DEBUG_NO_STATIC int pfkey_x_ext_saref_parse(struct sadb_ext *pfkey_ext) { int error = 0; struct sadb_x_saref *p = (struct sadb_x_saref *)pfkey_ext; DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM, "pfkey_x_saref_parse:\n"); /* sanity checks... */ if (p->sadb_x_saref_len != IPSEC_PFKEYv2_WORDS(sizeof(*p))) { DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM, "pfkey_x_saref_parse: size wrong ext_len=%d, key_ext_len=%d.\n", p->sadb_x_saref_len, (int)sizeof(*p)); SENDERR(EINVAL); } errlab: return error; }
void pfkey_print(struct sadb_msg *msg, FILE *out) { int len; struct sadb_ext *se; fprintf(out, "version=%d type=%d errno=%d satype=%d len=%d seq=%d pid=%d ", msg->sadb_msg_version, msg->sadb_msg_type, msg->sadb_msg_errno, msg->sadb_msg_satype, msg->sadb_msg_len, (int)msg->sadb_msg_seq, (int)msg->sadb_msg_pid); len = IPSEC_PFKEYv2_LEN(msg->sadb_msg_len); len -= sizeof(struct sadb_msg); se = (struct sadb_ext *)(&msg[1]); while(len > sizeof(struct sadb_ext)) { fprintf(out, "{ext=%d len=%d ", se->sadb_ext_type, se->sadb_ext_len); /* make sure that there is enough left */ if(IPSEC_PFKEYv2_LEN(se->sadb_ext_len) > len) { fprintf(out, "short-packet(%d<%d) ", len, (int)IPSEC_PFKEYv2_LEN(se->sadb_ext_len)); /* force it to match */ se->sadb_ext_len = IPSEC_PFKEYv2_WORDS(len); goto dumpbytes; } /* okay, decode what we know */ switch(se->sadb_ext_type) { case SADB_EXT_SA: { struct k_sadb_sa *sa = (struct k_sadb_sa *)se; fprintf(out, "spi=%08x replay=%d state=%d auth=%d encrypt=%d flags=%08x ref=%08x}", (int)sa->sadb_sa_spi, sa->sadb_sa_replay, sa->sadb_sa_state, sa->sadb_sa_auth, sa->sadb_sa_encrypt, (int)sa->sadb_sa_flags, (int)sa->sadb_x_sa_ref); } break; case SADB_X_EXT_ADDRESS_SRC_FLOW: case SADB_X_EXT_ADDRESS_DST_FLOW: case SADB_X_EXT_ADDRESS_SRC_MASK: case SADB_X_EXT_ADDRESS_DST_MASK: case SADB_EXT_ADDRESS_DST: case SADB_EXT_ADDRESS_SRC: { struct sadb_address *addr = (struct sadb_address *)se; int alen = IPSEC_PFKEYv2_LEN(addr->sadb_address_len)-sizeof(struct sadb_address); unsigned char *bytes = (unsigned char *)&addr[1]; fprintf(out, "proto=%d prefixlen=%d addr=0x", addr->sadb_address_proto, addr->sadb_address_prefixlen); while(alen > 0) { fprintf(out, "%02x", *bytes); bytes++; alen--; } fprintf(out, " } "); } break; case SADB_X_EXT_PROTOCOL: { struct sadb_protocol *sp = (struct sadb_protocol *)se; fprintf(out, "proto=%d direction=%d flags=%d } ", sp->sadb_protocol_proto, sp->sadb_protocol_direction, sp->sadb_protocol_flags); } break; case SADB_EXT_LIFETIME_CURRENT: case SADB_EXT_LIFETIME_HARD: case SADB_EXT_LIFETIME_SOFT: { struct sadb_lifetime *life = (struct sadb_lifetime *)se; fprintf(out, "allocations=%d bytes=%qd addtime=%qd usetime=%qd packets=%d", (int)life->sadb_lifetime_allocations, (long long)life->sadb_lifetime_bytes, (long long)life->sadb_lifetime_addtime, (long long)life->sadb_lifetime_usetime, (int)life->sadb_x_lifetime_packets); fprintf(out, " } "); } break; case SADB_EXT_RESERVED: case SADB_EXT_ADDRESS_PROXY: case SADB_EXT_KEY_AUTH: case SADB_EXT_KEY_ENCRYPT: case SADB_EXT_IDENTITY_SRC: case SADB_EXT_IDENTITY_DST: case SADB_EXT_SENSITIVITY: case SADB_EXT_PROPOSAL: case SADB_EXT_SUPPORTED_AUTH: case SADB_EXT_SUPPORTED_ENCRYPT: case SADB_EXT_SPIRANGE: case SADB_X_EXT_KMPRIVATE: case SADB_X_EXT_SATYPE2: case SADB_X_EXT_SA2: case SADB_X_EXT_ADDRESS_DST2: case SADB_X_EXT_DEBUG: default: { unsigned int elen; unsigned char *bytes; dumpbytes: elen = IPSEC_PFKEYv2_LEN(se->sadb_ext_len)-sizeof(struct sadb_ext); bytes = (unsigned char *)&se[1]; fprintf(out, "bytes=0x"); while(elen > 0) { fprintf(out, "%02x", *bytes); bytes++; elen--; } fprintf(out, " } "); } break; } /* skip to next extension header */ { unsigned int elen = IPSEC_PFKEYv2_LEN(se->sadb_ext_len); if(elen < sizeof(struct sadb_ext)) { fprintf(out, "illegal-length(%d) ",elen); elen = sizeof(struct sadb_ext); } se = (struct sadb_ext *)(((unsigned char *)se)+elen); len -= elen; } } fprintf(out, "\n"); }
