rpms/tcpdump/devel tcpdump-3.9.7-ikev2.patch, NONE, 1.1 tcpdump.spec, 1.64, 1.65
Miroslav Lichvar (mlichvar)
fedora-extras-commits at redhat.com
Tue Sep 18 14:35:31 UTC 2007
Author: mlichvar
Update of /cvs/pkgs/rpms/tcpdump/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv10524
Modified Files:
tcpdump.spec
Added Files:
tcpdump-3.9.7-ikev2.patch
Log Message:
- support decoding IKEv2 packets
tcpdump-3.9.7-ikev2.patch:
--- NEW FILE tcpdump-3.9.7-ikev2.patch ---
Index: tcpdump/interface.h
===================================================================
RCS file: /tcpdump/master/tcpdump/interface.h,v
retrieving revision 1.278
retrieving revision 1.279
diff -u -r1.278 -r1.279
--- tcpdump/interface.h 8 Aug 2007 17:20:58 -0000 1.278
+++ tcpdump/interface.h 29 Aug 2007 12:31:00 -0000 1.279
@@ -356,6 +356,7 @@
/* forward compatibility */
+#ifndef NETDISSECT_REWORKED
extern netdissect_options *gndo;
#define eflag gndo->ndo_eflag
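Review bot: Nothing at the `#ifndef NETDISSECT_REWORKED` line says who defines that macro or why the `gndo` shortcut macros must disappear for those files, and the matching `#endif` in the next hunk is bare although it closes a long run of `#define`s. I would add a comment above the guard, for example `/* Files converted to take a netdissect_options * define NETDISSECT_REWORKED before including this header, so the legacy global-flag macros cannot be used by accident. */`, if that is the intent. The close would then read `#endif /* !NETDISSECT_REWORKED */`.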
@@ -389,3 +390,4 @@
#define snaplen gndo->ndo_snaplen
#define snapend gndo->ndo_snapend
+#endif
Index: tcpdump/isakmp.h
===================================================================
RCS file: /tcpdump/master/tcpdump/isakmp.h,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -r1.10 -r1.11
--- tcpdump/isakmp.h 11 Dec 2002 07:13:54 -0000 1.10
+++ tcpdump/isakmp.h 29 Aug 2007 02:38:14 -0000 1.11
@@ -81,7 +81,7 @@
#define ISAKMP_TIMER_DEFAULT 10 /* seconds */
#define ISAKMP_TRY_DEFAULT 3 /* times */
-/* 3.1 ISAKMP Header Format
+/* 3.1 ISAKMP Header Format (IKEv1 and IKEv2)
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! Initiator !
@@ -128,8 +128,11 @@
#define ISAKMP_NPTYPE_D 12 /* Delete */
#define ISAKMP_NPTYPE_VID 13 /* Vendor ID */
-#define ISAKMP_MAJOR_VERSION 1
-#define ISAKMP_MINOR_VERSION 0
+#define IKEv1_MAJOR_VERSION 1
+#define IKEv1_MINOR_VERSION 0
+
+#define IKEv2_MAJOR_VERSION 2
+#define IKEv2_MINOR_VERSION 0
/* Exchange Type */
#define ISAKMP_ETYPE_NONE 0 /* NONE */
@@ -142,6 +145,13 @@
/* Flags */
#define ISAKMP_FLAG_E 0x01 /* Encryption Bit */
#define ISAKMP_FLAG_C 0x02 /* Commit Bit */
+#define ISAKMP_FLAG_extra 0x04
+
+/* IKEv2 */
+#define ISAKMP_FLAG_I (1 << 3) /* (I)nitiator */
+#define ISAKMP_FLAG_V (1 << 4) /* (V)ersion */
+#define ISAKMP_FLAG_R (1 << 5) /* (R)esponse */
+
/* 3.2 Payload Generic Header
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
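Review bot: `ISAKMP_FLAG_extra 0x04` is added with no comment, and the E/C bits above it are not marked as IKEv1-only even though the I/V/R group gets an `/* IKEv2 */` label. The distinction matters to anyone reading a capture: `ikev2_print` later in this patch tests `base->flags & ISAKMP_FLAG_E` on an IKEv2 header, where, as far as I recall RFC 4306, bits 0-2 are reserved, so a packet that merely sets that bit would be shown as `[encrypted ...]` and its payloads skipped. I would put `/* IKEv1 (RFC 2408); reserved in IKEv2 */` above the E/C/extra group and give `ISAKMP_FLAG_extra` its own comment naming the bit. The same function prints the new flags with `"[%s%s]"` but passes three strings, so R never appears; `"[%s%s%s]"` is what the argument list needs.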
@@ -151,7 +161,7 @@
*/
struct isakmp_gen {
u_int8_t np; /* Next Payload */
- u_int8_t reserved; /* RESERVED, unused, must set to 0 */
+ u_int8_t critical; /* bit 7 - critical, rest is RESERVED */
u_int16_t len; /* Payload Length */
};
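Review bot: The renamed field `critical` still holds the whole octet, not a boolean, so a caller that writes `if (e.critical)` would also fire on any non-zero reserved bit in a crafted packet. The comment gives the bit position but this hunk adds no mask for it; I would define one next to the struct (the name is only a suggestion), `#define ISAKMP_GEN_CRITICAL 0x80 /* bit 7 of isakmp_gen.critical */`, and test with `e.critical & ISAKMP_GEN_CRITICAL`. The struct is still used for IKEv1 payloads, where this octet is RESERVED, and the old comment saying so is gone; `/* IKEv1: RESERVED, must be 0; IKEv2: bit 7 = critical, rest RESERVED */` keeps both readings. Whether a mask is already defined in the suppressed part of the patch is not visible here.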
@@ -188,7 +198,7 @@
message of a Base Exchange (see Section 4.4) and the value "0" in the
first message of an Identity Protect Exchange (see Section 4.5).
*/
-struct isakmp_pl_sa {
+struct ikev1_pl_sa {
struct isakmp_gen h;
u_int32_t doi; /* Domain of Interpretation */
u_int32_t sit; /* Situation */
@@ -202,7 +212,7 @@
last within the security association proposal, then this field will
be 0.
*/
-struct isakmp_pl_p {
+struct ikev1_pl_p {
struct isakmp_gen h;
u_int8_t p_no; /* Proposal # */
u_int8_t prot_id; /* Protocol */
@@ -218,7 +228,7 @@
then this field will be 3. If the current Transform payload is the
last within the proposal, then this field will be 0.
*/
-struct isakmp_pl_t {
+struct ikev1_pl_t {
struct isakmp_gen h;
u_int8_t t_no; /* Transform # */
u_int8_t t_id; /* Transform-Id */
@@ -227,14 +237,14 @@
};
/* 3.7 Key Exchange Payload */
-struct isakmp_pl_ke {
+struct ikev1_pl_ke {
struct isakmp_gen h;
/* Key Exchange Data */
};
/* 3.8 Identification Payload */
/* MUST NOT to be used, because of being defined in ipsec-doi. */
-struct isakmp_pl_id {
+struct ikev1_pl_id {
struct isakmp_gen h;
union {
u_int8_t id_type; /* ID Type */
@@ -244,7 +254,7 @@
};
/* 3.9 Certificate Payload */
-struct isakmp_pl_cert {
+struct ikev1_pl_cert {
struct isakmp_gen h;
u_int8_t encode; /* Cert Encoding */
char cert; /* Certificate Data */
@@ -268,7 +278,7 @@
#define ISAKMP_CERT_SPKI 9
/* 3.10 Certificate Request Payload */
-struct isakmp_pl_cr {
+struct ikev1_pl_cr {
struct isakmp_gen h;
u_int8_t num_cert; /* # Cert. Types */
/*
@@ -283,27 +293,27 @@
/* 3.11 Hash Payload */
/* may not be used, because of having only data. */
-struct isakmp_pl_hash {
+struct ikev1_pl_hash {
struct isakmp_gen h;
/* Hash Data */
};
/* 3.12 Signature Payload */
/* may not be used, because of having only data. */
-struct isakmp_pl_sig {
+struct ikev1_pl_sig {
struct isakmp_gen h;
/* Signature Data */
};
/* 3.13 Nonce Payload */
/* may not be used, because of having only data. */
-struct isakmp_pl_nonce {
+struct ikev1_pl_nonce {
struct isakmp_gen h;
/* Nonce Data */
};
/* 3.14 Notification Payload */
-struct isakmp_pl_n {
+struct ikev1_pl_n {
struct isakmp_gen h;
u_int32_t doi; /* Domain of Interpretation */
u_int8_t prot_id; /* Protocol-ID */
@@ -347,7 +357,7 @@
#define ISAKMP_LOG_RETRY_LIMIT_REACHED 65530
/* 3.15 Delete Payload */
-struct isakmp_pl_d {
+struct ikev1_pl_d {
struct isakmp_gen h;
u_int32_t doi; /* Domain of Interpretation */
u_int8_t prot_id; /* Protocol-Id */
@@ -357,15 +367,15 @@
};
-struct isakmp_ph1tab {
- struct isakmp_ph1 *head;
- struct isakmp_ph1 *tail;
+struct ikev1_ph1tab {
+ struct ikev1_ph1 *head;
+ struct ikev1_ph1 *tail;
int len;
};
struct isakmp_ph2tab {
- struct isakmp_ph2 *head;
- struct isakmp_ph2 *tail;
+ struct ikev1_ph2 *head;
+ struct ikev1_ph2 *tail;
int len;
};
[...2245 lines suppressed...]
+ ND_PRINT((ndo,"%s", NPSTR(np)));
+ cp += item_len;
+ }
+
+ return cp;
+trunc:
+ ND_PRINT((ndo," [|isakmp]"));
+ return NULL;
+}
+
+static const u_char *
+ikev2_sub_print(netdissect_options *ndo,
+ u_char np, const struct isakmp_gen *ext, const u_char *ep,
+ u_int32_t phase, u_int32_t doi, u_int32_t proto, int depth)
+{
+ const u_char *cp;
+ int i;
+ int pcount;
+ struct isakmp_gen e;
+
+ cp = (const u_char *)ext;
+ pcount = 0;
+ while (np) {
+ pcount++;
+ ND_TCHECK(*ext);
+
+ safememcpy(&e, ext, sizeof(e));
+
+ ND_TCHECK2(*ext, ntohs(e.len));
+
+ depth++;
+ ND_PRINT((ndo,"\n"));
+ for (i = 0; i < depth; i++)
+ ND_PRINT((ndo," "));
+ ND_PRINT((ndo,"("));
+ cp = ikev2_sub0_print(ndo, np, pcount,
+ ext, ep, phase, doi, proto, depth);
+ ND_PRINT((ndo,")"));
+ depth--;
+
+ if (cp == NULL) {
+ /* Zero-length subitem */
+ return NULL;
}
- printf(":");
+ np = e.np;
+ ext = (struct isakmp_gen *)cp;
+ }
+ return cp;
+trunc:
+ ND_PRINT((ndo," [|%s]", NPSTR(np)));
+ return NULL;
+}
+
+static void
+ikev2_print(netdissect_options *ndo,
+ const u_char *bp, u_int length,
+ const u_char *bp2 _U_, struct isakmp *base)
+{
+ const struct isakmp *p;
+ const u_char *ep;
+ u_char np;
+ int phase;
+
+ p = (const struct isakmp *)bp;
+ ep = ndo->ndo_snapend;
+
+ phase = (*(u_int32_t *)base->msgid == 0) ? 1 : 2;
+ if (phase == 1)
+ ND_PRINT((ndo, " parent_sa"));
+ else
+ ND_PRINT((ndo, " child_sa "));
+
+ ND_PRINT((ndo, " %s", ETYPESTR(base->etype)));
+ if (base->flags) {
+ ND_PRINT((ndo, "[%s%s]",
+ base->flags & ISAKMP_FLAG_I ? "I" : "",
+ base->flags & ISAKMP_FLAG_V ? "V" : "",
+ base->flags & ISAKMP_FLAG_R ? "R" : ""));
+ }
+
+ if (ndo->ndo_vflag) {
+ const struct isakmp_gen *ext;
+ int nparen;
+
+ ND_PRINT((ndo, ":"));
/* regardless of phase... */
- if (base.flags & ISAKMP_FLAG_E) {
+ if (base->flags & ISAKMP_FLAG_E) {
/*
* encrypted, nothing we can do right now.
* we hope to decrypt the packet in the future...
*/
- printf(" [encrypted %s]", NPSTR(base.np));
+ ND_PRINT((ndo, " [encrypted %s]", NPSTR(base->np)));
goto done;
}
nparen = 0;
- CHECKLEN(p + 1, base.np)
+ CHECKLEN(p + 1, base->np)
- np = base.np;
+ np = base->np;
ext = (struct isakmp_gen *)(p + 1);
- isakmp_sub_print(np, ext, ep, phase, 0, 0, 0);
+ ikev2_sub_print(ndo, np, ext, ep, phase, 0, 0, 0);
}
done:
- if (vflag) {
- if (ntohl(base.len) != length) {
- printf(" (len mismatch: isakmp %u/ip %u)",
- (u_int32_t)ntohl(base.len), length);
+ if (ndo->ndo_vflag) {
+ if (ntohl(base->len) != length) {
+ ND_PRINT((ndo, " (len mismatch: isakmp %u/ip %u)",
+ (u_int32_t)ntohl(base->len), length));
}
}
}
void
+isakmp_print(netdissect_options *ndo,
+ const u_char *bp, u_int length,
+ const u_char *bp2)
+{
+ const struct isakmp *p;
+ struct isakmp base;
+ const u_char *ep;
+ int major, minor;
+
+ p = (const struct isakmp *)bp;
+ ep = ndo->ndo_snapend;
+
+ if ((struct isakmp *)ep < p + 1) {
+ ND_PRINT((ndo,"[|isakmp]"));
+ return;
+ }
+
+ safememcpy(&base, p, sizeof(base));
+
+ ND_PRINT((ndo,"isakmp"));
+ major = (base.vers & ISAKMP_VERS_MAJOR)
+ >> ISAKMP_VERS_MAJOR_SHIFT;
+ minor = (base.vers & ISAKMP_VERS_MINOR)
+ >> ISAKMP_VERS_MINOR_SHIFT;
+
+ if (ndo->ndo_vflag) {
+ ND_PRINT((ndo," %d.%d", major, minor));
+ }
+
+ if (ndo->ndo_vflag) {
+ ND_PRINT((ndo," msgid "));
+ rawprint(ndo, (caddr_t)&base.msgid, sizeof(base.msgid));
+ }
+
+ if (1 < ndo->ndo_vflag) {
+ ND_PRINT((ndo," cookie "));
+ rawprint(ndo, (caddr_t)&base.i_ck, sizeof(base.i_ck));
+ ND_PRINT((ndo,"->"));
+ rawprint(ndo, (caddr_t)&base.r_ck, sizeof(base.r_ck));
+ }
+ ND_PRINT((ndo,":"));
+
+ switch(major) {
+ case IKEv1_MAJOR_VERSION:
+ ikev1_print(ndo, bp, length, bp2, &base);
+ break;
+
+ case IKEv2_MAJOR_VERSION:
+ ikev2_print(ndo, bp, length, bp2, &base);
+ break;
+ }
+}
+
+void
isakmp_rfc3948_print(netdissect_options *ndo,
const u_char *bp, u_int length,
const u_char *bp2)
@@ -1429,7 +2355,7 @@
if(length < 4) {
goto trunc;
}
-
+
/*
* see if this is an IKE packet
*/
@@ -1459,7 +2385,7 @@
}
trunc:
- printf("[|isakmp]");
+ ND_PRINT((ndo,"[|isakmp]"));
return;
}
Index: tcpdump.spec
===================================================================
RCS file: /cvs/pkgs/rpms/tcpdump/devel/tcpdump.spec,v
retrieving revision 1.64
retrieving revision 1.65
diff -u -r1.64 -r1.65
--- tcpdump.spec 22 Aug 2007 12:24:32 -0000 1.64
+++ tcpdump.spec 18 Sep 2007 14:34:58 -0000 1.65
@@ -2,7 +2,7 @@
Name: tcpdump
Epoch: 14
Version: 3.9.7
-Release: 4%{?dist}
+Release: 5%{?dist}
License: BSD with advertising
URL: http://www.tcpdump.org
Group: Applications/Internet
@@ -15,6 +15,7 @@
Patch1: tcpdump-3.9.7-droproot.patch
Patch2: tcpdump-3.6.1-portnumbers.patch
Patch3: tcpdump-3.9.7-crypto.patch
+Patch4: tcpdump-3.9.7-ikev2.patch
Patch5: tcpslice-1.2a3-time.patch
Patch6: tcpslice-CVS.20010207-bpf.patch
@@ -34,6 +35,7 @@
%patch1 -p1 -b .droproot
%patch2 -p1 -b .portnumbers
%patch3 -p1 -b .crypto
+%patch4 -p1 -b .ikev2
pushd %{tcpslice_dir}
%patch5 -p1 -b .time
@@ -89,6 +91,9 @@
%{_mandir}/man8/tcpdump.8*
%changelog
+* Tue Sep 18 2007 Miroslav Lichvar <mlichvar at redhat.com> - 14:3.9.7-5
+- support decoding IKEv2 packets
+
* Wed Aug 22 2007 Miroslav Lichvar <mlichvar at redhat.com> - 14:3.9.7-4
- rebuild