Context Navigation

source: rtems-libbsd/freebsd/lib/libipsec/pfkey.c @ bceabc9

4.1155-freebsd-126-freebsd-12freebsd-9.3

Last change on this file since bceabc9 was bceabc9, checked in by Sebastian Huber <sebastian.huber@…>, on 10/09/13 at 20:42:09
Move files to match FreeBSD layout
Property mode set to `100644`
File size: 44.6 KB

Line
1	/* $KAME: pfkey.c,v 1.46 2003/08/26 03:37:06 itojun Exp $ */
2
3	/*
4	* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
5	* All rights reserved.
6	*
7	* Redistribution and use in source and binary forms, with or without
8	* modification, are permitted provided that the following conditions
9	* are met:
10	* 1. Redistributions of source code must retain the above copyright
11	* notice, this list of conditions and the following disclaimer.
12	* 2. Redistributions in binary form must reproduce the above copyright
13	* notice, this list of conditions and the following disclaimer in the
14	* documentation and/or other materials provided with the distribution.
15	* 3. Neither the name of the project nor the names of its contributors
16	* may be used to endorse or promote products derived from this software
17	* without specific prior written permission.
18	*
19	* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
20	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22	* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
23	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29	* SUCH DAMAGE.
30	*/
31
32	#include <sys/cdefs.h>
33	__FBSDID("$FreeBSD$");
34
35	#include <sys/types.h>
36	#include <sys/param.h>
37	#include <sys/socket.h>
38	#ifdef __rtems__
39	#include <freebsd/net/pfkeyv2.h>
40	#include <freebsd/netipsec/key_var.h>
41	#include <freebsd/netinet/in.h>
42	#include <freebsd/netipsec/ipsec.h>
43	#else
44	#include <net/pfkeyv2.h>
45	#include <netipsec/key_var.h>
46	#include <netinet/in.h>
47	#include <netipsec/ipsec.h>
48	#endif
49
50	#include <stdlib.h>
51	#include <unistd.h>
52	#include <string.h>
53	#include <errno.h>
54
55	#include "ipsec_strerror.h"
56	#include "libpfkey.h"
57
58	#define CALLOC(size, cast) (cast)calloc(1, (size))
59
60	static int findsupportedmap(int);
61	static int setsupportedmap(struct sadb_supported *);
62	static struct sadb_alg *findsupportedalg(u_int, u_int);
63	static int pfkey_send_x1(int, u_int, u_int, u_int, struct sockaddr *,
64	struct sockaddr *, u_int32_t, u_int32_t, u_int, caddr_t,
65	u_int, u_int, u_int, u_int, u_int, u_int32_t, u_int32_t,
66	u_int32_t, u_int32_t, u_int32_t);
67	static int pfkey_send_x2(int, u_int, u_int, u_int,
68	struct sockaddr , struct sockaddr , u_int32_t);
69	static int pfkey_send_x3(int, u_int, u_int);
70	static int pfkey_send_x4(int, u_int, struct sockaddr *, u_int,
71	struct sockaddr *, u_int, u_int, u_int64_t, u_int64_t,
72	char *, int, u_int32_t);
73	static int pfkey_send_x5(int, u_int, u_int32_t);
74
75	static caddr_t pfkey_setsadbmsg(caddr_t, caddr_t, u_int, u_int,
76	u_int, u_int32_t, pid_t);
77	static caddr_t pfkey_setsadbsa(caddr_t, caddr_t, u_int32_t, u_int,
78	u_int, u_int, u_int32_t);
79	static caddr_t pfkey_setsadbaddr(caddr_t, caddr_t, u_int,
80	struct sockaddr *, u_int, u_int);
81	static caddr_t pfkey_setsadbkey(caddr_t, caddr_t, u_int, caddr_t, u_int);
82	static caddr_t pfkey_setsadblifetime(caddr_t, caddr_t, u_int, u_int32_t,
83	u_int32_t, u_int32_t, u_int32_t);
84	static caddr_t pfkey_setsadbxsa2(caddr_t, caddr_t, u_int32_t, u_int32_t);
85
86	/*
87	* make and search supported algorithm structure.
88	*/
89	static struct sadb_supported *ipsec_supported[] = { NULL, NULL, NULL, NULL };
90
91	static int supported_map[] = {
92	SADB_SATYPE_AH,
93	SADB_SATYPE_ESP,
94	SADB_X_SATYPE_IPCOMP,
95	SADB_X_SATYPE_TCPSIGNATURE
96	};
97
98	static int
99	findsupportedmap(satype)
100	int satype;
101	{
102	int i;
103
104	for (i = 0; i < sizeof(supported_map)/sizeof(supported_map[0]); i++)
105	if (supported_map[i] == satype)
106	return i;
107	return -1;
108	}
109
110	static struct sadb_alg *
111	findsupportedalg(satype, alg_id)
112	u_int satype, alg_id;
113	{
114	int algno;
115	int tlen;
116	caddr_t p;
117
118	/* validity check */
119	algno = findsupportedmap(satype);
120	if (algno == -1) {
121	__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
122	return NULL;
123	}
124	if (ipsec_supported[algno] == NULL) {
125	__ipsec_errcode = EIPSEC_DO_GET_SUPP_LIST;
126	return NULL;
127	}
128
129	tlen = ipsec_supported[algno]->sadb_supported_len
130	- sizeof(struct sadb_supported);
131	p = (caddr_t)(ipsec_supported[algno] + 1);
132	while (tlen > 0) {
133	if (tlen < sizeof(struct sadb_alg)) {
134	/* invalid format */
135	break;
136	}
137	if (((struct sadb_alg *)p)->sadb_alg_id == alg_id)
138	return (struct sadb_alg *)p;
139
140	tlen -= sizeof(struct sadb_alg);
141	p += sizeof(struct sadb_alg);
142	}
143
144	__ipsec_errcode = EIPSEC_NOT_SUPPORTED;
145	return NULL;
146	}
147
148	static int
149	setsupportedmap(sup)
150	struct sadb_supported *sup;
151	{
152	struct sadb_supported **ipsup;
153
154	switch (sup->sadb_supported_exttype) {
155	case SADB_EXT_SUPPORTED_AUTH:
156	ipsup = &ipsec_supported[findsupportedmap(SADB_SATYPE_AH)];
157	break;
158	case SADB_EXT_SUPPORTED_ENCRYPT:
159	ipsup = &ipsec_supported[findsupportedmap(SADB_SATYPE_ESP)];
160	break;
161	default:
162	__ipsec_errcode = EIPSEC_INVAL_SATYPE;
163	return -1;
164	}
165
166	if (*ipsup)
167	free(*ipsup);
168
169	*ipsup = malloc(sup->sadb_supported_len);
170	if (!*ipsup) {
171	__ipsec_set_strerror(strerror(errno));
172	return -1;
173	}
174	memcpy(*ipsup, sup, sup->sadb_supported_len);
175
176	return 0;
177	}
178
179	/*
180	* check key length against algorithm specified.
181	* This function is called with SADB_EXT_SUPPORTED_{AUTH,ENCRYPT} as the
182	* augument, and only calls to ipsec_check_keylen2();
183	* keylen is the unit of bit.
184	* OUT:
185	* -1: invalid.
186	* 0: valid.
187	*/
188	int
189	ipsec_check_keylen(supported, alg_id, keylen)
190	u_int supported;
191	u_int alg_id;
192	u_int keylen;
193	{
194	int satype;
195
196	/* validity check */
197	switch (supported) {
198	case SADB_EXT_SUPPORTED_AUTH:
199	satype = SADB_SATYPE_AH;
200	break;
201	case SADB_EXT_SUPPORTED_ENCRYPT:
202	satype = SADB_SATYPE_ESP;
203	break;
204	default:
205	__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
206	return -1;
207	}
208
209	return ipsec_check_keylen2(satype, alg_id, keylen);
210	}
211
212	/*
213	* check key length against algorithm specified.
214	* satype is one of satype defined at pfkeyv2.h.
215	* keylen is the unit of bit.
216	* OUT:
217	* -1: invalid.
218	* 0: valid.
219	*/
220	int
221	ipsec_check_keylen2(satype, alg_id, keylen)
222	u_int satype;
223	u_int alg_id;
224	u_int keylen;
225	{
226	struct sadb_alg *alg;
227
228	alg = findsupportedalg(satype, alg_id);
229	if (!alg)
230	return -1;
231
232	if (keylen < alg->sadb_alg_minbits \|\| keylen > alg->sadb_alg_maxbits) {
233	__ipsec_errcode = EIPSEC_INVAL_KEYLEN;
234	return -1;
235	}
236
237	__ipsec_errcode = EIPSEC_NO_ERROR;
238	return 0;
239	}
240
241	/*
242	* get max/min key length against algorithm specified.