int pfkey_msg_parse(struct sadb_msg *pfkey_msg, struct pf_key_ext_parsers_def *ext_parsers[], struct sadb_ext *extensions[], int dir) { int error = 0; int remain; struct sadb_ext *pfkey_ext; pfkey_ext_track extensions_seen = 0; DEBUGGING(PF_KEY_DEBUG_PARSE_STRUCT, "pfkey_msg_parse: " "parsing message ver=%d, type=%d(%s), errno=%d, satype=%d(%s), len=%d, res=%d, seq=%d, pid=%d.\n", pfkey_msg->sadb_msg_version, pfkey_msg->sadb_msg_type, pfkey_v2_sadb_type_string(pfkey_msg->sadb_msg_type), pfkey_msg->sadb_msg_errno, pfkey_msg->sadb_msg_satype, satype2name(pfkey_msg->sadb_msg_satype), pfkey_msg->sadb_msg_len, pfkey_msg->sadb_msg_reserved, pfkey_msg->sadb_msg_seq, pfkey_msg->sadb_msg_pid); if(ext_parsers == NULL) ext_parsers = ext_default_parsers; pfkey_extensions_init(extensions); remain = pfkey_msg->sadb_msg_len; remain -= IPSEC_PFKEYv2_WORDS(sizeof(struct sadb_msg)); pfkey_ext = (struct sadb_ext*)((char*)pfkey_msg + sizeof(struct sadb_msg)); extensions[0] = (struct sadb_ext *) pfkey_msg; if(pfkey_msg->sadb_msg_version != PF_KEY_V2) { ERROR("pfkey_msg_parse: " "not PF_KEY_V2 msg, found %d, should be %d.\n", pfkey_msg->sadb_msg_version, PF_KEY_V2); SENDERR(EINVAL); } if(!pfkey_msg->sadb_msg_type) { ERROR("pfkey_msg_parse: " "msg type not set, must be non-zero..\n"); SENDERR(EINVAL); } if(pfkey_msg->sadb_msg_type > K_SADB_MAX) { ERROR("pfkey_msg_parse: " "msg type=%d > max=%d.\n", pfkey_msg->sadb_msg_type, K_SADB_MAX); SENDERR(EINVAL); } switch(pfkey_msg->sadb_msg_type) { case K_SADB_GETSPI: case K_SADB_UPDATE: case K_SADB_ADD: case K_SADB_DELETE: case K_SADB_GET: case K_SADB_X_GRPSA: case K_SADB_X_ADDFLOW: if(!satype2proto(pfkey_msg->sadb_msg_satype)) { ERROR("pfkey_msg_parse: " "satype %d conversion to proto failed for msg_type %d (%s).\n", pfkey_msg->sadb_msg_satype, pfkey_msg->sadb_msg_type, pfkey_v2_sadb_type_string(pfkey_msg->sadb_msg_type)); SENDERR(EINVAL); } else { DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM, "pfkey_msg_parse: " "satype %d(%s) conversion to proto gives %d for msg_type %d(%s).\n", pfkey_msg->sadb_msg_satype, satype2name(pfkey_msg->sadb_msg_satype), satype2proto(pfkey_msg->sadb_msg_satype), pfkey_msg->sadb_msg_type, pfkey_v2_sadb_type_string(pfkey_msg->sadb_msg_type)); } case K_SADB_ACQUIRE: case K_SADB_REGISTER: case K_SADB_EXPIRE: if(!pfkey_msg->sadb_msg_satype) { DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM, "pfkey_msg_parse: " "satype is zero, must be non-zero for msg_type %d(%s).\n", pfkey_msg->sadb_msg_type, pfkey_v2_sadb_type_string(pfkey_msg->sadb_msg_type)); SENDERR(EINVAL); } default: break; } /* errno must not be set in downward messages */ /* this is not entirely true... a response to an ACQUIRE could return an error */ if((dir == EXT_BITS_IN) && (pfkey_msg->sadb_msg_type != K_SADB_ACQUIRE) && pfkey_msg->sadb_msg_errno) { DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM, "pfkey_msg_parse: " "errno set to %d.