- fixed include path
[strongswan.git] / linux / lib / libfreeswan / pfkey_v2_parse.c
1 /*
2 * RFC2367 PF_KEYv2 Key management API message parser
3 * Copyright (C) 1999, 2000, 2001 Richard Guy Briggs.
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 *
15 * RCSID $Id: pfkey_v2_parse.c,v 1.4 2004/06/13 20:35:07 as Exp $
16 */
17
18 /*
19 * Template from klips/net/ipsec/ipsec/ipsec_parser.c.
20 */
21
22 char pfkey_v2_parse_c_version[] = "$Id: pfkey_v2_parse.c,v 1.4 2004/06/13 20:35:07 as Exp $";
23
24 /*
25 * Some ugly stuff to allow consistent debugging code for use in the
26 * kernel and in user space
27 */
28
29 #ifdef __KERNEL__
30
31 # include <linux/kernel.h> /* for printk */
32
33 #include "freeswan/ipsec_kversion.h" /* for malloc switch */
34
35 # ifdef MALLOC_SLAB
36 # include <linux/slab.h> /* kmalloc() */
37 # else /* MALLOC_SLAB */
38 # include <linux/malloc.h> /* kmalloc() */
39 # endif /* MALLOC_SLAB */
40 # include <linux/errno.h> /* error codes */
41 # include <linux/types.h> /* size_t */
42 # include <linux/interrupt.h> /* mark_bh */
43
44 # include <linux/netdevice.h> /* struct device, and other headers */
45 # include <linux/etherdevice.h> /* eth_type_trans */
46 # include <linux/ip.h> /* struct iphdr */
47 # if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
48 # include <linux/ipv6.h> /* struct ipv6hdr */
49 # endif /* if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) */
50 extern int debug_pfkey;
51
52 # include <freeswan.h>
53
54 #include "freeswan/ipsec_encap.h"
55
56 #else /* __KERNEL__ */
57
58 # include <sys/types.h>
59 # include <linux/types.h>
60 # include <linux/errno.h>
61
62 # include <freeswan.h>
63 # include "src/pluto/constants.h"
64 # include "src/pluto/defs.h" /* for PRINTF_LIKE */
65 # include "src/pluto/log.h" /* for debugging and DBG_log */
66
67 /* #define PLUTO */
68
69 # ifdef PLUTO
70 # define DEBUGGING(level, args...) { DBG_log("pfkey_lib_debug:" args); }
71 # else
72 # define DEBUGGING(level, args...) if(pfkey_lib_debug & level) { printf("pfkey_lib_debug:" args); } else { ; }
73 # endif
74
75 #endif /* __KERNEL__ */
76
77
78 #include <pfkeyv2.h>
79 #include <pfkey.h>
80
81 #ifdef __KERNEL__
82 extern int sysctl_ipsec_debug_verbose;
83 # define DEBUGGING(level, args...) \
84 KLIPS_PRINT( \
85 ((debug_pfkey & level & (PF_KEY_DEBUG_PARSE_STRUCT | PF_KEY_DEBUG_PARSE_PROBLEM)) \
86 || (sysctl_ipsec_debug_verbose && (debug_pfkey & level & PF_KEY_DEBUG_PARSE_FLOW))) \
87 , "klips_debug:" args)
88 #endif /* __KERNEL__ */
89 #include "freeswan/ipsec_sa.h" /* IPSEC_SAREF_NULL, IPSEC_SA_REF_TABLE_IDX_WIDTH */
90
91
92 #define SENDERR(_x) do { error = -(_x); goto errlab; } while (0)
93
94 struct satype_tbl {
95 uint8_t proto;
96 uint8_t satype;
97 char* name;
98 } static satype_tbl[] = {
99 #ifdef __KERNEL__
100 { IPPROTO_ESP, SADB_SATYPE_ESP, "ESP" },
101 { IPPROTO_AH, SADB_SATYPE_AH, "AH" },
102 { IPPROTO_IPIP, SADB_X_SATYPE_IPIP, "IPIP" },
103 #ifdef CONFIG_IPSEC_IPCOMP
104 { IPPROTO_COMP, SADB_X_SATYPE_COMP, "COMP" },
105 #endif /* CONFIG_IPSEC_IPCOMP */
106 { IPPROTO_INT, SADB_X_SATYPE_INT, "INT" },
107 #else /* __KERNEL__ */
108 { SA_ESP, SADB_SATYPE_ESP, "ESP" },
109 { SA_AH, SADB_SATYPE_AH, "AH" },
110 { SA_IPIP, SADB_X_SATYPE_IPIP, "IPIP" },
111 { SA_COMP, SADB_X_SATYPE_COMP, "COMP" },
112 { SA_INT, SADB_X_SATYPE_INT, "INT" },
113 #endif /* __KERNEL__ */
114 { 0, 0, "UNKNOWN" }
115 };
116
117 uint8_t
118 satype2proto(uint8_t satype)
119 {
120 int i =0;
121
122 while(satype_tbl[i].satype != satype && satype_tbl[i].satype != 0) {
123 i++;
124 }
125 return satype_tbl[i].proto;
126 }
127
128 uint8_t
129 proto2satype(uint8_t proto)
130 {
131 int i = 0;
132
133 while(satype_tbl[i].proto != proto && satype_tbl[i].proto != 0) {
134 i++;
135 }
136 return satype_tbl[i].satype;
137 }
138
139 char*
140 satype2name(uint8_t satype)
141 {
142 int i = 0;
143
144 while(satype_tbl[i].satype != satype && satype_tbl[i].satype != 0) {
145 i++;
146 }
147 return satype_tbl[i].name;
148 }
149
150 char*
151 proto2name(uint8_t proto)
152 {
153 int i = 0;
154
155 while(satype_tbl[i].proto != proto && satype_tbl[i].proto != 0) {
156 i++;
157 }
158 return satype_tbl[i].name;
159 }
160
161 /* Default extension parsers taken from the KLIPS code */
162
163 DEBUG_NO_STATIC int
164 pfkey_sa_parse(struct sadb_ext *pfkey_ext)
165 {
166 int error = 0;
167 struct sadb_sa *pfkey_sa = (struct sadb_sa *)pfkey_ext;
168 #if 0
169 struct sadb_sa sav2;
170 #endif
171
172 DEBUGGING(PF_KEY_DEBUG_PARSE_FLOW,
173 "pfkey_sa_parse: entry\n");
174 /* sanity checks... */
175 if(!pfkey_sa) {
176 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
177 "pfkey_sa_parse: "
178 "NULL pointer passed in.\n");
179 SENDERR(EINVAL);
180 }
181
182 #if 0
183 /* check if this structure is short, and if so, fix it up.
184 * XXX this is NOT the way to do things.
185 */
186 if(pfkey_sa->sadb_sa_len == sizeof(struct sadb_sa_v1)/IPSEC_PFKEYv2_ALIGN) {
187
188 /* yes, so clear out a temporary structure, and copy first */
189 memset(&sav2, 0, sizeof(sav2));
190 memcpy(&sav2, pfkey_sa, sizeof(struct sadb_sa_v1));
191 sav2.sadb_x_sa_ref=-1;
192 sav2.sadb_sa_len = sizeof(struct sadb_sa) / IPSEC_PFKEYv2_ALIGN;
193
194 pfkey_sa = &sav2;
195 }
196 #endif
197
198
199 if(pfkey_sa->sadb_sa_len != sizeof(struct sadb_sa) / IPSEC_PFKEYv2_ALIGN) {
200 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
201 "pfkey_sa_parse: "
202 "length wrong pfkey_sa->sadb_sa_len=%d sizeof(struct sadb_sa)=%d.\n",
203 pfkey_sa->sadb_sa_len,
204 (int)sizeof(struct sadb_sa));
205 SENDERR(EINVAL);
206 }
207
208 if(pfkey_sa->sadb_sa_encrypt > SADB_EALG_MAX) {
209 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
210 "pfkey_sa_parse: "
211 "pfkey_sa->sadb_sa_encrypt=%d > SADB_EALG_MAX=%d.\n",
212 pfkey_sa->sadb_sa_encrypt,
213 SADB_EALG_MAX);
214 SENDERR(EINVAL);
215 }
216
217 if(pfkey_sa->sadb_sa_auth > SADB_AALG_MAX) {
218 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
219 "pfkey_sa_parse: "
220 "pfkey_sa->sadb_sa_auth=%d > SADB_AALG_MAX=%d.\n",
221 pfkey_sa->sadb_sa_auth,
222 SADB_AALG_MAX);
223 SENDERR(EINVAL);
224 }
225
226 if(pfkey_sa->sadb_sa_state > SADB_SASTATE_MAX) {
227 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
228 "pfkey_sa_parse: "
229 "state=%d exceeds MAX=%d.\n",
230 pfkey_sa->sadb_sa_state,
231 SADB_SASTATE_MAX);
232 SENDERR(EINVAL);
233 }
234
235 if(pfkey_sa->sadb_sa_state == SADB_SASTATE_DEAD) {
236 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
237 "pfkey_sa_parse: "
238 "state=%d is DEAD=%d.\n",
239 pfkey_sa->sadb_sa_state,
240 SADB_SASTATE_DEAD);
241 SENDERR(EINVAL);
242 }
243
244 if(pfkey_sa->sadb_sa_replay > 64) {
245 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
246 "pfkey_sa_parse: "
247 "replay window size: %d -- must be 0 <= size <= 64\n",
248 pfkey_sa->sadb_sa_replay);
249 SENDERR(EINVAL);
250 }
251
252 if(! ((pfkey_sa->sadb_sa_exttype == SADB_EXT_SA) ||
253 (pfkey_sa->sadb_sa_exttype == SADB_X_EXT_SA2)))
254 {
255 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
256 "pfkey_sa_parse: "
257 "unknown exttype=%d, expecting SADB_EXT_SA=%d or SADB_X_EXT_SA2=%d.\n",
258 pfkey_sa->sadb_sa_exttype,
259 SADB_EXT_SA,
260 SADB_X_EXT_SA2);
261 SENDERR(EINVAL);
262 }
263