243	* satype is one of satype defined at pfkeyv2.h.
244	* keylen is the unit of bit.
245	* OUT:
246	* -1: invalid.
247	* 0: valid.
248	*/
249	int
250	ipsec_get_keylen(supported, alg_id, alg0)
251	u_int supported, alg_id;
252	struct sadb_alg *alg0;
253	{
254	struct sadb_alg *alg;
255	u_int satype;
256
257	/* validity check */
258	if (!alg0) {
259	__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
260	return -1;
261	}
262
263	switch (supported) {
264	case SADB_EXT_SUPPORTED_AUTH:
265	satype = SADB_SATYPE_AH;
266	break;
267	case SADB_EXT_SUPPORTED_ENCRYPT:
268	satype = SADB_SATYPE_ESP;
269	break;
270	default:
271	__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
272	return -1;
273	}
274
275	alg = findsupportedalg(satype, alg_id);
276	if (!alg)
277	return -1;
278
279	memcpy(alg0, alg, sizeof(*alg0));
280
281	__ipsec_errcode = EIPSEC_NO_ERROR;
282	return 0;
283	}
284
285	/*
286	* set the rate for SOFT lifetime against HARD one.
287	* If rate is more than 100 or equal to zero, then set to 100.
288	*/
289	static u_int soft_lifetime_allocations_rate = PFKEY_SOFT_LIFETIME_RATE;
290	static u_int soft_lifetime_bytes_rate = PFKEY_SOFT_LIFETIME_RATE;
291	static u_int soft_lifetime_addtime_rate = PFKEY_SOFT_LIFETIME_RATE;
292	static u_int soft_lifetime_usetime_rate = PFKEY_SOFT_LIFETIME_RATE;
293
294	u_int
295	pfkey_set_softrate(type, rate)
296	u_int type, rate;
297	{
298	__ipsec_errcode = EIPSEC_NO_ERROR;
299
300	if (rate > 100 \|\| rate == 0)
301	rate = 100;
302
303	switch (type) {
304	case SADB_X_LIFETIME_ALLOCATIONS:
305	soft_lifetime_allocations_rate = rate;
306	return 0;
307	case SADB_X_LIFETIME_BYTES:
308	soft_lifetime_bytes_rate = rate;
309	return 0;
310	case SADB_X_LIFETIME_ADDTIME:
311	soft_lifetime_addtime_rate = rate;
312	return 0;
313	case SADB_X_LIFETIME_USETIME:
314	soft_lifetime_usetime_rate = rate;
315	return 0;
316	}
317
318	__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
319	return 1;
320	}
321
322	/*
323	* get current rate for SOFT lifetime against HARD one.
324	* ATTENTION: ~0 is returned if invalid type was passed.
325	*/
326	u_int
327	pfkey_get_softrate(type)
328	u_int type;
329	{
330	switch (type) {
331	case SADB_X_LIFETIME_ALLOCATIONS:
332	return soft_lifetime_allocations_rate;
333	case SADB_X_LIFETIME_BYTES:
334	return soft_lifetime_bytes_rate;
335	case SADB_X_LIFETIME_ADDTIME:
336	return soft_lifetime_addtime_rate;
337	case SADB_X_LIFETIME_USETIME:
338	return soft_lifetime_usetime_rate;
339	}
340
341	return ~0;
342	}
343
344	/*
345	* sending SADB_GETSPI message to the kernel.
346	* OUT:
347	* positive: success and return length sent.
348	* -1 : error occured, and set errno.
349	*/
350	int
351	pfkey_send_getspi(so, satype, mode, src, dst, min, max, reqid, seq)
352	int so;
353	u_int satype, mode;
354	struct sockaddr src, dst;
355	u_int32_t min, max, reqid, seq;
356	{
357	struct sadb_msg *newmsg;
358	caddr_t ep;
359	int len;
360	int need_spirange = 0;
361	caddr_t p;
362	int plen;
363
364	/* validity check */
365	if (src == NULL \|\| dst == NULL) {
366	__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
367	return -1;
368	}
369	if (src->sa_family != dst->sa_family) {
370	__ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
371	return -1;
372	}
373	if (min > max \|\| (min > 0 && min <= 255)) {
374	__ipsec_errcode = EIPSEC_INVAL_SPI;
375	return -1;
376	}
377	switch (src->sa_family) {
378	case AF_INET:
379	plen = sizeof(struct in_addr) << 3;
380	break;
381	case AF_INET6:
382	plen = sizeof(struct in6_addr) << 3;
383	break;
384	default:
385	__ipsec_errcode = EIPSEC_INVAL_FAMILY;
386	return -1;
387	}
388
389	/* create new sadb_msg to send. */
390	len = sizeof(struct sadb_msg)
391	+ sizeof(struct sadb_x_sa2)
392	+ sizeof(struct sadb_address)
393	+ PFKEY_ALIGN8(src->sa_len)
394	+ sizeof(struct sadb_address)
395	+ PFKEY_ALIGN8(dst->sa_len);
396
397	if (min > 255 && max < ~0) {
398	need_spirange++;
399	len += sizeof(struct sadb_spirange);
400	}
401
402	if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
403	__ipsec_set_strerror(strerror(errno));
404	return -1;
405	}
406	ep = ((caddr_t)newmsg) + len;
407
408	p = pfkey_setsadbmsg((caddr_t)newmsg, ep, SADB_GETSPI,
409	len, satype, seq, getpid());
410	if (!p) {
411	free(newmsg);
412	return -1;
413	}
414
415	p = pfkey_setsadbxsa2(p, ep, mode, reqid);
416	if (!p) {
417	free(newmsg);
418	return -1;
419	}
420
421	/* set sadb_address for source */
422	p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, plen,
423	IPSEC_ULPROTO_ANY);
424	if (!p) {
425	free(newmsg);
426	return -1;
427	}
428
429	/* set sadb_address for destination */
430	p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, plen,
431	IPSEC_ULPROTO_ANY);
432	if (!p) {
433	free(newmsg);
434	return -1;
435	}
436
437	/* proccessing spi range */
438	if (need_spirange) {
439	struct sadb_spirange spirange;
440
441	if (p + sizeof(spirange) > ep) {
442	free(newmsg);
443	return -1;
444	}
445
446	memset(&spirange, 0, sizeof(spirange));
447	spirange.sadb_spirange_len = PFKEY_UNIT64(sizeof(spirange));
448	spirange.sadb_spirange_exttype = SADB_EXT_SPIRANGE;
449	spirange.sadb_spirange_min = min;
450	spirange.sadb_spirange_max = max;
451
452	memcpy(p, &spirange, sizeof(spirange));
453
454	p += sizeof(spirange);
455	}
456	if (p != ep) {
457	free(newmsg);
458	return -1;
459	}
460
461	/* send message */
462	len = pfkey_send(so, newmsg, len);
463	free(newmsg);
464
465	if (len < 0)
466	return -1;
467
468	__ipsec_errcode = EIPSEC_NO_ERROR;
469	return len;
470	}
471
472	/*
473	* sending SADB_UPDATE message to the kernel.
474	* The length of key material is a_keylen + e_keylen.
475	* OUT:
476	* positive: success and return length sent.
477	* -1 : error occured, and set errno.
478	*/
479	int
480	pfkey_send_update(so, satype, mode, src, dst, spi, reqid, wsize,
481	keymat, e_type, e_keylen, a_type, a_keylen, flags,
482	l_alloc, l_bytes, l_addtime, l_usetime, seq)
483	int so;
484	u_int satype, mode, wsize;
485	struct sockaddr src, dst;
486	u_int32_t spi, reqid;
487	caddr_t keymat;
488	u_int e_type, e_keylen, a_type, a_keylen, flags;
489	u_int32_t l_alloc;
490	u_int64_t l_bytes, l_addtime, l_usetime;
491	u_int32_t seq;
492	{
493	int len;
494	if ((len = pfkey_send_x1(so, SADB_UPDATE, satype, mode, src, dst, spi,
495	reqid, wsize,
496	keymat, e_type, e_keylen, a_type, a_keylen, flags,
497	l_alloc, l_bytes, l_addtime, l_usetime, seq)) < 0)
498	return -1;
499
500	return len;
501	}
502
503	/*
504	* sending SADB_ADD message to the kernel.
505	* The length of key material is a_keylen + e_keylen.
506	* OUT:
507	* positive: success and return length sent.
508	* -1 : error occured, and set errno.
