projects / strongswan.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
removed old FreeS/WAN cvs revision entries
[strongswan.git] / src / libfreeswan / pfkey_v2_parse.c
1 /*
2 * RFC2367 PF_KEYv2 Key management API message parser
3 * Copyright (C) 1999, 2000, 2001 Richard Guy Briggs.
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 *
15 * RCSID $Id: pfkey_v2_parse.c,v 1.4 2004/06/13 20:35:07 as Exp $
16 */
17
18 /*
19 * Template from klips/net/ipsec/ipsec/ipsec_parser.c.
20 */
21
22 char pfkey_v2_parse_c_version[] = "$Id: pfkey_v2_parse.c,v 1.4 2004/06/13 20:35:07 as Exp $";
23
24 /*
25 * Some ugly stuff to allow consistent debugging code for use in the
26 * kernel and in user space
27 */
28
29 #ifdef __KERNEL__
30
31 # include <linux/kernel.h> /* for printk */
32
33 #include "freeswan/ipsec_kversion.h" /* for malloc switch */
34
35 # ifdef MALLOC_SLAB
36 # include <linux/slab.h> /* kmalloc() */
37 # else /* MALLOC_SLAB */
38 # include <linux/malloc.h> /* kmalloc() */
39 # endif /* MALLOC_SLAB */
40 # include <linux/errno.h> /* error codes */
41 # include <linux/types.h> /* size_t */
42 # include <linux/interrupt.h> /* mark_bh */
43
44 # include <linux/netdevice.h> /* struct device, and other headers */
45 # include <linux/etherdevice.h> /* eth_type_trans */
46 # include <linux/ip.h> /* struct iphdr */
47 # if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
48 # include <linux/ipv6.h> /* struct ipv6hdr */
49 # endif /* if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) */
50 extern int debug_pfkey;
51
52 #include "freeswan.h"
53
54 #include "ipsec_encap.h"
55
56 #else /* __KERNEL__ */
57
58 # include <sys/types.h>
59 # include <linux/types.h>
60 # include <linux/errno.h>
61
62 # include <freeswan.h>
63 # include <constants.h>
64 # include <defs.h> /* for PRINTF_LIKE */
65 # include <log.h> /* for debugging and DBG_log */
66
67 /* #define PLUTO */
68
69 # ifdef PLUTO
70 # define DEBUGGING(level, args...) { DBG_log("pfkey_lib_debug:" args); }
71 # else
72 # define DEBUGGING(level, args...) if(pfkey_lib_debug & level) { printf("pfkey_lib_debug:" args); } else { ; }
73 # endif
74
75 #endif /* __KERNEL__ */
76
77
78 #include <pfkeyv2.h>
79 #include <pfkey.h>
80
81 #ifdef __KERNEL__
82 extern int sysctl_ipsec_debug_verbose;
83 # define DEBUGGING(level, args...) \
84 KLIPS_PRINT( \
85 ((debug_pfkey & level & (PF_KEY_DEBUG_PARSE_STRUCT | PF_KEY_DEBUG_PARSE_PROBLEM)) \
86 || (sysctl_ipsec_debug_verbose && (debug_pfkey & level & PF_KEY_DEBUG_PARSE_FLOW))) \
87 , "klips_debug:" args)
88 #endif /* __KERNEL__ */
89 #include "ipsec_sa.h" /* IPSEC_SAREF_NULL, IPSEC_SA_REF_TABLE_IDX_WIDTH */
90
91
92 #define SENDERR(_x) do { error = -(_x); goto errlab; } while (0)
93
94 struct satype_tbl {
95 uint8_t proto;
96 uint8_t satype;
97 char* name;
98 } static satype_tbl[] = {
99 #ifdef __KERNEL__
100 { IPPROTO_ESP, SADB_SATYPE_ESP, "ESP" },
101 { IPPROTO_AH, SADB_SATYPE_AH, "AH" },
102 { IPPROTO_IPIP, SADB_X_SATYPE_IPIP, "IPIP" },
103 #ifdef CONFIG_IPSEC_IPCOMP
104 { IPPROTO_COMP, SADB_X_SATYPE_COMP, "COMP" },
105 #endif /* CONFIG_IPSEC_IPCOMP */
106 { IPPROTO_INT, SADB_X_SATYPE_INT, "INT" },
107 #else /* __KERNEL__ */
108 { SA_ESP, SADB_SATYPE_ESP, "ESP" },
109 { SA_AH, SADB_SATYPE_AH, "AH" },
110 { SA_IPIP, SADB_X_SATYPE_IPIP, "IPIP" },
111 { SA_COMP, SADB_X_SATYPE_COMP, "COMP" },
112 { SA_INT, SADB_X_SATYPE_INT, "INT" },
113 #endif /* __KERNEL__ */
114 { 0, 0, "UNKNOWN" }
115 };
116
117 uint8_t
118 satype2proto(uint8_t satype)
119 {
120 int i =0;
121
122 while(satype_tbl[i].satype != satype && satype_tbl[i].satype != 0) {
123 i++;
124 }
125 return satype_tbl[i].proto;
126 }
127
128 uint8_t
129 proto2satype(uint8_t proto)
130 {
131 int i = 0;
132
133 while(satype_tbl[i].proto != proto && satype_tbl[i].proto != 0) {
134 i++;
135 }
136 return satype_tbl[i].satype;
137 }
138
139 char*
140 satype2name(uint8_t satype)
141 {
142 int i = 0;
143
144 while(satype_tbl[i].satype != satype && satype_tbl[i].satype != 0) {
145 i++;
146 }
147 return satype_tbl[i].name;
148 }
149
150 char*
151 proto2name(uint8_t proto)
152 {
153 int i = 0;
154
155 while(satype_tbl[i].proto != proto && satype_tbl[i].proto != 0) {
156 i++;
157 }
158 return satype_tbl[i].name;
159 }
160
161 /* Default extension parsers taken from the KLIPS code */
162
163 DEBUG_NO_STATIC int
164 pfkey_sa_parse(struct sadb_ext *pfkey_ext)
165 {
166 int error = 0;
167 struct sadb_sa *pfkey_sa = (struct sadb_sa *)pfkey_ext;
168 #if 0
169 struct sadb_sa sav2;
170 #endif
171
172 DEBUGGING(PF_KEY_DEBUG_PARSE_FLOW,
173 "pfkey_sa_parse: entry\n");
174 /* sanity checks... */
175 if(!pfkey_sa) {
176 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
177 "pfkey_sa_parse: "
178 "NULL pointer passed in.\n");
179 SENDERR(EINVAL);
180 }
181
182 #if 0
183 /* check if this structure is short, and if so, fix it up.
184 * XXX this is NOT the way to do things.
