root/net/pfkeyv2_convert.c

DEFINITIONS

1. import_sa
2. export_sa
3. import_lifetime
4. export_lifetime
5. import_flow
6. export_encap
7. export_flow
8. import_address
9. export_address
10. import_auth
11. import_credentials
12. import_identity
13. export_credentials
14. export_auth
15. export_identity
16. import_key
17. export_key
18. import_udpencap
19. export_udpencap
20. import_tag
21. export_tag

    1 /*      $OpenBSD: pfkeyv2_convert.c,v 1.29 2006/11/24 13:52:14 reyk Exp $       */
    2 /*
    3  * The author of this code is Angelos D. Keromytis (angelos@keromytis.org)
    4  *
    5  * Part of this code is based on code written by Craig Metz (cmetz@inner.net)
    6  * for NRL. Those licenses follow this one.
    7  *
    8  * Copyright (c) 2001 Angelos D. Keromytis.
    9  *
   10  * Permission to use, copy, and modify this software with or without fee
   11  * is hereby granted, provided that this entire notice is included in
   12  * all copies of any software which is or includes a copy or
   13  * modification of this software.
   14  * You may use this code under the GNU public license if you so wish. Please
   15  * contribute changes back to the authors under this freer than GPL license
   16  * so that we may further the use of strong encryption without limitations to
   17  * all.
   18  *
   19  * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
   20  * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
   21  * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
   22  * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
   23  * PURPOSE.
   24  */
   26 /*
   27  *      @(#)COPYRIGHT   1.1 (NRL) 17 January 1995
   28  * 
   29  * NRL grants permission for redistribution and use in source and binary
   30  * forms, with or without modification, of the software and documentation
   31  * created at NRL provided that the following conditions are met:
   32  * 
   33  * 1. Redistributions of source code must retain the above copyright
   34  *    notice, this list of conditions and the following disclaimer.
   35  * 2. Redistributions in binary form must reproduce the above copyright
   36  *    notice, this list of conditions and the following disclaimer in the
   37  *    documentation and/or other materials provided with the distribution.
   38  * 3. All advertising materials mentioning features or use of this software
   39  *    must display the following acknowledgements:
   40  *      This product includes software developed by the University of
   41  *      California, Berkeley and its contributors.
   42  *      This product includes software developed at the Information
   43  *      Technology Division, US Naval Research Laboratory.
   44  * 4. Neither the name of the NRL nor the names of its contributors
   45  *    may be used to endorse or promote products derived from this software
   46  *    without specific prior written permission.
   47  * 
   48  * THE SOFTWARE PROVIDED BY NRL IS PROVIDED BY NRL AND CONTRIBUTORS ``AS
   49  * IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
   50  * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
   51  * PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL NRL OR
   52  * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
   53  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
   54  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
   55  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
   56  * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
   57  * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
   58  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
   59  * 
   60  * The views and conclusions contained in the software and documentation
   61  * are those of the authors and should not be interpreted as representing
   62  * official policies, either expressed or implied, of the US Naval
   63  * Research Laboratory (NRL).
   64  */
   66 /*
   67  * Copyright (c) 1995, 1996, 1997, 1998, 1999 Craig Metz. All rights reserved.
   68  *
   69  * Redistribution and use in source and binary forms, with or without
   70  * modification, are permitted provided that the following conditions
   71  * are met:
   72  * 1. Redistributions of source code must retain the above copyright
   73  *    notice, this list of conditions and the following disclaimer.
   74  * 2. Redistributions in binary form must reproduce the above copyright
   75  *    notice, this list of conditions and the following disclaimer in the
   76  *    documentation and/or other materials provided with the distribution.
   77  * 3. Neither the name of the author nor the names of any contributors
   78  *    may be used to endorse or promote products derived from this software
   79  *    without specific prior written permission.
   80  *
   81  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
   82  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
   83  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
   84  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
   85  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
   86  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
   87  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
   88  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
   89  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
   90  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
   91  * SUCH DAMAGE.
   92  */
   94 #include "pf.h"
   96 #include <sys/types.h>
   97 #include <sys/param.h>
   98 #include <sys/systm.h>
   99 #include <sys/mbuf.h>
  100 #include <sys/kernel.h>
  101 #include <sys/socket.h>
  102 #include <net/route.h>
  103 #include <net/if.h>
  105 #if NPF > 0
  106 #include <net/pfvar.h>
  107 #endif
  109 #include <netinet/ip_ipsp.h>
  110 #ifdef INET6
  111 #include <netinet6/in6_var.h>
  112 #endif
  113 #include <net/pfkeyv2.h>
  114 #include <crypto/cryptodev.h>
  115 #include <crypto/xform.h>
  117 /*
  118  * (Partly) Initialize a TDB based on an SADB_SA payload. Other parts
  119  * of the TDB will be initialized by other import routines, and tdb_init().
