2 * RFC2367 PF_KEYv2 Key management API message parser
3 * Copyright (C) 1999, 2000, 2001 Richard Guy Briggs.
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * RCSID $Id: pfkey_v2_parse.c,v 1.42 2002/01/29 22:25:36 rgb Exp $
19 * Template from klips/net/ipsec/ipsec/ipsec_parser.c.
22 char pfkey_v2_parse_c_version[] = "$Id: pfkey_v2_parse.c,v 1.42 2002/01/29 22:25:36 rgb Exp $";
25 * Some ugly stuff to allow consistent debugging code for use in the
26 * kernel and in user space
31 # include <linux/kernel.h> /* for printk */
33 # include "ipsec_kversion.h" /* for malloc switch */
35 # include <linux/slab.h> /* kmalloc() */
36 # else /* MALLOC_SLAB */
37 # include <linux/malloc.h> /* kmalloc() */
38 # endif /* MALLOC_SLAB */
39 # include <linux/errno.h> /* error codes */
40 # include <linux/types.h> /* size_t */
41 # include <linux/interrupt.h> /* mark_bh */
43 # include <linux/netdevice.h> /* struct device, and other headers */
44 # include <linux/etherdevice.h> /* eth_type_trans */
45 # include <linux/ip.h> /* struct iphdr */
46 # if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
47 # include <linux/ipv6.h> /* struct ipv6hdr */
48 # endif /* if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) */
49 extern int debug_pfkey;
51 # include <freeswan.h>
53 #include "ipsec_encap.h"
55 #else /* __KERNEL__ */
57 # include <sys/types.h>
58 # include <linux/types.h>
59 # include <linux/errno.h>
61 # include <freeswan.h>
62 # include "../pluto/constants.h"
63 # include "../pluto/defs.h" /* for PRINTF_LIKE */
64 # include "../pluto/log.h" /* for debugging and DBG_log */
66 extern unsigned int pfkey_lib_debug; /* bits selecting what to report */
71 # define DEBUGGING(level, args...) { DBG_log("pfkey_lib_debug:" args); }
73 # define DEBUGGING(level, args...) if(pfkey_lib_debug >= level) { printf("pfkey_lib_debug:" args); } else { ; }
76 #endif /* __KERNEL__ */
84 # include "../radij.h" /* rd_nodes */
85 # include "../ipsec_encap.h" /* sockaddr_encap */
87 # include "ipsec_netlink.h" /* KLIPS_PRINT */
88 # define DEBUGGING(level, args...) \
89 KLIPS_PRINT((debug_pfkey >= level), "klips_debug:" args)
90 #endif /* __KERNEL__ */
93 #define SENDERR(_x) do { error = -(_x); goto errlab; } while (0)
99 } static satype_tbl[] = {
101 { IPPROTO_ESP, SADB_SATYPE_ESP, "ESP" },
102 { IPPROTO_AH, SADB_SATYPE_AH, "AH" },
103 { IPPROTO_IPIP, SADB_X_SATYPE_IPIP, "IPIP" },
104 #ifdef CONFIG_IPSEC_IPCOMP
105 { IPPROTO_COMP, SADB_X_SATYPE_COMP, "COMP" },
106 #endif /* CONFIG_IPSEC_IPCOMP */
107 { IPPROTO_INT, SADB_X_SATYPE_INT, "INT" },
108 #else /* __KERNEL__ */
109 { SA_ESP, SADB_SATYPE_ESP, "ESP" },
110 { SA_AH, SADB_SATYPE_AH, "AH" },
111 { SA_IPIP, SADB_X_SATYPE_IPIP, "IPIP" },
112 { SA_COMP, SADB_X_SATYPE_COMP, "COMP" },
113 { SA_INT, SADB_X_SATYPE_INT, "INT" },
114 #endif /* __KERNEL__ */
118 uint8_t satype2proto(uint8_t satype) {
121 while(satype_tbl[i].satype != satype && satype_tbl[i].satype != 0) {
124 return satype_tbl[i].proto;
127 uint8_t proto2satype(uint8_t proto) {
130 while(satype_tbl[i].proto != proto && satype_tbl[i].proto != 0) {
133 return satype_tbl[i].satype;
136 char* satype2name(uint8_t satype) {
139 while(satype_tbl[i].satype != satype && satype_tbl[i].satype != 0) {
142 return satype_tbl[i].name;
145 char* proto2name(uint8_t proto) {
148 while(satype_tbl[i].proto != proto && satype_tbl[i].proto != 0) {
151 return satype_tbl[i].name;
154 /* Default extension parsers taken from the KLIPS code */
157 pfkey_sa_parse(struct sadb_ext *pfkey_ext)
160 struct sadb_sa *pfkey_sa = (struct sadb_sa *)pfkey_ext;
162 DEBUGGING(PF_KEY_DEBUG_PARSE_FLOW,
163 "pfkey_sa_parse: entry\n");
164 /* sanity checks... */
166 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
168 "NULL pointer passed in.\n");
172 if(pfkey_sa->sadb_sa_len != sizeof(struct sadb_sa) / IPSEC_PFKEYv2_ALIGN) {
173 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
175 "length wrong pfkey_sa->sadb_sa_len=%d sizeof(struct sadb_sa)=%ld.\n",
176 pfkey_sa->sadb_sa_len,
177 sizeof(struct sadb_sa));
181 if(pfkey_sa->sadb_sa_encrypt > SADB_EALG_MAX) {
182 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
184 "pfkey_sa->sadb_sa_encrypt=%d > SADB_EALG_MAX=%d.\n",
185 pfkey_sa->sadb_sa_encrypt,
190 if(pfkey_sa->sadb_sa_auth > SADB_AALG_MAX) {
191 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
193 "pfkey_sa->sadb_sa_auth=%d > SADB_AALG_MAX=%d.\n",
194 pfkey_sa->sadb_sa_auth,
199 if(pfkey_sa->sadb_sa_state > SADB_SASTATE_MAX) {
200 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
202 "state=%d exceeds MAX=%d.\n",
203 pfkey_sa->sadb_sa_state,
208 if(pfkey_sa->sadb_sa_state == SADB_SASTATE_DEAD) {
209 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
211 "state=%d is DEAD=%d.\n",
212 pfkey_sa->sadb_sa_state,
217 if(pfkey_sa->sadb_sa_replay > 64) {
218 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
220 "replay window size: %d -- must be 0 <= size <= 64\n",
221 pfkey_sa->sadb_sa_replay);
225 if(! ((pfkey_sa->sadb_sa_exttype == SADB_EXT_SA) ||
226 (pfkey_sa->sadb_sa_exttype == SADB_X_EXT_SA2)))
228 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
230 "unknown exttype=%d, expecting SADB_EXT_SA=%d or SADB_X_EXT_SA2=%d.\n",
231 pfkey_sa->sadb_sa_exttype,
236 DEBUGGING(PF_KEY_DEBUG_PARSE_STRUCT,
238 "successfully found len=%d exttype=%d(%s) spi=%08lx replay=%d state=%d auth=%d encrypt=%d flags=%d.\n",
239 pfkey_sa->sadb_sa_len,
240 pfkey_sa->sadb_sa_exttype, pfkey_v2_sadb_ext_string(pfkey_sa->sadb_sa_exttype),
