1 /* $OpenBSD: pfkeyv2_convert.c,v 1.43 2014/07/12 18:44:22 tedu Exp $ */ 2 /* 3 * The author of this code is Angelos D. Keromytis (angelos@keromytis.org) 4 * 5 * Part of this code is based on code written by Craig Metz (cmetz@inner.net) 6 * for NRL. Those licenses follow this one. 7 * 8 * Copyright (c) 2001 Angelos D. Keromytis. 9 * 10 * Permission to use, copy, and modify this software with or without fee 11 * is hereby granted, provided that this entire notice is included in 12 * all copies of any software which is or includes a copy or 13 * modification of this software. 14 * You may use this code under the GNU public license if you so wish. Please 15 * contribute changes back to the authors under this freer than GPL license 16 * so that we may further the use of strong encryption without limitations to 17 * all. 18 * 19 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 20 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 21 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 22 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 23 * PURPOSE. 24 */ 25 26 /* 27 * @(#)COPYRIGHT 1.1 (NRL) 17 January 1995 28 * 29 * NRL grants permission for redistribution and use in source and binary 30 * forms, with or without modification, of the software and documentation 31 * created at NRL provided that the following conditions are met: 32 * 33 * 1. Redistributions of source code must retain the above copyright 34 * notice, this list of conditions and the following disclaimer. 35 * 2. Redistributions in binary form must reproduce the above copyright 36 * notice, this list of conditions and the following disclaimer in the 37 * documentation and/or other materials provided with the distribution. 38 * 3. All advertising materials mentioning features or use of this software 39 * must display the following acknowledgements: 40 * This product includes software developed by the University of 41 * California, Berkeley and its contributors. 42 * This product includes software developed at the Information 43 * Technology Division, US Naval Research Laboratory. 44 * 4. Neither the name of the NRL nor the names of its contributors 45 * may be used to endorse or promote products derived from this software 46 * without specific prior written permission. 47 * 48 * THE SOFTWARE PROVIDED BY NRL IS PROVIDED BY NRL AND CONTRIBUTORS ``AS 49 * IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 50 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A 51 * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL NRL OR 52 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, 53 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, 54 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 55 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 56 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 57 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 58 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 59 * 60 * The views and conclusions contained in the software and documentation 61 * are those of the authors and should not be interpreted as representing 62 * official policies, either expressed or implied, of the US Naval 63 * Research Laboratory (NRL). 64 */ 65 66 /* 67 * Copyright (c) 1995, 1996, 1997, 1998, 1999 Craig Metz. All rights reserved. 68 * 69 * Redistribution and use in source and binary forms, with or without 70 * modification, are permitted provided that the following conditions 71 * are met: 72 * 1. Redistributions of source code must retain the above copyright 73 * notice, this list of conditions and the following disclaimer. 74 * 2. Redistributions in binary form must reproduce the above copyright 75 * notice, this list of conditions and the following disclaimer in the 76 * documentation and/or other materials provided with the distribution. 