264 if((IPSEC_SAREF_NULL != pfkey_sa->sadb_x_sa_ref) && (pfkey_sa->sadb_x_sa_ref >= (1 << IPSEC_SA_REF_TABLE_IDX_WIDTH))) {
265 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
266 "pfkey_sa_parse: "
267 "SAref=%d must be (SAref == IPSEC_SAREF_NULL(%d) || SAref < IPSEC_SA_REF_TABLE_NUM_ENTRIES(%d)).\n",
268 pfkey_sa->sadb_x_sa_ref,
269 IPSEC_SAREF_NULL,
270 IPSEC_SA_REF_TABLE_NUM_ENTRIES);
271 SENDERR(EINVAL);
272 }
273
274 DEBUGGING(PF_KEY_DEBUG_PARSE_STRUCT,
275 "pfkey_sa_parse: "
276 "successfully found len=%d exttype=%d(%s) spi=%08lx replay=%d state=%d auth=%d encrypt=%d flags=%d ref=%d.\n",
277 pfkey_sa->sadb_sa_len,
278 pfkey_sa->sadb_sa_exttype,
279 pfkey_v2_sadb_ext_string(pfkey_sa->sadb_sa_exttype),
280 (long unsigned int)ntohl(pfkey_sa->sadb_sa_spi),
281 pfkey_sa->sadb_sa_replay,
282 pfkey_sa->sadb_sa_state,
283 pfkey_sa->sadb_sa_auth,
284 pfkey_sa->sadb_sa_encrypt,
285 pfkey_sa->sadb_sa_flags,
286 pfkey_sa->sadb_x_sa_ref);
287
288 errlab:
289 return error;
290 }
291
292 DEBUG_NO_STATIC int
293 pfkey_lifetime_parse(struct sadb_ext *pfkey_ext)
294 {
295 int error = 0;
296 struct sadb_lifetime *pfkey_lifetime = (struct sadb_lifetime *)pfkey_ext;
297
298 DEBUGGING(PF_KEY_DEBUG_PARSE_FLOW,
299 "pfkey_lifetime_parse:enter\n");
300 /* sanity checks... */
301 if(!pfkey_lifetime) {
302 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
303 "pfkey_lifetime_parse: "
304 "NULL pointer passed in.\n");
305 SENDERR(EINVAL);
306 }
307
308 if(pfkey_lifetime->sadb_lifetime_len !=
309 sizeof(struct sadb_lifetime) / IPSEC_PFKEYv2_ALIGN) {
310 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
311 "pfkey_lifetime_parse: "
312 "length wrong pfkey_lifetime->sadb_lifetime_len=%d sizeof(struct sadb_lifetime)=%d.\n",
313 pfkey_lifetime->sadb_lifetime_len,
314 (int)sizeof(struct sadb_lifetime));
315 SENDERR(EINVAL);
316 }
317
318 if((pfkey_lifetime->sadb_lifetime_exttype != SADB_EXT_LIFETIME_HARD) &&
319 (pfkey_lifetime->sadb_lifetime_exttype != SADB_EXT_LIFETIME_SOFT) &&
320 (pfkey_lifetime->sadb_lifetime_exttype != SADB_EXT_LIFETIME_CURRENT)) {
321 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
322 "pfkey_lifetime_parse: "
323 "unexpected ext_type=%d.\n",
324 pfkey_lifetime->sadb_lifetime_exttype);
325 SENDERR(EINVAL);
326 }
327
328 DEBUGGING(PF_KEY_DEBUG_PARSE_STRUCT,
329 "pfkey_lifetime_parse: "
330 "life_type=%d(%s) alloc=%u bytes=%u add=%u use=%u pkts=%u.\n",
331 pfkey_lifetime->sadb_lifetime_exttype,
332 pfkey_v2_sadb_ext_string(pfkey_lifetime->sadb_lifetime_exttype),
333 pfkey_lifetime->sadb_lifetime_allocations,
334 (unsigned)pfkey_lifetime->sadb_lifetime_bytes,
335 (unsigned)pfkey_lifetime->sadb_lifetime_addtime,
336 (unsigned)pfkey_lifetime->sadb_lifetime_usetime,
337 pfkey_lifetime->sadb_x_lifetime_packets);
338 errlab:
339 return error;
340 }
341
342 DEBUG_NO_STATIC int
343 pfkey_address_parse(struct sadb_ext *pfkey_ext)
344 {
345 int error = 0;
346 int saddr_len = 0;
347 struct sadb_address *pfkey_address = (struct sadb_address *)pfkey_ext;
348 struct sockaddr* s = (struct sockaddr*)((char*)pfkey_address + sizeof(*pfkey_address));
349 char ipaddr_txt[ADDRTOT_BUF];
350
351 DEBUGGING(PF_KEY_DEBUG_PARSE_FLOW,
352 "pfkey_address_parse:enter\n");
353 /* sanity checks... */
354 if(!pfkey_address) {
355 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
356 "pfkey_address_parse: "
357 "NULL pointer passed in.\n");
358 SENDERR(EINVAL);
359 }
360
361 if(pfkey_address->sadb_address_len <
362 (sizeof(struct sadb_address) + sizeof(struct sockaddr))/
363 IPSEC_PFKEYv2_ALIGN) {
364 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
365 "pfkey_address_parse: "
366 "size wrong 1 ext_len=%d, adr_ext_len=%d, saddr_len=%d.\n",
367 pfkey_address->sadb_address_len,
368 (int)sizeof(struct sadb_address),
369 (int)sizeof(struct sockaddr));
370 SENDERR(EINVAL);
371 }
372
373 if(pfkey_address->sadb_address_reserved) {
374 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
375 "pfkey_address_parse: "
376 "res=%d, must be zero.\n",
377 pfkey_address->sadb_address_reserved);
378 SENDERR(EINVAL);
379 }
380
381 switch(pfkey_address->sadb_address_exttype) {
382 case SADB_EXT_ADDRESS_SRC:
383 case SADB_EXT_ADDRESS_DST:
384 case SADB_EXT_ADDRESS_PROXY:
385 case SADB_X_EXT_ADDRESS_DST2:
386 case SADB_X_EXT_ADDRESS_SRC_FLOW:
387 case SADB_X_EXT_ADDRESS_DST_FLOW:
388 case SADB_X_EXT_ADDRESS_SRC_MASK:
389 case SADB_X_EXT_ADDRESS_DST_MASK:
390 #ifdef NAT_TRAVERSAL
391 case SADB_X_EXT_NAT_T_OA:
392 #endif
393 break;
394 default:
395 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
396 "pfkey_address_parse: "
397 "unexpected ext_type=%d.\n",
398 pfkey_address->sadb_address_exttype);
399 SENDERR(EINVAL);
400 }
401
402 switch(s->sa_family) {
403 case AF_INET:
404 saddr_len = sizeof(struct sockaddr_in);
405 sprintf(ipaddr_txt, "%d.%d.%d.%d"
406 , (((struct sockaddr_in*)s)->sin_addr.s_addr >> 0) & 0xFF
407 , (((struct sockaddr_in*)s)->sin_addr.s_addr >> 8) & 0xFF
408 , (((struct sockaddr_in*)s)->sin_addr.s_addr >> 16) & 0xFF
409 , (((struct sockaddr_in*)s)->sin_addr.s_addr >> 24) & 0xFF);
410 DEBUGGING(PF_KEY_DEBUG_PARSE_STRUCT,
411 "pfkey_address_parse: "
412 "found exttype=%u(%s) family=%d(AF_INET) address=%s proto=%u port=%u.\n",
413 pfkey_address->sadb_address_exttype,
414 pfkey_v2_sadb_ext_string(pfkey_address->sadb_address_exttype),
415 s->sa_family,
416 ipaddr_txt,
417 pfkey_address->sadb_address_proto,
418 ntohs(((struct sockaddr_in*)s)->sin_port));
419 break;
420 case AF_INET6:
421 saddr_len = sizeof(struct sockaddr_in6);
422 sprintf(ipaddr_txt, "%x:%x:%x:%x:%x:%x:%x:%x"
423 , ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr16[0])
424 , ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr16[1])
425 , ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr16[2])
426 , ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr16[3])
427 , ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr16[4])
428 , ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr16[5])
429 , ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr16[6])
430 , ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr16[7]));
431 DEBUGGING(PF_KEY_DEBUG_PARSE_STRUCT,
432 "pfkey_address_parse: "
433 "found exttype=%u(%s) family=%d(AF_INET6) address=%s proto=%u port=%u.\n",
434 pfkey_address->sadb_address_exttype,
435 pfkey_v2_sadb_ext_string(pfkey_address->sadb_address_exttype),
436 s->sa_family,
437 ipaddr_txt,
438 pfkey_address->sadb_address_proto,
439 ((struct sockaddr_in6*)s)->sin6_port);
440 break;
441 default:
442 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
443 "pfkey_address_parse: "
444 "s->sa_family=%d not supported.\n",
445 s->sa_family);
446 SENDERR(EPFNOSUPPORT);
447 }
448
449 if(pfkey_address->sadb_address_len !=
450 DIVUP(sizeof(struct sadb_address) + saddr_len, IPSEC_PFKEYv2_ALIGN)) {
451 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
452 "pfkey_address_parse: "
453 "size wrong 2 ext_len=%d, adr_ext_len=%d, saddr_len=%d.\n",
454 pfkey_address->sadb_address_len,
455 (int)sizeof(struct sadb_address),
456 saddr_len);
457 SENDERR(EINVAL);
458 }
459
460 if(pfkey_address->sadb_address_prefixlen != 0) {
461 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
462 "pfkey_address_parse: "
463 "address prefixes not supported yet.\n");
464 SENDERR(EAFNOSUPPORT); /* not supported yet */
465 }
466
467 /* XXX check if port!=0 */
468
469 DEBUGGING(PF_KEY_DEBUG_PARSE_FLOW,
470 "pfkey_address_parse: successful.\n");
471 errlab:
472 return error;
473 }
474
475 DEBUG_NO_STATIC int
476 pfkey_key_parse(struct sadb_ext *pfkey_ext)
477 {
478 int error = 0;
479 struct sadb_key *pfkey_key = (struct sadb_key *)pfkey_ext;
480
481 DEBUGGING(PF_KEY_DEBUG_PARSE_FLOW,
482 "pfkey_key_parse:enter\n");
483 /* sanity checks... */
484
485 if(!pfkey_key) {
486 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
487 "pfkey_key_parse: "
488 "NULL pointer passed in.\n");
489 SENDERR(EINVAL);
490 }
491
492 if(pfkey_key->sadb_key_len < sizeof(struct sadb_key) / IPSEC_PFKEYv2_ALIGN) {
493 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
494 "pfkey_key_parse: "
495 "size wrong ext_len=%d, key_ext_len=%d.\n",
496 pfkey_key->sadb_key_len,
497 (int)sizeof(struct sadb_key));
498 SENDERR(EINVAL);
499 }
500
501 if(!pfkey_key->sadb_key_bits) {
502 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
503 "pfkey_key_parse: "
504 "key length set to zero, must be non-zero.\n");
505 SENDERR(EINVAL);
506 }
507
508 if(pfkey_key->sadb_key_len !=
509 DIVUP(sizeof(struct sadb_key) * OCTETBITS + pfkey_key->sadb_key_bits,
510 PFKEYBITS)) {
511 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
512 "pfkey_key_parse: "
513 "key length=%d does not agree with extension length=%d.\n",
514 pfkey_key->sadb_key_bits,
515 pfkey_key->sadb_key_len);
516 SENDERR(EINVAL);
517 }
518
519 if(pfkey_key->sadb_key_reserved) {
520 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
521 "pfkey_key_parse: "
522 "res=%d, must be zero.\n",
523 pfkey_key->sadb_key_reserved);
524 SENDERR(EINVAL);
525 }
526
527 if(! ( (pfkey_key->sadb_key_exttype == SADB_EXT_KEY_AUTH) ||
528 (pfkey_key->sadb_key_exttype == SADB_EXT_KEY_ENCRYPT))) {
529 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
530 "pfkey_key_parse: "
531 "expecting extension type AUTH or ENCRYPT, got %d.\n",
532 pfkey_key->sadb_key_exttype);
533 SENDERR(EINVAL);
534 }
535
536 DEBUGGING(PF_KEY_DEBUG_PARSE_STRUCT,
537 "pfkey_key_parse: "
538 "success, found len=%d exttype=%d(%s) bits=%d reserved=%d.\n",
539 pfkey_key->sadb_key_len,
540 pfkey_key->sadb_key_exttype,
541 pfkey_v2_sadb_ext_string(pfkey_key->sadb_key_exttype),
542 pfkey_key->sadb_key_bits,
543 pfkey_key->sadb_key_reserved);
544
545 errlab:
546 return error;
547 }
548
549 DEBUG_NO_STATIC int
550 pfkey_ident_parse(struct sadb_ext *pfkey_ext)
551 {
552 int error = 0;
553 struct sadb_ident *pfkey_ident = (struct sadb_ident *)pfkey_ext;
554
555 /* sanity checks... */
556 if(pfkey_ident->sadb_ident_len < sizeof(struct sadb_ident) / IPSEC_PFKEYv2_ALIGN) {
557 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
558 "pfkey_ident_parse: "
559 "size wrong ext_len=%d, key_ext_len=%d.\n",
560 pfkey_ident->sadb_ident_len,
561 (int)sizeof(struct sadb_ident));
562 SENDERR(EINVAL);
563 }
564
565 if(pfkey_ident->sadb_ident_type > SADB_IDENTTYPE_MAX) {
566 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
567 "pfkey_ident_parse: "
568 "ident_type=%d out of range, must be less than %d.\n",
569 pfkey_ident->sadb_ident_type,
570 SADB_IDENTTYPE_MAX);
571 SENDERR(EINVAL);
572 }
573
574 if(pfkey_ident->sadb_ident_reserved) {
575 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
576 "pfkey_ident_parse: "
577 "res=%d, must be zero.\n",
578 pfkey_ident->sadb_ident_reserved);
579 SENDERR(EINVAL);
580 }
581
582 /* string terminator/padding must be zero */
583 if(pfkey_ident->sadb_ident_len > sizeof(struct sadb_ident) / IPSEC_PFKEYv2_ALIGN) {
584 if(*((char*)pfkey_ident + pfkey_ident->sadb_ident_len * IPSEC_PFKEYv2_ALIGN - 1)) {
585 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
586 "pfkey_ident_parse: "
587 "string padding must be zero, last is 0x%02x.\n",
588 *((char*)pfkey_ident +
589 pfkey_ident->sadb_ident_len * IPSEC_PFKEYv2_ALIGN - 1));
590 SENDERR(EINVAL);
591 }
592 }
593
594 if( ! ((pfkey_ident->sadb_ident_exttype == SADB_EXT_IDENTITY_SRC) ||
595 (pfkey_ident->sadb_ident_exttype == SADB_EXT_IDENTITY_DST))) {
596 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
597 "pfkey_key_parse: "
598 "expecting extension type IDENTITY_SRC or IDENTITY_DST, got %d.\n",
599 pfkey_ident->sadb_ident_exttype);
600 SENDERR(EINVAL);
601 }
602
603 errlab:
604 return error;
605 }
606
607 DEBUG_NO_STATIC int
608 pfkey_sens_parse(struct sadb_ext *pfkey_ext)
609 {
610 int error = 0;
611 struct sadb_sens *pfkey_sens = (struct sadb_sens *)pfkey_ext;
612
613 /* sanity checks... */
614 if(pfkey_sens->sadb_sens_len < sizeof(struct sadb_sens) / IPSEC_PFKEYv2_ALIGN) {
615 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
616 "pfkey_sens_parse: "
617 "size wrong ext_len=%d, key_ext_len=%d.\n",
618 pfkey_sens->sadb_sens_len,
619 (int)sizeof(struct sadb_sens));
620 SENDERR(EINVAL);
621 }
622
623 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
624 "pfkey_sens_parse: "
625 "Sorry, I can't parse exttype=%d yet.\n",
626 pfkey_ext->sadb_ext_type);
627 #if 0
628 SENDERR(EINVAL); /* don't process these yet */
629 #endif
630
631 errlab:
632 return error;
633 }
634
635 DEBUG_NO_STATIC int
636 pfkey_prop_parse(struct sadb_ext *pfkey_ext)
637 {
638 int error = 0;
639 int i, num_comb;
640 struct sadb_prop *pfkey_prop = (struct sadb_prop *)pfkey_ext;
641 struct sadb_comb *pfkey_comb = (struct sadb_comb *)((char*)pfkey_ext + sizeof(struct sadb_prop));
642
643 /* sanity checks... */
644 if((pfkey_prop->sadb_prop_len < sizeof(struct sadb_prop) / IPSEC_PFKEYv2_ALIGN) ||
645 (((pfkey_prop->sadb_prop_len * IPSEC_PFKEYv2_ALIGN) - sizeof(struct sadb_prop)) % sizeof(struct sadb_comb))) {
646 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
647 "pfkey_prop_parse: "
648 "size wrong ext_len=%d, prop_ext_len=%d comb_ext_len=%d.\n",
649 pfkey_prop->sadb_prop_len,
650 (int)sizeof(struct sadb_prop),
651 (int)sizeof(struct sadb_comb));
652 SENDERR(EINVAL);
653 }
654
655 if(pfkey_prop->sadb_prop_replay > 64) {
656 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
657 "pfkey_prop_parse: "
658 "replay window size: %d -- must be 0 <= size <= 64\n",
659 pfkey_prop->sadb_prop_replay);
660 SENDERR(EINVAL);
661 }
662
663 for(i=0; i<3; i++) {
664 if(pfkey_prop->sadb_prop_reserved[i]) {
665 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
666 "pfkey_prop_parse: "
667 "res[%d]=%d, must be zero.\n",
668 i, pfkey_prop->sadb_prop_reserved[i]);
669 SENDERR(EINVAL);
670 }
671 }
672
673 num_comb = ((pfkey_prop->sadb_prop_len * IPSEC_PFKEYv2_ALIGN) - sizeof(struct sadb_prop)) / sizeof(struct sadb_comb);
674
675 for(i = 0; i < num_comb; i++) {
676 if(pfkey_comb->sadb_comb_auth > SADB_AALG_MAX) {
677 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
678 "pfkey_prop_parse: "
679 "pfkey_comb[%d]->sadb_comb_auth=%d > SADB_AALG_MAX=%d.\n",
680 i,
681 pfkey_comb->sadb_comb_auth,
682 SADB_AALG_MAX);
683 SENDERR(EINVAL);
684 }
685
686 if(pfkey_comb->sadb_comb_auth) {
687 if(!pfkey_comb->sadb_comb_auth_minbits) {
688 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
689 "pfkey_prop_parse: "
690 "pfkey_comb[%d]->sadb_comb_auth_minbits=0, fatal.\n",
691 i);
692 SENDERR(EINVAL);
