pfkey_ext->sadb_ext_type, pfkey_v2_sadb_ext_string(pfkey_ext->sadb_ext_type)); SENDERR(EINVAL); } /* Do I even know about this type of extension? */ if(ext_parsers[pfkey_ext->sadb_ext_type]==NULL) { DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM, "pfkey_msg_parse: " "ext type %d(%s) unknown, ignoring.\n", pfkey_ext->sadb_ext_type, pfkey_v2_sadb_ext_string(pfkey_ext->sadb_ext_type)); goto next_ext; } /* Is this type of extension permitted for this type of message? */ if(!(extensions_bitmaps[dir][EXT_BITS_PERM][pfkey_msg->sadb_msg_type] & 1<<pfkey_ext->sadb_ext_type)) { DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM, "pfkey_msg_parse: " "ext type %d(%s) not permitted, exts_perm_in=%08x, 1<<type=%08x\n", pfkey_ext->sadb_ext_type, pfkey_v2_sadb_ext_string(pfkey_ext->sadb_ext_type), extensions_bitmaps[dir][EXT_BITS_PERM][pfkey_msg->sadb_msg_type], 1<<pfkey_ext->sadb_ext_type); SENDERR(EINVAL); } DEBUGGING(PF_KEY_DEBUG_PARSE_STRUCT, "pfkey_msg_parse: " "remain=%d ext_type=%d(%s) ext_len=%d parsing ext 0p%p with parser %s.\n", remain, pfkey_ext->sadb_ext_type, pfkey_v2_sadb_ext_string(pfkey_ext->sadb_ext_type), pfkey_ext->sadb_ext_len, pfkey_ext, ext_parsers[pfkey_ext->sadb_ext_type]->parser_name); /* Parse the extension */ if((error = (*ext_parsers[pfkey_ext->sadb_ext_type]->parser)(pfkey_ext))) { DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM, "pfkey_msg_parse: " "extension parsing for type %d(%s) failed with error %d.\n", pfkey_ext->sadb_ext_type, pfkey_v2_sadb_ext_string(pfkey_ext->sadb_ext_type), error); SENDERR(-error); } DEBUGGING(PF_KEY_DEBUG_PARSE_FLOW, "pfkey_msg_parse: " "Extension %d(%s) parsed.\n", pfkey_ext->sadb_ext_type, pfkey_v2_sadb_ext_string(pfkey_ext->sadb_ext_type)); /* Mark that we have seen this extension and remember the header location */ extensions_seen |= ( 1 << pfkey_ext->sadb_ext_type ); extensions[pfkey_ext->sadb_ext_type] = pfkey_ext; next_ext: /* Calculate how much message remains */ remain -= pfkey_ext->sadb_ext_len; if(!remain) { break; } /* Find the next extension 
header */ pfkey_ext = (struct sadb_ext*)((char*)pfkey_ext + pfkey_ext->sadb_ext_len * IPSEC_PFKEYv2_ALIGN); } if(remain) { DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM, "pfkey_msg_parse: " "unexpected remainder of %d.\n", remain); /* why is there still something remaining? */ SENDERR(EINVAL); } /* check required extensions */ DEBUGGING(PF_KEY_DEBUG_PARSE_STRUCT, "pfkey_msg_parse: " "extensions permitted=%08x, seen=%08x, required=%08x.\n", extensions_bitmaps[dir][EXT_BITS_PERM][pfkey_msg->sadb_msg_type], extensions_seen, extensions_bitmaps[dir][EXT_BITS_REQ][pfkey_msg->sadb_msg_type]); /* don't check further if it is an error return message since it may not have a body */ if(pfkey_msg->sadb_msg_errno) { SENDERR(-error); } if((extensions_seen & extensions_bitmaps[dir][EXT_BITS_REQ][pfkey_msg->sadb_msg_type]) != extensions_bitmaps[dir][EXT_BITS_REQ][pfkey_msg->sadb_msg_type]) { DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM, "pfkey_msg_parse: " "required extensions missing:%08x.\n", extensions_bitmaps[dir][EXT_BITS_REQ][pfkey_msg->sadb_msg_type] - (extensions_seen & extensions_bitmaps[dir][EXT_BITS_REQ][pfkey_msg->sadb_msg_type])); SENDERR(EINVAL); } if((dir == EXT_BITS_IN) && (pfkey_msg->sadb_msg_type == SADB_X_DELFLOW) && ((extensions_seen & SADB_X_EXT_ADDRESS_DELFLOW) != SADB_X_EXT_ADDRESS_DELFLOW) && (((extensions_seen & (1<<SADB_EXT_SA)) != (1<<SADB_EXT_SA)) || ((((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_flags & SADB_X_SAFLAGS_CLEARFLOW) != SADB_X_SAFLAGS_CLEARFLOW))) { DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM, "pfkey_msg_parse: " "required SADB_X_DELFLOW extensions missing: either %08x must be present or %08x must be present with SADB_X_SAFLAGS_CLEARFLOW set.\n", SADB_X_EXT_ADDRESS_DELFLOW - (extensions_seen & SADB_X_EXT_ADDRESS_DELFLOW), (1<<SADB_EXT_SA) - (extensions_seen & (1<<SADB_EXT_SA))); SENDERR(EINVAL); } switch(pfkey_msg->sadb_msg_type) { case SADB_ADD: case SADB_UPDATE: /* check maturity */ if(((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_state != 