241 (long unsigned int)ntohl(pfkey_sa->sadb_sa_spi),
242 pfkey_sa->sadb_sa_replay,
243 pfkey_sa->sadb_sa_state,
244 pfkey_sa->sadb_sa_auth,
245 pfkey_sa->sadb_sa_encrypt,
246 pfkey_sa->sadb_sa_flags);
253 pfkey_lifetime_parse(struct sadb_ext *pfkey_ext)
256 struct sadb_lifetime *pfkey_lifetime = (struct sadb_lifetime *)pfkey_ext;
258 DEBUGGING(PF_KEY_DEBUG_PARSE_FLOW,
259 "pfkey_lifetime_parse:enter\n");
260 /* sanity checks... */
261 if(!pfkey_lifetime) {
262 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
263 "pfkey_lifetime_parse: "
264 "NULL pointer passed in.\n");
268 if(pfkey_lifetime->sadb_lifetime_len !=
269 sizeof(struct sadb_lifetime) / IPSEC_PFKEYv2_ALIGN) {
270 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
271 "pfkey_lifetime_parse: "
272 "length wrong pfkey_lifetime->sadb_lifetime_len=%d sizeof(struct sadb_lifetime)=%ld.\n",
273 pfkey_lifetime->sadb_lifetime_len,
274 sizeof(struct sadb_lifetime));
278 if((pfkey_lifetime->sadb_lifetime_exttype != SADB_EXT_LIFETIME_HARD) &&
279 (pfkey_lifetime->sadb_lifetime_exttype != SADB_EXT_LIFETIME_SOFT) &&
280 (pfkey_lifetime->sadb_lifetime_exttype != SADB_EXT_LIFETIME_CURRENT)) {
281 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
282 "pfkey_lifetime_parse: "
283 "unexpected ext_type=%d.\n",
284 pfkey_lifetime->sadb_lifetime_exttype);
293 pfkey_address_parse(struct sadb_ext *pfkey_ext)
297 struct sadb_address *pfkey_address = (struct sadb_address *)pfkey_ext;
298 struct sockaddr* s = (struct sockaddr*)((char*)pfkey_address + sizeof(*pfkey_address));
299 char ipaddr_txt[ADDRTOT_BUF];
301 DEBUGGING(PF_KEY_DEBUG_PARSE_FLOW,
302 "pfkey_address_parse:enter\n");
303 /* sanity checks... */
305 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
306 "pfkey_address_parse: "
307 "NULL pointer passed in.\n");
311 if(pfkey_address->sadb_address_len <
312 (sizeof(struct sadb_address) + sizeof(struct sockaddr))/
313 IPSEC_PFKEYv2_ALIGN) {
314 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
315 "pfkey_address_parse: "
316 "size wrong 1 ext_len=%d, adr_ext_len=%ld, saddr_len=%ld.\n",
317 pfkey_address->sadb_address_len,
318 sizeof(struct sadb_address),
319 sizeof(struct sockaddr));
323 if(pfkey_address->sadb_address_reserved) {
324 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
325 "pfkey_address_parse: "
326 "res=%d, must be zero.\n",
327 pfkey_address->sadb_address_reserved);
331 switch(pfkey_address->sadb_address_exttype) {
332 case SADB_EXT_ADDRESS_SRC:
333 case SADB_EXT_ADDRESS_DST:
334 case SADB_EXT_ADDRESS_PROXY:
335 case SADB_X_EXT_ADDRESS_DST2:
336 case SADB_X_EXT_ADDRESS_SRC_FLOW:
337 case SADB_X_EXT_ADDRESS_DST_FLOW:
338 case SADB_X_EXT_ADDRESS_SRC_MASK:
339 case SADB_X_EXT_ADDRESS_DST_MASK:
341 case SADB_X_EXT_NAT_T_OA:
345 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
346 "pfkey_address_parse: "
347 "unexpected ext_type=%d.\n",
348 pfkey_address->sadb_address_exttype);
352 switch(s->sa_family) {
354 DEBUGGING(PF_KEY_DEBUG_PARSE_STRUCT,
355 "pfkey_address_parse: "
356 "found address family=%d, AF_INET.\n",
358 saddr_len = sizeof(struct sockaddr_in);
359 sprintf(ipaddr_txt, "%d.%d.%d.%d"
360 , (((struct sockaddr_in*)s)->sin_addr.s_addr >> 0) & 0xFF
361 , (((struct sockaddr_in*)s)->sin_addr.s_addr >> 8) & 0xFF
362 , (((struct sockaddr_in*)s)->sin_addr.s_addr >> 16) & 0xFF
363 , (((struct sockaddr_in*)s)->sin_addr.s_addr >> 24) & 0xFF);
364 DEBUGGING(PF_KEY_DEBUG_PARSE_STRUCT,
365 "pfkey_address_parse: "
366 "found address=%s.\n",
370 DEBUGGING(PF_KEY_DEBUG_PARSE_STRUCT,
371 "pfkey_address_parse: "
372 "found address family=%d, AF_INET6.\n",
374 saddr_len = sizeof(struct sockaddr_in6);
375 sprintf(ipaddr_txt, "%x:%x:%x:%x:%x:%x:%x:%x"
376 , ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr16[0])
377 , ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr16[1])
378 , ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr16[2])
379 , ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr16[3])
380 , ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr16[4])
381 , ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr16[5])
382 , ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr16[6])
383 , ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr16[7]));
384 DEBUGGING(PF_KEY_DEBUG_PARSE_STRUCT,
385 "pfkey_address_parse: "
386 "found address=%s.\n",
390 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
391 "pfkey_address_parse: "
392 "s->sa_family=%d not supported.\n",
394 SENDERR(EPFNOSUPPORT);
397 if(pfkey_address->sadb_address_len !=
398 DIVUP(sizeof(struct sadb_address) + saddr_len, IPSEC_PFKEYv2_ALIGN)) {
399 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
400 "pfkey_address_parse: "
401 "size wrong 2 ext_len=%d, adr_ext_len=%ld, saddr_len=%d.\n",
402 pfkey_address->sadb_address_len,
403 sizeof(struct sadb_address),
408 if(pfkey_address->sadb_address_prefixlen != 0) {
409 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
410 "pfkey_address_parse: "
411 "address prefixes not supported yet.\n");
412 SENDERR(EAFNOSUPPORT); /* not supported yet */
415 /* XXX check if port!=0 */
417 DEBUGGING(PF_KEY_DEBUG_PARSE_FLOW,
418 "pfkey_address_parse: successful.\n");
424 pfkey_key_parse(struct sadb_ext *pfkey_ext)
427 struct sadb_key *pfkey_key = (struct sadb_key *)pfkey_ext;
429 DEBUGGING(PF_KEY_DEBUG_PARSE_FLOW,
430 "pfkey_key_parse:enter\n");
431 /* sanity checks... */
434 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
436 "NULL pointer passed in.\n");
