2 * Routines for the Internet Security Association and Key Management Protocol
3 * (ISAKMP) (RFC 2408) and the Internet IP Security Domain of Interpretation
4 * for ISAKMP (RFC 2407)
5 * Brad Robel-Forrest <brad.robel-forrest@watchguard.com>
7 * $Id: packet-isakmp.c,v 1.70 2003/10/08 05:36:19 guy Exp $
9 * Ethereal - Network traffic analyzer
10 * By Gerald Combs <gerald@ethereal.com>
11 * Copyright 1998 Gerald Combs
13 * This program is free software; you can redistribute it and/or
14 * modify it under the terms of the GNU General Public License
15 * as published by the Free Software Foundation; either version 2
16 * of the License, or (at your option) any later version.
18 * This program is distributed in the hope that it will be useful,
19 * but WITHOUT ANY WARRANTY; without even the implied warranty of
20 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21 * GNU General Public License for more details.
23 * You should have received a copy of the GNU General Public License
24 * along with this program; if not, write to the Free Software
25 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
37 #ifdef NEED_SNPRINTF_H
38 # include "snprintf.h"
41 #include <epan/packet.h>
42 #include <epan/ipv6-utils.h>
45 #define isakmp_min(a, b) ((a<b) ? a : b)
47 static int proto_isakmp = -1;
49 static gint ett_isakmp = -1;
50 static gint ett_isakmp_flags = -1;
51 static gint ett_isakmp_payload = -1;
53 #define UDP_PORT_ISAKMP 500
54 #define TCP_PORT_ISAKMP 500
56 #define NUM_PROTO_TYPES 5
57 #define proto2str(t) \
58 ((t < NUM_PROTO_TYPES) ? prototypestr[t] : "UNKNOWN-PROTO-TYPE")
60 static const char *prototypestr[NUM_PROTO_TYPES] = {
68 #define NUM_P1_ATT_TYPES 17
69 #define p1_atttype2str(t) \
70 ((t < NUM_P1_ATT_TYPES) ? p1_atttypestr[t] : "UNKNOWN-ATTRIBUTE-TYPE")
72 static const char *p1_atttypestr[NUM_P1_ATT_TYPES] = {
73 "UNKNOWN-ATTRIBUTE-TYPE",
74 "Encryption-Algorithm",
76 "Authentication-Method",
80 "Group-Generator-One",
81 "Group-Generator-Two",
92 #define NUM_ATT_TYPES 11
93 #define atttype2str(t) \
94 ((t < NUM_ATT_TYPES) ? atttypestr[t] : "UNKNOWN-ATTRIBUTE-TYPE")
96 static const char *atttypestr[NUM_ATT_TYPES] = {
97 "UNKNOWN-ATTRIBUTE-TYPE",
101 "Encapsulation-Mode",
102 "Authentication-Algorithm",
105 "Compress-Dictinary-Size",
106 "Compress-Private-Algorithm",
110 #define NUM_TRANS_TYPES 2
111 #define trans2str(t) \
112 ((t < NUM_TRANS_TYPES) ? transtypestr[t] : "UNKNOWN-TRANS-TYPE")
114 static const char *transtypestr[NUM_TRANS_TYPES] = {
119 #define NUM_AH_TRANS_TYPES 8
120 #define ah_trans2str(t) \
121 ((t < NUM_AH_TRANS_TYPES) ? ah_transtypestr[t] : "UNKNOWN-AH-TRANS-TYPE")
123 static const char *ah_transtypestr[NUM_AH_TRANS_TYPES] = {
134 #define NUM_ESP_TRANS_TYPES 13
135 #define esp_trans2str(t) \
136 ((t < NUM_ESP_TRANS_TYPES) ? esp_transtypestr[t] : "UNKNOWN-ESP-TRANS-TYPE")
138 static const char *esp_transtypestr[NUM_ESP_TRANS_TYPES] = {
154 #define NUM_IPCOMP_TRANS_TYPES 5
155 #define ipcomp_trans2str(t) \
156 ((t < NUM_IPCOMP_TRANS_TYPES) ? ipcomp_transtypestr[t] : "UNKNOWN-IPCOMP-TRANS-TYPE")
158 static const char *ipcomp_transtypestr[NUM_IPCOMP_TRANS_TYPES] = {
166 #define NUM_ID_TYPES 12
168 ((t < NUM_ID_TYPES) ? idtypestr[t] : "UNKNOWN-ID-TYPE")
170 static const char *idtypestr[NUM_ID_TYPES] = {
185 #define NUM_GRPDESC_TYPES 19
186 #define grpdesc2str(t) ((t < NUM_GRPDESC_TYPES) ? grpdescstr[t] : "UNKNOWN-GROUP-DESCRIPTION")
188 static const char *grpdescstr[NUM_GRPDESC_TYPES] = {
190 "Default 768-bit MODP group",
191 "Alternate 1024-bit MODP group",
192 "EC2N group on GP[2^155] group",
193 "EC2N group on GP[2^185] group",
194 "1536 bit MODP group",
195 "EC2N group over GF[2^163]",
196 "EC2N group over GF[2^163]",
197 "EC2N group over GF[2^283]",
198 "EC2N group over GF[2^283]",
199 "EC2N group over GF[2^409]",
200 "EC2N group over GF[2^409]",
201 "EC2N group over GF[2^571]",
202 "EC2N group over GF[2^571]",
203 "2048 bit MODP group",
204 "3072 bit MODP group",
205 "4096 bit MODP group",
206 "6144 bit MODP group",
207 "8192 bit MODP group",
224 struct udp_encap_hdr {
225 guint8 non_esp_marker[4];
229 static proto_tree *dissect_payload_header(tvbuff_t *, int, int, guint8,
230 guint8 *, guint16 *, proto_tree *);
232 static void dissect_sa(tvbuff_t *, int, int, proto_tree *, int);
233 static void dissect_proposal(tvbuff_t *, int, int, proto_tree *, int);
234 static void dissect_transform(tvbuff_t *, int, int, proto_tree *, int);