SADB_SASTATE_MATURE) { DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM, "pfkey_msg_parse: " "state=%d for add or update should be MATURE=%d.\n", ((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_state, SADB_SASTATE_MATURE); SENDERR(EINVAL); } /* check AH and ESP */ switch(((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_satype) { case SADB_SATYPE_AH: if(!(((struct sadb_sa*)extensions[SADB_EXT_SA]) && ((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_auth != SADB_AALG_NONE)) { DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM, "pfkey_msg_parse: " "auth alg is zero, must be non-zero for AH SAs.\n"); SENDERR(EINVAL); } if(((struct sadb_sa*)(extensions[SADB_EXT_SA]))->sadb_sa_encrypt != SADB_EALG_NONE) { DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM, "pfkey_msg_parse: " "AH handed encalg=%d, must be zero.\n", ((struct sadb_sa*)(extensions[SADB_EXT_SA]))->sadb_sa_encrypt); SENDERR(EINVAL); } break; case SADB_SATYPE_ESP: if(!(((struct sadb_sa*)extensions[SADB_EXT_SA]) && ((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_encrypt != SADB_EALG_NONE)) { DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM, "pfkey_msg_parse: " "encrypt alg=%d is zero, must be non-zero for ESP=%d SAs.\n", ((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_encrypt, ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_satype); SENDERR(EINVAL); } if((((struct sadb_sa*)(extensions[SADB_EXT_SA]))->sadb_sa_encrypt == SADB_EALG_NULL) && (((struct sadb_sa*)(extensions[SADB_EXT_SA]))->sadb_sa_auth == SADB_AALG_NONE) ) { DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM, "pfkey_msg_parse: " "ESP handed encNULL+authNONE, illegal combination.\n"); SENDERR(EINVAL); } break; case SADB_X_SATYPE_COMP: if(!(((struct sadb_sa*)extensions[SADB_EXT_SA]) && ((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_encrypt != SADB_EALG_NONE)) { DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM, "pfkey_msg_parse: " "encrypt alg=%d is zero, must be non-zero for COMP=%d SAs.\n", ((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_encrypt, ((struct 
sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_satype); SENDERR(EINVAL); } if(((struct sadb_sa*)(extensions[SADB_EXT_SA]))->sadb_sa_auth != SADB_AALG_NONE) { DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM, "pfkey_msg_parse: " "COMP handed auth=%d, must be zero.\n", ((struct sadb_sa*)(extensions[SADB_EXT_SA]))->sadb_sa_auth); SENDERR(EINVAL); } break; default: break; } if(ntohl(((struct sadb_sa*)(extensions[SADB_EXT_SA]))->sadb_sa_spi) <= 255) { DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM, "pfkey_msg_parse: " "spi=%08x must be > 255.\n", ntohl(((struct sadb_sa*)(extensions[SADB_EXT_SA]))->sadb_sa_spi)); SENDERR(EINVAL); } default: break; }errlab: return error;}/* * $Log: pfkey_v2_parse.c,v $ * Revision 1.63 2004/10/28 22:54:10 mcr * results from valgrind, thanks to: Harald Hoyer <harald@redhat.com> * * Revision 1.62 2004/10/03 01:26:36 mcr * fixes for gcc 3.4 compilation. * * Revision 1.61 2004/07/10 19:11:18 mcr * CONFIG_IPSEC -> CONFIG_KLIPS. * * Revision 1.59 2004/04/18 03:03:49 mcr * renamed common include files from pluto directory. * * Revision 1.58 2004/03/08 01:59:08 ken * freeswan.h -> openswan.h * * Revision 1.57 2003/12/10 01:20:19 mcr * NAT-traversal patches to KLIPS. * * Revision 1.56 2003/12/04 23:01:12 mcr * removed ipsec_netlink.h * * Revision 1.55 2003/11/07 01:30:37 ken * Cast sizeof() to int to keep things 64bit clean * * Revision 1.54 2003/10/31 02:27:12 mcr * pulled up port-selector patches and sa_id elimination. * * Revision 1.53.20.2 2003/10/29 01:11:32 mcr * added debugging for pfkey library. * * Revision 1.53.20.1 2003/09/21 13:59:44 mcr * pre-liminary X.509 patch - does not yet pass tests. * * Revision 1.53 2003/01/30 02:32:09 rgb * * Rename SAref table macro names for clarity. * Convert IPsecSAref_t from signed to unsigned to fix apparent SAref exhaustion bug. * * Revision 1.52 2002/12/30 06:53:07 mcr * deal with short SA structures... #if 0 out for now. Probably * not quite the right way. 
