📄 isakmp.c
字号:
/****************************************************************************
**
** File: isakmp.c
**
** Extensions and additions by: Stuart Stock (stuart@ins.com)
** Original Author: Mike Borella
**
** Comments: Dump ISAKMP headers under IPSec DOI
**
** See RFC 2408 "Internet Security Association and Key Management Protocol"
** and RFC 2407 "The Internet IP Security Domain Interpretation for ISAKMP"
**
** and when you can't find the value anywhere else, look in:
** draft-ietf-ipsec-ike-01 "The Internet Key Exchange (IKE)"
**
*****************************************************************************/
#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <ctype.h>
#include "config.h"
#include "isakmp.h"
extern u_char *packet_end;
void print_char2hex(u_char *bp, int length);
/*----------------------------------------------------------------------------
**
** dump_isakmp()
**
** Parse ISAKMP packet and dump fields.
**
**----------------------------------------------------------------------------
*/
void dump_isakmp(u_char *bp, int length)
{
u_char *ep = bp + length;
u_char *p;
ISAKMPHdr *isakmp;
void dump_next_payload(int);
void determine_next_payload(int, u_char *);
/*
* Make sure we don't run off the end of the packet
*/
if (ep > packet_end)
ep = packet_end;
p = bp;
printf("-----------------------------------------------------------------\n");
printf(" ISAKMP Headers\n");
printf("-----------------------------------------------------------------\n");
isakmp = (ISAKMPHdr *) bp;
printf("Initiator Cookie: %x", EXTRACT_32BITS(isakmp->i_cookie));
printf("%x\n", EXTRACT_32BITS(isakmp->i_cookie + 4));
printf("Responder Cookie: %x", EXTRACT_32BITS(isakmp->r_cookie));
if (EXTRACT_32BITS(isakmp->r_cookie) != 0)
printf("%x", EXTRACT_32BITS(isakmp->r_cookie + 4));
printf("\n");
printf("Next payload: %d ", isakmp->next_payload);
dump_next_payload(isakmp->next_payload);
printf("Major version: %d\n", isakmp->maj_version);
printf("Minor version: %d\n", isakmp->min_version);
printf("Exchange type: %d ", isakmp->exchange_type);
switch(isakmp->exchange_type)
{
case 0:
printf("(none)");
break;
case 1:
printf("(base)");
break;
case 2:
printf("(identity protection)");
break;
case 3:
printf("(authentication only)");
break;
case 4:
printf("(aggressive)");
break;
case 5:
printf("(informational)");
break;
case 32:
printf("(quick)");
break;
case 33:
printf("(new group)");
break;
case 34:
printf("(Acknowledged Informational)");
break;
default:
if (isakmp->exchange_type >= 6 && isakmp->exchange_type <= 31)
printf("(future)");
if (isakmp->exchange_type >= 35 && isakmp->exchange_type <= 239)
printf("(DOI specific)");
if (isakmp->exchange_type >= 240 && isakmp->exchange_type <= 255)
printf("(private)");
}
printf("\n");
printf("Flags: %d", isakmp->flags);
if (isakmp->flags)
{
printf(" (");
if (isakmp->flags & 0x01)
printf("E");
if (isakmp->flags & 0x02)
printf("C");
if (isakmp->flags & 0x04)
printf("A");
printf(")");
}
printf("\n");
printf("Message ID: %u\n", ntohl(isakmp->msg_id));
printf("Length: %d\n", ntohl(isakmp->length));
/*
* Short circuit processing if this is the only header or encryption
* bit is set
*/
if (!isakmp->next_payload || isakmp->flags & 0x01)
return;
/*
* Otherwise, advance pointer and keep processing
*/
bp = bp + sizeof(ISAKMPHdr);
determine_next_payload(isakmp->next_payload, bp);
}
/*----------------------------------------------------------------------------
**
** dump_next_payload()
**
** Decode and print the next payload type
**
**----------------------------------------------------------------------------
*/
void dump_next_payload(int np)
{
switch(np)
{
case 0:
printf("(none)");
break;
case 1:
printf("(security association)");
break;
case 2:
printf("(proposal)");
break;
case 3:
printf("(transform)");
break;
case 4:
printf("(key exchange)");
break;
case 5:
printf("(identification)");
break;
case 6:
printf("(certificate)");
break;
case 7:
printf("(certificate request)");
break;
case 8:
printf("(hash)");
break;
case 9:
printf("(signature)");
break;
case 10:
printf("(nonce)");
break;
case 11:
printf("(notification)");
break;
case 12:
printf("(delete)");
break;
case 13:
printf("(vendor ID)");
break;
default:
if (np >= 14 && np <= 127)
printf("(reserved)");
else
printf("(private)");
}
printf("\n");
}
