1 /* $OpenBSD: pfkeyv2_convert.c,v 1.35 2011/04/13 11:28:47 markus Exp $ */ 2 /* 3 * The author of this code is Angelos D. Keromytis (angelos@keromytis.org) 4 * 5 * Part of this code is based on code written by Craig Metz (cmetz@inner.net) 6 * for NRL. Those licenses follow this one. 7 * 8 * Copyright (c) 2001 Angelos D. Keromytis. 9 * 10 * Permission to use, copy, and modify this software with or without fee 11 * is hereby granted, provided that this entire notice is included in 12 * all copies of any software which is or includes a copy or 13 * modification of this software. 14 * You may use this code under the GNU public license if you so wish. Please 15 * contribute changes back to the authors under this freer than GPL license 16 * so that we may further the use of strong encryption without limitations to 17 * all. 18 * 19 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 20 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 21 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 22 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 23 * PURPOSE. 24 */ 25 26 /* 27 * @(#)COPYRIGHT 1.1 (NRL) 17 January 1995 28 * 29 * NRL grants permission for redistribution and use in source and binary 30 * forms, with or without modification, of the software and documentation 31 * created at NRL provided that the following conditions are met: 32 * 33 * 1. Redistributions of source code must retain the above copyright 34 * notice, this list of conditions and the following disclaimer. 35 * 2. Redistributions in binary form must reproduce the above copyright 36 * notice, this list of conditions and the following disclaimer in the 37 * documentation and/or other materials provided with the distribution. 38 * 3. All advertising materials mentioning features or use of this software 39 * must display the following acknowledgements: 40 * This product includes software developed by the University of 41 * California, Berkeley and its contributors. 42 * This product includes software developed at the Information 43 * Technology Division, US Naval Research Laboratory. 44 * 4. Neither the name of the NRL nor the names of its contributors 45 * may be used to endorse or promote products derived from this software 46 * without specific prior written permission. 47 * 48 * THE SOFTWARE PROVIDED BY NRL IS PROVIDED BY NRL AND CONTRIBUTORS ``AS 49 * IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 50 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A 51 * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL NRL OR 52 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, 53 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, 54 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 55 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 56 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 57 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 58 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 59 * 60 * The views and conclusions contained in the software and documentation 61 * are those of the authors and should not be interpreted as representing 62 * official policies, either expressed or implied, of the US Naval 63 * Research Laboratory (NRL). 64 */ 65 66 /* 67 * Copyright (c) 1995, 1996, 1997, 1998, 1999 Craig Metz. All rights reserved. 68 * 69 * Redistribution and use in source and binary forms, with or without 70 * modification, are permitted provided that the following conditions 71 * are met: 72 * 1. Redistributions of source code must retain the above copyright 73 * notice, this list of conditions and the following disclaimer. 74 * 2. Redistributions in binary form must reproduce the above copyright 75 * notice, this list of conditions and the following disclaimer in the 76 * documentation and/or other materials provided with the distribution. 77 * 3. Neither the name of the author nor the names of any contributors 78 * may be used to endorse or promote products derived from this software 79 * without specific prior written permission. 