440 if(pfkey_key->sadb_key_len < sizeof(struct sadb_key) / IPSEC_PFKEYv2_ALIGN) {
441 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
443 "size wrong ext_len=%d, key_ext_len=%ld.\n",
444 pfkey_key->sadb_key_len,
445 sizeof(struct sadb_key));
449 if(!pfkey_key->sadb_key_bits) {
450 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
452 "key length set to zero, must be non-zero.\n");
456 if(pfkey_key->sadb_key_len !=
457 DIVUP(sizeof(struct sadb_key) * OCTETBITS + pfkey_key->sadb_key_bits,
459 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
461 "key length=%d does not agree with extension length=%d.\n",
462 pfkey_key->sadb_key_bits,
463 pfkey_key->sadb_key_len);
467 if(pfkey_key->sadb_key_reserved) {
468 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
470 "res=%d, must be zero.\n",
471 pfkey_key->sadb_key_reserved);
475 if(! ( (pfkey_key->sadb_key_exttype == SADB_EXT_KEY_AUTH) ||
476 (pfkey_key->sadb_key_exttype == SADB_EXT_KEY_ENCRYPT))) {
477 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
479 "expecting extension type AUTH or ENCRYPT, got %d.\n",
480 pfkey_key->sadb_key_exttype);
484 DEBUGGING(PF_KEY_DEBUG_PARSE_STRUCT,
486 "success, found len=%d exttype=%d bits=%d reserved=%d.\n",
487 pfkey_key->sadb_key_len,
488 pfkey_key->sadb_key_exttype,
489 pfkey_key->sadb_key_bits,
490 pfkey_key->sadb_key_reserved);
497 pfkey_ident_parse(struct sadb_ext *pfkey_ext)
500 struct sadb_ident *pfkey_ident = (struct sadb_ident *)pfkey_ext;
502 /* sanity checks... */
503 if(pfkey_ident->sadb_ident_len < sizeof(struct sadb_ident) / IPSEC_PFKEYv2_ALIGN) {
504 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
505 "pfkey_ident_parse: "
506 "size wrong ext_len=%d, key_ext_len=%ld.\n",
507 pfkey_ident->sadb_ident_len,
508 sizeof(struct sadb_ident));
512 if(pfkey_ident->sadb_ident_type > SADB_IDENTTYPE_MAX) {
513 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
514 "pfkey_ident_parse: "
515 "ident_type=%d out of range, must be less than %d.\n",
516 pfkey_ident->sadb_ident_type,
521 if(pfkey_ident->sadb_ident_reserved) {
522 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
523 "pfkey_ident_parse: "
524 "res=%d, must be zero.\n",
525 pfkey_ident->sadb_ident_reserved);
529 /* string terminator/padding must be zero */
530 if(pfkey_ident->sadb_ident_len > sizeof(struct sadb_ident) / IPSEC_PFKEYv2_ALIGN) {
531 if(*((char*)pfkey_ident + pfkey_ident->sadb_ident_len * IPSEC_PFKEYv2_ALIGN - 1)) {
532 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
533 "pfkey_ident_parse: "
534 "string padding must be zero, last is 0x%02x.\n",
535 *((char*)pfkey_ident +
536 pfkey_ident->sadb_ident_len * IPSEC_PFKEYv2_ALIGN - 1));
541 if( ! ((pfkey_ident->sadb_ident_exttype == SADB_EXT_IDENTITY_SRC) ||
542 (pfkey_ident->sadb_ident_exttype == SADB_EXT_IDENTITY_DST))) {
543 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
545 "expecting extension type IDENTITY_SRC or IDENTITY_DST, got %d.\n",
546 pfkey_ident->sadb_ident_exttype);
555 pfkey_sens_parse(struct sadb_ext *pfkey_ext)
558 struct sadb_sens *pfkey_sens = (struct sadb_sens *)pfkey_ext;
560 /* sanity checks... */
561 if(pfkey_sens->sadb_sens_len < sizeof(struct sadb_sens) / IPSEC_PFKEYv2_ALIGN) {
562 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
564 "size wrong ext_len=%d, key_ext_len=%ld.\n",
565 pfkey_sens->sadb_sens_len,
566 sizeof(struct sadb_sens));
570 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
572 "Sorry, I can't parse exttype=%d yet.\n",
573 pfkey_ext->sadb_ext_type);
575 SENDERR(EINVAL); /* don't process these yet */
583 pfkey_prop_parse(struct sadb_ext *pfkey_ext)
587 struct sadb_prop *pfkey_prop = (struct sadb_prop *)pfkey_ext;
588 struct sadb_comb *pfkey_comb = (struct sadb_comb *)((char*)pfkey_ext + sizeof(struct sadb_prop));
590 /* sanity checks... */
591 if((pfkey_prop->sadb_prop_len < sizeof(struct sadb_prop) / IPSEC_PFKEYv2_ALIGN) ||
592 (((pfkey_prop->sadb_prop_len * IPSEC_PFKEYv2_ALIGN) - sizeof(struct sadb_prop)) % sizeof(struct sadb_comb))) {
593 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
595 "size wrong ext_len=%d, prop_ext_len=%ld comb_ext_len=%ld.\n",
596 pfkey_prop->sadb_prop_len,
597 sizeof(struct sadb_prop),
598 sizeof(struct sadb_comb));
602 if(pfkey_prop->sadb_prop_replay > 64) {
603 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
605 "replay window size: %d -- must be 0 <= size <= 64\n",
606 pfkey_prop->sadb_prop_replay);
611 if(pfkey_prop->sadb_prop_reserved[i]) {
612 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
614 "res[%d]=%d, must be zero.\n",
615 i, pfkey_prop->sadb_prop_reserved[i]);
620 num_comb = ((pfkey_prop->sadb_prop_len * IPSEC_PFKEYv2_ALIGN) - sizeof(struct sadb_prop)) / sizeof(struct sadb_comb);
622 for(i = 0; i < num_comb; i++) {
623 if(pfkey_comb->sadb_comb_auth > SADB_AALG_MAX) {
624 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
626 "pfkey_comb[%d]->sadb_comb_auth=%d > SADB_AALG_MAX=%d.\n",
628 pfkey_comb->sadb_comb_auth,
633 if(pfkey_comb->sadb_comb_auth) {
634 if(!pfkey_comb->sadb_comb_auth_minbits) {
635 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
637 "pfkey_comb[%d]->sadb_comb_auth_minbits=0, fatal.\n",
641 if(!pfkey_comb->sadb_comb_auth_maxbits) {
642 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
644 "pfkey_comb[%d]->sadb_comb_auth_maxbits=0, fatal.\n",
648 if(pfkey_comb->sadb_comb_auth_minbits > pfkey_comb->sadb_comb_auth_maxbits) {
649 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
651 "pfkey_comb[%d]->sadb_comb_auth_minbits=%d > maxbits=%d, fatal.\n",
653 pfkey_comb->sadb_comb_auth_minbits,
654 pfkey_comb->sadb_comb_auth_maxbits);
658 if(pfkey_comb->sadb_comb_auth_minbits) {
659 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
661 "pfkey_comb[%d]->sadb_comb_auth_minbits=%d != 0, fatal.\n",
663 pfkey_comb->sadb_comb_auth_minbits);
666 if(pfkey_comb->sadb_comb_auth_maxbits) {
667 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
669 "pfkey_comb[%d]->sadb_comb_auth_maxbits=%d != 0, fatal.\n",
671 pfkey_comb->sadb_comb_auth_maxbits);
676 if(pfkey_comb->sadb_comb_encrypt > SADB_EALG_MAX) {
677 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
679 "pfkey_comb[%d]->sadb_comb_encrypt=%d > SADB_EALG_MAX=%d.\n",
681 pfkey_comb->sadb_comb_encrypt,
686 if(pfkey_comb->sadb_comb_encrypt) {
687 if(!pfkey_comb->sadb_comb_encrypt_minbits) {
688 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
690 "pfkey_comb[%d]->sadb_comb_encrypt_minbits=0, fatal.\n",
694 if(!pfkey_comb->sadb_comb_encrypt_maxbits) {
695 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
697 "pfkey_comb[%d]->sadb_comb_encrypt_maxbits=0, fatal.\n",
701 if(pfkey_comb->sadb_comb_encrypt_minbits > pfkey_comb->sadb_comb_encrypt_maxbits) {
702 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
704 "pfkey_comb[%d]->sadb_comb_encrypt_minbits=%d > maxbits=%d, fatal.\n",
706 pfkey_comb->sadb_comb_encrypt_minbits,
707 pfkey_comb->sadb_comb_encrypt_maxbits);
711 if(pfkey_comb->sadb_comb_encrypt_minbits) {
712 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
714 "pfkey_comb[%d]->sadb_comb_encrypt_minbits=%d != 0, fatal.\n",
716 pfkey_comb->sadb_comb_encrypt_minbits);
719 if(pfkey_comb->sadb_comb_encrypt_maxbits) {
720 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
722 "pfkey_comb[%d]->sadb_comb_encrypt_maxbits=%d != 0, fatal.\n",
724 pfkey_comb->sadb_comb_encrypt_maxbits);
729 /* XXX do sanity check on flags */
731 if(pfkey_comb->sadb_comb_hard_allocations && pfkey_comb->sadb_comb_soft_allocations > pfkey_comb->sadb_comb_hard_allocations) {
732 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
734 "pfkey_comb[%d]->sadb_comb_soft_allocations=%d > hard_allocations=%d, fatal.\n",
736 pfkey_comb->sadb_comb_soft_allocations,
737 pfkey_comb->sadb_comb_hard_allocations);
741 if(pfkey_comb->sadb_comb_hard_bytes && pfkey_comb->sadb_comb_soft_bytes > pfkey_comb->sadb_comb_hard_bytes) {
742 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
744 "pfkey_comb[%d]->sadb_comb_soft_bytes=%Ld > hard_bytes=%Ld, fatal.\n",
746 pfkey_comb->sadb_comb_soft_bytes,
747 pfkey_comb->sadb_comb_hard_bytes);
751 if(pfkey_comb->sadb_comb_hard_addtime && pfkey_comb->sadb_comb_soft_addtime > pfkey_comb->sadb_comb_hard_addtime) {
752 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
754 "pfkey_comb[%d]->sadb_comb_soft_addtime=%Ld > hard_addtime=%Ld, fatal.\n",
756 pfkey_comb->sadb_comb_soft_addtime,
757 pfkey_comb->sadb_comb_hard_addtime);
761 if(pfkey_comb->sadb_comb_hard_usetime && pfkey_comb->sadb_comb_soft_usetime > pfkey_comb->sadb_comb_hard_usetime) {
762 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
764 "pfkey_comb[%d]->sadb_comb_soft_usetime=%Ld > hard_usetime=%Ld, fatal.\n",
766 pfkey_comb->sadb_comb_soft_usetime,
767 pfkey_comb->sadb_comb_hard_usetime);
771 if(pfkey_comb->sadb_x_comb_hard_packets && pfkey_comb->sadb_x_comb_soft_packets > pfkey_comb->sadb_x_comb_hard_packets) {
772 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
774 "pfkey_comb[%d]->sadb_x_comb_soft_packets=%d > hard_packets=%d, fatal.\n",
776 pfkey_comb->sadb_x_comb_soft_packets,
777 pfkey_comb->sadb_x_comb_hard_packets);
781 if(pfkey_comb->sadb_comb_reserved) {
782 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
784 "comb[%d].res=%d, must be zero.\n",
786 pfkey_comb->sadb_comb_reserved);
797 pfkey_supported_parse(struct sadb_ext *pfkey_ext)
800 unsigned int i, num_alg;
801 struct sadb_supported *pfkey_supported = (struct sadb_supported *)pfkey_ext;
802 struct sadb_alg *pfkey_alg = (struct sadb_alg*)((char*)pfkey_ext + sizeof(struct sadb_supported));
804 /* sanity checks... */
805 if((pfkey_supported->sadb_supported_len <
806 sizeof(struct sadb_supported) / IPSEC_PFKEYv2_ALIGN) ||
807 (((pfkey_supported->sadb_supported_len * IPSEC_PFKEYv2_ALIGN) -
808 sizeof(struct sadb_supported)) % sizeof(struct sadb_alg))) {
810 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
811 "pfkey_supported_parse: "
812 "size wrong ext_len=%d, supported_ext_len=%ld alg_ext_len=%ld.\n",
813 pfkey_supported->sadb_supported_len,
814 sizeof(struct sadb_supported),
815 sizeof(struct sadb_alg));
819 if(pfkey_supported->sadb_supported_reserved) {
820 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
821 "pfkey_supported_parse: "
822 "res=%d, must be zero.\n",
823 pfkey_supported->sadb_supported_reserved);
827 num_alg = ((pfkey_supported->sadb_supported_len * IPSEC_PFKEYv2_ALIGN) - sizeof(struct sadb_supported)) / sizeof(struct sadb_alg);
829 for(i = 0; i < num_alg; i++) {
830 /* process algo description */
831 if(pfkey_alg->sadb_alg_reserved) {
832 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
833 "pfkey_supported_parse: "
834 "alg[%d], id=%d, ivlen=%d, minbits=%d, maxbits=%d, res=%d, must be zero.\n",
836 pfkey_alg->sadb_alg_id,
837 pfkey_alg->sadb_alg_ivlen,
838 pfkey_alg->sadb_alg_minbits,
839 pfkey_alg->sadb_alg_maxbits,
840 pfkey_alg->sadb_alg_reserved);
844 /* XXX can alg_id auth/enc be determined from info given?
