2 * @(#) RFC2367 PF_KEYv2 Key management API message parser
3 * Copyright (C) 1999, 2000, 2001 Richard Guy Briggs <rgb@freeswan.org>
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * RCSID $Id: pfkey_v2_parser.c,v 1.4 2004/09/29 22:27:41 as Exp $
19 * Template from klips/net/ipsec/ipsec/ipsec_netlink.c.
22 char pfkey_v2_parser_c_version
[] = "$Id: pfkey_v2_parser.c,v 1.4 2004/09/29 22:27:41 as Exp $";
24 #include <linux/config.h>
25 #include <linux/version.h>
26 #include <linux/kernel.h> /* printk() */
28 #include "freeswan/ipsec_param.h"
31 # include <linux/slab.h> /* kmalloc() */
32 #else /* MALLOC_SLAB */
33 # include <linux/malloc.h> /* kmalloc() */
34 #endif /* MALLOC_SLAB */
35 #include <linux/errno.h> /* error codes */
36 #include <linux/types.h> /* size_t */
37 #include <linux/interrupt.h> /* mark_bh */
39 #include <linux/netdevice.h> /* struct device, and other headers */
40 #include <linux/etherdevice.h> /* eth_type_trans */
41 #include <linux/ip.h> /* struct iphdr */
42 #include <linux/skbuff.h>
46 #include <crypto/des.h>
50 # include <linux/spinlock.h> /* *lock* */
51 # else /* SPINLOCK_23 */
52 # include <asm/spinlock.h> /* *lock* */
53 # endif /* SPINLOCK_23 */
56 # include <asm/uaccess.h>
57 # include <linux/in6.h>
58 # define ip_chk_addr inet_addr_type
59 # define IS_MYADDR RTN_LOCAL
61 #include <asm/checksum.h>
64 # include <linux/netlink.h>
66 # include <net/netlink.h>
69 #include <linux/random.h> /* get_random_bytes() */
71 #include "freeswan/radij.h"
72 #include "freeswan/ipsec_encap.h"
73 #include "freeswan/ipsec_sa.h"
75 #include "freeswan/ipsec_radij.h"
76 #include "freeswan/ipsec_xform.h"
77 #include "freeswan/ipsec_ah.h"
78 #include "freeswan/ipsec_esp.h"
79 #include "freeswan/ipsec_tunnel.h"
80 #include "freeswan/ipsec_rcv.h"
81 #include "freeswan/ipcomp.h"
86 #include "freeswan/ipsec_proto.h"
87 #include "freeswan/ipsec_alg.h"
90 #define SENDERR(_x) do { error = -(_x); goto errlab; } while (0)
94 struct sklist_t
* next
;
95 } pfkey_sklist_head
, *pfkey_sklist
, *pfkey_sklist_prev
;
97 __u32 pfkey_msg_seq
= 0;
100 pfkey_alloc_eroute(struct eroute
** eroute
)
104 KLIPS_PRINT(debug_pfkey
,
105 "klips_debug:pfkey_alloc_eroute: "
106 "eroute struct already allocated\n");
110 KLIPS_PRINT(debug_pfkey
,
111 "klips_debug:pfkey_alloc_eroute: "
112 "allocating %lu bytes for an eroute.\n",
113 (unsigned long) sizeof(**eroute
));
114 if((*eroute
= kmalloc(sizeof(**eroute
), GFP_ATOMIC
) ) == NULL
) {
115 KLIPS_PRINT(debug_pfkey
,
116 "klips_debug:pfkey_alloc_eroute: "
117 "memory allocation error\n");
120 KLIPS_PRINT(debug_pfkey
,
121 "klips_debug:pfkey_alloc_eroute: "
122 "allocated eroute struct=0p%p.\n", eroute
);
123 memset((caddr_t
)*eroute
, 0, sizeof(**eroute
));
124 (*eroute
)->er_eaddr
.sen_len
=
125 (*eroute
)->er_emask
.sen_len
= sizeof(struct sockaddr_encap
);
126 (*eroute
)->er_eaddr
.sen_family
=
127 (*eroute
)->er_emask
.sen_family
= AF_ENCAP
;
128 (*eroute
)->er_eaddr
.sen_type
= SENT_IP4
;
129 (*eroute
)->er_emask
.sen_type
= 255;
130 (*eroute
)->er_pid
= 0;
131 (*eroute
)->er_count
= 0;
132 (*eroute
)->er_lasttime
= jiffies
/HZ
;
139 pfkey_x_protocol_process(struct sadb_ext
*pfkey_ext
,
140 struct pfkey_extracted_data
*extr
)
143 struct sadb_protocol
* p
= (struct sadb_protocol
*)pfkey_ext
;
145 KLIPS_PRINT(debug_pfkey
, "klips_debug:pfkey_x_protocol_process: %p\n", extr
);
148 KLIPS_PRINT(debug_pfkey
,
149 "klips_debug:pfkey_x_protocol_process:"
150 "extr is NULL, fatal\n");
153 if (extr
->eroute
== 0) {
154 KLIPS_PRINT(debug_pfkey
,
155 "klips_debug:pfkey_x_protocol_process:"
156 "extr->eroute is NULL, fatal\n");
159 extr
->eroute
->er_eaddr
.sen_proto
= p
->sadb_protocol_proto
;
160 extr
->eroute
->er_emask
.sen_proto
= p
->sadb_protocol_proto
? ~0:0;
161 KLIPS_PRINT(debug_pfkey
,
162 "klips_debug:pfkey_x_protocol_process: protocol = %d.\n",
163 p
->sadb_protocol_proto
);
169 pfkey_ipsec_sa_init(struct ipsec_sa
*ipsp
, struct sadb_ext
**extensions
)
174 char ipaddr_txt
[ADDRTOA_BUF
];
175 char ipaddr2_txt
[ADDRTOA_BUF
];
176 #if defined (CONFIG_IPSEC_AUTH_HMAC_MD5) || defined (CONFIG_IPSEC_AUTH_HMAC_SHA1)
178 unsigned char kb
[AHMD596_BLKLEN
];
180 #ifdef CONFIG_IPSEC_ALG
181 struct ipsec_alg_enc
*ixt_e
= NULL
;
182 struct ipsec_alg_auth
*ixt_a
= NULL
;
183 #endif /* CONFIG_IPSEC_ALG */
186 KLIPS_PRINT(debug_pfkey
,
187 "klips_debug:pfkey_ipsec_sa_init: "
188 "ipsp is NULL, fatal\n");
192 sa_len
= satoa(ipsp
->ips_said
, 0, sa
, SATOA_BUF
);
194 KLIPS_PRINT(debug_pfkey
,
195 "klips_debug:pfkey_ipsec_sa_init: "
196 "(pfkey defined) called for SA:%s\n",
197 sa_len
? sa
: " (error)");
199 KLIPS_PRINT(debug_pfkey
,
200 "klips_debug:pfkey_ipsec_sa_init: "
201 "calling init routine of %s%s%s\n",
202 IPS_XFORM_NAME(ipsp
));
204 switch(ipsp
->ips_said
.proto
) {
206 #ifdef CONFIG_IPSEC_IPIP
208 addrtoa(((struct sockaddr_in
*)(ipsp
->ips_addr_s
))->sin_addr
,
210 ipaddr_txt
, sizeof(ipaddr_txt
));
211 addrtoa(((struct sockaddr_in
*)(ipsp
->ips_addr_d
))->sin_addr
,
213 ipaddr2_txt
, sizeof(ipaddr_txt
));
214 KLIPS_PRINT(debug_pfkey
,
215 "klips_debug:pfkey_ipsec_sa_init: "
216 "(pfkey defined) IPIP ipsec_sa set for %s->%s.\n",
221 #endif /* !CONFIG_IPSEC_IPIP */
222 #ifdef CONFIG_IPSEC_AH
224 switch(ipsp
->ips_authalg
) {
225 # ifdef CONFIG_IPSEC_AUTH_HMAC_MD5
232 if(ipsp
->ips_key_bits_a
!= (AHMD596_KLEN
* 8)) {
233 KLIPS_PRINT(debug_pfkey
,
234 "klips_debug:pfkey_ipsec_sa_init: "
235 "incorrect key size: %d bits -- must be %d bits\n"/*octets (bytes)\n"*/,
236 ipsp
->ips_key_bits_a
, AHMD596_KLEN
* 8);
240 # if KLIPS_DIVULGE_HMAC_KEY
241 KLIPS_PRINT(debug_pfkey
&& sysctl_ipsec_debug_verbose
,
242 "klips_debug:pfkey_ipsec_sa_init: "
243 "hmac md5-96 key is 0x%08x %08x %08x %08x\n",
244 ntohl(*(((__u32
*)ipsp
->ips_key_a
)+0)),
245 ntohl(*(((__u32
*)ipsp
->ips_key_a
)+1)),
246 ntohl(*(((__u32
*)ipsp
->ips_key_a
)+2)),
247 ntohl(*(((__u32
*)ipsp
->ips_key_a
)+3)));
248 # endif /* KLIPS_DIVULGE_HMAC_KEY */
250 ipsp
->ips_auth_bits
= AHMD596_ALEN
* 8;
252 /* save the pointer to the key material */
253 akp
= ipsp
->ips_key_a
;
254 aks
= ipsp
->ips_key_a_size
;
256 KLIPS_PRINT(debug_pfkey
&& sysctl_ipsec_debug_verbose
,
257 "klips_debug:pfkey_ipsec_sa_init: "
258 "allocating %lu bytes for md5_ctx.\n",
259 (unsigned long) sizeof(struct md5_ctx
));
260 if((ipsp
->ips_key_a
= (caddr_t
)
261 kmalloc(sizeof(struct md5_ctx
), GFP_ATOMIC
)) == NULL
) {
262 ipsp
->ips_key_a
= akp
;
265 ipsp
->ips_key_a_size
= sizeof(struct md5_ctx
);
267 for (i
= 0; i
< DIVUP(ipsp
->ips_key_bits_a
, 8); i
++) {
268 kb
[i
] = akp
[i
] ^ HMAC_IPAD
;
270 for (; i
< AHMD596_BLKLEN
; i
++) {
274 ictx
= &(((struct md5_ctx
*)(ipsp
->ips_key_a
))->ictx
);
276 MD5Update(ictx
, kb
, AHMD596_BLKLEN
);
278 for (i
= 0; i
< AHMD596_BLKLEN
; i
++) {
279 kb
[i
] ^= (HMAC_IPAD
^ HMAC_OPAD
);
282 octx
= &(((struct md5_ctx
*)(ipsp
->ips_key_a
))->octx
);
284 MD5Update(octx
, kb
, AHMD596_BLKLEN
);
286 # if KLIPS_DIVULGE_HMAC_KEY
287 KLIPS_PRINT(debug_pfkey
&& sysctl_ipsec_debug_verbose
,
288 "klips_debug:pfkey_ipsec_sa_init: "
289 "MD5 ictx=0x%08x %08x %08x %08x octx=0x%08x %08x %08x %08x\n",
298 # endif /* KLIPS_DIVULGE_HMAC_KEY */
300 /* zero key buffer -- paranoid */
305 # endif /* CONFIG_IPSEC_AUTH_HMAC_MD5 */
306 # ifdef CONFIG_IPSEC_AUTH_HMAC_SHA1
313 if(ipsp
->ips_key_bits_a
!= (AHSHA196_KLEN
* 8)) {
314 KLIPS_PRINT(debug_pfkey
,
315 "klips_debug:pfkey_ipsec_sa_init: "
316 "incorrect key size: %d bits -- must be %d bits\n"/*octets (bytes)\n"*/,
317 ipsp
->ips_key_bits_a
, AHSHA196_KLEN
* 8);
321 # if KLIPS_DIVULGE_HMAC_KEY
322 KLIPS_PRINT(debug_pfkey
&& sysctl_ipsec_debug_verbose
,
323 "klips_debug:pfkey_ipsec_sa_init: "
324 "hmac sha1-96 key is 0x%08x %08x %08x %08x\n",
325 ntohl(*(((__u32
*)ipsp
->ips_key_a
)+0)),
326 ntohl(*(((__u32
*)ipsp
->ips_key_a
)+1)),
327 ntohl(*(((__u32
*)ipsp
->ips_key_a
)+2)),
328 ntohl(*(((__u32
*)ipsp
->ips_key_a
)+3)));
329 # endif /* KLIPS_DIVULGE_HMAC_KEY */
331 ipsp
->ips_auth_bits
= AHSHA196_ALEN
* 8;
333 /* save the pointer to the key material */
334 akp
= ipsp
->ips_key_a
;
335 aks
= ipsp
->ips_key_a_size
;
337 KLIPS_PRINT(debug_pfkey
&& sysctl_ipsec_debug_verbose
,
338 "klips_debug:pfkey_ipsec_sa_init: "
339 "allocating %lu bytes for sha1_ctx.\n",
340 (unsigned long) sizeof(struct sha1_ctx
));
341 if((ipsp
->ips_key_a
= (caddr_t
)
342 kmalloc(sizeof(struct sha1_ctx
), GFP_ATOMIC
)) == NULL
) {
343 ipsp
->ips_key_a
= akp
;
346 ipsp
->ips_key_a_size
= sizeof(struct sha1_ctx
);
348 for (i
= 0; i
< DIVUP(ipsp
->ips_key_bits_a
, 8); i
++) {
349 kb
[i
] = akp
[i
] ^ HMAC_IPAD
;
351 for (; i
< AHMD596_BLKLEN
; i
++) {
355 ictx
= &(((struct sha1_ctx
*)(ipsp
->ips_key_a
))->ictx
);
357 SHA1Update(ictx
, kb
, AHSHA196_BLKLEN
);
359 for (i
= 0; i
< AHSHA196_BLKLEN
; i
++) {
360 kb
[i
] ^= (HMAC_IPAD
^ HMAC_OPAD
);
363 octx
= &(((struct sha1_ctx
*)(ipsp
->ips_key_a
))->octx
);
365 SHA1Update(octx
, kb
, AHSHA196_BLKLEN
);
367 # if KLIPS_DIVULGE_HMAC_KEY
368 KLIPS_PRINT(debug_pfkey
&& sysctl_ipsec_debug_verbose
,
369 "klips_debug:pfkey_ipsec_sa_init: "
370 "SHA1 ictx=0x%08x %08x %08x %08x octx=0x%08x %08x %08x %08x\n",
379 # endif /* KLIPS_DIVULGE_HMAC_KEY */
380 /* zero key buffer -- paranoid */
385 # endif /* CONFIG_IPSEC_AUTH_HMAC_SHA1 */
387 KLIPS_PRINT(debug_pfkey
,
388 "klips_debug:pfkey_ipsec_sa_init: "
389 "authalg=%d support not available in the kernel",
394 #endif /* CONFIG_IPSEC_AH */
395 #ifdef CONFIG_IPSEC_ESP
397 #if defined (CONFIG_IPSEC_AUTH_HMAC_MD5) || defined (CONFIG_IPSEC_AUTH_HMAC_SHA1)
401 #if defined (CONFIG_IPSEC_ENC_3DES)
406 ipsp
->ips_iv_size
= 0;
407 #ifdef CONFIG_IPSEC_ALG
408 if ((ixt_e
=ipsp
->ips_alg_enc
)) {
409 ipsp
->ips_iv_size
= ixt_e
->ixt_ivlen
/8;
411 #endif /* CONFIG_IPSEC_ALG */
412 switch(ipsp
->ips_encalg
) {
413 # ifdef CONFIG_IPSEC_ENC_3DES
415 # endif /* CONFIG_IPSEC_ENC_3DES */
416 # if defined(CONFIG_IPSEC_ENC_3DES)
417 KLIPS_PRINT(debug_pfkey
&& sysctl_ipsec_debug_verbose
,
418 "klips_debug:pfkey_ipsec_sa_init: "
419 "allocating %u bytes for iv.\n",
421 if((ipsp
->ips_iv
= (caddr_t
)
422 kmalloc((ipsp
->ips_iv_size
= EMT_ESPDES_IV_SZ
), GFP_ATOMIC
)) == NULL
) {
425 prng_bytes(&ipsec_prng
, (char *)ipsp
->ips_iv
, EMT_ESPDES_IV_SZ
);
426 ipsp
->ips_iv_bits
= ipsp
->ips_iv_size
* 8;
427 ipsp
->ips_iv_size
= EMT_ESPDES_IV_SZ
;
429 # endif /* defined(CONFIG_IPSEC_ENC_3DES) */
433 KLIPS_PRINT(debug_pfkey
,
434 "klips_debug:pfkey_ipsec_sa_init: "
435 "encalg=%d support not available in the kernel",
441 if (ipsp
->ips_iv_size
) {
442 if((ipsp
->ips_iv
= (caddr_t
)
443 kmalloc(ipsp
->ips_iv_size
, GFP_ATOMIC
)) == NULL
) {
446 prng_bytes(&ipsec_prng
, (char *)ipsp
->ips_iv
, ipsp
->ips_iv_size
);
447 ipsp
->ips_iv_bits
= ipsp
->ips_iv_size
* 8;
450 #ifdef CONFIG_IPSEC_ALG
452 if ((error
=ipsec_alg_enc_key_create(ipsp
)) < 0)
455 #endif /* CONFIG_IPSEC_ALG */
456 switch(ipsp
->ips_encalg
) {
457 # ifdef CONFIG_IPSEC_ENC_3DES
459 if(ipsp
->ips_key_bits_e
!= (EMT_ESP3DES_KEY_SZ
* 8)) {
460 KLIPS_PRINT(debug_pfkey
,
461 "klips_debug:pfkey_ipsec_sa_init: "
462 "incorrect encryption key size: %d bits -- must be %d bits\n"/*octets (bytes)\n"*/,
463 ipsp
->ips_key_bits_e
, EMT_ESP3DES_KEY_SZ
* 8);
467 /* save encryption key pointer */
468 ekp
= ipsp
->ips_key_e
;
469 eks
= ipsp
->ips_key_e_size
;
471 KLIPS_PRINT(debug_pfkey
&& sysctl_ipsec_debug_verbose
,
472 "klips_debug:pfkey_ipsec_sa_init: "
473 "allocating %lu bytes for 3des.\n",
474 (unsigned long) (3 * sizeof(struct des_eks
)));
475 if((ipsp
->ips_key_e
= (caddr_t
)
476 kmalloc(3 * sizeof(struct des_eks
), GFP_ATOMIC
)) == NULL
) {
477 ipsp
->ips_key_e
= ekp
;
480 ipsp
->ips_key_e_size
= 3 * sizeof(struct des_eks
);
482 for(i
= 0; i
< 3; i
++) {
483 #if KLIPS_DIVULGE_CYPHER_KEY
484 KLIPS_PRINT(debug_pfkey
&& sysctl_ipsec_debug_verbose
,
485 "klips_debug:pfkey_ipsec_sa_init: "
486 "3des key %d/3 is 0x%08x%08x\n",
488 ntohl(*((__u32
*)ekp
+ i
* 2)),
489 ntohl(*((__u32
*)ekp
+ i
* 2 + 1)));
491 #if KLIPS_FIXES_DES_PARITY