80 * 81 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 82 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 83 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 84 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 85 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 86 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 87 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 88 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 89 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 90 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 91 * SUCH DAMAGE. 92 */ 93 94 #include "pf.h" 95 96 #include <sys/types.h> 97 #include <sys/param.h> 98 #include <sys/systm.h> 99 #include <sys/mbuf.h> 100 #include <sys/kernel.h> 101 #include <sys/socket.h> 102 #include <net/route.h> 103 #include <net/if.h> 104 105 #if NPF > 0 106 #include <net/pfvar.h> 107 #endif 108 109 #include <netinet/ip_ipsp.h> 110 #ifdef INET6 111 #include <netinet6/in6_var.h> 112 #endif 113 #include <net/pfkeyv2.h> 114 #include <crypto/cryptodev.h> 115 #include <crypto/xform.h> 116 117 /* 118 * (Partly) Initialize a TDB based on an SADB_SA payload. Other parts 119 * of the TDB will be initialized by other import routines, and tdb_init(). 120 */ 121 void 122 import_sa(struct tdb *tdb, struct sadb_sa *sadb_sa, struct ipsecinit *ii) 123 { 124 if (!sadb_sa) 125 return; 126 127 if (ii) { 128 ii->ii_encalg = sadb_sa->sadb_sa_encrypt; 129 ii->ii_authalg = sadb_sa->sadb_sa_auth; 130 ii->ii_compalg = sadb_sa->sadb_sa_encrypt; /* Yeurk! */ 131 132 tdb->tdb_spi = sadb_sa->sadb_sa_spi; 133 tdb->tdb_wnd = sadb_sa->sadb_sa_replay; 134 135 if (sadb_sa->sadb_sa_flags & SADB_SAFLAGS_PFS) 136 tdb->tdb_flags |= TDBF_PFS; 137 138 if (sadb_sa->sadb_sa_flags & SADB_X_SAFLAGS_HALFIV) 139 tdb->tdb_flags |= TDBF_HALFIV; 140 141 if (sadb_sa->sadb_sa_flags & SADB_X_SAFLAGS_TUNNEL) 142 tdb->tdb_flags |= TDBF_TUNNELING; 143 144 if (sadb_sa->sadb_sa_flags & SADB_X_SAFLAGS_RANDOMPADDING) 145 tdb->tdb_flags |= TDBF_RANDOMPADDING; 146 147 if (sadb_sa->sadb_sa_flags & SADB_X_SAFLAGS_NOREPLAY) 148 tdb->tdb_flags |= TDBF_NOREPLAY; 149 150 if (sadb_sa->sadb_sa_flags & SADB_X_SAFLAGS_UDPENCAP) 151 tdb->tdb_flags |= TDBF_UDPENCAP; 152 } 153 154 if (sadb_sa->sadb_sa_state != SADB_SASTATE_MATURE) 155 tdb->tdb_flags |= TDBF_INVALID; 156 } 157 158 /* 159 * Export some of the information on a TDB. 160 */ 161 void 162 export_sa(void **p, struct tdb *tdb) 163 { 164 struct sadb_sa *sadb_sa = (struct sadb_sa *) *p; 165 166 sadb_sa->sadb_sa_len = sizeof(struct sadb_sa) / sizeof(uint64_t); 167 168 sadb_sa->sadb_sa_spi = tdb->tdb_spi; 169 sadb_sa->sadb_sa_replay = tdb->tdb_wnd; 170 171 if (tdb->tdb_flags & TDBF_INVALID) 172 sadb_sa->sadb_sa_state = SADB_SASTATE_LARVAL; 173 else 174 sadb_sa->sadb_sa_state = SADB_SASTATE_MATURE; 175 176 if (tdb->tdb_sproto == IPPROTO_IPCOMP && 177 tdb->tdb_compalgxform != NULL) { 178 switch (tdb->tdb_compalgxform->type) { 179 case CRYPTO_DEFLATE_COMP: 180 sadb_sa->sadb_sa_encrypt = SADB_X_CALG_DEFLATE; 181 break; 182 case CRYPTO_LZS_COMP: 183 sadb_sa->sadb_sa_encrypt = SADB_X_CALG_LZS; 184 break; 185 } 186 } 187 188 if (tdb->tdb_authalgxform) { 189 switch (tdb->tdb_authalgxform->type) { 190 case CRYPTO_MD5_HMAC: 191 sadb_sa->sadb_sa_auth = SADB_AALG_MD5HMAC; 192 break; 193 194 case CRYPTO_SHA1_HMAC: 195 sadb_sa->sadb_sa_auth = SADB_AALG_SHA1HMAC; 196 break; 197 198 case CRYPTO_RIPEMD160_HMAC: 199 sadb_sa->sadb_sa_auth = SADB_X_AALG_RIPEMD160HMAC; 200 break; 201 202 case CRYPTO_SHA2_256_HMAC: 203 sadb_sa->sadb_sa_auth = SADB_X_AALG_SHA2_256; 204 break; 205 206 case CRYPTO_SHA2_384_HMAC: 207 sadb_sa->sadb_sa_auth = SADB_X_AALG_SHA2_384; 208 break; 209 210 case CRYPTO_SHA2_512_HMAC: 211 sadb_sa->sadb_sa_auth = SADB_X_AALG_SHA2_512; 212 break; 213 214 case CRYPTO_AES_128_GMAC: 215 sadb_sa->sadb_sa_auth = SADB_X_AALG_AES128GMAC; 216 break; 217 218 