From 203e1d5ebf378a77b8a365f628e927d86e453a1b Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Thu, 6 Dec 2007 15:31:44 +0000 Subject: [PATCH] - update IKEv2 support --- ...7-ikev2.patch => tcpdump-3.9.8-ikev2.patch | 2125 ++++++++++++----- tcpdump.spec | 9 +- 2 files changed, 1514 insertions(+), 620 deletions(-) rename tcpdump-3.9.7-ikev2.patch => tcpdump-3.9.8-ikev2.patch (73%) diff --git a/tcpdump-3.9.7-ikev2.patch b/tcpdump-3.9.8-ikev2.patch similarity index 73% rename from tcpdump-3.9.7-ikev2.patch rename to tcpdump-3.9.8-ikev2.patch index ed36a2b..4e9b9bb 100644 --- a/tcpdump-3.9.7-ikev2.patch +++ b/tcpdump-3.9.8-ikev2.patch @@ -1,317 +1,24 @@ -Index: tcpdump/interface.h -=================================================================== -RCS file: /tcpdump/master/tcpdump/interface.h,v -retrieving revision 1.278 -retrieving revision 1.279 -diff -u -r1.278 -r1.279 ---- tcpdump/interface.h 8 Aug 2007 17:20:58 -0000 1.278 -+++ tcpdump/interface.h 29 Aug 2007 12:31:00 -0000 1.279 -@@ -356,6 +356,7 @@ - - /* forward compatibility */ - -+#ifndef NETDISSECT_REWORKED - extern netdissect_options *gndo; - - #define eflag gndo->ndo_eflag -@@ -389,3 +390,4 @@ - #define snaplen gndo->ndo_snaplen - #define snapend gndo->ndo_snapend - -+#endif -Index: tcpdump/isakmp.h -=================================================================== -RCS file: /tcpdump/master/tcpdump/isakmp.h,v -retrieving revision 1.10 -retrieving revision 1.11 -diff -u -r1.10 -r1.11 ---- tcpdump/isakmp.h 11 Dec 2002 07:13:54 -0000 1.10 -+++ tcpdump/isakmp.h 29 Aug 2007 02:38:14 -0000 1.11 -@@ -81,7 +81,7 @@ - #define ISAKMP_TIMER_DEFAULT 10 /* seconds */ - #define ISAKMP_TRY_DEFAULT 3 /* times */ - --/* 3.1 ISAKMP Header Format -+/* 3.1 ISAKMP Header Format (IKEv1 and IKEv2) - 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - ! Initiator ! -@@ -128,8 +128,11 @@ - #define ISAKMP_NPTYPE_D 12 /* Delete */ - #define ISAKMP_NPTYPE_VID 13 /* Vendor ID */ - --#define ISAKMP_MAJOR_VERSION 1 --#define ISAKMP_MINOR_VERSION 0 -+#define IKEv1_MAJOR_VERSION 1 -+#define IKEv1_MINOR_VERSION 0 -+ -+#define IKEv2_MAJOR_VERSION 2 -+#define IKEv2_MINOR_VERSION 0 - - /* Exchange Type */ - #define ISAKMP_ETYPE_NONE 0 /* NONE */ -@@ -142,6 +145,13 @@ - /* Flags */ - #define ISAKMP_FLAG_E 0x01 /* Encryption Bit */ - #define ISAKMP_FLAG_C 0x02 /* Commit Bit */ -+#define ISAKMP_FLAG_extra 0x04 -+ -+/* IKEv2 */ -+#define ISAKMP_FLAG_I (1 << 3) /* (I)nitiator */ -+#define ISAKMP_FLAG_V (1 << 4) /* (V)ersion */ -+#define ISAKMP_FLAG_R (1 << 5) /* (R)esponse */ -+ - - /* 3.2 Payload Generic Header - 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 -@@ -151,7 +161,7 @@ - */ - struct isakmp_gen { - u_int8_t np; /* Next Payload */ -- u_int8_t reserved; /* RESERVED, unused, must set to 0 */ -+ u_int8_t critical; /* bit 7 - critical, rest is RESERVED */ - u_int16_t len; /* Payload Length */ - }; - -@@ -188,7 +198,7 @@ - message of a Base Exchange (see Section 4.4) and the value "0" in the - first message of an Identity Protect Exchange (see Section 4.5). - */ --struct isakmp_pl_sa { -+struct ikev1_pl_sa { - struct isakmp_gen h; - u_int32_t doi; /* Domain of Interpretation */ - u_int32_t sit; /* Situation */ -@@ -202,7 +212,7 @@ - last within the security association proposal, then this field will - be 0. - */ --struct isakmp_pl_p { -+struct ikev1_pl_p { - struct isakmp_gen h; - u_int8_t p_no; /* Proposal # */ - u_int8_t prot_id; /* Protocol */ -@@ -218,7 +228,7 @@ - then this field will be 3. If the current Transform payload is the - last within the proposal, then this field will be 0. - */ --struct isakmp_pl_t { -+struct ikev1_pl_t { - struct isakmp_gen h; - u_int8_t t_no; /* Transform # */ - u_int8_t t_id; /* Transform-Id */ -@@ -227,14 +237,14 @@ - }; - - /* 3.7 Key Exchange Payload */ --struct isakmp_pl_ke { -+struct ikev1_pl_ke { - struct isakmp_gen h; - /* Key Exchange Data */ - }; - - /* 3.8 Identification Payload */ - /* MUST NOT to be used, because of being defined in ipsec-doi. */ --struct isakmp_pl_id { -+struct ikev1_pl_id { - struct isakmp_gen h; - union { - u_int8_t id_type; /* ID Type */ -@@ -244,7 +254,7 @@ - }; - - /* 3.9 Certificate Payload */ --struct isakmp_pl_cert { -+struct ikev1_pl_cert { - struct isakmp_gen h; - u_int8_t encode; /* Cert Encoding */ - char cert; /* Certificate Data */ -@@ -268,7 +278,7 @@ - #define ISAKMP_CERT_SPKI 9 - - /* 3.10 Certificate Request Payload */ --struct isakmp_pl_cr { -+struct ikev1_pl_cr { - struct isakmp_gen h; - u_int8_t num_cert; /* # Cert. Types */ - /* -@@ -283,27 +293,27 @@ - - /* 3.11 Hash Payload */ - /* may not be used, because of having only data. */ --struct isakmp_pl_hash { -+struct ikev1_pl_hash { - struct isakmp_gen h; - /* Hash Data */ - }; - - /* 3.12 Signature Payload */ - /* may not be used, because of having only data. */ --struct isakmp_pl_sig { -+struct ikev1_pl_sig { - struct isakmp_gen h; - /* Signature Data */ - }; - - /* 3.13 Nonce Payload */ - /* may not be used, because of having only data. */ --struct isakmp_pl_nonce { -+struct ikev1_pl_nonce { - struct isakmp_gen h; - /* Nonce Data */ - }; - - /* 3.14 Notification Payload */ --struct isakmp_pl_n { -+struct ikev1_pl_n { - struct isakmp_gen h; - u_int32_t doi; /* Domain of Interpretation */ - u_int8_t prot_id; /* Protocol-ID */ -@@ -347,7 +357,7 @@ - #define ISAKMP_LOG_RETRY_LIMIT_REACHED 65530 - - /* 3.15 Delete Payload */ --struct isakmp_pl_d { -+struct ikev1_pl_d { - struct isakmp_gen h; - u_int32_t doi; /* Domain of Interpretation */ - u_int8_t prot_id; /* Protocol-Id */ -@@ -357,15 +367,15 @@ - }; - - --struct isakmp_ph1tab { -- struct isakmp_ph1 *head; -- struct isakmp_ph1 *tail; -+struct ikev1_ph1tab { -+ struct ikev1_ph1 *head; -+ struct ikev1_ph1 *tail; - int len; - }; - - struct isakmp_ph2tab { -- struct isakmp_ph2 *head; -- struct isakmp_ph2 *tail; -+ struct ikev1_ph2 *head; -+ struct ikev1_ph2 *tail; - int len; - }; - -@@ -375,4 +385,99 @@ - #define PFS_NEED 1 - #define PFS_NONEED 0 - -+/* IKEv2 (RFC4306) */ -+ -+/* 3.3 Security Association Payload -- generic header */ -+/* 3.3.1. Proposal Substructure */ -+struct ikev2_p { -+ struct isakmp_gen h; -+ u_int8_t p_no; /* Proposal # */ -+ u_int8_t prot_id; /* Protocol */ -+ u_int8_t spi_size; /* SPI Size */ -+ u_int8_t num_t; /* Number of Transforms */ -+}; -+ -+/* 3.3.2. Transform Substructure */ -+struct ikev2_t { -+ struct isakmp_gen h; -+ u_int8_t t_type; /* Transform Type (ENCR,PRF,INTEG,etc.*/ -+ u_int8_t res2; /* reserved byte */ -+ u_int16_t t_id; /* Transform ID */ -+}; -+ -+enum ikev2_t_type { -+ IV2_T_ENCR = 1, -+ IV2_T_PRF = 2, -+ IV2_T_INTEG= 3, -+ IV2_T_DH = 4, -+ IV2_T_ESN = 5, -+}; -+ -+/* 3.4. Key Exchange Payload */ -+struct ikev2_ke { -+ struct isakmp_gen h; -+ u_int16_t ke_group; -+ u_int16_t ke_res1; -+ /* KE data */ -+}; -+ -+ -+/* 3.10 Notification Payload */ -+struct ikev2_n { -+ struct isakmp_gen h; -+ u_int8_t prot_id; /* Protocol-ID */ -+ u_int8_t spi_size; /* SPI Size */ -+ u_int16_t type; /* Notify Message Type */ -+ /* SPI */ -+ /* Notification Data */ -+}; -+ -+enum ikev2_n_type { -+ IV2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD = 1, -+ IV2_NOTIFY_INVALID_IKE_SPI = 4, -+ IV2_NOTIFY_INVALID_MAJOR_VERSION = 5, -+ IV2_NOTIFY_INVALID_SYNTAX = 7, -+ IV2_NOTIFY_INVALID_MESSAGE_ID = 9, -+ IV2_NOTIFY_INVALID_SPI =11, -+ IV2_NOTIFY_NO_PROPOSAL_CHOSEN =14, -+ IV2_NOTIFY_INVALID_KE_PAYLOAD =17, -+ IV2_NOTIFY_AUTHENTICATION_FAILED =24, -+ IV2_NOTIFY_SINGLE_PAIR_REQUIRED =34, -+ IV2_NOTIFY_NO_ADDITIONAL_SAS =35, -+ IV2_NOTIFY_INTERNAL_ADDRESS_FAILURE =36, -+ IV2_NOTIFY_FAILED_CP_REQUIRED =37, -+ IV2_NOTIFY_INVALID_SELECTORS =39, -+ IV2_NOTIFY_INITIAL_CONTACT =16384, -+ IV2_NOTIFY_SET_WINDOW_SIZE =16385, -+ IV2_NOTIFY_ADDITIONAL_TS_POSSIBLE =16386, -+ IV2_NOTIFY_IPCOMP_SUPPORTED =16387, -+ IV2_NOTIFY_NAT_DETECTION_SOURCE_IP =16388, -+ IV2_NOTIFY_NAT_DETECTION_DESTINATION_IP =16389, -+ IV2_NOTIFY_COOKIE =16390, -+ IV2_NOTIFY_USE_TRANSPORT_MODE =16391, -+ IV2_NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED =16392, -+ IV2_NOTIFY_REKEY_SA =16393, -+ IV2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED =16394, -+ IV2_NOTIFY_NON_FIRST_FRAGMENTS_ALSO =16395 -+}; -+ -+struct notify_messages { -+ u_int16_t type; -+ char *msg; -+}; -+ -+/* 3.8 Notification Payload */ -+struct ikev2_auth { -+ struct isakmp_gen h; -+ u_int8_t auth_method; /* Protocol-ID */ -+ u_int8_t reserved[3]; -+ /* authentication data */ -+}; -+ -+enum ikev2_auth_type { -+ IV2_RSA_SIG = 1, -+ IV2_SHARED = 2, -+ IV2_DSS_SIG = 3, -+}; -+ - #endif /* !defined(_ISAKMP_H_) */ Index: tcpdump/print-isakmp.c =================================================================== RCS file: /tcpdump/master/tcpdump/print-isakmp.c,v -retrieving revision 1.53 -retrieving revision 1.56 -diff -u -r1.53 -r1.56 ---- tcpdump/print-isakmp.c 27 Aug 2006 18:48:29 -0000 1.53 -+++ tcpdump/print-isakmp.c 29 Aug 2007 12:31:00 -0000 1.56 -@@ -34,4 +34,5 @@ +retrieving revision 1.51 +retrieving revision 1.59 +diff -u -r1.51 -r1.59 +--- tcpdump/print-isakmp.c 7 Apr 2005 00:28:17 -0000 1.51 ++++ tcpdump/print-isakmp.c 27 Nov 2007 03:57:20 -0000 1.59 +@@ -30,9 +30,10 @@ + + #ifndef lint + static const char rcsid[] _U_ = +- "@(#) $Header: /tcpdump/master/tcpdump/print-isakmp.c,v 1.51 2005/04/07 00:28:17 mcr Exp $ (LBL)"; ++ "@(#) $Header: /tcpdump/master/tcpdump/print-isakmp.c,v 1.59 2007/11/27 03:57:20 mcr Exp $ (LBL)"; #endif +#define NETDISSECT_REWORKED #ifdef HAVE_CONFIG_H #include "config.h" -@@ -59,39 +60,64 @@ + #endif +@@ -59,39 +60,75 @@ #define sockaddr_storage sockaddr #endif @@ -376,10 +83,20 @@ diff -u -r1.53 -r1.56 +DECLARE_PRINTER(v2_d); +DECLARE_PRINTER(v2_vid); +DECLARE_PRINTER(v2_TS); -+DECLARE_PRINTER(v2_e); +DECLARE_PRINTER(v2_cp); +DECLARE_PRINTER(v2_eap); + ++static const u_char *ikev2_e_print(netdissect_options *ndo, ++ struct isakmp *base, ++ u_char tpay, ++ const struct isakmp_gen *ext, ++ u_int item_len, ++ const u_char *end_pointer, ++ u_int32_t phase, ++ u_int32_t doi0, ++ u_int32_t proto0, int depth); ++ ++ +static const u_char *ike_sub0_print(netdissect_options *ndo,u_char, const struct isakmp_gen *, const u_char *, u_int32_t, u_int32_t, u_int32_t, int); -static const u_char *isakmp_sub_print(u_char, const struct isakmp_gen *, @@ -387,6 +104,7 @@ diff -u -r1.53 -r1.56 const u_char *, u_int32_t, u_int32_t, u_int32_t, int); + +static const u_char *ikev2_sub_print(netdissect_options *ndo, ++ struct isakmp *base, + u_char np, const struct isakmp_gen *ext, + const u_char *ep, u_int32_t phase, + u_int32_t doi, u_int32_t proto, @@ -404,7 +122,7 @@ diff -u -r1.53 -r1.56 #define MAXINITIATORS 20 int ninitiator = 0; struct { -@@ -107,36 +133,73 @@ +@@ -107,36 +144,73 @@ /* isakmp->np */ static const char *npstr[] = { @@ -477,7 +195,7 @@ diff -u -r1.53 -r1.56 + ikev2_vid_print, /* 43 */ + ikev2_TS_print, /* 44 */ + ikev2_TS_print, /* 45 */ -+ ikev2_e_print, /* 46 */ ++ NULL, /* ikev2_e_print,*/ /* 46 - special */ + ikev2_cp_print, /* 47 */ + ikev2_eap_print, /* 48 */ }; @@ -500,7 +218,7 @@ diff -u -r1.53 -r1.56 }; #define STR_OR_ID(x, tab) \ -@@ -145,6 +208,13 @@ +@@ -145,6 +219,13 @@ #define NPSTR(x) STR_OR_ID(x, npstr) #define ETYPESTR(x) STR_OR_ID(x, etypestr) @@ -514,28 +232,39 @@ diff -u -r1.53 -r1.56 #define NPFUNC(x) \ (((x) < sizeof(npfunc)/sizeof(npfunc[0]) && npfunc[(x)]) \ ? npfunc[(x)] : NULL) -@@ -322,21 +392,54 @@ +@@ -321,18 +402,58 @@ + return 0; } - static int +-static int -rawprint(caddr_t loc, size_t len) -+rawprint(netdissect_options *ndo, caddr_t loc, size_t len) ++static void ++hexprint(netdissect_options *ndo, caddr_t loc, size_t len) { - static u_char *p; +- static u_char *p; ++ u_char *p; size_t i; - TCHECK2(*loc, len); -+ ND_TCHECK2(*loc, len); - +- p = (u_char *)loc; for (i = 0; i < len; i++) - printf("%02x", p[i] & 0xff); + ND_PRINT((ndo,"%02x", p[i] & 0xff)); - return 1; - trunc: - return 0; - } - ++} ++ ++static int ++rawprint(netdissect_options *ndo, caddr_t loc, size_t len) ++{ ++ ND_TCHECK2(*loc, len); ++ ++ hexprint(ndo, loc, len); ++ return 1; ++trunc: ++ return 0; ++} ++ ++ +/* + * returns false if we run out of data buffer + */ @@ -563,16 +292,12 @@ diff -u -r1.53 -r1.56 + if(!rawprint(ndo, (caddr_t)(end), elen)) goto trunc; + } + ND_PRINT((ndo,")")); -+ return 1; + return 1; + -+trunc: -+ return 0; -+} -+ - struct attrmap { - const char *type; - u_int nvalue; -@@ -344,8 +447,9 @@ + trunc: + return 0; + } +@@ -344,8 +465,9 @@ }; static const u_char * @@ -584,7 +309,7 @@ diff -u -r1.53 -r1.56 { u_int16_t *q; int totlen; -@@ -357,33 +461,33 @@ +@@ -357,33 +479,33 @@ else totlen = 4 + EXTRACT_16BITS(&q[1]); if (ep < p + totlen) { @@ -629,7 +354,7 @@ diff -u -r1.53 -r1.56 { u_int16_t *q; int totlen; -@@ -395,129 +499,166 @@ +@@ -395,129 +517,166 @@ else totlen = 4 + EXTRACT_16BITS(&q[1]); if (ep < p + totlen) { @@ -839,7 +564,31 @@ diff -u -r1.53 -r1.56 static const char *esp_p_map[] = { NULL, "1des-iv64", "1des", "3des", "rc5", "idea", "cast", "blowfish", "3idea", "1des-iv32", "rc4", "null", "aes" -@@ -554,6 +695,17 @@ +@@ -531,8 +690,21 @@ + { NULL, 0, { NULL } }, + { "lifetype", 3, { NULL, "sec", "kb", }, }, + { "life", 0, { NULL } }, +- { "group desc", 5, { NULL, "modp768", "modp1024", "EC2N 2^155", +- "EC2N 2^185", }, }, ++ { "group desc", 18, { NULL, "modp768", ++ "modp1024", /* group 2 */ ++ "EC2N 2^155", /* group 3 */ ++ "EC2N 2^185", /* group 4 */ ++ "modp1536", /* group 5 */ ++ "iana-grp06", "iana-grp07", /* reserved */ ++ "iana-grp08", "iana-grp09", ++ "iana-grp10", "iana-grp11", ++ "iana-grp12", "iana-grp13", ++ "modp2048", /* group 14 */ ++ "modp3072", /* group 15 */ ++ "modp4096", /* group 16 */ ++ "modp6144", /* group 17 */ ++ "modp8192", /* group 18 */ ++ }, }, + { "enc mode", 3, { NULL, "tunnel", "transport", }, }, + { "auth", 5, { NULL, "hmac-md5", "hmac-sha1", "1des-mac", "keyed", }, }, + { "keylen", 0, { NULL } }, +@@ -541,6 +713,17 @@ { "privalg", 0, { NULL } }, }; @@ -857,7 +606,31 @@ diff -u -r1.53 -r1.56 const struct attrmap oakley_t_map[] = { { NULL, 0, { NULL } }, { "enc", 8, { NULL, "1des", "idea", "blowfish", "rc5", -@@ -592,27 +744,28 @@ +@@ -549,8 +732,21 @@ + "sha2-256", "sha2-384", "sha2-512", }, }, + { "auth", 6, { NULL, "preshared", "dss", "rsa sig", "rsa enc", + "rsa enc revised", }, }, +- { "group desc", 5, { NULL, "modp768", "modp1024", "EC2N 2^155", +- "EC2N 2^185", }, }, ++ { "group desc", 18, { NULL, "modp768", ++ "modp1024", /* group 2 */ ++ "EC2N 2^155", /* group 3 */ ++ "EC2N 2^185", /* group 4 */ ++ "modp1536", /* group 5 */ ++ "iana-grp06", "iana-grp07", /* reserved */ ++ "iana-grp08", "iana-grp09", ++ "iana-grp10", "iana-grp11", ++ "iana-grp12", "iana-grp13", ++ "modp2048", /* group 14 */ ++ "modp3072", /* group 15 */ ++ "modp4096", /* group 16 */ ++ "modp6144", /* group 17 */ ++ "modp8192", /* group 18 */ ++ }, }, + { "group type", 4, { NULL, "MODP", "ECP", "EC2N", }, }, + { "group prime", 0, { NULL } }, + { "group gen1", 0, { NULL } }, +@@ -566,27 +762,28 @@ }; static const u_char * @@ -895,7 +668,7 @@ diff -u -r1.53 -r1.56 map = oakley_t_map; nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]); break; -@@ -639,57 +792,59 @@ +@@ -613,57 +810,59 @@ } if (idstr) @@ -976,7 +749,7 @@ diff -u -r1.53 -r1.56 static const char *idtypestr[] = { "IPv4", "IPv4net", "IPv6", "IPv6net", }; -@@ -701,10 +856,10 @@ +@@ -675,10 +874,10 @@ int len; const u_char *data; @@ -990,7 +763,7 @@ diff -u -r1.53 -r1.56 safememcpy(&id, ext, sizeof(id)); if (sizeof(*p) < item_len) { data = (u_char *)(p + 1); -@@ -715,16 +870,16 @@ +@@ -689,16 +888,16 @@ } #if 0 /*debug*/ @@ -1011,7 +784,7 @@ diff -u -r1.53 -r1.56 break; #ifdef USE_IPSECDOI_IN_PHASE1 -@@ -737,42 +892,42 @@ +@@ -711,42 +910,42 @@ struct protoent *pe; p = (struct ipsecdoi_id *)ext; @@ -1063,7 +836,7 @@ diff -u -r1.53 -r1.56 for (i = 0; i < len; i++) safeputchar(data[i]); len = 0; -@@ -782,12 +937,12 @@ +@@ -756,12 +955,12 @@ { const u_char *mask; if (len < 8) @@ -1080,7 +853,7 @@ diff -u -r1.53 -r1.56 } len = 0; break; -@@ -795,22 +950,22 @@ +@@ -769,22 +968,22 @@ #ifdef INET6 case IPSECDOI_ID_IPV6_ADDR: if (len < 16) @@ -1109,7 +882,7 @@ diff -u -r1.53 -r1.56 } len = 0; break; -@@ -818,22 +973,22 @@ +@@ -792,22 +991,22 @@ #endif /*INET6*/ case IPSECDOI_ID_IPV4_ADDR_RANGE: if (len < 8) @@ -1140,7 +913,7 @@ diff -u -r1.53 -r1.56 } len = 0; break; -@@ -847,159 +1002,169 @@ +@@ -821,159 +1020,169 @@ } } if (data && len) { @@ -1380,7 +1153,7 @@ diff -u -r1.53 -r1.56 const u_char *cp; u_char *ep2; u_int32_t doi; -@@ -1050,47 +1215,47 @@ +@@ -1024,47 +1233,47 @@ #define IPSEC_NOTIFY_STATUS_STR(x) \ STR_OR_ID((u_int)((x) - 24576), ipsec_notify_status_str) @@ -1448,7 +1221,7 @@ diff -u -r1.53 -r1.56 goto trunc; } -@@ -1098,119 +1263,712 @@ +@@ -1072,322 +1281,1212 @@ ep2 = (u_char *)p + item_len; if (cp < ep) { @@ -1575,21 +1348,27 @@ diff -u -r1.53 -r1.56 - printf("%s:", NPSTR(ISAKMP_NPTYPE_VID)); + ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_VID))); -+ + +- TCHECK(*ext); + ND_TCHECK(*ext); -+ safememcpy(&e, ext, sizeof(e)); + safememcpy(&e, ext, sizeof(e)); +- printf(" len=%d", ntohs(e.len) - 4); +- if (2 < vflag && 4 < ntohs(e.len)) { +- printf(" "); +- if (!rawprint((caddr_t)(ext + 1), ntohs(e.len) - 4)) + ND_PRINT((ndo," len=%d", ntohs(e.len) - 4)); + if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) { + ND_PRINT((ndo," ")); + if (!rawprint(ndo, (caddr_t)(ext + 1), ntohs(e.len) - 4)) -+ goto trunc; -+ } -+ return (u_char *)ext + ntohs(e.len); -+trunc: + goto trunc; + } + return (u_char *)ext + ntohs(e.len); + trunc: +- printf(" [|%s]", NPSTR(ISAKMP_NPTYPE_VID)); + ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_VID))); -+ return NULL; -+} -+ + return NULL; + } + +/************************************************************/ +/* */ +/* IKE v2 - rfc4306 - dissector */ @@ -1602,29 +1381,60 @@ diff -u -r1.53 -r1.56 + ND_PRINT((ndo,"%s%s:", payname, critical&0x80 ? "[C]" : "")); +} + -+static const u_char * + static const u_char * +-isakmp_sub0_print(u_char np, const struct isakmp_gen *ext, const u_char *ep, +- u_int32_t phase, u_int32_t doi, u_int32_t proto, int depth) +ikev2_gen_print(netdissect_options *ndo, u_char tpay, + const struct isakmp_gen *ext) -+{ -+ struct isakmp_gen e; -+ + { +- const u_char *cp; + struct isakmp_gen e; +- u_int item_len; + +- cp = (u_char *)ext; +- TCHECK(*ext); + ND_TCHECK(*ext); -+ safememcpy(&e, ext, sizeof(e)); + safememcpy(&e, ext, sizeof(e)); + ikev2_pay_print(ndo, NPSTR(tpay), e.critical); -+ + +- /* +- * Since we can't have a payload length of less than 4 bytes, +- * we need to bail out here if the generic header is nonsensical +- * or truncated, otherwise we could loop forever processing +- * zero-length items or otherwise misdissect the packet. +- */ +- item_len = ntohs(e.len); +- if (item_len <= 4) +- return NULL; +- +- if (NPFUNC(np)) { +- /* +- * XXX - what if item_len is too short, or too long, +- * for this payload type? +- */ +- cp = (*npfunc[np])(ext, item_len, ep, phase, doi, proto, depth); +- } else { +- printf("%s", NPSTR(np)); +- cp += item_len; + ND_PRINT((ndo," len=%d", ntohs(e.len) - 4)); + if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) { + ND_PRINT((ndo," ")); + if (!rawprint(ndo, (caddr_t)(ext + 1), ntohs(e.len) - 4)) + goto trunc; -+ } + } +- +- return cp; + return (u_char *)ext + ntohs(e.len); -+trunc: + trunc: +- printf(" [|isakmp]"); + ND_PRINT((ndo," [|%s]", NPSTR(tpay))); -+ return NULL; -+} -+ -+static const u_char * + return NULL; + } + + static const u_char * +-isakmp_sub_print(u_char np, const struct isakmp_gen *ext, const u_char *ep, +- u_int32_t phase, u_int32_t doi, u_int32_t proto, int depth) +-{ +ikev2_t_print(netdissect_options *ndo, u_char tpay _U_, int pcount, + const struct isakmp_gen *ext, u_int item_len, + const u_char *ep, u_int32_t phase _U_, u_int32_t doi _U_, @@ -1633,37 +1443,59 @@ diff -u -r1.53 -r1.56 + const struct ikev2_t *p; + struct ikev2_t t; + u_int16_t t_id; -+ const u_char *cp; + const u_char *cp; +- int i; +- struct isakmp_gen e; + const char *idstr; + const struct attrmap *map; + size_t nmap; + const u_char *ep2; -+ + +- cp = (const u_char *)ext; + p = (struct ikev2_t *)ext; + ND_TCHECK(*p); + safememcpy(&t, ext, sizeof(t)); + ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_T), t.h.critical); -+ + +- while (np) { +- TCHECK(*ext); +- +- safememcpy(&e, ext, sizeof(e)); + t_id = ntohs(t.t_id); + + map = NULL; + nmap = 0; -+ + +- TCHECK2(*ext, ntohs(e.len)); + switch (t.t_type) { + case IV2_T_ENCR: + idstr = STR_OR_ID(t_id, esp_p_map); + map = encr_t_map; + nmap = sizeof(encr_t_map)/sizeof(encr_t_map[0]); + break; -+ + +- depth++; +- printf("\n"); +- for (i = 0; i < depth; i++) +- printf(" "); +- printf("("); +- cp = isakmp_sub0_print(np, ext, ep, phase, doi, proto, depth); +- printf(")"); +- depth--; + case IV2_T_PRF: + idstr = STR_OR_ID(t_id, prf_p_map); + break; -+ + +- if (cp == NULL) { +- /* Zero-length subitem */ +- return NULL; +- } + case IV2_T_INTEG: + idstr = STR_OR_ID(t_id, integ_p_map); + break; -+ + +- np = e.np; +- ext = (struct isakmp_gen *)cp; + case IV2_T_DH: + idstr = STR_OR_ID(t_id, dh_p_map); + break; @@ -1693,42 +1525,78 @@ diff -u -r1.53 -r1.56 + map, nmap); + } else + cp = ikev1_attr_print(ndo, cp, (ep < ep2) ? ep : ep2); -+ } + } + if (ep < ep2) + ND_PRINT((ndo,"...")); -+ return cp; -+trunc: + return cp; + trunc: +- printf(" [|%s]", NPSTR(np)); + ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_T))); -+ return NULL; -+} -+ + return NULL; + } + +-static char * +-numstr(int x) +static const u_char * +ikev2_p_print(netdissect_options *ndo, u_char tpay _U_, int pcount _U_, + const struct isakmp_gen *ext, u_int item_len _U_, + const u_char *ep, u_int32_t phase, u_int32_t doi0, + u_int32_t proto0 _U_, int depth) -+{ + { +- static char buf[20]; +- snprintf(buf, sizeof(buf), "#%d", x); +- return buf; +-} + const struct ikev2_p *p; + struct ikev2_p prop; + const u_char *cp; -+ + +-/* +- * some compiler tries to optimize memcpy(), using the alignment constraint +- * on the argument pointer type. by using this function, we try to avoid the +- * optimization. +- */ +-static void +-safememcpy(void *p, const void *q, size_t l) +-{ +- memcpy(p, q, l); +-} + p = (struct ikev2_p *)ext; + ND_TCHECK(*p); + safememcpy(&prop, ext, sizeof(prop)); + ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_P), prop.h.critical); -+ -+ ND_PRINT((ndo," #%u protoid=%s transform=%d", -+ prop.p_no, PROTOIDSTR(prop.prot_id), prop.num_t)); + +-void +-isakmp_print(netdissect_options *ndo, +- const u_char *bp, u_int length, +- const u_char *bp2) +-{ +- const struct isakmp *p; +- struct isakmp base; +- const u_char *ep; +- u_char np; +- int i; +- int phase; +- int major, minor; ++ ND_PRINT((ndo," #%u protoid=%s transform=%d len=%u", ++ prop.p_no, PROTOIDSTR(prop.prot_id), ++ prop.num_t, ntohs(prop.h.len))); + if (prop.spi_size) { + ND_PRINT((ndo," spi=")); + if (!rawprint(ndo, (caddr_t)(p + 1), prop.spi_size)) + goto trunc; + } -+ + +- p = (const struct isakmp *)bp; +- ep = ndo->ndo_snapend; + ext = (struct isakmp_gen *)((u_char *)(p + 1) + prop.spi_size); + ND_TCHECK(*ext); -+ -+ cp = ikev2_sub_print(ndo, ISAKMP_NPTYPE_T, ext, ep, phase, doi0, + +- if ((struct isakmp *)ep < p + 1) { +- printf("[|isakmp]"); +- return; +- } ++ cp = ikev2_sub_print(ndo, NULL, ISAKMP_NPTYPE_T, ext, ep, phase, doi0, + prop.prot_id, depth); + + return cp; @@ -1736,7 +1604,8 @@ diff -u -r1.53 -r1.56 + ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_P))); + return NULL; +} -+ + +- safememcpy(&base, p, sizeof(base)); +static const u_char * +ikev2_sa_print(netdissect_options *ndo, u_char tpay, + const struct isakmp_gen *ext1, @@ -1746,25 +1615,66 @@ diff -u -r1.53 -r1.56 +{ + struct isakmp_gen e; + int osa_len, sa_len; -+ + +- printf("isakmp"); +- if (vflag) { +- major = (base.vers & ISAKMP_VERS_MAJOR) +- >> ISAKMP_VERS_MAJOR_SHIFT; +- minor = (base.vers & ISAKMP_VERS_MINOR) +- >> ISAKMP_VERS_MINOR_SHIFT; +- printf(" %d.%d", major, minor); +- } + ND_TCHECK(*ext1); + safememcpy(&e, ext1, sizeof(e)); + ikev2_pay_print(ndo, "sa", e.critical); -+ + +- if (vflag) { +- printf(" msgid "); +- rawprint((caddr_t)&base.msgid, sizeof(base.msgid)); +- } + osa_len= ntohs(e.len); + sa_len = osa_len - 4; + ND_PRINT((ndo," len=%d", sa_len)); -+ -+ ikev2_sub_print(ndo, ISAKMP_NPTYPE_P, + +- if (1 < vflag) { +- printf(" cookie "); +- rawprint((caddr_t)&base.i_ck, sizeof(base.i_ck)); +- printf("->"); +- rawprint((caddr_t)&base.r_ck, sizeof(base.r_ck)); +- } +- printf(":"); ++ ikev2_sub_print(ndo, NULL, ISAKMP_NPTYPE_P, + ext1+1, ep, + 0, 0, 0, depth); -+ + +- phase = (*(u_int32_t *)base.msgid == 0) ? 