1 /* $KAME: pfkey.c,v 1.46 2003/08/26 03:37:06 itojun Exp $ */
2
3 /*-
4 * SPDX-License-Identifier: BSD-3-Clause
5 *
6 * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include <sys/cdefs.h>
35 #include <sys/types.h>
36 #include <sys/param.h>
37 #include <sys/socket.h>
38 #include <net/pfkeyv2.h>
39 #include <netipsec/key_var.h>
40 #include <netinet/in.h>
41 #include <netipsec/ipsec.h>
42
43 #include <stdlib.h>
44 #include <stdint.h>
45 #include <unistd.h>
46 #include <string.h>
47 #include <errno.h>
48
49 #include "ipsec_strerror.h"
50 #include "libpfkey.h"
51
52 #define CALLOC(size, cast) (cast)calloc(1, (size))
53
54 static int findsupportedmap(int);
55 static int setsupportedmap(struct sadb_supported *);
56 static struct sadb_alg *findsupportedalg(u_int, u_int);
57 static int pfkey_send_x1(int, u_int, u_int, u_int, struct sockaddr *,
58 struct sockaddr *, u_int32_t, u_int32_t, u_int, caddr_t,
59 u_int, u_int, u_int, u_int, u_int, u_int32_t, u_int32_t,
60 u_int32_t, u_int32_t, u_int32_t);
61 static int pfkey_send_x2(int, u_int, u_int, u_int,
62 struct sockaddr *, struct sockaddr *, u_int32_t);
63 static int pfkey_send_x3(int, u_int, u_int);
64 static int pfkey_send_x4(int, u_int, struct sockaddr *, u_int,
65 struct sockaddr *, u_int, u_int, u_int64_t, u_int64_t,
66 char *, int, u_int32_t);
67 static int pfkey_send_x5(int, u_int, u_int32_t);
68
69 static caddr_t pfkey_setsadbmsg(caddr_t, caddr_t, u_int, u_int,
70 u_int, u_int32_t, pid_t);
71 static caddr_t pfkey_setsadbsa(caddr_t, caddr_t, u_int32_t, u_int,
72 u_int, u_int, u_int32_t);
73 static caddr_t pfkey_setsadbxreplay(caddr_t, caddr_t, uint32_t);
74 static caddr_t pfkey_setsadbaddr(caddr_t, caddr_t, u_int,
75 struct sockaddr *, u_int, u_int);
76 static caddr_t pfkey_setsadbkey(caddr_t, caddr_t, u_int, caddr_t, u_int);
77 static caddr_t pfkey_setsadblifetime(caddr_t, caddr_t, u_int, u_int32_t,
78 u_int32_t, u_int32_t, u_int32_t);
79 static caddr_t pfkey_setsadbxsa2(caddr_t, caddr_t, u_int32_t, u_int32_t);
80
81 /*
82 * make and search supported algorithm structure.
83 */
84 static struct sadb_supported *ipsec_supported[] = { NULL, NULL, NULL, NULL };
85
86 static int supported_map[] = {
87 SADB_SATYPE_AH,
88 SADB_SATYPE_ESP,
89 SADB_X_SATYPE_IPCOMP,
90 SADB_X_SATYPE_TCPSIGNATURE
91 };
92
93 static int
findsupportedmap(satype)94 findsupportedmap(satype)
95 int satype;
96 {
97 int i;
98
99 for (i = 0; i < sizeof(supported_map)/sizeof(supported_map[0]); i++)
100 if (supported_map[i] == satype)
101 return i;
102 return -1;
103 }
104
105 static struct sadb_alg *
findsupportedalg(satype,alg_id)106 findsupportedalg(satype, alg_id)
107 u_int satype, alg_id;
108 {
109 int algno;
110 int tlen;
111 caddr_t p;
112
113 /* validity check */
114 algno = findsupportedmap(satype);
115 if (algno == -1) {
116 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
117 return NULL;
118 }
119 if (ipsec_supported[algno] == NULL) {
120 __ipsec_errcode = EIPSEC_DO_GET_SUPP_LIST;
121 return NULL;
122 }
123
124 tlen = ipsec_supported[algno]->sadb_supported_len
125 - sizeof(struct sadb_supported);
126 p = (caddr_t)(ipsec_supported[algno] + 1);
127 while (tlen > 0) {
128 if (tlen < sizeof(struct sadb_alg)) {
129 /* invalid format */
130 break;
131 }
132 if (((struct sadb_alg *)p)->sadb_alg_id == alg_id)
133 return (struct sadb_alg *)p;
134
135 tlen -= sizeof(struct sadb_alg);
136 p += sizeof(struct sadb_alg);
137 }
138
139 __ipsec_errcode = EIPSEC_NOT_SUPPORTED;
140 return NULL;
141 }
142
143 static int
setsupportedmap(sup)144 setsupportedmap(sup)
145 struct sadb_supported *sup;
146 {
147 struct sadb_supported **ipsup;
148
149 switch (sup->sadb_supported_exttype) {
150 case SADB_EXT_SUPPORTED_AUTH:
151 ipsup = &ipsec_supported[findsupportedmap(SADB_SATYPE_AH)];
152 break;
153 case SADB_EXT_SUPPORTED_ENCRYPT:
154 ipsup = &ipsec_supported[findsupportedmap(SADB_SATYPE_ESP)];
155 break;
156 default:
157 __ipsec_errcode = EIPSEC_INVAL_SATYPE;
158 return -1;
159 }
160
161 if (*ipsup)
162 free(*ipsup);
163
164 *ipsup = malloc(sup->sadb_supported_len);
165 if (!*ipsup) {
166 __ipsec_set_strerror(strerror(errno));
167 return -1;
168 }
169 memcpy(*ipsup, sup, sup->sadb_supported_len);
170
171 return 0;
172 }
173
174 /*
175 * check key length against algorithm specified.
176 * This function is called with SADB_EXT_SUPPORTED_{AUTH,ENCRYPT} as the
177 * augument, and only calls to ipsec_check_keylen2();
178 * keylen is the unit of bit.
179 * OUT:
180 * -1: invalid.
181 * 0: valid.
182 */
183 int
ipsec_check_keylen(supported,alg_id,keylen)184 ipsec_check_keylen(supported, alg_id, keylen)
185 u_int supported;
186 u_int alg_id;
187 u_int keylen;
188 {
189 int satype;
190
191 /* validity check */
192 switch (supported) {
193 case SADB_EXT_SUPPORTED_AUTH:
194 satype = SADB_SATYPE_AH;
195 break;
196 case SADB_EXT_SUPPORTED_ENCRYPT:
197 satype = SADB_SATYPE_ESP;
198 break;
199 default:
200 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
201 return -1;
202 }
203
204 return ipsec_check_keylen2(satype, alg_id, keylen);
205 }
206
207 /*
208 * check key length against algorithm specified.
209 * satype is one of satype defined at pfkeyv2.h.
210 * keylen is the unit of bit.
211 * OUT:
212 * -1: invalid.
213 * 0: valid.
214 */
215 int
ipsec_check_keylen2(satype,alg_id,keylen)216 ipsec_check_keylen2(satype, alg_id, keylen)
217 u_int satype;
218 u_int alg_id;
219 u_int keylen;
220 {
221 struct sadb_alg *alg;
222
223 alg = findsupportedalg(satype, alg_id);
224 if (!alg)
225 return -1;
226
227 if (keylen < alg->sadb_alg_minbits || keylen > alg->sadb_alg_maxbits) {
228 __ipsec_errcode = EIPSEC_INVAL_KEYLEN;
229 return -1;
230 }
231
232 __ipsec_errcode = EIPSEC_NO_ERROR;
233 return 0;
234 }
235
236 /*
237 * get max/min key length against algorithm specified.
238 * satype is one of satype defined at pfkeyv2.h.
239 * keylen is the unit of bit.
240 * OUT:
241 * -1: invalid.
242 * 0: valid.
243 */
244 int
ipsec_get_keylen(supported,alg_id,alg0)245 ipsec_get_keylen(supported, alg_id, alg0)
246 u_int supported, alg_id;
247 struct sadb_alg *alg0;
248 {
249 struct sadb_alg *alg;
250 u_int satype;
251
252 /* validity check */
253 if (!alg0) {
254 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
255 return -1;
256 }
257
258 switch (supported) {
259 case SADB_EXT_SUPPORTED_AUTH:
260 satype = SADB_SATYPE_AH;
261 break;
262 case SADB_EXT_SUPPORTED_ENCRYPT:
263 satype = SADB_SATYPE_ESP;
264 break;
265 default:
266 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
267 return -1;
268 }
269
270 alg = findsupportedalg(satype, alg_id);
271 if (!alg)
272 return -1;
273
274 memcpy(alg0, alg, sizeof(*alg0));
275
276 __ipsec_errcode = EIPSEC_NO_ERROR;
277 return 0;
278 }
279
280 /*
281 * set the rate for SOFT lifetime against HARD one.
282 * If rate is more than 100 or equal to zero, then set to 100.
