pfkey_v2_parser.c

FREESWAN VPN源代码包

errlab:
	return error;
}
DEBUG_NO_STATIC int
pfkey_x_nat_t_port_process(struct sadb_ext *pfkey_ext, struct pfkey_extracted_data* extr)
{
	int error = 0;
	struct sadb_x_nat_t_port *pfkey_x_nat_t_port = (struct sadb_x_nat_t_port *)pfkey_ext;

	if(!pfkey_x_nat_t_port) {
		printk("klips_debug:pfkey_x_nat_t_port_process: "
		       "null pointer passed in\n");
		SENDERR(EINVAL);
	}

	KLIPS_PRINT(debug_pfkey,
		    "klips_debug:pfkey_x_nat_t_port_process: %d/%d.\n",
			pfkey_x_nat_t_port->sadb_x_nat_t_port_exttype,
			pfkey_x_nat_t_port->sadb_x_nat_t_port_port);

	if(!extr || !extr->tdb) {
		KLIPS_PRINT(debug_pfkey,
			    "klips_debug:pfkey_nat_t_type_process: "
			    "extr or extr->tdb is NULL, fatal\n");
		SENDERR(EINVAL);
	}

	switch(pfkey_x_nat_t_port->sadb_x_nat_t_port_exttype) {
		case SADB_X_EXT_NAT_T_SPORT:
			extr->tdb->ips_natt_sport = pfkey_x_nat_t_port->sadb_x_nat_t_port_port;
			break;
		case SADB_X_EXT_NAT_T_DPORT:
			extr->tdb->ips_natt_dport = pfkey_x_nat_t_port->sadb_x_nat_t_port_port;
			break;
		default:
			KLIPS_PRINT(debug_pfkey,
			    "klips_debug:pfkey_x_nat_t_port_process: "
			    "unknown exttype %d.\n",
			    pfkey_x_nat_t_port->sadb_x_nat_t_port_exttype);
			SENDERR(EINVAL);
			break;
	}

errlab:
	return error;
}
#endif

DEBUG_NO_STATIC int
pfkey_x_protocol_process(struct sadb_ext *pfkey_ext,
			 struct pfkey_extracted_data *extr)
{
	int error = 0;
	struct sadb_protocol * p = (struct sadb_protocol *)pfkey_ext;

	KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_x_protocol_process: %p\n", extr);
        
	if (extr == 0) {
		KLIPS_PRINT(debug_pfkey,
                      "klips_debug:pfkey_x_protocol_process:"
			    "extr is NULL, fatal\n");
		SENDERR(EINVAL);
	}
	if (extr->eroute == 0) {
		KLIPS_PRINT(debug_pfkey,
                      "klips_debug:pfkey_x_protocol_process:"
			    "extr->eroute is NULL, fatal\n");
		SENDERR(EINVAL);
	}
	extr->eroute->er_eaddr.sen_proto = p->sadb_protocol_proto;
	extr->eroute->er_emask.sen_proto = p->sadb_protocol_proto ? ~0:0;
	KLIPS_PRINT(debug_pfkey,
		    "klips_debug:pfkey_x_protocol_process: protocol = %d.\n",
		    p->sadb_protocol_proto);
 errlab:
	return error;
}


DEBUG_NO_STATIC int
pfkey_ipsec_sa_init(struct ipsec_sa *tdbp, struct sadb_ext **extensions)
{
        int error = 0;
        char sa[SATOA_BUF];
	size_t sa_len;
	char ipaddr_txt[ADDRTOA_BUF];
	char ipaddr2_txt[ADDRTOA_BUF];
#if defined (CONFIG_IPSEC_AUTH_HMAC_MD5) || defined (CONFIG_IPSEC_AUTH_HMAC_SHA1)
        int i;
	unsigned char kb[AHMD596_BLKLEN];
#endif
#ifdef CONFIG_IPSEC_ALG
	struct ipsec_alg_enc *ixt_e = NULL;
	struct ipsec_alg_auth *ixt_a = NULL;
#endif /* CONFIG_IPSEC_ALG */

	if(!tdbp) {
		KLIPS_PRINT(debug_pfkey,
			    "klips_debug:pfkey_ipsec_sa_init: "
			    "tdbp is NULL, fatal\n");
		SENDERR(EINVAL);
	}

	sa_len = satoa(tdbp->tdb_said, 0, sa, SATOA_BUF);

        KLIPS_PRINT(debug_pfkey,
		    "klips_debug:pfkey_ipsec_sa_init: "
		    "(pfkey defined) called for SA:%s\n",
		    sa_len ? sa : " (error)");