185 */
186 if(pfkey_sa->sadb_sa_len == sizeof(struct sadb_sa_v1)/IPSEC_PFKEYv2_ALIGN) {
187
188 /* yes, so clear out a temporary structure, and copy first */
189 memset(&sav2, 0, sizeof(sav2));
190 memcpy(&sav2, pfkey_sa, sizeof(struct sadb_sa_v1));
191 sav2.sadb_x_sa_ref=-1;
192 sav2.sadb_sa_len = sizeof(struct sadb_sa) / IPSEC_PFKEYv2_ALIGN;
193
194 pfkey_sa = &sav2;
195 }
196 #endif
197
198
199 if(pfkey_sa->sadb_sa_len != sizeof(struct sadb_sa) / IPSEC_PFKEYv2_ALIGN) {
200 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
201 "pfkey_sa_parse: "
202 "length wrong pfkey_sa->sadb_sa_len=%d sizeof(struct sadb_sa)=%d.\n",
203 pfkey_sa->sadb_sa_len,
204 (int)sizeof(struct sadb_sa));
205 SENDERR(EINVAL);
206 }
207
208 if(pfkey_sa->sadb_sa_encrypt > SADB_EALG_MAX) {
209 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
210 "pfkey_sa_parse: "
211 "pfkey_sa->sadb_sa_encrypt=%d > SADB_EALG_MAX=%d.\n",
212 pfkey_sa->sadb_sa_encrypt,
213 SADB_EALG_MAX);
214 SENDERR(EINVAL);
215 }
216
217 if(pfkey_sa->sadb_sa_auth > SADB_AALG_MAX) {
218 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
219 "pfkey_sa_parse: "
220 "pfkey_sa->sadb_sa_auth=%d > SADB_AALG_MAX=%d.\n",
221 pfkey_sa->sadb_sa_auth,
222 SADB_AALG_MAX);
223 SENDERR(EINVAL);
224 }
225
226 if(pfkey_sa->sadb_sa_state > SADB_SASTATE_MAX) {
227 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
228 "pfkey_sa_parse: "
229 "state=%d exceeds MAX=%d.\n",
230 pfkey_sa->sadb_sa_state,
231 SADB_SASTATE_MAX);
232 SENDERR(EINVAL);
233 }
234
235 if(pfkey_sa->sadb_sa_state == SADB_SASTATE_DEAD) {
236 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
237 "pfkey_sa_parse: "
238 "state=%d is DEAD=%d.\n",
239 pfkey_sa->sadb_sa_state,
240 SADB_SASTATE_DEAD);
241 SENDERR(EINVAL);
242 }
243
244 if(pfkey_sa->sadb_sa_replay > 64) {
245 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
246 "pfkey_sa_parse: "
247 "replay window size: %d -- must be 0 <= size <= 64\n",
248 pfkey_sa->sadb_sa_replay);
249 SENDERR(EINVAL);
250 }
251
252 if(! ((pfkey_sa->sadb_sa_exttype == SADB_EXT_SA) ||
253 (pfkey_sa->sadb_sa_exttype == SADB_X_EXT_SA2)))
254 {
255 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
256 "pfkey_sa_parse: "
257 "unknown exttype=%d, expecting SADB_EXT_SA=%d or SADB_X_EXT_SA2=%d.\n",
258 pfkey_sa->sadb_sa_exttype,
259 SADB_EXT_SA,
260 SADB_X_EXT_SA2);
261 SENDERR(EINVAL);
262 }
263
264 if((IPSEC_SAREF_NULL != pfkey_sa->sadb_x_sa_ref) && (pfkey_sa->sadb_x_sa_ref >= (1 << IPSEC_SA_REF_TABLE_IDX_WIDTH))) {
265 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
266 "pfkey_sa_parse: "
267 "SAref=%d must be (SAref == IPSEC_SAREF_NULL(%d) || SAref < IPSEC_SA_REF_TABLE_NUM_ENTRIES(%d)).\n",
268 pfkey_sa->sadb_x_sa_ref,
269 IPSEC_SAREF_NULL,
270 IPSEC_SA_REF_TABLE_NUM_ENTRIES);
271 SENDERR(EINVAL);
272 }
273
274 DEBUGGING(PF_KEY_DEBUG_PARSE_STRUCT,
275 "pfkey_sa_parse: "
276 "successfully found len=%d exttype=%d(%s) spi=%08lx replay=%d state=%d auth=%d encrypt=%d flags=%d ref=%d.\n",
277 pfkey_sa->sadb_sa_len,
278 pfkey_sa->sadb_sa_exttype,
279 pfkey_v2_sadb_ext_string(pfkey_sa->sadb_sa_exttype),
280 (long unsigned int)ntohl(pfkey_sa->sadb_sa_spi),
281 pfkey_sa->sadb_sa_replay,
282 pfkey_sa->sadb_sa_state,
283 pfkey_sa->sadb_sa_auth,
284 pfkey_sa->sadb_sa_encrypt,
285 pfkey_sa->sadb_sa_flags,
286 pfkey_sa->sadb_x_sa_ref);
287
288 errlab:
289 return error;
290 }
291
292 DEBUG_NO_STATIC int
293 pfkey_lifetime_parse(struct sadb_ext *pfkey_ext)
294 {
295 int error = 0;
296 struct sadb_lifetime *pfkey_lifetime = (struct sadb_lifetime *)pfkey_ext;
297
298 DEBUGGING(PF_KEY_DEBUG_PARSE_FLOW,
299 "pfkey_lifetime_parse:enter\n");
300 /* sanity checks... */
301 if(!pfkey_lifetime) {
302 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
303 "pfkey_lifetime_parse: "
304 "NULL pointer passed in.\n");
305 SENDERR(EINVAL);
306 }
307
308 if(pfkey_lifetime->sadb_lifetime_len !=
309 sizeof(struct sadb_lifetime) / IPSEC_PFKEYv2_ALIGN) {
310 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
311 "pfkey_lifetime_parse: "
312 "length wrong pfkey_lifetime->sadb_lifetime_len=%d sizeof(struct sadb_lifetime)=%d.\n",
313 pfkey_lifetime->sadb_lifetime_len,
314 (int)sizeof(struct sadb_lifetime));
315 SENDERR(EINVAL);
316 }
317
318 if((pfkey_lifetime->sadb_lifetime_exttype != SADB_EXT_LIFETIME_HARD) &&
319 (pfkey_lifetime->sadb_lifetime_exttype != SADB_EXT_LIFETIME_SOFT) &&
320 (pfkey_lifetime->sadb_lifetime_exttype != SADB_EXT_LIFETIME_CURRENT)) {
321 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
322 "pfkey_lifetime_parse: "
323 "unexpected ext_type=%d.\n",
324 pfkey_lifetime->sadb_lifetime_exttype);
325 SENDERR(EINVAL);
326 }
327
328 DEBUGGING(PF_KEY_DEBUG_PARSE_STRUCT,
329 "pfkey_lifetime_parse: "
330 "life_type=%d(%s) alloc=%u bytes=%u add=%u use=%u pkts=%u.\n",
331 pfkey_lifetime->sadb_lifetime_exttype,
332 pfkey_v2_sadb_ext_string(pfkey_lifetime->sadb_lifetime_exttype),
333 pfkey_lifetime->sadb_lifetime_allocations,
334 (unsigned)pfkey_lifetime->sadb_lifetime_bytes,
335 (unsigned)pfkey_lifetime->sadb_lifetime_addtime,
336 (unsigned)pfkey_lifetime->sadb_lifetime_usetime,
337 pfkey_lifetime->sadb_x_lifetime_packets);
338 errlab:
339 return error;
340 }
341
342 DEBUG_NO_STATIC int
343 pfkey_address_parse(struct sadb_ext *pfkey_ext)
344 {
345 int error = 0;
346 int saddr_len = 0;
347 struct sadb_address *pfkey_address = (struct sadb_address *)pfkey_ext;
348 struct sockaddr* s = (struct sockaddr*)((char*)pfkey_address + sizeof(*pfkey_address));
349 char ipaddr_txt[ADDRTOT_BUF];
350
351 DEBUGGING(PF_KEY_DEBUG_PARSE_FLOW,
352 "pfkey_address_parse:enter\n");
353 /* sanity checks... */
354 if(!pfkey_address) {
355 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
356 "pfkey_address_parse: "
357 "NULL pointer passed in.\n");
358 SENDERR(EINVAL);
359 }
360
361 if(pfkey_address->sadb_address_len <
362 (sizeof(struct sadb_address) + sizeof(struct sockaddr))/
363 IPSEC_PFKEYv2_ALIGN) {
364 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
365 "pfkey_address_parse: "
366 "size wrong 1 ext_len=%d, adr_ext_len=%d, saddr_len=%d.\n",
367 pfkey_address->sadb_address_len,
368 (int)sizeof(struct sadb_address),
369 (int)sizeof(struct sockaddr));
370 SENDERR(EINVAL);
371 }
372
373 if(pfkey_address->sadb_address_reserved) {
374 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
375 "pfkey_address_parse: "
376 "res=%d, must be zero.\n",
377 pfkey_address->sadb_address_reserved);
378 SENDERR(EINVAL);
379 }
380
381 switch(pfkey_address->sadb_address_exttype) {
382 case SADB_EXT_ADDRESS_SRC:
383 case SADB_EXT_ADDRESS_DST:
384 case SADB_EXT_ADDRESS_PROXY:
385 case SADB_X_EXT_ADDRESS_DST2:
386 case SADB_X_EXT_ADDRESS_SRC_FLOW:
387 case SADB_X_EXT_ADDRESS_DST_FLOW:
388 case SADB_X_EXT_ADDRESS_SRC_MASK:
389 case SADB_X_EXT_ADDRESS_DST_MASK:
390 case SADB_X_EXT_NAT_T_OA:
391 break;