  120  */
  121 void
import_sa(struct tdb *tdb, struct sadb_sa *sadb_sa, struct ipsecinit *ii)
  123 {
  124         if (!sadb_sa)
  125                 return;
  127         if (ii) {
ii->ii_encalg = sadb_sa->sadb_sa_encrypt;
ii->ii_authalg = sadb_sa->sadb_sa_auth;
ii->ii_compalg = sadb_sa->sadb_sa_encrypt; /* Yeurk! */
tdb->tdb_spi = sadb_sa->sadb_sa_spi;
tdb->tdb_wnd = sadb_sa->sadb_sa_replay;
  135                 if (sadb_sa->sadb_sa_flags & SADB_SAFLAGS_PFS)
tdb->tdb_flags |= TDBF_PFS;
  138                 if (sadb_sa->sadb_sa_flags & SADB_X_SAFLAGS_HALFIV)
tdb->tdb_flags |= TDBF_HALFIV;
  141                 if (sadb_sa->sadb_sa_flags & SADB_X_SAFLAGS_TUNNEL)
tdb->tdb_flags |= TDBF_TUNNELING;
  144                 if (sadb_sa->sadb_sa_flags & SADB_X_SAFLAGS_RANDOMPADDING)
tdb->tdb_flags |= TDBF_RANDOMPADDING;
  147                 if (sadb_sa->sadb_sa_flags & SADB_X_SAFLAGS_NOREPLAY)
tdb->tdb_flags |= TDBF_NOREPLAY;
  150                 if (sadb_sa->sadb_sa_flags & SADB_X_SAFLAGS_UDPENCAP)
tdb->tdb_flags |= TDBF_UDPENCAP;
  152         }
  154         if (sadb_sa->sadb_sa_state != SADB_SASTATE_MATURE)
tdb->tdb_flags |= TDBF_INVALID;
  156 }
  158 /*
  159  * Export some of the information on a TDB.
  160  */
  161 void
export_sa(void **p, struct tdb *tdb)
  163 {
  164         struct sadb_sa *sadb_sa = (struct sadb_sa *) *p;
sadb_sa->sadb_sa_len = sizeof(struct sadb_sa) / sizeof(uint64_t);
sadb_sa->sadb_sa_spi = tdb->tdb_spi;
sadb_sa->sadb_sa_replay = tdb->tdb_wnd;
  171         if (tdb->tdb_flags & TDBF_INVALID)
sadb_sa->sadb_sa_state = SADB_SASTATE_LARVAL;
  173         else
sadb_sa->sadb_sa_state = SADB_SASTATE_MATURE;
  176         if (tdb->tdb_sproto == IPPROTO_IPCOMP &&
tdb->tdb_compalgxform != NULL) {
  178                 switch (tdb->tdb_compalgxform->type) {
  179                 case CRYPTO_DEFLATE_COMP:
sadb_sa->sadb_sa_encrypt = SADB_X_CALG_DEFLATE;
  181                         break;
  182                 case CRYPTO_LZS_COMP:
sadb_sa->sadb_sa_encrypt = SADB_X_CALG_LZS;
  184                         break;
  185                 }
  186         }
  188         if (tdb->tdb_authalgxform) {
  189                 switch (tdb->tdb_authalgxform->type) {
  190                 case CRYPTO_MD5_HMAC:
sadb_sa->sadb_sa_auth = SADB_AALG_MD5HMAC;
  192                         break;
  194                 case CRYPTO_SHA1_HMAC:
sadb_sa->sadb_sa_auth = SADB_AALG_SHA1HMAC;
  196                         break;
  198                 case CRYPTO_RIPEMD160_HMAC:
sadb_sa->sadb_sa_auth = SADB_X_AALG_RIPEMD160HMAC;
  200                         break;
  202                 case CRYPTO_SHA2_256_HMAC:
sadb_sa->sadb_sa_auth = SADB_X_AALG_SHA2_256;
  204                         break;
  206                 case CRYPTO_SHA2_384_HMAC:
sadb_sa->sadb_sa_auth = SADB_X_AALG_SHA2_384;
  208                         break;
  210                 case CRYPTO_SHA2_512_HMAC:
sadb_sa->sadb_sa_auth = SADB_X_AALG_SHA2_512;
  212                         break;
  214                 case CRYPTO_MD5_KPDK:
sadb_sa->sadb_sa_auth = SADB_X_AALG_MD5;
  216                         break;
  218                 case CRYPTO_SHA1_KPDK:
sadb_sa->sadb_sa_auth = SADB_X_AALG_SHA1;
  220                         break;
  221                 }
  222         }
  224         if (tdb->tdb_encalgxform) {
  225                 switch (tdb->tdb_encalgxform->type) {
  226                 case CRYPTO_NULL:
sadb_sa->sadb_sa_encrypt = SADB_EALG_NULL;
  228                         break;
  230                 case CRYPTO_DES_CBC:
sadb_sa->sadb_sa_encrypt = SADB_EALG_DESCBC;
  232                         break;
  234                 case CRYPTO_3DES_CBC:
sadb_sa->sadb_sa_encrypt = SADB_EALG_3DESCBC;
  236                         break;
  238                 case CRYPTO_AES_CBC:
sadb_sa->sadb_sa_encrypt = SADB_X_EALG_AES;
  240                         break;
  242                 case CRYPTO_AES_CTR:
sadb_sa->sadb_sa_encrypt = SADB_X_EALG_AESCTR;
  244                         break;
  246                 case CRYPTO_CAST_CBC:
sadb_sa->sadb_sa_encrypt = SADB_X_EALG_CAST;
  248                         break;
  250                 case CRYPTO_BLF_CBC:
sadb_sa->sadb_sa_encrypt = SADB_X_EALG_BLF;
  252                         break;
  254                 case CRYPTO_SKIPJACK_CBC:
sadb_sa->sadb_sa_encrypt = SADB_X_EALG_SKIPJACK;
  256                         break;
  257                 }
  258         }
  260         if (tdb->tdb_flags & TDBF_PFS)
sadb_sa->sadb_sa_flags |= SADB_SAFLAGS_PFS;
  263         /* Only relevant for the "old" IPsec transforms. */
  264         if (tdb->tdb_flags & TDBF_HALFIV)
sadb_sa->sadb_sa_flags |= SADB_X_SAFLAGS_HALFIV;
  267         if (tdb->tdb_flags & TDBF_TUNNELING)
sadb_sa->sadb_sa_flags |= SADB_X_SAFLAGS_TUNNEL;
  270         if (tdb->tdb_flags & TDBF_RANDOMPADDING)
sadb_sa->sadb_sa_flags |= SADB_X_SAFLAGS_RANDOMPADDING;
  273         if (tdb->tdb_flags & TDBF_NOREPLAY)
sadb_sa->sadb_sa_flags |= SADB_X_SAFLAGS_NOREPLAY;
  276         *p += sizeof(struct sadb_sa);
  277 }
  279 /*
  280  * Initialize expirations and counters based on lifetime payload.