case CRYPTO_AES_192_GMAC: 219 sadb_sa->sadb_sa_auth = SADB_X_AALG_AES192GMAC; 220 break; 221 222 case CRYPTO_AES_256_GMAC: 223 sadb_sa->sadb_sa_auth = SADB_X_AALG_AES256GMAC; 224 break; 225 226 case CRYPTO_MD5_KPDK: 227 sadb_sa->sadb_sa_auth = SADB_X_AALG_MD5; 228 break; 229 230 case CRYPTO_SHA1_KPDK: 231 sadb_sa->sadb_sa_auth = SADB_X_AALG_SHA1; 232 break; 233 } 234 } 235 236 if (tdb->tdb_encalgxform) { 237 switch (tdb->tdb_encalgxform->type) { 238 case CRYPTO_NULL: 239 sadb_sa->sadb_sa_encrypt = SADB_EALG_NULL; 240 break; 241 242 case CRYPTO_DES_CBC: 243 sadb_sa->sadb_sa_encrypt = SADB_EALG_DESCBC; 244 break; 245 246 case CRYPTO_3DES_CBC: 247 sadb_sa->sadb_sa_encrypt = SADB_EALG_3DESCBC; 248 break; 249 250 case CRYPTO_AES_CBC: 251 sadb_sa->sadb_sa_encrypt = SADB_X_EALG_AES; 252 break; 253 254 case CRYPTO_AES_CTR: 255 sadb_sa->sadb_sa_encrypt = SADB_X_EALG_AESCTR; 256 break; 257 258 case CRYPTO_AES_GCM_16: 259 sadb_sa->sadb_sa_encrypt = SADB_X_EALG_AESGCM16; 260 break; 261 262 case CRYPTO_AES_GMAC: 263 sadb_sa->sadb_sa_encrypt = SADB_X_EALG_AESGMAC; 264 break; 265 266 case CRYPTO_CAST_CBC: 267 sadb_sa->sadb_sa_encrypt = SADB_X_EALG_CAST; 268 break; 269 270 case CRYPTO_BLF_CBC: 271 sadb_sa->sadb_sa_encrypt = SADB_X_EALG_BLF; 272 break; 273 } 274 } 275 276 if (tdb->tdb_flags & TDBF_PFS) 277 sadb_sa->sadb_sa_flags |= SADB_SAFLAGS_PFS; 278 279 /* Only relevant for the "old" IPsec transforms. */ 280 if (tdb->tdb_flags & TDBF_HALFIV) 281 sadb_sa->sadb_sa_flags |= SADB_X_SAFLAGS_HALFIV; 282 283 if (tdb->tdb_flags & TDBF_TUNNELING) 284 sadb_sa->sadb_sa_flags |= SADB_X_SAFLAGS_TUNNEL; 285 286 if (tdb->tdb_flags & TDBF_RANDOMPADDING) 287 sadb_sa->sadb_sa_flags |= SADB_X_SAFLAGS_RANDOMPADDING; 288 289 if (tdb->tdb_flags & TDBF_NOREPLAY) 290 sadb_sa->sadb_sa_flags |= SADB_X_SAFLAGS_NOREPLAY; 291 292 if (tdb->tdb_flags & TDBF_UDPENCAP) 293 sadb_sa->sadb_sa_flags |= SADB_X_SAFLAGS_UDPENCAP; 294 295 *p += sizeof(struct sadb_sa); 296 } 297 298 /* 299 * Initialize expirations and counters based on lifetime payload. 300 */ 301 void 302 import_lifetime(struct tdb *tdb, struct sadb_lifetime *sadb_lifetime, int type) 303 { 304 struct timeval tv; 305 306 if (!sadb_lifetime) 307 return; 308 309 getmicrotime(&tv); 310 311 switch (type) { 312 case PFKEYV2_LIFETIME_HARD: 313 if ((tdb->tdb_exp_allocations = 314 sadb_lifetime->sadb_lifetime_allocations) != 0) 315 tdb->tdb_flags |= TDBF_ALLOCATIONS; 316 else 317 tdb->tdb_flags &= ~TDBF_ALLOCATIONS; 318 319 if ((tdb->tdb_exp_bytes = 320 sadb_lifetime->sadb_lifetime_bytes) != 0) 321 tdb->tdb_flags |= TDBF_BYTES; 322 else 323 tdb->tdb_flags &= ~TDBF_BYTES; 324 325 if ((tdb->tdb_exp_timeout = 326 sadb_lifetime->sadb_lifetime_addtime) != 0) { 327 tdb->tdb_flags |= TDBF_TIMER; 328 if (tv.tv_sec + tdb->tdb_exp_timeout < tv.tv_sec) 329 tv.tv_sec = ((unsigned long) -1) / 2; /* XXX */ 330 else 331 tv.tv_sec += tdb->tdb_exp_timeout; 332 timeout_add(&tdb->tdb_timer_tmo, hzto(&tv)); 333 } else 334 tdb->tdb_flags &= ~TDBF_TIMER; 335 336 if ((tdb->tdb_exp_first_use = 337 sadb_lifetime->sadb_lifetime_usetime) != 0) 338 tdb->tdb_flags |= TDBF_FIRSTUSE; 339 else 340 tdb->tdb_flags &= ~TDBF_FIRSTUSE; 341 break; 342 343 case PFKEYV2_LIFETIME_SOFT: 344 if ((tdb->tdb_soft_allocations = 345 sadb_lifetime->sadb_lifetime_allocations) != 0) 346 tdb->tdb_flags |= TDBF_SOFT_ALLOCATIONS; 347 else 348 tdb->tdb_flags &= ~TDBF_SOFT_ALLOCATIONS; 349 350 if ((tdb->tdb_soft_bytes = 351 sadb_lifetime->sadb_lifetime_bytes) != 0) 352 tdb->tdb_flags |= TDBF_SOFT_BYTES; 353 else 354 tdb->tdb_flags &= ~TDBF_SOFT_BYTES; 355 356 if ((tdb->tdb_soft_timeout = 357 sadb_lifetime->sadb_lifetime_addtime) != 0) { 358 tdb->tdb_flags |= TDBF_SOFT_TIMER; 359 if (tv.tv_sec + tdb->tdb_soft_timeout < tv.tv_sec) 360 tv.tv_sec = ((unsigned long) -1) / 2; /* XXX */ 361 else 362 tv.tv_sec += tdb->tdb_soft_timeout; 363 timeout_add(&tdb->tdb_stimer_tmo, hzto(&tv)); 364 } else 365 tdb->tdb_flags &= ~TDBF_SOFT_TIMER; 366 367 if ((tdb->tdb_soft_first_use = 368 sadb_lifetime->sadb_lifetime_usetime) != 0) 369 tdb->tdb_flags |= TDBF_SOFT_FIRSTUSE; 370 else 371 tdb->tdb_flags &= ~TDBF_SOFT_FIRSTUSE; 372 break; 373 374 case PFKEYV2_LIFETIME_CURRENT: /* Nothing fancy here. */ 375 tdb->tdb_cur_allocations = 376 sadb_lifetime->sadb_lifetime_allocations; 377 tdb->tdb_cur_bytes = sadb_lifetime->sadb_lifetime_bytes; 378 tdb->tdb_established = sadb_lifetime->sadb_lifetime_addtime; 379 tdb->tdb_first_use = sadb_lifetime->sadb_lifetime_usetime; 380 } 381 } 382 383 /* 384 * Export TDB expiration information. 