]> git.ipfire.org Git - people/ms/strongswan.git/blob - linux/net/ipsec/pfkey_v2_parser.c
projects / people / ms / strongswan.git / blob
? search:


d170ddea5eef1cc7d75348ff09335cceab79ee78
[people/ms/strongswan.git] / linux / net / ipsec / pfkey_v2_parser.c
1 /*
2 * @(#) RFC2367 PF_KEYv2 Key management API message parser
3 * Copyright (C) 1999, 2000, 2001 Richard Guy Briggs <rgb@freeswan.org>
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 *
15 * RCSID $Id: pfkey_v2_parser.c,v 1.4 2004/09/29 22:27:41 as Exp $
16 */
17
18 /*
19 * Template from klips/net/ipsec/ipsec/ipsec_netlink.c.
20 */
21
22 char pfkey_v2_parser_c_version[] = "$Id: pfkey_v2_parser.c,v 1.4 2004/09/29 22:27:41 as Exp $";
23
24 #include <linux/config.h>
25 #include <linux/version.h>
26 #include <linux/kernel.h> /* printk() */
27
28 #include "freeswan/ipsec_param.h"
29
30 #ifdef MALLOC_SLAB
31 # include <linux/slab.h> /* kmalloc() */
32 #else /* MALLOC_SLAB */
33 # include <linux/malloc.h> /* kmalloc() */
34 #endif /* MALLOC_SLAB */
35 #include <linux/errno.h> /* error codes */
36 #include <linux/types.h> /* size_t */
37 #include <linux/interrupt.h> /* mark_bh */
38
39 #include <linux/netdevice.h> /* struct device, and other headers */
40 #include <linux/etherdevice.h> /* eth_type_trans */
41 #include <linux/ip.h> /* struct iphdr */
42 #include <linux/skbuff.h>
43
44 #include <freeswan.h>
45
46 #include <crypto/des.h>
47
48 #ifdef SPINLOCK
49 # ifdef SPINLOCK_23
50 # include <linux/spinlock.h> /* *lock* */
51 # else /* SPINLOCK_23 */
52 # include <asm/spinlock.h> /* *lock* */
53 # endif /* SPINLOCK_23 */
54 #endif /* SPINLOCK */
55 #ifdef NET_21
56 # include <asm/uaccess.h>
57 # include <linux/in6.h>
58 # define ip_chk_addr inet_addr_type
59 # define IS_MYADDR RTN_LOCAL
60 #endif
61 #include <asm/checksum.h>
62 #include <net/ip.h>
63 #ifdef NETLINK_SOCK
64 # include <linux/netlink.h>
65 #else
66 # include <net/netlink.h>
67 #endif
68
69 #include <linux/random.h> /* get_random_bytes() */
70
71 #include "freeswan/radij.h"
72 #include "freeswan/ipsec_encap.h"
73 #include "freeswan/ipsec_sa.h"
74
75 #include "freeswan/ipsec_radij.h"
76 #include "freeswan/ipsec_xform.h"
77 #include "freeswan/ipsec_ah.h"
78 #include "freeswan/ipsec_esp.h"
79 #include "freeswan/ipsec_tunnel.h"
80 #include "freeswan/ipsec_rcv.h"
81 #include "freeswan/ipcomp.h"
82
83 #include <pfkeyv2.h>
84 #include <pfkey.h>
85
86 #include "freeswan/ipsec_proto.h"
87 #include "freeswan/ipsec_alg.h"
88
89
90 #define SENDERR(_x) do { error = -(_x); goto errlab; } while (0)
91
92 struct sklist_t {
93 struct socket *sk;
94 struct sklist_t* next;
95 } pfkey_sklist_head, *pfkey_sklist, *pfkey_sklist_prev;
96
97 __u32 pfkey_msg_seq = 0;
98
99 int
100 pfkey_alloc_eroute(struct eroute** eroute)
101 {
102 int error = 0;
103 if(*eroute) {
104 KLIPS_PRINT(debug_pfkey,
105 "klips_debug:pfkey_alloc_eroute: "
106 "eroute struct already allocated\n");
107 SENDERR(EEXIST);
108 }
109
110 KLIPS_PRINT(debug_pfkey,
111 "klips_debug:pfkey_alloc_eroute: "
112 "allocating %lu bytes for an eroute.\n",
113 (unsigned long) sizeof(**eroute));
114 if((*eroute = kmalloc(sizeof(**eroute), GFP_ATOMIC) ) == NULL) {
115 KLIPS_PRINT(debug_pfkey,
116 "klips_debug:pfkey_alloc_eroute: "
117 "memory allocation error\n");
118 SENDERR(ENOMEM);
119 }
120 KLIPS_PRINT(debug_pfkey,
121 "klips_debug:pfkey_alloc_eroute: "
122 "allocated eroute struct=0p%p.\n", eroute);
123 memset((caddr_t)*eroute, 0, sizeof(**eroute));
124 (*eroute)->er_eaddr.sen_len =
125 (*eroute)->er_emask.sen_len = sizeof(struct sockaddr_encap);
126 (*eroute)->er_eaddr.sen_family =
127 (*eroute)->er_emask.sen_family = AF_ENCAP;
128 (*eroute)->er_eaddr.sen_type = SENT_IP4;
129 (*eroute)->er_emask.sen_type = 255;
130 (*eroute)->er_pid = 0;
131 (*eroute)->er_count = 0;
132 (*eroute)->er_lasttime = jiffies/HZ;
133
134 errlab:
135 return(error);
136 }
137
138 DEBUG_NO_STATIC int
139 pfkey_x_protocol_process(struct sadb_ext *pfkey_ext,
140 struct pfkey_extracted_data *extr)
141 {
142 int error = 0;
143 struct sadb_protocol * p = (struct sadb_protocol *)pfkey_ext;
144
145 KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_x_protocol_process: %p\n", extr);
146
147 if (extr == 0) {
148 KLIPS_PRINT(debug_pfkey,
149 "klips_debug:pfkey_x_protocol_process:"
150 "extr is NULL, fatal\n");
151 SENDERR(EINVAL);
152 }
153 if (extr->eroute == 0) {
154 KLIPS_PRINT(debug_pfkey,
155 "klips_debug:pfkey_x_protocol_process:"
156 "extr->eroute is NULL, fatal\n");
157 SENDERR(EINVAL);
158 }
159 extr->eroute->er_eaddr.sen_proto = p->sadb_protocol_proto;
160 extr->eroute->er_emask.sen_proto = p->sadb_protocol_proto ? ~0:0;
161 KLIPS_PRINT(debug_pfkey,
162 "klips_debug:pfkey_x_protocol_process: protocol = %d.\n",
163 p->sadb_protocol_proto);
164 errlab:
165 return error;
166 }
167
168 DEBUG_NO_STATIC int
169 pfkey_ipsec_sa_init(struct ipsec_sa *ipsp, struct sadb_ext **extensions)
170 {
171 int error = 0;
172 char sa[SATOA_BUF];
173 size_t sa_len;
174 char ipaddr_txt[ADDRTOA_BUF];
175 char ipaddr2_txt[ADDRTOA_BUF];
176 #if defined (CONFIG_IPSEC_AUTH_HMAC_MD5) || defined (CONFIG_IPSEC_AUTH_HMAC_SHA1)
177 int i;
178 unsigned char kb[AHMD596_BLKLEN];
179 #endif
180 #ifdef CONFIG_IPSEC_ALG
181 struct ipsec_alg_enc *ixt_e = NULL;
182 struct ipsec_alg_auth *ixt_a = NULL;
183 #endif /* CONFIG_IPSEC_ALG */
184
185 if(ipsp == NULL) {
186 KLIPS_PRINT(debug_pfkey,
187 "klips_debug:pfkey_ipsec_sa_init: "
188 "ipsp is NULL, fatal\n");
189 SENDERR(EINVAL);
190 }
191
192 sa_len = satoa(ipsp->ips_said, 0, sa, SATOA_BUF);
193
194 KLIPS_PRINT(debug_pfkey,
195 "klips_debug:pfkey_ipsec_sa_init: "
196 "(pfkey defined) called for SA:%s\n",
197 sa_len ? sa : " (error)");
198
199 KLIPS_PRINT(debug_pfkey,
200 "klips_debug:pfkey_ipsec_sa_init: "
201 "calling init routine of %s%s%s\n",
202 IPS_XFORM_NAME(ipsp));
203
204 switch(ipsp->ips_said.proto) {
205
206 #ifdef CONFIG_IPSEC_IPIP
207 case IPPROTO_IPIP: {
208 addrtoa(((struct sockaddr_in*)(ipsp->ips_addr_s))->sin_addr,
209 0,
210 ipaddr_txt, sizeof(ipaddr_txt));
211 addrtoa(((struct sockaddr_in*)(ipsp->ips_addr_d))->sin_addr,
212 0,
213 ipaddr2_txt, sizeof(ipaddr_txt));
214 KLIPS_PRINT(debug_pfkey,
215 "klips_debug:pfkey_ipsec_sa_init: "
216 "(pfkey defined) IPIP ipsec_sa set for %s->%s.\n",
217 ipaddr_txt,
218 ipaddr2_txt);
219 }
220 break;
221 #endif /* !CONFIG_IPSEC_IPIP */
222 #ifdef CONFIG_IPSEC_AH
223 case IPPROTO_AH:
224 switch(ipsp->ips_authalg) {
225 # ifdef CONFIG_IPSEC_AUTH_HMAC_MD5
226 case AH_MD5: {
227 unsigned char *akp;
228 unsigned int aks;
229 MD5_CTX *ictx;
230 MD5_CTX *octx;
231
232 if(ipsp->ips_key_bits_a != (AHMD596_KLEN * 8)) {
233 KLIPS_PRINT(debug_pfkey,
234 "klips_debug:pfkey_ipsec_sa_init: "
235 "incorrect key size: %d bits -- must be %d bits\n"/*octets (bytes)\n"*/,
236 ipsp->ips_key_bits_a, AHMD596_KLEN * 8);
237 SENDERR(EINVAL);
238 }
239
240 # if KLIPS_DIVULGE_HMAC_KEY
241 KLIPS_PRINT(debug_pfkey && sysctl_ipsec_debug_verbose,
242 "klips_debug:pfkey_ipsec_sa_init: "
243 "hmac md5-96 key is 0x%08x %08x %08x %08x\n",
244 ntohl(*(((__u32 *)ipsp->ips_key_a)+0)),
245 ntohl(*(((__u32 *)ipsp->ips_key_a)+1)),
246 ntohl(*(((__u32 *)ipsp->ips_key_a)+2)),
247 ntohl(*(((__u32 *)ipsp->ips_key_a)+3)));
248 # endif /* KLIPS_DIVULGE_HMAC_KEY */
249
250 ipsp->ips_auth_bits = AHMD596_ALEN * 8;
251
252 /* save the pointer to the key material */
253 akp = ipsp->ips_key_a;
254 aks = ipsp->ips_key_a_size;
255
256 KLIPS_PRINT(debug_pfkey && sysctl_ipsec_debug_verbose,
257 "klips_debug:pfkey_ipsec_sa_init: "
258 "allocating %lu bytes for md5_ctx.\n",
259 (unsigned long) sizeof(struct md5_ctx));
260 if((ipsp->ips_key_a = (caddr_t)
261 kmalloc(sizeof(struct md5_ctx), GFP_ATOMIC)) == NULL) {
262 ipsp->ips_key_a = akp;
263 SENDERR(ENOMEM);
264 }
265 ipsp->ips_key_a_size = sizeof(struct md5_ctx);
266
267 for (i = 0; i < DIVUP(ipsp->ips_key_bits_a, 8); i++) {
268 kb[i] = akp[i] ^ HMAC_IPAD;
269 }
270 for (; i < AHMD596_BLKLEN; i++) {
271 kb[i] = HMAC_IPAD;
272 }
273
274 ictx = &(((struct md5_ctx*)(ipsp->ips_key_a))->ictx);
275 MD5Init(ictx);
276 MD5Update(ictx, kb, AHMD596_BLKLEN);
277
278 for (i = 0; i < AHMD596_BLKLEN; i++) {
279 kb[i] ^= (HMAC_IPAD ^ HMAC_OPAD);
280 }
281
282 octx = &(((struct md5_ctx*)(ipsp->ips_key_a))->octx);
283 MD5Init(octx);
284 MD5Update(octx, kb, AHMD596_BLKLEN);
285
286 # if KLIPS_DIVULGE_HMAC_KEY
287 KLIPS_PRINT(debug_pfkey && sysctl_ipsec_debug_verbose,
288 "klips_debug:pfkey_ipsec_sa_init: "
289 "MD5 ictx=0x%08x %08x %08x %08x octx=0x%08x %08x %08x %08x\n",
290 ((__u32*)ictx)[0],
291 ((__u32*)ictx)[1],
292 ((__u32*)ictx)[2],
293 ((__u32*)ictx)[3],
294 ((__u32*)octx)[0],
295 ((__u32*)octx)[1],
296 ((__u32*)octx)[2],
297 ((__u32*)octx)[3] );
298 # endif /* KLIPS_DIVULGE_HMAC_KEY */
299
300 /* zero key buffer -- paranoid */
301 memset(akp, 0, aks);
302 kfree(akp);
303 }
304 break;
305 # endif /* CONFIG_IPSEC_AUTH_HMAC_MD5 */
306 # ifdef CONFIG_IPSEC_AUTH_HMAC_SHA1
307 case AH_SHA: {
308 unsigned char *akp;
309 unsigned int aks;
310 SHA1_CTX *ictx;
311 SHA1_CTX *octx;
312
313 if(ipsp->ips_key_bits_a != (AHSHA196_KLEN * 8)) {
314 KLIPS_PRINT(debug_pfkey,
315 "klips_debug:pfkey_ipsec_sa_init: "
316 "incorrect key size: %d bits -- must be %d bits\n"/*octets (bytes)\n"*/,
317 ipsp->ips_key_bits_a, AHSHA196_KLEN * 8);
318 SENDERR(EINVAL);
319 }
320
321 # if KLIPS_DIVULGE_HMAC_KEY
322 KLIPS_PRINT(debug_pfkey && sysctl_ipsec_debug_verbose,
323 "klips_debug:pfkey_ipsec_sa_init: "
324 "hmac sha1-96 key is 0x%08x %08x %08x %08x\n",
325 ntohl(*(((__u32 *)ipsp->ips_key_a)+0)),
326 ntohl(*(((__u32 *)ipsp->ips_key_a)+1)),
327 ntohl(*(((__u32 *)ipsp->ips_key_a)+2)),
328 ntohl(*(((__u32 *)ipsp->ips_key_a)+3)));
329 # endif /* KLIPS_DIVULGE_HMAC_KEY */
330
331 ipsp->ips_auth_bits = AHSHA196_ALEN * 8;
332
333 /* save the pointer to the key material */
334 akp = ipsp->ips_key_a;
335 aks = ipsp->ips_key_a_size;
336
337 KLIPS_PRINT(debug_pfkey && sysctl_ipsec_debug_verbose,
338 "klips_debug:pfkey_ipsec_sa_init: "
339 "allocating %lu bytes for sha1_ctx.\n",
340 (unsigned long) sizeof(struct sha1_ctx));
341 if((ipsp->ips_key_a = (caddr_t)
342 kmalloc(sizeof(struct sha1_ctx), GFP_ATOMIC)) == NULL) {
343 ipsp->ips_key_a = akp;
344 SENDERR(ENOMEM);
345 }
346 ipsp->ips_key_a_size = sizeof(struct sha1_ctx);
347
348 for (i = 0; i < DIVUP(ipsp->ips_key_bits_a, 8); i++) {
349 kb[i] = akp[i] ^ HMAC_IPAD;
350 }
351 for (; i < AHMD596_BLKLEN; i++) {
352 kb[i] = HMAC_IPAD;
353 }
354
355 ictx = &(((struct sha1_ctx*)(ipsp->ips_key_a))->ictx);
356 SHA1Init(ictx);
357 SHA1Update(ictx, kb, AHSHA196_BLKLEN);
358
359 for (i = 0; i < AHSHA196_BLKLEN; i++) {
360 kb[i] ^= (HMAC_IPAD ^ HMAC_OPAD);
361 }
362
363 octx = &(((struct sha1_ctx*)(ipsp->ips_key_a))->octx);
364 SHA1Init(octx);
365 SHA1Update(octx, kb, AHSHA196_BLKLEN);
366
367 # if KLIPS_DIVULGE_HMAC_KEY
368 KLIPS_PRINT(debug_pfkey && sysctl_ipsec_debug_verbose,
369 "klips_debug:pfkey_ipsec_sa_init: "
370 "SHA1 ictx=0x%08x %08x %08x %08x octx=0x%08x %08x %08x %08x\n",
371 ((__u32*)ictx)[0],
372 ((__u32*)ictx)[1],
373 ((__u32*)ictx)[2],
374 ((__u32*)ictx)[3],
375 ((__u32*)octx)[0],
376 ((__u32*)octx)[1],
377 ((__u32*)octx)[2],
378 ((__u32*)octx)[3] );
379 # endif /* KLIPS_DIVULGE_HMAC_KEY */
380 /* zero key buffer -- paranoid */
381 memset(akp, 0, aks);
382 kfree(akp);
383 }
384 break;
385 # endif /* CONFIG_IPSEC_AUTH_HMAC_SHA1 */
386 default:
387 KLIPS_PRINT(debug_pfkey,
388 "klips_debug:pfkey_ipsec_sa_init: "
389 "authalg=%d support not available in the kernel",
390 ipsp->ips_authalg);
391 SENDERR(EINVAL);
392 }
393 break;
394 #endif /* CONFIG_IPSEC_AH */
395 #ifdef CONFIG_IPSEC_ESP
396 case IPPROTO_ESP: {
397 #if defined (CONFIG_IPSEC_AUTH_HMAC_MD5) || defined (CONFIG_IPSEC_AUTH_HMAC_SHA1)
398 unsigned char *akp;
399 unsigned int aks;
400 #endif
401 #if defined (CONFIG_IPSEC_ENC_3DES)
402 unsigned char *ekp;
403 unsigned int eks;
404 #endif
405
406 ipsp->ips_iv_size = 0;
407 #ifdef CONFIG_IPSEC_ALG
408 if ((ixt_e=ipsp->ips_alg_enc)) {
409 ipsp->ips_iv_size = ixt_e->ixt_ivlen/8;
410 } else
411 #endif /* CONFIG_IPSEC_ALG */
412 switch(ipsp->ips_encalg) {
413 # ifdef CONFIG_IPSEC_ENC_3DES