509	*/
510	int
511	pfkey_send_add(so, satype, mode, src, dst, spi, reqid, wsize,
512	keymat, e_type, e_keylen, a_type, a_keylen, flags,
513	l_alloc, l_bytes, l_addtime, l_usetime, seq)
514	int so;
515	u_int satype, mode, wsize;
516	struct sockaddr src, dst;
517	u_int32_t spi, reqid;
518	caddr_t keymat;
519	u_int e_type, e_keylen, a_type, a_keylen, flags;
520	u_int32_t l_alloc;
521	u_int64_t l_bytes, l_addtime, l_usetime;
522	u_int32_t seq;
523	{
524	int len;
525	if ((len = pfkey_send_x1(so, SADB_ADD, satype, mode, src, dst, spi,
526	reqid, wsize,
527	keymat, e_type, e_keylen, a_type, a_keylen, flags,
528	l_alloc, l_bytes, l_addtime, l_usetime, seq)) < 0)
529	return -1;
530
531	return len;
532	}
533
534	/*
535	* sending SADB_DELETE message to the kernel.
536	* OUT:
537	* positive: success and return length sent.
538	* -1 : error occured, and set errno.
539	*/
540	int
541	pfkey_send_delete(so, satype, mode, src, dst, spi)
542	int so;
543	u_int satype, mode;
544	struct sockaddr src, dst;
545	u_int32_t spi;
546	{
547	int len;
548	if ((len = pfkey_send_x2(so, SADB_DELETE, satype, mode, src, dst, spi)) < 0)
549	return -1;
550
551	return len;
552	}
553
554	/*
555	* sending SADB_DELETE without spi to the kernel. This is
556	* the "delete all" request (an extension also present in
557	* Solaris).
558	*
559	* OUT:
560	* positive: success and return length sent
561	* -1 : error occured, and set errno
562	*/
563	int
564	pfkey_send_delete_all(so, satype, mode, src, dst)
565	int so;
566	u_int satype, mode;
567	struct sockaddr src, dst;
568	{
569	struct sadb_msg *newmsg;
570	int len;
571	caddr_t p;
572	int plen;
573	caddr_t ep;
574
575	/* validity check */
576	if (src == NULL \|\| dst == NULL) {
577	__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
578	return -1;
579	}
580	if (src->sa_family != dst->sa_family) {
581	__ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
582	return -1;
583	}
584	switch (src->sa_family) {
585	case AF_INET:
586	plen = sizeof(struct in_addr) << 3;
587	break;
588	case AF_INET6:
589	plen = sizeof(struct in6_addr) << 3;
590	break;
591	default:
592	__ipsec_errcode = EIPSEC_INVAL_FAMILY;
593	return -1;
594	}
595
596	/* create new sadb_msg to reply. */
597	len = sizeof(struct sadb_msg)
598	+ sizeof(struct sadb_address)
599	+ PFKEY_ALIGN8(src->sa_len)
600	+ sizeof(struct sadb_address)
601	+ PFKEY_ALIGN8(dst->sa_len);
602
603	if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
604	__ipsec_set_strerror(strerror(errno));
605	return -1;
606	}
607	ep = ((caddr_t)newmsg) + len;
608
609	p = pfkey_setsadbmsg((caddr_t)newmsg, ep, SADB_DELETE, len, satype, 0,
610	getpid());
611	if (!p) {
612	free(newmsg);
613	return -1;
614	}
615	p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, plen,
616	IPSEC_ULPROTO_ANY);
617	if (!p) {
618	free(newmsg);
619	return -1;
620	}
621	p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, plen,
622	IPSEC_ULPROTO_ANY);
623	if (!p \|\| p != ep) {
624	free(newmsg);
625	return -1;
626	}
627
628	/* send message */
629	len = pfkey_send(so, newmsg, len);
630	free(newmsg);
631
632	if (len < 0)
633	return -1;
634
635	__ipsec_errcode = EIPSEC_NO_ERROR;
636	return len;
637	}
638
639	/*
640	* sending SADB_GET message to the kernel.
641	* OUT:
642	* positive: success and return length sent.
643	* -1 : error occured, and set errno.
644	*/
645	int
646	pfkey_send_get(so, satype, mode, src, dst, spi)
647	int so;
648	u_int satype, mode;
649	struct sockaddr src, dst;
650	u_int32_t spi;
651	{
652	int len;
653	if ((len = pfkey_send_x2(so, SADB_GET, satype, mode, src, dst, spi)) < 0)
654	return -1;
655
656	return len;
657	}
658
659	/*
660	* sending SADB_REGISTER message to the kernel.
661	* OUT:
662	* positive: success and return length sent.
663	* -1 : error occured, and set errno.
664	*/
665	int
666	pfkey_send_register(so, satype)
667	int so;
668	u_int satype;
669	{
670	int len, algno;
671
672	if (satype == PF_UNSPEC) {
673	for (algno = 0;
674	algno < sizeof(supported_map)/sizeof(supported_map[0]);
675	algno++) {
676	if (ipsec_supported[algno]) {
677	free(ipsec_supported[algno]);
678	ipsec_supported[algno] = NULL;
679	}
680	}
681	} else {
682	algno = findsupportedmap(satype);
683	if (algno == -1) {
684	__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
685	return -1;
686	}
687
688	if (ipsec_supported[algno]) {
689	free(ipsec_supported[algno]);
690	ipsec_supported[algno] = NULL;
691	}
692	}
693
694	if ((len = pfkey_send_x3(so, SADB_REGISTER, satype)) < 0)
695	return -1;
696
697	return len;
698	}
699
700	/*
701	* receiving SADB_REGISTER message from the kernel, and copy buffer for
702	* sadb_supported returned into ipsec_supported.
703	* OUT:
704	* 0: success and return length sent.
705	* -1: error occured, and set errno.
706	*/
707	int
708	pfkey_recv_register(so)
709	int so;
710	{
711	pid_t pid = getpid();
712	struct sadb_msg *newmsg;
713	int error = -1;
714
715	/* receive message */
716	for (;;) {
717	if ((newmsg = pfkey_recv(so)) == NULL)
718	return -1;
719	if (newmsg->sadb_msg_type == SADB_REGISTER &&
720	newmsg->sadb_msg_pid == pid)
721	break;
722	free(newmsg);
723	}
724
725	/* check and fix */
726	newmsg->sadb_msg_len = PFKEY_UNUNIT64(newmsg->sadb_msg_len);
727
728	error = pfkey_set_supported(newmsg, newmsg->sadb_msg_len);
729	free(newmsg);
730
731	if (error == 0)
732	__ipsec_errcode = EIPSEC_NO_ERROR;
733
734	return error;
735	}
736
737	/*
738	* receiving SADB_REGISTER message from the kernel, and copy buffer for
739	* sadb_supported returned into ipsec_supported.
740	* NOTE: sadb_msg_len must be host order.
741	* IN:
742	* tlen: msg length, it's to makeing sure.
743	* OUT:
744	* 0: success and return length sent.
745	* -1: error occured, and set errno.
746	*/
747	int
748	pfkey_set_supported(msg, tlen)
749	struct sadb_msg *msg;
750	int tlen;
751	{
752	struct sadb_supported *sup;
753	caddr_t p;
754	caddr_t ep;
755
756	/* validity */
757	if (msg->sadb_msg_len != tlen) {
758	__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
759	return -1;
760	}
761
762	p = (caddr_t)msg;
763	ep = p + tlen;
764
765	p += sizeof(struct sadb_msg);
766
767	while (p < ep) {
768	sup = (struct sadb_supported *)p;
769	if (ep < p + sizeof(*sup) \|\|
770	PFKEY_EXTLEN(sup) < sizeof(*sup) \|\|
771	ep < p + sup->sadb_supported_len) {
772	/* invalid format */
773	break;
774	}
775
776	switch (sup->sadb_supported_exttype) {
777	case SADB_EXT_SUPPORTED_AUTH:
778	case SADB_EXT_SUPPORTED_ENCRYPT:
779	break;
780	default:
781	__ipsec_errcode = EIPSEC_INVAL_SATYPE;
782	return -1;
783	}
784
785	/* fixed length */
786	sup->sadb_supported_len = PFKEY_EXTLEN(sup);
787
788	/* set supported map */
789	if (setsupportedmap(sup) != 0)
790	return -1;
791
792	p += sup->sadb_supported_len;
793	}
794
795	if (p != ep) {
796	__ipsec_errcode = EIPSEC_INVAL_SATYPE;
797	return -1;
798	}
799
800	__ipsec_errcode = EIPSEC_NO_ERROR;
801
802	return 0;
803	}
804
805	/*
806	* sending SADB_FLUSH message to the kernel.
807	* OUT:
808	* positive: success and return length sent.
809	* -1 : error occured, and set errno.
810	*/
811	int
812	pfkey_send_flush(so, satype)
813	int so;
814	u_int satype;
815	{
816	int len;
817
818	if ((len = pfkey_send_x3(so, SADB_FLUSH, satype)) < 0)
819	return -1;
820
821	return len;
822	}
823
824	/*
825	* sending SADB_DUMP message to the kernel.