385 */ 386 void 387 export_lifetime(void **p, struct tdb *tdb, int type) 388 { 389 struct sadb_lifetime *sadb_lifetime = (struct sadb_lifetime *) *p; 390 391 sadb_lifetime->sadb_lifetime_len = sizeof(struct sadb_lifetime) / 392 sizeof(uint64_t); 393 394 switch (type) { 395 case PFKEYV2_LIFETIME_HARD: 396 if (tdb->tdb_flags & TDBF_ALLOCATIONS) 397 sadb_lifetime->sadb_lifetime_allocations = 398 tdb->tdb_exp_allocations; 399 400 if (tdb->tdb_flags & TDBF_BYTES) 401 sadb_lifetime->sadb_lifetime_bytes = 402 tdb->tdb_exp_bytes; 403 404 if (tdb->tdb_flags & TDBF_TIMER) 405 sadb_lifetime->sadb_lifetime_addtime = 406 tdb->tdb_exp_timeout; 407 408 if (tdb->tdb_flags & TDBF_FIRSTUSE) 409 sadb_lifetime->sadb_lifetime_usetime = 410 tdb->tdb_exp_first_use; 411 break; 412 413 case PFKEYV2_LIFETIME_SOFT: 414 if (tdb->tdb_flags & TDBF_SOFT_ALLOCATIONS) 415 sadb_lifetime->sadb_lifetime_allocations = 416 tdb->tdb_soft_allocations; 417 418 if (tdb->tdb_flags & TDBF_SOFT_BYTES) 419 sadb_lifetime->sadb_lifetime_bytes = 420 tdb->tdb_soft_bytes; 421 422 if (tdb->tdb_flags & TDBF_SOFT_TIMER) 423 sadb_lifetime->sadb_lifetime_addtime = 424 tdb->tdb_soft_timeout; 425 426 if (tdb->tdb_flags & TDBF_SOFT_FIRSTUSE) 427 sadb_lifetime->sadb_lifetime_usetime = 428 tdb->tdb_soft_first_use; 429 break; 430 431 case PFKEYV2_LIFETIME_CURRENT: 432 sadb_lifetime->sadb_lifetime_allocations = 433 tdb->tdb_cur_allocations; 434 sadb_lifetime->sadb_lifetime_bytes = tdb->tdb_cur_bytes; 435 sadb_lifetime->sadb_lifetime_addtime = tdb->tdb_established; 436 sadb_lifetime->sadb_lifetime_usetime = tdb->tdb_first_use; 437 break; 438 439 case PFKEYV2_LIFETIME_LASTUSE: 440 sadb_lifetime->sadb_lifetime_allocations = 0; 441 sadb_lifetime->sadb_lifetime_bytes = 0; 442 sadb_lifetime->sadb_lifetime_addtime = 0; 443 sadb_lifetime->sadb_lifetime_usetime = tdb->tdb_last_used; 444 break; 445 } 446 447 *p += sizeof(struct sadb_lifetime); 448 } 449 450 /* 451 * Import flow information to two struct sockaddr_encap's. Either 452 * all or none of the address arguments are NULL. 453 */ 454 void 455 import_flow(struct sockaddr_encap *flow, struct sockaddr_encap *flowmask, 456 struct sadb_address *ssrc, struct sadb_address *ssrcmask, 457 struct sadb_address *ddst, struct sadb_address *ddstmask, 458 struct sadb_protocol *sab, struct sadb_protocol *ftype) 459 { 460 u_int8_t transproto = 0; 461 union sockaddr_union *src = (union sockaddr_union *)(ssrc + 1); 462 union sockaddr_union *dst = (union sockaddr_union *)(ddst + 1); 463 union sockaddr_union *srcmask = (union sockaddr_union *)(ssrcmask + 1); 464 union sockaddr_union *dstmask = (union sockaddr_union *)(ddstmask + 1); 465 466 if (ssrc == NULL) 467 return; /* There wasn't any information to begin with. */ 468 469 bzero(flow, sizeof(*flow)); 470 bzero(flowmask, sizeof(*flowmask)); 471 472 if (sab != NULL) 473 transproto = sab->sadb_protocol_proto; 474 475 /* 476 * Check that all the address families match. We know they are 477 * valid and supported because pfkeyv2_parsemessage() checked that. 478 */ 479 if ((src->sa.sa_family != dst->sa.sa_family) || 480 (src->sa.sa_family != srcmask->sa.sa_family) || 481 (src->sa.sa_family != dstmask->sa.sa_family)) 482 return; 483 484 /* 485 * We set these as an indication that tdb_filter/tdb_filtermask are 486 * in fact initialized. 