1 : 2; +- if (phase == 1) +- printf(" phase %d", phase); +- else +- printf(" phase %d/others", phase); + return (u_char *)ext1 + osa_len; +trunc: + ND_PRINT((ndo," [|%s]", NPSTR(tpay))); + return NULL; +} -+ + +- i = cookie_find(&base.i_ck); +- if (i < 0) { +- if (iszero((u_char *)&base.r_ck, sizeof(base.r_ck))) { +- /* the first packet */ +- printf(" I"); +- if (bp2) +- cookie_record(&base.i_ck, bp2); +- } else +- printf(" ?"); +- } else { +- if (bp2 && cookie_isinitiator(i, bp2)) +- printf(" I"); +- else if (bp2 && cookie_isresponder(i, bp2)) +- printf(" R"); +- else +- printf(" ?"); +- } +static const u_char * +ikev2_ke_print(netdissect_options *ndo, u_char tpay, + const struct isakmp_gen *ext, @@ -1774,7 +1684,11 @@ diff -u -r1.53 -r1.56 +{ + struct ikev2_ke ke; + struct ikev2_ke *k; -+ + +- printf(" %s", ETYPESTR(base.etype)); +- if (base.flags) { +- printf("[%s%s]", base.flags & ISAKMP_FLAG_E ? "E" : "", +- base.flags & ISAKMP_FLAG_C ? "C" : ""); + k = (struct ikev2_ke *)ext; + ND_TCHECK(*ext); + safememcpy(&ke, ext, sizeof(ke)); @@ -1787,13 +1701,22 @@ diff -u -r1.53 -r1.56 + ND_PRINT((ndo," ")); + if (!rawprint(ndo, (caddr_t)(k + 1), ntohs(ke.h.len) - 8)) + goto trunc; -+ } + } + return (u_char *)ext + ntohs(ke.h.len); +trunc: + ND_PRINT((ndo," [|%s]", NPSTR(tpay))); + return NULL; +} -+ + +- if (vflag) { +- const struct isakmp_gen *ext; +- int nparen; +- +-#define CHECKLEN(p, np) \ +- if (ep < (u_char *)(p)) { \ +- printf(" [|%s]", NPSTR(np)); \ +- goto done; \ +- } +static const u_char * +ikev2_ID_print(netdissect_options *ndo, u_char tpay, + const struct isakmp_gen *ext, @@ -1801,9 +1724,102 @@ diff -u -r1.53 -r1.56 + u_int32_t phase _U_, u_int32_t doi _U_, + u_int32_t proto _U_, int depth _U_) +{ -+ return ikev2_gen_print(ndo, tpay, ext); -+} ++ struct ikev2_id id; ++ int id_len, idtype_len, i; ++ unsigned int dumpascii, dumphex; ++ unsigned char *typedata; + +- printf(":"); ++ ND_TCHECK(*ext); ++ safememcpy(&id, ext, sizeof(id)); ++ ikev2_pay_print(ndo, NPSTR(tpay), id.h.critical); + +- /* regardless of phase... */ +- if (base.flags & ISAKMP_FLAG_E) { +- /* +- * encrypted, nothing we can do right now. +- * we hope to decrypt the packet in the future... +- */ +- printf(" [encrypted %s]", NPSTR(base.np)); +- goto done; +- } ++ id_len = ntohs(id.h.len); + +- nparen = 0; +- CHECKLEN(p + 1, base.np) ++ ND_PRINT((ndo," len=%d", id_len - 4)); ++ if (2 < ndo->ndo_vflag && 4 < id_len) { ++ ND_PRINT((ndo," ")); ++ if (!rawprint(ndo, (caddr_t)(ext + 1), id_len - 4)) ++ goto trunc; ++ } + +- np = base.np; +- ext = (struct isakmp_gen *)(p + 1); +- isakmp_sub_print(np, ext, ep, phase, 0, 0, 0); ++ idtype_len =id_len - sizeof(struct ikev2_id); ++ dumpascii = 0; ++ dumphex = 0; ++ typedata = (unsigned char *)(ext)+sizeof(struct ikev2_id); + ++ switch(id.type) { ++ case ID_IPV4_ADDR: ++ ND_PRINT((ndo, " ipv4:")); ++ dumphex=1; ++ break; ++ case ID_FQDN: ++ ND_PRINT((ndo, " fqdn:")); ++ dumpascii=1; ++ break; ++ case ID_RFC822_ADDR: ++ ND_PRINT((ndo, " rfc822:")); ++ dumpascii=1; ++ break; ++ case ID_IPV6_ADDR: ++ ND_PRINT((ndo, " ipv6:")); ++ dumphex=1; ++ break; ++ case ID_DER_ASN1_DN: ++ ND_PRINT((ndo, " dn:")); ++ dumphex=1; ++ break; ++ case ID_DER_ASN1_GN: ++ ND_PRINT((ndo, " gn:")); ++ dumphex=1; ++ break; ++ case ID_KEY_ID: ++ ND_PRINT((ndo, " keyid:")); ++ dumphex=1; ++ break; + } + +-done: +- if (vflag) { +- if (ntohl(base.len) != length) { +- printf(" (len mismatch: isakmp %u/ip %u)", +- (u_int32_t)ntohl(base.len), length); ++ if(dumpascii) { ++ ND_TCHECK2(*typedata, idtype_len); ++ for(i=0; indo_vflag && 4 < ntohs(e.h.len)) { ++ if (1 < ndo->ndo_vflag && 4 < len) { + ND_PRINT((ndo," authdata=(")); -+ if (!rawprint(ndo, (caddr_t)(ext + 1), ntohs(e.h.len) - 4)) ++ if (!rawprint(ndo, (caddr_t)authdata, len - sizeof(a))) + goto trunc; + ND_PRINT((ndo,") ")); -+ } else if(ndo->ndo_vflag && 4 < ntohs(e.h.len)) { -+ if(!ike_show_somedata(ndo, (const u_char *)(ext+1), ep)) goto trunc; ++ } else if(ndo->ndo_vflag && 4 < len) { ++ if(!ike_show_somedata(ndo, authdata, ep)) goto trunc; + } + -+ return (u_char *)ext + ntohs(e.h.len); ++ return (u_char *)ext + len; +trunc: + ND_PRINT((ndo," [|%s]", NPSTR(tpay))); + return NULL; @@ -2078,8 +2097,7 @@ diff -u -r1.53 -r1.56 + if(3 < ndo->ndo_vflag) { + showdata = 1; + } - -- TCHECK(*ext); ++ + if ((showdata || (showsomedata && ep-cp < 30)) && cp < ep) { + ND_PRINT((ndo," data=(")); + if (!rawprint(ndo, (caddr_t)(cp), ep - cp)) @@ -2119,11 +2137,7 @@ diff -u -r1.53 -r1.56 + int i, len; + + ND_TCHECK(*ext); - safememcpy(&e, ext, sizeof(e)); -- printf(" len=%d", ntohs(e.len) - 4); -- if (2 < vflag && 4 < ntohs(e.len)) { -- printf(" "); -- if (!rawprint((caddr_t)(ext + 1), ntohs(e.len) - 4)) ++ safememcpy(&e, ext, sizeof(e)); + ikev2_pay_print(ndo, NPSTR(tpay), e.critical); + ND_PRINT((ndo," len=%d vid=", ntohs(e.len) - 4)); + @@ -2137,18 +2151,15 @@ diff -u -r1.53 -r1.56 + if (2 < ndo->ndo_vflag && 4 < len) { + ND_PRINT((ndo," ")); + if (!rawprint(ndo, (caddr_t)(ext + 1), ntohs(e.len) - 4)) - goto trunc; - } - return (u_char *)ext + ntohs(e.len); - trunc: -- printf(" [|%s]", NPSTR(ISAKMP_NPTYPE_VID)); ++ goto trunc; ++ } ++ return (u_char *)ext + ntohs(e.len); ++trunc: + ND_PRINT((ndo," [|%s]", NPSTR(tpay))); - return NULL; - } - - static const u_char * --isakmp_sub0_print(u_char np, const struct isakmp_gen *ext, const u_char *ep, -- u_int32_t phase, u_int32_t doi, u_int32_t proto, int depth) ++ return NULL; ++} ++ ++static const u_char * +ikev2_TS_print(netdissect_options *ndo, u_char tpay, + const struct isakmp_gen *ext, + u_int item_len _U_, const u_char *ep _U_, @@ -2159,13 +2170,54 @@ diff -u -r1.53 -r1.56 +} + +static const u_char * -+ikev2_e_print(netdissect_options *ndo, u_char tpay, ++ikev2_e_print(netdissect_options *ndo, struct isakmp *base, ++ u_char tpay, + const struct isakmp_gen *ext, + u_int item_len _U_, const u_char *ep _U_, -+ u_int32_t phase _U_, u_int32_t doi _U_, -+ u_int32_t proto _U_, int depth _U_) ++ u_int32_t phase, u_int32_t doi, ++ u_int32_t proto, int depth) +{ -+ return ikev2_gen_print(ndo, tpay, ext); ++ struct isakmp_gen e; ++ u_char *dat; ++ volatile int dlen; ++ ++ ND_TCHECK(*ext); ++ safememcpy(&e, ext, sizeof(e)); ++ ikev2_pay_print(ndo, NPSTR(tpay), e.critical); ++ ++ dlen = ntohs(e.len)-4; ++ ++ ND_PRINT((ndo," len=%d", dlen)); ++ if (2 < ndo->ndo_vflag && 4 < dlen) { ++ ND_PRINT((ndo," ")); ++ if (!rawprint(ndo, (caddr_t)(ext + 1), dlen)) ++ goto trunc; ++ } ++ ++ dat = (u_char *)(ext+1); ++ ND_TCHECK2(*dat, dlen); ++ ++ /* try to decypt it! */ ++ if(esp_print_decrypt_buffer_by_ikev2(ndo, ++ base->flags & ISAKMP_FLAG_I, ++ base->i_ck, base->r_ck, ++ dat, dat+dlen)) { ++ ++ ext = (const struct isakmp_gen *)ndo->ndo_packetp; ++ ++ /* got it decrypted, print stuff inside. */ ++ ikev2_sub_print(ndo, base, e.np, ext, ndo->ndo_snapend, ++ phase, doi, proto, depth+1); ++ } ++ ++ ++ /* always return NULL, because E must be at end, and NP refers ++ * to what was inside. ++ */ ++ return NULL; ++trunc: ++ ND_PRINT((ndo," [|%s]", NPSTR(tpay))); ++ return NULL; +} + +static const u_char * @@ -2191,187 +2243,151 @@ diff -u -r1.53 -r1.56 +static const u_char * +ike_sub0_print(netdissect_options *ndo, + u_char np, const struct isakmp_gen *ext, const u_char *ep, -+ u_int32_t phase, u_int32_t doi, u_int32_t proto, int depth) - { - const u_char *cp; - struct isakmp_gen e; - u_int item_len; - - cp = (u_char *)ext; -- TCHECK(*ext); ++ ++ u_int32_t phase, u_int32_t doi, u_int32_t proto, int depth) ++{ ++ const u_char *cp; ++ struct isakmp_gen e; ++ u_int item_len; ++ ++ cp = (u_char *)ext; + ND_TCHECK(*ext); - safememcpy(&e, ext, sizeof(e)); - - /* -@@ -1228,21 +1986,22 @@ - * XXX - what if item_len is too short, or too long, - * for this payload type? - */ -- cp = (*npfunc[np])(ext, item_len, ep, phase, doi, proto, depth); ++ safememcpy(&e, ext, sizeof(e)); ++ ++ /* ++ * Since we can't have a payload length of less than 4 bytes, ++ * we need to bail out here if