826	* OUT:
827	* positive: success and return length sent.
828	* -1 : error occured, and set errno.
829	*/
830	int
831	pfkey_send_dump(so, satype)
832	int so;
833	u_int satype;
834	{
835	int len;
836
837	if ((len = pfkey_send_x3(so, SADB_DUMP, satype)) < 0)
838	return -1;
839
840	return len;
841	}
842
843	/*
844	* sending SADB_X_PROMISC message to the kernel.
845	* NOTE that this function handles promisc mode toggle only.
846	* IN:
847	* flag: set promisc off if zero, set promisc on if non-zero.
848	* OUT:
849	* positive: success and return length sent.
850	* -1 : error occured, and set errno.
851	* 0 : error occured, and set errno.
852	* others: a pointer to new allocated buffer in which supported
853	* algorithms is.
854	*/
855	int
856	pfkey_send_promisc_toggle(so, flag)
857	int so;
858	int flag;
859	{
860	int len;
861
862	if ((len = pfkey_send_x3(so, SADB_X_PROMISC, (flag ? 1 : 0))) < 0)
863	return -1;
864
865	return len;
866	}
867
868	/*
869	* sending SADB_X_SPDADD message to the kernel.
870	* OUT:
871	* positive: success and return length sent.
872	* -1 : error occured, and set errno.
873	*/
874	int
875	pfkey_send_spdadd(so, src, prefs, dst, prefd, proto, policy, policylen, seq)
876	int so;
877	struct sockaddr src, dst;
878	u_int prefs, prefd, proto;
879	caddr_t policy;
880	int policylen;
881	u_int32_t seq;
882	{
883	int len;
884
885	if ((len = pfkey_send_x4(so, SADB_X_SPDADD,
886	src, prefs, dst, prefd, proto,
887	0, 0,
888	policy, policylen, seq)) < 0)
889	return -1;
890
891	return len;
892	}
893
894	/*
895	* sending SADB_X_SPDADD message to the kernel.
896	* OUT:
897	* positive: success and return length sent.
898	* -1 : error occured, and set errno.
899	*/
900	int
901	pfkey_send_spdadd2(so, src, prefs, dst, prefd, proto, ltime, vtime,
902	policy, policylen, seq)
903	int so;
904	struct sockaddr src, dst;
905	u_int prefs, prefd, proto;
906	u_int64_t ltime, vtime;
907	caddr_t policy;
908	int policylen;
909	u_int32_t seq;
910	{
911	int len;
912
913	if ((len = pfkey_send_x4(so, SADB_X_SPDADD,
914	src, prefs, dst, prefd, proto,
915	ltime, vtime,
916	policy, policylen, seq)) < 0)
917	return -1;
918
919	return len;
920	}
921
922	/*
923	* sending SADB_X_SPDUPDATE message to the kernel.
924	* OUT:
925	* positive: success and return length sent.
926	* -1 : error occured, and set errno.
927	*/
928	int
929	pfkey_send_spdupdate(so, src, prefs, dst, prefd, proto, policy, policylen, seq)
930	int so;
931	struct sockaddr src, dst;
932	u_int prefs, prefd, proto;
933	caddr_t policy;
934	int policylen;
935	u_int32_t seq;
936	{
937	int len;
938
939	if ((len = pfkey_send_x4(so, SADB_X_SPDUPDATE,
940	src, prefs, dst, prefd, proto,
941	0, 0,
942	policy, policylen, seq)) < 0)
943	return -1;
944
945	return len;
946	}
947
948	/*
949	* sending SADB_X_SPDUPDATE message to the kernel.
950	* OUT:
951	* positive: success and return length sent.
952	* -1 : error occured, and set errno.
953	*/
954	int
955	pfkey_send_spdupdate2(so, src, prefs, dst, prefd, proto, ltime, vtime,
956	policy, policylen, seq)
957	int so;
958	struct sockaddr src, dst;
959	u_int prefs, prefd, proto;
960	u_int64_t ltime, vtime;
961	caddr_t policy;
962	int policylen;
963	u_int32_t seq;
964	{
965	int len;
966
967	if ((len = pfkey_send_x4(so, SADB_X_SPDUPDATE,
968	src, prefs, dst, prefd, proto,
969	ltime, vtime,
970	policy, policylen, seq)) < 0)
971	return -1;
972
973	return len;
974	}
975
976	/*
977	* sending SADB_X_SPDDELETE message to the kernel.
978	* OUT:
979	* positive: success and return length sent.
980	* -1 : error occured, and set errno.
981	*/
982	int
983	pfkey_send_spddelete(so, src, prefs, dst, prefd, proto, policy, policylen, seq)
984	int so;
985	struct sockaddr src, dst;
986	u_int prefs, prefd, proto;
987	caddr_t policy;
988	int policylen;
989	u_int32_t seq;
990	{
991	int len;
992
993	if (policylen != sizeof(struct sadb_x_policy)) {
994	__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
995	return -1;
996	}
997
998	if ((len = pfkey_send_x4(so, SADB_X_SPDDELETE,
999	src, prefs, dst, prefd, proto,
1000	0, 0,
1001	policy, policylen, seq)) < 0)
1002	return -1;
1003
1004	return len;
1005	}
1006
1007	/*
1008	* sending SADB_X_SPDDELETE message to the kernel.
1009	* OUT:
1010	* positive: success and return length sent.
1011	* -1 : error occured, and set errno.
1012	*/
1013	int
1014	pfkey_send_spddelete2(so, spid)
1015	int so;
1016	u_int32_t spid;
1017	{
1018	int len;
1019
1020	if ((len = pfkey_send_x5(so, SADB_X_SPDDELETE2, spid)) < 0)
1021	return -1;
1022
1023	return len;
1024	}
1025
1026	/*
1027	* sending SADB_X_SPDGET message to the kernel.
1028	* OUT:
1029	* positive: success and return length sent.
1030	* -1 : error occured, and set errno.
1031	*/
1032	int
1033	pfkey_send_spdget(so, spid)
1034	int so;
1035	u_int32_t spid;
1036	{
1037	int len;
1038
1039	if ((len = pfkey_send_x5(so, SADB_X_SPDGET, spid)) < 0)
1040	return -1;
1041
1042	return len;
1043	}
1044
1045	/*
1046	* sending SADB_X_SPDSETIDX message to the kernel.
1047	* OUT:
1048	* positive: success and return length sent.
1049	* -1 : error occured, and set errno.
1050	*/
1051	int
1052	pfkey_send_spdsetidx(so, src, prefs, dst, prefd, proto, policy, policylen, seq)
1053	int so;
1054	struct sockaddr src, dst;
1055	u_int prefs, prefd, proto;
1056	caddr_t policy;
1057	int policylen;
1058	u_int32_t seq;
1059	{
1060	int len;
1061
1062	if (policylen != sizeof(struct sadb_x_policy)) {
1063	__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
1064	return -1;
1065	}
1066
1067	if ((len = pfkey_send_x4(so, SADB_X_SPDSETIDX,
1068	src, prefs, dst, prefd, proto,
1069	0, 0,
1070	policy, policylen, seq)) < 0)
1071	return -1;
1072
1073	return len;
1074	}
1075
1076	/*
1077	* sending SADB_SPDFLUSH message to the kernel.
1078	* OUT:
1079	* positive: success and return length sent.
1080	* -1 : error occured, and set errno.
1081	*/
1082	int
1083	pfkey_send_spdflush(so)
1084	int so;
1085	{
1086	int len;
1087
1088	if ((len = pfkey_send_x3(so, SADB_X_SPDFLUSH, SADB_SATYPE_UNSPEC)) < 0)
1089	return -1;
1090
1091	return len;
1092	}
1093
1094	/*
1095	* sending SADB_SPDDUMP message to the kernel.
1096	* OUT:
1097	* positive: success and return length sent.
1098	* -1 : error occured, and set errno.
