 3.10 Certificate Request Payload */
236 struct ikev1_pl_cr {
237 	struct isakmp_gen h;
238 	uint8_t num_cert; /* # Cert. Types */
239 	/*
240 	Certificate Types (variable length)
241 	  -- Contains a list of the types of certificates requested,
242 	  sorted in order of preference.  Each individual certificate
243 	  type is 1 octet.  This field is NOT requiredo
244 	*/
245 	/* # Certificate Authorities (1 octet) */
246 	/* Certificate Authorities (variable length) */
247 };
248 
249 /* 3.11 Hash Payload */
250 	/* may not be used, because of having only data. */
251 struct ikev1_pl_hash {
252 	struct isakmp_gen h;
253 	/* Hash Data */
254 };
255 
256 /* 3.12 Signature Payload */
257 	/* may not be used, because of having only data. */
258 struct ikev1_pl_sig {
259 	struct isakmp_gen h;
260 	/* Signature Data */
261 };
262 
263 /* 3.13 Nonce Payload */
264 	/* may not be used, because of having only data. */
265 struct ikev1_pl_nonce {
266 	struct isakmp_gen h;
267 	/* Nonce Data */
268 };
269 
270 /* 3.14 Notification Payload */
271 struct ikev1_pl_n {
272 	struct isakmp_gen h;
273 	uint32_t doi;      /* Domain of Interpretation */
274 	uint8_t  prot_id;  /* Protocol-ID */
275 	uint8_t  spi_size; /* SPI Size */
276 	uint16_t type;     /* Notify Message Type */
277 	/* SPI */
278 	/* Notification Data */
279 };
280 
281 /* 3.14.1 Notify Message Types */
282 /* NOTIFY MESSAGES - ERROR TYPES */
283 #define ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE           1
284 #define ISAKMP_NTYPE_DOI_NOT_SUPPORTED              2
285 #define ISAKMP_NTYPE_SITUATION_NOT_SUPPORTED        3
286 #define ISAKMP_NTYPE_INVALID_COOKIE                 4
287 #define ISAKMP_NTYPE_INVALID_MAJOR_VERSION          5
288 #define ISAKMP_NTYPE_INVALID_MINOR_VERSION          6
289 #define ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE          7
290 #define ISAKMP_NTYPE_INVALID_FLAGS                  8
291 #define ISAKMP_NTYPE_INVALID_MESSAGE_ID             9
292 #define ISAKMP_NTYPE_INVALID_PROTOCOL_ID            10
293 #define ISAKMP_NTYPE_INVALID_SPI                    11
294 #define ISAKMP_NTYPE_INVALID_TRANSFORM_ID           12
295 #define ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED       13
296 #define ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN             14
297 #define ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX            15
298 #define ISAKMP_NTYPE_PAYLOAD_MALFORMED              16
299 #define ISAKMP_NTYPE_INVALID_KEY_INFORMATION        17
300 #define ISAKMP_NTYPE_INVALID_ID_INFORMATION         18
301 #define ISAKMP_NTYPE_INVALID_CERT_ENCODING          19
302 #define ISAKMP_NTYPE_INVALID_CERTIFICATE            20
303 #define ISAKMP_NTYPE_BAD_CERT_REQUEST_SYNTAX        21
304 #define ISAKMP_NTYPE_INVALID_CERT_AUTHORITY         22
305 #define ISAKMP_NTYPE_INVALID_HASH_INFORMATION       23
306 #define ISAKMP_NTYPE_AUTHENTICATION_FAILED          24
307 #define ISAKMP_NTYPE_INVALID_SIGNATURE              25
308 #define ISAKMP_NTYPE_ADDRESS_NOTIFICATION           26
309 
310 /* 3.15 Delete Payload */
311 struct ikev1_pl_d {
312 	struct isakmp_gen h;
313 	uint32_t doi;      /* Domain of Interpretation */
314 	uint8_t  prot_id;  /* Protocol-Id */
315 	uint8_t  spi_size; /* SPI Size */
316 	uint16_t num_spi;  /* # of SPIs */
317 	/* SPI(es) */
318 };
319 
320 struct ikev1_ph1tab {
321 	struct ikev1_ph1 *head;
322 	struct ikev1_ph1 *tail;
323 	int len;
324 };
325 
326 struct isakmp_ph2tab {
327 	struct ikev1_ph2 *head;
328 	struct ikev1_ph2 *tail;
329 	int len;
330 };
331 
332 /* IKEv2 (RFC4306) */
333 
334 /* 3.3  Security Association Payload -- generic header */
335 /* 3.3.1.  Proposal Substructure */
336 struct ikev2_p {
337 	struct isakmp_gen h;
338 	uint8_t p_no;      /* Proposal # */
339 	uint8_t prot_id;   /* Protocol */
340 	uint8_t spi_size;  /* SPI Size */
341 	uint8_t num_t;     /* Number of Transforms */
342 };
343 
344 /* 3.3.2.  Transform Substructure */
345 struct ikev2_t {
346 	struct isakmp_gen h;
347 	uint8_t t_type;    /* Transform Type (ENCR,PRF,INTEG,etc.*/
348 	uint8_t res2;      /* reserved byte */
349 	uint16_t t_id;     /* Transform ID */
350 };
351 
352 enum ikev2_t_type {
353 	IV2_T_ENCR = 1,
354 	IV2_T_PRF  = 2,
355 	IV2_T_INTEG= 3,
356 	IV2_T_DH   = 4,
357 	IV2_T_ESN  = 5
358 };
359 
360 /* 3.4.  Key Exchange Payload */
361 struct ikev2_ke {
362 	struct isakmp_gen h;
363 	uint16_t  ke_group;
364 	uint16_t  ke_res1;
365 	/* KE data */
366 };
367 
368 
369 /* 3.5.  Identification Payloads */
370 enum ikev2_id_type {
371 	ID_IPV4_ADDR=1,
372 	ID_FQDN=2,
373 	ID_RFC822_ADDR=3,
374 	ID_IPV6_ADDR=5,
375 	ID_DER_ASN1_DN=9,
376 	ID_DER_ASN1_GN=10,
377 	ID_KEY_ID=11
378 };
379 struct ikev2_id {
380 	struct isakmp_gen h;
381 	uint8_t  type;        /* ID type */
382 	uint8_t  res1;
383 	uint16_t res2;
384 	/* SPI */
385 	/* Notification Data */
386 };
387 
388 /* 3.10 Notification Payload */
389 struct ikev2_n {
390 	struct isakmp_gen h;
391 	uint8_t  prot_id;  /* Protocol-ID */
392 	uint8_t  spi_size; /* SPI Size */
393 	uint16_t type;     /* Notify Message Type */
394 };
395 
396 enum ikev2_n_type {
397 	IV2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD            = 1,
398 	IV2_NOTIFY_INVALID_IKE_SPI                         = 4,
399 	IV2_NOTIFY_INVALID_MAJOR_VERSION                   = 5,
400 	IV2_NOTIFY_INVALID_SYNTAX                          = 7,
401 	IV2_NOTIFY_INVALID_MESSAGE_ID                      = 9,
402 	IV2_NOTIFY_INVALID_SPI                             =11,
403 	IV2_NOTIFY_NO_PROPOSAL_CHOSEN                      =14,
404 	IV2_NOTIFY_INVALID_KE_PAYLOAD                      =17,
405 	IV2_NOTIFY_AUTHENTICATION_FAILED                   =24,
406 	IV2_NOTIFY_SINGLE_PAIR_REQUIRED                    =34,
407 	IV2_NOTIFY_NO_ADDITIONAL_SAS                       =35,
408 	IV2_NOTIFY_INTERNAL_ADDRESS_FAILURE                =36,
409 	IV2_NOTIFY_FAILED_CP_REQUIRED                      =37,
410 	IV2_NOTIFY_INVALID_SELECTORS                       =39,
411 	IV2_NOTIFY_INITIAL_CONTACT                         =16384,
412 	IV2_NOTIFY_SET_WINDOW_SIZE                         =16385,
413 	IV2_NOTIFY_ADDITIONAL_TS_POSSIBLE                  =16386,
414 	IV2_NOTIFY_IPCOMP_SUPPORTED                        =16387,
415 	IV2_NOTIFY_NAT_DETECTION_SOURCE_IP                 =16388,
416 	IV2_NOTIFY_NAT_DETECTION_DESTINATION_IP            =16389,
417 	IV2_NOTIFY_COOKIE                                  =16390,
418 	IV2_NOTIFY_USE_TRANSPORT_MODE                      =16391,
419 	IV2_NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED              =16392,
420 	IV2_NOTIFY_REKEY_SA                                =16393,
421 	IV2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED           =16394,
422 	IV2_NOTIFY_NON_FIRST_FRAGMENTS_ALSO                =16395
423 };
424 
425 struct notify_messages {
426 	uint16_t type;
427 	char     *msg;
428 };
429 
430 /* 3.8 Notification Payload */
431 struct ikev2_auth {
432 	struct isakmp_gen h;
433 	uint8_t  auth_method;  /* Protocol-ID */
434 	uint8_t  reserved[3];
435 	/* authentication data */
436 };
437 
438 enum ikev2_auth_type {
439 	IV2_RSA_SIG = 1,
440 	IV2_SHARED  = 2,
441 	IV2_DSS_SIG = 3
442 };
443 
444 /* refer to RFC 2409 */
445 
446 #if 0
447 /* isakmp sa structure */
448 struct oakley_sa {
449 	uint8_t  proto_id;            /* OAKLEY */
450 	vchar_t   *spi;                /* spi */
451 	uint8_t  dhgrp;               /* DH; group */
452 	uint8_t  auth_t;              /* method of authentication */
453 	uint8_t  prf_t;               /* type of prf */
454 	uint8_t  hash_t;              /* type of hash */
455 	uint8_t  enc_t;               /* type of cipher */
456 	uint8_t  life_t;              /* type of duration of lifetime */
457 	uint32_t ldur;                /* life duration */
458 };
459 #endif
460 
461 /* refer to RFC 2407 */
462 
463 #define IPSEC_DOI 1
464 
465 /* 4.2 IPSEC Situation Definition */
466 #define IPSECDOI_SIT_IDENTITY_ONLY           0x00000001
467 #define IPSECDOI_SIT_SECRECY                 0x00000002
468 #define IPSECDOI_SIT_INTEGRITY               0x00000004
469 
470 /* 4.4.1 IPSEC Security Protocol Identifiers */
471   /* 4.4.2 IPSEC ISAKMP Transform Values */
472 #define IPSECDOI_PROTO_ISAKMP                        1
473 #define   IPSECDOI_KEY_IKE                             1
474 
475 /* 4.4.1 IPSEC Security Protocol Identifiers */
476 #define IPSECDOI_PROTO_IPSEC_AH                      2
477   /* 4.4.3 IPSEC AH Transform Values */
478 #define   IPSECDOI_AH_MD5                              2
479 #define   IPSECDOI_AH_SHA                              3
480 #define   IPSECDOI_AH_DES                              4
481 #define   IPSECDOI_AH_SHA2_256                         5
482 #define   IPSECDOI_AH_SHA2_384                         6
483 #define   IPSECDOI_AH_SHA2_512                         7
484 
485 /* 4.4.1 IPSEC Security Protocol Identifiers */
486 #define IPSECDOI_PROTO_IPSEC_ESP                     3
487   /* 4.4.4 IPSEC ESP Transform Identifiers */
488 #define   IPSECDOI_ESP_DES_IV64                        1
489 #define   IPSECDOI_ESP_DES                             2
490 #define   IPSECDOI_ESP_3DES                            3
491 #define   IPSECDOI_ESP_RC5                             4
492 #define   IPSECDOI_ESP_IDEA                            5
493 #define   IPSECDOI_ESP_CAST                            6
494 #define   IPSECDOI_ESP_BLOWFISH                        7
495 #define   IPSECDOI_ESP_3IDEA                           8
496 #define   IPSECDOI_ESP_DES_IV32                        9
497 #define   IPSECDOI_ESP_RC4                            10
498 #define   IPSECDOI_ESP_NULL                           11
499 #define   IPSECDOI_ESP_RIJNDAEL				12
500 #define   IPSECDOI_ESP_AES				12
501 
502 /* 4.4.1 IPSEC Security Protocol Identifiers */
503 #define IPSECDOI_PROTO_IPCOMP                        4
504   /* 4.4.5 IPSEC IPCOMP Transform Identifiers */
505 #define   IPSECDOI_IPCOMP_OUI                          1
506 #define   IPSECDOI_IPCOMP_DEFLATE                      2
507 #define   IPSECDOI_IPCOMP_LZS                          3
508 
509 /* 4.5 IPSEC Security Association Attributes */
510 #define IPSECDOI_ATTR_SA_LTYPE                1 /* B */
511 #define   IPSECDOI_ATTR_SA_LTYPE_DEFAULT        1
512 #define   IPSECDOI_ATTR_SA_LTYPE_SEC            1
513 #define   IPSECDOI_ATTR_SA_LTYPE_KB             2
514 #define IPSECDOI_ATTR_SA_LDUR                 2 /* V */
515 #define   IPSECDOI_ATTR_SA_LDUR_DEFAULT         28800 /* 8 hours */
516 #define IPSECDOI_ATTR_GRP_DESC                3 /* B */
517 #define IPSECDOI_ATTR_ENC_MODE                4 /* B */
518 	/* default value: host dependent */
519 #define   IPSECDOI_ATTR_ENC_MODE_TUNNEL         1
520 #define   IPSECDOI_ATTR_ENC_MODE_TRNS           2
521 #define IPSECDOI_ATTR_AUTH                    5 /* B */
522 	/* 0 means not to use authentication. */
523 #define   IPSECDOI_ATTR_AUTH_HMAC_MD5           1
524 #define   IPSECDOI_ATTR_AUTH_HMAC_SHA1          2
525 #define   IPSECDOI_ATTR_AUTH_DES_MAC            3
526 #define   IPSECDOI_ATTR_AUTH_KPDK               4 /*RFC-1826(Key/Pad/Data/Key)*/
527 	/*
528 	 * When negotiating ESP without authentication, the Auth
529 	 * Algorithm attribute MUST NOT be included in the proposal.
530 	 * When negotiating ESP without confidentiality, the Auth
531 	 * Algorithm attribute MUST be included in the proposal and
532 	 * the ESP transform ID must be ESP_NULL.