493 des_set_odd_parity((des_cblock
*)(ekp
+ EMT_ESPDES_KEY_SZ
* i
));
495 error
= des_set_key((des_cblock
*)(ekp
+ EMT_ESPDES_KEY_SZ
* i
),
496 ((struct des_eks
*)(ipsp
->ips_key_e
))[i
].ks
);
498 printk("klips_debug:pfkey_ipsec_sa_init: "
499 "parity error in des key %d/3\n",
501 else if (error
== -2)
502 printk("klips_debug:pfkey_ipsec_sa_init: "
503 "illegal weak des key %d/3\n", i
+ 1);
515 # endif /* CONFIG_IPSEC_ENC_3DES */
519 KLIPS_PRINT(debug_pfkey
,
520 "klips_debug:pfkey_ipsec_sa_init: "
521 "encalg=%d support not available in the kernel",
526 #ifdef CONFIG_IPSEC_ALG
527 if ((ixt_a
=ipsp
->ips_alg_auth
)) {
528 if ((error
=ipsec_alg_auth_key_create(ipsp
)) < 0)
531 #endif /* CONFIG_IPSEC_ALG */
533 switch(ipsp
->ips_authalg
) {
534 # ifdef CONFIG_IPSEC_AUTH_HMAC_MD5
539 if(ipsp
->ips_key_bits_a
!= (AHMD596_KLEN
* 8)) {
540 KLIPS_PRINT(debug_pfkey
,
541 "klips_debug:pfkey_ipsec_sa_init: "
542 "incorrect authorisation key size: %d bits -- must be %d bits\n"/*octets (bytes)\n"*/,
543 ipsp
->ips_key_bits_a
,
548 # if KLIPS_DIVULGE_HMAC_KEY
549 KLIPS_PRINT(debug_pfkey
&& sysctl_ipsec_debug_verbose
,
550 "klips_debug:pfkey_ipsec_sa_init: "
551 "hmac md5-96 key is 0x%08x %08x %08x %08x\n",
552 ntohl(*(((__u32
*)(ipsp
->ips_key_a
))+0)),
553 ntohl(*(((__u32
*)(ipsp
->ips_key_a
))+1)),
554 ntohl(*(((__u32
*)(ipsp
->ips_key_a
))+2)),
555 ntohl(*(((__u32
*)(ipsp
->ips_key_a
))+3)));
556 # endif /* KLIPS_DIVULGE_HMAC_KEY */
557 ipsp
->ips_auth_bits
= AHMD596_ALEN
* 8;
559 /* save the pointer to the key material */
560 akp
= ipsp
->ips_key_a
;
561 aks
= ipsp
->ips_key_a_size
;
563 KLIPS_PRINT(debug_pfkey
&& sysctl_ipsec_debug_verbose
,
564 "klips_debug:pfkey_ipsec_sa_init: "
565 "allocating %lu bytes for md5_ctx.\n",
566 (unsigned long) sizeof(struct md5_ctx
));
567 if((ipsp
->ips_key_a
= (caddr_t
)
568 kmalloc(sizeof(struct md5_ctx
), GFP_ATOMIC
)) == NULL
) {
569 ipsp
->ips_key_a
= akp
;
572 ipsp
->ips_key_a_size
= sizeof(struct md5_ctx
);
574 for (i
= 0; i
< DIVUP(ipsp
->ips_key_bits_a
, 8); i
++) {
575 kb
[i
] = akp
[i
] ^ HMAC_IPAD
;
577 for (; i
< AHMD596_BLKLEN
; i
++) {
581 ictx
= &(((struct md5_ctx
*)(ipsp
->ips_key_a
))->ictx
);
583 MD5Update(ictx
, kb
, AHMD596_BLKLEN
);
585 for (i
= 0; i
< AHMD596_BLKLEN
; i
++) {
586 kb
[i
] ^= (HMAC_IPAD
^ HMAC_OPAD
);
589 octx
= &(((struct md5_ctx
*)(ipsp
->ips_key_a
))->octx
);
591 MD5Update(octx
, kb
, AHMD596_BLKLEN
);
593 # if KLIPS_DIVULGE_HMAC_KEY
594 KLIPS_PRINT(debug_pfkey
&& sysctl_ipsec_debug_verbose
,
595 "klips_debug:pfkey_ipsec_sa_init: "
596 "MD5 ictx=0x%08x %08x %08x %08x octx=0x%08x %08x %08x %08x\n",
605 # endif /* KLIPS_DIVULGE_HMAC_KEY */
611 # endif /* CONFIG_IPSEC_AUTH_HMAC_MD5 */
612 # ifdef CONFIG_IPSEC_AUTH_HMAC_SHA1
617 if(ipsp
->ips_key_bits_a
!= (AHSHA196_KLEN
* 8)) {
618 KLIPS_PRINT(debug_pfkey
,
619 "klips_debug:pfkey_ipsec_sa_init: "
620 "incorrect authorisation key size: %d bits -- must be %d bits\n"/*octets (bytes)\n"*/,
621 ipsp
->ips_key_bits_a
,
626 # if KLIPS_DIVULGE_HMAC_KEY
627 KLIPS_PRINT(debug_pfkey
&& sysctl_ipsec_debug_verbose
,
628 "klips_debug:pfkey_ipsec_sa_init: "
629 "hmac sha1-96 key is 0x%08x %08x %08x %08x\n",
630 ntohl(*(((__u32
*)ipsp
->ips_key_a
)+0)),
631 ntohl(*(((__u32
*)ipsp
->ips_key_a
)+1)),
632 ntohl(*(((__u32
*)ipsp
->ips_key_a
)+2)),
633 ntohl(*(((__u32
*)ipsp
->ips_key_a
)+3)));
634 # endif /* KLIPS_DIVULGE_HMAC_KEY */
635 ipsp
->ips_auth_bits
= AHSHA196_ALEN
* 8;
637 /* save the pointer to the key material */
638 akp
= ipsp
->ips_key_a
;
639 aks
= ipsp
->ips_key_a_size
;
641 KLIPS_PRINT(debug_pfkey
&& sysctl_ipsec_debug_verbose
,
642 "klips_debug:pfkey_ipsec_sa_init: "
643 "allocating %lu bytes for sha1_ctx.\n",
644 (unsigned long) sizeof(struct sha1_ctx
));
645 if((ipsp
->ips_key_a
= (caddr_t
)
646 kmalloc(sizeof(struct sha1_ctx
), GFP_ATOMIC
)) == NULL
) {
647 ipsp
->ips_key_a
= akp
;
650 ipsp
->ips_key_a_size
= sizeof(struct sha1_ctx
);
652 for (i
= 0; i
< DIVUP(ipsp
->ips_key_bits_a
, 8); i
++) {
653 kb
[i
] = akp
[i
] ^ HMAC_IPAD
;
655 for (; i
< AHMD596_BLKLEN
; i
++) {
659 ictx
= &(((struct sha1_ctx
*)(ipsp
->ips_key_a
))->ictx
);
661 SHA1Update(ictx
, kb
, AHSHA196_BLKLEN
);
663 for (i
= 0; i
< AHSHA196_BLKLEN
; i
++) {
664 kb
[i
] ^= (HMAC_IPAD
^ HMAC_OPAD
);
667 octx
= &((struct sha1_ctx
*)(ipsp
->ips_key_a
))->octx
;
669 SHA1Update(octx
, kb
, AHSHA196_BLKLEN
);
671 # if KLIPS_DIVULGE_HMAC_KEY
672 KLIPS_PRINT(debug_pfkey
&& sysctl_ipsec_debug_verbose
,
673 "klips_debug:pfkey_ipsec_sa_init: "
674 "SHA1 ictx=0x%08x %08x %08x %08x octx=0x%08x %08x %08x %08x\n",
683 # endif /* KLIPS_DIVULGE_HMAC_KEY */
688 # endif /* CONFIG_IPSEC_AUTH_HMAC_SHA1 */
692 KLIPS_PRINT(debug_pfkey
,
693 "klips_debug:pfkey_ipsec_sa_init: "
694 "authalg=%d support not available in the kernel.\n",
700 #endif /* !CONFIG_IPSEC_ESP */
701 #ifdef CONFIG_IPSEC_IPCOMP
703 ipsp
->ips_comp_adapt_tries
= 0;
704 ipsp
->ips_comp_adapt_skip
= 0;
705 ipsp
->ips_comp_ratio_cbytes
= 0;
706 ipsp
->ips_comp_ratio_dbytes
= 0;
708 #endif /* CONFIG_IPSEC_IPCOMP */
710 KLIPS_PRINT(debug_pfkey
,
711 "klips_debug:pfkey_ipsec_sa_init: "
712 "proto=%d unknown.\n",
713 ipsp
->ips_said
.proto
);
723 pfkey_safe_build(int error
, struct sadb_ext
*extensions
[SADB_MAX
+1])
725 KLIPS_PRINT(debug_pfkey
, "klips_debug:pfkey_safe_build: "
729 KLIPS_PRINT(debug_pfkey
, "klips_debug:pfkey_safe_build:"
733 KLIPS_PRINT(debug_pfkey
, "klips_debug:pfkey_safe_build:"
736 pfkey_extensions_free(extensions
);
743 pfkey_getspi_parse(struct sock
*sk
, struct sadb_ext
**extensions
, struct pfkey_extracted_data
* extr
)
746 ipsec_spi_t minspi
= htonl(256), maxspi
= htonl(-1L);
748 struct ipsec_sa
*ipsq
;
751 struct sadb_ext
*extensions_reply
[SADB_EXT_MAX
+1];
752 struct sadb_msg
*pfkey_reply
= NULL
;
753 struct socket_list
*pfkey_socketsp
;
754 uint8_t satype
= ((struct sadb_msg
*)extensions
[SADB_EXT_RESERVED
])->sadb_msg_satype
;
756 KLIPS_PRINT(debug_pfkey
,
757 "klips_debug:pfkey_getspi_parse: .\n");
759 pfkey_extensions_init(extensions_reply
);
761 if(extr
== NULL
|| extr
->ips
== NULL
) {
762 KLIPS_PRINT(debug_pfkey
,
763 "klips_debug:pfkey_getspi_parse: "
764 "error, extr or extr->ipsec_sa pointer NULL\n");
768 if(extensions
[SADB_EXT_SPIRANGE
]) {
769 minspi
= ((struct sadb_spirange
*)extensions
[SADB_EXT_SPIRANGE
])->sadb_spirange_min
;
770 maxspi
= ((struct sadb_spirange
*)extensions
[SADB_EXT_SPIRANGE
])->sadb_spirange_max
;
773 if(maxspi
== minspi
) {
774 extr
->ips
->ips_said
.spi
= maxspi
;
775 ipsq
= ipsec_sa_getbyid(&(extr
->ips
->ips_said
));
777 sa_len
= satoa(extr
->ips
->ips_said
, 0, sa
, SATOA_BUF
);
779 KLIPS_PRINT(debug_pfkey
,
780 "klips_debug:pfkey_getspi_parse: "
781 "EMT_GETSPI found an old ipsec_sa for SA: %s, delete it first.\n",
782 sa_len
? sa
: " (error)");
791 while( ( i
< (spi_diff
= (ntohl(maxspi
) - ntohl(minspi
)))) && !found_avail
) {
792 prng_bytes(&ipsec_prng
, (char *) &(rand_val
),
793 ( (spi_diff
< (2^8)) ? 1 :
794 ( (spi_diff
< (2^16)) ? 2 :
795 ( (spi_diff
< (2^24)) ? 3 :
797 extr
->ips
->ips_said
.spi
= htonl(ntohl(minspi
) +
801 ipsq
= ipsec_sa_getbyid(&(extr
->ips
->ips_said
));
810 sa_len
= satoa(extr
->ips
->ips_said
, 0, sa
, SATOA_BUF
);
813 KLIPS_PRINT(debug_pfkey
,
814 "klips_debug:pfkey_getspi_parse: "
815 "found an old ipsec_sa for SA: %s, delete it first.\n",
816 sa_len
? sa
: " (error)");
820 if(ip_chk_addr((unsigned long)extr
->ips
->ips_said
.dst
.s_addr
) == IS_MYADDR
) {
821 extr
->ips
->ips_flags
|= EMT_INBOUND
;
824 KLIPS_PRINT(debug_pfkey
,
825 "klips_debug:pfkey_getspi_parse: "
826 "existing ipsec_sa not found (this is good) for SA: %s, %s-bound, allocating.\n",
827 sa_len
? sa
: " (error)",
828 extr
->ips
->ips_flags
& EMT_INBOUND
? "in" : "out");
830 /* XXX extr->ips->ips_rcvif = &(enc_softc[em->em_if].enc_if);*/
831 extr
->ips
->ips_rcvif
= NULL
;
832 extr
->ips
->ips_life
.ipl_addtime
.ipl_count
= jiffies
/HZ
;
834 extr
->ips
->ips_state
= SADB_SASTATE_LARVAL
;
836 if(!extr
->ips
->ips_life
.ipl_allocations
.ipl_count
) {
837 extr
->ips
->ips_life
.ipl_allocations
.ipl_count
+= 1;
840 if(!(pfkey_safe_build(error
= pfkey_msg_hdr_build(&extensions_reply
[0],
844 ((struct sadb_msg
*)extensions
[SADB_EXT_RESERVED
])->sadb_msg_seq
,
845 ((struct sadb_msg
*)extensions
[SADB_EXT_RESERVED
])->sadb_msg_pid
),
847 && pfkey_safe_build(error
= pfkey_sa_ref_build(&extensions_reply
[SADB_EXT_SA
],
849 extr
->ips
->ips_said
.spi
,
857 && pfkey_safe_build(error
= pfkey_address_build(&extensions_reply
[SADB_EXT_ADDRESS_SRC
],
858 SADB_EXT_ADDRESS_SRC
,
859 0, /*extr->ips->ips_said.proto,*/
861 extr
->ips
->ips_addr_s
),
863 && pfkey_safe_build(error
= pfkey_address_build(&extensions_reply
[SADB_EXT_ADDRESS_DST
],
864 SADB_EXT_ADDRESS_DST
,
865 0, /*extr->ips->ips_said.proto,*/
867 extr
->ips
->ips_addr_d
),
868 extensions_reply
) )) {
869 KLIPS_PRINT(debug_pfkey
, "klips_debug:pfkey_getspi_parse: "
870 "failed to build the getspi reply message extensions\n");
874 if((error
= pfkey_msg_build(&pfkey_reply
, extensions_reply
, EXT_BITS_OUT
))) {
875 KLIPS_PRINT(debug_pfkey
, "klips_debug:pfkey_getspi_parse: "
876 "failed to build the getspi reply message\n");
879 for(pfkey_socketsp
= pfkey_open_sockets
;
881 pfkey_socketsp
= pfkey_socketsp
->next
) {
882 if((error
= pfkey_upmsg(pfkey_socketsp
->socketp
, pfkey_reply
))) {
883 KLIPS_PRINT(debug_pfkey
, "klips_debug:pfkey_getspi_parse: "
884 "sending up getspi reply message for satype=%d(%s) to socket=0p%p failed with error=%d.\n",
887 pfkey_socketsp
->socketp
,
891 KLIPS_PRINT(debug_pfkey
, "klips_debug:pfkey_getspi_parse: "
892 "sending up getspi reply message for satype=%d(%s) to socket=0p%p succeeded.\n",
895 pfkey_socketsp
->socketp
);
898 if((error
= ipsec_sa_add(extr
->ips
))) {
899 KLIPS_PRINT(debug_pfkey
, "klips_debug:pfkey_getspi_parse: "
900 "failed to add the larval SA=%s with error=%d.\n",
901 sa_len
? sa
: " (error)",
907 KLIPS_PRINT(debug_pfkey
,
908 "klips_debug:pfkey_getspi_parse: "
909 "successful for SA: %s\n",
910 sa_len
? sa
: " (error)");
914 pfkey_msg_free(&pfkey_reply
);
916 pfkey_extensions_free(extensions_reply
);
921 pfkey_update_parse(struct sock
*sk
, struct sadb_ext
**extensions
, struct pfkey_extracted_data
* extr
)
924 struct ipsec_sa
* ipsq
;
927 struct sadb_ext
*extensions_reply
[SADB_EXT_MAX
+1];
928 struct sadb_msg
*pfkey_reply
= NULL
;
929 struct socket_list
*pfkey_socketsp
;
930 uint8_t satype
= ((struct sadb_msg
*)extensions
[SADB_EXT_RESERVED
])->sadb_msg_satype
;
931 #ifdef CONFIG_IPSEC_NAT_TRAVERSAL
932 struct ipsec_sa
*nat_t_ips_saved
= NULL
;
934 KLIPS_PRINT(debug_pfkey
,
935 "klips_debug:pfkey_update_parse: .\n");
937 pfkey_extensions_init(extensions_reply
);
939 if(((struct sadb_sa
*)extensions
[SADB_EXT_SA
])->sadb_sa_state
!= SADB_SASTATE_MATURE
) {
940 KLIPS_PRINT(debug_pfkey
,
941 "klips_debug:pfkey_update_parse: "
942 "error, sa_state=%d must be MATURE=%d\n",
943 ((struct sadb_sa
*)extensions
[SADB_EXT_SA
])->sadb_sa_state
,
944 SADB_SASTATE_MATURE
);
948 if(extr
== NULL
|| extr
->ips
== NULL
) {
949 KLIPS_PRINT(debug_pfkey
,
950 "klips_debug:pfkey_update_parse: "
951 "error, extr or extr->ips pointer NULL\n");
955 sa_len
= satoa(extr
->ips
->ips_said
, 0, sa
, SATOA_BUF
);
957 spin_lock_bh(&tdb_lock
);
959 ipsq
= ipsec_sa_getbyid(&(extr
->ips
->ips_said
));
961 spin_unlock_bh(&tdb_lock
);
962 KLIPS_PRINT(debug_pfkey
,
963 "klips_debug:pfkey_update_parse: "
964 "reserved ipsec_sa for SA: %s not found. Call SADB_GETSPI first or call SADB_ADD instead.\n",
965 sa_len
? sa
: " (error)");
969 if(ip_chk_addr((unsigned long)extr
->ips
->ips_said
.dst
.s_addr
) == IS_MYADDR
) {
970 extr
->ips
->ips_flags
|= EMT_INBOUND
;
973 KLIPS_PRINT(debug_pfkey
,
974 "klips_debug:pfkey_update_parse: "
975 "existing ipsec_sa found (this is good) for SA: %s, %s-bound, updating.\n",
976 sa_len
? sa
: " (error)",
977 extr
->ips
->ips_flags
& EMT_INBOUND
? "in" : "out");
979 #ifdef CONFIG_IPSEC_NAT_TRAVERSAL
980 if (extr
->ips
->ips_natt_sport
|| extr
->ips
