1 /*
2 * This file and its contents are supplied under the terms of the
3 * Common Development and Distribution License ("CDDL"), version 1.0.
4 * You may only use this file in accordance with the terms of version
5 * 1.0 of the CDDL.
6 *
7 * A full copy of the text of the CDDL should have accompanied this
8 * source. A copy of the CDDL is also available via the Internet at
9 * http://www.illumos.org/license/CDDL.
10 */
11
12 /*
13 * Copyright (c) 2017, Joyent, Inc.
14 */
15 #include <sys/types.h>
16 #include <net/pfkeyv2.h>
17 #include <sys/debug.h>
18 #include "defs.h"
19 #include "ikev2.h"
20 #include "ikev2_pkt.h"
21
22 ikev2_xf_auth_t ikev2_pfkey_to_auth(int);
23 ikev2_xf_encr_t ikev2_pfkey_to_encr(int);
24
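/*
 * Build the SA payload of an IKEv2 packet from a PF_KEY SADB_ACQUIRE.
 *
 * One IKEv2 proposal is emitted per extended combination (sadb_comb_t)
 * carried in the ACQUIRE's SADB_EXT_PROPOSAL extension.  Each proposal
 * carries the encryption transform (with the combination's key-size
 * range) when the combination names an encryption algorithm, the
 * integrity transform when it names an authentication algorithm, and
 * the DH transform when the caller supplied a group.
 *
 * pkt:  packet under construction; ikev2_add_sa(), ikev2_add_prop(),
 *       ikev2_add_xf_encr() and ikev2_add_xform() append to it.
 * pmsg: the parsed ACQUIRE; pmsg->pmsg_samsg must be an SADB_ACQUIRE.
 * spi:  SPI placed in every proposal.
 * dh:   DH group to advertise, or IKEV2_DH_NONE to omit the transform.
 *
 * Returns B_TRUE only if every payload was added successfully; B_FALSE if
 * any addition failed or the ACQUIRE carries no proposal extension.
 */
boolean_t
ikev2_sa_from_acquire(pkt_t *pkt, parsedmsg_t *pmsg, uint32_t spi,
    ikev2_dh_t dh)
{
	sadb_msg_t *samsg = pmsg->pmsg_samsg;
	sadb_prop_t *prop;
	sadb_comb_t *comb;
	boolean_t ok;
	ikev2_spi_proto_t spi_type = IKEV2_PROTO_NONE;

	ASSERT3U(samsg->sadb_msg_type, ==, SADB_ACQUIRE);

	switch (samsg->sadb_msg_satype) {
	case SADB_SATYPE_AH:
		spi_type = IKEV2_PROTO_AH;
		break;
	case SADB_SATYPE_ESP:
		spi_type = IKEV2_PROTO_ESP;
		break;
	default:
		INVALID("sadb_msg_satype");
	}

	prop = (sadb_prop_t *)pmsg->pmsg_exts[SADB_EXT_PROPOSAL];

	/*
	 * ASSERT3U() is only active in DEBUG builds, so a message without a
	 * proposal extension must be rejected explicitly rather than
	 * dereferenced through a NULL prop.
	 */
	if (prop == NULL)
		return (B_FALSE);
	ASSERT3U(prop->sadb_prop_exttype, ==, SADB_EXT_PROPOSAL);

	ok = ikev2_add_sa(pkt);

	/* The extended combinations immediately follow the proposal header. */
	comb = (sadb_comb_t *)(prop + 1);
	for (size_t i = 0; i < prop->sadb_x_prop_numecombs; i++, comb++) {
		/*
		 * Proposal numbers are 1-based.  NOTE(review): if
		 * ikev2_add_prop() takes a narrower type than size_t, a
		 * very large sadb_x_prop_numecombs would wrap the number;
		 * confirm against its prototype.
		 */
		ok &= ikev2_add_prop(pkt, i + 1, spi_type, spi);

		if (comb->sadb_comb_encrypt != SADB_EALG_NONE) {
			ikev2_xf_encr_t encr;
			uint16_t minbits, maxbits;

			encr = ikev2_pfkey_to_encr(comb->sadb_comb_encrypt);
			minbits = comb->sadb_comb_encrypt_minbits;
			maxbits = comb->sadb_comb_encrypt_maxbits;
			ok &= ikev2_add_xf_encr(pkt, encr, minbits, maxbits);
		}

		if (comb->sadb_comb_auth != SADB_AALG_NONE) {
			ikev2_xf_auth_t xf_auth;

			/*
			 * Variable-length integrity keys are not supported
			 * by the local algorithms or by the IKEv2 protocol,
			 * so any non-zero range here is a hard error.
			 */
			VERIFY3U(comb->sadb_comb_auth_minbits, ==, 0);
			VERIFY3U(comb->sadb_comb_auth_maxbits, ==, 0);

			xf_auth = ikev2_pfkey_to_auth(comb->sadb_comb_auth);
			ok &= ikev2_add_xform(pkt, IKEV2_XF_AUTH, xf_auth);
		}

		if (dh != IKEV2_DH_NONE)
			ok &= ikev2_add_xform(pkt, IKEV2_XF_DH, dh);
	}

	return (ok);
}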
87
/*
 * Translate a PF_KEY authentication algorithm identifier into the IKEv2
 * integrity transform id.
 *
 * Most identifiers are numerically the same on both sides and pass
 * through unchanged; HMAC-MD5 and HMAC-SHA1 differ and are remapped.
 * Any other value is reported through INVALID(); the trailing return
 * only matters if INVALID() happens to return.
 */
ikev2_xf_auth_t
ikev2_pfkey_to_auth(int alg)
{
	ikev2_xf_auth_t xf;

	switch (alg) {
	case SADB_AALG_MD5HMAC:
		xf = IKEV2_XF_AUTH_HMAC_MD5_96;
		break;
	case SADB_AALG_SHA1HMAC:
		xf = IKEV2_XF_AUTH_HMAC_SHA1_96;
		break;
	case SADB_AALG_NONE:
	case SADB_AALG_SHA256HMAC:
	case SADB_AALG_SHA384HMAC:
	case SADB_AALG_SHA512HMAC:
		/* identical numbering in PF_KEY and IKEv2 */
		xf = alg;
		break;
	default:
		INVALID("alg");
		/*NOTREACHED*/
		xf = alg;
		break;
	}

	return (xf);
}
110
/*
 * Translate a PF_KEY encryption algorithm identifier into the IKEv2
 * encryption transform id.
 *
 * Every supported identifier has the same numeric value on both sides,
 * so the value is returned unchanged once it has been recognised.  Any
 * other value is reported through INVALID(); the value is still returned
 * in case INVALID() returns.
 */
ikev2_xf_encr_t
ikev2_pfkey_to_encr(int alg)
{
	switch (alg) {
	default:
		INVALID("alg");
		/*NOTREACHED*/
		break;
	case SADB_EALG_NONE:
	case SADB_EALG_NULL:
	case SADB_EALG_DESCBC:
	case SADB_EALG_3DESCBC:
	case SADB_EALG_BLOWFISH:
	case SADB_EALG_AES:		/* AES-CBC */
	case SADB_EALG_AES_CCM_8:
	case SADB_EALG_AES_CCM_12:
	case SADB_EALG_AES_CCM_16:
	case SADB_EALG_AES_GCM_8:
	case SADB_EALG_AES_GCM_12:
	case SADB_EALG_AES_GCM_16:
		/* identical numbering in PF_KEY and IKEv2 */
		break;
	}

	return (alg);
}
134