rpms/tcpdump
7
0
Fork 0
Code Issues Pull Requests Releases Activity
0b97fc6175
tcpdump/tcpdump-3.9.7-ikev2.patch
Miroslav Lichvar f987273429 - support decoding IKEv2 packets
2007-09-18 14:34:58 +00:00

2645 lines
72 KiB
Diff
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

Index: tcpdump/interface.h
===================================================================
RCS file: /tcpdump/master/tcpdump/interface.h,v
retrieving revision 1.278
retrieving revision 1.279
diff -u -r1.278 -r1.279
--- tcpdump/interface.h 8 Aug 2007 17:20:58 -0000 1.278
+++ tcpdump/interface.h 29 Aug 2007 12:31:00 -0000 1.279
@@ -356,6 +356,7 @@
/* forward compatibility */
+#ifndef NETDISSECT_REWORKED
extern netdissect_options *gndo;
#define eflag gndo->ndo_eflag
@@ -389,3 +390,4 @@
#define snaplen gndo->ndo_snaplen
#define snapend gndo->ndo_snapend
+#endif
Index: tcpdump/isakmp.h
===================================================================
RCS file: /tcpdump/master/tcpdump/isakmp.h,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -r1.10 -r1.11
--- tcpdump/isakmp.h 11 Dec 2002 07:13:54 -0000 1.10
+++ tcpdump/isakmp.h 29 Aug 2007 02:38:14 -0000 1.11
@@ -81,7 +81,7 @@
#define ISAKMP_TIMER_DEFAULT 10 /* seconds */
#define ISAKMP_TRY_DEFAULT 3 /* times */
-/* 3.1 ISAKMP Header Format
+/* 3.1 ISAKMP Header Format (IKEv1 and IKEv2)
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! Initiator !
@@ -128,8 +128,11 @@
#define ISAKMP_NPTYPE_D 12 /* Delete */
#define ISAKMP_NPTYPE_VID 13 /* Vendor ID */
-#define ISAKMP_MAJOR_VERSION 1
-#define ISAKMP_MINOR_VERSION 0
+#define IKEv1_MAJOR_VERSION 1
+#define IKEv1_MINOR_VERSION 0
+
+#define IKEv2_MAJOR_VERSION 2
+#define IKEv2_MINOR_VERSION 0
/* Exchange Type */
#define ISAKMP_ETYPE_NONE 0 /* NONE */
@@ -142,6 +145,13 @@
/* Flags */
#define ISAKMP_FLAG_E 0x01 /* Encryption Bit */
#define ISAKMP_FLAG_C 0x02 /* Commit Bit */
+#define ISAKMP_FLAG_extra 0x04
+
+/* IKEv2 */
+#define ISAKMP_FLAG_I (1 << 3) /* (I)nitiator */
+#define ISAKMP_FLAG_V (1 << 4) /* (V)ersion */
+#define ISAKMP_FLAG_R (1 << 5) /* (R)esponse */
+
/* 3.2 Payload Generic Header
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
@@ -151,7 +161,7 @@
*/
struct isakmp_gen {
u_int8_t np; /* Next Payload */
- u_int8_t reserved; /* RESERVED, unused, must set to 0 */
+ u_int8_t critical; /* bit 7 - critical, rest is RESERVED */
u_int16_t len; /* Payload Length */
};
@@ -188,7 +198,7 @@
message of a Base Exchange (see Section 4.4) and the value "0" in the
first message of an Identity Protect Exchange (see Section 4.5).
*/
-struct isakmp_pl_sa {
+struct ikev1_pl_sa {
struct isakmp_gen h;
u_int32_t doi; /* Domain of Interpretation */
u_int32_t sit; /* Situation */
@@ -202,7 +212,7 @@
last within the security association proposal, then this field will
be 0.
*/
-struct isakmp_pl_p {
+struct ikev1_pl_p {
struct isakmp_gen h;
u_int8_t p_no; /* Proposal # */
u_int8_t prot_id; /* Protocol */
@@ -218,7 +228,7 @@
then this field will be 3. If the current Transform payload is the
last within the proposal, then this field will be 0.
*/
-struct isakmp_pl_t {
+struct ikev1_pl_t {
struct isakmp_gen h;
u_int8_t t_no; /* Transform # */
u_int8_t t_id; /* Transform-Id */
@@ -227,14 +237,14 @@
};
/* 3.7 Key Exchange Payload */
-struct isakmp_pl_ke {
+struct ikev1_pl_ke {
struct isakmp_gen h;
/* Key Exchange Data */
};
/* 3.8 Identification Payload */
/* MUST NOT to be used, because of being defined in ipsec-doi. */
-struct isakmp_pl_id {
+struct ikev1_pl_id {
struct isakmp_gen h;
union {
u_int8_t id_type; /* ID Type */
@@ -244,7 +254,7 @@
};
/* 3.9 Certificate Payload */
-struct isakmp_pl_cert {
+struct ikev1_pl_cert {
struct isakmp_gen h;
u_int8_t encode; /* Cert Encoding */
char cert; /* Certificate Data */
@@ -268,7 +278,7 @@
#define ISAKMP_CERT_SPKI 9
/* 3.10 Certificate Request Payload */
-struct isakmp_pl_cr {
+struct ikev1_pl_cr {
struct isakmp_gen h;
u_int8_t num_cert; /* # Cert. Types */
/*
@@ -283,27 +293,27 @@
/* 3.11 Hash Payload */
/* may not be used, because of having only data. */
-struct isakmp_pl_hash {
+struct ikev1_pl_hash {
struct isakmp_gen h;
/* Hash Data */
};
/* 3.12 Signature Payload */
/* may not be used, because of having only data. */
-struct isakmp_pl_sig {
+struct ikev1_pl_sig {
struct isakmp_gen h;
/* Signature Data */
};
/* 3.13 Nonce Payload */
/* may not be used, because of having only data. */
-struct isakmp_pl_nonce {
+struct ikev1_pl_nonce {
struct isakmp_gen h;
/* Nonce Data */
};
/* 3.14 Notification Payload */
-struct isakmp_pl_n {
+struct ikev1_pl_n {
struct isakmp_gen h;
u_int32_t doi; /* Domain of Interpretation */
u_int8_t prot_id; /* Protocol-ID */
@@ -347,7 +357,7 @@
#define ISAKMP_LOG_RETRY_LIMIT_REACHED 65530
/* 3.15 Delete Payload */
-struct isakmp_pl_d {
+struct ikev1_pl_d {
struct isakmp_gen h;
u_int32_t doi; /* Domain of Interpretation */
u_int8_t prot_id; /* Protocol-Id */
@@ -357,15 +367,15 @@
};
-struct isakmp_ph1tab {
- struct isakmp_ph1 *head;
- struct isakmp_ph1 *tail;
+struct ikev1_ph1tab {
+ struct ikev1_ph1 *head;
+ struct ikev1_ph1 *tail;
int len;
};
struct isakmp_ph2tab {
- struct isakmp_ph2 *head;
- struct isakmp_ph2 *tail;
+ struct ikev1_ph2 *head;
+ struct ikev1_ph2 *tail;
int len;
};
@@ -375,4 +385,99 @@
#define PFS_NEED 1
#define PFS_NONEED 0
+/* IKEv2 (RFC4306) */
+
+/* 3.3 Security Association Payload -- generic header */
+/* 3.3.1. Proposal Substructure */
+struct ikev2_p {
+ struct isakmp_gen h;
+ u_int8_t p_no; /* Proposal # */
+ u_int8_t prot_id; /* Protocol */
+ u_int8_t spi_size; /* SPI Size */
+ u_int8_t num_t; /* Number of Transforms */
+};
+
+/* 3.3.2. Transform Substructure */
+struct ikev2_t {
+ struct isakmp_gen h;
+ u_int8_t t_type; /* Transform Type (ENCR,PRF,INTEG,etc.*/
+ u_int8_t res2; /* reserved byte */
+ u_int16_t t_id; /* Transform ID */
+};
+
+enum ikev2_t_type {
+ IV2_T_ENCR = 1,
+ IV2_T_PRF = 2,
+ IV2_T_INTEG= 3,
+ IV2_T_DH = 4,
+ IV2_T_ESN = 5,
+};
+
+/* 3.4. Key Exchange Payload */
+struct ikev2_ke {
+ struct isakmp_gen h;
+ u_int16_t ke_group;
+ u_int16_t ke_res1;
+ /* KE data */
+};
+
+
+/* 3.10 Notification Payload */
+struct ikev2_n {
+ struct isakmp_gen h;
+ u_int8_t prot_id; /* Protocol-ID */
+ u_int8_t spi_size; /* SPI Size */
+ u_int16_t type; /* Notify Message Type */
+ /* SPI */
+ /* Notification Data */
+};
+
+enum ikev2_n_type {
+ IV2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD = 1,
+ IV2_NOTIFY_INVALID_IKE_SPI = 4,
+ IV2_NOTIFY_INVALID_MAJOR_VERSION = 5,
+ IV2_NOTIFY_INVALID_SYNTAX = 7,
+ IV2_NOTIFY_INVALID_MESSAGE_ID = 9,
+ IV2_NOTIFY_INVALID_SPI =11,
+ IV2_NOTIFY_NO_PROPOSAL_CHOSEN =14,
+ IV2_NOTIFY_INVALID_KE_PAYLOAD =17,
+ IV2_NOTIFY_AUTHENTICATION_FAILED =24,
+ IV2_NOTIFY_SINGLE_PAIR_REQUIRED =34,
+ IV2_NOTIFY_NO_ADDITIONAL_SAS =35,
+ IV2_NOTIFY_INTERNAL_ADDRESS_FAILURE =36,
+ IV2_NOTIFY_FAILED_CP_REQUIRED =37,
+ IV2_NOTIFY_INVALID_SELECTORS =39,
+ IV2_NOTIFY_INITIAL_CONTACT =16384,
+ IV2_NOTIFY_SET_WINDOW_SIZE =16385,
+ IV2_NOTIFY_ADDITIONAL_TS_POSSIBLE =16386,
+ IV2_NOTIFY_IPCOMP_SUPPORTED =16387,
+ IV2_NOTIFY_NAT_DETECTION_SOURCE_IP =16388,
+ IV2_NOTIFY_NAT_DETECTION_DESTINATION_IP =16389,
+ IV2_NOTIFY_COOKIE =16390,
+ IV2_NOTIFY_USE_TRANSPORT_MODE =16391,
+ IV2_NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED =16392,
+ IV2_NOTIFY_REKEY_SA =16393,
+ IV2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED =16394,
+ IV2_NOTIFY_NON_FIRST_FRAGMENTS_ALSO =16395
+};
+
+struct notify_messages {
+ u_int16_t type;
+ char *msg;
+};
+
+/* 3.8 Notification Payload */
+struct ikev2_auth {
+ struct isakmp_gen h;
+ u_int8_t auth_method; /* Protocol-ID */
+ u_int8_t reserved[3];
+ /* authentication data */
+};
+
+enum ikev2_auth_type {
+ IV2_RSA_SIG = 1,
+ IV2_SHARED = 2,
+ IV2_DSS_SIG = 3,
+};
+
#endif /* !defined(_ISAKMP_H_) */
Index: tcpdump/print-isakmp.c
===================================================================
RCS file: /tcpdump/master/tcpdump/print-isakmp.c,v
retrieving revision 1.53
retrieving revision 1.56
diff -u -r1.53 -r1.56
--- tcpdump/print-isakmp.c 27 Aug 2006 18:48:29 -0000 1.53
+++ tcpdump/print-isakmp.c 29 Aug 2007 12:31:00 -0000 1.56
@@ -34,4 +34,5 @@
#endif
+#define NETDISSECT_REWORKED
#ifdef HAVE_CONFIG_H
#include "config.h"
@@ -59,39 +60,64 @@
#define sockaddr_storage sockaddr
#endif
-static const u_char *isakmp_sa_print(const struct isakmp_gen *,
- u_int, const u_char *, u_int32_t, u_int32_t, u_int32_t, int);
-static const u_char *isakmp_p_print(const struct isakmp_gen *,
- u_int, const u_char *, u_int32_t, u_int32_t, u_int32_t, int);
-static const u_char *isakmp_t_print(const struct isakmp_gen *,
- u_int, const u_char *, u_int32_t, u_int32_t, u_int32_t, int);