845 Yes, but OpenBSD's method does not iteroperate with rfc2367.
848 switch(pfkey_supported->sadb_supported_exttype) {
849 case SADB_EXT_SUPPORTED_AUTH:
850 if(pfkey_alg->sadb_alg_id > SADB_AALG_MAX) {
851 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
852 "pfkey_supported_parse: "
853 "alg[%d], alg_id=%d > SADB_AALG_MAX=%d, fatal.\n",
855 pfkey_alg->sadb_alg_id,
860 case SADB_EXT_SUPPORTED_ENCRYPT:
861 if(pfkey_alg->sadb_alg_id > SADB_EALG_MAX) {
862 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
863 "pfkey_supported_parse: "
864 "alg[%d], alg_id=%d > SADB_EALG_MAX=%d, fatal.\n",
866 pfkey_alg->sadb_alg_id,
872 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
873 "pfkey_supported_parse: "
874 "alg[%d], alg_id=%d > SADB_EALG_MAX=%d, fatal.\n",
876 pfkey_alg->sadb_alg_id,
888 pfkey_spirange_parse(struct sadb_ext *pfkey_ext)
891 struct sadb_spirange *pfkey_spirange = (struct sadb_spirange *)pfkey_ext;
893 /* sanity checks... */
894 if(pfkey_spirange->sadb_spirange_len !=
895 sizeof(struct sadb_spirange) / IPSEC_PFKEYv2_ALIGN) {
896 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
897 "pfkey_spirange_parse: "
898 "size wrong ext_len=%d, key_ext_len=%ld.\n",
899 pfkey_spirange->sadb_spirange_len,
900 sizeof(struct sadb_spirange));
904 if(pfkey_spirange->sadb_spirange_reserved) {
905 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
906 "pfkey_spirange_parse: "
907 "reserved=%d must be set to zero.\n",
908 pfkey_spirange->sadb_spirange_reserved);
912 if(ntohl(pfkey_spirange->sadb_spirange_max) < ntohl(pfkey_spirange->sadb_spirange_min)) {
913 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
914 "pfkey_spirange_parse: "
915 "minspi=%08lx must be < maxspi=%08lx.\n",
916 ntohl(pfkey_spirange->sadb_spirange_min),
917 ntohl(pfkey_spirange->sadb_spirange_max));
921 if(ntohl(pfkey_spirange->sadb_spirange_min) <= 255) {
922 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
923 "pfkey_spirange_parse: "
924 "minspi=%08lx must be > 255.\n",
925 ntohl(pfkey_spirange->sadb_spirange_min));
934 pfkey_x_kmprivate_parse(struct sadb_ext *pfkey_ext)
937 struct sadb_x_kmprivate *pfkey_x_kmprivate = (struct sadb_x_kmprivate *)pfkey_ext;
939 /* sanity checks... */
940 if(pfkey_x_kmprivate->sadb_x_kmprivate_len <
941 sizeof(struct sadb_x_kmprivate) / IPSEC_PFKEYv2_ALIGN) {
942 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
943 "pfkey_x_kmprivate_parse: "
944 "size wrong ext_len=%d, key_ext_len=%ld.\n",
945 pfkey_x_kmprivate->sadb_x_kmprivate_len,
946 sizeof(struct sadb_x_kmprivate));
950 if(pfkey_x_kmprivate->sadb_x_kmprivate_reserved) {
951 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
952 "pfkey_x_kmprivate_parse: "
953 "reserved=%d must be set to zero.\n",
954 pfkey_x_kmprivate->sadb_x_kmprivate_reserved);
958 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
959 "pfkey_x_kmprivate_parse: "
960 "Sorry, I can't parse exttype=%d yet.\n",
961 pfkey_ext->sadb_ext_type);
962 SENDERR(EINVAL); /* don't process these yet */
969 pfkey_x_satype_parse(struct sadb_ext *pfkey_ext)
973 struct sadb_x_satype *pfkey_x_satype = (struct sadb_x_satype *)pfkey_ext;
975 DEBUGGING(PF_KEY_DEBUG_PARSE_FLOW,
976 "pfkey_x_satype_parse: enter\n");
977 /* sanity checks... */
978 if(pfkey_x_satype->sadb_x_satype_len !=
979 sizeof(struct sadb_x_satype) / IPSEC_PFKEYv2_ALIGN) {
980 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
981 "pfkey_x_satype_parse: "
982 "size wrong ext_len=%d, key_ext_len=%ld.\n",
983 pfkey_x_satype->sadb_x_satype_len,
984 sizeof(struct sadb_x_satype));
988 if(!pfkey_x_satype->sadb_x_satype_satype) {
989 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
990 "pfkey_x_satype_parse: "
991 "satype is zero, must be non-zero.\n");
995 if(pfkey_x_satype->sadb_x_satype_satype > SADB_SATYPE_MAX) {
996 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
997 "pfkey_x_satype_parse: "
998 "satype %d > max %d, invalid.\n",
999 pfkey_x_satype->sadb_x_satype_satype, SADB_SATYPE_MAX);
1003 if(!(satype2proto(pfkey_x_satype->sadb_x_satype_satype))) {
1004 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1005 "pfkey_x_satype_parse: "
1006 "proto lookup from satype=%d failed.\n",
1007 pfkey_x_satype->sadb_x_satype_satype);
1011 for(i = 0; i < 3; i++) {
1012 if(pfkey_x_satype->sadb_x_satype_reserved[i]) {
1013 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1014 "pfkey_x_satype_parse: "
1015 "reserved[%d]=%d must be set to zero.\n",
1016 i, pfkey_x_satype->sadb_x_satype_reserved[i]);
1026 pfkey_x_ext_debug_parse(struct sadb_ext *pfkey_ext)
1030 struct sadb_x_debug *pfkey_x_debug = (struct sadb_x_debug *)pfkey_ext;
1032 DEBUGGING(PF_KEY_DEBUG_PARSE_FLOW,
1033 "pfkey_x_debug_parse: enter\n");
1034 /* sanity checks... */
1035 if(pfkey_x_debug->sadb_x_debug_len !=
1036 sizeof(struct sadb_x_debug) / IPSEC_PFKEYv2_ALIGN) {
1037 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1038 "pfkey_x_debug_parse: "
1039 "size wrong ext_len=%d, key_ext_len=%ld.\n",
1040 pfkey_x_debug->sadb_x_debug_len,
1041 sizeof(struct sadb_x_debug));
1045 for(i = 0; i < 4; i++) {
1046 if(pfkey_x_debug->sadb_x_debug_reserved[i]) {
1047 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1048 "pfkey_x_debug_parse: "
1049 "reserved[%d]=%d must be set to zero.\n",
1050 i, pfkey_x_debug->sadb_x_debug_reserved[i]);
1059 #ifdef NAT_TRAVERSAL
1061 pfkey_x_ext_nat_t_type_parse(struct sadb_ext *pfkey_ext)
1066 pfkey_x_ext_nat_t_port_parse(struct sadb_ext *pfkey_ext)
1072 #define DEFINEPARSER(NAME) static struct pf_key_ext_parsers_def NAME##_def={NAME, #NAME};
1074 DEFINEPARSER(pfkey_sa_parse);
1075 DEFINEPARSER(pfkey_lifetime_parse);
1076 DEFINEPARSER(pfkey_address_parse);
1077 DEFINEPARSER(pfkey_key_parse);
1078 DEFINEPARSER(pfkey_ident_parse);
1079 DEFINEPARSER(pfkey_sens_parse);
1080 DEFINEPARSER(pfkey_prop_parse);
1081 DEFINEPARSER(pfkey_supported_parse);
1082 DEFINEPARSER(pfkey_spirange_parse);
1083 DEFINEPARSER(pfkey_x_kmprivate_parse);
1084 DEFINEPARSER(pfkey_x_satype_parse);