235 static void dissect_key_exch(tvbuff_t *, int, int, proto_tree *, int);
236 static void dissect_id(tvbuff_t *, int, int, proto_tree *, int);
237 static void dissect_cert(tvbuff_t *, int, int, proto_tree *, int);
238 static void dissect_certreq(tvbuff_t *, int, int, proto_tree *, int);
239 static void dissect_hash(tvbuff_t *, int, int, proto_tree *, int);
240 static void dissect_sig(tvbuff_t *, int, int, proto_tree *, int);
241 static void dissect_nonce(tvbuff_t *, int, int, proto_tree *, int);
242 static void dissect_notif(tvbuff_t *, int, int, proto_tree *, int);
243 static void dissect_delete(tvbuff_t *, int, int, proto_tree *, int);
244 static void dissect_vid(tvbuff_t *, int, int, proto_tree *, int);
245 static void dissect_config(tvbuff_t *, int, int, proto_tree *, int);
246 static void dissect_nat_discovery(tvbuff_t *, int, int, proto_tree *, int);
247 static void dissect_nat_original_address(tvbuff_t *, int, int, proto_tree *, int);
249 static const char *payloadtype2str(guint8);
250 static const char *exchtype2str(guint8);
251 static const char *doitype2str(guint32);
252 static const char *msgtype2str(guint16);
253 static const char *situation2str(guint32);
254 static const char *value2str(int, guint16, guint16);
255 static const char *attrtype2str(guint8);
256 static const char *cfgattrident2str(guint16);
257 static const char *certtype2str(guint8);
259 static gboolean get_num(tvbuff_t *, int, guint16, guint32 *);
261 #define LOAD_TYPE_NONE 0 /* payload type for None */
262 #define LOAD_TYPE_PROPOSAL 2 /* payload type for Proposal */
263 #define LOAD_TYPE_TRANSFORM 3 /* payload type for Transform */
264 #define NUM_LOAD_TYPES 17
265 #define loadtype2str(t) \
266 ((t < NUM_LOAD_TYPES) ? strfuncs[t].str : "Unknown payload type")
268 static struct strfunc {
270 void (*func)(tvbuff_t *, int, int, proto_tree *, int);
271 } strfuncs[NUM_LOAD_TYPES] = {
273 {"Security Association", dissect_sa },
274 {"Proposal", dissect_proposal },
275 {"Transform", dissect_transform },
276 {"Key Exchange", dissect_key_exch },
277 {"Identification", dissect_id },
278 {"Certificate", dissect_cert },
279 {"Certificate Request", dissect_certreq },
280 {"Hash", dissect_hash },
281 {"Signature", dissect_sig },
282 {"Nonce", dissect_nonce },
283 {"Notification", dissect_notif },
284 {"Delete", dissect_delete },
285 {"Vendor ID", dissect_vid },
286 {"Attrib", dissect_config },
287 {"NAT-Discovery", dissect_nat_discovery }, /* draft-ietf-ipsec-nat-t-ike */
288 {"NAT-Original Address", dissect_nat_original_address } /* draft-ietf-ipsec-nat-t-ike */
292 #define VID_MS_LEN 20
293 static const guint8 VID_MS_W2K_WXP[VID_MS_LEN] = {0x1E, 0x2B, 0x51, 0x69, 0x5, 0x99, 0x1C, 0x7D, 0x7C, 0x96, 0xFC, 0xBF, 0xB5, 0x87, 0xE4, 0x61, 0x0, 0x0, 0x0, 0x2}; /* according to http://www.microsoft.com/technet/treeview/default.asp?url=/technet/columns/cableguy/cg0602.asp */
295 #define VID_CP_LEN 20
296 static const guint8 VID_CP[VID_CP_LEN] = {0xF4, 0xED, 0x19, 0xE0, 0xC1, 0x14, 0xEB, 0x51, 0x6F, 0xAA, 0xAC, 0x0E, 0xE3, 0x7D, 0xAF, 0x28, 0x7, 0xB4, 0x38, 0x1F};
298 static const guint8 VID_CYBERGUARD[VID_LEN] = {0x9A, 0xA1, 0xF3, 0xB4, 0x34, 0x72, 0xA4, 0x5D, 0x5F, 0x50, 0x6A, 0xEB, 0x26, 0xC, 0xF2, 0x14};
300 static const guint8 VID_draft_ietf_ipsec_nat_t_ike_03[VID_LEN] = {0x7D, 0x94, 0x19, 0xA6, 0x53, 0x10, 0xCA, 0x6F, 0x2C, 0x17, 0x9D, 0x92, 0x15, 0x52, 0x9d, 0x56}; /* according to http://www.ietf.org/internet-drafts/draft-ietf-ipsec-nat-t-ike-03.txt */
303 * Seen in Netscreen. Suppose to be ASCII HeartBeat_Notify - but I don't know the rest yet. I suspect it then proceeds with
304 * 8k10, which means every 8K (?), and version 1.0 of the protocol (?). I won't add it to the code, until I know what it really
305 * means. ykaul-at-netvision.net.il
307 static const guint8 VID_HeartBeat_Notify[VID_LEN] = {0x48, 0x65, 0x61, 0x72, 0x74, 0x42, 0x65, 0x61, 0x74, 0x5f, 0x4e, 0x6f, 0x74, 0x69, 0x66, 0x79};
309 static dissector_handle_t esp_handle;
310 static dissector_handle_t ah_handle;
313 dissect_payloads(tvbuff_t *tvb, proto_tree *tree, guint8 initial_payload,
314 int offset, int length)
316 guint8 payload, next_payload;
317 guint16 payload_length;
320 for (payload = initial_payload; length != 0; payload = next_payload) {
321 if (payload == LOAD_TYPE_NONE) {
323 * What? There's more stuff in this chunk of data, but the
324 * previous payload had a "next payload" type of None?