77 * 3. Neither the name of the author nor the names of any contributors 78 * may be used to endorse or promote products derived from this software 79 * without specific prior written permission. 80 * 81 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 82 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 83 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 84 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 85 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 86 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 87 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 88 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 89 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 90 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 91 * SUCH DAMAGE. 92 */ 93 94 #include "pf.h" 95 96 #include <sys/types.h> 97 #include <sys/param.h> 98 #include <sys/systm.h> 99 #include <sys/mbuf.h> 100 #include <sys/kernel.h> 101 #include <sys/socket.h> 102 #include <sys/timeout.h> 103 #include <net/route.h> 104 #include <net/if.h> 105 106 #if NPF > 0 107 #include <net/pfvar.h> 108 #endif 109 110 #include <netinet/ip_ipsp.h> 111 #include <net/pfkeyv2.h> 112 #include <crypto/cryptodev.h> 113 #include <crypto/xform.h> 114 115 /* 116 * (Partly) Initialize a TDB based on an SADB_SA payload. Other parts 117 * of the TDB will be initialized by other import routines, and tdb_init(). 118 */ 119 void 120 import_sa(struct tdb *tdb, struct sadb_sa *sadb_sa, struct ipsecinit *ii) 121 { 122 if (!sadb_sa) 123 return; 124 125 if (ii) { 126 ii->ii_encalg = sadb_sa->sadb_sa_encrypt; 127 ii->ii_authalg = sadb_sa->sadb_sa_auth; 128 ii->ii_compalg = sadb_sa->sadb_sa_encrypt; /* Yeurk! */ 129 130 tdb->tdb_spi = sadb_sa->sadb_sa_spi; 131 tdb->tdb_wnd = sadb_sa->sadb_sa_replay; 132 133 if (sadb_sa->sadb_sa_flags & SADB_SAFLAGS_PFS) 134 tdb->tdb_flags |= TDBF_PFS; 135 136 if (sadb_sa->sadb_sa_flags & SADB_X_SAFLAGS_TUNNEL) 137 tdb->tdb_flags |= TDBF_TUNNELING; 138 139 if (sadb_sa->sadb_sa_flags & SADB_X_SAFLAGS_UDPENCAP) 140 tdb->tdb_flags |= TDBF_UDPENCAP; 141 142 if (sadb_sa->sadb_sa_flags & SADB_X_SAFLAGS_ESN) 143 tdb->tdb_flags |= TDBF_ESN; 144 } 145 146 if (sadb_sa->sadb_sa_state != SADB_SASTATE_MATURE) 147 tdb->tdb_flags |= TDBF_INVALID; 148 } 149 150 /* 151 * Export some of the information on a TDB. 152 */ 153 void 154 export_sa(void **p, struct tdb *tdb) 155 { 156 struct sadb_sa *sadb_sa = (struct sadb_sa *) *p; 157 158 sadb_sa->sadb_sa_len = sizeof(struct sadb_sa) / sizeof(uint64_t); 159 160 sadb_sa->sadb_sa_spi = tdb->tdb_spi; 161 sadb_sa->sadb_sa_replay = tdb->tdb_wnd; 162 163 if (tdb->tdb_flags & TDBF_INVALID) 164 sadb_sa->sadb_sa_state = SADB_SASTATE_LARVAL; 165 else 166 sadb_sa->sadb_sa_state = SADB_SASTATE_MATURE; 167 168 if (tdb->tdb_sproto == IPPROTO_IPCOMP && 169 tdb->tdb_compalgxform != NULL) { 170 switch (tdb->tdb_compalgxform->type) { 171 case CRYPTO_DEFLATE_COMP: 172 sadb_sa->sadb_sa_encrypt = SADB_X_CALG_DEFLATE; 173 break; 174 case CRYPTO_LZS_COMP: 175 sadb_sa->sadb_sa_encrypt = SADB_X_CALG_LZS; 176 break; 177 } 178 } 179 180 if (tdb->tdb_authalgxform) { 181 switch (tdb->tdb_authalgxform->type) { 182 case CRYPTO_MD5_HMAC: 183 sadb_sa->sadb_sa_auth = SADB_AALG_MD5HMAC; 184 break; 185 186 case CRYPTO_SHA1_HMAC: 187 sadb_sa->sadb_sa_auth = SADB_AALG_SHA1HMAC; 188 break; 189 190 case CRYPTO_RIPEMD160_HMAC: 191 sadb_sa->sadb_sa_auth = SADB_X_AALG_RIPEMD160HMAC; 192 break; 193 194 case CRYPTO_SHA2_256_HMAC: 195 sadb_sa->sadb_sa_auth = SADB_X_AALG_SHA2_256; 196 break; 197 198 case CRYPTO_SHA2_384_HMAC: 199 sadb_sa->sadb_sa_auth = SADB_X_AALG_SHA2_384; 200 break; 201 202 case CRYPTO_SHA2_512_HMAC: 203 sadb_sa->sadb_sa_auth = SADB_X_AALG_SHA2_512; 204 break; 205 206 case CRYPTO_AES_128_GMAC: 207 sadb_sa->sadb_sa_auth = SADB_X_AALG_AES128GMAC; 208 break; 209 210 case CRYPTO_AES_192_GMAC: 211 sadb_sa->sadb_sa_auth = SADB_X_AALG_AES192GMAC; 212 break; 213 214 case CRYPTO_AES_256_GMAC: 