1085 DEFINEPARSER(pfkey_x_ext_debug_parse);
1086 #ifdef NAT_TRAVERSAL
1087 DEFINEPARSER(pfkey_x_ext_nat_t_type_parse);
1088 DEFINEPARSER(pfkey_x_ext_nat_t_port_parse);
1091 struct pf_key_ext_parsers_def *ext_default_parsers[]=
1093 NULL, /* pfkey_msg_parse, */
1094 &pfkey_sa_parse_def,
1095 &pfkey_lifetime_parse_def,
1096 &pfkey_lifetime_parse_def,
1097 &pfkey_lifetime_parse_def,
1098 &pfkey_address_parse_def,
1099 &pfkey_address_parse_def,
1100 &pfkey_address_parse_def,
1101 &pfkey_key_parse_def,
1102 &pfkey_key_parse_def,
1103 &pfkey_ident_parse_def,
1104 &pfkey_ident_parse_def,
1105 &pfkey_sens_parse_def,
1106 &pfkey_prop_parse_def,
1107 &pfkey_supported_parse_def,
1108 &pfkey_supported_parse_def,
1109 &pfkey_spirange_parse_def,
1110 &pfkey_x_kmprivate_parse_def,
1111 &pfkey_x_satype_parse_def,
1112 &pfkey_sa_parse_def,
1113 &pfkey_address_parse_def,
1114 &pfkey_address_parse_def,
1115 &pfkey_address_parse_def,
1116 &pfkey_address_parse_def,
1117 &pfkey_address_parse_def,
1118 &pfkey_x_ext_debug_parse_def
1119 #ifdef NAT_TRAVERSAL
1121 &pfkey_x_ext_nat_t_type_parse_def,
1122 &pfkey_x_ext_nat_t_port_parse_def,
1123 &pfkey_x_ext_nat_t_port_parse_def,
1124 &pfkey_address_parse_def
1129 pfkey_msg_parse(struct sadb_msg *pfkey_msg,
1130 struct pf_key_ext_parsers_def *ext_parsers[],
1131 struct sadb_ext *extensions[],
1136 struct sadb_ext *pfkey_ext;
1137 int extensions_seen = 0;
1139 DEBUGGING(PF_KEY_DEBUG_PARSE_STRUCT,
1141 "parsing message ver=%d, type=%d(%s), errno=%d, satype=%d(%s), len=%d, res=%d, seq=%d, pid=%d.\n",
1142 pfkey_msg->sadb_msg_version,
1143 pfkey_msg->sadb_msg_type,
1144 pfkey_v2_sadb_type_string(pfkey_msg->sadb_msg_type),
1145 pfkey_msg->sadb_msg_errno,
1146 pfkey_msg->sadb_msg_satype,
1147 satype2name(pfkey_msg->sadb_msg_satype),
1148 pfkey_msg->sadb_msg_len,
1149 pfkey_msg->sadb_msg_reserved,
1150 pfkey_msg->sadb_msg_seq,
1151 pfkey_msg->sadb_msg_pid);
1153 if(ext_parsers == NULL) ext_parsers = ext_default_parsers;
1155 pfkey_extensions_init(extensions);
1157 remain = pfkey_msg->sadb_msg_len;
1158 remain -= sizeof(struct sadb_msg) / IPSEC_PFKEYv2_ALIGN;
1160 pfkey_ext = (struct sadb_ext*)((char*)pfkey_msg +
1161 sizeof(struct sadb_msg));
1163 extensions[0] = (struct sadb_ext *) pfkey_msg;
1166 if(pfkey_msg->sadb_msg_version != PF_KEY_V2) {
1167 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1169 "not PF_KEY_V2 msg, found %d, should be %d.\n",
1170 pfkey_msg->sadb_msg_version,
1175 if(!pfkey_msg->sadb_msg_type) {
1176 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1178 "msg type not set, must be non-zero..\n");
1182 if(pfkey_msg->sadb_msg_type > SADB_MAX) {
1183 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1185 "msg type=%d > max=%d.\n",
1186 pfkey_msg->sadb_msg_type,
1191 switch(pfkey_msg->sadb_msg_type) {
1198 case SADB_X_ADDFLOW:
1199 if(!satype2proto(pfkey_msg->sadb_msg_satype)) {
1200 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1202 "satype %d conversion to proto failed for msg_type %d (%s).\n",
1203 pfkey_msg->sadb_msg_satype,
1204 pfkey_msg->sadb_msg_type,
1205 pfkey_v2_sadb_type_string(pfkey_msg->sadb_msg_type));
1208 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1210 "satype %d(%s) conversion to proto gives %d for msg_type %d(%s).\n",
1211 pfkey_msg->sadb_msg_satype,
1212 satype2name(pfkey_msg->sadb_msg_satype),
1213 satype2proto(pfkey_msg->sadb_msg_satype),
1214 pfkey_msg->sadb_msg_type,
1215 pfkey_v2_sadb_type_string(pfkey_msg->sadb_msg_type));
1220 if(!pfkey_msg->sadb_msg_satype) {
1221 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1223 "satype is zero, must be non-zero for msg_type %d(%s).\n",
1224 pfkey_msg->sadb_msg_type,
1225 pfkey_v2_sadb_type_string(pfkey_msg->sadb_msg_type));
1232 /* errno must not be set in downward messages */
1233 /* this is not entirely true... a response to an ACQUIRE could return an error */
1234 if((dir == EXT_BITS_IN) && (pfkey_msg->sadb_msg_type != SADB_ACQUIRE) && pfkey_msg->sadb_msg_errno) {
1235 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1237 "errno set to %d.\n",
1238 pfkey_msg->sadb_msg_errno);
1242 DEBUGGING(PF_KEY_DEBUG_PARSE_STRUCT,
1244 "remain=%d, ext_type=%d(%s), ext_len=%d.\n",
1246 pfkey_ext->sadb_ext_type,
1247 pfkey_v2_sadb_ext_string(pfkey_ext->sadb_ext_type),
1248 pfkey_ext->sadb_ext_len);
1250 DEBUGGING(PF_KEY_DEBUG_PARSE_STRUCT,
1252 "extensions permitted=%08x, required=%08x.\n",
1253 extensions_bitmaps[dir][EXT_BITS_PERM][pfkey_msg->sadb_msg_type],
1254 extensions_bitmaps[dir][EXT_BITS_REQ][pfkey_msg->sadb_msg_type]);
1256 extensions_seen = 1;
1258 while( (remain * IPSEC_PFKEYv2_ALIGN) >= sizeof(struct sadb_ext) ) {
1259 /* Is there enough message left to support another extension header? */
1260 if(remain < pfkey_ext->sadb_ext_len) {
1261 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1263 "remain %d less than ext len %d.\n",
1264 remain, pfkey_ext->sadb_ext_len);
1268 DEBUGGING(PF_KEY_DEBUG_PARSE_STRUCT,
1270 "parsing ext type=%d remain=%d.\n",
1271 pfkey_ext->sadb_ext_type,
1274 /* Is the extension header type valid? */
1275 if((pfkey_ext->sadb_ext_type > SADB_EXT_MAX) || (!pfkey_ext->sadb_ext_type)) {
1276 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1278 "ext type %d invalid, SADB_EXT_MAX=%d.\n",
1279 pfkey_ext->sadb_ext_type, SADB_EXT_MAX);
1283 /* Have we already seen this type of extension? */
1284 if((extensions_seen & ( 1 << pfkey_ext->sadb_ext_type )) != 0)
1286 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1288 "ext type %d already seen.\n",
1289 pfkey_ext->sadb_ext_type);
1293 /* Do I even know about this type of extension? */
1294 if(ext_parsers[pfkey_ext->sadb_ext_type]==NULL) {
1295 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1297 "ext type %d unknown, ignoring.\n",
1298 pfkey_ext->sadb_ext_type);
1302 /* Is this type of extension permitted for this type of message? */
1303 if(!(extensions_bitmaps[dir][EXT_BITS_PERM][pfkey_msg->sadb_msg_type] &
1304 1<<pfkey_ext->sadb_ext_type)) {