1099	*/
1100	int
1101	pfkey_send_spddump(so)
1102	int so;
1103	{
1104	int len;
1105
1106	if ((len = pfkey_send_x3(so, SADB_X_SPDDUMP, SADB_SATYPE_UNSPEC)) < 0)
1107	return -1;
1108
1109	return len;
1110	}
1111
1112	/* sending SADB_ADD or SADB_UPDATE message to the kernel */
1113	static int
1114	pfkey_send_x1(so, type, satype, mode, src, dst, spi, reqid, wsize,
1115	keymat, e_type, e_keylen, a_type, a_keylen, flags,
1116	l_alloc, l_bytes, l_addtime, l_usetime, seq)
1117	int so;
1118	u_int type, satype, mode;
1119	struct sockaddr src, dst;
1120	u_int32_t spi, reqid;
1121	u_int wsize;
1122	caddr_t keymat;
1123	u_int e_type, e_keylen, a_type, a_keylen, flags;
1124	u_int32_t l_alloc, l_bytes, l_addtime, l_usetime, seq;
1125	{
1126	struct sadb_msg *newmsg;
1127	int len;
1128	caddr_t p;
1129	int plen;
1130	caddr_t ep;
1131
1132	/* validity check */
1133	if (src == NULL \|\| dst == NULL) {
1134	__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
1135	return -1;
1136	}
1137	if (src->sa_family != dst->sa_family) {
1138	__ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
1139	return -1;
1140	}
1141	switch (src->sa_family) {
1142	case AF_INET:
1143	plen = sizeof(struct in_addr) << 3;
1144	break;
1145	case AF_INET6:
1146	plen = sizeof(struct in6_addr) << 3;
1147	break;
1148	default:
1149	__ipsec_errcode = EIPSEC_INVAL_FAMILY;
1150	return -1;
1151	}
1152
1153	switch (satype) {
1154	case SADB_SATYPE_ESP:
1155	if (e_type == SADB_EALG_NONE) {
1156	__ipsec_errcode = EIPSEC_NO_ALGS;
1157	return -1;
1158	}
1159	break;
1160	case SADB_SATYPE_AH:
1161	if (e_type != SADB_EALG_NONE) {
1162	__ipsec_errcode = EIPSEC_INVAL_ALGS;
1163	return -1;
1164	}
1165	if (a_type == SADB_AALG_NONE) {
1166	__ipsec_errcode = EIPSEC_NO_ALGS;
1167	return -1;
1168	}
1169	break;
1170	case SADB_X_SATYPE_IPCOMP:
1171	if (e_type == SADB_X_CALG_NONE) {
1172	__ipsec_errcode = EIPSEC_INVAL_ALGS;
1173	return -1;
1174	}
1175	if (a_type != SADB_AALG_NONE) {
1176	__ipsec_errcode = EIPSEC_NO_ALGS;
1177	return -1;
1178	}
1179	break;
1180	case SADB_X_SATYPE_TCPSIGNATURE:
1181	if (e_type != SADB_EALG_NONE) {
1182	__ipsec_errcode = EIPSEC_INVAL_ALGS;
1183	return -1;
1184	}
1185	if (a_type != SADB_X_AALG_TCP_MD5) {
1186	__ipsec_errcode = EIPSEC_INVAL_ALGS;
1187	return -1;
1188	}
1189	break;
1190	default:
1191	__ipsec_errcode = EIPSEC_INVAL_SATYPE;
1192	return -1;
1193	}
1194
1195	/* create new sadb_msg to reply. */
1196	len = sizeof(struct sadb_msg)
1197	+ sizeof(struct sadb_sa)
1198	+ sizeof(struct sadb_x_sa2)
1199	+ sizeof(struct sadb_address)
1200	+ PFKEY_ALIGN8(src->sa_len)
1201	+ sizeof(struct sadb_address)
1202	+ PFKEY_ALIGN8(dst->sa_len)
1203	+ sizeof(struct sadb_lifetime)
1204	+ sizeof(struct sadb_lifetime);
1205
1206	if (e_type != SADB_EALG_NONE)
1207	len += (sizeof(struct sadb_key) + PFKEY_ALIGN8(e_keylen));
1208	if (a_type != SADB_AALG_NONE)
1209	len += (sizeof(struct sadb_key) + PFKEY_ALIGN8(a_keylen));
1210
1211	if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
1212	__ipsec_set_strerror(strerror(errno));
1213	return -1;
1214	}
1215	ep = ((caddr_t)newmsg) + len;
1216
1217	p = pfkey_setsadbmsg((caddr_t)newmsg, ep, type, len,
1218	satype, seq, getpid());
1219	if (!p) {
1220	free(newmsg);
1221	return -1;
1222	}
1223	p = pfkey_setsadbsa(p, ep, spi, wsize, a_type, e_type, flags);
1224	if (!p) {
1225	free(newmsg);
1226	return -1;
1227	}
1228	p = pfkey_setsadbxsa2(p, ep, mode, reqid);
1229	if (!p) {
1230	free(newmsg);
1231	return -1;
1232	}
1233	p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, plen,
1234	IPSEC_ULPROTO_ANY);
1235	if (!p) {
1236	free(newmsg);
1237	return -1;
1238	}
1239	p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, plen,
1240	IPSEC_ULPROTO_ANY);
1241	if (!p) {
1242	free(newmsg);
1243	return -1;
1244	}
1245
1246	if (e_type != SADB_EALG_NONE) {
1247	p = pfkey_setsadbkey(p, ep, SADB_EXT_KEY_ENCRYPT,
1248	keymat, e_keylen);
1249	if (!p) {
1250	free(newmsg);
1251	return -1;
1252	}
1253	}
1254	if (a_type != SADB_AALG_NONE) {
1255	p = pfkey_setsadbkey(p, ep, SADB_EXT_KEY_AUTH,
1256	keymat + e_keylen, a_keylen);
1257	if (!p) {
1258	free(newmsg);
1259	return -1;
1260	}
1261	}
1262
1263	/* set sadb_lifetime for destination */
1264	p = pfkey_setsadblifetime(p, ep, SADB_EXT_LIFETIME_HARD,
1265	l_alloc, l_bytes, l_addtime, l_usetime);
1266	if (!p) {
1267	free(newmsg);
1268	return -1;
1269	}
1270	p = pfkey_setsadblifetime(p, ep, SADB_EXT_LIFETIME_SOFT,
1271	l_alloc, l_bytes, l_addtime, l_usetime);
1272	if (!p \|\| p != ep) {
1273	free(newmsg);
1274	return -1;
1275	}
1276
1277	/* send message */
1278	len = pfkey_send(so, newmsg, len);
1279	free(newmsg);
1280
1281	if (len < 0)
1282	return -1;
1283
1284	__ipsec_errcode = EIPSEC_NO_ERROR;
1285	return len;
1286	}
1287
1288	/* sending SADB_DELETE or SADB_GET message to the kernel */
1289	static int
1290	pfkey_send_x2(so, type, satype, mode, src, dst, spi)
1291	int so;
1292	u_int type, satype, mode;
1293	struct sockaddr src, dst;
1294	u_int32_t spi;
1295	{
1296	struct sadb_msg *newmsg;
1297	int len;
1298	caddr_t p;
1299	int plen;
1300	caddr_t ep;
1301
1302	/* validity check */
1303	if (src == NULL \|\| dst == NULL) {
1304	__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
1305	return -1;
1306	}
1307	if (src->sa_family != dst->sa_family) {
1308	__ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
1309	return -1;
1310	}
1311	switch (src->sa_family) {
1312	case AF_INET:
1313	plen = sizeof(struct in_addr) << 3;
1314	break;
1315	case AF_INET6:
1316	plen = sizeof(struct in6_addr) << 3;
1317	break;
1318	default:
1319	__ipsec_errcode = EIPSEC_INVAL_FAMILY;
1320	return -1;
1321	}
1322
1323	/* create new sadb_msg to reply. */
1324	len = sizeof(struct sadb_msg)
1325	+ sizeof(struct sadb_sa)
1326	+ sizeof(struct sadb_address)
1327	+ PFKEY_ALIGN8(src->sa_len)
1328	+ sizeof(struct sadb_address)
1329	+ PFKEY_ALIGN8(dst->sa_len);
1330
1331	if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
1332	__ipsec_set_strerror(strerror(errno));
1333	return -1;
1334	}
1335	ep = ((caddr_t)newmsg) + len;
1336
1337	p = pfkey_setsadbmsg((caddr_t)newmsg, ep, type, len, satype, 0,
1338	getpid());
1339	if (!p) {
1340	free(newmsg);
1341	return -1;
1342	}
1343	p = pfkey_setsadbsa(p, ep, spi, 0, 0, 0, 0);
1344	if (!p) {
1345	free(newmsg);
1346	return -1;
1347	}
1348	p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, plen,
1349	IPSEC_ULPROTO_ANY);
1350	if (!p) {
1351	free(newmsg);
1352	return -1;
1353	}