	KLIPS_PRINT(debug_pfkey,
		    "klips_debug:pfkey_ipsec_sa_init: "
		    "calling init routine of %s%s%s\n",
		    IPS_XFORM_NAME(tdbp));
	
	switch(tdbp->tdb_said.proto) {
		
#ifdef CONFIG_IPSEC_IPIP
	case IPPROTO_IPIP: {
		addrtoa(((struct sockaddr_in*)(tdbp->tdb_addr_s))->sin_addr,
			0,
			ipaddr_txt, sizeof(ipaddr_txt));
		addrtoa(((struct sockaddr_in*)(tdbp->tdb_addr_d))->sin_addr,
			0,
			ipaddr2_txt, sizeof(ipaddr_txt));
		KLIPS_PRINT(debug_pfkey,
			    "klips_debug:pfkey_ipsec_sa_init: "
			    "(pfkey defined) IPIP tdb set for %s->%s.\n",
			    ipaddr_txt,
			    ipaddr2_txt);
	}
	break;
#endif /* !CONFIG_IPSEC_IPIP */
#ifdef CONFIG_IPSEC_AH
	case IPPROTO_AH:
		switch(tdbp->tdb_authalg) {
# ifdef CONFIG_IPSEC_AUTH_HMAC_MD5
		case AH_MD5: {
			unsigned char *akp;
			unsigned int aks;
			MD5_CTX *ictx;
			MD5_CTX *octx;
			
			if(tdbp->tdb_key_bits_a != (AHMD596_KLEN * 8)) {
				KLIPS_PRINT(debug_pfkey,
					    "klips_debug:pfkey_ipsec_sa_init: "
					    "incorrect key size: %d bits -- must be %d bits\n"/*octets (bytes)\n"*/,
					    tdbp->tdb_key_bits_a, AHMD596_KLEN * 8);
				SENDERR(EINVAL);
			}
			
#  if 0 /* we don't really want to print these unless there are really big problems */
			KLIPS_PRINT(debug_pfkey && sysctl_ipsec_debug_verbose,
				    "klips_debug:pfkey_ipsec_sa_init: "
				    "hmac md5-96 key is 0x%08x %08x %08x %08x\n",
				    ntohl(*(((__u32 *)tdbp->tdb_key_a)+0)),
				    ntohl(*(((__u32 *)tdbp->tdb_key_a)+1)),
				    ntohl(*(((__u32 *)tdbp->tdb_key_a)+2)),
				    ntohl(*(((__u32 *)tdbp->tdb_key_a)+3)));
#  endif
			
			tdbp->tdb_auth_bits = AHMD596_ALEN * 8;
			
			/* save the pointer to the key material */
			akp = tdbp->tdb_key_a;
			aks = tdbp->tdb_key_a_size;
			
			if((tdbp->tdb_key_a = (caddr_t)
			    kmalloc(sizeof(struct md5_ctx), GFP_ATOMIC)) == NULL) {
				tdbp->tdb_key_a = akp;
				SENDERR(ENOMEM);
			}
			tdbp->tdb_key_a_size = sizeof(struct md5_ctx);

			for (i = 0; i < DIVUP(tdbp->tdb_key_bits_a, 8); i++) {
				kb[i] = akp[i] ^ HMAC_IPAD;
			}
			for (; i < AHMD596_BLKLEN; i++) {
				kb[i] = HMAC_IPAD;
			}

			ictx = &(((struct md5_ctx*)(tdbp->tdb_key_a))->ictx);
			MD5Init(ictx);
			MD5Update(ictx, kb, AHMD596_BLKLEN);

			for (i = 0; i < AHMD596_BLKLEN; i++) {
				kb[i] ^= (HMAC_IPAD ^ HMAC_OPAD);
			}

			octx = &(((struct md5_ctx*)(tdbp->tdb_key_a))->octx);
			MD5Init(octx);
			MD5Update(octx, kb, AHMD596_BLKLEN);
			
#  if 0 /* we don't really want to print these unless there are really big problems */
			KLIPS_PRINT(debug_pfkey && sysctl_ipsec_debug_verbose,
				    "klips_debug:pfkey_ipsec_sa_init: "
				    "MD5 ictx=0x%08x %08x %08x %08x octx=0x%08x %08x %08x %08x\n",
				    ((__u32*)ictx)[0],
				    ((__u32*)ictx)[1],
				    ((__u32*)ictx)[2],
				    ((__u32*)ictx)[3],
				    ((__u32*)octx)[0],
				    ((__u32*)octx)[1],
				    ((__u32*)octx)[2],
				    ((__u32*)octx)[3] );
#  endif
			