->ips_natt_dport
) {
981 KLIPS_PRINT(debug_pfkey
,
982 "klips_debug:pfkey_update_parse: only updating NAT-T ports "
983 "(%u:%u -> %u:%u)\n",
984 ipsq
->ips_natt_sport
, ipsq
->ips_natt_dport
,
985 extr
->ips
->ips_natt_sport
, extr
->ips
->ips_natt_dport
);
987 if (extr
->ips
->ips_natt_sport
) {
988 ipsq
->ips_natt_sport
= extr
->ips
->ips_natt_sport
;
989 if (ipsq
->ips_addr_s
->sa_family
== AF_INET
) {
990 ((struct sockaddr_in
*)(ipsq
->ips_addr_s
))->sin_port
= htons(extr
->ips
->ips_natt_sport
);
994 if (extr
->ips
->ips_natt_dport
) {
995 ipsq
->ips_natt_dport
= extr
->ips
->ips_natt_dport
;
996 if (ipsq
->ips_addr_d
->sa_family
== AF_INET
) {
997 ((struct sockaddr_in
*)(ipsq
->ips_addr_d
))->sin_port
= htons(extr
->ips
->ips_natt_dport
);
1001 nat_t_ips_saved
= extr
->ips
;
1007 /* XXX extr->ips->ips_rcvif = &(enc_softc[em->em_if].enc_if);*/
1008 extr
->ips
->ips_rcvif
= NULL
;
1009 if ((error
= pfkey_ipsec_sa_init(extr
->ips
, extensions
))) {
1011 spin_unlock_bh(&tdb_lock
);
1012 KLIPS_PRINT(debug_pfkey
,
1013 "klips_debug:pfkey_update_parse: "
1014 "not successful for SA: %s, deleting.\n",
1015 sa_len
? sa
: " (error)");
1019 extr
->ips
->ips_life
.ipl_addtime
.ipl_count
= ipsq
->ips_life
.ipl_addtime
.ipl_count
;
1021 if((error
= ipsec_sa_delchain(ipsq
))) {
1022 spin_unlock_bh(&tdb_lock
);
1023 KLIPS_PRINT(debug_pfkey
,
1024 "klips_debug:pfkey_update_parse: "
1025 "error=%d, trouble deleting intermediate ipsec_sa for SA=%s.\n",
1027 sa_len
? sa
: " (error)");
1030 #ifdef CONFIG_IPSEC_NAT_TRAVERSAL
1034 spin_unlock_bh(&tdb_lock
);
1036 if(!(pfkey_safe_build(error
= pfkey_msg_hdr_build(&extensions_reply
[0],
1040 ((struct sadb_msg
*)extensions
[SADB_EXT_RESERVED
])->sadb_msg_seq
,
1041 ((struct sadb_msg
*)extensions
[SADB_EXT_RESERVED
])->sadb_msg_pid
),
1043 && pfkey_safe_build(error
= pfkey_sa_ref_build(&extensions_reply
[SADB_EXT_SA
],
1045 extr
->ips
->ips_said
.spi
,
1046 extr
->ips
->ips_replaywin
,
1047 extr
->ips
->ips_state
,
1048 extr
->ips
->ips_authalg
,
1049 extr
->ips
->ips_encalg
,
1050 extr
->ips
->ips_flags
,
1051 extr
->ips
->ips_ref
),
1053 /* The 3 lifetime extentions should only be sent if non-zero. */
1054 && (extensions
[SADB_EXT_LIFETIME_HARD
]
1055 ? pfkey_safe_build(error
= pfkey_lifetime_build(&extensions_reply
[SADB_EXT_LIFETIME_HARD
],
1056 SADB_EXT_LIFETIME_HARD
,
1057 extr
->ips
->ips_life
.ipl_allocations
.ipl_hard
,
1058 extr
->ips
->ips_life
.ipl_bytes
.ipl_hard
,
1059 extr
->ips
->ips_life
.ipl_addtime
.ipl_hard
,
1060 extr
->ips
->ips_life
.ipl_usetime
.ipl_hard
,
1061 extr
->ips
->ips_life
.ipl_packets
.ipl_hard
),
1062 extensions_reply
) : 1)
1063 && (extensions
[SADB_EXT_LIFETIME_SOFT
]
1064 ? pfkey_safe_build(error
= pfkey_lifetime_build(&extensions_reply
[SADB_EXT_LIFETIME_SOFT
],
1065 SADB_EXT_LIFETIME_SOFT
,
1066 extr
->ips
->ips_life
.ipl_allocations
.ipl_count
,
1067 extr
->ips
->ips_life
.ipl_bytes
.ipl_count
,
1068 extr
->ips
->ips_life
.ipl_addtime
.ipl_count
,
1069 extr
->ips
->ips_life
.ipl_usetime
.ipl_count
,
1070 extr
->ips
->ips_life
.ipl_packets
.ipl_count
),
1071 extensions_reply
) : 1)
1072 && (extr
->ips
->ips_life
.ipl_allocations
.ipl_count
1073 || extr
->ips
->ips_life
.ipl_bytes
.ipl_count
1074 || extr
->ips
->ips_life
.ipl_addtime
.ipl_count
1075 || extr
->ips
->ips_life
.ipl_usetime
.ipl_count
1076 || extr
->ips
->ips_life
.ipl_packets
.ipl_count
1078 ? pfkey_safe_build(error
= pfkey_lifetime_build(&extensions_reply
[SADB_EXT_LIFETIME_CURRENT
],
1079 SADB_EXT_LIFETIME_CURRENT
,
1080 extr
->ips
->ips_life
.ipl_allocations
.ipl_count
,
1081 extr
->ips
->ips_life
.ipl_bytes
.ipl_count
,
1082 extr
->ips
->ips_life
.ipl_addtime
.ipl_count
,
1083 extr
->ips
->ips_life
.ipl_usetime
.ipl_count
,
1084 extr
->ips
->ips_life
.ipl_packets
.ipl_count
),
1085 extensions_reply
) : 1)
1086 && pfkey_safe_build(error
= pfkey_address_build(&extensions_reply
[SADB_EXT_ADDRESS_SRC
],
1087 SADB_EXT_ADDRESS_SRC
,
1088 0, /*extr->ips->ips_said.proto,*/
1090 extr
->ips
->ips_addr_s
),
1092 && pfkey_safe_build(error
= pfkey_address_build(&extensions_reply
[SADB_EXT_ADDRESS_DST
],
1093 SADB_EXT_ADDRESS_DST
,
1094 0, /*extr->ips->ips_said.proto,*/
1096 extr
->ips
->ips_addr_d
),
1098 && (extr
->ips
->ips_ident_s
.data
1099 ? pfkey_safe_build(error
= pfkey_ident_build(&extensions_reply
[SADB_EXT_IDENTITY_SRC
],
1100 SADB_EXT_IDENTITY_SRC
,
1101 extr
->ips
->ips_ident_s
.type
,
1102 extr
->ips
->ips_ident_s
.id
,
1103 extr
->ips
->ips_ident_s
.len
,
1104 extr
->ips
->ips_ident_s
.data
),
1105 extensions_reply
) : 1)
1106 && (extr
->ips
->ips_ident_d
.data
1107 ? pfkey_safe_build(error
= pfkey_ident_build(&extensions_reply
[SADB_EXT_IDENTITY_DST
],
1108 SADB_EXT_IDENTITY_DST
,
1109 extr
->ips
->ips_ident_d
.type
,
1110 extr
->ips
->ips_ident_d
.id
,
1111 extr
->ips
->ips_ident_d
.len
,
1112 extr
->ips
->ips_ident_d
.data
),
1113 extensions_reply
) : 1)
1115 /* FIXME: This won't work yet because I have not finished
1117 && (extr
->ips
->ips_sens_
1118 ? pfkey_safe_build(error
= pfkey_sens_build(&extensions_reply
[SADB_EXT_SENSITIVITY
],
1119 extr
->ips
->ips_sens_dpd
,
1120 extr
->ips
->ips_sens_sens_level
,
1121 extr
->ips
->ips_sens_sens_len
,
1122 extr
->ips
->ips_sens_sens_bitmap
,
1123 extr
->ips
->ips_sens_integ_level
,
1124 extr
->ips
->ips_sens_integ_len
,
1125 extr
->ips
->ips_sens_integ_bitmap
),
1126 extensions_reply
) : 1)
1129 KLIPS_PRINT(debug_pfkey
, "klips_debug:pfkey_update_parse: "
1130 "failed to build the update reply message extensions\n");
1134 if((error
= pfkey_msg_build(&pfkey_reply
, extensions_reply
, EXT_BITS_OUT
))) {
1135 KLIPS_PRINT(debug_pfkey
, "klips_debug:pfkey_update_parse: "
1136 "failed to build the update reply message\n");
1139 for(pfkey_socketsp
= pfkey_open_sockets
;
1141 pfkey_socketsp
= pfkey_socketsp
->next
) {
1142 if((error
= pfkey_upmsg(pfkey_socketsp
->socketp
, pfkey_reply
))) {
1143 KLIPS_PRINT(debug_pfkey
, "klips_debug:pfkey_update_parse: "
1144 "sending up update reply message for satype=%d(%s) to socket=0p%p failed with error=%d.\n",
1146 satype2name(satype
),
1147 pfkey_socketsp
->socketp
,
1151 KLIPS_PRINT(debug_pfkey
, "klips_debug:pfkey_update_parse: "
1152 "sending up update reply message for satype=%d(%s) to socket=0p%p succeeded.\n",
1154 satype2name(satype
),
1155 pfkey_socketsp
->socketp
);
1158 #ifdef CONFIG_IPSEC_NAT_TRAVERSAL
1159 if (nat_t_ips_saved
) {
1161 * As we _really_ update existing SA, we keep tdbq and need to delete
1162 * parsed ips (nat_t_ips_saved, was extr->ips).
1164 * goto errlab with extr->ips = nat_t_ips_saved will free it.
1167 extr
->ips
= nat_t_ips_saved
;
1170 KLIPS_PRINT(debug_pfkey
,
1171 "klips_debug:pfkey_update_parse (NAT-T ports): "
1172 "successful for SA: %s\n",
1173 sa_len
? sa
: " (error)");
1179 if((error
= ipsec_sa_add(extr
->ips
))) {
1180 KLIPS_PRINT(debug_pfkey
, "klips_debug:pfkey_update_parse: "
1181 "failed to update the mature SA=%s with error=%d.\n",
1182 sa_len
? sa
: " (error)",
1188 KLIPS_PRINT(debug_pfkey
,
1189 "klips_debug:pfkey_update_parse: "
1190 "successful for SA: %s\n",
1191 sa_len
? sa
: " (error)");
1195 pfkey_msg_free(&pfkey_reply
);
1197 pfkey_extensions_free(extensions_reply
);
1202 pfkey_add_parse(struct sock
*sk
, struct sadb_ext
**extensions
, struct pfkey_extracted_data
* extr
)
1205 struct ipsec_sa
* ipsq
;
1208 struct sadb_ext
*extensions_reply
[SADB_EXT_MAX
+1];
1209 struct sadb_msg
*pfkey_reply
= NULL
;
1210 struct socket_list
*pfkey_socketsp
;
1211 uint8_t satype
= ((struct sadb_msg
*)extensions
[SADB_EXT_RESERVED
])->sadb_msg_satype
;
1213 KLIPS_PRINT(debug_pfkey
,
1214 "klips_debug:pfkey_add_parse: .\n");
1216 pfkey_extensions_init(extensions_reply
);
1218 if(((struct sadb_sa
*)extensions
[SADB_EXT_SA
])->sadb_sa_state
!= SADB_SASTATE_MATURE
) {
1219 KLIPS_PRINT(debug_pfkey
,
1220 "klips_debug:pfkey_add_parse: "
1221 "error, sa_state=%d must be MATURE=%d\n",
1222 ((struct sadb_sa
*)extensions
[SADB_EXT_SA
])->sadb_sa_state
,
1223 SADB_SASTATE_MATURE
);
1227 if(!extr
|| !extr
->ips
) {
1228 KLIPS_PRINT(debug_pfkey
,
1229 "klips_debug:pfkey_add_parse: "
1230 "extr or extr->ips pointer NULL\n");
1234 sa_len
= satoa(extr
->ips
->ips_said
, 0, sa
, SATOA_BUF
);
1236 ipsq
= ipsec_sa_getbyid(&(extr
->ips
->ips_said
));
1239 KLIPS_PRINT(debug_pfkey
,
1240 "klips_debug:pfkey_add_parse: "
1241 "found an old ipsec_sa for SA%s, delete it first.\n",
1242 sa_len
? sa
: " (error)");
1246 if(ip_chk_addr((unsigned long)extr
->ips
->ips_said
.dst
.s_addr
) == IS_MYADDR
) {
1247 extr
->ips
->ips_flags
|= EMT_INBOUND
;
1250 KLIPS_PRINT(debug_pfkey
,
1251 "klips_debug:pfkey_add_parse: "
1252 "existing ipsec_sa not found (this is good) for SA%s, %s-bound, allocating.\n",
1253 sa_len
? sa
: " (error)",
1254 extr
->ips
->ips_flags
& EMT_INBOUND
? "in" : "out");
1256 /* XXX extr->ips->ips_rcvif = &(enc_softc[em->em_if].enc_if);*/
1257 extr
->ips
->ips_rcvif
= NULL
;
1259 if ((error
= pfkey_ipsec_sa_init(extr
->ips
, extensions
))) {
1260 KLIPS_PRINT(debug_pfkey
,
1261 "klips_debug:pfkey_add_parse: "
1262 "not successful for SA: %s, deleting.\n",
1263 sa_len
? sa
: " (error)");
1267 extr
->ips
->ips_life
.ipl_addtime
.ipl_count
= jiffies
/ HZ
;
1268 if(!extr
->ips
->ips_life
.ipl_allocations
.ipl_count
) {
1269 extr
->ips
->ips_life
.ipl_allocations
.ipl_count
+= 1;
1272 if(!(pfkey_safe_build(error
= pfkey_msg_hdr_build(&extensions_reply
[0],
1276 ((struct sadb_msg
*)extensions
[SADB_EXT_RESERVED
])->sadb_msg_seq
,
1277 ((struct sadb_msg
*)extensions
[SADB_EXT_RESERVED
])->sadb_msg_pid
),
1279 && pfkey_safe_build(error
= pfkey_sa_ref_build(&extensions_reply
[SADB_EXT_SA
],
1281 extr
->ips
->ips_said
.spi
,
1282 extr
->ips
->ips_replaywin
,
1283 extr
->ips
->ips_state
,
1284 extr
->ips
->ips_authalg
,
1285 extr
->ips
->ips_encalg
,
1286 extr
->ips
->ips_flags
,
1287 extr
->ips
->ips_ref
),
1289 /* The 3 lifetime extentions should only be sent if non-zero. */
1290 && (extensions
[SADB_EXT_LIFETIME_HARD
]
1291 ? pfkey_safe_build(error
= pfkey_lifetime_build(&extensions_reply
[SADB_EXT_LIFETIME_HARD
],
1292 SADB_EXT_LIFETIME_HARD
,
1293 extr
->ips
->ips_life
.ipl_allocations
.ipl_hard
,
1294 extr
->ips
->ips_life
.ipl_bytes
.ipl_hard
,
1295 extr
->ips
->ips_life
.ipl_addtime
.ipl_hard
,
1296 extr
->ips
->ips_life
.ipl_usetime
.ipl_hard
,
1297 extr
->ips
->ips_life
.ipl_packets
.ipl_hard
),
1298 extensions_reply
) : 1)
1299 && (extensions
[SADB_EXT_LIFETIME_SOFT
]
1300 ? pfkey_safe_build(error
= pfkey_lifetime_build(&extensions_reply
[SADB_EXT_LIFETIME_SOFT
],
1301 SADB_EXT_LIFETIME_SOFT
,
1302 extr
->ips
->ips_life
.ipl_allocations
.ipl_soft
,
1303 extr
->ips
->ips_life
.ipl_bytes
.ipl_soft
,
1304 extr
->ips
->ips_life
.ipl_addtime
.ipl_soft
,
1305 extr
->ips
->ips_life
.ipl_usetime
.ipl_soft
,
1306 extr
->ips
->ips_life
.ipl_packets
.ipl_soft
),
1307 extensions_reply
) : 1)
1308 && pfkey_safe_build(error
= pfkey_address_build(&extensions_reply
[SADB_EXT_ADDRESS_SRC
],
1309 SADB_EXT_ADDRESS_SRC
,
1310 0, /*extr->ips->ips_said.proto,*/
1312 extr
->ips
->ips_addr_s
),
1314 && pfkey_safe_build(error
= pfkey_address_build(&extensions_reply
[SADB_EXT_ADDRESS_DST
],
1315 SADB_EXT_ADDRESS_DST
,
1316 0, /*extr->ips->ips_said.proto,*/
1318 extr
->ips
->ips_addr_d
),
1320 && (extr
->ips
->ips_ident_s
.data
1321 ? pfkey_safe_build(error
= pfkey_ident_build(&extensions_reply
[SADB_EXT_IDENTITY_SRC
],
1322 SADB_EXT_IDENTITY_SRC
,
1323 extr
->ips
->ips_ident_s
.type
,
1324 extr
->ips
->ips_ident_s
.id
,
1325 extr
->ips
->ips_ident_s
.len
,
1326 extr
->ips
->ips_ident_s
.data
),
1327 extensions_reply
) : 1)
1328 && (extr
->ips
->ips_ident_d
.data
1329 ? pfkey_safe_build(error
= pfkey_ident_build(&extensions_reply
[SADB_EXT_IDENTITY_DST
],
1330 SADB_EXT_IDENTITY_DST
,
1331 extr
->ips
->ips_ident_d
.type
,
1332 extr
->ips
->ips_ident_d
.id
,
1333 extr
->ips
->ips_ident_d
.len
,
1334 extr
->ips
->ips_ident_d
.data
),
1335 extensions_reply
) : 1)
1337 /* FIXME: This won't work yet because I have not finished