\n", pfkey_msg->sadb_msg_errno); SENDERR(EINVAL); } DEBUGGING(PF_KEY_DEBUG_PARSE_FLOW, "pfkey_msg_parse: " "remain=%d\n", remain ); extensions_seen = 1; while( (remain * IPSEC_PFKEYv2_ALIGN) >= sizeof(struct sadb_ext) ) { /* Is there enough message left to support another extension header? */ if(remain < pfkey_ext->sadb_ext_len) { ERROR("pfkey_msg_parse: " "remain %d less than ext len %d.\n", remain, pfkey_ext->sadb_ext_len); SENDERR(EINVAL); } DEBUGGING(PF_KEY_DEBUG_PARSE_FLOW, "pfkey_msg_parse: " "parsing ext type=%d(%s) remain=%d.\n", pfkey_ext->sadb_ext_type, pfkey_v2_sadb_ext_string(pfkey_ext->sadb_ext_type), remain); /* Is the extension header type valid? */ if((pfkey_ext->sadb_ext_type > K_SADB_EXT_MAX) || (!pfkey_ext->sadb_ext_type)) { DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM, "pfkey_msg_parse: " "ext type %d(%s) invalid, K_SADB_EXT_MAX=%d.\n", pfkey_ext->sadb_ext_type, pfkey_v2_sadb_ext_string(pfkey_ext->sadb_ext_type), K_SADB_EXT_MAX); SENDERR(EINVAL); } /* Have we already seen this type of extension? */ if(extensions[pfkey_ext->sadb_ext_type] != NULL) { ERROR("pfkey_msg_parse: " "ext type %d(%s) already seen.\n", pfkey_ext->sadb_ext_type, pfkey_v2_sadb_ext_string(pfkey_ext->sadb_ext_type)); SENDERR(EINVAL); } /* Do I even know about this type of extension? */ if(ext_parsers[pfkey_ext->sadb_ext_type]==NULL) { ERROR("pfkey_msg_parse: " "ext type %d(%s) unknown, ignoring.\n", pfkey_ext->sadb_ext_type, pfkey_v2_sadb_ext_string(pfkey_ext->sadb_ext_type)); goto next_ext; } /* Is this type of extension permitted for this type of message? */ if(!pfkey_permitted_extension(dir,pfkey_msg->sadb_msg_type,pfkey_ext->sadb_ext_type)) { ERROR("ext type %d(%s) not permitted (parse)\n", pfkey_ext->sadb_ext_type, pfkey_v2_sadb_ext_string(pfkey_ext->sadb_ext_type)); SENDERR(EINVAL); } DEBUGGING(PF_KEY_DEBUG_PARSE_STRUCT, "pfkey_msg_parse: " "remain=%d ext_type=%d(%s) ext_len=%d parsing ext 0p%p with parser %s.\n", remain, pfkey_ext->sadb_ext_type, pfkey_v2_sadb_ext_string(pfkey_ext->sadb_ext_type), pfkey_ext->sadb_ext_len, pfkey_ext, ext_parsers[pfkey_ext->sadb_ext_type]->parser_name); /* Parse the extension */ if((error = (*ext_parsers[pfkey_ext->sadb_ext_type]->parser)(pfkey_ext))) { ERROR("pfkey_msg_parse: " "extension parsing for type %d(%s) failed with error %d.\n", pfkey_ext->sadb_ext_type, pfkey_v2_sadb_ext_string(pfkey_ext->sadb_ext_type), error); SENDERR(-error); } DEBUGGING(PF_KEY_DEBUG_PARSE_FLOW, "pfkey_msg_parse: " "Extension %d(%s) parsed.\n", pfkey_ext->sadb_ext_type, pfkey_v2_sadb_ext_string(pfkey_ext->sadb_ext_type)); /* Mark that we have seen this extension and remember the header location */ extensions[pfkey_ext->sadb_ext_type] = pfkey_ext; pfkey_mark_extension(pfkey_ext->sadb_ext_type,&extensions_seen); next_ext: /* Calculate how much message remains */ remain -= pfkey_ext->sadb_ext_len; if(!remain) { break; } /* Find the next extension header */ pfkey_ext = (struct sadb_ext*)((char*)pfkey_ext + pfkey_ext->sadb_ext_len * IPSEC_PFKEYv2_ALIGN); } if(remain) { DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM, "pfkey_msg_parse: " "unexpected remainder of %d.\n", remain); /* why is there still something remaining? */ SENDERR(EINVAL); } /* don't check further if it is an error return message since it may not have a body */ if(pfkey_msg->sadb_msg_errno) { SENDERR(-error); } if(pfkey_extensions_missing(dir,pfkey_msg->sadb_msg_type,extensions_seen)) { ERROR("required extensions missing.seen=%08llx.