print-isakmp.c

Windump3.6.2源代码

		if (map && nmap) {
			cp = isakmp_attrmap_print(cp, (ep < ep2) ? ep : ep2,
				map, nmap);
		} else
			cp = isakmp_attr_print(cp, (ep < ep2) ? ep : ep2);
	}
	if (ep < ep2)
		printf("...");
	return cp;
}

static u_char *
isakmp_ke_print(struct isakmp_gen *ext, u_char *ep, u_int32_t phase,
	u_int32_t doi, u_int32_t proto)
{
	struct isakmp_gen e;

	printf("%s:", NPSTR(ISAKMP_NPTYPE_KE));

	safememcpy(&e, ext, sizeof(e));
	printf(" key len=%d", ntohs(e.len) - 4);
	if (2 < vflag && 4 < ntohs(e.len)) {
		printf(" ");
		rawprint((caddr_t)(ext + 1), ntohs(e.len) - 4);
	}
	return (u_char *)ext + ntohs(e.len);
}

static u_char *
isakmp_id_print(struct isakmp_gen *ext, u_char *ep, u_int32_t phase,
	u_int32_t doi, u_int32_t proto)
{
#define USE_IPSECDOI_IN_PHASE1	1
	struct isakmp_pl_id *p, id;
	static char *idtypestr[] = {
		"IPv4", "IPv4net", "IPv6", "IPv6net",
	};
	static char *ipsecidtypestr[] = {
		NULL, "IPv4", "FQDN", "user FQDN", "IPv4net", "IPv6",
		"IPv6net", "IPv4range", "IPv6range", "ASN1 DN", "ASN1 GN",
		"keyid",
	};
	int len;
	u_char *data;

	printf("%s:", NPSTR(ISAKMP_NPTYPE_ID));

	p = (struct isakmp_pl_id *)ext;
	safememcpy(&id, ext, sizeof(id));
	if (sizeof(*p) < id.h.len)
		data = (u_char *)(p + 1);
	else
		data = NULL;
	len = ntohs(id.h.len) - sizeof(*p);

#if 0 /*debug*/
	printf(" [phase=%d doi=%d proto=%d]", phase, doi, proto);
#endif
	switch (phase) {
#ifndef USE_IPSECDOI_IN_PHASE1
	case 1:
#endif
	default:
		printf(" idtype=%s", STR_OR_ID(id.d.id_type, idtypestr));
		printf(" doi_data=%u",
			(u_int32_t)(ntohl(id.d.doi_data) & 0xffffff));
		break;

#ifdef USE_IPSECDOI_IN_PHASE1
	case 1:
#endif
	case 2:
	    {
		struct ipsecdoi_id *p, id;
		struct protoent *pe;

		p = (struct ipsecdoi_id *)ext;
		safememcpy(&id, ext, sizeof(id));
		printf(" idtype=%s", STR_OR_ID(id.type, ipsecidtypestr));
		if (id.proto_id) {
#ifndef WIN32
			setprotoent(1);
#endif /* WIN32 */
			pe = getprotobynumber(id.proto_id);
			if (pe)
				printf(" protoid=%s", pe->p_name);
#ifndef WIN32
			endprotoent();
#endif /* WIN32 */
		} else {
			/* it DOES NOT mean IPPROTO_IP! */
			printf(" protoid=%s", "0");
		}
		printf(" port=%d", ntohs(id.port));
		if (!len)
			break;
		switch (id.type) {
		case IPSECDOI_ID_IPV4_ADDR:
			printf(" len=%d %s", len, ipaddr_string(data));
			len = 0;
			break;
		case IPSECDOI_ID_FQDN:
		case IPSECDOI_ID_USER_FQDN:
		    {
			int i;
			printf(" len=%d ", len);
			for (i = 0; i < len; i++) {
				if (isprint(data[i]))
					printf("%c", data[i]);
				else
					printf("\\%03o", data[i]);
			}
			len = 0;
			break;
		    }
		case IPSECDOI_ID_IPV4_ADDR_SUBNET:
		    {
			u_char *mask;
			mask = data + sizeof(struct in_addr);
			printf(" len=%d %s/%u.%u.%u.%u", len,
				ipaddr_string(data),
				mask[0], mask[1], mask[2], mask[3]);
			len = 0;
			break;
		    }
#ifdef INET6
		case IPSECDOI_ID_IPV6_ADDR:
			printf(" len=%d %s", len, ip6addr_string(data));
			len = 0;
			break;
		case IPSECDOI_ID_IPV6_ADDR_SUBNET:
		    {
			u_int32_t *mask;
			mask = (u_int32_t *)(data + sizeof(struct in6_addr));
			/*XXX*/
			printf(" len=%d %s/0x%08x%08x%08x%08x", len,
				ip6addr_string(data),
				mask[0], mask[1], mask[2], mask[3]);
			len = 0;
			break;
		    }
#endif /*INET6*/
		case IPSECDOI_ID_IPV4_ADDR_RANGE:
			printf(" len=%d %s-%s", len, ipaddr_string(data),
				ipaddr_string(data + sizeof(struct in_addr)));
			len = 0;
			break;
#ifdef INET6
		case IPSECDOI_ID_IPV6_ADDR_RANGE:
			printf(" len=%d %s-%s", len, ip6addr_string(data),
				ip6addr_string(data + sizeof(struct in6_addr)));
			len = 0;
			break;
#endif /*INET6*/
		case IPSECDOI_ID_DER_ASN1_DN:
		case IPSECDOI_ID_DER_ASN1_GN:
		case IPSECDOI_ID_KEY_ID:
			break;
		}
		break;
	    }
	}
	if (data && len) {
		len -= sizeof(*p);
		printf(" len=%d", len);
		if (2 < vflag) {
			printf(" ");
			rawprint((caddr_t)data, len);
		}
	}
	return (u_char *)ext + ntohs(id.h.len);
}

