1 /* $OpenBSD: pfkeyv2_convert.c,v 1.36 2012/06/29 14:48:04 mikeb Exp $ */ 2 /* 3 * The author of this code is Angelos D. Keromytis (angelos@keromytis.org) 4 * 5 * Part of this code is based on code written by Craig Metz (cmetz@inner.net) 6 * for NRL. Those licenses follow this one. 7 * 8 * Copyright (c) 2001 Angelos D. Keromytis. 9 * 10 * Permission to use, copy, and modify this software with or without fee 11 * is hereby granted, provided that this entire notice is included in 12 * all copies of any software which is or includes a copy or 13 * modification of this software. 14 * You may use this code under the GNU public license if you so wish. Please 15 * contribute changes back to the authors under this freer than GPL license 16 * so that we may further the use of strong encryption without limitations to 17 * all. 18 * 19 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 20 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 21 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 22 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 23 * PURPOSE. 24 */ 25 26 /* 27 * @(#)COPYRIGHT 1.1 (NRL) 17 January 1995 28 * 29 * NRL grants permission for redistribution and use in source and binary 30 * forms, with or without modification, of the software and documentation 31 * created at NRL provided that the following conditions are met: 32 * 33 * 1. Redistributions of source code must retain the above copyright 34 * notice, this list of conditions and the following disclaimer. 35 * 2. Redistributions in binary form must reproduce the above copyright 36 * notice, this list of conditions and the following disclaimer in the 37 * documentation and/or other materials provided with the distribution. 38 * 3. All advertising materials mentioning features or use of this software 39 * must display the following acknowledgements: 40 * This product includes software developed by the University of 41 * California, Berkeley and its contributors. 42 * This product includes software developed at the Information 43 * Technology Division, US Naval Research Laboratory. 44 * 4. Neither the name of the NRL nor the names of its contributors 45 * may be used to endorse or promote products derived from this software 46 * without specific prior written permission. 47 * 48 * THE SOFTWARE PROVIDED BY NRL IS PROVIDED BY NRL AND CONTRIBUTORS ``AS 49 * IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 50 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A 51 * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL NRL OR 52 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, 53 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, 54 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 55 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 56 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 57 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 58 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 59 * 60 * The views and conclusions contained in the software and documentation 61 * are those of the authors and should not be interpreted as representing 62 * official policies, either expressed or implied, of the US Naval 63 * Research Laboratory (NRL). 64 */ 65 66 /* 67 * Copyright (c) 1995, 1996, 1997, 1998, 1999 Craig Metz. All rights reserved. 68 * 69 * Redistribution and use in source and binary forms, with or without 70 * modification, are permitted provided that the following conditions 71 * are met: 72 * 1. Redistributions of source code must retain the above copyright 73 * notice, this list of conditions and the following disclaimer. 74 * 2. Redistributions in binary form must reproduce the above copyright 75 * notice, this list of conditions and the following disclaimer in the 76 * documentation and/or other materials provided with the distribution. 77 * 3. Neither the name of the author nor the names of any contributors 78 * may be used to endorse or promote products derived from this software 79 * without specific prior written permission. 