215 sadb_sa->sadb_sa_auth = SADB_X_AALG_AES256GMAC; 216 break; 217 218 case CRYPTO_MD5_KPDK: 219 sadb_sa->sadb_sa_auth = SADB_X_AALG_MD5; 220 break; 221 222 case CRYPTO_SHA1_KPDK: 223 sadb_sa->sadb_sa_auth = SADB_X_AALG_SHA1; 224 break; 225 } 226 } 227 228 if (tdb->tdb_encalgxform) { 229 switch (tdb->tdb_encalgxform->type) { 230 case CRYPTO_NULL: 231 sadb_sa->sadb_sa_encrypt = SADB_EALG_NULL; 232 break; 233 234 case CRYPTO_DES_CBC: 235 sadb_sa->sadb_sa_encrypt = SADB_EALG_DESCBC; 236 break; 237 238 case CRYPTO_3DES_CBC: 239 sadb_sa->sadb_sa_encrypt = SADB_EALG_3DESCBC; 240 break; 241 242 case CRYPTO_AES_CBC: 243 sadb_sa->sadb_sa_encrypt = SADB_X_EALG_AES; 244 break; 245 246 case CRYPTO_AES_CTR: 247 sadb_sa->sadb_sa_encrypt = SADB_X_EALG_AESCTR; 248 break; 249 250 case CRYPTO_AES_GCM_16: 251 sadb_sa->sadb_sa_encrypt = SADB_X_EALG_AESGCM16; 252 break; 253 254 case CRYPTO_AES_GMAC: 255 sadb_sa->sadb_sa_encrypt = SADB_X_EALG_AESGMAC; 256 break; 257 258 case CRYPTO_CAST_CBC: 259 sadb_sa->sadb_sa_encrypt = SADB_X_EALG_CAST; 260 break; 261 262 case CRYPTO_BLF_CBC: 263 sadb_sa->sadb_sa_encrypt = SADB_X_EALG_BLF; 264 break; 265 } 266 } 267 268 if (tdb->tdb_flags & TDBF_PFS) 269 sadb_sa->sadb_sa_flags |= SADB_SAFLAGS_PFS; 270 271 if (tdb->tdb_flags & TDBF_TUNNELING) 272 sadb_sa->sadb_sa_flags |= SADB_X_SAFLAGS_TUNNEL; 273 274 if (tdb->tdb_flags & TDBF_UDPENCAP) 275 sadb_sa->sadb_sa_flags |= SADB_X_SAFLAGS_UDPENCAP; 276 277 if (tdb->tdb_flags & TDBF_ESN) 278 sadb_sa->sadb_sa_flags |= SADB_X_SAFLAGS_ESN; 279 280 *p += sizeof(struct sadb_sa); 281 } 282 283 /* 284 * Initialize expirations and counters based on lifetime payload. 285 */ 286 void 287 import_lifetime(struct tdb *tdb, struct sadb_lifetime *sadb_lifetime, int type) 288 { 289 struct timeval tv; 290 291 if (!sadb_lifetime) 292 return; 293 294 getmicrotime(&tv); 295 296 switch (type) { 297 case PFKEYV2_LIFETIME_HARD: 298 if ((tdb->tdb_exp_allocations = 299 sadb_lifetime->sadb_lifetime_allocations) != 0) 300 tdb->tdb_flags |= TDBF_ALLOCATIONS; 301 else 302 tdb->tdb_flags &= ~TDBF_ALLOCATIONS; 303 304 if ((tdb->tdb_exp_bytes = 305 sadb_lifetime->sadb_lifetime_bytes) != 0) 306 tdb->tdb_flags |= TDBF_BYTES; 307 else 308 tdb->tdb_flags &= ~TDBF_BYTES; 309 310 if ((tdb->tdb_exp_timeout = 311 sadb_lifetime->sadb_lifetime_addtime) != 0) { 312 tdb->tdb_flags |= TDBF_TIMER; 313 if (tv.tv_sec + tdb->tdb_exp_timeout < tv.tv_sec) 314 tv.tv_sec = ((unsigned long) -1) / 2; /* XXX */ 315 else 316 tv.tv_sec += tdb->tdb_exp_timeout; 317 timeout_add(&tdb->tdb_timer_tmo, hzto(&tv)); 318 } else 319 tdb->tdb_flags &= ~TDBF_TIMER; 320 321 if ((tdb->tdb_exp_first_use = 322 sadb_lifetime->sadb_lifetime_usetime) != 0) 323 tdb->tdb_flags |= TDBF_FIRSTUSE; 324 else 325 tdb->tdb_flags &= ~TDBF_FIRSTUSE; 326 break; 327 328 case PFKEYV2_LIFETIME_SOFT: 329 if ((tdb->tdb_soft_allocations = 330 sadb_lifetime->sadb_lifetime_allocations) != 0) 331 tdb->tdb_flags |= TDBF_SOFT_ALLOCATIONS; 332 else 333 tdb->tdb_flags &= ~TDBF_SOFT_ALLOCATIONS; 334 335 if ((tdb->tdb_soft_bytes = 336 sadb_lifetime->sadb_lifetime_bytes) != 0) 337 tdb->tdb_flags |= TDBF_SOFT_BYTES; 338 else 339 tdb->tdb_flags &= ~TDBF_SOFT_BYTES; 340 341 if ((tdb->tdb_soft_timeout = 342 sadb_lifetime->sadb_lifetime_addtime) != 0) { 343 tdb->tdb_flags |= TDBF_SOFT_TIMER; 344 if (tv.tv_sec + tdb->tdb_soft_timeout < tv.tv_sec) 345 tv.tv_sec = ((unsigned long) -1) / 2; /* XXX */ 346 else 347 tv.tv_sec += tdb->tdb_soft_timeout; 348 timeout_add(&tdb->tdb_stimer_tmo, hzto(&tv)); 349 } else 350 tdb->tdb_flags &= ~TDBF_SOFT_TIMER; 351 352 if ((tdb->tdb_soft_first_use = 353 sadb_lifetime->sadb_lifetime_usetime) != 0) 354 tdb->tdb_flags |= TDBF_SOFT_FIRSTUSE; 355 else 356 tdb->tdb_flags &= ~TDBF_SOFT_FIRSTUSE; 357 break; 358 359 case PFKEYV2_LIFETIME_CURRENT: /* Nothing fancy here. */ 360 tdb->tdb_cur_allocations = 361 sadb_lifetime->sadb_lifetime_allocations; 362 tdb->tdb_cur_bytes = sadb_lifetime->sadb_lifetime_bytes; 363 tdb->tdb_established = sadb_lifetime->sadb_lifetime_addtime; 364 tdb->tdb_first_use = sadb_lifetime->sadb_lifetime_usetime; 365 } 366 } 367 368 /* 369 * Export TDB expiration information. 370 */ 371 void 372 export_lifetime(void **p, struct tdb *tdb, int type) 373 { 374 struct sadb_lifetime *sadb_lifetime = (struct sadb_lifetime *) *p; 375 376 sadb_lifetime->sadb_lifetime_len = sizeof(struct sadb_lifetime) / 377 sizeof(uint64_t); 378 379 switch (type) { 380 case PFKEYV2_LIFETIME_HARD: 381 if (tdb->tdb_flags & TDBF_ALLOCATIONS) 382 sadb_lifetime->sadb_lifetime_allocations = 383 tdb->tdb_exp_allocations; 384 385 if (tdb->tdb_flags & TDBF_BYTES) 386 sadb_lifetime->sadb_lifetime_bytes = 387 tdb->tdb_exp_bytes; 388 389 if (tdb->tdb_flags & TDBF_TIMER) 390 sadb_lifetime->sadb_lifetime_addtime = 391 tdb->tdb_exp_timeout; 392 393 if (tdb->tdb_flags & TDBF_FIRSTUSE) 394 sadb_lifetime->sadb_lifetime_usetime = 395 tdb->tdb_exp_first_use; 396 break; 397 398 case PFKEYV2_LIFETIME_SOFT: 399 if (tdb->tdb_flags & TDBF_SOFT_ALLOCATIONS) 400 sadb_lifetime->sadb_lifetime_allocations = 401 tdb->tdb_soft_allocations; 402 403 if (tdb->tdb_flags & TDBF_SOFT_BYTES) 404 sadb_lifetime->sadb_lifetime_bytes = 405 tdb->tdb_soft_bytes; 406 407 if (tdb->tdb_flags & TDBF_SOFT_TIMER) 408 sadb_lifetime->sadb_lifetime_addtime = 409 tdb->tdb_soft_timeout; 410 411 if (tdb->tdb_flags & TDBF_SOFT_FIRSTUSE) 412 sadb_lifetime->sadb_lifetime_usetime = 413 tdb->tdb_soft_first_use; 414 break; 415 416 case PFKEYV2_LIFETIME_CURRENT: 417 sadb_lifetime->sadb_lifetime_allocations = 418 tdb->tdb_cur_allocations; 419 sadb_lifetime->sadb_lifetime_bytes = tdb->tdb_cur_bytes; 420 sadb_lifetime->sadb_lifetime_addtime = tdb->tdb_established; 421 sadb_lifetime->sadb_lifetime_usetime = tdb->tdb_first_use; 422 break; 423 424 case PFKEYV2_LIFETIME_LASTUSE: 425 sadb_lifetime->sadb_lifetime_allocations = 0; 426 sadb_lifetime->sadb_lifetime_bytes = 0; 427 sadb_lifetime->sadb_lifetime_addtime = 0; 428 sadb_lifetime->sadb_lifetime_usetime = tdb->tdb_last_used; 429 break; 430 } 431 432 *p += sizeof(struct sadb_lifetime); 433 } 434 435 /* 436 * Import flow information to two struct sockaddr_encap's. Either 437 * all or none of the address arguments are NULL. 438 */ 439 void 440 import_flow(struct sockaddr_encap *flow, struct sockaddr_encap *flowmask, 441 struct sadb_address *ssrc, struct sadb_address *ssrcmask, 442 struct sadb_address *ddst, struct sadb_address *ddstmask, 443 struct sadb_protocol *sab, struct sadb_protocol *ftype) 444 { 445 u_int8_t transproto = 0; 446 union sockaddr_union *src = (union sockaddr_union *)(ssrc + 1); 447 union sockaddr_union *dst = (union sockaddr_union *)(ddst + 1); 448 union sockaddr_union *srcmask = (union sockaddr_union *)(ssrcmask + 1); 449 union sockaddr_union *dstmask = (union sockaddr_union *)(ddstmask + 1); 450 451 if (ssrc == NULL) 452 return; /* There wasn't any information to begin with. */ 453 454 bzero(flow, sizeof(*flow)); 455 bzero(flowmask, sizeof(*flowmask)); 456 457 if (sab != NULL) 458 transproto = sab->sadb_protocol_proto; 459 460 /* 461 * Check that all the address families match. We know they are 462 * valid and supported because pfkeyv2_parsemessage() checked that. 463 */ 464 if ((src->sa.sa_family != dst->sa.sa_family) || 465 (src->sa.sa_family != srcmask->sa.sa_family) || 466 (src->sa.sa_family != dstmask->sa.sa_family)) 467 return; 468 469 /* 470 * We set these as an indication that tdb_filter/tdb_filtermask are 471 * in fact initialized. 472 */ 473 flow->sen_family = flowmask->sen_family = PF_KEY; 474 flow->sen_len = flowmask->sen_len = SENT_LEN; 475 476 switch (src->sa.sa_family) 477 { 478 #ifdef INET 479 case AF_INET: 480 /* netmask handling */ 481 rt_maskedcopy(&src->sa, &src->sa, &srcmask->sa); 482 rt_maskedcopy(&dst->sa, &dst->sa, &dstmask->sa); 483 484 flow->sen_type = SENT_IP4; 485 flow->sen_direction = ftype->sadb_protocol_direction; 486 flow->sen_ip_src = src->sin.sin_addr; 487 flow->sen_ip_dst = dst->sin.sin_addr; 488 flow->sen_proto = transproto; 489 flow->sen_sport = src->sin.sin_port; 490 flow->sen_dport = dst->sin.sin_port; 491 492 flowmask->sen_type = SENT_IP4; 493 flowmask->sen_direction = 0xff; 494 flowmask->sen_ip_src = srcmask->sin.sin_addr; 495 flowmask->sen_ip_dst = dstmask->sin.sin_addr; 496 flowmask->sen_sport = srcmask->sin.sin_port; 497 flowmask->sen_dport = dstmask->sin.sin_port; 498 if (transproto) 499 flowmask->sen_proto = 0xff; 500 break; 501 #endif /* INET */ 502 503 #ifdef INET6 504 case AF_INET6: 505 in6_embedscope(&src->sin6.sin6_addr, &src->sin6, 506 NULL, NULL); 507 in6_embedscope(&dst->sin6.sin6_addr, &dst->sin6, 508 NULL, NULL); 509 510 /* netmask handling */ 511 rt_maskedcopy(&src->sa, &src->sa, &srcmask->sa); 512 rt_maskedcopy(&dst->sa, &dst->sa, &dstmask->sa); 513 514 flow->sen_type = SENT_IP6; 515 flow->sen_ip6_direction = ftype->sadb_protocol_direction; 516 flow->sen_ip6_src = src->sin6.sin6_addr; 517 flow->sen_ip6_dst = dst->sin6.sin6_addr; 518 flow->sen_ip6_proto = transproto; 519 flow->sen_ip6_sport = src->sin6.sin6_port; 520 flow->sen_ip6_dport = dst->sin6.sin6_port; 521 522 flowmask->sen_type = SENT_IP6; 523 flowmask->sen_ip6_direction = 0xff; 524 flowmask->sen_ip6_src = srcmask->sin6.sin6_addr; 525 flowmask->sen_ip6_dst = dstmask->sin6.sin6_addr; 526 flowmask->sen_ip6_sport = srcmask->sin6.sin6_port; 527 flowmask->sen_ip6_dport = dstmask->sin6.sin6_port; 528 if (transproto) 529 flowmask->sen_ip6_proto = 0xff; 530 break; 531 #endif /* INET6 */ 532 } 533 } 534 535 /* 536 * Helper to export addresses from an struct sockaddr_encap. 537 */ 538 static void 539 export_encap(void **p, struct sockaddr_encap *encap, int type) 540 { 541 struct sadb_address *saddr = (struct sadb_address *)*p; 542 union sockaddr_union *sunion; 543 544 *p += sizeof(struct sadb_address); 545 sunion = (union sockaddr_union *)*p; 546 547 switch (encap->sen_type) { 548 case SENT_IP4: 549 saddr->sadb_address_len = (sizeof(struct sadb_address) + 550 PADUP(sizeof(struct sockaddr_in))) / sizeof(uint64_t); 551 sunion->sa.sa_len = sizeof(struct sockaddr_in); 552 sunion->sa.sa_family = AF_INET; 553 if (type == SADB_X_EXT_SRC_FLOW || 554 type == SADB_X_EXT_SRC_MASK) { 555 sunion->sin.sin_addr = encap->sen_ip_src; 556 sunion->sin.sin_port = encap->sen_sport; 557 } else { 558 sunion->sin.sin_addr = encap->sen_ip_dst; 559 sunion->sin.sin_port = encap->sen_dport; 560 } 561 *p += PADUP(sizeof(struct sockaddr_in)); 562 break; 563 case SENT_IP6: 564 saddr->sadb_address_len = (sizeof(struct sadb_address) 565 + PADUP(sizeof(struct sockaddr_in6))) / sizeof(uint64_t); 566 sunion->sa.sa_len = sizeof(struct sockaddr_in6); 567 sunion->sa.sa_family = AF_INET6; 568 if (type == SADB_X_EXT_SRC_FLOW || 569 type == SADB_X_EXT_SRC_MASK) { 570 sunion->sin6.sin6_addr = encap->sen_ip6_src; 571 sunion->sin6.sin6_port = encap->sen_ip6_sport; 572 } else { 573 sunion->sin6.sin6_addr = encap->sen_ip6_dst; 574 sunion->sin6.sin6_port = encap->sen_ip6_dport; 575 } 576 *p += PADUP(sizeof(struct sockaddr_in6)); 577 break; 578 } 579 } 580 581 /* 582 * Export flow information from two struct sockaddr_encap's. 583 */ 584 void 585 export_flow(void **p, u_int8_t ftype, struct sockaddr_encap *flow, 586 struct sockaddr_encap *flowmask, void **headers) 587 { 588 struct sadb_protocol *sab; 589 590 headers[SADB_X_EXT_FLOW_TYPE] = *p; 591 sab = (struct sadb_protocol *)*p; 592 sab->sadb_protocol_len = sizeof(struct sadb_protocol) / 593 sizeof(uint64_t); 594 595 switch (ftype) { 596 case IPSP_IPSEC_USE: 597 sab->sadb_protocol_proto = SADB_X_FLOW_TYPE_USE; 598 break; 599 case IPSP_IPSEC_ACQUIRE: 600 sab->sadb_protocol_proto = SADB_X_FLOW_TYPE_ACQUIRE; 601 break; 602 case IPSP_IPSEC_REQUIRE: 603 