1305 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1307 "ext type %d not permitted, exts_perm_in=%08x, 1<<type=%08x\n",
1308 pfkey_ext->sadb_ext_type,
1309 extensions_bitmaps[dir][EXT_BITS_PERM][pfkey_msg->sadb_msg_type],
1310 1<<pfkey_ext->sadb_ext_type);
1314 DEBUGGING(PF_KEY_DEBUG_PARSE_STRUCT,
1316 "About to parse extension %d %p with parser %s.\n",
1317 pfkey_ext->sadb_ext_type,
1319 ext_parsers[pfkey_ext->sadb_ext_type]->parser_name);
1320 /* Parse the extension */
1322 (*ext_parsers[pfkey_ext->sadb_ext_type]->parser)(pfkey_ext))) {
1323 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1325 "extension parsing for type %d failed with error %d.\n",
1326 pfkey_ext->sadb_ext_type, error);
1329 DEBUGGING(PF_KEY_DEBUG_PARSE_STRUCT,
1331 "Extension %d parsed.\n",
1332 pfkey_ext->sadb_ext_type);
1334 /* Mark that we have seen this extension and remember the header location */
1335 extensions_seen |= ( 1 << pfkey_ext->sadb_ext_type );
1336 extensions[pfkey_ext->sadb_ext_type] = pfkey_ext;
1339 /* Calculate how much message remains */
1340 remain -= pfkey_ext->sadb_ext_len;
1345 /* Find the next extension header */
1346 pfkey_ext = (struct sadb_ext*)((char*)pfkey_ext +
1347 pfkey_ext->sadb_ext_len * IPSEC_PFKEYv2_ALIGN);
1351 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1353 "unexpected remainder of %d.\n",
1355 /* why is there still something remaining? */
1359 /* check required extensions */
1360 DEBUGGING(PF_KEY_DEBUG_PARSE_STRUCT,
1362 "extensions permitted=%08x, seen=%08x, required=%08x.\n",
1363 extensions_bitmaps[dir][EXT_BITS_PERM][pfkey_msg->sadb_msg_type],
1365 extensions_bitmaps[dir][EXT_BITS_REQ][pfkey_msg->sadb_msg_type]);
1367 /* don't check further if it is an error return message since it
1368 may not have a body */
1369 if(pfkey_msg->sadb_msg_errno) {
1373 if((extensions_seen &
1374 extensions_bitmaps[dir][EXT_BITS_REQ][pfkey_msg->sadb_msg_type]) !=
1375 extensions_bitmaps[dir][EXT_BITS_REQ][pfkey_msg->sadb_msg_type]) {
1376 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1378 "required extensions missing:%08x.\n",
1379 extensions_bitmaps[dir][EXT_BITS_REQ][pfkey_msg->sadb_msg_type] -
1381 extensions_bitmaps[dir][EXT_BITS_REQ][pfkey_msg->sadb_msg_type]));
1385 if((dir == EXT_BITS_IN) && (pfkey_msg->sadb_msg_type == SADB_X_DELFLOW)
1386 && ((extensions_seen & SADB_X_EXT_ADDRESS_DELFLOW)
1387 != SADB_X_EXT_ADDRESS_DELFLOW)
1388 && (((extensions_seen & (1<<SADB_EXT_SA)) != (1<<SADB_EXT_SA))
1389 || ((((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_flags
1390 & SADB_X_SAFLAGS_CLEARFLOW)
1391 != SADB_X_SAFLAGS_CLEARFLOW))) {
1392 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1394 "required SADB_X_DELFLOW extensions missing: either %08x must be present or %08x must be present with SADB_X_SAFLAGS_CLEARFLOW set.\n",
1395 SADB_X_EXT_ADDRESS_DELFLOW
1396 - (extensions_seen & SADB_X_EXT_ADDRESS_DELFLOW),
1397 (1<<SADB_EXT_SA) - (extensions_seen & (1<<SADB_EXT_SA)));
1401 switch(pfkey_msg->sadb_msg_type) {
1404 /* check maturity */
1405 if(((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_state !=
1406 SADB_SASTATE_MATURE) {
1407 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1409 "state=%d for add or update should be MATURE=%d.\n",
1410 ((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_state,
1411 SADB_SASTATE_MATURE);
1415 /* check AH and ESP */
1416 switch(((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_satype) {
1417 case SADB_SATYPE_AH:
1418 if(!(((struct sadb_sa*)extensions[SADB_EXT_SA]) &&
1419 ((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_auth !=
1421 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1423 "auth alg is zero, must be non-zero for AH SAs.\n");
1426 if(((struct sadb_sa*)(extensions[SADB_EXT_SA]))->sadb_sa_encrypt !=
1428 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1430 "AH handed encalg=%d, must be zero.\n",
1431 ((struct sadb_sa*)(extensions[SADB_EXT_SA]))->sadb_sa_encrypt);
1435 case SADB_SATYPE_ESP:
1436 if(!(((struct sadb_sa*)extensions[SADB_EXT_SA]) &&
1437 ((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_encrypt !=
1439 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1441 "encrypt alg=%d is zero, must be non-zero for ESP=%d SAs.\n",
1442 ((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_encrypt,
1443 ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_satype);
1446 if((((struct sadb_sa*)(extensions[SADB_EXT_SA]))->sadb_sa_encrypt ==
1448 (((struct sadb_sa*)(extensions[SADB_EXT_SA]))->sadb_sa_auth ==
1450 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1452 "ESP handed encNULL+authNONE, illegal combination.\n");
1456 case SADB_X_SATYPE_COMP:
1457 if(!(((struct sadb_sa*)extensions[SADB_EXT_SA]) &&
1458 ((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_encrypt !=
1460 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1462 "encrypt alg=%d is zero, must be non-zero for COMP=%d SAs.\n",
1463 ((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_encrypt,
1464 ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_satype);
1467 if(((struct sadb_sa*)(extensions[SADB_EXT_SA]))->sadb_sa_auth !=
1469 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1471 "COMP handed auth=%d, must be zero.\n",
1472 ((struct sadb_sa*)(extensions[SADB_EXT_SA]))->sadb_sa_auth);
1479 if(ntohl(((struct sadb_sa*)(extensions[SADB_EXT_SA]))->sadb_sa_spi) <= 255) {
1480 DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
1482 "spi=%08lx must be > 255.\n",
1483 ntohl(((struct sadb_sa*)(extensions[SADB_EXT_SA]))->sadb_sa_spi));
1495 * $Log: pfkey_v2_parse.c,v $
1496 * Revision 1.42 2002/01/29 22:25:36 rgb
1497 * Re-add ipsec_kversion.h to keep MALLOC happy.
1499 * Revision 1.41 2002/01/29 01:59:10 mcr
1500 * removal of kversions.h - sources that needed it now use ipsec_param.h.
1501 * updating of IPv6 structures to match latest in6.h version.
1502 * removed dead code from freeswan.h that also duplicated kversions.h
1505 * Revision 1.40 2002/01/20 20:34:50 mcr
1506 * added pfkey_v2_sadb_type_string to decode sadb_type to string.