533 	*/
534 #define IPSECDOI_ATTR_KEY_LENGTH              6 /* B */
535 #define IPSECDOI_ATTR_KEY_ROUNDS              7 /* B */
536 #define IPSECDOI_ATTR_COMP_DICT_SIZE          8 /* B */
537 #define IPSECDOI_ATTR_COMP_PRIVALG            9 /* V */
538 
539 /* 4.6.1 Security Association Payload */
540 struct ipsecdoi_sa {
541 	struct isakmp_gen h;
542 	uint32_t doi; /* Domain of Interpretation */
543 	uint32_t sit; /* Situation */
544 };
545 
546 struct ipsecdoi_secrecy_h {
547 	uint16_t len;
548 	uint16_t reserved;
549 };
550 
551 /* 4.6.2.1 Identification Type Values */
552 struct ipsecdoi_id {
553 	struct isakmp_gen h;
554 	uint8_t  type;		/* ID Type */
555 	uint8_t  proto_id;	/* Protocol ID */
556 	uint16_t port;		/* Port */
557 	/* Identification Data */
558 };
559 
560 #define IPSECDOI_ID_IPV4_ADDR                        1
561 #define IPSECDOI_ID_FQDN                             2
562 #define IPSECDOI_ID_USER_FQDN                        3
563 #define IPSECDOI_ID_IPV4_ADDR_SUBNET                 4
564 #define IPSECDOI_ID_IPV6_ADDR                        5
565 #define IPSECDOI_ID_IPV6_ADDR_SUBNET                 6
566 #define IPSECDOI_ID_IPV4_ADDR_RANGE                  7
567 #define IPSECDOI_ID_IPV6_ADDR_RANGE                  8
568 #define IPSECDOI_ID_DER_ASN1_DN                      9
569 #define IPSECDOI_ID_DER_ASN1_GN                      10
570 #define IPSECDOI_ID_KEY_ID                           11
571 
572 /* 4.6.3 IPSEC DOI Notify Message Types */
573 /* Notify Messages - Status Types */
574 #define IPSECDOI_NTYPE_RESPONDER_LIFETIME                  24576
575 #define IPSECDOI_NTYPE_REPLAY_STATUS                       24577
576 #define IPSECDOI_NTYPE_INITIAL_CONTACT                     24578
577 
578 #define DECLARE_PRINTER(func) static const u_char *ike##func##_print( \
579 		netdissect_options *ndo, u_char tpay,	              \
580 		const struct isakmp_gen *ext,			      \
581 		u_int item_len, \
582 		const u_char *end_pointer, \
583 		uint32_t phase,\
584 		uint32_t doi0, \
585 		uint32_t proto0, int depth)
586 
587 DECLARE_PRINTER(v1_sa);
588 DECLARE_PRINTER(v1_p);
589 DECLARE_PRINTER(v1_t);
590 DECLARE_PRINTER(v1_ke);
591 DECLARE_PRINTER(v1_id);
592 DECLARE_PRINTER(v1_cert);
593 DECLARE_PRINTER(v1_cr);
594 DECLARE_PRINTER(v1_sig);
595 DECLARE_PRINTER(v1_hash);
596 DECLARE_PRINTER(v1_nonce);
597 DECLARE_PRINTER(v1_n);
598 DECLARE_PRINTER(v1_d);
599 DECLARE_PRINTER(v1_vid);
600 
601 DECLARE_PRINTER(v2_sa);
602 DECLARE_PRINTER(v2_ke);
603 DECLARE_PRINTER(v2_ID);
604 DECLARE_PRINTER(v2_cert);
605 DECLARE_PRINTER(v2_cr);
606 DECLARE_PRINTER(v2_auth);
607 DECLARE_PRINTER(v2_nonce);
608 DECLARE_PRINTER(v2_n);
609 DECLARE_PRINTER(v2_d);
610 DECLARE_PRINTER(v2_vid);
611 DECLARE_PRINTER(v2_TS);
612 DECLARE_PRINTER(v2_cp);
613 DECLARE_PRINTER(v2_eap);
614 
615 static const u_char *ikev2_e_print(netdissect_options *ndo,
616 				   struct isakmp *base,
617 				   u_char tpay,
618 				   const struct isakmp_gen *ext,
619 				   u_int item_len,
620 				   const u_char *end_pointer,
621 				   uint32_t phase,
622 				   uint32_t doi0,
623 				   uint32_t proto0, int depth);
624 
625 
626 static const u_char *ike_sub0_print(netdissect_options *ndo,u_char, const struct isakmp_gen *,
627 	const u_char *,	uint32_t, uint32_t, uint32_t, int);
628 static const u_char *ikev1_sub_print(netdissect_options *ndo,u_char, const struct isakmp_gen *,
629 	const u_char *, uint32_t, uint32_t, uint32_t, int);
630 
631 static const u_char *ikev2_sub_print(netdissect_options *ndo,
632 				     struct isakmp *base,
633 				     u_char np, const struct isakmp_gen *ext,
634 				     const u_char *ep, uint32_t phase,
635 				     uint32_t doi, uint32_t proto,
636 				     int depth);
637 
638 
639 static char *numstr(int);
640 
641 static void
642 ikev1_print(netdissect_options *ndo,
643 	    const u_char *bp,  u_int length,
644 	    const u_char *bp2, struct isakmp *base);
645 
646 #define MAXINITIATORS	20
647 static int ninitiator = 0;
648 union inaddr_u {
649 	struct in_addr in4;
650 	struct in6_addr in6;
651 };
652 static struct {
653 	cookie_t initiator;
654 	u_int version;
655 	union inaddr_u iaddr;
656 	union inaddr_u raddr;
657 } cookiecache[MAXINITIATORS];
658 
659 /* protocol id */
660 static const char *protoidstr[] = {
661 	NULL, "isakmp", "ipsec-ah", "ipsec-esp", "ipcomp",
662 };
663 
664 /* isakmp->np */
665 static const char *npstr[] = {
666 	"none", "sa", "p", "t", "ke", "id", "cert", "cr", "hash", /* 0 - 8 */
667 	"sig", "nonce", "n", "d", "vid",      /* 9 - 13 */
668 	"pay14", "pay15", "pay16", "pay17", "pay18", /* 14- 18 */
669 	"pay19", "pay20", "pay21", "pay22", "pay23", /* 19- 23 */
670 	"pay24", "pay25", "pay26", "pay27", "pay28", /* 24- 28 */
671 	"pay29", "pay30", "pay31", "pay32",          /* 29- 32 */
672 	"v2sa",  "v2ke",  "v2IDi", "v2IDr", "v2cert",/* 33- 37 */
673 	"v2cr",  "v2auth","v2nonce", "v2n",   "v2d",   /* 38- 42 */
674 	"v2vid", "v2TSi", "v2TSr", "v2e",   "v2cp",  /* 43- 47 */
675 	"v2eap",                                     /* 48 */
676 
677 };
678 
679 /* isakmp->np */
680 static const u_char *(*npfunc[])(netdissect_options *ndo, u_char tpay,
681 				 const struct isakmp_gen *ext,
682 				 u_int item_len,
683 				 const u_char *end_pointer,
684 				 uint32_t phase,
685 				 uint32_t doi0,
686 				 uint32_t proto0, int depth) = {
687 	NULL,
688 	ikev1_sa_print,
689 	ikev1_p_print,
690 	ikev1_t_print,
691 	ikev1_ke_print,
692 	ikev1_id_print,
693 	ikev1_cert_print,
694 	ikev1_cr_print,
695 	ikev1_hash_print,
696 	ikev1_sig_print,
697 	ikev1_nonce_print,
698 	ikev1_n_print,
699 	ikev1_d_print,
700 	ikev1_vid_print,                  /* 13 */
701 	NULL, NULL, NULL, NULL, NULL,     /* 14- 18 */
702 	NULL, NULL, NULL, NULL, NULL,     /* 19- 23 */
703 	NULL, NULL, NULL, NULL, NULL,     /* 24- 28 */
704 	NULL, NULL, NULL, NULL,           /* 29- 32 */
705 	ikev2_sa_print,                 /* 33 */
706 	ikev2_ke_print,                 /* 34 */
707 	ikev2_ID_print,                 /* 35 */
708 	ikev2_ID_print,                 /* 36 */
709 	ikev2_cert_print,               /* 37 */
710 	ikev2_cr_print,                 /* 38 */
711 	ikev2_auth_print,               /* 39 */
712 	ikev2_nonce_print,              /* 40 */
713 	ikev2_n_print,                  /* 41 */
714 	ikev2_d_print,                  /* 42 */
715 	ikev2_vid_print,                /* 43 */
716 	ikev2_TS_print,                 /* 44 */
717 	ikev2_TS_print,                 /* 45 */
718 	NULL, /* ikev2_e_print,*/       /* 46 - special */
719 	ikev2_cp_print,                 /* 47 */
720 	ikev2_eap_print,                /* 48 */
721 };
722 
723 /* isakmp->etype */
724 static const char *etypestr[] = {
725 /* IKEv1 exchange types */
726 	"none", "base", "ident", "auth", "agg", "inf", NULL, NULL,  /* 0-7 */
727 	NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,  /*  8-15 */
728 	NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,  /* 16-23 */
729 	NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,  /* 24-31 */
730 	"oakley-quick", "oakley-newgroup",               /* 32-33 */
731 /* IKEv2 exchange types */
732 	"ikev2_init", "ikev2_auth", "child_sa", "inf2"   /* 34-37 */
733 };
734 
735 #define STR_OR_ID(x, tab) \
736 	(((x) < sizeof(tab)/sizeof(tab[0]) && tab[(x)])	? tab[(x)] : numstr(x))
737 #define PROTOIDSTR(x)	STR_OR_ID(x, protoidstr)
738 #define NPSTR(x)	STR_OR_ID(x, npstr)
739 #define ETYPESTR(x)	STR_OR_ID(x, etypestr)
740 
741 #define CHECKLEN(p, np)							\
742 		if (ep < (const u_char *)(p)) {				\
743 			ND_PRINT((ndo," [|%s]", NPSTR(np)));		\
744 			goto done;					\
745 		}
746 
747 
748 #define NPFUNC(x) \
749 	(((x) < sizeof(npfunc)/sizeof(npfunc[0]) && npfunc[(x)]) \
750 		? npfunc[(x)] : NULL)
751 
752 static int
iszero(const u_char * p,size_t l)753 iszero(const u_char *p, size_t l)
754 {
755 	while (l--) {
756 		if (*p++)
757 			return 0;
758 	}
759 	return 1;
760 }
761 
762 /* find cookie from initiator cache */
763 static int
cookie_find(cookie_t * in)764 cookie_find(cookie_t *in)
765 {
766 	int i;
767 
768 	for (i = 0; i < MAXINITIATORS; i++) {
769 		if (memcmp(in, &cookiecache[i].initiator, sizeof(*in)) == 0)
770 			return i;
771 	}
772 
773 	return -1;
774 }
775 
776 /* record initiator */
777 static void
cookie_record(cookie_t * in,const u_char * bp2)778 cookie_record(cookie_t *in, const u_char *bp2)
779 {
780 	int i;
781 	const struct ip *ip;
782 	const struct ip6_hdr *ip6;
783 
784 	i = cookie_find(in);
785 	if (0 <= i) {
786 		ninitiator = (i + 1) % MAXINITIATORS;
787 		return;
788 	}
789 
790 	ip = (const struct ip *)bp2;
791 	switch (IP_V(ip)) {
792 	case 4:
793 		cookiecache[ninitiator].version = 4;
794 		UNALIGNED_MEMCPY(&cookiecache[ninitiator].iaddr.in4, &ip->ip_src, sizeof(struct in_addr));
795 		UNALIGNED_MEMCPY(&cookiecache[ninitiator].raddr.in4, &ip->ip_dst, sizeof(struct in_addr));
796 		break;
797 	case 6:
798 		ip6 = (const struct ip6_hdr *)bp2;
799 		cookiecache[ninitiator].version = 6;
800 		UNALIGNED_MEMCPY(&cookiecache[ninitiator].iaddr.in6, &ip6->ip6_src, sizeof(struct in6_addr));
801 		UNALIGNED_MEMCPY(&cookiecache[ninitiator].raddr.in6, &ip6->ip6_dst, sizeof(struct in6_addr));
802 		break;
803 	default:
804 		return;
805 	}
806 	UNALIGNED_MEMCPY(&cookiecache[ninitiator].initiator, in, sizeof(*in));
807 	ninitiator = (ninitiator + 1) % MAXINITIATORS;
808 }
809 
810 #define cookie_isinitiator(x, y)	cookie_sidecheck((x), (y), 1)
811 #define cookie_isresponder(x, y)	cookie_sidecheck((x), (y), 0)
812 static int
cookie_sidecheck(int i,const u_char * bp2,int initiator)813 cookie_sidecheck(int i, const u_char *bp2, int initiator)
814 {
815 	const struct ip *ip;
816 	const struct ip6_hdr *ip6;
817 
818 	ip = (const struct ip *)bp2;
819 	switch (IP_V(ip)) {
820 	case 4:
821 		if (cookiecache[i].version != 4)
822 			return 0;
823 		if (initiator) {
824 			if (UNALIGNED_MEMCMP(&ip->ip_src, &cookiecache[i].iaddr.in4, sizeof(struct in_addr)) == 0)
825 				return 1;
826 		} else {
827 			if (UNALIGNED_MEMCMP(&ip->ip_src, &cookiecache[i].raddr.in4, sizeof(struct in_addr)) == 0)
828 				return 1;
829 		}
830 		break;
831 	case 6:
832 		if (cookiecache[i].version != 6)
833 			return 0;
834 		ip6 = (const struct ip6_hdr *)bp2;
835 		if (initiator) {
836 			if (UNALIGNED_MEMCMP(&ip6->ip6_src, &cookiecache[i].iaddr.in6, sizeof(struct in6_addr)) == 0)
837 				return 1;
838 		} else {
839 			if (UNALIGNED_MEMCMP(&ip6->ip6_src, &cookiecache[i].raddr.in6, sizeof(struct in6_addr)) == 0)
840 				return 1;
841 		}
842 		break;
843 	default:
844 		break;
845 	}
846 
847 	return 0;
848 }
849 
850 static void
hexprint(netdissect_options * ndo,const uint8_t * loc,size_t len)851 hexprint(netdissect_options *ndo, const uint8_t *loc, size_t len)
852 {
853 	const uint8_t *p;
854 	size_t i;
855 
856 	p = loc;
857 	for (i = 0; i < len; i++)
858 		ND_PRINT((ndo,"%02x", p[i] & 0xff));
859 }
860 
861 static int
rawprint(netdissect_options * ndo,const uint8_t * loc,size_t len)862 rawprint(netdissect_options *ndo, const uint8_t *loc, size_t len)
863 {
864 	ND_TCHECK2(*loc, len);
865 
866 	hexprint(ndo, loc, len);
867 	return 1;
868 trunc:
869 	return 0;
870 }
871 
872 
873 /*
874  * returns false if we run out of data buffer
875  */
ike_show_somedata(netdissect_options * ndo,const u_char * cp,const u_char * ep)876 static int ike_show_somedata(netdissect_options *ndo,
877 			     const u_char *cp, const u_char *ep)
878 {
879 	/* there is too much data, just show some of it */
880 	const u_char *end = ep - 20;
881 	int  elen = 20;
882 	int   len = ep - cp;
883 	if(len > 10) {
884 		len = 10;
885 	}
886 
887 	/* really shouldn't happen because of above */
888 	if(end < cp + len) {
889 		end = cp+len;
890 		elen = ep - end;
891 	}
892 
893 	ND_PRINT((ndo," data=("));
894 	if(!rawprint(ndo, (const uint8_t *)(cp), len)) goto trunc;
895 	ND_PRINT((ndo, "..."));
896 	if(elen) {
897 		if(!rawprint(ndo, (const uint8_t *)(end), elen)) goto trunc;
898 	}
899 	ND_PRINT((ndo,")"));
900 	return 1;
901 
902 trunc:
903 	return 0;
904 }
905 
906 struct attrmap {
907 	const char *type;
908 	u_int nvalue;
909 	const char *value[30];	/*XXX*/
910 };
911 
912 static const u_char *