static u_char *
isakmp_cert_print(struct isakmp_gen *ext, u_char *ep, u_int32_t phase,
	u_int32_t doi0, u_int32_t proto0)
{
	struct isakmp_pl_cert *p, cert;
	static char *certstr[] = {
		"none",	"pkcs7", "pgp", "dns",
		"x509sign", "x509ke", "kerberos", "crl",
		"arl", "spki", "x509attr",
	};

	printf("%s:", NPSTR(ISAKMP_NPTYPE_CERT));

	p = (struct isakmp_pl_cert *)ext;
	safememcpy(&cert, ext, sizeof(cert));
	printf(" len=%d", ntohs(cert.h.len) - 4);
	printf(" type=%s", STR_OR_ID((cert.encode), certstr));
	if (2 < vflag && 4 < ntohs(cert.h.len)) {
		printf(" ");
		rawprint((caddr_t)(ext + 1), ntohs(cert.h.len) - 4);
	}
	return (u_char *)ext + ntohs(cert.h.len);
}

static u_char *
isakmp_cr_print(struct isakmp_gen *ext, u_char *ep, u_int32_t phase,
	u_int32_t doi0, u_int32_t proto0)
{
	struct isakmp_pl_cert *p, cert;
	static char *certstr[] = {
		"none",	"pkcs7", "pgp", "dns",
		"x509sign", "x509ke", "kerberos", "crl",
		"arl", "spki", "x509attr",
	};

	printf("%s:", NPSTR(ISAKMP_NPTYPE_CR));

	p = (struct isakmp_pl_cert *)ext;
	safememcpy(&cert, ext, sizeof(cert));
	printf(" len=%d", ntohs(cert.h.len) - 4);
	printf(" type=%s", STR_OR_ID((cert.encode), certstr));
	if (2 < vflag && 4 < ntohs(cert.h.len)) {
		printf(" ");
		rawprint((caddr_t)(ext + 1), ntohs(cert.h.len) - 4);
	}
	return (u_char *)ext + ntohs(cert.h.len);
}

static u_char *
isakmp_hash_print(struct isakmp_gen *ext, u_char *ep, u_int32_t phase,
	u_int32_t doi, u_int32_t proto)
{
	struct isakmp_gen e;

	printf("%s:", NPSTR(ISAKMP_NPTYPE_HASH));

	safememcpy(&e, ext, sizeof(e));
	printf(" len=%d", ntohs(e.len) - 4);
	if (2 < vflag && 4 < ntohs(e.len)) {
		printf(" ");
		rawprint((caddr_t)(ext + 1), ntohs(e.len) - 4);
	}
	return (u_char *)ext + ntohs(e.len);
}

static u_char *
isakmp_sig_print(struct isakmp_gen *ext, u_char *ep, u_int32_t phase,
	u_int32_t doi, u_int32_t proto)
{
	struct isakmp_gen e;

	printf("%s:", NPSTR(ISAKMP_NPTYPE_SIG));

	safememcpy(&e, ext, sizeof(e));
	printf(" len=%d", ntohs(e.len) - 4);
	if (2 < vflag && 4 < ntohs(e.len)) {
		printf(" ");
		rawprint((caddr_t)(ext + 1), ntohs(e.len) - 4);
	}
	return (u_char *)ext + ntohs(e.len);
}

static u_char *
isakmp_nonce_print(struct isakmp_gen *ext, u_char *ep, u_int32_t phase,
	u_int32_t doi, u_int32_t proto)
{
	struct isakmp_gen e;

	printf("%s:", NPSTR(ISAKMP_NPTYPE_NONCE));

	safememcpy(&e, ext, sizeof(e));
	printf(" n len=%d", ntohs(e.len) - 4);
	if (2 < vflag && 4 < ntohs(e.len)) {
		printf(" ");
		rawprint((caddr_t)(ext + 1), ntohs(e.len) - 4);
	}
	return (u_char *)ext + ntohs(e.len);
}

static u_char *
isakmp_n_print(struct isakmp_gen *ext, u_char *ep, u_int32_t phase,
	u_int32_t doi0, u_int32_t proto0)
{
	struct isakmp_pl_n *p, n;
	u_char *cp;
	u_char *ep2;
	u_int32_t doi;
	u_int32_t proto;
	static char *notifystr[] = {
		NULL,				"INVALID-PAYLOAD-TYPE",
		"DOI-NOT-SUPPORTED",		"SITUATION-NOT-SUPPORTED",
		"INVALID-COOKIE",		"INVALID-MAJOR-VERSION",
		"INVALID-MINOR-VERSION",	"INVALID-EXCHANGE-TYPE",
		"INVALID-FLAGS",		"INVALID-MESSAGE-ID",
		"INVALID-PROTOCOL-ID",		"INVALID-SPI",
		"INVALID-TRANSFORM-ID",		"ATTRIBUTES-NOT-SUPPORTED",
		"NO-PROPOSAL-CHOSEN",		"BAD-PROPOSAL-SYNTAX",
		"PAYLOAD-MALFORMED",		"INVALID-KEY-INFORMATION",
		"INVALID-ID-INFORMATION",	"INVALID-CERT-ENCODING",
		"INVALID-CERTIFICATE",		"CERT-TYPE-UNSUPPORTED",
		"INVALID-CERT-AUTHORITY",	"INVALID-HASH-INFORMATION",
		"AUTHENTICATION-FAILED",	"INVALID-SIGNATURE",
		"ADDRESS-NOTIFICATION",		"NOTIFY-SA-LIFETIME",
		"CERTIFICATE-UNAVAILABLE",	"UNSUPPORTED-EXCHANGE-TYPE",
		"UNEQUAL-PAYLOAD-LENGTHS",
	};
	static char *ipsecnotifystr[] = {
		"RESPONDER-LIFETIME",		"REPLAY-STATUS",
		"INITIAL-CONTACT",
	};
/* NOTE: these macro must be called with x in proper range */
#define NOTIFYSTR(x) \
	(((x) == 16384) ? "CONNECTED" : STR_OR_ID((x), notifystr))
#define IPSECNOTIFYSTR(x) \
	(((x) == 8192) ? "RESERVED" : STR_OR_ID(((x) - 24576), ipsecnotifystr))

	printf("%s:", NPSTR(ISAKMP_NPTYPE_N));

	p = (struct isakmp_pl_n *)ext;
	safememcpy(&n, ext, sizeof(n));
	doi = ntohl(n.doi);
	proto = n.prot_id;
	if (doi != 1) {
		printf(" doi=%d", doi);
		printf(" proto=%d", proto);
		printf(" type=%s", NOTIFYSTR(ntohs(n.type)));
		if (n.spi_size) {
			printf(" spi=");
			rawprint((caddr_t)(p + 1), n.spi_size);
		}
		return (u_char *)(p + 1) + n.spi_size;
	}