283 */
284 static u_int soft_lifetime_allocations_rate = PFKEY_SOFT_LIFETIME_RATE;
285 static u_int soft_lifetime_bytes_rate = PFKEY_SOFT_LIFETIME_RATE;
286 static u_int soft_lifetime_addtime_rate = PFKEY_SOFT_LIFETIME_RATE;
287 static u_int soft_lifetime_usetime_rate = PFKEY_SOFT_LIFETIME_RATE;
288
289 u_int
pfkey_set_softrate(type,rate)290 pfkey_set_softrate(type, rate)
291 u_int type, rate;
292 {
293 __ipsec_errcode = EIPSEC_NO_ERROR;
294
295 if (rate > 100 || rate == 0)
296 rate = 100;
297
298 switch (type) {
299 case SADB_X_LIFETIME_ALLOCATIONS:
300 soft_lifetime_allocations_rate = rate;
301 return 0;
302 case SADB_X_LIFETIME_BYTES:
303 soft_lifetime_bytes_rate = rate;
304 return 0;
305 case SADB_X_LIFETIME_ADDTIME:
306 soft_lifetime_addtime_rate = rate;
307 return 0;
308 case SADB_X_LIFETIME_USETIME:
309 soft_lifetime_usetime_rate = rate;
310 return 0;
311 }
312
313 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
314 return 1;
315 }
316
317 /*
318 * get current rate for SOFT lifetime against HARD one.
319 * ATTENTION: ~0 is returned if invalid type was passed.
320 */
321 u_int
pfkey_get_softrate(type)322 pfkey_get_softrate(type)
323 u_int type;
324 {
325 switch (type) {
326 case SADB_X_LIFETIME_ALLOCATIONS:
327 return soft_lifetime_allocations_rate;
328 case SADB_X_LIFETIME_BYTES:
329 return soft_lifetime_bytes_rate;
330 case SADB_X_LIFETIME_ADDTIME:
331 return soft_lifetime_addtime_rate;
332 case SADB_X_LIFETIME_USETIME:
333 return soft_lifetime_usetime_rate;
334 }
335
336 return ~0;
337 }
338
339 /*
340 * sending SADB_GETSPI message to the kernel.
341 * OUT:
342 * positive: success and return length sent.
343 * -1 : error occured, and set errno.
344 */
345 int
pfkey_send_getspi(so,satype,mode,src,dst,min,max,reqid,seq)346 pfkey_send_getspi(so, satype, mode, src, dst, min, max, reqid, seq)
347 int so;
348 u_int satype, mode;
349 struct sockaddr *src, *dst;
350 u_int32_t min, max, reqid, seq;
351 {
352 struct sadb_msg *newmsg;
353 caddr_t ep;
354 int len;
355 int need_spirange = 0;
356 caddr_t p;
357 int plen;
358
359 /* validity check */
360 if (src == NULL || dst == NULL) {
361 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
362 return -1;
363 }
364 if (src->sa_family != dst->sa_family) {
365 __ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
366 return -1;
367 }
368 if (min > max || (min > 0 && min <= 255)) {
369 __ipsec_errcode = EIPSEC_INVAL_SPI;
370 return -1;
371 }
372 switch (src->sa_family) {
373 case AF_INET:
374 plen = sizeof(struct in_addr) << 3;
375 break;
376 case AF_INET6:
377 plen = sizeof(struct in6_addr) << 3;
378 break;
379 default:
380 __ipsec_errcode = EIPSEC_INVAL_FAMILY;
381 return -1;
382 }
383
384 /* create new sadb_msg to send. */
385 len = sizeof(struct sadb_msg)
386 + sizeof(struct sadb_x_sa2)
387 + sizeof(struct sadb_address)
388 + PFKEY_ALIGN8(src->sa_len)
389 + sizeof(struct sadb_address)
390 + PFKEY_ALIGN8(dst->sa_len);
391
392 if (min > 255 && max < ~0) {
393 need_spirange++;
394 len += sizeof(struct sadb_spirange);
395 }
396
397 if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
398 __ipsec_set_strerror(strerror(errno));
399 return -1;
400 }
401 ep = ((caddr_t)newmsg) + len;
402
403 p = pfkey_setsadbmsg((caddr_t)newmsg, ep, SADB_GETSPI,
404 len, satype, seq, getpid());
405 if (!p) {
406 free(newmsg);
407 return -1;
408 }
409
410 p = pfkey_setsadbxsa2(p, ep, mode, reqid);
411 if (!p) {
412 free(newmsg);
413 return -1;
414 }
415
416 /* set sadb_address for source */
417 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, plen,
418 IPSEC_ULPROTO_ANY);
419 if (!p) {
420 free(newmsg);
421 return -1;
422 }
423
424 /* set sadb_address for destination */
425 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, plen,
426 IPSEC_ULPROTO_ANY);
427 if (!p) {
428 free(newmsg);
429 return -1;
430 }
431
432 /* processing spi range */
433 if (need_spirange) {
434 struct sadb_spirange spirange;
435
436 if (p + sizeof(spirange) > ep) {
437 free(newmsg);
438 return -1;
439 }
440
441 memset(&spirange, 0, sizeof(spirange));
442 spirange.sadb_spirange_len = PFKEY_UNIT64(sizeof(spirange));
443 spirange.sadb_spirange_exttype = SADB_EXT_SPIRANGE;
444 spirange.sadb_spirange_min = min;
445 spirange.sadb_spirange_max = max;
446
447 memcpy(p, &spirange, sizeof(spirange));
448
449 p += sizeof(spirange);
450 }
451 if (p != ep) {
452 free(newmsg);
453 return -1;
454 }
455
456 /* send message */
457 len = pfkey_send(so, newmsg, len);
458 free(newmsg);
459
460 if (len < 0)
461 return -1;
462
463 __ipsec_errcode = EIPSEC_NO_ERROR;
464 return len;
465 }
466
467 /*
468 * sending SADB_UPDATE message to the kernel.
469 * The length of key material is a_keylen + e_keylen.
470 * OUT:
471 * positive: success and return length sent.
472 * -1 : error occured, and set errno.
473 */
474 int
pfkey_send_update(so,satype,mode,src,dst,spi,reqid,wsize,keymat,e_type,e_keylen,a_type,a_keylen,flags,l_alloc,l_bytes,l_addtime,l_usetime,seq)475 pfkey_send_update(so, satype, mode, src, dst, spi, reqid, wsize,
476 keymat, e_type, e_keylen, a_type, a_keylen, flags,
477 l_alloc, l_bytes, l_addtime, l_usetime, seq)
478 int so;
479 u_int satype, mode, wsize;
480 struct sockaddr *src, *dst;
481 u_int32_t spi, reqid;
482 caddr_t keymat;
483 u_int e_type, e_keylen, a_type, a_keylen, flags;
484 u_int32_t l_alloc;
485 u_int64_t l_bytes, l_addtime, l_usetime;
486 u_int32_t seq;
487 {
488 int len;
489 if ((len = pfkey_send_x1(so, SADB_UPDATE, satype, mode, src, dst, spi,
490 reqid, wsize,
491 keymat, e_type, e_keylen, a_type, a_keylen, flags,
492 l_alloc, l_bytes, l_addtime, l_usetime, seq)) < 0)
493 return -1;
494
495 return len;
496 }
497
498 /*
499 * sending SADB_ADD message to the kernel.
500 * The length of key material is a_keylen + e_keylen.
501 * OUT:
502 * positive: success and return length sent.
503 * -1 : error occured, and set errno.
504 */
505 int
pfkey_send_add(so,satype,mode,src,dst,spi,reqid,wsize,keymat,e_type,e_keylen,a_type,a_keylen,flags,l_alloc,l_bytes,l_addtime,l_usetime,seq)506 pfkey_send_add(so, satype, mode, src, dst, spi, reqid, wsize,
507 keymat, e_type, e_keylen, a_type, a_keylen, flags,
508 l_alloc, l_bytes, l_addtime, l_usetime, seq)
509 int so;
510 u_int satype, mode, wsize;
511 struct sockaddr *src, *dst;
512 u_int32_t spi, reqid;
513 caddr_t keymat;
514 u_int e_type, e_keylen, a_type, a_keylen, flags;
515 u_int32_t l_alloc;
516 u_int64_t l_bytes, l_addtime, l_usetime;
517 u_int32_t seq;
518 {
519 int len;
520 if ((len = pfkey_send_x1(so, SADB_ADD, satype, mode, src, dst, spi,
521 reqid, wsize,
522 keymat, e_type, e_keylen, a_type, a_keylen, flags,
523 l_alloc, l_bytes, l_addtime, l_usetime, seq)) < 0)
524 return -1;
525
526 return len;
527 }
528
529 /*
530 * sending SADB_DELETE message to the kernel.
531 * OUT:
532 * positive: success and return length sent.
533 * -1 : error occured, and set errno.
534 */
535 int
pfkey_send_delete(so,satype,mode,src,dst,spi)536 pfkey_send_delete(so, satype, mode, src, dst, spi)
537 int so;
538 u_int satype, mode;
539 struct sockaddr *src, *dst;
540 u_int32_t spi;
541 {
542 int len;
543 if ((len = pfkey_send_x2(so, SADB_DELETE, satype, mode, src, dst, spi)) < 0)
544 return -1;
545
546 return len;
547 }
548
549 /*
550 * sending SADB_DELETE without spi to the kernel. This is
551 * the "delete all" request (an extension also present in
552 * Solaris).
553 *
554 * OUT:
555 * positive: success and return length sent
556 * -1 : error occured, and set errno
557 */
558 int
pfkey_send_delete_all(so,satype,mode,src,dst)559 pfkey_send_delete_all(so, satype, mode, src, dst)
560 int so;
561 u_int satype, mode;
562 struct sockaddr *src, *dst;
563 {
564 struct sadb_msg *newmsg;
565 int len;
566 caddr_t p;
567 int plen;
568 caddr_t ep;
569
570 /* validity check */
571 if (src == NULL || dst == NULL) {
572 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
573 return -1;
574 }
575 if (src->sa_family != dst->sa_family) {
576 __ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
577 return -1;
578 }
579 switch (src->sa_family) {
580 case AF_INET:
581 plen = sizeof(struct in_addr) << 3;
582 break;
583 case AF_INET6:
584 plen = sizeof(struct in6_addr) << 3;
585 break;
586 default:
587 __ipsec_errcode = EIPSEC_INVAL_FAMILY;
588 return -1;
589 }
590
591 /* create new sadb_msg to reply. */
592 len = sizeof(struct sadb_msg)
593 + sizeof(struct sadb_address)
594 + PFKEY_ALIGN8(src->sa_len)
595 + sizeof(struct sadb_address)
596 + PFKEY_ALIGN8(dst->sa_len);
597
598 if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
599 __ipsec_set_strerror(strerror(errno));
600 return -1;
601 }
602 ep = ((caddr_t)newmsg) + len;
603
604 p = pfkey_setsadbmsg((caddr_t)newmsg, ep, SADB_DELETE, len, satype, 0,
605 getpid());
606 if (!p) {
607 free(newmsg);
608 return -1;
609 }
610 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, plen,
611 IPSEC_ULPROTO_ANY);
612 if (!p) {
613 free(newmsg);
614 return -1;
615 }
616 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, plen,
617 IPSEC_ULPROTO_ANY);
618 if (!p || p != ep) {
619 free(newmsg);
620 return -1;
621 }
622
623 /* send message */
624 len = pfkey_send(so, newmsg, len);
625 free(newmsg);
626
627 if (len < 0)
628 return -1;
629
630 __ipsec_errcode = EIPSEC_NO_ERROR;
631 return len;
632 }
633
634 /*
635 * sending SADB_GET message to the kernel.
636 * OUT:
637 * positive: success and return length sent.
638 * -1 : error occured, and set errno.
639 */
640 int
pfkey_send_get(so,satype,mode,src,dst,spi)641 pfkey_send_get(so, satype, mode, src, dst, spi)
642 int so;
643 u_int satype, mode;
644 struct sockaddr *src, *dst;
645 u_int32_t spi;
646 {
647 int len;
648 if ((len = pfkey_send_x2(so, SADB_GET, satype, mode, src, dst, spi)) < 0)
649 return -1;
650
651 return len;
652 }
653
654 /*
655 * sending SADB_REGISTER message to the kernel.
656 * OUT:
657 * positive: success and return length sent.
658 * -1 : error occured, and set errno.
659 */
660 int
pfkey_send_register(so,satype)661 pfkey_send_register(so, satype)
662 int so;
663 u_int satype;
664 {
665 int len, algno;
666
667 if (satype == SADB_SATYPE_UNSPEC) {
668 for (algno = 0;
669 algno < sizeof(supported_map)/sizeof(supported_map[0]);
670 algno++) {
671 if (ipsec_supported[algno]) {
672 free(ipsec_supported[algno]);
673 ipsec_supported[algno] = NULL;
674 }
675 }
676 } else {
677 algno = findsupportedmap(satype);
678 if (algno == -1) {
679 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
680 return -1;
681 }
682
683 if (ipsec_supported[algno]) {
684 free(ipsec_supported[algno]);
685 ipsec_supported[algno] = NULL;
686 }
687 }
688
689 if ((len = pfkey_send_x3(so, SADB_REGISTER, satype)) < 0)
690 return -1;
691
692 return len;
693 }
694
695 /*
696 * receiving SADB_REGISTER message from the kernel, and copy buffer for
697 * sadb_supported returned into ipsec_supported.
698 * OUT:
699 * 0: success and return length sent.
700 * -1: error occured, and set errno.
701 */
702 int
pfkey_recv_register(so)703 pfkey_recv_register(so)
704 int so;
705 {
706 pid_t pid = getpid();
707 struct sadb_msg *newmsg;
708 int error = -1;
709
710 /* receive message */
711 for (;;) {
712 if ((newmsg = pfkey_recv(so)) == NULL)
713 return -1;
714 if (newmsg->sadb_msg_type == SADB_REGISTER &&
715 newmsg->sadb_msg_pid == pid)
716 break;
717 free(newmsg);
718 }
719
720 /* check and fix */
721 newmsg->sadb_msg_len = PFKEY_UNUNIT64(newmsg->sadb_msg_len);
722
723 error = pfkey_set_supported(newmsg, newmsg->sadb_msg_len);
724 free(newmsg);
725
726 if (error == 0)
727 __ipsec_errcode = EIPSEC_NO_ERROR;
728
729 return error;
730 }
731
732 /*
733 * receiving SADB_REGISTER message from the kernel, and copy buffer for
734 * sadb_supported returned into ipsec_supported.
735 * NOTE: sadb_msg_len must be host order.
736 * IN:
737 * tlen: msg length, it's to makeing sure.
738 * OUT:
739 * 0: success and return length sent.
740 * -1: error occured, and set errno.
741 */
742 int
pfkey_set_supported(msg,tlen)743 pfkey_set_supported(msg, tlen)
744 struct sadb_msg *msg;
745 int tlen;
746 {
747 struct sadb_supported *sup;
748 caddr_t p;
749 caddr_t ep;
750
751 /* validity */
752 if (msg->sadb_msg_len != tlen) {
753 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
754 return -1;
755 }
756
757 p = (caddr_t)msg;
758 ep = p + tlen;
759
760 p += sizeof(struct sadb_msg);
761
762 while (p < ep) {
763 sup = (struct sadb_supported *)p;
764 if (ep < p + sizeof(*sup) ||
765 PFKEY_EXTLEN(sup) < sizeof(*sup) ||
766 ep < p + sup->sadb_supported_len) {
767 /* invalid format */
768 break;
769 }
770
771 switch (sup->sadb_supported_exttype) {
772 case SADB_EXT_SUPPORTED_AUTH:
773 case SADB_EXT_SUPPORTED_ENCRYPT:
774 break;
775 default:
776 __ipsec_errcode = EIPSEC_INVAL_SATYPE;
777 return -1;
778 }
779
780 /* fixed length */
781 sup->sadb_supported_len = PFKEY_EXTLEN(sup);
782
783 /* set supported map */
784 if (setsupportedmap(sup) != 0)
785 return -1;
786
787 p += sup->sadb_supported_len;
788 }
789
790 if (p != ep) {
791 __ipsec_errcode = EIPSEC_INVAL_SATYPE;
792 return -1;
793 }
794
795 __ipsec_errcode = EIPSEC_NO_ERROR;
796
797 return 0;
798 }
799
800 /*
801 * sending SADB_FLUSH message to the kernel.
802 * OUT:
803 * positive: success and return length sent.
804 * -1 : error occured, and set errno.
805 */
806 int
pfkey_send_flush(so,satype)807 pfkey_send_flush(so, satype)
808 int so;
809 u_int satype;
810 {
811 int len;
812
813 if ((len = pfkey_send_x3(so, SADB_FLUSH, satype)) < 0)
814 return -1;
815
816 return len;
817 }
818
819 /*
820 * sending SADB_DUMP message to the kernel.
821 * OUT:
822 * positive: success and return length sent.
823 * -1 : error occured, and set errno.
824 */
825 int
pfkey_send_dump(so,satype)826 pfkey_send_dump(so, satype)
827 int so;
828 u_int satype;
829 {
830 int len;
831
832 if ((len = pfkey_send_x3(so, SADB_DUMP, satype)) < 0)
833 return -1;
834
835 return len;
836 }
837
838 /*
839 * sending SADB_X_PROMISC message to the kernel.
840 * NOTE that this function handles promisc mode toggle only.
841 * IN:
842 * flag: set promisc off if zero, set promisc on if non-zero.
843 * OUT:
844 * positive: success and return length sent.
845 * -1 : error occured, and set errno.
846 * 0 : error occured, and set errno.
847 * others: a pointer to new allocated buffer in which supported
848 * algorithms is.
849 */
850 int
pfkey_send_promisc_toggle(so,flag)851 pfkey_send_promisc_toggle(so, flag)
852 int so;
853 int flag;
854 {
855 int len;
856
857 if ((len = pfkey_send_x3(so, SADB_X_PROMISC, (flag ? 1 : 0))) < 0)
858 return -1;
859
860 return len;
861 }
862
863 /*
864 * sending SADB_X_SPDADD message to the kernel.
865 * OUT:
866 * positive: success and return length sent.
867 * -1 : error occured, and set errno.
868 */
869 int
pfkey_send_spdadd(so,src,prefs,dst,prefd,proto,policy,policylen,seq)870 pfkey_send_spdadd(so, src, prefs, dst, prefd, proto, policy, policylen, seq)
871 int so;
872 struct sockaddr *src, *dst;
873 u_int prefs, prefd, proto;
874 caddr_t policy;
875 int policylen;
876 u_int32_t seq;
877 {
878 int len;
879
880 if ((len = pfkey_send_x4(so, SADB_X_SPDADD,
881 src, prefs, dst, prefd, proto,
882 0, 0,
883 policy, policylen, seq)) < 0)
884 return -1;
885
886 return len;
887 }
888
889 /*
890 * sending SADB_X_SPDADD message to the kernel.
891 * OUT:
892 * positive: success and return length sent.
893 * -1 : error occured, and set errno.
894 */
895 int
pfkey_send_spdadd2(so,src,prefs,dst,prefd,proto,ltime,vtime,policy,policylen,seq)896 pfkey_send_spdadd2(so, src, prefs, dst, prefd, proto, ltime, vtime,
897 policy, policylen, seq)
898 int so;
899 struct sockaddr *src, *dst;
900 u_int prefs, prefd, proto;
901 u_int64_t ltime, vtime;
902 caddr_t policy;
903 int policylen;
904 u_int32_t seq;
905 {
906 int len;
907
908 if ((len = pfkey_send_x4(so, SADB_X_SPDADD,
909 src, prefs, dst, prefd, proto,
910 ltime, vtime,
911 policy, policylen, seq)) < 0)
912 return -1;
913
914 return len;
915 }
916
917 /*
918 * sending SADB_X_SPDUPDATE message to the kernel.
919 * OUT:
920 * positive: success and return length sent.
921 * -1 : error occured, and set errno.
922 */
923 int
pfkey_send_spdupdate(so,src,prefs,dst,prefd,proto,policy,policylen,seq)924 pfkey_send_spdupdate(so, src, prefs, dst, prefd, proto, policy, policylen, seq)
925 int so;
926 struct sockaddr *src, *dst;
927 u_int prefs, prefd, proto;
928 caddr_t policy;
929 int policylen;
930 u_int32_t seq;
931 {
932 int len;
933
934 if ((len = pfkey_send_x4(so, SADB_X_SPDUPDATE,
935 src, prefs, dst, prefd, proto,
936 0, 0,
937 policy, policylen, seq)) < 0)
938 return -1;
939
940 return len;
941 }
942
943 /*
944 * sending SADB_X_SPDUPDATE message to the kernel.
945 * OUT:
946 * positive: success and return length sent.
947 * -1 : error occured, and set errno.
948 */
949 int
pfkey_send_spdupdate2(so,src,prefs,dst,prefd,proto,ltime,vtime,policy,policylen,seq)950 pfkey_send_spdupdate2(so, src, prefs, dst, prefd, proto, ltime, vtime,
951 policy, policylen, seq)
952 int so;
953 struct sockaddr *src, *dst;
954 u_int prefs, prefd, proto;
955 u_int64_t ltime, vtime;
956 caddr_t policy;
957 int policylen;
958 u_int32_t seq;
959 {
960 int len;
961
962 if ((len = pfkey_send_x4(so, SADB_X_SPDUPDATE,
963 src, prefs, dst, prefd, proto,
964 ltime, vtime,
965 policy, policylen, seq)) < 0)
966 return -1;
967
968 return len;
969 }
970
971 /*
972 * sending SADB_X_SPDDELETE message to the kernel.
973 * OUT:
974 * positive: success and return length sent.
975 * -1 : error occured, and set errno.
976 */
977 int
pfkey_send_spddelete(so,src,prefs,dst,prefd,proto,policy,policylen,seq)978 pfkey_send_spddelete(so, src, prefs, dst, prefd, proto, policy, policylen, seq)
979 int so;
980 struct sockaddr *src, *dst;
981 u_int prefs, prefd, proto;
982 caddr_t policy;
983 int policylen;
984 u_int32_t seq;
985 {
986 int len;
987
988 if (policylen != sizeof(struct sadb_x_policy)) {
989 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
990 return -1;
991 }
992
993 if ((len = pfkey_send_x4(so, SADB_X_SPDDELETE,
994 src, prefs, dst, prefd, proto,
995 0, 0,
996 policy, policylen, seq)) < 0)
997 return -1;
998
999 return len;
1000 }
1001
1002 /*
1003 * sending SADB_X_SPDDELETE message to the kernel.
1004 * OUT:
1005 * positive: success and return length sent.
1006 * -1 : error occured, and set errno.
1007 */
1008 int
pfkey_send_spddelete2(so,spid)1009 pfkey_send_spddelete2(so, spid)
1010 int so;
1011 u_int32_t spid;
1012 {
1013 int len;
1014
1015 if ((len = pfkey_send_x5(so, SADB_X_SPDDELETE2, spid)) < 0)
1016 return -1;
1017
1018 return len;
1019 }
1020
1021 /*
1022 * sending SADB_X_SPDGET message to the kernel.
1023 * OUT:
1024 * positive: success and return length sent.
1025 * -1 : error occured, and set errno.
1026 */
1027 int
pfkey_send_spdget(so,spid)1028 pfkey_send_spdget(so, spid)
1029 int so;
1030 u_int32_t spid;
1031 {
1032 int len;
1033
1034 if ((len = pfkey_send_x5(so, SADB_X_SPDGET, spid)) < 0)
1035 return -1;
1036
1037 return len;
1038 }
1039
1040 /*
1041 * sending SADB_X_SPDSETIDX message to the kernel.
1042 * OUT:
1043 * positive: success and return length sent.
1044 * -1 : error occured, and set errno.
1045 */
1046 int
pfkey_send_spdsetidx(so,src,prefs,dst,prefd,proto,policy,policylen,seq)1047 pfkey_send_spdsetidx(so, src, prefs, dst, prefd, proto, policy, policylen, seq)
1048 int so;
1049 struct sockaddr *src, *dst;
1050 u_int prefs, prefd, proto;
1051 caddr_t policy;
1052 int policylen;
1053 u_int32_t seq;
1054 {
1055 int len;
1056
1057 if (policylen != sizeof(struct sadb_x_policy)) {
1058 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
1059 return -1;
1060 }
1061
1062 if ((len = pfkey_send_x4(so, SADB_X_SPDSETIDX,
1063 src, prefs, dst, prefd, proto,
1064 0, 0,
1065 policy, policylen, seq)) < 0)
1066 return -1;
1067
1068 return len;
1069 }
1070
1071 /*
1072 * sending SADB_SPDFLUSH message to the kernel.
1073 * OUT:
1074 * positive: success and return length sent.
1075 * -1 : error occured, and set errno.
1076 */
1077 int
pfkey_send_spdflush(so)1078 pfkey_send_spdflush(so)
1079 int so;
1080 {
1081 int len;
1082
1083 if ((len = pfkey_send_x3(so, SADB_X_SPDFLUSH, SADB_SATYPE_UNSPEC)) < 0)
1084 return -1;
1085
1086 return len;
1087 }
1088
1089 /*
1090 * sending SADB_SPDDUMP message to the kernel.
1091 * OUT:
1092 * positive: success and return length sent.
1093 * -1 : error occured, and set errno.
1094 */
1095 int
pfkey_send_spddump(so)1096 pfkey_send_spddump(so)
1097 int so;
1098 {
1099 int len;
1100
1101 if ((len = pfkey_send_x3(so, SADB_X_SPDDUMP, SADB_SATYPE_UNSPEC)) < 0)
1102 return -1;
1103
1104 return len;
1105 }
1106
1107 /* sending SADB_ADD or SADB_UPDATE message to the kernel */
1108 static int
pfkey_send_x1(so,type,satype,mode,src,dst,spi,reqid,wsize,keymat,e_type,e_keylen,a_type,a_keylen,flags,l_alloc,l_bytes,l_addtime,l_usetime,seq)1109 pfkey_send_x1(so, type, satype, mode, src, dst, spi, reqid, wsize,
1110 keymat, e_type, e_keylen, a_type, a_keylen, flags,
1111 l_alloc, l_bytes, l_addtime, l_usetime, seq)
1112 int so;
1113 u_int type, satype, mode;
1114 struct sockaddr *src, *dst;
1115 u_int32_t spi, reqid;
1116 u_int wsize;
1117 caddr_t keymat;
1118 u_int e_type, e_keylen, a_type, a_keylen, flags;
1119 u_int32_t l_alloc, l_bytes, l_addtime, l_usetime, seq;
1120 {
1121 struct sadb_msg *newmsg;
1122 int len;
1123 caddr_t p;
1124 int plen;
1125 caddr_t ep;
1126
1127 /* validity check */
1128 if (src == NULL || dst == NULL) {
1129 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
1130 return -1;
1131 }
1132 if (src->sa_family != dst->sa_family) {
1133 __ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
1134 return -1;
1135 }
1136 switch (src->sa_family) {
1137 case AF_INET:
1138 plen = sizeof(struct in_addr) << 3;
1139 break;
1140 case AF_INET6:
1141 plen = sizeof(struct in6_addr) << 3;
1142 break;
1143 default:
1144 __ipsec_errcode = EIPSEC_INVAL_FAMILY;
1145 return -1;
1146 }
1147
1148 switch (satype) {
1149 case SADB_SATYPE_ESP:
1150 if (e_type == SADB_EALG_NONE) {
1151 __ipsec_errcode = EIPSEC_NO_ALGS;
1152 return -1;
1153 }
1154 break;
1155 case SADB_SATYPE_AH:
1156 if (e_type != SADB_EALG_NONE) {
1157 __ipsec_errcode = EIPSEC_INVAL_ALGS;
1158 return -1;
1159 }
1160 if (a_type == SADB_AALG_NONE) {
1161 __ipsec_errcode = EIPSEC_NO_ALGS;
1162 return -1;
1163 }
1164 break;
1165 case SADB_X_SATYPE_IPCOMP:
1166 if (e_type == SADB_X_CALG_NONE) {
1167 __ipsec_errcode = EIPSEC_INVAL_ALGS;
1168 return -1;
1169 }
1170 if (a_type != SADB_AALG_NONE) {
1171 __ipsec_errcode = EIPSEC_NO_ALGS;
1172 return -1;
1173 }
1174 break;
1175 case SADB_X_SATYPE_TCPSIGNATURE:
1176 if (e_type != SADB_EALG_NONE) {
1177 __ipsec_errcode = EIPSEC_INVAL_ALGS;
1178 return -1;
1179 }
1180 if (a_type != SADB_X_AALG_TCP_MD5) {
1181 __ipsec_errcode = EIPSEC_INVAL_ALGS;
1182 return -1;
1183 }
1184 break;
1185 default:
1186 __ipsec_errcode = EIPSEC_INVAL_SATYPE;
1187 return -1;
1188 }
1189
1190 /* create new sadb_msg to reply. */
1191 len = sizeof(struct sadb_msg)
1192 + sizeof(struct sadb_sa)
1193 + sizeof(struct sadb_x_sa2)
1194 + sizeof(struct sadb_address)
1195 + PFKEY_ALIGN8(src->sa_len)
1196 + sizeof(struct sadb_address)
1197 + PFKEY_ALIGN8(dst->sa_len)
1198 + sizeof(struct sadb_lifetime)
1199 + sizeof(struct sadb_lifetime);
1200
1201 if (wsize > UINT8_MAX) {
1202 if (wsize > (UINT32_MAX - 32) >> 3) {
1203 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
1204 return (-1);
1205 }
1206 len += sizeof(struct sadb_x_sa_replay);
1207 }
1208 if (e_type != SADB_EALG_NONE)
1209 len += (sizeof(struct sadb_key) + PFKEY_ALIGN8(e_keylen));
1210 if (a_type != SADB_AALG_NONE)
1211 len += (sizeof(struct sadb_key) + PFKEY_ALIGN8(a_keylen));
1212
1213 if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
1214 __ipsec_set_strerror(strerror(errno));
1215 return -1;
1216 }
1217 ep = ((caddr_t)newmsg) + len;
1218
1219 p = pfkey_setsadbmsg((caddr_t)newmsg, ep, type, len,
1220 satype, seq, getpid());
1221 if (!p) {
1222 free(newmsg);
1223 return -1;
1224 }
1225 p = pfkey_setsadbsa(p, ep, spi, wsize, a_type, e_type, flags);
1226 if (!p) {
1227 free(newmsg);
1228 return -1;
1229 }
1230 p = pfkey_setsadbxsa2(p, ep, mode, reqid);
1231 if (!p) {
1232 free(newmsg);
1233 return -1;
1234 }
1235 if (wsize > UINT8_MAX) {
1236 p = pfkey_setsadbxreplay(p, ep, wsize);
1237 if (!p) {
1238 free(newmsg);
1239 return (-1);
1240 }
1241 }
1242 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, plen,
1243 IPSEC_ULPROTO_ANY);
1244 if (!p) {
1245 free(newmsg);
1246 return -1;
1247 }
1248 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, plen,
1249 IPSEC_ULPROTO_ANY);
1250 if (!p) {
1251 free(newmsg);
1252 return -1;
1253 }
1254
1255 if (e_type != SADB_EALG_NONE) {
1256 p = pfkey_setsadbkey(p, ep, SADB_EXT_KEY_ENCRYPT,
1257 keymat, e_keylen);
1258 if (!p) {
1259 free(newmsg);
1260 return -1;
1261 }
1262 }
1263 if (a_type != SADB_AALG_NONE) {
1264 p = pfkey_setsadbkey(p, ep, SADB_EXT_KEY_AUTH,
1265 keymat + e_keylen, a_keylen);
1266 if (!p) {
1267 free(newmsg);
1268 return -1;
1269 }
1270 }
1271
1272 /* set sadb_lifetime for destination */
1273 p = pfkey_setsadblifetime(p, ep, SADB_EXT_LIFETIME_HARD,
1274 l_alloc, l_bytes, l_addtime, l_usetime);
1275 if (!p) {
1276 free(newmsg);
1277 return -1;
1278 }
1279 p = pfkey_setsadblifetime(p, ep, SADB_EXT_LIFETIME_SOFT,
1280 l_alloc, l_bytes, l_addtime, l_usetime);
1281 if (!p || p != ep) {
1282 free(newmsg);
1283 return -1;
1284 }
1285
1286 /* send message */
1287 len = pfkey_send(so, newmsg, len);
1288 free(newmsg);
1289
1290 if (len < 0)
1291 return -1;
1292
1293 __ipsec_errcode = EIPSEC_NO_ERROR;
1294 return len;
1295 }
1296
1297 /* sending SADB_DELETE or SADB_GET message to the kernel */
1298 static int
pfkey_send_x2(so,type,satype,mode,src,dst,spi)1299 pfkey_send_x2(so, type, satype, mode, src, dst, spi)
1300 int so;
1301 u_int type, satype, mode;
1302 struct sockaddr *src, *dst;
1303 u_int32_t spi;
1304 {
1305 struct sadb_msg *newmsg;
1306 int len;
1307 caddr_t p;
1308 int plen;
1309 caddr_t ep;
1310
1311 /* validity check */
1312 if (src == NULL || dst == NULL) {
1313 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
1314 return -1;
1315 }
1316 if (src->sa_family != dst->sa_family) {
1317 __ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
1318 return -1;
1319 }
1320 switch (src->sa_family) {
1321 case AF_INET:
1322 plen = sizeof(struct in_addr) << 3;
1323 break;
1324 case AF_INET6:
1325 plen = sizeof(struct in6_addr) << 3;
1326 break;
1327 default:
1328 __ipsec_errcode = EIPSEC_INVAL_FAMILY;
1329 return -1;
1330 }
1331
1332 /* create new sadb_msg to reply. */
1333 len = sizeof(struct sadb_msg)
1334 + sizeof(struct sadb_sa)
1335 + sizeof(struct sadb_address)
1336 + PFKEY_ALIGN8(src->sa_len)
1337 + sizeof(struct sadb_address)
1338 + PFKEY_ALIGN8(dst->sa_len);
1339
1340 if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
1341 __ipsec_set_strerror(strerror(errno));
1342 return -1;
1343 }
1344 ep = ((caddr_t)newmsg) + len;
1345
1346 p = pfkey_setsadbmsg((caddr_t)newmsg, ep, type, len, satype, 0,
1347 getpid());
1348 if (!p) {
1349 free(newmsg);
1350 return -1;
1351 }
1352 p = pfkey_setsadbsa(p, ep, spi, 0, 0, 0, 0);
1353 if (!p) {
1354 free(newmsg);
1355 return -1;
1356 }
1357 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, plen,
1358 IPSEC_ULPROTO_ANY);
1359 if (!p) {
1360 free(newmsg);
1361 return -1;
1362 }
1363 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, plen,
1364 IPSEC_ULPROTO_ANY);
1365 if (!p || p != ep) {
1366 free(newmsg);
1367 return -1;
1368 }
1369
1370 /* send message */
1371 len = pfkey_send(so, newmsg, len);
1372 free(newmsg);
1373
1374 if (len < 0)
1375 return -1;
1376
1377 __ipsec_errcode = EIPSEC_NO_ERROR;
1378 return len;
1379 }
1380
1381 /*
1382 * sending SADB_REGISTER, SADB_FLUSH, SADB_DUMP or SADB_X_PROMISC message
1383 * to the kernel
1384 */
1385 static int
pfkey_send_x3(so,type,satype)1386 pfkey_send_x3(so, type, satype)
1387 int so;
1388 u_int type, satype;
1389 {
1390 struct sadb_msg *newmsg;
1391 int len;
1392 caddr_t p;
1393 caddr_t ep;
1394
1395 /* validity check */
1396 switch (type) {
1397 case SADB_X_PROMISC:
1398 if (satype != 0 && satype != 1) {
1399 __ipsec_errcode = EIPSEC_INVAL_SATYPE;
1400 return -1;
1401 }
1402 break;
1403 default:
1404 switch (satype) {
1405 case SADB_SATYPE_UNSPEC:
1406 case SADB_SATYPE_AH:
1407 case SADB_SATYPE_ESP:
1408 case SADB_X_SATYPE_IPCOMP:
1409 case SADB_X_SATYPE_TCPSIGNATURE:
1410 break;
1411 default:
1412 __ipsec_errcode = EIPSEC_INVAL_SATYPE;
1413 return -1;
1414 }
1415 }
1416
1417 /* create new sadb_msg to send. */
1418 len = sizeof(struct sadb_msg);
1419
1420 if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
1421 __ipsec_set_strerror(strerror(errno));
1422 return -1;
1423 }
1424 ep = ((caddr_t)newmsg) + len;
1425
1426 p = pfkey_setsadbmsg((caddr_t)newmsg, ep, type, len, satype, 0,
1427 getpid());
1428 if (!p || p != ep) {
1429 free(newmsg);
1430 return -1;
1431 }
1432
1433 /* send message */
1434 len = pfkey_send(so, newmsg, len);
1435 free(newmsg);
1436
1437 if (len < 0)
1438 return -1;
1439
1440 __ipsec_errcode = EIPSEC_NO_ERROR;
1441 return len;
1442 }
1443
1444 /* sending SADB_X_SPDADD message to the kernel */
1445 static int
pfkey_send_x4(so,type,src,prefs,dst,prefd,proto,ltime,vtime,policy,policylen,seq)1446 pfkey_send_x4(so, type, src, prefs, dst, prefd, proto,
1447 ltime, vtime, policy, policylen, seq)
1448 int so;
1449 struct sockaddr *src, *dst;
1450 u_int type, prefs, prefd, proto;
1451 u_int64_t ltime, vtime;
1452 char *policy;
1453 int policylen;
1454 u_int32_t seq;
1455 {
1456 struct sadb_msg *newmsg;
1457 int len;
1458 caddr_t p;
1459 int plen;
1460 caddr_t ep;
1461
1462 /* validity check */
1463 if (src == NULL || dst == NULL) {
1464 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
1465 return -1;
1466 }
1467 if (src->sa_family != dst->sa_family) {
1468 __ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
1469 return -1;
1470 }
1471
1472 switch (src->sa_family) {
1473 case AF_INET:
1474 plen = sizeof(struct in_addr) << 3;
1475 break;
1476 case AF_INET6:
1477 plen = sizeof(struct in6_addr) << 3;
1478 break;
1479 default:
1480 __ipsec_errcode = EIPSEC_INVAL_FAMILY;
1481 return -1;
1482 }
1483 if (prefs > plen || prefd > plen) {
1484 __ipsec_errcode = EIPSEC_INVAL_PREFIXLEN;
1485 return -1;
1486 }
1487
1488 /* create new sadb_msg to reply. */
1489 len = sizeof(struct sadb_msg)
1490 + sizeof(struct sadb_address)
1491 + PFKEY_ALIGN8(src->sa_len)
1492 + sizeof(struct sadb_address)
1493 + PFKEY_ALIGN8(src->sa_len)
1494 + sizeof(struct sadb_lifetime)
1495 + policylen;
1496
1497 if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
1498 __ipsec_set_strerror(strerror(errno));
1499 return -1;
1500 }
1501 ep = ((caddr_t)newmsg) + len;
1502
1503 p = pfkey_setsadbmsg((caddr_t)newmsg, ep, type, len,
1504 SADB_SATYPE_UNSPEC, seq, getpid());
1505 if (!p) {
1506 free(newmsg);
1507 return -1;
1508 }
1509 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, prefs, proto);
1510 if (!p) {
1511 free(newmsg);
1512 return -1;
1513 }
1514 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, prefd, proto);
1515 if (!p) {
1516 free(newmsg);
1517 return -1;
1518 }
1519 p = pfkey_setsadblifetime(p, ep, SADB_EXT_LIFETIME_HARD,
1520 0, 0, ltime, vtime);
1521 if (!p || p + policylen != ep) {
1522 free(newmsg);
1523 return -1;
1524 }
1525 memcpy(p, policy, policylen);
1526
1527 /* send message */
1528 len = pfkey_send(so, newmsg, len);
1529 free(newmsg);
1530
1531 if (len < 0)
1532 return -1;
1533
1534 __ipsec_errcode = EIPSEC_NO_ERROR;
1535 return len;
1536 }
1537
1538 /* sending SADB_X_SPDGET or SADB_X_SPDDELETE message to the kernel */
1539 static int
pfkey_send_x5(so,type,spid)1540 pfkey_send_x5(so, type, spid)
1541 int so;
1542 u_int type;
1543 u_int32_t spid;
1544 {
1545 struct sadb_msg *newmsg;
1546 struct sadb_x_policy xpl;
1547 int len;
1548 caddr_t p;
1549 caddr_t ep;
1550
1551 /* create new sadb_msg to reply. */
1552 len = sizeof(struct sadb_msg)
1553 + sizeof(xpl);
1554
1555 if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
1556 __ipsec_set_strerror(strerror(errno));
1557 return -1;
1558 }
1559 ep = ((caddr_t)newmsg) + len;
1560
1561 p = pfkey_setsadbmsg((caddr_t)newmsg, ep, type, len,
1562 SADB_SATYPE_UNSPEC, 0, getpid());
1563 if (!p) {
1564 free(newmsg);
1565 return -1;
1566 }
1567
1568 if (p + sizeof(xpl) != ep) {
1569 free(newmsg);
1570 return -1;
1571 }
1572 memset(&xpl, 0, sizeof(xpl));
1573 xpl.sadb_x_policy_len = PFKEY_UNIT64(sizeof(xpl));
1574 xpl.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
1575 xpl.sadb_x_policy_id = spid;
1576 memcpy(p, &xpl, sizeof(xpl));
1577
1578 /* send message */
1579 len = pfkey_send(so, newmsg, len);
1580 free(newmsg);
1581
1582 if (len < 0)
1583 return -1;
1584
1585 __ipsec_errcode = EIPSEC_NO_ERROR;
1586 return len;
1587 }
1588
1589 /*
1590 * open a socket.
1591 * OUT:
1592 * -1: fail.
1593 * others : success and return value of socket.
1594 */
1595 int
pfkey_open(void)1596 pfkey_open(void)
1597 {
1598 int so;
1599 int bufsiz_current, bufsiz_wanted;
1600 int ret;
1601 socklen_t len;
1602
1603 if ((so = socket(PF_KEY, SOCK_RAW, PF_KEY_V2)) < 0) {
1604 __ipsec_set_strerror(strerror(errno));
1605 return -1;
1606 }
1607
1608 /*
1609 * This is a temporary workaround for KAME PR 154.
1610 * Don't really care even if it fails.
1611 */
1612 /* Try to have 128k. If we have more, do not lower it. */
1613 bufsiz_wanted = 128 * 1024;
1614 len = sizeof(bufsiz_current);
1615 ret = getsockopt(so, SOL_SOCKET, SO_SNDBUF,
1616 &bufsiz_current, &len);
1617 if ((ret < 0) || (bufsiz_current < bufsiz_wanted))
1618 (void)setsockopt(so, SOL_SOCKET, SO_SNDBUF,
1619 &bufsiz_wanted, sizeof(bufsiz_wanted));
1620
1621 /* Try to have have at least 2MB. If we have more, do not lower it. */
1622 bufsiz_wanted = 2 * 1024 * 1024;
1623 len = sizeof(bufsiz_current);
1624 ret = getsockopt(so, SOL_SOCKET, SO_RCVBUF,
1625 &bufsiz_current, &len);
1626 if (ret < 0)
1627 bufsiz_current = 128 * 1024;
1628
1629 for (; bufsiz_wanted > bufsiz_current; bufsiz_wanted /= 2) {
1630 if (setsockopt(so, SOL_SOCKET, SO_RCVBUF,
1631 &bufsiz_wanted, sizeof(bufsiz_wanted)) == 0)
1632 break;
1633 }
1634
1635 __ipsec_errcode = EIPSEC_NO_ERROR;
1636 return so;
1637 }
1638
1639 /*
1640 * close a socket.
1641 * OUT:
1642 * 0: success.
1643 * -1: fail.
1644 */
1645 void
pfkey_close(so)1646 pfkey_close(so)
1647 int so;
1648 {
1649 (void)close(so);
1650
1651 __ipsec_errcode = EIPSEC_NO_ERROR;
1652 return;
1653 }
1654
1655 /*
1656 * receive sadb_msg data, and return pointer to new buffer allocated.
1657 * Must free this buffer later.
1658 * OUT:
1659 * NULL : error occured.
1660 * others : a pointer to sadb_msg structure.
1661 *
1662 * XXX should be rewritten to pass length explicitly
1663 */
1664 struct sadb_msg *
pfkey_recv(so)1665 pfkey_recv(so)
1666 int so;
1667 {
1668 struct sadb_msg buf, *newmsg;
1669 int len, reallen;
1670
1671 while ((len = recv(so, (caddr_t)&buf, sizeof(buf), MSG_PEEK)) < 0) {
1672 if (errno == EINTR)
1673 continue;
1674 __ipsec_set_strerror(strerror(errno));
1675 return NULL;
1676 }
1677
1678 if (len < sizeof(buf)) {
1679 recv(so, (caddr_t)&buf, sizeof(buf), 0);
1680 __ipsec_errcode = EIPSEC_MAX;
1681 return NULL;
1682 }
1683
1684 /* read real message */
1685 reallen = PFKEY_UNUNIT64(buf.sadb_msg_len);
1686 if ((newmsg = CALLOC(reallen, struct sadb_msg *)) == NULL) {
1687 __ipsec_set_strerror(strerror(errno));
1688 return NULL;
1689 }
1690
1691 while ((len = recv(so, (caddr_t)newmsg, reallen, 0)) < 0) {
1692 if (errno == EINTR)
1693 continue;
1694 __ipsec_set_strerror(strerror(errno));
1695 free(newmsg);
1696 return NULL;
1697 }
1698
1699 if (len != reallen) {
1700 __ipsec_errcode = EIPSEC_SYSTEM_ERROR;
1701 free(newmsg);
1702 return NULL;
1703 }
1704
1705 /* don't trust what the kernel says, validate! */
1706 if (PFKEY_UNUNIT64(newmsg->sadb_msg_len) != len) {
1707 __ipsec_errcode = EIPSEC_SYSTEM_ERROR;
1708 free(newmsg);
1709 return NULL;
1710 }
1711
1712 __ipsec_errcode = EIPSEC_NO_ERROR;
1713 return newmsg;
1714 }
1715
1716 /*
1717 * send message to a socket.
1718 * OUT:
1719 * others: success and return length sent.
1720 * -1 : fail.
1721 */
1722 int
pfkey_send(so,msg,len)1723 pfkey_send(so, msg, len)
1724 int so;
1725 struct sadb_msg *msg;
1726 int len;
1727 {
1728 if ((len = send(so, (caddr_t)msg, len, 0)) < 0) {
1729 __ipsec_set_strerror(strerror(errno));
1730 return -1;
1731 }
1732
1733 __ipsec_errcode = EIPSEC_NO_ERROR;
1734 return len;
1735 }
1736
1737 /*
1738 * %%% Utilities
1739 * NOTE: These functions are derived from netkey/key.c in KAME.
1740 */
1741 /*
1742 * set the pointer to each header in this message buffer.
1743 * IN: msg: pointer to message buffer.
1744 * mhp: pointer to the buffer initialized like below:
1745 * caddr_t mhp[SADB_EXT_MAX + 1];
1746 * OUT: -1: invalid.
1747 * 0: valid.
1748 *
1749 * XXX should be rewritten to obtain length explicitly
1750 */
1751 int
pfkey_align(msg,mhp)1752 pfkey_align(msg, mhp)
1753 struct sadb_msg *msg;
1754 caddr_t *mhp;
1755 {
1756 struct sadb_ext *ext;
1757 int i;
1758 caddr_t p;
1759 caddr_t ep; /* XXX should be passed from upper layer */
1760
1761 /* validity check */
1762 if (msg == NULL || mhp == NULL) {
1763 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
1764 return -1;
1765 }
1766
1767 /* initialize */
1768 for (i = 0; i < SADB_EXT_MAX + 1; i++)
1769 mhp[i] = NULL;
1770
1771 mhp[0] = (caddr_t)msg;
1772
1773 /* initialize */
1774 p = (caddr_t) msg;
1775 ep = p + PFKEY_UNUNIT64(msg->sadb_msg_len);
1776
1777 /* skip base header */
1778 p += sizeof(struct sadb_msg);
1779
1780 while (p < ep) {
1781 ext = (struct sadb_ext *)p;
1782 if (ep < p + sizeof(*ext) || PFKEY_EXTLEN(ext) < sizeof(*ext) ||
1783 ep < p + PFKEY_EXTLEN(ext)) {
1784 /* invalid format */
1785 break;
1786 }
1787
1788 /* duplicate check */
1789 /* XXX Are there duplication either KEY_AUTH or KEY_ENCRYPT ?*/
1790 if (mhp[ext->sadb_ext_type] != NULL) {
1791 __ipsec_errcode = EIPSEC_INVAL_EXTTYPE;
1792 return -1;
1793 }
1794
1795 /* set pointer */
1796 switch (ext->sadb_ext_type) {
1797 case SADB_EXT_SA:
1798 case SADB_EXT_LIFETIME_CURRENT:
1799 case SADB_EXT_LIFETIME_HARD:
1800 case SADB_EXT_LIFETIME_SOFT:
1801 case SADB_EXT_ADDRESS_SRC:
1802 case SADB_EXT_ADDRESS_DST:
1803 case SADB_EXT_ADDRESS_PROXY:
1804 case SADB_EXT_KEY_AUTH:
1805 /* XXX should to be check weak keys. */
1806 case SADB_EXT_KEY_ENCRYPT:
1807 /* XXX should to be check weak keys. */
1808 case SADB_EXT_IDENTITY_SRC:
1809 case SADB_EXT_IDENTITY_DST:
1810 case SADB_EXT_SENSITIVITY:
1811 case SADB_EXT_PROPOSAL:
1812 case SADB_EXT_SUPPORTED_AUTH:
1813 case SADB_EXT_SUPPORTED_ENCRYPT:
1814 case SADB_EXT_SPIRANGE:
1815 case SADB_X_EXT_POLICY:
1816 case SADB_X_EXT_SA2:
1817 case SADB_X_EXT_NAT_T_TYPE:
1818 case SADB_X_EXT_NAT_T_SPORT:
1819 case SADB_X_EXT_NAT_T_DPORT:
1820 case SADB_X_EXT_NAT_T_OAI:
1821 case SADB_X_EXT_NAT_T_OAR:
1822 case SADB_X_EXT_NAT_T_FRAG:
1823 case SADB_X_EXT_SA_REPLAY:
1824 case SADB_X_EXT_NEW_ADDRESS_SRC:
1825 case SADB_X_EXT_NEW_ADDRESS_DST:
1826 mhp[ext->sadb_ext_type] = (caddr_t)ext;
1827 break;
1828 default:
1829 __ipsec_errcode = EIPSEC_INVAL_EXTTYPE;
1830 return -1;
1831 }
1832
1833 p += PFKEY_EXTLEN(ext);
1834 }
1835
1836 if (p != ep) {
1837 __ipsec_errcode = EIPSEC_INVAL_SADBMSG;
1838 return -1;
1839 }
1840
1841 __ipsec_errcode = EIPSEC_NO_ERROR;
1842 return 0;
1843 }
1844
1845 /*
1846 * check basic usage for sadb_msg,
1847 * NOTE: This routine is derived from netkey/key.c in KAME.
1848 * IN: msg: pointer to message buffer.
1849 * mhp: pointer to the buffer initialized like below:
1850 *
1851 * caddr_t mhp[SADB_EXT_MAX + 1];
1852 *
1853 * OUT: -1: invalid.
1854 * 0: valid.
1855 */
1856 int
pfkey_check(mhp)1857 pfkey_check(mhp)
1858 caddr_t *mhp;
1859 {
1860 struct sadb_msg *msg;
1861
1862 /* validity check */
1863 if (mhp == NULL || mhp[0] == NULL) {
1864 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
1865 return -1;
1866 }
1867
1868 msg = (struct sadb_msg *)mhp[0];
1869
1870 /* check version */
1871 if (msg->sadb_msg_version != PF_KEY_V2) {
1872 __ipsec_errcode = EIPSEC_INVAL_VERSION;
1873 return -1;
1874 }
1875
1876 /* check type */
1877 if (msg->sadb_msg_type > SADB_MAX) {
1878 __ipsec_errcode = EIPSEC_INVAL_MSGTYPE;
1879 return -1;
1880 }
1881
1882 /* check SA type */
1883 switch (msg->sadb_msg_satype) {
1884 case SADB_SATYPE_UNSPEC:
1885 switch (msg->sadb_msg_type) {
1886 case SADB_GETSPI:
1887 case SADB_UPDATE:
1888 case SADB_ADD:
1889 case SADB_DELETE:
1890 case SADB_GET:
1891 case SADB_ACQUIRE:
1892 case SADB_EXPIRE:
1893 __ipsec_errcode = EIPSEC_INVAL_SATYPE;
1894 return -1;
1895 }
1896 break;
1897 case SADB_SATYPE_ESP:
1898 case SADB_SATYPE_AH:
1899 case SADB_X_SATYPE_IPCOMP:
1900 case SADB_X_SATYPE_TCPSIGNATURE:
1901 switch (msg->sadb_msg_type) {
1902 case SADB_X_SPDADD:
1903 case SADB_X_SPDDELETE:
1904 case SADB_X_SPDGET:
1905 case SADB_X_SPDDUMP:
1906 case SADB_X_SPDFLUSH:
1907 __ipsec_errcode = EIPSEC_INVAL_SATYPE;
1908 return -1;
1909 }
1910 break;
1911 case SADB_SATYPE_RSVP:
1912 case SADB_SATYPE_OSPFV2:
1913 case SADB_SATYPE_RIPV2:
1914 case SADB_SATYPE_MIP:
1915 __ipsec_errcode = EIPSEC_NOT_SUPPORTED;
1916 return -1;
1917 case 1: /* XXX: What does it do ? */
1918 if (msg->sadb_msg_type == SADB_X_PROMISC)
1919 break;
1920 /*FALLTHROUGH*/
1921 default:
1922 __ipsec_errcode = EIPSEC_INVAL_SATYPE;
1923 return -1;
1924 }
1925
1926 /* check field of upper layer protocol and address family */
1927 if (mhp[SADB_EXT_ADDRESS_SRC] != NULL
1928 && mhp[SADB_EXT_ADDRESS_DST] != NULL) {
1929 struct sadb_address *src0, *dst0;
1930
1931 src0 = (struct sadb_address *)(mhp[SADB_EXT_ADDRESS_SRC]);
1932 dst0 = (struct sadb_address *)(mhp[SADB_EXT_ADDRESS_DST]);
1933
1934 if (src0->sadb_address_proto != dst0->sadb_address_proto) {
1935 __ipsec_errcode = EIPSEC_PROTO_MISMATCH;
1936 return -1;
1937 }
1938
1939 if (PFKEY_ADDR_SADDR(src0)->sa_family
1940 != PFKEY_ADDR_SADDR(dst0)->sa_family) {
1941 __ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
1942 return -1;
1943 }
1944
1945 switch (PFKEY_ADDR_SADDR(src0)->sa_family) {
1946 case AF_INET:
1947 case AF_INET6:
1948 break;
1949 default:
1950 __ipsec_errcode = EIPSEC_INVAL_FAMILY;
1951 return -1;
1952 }
1953
1954 /*
1955 * prefixlen == 0 is valid because there must be the case
1956 * all addresses are matched.
1957 */
1958 }
1959
1960 __ipsec_errcode = EIPSEC_NO_ERROR;
1961 return 0;
1962 }
1963
1964 /*
1965 * set data into sadb_msg.
1966 * `buf' must has been allocated sufficiently.
1967 */
1968 static caddr_t
pfkey_setsadbmsg(buf,lim,type,tlen,satype,seq,pid)1969 pfkey_setsadbmsg(buf, lim, type, tlen, satype, seq, pid)
1970 caddr_t buf;
1971 caddr_t lim;
1972 u_int type, satype;
1973 u_int tlen;
1974 u_int32_t seq;
1975 pid_t pid;
1976 {
1977 struct sadb_msg *p;
1978 u_int len;
1979
1980 p = (struct sadb_msg *)buf;
1981 len = sizeof(struct sadb_msg);
1982
1983 if (buf + len > lim)
1984 return NULL;
1985
1986 memset(p, 0, len);
1987 p->sadb_msg_version = PF_KEY_V2;
1988 p->sadb_msg_type = type;
1989 p->sadb_msg_errno = 0;
1990 p->sadb_msg_satype = satype;
1991 p->sadb_msg_len = PFKEY_UNIT64(tlen);
1992 p->sadb_msg_reserved = 0;
1993 p->sadb_msg_seq = seq;
1994 p->sadb_msg_pid = (u_int32_t)pid;
1995
1996 return(buf + len);
1997 }
1998
1999 /*
2000 * copy secasvar data into sadb_address.
2001 * `buf' must has been allocated sufficiently.
2002 */
2003 static caddr_t
pfkey_setsadbsa(buf,lim,spi,wsize,auth,enc,flags)2004 pfkey_setsadbsa(buf, lim, spi, wsize, auth, enc, flags)
2005 caddr_t buf;
2006 caddr_t lim;
2007 u_int32_t spi, flags;
2008 u_int wsize, auth, enc;
2009 {
2010 struct sadb_sa *p;
2011 u_int len;
2012
2013 p = (struct sadb_sa *)buf;
2014 len = sizeof(struct sadb_sa);
2015
2016 if (buf + len > lim)
2017 return NULL;
2018
2019 memset(p, 0, len);
2020 p->sadb_sa_len = PFKEY_UNIT64(len);
2021 p->sadb_sa_exttype = SADB_EXT_SA;
2022 p->sadb_sa_spi = spi;
2023 p->sadb_sa_replay = wsize > UINT8_MAX ? UINT8_MAX: wsize;
2024 p->sadb_sa_state = SADB_SASTATE_LARVAL;
2025 p->sadb_sa_auth = auth;
2026 p->sadb_sa_encrypt = enc;
2027 p->sadb_sa_flags = flags;
2028
2029 return(buf + len);
2030 }
2031
2032 /*
2033 * Set data into sadb_x_sa_replay.
2034 * `buf' must has been allocated sufficiently.
2035 */
2036 static caddr_t
pfkey_setsadbxreplay(caddr_t buf,caddr_t lim,uint32_t wsize)2037 pfkey_setsadbxreplay(caddr_t buf, caddr_t lim, uint32_t wsize)
2038 {
2039 struct sadb_x_sa_replay *p;
2040 u_int len;
2041
2042 p = (struct sadb_x_sa_replay *)buf;
2043 len = sizeof(struct sadb_x_sa_replay);
2044
2045 if (buf + len > lim)
2046 return (NULL);
2047
2048 memset(p, 0, len);
2049 p->sadb_x_sa_replay_len = PFKEY_UNIT64(len);
2050 p->sadb_x_sa_replay_exttype = SADB_X_EXT_SA_REPLAY;
2051 /* Convert wsize from bytes to number of packets. */
2052 p->sadb_x_sa_replay_replay = wsize << 3;
2053
2054 return (buf + len);
2055 }
2056
2057 /*
2058 * set data into sadb_address.
2059 * `buf' must has been allocated sufficiently.
2060 * prefixlen is in bits.
2061 */
2062 static caddr_t
pfkey_setsadbaddr(buf,lim,exttype,saddr,prefixlen,ul_proto)2063 pfkey_setsadbaddr(buf, lim, exttype, saddr, prefixlen, ul_proto)
2064 caddr_t buf;
2065 caddr_t lim;
2066 u_int exttype;
2067 struct sockaddr *saddr;
2068 u_int prefixlen;
2069 u_int ul_proto;
2070 {
2071 struct sadb_address *p;
2072 u_int len;
2073
2074 p = (struct sadb_address *)buf;
2075 len = sizeof(struct sadb_address) + PFKEY_ALIGN8(saddr->sa_len);
2076
2077 if (buf + len > lim)
2078 return NULL;
2079
2080 memset(p, 0, len);
2081 p->sadb_address_len = PFKEY_UNIT64(len);
2082 p->sadb_address_exttype = exttype & 0xffff;
2083 p->sadb_address_proto = ul_proto & 0xff;
2084 p->sadb_address_prefixlen = prefixlen;
2085 p->sadb_address_reserved = 0;
2086
2087 memcpy(p + 1, saddr, saddr->sa_len);
2088
2089 return(buf + len);
2090 }
2091
2092 /*
2093 * set sadb_key structure after clearing buffer with zero.
2094 * OUT: the pointer of buf + len.
2095 */
2096 static caddr_t
pfkey_setsadbkey(buf,lim,type,key,keylen)2097 pfkey_setsadbkey(buf, lim, type, key, keylen)
2098 caddr_t buf;
2099 caddr_t lim;
2100 caddr_t key;
2101 u_int type, keylen;
2102 {
2103 struct sadb_key *p;
2104 u_int len;
2105
2106 p = (struct sadb_key *)buf;
2107 len = sizeof(struct sadb_key) + PFKEY_ALIGN8(keylen);
2108
2109 if (buf + len > lim)
2110 return NULL;
2111
2112 memset(p, 0, len);
2113 p->sadb_key_len = PFKEY_UNIT64(len);
2114 p->sadb_key_exttype = type;
2115 p->sadb_key_bits = keylen << 3;
2116 p->sadb_key_reserved = 0;
2117
2118 memcpy(p + 1, key, keylen);
2119
2120 return buf + len;
2121 }
2122
2123 /*
2124 * set sadb_lifetime structure after clearing buffer with zero.
2125 * OUT: the pointer of buf + len.
2126 */
2127 static caddr_t
pfkey_setsadblifetime(buf,lim,type,l_alloc,l_bytes,l_addtime,l_usetime)2128 pfkey_setsadblifetime(buf, lim, type, l_alloc, l_bytes, l_addtime, l_usetime)
2129 caddr_t buf;
2130 caddr_t lim;
2131 u_int type;
2132 u_int32_t l_alloc, l_bytes, l_addtime, l_usetime;
2133 {
2134 struct sadb_lifetime *p;
2135 u_int len;
2136
2137 p = (struct sadb_lifetime *)buf;
2138 len = sizeof(struct sadb_lifetime);
2139
2140 if (buf + len > lim)
2141 return NULL;
2142
2143 memset(p, 0, len);
2144 p->sadb_lifetime_len = PFKEY_UNIT64(len);
2145 p->sadb_lifetime_exttype = type;
2146
2147 switch (type) {
2148 case SADB_EXT_LIFETIME_SOFT:
2149 p->sadb_lifetime_allocations
2150 = (l_alloc * soft_lifetime_allocations_rate) /100;
2151 p->sadb_lifetime_bytes
2152 = (l_bytes * soft_lifetime_bytes_rate) /100;
2153 p->sadb_lifetime_addtime
2154 = (l_addtime * soft_lifetime_addtime_rate) /100;
2155 p->sadb_lifetime_usetime
2156 = (l_usetime * soft_lifetime_usetime_rate) /100;
2157 break;
2158 case SADB_EXT_LIFETIME_HARD:
2159 p->sadb_lifetime_allocations = l_alloc;
2160 p->sadb_lifetime_bytes = l_bytes;
2161 p->sadb_lifetime_addtime = l_addtime;
2162 p->sadb_lifetime_usetime = l_usetime;
2163 break;
2164 }
2165
2166 return buf + len;
2167 }
2168
2169 /*
2170 * copy secasvar data into sadb_address.
2171 * `buf' must has been allocated sufficiently.
2172 */
2173 static caddr_t
pfkey_setsadbxsa2(buf,lim,mode0,reqid)2174 pfkey_setsadbxsa2(buf, lim, mode0, reqid)
2175 caddr_t buf;
2176 caddr_t lim;
2177 u_int32_t mode0;
2178 u_int32_t reqid;
2179 {
2180 struct sadb_x_sa2 *p;
2181 u_int8_t mode = mode0 & 0xff;
2182 u_int len;
2183
2184 p = (struct sadb_x_sa2 *)buf;
2185 len = sizeof(struct sadb_x_sa2);
2186
2187 if (buf + len > lim)
2188 return NULL;
2189
2190 memset(p, 0, len);
2191 p->sadb_x_sa2_len = PFKEY_UNIT64(len);
2192 p->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
2193 p->sadb_x_sa2_mode = mode;
2194 p->sadb_x_sa2_reqid = reqid;
2195
2196 return(buf + len);
2197 }
2198