693 }
694 if(!pfkey_comb->sadb_comb_auth_maxbits) {
695 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
696 "pfkey_prop_parse: "
697 "pfkey_comb[%d]->sadb_comb_auth_maxbits=0, fatal.\n",
698 i);
699 SENDERR(EINVAL);
700 }
701 if(pfkey_comb->sadb_comb_auth_minbits > pfkey_comb->sadb_comb_auth_maxbits) {
702 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
703 "pfkey_prop_parse: "
704 "pfkey_comb[%d]->sadb_comb_auth_minbits=%d > maxbits=%d, fatal.\n",
705 i,
706 pfkey_comb->sadb_comb_auth_minbits,
707 pfkey_comb->sadb_comb_auth_maxbits);
708 SENDERR(EINVAL);
709 }
710 } else {
711 if(pfkey_comb->sadb_comb_auth_minbits) {
712 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
713 "pfkey_prop_parse: "
714 "pfkey_comb[%d]->sadb_comb_auth_minbits=%d != 0, fatal.\n",
715 i,
716 pfkey_comb->sadb_comb_auth_minbits);
717 SENDERR(EINVAL);
718 }
719 if(pfkey_comb->sadb_comb_auth_maxbits) {
720 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
721 "pfkey_prop_parse: "
722 "pfkey_comb[%d]->sadb_comb_auth_maxbits=%d != 0, fatal.\n",
723 i,
724 pfkey_comb->sadb_comb_auth_maxbits);
725 SENDERR(EINVAL);
726 }
727 }
728
729 if(pfkey_comb->sadb_comb_encrypt > SADB_EALG_MAX) {
730 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
731 "pfkey_comb_parse: "
732 "pfkey_comb[%d]->sadb_comb_encrypt=%d > SADB_EALG_MAX=%d.\n",
733 i,
734 pfkey_comb->sadb_comb_encrypt,
735 SADB_EALG_MAX);
736 SENDERR(EINVAL);
737 }
738
739 if(pfkey_comb->sadb_comb_encrypt) {
740 if(!pfkey_comb->sadb_comb_encrypt_minbits) {
741 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
742 "pfkey_prop_parse: "
743 "pfkey_comb[%d]->sadb_comb_encrypt_minbits=0, fatal.\n",
744 i);
745 SENDERR(EINVAL);
746 }
747 if(!pfkey_comb->sadb_comb_encrypt_maxbits) {
748 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
749 "pfkey_prop_parse: "
750 "pfkey_comb[%d]->sadb_comb_encrypt_maxbits=0, fatal.\n",
751 i);
752 SENDERR(EINVAL);
753 }
754 if(pfkey_comb->sadb_comb_encrypt_minbits > pfkey_comb->sadb_comb_encrypt_maxbits) {
755 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
756 "pfkey_prop_parse: "
757 "pfkey_comb[%d]->sadb_comb_encrypt_minbits=%d > maxbits=%d, fatal.\n",
758 i,
759 pfkey_comb->sadb_comb_encrypt_minbits,
760 pfkey_comb->sadb_comb_encrypt_maxbits);
761 SENDERR(EINVAL);
762 }
763 } else {
764 if(pfkey_comb->sadb_comb_encrypt_minbits) {
765 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
766 "pfkey_prop_parse: "
767 "pfkey_comb[%d]->sadb_comb_encrypt_minbits=%d != 0, fatal.\n",
768 i,
769 pfkey_comb->sadb_comb_encrypt_minbits);
770 SENDERR(EINVAL);
771 }
772 if(pfkey_comb->sadb_comb_encrypt_maxbits) {
773 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
774 "pfkey_prop_parse: "
775 "pfkey_comb[%d]->sadb_comb_encrypt_maxbits=%d != 0, fatal.\n",
776 i,
777 pfkey_comb->sadb_comb_encrypt_maxbits);
778 SENDERR(EINVAL);
779 }
780 }
781
782 /* XXX do sanity check on flags */
783
784 if(pfkey_comb->sadb_comb_hard_allocations && pfkey_comb->sadb_comb_soft_allocations > pfkey_comb->sadb_comb_hard_allocations) {
785 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
786 "pfkey_prop_parse: "
787 "pfkey_comb[%d]->sadb_comb_soft_allocations=%d > hard_allocations=%d, fatal.\n",
788 i,
789 pfkey_comb->sadb_comb_soft_allocations,
790 pfkey_comb->sadb_comb_hard_allocations);
791 SENDERR(EINVAL);
792 }
793
794 if(pfkey_comb->sadb_comb_hard_bytes && pfkey_comb->sadb_comb_soft_bytes > pfkey_comb->sadb_comb_hard_bytes) {
795 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
796 "pfkey_prop_parse: "
797 "pfkey_comb[%d]->sadb_comb_soft_bytes=%Ld > hard_bytes=%Ld, fatal.\n",
798 i,
799 (unsigned long long int)pfkey_comb->sadb_comb_soft_bytes,
800 (unsigned long long int)pfkey_comb->sadb_comb_hard_bytes);
801 SENDERR(EINVAL);
802 }
803
804 if(pfkey_comb->sadb_comb_hard_addtime && pfkey_comb->sadb_comb_soft_addtime > pfkey_comb->sadb_comb_hard_addtime) {
805 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
806 "pfkey_prop_parse: "
807 "pfkey_comb[%d]->sadb_comb_soft_addtime=%Ld > hard_addtime=%Ld, fatal.\n",
808 i,
809 (unsigned long long int)pfkey_comb->sadb_comb_soft_addtime,
810 (unsigned long long int)pfkey_comb->sadb_comb_hard_addtime);
811 SENDERR(EINVAL);
812 }
813
814 if(pfkey_comb->sadb_comb_hard_usetime && pfkey_comb->sadb_comb_soft_usetime > pfkey_comb->sadb_comb_hard_usetime) {
815 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
816 "pfkey_prop_parse: "
817 "pfkey_comb[%d]->sadb_comb_soft_usetime=%Ld > hard_usetime=%Ld, fatal.\n",
818 i,
819 (unsigned long long int)pfkey_comb->sadb_comb_soft_usetime,
820 (unsigned long long int)pfkey_comb->sadb_comb_hard_usetime);
821 SENDERR(EINVAL);
822 }
823
824 if(pfkey_comb->sadb_x_comb_hard_packets && pfkey_comb->sadb_x_comb_soft_packets > pfkey_comb->sadb_x_comb_hard_packets) {
825 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
826 "pfkey_prop_parse: "
827 "pfkey_comb[%d]->sadb_x_comb_soft_packets=%d > hard_packets=%d, fatal.\n",
828 i,
829 pfkey_comb->sadb_x_comb_soft_packets,
830 pfkey_comb->sadb_x_comb_hard_packets);
831 SENDERR(EINVAL);
832 }
833
834 if(pfkey_comb->sadb_comb_reserved) {
835 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
836 "pfkey_prop_parse: "
837 "comb[%d].res=%d, must be zero.\n",
838 i,
839 pfkey_comb->sadb_comb_reserved);
840 SENDERR(EINVAL);
841 }
842 pfkey_comb++;
843 }
844
845 errlab:
846 return error;
847 }
848
849 DEBUG_NO_STATIC int
850 pfkey_supported_parse(struct sadb_ext *pfkey_ext)
851 {
852 int error = 0;
853 unsigned int i, num_alg;
854 struct sadb_supported *pfkey_supported = (struct sadb_supported *)pfkey_ext;
855 struct sadb_alg *pfkey_alg = (struct sadb_alg*)((char*)pfkey_ext + sizeof(struct sadb_supported));
856
857 /* sanity checks... */
858 if((pfkey_supported->sadb_supported_len <
859 sizeof(struct sadb_supported) / IPSEC_PFKEYv2_ALIGN) ||
860 (((pfkey_supported->sadb_supported_len * IPSEC_PFKEYv2_ALIGN) -
861 sizeof(struct sadb_supported)) % sizeof(struct sadb_alg))) {
862
863 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
864 "pfkey_supported_parse: "
865 "size wrong ext_len=%d, supported_ext_len=%d alg_ext_len=%d.\n",
866 pfkey_supported->sadb_supported_len,
867 (int)sizeof(struct sadb_supported),
868 (int)sizeof(struct sadb_alg));
869 SENDERR(EINVAL);
870 }
871
872 if(pfkey_supported->sadb_supported_reserved) {
873 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
874 "pfkey_supported_parse: "
875 "res=%d, must be zero.\n",
876 pfkey_supported->sadb_supported_reserved);
877 SENDERR(EINVAL);
878 }
879
880 num_alg = ((pfkey_supported->sadb_supported_len * IPSEC_PFKEYv2_ALIGN) - sizeof(struct sadb_supported)) / sizeof(struct sadb_alg);
881
882 for(i = 0; i < num_alg; i++) {
883 /* process algo description */
884 if(pfkey_alg->sadb_alg_reserved) {
885 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
886 "pfkey_supported_parse: "
887 "alg[%d], id=%d, ivlen=%d, minbits=%d, maxbits=%d, res=%d, must be zero.\n",
888 i,
889 pfkey_alg->sadb_alg_id,
890 pfkey_alg->sadb_alg_ivlen,
891 pfkey_alg->sadb_alg_minbits,
892 pfkey_alg->sadb_alg_maxbits,
893 pfkey_alg->sadb_alg_reserved);
894 SENDERR(EINVAL);
895 }
896
897 /* XXX can alg_id auth/enc be determined from info given?
898 Yes, but OpenBSD's method does not iteroperate with rfc2367.
899 rgb, 2000-04-06 */
900
901 switch(pfkey_supported->sadb_supported_exttype) {
902 case SADB_EXT_SUPPORTED_AUTH:
903 if(pfkey_alg->sadb_alg_id > SADB_AALG_MAX) {
904 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
905 "pfkey_supported_parse: "
906 "alg[%d], alg_id=%d > SADB_AALG_MAX=%d, fatal.\n",
907 i,
908 pfkey_alg->sadb_alg_id,
909 SADB_AALG_MAX);
910 SENDERR(EINVAL);
911 }
912 break;
913 case SADB_EXT_SUPPORTED_ENCRYPT:
914 if(pfkey_alg->sadb_alg_id > SADB_EALG_MAX) {
915 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
916 "pfkey_supported_parse: "
917 "alg[%d], alg_id=%d > SADB_EALG_MAX=%d, fatal.\n",
918 i,
919 pfkey_alg->sadb_alg_id,
920 SADB_EALG_MAX);
921 SENDERR(EINVAL);
922 }
923 break;
924 default:
925 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
926 "pfkey_supported_parse: "
927 "alg[%d], alg_id=%d > SADB_EALG_MAX=%d, fatal.\n",
928 i,
929 pfkey_alg->sadb_alg_id,
930 SADB_EALG_MAX);
931 SENDERR(EINVAL);
932 }
933 pfkey_alg++;
934 }
935
936 errlab:
937 return error;
938 }
939
940 DEBUG_NO_STATIC int
941 pfkey_spirange_parse(struct sadb_ext *pfkey_ext)
942 {
943 int error = 0;
944 struct sadb_spirange *pfkey_spirange = (struct sadb_spirange *)pfkey_ext;
945
946 /* sanity checks... */
947 if(pfkey_spirange->sadb_spirange_len !=
948 sizeof(struct sadb_spirange) / IPSEC_PFKEYv2_ALIGN) {
949 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
950 "pfkey_spirange_parse: "
951 "size wrong ext_len=%d, key_ext_len=%d.\n",
952 pfkey_spirange->sadb_spirange_len,
953 (int)sizeof(struct sadb_spirange));
954 SENDERR(EINVAL);
955 }
956
957 if(pfkey_spirange->sadb_spirange_reserved) {
958 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
959 "pfkey_spirange_parse: "
960 "reserved=%d must be set to zero.\n",
961 pfkey_spirange->sadb_spirange_reserved);
962 SENDERR(EINVAL);
963 }
964
965 if(ntohl(pfkey_spirange->sadb_spirange_max) < ntohl(pfkey_spirange->sadb_spirange_min)) {
966 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
967 "pfkey_spirange_parse: "
968 "minspi=%08x must be < maxspi=%08x.\n",
969 ntohl(pfkey_spirange->sadb_spirange_min),
970 ntohl(pfkey_spirange->sadb_spirange_max));
971 SENDERR(EINVAL);
972 }
973
974 if(ntohl(pfkey_spirange->sadb_spirange_min) <= 255) {
975 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
976 "pfkey_spirange_parse: "
977 "minspi=%08x must be > 255.\n",
978 ntohl(pfkey_spirange->sadb_spirange_min));
979 SENDERR(EEXIST);
980 }
981
982 DEBUGGING(PF_KEY_DEBUG_PARSE_STRUCT,
983 "pfkey_spirange_parse: "
984 "ext_len=%u ext_type=%u(%s) min=%u max=%u res=%u.\n",
985 pfkey_spirange->sadb_spirange_len,
986 pfkey_spirange->sadb_spirange_exttype,
987 pfkey_v2_sadb_ext_string(pfkey_spirange->sadb_spirange_exttype),
988 pfkey_spirange->sadb_spirange_min,
989 pfkey_spirange->sadb_spirange_max,
990 pfkey_spirange->sadb_spirange_reserved);
991 errlab:
992 return error;
993 }
994
995 DEBUG_NO_STATIC int
996 pfkey_x_kmprivate_parse(struct sadb_ext *pfkey_ext)
997 {
998 int error = 0;
999 struct sadb_x_kmprivate *pfkey_x_kmprivate = (struct sadb_x_kmprivate *)pfkey_ext;
1000
1001 /* sanity checks... */
1002 if(pfkey_x_kmprivate->sadb_x_kmprivate_len <
1003 sizeof(struct sadb_x_kmprivate) / IPSEC_PFKEYv2_ALIGN) {
1004 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1005 "pfkey_x_kmprivate_parse: "
1006 "size wrong ext_len=%d, key_ext_len=%d.\n",
1007 pfkey_x_kmprivate->sadb_x_kmprivate_len,
1008 (int)sizeof(struct sadb_x_kmprivate));
1009 SENDERR(EINVAL);
1010 }
1011
1012 if(pfkey_x_kmprivate->sadb_x_kmprivate_reserved) {
1013 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1014 "pfkey_x_kmprivate_parse: "
1015 "reserved=%d must be set to zero.\n",
1016 pfkey_x_kmprivate->sadb_x_kmprivate_reserved);
1017 SENDERR(EINVAL);
1018 }
1019
1020 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1021 "pfkey_x_kmprivate_parse: "
1022 "Sorry, I can't parse exttype=%d yet.\n",
1023 pfkey_ext->sadb_ext_type);
1024 SENDERR(EINVAL); /* don't process these yet */
1025
1026 errlab:
1027 return error;
1028 }
1029
1030 DEBUG_NO_STATIC int
1031 pfkey_x_satype_parse(struct sadb_ext *pfkey_ext)
1032 {
1033 int error = 0;
1034 int i;
1035 struct sadb_x_satype *pfkey_x_satype = (struct sadb_x_satype *)pfkey_ext;
1036
1037 DEBUGGING(PF_KEY_DEBUG_PARSE_FLOW,
1038 "pfkey_x_satype_parse: enter\n");
1039 /* sanity checks... */
1040 if(pfkey_x_satype->sadb_x_satype_len !=
1041 sizeof(struct sadb_x_satype) / IPSEC_PFKEYv2_ALIGN) {
1042 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1043 "pfkey_x_satype_parse: "
1044 "size wrong ext_len=%d, key_ext_len=%d.\n",
1045 pfkey_x_satype->sadb_x_satype_len,
1046 (int)sizeof(struct sadb_x_satype));
1047 SENDERR(EINVAL);
1048 }
1049
1050 if(!pfkey_x_satype->sadb_x_satype_satype) {
1051 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1052 "pfkey_x_satype_parse: "
1053 "satype is zero, must be non-zero.\n");
1054 SENDERR(EINVAL);
1055 }
1056
1057 if(pfkey_x_satype->sadb_x_satype_satype > SADB_SATYPE_MAX) {
1058 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1059 "pfkey_x_satype_parse: "
1060 "satype %d > max %d, invalid.\n",
1061 pfkey_x_satype->sadb_x_satype_satype, SADB_SATYPE_MAX);
1062 SENDERR(EINVAL);
1063 }
1064
1065 if(!(satype2proto(pfkey_x_satype->sadb_x_satype_satype))) {
1066 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1067 "pfkey_x_satype_parse: "
1068 "proto lookup from satype=%d failed.\n",
1069 pfkey_x_satype->sadb_x_satype_satype);
1070 SENDERR(EINVAL);
1071 }
1072
1073 for(i = 0; i < 3; i++) {
1074 if(pfkey_x_satype->sadb_x_satype_reserved[i]) {
1075 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1076 "pfkey_x_satype_parse: "
1077 "reserved[%d]=%d must be set to zero.\n",
1078 i, pfkey_x_satype->sadb_x_satype_reserved[i]);
1079 SENDERR(EINVAL);
1080 }
1081 }
1082
1083 DEBUGGING(PF_KEY_DEBUG_PARSE_STRUCT,
1084 "pfkey_x_satype_parse: "
1085 "len=%u ext=%u(%s) satype=%u(%s) res=%u,%u,%u.\n",
1086 pfkey_x_satype->sadb_x_satype_len,
1087 pfkey_x_satype->sadb_x_satype_exttype,
1088 pfkey_v2_sadb_ext_string(pfkey_x_satype->sadb_x_satype_exttype),
1089 pfkey_x_satype->sadb_x_satype_satype,
1090 satype2name(pfkey_x_satype->sadb_x_satype_satype),
1091 pfkey_x_satype->sadb_x_satype_reserved[0],
1092 pfkey_x_satype->sadb_x_satype_reserved[1],
1093 pfkey_x_satype->sadb_x_satype_reserved[2]);
1094 errlab:
1095 return error;
1096 }
1097
1098 DEBUG_NO_STATIC int
1099 pfkey_x_ext_debug_parse(struct sadb_ext *pfkey_ext)
1100 {
1101 int error = 0;
1102 int i;
1103 struct sadb_x_debug *pfkey_x_debug = (struct sadb_x_debug *)pfkey_ext;
1104
1105 DEBUGGING(PF_KEY_DEBUG_PARSE_FLOW,
1106 "pfkey_x_debug_parse: enter\n");
1107 /* sanity checks... */
1108 if(pfkey_x_debug->sadb_x_debug_len !=
1109 sizeof(struct sadb_x_debug) / IPSEC_PFKEYv2_ALIGN) {
1110 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1111 "pfkey_x_debug_parse: "
1112 "size wrong ext_len=%d, key_ext_len=%d.\n",
1113 pfkey_x_debug->sadb_x_debug_len,
1114 (int)sizeof(struct sadb_x_debug));
1115 SENDERR(EINVAL);
1116 }
1117
1118 for(i = 0; i < 4; i++) {
1119 if(pfkey_x_debug->sadb_x_debug_reserved[i]) {
1120 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1121 "pfkey_x_debug_parse: "
1122 "reserved[%d]=%d must be set to zero.\n",
1123 i, pfkey_x_debug->sadb_x_debug_reserved[i]);
1124 SENDERR(EINVAL);
1125 }
1126 }
1127
1128 errlab:
1129 return error;
1130 }
1131
1132 DEBUG_NO_STATIC int
1133 pfkey_x_ext_protocol_parse(struct sadb_ext *pfkey_ext)
1134 {
1135 int error = 0;
1136 struct sadb_protocol *p = (struct sadb_protocol *)pfkey_ext;
1137
1138 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM, "pfkey_x_protocol_parse:\n");
1139 /* sanity checks... */
1140
1141 if (p->sadb_protocol_len != sizeof(*p)/IPSEC_PFKEYv2_ALIGN) {
1142 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1143 "pfkey_x_protocol_parse: size wrong ext_len=%d, key_ext_len=%d.\n",
1144 p->sadb_protocol_len, (int)sizeof(*p));
1145 SENDERR(EINVAL);
1146 }
1147
1148 if (p->sadb_protocol_reserved2 != 0) {
1149 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1150 "pfkey_protocol_parse: res=%d, must be zero.\n",