ikev1_attrmap_print(netdissect_options * ndo,const u_char * p,const u_char * ep,const struct attrmap * map,size_t nmap)913 ikev1_attrmap_print(netdissect_options *ndo,
914 		    const u_char *p, const u_char *ep,
915 		    const struct attrmap *map, size_t nmap)
916 {
917 	int totlen;
918 	uint32_t t, v;
919 
920 	if (p[0] & 0x80)
921 		totlen = 4;
922 	else
923 		totlen = 4 + EXTRACT_16BITS(&p[2]);
924 	if (ep < p + totlen) {
925 		ND_PRINT((ndo,"[|attr]"));
926 		return ep + 1;
927 	}
928 
929 	ND_PRINT((ndo,"("));
930 	t = EXTRACT_16BITS(&p[0]) & 0x7fff;
931 	if (map && t < nmap && map[t].type)
932 		ND_PRINT((ndo,"type=%s ", map[t].type));
933 	else
934 		ND_PRINT((ndo,"type=#%d ", t));
935 	if (p[0] & 0x80) {
936 		ND_PRINT((ndo,"value="));
937 		v = EXTRACT_16BITS(&p[2]);
938 		if (map && t < nmap && v < map[t].nvalue && map[t].value[v])
939 			ND_PRINT((ndo,"%s", map[t].value[v]));
940 		else
941 			rawprint(ndo, (const uint8_t *)&p[2], 2);
942 	} else {
943 		ND_PRINT((ndo,"len=%d value=", EXTRACT_16BITS(&p[2])));
944 		rawprint(ndo, (const uint8_t *)&p[4], EXTRACT_16BITS(&p[2]));
945 	}
946 	ND_PRINT((ndo,")"));
947 	return p + totlen;
948 }
949 
950 static const u_char *
ikev1_attr_print(netdissect_options * ndo,const u_char * p,const u_char * ep)951 ikev1_attr_print(netdissect_options *ndo, const u_char *p, const u_char *ep)
952 {
953 	int totlen;
954 	uint32_t t;
955 
956 	if (p[0] & 0x80)
957 		totlen = 4;
958 	else
959 		totlen = 4 + EXTRACT_16BITS(&p[2]);
960 	if (ep < p + totlen) {
961 		ND_PRINT((ndo,"[|attr]"));
962 		return ep + 1;
963 	}
964 
965 	ND_PRINT((ndo,"("));
966 	t = EXTRACT_16BITS(&p[0]) & 0x7fff;
967 	ND_PRINT((ndo,"type=#%d ", t));
968 	if (p[0] & 0x80) {
969 		ND_PRINT((ndo,"value="));
970 		t = p[2];
971 		rawprint(ndo, (const uint8_t *)&p[2], 2);
972 	} else {
973 		ND_PRINT((ndo,"len=%d value=", EXTRACT_16BITS(&p[2])));
974 		rawprint(ndo, (const uint8_t *)&p[4], EXTRACT_16BITS(&p[2]));
975 	}
976 	ND_PRINT((ndo,")"));
977 	return p + totlen;
978 }
979 
980 static const u_char *
ikev1_sa_print(netdissect_options * ndo,u_char tpay _U_,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep,uint32_t phase,uint32_t doi0 _U_,uint32_t proto0,int depth)981 ikev1_sa_print(netdissect_options *ndo, u_char tpay _U_,
982 	       const struct isakmp_gen *ext,
983 		u_int item_len _U_,
984 		const u_char *ep, uint32_t phase, uint32_t doi0 _U_,
985 		uint32_t proto0, int depth)
986 {
987 	const struct ikev1_pl_sa *p;
988 	struct ikev1_pl_sa sa;
989 	uint32_t doi, sit, ident;
990 	const u_char *cp, *np;
991 	int t;
992 
993 	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_SA)));
994 
995 	p = (const struct ikev1_pl_sa *)ext;
996 	ND_TCHECK(*p);
997 	UNALIGNED_MEMCPY(&sa, ext, sizeof(sa));
998 	doi = ntohl(sa.doi);
999 	sit = ntohl(sa.sit);
1000 	if (doi != 1) {
1001 		ND_PRINT((ndo," doi=%d", doi));
1002 		ND_PRINT((ndo," situation=%u", (uint32_t)ntohl(sa.sit)));
1003 		return (const u_char *)(p + 1);
1004 	}
1005 
1006 	ND_PRINT((ndo," doi=ipsec"));
1007 	ND_PRINT((ndo," situation="));
1008 	t = 0;
1009 	if (sit & 0x01) {
1010 		ND_PRINT((ndo,"identity"));
1011 		t++;
1012 	}
1013 	if (sit & 0x02) {
1014 		ND_PRINT((ndo,"%ssecrecy", t ? "+" : ""));
1015 		t++;
1016 	}
1017 	if (sit & 0x04)
1018 		ND_PRINT((ndo,"%sintegrity", t ? "+" : ""));
1019 
1020 	np = (const u_char *)ext + sizeof(sa);
1021 	if (sit != 0x01) {
1022 		ND_TCHECK2(*(ext + 1), sizeof(ident));
1023 		UNALIGNED_MEMCPY(&ident, ext + 1, sizeof(ident));
1024 		ND_PRINT((ndo," ident=%u", (uint32_t)ntohl(ident)));
1025 		np += sizeof(ident);
1026 	}
1027 
1028 	ext = (const struct isakmp_gen *)np;
1029 	ND_TCHECK(*ext);
1030 
1031 	cp = ikev1_sub_print(ndo, ISAKMP_NPTYPE_P, ext, ep, phase, doi, proto0,
1032 		depth);
1033 
1034 	return cp;
1035 trunc:
1036 	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_SA)));
1037 	return NULL;
1038 }
1039 
1040 static const u_char *
ikev1_p_print(netdissect_options * ndo,u_char tpay _U_,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep,uint32_t phase,uint32_t doi0,uint32_t proto0 _U_,int depth)1041 ikev1_p_print(netdissect_options *ndo, u_char tpay _U_,
1042 	      const struct isakmp_gen *ext, u_int item_len _U_,
1043 	       const u_char *ep, uint32_t phase, uint32_t doi0,
1044 	       uint32_t proto0 _U_, int depth)
1045 {
1046 	const struct ikev1_pl_p *p;
1047 	struct ikev1_pl_p prop;
1048 	const u_char *cp;
1049 
1050 	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_P)));
1051 
1052 	p = (const struct ikev1_pl_p *)ext;
1053 	ND_TCHECK(*p);
1054 	UNALIGNED_MEMCPY(&prop, ext, sizeof(prop));
1055 	ND_PRINT((ndo," #%d protoid=%s transform=%d",
1056 		  prop.p_no, PROTOIDSTR(prop.prot_id), prop.num_t));
1057 	if (prop.spi_size) {
1058 		ND_PRINT((ndo," spi="));
1059 		if (!rawprint(ndo, (const uint8_t *)(p + 1), prop.spi_size))
1060 			goto trunc;
1061 	}
1062 
1063 	ext = (const struct isakmp_gen *)((const u_char *)(p + 1) + prop.spi_size);
1064 	ND_TCHECK(*ext);
1065 
1066 	cp = ikev1_sub_print(ndo, ISAKMP_NPTYPE_T, ext, ep, phase, doi0,
1067 			     prop.prot_id, depth);
1068 
1069 	return cp;
1070 trunc:
1071 	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_P)));
1072 	return NULL;
1073 }
1074 
1075 static const char *ikev1_p_map[] = {
1076 	NULL, "ike",
1077 };
1078 
1079 static const char *ikev2_t_type_map[]={
1080 	NULL, "encr", "prf", "integ", "dh", "esn"
1081 };
1082 
1083 static const char *ah_p_map[] = {
1084 	NULL, "(reserved)", "md5", "sha", "1des",
1085 	"sha2-256", "sha2-384", "sha2-512",
1086 };
1087 
1088 static const char *prf_p_map[] = {
1089 	NULL, "hmac-md5", "hmac-sha", "hmac-tiger",
1090 	"aes128_xcbc"
1091 };
1092 
1093 static const char *integ_p_map[] = {
1094 	NULL, "hmac-md5", "hmac-sha", "dec-mac",
1095 	"kpdk-md5", "aes-xcbc"
1096 };
1097 
1098 static const char *esn_p_map[] = {
1099 	"no-esn", "esn"
1100 };
1101 
1102 static const char *dh_p_map[] = {
1103 	NULL, "modp768",
1104 	"modp1024",    /* group 2 */
1105 	"EC2N 2^155",  /* group 3 */
1106 	"EC2N 2^185",  /* group 4 */
1107 	"modp1536",    /* group 5 */
1108 	"iana-grp06", "iana-grp07", /* reserved */
1109 	"iana-grp08", "iana-grp09",
1110 	"iana-grp10", "iana-grp11",
1111 	"iana-grp12", "iana-grp13",
1112 	"modp2048",    /* group 14 */
1113 	"modp3072",    /* group 15 */
1114 	"modp4096",    /* group 16 */
1115 	"modp6144",    /* group 17 */
1116 	"modp8192",    /* group 18 */
1117 };
1118 
1119 static const char *esp_p_map[] = {
1120 	NULL, "1des-iv64", "1des", "3des", "rc5", "idea", "cast",
1121 	"blowfish", "3idea", "1des-iv32", "rc4", "null", "aes"
1122 };
1123 
1124 static const char *ipcomp_p_map[] = {
1125 	NULL, "oui", "deflate", "lzs",
1126 };
1127 
1128 static const struct attrmap ipsec_t_map[] = {
1129 	{ NULL,	0, { NULL } },
1130 	{ "lifetype", 3, { NULL, "sec", "kb", }, },
1131 	{ "life", 0, { NULL } },
1132 	{ "group desc", 18,	{ NULL, "modp768",
1133 				  "modp1024",    /* group 2 */
1134 				  "EC2N 2^155",  /* group 3 */
1135 				  "EC2N 2^185",  /* group 4 */
1136 				  "modp1536",    /* group 5 */
1137 				  "iana-grp06", "iana-grp07", /* reserved */
1138 				  "iana-grp08", "iana-grp09",
1139 				  "iana-grp10", "iana-grp11",
1140 				  "iana-grp12", "iana-grp13",
1141 				  "modp2048",    /* group 14 */
1142 				  "modp3072",    /* group 15 */
1143 				  "modp4096",    /* group 16 */
1144 				  "modp6144",    /* group 17 */
1145 				  "modp8192",    /* group 18 */
1146 		}, },
1147 	{ "enc mode", 3, { NULL, "tunnel", "transport", }, },
1148 	{ "auth", 5, { NULL, "hmac-md5", "hmac-sha1", "1des-mac", "keyed", }, },
1149 	{ "keylen", 0, { NULL } },
1150 	{ "rounds", 0, { NULL } },
1151 	{ "dictsize", 0, { NULL } },
1152 	{ "privalg", 0, { NULL } },
1153 };
1154 
1155 static const struct attrmap encr_t_map[] = {
1156 	{ NULL,	0, { NULL } }, 	{ NULL,	0, { NULL } },  /* 0, 1 */
1157 	{ NULL,	0, { NULL } },	{ NULL,	0, { NULL } },  /* 2, 3 */
1158 	{ NULL,	0, { NULL } },	{ NULL,	0, { NULL } },  /* 4, 5 */
1159 	{ NULL,	0, { NULL } },	{ NULL,	0, { NULL } },  /* 6, 7 */
1160 	{ NULL,	0, { NULL } },	{ NULL,	0, { NULL } },  /* 8, 9 */
1161 	{ NULL,	0, { NULL } },	{ NULL,	0, { NULL } },  /* 10,11*/
1162 	{ NULL,	0, { NULL } },	{ NULL,	0, { NULL } },  /* 12,13*/
1163 	{ "keylen", 14, { NULL }},
1164 };
1165 
1166 static const struct attrmap oakley_t_map[] = {
1167 	{ NULL,	0, { NULL } },
1168 	{ "enc", 8,	{ NULL, "1des", "idea", "blowfish", "rc5",
1169 		 	  "3des", "cast", "aes", }, },
1170 	{ "hash", 7,	{ NULL, "md5", "sha1", "tiger",
1171 			  "sha2-256", "sha2-384", "sha2-512", }, },
1172 	{ "auth", 6,	{ NULL, "preshared", "dss", "rsa sig", "rsa enc",
1173 			  "rsa enc revised", }, },
1174 	{ "group desc", 18,	{ NULL, "modp768",
1175 				  "modp1024",    /* group 2 */
1176 				  "EC2N 2^155",  /* group 3 */
1177 				  "EC2N 2^185",  /* group 4 */
1178 				  "modp1536",    /* group 5 */
1179 				  "iana-grp06", "iana-grp07", /* reserved */
1180 				  "iana-grp08", "iana-grp09",
1181 				  "iana-grp10", "iana-grp11",
1182 				  "iana-grp12", "iana-grp13",
1183 				  "modp2048",    /* group 14 */
1184 				  "modp3072",    /* group 15 */
1185 				  "modp4096",    /* group 16 */
1186 				  "modp6144",    /* group 17 */
1187 				  "modp8192",    /* group 18 */
1188 		}, },
1189 	{ "group type", 4,	{ NULL, "MODP", "ECP", "EC2N", }, },
1190 	{ "group prime", 0, { NULL } },
1191 	{ "group gen1", 0, { NULL } },
1192 	{ "group gen2", 0, { NULL } },
1193 	{ "group curve A", 0, { NULL } },
1194 	{ "group curve B", 0, { NULL } },
1195 	{ "lifetype", 3,	{ NULL, "sec", "kb", }, },
1196 	{ "lifeduration", 0, { NULL } },
1197 	{ "prf", 0, { NULL } },
1198 	{ "keylen", 0, { NULL } },
1199 	{ "field", 0, { NULL } },
1200 	{ "order", 0, { NULL } },
1201 };
1202 
1203 static const u_char *
ikev1_t_print(netdissect_options * ndo,u_char tpay _U_,const struct isakmp_gen * ext,u_int item_len,const u_char * ep,uint32_t phase _U_,uint32_t doi _U_,uint32_t proto,int depth _U_)1204 ikev1_t_print(netdissect_options *ndo, u_char tpay _U_,
1205 	      const struct isakmp_gen *ext, u_int item_len,
1206 	      const u_char *ep, uint32_t phase _U_, uint32_t doi _U_,
1207 	      uint32_t proto, int depth _U_)
1208 {
1209 	const struct ikev1_pl_t *p;
1210 	struct ikev1_pl_t t;
1211 	const u_char *cp;
1212 	const char *idstr;
1213 	const struct attrmap *map;
1214 	size_t nmap;
1215 	const u_char *ep2;
1216 
1217 	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_T)));
1218 
1219 	p = (const struct ikev1_pl_t *)ext;
1220 	ND_TCHECK(*p);
1221 	UNALIGNED_MEMCPY(&t, ext, sizeof(t));
1222 
1223 	switch (proto) {
1224 	case 1:
1225 		idstr = STR_OR_ID(t.t_id, ikev1_p_map);
1226 		map = oakley_t_map;
1227 		nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]);
1228 		break;
1229 	case 2:
1230 		idstr = STR_OR_ID(t.t_id, ah_p_map);
1231 		map = ipsec_t_map;
1232 		nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
1233 		break;
1234 	case 3:
1235 		idstr = STR_OR_ID(t.t_id, esp_p_map);
1236 		map = ipsec_t_map;
1237 		nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
1238 		break;
1239 	case 4:
1240 		idstr = STR_OR_ID(t.t_id, ipcomp_p_map);
1241 		map = ipsec_t_map;
1242 		nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
1243 		break;
1244 	default:
1245 		idstr = NULL;
1246 		map = NULL;
1247 		nmap = 0;
1248 		break;
1249 	}
1250 
1251 	if (idstr)
1252 		ND_PRINT((ndo," #%d id=%s ", t.t_no, idstr));
1253 	else
1254 		ND_PRINT((ndo," #%d id=%d ", t.t_no, t.t_id));
1255 	cp = (const u_char *)(p + 1);
1256 	ep2 = (const u_char *)p + item_len;
1257 	while (cp < ep && cp < ep2) {
1258 		if (map && nmap) {
1259 			cp = ikev1_attrmap_print(ndo, cp, (ep < ep2) ? ep : ep2,
1260 				map, nmap);
1261 		} else
1262 			cp = ikev1_attr_print(ndo, cp, (ep < ep2) ? ep : ep2);
1263 	}
1264 	if (ep < ep2)
1265 		ND_PRINT((ndo,"..."));
1266 	return cp;
1267 trunc:
1268 	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_T)));
1269 	return NULL;
1270 }
1271 
1272 static const u_char *
ikev1_ke_print(netdissect_options * ndo,u_char tpay _U_,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep _U_,uint32_t phase _U_,uint32_t doi _U_,uint32_t proto _U_,int depth _U_)1273 ikev1_ke_print(netdissect_options *ndo, u_char tpay _U_,
1274 	       const struct isakmp_gen *ext, u_int item_len _U_,