1508 * Revision 1.39 2001/11/27 05:29:22 mcr
1509 * pfkey parses are now maintained by a structure
1510 * that includes their name for debug purposes.
1511 * DEBUGGING() macro changed so that it takes a debug
1512 * level so that pf_key() can use this to decode the
1513 * structures without innundanting humans.
1514 * Also uses pfkey_v2_sadb_ext_string() in messages.
1516 * Revision 1.38 2001/11/06 19:47:47 rgb
1517 * Added packet parameter to lifetime and comb structures.
1519 * Revision 1.37 2001/10/18 04:45:24 rgb
1520 * 2.4.9 kernel deprecates linux/malloc.h in favour of linux/slab.h,
1521 * lib/freeswan.h version macros moved to lib/kversions.h.
1522 * Other compiler directive cleanups.
1524 * Revision 1.36 2001/06/14 19:35:16 rgb
1525 * Update copyright date.
1527 * Revision 1.35 2001/05/03 19:44:51 rgb
1528 * Standardise on SENDERR() macro.
1530 * Revision 1.34 2001/03/16 07:41:51 rgb
1531 * Put freeswan.h include before pluto includes.
1533 * Revision 1.33 2001/02/27 07:13:51 rgb
1534 * Added satype2name() function.
1535 * Added text to default satype_tbl entry.
1536 * Added satype2name() conversions for most satype debug output.
1538 * Revision 1.32 2001/02/26 20:01:09 rgb
1539 * Added internal IP protocol 61 for magic SAs.
1540 * Ditch unused sadb_satype2proto[], replaced by satype2proto().
1541 * Re-formatted debug output (split lines, consistent spacing).
1542 * Removed acquire, register and expire requirements for a known satype.
1543 * Changed message type checking to a switch structure.
1544 * Verify expected NULL auth for IPCOMP.
1545 * Enforced spi > 0x100 requirement, now that pass uses a magic SA for
1546 * appropriate message types.
1548 * Revision 1.31 2000/12/01 07:09:00 rgb
1549 * Added ipcomp sanity check to require encalgo is set.
1551 * Revision 1.30 2000/11/17 18:10:30 rgb
1552 * Fixed bugs mostly relating to spirange, to treat all spi variables as
1553 * network byte order since this is the way PF_KEYv2 stored spis.
1555 * Revision 1.29 2000/10/12 00:02:39 rgb
1556 * Removed 'format, ##' nonsense from debug macros for RH7.0.
1558 * Revision 1.28 2000/09/20 16:23:04 rgb
1559 * Remove over-paranoid extension check in the presence of sadb_msg_errno.
1561 * Revision 1.27 2000/09/20 04:04:21 rgb
1562 * Changed static functions to DEBUG_NO_STATIC to reveal function names in
1565 * Revision 1.26 2000/09/15 11:37:02 rgb
1566 * Merge in heavily modified Svenning Soerensen's <svenning@post5.tele.dk>
1567 * IPCOMP zlib deflate code.
1569 * Revision 1.25 2000/09/12 22:35:37 rgb
1570 * Restructured to remove unused extensions from CLEARFLOW messages.
1572 * Revision 1.24 2000/09/12 18:59:54 rgb
1573 * Added Gerhard's IPv6 support to pfkey parts of libfreeswan.
1575 * Revision 1.23 2000/09/12 03:27:00 rgb
1576 * Moved DEBUGGING definition to compile kernel with debug off.
1578 * Revision 1.22 2000/09/09 06:39:27 rgb
1579 * Restrict pfkey errno check to downward messages only.
1581 * Revision 1.21 2000/09/08 19:22:34 rgb
1582 * Enabled pfkey_sens_parse().
1583 * Added check for errno on downward acquire messages only.
1585 * Revision 1.20 2000/09/01 18:48:23 rgb
1586 * Fixed reserved check bug and added debug output in
1587 * pfkey_supported_parse().
1588 * Fixed debug output label bug in pfkey_ident_parse().
1590 * Revision 1.19 2000/08/27 01:55:26 rgb
1591 * Define OCTETBITS and PFKEYBITS to avoid using 'magic' numbers in code.
1593 * Revision 1.18 2000/08/24 17:00:36 rgb
1594 * Ignore unknown extensions instead of failing.
1596 * Revision 1.17 2000/06/02 22:54:14 rgb
1597 * Added Gerhard Gessler's struct sockaddr_storage mods for IPv6 support.
1599 * Revision 1.16 2000/05/10 19:25:11 rgb
1600 * Fleshed out proposal and supported extensions.
1602 * Revision 1.15 2000/01/24 21:15:31 rgb
1603 * Added disabled pluto pfkey lib debug flag.
1604 * Added algo debugging reporting.
1606 * Revision 1.14 2000/01/22 23:24:29 rgb
1607 * Added new functions proto2satype() and satype2proto() and lookup
1608 * table satype_tbl. Also added proto2name() since it was easy.
1610 * Revision 1.13 2000/01/21 09:43:59 rgb
1611 * Cast ntohl(spi) as (unsigned long int) to shut up compiler.
1613 * Revision 1.12 2000/01/21 06:28:19 rgb
1614 * Added address cases for eroute flows.
1615 * Indented compiler directives for readability.
1616 * Added klipsdebug switching capability.
1618 * Revision 1.11 1999/12/29 21:14:59 rgb
1619 * Fixed debug text cut and paste typo.
1621 * Revision 1.10 1999/12/10 17:45:24 rgb
1622 * Added address debugging.
1624 * Revision 1.9 1999/12/09 23:11:42 rgb
1625 * Ditched <string.h> include since we no longer use memset().
1626 * Use new pfkey_extensions_init() instead of memset().
1627 * Added check for SATYPE in pfkey_msg_build().
1628 * Tidy up comments and debugging comments.
1630 * Revision 1.8 1999/12/07 19:55:26 rgb
1631 * Removed unused first argument from extension parsers.
1632 * Removed static pluto debug flag.
1633 * Moved message type and state checking to pfkey_msg_parse().
1634 * Changed print[fk] type from lx to x to quiet compiler.
1635 * Removed redundant remain check.
1636 * Changed __u* types to uint* to avoid use of asm/types.h and
1637 * sys/types.h in userspace code.
1639 * Revision 1.7 1999/12/01 22:20:51 rgb
1640 * Moved pfkey_lib_debug variable into the library.
1641 * Added pfkey version check into header parsing.
1642 * Added check for SATYPE only for those extensions that require a
1645 * Revision 1.6 1999/11/27 11:58:05 rgb
1646 * Added ipv6 headers.
1647 * Moved sadb_satype2proto protocol lookup table from
1648 * klips/net/ipsec/pfkey_v2_parser.c.
1649 * Enable lifetime_current checking.
1650 * Debugging error messages added.
1651 * Add argument to pfkey_msg_parse() for direction.
1652 * Consolidated the 4 1-d extension bitmap arrays into one 4-d array.
1653 * Add CVS log entry to bottom of file.
1654 * Moved auth and enc alg check to pfkey_msg_parse().
1655 * Enable accidentally disabled spirange parsing.
1656 * Moved protocol/algorithm checks from klips/net/ipsec/pfkey_v2_parser.c
1659 * c-file-style: "linux"