1354	p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, plen,
1355	IPSEC_ULPROTO_ANY);
1356	if (!p \|\| p != ep) {
1357	free(newmsg);
1358	return -1;
1359	}
1360
1361	/* send message */
1362	len = pfkey_send(so, newmsg, len);
1363	free(newmsg);
1364
1365	if (len < 0)
1366	return -1;
1367
1368	__ipsec_errcode = EIPSEC_NO_ERROR;
1369	return len;
1370	}
1371
1372	/*
1373	* sending SADB_REGISTER, SADB_FLUSH, SADB_DUMP or SADB_X_PROMISC message
1374	* to the kernel
1375	*/
1376	static int
1377	pfkey_send_x3(so, type, satype)
1378	int so;
1379	u_int type, satype;
1380	{
1381	struct sadb_msg *newmsg;
1382	int len;
1383	caddr_t p;
1384	caddr_t ep;
1385
1386	/* validity check */
1387	switch (type) {
1388	case SADB_X_PROMISC:
1389	if (satype != 0 && satype != 1) {
1390	__ipsec_errcode = EIPSEC_INVAL_SATYPE;
1391	return -1;
1392	}
1393	break;
1394	default:
1395	switch (satype) {
1396	case SADB_SATYPE_UNSPEC:
1397	case SADB_SATYPE_AH:
1398	case SADB_SATYPE_ESP:
1399	case SADB_X_SATYPE_IPCOMP:
1400	case SADB_X_SATYPE_TCPSIGNATURE:
1401	break;
1402	default:
1403	__ipsec_errcode = EIPSEC_INVAL_SATYPE;
1404	return -1;
1405	}
1406	}
1407
1408	/* create new sadb_msg to send. */
1409	len = sizeof(struct sadb_msg);
1410
1411	if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
1412	__ipsec_set_strerror(strerror(errno));
1413	return -1;
1414	}
1415	ep = ((caddr_t)newmsg) + len;
1416
1417	p = pfkey_setsadbmsg((caddr_t)newmsg, ep, type, len, satype, 0,
1418	getpid());
1419	if (!p \|\| p != ep) {
1420	free(newmsg);
1421	return -1;
1422	}
1423
1424	/* send message */
1425	len = pfkey_send(so, newmsg, len);
1426	free(newmsg);
1427
1428	if (len < 0)
1429	return -1;
1430
1431	__ipsec_errcode = EIPSEC_NO_ERROR;
1432	return len;
1433	}
1434
1435	/* sending SADB_X_SPDADD message to the kernel */
1436	static int
1437	pfkey_send_x4(so, type, src, prefs, dst, prefd, proto,
1438	ltime, vtime, policy, policylen, seq)
1439	int so;
1440	struct sockaddr src, dst;
1441	u_int type, prefs, prefd, proto;
1442	u_int64_t ltime, vtime;
1443	char *policy;
1444	int policylen;
1445	u_int32_t seq;
1446	{
1447	struct sadb_msg *newmsg;
1448	int len;
1449	caddr_t p;
1450	int plen;
1451	caddr_t ep;
1452
1453	/* validity check */
1454	if (src == NULL \|\| dst == NULL) {
1455	__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
1456	return -1;
1457	}
1458	if (src->sa_family != dst->sa_family) {
1459	__ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
1460	return -1;
1461	}
1462
1463	switch (src->sa_family) {
1464	case AF_INET:
1465	plen = sizeof(struct in_addr) << 3;
1466	break;
1467	case AF_INET6:
1468	plen = sizeof(struct in6_addr) << 3;
1469	break;
1470	default:
1471	__ipsec_errcode = EIPSEC_INVAL_FAMILY;
1472	return -1;
1473	}
1474	if (prefs > plen \|\| prefd > plen) {
1475	__ipsec_errcode = EIPSEC_INVAL_PREFIXLEN;
1476	return -1;
1477	}
1478
1479	/* create new sadb_msg to reply. */
1480	len = sizeof(struct sadb_msg)
1481	+ sizeof(struct sadb_address)
1482	+ PFKEY_ALIGN8(src->sa_len)
1483	+ sizeof(struct sadb_address)
1484	+ PFKEY_ALIGN8(src->sa_len)
1485	+ sizeof(struct sadb_lifetime)
1486	+ policylen;
1487
1488	if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
1489	__ipsec_set_strerror(strerror(errno));
1490	return -1;
1491	}
1492	ep = ((caddr_t)newmsg) + len;
1493
1494	p = pfkey_setsadbmsg((caddr_t)newmsg, ep, type, len,
1495	SADB_SATYPE_UNSPEC, seq, getpid());
1496	if (!p) {
1497	free(newmsg);
1498	return -1;
1499	}
1500	p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, prefs, proto);
1501	if (!p) {
1502	free(newmsg);
1503	return -1;
1504	}
1505	p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, prefd, proto);
1506	if (!p) {
1507	free(newmsg);
1508	return -1;
1509	}
1510	p = pfkey_setsadblifetime(p, ep, SADB_EXT_LIFETIME_HARD,
1511	0, 0, ltime, vtime);
1512	if (!p \|\| p + policylen != ep) {
1513	free(newmsg);
1514	return -1;
1515	}
1516	memcpy(p, policy, policylen);
1517
1518	/* send message */
1519	len = pfkey_send(so, newmsg, len);
1520	free(newmsg);
1521
1522	if (len < 0)
1523	return -1;
1524
1525	__ipsec_errcode = EIPSEC_NO_ERROR;
1526	return len;
1527	}
1528
1529	/* sending SADB_X_SPDGET or SADB_X_SPDDELETE message to the kernel */
1530	static int
1531	pfkey_send_x5(so, type, spid)
1532	int so;
1533	u_int type;
1534	u_int32_t spid;
1535	{
1536	struct sadb_msg *newmsg;
1537	struct sadb_x_policy xpl;
1538	int len;
1539	caddr_t p;
1540	caddr_t ep;
1541
1542	/* create new sadb_msg to reply. */
1543	len = sizeof(struct sadb_msg)
1544	+ sizeof(xpl);
1545
1546	if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
1547	__ipsec_set_strerror(strerror(errno));
1548	return -1;
1549	}
1550	ep = ((caddr_t)newmsg) + len;
1551
1552	p = pfkey_setsadbmsg((caddr_t)newmsg, ep, type, len,
1553	SADB_SATYPE_UNSPEC, 0, getpid());
1554	if (!p) {
1555	free(newmsg);
1556	return -1;
1557	}
1558
1559	if (p + sizeof(xpl) != ep) {
1560	free(newmsg);
1561	return -1;
1562	}
1563	memset(&xpl, 0, sizeof(xpl));
1564	xpl.sadb_x_policy_len = PFKEY_UNIT64(sizeof(xpl));
1565	xpl.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
1566	xpl.sadb_x_policy_id = spid;
1567	memcpy(p, &xpl, sizeof(xpl));
1568
1569	/* send message */
1570	len = pfkey_send(so, newmsg, len);
1571	free(newmsg);
1572
1573	if (len < 0)
1574	return -1;
1575
1576	__ipsec_errcode = EIPSEC_NO_ERROR;
1577	return len;
1578	}
1579
1580	/*
1581	* open a socket.
1582	* OUT:
1583	* -1: fail.
1584	* others : success and return value of socket.
1585	*/
1586	int
1587	pfkey_open()
1588	{
1589	int so;
1590	const int bufsiz = 128 * 1024; /is 128K enough?/
1591
1592	if ((so = socket(PF_KEY, SOCK_RAW, PF_KEY_V2)) < 0) {
1593	__ipsec_set_strerror(strerror(errno));
1594	return -1;
1595	}
1596
1597	/*
1598	* This is a temporary workaround for KAME PR 154.
1599	* Don't really care even if it fails.
1600	*/
1601	(void)setsockopt(so, SOL_SOCKET, SO_SNDBUF, &bufsiz, sizeof(bufsiz));
1602	(void)setsockopt(so, SOL_SOCKET, SO_RCVBUF, &bufsiz, sizeof(bufsiz));
1603
1604	__ipsec_errcode = EIPSEC_NO_ERROR;
1605	return so;
1606	}
1607
1608	/*
1609	* close a socket.
1610	* OUT:
1611	* 0: success.
1612	* -1: fail.
1613	*/
1614	void
1615	pfkey_close(so)
1616	int so;
1617	{
1618	(void)close(so);
1619
1620	__ipsec_errcode = EIPSEC_NO_ERROR;
1621	return;
1622	}
1623
1624	/*
1625	* receive sadb_msg data, and return pointer to new buffer allocated.
1626	* Must free this buffer later.
1627	* OUT:
1628	* NULL : error occured.
1629	* others : a pointer to sadb_msg structure.
