1 /*
2  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
3  * All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  *    notice, this list of conditions and the following disclaimer in the
12  *    documentation and/or other materials provided with the distribution.
13  * 3. Neither the name of the project nor the names of its contributors
14  *    may be used to endorse or promote products derived from this software
15  *    without specific prior written permission.
16  *
17  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
18  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20  * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
21  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27  * SUCH DAMAGE.
28  *
29  */
30 
31 /* \summary: Internet Security Association and Key Management Protocol (ISAKMP) printer */
32 
33 #ifdef HAVE_CONFIG_H
34 #include "config.h"
35 #endif
36 
37 /* The functions from print-esp.c used in this file are only defined when both
38  * OpenSSL and evp.h are detected. Employ the same preprocessor device here.
39  */
40 #ifndef HAVE_OPENSSL_EVP_H
41 #undef HAVE_LIBCRYPTO
42 #endif
43 
44 #include <netdissect-stdinc.h>
45 
46 #include <string.h>
47 
48 #include "netdissect.h"
49 #include "addrtoname.h"
50 #include "extract.h"
51 
52 #include "ip.h"
53 #include "ip6.h"
54 #include "ipproto.h"
55 
56 /* refer to RFC 2408 */
57 
58 typedef u_char cookie_t[8];
59 typedef u_char msgid_t[4];
60 
61 #define PORT_ISAKMP 500
62 
63 /* 3.1 ISAKMP Header Format (IKEv1 and IKEv2)
64          0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
65         +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
66         !                          Initiator                            !
67         !                            Cookie                             !
68         +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
69         !                          Responder                            !
70         !                            Cookie                             !
71         +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
72         !  Next Payload ! MjVer ! MnVer ! Exchange Type !     Flags     !
73         +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
74         !                          Message ID                           !
75         +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
76         !                            Length                             !
77         +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
78 */
79 struct isakmp {
80 	cookie_t i_ck;		/* Initiator Cookie */
81 	cookie_t r_ck;		/* Responder Cookie */
82 	uint8_t np;		/* Next Payload Type */
83 	uint8_t vers;
84 #define ISAKMP_VERS_MAJOR	0xf0
85 #define ISAKMP_VERS_MAJOR_SHIFT	4
86 #define ISAKMP_VERS_MINOR	0x0f
87 #define ISAKMP_VERS_MINOR_SHIFT	0
88 	uint8_t etype;		/* Exchange Type */
89 	uint8_t flags;		/* Flags */
90 	msgid_t msgid;
91 	uint32_t len;		/* Length */
92 };
93 
94 /* Next Payload Type */
95 #define ISAKMP_NPTYPE_NONE   0 /* NONE*/
96 #define ISAKMP_NPTYPE_SA     1 /* Security Association */
97 #define ISAKMP_NPTYPE_P      2 /* Proposal */
98 #define ISAKMP_NPTYPE_T      3 /* Transform */
99 #define ISAKMP_NPTYPE_KE     4 /* Key Exchange */
100 #define ISAKMP_NPTYPE_ID     5 /* Identification */
101 #define ISAKMP_NPTYPE_CERT   6 /* Certificate */
102 #define ISAKMP_NPTYPE_CR     7 /* Certificate Request */
103 #define ISAKMP_NPTYPE_HASH   8 /* Hash */
104 #define ISAKMP_NPTYPE_SIG    9 /* Signature */
105 #define ISAKMP_NPTYPE_NONCE 10 /* Nonce */
106 #define ISAKMP_NPTYPE_N     11 /* Notification */
107 #define ISAKMP_NPTYPE_D     12 /* Delete */
108 #define ISAKMP_NPTYPE_VID   13 /* Vendor ID */
109 #define ISAKMP_NPTYPE_v2E   46 /* v2 Encrypted payload */
110 
111 #define IKEv1_MAJOR_VERSION  1
112 #define IKEv1_MINOR_VERSION  0
113 
114 #define IKEv2_MAJOR_VERSION  2
115 #define IKEv2_MINOR_VERSION  0
116 
117 /* Flags */
118 #define ISAKMP_FLAG_E 0x01 /* Encryption Bit */
119 #define ISAKMP_FLAG_C 0x02 /* Commit Bit */
120 #define ISAKMP_FLAG_extra 0x04
121 
122 /* IKEv2 */
123 #define ISAKMP_FLAG_I (1 << 3)  /* (I)nitiator */
124 #define ISAKMP_FLAG_V (1 << 4)  /* (V)ersion   */
125 #define ISAKMP_FLAG_R (1 << 5)  /* (R)esponse  */
126 
127 
128 /* 3.2 Payload Generic Header
129          0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
130         +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
131         ! Next Payload  !   RESERVED    !         Payload Length        !
132         +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
133 */
134 struct isakmp_gen {
135 	uint8_t  np;       /* Next Payload */
136 	uint8_t  critical; /* bit 7 - critical, rest is RESERVED */
137 	uint16_t len;      /* Payload Length */
138 };
139 
140 /* 3.3 Data Attributes
141          0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
142         +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
143         !A!       Attribute Type        !    AF=0  Attribute Length     !
144         !F!                             !    AF=1  Attribute Value      !
145         +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
146         .                   AF=0  Attribute Value                       .
147         .                   AF=1  Not Transmitted                       .
148         +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
149 */
150 struct isakmp_data {
151 	uint16_t type;     /* defined by DOI-spec, and Attribute Format */
152 	uint16_t lorv;     /* if f equal 1, Attribute Length */
153 	                  /* if f equal 0, Attribute Value */
154 	/* if f equal 1, Attribute Value */
155 };
156 
157 /* 3.4 Security Association Payload */
158 	/* MAY NOT be used, because of being defined in ipsec-doi. */
159 	/*
160 	If the current payload is the last in the message,
161 	then the value of the next payload field will be 0.
162 	This field MUST NOT contain the
163 	values for the Proposal or Transform payloads as they are considered
164 	part of the security association negotiation.  For example, this
165 	field would contain the value "10" (Nonce payload) in the first
166 	message of a Base Exchange (see Section 4.4) and the value "0" in the
167 	first message of an Identity Protect Exchange (see Section 4.5).
168 	*/
169 struct ikev1_pl_sa {
170 	struct isakmp_gen h;
171 	uint32_t doi; /* Domain of Interpretation */
172 	uint32_t sit; /* Situation */
173 };
174 
175 /* 3.5 Proposal Payload */
176 	/*
177 	The value of the next payload field MUST only contain the value "2"
178 	or "0".  If there are additional Proposal payloads in the message,
179 	then this field will be 2.  If the current Proposal payload is the
180 	last within the security association proposal, then this field will
181 	be 0.
182 	*/
183 struct ikev1_pl_p {
184 	struct isakmp_gen h;
185 	uint8_t p_no;      /* Proposal # */
186 	uint8_t prot_id;   /* Protocol */
187 	uint8_t spi_size;  /* SPI Size */
188 	uint8_t num_t;     /* Number of Transforms */
189 	/* SPI */
190 };
191 
192 /* 3.6 Transform Payload */
193 	/*
194 	The value of the next payload field MUST only contain the value "3"
195 	or "0".  If there are additional Transform payloads in the proposal,
196 	then this field will be 3.  If the current Transform payload is the
197 	last within the proposal, then this field will be 0.
198 	*/
199 struct ikev1_pl_t {
200 	struct isakmp_gen h;
201 	uint8_t  t_no;     /* Transform # */
202 	uint8_t  t_id;     /* Transform-Id */
203 	uint16_t reserved; /* RESERVED2 */
204 	/* SA Attributes */
205 };
206 
207 /* 3.7 Key Exchange Payload */
208 struct ikev1_pl_ke {
209 	struct isakmp_gen h;
210 	/* Key Exchange Data */
211 };
212 
213 /* 3.8 Identification Payload */
214 	/* MUST NOT to be used, because of being defined in ipsec-doi. */
215 struct ikev1_pl_id {
216 	struct isakmp_gen h;
217 	union {
218 		uint8_t  id_type;   /* ID Type */
219 		uint32_t doi_data;  /* DOI Specific ID Data */
220 	} d;
221 	/* Identification Data */
222 };
223 
224 /* 3.9 Certificate Payload */
225 struct ikev1_pl_cert {
226 	struct isakmp_gen h;
227 	uint8_t encode; /* Cert Encoding */
228 	char   cert;   /* Certificate Data */
229 		/*
230 		This field indicates the type of
231 		certificate or certificate-related information contained in the
232 		Certificate Data field.
233 		*/
234 };
235 
236 /* 3.10 Certificate Request Payload */
237 struct ikev1_pl_cr {
238 	struct isakmp_gen h;
239 	uint8_t num_cert; /* # Cert. Types */
240 	/*
241 	Certificate Types (variable length)
242 	  -- Contains a list of the types of certificates requested,
243 	  sorted in order of preference.  Each individual certificate
244 	  type is 1 octet.  This field is NOT requiredo
245 	*/
246 	/* # Certificate Authorities (1 octet) */
247 	/* Certificate Authorities (variable length) */
248 };
249 
250 /* 3.11 Hash Payload */
251 	/* may not be used, because of having only data. */
252 struct ikev1_pl_hash {
253 	struct isakmp_gen h;
254 	/* Hash Data */
255 };
256 
257 /* 3.12 Signature Payload */
258 	/* may not be used, because of having only data. */
259 struct ikev1_pl_sig {
260 	struct isakmp_gen h;
261 	/* Signature Data */
262 };
263 
264 /* 3.13 Nonce Payload */
265 	/* may not be used, because of having only data. */
266 struct ikev1_pl_nonce {
267 	struct isakmp_gen h;
268 	/* Nonce Data */
269 };
270 
271 /* 3.14 Notification Payload */
272 struct ikev1_pl_n {
273 	struct isakmp_gen h;
274 	uint32_t doi;      /* Domain of Interpretation */
275 	uint8_t  prot_id;  /* Protocol-ID */
276 	uint8_t  spi_size; /* SPI Size */
277 	uint16_t type;     /* Notify Message Type */
278 	/* SPI */
279 	/* Notification Data */
280 };
281 
282 /* 3.14.1 Notify Message Types */
283 /* NOTIFY MESSAGES - ERROR TYPES */
284 #define ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE           1
285 #define ISAKMP_NTYPE_DOI_NOT_SUPPORTED              2
286 #define ISAKMP_NTYPE_SITUATION_NOT_SUPPORTED        3
287 #define ISAKMP_NTYPE_INVALID_COOKIE                 4
288 #define ISAKMP_NTYPE_INVALID_MAJOR_VERSION          5
289 #define ISAKMP_NTYPE_INVALID_MINOR_VERSION          6
290 #define ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE          7
291 #define ISAKMP_NTYPE_INVALID_FLAGS                  8
292 #define ISAKMP_NTYPE_INVALID_MESSAGE_ID             9
293 #define ISAKMP_NTYPE_INVALID_PROTOCOL_ID            10
294 #define ISAKMP_NTYPE_INVALID_SPI                    11
295 #define ISAKMP_NTYPE_INVALID_TRANSFORM_ID           12
296 #define ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED       13
297 #define ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN             14
298 #define ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX            15
299 #define ISAKMP_NTYPE_PAYLOAD_MALFORMED              16
300 #define ISAKMP_NTYPE_INVALID_KEY_INFORMATION        17
301 #define ISAKMP_NTYPE_INVALID_ID_INFORMATION         18
302 #define ISAKMP_NTYPE_INVALID_CERT_ENCODING          19
303 #define ISAKMP_NTYPE_INVALID_CERTIFICATE            20
304 #define ISAKMP_NTYPE_BAD_CERT_REQUEST_SYNTAX        21
305 #define ISAKMP_NTYPE_INVALID_CERT_AUTHORITY         22
306 #define ISAKMP_NTYPE_INVALID_HASH_INFORMATION       23
307 #define ISAKMP_NTYPE_AUTHENTICATION_FAILED          24
308 #define ISAKMP_NTYPE_INVALID_SIGNATURE              25
309 #define ISAKMP_NTYPE_ADDRESS_NOTIFICATION           26
310 
311 /* 3.15 Delete Payload */
312 struct ikev1_pl_d {
313 	struct isakmp_gen h;
314 	uint32_t doi;      /* Domain of Interpretation */
315 	uint8_t  prot_id;  /* Protocol-Id */
316 	uint8_t  spi_size; /* SPI Size */
317 	uint16_t num_spi;  /* # of SPIs */
318 	/* SPI(es) */
319 };
320 
321 struct ikev1_ph1tab {
322 	struct ikev1_ph1 *head;
323 	struct ikev1_ph1 *tail;
324 	int len;
325 };
326 
327 struct isakmp_ph2tab {
328 	struct ikev1_ph2 *head;
329 	struct ikev1_ph2 *tail;
330 	int len;
331 };
332 
333 /* IKEv2 (RFC4306) */
334 
335 /* 3.3  Security Association Payload -- generic header */
336 /* 3.3.1.  Proposal Substructure */
337 struct ikev2_p {
338 	struct isakmp_gen h;
339 	uint8_t p_no;      /* Proposal # */
340 	uint8_t prot_id;   /* Protocol */
341 	uint8_t spi_size;  /* SPI Size */
342 	uint8_t num_t;     /* Number of Transforms */
343 };
344 
345 /* 3.3.2.  Transform Substructure */
346 struct ikev2_t {
347 	struct isakmp_gen h;
348 	uint8_t t_type;    /* Transform Type (ENCR,PRF,INTEG,etc.*/
349 	uint8_t res2;      /* reserved byte */
350 	uint16_t t_id;     /* Transform ID */
351 };
352 
353 enum ikev2_t_type {
354 	IV2_T_ENCR = 1,
355 	IV2_T_PRF  = 2,
356 	IV2_T_INTEG= 3,
357 	IV2_T_DH   = 4,
358 	IV2_T_ESN  = 5
359 };
360 
361 /* 3.4.  Key Exchange Payload */
362 struct ikev2_ke {
363 	struct isakmp_gen h;
364 	uint16_t  ke_group;
365 	uint16_t  ke_res1;
366 	/* KE data */
367 };
368 
369 
370 /* 3.5.  Identification Payloads */
371 enum ikev2_id_type {
372 	ID_IPV4_ADDR=1,
373 	ID_FQDN=2,
374 	ID_RFC822_ADDR=3,
375 	ID_IPV6_ADDR=5,
376 	ID_DER_ASN1_DN=9,
377 	ID_DER_ASN1_GN=10,
378 	ID_KEY_ID=11
379 };
380 struct ikev2_id {
381 	struct isakmp_gen h;
382 	uint8_t  type;        /* ID type */
383 	uint8_t  res1;
384 	uint16_t res2;
385 	/* SPI */
386 	/* Notification Data */
387 };
388 
389 /* 3.10 Notification Payload */
390 struct ikev2_n {
391 	struct isakmp_gen h;
392 	uint8_t  prot_id;  /* Protocol-ID */
393 	uint8_t  spi_size; /* SPI Size */
394 	uint16_t type;     /* Notify Message Type */
395 };
396 
397 enum ikev2_n_type {
398 	IV2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD            = 1,
399 	IV2_NOTIFY_INVALID_IKE_SPI                         = 4,
400 	IV2_NOTIFY_INVALID_MAJOR_VERSION                   = 5,
401 	IV2_NOTIFY_INVALID_SYNTAX                          = 7,
402 	IV2_NOTIFY_INVALID_MESSAGE_ID                      = 9,
403 	IV2_NOTIFY_INVALID_SPI                             =11,
404 	IV2_NOTIFY_NO_PROPOSAL_CHOSEN                      =14,
405 	IV2_NOTIFY_INVALID_KE_PAYLOAD                      =17,
406 	IV2_NOTIFY_AUTHENTICATION_FAILED                   =24,
407 	IV2_NOTIFY_SINGLE_PAIR_REQUIRED                    =34,
408 	IV2_NOTIFY_NO_ADDITIONAL_SAS                       =35,