1151 p->sadb_protocol_reserved2);
1152 SENDERR(EINVAL);
1153 }
1154
1155 errlab:
1156 return error;
1157 }
1158
1159 #ifdef NAT_TRAVERSAL
1160 DEBUG_NO_STATIC int
1161 pfkey_x_ext_nat_t_type_parse(struct sadb_ext *pfkey_ext)
1162 {
1163 return 0;
1164 }
1165 DEBUG_NO_STATIC int
1166 pfkey_x_ext_nat_t_port_parse(struct sadb_ext *pfkey_ext)
1167 {
1168 return 0;
1169 }
1170 #endif
1171
1172 #define DEFINEPARSER(NAME) static struct pf_key_ext_parsers_def NAME##_def={NAME, #NAME};
1173
1174 DEFINEPARSER(pfkey_sa_parse);
1175 DEFINEPARSER(pfkey_lifetime_parse);
1176 DEFINEPARSER(pfkey_address_parse);
1177 DEFINEPARSER(pfkey_key_parse);
1178 DEFINEPARSER(pfkey_ident_parse);
1179 DEFINEPARSER(pfkey_sens_parse);
1180 DEFINEPARSER(pfkey_prop_parse);
1181 DEFINEPARSER(pfkey_supported_parse);
1182 DEFINEPARSER(pfkey_spirange_parse);
1183 DEFINEPARSER(pfkey_x_kmprivate_parse);
1184 DEFINEPARSER(pfkey_x_satype_parse);
1185 DEFINEPARSER(pfkey_x_ext_debug_parse);
1186 DEFINEPARSER(pfkey_x_ext_protocol_parse);
1187 #ifdef NAT_TRAVERSAL
1188 DEFINEPARSER(pfkey_x_ext_nat_t_type_parse);
1189 DEFINEPARSER(pfkey_x_ext_nat_t_port_parse);
1190 #endif
1191
1192 struct pf_key_ext_parsers_def *ext_default_parsers[]=
1193 {
1194 NULL, /* pfkey_msg_parse, */
1195 &pfkey_sa_parse_def,
1196 &pfkey_lifetime_parse_def,
1197 &pfkey_lifetime_parse_def,
1198 &pfkey_lifetime_parse_def,
1199 &pfkey_address_parse_def,
1200 &pfkey_address_parse_def,
1201 &pfkey_address_parse_def,
1202 &pfkey_key_parse_def,
1203 &pfkey_key_parse_def,
1204 &pfkey_ident_parse_def,
1205 &pfkey_ident_parse_def,
1206 &pfkey_sens_parse_def,
1207 &pfkey_prop_parse_def,
1208 &pfkey_supported_parse_def,
1209 &pfkey_supported_parse_def,
1210 &pfkey_spirange_parse_def,
1211 &pfkey_x_kmprivate_parse_def,
1212 &pfkey_x_satype_parse_def,
1213 &pfkey_sa_parse_def,
1214 &pfkey_address_parse_def,
1215 &pfkey_address_parse_def,
1216 &pfkey_address_parse_def,
1217 &pfkey_address_parse_def,
1218 &pfkey_address_parse_def,
1219 &pfkey_x_ext_debug_parse_def,
1220 &pfkey_x_ext_protocol_parse_def
1221 #ifdef NAT_TRAVERSAL
1222 ,
1223 &pfkey_x_ext_nat_t_type_parse_def,
1224 &pfkey_x_ext_nat_t_port_parse_def,
1225 &pfkey_x_ext_nat_t_port_parse_def,
1226 &pfkey_address_parse_def
1227 #endif
1228 };
1229
1230 int
1231 pfkey_msg_parse(struct sadb_msg *pfkey_msg,
1232 struct pf_key_ext_parsers_def *ext_parsers[],
1233 struct sadb_ext *extensions[],
1234 int dir)
1235 {
1236 int error = 0;
1237 int remain;
1238 struct sadb_ext *pfkey_ext;
1239 int extensions_seen = 0;
1240
1241 DEBUGGING(PF_KEY_DEBUG_PARSE_STRUCT,
1242 "pfkey_msg_parse: "
1243 "parsing message ver=%d, type=%d(%s), errno=%d, satype=%d(%s), len=%d, res=%d, seq=%d, pid=%d.\n",
1244 pfkey_msg->sadb_msg_version,
1245 pfkey_msg->sadb_msg_type,
1246 pfkey_v2_sadb_type_string(pfkey_msg->sadb_msg_type),
1247 pfkey_msg->sadb_msg_errno,
1248 pfkey_msg->sadb_msg_satype,
1249 satype2name(pfkey_msg->sadb_msg_satype),
1250 pfkey_msg->sadb_msg_len,
1251 pfkey_msg->sadb_msg_reserved,
1252 pfkey_msg->sadb_msg_seq,
1253 pfkey_msg->sadb_msg_pid);
1254
1255 if(ext_parsers == NULL) ext_parsers = ext_default_parsers;
1256
1257 pfkey_extensions_init(extensions);
1258
1259 remain = pfkey_msg->sadb_msg_len;
1260 remain -= sizeof(struct sadb_msg) / IPSEC_PFKEYv2_ALIGN;
1261
1262 pfkey_ext = (struct sadb_ext*)((char*)pfkey_msg +
1263 sizeof(struct sadb_msg));
1264
1265 extensions[0] = (struct sadb_ext *) pfkey_msg;
1266
1267
1268 if(pfkey_msg->sadb_msg_version != PF_KEY_V2) {
1269 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1270 "pfkey_msg_parse: "
1271 "not PF_KEY_V2 msg, found %d, should be %d.\n",
1272 pfkey_msg->sadb_msg_version,
1273 PF_KEY_V2);
1274 SENDERR(EINVAL);
1275 }
1276
1277 if(!pfkey_msg->sadb_msg_type) {
1278 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1279 "pfkey_msg_parse: "
1280 "msg type not set, must be non-zero..\n");
1281 SENDERR(EINVAL);
1282 }
1283
1284 if(pfkey_msg->sadb_msg_type > SADB_MAX) {
1285 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1286 "pfkey_msg_parse: "
1287 "msg type=%d > max=%d.\n",
1288 pfkey_msg->sadb_msg_type,
1289 SADB_MAX);
1290 SENDERR(EINVAL);
1291 }
1292
1293 switch(pfkey_msg->sadb_msg_type) {
1294 case SADB_GETSPI:
1295 case SADB_UPDATE:
1296 case SADB_ADD:
1297 case SADB_DELETE:
1298 case SADB_GET:
1299 case SADB_X_GRPSA:
1300 case SADB_X_ADDFLOW:
1301 if(!satype2proto(pfkey_msg->sadb_msg_satype)) {
1302 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1303 "pfkey_msg_parse: "
1304 "satype %d conversion to proto failed for msg_type %d (%s).\n",
1305 pfkey_msg->sadb_msg_satype,
1306 pfkey_msg->sadb_msg_type,
1307 pfkey_v2_sadb_type_string(pfkey_msg->sadb_msg_type));
1308 SENDERR(EINVAL);
1309 } else {
1310 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1311 "pfkey_msg_parse: "
1312 "satype %d(%s) conversion to proto gives %d for msg_type %d(%s).\n",
1313 pfkey_msg->sadb_msg_satype,
1314 satype2name(pfkey_msg->sadb_msg_satype),
1315 satype2proto(pfkey_msg->sadb_msg_satype),
1316 pfkey_msg->sadb_msg_type,
1317 pfkey_v2_sadb_type_string(pfkey_msg->sadb_msg_type));
1318 }
1319 case SADB_ACQUIRE:
1320 case SADB_REGISTER:
1321 case SADB_EXPIRE:
1322 if(!pfkey_msg->sadb_msg_satype) {
1323 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1324 "pfkey_msg_parse: "
1325 "satype is zero, must be non-zero for msg_type %d(%s).\n",
1326 pfkey_msg->sadb_msg_type,
1327 pfkey_v2_sadb_type_string(pfkey_msg->sadb_msg_type));
1328 SENDERR(EINVAL);
1329 }
1330 default:
1331 break;
1332 }
1333
1334 /* errno must not be set in downward messages */
1335 /* this is not entirely true... a response to an ACQUIRE could return an error */
1336 if((dir == EXT_BITS_IN) && (pfkey_msg->sadb_msg_type != SADB_ACQUIRE) && pfkey_msg->sadb_msg_errno) {
1337 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1338 "pfkey_msg_parse: "
1339 "errno set to %d.\n",
1340 pfkey_msg->sadb_msg_errno);
1341 SENDERR(EINVAL);
1342 }
1343
1344 DEBUGGING(PF_KEY_DEBUG_PARSE_FLOW,
1345 "pfkey_msg_parse: "
1346 "remain=%d, ext_type=%d(%s), ext_len=%d.\n",
1347 remain,
1348 pfkey_ext->sadb_ext_type,
1349 pfkey_v2_sadb_ext_string(pfkey_ext->sadb_ext_type),
1350 pfkey_ext->sadb_ext_len);
1351
1352 DEBUGGING(PF_KEY_DEBUG_PARSE_FLOW,
1353 "pfkey_msg_parse: "
1354 "extensions permitted=%08x, required=%08x.\n",
1355 extensions_bitmaps[dir][EXT_BITS_PERM][pfkey_msg->sadb_msg_type],
1356 extensions_bitmaps[dir][EXT_BITS_REQ][pfkey_msg->sadb_msg_type]);
1357
1358 extensions_seen = 1;
1359
1360 while( (remain * IPSEC_PFKEYv2_ALIGN) >= sizeof(struct sadb_ext) ) {
1361 /* Is there enough message left to support another extension header? */
1362 if(remain < pfkey_ext->sadb_ext_len) {
1363 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1364 "pfkey_msg_parse: "
1365 "remain %d less than ext len %d.\n",
1366 remain, pfkey_ext->sadb_ext_len);
1367 SENDERR(EINVAL);
1368 }
1369
1370 DEBUGGING(PF_KEY_DEBUG_PARSE_FLOW,
1371 "pfkey_msg_parse: "
1372 "parsing ext type=%d(%s) remain=%d.\n",
1373 pfkey_ext->sadb_ext_type,
1374 pfkey_v2_sadb_ext_string(pfkey_ext->sadb_ext_type),
1375 remain);
1376
1377 /* Is the extension header type valid? */
1378 if((pfkey_ext->sadb_ext_type > SADB_EXT_MAX) || (!pfkey_ext->sadb_ext_type)) {
1379 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1380 "pfkey_msg_parse: "
1381 "ext type %d(%s) invalid, SADB_EXT_MAX=%d.\n",
1382 pfkey_ext->sadb_ext_type,
1383 pfkey_v2_sadb_ext_string(pfkey_ext->sadb_ext_type),
1384 SADB_EXT_MAX);
1385 SENDERR(EINVAL);
1386 }
1387
1388 /* Have we already seen this type of extension? */
1389 if((extensions_seen & ( 1 << pfkey_ext->sadb_ext_type )) != 0)
1390 {
1391 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1392 "pfkey_msg_parse: "
1393 "ext type %d(%s) already seen.\n",
1394 pfkey_ext->sadb_ext_type,
1395 pfkey_v2_sadb_ext_string(pfkey_ext->sadb_ext_type));
1396 SENDERR(EINVAL);
1397 }
1398
1399 /* Do I even know about this type of extension? */
1400 if(ext_parsers[pfkey_ext->sadb_ext_type]==NULL) {
1401 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1402 "pfkey_msg_parse: "
1403 "ext type %d(%s) unknown, ignoring.\n",