	printf(" doi=ipsec");
	printf(" proto=%s", PROTOIDSTR(proto));
	if (ntohs(n.type) < 8192)
		printf(" type=%s", NOTIFYSTR(ntohs(n.type)));
	else if (ntohs(n.type) < 16384)
		printf(" type=%s", IPSECNOTIFYSTR(ntohs(n.type)));
	else if (ntohs(n.type) < 24576)
		printf(" type=%s", NOTIFYSTR(ntohs(n.type)));
	else if (ntohs(n.type) < 40960)
		printf(" type=%s", IPSECNOTIFYSTR(ntohs(n.type)));
	else
		printf(" type=%s", NOTIFYSTR(ntohs(n.type)));
	if (n.spi_size) {
		printf(" spi=");
		rawprint((caddr_t)(p + 1), n.spi_size);
	}

	cp = (u_char *)(p + 1) + n.spi_size;
	ep2 = (u_char *)p + ntohs(n.h.len);

	if (cp < ep) {
		printf(" orig=(");
		switch (ntohs(n.type)) {
		case IPSECDOI_NTYPE_RESPONDER_LIFETIME:
		    {
			struct attrmap *map = oakley_t_map;
			size_t nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]);
			while (cp < ep && cp < ep2) {
				cp = isakmp_attrmap_print(cp,
					(ep < ep2) ? ep : ep2, map, nmap);
			}
			break;
		    }
		case IPSECDOI_NTYPE_REPLAY_STATUS:
			printf("replay detection %sabled",
				(*(u_int32_t *)cp) ? "en" : "dis");
			break;
		case ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN:
			isakmp_sub_print(ISAKMP_NPTYPE_SA,
				(struct isakmp_gen *)cp, ep, phase, doi, proto);
			break;
		default:
			/* NULL is dummy */
			isakmp_print(cp,
				ntohs(n.h.len) - sizeof(*p) - n.spi_size,
				NULL);
		}
		printf(")");
	}
	return (u_char *)ext + ntohs(n.h.len);
}

static u_char *
isakmp_d_print(struct isakmp_gen *ext, u_char *ep, u_int32_t phase,
	u_int32_t doi0, u_int32_t proto0)
{
	struct isakmp_pl_d *p, d;
	u_int8_t *q;
	u_int32_t doi;
	u_int32_t proto;
	int i;

	printf("%s:", NPSTR(ISAKMP_NPTYPE_D));

	p = (struct isakmp_pl_d *)ext;
	safememcpy(&d, ext, sizeof(d));
	doi = ntohl(d.doi);
	proto = d.prot_id;
	if (doi != 1) {
		printf(" doi=%u", doi);
		printf(" proto=%u", proto);
	} else {
		printf(" doi=ipsec");
		printf(" proto=%s", PROTOIDSTR(proto));
	}
	printf(" spilen=%u", d.spi_size);
	printf(" nspi=%u", ntohs(d.num_spi));
	printf(" spi=");
	q = (u_int8_t *)(p + 1);
	for (i = 0; i < ntohs(d.num_spi); i++) {
		if (i != 0)
			printf(",");
		rawprint((caddr_t)q, d.spi_size);
		q += d.spi_size;
	}
	return q;
}

static u_char *
isakmp_vid_print(struct isakmp_gen *ext, u_char *ep, u_int32_t phase,
	u_int32_t doi, u_int32_t proto)
{
	struct isakmp_gen e;

	printf("%s:", NPSTR(ISAKMP_NPTYPE_VID));

	safememcpy(&e, ext, sizeof(e));
	printf(" len=%d", ntohs(e.len) - 4);
	if (2 < vflag && 4 < ntohs(e.len)) {
		printf(" ");
		rawprint((caddr_t)(ext + 1), ntohs(e.len) - 4);
	}
	return (u_char *)ext + ntohs(e.len);
}

static u_char *
isakmp_sub0_print(u_char np, struct isakmp_gen *ext, u_char *ep,
	u_int32_t phase, u_int32_t doi, u_int32_t proto)
{
	u_char *cp;
	struct isakmp_gen e;

	cp = (u_char *)ext;
	safememcpy(&e, ext, sizeof(e));

	if (NPFUNC(np))
		cp = (*NPFUNC(np))(ext, ep, phase, doi, proto);
	else {
		printf("%s", NPSTR(np));
		cp += ntohs(e.len);
	}
	return cp;
}

static u_char *
isakmp_sub_print(u_char np, struct isakmp_gen *ext, u_char *ep,
	u_int32_t phase, u_int32_t doi, u_int32_t proto)
{
	u_char *cp;
	static int depth = 0;
	int i;
	struct isakmp_gen e;

	cp = (u_char *)ext;

	while (np) {
		safememcpy(&e, ext, sizeof(e));

		if (ep < (u_char *)ext + ntohs(e.len)) {
			printf(" [|%s]", NPSTR(np));
			cp = ep + 1;
			break;
		}
		depth++;
		printf("\n");
		for (i = 0; i < depth; i++)
			printf("    ");
		printf("(");
		cp = isakmp_sub0_print(np, ext, ep, phase, doi, proto);
		printf(")");
		depth--;

		np = e.np;
		ext = (struct isakmp_gen *)cp;
	}
	return cp;
}

static char *
numstr(int x)
{
	static char buf[20];
	snprintf(buf, sizeof(buf), "#%d", x);
	return buf;
}

/*
 * some compiler tries to optimize memcpy(), using the alignment constraint
 * on the argument pointer type.  by using this function, we try to avoid the
 * optimization.
 */
static void
safememcpy(void *p, void *q, size_t l)
{
	memcpy(p, q, l);
}

void
isakmp_print(const u_char *bp, u_int length, const u_char *bp2)
{
	struct isakmp *p, base;
	u_char *ep;
	u_char np;
	int i;
	int phase;
	int major, minor;

	p = (struct isakmp *)bp;
	ep = (u_char *)snapend;

	if ((struct isakmp *)ep < p + 1) {
		printf("[|isakmp]");
		return;
	}

	safememcpy(&base, p, sizeof(base));

	printf("isakmp");
	if (vflag) {
		major = (base.vers & ISAKMP_VERS_MAJOR)
				>> ISAKMP_VERS_MAJOR_SHIFT;
		minor = (base.vers & ISAKMP_VERS_MINOR)
				>> ISAKMP_VERS_MINOR_SHIFT;
		printf(" %d.%d", major, minor);
	}

	if (vflag) {
		printf(" msgid ");
		rawprint((caddr_t)&base.msgid, sizeof(base.msgid));
	}

	if (1 < vflag) {
		printf(" cookie ");
		rawprint((caddr_t)&base.i_ck, sizeof(base.i_ck));
		printf("->");
		rawprint((caddr_t)&base.r_ck, sizeof(base.r_ck));
	}
	printf(":");

	phase = (*(u_int32_t *)base.msgid == 0) ? 1 : 2;
	if (phase == 1)
		printf(" phase %d", phase);
	else
		printf(" phase %d/others", phase);

	i = cookie_find(&base.i_ck);
	if (i < 0) {
		if (iszero((u_char *)&base.r_ck, sizeof(base.r_ck))) {
			/* the first packet */
			printf(" I");
			if (bp2)
				cookie_record(&base.i_ck, bp2);
		} else
			printf(" ?");
	} else {
		if (bp2 && cookie_isinitiator(i, bp2))
			printf(" I");
		else if (bp2 && cookie_isresponder(i, bp2))
			printf(" R");
		else
			printf(" ?");
	}

	printf(" %s", ETYPESTR(base.etype));
	if (base.flags) {
		printf("[%s%s]", base.flags & ISAKMP_FLAG_E ? "E" : "",
			base.flags & ISAKMP_FLAG_C ? "C" : "");
	}
	printf(":");

    {
	struct isakmp_gen *ext;
	int nparen;

#define CHECKLEN(p, np) \
	if (ep < (u_char *)(p)) {				\
		printf(" [|%s]", NPSTR(np));			\
		goto done;					\
	}

	/* regardless of phase... */
	if (base.flags & ISAKMP_FLAG_E) {
		/*
		 * encrypted, nothing we can do right now.
		 * we hope to decrypt the packet in the future...
		 */
		printf(" [|%s]", NPSTR(base.np));
		goto done;
	}

	nparen = 0;
	CHECKLEN(p + 1, base.np)

	np = base.np;
	ext = (struct isakmp_gen *)(p + 1);
	isakmp_sub_print(np, ext, ep, phase, 0, 0);
    }

done:
	if (vflag) {
		if (ntohl(base.len) != length) {
			printf(" (len mismatch: isakmp %u/ip %d)",
				(u_int32_t)ntohl(base.len), length);
		}
	}
}