-static const u_char *isakmp_ke_print(const struct isakmp_gen *,
- u_int, const u_char *, u_int32_t, u_int32_t, u_int32_t, int);
-static const u_char *isakmp_id_print(const struct isakmp_gen *,
- u_int, const u_char *, u_int32_t, u_int32_t, u_int32_t, int);
-static const u_char *isakmp_cert_print(const struct isakmp_gen *,
- u_int, const u_char *, u_int32_t, u_int32_t, u_int32_t, int);
-static const u_char *isakmp_cr_print(const struct isakmp_gen *,
- u_int, const u_char *, u_int32_t, u_int32_t, u_int32_t, int);
-static const u_char *isakmp_sig_print(const struct isakmp_gen *,
- u_int, const u_char *, u_int32_t, u_int32_t, u_int32_t, int);
-static const u_char *isakmp_hash_print(const struct isakmp_gen *,
- u_int, const u_char *, u_int32_t, u_int32_t, u_int32_t, int);
-static const u_char *isakmp_nonce_print(const struct isakmp_gen *,
- u_int, const u_char *, u_int32_t, u_int32_t, u_int32_t, int);
-static const u_char *isakmp_n_print(const struct isakmp_gen *,
- u_int, const u_char *, u_int32_t, u_int32_t, u_int32_t, int);
-static const u_char *isakmp_d_print(const struct isakmp_gen *,
- u_int, const u_char *, u_int32_t, u_int32_t, u_int32_t, int);
-static const u_char *isakmp_vid_print(const struct isakmp_gen *,
- u_int, const u_char *, u_int32_t, u_int32_t, u_int32_t, int);
-static const u_char *isakmp_sub0_print(u_char, const struct isakmp_gen *,
+#define DECLARE_PRINTER(func) static const u_char *ike##func##_print( \
+ netdissect_options *ndo, u_char tpay, \
+ const struct isakmp_gen *ext, \
+ u_int item_len, \
+ const u_char *end_pointer, \
+ u_int32_t phase,\
+ u_int32_t doi0, \
+ u_int32_t proto0, int depth)
+
+DECLARE_PRINTER(v1_sa);
+DECLARE_PRINTER(v1_p);
+DECLARE_PRINTER(v1_t);
+DECLARE_PRINTER(v1_ke);
+DECLARE_PRINTER(v1_id);
+DECLARE_PRINTER(v1_cert);
+DECLARE_PRINTER(v1_cr);
+DECLARE_PRINTER(v1_sig);
+DECLARE_PRINTER(v1_hash);
+DECLARE_PRINTER(v1_nonce);
+DECLARE_PRINTER(v1_n);
+DECLARE_PRINTER(v1_d);
+DECLARE_PRINTER(v1_vid);
+
+DECLARE_PRINTER(v2_sa);
+DECLARE_PRINTER(v2_ke);
+DECLARE_PRINTER(v2_ID);
+DECLARE_PRINTER(v2_cert);
+DECLARE_PRINTER(v2_cr);
+DECLARE_PRINTER(v2_auth);
+DECLARE_PRINTER(v2_nonce);
+DECLARE_PRINTER(v2_n);
+DECLARE_PRINTER(v2_d);
+DECLARE_PRINTER(v2_vid);
+DECLARE_PRINTER(v2_TS);
+DECLARE_PRINTER(v2_e);
+DECLARE_PRINTER(v2_cp);
+DECLARE_PRINTER(v2_eap);
+
+static const u_char *ike_sub0_print(netdissect_options *ndo,u_char, const struct isakmp_gen *,
const u_char *, u_int32_t, u_int32_t, u_int32_t, int);
-static const u_char *isakmp_sub_print(u_char, const struct isakmp_gen *,
+static const u_char *ikev1_sub_print(netdissect_options *ndo,u_char, const struct isakmp_gen *,
const u_char *, u_int32_t, u_int32_t, u_int32_t, int);
+
+static const u_char *ikev2_sub_print(netdissect_options *ndo,
+ u_char np, const struct isakmp_gen *ext,
+ const u_char *ep, u_int32_t phase,
+ u_int32_t doi, u_int32_t proto,
+ int depth);
+
+
static char *numstr(int);
static void safememcpy(void *, const void *, size_t);
+static void
+ikev1_print(netdissect_options *ndo,
+ const u_char *bp, u_int length,
+ const u_char *bp2, struct isakmp *base);
+
#define MAXINITIATORS 20
int ninitiator = 0;
struct {
@@ -107,36 +133,73 @@
/* isakmp->np */
static const char *npstr[] = {
- "none", "sa", "p", "t", "ke", "id", "cert", "cr", "hash",
- "sig", "nonce", "n", "d", "vid"
+ "none", "sa", "p", "t", "ke", "id", "cert", "cr", "hash", /* 0 - 8 */
+ "sig", "nonce", "n", "d", "vid", /* 9 - 13 */
+ "pay14", "pay15", "pay16", "pay17", "pay18", /* 14- 18 */
+ "pay19", "pay20", "pay21", "pay22", "pay23", /* 19- 23 */
+ "pay24", "pay25", "pay26", "pay27", "pay28", /* 24- 28 */
+ "pay29", "pay30", "pay31", "pay32", /* 29- 32 */
+ "v2sa", "v2ke", "v2IDi", "v2IDr", "v2cert",/* 33- 37 */
+ "v2cr", "v2auth","v2nonce", "v2n", "v2d", /* 38- 42 */
+ "v2vid", "v2TSi", "v2TSr", "v2e", "v2cp", /* 43- 47 */
+ "v2eap", /* 48 */
+
};
/* isakmp->np */
-static const u_char *(*npfunc[])(const struct isakmp_gen *, u_int,
- const u_char *, u_int32_t, u_int32_t, u_int32_t, int) = {
+static const u_char *(*npfunc[])(netdissect_options *ndo, u_char tpay,
+ const struct isakmp_gen *ext,
+ u_int item_len,
+ const u_char *end_pointer,
+ u_int32_t phase,
+ u_int32_t doi0,
+ u_int32_t proto0, int depth) = {
NULL,
- isakmp_sa_print,
- isakmp_p_print,
- isakmp_t_print,
- isakmp_ke_print,
- isakmp_id_print,
- isakmp_cert_print,
- isakmp_cr_print,
- isakmp_hash_print,
- isakmp_sig_print,
- isakmp_nonce_print,
- isakmp_n_print,
- isakmp_d_print,
- isakmp_vid_print,
+ ikev1_sa_print,
+ ikev1_p_print,
+ ikev1_t_print,
+ ikev1_ke_print,
+ ikev1_id_print,
+ ikev1_cert_print,
+ ikev1_cr_print,
+ ikev1_hash_print,
+ ikev1_sig_print,
+ ikev1_nonce_print,
+ ikev1_n_print,
+ ikev1_d_print,
+ ikev1_vid_print, /* 13 */
+ NULL, NULL, NULL, NULL, NULL, /* 14- 18 */
+ NULL, NULL, NULL, NULL, NULL, /* 19- 23 */
+ NULL, NULL, NULL, NULL, NULL, /* 24- 28 */
+ NULL, NULL, NULL, NULL, /* 29- 32 */
+ ikev2_sa_print, /* 33 */
+ ikev2_ke_print, /* 34 */
+ ikev2_ID_print, /* 35 */
+ ikev2_ID_print, /* 36 */
+ ikev2_cert_print, /* 37 */
+ ikev2_cr_print, /* 38 */
+ ikev2_auth_print, /* 39 */
+ ikev2_nonce_print, /* 40 */
+ ikev2_n_print, /* 41 */
+ ikev2_d_print, /* 42 */
+ ikev2_vid_print, /* 43 */
+ ikev2_TS_print, /* 44 */
+ ikev2_TS_print, /* 45 */
+ ikev2_e_print, /* 46 */
+ ikev2_cp_print, /* 47 */
+ ikev2_eap_print, /* 48 */
};
/* isakmp->etype */
static const char *etypestr[] = {
- "none", "base", "ident", "auth", "agg", "inf", NULL, NULL,
- NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
- NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
- NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
- "oakley-quick", "oakley-newgroup",
+/* IKEv1 exchange types */
+ "none", "base", "ident", "auth", "agg", "inf", NULL, NULL, /* 0-7 */
+ NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 8-15 */
+ NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 16-23 */
+ NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 24-31 */
+ "oakley-quick", "oakley-newgroup", /* 32-33 */
+/* IKEv2 exchange types */
+ "ikev2_init", "ikev2_auth", "child_sa", "inf2" /* 34-37 */
};
#define STR_OR_ID(x, tab) \
@@ -145,6 +208,13 @@
#define NPSTR(x) STR_OR_ID(x, npstr)
#define ETYPESTR(x) STR_OR_ID(x, etypestr)
+#define CHECKLEN(p, np) \
+ if (ep < (u_char *)(p)) { \
+ ND_PRINT((ndo," [|%s]", NPSTR(np))); \
+ goto done; \
+ }
+
+
#define NPFUNC(x) \
(((x) < sizeof(npfunc)/sizeof(npfunc[0]) && npfunc[(x)]) \
? npfunc[(x)] : NULL)
@@ -322,21 +392,54 @@
}
static int
-rawprint(caddr_t loc, size_t len)
+rawprint(netdissect_options *ndo, caddr_t loc, size_t len)
{
static u_char *p;
size_t i;
- TCHECK2(*loc, len);
+ ND_TCHECK2(*loc, len);
p = (u_char *)loc;
for (i = 0; i < len; i++)
- printf("%02x", p[i] & 0xff);
+ ND_PRINT((ndo,"%02x", p[i] & 0xff));
return 1;
trunc:
return 0;
}
+/*
+ * returns false if we run out of data buffer
+ */
+static int ike_show_somedata(struct netdissect_options *ndo,
+ const u_char *cp, const u_char *ep)
+{
+ /* there is too much data, just show some of it */
+ const u_char *end = ep - 20;
+ int elen = 20;
+ int len = ep - cp;
+ if(len > 10) {
+ len = 10;
+ }
+
+ /* really shouldn't happen because of above */
+ if(end < cp + len) {
+ end = cp+len;
+ elen = ep - end;
+ }
+
+ ND_PRINT((ndo," data=("));
+ if(!rawprint(ndo, (caddr_t)(cp), len)) goto trunc;
+ ND_PRINT((ndo, "..."));
+ if(elen) {
+ if(!rawprint(ndo, (caddr_t)(end), elen)) goto trunc;
+ }
+ ND_PRINT((ndo,")"));
+ return 1;
+
+trunc:
+ return 0;
+}
+
struct attrmap {
const char *type;
u_int nvalue;
@@ -344,8 +447,9 @@
};
static const u_char *
-isakmp_attrmap_print(const u_char *p, const u_char *ep,
- const struct attrmap *map, size_t nmap)
+ikev1_attrmap_print(netdissect_options *ndo,
+ const u_char *p, const u_char *ep,
+ const struct attrmap *map, size_t nmap)
{
u_int16_t *q;
int totlen;
@@ -357,33 +461,33 @@
else
totlen = 4 + EXTRACT_16BITS(&q[1]);
if (ep < p + totlen) {
- printf("[|attr]");
+ ND_PRINT((ndo,"[|attr]"));
return ep + 1;
}
- printf("(");
+ ND_PRINT((ndo,"("));
t = EXTRACT_16BITS(&q[0]) & 0x7fff;
if (map && t < nmap && map[t].type)
- printf("type=%s ", map[t].type);
+ ND_PRINT((ndo,"type=%s ", map[t].type));
else
- printf("type=#%d ", t);
+ ND_PRINT((ndo,"type=#%d ", t));
if (p[0] & 0x80) {
- printf("value=");
+ ND_PRINT((ndo,"value="));
v = EXTRACT_16BITS(&q[1]);
if (map && t < nmap && v < map[t].nvalue && map[t].value[v])
- printf("%s", map[t].value[v]);
+ ND_PRINT((ndo,"%s", map[t].value[v]));
else
- rawprint((caddr_t)&q[1], 2);
+ rawprint(ndo, (caddr_t)&q[1], 2);
} else {
- printf("len=%d value=", EXTRACT_16BITS(&q[1]));
- rawprint((caddr_t)&p[4], EXTRACT_16BITS(&q[1]));