409 	IV2_NOTIFY_INTERNAL_ADDRESS_FAILURE                =36,
410 	IV2_NOTIFY_FAILED_CP_REQUIRED                      =37,
411 	IV2_NOTIFY_INVALID_SELECTORS                       =39,
412 	IV2_NOTIFY_INITIAL_CONTACT                         =16384,
413 	IV2_NOTIFY_SET_WINDOW_SIZE                         =16385,
414 	IV2_NOTIFY_ADDITIONAL_TS_POSSIBLE                  =16386,
415 	IV2_NOTIFY_IPCOMP_SUPPORTED                        =16387,
416 	IV2_NOTIFY_NAT_DETECTION_SOURCE_IP                 =16388,
417 	IV2_NOTIFY_NAT_DETECTION_DESTINATION_IP            =16389,
418 	IV2_NOTIFY_COOKIE                                  =16390,
419 	IV2_NOTIFY_USE_TRANSPORT_MODE                      =16391,
420 	IV2_NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED              =16392,
421 	IV2_NOTIFY_REKEY_SA                                =16393,
422 	IV2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED           =16394,
423 	IV2_NOTIFY_NON_FIRST_FRAGMENTS_ALSO                =16395
424 };
425 
426 struct notify_messages {
427 	uint16_t type;
428 	char     *msg;
429 };
430 
431 /* 3.8 Authentication Payload */
432 struct ikev2_auth {
433 	struct isakmp_gen h;
434 	uint8_t  auth_method;  /* Protocol-ID */
435 	uint8_t  reserved[3];
436 	/* authentication data */
437 };
438 
439 enum ikev2_auth_type {
440 	IV2_RSA_SIG = 1,
441 	IV2_SHARED  = 2,
442 	IV2_DSS_SIG = 3
443 };
444 
445 /* refer to RFC 2409 */
446 
447 #if 0
448 /* isakmp sa structure */
449 struct oakley_sa {
450 	uint8_t  proto_id;            /* OAKLEY */
451 	vchar_t   *spi;                /* spi */
452 	uint8_t  dhgrp;               /* DH; group */
453 	uint8_t  auth_t;              /* method of authentication */
454 	uint8_t  prf_t;               /* type of prf */
455 	uint8_t  hash_t;              /* type of hash */
456 	uint8_t  enc_t;               /* type of cipher */
457 	uint8_t  life_t;              /* type of duration of lifetime */
458 	uint32_t ldur;                /* life duration */
459 };
460 #endif
461 
462 /* refer to RFC 2407 */
463 
464 #define IPSEC_DOI 1
465 
466 /* 4.2 IPSEC Situation Definition */
467 #define IPSECDOI_SIT_IDENTITY_ONLY           0x00000001
468 #define IPSECDOI_SIT_SECRECY                 0x00000002
469 #define IPSECDOI_SIT_INTEGRITY               0x00000004
470 
471 /* 4.4.1 IPSEC Security Protocol Identifiers */
472   /* 4.4.2 IPSEC ISAKMP Transform Values */
473 #define IPSECDOI_PROTO_ISAKMP                        1
474 #define   IPSECDOI_KEY_IKE                             1
475 
476 /* 4.4.1 IPSEC Security Protocol Identifiers */
477 #define IPSECDOI_PROTO_IPSEC_AH                      2
478   /* 4.4.3 IPSEC AH Transform Values */
479 #define   IPSECDOI_AH_MD5                              2
480 #define   IPSECDOI_AH_SHA                              3
481 #define   IPSECDOI_AH_DES                              4
482 #define   IPSECDOI_AH_SHA2_256                         5
483 #define   IPSECDOI_AH_SHA2_384                         6
484 #define   IPSECDOI_AH_SHA2_512                         7
485 
486 /* 4.4.1 IPSEC Security Protocol Identifiers */
487 #define IPSECDOI_PROTO_IPSEC_ESP                     3
488   /* 4.4.4 IPSEC ESP Transform Identifiers */
489 #define   IPSECDOI_ESP_DES_IV64                        1
490 #define   IPSECDOI_ESP_DES                             2
491 #define   IPSECDOI_ESP_3DES                            3
492 #define   IPSECDOI_ESP_RC5                             4
493 #define   IPSECDOI_ESP_IDEA                            5
494 #define   IPSECDOI_ESP_CAST                            6
495 #define   IPSECDOI_ESP_BLOWFISH                        7
496 #define   IPSECDOI_ESP_3IDEA                           8
497 #define   IPSECDOI_ESP_DES_IV32                        9
498 #define   IPSECDOI_ESP_RC4                            10
499 #define   IPSECDOI_ESP_NULL                           11
500 #define   IPSECDOI_ESP_RIJNDAEL				12
501 #define   IPSECDOI_ESP_AES				12
502 
503 /* 4.4.1 IPSEC Security Protocol Identifiers */
504 #define IPSECDOI_PROTO_IPCOMP                        4
505   /* 4.4.5 IPSEC IPCOMP Transform Identifiers */
506 #define   IPSECDOI_IPCOMP_OUI                          1
507 #define   IPSECDOI_IPCOMP_DEFLATE                      2
508 #define   IPSECDOI_IPCOMP_LZS                          3
509 
510 /* 4.5 IPSEC Security Association Attributes */
511 #define IPSECDOI_ATTR_SA_LTYPE                1 /* B */
512 #define   IPSECDOI_ATTR_SA_LTYPE_DEFAULT        1
513 #define   IPSECDOI_ATTR_SA_LTYPE_SEC            1
514 #define   IPSECDOI_ATTR_SA_LTYPE_KB             2
515 #define IPSECDOI_ATTR_SA_LDUR                 2 /* V */
516 #define   IPSECDOI_ATTR_SA_LDUR_DEFAULT         28800 /* 8 hours */
517 #define IPSECDOI_ATTR_GRP_DESC                3 /* B */
518 #define IPSECDOI_ATTR_ENC_MODE                4 /* B */
519 	/* default value: host dependent */
520 #define   IPSECDOI_ATTR_ENC_MODE_TUNNEL         1
521 #define   IPSECDOI_ATTR_ENC_MODE_TRNS           2
522 #define IPSECDOI_ATTR_AUTH                    5 /* B */
523 	/* 0 means not to use authentication. */
524 #define   IPSECDOI_ATTR_AUTH_HMAC_MD5           1
525 #define   IPSECDOI_ATTR_AUTH_HMAC_SHA1          2
526 #define   IPSECDOI_ATTR_AUTH_DES_MAC            3
527 #define   IPSECDOI_ATTR_AUTH_KPDK               4 /*RFC-1826(Key/Pad/Data/Key)*/
528 	/*
529 	 * When negotiating ESP without authentication, the Auth
530 	 * Algorithm attribute MUST NOT be included in the proposal.
531 	 * When negotiating ESP without confidentiality, the Auth
532 	 * Algorithm attribute MUST be included in the proposal and
533 	 * the ESP transform ID must be ESP_NULL.
534 	*/
535 #define IPSECDOI_ATTR_KEY_LENGTH              6 /* B */
536 #define IPSECDOI_ATTR_KEY_ROUNDS              7 /* B */
537 #define IPSECDOI_ATTR_COMP_DICT_SIZE          8 /* B */
538 #define IPSECDOI_ATTR_COMP_PRIVALG            9 /* V */
539 
540 /* 4.6.1 Security Association Payload */
541 struct ipsecdoi_sa {
542 	struct isakmp_gen h;
543 	uint32_t doi; /* Domain of Interpretation */
544 	uint32_t sit; /* Situation */
545 };
546 
547 struct ipsecdoi_secrecy_h {
548 	uint16_t len;
549 	uint16_t reserved;
550 };
551 
552 /* 4.6.2.1 Identification Type Values */
553 struct ipsecdoi_id {
554 	struct isakmp_gen h;
555 	uint8_t  type;		/* ID Type */
556 	uint8_t  proto_id;	/* Protocol ID */
557 	uint16_t port;		/* Port */
558 	/* Identification Data */
559 };
560 
561 #define IPSECDOI_ID_IPV4_ADDR                        1
562 #define IPSECDOI_ID_FQDN                             2
563 #define IPSECDOI_ID_USER_FQDN                        3
564 #define IPSECDOI_ID_IPV4_ADDR_SUBNET                 4
565 #define IPSECDOI_ID_IPV6_ADDR                        5
566 #define IPSECDOI_ID_IPV6_ADDR_SUBNET                 6
567 #define IPSECDOI_ID_IPV4_ADDR_RANGE                  7
568 #define IPSECDOI_ID_IPV6_ADDR_RANGE                  8
569 #define IPSECDOI_ID_DER_ASN1_DN                      9
570 #define IPSECDOI_ID_DER_ASN1_GN                      10
571 #define IPSECDOI_ID_KEY_ID                           11
572 
573 /* 4.6.3 IPSEC DOI Notify Message Types */
574 /* Notify Messages - Status Types */
575 #define IPSECDOI_NTYPE_RESPONDER_LIFETIME                  24576
576 #define IPSECDOI_NTYPE_REPLAY_STATUS                       24577
577 #define IPSECDOI_NTYPE_INITIAL_CONTACT                     24578
578 
579 #define DECLARE_PRINTER(func) static const u_char *ike##func##_print( \
580 		netdissect_options *ndo, u_char tpay,	              \
581 		const struct isakmp_gen *ext,			      \
582 		u_int item_len, \
583 		const u_char *end_pointer, \
584 		uint32_t phase,\
585 		uint32_t doi0, \
586 		uint32_t proto0, int depth)
587 
588 DECLARE_PRINTER(v1_sa);
589 DECLARE_PRINTER(v1_p);
590 DECLARE_PRINTER(v1_t);
591 DECLARE_PRINTER(v1_ke);
592 DECLARE_PRINTER(v1_id);
593 DECLARE_PRINTER(v1_cert);
594 DECLARE_PRINTER(v1_cr);
595 DECLARE_PRINTER(v1_sig);
596 DECLARE_PRINTER(v1_hash);
597 DECLARE_PRINTER(v1_nonce);
598 DECLARE_PRINTER(v1_n);
599 DECLARE_PRINTER(v1_d);
600 DECLARE_PRINTER(v1_vid);
601 
602 DECLARE_PRINTER(v2_sa);
603 DECLARE_PRINTER(v2_ke);
604 DECLARE_PRINTER(v2_ID);
605 DECLARE_PRINTER(v2_cert);
606 DECLARE_PRINTER(v2_cr);
607 DECLARE_PRINTER(v2_auth);
608 DECLARE_PRINTER(v2_nonce);
609 DECLARE_PRINTER(v2_n);
610 DECLARE_PRINTER(v2_d);
611 DECLARE_PRINTER(v2_vid);
612 DECLARE_PRINTER(v2_TS);
613 DECLARE_PRINTER(v2_cp);
614 DECLARE_PRINTER(v2_eap);
615 
616 static const u_char *ikev2_e_print(netdissect_options *ndo,
617 				   struct isakmp *base,
618 				   u_char tpay,
619 				   const struct isakmp_gen *ext,
620 				   u_int item_len,
621 				   const u_char *end_pointer,
622 				   uint32_t phase,
623 				   uint32_t doi0,
624 				   uint32_t proto0, int depth);
625 
626 
627 static const u_char *ike_sub0_print(netdissect_options *ndo,u_char, const struct isakmp_gen *,
628 	const u_char *,	uint32_t, uint32_t, uint32_t, int);
629 static const u_char *ikev1_sub_print(netdissect_options *ndo,u_char, const struct isakmp_gen *,
630 	const u_char *, uint32_t, uint32_t, uint32_t, int);
631 
632 static const u_char *ikev2_sub_print(netdissect_options *ndo,
633 				     struct isakmp *base,
634 				     u_char np, const struct isakmp_gen *ext,
635 				     const u_char *ep, uint32_t phase,
636 				     uint32_t doi, uint32_t proto,
637 				     int depth);
638 
639 
640 static char *numstr(int);
641 
642 static void
643 ikev1_print(netdissect_options *ndo,
644 	    const u_char *bp,  u_int length,
645 	    const u_char *bp2, struct isakmp *base);
646 
647 #define MAXINITIATORS	20
648 static int ninitiator = 0;
649 union inaddr_u {
650 	struct in_addr in4;
651 	struct in6_addr in6;
652 };
653 static struct {
654 	cookie_t initiator;
655 	u_int version;
656 	union inaddr_u iaddr;
657 	union inaddr_u raddr;
658 } cookiecache[MAXINITIATORS];
659 
660 /* protocol id */
661 static const char *protoidstr[] = {
662 	NULL, "isakmp", "ipsec-ah", "ipsec-esp", "ipcomp",
663 };
664 
665 /* isakmp->np */
666 static const char *npstr[] = {
667 	"none", "sa", "p", "t", "ke", "id", "cert", "cr", "hash", /* 0 - 8 */
668 	"sig", "nonce", "n", "d", "vid",      /* 9 - 13 */
669 	"pay14", "pay15", "pay16", "pay17", "pay18", /* 14- 18 */
670 	"pay19", "pay20", "pay21", "pay22", "pay23", /* 19- 23 */
671 	"pay24", "pay25", "pay26", "pay27", "pay28", /* 24- 28 */
672 	"pay29", "pay30", "pay31", "pay32",          /* 29- 32 */
673 	"v2sa",  "v2ke",  "v2IDi", "v2IDr", "v2cert",/* 33- 37 */
674 	"v2cr",  "v2auth","v2nonce", "v2n",   "v2d",   /* 38- 42 */
675 	"v2vid", "v2TSi", "v2TSr", "v2e",   "v2cp",  /* 43- 47 */
676 	"v2eap",                                     /* 48 */
677 
678 };
679 
680 /* isakmp->np */
681 static const u_char *(*npfunc[])(netdissect_options *ndo, u_char tpay,
682 				 const struct isakmp_gen *ext,
683 				 u_int item_len,
684 				 const u_char *end_pointer,
685 				 uint32_t phase,
686 				 uint32_t doi0,
687 				 uint32_t proto0, int depth) = {
688 	NULL,
689 	ikev1_sa_print,
690 	ikev1_p_print,
691 	ikev1_t_print,
692 	ikev1_ke_print,
693 	ikev1_id_print,
694 	ikev1_cert_print,
695 	ikev1_cr_print,
696 	ikev1_hash_print,
697 	ikev1_sig_print,
698 	ikev1_nonce_print,
699 	ikev1_n_print,
700 	ikev1_d_print,
701 	ikev1_vid_print,                  /* 13 */
702 	NULL, NULL, NULL, NULL, NULL,     /* 14- 18 */
703 	NULL, NULL, NULL, NULL, NULL,     /* 19- 23 */
704 	NULL, NULL, NULL, NULL, NULL,     /* 24- 28 */
705 	NULL, NULL, NULL, NULL,           /* 29- 32 */
706 	ikev2_sa_print,                 /* 33 */
707 	ikev2_ke_print,                 /* 34 */
708 	ikev2_ID_print,                 /* 35 */
709 	ikev2_ID_print,                 /* 36 */
710 	ikev2_cert_print,               /* 37 */
711 	ikev2_cr_print,                 /* 38 */
712 	ikev2_auth_print,               /* 39 */
713 	ikev2_nonce_print,              /* 40 */
714 	ikev2_n_print,                  /* 41 */
715 	ikev2_d_print,                  /* 42 */
716 	ikev2_vid_print,                /* 43 */
717 	ikev2_TS_print,                 /* 44 */
718 	ikev2_TS_print,                 /* 45 */
719 	NULL, /* ikev2_e_print,*/       /* 46 - special */
720 	ikev2_cp_print,                 /* 47 */
721 	ikev2_eap_print,                /* 48 */
722 };
723 
724 /* isakmp->etype */
725 static const char *etypestr[] = {
726 /* IKEv1 exchange types */
727 	"none", "base", "ident", "auth", "agg", "inf", NULL, NULL,  /* 0-7 */
728 	NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,  /*  8-15 */
729 	NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,  /* 16-23 */
730 	NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,  /* 24-31 */
731 	"oakley-quick", "oakley-newgroup",               /* 32-33 */
732 /* IKEv2 exchange types */
733 	"ikev2_init", "ikev2_auth", "child_sa", "inf2"   /* 34-37 */
734 };
735 
736 #define STR_OR_ID(x, tab) \
737 	(((x) < sizeof(tab)/sizeof(tab[0]) && tab[(x)])	? tab[(x)] : numstr(x))
738 #define PROTOIDSTR(x)	STR_OR_ID(x, protoidstr)
739 #define NPSTR(x)	STR_OR_ID(x, npstr)
740 #define ETYPESTR(x)	STR_OR_ID(x, etypestr)
741 
742 #define CHECKLEN(p, np)							\
743 		if (ep < (const u_char *)(p)) {				\
744 			ND_PRINT((ndo," [|%s]", NPSTR(np)));		\
745 			goto done;					\
746 		}
747 
748 
749 #define NPFUNC(x) \
750 	(((x) < sizeof(npfunc)/sizeof(npfunc[0]) && npfunc[(x)]) \
751 		? npfunc[(x)] : NULL)
752 
753 static int
iszero(const u_char * p,size_t l)754 iszero(const u_char *p, size_t l)
755 {
756 	while (l--) {
757 		if (*p++)
758 			return 0;
759 	}
760 	return 1;
761 }
762 
763 /* find cookie from initiator cache */
764 static int
cookie_find(cookie_t * in)765 cookie_find(cookie_t *in)
766 {
767 	int i;
768 
769 	for (i = 0; i < MAXINITIATORS; i++) {
770 		if (memcmp(in, &cookiecache[i].initiator, sizeof(*in)) == 0)
771 			return i;
772 	}
773 
774 	return -1;
775 }
776 
777 /* record initiator */
778 static void
cookie_record(cookie_t * in,const u_char * bp2)779 cookie_record(cookie_t *in, const u_char *bp2)
780 {
781 	int i;
782 	const struct ip *ip;
783 	const struct ip6_hdr *ip6;
784 
785 	i = cookie_find(in);
786 	if (0 <= i) {
787 		ninitiator = (i + 1) % MAXINITIATORS;
788 		return;