the generic header is nonsensical ++ * or truncated, otherwise we could loop forever processing ++ * zero-length items or otherwise misdissect the packet. ++ */ ++ item_len = ntohs(e.len); ++ if (item_len <= 4) ++ return NULL; ++ ++ if (NPFUNC(np)) { ++ /* ++ * XXX - what if item_len is too short, or too long, ++ * for this payload type? ++ */ + cp = (*npfunc[np])(ndo, np, ext, item_len, ep, phase, doi, proto, depth); - } else { -- printf("%s", NPSTR(np)); ++ } else { + ND_PRINT((ndo,"%s", NPSTR(np))); - cp += item_len; - } - - return cp; - trunc: -- printf(" [|isakmp]"); ++ cp += item_len; ++ } ++ ++ return cp; ++trunc: + ND_PRINT((ndo," [|isakmp]")); - return NULL; - } - - static const u_char * --isakmp_sub_print(u_char np, const struct isakmp_gen *ext, const u_char *ep, -- u_int32_t phase, u_int32_t doi, u_int32_t proto, int depth) ++ return NULL; ++} ++ ++static const u_char * +ikev1_sub_print(netdissect_options *ndo, + u_char np, const struct isakmp_gen *ext, const u_char *ep, + u_int32_t phase, u_int32_t doi, u_int32_t proto, int depth) - { - const u_char *cp; - int i; -@@ -1251,19 +2010,19 @@ - cp = (const u_char *)ext; - - while (np) { -- TCHECK(*ext); ++{ ++ const u_char *cp; ++ int i; ++ struct isakmp_gen e; ++ ++ cp = (const u_char *)ext; ++ ++ while (np) { + ND_TCHECK(*ext); - - safememcpy(&e, ext, sizeof(e)); - -- TCHECK2(*ext, ntohs(e.len)); ++ ++ safememcpy(&e, ext, sizeof(e)); ++ + ND_TCHECK2(*ext, ntohs(e.len)); - - depth++; -- printf("\n"); ++ ++ depth++; + ND_PRINT((ndo,"\n")); - for (i = 0; i < depth; i++) -- printf(" "); -- printf("("); -- cp = isakmp_sub0_print(np, ext, ep, phase, doi, proto, depth); -- printf(")"); ++ for (i = 0; i < depth; i++) + ND_PRINT((ndo," ")); + ND_PRINT((ndo,"(")); + cp = ike_sub0_print(ndo, np, ext, ep, phase, doi, proto, depth); + ND_PRINT((ndo,")")); - depth--; - - if (cp == NULL) { -@@ -1276,7 +2035,7 @@ - } - return cp; - trunc: -- printf(" [|%s]", NPSTR(np)); ++ depth--; ++ ++ if (cp == NULL) { ++ /* Zero-length subitem */ ++ return NULL; ++ } ++ ++ np = e.np; ++ ext = (struct isakmp_gen *)cp; ++ } ++ return cp; ++trunc: + ND_PRINT((ndo," [|%s]", NPSTR(np))); - return NULL; - } - -@@ -1300,120 +2059,287 @@ - } - - void --isakmp_print(netdissect_options *ndo, -- const u_char *bp, u_int length, -- const u_char *bp2) ++ return NULL; ++} ++ ++static char * ++numstr(int x) ++{ ++ static char buf[20]; ++ snprintf(buf, sizeof(buf), "#%d", x); ++ return buf; ++} ++ ++/* ++ * some compiler tries to optimize memcpy(), using the alignment constraint ++ * on the argument pointer type. by using this function, we try to avoid the ++ * optimization. ++ */ ++static void ++safememcpy(void *p, const void *q, size_t l) ++{ ++ memcpy(p, q, l); ++} ++ ++void +ikev1_print(netdissect_options *ndo, + const u_char *bp, u_int length, + const u_char *bp2, struct isakmp *base) - { - const struct isakmp *p; -- struct isakmp base; - const u_char *ep; - u_char np; - int i; - int phase; -- int major, minor; -- ++{ ++ const struct isakmp *p; ++ const u_char *ep; ++ u_char np; ++ int i; ++ int phase; + - p = (const struct isakmp *)bp; - ep = ndo->ndo_snapend; -- -- if ((struct isakmp *)ep < p + 1) { -- printf("[|isakmp]"); -- return; -- } -- -- safememcpy(&base, p, sizeof(base)); -- -- printf("isakmp"); -- if (vflag) { -- major = (base.vers & ISAKMP_VERS_MAJOR) -- >> ISAKMP_VERS_MAJOR_SHIFT; -- minor = (base.vers & ISAKMP_VERS_MINOR) -- >> ISAKMP_VERS_MINOR_SHIFT; -- printf(" %d.%d", major, minor); -- } -- -- if (vflag) { -- printf(" msgid "); -- rawprint((caddr_t)&base.msgid, sizeof(base.msgid)); -- } -- -- if (1 < vflag) { -- printf(" cookie "); -- rawprint((caddr_t)&base.i_ck, sizeof(base.i_ck)); -- printf("->"); -- rawprint((caddr_t)&base.r_ck, sizeof(base.r_ck)); -- } -- printf(":"); -- -- phase = (*(u_int32_t *)base.msgid == 0) ? 1 : 2; ++ p = (const struct isakmp *)bp; ++ ep = ndo->ndo_snapend; + + phase = (*(u_int32_t *)base->msgid == 0) ? 1 : 2; - if (phase == 1) -- printf(" phase %d", phase); ++ if (phase == 1) + ND_PRINT((ndo," phase %d", phase)); - else -- printf(" phase %d/others", phase); -- -- i = cookie_find(&base.i_ck); ++ else + ND_PRINT((ndo," phase %d/others", phase)); + + i = cookie_find(&base->i_ck); - if (i < 0) { -- if (iszero((u_char *)&base.r_ck, sizeof(base.r_ck))) { ++ if (i < 0) { + if (iszero((u_char *)&base->r_ck, sizeof(base->r_ck))) { - /* the first packet */ -- printf(" I"); ++ /* the first packet */ + ND_PRINT((ndo," I")); - if (bp2) -- cookie_record(&base.i_ck, bp2); ++ if (bp2) + cookie_record(&base->i_ck, bp2); - } else -- printf(" ?"); ++ } else + ND_PRINT((ndo," ?")); - } else { - if (bp2 && cookie_isinitiator(i, bp2)) -- printf(" I"); ++ } else { ++ if (bp2 && cookie_isinitiator(i, bp2)) + ND_PRINT((ndo," I")); - else if (bp2 && cookie_isresponder(i, bp2)) -- printf(" R"); ++ else if (bp2 && cookie_isresponder(i, bp2)) + ND_PRINT((ndo," R")); - else -- printf(" ?"); ++ else + ND_PRINT((ndo," ?")); - } -- -- printf(" %s", ETYPESTR(base.etype)); -- if (base.flags) { -- printf("[%s%s]", base.flags & ISAKMP_FLAG_E ? "E" : "", -- base.flags & ISAKMP_FLAG_C ? "C" : ""); ++ } + + ND_PRINT((ndo," %s", ETYPESTR(base->etype))); + if (base->flags) { + ND_PRINT((ndo,"[%s%s]", base->flags & ISAKMP_FLAG_E ? "E" : "", + base->flags & ISAKMP_FLAG_C ? "C" : "")); - } -- -- if (vflag) { ++ } + + if (ndo->ndo_vflag) { - const struct isakmp_gen *ext; - int nparen; ++ const struct isakmp_gen *ext; ++ int nparen; + + ND_PRINT((ndo,":")); + @@ -2400,13 +2416,10 @@ diff -u -r1.53 -r1.56 + } + } +} - --#define CHECKLEN(p, np) \ -- if (ep < (u_char *)(p)) { \ -- printf(" [|%s]", NPSTR(np)); \ -- goto done; \ ++ +static const u_char * -+ikev2_sub0_print(netdissect_options *ndo, u_char np, int pcount, ++ikev2_sub0_print(netdissect_options *ndo, struct isakmp *base, ++ u_char np, int pcount, + const struct isakmp_gen *ext, const u_char *ep, + u_int32_t phase, u_int32_t doi, u_int32_t proto, int depth) +{ @@ -2434,6 +2447,9 @@ diff -u -r1.53 -r1.56 + } else if(np == ISAKMP_NPTYPE_T) { + cp = ikev2_t_print(ndo, np, pcount, ext, item_len, + ep, phase, doi, proto, depth); ++ } else if(np == ISAKMP_NPTYPE_v2E) { ++ cp = ikev2_e_print(ndo, base, np, ext, item_len, ++ ep, phase, doi, proto, depth); + } else if (NPFUNC(np)) { + /* + * XXX - what if item_len is too short, or too long, @@ -2454,6 +2470,7 @@ diff -u -r1.53 -r1.56 + +static const u_char * +ikev2_sub_print(netdissect_options *ndo, ++ struct isakmp *base, + u_char np, const struct isakmp_gen *ext, const u_char *ep, + u_int32_t phase, u_int32_t doi, u_int32_t proto, int depth) +{ @@ -2477,7 +2494,7 @@ diff -u -r1.53 -r1.56 + for (i = 0; i < depth; i++) + ND_PRINT((ndo," ")); + ND_PRINT((ndo,"(")); -+ cp = ikev2_sub0_print(ndo, np, pcount, ++ cp = ikev2_sub0_print(ndo, base, np, pcount, + ext, ep, phase, doi, proto, depth); + ND_PRINT((ndo,")")); + depth--; @@ -2485,9 +2502,8 @@ diff -u -r1.53 -r1.56 + if (cp == NULL) { + /* Zero-length subitem */ + return NULL; - } - -- printf(":"); ++ } ++ + np = e.np; + ext = (struct isakmp_gen *)cp; + } @@ -2529,44 +2545,35 @@ diff -u -r1.53 -r1.56 + int nparen; + + ND_PRINT((ndo, ":")); - - /* regardless of phase... */ -- if (base.flags & ISAKMP_FLAG_E) { ++ ++ /* regardless of phase... */ + if (base->flags & ISAKMP_FLAG_E) { - /* - * encrypted, nothing we can do right now. - * we hope to decrypt the packet in the future... - */ -- printf(" [encrypted %s]", NPSTR(base.np)); ++ /* ++ * encrypted, nothing we can do right now. ++ * we hope to decrypt the packet in the future... ++ */ + ND_PRINT((ndo, " [encrypted %s]", NPSTR(base->np))); - goto done; - } - - nparen = 0; -- CHECKLEN(p + 1, base.np) ++ goto done; ++ } ++ ++ nparen = 0; + CHECKLEN(p + 1, base->np) - -- np = base.np; ++ + np = base->np; - ext = (struct isakmp_gen *)(p + 1); -- isakmp_sub_print(np, ext, ep, phase, 0, 0, 0); -+ ikev2_sub_print(ndo, np, ext, ep, phase, 0, 0, 0); - } - - done: -- if (vflag) { -- if (ntohl(base.len) != length) { -- printf(" (len mismatch: isakmp %u/ip %u)", -- (u_int32_t)ntohl(base.len), length); ++ ext = (struct isakmp_gen *)(p + 1); ++ ikev2_sub_print(ndo, base, np, ext, ep, phase, 