80 * 81 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 82 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 83 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 84 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 85 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 86 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 87 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 88 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 89 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 90 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 91 * SUCH DAMAGE. 92 */ 93 94 #include "pf.h" 95 96 #include <sys/types.h> 97 #include <sys/param.h> 98 #include <sys/systm.h> 99 #include <sys/mbuf.h> 100 #include <sys/kernel.h> 101 #include <sys/socket.h> 102 #include <net/route.h> 103 #include <net/if.h> 104 105 #if NPF > 0 106 #include <net/pfvar.h> 107 #endif 108 109 #include <netinet/ip_ipsp.h> 110 #ifdef INET6 111 #include <netinet6/in6_var.h> 112 #endif 113 #include <net/pfkeyv2.h> 114 #include <crypto/cryptodev.h> 115 #include <crypto/xform.h> 116 117 /* 118 * (Partly) Initialize a TDB based on an SADB_SA payload. Other parts 119 * of the TDB will be initialized by other import routines, and tdb_init(). 120 */ 121 void 122 import_sa(struct tdb *tdb, struct sadb_sa *sadb_sa, struct ipsecinit *ii) 123 { 124 if (!sadb_sa) 125 return; 126 127 if (ii) { 128 ii->ii_encalg = sadb_sa->sadb_sa_encrypt; 129 ii->ii_authalg = sadb_sa->sadb_sa_auth; 130 ii->ii_compalg = sadb_sa->sadb_sa_encrypt; /* Yeurk! */ 131 132 tdb->tdb_spi = sadb_sa->sadb_sa_spi; 133 tdb->tdb_wnd = sadb_sa->sadb_sa_replay; 134 135 if (sadb_sa->sadb_sa_flags & SADB_SAFLAGS_PFS) 136 tdb->tdb_flags |= TDBF_PFS; 137 138 if (sadb_sa->sadb_sa_flags & SADB_X_SAFLAGS_HALFIV) 139 tdb->tdb_flags |= TDBF_HALFIV; 140 141 if (sadb_sa->sadb_sa_flags & SADB_X_SAFLAGS_TUNNEL) 142 tdb->tdb_flags |= TDBF_TUNNELING; 143 144 if (sadb_sa->sadb_sa_flags & SADB_X_SAFLAGS_RANDOMPADDING) 145 tdb->tdb_flags |= TDBF_RANDOMPADDING; 146 147 if (sadb_sa->sadb_sa_flags & SADB_X_SAFLAGS_NOREPLAY) 148 tdb->tdb_flags |= TDBF_NOREPLAY; 149 150 if (sadb_sa->sadb_sa_flags & SADB_X_SAFLAGS_UDPENCAP) 151 tdb->tdb_flags |= TDBF_UDPENCAP; 152 153 if (sadb_sa->sadb_sa_flags & SADB_X_SAFLAGS_ESN) 154 tdb->tdb_flags |= TDBF_ESN; 155 } 156 157 if (sadb_sa->sadb_sa_state != SADB_SASTATE_MATURE) 158 tdb->tdb_flags |= TDBF_INVALID; 159 } 160 161 /* 162 * Export some of the information on a TDB. 163 */ 164 void 165 export_sa(void **p, struct tdb *tdb) 166 { 167 struct sadb_sa *sadb_sa = (struct sadb_sa *) *p; 168 169 sadb_sa->sadb_sa_len = sizeof(struct sadb_sa) / sizeof(uint64_t); 170 171 sadb_sa->sadb_sa_spi = tdb->tdb_spi; 172 sadb_sa->sadb_sa_replay = tdb->tdb_wnd; 173 174 if (tdb->tdb_flags & TDBF_INVALID) 175 sadb_sa->sadb_sa_state = SADB_SASTATE_LARVAL; 176 else 177 sadb_sa->sadb_sa_state = SADB_SASTATE_MATURE; 178 179 if (tdb->tdb_sproto == IPPROTO_IPCOMP && 180 tdb->tdb_compalgxform != NULL) { 181 switch (tdb->tdb_compalgxform->type) { 182 case CRYPTO_DEFLATE_COMP: 183 sadb_sa->sadb_sa_encrypt = SADB_X_CALG_DEFLATE; 184 break; 185 case CRYPTO_LZS_COMP: 186 sadb_sa->sadb_sa_encrypt = SADB_X_CALG_LZS; 187 break; 188 } 189 } 190 191 if (tdb->tdb_authalgxform) { 192 switch (tdb->tdb_authalgxform->type) { 193 case CRYPTO_MD5_HMAC: 194 sadb_sa->sadb_sa_auth = SADB_AALG_MD5HMAC; 195 break; 196 197 case CRYPTO_SHA1_HMAC: 198 sadb_sa->sadb_sa_auth = SADB_AALG_SHA1HMAC; 199 break; 200 201 case CRYPTO_RIPEMD160_HMAC: 202 sadb_sa->sadb_sa_auth = SADB_X_AALG_RIPEMD160HMAC; 203 break; 204 205 case CRYPTO_SHA2_256_HMAC: 206 sadb_sa->sadb_sa_auth = SADB_X_AALG_SHA2_256; 207 break; 208 209 case CRYPTO_SHA2_384_HMAC: 210 sadb_sa->sadb_sa_auth = SADB_X_AALG_SHA2_384; 211 break; 212 213 case CRYPTO_SHA2_512_HMAC: 214 sadb_sa->sadb_sa_auth = SADB_X_AALG_SHA2_512; 215 break; 216 217 case CRYPTO_AES_128_GMAC: 218 sadb_sa->sadb_sa_auth = SADB_X_AALG_AES128GMAC; 219 break; 220 221 case CRYPTO_AES_192_GMAC: 222 sadb_sa->sadb_sa_auth = SADB_X_AALG_AES192GMAC; 223 break; 224 225 case CRYPTO_AES_256_GMAC: 226 sadb_sa->sadb_sa_auth = SADB_X_AALG_AES256GMAC; 227 break; 228 229 case CRYPTO_MD5_KPDK: 230 sadb_sa->sadb_sa_auth = SADB_X_AALG_MD5; 231 break; 232 233 case CRYPTO_SHA1_KPDK: 234 sadb_sa->sadb_sa_auth = SADB_X_AALG_SHA1; 235 break; 236 } 237 } 238 239 if (tdb->tdb_encalgxform) { 240 switch (tdb->tdb_encalgxform->type) { 241 case CRYPTO_NULL: 242 sadb_sa->sadb_sa_encrypt = SADB_EALG_NULL; 243 break; 244 245 case CRYPTO_DES_CBC: 246 sadb_sa->sadb_sa_encrypt = SADB_EALG_DESCBC; 247 break; 248 249 case CRYPTO_3DES_CBC: 250 sadb_sa->sadb_sa_encrypt = SADB_EALG_3DESCBC; 251 break; 252 253 case CRYPTO_AES_CBC: 254 sadb_sa->sadb_sa_encrypt = SADB_X_EALG_AES; 255 break; 256 257 case CRYPTO_AES_CTR: 258 sadb_sa->sadb_sa_encrypt = SADB_X_EALG_AESCTR; 259 break; 260 261 case CRYPTO_AES_GCM_16: 262 sadb_sa->sadb_sa_encrypt = SADB_X_EALG_AESGCM16; 263 break; 264 265 case CRYPTO_AES_GMAC: 266 sadb_sa->sadb_sa_encrypt = SADB_X_EALG_AESGMAC; 267 break; 268 269 case CRYPTO_CAST_CBC: 270 sadb_sa->sadb_sa_encrypt = SADB_X_EALG_CAST; 271 break; 272 273 case CRYPTO_BLF_CBC: 274 sadb_sa->sadb_sa_encrypt = SADB_X_EALG_BLF; 275 break; 276 } 277 } 278 279 if (tdb->tdb_flags & TDBF_PFS) 280 sadb_sa->sadb_sa_flags |= SADB_SAFLAGS_PFS; 281 282 /* Only relevant for the "old" IPsec transforms. */ 283 if (tdb->tdb_flags & TDBF_HALFIV) 284 sadb_sa->sadb_sa_flags |= SADB_X_SAFLAGS_HALFIV; 285 286 if (tdb->tdb_flags & TDBF_TUNNELING) 287 sadb_sa->sadb_sa_flags |= SADB_X_SAFLAGS_TUNNEL; 288 289 if (tdb->tdb_flags & TDBF_RANDOMPADDING) 290 sadb_sa->sadb_sa_flags |= SADB_X_SAFLAGS_RANDOMPADDING; 291 292 if (tdb->tdb_flags & TDBF_NOREPLAY) 293 sadb_sa->sadb_sa_flags |= SADB_X_SAFLAGS_NOREPLAY; 294 295 if (tdb->tdb_flags & TDBF_UDPENCAP) 296 sadb_sa->sadb_sa_flags |= SADB_X_SAFLAGS_UDPENCAP; 297 298 if (tdb->tdb_flags & TDBF_ESN) 299 sadb_sa->sadb_sa_flags |= SADB_X_SAFLAGS_ESN; 300 301 *p += sizeof(struct sadb_sa); 302 } 303 304 /* 305 * Initialize expirations and counters based on lifetime payload. 306 */ 307 void 308 import_lifetime(struct tdb *tdb, struct sadb_lifetime *sadb_lifetime, int type) 309 { 310 struct timeval tv; 311 312 if (!sadb_lifetime) 313 return; 314 315 getmicrotime(&tv); 316 317 switch (type) { 318 case PFKEYV2_LIFETIME_HARD: 319 if ((tdb->tdb_exp_allocations = 320 sadb_lifetime->sadb_lifetime_allocations) != 0) 321 tdb->tdb_flags |= TDBF_ALLOCATIONS; 322 else 323 tdb->tdb_flags &= ~TDBF_ALLOCATIONS; 324 325 if ((tdb->tdb_exp_bytes = 326 sadb_lifetime->sadb_lifetime_bytes) != 0) 327 tdb->tdb_flags |= TDBF_BYTES; 328 else 329 tdb->tdb_flags &= ~TDBF_BYTES; 330 331 if ((tdb->tdb_exp_timeout = 332 sadb_lifetime->sadb_lifetime_addtime) != 0) { 333 tdb->tdb_flags |= TDBF_TIMER; 334 if (tv.tv_sec + tdb->tdb_exp_timeout < tv.tv_sec) 335 tv.tv_sec = ((unsigned long) -1) / 2; /* XXX */ 336 else 337 tv.tv_sec += tdb->tdb_exp_timeout; 338 timeout_add(&tdb->tdb_timer_tmo, hzto(&tv)); 339 } else 340 tdb->tdb_flags &= ~TDBF_TIMER; 341 342 if ((tdb->tdb_exp_first_use = 343 sadb_lifetime->sadb_lifetime_usetime) != 0) 344 tdb->tdb_flags |= TDBF_FIRSTUSE; 345 else 346 tdb->tdb_flags &= ~TDBF_FIRSTUSE; 347 break; 348 349 case PFKEYV2_LIFETIME_SOFT: 350 if ((tdb->tdb_soft_allocations = 351 sadb_lifetime->sadb_lifetime_allocations) != 0) 352 tdb->tdb_flags |= TDBF_SOFT_ALLOCATIONS; 353 else 354 tdb->tdb_flags &= ~TDBF_SOFT_ALLOCATIONS; 355 356 if ((tdb->tdb_soft_bytes = 357 sadb_lifetime->sadb_lifetime_bytes) != 0) 358 tdb->tdb_flags |= TDBF_SOFT_BYTES; 359 else 360 tdb->tdb_flags &= ~TDBF_SOFT_BYTES; 361 362 if ((tdb->tdb_soft_timeout = 363 sadb_lifetime->sadb_lifetime_addtime) != 0) { 364 tdb->tdb_flags |= TDBF_SOFT_TIMER; 365 if (tv.tv_sec + tdb->tdb_soft_timeout < tv.tv_sec) 366 tv.tv_sec = ((unsigned long) -1) / 2; /* XXX */ 367 else 368 tv.tv_sec += tdb->tdb_soft_timeout; 