			/* zero key buffer -- paranoid */
			memset(akp, 0, aks);
			kfree(akp);
		}
		break;
# endif /* CONFIG_IPSEC_AUTH_HMAC_MD5 */
# ifdef CONFIG_IPSEC_AUTH_HMAC_SHA1
		case AH_SHA: {
			unsigned char *akp;
			unsigned int aks;
			SHA1_CTX *ictx;
			SHA1_CTX *octx;
			
			if(tdbp->tdb_key_bits_a != (AHSHA196_KLEN * 8)) {
				KLIPS_PRINT(debug_pfkey,
					    "klips_debug:pfkey_ipsec_sa_init: "
					    "incorrect key size: %d bits -- must be %d bits\n"/*octets (bytes)\n"*/,
					    tdbp->tdb_key_bits_a, AHSHA196_KLEN * 8);
				SENDERR(EINVAL);
			}
			
#  if 0 /* we don't really want to print these unless there are really big problems */
			KLIPS_PRINT(debug_pfkey && sysctl_ipsec_debug_verbose,
				    "klips_debug:pfkey_ipsec_sa_init: "
				    "hmac sha1-96 key is 0x%08x %08x %08x %08x\n",
				    ntohl(*(((__u32 *)tdbp->tdb_key_a)+0)),
				    ntohl(*(((__u32 *)tdbp->tdb_key_a)+1)),
				    ntohl(*(((__u32 *)tdbp->tdb_key_a)+2)),
				    ntohl(*(((__u32 *)tdbp->tdb_key_a)+3)));
#  endif
			
			tdbp->tdb_auth_bits = AHSHA196_ALEN * 8;
			
			/* save the pointer to the key material */
			akp = tdbp->tdb_key_a;
			aks = tdbp->tdb_key_a_size;
			
			if((tdbp->tdb_key_a = (caddr_t)
			    kmalloc(sizeof(struct sha1_ctx), GFP_ATOMIC)) == NULL) {
				tdbp->tdb_key_a = akp;
				SENDERR(ENOMEM);
			}
			tdbp->tdb_key_a_size = sizeof(struct sha1_ctx);

			for (i = 0; i < DIVUP(tdbp->tdb_key_bits_a, 8); i++) {
				kb[i] = akp[i] ^ HMAC_IPAD;
			}
			for (; i < AHMD596_BLKLEN; i++) {
				kb[i] = HMAC_IPAD;
			}

			ictx = &(((struct sha1_ctx*)(tdbp->tdb_key_a))->ictx);
			SHA1Init(ictx);
			SHA1Update(ictx, kb, AHSHA196_BLKLEN);

			for (i = 0; i < AHSHA196_BLKLEN; i++) {
				kb[i] ^= (HMAC_IPAD ^ HMAC_OPAD);
			}

			octx = &(((struct sha1_ctx*)(tdbp->tdb_key_a))->octx);
			SHA1Init(octx);
			SHA1Update(octx, kb, AHSHA196_BLKLEN);
			
#  if 0 /* we don't really want to print these unless there are really big problems */
			KLIPS_PRINT(debug_pfkey && sysctl_ipsec_debug_verbose,
				    "klips_debug:pfkey_ipsec_sa_init: "
				    "SHA1 ictx=0x%08x %08x %08x %08x octx=0x%08x %08x %08x %08x\n", 
				    ((__u32*)ictx)[0],
				    ((__u32*)ictx)[1],
				    ((__u32*)ictx)[2],
				    ((__u32*)ictx)[3],
				    ((__u32*)octx)[0],
				    ((__u32*)octx)[1],
				    ((__u32*)octx)[2],
				    ((__u32*)octx)[3] );
#  endif			
			/* zero key buffer -- paranoid */
			memset(akp, 0, aks);
			kfree(akp);
		}
		break;
# endif /* CONFIG_IPSEC_AUTH_HMAC_SHA1 */
		default:
			KLIPS_PRINT(debug_pfkey,
				    "klips_debug:pfkey_ipsec_sa_init: "
				    "authalg=%d support not available in the kernel",
				    tdbp->tdb_authalg);
			SENDERR(EINVAL);
		}
	break;
#endif /* CONFIG_IPSEC_AH */
#ifdef CONFIG_IPSEC_ESP
	case IPPROTO_ESP: {
#if defined (CONFIG_IPSEC_AUTH_HMAC_MD5) || defined (CONFIG_IPSEC_AUTH_HMAC_SHA1)
		unsigned char *akp;
		unsigned int aks;
#endif
#if defined (CONFIG_IPSEC_ENC_3DES)
		unsigned char *ekp;
		unsigned int eks;
#endif
		