0, 0, 0); ++ } ++ ++done: + if (ndo->ndo_vflag) { + if (ntohl(base->len) != length) { + ND_PRINT((ndo, " (len mismatch: isakmp %u/ip %u)", + (u_int32_t)ntohl(base->len), length)); - } - } - } - - void ++ } ++ } ++} ++ ++void +isakmp_print(netdissect_options *ndo, + const u_char *bp, u_int length, + const u_char *bp2) @@ -2576,6 +2583,12 @@ diff -u -r1.53 -r1.56 + const u_char *ep; + int major, minor; + ++ /* initiailize SAs */ ++ if (ndo->ndo_sa_list_head == NULL) { ++ if (ndo->ndo_espsecret) ++ esp_print_decodesecret(ndo); ++ } ++ + p = (const struct isakmp *)bp; + ep = ndo->ndo_snapend; + @@ -2598,14 +2611,14 @@ diff -u -r1.53 -r1.56 + + if (ndo->ndo_vflag) { + ND_PRINT((ndo," msgid ")); -+ rawprint(ndo, (caddr_t)&base.msgid, sizeof(base.msgid)); ++ hexprint(ndo, (caddr_t)&base.msgid, sizeof(base.msgid)); + } + + if (1 < ndo->ndo_vflag) { + ND_PRINT((ndo," cookie ")); -+ rawprint(ndo, (caddr_t)&base.i_ck, sizeof(base.i_ck)); ++ hexprint(ndo, (caddr_t)&base.i_ck, sizeof(base.i_ck)); + ND_PRINT((ndo,"->")); -+ rawprint(ndo, (caddr_t)&base.r_ck, sizeof(base.r_ck)); ++ hexprint(ndo, (caddr_t)&base.r_ck, sizeof(base.r_ck)); + } + ND_PRINT((ndo,":")); + @@ -2624,7 +2637,7 @@ diff -u -r1.53 -r1.56 isakmp_rfc3948_print(netdissect_options *ndo, const u_char *bp, u_int length, const u_char *bp2) -@@ -1429,7 +2355,7 @@ +@@ -1403,7 +2502,7 @@ if(length < 4) { goto trunc; } @@ -2633,7 +2646,7 @@ diff -u -r1.53 -r1.56 /* * see if this is an IKE packet */ -@@ -1459,7 +2385,7 @@ +@@ -1433,7 +2532,7 @@ } trunc: @@ -2642,3 +2655,881 @@ diff -u -r1.53 -r1.56 return; } +Index: tcpdump/isakmp.h +=================================================================== +RCS file: /tcpdump/master/tcpdump/isakmp.h,v +retrieving revision 1.10 +retrieving revision 1.12 +diff -u -r1.10 -r1.12 +--- tcpdump/isakmp.h 11 Dec 2002 07:13:54 -0000 1.10 ++++ tcpdump/isakmp.h 24 Nov 2007 18:13:33 -0000 1.12 +@@ -26,7 +26,7 @@ + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ +-/* YIPS @(#)$Id: isakmp.h,v 1.10 2002/12/11 07:13:54 guy Exp $ */ ++/* YIPS @(#)$Id: isakmp.h,v 1.12 2007/11/24 18:13:33 mcr Exp $ */ + + /* refer to RFC 2408 */ + +@@ -81,7 +81,7 @@ + #define ISAKMP_TIMER_DEFAULT 10 /* seconds */ + #define ISAKMP_TRY_DEFAULT 3 /* times */ + +-/* 3.1 ISAKMP Header Format ++/* 3.1 ISAKMP Header Format (IKEv1 and IKEv2) + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + ! Initiator ! +@@ -127,9 +127,13 @@ + #define ISAKMP_NPTYPE_N 11 /* Notification */ + #define ISAKMP_NPTYPE_D 12 /* Delete */ + #define ISAKMP_NPTYPE_VID 13 /* Vendor ID */ ++#define ISAKMP_NPTYPE_v2E 46 /* v2 Encrypted payload */ + +-#define ISAKMP_MAJOR_VERSION 1 +-#define ISAKMP_MINOR_VERSION 0 ++#define IKEv1_MAJOR_VERSION 1 ++#define IKEv1_MINOR_VERSION 0 ++ ++#define IKEv2_MAJOR_VERSION 2 ++#define IKEv2_MINOR_VERSION 0 + + /* Exchange Type */ + #define ISAKMP_ETYPE_NONE 0 /* NONE */ +@@ -142,6 +146,13 @@ + /* Flags */ + #define ISAKMP_FLAG_E 0x01 /* Encryption Bit */ + #define ISAKMP_FLAG_C 0x02 /* Commit Bit */ ++#define ISAKMP_FLAG_extra 0x04 ++ ++/* IKEv2 */ ++#define ISAKMP_FLAG_I (1 << 3) /* (I)nitiator */ ++#define ISAKMP_FLAG_V (1 << 4) /* (V)ersion */ ++#define ISAKMP_FLAG_R (1 << 5) /* (R)esponse */ ++ + + /* 3.2 Payload Generic Header + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +@@ -151,7 +162,7 @@ + */ + struct isakmp_gen { + u_int8_t np; /* Next Payload */ +- u_int8_t reserved; /* RESERVED, unused, must set to 0 */ ++ u_int8_t critical; /* bit 7 - critical, rest is RESERVED */ + u_int16_t len; /* Payload Length */ + }; + +@@ -188,7 +199,7 @@ + message of a Base Exchange (see Section 4.4) and the value "0" in the + first message of an Identity Protect Exchange (see Section 4.5). + */ +-struct isakmp_pl_sa { ++struct ikev1_pl_sa { + struct isakmp_gen h; + u_int32_t doi; /* Domain of Interpretation */ + u_int32_t sit; /* Situation */ +@@ -202,7 +213,7 @@ + last within the security association proposal, then this field will + be 0. + */ +-struct isakmp_pl_p { ++struct ikev1_pl_p { + struct isakmp_gen h; + u_int8_t p_no; /* Proposal # */ + u_int8_t prot_id; /* Protocol */ +@@ -218,7 +229,7 @@ + then this field will be 3. If the current Transform payload is the + last within the proposal, then this field will be 0. + */ +-struct isakmp_pl_t { ++struct ikev1_pl_t { + struct isakmp_gen h; + u_int8_t t_no; /* Transform # */ + u_int8_t t_id; /* Transform-Id */ +@@ -227,14 +238,14 @@ + }; + + /* 3.7 Key Exchange Payload */ +-struct isakmp_pl_ke { ++struct ikev1_pl_ke { + struct isakmp_gen h; + /* Key Exchange Data */ + }; + + /* 3.8 Identification Payload */ + /* MUST NOT to be used, because of being defined in ipsec-doi. */ +-struct isakmp_pl_id { ++struct ikev1_pl_id { + struct isakmp_gen h; + union { + u_int8_t id_type; /* ID Type */ +@@ -244,7 +255,7 @@ + }; + + /* 3.9 Certificate Payload */ +-struct isakmp_pl_cert { ++struct ikev1_pl_cert { + struct isakmp_gen h; + u_int8_t encode; /* Cert Encoding */ + char cert; /* Certificate Data */ +@@ -268,7 +279,7 @@ + #define ISAKMP_CERT_SPKI 9 + + /* 3.10 Certificate Request Payload */ +-struct isakmp_pl_cr { ++struct ikev1_pl_cr { + struct isakmp_gen h; + u_int8_t num_cert; /* # Cert. Types */ + /* +@@ -283,27 +294,27 @@ + + /* 3.11 Hash Payload */ + /* may not be used, because of having only data. */ +-struct isakmp_pl_hash { ++struct ikev1_pl_hash { + struct isakmp_gen h; + /* Hash Data */ + }; + + /* 3.12 Signature Payload */ + /* may not be used, because of having only data. */ +-struct isakmp_pl_sig { ++struct ikev1_pl_sig { + struct isakmp_gen h; + /* Signature Data */ + }; + + /* 3.13 Nonce Payload */ + /* may not be used, because of having only data. */ +-struct isakmp_pl_nonce { ++struct ikev1_pl_nonce { + struct isakmp_gen h; + /* Nonce Data */ + }; + + /* 3.14 Notification Payload */ +-struct isakmp_pl_n { ++struct ikev1_pl_n { + struct isakmp_gen h; + u_int32_t doi; /* Domain of Interpretation */ + u_int8_t prot_id; /* Protocol-ID */ +@@ -347,7 +358,7 @@ + #define ISAKMP_LOG_RETRY_LIMIT_REACHED 65530 + + /* 3.15 Delete Payload */ +-struct isakmp_pl_d { ++struct ikev1_pl_d { + struct isakmp_gen h; + u_int32_t doi; /* Domain of Interpretation */ + u_int8_t prot_id; /* Protocol-Id */ +@@ -357,15 +368,15 @@ + }; + + +-struct isakmp_ph1tab { +- struct isakmp_ph1 *head; +- struct isakmp_ph1 *tail; ++struct ikev1_ph1tab { ++ struct ikev1_ph1 *head; ++ struct ikev1_ph1 *tail; + int len; + }; + + struct isakmp_ph2tab { +- struct isakmp_ph2 *head; +- struct isakmp_ph2 *tail; ++ struct ikev1_ph2 *head; ++ struct ikev1_ph2 *tail; + int len; + }; + +@@ -375,4 +386,116 @@ + #define PFS_NEED 1 + #define PFS_NONEED 0 + ++/* IKEv2 (RFC4306) */ ++ ++/* 3.3 Security Association Payload -- generic header */ ++/* 3.3.1. Proposal Substructure */ ++struct ikev2_p { ++ struct isakmp_gen h; ++ u_int8_t p_no; /* Proposal # */ ++ u_int8_t prot_id; /* Protocol */ ++ u_int8_t spi_size; /* SPI Size */ ++ u_int8_t num_t; /* Number of Transforms */ ++}; ++ ++/* 3.3.2. Transform Substructure */ ++struct ikev2_t { ++ struct isakmp_gen h; ++ u_int8_t t_type; /* Transform Type (ENCR,PRF,INTEG,etc.