1339 && (extr
->ips
->ips_sens_
1340 ? pfkey_safe_build(error
= pfkey_sens_build(&extensions_reply
[SADB_EXT_SENSITIVITY
],
1341 extr
->ips
->ips_sens_dpd
,
1342 extr
->ips
->ips_sens_sens_level
,
1343 extr
->ips
->ips_sens_sens_len
,
1344 extr
->ips
->ips_sens_sens_bitmap
,
1345 extr
->ips
->ips_sens_integ_level
,
1346 extr
->ips
->ips_sens_integ_len
,
1347 extr
->ips
->ips_sens_integ_bitmap
),
1348 extensions_reply
) : 1)
1351 KLIPS_PRINT(debug_pfkey
, "klips_debug:pfkey_add_parse: "
1352 "failed to build the add reply message extensions\n");
1356 if((error
= pfkey_msg_build(&pfkey_reply
, extensions_reply
, EXT_BITS_OUT
))) {
1357 KLIPS_PRINT(debug_pfkey
, "klips_debug:pfkey_add_parse: "
1358 "failed to build the add reply message\n");
1361 for(pfkey_socketsp
= pfkey_open_sockets
;
1363 pfkey_socketsp
= pfkey_socketsp
->next
) {
1364 if((error
= pfkey_upmsg(pfkey_socketsp
->socketp
, pfkey_reply
))) {
1365 KLIPS_PRINT(debug_pfkey
, "klips_debug:pfkey_add_parse: "
1366 "sending up add reply message for satype=%d(%s) to socket=0p%p failed with error=%d.\n",
1368 satype2name(satype
),
1369 pfkey_socketsp
->socketp
,
1373 KLIPS_PRINT(debug_pfkey
, "klips_debug:pfkey_add_parse: "
1374 "sending up add reply message for satype=%d(%s) to socket=0p%p succeeded.\n",
1376 satype2name(satype
),
1377 pfkey_socketsp
->socketp
);
1380 if((error
= ipsec_sa_add(extr
->ips
))) {
1381 KLIPS_PRINT(debug_pfkey
, "klips_debug:pfkey_add_parse: "
1382 "failed to add the mature SA=%s with error=%d.\n",
1383 sa_len
? sa
: " (error)",
1389 KLIPS_PRINT(debug_pfkey
,
1390 "klips_debug:pfkey_add_parse: "
1391 "successful for SA: %s\n",
1392 sa_len
? sa
: " (error)");
1396 pfkey_msg_free(&pfkey_reply
);
1398 pfkey_extensions_free(extensions_reply
);
1403 pfkey_delete_parse(struct sock
*sk
, struct sadb_ext
**extensions
, struct pfkey_extracted_data
* extr
)
1405 struct ipsec_sa
*ipsp
;
1409 struct sadb_ext
*extensions_reply
[SADB_EXT_MAX
+1];
1410 struct sadb_msg
*pfkey_reply
= NULL
;
1411 struct socket_list
*pfkey_socketsp
;
1412 uint8_t satype
= ((struct sadb_msg
*)extensions
[SADB_EXT_RESERVED
])->sadb_msg_satype
;
1414 KLIPS_PRINT(debug_pfkey
,
1415 "klips_debug:pfkey_delete_parse: .\n");
1417 pfkey_extensions_init(extensions_reply
);
1419 if(!extr
|| !extr
->ips
) {
1420 KLIPS_PRINT(debug_pfkey
,
1421 "klips_debug:pfkey_delete_parse: "
1422 "extr or extr->ips pointer NULL, fatal\n");
1426 sa_len
= satoa(extr
->ips
->ips_said
, 0, sa
, SATOA_BUF
);
1428 spin_lock_bh(&tdb_lock
);
1430 ipsp
= ipsec_sa_getbyid(&(extr
->ips
->ips_said
));
1432 spin_unlock_bh(&tdb_lock
);
1433 KLIPS_PRINT(debug_pfkey
,
1434 "klips_debug:pfkey_delete_parse: "
1435 "ipsec_sa not found for SA:%s, could not delete.\n",
1436 sa_len
? sa
: " (error)");
1441 if((error
= ipsec_sa_delchain(ipsp
))) {
1442 spin_unlock_bh(&tdb_lock
);
1443 KLIPS_PRINT(debug_pfkey
,
1444 "klips_debug:pfkey_delete_parse: "
1445 "error=%d returned trying to delete ipsec_sa for SA:%s.\n",
1447 sa_len
? sa
: " (error)");
1450 spin_unlock_bh(&tdb_lock
);
1452 if(!(pfkey_safe_build(error
= pfkey_msg_hdr_build(&extensions_reply
[0],
1456 ((struct sadb_msg
*)extensions
[SADB_EXT_RESERVED
])->sadb_msg_seq
,
1457 ((struct sadb_msg
*)extensions
[SADB_EXT_RESERVED
])->sadb_msg_pid
),
1459 && pfkey_safe_build(error
= pfkey_sa_ref_build(&extensions_reply
[SADB_EXT_SA
],
1461 extr
->ips
->ips_said
.spi
,
1467 extr
->ips
->ips_ref
),
1469 && pfkey_safe_build(error
= pfkey_address_build(&extensions_reply
[SADB_EXT_ADDRESS_SRC
],
1470 SADB_EXT_ADDRESS_SRC
,
1471 0, /*extr->ips->ips_said.proto,*/
1473 extr
->ips
->ips_addr_s
),
1475 && pfkey_safe_build(error
= pfkey_address_build(&extensions_reply
[SADB_EXT_ADDRESS_DST
],
1476 SADB_EXT_ADDRESS_DST
,
1477 0, /*extr->ips->ips_said.proto,*/
1479 extr
->ips
->ips_addr_d
),
1482 KLIPS_PRINT(debug_pfkey
, "klips_debug:pfkey_delete_parse: "
1483 "failed to build the delete reply message extensions\n");
1487 if((error
= pfkey_msg_build(&pfkey_reply
, extensions_reply
, EXT_BITS_OUT
))) {
1488 KLIPS_PRINT(debug_pfkey
, "klips_debug:pfkey_delete_parse: "
1489 "failed to build the delete reply message\n");
1492 for(pfkey_socketsp
= pfkey_open_sockets
;
1494 pfkey_socketsp
= pfkey_socketsp
->next
) {
1495 if((error
= pfkey_upmsg(pfkey_socketsp
->socketp
, pfkey_reply
))) {
1496 KLIPS_PRINT(debug_pfkey
, "klips_debug:pfkey_delete_parse: "
1497 "sending up delete reply message for satype=%d(%s) to socket=0p%p failed with error=%d.\n",
1499 satype2name(satype
),
1500 pfkey_socketsp
->socketp
,
1504 KLIPS_PRINT(debug_pfkey
, "klips_debug:pfkey_delete_parse: "
1505 "sending up delete reply message for satype=%d(%s) to socket=0p%p succeeded.\n",
1507 satype2name(satype
),
1508 pfkey_socketsp
->socketp
);
1513 pfkey_msg_free(&pfkey_reply
);
1515 pfkey_extensions_free(extensions_reply
);
1520 pfkey_get_parse(struct sock
*sk
, struct sadb_ext
**extensions
, struct pfkey_extracted_data
* extr
)
1523 struct ipsec_sa
*ipsp
;
1526 struct sadb_ext
*extensions_reply
[SADB_EXT_MAX
+1];
1527 struct sadb_msg
*pfkey_reply
= NULL
;
1529 KLIPS_PRINT(debug_pfkey
,
1530 "klips_debug:pfkey_get_parse: .\n");
1532 pfkey_extensions_init(extensions_reply
);
1534 if(!extr
|| !extr
->ips
) {
1535 KLIPS_PRINT(debug_pfkey
,
1536 "klips_debug:pfkey_get_parse: "
1537 "extr or extr->ips pointer NULL, fatal\n");
1541 sa_len
= satoa(extr
->ips
->ips_said
, 0, sa
, SATOA_BUF
);
1543 spin_lock_bh(&tdb_lock
);
1545 ipsp
= ipsec_sa_getbyid(&(extr
->ips
->ips_said
));
1547 spin_unlock_bh(&tdb_lock
);
1548 KLIPS_PRINT(debug_pfkey
, "klips_debug:pfkey_get_parse: "
1549 "ipsec_sa not found for SA=%s, could not get.\n",
1550 sa_len
? sa
: " (error)");
1554 if(!(pfkey_safe_build(error
= pfkey_msg_hdr_build(&extensions_reply
[0],
1556 ((struct sadb_msg
*)extensions
[SADB_EXT_RESERVED
])->sadb_msg_satype
,
1558 ((struct sadb_msg
*)extensions
[SADB_EXT_RESERVED
])->sadb_msg_seq
,
1559 ((struct sadb_msg
*)extensions
[SADB_EXT_RESERVED
])->sadb_msg_pid
),
1561 && pfkey_safe_build(error
= pfkey_sa_ref_build(&extensions_reply
[SADB_EXT_SA
],
1563 extr
->ips
->ips_said
.spi
,
1564 extr
->ips
->ips_replaywin
,
1565 extr
->ips
->ips_state
,
1566 extr
->ips
->ips_authalg
,
1567 extr
->ips
->ips_encalg
,
1568 extr
->ips
->ips_flags
,
1569 extr
->ips
->ips_ref
),
1571 /* The 3 lifetime extentions should only be sent if non-zero. */
1572 && (ipsp
->ips_life
.ipl_allocations
.ipl_count
1573 || ipsp
->ips_life
.ipl_bytes
.ipl_count
1574 || ipsp
->ips_life
.ipl_addtime
.ipl_count
1575 || ipsp
->ips_life
.ipl_usetime
.ipl_count
1576 || ipsp
->ips_life
.ipl_packets
.ipl_count
1577 ? pfkey_safe_build(error
= pfkey_lifetime_build(&extensions_reply
[SADB_EXT_LIFETIME_CURRENT
],
1578 SADB_EXT_LIFETIME_CURRENT
,
1579 ipsp
->ips_life
.ipl_allocations
.ipl_count
,
1580 ipsp
->ips_life
.ipl_bytes
.ipl_count
,
1581 ipsp
->ips_life
.ipl_addtime
.ipl_count
,
1582 ipsp
->ips_life
.ipl_usetime
.ipl_count
,
1583 ipsp
->ips_life
.ipl_packets
.ipl_count
),
1584 extensions_reply
) : 1)
1585 && (ipsp
->ips_life
.ipl_allocations
.ipl_hard
1586 || ipsp
->ips_life
.ipl_bytes
.ipl_hard
1587 || ipsp
->ips_life
.ipl_addtime
.ipl_hard
1588 || ipsp
->ips_life
.ipl_usetime
.ipl_hard
1589 || ipsp
->ips_life
.ipl_packets
.ipl_hard
1590 ? pfkey_safe_build(error
= pfkey_lifetime_build(&extensions_reply
[SADB_EXT_LIFETIME_HARD
],
1591 SADB_EXT_LIFETIME_HARD
,
1592 ipsp
->ips_life
.ipl_allocations
.ipl_hard
,
1593 ipsp
->ips_life
.ipl_bytes
.ipl_hard
,
1594 ipsp
->ips_life
.ipl_addtime
.ipl_hard
,
1595 ipsp
->ips_life
.ipl_usetime
.ipl_hard
,
1596 ipsp
->ips_life
.ipl_packets
.ipl_hard
),
1597 extensions_reply
) : 1)
1598 && (ipsp
->ips_life
.ipl_allocations
.ipl_soft
1599 || ipsp
->ips_life
.ipl_bytes
.ipl_soft
1600 || ipsp
->ips_life
.ipl_addtime
.ipl_soft
1601 || ipsp
->ips_life
.ipl_usetime
.ipl_soft
1602 || ipsp
->ips_life
.ipl_packets
.ipl_soft
1603 ? pfkey_safe_build(error
= pfkey_lifetime_build(&extensions_reply
[SADB_EXT_LIFETIME_SOFT
],
1604 SADB_EXT_LIFETIME_SOFT
,
1605 ipsp
->ips_life
.ipl_allocations
.ipl_soft
,
1606 ipsp
->ips_life
.ipl_bytes
.ipl_soft
,
1607 ipsp
->ips_life
.ipl_addtime
.ipl_soft
,
1608 ipsp
->ips_life
.ipl_usetime
.ipl_soft
,
1609 ipsp
->ips_life
.ipl_packets
.ipl_soft
),
1610 extensions_reply
) : 1)
1611 && pfkey_safe_build(error
= pfkey_address_build(&extensions_reply
[SADB_EXT_ADDRESS_SRC
],
1612 SADB_EXT_ADDRESS_SRC
,
1613 0, /*extr->ips->ips_said.proto,*/
1615 extr
->ips
->ips_addr_s
),
1617 && pfkey_safe_build(error
= pfkey_address_build(&extensions_reply
[SADB_EXT_ADDRESS_DST
],
1618 SADB_EXT_ADDRESS_DST
,
1619 0, /*extr->ips->ips_said.proto,*/
1621 extr
->ips
->ips_addr_d
),
1623 && (extr
->ips
->ips_addr_p
1624 ? pfkey_safe_build(error
= pfkey_address_build(&extensions_reply
[SADB_EXT_ADDRESS_PROXY
],
1625 SADB_EXT_ADDRESS_PROXY
,
1626 0, /*extr->ips->ips_said.proto,*/
1628 extr
->ips
->ips_addr_p
),
1629 extensions_reply
) : 1)
1631 /* FIXME: This won't work yet because the keys are not
1632 stored directly in the ipsec_sa. They are stored as
1634 && (extr
->ips
->ips_key_a_size
1635 ? pfkey_safe_build(error
= pfkey_key_build(&extensions_reply
[SADB_EXT_KEY_AUTH
],
1637 extr
->ips
->ips_key_a_size
* 8,
1638 extr
->ips
->ips_key_a
),
1639 extensions_reply
) : 1)
1640 /* FIXME: This won't work yet because the keys are not
1641 stored directly in the ipsec_sa. They are stored as
1643 && (extr
->ips
->ips_key_e_size
1644 ? pfkey_safe_build(error
= pfkey_key_build(&extensions_reply
[SADB_EXT_KEY_ENCRYPT
],
1645 SADB_EXT_KEY_ENCRYPT
,
1646 extr
->ips
->ips_key_e_size
* 8,
1647 extr
->ips
->ips_key_e
),
1648 extensions_reply
) : 1)
1650 && (extr
->ips
->ips_ident_s
.data
1651 ? pfkey_safe_build(error
= pfkey_ident_build(&extensions_reply
[SADB_EXT_IDENTITY_SRC
],
1652 SADB_EXT_IDENTITY_SRC
,
1653 extr
->ips
->ips_ident_s
.type
,
1654 extr
->ips
->ips_ident_s
.id
,
1655 extr
->ips
->ips_ident_s
.len
,
1656 extr
->ips
->ips_ident_s
.data
),
1657 extensions_reply
) : 1)
1658 && (extr
->ips
->ips_ident_d
.data
1659 ? pfkey_safe_build(error
= pfkey_ident_build(&extensions_reply
[SADB_EXT_IDENTITY_DST
],
1660 SADB_EXT_IDENTITY_DST
,
1661 extr
->ips
->ips_ident_d
.type
,
1662 extr
->ips
->ips_ident_d
.id
,
1663 extr
->ips
->ips_ident_d
.len
,
1664 extr
->ips
->ips_ident_d
.data
),
1665 extensions_reply
) : 1)
1667 /* FIXME: This won't work yet because I have not finished
1669 && (extr
->ips
->ips_sens_
1670 ? pfkey_safe_build(error
= pfkey_sens_build(&extensions_reply
[SADB_EXT_SENSITIVITY
],
1671 extr
->ips
->ips_sens_dpd
,
1672 extr
->ips
->ips_sens_sens_level
,
1673 extr
->ips
->ips_sens_sens_len
,
1674 extr
->ips
->ips_sens_sens_bitmap
,
1675 extr
->ips
->ips_sens_integ_level
,
1676 extr
->ips
->ips_sens_integ_len
,
1677 extr
->ips
->ips_sens_integ_bitmap
),
1678 extensions_reply
) : 1)
1681 KLIPS_PRINT(debug_pfkey
, "klips_debug:pfkey_get_parse: "
1682 "failed to build the get reply message extensions\n");
1684 spin_unlock_bh(&tdb_lock
);
1689 spin_unlock_bh(&tdb_lock
);
1691 if((error
= pfkey_msg_build(&pfkey_reply
, extensions_reply
, EXT_BITS_OUT
))) {
1692 KLIPS_PRINT(debug_pfkey
, "klips_debug:pfkey_get_parse: "
1693 "failed to build the get reply message\n");
1697 if((error
= pfkey_upmsg(sk
->socket
, pfkey_reply
))) {
1698 KLIPS_PRINT(debug_pfkey
, "klips_debug:pfkey_get_parse: "
1699 "failed to send the get reply message\n");
1703 KLIPS_PRINT(debug_pfkey
, "klips_debug:pfkey_get_parse: "
1704 "succeeded in sending get reply message.\n");
1708 pfkey_msg_free(&pfkey_reply
);
1710 pfkey_extensions_free(extensions_reply
);
1715 pfkey_acquire_parse(struct sock
*sk
, struct sadb_ext
**extensions
, struct pfkey_extracted_data
* extr
)
1718 struct socket_list
*pfkey_socketsp
;
1719 uint8_t satype
= ((struct sadb_msg
*)extensions
[SADB_EXT_RESERVED
])->sadb_msg_satype
;
1721 KLIPS_PRINT(debug_pfkey
,
1722 "klips_debug:pfkey_acquire_parse: .\n");
1724 /* XXX I don't know if we want an upper bound, since userspace may