  281  */
  282 void
import_lifetime(struct tdb *tdb, struct sadb_lifetime *sadb_lifetime, int type)
  284 {
  285         struct timeval tv;
  287         if (!sadb_lifetime)
  288                 return;
getmicrotime(&tv);
  292         switch (type) {
  293         case PFKEYV2_LIFETIME_HARD:
  294                 if ((tdb->tdb_exp_allocations =
sadb_lifetime->sadb_lifetime_allocations) != 0)
tdb->tdb_flags |= TDBF_ALLOCATIONS;
  297                 else
tdb->tdb_flags &= ~TDBF_ALLOCATIONS;
  300                 if ((tdb->tdb_exp_bytes =
sadb_lifetime->sadb_lifetime_bytes) != 0)
tdb->tdb_flags |= TDBF_BYTES;
  303                 else
tdb->tdb_flags &= ~TDBF_BYTES;
  306                 if ((tdb->tdb_exp_timeout =
sadb_lifetime->sadb_lifetime_addtime) != 0) {
tdb->tdb_flags |= TDBF_TIMER;
  309                         if (tv.tv_sec + tdb->tdb_exp_timeout < tv.tv_sec)
tv.tv_sec = ((unsigned long) -1) / 2; /* XXX */
  311                         else
tv.tv_sec += tdb->tdb_exp_timeout;
timeout_add(&tdb->tdb_timer_tmo, hzto(&tv));
  314                 } else
tdb->tdb_flags &= ~TDBF_TIMER;
  317                 if ((tdb->tdb_exp_first_use =
sadb_lifetime->sadb_lifetime_usetime) != 0)
tdb->tdb_flags |= TDBF_FIRSTUSE;
  320                 else
tdb->tdb_flags &= ~TDBF_FIRSTUSE;
  322                 break;
  324         case PFKEYV2_LIFETIME_SOFT:
  325                 if ((tdb->tdb_soft_allocations =
sadb_lifetime->sadb_lifetime_allocations) != 0)
tdb->tdb_flags |= TDBF_SOFT_ALLOCATIONS;
  328                 else
tdb->tdb_flags &= ~TDBF_SOFT_ALLOCATIONS;
  331                 if ((tdb->tdb_soft_bytes =
sadb_lifetime->sadb_lifetime_bytes) != 0)
tdb->tdb_flags |= TDBF_SOFT_BYTES;
  334                 else
tdb->tdb_flags &= ~TDBF_SOFT_BYTES;
  337                 if ((tdb->tdb_soft_timeout =
sadb_lifetime->sadb_lifetime_addtime) != 0) {
tdb->tdb_flags |= TDBF_SOFT_TIMER;
  340                         if (tv.tv_sec + tdb->tdb_soft_timeout < tv.tv_sec)
tv.tv_sec = ((unsigned long) -1) / 2; /* XXX */
  342                         else
tv.tv_sec += tdb->tdb_soft_timeout;
timeout_add(&tdb->tdb_stimer_tmo, hzto(&tv));
  345                 } else
tdb->tdb_flags &= ~TDBF_SOFT_TIMER;
  348                 if ((tdb->tdb_soft_first_use =
sadb_lifetime->sadb_lifetime_usetime) != 0)
tdb->tdb_flags |= TDBF_SOFT_FIRSTUSE;
  351                 else
tdb->tdb_flags &= ~TDBF_SOFT_FIRSTUSE;
  353                 break;
  355         case PFKEYV2_LIFETIME_CURRENT:  /* Nothing fancy here. */
tdb->tdb_cur_allocations =
sadb_lifetime->sadb_lifetime_allocations;
tdb->tdb_cur_bytes = sadb_lifetime->sadb_lifetime_bytes;
tdb->tdb_established = sadb_lifetime->sadb_lifetime_addtime;
tdb->tdb_first_use = sadb_lifetime->sadb_lifetime_usetime;
  361         }
  362 }
  364 /*
  365  * Export TDB expiration information.