1275 	       const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_,
1276 	       uint32_t proto _U_, int depth _U_)
1277 {
1278 	struct isakmp_gen e;
1279 
1280 	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_KE)));
1281 
1282 	ND_TCHECK(*ext);
1283 	UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1284 	ND_PRINT((ndo," key len=%d", ntohs(e.len) - 4));
1285 	if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1286 		ND_PRINT((ndo," "));
1287 		if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
1288 			goto trunc;
1289 	}
1290 	return (const u_char *)ext + ntohs(e.len);
1291 trunc:
1292 	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_KE)));
1293 	return NULL;
1294 }
1295 
1296 static const u_char *
ikev1_id_print(netdissect_options * ndo,u_char tpay _U_,const struct isakmp_gen * ext,u_int item_len,const u_char * ep _U_,uint32_t phase,uint32_t doi _U_,uint32_t proto _U_,int depth _U_)1297 ikev1_id_print(netdissect_options *ndo, u_char tpay _U_,
1298 	       const struct isakmp_gen *ext, u_int item_len,
1299 	       const u_char *ep _U_, uint32_t phase, uint32_t doi _U_,
1300 	       uint32_t proto _U_, int depth _U_)
1301 {
1302 #define USE_IPSECDOI_IN_PHASE1	1
1303 	const struct ikev1_pl_id *p;
1304 	struct ikev1_pl_id id;
1305 	static const char *idtypestr[] = {
1306 		"IPv4", "IPv4net", "IPv6", "IPv6net",
1307 	};
1308 	static const char *ipsecidtypestr[] = {
1309 		NULL, "IPv4", "FQDN", "user FQDN", "IPv4net", "IPv6",
1310 		"IPv6net", "IPv4range", "IPv6range", "ASN1 DN", "ASN1 GN",
1311 		"keyid",
1312 	};
1313 	int len;
1314 	const u_char *data;
1315 
1316 	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_ID)));
1317 
1318 	p = (const struct ikev1_pl_id *)ext;
1319 	ND_TCHECK(*p);
1320 	UNALIGNED_MEMCPY(&id, ext, sizeof(id));
1321 	if (sizeof(*p) < item_len) {
1322 		data = (const u_char *)(p + 1);
1323 		len = item_len - sizeof(*p);
1324 	} else {
1325 		data = NULL;
1326 		len = 0;
1327 	}
1328 
1329 #if 0 /*debug*/
1330 	ND_PRINT((ndo," [phase=%d doi=%d proto=%d]", phase, doi, proto));
1331 #endif
1332 	switch (phase) {
1333 #ifndef USE_IPSECDOI_IN_PHASE1
1334 	case 1:
1335 #endif
1336 	default:
1337 		ND_PRINT((ndo," idtype=%s", STR_OR_ID(id.d.id_type, idtypestr)));
1338 		ND_PRINT((ndo," doi_data=%u",
1339 			  (uint32_t)(ntohl(id.d.doi_data) & 0xffffff)));
1340 		break;
1341 
1342 #ifdef USE_IPSECDOI_IN_PHASE1
1343 	case 1:
1344 #endif
1345 	case 2:
1346 	    {
1347 		const struct ipsecdoi_id *doi_p;
1348 		struct ipsecdoi_id doi_id;
1349 		struct protoent *pe;
1350 
1351 		doi_p = (const struct ipsecdoi_id *)ext;
1352 		ND_TCHECK(*doi_p);
1353 		UNALIGNED_MEMCPY(&doi_id, ext, sizeof(doi_id));
1354 		ND_PRINT((ndo," idtype=%s", STR_OR_ID(doi_id.type, ipsecidtypestr)));
1355 		/* A protocol ID of 0 DOES NOT mean IPPROTO_IP! */
1356 		pe = doi_id.proto_id ? getprotobynumber(doi_id.proto_id) : NULL;
1357 		if (pe)
1358 			ND_PRINT((ndo," protoid=%s", pe->p_name));
1359 		else
1360 			ND_PRINT((ndo," protoid=%u", doi_id.proto_id));
1361 		ND_PRINT((ndo," port=%d", ntohs(doi_id.port)));
1362 		if (!len)
1363 			break;
1364 		if (data == NULL)
1365 			goto trunc;
1366 		ND_TCHECK2(*data, len);
1367 		switch (doi_id.type) {
1368 		case IPSECDOI_ID_IPV4_ADDR:
1369 			if (len < 4)
1370 				ND_PRINT((ndo," len=%d [bad: < 4]", len));
1371 			else
1372 				ND_PRINT((ndo," len=%d %s", len, ipaddr_string(ndo, data)));
1373 			len = 0;
1374 			break;
1375 		case IPSECDOI_ID_FQDN:
1376 		case IPSECDOI_ID_USER_FQDN:
1377 		    {
1378 			int i;
1379 			ND_PRINT((ndo," len=%d ", len));
1380 			for (i = 0; i < len; i++)
1381 				safeputchar(ndo, data[i]);
1382 			len = 0;
1383 			break;
1384 		    }
1385 		case IPSECDOI_ID_IPV4_ADDR_SUBNET:
1386 		    {
1387 			const u_char *mask;
1388 			if (len < 8)
1389 				ND_PRINT((ndo," len=%d [bad: < 8]", len));
1390 			else {
1391 				mask = data + sizeof(struct in_addr);
1392 				ND_PRINT((ndo," len=%d %s/%u.%u.%u.%u", len,
1393 					  ipaddr_string(ndo, data),
1394 					  mask[0], mask[1], mask[2], mask[3]));
1395 			}
1396 			len = 0;
1397 			break;
1398 		    }
1399 		case IPSECDOI_ID_IPV6_ADDR:
1400 			if (len < 16)
1401 				ND_PRINT((ndo," len=%d [bad: < 16]", len));
1402 			else
1403 				ND_PRINT((ndo," len=%d %s", len, ip6addr_string(ndo, data)));
1404 			len = 0;
1405 			break;
1406 		case IPSECDOI_ID_IPV6_ADDR_SUBNET:
1407 		    {
1408 			const u_char *mask;
1409 			if (len < 20)
1410 				ND_PRINT((ndo," len=%d [bad: < 20]", len));
1411 			else {
1412 				mask = (const u_char *)(data + sizeof(struct in6_addr));
1413 				/*XXX*/
1414 				ND_PRINT((ndo," len=%d %s/0x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x", len,
1415 					  ip6addr_string(ndo, data),
1416 					  mask[0], mask[1], mask[2], mask[3],
1417 					  mask[4], mask[5], mask[6], mask[7],
1418 					  mask[8], mask[9], mask[10], mask[11],
1419 					  mask[12], mask[13], mask[14], mask[15]));
1420 			}
1421 			len = 0;
1422 			break;
1423 		    }
1424 		case IPSECDOI_ID_IPV4_ADDR_RANGE:
1425 			if (len < 8)
1426 				ND_PRINT((ndo," len=%d [bad: < 8]", len));
1427 			else {
1428 				ND_PRINT((ndo," len=%d %s-%s", len,
1429 					  ipaddr_string(ndo, data),
1430 					  ipaddr_string(ndo, data + sizeof(struct in_addr))));
1431 			}
1432 			len = 0;
1433 			break;
1434 		case IPSECDOI_ID_IPV6_ADDR_RANGE:
1435 			if (len < 32)
1436 				ND_PRINT((ndo," len=%d [bad: < 32]", len));
1437 			else {
1438 				ND_PRINT((ndo," len=%d %s-%s", len,
1439 					  ip6addr_string(ndo, data),
1440 					  ip6addr_string(ndo, data + sizeof(struct in6_addr))));
1441 			}
1442 			len = 0;
1443 			break;
1444 		case IPSECDOI_ID_DER_ASN1_DN:
1445 		case IPSECDOI_ID_DER_ASN1_GN:
1446 		case IPSECDOI_ID_KEY_ID:
1447 			break;
1448 		}
1449 		break;
1450 	    }
1451 	}
1452 	if (data && len) {
1453 		ND_PRINT((ndo," len=%d", len));
1454 		if (2 < ndo->ndo_vflag) {
1455 			ND_PRINT((ndo," "));
1456 			if (!rawprint(ndo, (const uint8_t *)data, len))
1457 				goto trunc;
1458 		}
1459 	}
1460 	return (const u_char *)ext + item_len;
1461 trunc:
1462 	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_ID)));
1463 	return NULL;
1464 }
1465 
1466 static const u_char *
ikev1_cert_print(netdissect_options * ndo,u_char tpay _U_,const struct isakmp_gen * ext,u_int item_len,const u_char * ep _U_,uint32_t phase _U_,uint32_t doi0 _U_,uint32_t proto0 _U_,int depth _U_)1467 ikev1_cert_print(netdissect_options *ndo, u_char tpay _U_,
1468 		 const struct isakmp_gen *ext, u_int item_len,
1469 		 const u_char *ep _U_, uint32_t phase _U_,
1470 		 uint32_t doi0 _U_,
1471 		 uint32_t proto0 _U_, int depth _U_)
1472 {
1473 	const struct ikev1_pl_cert *p;
1474 	struct ikev1_pl_cert cert;
1475 	static const char *certstr[] = {
1476 		"none",	"pkcs7", "pgp", "dns",
1477 		"x509sign", "x509ke", "kerberos", "crl",
1478 		"arl", "spki", "x509attr",
1479 	};
1480 
1481 	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_CERT)));
1482 
1483 	p = (const struct ikev1_pl_cert *)ext;
1484 	ND_TCHECK(*p);
1485 	UNALIGNED_MEMCPY(&cert, ext, sizeof(cert));
1486 	ND_PRINT((ndo," len=%d", item_len - 4));
1487 	ND_PRINT((ndo," type=%s", STR_OR_ID((cert.encode), certstr)));
1488 	if (2 < ndo->ndo_vflag && 4 < item_len) {
1489 		ND_PRINT((ndo," "));
1490 		if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1491 			goto trunc;
1492 	}
1493 	return (const u_char *)ext + item_len;
1494 trunc:
1495 	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_CERT)));
1496 	return NULL;
1497 }
1498 
1499 static const u_char *
ikev1_cr_print(netdissect_options * ndo,u_char tpay _U_,const struct isakmp_gen * ext,u_int item_len,const u_char * ep _U_,uint32_t phase _U_,uint32_t doi0 _U_,uint32_t proto0 _U_,int depth _U_)1500 ikev1_cr_print(netdissect_options *ndo, u_char tpay _U_,
1501 	       const struct isakmp_gen *ext, u_int item_len,
1502 	       const u_char *ep _U_, uint32_t phase _U_, uint32_t doi0 _U_,
1503 	       uint32_t proto0 _U_, int depth _U_)
1504 {
1505 	const struct ikev1_pl_cert *p;
1506 	struct ikev1_pl_cert cert;
1507 	static const char *certstr[] = {
1508 		"none",	"pkcs7", "pgp", "dns",
1509 		"x509sign", "x509ke", "kerberos", "crl",
1510 		"arl", "spki", "x509attr",
1511 	};
1512 
1513 	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_CR)));
1514 
1515 	p = (const struct ikev1_pl_cert *)ext;
1516 	ND_TCHECK(*p);
1517 	UNALIGNED_MEMCPY(&cert, ext, sizeof(cert));
1518 	ND_PRINT((ndo," len=%d", item_len - 4));
1519 	ND_PRINT((ndo," type=%s", STR_OR_ID((cert.encode), certstr)));
1520 	if (2 < ndo->ndo_vflag && 4 < item_len) {
1521 		ND_PRINT((ndo," "));
1522 		if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1523 			goto trunc;
1524 	}
1525 	return (const u_char *)ext + item_len;
1526 trunc:
1527 	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_CR)));
1528 	return NULL;
1529 }
1530 
1531 static const u_char *
ikev1_hash_print(netdissect_options * ndo,u_char tpay _U_,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep _U_,uint32_t phase _U_,uint32_t doi _U_,uint32_t proto _U_,int depth _U_)1532 ikev1_hash_print(netdissect_options *ndo, u_char tpay _U_,
1533 		 const struct isakmp_gen *ext, u_int item_len _U_,
1534 		 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_,
1535 		 uint32_t proto _U_, int depth _U_)
1536 {
1537 	struct isakmp_gen e;
1538 
1539 	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_HASH)));
1540 
1541 	ND_TCHECK(*ext);
1542 	UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1543 	ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
1544 	if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1545 		ND_PRINT((ndo," "));
1546 		if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
1547 			goto trunc;
1548 	}
1549 	return (const u_char *)ext + ntohs(e.len);
1550 trunc:
1551 	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_HASH)));
1552 	return NULL;
1553 }
1554 
1555 static const u_char *
ikev1_sig_print(netdissect_options * ndo,u_char tpay _U_,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep _U_,uint32_t phase _U_,uint32_t doi _U_,uint32_t proto _U_,int depth _U_)1556 ikev1_sig_print(netdissect_options *ndo, u_char tpay _U_,
1557 		const struct isakmp_gen *ext, u_int item_len _U_,
1558 		const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_,
1559 		uint32_t proto _U_, int depth _U_)
1560 {
1561 	struct isakmp_gen e;
1562 
1563 	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_SIG)));
1564 
1565 	ND_TCHECK(*ext);
1566 	UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1567 	ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
1568 	if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1569 		ND_PRINT((ndo," "));
1570 		if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
1571 			goto trunc;
1572 	}
1573 	return (const u_char *)ext + ntohs(e.len);
1574 trunc:
1575 	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_SIG)));
1576 	return NULL;
1577 }
1578 
1579 static const u_char *
ikev1_nonce_print(netdissect_options * ndo,u_char tpay _U_,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep,uint32_t phase _U_,uint32_t doi _U_,uint32_t proto _U_,int depth _U_)1580 ikev1_nonce_print(netdissect_options *ndo, u_char tpay _U_,
1581 		  const struct isakmp_gen *ext,
1582 		  u_int item_len _U_,
1583 		  const u_char *ep,
1584 		  uint32_t phase _U_, uint32_t doi _U_,
1585 		  uint32_t proto _U_, int depth _U_)
1586 {
1587 	struct isakmp_gen e;
1588 
1589 	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_NONCE)));
1590 
1591 	ND_TCHECK(*ext);
1592 	UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1593 	ND_PRINT((ndo," n len=%d", ntohs(e.len) - 4));
1594 	if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1595 		ND_PRINT((ndo," "));
1596 		if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
1597 			goto trunc;
1598 	} else if (1 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1599 		ND_PRINT((ndo," "));
1600 		if (!ike_show_somedata(ndo, (const u_char *)(const uint8_t *)(ext + 1), ep))
1601 			goto trunc;
1602 	}
1603 	return (const u_char *)ext + ntohs(e.len);
1604 trunc:
1605 	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_NONCE)));
1606 	return NULL;
1607 }
1608 
1609 static const u_char *