sab->sadb_protocol_proto = SADB_X_FLOW_TYPE_REQUIRE; 604 break; 605 case IPSP_DENY: 606 sab->sadb_protocol_proto = SADB_X_FLOW_TYPE_DENY; 607 break; 608 case IPSP_PERMIT: 609 sab->sadb_protocol_proto = SADB_X_FLOW_TYPE_BYPASS; 610 break; 611 case IPSP_IPSEC_DONTACQ: 612 sab->sadb_protocol_proto = SADB_X_FLOW_TYPE_DONTACQ; 613 break; 614 default: 615 sab->sadb_protocol_proto = 0; 616 break; 617 } 618 619 switch (flow->sen_type) { 620 #ifdef INET 621 case SENT_IP4: 622 sab->sadb_protocol_direction = flow->sen_direction; 623 break; 624 #endif /* INET */ 625 #ifdef INET6 626 case SENT_IP6: 627 sab->sadb_protocol_direction = flow->sen_ip6_direction; 628 break; 629 #endif /* INET6 */ 630 } 631 *p += sizeof(struct sadb_protocol); 632 633 headers[SADB_X_EXT_PROTOCOL] = *p; 634 sab = (struct sadb_protocol *)*p; 635 sab->sadb_protocol_len = sizeof(struct sadb_protocol) / 636 sizeof(uint64_t); 637 switch (flow->sen_type) { 638 #ifdef INET 639 case SENT_IP4: 640 sab->sadb_protocol_proto = flow->sen_proto; 641 break; 642 #endif /* INET */ 643 #ifdef INET6 644 case SENT_IP6: 645 sab->sadb_protocol_proto = flow->sen_ip6_proto; 646 break; 647 #endif /* INET6 */ 648 } 649 *p += sizeof(struct sadb_protocol); 650 651 headers[SADB_X_EXT_SRC_FLOW] = *p; 652 export_encap(p, flow, SADB_X_EXT_SRC_FLOW); 653 654 headers[SADB_X_EXT_SRC_MASK] = *p; 655 export_encap(p, flowmask, SADB_X_EXT_SRC_MASK); 656 657 headers[SADB_X_EXT_DST_FLOW] = *p; 658 export_encap(p, flow, SADB_X_EXT_DST_FLOW); 659 660 headers[SADB_X_EXT_DST_MASK] = *p; 661 export_encap(p, flowmask, SADB_X_EXT_DST_MASK); 662 } 663 664 /* 665 * Copy an SADB_ADDRESS payload to a struct sockaddr. 666 */ 667 void 668 import_address(struct sockaddr *sa, struct sadb_address *sadb_address) 669 { 670 int salen; 671 struct sockaddr *ssa = (struct sockaddr *)((void *) sadb_address + 672 sizeof(struct sadb_address)); 673 674 if (!sadb_address) 675 return; 676 677 if (ssa->sa_len) 678 salen = ssa->sa_len; 679 else 680 switch (ssa->sa_family) { 681 #ifdef INET 682 case AF_INET: 683 salen = sizeof(struct sockaddr_in); 684 break; 685 #endif /* INET */ 686 687 #ifdef INET6 688 case AF_INET6: 689 salen = sizeof(struct sockaddr_in6); 690 break; 691 #endif /* INET6 */ 692 693 default: 694 return; 695 } 696 697 bcopy(ssa, sa, salen); 698 sa->sa_len = salen; 699 } 700 701 /* 702 * Export a struct sockaddr as an SADB_ADDRESS payload. 703 */ 704 void 705 export_address(void **p, struct sockaddr *sa) 706 { 707 struct sadb_address *sadb_address = (struct sadb_address *) *p; 708 709 sadb_address->sadb_address_len = (sizeof(struct sadb_address) + 710 PADUP(SA_LEN(sa))) / sizeof(uint64_t); 711 712 *p += sizeof(struct sadb_address); 713 bcopy(sa, *p, SA_LEN(sa)); 714 ((struct sockaddr *) *p)->sa_family = sa->sa_family; 715 *p += PADUP(SA_LEN(sa)); 716 } 717 718 /* 719 * Import authentication information into the TDB. 720 */ 721 void 722 import_auth(struct tdb *tdb, struct sadb_x_cred *sadb_auth, int dstauth) 723 { 724 struct ipsec_ref **ipr; 725 726 if (!sadb_auth) 727 return; 728 729 if (dstauth == PFKEYV2_AUTH_REMOTE) 730 ipr = &tdb->tdb_remote_auth; 731 else 732 ipr = &tdb->tdb_local_auth; 733 734 *ipr = malloc(EXTLEN(sadb_auth) - sizeof(struct sadb_x_cred) + 735 sizeof(struct ipsec_ref), M_CREDENTIALS, M_WAITOK); 736 (*ipr)->ref_len = EXTLEN(sadb_auth) - sizeof(struct sadb_x_cred); 737 738 switch (sadb_auth->sadb_x_cred_type) { 739 case SADB_X_AUTHTYPE_PASSPHRASE: 740 (*ipr)->ref_type = IPSP_AUTH_PASSPHRASE; 741 break; 742 case SADB_X_AUTHTYPE_RSA: 743 (*ipr)->ref_type = IPSP_AUTH_RSA; 744 break; 745 default: 746 free(*ipr, M_CREDENTIALS, 0); 747 *ipr = NULL; 748 return; 749 } 750 (*ipr)->ref_count = 1; 751 (*ipr)->ref_malloctype = M_CREDENTIALS; 752 bcopy((void *) sadb_auth + sizeof(struct sadb_x_cred), 753 (*ipr) + 1, (*ipr)->ref_len); 754 } 755 756 /* 757 * Import a set of credentials into the TDB. 758 */ 759 void 