3249 return 0;
3250 }
3251
3252 int
3253 ikev2_proposal_to_ipsec(struct ikev2_child_sa *child_sa,
3254 struct ikev2_child_param *child_param,
3255 struct prop_pair *proposal,
3256 int (*apply_func)(struct ikev2_child_sa *, struct rcpfk_msg *, void *),
3257 void *data)
3258 {
3259 struct rcpfk_msg param;
3260 struct prop_pair *proto;
3261 int i;
3262 int err;
3263 static int header_order[] = {
3264 IKEV2PROPOSAL_AH,
3265 IKEV2PROPOSAL_ESP
3266 };
3267 const int BITS = 8;
3268
3269 /*
3270 * param fields assigned here:
3271 * seq, samode, (reqid,) ul_proto,
3272 * spi, satype, enctype, enckey, enckeylen, authtype, authkey, authkeylen,
3273 *
3274 * not assigned here (apply_func need to assign them if necessary):
3275 * sa_src, pref_src, sa_dst, pref_dst,
3276 * so, wsize, saflags, lft_hard_time, lft_hard_bytes, lft_soft_time, lft_soft_bytes
3277 */
3278
3279 param.seq = child_sa->sadb_request.seqno;
3280
3281 /* for X_EXT_SA2 */
3282 param.samode = child_param->use_transport_mode ?
3283 RCT_IPSM_TRANSPORT : RCT_IPSM_TUNNEL;
3284 param.reqid = child_sa->selector->reqid; /* ??? */
3285
3286 param.ul_proto = child_sa->selector->upper_layer_protocol;
3287
3288 /*
4265 }
4266 return 0;
4267 }
4268
4269 struct sockaddr *
4270 ike_determine_sa_endpoint(struct sockaddr_storage *ss,
4271 struct rc_addrlist *config_ipaddr,
4272 struct sockaddr *actual_addr)
4273 {
4274 struct rc_addrlist *addrlist;
4275 struct sockaddr *addr;
4276
4277 if (!config_ipaddr)
4278 return actual_addr;
4279
4280 switch (config_ipaddr->type) {
4281 case RCT_ADDR_INET:
4282 memcpy(ss, config_ipaddr->a.ipaddr,
4283 SOCKADDR_LEN(config_ipaddr->a.ipaddr));
4284 addr = (struct sockaddr *)ss;
4285 if (!set_port(addr, extract_port(actual_addr))) {
4286 plog(PLOG_INTERR, PLOGLOC, 0, "set_port failed\n");
4287 return NULL;
4288 }
4289 break;
4290
4291 case RCT_ADDR_MACRO:
4292 if (rcs_is_addr_rw(config_ipaddr))
4293 return actual_addr;
4294
4295 if (rcs_getaddrlistbymacro(config_ipaddr->a.vstr,
4296 &addrlist) != 0) {
4297 plog(PLOG_INTERR, PLOGLOC, 0,
4298 "macro %.*s expansion failure\n",
4299 (int)config_ipaddr->a.vstr->l,
4300 config_ipaddr->a.vstr->v);
4301 return NULL;
4302 }
4303 if (addrlist->next)
4304 plog(PLOG_INTWARN, PLOGLOC, 0,
4305 "macro expands to multiple addresses, "
4306 "only the first one is used.\n");
4307
4308 memcpy(ss, addrlist->a.ipaddr,
4309 SOCKADDR_LEN(addrlist->a.ipaddr));
4310 rcs_free_addrlist(addrlist);
4311 addr = (struct sockaddr *)ss;
4312 if (!set_port(addr, extract_port(actual_addr))) {
4313 plog(PLOG_INTERR, PLOGLOC, 0, "set_port failed\n");
4314 return NULL;
4315 }
4316 break;
4317
4318 default:
4319 plog(PLOG_INTERR, PLOGLOC, 0,
4320 "my_sa_ipaddr or peers_sa_ipaddr is "
4321 "unsupported address type (type %s)\n",
4322 rct2str(config_ipaddr->type));
4323 return NULL;
4324 }
4325
4326 return addr;
4327 }
3249 return 0;
3250 }
3251
3252 int
3253 ikev2_proposal_to_ipsec(struct ikev2_child_sa *child_sa,
3254 struct ikev2_child_param *child_param,
3255 struct prop_pair *proposal,
3256 int (*apply_func)(struct ikev2_child_sa *, struct rcpfk_msg *, void *),
3257 void *data)
3258 {
3259 struct rcpfk_msg param;
3260 struct prop_pair *proto;
3261 int i;
3262 int err;
3263 static int header_order[] = {
3264 IKEV2PROPOSAL_AH,
3265 IKEV2PROPOSAL_ESP
3266 };
3267 const int BITS = 8;
3268
3269 (void) memset(¶m, 0, sizeof (param));
3270 /*
3271 * param fields assigned here:
3272 * seq, samode, (reqid,) ul_proto,
3273 * spi, satype, enctype, enckey, enckeylen, authtype, authkey, authkeylen,
3274 *
3275 * not assigned here (apply_func need to assign them if necessary):
3276 * sa_src, pref_src, sa_dst, pref_dst,
3277 * so, wsize, saflags, lft_hard_time, lft_hard_bytes, lft_soft_time, lft_soft_bytes
3278 */
3279
3280 param.seq = child_sa->sadb_request.seqno;
3281
3282 /* for X_EXT_SA2 */
3283 param.samode = child_param->use_transport_mode ?
3284 RCT_IPSM_TRANSPORT : RCT_IPSM_TUNNEL;
3285 param.reqid = child_sa->selector->reqid; /* ??? */
3286
3287 param.ul_proto = child_sa->selector->upper_layer_protocol;
3288
3289 /*
4266 }
4267 return 0;
4268 }
4269
4270 struct sockaddr *
4271 ike_determine_sa_endpoint(struct sockaddr_storage *ss,
4272 struct rc_addrlist *config_ipaddr,
4273 struct sockaddr *actual_addr)
4274 {
4275 struct rc_addrlist *addrlist;
4276 struct sockaddr *addr;
4277
4278 if (!config_ipaddr)
4279 return actual_addr;
4280
4281 switch (config_ipaddr->type) {
4282 case RCT_ADDR_INET:
4283 memcpy(ss, config_ipaddr->a.ipaddr,
4284 SOCKADDR_LEN(config_ipaddr->a.ipaddr));
4285 addr = (struct sockaddr *)ss;
4286 #ifdef sun
4287 /*
4288 * XXX KEBE SAYS we need the port from the "policy". This, of
4289 * course, goes to hell when we introduce tunnel- mode into
4290 * the mix, and config_ipaddr is != actual_addr. The IKEv1
4291 * callers of this are restricted to ikev1/pfkey.c, and the
4292 * IKEv2 callers are restricted to ikev2_child.c. Hopefully
4293 * those callers can account for tunnel-mode or
4294 * transport-mode. :)
4295 */
4296 #else
4297 if (!set_port(addr, extract_port(actual_addr))) {
4298 plog(PLOG_INTERR, PLOGLOC, 0, "set_port failed\n");
4299 return NULL;
4300 }
4301 #endif
4302 break;
4303
4304 case RCT_ADDR_MACRO:
4305 if (rcs_is_addr_rw(config_ipaddr))
4306 return actual_addr;
4307
4308 if (rcs_getaddrlistbymacro(config_ipaddr->a.vstr,
4309 &addrlist) != 0) {
4310 plog(PLOG_INTERR, PLOGLOC, 0,
4311 "macro %.*s expansion failure\n",
4312 (int)config_ipaddr->a.vstr->l,
4313 config_ipaddr->a.vstr->v);
4314 return NULL;
4315 }
4316 if (addrlist->next)
4317 plog(PLOG_INTWARN, PLOGLOC, 0,
4318 "macro expands to multiple addresses, "
4319 "only the first one is used.\n");
4320
4321 memcpy(ss, addrlist->a.ipaddr,
4322 SOCKADDR_LEN(addrlist->a.ipaddr));
4323 rcs_free_addrlist(addrlist);
4324 addr = (struct sockaddr *)ss;
4325 #ifdef sun
4326 /*
4327 * XXX KEBE SAYS we need the port from the "policy". This, of
4328 * course, goes to hell when we introduce tunnel- mode into
4329 * the mix, and config_ipaddr is != actual_addr. The IKEv1
4330 * callers of this are restricted to ikev1/pfkey.c, and the
4331 * IKEv2 callers are restricted to ikev2_child.c. Hopefully
4332 * those callers can account for tunnel-mode or
4333 * transport-mode. :)
4334 */
4335 #else
4336 if (!set_port(addr, extract_port(actual_addr))) {
4337 plog(PLOG_INTERR, PLOGLOC, 0, "set_port failed\n");
4338 return NULL;
4339 }
4340 #endif
4341 break;
4342 default:
4343 plog(PLOG_INTERR, PLOGLOC, 0,
4344 "my_sa_ipaddr or peers_sa_ipaddr is "
4345 "unsupported address type (type %s)\n",
4346 rct2str(config_ipaddr->type));
4347 return NULL;
4348 }
4349
4350 return addr;
4351 }
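Review bot: The two `#ifdef sun` blocks in ike_determine_sa_endpoint skip set_port entirely, so on Solaris the returned endpoint carries whatever port was copied from config_ipaddr->a.ipaddr rather than the port taken from actual_addr, and nothing in the hunk checks that value or records for callers that the port is now unset; the XXX comment acknowledges this but the contract change is not documented at the function itself, so a one-line header comment such as `/* On Solaris the port of the returned address is NOT set from actual_addr; callers must supply it from policy. */` should accompany it. The block (comment plus set_port call) is pasted verbatim into both the RCT_ADDR_INET and RCT_ADDR_MACRO cases; since both already end with `addr = (struct sockaddr *)ss;`, the port handling can be hoisted after the switch so there is one conditional and one comment to maintain, as sketched below. `sun` is a non-reserved predefined macro that compilers drop in strict-conformance mode (`-std=c99` and similar), so `#ifdef __sun` is the more reliable guard unless the build already relies on `sun` elsewhere. In the first hunk the added memset argument is rendered as `¶m` on this page, presumably `&param` mangled in rendering; worth confirming in the actual source.
```c
	default:
		/* … unchanged: unsupported-type plog and return NULL … */
	}

#ifdef __sun
	/*
	 * XXX KEBE SAYS we need the port from the "policy"; the port of
	 * addr is intentionally left as copied from the configuration.
	 * (comment moved here from the two case bodies)
	 */
#else
	if (!set_port(addr, extract_port(actual_addr))) {
		plog(PLOG_INTERR, PLOGLOC, 0, "set_port failed\n");
		return NULL;
	}
#endif
	return addr;
```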