ikev1_n_print(netdissect_options * ndo,u_char tpay _U_,const struct isakmp_gen * ext,u_int item_len,const u_char * ep,uint32_t phase,uint32_t doi0 _U_,uint32_t proto0 _U_,int depth)1610 ikev1_n_print(netdissect_options *ndo, u_char tpay _U_,
1611 	      const struct isakmp_gen *ext, u_int item_len,
1612 	      const u_char *ep, uint32_t phase, uint32_t doi0 _U_,
1613 	      uint32_t proto0 _U_, int depth)
1614 {
1615 	const struct ikev1_pl_n *p;
1616 	struct ikev1_pl_n n;
1617 	const u_char *cp;
1618 	const u_char *ep2;
1619 	uint32_t doi;
1620 	uint32_t proto;
1621 	static const char *notify_error_str[] = {
1622 		NULL,				"INVALID-PAYLOAD-TYPE",
1623 		"DOI-NOT-SUPPORTED",		"SITUATION-NOT-SUPPORTED",
1624 		"INVALID-COOKIE",		"INVALID-MAJOR-VERSION",
1625 		"INVALID-MINOR-VERSION",	"INVALID-EXCHANGE-TYPE",
1626 		"INVALID-FLAGS",		"INVALID-MESSAGE-ID",
1627 		"INVALID-PROTOCOL-ID",		"INVALID-SPI",
1628 		"INVALID-TRANSFORM-ID",		"ATTRIBUTES-NOT-SUPPORTED",
1629 		"NO-PROPOSAL-CHOSEN",		"BAD-PROPOSAL-SYNTAX",
1630 		"PAYLOAD-MALFORMED",		"INVALID-KEY-INFORMATION",
1631 		"INVALID-ID-INFORMATION",	"INVALID-CERT-ENCODING",
1632 		"INVALID-CERTIFICATE",		"CERT-TYPE-UNSUPPORTED",
1633 		"INVALID-CERT-AUTHORITY",	"INVALID-HASH-INFORMATION",
1634 		"AUTHENTICATION-FAILED",	"INVALID-SIGNATURE",
1635 		"ADDRESS-NOTIFICATION",		"NOTIFY-SA-LIFETIME",
1636 		"CERTIFICATE-UNAVAILABLE",	"UNSUPPORTED-EXCHANGE-TYPE",
1637 		"UNEQUAL-PAYLOAD-LENGTHS",
1638 	};
1639 	static const char *ipsec_notify_error_str[] = {
1640 		"RESERVED",
1641 	};
1642 	static const char *notify_status_str[] = {
1643 		"CONNECTED",
1644 	};
1645 	static const char *ipsec_notify_status_str[] = {
1646 		"RESPONDER-LIFETIME",		"REPLAY-STATUS",
1647 		"INITIAL-CONTACT",
1648 	};
1649 /* NOTE: these macro must be called with x in proper range */
1650 
1651 /* 0 - 8191 */
1652 #define NOTIFY_ERROR_STR(x) \
1653 	STR_OR_ID((x), notify_error_str)
1654 
1655 /* 8192 - 16383 */
1656 #define IPSEC_NOTIFY_ERROR_STR(x) \
1657 	STR_OR_ID((u_int)((x) - 8192), ipsec_notify_error_str)
1658 
1659 /* 16384 - 24575 */
1660 #define NOTIFY_STATUS_STR(x) \
1661 	STR_OR_ID((u_int)((x) - 16384), notify_status_str)
1662 
1663 /* 24576 - 32767 */
1664 #define IPSEC_NOTIFY_STATUS_STR(x) \
1665 	STR_OR_ID((u_int)((x) - 24576), ipsec_notify_status_str)
1666 
1667 	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_N)));
1668 
1669 	p = (const struct ikev1_pl_n *)ext;
1670 	ND_TCHECK(*p);
1671 	UNALIGNED_MEMCPY(&n, ext, sizeof(n));
1672 	doi = ntohl(n.doi);
1673 	proto = n.prot_id;
1674 	if (doi != 1) {
1675 		ND_PRINT((ndo," doi=%d", doi));
1676 		ND_PRINT((ndo," proto=%d", proto));
1677 		if (ntohs(n.type) < 8192)
1678 			ND_PRINT((ndo," type=%s", NOTIFY_ERROR_STR(ntohs(n.type))));
1679 		else if (ntohs(n.type) < 16384)
1680 			ND_PRINT((ndo," type=%s", numstr(ntohs(n.type))));
1681 		else if (ntohs(n.type) < 24576)
1682 			ND_PRINT((ndo," type=%s", NOTIFY_STATUS_STR(ntohs(n.type))));
1683 		else
1684 			ND_PRINT((ndo," type=%s", numstr(ntohs(n.type))));
1685 		if (n.spi_size) {
1686 			ND_PRINT((ndo," spi="));
1687 			if (!rawprint(ndo, (const uint8_t *)(p + 1), n.spi_size))
1688 				goto trunc;
1689 		}
1690 		return (const u_char *)(p + 1) + n.spi_size;
1691 	}
1692 
1693 	ND_PRINT((ndo," doi=ipsec"));
1694 	ND_PRINT((ndo," proto=%s", PROTOIDSTR(proto)));
1695 	if (ntohs(n.type) < 8192)
1696 		ND_PRINT((ndo," type=%s", NOTIFY_ERROR_STR(ntohs(n.type))));
1697 	else if (ntohs(n.type) < 16384)
1698 		ND_PRINT((ndo," type=%s", IPSEC_NOTIFY_ERROR_STR(ntohs(n.type))));
1699 	else if (ntohs(n.type) < 24576)
1700 		ND_PRINT((ndo," type=%s", NOTIFY_STATUS_STR(ntohs(n.type))));
1701 	else if (ntohs(n.type) < 32768)
1702 		ND_PRINT((ndo," type=%s", IPSEC_NOTIFY_STATUS_STR(ntohs(n.type))));
1703 	else
1704 		ND_PRINT((ndo," type=%s", numstr(ntohs(n.type))));
1705 	if (n.spi_size) {
1706 		ND_PRINT((ndo," spi="));
1707 		if (!rawprint(ndo, (const uint8_t *)(p + 1), n.spi_size))
1708 			goto trunc;
1709 	}
1710 
1711 	cp = (const u_char *)(p + 1) + n.spi_size;
1712 	ep2 = (const u_char *)p + item_len;
1713 
1714 	if (cp < ep) {
1715 		ND_PRINT((ndo," orig=("));
1716 		switch (ntohs(n.type)) {
1717 		case IPSECDOI_NTYPE_RESPONDER_LIFETIME:
1718 		    {
1719 			const struct attrmap *map = oakley_t_map;
1720 			size_t nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]);
1721 			while (cp < ep && cp < ep2) {
1722 				cp = ikev1_attrmap_print(ndo, cp,
1723 					(ep < ep2) ? ep : ep2, map, nmap);
1724 			}
1725 			break;
1726 		    }
1727 		case IPSECDOI_NTYPE_REPLAY_STATUS:
1728 			ND_PRINT((ndo,"replay detection %sabled",
1729 				  EXTRACT_32BITS(cp) ? "en" : "dis"));
1730 			break;
1731 		case ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN:
1732 			if (ikev1_sub_print(ndo, ISAKMP_NPTYPE_SA,
1733 					    (const struct isakmp_gen *)cp, ep, phase, doi, proto,
1734 					    depth) == NULL)
1735 				return NULL;
1736 			break;
1737 		default:
1738 			/* NULL is dummy */
1739 			isakmp_print(ndo, cp,
1740 				     item_len - sizeof(*p) - n.spi_size,
1741 				     NULL);
1742 		}
1743 		ND_PRINT((ndo,")"));
1744 	}
1745 	return (const u_char *)ext + item_len;
1746 trunc:
1747 	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_N)));
1748 	return NULL;
1749 }
1750 
1751 static const u_char *
ikev1_d_print(netdissect_options * ndo,u_char tpay _U_,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep _U_,uint32_t phase _U_,uint32_t doi0 _U_,uint32_t proto0 _U_,int depth _U_)1752 ikev1_d_print(netdissect_options *ndo, u_char tpay _U_,
1753 	      const struct isakmp_gen *ext, u_int item_len _U_,
1754 	      const u_char *ep _U_, uint32_t phase _U_, uint32_t doi0 _U_,
1755 	      uint32_t proto0 _U_, int depth _U_)
1756 {
1757 	const struct ikev1_pl_d *p;
1758 	struct ikev1_pl_d d;
1759 	const uint8_t *q;
1760 	uint32_t doi;
1761 	uint32_t proto;
1762 	int i;
1763 
1764 	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_D)));
1765 
1766 	p = (const struct ikev1_pl_d *)ext;
1767 	ND_TCHECK(*p);
1768 	UNALIGNED_MEMCPY(&d, ext, sizeof(d));
1769 	doi = ntohl(d.doi);
1770 	proto = d.prot_id;
1771 	if (doi != 1) {
1772 		ND_PRINT((ndo," doi=%u", doi));
1773 		ND_PRINT((ndo," proto=%u", proto));
1774 	} else {
1775 		ND_PRINT((ndo," doi=ipsec"));
1776 		ND_PRINT((ndo," proto=%s", PROTOIDSTR(proto)));
1777 	}
1778 	ND_PRINT((ndo," spilen=%u", d.spi_size));
1779 	ND_PRINT((ndo," nspi=%u", ntohs(d.num_spi)));
1780 	ND_PRINT((ndo," spi="));
1781 	q = (const uint8_t *)(p + 1);
1782 	for (i = 0; i < ntohs(d.num_spi); i++) {
1783 		if (i != 0)
1784 			ND_PRINT((ndo,","));
1785 		if (!rawprint(ndo, (const uint8_t *)q, d.spi_size))
1786 			goto trunc;
1787 		q += d.spi_size;
1788 	}
1789 	return q;
1790 trunc:
1791 	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_D)));
1792 	return NULL;
1793 }
1794 
1795 static const u_char *
ikev1_vid_print(netdissect_options * ndo,u_char tpay _U_,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep _U_,uint32_t phase _U_,uint32_t doi _U_,uint32_t proto _U_,int depth _U_)1796 ikev1_vid_print(netdissect_options *ndo, u_char tpay _U_,
1797 		const struct isakmp_gen *ext,
1798 		u_int item_len _U_, const u_char *ep _U_,
1799 		uint32_t phase _U_, uint32_t doi _U_,
1800 		uint32_t proto _U_, int depth _U_)
1801 {
1802 	struct isakmp_gen e;
1803 
1804 	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_VID)));
1805 
1806 	ND_TCHECK(*ext);
1807 	UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1808 	ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
1809 	if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1810 		ND_PRINT((ndo," "));
1811 		if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
1812 			goto trunc;
1813 	}
1814 	return (const u_char *)ext + ntohs(e.len);
1815 trunc:
1816 	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_VID)));
1817 	return NULL;
1818 }
1819 
1820 /************************************************************/
1821 /*                                                          */
1822 /*              IKE v2 - rfc4306 - dissector                */
1823 /*                                                          */
1824 /************************************************************/
1825 
1826 static void
ikev2_pay_print(netdissect_options * ndo,const char * payname,int critical)1827 ikev2_pay_print(netdissect_options *ndo, const char *payname, int critical)
1828 {
1829 	ND_PRINT((ndo,"%s%s:", payname, critical&0x80 ? "[C]" : ""));
1830 }
1831 
1832 static const u_char *
ikev2_gen_print(netdissect_options * ndo,u_char tpay,const struct isakmp_gen * ext)1833 ikev2_gen_print(netdissect_options *ndo, u_char tpay,
1834 		const struct isakmp_gen *ext)
1835 {
1836 	struct isakmp_gen e;
1837 
1838 	ND_TCHECK(*ext);
1839 	UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1840 	ikev2_pay_print(ndo, NPSTR(tpay), e.critical);
1841 
1842 	ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
1843 	if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1844 		ND_PRINT((ndo," "));
1845 		if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
1846 			goto trunc;
1847 	}
1848 	return (const u_char *)ext + ntohs(e.len);
1849 trunc:
1850 	ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
1851 	return NULL;
1852 }
1853 
1854 static const u_char *
ikev2_t_print(netdissect_options * ndo,int tcount,const struct isakmp_gen * ext,u_int item_len,const u_char * ep)1855 ikev2_t_print(netdissect_options *ndo, int tcount,
1856 	      const struct isakmp_gen *ext, u_int item_len,
1857 	      const u_char *ep)
1858 {
1859 	const struct ikev2_t *p;
1860 	struct ikev2_t t;
1861 	uint16_t  t_id;
1862 	const u_char *cp;
1863 	const char *idstr;
1864 	const struct attrmap *map;
1865 	size_t nmap;
1866 	const u_char *ep2;
1867 
1868 	p = (const struct ikev2_t *)ext;
1869 	ND_TCHECK(*p);
1870 	UNALIGNED_MEMCPY(&t, ext, sizeof(t));
1871 	ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_T), t.h.critical);
1872 
1873 	t_id = ntohs(t.t_id);
1874 
1875 	map = NULL;
1876 	nmap = 0;
1877 
1878 	switch (t.t_type) {
1879 	case IV2_T_ENCR:
1880 		idstr = STR_OR_ID(t_id, esp_p_map);
1881 		map = encr_t_map;
1882 		nmap = sizeof(encr_t_map)/sizeof(encr_t_map[0]);
1883 		break;
1884 
1885 	case IV2_T_PRF:
1886 		idstr = STR_OR_ID(t_id, prf_p_map);
1887 		break;
1888 
1889 	case IV2_T_INTEG:
1890 		idstr = STR_OR_ID(t_id, integ_p_map);
1891 		break;
1892 
1893 	case IV2_T_DH:
1894 		idstr = STR_OR_ID(t_id, dh_p_map);
1895 		break;
1896 
1897 	case IV2_T_ESN:
1898 		idstr = STR_OR_ID(t_id, esn_p_map);
1899 		break;
1900 
1901 	default:
1902 		idstr = NULL;
1903 		break;
1904 	}
1905 
1906 	if (idstr)
1907 		ND_PRINT((ndo," #%u type=%s id=%s ", tcount,
1908 			  STR_OR_ID(t.t_type, ikev2_t_type_map),
1909 			  idstr));
1910 	else
1911 		ND_PRINT((ndo," #%u type=%s id=%u ", tcount,
1912 			  STR_OR_ID(t.t_type, ikev2_t_type_map),
1913 			  t.t_id));
1914 	cp = (const u_char *)(p + 1);
1915 	ep2 = (const u_char *)p + item_len;
1916 	while (cp < ep && cp < ep2) {
1917 		if (map && nmap) {
1918 			cp = ikev1_attrmap_print(ndo, cp, (ep < ep2) ? ep : ep2,
1919 				map, nmap);
1920 		} else
1921 			cp = ikev1_attr_print(ndo, cp, (ep < ep2) ? ep : ep2);
1922 	}
1923 	if (ep < ep2)
1924 		ND_PRINT((ndo,"..."));
1925 	return cp;
1926 trunc:
1927 	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_T)));
1928 	return NULL;
1929 }
1930 
1931 static const u_char *
ikev2_p_print(netdissect_options * ndo,u_char tpay _U_,int pcount _U_,const struct isakmp_gen * ext,u_int oprop_length,const u_char * ep,int depth)1932 ikev2_p_print(netdissect_options *ndo, u_char tpay _U_, int pcount _U_,
1933 	      const struct isakmp_gen *ext, u_int oprop_length,
1934 	      const u_char *ep, int depth)
1935 {
1936 	const struct ikev2_p *p;
1937 	struct ikev2_p prop;
1938 	u_int prop_length;
1939 	const u_char *cp;
1940 	int i;
1941 	int tcount;
1942 	u_char np;
1943 	struct isakmp_gen e;
1944 	u_int item_len;
1945 
1946 	p = (const struct ikev2_p *)ext;
1947 	ND_TCHECK(*p);
1948 	UNALIGNED_MEMCPY(&prop, ext, sizeof(prop));
1949 
1950 	ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_P), prop.h.critical);
1951 
1952 	/*
1953 	 * ikev2_sa_print() guarantees that this is >= 4.