760 import_credentials(struct tdb *tdb, struct sadb_x_cred *sadb_cred, int dstcred) 761 { 762 struct ipsec_ref **ipr; 763 764 if (!sadb_cred) 765 return; 766 767 if (dstcred == PFKEYV2_CRED_REMOTE) 768 ipr = &tdb->tdb_remote_cred; 769 else 770 ipr = &tdb->tdb_local_cred; 771 772 *ipr = malloc(EXTLEN(sadb_cred) - sizeof(struct sadb_x_cred) + 773 sizeof(struct ipsec_ref), M_CREDENTIALS, M_WAITOK); 774 (*ipr)->ref_len = EXTLEN(sadb_cred) - sizeof(struct sadb_x_cred); 775 776 switch (sadb_cred->sadb_x_cred_type) { 777 case SADB_X_CREDTYPE_X509: 778 (*ipr)->ref_type = IPSP_CRED_X509; 779 break; 780 case SADB_X_CREDTYPE_KEYNOTE: 781 (*ipr)->ref_type = IPSP_CRED_KEYNOTE; 782 break; 783 default: 784 free(*ipr, M_CREDENTIALS, 0); 785 *ipr = NULL; 786 return; 787 } 788 (*ipr)->ref_count = 1; 789 (*ipr)->ref_malloctype = M_CREDENTIALS; 790 bcopy((void *) sadb_cred + sizeof(struct sadb_x_cred), 791 (*ipr) + 1, (*ipr)->ref_len); 792 } 793 794 /* 795 * Import an identity payload into the TDB. 796 */ 797 void 798 import_identity(struct tdb *tdb, struct sadb_ident *sadb_ident, int type) 799 { 800 struct ipsec_ref **ipr; 801 802 if (!sadb_ident) 803 return; 804 805 if (type == PFKEYV2_IDENTITY_SRC) 806 ipr = &tdb->tdb_srcid; 807 else 808 ipr = &tdb->tdb_dstid; 809 810 *ipr = malloc(EXTLEN(sadb_ident) - sizeof(struct sadb_ident) + 811 sizeof(struct ipsec_ref), M_CREDENTIALS, M_WAITOK); 812 (*ipr)->ref_len = EXTLEN(sadb_ident) - sizeof(struct sadb_ident); 813 814 switch (sadb_ident->sadb_ident_type) { 815 case SADB_IDENTTYPE_PREFIX: 816 (*ipr)->ref_type = IPSP_IDENTITY_PREFIX; 817 break; 818 case SADB_IDENTTYPE_FQDN: 819 (*ipr)->ref_type = IPSP_IDENTITY_FQDN; 820 break; 821 case SADB_IDENTTYPE_USERFQDN: 822 (*ipr)->ref_type = IPSP_IDENTITY_USERFQDN; 823 break; 824 case SADB_X_IDENTTYPE_CONNECTION: 825 (*ipr)->ref_type = IPSP_IDENTITY_CONNECTION; 826 break; 827 default: 828 free(*ipr, M_CREDENTIALS, 0); 829 *ipr = NULL; 830 return; 831 } 832 (*ipr)->ref_count = 1; 833 (*ipr)->ref_malloctype = M_CREDENTIALS; 834 bcopy((void *) sadb_ident + sizeof(struct sadb_ident), (*ipr) + 1, 835 (*ipr)->ref_len); 836 } 837 838 void 839 export_credentials(void **p, struct tdb *tdb, int dstcred) 840 { 841 struct ipsec_ref **ipr; 842 struct sadb_x_cred *sadb_cred = (struct sadb_x_cred *) *p; 843 844 if (dstcred == PFKEYV2_CRED_REMOTE) 845 ipr = &tdb->tdb_remote_cred; 846 else 847 ipr = &tdb->tdb_local_cred; 848 849 sadb_cred->sadb_x_cred_len = (sizeof(struct sadb_x_cred) + 850 PADUP((*ipr)->ref_len)) / sizeof(uint64_t); 851 852 switch ((*ipr)->ref_type) { 853 case IPSP_CRED_KEYNOTE: 854 sadb_cred->sadb_x_cred_type = SADB_X_CREDTYPE_KEYNOTE; 855 break; 856 case IPSP_CRED_X509: 857 sadb_cred->sadb_x_cred_type = SADB_X_CREDTYPE_X509; 858 break; 859 } 860 *p += sizeof(struct sadb_x_cred); 861 bcopy((*ipr) + 1, *p, (*ipr)->ref_len); 862 *p += PADUP((*ipr)->ref_len); 863 } 864 865 void 866 export_auth(void **p, struct tdb *tdb, int dstauth) 867 { 868 struct ipsec_ref **ipr; 869 struct sadb_x_cred *sadb_auth = (struct sadb_x_cred *) *p; 870 871 if (dstauth == PFKEYV2_AUTH_REMOTE) 872 ipr = &tdb->tdb_remote_auth; 873 else 874 ipr = &tdb->tdb_local_auth; 875 876 sadb_auth->sadb_x_cred_len = (sizeof(struct sadb_x_cred) + 877 PADUP((*ipr)->ref_len)) / sizeof(uint64_t); 878 879 switch ((*ipr)->ref_type) { 880 case IPSP_AUTH_PASSPHRASE: 881 sadb_auth->sadb_x_cred_type = SADB_X_AUTHTYPE_PASSPHRASE; 882 break; 883 case IPSP_AUTH_RSA: 884 sadb_auth->sadb_x_cred_type = SADB_X_AUTHTYPE_RSA; 885 break; 886 } 887 *p += sizeof(struct sadb_x_cred); 888 bcopy((*ipr) + 1, *p, (*ipr)->ref_len); 889 *p += PADUP((*ipr)->ref_len); 890 } 891 892 void 893 export_identity(void **p, struct tdb *tdb, int type) 894 { 895 struct ipsec_ref **ipr; 896 struct sadb_ident *sadb_ident = (struct sadb_ident *) *p; 897 898 if (type == PFKEYV2_IDENTITY_SRC) 899 ipr = &tdb->tdb_srcid; 900 else 901 