  366  */
  367 void
export_lifetime(void **p, struct tdb *tdb, int type)
  369 {
  370         struct sadb_lifetime *sadb_lifetime = (struct sadb_lifetime *) *p;
sadb_lifetime->sadb_lifetime_len = sizeof(struct sadb_lifetime) /
  373             sizeof(uint64_t);
  375         switch (type) {
  376         case PFKEYV2_LIFETIME_HARD:
  377                 if (tdb->tdb_flags & TDBF_ALLOCATIONS)
sadb_lifetime->sadb_lifetime_allocations =
tdb->tdb_exp_allocations;
  381                 if (tdb->tdb_flags & TDBF_BYTES)
sadb_lifetime->sadb_lifetime_bytes =
tdb->tdb_exp_bytes;
  385                 if (tdb->tdb_flags & TDBF_TIMER)
sadb_lifetime->sadb_lifetime_addtime =
tdb->tdb_exp_timeout;
  389                 if (tdb->tdb_flags & TDBF_FIRSTUSE)
sadb_lifetime->sadb_lifetime_usetime =
tdb->tdb_exp_first_use;
  392                 break;
  394         case PFKEYV2_LIFETIME_SOFT:
  395                 if (tdb->tdb_flags & TDBF_SOFT_ALLOCATIONS)
sadb_lifetime->sadb_lifetime_allocations =
tdb->tdb_soft_allocations;
  399                 if (tdb->tdb_flags & TDBF_SOFT_BYTES)
sadb_lifetime->sadb_lifetime_bytes =
tdb->tdb_soft_bytes;
  403                 if (tdb->tdb_flags & TDBF_SOFT_TIMER)
sadb_lifetime->sadb_lifetime_addtime =
tdb->tdb_soft_timeout;
  407                 if (tdb->tdb_flags & TDBF_SOFT_FIRSTUSE)
sadb_lifetime->sadb_lifetime_usetime =
tdb->tdb_soft_first_use;
  410                 break;
  412         case PFKEYV2_LIFETIME_CURRENT:
sadb_lifetime->sadb_lifetime_allocations =
tdb->tdb_cur_allocations;
sadb_lifetime->sadb_lifetime_bytes = tdb->tdb_cur_bytes;
sadb_lifetime->sadb_lifetime_addtime = tdb->tdb_established;
sadb_lifetime->sadb_lifetime_usetime = tdb->tdb_first_use;
  418                 break;
  420         case PFKEYV2_LIFETIME_LASTUSE:
sadb_lifetime->sadb_lifetime_allocations = 0;
sadb_lifetime->sadb_lifetime_bytes = 0;
sadb_lifetime->sadb_lifetime_addtime = 0;
sadb_lifetime->sadb_lifetime_usetime = tdb->tdb_last_used;
  425                 break;
  426         }
  428         *p += sizeof(struct sadb_lifetime);
  429 }
  431 /*
  432  * Import flow information to two struct sockaddr_encap's. Either
  433  * all or none of the address arguments are NULL.
  434  */
  435 void
import_flow(struct sockaddr_encap *flow, struct sockaddr_encap *flowmask,
  437     struct sadb_address *ssrc, struct sadb_address *ssrcmask,
  438     struct sadb_address *ddst, struct sadb_address *ddstmask,
  439     struct sadb_protocol *sab, struct sadb_protocol *ftype)
  440 {
u_int8_t transproto = 0;
  442         union sockaddr_union *src = (union sockaddr_union *)(ssrc + 1);
  443         union sockaddr_union *dst = (union sockaddr_union *)(ddst + 1);
  444         union sockaddr_union *srcmask = (union sockaddr_union *)(ssrcmask + 1);
  445         union sockaddr_union *dstmask = (union sockaddr_union *)(ddstmask + 1);
  447         if (ssrc == NULL)
  448                 return; /* There wasn't any information to begin with. */
bzero(flow, sizeof(*flow));
bzero(flowmask, sizeof(*flowmask));
  453         if (sab != NULL)
transproto = sab->sadb_protocol_proto;
  456         /*
  457          * Check that all the address families match. We know they are
  458          * valid and supported because pfkeyv2_parsemessage() checked that.
  459          */
  460         if ((src->sa.sa_family != dst->sa.sa_family) ||
  461             (src->sa.sa_family != srcmask->sa.sa_family) ||
  462             (src->sa.sa_family != dstmask->sa.sa_family))
  463                 return;
  465         /*
  466          * We set these as an indication that tdb_filter/tdb_filtermask are
  467          * in fact initialized.