326 proto_tree_add_text(tree, tvb, offset, length,
328 tvb_bytes_to_str(tvb, offset, length));
331 ntree = dissect_payload_header(tvb, offset, length, payload,
332 &next_payload, &payload_length, tree);
335 if (payload_length >= 4) { /* XXX = > 4? */
336 if (payload < NUM_LOAD_TYPES && strfuncs[payload].func != NULL) {
337 (*strfuncs[payload].func)(tvb, offset + 4, payload_length - 4, ntree,
341 proto_tree_add_text(ntree, tvb, offset + 4, payload_length - 4,
346 proto_tree_add_text(ntree, tvb, offset + 4, 0,
347 "Payload (bogus, length is %u, must be at least 4)",
351 offset += payload_length;
352 length -= payload_length;
357 dissect_isakmp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
360 struct isakmp_hdr hdr;
362 proto_tree * isakmp_tree = NULL;
363 struct udp_encap_hdr encap_hdr;
365 static const guint8 non_esp_marker[4] = { 0, 0, 0, 0 };
368 if (check_col(pinfo->cinfo, COL_PROTOCOL))
369 col_set_str(pinfo->cinfo, COL_PROTOCOL, "ISAKMP");
370 if (check_col(pinfo->cinfo, COL_INFO))
371 col_clear(pinfo->cinfo, COL_INFO);
373 hdr.length = tvb_get_ntohl(tvb, offset + sizeof(hdr) - sizeof(hdr.length));
376 ti = proto_tree_add_item(tree, proto_isakmp, tvb, offset, hdr.length, FALSE);
377 isakmp_tree = proto_item_add_subtree(ti, ett_isakmp);
380 tvb_memcpy(tvb, (guint8 *)&encap_hdr, 0, sizeof(encap_hdr));
382 if (encap_hdr.non_esp_marker[0] == 0xFF) {
383 if (check_col(pinfo->cinfo, COL_INFO))
384 col_add_str(pinfo->cinfo, COL_INFO, "UDP encapsulated IPSec - NAT Keepalive");
387 if (memcmp(encap_hdr.non_esp_marker,non_esp_marker,4) == 0) {
388 if (check_col(pinfo->cinfo, COL_INFO))
389 col_add_str(pinfo->cinfo, COL_INFO, "UDP encapsulated IPSec - ESP");
391 proto_tree_add_text(isakmp_tree, tvb, offset,
392 sizeof(encap_hdr.non_esp_marker),
394 offset += sizeof(encap_hdr.non_esp_marker);
395 next_tvb = tvb_new_subset(tvb, offset, -1, -1);
396 call_dissector(esp_handle, next_tvb, pinfo, tree);
399 hdr.exch_type = tvb_get_guint8(tvb, sizeof(hdr.icookie) + sizeof(hdr.rcookie) + sizeof(hdr.next_payload) + sizeof(hdr.version));
400 if (check_col(pinfo->cinfo, COL_INFO))
401 col_add_str(pinfo->cinfo, COL_INFO, exchtype2str(hdr.exch_type));
404 tvb_memcpy(tvb, (guint8 *)&hdr.icookie, offset, sizeof(hdr.icookie));
405 proto_tree_add_text(isakmp_tree, tvb, offset, sizeof(hdr.icookie),
406 "Initiator cookie: 0x%s", tvb_bytes_to_str(tvb, offset, sizeof(hdr.icookie)));
407 offset += sizeof(hdr.icookie);
409 tvb_memcpy(tvb, (guint8 *)&hdr.rcookie, offset, sizeof(hdr.rcookie));
410 proto_tree_add_text(isakmp_tree, tvb, offset, sizeof(hdr.rcookie),
411 "Responder cookie: 0x%s", tvb_bytes_to_str(tvb, offset, sizeof(hdr.rcookie)));
412 offset += sizeof(hdr.rcookie);
414 hdr.next_payload = tvb_get_guint8(tvb, offset);
415 proto_tree_add_text(isakmp_tree, tvb, offset, sizeof(hdr.next_payload),
416 "Next payload: %s (%u)",
417 payloadtype2str(hdr.next_payload), hdr.next_payload);
418 offset += sizeof(hdr.next_payload);
420 hdr.version = tvb_get_guint8(tvb, offset);
421 proto_tree_add_text(isakmp_tree, tvb, offset, sizeof(hdr.version),
423 hi_nibble(hdr.version), lo_nibble(hdr.version));
424 offset += sizeof(hdr.version);
426 hdr.exch_type = tvb_get_guint8(tvb, offset);
427 proto_tree_add_text(isakmp_tree, tvb, offset, sizeof(hdr.exch_type),
428 "Exchange type: %s (%u)",
429 exchtype2str(hdr.exch_type), hdr.exch_type);
430 offset += sizeof(hdr.exch_type);
436 hdr.flags = tvb_get_guint8(tvb, offset);
437 fti = proto_tree_add_text(isakmp_tree, tvb, offset, sizeof(hdr.flags), "Flags");
438 ftree = proto_item_add_subtree(fti, ett_isakmp_flags);
440 proto_tree_add_text(ftree, tvb, offset, 1, "%s",
441 decode_boolean_bitfield(hdr.flags, E_FLAG, sizeof(hdr.flags)*8,
442 "Encryption", "No encryption"));
443 proto_tree_add_text(ftree, tvb, offset, 1, "%s",
444 decode_boolean_bitfield(hdr.flags, C_FLAG, sizeof(hdr.flags)*8,
445 "Commit", "No commit"));
446 proto_tree_add_text(ftree, tvb, offset, 1, "%s",
447 decode_boolean_bitfield(hdr.flags, A_FLAG, sizeof(hdr.flags)*8,
448 "Authentication", "No authentication"));
449 offset += sizeof(hdr.flags);
452 proto_tree_add_text(isakmp_tree, tvb, offset, sizeof(hdr.message_id),
453 "Message ID: 0x%s", tvb_bytes_to_str(tvb, offset, sizeof(hdr.message_id)));
454 offset += sizeof(hdr.message_id);
456 proto_tree_add_text(isakmp_tree, tvb, offset, sizeof(hdr.length),
457 "Length: %u", hdr.length);