487 */ 488 flow->sen_family = flowmask->sen_family = PF_KEY; 489 flow->sen_len = flowmask->sen_len = SENT_LEN; 490 491 switch (src->sa.sa_family) 492 { 493 #ifdef INET 494 case AF_INET: 495 /* netmask handling */ 496 rt_maskedcopy(&src->sa, &src->sa, &srcmask->sa); 497 rt_maskedcopy(&dst->sa, &dst->sa, &dstmask->sa); 498 499 flow->sen_type = SENT_IP4; 500 flow->sen_direction = ftype->sadb_protocol_direction; 501 flow->sen_ip_src = src->sin.sin_addr; 502 flow->sen_ip_dst = dst->sin.sin_addr; 503 flow->sen_proto = transproto; 504 flow->sen_sport = src->sin.sin_port; 505 flow->sen_dport = dst->sin.sin_port; 506 507 flowmask->sen_type = SENT_IP4; 508 flowmask->sen_direction = 0xff; 509 flowmask->sen_ip_src = srcmask->sin.sin_addr; 510 flowmask->sen_ip_dst = dstmask->sin.sin_addr; 511 flowmask->sen_sport = srcmask->sin.sin_port; 512 flowmask->sen_dport = dstmask->sin.sin_port; 513 if (transproto) 514 flowmask->sen_proto = 0xff; 515 break; 516 #endif /* INET */ 517 518 #ifdef INET6 519 case AF_INET6: 520 in6_embedscope(&src->sin6.sin6_addr, &src->sin6, 521 NULL, NULL); 522 in6_embedscope(&dst->sin6.sin6_addr, &dst->sin6, 523 NULL, NULL); 524 525 /* netmask handling */ 526 rt_maskedcopy(&src->sa, &src->sa, &srcmask->sa); 527 rt_maskedcopy(&dst->sa, &dst->sa, &dstmask->sa); 528 529 flow->sen_type = SENT_IP6; 530 flow->sen_ip6_direction = ftype->sadb_protocol_direction; 531 flow->sen_ip6_src = src->sin6.sin6_addr; 532 flow->sen_ip6_dst = dst->sin6.sin6_addr; 533 flow->sen_ip6_proto = transproto; 534 flow->sen_ip6_sport = src->sin6.sin6_port; 535 flow->sen_ip6_dport = dst->sin6.sin6_port; 536 537 flowmask->sen_type = SENT_IP6; 538 flowmask->sen_ip6_direction = 0xff; 539 flowmask->sen_ip6_src = srcmask->sin6.sin6_addr; 540 flowmask->sen_ip6_dst = dstmask->sin6.sin6_addr; 541 flowmask->sen_ip6_sport = srcmask->sin6.sin6_port; 542 flowmask->sen_ip6_dport = dstmask->sin6.sin6_port; 543 if (transproto) 544 flowmask->sen_ip6_proto = 0xff; 545 break; 546 #endif /* INET6 */ 547 } 548 } 549 550 /* 551 * Helper to export addresses from an struct sockaddr_encap. 552 */ 553 static void 554 export_encap(void **p, struct sockaddr_encap *encap, int type) 555 { 556 struct sadb_address *saddr = (struct sadb_address *)*p; 557 union sockaddr_union *sunion; 558 559 *p += sizeof(struct sadb_address); 560 sunion = (union sockaddr_union *)*p; 561 562 switch (encap->sen_type) { 563 case SENT_IP4: 564 saddr->sadb_address_len = (sizeof(struct sadb_address) + 565 PADUP(sizeof(struct sockaddr_in))) / sizeof(uint64_t); 566 sunion->sa.sa_len = sizeof(struct sockaddr_in); 567 sunion->sa.sa_family = AF_INET; 568 if (type == SADB_X_EXT_SRC_FLOW || 569 type == SADB_X_EXT_SRC_MASK) { 570 sunion->sin.sin_addr = encap->sen_ip_src; 571 sunion->sin.sin_port = encap->sen_sport; 572 } else { 573 sunion->sin.sin_addr = encap->sen_ip_dst; 574 sunion->sin.sin_port = encap->sen_dport; 575 } 576 *p += PADUP(sizeof(struct sockaddr_in)); 577 break; 578 case SENT_IP6: 579 saddr->sadb_address_len = (sizeof(struct sadb_address) 580 + PADUP(sizeof(struct sockaddr_in6))) / sizeof(uint64_t); 581 sunion->sa.sa_len = sizeof(struct sockaddr_in6); 582 sunion->sa.sa_family = AF_INET6; 583 if (type == SADB_X_EXT_SRC_FLOW || 584 type == SADB_X_EXT_SRC_MASK) { 585 sunion->sin6.sin6_addr = encap->sen_ip6_src; 586 sunion->sin6.sin6_port = encap->sen_ip6_sport; 587 } else { 588 sunion->sin6.sin6_addr = encap->sen_ip6_dst; 589 sunion->sin6.sin6_port = encap->sen_ip6_dport; 590 } 591 *p += PADUP(sizeof(struct sockaddr_in6)); 592 break; 593 } 594 } 595 596 /* 597 * Export flow information from two struct sockaddr_encap's. 598 */ 599 void 600 export_flow(void **p, u_int8_t ftype, struct sockaddr_encap *flow, 601 struct sockaddr_encap *flowmask, void **headers) 602 { 603 struct sadb_protocol *sab; 604 605 headers[SADB_X_EXT_FLOW_TYPE] = *p; 606 sab = (struct sadb_protocol *)*p; 607 sab->sadb_protocol_len = sizeof(struct sadb_protocol) / 608 sizeof(uint64_t); 609 610 switch (ftype) { 611 case IPSP_IPSEC_USE: 612 