  468          */
flow->sen_family = flowmask->sen_family = PF_KEY;
flow->sen_len = flowmask->sen_len = SENT_LEN;
  472         switch (src->sa.sa_family)
  473         {
  474 #ifdef INET
  475         case AF_INET:
  476                 /* netmask handling */
rt_maskedcopy(&src->sa, &src->sa, &srcmask->sa);
rt_maskedcopy(&dst->sa, &dst->sa, &dstmask->sa);
flow->sen_type = SENT_IP4;
flow->sen_direction = ftype->sadb_protocol_direction;
flow->sen_ip_src = src->sin.sin_addr;
flow->sen_ip_dst = dst->sin.sin_addr;
flow->sen_proto = transproto;
flow->sen_sport = src->sin.sin_port;
flow->sen_dport = dst->sin.sin_port;
flowmask->sen_type = SENT_IP4;
flowmask->sen_direction = 0xff;
flowmask->sen_ip_src = srcmask->sin.sin_addr;
flowmask->sen_ip_dst = dstmask->sin.sin_addr;
flowmask->sen_sport = srcmask->sin.sin_port;
flowmask->sen_dport = dstmask->sin.sin_port;
  494                 if (transproto)
flowmask->sen_proto = 0xff;
  496                 break;
  497 #endif /* INET */
  499 #ifdef INET6
  500         case AF_INET6:
in6_embedscope(&src->sin6.sin6_addr, &src->sin6,
NULL, NULL);
in6_embedscope(&dst->sin6.sin6_addr, &dst->sin6,
NULL, NULL);
  506                 /* netmask handling */
rt_maskedcopy(&src->sa, &src->sa, &srcmask->sa);
rt_maskedcopy(&dst->sa, &dst->sa, &dstmask->sa);
flow->sen_type = SENT_IP6;
flow->sen_ip6_direction = ftype->sadb_protocol_direction;
flow->sen_ip6_src = src->sin6.sin6_addr;
flow->sen_ip6_dst = dst->sin6.sin6_addr;
flow->sen_ip6_proto = transproto;
flow->sen_ip6_sport = src->sin6.sin6_port;
flow->sen_ip6_dport = dst->sin6.sin6_port;
flowmask->sen_type = SENT_IP6;
flowmask->sen_ip6_direction = 0xff;
flowmask->sen_ip6_src = srcmask->sin6.sin6_addr;
flowmask->sen_ip6_dst = dstmask->sin6.sin6_addr;
flowmask->sen_ip6_sport = srcmask->sin6.sin6_port;
flowmask->sen_ip6_dport = dstmask->sin6.sin6_port;
  524                 if (transproto)
flowmask->sen_ip6_proto = 0xff;
  526                 break;
  527 #endif /* INET6 */
  528         }
  529 }
  531 /*
  532  * Helper to export addresses from an struct sockaddr_encap.
  533  */
  534 static void
export_encap(void **p, struct sockaddr_encap *encap, int type)
  536 {
  537         struct sadb_address *saddr = (struct sadb_address *)*p;
  538         union sockaddr_union *sunion;
  540         *p += sizeof(struct sadb_address);
sunion = (union sockaddr_union *)*p;
  543         switch (encap->sen_type) {
  544         case SENT_IP4:
saddr->sadb_address_len = (sizeof(struct sadb_address) +
PADUP(sizeof(struct sockaddr_in))) / sizeof(uint64_t);
sunion->sa.sa_len = sizeof(struct sockaddr_in);
sunion->sa.sa_family = AF_INET;
  549                 if (type == SADB_X_EXT_SRC_FLOW ||
type == SADB_X_EXT_SRC_MASK) {
sunion->sin.sin_addr = encap->sen_ip_src;
sunion->sin.sin_port = encap->sen_sport;
  553                 } else {
sunion->sin.sin_addr = encap->sen_ip_dst;
sunion->sin.sin_port = encap->sen_dport;
  556                 }
  557                 *p += PADUP(sizeof(struct sockaddr_in));
  558                 break;
  559         case SENT_IP6:
saddr->sadb_address_len = (sizeof(struct sadb_address)
  561                     + PADUP(sizeof(struct sockaddr_in6))) / sizeof(uint64_t);
sunion->sa.sa_len = sizeof(struct sockaddr_in6);
sunion->sa.sa_family = AF_INET6;
  564                 if (type == SADB_X_EXT_SRC_FLOW ||
type == SADB_X_EXT_SRC_MASK) {
sunion->sin6.sin6_addr = encap->sen_ip6_src;
sunion->sin6.sin6_port = encap->sen_ip6_sport;
  568                 } else {
sunion->sin6.sin6_addr = encap->sen_ip6_dst;
sunion->sin6.sin6_port = encap->sen_ip6_dport;
  571                 }
  572                 *p += PADUP(sizeof(struct sockaddr_in6));
  573                 break;
  574         }
  575 }
  577 /*
  578  * Export flow information from two struct sockaddr_encap's.
  579  */
  580 void
export_flow(void **p, u_int8_t ftype, struct sockaddr_encap *flow,
  582     struct sockaddr_encap *flowmask, void **headers)
  583 {
  584         struct sadb_protocol *sab;
headers[SADB_X_EXT_FLOW_TYPE] = *p;
sab = (struct sadb_protocol *)*p;
sab->sadb_protocol_len = sizeof(struct sadb_protocol) /
  589             sizeof(uint64_t);
  591         switch (ftype) {
  592         case IPSP_IPSEC_USE:
sab->sadb_protocol_proto = SADB_X_FLOW_TYPE_USE;
  594                 break;
  595         case IPSP_IPSEC_ACQUIRE:
sab->sadb_protocol_proto = SADB_X_FLOW_TYPE_ACQUIRE;
  597                 break;
  598         case IPSP_IPSEC_REQUIRE:
sab->sadb_protocol_proto = SADB_X_FLOW_TYPE_REQUIRE;
  600                 break;