369 timeout_add(&tdb->tdb_stimer_tmo, hzto(&tv)); 370 } else 371 tdb->tdb_flags &= ~TDBF_SOFT_TIMER; 372 373 if ((tdb->tdb_soft_first_use = 374 sadb_lifetime->sadb_lifetime_usetime) != 0) 375 tdb->tdb_flags |= TDBF_SOFT_FIRSTUSE; 376 else 377 tdb->tdb_flags &= ~TDBF_SOFT_FIRSTUSE; 378 break; 379 380 case PFKEYV2_LIFETIME_CURRENT: /* Nothing fancy here. */ 381 tdb->tdb_cur_allocations = 382 sadb_lifetime->sadb_lifetime_allocations; 383 tdb->tdb_cur_bytes = sadb_lifetime->sadb_lifetime_bytes; 384 tdb->tdb_established = sadb_lifetime->sadb_lifetime_addtime; 385 tdb->tdb_first_use = sadb_lifetime->sadb_lifetime_usetime; 386 } 387 } 388 389 /* 390 * Export TDB expiration information. 391 */ 392 void 393 export_lifetime(void **p, struct tdb *tdb, int type) 394 { 395 struct sadb_lifetime *sadb_lifetime = (struct sadb_lifetime *) *p; 396 397 sadb_lifetime->sadb_lifetime_len = sizeof(struct sadb_lifetime) / 398 sizeof(uint64_t); 399 400 switch (type) { 401 case PFKEYV2_LIFETIME_HARD: 402 if (tdb->tdb_flags & TDBF_ALLOCATIONS) 403 sadb_lifetime->sadb_lifetime_allocations = 404 tdb->tdb_exp_allocations; 405 406 if (tdb->tdb_flags & TDBF_BYTES) 407 sadb_lifetime->sadb_lifetime_bytes = 408 tdb->tdb_exp_bytes; 409 410 if (tdb->tdb_flags & TDBF_TIMER) 411 sadb_lifetime->sadb_lifetime_addtime = 412 tdb->tdb_exp_timeout; 413 414 if (tdb->tdb_flags & TDBF_FIRSTUSE) 415 sadb_lifetime->sadb_lifetime_usetime = 416 tdb->tdb_exp_first_use; 417 break; 418 419 case PFKEYV2_LIFETIME_SOFT: 420 if (tdb->tdb_flags & TDBF_SOFT_ALLOCATIONS) 421 sadb_lifetime->sadb_lifetime_allocations = 422 tdb->tdb_soft_allocations; 423 424 if (tdb->tdb_flags & TDBF_SOFT_BYTES) 425 sadb_lifetime->sadb_lifetime_bytes = 426 tdb->tdb_soft_bytes; 427 428 if (tdb->tdb_flags & TDBF_SOFT_TIMER) 429 sadb_lifetime->sadb_lifetime_addtime = 430 tdb->tdb_soft_timeout; 431 432 if (tdb->tdb_flags & TDBF_SOFT_FIRSTUSE) 433 sadb_lifetime->sadb_lifetime_usetime = 434 tdb->tdb_soft_first_use; 435 break; 436 437 case PFKEYV2_LIFETIME_CURRENT: 438 sadb_lifetime->sadb_lifetime_allocations = 439 tdb->tdb_cur_allocations; 440 sadb_lifetime->sadb_lifetime_bytes = tdb->tdb_cur_bytes; 441 sadb_lifetime->sadb_lifetime_addtime = tdb->tdb_established; 442 sadb_lifetime->sadb_lifetime_usetime = tdb->tdb_first_use; 443 break; 444 445 case PFKEYV2_LIFETIME_LASTUSE: 446 sadb_lifetime->sadb_lifetime_allocations = 0; 447 sadb_lifetime->sadb_lifetime_bytes = 0; 448 sadb_lifetime->sadb_lifetime_addtime = 0; 449 sadb_lifetime->sadb_lifetime_usetime = tdb->tdb_last_used; 450 break; 451 } 452 453 *p += sizeof(struct sadb_lifetime); 454 } 455 456 /* 457 * Import flow information to two struct sockaddr_encap's. Either 458 * all or none of the address arguments are NULL. 459 */ 460 void 461 import_flow(struct sockaddr_encap *flow, struct sockaddr_encap *flowmask, 462 struct sadb_address *ssrc, struct sadb_address *ssrcmask, 463 struct sadb_address *ddst, struct sadb_address *ddstmask, 464 struct sadb_protocol *sab, struct sadb_protocol *ftype) 465 { 466 u_int8_t transproto = 0; 467 union sockaddr_union *src = (union sockaddr_union *)(ssrc + 1); 468 union sockaddr_union *dst = (union sockaddr_union *)(ddst + 1); 469 union sockaddr_union *srcmask = (union sockaddr_union *)(ssrcmask + 1); 470 union sockaddr_union *dstmask = (union sockaddr_union *)(ddstmask + 1); 471 472 if (ssrc == NULL) 473 return; /* There wasn't any information to begin with. */ 474 475 bzero(flow, sizeof(*flow)); 476 bzero(flowmask, sizeof(*flowmask)); 477 478 if (sab != NULL) 479 transproto = sab->sadb_protocol_proto; 480 481 /* 482 * Check that all the address families match. We know they are 483 * valid and supported because pfkeyv2_parsemessage() checked that. 484 */ 485 if ((src->sa.sa_family != dst->sa.sa_family) || 486 (src->sa.sa_family != srcmask->sa.sa_family) || 487 (src->sa.sa_family != dstmask->sa.sa_family)) 488 return; 489 490 /* 491 * We set these as an indication that tdb_filter/tdb_filtermask are 492 * in fact initialized. 493 */ 494 flow->sen_family = flowmask->sen_family = PF_KEY; 495 flow->sen_len = flowmask->sen_len = SENT_LEN; 496 497 switch (src->sa.sa_family) 498 { 499 #ifdef INET 500 case AF_INET: 501 /* netmask handling */ 502 rt_maskedcopy(&src->sa, &src->sa, &srcmask->sa); 503 rt_maskedcopy(&dst->sa, &dst->sa, &dstmask->sa); 504 505 flow->sen_type = SENT_IP4; 506 flow->sen_direction = ftype->sadb_protocol_direction; 507 flow->sen_ip_src = src->sin.sin_addr; 508 flow->sen_ip_dst = dst->sin.sin_addr; 509 flow->sen_proto = transproto; 510 flow->sen_sport = src->sin.sin_port; 511 flow->sen_dport = dst->sin.sin_port; 512 513 flowmask->sen_type = SENT_IP4; 514 flowmask->sen_direction = 0xff; 515 flowmask->sen_ip_src = srcmask->sin.sin_addr; 516 flowmask->sen_ip_dst = dstmask->sin.sin_addr; 517 flowmask->sen_sport = srcmask->sin.sin_port; 518 flowmask->sen_dport = dstmask->sin.sin_port; 519 if (transproto) 520 flowmask->sen_proto = 0xff; 521 break; 522 #endif /* INET */ 523 524 #ifdef INET6 525 case AF_INET6: 526 in6_embedscope(&src->sin6.sin6_addr, &src->sin6, 527 NULL, NULL); 528 in6_embedscope(&dst->sin6.sin6_addr, &dst->sin6, 529 NULL, NULL); 530 531 /* netmask handling */ 532 rt_maskedcopy(&src->sa, &src->sa, &srcmask->sa); 533 rt_maskedcopy(&dst->sa, &dst->sa, &dstmask->sa); 534 535 flow->sen_type = SENT_IP6; 536 flow->sen_ip6_direction = ftype->sadb_protocol_direction; 537 flow->sen_ip6_src = src->sin6.sin6_addr; 538 flow->sen_ip6_dst = dst->sin6.sin6_addr; 539 flow->sen_ip6_proto = transproto; 540 flow->sen_ip6_sport = src->sin6.sin6_port; 541 flow->sen_ip6_dport = dst->sin6.sin6_port; 542 543 flowmask->sen_type = SENT_IP6; 544 flowmask->sen_ip6_direction = 0xff; 545 flowmask->sen_ip6_src = srcmask->sin6.sin6_addr; 546 flowmask->sen_ip6_dst = dstmask->sin6.sin6_addr; 547 flowmask->sen_ip6_sport = srcmask->sin6.sin6_port; 548 flowmask->sen_ip6_dport = dstmask->sin6.sin6_port; 549 if (transproto) 550 flowmask->sen_ip6_proto = 0xff; 551 break; 552 #endif /* INET6 */ 553 } 554 } 555 556 /* 557 * Helper to export addresses from an struct sockaddr_encap. 558 */ 559 static void 560 export_encap(void **p, struct sockaddr_encap *encap, int type) 561 { 562 struct sadb_address *saddr = (struct sadb_address *)*p; 563 union sockaddr_union *sunion; 564 565 *p += sizeof(struct sadb_address); 566 sunion = (union sockaddr_union *)*p; 567 568 switch (encap->sen_type) { 569 case SENT_IP4: 570 saddr->sadb_address_len = (sizeof(struct sadb_address) + 571 PADUP(sizeof(struct sockaddr_in))) / sizeof(uint64_t); 572 sunion->sa.sa_len = sizeof(struct sockaddr_in); 573 sunion->sa.sa_family = AF_INET; 574 if (type == SADB_X_EXT_SRC_FLOW || 575 type == SADB_X_EXT_SRC_MASK) { 576 sunion->sin.sin_addr = encap->sen_ip_src; 577 sunion->sin.sin_port = encap->sen_sport; 578 } else { 579 sunion->sin.sin_addr = encap->sen_ip_dst; 580 sunion->sin.sin_port = encap->sen_dport; 581 } 582 *p += PADUP(sizeof(struct sockaddr_in)); 583 break; 584 case SENT_IP6: 585 saddr->sadb_address_len = (sizeof(struct sadb_address) 586 + PADUP(sizeof(struct sockaddr_in6))) / sizeof(uint64_t); 587 sunion->sa.sa_len = sizeof(struct sockaddr_in6); 588 sunion->sa.sa_family = AF_INET6; 589 if (type == SADB_X_EXT_SRC_FLOW || 590 type == SADB_X_EXT_SRC_MASK) { 591 sunion->sin6.sin6_addr = encap->sen_ip6_src; 592 sunion->sin6.sin6_port = encap->sen_ip6_sport; 593 } else { 594 sunion->sin6.sin6_addr = encap->sen_ip6_dst; 595 sunion->sin6.sin6_port = encap->sen_ip6_dport; 596 } 597 *p += PADUP(sizeof(struct sockaddr_in6)); 598 break; 599 } 600 } 601 602 /* 603 * Export flow information from two struct sockaddr_encap's. 604 */ 605 void 606 export_flow(void **p, u_int8_t ftype, struct sockaddr_encap *flow, 607 struct sockaddr_encap *flowmask, void **headers) 608 { 609 struct sadb_protocol *sab; 610 611 headers[SADB_X_EXT_FLOW_TYPE] = *p; 612 sab = (struct sadb_protocol *)*p; 613 sab->sadb_protocol_len = sizeof(struct sadb_protocol) / 614 sizeof(uint64_t); 615 616 switch (ftype) { 617 case IPSP_IPSEC_USE: 618 sab->sadb_protocol_proto = SADB_X_FLOW_TYPE_USE; 619 break; 620 case IPSP_IPSEC_ACQUIRE: 621 sab->sadb_protocol_proto = SADB_X_FLOW_TYPE_ACQUIRE; 622 break; 623 case IPSP_IPSEC_REQUIRE: 624 sab->sadb_protocol_proto = SADB_X_FLOW_TYPE_REQUIRE; 625 break; 626 case IPSP_DENY: 627 sab->sadb_protocol_proto = SADB_X_FLOW_TYPE_DENY; 628 break; 629 case IPSP_PERMIT: 630 sab->sadb_protocol_proto = SADB_X_FLOW_TYPE_BYPASS; 631 break; 632 case IPSP_IPSEC_DONTACQ: 633 sab->sadb_protocol_proto = SADB_X_FLOW_TYPE_DONTACQ; 634 break; 635 default: 636 sab->sadb_protocol_proto = 0; 637 break; 638 } 639 640 switch (flow->sen_type) { 641 #ifdef INET 642 case SENT_IP4: 643 sab->sadb_protocol_direction = flow->sen_direction; 644 break; 645 #endif /* INET */ 646 #ifdef INET6 647 case SENT_IP6: 648 sab->sadb_protocol_direction = flow->sen_ip6_direction; 649 break; 650 #endif /* INET6 */ 651 } 652 *p += sizeof(struct sadb_protocol); 653 654 headers[SADB_X_EXT_PROTOCOL] = *p; 655 sab = (struct sadb_protocol *)*p; 656 sab->sadb_protocol_len = sizeof(struct sadb_protocol) / 657 sizeof(uint64_t); 658 switch (flow->sen_type) { 659 #ifdef INET 660 case SENT_IP4: 661 sab->sadb_protocol_proto = flow->sen_proto; 662 break; 663 #endif /* INET */ 664 #ifdef INET6 665 case SENT_IP6: 666 sab->sadb_protocol_proto = flow->sen_ip6_proto; 667 break; 668 #endif /* INET6 */ 669 } 670 *p += sizeof(struct sadb_protocol); 671 672 headers[SADB_X_EXT_SRC_FLOW] = *p; 673 export_encap(p, flow, SADB_X_EXT_SRC_FLOW); 674 675 headers[SADB_X_EXT_SRC_MASK] = *p; 676 export_encap(p, flowmask, SADB_X_EXT_SRC_MASK); 677 678 headers[SADB_X_EXT_DST_FLOW] = *p; 679 export_encap(p, flow, SADB_X_EXT_DST_FLOW); 680 681 headers[SADB_X_EXT_DST_MASK] = *p; 682 export_encap(p, flowmask, SADB_X_EXT_DST_MASK); 683 } 684 685 /* 686 * Copy an SADB_ADDRESS payload to a struct sockaddr. 687 */ 688 void 689 import_address(struct sockaddr *sa, struct sadb_address *sadb_address) 690 { 691 int salen; 692 struct sockaddr *ssa = (struct sockaddr *)((void *) sadb_address + 693 sizeof(struct sadb_address)); 694 695 if (!sadb_address) 696 return; 697 698 if (ssa->sa_len) 699 salen = ssa->sa_len; 700 else 701 switch (ssa->sa_family) { 702 #ifdef INET 703 case AF_INET: 704 salen = sizeof(struct sockaddr_in); 705 break; 706 #endif /* INET */ 707 708 #ifdef INET6 709 case AF_INET6: 710 salen = sizeof(struct sockaddr_in6); 711 break; 712 #endif /* INET6 */ 713 714 default: 715 return; 716 } 717 718 bcopy(ssa, sa, salen); 719 sa->sa_len = salen; 720 } 721 722 /* 723 * Export a struct sockaddr as an SADB_ADDRESS payload. 724 */ 725 void 726 export_address(void **p, struct sockaddr *sa) 727 { 728 struct sadb_address *sadb_address = (struct sadb_address *) *p; 729 730 sadb_address->sadb_address_len = (sizeof(struct sadb_address) + 731 PADUP(SA_LEN(sa))) / sizeof(uint64_t); 732 733 *p += sizeof(struct sadb_address); 734 bcopy(sa, *p, SA_LEN(sa)); 735 ((struct sockaddr *) *p)->sa_family = sa->sa_family; 736 *p += PADUP(SA_LEN(sa)); 737 } 738 739 /* 740 * Import authentication information into the TDB. 741 */ 742 void 743 import_auth(struct tdb *tdb, struct sadb_x_cred *sadb_auth, int dstauth) 744 { 745 struct ipsec_ref **ipr; 746 747 if (!sadb_auth) 748 return; 749 750 if (dstauth == PFKEYV2_AUTH_REMOTE) 751 ipr = &tdb->tdb_remote_auth; 752 else 753 ipr = &tdb->tdb_local_auth; 754 755 *ipr = malloc(EXTLEN(sadb_auth) - sizeof(struct sadb_x_cred) + 756 sizeof(struct ipsec_ref), M_CREDENTIALS, M_WAITOK); 757 (*ipr)->ref_len = EXTLEN(sadb_auth) - sizeof(struct sadb_x_cred); 758 759 switch (sadb_auth->sadb_x_cred_type) { 760 case SADB_X_AUTHTYPE_PASSPHRASE: 761 (*ipr)->ref_type = IPSP_AUTH_PASSPHRASE; 762 break; 763 case SADB_X_AUTHTYPE_RSA: 764 (*ipr)->ref_type = IPSP_AUTH_RSA; 765 break; 766 default: 767 free(*ipr, M_CREDENTIALS); 768 *ipr = NULL; 769 return; 770 } 771 (*ipr)->ref_count = 1; 772 (*ipr)->ref_malloctype = M_CREDENTIALS; 773 bcopy((void *) sadb_auth + sizeof(struct sadb_x_cred), 774 (*ipr) + 1, (*ipr)->ref_len); 775 } 776 777 /* 778 * Import a set of credentials into the TDB. 779 */ 780 void 781 import_credentials(struct tdb *tdb, struct sadb_x_cred *sadb_cred, int dstcred) 782 { 783 struct ipsec_ref **ipr; 784 785 if (!sadb_cred) 786 return; 787 788 if (dstcred == PFKEYV2_CRED_REMOTE) 789 ipr = &tdb->tdb_remote_cred; 790 else 791 ipr = &tdb->tdb_local_cred; 792 793 *ipr = malloc(EXTLEN(sadb_cred) - sizeof(struct sadb_x_cred) + 794 sizeof(struct ipsec_ref), M_CREDENTIALS, M_WAITOK); 795 (*ipr)->ref_len = EXTLEN(sadb_cred) - sizeof(struct sadb_x_cred); 796 797 switch (sadb_cred->sadb_x_cred_type) { 798 case SADB_X_CREDTYPE_X509: 799 (*ipr)->ref_type = IPSP_CRED_X509; 800 break; 801 case SADB_X_CREDTYPE_KEYNOTE: 802 (*ipr)->ref_type = IPSP_CRED_KEYNOTE; 803 break; 804 default: 805 free(*ipr, M_CREDENTIALS); 806 *ipr = NULL; 807 return; 808 } 809 (*ipr)->ref_count = 1; 810 (*ipr)->ref_malloctype = M_CREDENTIALS; 811 bcopy((void *) sadb_cred + sizeof(struct sadb_x_cred), 812 (*ipr) + 1, (*ipr)->ref_len); 813 } 814 815 /* 816 * Import an identity payload into the TDB. 817 */ 818 void 819 import_identity(struct tdb *tdb, struct sadb_ident *sadb_ident, int type) 820 { 821 struct ipsec_ref **ipr; 822 823 if (!sadb_ident) 824 return; 825 826 if (type == PFKEYV2_IDENTITY_SRC) 827 ipr = &tdb->tdb_srcid; 828 else 829 ipr = &tdb->tdb_dstid; 830 831 *ipr = malloc(EXTLEN(sadb_ident) - sizeof(struct sadb_ident) + 832 sizeof(struct ipsec_ref), M_CREDENTIALS, M_WAITOK); 833 (*ipr)->ref_len = EXTLEN(sadb_ident) - sizeof(struct sadb_ident); 834 835 switch (sadb_ident->sadb_ident_type) { 836 case SADB_IDENTTYPE_PREFIX: 837 (*ipr)->ref_type = IPSP_IDENTITY_PREFIX; 838 break; 839 case SADB_IDENTTYPE_FQDN: 840 (*ipr)->ref_type = IPSP_IDENTITY_FQDN; 841 break; 842 case SADB_IDENTTYPE_USERFQDN: 843 (*ipr)->ref_type = IPSP_IDENTITY_USERFQDN; 844 break; 845 case SADB_X_IDENTTYPE_CONNECTION: 846 (*ipr)->ref_type = IPSP_IDENTITY_CONNECTION; 847 break; 848 default: 849 free(*ipr, M_CREDENTIALS); 850 *ipr = NULL; 851 return; 852 } 853 (*ipr)->ref_count = 1; 854 (*ipr)->ref_malloctype = M_CREDENTIALS; 855 bcopy((void *) sadb_ident + sizeof(struct sadb_ident), (*ipr) + 1, 856 (*ipr)->ref_len); 857 } 858 859 void 860 export_credentials(void **p, struct tdb *tdb, int dstcred) 861 { 862 struct ipsec_ref **ipr; 863 struct sadb_x_cred *sadb_cred = (struct sadb_x_cred *) *p; 864 865 if (dstcred == PFKEYV2_CRED_REMOTE) 866 ipr = &tdb->tdb_remote_cred; 867 else 868 ipr = &tdb->tdb_local_cred; 869 870 sadb_cred->sadb_x_cred_len = (sizeof(struct sadb_x_cred) + 871 PADUP((*ipr)->ref_len)) / sizeof(uint64_t); 872 873 switch ((*ipr)->ref_type) { 874 case IPSP_CRED_KEYNOTE: 875 sadb_cred->sadb_x_cred_type = SADB_X_CREDTYPE_KEYNOTE; 876 break; 877 case IPSP_CRED_X509: 878 sadb_cred->sadb_x_cred_type = SADB_X_CREDTYPE_X509; 879 break; 880 } 881 *p += sizeof(struct sadb_x_cred); 882 bcopy((*ipr) + 1, *p, (*ipr)->ref_len); 883 *p += PADUP((*ipr)->ref_len); 884 } 885 886 void 887 export_auth(void **p, struct tdb *tdb, int dstauth) 888 { 889 struct ipsec_ref **ipr; 890 struct sadb_x_cred *sadb_auth = (struct sadb_x_cred *) *p; 891 892 if (dstauth == PFKEYV2_AUTH_REMOTE) 893 ipr = &tdb->tdb_remote_auth; 894 else 895 ipr = &tdb->tdb_local_auth; 896 897 sadb_auth->sadb_x_cred_len = (sizeof(struct sadb_x_cred) + 898 PADUP((*ipr)->ref_len)) / sizeof(uint64_t); 899 900 switch ((*ipr)->ref_type) { 901 case IPSP_AUTH_PASSPHRASE: 902 sadb_auth->sadb_x_cred_type = SADB_X_AUTHTYPE_PASSPHRASE; 903 break; 904 case IPSP_AUTH_RSA: 905 sadb_auth->sadb_x_cred_type = SADB_X_AUTHTYPE_RSA; 906 break; 907 } 908 *p += sizeof(struct sadb_x_cred); 909 bcopy((*ipr) + 1, *p, (*ipr)->ref_len); 910 *p += PADUP((*ipr)->ref_len); 911 } 912 913 void 914 export_identity(void **p, struct tdb *tdb, int type) 915 { 916 struct ipsec_ref **ipr; 917 struct sadb_ident *sadb_ident = (struct sadb_ident *) *p; 918 919 if (type == PFKEYV2_IDENTITY_SRC) 920 ipr = &tdb->tdb_srcid; 921 else 922 ipr = &tdb->tdb_dstid; 923 924 sadb_ident->sadb_ident_len = (sizeof(struct sadb_ident) + 925 PADUP((*ipr)->ref_len)) / sizeof(uint64_t); 926 927 switch ((*ipr)->ref_type) { 928 case IPSP_IDENTITY_PREFIX: 929 sadb_ident->sadb_ident_type = SADB_IDENTTYPE_PREFIX; 930 break; 931 case IPSP_IDENTITY_FQDN: 932 sadb_ident->sadb_ident_type = SADB_IDENTTYPE_FQDN; 933 break; 934 case IPSP_IDENTITY_USERFQDN: 935 sadb_ident->sadb_ident_type = SADB_IDENTTYPE_USERFQDN; 936 break; 937 case IPSP_IDENTITY_CONNECTION: 938 sadb_ident->sadb_ident_type = SADB_X_IDENTTYPE_CONNECTION; 939 break; 940 } 941 *p += sizeof(struct sadb_ident); 942 bcopy((*ipr) + 1, *p, (*ipr)->ref_len); 943 *p += PADUP((*ipr)->ref_len); 944 } 945 946 /* ... */ 947 void 948 import_key(struct ipsecinit *ii, struct sadb_key *sadb_key, int type) 949 { 950 if (!sadb_key) 951 return; 952 953 if (type == PFKEYV2_ENCRYPTION_KEY) { /* Encryption key */ 954 ii->ii_enckeylen = sadb_key->sadb_key_bits / 8; 955 ii->ii_enckey = (void *)sadb_key + sizeof(struct sadb_key); 956 } else { 957 ii->ii_authkeylen = sadb_key->sadb_key_bits / 8; 958 ii->ii_authkey = (void *)sadb_key + sizeof(struct sadb_key); 959 } 960 } 961 962 void 963 export_key(void **p, struct tdb *tdb, int type) 964 { 965 struct sadb_key *sadb_key = (struct sadb_key *) *p; 966 967 if (type == PFKEYV2_ENCRYPTION_KEY) { 968 sadb_key->sadb_key_len = (sizeof(struct sadb_key) + 969 PADUP(tdb->tdb_emxkeylen)) / 970 sizeof(uint64_t); 971 sadb_key->sadb_key_bits = tdb->tdb_emxkeylen * 8; 972 *p += sizeof(struct sadb_key); 973 bcopy(tdb->tdb_emxkey, *p, tdb->tdb_emxkeylen); 974 *p += PADUP(tdb->tdb_emxkeylen); 975 } else { 976 sadb_key->sadb_key_len = (sizeof(struct sadb_key) + 977 PADUP(tdb->tdb_amxkeylen)) / 978 sizeof(uint64_t); 979 sadb_key->sadb_key_bits = tdb->tdb_amxkeylen * 8; 980 *p += sizeof(struct sadb_key); 981 bcopy(tdb->tdb_amxkey, *p, tdb->tdb_amxkeylen); 982 *p += PADUP(tdb->tdb_amxkeylen); 983 } 984 } 985 986 /* Import/Export remote port for UDP Encapsulation */ 987 void 988 import_udpencap(struct tdb *tdb, struct sadb_x_udpencap *sadb_udpencap) 989 { 990 if (sadb_udpencap) 991 tdb->tdb_udpencap_port = sadb_udpencap->sadb_x_udpencap_port; 992 } 993 994 void 995 export_udpencap(void **p, struct tdb *tdb) 996 { 997 struct sadb_x_udpencap *sadb_udpencap = (struct sadb_x_udpencap *) *p; 998 999 sadb_udpencap->sadb_x_udpencap_port = tdb->tdb_udpencap_port; 1000 sadb_udpencap->sadb_x_udpencap_reserved = 0; 1001 sadb_udpencap->sadb_x_udpencap_len = 1002 sizeof(struct sadb_x_udpencap) / sizeof(uint64_t); 1003 *p += sizeof(struct sadb_x_udpencap); 1004 } 1005 1006 #if NPF > 0 1007 /* Import PF tag information for SA */ 1008 void 1009 import_tag(struct tdb *tdb, struct sadb_x_tag *stag) 1010 { 1011 char *s; 1012 1013 if (stag) { 1014 s = (char *)(stag + 1); 1015 tdb->tdb_tag = pf_tagname2tag(s); 1016 } 1017 } 1018 1019 /* Export PF tag information for SA */ 1020 void 1021 export_tag(void **p, struct tdb *tdb) 1022 { 1023 struct sadb_x_tag *stag = (struct sadb_x_tag *)*p; 1024 char *s = (char *)(stag + 1); 1025 1026 pf_tag2tagname(tdb->tdb_tag, s); 1027 stag->sadb_x_tag_taglen = strlen(s) + 1; 1028 stag->sadb_x_tag_len = (sizeof(struct sadb_x_tag) + 1029 PADUP(stag->sadb_x_tag_taglen)) / sizeof(uint64_t); 1030 *p += PADUP(stag->sadb_x_tag_taglen) + sizeof(struct sadb_x_tag); 1031 } 1032 1033 /* Import enc(4) tap device information for SA */ 1034 void 1035 import_tap(struct tdb *tdb, struct sadb_x_tap *stap) 1036 { 1037 if (stap) 1038 tdb->tdb_tap = stap->sadb_x_tap_unit; 1039 } 1040 1041 /* Export enc(4) tap device information for SA */ 1042 void 1043 export_tap(void **p, struct tdb *tdb) 1044 { 1045 struct sadb_x_tap *stag = (struct sadb_x_tap *)*p; 1046 1047 stag->sadb_x_tap_unit = tdb->tdb_tap; 1048 stag->sadb_x_tap_len = sizeof(struct sadb_x_tap) / sizeof(uint64_t); 1049 *p += sizeof(struct sadb_x_tap); 1050 } 1051 #endif 1052