sab->sadb_protocol_proto = SADB_X_FLOW_TYPE_USE; 613 break; 614 case IPSP_IPSEC_ACQUIRE: 615 sab->sadb_protocol_proto = SADB_X_FLOW_TYPE_ACQUIRE; 616 break; 617 case IPSP_IPSEC_REQUIRE: 618 sab->sadb_protocol_proto = SADB_X_FLOW_TYPE_REQUIRE; 619 break; 620 case IPSP_DENY: 621 sab->sadb_protocol_proto = SADB_X_FLOW_TYPE_DENY; 622 break; 623 case IPSP_PERMIT: 624 sab->sadb_protocol_proto = SADB_X_FLOW_TYPE_BYPASS; 625 break; 626 case IPSP_IPSEC_DONTACQ: 627 sab->sadb_protocol_proto = SADB_X_FLOW_TYPE_DONTACQ; 628 break; 629 default: 630 sab->sadb_protocol_proto = 0; 631 break; 632 } 633 634 switch (flow->sen_type) { 635 #ifdef INET 636 case SENT_IP4: 637 sab->sadb_protocol_direction = flow->sen_direction; 638 break; 639 #endif /* INET */ 640 #ifdef INET6 641 case SENT_IP6: 642 sab->sadb_protocol_direction = flow->sen_ip6_direction; 643 break; 644 #endif /* INET6 */ 645 } 646 *p += sizeof(struct sadb_protocol); 647 648 headers[SADB_X_EXT_PROTOCOL] = *p; 649 sab = (struct sadb_protocol *)*p; 650 sab->sadb_protocol_len = sizeof(struct sadb_protocol) / 651 sizeof(uint64_t); 652 switch (flow->sen_type) { 653 #ifdef INET 654 case SENT_IP4: 655 sab->sadb_protocol_proto = flow->sen_proto; 656 break; 657 #endif /* INET */ 658 #ifdef INET6 659 case SENT_IP6: 660 sab->sadb_protocol_proto = flow->sen_ip6_proto; 661 break; 662 #endif /* INET6 */ 663 } 664 *p += sizeof(struct sadb_protocol); 665 666 headers[SADB_X_EXT_SRC_FLOW] = *p; 667 export_encap(p, flow, SADB_X_EXT_SRC_FLOW); 668 669 headers[SADB_X_EXT_SRC_MASK] = *p; 670 export_encap(p, flowmask, SADB_X_EXT_SRC_MASK); 671 672 headers[SADB_X_EXT_DST_FLOW] = *p; 673 export_encap(p, flow, SADB_X_EXT_DST_FLOW); 674 675 headers[SADB_X_EXT_DST_MASK] = *p; 676 export_encap(p, flowmask, SADB_X_EXT_DST_MASK); 677 } 678 679 /* 680 * Copy an SADB_ADDRESS payload to a struct sockaddr. 681 */ 682 void 683 import_address(struct sockaddr *sa, struct sadb_address *sadb_address) 684 { 685 int salen; 686 struct sockaddr *ssa = (struct sockaddr *)((void *) sadb_address + 687 sizeof(struct sadb_address)); 688 689 if (!sadb_address) 690 return; 691 692 if (ssa->sa_len) 693 salen = ssa->sa_len; 694 else 695 switch (ssa->sa_family) { 696 #ifdef INET 697 case AF_INET: 698 salen = sizeof(struct sockaddr_in); 699 break; 700 #endif /* INET */ 701 702 #ifdef INET6 703 case AF_INET6: 704 salen = sizeof(struct sockaddr_in6); 705 break; 706 #endif /* INET6 */ 707 708 default: 709 return; 710 } 711 712 bcopy(ssa, sa, salen); 713 sa->sa_len = salen; 714 } 715 716 /* 717 * Export a struct sockaddr as an SADB_ADDRESS payload. 718 */ 719 void 720 export_address(void **p, struct sockaddr *sa) 721 { 722 struct sadb_address *sadb_address = (struct sadb_address *) *p; 723 724 sadb_address->sadb_address_len = (sizeof(struct sadb_address) + 725 PADUP(SA_LEN(sa))) / sizeof(uint64_t); 726 727 *p += sizeof(struct sadb_address); 728 bcopy(sa, *p, SA_LEN(sa)); 729 ((struct sockaddr *) *p)->sa_family = sa->sa_family; 730 *p += PADUP(SA_LEN(sa)); 731 } 732 733 /* 734 * Import authentication information into the TDB. 735 */ 736 void 737 import_auth(struct tdb *tdb, struct sadb_x_cred *sadb_auth, int dstauth) 738 { 739 struct ipsec_ref **ipr; 740 741 if (!sadb_auth) 742 return; 743 744 if (dstauth == PFKEYV2_AUTH_REMOTE) 745 ipr = &tdb->tdb_remote_auth; 746 else 747 ipr = &tdb->tdb_local_auth; 748 749 *ipr = malloc(EXTLEN(sadb_auth) - sizeof(struct sadb_x_cred) + 750 sizeof(struct ipsec_ref), M_CREDENTIALS, M_WAITOK); 751 (*ipr)->ref_len = EXTLEN(sadb_auth) - sizeof(struct sadb_x_cred); 752 753 switch (sadb_auth->sadb_x_cred_type) { 754 case SADB_X_AUTHTYPE_PASSPHRASE: 755 (*ipr)->ref_type = IPSP_AUTH_PASSPHRASE; 756 break; 757 case SADB_X_AUTHTYPE_RSA: 758 (*ipr)->ref_type = IPSP_AUTH_RSA; 759 break; 760 default: 761 free(*ipr, M_CREDENTIALS); 762 *ipr = NULL; 763 return; 764 } 765 (*ipr)->ref_count = 1; 766 (*ipr)->ref_malloctype = M_CREDENTIALS; 767 bcopy((void *) sadb_auth + sizeof(struct