 * * Revision 1.51 2002/12/13 18:16:02 mcr * restored sa_ref code * * Revision 1.50 2002/12/13 18:06:52 mcr * temporarily removed sadb_x_sa_ref reference for 2.xx * * Revision 1.49 2002/10/05 05:02:58 dhr * * C labels go on statements * * Revision 1.48 2002/09/20 15:40:45 rgb * Added sadb_x_sa_ref to struct sadb_sa. * * Revision 1.47 2002/09/20 05:01:31 rgb * Fixed usage of pfkey_lib_debug. * Format for function declaration style consistency. * Added text labels to elucidate numeric values presented. * Re-organised debug output to reduce noise in output. * * Revision 1.46 2002/07/24 18:44:54 rgb * Type fiddling to tame ia64 compiler. * * Revision 1.45 2002/05/23 07:14:11 rgb * Cleaned up %p variants to 0p%p for test suite cleanup. * * Revision 1.44 2002/04/24 07:55:32 mcr * #include patches and Makefiles for post-reorg compilation. * * Revision 1.43 2002/04/24 07:36:40 mcr * Moved from ./lib/pfkey_v2_parse.c,v * * Revision 1.42 2002/01/29 22:25:36 rgb * Re-add ipsec_kversion.h to keep MALLOC happy. * * Revision 1.41 2002/01/29 01:59:10 mcr * removal of kversions.h - sources that needed it now use ipsec_param.h. * updating of IPv6 structures to match latest in6.h version. * removed dead code from openswan.h that also duplicated kversions.h * code. * * Revision 1.40 2002/01/20 20:34:50 mcr * added pfkey_v2_sadb_type_string to decode sadb_type to string. * * Revision 1.39 2001/11/27 05:29:22 mcr * pfkey parses are now maintained by a structure * that includes their name for debug purposes. * DEBUGGING() macro changed so that it takes a debug * level so that pf_key() can use this to decode the * structures without inundating humans. * Also uses pfkey_v2_sadb_ext_string() in messages. * * Revision 1.38 2001/11/06 19:47:47 rgb * Added packet parameter to lifetime and comb structures. * * Revision 1.37 2001/10/18 04:45:24 rgb * 2.4.9 kernel deprecates linux/malloc.h in favour of linux/slab.h, * lib/openswan.h version macros moved to lib/kversions.h. 
* Other compiler directive cleanups. * * Revision 1.36 2001/06/14 19:35:16 rgb * Update copyright date. * * Revision 1.35 2001/05/03 19:44:51 rgb * Standardise on SENDERR() macro. * * Revision 1.34 2001/03/16 07:41:51 rgb * Put openswan.h include before pluto includes. * * Revision 1.33 2001/02/27 07:13:51 rgb * Added satype2name() function. * Added text to default satype_tbl entry. * Added satype2name() conversions for most satype debug output. * * Revision 1.32 2001/02/26 20:01:09 rgb * Added internal IP protocol 61 for magic SAs. * Ditch unused sadb_satype2proto[], replaced by satype2proto(). * Re-formatted debug output (split lines, consistent spacing). * Removed acquire, register and expire requirements for a known satype. * Changed message type checking to a switch structure. * Verify expected NULL auth for IPCOMP. * Enforced spi > 0x100 requirement, now that pass uses a magic SA for * appropriate message types. * * Revision 1.31 2000/12/01 07:09:00 rgb * Added ipcomp sanity check to require encalgo is set. * * Revision 1.30 2000/11/17 18:10:30 rgb * Fixed bugs mostly relating to spirange, to treat all spi variables as * network byte order since this is the way PF_KEYv2 stored spis. * * Revision 1.29 2000/10/12 00:02:39 rgb * Removed 'format, ##' nonsense from debug macros for RH7.0. * * Revision 1.28 2000/09/20 16:23:04 rgb * Remove over-paranoid extension check in the presence of sadb_msg_errno. * * Revision 1.27 2000/09/20 04:04:21 rgb * Changed static functions to DEBUG_NO_STATIC to reveal function names in * oopsen. * * Revision 1.26 2000/09/15 11:37:02 rgb * Merge in heavily modified Svenning Soerensen's <svenning@post5.tele.dk> * IPCOMP zlib deflate code. * * Revision 1.25 2000/09/12 22:35:37 rgb * Restructured to remove unused extensions from CLEARFLOW messages. * * Revision 1.24 2000/09/12 18:59:54 rgb * Added Gerhard's IPv6 support to pfkey parts of libopenswan. 
* * Revision 1.23 2000/09/12 03:27:00 rgb * Moved DEBUGGING definition to compile kernel with debug off. * * Revision 1.22 2000/09/09 06:39:27 rgb * Restrict pfkey errno check to downward messages only. * * Revision 1.21 2000/09/08 19:22:34 rgb * Enabled pfkey_sens_parse(). * Added check for errno on downward acquire messages only. * * Revision 1.20 2000/09/01 18:48:23 rgb * Fixed reserved check bug and added debug output in * pfkey_supported_parse(). * Fixed debug output label bug in pfkey_ident_parse(). * * Revision 1.19 2000/08/27 01:55:26 rgb * Define OCTETBITS and PFKEYBITS to avoid using 'magic' numbers in code. * * Revision 1.18 2000/08/24 17:00:36 rgb * Ignore unknown extensions instead of failing. * * Revision 1.17 2000/06/02 22:54:14 rgb * Added Gerhard Gessler's struct sockaddr_storage mods for IPv6 support. * * Revision 1.16 2000/05/10 19:25:11 rgb * Fleshed out proposal and supported extensions. * * Revision 1.15 2000/01/24 21:15:31 rgb * Added disabled pluto pfkey lib debug flag. * Added algo debugging reporting. * * Revision 1.14 2000/01/22 23:24:29 rgb * Added new functions proto2satype() and satype2proto() and lookup * table satype_tbl. Also added proto2name() since it was easy. * * Revision 1.13 2000/01/21 09:43:59 rgb * Cast ntohl(spi) as (unsigned long int) to shut up compiler. * * Revision 1.12 2000/01/21 06:28:19 rgb * Added address cases for eroute flows. * Indented compiler directives for readability. * Added klipsdebug switching capability. * * Revision 1.11 1999/12/29 21:14:59 rgb * Fixed debug text cut and paste typo. * * Revision 1.10 1999/12/10 17:45:24 rgb * Added address debugging. * * Revision 1.9 1999/12/09 23:11:42 rgb * Ditched <string.h> include since we no longer use memset(). * Use new pfkey_extensions_init() instead of memset(). * Added check for SATYPE in pfkey_msg_build(). * Tidy up comments and debugging comments. * * Revision 1.8 1999/12/07 19:55:26 rgb * Removed unused first argument from extension parsers. 
* Removed static pluto debug flag. * Moved message type and state checking to pfkey_msg_parse(). * Changed print[fk] type from lx to x to quiet compiler. * Removed redundant remain check. * Changed __u* types to uint* to avoid use of asm/types.h and * sys/types.h in userspace code. * * Revision 1.7 1999/12/01 22:20:51 rgb * Moved pfkey_lib_debug variable into the library. * Added pfkey version check into header parsing. * Added check for SATYPE only for those extensions that require a * non-zero value. * * Revision 1.6 1999/11/27 11:58:05 rgb * Added ipv6 headers. * Moved sadb_satype2proto protocol lookup table from * klips/net/ipsec/pfkey_v2_parser.c. * Enable lifetime_current checking. * Debugging error messages added. * Add argument to pfkey_msg_parse() for direction. * Consolidated the 4 1-d extension bitmap arrays into one 4-d array. * Add CVS log entry to bottom of file. * Moved auth and enc alg check to pfkey_msg_parse(). * Enable accidentally disabled spirange parsing. * Moved protocol/algorithm checks from klips/net/ipsec/pfkey_v2_parser.c * * Local variables: * c-file-style: "linux" * End: * */