458 offset += sizeof(hdr.length);
460 len = hdr.length - sizeof(hdr);
462 if (hdr.flags & E_FLAG) {
463 if (len && isakmp_tree) {
464 proto_tree_add_text(isakmp_tree, tvb, offset, len,
465 "Encrypted payload (%d byte%s)",
466 len, plurality(len, "", "s"));
469 dissect_payloads(tvb, isakmp_tree, hdr.next_payload, offset, len);
474 dissect_payload_header(tvbuff_t *tvb, int offset, int length, guint8 payload,
475 guint8 *next_payload_p, guint16 *payload_length_p, proto_tree *tree)
478 guint16 payload_length;
483 proto_tree_add_text(tree, tvb, offset, length,
484 "Not enough room in payload for all transforms");
487 next_payload = tvb_get_guint8(tvb, offset);
488 payload_length = tvb_get_ntohs(tvb, offset + 2);
490 ti = proto_tree_add_text(tree, tvb, offset, payload_length,
491 "%s payload", loadtype2str(payload));
492 ntree = proto_item_add_subtree(ti, ett_isakmp_payload);
494 proto_tree_add_text(ntree, tvb, offset, 1,
495 "Next payload: %s (%u)",
496 payloadtype2str(next_payload), next_payload);
497 proto_tree_add_text(ntree, tvb, offset+2, 2, "Length: %u", payload_length);
499 *next_payload_p = next_payload;
500 *payload_length_p = payload_length;
505 dissect_sa(tvbuff_t *tvb, int offset, int length, proto_tree *tree,
512 proto_tree_add_text(tree, tvb, offset, length,
513 "DOI %s (length is %u, should be >= 4)",
514 tvb_bytes_to_str(tvb, offset, length), length);
517 doi = tvb_get_ntohl(tvb, offset);
518 proto_tree_add_text(tree, tvb, offset, 4,
519 "Domain of interpretation: %s (%u)",
520 doitype2str(doi), doi);
527 proto_tree_add_text(tree, tvb, offset, length,
528 "Situation: %s (length is %u, should be >= 4)",
529 tvb_bytes_to_str(tvb, offset, length), length);
532 situation = tvb_get_ntohl(tvb, offset);
533 proto_tree_add_text(tree, tvb, offset, 4,
534 "Situation: %s (%u)",
535 situation2str(situation), situation);
539 dissect_payloads(tvb, tree, LOAD_TYPE_PROPOSAL, offset, length);
542 proto_tree_add_text(tree, tvb, offset, length,
544 tvb_bytes_to_str(tvb, offset, length));
549 dissect_proposal(tvbuff_t *tvb, int offset, int length, proto_tree *tree,
554 guint8 num_transforms;
556 guint16 payload_length;
560 proposal_num = tvb_get_guint8(tvb, offset);
562 proto_item_append_text(tree, " # %d",proposal_num);
563 proto_tree_add_text(tree, tvb, offset, 1,
564 "Proposal number: %u", proposal_num);
568 protocol_id = tvb_get_guint8(tvb, offset);
569 proto_tree_add_text(tree, tvb, offset, 1,
570 "Protocol ID: %s (%u)",
571 proto2str(protocol_id), protocol_id);
575 spi_size = tvb_get_guint8(tvb, offset);
576 proto_tree_add_text(tree, tvb, offset, 1,
577 "SPI size: %u", spi_size);
581 num_transforms = tvb_get_guint8(tvb, offset);
582 proto_tree_add_text(tree, tvb, offset, 1,
583 "Number of transforms: %u", num_transforms);
588 proto_tree_add_text(tree, tvb, offset, spi_size, "SPI: %s",
589 tvb_bytes_to_str(tvb, offset, spi_size));
594 while (num_transforms > 0) {
595 ntree = dissect_payload_header(tvb, offset, length, LOAD_TYPE_TRANSFORM,
596 &next_payload, &payload_length, tree);
599 if (length < payload_length) {
600 proto_tree_add_text(tree, tvb, offset + 4, length,
601 "Not enough room in payload for all transforms");
604 if (payload_length >= 4)
605 dissect_transform(tvb, offset + 4, payload_length - 4, ntree, protocol_id);
607 proto_tree_add_text(ntree, tvb, offset + 4, payload_length - 4, "Payload");
608 offset += payload_length;
609 length -= payload_length;
615 dissect_transform(tvbuff_t *tvb, int offset, int length, proto_tree *tree,
619 guint8 transform_num;
621 transform_num = tvb_get_guint8(tvb, offset);
622 proto_item_append_text(tree," # %d",transform_num);
623 proto_tree_add_text(tree, tvb, offset, 1,
624 "Transform number: %u", transform_num);
628 transform_id = tvb_get_guint8(tvb, offset);
629 switch (protocol_id) {
631 proto_tree_add_text(tree, tvb, offset, 1,
632 "Transform ID: %u", transform_id);
635 proto_tree_add_text(tree, tvb, offset, 1,
636 "Transform ID: %s (%u)",
637 trans2str(transform_id), transform_id);
640 proto_tree_add_text(tree, tvb, offset, 1,
641 "Transform ID: %s (%u)",
642 ah_trans2str(transform_id), transform_id);
645 proto_tree_add_text(tree, tvb, offset, 1,
646 "Transform ID: %s (%u)",
647 esp_trans2str(transform_id), transform_id);
650 proto_tree_add_text(tree, tvb, offset, 1,
651 "Transform ID: %s (%u)",
652 ipcomp_trans2str(transform_id), transform_id);