sadb_x_cred), 768 (*ipr) + 1, (*ipr)->ref_len); 769 } 770 771 /* 772 * Import a set of credentials into the TDB. 773 */ 774 void 775 import_credentials(struct tdb *tdb, struct sadb_x_cred *sadb_cred, int dstcred) 776 { 777 struct ipsec_ref **ipr; 778 779 if (!sadb_cred) 780 return; 781 782 if (dstcred == PFKEYV2_CRED_REMOTE) 783 ipr = &tdb->tdb_remote_cred; 784 else 785 ipr = &tdb->tdb_local_cred; 786 787 *ipr = malloc(EXTLEN(sadb_cred) - sizeof(struct sadb_x_cred) + 788 sizeof(struct ipsec_ref), M_CREDENTIALS, M_WAITOK); 789 (*ipr)->ref_len = EXTLEN(sadb_cred) - sizeof(struct sadb_x_cred); 790 791 switch (sadb_cred->sadb_x_cred_type) { 792 case SADB_X_CREDTYPE_X509: 793 (*ipr)->ref_type = IPSP_CRED_X509; 794 break; 795 case SADB_X_CREDTYPE_KEYNOTE: 796 (*ipr)->ref_type = IPSP_CRED_KEYNOTE; 797 break; 798 default: 799 free(*ipr, M_CREDENTIALS); 800 *ipr = NULL; 801 return; 802 } 803 (*ipr)->ref_count = 1; 804 (*ipr)->ref_malloctype = M_CREDENTIALS; 805 bcopy((void *) sadb_cred + sizeof(struct sadb_x_cred), 806 (*ipr) + 1, (*ipr)->ref_len); 807 } 808 809 /* 810 * Import an identity payload into the TDB. 811 */ 812 void 813 import_identity(struct tdb *tdb, struct sadb_ident *sadb_ident, int type) 814 { 815 struct ipsec_ref **ipr; 816 817 if (!sadb_ident) 818 return; 819 820 if (type == PFKEYV2_IDENTITY_SRC) 821 ipr = &tdb->tdb_srcid; 822 else 823 ipr = &tdb->tdb_dstid; 824 825 *ipr = malloc(EXTLEN(sadb_ident) - sizeof(struct sadb_ident) + 826 sizeof(struct ipsec_ref), M_CREDENTIALS, M_WAITOK); 827 (*ipr)->ref_len = EXTLEN(sadb_ident) - sizeof(struct sadb_ident); 828 829 switch (sadb_ident->sadb_ident_type) { 830 case SADB_IDENTTYPE_PREFIX: 831 (*ipr)->ref_type = IPSP_IDENTITY_PREFIX; 832 break; 833 case SADB_IDENTTYPE_FQDN: 834 (*ipr)->ref_type = IPSP_IDENTITY_FQDN; 835 break; 836 case SADB_IDENTTYPE_USERFQDN: 837 (*ipr)->ref_type = IPSP_IDENTITY_USERFQDN; 838 break; 839 case SADB_X_IDENTTYPE_CONNECTION: 840 (*ipr)->ref_type = IPSP_IDENTITY_CONNECTION; 841 break; 842 default: 843 free(*ipr, M_CREDENTIALS); 844 *ipr = NULL; 845 return; 846 } 847 (*ipr)->ref_count = 1; 848 (*ipr)->ref_malloctype = M_CREDENTIALS; 849 bcopy((void *) sadb_ident + sizeof(struct sadb_ident), (*ipr) + 1, 850 (*ipr)->ref_len); 851 } 852 853 void 854 export_credentials(void **p, struct tdb *tdb, int dstcred) 855 { 856 struct ipsec_ref **ipr; 857 struct sadb_x_cred *sadb_cred = (struct sadb_x_cred *) *p; 858 859 if (dstcred == PFKEYV2_CRED_REMOTE) 860 ipr = &tdb->tdb_remote_cred; 861 else 862 ipr = &tdb->tdb_local_cred; 863 864 sadb_cred->sadb_x_cred_len = (sizeof(struct sadb_x_cred) + 865 PADUP((*ipr)->ref_len)) / sizeof(uint64_t); 866 867 switch ((*ipr)->ref_type) { 868 case IPSP_CRED_KEYNOTE: 869 sadb_cred->sadb_x_cred_type = SADB_X_CREDTYPE_KEYNOTE; 870 break; 871 case IPSP_CRED_X509: 872 sadb_cred->sadb_x_cred_type = SADB_X_CREDTYPE_X509; 873 break; 874 } 875 *p += sizeof(struct sadb_x_cred); 876 bcopy((*ipr) + 1, *p, (*ipr)->ref_len); 877 *p += PADUP((*ipr)->ref_len); 878 } 879 880 void 881 export_auth(void **p, struct tdb *tdb, int dstauth) 882 { 883 struct ipsec_ref **ipr; 884 struct sadb_x_cred *sadb_auth = (struct sadb_x_cred *) *p; 885 886 if (dstauth == PFKEYV2_AUTH_REMOTE) 887 ipr = &tdb->tdb_remote_auth; 888 else 889 ipr = &tdb->tdb_local_auth; 890 891 sadb_auth->sadb_x_cred_len = (sizeof(struct sadb_x_cred) + 892 PADUP((*ipr)->ref_len)) / sizeof(uint64_t); 893 894 switch ((*ipr)->ref_type) { 895 case IPSP_AUTH_PASSPHRASE: 896 sadb_auth->sadb_x_cred_type = SADB_X_AUTHTYPE_PASSPHRASE; 897 break; 898 case IPSP_AUTH_RSA: 899 sadb_auth->sadb_x_cred_type = SADB_X_AUTHTYPE_RSA; 900 break; 901 } 902 *p += sizeof(struct sadb_x_cred); 903 bcopy((*ipr) + 1, *p, (*ipr)->ref_len); 904 *p += PADUP((*ipr)->ref_len); 905 } 906 907 void 908 export_identity(void **p, struct tdb *tdb, int type) 909 { 910 struct ipsec_ref **ipr; 911 struct sadb_ident *sadb_ident = (struct sadb_ident *) *p; 912 913 if (type == PFKEYV2_IDENTITY_SRC) 914 ipr = &tdb->tdb_srcid; 915 else 916 ipr = &tdb->tdb_dstid; 917 918 sadb_ident->sadb_ident_len = (sizeof(struct sadb_ident) + 919 PADUP((*ipr)->ref_len)) / sizeof(uint64_t); 920 921 switch ((*ipr)->ref_type) { 922 case IPSP_IDENTITY_PREFIX: 923 sadb_ident->sadb_ident_type = SADB_IDENTTYPE_PREFIX; 924 break; 925 case IPSP_IDENTITY_FQDN: 926 sadb_ident->sadb_ident_type = SADB_IDENTTYPE_FQDN; 927 break; 928 case IPSP_IDENTITY_USERFQDN: 929 sadb_ident->sadb_ident_type = SADB_IDENTTYPE_USERFQDN; 930 break; 931 case IPSP_IDENTITY_CONNECTION: 932 sadb_ident->sadb_ident_type = SADB_X_IDENTTYPE_CONNECTION; 933 break; 934 } 935 *p += sizeof(struct sadb_ident); 936 bcopy((*ipr) + 1, *p, (*ipr)->ref_len); 937 *p += PADUP((*ipr)->ref_len); 938 } 939 940 /* ... */ 941 void 942 import_key(struct ipsecinit *ii, struct sadb_key *sadb_key, int type) 943 { 944 if (!sadb_key) 945 return; 946 947 if (type == PFKEYV2_ENCRYPTION_KEY) { /* Encryption key */ 948 ii->ii_enckeylen = sadb_key->sadb_key_bits / 8; 949 ii->ii_enckey = (void *)sadb_key + sizeof(struct sadb_key); 950 } else { 951 ii->ii_authkeylen = sadb_key->sadb_key_bits / 8; 952 ii->ii_authkey = (void *)sadb_key + sizeof(struct sadb_key); 953 } 954 } 955 956 void 957 export_key(void **p, struct tdb *tdb, int type) 958 { 959 struct sadb_key *sadb_key = (struct sadb_key *) *p; 960 961 if (type == PFKEYV2_ENCRYPTION_KEY) { 962 sadb_key->sadb_key_len = (sizeof(struct sadb_key) + 963 PADUP(tdb->tdb_emxkeylen)) / 964 sizeof(uint64_t); 965 sadb_key->sadb_key_bits = tdb->tdb_emxkeylen * 8; 966 *p += sizeof(struct sadb_key); 967 bcopy(tdb->tdb_emxkey, *p, tdb->tdb_emxkeylen); 968 *p += PADUP(tdb->tdb_emxkeylen); 969 } else { 970 sadb_key->sadb_key_len = (sizeof(struct sadb_key) + 971 PADUP(tdb->tdb_amxkeylen)) / 972 sizeof(uint64_t); 973 sadb_key->sadb_key_bits = tdb->tdb_amxkeylen * 8; 974 *p += sizeof(struct sadb_key); 975 bcopy(tdb->tdb_amxkey, *p, tdb->tdb_amxkeylen); 976 *p += PADUP(tdb->tdb_amxkeylen); 977 } 978 } 979 980 /* Import/Export remote port for UDP Encapsulation */ 981 void 982 import_udpencap(struct tdb *tdb, struct sadb_x_udpencap *sadb_udpencap) 983 { 984 if (sadb_udpencap) 985 tdb->tdb_udpencap_port = sadb_udpencap->sadb_x_udpencap_port; 986 } 987 988 void 989 export_udpencap(void **p, struct tdb *tdb) 990 { 991 struct sadb_x_udpencap *sadb_udpencap = (struct sadb_x_udpencap *) *p; 992 993 sadb_udpencap->sadb_x_udpencap_port = tdb->tdb_udpencap_port; 994 sadb_udpencap->sadb_x_udpencap_reserved = 0; 995 sadb_udpencap->sadb_x_udpencap_len = 996 sizeof(struct sadb_x_udpencap) / sizeof(uint64_t); 997 *p += sizeof(struct sadb_x_udpencap); 998 } 999 1000 #if NPF > 0 1001 /* Import PF tag information for SA */ 1002 void 1003 import_tag(struct tdb *tdb, struct sadb_x_tag *stag) 1004 { 1005 char *s; 1006 1007 if (stag) { 1008 s = (char *)(stag + 1); 1009 tdb->tdb_tag = pf_tagname2tag(s); 1010 } 1011 } 1012 1013 /* Export PF tag information for SA */ 1014 void 1015 export_tag(void **p, struct tdb *tdb) 1016 { 1017 struct sadb_x_tag *stag = (struct sadb_x_tag *)*p; 1018 char *s = (char *)(stag + 1); 1019 1020 pf_tag2tagname(tdb->tdb_tag, s); 1021 stag->sadb_x_tag_taglen = strlen(s) + 1; 1022 stag->sadb_x_tag_len = (sizeof(struct sadb_x_tag) + 1023 PADUP(stag->sadb_x_tag_taglen)) / sizeof(uint64_t); 1024 *p += PADUP(stag->sadb_x_tag_taglen) + sizeof(struct sadb_x_tag); 1025 } 1026 1027 /* Import enc(4) tap device information for SA */ 1028 void 1029 import_tap(struct tdb *tdb, struct sadb_x_tap *stap) 1030 { 1031 if (stap) 1032 tdb->tdb_tap = stap->sadb_x_tap_unit; 1033 } 1034 1035 /* Export enc(4) tap device information for SA */ 1036 void 1037 export_tap(void **p, struct tdb *tdb) 1038 { 1039 struct sadb_x_tap *stag = (struct sadb_x_tap *)*p; 1040 1041 stag->sadb_x_tap_unit = tdb->tdb_tap; 1042 stag->sadb_x_tap_len = sizeof(struct sadb_x_tap) / sizeof(uint64_t); 1043 *p += sizeof(struct sadb_x_tap); 1044 } 1045 #endif 1046