*/ ++ u_int8_t res2; /* reserved byte */ ++ u_int16_t t_id; /* Transform ID */ ++}; ++ ++enum ikev2_t_type { ++ IV2_T_ENCR = 1, ++ IV2_T_PRF = 2, ++ IV2_T_INTEG= 3, ++ IV2_T_DH = 4, ++ IV2_T_ESN = 5, ++}; ++ ++/* 3.4. Key Exchange Payload */ ++struct ikev2_ke { ++ struct isakmp_gen h; ++ u_int16_t ke_group; ++ u_int16_t ke_res1; ++ /* KE data */ ++}; ++ ++ ++/* 3.5. Identification Payloads */ ++enum ikev2_id_type { ++ ID_IPV4_ADDR=1, ++ ID_FQDN=2, ++ ID_RFC822_ADDR=3, ++ ID_IPV6_ADDR=5, ++ ID_DER_ASN1_DN=9, ++ ID_DER_ASN1_GN=10, ++ ID_KEY_ID=11, ++}; ++struct ikev2_id { ++ struct isakmp_gen h; ++ u_int8_t type; /* ID type */ ++ u_int8_t res1; ++ u_int16_t res2; ++ /* SPI */ ++ /* Notification Data */ ++}; ++ ++/* 3.10 Notification Payload */ ++struct ikev2_n { ++ struct isakmp_gen h; ++ u_int8_t prot_id; /* Protocol-ID */ ++ u_int8_t spi_size; /* SPI Size */ ++ u_int16_t type; /* Notify Message Type */ ++}; ++ ++enum ikev2_n_type { ++ IV2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD = 1, ++ IV2_NOTIFY_INVALID_IKE_SPI = 4, ++ IV2_NOTIFY_INVALID_MAJOR_VERSION = 5, ++ IV2_NOTIFY_INVALID_SYNTAX = 7, ++ IV2_NOTIFY_INVALID_MESSAGE_ID = 9, ++ IV2_NOTIFY_INVALID_SPI =11, ++ IV2_NOTIFY_NO_PROPOSAL_CHOSEN =14, ++ IV2_NOTIFY_INVALID_KE_PAYLOAD =17, ++ IV2_NOTIFY_AUTHENTICATION_FAILED =24, ++ IV2_NOTIFY_SINGLE_PAIR_REQUIRED =34, ++ IV2_NOTIFY_NO_ADDITIONAL_SAS =35, ++ IV2_NOTIFY_INTERNAL_ADDRESS_FAILURE =36, ++ IV2_NOTIFY_FAILED_CP_REQUIRED =37, ++ IV2_NOTIFY_INVALID_SELECTORS =39, ++ IV2_NOTIFY_INITIAL_CONTACT =16384, ++ IV2_NOTIFY_SET_WINDOW_SIZE =16385, ++ IV2_NOTIFY_ADDITIONAL_TS_POSSIBLE =16386, ++ IV2_NOTIFY_IPCOMP_SUPPORTED =16387, ++ IV2_NOTIFY_NAT_DETECTION_SOURCE_IP =16388, ++ IV2_NOTIFY_NAT_DETECTION_DESTINATION_IP =16389, ++ IV2_NOTIFY_COOKIE =16390, ++ IV2_NOTIFY_USE_TRANSPORT_MODE =16391, ++ IV2_NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED =16392, ++ IV2_NOTIFY_REKEY_SA =16393, ++ IV2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED =16394, ++ IV2_NOTIFY_NON_FIRST_FRAGMENTS_ALSO =16395 ++}; ++ ++struct notify_messages { ++ u_int16_t type; ++ char *msg; ++}; ++ ++/* 3.8 Notification Payload */ ++struct ikev2_auth { ++ struct isakmp_gen h; ++ u_int8_t auth_method; /* Protocol-ID */ ++ u_int8_t reserved[3]; ++ /* authentication data */ ++}; ++ ++enum ikev2_auth_type { ++ IV2_RSA_SIG = 1, ++ IV2_SHARED = 2, ++ IV2_DSS_SIG = 3, ++}; ++ + #endif /* !defined(_ISAKMP_H_) */ +Index: tcpdump/netdissect.h +=================================================================== +RCS file: /tcpdump/master/tcpdump/netdissect.h,v +retrieving revision 1.23 +retrieving revision 1.24 +diff -u -r1.23 -r1.24 +--- tcpdump/netdissect.h 29 Jan 2007 09:59:42 -0000 1.23 ++++ tcpdump/netdissect.h 24 Nov 2007 18:13:33 -0000 1.24 +@@ -438,4 +438,11 @@ + + #endif + ++extern void esp_print_decodesecret(netdissect_options *ndo); ++extern int esp_print_decrypt_buffer_by_ikev2(netdissect_options *ndo, ++ int initiator, ++ u_char spii[8], u_char spir[8], ++ u_char *buf, u_char *end); ++ ++ + #endif /* netdissect_h */ +Index: tcpdump/print-esp.c +=================================================================== +RCS file: /tcpdump/master/tcpdump/print-esp.c,v +retrieving revision 1.56 +retrieving revision 1.57 +diff -u -r1.56 -r1.57 +--- tcpdump/print-esp.c 21 Apr 2005 06:44:40 -0000 1.56 ++++ tcpdump/print-esp.c 24 Nov 2007 18:13:33 -0000 1.57 +@@ -71,14 +71,71 @@ + struct sa_list { + struct sa_list *next; + struct sockaddr_storage daddr; +- u_int32_t spi; ++ u_int32_t spi; /* if == 0, then IKEv2 */ ++ int initiator; ++ u_char spii[8]; /* for IKEv2 */ ++ u_char spir[8]; + const EVP_CIPHER *evp; + int ivlen; + int authlen; ++ u_char authsecret[256]; ++ int authsecret_len; + u_char secret[256]; /* is that big enough for all secrets? */ + int secretlen; + }; + ++/* ++ * this will adjust ndo_packetp and ndo_snapend to new buffer! ++ */ ++int esp_print_decrypt_buffer_by_ikev2(netdissect_options *ndo, ++ int initiator, ++ u_char spii[8], u_char spir[8], ++ u_char *buf, u_char *end) ++{ ++ struct sa_list *sa; ++ u_char *iv; ++ int len; ++ EVP_CIPHER_CTX ctx; ++ ++ /* initiator arg is any non-zero value */ ++ if(initiator) initiator=1; ++ ++ /* see if we can find the SA, and if so, decode it */ ++ for (sa = ndo->ndo_sa_list_head; sa != NULL; sa = sa->next) { ++ if (sa->spi == 0 ++ && initiator == sa->initiator ++ && memcmp(spii, sa->spii, 8) == 0 ++ && memcmp(spir, sa->spir, 8) == 0) ++ break; ++ } ++ ++ if(sa == NULL) return 0; ++ if(sa->evp == NULL) return 0; ++ ++ /* ++ * remove authenticator, and see if we still have something to ++ * work with ++ */ ++ end = end - sa->authlen; ++ iv = buf; ++ buf = buf + sa->ivlen; ++ len = end-buf; ++ ++ if(end <= buf) return 0; ++ ++ memset(&ctx, 0, sizeof(ctx)); ++ if (EVP_CipherInit(&ctx, sa->evp, sa->secret, NULL, 0) < 0) ++ (*ndo->ndo_warning)(ndo, "espkey init failed"); ++ EVP_CipherInit(&ctx, NULL, NULL, iv, 0); ++ EVP_Cipher(&ctx, buf, buf, len); ++ ++ ndo->ndo_packetp = buf; ++ ndo->ndo_snapend = end; ++ ++ return 1; ++ ++} ++ + static void esp_print_addsa(netdissect_options *ndo, + struct sa_list *sa, int sa_def) + { +@@ -123,13 +180,193 @@ + } + + /* ++ * returns size of binary, 0 on failure. ++ */ ++static ++int espprint_decode_hex(netdissect_options *ndo, ++ u_char *binbuf, unsigned int binbuf_len, ++ char *hex) ++{ ++ unsigned int len; ++ int i; ++ ++ len = strlen(hex) / 2; ++ ++ if (len > binbuf_len) { ++ (*ndo->ndo_warning)(ndo, "secret is too big: %d\n", len); ++ return 0; ++ } ++ ++ i = 0; ++ while (hex[0] != '\0' && hex[1]!='\0') { ++ binbuf[i] = hex2byte(ndo, hex); ++ hex += 2; ++ i++; ++ } ++ ++ return i; ++} ++ ++/* + * decode the form: SPINUM@IP ALGONAME:0xsecret ++ */ ++ ++static int ++espprint_decode_encalgo(netdissect_options *ndo, ++ char *decode, struct sa_list *sa) ++{ ++ int len; ++ size_t i; ++ const EVP_CIPHER *evp; ++ int authlen = 0; ++ char *colon, *p; ++ ++ colon = strchr(decode, ':'); ++ if (colon == NULL) { ++ (*ndo->ndo_warning)(ndo, "failed to decode espsecret: %s\n", decode); ++ return 0; ++ } ++ *colon = '\0'; ++ ++ len = colon - decode; ++ if (strlen(decode) > strlen("-hmac96") && ++ !strcmp(decode + strlen(decode) - strlen("-hmac96"), ++ "-hmac96")) { ++ p = strstr(decode, "-hmac96"); ++ *p = '\0'; ++ authlen = 12; ++ } ++ if (strlen(decode) > strlen("-cbc") && ++ !strcmp(decode + strlen(decode) - strlen("-cbc"), "-cbc")) { ++ p = strstr(decode, "-cbc"); ++ *p = '\0'; ++ } ++ evp = EVP_get_cipherbyname(decode); ++ ++ if (!evp) { ++ (*ndo->ndo_warning)(ndo, "failed to find cipher algo %s\n", decode); ++ sa->evp = NULL; ++ sa->authlen = 0; ++ sa->ivlen = 0; ++ return 0; ++ } ++ ++ sa->evp = evp; ++ sa->authlen = authlen; ++ sa->ivlen = EVP_CIPHER_iv_length(evp); ++ ++ colon++; ++ if (colon[0] == '0' && colon[1] == 'x') { ++ /* decode some hex! */ ++ ++ colon += 2; ++ sa->secretlen = espprint_decode_hex(ndo, sa->secret, sizeof(sa->secret), colon); ++ if(sa->secretlen == 0) return 0; ++ } else { ++ i = strlen(colon); ++ ++ if (i < sizeof(sa->secret)) { ++ memcpy(sa->secret, colon, i); ++ sa->secretlen = i; ++ } else { ++ memcpy(sa->secret, colon, sizeof(sa->secret)); ++ sa->secretlen = sizeof(sa->secret); ++ } ++ } ++ ++ return 1; ++} ++ ++/* ++ * for the moment, ignore the auth algorith, just hard code the authenticator ++ * length. Need to research how openssl looks up HMAC stuff. ++ */ ++static int ++espprint_decode_authalgo(netdissect_options *ndo, ++ char *decode, struct sa_list *sa) ++{ ++ char *colon; ++ ++ colon = strchr(decode, ':'); ++ if (colon == NULL) { ++ (*ndo->ndo_warning)(ndo, "failed to decode espsecret: %s\n", decode); ++ return 0; ++ } ++ *colon = '\0'; ++ ++ if(strcasecmp(colon,"sha1") == 0 || ++ strcasecmp(colon,"md5") == 0) { ++ sa->authlen = 12; ++ } ++ return 1; ++} ++ ++static void esp_print_decode_ikeline(netdissect_options *ndo, char *line, ++ const char *file, int lineno) ++{ ++ /* it's an IKEv2 secret, store it instead */ ++ struct sa_list sa1; ++ ++ char *init; ++ char *icookie, *rcookie; ++ int ilen, rlen; ++ char *authkey; ++ char *enckey; ++ ++ init = strsep(&line, " \t"); ++ icookie = strsep(&line, " \t"); ++ rcookie = strsep(&line, " \t"); ++ authkey = strsep(&line, " \t"); ++ enckey = strsep(&line, " \t"); ++ ++ /* if any fields are missing */ ++ if(!init || !icookie || !rcookie || !authkey || !enckey) { ++ (*ndo->ndo_warning)(ndo, "print_esp: failed to find all fields for ikev2 at %s:%u", ++ file, lineno); ++ ++ return; ++ } ++ ++ ilen = strlen(icookie); ++ rlen = strlen(rcookie); ++ ++ if((init[0]!='I' && init[0]!='R') ++ || icookie[0]!='0' || icookie[1]!='x' ++ || rcookie[0]!='0' || rcookie[1]!='x' ++ || ilen!=18 ++ || rlen!=18) { ++ (*ndo->ndo_warning)(ndo, "print_esp: line %s:%u improperly formatted.", ++ file, lineno); ++ ++ (*ndo->ndo_warning)(ndo, "init=%s icookie=%s(%u) rcookie=%s(%u)", ++ init, icookie, ilen, rcookie, rlen); ++ ++ return; ++ } ++ ++ sa1.spi = 0; ++ sa1.initiator = (init[0] == 'I'); ++ if(espprint_decode_hex(ndo, sa1.spii, sizeof(sa1.spii), icookie+2)!=8) ++ return; ++ ++ if(espprint_decode_hex(ndo, sa1.spir, sizeof(sa1.spir), rcookie+2)!=8) ++ return; ++ ++ if(!espprint_decode_encalgo(ndo, enckey, &sa1)) return; ++ ++ if(!espprint_decode_authalgo(ndo, authkey, &sa1)) return; ++ ++ esp_print_addsa(ndo, &sa1, FALSE); ++} ++ ++/* + * + * special form: file /name + * causes us to go read from this file instead. + * + */ +-static void esp_print_decode_onesecret(netdissect_options *ndo, char *line) ++static void esp_print_decode_onesecret(netdissect_options *ndo, char *line, ++ const char *file, int lineno) + { + struct sa_list sa1; + int sa_def; +@@ -155,15 +392,18 @@ + /* open file and read it */ + FILE *secretfile; + char fileline[1024]; ++ int lineno=0; + char *nl; ++ char *filename = line; + +- secretfile = fopen(line, FOPEN_READ_TXT); ++ secretfile = fopen(filename, FOPEN_READ_TXT); + if (secretfile == NULL) { +- perror(line); ++ perror(filename); + exit(3); + } + + while (fgets(fileline, sizeof(fileline)-1, secretfile) != NULL) { ++ lineno++; + /* remove newline from the line */ + nl = strchr(fileline, '\n'); + if (nl) +@@ -171,31 +411,37 @@ + if (fileline[0] == '#') continue; + if (fileline[0] == '\0') continue; + +- esp_print_decode_onesecret(ndo, fileline); ++ esp_print_decode_onesecret(ndo, fileline, filename, lineno); + } + fclose(secretfile); + + return; + } + ++ if (spikey && strcasecmp(spikey, "ikev2") == 0) { ++ esp_print_decode_ikeline(ndo, line, file, lineno); ++ return; ++ } ++ + if (spikey) { ++ + char *spistr, *foo; + u_int32_t spino; + struct sockaddr_in *sin; + #ifdef INET6 + struct sockaddr_in6 *sin6; + #endif +- ++ + spistr = strsep(&spikey, "@"); +- ++ + spino = strtoul(spistr, &foo, 0); + if (spistr == foo || !spikey) { + (*ndo->ndo_warning)(ndo, "print_esp: failed to decode spi# %s\n", foo); + return; + } +- ++ + sa1.spi = spino; +- ++ + sin = (struct sockaddr_in *)&sa1.daddr; + #ifdef INET6 + sin6 = (struct sockaddr_in6 *)&sa1.daddr; +@@ -206,122 +452,63 @@ + sin6->sin6_family = AF_INET6; + } else + #endif +- if (inet_pton(AF_INET, spikey, &sin->sin_addr) == 1) { ++ if (inet_pton(AF_INET, spikey, &sin->sin_addr) == 1) { + #ifdef HAVE_SOCKADDR_SA_LEN +- sin->sin_len = sizeof(struct sockaddr_in); ++ sin->sin_len = sizeof(struct sockaddr_in); + #endif +- sin->sin_family = AF_INET; +- } else { +- (*ndo->ndo_warning)(ndo, "print_esp: can not decode IP# %s\n", spikey); +- return; +- } ++ sin->sin_family = AF_INET; ++ } else { ++ (*ndo->ndo_warning)(ndo, "print_esp: can not decode IP# %s\n", spikey); ++ return; ++ } + } + + if (decode) { +- char *colon, *p; +- u_char espsecret_key[256]; +- int len; +- size_t i; +- const EVP_CIPHER *evp; +- int authlen = 0; +- + /* skip any blank spaces */ + while (isspace((unsigned char)*decode)) + decode++; +- +- colon = strchr(decode, ':'); +- if (colon == NULL) { +- (*ndo->ndo_warning)(ndo, "failed to decode espsecret: %s\n", decode); ++ ++ if(!espprint_decode_encalgo(ndo, decode, &sa1)) { + return; + } +- *colon = '\0'; +- +- len = colon - decode; +- if (strlen(decode) > strlen("-hmac96") && +- !strcmp(decode + strlen(decode) - strlen("-hmac96"), +- "-hmac96")) { +- p = strstr(decode, "-hmac96"); +- *p = '\0'; +- authlen = 12; +- } +- if (strlen(decode) > strlen("-cbc") && +- !strcmp(decode + strlen(decode) - strlen("-cbc"), "-cbc")) { +- p = strstr(decode, "-cbc"); +- *p = '\0'; +- } +- evp = EVP_get_cipherbyname(decode); +- if (!evp) { +- (*ndo->ndo_warning)(ndo, "failed to find cipher algo %s\n", decode); +- sa1.evp = NULL; +- sa1.authlen = 0; +- sa1.ivlen = 0; +- return; +- } +- +- sa1.evp = evp; +- sa1.authlen = authlen; +- sa1.ivlen = EVP_CIPHER_iv_length(evp); +- +- colon++; +- if (colon[0] == '0' && colon[1] == 'x') { +- /* decode some hex! */ +- colon += 2; +- len = strlen(colon) / 2; +- +- if (len > 256) { +- (*ndo->ndo_warning)(ndo, "secret is too big: %d\n", len); +- return; +- } +- +- i = 0; +- while (colon[0] != '\0' && colon[1]!='\0') { +- espsecret_key[i] = hex2byte(ndo, colon); +- colon += 2; +- i++; +- } +- +- memcpy(sa1.secret, espsecret_key, i); +- sa1.secretlen = i; +- } else { +- i = strlen(colon); +- +- if (i < sizeof(sa1.secret)) { +- memcpy(sa1.secret, colon, i); +- sa1.secretlen = i; +- } else { +- memcpy(sa1.secret, colon, sizeof(sa1.secret)); +- sa1.secretlen = sizeof(sa1.secret); +- } +- } + } + + esp_print_addsa(ndo, &sa1, sa_def); + } + +-static void esp_print_decodesecret(netdissect_options *ndo) ++static void esp_init(netdissect_options *ndo _U_) ++{ ++ ++ OpenSSL_add_all_algorithms(); ++ EVP_add_cipher_alias(SN_des_ede3_cbc, "3des"); ++} ++ ++void esp_print_decodesecret(netdissect_options *ndo) + { + char *line; + char *p; ++ static int initialized = 0; ++ ++ if (!initialized) { ++ esp_init(ndo); ++ initialized = 1; ++ } + + p = ndo->ndo_espsecret; + +- while (ndo->ndo_espsecret && ndo->ndo_espsecret[0] != '\0') { ++ while (p && p[0] != '\0') { + /* pick out the first line or first thing until a comma */ +- if ((line = strsep(&ndo->ndo_espsecret, "\n,")) == NULL) { +- line = ndo->ndo_espsecret; +- ndo->ndo_espsecret = NULL; ++ if ((line = strsep(&p, "\n,")) == NULL) { ++ line = p; ++ p = NULL; + } + +- esp_print_decode_onesecret(ndo, line); ++ esp_print_decode_onesecret(ndo, line, "cmdline", 0); + } +-} + +-static void esp_init(netdissect_options *ndo _U_) +-{ +- +- OpenSSL_add_all_algorithms(); +- EVP_add_cipher_alias(SN_des_ede3_cbc, "3des"); ++ ndo->ndo_espsecret = NULL; + } ++ + #endif + + int +@@ -359,7 +546,6 @@ + u_char *p; + EVP_CIPHER_CTX ctx; + int blocksz; +- static int initialized = 0; + #endif + + esp = (struct newesp *)bp; +@@ -367,11 +553,6 @@ + #ifdef HAVE_LIBCRYPTO + secret = NULL; + advance = 0; +- +- if (!initialized) { +- esp_init(ndo); +- initialized = 1; +- } + #endif + + #if 0 +--- tcpdump/print-esp.c.leak 2007-12-05 12:58:45.000000000 +0100 ++++ tcpdump/print-esp.c 2007-12-05 12:30:47.000000000 +0100 +@@ -128,6 +128,7 @@ int esp_print_decrypt_buffer_by_ikev2(ne + (*ndo->ndo_warning)(ndo, "espkey init failed"); + EVP_CipherInit(&ctx, NULL, NULL, iv, 0); + EVP_Cipher(&ctx, buf, buf, len); ++ EVP_CIPHER_CTX_cleanup(&ctx); + + ndo->ndo_packetp = buf; + ndo->ndo_snapend = end; +@@ -662,6 +663,7 @@ esp_print(netdissect_options *ndo, + p = ivoff; + EVP_CipherInit(&ctx, NULL, NULL, p, 0); + EVP_Cipher(&ctx, p + ivlen, p + ivlen, ep - (p + ivlen)); ++ EVP_CIPHER_CTX_cleanup(&ctx); + advance = ivoff - (u_char *)esp + ivlen; + } else + advance = sizeof(struct newesp); +Index: tcpdump/interface.h +=================================================================== +RCS file: /tcpdump/master/tcpdump/interface.h,v +retrieving revision 1.278 +retrieving revision 1.279 +diff -u -r1.278 -r1.279 +--- tcpdump/interface.h 8 Aug 2007 17:20:58 -0000 1.278 ++++ tcpdump/interface.h 29 Aug 2007 12:31:00 -0000 1.279 +@@ -356,6 +356,7 @@ + + /* forward compatibility */ + ++#ifndef NETDISSECT_REWORKED + extern netdissect_options *gndo; + + #define eflag gndo->ndo_eflag +@@ -389,3 +390,4 @@ + #define snaplen gndo->ndo_snaplen + #define snapend gndo->ndo_snapend + ++#endif diff --git a/tcpdump.spec b/tcpdump.spec index 3cf368b..1ec7098 100644 --- a/tcpdump.spec +++ b/tcpdump.spec @@ -2,7 +2,7 @@ Summary: A network traffic monitoring tool Name: tcpdump Epoch: 14 Version: 3.9.8 -Release: 2%{?dist} +Release: 3%{?dist} License: BSD with advertising URL: http://www.tcpdump.org Group: Applications/Internet @@ -15,7 +15,7 @@ Source1: ftp://ftp.ee.lbl.gov/tcpslice-1.2a3.tar.gz Patch1: tcpdump-3.9.7-droproot.patch Patch2: tcpdump-3.6.1-portnumbers.patch Patch3: tcpdump-3.9.7-crypto.patch -Patch4: tcpdump-3.9.7-ikev2.patch +Patch4: tcpdump-3.9.8-ikev2.patch Patch5: tcpslice-1.2a3-time.patch Patch6: tcpslice-CVS.20010207-bpf.patch Patch7: tcpdump-3.9.8-gethostby.patch @@ -63,7 +63,7 @@ mkdir -p ${RPM_BUILD_ROOT}%{_libdir} mkdir -p ${RPM_BUILD_ROOT}%{_mandir}/man8 mkdir -p ${RPM_BUILD_ROOT}%{_sbindir} -pushd %tcpslice_dir +pushd %{tcpslice_dir} install -m755 tcpslice ${RPM_BUILD_ROOT}%{_sbindir} install -m644 tcpslice.1 ${RPM_BUILD_ROOT}%{_mandir}/man8/tcpslice.8 popd @@ -93,6 +93,9 @@ exit 0 %{_mandir}/man8/tcpdump.8* %changelog +* Thu Dec 06 2007 Miroslav Lichvar - 14:3.9.8-3 +- update IKEv2 support + * Thu Dec 6 2007 Jeremy Katz - 14:3.9.8-2 - rebuild for new openssl