414 case ESP_3DES:
415 # endif /* CONFIG_IPSEC_ENC_3DES */
416 # if defined(CONFIG_IPSEC_ENC_3DES)
417 KLIPS_PRINT(debug_pfkey && sysctl_ipsec_debug_verbose,
418 "klips_debug:pfkey_ipsec_sa_init: "
419 "allocating %u bytes for iv.\n",
420 EMT_ESPDES_IV_SZ);
421 if((ipsp->ips_iv = (caddr_t)
422 kmalloc((ipsp->ips_iv_size = EMT_ESPDES_IV_SZ), GFP_ATOMIC)) == NULL) {
423 SENDERR(ENOMEM);
424 }
425 prng_bytes(&ipsec_prng, (char *)ipsp->ips_iv, EMT_ESPDES_IV_SZ);
426 ipsp->ips_iv_bits = ipsp->ips_iv_size * 8;
427 ipsp->ips_iv_size = EMT_ESPDES_IV_SZ;
428 break;
429 # endif /* defined(CONFIG_IPSEC_ENC_3DES) */
430 case ESP_NONE:
431 break;
432 default:
433 KLIPS_PRINT(debug_pfkey,
434 "klips_debug:pfkey_ipsec_sa_init: "
435 "encalg=%d support not available in the kernel",
436 ipsp->ips_encalg);
437 SENDERR(EINVAL);
438 }
439
440 /* Create IV */
441 if (ipsp->ips_iv_size) {
442 if((ipsp->ips_iv = (caddr_t)
443 kmalloc(ipsp->ips_iv_size, GFP_ATOMIC)) == NULL) {
444 SENDERR(ENOMEM);
445 }
446 prng_bytes(&ipsec_prng, (char *)ipsp->ips_iv, ipsp->ips_iv_size);
447 ipsp->ips_iv_bits = ipsp->ips_iv_size * 8;
448 }
449
450 #ifdef CONFIG_IPSEC_ALG
451 if (ixt_e) {
452 if ((error=ipsec_alg_enc_key_create(ipsp)) < 0)
453 SENDERR(-error);
454 } else
455 #endif /* CONFIG_IPSEC_ALG */
456 switch(ipsp->ips_encalg) {
457 # ifdef CONFIG_IPSEC_ENC_3DES
458 case ESP_3DES:
459 if(ipsp->ips_key_bits_e != (EMT_ESP3DES_KEY_SZ * 8)) {
460 KLIPS_PRINT(debug_pfkey,
461 "klips_debug:pfkey_ipsec_sa_init: "
462 "incorrect encryption key size: %d bits -- must be %d bits\n"/*octets (bytes)\n"*/,
463 ipsp->ips_key_bits_e, EMT_ESP3DES_KEY_SZ * 8);
464 SENDERR(EINVAL);
465 }
466
467 /* save encryption key pointer */
468 ekp = ipsp->ips_key_e;
469 eks = ipsp->ips_key_e_size;
470
471 KLIPS_PRINT(debug_pfkey && sysctl_ipsec_debug_verbose,
472 "klips_debug:pfkey_ipsec_sa_init: "
473 "allocating %lu bytes for 3des.\n",
474 (unsigned long) (3 * sizeof(struct des_eks)));
475 if((ipsp->ips_key_e = (caddr_t)
476 kmalloc(3 * sizeof(struct des_eks), GFP_ATOMIC)) == NULL) {
477 ipsp->ips_key_e = ekp;
478 SENDERR(ENOMEM);
479 }
480 ipsp->ips_key_e_size = 3 * sizeof(struct des_eks);
481
482 for(i = 0; i < 3; i++) {
483 #if KLIPS_DIVULGE_CYPHER_KEY
484 KLIPS_PRINT(debug_pfkey && sysctl_ipsec_debug_verbose,
485 "klips_debug:pfkey_ipsec_sa_init: "
486 "3des key %d/3 is 0x%08x%08x\n",
487 i + 1,
488 ntohl(*((__u32 *)ekp + i * 2)),
489 ntohl(*((__u32 *)ekp + i * 2 + 1)));
490 # endif
491 #if KLIPS_FIXES_DES_PARITY
492 /* force parity */
493 des_set_odd_parity((des_cblock *)(ekp + EMT_ESPDES_KEY_SZ * i));
494 #endif
495 error = des_set_key((des_cblock *)(ekp + EMT_ESPDES_KEY_SZ * i),
496 ((struct des_eks *)(ipsp->ips_key_e))[i].ks);
497 if (error == -1)
498 printk("klips_debug:pfkey_ipsec_sa_init: "
499 "parity error in des key %d/3\n",
500 i + 1);
501 else if (error == -2)
502 printk("klips_debug:pfkey_ipsec_sa_init: "
503 "illegal weak des key %d/3\n", i + 1);
504 if (error) {
505 memset(ekp, 0, eks);
506 kfree(ekp);
507 SENDERR(EINVAL);
508 }
509 }
510
511 /* paranoid */
512 memset(ekp, 0, eks);
513 kfree(ekp);
514 break;
515 # endif /* CONFIG_IPSEC_ENC_3DES */
516 case ESP_NONE:
517 break;
518 default:
519 KLIPS_PRINT(debug_pfkey,
520 "klips_debug:pfkey_ipsec_sa_init: "
521 "encalg=%d support not available in the kernel",
522 ipsp->ips_encalg);
523 SENDERR(EINVAL);
524 }
525
526 #ifdef CONFIG_IPSEC_ALG
527 if ((ixt_a=ipsp->ips_alg_auth)) {
528 if ((error=ipsec_alg_auth_key_create(ipsp)) < 0)
529 SENDERR(-error);
530 } else
531 #endif /* CONFIG_IPSEC_ALG */
532
533 switch(ipsp->ips_authalg) {
534 # ifdef CONFIG_IPSEC_AUTH_HMAC_MD5
535 case AH_MD5: {
536 MD5_CTX *ictx;
537 MD5_CTX *octx;
538
539 if(ipsp->ips_key_bits_a != (AHMD596_KLEN * 8)) {
540 KLIPS_PRINT(debug_pfkey,
541 "klips_debug:pfkey_ipsec_sa_init: "
542 "incorrect authorisation key size: %d bits -- must be %d bits\n"/*octets (bytes)\n"*/,
543 ipsp->ips_key_bits_a,
544 AHMD596_KLEN * 8);
545 SENDERR(EINVAL);
546 }
547
548 # if KLIPS_DIVULGE_HMAC_KEY
549 KLIPS_PRINT(debug_pfkey && sysctl_ipsec_debug_verbose,
550 "klips_debug:pfkey_ipsec_sa_init: "
551 "hmac md5-96 key is 0x%08x %08x %08x %08x\n",
552 ntohl(*(((__u32 *)(ipsp->ips_key_a))+0)),
553 ntohl(*(((__u32 *)(ipsp->ips_key_a))+1)),
554 ntohl(*(((__u32 *)(ipsp->ips_key_a))+2)),
555 ntohl(*(((__u32 *)(ipsp->ips_key_a))+3)));
556 # endif /* KLIPS_DIVULGE_HMAC_KEY */
557 ipsp->ips_auth_bits = AHMD596_ALEN * 8;
558
559 /* save the pointer to the key material */
560 akp = ipsp->ips_key_a;
561 aks = ipsp->ips_key_a_size;
562
563 KLIPS_PRINT(debug_pfkey && sysctl_ipsec_debug_verbose,
564 "klips_debug:pfkey_ipsec_sa_init: "
565 "allocating %lu bytes for md5_ctx.\n",
566 (unsigned long) sizeof(struct md5_ctx));
567 if((ipsp->ips_key_a = (caddr_t)
568 kmalloc(sizeof(struct md5_ctx), GFP_ATOMIC)) == NULL) {
569 ipsp->ips_key_a = akp;
570 SENDERR(ENOMEM);
571 }
572 ipsp->ips_key_a_size = sizeof(struct md5_ctx);
573
574 for (i = 0; i < DIVUP(ipsp->ips_key_bits_a, 8); i++) {
575 kb[i] = akp[i] ^ HMAC_IPAD;
576 }
577 for (; i < AHMD596_BLKLEN; i++) {
578 kb[i] = HMAC_IPAD;
579 }
580
581 ictx = &(((struct md5_ctx*)(ipsp->ips_key_a))->ictx);
582 MD5Init(ictx);
583 MD5Update(ictx, kb, AHMD596_BLKLEN);
584
585 for (i = 0; i < AHMD596_BLKLEN; i++) {
586 kb[i] ^= (HMAC_IPAD ^ HMAC_OPAD);
587 }
588
589 octx = &(((struct md5_ctx*)(ipsp->ips_key_a))->octx);
590 MD5Init(octx);
591 MD5Update(octx, kb, AHMD596_BLKLEN);
592
593 # if KLIPS_DIVULGE_HMAC_KEY
594 KLIPS_PRINT(debug_pfkey && sysctl_ipsec_debug_verbose,
595 "klips_debug:pfkey_ipsec_sa_init: "
596 "MD5 ictx=0x%08x %08x %08x %08x octx=0x%08x %08x %08x %08x\n",
597 ((__u32*)ictx)[0],
598 ((__u32*)ictx)[1],
599 ((__u32*)ictx)[2],
600 ((__u32*)ictx)[3],
601 ((__u32*)octx)[0],
602 ((__u32*)octx)[1],
603 ((__u32*)octx)[2],
604 ((__u32*)octx)[3] );
605 # endif /* KLIPS_DIVULGE_HMAC_KEY */
606 /* paranoid */
607 memset(akp, 0, aks);
608 kfree(akp);
609 break;
610 }
611 # endif /* CONFIG_IPSEC_AUTH_HMAC_MD5 */
612 # ifdef CONFIG_IPSEC_AUTH_HMAC_SHA1
613 case AH_SHA: {
614 SHA1_CTX *ictx;
615 SHA1_CTX *octx;
616
617 if(ipsp->ips_key_bits_a != (AHSHA196_KLEN * 8)) {
618 KLIPS_PRINT(debug_pfkey,
619 "klips_debug:pfkey_ipsec_sa_init: "
620 "incorrect authorisation key size: %d bits -- must be %d bits\n"/*octets (bytes)\n"*/,
621 ipsp->ips_key_bits_a,
622 AHSHA196_KLEN * 8);
623 SENDERR(EINVAL);
624 }
625
626 # if KLIPS_DIVULGE_HMAC_KEY
627 KLIPS_PRINT(debug_pfkey && sysctl_ipsec_debug_verbose,
628 "klips_debug:pfkey_ipsec_sa_init: "
629 "hmac sha1-96 key is 0x%08x %08x %08x %08x\n",
630 ntohl(*(((__u32 *)ipsp->ips_key_a)+0)),
631 ntohl(*(((__u32 *)ipsp->ips_key_a)+1)),
632 ntohl(*(((__u32 *)ipsp->ips_key_a)+2)),
633 ntohl(*(((__u32 *)ipsp->ips_key_a)+3)));
634 # endif /* KLIPS_DIVULGE_HMAC_KEY */
635 ipsp->ips_auth_bits = AHSHA196_ALEN * 8;
636
637 /* save the pointer to the key material */
638 akp = ipsp->ips_key_a;
639 aks = ipsp->ips_key_a_size;
640
641 KLIPS_PRINT(debug_pfkey && sysctl_ipsec_debug_verbose,
642 "klips_debug:pfkey_ipsec_sa_init: "
643 "allocating %lu bytes for sha1_ctx.\n",
644 (unsigned long) sizeof(struct sha1_ctx));
645 if((ipsp->ips_key_a = (caddr_t)
646 kmalloc(sizeof(struct sha1_ctx), GFP_ATOMIC)) == NULL) {
647 ipsp->ips_key_a = akp;
648 SENDERR(ENOMEM);
649 }
650 ipsp->ips_key_a_size = sizeof(struct sha1_ctx);
651
652 for (i = 0; i < DIVUP(ipsp->ips_key_bits_a, 8); i++) {
653 kb[i] = akp[i] ^ HMAC_IPAD;
654 }
655 for (; i < AHMD596_BLKLEN; i++) {
656 kb[i] = HMAC_IPAD;
657 }
658
659 ictx = &(((struct sha1_ctx*)(ipsp->ips_key_a))->ictx);
660 SHA1Init(ictx);
661 SHA1Update(ictx, kb, AHSHA196_BLKLEN);
662
663 for (i = 0; i < AHSHA196_BLKLEN; i++) {
664 kb[i] ^= (HMAC_IPAD ^ HMAC_OPAD);
665 }
666
667 octx = &((struct sha1_ctx*)(ipsp->ips_key_a))->octx;
668 SHA1Init(octx);
669 SHA1Update(octx, kb, AHSHA196_BLKLEN);
670
671 # if KLIPS_DIVULGE_HMAC_KEY
672 KLIPS_PRINT(debug_pfkey && sysctl_ipsec_debug_verbose,
673 "klips_debug:pfkey_ipsec_sa_init: "
674 "SHA1 ictx=0x%08x %08x %08x %08x octx=0x%08x %08x %08x %08x\n",
675 ((__u32*)ictx)[0],
676 ((__u32*)ictx)[1],
677 ((__u32*)ictx)[2],
678 ((__u32*)ictx)[3],
679 ((__u32*)octx)[0],
680 ((__u32*)octx)[1],
681 ((__u32*)octx)[2],
682 ((__u32*)octx)[3] );
683 # endif /* KLIPS_DIVULGE_HMAC_KEY */
684 memset(akp, 0, aks);
685 kfree(akp);
686 break;
687 }
688 # endif /* CONFIG_IPSEC_AUTH_HMAC_SHA1 */
689 case AH_NONE:
690 break;
691 default:
692 KLIPS_PRINT(debug_pfkey,
693 "klips_debug:pfkey_ipsec_sa_init: "
694 "authalg=%d support not available in the kernel.\n",
695 ipsp->ips_authalg);
696 SENDERR(EINVAL);
697 }
698 }
699 break;
700 #endif /* !CONFIG_IPSEC_ESP */
701 #ifdef CONFIG_IPSEC_IPCOMP
702 case IPPROTO_COMP:
703 ipsp->ips_comp_adapt_tries = 0;
704 ipsp->ips_comp_adapt_skip = 0;
705 ipsp->ips_comp_ratio_cbytes = 0;
706 ipsp->ips_comp_ratio_dbytes = 0;
707 break;
708 #endif /* CONFIG_IPSEC_IPCOMP */
709 default:
710 KLIPS_PRINT(debug_pfkey,
711 "klips_debug:pfkey_ipsec_sa_init: "
712 "proto=%d unknown.\n",
713 ipsp->ips_said.proto);
714 SENDERR(EINVAL);
715 }
716
717 errlab:
718 return(error);
719 }
720
721
722 int
723 pfkey_safe_build(int error, struct sadb_ext *extensions[SADB_MAX+1])
724 {
725 KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_safe_build: "
726 "error=%d\n",
727 error);
728 if (!error) {
729 KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_safe_build:"
730 "success.\n");
731 return 1;
732 } else {
733 KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_safe_build:"
734 "caught error %d\n",
735 error);
736 pfkey_extensions_free(extensions);
737 return 0;
738 }
739 }
740
741
742 DEBUG_NO_STATIC int
743 pfkey_getspi_parse(struct sock *sk, struct sadb_ext **extensions, struct pfkey_extracted_data* extr)
744 {
745 int error = 0;
746 ipsec_spi_t minspi = htonl(256), maxspi = htonl(-1L);
747 int found_avail = 0;
748 struct ipsec_sa *ipsq;
749 char sa[SATOA_BUF];
750 size_t sa_len;
751 struct sadb_ext *extensions_reply[SADB_EXT_MAX+1];
752 struct sadb_msg *pfkey_reply = NULL;
753 struct socket_list *pfkey_socketsp;
754 uint8_t satype = ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_satype;
755
756 KLIPS_PRINT(debug_pfkey,
757 "klips_debug:pfkey_getspi_parse: .\n");
758
759 pfkey_extensions_init(extensions_reply);
760
761 if(extr == NULL || extr->ips == NULL) {
762 KLIPS_PRINT(debug_pfkey,
763 "klips_debug:pfkey_getspi_parse: "
764 "error, extr or extr->ipsec_sa pointer NULL\n");
765 SENDERR(EINVAL);
766 }
767
768 if(extensions[SADB_EXT_SPIRANGE]) {
769 minspi = ((struct sadb_spirange *)extensions[SADB_EXT_SPIRANGE])->sadb_spirange_min;
770 maxspi = ((struct sadb_spirange *)extensions[SADB_EXT_SPIRANGE])->sadb_spirange_max;
771 }
772
773 if(maxspi == minspi) {
774 extr->ips->ips_said.spi = maxspi;
775 ipsq = ipsec_sa_getbyid(&(extr->ips->ips_said));
776 if(ipsq != NULL) {
777 sa_len = satoa(extr->ips->ips_said, 0, sa, SATOA_BUF);
778 ipsec_sa_put(ipsq);
779 KLIPS_PRINT(debug_pfkey,
780 "klips_debug:pfkey_getspi_parse: "
781 "EMT_GETSPI found an old ipsec_sa for SA: %s, delete it first.\n",
782 sa_len ? sa : " (error)");
783 SENDERR(EEXIST);
784 } else {
785 found_avail = 1;
786 }
787 } else {
788 int i = 0;
789 __u32 rand_val;
790 __u32 spi_diff;
791 while( ( i < (spi_diff = (ntohl(maxspi) - ntohl(minspi)))) && !found_avail ) {
792 prng_bytes(&ipsec_prng, (char *) &(rand_val),
793 ( (spi_diff < (2^8)) ? 1 :
794 ( (spi_diff < (2^16)) ? 2 :
795 ( (spi_diff < (2^24)) ? 3 :
796 4 ) ) ) );
797 extr->ips->ips_said.spi = htonl(ntohl(minspi) +
798 (rand_val %
799 (spi_diff + 1)));
800 i++;
801 ipsq = ipsec_sa_getbyid(&(extr->ips->ips_said));
802 if(ipsq == NULL) {
803 found_avail = 1;
804 } else {
805 ipsec_sa_put(ipsq);
806 }
807 }
808 }
809
810 sa_len = satoa(extr->ips->ips_said, 0, sa, SATOA_BUF);
811
812 if (!found_avail) {
813 KLIPS_PRINT(debug_pfkey,
814 "klips_debug:pfkey_getspi_parse: "
815 "found an old ipsec_sa for SA: %s, delete it first.\n",
816 sa_len ? sa : " (error)");
817 SENDERR(EEXIST);
818 }
819
820 if(ip_chk_addr((unsigned long)extr->ips->ips_said.dst.s_addr) == IS_MYADDR) {
821 extr->ips->ips_flags |= EMT_INBOUND;
822 }
823
824 KLIPS_PRINT(debug_pfkey,
825 "klips_debug:pfkey_getspi_parse: "
826 "existing ipsec_sa not found (this is good) for SA: %s, %s-bound, allocating.\n",
827 sa_len ? sa : " (error)",
828 extr->ips->ips_flags & EMT_INBOUND ? "in" : "out");
829
830 /* XXX extr->ips->ips_rcvif = &(enc_softc[em->em_if].enc_if);*/
831 extr->ips->ips_rcvif = NULL;
832 extr->ips->ips_life.ipl_addtime.ipl_count = jiffies/HZ;
833
834 extr->ips->ips_state = SADB_SASTATE_LARVAL;
835
836 if(!extr->ips->ips_life.ipl_allocations.ipl_count) {
837 extr->ips->ips_life.ipl_allocations.ipl_count += 1;
838 }
839
840 if(!(pfkey_safe_build(error = pfkey_msg_hdr_build(&extensions_reply[0],
841 SADB_GETSPI,
842 satype,
843 0,
844 ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_seq,
845 ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_pid),
846 extensions_reply)
847 && pfkey_safe_build(error = pfkey_sa_ref_build(&extensions_reply[SADB_EXT_SA],
848 SADB_EXT_SA,
849 extr->ips->ips_said.spi,
850 0,
851 SADB_SASTATE_LARVAL,
852 0,
853 0,
854 0,
855 extr->ips->ips_ref),
856 extensions_reply)
857 && pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_EXT_ADDRESS_SRC],
858 SADB_EXT_ADDRESS_SRC,
859 0, /*extr->ips->ips_said.proto,*/
860 0,
861 extr->ips->ips_addr_s),
862 extensions_reply)
863 && pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_EXT_ADDRESS_DST],
864 SADB_EXT_ADDRESS_DST,
865 0, /*extr->ips->ips_said.proto,*/
866 0,
867 extr->ips->ips_addr_d),
868 extensions_reply) )) {
869 KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_getspi_parse: "
870 "failed to build the getspi reply message extensions\n");
871 goto errlab;
872 }
873
874 if((error = pfkey_msg_build(&pfkey_reply, extensions_reply, EXT_BITS_OUT))) {
875 KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_getspi_parse: "
876 "failed to build the getspi reply message\n");
877 SENDERR(-error);
878 }
879 for(pfkey_socketsp = pfkey_open_sockets;
880 pfkey_socketsp;
881 pfkey_socketsp = pfkey_socketsp->next) {
882 if((error = pfkey_upmsg(pfkey_socketsp->socketp, pfkey_reply))) {
883 KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_getspi_parse: "
884 "sending up getspi reply message for satype=%d(%s) to socket=0p%p failed with error=%d.\n",
885 satype,
886 satype2name(satype),
887 pfkey_socketsp->socketp,
888 error);
889 SENDERR(-error);
890 }
891 KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_getspi_parse: "
892 "sending up getspi reply message for satype=%d(%s) to socket=0p%p succeeded.\n",
893 satype,
894 satype2name(satype),
895 pfkey_socketsp->socketp);
896 }
897
898 if((error = ipsec_sa_add(extr->ips))) {
899 KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_getspi_parse: "
900 "failed to add the larval SA=%s with error=%d.\n",
901 sa_len ? sa : " (error)",
902 error);
903 SENDERR(-error);
904 }
905 extr->ips = NULL;
906
907 KLIPS_PRINT(debug_pfkey,
908 "klips_debug:pfkey_getspi_parse: "
909 "successful for SA: %s\n",
910 sa_len ? sa : " (error)");
911
912 errlab:
913 if (pfkey_reply) {
914 pfkey_msg_free(&pfkey_reply);
915 }
916 pfkey_extensions_free(extensions_reply);
917 return error;
918 }
919
920 DEBUG_NO_STATIC int
921 pfkey_update_parse(struct sock *sk, struct sadb_ext **extensions, struct pfkey_extracted_data* extr)
922 {
923 int error = 0;
924 struct ipsec_sa* ipsq;
925 char sa[SATOA_BUF];
926 size_t sa_len;
927 struct sadb_ext *extensions_reply[SADB_EXT_MAX+1];
928 struct sadb_msg *pfkey_reply = NULL;
929 struct socket_list *pfkey_socketsp;
930 uint8_t satype = ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_satype;
931 #ifdef CONFIG_IPSEC_NAT_TRAVERSAL
932 struct ipsec_sa *nat_t_ips_saved = NULL;
933 #endif
934 KLIPS_PRINT(debug_pfkey,
935 "klips_debug:pfkey_update_parse: .\n");
936
937 pfkey_extensions_init(extensions_reply);
938
939 if(((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_state != SADB_SASTATE_MATURE) {
940 KLIPS_PRINT(debug_pfkey,
941 "klips_debug:pfkey_update_parse: "
942 "error, sa_state=%d must be MATURE=%d\n",
943 ((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_state,
944 SADB_SASTATE_MATURE);
945 SENDERR(EINVAL);
946 }
947
948 if(extr == NULL || extr->ips == NULL) {
949 KLIPS_PRINT(debug_pfkey,
950 "klips_debug:pfkey_update_parse: "
951 "error, extr or extr->ips pointer NULL\n");
952 SENDERR(EINVAL);
953 }
954
955 sa_len = satoa(extr->ips->ips_said, 0, sa, SATOA_BUF);
956
957 spin_lock_bh(&tdb_lock);
958
959 ipsq = ipsec_sa_getbyid(&(extr->ips->ips_said));
960 if (ipsq == NULL) {
961 spin_unlock_bh(&tdb_lock);
962 KLIPS_PRINT(debug_pfkey,
963 "klips_debug:pfkey_update_parse: "
964 "reserved ipsec_sa for SA: %s not found. Call SADB_GETSPI first or call SADB_ADD instead.\n",
965 sa_len ? sa : " (error)");
966 SENDERR(ENOENT);
967 }
968
969 if(ip_chk_addr((unsigned long)extr->ips->ips_said.dst.s_addr) == IS_MYADDR) {
970 extr->ips->ips_flags |= EMT_INBOUND;
971 }
972
973 KLIPS_PRINT(debug_pfkey,
974 "klips_debug:pfkey_update_parse: "
975 "existing ipsec_sa found (this is good) for SA: %s, %s-bound, updating.\n",
976 sa_len ? sa : " (error)",
977 extr->ips->ips_flags & EMT_INBOUND ? "in" : "out");
978
979 #ifdef CONFIG_IPSEC_NAT_TRAVERSAL
980 if (extr->ips->ips_natt_sport || extr->ips->ips_natt_dport) {
981 KLIPS_PRINT(debug_pfkey,
982 "klips_debug:pfkey_update_parse: only updating NAT-T ports "
983 "(%u:%u -> %u:%u)\n",
984 ipsq->ips_natt_sport, ipsq->ips_natt_dport,
985 extr->ips->ips_natt_sport, extr->ips->ips_natt_dport);
986
987 if (extr->ips->ips_natt_sport) {
988 ipsq->ips_natt_sport = extr->ips->ips_natt_sport;
989 if (ipsq->ips_addr_s->sa_family == AF_INET) {
990 ((struct sockaddr_in *)(ipsq->ips_addr_s))->sin_port = htons(extr->ips->ips_natt_sport);
991 }
992 }
993
994 if (extr->ips->ips_natt_dport) {
995 ipsq->ips_natt_dport = extr->ips->ips_natt_dport;
996 if (ipsq->ips_addr_d->sa_family == AF_INET) {
997 ((struct sockaddr_in *)(ipsq->ips_addr_d))->sin_port = htons(extr->ips->ips_natt_dport);
998 }
999 }
1000
1001 nat_t_ips_saved = extr->ips;
1002 extr->ips = ipsq;
1003 }
1004 else {
1005 #endif
1006
1007 /* XXX extr->ips->ips_rcvif = &(enc_softc[em->em_if].enc_if);*/
1008 extr->ips->ips_rcvif = NULL;
1009 if ((error = pfkey_ipsec_sa_init(extr->ips, extensions))) {
1010 ipsec_sa_put(ipsq);
1011 spin_unlock_bh(&tdb_lock);
1012 KLIPS_PRINT(debug_pfkey,
1013 "klips_debug:pfkey_update_parse: "
1014 "not successful for SA: %s, deleting.\n",
1015 sa_len ? sa : " (error)");
1016 SENDERR(-error);
1017 }
1018
1019 extr->ips->ips_life.ipl_addtime.ipl_count = ipsq->ips_life.ipl_addtime.ipl_count;
1020 ipsec_sa_put(ipsq);
1021 if((error = ipsec_sa_delchain(ipsq))) {
1022 spin_unlock_bh(&tdb_lock);
1023 KLIPS_PRINT(debug_pfkey,
1024 "klips_debug:pfkey_update_parse: "
1025 "error=%d, trouble deleting intermediate ipsec_sa for SA=%s.\n",
1026 error,
1027 sa_len ? sa : " (error)");
1028 SENDERR(-error);
1029 }
1030 #ifdef CONFIG_IPSEC_NAT_TRAVERSAL
1031 }
1032 #endif
1033
1034 spin_unlock_bh(&tdb_lock);
1035
1036 if(!(pfkey_safe_build(error = pfkey_msg_hdr_build(&extensions_reply[0],
1037 SADB_UPDATE,
1038 satype,
1039 0,
1040 ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_seq,
1041 ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_pid),
1042 extensions_reply)
1043 && pfkey_safe_build(error = pfkey_sa_ref_build(&extensions_reply[SADB_EXT_SA],
1044 SADB_EXT_SA,
1045 extr->ips->ips_said.spi,
1046 extr->ips->ips_replaywin,
1047 extr->ips->ips_state,
1048 extr->ips->ips_authalg,
1049 extr->ips->ips_encalg,
1050 extr->ips->ips_flags,
1051 extr->ips->ips_ref),
1052 extensions_reply)
1053 /* The 3 lifetime extentions should only be sent if non-zero. */
1054 && (extensions[SADB_EXT_LIFETIME_HARD]
1055 ? pfkey_safe_build(error = pfkey_lifetime_build(&extensions_reply[SADB_EXT_LIFETIME_HARD],
1056 SADB_EXT_LIFETIME_HARD,
1057 extr->ips->ips_life.ipl_allocations.ipl_hard,
1058 extr->ips->ips_life.ipl_bytes.ipl_hard,
1059 extr->ips->ips_life.ipl_addtime.ipl_hard,
1060 extr->ips->ips_life.ipl_usetime.ipl_hard,
1061 extr->ips->ips_life.ipl_packets.ipl_hard),
1062 extensions_reply) : 1)
1063 && (extensions[SADB_EXT_LIFETIME_SOFT]
1064 ? pfkey_safe_build(error = pfkey_lifetime_build(&extensions_reply[SADB_EXT_LIFETIME_SOFT],
1065 SADB_EXT_LIFETIME_SOFT,
1066 extr->ips->ips_life.ipl_allocations.ipl_count,
1067 extr->ips->ips_life.ipl_bytes.ipl_count,
1068 extr->ips->ips_life.ipl_addtime.ipl_count,
1069 extr->ips->ips_life.ipl_usetime.ipl_count,
1070 extr->ips->ips_life.ipl_packets.ipl_count),
1071 extensions_reply) : 1)
1072 && (extr->ips->ips_life.ipl_allocations.ipl_count
1073 || extr->ips->ips_life.ipl_bytes.ipl_count
1074 || extr->ips->ips_life.ipl_addtime.ipl_count
1075 || extr->ips->ips_life.ipl_usetime.ipl_count
1076 || extr->ips->ips_life.ipl_packets.ipl_count
1077
1078 ? pfkey_safe_build(error = pfkey_lifetime_build(&extensions_reply[SADB_EXT_LIFETIME_CURRENT],
1079 SADB_EXT_LIFETIME_CURRENT,
1080 extr->ips->ips_life.ipl_allocations.ipl_count,
1081 extr->ips->ips_life.ipl_bytes.ipl_count,
1082 extr->ips->ips_life.ipl_addtime.ipl_count,
1083 extr->ips->ips_life.ipl_usetime.ipl_count,
1084 extr->ips->ips_life.ipl_packets.ipl_count),
1085 extensions_reply) : 1)
1086 && pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_EXT_ADDRESS_SRC],
1087 SADB_EXT_ADDRESS_SRC,
1088 0, /*extr->ips->ips_said.proto,*/
1089 0,
1090 extr->ips->ips_addr_s),
1091 extensions_reply)
1092 && pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_EXT_ADDRESS_DST],
1093 SADB_EXT_ADDRESS_DST,
1094 0, /*extr->ips->ips_said.proto,*/
1095 0,
1096 extr->ips->ips_addr_d),
1097 extensions_reply)
1098 && (extr->ips->ips_ident_s.data
1099 ? pfkey_safe_build(error = pfkey_ident_build(&extensions_reply[SADB_EXT_IDENTITY_SRC],
1100 SADB_EXT_IDENTITY_SRC,
1101 extr->ips->ips_ident_s.type,
1102 extr->ips->ips_ident_s.id,
1103 extr->ips->ips_ident_s.len,
1104 extr->ips->ips_ident_s.data),
1105 extensions_reply) : 1)
1106 && (extr->ips->ips_ident_d.data
1107 ? pfkey_safe_build(error = pfkey_ident_build(&extensions_reply[SADB_EXT_IDENTITY_DST],
1108 SADB_EXT_IDENTITY_DST,
1109 extr->ips->ips_ident_d.type,
1110 extr->ips->ips_ident_d.id,
1111 extr->ips->ips_ident_d.len,
1112 extr->ips->ips_ident_d.data),
1113 extensions_reply) : 1)
1114 #if 0
1115 /* FIXME: This won't work yet because I have not finished
1116 it. */
1117 && (extr->ips->ips_sens_
1118 ? pfkey_safe_build(error = pfkey_sens_build(&extensions_reply[SADB_EXT_SENSITIVITY],
1119 extr->ips->ips_sens_dpd,
1120 extr->ips->ips_sens_sens_level,
1121 extr->ips->ips_sens_sens_len,
1122 extr->ips->ips_sens_sens_bitmap,
1123 extr->ips->ips_sens_integ_level,
1124 extr->ips->ips_sens_integ_len,
1125 extr->ips->ips_sens_integ_bitmap),
1126 extensions_reply) : 1)
1127 #endif
1128 )) {
1129 KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_update_parse: "
1130 "failed to build the update reply message extensions\n");
1131 SENDERR(-error);
1132 }
1133
1134 if((error = pfkey_msg_build(&pfkey_reply, extensions_reply, EXT_BITS_OUT))) {
1135 KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_update_parse: "
1136 "failed to build the update reply message\n");
1137 SENDERR(-error);
1138 }
1139 for(pfkey_socketsp = pfkey_open_sockets;
1140 pfkey_socketsp;
1141 pfkey_socketsp = pfkey_socketsp->next) {
1142 if((error = pfkey_upmsg(pfkey_socketsp->socketp, pfkey_reply))) {
1143 KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_update_parse: "
1144 "sending up update reply message for satype=%d(%s) to socket=0p%p failed with error=%d.\n",
1145 satype,
1146 satype2name(satype),
1147 pfkey_socketsp->socketp,
1148 error);
1149 SENDERR(-error);
1150 }
1151 KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_update_parse: "
1152 "sending up update reply message for satype=%d(%s) to socket=0p%p succeeded.\n",
1153 satype,
1154 satype2name(satype),
1155 pfkey_socketsp->socketp);
1156 }
1157
1158 #ifdef CONFIG_IPSEC_NAT_TRAVERSAL
1159 if (nat_t_ips_saved) {
1160 /**
1161 * As we _really_ update existing SA, we keep tdbq and need to delete
1162 * parsed ips (nat_t_ips_saved, was extr->ips).
1163 *
1164 * goto errlab with extr->ips = nat_t_ips_saved will free it.
1165 */
1166
1167 extr->ips = nat_t_ips_saved;
1168
1169 error = 0;
1170 KLIPS_PRINT(debug_pfkey,
1171 "klips_debug:pfkey_update_parse (NAT-T ports): "
1172 "successful for SA: %s\n",
1173 sa_len ? sa : " (error)");
1174
1175 goto errlab;
1176 }
1177 #endif
1178
1179 if((error = ipsec_sa_add(extr->ips))) {
1180 KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_update_parse: "
1181 "failed to update the mature SA=%s with error=%d.\n",
1182 sa_len ? sa : " (error)",
1183 error);
1184 SENDERR(-error);
1185 }
1186 extr->ips = NULL;
1187
1188 KLIPS_PRINT(debug_pfkey,
1189 "klips_debug:pfkey_update_parse: "
1190 "successful for SA: %s\n",
1191 sa_len ? sa : " (error)");
1192
1193 errlab:
1194 if (pfkey_reply) {
1195 pfkey_msg_free(&pfkey_reply);
1196 }
1197 pfkey_extensions_free(extensions_reply);
1198 return error;
1199 }
1200
1201 DEBUG_NO_STATIC int
1202 pfkey_add_parse(struct sock *sk, struct sadb_ext **extensions, struct pfkey_extracted_data* extr)
1203 {
1204 int error = 0;
1205 struct ipsec_sa* ipsq;
1206 char sa[SATOA_BUF];
1207 size_t sa_len;
1208 struct sadb_ext *extensions_reply[SADB_EXT_MAX+1];
1209 struct sadb_msg *pfkey_reply = NULL;
1210 struct socket_list *pfkey_socketsp;
1211 uint8_t satype = ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_satype;
1212
1213 KLIPS_PRINT(debug_pfkey,
1214 "klips_debug:pfkey_add_parse: .\n");
1215
1216 pfkey_extensions_init(extensions_reply);
1217
1218 if(((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_state != SADB_SASTATE_MATURE) {
1219 KLIPS_PRINT(debug_pfkey,
1220 "klips_debug:pfkey_add_parse: "
1221 "error, sa_state=%d must be MATURE=%d\n",
1222 ((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_state,
1223 SADB_SASTATE_MATURE);
1224 SENDERR(EINVAL);
1225 }
1226
1227 if(!extr || !extr->ips) {
1228 KLIPS_PRINT(debug_pfkey,
1229 "klips_debug:pfkey_add_parse: "
1230 "extr or extr->ips pointer NULL\n");
1231 SENDERR(EINVAL);
1232 }
1233
1234 sa_len = satoa(extr->ips->ips_said, 0, sa, SATOA_BUF);
1235
1236 ipsq = ipsec_sa_getbyid(&(extr->ips->ips_said));
1237 if(ipsq != NULL) {
1238 ipsec_sa_put(ipsq);
1239 KLIPS_PRINT(debug_pfkey,
1240 "klips_debug:pfkey_add_parse: "
1241 "found an old ipsec_sa for SA%s, delete it first.\n",
1242 sa_len ? sa : " (error)");
1243 SENDERR(EEXIST);
1244 }
1245
1246 if(ip_chk_addr((unsigned long)extr->ips->ips_said.dst.s_addr) == IS_MYADDR) {
1247 extr->ips->ips_flags |= EMT_INBOUND;
1248 }
1249
1250 KLIPS_PRINT(debug_pfkey,
1251 "klips_debug:pfkey_add_parse: "
1252 "existing ipsec_sa not found (this is good) for SA%s, %s-bound, allocating.\n",
1253 sa_len ? sa : " (error)",
1254 extr->ips->ips_flags & EMT_INBOUND ? "in" : "out");
1255
1256 /* XXX extr->ips->ips_rcvif = &(enc_softc[em->em_if].enc_if);*/
1257 extr->ips->ips_rcvif = NULL;
1258
1259 if ((error = pfkey_ipsec_sa_init(extr->ips, extensions))) {
1260 KLIPS_PRINT(debug_pfkey,
1261 "klips_debug:pfkey_add_parse: "
1262 "not successful for SA: %s, deleting.\n",
1263 sa_len ? sa : " (error)");
1264 SENDERR(-error);
1265 }
1266
1267 extr->ips->ips_life.ipl_addtime.ipl_count = jiffies / HZ;
1268 if(!extr->ips->ips_life.ipl_allocations.ipl_count) {
1269 extr->ips->ips_life.ipl_allocations.ipl_count += 1;
1270 }
1271
1272 if(!(pfkey_safe_build(error = pfkey_msg_hdr_build(&extensions_reply[0],
1273 SADB_ADD,
1274 satype,
1275 0,
1276 ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_seq,
1277 ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_pid),
1278 extensions_reply)
1279 && pfkey_safe_build(error = pfkey_sa_ref_build(&extensions_reply[SADB_EXT_SA],
1280 SADB_EXT_SA,
1281 extr->ips->ips_said.spi,
1282 extr->ips->ips_replaywin,
1283 extr->ips->ips_state,
1284 extr->ips->ips_authalg,
1285 extr->ips->ips_encalg,
1286 extr->ips->ips_flags,
1287 extr->ips->ips_ref),
1288 extensions_reply)
1289 /* The 3 lifetime extentions should only be sent if non-zero. */
1290 && (extensions[SADB_EXT_LIFETIME_HARD]
1291 ? pfkey_safe_build(error = pfkey_lifetime_build(&extensions_reply[SADB_EXT_LIFETIME_HARD],
1292 SADB_EXT_LIFETIME_HARD,
1293 extr->ips->ips_life.ipl_allocations.ipl_hard,
1294 extr->ips->ips_life.ipl_bytes.ipl_hard,
1295 extr->ips->ips_life.ipl_addtime.ipl_hard,
1296 extr->ips->ips_life.ipl_usetime.ipl_hard,
1297 extr->ips->ips_life.ipl_packets.ipl_hard),
1298 extensions_reply) : 1)
1299 && (extensions[SADB_EXT_LIFETIME_SOFT]
1300 ? pfkey_safe_build(error = pfkey_lifetime_build(&extensions_reply[SADB_EXT_LIFETIME_SOFT],
1301 SADB_EXT_LIFETIME_SOFT,
1302 extr->ips->ips_life.ipl_allocations.ipl_soft,
1303 extr->ips->ips_life.ipl_bytes.ipl_soft,
1304 extr->ips->ips_life.ipl_addtime.ipl_soft,
1305 extr->ips->ips_life.ipl_usetime.ipl_soft,
1306 extr->ips->ips_life.ipl_packets.ipl_soft),
1307 extensions_reply) : 1)
1308 && pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_EXT_ADDRESS_SRC],
1309 SADB_EXT_ADDRESS_SRC,
1310 0, /*extr->ips->ips_said.proto,*/
1311 0,
1312 extr->ips->ips_addr_s),
1313 extensions_reply)
1314 && pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_EXT_ADDRESS_DST],
1315 SADB_EXT_ADDRESS_DST,
1316 0, /*extr->ips->ips_said.proto,*/
1317 0,
1318 extr->ips->ips_addr_d),
1319 extensions_reply)
1320 && (extr->ips->ips_ident_s.data
1321 ? pfkey_safe_build(error = pfkey_ident_build(&extensions_reply[SADB_EXT_IDENTITY_SRC],
1322 SADB_EXT_IDENTITY_SRC,
1323 extr->ips->ips_ident_s.type,
1324 extr->ips->ips_ident_s.id,
1325 extr->ips->ips_ident_s.len,
1326 extr->ips->ips_ident_s.data),
1327 extensions_reply) : 1)
1328 && (extr->ips->ips_ident_d.data
1329 ? pfkey_safe_build(error = pfkey_ident_build(&extensions_reply[SADB_EXT_IDENTITY_DST],
1330 SADB_EXT_IDENTITY_DST,
1331 extr->ips->ips_ident_d.type,
1332 extr->ips->ips_ident_d.id,
1333 extr->ips->ips_ident_d.len,
1334 extr->ips->ips_ident_d.data),
1335 extensions_reply) : 1)
1336 #if 0
1337 /* FIXME: This won't work yet because I have not finished
1338 it. */
1339 && (extr->ips->ips_sens_
1340 ? pfkey_safe_build(error = pfkey_sens_build(&extensions_reply[SADB_EXT_SENSITIVITY],
1341 extr->ips->ips_sens_dpd,
1342 extr->ips->ips_sens_sens_level,
1343 extr->ips->ips_sens_sens_len,
1344 extr->ips->ips_sens_sens_bitmap,
1345 extr->ips->ips_sens_integ_level,
1346 extr->ips->ips_sens_integ_len,
1347 extr->ips->ips_sens_integ_bitmap),
1348 extensions_reply) : 1)
1349 #endif
1350 )) {
1351 KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_add_parse: "
1352 "failed to build the add reply message extensions\n");
1353 SENDERR(-error);
1354 }
1355
1356 if((error = pfkey_msg_build(&pfkey_reply, extensions_reply, EXT_BITS_OUT))) {
1357 KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_add_parse: "
1358 "failed to build the add reply message\n");
1359 SENDERR(-error);
1360 }
1361 for(pfkey_socketsp = pfkey_open_sockets;
1362 pfkey_socketsp;
1363 pfkey_socketsp = pfkey_socketsp->next) {
1364 if((error = pfkey_upmsg(pfkey_socketsp->socketp, pfkey_reply))) {
1365 KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_add_parse: "
1366 "sending up add reply message for satype=%d(%s) to socket=0p%p failed with error=%d.\n",
1367 satype,
1368 satype2name(satype),
1369 pfkey_socketsp->socketp,
1370 error);
1371 SENDERR(-error);
1372 }
1373 KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_add_parse: "
1374 "sending up add reply message for satype=%d(%s) to socket=0p%p succeeded.\n",
1375 satype,
1376 satype2name(satype),
1377 pfkey_socketsp->socketp);
1378 }
1379
1380 if((error = ipsec_sa_add(extr->ips))) {
1381 KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_add_parse: "
1382 "failed to add the mature SA=%s with error=%d.\n",
1383 sa_len ? sa : " (error)",
1384 error);
1385 SENDERR(-error);
1386 }
1387 extr->ips = NULL;
1388
1389 KLIPS_PRINT(debug_pfkey,
1390 "klips_debug:pfkey_add_parse: "
1391 "successful for SA: %s\n",
1392 sa_len ? sa : " (error)");
1393
1394 errlab:
1395 if (pfkey_reply) {
1396 pfkey_msg_free(&pfkey_reply);
1397 }
1398 pfkey_extensions_free(extensions_reply);
1399 return error;
1400 }
1401
1402 DEBUG_NO_STATIC int
1403 pfkey_delete_parse(struct sock *sk, struct sadb_ext **extensions, struct pfkey_extracted_data* extr)
1404 {
1405 struct ipsec_sa *ipsp;
1406 char sa[SATOA_BUF];
1407 size_t sa_len;
1408 int error = 0;
1409 struct sadb_ext *extensions_reply[SADB_EXT_MAX+1];
1410 struct sadb_msg *pfkey_reply = NULL;
1411 struct socket_list *pfkey_socketsp;
1412 uint8_t satype = ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_satype;
1413
1414 KLIPS_PRINT(debug_pfkey,
1415 "klips_debug:pfkey_delete_parse: .\n");
1416
1417 pfkey_extensions_init(extensions_reply);
1418
1419 if(!extr || !extr->ips) {
1420 KLIPS_PRINT(debug_pfkey,
1421 "klips_debug:pfkey_delete_parse: "
1422 "extr or extr->ips pointer NULL, fatal\n");
1423 SENDERR(EINVAL);
1424 }
1425
1426 sa_len = satoa(extr->ips->ips_said, 0, sa, SATOA_BUF);
1427
1428 spin_lock_bh(&tdb_lock);
1429
1430 ipsp = ipsec_sa_getbyid(&(extr->ips->ips_said));
1431 if (ipsp == NULL) {
1432 spin_unlock_bh(&tdb_lock);
1433 KLIPS_PRINT(debug_pfkey,
1434 "klips_debug:pfkey_delete_parse: "
1435 "ipsec_sa not found for SA:%s, could not delete.\n",
1436 sa_len ? sa : " (error)");
1437 SENDERR(ESRCH);
1438 }
1439
1440 ipsec_sa_put(ipsp);
1441 if((error = ipsec_sa_delchain(ipsp))) {
1442 spin_unlock_bh(&tdb_lock);
1443 KLIPS_PRINT(debug_pfkey,
1444 "klips_debug:pfkey_delete_parse: "
1445 "error=%d returned trying to delete ipsec_sa for SA:%s.\n",
1446 error,
1447 sa_len ? sa : " (error)");
1448 SENDERR(-error);
1449 }
1450 spin_unlock_bh(&tdb_lock);
1451
1452 if(!(pfkey_safe_build(error = pfkey_msg_hdr_build(&extensions_reply[0],
1453 SADB_DELETE,
1454 satype,
1455 0,
1456 ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_seq,
1457 ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_pid),
1458 extensions_reply)
1459 && pfkey_safe_build(error = pfkey_sa_ref_build(&extensions_reply[SADB_EXT_SA],
1460 SADB_EXT_SA,
1461 extr->ips->ips_said.spi,
1462 0,
1463 0,
1464 0,
1465 0,
1466 0,
1467 extr->ips->ips_ref),
1468 extensions_reply)
1469 && pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_EXT_ADDRESS_SRC],
1470 SADB_EXT_ADDRESS_SRC,
1471 0, /*extr->ips->ips_said.proto,*/
1472 0,
1473 extr->ips->ips_addr_s),
1474 extensions_reply)
1475 && pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_EXT_ADDRESS_DST],
1476 SADB_EXT_ADDRESS_DST,
1477 0, /*extr->ips->ips_said.proto,*/
1478 0,
1479 extr->ips->ips_addr_d),
1480 extensions_reply)
1481 )) {
1482 KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_delete_parse: "
1483 "failed to build the delete reply message extensions\n");
1484 SENDERR(-error);
1485 }
1486
1487 if((error = pfkey_msg_build(&pfkey_reply, extensions_reply, EXT_BITS_OUT))) {
1488 KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_delete_parse: "
1489 "failed to build the delete reply message\n");
1490 SENDERR(-error);
1491 }
1492 for(pfkey_socketsp = pfkey_open_sockets;
1493 pfkey_socketsp;
1494 pfkey_socketsp = pfkey_socketsp->next) {
1495 if((error = pfkey_upmsg(pfkey_socketsp->socketp, pfkey_reply))) {
1496 KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_delete_parse: "
1497 "sending up delete reply message for satype=%d(%s) to socket=0p%p failed with error=%d.\n",
1498 satype,
1499 satype2name(satype),
1500 pfkey_socketsp->socketp,
1501 error);
1502 SENDERR(-error);
1503 }
1504 KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_delete_parse: "
1505 "sending up delete reply message for satype=%d(%s) to socket=0p%p succeeded.\n",
1506 satype,
1507 satype2name(satype),
1508 pfkey_socketsp->socketp);
1509 }
1510
1511 errlab:
1512 if (pfkey_reply) {
1513 pfkey_msg_free(&pfkey_reply);
1514 }
1515 pfkey_extensions_free(extensions_reply);
1516 return error;
1517 }
1518
1519 DEBUG_NO_STATIC int
1520 pfkey_get_parse(struct sock *sk, struct sadb_ext **extensions, struct pfkey_extracted_data* extr)
1521 {
1522 int error = 0;
1523 struct ipsec_sa *ipsp;
1524 char sa[SATOA_BUF];
1525 size_t sa_len;
1526 struct sadb_ext *extensions_reply[SADB_EXT_MAX+1];
1527 struct sadb_msg *pfkey_reply = NULL;
1528
1529 KLIPS_PRINT(debug_pfkey,
1530 "klips_debug:pfkey_get_parse: .\n");
1531
1532 pfkey_extensions_init(extensions_reply);
1533
1534 if(!extr || !extr->ips) {
1535 KLIPS_PRINT(debug_pfkey,
1536 "klips_debug:pfkey_get_parse: "
1537 "extr or extr->ips pointer NULL, fatal\n");
1538 SENDERR(EINVAL);
1539 }
1540
1541 sa_len = satoa(extr->ips->ips_said, 0, sa, SATOA_BUF);
1542
1543 spin_lock_bh(&tdb_lock);
1544
1545 ipsp = ipsec_sa_getbyid(&(extr->ips->ips_said));
1546 if (ipsp == NULL) {
1547 spin_unlock_bh(&tdb_lock);
1548 KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_get_parse: "
1549 "ipsec_sa not found for SA=%s, could not get.\n",
1550 sa_len ? sa : " (error)");
1551 SENDERR(ESRCH);
1552 }
1553
1554 if(!(pfkey_safe_build(error = pfkey_msg_hdr_build(&extensions_reply[0],
1555 SADB_GET,
1556 ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_satype,
1557 0,
1558 ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_seq,
1559 ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_pid),
1560 extensions_reply)
1561 && pfkey_safe_build(error = pfkey_sa_ref_build(&extensions_reply[SADB_EXT_SA],
1562 SADB_EXT_SA,
1563 extr->ips->ips_said.spi,
1564 extr->ips->ips_replaywin,
1565 extr->ips->ips_state,
1566 extr->ips->ips_authalg,
1567 extr->ips->ips_encalg,
1568 extr->ips->ips_flags,
1569 extr->ips->ips_ref),
1570 extensions_reply)
1571 /* The 3 lifetime extentions should only be sent if non-zero. */
1572 && (ipsp->ips_life.ipl_allocations.ipl_count
1573 || ipsp->ips_life.ipl_bytes.ipl_count
1574 || ipsp->ips_life.ipl_addtime.ipl_count
1575 || ipsp->ips_life.ipl_usetime.ipl_count
1576 || ipsp->ips_life.ipl_packets.ipl_count
1577 ? pfkey_safe_build(error = pfkey_lifetime_build(&extensions_reply[SADB_EXT_LIFETIME_CURRENT],
1578 SADB_EXT_LIFETIME_CURRENT,
1579 ipsp->ips_life.ipl_allocations.ipl_count,
1580 ipsp->ips_life.ipl_bytes.ipl_count,
1581 ipsp->ips_life.ipl_addtime.ipl_count,
1582 ipsp->ips_life.ipl_usetime.ipl_count,
1583 ipsp->ips_life.ipl_packets.ipl_count),
1584 extensions_reply) : 1)
1585 && (ipsp->ips_life.ipl_allocations.ipl_hard
1586 || ipsp->ips_life.ipl_bytes.ipl_hard
1587 || ipsp->ips_life.ipl_addtime.ipl_hard
1588 || ipsp->ips_life.ipl_usetime.ipl_hard
1589 || ipsp->ips_life.ipl_packets.ipl_hard
1590 ? pfkey_safe_build(error = pfkey_lifetime_build(&extensions_reply[SADB_EXT_LIFETIME_HARD],
1591 SADB_EXT_LIFETIME_HARD,
1592 ipsp->ips_life.ipl_allocations.ipl_hard,
1593 ipsp->ips_life.ipl_bytes.ipl_hard,
1594 ipsp->ips_life.ipl_addtime.ipl_hard,
1595 ipsp->ips_life.ipl_usetime.ipl_hard,
1596 ipsp->ips_life.ipl_packets.ipl_hard),
1597 extensions_reply) : 1)
1598 && (ipsp->ips_life.ipl_allocations.ipl_soft
1599 || ipsp->ips_life.ipl_bytes.ipl_soft
1600 || ipsp->ips_life.ipl_addtime.ipl_soft
1601 || ipsp->ips_life.ipl_usetime.ipl_soft
1602 || ipsp->ips_life.ipl_packets.ipl_soft
1603 ? pfkey_safe_build(error = pfkey_lifetime_build(&extensions_reply[SADB_EXT_LIFETIME_SOFT],
1604 SADB_EXT_LIFETIME_SOFT,
1605 ipsp->ips_life.ipl_allocations.ipl_soft,
1606 ipsp->ips_life.ipl_bytes.ipl_soft,
1607 ipsp->ips_life.ipl_addtime.ipl_soft,
1608 ipsp->ips_life.ipl_usetime.ipl_soft,
1609 ipsp->ips_life.ipl_packets.ipl_soft),
1610 extensions_reply) : 1)
1611 && pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_EXT_ADDRESS_SRC],
1612 SADB_EXT_ADDRESS_SRC,
1613 0, /*extr->ips->ips_said.proto,*/
1614 0,
1615 extr->ips->ips_addr_s),
1616 extensions_reply)
1617 && pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_EXT_ADDRESS_DST],
1618 SADB_EXT_ADDRESS_DST,
1619 0, /*extr->ips->ips_said.proto,*/
1620 0,
1621 extr->ips->ips_addr_d),
1622 extensions_reply)
1623 && (extr->ips->ips_addr_p
1624 ? pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_EXT_ADDRESS_PROXY],
1625 SADB_EXT_ADDRESS_PROXY,
1626 0, /*extr->ips->ips_said.proto,*/
1627 0,
1628 extr->ips->ips_addr_p),
1629 extensions_reply) : 1)
1630 #if 0
1631 /* FIXME: This won't work yet because the keys are not
1632 stored directly in the ipsec_sa. They are stored as
1633 contexts. */
1634 && (extr->ips->ips_key_a_size
1635 ? pfkey_safe_build(error = pfkey_key_build(&extensions_reply[SADB_EXT_KEY_AUTH],
1636 SADB_EXT_KEY_AUTH,
1637 extr->ips->ips_key_a_size * 8,
1638 extr->ips->ips_key_a),
1639 extensions_reply) : 1)
1640 /* FIXME: This won't work yet because the keys are not
1641 stored directly in the ipsec_sa. They are stored as
1642 key schedules. */
1643 && (extr->ips->ips_key_e_size
1644 ? pfkey_safe_build(error = pfkey_key_build(&extensions_reply[SADB_EXT_KEY_ENCRYPT],
1645 SADB_EXT_KEY_ENCRYPT,
1646 extr->ips->ips_key_e_size * 8,
1647 extr->ips->ips_key_e),
1648 extensions_reply) : 1)
1649 #endif
1650 && (extr->ips->ips_ident_s.data
1651 ? pfkey_safe_build(error = pfkey_ident_build(&extensions_reply[SADB_EXT_IDENTITY_SRC],
1652 SADB_EXT_IDENTITY_SRC,
1653 extr->ips->ips_ident_s.type,
1654 extr->ips->ips_ident_s.id,
1655 extr->ips->ips_ident_s.len,
1656 extr->ips->ips_ident_s.data),
1657 extensions_reply) : 1)
1658 && (extr->ips->ips_ident_d.data
1659 ? pfkey_safe_build(error = pfkey_ident_build(&extensions_reply[SADB_EXT_IDENTITY_DST],
1660 SADB_EXT_IDENTITY_DST,
1661 extr->ips->ips_ident_d.type,
1662 extr->ips->ips_ident_d.id,
1663 extr->ips->ips_ident_d.len,
1664 extr->ips->ips_ident_d.data),
1665 extensions_reply) : 1)
1666 #if 0
1667 /* FIXME: This won't work yet because I have not finished
1668 it. */
1669 && (extr->ips->ips_sens_
1670 ? pfkey_safe_build(error = pfkey_sens_build(&extensions_reply[SADB_EXT_SENSITIVITY],
1671 extr->ips->ips_sens_dpd,
1672 extr->ips->ips_sens_sens_level,
1673 extr->ips->ips_sens_sens_len,
1674 extr->ips->ips_sens_sens_bitmap,
1675 extr->ips->ips_sens_integ_level,
1676 extr->ips->ips_sens_integ_len,
1677 extr->ips->ips_sens_integ_bitmap),
1678 extensions_reply) : 1)
1679 #endif
1680 )) {
1681 KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_get_parse: "
1682 "failed to build the get reply message extensions\n");
1683 ipsec_sa_put(ipsp);
1684 spin_unlock_bh(&tdb_lock);
1685 SENDERR(-error);
1686 }
1687
1688 ipsec_sa_put(ipsp);
1689 spin_unlock_bh(&tdb_lock);
1690
1691 if((error = pfkey_msg_build(&pfkey_reply, extensions_reply, EXT_BITS_OUT))) {
1692 KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_get_parse: "
1693 "failed to build the get reply message\n");
1694 SENDERR(-error);
1695 }
1696
1697 if((error = pfkey_upmsg(sk->socket, pfkey_reply))) {
1698 KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_get_parse: "
1699 "failed to send the get reply message\n");
1700 SENDERR(-error);
1701 }
1702
1703 KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_get_parse: "
1704 "succeeded in sending get reply message.\n");
1705
1706 errlab:
1707 if (pfkey_reply) {
1708 pfkey_msg_free(&pfkey_reply);
1709 }
1710 pfkey_extensions_free(extensions_reply);
1711 return error;
1712 }
1713
1714 DEBUG_NO_STATIC int
1715 pfkey_acquire_parse(struct sock *sk, struct sadb_ext **extensions, struct pfkey_extracted_data* extr)
1716 {
1717 int error = 0;
1718 struct socket_list *pfkey_socketsp;
1719 uint8_t satype = ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_satype;
1720
1721 KLIPS_PRINT(debug_pfkey,
1722 "klips_debug:pfkey_acquire_parse: .\n");
1723
1724 /* XXX I don't know if we want an upper bound, since userspace may
1725 want to register itself for an satype > SADB_SATYPE_MAX. */
1726 if((satype == 0) || (satype > SADB_SATYPE_MAX)) {
1727 KLIPS_PRINT(debug_pfkey,
1728 "klips_debug:pfkey_acquire_parse: "
1729 "SATYPE=%d invalid.\n",
1730 satype);
1731 SENDERR(EINVAL);
1732 }
1733
1734 if(!(pfkey_registered_sockets[satype])) {
1735 KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_acquire_parse: "
1736 "no sockets registered for SAtype=%d(%s).\n",
1737 satype,
1738 satype2name(satype));
1739 SENDERR(EPROTONOSUPPORT);
1740 }
1741
1742 for(pfkey_socketsp = pfkey_registered_sockets[satype];
1743 pfkey_socketsp;
1744 pfkey_socketsp = pfkey_socketsp->next) {
1745 if((error = pfkey_upmsg(pfkey_socketsp->socketp,
1746 ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])))) {
1747 KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_acquire_parse: "
1748 "sending up acquire reply message for satype=%d(%s) to socket=0p%p failed with error=%d.\n",
1749 satype,
1750 satype2name(satype),
1751 pfkey_socketsp->socketp,
1752 error);
1753 SENDERR(-error);
1754 }
1755 KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_acquire_parse: "
1756 "sending up acquire reply message for satype=%d(%s) to socket=0p%p succeeded.\n",
1757 satype,
1758 satype2name(satype),
1759 pfkey_socketsp->socketp);
1760 }
1761
1762 errlab:
1763 return error;
1764 }
1765
1766 DEBUG_NO_STATIC int
1767 pfkey_register_parse(struct sock *sk, struct sadb_ext **extensions, struct pfkey_extracted_data* extr)
1768 {
1769 int error = 0;
1770 uint8_t satype = ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_satype;
1771
1772 KLIPS_PRINT(debug_pfkey,
1773 "klips_debug:pfkey_register_parse: .\n");
1774
1775 /* XXX I don't know if we want an upper bound, since userspace may
1776 want to register itself for an satype > SADB_SATYPE_MAX. */
1777 if((satype == 0) || (satype > SADB_SATYPE_MAX)) {
1778 KLIPS_PRINT(debug_pfkey,
1779 "klips_debug:pfkey_register_parse: "
1780 "SATYPE=%d invalid.\n",
1781 satype);
1782 SENDERR(EINVAL);
1783 }
1784
1785 if(!pfkey_list_insert_socket(sk->socket,
1786 &(pfkey_registered_sockets[satype]))) {
1787 KLIPS_PRINT(debug_pfkey,
1788 "klips_debug:pfkey_register_parse: "
1789 "SATYPE=%02d(%s) successfully registered by KMd (pid=%d).\n",
1790 satype,
1791 satype2name(satype),
1792 key_pid(sk));
1793 };
1794
1795 /* send up register msg with supported SATYPE algos */
1796
1797 error=pfkey_register_reply(satype, (struct sadb_msg*)extensions[SADB_EXT_RESERVED]);
1798 errlab:
1799 return error;
1800 }
1801 int
1802 pfkey_register_reply(int satype, struct sadb_msg *sadb_msg)
1803 {
1804 struct sadb_ext *extensions_reply[SADB_EXT_MAX+1];
1805 struct sadb_msg *pfkey_reply = NULL;
1806 struct socket_list *pfkey_socketsp;
1807 struct supported_list *pfkey_supported_listp;
1808 unsigned int alg_num_a = 0, alg_num_e = 0;
1809 struct sadb_alg *alg_a = NULL, *alg_e = NULL, *alg_ap = NULL, *alg_ep = NULL;
1810 int error = 0;
1811
1812 pfkey_extensions_init(extensions_reply);
1813
1814 if((satype == 0) || (satype > SADB_SATYPE_MAX)) {
1815 KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_register_reply: "
1816 "SAtype=%d unspecified or unknown.\n",
1817 satype);
1818 SENDERR(EINVAL);
1819 }
1820 if(!(pfkey_registered_sockets[satype])) {
1821 KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_register_reply: "
1822 "no sockets registered for SAtype=%d(%s).\n",
1823 satype,
1824 satype2name(satype));
1825 SENDERR(EPROTONOSUPPORT);
1826 }
1827 /* send up register msg with supported SATYPE algos */
1828 pfkey_supported_listp = pfkey_supported_list[satype];
1829 KLIPS_PRINT(debug_pfkey,
1830 "klips_debug:pfkey_register_reply: "
1831 "pfkey_supported_list[%d]=0p%p\n",
1832 satype,
1833 pfkey_supported_list[satype]);
1834 while(pfkey_supported_listp) {
1835 KLIPS_PRINT(debug_pfkey,
1836 "klips_debug:pfkey_register_reply: "
1837 "checking supported=0p%p\n",
1838 pfkey_supported_listp);
1839 if(pfkey_supported_listp->supportedp->supported_alg_exttype == SADB_EXT_SUPPORTED_AUTH) {
1840 KLIPS_PRINT(debug_pfkey,
1841 "klips_debug:pfkey_register_reply: "
1842 "adding auth alg.\n");
1843 alg_num_a++;
1844 }
1845 if(pfkey_supported_listp->supportedp->supported_alg_exttype == SADB_EXT_SUPPORTED_ENCRYPT) {
1846 KLIPS_PRINT(debug_pfkey,
1847 "klips_debug:pfkey_register_reply: "
1848 "adding encrypt alg.\n");
1849 alg_num_e++;
1850 }
1851 pfkey_supported_listp = pfkey_supported_listp->next;
1852 }
1853
1854 if(alg_num_a) {
1855 KLIPS_PRINT(debug_pfkey,
1856 "klips_debug:pfkey_register_reply: "
1857 "allocating %lu bytes for auth algs.\n",
1858 (unsigned long) (alg_num_a * sizeof(struct sadb_alg)));
1859 if((alg_a = kmalloc(alg_num_a * sizeof(struct sadb_alg), GFP_ATOMIC) ) == NULL) {
1860 KLIPS_PRINT(debug_pfkey,
1861 "klips_debug:pfkey_register_reply: "
1862 "auth alg memory allocation error\n");
1863 SENDERR(ENOMEM);
1864 }
1865 alg_ap = alg_a;
1866 }
1867
1868 if(alg_num_e) {
1869 KLIPS_PRINT(debug_pfkey,
1870 "klips_debug:pfkey_register_reply: "
1871 "allocating %lu bytes for enc algs.\n",
1872 (unsigned long) (alg_num_e * sizeof(struct sadb_alg)));
1873 if((alg_e = kmalloc(alg_num_e * sizeof(struct sadb_alg), GFP_ATOMIC) ) == NULL) {
1874 KLIPS_PRINT(debug_pfkey,
1875 "klips_debug:pfkey_register_reply: "
1876 "enc alg memory allocation error\n");
1877 SENDERR(ENOMEM);
1878 }
1879 alg_ep = alg_e;
1880 }
1881
1882 pfkey_supported_listp = pfkey_supported_list[satype];
1883 while(pfkey_supported_listp) {
1884 if(alg_num_a) {
1885 if(pfkey_supported_listp->supportedp->supported_alg_exttype == SADB_EXT_SUPPORTED_AUTH) {
1886 alg_ap->sadb_alg_id = pfkey_supported_listp->supportedp->supported_alg_id;
1887 alg_ap->sadb_alg_ivlen = pfkey_supported_listp->supportedp->supported_alg_ivlen;
1888 alg_ap->sadb_alg_minbits = pfkey_supported_listp->supportedp->supported_alg_minbits;
1889 alg_ap->sadb_alg_maxbits = pfkey_supported_listp->supportedp->supported_alg_maxbits;
1890 alg_ap->sadb_alg_reserved = 0;
1891 KLIPS_PRINT(debug_pfkey && sysctl_ipsec_debug_verbose,
1892 "klips_debug:pfkey_register_reply: "
1893 "adding auth=0p%p\n",
1894 alg_ap);
1895 alg_ap++;
1896 }
1897 }
1898 if(alg_num_e) {
1899 if(pfkey_supported_listp->supportedp->supported_alg_exttype == SADB_EXT_SUPPORTED_ENCRYPT) {
1900 alg_ep->sadb_alg_id = pfkey_supported_listp->supportedp->supported_alg_id;
1901 alg_ep->sadb_alg_ivlen = pfkey_supported_listp->supportedp->supported_alg_ivlen;
1902 alg_ep->sadb_alg_minbits = pfkey_supported_listp->supportedp->supported_alg_minbits;
1903 alg_ep->sadb_alg_maxbits = pfkey_supported_listp->supportedp->supported_alg_maxbits;
1904 alg_ep->sadb_alg_reserved = 0;
1905 KLIPS_PRINT(debug_pfkey && sysctl_ipsec_debug_verbose,
1906 "klips_debug:pfkey_register_reply: "
1907 "adding encrypt=0p%p\n",
1908 alg_ep);
1909 alg_ep++;
1910 }
1911 }
1912 KLIPS_PRINT(debug_pfkey,
1913 "klips_debug:pfkey_register_reply: "
1914 "found satype=%d(%s) exttype=%d id=%d ivlen=%d minbits=%d maxbits=%d.\n",
1915 satype,
1916 satype2name(satype),
1917 pfkey_supported_listp->supportedp->supported_alg_exttype,
1918 pfkey_supported_listp->supportedp->supported_alg_id,
1919 pfkey_supported_listp->supportedp->supported_alg_ivlen,
1920 pfkey_supported_listp->supportedp->supported_alg_minbits,
1921 pfkey_supported_listp->supportedp->supported_alg_maxbits);
1922 pfkey_supported_listp = pfkey_supported_listp->next;
1923 }
1924 if(!(pfkey_safe_build(error = pfkey_msg_hdr_build(&extensions_reply[0],
1925 SADB_REGISTER,
1926 satype,
1927 0,
1928 sadb_msg? sadb_msg->sadb_msg_seq : ++pfkey_msg_seq,
1929 sadb_msg? sadb_msg->sadb_msg_pid: current->pid),
1930 extensions_reply) &&
1931 (alg_num_a ? pfkey_safe_build(error = pfkey_supported_build(&extensions_reply[SADB_EXT_SUPPORTED_AUTH],
1932 SADB_EXT_SUPPORTED_AUTH,
1933 alg_num_a,
1934 alg_a),
1935 extensions_reply) : 1) &&
1936 (alg_num_e ? pfkey_safe_build(error = pfkey_supported_build(&extensions_reply[SADB_EXT_SUPPORTED_ENCRYPT],
1937 SADB_EXT_SUPPORTED_ENCRYPT,
1938 alg_num_e,
1939 alg_e),
1940 extensions_reply) : 1))) {
1941 KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_register_reply: "
1942 "failed to build the register message extensions_reply\n");
1943 SENDERR(-error);
1944 }
1945
1946 if((error = pfkey_msg_build(&pfkey_reply, extensions_reply, EXT_BITS_OUT))) {
1947 KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_register_reply: "
1948 "failed to build the register message\n");
1949 SENDERR(-error);
1950 }
1951 /* this should go to all registered sockets for that satype only */
1952 for(pfkey_socketsp = pfkey_registered_sockets[satype];
1953 pfkey_socketsp;
1954 pfkey_socketsp = pfkey_socketsp->next) {
1955 if((error = pfkey_upmsg(pfkey_socketsp->socketp, pfkey_reply))) {
1956 KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_register_reply: "
1957 "sending up acquire message for satype=%d(%s) to socket=0p%p failed with error=%d.\n",
1958 satype,
1959 satype2name(satype),
1960 pfkey_socketsp->socketp,
1961 error);
1962 SENDERR(-error);
1963 }
1964 KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_register_reply: "
1965 "sending up register message for satype=%d(%s) to socket=0p%p succeeded.\n",
1966 satype,
1967 satype2name(satype),
1968 pfkey_socketsp->socketp);
1969 }
1970
1971 errlab:
1972 if(alg_a) {
1973 kfree(alg_a);
1974 }
1975 if(alg_e) {
1976 kfree(alg_e);
1977 }
1978 if (pfkey_reply) {
1979 pfkey_msg_free(&pfkey_reply);
1980 }
1981 pfkey_extensions_free(extensions_reply);
1982 return error;
1983 }
1984
1985 DEBUG_NO_STATIC int
1986 pfkey_expire_parse(struct sock *sk, struct sadb_ext **extensions, struct pfkey_extracted_data* extr)
1987 {
1988 int error = 0;
1989 struct socket_list *pfkey_socketsp;
1990 #ifdef CONFIG_IPSEC_DEBUG
1991 uint8_t satype = ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_satype;
1992 #endif /* CONFIG_IPSEC_DEBUG */
1993
1994 KLIPS_PRINT(debug_pfkey,
1995 "klips_debug:pfkey_expire_parse: .\n");
1996
1997 if(pfkey_open_sockets) {
1998 for(pfkey_socketsp = pfkey_open_sockets;
1999 pfkey_socketsp;
2000 pfkey_socketsp = pfkey_socketsp->next) {
2001 if((error = pfkey_upmsg(pfkey_socketsp->socketp,
2002 ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])))) {
2003 KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_expire_parse: "
2004 "sending up expire reply message for satype=%d(%s) to socket=0p%p failed with error=%d.\n",
2005 satype,
2006 satype2name(satype),
2007 pfkey_socketsp->socketp,
2008 error);
2009 SENDERR(-error);
2010 }
2011 KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_expire_parse: "
2012 "sending up expire reply message for satype=%d(%s) to socket=0p%p succeeded.\n",
2013 satype,
2014 satype2name(satype),
2015 pfkey_socketsp->socketp);
2016 }
2017 }
2018
2019 errlab:
2020 return error;
2021 }
2022
2023 DEBUG_NO_STATIC int
2024 pfkey_flush_parse(struct sock *sk, struct sadb_ext **extensions, struct pfkey_extracted_data* extr)