1954 	 */
1955 	prop_length = oprop_length - 4;
1956 	ND_PRINT((ndo," #%u protoid=%s transform=%d len=%u",
1957 		  prop.p_no,  PROTOIDSTR(prop.prot_id),
1958 		  prop.num_t, oprop_length));
1959 	cp = (const u_char *)(p + 1);
1960 
1961 	if (prop.spi_size) {
1962 		if (prop_length < prop.spi_size)
1963 			goto toolong;
1964 		ND_PRINT((ndo," spi="));
1965 		if (!rawprint(ndo, (const uint8_t *)cp, prop.spi_size))
1966 			goto trunc;
1967 		cp += prop.spi_size;
1968 		prop_length -= prop.spi_size;
1969 	}
1970 
1971 	/*
1972 	 * Print the transforms.
1973 	 */
1974 	tcount = 0;
1975 	for (np = ISAKMP_NPTYPE_T; np != 0; np = e.np) {
1976 		tcount++;
1977 		ext = (const struct isakmp_gen *)cp;
1978 		if (prop_length < sizeof(*ext))
1979 			goto toolong;
1980 		ND_TCHECK(*ext);
1981 
1982 		UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1983 
1984 		/*
1985 		 * Since we can't have a payload length of less than 4 bytes,
1986 		 * we need to bail out here if the generic header is nonsensical
1987 		 * or truncated, otherwise we could loop forever processing
1988 		 * zero-length items or otherwise misdissect the packet.
1989 		 */
1990 		item_len = ntohs(e.len);
1991 		if (item_len <= 4)
1992 			goto trunc;
1993 
1994 		if (prop_length < item_len)
1995 			goto toolong;
1996 		ND_TCHECK2(*cp, item_len);
1997 
1998 		depth++;
1999 		ND_PRINT((ndo,"\n"));
2000 		for (i = 0; i < depth; i++)
2001 			ND_PRINT((ndo,"    "));
2002 		ND_PRINT((ndo,"("));
2003 		if (np == ISAKMP_NPTYPE_T) {
2004 			cp = ikev2_t_print(ndo, tcount, ext, item_len, ep);
2005 			if (cp == NULL) {
2006 				/* error, already reported */
2007 				return NULL;
2008 			}
2009 		} else {
2010 			ND_PRINT((ndo, "%s", NPSTR(np)));
2011 			cp += item_len;
2012 		}
2013 		ND_PRINT((ndo,")"));
2014 		depth--;
2015 		prop_length -= item_len;
2016 	}
2017 	return cp;
2018 toolong:
2019 	/*
2020 	 * Skip the rest of the proposal.
2021 	 */
2022 	cp += prop_length;
2023 	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_P)));
2024 	return cp;
2025 trunc:
2026 	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_P)));
2027 	return NULL;
2028 }
2029 
2030 static const u_char *
ikev2_sa_print(netdissect_options * ndo,u_char tpay,const struct isakmp_gen * ext1,u_int osa_length,const u_char * ep,uint32_t phase _U_,uint32_t doi _U_,uint32_t proto _U_,int depth)2031 ikev2_sa_print(netdissect_options *ndo, u_char tpay,
2032 		const struct isakmp_gen *ext1,
2033 		u_int osa_length, const u_char *ep,
2034 		uint32_t phase _U_, uint32_t doi _U_,
2035 		uint32_t proto _U_, int depth)
2036 {
2037 	const struct isakmp_gen *ext;
2038 	struct isakmp_gen e;
2039 	u_int sa_length;
2040 	const u_char *cp;
2041 	int i;
2042 	int pcount;
2043 	u_char np;
2044 	u_int item_len;
2045 
2046 	ND_TCHECK(*ext1);
2047 	UNALIGNED_MEMCPY(&e, ext1, sizeof(e));
2048 	ikev2_pay_print(ndo, "sa", e.critical);
2049 
2050 	/*
2051 	 * ikev2_sub0_print() guarantees that this is >= 4.
2052 	 */
2053 	osa_length= ntohs(e.len);
2054 	sa_length = osa_length - 4;
2055 	ND_PRINT((ndo," len=%d", sa_length));
2056 
2057 	/*
2058 	 * Print the payloads.
2059 	 */
2060 	cp = (const u_char *)(ext1 + 1);
2061 	pcount = 0;
2062 	for (np = ISAKMP_NPTYPE_P; np != 0; np = e.np) {
2063 		pcount++;
2064 		ext = (const struct isakmp_gen *)cp;
2065 		if (sa_length < sizeof(*ext))
2066 			goto toolong;
2067 		ND_TCHECK(*ext);
2068 
2069 		UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2070 
2071 		/*
2072 		 * Since we can't have a payload length of less than 4 bytes,
2073 		 * we need to bail out here if the generic header is nonsensical
2074 		 * or truncated, otherwise we could loop forever processing
2075 		 * zero-length items or otherwise misdissect the packet.
2076 		 */
2077 		item_len = ntohs(e.len);
2078 		if (item_len <= 4)
2079 			goto trunc;
2080 
2081 		if (sa_length < item_len)
2082 			goto toolong;
2083 		ND_TCHECK2(*cp, item_len);
2084 
2085 		depth++;
2086 		ND_PRINT((ndo,"\n"));
2087 		for (i = 0; i < depth; i++)
2088 			ND_PRINT((ndo,"    "));
2089 		ND_PRINT((ndo,"("));
2090 		if (np == ISAKMP_NPTYPE_P) {
2091 			cp = ikev2_p_print(ndo, np, pcount, ext, item_len,
2092 					   ep, depth);
2093 			if (cp == NULL) {
2094 				/* error, already reported */
2095 				return NULL;
2096 			}
2097 		} else {
2098 			ND_PRINT((ndo, "%s", NPSTR(np)));
2099 			cp += item_len;
2100 		}
2101 		ND_PRINT((ndo,")"));
2102 		depth--;
2103 		sa_length -= item_len;
2104 	}
2105 	return cp;
2106 toolong:
2107 	/*
2108 	 * Skip the rest of the SA.
2109 	 */
2110 	cp += sa_length;
2111 	ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2112 	return cp;
2113 trunc:
2114 	ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2115 	return NULL;
2116 }
2117 
2118 static const u_char *
ikev2_ke_print(netdissect_options * ndo,u_char tpay,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep _U_,uint32_t phase _U_,uint32_t doi _U_,uint32_t proto _U_,int depth _U_)2119 ikev2_ke_print(netdissect_options *ndo, u_char tpay,
2120 		const struct isakmp_gen *ext,
2121 		u_int item_len _U_, const u_char *ep _U_,
2122 		uint32_t phase _U_, uint32_t doi _U_,
2123 		uint32_t proto _U_, int depth _U_)
2124 {
2125 	struct ikev2_ke ke;
2126 	const struct ikev2_ke *k;
2127 
2128 	k = (const struct ikev2_ke *)ext;
2129 	ND_TCHECK(*ext);
2130 	UNALIGNED_MEMCPY(&ke, ext, sizeof(ke));
2131 	ikev2_pay_print(ndo, NPSTR(tpay), ke.h.critical);
2132 
2133 	ND_PRINT((ndo," len=%u group=%s", ntohs(ke.h.len) - 8,
2134 		  STR_OR_ID(ntohs(ke.ke_group), dh_p_map)));
2135 
2136 	if (2 < ndo->ndo_vflag && 8 < ntohs(ke.h.len)) {
2137 		ND_PRINT((ndo," "));
2138 		if (!rawprint(ndo, (const uint8_t *)(k + 1), ntohs(ke.h.len) - 8))
2139 			goto trunc;
2140 	}
2141 	return (const u_char *)ext + ntohs(ke.h.len);
2142 trunc:
2143 	ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2144 	return NULL;
2145 }
2146 
2147 static const u_char *
ikev2_ID_print(netdissect_options * ndo,u_char tpay,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep _U_,uint32_t phase _U_,uint32_t doi _U_,uint32_t proto _U_,int depth _U_)2148 ikev2_ID_print(netdissect_options *ndo, u_char tpay,
2149 		const struct isakmp_gen *ext,
2150 		u_int item_len _U_, const u_char *ep _U_,
2151 		uint32_t phase _U_, uint32_t doi _U_,
2152 		uint32_t proto _U_, int depth _U_)
2153 {
2154 	struct ikev2_id id;
2155 	int id_len, idtype_len, i;
2156 	unsigned int dumpascii, dumphex;
2157 	const unsigned char *typedata;
2158 
2159 	ND_TCHECK(*ext);
2160 	UNALIGNED_MEMCPY(&id, ext, sizeof(id));
2161 	ikev2_pay_print(ndo, NPSTR(tpay), id.h.critical);
2162 
2163 	id_len = ntohs(id.h.len);
2164 
2165 	ND_PRINT((ndo," len=%d", id_len - 4));
2166 	if (2 < ndo->ndo_vflag && 4 < id_len) {
2167 		ND_PRINT((ndo," "));
2168 		if (!rawprint(ndo, (const uint8_t *)(ext + 1), id_len - 4))
2169 			goto trunc;
2170 	}
2171 
2172 	idtype_len =id_len - sizeof(struct ikev2_id);
2173 	dumpascii = 0;
2174 	dumphex   = 0;
2175 	typedata  = (const unsigned char *)(ext)+sizeof(struct ikev2_id);
2176 
2177 	switch(id.type) {
2178 	case ID_IPV4_ADDR:
2179 		ND_PRINT((ndo, " ipv4:"));
2180 		dumphex=1;
2181 		break;
2182 	case ID_FQDN:
2183 		ND_PRINT((ndo, " fqdn:"));
2184 		dumpascii=1;
2185 		break;
2186 	case ID_RFC822_ADDR:
2187 		ND_PRINT((ndo, " rfc822:"));
2188 		dumpascii=1;
2189 		break;
2190 	case ID_IPV6_ADDR:
2191 		ND_PRINT((ndo, " ipv6:"));
2192 		dumphex=1;
2193 		break;
2194 	case ID_DER_ASN1_DN:
2195 		ND_PRINT((ndo, " dn:"));
2196 		dumphex=1;
2197 		break;
2198 	case ID_DER_ASN1_GN:
2199 		ND_PRINT((ndo, " gn:"));
2200 		dumphex=1;
2201 		break;
2202 	case ID_KEY_ID:
2203 		ND_PRINT((ndo, " keyid:"));
2204 		dumphex=1;
2205 		break;
2206 	}
2207 
2208 	if(dumpascii) {
2209 		ND_TCHECK2(*typedata, idtype_len);
2210 		for(i=0; i<idtype_len; i++) {
2211 			if(ND_ISPRINT(typedata[i])) {
2212 				ND_PRINT((ndo, "%c", typedata[i]));
2213 			} else {
2214 				ND_PRINT((ndo, "."));
2215 			}
2216 		}
2217 	}
2218 	if(dumphex) {
2219 		if (!rawprint(ndo, (const uint8_t *)typedata, idtype_len))
2220 			goto trunc;
2221 	}
2222 
2223 	return (const u_char *)ext + id_len;
2224 trunc:
2225 	ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2226 	return NULL;
2227 }
2228 
2229 static const u_char *
ikev2_cert_print(netdissect_options * ndo,u_char tpay,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep _U_,uint32_t phase _U_,uint32_t doi _U_,uint32_t proto _U_,int depth _U_)2230 ikev2_cert_print(netdissect_options *ndo, u_char tpay,
2231 		const struct isakmp_gen *ext,
2232 		u_int item_len _U_, const u_char *ep _U_,
2233 		uint32_t phase _U_, uint32_t doi _U_,
2234 		uint32_t proto _U_, int depth _U_)
2235 {
2236 	return ikev2_gen_print(ndo, tpay, ext);
2237 }
2238 
2239 static const u_char *
ikev2_cr_print(netdissect_options * ndo,u_char tpay,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep _U_,uint32_t phase _U_,uint32_t doi _U_,uint32_t proto _U_,int depth _U_)2240 ikev2_cr_print(netdissect_options *ndo, u_char tpay,
2241 		const struct isakmp_gen *ext,
2242 		u_int item_len _U_, const u_char *ep _U_,
2243 		uint32_t phase _U_, uint32_t doi _U_,
2244 		uint32_t proto _U_, int depth _U_)
2245 {
2246 	return ikev2_gen_print(ndo, tpay, ext);
2247 }
2248 
2249 static const u_char *
ikev2_auth_print(netdissect_options * ndo,u_char tpay,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep,uint32_t phase _U_,uint32_t doi _U_,uint32_t proto _U_,int depth _U_)2250 ikev2_auth_print(netdissect_options *ndo, u_char tpay,
2251 		const struct isakmp_gen *ext,
2252 		u_int item_len _U_, const u_char *ep,
2253 		uint32_t phase _U_, uint32_t doi _U_,
2254 		uint32_t proto _U_, int depth _U_)
2255 {
2256 	struct ikev2_auth a;
2257 	const char *v2_auth[]={ "invalid", "rsasig",
2258 				"shared-secret", "dsssig" };
2259 	const u_char *authdata = (const u_char*)ext + sizeof(a);
2260 	unsigned int len;
2261 
2262 	ND_TCHECK(*ext);
2263 	UNALIGNED_MEMCPY(&a, ext, sizeof(a));
2264 	ikev2_pay_print(ndo, NPSTR(tpay), a.h.critical);
2265 	len = ntohs(a.h.len);
2266 
2267 	ND_PRINT((ndo," len=%d method=%s", len-4,
2268 		  STR_OR_ID(a.auth_method, v2_auth)));
2269 
2270 	if (1 < ndo->ndo_vflag && 4 < len) {
2271 		ND_PRINT((ndo," authdata=("));
2272 		if (!rawprint(ndo, (const uint8_t *)authdata, len - sizeof(a)))
2273 			goto trunc;
2274 		ND_PRINT((ndo,") "));
2275 	} else if(ndo->ndo_vflag && 4 < len) {
2276 		if(!ike_show_somedata(ndo, authdata, ep)) goto trunc;
2277 	}
2278 
2279 	return (const u_char *)ext + len;
2280 trunc:
2281 	ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2282 	return NULL;
2283 }
2284 
2285 static const u_char *
ikev2_nonce_print(netdissect_options * ndo,u_char tpay,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep,uint32_t phase _U_,uint32_t doi _U_,uint32_t proto _U_,int depth _U_)2286 ikev2_nonce_print(netdissect_options *ndo, u_char tpay,
2287 		const struct isakmp_gen *ext,
2288 		u_int item_len _U_, const u_char *ep,
2289 		uint32_t phase _U_, uint32_t doi _U_,
2290 		uint32_t proto _U_, int depth _U_)
2291 {
2292 	struct isakmp_gen e;
2293 
2294 	ND_TCHECK(*ext);
2295 	UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2296 	ikev2_pay_print(ndo, "nonce", e.critical);
2297 
2298 	ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
2299 	if (1 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
2300 		ND_PRINT((ndo," nonce=("));
2301 		if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
2302 			goto trunc;
2303 		ND_PRINT((ndo,") "));
2304 	} else if(ndo->ndo_vflag && 4 < ntohs(e.len)) {
2305 		if(!ike_show_somedata(ndo, (const u_char *)(ext+1), ep)) goto trunc;
2306 	}
2307 
2308 	return (const u_char *)ext + ntohs(e.len);
2309 trunc:
2310 	ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2311 	return NULL;
2312 }
2313 
2314 /* notify payloads */
2315 static const u_char *