+ ND_PRINT((ndo,"len=%d value=", EXTRACT_16BITS(&q[1])));
+ rawprint(ndo, (caddr_t)&p[4], EXTRACT_16BITS(&q[1]));
}
- printf(")");
+ ND_PRINT((ndo,")"));
return p + totlen;
}
static const u_char *
-isakmp_attr_print(const u_char *p, const u_char *ep)
+ikev1_attr_print(netdissect_options *ndo, const u_char *p, const u_char *ep)
{
u_int16_t *q;
int totlen;
@@ -395,129 +499,166 @@
else
totlen = 4 + EXTRACT_16BITS(&q[1]);
if (ep < p + totlen) {
- printf("[|attr]");
+ ND_PRINT((ndo,"[|attr]"));
return ep + 1;
}
- printf("(");
+ ND_PRINT((ndo,"("));
t = EXTRACT_16BITS(&q[0]) & 0x7fff;
- printf("type=#%d ", t);
+ ND_PRINT((ndo,"type=#%d ", t));
if (p[0] & 0x80) {
- printf("value=");
+ ND_PRINT((ndo,"value="));
t = q[1];
- rawprint((caddr_t)&q[1], 2);
+ rawprint(ndo, (caddr_t)&q[1], 2);
} else {
- printf("len=%d value=", EXTRACT_16BITS(&q[1]));
- rawprint((caddr_t)&p[2], EXTRACT_16BITS(&q[1]));
+ ND_PRINT((ndo,"len=%d value=", EXTRACT_16BITS(&q[1])));
+ rawprint(ndo, (caddr_t)&p[2], EXTRACT_16BITS(&q[1]));
}
- printf(")");
+ ND_PRINT((ndo,")"));
return p + totlen;
}
static const u_char *
-isakmp_sa_print(const struct isakmp_gen *ext,
+ikev1_sa_print(netdissect_options *ndo, u_char tpay _U_,
+ const struct isakmp_gen *ext,
u_int item_len _U_,
const u_char *ep, u_int32_t phase, u_int32_t doi0 _U_,
u_int32_t proto0, int depth)
{
- const struct isakmp_pl_sa *p;
- struct isakmp_pl_sa sa;
+ const struct ikev1_pl_sa *p;
+ struct ikev1_pl_sa sa;
const u_int32_t *q;
u_int32_t doi, sit, ident;
const u_char *cp, *np;
int t;
- printf("%s:", NPSTR(ISAKMP_NPTYPE_SA));
+ ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_SA)));
- p = (struct isakmp_pl_sa *)ext;
- TCHECK(*p);
+ p = (struct ikev1_pl_sa *)ext;
+ ND_TCHECK(*p);
safememcpy(&sa, ext, sizeof(sa));
doi = ntohl(sa.doi);
sit = ntohl(sa.sit);
if (doi != 1) {
- printf(" doi=%d", doi);
- printf(" situation=%u", (u_int32_t)ntohl(sa.sit));
+ ND_PRINT((ndo," doi=%d", doi));
+ ND_PRINT((ndo," situation=%u", (u_int32_t)ntohl(sa.sit)));
return (u_char *)(p + 1);
}
- printf(" doi=ipsec");
+ ND_PRINT((ndo," doi=ipsec"));
q = (u_int32_t *)&sa.sit;
- printf(" situation=");
+ ND_PRINT((ndo," situation="));
t = 0;
if (sit & 0x01) {
- printf("identity");
+ ND_PRINT((ndo,"identity"));
t++;
}
if (sit & 0x02) {
- printf("%ssecrecy", t ? "+" : "");
+ ND_PRINT((ndo,"%ssecrecy", t ? "+" : ""));
t++;
}
if (sit & 0x04)
- printf("%sintegrity", t ? "+" : "");
+ ND_PRINT((ndo,"%sintegrity", t ? "+" : ""));
np = (u_char *)ext + sizeof(sa);
if (sit != 0x01) {
- TCHECK2(*(ext + 1), sizeof(ident));
+ ND_TCHECK2(*(ext + 1), sizeof(ident));
safememcpy(&ident, ext + 1, sizeof(ident));
- printf(" ident=%u", (u_int32_t)ntohl(ident));
+ ND_PRINT((ndo," ident=%u", (u_int32_t)ntohl(ident)));
np += sizeof(ident);
}
ext = (struct isakmp_gen *)np;
- TCHECK(*ext);
+ ND_TCHECK(*ext);
- cp = isakmp_sub_print(ISAKMP_NPTYPE_P, ext, ep, phase, doi, proto0,
+ cp = ikev1_sub_print(ndo, ISAKMP_NPTYPE_P, ext, ep, phase, doi, proto0,
depth);
return cp;
trunc:
- printf(" [|%s]", NPSTR(ISAKMP_NPTYPE_SA));
+ ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_SA)));
return NULL;
}
static const u_char *
-isakmp_p_print(const struct isakmp_gen *ext, u_int item_len _U_,
+ikev1_p_print(netdissect_options *ndo, u_char tpay _U_,
+ const struct isakmp_gen *ext, u_int item_len _U_,
const u_char *ep, u_int32_t phase, u_int32_t doi0,
u_int32_t proto0 _U_, int depth)
{
- const struct isakmp_pl_p *p;
- struct isakmp_pl_p prop;
+ const struct ikev1_pl_p *p;
+ struct ikev1_pl_p prop;
const u_char *cp;
- printf("%s:", NPSTR(ISAKMP_NPTYPE_P));
+ ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_P)));
- p = (struct isakmp_pl_p *)ext;
- TCHECK(*p);
+ p = (struct ikev1_pl_p *)ext;
+ ND_TCHECK(*p);
safememcpy(&prop, ext, sizeof(prop));
- printf(" #%d protoid=%s transform=%d",
- prop.p_no, PROTOIDSTR(prop.prot_id), prop.num_t);
+ ND_PRINT((ndo," #%d protoid=%s transform=%d",
+ prop.p_no, PROTOIDSTR(prop.prot_id), prop.num_t));
if (prop.spi_size) {
- printf(" spi=");
- if (!rawprint((caddr_t)(p + 1), prop.spi_size))
+ ND_PRINT((ndo," spi="));
+ if (!rawprint(ndo, (caddr_t)(p + 1), prop.spi_size))
goto trunc;
}
ext = (struct isakmp_gen *)((u_char *)(p + 1) + prop.spi_size);
- TCHECK(*ext);
-
- cp = isakmp_sub_print(ISAKMP_NPTYPE_T, ext, ep, phase, doi0,
- prop.prot_id, depth);
-
+ ND_TCHECK(*ext);
+
+ cp = ikev1_sub_print(ndo, ISAKMP_NPTYPE_T, ext, ep, phase, doi0,
+ prop.prot_id, depth);
+
return cp;
trunc:
- printf(" [|%s]", NPSTR(ISAKMP_NPTYPE_P));
+ ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_P)));
return NULL;
}
-static const char *isakmp_p_map[] = {
+static const char *ikev1_p_map[] = {
NULL, "ike",
};
+static const char *ikev2_t_type_map[]={
+ NULL, "encr", "prf", "integ", "dh", "esn"
+};
+
static const char *ah_p_map[] = {
NULL, "(reserved)", "md5", "sha", "1des",
"sha2-256", "sha2-384", "sha2-512",
};
+static const char *prf_p_map[] = {
+ NULL, "hmac-md5", "hmac-sha", "hmac-tiger",
+ "aes128_xcbc"
+};
+
+static const char *integ_p_map[] = {
+ NULL, "hmac-md5", "hmac-sha", "dec-mac",
+ "kpdk-md5", "aes-xcbc"
+};
+
+static const char *esn_p_map[] = {
+ "no-esn", "esn"
+};
+
+static const char *dh_p_map[] = {
+ NULL, "modp768",
+ "modp1024", /* group 2 */
+ "EC2N 2^155", /* group 3 */
+ "EC2N 2^185", /* group 4 */
+ "modp1536", /* group 5 */
+ "iana-grp06", "iana-grp07", /* reserved */
+ "iana-grp08", "iana-grp09",
+ "iana-grp10", "iana-grp11",
+ "iana-grp12", "iana-grp13",
+ "modp2048", /* group 14 */
+ "modp3072", /* group 15 */
+ "modp4096", /* group 16 */
+ "modp6144", /* group 17 */
+ "modp8192", /* group 18 */
+};
+
static const char *esp_p_map[] = {
NULL, "1des-iv64", "1des", "3des", "rc5", "idea", "cast",
"blowfish", "3idea", "1des-iv32", "rc4", "null", "aes"
@@ -554,6 +695,17 @@
{ "privalg", 0, { NULL } },
};
+const struct attrmap encr_t_map[] = {
+ { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 0, 1 */
+ { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 2, 3 */
+ { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 4, 5 */
+ { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 6, 7 */
+ { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 8, 9 */
+ { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 10,11*/
+ { NULL, 0, { NULL } }, { NULL, 0, { NULL } }, /* 12,13*/
+ { "keylen", 14, { NULL }},
+};
+
const struct attrmap oakley_t_map[] = {
{ NULL, 0, { NULL } },
{ "enc", 8, { NULL, "1des", "idea", "blowfish", "rc5",
@@ -592,27 +744,28 @@
};
static const u_char *
-isakmp_t_print(const struct isakmp_gen *ext, u_int item_len,
- const u_char *ep, u_int32_t phase _U_, u_int32_t doi _U_,
- u_int32_t proto, int depth _U_)
+ikev1_t_print(netdissect_options *ndo, u_char tpay _U_,
+ const struct isakmp_gen *ext, u_int item_len,
+ const u_char *ep, u_int32_t phase _U_, u_int32_t doi _U_,
+ u_int32_t proto, int depth _U_)
{
- const struct isakmp_pl_t *p;
- struct isakmp_pl_t t;
+ const struct ikev1_pl_t *p;
+ struct ikev1_pl_t t;
const u_char *cp;
const char *idstr;
const struct attrmap *map;
size_t nmap;
const u_char *ep2;
- printf("%s:", NPSTR(ISAKMP_NPTYPE_T));
+ ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_T)));
- p = (struct isakmp_pl_t *)ext;
- TCHECK(*p);
+ p = (struct ikev1_pl_t *)ext;
+ ND_TCHECK(*p);
safememcpy(&t, ext, sizeof(t));
switch (proto) {
case 1:
- idstr = STR_OR_ID(t.t_id, isakmp_p_map);
+ idstr = STR_OR_ID(t.t_id, ikev1_p_map);
map = oakley_t_map;
nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]);
break;
@@ -639,57 +792,59 @@
}
if (idstr)
- printf(" #%d id=%s ", t.t_no, idstr);
+ ND_PRINT((ndo," #%d id=%s ", t.t_no, idstr));
else
- printf(" #%d id=%d ", t.t_no, t.t_id);
+ ND_PRINT((ndo," #%d id=%d ", t.t_no, t.t_id));
cp = (u_char *)(p + 1);
ep2 = (u_char *)p + item_len;
while (cp < ep && cp < ep2) {
if (map && nmap) {
- cp = isakmp_attrmap_print(cp, (ep < ep2) ? ep : ep2,
+ cp = ikev1_attrmap_print(ndo, cp, (ep < ep2) ? ep : ep2,
map, nmap);
} else
- cp = isakmp_attr_print(cp, (ep < ep2) ? ep : ep2);
+ cp = ikev1_attr_print(ndo, cp, (ep < ep2) ? ep : ep2);
}
if (ep < ep2)
- printf("...");
+ ND_PRINT((ndo,"..."));
return cp;
trunc:
- printf(" [|%s]", NPSTR(ISAKMP_NPTYPE_T));
+ ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_T)));
return NULL;
}
static const u_char *
-isakmp_ke_print(const struct isakmp_gen *ext, u_int item_len _U_,
- const u_char *ep _U_, u_int32_t phase _U_, u_int32_t doi _U_,
- u_int32_t proto _U_, int depth _U_)
+ikev1_ke_print(netdissect_options *ndo, u_char tpay _U_,
+ const struct isakmp_gen *ext, u_int item_len _U_,
+ const u_char *ep _U_, u_int32_t phase _U_, u_int32_t doi _U_,
+ u_int32_t proto _U_, int depth _U_)
{
struct isakmp_gen e;
- printf("%s:", NPSTR(ISAKMP_NPTYPE_KE));
+ ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_KE)));
- TCHECK(*ext);
+ ND_TCHECK(*ext);
safememcpy(&e, ext, sizeof(e));
- printf(" key len=%d", ntohs(e.len) - 4);
- if (2 < vflag && 4 < ntohs(e.len)) {
- printf(" ");
- if (!rawprint((caddr_t)(ext + 1), ntohs(e.len) - 4))
+ ND_PRINT((ndo," key len=%d", ntohs(e.len) - 4));
+ if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
+ ND_PRINT((ndo," "));
+ if (!rawprint(ndo, (caddr_t)(ext + 1), ntohs(e.len) - 4))
goto trunc;
}
return (u_char *)ext + ntohs(e.len);
trunc:
- printf(" [|%s]", NPSTR(ISAKMP_NPTYPE_KE));
+ ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_KE)));
return NULL;
}
static const u_char *
-isakmp_id_print(const struct isakmp_gen *ext, u_int item_len _U_,
- const u_char *ep _U_, u_int32_t phase, u_int32_t doi _U_,
- u_int32_t proto _U_, int depth _U_)
+ikev1_id_print(netdissect_options *ndo, u_char tpay _U_,
+ const struct isakmp_gen *ext, u_int item_len _U_,
+ const u_char *ep _U_, u_int32_t phase, u_int32_t doi _U_,
+ u_int32_t proto _U_, int depth _U_)
{
#define USE_IPSECDOI_IN_PHASE1 1
- const struct isakmp_pl_id *p;
- struct isakmp_pl_id id;
+ const struct ikev1_pl_id *p;
+ struct ikev1_pl_id id;
static const char *idtypestr[] = {
"IPv4", "IPv4net", "IPv6", "IPv6net",
};
@@ -701,10 +856,10 @@
int len;
const u_char *data;
- printf("%s:", NPSTR(ISAKMP_NPTYPE_ID));
+ ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_ID)));
- p = (struct isakmp_pl_id *)ext;
- TCHECK(*p);
+ p = (struct ikev1_pl_id *)ext;
+ ND_TCHECK(*p);
safememcpy(&id, ext, sizeof(id));
if (sizeof(*p) < item_len) {
data = (u_char *)(p + 1);
@@ -715,16 +870,16 @@
}
#if 0 /*debug*/
- printf(" [phase=%d doi=%d proto=%d]", phase, doi, proto);
+ ND_PRINT((ndo," [phase=%d doi=%d proto=%d]", phase, doi, proto));
#endif
switch (phase) {
#ifndef USE_IPSECDOI_IN_PHASE1
case 1:
#endif
default:
- printf(" idtype=%s", STR_OR_ID(id.d.id_type, idtypestr));
- printf(" doi_data=%u",
- (u_int32_t)(ntohl(id.d.doi_data) & 0xffffff));
+ ND_PRINT((ndo," idtype=%s", STR_OR_ID(id.d.id_type, idtypestr)));
+ ND_PRINT((ndo," doi_data=%u",
+ (u_int32_t)(ntohl(id.d.doi_data) & 0xffffff)));
break;
#ifdef USE_IPSECDOI_IN_PHASE1
@@ -737,42 +892,42 @@
struct protoent *pe;
p = (struct ipsecdoi_id *)ext;
- TCHECK(*p);
+ ND_TCHECK(*p);
safememcpy(&id, ext, sizeof(id));
- printf(" idtype=%s", STR_OR_ID(id.type, ipsecidtypestr));
+ ND_PRINT((ndo," idtype=%s", STR_OR_ID(id.type, ipsecidtypestr)));
if (id.proto_id) {
#ifndef WIN32
setprotoent(1);
#endif /* WIN32 */
pe = getprotobynumber(id.proto_id);
if (pe)
- printf(" protoid=%s", pe->p_name);
+ ND_PRINT((ndo," protoid=%s", pe->p_name));
#ifndef WIN32
endprotoent();
#endif /* WIN32 */
} else {
/* it DOES NOT mean IPPROTO_IP! */
- printf(" protoid=%s", "0");
+ ND_PRINT((ndo," protoid=%s", "0"));
}
- printf(" port=%d", ntohs(id.port));
+ ND_PRINT((ndo," port=%d", ntohs(id.port)));
if (!len)
break;
if (data == NULL)
goto trunc;
- TCHECK2(*data, len);
+ ND_TCHECK2(*data, len);
switch (id.type) {
case IPSECDOI_ID_IPV4_ADDR:
if (len < 4)
- printf(" len=%d [bad: < 4]", len);
+ ND_PRINT((ndo," len=%d [bad: < 4]", len));
else
- printf(" len=%d %s", len, ipaddr_string(data));
+ ND_PRINT((ndo," len=%d %s", len, ipaddr_string(data)));
len = 0;
break;
case IPSECDOI_ID_FQDN:
case IPSECDOI_ID_USER_FQDN:
{
int i;
- printf(" len=%d ", len);
+ ND_PRINT((ndo," len=%d ", len));
for (i = 0; i < len; i++)
safeputchar(data[i]);
len = 0;
@@ -782,12 +937,12 @@
{
const u_char *mask;
if (len < 8)
- printf(" len=%d [bad: < 8]", len);
+ ND_PRINT((ndo," len=%d [bad: < 8]", len));
else {
mask = data + sizeof(struct in_addr);
- printf(" len=%d %s/%u.%u.%u.%u", len,
- ipaddr_string(data),
- mask[0], mask[1], mask[2], mask[3]);
+ ND_PRINT((ndo," len=%d %s/%u.%u.%u.%u", len,
+ ipaddr_string(data),
+ mask[0], mask[1], mask[2], mask[3]));
}
len = 0;
break;
@@ -795,22 +950,22 @@
#ifdef INET6
case IPSECDOI_ID_IPV6_ADDR:
if (len < 16)
- printf(" len=%d [bad: < 16]", len);
+ ND_PRINT((ndo," len=%d [bad: < 16]", len));
else
- printf(" len=%d %s", len, ip6addr_string(data));
+ ND_PRINT((ndo," len=%d %s", len, ip6addr_string(data)));
len = 0;
break;
case IPSECDOI_ID_IPV6_ADDR_SUBNET:
{
const u_int32_t *mask;
if (len < 20)
- printf(" len=%d [bad: < 20]", len);
+ ND_PRINT((ndo," len=%d [bad: < 20]", len));
else {
mask = (u_int32_t *)(data + sizeof(struct in6_addr));
/*XXX*/
- printf(" len=%d %s/0x%08x%08x%08x%08x", len,
- ip6addr_string(data),
- mask[0], mask[1], mask[2], mask[3]);
+ ND_PRINT((ndo," len=%d %s/0x%08x%08x%08x%08x", len,
+ ip6addr_string(data),
+ mask[0], mask[1], mask[2], mask[3]));
}
len = 0;
break;
@@ -818,22 +973,22 @@
#endif /*INET6*/
case IPSECDOI_ID_IPV4_ADDR_RANGE:
if (len < 8)
- printf(" len=%d [bad: < 8]", len);
+ ND_PRINT((ndo," len=%d [bad: < 8]", len));
else {
- printf(" len=%d %s-%s", len,
- ipaddr_string(data),
- ipaddr_string(data + sizeof(struct in_addr)));
+ ND_PRINT((ndo," len=%d %s-%s", len,
+ ipaddr_string(data),
+ ipaddr_string(data + sizeof(struct in_addr))));
}
len = 0;
break;
#ifdef INET6
case IPSECDOI_ID_IPV6_ADDR_RANGE:
if (len < 32)
- printf(" len=%d [bad: < 32]", len);
+ ND_PRINT((ndo," len=%d [bad: < 32]", len));
else {
- printf(" len=%d %s-%s", len,
- ip6addr_string(data),
- ip6addr_string(data + sizeof(struct in6_addr)));
+ ND_PRINT((ndo," len=%d %s-%s", len,
+ ip6addr_string(data),
+ ip6addr_string(data + sizeof(struct in6_addr))));
}
len = 0;
break;
@@ -847,159 +1002,169 @@
}
}
if (data && len) {
- printf(" len=%d", len);
- if (2 < vflag) {
- printf(" ");
- if (!rawprint((caddr_t)data, len))
+ ND_PRINT((ndo," len=%d", len));
+ if (2 < ndo->ndo_vflag) {
+ ND_PRINT((ndo," "));
+ if (!rawprint(ndo, (caddr_t)data, len))
goto trunc;
}
}
return (u_char *)ext + item_len;
trunc:
- printf(" [|%s]", NPSTR(ISAKMP_NPTYPE_ID));
+ ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_ID)));
return NULL;
}
static const u_char *
-isakmp_cert_print(const struct isakmp_gen *ext, u_int item_len _U_,
- const u_char *ep _U_, u_int32_t phase _U_,
- u_int32_t doi0 _U_,
- u_int32_t proto0 _U_, int depth _U_)
+ikev1_cert_print(netdissect_options *ndo, u_char tpay _U_,
+ const struct isakmp_gen *ext, u_int item_len _U_,
+ const u_char *ep _U_, u_int32_t phase _U_,
+ u_int32_t doi0 _U_,
+ u_int32_t proto0 _U_, int depth _U_)
{
- const struct isakmp_pl_cert *p;
- struct isakmp_pl_cert cert;
+ const struct ikev1_pl_cert *p;
+ struct ikev1_pl_cert cert;
static const char *certstr[] = {
"none", "pkcs7", "pgp", "dns",
"x509sign", "x509ke", "kerberos", "crl",
"arl", "spki", "x509attr",
};
- printf("%s:", NPSTR(ISAKMP_NPTYPE_CERT));
+ ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_CERT)));
- p = (struct isakmp_pl_cert *)ext;
- TCHECK(*p);
+ p = (struct ikev1_pl_cert *)ext;
+ ND_TCHECK(*p);
safememcpy(&cert, ext, sizeof(cert));
- printf(" len=%d", item_len - 4);
- printf(" type=%s", STR_OR_ID((cert.encode), certstr));
- if (2 < vflag && 4 < item_len) {
- printf(" ");
- if (!rawprint((caddr_t)(ext + 1), item_len - 4))
+ ND_PRINT((ndo," len=%d", item_len - 4));
+ ND_PRINT((ndo," type=%s", STR_OR_ID((cert.encode), certstr)));
+ if (2 < ndo->ndo_vflag && 4 < item_len) {
+ ND_PRINT((ndo," "));
+ if (!rawprint(ndo, (caddr_t)(ext + 1), item_len - 4))
goto trunc;
}
return (u_char *)ext + item_len;
trunc:
- printf(" [|%s]", NPSTR(ISAKMP_NPTYPE_CERT));
+ ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_CERT)));
return NULL;
}
static const u_char *
-isakmp_cr_print(const struct isakmp_gen *ext, u_int item_len _U_,
- const u_char *ep _U_, u_int32_t phase _U_, u_int32_t doi0 _U_,
- u_int32_t proto0 _U_, int depth _U_)
+ikev1_cr_print(netdissect_options *ndo, u_char tpay _U_,
+ const struct isakmp_gen *ext, u_int item_len _U_,
+ const u_char *ep _U_, u_int32_t phase _U_, u_int32_t doi0 _U_,
+ u_int32_t proto0 _U_, int depth _U_)
{
- const struct isakmp_pl_cert *p;
- struct isakmp_pl_cert cert;
+ const struct ikev1_pl_cert *p;
+ struct ikev1_pl_cert cert;
static const char *certstr[] = {
"none", "pkcs7", "pgp", "dns",
"x509sign", "x509ke", "kerberos", "crl",
"arl", "spki", "x509attr",
};
- printf("%s:", NPSTR(ISAKMP_NPTYPE_CR));
+ ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_CR)));
- p = (struct isakmp_pl_cert *)ext;
- TCHECK(*p);
+ p = (struct ikev1_pl_cert *)ext;
+ ND_TCHECK(*p);
safememcpy(&cert, ext, sizeof(cert));
- printf(" len=%d", item_len - 4);
- printf(" type=%s", STR_OR_ID((cert.encode), certstr));
- if (2 < vflag && 4 < item_len) {
- printf(" ");
- if (!rawprint((caddr_t)(ext + 1), item_len - 4))
+ ND_PRINT((ndo," len=%d", item_len - 4));
+ ND_PRINT((ndo," type=%s", STR_OR_ID((cert.encode), certstr)));
+ if (2 < ndo->ndo_vflag && 4 < item_len) {