  601         case IPSP_DENY:
sab->sadb_protocol_proto = SADB_X_FLOW_TYPE_DENY;
  603                 break;
  604         case IPSP_PERMIT:
sab->sadb_protocol_proto = SADB_X_FLOW_TYPE_BYPASS;
  606                 break;
  607         case IPSP_IPSEC_DONTACQ:
sab->sadb_protocol_proto = SADB_X_FLOW_TYPE_DONTACQ;
  609                 break;
  610         default:
sab->sadb_protocol_proto = 0;
  612                 break;
  613         }
  615         switch (flow->sen_type) {
  616 #ifdef INET
  617         case SENT_IP4:
sab->sadb_protocol_direction = flow->sen_direction;
  619                 break;
  620 #endif /* INET */
  621 #ifdef INET6
  622         case SENT_IP6:
sab->sadb_protocol_direction = flow->sen_ip6_direction;
  624                 break;
  625 #endif /* INET6 */
  626         }
  627         *p += sizeof(struct sadb_protocol);
headers[SADB_X_EXT_PROTOCOL] = *p;
sab = (struct sadb_protocol *)*p;
sab->sadb_protocol_len = sizeof(struct sadb_protocol) /
  632             sizeof(uint64_t);
  633         switch (flow->sen_type) {
  634 #ifdef INET
  635         case SENT_IP4:
sab->sadb_protocol_proto = flow->sen_proto;
  637                 break;
  638 #endif /* INET */
  639 #ifdef INET6
  640         case SENT_IP6:
sab->sadb_protocol_proto = flow->sen_ip6_proto;
  642                 break;
  643 #endif /* INET6 */
  644         }
  645         *p += sizeof(struct sadb_protocol);
headers[SADB_X_EXT_SRC_FLOW] = *p;
export_encap(p, flow, SADB_X_EXT_SRC_FLOW);
headers[SADB_X_EXT_SRC_MASK] = *p;
export_encap(p, flowmask, SADB_X_EXT_SRC_MASK);
headers[SADB_X_EXT_DST_FLOW] = *p;
export_encap(p, flow, SADB_X_EXT_DST_FLOW);
headers[SADB_X_EXT_DST_MASK] = *p;
export_encap(p, flowmask, SADB_X_EXT_DST_MASK);
  658 }
  660 /*
  661  * Copy an SADB_ADDRESS payload to a struct sockaddr.
  662  */
  663 void
import_address(struct sockaddr *sa, struct sadb_address *sadb_address)
  665 {
  666         int salen;
  667         struct sockaddr *ssa = (struct sockaddr *)((void *) sadb_address +
  668             sizeof(struct sadb_address));
  670         if (!sadb_address)
  671                 return;
  673         if (ssa->sa_len)
salen = ssa->sa_len;
  675         else
  676                 switch (ssa->sa_family) {
  677 #ifdef INET
  678                 case AF_INET:
salen = sizeof(struct sockaddr_in);
  680                         break;
  681 #endif /* INET */
  683 #if INET6
  684                 case AF_INET6:
salen = sizeof(struct sockaddr_in6);
  686                         break;
  687 #endif /* INET6 */
  689                 default:
  690                         return;
  691                 }
bcopy(ssa, sa, salen);
sa->sa_len = salen;
  695 }
  697 /*
  698  * Export a struct sockaddr as an SADB_ADDRESS payload.
  699  */
  700 void
export_address(void **p, struct sockaddr *sa)
  702 {
  703         struct sadb_address *sadb_address = (struct sadb_address *) *p;
sadb_address->sadb_address_len = (sizeof(struct sadb_address) +
PADUP(SA_LEN(sa))) / sizeof(uint64_t);
  708         *p += sizeof(struct sadb_address);
bcopy(sa, *p, SA_LEN(sa));
  710         ((struct sockaddr *) *p)->sa_family = sa->sa_family;
  711         *p += PADUP(SA_LEN(sa));
  712 }
  714 /*
  715  * Import authentication information into the TDB.
  716  */
  717 void
import_auth(struct tdb *tdb, struct sadb_x_cred *sadb_auth, int dstauth)
  719 {
  720         struct ipsec_ref **ipr;
  722         if (!sadb_auth)
  723                 return;
  725         if (dstauth == PFKEYV2_AUTH_REMOTE)
ipr = &tdb->tdb_remote_auth;
  727         else
ipr = &tdb->tdb_local_auth;
MALLOC(*ipr, struct ipsec_ref *, EXTLEN(sadb_auth) -
  731             sizeof(struct sadb_x_cred) + sizeof(struct ipsec_ref),
M_CREDENTIALS, M_WAITOK);
  733         (*ipr)->ref_len = EXTLEN(sadb_auth) - sizeof(struct sadb_x_cred);
  735         switch (sadb_auth->sadb_x_cred_type) {
  736         case SADB_X_AUTHTYPE_PASSPHRASE:
  737                 (*ipr)->ref_type = IPSP_AUTH_PASSPHRASE;
  738                 break;
  739         case SADB_X_AUTHTYPE_RSA:
  740                 (*ipr)->ref_type = IPSP_AUTH_RSA;
  741                 break;
  742         default:
FREE(*ipr, M_CREDENTIALS);
  744                 *ipr = NULL;
  745                 return;
  746         }
  747         (*ipr)->ref_count = 1;
  748         (*ipr)->ref_malloctype = M_CREDENTIALS;
bcopy((void *) sadb_auth + sizeof(struct sadb_x_cred),
  750             (*ipr) + 1, (*ipr)->ref_len);
  751 }
  753 /*
  754  * Import a set of credentials into the TDB.