661 guint16 aft = tvb_get_ntohs(tvb, offset);
662 guint16 type = aft & 0x7fff;
667 if (protocol_id == 1 && transform_id == 1) {
669 str = p1_atttype2str(type);
672 str = atttype2str(type);
676 val = tvb_get_ntohs(tvb, offset + 2);
677 proto_tree_add_text(tree, tvb, offset, 4,
680 value2str(ike_phase1, type, val), val);
685 len = tvb_get_ntohs(tvb, offset + 2);
687 if (!get_num(tvb, offset + 4, len, &val)) {
688 proto_tree_add_text(tree, tvb, offset, pack_len,
689 "%s (%u): <too big (%u bytes)>",
692 proto_tree_add_text(tree, tvb, offset, pack_len,
695 value2str(ike_phase1, type, val), val);
704 dissect_key_exch(tvbuff_t *tvb, int offset, int length, proto_tree *tree,
707 proto_tree_add_text(tree, tvb, offset, length, "Key Exchange Data");
711 dissect_id(tvbuff_t *tvb, int offset, int length, proto_tree *tree,
718 id_type = tvb_get_guint8(tvb, offset);
719 proto_tree_add_text(tree, tvb, offset, 1,
720 "ID type: %s (%u)", id2str(id_type), id_type);
724 protocol_id = tvb_get_guint8(tvb, offset);
725 if (protocol_id == 0) {
726 proto_tree_add_text(tree, tvb, offset, 1,
727 "Protocol ID: Unused");
729 proto_tree_add_text(tree, tvb, offset, 1,
730 "Protocol ID: %s (%u)",
731 ipprotostr(protocol_id), protocol_id);
736 port = tvb_get_ntohs(tvb, offset);
738 proto_tree_add_text(tree, tvb, offset, 2, "Port: Unused");
740 proto_tree_add_text(tree, tvb, offset, 2, "Port: %u", port);
746 proto_tree_add_text(tree, tvb, offset, length,
747 "Identification data: %s",
748 ip_to_str(tvb_get_ptr(tvb, offset, 4)));
752 proto_tree_add_text(tree, tvb, offset, length,
753 "Identification data: %.*s", length,
754 tvb_get_ptr(tvb, offset, length));
757 proto_tree_add_text(tree, tvb, offset, length,
758 "Identification data: %s/%s",
759 ip_to_str(tvb_get_ptr(tvb, offset, 4)),
760 ip_to_str(tvb_get_ptr(tvb, offset+4, 4)));
763 proto_tree_add_text(tree, tvb, offset, length, "Identification Data");
769 dissect_cert(tvbuff_t *tvb, int offset, int length, proto_tree *tree,
774 cert_enc = tvb_get_guint8(tvb, offset);
775 proto_tree_add_text(tree, tvb, offset, 1,
776 "Certificate encoding: %u - %s",
777 cert_enc, certtype2str(cert_enc));
781 proto_tree_add_text(tree, tvb, offset, length, "Certificate Data");
785 dissect_certreq(tvbuff_t *tvb, int offset, int length, proto_tree *tree,
790 cert_type = tvb_get_guint8(tvb, offset);
791 proto_tree_add_text(tree, tvb, offset, 1,
792 "Certificate type: %u - %s",
793 cert_type, certtype2str(cert_type));
797 proto_tree_add_text(tree, tvb, offset, length, "Certificate Authority");
801 dissect_hash(tvbuff_t *tvb, int offset, int length, proto_tree *tree,
804 proto_tree_add_text(tree, tvb, offset, length, "Hash Data");
808 dissect_sig(tvbuff_t *tvb, int offset, int length, proto_tree *tree,
811 proto_tree_add_text(tree, tvb, offset, length, "Signature Data");
815 dissect_nonce(tvbuff_t *tvb, int offset, int length, proto_tree *tree,
818 proto_tree_add_text(tree, tvb, offset, length, "Nonce Data");
822 dissect_notif(tvbuff_t *tvb, int offset, int length, proto_tree *tree,
830 doi = tvb_get_ntohl(tvb, offset);
831 proto_tree_add_text(tree, tvb, offset, 4,
832 "Domain of Interpretation: %s (%u)",
833 doitype2str(doi), doi);
837 protocol_id = tvb_get_guint8(tvb, offset);
838 proto_tree_add_text(tree, tvb, offset, 1,
839 "Protocol ID: %s (%u)",
840 proto2str(protocol_id), protocol_id);
844 spi_size = tvb_get_guint8(tvb, offset);
845 proto_tree_add_text(tree, tvb, offset, 1,
846 "SPI size: %u", spi_size);
850 msgtype = tvb_get_ntohs(tvb, offset);
851 proto_tree_add_text(tree, tvb, offset, 2,
852 "Message type: %s (%u)", msgtype2str(msgtype), msgtype);
857 proto_tree_add_text(tree, tvb, offset, spi_size, "Security Parameter Index");
863 proto_tree_add_text(tree, tvb, offset, length, "Notification Data");
867 dissect_delete(tvbuff_t *tvb, int offset, int length, proto_tree *tree,
876 doi = tvb_get_ntohl(tvb, offset);
877 proto_tree_add_text(tree, tvb, offset, 4,
878 "Domain of Interpretation: %s (%u)",
879 doitype2str(doi), doi);
883 protocol_id = tvb_get_guint8(tvb, offset);
884 proto_tree_add_text(tree, tvb, offset, 1,
885 "Protocol ID: %s (%u)",
886 proto2str(protocol_id), protocol_id);
890 spi_size = tvb_get_guint8(tvb, offset);
891 proto_tree_add_text(tree, tvb, offset, 1,
892 "SPI size: %u", spi_size);
896 num_spis = tvb_get_ntohs(tvb, offset);
897 proto_tree_add_text(tree, tvb, offset, 2,
898 "Number of SPIs: %u", num_spis);