+ ND_PRINT((ndo," "));
+ if (!rawprint(ndo, (caddr_t)(ext + 1), item_len - 4))
goto trunc;
}
return (u_char *)ext + item_len;
trunc:
- printf(" [|%s]", NPSTR(ISAKMP_NPTYPE_CR));
+ ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_CR)));
return NULL;
}
static const u_char *
-isakmp_hash_print(const struct isakmp_gen *ext, u_int item_len _U_,
- const u_char *ep _U_, u_int32_t phase _U_, u_int32_t doi _U_,
- u_int32_t proto _U_, int depth _U_)
+ikev1_hash_print(netdissect_options *ndo, u_char tpay _U_,
+ const struct isakmp_gen *ext, u_int item_len _U_,
+ const u_char *ep _U_, u_int32_t phase _U_, u_int32_t doi _U_,
+ u_int32_t proto _U_, int depth _U_)
{
struct isakmp_gen e;
- printf("%s:", NPSTR(ISAKMP_NPTYPE_HASH));
+ ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_HASH)));
- TCHECK(*ext);
+ ND_TCHECK(*ext);
safememcpy(&e, ext, sizeof(e));
- printf(" len=%d", ntohs(e.len) - 4);
- if (2 < vflag && 4 < ntohs(e.len)) {
- printf(" ");
- if (!rawprint((caddr_t)(ext + 1), ntohs(e.len) - 4))
+ ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
+ if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
+ ND_PRINT((ndo," "));
+ if (!rawprint(ndo, (caddr_t)(ext + 1), ntohs(e.len) - 4))
goto trunc;
}
return (u_char *)ext + ntohs(e.len);
trunc:
- printf(" [|%s]", NPSTR(ISAKMP_NPTYPE_HASH));
+ ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_HASH)));
return NULL;
}
static const u_char *
-isakmp_sig_print(const struct isakmp_gen *ext, u_int item_len _U_,
- const u_char *ep _U_, u_int32_t phase _U_, u_int32_t doi _U_,
- u_int32_t proto _U_, int depth _U_)
+ikev1_sig_print(netdissect_options *ndo, u_char tpay _U_,
+ const struct isakmp_gen *ext, u_int item_len _U_,
+ const u_char *ep _U_, u_int32_t phase _U_, u_int32_t doi _U_,
+ u_int32_t proto _U_, int depth _U_)
{
struct isakmp_gen e;
- printf("%s:", NPSTR(ISAKMP_NPTYPE_SIG));
+ ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_SIG)));
- TCHECK(*ext);
+ ND_TCHECK(*ext);
safememcpy(&e, ext, sizeof(e));
- printf(" len=%d", ntohs(e.len) - 4);
- if (2 < vflag && 4 < ntohs(e.len)) {
- printf(" ");
- if (!rawprint((caddr_t)(ext + 1), ntohs(e.len) - 4))
+ ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
+ if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
+ ND_PRINT((ndo," "));
+ if (!rawprint(ndo, (caddr_t)(ext + 1), ntohs(e.len) - 4))
goto trunc;
}
return (u_char *)ext + ntohs(e.len);
trunc:
- printf(" [|%s]", NPSTR(ISAKMP_NPTYPE_SIG));
+ ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_SIG)));
return NULL;
}
static const u_char *
-isakmp_nonce_print(const struct isakmp_gen *ext,
- u_int item_len _U_,
- const u_char *ep _U_,
- u_int32_t phase _U_, u_int32_t doi _U_,
- u_int32_t proto _U_, int depth _U_)
+ikev1_nonce_print(netdissect_options *ndo, u_char tpay _U_,
+ const struct isakmp_gen *ext,
+ u_int item_len _U_,
+ const u_char *ep _U_,
+ u_int32_t phase _U_, u_int32_t doi _U_,
+ u_int32_t proto _U_, int depth _U_)
{
struct isakmp_gen e;
- printf("%s:", NPSTR(ISAKMP_NPTYPE_NONCE));
+ ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_NONCE)));
- TCHECK(*ext);
+ ND_TCHECK(*ext);
safememcpy(&e, ext, sizeof(e));
- printf(" n len=%d", ntohs(e.len) - 4);
- if (2 < vflag && 4 < ntohs(e.len)) {
- printf(" ");
- if (!rawprint((caddr_t)(ext + 1), ntohs(e.len) - 4))
+ ND_PRINT((ndo," n len=%d", ntohs(e.len) - 4));
+ if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
+ ND_PRINT((ndo," "));
+ if (!rawprint(ndo, (caddr_t)(ext + 1), ntohs(e.len) - 4))
+ goto trunc;
+ } else if (1 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
+ ND_PRINT((ndo," "));
+ if (!ike_show_somedata(ndo, (u_char *)(caddr_t)(ext + 1), ep))
goto trunc;
}
return (u_char *)ext + ntohs(e.len);
trunc:
- printf(" [|%s]", NPSTR(ISAKMP_NPTYPE_NONCE));
+ ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_NONCE)));
return NULL;
}
static const u_char *
-isakmp_n_print(const struct isakmp_gen *ext, u_int item_len,
- const u_char *ep, u_int32_t phase, u_int32_t doi0 _U_,
- u_int32_t proto0 _U_, int depth)
+ikev1_n_print(netdissect_options *ndo, u_char tpay _U_,
+ const struct isakmp_gen *ext, u_int item_len,
+ const u_char *ep, u_int32_t phase, u_int32_t doi0 _U_,
+ u_int32_t proto0 _U_, int depth)
{
- struct isakmp_pl_n *p, n;
+ struct ikev1_pl_n *p, n;
const u_char *cp;
u_char *ep2;
u_int32_t doi;
@@ -1050,47 +1215,47 @@
#define IPSEC_NOTIFY_STATUS_STR(x) \
STR_OR_ID((u_int)((x) - 24576), ipsec_notify_status_str)
- printf("%s:", NPSTR(ISAKMP_NPTYPE_N));
+ ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_N)));
- p = (struct isakmp_pl_n *)ext;
- TCHECK(*p);
+ p = (struct ikev1_pl_n *)ext;
+ ND_TCHECK(*p);
safememcpy(&n, ext, sizeof(n));
doi = ntohl(n.doi);
proto = n.prot_id;
if (doi != 1) {
- printf(" doi=%d", doi);
- printf(" proto=%d", proto);
+ ND_PRINT((ndo," doi=%d", doi));
+ ND_PRINT((ndo," proto=%d", proto));
if (ntohs(n.type) < 8192)
- printf(" type=%s", NOTIFY_ERROR_STR(ntohs(n.type)));
+ ND_PRINT((ndo," type=%s", NOTIFY_ERROR_STR(ntohs(n.type))));
else if (ntohs(n.type) < 16384)
- printf(" type=%s", numstr(ntohs(n.type)));
+ ND_PRINT((ndo," type=%s", numstr(ntohs(n.type))));
else if (ntohs(n.type) < 24576)
- printf(" type=%s", NOTIFY_STATUS_STR(ntohs(n.type)));
+ ND_PRINT((ndo," type=%s", NOTIFY_STATUS_STR(ntohs(n.type))));
else
- printf(" type=%s", numstr(ntohs(n.type)));
+ ND_PRINT((ndo," type=%s", numstr(ntohs(n.type))));
if (n.spi_size) {
- printf(" spi=");
- if (!rawprint((caddr_t)(p + 1), n.spi_size))
+ ND_PRINT((ndo," spi="));
+ if (!rawprint(ndo, (caddr_t)(p + 1), n.spi_size))
goto trunc;
}
return (u_char *)(p + 1) + n.spi_size;
}
- printf(" doi=ipsec");
- printf(" proto=%s", PROTOIDSTR(proto));
+ ND_PRINT((ndo," doi=ipsec"));
+ ND_PRINT((ndo," proto=%s", PROTOIDSTR(proto)));
if (ntohs(n.type) < 8192)
- printf(" type=%s", NOTIFY_ERROR_STR(ntohs(n.type)));
+ ND_PRINT((ndo," type=%s", NOTIFY_ERROR_STR(ntohs(n.type))));
else if (ntohs(n.type) < 16384)
- printf(" type=%s", IPSEC_NOTIFY_ERROR_STR(ntohs(n.type)));
+ ND_PRINT((ndo," type=%s", IPSEC_NOTIFY_ERROR_STR(ntohs(n.type))));
else if (ntohs(n.type) < 24576)
- printf(" type=%s", NOTIFY_STATUS_STR(ntohs(n.type)));
+ ND_PRINT((ndo," type=%s", NOTIFY_STATUS_STR(ntohs(n.type))));
else if (ntohs(n.type) < 32768)
- printf(" type=%s", IPSEC_NOTIFY_STATUS_STR(ntohs(n.type)));
+ ND_PRINT((ndo," type=%s", IPSEC_NOTIFY_STATUS_STR(ntohs(n.type))));
else
- printf(" type=%s", numstr(ntohs(n.type)));
+ ND_PRINT((ndo," type=%s", numstr(ntohs(n.type))));
if (n.spi_size) {
- printf(" spi=");
- if (!rawprint((caddr_t)(p + 1), n.spi_size))
+ ND_PRINT((ndo," spi="));
+ if (!rawprint(ndo, (caddr_t)(p + 1), n.spi_size))
goto trunc;
}
@@ -1098,119 +1263,712 @@
ep2 = (u_char *)p + item_len;
if (cp < ep) {
- printf(" orig=(");
+ ND_PRINT((ndo," orig=("));
switch (ntohs(n.type)) {
case IPSECDOI_NTYPE_RESPONDER_LIFETIME:
{
const struct attrmap *map = oakley_t_map;
size_t nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]);
while (cp < ep && cp < ep2) {
- cp = isakmp_attrmap_print(cp,
+ cp = ikev1_attrmap_print(ndo, cp,
(ep < ep2) ? ep : ep2, map, nmap);
}
break;
}
case IPSECDOI_NTYPE_REPLAY_STATUS:
- printf("replay detection %sabled",
- (*(u_int32_t *)cp) ? "en" : "dis");
+ ND_PRINT((ndo,"replay detection %sabled",
+ (*(u_int32_t *)cp) ? "en" : "dis"));
break;
case ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN:
- if (isakmp_sub_print(ISAKMP_NPTYPE_SA,
- (struct isakmp_gen *)cp, ep, phase, doi, proto,
- depth) == NULL)
+ if (ikev1_sub_print(ndo, ISAKMP_NPTYPE_SA,
+ (struct isakmp_gen *)cp, ep, phase, doi, proto,
+ depth) == NULL)
return NULL;
break;
default:
/* NULL is dummy */
- isakmp_print(gndo, cp,
+ isakmp_print(ndo, cp,
item_len - sizeof(*p) - n.spi_size,
NULL);
}
- printf(")");
+ ND_PRINT((ndo,")"));
}
return (u_char *)ext + item_len;
trunc:
- printf(" [|%s]", NPSTR(ISAKMP_NPTYPE_N));
+ ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_N)));
return NULL;
}
static const u_char *
-isakmp_d_print(const struct isakmp_gen *ext, u_int item_len _U_,
- const u_char *ep _U_, u_int32_t phase _U_, u_int32_t doi0 _U_,
- u_int32_t proto0 _U_, int depth _U_)
+ikev1_d_print(netdissect_options *ndo, u_char tpay _U_,
+ const struct isakmp_gen *ext, u_int item_len _U_,
+ const u_char *ep _U_, u_int32_t phase _U_, u_int32_t doi0 _U_,
+ u_int32_t proto0 _U_, int depth _U_)
{
- const struct isakmp_pl_d *p;
- struct isakmp_pl_d d;
+ const struct ikev1_pl_d *p;
+ struct ikev1_pl_d d;
const u_int8_t *q;
u_int32_t doi;
u_int32_t proto;
int i;
- printf("%s:", NPSTR(ISAKMP_NPTYPE_D));
+ ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_D)));
- p = (struct isakmp_pl_d *)ext;
- TCHECK(*p);