789 	}
790 
791 	ip = (const struct ip *)bp2;
792 	switch (IP_V(ip)) {
793 	case 4:
794 		cookiecache[ninitiator].version = 4;
795 		UNALIGNED_MEMCPY(&cookiecache[ninitiator].iaddr.in4, &ip->ip_src, sizeof(struct in_addr));
796 		UNALIGNED_MEMCPY(&cookiecache[ninitiator].raddr.in4, &ip->ip_dst, sizeof(struct in_addr));
797 		break;
798 	case 6:
799 		ip6 = (const struct ip6_hdr *)bp2;
800 		cookiecache[ninitiator].version = 6;
801 		UNALIGNED_MEMCPY(&cookiecache[ninitiator].iaddr.in6, &ip6->ip6_src, sizeof(struct in6_addr));
802 		UNALIGNED_MEMCPY(&cookiecache[ninitiator].raddr.in6, &ip6->ip6_dst, sizeof(struct in6_addr));
803 		break;
804 	default:
805 		return;
806 	}
807 	UNALIGNED_MEMCPY(&cookiecache[ninitiator].initiator, in, sizeof(*in));
808 	ninitiator = (ninitiator + 1) % MAXINITIATORS;
809 }
810 
811 #define cookie_isinitiator(x, y)	cookie_sidecheck((x), (y), 1)
812 #define cookie_isresponder(x, y)	cookie_sidecheck((x), (y), 0)
813 static int
cookie_sidecheck(int i,const u_char * bp2,int initiator)814 cookie_sidecheck(int i, const u_char *bp2, int initiator)
815 {
816 	const struct ip *ip;
817 	const struct ip6_hdr *ip6;
818 
819 	ip = (const struct ip *)bp2;
820 	switch (IP_V(ip)) {
821 	case 4:
822 		if (cookiecache[i].version != 4)
823 			return 0;
824 		if (initiator) {
825 			if (UNALIGNED_MEMCMP(&ip->ip_src, &cookiecache[i].iaddr.in4, sizeof(struct in_addr)) == 0)
826 				return 1;
827 		} else {
828 			if (UNALIGNED_MEMCMP(&ip->ip_src, &cookiecache[i].raddr.in4, sizeof(struct in_addr)) == 0)
829 				return 1;
830 		}
831 		break;
832 	case 6:
833 		if (cookiecache[i].version != 6)
834 			return 0;
835 		ip6 = (const struct ip6_hdr *)bp2;
836 		if (initiator) {
837 			if (UNALIGNED_MEMCMP(&ip6->ip6_src, &cookiecache[i].iaddr.in6, sizeof(struct in6_addr)) == 0)
838 				return 1;
839 		} else {
840 			if (UNALIGNED_MEMCMP(&ip6->ip6_src, &cookiecache[i].raddr.in6, sizeof(struct in6_addr)) == 0)
841 				return 1;
842 		}
843 		break;
844 	default:
845 		break;
846 	}
847 
848 	return 0;
849 }
850 
851 static void
hexprint(netdissect_options * ndo,const uint8_t * loc,size_t len)852 hexprint(netdissect_options *ndo, const uint8_t *loc, size_t len)
853 {
854 	const uint8_t *p;
855 	size_t i;
856 
857 	p = loc;
858 	for (i = 0; i < len; i++)
859 		ND_PRINT((ndo,"%02x", p[i] & 0xff));
860 }
861 
862 static int
rawprint(netdissect_options * ndo,const uint8_t * loc,size_t len)863 rawprint(netdissect_options *ndo, const uint8_t *loc, size_t len)
864 {
865 	ND_TCHECK2(*loc, len);
866 
867 	hexprint(ndo, loc, len);
868 	return 1;
869 trunc:
870 	return 0;
871 }
872 
873 
874 /*
875  * returns false if we run out of data buffer
876  */
ike_show_somedata(netdissect_options * ndo,const u_char * cp,const u_char * ep)877 static int ike_show_somedata(netdissect_options *ndo,
878 			     const u_char *cp, const u_char *ep)
879 {
880 	/* there is too much data, just show some of it */
881 	const u_char *end = ep - 20;
882 	int  elen = 20;
883 	int   len = ep - cp;
884 	if(len > 10) {
885 		len = 10;
886 	}
887 
888 	/* really shouldn't happen because of above */
889 	if(end < cp + len) {
890 		end = cp+len;
891 		elen = ep - end;
892 	}
893 
894 	ND_PRINT((ndo," data=("));
895 	if(!rawprint(ndo, (const uint8_t *)(cp), len)) goto trunc;
896 	ND_PRINT((ndo, "..."));
897 	if(elen) {
898 		if(!rawprint(ndo, (const uint8_t *)(end), elen)) goto trunc;
899 	}
900 	ND_PRINT((ndo,")"));
901 	return 1;
902 
903 trunc:
904 	return 0;
905 }
906 
907 struct attrmap {
908 	const char *type;
909 	u_int nvalue;
910 	const char *value[30];	/*XXX*/
911 };
912 
913 static const u_char *
ikev1_attrmap_print(netdissect_options * ndo,const u_char * p,const u_char * ep2,const struct attrmap * map,size_t nmap)914 ikev1_attrmap_print(netdissect_options *ndo,
915 		    const u_char *p, const u_char *ep2,
916 		    const struct attrmap *map, size_t nmap)
917 {
918 	int totlen;
919 	uint32_t t, v;
920 
921 	ND_TCHECK(p[0]);
922 	if (p[0] & 0x80)
923 		totlen = 4;
924 	else {
925 		ND_TCHECK_16BITS(&p[2]);
926 		totlen = 4 + EXTRACT_16BITS(&p[2]);
927 	}
928 	if (ep2 < p + totlen) {
929 		ND_PRINT((ndo,"[|attr]"));
930 		return ep2 + 1;
931 	}
932 
933 	ND_TCHECK_16BITS(&p[0]);
934 	ND_PRINT((ndo,"("));
935 	t = EXTRACT_16BITS(&p[0]) & 0x7fff;
936 	if (map && t < nmap && map[t].type)
937 		ND_PRINT((ndo,"type=%s ", map[t].type));
938 	else
939 		ND_PRINT((ndo,"type=#%d ", t));
940 	if (p[0] & 0x80) {
941 		ND_PRINT((ndo,"value="));
942 		ND_TCHECK_16BITS(&p[2]);
943 		v = EXTRACT_16BITS(&p[2]);
944 		if (map && t < nmap && v < map[t].nvalue && map[t].value[v])
945 			ND_PRINT((ndo,"%s", map[t].value[v]));
946 		else {
947 			if (!rawprint(ndo, (const uint8_t *)&p[2], 2)) {
948 				ND_PRINT((ndo,")"));
949 				goto trunc;
950 			}
951 		}
952 	} else {
953 		ND_PRINT((ndo,"len=%d value=", totlen - 4));
954 		if (!rawprint(ndo, (const uint8_t *)&p[4], totlen - 4)) {
955 			ND_PRINT((ndo,")"));
956 			goto trunc;
957 		}
958 	}
959 	ND_PRINT((ndo,")"));
960 	return p + totlen;
961 
962 trunc:
963 	return NULL;
964 }
965 
966 static const u_char *
ikev1_attr_print(netdissect_options * ndo,const u_char * p,const u_char * ep2)967 ikev1_attr_print(netdissect_options *ndo, const u_char *p, const u_char *ep2)
968 {
969 	int totlen;
970 	uint32_t t;
971 
972 	ND_TCHECK(p[0]);
973 	if (p[0] & 0x80)
974 		totlen = 4;
975 	else {
976 		ND_TCHECK_16BITS(&p[2]);
977 		totlen = 4 + EXTRACT_16BITS(&p[2]);
978 	}
979 	if (ep2 < p + totlen) {
980 		ND_PRINT((ndo,"[|attr]"));
981 		return ep2 + 1;
982 	}
983 
984 	ND_TCHECK_16BITS(&p[0]);
985 	ND_PRINT((ndo,"("));
986 	t = EXTRACT_16BITS(&p[0]) & 0x7fff;
987 	ND_PRINT((ndo,"type=#%d ", t));
988 	if (p[0] & 0x80) {
989 		ND_PRINT((ndo,"value="));
990 		t = p[2];
991 		if (!rawprint(ndo, (const uint8_t *)&p[2], 2)) {
992 			ND_PRINT((ndo,")"));
993 			goto trunc;
994 		}
995 	} else {
996 		ND_PRINT((ndo,"len=%d value=", totlen - 4));
997 		if (!rawprint(ndo, (const uint8_t *)&p[4], totlen - 4)) {
998 			ND_PRINT((ndo,")"));
999 			goto trunc;
1000 		}
1001 	}
1002 	ND_PRINT((ndo,")"));
1003 	return p + totlen;
1004 
1005 trunc:
1006 	return NULL;
1007 }
1008 
1009 static const u_char *
ikev1_sa_print(netdissect_options * ndo,u_char tpay _U_,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep,uint32_t phase,uint32_t doi0 _U_,uint32_t proto0,int depth)1010 ikev1_sa_print(netdissect_options *ndo, u_char tpay _U_,
1011 	       const struct isakmp_gen *ext,
1012 		u_int item_len _U_,
1013 		const u_char *ep, uint32_t phase, uint32_t doi0 _U_,
1014 		uint32_t proto0, int depth)
1015 {
1016 	const struct ikev1_pl_sa *p;
1017 	struct ikev1_pl_sa sa;
1018 	uint32_t doi, sit, ident;
1019 	const u_char *cp, *np;
1020 	int t;
1021 
1022 	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_SA)));
1023 
1024 	p = (const struct ikev1_pl_sa *)ext;
1025 	ND_TCHECK(*p);
1026 	UNALIGNED_MEMCPY(&sa, ext, sizeof(sa));
1027 	doi = ntohl(sa.doi);
1028 	sit = ntohl(sa.sit);
1029 	if (doi != 1) {
1030 		ND_PRINT((ndo," doi=%d", doi));
1031 		ND_PRINT((ndo," situation=%u", (uint32_t)ntohl(sa.sit)));
1032 		return (const u_char *)(p + 1);
1033 	}
1034 
1035 	ND_PRINT((ndo," doi=ipsec"));
1036 	ND_PRINT((ndo," situation="));
1037 	t = 0;
1038 	if (sit & 0x01) {
1039 		ND_PRINT((ndo,"identity"));
1040 		t++;
1041 	}
1042 	if (sit & 0x02) {
1043 		ND_PRINT((ndo,"%ssecrecy", t ? "+" : ""));
1044 		t++;
1045 	}
1046 	if (sit & 0x04)
1047 		ND_PRINT((ndo,"%sintegrity", t ? "+" : ""));
1048 
1049 	np = (const u_char *)ext + sizeof(sa);
1050 	if (sit != 0x01) {
1051 		ND_TCHECK2(*(ext + 1), sizeof(ident));
1052 		UNALIGNED_MEMCPY(&ident, ext + 1, sizeof(ident));
1053 		ND_PRINT((ndo," ident=%u", (uint32_t)ntohl(ident)));
1054 		np += sizeof(ident);
1055 	}
1056 
1057 	ext = (const struct isakmp_gen *)np;
1058 	ND_TCHECK(*ext);
1059 
1060 	cp = ikev1_sub_print(ndo, ISAKMP_NPTYPE_P, ext, ep, phase, doi, proto0,
1061 		depth);
1062 
1063 	return cp;
1064 trunc:
1065 	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_SA)));
1066 	return NULL;
1067 }
1068 
1069 static const u_char *
ikev1_p_print(netdissect_options * ndo,u_char tpay _U_,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep,uint32_t phase,uint32_t doi0,uint32_t proto0 _U_,int depth)1070 ikev1_p_print(netdissect_options *ndo, u_char tpay _U_,
1071 	      const struct isakmp_gen *ext, u_int item_len _U_,
1072 	       const u_char *ep, uint32_t phase, uint32_t doi0,
1073 	       uint32_t proto0 _U_, int depth)
1074 {
1075 	const struct ikev1_pl_p *p;
1076 	struct ikev1_pl_p prop;
1077 	const u_char *cp;
1078 
1079 	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_P)));
1080 
1081 	p = (const struct ikev1_pl_p *)ext;
1082 	ND_TCHECK(*p);
1083 	UNALIGNED_MEMCPY(&prop, ext, sizeof(prop));
1084 	ND_PRINT((ndo," #%d protoid=%s transform=%d",
1085 		  prop.p_no, PROTOIDSTR(prop.prot_id), prop.num_t));
1086 	if (prop.spi_size) {
1087 		ND_PRINT((ndo," spi="));
1088 		if (!rawprint(ndo, (const uint8_t *)(p + 1), prop.spi_size))
1089 			goto trunc;
1090 	}
1091 
1092 	ext = (const struct isakmp_gen *)((const u_char *)(p + 1) + prop.spi_size);
1093 	ND_TCHECK(*ext);
1094 
1095 	cp = ikev1_sub_print(ndo, ISAKMP_NPTYPE_T, ext, ep, phase, doi0,
1096 			     prop.prot_id, depth);
1097 
1098 	return cp;
1099 trunc:
1100 	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_P)));
1101 	return NULL;
1102 }
1103 
1104 static const char *ikev1_p_map[] = {
1105 	NULL, "ike",
1106 };
1107 
1108 static const char *ikev2_t_type_map[]={
1109 	NULL, "encr", "prf", "integ", "dh", "esn"
1110 };
1111 
1112 static const char *ah_p_map[] = {
1113 	NULL, "(reserved)", "md5", "sha", "1des",
1114 	"sha2-256", "sha2-384", "sha2-512",
1115 };
1116 
1117 static const char *prf_p_map[] = {
1118 	NULL, "hmac-md5", "hmac-sha", "hmac-tiger",
1119 	"aes128_xcbc"
1120 };
1121 
1122 static const char *integ_p_map[] = {
1123 	NULL, "hmac-md5", "hmac-sha", "dec-mac",
1124 	"kpdk-md5", "aes-xcbc"
1125 };
1126 
1127 static const char *esn_p_map[] = {
1128 	"no-esn", "esn"
1129 };
1130 
1131 static const char *dh_p_map[] = {
1132 	NULL, "modp768",
1133 	"modp1024",    /* group 2 */
1134 	"EC2N 2^155",  /* group 3 */
1135 	"EC2N 2^185",  /* group 4 */
1136 	"modp1536",    /* group 5 */
1137 	"iana-grp06", "iana-grp07", /* reserved */
1138 	"iana-grp08", "iana-grp09",
1139 	"iana-grp10", "iana-grp11",
1140 	"iana-grp12", "iana-grp13",
1141 	"modp2048",    /* group 14 */
1142 	"modp3072",    /* group 15 */
1143 	"modp4096",    /* group 16 */
1144 	"modp6144",    /* group 17 */
1145 	"modp8192",    /* group 18 */
1146 };
1147 
1148 static const char *esp_p_map[] = {
1149 	NULL, "1des-iv64", "1des", "3des", "rc5", "idea", "cast",
1150 	"blowfish", "3idea", "1des-iv32", "rc4", "null", "aes"
1151 };
1152 
1153 static const char *ipcomp_p_map[] = {
1154 	NULL, "oui", "deflate", "lzs",
1155 };
1156 
1157 static const struct attrmap ipsec_t_map[] = {
1158 	{ NULL,	0, { NULL } },
1159 	{ "lifetype", 3, { NULL, "sec", "kb", }, },
1160 	{ "life", 0, { NULL } },
1161 	{ "group desc", 18,	{ NULL, "modp768",
1162 				  "modp1024",    /* group 2 */
1163 				  "EC2N 2^155",  /* group 3 */
1164 				  "EC2N 2^185",  /* group 4 */
1165 				  "modp1536",    /* group 5 */
1166 				  "iana-grp06", "iana-grp07", /* reserved */
1167 				  "iana-grp08", "iana-grp09",
1168 				  "iana-grp10", "iana-grp11",
1169 				  "iana-grp12", "iana-grp13",
1170 				  "modp2048",    /* group 14 */
1171 				  "modp3072",    /* group 15 */
1172 				  "modp4096",    /* group 16 */
1173 				  "modp6144",    /* group 17 */
1174 				  "modp8192",    /* group 18 */
1175 		}, },
1176 	{ "enc mode", 3, { NULL, "tunnel", "transport", }, },
1177 	{ "auth", 5, { NULL, "hmac-md5", "hmac-sha1", "1des-mac", "keyed", }, },
1178 	{ "keylen", 0, { NULL } },
1179 	{ "rounds", 0, { NULL } },
1180 	{ "dictsize", 0, { NULL } },
1181 	{ "privalg", 0, { NULL } },
1182 };
1183 
1184 static const struct attrmap encr_t_map[] = {
1185 	{ NULL,	0, { NULL } }, 	{ NULL,	0, { NULL } },  /* 0, 1 */
1186 	{ NULL,	0, { NULL } },	{ NULL,	0, { NULL } },  /* 2, 3 */
1187 	{ NULL,	0, { NULL } },	{ NULL,	0, { NULL } },  /* 4, 5 */
1188 	{ NULL,	0, { NULL } },	{ NULL,	0, { NULL } },  /* 6, 7 */
1189 	{ NULL,	0, { NULL } },	{ NULL,	0, { NULL } },  /* 8, 9 */
1190 	{ NULL,	0, { NULL } },	{ NULL,	0, { NULL } },  /* 10,11*/
1191 	{ NULL,	0, { NULL } },	{ NULL,	0, { NULL } },  /* 12,13*/
1192 	{ "keylen", 14, { NULL }},
1193 };
1194 
1195 static const struct attrmap oakley_t_map[] = {
1196 	{ NULL,	0, { NULL } },
1197 	{ "enc", 8,	{ NULL, "1des", "idea", "blowfish", "rc5",
1198 		 	  "3des", "cast", "aes", }, },
1199 	{ "hash", 7,	{ NULL, "md5", "sha1", "tiger",
1200 			  "sha2-256", "sha2-384", "sha2-512", }, },
1201 	{ "auth", 6,	{ NULL, "preshared", "dss", "rsa sig", "rsa enc",
1202 			  "rsa enc revised", }, },
1203 	{ "group desc", 18,	{ NULL, "modp768",
1204 				  "modp1024",    /* group 2 */
1205 				  "EC2N 2^155",  /* group 3 */
1206 				  "EC2N 2^185",  /* group 4 */
1207 				  "modp1536",    /* group 5 */
1208 				  "iana-grp06", "iana-grp07", /* reserved */
1209 				  "iana-grp08", "iana-grp09",
1210 				  "iana-grp10", "iana-grp11",
1211 				  "iana-grp12", "iana-grp13",
1212 				  "modp2048",    /* group 14 */
1213 				  "modp3072",    /* group 15 */
1214 				  "modp4096",    /* group 16 */
1215 				  "modp6144",    /* group 17 */
1216 				  "modp8192",    /* group 18 */
1217 		}, },
1218 	{ "group type", 4,	{ NULL, "MODP", "ECP", "EC2N", }, },
1219 	{ "group prime", 0, { NULL } },
1220 	{ "group gen1", 0, { NULL } },
1221 	{ "group gen2", 0, { NULL } },
1222 	{ "group curve A", 0, { NULL } },
1223 	{ "group curve B", 0, { NULL } },
1224 	{ "lifetype", 3,	{ NULL, "sec", "kb", }, },
1225 	{ "lifeduration", 0, { NULL } },
1226 	{ "prf", 0, { NULL } },
1227 	{ "keylen", 0, { NULL } },
1228 	{ "field", 0, { NULL } },
1229 	{ "order", 0, { NULL } },
1230 };
1231 
1232 static const u_char *
ikev1_t_print(netdissect_options * ndo,u_char tpay _U_,const struct isakmp_gen * ext,u_int item_len,const u_char * ep,uint32_t phase _U_,uint32_t doi _U_,uint32_t proto,int depth _U_)1233 ikev1_t_print(netdissect_options *ndo, u_char tpay _U_,
1234 	      const struct isakmp_gen *ext, u_int item_len,
1235 	      const u_char *ep, uint32_t phase _U_, uint32_t doi _U_,
1236 	      uint32_t proto, int depth _U_)
1237 {
1238 	const struct ikev1_pl_t *p;
1239 	struct ikev1_pl_t t;
1240 	const u_char *cp;
1241 	const char *idstr;
1242 	const struct attrmap *map;
1243 	size_t nmap;
1244 	const u_char *ep2;
1245 
1246 	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_T)));
1247 
1248 	p = (const struct ikev1_pl_t *)ext;
1249 	ND_TCHECK(*p);
1250 	UNALIGNED_MEMCPY(&t, ext, sizeof(t));
1251 
1252 	switch (proto) {
1253 	case 1:
1254 		idstr = STR_OR_ID(t.t_id, ikev1_p_map);
1255 		map = oakley_t_map;
1256 		nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]);
1257 		break;
1258 	case 2:
1259 		idstr = STR_OR_ID(t.t_id, ah_p_map);
1260 		map = ipsec_t_map;
1261 		nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
1262 		break;
1263 	case 3:
1264 		idstr = STR_OR_ID(t.t_id, esp_p_map);
1265 		map = ipsec_t_map;
1266 		nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
1267 		break;
1268 	case 4:
1269 		idstr = STR_OR_ID(t.t_id, ipcomp_p_map);
1270 		map = ipsec_t_map;
1271 		nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]);
1272 		break;
1273 	default:
1274 		idstr = NULL;
1275 		map = NULL;
1276 		nmap = 0;
1277 		break;
1278 	}
1279 
1280 	if (idstr)
1281 		ND_PRINT((ndo," #%d id=%s ", t.t_no, idstr));
1282 	else
1283 		ND_PRINT((ndo," #%d id=%d ", t.t_no, t.t_id));
1284 	cp = (const u_char *)(p + 1);
1285 	ep2 = (const u_char *)p + item_len;
1286 	while (cp < ep && cp < ep2) {
1287 		if (map && nmap)
1288 			cp = ikev1_attrmap_print(ndo, cp, ep2, map, nmap);
1289 		else
1290 			cp = ikev1_attr_print(ndo, cp, ep2);
1291 		if (cp == NULL)
1292 			goto trunc;
1293 	}
1294 	if (ep < ep2)
1295 		ND_PRINT((ndo,"..."));
1296 	return cp;
1297 trunc:
1298 	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_T)));
1299 	return NULL;
1300 }
1301 
1302 static const u_char *
ikev1_ke_print(netdissect_options * ndo,u_char tpay _U_,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep _U_,uint32_t phase _U_,uint32_t doi _U_,uint32_t proto _U_,int depth _U_)1303 ikev1_ke_print(netdissect_options *ndo, u_char tpay _U_,
1304 	       const struct isakmp_gen *ext, u_int item_len _U_,
1305 	       const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_,
1306 	       uint32_t proto _U_, int depth _U_)
1307 {
1308 	struct isakmp_gen e;
1309 
1310 	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_KE)));
1311 
1312 	ND_TCHECK(*ext);
1313 	UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1314 	ND_PRINT((ndo," key len=%d", ntohs(e.len) - 4));
1315 	if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1316 		/* Print the entire payload in hex */
1317 		ND_PRINT((ndo," "));
1318 		if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
1319 			goto trunc;
1320 	}
1321 	return (const u_char *)ext + ntohs(e.len);
1322 trunc:
1323 	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_KE)));
1324 	return NULL;
1325 }
1326 
1327 static const u_char *
ikev1_id_print(netdissect_options * ndo,u_char tpay _U_,const struct isakmp_gen * ext,u_int item_len,const u_char * ep _U_,uint32_t phase,uint32_t doi _U_,uint32_t proto _U_,int depth _U_)1328 ikev1_id_print(netdissect_options *ndo, u_char tpay _U_,
1329 	       const struct isakmp_gen *ext, u_int item_len,
1330 	       const u_char *ep _U_, uint32_t phase, uint32_t doi _U_,
1331 	       uint32_t proto _U_, int depth _U_)
1332 {
1333 #define USE_IPSECDOI_IN_PHASE1	1
1334 	const struct ikev1_pl_id *p;
1335 	struct ikev1_pl_id id;
1336 	static const char *idtypestr[] = {
1337 		"IPv4", "IPv4net", "IPv6", "IPv6net",
1338 	};
1339 	static const char *ipsecidtypestr[] = {
1340 		NULL, "IPv4", "FQDN", "user FQDN", "IPv4net", "IPv6",
1341 		"IPv6net", "IPv4range", "IPv6range", "ASN1 DN", "ASN1 GN",
1342 		"keyid",
1343 	};
1344 	int len;
1345 	const u_char *data;
1346 
1347 	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_ID)));
1348 
1349 	p = (const struct ikev1_pl_id *)ext;
1350 	ND_TCHECK(*p);
1351 	UNALIGNED_MEMCPY(&id, ext, sizeof(id));
1352 	if (sizeof(*p) < item_len) {
1353 		data = (const u_char *)(p + 1);
1354 		len = item_len - sizeof(*p);
1355 	} else {
1356 		data = NULL;
1357 		len = 0;
1358 	}
1359 
1360 #if 0 /*debug*/
1361 	ND_PRINT((ndo," [phase=%d doi=%d proto=%d]", phase, doi, proto));
1362 #endif
1363 	switch (phase) {
1364 #ifndef USE_IPSECDOI_IN_PHASE1
1365 	case 1:
1366 #endif
1367 	default:
1368 		ND_PRINT((ndo," idtype=%s", STR_OR_ID(id.d.id_type, idtypestr)));
1369 		ND_PRINT((ndo," doi_data=%u",
1370 			  (uint32_t)(ntohl(id.d.doi_data) & 0xffffff)));
1371 		break;
1372 
1373 #ifdef USE_IPSECDOI_IN_PHASE1
1374 	case 1:
1375 #endif
1376 	case 2:
1377 	    {
1378 		const struct ipsecdoi_id *doi_p;
1379 		struct ipsecdoi_id doi_id;
1380 		const char *p_name;
1381 
1382 		doi_p = (const struct ipsecdoi_id *)ext;
1383 		ND_TCHECK(*doi_p);
1384 		UNALIGNED_MEMCPY(&doi_id, ext, sizeof(doi_id));
1385 		ND_PRINT((ndo," idtype=%s", STR_OR_ID(doi_id.type, ipsecidtypestr)));
1386 		/* A protocol ID of 0 DOES NOT mean IPPROTO_IP! */
1387 		if (!ndo->ndo_nflag && doi_id.proto_id && (p_name = netdb_protoname(doi_id.proto_id)) != NULL)
1388 			ND_PRINT((ndo," protoid=%s", p_name));
1389 		else
1390 			ND_PRINT((ndo," protoid=%u", doi_id.proto_id));
1391 		ND_PRINT((ndo," port=%d", ntohs(doi_id.port)));
1392 		if (!len)
1393 			break;
1394 		if (data == NULL)
1395 			goto trunc;
1396 		ND_TCHECK2(*data, len);
1397 		switch (doi_id.type) {
1398 		case IPSECDOI_ID_IPV4_ADDR:
1399 			if (len < 4)
1400 				ND_PRINT((ndo," len=%d [bad: < 4]", len));
1401 			else
1402 				ND_PRINT((ndo," len=%d %s", len, ipaddr_string(ndo, data)));
1403 			len = 0;
1404 			break;
1405 		case IPSECDOI_ID_FQDN:
1406 		case IPSECDOI_ID_USER_FQDN:
1407 		    {
1408 			int i;
1409 			ND_PRINT((ndo," len=%d ", len));
1410 			for (i = 0; i < len; i++)
1411 				safeputchar(ndo, data[i]);
1412 			len = 0;
1413 			break;
1414 		    }
1415 		case IPSECDOI_ID_IPV4_ADDR_SUBNET:
1416 		    {
1417 			const u_char *mask;
1418 			if (len < 8)
1419 				ND_PRINT((ndo," len=%d [bad: < 8]", len));
1420 			else {
1421 				mask = data + sizeof(struct in_addr);
1422 				ND_PRINT((ndo," len=%d %s/%u.%u.%u.%u", len,
1423 					  ipaddr_string(ndo, data),
1424 					  mask[0], mask[1], mask[2], mask[3]));
1425 			}
1426 			len = 0;
1427 			break;
1428 		    }
1429 		case IPSECDOI_ID_IPV6_ADDR:
1430 			if (len < 16)
1431 				ND_PRINT((ndo," len=%d [bad: < 16]", len));
1432 			else
1433 				ND_PRINT((ndo," len=%d %s", len, ip6addr_string(ndo, data)));
1434 			len = 0;
1435 			break;
1436 		case IPSECDOI_ID_IPV6_ADDR_SUBNET:
1437 		    {
1438 			const u_char *mask;
1439 			if (len < 32)
1440 				ND_PRINT((ndo," len=%d [bad: < 32]", len));
1441 			else {
1442 				mask = (const u_char *)(data + sizeof(struct in6_addr));
1443 				/*XXX*/
1444 				ND_PRINT((ndo," len=%d %s/0x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x", len,
1445 					  ip6addr_string(ndo, data),
1446 					  mask[0], mask[1], mask[2], mask[3],
1447 					  mask[4], mask[5], mask[6], mask[7],
1448 					  mask[8], mask[9], mask[10], mask[11],
1449 					  mask[12], mask[13], mask[14], mask[15]));
1450 			}
1451 			len = 0;
1452 			break;
1453 		    }
1454 		case IPSECDOI_ID_IPV4_ADDR_RANGE:
1455 			if (len < 8)
1456 				ND_PRINT((ndo," len=%d [bad: < 8]", len));
1457 			else {
1458 				ND_PRINT((ndo," len=%d %s-%s", len,
1459 					  ipaddr_string(ndo, data),
1460 					  ipaddr_string(ndo, data + sizeof(struct in_addr))));
1461 			}
1462 			len = 0;
1463 			break;
1464 		case IPSECDOI_ID_IPV6_ADDR_RANGE:
1465 			if (len < 32)
1466 				ND_PRINT((ndo," len=%d [bad: < 32]", len));
1467 			else {
1468 				ND_PRINT((ndo," len=%d %s-%s", len,
1469 					  ip6addr_string(ndo, data),
1470 					  ip6addr_string(ndo, data + sizeof(struct in6_addr))));
1471 			}
1472 			len = 0;
1473 			break;
1474 		case IPSECDOI_ID_DER_ASN1_DN:
1475 		case IPSECDOI_ID_DER_ASN1_GN:
1476 		case IPSECDOI_ID_KEY_ID:
1477 			break;
1478 		}
1479 		break;
1480 	    }
1481 	}
1482 	if (data && len) {
1483 		ND_PRINT((ndo," len=%d", len));
1484 		if (2 < ndo->ndo_vflag) {
1485 			ND_PRINT((ndo," "));
1486 			if (!rawprint(ndo, (const uint8_t *)data, len))
1487 				goto trunc;
1488 		}
1489 	}
1490 	return (const u_char *)ext + item_len;
1491 trunc:
1492 	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_ID)));
1493 	return NULL;
1494 }
1495 
1496 static const u_char *
ikev1_cert_print(netdissect_options * ndo,u_char tpay _U_,const struct isakmp_gen * ext,u_int item_len,const u_char * ep _U_,uint32_t phase _U_,uint32_t doi0 _U_,uint32_t proto0 _U_,int depth _U_)1497 ikev1_cert_print(netdissect_options *ndo, u_char tpay _U_,
1498 		 const struct isakmp_gen *ext, u_int item_len,
1499 		 const u_char *ep _U_, uint32_t phase _U_,
1500 		 uint32_t doi0 _U_,
1501 		 uint32_t proto0 _U_, int depth _U_)
1502 {
1503 	const struct ikev1_pl_cert *p;
1504 	struct ikev1_pl_cert cert;
1505 	static const char *certstr[] = {
1506 		"none",	"pkcs7", "pgp", "dns",
1507 		"x509sign", "x509ke", "kerberos", "crl",
1508 		"arl", "spki", "x509attr",
1509 	};
1510 
1511 	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_CERT)));
1512 
1513 	p = (const struct ikev1_pl_cert *)ext;
1514 	ND_TCHECK(*p);
1515 	UNALIGNED_MEMCPY(&cert, ext, sizeof(cert));
1516 	ND_PRINT((ndo," len=%d", item_len - 4));
1517 	ND_PRINT((ndo," type=%s", STR_OR_ID((cert.encode), certstr)));
1518 	if (2 < ndo->ndo_vflag && 4 < item_len) {
1519 		/* Print the entire payload in hex */
1520 		ND_PRINT((ndo," "));
1521 		if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1522 			goto trunc;
1523 	}
1524 	return (const u_char *)ext + item_len;
1525 trunc:
1526 	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_CERT)));
1527 	return NULL;
1528 }
1529 
1530 static const u_char *
ikev1_cr_print(netdissect_options * ndo,u_char tpay _U_,const struct isakmp_gen * ext,u_int item_len,const u_char * ep _U_,uint32_t phase _U_,uint32_t doi0 _U_,uint32_t proto0 _U_,int depth _U_)1531 ikev1_cr_print(netdissect_options *ndo, u_char tpay _U_,
1532 	       const struct isakmp_gen *ext, u_int item_len,
1533 	       const u_char *ep _U_, uint32_t phase _U_, uint32_t doi0 _U_,
1534 	       uint32_t proto0 _U_, int depth _U_)
1535 {
1536 	const struct ikev1_pl_cert *p;
1537 	struct ikev1_pl_cert cert;
1538 	static const char *certstr[] = {
1539 		"none",	"pkcs7", "pgp", "dns",
1540 		"x509sign", "x509ke", "kerberos", "crl",
1541 		"arl", "spki", "x509attr",
1542 	};
1543 
1544 	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_CR)));
1545 
1546 	p = (const struct ikev1_pl_cert *)ext;
1547 	ND_TCHECK(*p);
1548 	UNALIGNED_MEMCPY(&cert, ext, sizeof(cert));
1549 	ND_PRINT((ndo," len=%d", item_len - 4));
1550 	ND_PRINT((ndo," type=%s", STR_OR_ID((cert.encode), certstr)));
1551 	if (2 < ndo->ndo_vflag && 4 < item_len) {
1552 		/* Print the entire payload in hex */
1553 		ND_PRINT((ndo," "));
1554 		if (!rawprint(ndo, (const uint8_t *)(ext + 1), item_len - 4))
1555 			goto trunc;
1556 	}
1557 	return (const u_char *)ext + item_len;
1558 trunc:
1559 	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_CR)));
1560 	return NULL;
1561 }
1562 
1563 static const u_char *
ikev1_hash_print(netdissect_options * ndo,u_char tpay _U_,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep _U_,uint32_t phase _U_,uint32_t doi _U_,uint32_t proto _U_,int depth _U_)1564 ikev1_hash_print(netdissect_options *ndo, u_char tpay _U_,
1565 		 const struct isakmp_gen *ext, u_int item_len _U_,
1566 		 const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_,
1567 		 uint32_t proto _U_, int depth _U_)
1568 {
1569 	struct isakmp_gen e;
1570 
1571 	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_HASH)));
1572 
1573 	ND_TCHECK(*ext);
1574 	UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1575 	ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
1576 	if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1577 		/* Print the entire payload in hex */
1578 		ND_PRINT((ndo," "));
1579 		if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
1580 			goto trunc;
1581 	}
1582 	return (const u_char *)ext + ntohs(e.len);
1583 trunc:
1584 	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_HASH)));
1585 	return NULL;
1586 }
1587 
1588 static const u_char *
ikev1_sig_print(netdissect_options * ndo,u_char tpay _U_,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep _U_,uint32_t phase _U_,uint32_t doi _U_,uint32_t proto _U_,int depth _U_)1589 ikev1_sig_print(netdissect_options *ndo, u_char tpay _U_,
1590 		const struct isakmp_gen *ext, u_int item_len _U_,
1591 		const u_char *ep _U_, uint32_t phase _U_, uint32_t doi _U_,
1592 		uint32_t proto _U_, int depth _U_)
1593 {
1594 	struct isakmp_gen e;
1595 
1596 	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_SIG)));
1597 
1598 	ND_TCHECK(*ext);
1599 	UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1600 	ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
1601 	if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1602 		/* Print the entire payload in hex */
1603 		ND_PRINT((ndo," "));
1604 		if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
1605 			goto trunc;
1606 	}
1607 	return (const u_char *)ext + ntohs(e.len);
1608 trunc:
1609 	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_SIG)));
1610 	return NULL;
1611 }
1612 
1613 static const u_char *
ikev1_nonce_print(netdissect_options * ndo,u_char tpay _U_,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep,uint32_t phase _U_,uint32_t doi _U_,uint32_t proto _U_,int depth _U_)1614 ikev1_nonce_print(netdissect_options *ndo, u_char tpay _U_,
1615 		  const struct isakmp_gen *ext,
1616 		  u_int item_len _U_,
1617 		  const u_char *ep,
1618 		  uint32_t phase _U_, uint32_t doi _U_,
1619 		  uint32_t proto _U_, int depth _U_)
1620 {
1621 	struct isakmp_gen e;
1622 
1623 	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_NONCE)));
1624 
1625 	ND_TCHECK(*ext);
1626 	UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1627 	/*
1628 	 * Our caller has ensured that the length is >= 4.