1725 want to register itself for an satype > SADB_SATYPE_MAX. */
1726 if((satype
== 0) || (satype
> SADB_SATYPE_MAX
)) {
1727 KLIPS_PRINT(debug_pfkey
,
1728 "klips_debug:pfkey_acquire_parse: "
1729 "SATYPE=%d invalid.\n",
1734 if(!(pfkey_registered_sockets
[satype
])) {
1735 KLIPS_PRINT(debug_pfkey
, "klips_debug:pfkey_acquire_parse: "
1736 "no sockets registered for SAtype=%d(%s).\n",
1738 satype2name(satype
));
1739 SENDERR(EPROTONOSUPPORT
);
1742 for(pfkey_socketsp
= pfkey_registered_sockets
[satype
];
1744 pfkey_socketsp
= pfkey_socketsp
->next
) {
1745 if((error
= pfkey_upmsg(pfkey_socketsp
->socketp
,
1746 ((struct sadb_msg
*)extensions
[SADB_EXT_RESERVED
])))) {
1747 KLIPS_PRINT(debug_pfkey
, "klips_debug:pfkey_acquire_parse: "
1748 "sending up acquire reply message for satype=%d(%s) to socket=0p%p failed with error=%d.\n",
1750 satype2name(satype
),
1751 pfkey_socketsp
->socketp
,
1755 KLIPS_PRINT(debug_pfkey
, "klips_debug:pfkey_acquire_parse: "
1756 "sending up acquire reply message for satype=%d(%s) to socket=0p%p succeeded.\n",
1758 satype2name(satype
),
1759 pfkey_socketsp
->socketp
);
1767 pfkey_register_parse(struct sock
*sk
, struct sadb_ext
**extensions
, struct pfkey_extracted_data
* extr
)
1770 uint8_t satype
= ((struct sadb_msg
*)extensions
[SADB_EXT_RESERVED
])->sadb_msg_satype
;
1772 KLIPS_PRINT(debug_pfkey
,
1773 "klips_debug:pfkey_register_parse: .\n");
1775 /* XXX I don't know if we want an upper bound, since userspace may
1776 want to register itself for an satype > SADB_SATYPE_MAX. */
1777 if((satype
== 0) || (satype
> SADB_SATYPE_MAX
)) {
1778 KLIPS_PRINT(debug_pfkey
,
1779 "klips_debug:pfkey_register_parse: "
1780 "SATYPE=%d invalid.\n",
1785 if(!pfkey_list_insert_socket(sk
->socket
,
1786 &(pfkey_registered_sockets
[satype
]))) {
1787 KLIPS_PRINT(debug_pfkey
,
1788 "klips_debug:pfkey_register_parse: "
1789 "SATYPE=%02d(%s) successfully registered by KMd (pid=%d).\n",
1791 satype2name(satype
),
1795 /* send up register msg with supported SATYPE algos */
1797 error
=pfkey_register_reply(satype
, (struct sadb_msg
*)extensions
[SADB_EXT_RESERVED
]);
1802 pfkey_register_reply(int satype
, struct sadb_msg
*sadb_msg
)
1804 struct sadb_ext
*extensions_reply
[SADB_EXT_MAX
+1];
1805 struct sadb_msg
*pfkey_reply
= NULL
;
1806 struct socket_list
*pfkey_socketsp
;
1807 struct supported_list
*pfkey_supported_listp
;
1808 unsigned int alg_num_a
= 0, alg_num_e
= 0;
1809 struct sadb_alg
*alg_a
= NULL
, *alg_e
= NULL
, *alg_ap
= NULL
, *alg_ep
= NULL
;
1812 pfkey_extensions_init(extensions_reply
);
1814 if((satype
== 0) || (satype
> SADB_SATYPE_MAX
)) {
1815 KLIPS_PRINT(debug_pfkey
, "klips_debug:pfkey_register_reply: "
1816 "SAtype=%d unspecified or unknown.\n",
1820 if(!(pfkey_registered_sockets
[satype
])) {
1821 KLIPS_PRINT(debug_pfkey
, "klips_debug:pfkey_register_reply: "
1822 "no sockets registered for SAtype=%d(%s).\n",
1824 satype2name(satype
));
1825 SENDERR(EPROTONOSUPPORT
);
1827 /* send up register msg with supported SATYPE algos */
1828 pfkey_supported_listp
= pfkey_supported_list
[satype
];
1829 KLIPS_PRINT(debug_pfkey
,
1830 "klips_debug:pfkey_register_reply: "
1831 "pfkey_supported_list[%d]=0p%p\n",
1833 pfkey_supported_list
[satype
]);
1834 while(pfkey_supported_listp
) {
1835 KLIPS_PRINT(debug_pfkey
,
1836 "klips_debug:pfkey_register_reply: "
1837 "checking supported=0p%p\n",
1838 pfkey_supported_listp
);
1839 if(pfkey_supported_listp
->supportedp
->supported_alg_exttype
== SADB_EXT_SUPPORTED_AUTH
) {
1840 KLIPS_PRINT(debug_pfkey
,
1841 "klips_debug:pfkey_register_reply: "
1842 "adding auth alg.\n");
1845 if(pfkey_supported_listp
->supportedp
->supported_alg_exttype
== SADB_EXT_SUPPORTED_ENCRYPT
) {
1846 KLIPS_PRINT(debug_pfkey
,
1847 "klips_debug:pfkey_register_reply: "
1848 "adding encrypt alg.\n");
1851 pfkey_supported_listp
= pfkey_supported_listp
->next
;
1855 KLIPS_PRINT(debug_pfkey
,
1856 "klips_debug:pfkey_register_reply: "
1857 "allocating %lu bytes for auth algs.\n",
1858 (unsigned long) (alg_num_a
* sizeof(struct sadb_alg
)));
1859 if((alg_a
= kmalloc(alg_num_a
* sizeof(struct sadb_alg
), GFP_ATOMIC
) ) == NULL
) {
1860 KLIPS_PRINT(debug_pfkey
,
1861 "klips_debug:pfkey_register_reply: "
1862 "auth alg memory allocation error\n");
1869 KLIPS_PRINT(debug_pfkey
,
1870 "klips_debug:pfkey_register_reply: "
1871 "allocating %lu bytes for enc algs.\n",
1872 (unsigned long) (alg_num_e
* sizeof(struct sadb_alg
)));
1873 if((alg_e
= kmalloc(alg_num_e
* sizeof(struct sadb_alg
), GFP_ATOMIC
) ) == NULL
) {
1874 KLIPS_PRINT(debug_pfkey
,
1875 "klips_debug:pfkey_register_reply: "
1876 "enc alg memory allocation error\n");
1882 pfkey_supported_listp
= pfkey_supported_list
[satype
];
1883 while(pfkey_supported_listp
) {
1885 if(pfkey_supported_listp
->supportedp
->supported_alg_exttype
== SADB_EXT_SUPPORTED_AUTH
) {
1886 alg_ap
->sadb_alg_id
= pfkey_supported_listp
->supportedp
->supported_alg_id
;
1887 alg_ap
->sadb_alg_ivlen
= pfkey_supported_listp
->supportedp
->supported_alg_ivlen
;
1888 alg_ap
->sadb_alg_minbits
= pfkey_supported_listp
->supportedp
->supported_alg_minbits
;
1889 alg_ap
->sadb_alg_maxbits
= pfkey_supported_listp
->supportedp
->supported_alg_maxbits
;
1890 alg_ap
->sadb_alg_reserved
= 0;
1891 KLIPS_PRINT(debug_pfkey
&& sysctl_ipsec_debug_verbose
,
1892 "klips_debug:pfkey_register_reply: "
1893 "adding auth=0p%p\n",
1899 if(pfkey_supported_listp
->supportedp
->supported_alg_exttype
== SADB_EXT_SUPPORTED_ENCRYPT
) {
1900 alg_ep
->sadb_alg_id
= pfkey_supported_listp
->supportedp
->supported_alg_id
;
1901 alg_ep
->sadb_alg_ivlen
= pfkey_supported_listp
->supportedp
->supported_alg_ivlen
;
1902 alg_ep
->sadb_alg_minbits
= pfkey_supported_listp
->supportedp
->supported_alg_minbits
;
1903 alg_ep
->sadb_alg_maxbits
= pfkey_supported_listp
->supportedp
->supported_alg_maxbits
;
1904 alg_ep
->sadb_alg_reserved
= 0;
1905 KLIPS_PRINT(debug_pfkey
&& sysctl_ipsec_debug_verbose
,
1906 "klips_debug:pfkey_register_reply: "
1907 "adding encrypt=0p%p\n",
1912 KLIPS_PRINT(debug_pfkey
,
1913 "klips_debug:pfkey_register_reply: "
1914 "found satype=%d(%s) exttype=%d id=%d ivlen=%d minbits=%d maxbits=%d.\n",
1916 satype2name(satype
),
1917 pfkey_supported_listp
->supportedp
->supported_alg_exttype
,
1918 pfkey_supported_listp
->supportedp
->supported_alg_id
,
1919 pfkey_supported_listp
->supportedp
->supported_alg_ivlen
,
1920 pfkey_supported_listp
->supportedp
->supported_alg_minbits
,
1921 pfkey_supported_listp
->supportedp
->supported_alg_maxbits
);
1922 pfkey_supported_listp
= pfkey_supported_listp
->next
;
1924 if(!(pfkey_safe_build(error
= pfkey_msg_hdr_build(&extensions_reply
[0],
1928 sadb_msg
? sadb_msg
->sadb_msg_seq
: ++pfkey_msg_seq
,
1929 sadb_msg
? sadb_msg
->sadb_msg_pid
: current
->pid
),
1930 extensions_reply
) &&
1931 (alg_num_a
? pfkey_safe_build(error
= pfkey_supported_build(&extensions_reply
[SADB_EXT_SUPPORTED_AUTH
],
1932 SADB_EXT_SUPPORTED_AUTH
,
1935 extensions_reply
) : 1) &&
1936 (alg_num_e
? pfkey_safe_build(error
= pfkey_supported_build(&extensions_reply
[SADB_EXT_SUPPORTED_ENCRYPT
],
1937 SADB_EXT_SUPPORTED_ENCRYPT
,
1940 extensions_reply
) : 1))) {
1941 KLIPS_PRINT(debug_pfkey
, "klips_debug:pfkey_register_reply: "
1942 "failed to build the register message extensions_reply\n");
1946 if((error
= pfkey_msg_build(&pfkey_reply
, extensions_reply
, EXT_BITS_OUT
))) {
1947 KLIPS_PRINT(debug_pfkey
, "klips_debug:pfkey_register_reply: "
1948 "failed to build the register message\n");
1951 /* this should go to all registered sockets for that satype only */
1952 for(pfkey_socketsp
= pfkey_registered_sockets
[satype
];
1954 pfkey_socketsp
= pfkey_socketsp
->next
) {
1955 if((error
= pfkey_upmsg(pfkey_socketsp
->socketp
, pfkey_reply
))) {
1956 KLIPS_PRINT(debug_pfkey
, "klips_debug:pfkey_register_reply: "
1957 "sending up acquire message for satype=%d(%s) to socket=0p%p failed with error=%d.\n",
1959 satype2name(satype
),
1960 pfkey_socketsp
->socketp
,
1964 KLIPS_PRINT(debug_pfkey
, "klips_debug:pfkey_register_reply: "
1965 "sending up register message for satype=%d(%s) to socket=0p%p succeeded.\n",
1967 satype2name(satype
),
1968 pfkey_socketsp
->socketp
);
1979 pfkey_msg_free(&pfkey_reply
);
1981 pfkey_extensions_free(extensions_reply
);
1986 pfkey_expire_parse(struct sock
*sk
, struct sadb_ext
**extensions
, struct pfkey_extracted_data
* extr
)
1989 struct socket_list
*pfkey_socketsp
;
1990 #ifdef CONFIG_IPSEC_DEBUG
1991 uint8_t satype
= ((struct sadb_msg
*)extensions
[SADB_EXT_RESERVED
])->sadb_msg_satype
;
1992 #endif /* CONFIG_IPSEC_DEBUG */
1994 KLIPS_PRINT(debug_pfkey
,
1995 "klips_debug:pfkey_expire_parse: .\n");
1997 if(pfkey_open_sockets
) {
1998 for(pfkey_socketsp
= pfkey_open_sockets
;
2000 pfkey_socketsp
= pfkey_socketsp
->next
) {
2001 if((error
= pfkey_upmsg(pfkey_socketsp
->socketp
,
2002 ((struct sadb_msg
*)extensions
[SADB_EXT_RESERVED
])))) {
2003 KLIPS_PRINT(debug_pfkey
, "klips_debug:pfkey_expire_parse: "
2004 "sending up expire reply message for satype=%d(%s) to socket=0p%p failed with error=%d.\n",
2006 satype2name(satype
),
2007 pfkey_socketsp
->socketp
,
2011 KLIPS_PRINT(debug_pfkey
, "klips_debug:pfkey_expire_parse: "
2012 "sending up expire reply message for satype=%d(%s) to socket=0p%p succeeded.\n",
2014 satype2name(satype
),
2015 pfkey_socketsp
->socketp
);
2024 pfkey_flush_parse(struct sock
*sk
, struct sadb_ext
**extensions
, struct pfkey_extracted_data
* extr
)
2027 struct socket_list
*pfkey_socketsp
;
2028 uint8_t satype
= ((struct sadb_msg
*)extensions
[SADB_EXT_RESERVED
])->sadb_msg_satype
;
2031 KLIPS_PRINT(debug_pfkey
,
2032 "klips_debug:pfkey_flush_parse: "
2033 "flushing type %d SAs\n",
2036 if(satype
&& !(proto
= satype2proto(satype
))) {
2037 KLIPS_PRINT(debug_pfkey
,
2038 "klips_debug:pfkey_flush_parse: "
2039 "satype %d lookup failed.\n",
2040 ((struct sadb_msg
*)extensions
[SADB_EXT_RESERVED
])->sadb_msg_satype
);
2044 if ((error
= ipsec_sadb_cleanup(proto
))) {
2048 if(pfkey_open_sockets
) {
2049 for(pfkey_socketsp
= pfkey_open_sockets
;
2051 pfkey_socketsp
= pfkey_socketsp
->next
) {
2052 if((error
= pfkey_upmsg(pfkey_socketsp
->socketp
,
2053 ((struct sadb_msg
*)extensions
[SADB_EXT_RESERVED
])))) {
2054 KLIPS_PRINT(debug_pfkey
, "klips_debug:pfkey_flush_parse: "
2055 "sending up flush reply message for satype=%d(%s) (proto=%d) to socket=0p%p failed with error=%d.\n",
2057 satype2name(satype
),
2059 pfkey_socketsp
->socketp
,
2063 KLIPS_PRINT(debug_pfkey
, "klips_debug:pfkey_flush_parse: "
2064 "sending up flush reply message for satype=%d(%s) to socket=0p%p succeeded.\n",
2066 satype2name(satype
),
2067 pfkey_socketsp
->socketp
);
2076 pfkey_dump_parse(struct sock
*sk
, struct sadb_ext
**extensions
, struct pfkey_extracted_data
* extr
)
2080 KLIPS_PRINT(debug_pfkey
,
2081 "klips_debug:pfkey_dump_parse: .\n");
2089 pfkey_x_promisc_parse(struct sock
*sk
, struct sadb_ext
**extensions
, struct pfkey_extracted_data
* extr
)
2093 KLIPS_PRINT(debug_pfkey
,
2094 "klips_debug:pfkey_promisc_parse: .\n");
2102 pfkey_x_pchange_parse(struct sock
*sk
, struct sadb_ext
**extensions
, struct pfkey_extracted_data
* extr
)
2106 KLIPS_PRINT(debug_pfkey
,
2107 "klips_debug:pfkey_x_pchange_parse: .\n");
2115 pfkey_x_grpsa_parse(struct sock
*sk
, struct sadb_ext
**extensions
, struct pfkey_extracted_data
* extr
)
2117 struct ipsec_sa
*ips1p
, *ips2p
, *ipsp
;
2118 struct sadb_ext
*extensions_reply
[SADB_EXT_MAX
+1];
2119 struct sadb_msg
*pfkey_reply
= NULL
;
2120 struct socket_list
*pfkey_socketsp
;
2121 uint8_t satype
= ((struct sadb_msg
*)extensions
[SADB_EXT_RESERVED
])->sadb_msg_satype
;
2122 char sa1
[SATOA_BUF
], sa2
[SATOA_BUF
];
2123 size_t sa_len1
, sa_len2
= 0;
2126 KLIPS_PRINT(debug_pfkey
,
2127 "klips_debug:pfkey_x_grpsa_parse: .\n");
2129 pfkey_extensions_init(extensions_reply
);
2131 if(extr
== NULL
|| extr
->ips
== NULL
) {
2132 KLIPS_PRINT(debug_pfkey
,
2133 "klips_debug:pfkey_x_grpsa_parse: "
2134 "extr or extr->ips is NULL, fatal.\n");
2138 sa_len1
= satoa(extr
->ips