1404 pfkey_ext->sadb_ext_type,
1405 pfkey_v2_sadb_ext_string(pfkey_ext->sadb_ext_type));
1406 goto next_ext;
1407 }
1408
1409 /* Is this type of extension permitted for this type of message? */
1410 if(!(extensions_bitmaps[dir][EXT_BITS_PERM][pfkey_msg->sadb_msg_type] &
1411 1<<pfkey_ext->sadb_ext_type)) {
1412 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1413 "pfkey_msg_parse: "
1414 "ext type %d(%s) not permitted, exts_perm_in=%08x, 1<<type=%08x\n",
1415 pfkey_ext->sadb_ext_type,
1416 pfkey_v2_sadb_ext_string(pfkey_ext->sadb_ext_type),
1417 extensions_bitmaps[dir][EXT_BITS_PERM][pfkey_msg->sadb_msg_type],
1418 1<<pfkey_ext->sadb_ext_type);
1419 SENDERR(EINVAL);
1420 }
1421
1422 DEBUGGING(PF_KEY_DEBUG_PARSE_STRUCT,
1423 "pfkey_msg_parse: "
1424 "remain=%d ext_type=%d(%s) ext_len=%d parsing ext 0p%p with parser %s.\n",
1425 remain,
1426 pfkey_ext->sadb_ext_type,
1427 pfkey_v2_sadb_ext_string(pfkey_ext->sadb_ext_type),
1428 pfkey_ext->sadb_ext_len,
1429 pfkey_ext,
1430 ext_parsers[pfkey_ext->sadb_ext_type]->parser_name);
1431
1432 /* Parse the extension */
1433 if((error =
1434 (*ext_parsers[pfkey_ext->sadb_ext_type]->parser)(pfkey_ext))) {
1435 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1436 "pfkey_msg_parse: "
1437 "extension parsing for type %d(%s) failed with error %d.\n",
1438 pfkey_ext->sadb_ext_type,
1439 pfkey_v2_sadb_ext_string(pfkey_ext->sadb_ext_type),
1440 error);
1441 SENDERR(-error);
1442 }
1443 DEBUGGING(PF_KEY_DEBUG_PARSE_FLOW,
1444 "pfkey_msg_parse: "
1445 "Extension %d(%s) parsed.\n",
1446 pfkey_ext->sadb_ext_type,
1447 pfkey_v2_sadb_ext_string(pfkey_ext->sadb_ext_type));
1448
1449 /* Mark that we have seen this extension and remember the header location */
1450 extensions_seen |= ( 1 << pfkey_ext->sadb_ext_type );
1451 extensions[pfkey_ext->sadb_ext_type] = pfkey_ext;
1452
1453 next_ext:
1454 /* Calculate how much message remains */
1455 remain -= pfkey_ext->sadb_ext_len;
1456
1457 if(!remain) {
1458 break;
1459 }
1460 /* Find the next extension header */
1461 pfkey_ext = (struct sadb_ext*)((char*)pfkey_ext +
1462 pfkey_ext->sadb_ext_len * IPSEC_PFKEYv2_ALIGN);
1463 }
1464
1465 if(remain) {
1466 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1467 "pfkey_msg_parse: "
1468 "unexpected remainder of %d.\n",
1469 remain);
1470 /* why is there still something remaining? */
1471 SENDERR(EINVAL);
1472 }
1473
1474 /* check required extensions */
1475 DEBUGGING(PF_KEY_DEBUG_PARSE_STRUCT,
1476 "pfkey_msg_parse: "
1477 "extensions permitted=%08x, seen=%08x, required=%08x.\n",
1478 extensions_bitmaps[dir][EXT_BITS_PERM][pfkey_msg->sadb_msg_type],
1479 extensions_seen,
1480 extensions_bitmaps[dir][EXT_BITS_REQ][pfkey_msg->sadb_msg_type]);
1481
1482 /* don't check further if it is an error return message since it
1483 may not have a body */
1484 if(pfkey_msg->sadb_msg_errno) {
1485 SENDERR(-error);
1486 }
1487
1488 if((extensions_seen &
1489 extensions_bitmaps[dir][EXT_BITS_REQ][pfkey_msg->sadb_msg_type]) !=
1490 extensions_bitmaps[dir][EXT_BITS_REQ][pfkey_msg->sadb_msg_type]) {
1491 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1492 "pfkey_msg_parse: "
1493 "required extensions missing:%08x.\n",
1494 extensions_bitmaps[dir][EXT_BITS_REQ][pfkey_msg->sadb_msg_type] -
1495 (extensions_seen &
1496 extensions_bitmaps[dir][EXT_BITS_REQ][pfkey_msg->sadb_msg_type]));
1497 SENDERR(EINVAL);
1498 }
1499
1500 if((dir == EXT_BITS_IN) && (pfkey_msg->sadb_msg_type == SADB_X_DELFLOW)
1501 && ((extensions_seen & SADB_X_EXT_ADDRESS_DELFLOW)
1502 != SADB_X_EXT_ADDRESS_DELFLOW)
1503 && (((extensions_seen & (1<<SADB_EXT_SA)) != (1<<SADB_EXT_SA))
1504 || ((((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_flags
1505 & SADB_X_SAFLAGS_CLEARFLOW)
1506 != SADB_X_SAFLAGS_CLEARFLOW))) {
1507 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1508 "pfkey_msg_parse: "
1509 "required SADB_X_DELFLOW extensions missing: either %08x must be present or %08x must be present with SADB_X_SAFLAGS_CLEARFLOW set.\n",
1510 SADB_X_EXT_ADDRESS_DELFLOW
1511 - (extensions_seen & SADB_X_EXT_ADDRESS_DELFLOW),
1512 (1<<SADB_EXT_SA) - (extensions_seen & (1<<SADB_EXT_SA)));
1513 SENDERR(EINVAL);
1514 }
1515
1516 switch(pfkey_msg->sadb_msg_type) {
1517 case SADB_ADD:
1518 case SADB_UPDATE:
1519 /* check maturity */
1520 if(((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_state !=
1521 SADB_SASTATE_MATURE) {
1522 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1523 "pfkey_msg_parse: "
1524 "state=%d for add or update should be MATURE=%d.\n",
1525 ((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_state,
1526 SADB_SASTATE_MATURE);
1527 SENDERR(EINVAL);
1528 }
1529
1530 /* check AH and ESP */
1531 switch(((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_satype) {
1532 case SADB_SATYPE_AH:
1533 if(!(((struct sadb_sa*)extensions[SADB_EXT_SA]) &&
1534 ((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_auth !=
1535 SADB_AALG_NONE)) {
1536 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1537 "pfkey_msg_parse: "
1538 "auth alg is zero, must be non-zero for AH SAs.\n");
1539 SENDERR(EINVAL);
1540 }
1541 if(((struct sadb_sa*)(extensions[SADB_EXT_SA]))->sadb_sa_encrypt !=
1542 SADB_EALG_NONE) {
1543 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1544 "pfkey_msg_parse: "
1545 "AH handed encalg=%d, must be zero.\n",
1546 ((struct sadb_sa*)(extensions[SADB_EXT_SA]))->sadb_sa_encrypt);
1547 SENDERR(EINVAL);
1548 }
1549 break;
1550 case SADB_SATYPE_ESP:
1551 if(!(((struct sadb_sa*)extensions[SADB_EXT_SA]) &&
1552 ((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_encrypt !=
1553 SADB_EALG_NONE)) {
1554 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1555 "pfkey_msg_parse: "
1556 "encrypt alg=%d is zero, must be non-zero for ESP=%d SAs.\n",
1557 ((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_encrypt,
1558 ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_satype);
1559 SENDERR(EINVAL);
1560 }
1561 if((((struct sadb_sa*)(extensions[SADB_EXT_SA]))->sadb_sa_encrypt ==
1562 SADB_EALG_NULL) &&
1563 (((struct sadb_sa*)(extensions[SADB_EXT_SA]))->sadb_sa_auth ==
1564 SADB_AALG_NONE) ) {
1565 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1566 "pfkey_msg_parse: "
1567 "ESP handed encNULL+authNONE, illegal combination.\n");
1568 SENDERR(EINVAL);
1569 }
1570 break;
1571 case SADB_X_SATYPE_COMP:
1572 if(!(((struct sadb_sa*)extensions[SADB_EXT_SA]) &&
1573 ((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_encrypt !=
1574 SADB_EALG_NONE)) {
1575 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1576 "pfkey_msg_parse: "
1577 "encrypt alg=%d is zero, must be non-zero for COMP=%d SAs.\n",
1578 ((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_encrypt,
1579 ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_satype);
1580 SENDERR(EINVAL);
1581 }
1582 if(((struct sadb_sa*)(extensions[SADB_EXT_SA]))->sadb_sa_auth !=
1583 SADB_AALG_NONE) {
1584 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1585 "pfkey_msg_parse: "
1586 "COMP handed auth=%d, must be zero.\n",
1587 ((struct sadb_sa*)(extensions[SADB_EXT_SA]))->sadb_sa_auth);
1588 SENDERR(EINVAL);
1589 }
1590 break;
1591 default:
1592 break;
1593 }
1594 if(ntohl(((struct sadb_sa*)(extensions[SADB_EXT_SA]))->sadb_sa_spi) <= 255) {
1595 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1596 "pfkey_msg_parse: "
1597 "spi=%08x must be > 255.\n",
1598 ntohl(((struct sadb_sa*)(extensions[SADB_EXT_SA]))->sadb_sa_spi));
1599 SENDERR(EINVAL);
1600 }
1601 default:
1602 break;
1603 }
1604 errlab:
1605
1606 return error;
1607 }
1608
1609 /*
1610 * $Log: pfkey_v2_parse.c,v $
1611 * Revision 1.4 2004/06/13 20:35:07 as
1612 * removed references to ipsec_netlink.h
1613 *
1614 * Revision 1.3 2004/03/30 10:00:17 as
1615 * 64 bit issues
1616 *
1617 * Revision 1.2 2004/03/22 21:53:18 as
1618 * merged alg-0.8.1 branch with HEAD
1619 *
1620 * Revision 1.1.2.1 2004/03/15 22:30:06 as
1621 * nat-0.6c patch merged
1622 *
1623 * Revision 1.1 2004/03/15 20:35:26 as
1624 * added files from freeswan-2.04-x509-1.5.3
1625 *
1626 * Revision 1.53 2003/01/30 02:32:09 rgb
1627 *
1628 * Rename SAref table macro names for clarity.
