author | Hakan Olsson <ho@cvs.openbsd.org> | 2001-04-09 21:44:42 +0000 |
---|---|---|
committer | Hakan Olsson <ho@cvs.openbsd.org> | 2001-04-09 21:44:42 +0000 |
commit | 13d7894a301f99c811aac65417b78560160927f5 (patch) | |
tree | 20497ed57ff3fe1c22e254dad2c184e3c24d9952 | |
parent | 6e5fd4a8b572c00359a4c486c5d17ca41c147f5b (diff) |
Extend IKE knowledge so we can parse the rest (normally encrypted parts)
of the IKE negotiation. Useful for isakmpd's new -L and -l options.
Also some cleanup. (angelos@, niklas@ ok)
-rw-r--r-- | usr.sbin/tcpdump/ike.h | 253 | ||||
-rw-r--r-- | usr.sbin/tcpdump/interface.h | 6 | ||||
-rw-r--r-- | usr.sbin/tcpdump/print-ike.c | 296 | ||||
-rw-r--r-- | usr.sbin/tcpdump/print-udp.c | 6 |
4 files changed, 405 insertions, 156 deletions
diff --git a/usr.sbin/tcpdump/ike.h b/usr.sbin/tcpdump/ike.h
index 4a43c54aced..2f37201cd01 100644
--- a/usr.sbin/tcpdump/ike.h
+++ b/usr.sbin/tcpdump/ike.h
@@ -1,9 +1,12 @@
-/* $OpenBSD: ike.h,v 1.1 2000/10/03 14:25:47 ho Exp $ */
+/* $OpenBSD: ike.h,v 1.2 2001/04/09 21:44:40 ho Exp $ */
 #define ISAKMP_DOI 0
 #define IPSEC_DOI 1
-#define PROTO_ISAKMP 1
+#define PROTO_ISAKMP 1
+#define PROTO_IPSEC_AH 2
+#define PROTO_IPSEC_ESP 3
+#define PROTO_IPCOMP 4
 #define IKE_ATTR_ENCRYPTION_ALGORITHM 1
 #define IKE_ATTR_HASH_ALGORITHM 2
@@ -12,12 +15,17 @@
 #define IKE_ATTR_GROUP_TYPE 5
 #define IKE_ATTR_LIFE_TYPE 11
+#define IKE_PROTO_INITIALIZER \
+ { "RESERVED", "ISAKMP", "IPSEC_AH", "IPSEC_ESP", "IPCOMP", \
+ }
+
 #define IKE_ATTR_ENCRYPT_INITIALIZER \
- { "NONE", "DES_CBS", "IDEA_CBC", "BLOWFISH_CBC", \
- "RC5_R16_B64_CBC", "3DES_CBC", "CAST_CBC", \
+ { "NONE", "DES_CBC", "IDEA_CBC", "BLOWFISH_CBC", \
+ "RC5_R16_B64_CBC", "3DES_CBC", "CAST_CBC", "AES_CBC", \
 }
 #define IKE_ATTR_HASH_INITIALIZER \
 { "NONE", "MD5", "SHA", "TIGER", \
+ "SHA2_256", "SHA2_384", "SHA2_512", \
 }
 #define IKE_ATTR_AUTH_INITIALIZER \
 { "NONE", "PRE_SHARED", "DSS", "RSA_SIG", \
@@ -73,7 +81,7 @@
 #define PAYLOAD_NONCE 10
 #define PAYLOAD_NOTIFICATION 11
 #define PAYLOAD_DELETE 12
-#define PAYLOAD_VENDOR 13
+#define PAYLOAD_VENDOR 13
 #define IKE_PAYLOAD_TYPES_INITIALIZER \
 { "NONE", /* 0 */ \
@@ -93,12 +101,12 @@
 }
 /* Exchange types */
-#define EXCHANGE_NONE 0
-#define EXCHANGE_BASE 1
-#define EXCHANGE_ID_PROT 2
-#define EXCHANGE_AUTH_ONLY 3
-#define EXCHANGE_AGGRESSIVE 4
-#define EXCHANGE_INFO 5
+#define EXCHANGE_NONE 0
+#define EXCHANGE_BASE 1
+#define EXCHANGE_ID_PROT 2
+#define EXCHANGE_AUTH_ONLY 3
+#define EXCHANGE_AGGRESSIVE 4
+#define EXCHANGE_INFO 5
 #define EXCHANGE_QUICK_MODE 32
 #define EXCHANGE_NEW_GROUP_MODE 33
@@ -126,79 +134,154 @@
 #define FLAGS_COMMIT 2
 #define FLAGS_AUTH_ONLY 4
-#define CERT_NONE 0
-#define CERT_PKCS 1
-#define CERT_PGP 2
-#define CERT_DNS 3
-#define CERT_X509_SIG 4
-#define CERT_X509_KE 5
-#define CERT_KERBEROS 6
-#define CERT_CRL 7
-#define CERT_ARL 8
-#define CERT_SPKI 9
-#define CERT_X509_ATTR 10
-
-#define NOTIFY_INVALID_PAYLOAD_TYPE 1
-#define NOTIFY_DOI_NOT_SUPPORTED 2
-#define NOTIFY_SITUATION_NOT_SUPPORTED 3
-#define NOTIFY_INVALID_COOKIE 4
-#define NOTIFY_INVALID_MAJOR_VERSION 5
-#define NOTIFY_INVALID_MINOR_VERSION 6
-#define NOTIFY_INVALID_EXCHANGE_TYPE 7
-#define NOTIFY_INVALID_FLAGS 8
-#define NOTIFY_INVALID_MESSAGE_ID 9
-#define NOTIFY_INVALID_PROTOCOL_ID 10
-#define NOTIFY_INVALID_SPI 11
-#define NOTIFY_INVALID_TRANSFORM_ID 12
-#define NOTIFY_ATTRIBUTES_NOT_SUPPORTED 13
-#define NOTIFY_NO_PROPOSAL_CHOSEN 14
-#define NOTIFY_BAD_PROPOSAL_SYNTAX 15
-#define NOTIFY_PAYLOAD_MALFORMED 16
-#define NOTIFY_INVALID_KEY_INFORMATION 17
-#define NOTIFY_INVALID_ID_INFORMATION 18
-#define NOTIFY_INVALID_CERT_ENCODING 19
-#define NOTIFY_INVALID_CERTIFICATE 20
-#define NOTIFY_CERT_TYPE_UNSUPPORTED 21
-#define NOTIFY_INVALID_CERT_AUTHORITY 22
-#define NOTIFY_INVALID_HASH_INFORMATION 23
-#define NOTIFY_AUTHENTICATION_FAILED 24
-#define NOTIFY_INVALID_SIGNATURE 25
-#define NOTIFY_ADDRESS_NOTIFICATION 26
-#define NOTIFY_NOTIFY_SA_LIFETIME 27
-#define NOTIFY_CERTIFICATE_UNAVAILABLE 28
-#define NOTIFY_UNSUPPORTED_EXCHANGE_TYPE 29
-#define NOTIFY_UNEQUAL_PAYLOAD_LENGTHS 30
+#define CERT_NONE 0
+#define CERT_PKCS 1
+#define CERT_PGP 2
+#define CERT_DNS 3
+#define CERT_X509_SIG 4
+#define CERT_X509_KE 5
+#define CERT_KERBEROS 6
+#define CERT_CRL 7
+#define CERT_ARL 8
+#define CERT_SPKI 9
+#define CERT_X509_ATTR 10
+
+#define NOTIFY_INVALID_PAYLOAD_TYPE 1
+#define NOTIFY_DOI_NOT_SUPPORTED 2
+#define NOTIFY_SITUATION_NOT_SUPPORTED 3
+#define NOTIFY_INVALID_COOKIE 4
+#define NOTIFY_INVALID_MAJOR_VERSION 5
+#define NOTIFY_INVALID_MINOR_VERSION 6
+#define NOTIFY_INVALID_EXCHANGE_TYPE 7
+#define NOTIFY_INVALID_FLAGS 8
+#define NOTIFY_INVALID_MESSAGE_ID 9
+#define NOTIFY_INVALID_PROTOCOL_ID 10
+#define NOTIFY_INVALID_SPI 11
+#define NOTIFY_INVALID_TRANSFORM_ID 12
+#define NOTIFY_ATTRIBUTES_NOT_SUPPORTED 13
+#define NOTIFY_NO_PROPOSAL_CHOSEN 14
+#define NOTIFY_BAD_PROPOSAL_SYNTAX 15
+#define NOTIFY_PAYLOAD_MALFORMED 16
+#define NOTIFY_INVALID_KEY_INFORMATION 17
+#define NOTIFY_INVALID_ID_INFORMATION 18
+#define NOTIFY_INVALID_CERT_ENCODING 19
+#define NOTIFY_INVALID_CERTIFICATE 20
+#define NOTIFY_CERT_TYPE_UNSUPPORTED 21
+#define NOTIFY_INVALID_CERT_AUTHORITY 22
+#define NOTIFY_INVALID_HASH_INFORMATION 23
+#define NOTIFY_AUTHENTICATION_FAILED 24
+#define NOTIFY_INVALID_SIGNATURE 25
+#define NOTIFY_ADDRESS_NOTIFICATION 26
+#define NOTIFY_NOTIFY_SA_LIFETIME 27
+#define NOTIFY_CERTIFICATE_UNAVAILABLE 28
+#define NOTIFY_UNSUPPORTED_EXCHANGE_TYPE 29
+#define NOTIFY_UNEQUAL_PAYLOAD_LENGTHS 30
 #define IKE_NOTIFY_TYPES_INITIALIZER \
- { "", \
- "INVALID PAYLOAD TYPE", \
- "DOI NOT SUPPORTED", \
- "SITUATION NOT SUPPORTED", \
- "INVALID COOKIE", \
- "INVALID MAJOR VERSION", \
- "INVALID MINOR VERSION", \
- "INVALID EXCHANGE TYPE", \
- "INVALID FLAGS", \
- "INVALID MESSAGE ID", \
- "INVALID PROTOCOL ID", \
- "INVALID SPI", \
- "INVALID TRANSFORM ID", \
- "ATTRIBUTES NOT SUPPORTED", \
- "NO PROPOSAL CHOSEN", \
- "BAD PROPOSAL SYNTAX", \
- "PAYLOAD MALFORMED", \
- "INVALID KEY INFORMATION", \
- "INVALID ID INFORMATION", \
- "INVALID CERT ENCODING", \
- "INVALID CERTIFICATE", \
- "CERT TYPE UNSUPPORTED", \
- "INVALID CERT AUTHORITY", \
- "INVALID HASH INFORMATION", \
- "AUTHENTICATION FAILED", \
- "INVALID SIGNATURE", \
- "ADDRESS NOTIFICATION", \
- "NOTIFY SA LIFETIME", \
- "CERTIFICATE UNAVAILABLE", \
- "UNSUPPORTED EXCHANGE TYPE", \
- "UNEQUAL PAYLOAD LENGTHS", \
- }
+ { "", \
+ "INVALID PAYLOAD TYPE", \
+ "DOI NOT SUPPORTED", \
+ "SITUATION NOT SUPPORTED", \
+ "INVALID COOKIE", \
+ "INVALID MAJOR VERSION", \
+ "INVALID MINOR VERSION", \
+ "INVALID EXCHANGE TYPE", \
+ "INVALID FLAGS", \
+ "INVALID MESSAGE ID", \
+ "INVALID PROTOCOL ID", \
+ "INVALID SPI", \
+ "INVALID TRANSFORM ID", \
+ "ATTRIBUTES NOT SUPPORTED", \
+ "NO PROPOSAL CHOSEN", \
+ "BAD PROPOSAL SYNTAX", \
+ "PAYLOAD MALFORMED", \
+ "INVALID KEY INFORMATION", \
+ "INVALID ID INFORMATION", \
+ "INVALID CERT ENCODING", \
+ "INVALID CERTIFICATE", \
+ "CERT TYPE UNSUPPORTED", \
+ "INVALID CERT AUTHORITY", \
+ "INVALID HASH INFORMATION", \
+ "AUTHENTICATION FAILED", \
+ "INVALID SIGNATURE", \
+ "ADDRESS NOTIFICATION", \
+ "NOTIFY SA LIFETIME", \
+ "CERTIFICATE UNAVAILABLE", \
+ "UNSUPPORTED EXCHANGE TYPE", \
+ "UNEQUAL PAYLOAD LENGTHS", \
+ }
+
+/* RFC 2407, 4.6.3 */
+#define NOTIFY_IPSEC_RESPONDER_LIFETIME 24576
+#define NOTIFY_IPSEC_REPLAY_STATUS 24577
+#define NOTIFY_IPSEC_INITIAL_CONTACT 24578
+
+#define IPSEC_ID_RESERVED 0
+#define IPSEC_ID_IPV4_ADDR 1
+#define IPSEC_ID_FQDN 2
+#define IPSEC_ID_USER_FQDN 3
+#define IPSEC_ID_IPV4_ADDR_SUBNET 4
+#define IPSEC_ID_IPV6_ADDR 5
+#define IPSEC_ID_IPV6_ADDR_SUBNET 6
+#define IPSEC_ID_IPV4_ADDR_RANGE 7
+#define IPSEC_ID_IPV6_ADDR_RANGE 8
+#define IPSEC_ID_DER_ASN1_DN 9
+#define IPSEC_ID_DER_ASN1_GN 10
+#define IPSEC_ID_KEY_ID 11
+
+#define IPSEC_ID_TYPE_INITIALIZER \
+ { "RESERVED", \
+ "IPV4_ADDR", \
+ "FQDN", \
+ "USER_FQDN", \
+ "IPV4_ADDR_SUBNET", \
+ "IPV6_ADDR", \
+ "IPV6_ADDR_SUBNET", \
+ "IPV4_ADDR_RANGE", \
+ "IPV6_ADDR_RANGE", \
+ "DER_ASN1_DN", \
+ "DER_ASN1_GN", \
+ "KEY_ID", \
+ }
+
+#define IPSEC_ATTR_SA_LIFE_TYPE 1
+#define IPSEC_ATTR_SA_LIFE_DURATION 2
+#define IPSEC_ATTR_GROUP_DESCRIPTION 3
+#define IPSEC_ATTR_ENCAPSULATION_MODE 4
+#define IPSEC_ATTR_AUTHENTICATION_ALGORITHM 5
+#define IPSEC_ATTR_KEY_LENGTH 6
+#define IPSEC_ATTR_KEY_ROUNDS 7
+#define IPSEC_ATTR_COMPRESS_DICTIONARY_SIZE 8
+#define IPSEC_ATTR_COMPRESS_PRIVATE_ALGORITHM 9
+
+#define IPSEC_ATTR_INITIALIZER \
+ { "NONE", "LIFE_TYPE", "LIFE_DURATION", \
+ "GROUP_DESCRIPTION", "ENCAPSULATION_MODE", \
+ "AUTHENTICATION_ALGORITHM", "KEY_LENGTH", \
+ "KEY_ROUNDS", "COMPRESS_DICTIONARY_SIZE", \
+ "COMPRESS_PRIVATE_ALGORITHM", \
+ }
+
+#define IPSEC_ATTR_DURATION_INITIALIZER \
+ { "NONE", "SECONDS", "KILOBYTES", \
+ }
+#define IPSEC_ATTR_ENCAP_INITIALIZER \
+ { "NONE", "TUNNEL", "TRANSPORT", \
+ }
+#define IPSEC_ATTR_AUTH_INITIALIZER \
+ { "NONE", "HMAC_MD5", "HMAC_SHA", "DES_MAC", "KPDK", \
+ "HMAC_SHA2_256", "HMAC_SHA2_384", "HMAC_SHA2_512", \
+ "HMAC_RIPEMD", \
+ }
+#define IPSEC_AH_INITIALIZER \
+ { "NONE", "MD5", "SHA", "DES", "SHA2_256", "SHA2_384", \
+ "SHA2_512", "RIPEMD", \
+ }
+#define IPSEC_ESP_INITIALIZER \
+ { "NONE", "DEV_IV64", "DES", "3DES", "RC5", "IDEA", \
+ "CAST", "BLOWFISH", "3IDEA", "DES_IV32", "RC4", \
+ "NULL", "AES", \
+ }
+#define IPSEC_ATTR_IPCOMP_INITIALIZER \
+ { "NONE", "OUI", "DEFLATE", "LZS", "V42BIS", \
+ }
diff --git a/usr.sbin/tcpdump/interface.h b/usr.sbin/tcpdump/interface.h
index 77c4e93af51..2a5965a61b9 100644
--- a/usr.sbin/tcpdump/interface.h
+++ b/usr.sbin/tcpdump/interface.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: interface.h,v 1.25 2001/04/08 22:45:53 jakob Exp $ */
+/* $OpenBSD: interface.h,v 1.26 2001/04/09 21:44:40 ho Exp $ */
 /*
 * Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997
@@ -20,7 +20,7 @@
 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
 *
- * @(#) $Header: /cvs/OpenBSD/src/usr.sbin/tcpdump/interface.h,v 1.25 2001/04/08 22:45:53 jakob Exp $ (LBL)
+ * @(#) $Header: /cvs/OpenBSD/src/usr.sbin/tcpdump/interface.h,v 1.26 2001/04/09 21:44:40 ho Exp $ (LBL)
 */
 #ifndef tcpdump_interface_h
@@ -232,7 +232,7 @@ extern void tftp_print(const u_char *, u_int);
 extern void timed_print(const u_char *, u_int);
 extern void udp_print(const u_char *, u_int, const u_char *);
 extern void wb_print(const void *, u_int);
-extern void isakmp_print(const u_char *, u_int);
+extern void ike_print(const u_char *, u_int);
 extern void ah_print(const u_char *, u_int, const u_char *);
 extern void esp_print(const u_char *, u_int, const u_char *);
 extern void cdp_print(const u_char *, u_int, u_int, const u_char *,
diff --git a/usr.sbin/tcpdump/print-ike.c b/usr.sbin/tcpdump/print-ike.c
index 6c3c9450c7e..793b552ea7a 100644
--- a/usr.sbin/tcpdump/print-ike.c
+++ b/usr.sbin/tcpdump/print-ike.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: print-ike.c,v 1.4 2000/10/03 14:25:47 ho Exp $ */
+/* $OpenBSD: print-ike.c,v 1.5 2001/04/09 21:44:40 ho Exp $ */
 /*
 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999
@@ -31,7 +31,7 @@
 #ifndef lint
 static const char rcsid[] =
- "@(#) $Header: /cvs/OpenBSD/src/usr.sbin/tcpdump/print-ike.c,v 1.4 2000/10/03 14:25:47 ho Exp $ (XXX)";
+ "@(#) $Header: /cvs/OpenBSD/src/usr.sbin/tcpdump/print-ike.c,v 1.5 2001/04/09 21:44:40 ho Exp $ (XXX)";
 #endif
 #include <sys/param.h>
@@ -45,6 +45,7 @@ struct rtentry;
 #include <net/if.h>
 #include <netinet/in.h>
+#include <arpa/inet.h>
 #include <ctype.h>
 #include <stdio.h>
@@ -77,11 +78,12 @@ struct notification_payload {
 u_char data[0];
 };
-static int isakmp_doi;
-
-static void isakmp_pl_print(register u_char type, register u_char *payload);
+static void ike_pl_print(register u_char, register u_char *, u_char);
 int ike_tab_level = 0;
+u_char xform_proto;
+
+static const char *ike[] = IKE_PROTO_INITIALIZER;
 #define SMALL_TABS 4
 #define SPACES " "
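Review bot: `u_char xform_proto;` is added as a file-scope variable with external linkage, but it only carries the current proposal's protocol id from ike_proposal_print to ike_transform_print within this file; make it `static u_char xform_proto;` like the `ike[]` table beside it, so it neither leaks into the global namespace nor collides with another object file. A one-line comment would save the next reader a search: `/* Protocol id of the proposal being printed; set in ike_proposal_print, read in ike_transform_print to pick the AH/ESP transform name table. */`. The new `ike_pl_print` prototype also drops the parameter names the old one carried; `(register u_char type, register u_char *payload, u_char doi)` documents the third argument, which is the one a reader will wonder about. `int ike_tab_level = 0;` beside it is unchanged context and not part of this change.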
@@ -97,11 +99,27 @@ ike_tab_offset (void)
 return (p > line ? p : line);
 }
+static char *
+ike_get_cookie (u_char *ic, u_char *rc)
+{
+ static char cookie_jar[35];
+ register int i;
+ cookie_jar[0] = cookie_jar[34] = 0;
+
+ for (i = 0; i < 8; i++)
+ sprintf (cookie_jar + (i<<1), "%02x", *(ic + i));
+ strcat (cookie_jar, "->");
+ for (i = 0; i < 8; i++)
+ sprintf (cookie_jar + 18 + (i<<1), "%02x", *(rc + i));
+
+ return cookie_jar;
+}
+
 /*
 * Print isakmp requests
 */
 void
-isakmp_print (register const u_char *cp, register u_int length)
+ike_print (register const u_char *cp, register u_int length)
 {
 struct isakmp_header *ih;
 register const u_char *ep;
@@ -145,16 +163,8 @@ isakmp_print (register const u_char *cp, register u_int length)
 printf(" commit");
 }
- printf("\n\tcookie: %02x%02x%02x%02x%02x%02x%02x%02x->"
- "%02x%02x%02x%02x%02x%02x%02x%02x",
- ih->init_cookie[0], ih->init_cookie[1],
- ih->init_cookie[2], ih->init_cookie[3],
- ih->init_cookie[4], ih->init_cookie[5],
- ih->init_cookie[6], ih->init_cookie[7],
- ih->resp_cookie[0], ih->resp_cookie[1],
- ih->resp_cookie[2], ih->resp_cookie[3],
- ih->resp_cookie[4], ih->resp_cookie[5],
- ih->resp_cookie[6], ih->resp_cookie[7]);
+ printf("\n\tcookie: %s", ike_get_cookie (ih->init_cookie,
+ ih->resp_cookie));
 TCHECK(ih->msgid, sizeof(ih->msgid));
 printf(" msgid: %02x%02x%02x%02x",
@@ -180,7 +190,7 @@ isakmp_print (register const u_char *cp, register u_int length)
 /* if verbose, print payload data */
 if (vflag)
- isakmp_pl_print(nextpayload, payload);
+ ike_pl_print(nextpayload, payload, ISAKMP_DOI);
 return;
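Review bot: ike_get_cookie fills a fixed 35-byte static buffer with unbounded sprintf and strcat, and nothing records why 35 is enough (8 bytes x 2 hex digits, "->", 8 x 2, NUL = 16 + 2 + 16 + 1). The arithmetic is right today only because `*(ic + i)` is a u_char, so `%02x` yields exactly two digits; the next change to the separator or cookie length will overflow it silently, so I'd make the size follow the layout and bound the writes: `static char cookie_jar[2 * 8 + 2 + 2 * 8 + 1];` and `snprintf(cookie_jar + (i << 1), sizeof cookie_jar - (i << 1), "%02x", ic[i]);` (likewise for the `18 +` loop). A comment that the return value points at static storage overwritten by the next call is worth adding, since ike_notification_print later in this diff uses it inside printf argument lists. `ic` and `rc` are never written through and could be `const u_char *`.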
@@ -189,12 +199,12 @@ trunc:
 }
 void
-isakmp_sa_print (register u_char *buf, register int len)
+ike_sa_print (register u_char *buf, register int len)
 {
 u_int32_t situation = ntohl(*(u_int32_t *)(buf + 4));
- isakmp_doi = ntohl((*(u_int32_t *)buf));
- printf(" DOI: %d", isakmp_doi);
- if (isakmp_doi == IPSEC_DOI) {
+ u_char ike_doi = ntohl((*(u_int32_t *)buf));
+ printf(" DOI: %d", ike_doi);
+ if (ike_doi == IPSEC_DOI) {
 printf("(IPSEC) situation: ");
 if (situation & IKE_SITUATION_IDENTITY_ONLY)
 printf("IDENTITY_ONLY ");
@@ -204,14 +214,14 @@ isakmp_sa_print (register u_char *buf, register int len)
 printf("INTEGRITY ");
 if ((situation & IKE_SITUATION_MASK) == 0)
 printf("0x%x (unknown)", situation);
- isakmp_pl_print (PAYLOAD_PROPOSAL, buf + 8);
+ ike_pl_print (PAYLOAD_PROPOSAL, buf + 8, IPSEC_DOI);
 } else
 printf(" situation: (unknown)");
 }
 int
-isakmp_attribute_print (register u_char *buf)
+ike_attribute_print (register u_char *buf, u_char doi)
 {
 static char *attrs[] = IKE_ATTR_INITIALIZER;
 static char *attr_enc[] = IKE_ATTR_ENCRYPT_INITIALIZER;
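Review bot: `u_char ike_doi = ntohl((*(u_int32_t *)buf));` truncates the 32-bit DOI field to its low byte, so a DOI of 0x100 prints as "DOI: 0" and any value congruent to 1 modulo 256 takes the IPSEC branch and walks the proposals with the IPsec tables; the `isakmp_doi` it replaces was an int. Keep the full width and print it as such: `u_int32_t ike_doi = ntohl(*(u_int32_t *)buf);` and `printf(" DOI: %u", ike_doi);`. The unaligned `*(u_int32_t *)` reads of `buf` and `buf + 4` predate this change, but since the line is being rewritten anyway, assembling the four bytes by hand (as the new ike_proposal_print does for the SPI) would avoid the alignment trap on strict architectures. ike_sa_print's body continues between the two hunks.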
@@ -220,19 +230,29 @@ isakmp_attribute_print (register u_char *buf)
 static char *attr_gdesc[] = IKE_ATTR_GROUP_DESC_INITIALIZER;
 static char *attr_gtype[] = IKE_ATTR_GROUP_INITIALIZER;
 static char *attr_ltype[] = IKE_ATTR_SA_DURATION_INITIALIZER;
+ static char *ipsec_attrs[] = IPSEC_ATTR_INITIALIZER;
+ static char *ipsec_attr_encap[] = IPSEC_ATTR_ENCAP_INITIALIZER;
+ static char *ipsec_attr_auth[] = IPSEC_ATTR_AUTH_INITIALIZER;
+ static char *ipsec_attr_ltype[] = IPSEC_ATTR_DURATION_INITIALIZER;
 unsigned short type = buf[0]<<8 | buf[1];
 unsigned short length = 0, p;
- printf("\n\t%sattribute %s = ", ike_tab_offset(),
- ((type & 0x7fff) < sizeof attrs / sizeof attrs[0] ?
- attrs[type & 0x7fff] : "unknown"));
+ if (doi == ISAKMP_DOI)
+ printf("\n\t%sattribute %s = ", ike_tab_offset(),
+ ((type & 0x7fff) < sizeof attrs / sizeof attrs[0] ?
+ attrs[type & 0x7fff] : "unknown"));
+ else
+ printf("\n\t%sattribute %s = ", ike_tab_offset(),
+ ((type & 0x7fff) <
+ (sizeof ipsec_attrs / sizeof ipsec_attrs[0]) ?
+ ipsec_attrs[type & 0x7fff] : "unknown"));
+
 if (!(type >> 15)) {
 length = buf[2]<<8 | buf[3];
 for (p = 0; p < length; p++)
 printf("%02x", (char)*(buf + 4 + p));
- }
- else {
+ } else {
 p = buf[2]<<8 | buf[3];
 #define CASE_PRINT(TYPE,var) \
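Review bot: The two printf calls added under `if (doi == ISAKMP_DOI)` / `else` are identical except for which name table they index, and the bounds test against the table size is spelled twice. Picking the table once keeps the check in one place: `char **names = doi == ISAKMP_DOI ? attrs : ipsec_attrs;` and `size_t nnames = doi == ISAKMP_DOI ? sizeof attrs / sizeof attrs[0] : sizeof ipsec_attrs / sizeof ipsec_attrs[0];`, then a single `printf("\n\t%sattribute %s = ", ike_tab_offset(), (type & 0x7fff) < nnames ? names[type & 0x7fff] : "unknown");`. The same pair of selectors can feed the `switch (type & 0x7fff)` that follows in the next hunk, which is duplicated along the same line. ike_attribute_print starts before this hunk and ends after it.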
@@ -243,68 +263,175 @@ isakmp_attribute_print (register u_char *buf) printf("%d (unknown)", p); \ break; + if (doi == ISAKMP_DOI) + switch(type & 0x7fff) { + CASE_PRINT(IKE_ATTR_ENCRYPTION_ALGORITHM, attr_enc); + CASE_PRINT(IKE_ATTR_HASH_ALGORITHM, attr_hash); + CASE_PRINT(IKE_ATTR_AUTHENTICATION_METHOD, attr_auth); + CASE_PRINT(IKE_ATTR_GROUP_DESC, attr_gdesc); + CASE_PRINT(IKE_ATTR_GROUP_TYPE, attr_gtype); + CASE_PRINT(IKE_ATTR_LIFE_TYPE, attr_ltype); + default: + printf("%d", p); + } + else switch(type & 0x7fff) { - CASE_PRINT(IKE_ATTR_ENCRYPTION_ALGORITHM, attr_enc); - CASE_PRINT(IKE_ATTR_HASH_ALGORITHM, attr_hash); - CASE_PRINT(IKE_ATTR_AUTHENTICATION_METHOD, attr_auth); - CASE_PRINT(IKE_ATTR_GROUP_DESC, attr_gdesc); - CASE_PRINT(IKE_ATTR_GROUP_TYPE, attr_gtype); - CASE_PRINT(IKE_ATTR_LIFE_TYPE, attr_ltype); + CASE_PRINT(IPSEC_ATTR_SA_LIFE_TYPE, ipsec_attr_ltype); + CASE_PRINT(IPSEC_ATTR_ENCAPSULATION_MODE, + ipsec_attr_encap); + CASE_PRINT(IPSEC_ATTR_AUTHENTICATION_ALGORITHM, + ipsec_attr_auth); default: - printf("%d", p); + printf ("%d", p); } } +#undef CASE_PRINT + return length + 4; } void -isakmp_transform_print (register u_char *buf, register int len) +ike_transform_print (register u_char *buf, register int len, u_char doi) { + const char *ah[] = IPSEC_AH_INITIALIZER; + const char *esp[] = IPSEC_ESP_INITIALIZER; u_char *attr = buf + 4; - printf("\n\t%stransform: %d ID: %d", ike_tab_offset(), - (char)buf[0], (char)buf[1]); + printf("\n\t%stransform: %d ID: ", ike_tab_offset(), (char)buf[0]); + switch (doi) { + case ISAKMP_DOI: + if (buf[1] < (sizeof ike / sizeof ike[0])) + printf ("%s", ike[buf[1]]); + else + printf ("%d(unknown)", buf[1]); + break; + + default: /* IPSEC_DOI */ + switch (xform_proto) { /* from ike_proposal_print */ + case PROTO_IPSEC_AH: + if (buf[1] < (sizeof ah / sizeof ah[0])) + printf ("%s", ah[buf[1]]); + else + printf ("%d(unknown)", buf[1]); + break; + case PROTO_IPSEC_ESP: + if (buf[1] < (sizeof esp / sizeof esp[0])) + printf 
("%s", esp[buf[1]]); + else + printf ("%d(unknown)", buf[1]); + break; + default: + printf ("%d(unknown)", buf[1]); + } + break; + } + ike_tab_level++; while((int)(attr - buf) < len - 4) /* Skip last 'NONE' attr */ - attr += isakmp_attribute_print(attr); + attr += ike_attribute_print(attr, doi); ike_tab_level--; } void -isakmp_proposal_print (register u_char *buf, register int len) +ike_proposal_print (register u_char *buf, register int len, u_char doi) { - printf(" proposal: %d proto: %d(%s) spisz: %d xforms: %d", - buf[0], buf[1], (buf[1] == PROTO_ISAKMP ? "ISAKMP" : "unknown"), - buf[2], buf[3]); + printf(" proposal: %d proto: %s spisz: %d xforms: %d", + buf[0], (buf[1] < (sizeof ike / sizeof ike[0]) ? ike[buf[1]] : + "(unknown)"), buf[2], buf[3]); + + /* We need to store this for upcoming ike_attribute_print call. */ + xform_proto = buf[1]; + + if (buf[2]) { + /* XXX it is possible that spisz may be != 4 ... */ + printf(" SPI: 0x%08x", + buf[4]<<24 | buf[5]<<16 | buf[6]<<8 | buf[7]); + doi = IPSEC_DOI; + } else + doi = ISAKMP_DOI; if((char)buf[3] > 0) - isakmp_pl_print(PAYLOAD_TRANSFORM, buf+4); + ike_pl_print(PAYLOAD_TRANSFORM, buf+4+buf[2], doi); } void -isakmp_ke_print (register u_char *buf, register int len) +ike_ke_print (register u_char *buf, register int len, u_char doi) { - if (isakmp_doi != IPSEC_DOI) + if (doi != IPSEC_DOI) return; - printf(" <KE payload data (not shown)> len: %d", len); + /* XXX ... 
*/ } void -isakmp_id_print (register u_char *buf, register int len) +ipsec_id_print (register u_char *buf, register int len, u_char doi) { - if (isakmp_doi != IPSEC_DOI) + static const char *idtypes[] = IPSEC_ID_TYPE_INITIALIZER; + char ntop_buf[INET6_ADDRSTRLEN]; + struct in_addr in; + u_char *p; + + if (doi != ISAKMP_DOI) return; - printf(" <ID payload data (not shown)> len: %d", len); + /* Don't print proto+port unless actually used */ + if (buf[1] | buf[2] | buf[3]) + printf (" proto: %d port: %d", buf[1], (buf[2] << 8) + buf[3]); + + printf (" type: %s = ", buf[0] < (sizeof idtypes/sizeof idtypes[0]) ? + idtypes[buf[0]] : "<unknown>"); + + switch (buf[0]) { + case IPSEC_ID_IPV4_ADDR: + memcpy (&in.s_addr, buf + 4, sizeof in); + printf ("%s", inet_ntoa (in)); + break; + case IPSEC_ID_IPV4_ADDR_SUBNET: + case IPSEC_ID_IPV4_ADDR_RANGE: + memcpy (&in.s_addr, buf + 4, sizeof in); + printf ("%s%s", inet_ntoa (in), + buf[0] == IPSEC_ID_IPV4_ADDR_SUBNET ? "/" : "-"); + memcpy (&in.s_addr, buf + 8, sizeof in); + printf ("%s", inet_ntoa (in)); + break; + + case IPSEC_ID_IPV6_ADDR: + printf ("%s", inet_ntop (AF_INET6, buf + 4, ntop_buf, + sizeof ntop_buf)); + break; + case IPSEC_ID_IPV6_ADDR_SUBNET: + case IPSEC_ID_IPV6_ADDR_RANGE: + printf ("%s%s", inet_ntop (AF_INET6, buf + 4, ntop_buf, + sizeof ntop_buf), + buf[0] == IPSEC_ID_IPV6_ADDR_SUBNET ? "/" : "-"); + printf ("%s", inet_ntop (AF_INET6, buf + 4 + sizeof ntop_buf, + ntop_buf, sizeof ntop_buf)); + + case IPSEC_ID_FQDN: + case IPSEC_ID_USER_FQDN: + printf ("\""); + for(p = buf + 4; (int)(p - buf) < len; p++) + printf("%c",(isprint(*p) ? 
*p : '.')); + printf ("\""); + break; + + case IPSEC_ID_DER_ASN1_DN: + case IPSEC_ID_DER_ASN1_GN: + case IPSEC_ID_KEY_ID: + default: + printf ("\"(not shown)\""); + break; + } } void -isakmp_notification_print (register u_char *buf, register int len) +ike_notification_print (register u_char *buf, register int len) { static const char *nftypes[] = IKE_NOTIFY_TYPES_INITIALIZER; struct notification_payload *np = (struct notification_payload *)buf; + u_int32_t *replay; + u_char *attr; if (len < sizeof (struct notification_payload)) { printf (" (|len)"); 
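Review bot: In ipsec_id_print the `IPSEC_ID_IPV6_ADDR_SUBNET` / `IPSEC_ID_IPV6_ADDR_RANGE` arm has no `break;` before `case IPSEC_ID_FQDN:`, so after printing both addresses it falls into the FQDN branch and dumps the raw address bytes as a quoted string; add `break;` after the second inet_ntop. That second inet_ntop reads the mask or end address at `buf + 4 + sizeof ntop_buf`, i.e. offset 4 + INET6_ADDRSTRLEN, but the second address immediately follows the first, so it should be `buf + 4 + sizeof (struct in6_addr)` (the IPv4 arm correctly uses `buf + 8`). None of the address arms compares `len` with the bytes it reads (8 or 32 after the 4-byte ID header), so a short ID payload from the wire is read past its end; a guard such as `if (len < 4 + 2 * sizeof (struct in6_addr)) { printf(" [|ipsec]"); return; }` in front of the range/subnet arms (and the 4-byte and 16-byte equivalents for the single-address arms) is warranted. The new `if (doi != ISAKMP_DOI) return;` is the opposite of the old `isakmp_doi != IPSEC_DOI` test and of the comment "Should only happen with IPsec DOI" at the call site; as far as I can see it works only because ike_print passes ISAKMP_DOI for every top-level payload, which deserves a comment here. ike_attribute_print starts before this hunk and ike_notification_print, begun at its end, continues past it.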
@@ -323,18 +450,52 @@ isakmp_notification_print (register u_char *buf, register int len) if (np->type > 0 && np->type < (sizeof nftypes / sizeof nftypes[0])) printf("%s", nftypes[np->type]); - else + else switch (np->type) { + + case NOTIFY_IPSEC_RESPONDER_LIFETIME: + printf("RESPONDER LIFETIME"); + if (np->spi_size == 16) + printf ("(%s)", ike_get_cookie (&np->data[0], + &np->data[8])); + else + printf("SPI: 0x%08x", np->data[0]<<24 | + np->data[1]<<16 | np->data[2]<<8 | np->data[3]); + attr = &np->data[np->spi_size]; + ike_tab_level++; + while((int)(attr - buf) < len - 4) /* Skip last 'NONE' attr */ + attr += ike_attribute_print(attr, IPSEC_DOI); + ike_tab_level--; + break; + + case NOTIFY_IPSEC_REPLAY_STATUS: + replay = (u_int32_t *)&np->data[np->spi_size]; + printf("REPLAY STATUS [%sabled] ", *replay ? "en" : "dis"); + if (np->spi_size == 16) + printf ("(%s)", ike_get_cookie (&np->data[0], + &np->data[8])); + else + printf("SPI: 0x%08x", np->data[0]<<24 | + np->data[1]<<16 | np->data[2]<<8 | np->data[3]); + break; + + case NOTIFY_IPSEC_INITIAL_CONTACT: + printf("INITIAL CONTACT (%s)", ike_get_cookie (&np->data[0], + &np->data[8])); + break; + + default: printf("%d (unknown)", np->type); - + break; + } return; } void -isakmp_vendor_print (register u_char *buf, register int len) +ike_vendor_print (register u_char *buf, register int len, u_char doi) { u_char *p = buf; - if (isakmp_doi != IPSEC_DOI) + if (doi != IPSEC_DOI) return; printf(" \""); @@ -344,7 +505,7 @@ isakmp_vendor_print (register u_char *buf, register int len) } void -isakmp_pl_print (register u_char type, register u_char *buf) +ike_pl_print (register u_char type, register u_char *buf, u_char doi) { static const char *pltypes[] = IKE_PAYLOAD_TYPES_INITIALIZER; int next_type = buf[0]; 
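Review bot: The three new NOTIFY_IPSEC_* arms in ike_notification_print read `np->data` without checking that the bytes are inside the payload: RESPONDER_LIFETIME and REPLAY_STATUS read 4 bytes of SPI whenever `spi_size != 16` (including `spi_size == 0`), INITIAL_CONTACT hands 16 bytes to ike_get_cookie regardless of `spi_size`, and `replay = (u_int32_t *)&np->data[np->spi_size]` dereferences 4 more bytes past the SPI through a possibly unaligned pointer, while the only length test in the function is the `len < sizeof (struct notification_payload)` guard above. A length check per type before the switch, plus assembling the replay word byte-wise like the SPI, closes this; see below. The RESPONDER_LIFETIME attribute loop `while((int)(attr - buf) < len - 4) /* Skip last 'NONE' attr */` is copied from ike_transform_print, where `buf` is the payload body and `- 4` compensates for the header; here `buf` is the whole payload, so the loop stops 4 bytes early and drops the last attribute (typically the LIFE_DURATION), and the bound should be `len`. Separately, `ike_vendor_print` now returns unless `doi == IPSEC_DOI`, but from the visible call sites ike_pl_print is entered with IPSEC_DOI only for the proposal chain started by ike_sa_print while top-level payloads (where a Vendor ID payload lives) are walked with ISAKMP_DOI, so if that is the whole picture vendor IDs are no longer printed, whereas the old global was set to the SA's DOI before the VID payload was reached. ike_notification_print starts before this hunk and ike_vendor_print continues past it.
```c
	/* … unchanged: declarations, "(|len)" guard, nftypes lookup … */
	switch (np->type) {
	case NOTIFY_IPSEC_RESPONDER_LIFETIME:
	case NOTIFY_IPSEC_REPLAY_STATUS:
	case NOTIFY_IPSEC_INITIAL_CONTACT:
		/*
		 * The SPI (spi_size bytes) must lie inside the payload;
		 * REPLAY_STATUS carries a 32-bit word after it, and the
		 * cookie form used by INITIAL_CONTACT is always 16 bytes.
		 */
		if (len < sizeof *np + np->spi_size +
		    (np->type == NOTIFY_IPSEC_REPLAY_STATUS ? 4 : 0) ||
		    (np->type == NOTIFY_IPSEC_INITIAL_CONTACT &&
		    np->spi_size != 16)) {
			printf(" (|notify)");
			return;
		}
		break;
	}
	/* … unchanged: per-type printing arms, with the replay word built as
	 * np->data[s]<<24 | np->data[s+1]<<16 | np->data[s+2]<<8 | np->data[s+3]
	 * for s = np->spi_size instead of *(u_int32_t *) … */
```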
@@ -363,23 +524,24 @@ isakmp_pl_print (register u_char type, register u_char *buf)
 return;
 case PAYLOAD_SA:
- isakmp_sa_print(buf+4, this_len);
+ ike_sa_print(buf+4, this_len);
 break;
 case PAYLOAD_PROPOSAL:
- isakmp_proposal_print(buf+4, this_len);
+ ike_proposal_print(buf+4, this_len, doi);
 break;
 case PAYLOAD_TRANSFORM:
- isakmp_transform_print(buf+4, this_len);
+ ike_transform_print(buf+4, this_len, doi);
 break;
 case PAYLOAD_KE:
- isakmp_ke_print(buf+4, this_len);
+ ike_ke_print(buf+4, this_len, doi);
 break;
 case PAYLOAD_ID:
- isakmp_id_print(buf+4, this_len);
+ /* Should only happen with IPsec DOI */
+ ipsec_id_print(buf+4, this_len, doi);
 break;
 case PAYLOAD_CERT:
@@ -391,11 +553,11 @@ isakmp_pl_print (register u_char type, register u_char *buf)
 break;
 case PAYLOAD_NOTIFICATION:
- isakmp_notification_print(buf, this_len);
+ ike_notification_print(buf, this_len);
 break;
 case PAYLOAD_VENDOR:
- isakmp_vendor_print(buf+4, this_len);
+ ike_vendor_print(buf+4, this_len, doi);
 break;
 default:
@@ -403,10 +565,14 @@ isakmp_pl_print (register u_char type, register u_char *buf)
 ike_tab_level--;
 if(next_type) /* Recurse over next payload */
- isakmp_pl_print(next_type, buf + this_len);
+ ike_pl_print(next_type, buf + this_len, doi);
 return;
 pltrunc:
- fputs(" [|isakmp]", stdout);
+ if (doi == ISAKMP_DOI)
+ fputs(" [|isakmp]", stdout);
+ else
+ fputs(" [|ipsec]", stdout);
+
 }
diff --git a/usr.sbin/tcpdump/print-udp.c b/usr.sbin/tcpdump/print-udp.c
index 6fca7d2447d..eb920f7579b 100644
--- a/usr.sbin/tcpdump/print-udp.c
+++ b/usr.sbin/tcpdump/print-udp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: print-udp.c,v 1.18 2001/03/06 16:42:08 jakob Exp $ */
+/* $OpenBSD: print-udp.c,v 1.19 2001/04/09 21:44:41 ho Exp $ */
 /*
 * Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996
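Review bot: The comment added above the `case PAYLOAD_ID:` call, `/* Should only happen with IPsec DOI */`, does not match what ipsec_id_print checks earlier in this diff (`if (doi != ISAKMP_DOI) return;`), and the reason is that the `doi` now threaded through ike_pl_print is not the packet's DOI: from the visible call sites it is ISAKMP_DOI for the top-level chain started in ike_print and IPSEC_DOI only for the proposal chain started in ike_sa_print, and the recursion `ike_pl_print(next_type, buf + this_len, doi)` keeps whichever value it was given. That contract belongs on the function, e.g. above ike_pl_print: `/* doi selects the attribute/transform name tables: ISAKMP_DOI for the top-level payload chain, IPSEC_DOI inside an SA's proposals (set by ike_sa_print). It is not the DOI field of the packet. */`, and the ID comment should be changed to `/* top-level chain, so doi is ISAKMP_DOI here */` or dropped. With that reading, the new `[|isakmp]` / `[|ipsec]` split at pltrunc reports "ipsec" only when a proposal chain is cut short, which may well be the intent but is worth a word in the same comment. ike_pl_print starts before this hunk.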
@@ -23,7 +23,7 @@
 #ifndef lint
 static const char rcsid[] =
- "@(#) $Header: /cvs/OpenBSD/src/usr.sbin/tcpdump/print-udp.c,v 1.18 2001/03/06 16:42:08 jakob Exp $ (LBL)";
+ "@(#) $Header: /cvs/OpenBSD/src/usr.sbin/tcpdump/print-udp.c,v 1.19 2001/04/09 21:44:41 ho Exp $ (LBL)";
 #endif
 #include <sys/param.h>
@@ -583,7 +583,7 @@ udp_print(register const u_char *bp, u_int length, register const u_char *bp2)
 else if (ISPORT(L2TP_PORT))
 l2tp_print((const u_char *)(up + 1), length);
 else if (ISPORT(ISAKMP_PORT))
- isakmp_print((const u_char *)(up + 1), length);
+ ike_print((const u_char *)(up + 1), length);
 else if (ISPORT(NETBIOS_NS_PORT))
 nbt_udp137_print((const u_char *)(up + 1), length);
 else if (ISPORT(NETBIOS_DGRAM_PORT)) |