902 for (i = 0; i < num_spis; ++i) {
903 if (length < spi_size) {
904 proto_tree_add_text(tree, tvb, offset, length,
905 "Not enough room in payload for all SPI's");
908 proto_tree_add_text(tree, tvb, offset, spi_size,
916 dissect_vid(tvbuff_t *tvb, int offset, int length, proto_tree *tree,
919 guint32 CPproduct, CPversion;
923 pVID = tvb_get_ptr(tvb, offset, length);
924 pt = proto_tree_add_text(tree, tvb, offset, length, "Vendor ID: ");
925 if (memcmp(pVID, VID_MS_W2K_WXP, isakmp_min(VID_MS_LEN, length)) == 0)
926 proto_item_append_text(pt, "Microsoft Win2K/WinXP");
928 if (memcmp(pVID, VID_CP, isakmp_min(VID_CP_LEN, length)) == 0)
930 proto_item_append_text(pt, "Check Point");
931 offset += VID_CP_LEN;
932 CPproduct = tvb_get_ntohl(tvb, offset);
933 ntree = proto_item_add_subtree(pt, ett_isakmp_payload);
934 pt = proto_tree_add_text(ntree, tvb, offset, sizeof(CPproduct), "Check Point Product: ");
936 case 1: proto_item_append_text(pt, "VPN-1");
938 case 2: proto_item_append_text(pt, "SecuRemote/SecureClient");
940 default: proto_item_append_text(pt, "Unknown CP product!");
943 offset += sizeof(CPproduct);
944 CPversion = tvb_get_ntohl(tvb, offset);
945 pt = proto_tree_add_text(ntree, tvb, offset, length, "Version: ");
947 case 2: proto_item_append_text(pt, "4.1");
949 case 3: proto_item_append_text(pt, "4.1 SP-1");
951 case 4002: proto_item_append_text(pt, "4.1 (SP-2 or above)");
953 case 5000: proto_item_append_text(pt, "NG");
955 case 5001: proto_item_append_text(pt, "NG Feature Pack 1");
957 case 5002: proto_item_append_text(pt, "NG Feature Pack 2");
959 case 5003: proto_item_append_text(pt, "NG Feature Pack 3");
961 default: proto_item_append_text(pt, " Uknown CP version!");
966 if (memcmp(pVID, VID_CYBERGUARD, isakmp_min(VID_LEN, length)) == 0)
967 proto_item_append_text(pt, "Cyber Guard");
969 if (memcmp(pVID, VID_draft_ietf_ipsec_nat_t_ike_03, isakmp_min(VID_LEN, length)) == 0)
970 proto_item_append_text(pt, "draft-ietf-ipsec-nat-t-ike-03");
972 proto_item_append_text(pt, "unknown vendor ID: 0x%s",tvb_bytes_to_str(tvb, offset, length));
976 dissect_config(tvbuff_t *tvb, int offset, int length, proto_tree *tree,
981 type = tvb_get_guint8(tvb, offset);
982 proto_tree_add_text(tree, tvb, offset, 1,
983 "Type %s (%u)",attrtype2str(type),type);
988 proto_tree_add_text(tree, tvb, offset, 2,
989 "Identifier: %u", tvb_get_ntohs(tvb, offset));
994 guint16 aft = tvb_get_ntohs(tvb, offset);
995 guint16 type = aft & 0x7fff;
1001 val = tvb_get_ntohs(tvb, offset + 2);
1002 proto_tree_add_text(tree, tvb, offset, 4,
1003 "%s (%u)", cfgattrident2str(type), val);
1008 len = tvb_get_ntohs(tvb, offset + 2);
1010 if (!get_num(tvb, offset + 4, len, &val)) {
1011 proto_tree_add_text(tree, tvb, offset, pack_len,
1012 "%s: <too big (%u bytes)>",
1013 cfgattrident2str(type), len);
1015 proto_tree_add_text(tree, tvb, offset, 4,
1016 "%s (%ue)", cfgattrident2str(type),
1026 dissect_nat_discovery(tvbuff_t *tvb, int offset, int length, proto_tree *tree,
1029 proto_tree_add_text(tree, tvb, offset, length,
1030 "Hash of address and port: %s",
1031 tvb_bytes_to_str(tvb, offset, length));
1035 dissect_nat_original_address(tvbuff_t *tvb, int offset, int length, proto_tree *tree,
1040 struct e_in6_addr addr_ipv6;
1042 id_type = tvb_get_guint8(tvb, offset);
1043 proto_tree_add_text(tree, tvb, offset, 1,
1044 "ID type: %s (%u)", id2str(id_type), id_type);
1048 offset += 3; /* reserved */
1053 case 1: /* ID_IPV4_ADDR */
1055 tvb_memcpy(tvb, (guint8 *)&addr_ipv4, offset, length);
1056 proto_tree_add_text(tree, tvb, offset, length,
1057 "Original address: %s",
1058 ip_to_str((guint8 *)&addr_ipv4));
1060 proto_tree_add_text(tree, tvb, offset, length,
1061 "Original address: bad length, should be 4, is %u",
1066 case 5: /* ID_IPV6_ADDR */
1068 tvb_memcpy(tvb, (guint8 *)&addr_ipv6, offset, length);
1069 proto_tree_add_text(tree, tvb, offset, length,
1070 "Original address: %s",
1071 ip6_to_str(&addr_ipv6));
1073 proto_tree_add_text(tree, tvb, offset, length,
1074 "Original address: bad length, should be 16, is %u",
1080 proto_tree_add_text(tree, tvb, offset, length,
1081 "Original address: bad address type");
1087 payloadtype2str(guint8 type) {
1089 if (type < NUM_LOAD_TYPES)
1090 return strfuncs[type].str;
1093 return "Private USE";
1097 exchtype2str(guint8 type) {
1099 #define NUM_EXCHSTRS 7
1100 static const char * exchstrs[NUM_EXCHSTRS] = {