->ips_said
, 0, sa1
, SATOA_BUF
);
2139 if(extr
->ips2
!= NULL
) {
2140 sa_len2
= satoa(extr
->ips2
->ips_said
, 0, sa2
, SATOA_BUF
);
2143 spin_lock_bh(&tdb_lock
);
2145 ips1p
= ipsec_sa_getbyid(&(extr
->ips
->ips_said
));
2147 spin_unlock_bh(&tdb_lock
);
2148 KLIPS_PRINT(debug_pfkey
,
2149 "klips_debug:pfkey_x_grpsa_parse: "
2150 "reserved ipsec_sa for SA1: %s not found. Call SADB_ADD/UPDATE first.\n",
2151 sa_len1
? sa1
: " (error)");
2154 if(extr
->ips2
) { /* GRPSA */
2155 ips2p
= ipsec_sa_getbyid(&(extr
->ips2
->ips_said
));
2157 ipsec_sa_put(ips1p
);
2158 spin_unlock_bh(&tdb_lock
);
2159 KLIPS_PRINT(debug_pfkey
,
2160 "klips_debug:pfkey_x_grpsa_parse: "
2161 "reserved ipsec_sa for SA2: %s not found. Call SADB_ADD/UPDATE first.\n",
2162 sa_len2
? sa2
: " (error)");
2166 /* Is either one already linked? */
2167 if(ips1p
->ips_onext
) {
2168 ipsec_sa_put(ips1p
);
2169 ipsec_sa_put(ips2p
);
2170 spin_unlock_bh(&tdb_lock
);
2171 KLIPS_PRINT(debug_pfkey
,
2172 "klips_debug:pfkey_x_grpsa_parse: "
2173 "ipsec_sa for SA: %s is already linked.\n",
2174 sa_len1
? sa1
: " (error)");
2177 if(ips2p
->ips_inext
) {
2178 ipsec_sa_put(ips1p
);
2179 ipsec_sa_put(ips2p
);
2180 spin_unlock_bh(&tdb_lock
);
2181 KLIPS_PRINT(debug_pfkey
,
2182 "klips_debug:pfkey_x_grpsa_parse: "
2183 "ipsec_sa for SA: %s is already linked.\n",
2184 sa_len2
? sa2
: " (error)");
2188 /* Is extr->ips already linked to extr->ips2? */
2192 ipsec_sa_put(ips1p
);
2193 ipsec_sa_put(ips2p
);
2194 spin_unlock_bh(&tdb_lock
);
2195 KLIPS_PRINT(debug_pfkey
,
2196 "klips_debug:pfkey_x_grpsa_parse: "
2197 "ipsec_sa for SA: %s is already linked to %s.\n",
2198 sa_len1
? sa1
: " (error)",
2199 sa_len2
? sa2
: " (error)");
2202 ipsp
= ipsp
->ips_onext
;
2206 KLIPS_PRINT(debug_pfkey
,
2207 "klips_debug:pfkey_x_grpsa_parse: "
2208 "linking ipsec_sa SA: %s with %s.\n",
2209 sa_len1
? sa1
: " (error)",
2210 sa_len2
? sa2
: " (error)");
2211 ips1p
->ips_onext
= ips2p
;
2212 ips2p
->ips_inext
= ips1p
;
2213 } else { /* UNGRPSA */
2214 ipsec_sa_put(ips1p
);
2215 KLIPS_PRINT(debug_pfkey
,
2216 "klips_debug:pfkey_x_grpsa_parse: "
2217 "unlinking ipsec_sa SA: %s.\n",
2218 sa_len1
? sa1
: " (error)");
2219 while(ips1p
->ips_onext
) {
2220 ips1p
= ips1p
->ips_onext
;
2222 while(ips1p
->ips_inext
) {
2224 ips1p
= ips1p
->ips_inext
;
2225 ipsec_sa_put(ips1p
);
2226 ipsp
->ips_inext
= NULL
;
2228 ips1p
->ips_onext
= NULL
;
2232 spin_unlock_bh(&tdb_lock
);
2234 if(!(pfkey_safe_build(error
= pfkey_msg_hdr_build(&extensions_reply
[0],
2238 ((struct sadb_msg
*)extensions
[SADB_EXT_RESERVED
])->sadb_msg_seq
,
2239 ((struct sadb_msg
*)extensions
[SADB_EXT_RESERVED
])->sadb_msg_pid
),
2241 && pfkey_safe_build(error
= pfkey_sa_ref_build(&extensions_reply
[SADB_EXT_SA
],
2243 extr
->ips
->ips_said
.spi
,
2244 extr
->ips
->ips_replaywin
,
2245 extr
->ips
->ips_state
,
2246 extr
->ips
->ips_authalg
,
2247 extr
->ips
->ips_encalg
,
2248 extr
->ips
->ips_flags
,
2249 extr
->ips
->ips_ref
),
2251 && pfkey_safe_build(error
= pfkey_address_build(&extensions_reply
[SADB_EXT_ADDRESS_DST
],
2252 SADB_EXT_ADDRESS_DST
,
2253 0, /*extr->ips->ips_said.proto,*/
2255 extr
->ips
->ips_addr_d
),
2258 ? (pfkey_safe_build(error
= pfkey_x_satype_build(&extensions_reply
[SADB_X_EXT_SATYPE2
],
2259 ((struct sadb_x_satype
*)extensions
[SADB_X_EXT_SATYPE2
])->sadb_x_satype_satype
2260 /* proto2satype(extr->ips2->ips_said.proto) */),
2262 && pfkey_safe_build(error
= pfkey_sa_ref_build(&extensions_reply
[SADB_X_EXT_SA2
],
2264 extr
->ips2
->ips_said
.spi
,
2265 extr
->ips2
->ips_replaywin
,
2266 extr
->ips2
->ips_state
,
2267 extr
->ips2
->ips_authalg
,
2268 extr
->ips2
->ips_encalg
,
2269 extr
->ips2
->ips_flags
,
2270 extr
->ips2
->ips_ref
),
2272 && pfkey_safe_build(error
= pfkey_address_build(&extensions_reply
[SADB_X_EXT_ADDRESS_DST2
],
2273 SADB_X_EXT_ADDRESS_DST2
,
2274 0, /*extr->ips->ips_said.proto,*/
2276 extr
->ips2
->ips_addr_d
),
2277 extensions_reply
) ) : 1 )
2279 KLIPS_PRINT(debug_pfkey
, "klips_debug:pfkey_x_grpsa_parse: "
2280 "failed to build the x_grpsa reply message extensions\n");
2284 if((error
= pfkey_msg_build(&pfkey_reply
, extensions_reply
, EXT_BITS_OUT
))) {
2285 KLIPS_PRINT(debug_pfkey
, "klips_debug:pfkey_x_grpsa_parse: "
2286 "failed to build the x_grpsa reply message\n");
2290 for(pfkey_socketsp
= pfkey_open_sockets
;
2292 pfkey_socketsp
= pfkey_socketsp
->next
) {
2293 if((error
= pfkey_upmsg(pfkey_socketsp
->socketp
, pfkey_reply
))) {
2294 KLIPS_PRINT(debug_pfkey
, "klips_debug:pfkey_x_grpsa_parse: "
2295 "sending up x_grpsa reply message for satype=%d(%s) to socket=0p%p failed with error=%d.\n",
2297 satype2name(satype
),
2298 pfkey_socketsp
->socketp
,
2302 KLIPS_PRINT(debug_pfkey
, "klips_debug:pfkey_x_grpsa_parse: "
2303 "sending up x_grpsa reply message for satype=%d(%s) to socket=0p%p succeeded.\n",
2305 satype2name(satype
),
2306 pfkey_socketsp
->socketp
);
2309 KLIPS_PRINT(debug_pfkey
, "klips_debug:pfkey_x_grpsa_parse: "
2310 "succeeded in sending x_grpsa reply message.\n");
2314 pfkey_msg_free(&pfkey_reply
);
2316 pfkey_extensions_free(extensions_reply
);
2321 pfkey_x_addflow_parse(struct sock
*sk
, struct sadb_ext
**extensions
, struct pfkey_extracted_data
* extr
)
2324 #ifdef CONFIG_IPSEC_DEBUG
2325 char buf1
[64], buf2
[64];
2326 #endif /* CONFIG_IPSEC_DEBUG */
2327 struct sadb_ext
*extensions_reply
[SADB_EXT_MAX
+1];
2328 struct sadb_msg
*pfkey_reply
= NULL
;
2329 struct socket_list
*pfkey_socketsp
;
2330 uint8_t satype
= ((struct sadb_msg
*)extensions
[SADB_EXT_RESERVED
])->sadb_msg_satype
;
2331 ip_address srcflow
, dstflow
, srcmask
, dstmask
;
2333 KLIPS_PRINT(debug_pfkey
,
2334 "klips_debug:pfkey_x_addflow_parse: .\n");
2336 pfkey_extensions_init(extensions_reply
);
2338 memset((caddr_t
)&srcflow
, 0, sizeof(srcflow
));
2339 memset((caddr_t
)&dstflow
, 0, sizeof(dstflow
));
2340 memset((caddr_t
)&srcmask
, 0, sizeof(srcmask
));
2341 memset((caddr_t
)&dstmask
, 0, sizeof(dstmask
));
2343 if(!extr
|| !(extr
->ips
) || !(extr
->eroute
)) {
2344 KLIPS_PRINT(debug_pfkey
,
2345 "klips_debug:pfkey_x_addflow_parse: "
2346 "missing extr, ipsec_sa or eroute data.\n");
2350 srcflow
.u
.v4
.sin_family
= AF_INET
;
2351 dstflow
.u
.v4
.sin_family
= AF_INET
;
2352 srcmask
.u
.v4
.sin_family
= AF_INET
;
2353 dstmask
.u
.v4
.sin_family
= AF_INET
;
2354 srcflow
.u
.v4
.sin_addr
= extr
->eroute
->er_eaddr
.sen_ip_src
;
2355 dstflow
.u
.v4
.sin_addr
= extr
->eroute
->er_eaddr
.sen_ip_dst
;
2356 srcmask
.u
.v4
.sin_addr
= extr
->eroute
->er_emask
.sen_ip_src
;
2357 dstmask
.u
.v4
.sin_addr
= extr
->eroute
->er_emask
.sen_ip_dst
;
2359 #ifdef CONFIG_IPSEC_DEBUG
2361 subnettoa(extr
->eroute
->er_eaddr
.sen_ip_src
,
2362 extr
->eroute
->er_emask
.sen_ip_src
, 0, buf1
, sizeof(buf1
));
2363 subnettoa(extr
->eroute
->er_eaddr
.sen_ip_dst
,
2364 extr
->eroute
->er_emask
.sen_ip_dst
, 0, buf2
, sizeof(buf2
));
2365 KLIPS_PRINT(debug_pfkey
,
2366 "klips_debug:pfkey_x_addflow_parse: "
2367 "calling breakeroute and/or makeroute for %s->%s\n",
2370 #endif /* CONFIG_IPSEC_DEBUG */
2371 if(extr
->ips
->ips_flags
& SADB_X_SAFLAGS_INFLOW
) {
2372 /* if(ip_chk_addr((unsigned long)extr->ips->ips_said.dst.s_addr) == IS_MYADDR) */
2373 struct ipsec_sa
*ipsp
, *ipsq
;
2377 ipsq
= ipsec_sa_getbyid(&(extr
->ips
->ips_said
));
2379 KLIPS_PRINT(debug_pfkey
,
2380 "klips_debug:pfkey_x_addflow_parse: "
2381 "ipsec_sa not found, cannot set incoming policy.\n");
2386 while(ipsp
&& ipsp
->ips_said
.proto
!= IPPROTO_IPIP
) {
2387 ipsp
= ipsp
->ips_inext
;
2392 KLIPS_PRINT(debug_pfkey
,
2393 "klips_debug:pfkey_x_addflow_parse: "
2394 "SA chain does not have an IPIP SA, cannot set incoming policy.\n");
2398 sa_len
= satoa(extr
->ips
->ips_said
, 0, sa
, SATOA_BUF
);
2400 ipsp
->ips_flags
|= SADB_X_SAFLAGS_INFLOW
;
2401 ipsp
->ips_flow_s
= srcflow
;
2402 ipsp
->ips_flow_d
= dstflow
;
2403 ipsp
->ips_mask_s
= srcmask
;
2404 ipsp
->ips_mask_d
= dstmask
;
2408 KLIPS_PRINT(debug_pfkey
,
2409 "klips_debug:pfkey_x_addflow_parse: "
2410 "inbound eroute, setting incoming policy information in IPIP ipsec_sa for SA: %s.\n",
2411 sa_len
? sa
: " (error)");
2413 struct sk_buff
*first
= NULL
, *last
= NULL
;
2415 if(extr
->ips
->ips_flags
& SADB_X_SAFLAGS_REPLACEFLOW
) {
2416 KLIPS_PRINT(debug_pfkey
,
2417 "klips_debug:pfkey_x_addflow_parse: "
2418 "REPLACEFLOW flag set, calling breakeroute.\n");
2419 if ((error
= ipsec_breakroute(&(extr
->eroute
->er_eaddr
),
2420 &(extr
->eroute
->er_emask
),
2422 KLIPS_PRINT(debug_pfkey
,
2423 "klips_debug:pfkey_x_addflow_parse: "
2424 "breakeroute returned %d. first=0p%p, last=0p%p\n",
2429 ipsec_kfree_skb(first
);
2432 ipsec_kfree_skb(last
);
2438 KLIPS_PRINT(debug_pfkey
,
2439 "klips_debug:pfkey_x_addflow_parse: "
2440 "calling makeroute.\n");
2442 if ((error
= ipsec_makeroute(&(extr
->eroute
->er_eaddr
),
2443 &(extr
->eroute
->er_emask
),
2444 extr
->ips
->ips_said
,
2445 ((struct sadb_msg
*)extensions
[SADB_EXT_RESERVED
])->sadb_msg_pid
,
2447 &(extr
->ips
->ips_ident_s
),
2448 &(extr
->ips
->ips_ident_d
)))) {
2449 KLIPS_PRINT(debug_pfkey
,
2450 "klips_debug:pfkey_x_addflow_parse: "
2451 "makeroute returned %d.\n", error
);
2455 KLIPS_PRINT(debug_pfkey
,
2456 "klips_debug:pfkey_x_addflow_parse: "
2457 "first=0p%p HOLD packet re-injected.\n",
2459 DEV_QUEUE_XMIT(first
, first
->dev
, SOPRI_NORMAL
);
2462 KLIPS_PRINT(debug_pfkey
,
2463 "klips_debug:pfkey_x_addflow_parse: "
2464 "last=0p%p HOLD packet re-injected.\n",
2466 DEV_QUEUE_XMIT(last
, last
->dev
, SOPRI_NORMAL
);
2470 KLIPS_PRINT(debug_pfkey
,
2471 "klips_debug:pfkey_x_addflow_parse: "
2472 "makeroute call successful.\n");
2474 if(!(pfkey_safe_build(error
= pfkey_msg_hdr_build(&extensions_reply
[0],
2478 ((struct sadb_msg
*)extensions
[SADB_EXT_RESERVED
])->sadb_msg_seq
,
2479 ((struct sadb_msg
*)extensions
[SADB_EXT_RESERVED
])->sadb_msg_pid
),
2481 && pfkey_safe_build(error
= pfkey_sa_ref_build(&extensions_reply
[SADB_EXT_SA
],
2483 extr
->ips
->ips_said
.spi
,
2484 extr
->ips
->ips_replaywin
,
2485 extr
->ips
->ips_state
,
2486 extr
->ips
->ips_authalg
,
2487 extr
->ips
->ips_encalg
,
2488 extr
->ips
->ips_flags
,
2489 extr
->ips
->ips_ref
),
2491 && (extensions
[SADB_EXT_ADDRESS_SRC
]
2492 ? pfkey_safe_build(error
= pfkey_address_build(&extensions_reply
[SADB_EXT_ADDRESS_SRC
],
2493 SADB_EXT_ADDRESS_SRC
,
2494 0, /*extr->ips->ips_said.proto,*/
2496 extr
->ips
->ips_addr_s
),
2497 extensions_reply
) : 1)
2498 && (extensions
[SADB_EXT_ADDRESS_DST
]
2499 ? pfkey_safe_build(error
= pfkey_address_build(&extensions_reply
[SADB_EXT_ADDRESS_DST
],
2500 SADB_EXT_ADDRESS_DST
,
2501 0, /*extr->ips->ips_said.proto,*/
2503 extr
->ips
->ips_addr_d
),
2504 extensions_reply
) : 1)
2505 && pfkey_safe_build(error
= pfkey_address_build(&extensions_reply
[SADB_X_EXT_ADDRESS_SRC_FLOW
],
2506 SADB_X_EXT_ADDRESS_SRC_FLOW
,
2507 0, /*extr->ips->ips_said.proto,*/
2509 (struct sockaddr
*)&srcflow
),
2511 && pfkey_safe_build(error
= pfkey_address_build(&extensions_reply
[SADB_X_EXT_ADDRESS_DST_FLOW
],
2512 SADB_X_EXT_ADDRESS_DST_FLOW
,
2513 0, /*extr->ips->ips_said.proto,*/
2515 (struct sockaddr
*)&dstflow
),
2517 && pfkey_safe_build(error
= pfkey_address_build(&extensions_reply
[SADB_X_EXT_ADDRESS_SRC_MASK
],
2518 SADB_X_EXT_ADDRESS_SRC_MASK
,
2519 0, /*extr->ips->ips_said.proto,*/
2521 (struct sockaddr
*)&srcmask
),
2523 && pfkey_safe_build(error
= pfkey_address_build(&extensions_reply
[SADB_X_EXT_ADDRESS_DST_MASK
],
2524 SADB_X_EXT_ADDRESS_DST_MASK
,
2525 0, /*extr->ips->ips_said.proto,*/
2527 (struct sockaddr
*)&dstmask
),
2530 KLIPS_PRINT(debug_pfkey
, "klips_debug:pfkey_x_addflow_parse: "
2531 "failed to build the x_addflow reply message extensions\n");
2535 if((error
= pfkey_msg_build(&pfkey_reply
, extensions_reply
, EXT_BITS_OUT
))) {
2536 KLIPS_PRINT(debug_pfkey
, "klips_debug:pfkey_x_addflow_parse: "
2537 "failed to build the x_addflow reply message\n");
2541 for(pfkey_socketsp
= pfkey_open_sockets
;
2543 pfkey_socketsp
= pfkey_socketsp
->next
) {