1629 	 */
1630 	ND_PRINT((ndo," n len=%u", ntohs(e.len) - 4));
1631 	if (ntohs(e.len) > 4) {
1632 		if (ndo->ndo_vflag > 2) {
1633 			ND_PRINT((ndo, " "));
1634 			if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
1635 				goto trunc;
1636 		} else if (ndo->ndo_vflag > 1) {
1637 			ND_PRINT((ndo, " "));
1638 			if (!ike_show_somedata(ndo, (const u_char *)(ext + 1), ep))
1639 				goto trunc;
1640 		}
1641 	}
1642 	return (const u_char *)ext + ntohs(e.len);
1643 trunc:
1644 	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_NONCE)));
1645 	return NULL;
1646 }
1647 
1648 static const u_char *
ikev1_n_print(netdissect_options * ndo,u_char tpay _U_,const struct isakmp_gen * ext,u_int item_len,const u_char * ep,uint32_t phase _U_,uint32_t doi0 _U_,uint32_t proto0 _U_,int depth _U_)1649 ikev1_n_print(netdissect_options *ndo, u_char tpay _U_,
1650 	      const struct isakmp_gen *ext, u_int item_len,
1651 	      const u_char *ep, uint32_t phase _U_, uint32_t doi0 _U_,
1652 	      uint32_t proto0 _U_, int depth _U_)
1653 {
1654 	const struct ikev1_pl_n *p;
1655 	struct ikev1_pl_n n;
1656 	const u_char *cp;
1657 	const u_char *ep2;
1658 	uint32_t doi;
1659 	uint32_t proto;
1660 	static const char *notify_error_str[] = {
1661 		NULL,				"INVALID-PAYLOAD-TYPE",
1662 		"DOI-NOT-SUPPORTED",		"SITUATION-NOT-SUPPORTED",
1663 		"INVALID-COOKIE",		"INVALID-MAJOR-VERSION",
1664 		"INVALID-MINOR-VERSION",	"INVALID-EXCHANGE-TYPE",
1665 		"INVALID-FLAGS",		"INVALID-MESSAGE-ID",
1666 		"INVALID-PROTOCOL-ID",		"INVALID-SPI",
1667 		"INVALID-TRANSFORM-ID",		"ATTRIBUTES-NOT-SUPPORTED",
1668 		"NO-PROPOSAL-CHOSEN",		"BAD-PROPOSAL-SYNTAX",
1669 		"PAYLOAD-MALFORMED",		"INVALID-KEY-INFORMATION",
1670 		"INVALID-ID-INFORMATION",	"INVALID-CERT-ENCODING",
1671 		"INVALID-CERTIFICATE",		"CERT-TYPE-UNSUPPORTED",
1672 		"INVALID-CERT-AUTHORITY",	"INVALID-HASH-INFORMATION",
1673 		"AUTHENTICATION-FAILED",	"INVALID-SIGNATURE",
1674 		"ADDRESS-NOTIFICATION",		"NOTIFY-SA-LIFETIME",
1675 		"CERTIFICATE-UNAVAILABLE",	"UNSUPPORTED-EXCHANGE-TYPE",
1676 		"UNEQUAL-PAYLOAD-LENGTHS",
1677 	};
1678 	static const char *ipsec_notify_error_str[] = {
1679 		"RESERVED",
1680 	};
1681 	static const char *notify_status_str[] = {
1682 		"CONNECTED",
1683 	};
1684 	static const char *ipsec_notify_status_str[] = {
1685 		"RESPONDER-LIFETIME",		"REPLAY-STATUS",
1686 		"INITIAL-CONTACT",
1687 	};
1688 /* NOTE: these macro must be called with x in proper range */
1689 
1690 /* 0 - 8191 */
1691 #define NOTIFY_ERROR_STR(x) \
1692 	STR_OR_ID((x), notify_error_str)
1693 
1694 /* 8192 - 16383 */
1695 #define IPSEC_NOTIFY_ERROR_STR(x) \
1696 	STR_OR_ID((u_int)((x) - 8192), ipsec_notify_error_str)
1697 
1698 /* 16384 - 24575 */
1699 #define NOTIFY_STATUS_STR(x) \
1700 	STR_OR_ID((u_int)((x) - 16384), notify_status_str)
1701 
1702 /* 24576 - 32767 */
1703 #define IPSEC_NOTIFY_STATUS_STR(x) \
1704 	STR_OR_ID((u_int)((x) - 24576), ipsec_notify_status_str)
1705 
1706 	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_N)));
1707 
1708 	p = (const struct ikev1_pl_n *)ext;
1709 	ND_TCHECK(*p);
1710 	UNALIGNED_MEMCPY(&n, ext, sizeof(n));
1711 	doi = ntohl(n.doi);
1712 	proto = n.prot_id;
1713 	if (doi != 1) {
1714 		ND_PRINT((ndo," doi=%d", doi));
1715 		ND_PRINT((ndo," proto=%d", proto));
1716 		if (ntohs(n.type) < 8192)
1717 			ND_PRINT((ndo," type=%s", NOTIFY_ERROR_STR(ntohs(n.type))));
1718 		else if (ntohs(n.type) < 16384)
1719 			ND_PRINT((ndo," type=%s", numstr(ntohs(n.type))));
1720 		else if (ntohs(n.type) < 24576)
1721 			ND_PRINT((ndo," type=%s", NOTIFY_STATUS_STR(ntohs(n.type))));
1722 		else
1723 			ND_PRINT((ndo," type=%s", numstr(ntohs(n.type))));
1724 		if (n.spi_size) {
1725 			ND_PRINT((ndo," spi="));
1726 			if (!rawprint(ndo, (const uint8_t *)(p + 1), n.spi_size))
1727 				goto trunc;
1728 		}
1729 		return (const u_char *)(p + 1) + n.spi_size;
1730 	}
1731 
1732 	ND_PRINT((ndo," doi=ipsec"));
1733 	ND_PRINT((ndo," proto=%s", PROTOIDSTR(proto)));
1734 	if (ntohs(n.type) < 8192)
1735 		ND_PRINT((ndo," type=%s", NOTIFY_ERROR_STR(ntohs(n.type))));
1736 	else if (ntohs(n.type) < 16384)
1737 		ND_PRINT((ndo," type=%s", IPSEC_NOTIFY_ERROR_STR(ntohs(n.type))));
1738 	else if (ntohs(n.type) < 24576)
1739 		ND_PRINT((ndo," type=%s", NOTIFY_STATUS_STR(ntohs(n.type))));
1740 	else if (ntohs(n.type) < 32768)
1741 		ND_PRINT((ndo," type=%s", IPSEC_NOTIFY_STATUS_STR(ntohs(n.type))));
1742 	else
1743 		ND_PRINT((ndo," type=%s", numstr(ntohs(n.type))));
1744 	if (n.spi_size) {
1745 		ND_PRINT((ndo," spi="));
1746 		if (!rawprint(ndo, (const uint8_t *)(p + 1), n.spi_size))
1747 			goto trunc;
1748 	}
1749 
1750 	cp = (const u_char *)(p + 1) + n.spi_size;
1751 	ep2 = (const u_char *)p + item_len;
1752 
1753 	if (cp < ep) {
1754 		switch (ntohs(n.type)) {
1755 		case IPSECDOI_NTYPE_RESPONDER_LIFETIME:
1756 		    {
1757 			const struct attrmap *map = oakley_t_map;
1758 			size_t nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]);
1759 			ND_PRINT((ndo," attrs=("));
1760 			while (cp < ep && cp < ep2) {
1761 				cp = ikev1_attrmap_print(ndo, cp, ep2, map, nmap);
1762 				if (cp == NULL) {
1763 					ND_PRINT((ndo,")"));
1764 					goto trunc;
1765 				}
1766 			}
1767 			ND_PRINT((ndo,")"));
1768 			break;
1769 		    }
1770 		case IPSECDOI_NTYPE_REPLAY_STATUS:
1771 			ND_PRINT((ndo," status=("));
1772 			ND_PRINT((ndo,"replay detection %sabled",
1773 				  EXTRACT_32BITS(cp) ? "en" : "dis"));
1774 			ND_PRINT((ndo,")"));
1775 			break;
1776 		default:
1777 			/*
1778 			 * XXX - fill in more types here; see, for example,
1779 			 * draft-ietf-ipsec-notifymsg-04.
1780 			 */
1781 			if (ndo->ndo_vflag > 3) {
1782 				ND_PRINT((ndo," data=("));
1783 				if (!rawprint(ndo, (const uint8_t *)(cp), ep - cp))
1784 					goto trunc;
1785 				ND_PRINT((ndo,")"));
1786 			} else {
1787 				if (!ike_show_somedata(ndo, cp, ep))
1788 					goto trunc;
1789 			}
1790 			break;
1791 		}
1792 	}
1793 	return (const u_char *)ext + item_len;
1794 trunc:
1795 	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_N)));
1796 	return NULL;
1797 }
1798 
1799 static const u_char *
ikev1_d_print(netdissect_options * ndo,u_char tpay _U_,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep _U_,uint32_t phase _U_,uint32_t doi0 _U_,uint32_t proto0 _U_,int depth _U_)1800 ikev1_d_print(netdissect_options *ndo, u_char tpay _U_,
1801 	      const struct isakmp_gen *ext, u_int item_len _U_,
1802 	      const u_char *ep _U_, uint32_t phase _U_, uint32_t doi0 _U_,
1803 	      uint32_t proto0 _U_, int depth _U_)
1804 {
1805 	const struct ikev1_pl_d *p;
1806 	struct ikev1_pl_d d;
1807 	const uint8_t *q;
1808 	uint32_t doi;
1809 	uint32_t proto;
1810 	int i;
1811 
1812 	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_D)));
1813 
1814 	p = (const struct ikev1_pl_d *)ext;
1815 	ND_TCHECK(*p);
1816 	UNALIGNED_MEMCPY(&d, ext, sizeof(d));
1817 	doi = ntohl(d.doi);
1818 	proto = d.prot_id;
1819 	if (doi != 1) {
1820 		ND_PRINT((ndo," doi=%u", doi));
1821 		ND_PRINT((ndo," proto=%u", proto));
1822 	} else {
1823 		ND_PRINT((ndo," doi=ipsec"));
1824 		ND_PRINT((ndo," proto=%s", PROTOIDSTR(proto)));
1825 	}
1826 	ND_PRINT((ndo," spilen=%u", d.spi_size));
1827 	ND_PRINT((ndo," nspi=%u", ntohs(d.num_spi)));
1828 	ND_PRINT((ndo," spi="));
1829 	q = (const uint8_t *)(p + 1);
1830 	for (i = 0; i < ntohs(d.num_spi); i++) {
1831 		if (i != 0)
1832 			ND_PRINT((ndo,","));
1833 		if (!rawprint(ndo, (const uint8_t *)q, d.spi_size))
1834 			goto trunc;
1835 		q += d.spi_size;
1836 	}
1837 	return q;
1838 trunc:
1839 	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_D)));
1840 	return NULL;
1841 }
1842 
1843 static const u_char *
ikev1_vid_print(netdissect_options * ndo,u_char tpay _U_,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep _U_,uint32_t phase _U_,uint32_t doi _U_,uint32_t proto _U_,int depth _U_)1844 ikev1_vid_print(netdissect_options *ndo, u_char tpay _U_,
1845 		const struct isakmp_gen *ext,
1846 		u_int item_len _U_, const u_char *ep _U_,
1847 		uint32_t phase _U_, uint32_t doi _U_,
1848 		uint32_t proto _U_, int depth _U_)
1849 {
1850 	struct isakmp_gen e;
1851 
1852 	ND_PRINT((ndo,"%s:", NPSTR(ISAKMP_NPTYPE_VID)));
1853 
1854 	ND_TCHECK(*ext);
1855 	UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1856 	ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
1857 	if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1858 		/* Print the entire payload in hex */
1859 		ND_PRINT((ndo," "));
1860 		if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
1861 			goto trunc;
1862 	}
1863 	return (const u_char *)ext + ntohs(e.len);
1864 trunc:
1865 	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_VID)));
1866 	return NULL;
1867 }
1868 
1869 /************************************************************/
1870 /*                                                          */
1871 /*              IKE v2 - rfc4306 - dissector                */
1872 /*                                                          */
1873 /************************************************************/
1874 
1875 static void
ikev2_pay_print(netdissect_options * ndo,const char * payname,int critical)1876 ikev2_pay_print(netdissect_options *ndo, const char *payname, int critical)
1877 {
1878 	ND_PRINT((ndo,"%s%s:", payname, critical&0x80 ? "[C]" : ""));
1879 }
1880 
1881 static const u_char *
ikev2_gen_print(netdissect_options * ndo,u_char tpay,const struct isakmp_gen * ext)1882 ikev2_gen_print(netdissect_options *ndo, u_char tpay,
1883 		const struct isakmp_gen *ext)
1884 {
1885 	struct isakmp_gen e;
1886 
1887 	ND_TCHECK(*ext);
1888 	UNALIGNED_MEMCPY(&e, ext, sizeof(e));
1889 	ikev2_pay_print(ndo, NPSTR(tpay), e.critical);
1890 
1891 	ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
1892 	if (2 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
1893 		/* Print the entire payload in hex */
1894 		ND_PRINT((ndo," "));
1895 		if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
1896 			goto trunc;
1897 	}
1898 	return (const u_char *)ext + ntohs(e.len);
1899 trunc:
1900 	ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
1901 	return NULL;
1902 }
1903 
1904 static const u_char *
ikev2_t_print(netdissect_options * ndo,int tcount,const struct isakmp_gen * ext,u_int item_len,const u_char * ep)1905 ikev2_t_print(netdissect_options *ndo, int tcount,
1906 	      const struct isakmp_gen *ext, u_int item_len,
1907 	      const u_char *ep)
1908 {
1909 	const struct ikev2_t *p;
1910 	struct ikev2_t t;
1911 	uint16_t  t_id;
1912 	const u_char *cp;
1913 	const char *idstr;
1914 	const struct attrmap *map;
1915 	size_t nmap;
1916 	const u_char *ep2;
1917 
1918 	p = (const struct ikev2_t *)ext;
1919 	ND_TCHECK(*p);
1920 	UNALIGNED_MEMCPY(&t, ext, sizeof(t));
1921 	ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_T), t.h.critical);
1922 
1923 	t_id = ntohs(t.t_id);
1924 
1925 	map = NULL;
1926 	nmap = 0;
1927 
1928 	switch (t.t_type) {
1929 	case IV2_T_ENCR:
1930 		idstr = STR_OR_ID(t_id, esp_p_map);
1931 		map = encr_t_map;
1932 		nmap = sizeof(encr_t_map)/sizeof(encr_t_map[0]);
1933 		break;
1934 
1935 	case IV2_T_PRF:
1936 		idstr = STR_OR_ID(t_id, prf_p_map);
1937 		break;
1938 
1939 	case IV2_T_INTEG:
1940 		idstr = STR_OR_ID(t_id, integ_p_map);
1941 		break;
1942 
1943 	case IV2_T_DH:
1944 		idstr = STR_OR_ID(t_id, dh_p_map);
1945 		break;
1946 
1947 	case IV2_T_ESN:
1948 		idstr = STR_OR_ID(t_id, esn_p_map);
1949 		break;
1950 
1951 	default:
1952 		idstr = NULL;
1953 		break;
1954 	}
1955 
1956 	if (idstr)
1957 		ND_PRINT((ndo," #%u type=%s id=%s ", tcount,
1958 			  STR_OR_ID(t.t_type, ikev2_t_type_map),
1959 			  idstr));
1960 	else
1961 		ND_PRINT((ndo," #%u type=%s id=%u ", tcount,
1962 			  STR_OR_ID(t.t_type, ikev2_t_type_map),
1963 			  t.t_id));
1964 	cp = (const u_char *)(p + 1);
1965 	ep2 = (const u_char *)p + item_len;
1966 	while (cp < ep && cp < ep2) {
1967 		if (map && nmap) {
1968 			cp = ikev1_attrmap_print(ndo, cp, ep2, map, nmap);
1969 		} else
1970 			cp = ikev1_attr_print(ndo, cp, ep2);
1971 		if (cp == NULL)
1972 			goto trunc;
1973 	}
1974 	if (ep < ep2)
1975 		ND_PRINT((ndo,"..."));
1976 	return cp;
1977 trunc:
1978 	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_T)));
1979 	return NULL;
1980 }
1981 
1982 static const u_char *
ikev2_p_print(netdissect_options * ndo,u_char tpay _U_,int pcount _U_,const struct isakmp_gen * ext,u_int oprop_length,const u_char * ep,int depth)1983 ikev2_p_print(netdissect_options *ndo, u_char tpay _U_, int pcount _U_,
1984 	      const struct isakmp_gen *ext, u_int oprop_length,
1985 	      const u_char *ep, int depth)
1986 {
1987 	const struct ikev2_p *p;
1988 	struct ikev2_p prop;
1989 	u_int prop_length;
1990 	const u_char *cp;
1991 	int i;
1992 	int tcount;
1993 	u_char np;
1994 	struct isakmp_gen e;
1995 	u_int item_len;
1996 
1997 	p = (const struct ikev2_p *)ext;
1998 	ND_TCHECK(*p);
1999 	UNALIGNED_MEMCPY(&prop, ext, sizeof(prop));
2000 
2001 	ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_P), prop.h.critical);
2002 
2003 	/*
2004 	 * ikev2_sa_print() guarantees that this is >= 4.
2005 	 */
2006 	prop_length = oprop_length - 4;
2007 	ND_PRINT((ndo," #%u protoid=%s transform=%d len=%u",
2008 		  prop.p_no,  PROTOIDSTR(prop.prot_id),
2009 		  prop.num_t, oprop_length));
2010 	cp = (const u_char *)(p + 1);
2011 
2012 	if (prop.spi_size) {
2013 		if (prop_length < prop.spi_size)
2014 			goto toolong;
2015 		ND_PRINT((ndo," spi="));
2016 		if (!rawprint(ndo, (const uint8_t *)cp, prop.spi_size))
2017 			goto trunc;
2018 		cp += prop.spi_size;
2019 		prop_length -= prop.spi_size;
2020 	}
2021 
2022 	/*
2023 	 * Print the transforms.
2024 	 */
2025 	tcount = 0;
2026 	for (np = ISAKMP_NPTYPE_T; np != 0; np = e.np) {
2027 		tcount++;
2028 		ext = (const struct isakmp_gen *)cp;
2029 		if (prop_length < sizeof(*ext))
2030 			goto toolong;
2031 		ND_TCHECK(*ext);
2032 		UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2033 
2034 		/*
2035 		 * Since we can't have a payload length of less than 4 bytes,
2036 		 * we need to bail out here if the generic header is nonsensical
2037 		 * or truncated, otherwise we could loop forever processing
2038 		 * zero-length items or otherwise misdissect the packet.
2039 		 */
2040 		item_len = ntohs(e.len);
2041 		if (item_len <= 4)
2042 			goto trunc;
2043 
2044 		if (prop_length < item_len)
2045 			goto toolong;
2046 		ND_TCHECK2(*cp, item_len);
2047 
2048 		depth++;
2049 		ND_PRINT((ndo,"\n"));
2050 		for (i = 0; i < depth; i++)
2051 			ND_PRINT((ndo,"    "));
2052 		ND_PRINT((ndo,"("));
2053 		if (np == ISAKMP_NPTYPE_T) {
2054 			cp = ikev2_t_print(ndo, tcount, ext, item_len, ep);
2055 			if (cp == NULL) {
2056 				/* error, already reported */
2057 				return NULL;
2058 			}
2059 		} else {
2060 			ND_PRINT((ndo, "%s", NPSTR(np)));
2061 			cp += item_len;
2062 		}
2063 		ND_PRINT((ndo,")"));
2064 		depth--;
2065 		prop_length -= item_len;
2066 	}
2067 	return cp;
2068 toolong:
2069 	/*
2070 	 * Skip the rest of the proposal.
2071 	 */
2072 	cp += prop_length;
2073 	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_P)));
2074 	return cp;
2075 trunc:
2076 	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_P)));
2077 	return NULL;
2078 }
2079 
2080 static const u_char *
ikev2_sa_print(netdissect_options * ndo,u_char tpay,const struct isakmp_gen * ext1,u_int osa_length,const u_char * ep,uint32_t phase _U_,uint32_t doi _U_,uint32_t proto _U_,int depth)2081 ikev2_sa_print(netdissect_options *ndo, u_char tpay,
2082 		const struct isakmp_gen *ext1,
2083 		u_int osa_length, const u_char *ep,
2084 		uint32_t phase _U_, uint32_t doi _U_,
2085 		uint32_t proto _U_, int depth)
2086 {
2087 	const struct isakmp_gen *ext;
2088 	struct isakmp_gen e;
2089 	u_int sa_length;
2090 	const u_char *cp;
2091 	int i;
2092 	int pcount;
2093 	u_char np;
2094 	u_int item_len;
2095 
2096 	ND_TCHECK(*ext1);
2097 	UNALIGNED_MEMCPY(&e, ext1, sizeof(e));
2098 	ikev2_pay_print(ndo, "sa", e.critical);
2099 
2100 	/*
2101 	 * ikev2_sub0_print() guarantees that this is >= 4.
2102 	 */
2103 	osa_length= ntohs(e.len);
2104 	sa_length = osa_length - 4;
2105 	ND_PRINT((ndo," len=%d", sa_length));
2106 
2107 	/*
2108 	 * Print the payloads.
2109 	 */
2110 	cp = (const u_char *)(ext1 + 1);
2111 	pcount = 0;
2112 	for (np = ISAKMP_NPTYPE_P; np != 0; np = e.np) {
2113 		pcount++;
2114 		ext = (const struct isakmp_gen *)cp;
2115 		if (sa_length < sizeof(*ext))
2116 			goto toolong;
2117 		ND_TCHECK(*ext);
2118 		UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2119 
2120 		/*
2121 		 * Since we can't have a payload length of less than 4 bytes,
2122 		 * we need to bail out here if the generic header is nonsensical
2123 		 * or truncated, otherwise we could loop forever processing
2124 		 * zero-length items or otherwise misdissect the packet.
2125 		 */
2126 		item_len = ntohs(e.len);
2127 		if (item_len <= 4)
2128 			goto trunc;
2129 
2130 		if (sa_length < item_len)
2131 			goto toolong;
2132 		ND_TCHECK2(*cp, item_len);
2133 
2134 		depth++;
2135 		ND_PRINT((ndo,"\n"));
2136 		for (i = 0; i < depth; i++)
2137 			ND_PRINT((ndo,"    "));
2138 		ND_PRINT((ndo,"("));
2139 		if (np == ISAKMP_NPTYPE_P) {
2140 			cp = ikev2_p_print(ndo, np, pcount, ext, item_len,
2141 					   ep, depth);
2142 			if (cp == NULL) {
2143 				/* error, already reported */
2144 				return NULL;
2145 			}
2146 		} else {
2147 			ND_PRINT((ndo, "%s", NPSTR(np)));
2148 			cp += item_len;
2149 		}
2150 		ND_PRINT((ndo,")"));
2151 		depth--;
2152 		sa_length -= item_len;
2153 	}
2154 	return cp;
2155 toolong:
2156 	/*
2157 	 * Skip the rest of the SA.
2158 	 */
2159 	cp += sa_length;
2160 	ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2161 	return cp;
2162 trunc:
2163 	ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2164 	return NULL;
2165 }
2166 
2167 static const u_char *
ikev2_ke_print(netdissect_options * ndo,u_char tpay,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep _U_,uint32_t phase _U_,uint32_t doi _U_,uint32_t proto _U_,int depth _U_)2168 ikev2_ke_print(netdissect_options *ndo, u_char tpay,
2169 		const struct isakmp_gen *ext,
2170 		u_int item_len _U_, const u_char *ep _U_,
2171 		uint32_t phase _U_, uint32_t doi _U_,
2172 		uint32_t proto _U_, int depth _U_)
2173 {
2174 	struct ikev2_ke ke;
2175 	const struct ikev2_ke *k;
2176 
2177 	k = (const struct ikev2_ke *)ext;
2178 	ND_TCHECK(*k);
2179 	UNALIGNED_MEMCPY(&ke, ext, sizeof(ke));
2180 	ikev2_pay_print(ndo, NPSTR(tpay), ke.h.critical);
2181 
2182 	ND_PRINT((ndo," len=%u group=%s", ntohs(ke.h.len) - 8,
2183 		  STR_OR_ID(ntohs(ke.ke_group), dh_p_map)));
2184 
2185 	if (2 < ndo->ndo_vflag && 8 < ntohs(ke.h.len)) {
2186 		ND_PRINT((ndo," "));
2187 		if (!rawprint(ndo, (const uint8_t *)(k + 1), ntohs(ke.h.len) - 8))
2188 			goto trunc;
2189 	}
2190 	return (const u_char *)ext + ntohs(ke.h.len);
2191 trunc:
2192 	ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2193 	return NULL;
2194 }
2195 
2196 static const u_char *
ikev2_ID_print(netdissect_options * ndo,u_char tpay,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep _U_,uint32_t phase _U_,uint32_t doi _U_,uint32_t proto _U_,int depth _U_)2197 ikev2_ID_print(netdissect_options *ndo, u_char tpay,
2198 		const struct isakmp_gen *ext,
2199 		u_int item_len _U_, const u_char *ep _U_,
2200 		uint32_t phase _U_, uint32_t doi _U_,
2201 		uint32_t proto _U_, int depth _U_)
2202 {
2203 	const struct ikev2_id *idp;
2204 	struct ikev2_id id;
2205 	int id_len, idtype_len, i;
2206 	unsigned int dumpascii, dumphex;
2207 	const unsigned char *typedata;
2208 
2209 	idp = (const struct ikev2_id *)ext;
2210 	ND_TCHECK(*idp);
2211 	UNALIGNED_MEMCPY(&id, ext, sizeof(id));
2212 	ikev2_pay_print(ndo, NPSTR(tpay), id.h.critical);
2213 
2214 	id_len = ntohs(id.h.len);
2215 
2216 	ND_PRINT((ndo," len=%d", id_len - 4));
2217 	if (2 < ndo->ndo_vflag && 4 < id_len) {
2218 		/* Print the entire payload in hex */
2219 		ND_PRINT((ndo," "));
2220 		if (!rawprint(ndo, (const uint8_t *)(ext + 1), id_len - 4))
2221 			goto trunc;
2222 	}
2223 
2224 	idtype_len =id_len - sizeof(struct ikev2_id);
2225 	dumpascii = 0;
2226 	dumphex   = 0;
2227 	typedata  = (const unsigned char *)(ext)+sizeof(struct ikev2_id);
2228 
2229 	switch(id.type) {
2230 	case ID_IPV4_ADDR:
2231 		ND_PRINT((ndo, " ipv4:"));
2232 		dumphex=1;
2233 		break;
2234 	case ID_FQDN:
2235 		ND_PRINT((ndo, " fqdn:"));
2236 		dumpascii=1;
2237 		break;
2238 	case ID_RFC822_ADDR:
2239 		ND_PRINT((ndo, " rfc822:"));
2240 		dumpascii=1;
2241 		break;
2242 	case ID_IPV6_ADDR:
2243 		ND_PRINT((ndo, " ipv6:"));
2244 		dumphex=1;
2245 		break;
2246 	case ID_DER_ASN1_DN:
2247 		ND_PRINT((ndo, " dn:"));
2248 		dumphex=1;
2249 		break;
2250 	case ID_DER_ASN1_GN:
2251 		ND_PRINT((ndo, " gn:"));
2252 		dumphex=1;
2253 		break;
2254 	case ID_KEY_ID:
2255 		ND_PRINT((ndo, " keyid:"));
2256 		dumphex=1;
2257 		break;
2258 	}
2259 
2260 	if(dumpascii) {
2261 		ND_TCHECK2(*typedata, idtype_len);
2262 		for(i=0; i<idtype_len; i++) {
2263 			if(ND_ISPRINT(typedata[i])) {
2264 				ND_PRINT((ndo, "%c", typedata[i]));
2265 			} else {
2266 				ND_PRINT((ndo, "."));
2267 			}
2268 		}
2269 	}
2270 	if(dumphex) {
2271 		if (!rawprint(ndo, (const uint8_t *)typedata, idtype_len))
2272 			goto trunc;
2273 	}
2274 
2275 	return (const u_char *)ext + id_len;
2276 trunc:
2277 	ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2278 	return NULL;
2279 }
2280 
2281 static const u_char *
ikev2_cert_print(netdissect_options * ndo,u_char tpay,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep _U_,uint32_t phase _U_,uint32_t doi _U_,uint32_t proto _U_,int depth _U_)2282 ikev2_cert_print(netdissect_options *ndo, u_char tpay,
2283 		const struct isakmp_gen *ext,
2284 		u_int item_len _U_, const u_char *ep _U_,
2285 		uint32_t phase _U_, uint32_t doi _U_,
2286 		uint32_t proto _U_, int depth _U_)
2287 {
2288 	return ikev2_gen_print(ndo, tpay, ext);
2289 }
2290 
2291 static const u_char *
ikev2_cr_print(netdissect_options * ndo,u_char tpay,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep _U_,uint32_t phase _U_,uint32_t doi _U_,uint32_t proto _U_,int depth _U_)2292 ikev2_cr_print(netdissect_options *ndo, u_char tpay,
2293 		const struct isakmp_gen *ext,
2294 		u_int item_len _U_, const u_char *ep _U_,
2295 		uint32_t phase _U_, uint32_t doi _U_,
2296 		uint32_t proto _U_, int depth _U_)
2297 {
2298 	return ikev2_gen_print(ndo, tpay, ext);
2299 }
2300 
2301 static const u_char *
ikev2_auth_print(netdissect_options * ndo,u_char tpay,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep,uint32_t phase _U_,uint32_t doi _U_,uint32_t proto _U_,int depth _U_)2302 ikev2_auth_print(netdissect_options *ndo, u_char tpay,
2303 		const struct isakmp_gen *ext,
2304 		u_int item_len _U_, const u_char *ep,
2305 		uint32_t phase _U_, uint32_t doi _U_,
2306 		uint32_t proto _U_, int depth _U_)
2307 {
2308 	struct ikev2_auth a;
2309 	const char *v2_auth[]={ "invalid", "rsasig",
2310 				"shared-secret", "dsssig" };
2311 	const u_char *authdata = (const u_char*)ext + sizeof(a);
2312 	unsigned int len;
2313 
2314 	ND_TCHECK2(*ext, sizeof(a));
2315 	UNALIGNED_MEMCPY(&a, ext, sizeof(a));
2316 	ikev2_pay_print(ndo, NPSTR(tpay), a.h.critical);
2317 	len = ntohs(a.h.len);
2318 
2319 	/*
2320 	 * Our caller has ensured that the length is >= 4.
2321 	 */
2322 	ND_PRINT((ndo," len=%u method=%s", len-4,
2323 		  STR_OR_ID(a.auth_method, v2_auth)));
2324 	if (len > 4) {
2325 		if (ndo->ndo_vflag > 1) {
2326 			ND_PRINT((ndo, " authdata=("));
2327 			if (!rawprint(ndo, (const uint8_t *)authdata, len - sizeof(a)))
2328 				goto trunc;
2329 			ND_PRINT((ndo, ") "));
2330 		} else if (ndo->ndo_vflag) {
2331 			if (!ike_show_somedata(ndo, authdata, ep))
2332 				goto trunc;
2333 		}
2334 	}
2335 
2336 	return (const u_char *)ext + len;
2337 trunc:
2338 	ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2339 	return NULL;
2340 }
2341 
2342 static const u_char *
ikev2_nonce_print(netdissect_options * ndo,u_char tpay,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep,uint32_t phase _U_,uint32_t doi _U_,uint32_t proto _U_,int depth _U_)2343 ikev2_nonce_print(netdissect_options *ndo, u_char tpay,
2344 		const struct isakmp_gen *ext,
2345 		u_int item_len _U_, const u_char *ep,
2346 		uint32_t phase _U_, uint32_t doi _U_,
2347 		uint32_t proto _U_, int depth _U_)
2348 {
2349 	struct isakmp_gen e;
2350 
2351 	ND_TCHECK(*ext);
2352 	UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2353 	ikev2_pay_print(ndo, "nonce", e.critical);
2354 
2355 	ND_PRINT((ndo," len=%d", ntohs(e.len) - 4));
2356 	if (1 < ndo->ndo_vflag && 4 < ntohs(e.len)) {
2357 		ND_PRINT((ndo," nonce=("));
2358 		if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
2359 			goto trunc;
2360 		ND_PRINT((ndo,") "));
2361 	} else if(ndo->ndo_vflag && 4 < ntohs(e.len)) {
2362 		if(!ike_show_somedata(ndo, (const u_char *)(ext+1), ep)) goto trunc;
2363 	}
2364 
2365 	return (const u_char *)ext + ntohs(e.len);
2366 trunc:
2367 	ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2368 	return NULL;
2369 }
2370 
2371 /* notify payloads */
2372 static const u_char *
ikev2_n_print(netdissect_options * ndo,u_char tpay _U_,const struct isakmp_gen * ext,u_int item_len,const u_char * ep,uint32_t phase _U_,uint32_t doi _U_,uint32_t proto _U_,int depth _U_)2373 ikev2_n_print(netdissect_options *ndo, u_char tpay _U_,
2374 		const struct isakmp_gen *ext,
2375 		u_int item_len, const u_char *ep,
2376 		uint32_t phase _U_, uint32_t doi _U_,
2377 		uint32_t proto _U_, int depth _U_)
2378 {
2379 	const struct ikev2_n *p;
2380 	struct ikev2_n n;
2381 	const u_char *cp;
2382 	u_char showspi, showsomedata;
2383 	const char *notify_name;
2384 	uint32_t type;
2385 
2386 	p = (const struct ikev2_n *)ext;
2387 	ND_TCHECK(*p);
2388 	UNALIGNED_MEMCPY(&n, ext, sizeof(n));
2389 	ikev2_pay_print(ndo, NPSTR(ISAKMP_NPTYPE_N), n.h.critical);
2390 
2391 	showspi = 1;
2392 	showsomedata=0;
2393 	notify_name=NULL;
2394 
2395 	ND_PRINT((ndo," prot_id=%s", PROTOIDSTR(n.prot_id)));
2396 
2397 	type = ntohs(n.type);
2398 
2399 	/* notify space is annoying sparse */
2400 	switch(type) {
2401 	case IV2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD:
2402 		notify_name = "unsupported_critical_payload";
2403 		showspi = 0;
2404 		break;
2405 
2406 	case IV2_NOTIFY_INVALID_IKE_SPI:
2407 		notify_name = "invalid_ike_spi";
2408 		showspi = 1;
2409 		break;
2410 
2411 	case IV2_NOTIFY_INVALID_MAJOR_VERSION:
2412 		notify_name = "invalid_major_version";
2413 		showspi = 0;
2414 		break;
2415 
2416 	case IV2_NOTIFY_INVALID_SYNTAX:
2417 		notify_name = "invalid_syntax";
2418 		showspi = 1;
2419 		break;
2420 
2421 	case IV2_NOTIFY_INVALID_MESSAGE_ID:
2422 		notify_name = "invalid_message_id";
2423 		showspi = 1;
2424 		break;
2425 
2426 	case IV2_NOTIFY_INVALID_SPI:
2427 		notify_name = "invalid_spi";
2428 		showspi = 1;
2429 		break;
2430 
2431 	case IV2_NOTIFY_NO_PROPOSAL_CHOSEN:
2432 		notify_name = "no_protocol_chosen";
2433 		showspi = 1;
2434 		break;
2435 
2436 	case IV2_NOTIFY_INVALID_KE_PAYLOAD:
2437 		notify_name = "invalid_ke_payload";
2438 		showspi = 1;
2439 		break;
2440 
2441 	case IV2_NOTIFY_AUTHENTICATION_FAILED:
2442 		notify_name = "authentication_failed";
2443 		showspi = 1;
2444 		break;
2445 
2446 	case IV2_NOTIFY_SINGLE_PAIR_REQUIRED:
2447 		notify_name = "single_pair_required";
2448 		showspi = 1;
2449 		break;
2450 
2451 	case IV2_NOTIFY_NO_ADDITIONAL_SAS:
2452 		notify_name = "no_additional_sas";
2453 		showspi = 0;
2454 		break;
2455 
2456 	case IV2_NOTIFY_INTERNAL_ADDRESS_FAILURE:
2457 		notify_name = "internal_address_failure";
2458 		showspi = 0;
2459 		break;
2460 
2461 	case IV2_NOTIFY_FAILED_CP_REQUIRED:
2462 		notify_name = "failed:cp_required";
2463 		showspi = 0;
2464 		break;
2465 
2466 	case IV2_NOTIFY_INVALID_SELECTORS:
2467 		notify_name = "invalid_selectors";
2468 		showspi = 0;
2469 		break;
2470 
2471 	case IV2_NOTIFY_INITIAL_CONTACT:
2472 		notify_name = "initial_contact";
2473 		showspi = 0;
2474 		break;
2475 
2476 	case IV2_NOTIFY_SET_WINDOW_SIZE:
2477 		notify_name = "set_window_size";
2478 		showspi = 0;
2479 		break;
2480 
2481 	case IV2_NOTIFY_ADDITIONAL_TS_POSSIBLE:
2482 		notify_name = "additional_ts_possible";
2483 		showspi = 0;
2484 		break;
2485 
2486 	case IV2_NOTIFY_IPCOMP_SUPPORTED:
2487 		notify_name = "ipcomp_supported";
2488 		showspi = 0;
2489 		break;
2490 
2491 	case IV2_NOTIFY_NAT_DETECTION_SOURCE_IP:
2492 		notify_name = "nat_detection_source_ip";
2493 		showspi = 1;
2494 		break;
2495 
2496 	case IV2_NOTIFY_NAT_DETECTION_DESTINATION_IP:
2497 		notify_name = "nat_detection_destination_ip";
2498 		showspi = 1;
2499 		break;
2500 
2501 	case IV2_NOTIFY_COOKIE:
2502 		notify_name = "cookie";
2503 		showspi = 1;
2504 		showsomedata= 1;
2505 		break;
2506 
2507 	case IV2_NOTIFY_USE_TRANSPORT_MODE:
2508 		notify_name = "use_transport_mode";
2509 		showspi = 0;
2510 		break;
2511 
2512 	case IV2_NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED:
2513 		notify_name = "http_cert_lookup_supported";
2514 		showspi = 0;
2515 		break;
2516 
2517 	case IV2_NOTIFY_REKEY_SA:
2518 		notify_name = "rekey_sa";
2519 		showspi = 1;
2520 		break;
2521 
2522 	case IV2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED:
2523 		notify_name = "tfc_padding_not_supported";
2524 		showspi = 0;
2525 		break;
2526 
2527 	case IV2_NOTIFY_NON_FIRST_FRAGMENTS_ALSO:
2528 		notify_name = "non_first_fragment_also";
2529 		showspi = 0;
2530 		break;
2531 
2532 	default:
2533 		if (type < 8192) {
2534 			notify_name="error";
2535 		} else if(type < 16384) {
2536 			notify_name="private-error";
2537 		} else if(type < 40960) {
2538 			notify_name="status";
2539 		} else {
2540 			notify_name="private-status";
2541 		}
2542 	}
2543 
2544 	if(notify_name) {
2545 		ND_PRINT((ndo," type=%u(%s)", type, notify_name));
2546 	}
2547 
2548 
2549 	if (showspi && n.spi_size) {
2550 		ND_PRINT((ndo," spi="));
2551 		if (!rawprint(ndo, (const uint8_t *)(p + 1), n.spi_size))
2552 			goto trunc;
2553 	}
2554 
2555 	cp = (const u_char *)(p + 1) + n.spi_size;
2556 
2557 	if (cp < ep) {
2558 		if (ndo->ndo_vflag > 3 || (showsomedata && ep-cp < 30)) {
2559 			ND_PRINT((ndo," data=("));
2560 			if (!rawprint(ndo, (const uint8_t *)(cp), ep - cp))
2561 				goto trunc;
2562 
2563 			ND_PRINT((ndo,")"));
2564 		} else if (showsomedata) {
2565 			if (!ike_show_somedata(ndo, cp, ep))
2566 				goto trunc;
2567 		}
2568 	}
2569 
2570 	return (const u_char *)ext + item_len;
2571 trunc:
2572 	ND_PRINT((ndo," [|%s]", NPSTR(ISAKMP_NPTYPE_N)));
2573 	return NULL;
2574 }
2575 
2576 static const u_char *
ikev2_d_print(netdissect_options * ndo,u_char tpay,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep _U_,uint32_t phase _U_,uint32_t doi _U_,uint32_t proto _U_,int depth _U_)2577 ikev2_d_print(netdissect_options *ndo, u_char tpay,
2578 		const struct isakmp_gen *ext,
2579 		u_int item_len _U_, const u_char *ep _U_,
2580 		uint32_t phase _U_, uint32_t doi _U_,
2581 		uint32_t proto _U_, int depth _U_)
2582 {
2583 	return ikev2_gen_print(ndo, tpay, ext);
2584 }
2585 
2586 static const u_char *
ikev2_vid_print(netdissect_options * ndo,u_char tpay,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep _U_,uint32_t phase _U_,uint32_t doi _U_,uint32_t proto _U_,int depth _U_)2587 ikev2_vid_print(netdissect_options *ndo, u_char tpay,
2588 		const struct isakmp_gen *ext,
2589 		u_int item_len _U_, const u_char *ep _U_,
2590 		uint32_t phase _U_, uint32_t doi _U_,
2591 		uint32_t proto _U_, int depth _U_)
2592 {
2593 	struct isakmp_gen e;
2594 	const u_char *vid;
2595 	int i, len;
2596 
2597 	ND_TCHECK(*ext);
2598 	UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2599 	ikev2_pay_print(ndo, NPSTR(tpay), e.critical);
2600 	ND_PRINT((ndo," len=%d vid=", ntohs(e.len) - 4));
2601 
2602 	vid = (const u_char *)(ext+1);
2603 	len = ntohs(e.len) - 4;
2604 	ND_TCHECK2(*vid, len);
2605 	for(i=0; i<len; i++) {
2606 		if(ND_ISPRINT(vid[i])) ND_PRINT((ndo, "%c", vid[i]));
2607 		else ND_PRINT((ndo, "."));
2608 	}
2609 	if (2 < ndo->ndo_vflag && 4 < len) {
2610 		/* Print the entire payload in hex */
2611 		ND_PRINT((ndo," "));
2612 		if (!rawprint(ndo, (const uint8_t *)(ext + 1), ntohs(e.len) - 4))
2613 			goto trunc;
2614 	}
2615 	return (const u_char *)ext + ntohs(e.len);
2616 trunc:
2617 	ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2618 	return NULL;
2619 }
2620 
2621 static const u_char *
ikev2_TS_print(netdissect_options * ndo,u_char tpay,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep _U_,uint32_t phase _U_,uint32_t doi _U_,uint32_t proto _U_,int depth _U_)2622 ikev2_TS_print(netdissect_options *ndo, u_char tpay,
2623 		const struct isakmp_gen *ext,
2624 		u_int item_len _U_, const u_char *ep _U_,
2625 		uint32_t phase _U_, uint32_t doi _U_,
2626 		uint32_t proto _U_, int depth _U_)
2627 {
2628 	return ikev2_gen_print(ndo, tpay, ext);
2629 }
2630 
2631 static const u_char *
ikev2_e_print(netdissect_options * ndo,_U_ struct isakmp * base,u_char tpay,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep _U_,_U_ uint32_t phase,_U_ uint32_t doi,_U_ uint32_t proto,_U_ int depth)2632 ikev2_e_print(netdissect_options *ndo,
2633 #ifndef HAVE_LIBCRYPTO
2634 	      _U_
2635 #endif
2636 	      struct isakmp *base,
2637 	      u_char tpay,
2638 	      const struct isakmp_gen *ext,
2639 	      u_int item_len _U_, const u_char *ep _U_,
2640 #ifndef HAVE_LIBCRYPTO
2641 	      _U_
2642 #endif
2643 	      uint32_t phase,
2644 #ifndef HAVE_LIBCRYPTO
2645 	      _U_
2646 #endif
2647 	      uint32_t doi,
2648 #ifndef HAVE_LIBCRYPTO
2649 	      _U_
2650 #endif
2651 	      uint32_t proto,
2652 #ifndef HAVE_LIBCRYPTO
2653 	      _U_
2654 #endif
2655 	      int depth)
2656 {
2657 	struct isakmp_gen e;
2658 	const u_char *dat;
2659 	volatile int dlen;
2660 
2661 	ND_TCHECK(*ext);
2662 	UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2663 	ikev2_pay_print(ndo, NPSTR(tpay), e.critical);
2664 
2665 	dlen = ntohs(e.len)-4;
2666 
2667 	ND_PRINT((ndo," len=%d", dlen));
2668 	if (2 < ndo->ndo_vflag && 4 < dlen) {
2669 		ND_PRINT((ndo," "));
2670 		if (!rawprint(ndo, (const uint8_t *)(ext + 1), dlen))
2671 			goto trunc;
2672 	}
2673 
2674 	dat = (const u_char *)(ext+1);
2675 	ND_TCHECK2(*dat, dlen);
2676 
2677 #ifdef HAVE_LIBCRYPTO
2678 	/* try to decypt it! */
2679 	if(esp_print_decrypt_buffer_by_ikev2(ndo,
2680 					     base->flags & ISAKMP_FLAG_I,
2681 					     base->i_ck, base->r_ck,
2682 					     dat, dat+dlen)) {
2683 
2684 		ext = (const struct isakmp_gen *)ndo->ndo_packetp;
2685 
2686 		/* got it decrypted, print stuff inside. */
2687 		ikev2_sub_print(ndo, base, e.np, ext, ndo->ndo_snapend,
2688 				phase, doi, proto, depth+1);
2689 	}
2690 #endif
2691 
2692 
2693 	/* always return NULL, because E must be at end, and NP refers
2694 	 * to what was inside.
2695 	 */
2696 	return NULL;
2697 trunc:
2698 	ND_PRINT((ndo," [|%s]", NPSTR(tpay)));
2699 	return NULL;
2700 }
2701 
2702 static const u_char *
ikev2_cp_print(netdissect_options * ndo,u_char tpay,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep _U_,uint32_t phase _U_,uint32_t doi _U_,uint32_t proto _U_,int depth _U_)2703 ikev2_cp_print(netdissect_options *ndo, u_char tpay,
2704 		const struct isakmp_gen *ext,
2705 		u_int item_len _U_, const u_char *ep _U_,
2706 		uint32_t phase _U_, uint32_t doi _U_,
2707 		uint32_t proto _U_, int depth _U_)
2708 {
2709 	return ikev2_gen_print(ndo, tpay, ext);
2710 }
2711 
2712 static const u_char *
ikev2_eap_print(netdissect_options * ndo,u_char tpay,const struct isakmp_gen * ext,u_int item_len _U_,const u_char * ep _U_,uint32_t phase _U_,uint32_t doi _U_,uint32_t proto _U_,int depth _U_)2713 ikev2_eap_print(netdissect_options *ndo, u_char tpay,
2714 		const struct isakmp_gen *ext,
2715 		u_int item_len _U_, const u_char *ep _U_,
2716 		uint32_t phase _U_, uint32_t doi _U_,
2717 		uint32_t proto _U_, int depth _U_)
2718 {
2719 	return ikev2_gen_print(ndo, tpay, ext);
2720 }
2721 
2722 static const u_char *
ike_sub0_print(netdissect_options * ndo,u_char np,const struct isakmp_gen * ext,const u_char * ep,uint32_t phase,uint32_t doi,uint32_t proto,int depth)2723 ike_sub0_print(netdissect_options *ndo,
2724 		 u_char np, const struct isakmp_gen *ext, const u_char *ep,
2725 
2726 	       uint32_t phase, uint32_t doi, uint32_t proto, int depth)
2727 {
2728 	const u_char *cp;
2729 	struct isakmp_gen e;
2730 	u_int item_len;
2731 
2732 	cp = (const u_char *)ext;
2733 	ND_TCHECK(*ext);
2734 	UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2735 
2736 	/*
2737 	 * Since we can't have a payload length of less than 4 bytes,
2738 	 * we need to bail out here if the generic header is nonsensical
2739 	 * or truncated, otherwise we could loop forever processing
2740 	 * zero-length items or otherwise misdissect the packet.
2741 	 */
2742 	item_len = ntohs(e.len);
2743 	if (item_len <= 4)
2744 		return NULL;
2745 
2746 	if (NPFUNC(np)) {
2747 		/*
2748 		 * XXX - what if item_len is too short, or too long,
2749 		 * for this payload type?
2750 		 */
2751 		cp = (*npfunc[np])(ndo, np, ext, item_len, ep, phase, doi, proto, depth);
2752 	} else {
2753 		ND_PRINT((ndo,"%s", NPSTR(np)));
2754 		cp += item_len;
2755 	}
2756 
2757 	return cp;
2758 trunc:
2759 	ND_PRINT((ndo," [|isakmp]"));
2760 	return NULL;
2761 }
2762 
2763 static const u_char *
ikev1_sub_print(netdissect_options * ndo,u_char np,const struct isakmp_gen * ext,const u_char * ep,uint32_t phase,uint32_t doi,uint32_t proto,int depth)2764 ikev1_sub_print(netdissect_options *ndo,
2765 		u_char np, const struct isakmp_gen *ext, const u_char *ep,
2766 		uint32_t phase, uint32_t doi, uint32_t proto, int depth)
2767 {
2768 	const u_char *cp;
2769 	int i;
2770 	struct isakmp_gen e;
2771 
2772 	cp = (const u_char *)ext;
2773 
2774 	while (np) {
2775 		ND_TCHECK(*ext);
2776 		UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2777 
2778 		ND_TCHECK2(*ext, ntohs(e.len));
2779 
2780 		depth++;
2781 		ND_PRINT((ndo,"\n"));
2782 		for (i = 0; i < depth; i++)
2783 			ND_PRINT((ndo,"    "));
2784 		ND_PRINT((ndo,"("));
2785 		cp = ike_sub0_print(ndo, np, ext, ep, phase, doi, proto, depth);
2786 		ND_PRINT((ndo,")"));
2787 		depth--;
2788 
2789 		if (cp == NULL) {
2790 			/* Zero-length subitem */
2791 			return NULL;
2792 		}
2793 
2794 		np = e.np;
2795 		ext = (const struct isakmp_gen *)cp;
2796 	}
2797 	return cp;
2798 trunc:
2799 	ND_PRINT((ndo," [|%s]", NPSTR(np)));
2800 	return NULL;
2801 }
2802 
2803 static char *
numstr(int x)2804 numstr(int x)
2805 {
2806 	static char buf[20];
2807 	snprintf(buf, sizeof(buf), "#%d", x);
2808 	return buf;
2809 }
2810 
2811 static void
ikev1_print(netdissect_options * ndo,const u_char * bp,u_int length,const u_char * bp2,struct isakmp * base)2812 ikev1_print(netdissect_options *ndo,
2813 	    const u_char *bp,  u_int length,
2814 	    const u_char *bp2, struct isakmp *base)
2815 {
2816 	const struct isakmp *p;
2817 	const u_char *ep;
2818 	u_char np;
2819 	int i;
2820 	int phase;
2821 
2822 	p = (const struct isakmp *)bp;
2823 	ep = ndo->ndo_snapend;
2824 
2825 	phase = (EXTRACT_32BITS(base->msgid) == 0) ? 1 : 2;
2826 	if (phase == 1)
2827 		ND_PRINT((ndo," phase %d", phase));
2828 	else
2829 		ND_PRINT((ndo," phase %d/others", phase));
2830 
2831 	i = cookie_find(&base->i_ck);
2832 	if (i < 0) {
2833 		if (iszero((const u_char *)&base->r_ck, sizeof(base->r_ck))) {
2834 			/* the first packet */
2835 			ND_PRINT((ndo," I"));
2836 			if (bp2)
2837 				cookie_record(&base->i_ck, bp2);
2838 		} else
2839 			ND_PRINT((ndo," ?"));
2840 	} else {
2841 		if (bp2 && cookie_isinitiator(i, bp2))
2842 			ND_PRINT((ndo," I"));
2843 		else if (bp2 && cookie_isresponder(i, bp2))
2844 			ND_PRINT((ndo," R"));
2845 		else
2846 			ND_PRINT((ndo," ?"));
2847 	}
2848 
2849 	ND_PRINT((ndo," %s", ETYPESTR(base->etype)));
2850 	if (base->flags) {
2851 		ND_PRINT((ndo,"[%s%s]", base->flags & ISAKMP_FLAG_E ? "E" : "",
2852 			  base->flags & ISAKMP_FLAG_C ? "C" : ""));
2853 	}
2854 
2855 	if (ndo->ndo_vflag) {
2856 		const struct isakmp_gen *ext;
2857 
2858 		ND_PRINT((ndo,":"));
2859 
2860 		/* regardless of phase... */
2861 		if (base->flags & ISAKMP_FLAG_E) {
2862 			/*
2863 			 * encrypted, nothing we can do right now.
2864 			 * we hope to decrypt the packet in the future...
2865 			 */
2866 			ND_PRINT((ndo," [encrypted %s]", NPSTR(base->np)));
2867 			goto done;
2868 		}
2869 
2870 		CHECKLEN(p + 1, base->np);
2871 		np = base->np;
2872 		ext = (const struct isakmp_gen *)(p + 1);
2873 		ikev1_sub_print(ndo, np, ext, ep, phase, 0, 0, 0);
2874 	}
2875 
2876 done:
2877 	if (ndo->ndo_vflag) {
2878 		if (ntohl(base->len) != length) {
2879 			ND_PRINT((ndo," (len mismatch: isakmp %u/ip %u)",
2880 				  (uint32_t)ntohl(base->len), length));
2881 		}
2882 	}
2883 }
2884 
2885 static const u_char *
ikev2_sub0_print(netdissect_options * ndo,struct isakmp * base,u_char np,const struct isakmp_gen * ext,const u_char * ep,uint32_t phase,uint32_t doi,uint32_t proto,int depth)2886 ikev2_sub0_print(netdissect_options *ndo, struct isakmp *base,
2887 		 u_char np,
2888 		 const struct isakmp_gen *ext, const u_char *ep,
2889 		 uint32_t phase, uint32_t doi, uint32_t proto, int depth)
2890 {
2891 	const u_char *cp;
2892 	struct isakmp_gen e;
2893 	u_int item_len;
2894 
2895 	cp = (const u_char *)ext;
2896 	ND_TCHECK(*ext);
2897 	UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2898 
2899 	/*
2900 	 * Since we can't have a payload length of less than 4 bytes,
2901 	 * we need to bail out here if the generic header is nonsensical
2902 	 * or truncated, otherwise we could loop forever processing
2903 	 * zero-length items or otherwise misdissect the packet.
2904 	 */
2905 	item_len = ntohs(e.len);
2906 	if (item_len <= 4)
2907 		return NULL;
2908 
2909 	if (np == ISAKMP_NPTYPE_v2E) {
2910 		cp = ikev2_e_print(ndo, base, np, ext, item_len,
2911 				   ep, phase, doi, proto, depth);
2912 	} else if (NPFUNC(np)) {
2913 		/*
2914 		 * XXX - what if item_len is too short, or too long,
2915 		 * for this payload type?
2916 		 */
2917 		cp = (*npfunc[np])(ndo, np, ext, item_len,
2918 				   ep, phase, doi, proto, depth);
2919 	} else {
2920 		ND_PRINT((ndo,"%s", NPSTR(np)));
2921 		cp += item_len;
2922 	}
2923 
2924 	return cp;
2925 trunc:
2926 	ND_PRINT((ndo," [|isakmp]"));
2927 	return NULL;
2928 }
2929 
2930 static const u_char *
ikev2_sub_print(netdissect_options * ndo,struct isakmp * base,u_char np,const struct isakmp_gen * ext,const u_char * ep,uint32_t phase,uint32_t doi,uint32_t proto,int depth)2931 ikev2_sub_print(netdissect_options *ndo,
2932 		struct isakmp *base,
2933 		u_char np, const struct isakmp_gen *ext, const u_char *ep,
2934 		uint32_t phase, uint32_t doi, uint32_t proto, int depth)
2935 {
2936 	const u_char *cp;
2937 	int i;
2938 	struct isakmp_gen e;
2939 
2940 	cp = (const u_char *)ext;
2941 	while (np) {
2942 		ND_TCHECK(*ext);
2943 		UNALIGNED_MEMCPY(&e, ext, sizeof(e));
2944 
2945 		ND_TCHECK2(*ext, ntohs(e.len));
2946 
2947 		depth++;
2948 		ND_PRINT((ndo,"\n"));
2949 		for (i = 0; i < depth; i++)
2950 			ND_PRINT((ndo,"    "));
2951 		ND_PRINT((ndo,"("));
2952 		cp = ikev2_sub0_print(ndo, base, np,
2953 				      ext, ep, phase, doi, proto, depth);
2954 		ND_PRINT((ndo,")"));
2955 		depth--;
2956 
2957 		if (cp == NULL) {
2958 			/* Zero-length subitem */
2959 			return NULL;
2960 		}
2961 
2962 		np = e.np;
2963 		ext = (const struct isakmp_gen *)cp;
2964 	}
2965 	return cp;
2966 trunc:
2967 	ND_PRINT((ndo," [|%s]", NPSTR(np)));
2968 	return NULL;
2969 }
2970 
2971 static void
ikev2_print(netdissect_options * ndo,const u_char * bp,u_int length,const u_char * bp2 _U_,struct isakmp * base)2972 ikev2_print(netdissect_options *ndo,
2973 	    const u_char *bp,  u_int length,
2974 	    const u_char *bp2 _U_, struct isakmp *base)
2975 {
2976 	const struct isakmp *p;
2977 	const u_char *ep;
2978 	u_char np;
2979 	int phase;
2980 
2981 	p = (const struct isakmp *)bp;
2982 	ep = ndo->ndo_snapend;
2983 
2984 	phase = (EXTRACT_32BITS(base->msgid) == 0) ? 1 : 2;
2985 	if (phase == 1)
2986 		ND_PRINT((ndo, " parent_sa"));
2987 	else
2988 		ND_PRINT((ndo, " child_sa "));
2989 
2990 	ND_PRINT((ndo, " %s", ETYPESTR(base->etype)));
2991 	if (base->flags) {
2992 		ND_PRINT((ndo, "[%s%s%s]",
2993 			  base->flags & ISAKMP_FLAG_I ? "I" : "",
2994 			  base->flags & ISAKMP_FLAG_V ? "V" : "",
2995 			  base->flags & ISAKMP_FLAG_R ? "R" : ""));
2996 	}
2997 
2998 	if (ndo->ndo_vflag) {
2999 		const struct isakmp_gen *ext;
3000 
3001 		ND_PRINT((ndo, ":"));
3002 
3003 		/* regardless of phase... */
3004 		if (base->flags & ISAKMP_FLAG_E) {
3005 			/*
3006 			 * encrypted, nothing we can do right now.
3007 			 * we hope to decrypt the packet in the future...
3008 			 */
3009 			ND_PRINT((ndo, " [encrypted %s]", NPSTR(base->np)));
3010 			goto done;
3011 		}
3012 
3013 		CHECKLEN(p + 1, base->np)
3014 
3015 		np = base->np;
3016 		ext = (const struct isakmp_gen *)(p + 1);
3017 		ikev2_sub_print(ndo, base, np, ext, ep, phase, 0, 0, 0);
3018 	}
3019 
3020 done:
3021 	if (ndo->ndo_vflag) {
3022 		if (ntohl(base->len) != length) {
3023 			ND_PRINT((ndo, " (len mismatch: isakmp %u/ip %u)",
3024 				  (uint32_t)ntohl(base->len), length));
3025 		}
3026 	}
3027 }
3028 
3029 void
isakmp_print(netdissect_options * ndo,const u_char * bp,u_int length,const u_char * bp2)3030 isakmp_print(netdissect_options *ndo,
3031 	     const u_char *bp, u_int length,
3032 	     const u_char *bp2)
3033 {
3034 	const struct isakmp *p;
3035 	struct isakmp base;
3036 	const u_char *ep;
3037 	int major, minor;
3038 
3039 #ifdef HAVE_LIBCRYPTO
3040 	/* initialize SAs */
3041 	if (ndo->ndo_sa_list_head == NULL) {
3042 		if (ndo->ndo_espsecret)
3043 			esp_print_decodesecret(ndo);
3044 	}
3045 #endif
3046 
3047 	p = (const struct isakmp *)bp;
3048 	ep = ndo->ndo_snapend;
3049 
3050 	if ((const struct isakmp *)ep < p + 1) {
3051 		ND_PRINT((ndo,"[|isakmp]"));
3052 		return;
3053 	}
3054 
3055 	UNALIGNED_MEMCPY(&base, p, sizeof(base));
3056 
3057 	ND_PRINT((ndo,"isakmp"));
3058 	major = (base.vers & ISAKMP_VERS_MAJOR)
3059 		>> ISAKMP_VERS_MAJOR_SHIFT;
3060 	minor = (base.vers & ISAKMP_VERS_MINOR)
3061 		>> ISAKMP_VERS_MINOR_SHIFT;
3062 
3063 	if (ndo->ndo_vflag) {
3064 		ND_PRINT((ndo," %d.%d", major, minor));
3065 	}
3066 
3067 	if (ndo->ndo_vflag) {
3068 		ND_PRINT((ndo," msgid "));
3069 		hexprint(ndo, (const uint8_t *)&base.msgid, sizeof(base.msgid));
3070 	}
3071 
3072 	if (1 < ndo->ndo_vflag) {
3073 		ND_PRINT((ndo," cookie "));
3074 		hexprint(ndo, (const uint8_t *)&base.i_ck, sizeof(base.i_ck));
3075 		ND_PRINT((ndo,"->"));
3076 		hexprint(ndo, (const uint8_t *)&base.r_ck, sizeof(base.r_ck));
3077 	}
3078 	ND_PRINT((ndo,":"));
3079 
3080 	switch(major) {
3081 	case IKEv1_MAJOR_VERSION:
3082 		ikev1_print(ndo, bp, length, bp2, &base);
3083 		break;
3084 
3085 	case IKEv2_MAJOR_VERSION:
3086 		ikev2_print(ndo, bp, length, bp2, &base);
3087 		break;
3088 	}
3089 }
3090 
3091 void
isakmp_rfc3948_print(netdissect_options * ndo,const u_char * bp,u_int length,const u_char * bp2)3092 isakmp_rfc3948_print(netdissect_options *ndo,
3093 		     const u_char *bp, u_int length,
3094 		     const u_char *bp2)
3095 {
3096 	ND_TCHECK(bp[0]);
3097 	if(length == 1 && bp[0]==0xff) {
3098 		ND_PRINT((ndo, "isakmp-nat-keep-alive"));
3099 		return;
3100 	}
3101 
3102 	if(length < 4) {
3103 		goto trunc;
3104 	}
3105 	ND_TCHECK(bp[3]);
3106 
3107 	/*
3108 	 * see if this is an IKE packet
3109 	 */
3110 	if(bp[0]==0 && bp[1]==0 && bp[2]==0 && bp[3]==0) {
3111 		ND_PRINT((ndo, "NONESP-encap: "));
3112 		isakmp_print(ndo, bp+4, length-4, bp2);
3113 		return;
3114 	}
3115 
3116 	/* must be an ESP packet */
3117 	{
3118 		int nh, enh, padlen;
3119 		int advance;
3120 
3121 		ND_PRINT((ndo, "UDP-encap: "));
3122 
3123 		advance = esp_print(ndo, bp, length, bp2, &enh, &padlen);
3124 		if(advance <= 0)
3125 			return;
3126 
3127 		bp += advance;
3128 		length -= advance + padlen;
3129 		nh = enh & 0xff;
3130 
3131 		ip_print_inner(ndo, bp, length, nh, bp2);
3132 		return;
3133 	}
3134 
3135 trunc:
3136 	ND_PRINT((ndo,"[|isakmp]"));
3137 	return;
3138 }
3139 
3140 /*
3141  * Local Variables:
3142  * c-style: whitesmith
3143  * c-basic-offset: 8
3144  * End:
3145  */
3146