		tdbp->tdb_iv_size = 0;
#ifdef CONFIG_IPSEC_ALG
		if ((ixt_e=IPSEC_ALG_SA_ESP_ENC(tdbp))) {
			tdbp->tdb_iv_size = ixt_e->ixt_ivlen/8;
		} else	
#endif /* CONFIG_IPSEC_ALG */
		switch(tdbp->tdb_encalg) {
# ifdef CONFIG_IPSEC_ENC_3DES
		case ESP_3DES:
# endif /* CONFIG_IPSEC_ENC_3DES */
# if defined(CONFIG_IPSEC_ENC_3DES)
			tdbp->tdb_iv_size = EMT_ESPDES_IV_SZ;
# endif /* defined(CONFIG_IPSEC_ENC_3DES) */
                case ESP_NONE:
			break;
		default:
			KLIPS_PRINT(debug_pfkey,
				    "klips_debug:pfkey_ipsec_sa_init: "
				    "encalg=%d support not available in the kernel",
				    tdbp->tdb_encalg);
			SENDERR(EINVAL);
		}

		/* Create IV */
		if (tdbp->tdb_iv_size) {
			if((tdbp->tdb_iv = (caddr_t)
			    kmalloc(tdbp->tdb_iv_size, GFP_ATOMIC)) == NULL) {
				SENDERR(ENOMEM);
			}
			get_random_bytes((void *)tdbp->tdb_iv, tdbp->tdb_iv_size);
			tdbp->tdb_iv_bits = tdbp->tdb_iv_size * 8;
		}
		
#ifdef CONFIG_IPSEC_ALG
		if (ixt_e) {
			if ((error=ipsec_alg_enc_key_create(tdbp)) < 0)
				SENDERR(-error);
		} else
#endif /* CONFIG_IPSEC_ALG */
		switch(tdbp->tdb_encalg) {
# ifdef CONFIG_IPSEC_ENC_3DES
		case ESP_3DES:
			if(tdbp->tdb_key_bits_e != (EMT_ESP3DES_KEY_SZ * 8)) {
				KLIPS_PRINT(debug_pfkey,
					    "klips_debug:pfkey_ipsec_sa_init: "
					    "incorrect encryption key size: %d bits -- must be %d bits\n"/*octets (bytes)\n"*/,
					    tdbp->tdb_key_bits_e, EMT_ESP3DES_KEY_SZ * 8);
				SENDERR(EINVAL);
			}
			
			/* save encryption key pointer */
			ekp = tdbp->tdb_key_e;
			eks = tdbp->tdb_key_e_size;
			
			if((tdbp->tdb_key_e = (caddr_t)
			    kmalloc(3 * sizeof(struct des_eks), GFP_ATOMIC)) == NULL) {
				tdbp->tdb_key_e = ekp;
				SENDERR(ENOMEM);
			}
			tdbp->tdb_key_e_size = 3 * sizeof(struct des_eks);

			for(i = 0; i < 3; i++) {
#if KLIPS_DIVULGE_CYPHER_KEY
				KLIPS_PRINT(debug_pfkey && sysctl_ipsec_debug_verbose,
					    "klips_debug:pfkey_ipsec_sa_init: "
					    "3des key %d/3 is 0x%08x%08x\n",
					    i + 1,
					    ntohl(*((__u32 *)ekp + i * 2)),
					    ntohl(*((__u32 *)ekp + i * 2 + 1)));
#  endif
#if KLIPS_FIXES_DES_PARITY				
				/* force parity */
				des_set_odd_parity((des_cblock *)(ekp + EMT_ESPDES_KEY_SZ * i));
#endif
				error = des_set_key((des_cblock *)(ekp + EMT_ESPDES_KEY_SZ * i),
						    ((struct des_eks *)(tdbp->tdb_key_e))[i].ks);
				if (error == -1)
					printk("klips_debug:pfkey_ipsec_sa_init: "
					       "parity error in des key %d/3\n",
					       i + 1);
				else if (error == -2)
					printk("klips_debug:pfkey_ipsec_sa_init: "
					       "illegal weak des key %d/3\n", i + 1);
				if (error) {
					memset(ekp, 0, eks);
					kfree(ekp);
					SENDERR(EINVAL);
				}
			}

			/* paranoid */
			memset(ekp, 0, eks);
			kfree(ekp);
			break;
# endif /* CONFIG_IPSEC_ENC_3DES */
                case ESP_NONE:
			break;
		default:
			KLIPS_PRINT(debug_pfkey,
				    "klips_debug:pfkey_ipsec_sa_init: "
				    "encalg=%d support not available in the kernel",
				    tdbp->tdb_encalg);
			SENDERR(EINVAL);
		}

#ifdef CONFIG_IPSEC_ALG
		if ((ixt_a=IPSEC_ALG_SA_ESP_AUTH(tdbp))) {
			if ((error=ipsec_alg_auth_key_create(tdbp)) < 0)
				SENDERR(-error);