1630	*
1631	* XXX should be rewritten to pass length explicitly
1632	*/
1633	struct sadb_msg *
1634	pfkey_recv(so)
1635	int so;
1636	{
1637	struct sadb_msg buf, *newmsg;
1638	int len, reallen;
1639
1640	while ((len = recv(so, (caddr_t)&buf, sizeof(buf), MSG_PEEK)) < 0) {
1641	if (errno == EINTR)
1642	continue;
1643	__ipsec_set_strerror(strerror(errno));
1644	return NULL;
1645	}
1646
1647	if (len < sizeof(buf)) {
1648	recv(so, (caddr_t)&buf, sizeof(buf), 0);
1649	__ipsec_errcode = EIPSEC_MAX;
1650	return NULL;
1651	}
1652
1653	/* read real message */
1654	reallen = PFKEY_UNUNIT64(buf.sadb_msg_len);
1655	if ((newmsg = CALLOC(reallen, struct sadb_msg *)) == 0) {
1656	__ipsec_set_strerror(strerror(errno));
1657	return NULL;
1658	}
1659
1660	while ((len = recv(so, (caddr_t)newmsg, reallen, 0)) < 0) {
1661	if (errno == EINTR)
1662	continue;
1663	__ipsec_set_strerror(strerror(errno));
1664	free(newmsg);
1665	return NULL;
1666	}
1667
1668	if (len != reallen) {
1669	__ipsec_errcode = EIPSEC_SYSTEM_ERROR;
1670	free(newmsg);
1671	return NULL;
1672	}
1673
1674	/* don't trust what the kernel says, validate! */
1675	if (PFKEY_UNUNIT64(newmsg->sadb_msg_len) != len) {
1676	__ipsec_errcode = EIPSEC_SYSTEM_ERROR;
1677	free(newmsg);
1678	return NULL;
1679	}
1680
1681	__ipsec_errcode = EIPSEC_NO_ERROR;
1682	return newmsg;
1683	}
1684
1685	/*
1686	* send message to a socket.
1687	* OUT:
1688	* others: success and return length sent.
1689	* -1 : fail.
1690	*/
1691	int
1692	pfkey_send(so, msg, len)
1693	int so;
1694	struct sadb_msg *msg;
1695	int len;
1696	{
1697	if ((len = send(so, (caddr_t)msg, len, 0)) < 0) {
1698	__ipsec_set_strerror(strerror(errno));
1699	return -1;
1700	}
1701
1702	__ipsec_errcode = EIPSEC_NO_ERROR;
1703	return len;
1704	}
1705
1706	/*
1707	* %%% Utilities
1708	* NOTE: These functions are derived from netkey/key.c in KAME.
1709	*/
1710	/*
1711	* set the pointer to each header in this message buffer.
1712	* IN: msg: pointer to message buffer.
1713	* mhp: pointer to the buffer initialized like below:
1714	* caddr_t mhp[SADB_EXT_MAX + 1];
1715	* OUT: -1: invalid.
1716	* 0: valid.
1717	*
1718	* XXX should be rewritten to obtain length explicitly
1719	*/
1720	int
1721	pfkey_align(msg, mhp)
1722	struct sadb_msg *msg;
1723	caddr_t *mhp;
1724	{
1725	struct sadb_ext *ext;
1726	int i;
1727	caddr_t p;
1728	caddr_t ep; /* XXX should be passed from upper layer */
1729
1730	/* validity check */
1731	if (msg == NULL \|\| mhp == NULL) {
1732	__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
1733	return -1;
1734	}
1735
1736	/* initialize */
1737	for (i = 0; i < SADB_EXT_MAX + 1; i++)
1738	mhp[i] = NULL;
1739
1740	mhp[0] = (caddr_t)msg;
1741
1742	/* initialize */
1743	p = (caddr_t) msg;
1744	ep = p + PFKEY_UNUNIT64(msg->sadb_msg_len);
1745
1746	/* skip base header */
1747	p += sizeof(struct sadb_msg);
1748
1749	while (p < ep) {
1750	ext = (struct sadb_ext *)p;
1751	if (ep < p + sizeof(ext) \|\| PFKEY_EXTLEN(ext) < sizeof(ext) \|\|
1752	ep < p + PFKEY_EXTLEN(ext)) {
1753	/* invalid format */
1754	break;
1755	}
1756
1757	/* duplicate check */
1758	/* XXX Are there duplication either KEY_AUTH or KEY_ENCRYPT ?*/
1759	if (mhp[ext->sadb_ext_type] != NULL) {
1760	__ipsec_errcode = EIPSEC_INVAL_EXTTYPE;
1761	return -1;
1762	}
1763
1764	/* set pointer */
1765	switch (ext->sadb_ext_type) {
1766	case SADB_EXT_SA:
1767	case SADB_EXT_LIFETIME_CURRENT:
1768	case SADB_EXT_LIFETIME_HARD:
1769	case SADB_EXT_LIFETIME_SOFT:
1770	case SADB_EXT_ADDRESS_SRC:
1771	case SADB_EXT_ADDRESS_DST:
1772	case SADB_EXT_ADDRESS_PROXY:
1773	case SADB_EXT_KEY_AUTH:
1774	/* XXX should to be check weak keys. */
1775	case SADB_EXT_KEY_ENCRYPT:
1776	/* XXX should to be check weak keys. */
1777	case SADB_EXT_IDENTITY_SRC:
1778	case SADB_EXT_IDENTITY_DST:
1779	case SADB_EXT_SENSITIVITY:
1780	case SADB_EXT_PROPOSAL:
1781	case SADB_EXT_SUPPORTED_AUTH:
1782	case SADB_EXT_SUPPORTED_ENCRYPT:
1783	case SADB_EXT_SPIRANGE:
1784	case SADB_X_EXT_POLICY:
1785	case SADB_X_EXT_SA2:
1786	mhp[ext->sadb_ext_type] = (caddr_t)ext;
1787	break;
1788	default:
1789	__ipsec_errcode = EIPSEC_INVAL_EXTTYPE;
1790	return -1;
1791	}
1792
1793	p += PFKEY_EXTLEN(ext);
1794	}
1795
1796	if (p != ep) {
1797	__ipsec_errcode = EIPSEC_INVAL_SADBMSG;
1798	return -1;
1799	}
1800
1801	__ipsec_errcode = EIPSEC_NO_ERROR;
1802	return 0;
1803	}
1804
1805	/*
1806	* check basic usage for sadb_msg,
1807	* NOTE: This routine is derived from netkey/key.c in KAME.
1808	* IN: msg: pointer to message buffer.
1809	* mhp: pointer to the buffer initialized like below:
1810	*
1811	* caddr_t mhp[SADB_EXT_MAX + 1];
1812	*
1813	* OUT: -1: invalid.
1814	* 0: valid.
1815	*/
1816	int
1817	pfkey_check(mhp)
1818	caddr_t *mhp;
1819	{
1820	struct sadb_msg *msg;
1821
1822	/* validity check */
1823	if (mhp == NULL \|\| mhp[0] == NULL) {
1824	__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
1825	return -1;
1826	}
1827
1828	msg = (struct sadb_msg *)mhp[0];
1829
1830	/* check version */
1831	if (msg->sadb_msg_version != PF_KEY_V2) {
1832	__ipsec_errcode = EIPSEC_INVAL_VERSION;
1833	return -1;
1834	}
1835
1836	/* check type */
1837	if (msg->sadb_msg_type > SADB_MAX) {
1838	__ipsec_errcode = EIPSEC_INVAL_MSGTYPE;
1839	return -1;
1840	}
1841
1842	/* check SA type */
1843	switch (msg->sadb_msg_satype) {
1844	case SADB_SATYPE_UNSPEC:
1845	switch (msg->sadb_msg_type) {
1846	case SADB_GETSPI:
1847	case SADB_UPDATE:
1848	case SADB_ADD:
1849	case SADB_DELETE:
1850	case SADB_GET:
1851	case SADB_ACQUIRE:
1852	case SADB_EXPIRE:
1853	__ipsec_errcode = EIPSEC_INVAL_SATYPE;
1854	return -1;
1855	}
1856	break;
1857	case SADB_SATYPE_ESP:
1858	case SADB_SATYPE_AH:
1859	case SADB_X_SATYPE_IPCOMP:
1860	case SADB_X_SATYPE_TCPSIGNATURE:
1861	switch (msg->sadb_msg_type) {
1862	case SADB_X_SPDADD:
1863	case SADB_X_SPDDELETE:
1864	case SADB_X_SPDGET:
1865	case SADB_X_SPDDUMP:
1866	case SADB_X_SPDFLUSH:
1867	__ipsec_errcode = EIPSEC_INVAL_SATYPE;
1868	return -1;
1869	}
1870	break;
1871	case SADB_SATYPE_RSVP:
1872	case SADB_SATYPE_OSPFV2:
1873	case SADB_SATYPE_RIPV2:
1874	case SADB_SATYPE_MIP:
1875	__ipsec_errcode = EIPSEC_NOT_SUPPORTED;
1876	return -1;
1877	case 1: /* XXX: What does it do ? */
1878	if (msg->sadb_msg_type == SADB_X_PROMISC)
1879	break;
1880	/FALLTHROUGH/
1881	default:
1882	__ipsec_errcode = EIPSEC_INVAL_SATYPE;
1883	return -1;
1884	}
1885
1886	/* check field of upper layer protocol and address family */
1887	if (mhp[SADB_EXT_ADDRESS_SRC] != NULL
1888	&& mhp[SADB_EXT_ADDRESS_DST] != NULL) {
1889	struct sadb_address src0, dst0;
1890
1891	src0 = (struct sadb_address *)(mhp[SADB_EXT_ADDRESS_SRC]);
1892	dst0 = (struct sadb_address *)(mhp[SADB_EXT_ADDRESS_DST]);
1893
1894	if (src0->sadb_address_proto != dst0->sadb_address_proto) {
1895	__ipsec_errcode = EIPSEC_PROTO_MISMATCH;
1896	return -1;
1897	}
1898
1899	if (PFKEY_ADDR_SADDR(src0)->sa_family
1900	!= PFKEY_ADDR_SADDR(dst0)->sa_family) {
1901	__ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
1902	return -1;
1903	}
1904
1905	switch (PFKEY_ADDR_SADDR(src0)->sa_family) {
1906	case AF_INET:
1907	case AF_INET6:
1908	break;
1909	default:
1910	__ipsec_errcode = EIPSEC_INVAL_FAMILY;
1911	return -1;
1912	}
1913
1914	/*
1915	* prefixlen == 0 is valid because there must be the case
1916	* all addresses are matched.