+ p = (struct ikev1_pl_d *)ext;
+ ND_TCHECK(*p);
safememcpy(&d, ext, sizeof(d));
doi = ntohl(d.doi);
proto = d.prot_id;
if (doi != 1) {
- printf(" doi=%u", doi);
- printf(" proto=%u", proto);
+ ND_PRINT((ndo," doi=%u", doi));
+ ND_PRINT((ndo," proto=%u", proto));
} else {
- printf(" doi=ipsec");
- printf(" proto=%s", PROTOIDSTR(proto));
+ ND_PRINT((ndo," doi=ipsec"));
+ ND_PRINT((ndo," proto=%s", PROTOIDSTR(proto)));
}
- printf(" spilen=%u", d.spi_size);
- printf(" nspi=%u", ntohs(d.num_spi));
- printf(" spi=");
+ ND_PRINT((ndo," spilen=%u", d.spi_size));
+ ND_PRINT((ndo," nspi=%u", ntohs(d.num_spi)));
+ ND_PRINT((ndo," spi="));
q = (u_int8_t *)(p + 1);
for (i = 0; i < ntohs(d.num_spi); i++) {
if (i != 0)
- printf(",");
- if (!rawprint((caddr_t)q, d.spi_size))
+ ND_PRINT((ndo,","));
+ if (!rawprint(ndo, (caddr_t)q, d.spi_size))
goto trunc;
q += d.spi_size;
}
return q;
trunc:
- printf(" [|%s]", NPSTR(ISAKMP_NPTYPE_D));
+ ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_D)));
return NULL;
}
static const u_char *
-isakmp_vid_print(const struct isakmp_gen *ext,
- u_int item_len _U_, const u_char *ep _U_,
- u_int32_t phase _U_, u_int32_t doi _U_,
- u_int32_t proto _U_, int depth _U_)
+ikev1_vid_print(netdissect_options *ndo, u_char tpay _U_,
+ const struct isakmp_gen *ext,
+ u_int item_len _U_, const u_char *ep _U_,
+ u_int32_t phase _U_, u_int32_t doi _U_,
+ u_int32_t proto _U_, int depth _U_)
{
struct isakmp_gen e;
- printf("%s:", NPSTR(ISAKMP_NPTYPE_VID));
+ ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_VID)));
+
+ ND_TCHECK(*ext);
+ safememcpy(&e, ext, sizeof(e));
+ ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
+ if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
+ ND_PRINT((ndo," "));
+ if (!rawprint(ndo, (caddr_t)(ext + 1), ntohs(e.len) - 4))
+ goto trunc;
+ }
+ return (u_char *)ext + ntohs(e.len);
+trunc:
+ ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_VID)));
+ return NULL;
+}
+
+/************************************************************/
+/* */
+/* IKE v2 - rfc4306 - dissector */
+/* */
+/************************************************************/
+
+static void
+ikev2_pay_print(netdissect_options *ndo, const char *payname, int critical)
+{
+ ND_PRINT((ndo,"%s%s:", payname, critical&0x80 ? "[C]" : ""));
+}
+
+static const u_char *
+ikev2_gen_print(netdissect_options *ndo, u_char tpay,
+ const struct isakmp_gen *ext)
+{
+ struct isakmp_gen e;
+
+ ND_TCHECK(*ext);
+ safememcpy(&e, ext, sizeof(e));
+ ikev2_pay_print(ndo, NPSTR(tpay), e.critical);
+
+ ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
+ if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
+ ND_PRINT((ndo," "));
+ if (!rawprint(ndo, (caddr_t)(ext + 1), ntohs(e.len) - 4))
+ goto trunc;
+ }
+ return (u_char *)ext + ntohs(e.len);
+trunc:
+ ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
+ return NULL;
+}
+
+static const u_char *
+ikev2_t_print(netdissect_options *ndo, u_char tpay _U_, int pcount,
+ const struct isakmp_gen *ext, u_int item_len,
+ const u_char *ep, u_int32_t phase _U_, u_int32_t doi _U_,
+ u_int32_t proto _U_, int depth _U_)
+{
+ const struct ikev2_t *p;
+ struct ikev2_t t;
+ u_int16_t t_id;
+ const u_char *cp;
+ const char *idstr;
+ const struct attrmap *map;
+ size_t nmap;
+ const u_char *ep2;
+
+ p = (struct ikev2_t *)ext;
+ ND_TCHECK(*p);
+ safememcpy(&t, ext, sizeof(t));
+ ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_T), t.h.critical);
+
+ t_id = ntohs(t.t_id);
+
+ map = NULL;
+ nmap = 0;
+
+ switch (t.t_type) {
+ case IV2_T_ENCR:
+ idstr = STR_OR_ID(t_id, esp_p_map);
+ map = encr_t_map;
+ nmap = sizeof(encr_t_map)/sizeof(encr_t_map[0]);
+ break;
+
+ case IV2_T_PRF:
+ idstr = STR_OR_ID(t_id, prf_p_map);
+ break;
+
+ case IV2_T_INTEG:
+ idstr = STR_OR_ID(t_id, integ_p_map);
+ break;
+
+ case IV2_T_DH:
+ idstr = STR_OR_ID(t_id, dh_p_map);
+ break;
+
+ case IV2_T_ESN:
+ idstr = STR_OR_ID(t_id, esn_p_map);
+ break;
+
+ default:
+ idstr = NULL;
+ break;
+ }
+
+ if (idstr)
+ ND_PRINT((ndo," #%u type=%s id=%s ", pcount,
+ STR_OR_ID(t.t_type, ikev2_t_type_map),
+ idstr));
+ else
+ ND_PRINT((ndo," #%u type=%s id=%u ", pcount,
+ STR_OR_ID(t.t_type, ikev2_t_type_map),
+ t.t_id));
+ cp = (u_char *)(p + 1);
+ ep2 = (u_char *)p + item_len;
+ while (cp < ep && cp < ep2) {
+ if (map && nmap) {
+ cp = ikev1_attrmap_print(ndo, cp, (ep < ep2) ? ep : ep2,
+ map, nmap);
+ } else
+ cp = ikev1_attr_print(ndo, cp, (ep < ep2) ? ep : ep2);
+ }
+ if (ep < ep2)
+ ND_PRINT((ndo,"..."));
+ return cp;
+trunc:
+ ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_T)));
+ return NULL;
+}
+
+static const u_char *
+ikev2_p_print(netdissect_options *ndo, u_char tpay _U_, int pcount _U_,
+ const struct isakmp_gen *ext, u_int item_len _U_,
+ const u_char *ep, u_int32_t phase, u_int32_t doi0,
+ u_int32_t proto0 _U_, int depth)
+{
+ const struct ikev2_p *p;
+ struct ikev2_p prop;
+ const u_char *cp;
+
+ p = (struct ikev2_p *)ext;
+ ND_TCHECK(*p);
+ safememcpy(&prop, ext, sizeof(prop));
+ ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_P), prop.h.critical);
+
+ ND_PRINT((ndo," #%u protoid=%s transform=%d",
+ prop.p_no, PROTOIDSTR(prop.prot_id), prop.num_t));
+ if (prop.spi_size) {
+ ND_PRINT((ndo," spi="));
+ if (!rawprint(ndo, (caddr_t)(p + 1), prop.spi_size))
+ goto trunc;
+ }
+
+ ext = (struct isakmp_gen *)((u_char *)(p + 1) + prop.spi_size);
+ ND_TCHECK(*ext);
+
+ cp = ikev2_sub_print(ndo, ISAKMP_NPTYPE_T, ext, ep, phase, doi0,
+ prop.prot_id, depth);
+
+ return cp;
+trunc:
+ ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_P)));
+ return NULL;
+}
+
+static const u_char *
+ikev2_sa_print(netdissect_options *ndo, u_char tpay,
+ const struct isakmp_gen *ext1,
+ u_int item_len _U_, const u_char *ep _U_,
+ u_int32_t phase _U_, u_int32_t doi _U_,
+ u_int32_t proto _U_, int depth _U_)
+{
+ struct isakmp_gen e;
+ int osa_len, sa_len;
+
+ ND_TCHECK(*ext1);
+ safememcpy(&e, ext1, sizeof(e));
+ ikev2_pay_print(ndo, "sa", e.critical);
+
+ osa_len= ntohs(e.len);
+ sa_len = osa_len - 4;
+ ND_PRINT((ndo," len=%d", sa_len));
+
+ ikev2_sub_print(ndo, ISAKMP_NPTYPE_P,
+ ext1+1, ep,
+ 0, 0, 0, depth);
+
+ return (u_char *)ext1 + osa_len;
+trunc:
+ ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
+ return NULL;
+}
+
+static const u_char *
+ikev2_ke_print(netdissect_options *ndo, u_char tpay,
+ const struct isakmp_gen *ext,
+ u_int item_len _U_, const u_char *ep _U_,
+ u_int32_t phase _U_, u_int32_t doi _U_,
+ u_int32_t proto _U_, int depth _U_)
+{
+ struct ikev2_ke ke;
+ struct ikev2_ke *k;
+
+ k = (struct ikev2_ke *)ext;
+ ND_TCHECK(*ext);
+ safememcpy(&ke, ext, sizeof(ke));
+ ikev2_pay_print(ndo, NPSTR(tpay), ke.h.critical);
+
+ ND_PRINT((ndo," len=%u group=%s", ntohs(ke.h.len) - 8,
+ STR_OR_ID(ntohs(ke.ke_group), dh_p_map)));
+
+ if (2 < ndo->ndo_vflag && 8 < ntohs(ke.h.len)) {
+ ND_PRINT((ndo," "));
+ if (!rawprint(ndo, (caddr_t)(k + 1), ntohs(ke.h.len) - 8))
+ goto trunc;
+ }
+ return (u_char *)ext + ntohs(ke.h.len);
+trunc:
+ ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
+ return NULL;
+}
+
+static const u_char *
+ikev2_ID_print(netdissect_options *ndo, u_char tpay,
+ const struct isakmp_gen *ext,
+ u_int item_len _U_, const u_char *ep _U_,
+ u_int32_t phase _U_, u_int32_t doi _U_,
+ u_int32_t proto _U_, int depth _U_)
+{
+ return ikev2_gen_print(ndo, tpay, ext);
+}
+
+static const u_char *
+ikev2_cert_print(netdissect_options *ndo, u_char tpay,
+ const struct isakmp_gen *ext,
+ u_int item_len _U_, const u_char *ep _U_,
+ u_int32_t phase _U_, u_int32_t doi _U_,
+ u_int32_t proto _U_, int depth _U_)
+{
+ return ikev2_gen_print(ndo, tpay, ext);
+}
+
+static const u_char *
+ikev2_cr_print(netdissect_options *ndo, u_char tpay,
+ const struct isakmp_gen *ext,
+ u_int item_len _U_, const u_char *ep _U_,
+ u_int32_t phase _U_, u_int32_t doi _U_,
+ u_int32_t proto _U_, int depth _U_)
+{
+ return ikev2_gen_print(ndo, tpay, ext);
+}
+
+static const u_char *
+ikev2_auth_print(netdissect_options *ndo, u_char tpay,
+ const struct isakmp_gen *ext,
+ u_int item_len _U_, const u_char *ep _U_,
+ u_int32_t phase _U_, u_int32_t doi _U_,
+ u_int32_t proto _U_, int depth _U_)
+{
+ struct ikev2_auth e;
+ const char *v2_auth[]={ "invalid", "rsasig",
+ "shared-secret", "dsssig" };
+
+ ND_TCHECK(*ext);
+ safememcpy(&e, ext, sizeof(e));
+ ikev2_pay_print(ndo, NPSTR(tpay), e.h.critical);
+
+ ND_PRINT((ndo," len=%d method=%s", ntohs(e.h.len) - 4,
+ STR_OR_ID(e.auth_method, v2_auth)));
+
+ if (1 < ndo->ndo_vflag && 4 < ntohs(e.h.len)) {
+ ND_PRINT((ndo," authdata=("));
+ if (!rawprint(ndo, (caddr_t)(ext + 1), ntohs(e.h.len) - 4))
+ goto trunc;
+ ND_PRINT((ndo,") "));
+ } else if(ndo->ndo_vflag && 4 < ntohs(e.h.len)) {
+ if(!ike_show_somedata(ndo, (const u_char *)(ext+1), ep)) goto trunc;
+ }
+
+ return (u_char *)ext + ntohs(e.h.len);
+trunc:
+ ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
+ return NULL;
+}
+
+static const u_char *
+ikev2_nonce_print(netdissect_options *ndo, u_char tpay,
+ const struct isakmp_gen *ext,
+ u_int item_len _U_, const u_char *ep _U_,
+ u_int32_t phase _U_, u_int32_t doi _U_,
+ u_int32_t proto _U_, int depth _U_)
+{
+ struct isakmp_gen e;
+
+ ND_TCHECK(*ext);
+ safememcpy(&e, ext, sizeof(e));
+ ikev2_pay_print(ndo, "nonce", e.critical);
+
+ ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
+ if (1 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
+ ND_PRINT((ndo," nonce=("));
+ if (!rawprint(ndo, (caddr_t)(ext + 1), ntohs(e.len) - 4))
+ goto trunc;
+ ND_PRINT((ndo,") "));
+ } else if(ndo->ndo_vflag && 4 < ntohs(e.len)) {
+ if(!ike_show_somedata(ndo, (const u_char *)(ext+1), ep)) goto trunc;
+ }
+
+ return (u_char *)ext + ntohs(e.len);
+trunc:
+ ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
+ return NULL;
+}
+
+/* notify payloads */
+static const u_char *
+ikev2_n_print(netdissect_options *ndo, u_char tpay _U_,
+ const struct isakmp_gen *ext,
+ u_int item_len _U_, const u_char *ep _U_,
+ u_int32_t phase _U_, u_int32_t doi _U_,
+ u_int32_t proto _U_, int depth _U_)
+{
+ struct ikev2_n *p, n;
+ const u_char *cp;
+ u_char *ep2;
+ u_char showspi, showdata, showsomedata;
+ const char *notify_name;
+ u_int32_t type;
+
+ p = (struct ikev2_n *)ext;
+ ND_TCHECK(*p);
+ safememcpy(&n, ext, sizeof(n));
+ ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_N), n.h.critical);
+
+ showspi = 1;
+ showdata = 0;
+ showsomedata=0;
+ notify_name=NULL;
+
+ ND_PRINT((ndo," prot_id=%s", PROTOIDSTR(n.prot_id)));
+
+ type = ntohs(n.type);
+
+ /* notify space is annoying sparse */
+ switch(type) {
+ case IV2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD:
+ notify_name = "unsupported_critical_payload";
+ showspi = 0;
+ break;
+
+ case IV2_NOTIFY_INVALID_IKE_SPI:
+ notify_name = "invalid_ike_spi";
+ showspi = 1;
+ break;
+
+ case IV2_NOTIFY_INVALID_MAJOR_VERSION:
+ notify_name = "invalid_major_version";
+ showspi = 0;
+ break;
+
+ case IV2_NOTIFY_INVALID_SYNTAX:
+ notify_name = "invalid_syntax";
+ showspi = 1;
+ break;
+
+ case IV2_NOTIFY_INVALID_MESSAGE_ID:
+ notify_name = "invalid_message_id";
+ showspi = 1;
+ break;
+
+ case IV2_NOTIFY_INVALID_SPI:
+ notify_name = "invalid_spi";
+ showspi = 1;
+ break;
+
+ case IV2_NOTIFY_NO_PROPOSAL_CHOSEN:
+ notify_name = "no_protocol_chosen";
+ showspi = 1;
+ break;
+
+ case IV2_NOTIFY_INVALID_KE_PAYLOAD:
+ notify_name = "invalid_ke_payload";
+ showspi = 1;
+ break;
+
+ case IV2_NOTIFY_AUTHENTICATION_FAILED:
+ notify_name = "authentication_failed";
+ showspi = 1;
+ break;
+
+ case IV2_NOTIFY_SINGLE_PAIR_REQUIRED:
+ notify_name = "single_pair_required";
+ showspi = 1;
+ break;
+
+ case IV2_NOTIFY_NO_ADDITIONAL_SAS:
+ notify_name = "no_additional_sas";
+ showspi = 0;
+ break;
+
+ case IV2_NOTIFY_INTERNAL_ADDRESS_FAILURE:
+ notify_name = "internal_address_failure";
+ showspi = 0;
+ break;
+
+ case IV2_NOTIFY_FAILED_CP_REQUIRED:
+ notify_name = "failed:cp_required";
+ showspi = 0;
+ break;
+
+ case IV2_NOTIFY_INVALID_SELECTORS:
+ notify_name = "invalid_selectors";
+ showspi = 0;
+ break;
+
+ case IV2_NOTIFY_INITIAL_CONTACT:
+ notify_name = "initial_contact";
+ showspi = 0;
+ break;
+
+ case IV2_NOTIFY_SET_WINDOW_SIZE:
+ notify_name = "set_window_size";
+ showspi = 0;
+ break;
+
+ case IV2_NOTIFY_ADDITIONAL_TS_POSSIBLE:
+ notify_name = "additional_ts_possible";
+ showspi = 0;
+ break;
+
+ case IV2_NOTIFY_IPCOMP_SUPPORTED:
+ notify_name = "ipcomp_supported";
+ showspi = 0;
+ break;
+
+ case IV2_NOTIFY_NAT_DETECTION_SOURCE_IP:
+ notify_name = "nat_detection_source_ip";
+ showspi = 1;
+ break;
+
+ case IV2_NOTIFY_NAT_DETECTION_DESTINATION_IP:
+ notify_name = "nat_detection_destination_ip";
+ showspi = 1;
+ break;
+
+ case IV2_NOTIFY_COOKIE:
+ notify_name = "cookie";
+ showspi = 1;
+ showsomedata= 1;
+ showdata= 0;
+ break;
+
+ case IV2_NOTIFY_USE_TRANSPORT_MODE:
+ notify_name = "use_transport_mode";
+ showspi = 0;
+ break;
+
+ case IV2_NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED:
+ notify_name = "http_cert_lookup_supported";
+ showspi = 0;
+ break;
+
+ case IV2_NOTIFY_REKEY_SA:
+ notify_name = "rekey_sa";
+ showspi = 1;
+ break;
+
+ case IV2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED:
+ notify_name = "tfc_padding_not_supported";
+ showspi = 0;
+ break;
+
+ case IV2_NOTIFY_NON_FIRST_FRAGMENTS_ALSO:
+ notify_name = "non_first_fragment_also";
+ showspi = 0;
+ break;
+
+ default:
+ if (type < 8192) {
+ notify_name="error";
+ } else if(type < 16384) {
+ notify_name="private-error";
+ } else if(type < 40960) {
+ notify_name="status";
+ } else {
+ notify_name="private-status";
+ }
+ }
+
+ if(notify_name) {
+ ND_PRINT((ndo," type=%u(%s)", type, notify_name));
+ }
+
+
+ if (showspi && n.spi_size) {
+ ND_PRINT((ndo," spi="));
+ if (!rawprint(ndo, (caddr_t)(p + 1), n.spi_size))
+ goto trunc;
+ }
+
+ cp = (u_char *)(p + 1) + n.spi_size;
+ ep2 = (u_char *)p + item_len;
+
+ if(3 < ndo->ndo_vflag) {
+ showdata = 1;
+ }
- TCHECK(*ext);
+ if ((showdata || (showsomedata && ep-cp < 30)) && cp < ep) {
+ ND_PRINT((ndo," data=("));
+ if (!rawprint(ndo, (caddr_t)(cp), ep - cp))
+ goto trunc;
+
+ ND_PRINT((ndo,")"));
+
+ } else if(showsomedata && cp < ep) {
+ if(!ike_show_somedata(ndo, cp, ep)) goto trunc;
+ }
+
+ return (u_char *)ext + item_len;
+trunc:
+ ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_N)));
+ return NULL;
+}
+
+static const u_char *
+ikev2_d_print(netdissect_options *ndo, u_char tpay,
+ const struct isakmp_gen *ext,
+ u_int item_len _U_, const u_char *ep _U_,
+ u_int32_t phase _U_, u_int32_t doi _U_,
+ u_int32_t proto _U_, int depth _U_)
+{
+ return ikev2_gen_print(ndo, tpay, ext);
+}
+
+static const u_char *
+ikev2_vid_print(netdissect_options *ndo, u_char tpay,
+ const struct isakmp_gen *ext,
+ u_int item_len _U_, const u_char *ep _U_,
+ u_int32_t phase _U_, u_int32_t doi _U_,
+ u_int32_t proto _U_, int depth _U_)
+{
+ struct isakmp_gen e;
+ const u_char *vid;
+ int i, len;
+
+ ND_TCHECK(*ext);
safememcpy(&e, ext, sizeof(e));
- printf(" len=%d", ntohs(e.len) - 4);
- if (2 < vflag && 4 < ntohs(e.len)) {
- printf(" ");
- if (!rawprint((caddr_t)(ext + 1), ntohs(e.len) - 4))
+ ikev2_pay_print(ndo, NPSTR(tpay), e.critical);
+ ND_PRINT((ndo," len=%d vid=", ntohs(e.len) - 4));
+
+ vid = (const u_char *)(ext+1);
+ len = ntohs(e.len) - 4;
+ ND_TCHECK2(*vid, len);
+ for(i=0; i<len; i++) {
+ if(isprint(vid[i])) ND_PRINT((ndo, "%c", vid[i]));
+ else ND_PRINT((ndo, ".", vid[i]));
+ }
+ if (2 < ndo->ndo_vflag && 4 < len) {
+ ND_PRINT((ndo," "));
+ if (!rawprint(ndo, (caddr_t)(ext + 1), ntohs(e.len) - 4))
goto trunc;
}
return (u_char *)ext + ntohs(e.len);
trunc:
- printf(" [|%s]", NPSTR(ISAKMP_NPTYPE_VID));
+ ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
return NULL;
}
static const u_char *
-isakmp_sub0_print(u_char np, const struct isakmp_gen *ext, const u_char *ep,
- u_int32_t phase, u_int32_t doi, u_int32_t proto, int depth)
+ikev2_TS_print(netdissect_options *ndo, u_char tpay,
+ const struct isakmp_gen *ext,
+ u_int item_len _U_, const u_char *ep _U_,
+ u_int32_t phase _U_, u_int32_t doi _U_,
+ u_int32_t proto _U_, int depth _U_)
+{
+ return ikev2_gen_print(ndo, tpay, ext);
+}
+
+static const u_char *
+ikev2_e_print(netdissect_options *ndo, u_char tpay,
+ const struct isakmp_gen *ext,
+ u_int item_len _U_, const u_char *ep _U_,
+ u_int32_t phase _U_, u_int32_t doi _U_,
+ u_int32_t proto _U_, int depth _U_)
+{
+ return ikev2_gen_print(ndo, tpay, ext);
+}
+
+static const u_char *
+ikev2_cp_print(netdissect_options *ndo, u_char tpay,
+ const struct isakmp_gen *ext,
+ u_int item_len _U_, const u_char *ep _U_,
+ u_int32_t phase _U_, u_int32_t doi _U_,
+ u_int32_t proto _U_, int depth _U_)
+{
+ return ikev2_gen_print(ndo, tpay, ext);
+}
+
+static const u_char *
+ikev2_eap_print(netdissect_options *ndo, u_char tpay,
+ const struct isakmp_gen *ext,
+ u_int item_len _U_, const u_char *ep _U_,
+ u_int32_t phase _U_, u_int32_t doi _U_,
+ u_int32_t proto _U_, int depth _U_)
+{
+ return ikev2_gen_print(ndo, tpay, ext);
+}
+
+static const u_char *
+ike_sub0_print(netdissect_options *ndo,
+ u_char np, const struct isakmp_gen *ext, const u_char *ep,
+ u_int32_t phase, u_int32_t doi, u_int32_t proto, int depth)
{
const u_char *cp;
struct isakmp_gen e;
u_int item_len;
cp = (u_char *)ext;
- TCHECK(*ext);
+ ND_TCHECK(*ext);
safememcpy(&e, ext, sizeof(e));
/*
@@ -1228,21 +1986,22 @@
* XXX - what if item_len is too short, or too long,
* for this payload type?
*/
- cp = (*npfunc[np])(ext, item_len, ep, phase, doi, proto, depth);
+ cp = (*npfunc[np])(ndo, np, ext, item_len, ep, phase, doi, proto, depth);
} else {
- printf("%s", NPSTR(np));
+ ND_PRINT((ndo,"%s", NPSTR(np)));
cp += item_len;
}
return cp;
trunc:
- printf(" [|isakmp]");
+ ND_PRINT((ndo," [|isakmp]"));
return NULL;
}
static const u_char *
-isakmp_sub_print(u_char np, const struct isakmp_gen *ext, const u_char *ep,
- u_int32_t phase, u_int32_t doi, u_int32_t proto, int depth)
+ikev1_sub_print(netdissect_options *ndo,
+ u_char np, const struct isakmp_gen *ext, const u_char *ep,
+ u_int32_t phase, u_int32_t doi, u_int32_t proto, int depth)
{
const u_char *cp;
int i;
@@ -1251,19 +2010,19 @@
cp = (const u_char *)ext;
while (np) {
- TCHECK(*ext);
+ ND_TCHECK(*ext);
safememcpy(&e, ext, sizeof(e));
- TCHECK2(*ext, ntohs(e.len));
+ ND_TCHECK2(*ext, ntohs(e.len));
depth++;
- printf("\n");
+ ND_PRINT((ndo,"\n"));
for (i = 0; i < depth; i++)
- printf(" ");
- printf("(");
- cp = isakmp_sub0_print(np, ext, ep, phase, doi, proto, depth);
- printf(")");
+ ND_PRINT((ndo," "));
+ ND_PRINT((ndo,"("));
+ cp = ike_sub0_print(ndo, np, ext, ep, phase, doi, proto, depth);
+ ND_PRINT((ndo,")"));
depth--;
if (cp == NULL) {
@@ -1276,7 +2035,7 @@
}
return cp;
trunc:
- printf(" [|%s]", NPSTR(np));
+ ND_PRINT((ndo," [|%s]", NPSTR(np)));
return NULL;
}
@@ -1300,120 +2059,287 @@
}
void
-isakmp_print(netdissect_options *ndo,
- const u_char *bp, u_int length,
- const u_char *bp2)
+ikev1_print(netdissect_options *ndo,
+ const u_char *bp, u_int length,
+ const u_char *bp2, struct isakmp *base)
{
const struct isakmp *p;
- struct isakmp base;
const u_char *ep;
u_char np;
int i;
int phase;
- int major, minor;
-
+
p = (const struct isakmp *)bp;
ep = ndo->ndo_snapend;
-
- if ((struct isakmp *)ep < p + 1) {
- printf("[|isakmp]");
- return;
- }
-
- safememcpy(&base, p, sizeof(base));
-
- printf("isakmp");
- if (vflag) {
- major = (base.vers & ISAKMP_VERS_MAJOR)
- >> ISAKMP_VERS_MAJOR_SHIFT;
- minor = (base.vers & ISAKMP_VERS_MINOR)
- >> ISAKMP_VERS_MINOR_SHIFT;
- printf(" %d.%d", major, minor);
- }
-
- if (vflag) {
- printf(" msgid ");
- rawprint((caddr_t)&base.msgid, sizeof(base.msgid));
- }
-
- if (1 < vflag) {
- printf(" cookie ");
- rawprint((caddr_t)&base.i_ck, sizeof(base.i_ck));
- printf("->");
- rawprint((caddr_t)&base.r_ck, sizeof(base.r_ck));
- }
- printf(":");
-
- phase = (*(u_int32_t *)base.msgid == 0) ? 1 : 2;
+
+ phase = (*(u_int32_t *)base->msgid == 0) ? 1 : 2;
if (phase == 1)
- printf(" phase %d", phase);
+ ND_PRINT((ndo," phase %d", phase));
else
- printf(" phase %d/others", phase);
-
- i = cookie_find(&base.i_ck);
+ ND_PRINT((ndo," phase %d/others", phase));
+
+ i = cookie_find(&base->i_ck);
if (i < 0) {
- if (iszero((u_char *)&base.r_ck, sizeof(base.r_ck))) {
+ if (iszero((u_char *)&base->r_ck, sizeof(base->r_ck))) {
/* the first packet */
- printf(" I");
+ ND_PRINT((ndo," I"));
if (bp2)
- cookie_record(&base.i_ck, bp2);
+ cookie_record(&base->i_ck, bp2);
} else
- printf(" ?");
+ ND_PRINT((ndo," ?"));
} else {
if (bp2 && cookie_isinitiator(i, bp2))
- printf(" I");
+ ND_PRINT((ndo," I"));
else if (bp2 && cookie_isresponder(i, bp2))
- printf(" R");
+ ND_PRINT((ndo," R"));
else
- printf(" ?");
+ ND_PRINT((ndo," ?"));
}
-
- printf(" %s", ETYPESTR(base.etype));
- if (base.flags) {
- printf("[%s%s]", base.flags & ISAKMP_FLAG_E ? "E" : "",
- base.flags & ISAKMP_FLAG_C ? "C" : "");
+
+ ND_PRINT((ndo," %s", ETYPESTR(base->etype)));
+ if (base->flags) {
+ ND_PRINT((ndo,"[%s%s]", base->flags & ISAKMP_FLAG_E ? "E" : "",
+ base->flags & ISAKMP_FLAG_C ? "C" : ""));
}
-
- if (vflag) {
+
+ if (ndo->ndo_vflag) {
const struct isakmp_gen *ext;
int nparen;
+
+ ND_PRINT((ndo,":"));
+
+ /* regardless of phase... */
+ if (base->flags & ISAKMP_FLAG_E) {
+ /*
+ * encrypted, nothing we can do right now.
+ * we hope to decrypt the packet in the future...
+ */
+ ND_PRINT((ndo," [encrypted %s]", NPSTR(base->np)));
+ goto done;
+ }
+
+ nparen = 0;
+ CHECKLEN(p + 1, base->np);
+ np = base->np;
+ ext = (struct isakmp_gen *)(p + 1);
+ ikev1_sub_print(ndo, np, ext, ep, phase, 0, 0, 0);
+ }
+
+done:
+ if (ndo->ndo_vflag) {
+ if (ntohl(base->len) != length) {
+ ND_PRINT((ndo," (len mismatch: isakmp %u/ip %u)",
+ (u_int32_t)ntohl(base->len), length));
+ }
+ }
+}
-#define CHECKLEN(p, np) \
- if (ep < (u_char *)(p)) { \
- printf(" [|%s]", NPSTR(np)); \
- goto done; \
+static const u_char *
+ikev2_sub0_print(netdissect_options *ndo, u_char np, int pcount,
+ const struct isakmp_gen *ext, const u_char *ep,
+ u_int32_t phase, u_int32_t doi, u_int32_t proto, int depth)
+{
+ const u_char *cp;
+ struct isakmp_gen e;
+ u_int item_len;
+
+ cp = (u_char *)ext;
+ ND_TCHECK(*ext);
+ safememcpy(&e, ext, sizeof(e));
+
+ /*
+ * Since we can't have a payload length of less than 4 bytes,
+ * we need to bail out here if the generic header is nonsensical
+ * or truncated, otherwise we could loop forever processing
+ * zero-length items or otherwise misdissect the packet.
+ */
+ item_len = ntohs(e.len);
+ if (item_len <= 4)
+ return NULL;
+
+ if(np == ISAKMP_NPTYPE_P) {
+ cp = ikev2_p_print(ndo, np, pcount, ext, item_len,
+ ep, phase, doi, proto, depth);
+ } else if(np == ISAKMP_NPTYPE_T) {
+ cp = ikev2_t_print(ndo, np, pcount, ext, item_len,
+ ep, phase, doi, proto, depth);
+ } else if (NPFUNC(np)) {
+ /*
+ * XXX - what if item_len is too short, or too long,
+ * for this payload type?
+ */
+ cp = (*npfunc[np])(ndo, np, /*pcount,*/ ext, item_len,
+ ep, phase, doi, proto, depth);
+ } else {
+ ND_PRINT((ndo,"%s", NPSTR(np)));
+ cp += item_len;
+ }
+
+ return cp;
+trunc:
+ ND_PRINT((ndo," [|isakmp]"));
+ return NULL;
+}
+
+static const u_char *
+ikev2_sub_print(netdissect_options *ndo,
+ u_char np, const struct isakmp_gen *ext, const u_char *ep,
+ u_int32_t phase, u_int32_t doi, u_int32_t proto, int depth)
+{
+ const u_char *cp;
+ int i;
+ int pcount;
+ struct isakmp_gen e;
+
+ cp = (const u_char *)ext;
+ pcount = 0;
+ while (np) {
+ pcount++;
+ ND_TCHECK(*ext);
+
+ safememcpy(&e, ext, sizeof(e));
+
+ ND_TCHECK2(*ext, ntohs(e.len));
+
+ depth++;
+ ND_PRINT((ndo,"\n"));
+ for (i = 0; i < depth; i++)
+ ND_PRINT((ndo," "));
+ ND_PRINT((ndo,"("));
+ cp = ikev2_sub0_print(ndo, np, pcount,
+ ext, ep, phase, doi, proto, depth);
+ ND_PRINT((ndo,")"));
+ depth--;
+
+ if (cp == NULL) {
+ /* Zero-length subitem */
+ return NULL;
}
- printf(":");
+ np = e.np;
+ ext = (struct isakmp_gen *)cp;
+ }
+ return cp;
+trunc:
+ ND_PRINT((ndo," [|%s]", NPSTR(np)));
+ return NULL;
+}
+
+static void
+ikev2_print(netdissect_options *ndo,
+ const u_char *bp, u_int length,
+ const u_char *bp2 _U_, struct isakmp *base)
+{
+ const struct isakmp *p;
+ const u_char *ep;
+ u_char np;
+ int phase;
+
+ p = (const struct isakmp *)bp;
+ ep = ndo->ndo_snapend;
+
+ phase = (*(u_int32_t *)base->msgid == 0) ? 1 : 2;
+ if (phase == 1)
+ ND_PRINT((ndo, " parent_sa"));
+ else
+ ND_PRINT((ndo, " child_sa "));
+
+ ND_PRINT((ndo, " %s", ETYPESTR(base->etype)));
+ if (base->flags) {
+ ND_PRINT((ndo, "[%s%s]",
+ base->flags & ISAKMP_FLAG_I ? "I" : "",
+ base->flags & ISAKMP_FLAG_V ? "V" : "",
+ base->flags & ISAKMP_FLAG_R ? "R" : ""));
+ }
+
+ if (ndo->ndo_vflag) {
+ const struct isakmp_gen *ext;
+ int nparen;
+
+ ND_PRINT((ndo, ":"));
/* regardless of phase... */
- if (base.flags & ISAKMP_FLAG_E) {
+ if (base->flags & ISAKMP_FLAG_E) {
/*
* encrypted, nothing we can do right now.
* we hope to decrypt the packet in the future...
*/
- printf(" [encrypted %s]", NPSTR(base.np));
+ ND_PRINT((ndo, " [encrypted %s]", NPSTR(base->np)));
goto done;
}
nparen = 0;
- CHECKLEN(p + 1, base.np)
+ CHECKLEN(p + 1, base->np)
- np = base.np;
+ np = base->np;
ext = (struct isakmp_gen *)(p + 1);
- isakmp_sub_print(np, ext, ep, phase, 0, 0, 0);
+ ikev2_sub_print(ndo, np, ext, ep, phase, 0, 0, 0);
}
done:
- if (vflag) {
- if (ntohl(base.len) != length) {
- printf(" (len mismatch: isakmp %u/ip %u)",
- (u_int32_t)ntohl(base.len), length);
+ if (ndo->ndo_vflag) {
+ if (ntohl(base->len) != length) {
+ ND_PRINT((ndo, " (len mismatch: isakmp %u/ip %u)",
+ (u_int32_t)ntohl(base->len), length));
}
}
}
void
+isakmp_print(netdissect_options *ndo,
+ const u_char *bp, u_int length,
+ const u_char *bp2)
+{
+ const struct isakmp *p;
+ struct isakmp base;
+ const u_char *ep;
+ int major, minor;
+
+ p = (const struct isakmp *)bp;
+ ep = ndo->ndo_snapend;
+
+ if ((struct isakmp *)ep < p + 1) {
+ ND_PRINT((ndo,"[|isakmp]"));
+ return;
+ }
+
+ safememcpy(&base, p, sizeof(base));
+
+ ND_PRINT((ndo,"isakmp"));
+ major = (base.vers & ISAKMP_VERS_MAJOR)
+ >> ISAKMP_VERS_MAJOR_SHIFT;
+ minor = (base.vers & ISAKMP_VERS_MINOR)
+ >> ISAKMP_VERS_MINOR_SHIFT;
+
+ if (ndo->ndo_vflag) {
+ ND_PRINT((ndo," %d.%d", major, minor));
+ }
+
+ if (ndo->ndo_vflag) {
+ ND_PRINT((ndo," msgid "));
+ rawprint(ndo, (caddr_t)&base.msgid, sizeof(base.msgid));
+ }
+
+ if (1 < ndo->ndo_vflag) {
+ ND_PRINT((ndo," cookie "));
+ rawprint(ndo, (caddr_t)&base.i_ck, sizeof(base.i_ck));
+ ND_PRINT((ndo,"->"));
+ rawprint(ndo, (caddr_t)&base.r_ck, sizeof(base.r_ck));
+ }
+ ND_PRINT((ndo,":"));
+
+ switch(major) {
+ case IKEv1_MAJOR_VERSION:
+ ikev1_print(ndo, bp, length, bp2, &base);
+ break;
+
+ case IKEv2_MAJOR_VERSION:
+ ikev2_print(ndo, bp, length, bp2, &base);
+ break;
+ }
+}
+
+void
isakmp_rfc3948_print(netdissect_options *ndo,
const u_char *bp, u_int length,
const u_char *bp2)
@@ -1429,7 +2355,7 @@
if(length < 4) {
goto trunc;
}
-
+
/*
* see if this is an IKE packet
*/
@@ -1459,7 +2385,7 @@
}
trunc:
- printf("[|isakmp]");
+ ND_PRINT((ndo,"[|isakmp]"));
return;
}
Reference in New Issue View Git Blame Copy Permalink