  755  */
  756 void
import_credentials(struct tdb *tdb, struct sadb_x_cred *sadb_cred, int dstcred)
  758 {
  759         struct ipsec_ref **ipr;
  761         if (!sadb_cred)
  762                 return;
  764         if (dstcred == PFKEYV2_CRED_REMOTE)
ipr = &tdb->tdb_remote_cred;
  766         else
ipr = &tdb->tdb_local_cred;
MALLOC(*ipr, struct ipsec_ref *, EXTLEN(sadb_cred) -
  770             sizeof(struct sadb_x_cred) + sizeof(struct ipsec_ref),
M_CREDENTIALS, M_WAITOK);
  772         (*ipr)->ref_len = EXTLEN(sadb_cred) - sizeof(struct sadb_x_cred);
  774         switch (sadb_cred->sadb_x_cred_type) {
  775         case SADB_X_CREDTYPE_X509:
  776                 (*ipr)->ref_type = IPSP_CRED_X509;
  777                 break;
  778         case SADB_X_CREDTYPE_KEYNOTE:
  779                 (*ipr)->ref_type = IPSP_CRED_KEYNOTE;
  780                 break;
  781         default:
FREE(*ipr, M_CREDENTIALS);
  783                 *ipr = NULL;
  784                 return;
  785         }
  786         (*ipr)->ref_count = 1;
  787         (*ipr)->ref_malloctype = M_CREDENTIALS;
bcopy((void *) sadb_cred + sizeof(struct sadb_x_cred),
  789             (*ipr) + 1, (*ipr)->ref_len);
  790 }
  792 /*
  793  * Import an identity payload into the TDB.
  794  */
  795 void
import_identity(struct tdb *tdb, struct sadb_ident *sadb_ident, int type)
  797 {
  798         struct ipsec_ref **ipr;
  800         if (!sadb_ident)
  801                 return;
  803         if (type == PFKEYV2_IDENTITY_SRC)
ipr = &tdb->tdb_srcid;
  805         else
ipr = &tdb->tdb_dstid;
MALLOC(*ipr, struct ipsec_ref *, EXTLEN(sadb_ident) -
  809             sizeof(struct sadb_ident) + sizeof(struct ipsec_ref),
M_CREDENTIALS, M_WAITOK);
  811         (*ipr)->ref_len = EXTLEN(sadb_ident) - sizeof(struct sadb_ident);
  813         switch (sadb_ident->sadb_ident_type) {
  814         case SADB_IDENTTYPE_PREFIX:
  815                 (*ipr)->ref_type = IPSP_IDENTITY_PREFIX;
  816                 break;
  817         case SADB_IDENTTYPE_FQDN:
  818                 (*ipr)->ref_type = IPSP_IDENTITY_FQDN;
  819                 break;
  820         case SADB_IDENTTYPE_USERFQDN:
  821                 (*ipr)->ref_type = IPSP_IDENTITY_USERFQDN;
  822                 break;
  823         case SADB_X_IDENTTYPE_CONNECTION:
  824                 (*ipr)->ref_type = IPSP_IDENTITY_CONNECTION;
  825                 break;
  826         default:
FREE(*ipr, M_CREDENTIALS);
  828                 *ipr = NULL;
  829                 return;
  830         }
  831         (*ipr)->ref_count = 1;
  832         (*ipr)->ref_malloctype = M_CREDENTIALS;
bcopy((void *) sadb_ident + sizeof(struct sadb_ident), (*ipr) + 1,
  834             (*ipr)->ref_len);
  835 }
  837 void
export_credentials(void **p, struct tdb *tdb, int dstcred)
  839 {
  840         struct ipsec_ref **ipr;
  841         struct sadb_x_cred *sadb_cred = (struct sadb_x_cred *) *p;
  843         if (dstcred == PFKEYV2_CRED_REMOTE)
ipr = &tdb->tdb_remote_cred;
  845         else
ipr = &tdb->tdb_local_cred;
sadb_cred->sadb_x_cred_len = (sizeof(struct sadb_x_cred) +
PADUP((*ipr)->ref_len)) / sizeof(uint64_t);
  851         switch ((*ipr)->ref_type) {
  852         case IPSP_CRED_KEYNOTE:
sadb_cred->sadb_x_cred_type = SADB_X_CREDTYPE_KEYNOTE;
  854                 break;
  855         case IPSP_CRED_X509:
sadb_cred->sadb_x_cred_type = SADB_X_CREDTYPE_X509;
  857                 break;
  858         }
  859         *p += sizeof(struct sadb_x_cred);
bcopy((*ipr) + 1, *p, (*ipr)->ref_len);
  861         *p += PADUP((*ipr)->ref_len);
  862 }
  864 void
export_auth(void **p, struct tdb *tdb, int dstauth)
  866 {
  867         struct ipsec_ref **ipr;
  868         struct sadb_x_cred *sadb_auth = (struct sadb_x_cred *) *p;
  870         if (dstauth == PFKEYV2_AUTH_REMOTE)
ipr = &tdb->tdb_remote_auth;
  872         else
ipr = &tdb->tdb_local_auth;
sadb_auth->sadb_x_cred_len = (sizeof(struct sadb_x_cred) +
PADUP((*ipr)->ref_len)) / sizeof(uint64_t);
  878         switch ((*ipr)->ref_type) {
  879         case IPSP_AUTH_PASSPHRASE:
sadb_auth->sadb_x_cred_type = SADB_X_AUTHTYPE_PASSPHRASE;
  881                 break;