ikev2_n_print(netdissect_options * ndo,u_char tpay _U_,const struct isakmp_gen * ext,u_int item_len,const u_char * ep,uint32_t phase _U_,uint32_t doi _U_,uint32_t proto _U_,int depth _U_)2316 ikev2_n_print(netdissect_options *ndo, u_char tpay _U_,
2317 		const struct isakmp_gen *ext,
2318 		u_int item_len, const u_char *ep,
2319 		uint32_t phase _U_, uint32_t doi _U_,
2320 		uint32_t proto _U_, int depth _U_)
2321 {
2322 	const struct ikev2_n *p;
2323 	struct ikev2_n n;
2324 	const u_char *cp;
2325 	u_char showspi, showdata, showsomedata;
2326 	const char *notify_name;
2327 	uint32_t type;
2328 
2329 	p = (const struct ikev2_n *)ext;
2330 	ND_TCHECK(*p);
2331 	UNALIGNED_MEMCPY(&n, ext, sizeof(n));
2332 	ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_N), n.h.critical);
2333 
2334 	showspi = 1;
2335 	showdata = 0;
2336 	showsomedata=0;
2337 	notify_name=NULL;
2338 
2339 	ND_PRINT((ndo," prot_id=%s", PROTOIDSTR(n.prot_id)));
2340 
2341 	type = ntohs(n.type);
2342 
2343 	/* notify space is annoying sparse */
2344 	switch(type) {
2345 	case IV2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD:
2346 		notify_name = "unsupported_critical_payload";
2347 		showspi = 0;
2348 		break;
2349 
2350 	case IV2_NOTIFY_INVALID_IKE_SPI:
2351 		notify_name = "invalid_ike_spi";
2352 		showspi = 1;
2353 		break;
2354 
2355 	case IV2_NOTIFY_INVALID_MAJOR_VERSION:
2356 		notify_name = "invalid_major_version";
2357 		showspi = 0;
2358 		break;
2359 
2360 	case IV2_NOTIFY_INVALID_SYNTAX:
2361 		notify_name = "invalid_syntax";
2362 		showspi = 1;
2363 		break;
2364 
2365 	case IV2_NOTIFY_INVALID_MESSAGE_ID:
2366 		notify_name = "invalid_message_id";
2367 		showspi = 1;
2368 		break;
2369 
2370 	case IV2_NOTIFY_INVALID_SPI:
2371 		notify_name = "invalid_spi";
2372 		showspi = 1;
2373 		break;
2374 
2375 	case IV2_NOTIFY_NO_PROPOSAL_CHOSEN:
2376 		notify_name = "no_protocol_chosen";
2377 		showspi = 1;
2378 		break;
2379 
2380 	case IV2_NOTIFY_INVALID_KE_PAYLOAD:
2381 		notify_name = "invalid_ke_payload";
2382 		showspi = 1;
2383 		break;
2384 
2385 	case IV2_NOTIFY_AUTHENTICATION_FAILED:
2386 		notify_name = "authentication_failed";
2387 		showspi = 1;
2388 		break;
2389 
2390 	case IV2_NOTIFY_SINGLE_PAIR_REQUIRED:
2391 		notify_name = "single_pair_required";
2392 		showspi = 1;
2393 		break;
2394 
2395 	case IV2_NOTIFY_NO_ADDITIONAL_SAS:
2396 		notify_name = "no_additional_sas";
2397 		showspi = 0;
2398 		break;
2399 
2400 	case IV2_NOTIFY_INTERNAL_ADDRESS_FAILURE:
2401 		notify_name = "internal_address_failure";
2402 		showspi = 0;
2403 		break;
2404 
2405 	case IV2_NOTIFY_FAILED_CP_REQUIRED:
2406 		notify_name = "failed:cp_required";
2407 		showspi = 0;
2408 		break;
2409 
2410 	case IV2_NOTIFY_INVALID_SELECTORS:
2411 		notify_name = "invalid_selectors";
2412 		showspi = 0;
2413 		break;
2414 
2415 	case IV2_NOTIFY_INITIAL_CONTACT:
2416 		notify_name = "initial_contact";
2417 		showspi = 0;
2418 		break;
2419 
2420 	case IV2_NOTIFY_SET_WINDOW_SIZE:
2421 		notify_name = "set_window_size";
2422 		showspi = 0;
2423 		break;
2424 
2425 	case IV2_NOTIFY_ADDITIONAL_TS_POSSIBLE:
2426 		notify_name = "additional_ts_possible";
2427 		showspi = 0;
2428 		break;
2429 
2430 	case IV2_NOTIFY_IPCOMP_SUPPORTED:
2431 		notify_name = "ipcomp_supported";
2432 		showspi = 0;
2433 		break;
2434 
2435 	case IV2_NOTIFY_NAT_DETECTION_SOURCE_IP:
2436 		notify_name = "nat_detection_source_ip";
2437 		showspi = 1;
2438 		break;
2439 
2440 	case IV2_NOTIFY_NAT_DETECTION_DESTINATION_IP:
2441 		notify_name = "nat_detection_destination_ip";
2442 		showspi = 1;
2443 		break;
2444 
2445 	case IV2_NOTIFY_COOKIE:
2446 		notify_name = "cookie";
2447 		showspi = 1;
2448 		showsomedata= 1;
2449 		showdata= 0;
2450 		break;
2451 
2452 	case IV2_NOTIFY_USE_TRANSPORT_MODE:
2453 		notify_name = "use_transport_mode";
2454 		showspi = 0;
2455 		break;
2456 
2457 	case IV2_NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED:
2458 		notify_name = "http_cert_lookup_supported";
2459 		showspi = 0;
2460 		break;
2461 
2462 	case IV2_NOTIFY_REKEY_SA:
2463 		notify_name = "rekey_sa";
2464 		showspi = 1;
2465 		break;
2466 
2467 	case IV2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED:
2468 		notify_name = "tfc_padding_not_supported";
2469 		showspi = 0;
2470 		break;
2471 
2472 	case IV2_NOTIFY_NON_FIRST_FRAGMENTS_ALSO:
2473 		notify_name = "non_first_fragment_also";
2474 		showspi = 0;
2475 		break;
2476 
2477 	default:
2478 		if (type < 8192) {
2479 			notify_name="error";
2480 		} else if(type < 16384) {
2481 			notify_name="private-error";
2482 		} else if(type < 40960) {
2483 			notify_name="status";
2484 		} else {
2485 			notify_name="private-status";
2486 		}
2487 	}
2488 
2489 	if(notify_name) {
2490 		ND_PRINT((ndo," type=%u(%s)", type, notify_name));
2491 	}
2492 
2493 
2494 	if (showspi && n.spi_size) {
2495 		ND_PRINT((ndo," spi="));
2496 		if (!rawprint(ndo, (const uint8_t *)(p + 1), n.spi_size))
2497 			goto trunc;
2498 	}
2499 
2500 	cp = (const u_char *)(p + 1) + n.spi_size;
2501 
2502 	if(3 < ndo->ndo_vflag) {
2503 		showdata = 1;
2504 	}
2505 
2506 	if ((showdata || (showsomedata && ep-cp < 30)) && cp < ep) {
2507 		ND_PRINT((ndo," data=("));
2508 		if (!rawprint(ndo, (const uint8_t *)(cp), ep - cp))
2509 			goto trunc;
2510 
2511 		ND_PRINT((ndo,")"));
2512 
2513 	} else if(showsomedata && cp < ep) {
2514 		if(!ike_show_somedata(ndo, cp, ep)) goto trunc;
2515 	}
2516 
2517 	return (const u_char *)ext + item_len;
2518 trunc:
2519 	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_N)));
2520 	return NULL;
2521 }
2522 
2523 static const u_char *
ikev2_d_print(netdissect_options * ndo,u_char tpay,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep _U_,uint32_t phase _U_,uint32_t doi _U_,uint32_t proto _U_,int depth _U_)2524 ikev2_d_print(netdissect_options *ndo, u_char tpay,
2525 		const struct isakmp_gen *ext,
2526 		u_int item_len _U_, const u_char *ep _U_,
2527 		uint32_t phase _U_, uint32_t doi _U_,
2528 		uint32_t proto _U_, int depth _U_)
2529 {
2530 	return ikev2_gen_print(ndo, tpay, ext);
2531 }
2532 
2533 static const u_char *
ikev2_vid_print(netdissect_options * ndo,u_char tpay,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep _U_,uint32_t phase _U_,uint32_t doi _U_,uint32_t proto _U_,int depth _U_)2534 ikev2_vid_print(netdissect_options *ndo, u_char tpay,
2535 		const struct isakmp_gen *ext,
2536 		u_int item_len _U_, const u_char *ep _U_,
2537 		uint32_t phase _U_, uint32_t doi _U_,
2538 		uint32_t proto _U_, int depth _U_)
2539 {
2540 	struct isakmp_gen e;
2541 	const u_char *vid;
2542 	int i, len;
2543 
2544 	ND_TCHECK(*ext);
2545 	UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2546 	ikev2_pay_print(ndo, NPSTR(tpay), e.critical);
2547 	ND_PRINT((ndo," len=%d vid=", ntohs(e.len) - 4));
2548 
2549 	vid = (const u_char *)(ext+1);
2550 	len = ntohs(e.len) - 4;
2551 	ND_TCHECK2(*vid, len);
2552 	for(i=0; i<len; i++) {
2553 		if(ND_ISPRINT(vid[i])) ND_PRINT((ndo, "%c", vid[i]));
2554 		else ND_PRINT((ndo, "."));
2555 	}
2556 	if (2 < ndo->ndo_vflag && 4 < len) {
2557 		ND_PRINT((ndo," "));
2558 		if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
2559 			goto trunc;
2560 	}
2561 	return (const u_char *)ext + ntohs(e.len);
2562 trunc:
2563 	ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2564 	return NULL;
2565 }
2566 
2567 static const u_char *
ikev2_TS_print(netdissect_options * ndo,u_char tpay,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep _U_,uint32_t phase _U_,uint32_t doi _U_,uint32_t proto _U_,int depth _U_)2568 ikev2_TS_print(netdissect_options *ndo, u_char tpay,
2569 		const struct isakmp_gen *ext,
2570 		u_int item_len _U_, const u_char *ep _U_,
2571 		uint32_t phase _U_, uint32_t doi _U_,
2572 		uint32_t proto _U_, int depth _U_)
2573 {
2574 	return ikev2_gen_print(ndo, tpay, ext);
2575 }
2576 
2577 static const u_char *
ikev2_e_print(netdissect_options * ndo,_U_ struct isakmp * base,u_char tpay,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep _U_,_U_ uint32_t phase,_U_ uint32_t doi,_U_ uint32_t proto,_U_ int depth)2578 ikev2_e_print(netdissect_options *ndo,
2579 #ifndef HAVE_LIBCRYPTO
2580 	      _U_
2581 #endif
2582 	      struct isakmp *base,
2583 	      u_char tpay,
2584 	      const struct isakmp_gen *ext,
2585 	      u_int item_len _U_, const u_char *ep _U_,
2586 #ifndef HAVE_LIBCRYPTO
2587 	      _U_
2588 #endif
2589 	      uint32_t phase,
2590 #ifndef HAVE_LIBCRYPTO
2591 	      _U_
2592 #endif
2593 	      uint32_t doi,
2594 #ifndef HAVE_LIBCRYPTO
2595 	      _U_
2596 #endif
2597 	      uint32_t proto,
2598 #ifndef HAVE_LIBCRYPTO
2599 	      _U_
2600 #endif
2601 	      int depth)
2602 {
2603 	struct isakmp_gen e;
2604 	const u_char *dat;
2605 	volatile int dlen;
2606 
2607 	ND_TCHECK(*ext);
2608 	UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2609 	ikev2_pay_print(ndo, NPSTR(tpay), e.critical);
2610 
2611 	dlen = ntohs(e.len)-4;
2612 
2613 	ND_PRINT((ndo," len=%d", dlen));
2614 	if (2 < ndo->ndo_vflag && 4 < dlen) {
2615 		ND_PRINT((ndo," "));
2616 		if (!rawprint(ndo, (const uint8_t *)(ext + 1), dlen))
2617 			goto trunc;
2618 	}
2619 
2620 	dat = (const u_char *)(ext+1);
2621 	ND_TCHECK2(*dat, dlen);
2622 
2623 #ifdef HAVE_LIBCRYPTO
2624 	/* try to decypt it! */
2625 	if(esp_print_decrypt_buffer_by_ikev2(ndo,
2626 					     base->flags & ISAKMP_FLAG_I,
2627 					     base->i_ck, base->r_ck,
2628 					     dat, dat+dlen)) {
2629 
2630 		ext = (const struct isakmp_gen *)ndo->ndo_packetp;
2631 
2632 		/* got it decrypted, print stuff inside. */
2633 		ikev2_sub_print(ndo, base, e.np, ext, ndo->ndo_snapend,
2634 				phase, doi, proto, depth+1);
2635 	}
2636 #endif
2637 
2638 
2639 	/* always return NULL, because E must be at end, and NP refers
2640 	 * to what was inside.
2641 	 */
2642 	return NULL;
2643 trunc:
2644 	ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2645 	return NULL;
2646 }
2647 
2648 static const u_char *
ikev2_cp_print(netdissect_options * ndo,u_char tpay,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep _U_,uint32_t phase _U_,uint32_t doi _U_,uint32_t proto _U_,int depth _U_)2649 ikev2_cp_print(netdissect_options *ndo, u_char tpay,
2650 		const struct isakmp_gen *ext,
2651 		u_int item_len _U_, const u_char *ep _U_,
2652 		uint32_t phase _U_, uint32_t doi _U_,
2653 		uint32_t proto _U_, int depth _U_)
2654 {
2655 	return ikev2_gen_print(ndo, tpay, ext);
2656 }
2657 
2658 static const u_char *
ikev2_eap_print(netdissect_options * ndo,u_char tpay,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep _U_,uint32_t phase _U_,uint32_t doi _U_,uint32_t proto _U_,int depth _U_)2659 ikev2_eap_print(netdissect_options *ndo, u_char tpay,
2660 		const struct isakmp_gen *ext,
2661 		u_int item_len _U_, const u_char *ep _U_,
2662 		uint32_t phase _U_, uint32_t doi _U_,
2663 		uint32_t proto _U_, int depth _U_)
2664 {
2665 	return ikev2_gen_print(ndo, tpay, ext);
2666 }
2667 
2668 static const u_char *
ike_sub0_print(netdissect_options * ndo,u_char np,const struct isakmp_gen * ext,const u_char * ep,uint32_t phase,uint32_t doi,uint32_t proto,int depth)2669 ike_sub0_print(netdissect_options *ndo,
2670 		 u_char np, const struct isakmp_gen *ext, const u_char *ep,
2671 
2672 	       uint32_t phase, uint32_t doi, uint32_t proto, int depth)
2673 {
2674 	const u_char *cp;
2675 	struct isakmp_gen e;
2676 	u_int item_len;
2677 
2678 	cp = (const u_char *)ext;
2679 	ND_TCHECK(*ext);
2680 	UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2681 
2682 	/*
2683 	 * Since we can't have a payload length of less than 4 bytes,
2684 	 * we need to bail out here if the generic header is nonsensical
2685 	 * or truncated, otherwise we could loop forever processing
2686 	 * zero-length items or otherwise misdissect the packet.
2687 	 */
2688 	item_len = ntohs(e.len);
2689 	if (item_len <= 4)
2690 		return NULL;
2691 
2692 	if (NPFUNC(np)) {
2693 		/*
2694 		 * XXX - what if item_len is too short, or too long,
2695 		 * for this payload type?
2696 		 */
2697 		cp = (*npfunc[np])(ndo, np, ext, item_len, ep, phase, doi, proto, depth);
2698 	} else {
2699 		ND_PRINT((ndo,"%s", NPSTR(np)));
2700 		cp += item_len;
2701 	}
2702 
2703 	return cp;
2704 trunc:
2705 	ND_PRINT((ndo," [|isakmp]"));
2706 	return NULL;
2707 }
2708 
2709 static const u_char *
ikev1_sub_print(netdissect_options * ndo,u_char np,const struct isakmp_gen * ext,const u_char * ep,uint32_t phase,uint32_t doi,uint32_t proto,int depth)2710 ikev1_sub_print(netdissect_options *ndo,
2711 		u_char np, const struct isakmp_gen *ext, const u_char *ep,
2712 		uint32_t phase, uint32_t doi, uint32_t proto, int depth)
2713 {
2714 	const u_char *cp;
2715 	int i;
2716 	struct isakmp_gen e;
2717 
2718 	cp = (const u_char *)ext;
2719 
2720 	while (np) {
2721 		ND_TCHECK(*ext);
2722 
2723 		UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2724 
2725 		ND_TCHECK2(*ext, ntohs(e.len));
2726 
2727 		depth++;
2728 		ND_PRINT((ndo,"\n"));
2729 		for (i = 0; i < depth; i++)
2730 			ND_PRINT((ndo,"    "));
2731 		ND_PRINT((ndo,"("));
2732 		cp = ike_sub0_print(ndo, np, ext, ep, phase, doi, proto, depth);
2733 		ND_PRINT((ndo,")"));
2734 		depth--;
2735 
2736 		if (cp == NULL) {
2737 			/* Zero-length subitem */
2738 			return NULL;
2739 		}
2740 
2741 		np = e.np;
2742 		ext = (const struct isakmp_gen *)cp;
2743 	}
2744 	return cp;
2745 trunc:
2746 	ND_PRINT((ndo," [|%s]", NPSTR(np)));
2747 	return NULL;
2748 }
2749 
2750 static char *
numstr(int x)2751 numstr(int x)
2752 {
2753 	static char buf[20];
2754 	snprintf(buf, sizeof(buf), "#%d", x);
2755 	return buf;
2756 }
2757 
2758 static void
ikev1_print(netdissect_options * ndo,const u_char * bp,u_int length,const u_char * bp2,struct isakmp * base)2759 ikev1_print(netdissect_options *ndo,
2760 	    const u_char *bp,  u_int length,
2761 	    const u_char *bp2, struct isakmp *base)
2762 {
2763 	const struct isakmp *p;
2764 	const u_char *ep;
2765 	u_char np;
2766 	int i;
2767 	int phase;
2768 
2769 	p = (const struct isakmp *)bp;
2770 	ep = ndo->ndo_snapend;
2771 
2772 	phase = (EXTRACT_32BITS(base->msgid) == 0) ? 1 : 2;
2773 	if (phase == 1)
2774 		ND_PRINT((ndo," phase %d", phase));
2775 	else
2776 		ND_PRINT((ndo," phase %d/others", phase));
2777 
2778 	i = cookie_find(&base->i_ck);
2779 	if (i < 0) {
2780 		if (iszero((const u_char *)&base->r_ck, sizeof(base->r_ck))) {
2781 			/* the first packet */
2782 			ND_PRINT((ndo," I"));
2783 			if (bp2)
2784 				cookie_record(&base->i_ck, bp2);
2785 		} else
2786 			ND_PRINT((ndo," ?"));
2787 	} else {
2788 		if (bp2 && cookie_isinitiator(i, bp2))
2789 			ND_PRINT((ndo," I"));
2790 		else if (bp2 && cookie_isresponder(i, bp2))
2791 			ND_PRINT((ndo," R"));
2792 		else
2793 			ND_PRINT((ndo," ?"));
2794 	}
2795 
2796 	ND_PRINT((ndo," %s", ETYPESTR(base->etype)));
2797 	if (base->flags) {
2798 		ND_PRINT((ndo,"[%s%s]", base->flags & ISAKMP_FLAG_E ? "E" : "",
2799 			  base->flags & ISAKMP_FLAG_C ? "C" : ""));
2800 	}
2801 
2802 	if (ndo->ndo_vflag) {
2803 		const struct isakmp_gen *ext;
2804 
2805 		ND_PRINT((ndo,":"));
2806 
2807 		/* regardless of phase... */
2808 		if (base->flags & ISAKMP_FLAG_E) {
2809 			/*
2810 			 * encrypted, nothing we can do right now.
2811 			 * we hope to decrypt the packet in the future...
2812 			 */
2813 			ND_PRINT((ndo," [encrypted %s]", NPSTR(base->np)));
2814 			goto done;
2815 		}
2816 
2817 		CHECKLEN(p + 1, base->np);
2818 		np = base->np;
2819 		ext = (const struct isakmp_gen *)(p + 1);
2820 		ikev1_sub_print(ndo, np, ext, ep, phase, 0, 0, 0);
2821 	}
2822 
2823 done:
2824 	if (ndo->ndo_vflag) {
2825 		if (ntohl(base->len) != length) {
2826 			ND_PRINT((ndo," (len mismatch: isakmp %u/ip %u)",
2827 				  (uint32_t)ntohl(base->len), length));
2828 		}
2829 	}
2830 }
2831 
2832 static const u_char *
ikev2_sub0_print(netdissect_options * ndo,struct isakmp * base,u_char np,const struct isakmp_gen * ext,const u_char * ep,uint32_t phase,uint32_t doi,uint32_t proto,int depth)2833 ikev2_sub0_print(netdissect_options *ndo, struct isakmp *base,
2834 		 u_char np,
2835 		 const struct isakmp_gen *ext, const u_char *ep,
2836 		 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
2837 {
2838 	const u_char *cp;
2839 	struct isakmp_gen e;
2840 	u_int item_len;
2841 
2842 	cp = (const u_char *)ext;
2843 	ND_TCHECK(*ext);
2844 	UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2845 
2846 	/*
2847 	 * Since we can't have a payload length of less than 4 bytes,
2848 	 * we need to bail out here if the generic header is nonsensical
2849 	 * or truncated, otherwise we could loop forever processing
2850 	 * zero-length items or otherwise misdissect the packet.
2851 	 */
2852 	item_len = ntohs(e.len);
2853 	if (item_len <= 4)
2854 		return NULL;
2855 
2856 	if (np == ISAKMP_NPTYPE_v2E) {
2857 		cp = ikev2_e_print(ndo, base, np, ext, item_len,
2858 				   ep, phase, doi, proto, depth);
2859 	} else if (NPFUNC(np)) {
2860 		/*
2861 		 * XXX - what if item_len is too short, or too long,
2862 		 * for this payload type?
2863 		 */
2864 		cp = (*npfunc[np])(ndo, np, ext, item_len,
2865 				   ep, phase, doi, proto, depth);
2866 	} else {
2867 		ND_PRINT((ndo,"%s", NPSTR(np)));
2868 		cp += item_len;
2869 	}
2870 
2871 	return cp;
2872 trunc:
2873 	ND_PRINT((ndo," [|isakmp]"));
2874 	return NULL;
2875 }
2876 
2877 static const u_char *
ikev2_sub_print(netdissect_options * ndo,struct isakmp * base,u_char np,const struct isakmp_gen * ext,const u_char * ep,uint32_t phase,uint32_t doi,uint32_t proto,int depth)2878 ikev2_sub_print(netdissect_options *ndo,
2879 		struct isakmp *base,
2880 		u_char np, const struct isakmp_gen *ext, const u_char *ep,
2881 		uint32_t phase, uint32_t doi, uint32_t proto, int depth)
2882 {
2883 	const u_char *cp;
2884 	int i;
2885 	struct isakmp_gen e;
2886 
2887 	cp = (const u_char *)ext;
2888 	while (np) {
2889 		ND_TCHECK(*ext);
2890 
2891 		UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2892 
2893 		ND_TCHECK2(*ext, ntohs(e.len));
2894 
2895 		depth++;
2896 		ND_PRINT((ndo,"\n"));
2897 		for (i = 0; i < depth; i++)
2898 			ND_PRINT((ndo,"    "));
2899 		ND_PRINT((ndo,"("));
2900 		cp = ikev2_sub0_print(ndo, base, np,
2901 				      ext, ep, phase, doi, proto, depth);
2902 		ND_PRINT((ndo,")"));
2903 		depth--;
2904 
2905 		if (cp == NULL) {
2906 			/* Zero-length subitem */
2907 			return NULL;
2908 		}
2909 
2910 		np = e.np;
2911 		ext = (const struct isakmp_gen *)cp;
2912 	}
2913 	return cp;
2914 trunc:
2915 	ND_PRINT((ndo," [|%s]", NPSTR(np)));
2916 	return NULL;
2917 }
2918 
2919 static void
ikev2_print(netdissect_options * ndo,const u_char * bp,u_int length,const u_char * bp2 _U_,struct isakmp * base)2920 ikev2_print(netdissect_options *ndo,
2921 	    const u_char *bp,  u_int length,
2922 	    const u_char *bp2 _U_, struct isakmp *base)
2923 {
2924 	const struct isakmp *p;
2925 	const u_char *ep;
2926 	u_char np;
2927 	int phase;
2928 
2929 	p = (const struct isakmp *)bp;
2930 	ep = ndo->ndo_snapend;
2931 
2932 	phase = (EXTRACT_32BITS(base->msgid) == 0) ? 1 : 2;
2933 	if (phase == 1)
2934 		ND_PRINT((ndo, " parent_sa"));
2935 	else
2936 		ND_PRINT((ndo, " child_sa "));
2937 
2938 	ND_PRINT((ndo, " %s", ETYPESTR(base->etype)));
2939 	if (base->flags) {
2940 		ND_PRINT((ndo, "[%s%s%s]",
2941 			  base->flags & ISAKMP_FLAG_I ? "I" : "",
2942 			  base->flags & ISAKMP_FLAG_V ? "V" : "",
2943 			  base->flags & ISAKMP_FLAG_R ? "R" : ""));
2944 	}
2945 
2946 	if (ndo->ndo_vflag) {
2947 		const struct isakmp_gen *ext;
2948 
2949 		ND_PRINT((ndo, ":"));
2950 
2951 		/* regardless of phase... */
2952 		if (base->flags & ISAKMP_FLAG_E) {
2953 			/*
2954 			 * encrypted, nothing we can do right now.
2955 			 * we hope to decrypt the packet in the future...
2956 			 */
2957 			ND_PRINT((ndo, " [encrypted %s]", NPSTR(base->np)));
2958 			goto done;
2959 		}
2960 
2961 		CHECKLEN(p + 1, base->np)
2962 
2963 		np = base->np;
2964 		ext = (const struct isakmp_gen *)(p + 1);
2965 		ikev2_sub_print(ndo, base, np, ext, ep, phase, 0, 0, 0);
2966 	}
2967 
2968 done:
2969 	if (ndo->ndo_vflag) {
2970 		if (ntohl(base->len) != length) {
2971 			ND_PRINT((ndo, " (len mismatch: isakmp %u/ip %u)",
2972 				  (uint32_t)ntohl(base->len), length));
2973 		}
2974 	}
2975 }
2976 
2977 void
isakmp_print(netdissect_options * ndo,const u_char * bp,u_int length,const u_char * bp2)2978 isakmp_print(netdissect_options *ndo,
2979 	     const u_char *bp, u_int length,
2980 	     const u_char *bp2)
2981 {
2982 	const struct isakmp *p;
2983 	struct isakmp base;
2984 	const u_char *ep;
2985 	int major, minor;
2986 
2987 #ifdef HAVE_LIBCRYPTO
2988 	/* initialize SAs */
2989 	if (ndo->ndo_sa_list_head == NULL) {
2990 		if (ndo->ndo_espsecret)
2991 			esp_print_decodesecret(ndo);
2992 	}
2993 #endif
2994 
2995 	p = (const struct isakmp *)bp;
2996 	ep = ndo->ndo_snapend;
2997 
2998 	if ((const struct isakmp *)ep < p + 1) {
2999 		ND_PRINT((ndo,"[|isakmp]"));
3000 		return;
3001 	}
3002 
3003 	UNALIGNED_MEMCPY(&base, p, sizeof(base));
3004 
3005 	ND_PRINT((ndo,"isakmp"));
3006 	major = (base.vers & ISAKMP_VERS_MAJOR)
3007 		>> ISAKMP_VERS_MAJOR_SHIFT;
3008 	minor = (base.vers & ISAKMP_VERS_MINOR)
3009 		>> ISAKMP_VERS_MINOR_SHIFT;
3010 
3011 	if (ndo->ndo_vflag) {
3012 		ND_PRINT((ndo," %d.%d", major, minor));
3013 	}
3014 
3015 	if (ndo->ndo_vflag) {
3016 		ND_PRINT((ndo," msgid "));
3017 		hexprint(ndo, (const uint8_t *)&base.msgid, sizeof(base.msgid));
3018 	}
3019 
3020 	if (1 < ndo->ndo_vflag) {
3021 		ND_PRINT((ndo," cookie "));
3022 		hexprint(ndo, (const uint8_t *)&base.i_ck, sizeof(base.i_ck));
3023 		ND_PRINT((ndo,"->"));
3024 		hexprint(ndo, (const uint8_t *)&base.r_ck, sizeof(base.r_ck));
3025 	}
3026 	ND_PRINT((ndo,":"));
3027 
3028 	switch(major) {
3029 	case IKEv1_MAJOR_VERSION:
3030 		ikev1_print(ndo, bp, length, bp2, &base);
3031 		break;
3032 
3033 	case IKEv2_MAJOR_VERSION:
3034 		ikev2_print(ndo, bp, length, bp2, &base);
3035 		break;
3036 	}
3037 }
3038 
3039 void
isakmp_rfc3948_print(netdissect_options * ndo,const u_char * bp,u_int length,const u_char * bp2)3040 isakmp_rfc3948_print(netdissect_options *ndo,
3041 		     const u_char *bp, u_int length,
3042 		     const u_char *bp2)
3043 {
3044 
3045 	if(length == 1 && bp[0]==0xff) {
3046 		ND_PRINT((ndo, "isakmp-nat-keep-alive"));
3047 		return;
3048 	}
3049 
3050 	if(length < 4) {
3051 		goto trunc;
3052 	}
3053 
3054 	/*
3055 	 * see if this is an IKE packet
3056 	 */
3057 	if(bp[0]==0 && bp[1]==0 && bp[2]==0 && bp[3]==0) {
3058 		ND_PRINT((ndo, "NONESP-encap: "));
3059 		isakmp_print(ndo, bp+4, length-4, bp2);
3060 		return;
3061 	}
3062 
3063 	/* must be an ESP packet */
3064 	{
3065 		int nh, enh, padlen;
3066 		int advance;
3067 
3068 		ND_PRINT((ndo, "UDP-encap: "));
3069 
3070 		advance = esp_print(ndo, bp, length, bp2, &enh, &padlen);
3071 		if(advance <= 0)
3072 			return;
3073 
3074 		bp += advance;
3075 		length -= advance + padlen;
3076 		nh = enh & 0xff;
3077 
3078 		ip_print_inner(ndo, bp, length, nh, bp2);
3079 		return;
3080 	}
3081 
3082 trunc:
3083 	ND_PRINT((ndo,"[|isakmp]"));
3084 	return;
3085 }
3086 
3087 /*
3088  * Local Variables:
3089  * c-style: whitesmith
3090  * c-basic-offset: 8
3091  * End:
3092  */
3093 
3094 
3095 
3096 
3097