1103 "Identity Protection (Main Mode)",
1104 "Authentication Only",
1107 "Transaction (Config Mode)"
1110 if (type < NUM_EXCHSTRS) return exchstrs[type];
1111 if (type < 32) return "ISAKMP Future Use";
1114 return "Quick Mode";
1116 return "New Group Mode";
1119 return "DOI Specific Use";
1120 return "Private Use";
1124 doitype2str(guint32 type) {
1125 if (type == 1) return "IPSEC";
1126 return "Unknown DOI Type";
1130 msgtype2str(guint16 type) {
1132 #define NUM_PREDEFINED 31
1133 static const char *msgs[NUM_PREDEFINED] = {
1135 "INVALID-PAYLOAD-TYPE",
1136 "DOI-NOT-SUPPORTED",
1137 "SITUATION-NOT-SUPPORTED",
1139 "INVALID-MAJOR-VERSION",
1140 "INVALID-MINOR-VERSION",
1141 "INVALID-EXCHANGE-TYPE",
1143 "INVALID-MESSAGE-ID",
1144 "INVALID-PROTOCOL-ID",
1146 "INVALID-TRANSFORM-ID",
1147 "ATTRIBUTES-NOT-SUPPORTED",
1148 "NO-PROPOSAL-CHOSEN",
1149 "BAD-PROPOSAL-SYNTAX",
1150 "PAYLOAD-MALFORMED",
1151 "INVALID-KEY-INFORMATION",
1152 "INVALID-ID-INFORMATION",
1153 "INVALID-CERT-ENCODING",
1154 "INVALID-CERTIFICATE",
1155 "CERT-TYPE-UNSUPPORTED",
1156 "INVALID-CERT-AUTHORITY",
1157 "INVALID-HASH-INFORMATION",
1158 "AUTHENTICATION-FAILED",
1159 "INVALID-SIGNATURE",
1160 "ADDRESS-NOTIFICATION",
1161 "NOTIFY-SA-LIFETIME",
1162 "CERTIFICATE-UNAVAILABLE",
1163 "UNSUPPORTED-EXCHANGE-TYPE",
1164 "UNEQUAL-PAYLOAD-LENGTHS"
1167 if (type < NUM_PREDEFINED) return msgs[type];
1168 if (type < 8192) return "RESERVED (Future Use)";
1169 if (type < 16384) return "Private Use";
1170 if (type < 16385) return "CONNECTED";
1171 if (type < 24576) return "RESERVED (Future Use) - status";
1172 if (type < 24577) return "RESPONDER-LIFETIME";
1173 if (type < 24578) return "REPLAY-STATUS";
1174 if (type < 24579) return "INITIAL-CONTACT";
1175 if (type < 32768) return "DOI-specific codes";
1176 if (type < 40960) return "Private Use - status";
1177 if (type < 65535) return "RESERVED (Future Use) - status (2)";
1179 return "Huh? You should never see this! Shame on you!";
1183 situation2str(guint32 type) {
1185 #define SIT_MSG_NUM 1024
1186 #define SIT_IDENTITY 0x01
1187 #define SIT_SECRECY 0x02
1188 #define SIT_INTEGRITY 0x04
1190 static char msg[SIT_MSG_NUM];
1195 if (type & SIT_IDENTITY) {
1196 ret = snprintf(msg, SIT_MSG_NUM-n, "%sIDENTITY", sep);
1197 if (ret == -1 || ret >= SIT_MSG_NUM-n) {
1199 msg[SIT_MSG_NUM-1] = '\0';
1205 if (type & SIT_SECRECY) {
1206 if (n >= SIT_MSG_NUM) {
1210 ret = snprintf(msg, SIT_MSG_NUM-n, "%sSECRECY", sep);
1211 if (ret == -1 || ret >= SIT_MSG_NUM-n) {
1213 msg[SIT_MSG_NUM-1] = '\0';
1219 if (type & SIT_INTEGRITY) {
1220 if (n >= SIT_MSG_NUM) {
1224 ret = snprintf(msg, SIT_MSG_NUM-n, "%sINTEGRITY", sep);
1225 if (ret == -1 || ret >= SIT_MSG_NUM-n) {
1227 msg[SIT_MSG_NUM-1] = '\0';
1238 value2str(int ike_p1, guint16 att_type, guint16 value) {
1240 if (value == 0) return "RESERVED";
1246 case 0: return "RESERVED";
1247 case 1: return "Seconds";
1248 case 2: return "Kilobytes";
1249 default: return "UNKNOWN-SA-VALUE";
1252 return "Duration-Value";
1254 return "Group-Value";
1257 case 0: return "RESERVED";
1258 case 1: return "Tunnel";
1259 case 2: return "Transport";
1260 case 3: return "UDP-Encapsulated-Tunnel"; /* http://www.ietf.org/internet-drafts/draft-ietf-ipsec-nat-t-ike-05.txt */
1261 case 4: return "UDP-Encapsulated-Transport"; /* http://www.ietf.org/internet-drafts/draft-ietf-ipsec-nat-t-ike-05.txt */
1262 case 61440: return "Check Point IPSec UDP Encapsulation";
1263 case 61443: return "UDP-Encapsulated-Tunnel (draft)";
1264 case 61444: return "UDP-Encapsulated-Transport (draft)";
1265 default: return "UNKNOWN-ENCAPSULATION-VALUE";
1269 case 0: return "RESERVED";
1270 case 1: return "HMAC-MD5";
1271 case 2: return "HMAC-SHA";
1272 case 3: return "DES-MAC";
1273 case 4: return "KPDK";
1274 case 5: return "HMAC-SHA2-256";
1275 case 6: return "HMAC-SHA2-384";
1276 case 7: return "HMAC-SHA2-512";
1277 default: return "UNKNOWN-AUTHENTICATION-VALUE";
1280 return "Key-Length";
1282 return "Key-Rounds";
1284 return "Compress-Dictionary-size";
1286 return "Compress Private Algorithm";
1287 default: return "UNKNOWN-ATTRIBUTE-TYPE";
1294 case 1: return "DES-CBC";
1295 case 2: return "IDEA-CBC";
1296 case 3: return "BLOWFISH-CBC";
1297 case 4: return "RC5-R16-B64-CBC";
1298 case 5: return "3DES-CBC";
1299 case 6: return "CAST-CBC";
1300 case 7: return "AES-CBC";
1301 default: return "UNKNOWN-ENCRYPTION-ALG";