2544 if((error
= pfkey_upmsg(pfkey_socketsp
->socketp
, pfkey_reply
))) {
2545 KLIPS_PRINT(debug_pfkey
, "klips_debug:pfkey_x_addflow_parse: "
2546 "sending up x_addflow reply message for satype=%d(%s) to socket=0p%p failed with error=%d.\n",
2548 satype2name(satype
),
2549 pfkey_socketsp
->socketp
,
2553 KLIPS_PRINT(debug_pfkey
, "klips_debug:pfkey_x_addflow_parse: "
2554 "sending up x_addflow reply message for satype=%d(%s) (proto=%d) to socket=0p%p succeeded.\n",
2556 satype2name(satype
),
2557 extr
->ips
->ips_said
.proto
,
2558 pfkey_socketsp
->socketp
);
2561 KLIPS_PRINT(debug_pfkey
,
2562 "klips_debug:pfkey_x_addflow_parse: "
2563 "extr->ips cleaned up and freed.\n");
2567 pfkey_msg_free(&pfkey_reply
);
2569 pfkey_extensions_free(extensions_reply
);
2574 pfkey_x_delflow_parse(struct sock
*sk
, struct sadb_ext
**extensions
, struct pfkey_extracted_data
* extr
)
2577 #ifdef CONFIG_IPSEC_DEBUG
2578 char buf1
[64], buf2
[64];
2579 #endif /* CONFIG_IPSEC_DEBUG */
2580 struct sadb_ext
*extensions_reply
[SADB_EXT_MAX
+1];
2581 struct sadb_msg
*pfkey_reply
= NULL
;
2582 struct socket_list
*pfkey_socketsp
;
2583 uint8_t satype
= ((struct sadb_msg
*)extensions
[SADB_EXT_RESERVED
])->sadb_msg_satype
;
2584 ip_address srcflow
, dstflow
, srcmask
, dstmask
;
2586 KLIPS_PRINT(debug_pfkey
,
2587 "klips_debug:pfkey_x_delflow_parse: .\n");
2589 pfkey_extensions_init(extensions_reply
);
2591 memset((caddr_t
)&srcflow
, 0, sizeof(srcflow
));
2592 memset((caddr_t
)&dstflow
, 0, sizeof(dstflow
));
2593 memset((caddr_t
)&srcmask
, 0, sizeof(srcmask
));
2594 memset((caddr_t
)&dstmask
, 0, sizeof(dstmask
));
2596 if(!extr
|| !(extr
->ips
)) {
2597 KLIPS_PRINT(debug_pfkey
,
2598 "klips_debug:pfkey_x_delflow_parse: "
2599 "extr, or extr->ips is NULL, fatal\n");
2603 if(extr
->ips
->ips_flags
& SADB_X_SAFLAGS_CLEARFLOW
) {
2604 KLIPS_PRINT(debug_pfkey
,
2605 "klips_debug:pfkey_x_delflow_parse: "
2606 "CLEARFLOW flag set, calling cleareroutes.\n");
2607 if ((error
= ipsec_cleareroutes()))
2608 KLIPS_PRINT(debug_pfkey
,
2609 "klips_debug:pfkey_x_delflow_parse: "
2610 "cleareroutes returned %d.\n", error
);
2613 struct sk_buff
*first
= NULL
, *last
= NULL
;
2615 if(!(extr
->eroute
)) {
2616 KLIPS_PRINT(debug_pfkey
,
2617 "klips_debug:pfkey_x_delflow_parse: "
2618 "extr->eroute is NULL, fatal.\n");
2622 srcflow
.u
.v4
.sin_family
= AF_INET
;
2623 dstflow
.u
.v4
.sin_family
= AF_INET
;
2624 srcmask
.u
.v4
.sin_family
= AF_INET
;
2625 dstmask
.u
.v4
.sin_family
= AF_INET
;
2626 srcflow
.u
.v4
.sin_addr
= extr
->eroute
->er_eaddr
.sen_ip_src
;
2627 dstflow
.u
.v4
.sin_addr
= extr
->eroute
->er_eaddr
.sen_ip_dst
;
2628 srcmask
.u
.v4
.sin_addr
= extr
->eroute
->er_emask
.sen_ip_src
;
2629 dstmask
.u
.v4
.sin_addr
= extr
->eroute
->er_emask
.sen_ip_dst
;
2631 #ifdef CONFIG_IPSEC_DEBUG
2633 subnettoa(extr
->eroute
->er_eaddr
.sen_ip_src
,
2634 extr
->eroute
->er_emask
.sen_ip_src
, 0, buf1
, sizeof(buf1
));
2635 subnettoa(extr
->eroute
->er_eaddr
.sen_ip_dst
,
2636 extr
->eroute
->er_emask
.sen_ip_dst
, 0, buf2
, sizeof(buf2
));
2637 KLIPS_PRINT(debug_pfkey
,
2638 "klips_debug:pfkey_x_delflow_parse: "
2639 "calling breakeroute for %s->%s\n",
2642 #endif /* CONFIG_IPSEC_DEBUG */
2643 error
= ipsec_breakroute(&(extr
->eroute
->er_eaddr
),
2644 &(extr
->eroute
->er_emask
),
2647 KLIPS_PRINT(debug_pfkey
,
2648 "klips_debug:pfkey_x_delflow_parse: "
2649 "breakeroute returned %d. first=0p%p, last=0p%p\n",
2655 ipsec_kfree_skb(first
);
2658 ipsec_kfree_skb(last
);
2665 if(!(pfkey_safe_build(error
= pfkey_msg_hdr_build(&extensions_reply
[0],
2669 ((struct sadb_msg
*)extensions
[SADB_EXT_RESERVED
])->sadb_msg_seq
,
2670 ((struct sadb_msg
*)extensions
[SADB_EXT_RESERVED
])->sadb_msg_pid
),
2672 && pfkey_safe_build(error
= pfkey_sa_ref_build(&extensions_reply
[SADB_EXT_SA
],
2674 extr
->ips
->ips_said
.spi
,
2675 extr
->ips
->ips_replaywin
,
2676 extr
->ips
->ips_state
,
2677 extr
->ips
->ips_authalg
,
2678 extr
->ips
->ips_encalg
,
2679 extr
->ips
->ips_flags
,
2680 extr
->ips
->ips_ref
),
2682 && pfkey_safe_build(error
= pfkey_address_build(&extensions_reply
[SADB_X_EXT_ADDRESS_SRC_FLOW
],
2683 SADB_X_EXT_ADDRESS_SRC_FLOW
,
2684 0, /*extr->ips->ips_said.proto,*/
2686 (struct sockaddr
*)&srcflow
),
2688 && pfkey_safe_build(error
= pfkey_address_build(&extensions_reply
[SADB_X_EXT_ADDRESS_DST_FLOW
],
2689 SADB_X_EXT_ADDRESS_DST_FLOW
,
2690 0, /*extr->ips->ips_said.proto,*/
2692 (struct sockaddr
*)&dstflow
),
2694 && pfkey_safe_build(error
= pfkey_address_build(&extensions_reply
[SADB_X_EXT_ADDRESS_SRC_MASK
],
2695 SADB_X_EXT_ADDRESS_SRC_MASK
,
2696 0, /*extr->ips->ips_said.proto,*/
2698 (struct sockaddr
*)&srcmask
),
2700 && pfkey_safe_build(error
= pfkey_address_build(&extensions_reply
[SADB_X_EXT_ADDRESS_DST_MASK
],
2701 SADB_X_EXT_ADDRESS_DST_MASK
,
2702 0, /*extr->ips->ips_said.proto,*/
2704 (struct sockaddr
*)&dstmask
),
2707 KLIPS_PRINT(debug_pfkey
, "klips_debug:pfkey_x_delflow_parse: "
2708 "failed to build the x_delflow reply message extensions\n");
2712 if((error
= pfkey_msg_build(&pfkey_reply
, extensions_reply
, EXT_BITS_OUT
))) {
2713 KLIPS_PRINT(debug_pfkey
, "klips_debug:pfkey_x_delflow_parse: "
2714 "failed to build the x_delflow reply message\n");
2718 for(pfkey_socketsp
= pfkey_open_sockets
;
2720 pfkey_socketsp
= pfkey_socketsp
->next
) {
2721 if((error
= pfkey_upmsg(pfkey_socketsp
->socketp
, pfkey_reply
))) {
2722 KLIPS_PRINT(debug_pfkey
, "klips_debug:pfkey_x_delflow_parse: "
2723 "sending up x_delflow reply message for satype=%d(%s) to socket=0p%p failed with error=%d.\n",
2725 satype2name(satype
),
2726 pfkey_socketsp
->socketp
,
2730 KLIPS_PRINT(debug_pfkey
, "klips_debug:pfkey_x_delflow_parse: "
2731 "sending up x_delflow reply message for satype=%d(%s) to socket=0p%p succeeded.\n",
2733 satype2name(satype
),
2734 pfkey_socketsp
->socketp
);
2737 KLIPS_PRINT(debug_pfkey
,
2738 "klips_debug:pfkey_x_delflow_parse: "
2739 "extr->ips cleaned up and freed.\n");
2743 pfkey_msg_free(&pfkey_reply
);
2745 pfkey_extensions_free(extensions_reply
);
2750 pfkey_x_msg_debug_parse(struct sock
*sk
, struct sadb_ext
**extensions
, struct pfkey_extracted_data
* extr
)
2754 KLIPS_PRINT(debug_pfkey
,
2755 "klips_debug:pfkey_x_msg_debug_parse: .\n");
2761 /* pfkey_expire expects the ipsec_sa table to be locked before being called. */
2763 pfkey_expire(struct ipsec_sa
*ipsp
, int hard
)
2765 struct sadb_ext
*extensions
[SADB_EXT_MAX
+1];
2766 struct sadb_msg
*pfkey_msg
= NULL
;
2767 struct socket_list
*pfkey_socketsp
;
2771 pfkey_extensions_init(extensions
);
2773 if(!(satype
= proto2satype(ipsp
->ips_said
.proto
))) {
2774 KLIPS_PRINT(debug_pfkey
,
2775 "klips_debug:pfkey_expire: "
2776 "satype lookup for protocol %d lookup failed.\n",
2777 ipsp
->ips_said
.proto
);
2781 if(!pfkey_open_sockets
) {
2782 KLIPS_PRINT(debug_pfkey
, "klips_debug:pfkey_expire: "
2783 "no sockets listening.\n");
2784 SENDERR(EPROTONOSUPPORT
);
2787 if (!(pfkey_safe_build(error
= pfkey_msg_hdr_build(&extensions
[0],
2794 && pfkey_safe_build(error
= pfkey_sa_ref_build(&extensions
[SADB_EXT_SA
],
2797 ipsp
->ips_replaywin
,
2804 && pfkey_safe_build(error
= pfkey_lifetime_build(&extensions
[SADB_EXT_LIFETIME_CURRENT
],
2805 SADB_EXT_LIFETIME_CURRENT
,
2806 ipsp
->ips_life
.ipl_allocations
.ipl_count
,
2807 ipsp
->ips_life
.ipl_bytes
.ipl_count
,
2808 ipsp
->ips_life
.ipl_addtime
.ipl_count
,
2809 ipsp
->ips_life
.ipl_usetime
.ipl_count
,
2810 ipsp
->ips_life
.ipl_packets
.ipl_count
),
2813 pfkey_safe_build(error
= pfkey_lifetime_build(&extensions
[SADB_EXT_LIFETIME_HARD
],
2814 SADB_EXT_LIFETIME_HARD
,
2815 ipsp
->ips_life
.ipl_allocations
.ipl_hard
,
2816 ipsp
->ips_life
.ipl_bytes
.ipl_hard
,
2817 ipsp
->ips_life
.ipl_addtime
.ipl_hard
,
2818 ipsp
->ips_life
.ipl_usetime
.ipl_hard
,
2819 ipsp
->ips_life
.ipl_packets
.ipl_hard
),
2821 : pfkey_safe_build(error
= pfkey_lifetime_build(&extensions
[SADB_EXT_LIFETIME_SOFT
],
2822 SADB_EXT_LIFETIME_SOFT
,
2823 ipsp
->ips_life
.ipl_allocations
.ipl_soft
,
2824 ipsp
->ips_life
.ipl_bytes
.ipl_soft
,
2825 ipsp
->ips_life
.ipl_addtime
.ipl_soft
,
2826 ipsp
->ips_life
.ipl_usetime
.ipl_soft
,
2827 ipsp
->ips_life
.ipl_packets
.ipl_soft
),
2829 && pfkey_safe_build(error
= pfkey_address_build(&extensions
[SADB_EXT_ADDRESS_SRC
],
2830 SADB_EXT_ADDRESS_SRC
,
2831 0, /* ipsp->ips_said.proto, */
2835 && pfkey_safe_build(error
= pfkey_address_build(&extensions
[SADB_EXT_ADDRESS_DST
],
2836 SADB_EXT_ADDRESS_DST
,
2837 0, /* ipsp->ips_said.proto, */
2841 KLIPS_PRINT(debug_pfkey
, "klips_debug:pfkey_expire: "
2842 "failed to build the expire message extensions\n");
2843 spin_unlock(&tdb_lock
);
2847 if ((error
= pfkey_msg_build(&pfkey_msg
, extensions
, EXT_BITS_OUT
))) {
2848 KLIPS_PRINT(debug_pfkey
, "klips_debug:pfkey_expire: "
2849 "failed to build the expire message\n");
2853 for(pfkey_socketsp
= pfkey_open_sockets
;
2855 pfkey_socketsp
= pfkey_socketsp
->next
) {
2856 if((error
= pfkey_upmsg(pfkey_socketsp
->socketp
, pfkey_msg
))) {
2857 KLIPS_PRINT(debug_pfkey
, "klips_debug:pfkey_expire: "
2858 "sending up expire message for satype=%d(%s) to socket=0p%p failed with error=%d.\n",
2860 satype2name(satype
),
2861 pfkey_socketsp
->socketp
,
2865 KLIPS_PRINT(debug_pfkey
, "klips_debug:pfkey_expire: "
2866 "sending up expire message for satype=%d(%s) (proto=%d) to socket=0p%p succeeded.\n",
2868 satype2name(satype
),
2869 ipsp
->ips_said
.proto
,
2870 pfkey_socketsp
->socketp
);
2875 pfkey_msg_free(&pfkey_msg
);
2877 pfkey_extensions_free(extensions
);
2882 pfkey_acquire(struct ipsec_sa
*ipsp
)
2884 struct sadb_ext
*extensions
[SADB_EXT_MAX
+1];
2885 struct sadb_msg
*pfkey_msg
= NULL
;
2886 struct socket_list
*pfkey_socketsp
;
2888 struct sadb_comb comb
[] = {
2889 /* auth; encrypt; flags; */
2890 /* auth_minbits; auth_maxbits; encrypt_minbits; encrypt_maxbits; */
2891 /* reserved; soft_allocations; hard_allocations; soft_bytes; hard_bytes; */
2892 /* soft_addtime; hard_addtime; soft_usetime; hard_usetime; */
2893 /* soft_packets; hard_packets; */
2894 { SADB_AALG_MD5_HMAC
, SADB_EALG_3DES_CBC
, SADB_SAFLAGS_PFS
,
2897 57600, 86400, 57600, 86400,
2899 { SADB_AALG_SHA1_HMAC
, SADB_EALG_3DES_CBC
, SADB_SAFLAGS_PFS
,
2902 57600, 86400, 57600, 86400,
2906 /* XXX This should not be hard-coded. It should be taken from the spdb */
2907 uint8_t satype
= SADB_SATYPE_ESP
;
2909 pfkey_extensions_init(extensions
);
2911 if((satype
== 0) || (satype
> SADB_SATYPE_MAX
)) {
2912 KLIPS_PRINT(debug_pfkey
, "klips_debug:pfkey_acquire: "
2913 "SAtype=%d unspecified or unknown.\n",
2918 if(!(pfkey_registered_sockets
[satype
])) {
2919 KLIPS_PRINT(1|debug_pfkey
, "klips_debug:pfkey_acquire: "
2920 "no sockets registered for SAtype=%d(%s).\n",
2922 satype2name(satype
));
2923 SENDERR(EPROTONOSUPPORT
);
2926 if (!(pfkey_safe_build(error
= pfkey_msg_hdr_build(&extensions
[0],
2933 && pfkey_safe_build(error
= pfkey_address_build(&extensions
[SADB_EXT_ADDRESS_SRC
],
2934 SADB_EXT_ADDRESS_SRC
,
2935 ipsp
->ips_said
.proto
,
2939 && pfkey_safe_build(error
= pfkey_address_build(&extensions
[SADB_EXT_ADDRESS_DST
],
2940 SADB_EXT_ADDRESS_DST
,
2941 ipsp
->ips_said
.proto
,
2946 && (ipsp
->ips_addr_p
2947 ? pfkey_safe_build(error
= pfkey_address_build(&extensions
[SADB_EXT_ADDRESS_PROXY
],
2948 SADB_EXT_ADDRESS_PROXY
,
2949 ipsp
->ips_said
.proto
,
2954 && (ipsp
->ips_ident_s
.type
!= SADB_IDENTTYPE_RESERVED
2955 ? pfkey_safe_build(error
= pfkey_ident_build(&extensions
[SADB_EXT_IDENTITY_SRC
],
2956 SADB_EXT_IDENTITY_SRC
,
2957 ipsp
->ips_ident_s
.type
,
2958 ipsp
->ips_ident_s
.id
,
2959 ipsp
->ips_ident_s
.len
,
2960 ipsp
->ips_ident_s
.data
),
2963 && (ipsp
->ips_ident_d
.type
!= SADB_IDENTTYPE_RESERVED
2964 ? pfkey_safe_build(error
= pfkey_ident_build(&extensions
[SADB_EXT_IDENTITY_DST
],
2965 SADB_EXT_IDENTITY_DST
,
2966 ipsp
->ips_ident_d
.type
,
2967 ipsp
->ips_ident_d
.id
,
2968 ipsp
->ips_ident_d
.len
,
2969 ipsp
->ips_ident_d
.data
),
2972 /* FIXME: This won't work yet because I have not finished