  882         case IPSP_AUTH_RSA:
sadb_auth->sadb_x_cred_type = SADB_X_AUTHTYPE_RSA;
  884                 break;
  885         }
  886         *p += sizeof(struct sadb_x_cred);
bcopy((*ipr) + 1, *p, (*ipr)->ref_len);
  888         *p += PADUP((*ipr)->ref_len);
  889 }
  891 void
export_identity(void **p, struct tdb *tdb, int type)
  893 {
  894         struct ipsec_ref **ipr;
  895         struct sadb_ident *sadb_ident = (struct sadb_ident *) *p;
  897         if (type == PFKEYV2_IDENTITY_SRC)
ipr = &tdb->tdb_srcid;
  899         else
ipr = &tdb->tdb_dstid;
sadb_ident->sadb_ident_len = (sizeof(struct sadb_ident) +
PADUP((*ipr)->ref_len)) / sizeof(uint64_t);
  905         switch ((*ipr)->ref_type) {
  906         case IPSP_IDENTITY_PREFIX:
sadb_ident->sadb_ident_type = SADB_IDENTTYPE_PREFIX;
  908                 break;
  909         case IPSP_IDENTITY_FQDN:
sadb_ident->sadb_ident_type = SADB_IDENTTYPE_FQDN;
  911                 break;
  912         case IPSP_IDENTITY_USERFQDN:
sadb_ident->sadb_ident_type = SADB_IDENTTYPE_USERFQDN;
  914                 break;
  915         case IPSP_IDENTITY_CONNECTION:
sadb_ident->sadb_ident_type = SADB_X_IDENTTYPE_CONNECTION;
  917                 break;
  918         }
  919         *p += sizeof(struct sadb_ident);
bcopy((*ipr) + 1, *p, (*ipr)->ref_len);
  921         *p += PADUP((*ipr)->ref_len);
  922 }
  924 /* ... */
  925 void
import_key(struct ipsecinit *ii, struct sadb_key *sadb_key, int type)
  927 {
  928         if (!sadb_key)
  929                 return;
  931         if (type == PFKEYV2_ENCRYPTION_KEY) { /* Encryption key */
ii->ii_enckeylen = sadb_key->sadb_key_bits / 8;
ii->ii_enckey = (void *)sadb_key + sizeof(struct sadb_key);
  934         } else {
ii->ii_authkeylen = sadb_key->sadb_key_bits / 8;
ii->ii_authkey = (void *)sadb_key + sizeof(struct sadb_key);
  937         }
  938 }
  940 void
export_key(void **p, struct tdb *tdb, int type)
  942 {
  943         struct sadb_key *sadb_key = (struct sadb_key *) *p;
  945         if (type == PFKEYV2_ENCRYPTION_KEY) {
sadb_key->sadb_key_len = (sizeof(struct sadb_key) +
PADUP(tdb->tdb_emxkeylen)) /
  948                     sizeof(uint64_t);
sadb_key->sadb_key_bits = tdb->tdb_emxkeylen * 8;
  950                 *p += sizeof(struct sadb_key);
bcopy(tdb->tdb_emxkey, *p, tdb->tdb_emxkeylen);
  952                 *p += PADUP(tdb->tdb_emxkeylen);
  953         } else {
sadb_key->sadb_key_len = (sizeof(struct sadb_key) +
PADUP(tdb->tdb_amxkeylen)) /
  956                     sizeof(uint64_t);
sadb_key->sadb_key_bits = tdb->tdb_amxkeylen * 8;
  958                 *p += sizeof(struct sadb_key);
bcopy(tdb->tdb_amxkey, *p, tdb->tdb_amxkeylen);
  960                 *p += PADUP(tdb->tdb_amxkeylen);
  961         }
  962 }
  964 /* Import/Export remote port for UDP Encapsulation */
  965 void
import_udpencap(struct tdb *tdb, struct sadb_x_udpencap *sadb_udpencap)
  967 {
  968         if (sadb_udpencap)
tdb->tdb_udpencap_port = sadb_udpencap->sadb_x_udpencap_port;
  970 }
  972 void
export_udpencap(void **p, struct tdb *tdb)
  974 {
  975         struct sadb_x_udpencap *sadb_udpencap = (struct sadb_x_udpencap *) *p;
sadb_udpencap->sadb_x_udpencap_port = tdb->tdb_udpencap_port;
sadb_udpencap->sadb_x_udpencap_reserved = 0;
sadb_udpencap->sadb_x_udpencap_len =
  980             sizeof(struct sadb_x_udpencap) / sizeof(uint64_t);
  981         *p += sizeof(struct sadb_x_udpencap);
  982 }
  984 #if NPF > 0
  985 /* Import PF tag information for SA */
  986 void
import_tag(struct tdb *tdb, struct sadb_x_tag *stag)
  988 {
  989         char *s;
  991         if (stag) {
s = (char *)(stag + 1);
tdb->tdb_tag = pf_tagname2tag(s);
  994         }
  995 }
  997 /* Export PF tag information for SA */
  998 void
export_tag(void **p, struct tdb *tdb)
 1000 {
 1001         struct sadb_x_tag *stag = (struct sadb_x_tag *)*p;
 1002         char *s = (char *)(stag + 1);
pf_tag2tagname(tdb->tdb_tag, s);
stag->sadb_x_tag_taglen = strlen(s) + 1;
stag->sadb_x_tag_len = (sizeof(struct sadb_x_tag) +
PADUP(stag->sadb_x_tag_taglen)) / sizeof(uint64_t);
 1008         *p += PADUP(stag->sadb_x_tag_taglen) + sizeof(struct sadb_x_tag);
 1009 }
 1010 #endif