1629 * Convert IPsecSAref_t from signed to unsigned to fix apparent SAref exhaustion bug.
1630 *
1631 * Revision 1.52 2002/12/30 06:53:07 mcr
1632 * deal with short SA structures... #if 0 out for now. Probably
1633 * not quite the right way.
1634 *
1635 * Revision 1.51 2002/12/13 18:16:02 mcr
1636 * restored sa_ref code
1637 *
1638 * Revision 1.50 2002/12/13 18:06:52 mcr
1639 * temporarily removed sadb_x_sa_ref reference for 2.xx
1640 *
1641 * Revision 1.49 2002/10/05 05:02:58 dhr
1642 *
1643 * C labels go on statements
1644 *
1645 * Revision 1.48 2002/09/20 15:40:45 rgb
1646 * Added sadb_x_sa_ref to struct sadb_sa.
1647 *
1648 * Revision 1.47 2002/09/20 05:01:31 rgb
1649 * Fixed usage of pfkey_lib_debug.
1650 * Format for function declaration style consistency.
1651 * Added text labels to elucidate numeric values presented.
1652 * Re-organised debug output to reduce noise in output.
1653 *
1654 * Revision 1.46 2002/07/24 18:44:54 rgb
1655 * Type fiddling to tame ia64 compiler.
1656 *
1657 * Revision 1.45 2002/05/23 07:14:11 rgb
1658 * Cleaned up %p variants to 0p%p for test suite cleanup.
1659 *
1660 * Revision 1.44 2002/04/24 07:55:32 mcr
1661 * #include patches and Makefiles for post-reorg compilation.
1662 *
1663 * Revision 1.43 2002/04/24 07:36:40 mcr
1664 * Moved from ./lib/pfkey_v2_parse.c,v
1665 *
1666 * Revision 1.42 2002/01/29 22:25:36 rgb
1667 * Re-add ipsec_kversion.h to keep MALLOC happy.
1668 *
1669 * Revision 1.41 2002/01/29 01:59:10 mcr
1670 * removal of kversions.h - sources that needed it now use ipsec_param.h.
1671 * updating of IPv6 structures to match latest in6.h version.
1672 * removed dead code from freeswan.h that also duplicated kversions.h
1673 * code.
1674 *
1675 * Revision 1.40 2002/01/20 20:34:50 mcr
1676 * added pfkey_v2_sadb_type_string to decode sadb_type to string.
1677 *
1678 * Revision 1.39 2001/11/27 05:29:22 mcr
1679 * pfkey parses are now maintained by a structure
1680 * that includes their name for debug purposes.
1681 * DEBUGGING() macro changed so that it takes a debug
1682 * level so that pf_key() can use this to decode the
1683 * structures without innundanting humans.
1684 * Also uses pfkey_v2_sadb_ext_string() in messages.
1685 *
1686 * Revision 1.38 2001/11/06 19:47:47 rgb
1687 * Added packet parameter to lifetime and comb structures.
1688 *
1689 * Revision 1.37 2001/10/18 04:45:24 rgb
1690 * 2.4.9 kernel deprecates linux/malloc.h in favour of linux/slab.h,
1691 * lib/freeswan.h version macros moved to lib/kversions.h.
1692 * Other compiler directive cleanups.
1693 *
1694 * Revision 1.36 2001/06/14 19:35:16 rgb
1695 * Update copyright date.
1696 *
1697 * Revision 1.35 2001/05/03 19:44:51 rgb
1698 * Standardise on SENDERR() macro.
1699 *
1700 * Revision 1.34 2001/03/16 07:41:51 rgb
1701 * Put freeswan.h include before pluto includes.
1702 *
1703 * Revision 1.33 2001/02/27 07:13:51 rgb
1704 * Added satype2name() function.
1705 * Added text to default satype_tbl entry.
1706 * Added satype2name() conversions for most satype debug output.
1707 *
1708 * Revision 1.32 2001/02/26 20:01:09 rgb
1709 * Added internal IP protocol 61 for magic SAs.
1710 * Ditch unused sadb_satype2proto[], replaced by satype2proto().
1711 * Re-formatted debug output (split lines, consistent spacing).
1712 * Removed acquire, register and expire requirements for a known satype.
1713 * Changed message type checking to a switch structure.
1714 * Verify expected NULL auth for IPCOMP.
1715 * Enforced spi > 0x100 requirement, now that pass uses a magic SA for
1716 * appropriate message types.
1717 *
1718 * Revision 1.31 2000/12/01 07:09:00 rgb
1719 * Added ipcomp sanity check to require encalgo is set.
1720 *
1721 * Revision 1.30 2000/11/17 18:10:30 rgb
1722 * Fixed bugs mostly relating to spirange, to treat all spi variables as
1723 * network byte order since this is the way PF_KEYv2 stored spis.
1724 *
1725 * Revision 1.29 2000/10/12 00:02:39 rgb
1726 * Removed 'format, ##' nonsense from debug macros for RH7.0.
1727 *
1728 * Revision 1.28 2000/09/20 16:23:04 rgb
1729 * Remove over-paranoid extension check in the presence of sadb_msg_errno.
1730 *
1731 * Revision 1.27 2000/09/20 04:04:21 rgb
1732 * Changed static functions to DEBUG_NO_STATIC to reveal function names in
1733 * oopsen.
1734 *
1735 * Revision 1.26 2000/09/15 11:37:02 rgb
1736 * Merge in heavily modified Svenning Soerensen's <svenning@post5.tele.dk>
1737 * IPCOMP zlib deflate code.
1738 *
1739 * Revision 1.25 2000/09/12 22:35:37 rgb
1740 * Restructured to remove unused extensions from CLEARFLOW messages.
1741 *
1742 * Revision 1.24 2000/09/12 18:59:54 rgb
1743 * Added Gerhard's IPv6 support to pfkey parts of libfreeswan.
1744 *
1745 * Revision 1.23 2000/09/12 03:27:00 rgb
1746 * Moved DEBUGGING definition to compile kernel with debug off.
1747 *
1748 * Revision 1.22 2000/09/09 06:39:27 rgb
1749 * Restrict pfkey errno check to downward messages only.
1750 *
1751 * Revision 1.21 2000/09/08 19:22:34 rgb
1752 * Enabled pfkey_sens_parse().
1753 * Added check for errno on downward acquire messages only.
1754 *
1755 * Revision 1.20 2000/09/01 18:48:23 rgb
1756 * Fixed reserved check bug and added debug output in
1757 * pfkey_supported_parse().
1758 * Fixed debug output label bug in pfkey_ident_parse().
1759 *
1760 * Revision 1.19 2000/08/27 01:55:26 rgb
1761 * Define OCTETBITS and PFKEYBITS to avoid using 'magic' numbers in code.
1762 *
1763 * Revision 1.18 2000/08/24 17:00:36 rgb
1764 * Ignore unknown extensions instead of failing.
1765 *
1766 * Revision 1.17 2000/06/02 22:54:14 rgb
1767 * Added Gerhard Gessler's struct sockaddr_storage mods for IPv6 support.
1768 *
1769 * Revision 1.16 2000/05/10 19:25:11 rgb
1770 * Fleshed out proposal and supported extensions.
1771 *
1772 * Revision 1.15 2000/01/24 21:15:31 rgb
1773 * Added disabled pluto pfkey lib debug flag.
1774 * Added algo debugging reporting.
1775 *
1776 * Revision 1.14 2000/01/22 23:24:29 rgb
1777 * Added new functions proto2satype() and satype2proto() and lookup
1778 * table satype_tbl. Also added proto2name() since it was easy.
1779 *
1780 * Revision 1.13 2000/01/21 09:43:59 rgb
1781 * Cast ntohl(spi) as (unsigned long int) to shut up compiler.
1782 *
1783 * Revision 1.12 2000/01/21 06:28:19 rgb
1784 * Added address cases for eroute flows.
1785 * Indented compiler directives for readability.
1786 * Added klipsdebug switching capability.
1787 *
1788 * Revision 1.11 1999/12/29 21:14:59 rgb
1789 * Fixed debug text cut and paste typo.
1790 *
1791 * Revision 1.10 1999/12/10 17:45:24 rgb
1792 * Added address debugging.
1793 *
1794 * Revision 1.9 1999/12/09 23:11:42 rgb
1795 * Ditched <string.h> include since we no longer use memset().
1796 * Use new pfkey_extensions_init() instead of memset().
1797 * Added check for SATYPE in pfkey_msg_build().
1798 * Tidy up comments and debugging comments.
1799 *
1800 * Revision 1.8 1999/12/07 19:55:26 rgb
1801 * Removed unused first argument from extension parsers.
1802 * Removed static pluto debug flag.
1803 * Moved message type and state checking to pfkey_msg_parse().
1804 * Changed print[fk] type from lx to x to quiet compiler.
1805 * Removed redundant remain check.
1806 * Changed __u* types to uint* to avoid use of asm/types.h and
1807 * sys/types.h in userspace code.
1808 *
1809 * Revision 1.7 1999/12/01 22:20:51 rgb
1810 * Moved pfkey_lib_debug variable into the library.
1811 * Added pfkey version check into header parsing.
1812 * Added check for SATYPE only for those extensions that require a
1813 * non-zero value.
1814 *
1815 * Revision 1.6 1999/11/27 11:58:05 rgb
1816 * Added ipv6 headers.
1817 * Moved sadb_satype2proto protocol lookup table from
1818 * klips/net/ipsec/pfkey_v2_parser.c.
1819 * Enable lifetime_current checking.
1820 * Debugging error messages added.
1821 * Add argument to pfkey_msg_parse() for direction.
1822 * Consolidated the 4 1-d extension bitmap arrays into one 4-d array.
1823 * Add CVS log entry to bottom of file.
1824 * Moved auth and enc alg check to pfkey_msg_parse().
1825 * Enable accidentally disabled spirange parsing.
1826 * Moved protocol/algorithm checks from klips/net/ipsec/pfkey_v2_parser.c
1827 *
1828 * Local variables:
1829 * c-file-style: "linux"
1830 * End:
1831 *
1832 */