392 default:
393 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
394 "pfkey_address_parse: "
395 "unexpected ext_type=%d.\n",
396 pfkey_address->sadb_address_exttype);
397 SENDERR(EINVAL);
398 }
399
400 switch(s->sa_family) {
401 case AF_INET:
402 saddr_len = sizeof(struct sockaddr_in);
403 sprintf(ipaddr_txt, "%d.%d.%d.%d"
404 , (((struct sockaddr_in*)s)->sin_addr.s_addr >> 0) & 0xFF
405 , (((struct sockaddr_in*)s)->sin_addr.s_addr >> 8) & 0xFF
406 , (((struct sockaddr_in*)s)->sin_addr.s_addr >> 16) & 0xFF
407 , (((struct sockaddr_in*)s)->sin_addr.s_addr >> 24) & 0xFF);
408 DEBUGGING(PF_KEY_DEBUG_PARSE_STRUCT,
409 "pfkey_address_parse: "
410 "found exttype=%u(%s) family=%d(AF_INET) address=%s proto=%u port=%u.\n",
411 pfkey_address->sadb_address_exttype,
412 pfkey_v2_sadb_ext_string(pfkey_address->sadb_address_exttype),
413 s->sa_family,
414 ipaddr_txt,
415 pfkey_address->sadb_address_proto,
416 ntohs(((struct sockaddr_in*)s)->sin_port));
417 break;
418 case AF_INET6:
419 saddr_len = sizeof(struct sockaddr_in6);
420 sprintf(ipaddr_txt, "%x:%x:%x:%x:%x:%x:%x:%x"
421 , ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr16[0])
422 , ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr16[1])
423 , ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr16[2])
424 , ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr16[3])
425 , ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr16[4])
426 , ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr16[5])
427 , ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr16[6])
428 , ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr16[7]));
429 DEBUGGING(PF_KEY_DEBUG_PARSE_STRUCT,
430 "pfkey_address_parse: "
431 "found exttype=%u(%s) family=%d(AF_INET6) address=%s proto=%u port=%u.\n",
432 pfkey_address->sadb_address_exttype,
433 pfkey_v2_sadb_ext_string(pfkey_address->sadb_address_exttype),
434 s->sa_family,
435 ipaddr_txt,
436 pfkey_address->sadb_address_proto,
437 ((struct sockaddr_in6*)s)->sin6_port);
438 break;
439 default:
440 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
441 "pfkey_address_parse: "
442 "s->sa_family=%d not supported.\n",
443 s->sa_family);
444 SENDERR(EPFNOSUPPORT);
445 }
446
447 if(pfkey_address->sadb_address_len !=
448 DIVUP(sizeof(struct sadb_address) + saddr_len, IPSEC_PFKEYv2_ALIGN)) {
449 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
450 "pfkey_address_parse: "
451 "size wrong 2 ext_len=%d, adr_ext_len=%d, saddr_len=%d.\n",
452 pfkey_address->sadb_address_len,
453 (int)sizeof(struct sadb_address),
454 saddr_len);
455 SENDERR(EINVAL);
456 }
457
458 if(pfkey_address->sadb_address_prefixlen != 0) {
459 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
460 "pfkey_address_parse: "
461 "address prefixes not supported yet.\n");
462 SENDERR(EAFNOSUPPORT); /* not supported yet */
463 }
464
465 /* XXX check if port!=0 */
466
467 DEBUGGING(PF_KEY_DEBUG_PARSE_FLOW,
468 "pfkey_address_parse: successful.\n");
469 errlab:
470 return error;
471 }
472
473 DEBUG_NO_STATIC int
474 pfkey_key_parse(struct sadb_ext *pfkey_ext)
475 {
476 int error = 0;
477 struct sadb_key *pfkey_key = (struct sadb_key *)pfkey_ext;
478
479 DEBUGGING(PF_KEY_DEBUG_PARSE_FLOW,
480 "pfkey_key_parse:enter\n");
481 /* sanity checks... */
482
483 if(!pfkey_key) {
484 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
485 "pfkey_key_parse: "
486 "NULL pointer passed in.\n");
487 SENDERR(EINVAL);
488 }
489
490 if(pfkey_key->sadb_key_len < sizeof(struct sadb_key) / IPSEC_PFKEYv2_ALIGN) {
491 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
492 "pfkey_key_parse: "
493 "size wrong ext_len=%d, key_ext_len=%d.\n",
494 pfkey_key->sadb_key_len,
495 (int)sizeof(struct sadb_key));
496 SENDERR(EINVAL);
497 }
498
499 if(!pfkey_key->sadb_key_bits) {
500 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
501 "pfkey_key_parse: "
502 "key length set to zero, must be non-zero.\n");
503 SENDERR(EINVAL);
504 }
505
506 if(pfkey_key->sadb_key_len !=
507 DIVUP(sizeof(struct sadb_key) * OCTETBITS + pfkey_key->sadb_key_bits,
508 PFKEYBITS)) {
509 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
510 "pfkey_key_parse: "
511 "key length=%d does not agree with extension length=%d.\n",
512 pfkey_key->sadb_key_bits,
513 pfkey_key->sadb_key_len);
514 SENDERR(EINVAL);
515 }
516
517 if(pfkey_key->sadb_key_reserved) {
518 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
519 "pfkey_key_parse: "
520 "res=%d, must be zero.\n",
521 pfkey_key->sadb_key_reserved);
522 SENDERR(EINVAL);
523 }
524
525 if(! ( (pfkey_key->sadb_key_exttype == SADB_EXT_KEY_AUTH) ||
526 (pfkey_key->sadb_key_exttype == SADB_EXT_KEY_ENCRYPT))) {
527 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
528 "pfkey_key_parse: "
529 "expecting extension type AUTH or ENCRYPT, got %d.\n",
530 pfkey_key->sadb_key_exttype);
531 SENDERR(EINVAL);
532 }
533
534 DEBUGGING(PF_KEY_DEBUG_PARSE_STRUCT,
535 "pfkey_key_parse: "
536 "success, found len=%d exttype=%d(%s) bits=%d reserved=%d.\n",
537 pfkey_key->sadb_key_len,
538 pfkey_key->sadb_key_exttype,
539 pfkey_v2_sadb_ext_string(pfkey_key->sadb_key_exttype),
540 pfkey_key->sadb_key_bits,
541 pfkey_key->sadb_key_reserved);
542
543 errlab:
544 return error;
545 }
546
547 DEBUG_NO_STATIC int
548 pfkey_ident_parse(struct sadb_ext *pfkey_ext)
549 {
550 int error = 0;
551 struct sadb_ident *pfkey_ident = (struct sadb_ident *)pfkey_ext;
552
553 /* sanity checks... */
554 if(pfkey_ident->sadb_ident_len < sizeof(struct sadb_ident) / IPSEC_PFKEYv2_ALIGN) {
555 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
556 "pfkey_ident_parse: "
557 "size wrong ext_len=%d, key_ext_len=%d.\n",
558 pfkey_ident->sadb_ident_len,
559 (int)sizeof(struct sadb_ident));
560 SENDERR(EINVAL);
561 }
562
563 if(pfkey_ident->sadb_ident_type > SADB_IDENTTYPE_MAX) {
564 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
565 "pfkey_ident_parse: "
566 "ident_type=%d out of range, must be less than %d.\n",
567 pfkey_ident->sadb_ident_type,
568 SADB_IDENTTYPE_MAX);
569 SENDERR(EINVAL);
570 }
571
572 if(pfkey_ident->sadb_ident_reserved) {
573 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
574 "pfkey_ident_parse: "
575 "res=%d, must be zero.\n",
576 pfkey_ident->sadb_ident_reserved);
577 SENDERR(EINVAL);
578 }
579
580 /* string terminator/padding must be zero */
581 if(pfkey_ident->sadb_ident_len > sizeof(struct sadb_ident) / IPSEC_PFKEYv2_ALIGN) {
582 if(*((char*)pfkey_ident + pfkey_ident->sadb_ident_len * IPSEC_PFKEYv2_ALIGN - 1)) {
583 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
584 "pfkey_ident_parse: "
585 "string padding must be zero, last is 0x%02x.\n",
586 *((char*)pfkey_ident +
587 pfkey_ident->sadb_ident_len * IPSEC_PFKEYv2_ALIGN - 1));
588 SENDERR(EINVAL);
589 }
590 }
591
592 if( ! ((pfkey_ident->sadb_ident_exttype == SADB_EXT_IDENTITY_SRC) ||
593 (pfkey_ident->sadb_ident_exttype == SADB_EXT_IDENTITY_DST))) {
594 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
595 "pfkey_key_parse: "
596 "expecting extension type IDENTITY_SRC or IDENTITY_DST, got %d.\n",
597 pfkey_ident->sadb_ident_exttype);
598 SENDERR(EINVAL);
599 }
600
601 errlab:
602 return error;
603 }
604
605 DEBUG_NO_STATIC int
606 pfkey_sens_parse(struct sadb_ext *pfkey_ext)
607 {
608 int error = 0;
609 struct sadb_sens *pfkey_sens = (struct sadb_sens *)pfkey_ext;
610
611 /* sanity checks... */
612 if(pfkey_sens->sadb_sens_len < sizeof(struct sadb_sens) / IPSEC_PFKEYv2_ALIGN) {
613 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
614 "pfkey_sens_parse: "
615 "size wrong ext_len=%d, key_ext_len=%d.\n",
616 pfkey_sens->sadb_sens_len,
617 (int)sizeof(struct sadb_sens));
618 SENDERR(EINVAL);
619 }
620
621 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
622 "pfkey_sens_parse: "
623 "Sorry, I can't parse exttype=%d yet.\n",
624 pfkey_ext->sadb_ext_type);
625 #if 0
626 SENDERR(EINVAL); /* don't process these yet */
627 #endif
628
629 errlab:
630 return error;
631 }
632
633 DEBUG_NO_STATIC int
634 pfkey_prop_parse(struct sadb_ext *pfkey_ext)
635 {
636 int error = 0;
637 int i, num_comb;
638 struct sadb_prop *pfkey_prop = (struct sadb_prop *)pfkey_ext;
639 struct sadb_comb *pfkey_comb = (struct sadb_comb *)((char*)pfkey_ext + sizeof(struct sadb_prop));
640
641 /* sanity checks... */
642 if((pfkey_prop->sadb_prop_len < sizeof(struct sadb_prop) / IPSEC_PFKEYv2_ALIGN) ||
643 (((pfkey_prop->sadb_prop_len * IPSEC_PFKEYv2_ALIGN) - sizeof(struct sadb_prop)) % sizeof(struct sadb_comb))) {
644 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
645 "pfkey_prop_parse: "
646 "size wrong ext_len=%d, prop_ext_len=%d comb_ext_len=%d.\n",
647 pfkey_prop->sadb_prop_len,
648 (int)sizeof(struct sadb_prop),
649 (int)sizeof(struct sadb_comb));
650 SENDERR(EINVAL);
651 }
652
653 if(pfkey_prop->sadb_prop_replay > 64) {
654 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
655 "pfkey_prop_parse: "
656 "replay window size: %d -- must be 0 <= size <= 64\n",
657 pfkey_prop->sadb_prop_replay);
658 SENDERR(EINVAL);
659 }
660
661 for(i=0; i<3; i++) {
662 if(pfkey_prop->sadb_prop_reserved[i]) {
663 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
664 "pfkey_prop_parse: "
665 "res[%d]=%d, must be zero.\n",
666 i, pfkey_prop->sadb_prop_reserved[i]);
667 SENDERR(EINVAL);
668 }
669 }
670
671 num_comb = ((pfkey_prop->sadb_prop_len * IPSEC_PFKEYv2_ALIGN) - sizeof(struct sadb_prop)) / sizeof(struct sadb_comb);
672
673 for(i = 0; i < num_comb; i++) {
674 if(pfkey_comb->sadb_comb_auth > SADB_AALG_MAX) {
675 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
676 "pfkey_prop_parse: "
677 "pfkey_comb[%d]->sadb_comb_auth=%d > SADB_AALG_MAX=%d.\n",
678 i,
679 pfkey_comb->sadb_comb_auth,
680 SADB_AALG_MAX);
681 SENDERR(EINVAL);
682 }
683
684 if(pfkey_comb->sadb_comb_auth) {
685 if(!pfkey_comb->sadb_comb_auth_minbits) {
686 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
687 "pfkey_prop_parse: "
688 "pfkey_comb[%d]->sadb_comb_auth_minbits=0, fatal.\n",
689 i);
690 SENDERR(EINVAL);
691 }
692 if(!pfkey_comb->sadb_comb_auth_maxbits) {
693 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
694 "pfkey_prop_parse: "
695 "pfkey_comb[%d]->sadb_comb_auth_maxbits=0, fatal.\n",
696 i);
697 SENDERR(EINVAL);
698 }
699 if(pfkey_comb->sadb_comb_auth_minbits > pfkey_comb->sadb_comb_auth_maxbits) {
700 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
701 "pfkey_prop_parse: "
702 "pfkey_comb[%d]->sadb_comb_auth_minbits=%d > maxbits=%d, fatal.\n",
703 i,
704 pfkey_comb->sadb_comb_auth_minbits,
705 pfkey_comb->sadb_comb_auth_maxbits);
706 SENDERR(EINVAL);
707 }
708 } else {
709 if(pfkey_comb->sadb_comb_auth_minbits) {
710 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
711 "pfkey_prop_parse: "
712 "pfkey_comb[%d]->sadb_comb_auth_minbits=%d != 0, fatal.\n",
713 i,
714 pfkey_comb->sadb_comb_auth_minbits);
715 SENDERR(EINVAL);
716 }
717 if(pfkey_comb->sadb_comb_auth_maxbits) {
718 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
719 "pfkey_prop_parse: "
720 "pfkey_comb[%d]->sadb_comb_auth_maxbits=%d != 0, fatal.\n",
721 i,
722 pfkey_comb->sadb_comb_auth_maxbits);
723 SENDERR(EINVAL);
724 }
725 }
726
727 if(pfkey_comb->sadb_comb_encrypt > SADB_EALG_MAX) {
728 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
729 "pfkey_comb_parse: "
730 "pfkey_comb[%d]->sadb_comb_encrypt=%d > SADB_EALG_MAX=%d.\n",
731 i,
732 pfkey_comb->sadb_comb_encrypt,
733 SADB_EALG_MAX);
734 SENDERR(EINVAL);
735 }
736
737 if(pfkey_comb->sadb_comb_encrypt) {
738 if(!pfkey_comb->sadb_comb_encrypt_minbits) {
739 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
740 "pfkey_prop_parse: "
741 "pfkey_comb[%d]->sadb_comb_encrypt_minbits=0, fatal.\n",
742 i);
743 SENDERR(EINVAL);
744 }
745 if(!pfkey_comb->sadb_comb_encrypt_maxbits) {
746 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
747 "pfkey_prop_parse: "
748 "pfkey_comb[%d]->sadb_comb_encrypt_maxbits=0, fatal.\n",
749 i);
750 SENDERR(EINVAL);
751 }
752 if(pfkey_comb->sadb_comb_encrypt_minbits > pfkey_comb->sadb_comb_encrypt_maxbits) {
753 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
754 "pfkey_prop_parse: "
755 "pfkey_comb[%d]->sadb_comb_encrypt_minbits=%d > maxbits=%d, fatal.\n",
756 i,
757 pfkey_comb->sadb_comb_encrypt_minbits,
758 pfkey_comb->sadb_comb_encrypt_maxbits);
759 SENDERR(EINVAL);
760 }
761 } else {
762 if(pfkey_comb->sadb_comb_encrypt_minbits) {
763 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
764 "pfkey_prop_parse: "
765 "pfkey_comb[%d]->sadb_comb_encrypt_minbits=%d != 0, fatal.\n",
766 i,
767 pfkey_comb->sadb_comb_encrypt_minbits);
768 SENDERR(EINVAL);
769 }
770 if(pfkey_comb->sadb_comb_encrypt_maxbits) {
771 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
772 "pfkey_prop_parse: "
773 "pfkey_comb[%d]->sadb_comb_encrypt_maxbits=%d != 0, fatal.\n",
774 i,
775 pfkey_comb->sadb_comb_encrypt_maxbits);
776 SENDERR(EINVAL);
777 }
778 }
779
780 /* XXX do sanity check on flags */
781
782 if(pfkey_comb->sadb_comb_hard_allocations && pfkey_comb->sadb_comb_soft_allocations > pfkey_comb->sadb_comb_hard_allocations) {
783 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
784 "pfkey_prop_parse: "
785 "pfkey_comb[%d]->sadb_comb_soft_allocations=%d > hard_allocations=%d, fatal.\n",
786 i,
787 pfkey_comb->sadb_comb_soft_allocations,
788 pfkey_comb->sadb_comb_hard_allocations);
789 SENDERR(EINVAL);
790 }
791
792 if(pfkey_comb->sadb_comb_hard_bytes && pfkey_comb->sadb_comb_soft_bytes > pfkey_comb->sadb_comb_hard_bytes) {
793 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
794 "pfkey_prop_parse: "
795 "pfkey_comb[%d]->sadb_comb_soft_bytes=%Ld > hard_bytes=%Ld, fatal.\n",
796 i,
797 (unsigned long long int)pfkey_comb->sadb_comb_soft_bytes,
798 (unsigned long long int)pfkey_comb->sadb_comb_hard_bytes);
799 SENDERR(EINVAL);
800 }
801
802 if(pfkey_comb->sadb_comb_hard_addtime && pfkey_comb->sadb_comb_soft_addtime > pfkey_comb->sadb_comb_hard_addtime) {
803 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
804 "pfkey_prop_parse: "
805 "pfkey_comb[%d]->sadb_comb_soft_addtime=%Ld > hard_addtime=%Ld, fatal.\n",
806 i,
807 (unsigned long long int)pfkey_comb->sadb_comb_soft_addtime,
808 (unsigned long long int)pfkey_comb->sadb_comb_hard_addtime);
809 SENDERR(EINVAL);
810 }
811
812 if(pfkey_comb->sadb_comb_hard_usetime && pfkey_comb->sadb_comb_soft_usetime > pfkey_comb->sadb_comb_hard_usetime) {
813 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
814 "pfkey_prop_parse: "
815 "pfkey_comb[%d]->sadb_comb_soft_usetime=%Ld > hard_usetime=%Ld, fatal.\n",
816 i,
817 (unsigned long long int)pfkey_comb->sadb_comb_soft_usetime,
818 (unsigned long long int)pfkey_comb->sadb_comb_hard_usetime);
819 SENDERR(EINVAL);
820 }
821
822 if(pfkey_comb->sadb_x_comb_hard_packets && pfkey_comb->sadb_x_comb_soft_packets > pfkey_comb->sadb_x_comb_hard_packets) {
823 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
824 "pfkey_prop_parse: "
825 "pfkey_comb[%d]->sadb_x_comb_soft_packets=%d > hard_packets=%d, fatal.\n",
826 i,
827 pfkey_comb->sadb_x_comb_soft_packets,
828 pfkey_comb->sadb_x_comb_hard_packets);
829 SENDERR(EINVAL);
830 }
831
832 if(pfkey_comb->sadb_comb_reserved) {
833 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
834 "pfkey_prop_parse: "
835 "comb[%d].res=%d, must be zero.\n",
836 i,
837 pfkey_comb->sadb_comb_reserved);
838 SENDERR(EINVAL);
839 }
840 pfkey_comb++;
841 }
842
843 errlab:
844 return error;
845 }
846
847 DEBUG_NO_STATIC int
848 pfkey_supported_parse(struct sadb_ext *pfkey_ext)
849 {
850 int error = 0;
851 unsigned int i, num_alg;
852 struct sadb_supported *pfkey_supported = (struct sadb_supported *)pfkey_ext;
853 struct sadb_alg *pfkey_alg = (struct sadb_alg*)((char*)pfkey_ext + sizeof(struct sadb_supported));
854
855 /* sanity checks... */
856 if((pfkey_supported->sadb_supported_len <
857 sizeof(struct sadb_supported) / IPSEC_PFKEYv2_ALIGN) ||
858 (((pfkey_supported->sadb_supported_len * IPSEC_PFKEYv2_ALIGN) -
859 sizeof(struct sadb_supported)) % sizeof(struct sadb_alg))) {
860
861 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
862 "pfkey_supported_parse: "
863 "size wrong ext_len=%d, supported_ext_len=%d alg_ext_len=%d.\n",
864 pfkey_supported->sadb_supported_len,
865 (int)sizeof(struct sadb_supported),
866 (int)sizeof(struct sadb_alg));
867 SENDERR(EINVAL);
868 }
869
870 if(pfkey_supported->sadb_supported_reserved) {
871 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
872 "pfkey_supported_parse: "
873 "res=%d, must be zero.\n",
874 pfkey_supported->sadb_supported_reserved);
875 SENDERR(EINVAL);
876 }
877
878 num_alg = ((pfkey_supported->sadb_supported_len * IPSEC_PFKEYv2_ALIGN) - sizeof(struct sadb_supported)) / sizeof(struct sadb_alg);
879
880 for(i = 0; i < num_alg; i++) {
881 /* process algo description */
882 if(pfkey_alg->sadb_alg_reserved) {
883 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
884 "pfkey_supported_parse: "
885 "alg[%d], id=%d, ivlen=%d, minbits=%d, maxbits=%d, res=%d, must be zero.\n",
886 i,
887 pfkey_alg->sadb_alg_id,
888 pfkey_alg->sadb_alg_ivlen,
889 pfkey_alg->sadb_alg_minbits,
890 pfkey_alg->sadb_alg_maxbits,
891 pfkey_alg->sadb_alg_reserved);
892 SENDERR(EINVAL);
893 }
894
895 /* XXX can alg_id auth/enc be determined from info given?
896 Yes, but OpenBSD's method does not iteroperate with rfc2367.
897 rgb, 2000-04-06 */
898
899 switch(pfkey_supported->sadb_supported_exttype) {
900 case SADB_EXT_SUPPORTED_AUTH:
901 if(pfkey_alg->sadb_alg_id > SADB_AALG_MAX) {
902 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
903 "pfkey_supported_parse: "
904 "alg[%d], alg_id=%d > SADB_AALG_MAX=%d, fatal.\n",
905 i,
906 pfkey_alg->sadb_alg_id,
907 SADB_AALG_MAX);
908 SENDERR(EINVAL);
909 }
910 break;
911 case SADB_EXT_SUPPORTED_ENCRYPT:
912 if(pfkey_alg->sadb_alg_id > SADB_EALG_MAX) {
913 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
914 "pfkey_supported_parse: "
915 "alg[%d], alg_id=%d > SADB_EALG_MAX=%d, fatal.\n",
916 i,
917 pfkey_alg->sadb_alg_id,
918 SADB_EALG_MAX);
919 SENDERR(EINVAL);
920 }
921 break;
922 default:
923 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
924 "pfkey_supported_parse: "
925 "alg[%d], alg_id=%d > SADB_EALG_MAX=%d, fatal.\n",
926 i,
927 pfkey_alg->sadb_alg_id,
928 SADB_EALG_MAX);
929 SENDERR(EINVAL);
930 }
931 pfkey_alg++;
932 }
933
934 errlab:
935 return error;
936 }
937
938 DEBUG_NO_STATIC int
939 pfkey_spirange_parse(struct sadb_ext *pfkey_ext)
940 {
941 int error = 0;
942 struct sadb_spirange *pfkey_spirange = (struct sadb_spirange *)pfkey_ext;
943
944 /* sanity checks... */
945 if(pfkey_spirange->sadb_spirange_len !=
946 sizeof(struct sadb_spirange) / IPSEC_PFKEYv2_ALIGN) {
947 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
948 "pfkey_spirange_parse: "
949 "size wrong ext_len=%d, key_ext_len=%d.\n",
950 pfkey_spirange->sadb_spirange_len,
951 (int)sizeof(struct sadb_spirange));
952 SENDERR(EINVAL);
953 }
954
955 if(pfkey_spirange->sadb_spirange_reserved) {
956 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
957 "pfkey_spirange_parse: "
958 "reserved=%d must be set to zero.\n",
959 pfkey_spirange->sadb_spirange_reserved);
960 SENDERR(EINVAL);
961 }
962
963 if(ntohl(pfkey_spirange->sadb_spirange_max) < ntohl(pfkey_spirange->sadb_spirange_min)) {
964 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
965 "pfkey_spirange_parse: "
966 "minspi=%08x must be < maxspi=%08x.\n",
967 ntohl(pfkey_spirange->sadb_spirange_min),
968 ntohl(pfkey_spirange->sadb_spirange_max));
969 SENDERR(EINVAL);
970 }
971
972 if(ntohl(pfkey_spirange->sadb_spirange_min) <= 255) {
973 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
974 "pfkey_spirange_parse: "
975 "minspi=%08x must be > 255.\n",
976 ntohl(pfkey_spirange->sadb_spirange_min));
977 SENDERR(EEXIST);
978 }
979
980 DEBUGGING(PF_KEY_DEBUG_PARSE_STRUCT,
981 "pfkey_spirange_parse: "
982 "ext_len=%u ext_type=%u(%s) min=%u max=%u res=%u.\n",
983 pfkey_spirange->sadb_spirange_len,
984 pfkey_spirange->sadb_spirange_exttype,
985 pfkey_v2_sadb_ext_string(pfkey_spirange->sadb_spirange_exttype),
986 pfkey_spirange->sadb_spirange_min,
987 pfkey_spirange->sadb_spirange_max,
988 pfkey_spirange->sadb_spirange_reserved);
989 errlab:
990 return error;
991 }
992
993 DEBUG_NO_STATIC int
994 pfkey_x_kmprivate_parse(struct sadb_ext *pfkey_ext)
995 {
996 int error = 0;
997 struct sadb_x_kmprivate *pfkey_x_kmprivate = (struct sadb_x_kmprivate *)pfkey_ext;
998
999 /* sanity checks... */
1000 if(pfkey_x_kmprivate->sadb_x_kmprivate_len <
1001 sizeof(struct sadb_x_kmprivate) / IPSEC_PFKEYv2_ALIGN) {
1002 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1003 "pfkey_x_kmprivate_parse: "
1004 "size wrong ext_len=%d, key_ext_len=%d.\n",
1005 pfkey_x_kmprivate->sadb_x_kmprivate_len,
1006 (int)sizeof(struct sadb_x_kmprivate));
1007 SENDERR(EINVAL);
1008 }
1009
1010 if(pfkey_x_kmprivate->sadb_x_kmprivate_reserved) {
1011 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1012 "pfkey_x_kmprivate_parse: "
1013 "reserved=%d must be set to zero.\n",
1014 pfkey_x_kmprivate->sadb_x_kmprivate_reserved);
1015 SENDERR(EINVAL);
1016 }
1017
1018 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1019 "pfkey_x_kmprivate_parse: "
1020 "Sorry, I can't parse exttype=%d yet.\n",
1021 pfkey_ext->sadb_ext_type);
1022 SENDERR(EINVAL); /* don't process these yet */
1023
1024 errlab:
1025 return error;
1026 }
1027
1028 DEBUG_NO_STATIC int
1029 pfkey_x_satype_parse(struct sadb_ext *pfkey_ext)
1030 {
1031 int error = 0;
1032 int i;
1033 struct sadb_x_satype *pfkey_x_satype = (struct sadb_x_satype *)pfkey_ext;
1034
1035 DEBUGGING(PF_KEY_DEBUG_PARSE_FLOW,
1036 "pfkey_x_satype_parse: enter\n");
1037 /* sanity checks... */
1038 if(pfkey_x_satype->sadb_x_satype_len !=
1039 sizeof(struct sadb_x_satype) / IPSEC_PFKEYv2_ALIGN) {
1040 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1041 "pfkey_x_satype_parse: "
1042 "size wrong ext_len=%d, key_ext_len=%d.\n",
1043 pfkey_x_satype->sadb_x_satype_len,
1044 (int)sizeof(struct sadb_x_satype));
1045 SENDERR(EINVAL);
1046 }
1047
1048 if(!pfkey_x_satype->sadb_x_satype_satype) {
1049 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1050 "pfkey_x_satype_parse: "
1051 "satype is zero, must be non-zero.\n");
1052 SENDERR(EINVAL);
1053 }
1054
1055 if(pfkey_x_satype->sadb_x_satype_satype > SADB_SATYPE_MAX) {
1056 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1057 "pfkey_x_satype_parse: "
1058 "satype %d > max %d, invalid.\n",
1059 pfkey_x_satype->sadb_x_satype_satype, SADB_SATYPE_MAX);
1060 SENDERR(EINVAL);
1061 }
1062
1063 if(!(satype2proto(pfkey_x_satype->sadb_x_satype_satype))) {
1064 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1065 "pfkey_x_satype_parse: "
1066 "proto lookup from satype=%d failed.\n",
1067 pfkey_x_satype->sadb_x_satype_satype);
1068 SENDERR(EINVAL);
1069 }
1070
1071 for(i = 0; i < 3; i++) {
1072 if(pfkey_x_satype->sadb_x_satype_reserved[i]) {
1073 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1074 "pfkey_x_satype_parse: "
1075 "reserved[%d]=%d must be set to zero.\n",
1076 i, pfkey_x_satype->sadb_x_satype_reserved[i]);
1077 SENDERR(EINVAL);
1078 }
1079 }
1080
1081 DEBUGGING(PF_KEY_DEBUG_PARSE_STRUCT,
1082 "pfkey_x_satype_parse: "
1083 "len=%u ext=%u(%s) satype=%u(%s) res=%u,%u,%u.\n",
1084 pfkey_x_satype->sadb_x_satype_len,
1085 pfkey_x_satype->sadb_x_satype_exttype,
1086 pfkey_v2_sadb_ext_string(pfkey_x_satype->sadb_x_satype_exttype),
1087 pfkey_x_satype->sadb_x_satype_satype,
1088 satype2name(pfkey_x_satype->sadb_x_satype_satype),
1089 pfkey_x_satype->sadb_x_satype_reserved[0],
1090 pfkey_x_satype->sadb_x_satype_reserved[1],
1091 pfkey_x_satype->sadb_x_satype_reserved[2]);
1092 errlab:
1093 return error;
1094 }
1095
1096 DEBUG_NO_STATIC int
1097 pfkey_x_ext_debug_parse(struct sadb_ext *pfkey_ext)
1098 {
1099 int error = 0;
1100 int i;
1101 struct sadb_x_debug *pfkey_x_debug = (struct sadb_x_debug *)pfkey_ext;
1102
1103 DEBUGGING(PF_KEY_DEBUG_PARSE_FLOW,
1104 "pfkey_x_debug_parse: enter\n");
1105 /* sanity checks... */
1106 if(pfkey_x_debug->sadb_x_debug_len !=
1107 sizeof(struct sadb_x_debug) / IPSEC_PFKEYv2_ALIGN) {
1108 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1109 "pfkey_x_debug_parse: "
1110 "size wrong ext_len=%d, key_ext_len=%d.\n",
1111 pfkey_x_debug->sadb_x_debug_len,
1112 (int)sizeof(struct sadb_x_debug));
1113 SENDERR(EINVAL);
1114 }
1115
1116 for(i = 0; i < 4; i++) {
1117 if(pfkey_x_debug->sadb_x_debug_reserved[i]) {
1118 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1119 "pfkey_x_debug_parse: "
1120 "reserved[%d]=%d must be set to zero.\n",
1121 i, pfkey_x_debug->sadb_x_debug_reserved[i]);
1122 SENDERR(EINVAL);
1123 }
1124 }
1125
1126 errlab:
1127 return error;
1128 }
1129
1130 DEBUG_NO_STATIC int
1131 pfkey_x_ext_protocol_parse(struct sadb_ext *pfkey_ext)
1132 {
1133 int error = 0;
1134 struct sadb_protocol *p = (struct sadb_protocol *)pfkey_ext;
1135
1136 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM, "pfkey_x_protocol_parse:\n");
1137 /* sanity checks... */
1138
1139 if (p->sadb_protocol_len != sizeof(*p)/IPSEC_PFKEYv2_ALIGN) {
1140 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1141 "pfkey_x_protocol_parse: size wrong ext_len=%d, key_ext_len=%d.\n",
1142 p->sadb_protocol_len, (int)sizeof(*p));
1143 SENDERR(EINVAL);
1144 }
1145
1146 if (p->sadb_protocol_reserved2 != 0) {
1147 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1148 "pfkey_protocol_parse: res=%d, must be zero.\n",
1149 p->sadb_protocol_reserved2);
1150 SENDERR(EINVAL);
1151 }
1152
1153 errlab:
1154 return error;
1155 }
1156
1157 DEBUG_NO_STATIC int
1158 pfkey_x_ext_nat_t_type_parse(struct sadb_ext *pfkey_ext)
1159 {
1160 return 0;
1161 }
1162
1163 DEBUG_NO_STATIC int
1164 pfkey_x_ext_nat_t_port_parse(struct sadb_ext *pfkey_ext)
1165 {
1166 return 0;
1167 }
1168
1169 #define DEFINEPARSER(NAME) static struct pf_key_ext_parsers_def NAME##_def={NAME, #NAME};
1170
1171 DEFINEPARSER(pfkey_sa_parse);
1172 DEFINEPARSER(pfkey_lifetime_parse);
1173 DEFINEPARSER(pfkey_address_parse);
1174 DEFINEPARSER(pfkey_key_parse);
1175 DEFINEPARSER(pfkey_ident_parse);
1176 DEFINEPARSER(pfkey_sens_parse);
1177 DEFINEPARSER(pfkey_prop_parse);
1178 DEFINEPARSER(pfkey_supported_parse);
1179 DEFINEPARSER(pfkey_spirange_parse);
1180 DEFINEPARSER(pfkey_x_kmprivate_parse);
1181 DEFINEPARSER(pfkey_x_satype_parse);
1182 DEFINEPARSER(pfkey_x_ext_debug_parse);
1183 DEFINEPARSER(pfkey_x_ext_protocol_parse);
1184 DEFINEPARSER(pfkey_x_ext_nat_t_type_parse);
1185 DEFINEPARSER(pfkey_x_ext_nat_t_port_parse);
1186
1187 struct pf_key_ext_parsers_def *ext_default_parsers[]=
1188 {
1189 NULL, /* pfkey_msg_parse, */
1190 &pfkey_sa_parse_def,
1191 &pfkey_lifetime_parse_def,
1192 &pfkey_lifetime_parse_def,
1193 &pfkey_lifetime_parse_def,
1194 &pfkey_address_parse_def,
1195 &pfkey_address_parse_def,
1196 &pfkey_address_parse_def,
1197 &pfkey_key_parse_def,
1198 &pfkey_key_parse_def,
1199 &pfkey_ident_parse_def,
1200 &pfkey_ident_parse_def,
1201 &pfkey_sens_parse_def,
1202 &pfkey_prop_parse_def,
1203 &pfkey_supported_parse_def,
1204 &pfkey_supported_parse_def,
1205 &pfkey_spirange_parse_def,
1206 &pfkey_x_kmprivate_parse_def,
1207 &pfkey_x_satype_parse_def,
1208 &pfkey_sa_parse_def,
1209 &pfkey_address_parse_def,
1210 &pfkey_address_parse_def,
1211 &pfkey_address_parse_def,
1212 &pfkey_address_parse_def,
1213 &pfkey_address_parse_def,
1214 &pfkey_x_ext_debug_parse_def,
1215 &pfkey_x_ext_protocol_parse_def ,
1216 &pfkey_x_ext_nat_t_type_parse_def,
1217 &pfkey_x_ext_nat_t_port_parse_def,
1218 &pfkey_x_ext_nat_t_port_parse_def,
1219 &pfkey_address_parse_def
1220 };
1221
1222 int
1223 pfkey_msg_parse(struct sadb_msg *pfkey_msg,
1224 struct pf_key_ext_parsers_def *ext_parsers[],
1225 struct sadb_ext *extensions[],
1226 int dir)
1227 {
1228 int error = 0;
1229 int remain;
1230 struct sadb_ext *pfkey_ext;
1231 int extensions_seen = 0;
1232
1233 DEBUGGING(PF_KEY_DEBUG_PARSE_STRUCT,
1234 "pfkey_msg_parse: "
1235 "parsing message ver=%d, type=%d(%s), errno=%d, satype=%d(%s), len=%d, res=%d, seq=%d, pid=%d.\n",
1236 pfkey_msg->sadb_msg_version,
1237 pfkey_msg->sadb_msg_type,
1238 pfkey_v2_sadb_type_string(pfkey_msg->sadb_msg_type),
1239 pfkey_msg->sadb_msg_errno,
1240 pfkey_msg->sadb_msg_satype,
1241 satype2name(pfkey_msg->sadb_msg_satype),
1242 pfkey_msg->sadb_msg_len,
1243 pfkey_msg->sadb_msg_reserved,
1244 pfkey_msg->sadb_msg_seq,
1245 pfkey_msg->sadb_msg_pid);
1246
1247 if(ext_parsers == NULL) ext_parsers = ext_default_parsers;
1248
1249 pfkey_extensions_init(extensions);
1250
1251 remain = pfkey_msg->sadb_msg_len;
1252 remain -= sizeof(struct sadb_msg) / IPSEC_PFKEYv2_ALIGN;
1253
1254 pfkey_ext = (struct sadb_ext*)((char*)pfkey_msg +
1255 sizeof(struct sadb_msg));
1256
1257 extensions[0] = (struct sadb_ext *) pfkey_msg;
1258
1259
1260 if(pfkey_msg->sadb_msg_version != PF_KEY_V2) {
1261 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1262 "pfkey_msg_parse: "
1263 "not PF_KEY_V2 msg, found %d, should be %d.\n",
1264 pfkey_msg->sadb_msg_version,
1265 PF_KEY_V2);
1266 SENDERR(EINVAL);
1267 }
1268
1269 if(!pfkey_msg->sadb_msg_type) {
1270 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1271 "pfkey_msg_parse: "
1272 "msg type not set, must be non-zero..\n");
1273 SENDERR(EINVAL);
1274 }
1275
1276 if(pfkey_msg->sadb_msg_type > SADB_MAX) {
1277 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1278 "pfkey_msg_parse: "
1279 "msg type=%d > max=%d.\n",
1280 pfkey_msg->sadb_msg_type,
1281 SADB_MAX);
1282 SENDERR(EINVAL);
1283 }
1284
1285 switch(pfkey_msg->sadb_msg_type) {
1286 case SADB_GETSPI:
1287 case SADB_UPDATE:
1288 case SADB_ADD:
1289 case SADB_DELETE:
1290 case SADB_GET:
1291 case SADB_X_GRPSA:
1292 case SADB_X_ADDFLOW:
1293 if(!satype2proto(pfkey_msg->sadb_msg_satype)) {
1294 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1295 "pfkey_msg_parse: "
1296 "satype %d conversion to proto failed for msg_type %d (%s).\n",
1297 pfkey_msg->sadb_msg_satype,
1298 pfkey_msg->sadb_msg_type,
1299 pfkey_v2_sadb_type_string(pfkey_msg->sadb_msg_type));
1300 SENDERR(EINVAL);
1301 } else {
1302 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1303 "pfkey_msg_parse: "
1304 "satype %d(%s) conversion to proto gives %d for msg_type %d(%s).\n",
1305 pfkey_msg->sadb_msg_satype,
1306 satype2name(pfkey_msg->sadb_msg_satype),
1307 satype2proto(pfkey_msg->sadb_msg_satype),
1308 pfkey_msg->sadb_msg_type,
1309 pfkey_v2_sadb_type_string(pfkey_msg->sadb_msg_type));
1310 }
1311 case SADB_ACQUIRE:
1312 case SADB_REGISTER:
1313 case SADB_EXPIRE:
1314 if(!pfkey_msg->sadb_msg_satype) {
1315 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1316 "pfkey_msg_parse: "
1317 "satype is zero, must be non-zero for msg_type %d(%s).\n",
1318 pfkey_msg->sadb_msg_type,
1319 pfkey_v2_sadb_type_string(pfkey_msg->sadb_msg_type));
1320 SENDERR(EINVAL);
1321 }
1322 default:
1323 break;
1324 }
1325
1326 /* errno must not be set in downward messages */
1327 /* this is not entirely true... a response to an ACQUIRE could return an error */
1328 if((dir == EXT_BITS_IN) && (pfkey_msg->sadb_msg_type != SADB_ACQUIRE) && pfkey_msg->sadb_msg_errno) {
1329 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1330 "pfkey_msg_parse: "
1331 "errno set to %d.\n",
1332 pfkey_msg->sadb_msg_errno);
1333 SENDERR(EINVAL);
1334 }
1335
1336 DEBUGGING(PF_KEY_DEBUG_PARSE_FLOW,
1337 "pfkey_msg_parse: "
1338 "remain=%d, ext_type=%d(%s), ext_len=%d.\n",
1339 remain,
1340 pfkey_ext->sadb_ext_type,
1341 pfkey_v2_sadb_ext_string(pfkey_ext->sadb_ext_type),
1342 pfkey_ext->sadb_ext_len);
1343
1344 DEBUGGING(PF_KEY_DEBUG_PARSE_FLOW,
1345 "pfkey_msg_parse: "
1346 "extensions permitted=%08x, required=%08x.\n",
1347 extensions_bitmaps[dir][EXT_BITS_PERM][pfkey_msg->sadb_msg_type],
1348 extensions_bitmaps[dir][EXT_BITS_REQ][pfkey_msg->sadb_msg_type]);
1349
1350 extensions_seen = 1;
1351
1352 while( (remain * IPSEC_PFKEYv2_ALIGN) >= sizeof(struct sadb_ext) ) {
1353 /* Is there enough message left to support another extension header? */
1354 if(remain < pfkey_ext->sadb_ext_len) {
1355 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1356 "pfkey_msg_parse: "
1357 "remain %d less than ext len %d.\n",
1358 remain, pfkey_ext->sadb_ext_len);
1359 SENDERR(EINVAL);
1360 }
1361
1362 DEBUGGING(PF_KEY_DEBUG_PARSE_FLOW,
1363 "pfkey_msg_parse: "
1364 "parsing ext type=%d(%s) remain=%d.\n",
1365 pfkey_ext->sadb_ext_type,
1366 pfkey_v2_sadb_ext_string(pfkey_ext->sadb_ext_type),
1367 remain);
1368
1369 /* Is the extension header type valid? */
1370 if((pfkey_ext->sadb_ext_type > SADB_EXT_MAX) || (!pfkey_ext->sadb_ext_type)) {
1371 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1372 "pfkey_msg_parse: "
1373 "ext type %d(%s) invalid, SADB_EXT_MAX=%d.\n",
1374 pfkey_ext->sadb_ext_type,
1375 pfkey_v2_sadb_ext_string(pfkey_ext->sadb_ext_type),
1376 SADB_EXT_MAX);
1377 SENDERR(EINVAL);
1378 }
1379
1380 /* Have we already seen this type of extension? */
1381 if((extensions_seen & ( 1 << pfkey_ext->sadb_ext_type )) != 0)
1382 {
1383 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1384 "pfkey_msg_parse: "
1385 "ext type %d(%s) already seen.\n",
1386 pfkey_ext->sadb_ext_type,
1387 pfkey_v2_sadb_ext_string(pfkey_ext->sadb_ext_type));
1388 SENDERR(EINVAL);
1389 }
1390
1391 /* Do I even know about this type of extension? */
1392 if(ext_parsers[pfkey_ext->sadb_ext_type]==NULL) {
1393 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1394 "pfkey_msg_parse: "
1395 "ext type %d(%s) unknown, ignoring.\n",
1396 pfkey_ext->sadb_ext_type,
1397 pfkey_v2_sadb_ext_string(pfkey_ext->sadb_ext_type));
1398 goto next_ext;
1399 }
1400
1401 /* Is this type of extension permitted for this type of message? */
1402 if(!(extensions_bitmaps[dir][EXT_BITS_PERM][pfkey_msg->sadb_msg_type] &
1403 1<<pfkey_ext->sadb_ext_type)) {
1404 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1405 "pfkey_msg_parse: "
1406 "ext type %d(%s) not permitted, exts_perm_in=%08x, 1<<type=%08x\n",
1407 pfkey_ext->sadb_ext_type,
1408 pfkey_v2_sadb_ext_string(pfkey_ext->sadb_ext_type),
1409 extensions_bitmaps[dir][EXT_BITS_PERM][pfkey_msg->sadb_msg_type],
1410 1<<pfkey_ext->sadb_ext_type);
1411 SENDERR(EINVAL);
1412 }
1413
1414 DEBUGGING(PF_KEY_DEBUG_PARSE_STRUCT,
1415 "pfkey_msg_parse: "
1416 "remain=%d ext_type=%d(%s) ext_len=%d parsing ext 0p%p with parser %s.\n",
1417 remain,
1418 pfkey_ext->sadb_ext_type,
1419 pfkey_v2_sadb_ext_string(pfkey_ext->sadb_ext_type),
1420 pfkey_ext->sadb_ext_len,
1421 pfkey_ext,
1422 ext_parsers[pfkey_ext->sadb_ext_type]->parser_name);
1423
1424 /* Parse the extension */
1425 if((error =
1426 (*ext_parsers[pfkey_ext->sadb_ext_type]->parser)(pfkey_ext))) {
1427 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1428 "pfkey_msg_parse: "
1429 "extension parsing for type %d(%s) failed with error %d.\n",
1430 pfkey_ext->sadb_ext_type,
1431 pfkey_v2_sadb_ext_string(pfkey_ext->sadb_ext_type),
1432 error);
1433 SENDERR(-error);
1434 }
1435 DEBUGGING(PF_KEY_DEBUG_PARSE_FLOW,
1436 "pfkey_msg_parse: "
1437 "Extension %d(%s) parsed.\n",
1438 pfkey_ext->sadb_ext_type,
1439 pfkey_v2_sadb_ext_string(pfkey_ext->sadb_ext_type));
1440
1441 /* Mark that we have seen this extension and remember the header location */
1442 extensions_seen |= ( 1 << pfkey_ext->sadb_ext_type );
1443 extensions[pfkey_ext->sadb_ext_type] = pfkey_ext;
1444
1445 next_ext:
1446 /* Calculate how much message remains */
1447 remain -= pfkey_ext->sadb_ext_len;
1448
1449 if(!remain) {
1450 break;
1451 }
1452 /* Find the next extension header */
1453 pfkey_ext = (struct sadb_ext*)((char*)pfkey_ext +
1454 pfkey_ext->sadb_ext_len * IPSEC_PFKEYv2_ALIGN);
1455 }
1456
1457 if(remain) {
1458 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1459 "pfkey_msg_parse: "
1460 "unexpected remainder of %d.\n",
1461 remain);
1462 /* why is there still something remaining? */
1463 SENDERR(EINVAL);
1464 }
1465
1466 /* check required extensions */
1467 DEBUGGING(PF_KEY_DEBUG_PARSE_STRUCT,
1468 "pfkey_msg_parse: "
1469 "extensions permitted=%08x, seen=%08x, required=%08x.\n",
1470 extensions_bitmaps[dir][EXT_BITS_PERM][pfkey_msg->sadb_msg_type],
1471 extensions_seen,
1472 extensions_bitmaps[dir][EXT_BITS_REQ][pfkey_msg->sadb_msg_type]);
1473
1474 /* don't check further if it is an error return message since it
1475 may not have a body */
1476 if(pfkey_msg->sadb_msg_errno) {
1477 SENDERR(-error);
1478 }
1479
1480 if((extensions_seen &
1481 extensions_bitmaps[dir][EXT_BITS_REQ][pfkey_msg->sadb_msg_type]) !=
1482 extensions_bitmaps[dir][EXT_BITS_REQ][pfkey_msg->sadb_msg_type]) {
1483 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1484 "pfkey_msg_parse: "
1485 "required extensions missing:%08x.\n",
1486 extensions_bitmaps[dir][EXT_BITS_REQ][pfkey_msg->sadb_msg_type] -
1487 (extensions_seen &
1488 extensions_bitmaps[dir][EXT_BITS_REQ][pfkey_msg->sadb_msg_type]));
1489 SENDERR(EINVAL);
1490 }
1491
1492 if((dir == EXT_BITS_IN) && (pfkey_msg->sadb_msg_type == SADB_X_DELFLOW)
1493 && ((extensions_seen & SADB_X_EXT_ADDRESS_DELFLOW)
1494 != SADB_X_EXT_ADDRESS_DELFLOW)
1495 && (((extensions_seen & (1<<SADB_EXT_SA)) != (1<<SADB_EXT_SA))
1496 || ((((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_flags
1497 & SADB_X_SAFLAGS_CLEARFLOW)
1498 != SADB_X_SAFLAGS_CLEARFLOW))) {
1499 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1500 "pfkey_msg_parse: "
1501 "required SADB_X_DELFLOW extensions missing: either %08x must be present or %08x must be present with SADB_X_SAFLAGS_CLEARFLOW set.\n",
1502 SADB_X_EXT_ADDRESS_DELFLOW
1503 - (extensions_seen & SADB_X_EXT_ADDRESS_DELFLOW),
1504 (1<<SADB_EXT_SA) - (extensions_seen & (1<<SADB_EXT_SA)));
1505 SENDERR(EINVAL);
1506 }
1507
1508 switch(pfkey_msg->sadb_msg_type) {
1509 case SADB_ADD:
1510 case SADB_UPDATE:
1511 /* check maturity */
1512 if(((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_state !=
1513 SADB_SASTATE_MATURE) {
1514 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1515 "pfkey_msg_parse: "
1516 "state=%d for add or update should be MATURE=%d.\n",
1517 ((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_state,
1518 SADB_SASTATE_MATURE);
1519 SENDERR(EINVAL);
1520 }
1521
1522 /* check AH and ESP */
1523 switch(((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_satype) {
1524 case SADB_SATYPE_AH:
1525 if(!(((struct sadb_sa*)extensions[SADB_EXT_SA]) &&
1526 ((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_auth !=
1527 SADB_AALG_NONE)) {
1528 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1529 "pfkey_msg_parse: "
1530 "auth alg is zero, must be non-zero for AH SAs.\n");
1531 SENDERR(EINVAL);
1532 }
1533 if(((struct sadb_sa*)(extensions[SADB_EXT_SA]))->sadb_sa_encrypt !=
1534 SADB_EALG_NONE) {
1535 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1536 "pfkey_msg_parse: "
1537 "AH handed encalg=%d, must be zero.\n",
1538 ((struct sadb_sa*)(extensions[SADB_EXT_SA]))->sadb_sa_encrypt);
1539 SENDERR(EINVAL);
1540 }
1541 break;
1542 case SADB_SATYPE_ESP:
1543 if(!(((struct sadb_sa*)extensions[SADB_EXT_SA]) &&
1544 ((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_encrypt !=
1545 SADB_EALG_NONE)) {
1546 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1547 "pfkey_msg_parse: "
1548 "encrypt alg=%d is zero, must be non-zero for ESP=%d SAs.\n",
1549 ((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_encrypt,
1550 ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_satype);
1551 SENDERR(EINVAL);
1552 }
1553 if((((struct sadb_sa*)(extensions[SADB_EXT_SA]))->sadb_sa_encrypt ==
1554 SADB_EALG_NULL) &&
1555 (((struct sadb_sa*)(extensions[SADB_EXT_SA]))->sadb_sa_auth ==
1556 SADB_AALG_NONE) ) {
1557 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1558 "pfkey_msg_parse: "
1559 "ESP handed encNULL+authNONE, illegal combination.\n");
1560 SENDERR(EINVAL);
1561 }
1562 break;
1563 case SADB_X_SATYPE_COMP:
1564 if(!(((struct sadb_sa*)extensions[SADB_EXT_SA]) &&
1565 ((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_encrypt !=
1566 SADB_EALG_NONE)) {
1567 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1568 "pfkey_msg_parse: "
1569 "encrypt alg=%d is zero, must be non-zero for COMP=%d SAs.\n",
1570 ((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_encrypt,
1571 ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_satype);
1572 SENDERR(EINVAL);
1573 }
1574 if(((struct sadb_sa*)(extensions[SADB_EXT_SA]))->sadb_sa_auth !=
1575 SADB_AALG_NONE) {
1576 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1577 "pfkey_msg_parse: "
1578 "COMP handed auth=%d, must be zero.\n",
1579 ((struct sadb_sa*)(extensions[SADB_EXT_SA]))->sadb_sa_auth);
1580 SENDERR(EINVAL);
1581 }
1582 break;
1583 default:
1584 break;
1585 }
1586 if(ntohl(((struct sadb_sa*)(extensions[SADB_EXT_SA]))->sadb_sa_spi) <= 255) {
1587 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1588 "pfkey_msg_parse: "
1589 "spi=%08x must be > 255.\n",
1590 ntohl(((struct sadb_sa*)(extensions[SADB_EXT_SA]))->sadb_sa_spi));
1591 SENDERR(EINVAL);
1592 }
1593 default:
1594 break;
1595 }
1596 errlab:
1597
1598 return error;
1599 }
strongSwan - IPsec VPN