2025 {
2026 int error = 0;
2027 struct socket_list *pfkey_socketsp;
2028 uint8_t satype = ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_satype;
2029 uint8_t proto = 0;
2030
2031 KLIPS_PRINT(debug_pfkey,
2032 "klips_debug:pfkey_flush_parse: "
2033 "flushing type %d SAs\n",
2034 satype);
2035
2036 if(satype && !(proto = satype2proto(satype))) {
2037 KLIPS_PRINT(debug_pfkey,
2038 "klips_debug:pfkey_flush_parse: "
2039 "satype %d lookup failed.\n",
2040 ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_satype);
2041 SENDERR(EINVAL);
2042 }
2043
2044 if ((error = ipsec_sadb_cleanup(proto))) {
2045 SENDERR(-error);
2046 }
2047
2048 if(pfkey_open_sockets) {
2049 for(pfkey_socketsp = pfkey_open_sockets;
2050 pfkey_socketsp;
2051 pfkey_socketsp = pfkey_socketsp->next) {
2052 if((error = pfkey_upmsg(pfkey_socketsp->socketp,
2053 ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])))) {
2054 KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_flush_parse: "
2055 "sending up flush reply message for satype=%d(%s) (proto=%d) to socket=0p%p failed with error=%d.\n",
2056 satype,
2057 satype2name(satype),
2058 proto,
2059 pfkey_socketsp->socketp,
2060 error);
2061 SENDERR(-error);
2062 }
2063 KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_flush_parse: "
2064 "sending up flush reply message for satype=%d(%s) to socket=0p%p succeeded.\n",
2065 satype,
2066 satype2name(satype),
2067 pfkey_socketsp->socketp);
2068 }
2069 }
2070
2071 errlab:
2072 return error;
2073 }
2074
2075 DEBUG_NO_STATIC int
2076 pfkey_dump_parse(struct sock *sk, struct sadb_ext **extensions, struct pfkey_extracted_data* extr)
2077 {
2078 int error = 0;
2079
2080 KLIPS_PRINT(debug_pfkey,
2081 "klips_debug:pfkey_dump_parse: .\n");
2082
2083 SENDERR(ENOSYS);
2084 errlab:
2085 return error;
2086 }
2087
2088 DEBUG_NO_STATIC int
2089 pfkey_x_promisc_parse(struct sock *sk, struct sadb_ext **extensions, struct pfkey_extracted_data* extr)
2090 {
2091 int error = 0;
2092
2093 KLIPS_PRINT(debug_pfkey,
2094 "klips_debug:pfkey_promisc_parse: .\n");
2095
2096 SENDERR(ENOSYS);
2097 errlab:
2098 return error;
2099 }
2100
2101 DEBUG_NO_STATIC int
2102 pfkey_x_pchange_parse(struct sock *sk, struct sadb_ext **extensions, struct pfkey_extracted_data* extr)
2103 {
2104 int error = 0;
2105
2106 KLIPS_PRINT(debug_pfkey,
2107 "klips_debug:pfkey_x_pchange_parse: .\n");
2108
2109 SENDERR(ENOSYS);
2110 errlab:
2111 return error;
2112 }
2113
2114 DEBUG_NO_STATIC int
2115 pfkey_x_grpsa_parse(struct sock *sk, struct sadb_ext **extensions, struct pfkey_extracted_data* extr)
2116 {
2117 struct ipsec_sa *ips1p, *ips2p, *ipsp;
2118 struct sadb_ext *extensions_reply[SADB_EXT_MAX+1];
2119 struct sadb_msg *pfkey_reply = NULL;
2120 struct socket_list *pfkey_socketsp;
2121 uint8_t satype = ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_satype;
2122 char sa1[SATOA_BUF], sa2[SATOA_BUF];
2123 size_t sa_len1, sa_len2 = 0;
2124 int error = 0;
2125
2126 KLIPS_PRINT(debug_pfkey,
2127 "klips_debug:pfkey_x_grpsa_parse: .\n");
2128
2129 pfkey_extensions_init(extensions_reply);
2130
2131 if(extr == NULL || extr->ips == NULL) {
2132 KLIPS_PRINT(debug_pfkey,
2133 "klips_debug:pfkey_x_grpsa_parse: "
2134 "extr or extr->ips is NULL, fatal.\n");
2135 SENDERR(EINVAL);
2136 }
2137
2138 sa_len1 = satoa(extr->ips->ips_said, 0, sa1, SATOA_BUF);
2139 if(extr->ips2 != NULL) {
2140 sa_len2 = satoa(extr->ips2->ips_said, 0, sa2, SATOA_BUF);
2141 }
2142
2143 spin_lock_bh(&tdb_lock);
2144
2145 ips1p = ipsec_sa_getbyid(&(extr->ips->ips_said));
2146 if(ips1p == NULL) {
2147 spin_unlock_bh(&tdb_lock);
2148 KLIPS_PRINT(debug_pfkey,
2149 "klips_debug:pfkey_x_grpsa_parse: "
2150 "reserved ipsec_sa for SA1: %s not found. Call SADB_ADD/UPDATE first.\n",
2151 sa_len1 ? sa1 : " (error)");
2152 SENDERR(ENOENT);
2153 }
2154 if(extr->ips2) { /* GRPSA */
2155 ips2p = ipsec_sa_getbyid(&(extr->ips2->ips_said));
2156 if(ips2p == NULL) {
2157 ipsec_sa_put(ips1p);
2158 spin_unlock_bh(&tdb_lock);
2159 KLIPS_PRINT(debug_pfkey,
2160 "klips_debug:pfkey_x_grpsa_parse: "
2161 "reserved ipsec_sa for SA2: %s not found. Call SADB_ADD/UPDATE first.\n",
2162 sa_len2 ? sa2 : " (error)");
2163 SENDERR(ENOENT);
2164 }
2165
2166 /* Is either one already linked? */
2167 if(ips1p->ips_onext) {
2168 ipsec_sa_put(ips1p);
2169 ipsec_sa_put(ips2p);
2170 spin_unlock_bh(&tdb_lock);
2171 KLIPS_PRINT(debug_pfkey,
2172 "klips_debug:pfkey_x_grpsa_parse: "
2173 "ipsec_sa for SA: %s is already linked.\n",
2174 sa_len1 ? sa1 : " (error)");
2175 SENDERR(EEXIST);
2176 }
2177 if(ips2p->ips_inext) {
2178 ipsec_sa_put(ips1p);
2179 ipsec_sa_put(ips2p);
2180 spin_unlock_bh(&tdb_lock);
2181 KLIPS_PRINT(debug_pfkey,
2182 "klips_debug:pfkey_x_grpsa_parse: "
2183 "ipsec_sa for SA: %s is already linked.\n",
2184 sa_len2 ? sa2 : " (error)");
2185 SENDERR(EEXIST);
2186 }
2187
2188 /* Is extr->ips already linked to extr->ips2? */
2189 ipsp = ips2p;
2190 while(ipsp) {
2191 if(ipsp == ips1p) {
2192 ipsec_sa_put(ips1p);
2193 ipsec_sa_put(ips2p);
2194 spin_unlock_bh(&tdb_lock);
2195 KLIPS_PRINT(debug_pfkey,
2196 "klips_debug:pfkey_x_grpsa_parse: "
2197 "ipsec_sa for SA: %s is already linked to %s.\n",
2198 sa_len1 ? sa1 : " (error)",
2199 sa_len2 ? sa2 : " (error)");
2200 SENDERR(EEXIST);
2201 }
2202 ipsp = ipsp->ips_onext;
2203 }
2204
2205 /* link 'em */
2206 KLIPS_PRINT(debug_pfkey,
2207 "klips_debug:pfkey_x_grpsa_parse: "
2208 "linking ipsec_sa SA: %s with %s.\n",
2209 sa_len1 ? sa1 : " (error)",
2210 sa_len2 ? sa2 : " (error)");
2211 ips1p->ips_onext = ips2p;
2212 ips2p->ips_inext = ips1p;
2213 } else { /* UNGRPSA */
2214 ipsec_sa_put(ips1p);
2215 KLIPS_PRINT(debug_pfkey,
2216 "klips_debug:pfkey_x_grpsa_parse: "
2217 "unlinking ipsec_sa SA: %s.\n",
2218 sa_len1 ? sa1 : " (error)");
2219 while(ips1p->ips_onext) {
2220 ips1p = ips1p->ips_onext;
2221 }
2222 while(ips1p->ips_inext) {
2223 ipsp = ips1p;
2224 ips1p = ips1p->ips_inext;
2225 ipsec_sa_put(ips1p);
2226 ipsp->ips_inext = NULL;
2227 ipsec_sa_put(ipsp);
2228 ips1p->ips_onext = NULL;
2229 }
2230 }
2231
2232 spin_unlock_bh(&tdb_lock);
2233
2234 if(!(pfkey_safe_build(error = pfkey_msg_hdr_build(&extensions_reply[0],
2235 SADB_X_GRPSA,
2236 satype,
2237 0,
2238 ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_seq,
2239 ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_pid),
2240 extensions_reply)
2241 && pfkey_safe_build(error = pfkey_sa_ref_build(&extensions_reply[SADB_EXT_SA],
2242 SADB_EXT_SA,
2243 extr->ips->ips_said.spi,
2244 extr->ips->ips_replaywin,
2245 extr->ips->ips_state,
2246 extr->ips->ips_authalg,
2247 extr->ips->ips_encalg,
2248 extr->ips->ips_flags,
2249 extr->ips->ips_ref),
2250 extensions_reply)
2251 && pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_EXT_ADDRESS_DST],
2252 SADB_EXT_ADDRESS_DST,
2253 0, /*extr->ips->ips_said.proto,*/
2254 0,
2255 extr->ips->ips_addr_d),
2256 extensions_reply)
2257 && (extr->ips2
2258 ? (pfkey_safe_build(error = pfkey_x_satype_build(&extensions_reply[SADB_X_EXT_SATYPE2],
2259 ((struct sadb_x_satype*)extensions[SADB_X_EXT_SATYPE2])->sadb_x_satype_satype
2260 /* proto2satype(extr->ips2->ips_said.proto) */),
2261 extensions_reply)
2262 && pfkey_safe_build(error = pfkey_sa_ref_build(&extensions_reply[SADB_X_EXT_SA2],
2263 SADB_X_EXT_SA2,
2264 extr->ips2->ips_said.spi,
2265 extr->ips2->ips_replaywin,
2266 extr->ips2->ips_state,
2267 extr->ips2->ips_authalg,
2268 extr->ips2->ips_encalg,
2269 extr->ips2->ips_flags,
2270 extr->ips2->ips_ref),
2271 extensions_reply)
2272 && pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_X_EXT_ADDRESS_DST2],
2273 SADB_X_EXT_ADDRESS_DST2,
2274 0, /*extr->ips->ips_said.proto,*/
2275 0,
2276 extr->ips2->ips_addr_d),
2277 extensions_reply) ) : 1 )
2278 )) {
2279 KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_x_grpsa_parse: "
2280 "failed to build the x_grpsa reply message extensions\n");
2281 SENDERR(-error);
2282 }
2283
2284 if((error = pfkey_msg_build(&pfkey_reply, extensions_reply, EXT_BITS_OUT))) {
2285 KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_x_grpsa_parse: "
2286 "failed to build the x_grpsa reply message\n");
2287 SENDERR(-error);
2288 }
2289
2290 for(pfkey_socketsp = pfkey_open_sockets;
2291 pfkey_socketsp;
2292 pfkey_socketsp = pfkey_socketsp->next) {
2293 if((error = pfkey_upmsg(pfkey_socketsp->socketp, pfkey_reply))) {
2294 KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_x_grpsa_parse: "
2295 "sending up x_grpsa reply message for satype=%d(%s) to socket=0p%p failed with error=%d.\n",
2296 satype,
2297 satype2name(satype),
2298 pfkey_socketsp->socketp,
2299 error);
2300 SENDERR(-error);
2301 }
2302 KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_x_grpsa_parse: "
2303 "sending up x_grpsa reply message for satype=%d(%s) to socket=0p%p succeeded.\n",
2304 satype,
2305 satype2name(satype),
2306 pfkey_socketsp->socketp);
2307 }
2308
2309 KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_x_grpsa_parse: "
2310 "succeeded in sending x_grpsa reply message.\n");
2311
2312 errlab:
2313 if (pfkey_reply) {
2314 pfkey_msg_free(&pfkey_reply);
2315 }
2316 pfkey_extensions_free(extensions_reply);
2317 return error;
2318 }
2319
2320 DEBUG_NO_STATIC int
2321 pfkey_x_addflow_parse(struct sock *sk, struct sadb_ext **extensions, struct pfkey_extracted_data* extr)
2322 {
2323 int error = 0;
2324 #ifdef CONFIG_IPSEC_DEBUG
2325 char buf1[64], buf2[64];
2326 #endif /* CONFIG_IPSEC_DEBUG */
2327 struct sadb_ext *extensions_reply[SADB_EXT_MAX+1];
2328 struct sadb_msg *pfkey_reply = NULL;
2329 struct socket_list *pfkey_socketsp;
2330 uint8_t satype = ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_satype;
2331 ip_address srcflow, dstflow, srcmask, dstmask;
2332
2333 KLIPS_PRINT(debug_pfkey,
2334 "klips_debug:pfkey_x_addflow_parse: .\n");
2335
2336 pfkey_extensions_init(extensions_reply);
2337
2338 memset((caddr_t)&srcflow, 0, sizeof(srcflow));
2339 memset((caddr_t)&dstflow, 0, sizeof(dstflow));
2340 memset((caddr_t)&srcmask, 0, sizeof(srcmask));
2341 memset((caddr_t)&dstmask, 0, sizeof(dstmask));
2342
2343 if(!extr || !(extr->ips) || !(extr->eroute)) {
2344 KLIPS_PRINT(debug_pfkey,
2345 "klips_debug:pfkey_x_addflow_parse: "
2346 "missing extr, ipsec_sa or eroute data.\n");
2347 SENDERR(EINVAL);
2348 }
2349
2350 srcflow.u.v4.sin_family = AF_INET;
2351 dstflow.u.v4.sin_family = AF_INET;
2352 srcmask.u.v4.sin_family = AF_INET;
2353 dstmask.u.v4.sin_family = AF_INET;
2354 srcflow.u.v4.sin_addr = extr->eroute->er_eaddr.sen_ip_src;
2355 dstflow.u.v4.sin_addr = extr->eroute->er_eaddr.sen_ip_dst;
2356 srcmask.u.v4.sin_addr = extr->eroute->er_emask.sen_ip_src;
2357 dstmask.u.v4.sin_addr = extr->eroute->er_emask.sen_ip_dst;
2358
2359 #ifdef CONFIG_IPSEC_DEBUG
2360 if (debug_pfkey) {
2361 subnettoa(extr->eroute->er_eaddr.sen_ip_src,
2362 extr->eroute->er_emask.sen_ip_src, 0, buf1, sizeof(buf1));
2363 subnettoa(extr->eroute->er_eaddr.sen_ip_dst,
2364 extr->eroute->er_emask.sen_ip_dst, 0, buf2, sizeof(buf2));
2365 KLIPS_PRINT(debug_pfkey,
2366 "klips_debug:pfkey_x_addflow_parse: "
2367 "calling breakeroute and/or makeroute for %s->%s\n",
2368 buf1, buf2);
2369 }
2370 #endif /* CONFIG_IPSEC_DEBUG */
2371 if(extr->ips->ips_flags & SADB_X_SAFLAGS_INFLOW) {
2372 /* if(ip_chk_addr((unsigned long)extr->ips->ips_said.dst.s_addr) == IS_MYADDR) */
2373 struct ipsec_sa *ipsp, *ipsq;
2374 char sa[SATOA_BUF];
2375 size_t sa_len;
2376
2377 ipsq = ipsec_sa_getbyid(&(extr->ips->ips_said));
2378 if(ipsq == NULL) {
2379 KLIPS_PRINT(debug_pfkey,
2380 "klips_debug:pfkey_x_addflow_parse: "
2381 "ipsec_sa not found, cannot set incoming policy.\n");
2382 SENDERR(ENOENT);
2383 }
2384
2385 ipsp = ipsq;
2386 while(ipsp && ipsp->ips_said.proto != IPPROTO_IPIP) {
2387 ipsp = ipsp->ips_inext;
2388 }
2389
2390 if(ipsp == NULL) {
2391 ipsec_sa_put(ipsq);
2392 KLIPS_PRINT(debug_pfkey,
2393 "klips_debug:pfkey_x_addflow_parse: "
2394 "SA chain does not have an IPIP SA, cannot set incoming policy.\n");
2395 SENDERR(ENOENT);
2396 }
2397
2398 sa_len = satoa(extr->ips->ips_said, 0, sa, SATOA_BUF);
2399
2400 ipsp->ips_flags |= SADB_X_SAFLAGS_INFLOW;
2401 ipsp->ips_flow_s = srcflow;
2402 ipsp->ips_flow_d = dstflow;
2403 ipsp->ips_mask_s = srcmask;
2404 ipsp->ips_mask_d = dstmask;
2405
2406 ipsec_sa_put(ipsq);
2407
2408 KLIPS_PRINT(debug_pfkey,
2409 "klips_debug:pfkey_x_addflow_parse: "
2410 "inbound eroute, setting incoming policy information in IPIP ipsec_sa for SA: %s.\n",
2411 sa_len ? sa : " (error)");
2412 } else {
2413 struct sk_buff *first = NULL, *last = NULL;
2414
2415 if(extr->ips->ips_flags & SADB_X_SAFLAGS_REPLACEFLOW) {
2416 KLIPS_PRINT(debug_pfkey,
2417 "klips_debug:pfkey_x_addflow_parse: "
2418 "REPLACEFLOW flag set, calling breakeroute.\n");
2419 if ((error = ipsec_breakroute(&(extr->eroute->er_eaddr),
2420 &(extr->eroute->er_emask),
2421 &first, &last))) {
2422 KLIPS_PRINT(debug_pfkey,
2423 "klips_debug:pfkey_x_addflow_parse: "
2424 "breakeroute returned %d. first=0p%p, last=0p%p\n",
2425 error,
2426 first,
2427 last);
2428 if(first != NULL) {
2429 ipsec_kfree_skb(first);
2430 }
2431 if(last != NULL) {
2432 ipsec_kfree_skb(last);
2433 }
2434 SENDERR(-error);
2435 }
2436 }
2437
2438 KLIPS_PRINT(debug_pfkey,
2439 "klips_debug:pfkey_x_addflow_parse: "
2440 "calling makeroute.\n");
2441
2442 if ((error = ipsec_makeroute(&(extr->eroute->er_eaddr),
2443 &(extr->eroute->er_emask),
2444 extr->ips->ips_said,
2445 ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_pid,
2446 NULL,
2447 &(extr->ips->ips_ident_s),
2448 &(extr->ips->ips_ident_d)))) {
2449 KLIPS_PRINT(debug_pfkey,
2450 "klips_debug:pfkey_x_addflow_parse: "
2451 "makeroute returned %d.\n", error);
2452 SENDERR(-error);
2453 }
2454 if(first != NULL) {
2455 KLIPS_PRINT(debug_pfkey,
2456 "klips_debug:pfkey_x_addflow_parse: "
2457 "first=0p%p HOLD packet re-injected.\n",
2458 first);
2459 DEV_QUEUE_XMIT(first, first->dev, SOPRI_NORMAL);
2460 }
2461 if(last != NULL) {
2462 KLIPS_PRINT(debug_pfkey,
2463 "klips_debug:pfkey_x_addflow_parse: "
2464 "last=0p%p HOLD packet re-injected.\n",
2465 last);
2466 DEV_QUEUE_XMIT(last, last->dev, SOPRI_NORMAL);
2467 }
2468 }
2469
2470 KLIPS_PRINT(debug_pfkey,
2471 "klips_debug:pfkey_x_addflow_parse: "
2472 "makeroute call successful.\n");
2473
2474 if(!(pfkey_safe_build(error = pfkey_msg_hdr_build(&extensions_reply[0],
2475 SADB_X_ADDFLOW,
2476 satype,
2477 0,
2478 ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_seq,
2479 ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_pid),
2480 extensions_reply)
2481 && pfkey_safe_build(error = pfkey_sa_ref_build(&extensions_reply[SADB_EXT_SA],
2482 SADB_EXT_SA,
2483 extr->ips->ips_said.spi,
2484 extr->ips->ips_replaywin,
2485 extr->ips->ips_state,
2486 extr->ips->ips_authalg,
2487 extr->ips->ips_encalg,
2488 extr->ips->ips_flags,
2489 extr->ips->ips_ref),
2490 extensions_reply)
2491 && (extensions[SADB_EXT_ADDRESS_SRC]
2492 ? pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_EXT_ADDRESS_SRC],
2493 SADB_EXT_ADDRESS_SRC,
2494 0, /*extr->ips->ips_said.proto,*/
2495 0,
2496 extr->ips->ips_addr_s),
2497 extensions_reply) : 1)