/*----------------------------------------------------------------------------
**
** determine_next_payload()
**
** Call routing to parse the next payload type
**
**----------------------------------------------------------------------------
*/
void determine_next_payload(int np, u_char *bp)
{
void dump_sa_payload(u_char *bp);
void dump_proposal_payload(u_char *bp);
void dump_keyexchange_payload(u_char *bp);
void dump_hash_payload(u_char *bp);
void dump_notification_payload(u_char *bp);
void dump_identification_payload(u_char *bp);
void dump_nonce_payload(u_char *bp);
void dump_signature_payload(u_char *bp);
void dump_vendorid_payload(u_char *bp);
void dump_transform_payload(u_char *bp);
void dump_delete_payload(u_char *bp);
void dump_certificate_payload(u_char *bp, int type);
switch(np)
{
case 0: /* no payload, do nothing */
break;
case 1:
dump_sa_payload(bp);
break;
case 2:
dump_proposal_payload(bp);
break;
case 3:
dump_transform_payload(bp);
break;
case 4:
dump_keyexchange_payload(bp);
break;
case 5:
dump_identification_payload(bp);
break;
case 6:
dump_certificate_payload(bp, 1);
break;
case 7:
dump_certificate_payload(bp, 2);
break;
case 8:
dump_hash_payload(bp);
break;
case 9:
dump_signature_payload(bp);
break;
case 10:
dump_nonce_payload(bp);
break;
case 11:
dump_notification_payload(bp);
break;
case 12:
dump_delete_payload(bp);
break;
case 13:
dump_vendorid_payload(bp);
break;
default:
break;
}
}
/*---------------------------------------------------------------------
**
** dump_delete_payload()
**
** incomplete routine to dump delete packets
**
**---------------------------------------------------------------------
*/
void dump_delete_payload(u_char *bp)
{
ISAKMP_generic_hdr *gen;
u_char *old_bp;
int doi;
gen = (ISAKMP_generic_hdr *) bp;
old_bp = bp;
printf("-----------------------------------------------------------------\n");
printf(" ISAKMP Delete Header\n");
printf("-----------------------------------------------------------------\n");
printf("Next payload: %d ", gen->next_payload);
dump_next_payload(gen->next_payload);
printf("Reserved: %d\n", gen->reserved);
printf("Payload length %d\n", ntohs(gen->length));
bp = bp + sizeof(ISAKMP_generic_hdr);
doi = EXTRACT_32BITS(bp);
bp = bp + 4;
printf("DOI: %d\n", doi);
/* We want to dump the SPI's and crud here */
printf("\nNo decode support, yet\n");
bp = old_bp + ntohs(gen->length);
determine_next_payload(gen->next_payload, bp);
}
/*---------------------------------------------------------------------
**
** dump_certificate_payload()
**
** Dumps a certificate payload packet.
**
** Since ISAKMP packet types 6 (cert) and 7 (cert request) are the same
** format, the function takes a second parameter, type, to handle the
** proper formating.
**
**---------------------------------------------------------------------
*/
void dump_certificate_payload(u_char *bp, int type)
{
ISAKMP_generic_hdr *gen;
u_char *old_bp;
int cert_enc;
gen = (ISAKMP_generic_hdr *) bp;
old_bp = bp;
printf("-----------------------------------------------------------------\n");
if( type == 1) {
printf(" ISAKMP Certificate Header\n");
}
else {
printf(" ISAKMP Certificate Request Header\n");
}
printf("-----------------------------------------------------------------\n");
printf("Next payload: %d ", gen->next_payload);
dump_next_payload(gen->next_payload);
printf("Reserved: %d\n", gen->reserved);
printf("Payload length %d\n", ntohs(gen->length));
bp = bp + sizeof(ISAKMP_generic_hdr);
cert_enc = *bp;
bp ++;
printf("Certificate Encoding: %d ", cert_enc);
switch( cert_enc )
{
case 0:
printf("(NONE)");
break;
case 1:
printf("(PKCS7 Wrapped X.509)");
break;
case 2:
printf("(PGP Certificate)");
break;
case 3:
printf("(DNS Signed Key)");
break;
case 4:
printf("(X.509 - Signature)");
break;
case 5:
printf("(X.509 - Key Exchange)");
break;
case 6:
printf("(Kerberos Tickets)");
break;
case 7:
printf("(Certificate Revocation List)");
break;
case 8:
printf("(Authority Revocation List)");
break;
case 9:
printf("(SPKI Certificate)");
break;
case 10:
printf("(X.509 - Attribute)");
break;
default:
printf("(reserved)");
break;
}
printf("\n");
printf("Certificate data: ");
/* XXX Is this right? 4 bytes of ISAKMP crud and 1 byte for cert type */
print_char2hex(bp, ntohs(gen->length) - 5);
bp = old_bp + ntohs(gen->length);
determine_next_payload(gen->next_payload, bp);
}
/*----------------------------------------------------------------------------
**
** dump_sa_payload()
**
** Dump an SA payload.
**
**----------------------------------------------------------------------------
*/
void dump_sa_payload(u_char *bp)
{
ISAKMP_generic_hdr *gen;
u_char *old_bp;
int doi;
u_int32_t situation;
gen = (ISAKMP_generic_hdr *) bp;
old_bp = bp;
printf("-----------------------------------------------------------------\n");
printf(" ISAKMP SA Header\n");
printf("-----------------------------------------------------------------\n");
printf("Next payload: %d ", gen->next_payload);
dump_next_payload(gen->next_payload);
printf("Reserved: %d\n", gen->reserved);
printf("Payload length %d\n", ntohs(gen->length));
bp = bp + sizeof(ISAKMP_generic_hdr);
doi = EXTRACT_32BITS(bp);
bp = bp + 4;
printf("DOI: %d\n", doi);
printf("Situation: ");
if (doi == DOI_IPSEC)
{
situation = EXTRACT_32BITS(bp);
bp = bp + 4;
printf("%d ", situation);
switch(situation)
{
case SIT_IDENTITY_ONLY:
printf("(identity only)");
break;
case SIT_SECRECY:
printf("(secrecy)");
break;
case SIT_INTEGRITY:
printf("(integrity)");
break;
}
printf("\n");
}
else
{
printf("(undefined DOI)\n");
}
bp = old_bp + ntohs(gen->length);
determine_next_payload(gen->next_payload, bp);
}
/*----------------------------------------------------------------------------
**
** dump_proposal_payload()
**
** Dump a proposal payload.
**
**----------------------------------------------------------------------------
*/
void dump_proposal_payload(u_char *bp)
{
ISAKMP_generic_hdr *gen;
u_int8_t protocol_id, spi_size;
u_int16_t num_trans;
u_int32_t prop;
u_char *old_bp;
old_bp = bp;
gen = (ISAKMP_generic_hdr *) bp;
printf("-----------------------------------------------------------------\n");
printf(" ISAKMP Proposal Header\n");
printf("-----------------------------------------------------------------\n");
printf("Next payload: %d ", gen->next_payload);
dump_next_payload(gen->next_payload);
printf("Reserved: %d\n", gen->reserved);
printf("Payload length %d\n", ntohs(gen->length));
bp = bp + sizeof(ISAKMP_generic_hdr);
prop = EXTRACT_32BITS(bp);
bp = bp + 4;
printf("Proposal Number: %d\n", prop);
protocol_id = *bp;
bp++;
printf("Protocol ID: %d ", protocol_id);
switch( protocol_id )
{
case 0:
printf("(reserved)");
break;
case 1:
printf("(protocol ISAKMP)");
break;
case 2:
printf("(protocol IPSEC AH)");
break;
case 3:
printf("(protocol IPSEC ESP)");
break;
case 4:
printf("(protocol IPCOMP)");
break;
default:
printf("(unknown)");
break;
}
printf("\n");
spi_size = *bp;
bp++;
printf("SPI size: %d\n", spi_size);
num_trans = EXTRACT_16BITS(bp);
bp = bp + 2;
printf("Number of Transforms: %d\n", num_trans);
printf("SPI: not shown\n");
bp = bp + spi_size;
/*
* Move pointer to end of this header
*/
bp = old_bp + ntohs(gen->length);
determine_next_payload(gen->next_payload, bp);
}
/*----------------------------------------------------------------------------
**
** dump_hash_payload()
**
** Dump a hash payload.
**
**----------------------------------------------------------------------------
*/
void dump_hash_payload(u_char *bp)
{
ISAKMP_generic_hdr *gen;
u_char *old_bp;
gen = (ISAKMP_generic_hdr *) bp;
old_bp = bp;
printf("-----------------------------------------------------------------\n");
printf(" ISAKMP Hash Header\n");
printf("-----------------------------------------------------------------\n");
printf("Next payload: %d ", gen->next_payload);
dump_next_payload(gen->next_payload);
printf("Reserved: %d\n", gen->reserved);
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -