1 | /* $KAME: pfkey.c,v 1.46 2003/08/26 03:37:06 itojun Exp $ */ |
---|
2 | |
---|
3 | /* |
---|
4 | * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project. |
---|
5 | * All rights reserved. |
---|
6 | * |
---|
7 | * Redistribution and use in source and binary forms, with or without |
---|
8 | * modification, are permitted provided that the following conditions |
---|
9 | * are met: |
---|
10 | * 1. Redistributions of source code must retain the above copyright |
---|
11 | * notice, this list of conditions and the following disclaimer. |
---|
12 | * 2. Redistributions in binary form must reproduce the above copyright |
---|
13 | * notice, this list of conditions and the following disclaimer in the |
---|
14 | * documentation and/or other materials provided with the distribution. |
---|
15 | * 3. Neither the name of the project nor the names of its contributors |
---|
16 | * may be used to endorse or promote products derived from this software |
---|
17 | * without specific prior written permission. |
---|
18 | * |
---|
19 | * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND |
---|
20 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
---|
21 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
---|
22 | * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE |
---|
23 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
---|
24 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
---|
25 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
---|
26 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
---|
27 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
---|
28 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
---|
29 | * SUCH DAMAGE. |
---|
30 | */ |
---|
31 | |
---|
32 | #include <sys/cdefs.h> |
---|
33 | __FBSDID("$FreeBSD$"); |
---|
34 | |
---|
35 | #include <sys/types.h> |
---|
36 | #include <sys/param.h> |
---|
37 | #include <sys/socket.h> |
---|
38 | #ifdef __rtems__ |
---|
39 | #include <freebsd/net/pfkeyv2.h> |
---|
40 | #include <freebsd/netipsec/key_var.h> |
---|
41 | #include <freebsd/netinet/in.h> |
---|
42 | #include <freebsd/netipsec/ipsec.h> |
---|
43 | #else |
---|
44 | #include <net/pfkeyv2.h> |
---|
45 | #include <netipsec/key_var.h> |
---|
46 | #include <netinet/in.h> |
---|
47 | #include <netipsec/ipsec.h> |
---|
48 | #endif |
---|
49 | |
---|
50 | #include <stdlib.h> |
---|
51 | #include <unistd.h> |
---|
52 | #include <string.h> |
---|
53 | #include <errno.h> |
---|
54 | |
---|
55 | #include "ipsec_strerror.h" |
---|
56 | #include "libpfkey.h" |
---|
57 | |
---|
/* Zeroed allocation of one object of `size` bytes, cast to the given pointer type. */
#define CALLOC(size, cast) (cast)calloc(1, (size))

/* Supported-algorithm cache helpers (definitions follow below). */
static int findsupportedmap(int);
static int setsupportedmap(struct sadb_supported *);
static struct sadb_alg *findsupportedalg(u_int, u_int);

/*
 * Generic message builders shared by the public pfkey_send_* entry points;
 * each returns the length sent, or a negative value on error.
 * (Bodies are outside this view.)
 */
static int pfkey_send_x1(int, u_int, u_int, u_int, struct sockaddr *,
	struct sockaddr *, u_int32_t, u_int32_t, u_int, caddr_t,
	u_int, u_int, u_int, u_int, u_int, u_int32_t, u_int32_t,
	u_int32_t, u_int32_t, u_int32_t);
static int pfkey_send_x2(int, u_int, u_int, u_int,
	struct sockaddr *, struct sockaddr *, u_int32_t);
static int pfkey_send_x3(int, u_int, u_int);
static int pfkey_send_x4(int, u_int, struct sockaddr *, u_int,
	struct sockaddr *, u_int, u_int, u_int64_t, u_int64_t,
	char *, int, u_int32_t);
static int pfkey_send_x5(int, u_int, u_int32_t);

/*
 * Extension writers.  Each takes the current write cursor and the end of
 * the buffer, appends one extension, and returns the advanced cursor, or
 * NULL on failure (callers below free the message and return -1).
 * (Bodies are outside this view.)
 */
static caddr_t pfkey_setsadbmsg(caddr_t, caddr_t, u_int, u_int,
	u_int, u_int32_t, pid_t);
static caddr_t pfkey_setsadbsa(caddr_t, caddr_t, u_int32_t, u_int,
	u_int, u_int, u_int32_t);
static caddr_t pfkey_setsadbaddr(caddr_t, caddr_t, u_int,
	struct sockaddr *, u_int, u_int);
static caddr_t pfkey_setsadbkey(caddr_t, caddr_t, u_int, caddr_t, u_int);
static caddr_t pfkey_setsadblifetime(caddr_t, caddr_t, u_int, u_int32_t,
	u_int32_t, u_int32_t, u_int32_t);
static caddr_t pfkey_setsadbxsa2(caddr_t, caddr_t, u_int32_t, u_int32_t);
---|
85 | |
---|
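/*
 * Supported-algorithm cache.  It is filled from the kernel's SADB_REGISTER
 * reply (pfkey_recv_register -> pfkey_set_supported -> setsupportedmap)
 * and searched by findsupportedalg().
 */

/* SA types that have a cache slot; findsupportedmap() maps a type to its index. */
static int supported_map[] = {
	SADB_SATYPE_AH,
	SADB_SATYPE_ESP,
	SADB_X_SATYPE_IPCOMP,
	SADB_X_SATYPE_TCPSIGNATURE
};

/*
 * One cached sadb_supported block per entry of supported_map, indexed by
 * findsupportedmap().  Sized from the map so the two arrays cannot drift
 * apart (pfkey_send_register walks ipsec_supported with the map's length).
 * Static storage starts out NULL, i.e. "no reply stored yet".
 */
static struct sadb_supported *ipsec_supported[
    sizeof(supported_map) / sizeof(supported_map[0])];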
---|
97 | |
---|
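/*
 * Map a PF_KEY SA type onto its slot in ipsec_supported[].
 * Returns the index, or -1 when satype is not listed in supported_map.
 */
static int
findsupportedmap(int satype)
{
	size_t i;

	/* size_t index: the bound is a sizeof expression, avoid sign-compare. */
	for (i = 0; i < sizeof(supported_map) / sizeof(supported_map[0]); i++) {
		if (supported_map[i] == satype)
			return (int)i;
	}
	return -1;
}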
---|
109 | |
---|
/*
 * Look up alg_id in the cached sadb_supported block for satype.
 * Returns a pointer into the cache (owned by this file; do not free), or
 * NULL with __ipsec_errcode set: EIPSEC_INVAL_ARGUMENT for an unknown
 * satype, EIPSEC_DO_GET_SUPP_LIST when no SADB_REGISTER reply has been
 * stored for it yet, EIPSEC_NOT_SUPPORTED when the algorithm is absent.
 */
static struct sadb_alg *
findsupportedalg(u_int satype, u_int alg_id)
{
	struct sadb_supported *sup;
	struct sadb_alg *alg;
	int slot, remain;

	slot = findsupportedmap(satype);
	if (slot < 0) {
		__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
		return NULL;
	}
	sup = ipsec_supported[slot];
	if (sup == NULL) {
		__ipsec_errcode = EIPSEC_DO_GET_SUPP_LIST;
		return NULL;
	}

	/* sadb_supported_len is already in bytes here (pfkey_set_supported rewrites it). */
	remain = sup->sadb_supported_len - sizeof(*sup);
	alg = (struct sadb_alg *)(sup + 1);
	for (; remain > 0; remain -= sizeof(*alg), alg++) {
		if (remain < sizeof(*alg))
			break;		/* trailing partial entry: malformed */
		if (alg->sadb_alg_id == alg_id)
			return alg;
	}

	__ipsec_errcode = EIPSEC_NOT_SUPPORTED;
	return NULL;
}
---|
147 | |
---|
/*
 * Store a private copy of sup in the cache slot for its extension type
 * (SUPPORTED_AUTH -> AH, SUPPORTED_ENCRYPT -> ESP), replacing any earlier
 * copy.  sup->sadb_supported_len must already be a byte count.
 * Returns 0, or -1 with __ipsec_errcode / the error string set.
 */
static int
setsupportedmap(struct sadb_supported *sup)
{
	struct sadb_supported **slot;
	int satype;

	switch (sup->sadb_supported_exttype) {
	case SADB_EXT_SUPPORTED_AUTH:
		satype = SADB_SATYPE_AH;
		break;
	case SADB_EXT_SUPPORTED_ENCRYPT:
		satype = SADB_SATYPE_ESP;
		break;
	default:
		__ipsec_errcode = EIPSEC_INVAL_SATYPE;
		return -1;
	}
	slot = &ipsec_supported[findsupportedmap(satype)];

	/* Drop the previous copy (free(NULL) is a no-op) before replacing it. */
	free(*slot);
	*slot = malloc(sup->sadb_supported_len);
	if (*slot == NULL) {
		__ipsec_set_strerror(strerror(errno));
		return -1;
	}
	memcpy(*slot, sup, sup->sadb_supported_len);
	return 0;
}
---|
178 | |
---|
/*
 * Validate keylen (in bits) for alg_id under the SADB_EXT_SUPPORTED_AUTH
 * or SADB_EXT_SUPPORTED_ENCRYPT table.  Thin wrapper that maps the
 * extension type to an SA type and defers to ipsec_check_keylen2().
 * OUT:
 *	0:  valid.
 *	-1: invalid, __ipsec_errcode set.
 */
int
ipsec_check_keylen(u_int supported, u_int alg_id, u_int keylen)
{
	int satype;

	if (supported == SADB_EXT_SUPPORTED_AUTH) {
		satype = SADB_SATYPE_AH;
	} else if (supported == SADB_EXT_SUPPORTED_ENCRYPT) {
		satype = SADB_SATYPE_ESP;
	} else {
		__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
		return -1;
	}
	return ipsec_check_keylen2(satype, alg_id, keylen);
}
---|
211 | |
---|
/*
 * Validate keylen (in bits) for alg_id against the cached limits of the
 * given SA type (a satype value from pfkeyv2.h).
 * OUT:
 *	0:  valid, __ipsec_errcode = EIPSEC_NO_ERROR.
 *	-1: invalid; errcode is EIPSEC_INVAL_KEYLEN, or whatever
 *	    findsupportedalg() set when the algorithm was not found.
 */
int
ipsec_check_keylen2(u_int satype, u_int alg_id, u_int keylen)
{
	const struct sadb_alg *alg = findsupportedalg(satype, alg_id);

	if (alg == NULL)
		return -1;	/* errcode already set by findsupportedalg */

	if (keylen >= alg->sadb_alg_minbits && keylen <= alg->sadb_alg_maxbits) {
		__ipsec_errcode = EIPSEC_NO_ERROR;
		return 0;
	}
	__ipsec_errcode = EIPSEC_INVAL_KEYLEN;
	return -1;
}
---|
240 | |
---|
/*
 * Copy the cached sadb_alg entry (including min/max key length in bits)
 * for alg_id under the SADB_EXT_SUPPORTED_{AUTH,ENCRYPT} table into *alg0.
 * OUT:
 *	0:  success, __ipsec_errcode = EIPSEC_NO_ERROR.
 *	-1: alg0 is NULL, unknown table, or algorithm not found
 *	    (__ipsec_errcode set accordingly).
 */
int
ipsec_get_keylen(u_int supported, u_int alg_id, struct sadb_alg *alg0)
{
	const struct sadb_alg *alg;
	u_int satype;

	if (alg0 == NULL) {
		__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
		return -1;
	}

	if (supported == SADB_EXT_SUPPORTED_AUTH) {
		satype = SADB_SATYPE_AH;
	} else if (supported == SADB_EXT_SUPPORTED_ENCRYPT) {
		satype = SADB_SATYPE_ESP;
	} else {
		__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
		return -1;
	}

	alg = findsupportedalg(satype, alg_id);
	if (alg == NULL)
		return -1;

	*alg0 = *alg;	/* struct copy; equivalent to memcpy of sizeof(*alg0) */
	__ipsec_errcode = EIPSEC_NO_ERROR;
	return 0;
}
---|
284 | |
---|
/*
 * Rate (percent) of the SOFT lifetime relative to the HARD one, one value
 * per lifetime type.  Initialised from PFKEY_SOFT_LIFETIME_RATE and changed
 * by pfkey_set_softrate(), which clamps a rate of 0 or above 100 to 100.
 */
static u_int soft_lifetime_allocations_rate = PFKEY_SOFT_LIFETIME_RATE;
static u_int soft_lifetime_bytes_rate = PFKEY_SOFT_LIFETIME_RATE;
static u_int soft_lifetime_addtime_rate = PFKEY_SOFT_LIFETIME_RATE;
static u_int soft_lifetime_usetime_rate = PFKEY_SOFT_LIFETIME_RATE;
---|
293 | |
---|
/*
 * Set the SOFT/HARD lifetime rate (percent) for one SADB_X_LIFETIME_* type.
 * A rate of 0 or above 100 is clamped to 100.
 * OUT:
 *	0: stored, __ipsec_errcode = EIPSEC_NO_ERROR.
 *	1: unknown type, __ipsec_errcode = EIPSEC_INVAL_ARGUMENT.
 */
u_int
pfkey_set_softrate(u_int type, u_int rate)
{
	u_int *target;

	__ipsec_errcode = EIPSEC_NO_ERROR;

	if (rate == 0 || rate > 100)
		rate = 100;

	switch (type) {
	case SADB_X_LIFETIME_ALLOCATIONS:
		target = &soft_lifetime_allocations_rate;
		break;
	case SADB_X_LIFETIME_BYTES:
		target = &soft_lifetime_bytes_rate;
		break;
	case SADB_X_LIFETIME_ADDTIME:
		target = &soft_lifetime_addtime_rate;
		break;
	case SADB_X_LIFETIME_USETIME:
		target = &soft_lifetime_usetime_rate;
		break;
	default:
		__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
		return 1;
	}

	*target = rate;
	return 0;
}
---|
321 | |
---|
/*
 * Return the current SOFT/HARD lifetime rate for one SADB_X_LIFETIME_* type.
 * ATTENTION: ~0 (all bits set) is returned for an unknown type; this
 * function does not touch __ipsec_errcode.
 */
u_int
pfkey_get_softrate(u_int type)
{
	u_int rate = ~0;

	if (type == SADB_X_LIFETIME_ALLOCATIONS)
		rate = soft_lifetime_allocations_rate;
	else if (type == SADB_X_LIFETIME_BYTES)
		rate = soft_lifetime_bytes_rate;
	else if (type == SADB_X_LIFETIME_ADDTIME)
		rate = soft_lifetime_addtime_rate;
	else if (type == SADB_X_LIFETIME_USETIME)
		rate = soft_lifetime_usetime_rate;

	return rate;
}
---|
343 | |
---|
/*
 * Send an SADB_GETSPI request to the kernel.
 * IN:
 *	src, dst: endpoints; both required and of the same family
 *	          (AF_INET or AF_INET6).
 *	min, max: requested SPI range.  min must not exceed max and must
 *	          not fall in 1..255; a SADB_EXT_SPIRANGE extension is
 *	          attached only when the caller narrowed the range
 *	          (min > 255 and max below all-ones).
 * OUT:
 *	positive: success, length sent.
 *	-1:       error; __ipsec_errcode or the error string is set.
 */
int
pfkey_send_getspi(int so, u_int satype, u_int mode, struct sockaddr *src,
    struct sockaddr *dst, u_int32_t min, u_int32_t max, u_int32_t reqid,
    u_int32_t seq)
{
	struct sadb_msg *newmsg;
	caddr_t p, ep;
	int len, plen;
	int want_range;

	if (src == NULL || dst == NULL) {
		__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
		return -1;
	}
	if (src->sa_family != dst->sa_family) {
		__ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
		return -1;
	}
	/* SPIs 1..255 are reserved, and the range must be well-ordered. */
	if (min > max || (min > 0 && min <= 255)) {
		__ipsec_errcode = EIPSEC_INVAL_SPI;
		return -1;
	}
	switch (src->sa_family) {
	case AF_INET:
		plen = sizeof(struct in_addr) << 3;	/* prefix length in bits */
		break;
	case AF_INET6:
		plen = sizeof(struct in6_addr) << 3;
		break;
	default:
		__ipsec_errcode = EIPSEC_INVAL_FAMILY;
		return -1;
	}

	/* ~0 converts to all-ones for the unsigned compare, so this is "max != UINT32_MAX". */
	want_range = (min > 255 && max < ~0);

	len = sizeof(struct sadb_msg)
	    + sizeof(struct sadb_x_sa2)
	    + sizeof(struct sadb_address)
	    + PFKEY_ALIGN8(src->sa_len)
	    + sizeof(struct sadb_address)
	    + PFKEY_ALIGN8(dst->sa_len);
	if (want_range)
		len += sizeof(struct sadb_spirange);

	newmsg = CALLOC(len, struct sadb_msg *);
	if (newmsg == NULL) {
		__ipsec_set_strerror(strerror(errno));
		return -1;
	}
	ep = (caddr_t)newmsg + len;

	/* Each writer returns the advanced cursor, or NULL on failure. */
	p = pfkey_setsadbmsg((caddr_t)newmsg, ep, SADB_GETSPI, len, satype,
	    seq, getpid());
	if (p == NULL)
		goto fail;
	p = pfkey_setsadbxsa2(p, ep, mode, reqid);
	if (p == NULL)
		goto fail;
	p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, plen,
	    IPSEC_ULPROTO_ANY);
	if (p == NULL)
		goto fail;
	p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, plen,
	    IPSEC_ULPROTO_ANY);
	if (p == NULL)
		goto fail;

	if (want_range) {
		struct sadb_spirange range;

		if (p + sizeof(range) > ep)
			goto fail;
		memset(&range, 0, sizeof(range));
		range.sadb_spirange_len = PFKEY_UNIT64(sizeof(range));
		range.sadb_spirange_exttype = SADB_EXT_SPIRANGE;
		range.sadb_spirange_min = min;
		range.sadb_spirange_max = max;
		memcpy(p, &range, sizeof(range));
		p += sizeof(range);
	}

	/* The computed length must have been consumed exactly. */
	if (p != ep)
		goto fail;

	len = pfkey_send(so, newmsg, len);
	free(newmsg);
	if (len < 0)
		return -1;

	__ipsec_errcode = EIPSEC_NO_ERROR;
	return len;

fail:
	free(newmsg);
	return -1;
}
---|
471 | |
---|
/*
 * Send an SADB_UPDATE message to the kernel via pfkey_send_x1().
 * keymat holds a_keylen + e_keylen bytes of key material.
 * OUT:
 *	positive: success, length sent.
 *	-1:       error; errno / __ipsec_errcode set by the callee.
 */
int
pfkey_send_update(int so, u_int satype, u_int mode, struct sockaddr *src,
    struct sockaddr *dst, u_int32_t spi, u_int32_t reqid, u_int wsize,
    caddr_t keymat, u_int e_type, u_int e_keylen, u_int a_type,
    u_int a_keylen, u_int flags, u_int32_t l_alloc, u_int64_t l_bytes,
    u_int64_t l_addtime, u_int64_t l_usetime, u_int32_t seq)
{
	int sent;

	sent = pfkey_send_x1(so, SADB_UPDATE, satype, mode, src, dst, spi,
	    reqid, wsize, keymat, e_type, e_keylen, a_type, a_keylen, flags,
	    l_alloc, l_bytes, l_addtime, l_usetime, seq);
	/* Any negative result from the helper is reported as -1. */
	return sent < 0 ? -1 : sent;
}
---|
502 | |
---|
/*
 * Send an SADB_ADD message to the kernel via pfkey_send_x1().
 * keymat holds a_keylen + e_keylen bytes of key material.
 * OUT:
 *	positive: success, length sent.
 *	-1:       error; errno / __ipsec_errcode set by the callee.
 */
int
pfkey_send_add(int so, u_int satype, u_int mode, struct sockaddr *src,
    struct sockaddr *dst, u_int32_t spi, u_int32_t reqid, u_int wsize,
    caddr_t keymat, u_int e_type, u_int e_keylen, u_int a_type,
    u_int a_keylen, u_int flags, u_int32_t l_alloc, u_int64_t l_bytes,
    u_int64_t l_addtime, u_int64_t l_usetime, u_int32_t seq)
{
	int sent;

	sent = pfkey_send_x1(so, SADB_ADD, satype, mode, src, dst, spi,
	    reqid, wsize, keymat, e_type, e_keylen, a_type, a_keylen, flags,
	    l_alloc, l_bytes, l_addtime, l_usetime, seq);
	/* Any negative result from the helper is reported as -1. */
	return sent < 0 ? -1 : sent;
}
---|
533 | |
---|
/*
 * Send an SADB_DELETE message for one SA (identified by spi) to the kernel.
 * OUT:
 *	positive: success, length sent.
 *	-1:       error; errno / __ipsec_errcode set by the callee.
 */
int
pfkey_send_delete(int so, u_int satype, u_int mode, struct sockaddr *src,
    struct sockaddr *dst, u_int32_t spi)
{
	int sent = pfkey_send_x2(so, SADB_DELETE, satype, mode, src, dst, spi);

	return sent < 0 ? -1 : sent;
}
---|
553 | |
---|
/*
 * Send an SADB_DELETE without an SPI to the kernel: the "delete all SAs
 * between src and dst" request (an extension also present in Solaris).
 * IN:
 *	src, dst: endpoints; both required, same family (AF_INET/AF_INET6).
 * OUT:
 *	positive: success, length sent.
 *	-1:       error; __ipsec_errcode or the error string is set.
 */
int
pfkey_send_delete_all(int so, u_int satype, u_int mode, struct sockaddr *src,
    struct sockaddr *dst)
{
	struct sadb_msg *newmsg;
	caddr_t p, ep;
	int len, plen;

	if (src == NULL || dst == NULL) {
		__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
		return -1;
	}
	if (src->sa_family != dst->sa_family) {
		__ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
		return -1;
	}
	switch (src->sa_family) {
	case AF_INET:
		plen = sizeof(struct in_addr) << 3;	/* prefix length in bits */
		break;
	case AF_INET6:
		plen = sizeof(struct in6_addr) << 3;
		break;
	default:
		__ipsec_errcode = EIPSEC_INVAL_FAMILY;
		return -1;
	}

	/* Header plus two address extensions; no sadb_sa, hence no SPI. */
	len = sizeof(struct sadb_msg)
	    + sizeof(struct sadb_address)
	    + PFKEY_ALIGN8(src->sa_len)
	    + sizeof(struct sadb_address)
	    + PFKEY_ALIGN8(dst->sa_len);

	newmsg = CALLOC(len, struct sadb_msg *);
	if (newmsg == NULL) {
		__ipsec_set_strerror(strerror(errno));
		return -1;
	}
	ep = (caddr_t)newmsg + len;

	/* Each writer returns the advanced cursor, or NULL; a NULL short-circuits the chain. */
	p = pfkey_setsadbmsg((caddr_t)newmsg, ep, SADB_DELETE, len, satype, 0,
	    getpid());
	if (p != NULL)
		p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, plen,
		    IPSEC_ULPROTO_ANY);
	if (p != NULL)
		p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, plen,
		    IPSEC_ULPROTO_ANY);
	/* NULL or a partial fill both fail the exact-length check. */
	if (p != ep) {
		free(newmsg);
		return -1;
	}

	len = pfkey_send(so, newmsg, len);
	free(newmsg);
	if (len < 0)
		return -1;

	__ipsec_errcode = EIPSEC_NO_ERROR;
	return len;
}
---|
638 | |
---|
/*
 * Send an SADB_GET message for one SA (identified by spi) to the kernel.
 * OUT:
 *	positive: success, length sent.
 *	-1:       error; errno / __ipsec_errcode set by the callee.
 */
int
pfkey_send_get(int so, u_int satype, u_int mode, struct sockaddr *src,
    struct sockaddr *dst, u_int32_t spi)
{
	int sent = pfkey_send_x2(so, SADB_GET, satype, mode, src, dst, spi);

	return sent < 0 ? -1 : sent;
}
---|
658 | |
---|
/*
 * Send an SADB_REGISTER message to the kernel, first discarding the cached
 * supported-algorithm list(s) it will replace: every slot for PF_UNSPEC,
 * otherwise only the slot for satype.
 * OUT:
 *	positive: success, length sent.
 *	-1:       unknown satype (EIPSEC_INVAL_ARGUMENT) or send error.
 */
int
pfkey_send_register(int so, u_int satype)
{
	int sent, slot;

	if (satype == PF_UNSPEC) {
		for (slot = 0;
		    slot < sizeof(supported_map) / sizeof(supported_map[0]);
		    slot++) {
			free(ipsec_supported[slot]);	/* free(NULL) is a no-op */
			ipsec_supported[slot] = NULL;
		}
	} else {
		slot = findsupportedmap(satype);
		if (slot < 0) {
			__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
			return -1;
		}
		free(ipsec_supported[slot]);
		ipsec_supported[slot] = NULL;
	}

	sent = pfkey_send_x3(so, SADB_REGISTER, satype);
	return sent < 0 ? -1 : sent;
}
---|
699 | |
---|
/*
 * Wait for the kernel's SADB_REGISTER reply addressed to this process and
 * store the supported-algorithm extensions it carries into ipsec_supported
 * (via pfkey_set_supported).  Replies of other types or for other pids
 * are discarded.
 * OUT:
 *	0:  success, __ipsec_errcode = EIPSEC_NO_ERROR.
 *	-1: receive failure or malformed reply (errcode set by the callee).
 */
int
pfkey_recv_register(int so)
{
	const pid_t self = getpid();
	struct sadb_msg *reply;
	int rc;

	do {
		reply = pfkey_recv(so);
		if (reply == NULL)
			return -1;
		if (reply->sadb_msg_type == SADB_REGISTER &&
		    reply->sadb_msg_pid == self)
			break;
		free(reply);	/* not ours; keep waiting */
	} while (1);

	/*
	 * Convert the wire length from 64-bit units to bytes, in place, for
	 * pfkey_set_supported.  NOTE(review): sadb_msg_len is a 16-bit field,
	 * so a very long reply would not survive this conversion — confirm
	 * against pfkey_recv's own length handling.
	 */
	reply->sadb_msg_len = PFKEY_UNUNIT64(reply->sadb_msg_len);

	rc = pfkey_set_supported(reply, reply->sadb_msg_len);
	free(reply);

	if (rc == 0)
		__ipsec_errcode = EIPSEC_NO_ERROR;
	return rc;
}
---|
736 | |
---|
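/*
 * Parse the extensions of an SADB_REGISTER reply and cache each
 * SADB_EXT_SUPPORTED_{AUTH,ENCRYPT} block via setsupportedmap().
 * IN:
 *	msg:  the reply; msg->sadb_msg_len must already be a byte count
 *	      (pfkey_recv_register converts it with PFKEY_UNUNIT64).
 *	tlen: byte length of the buffer holding msg, cross-checked against
 *	      msg->sadb_msg_len.
 * Side effect: each extension's sadb_supported_len is rewritten from
 * 64-bit units to bytes, which is the form findsupportedalg() expects.
 * OUT:
 *	0:  success, __ipsec_errcode = EIPSEC_NO_ERROR.
 *	-1: length mismatch, truncated/malformed extension, or an extension
 *	    type other than SUPPORTED_AUTH/ENCRYPT; __ipsec_errcode set.
 */
int
pfkey_set_supported(struct sadb_msg *msg, int tlen)
{
	struct sadb_supported *sup;
	caddr_t p, ep;
	size_t extlen;

	if (msg->sadb_msg_len != tlen) {
		__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
		return -1;
	}

	p = (caddr_t)msg;
	ep = p + tlen;
	p += sizeof(struct sadb_msg);

	while (p < ep) {
		/* The fixed header must fit before its length field is read. */
		if ((size_t)(ep - p) < sizeof(*sup))
			break;
		sup = (struct sadb_supported *)p;

		/*
		 * Bound the extension by its byte length (PFKEY_EXTLEN), not by
		 * the raw sadb_supported_len, which is still in 64-bit units at
		 * this point.  setsupportedmap() copies the byte length, so
		 * this check is what keeps that memcpy inside the buffer.
		 */
		extlen = PFKEY_EXTLEN(sup);
		if (extlen < sizeof(*sup) || extlen > (size_t)(ep - p))
			break;

		switch (sup->sadb_supported_exttype) {
		case SADB_EXT_SUPPORTED_AUTH:
		case SADB_EXT_SUPPORTED_ENCRYPT:
			break;
		default:
			__ipsec_errcode = EIPSEC_INVAL_SATYPE;
			return -1;
		}

		/* Store the length in bytes; the cache readers rely on it. */
		sup->sadb_supported_len = extlen;
		if (setsupportedmap(sup) != 0)
			return -1;

		p += extlen;
	}

	/* Anything left over means a truncated or malformed extension. */
	if (p != ep) {
		__ipsec_errcode = EIPSEC_INVAL_SATYPE;
		return -1;
	}

	__ipsec_errcode = EIPSEC_NO_ERROR;
	return 0;
}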
---|
804 | |
---|
/*
 * Send an SADB_FLUSH message for satype to the kernel.
 * OUT:
 *	positive: success, length sent.
 *	-1:       error; errno / __ipsec_errcode set by the callee.
 */
int
pfkey_send_flush(int so, u_int satype)
{
	int sent = pfkey_send_x3(so, SADB_FLUSH, satype);

	return sent < 0 ? -1 : sent;
}
---|
823 | |
---|
/*
 * Send an SADB_DUMP message for satype to the kernel.
 * OUT:
 *	positive: success, length sent.
 *	-1:       error; errno / __ipsec_errcode set by the callee.
 */
int
pfkey_send_dump(int so, u_int satype)
{
	int sent = pfkey_send_x3(so, SADB_DUMP, satype);

	return sent < 0 ? -1 : sent;
}
---|
842 | |
---|
/*
 * Send an SADB_X_PROMISC message to the kernel.  Only the on/off toggle
 * is supported: the satype slot of the message carries 1 (flag non-zero)
 * or 0 (flag zero).
 * OUT:
 *	positive: success, length sent.
 *	-1:       error; errno / __ipsec_errcode set by the callee.
 */
int
pfkey_send_promisc_toggle(int so, int flag)
{
	int sent = pfkey_send_x3(so, SADB_X_PROMISC, flag != 0);

	return sent < 0 ? -1 : sent;
}
---|
867 | |
---|
/*
 * Send an SADB_X_SPDADD message (no lifetime: ltime/vtime 0) to the kernel.
 * OUT:
 *	positive: success, length sent.
 *	-1:       error; errno / __ipsec_errcode set by the callee.
 */
int
pfkey_send_spdadd(int so, struct sockaddr *src, u_int prefs,
    struct sockaddr *dst, u_int prefd, u_int proto, caddr_t policy,
    int policylen, u_int32_t seq)
{
	int sent;

	sent = pfkey_send_x4(so, SADB_X_SPDADD, src, prefs, dst, prefd, proto,
	    0, 0, policy, policylen, seq);
	return sent < 0 ? -1 : sent;
}
---|
893 | |
---|
/*
 * Send an SADB_X_SPDADD message with explicit policy lifetime (ltime) and
 * validity time (vtime) to the kernel.
 * OUT:
 *	positive: success, length sent.
 *	-1:       error; errno / __ipsec_errcode set by the callee.
 */
int
pfkey_send_spdadd2(int so, struct sockaddr *src, u_int prefs,
    struct sockaddr *dst, u_int prefd, u_int proto, u_int64_t ltime,
    u_int64_t vtime, caddr_t policy, int policylen, u_int32_t seq)
{
	int sent;

	sent = pfkey_send_x4(so, SADB_X_SPDADD, src, prefs, dst, prefd, proto,
	    ltime, vtime, policy, policylen, seq);
	return sent < 0 ? -1 : sent;
}
---|
921 | |
---|
/*
 * Send an SADB_X_SPDUPDATE message (no lifetime: ltime/vtime 0) to the kernel.
 * OUT:
 *	positive: success, length sent.
 *	-1:       error; errno / __ipsec_errcode set by the callee.
 */
int
pfkey_send_spdupdate(int so, struct sockaddr *src, u_int prefs,
    struct sockaddr *dst, u_int prefd, u_int proto, caddr_t policy,
    int policylen, u_int32_t seq)
{
	int sent;

	sent = pfkey_send_x4(so, SADB_X_SPDUPDATE, src, prefs, dst, prefd,
	    proto, 0, 0, policy, policylen, seq);
	return sent < 0 ? -1 : sent;
}
---|
947 | |
---|
/*
 * Send an SADB_X_SPDUPDATE message to the kernel, with explicit lifetime
 * values; ltime and vtime are forwarded to pfkey_send_x4 as the two
 * trailing values of the SADB_EXT_LIFETIME_HARD extension.
 * OUT:
 *	positive: success and return length sent.
 *	-1	: error occurred, and set errno.
 */
int
pfkey_send_spdupdate2(int so, struct sockaddr *src, u_int prefs,
    struct sockaddr *dst, u_int prefd, u_int proto, u_int64_t ltime,
    u_int64_t vtime, caddr_t policy, int policylen, u_int32_t seq)
{
	int sent;

	sent = pfkey_send_x4(so, SADB_X_SPDUPDATE, src, prefs, dst, prefd,
	    proto, ltime, vtime, policy, policylen, seq);

	/* Any negative result from the worker is reported as -1. */
	return (sent < 0) ? -1 : sent;
}

/*
 * Send an SADB_X_SPDDELETE message to the kernel.
 * The policy buffer must be exactly one bare sadb_x_policy header
 * (policylen == sizeof(struct sadb_x_policy)); anything else is rejected
 * with EIPSEC_INVAL_ARGUMENT before any message is built.
 * OUT:
 *	positive: success and return length sent.
 *	-1	: error occurred, and set errno.
 */
int
pfkey_send_spddelete(int so, struct sockaddr *src, u_int prefs,
    struct sockaddr *dst, u_int prefd, u_int proto, caddr_t policy,
    int policylen, u_int32_t seq)
{
	int sent;

	if (policylen != sizeof(struct sadb_x_policy)) {
		__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
		return -1;
	}

	sent = pfkey_send_x4(so, SADB_X_SPDDELETE, src, prefs, dst, prefd,
	    proto, 0, 0, policy, policylen, seq);

	/* Any negative result from the worker is reported as -1. */
	return (sent < 0) ? -1 : sent;
}

/*
 * Send an SADB_X_SPDDELETE2 message to the kernel, deleting the policy
 * identified by spid.
 * OUT:
 *	positive: success and return length sent.
 *	-1	: error occurred, and set errno.
 */
int
pfkey_send_spddelete2(int so, u_int32_t spid)
{
	int sent;

	sent = pfkey_send_x5(so, SADB_X_SPDDELETE2, spid);

	/* Any negative result from the worker is reported as -1. */
	return (sent < 0) ? -1 : sent;
}

/*
 * Send an SADB_X_SPDGET message to the kernel, requesting the policy
 * identified by spid.
 * OUT:
 *	positive: success and return length sent.
 *	-1	: error occurred, and set errno.
 */
int
pfkey_send_spdget(int so, u_int32_t spid)
{
	int sent;

	sent = pfkey_send_x5(so, SADB_X_SPDGET, spid);

	/* Any negative result from the worker is reported as -1. */
	return (sent < 0) ? -1 : sent;
}

/*
 * Send an SADB_X_SPDSETIDX message to the kernel.
 * As for pfkey_send_spddelete, the policy buffer must be exactly one bare
 * sadb_x_policy header; any other policylen yields EIPSEC_INVAL_ARGUMENT.
 * OUT:
 *	positive: success and return length sent.
 *	-1	: error occurred, and set errno.
 */
int
pfkey_send_spdsetidx(int so, struct sockaddr *src, u_int prefs,
    struct sockaddr *dst, u_int prefd, u_int proto, caddr_t policy,
    int policylen, u_int32_t seq)
{
	int sent;

	if (policylen != sizeof(struct sadb_x_policy)) {
		__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
		return -1;
	}

	sent = pfkey_send_x4(so, SADB_X_SPDSETIDX, src, prefs, dst, prefd,
	    proto, 0, 0, policy, policylen, seq);

	/* Any negative result from the worker is reported as -1. */
	return (sent < 0) ? -1 : sent;
}

/*
 * Send an SADB_X_SPDFLUSH message (satype SADB_SATYPE_UNSPEC) to the
 * kernel, flushing the whole security policy database.
 * OUT:
 *	positive: success and return length sent.
 *	-1	: error occurred, and set errno.
 */
int
pfkey_send_spdflush(int so)
{
	int sent;

	sent = pfkey_send_x3(so, SADB_X_SPDFLUSH, SADB_SATYPE_UNSPEC);

	/* Any negative result from the worker is reported as -1. */
	return (sent < 0) ? -1 : sent;
}

/*
 * Send an SADB_X_SPDDUMP message (satype SADB_SATYPE_UNSPEC) to the
 * kernel, asking for a dump of the security policy database.
 * OUT:
 *	positive: success and return length sent.
 *	-1	: error occurred, and set errno.
 */
int
pfkey_send_spddump(int so)
{
	int sent;

	sent = pfkey_send_x3(so, SADB_X_SPDDUMP, SADB_SATYPE_UNSPEC);

	/* Any negative result from the worker is reported as -1. */
	return (sent < 0) ? -1 : sent;
}

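/*
 * Build and send an SADB_ADD or SADB_UPDATE message to the kernel.
 * Request layout: base header, SA, X_SA2, src address, dst address,
 * optional encryption key, optional authentication key, HARD lifetime,
 * SOFT lifetime (both lifetime extensions carry the same l_* values).
 * IN:
 *	so	: PF_KEY socket.
 *	type	: SADB_ADD or SADB_UPDATE.
 *	satype	: SA type; selects which algorithm combinations are legal.
 *	mode, reqid: carried in the SADB_X_EXT_SA2 extension.
 *	src, dst: non-NULL SA endpoints of the same address family.
 *	spi, wsize, flags: SADB_EXT_SA fields.
 *	keymat	: key material; the e_keylen encryption-key bytes are
 *		  immediately followed by the a_keylen authentication-key
 *		  bytes.  Must be non-NULL when any key bytes are emitted.
 *	e_type, a_type: encryption / authentication algorithm ids;
 *		  SADB_EALG_NONE / SADB_AALG_NONE suppress the key extension.
 *	e_keylen, a_keylen: key lengths in bytes.
 *	l_alloc, l_bytes, l_addtime, l_usetime: lifetime values.
 *	seq	: sequence number for the base header.
 * OUT:
 *	positive: success and return length sent.
 *	-1	: error occurred; __ipsec_errcode is set on argument errors
 *		  and __ipsec_set_strerror on allocation failure.  A
 *		  pfkey_setsadb* helper that cannot fit its extension into
 *		  the computed budget returns NULL and is reported as -1 too.
 */
static int
pfkey_send_x1(int so, u_int type, u_int satype, u_int mode,
    struct sockaddr *src, struct sockaddr *dst, u_int32_t spi, u_int32_t reqid,
    u_int wsize, caddr_t keymat, u_int e_type, u_int e_keylen, u_int a_type,
    u_int a_keylen, u_int flags, u_int32_t l_alloc, u_int32_t l_bytes,
    u_int32_t l_addtime, u_int32_t l_usetime, u_int32_t seq)
{
	struct sadb_msg *newmsg;
	int len;
	caddr_t p;
	int plen;
	caddr_t ep;

	/* validity check */
	if (src == NULL || dst == NULL) {
		__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
		return -1;
	}
	if (src->sa_family != dst->sa_family) {
		__ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
		return -1;
	}
	/* prefix length for the address extensions: full address width, in bits */
	switch (src->sa_family) {
	case AF_INET:
		plen = sizeof(struct in_addr) << 3;
		break;
	case AF_INET6:
		plen = sizeof(struct in6_addr) << 3;
		break;
	default:
		__ipsec_errcode = EIPSEC_INVAL_FAMILY;
		return -1;
	}

	/* each SA type allows a specific combination of algorithm ids */
	switch (satype) {
	case SADB_SATYPE_ESP:
		if (e_type == SADB_EALG_NONE) {
			__ipsec_errcode = EIPSEC_NO_ALGS;
			return -1;
		}
		break;
	case SADB_SATYPE_AH:
		if (e_type != SADB_EALG_NONE) {
			__ipsec_errcode = EIPSEC_INVAL_ALGS;
			return -1;
		}
		if (a_type == SADB_AALG_NONE) {
			__ipsec_errcode = EIPSEC_NO_ALGS;
			return -1;
		}
		break;
	case SADB_X_SATYPE_IPCOMP:
		if (e_type == SADB_X_CALG_NONE) {
			__ipsec_errcode = EIPSEC_INVAL_ALGS;
			return -1;
		}
		if (a_type != SADB_AALG_NONE) {
			__ipsec_errcode = EIPSEC_NO_ALGS;
			return -1;
		}
		break;
	case SADB_X_SATYPE_TCPSIGNATURE:
		if (e_type != SADB_EALG_NONE) {
			__ipsec_errcode = EIPSEC_INVAL_ALGS;
			return -1;
		}
		if (a_type != SADB_X_AALG_TCP_MD5) {
			__ipsec_errcode = EIPSEC_INVAL_ALGS;
			return -1;
		}
		break;
	default:
		__ipsec_errcode = EIPSEC_INVAL_SATYPE;
		return -1;
	}

	/*
	 * The key extensions are built from keymat, so a NULL buffer is
	 * only acceptable when no key bytes will actually be read from it.
	 */
	if (keymat == NULL &&
	    ((e_type != SADB_EALG_NONE && e_keylen > 0) ||
	     (a_type != SADB_AALG_NONE && a_keylen > 0))) {
		__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
		return -1;
	}

	/* size the request; ep marks the end of the allocated buffer */
	len = sizeof(struct sadb_msg)
		+ sizeof(struct sadb_sa)
		+ sizeof(struct sadb_x_sa2)
		+ sizeof(struct sadb_address)
		+ PFKEY_ALIGN8(src->sa_len)
		+ sizeof(struct sadb_address)
		+ PFKEY_ALIGN8(dst->sa_len)
		+ sizeof(struct sadb_lifetime)
		+ sizeof(struct sadb_lifetime);

	if (e_type != SADB_EALG_NONE)
		len += (sizeof(struct sadb_key) + PFKEY_ALIGN8(e_keylen));
	if (a_type != SADB_AALG_NONE)
		len += (sizeof(struct sadb_key) + PFKEY_ALIGN8(a_keylen));

	if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
		__ipsec_set_strerror(strerror(errno));
		return -1;
	}
	ep = ((caddr_t)newmsg) + len;

	/* each helper returns the next write position, or NULL if it would overrun ep */
	p = pfkey_setsadbmsg((caddr_t)newmsg, ep, type, len,
	    satype, seq, getpid());
	if (p == NULL)
		goto fail;
	p = pfkey_setsadbsa(p, ep, spi, wsize, a_type, e_type, flags);
	if (p == NULL)
		goto fail;
	p = pfkey_setsadbxsa2(p, ep, mode, reqid);
	if (p == NULL)
		goto fail;
	p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, plen,
	    IPSEC_ULPROTO_ANY);
	if (p == NULL)
		goto fail;
	p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, plen,
	    IPSEC_ULPROTO_ANY);
	if (p == NULL)
		goto fail;

	if (e_type != SADB_EALG_NONE) {
		p = pfkey_setsadbkey(p, ep, SADB_EXT_KEY_ENCRYPT,
		    keymat, e_keylen);
		if (p == NULL)
			goto fail;
	}
	if (a_type != SADB_AALG_NONE) {
		/* the auth key follows the encryption key inside keymat */
		p = pfkey_setsadbkey(p, ep, SADB_EXT_KEY_AUTH,
		    keymat + e_keylen, a_keylen);
		if (p == NULL)
			goto fail;
	}

	/* hard and soft lifetimes carry the same values */
	p = pfkey_setsadblifetime(p, ep, SADB_EXT_LIFETIME_HARD,
	    l_alloc, l_bytes, l_addtime, l_usetime);
	if (p == NULL)
		goto fail;
	p = pfkey_setsadblifetime(p, ep, SADB_EXT_LIFETIME_SOFT,
	    l_alloc, l_bytes, l_addtime, l_usetime);
	/* the last extension must end exactly at the buffer end */
	if (p == NULL || p != ep)
		goto fail;

	/* send message */
	len = pfkey_send(so, newmsg, len);
	free(newmsg);

	if (len < 0)
		return -1;

	__ipsec_errcode = EIPSEC_NO_ERROR;
	return len;

fail:
	free(newmsg);
	return -1;
}
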
/*
 * Build and send an SADB_DELETE or SADB_GET message to the kernel.
 * Request layout: base header, SA (spi only), src address, dst address;
 * the address extensions use the full address width as prefix length.
 * IN:
 *	so	: PF_KEY socket.
 *	type	: SADB_DELETE or SADB_GET.
 *	satype	: SA type for the base header.
 *	mode	: accepted for symmetry with pfkey_send_x1; not placed in
 *		  the message.
 *	src, dst: non-NULL SA endpoints of the same address family.
 *	spi	: SPI of the SA to delete or fetch.
 * OUT:
 *	positive: success and return length sent.
 *	-1	: error occurred; __ipsec_errcode / __ipsec_set_strerror set.
 */
static int
pfkey_send_x2(int so, u_int type, u_int satype, u_int mode,
    struct sockaddr *src, struct sockaddr *dst, u_int32_t spi)
{
	struct sadb_msg *req;
	caddr_t cursor, end;
	int total, width;

	/* validity check */
	if (src == NULL || dst == NULL) {
		__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
		return -1;
	}
	if (src->sa_family != dst->sa_family) {
		__ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
		return -1;
	}
	/* prefix length: full address width of the family, in bits */
	switch (src->sa_family) {
	case AF_INET:
		width = sizeof(struct in_addr) << 3;
		break;
	case AF_INET6:
		width = sizeof(struct in6_addr) << 3;
		break;
	default:
		__ipsec_errcode = EIPSEC_INVAL_FAMILY;
		return -1;
	}

	/* size the request; end marks the end of the allocated buffer */
	total = sizeof(struct sadb_msg)
		+ sizeof(struct sadb_sa)
		+ sizeof(struct sadb_address)
		+ PFKEY_ALIGN8(src->sa_len)
		+ sizeof(struct sadb_address)
		+ PFKEY_ALIGN8(dst->sa_len);

	req = CALLOC(total, struct sadb_msg *);
	if (req == NULL) {
		__ipsec_set_strerror(strerror(errno));
		return -1;
	}
	end = ((caddr_t)req) + total;

	/* each helper returns the next write position, or NULL on overrun */
	cursor = pfkey_setsadbmsg((caddr_t)req, end, type, total, satype, 0,
	    getpid());
	if (cursor == NULL)
		goto fail;
	cursor = pfkey_setsadbsa(cursor, end, spi, 0, 0, 0, 0);
	if (cursor == NULL)
		goto fail;
	cursor = pfkey_setsadbaddr(cursor, end, SADB_EXT_ADDRESS_SRC, src,
	    width, IPSEC_ULPROTO_ANY);
	if (cursor == NULL)
		goto fail;
	cursor = pfkey_setsadbaddr(cursor, end, SADB_EXT_ADDRESS_DST, dst,
	    width, IPSEC_ULPROTO_ANY);
	/* the last extension must end exactly at the buffer end */
	if (cursor == NULL || cursor != end)
		goto fail;

	/* send message */
	total = pfkey_send(so, req, total);
	free(req);

	if (total < 0)
		return -1;

	__ipsec_errcode = EIPSEC_NO_ERROR;
	return total;

fail:
	free(req);
	return -1;
}

/*
 * Build and send a message that consists of the base header alone:
 * SADB_REGISTER, SADB_FLUSH, SADB_DUMP, SADB_X_PROMISC and the SPD
 * flush/dump variants.
 * IN:
 *	so	: PF_KEY socket.
 *	type	: message type.
 *	satype	: SA type for the base header.  For SADB_X_PROMISC the field
 *		  carries a 0/1 value instead; for every other type it must
 *		  be one of UNSPEC, AH, ESP, IPCOMP or TCPSIGNATURE.
 * OUT:
 *	positive: success and return length sent.
 *	-1	: error occurred; __ipsec_errcode / __ipsec_set_strerror set.
 */
static int
pfkey_send_x3(int so, u_int type, u_int satype)
{
	struct sadb_msg *req;
	caddr_t cursor, end;
	int total;

	/* validity check */
	if (type == SADB_X_PROMISC) {
		if (satype != 0 && satype != 1) {
			__ipsec_errcode = EIPSEC_INVAL_SATYPE;
			return -1;
		}
	} else if (satype != SADB_SATYPE_UNSPEC &&
	    satype != SADB_SATYPE_AH &&
	    satype != SADB_SATYPE_ESP &&
	    satype != SADB_X_SATYPE_IPCOMP &&
	    satype != SADB_X_SATYPE_TCPSIGNATURE) {
		__ipsec_errcode = EIPSEC_INVAL_SATYPE;
		return -1;
	}

	/* the request is nothing but the base header */
	total = sizeof(struct sadb_msg);

	req = CALLOC(total, struct sadb_msg *);
	if (req == NULL) {
		__ipsec_set_strerror(strerror(errno));
		return -1;
	}
	end = ((caddr_t)req) + total;

	cursor = pfkey_setsadbmsg((caddr_t)req, end, type, total, satype, 0,
	    getpid());
	/* the header must fill the buffer exactly */
	if (cursor == NULL || cursor != end) {
		free(req);
		return -1;
	}

	/* send message */
	total = pfkey_send(so, req, total);
	free(req);

	if (total < 0)
		return -1;

	__ipsec_errcode = EIPSEC_NO_ERROR;
	return total;
}

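/*
 * Build and send an SPD message to the kernel: SADB_X_SPDADD,
 * SADB_X_SPDUPDATE, SADB_X_SPDDELETE or SADB_X_SPDSETIDX, per `type'.
 * Request layout: base header (satype UNSPEC), src address, dst address,
 * HARD lifetime, then the caller-supplied policy extension verbatim.
 * IN:
 *	so	: PF_KEY socket.
 *	type	: message type.
 *	src, dst: non-NULL selector addresses of the same address family.
 *	prefs, prefd: selector prefix lengths; at most the address width.
 *	proto	: upper-layer protocol stored in both address extensions.
 *	ltime, vtime: the two trailing values of the SADB_EXT_LIFETIME_HARD
 *		  extension (the positions pfkey_send_x1 fills with
 *		  l_addtime / l_usetime).
 *	policy, policylen: a pre-built sadb_x_policy extension that is
 *		  copied as-is; policylen must be >= 0 and policy non-NULL
 *		  whenever policylen > 0.
 *	seq	: sequence number for the base header.
 * OUT:
 *	positive: success and return length sent.
 *	-1	: error occurred; __ipsec_errcode / __ipsec_set_strerror set.
 *		  A pfkey_setsadb* helper that cannot fit its extension into
 *		  the computed budget returns NULL and is reported as -1 too.
 */
static int
pfkey_send_x4(int so, u_int type, struct sockaddr *src, u_int prefs,
    struct sockaddr *dst, u_int prefd, u_int proto, u_int64_t ltime,
    u_int64_t vtime, char *policy, int policylen, u_int32_t seq)
{
	struct sadb_msg *newmsg;
	int len;
	caddr_t p;
	int plen;
	caddr_t ep;

	/* validity check */
	if (src == NULL || dst == NULL) {
		__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
		return -1;
	}
	if (src->sa_family != dst->sa_family) {
		__ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
		return -1;
	}

	/* address width of the family, in bits, bounds both prefix lengths */
	switch (src->sa_family) {
	case AF_INET:
		plen = sizeof(struct in_addr) << 3;
		break;
	case AF_INET6:
		plen = sizeof(struct in6_addr) << 3;
		break;
	default:
		__ipsec_errcode = EIPSEC_INVAL_FAMILY;
		return -1;
	}
	if (prefs > plen || prefd > plen) {
		__ipsec_errcode = EIPSEC_INVAL_PREFIXLEN;
		return -1;
	}

	/*
	 * The policy bytes are added to the buffer budget and copied with
	 * memcpy below, so a negative length or a missing buffer must be
	 * rejected here rather than fed into the size computation.
	 */
	if (policylen < 0 || (policylen > 0 && policy == NULL)) {
		__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
		return -1;
	}

	/*
	 * Size the request.  The dst address extension is written with
	 * dst->sa_len, so it is budgeted with dst->sa_len as well (as in
	 * pfkey_send_x1 / pfkey_send_x2); ep marks the end of the buffer.
	 */
	len = sizeof(struct sadb_msg)
		+ sizeof(struct sadb_address)
		+ PFKEY_ALIGN8(src->sa_len)
		+ sizeof(struct sadb_address)
		+ PFKEY_ALIGN8(dst->sa_len)
		+ sizeof(struct sadb_lifetime)
		+ policylen;

	if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
		__ipsec_set_strerror(strerror(errno));
		return -1;
	}
	ep = ((caddr_t)newmsg) + len;

	/* each helper returns the next write position, or NULL if it would overrun ep */
	p = pfkey_setsadbmsg((caddr_t)newmsg, ep, type, len,
	    SADB_SATYPE_UNSPEC, seq, getpid());
	if (p == NULL)
		goto fail;
	p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, prefs, proto);
	if (p == NULL)
		goto fail;
	p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, prefd, proto);
	if (p == NULL)
		goto fail;
	p = pfkey_setsadblifetime(p, ep, SADB_EXT_LIFETIME_HARD,
	    0, 0, ltime, vtime);
	/* the policy must occupy exactly the remaining space */
	if (p == NULL || p + policylen != ep)
		goto fail;
	if (policylen > 0)
		memcpy(p, policy, policylen);

	/* send message */
	len = pfkey_send(so, newmsg, len);
	free(newmsg);

	if (len < 0)
		return -1;

	__ipsec_errcode = EIPSEC_NO_ERROR;
	return len;

fail:
	free(newmsg);
	return -1;
}
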
/*
 * Build and send an SADB_X_SPDGET or SADB_X_SPDDELETE2 message to the
 * kernel.  The request is the base header (satype UNSPEC, seq 0) followed
 * by a single bare sadb_x_policy extension whose only payload is spid.
 * IN:
 *	so	: PF_KEY socket.
 *	type	: message type.
 *	spid	: policy id placed in sadb_x_policy_id.
 * OUT:
 *	positive: success and return length sent.
 *	-1	: error occurred; __ipsec_set_strerror set on allocation failure.
 */
static int
pfkey_send_x5(int so, u_int type, u_int32_t spid)
{
	struct sadb_msg *req;
	struct sadb_x_policy xpl;
	caddr_t cursor, end;
	int total;

	/* the policy extension is staged here and copied in below */
	memset(&xpl, 0, sizeof(xpl));
	xpl.sadb_x_policy_len = PFKEY_UNIT64(sizeof(xpl));
	xpl.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
	xpl.sadb_x_policy_id = spid;

	/* size the request; end marks the end of the allocated buffer */
	total = sizeof(struct sadb_msg) + sizeof(xpl);

	req = CALLOC(total, struct sadb_msg *);
	if (req == NULL) {
		__ipsec_set_strerror(strerror(errno));
		return -1;
	}
	end = ((caddr_t)req) + total;

	cursor = pfkey_setsadbmsg((caddr_t)req, end, type, total,
	    SADB_SATYPE_UNSPEC, 0, getpid());
	/* the policy extension must fill exactly what is left */
	if (cursor == NULL || cursor + sizeof(xpl) != end) {
		free(req);
		return -1;
	}
	memcpy(cursor, &xpl, sizeof(xpl));

	/* send message */
	total = pfkey_send(so, req, total);
	free(req);

	if (total < 0)
		return -1;

	__ipsec_errcode = EIPSEC_NO_ERROR;
	return total;
}

/*
 * Open a PF_KEY v2 socket and enlarge its send/receive buffers.
 * OUT:
 *	-1	: fail (__ipsec_set_strerror carries the socket() error).
 *	others	: success and return value of socket.
 *
 * NOTE(review): the descriptor is a plain socket(); it is not marked
 * close-on-exec here, so a caller that spawns children inherits it into
 * them — confirm whether callers rely on that.
 */
int
pfkey_open(void)
{
	const int bufsiz = 128 * 1024;	/* is 128K enough? */
	int so;

	so = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
	if (so < 0) {
		__ipsec_set_strerror(strerror(errno));
		return -1;
	}

	/*
	 * This is a temporary workaround for KAME PR 154.
	 * Don't really care even if it fails.
	 */
	(void)setsockopt(so, SOL_SOCKET, SO_SNDBUF, &bufsiz, sizeof(bufsiz));
	(void)setsockopt(so, SOL_SOCKET, SO_RCVBUF, &bufsiz, sizeof(bufsiz));

	__ipsec_errcode = EIPSEC_NO_ERROR;
	return so;
}

/*
 * Close a PF_KEY socket obtained from pfkey_open().
 * The result of close() is discarded and __ipsec_errcode is reset to
 * EIPSEC_NO_ERROR unconditionally; nothing is returned.
 */
void
pfkey_close(int so)
{
	(void)close(so);
	__ipsec_errcode = EIPSEC_NO_ERROR;
}

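/*
 * Receive one sadb_msg from the kernel and return it in a newly
 * allocated buffer.  The caller must free this buffer later.
 * The base header is peeked first to learn the full length; the whole
 * message is then read into a buffer of that size.
 * OUT:
 *	NULL	: error occurred (__ipsec_errcode / __ipsec_set_strerror set).
 *	others	: a pointer to sadb_msg structure.
 *
 * XXX should be rewritten to pass length explicitly
 */
struct sadb_msg *
pfkey_recv(int so)
{
	struct sadb_msg buf, *newmsg;
	int len, reallen;

	/* peek at the base header without consuming the datagram */
	while ((len = recv(so, (caddr_t)&buf, sizeof(buf), MSG_PEEK)) < 0) {
		if (errno == EINTR)
			continue;
		__ipsec_set_strerror(strerror(errno));
		return NULL;
	}

	if ((size_t)len < sizeof(buf)) {
		/* too short to be a PF_KEY message: drain it and give up */
		(void)recv(so, (caddr_t)&buf, sizeof(buf), 0);
		__ipsec_errcode = EIPSEC_MAX;
		return NULL;
	}

	/*
	 * The advertised length must cover at least the base header;
	 * otherwise the buffer allocated below would be smaller than the
	 * header that is read back out of it for validation.  Drain the
	 * datagram so the next call does not peek at the same message again.
	 */
	reallen = PFKEY_UNUNIT64(buf.sadb_msg_len);
	if (reallen < (int)sizeof(buf)) {
		(void)recv(so, (caddr_t)&buf, sizeof(buf), 0);
		__ipsec_errcode = EIPSEC_SYSTEM_ERROR;
		return NULL;
	}

	/* read real message */
	if ((newmsg = CALLOC(reallen, struct sadb_msg *)) == NULL) {
		__ipsec_set_strerror(strerror(errno));
		return NULL;
	}

	while ((len = recv(so, (caddr_t)newmsg, reallen, 0)) < 0) {
		if (errno == EINTR)
			continue;
		__ipsec_set_strerror(strerror(errno));
		free(newmsg);
		return NULL;
	}

	/* the datagram must be exactly as long as its header claimed */
	if (len != reallen) {
		__ipsec_errcode = EIPSEC_SYSTEM_ERROR;
		free(newmsg);
		return NULL;
	}

	/* don't trust what the kernel says, validate! */
	if (PFKEY_UNUNIT64(newmsg->sadb_msg_len) != len) {
		__ipsec_errcode = EIPSEC_SYSTEM_ERROR;
		free(newmsg);
		return NULL;
	}

	__ipsec_errcode = EIPSEC_NO_ERROR;
	return newmsg;
}
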
/*
 * Send a fully built sadb_msg of `len' bytes on a PF_KEY socket.
 * OUT:
 *	others	: success and return length sent.
 *	-1	: fail (__ipsec_set_strerror carries the send() error).
 */
int
pfkey_send(int so, struct sadb_msg *msg, int len)
{
	int sent;

	sent = send(so, (caddr_t)msg, len, 0);
	if (sent < 0) {
		__ipsec_set_strerror(strerror(errno));
		return -1;
	}

	__ipsec_errcode = EIPSEC_NO_ERROR;
	return sent;
}

/*
 * %%% Utilities
 * NOTE: These functions are derived from netkey/key.c in KAME.
 */
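/*
 * Set the pointer to each extension header in this message buffer.
 * IN:	msg: pointer to message buffer (base header first).
 *	mhp: pointer to the buffer initialized like below:
 *		caddr_t mhp[SADB_EXT_MAX + 1];
 *	     On success mhp[0] is the base header and mhp[ext type] the
 *	     matching extension, or NULL when that extension is absent.
 * OUT:	-1: invalid (__ipsec_errcode says why).
 *	 0: valid.
 *
 * The walk is bounded by msg->sadb_msg_len, taken from the message itself.
 * XXX should be rewritten to obtain length explicitly
 */
int
pfkey_align(struct sadb_msg *msg, caddr_t *mhp)
{
	struct sadb_ext *ext;
	int i;
	caddr_t p;
	caddr_t ep;	/* XXX should be passed from upper layer */

	/* validity check */
	if (msg == NULL || mhp == NULL) {
		__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
		return -1;
	}

	/* initialize */
	for (i = 0; i < SADB_EXT_MAX + 1; i++)
		mhp[i] = NULL;

	mhp[0] = (caddr_t)msg;

	/* initialize */
	p = (caddr_t) msg;
	ep = p + PFKEY_UNUNIT64(msg->sadb_msg_len);

	/* skip base header */
	p += sizeof(struct sadb_msg);

	while (p < ep) {
		ext = (struct sadb_ext *)p;
		/* the extension header, its declared length and the buffer must agree */
		if (ep < p + sizeof(*ext) || PFKEY_EXTLEN(ext) < sizeof(*ext) ||
		    ep < p + PFKEY_EXTLEN(ext)) {
			/* invalid format */
			break;
		}

		/*
		 * sadb_ext_type is used as the index into mhp[], which has
		 * only SADB_EXT_MAX + 1 slots.  A malformed message can
		 * carry any 16-bit value here, so range-check it before the
		 * duplicate test below reads mhp[] with it.
		 */
		if (ext->sadb_ext_type > SADB_EXT_MAX) {
			__ipsec_errcode = EIPSEC_INVAL_EXTTYPE;
			return -1;
		}

		/* duplicate check */
		/* XXX Are there duplication either KEY_AUTH or KEY_ENCRYPT ?*/
		if (mhp[ext->sadb_ext_type] != NULL) {
			__ipsec_errcode = EIPSEC_INVAL_EXTTYPE;
			return -1;
		}

		/* set pointer */
		switch (ext->sadb_ext_type) {
		case SADB_EXT_SA:
		case SADB_EXT_LIFETIME_CURRENT:
		case SADB_EXT_LIFETIME_HARD:
		case SADB_EXT_LIFETIME_SOFT:
		case SADB_EXT_ADDRESS_SRC:
		case SADB_EXT_ADDRESS_DST:
		case SADB_EXT_ADDRESS_PROXY:
		case SADB_EXT_KEY_AUTH:
			/* XXX should to be check weak keys. */
		case SADB_EXT_KEY_ENCRYPT:
			/* XXX should to be check weak keys. */
		case SADB_EXT_IDENTITY_SRC:
		case SADB_EXT_IDENTITY_DST:
		case SADB_EXT_SENSITIVITY:
		case SADB_EXT_PROPOSAL:
		case SADB_EXT_SUPPORTED_AUTH:
		case SADB_EXT_SUPPORTED_ENCRYPT:
		case SADB_EXT_SPIRANGE:
		case SADB_X_EXT_POLICY:
		case SADB_X_EXT_SA2:
			mhp[ext->sadb_ext_type] = (caddr_t)ext;
			break;
		default:
			__ipsec_errcode = EIPSEC_INVAL_EXTTYPE;
			return -1;
		}

		p += PFKEY_EXTLEN(ext);
	}

	/* a truncated or over-long extension leaves p short of ep */
	if (p != ep) {
		__ipsec_errcode = EIPSEC_INVAL_SADBMSG;
		return -1;
	}

	__ipsec_errcode = EIPSEC_NO_ERROR;
	return 0;
}
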
/*
 * Cross-check the src/dst address extensions when both are present:
 * they must agree on upper-layer protocol and address family, and the
 * family must be AF_INET or AF_INET6.
 * Returns 0 when valid (or when either extension is absent), -1 with
 * __ipsec_errcode set otherwise.
 */
static int
pfkey_check_addrpair(caddr_t *mhp)
{
	struct sadb_address *src0, *dst0;
	u_int family;

	if (mhp[SADB_EXT_ADDRESS_SRC] == NULL ||
	    mhp[SADB_EXT_ADDRESS_DST] == NULL)
		return 0;	/* nothing to compare */

	src0 = (struct sadb_address *)(mhp[SADB_EXT_ADDRESS_SRC]);
	dst0 = (struct sadb_address *)(mhp[SADB_EXT_ADDRESS_DST]);

	if (src0->sadb_address_proto != dst0->sadb_address_proto) {
		__ipsec_errcode = EIPSEC_PROTO_MISMATCH;
		return -1;
	}

	family = PFKEY_ADDR_SADDR(src0)->sa_family;
	if (family != PFKEY_ADDR_SADDR(dst0)->sa_family) {
		__ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
		return -1;
	}
	if (family != AF_INET && family != AF_INET6) {
		__ipsec_errcode = EIPSEC_INVAL_FAMILY;
		return -1;
	}

	/*
	 * prefixlen == 0 is valid because there must be the case
	 * all addresses are matched.
	 */
	return 0;
}

/*
 * Check basic usage for an sadb_msg whose extension pointers have been
 * laid out by pfkey_align().
 * NOTE: This routine is derived from netkey/key.c in KAME.
 * IN:	mhp: pointer to the buffer initialized like below and filled in
 *	     by pfkey_align(); mhp[0] is the base header:
 *
 *	caddr_t mhp[SADB_EXT_MAX + 1];
 *
 * OUT:	-1: invalid (__ipsec_errcode says why).
 *	 0: valid.
 */
int
pfkey_check(caddr_t *mhp)
{
	struct sadb_msg *msg;
	u_int satype, type;

	/* validity check */
	if (mhp == NULL || mhp[0] == NULL) {
		__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
		return -1;
	}

	msg = (struct sadb_msg *)mhp[0];

	/* check version */
	if (msg->sadb_msg_version != PF_KEY_V2) {
		__ipsec_errcode = EIPSEC_INVAL_VERSION;
		return -1;
	}

	/* check type */
	if (msg->sadb_msg_type > SADB_MAX) {
		__ipsec_errcode = EIPSEC_INVAL_MSGTYPE;
		return -1;
	}

	/* check SA type against message type */
	satype = msg->sadb_msg_satype;
	type = msg->sadb_msg_type;
	if (satype == SADB_SATYPE_UNSPEC) {
		/* per-SA operations need a concrete SA type */
		if (type == SADB_GETSPI || type == SADB_UPDATE ||
		    type == SADB_ADD || type == SADB_DELETE ||
		    type == SADB_GET || type == SADB_ACQUIRE ||
		    type == SADB_EXPIRE) {
			__ipsec_errcode = EIPSEC_INVAL_SATYPE;
			return -1;
		}
	} else if (satype == SADB_SATYPE_ESP || satype == SADB_SATYPE_AH ||
	    satype == SADB_X_SATYPE_IPCOMP ||
	    satype == SADB_X_SATYPE_TCPSIGNATURE) {
		/* policy operations must not name an SA type */
		if (type == SADB_X_SPDADD || type == SADB_X_SPDDELETE ||
		    type == SADB_X_SPDGET || type == SADB_X_SPDDUMP ||
		    type == SADB_X_SPDFLUSH) {
			__ipsec_errcode = EIPSEC_INVAL_SATYPE;
			return -1;
		}
	} else if (satype == SADB_SATYPE_RSVP || satype == SADB_SATYPE_OSPFV2 ||
	    satype == SADB_SATYPE_RIPV2 || satype == SADB_SATYPE_MIP) {
		__ipsec_errcode = EIPSEC_NOT_SUPPORTED;
		return -1;
	} else if (satype == 1 && type == SADB_X_PROMISC) {
		/* satype 1 is accepted only with SADB_X_PROMISC (XXX: what does it do?) */
	} else {
		__ipsec_errcode = EIPSEC_INVAL_SATYPE;
		return -1;
	}

	/* check field of upper layer protocol and address family */
	if (pfkey_check_addrpair(mhp) < 0)
		return -1;

	__ipsec_errcode = EIPSEC_NO_ERROR;
	return 0;
}

/*
 * Write the PF_KEY base header (struct sadb_msg) at the front of `buf'.
 *
 * `buf' and `lim' delimit the caller's message buffer; nothing is written
 * unless the whole header fits below `lim'.  `tlen' is the total message
 * length in bytes and is stored in the 64-bit units PFKEY_UNIT64() yields.
 * The errno and reserved fields are always written as zero; `pid' is
 * stored as an unsigned 32-bit value.
 *
 * Returns the first byte after the header, or NULL when it does not fit.
 */
static caddr_t
pfkey_setsadbmsg(caddr_t buf, caddr_t lim, u_int type, u_int tlen,
    u_int satype, u_int32_t seq, pid_t pid)
{
	struct sadb_msg *hdr = (struct sadb_msg *)buf;
	const u_int hdrlen = sizeof(*hdr);
	caddr_t next = buf + hdrlen;

	/* Refuse to write past the end of the caller's buffer. */
	if (next > lim)
		return NULL;

	memset(hdr, 0, hdrlen);
	hdr->sadb_msg_version = PF_KEY_V2;
	hdr->sadb_msg_type = type;
	hdr->sadb_msg_errno = 0;
	hdr->sadb_msg_satype = satype;
	hdr->sadb_msg_len = PFKEY_UNIT64(tlen);
	hdr->sadb_msg_reserved = 0;
	hdr->sadb_msg_seq = seq;
	hdr->sadb_msg_pid = (u_int32_t)pid;

	return next;
}
---|
1958 | |
---|
/*
 * Write an SA extension (struct sadb_sa) at `buf'.
 *
 * The SA is always emitted in state SADB_SASTATE_LARVAL; `spi', the
 * replay window `wsize', the authentication/encryption algorithm ids and
 * `flags' are copied in as given.  Nothing is written unless the whole
 * extension fits below `lim'.
 *
 * Returns the first byte after the extension, or NULL if it does not fit.
 */
static caddr_t
pfkey_setsadbsa(caddr_t buf, caddr_t lim, u_int32_t spi, u_int wsize,
    u_int auth, u_int enc, u_int32_t flags)
{
	struct sadb_sa *sa = (struct sadb_sa *)buf;
	const u_int extlen = sizeof(*sa);

	if (buf + extlen > lim)
		return NULL;

	memset(sa, 0, extlen);
	sa->sadb_sa_len = PFKEY_UNIT64(extlen);
	sa->sadb_sa_exttype = SADB_EXT_SA;
	sa->sadb_sa_spi = spi;
	/*
	 * NOTE(review): sadb_sa_replay is a narrow field in the PF_KEY
	 * header; a `wsize' larger than it can hold is truncated by the
	 * implicit conversion here rather than rejected -- confirm.
	 */
	sa->sadb_sa_replay = wsize;
	sa->sadb_sa_state = SADB_SASTATE_LARVAL;
	sa->sadb_sa_auth = auth;
	sa->sadb_sa_encrypt = enc;
	sa->sadb_sa_flags = flags;

	return buf + extlen;
}
---|
1991 | |
---|
/*
 * Write an address extension (struct sadb_address) at `buf', followed by
 * a copy of `saddr' padded out to an 8-byte boundary.
 *
 * `exttype' is the extension type to record, `prefixlen' the prefix
 * length in bits and `ul_proto' the upper-layer protocol; exttype and
 * ul_proto are masked to the width of their header fields.  The whole
 * extension, including the padding after the sockaddr, is zeroed first
 * so the padding carries no stale buffer contents.
 *
 * Returns the first byte after the padded extension, or NULL if it does
 * not fit below `lim'.
 */
static caddr_t
pfkey_setsadbaddr(caddr_t buf, caddr_t lim, u_int exttype,
    struct sockaddr *saddr, u_int prefixlen, u_int ul_proto)
{
	struct sadb_address *ext = (struct sadb_address *)buf;
	const u_int extlen = sizeof(*ext) + PFKEY_ALIGN8(saddr->sa_len);

	if (buf + extlen > lim)
		return NULL;

	/* Clear header, reserved bits and tail padding in one go. */
	memset(ext, 0, extlen);
	ext->sadb_address_len = PFKEY_UNIT64(extlen);
	ext->sadb_address_exttype = exttype & 0xffff;
	ext->sadb_address_proto = ul_proto & 0xff;
	ext->sadb_address_prefixlen = prefixlen;
	ext->sadb_address_reserved = 0;

	/* The sockaddr immediately follows the fixed-size header. */
	memcpy(ext + 1, saddr, saddr->sa_len);

	return buf + extlen;
}
---|
2026 | |
---|
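/*
 * set sadb_key structure after clearing buffer with zero, then copy
 * `keylen' bytes of `key' behind it, padded to an 8-byte boundary.
 *
 * `type' is the extension type to record.  sadb_key_bits carries the
 * key length in bits and is a 16-bit field, so a key longer than
 * 0xffff/8 bytes cannot be described by the header; such a key is
 * rejected here instead of having its bit count silently truncated.
 * The same bound keeps the PFKEY_ALIGN8() arithmetic on `keylen' from
 * wrapping, which would otherwise let the memcpy run past `lim'.
 *
 * OUT: the pointer of buf + len, or NULL when the key is too long or the
 * extension does not fit below `lim'.
 */
static caddr_t
pfkey_setsadbkey(caddr_t buf, caddr_t lim, u_int type, caddr_t key,
    u_int keylen)
{
	struct sadb_key *p;
	u_int len;

	/* keylen << 3 must fit in the 16-bit sadb_key_bits field. */
	if (keylen > (0xffffU >> 3))
		return NULL;

	p = (struct sadb_key *)buf;
	len = sizeof(struct sadb_key) + PFKEY_ALIGN8(keylen);

	if (buf + len > lim)
		return NULL;

	memset(p, 0, len);
	p->sadb_key_len = PFKEY_UNIT64(len);
	p->sadb_key_exttype = type;
	p->sadb_key_bits = keylen << 3;
	p->sadb_key_reserved = 0;

	/*
	 * Key material immediately follows the fixed header; the padding
	 * after it was already zeroed by the memset above.  Skip the copy
	 * for an empty key so a NULL `key' is never handed to memcpy.
	 */
	if (keylen > 0)
		memcpy(p + 1, key, keylen);

	return buf + len;
}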
---|
2057 | |
---|
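/*
 * set sadb_lifetime structure after clearing buffer with zero.
 *
 * For SADB_EXT_LIFETIME_HARD the four limits are stored as given.  For
 * SADB_EXT_LIFETIME_SOFT each limit is scaled by the matching
 * soft_lifetime_*_rate percentage.  That scaling is done in 64-bit
 * arithmetic: the inputs are 32-bit, and multiplying them by the rate in
 * 32 bits wrapped for any limit above UINT32_MAX/rate, producing a wrong
 * soft limit.  Any other `type' leaves all four limits zero.
 *
 * OUT: the pointer of buf + len, or NULL if the extension does not fit
 * below `lim'.
 */
static caddr_t
pfkey_setsadblifetime(caddr_t buf, caddr_t lim, u_int type,
    u_int32_t l_alloc, u_int32_t l_bytes, u_int32_t l_addtime,
    u_int32_t l_usetime)
{
	struct sadb_lifetime *p;
	u_int len;

	p = (struct sadb_lifetime *)buf;
	len = sizeof(struct sadb_lifetime);

	if (buf + len > lim)
		return NULL;

	memset(p, 0, len);
	p->sadb_lifetime_len = PFKEY_UNIT64(len);
	p->sadb_lifetime_exttype = type;

	switch (type) {
	case SADB_EXT_LIFETIME_SOFT:
		/* Widen before multiplying so the percentage scaling cannot wrap. */
		p->sadb_lifetime_allocations
			= ((u_int64_t)l_alloc * soft_lifetime_allocations_rate) / 100;
		p->sadb_lifetime_bytes
			= ((u_int64_t)l_bytes * soft_lifetime_bytes_rate) / 100;
		p->sadb_lifetime_addtime
			= ((u_int64_t)l_addtime * soft_lifetime_addtime_rate) / 100;
		p->sadb_lifetime_usetime
			= ((u_int64_t)l_usetime * soft_lifetime_usetime_rate) / 100;
		break;
	case SADB_EXT_LIFETIME_HARD:
		p->sadb_lifetime_allocations = l_alloc;
		p->sadb_lifetime_bytes = l_bytes;
		p->sadb_lifetime_addtime = l_addtime;
		p->sadb_lifetime_usetime = l_usetime;
		break;
	default:
		/* Unknown lifetime type: limits stay at the zero set above. */
		break;
	}

	return buf + len;
}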
---|
2103 | |
---|
/*
 * Write an SA2 extension (struct sadb_x_sa2) at `buf' after zeroing it.
 *
 * Only the low 8 bits of `mode0' are kept as the mode; `reqid' is stored
 * unchanged.  Nothing is written unless the whole extension fits below
 * `lim'.
 *
 * Returns the first byte after the extension, or NULL if it does not fit.
 */
static caddr_t
pfkey_setsadbxsa2(caddr_t buf, caddr_t lim, u_int32_t mode0, u_int32_t reqid)
{
	struct sadb_x_sa2 *sa2 = (struct sadb_x_sa2 *)buf;
	const u_int extlen = sizeof(*sa2);

	if (buf + extlen > lim)
		return NULL;

	memset(sa2, 0, extlen);
	sa2->sadb_x_sa2_len = PFKEY_UNIT64(extlen);
	sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
	/* Mode is an 8-bit field; drop the upper bits explicitly. */
	sa2->sadb_x_sa2_mode = (u_int8_t)(mode0 & 0xff);
	sa2->sadb_x_sa2_reqid = reqid;

	return buf + extlen;
}
---|