2498 && (extensions[SADB_EXT_ADDRESS_DST]
2499 ? pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_EXT_ADDRESS_DST],
2500 SADB_EXT_ADDRESS_DST,
2501 0, /*extr->ips->ips_said.proto,*/
2502 0,
2503 extr->ips->ips_addr_d),
2504 extensions_reply) : 1)
2505 && pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_X_EXT_ADDRESS_SRC_FLOW],
2506 SADB_X_EXT_ADDRESS_SRC_FLOW,
2507 0, /*extr->ips->ips_said.proto,*/
2508 0,
2509 (struct sockaddr*)&srcflow),
2510 extensions_reply)
2511 && pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_X_EXT_ADDRESS_DST_FLOW],
2512 SADB_X_EXT_ADDRESS_DST_FLOW,
2513 0, /*extr->ips->ips_said.proto,*/
2514 0,
2515 (struct sockaddr*)&dstflow),
2516 extensions_reply)
2517 && pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_X_EXT_ADDRESS_SRC_MASK],
2518 SADB_X_EXT_ADDRESS_SRC_MASK,
2519 0, /*extr->ips->ips_said.proto,*/
2520 0,
2521 (struct sockaddr*)&srcmask),
2522 extensions_reply)
2523 && pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_X_EXT_ADDRESS_DST_MASK],
2524 SADB_X_EXT_ADDRESS_DST_MASK,
2525 0, /*extr->ips->ips_said.proto,*/
2526 0,
2527 (struct sockaddr*)&dstmask),
2528 extensions_reply)
2529 )) {
2530 KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_x_addflow_parse: "
2531 "failed to build the x_addflow reply message extensions\n");
2532 SENDERR(-error);
2533 }
2534
2535 if((error = pfkey_msg_build(&pfkey_reply, extensions_reply, EXT_BITS_OUT))) {
2536 KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_x_addflow_parse: "
2537 "failed to build the x_addflow reply message\n");
2538 SENDERR(-error);
2539 }
2540
2541 for(pfkey_socketsp = pfkey_open_sockets;
2542 pfkey_socketsp;
2543 pfkey_socketsp = pfkey_socketsp->next) {
2544 if((error = pfkey_upmsg(pfkey_socketsp->socketp, pfkey_reply))) {
2545 KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_x_addflow_parse: "
2546 "sending up x_addflow reply message for satype=%d(%s) to socket=0p%p failed with error=%d.\n",
2547 satype,
2548 satype2name(satype),
2549 pfkey_socketsp->socketp,
2550 error);
2551 SENDERR(-error);
2552 }
2553 KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_x_addflow_parse: "
2554 "sending up x_addflow reply message for satype=%d(%s) (proto=%d) to socket=0p%p succeeded.\n",
2555 satype,
2556 satype2name(satype),
2557 extr->ips->ips_said.proto,
2558 pfkey_socketsp->socketp);
2559 }
2560
2561 KLIPS_PRINT(debug_pfkey,
2562 "klips_debug:pfkey_x_addflow_parse: "
2563 "extr->ips cleaned up and freed.\n");
2564
2565 errlab:
2566 if (pfkey_reply) {
2567 pfkey_msg_free(&pfkey_reply);
2568 }
2569 pfkey_extensions_free(extensions_reply);
2570 return error;
2571 }
2572
2573 DEBUG_NO_STATIC int
2574 pfkey_x_delflow_parse(struct sock *sk, struct sadb_ext **extensions, struct pfkey_extracted_data* extr)
2575 {
2576 int error = 0;
2577 #ifdef CONFIG_IPSEC_DEBUG
2578 char buf1[64], buf2[64];
2579 #endif /* CONFIG_IPSEC_DEBUG */
2580 struct sadb_ext *extensions_reply[SADB_EXT_MAX+1];
2581 struct sadb_msg *pfkey_reply = NULL;
2582 struct socket_list *pfkey_socketsp;
2583 uint8_t satype = ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_satype;
2584 ip_address srcflow, dstflow, srcmask, dstmask;
2585
2586 KLIPS_PRINT(debug_pfkey,
2587 "klips_debug:pfkey_x_delflow_parse: .\n");
2588
2589 pfkey_extensions_init(extensions_reply);
2590
2591 memset((caddr_t)&srcflow, 0, sizeof(srcflow));
2592 memset((caddr_t)&dstflow, 0, sizeof(dstflow));
2593 memset((caddr_t)&srcmask, 0, sizeof(srcmask));
2594 memset((caddr_t)&dstmask, 0, sizeof(dstmask));
2595
2596 if(!extr || !(extr->ips)) {
2597 KLIPS_PRINT(debug_pfkey,
2598 "klips_debug:pfkey_x_delflow_parse: "
2599 "extr, or extr->ips is NULL, fatal\n");
2600 SENDERR(EINVAL);
2601 }
2602
2603 if(extr->ips->ips_flags & SADB_X_SAFLAGS_CLEARFLOW) {
2604 KLIPS_PRINT(debug_pfkey,
2605 "klips_debug:pfkey_x_delflow_parse: "
2606 "CLEARFLOW flag set, calling cleareroutes.\n");
2607 if ((error = ipsec_cleareroutes()))
2608 KLIPS_PRINT(debug_pfkey,
2609 "klips_debug:pfkey_x_delflow_parse: "
2610 "cleareroutes returned %d.\n", error);
2611 SENDERR(-error);
2612 } else {
2613 struct sk_buff *first = NULL, *last = NULL;
2614
2615 if(!(extr->eroute)) {
2616 KLIPS_PRINT(debug_pfkey,
2617 "klips_debug:pfkey_x_delflow_parse: "
2618 "extr->eroute is NULL, fatal.\n");
2619 SENDERR(EINVAL);
2620 }
2621
2622 srcflow.u.v4.sin_family = AF_INET;
2623 dstflow.u.v4.sin_family = AF_INET;
2624 srcmask.u.v4.sin_family = AF_INET;
2625 dstmask.u.v4.sin_family = AF_INET;
2626 srcflow.u.v4.sin_addr = extr->eroute->er_eaddr.sen_ip_src;
2627 dstflow.u.v4.sin_addr = extr->eroute->er_eaddr.sen_ip_dst;
2628 srcmask.u.v4.sin_addr = extr->eroute->er_emask.sen_ip_src;
2629 dstmask.u.v4.sin_addr = extr->eroute->er_emask.sen_ip_dst;
2630
2631 #ifdef CONFIG_IPSEC_DEBUG
2632 if (debug_pfkey) {
2633 subnettoa(extr->eroute->er_eaddr.sen_ip_src,
2634 extr->eroute->er_emask.sen_ip_src, 0, buf1, sizeof(buf1));
2635 subnettoa(extr->eroute->er_eaddr.sen_ip_dst,
2636 extr->eroute->er_emask.sen_ip_dst, 0, buf2, sizeof(buf2));
2637 KLIPS_PRINT(debug_pfkey,
2638 "klips_debug:pfkey_x_delflow_parse: "
2639 "calling breakeroute for %s->%s\n",
2640 buf1, buf2);
2641 }
2642 #endif /* CONFIG_IPSEC_DEBUG */
2643 error = ipsec_breakroute(&(extr->eroute->er_eaddr),
2644 &(extr->eroute->er_emask),
2645 &first, &last);
2646 if(error) {
2647 KLIPS_PRINT(debug_pfkey,
2648 "klips_debug:pfkey_x_delflow_parse: "
2649 "breakeroute returned %d. first=0p%p, last=0p%p\n",
2650 error,
2651 first,
2652 last);
2653 }
2654 if(first != NULL) {
2655 ipsec_kfree_skb(first);
2656 }
2657 if(last != NULL) {
2658 ipsec_kfree_skb(last);
2659 }
2660 if(error) {
2661 SENDERR(-error);
2662 }
2663 }
2664
2665 if(!(pfkey_safe_build(error = pfkey_msg_hdr_build(&extensions_reply[0],
2666 SADB_X_DELFLOW,
2667 satype,
2668 0,
2669 ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_seq,
2670 ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_pid),
2671 extensions_reply)
2672 && pfkey_safe_build(error = pfkey_sa_ref_build(&extensions_reply[SADB_EXT_SA],
2673 SADB_EXT_SA,
2674 extr->ips->ips_said.spi,
2675 extr->ips->ips_replaywin,
2676 extr->ips->ips_state,
2677 extr->ips->ips_authalg,
2678 extr->ips->ips_encalg,
2679 extr->ips->ips_flags,
2680 extr->ips->ips_ref),
2681 extensions_reply)
2682 && pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_X_EXT_ADDRESS_SRC_FLOW],
2683 SADB_X_EXT_ADDRESS_SRC_FLOW,
2684 0, /*extr->ips->ips_said.proto,*/
2685 0,
2686 (struct sockaddr*)&srcflow),
2687 extensions_reply)
2688 && pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_X_EXT_ADDRESS_DST_FLOW],
2689 SADB_X_EXT_ADDRESS_DST_FLOW,
2690 0, /*extr->ips->ips_said.proto,*/
2691 0,
2692 (struct sockaddr*)&dstflow),
2693 extensions_reply)
2694 && pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_X_EXT_ADDRESS_SRC_MASK],
2695 SADB_X_EXT_ADDRESS_SRC_MASK,
2696 0, /*extr->ips->ips_said.proto,*/
2697 0,
2698 (struct sockaddr*)&srcmask),
2699 extensions_reply)
2700 && pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_X_EXT_ADDRESS_DST_MASK],
2701 SADB_X_EXT_ADDRESS_DST_MASK,
2702 0, /*extr->ips->ips_said.proto,*/
2703 0,
2704 (struct sockaddr*)&dstmask),
2705 extensions_reply)
2706 )) {
2707 KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_x_delflow_parse: "
2708 "failed to build the x_delflow reply message extensions\n");
2709 SENDERR(-error);
2710 }
2711
2712 if((error = pfkey_msg_build(&pfkey_reply, extensions_reply, EXT_BITS_OUT))) {
2713 KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_x_delflow_parse: "
2714 "failed to build the x_delflow reply message\n");
2715 SENDERR(-error);
2716 }
2717
2718 for(pfkey_socketsp = pfkey_open_sockets;
2719 pfkey_socketsp;
2720 pfkey_socketsp = pfkey_socketsp->next) {
2721 if((error = pfkey_upmsg(pfkey_socketsp->socketp, pfkey_reply))) {
2722 KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_x_delflow_parse: "
2723 "sending up x_delflow reply message for satype=%d(%s) to socket=0p%p failed with error=%d.\n",
2724 satype,
2725 satype2name(satype),
2726 pfkey_socketsp->socketp,
2727 error);
2728 SENDERR(-error);
2729 }
2730 KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_x_delflow_parse: "
2731 "sending up x_delflow reply message for satype=%d(%s) to socket=0p%p succeeded.\n",
2732 satype,
2733 satype2name(satype),
2734 pfkey_socketsp->socketp);
2735 }
2736
2737 KLIPS_PRINT(debug_pfkey,
2738 "klips_debug:pfkey_x_delflow_parse: "
2739 "extr->ips cleaned up and freed.\n");
2740
2741 errlab:
2742 if (pfkey_reply) {
2743 pfkey_msg_free(&pfkey_reply);
2744 }
2745 pfkey_extensions_free(extensions_reply);
2746 return error;
2747 }
2748
2749 DEBUG_NO_STATIC int
2750 pfkey_x_msg_debug_parse(struct sock *sk, struct sadb_ext **extensions, struct pfkey_extracted_data* extr)
2751 {
2752 int error = 0;
2753
2754 KLIPS_PRINT(debug_pfkey,
2755 "klips_debug:pfkey_x_msg_debug_parse: .\n");
2756
2757 /* errlab:*/
2758 return error;
2759 }
2760
2761 /* pfkey_expire expects the ipsec_sa table to be locked before being called. */
2762 int
2763 pfkey_expire(struct ipsec_sa *ipsp, int hard)
2764 {
2765 struct sadb_ext *extensions[SADB_EXT_MAX+1];
2766 struct sadb_msg *pfkey_msg = NULL;
2767 struct socket_list *pfkey_socketsp;
2768 int error = 0;
2769 uint8_t satype;
2770
2771 pfkey_extensions_init(extensions);
2772
2773 if(!(satype = proto2satype(ipsp->ips_said.proto))) {
2774 KLIPS_PRINT(debug_pfkey,
2775 "klips_debug:pfkey_expire: "
2776 "satype lookup for protocol %d lookup failed.\n",
2777 ipsp->ips_said.proto);
2778 SENDERR(EINVAL);
2779 }
2780
2781 if(!pfkey_open_sockets) {
2782 KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_expire: "
2783 "no sockets listening.\n");
2784 SENDERR(EPROTONOSUPPORT);
2785 }
2786
2787 if (!(pfkey_safe_build(error = pfkey_msg_hdr_build(&extensions[0],
2788 SADB_EXPIRE,
2789 satype,
2790 0,
2791 ++pfkey_msg_seq,
2792 0),
2793 extensions)
2794 && pfkey_safe_build(error = pfkey_sa_ref_build(&extensions[SADB_EXT_SA],
2795 SADB_EXT_SA,
2796 ipsp->ips_said.spi,
2797 ipsp->ips_replaywin,
2798 ipsp->ips_state,
2799 ipsp->ips_authalg,
2800 ipsp->ips_encalg,
2801 ipsp->ips_flags,
2802 ipsp->ips_ref),
2803 extensions)
2804 && pfkey_safe_build(error = pfkey_lifetime_build(&extensions[SADB_EXT_LIFETIME_CURRENT],
2805 SADB_EXT_LIFETIME_CURRENT,
2806 ipsp->ips_life.ipl_allocations.ipl_count,
2807 ipsp->ips_life.ipl_bytes.ipl_count,
2808 ipsp->ips_life.ipl_addtime.ipl_count,
2809 ipsp->ips_life.ipl_usetime.ipl_count,
2810 ipsp->ips_life.ipl_packets.ipl_count),
2811 extensions)
2812 && (hard ?
2813 pfkey_safe_build(error = pfkey_lifetime_build(&extensions[SADB_EXT_LIFETIME_HARD],
2814 SADB_EXT_LIFETIME_HARD,
2815 ipsp->ips_life.ipl_allocations.ipl_hard,
2816 ipsp->ips_life.ipl_bytes.ipl_hard,
2817 ipsp->ips_life.ipl_addtime.ipl_hard,
2818 ipsp->ips_life.ipl_usetime.ipl_hard,
2819 ipsp->ips_life.ipl_packets.ipl_hard),
2820 extensions)
2821 : pfkey_safe_build(error = pfkey_lifetime_build(&extensions[SADB_EXT_LIFETIME_SOFT],
2822 SADB_EXT_LIFETIME_SOFT,
2823 ipsp->ips_life.ipl_allocations.ipl_soft,
2824 ipsp->ips_life.ipl_bytes.ipl_soft,
2825 ipsp->ips_life.ipl_addtime.ipl_soft,
2826 ipsp->ips_life.ipl_usetime.ipl_soft,
2827 ipsp->ips_life.ipl_packets.ipl_soft),
2828 extensions))
2829 && pfkey_safe_build(error = pfkey_address_build(&extensions[SADB_EXT_ADDRESS_SRC],
2830 SADB_EXT_ADDRESS_SRC,
2831 0, /* ipsp->ips_said.proto, */
2832 0,
2833 ipsp->ips_addr_s),
2834 extensions)
2835 && pfkey_safe_build(error = pfkey_address_build(&extensions[SADB_EXT_ADDRESS_DST],
2836 SADB_EXT_ADDRESS_DST,
2837 0, /* ipsp->ips_said.proto, */
2838 0,
2839 ipsp->ips_addr_d),
2840 extensions))) {
2841 KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_expire: "
2842 "failed to build the expire message extensions\n");
2843 spin_unlock(&tdb_lock);
2844 goto errlab;
2845 }
2846
2847 if ((error = pfkey_msg_build(&pfkey_msg, extensions, EXT_BITS_OUT))) {
2848 KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_expire: "
2849 "failed to build the expire message\n");
2850 SENDERR(-error);
2851 }
2852
2853 for(pfkey_socketsp = pfkey_open_sockets;
2854 pfkey_socketsp;
2855 pfkey_socketsp = pfkey_socketsp->next) {
2856 if((error = pfkey_upmsg(pfkey_socketsp->socketp, pfkey_msg))) {
2857 KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_expire: "
2858 "sending up expire message for satype=%d(%s) to socket=0p%p failed with error=%d.\n",
2859 satype,
2860 satype2name(satype),
2861 pfkey_socketsp->socketp,
2862 error);
2863 SENDERR(-error);
2864 }
2865 KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_expire: "
2866 "sending up expire message for satype=%d(%s) (proto=%d) to socket=0p%p succeeded.\n",
2867 satype,
2868 satype2name(satype),
2869 ipsp->ips_said.proto,
2870 pfkey_socketsp->socketp);
2871 }
2872
2873 errlab:
2874 if (pfkey_msg) {
2875 pfkey_msg_free(&pfkey_msg);
2876 }
2877 pfkey_extensions_free(extensions);
2878 return error;
2879 }
2880
2881 int
2882 pfkey_acquire(struct ipsec_sa *ipsp)
2883 {
2884 struct sadb_ext *extensions[SADB_EXT_MAX+1];
2885 struct sadb_msg *pfkey_msg = NULL;
2886 struct socket_list *pfkey_socketsp;
2887 int error = 0;
2888 struct sadb_comb comb[] = {
2889 /* auth; encrypt; flags; */
2890 /* auth_minbits; auth_maxbits; encrypt_minbits; encrypt_maxbits; */
2891 /* reserved; soft_allocations; hard_allocations; soft_bytes; hard_bytes; */
2892 /* soft_addtime; hard_addtime; soft_usetime; hard_usetime; */
2893 /* soft_packets; hard_packets; */
2894 { SADB_AALG_MD5_HMAC, SADB_EALG_3DES_CBC, SADB_SAFLAGS_PFS,
2895 128, 128, 168, 168,
2896 0, 0, 0, 0, 0,
2897 57600, 86400, 57600, 86400,
2898 0, 0 },
2899 { SADB_AALG_SHA1_HMAC, SADB_EALG_3DES_CBC, SADB_SAFLAGS_PFS,
2900 160, 160, 168, 168,
2901 0, 0, 0, 0, 0,
2902 57600, 86400, 57600, 86400,
2903 0, 0 }
2904 };
2905
2906 /* XXX This should not be hard-coded. It should be taken from the spdb */
2907 uint8_t satype = SADB_SATYPE_ESP;
2908
2909 pfkey_extensions_init(extensions);
2910
2911 if((satype == 0) || (satype > SADB_SATYPE_MAX)) {
2912 KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_acquire: "
2913 "SAtype=%d unspecified or unknown.\n",
2914 satype);
2915 SENDERR(EINVAL);
2916 }
2917
2918 if(!(pfkey_registered_sockets[satype])) {
2919 KLIPS_PRINT(1|debug_pfkey, "klips_debug:pfkey_acquire: "
2920 "no sockets registered for SAtype=%d(%s).\n",
2921 satype,
2922 satype2name(satype));
2923 SENDERR(EPROTONOSUPPORT);
2924 }
2925
2926 if (!(pfkey_safe_build(error = pfkey_msg_hdr_build(&extensions[0],
2927 SADB_ACQUIRE,
2928 satype,
2929 0,
2930 ++pfkey_msg_seq,
2931 0),
2932 extensions)
2933 && pfkey_safe_build(error = pfkey_address_build(&extensions[SADB_EXT_ADDRESS_SRC],
2934 SADB_EXT_ADDRESS_SRC,
2935 ipsp->ips_said.proto,
2936 0,
2937 ipsp->ips_addr_s),
2938 extensions)
2939 && pfkey_safe_build(error = pfkey_address_build(&extensions[SADB_EXT_ADDRESS_DST],
2940 SADB_EXT_ADDRESS_DST,
2941 ipsp->ips_said.proto,
2942 0,
2943 ipsp->ips_addr_d),
2944 extensions)
2945 #if 0
2946 && (ipsp->ips_addr_p
2947 ? pfkey_safe_build(error = pfkey_address_build(&extensions[SADB_EXT_ADDRESS_PROXY],
2948 SADB_EXT_ADDRESS_PROXY,