2975 ? pfkey_safe_build(error
= pfkey_sens_build(&extensions
[SADB_EXT_SENSITIVITY
],
2977 ipsp
->ips_sens_sens_level
,
2978 ipsp
->ips_sens_sens_len
,
2979 ipsp
->ips_sens_sens_bitmap
,
2980 ipsp
->ips_sens_integ_level
,
2981 ipsp
->ips_sens_integ_len
,
2982 ipsp
->ips_sens_integ_bitmap
),
2985 && pfkey_safe_build(error
= pfkey_prop_build(&extensions
[SADB_EXT_PROPOSAL
],
2987 sizeof(comb
)/sizeof(struct sadb_comb
),
2991 KLIPS_PRINT(1|debug_pfkey
, "klips_debug:pfkey_acquire: "
2992 "failed to build the acquire message extensions\n");
2996 if ((error
= pfkey_msg_build(&pfkey_msg
, extensions
, EXT_BITS_OUT
))) {
2997 KLIPS_PRINT(1|debug_pfkey
, "klips_debug:pfkey_acquire: "
2998 "failed to build the acquire message\n");
3002 #if KLIPS_PFKEY_ACQUIRE_LOSSAGE > 0
3003 if(sysctl_ipsec_regress_pfkey_lossage
) {
3008 /* this should go to all registered sockets for that satype only */
3009 for(pfkey_socketsp
= pfkey_registered_sockets
[satype
];
3011 pfkey_socketsp
= pfkey_socketsp
->next
) {
3012 if((error
= pfkey_upmsg(pfkey_socketsp
->socketp
, pfkey_msg
))) {
3013 KLIPS_PRINT(1|debug_pfkey
, "klips_debug:pfkey_acquire: "
3014 "sending up acquire message for satype=%d(%s) to socket=0p%p failed with error=%d.\n",
3016 satype2name(satype
),
3017 pfkey_socketsp
->socketp
,
3021 KLIPS_PRINT(debug_pfkey
, "klips_debug:pfkey_acquire: "
3022 "sending up acquire message for satype=%d(%s) to socket=0p%p succeeded.\n",
3024 satype2name(satype
),
3025 pfkey_socketsp
->socketp
);
3030 pfkey_msg_free(&pfkey_msg
);
3032 pfkey_extensions_free(extensions
);
3036 #ifdef CONFIG_IPSEC_NAT_TRAVERSAL
3038 pfkey_nat_t_new_mapping(struct ipsec_sa
*ipsp
, struct sockaddr
*ipaddr
,
3041 struct sadb_ext
*extensions
[SADB_EXT_MAX
+1];
3042 struct sadb_msg
*pfkey_msg
= NULL
;
3043 struct socket_list
*pfkey_socketsp
;
3045 uint8_t satype
= (ipsp
->ips_said
.proto
==IPPROTO_ESP
) ? SADB_SATYPE_ESP
: 0;
3047 /* Construct SADB_X_NAT_T_NEW_MAPPING message */
3049 pfkey_extensions_init(extensions
);
3051 if((satype
== 0) || (satype
> SADB_SATYPE_MAX
)) {
3052 KLIPS_PRINT(debug_pfkey
, "klips_debug:pfkey_nat_t_new_mapping: "
3053 "SAtype=%d unspecified or unknown.\n",
3058 if(!(pfkey_registered_sockets
[satype
])) {
3059 KLIPS_PRINT(debug_pfkey
, "klips_debug:pfkey_nat_t_new_mapping: "
3060 "no sockets registered for SAtype=%d(%s).\n",
3062 satype2name(satype
));
3063 SENDERR(EPROTONOSUPPORT
);
3066 if (!(pfkey_safe_build
3067 (error
= pfkey_msg_hdr_build(&extensions
[0], SADB_X_NAT_T_NEW_MAPPING
,
3068 satype
, 0, ++pfkey_msg_seq
, 0), extensions
)
3071 (error
= pfkey_sa_build(&extensions
[SADB_EXT_SA
],
3072 SADB_EXT_SA
, ipsp
->ips_said
.spi
, 0, 0, 0, 0, 0), extensions
)
3073 /* ADDRESS_SRC = old addr */
3075 (error
= pfkey_address_build(&extensions
[SADB_EXT_ADDRESS_SRC
],
3076 SADB_EXT_ADDRESS_SRC
, ipsp
->ips_said
.proto
, 0, ipsp
->ips_addr_s
),
3078 /* NAT_T_SPORT = old port */
3080 (error
= pfkey_x_nat_t_port_build(&extensions
[SADB_X_EXT_NAT_T_SPORT
],
3081 SADB_X_EXT_NAT_T_SPORT
, ipsp
->ips_natt_sport
), extensions
)
3082 /* ADDRESS_DST = new addr */
3084 (error
= pfkey_address_build(&extensions
[SADB_EXT_ADDRESS_DST
],
3085 SADB_EXT_ADDRESS_DST
, ipsp
->ips_said
.proto
, 0, ipaddr
), extensions
)
3086 /* NAT_T_DPORT = new port */
3088 (error
= pfkey_x_nat_t_port_build(&extensions
[SADB_X_EXT_NAT_T_DPORT
],
3089 SADB_X_EXT_NAT_T_DPORT
, sport
), extensions
)
3091 KLIPS_PRINT(debug_pfkey
, "klips_debug:pfkey_nat_t_new_mapping: "
3092 "failed to build the nat_t_new_mapping message extensions\n");
3096 if ((error
= pfkey_msg_build(&pfkey_msg
, extensions
, EXT_BITS_OUT
))) {
3097 KLIPS_PRINT(debug_pfkey
, "klips_debug:pfkey_nat_t_new_mapping: "
3098 "failed to build the nat_t_new_mapping message\n");
3102 /* this should go to all registered sockets for that satype only */
3103 for(pfkey_socketsp
= pfkey_registered_sockets
[satype
];
3105 pfkey_socketsp
= pfkey_socketsp
->next
) {
3106 if((error
= pfkey_upmsg(pfkey_socketsp
->socketp
, pfkey_msg
))) {
3107 KLIPS_PRINT(debug_pfkey
, "klips_debug:pfkey_nat_t_new_mapping: "
3108 "sending up nat_t_new_mapping message for satype=%d(%s) to socket=%p failed with error=%d.\n",
3110 satype2name(satype
),
3111 pfkey_socketsp
->socketp
,
3115 KLIPS_PRINT(debug_pfkey
, "klips_debug:pfkey_nat_t_new_mapping: "
3116 "sending up nat_t_new_mapping message for satype=%d(%s) to socket=%p succeeded.\n",
3118 satype2name(satype
),
3119 pfkey_socketsp
->socketp
);
3124 pfkey_msg_free(&pfkey_msg
);
3126 pfkey_extensions_free(extensions
);
3131 pfkey_x_nat_t_new_mapping_parse(struct sock
*sk
, struct sadb_ext
**extensions
, struct pfkey_extracted_data
* extr
)
3133 /* SADB_X_NAT_T_NEW_MAPPING not used in kernel */
3138 DEBUG_NO_STATIC
int (*ext_processors
[SADB_EXT_MAX
+1])(struct sadb_ext
*pfkey_ext
, struct pfkey_extracted_data
* extr
) =
3140 NULL
, /* pfkey_msg_process, */
3142 pfkey_lifetime_process
,
3143 pfkey_lifetime_process
,
3144 pfkey_lifetime_process
,
3145 pfkey_address_process
,
3146 pfkey_address_process
,
3147 pfkey_address_process
,
3150 pfkey_ident_process
,
3151 pfkey_ident_process
,
3154 pfkey_supported_process
,
3155 pfkey_supported_process
,
3156 pfkey_spirange_process
,
3157 pfkey_x_kmprivate_process
,
3158 pfkey_x_satype_process
,
3160 pfkey_address_process
,
3161 pfkey_address_process
,
3162 pfkey_address_process
,
3163 pfkey_address_process
,
3164 pfkey_address_process
,
3165 pfkey_x_debug_process
,
3166 pfkey_x_protocol_process
3167 #ifdef CONFIG_IPSEC_NAT_TRAVERSAL
3169 pfkey_x_nat_t_type_process
,
3170 pfkey_x_nat_t_port_process
,
3171 pfkey_x_nat_t_port_process
,
3172 pfkey_address_process
3177 DEBUG_NO_STATIC
int (*msg_parsers
[SADB_MAX
+1])(struct sock
*sk
, struct sadb_ext
*extensions
[], struct pfkey_extracted_data
* extr
)
3180 NULL
, /* RESERVED */
3186 pfkey_acquire_parse
,
3187 pfkey_register_parse
,
3191 pfkey_x_promisc_parse
,
3192 pfkey_x_pchange_parse
,
3193 pfkey_x_grpsa_parse
,
3194 pfkey_x_addflow_parse
,
3195 pfkey_x_delflow_parse
,
3196 pfkey_x_msg_debug_parse
3197 #ifdef CONFIG_IPSEC_NAT_TRAVERSAL
3198 , pfkey_x_nat_t_new_mapping_parse
3203 pfkey_build_reply(struct sadb_msg
*pfkey_msg
, struct pfkey_extracted_data
*extr
,
3204 struct sadb_msg
**pfkey_reply
)
3206 struct sadb_ext
*extensions
[SADB_EXT_MAX
+1];
3208 int msg_type
= pfkey_msg
->sadb_msg_type
;
3209 int seq
= pfkey_msg
->sadb_msg_seq
;
3211 KLIPS_PRINT(debug_pfkey
, "klips_debug:pfkey_build_reply: "
3212 "building reply with type: %d\n",
3214 pfkey_extensions_init(extensions
);
3215 if (!extr
|| !extr
->ips
) {
3216 KLIPS_PRINT(debug_pfkey
, "klips_debug:pfkey_build_reply: "
3217 "bad ipsec_sa passed\n");
3220 error
= pfkey_safe_build(pfkey_msg_hdr_build(&extensions
[0],
3222 proto2satype(extr
->ips
->ips_said
.proto
),
3225 pfkey_msg
->sadb_msg_pid
),
3227 (!(extensions_bitmaps
[EXT_BITS_OUT
][EXT_BITS_REQ
][msg_type
] &
3229 || pfkey_safe_build(pfkey_sa_ref_build(&extensions
[SADB_EXT_SA
],
3231 extr
->ips
->ips_said
.spi
,
3232 extr
->ips
->ips_replaywin
,
3233 extr
->ips
->ips_state
,
3234 extr
->ips
->ips_authalg
,
3235 extr
->ips
->ips_encalg
,
3236 extr
->ips
->ips_flags
,
3237 extr
->ips
->ips_ref
),
3239 (!(extensions_bitmaps
[EXT_BITS_OUT
][EXT_BITS_REQ
][msg_type
] &
3240 1 << SADB_EXT_LIFETIME_CURRENT
)
3241 || pfkey_safe_build(pfkey_lifetime_build(&extensions
3242 [SADB_EXT_LIFETIME_CURRENT
],
3243 SADB_EXT_LIFETIME_CURRENT
,
3244 extr
->ips
->ips_life
.ipl_allocations
.ipl_count
,
3245 extr
->ips
->ips_life
.ipl_bytes
.ipl_count
,
3246 extr
->ips
->ips_life
.ipl_addtime
.ipl_count
,
3247 extr
->ips
->ips_life
.ipl_usetime
.ipl_count
,
3248 extr
->ips
->ips_life
.ipl_packets
.ipl_count
),
3250 (!(extensions_bitmaps
[EXT_BITS_OUT
][EXT_BITS_REQ
][msg_type
] &
3251 1 << SADB_EXT_ADDRESS_SRC
)
3252 || pfkey_safe_build(pfkey_address_build(&extensions
[SADB_EXT_ADDRESS_SRC
],
3253 SADB_EXT_ADDRESS_SRC
,
3254 extr
->ips
->ips_said
.proto
,
3256 extr
->ips
->ips_addr_s
),
3258 (!(extensions_bitmaps
[EXT_BITS_OUT
][EXT_BITS_REQ
][msg_type
] &
3259 1 << SADB_EXT_ADDRESS_DST
)
3260 || pfkey_safe_build(pfkey_address_build(&extensions
[SADB_EXT_ADDRESS_DST
],
3261 SADB_EXT_ADDRESS_DST
,
3262 extr
->ips
->ips_said
.proto
,
3264 extr
->ips
->ips_addr_d
),
3268 KLIPS_PRINT(debug_pfkey
, "klips_debug:pfkey_build_reply: "
3269 "building extensions failed\n");
3273 KLIPS_PRINT(debug_pfkey
,
3274 "klips_debug:pfkey_build_reply: "
3275 "built extensions, proceed to build the message\n");
3276 KLIPS_PRINT(debug_pfkey
,
3277 "klips_debug:pfkey_build_reply: "
3278 "extensions[1]=0p%p\n",
3280 error
= pfkey_msg_build(pfkey_reply
, extensions
, EXT_BITS_OUT
);
3281 pfkey_extensions_free(extensions
);
3287 pfkey_msg_interp(struct sock
*sk
, struct sadb_msg
*pfkey_msg
,
3288 struct sadb_msg
**pfkey_reply
)
3292 struct sadb_ext
*extensions
[SADB_EXT_MAX
+1];
3293 struct pfkey_extracted_data extr
= {NULL
, NULL
, NULL
};
3295 pfkey_extensions_init(extensions
);
3296 KLIPS_PRINT(debug_pfkey
,
3297 "klips_debug:pfkey_msg_interp: "
3298 "parsing message ver=%d, type=%d, errno=%d, satype=%d(%s), len=%d, res=%d, seq=%d, pid=%d.\n",
3299 pfkey_msg
->sadb_msg_version
,
3300 pfkey_msg
->sadb_msg_type
,
3301 pfkey_msg
->sadb_msg_errno
,
3302 pfkey_msg
->sadb_msg_satype
,
3303 satype2name(pfkey_msg
->sadb_msg_satype
),
3304 pfkey_msg
->sadb_msg_len
,
3305 pfkey_msg
->sadb_msg_reserved
,
3306 pfkey_msg
->sadb_msg_seq
,
3307 pfkey_msg
->sadb_msg_pid
);
3309 extr
.ips
= ipsec_sa_alloc(&error
); /* pass in error var by pointer */
3310 if(extr
.ips
== NULL
) {
3311 KLIPS_PRINT(debug_pfkey
,
3312 "klips_debug:pfkey_msg_interp: "
3313 "memory allocation error.\n");
3317 KLIPS_PRINT(debug_pfkey
,
3318 "klips_debug:pfkey_msg_interp: "
3319 "allocated extr->ips=0p%p.\n",
3322 if(pfkey_msg
->sadb_msg_satype
> SADB_SATYPE_MAX
) {
3323 KLIPS_PRINT(debug_pfkey
,
3324 "klips_debug:pfkey_msg_interp: "
3325 "satype %d > max %d\n",
3326 pfkey_msg
->sadb_msg_satype
,
3331 switch(pfkey_msg
->sadb_msg_type
) {
3337 case SADB_X_ADDFLOW
:
3338 if(!(extr
.ips
->ips_said
.proto
= satype2proto(pfkey_msg
->sadb_msg_satype
))) {
3339 KLIPS_PRINT(debug_pfkey
,
3340 "klips_debug:pfkey_msg_interp: "
3341 "satype %d lookup failed.\n",
3342 pfkey_msg
->sadb_msg_satype
);
3345 KLIPS_PRINT(debug_pfkey
,
3346 "klips_debug:pfkey_msg_interp: "
3347 "satype %d lookups to proto=%d.\n",
3348 pfkey_msg
->sadb_msg_satype
,
3349 extr
.ips
->ips_said
.proto
);
3356 /* The NULL below causes the default extension parsers to be used */
3357 /* Parse the extensions */
3358 if((error
= pfkey_msg_parse(pfkey_msg
, NULL
, extensions
, EXT_BITS_IN
)))
3360 KLIPS_PRINT(debug_pfkey
,
3361 "klips_debug:pfkey_msg_interp: "
3362 "message parsing failed with error %d.\n",
3367 /* Process the extensions */
3368 for(i
=1; i
<= SADB_EXT_MAX
;i
++) {
3369 if(extensions
[i
] != NULL
) {
3370 KLIPS_PRINT(debug_pfkey
,
3371 "klips_debug:pfkey_msg_interp: "
3372 "processing ext %d 0p%p with processor 0p%p.\n",
3373 i
, extensions
[i
], ext_processors
[i
]);
3374 if((error
= ext_processors
[i
](extensions
[i
], &extr
))) {
3375 KLIPS_PRINT(debug_pfkey
,
3376 "klips_debug:pfkey_msg_interp: "
3377 "extension processing for type %d failed with error %d.\n",
3387 /* Parse the message types */
3388 KLIPS_PRINT(debug_pfkey
,
3389 "klips_debug:pfkey_msg_interp: "
3390 "parsing message type %d(%s) with msg_parser 0p%p.\n",
3391 pfkey_msg
->sadb_msg_type
,
3392 pfkey_v2_sadb_type_string(pfkey_msg
->sadb_msg_type
),
3393 msg_parsers
[pfkey_msg
->sadb_msg_type
]);
3394 if((error
= msg_parsers
[pfkey_msg
->sadb_msg_type
](sk
, extensions
, &extr
))) {
3395 KLIPS_PRINT(debug_pfkey
,
3396 "klips_debug:pfkey_msg_interp: "
3397 "message parsing failed with error %d.\n",
3403 error
= pfkey_build_reply(pfkey_msg
, &extr
, pfkey_reply
);
3405 *pfkey_reply
= NULL
;
3409 if(extr
.ips
!= NULL
) {
3410 ipsec_sa_wipe(extr
.ips
);
3412 if(extr
.ips2
!= NULL
) {
3413 ipsec_sa_wipe(extr
.ips2
);
3415 if (extr
.eroute
!= NULL
) {