ipr = &tdb->tdb_dstid; 902 903 sadb_ident->sadb_ident_len = (sizeof(struct sadb_ident) + 904 PADUP((*ipr)->ref_len)) / sizeof(uint64_t); 905 906 switch ((*ipr)->ref_type) { 907 case IPSP_IDENTITY_PREFIX: 908 sadb_ident->sadb_ident_type = SADB_IDENTTYPE_PREFIX; 909 break; 910 case IPSP_IDENTITY_FQDN: 911 sadb_ident->sadb_ident_type = SADB_IDENTTYPE_FQDN; 912 break; 913 case IPSP_IDENTITY_USERFQDN: 914 sadb_ident->sadb_ident_type = SADB_IDENTTYPE_USERFQDN; 915 break; 916 case IPSP_IDENTITY_CONNECTION: 917 sadb_ident->sadb_ident_type = SADB_X_IDENTTYPE_CONNECTION; 918 break; 919 } 920 *p += sizeof(struct sadb_ident); 921 bcopy((*ipr) + 1, *p, (*ipr)->ref_len); 922 *p += PADUP((*ipr)->ref_len); 923 } 924 925 /* ... */ 926 void 927 import_key(struct ipsecinit *ii, struct sadb_key *sadb_key, int type) 928 { 929 if (!sadb_key) 930 return; 931 932 if (type == PFKEYV2_ENCRYPTION_KEY) { /* Encryption key */ 933 ii->ii_enckeylen = sadb_key->sadb_key_bits / 8; 934 ii->ii_enckey = (void *)sadb_key + sizeof(struct sadb_key); 935 } else { 936 ii->ii_authkeylen = sadb_key->sadb_key_bits / 8; 937 ii->ii_authkey = (void *)sadb_key + sizeof(struct sadb_key); 938 } 939 } 940 941 void 942 export_key(void **p, struct tdb *tdb, int type) 943 { 944 struct sadb_key *sadb_key = (struct sadb_key *) *p; 945 946 if (type == PFKEYV2_ENCRYPTION_KEY) { 947 sadb_key->sadb_key_len = (sizeof(struct sadb_key) + 948 PADUP(tdb->tdb_emxkeylen)) / 949 sizeof(uint64_t); 950 sadb_key->sadb_key_bits = tdb->tdb_emxkeylen * 8; 951 *p += sizeof(struct sadb_key); 952 bcopy(tdb->tdb_emxkey, *p, tdb->tdb_emxkeylen); 953 *p += PADUP(tdb->tdb_emxkeylen); 954 } else { 955 sadb_key->sadb_key_len = (sizeof(struct sadb_key) + 956 PADUP(tdb->tdb_amxkeylen)) / 957 sizeof(uint64_t); 958 sadb_key->sadb_key_bits = tdb->tdb_amxkeylen * 8; 959 *p += sizeof(struct sadb_key); 960 bcopy(tdb->tdb_amxkey, *p, tdb->tdb_amxkeylen); 961 *p += PADUP(tdb->tdb_amxkeylen); 962 } 963 } 964 965 /* Import/Export remote port for UDP Encapsulation */ 966 void 967 import_udpencap(struct tdb *tdb, struct sadb_x_udpencap *sadb_udpencap) 968 { 969 if (sadb_udpencap) 970 tdb->tdb_udpencap_port = sadb_udpencap->sadb_x_udpencap_port; 971 } 972 973 void 974 export_udpencap(void **p, struct tdb *tdb) 975 { 976 struct sadb_x_udpencap *sadb_udpencap = (struct sadb_x_udpencap *) *p; 977 978 sadb_udpencap->sadb_x_udpencap_port = tdb->tdb_udpencap_port; 979 sadb_udpencap->sadb_x_udpencap_reserved = 0; 980 sadb_udpencap->sadb_x_udpencap_len = 981 sizeof(struct sadb_x_udpencap) / sizeof(uint64_t); 982 *p += sizeof(struct sadb_x_udpencap); 983 } 984 985 #if NPF > 0 986 /* Import PF tag information for SA */ 987 void 988 import_tag(struct tdb *tdb, struct sadb_x_tag *stag) 989 { 990 char *s; 991 992 if (stag) { 993 s = (char *)(stag + 1); 994 tdb->tdb_tag = pf_tagname2tag(s, 1); 995 } 996 } 997 998 /* Export PF tag information for SA */ 999 void 1000 export_tag(void **p, struct tdb *tdb) 1001 { 1002 struct sadb_x_tag *stag = (struct sadb_x_tag *)*p; 1003 char *s = (char *)(stag + 1); 1004 1005 pf_tag2tagname(tdb->tdb_tag, s); 1006 1007 stag->sadb_x_tag_taglen = strlen(s) + 1; 1008 stag->sadb_x_tag_len = (sizeof(struct sadb_x_tag) + 1009 PADUP(stag->sadb_x_tag_taglen)) / sizeof(uint64_t); 1010 *p += sizeof(struct sadb_x_tag) + PADUP(stag->sadb_x_tag_taglen); 1011 } 1012 1013 /* Import enc(4) tap device information for SA */ 1014 void 1015 import_tap(struct tdb *tdb, struct sadb_x_tap *stap) 1016 { 1017 if (stap) 1018 tdb->tdb_tap = stap->sadb_x_tap_unit; 1019 } 1020 1021 /* Export enc(4) tap device information for SA */ 1022 void 1023 export_tap(void **p, struct tdb *tdb) 1024 { 1025 struct sadb_x_tap *stag = (struct sadb_x_tap *)*p; 1026 1027 stag->sadb_x_tap_unit = tdb->tdb_tap; 1028 stag->sadb_x_tap_len = sizeof(struct sadb_x_tap) / sizeof(uint64_t); 1029 *p += sizeof(struct sadb_x_tap); 1030 } 1031 #endif 1032