2949 ipsp->ips_said.proto,
2950 0,
2951 ipsp->ips_addr_p),
2952 extensions) : 1)
2953 #endif
2954 && (ipsp->ips_ident_s.type != SADB_IDENTTYPE_RESERVED
2955 ? pfkey_safe_build(error = pfkey_ident_build(&extensions[SADB_EXT_IDENTITY_SRC],
2956 SADB_EXT_IDENTITY_SRC,
2957 ipsp->ips_ident_s.type,
2958 ipsp->ips_ident_s.id,
2959 ipsp->ips_ident_s.len,
2960 ipsp->ips_ident_s.data),
2961 extensions) : 1)
2962
2963 && (ipsp->ips_ident_d.type != SADB_IDENTTYPE_RESERVED
2964 ? pfkey_safe_build(error = pfkey_ident_build(&extensions[SADB_EXT_IDENTITY_DST],
2965 SADB_EXT_IDENTITY_DST,
2966 ipsp->ips_ident_d.type,
2967 ipsp->ips_ident_d.id,
2968 ipsp->ips_ident_d.len,
2969 ipsp->ips_ident_d.data),
2970 extensions) : 1)
2971 #if 0
2972 /* FIXME: This won't work yet because I have not finished
2973 it. */
2974 && (ipsp->ips_sens_
2975 ? pfkey_safe_build(error = pfkey_sens_build(&extensions[SADB_EXT_SENSITIVITY],
2976 ipsp->ips_sens_dpd,
2977 ipsp->ips_sens_sens_level,
2978 ipsp->ips_sens_sens_len,
2979 ipsp->ips_sens_sens_bitmap,
2980 ipsp->ips_sens_integ_level,
2981 ipsp->ips_sens_integ_len,
2982 ipsp->ips_sens_integ_bitmap),
2983 extensions) : 1)
2984 #endif
2985 && pfkey_safe_build(error = pfkey_prop_build(&extensions[SADB_EXT_PROPOSAL],
2986 64, /* replay */
2987 sizeof(comb)/sizeof(struct sadb_comb),
2988 &(comb[0])),
2989 extensions)
2990 )) {
2991 KLIPS_PRINT(1|debug_pfkey, "klips_debug:pfkey_acquire: "
2992 "failed to build the acquire message extensions\n");
2993 SENDERR(-error);
2994 }
2995
2996 if ((error = pfkey_msg_build(&pfkey_msg, extensions, EXT_BITS_OUT))) {
2997 KLIPS_PRINT(1|debug_pfkey, "klips_debug:pfkey_acquire: "
2998 "failed to build the acquire message\n");
2999 SENDERR(-error);
3000 }
3001
3002 #if KLIPS_PFKEY_ACQUIRE_LOSSAGE > 0
3003 if(sysctl_ipsec_regress_pfkey_lossage) {
3004 return(0);
3005 }
3006 #endif
3007
3008 /* this should go to all registered sockets for that satype only */
3009 for(pfkey_socketsp = pfkey_registered_sockets[satype];
3010 pfkey_socketsp;
3011 pfkey_socketsp = pfkey_socketsp->next) {
3012 if((error = pfkey_upmsg(pfkey_socketsp->socketp, pfkey_msg))) {
3013 KLIPS_PRINT(1|debug_pfkey, "klips_debug:pfkey_acquire: "
3014 "sending up acquire message for satype=%d(%s) to socket=0p%p failed with error=%d.\n",
3015 satype,
3016 satype2name(satype),
3017 pfkey_socketsp->socketp,
3018 error);
3019 SENDERR(-error);
3020 }
3021 KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_acquire: "
3022 "sending up acquire message for satype=%d(%s) to socket=0p%p succeeded.\n",
3023 satype,
3024 satype2name(satype),
3025 pfkey_socketsp->socketp);
3026 }
3027
3028 errlab:
3029 if (pfkey_msg) {
3030 pfkey_msg_free(&pfkey_msg);
3031 }
3032 pfkey_extensions_free(extensions);
3033 return error;
3034 }
3035
3036 #ifdef CONFIG_IPSEC_NAT_TRAVERSAL
3037 int
3038 pfkey_nat_t_new_mapping(struct ipsec_sa *ipsp, struct sockaddr *ipaddr,
3039 __u16 sport)
3040 {
3041 struct sadb_ext *extensions[SADB_EXT_MAX+1];
3042 struct sadb_msg *pfkey_msg = NULL;
3043 struct socket_list *pfkey_socketsp;
3044 int error = 0;
3045 uint8_t satype = (ipsp->ips_said.proto==IPPROTO_ESP) ? SADB_SATYPE_ESP : 0;
3046
3047 /* Construct SADB_X_NAT_T_NEW_MAPPING message */
3048
3049 pfkey_extensions_init(extensions);
3050
3051 if((satype == 0) || (satype > SADB_SATYPE_MAX)) {
3052 KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_nat_t_new_mapping: "
3053 "SAtype=%d unspecified or unknown.\n",
3054 satype);
3055 SENDERR(EINVAL);
3056 }
3057
3058 if(!(pfkey_registered_sockets[satype])) {
3059 KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_nat_t_new_mapping: "
3060 "no sockets registered for SAtype=%d(%s).\n",
3061 satype,
3062 satype2name(satype));
3063 SENDERR(EPROTONOSUPPORT);
3064 }
3065
3066 if (!(pfkey_safe_build
3067 (error = pfkey_msg_hdr_build(&extensions[0], SADB_X_NAT_T_NEW_MAPPING,
3068 satype, 0, ++pfkey_msg_seq, 0), extensions)
3069 /* SA */
3070 && pfkey_safe_build
3071 (error = pfkey_sa_build(&extensions[SADB_EXT_SA],
3072 SADB_EXT_SA, ipsp->ips_said.spi, 0, 0, 0, 0, 0), extensions)
3073 /* ADDRESS_SRC = old addr */
3074 && pfkey_safe_build
3075 (error = pfkey_address_build(&extensions[SADB_EXT_ADDRESS_SRC],
3076 SADB_EXT_ADDRESS_SRC, ipsp->ips_said.proto, 0, ipsp->ips_addr_s),
3077 extensions)
3078 /* NAT_T_SPORT = old port */
3079 && pfkey_safe_build
3080 (error = pfkey_x_nat_t_port_build(&extensions[SADB_X_EXT_NAT_T_SPORT],
3081 SADB_X_EXT_NAT_T_SPORT, ipsp->ips_natt_sport), extensions)
3082 /* ADDRESS_DST = new addr */
3083 && pfkey_safe_build
3084 (error = pfkey_address_build(&extensions[SADB_EXT_ADDRESS_DST],
3085 SADB_EXT_ADDRESS_DST, ipsp->ips_said.proto, 0, ipaddr), extensions)
3086 /* NAT_T_DPORT = new port */
3087 && pfkey_safe_build
3088 (error = pfkey_x_nat_t_port_build(&extensions[SADB_X_EXT_NAT_T_DPORT],
3089 SADB_X_EXT_NAT_T_DPORT, sport), extensions)
3090 )) {
3091 KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_nat_t_new_mapping: "
3092 "failed to build the nat_t_new_mapping message extensions\n");
3093 SENDERR(-error);
3094 }
3095
3096 if ((error = pfkey_msg_build(&pfkey_msg, extensions, EXT_BITS_OUT))) {
3097 KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_nat_t_new_mapping: "
3098 "failed to build the nat_t_new_mapping message\n");
3099 SENDERR(-error);
3100 }
3101
3102 /* this should go to all registered sockets for that satype only */
3103 for(pfkey_socketsp = pfkey_registered_sockets[satype];
3104 pfkey_socketsp;
3105 pfkey_socketsp = pfkey_socketsp->next) {
3106 if((error = pfkey_upmsg(pfkey_socketsp->socketp, pfkey_msg))) {
3107 KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_nat_t_new_mapping: "
3108 "sending up nat_t_new_mapping message for satype=%d(%s) to socket=%p failed with error=%d.\n",
3109 satype,
3110 satype2name(satype),
3111 pfkey_socketsp->socketp,
3112 error);
3113 SENDERR(-error);
3114 }
3115 KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_nat_t_new_mapping: "
3116 "sending up nat_t_new_mapping message for satype=%d(%s) to socket=%p succeeded.\n",
3117 satype,
3118 satype2name(satype),
3119 pfkey_socketsp->socketp);
3120 }
3121
3122 errlab:
3123 if (pfkey_msg) {
3124 pfkey_msg_free(&pfkey_msg);
3125 }
3126 pfkey_extensions_free(extensions);
3127 return error;
3128 }
3129
3130 DEBUG_NO_STATIC int
3131 pfkey_x_nat_t_new_mapping_parse(struct sock *sk, struct sadb_ext **extensions, struct pfkey_extracted_data* extr)
3132 {
3133 /* SADB_X_NAT_T_NEW_MAPPING not used in kernel */
3134 return -EINVAL;
3135 }
3136 #endif
3137
3138 DEBUG_NO_STATIC int (*ext_processors[SADB_EXT_MAX+1])(struct sadb_ext *pfkey_ext, struct pfkey_extracted_data* extr) =
3139 {
3140 NULL, /* pfkey_msg_process, */
3141 pfkey_sa_process,
3142 pfkey_lifetime_process,
3143 pfkey_lifetime_process,
3144 pfkey_lifetime_process,
3145 pfkey_address_process,
3146 pfkey_address_process,
3147 pfkey_address_process,
3148 pfkey_key_process,
3149 pfkey_key_process,
3150 pfkey_ident_process,
3151 pfkey_ident_process,
3152 pfkey_sens_process,
3153 pfkey_prop_process,
3154 pfkey_supported_process,
3155 pfkey_supported_process,
3156 pfkey_spirange_process,
3157 pfkey_x_kmprivate_process,
3158 pfkey_x_satype_process,
3159 pfkey_sa_process,
3160 pfkey_address_process,
3161 pfkey_address_process,
3162 pfkey_address_process,
3163 pfkey_address_process,
3164 pfkey_address_process,
3165 pfkey_x_debug_process,
3166 pfkey_x_protocol_process
3167 #ifdef CONFIG_IPSEC_NAT_TRAVERSAL
3168 ,
3169 pfkey_x_nat_t_type_process,
3170 pfkey_x_nat_t_port_process,
3171 pfkey_x_nat_t_port_process,
3172 pfkey_address_process
3173 #endif
3174 };
3175
3176
3177 DEBUG_NO_STATIC int (*msg_parsers[SADB_MAX +1])(struct sock *sk, struct sadb_ext *extensions[], struct pfkey_extracted_data* extr)
3178 =
3179 {
3180 NULL, /* RESERVED */
3181 pfkey_getspi_parse,
3182 pfkey_update_parse,
3183 pfkey_add_parse,
3184 pfkey_delete_parse,
3185 pfkey_get_parse,
3186 pfkey_acquire_parse,
3187 pfkey_register_parse,
3188 pfkey_expire_parse,
3189 pfkey_flush_parse,
3190 pfkey_dump_parse,
3191 pfkey_x_promisc_parse,
3192 pfkey_x_pchange_parse,
3193 pfkey_x_grpsa_parse,
3194 pfkey_x_addflow_parse,
3195 pfkey_x_delflow_parse,
3196 pfkey_x_msg_debug_parse
3197 #ifdef CONFIG_IPSEC_NAT_TRAVERSAL
3198 , pfkey_x_nat_t_new_mapping_parse
3199 #endif
3200 };
3201
3202 int
3203 pfkey_build_reply(struct sadb_msg *pfkey_msg, struct pfkey_extracted_data *extr,
3204 struct sadb_msg **pfkey_reply)
3205 {
3206 struct sadb_ext *extensions[SADB_EXT_MAX+1];
3207 int error = 0;
3208 int msg_type = pfkey_msg->sadb_msg_type;
3209 int seq = pfkey_msg->sadb_msg_seq;
3210
3211 KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_build_reply: "
3212 "building reply with type: %d\n",
3213 msg_type);
3214 pfkey_extensions_init(extensions);
3215 if (!extr || !extr->ips) {
3216 KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_build_reply: "
3217 "bad ipsec_sa passed\n");
3218 return EINVAL;
3219 }
3220 error = pfkey_safe_build(pfkey_msg_hdr_build(&extensions[0],
3221 msg_type,
3222 proto2satype(extr->ips->ips_said.proto),
3223 0,
3224 seq,
3225 pfkey_msg->sadb_msg_pid),
3226 extensions) &&
3227 (!(extensions_bitmaps[EXT_BITS_OUT][EXT_BITS_REQ][msg_type] &
3228 1 << SADB_EXT_SA)
3229 || pfkey_safe_build(pfkey_sa_ref_build(&extensions[SADB_EXT_SA],
3230 SADB_EXT_SA,
3231 extr->ips->ips_said.spi,
3232 extr->ips->ips_replaywin,
3233 extr->ips->ips_state,
3234 extr->ips->ips_authalg,
3235 extr->ips->ips_encalg,
3236 extr->ips->ips_flags,
3237 extr->ips->ips_ref),
3238 extensions)) &&
3239 (!(extensions_bitmaps[EXT_BITS_OUT][EXT_BITS_REQ][msg_type] &
3240 1 << SADB_EXT_LIFETIME_CURRENT)
3241 || pfkey_safe_build(pfkey_lifetime_build(&extensions
3242 [SADB_EXT_LIFETIME_CURRENT],
3243 SADB_EXT_LIFETIME_CURRENT,
3244 extr->ips->ips_life.ipl_allocations.ipl_count,
3245 extr->ips->ips_life.ipl_bytes.ipl_count,
3246 extr->ips->ips_life.ipl_addtime.ipl_count,
3247 extr->ips->ips_life.ipl_usetime.ipl_count,
3248 extr->ips->ips_life.ipl_packets.ipl_count),
3249 extensions)) &&
3250 (!(extensions_bitmaps[EXT_BITS_OUT][EXT_BITS_REQ][msg_type] &
3251 1 << SADB_EXT_ADDRESS_SRC)
3252 || pfkey_safe_build(pfkey_address_build(&extensions[SADB_EXT_ADDRESS_SRC],
3253 SADB_EXT_ADDRESS_SRC,
3254 extr->ips->ips_said.proto,
3255 0,
3256 extr->ips->ips_addr_s),
3257 extensions)) &&
3258 (!(extensions_bitmaps[EXT_BITS_OUT][EXT_BITS_REQ][msg_type] &
3259 1 << SADB_EXT_ADDRESS_DST)
3260 || pfkey_safe_build(pfkey_address_build(&extensions[SADB_EXT_ADDRESS_DST],
3261 SADB_EXT_ADDRESS_DST,
3262 extr->ips->ips_said.proto,
3263 0,
3264 extr->ips->ips_addr_d),
3265 extensions));
3266
3267 if (error == 0) {
3268 KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_build_reply: "
3269 "building extensions failed\n");
3270 return EINVAL;
3271 }
3272
3273 KLIPS_PRINT(debug_pfkey,
3274 "klips_debug:pfkey_build_reply: "
3275 "built extensions, proceed to build the message\n");
3276 KLIPS_PRINT(debug_pfkey,
3277 "klips_debug:pfkey_build_reply: "
3278 "extensions[1]=0p%p\n",
3279 extensions[1]);
3280 error = pfkey_msg_build(pfkey_reply, extensions, EXT_BITS_OUT);
3281 pfkey_extensions_free(extensions);
3282
3283 return error;
3284 }
3285
3286 int
3287 pfkey_msg_interp(struct sock *sk, struct sadb_msg *pfkey_msg,
3288 struct sadb_msg **pfkey_reply)
3289 {
3290 int error = 0;
3291 int i;
3292 struct sadb_ext *extensions[SADB_EXT_MAX+1];
3293 struct pfkey_extracted_data extr = {NULL, NULL, NULL};
3294
3295 pfkey_extensions_init(extensions);
3296 KLIPS_PRINT(debug_pfkey,
3297 "klips_debug:pfkey_msg_interp: "
3298 "parsing message ver=%d, type=%d, errno=%d, satype=%d(%s), len=%d, res=%d, seq=%d, pid=%d.\n",
3299 pfkey_msg->sadb_msg_version,
3300 pfkey_msg->sadb_msg_type,
3301 pfkey_msg->sadb_msg_errno,
3302 pfkey_msg->sadb_msg_satype,
3303 satype2name(pfkey_msg->sadb_msg_satype),
3304 pfkey_msg->sadb_msg_len,
3305 pfkey_msg->sadb_msg_reserved,
3306 pfkey_msg->sadb_msg_seq,
3307 pfkey_msg->sadb_msg_pid);
3308
3309 extr.ips = ipsec_sa_alloc(&error); /* pass in error var by pointer */
3310 if(extr.ips == NULL) {
3311 KLIPS_PRINT(debug_pfkey,
3312 "klips_debug:pfkey_msg_interp: "
3313 "memory allocation error.\n");
3314 SENDERR(-error);
3315 }
3316
3317 KLIPS_PRINT(debug_pfkey,
3318 "klips_debug:pfkey_msg_interp: "
3319 "allocated extr->ips=0p%p.\n",
3320 extr.ips);
3321
3322 if(pfkey_msg->sadb_msg_satype > SADB_SATYPE_MAX) {
3323 KLIPS_PRINT(debug_pfkey,
3324 "klips_debug:pfkey_msg_interp: "
3325 "satype %d > max %d\n",
3326 pfkey_msg->sadb_msg_satype,
3327 SADB_SATYPE_MAX);
3328 SENDERR(EINVAL);
3329 }
3330
3331 switch(pfkey_msg->sadb_msg_type) {
3332 case SADB_GETSPI:
3333 case SADB_UPDATE:
3334 case SADB_ADD:
3335 case SADB_DELETE:
3336 case SADB_X_GRPSA:
3337 case SADB_X_ADDFLOW:
3338 if(!(extr.ips->ips_said.proto = satype2proto(pfkey_msg->sadb_msg_satype))) {
3339 KLIPS_PRINT(debug_pfkey,
3340 "klips_debug:pfkey_msg_interp: "
3341 "satype %d lookup failed.\n",
3342 pfkey_msg->sadb_msg_satype);
3343 SENDERR(EINVAL);
3344 } else {
3345 KLIPS_PRINT(debug_pfkey,
3346 "klips_debug:pfkey_msg_interp: "
3347 "satype %d lookups to proto=%d.\n",
3348 pfkey_msg->sadb_msg_satype,
3349 extr.ips->ips_said.proto);
3350 }
3351 break;
3352 default:
3353 break;
3354 }
3355
3356 /* The NULL below causes the default extension parsers to be used */
3357 /* Parse the extensions */
3358 if((error = pfkey_msg_parse(pfkey_msg, NULL, extensions, EXT_BITS_IN)))
3359 {
3360 KLIPS_PRINT(debug_pfkey,
3361 "klips_debug:pfkey_msg_interp: "
3362 "message parsing failed with error %d.\n",
3363 error);
3364 SENDERR(-error);
3365 }
3366
3367 /* Process the extensions */
3368 for(i=1; i <= SADB_EXT_MAX;i++) {
3369 if(extensions[i] != NULL) {
3370 KLIPS_PRINT(debug_pfkey,
3371 "klips_debug:pfkey_msg_interp: "
3372 "processing ext %d 0p%p with processor 0p%p.\n",
3373 i, extensions[i], ext_processors[i]);
3374 if((error = ext_processors[i](extensions[i], &extr))) {
3375 KLIPS_PRINT(debug_pfkey,
3376 "klips_debug:pfkey_msg_interp: "
3377 "extension processing for type %d failed with error %d.\n",
3378 i,
3379 error);
3380 SENDERR(-error);
3381 }
3382
3383 }
3384
3385 }
3386
3387 /* Parse the message types */
3388 KLIPS_PRINT(debug_pfkey,
3389 "klips_debug:pfkey_msg_interp: "
3390 "parsing message type %d(%s) with msg_parser 0p%p.\n",
3391 pfkey_msg->sadb_msg_type,
3392 pfkey_v2_sadb_type_string(pfkey_msg->sadb_msg_type),
3393 msg_parsers[pfkey_msg->sadb_msg_type]);
3394 if((error = msg_parsers[pfkey_msg->sadb_msg_type](sk, extensions, &extr))) {
3395 KLIPS_PRINT(debug_pfkey,
3396 "klips_debug:pfkey_msg_interp: "
3397 "message parsing failed with error %d.\n",
3398 error);
3399 SENDERR(-error);
3400 }
3401
3402 #if 0
3403 error = pfkey_build_reply(pfkey_msg, &extr, pfkey_reply);
3404 if (error) {
3405 *pfkey_reply = NULL;
3406 }
3407 #endif
3408 errlab:
3409 if(extr.ips != NULL) {
3410 ipsec_sa_wipe(extr.ips);
3411 }
3412 if(extr.ips2 != NULL) {
3413 ipsec_sa_wipe(extr.ips2);
3414 }
3415 if (extr.eroute != NULL) {
3416 kfree(extr.eroute);
3417 }
3418 return(error);
3419 }
3420
Michael's strongswan development tree