1305 case 1: return "MD5";
1306 case 2: return "SHA";
1307 case 3: return "TIGER";
1308 case 4: return "SHA2-256";
1309 case 5: return "SHA2-384";
1310 case 6: return "SHA2-512";
1311 default: return "UNKNOWN-HASH-ALG";
1315 case 1: return "PSK";
1316 case 2: return "DSS-SIG";
1317 case 3: return "RSA-SIG";
1318 case 4: return "RSA-ENC";
1319 case 5: return "RSA-Revised-ENC";
1320 case 6: return "Encryption with El-Gamal";
1321 case 7: return "Revised encryption with El-Gamal";
1322 case 8: return "ECDSA signatures";
1323 case 9: return "AES-XCBC-MAC";
1324 case 64221: return "HybridInitRSA";
1325 case 64222: return "HybridRespRSA";
1326 case 64223: return "HybridInitDSS";
1327 case 64224: return "HybridRespDSS";
1328 case 65001: return "XAUTHInitPreShared";
1329 case 65002: return "XAUTHRespPreShared";
1330 case 65003: return "XAUTHInitDSS";
1331 case 65004: return "XAUTHRespDSS";
1332 case 65005: return "XAUTHInitRSA";
1333 case 65006: return "XAUTHRespRSA";
1334 case 65007: return "XAUTHInitRSAEncryption";
1335 case 65008: return "XAUTHRespRSAEncryption";
1336 case 65009: return "XAUTHInitRSARevisedEncryption";
1337 case 65010: return "XAUTHRespRSARevisedEncryption";
1338 default: return "UNKNOWN-AUTH-METHOD";
1340 case 4: return grpdesc2str(value);
1347 return "Group-Value";
1350 case 1: return "MODP";
1351 case 2: return "ECP";
1352 case 3: return "EC2N";
1353 default: return "UNKNOWN-GROUPT-TYPE";
1357 case 1: return "Seconds";
1358 case 2: return "Kilobytes";
1359 default: return "UNKNOWN-SA-VALUE";
1362 return "Duration-Value";
1366 return "Key-Length";
1368 return "Field-Size";
1369 default: return "UNKNOWN-ATTRIBUTE-TYPE";
1375 attrtype2str(guint8 type) {
1377 case 0: return "Reserved";
1378 case 1: return "ISAKMP_CFG_REQUEST";
1379 case 2: return "ISAKMP_CFG_REPLY";
1380 case 3: return "ISAKMP_CFG_SET";
1381 case 4: return "ISAKMP_CFG_ACK";
1384 return "Future use";
1385 return "Private use";
1389 cfgattrident2str(guint16 ident) {
1390 #define NUM_ATTR_DEFINED 12
1391 static const char *msgs[NUM_PREDEFINED] = {
1393 "INTERNAL_IP4_ADDRESS",
1394 "INTERNAL_IP4_NETMASK",
1396 "INTERNAL_IP4_NBNS",
1397 "INTERNAL_ADDRESS_EXPIREY",
1398 "INTERNAL_IP4_DHCP",
1399 "APPLICATION_VERSION"
1400 "INTERNAL_IP6_ADDRESS",
1401 "INTERNAL_IP6_NETMASK",
1403 "INTERNAL_IP6_NBNS",
1404 "INTERNAL_IP6_DHCP",
1406 if(ident < NUM_ATTR_DEFINED)
1409 return "Future use";
1411 case 16520: return "XAUTH_TYPE";
1412 case 16521: return "XAUTH_USER_NAME";
1413 case 16522: return "XAUTH_USER_PASSWORD";
1414 case 16523: return "XAUTH_PASSCODE";
1415 case 16524: return "XAUTH_MESSAGE";
1416 case 16525: return "XAUTH_CHALLANGE";
1417 case 16526: return "XAUTH_DOMAIN";
1418 case 16527: return "XAUTH_STATUS";
1419 case 16528: return "XAUTH_NEXT_PIN";
1420 case 16529: return "XAUTH_ANSWER";
1421 default: return "Private use";
1426 certtype2str(guint8 type) {
1427 #define NUM_CERTTYPE 11
1428 static const char *msgs[NUM_CERTTYPE] = {
1430 "PKCS #7 wrapped X.509 certificate",
1433 "X.509 Certificate - Signature",
1434 "X.509 Certificate - Key Exchange",
1436 "Certificate Revocation List (CRL)",
1437 "Authority Revocation List (ARL)",
1439 "X.509 Certificate - Attribute",
1441 if(type > NUM_CERTTYPE)
1447 get_num(tvbuff_t *tvb, int offset, guint16 len, guint32 *num_p) {
1451 *num_p = tvb_get_guint8(tvb, offset);
1454 *num_p = tvb_get_ntohs(tvb, offset);
1457 *num_p = tvb_get_ntoh24(tvb, offset);
1460 *num_p = tvb_get_ntohl(tvb, offset);
1470 proto_register_isakmp(void)
1472 /* static hf_register_info hf[] = {
1474 { "Name", "isakmp.abbreviation", TYPE, VALS_POINTER }},
1476 static gint *ett[] = {
1479 &ett_isakmp_payload,
1482 proto_isakmp = proto_register_protocol("Internet Security Association and Key Management Protocol",
1483 "ISAKMP", "isakmp");
1484 /* proto_register_field_array(proto_isakmp, hf, array_length(hf));*/
1485 proto_register_subtree_array(ett, array_length(ett));
1487 register_dissector("isakmp", dissect_isakmp, proto_isakmp);
1491 proto_reg_handoff_isakmp(void)
1493 dissector_handle_t isakmp_handle;
1496 * Get handle for the AH & ESP dissectors.
1498 esp_handle = find_dissector("esp");
1499 ah_handle = find_dissector("ah");
1501 isakmp_handle = find_dissector("isakmp");
1502 dissector_add("udp.port", UDP_PORT_ISAKMP, isakmp_handle);
1503 dissector_add("tcp.port", TCP_PORT_ISAKMP, isakmp_handle);