\n",(unsigned long long)extensions_seen); SENDERR(EINVAL); } if((dir == EXT_BITS_IN) && (pfkey_msg->sadb_msg_type == K_SADB_X_DELFLOW) && ((extensions_seen & K_SADB_X_EXT_ADDRESS_DELFLOW) != K_SADB_X_EXT_ADDRESS_DELFLOW) && (((extensions_seen & (1<<SADB_EXT_SA)) != (1<<SADB_EXT_SA)) || ((((struct k_sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_flags & SADB_X_SAFLAGS_CLEARFLOW) != SADB_X_SAFLAGS_CLEARFLOW))) { DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM, "pfkey_msg_parse: " "required SADB_X_DELFLOW extensions missing: either %16llx must be present or %16llx must be present with SADB_X_SAFLAGS_CLEARFLOW set.\n", (unsigned long long)K_SADB_X_EXT_ADDRESS_DELFLOW - (extensions_seen & K_SADB_X_EXT_ADDRESS_DELFLOW), (unsigned long long)(1<<SADB_EXT_SA) - (extensions_seen & (1<<SADB_EXT_SA))); SENDERR(EINVAL); } switch(pfkey_msg->sadb_msg_type) { case K_SADB_ADD: case K_SADB_UPDATE: /* check maturity */ if(((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_state != K_SADB_SASTATE_MATURE) { DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM, "pfkey_msg_parse: " "state=%d for add or update should be MATURE=%d.\n", ((struct k_sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_state, K_SADB_SASTATE_MATURE); SENDERR(EINVAL); } /* check AH and ESP */ switch(((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_satype) { case SADB_SATYPE_AH: if(!(((struct k_sadb_sa*)extensions[SADB_EXT_SA]) && ((struct k_sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_auth != SADB_AALG_NONE)) { ERROR("pfkey_msg_parse: " "auth alg is zero, must be non-zero for AH SAs.\n"); SENDERR(EINVAL); } if(((struct k_sadb_sa*)(extensions[SADB_EXT_SA]))->sadb_sa_encrypt != SADB_EALG_NONE) { ERROR("pfkey_msg_parse: " "AH handed encalg=%d, must be zero.\n", ((struct k_sadb_sa*)(extensions[SADB_EXT_SA]))->sadb_sa_encrypt); SENDERR(EINVAL); } break; case SADB_SATYPE_ESP: if(!(((struct k_sadb_sa*)extensions[SADB_EXT_SA]) && ((struct k_sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_encrypt != SADB_EALG_NONE)) { ERROR("pfkey_msg_parse: " "encrypt alg=%d is zero, must be non-zero for ESP=%d SAs.\n", ((struct k_sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_encrypt, ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_satype); SENDERR(EINVAL); } if((((struct k_sadb_sa*)(extensions[SADB_EXT_SA]))->sadb_sa_encrypt == SADB_EALG_NULL) && (((struct k_sadb_sa*)(extensions[SADB_EXT_SA]))->sadb_sa_auth == SADB_AALG_NONE) ) { ERROR("pfkey_msg_parse: " "ESP handed encNULL+authNONE, illegal combination.\n"); SENDERR(EINVAL); } break; case K_SADB_X_SATYPE_COMP: if(!(((struct k_sadb_sa*)extensions[SADB_EXT_SA]) && ((struct k_sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_encrypt != SADB_EALG_NONE)) { ERROR("pfkey_msg_parse: " "encrypt alg=%d is zero, must be non-zero for COMP=%d SAs.\n", ((struct k_sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_encrypt, ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_satype); SENDERR(EINVAL); } if(((struct k_sadb_sa*)(extensions[SADB_EXT_SA]))->sadb_sa_auth != SADB_AALG_NONE) { ERROR("pfkey_msg_parse: " "COMP handed auth=%d, must be zero.\n", ((struct k_sadb_sa*)(extensions[SADB_EXT_SA]))->sadb_sa_auth); SENDERR(EINVAL); } break; default: break; } if(ntohl(((struct k_sadb_sa*)(extensions[SADB_EXT_SA]))->sadb_sa_spi) <= 255) { DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM, "pfkey_msg_parse: " "spi=%08x must be > 255.\n", ntohl(((struct k_sadb_sa*)(extensions[SADB_EXT_SA]))->sadb_sa_spi)); SENDERR(EINVAL); } default: break; } errlab: return error; }