1917	*/
1918	}
1919
1920	__ipsec_errcode = EIPSEC_NO_ERROR;
1921	return 0;
1922	}
1923
1924	/*
1925	* set data into sadb_msg.
1926	* `buf' must has been allocated sufficiently.
1927	*/
1928	static caddr_t
1929	pfkey_setsadbmsg(buf, lim, type, tlen, satype, seq, pid)
1930	caddr_t buf;
1931	caddr_t lim;
1932	u_int type, satype;
1933	u_int tlen;
1934	u_int32_t seq;
1935	pid_t pid;
1936	{
1937	struct sadb_msg *p;
1938	u_int len;
1939
1940	p = (struct sadb_msg *)buf;
1941	len = sizeof(struct sadb_msg);
1942
1943	if (buf + len > lim)
1944	return NULL;
1945
1946	memset(p, 0, len);
1947	p->sadb_msg_version = PF_KEY_V2;
1948	p->sadb_msg_type = type;
1949	p->sadb_msg_errno = 0;
1950	p->sadb_msg_satype = satype;
1951	p->sadb_msg_len = PFKEY_UNIT64(tlen);
1952	p->sadb_msg_reserved = 0;
1953	p->sadb_msg_seq = seq;
1954	p->sadb_msg_pid = (u_int32_t)pid;
1955
1956	return(buf + len);
1957	}
1958
1959	/*
1960	* copy secasvar data into sadb_address.
1961	* `buf' must has been allocated sufficiently.
1962	*/
1963	static caddr_t
1964	pfkey_setsadbsa(buf, lim, spi, wsize, auth, enc, flags)
1965	caddr_t buf;
1966	caddr_t lim;
1967	u_int32_t spi, flags;
1968	u_int wsize, auth, enc;
1969	{
1970	struct sadb_sa *p;
1971	u_int len;
1972
1973	p = (struct sadb_sa *)buf;
1974	len = sizeof(struct sadb_sa);
1975
1976	if (buf + len > lim)
1977	return NULL;
1978
1979	memset(p, 0, len);
1980	p->sadb_sa_len = PFKEY_UNIT64(len);
1981	p->sadb_sa_exttype = SADB_EXT_SA;
1982	p->sadb_sa_spi = spi;
1983	p->sadb_sa_replay = wsize;
1984	p->sadb_sa_state = SADB_SASTATE_LARVAL;
1985	p->sadb_sa_auth = auth;
1986	p->sadb_sa_encrypt = enc;
1987	p->sadb_sa_flags = flags;
1988
1989	return(buf + len);
1990	}
1991
1992	/*
1993	* set data into sadb_address.
1994	* `buf' must has been allocated sufficiently.
1995	* prefixlen is in bits.
1996	*/
1997	static caddr_t
1998	pfkey_setsadbaddr(buf, lim, exttype, saddr, prefixlen, ul_proto)
1999	caddr_t buf;
2000	caddr_t lim;
2001	u_int exttype;
2002	struct sockaddr *saddr;
2003	u_int prefixlen;
2004	u_int ul_proto;
2005	{
2006	struct sadb_address *p;
2007	u_int len;
2008
2009	p = (struct sadb_address *)buf;
2010	len = sizeof(struct sadb_address) + PFKEY_ALIGN8(saddr->sa_len);
2011
2012	if (buf + len > lim)
2013	return NULL;
2014
2015	memset(p, 0, len);
2016	p->sadb_address_len = PFKEY_UNIT64(len);
2017	p->sadb_address_exttype = exttype & 0xffff;
2018	p->sadb_address_proto = ul_proto & 0xff;
2019	p->sadb_address_prefixlen = prefixlen;
2020	p->sadb_address_reserved = 0;
2021
2022	memcpy(p + 1, saddr, saddr->sa_len);
2023
2024	return(buf + len);
2025	}
2026
2027	/*
2028	* set sadb_key structure after clearing buffer with zero.
2029	* OUT: the pointer of buf + len.
2030	*/
2031	static caddr_t
2032	pfkey_setsadbkey(buf, lim, type, key, keylen)
2033	caddr_t buf;
2034	caddr_t lim;
2035	caddr_t key;
2036	u_int type, keylen;
2037	{
2038	struct sadb_key *p;
2039	u_int len;
2040
2041	p = (struct sadb_key *)buf;
2042	len = sizeof(struct sadb_key) + PFKEY_ALIGN8(keylen);
2043
2044	if (buf + len > lim)
2045	return NULL;
2046
2047	memset(p, 0, len);
2048	p->sadb_key_len = PFKEY_UNIT64(len);
2049	p->sadb_key_exttype = type;
2050	p->sadb_key_bits = keylen << 3;
2051	p->sadb_key_reserved = 0;
2052
2053	memcpy(p + 1, key, keylen);
2054
2055	return buf + len;
2056	}
2057
2058	/*
2059	* set sadb_lifetime structure after clearing buffer with zero.
2060	* OUT: the pointer of buf + len.
2061	*/
2062	static caddr_t
2063	pfkey_setsadblifetime(buf, lim, type, l_alloc, l_bytes, l_addtime, l_usetime)
2064	caddr_t buf;
2065	caddr_t lim;
2066	u_int type;
2067	u_int32_t l_alloc, l_bytes, l_addtime, l_usetime;
2068	{
2069	struct sadb_lifetime *p;
2070	u_int len;
2071
2072	p = (struct sadb_lifetime *)buf;
2073	len = sizeof(struct sadb_lifetime);
2074
2075	if (buf + len > lim)
2076	return NULL;
2077
2078	memset(p, 0, len);
2079	p->sadb_lifetime_len = PFKEY_UNIT64(len);
2080	p->sadb_lifetime_exttype = type;
2081
2082	switch (type) {
2083	case SADB_EXT_LIFETIME_SOFT:
2084	p->sadb_lifetime_allocations
2085	= (l_alloc * soft_lifetime_allocations_rate) /100;
2086	p->sadb_lifetime_bytes
2087	= (l_bytes * soft_lifetime_bytes_rate) /100;
2088	p->sadb_lifetime_addtime
2089	= (l_addtime * soft_lifetime_addtime_rate) /100;
2090	p->sadb_lifetime_usetime
2091	= (l_usetime * soft_lifetime_usetime_rate) /100;
2092	break;
2093	case SADB_EXT_LIFETIME_HARD:
2094	p->sadb_lifetime_allocations = l_alloc;
2095	p->sadb_lifetime_bytes = l_bytes;
2096	p->sadb_lifetime_addtime = l_addtime;
2097	p->sadb_lifetime_usetime = l_usetime;
2098	break;
2099	}
2100
2101	return buf + len;
2102	}
2103
2104	/*
2105	* copy secasvar data into sadb_address.
2106	* `buf' must has been allocated sufficiently.
2107	*/
2108	static caddr_t
2109	pfkey_setsadbxsa2(buf, lim, mode0, reqid)
2110	caddr_t buf;
2111	caddr_t lim;
2112	u_int32_t mode0;
2113	u_int32_t reqid;
2114	{
2115	struct sadb_x_sa2 *p;
2116	u_int8_t mode = mode0 & 0xff;
2117	u_int len;
2118
2119	p = (struct sadb_x_sa2 *)buf;
2120	len = sizeof(struct sadb_x_sa2);
2121
2122	if (buf + len > lim)
2123	return NULL;
2124
2125	memset(p, 0, len);
2126	p->sadb_x_sa2_len = PFKEY_UNIT64(len);
2127	p->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
2128	p->sadb_x_sa2_mode = mode;
2129	p->sadb_x_sa2_reqid = reqid;
2130
2131	return(buf + len);
2132	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: