Context Navigation

source: rtems-libbsd/freebsd/lib/libipsec/pfkey.c @ d48955b

4.1155-freebsd-126-freebsd-12freebsd-9.3

Last change on this file since d48955b was d48955b, checked in by Sebastian Huber <sebastian.huber@…>, on 11/06/13 at 08:02:16
Add and use <machine/rtems-bsd-user-space.h>
Property mode set to `100644`
File size: 44.8 KB

Line
1	#include <machine/rtems-bsd-user-space.h>
2
3	/* $KAME: pfkey.c,v 1.46 2003/08/26 03:37:06 itojun Exp $ */
4
5	/*
6	* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
7	* All rights reserved.
8	*
9	* Redistribution and use in source and binary forms, with or without
10	* modification, are permitted provided that the following conditions
11	* are met:
12	* 1. Redistributions of source code must retain the above copyright
13	* notice, this list of conditions and the following disclaimer.
14	* 2. Redistributions in binary form must reproduce the above copyright
15	* notice, this list of conditions and the following disclaimer in the
16	* documentation and/or other materials provided with the distribution.
17	* 3. Neither the name of the project nor the names of its contributors
18	* may be used to endorse or promote products derived from this software
19	* without specific prior written permission.
20	*
21	* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24	* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31	* SUCH DAMAGE.
32	*/
33
34	#include <sys/cdefs.h>
35	__FBSDID("$FreeBSD$");
36
37	#include <rtems/bsd/sys/types.h>
38	#include <rtems/bsd/sys/param.h>
39	#include <sys/socket.h>
40	#include <net/pfkeyv2.h>
41	#include <netipsec/key_var.h>
42	#include <netinet/in.h>
43	#include <netipsec/ipsec.h>
44
45	#include <stdlib.h>
46	#include <unistd.h>
47	#include <string.h>
48	#include <errno.h>
49
50	#include "ipsec_strerror.h"
51	#include "libpfkey.h"
52
53	#define CALLOC(size, cast) (cast)calloc(1, (size))
54
55	static int findsupportedmap(int);
56	static int setsupportedmap(struct sadb_supported *);
57	static struct sadb_alg *findsupportedalg(u_int, u_int);
58	static int pfkey_send_x1(int, u_int, u_int, u_int, struct sockaddr *,
59	struct sockaddr *, u_int32_t, u_int32_t, u_int, caddr_t,
60	u_int, u_int, u_int, u_int, u_int, u_int32_t, u_int32_t,
61	u_int32_t, u_int32_t, u_int32_t);
62	static int pfkey_send_x2(int, u_int, u_int, u_int,
63	struct sockaddr , struct sockaddr , u_int32_t);
64	static int pfkey_send_x3(int, u_int, u_int);
65	static int pfkey_send_x4(int, u_int, struct sockaddr *, u_int,
66	struct sockaddr *, u_int, u_int, u_int64_t, u_int64_t,
67	char *, int, u_int32_t);
68	static int pfkey_send_x5(int, u_int, u_int32_t);
69
70	static caddr_t pfkey_setsadbmsg(caddr_t, caddr_t, u_int, u_int,
71	u_int, u_int32_t, pid_t);
72	static caddr_t pfkey_setsadbsa(caddr_t, caddr_t, u_int32_t, u_int,
73	u_int, u_int, u_int32_t);
74	static caddr_t pfkey_setsadbaddr(caddr_t, caddr_t, u_int,
75	struct sockaddr *, u_int, u_int);
76	static caddr_t pfkey_setsadbkey(caddr_t, caddr_t, u_int, caddr_t, u_int);
77	static caddr_t pfkey_setsadblifetime(caddr_t, caddr_t, u_int, u_int32_t,
78	u_int32_t, u_int32_t, u_int32_t);
79	static caddr_t pfkey_setsadbxsa2(caddr_t, caddr_t, u_int32_t, u_int32_t);
80
81	/*
82	* make and search supported algorithm structure.
83	*/
84	static struct sadb_supported *ipsec_supported[] = { NULL, NULL, NULL, NULL };
85
86	static int supported_map[] = {
87	SADB_SATYPE_AH,
88	SADB_SATYPE_ESP,
89	SADB_X_SATYPE_IPCOMP,
90	SADB_X_SATYPE_TCPSIGNATURE
91	};
92
93	static int
94	findsupportedmap(satype)
95	int satype;
96	{
97	int i;
98
99	for (i = 0; i < sizeof(supported_map)/sizeof(supported_map[0]); i++)
100	if (supported_map[i] == satype)
101	return i;
102	return -1;
103	}
104
105	static struct sadb_alg *
106	findsupportedalg(satype, alg_id)
107	u_int satype, alg_id;
108	{
109	int algno;
110	int tlen;
111	caddr_t p;
112
113	/* validity check */
114	algno = findsupportedmap(satype);
115	if (algno == -1) {
116	__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
117	return NULL;
118	}
119	if (ipsec_supported[algno] == NULL) {
120	__ipsec_errcode = EIPSEC_DO_GET_SUPP_LIST;
121	return NULL;
122	}
123
124	tlen = ipsec_supported[algno]->sadb_supported_len
125	- sizeof(struct sadb_supported);
126	p = (caddr_t)(ipsec_supported[algno] + 1);
127	while (tlen > 0) {
128	if (tlen < sizeof(struct sadb_alg)) {
129	/* invalid format */
130	break;
131	}
132	if (((struct sadb_alg *)p)->sadb_alg_id == alg_id)
133	return (struct sadb_alg *)p;
134
135	tlen -= sizeof(struct sadb_alg);
136	p += sizeof(struct sadb_alg);
137	}
138
139	__ipsec_errcode = EIPSEC_NOT_SUPPORTED;
140	return NULL;
141	}
142
143	static int
144	setsupportedmap(sup)
145	struct sadb_supported *sup;
146	{
147	struct sadb_supported **ipsup;
148
149	switch (sup->sadb_supported_exttype) {
150	case SADB_EXT_SUPPORTED_AUTH:
151	ipsup = &ipsec_supported[findsupportedmap(SADB_SATYPE_AH)];
152	break;
153	case SADB_EXT_SUPPORTED_ENCRYPT:
154	ipsup = &ipsec_supported[findsupportedmap(SADB_SATYPE_ESP)];
155	break;
156	default:
157	__ipsec_errcode = EIPSEC_INVAL_SATYPE;
158	return -1;
159	}
160
161	if (*ipsup)
162	free(*ipsup);
163
164	*ipsup = malloc(sup->sadb_supported_len);
165	if (!*ipsup) {
166	__ipsec_set_strerror(strerror(errno));
167	return -1;
168	}
169	memcpy(*ipsup, sup, sup->sadb_supported_len);
170
171	return 0;
172	}
173
174	/*
175	* check key length against algorithm specified.
176	* This function is called with SADB_EXT_SUPPORTED_{AUTH,ENCRYPT} as the
177	* augument, and only calls to ipsec_check_keylen2();
178	* keylen is the unit of bit.
179	* OUT:
180	* -1: invalid.
181	* 0: valid.
182	*/
183	int
184	ipsec_check_keylen(supported, alg_id, keylen)
185	u_int supported;
186	u_int alg_id;
187	u_int keylen;
188	{
189	int satype;
190
191	/* validity check */
192	switch (supported) {
193	case SADB_EXT_SUPPORTED_AUTH:
194	satype = SADB_SATYPE_AH;
195	break;
196	case SADB_EXT_SUPPORTED_ENCRYPT:
197	satype = SADB_SATYPE_ESP;
198	break;
199	default:
200	__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
201	return -1;
202	}
203
204	return ipsec_check_keylen2(satype, alg_id, keylen);
205	}
206
207	/*
208	* check key length against algorithm specified.
209	* satype is one of satype defined at pfkeyv2.h.
210	* keylen is the unit of bit.
211	* OUT:
212	* -1: invalid.
213	* 0: valid.
214	*/
215	int
216	ipsec_check_keylen2(satype, alg_id, keylen)
217	u_int satype;
218	u_int alg_id;
219	u_int keylen;
220	{
221	struct sadb_alg *alg;
222
223	alg = findsupportedalg(satype, alg_id);
224	if (!alg)
225	return -1;
226
227	if (keylen < alg->sadb_alg_minbits \|\| keylen > alg->sadb_alg_maxbits) {
228	__ipsec_errcode = EIPSEC_INVAL_KEYLEN;
229	return -1;
230	}
231
232	__ipsec_errcode = EIPSEC_NO_ERROR;
233	return 0;
234	}
235
236	/*
237	* get max/min key length against algorithm specified.
238	* satype is one of satype defined at pfkeyv2.h.
239	* keylen is the unit of bit.
240	* OUT:
241	* -1: invalid.
242	* 0: valid.
243	*/
244	int
245	ipsec_get_keylen(supported, alg_id, alg0)
246	u_int supported, alg_id;
247	struct sadb_alg *alg0;
248	{
249	struct sadb_alg *alg;
250	u_int satype;
251
252	/* validity check */
253	if (!alg0) {
254	__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
255	return -1;
256	}
257
258	switch (supported) {
259	case SADB_EXT_SUPPORTED_AUTH:
260	satype = SADB_SATYPE_AH;
261	break;
262	case SADB_EXT_SUPPORTED_ENCRYPT:
263	satype = SADB_SATYPE_ESP;
264	break;
265	default:
266	__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
267	return -1;
268	}
269
270	alg = findsupportedalg(satype, alg_id);
271	if (!alg)
272	return -1;
273
274	memcpy(alg0, alg, sizeof(*alg0));
275
276	__ipsec_errcode = EIPSEC_NO_ERROR;
277	return 0;
278	}
279
280	/*
281	* set the rate for SOFT lifetime against HARD one.
282	* If rate is more than 100 or equal to zero, then set to 100.
283	*/
284	static u_int soft_lifetime_allocations_rate = PFKEY_SOFT_LIFETIME_RATE;
285	static u_int soft_lifetime_bytes_rate = PFKEY_SOFT_LIFETIME_RATE;
286	static u_int soft_lifetime_addtime_rate = PFKEY_SOFT_LIFETIME_RATE;
287	static u_int soft_lifetime_usetime_rate = PFKEY_SOFT_LIFETIME_RATE;
288
289	u_int
290	pfkey_set_softrate(type, rate)
291	u_int type, rate;
292	{
293	__ipsec_errcode = EIPSEC_NO_ERROR;
294
295	if (rate > 100 \|\| rate == 0)
296	rate = 100;
297
298	switch (type) {
299	case SADB_X_LIFETIME_ALLOCATIONS:
300	soft_lifetime_allocations_rate = rate;
301	return 0;
302	case SADB_X_LIFETIME_BYTES:
303	soft_lifetime_bytes_rate = rate;
304	return 0;
305	case SADB_X_LIFETIME_ADDTIME:
306	soft_lifetime_addtime_rate = rate;
307	return 0;
308	case SADB_X_LIFETIME_USETIME:
309	soft_lifetime_usetime_rate = rate;
310	return 0;
311	}
312
313	__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
314	return 1;
315	}
316
317	/*
318	* get current rate for SOFT lifetime against HARD one.
319	* ATTENTION: ~0 is returned if invalid type was passed.
320	*/
321	u_int
322	pfkey_get_softrate(type)
323	u_int type;
324	{
325	switch (type) {
326	case SADB_X_LIFETIME_ALLOCATIONS:
327	return soft_lifetime_allocations_rate;
328	case SADB_X_LIFETIME_BYTES:
329	return soft_lifetime_bytes_rate;
330	case SADB_X_LIFETIME_ADDTIME:
331	return soft_lifetime_addtime_rate;
332	case SADB_X_LIFETIME_USETIME:
333	return soft_lifetime_usetime_rate;
334	}
335
336	return ~0;
337	}
338
339	/*
340	* sending SADB_GETSPI message to the kernel.
341	* OUT:
342	* positive: success and return length sent.
343	* -1 : error occured, and set errno.
344	*/
345	int
346	pfkey_send_getspi(so, satype, mode, src, dst, min, max, reqid, seq)
347	int so;
348	u_int satype, mode;
349	struct sockaddr src, dst;
350	u_int32_t min, max, reqid, seq;
351	{
352	struct sadb_msg *newmsg;
353	caddr_t ep;
354	int len;
355	int need_spirange = 0;
356	caddr_t p;
357	int plen;
358
359	/* validity check */
360	if (src == NULL \|\| dst == NULL) {
361	__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
362	return -1;
363	}
364	if (src->sa_family != dst->sa_family) {
365	__ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
366	return -1;
367	}
368	if (min > max \|\| (min > 0 && min <= 255)) {
369	__ipsec_errcode = EIPSEC_INVAL_SPI;
370	return -1;
371	}
372	switch (src->sa_family) {
373	case AF_INET:
374	plen = sizeof(struct in_addr) << 3;
375	break;
376	case AF_INET6:
377	plen = sizeof(struct in6_addr) << 3;
378	break;
379	default:
380	__ipsec_errcode = EIPSEC_INVAL_FAMILY;
381	return -1;
382	}
383
384	/* create new sadb_msg to send. */
385	len = sizeof(struct sadb_msg)
386	+ sizeof(struct sadb_x_sa2)
387	+ sizeof(struct sadb_address)
388	+ PFKEY_ALIGN8(src->sa_len)
389	+ sizeof(struct sadb_address)
390	+ PFKEY_ALIGN8(dst->sa_len);
391
392	if (min > 255 && max < ~0) {
393	need_spirange++;
394	len += sizeof(struct sadb_spirange);
395	}
396
397	if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
398	__ipsec_set_strerror(strerror(errno));
399	return -1;
400	}
401	ep = ((caddr_t)newmsg) + len;
402
403	p = pfkey_setsadbmsg((caddr_t)newmsg, ep, SADB_GETSPI,
404	len, satype, seq, getpid());
405	if (!p) {
406	free(newmsg);
407	return -1;
408	}
409
410	p = pfkey_setsadbxsa2(p, ep, mode, reqid);
411	if (!p) {
412	free(newmsg);
413	return -1;
414	}
415
416	/* set sadb_address for source */
417	p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, plen,
418	IPSEC_ULPROTO_ANY);
419	if (!p) {
420	free(newmsg);
421	return -1;
422	}
423
424	/* set sadb_address for destination */
425	p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, plen,
426	IPSEC_ULPROTO_ANY);
427	if (!p) {
428	free(newmsg);
429	return -1;
430	}
431
432	/* proccessing spi range */
433	if (need_spirange) {
434	struct sadb_spirange spirange;
435
436	if (p + sizeof(spirange) > ep) {
437	free(newmsg);
438	return -1;
439	}
440
441	memset(&spirange, 0, sizeof(spirange));
442	spirange.sadb_spirange_len = PFKEY_UNIT64(sizeof(spirange));
443	spirange.sadb_spirange_exttype = SADB_EXT_SPIRANGE;
444	spirange.sadb_spirange_min = min;
445	spirange.sadb_spirange_max = max;
446
447	memcpy(p, &spirange, sizeof(spirange));
448
449	p += sizeof(spirange);
450	}
451	if (p != ep) {
452	free(newmsg);
453	return -1;
454	}
455
456	/* send message */
457	len = pfkey_send(so, newmsg, len);
458	free(newmsg);
459
460	if (len < 0)
461	return -1;
462
463	__ipsec_errcode = EIPSEC_NO_ERROR;
464	return len;
465	}
466
467	/*
468	* sending SADB_UPDATE message to the kernel.
469	* The length of key material is a_keylen + e_keylen.
470	* OUT:
471	* positive: success and return length sent.
472	* -1 : error occured, and set errno.
473	*/
474	int
475	pfkey_send_update(so, satype, mode, src, dst, spi, reqid, wsize,
476	keymat, e_type, e_keylen, a_type, a_keylen, flags,
477	l_alloc, l_bytes, l_addtime, l_usetime, seq)
478	int so;
479	u_int satype, mode, wsize;
480	struct sockaddr src, dst;
481	u_int32_t spi, reqid;
482	caddr_t keymat;
483	u_int e_type, e_keylen, a_type, a_keylen, flags;
484	u_int32_t l_alloc;
485	u_int64_t l_bytes, l_addtime, l_usetime;
486	u_int32_t seq;
487	{
488	int len;
489	if ((len = pfkey_send_x1(so, SADB_UPDATE, satype, mode, src, dst, spi,
490	reqid, wsize,
491	keymat, e_type, e_keylen, a_type, a_keylen, flags,
492	l_alloc, l_bytes, l_addtime, l_usetime, seq)) < 0)
493	return -1;
494
495	return len;
496	}
497
498	/*
499	* sending SADB_ADD message to the kernel.
500	* The length of key material is a_keylen + e_keylen.
501	* OUT:
502	* positive: success and return length sent.
503	* -1 : error occured, and set errno.
504	*/
505	int
506	pfkey_send_add(so, satype, mode, src, dst, spi, reqid, wsize,
507	keymat, e_type, e_keylen, a_type, a_keylen, flags,
508	l_alloc, l_bytes, l_addtime, l_usetime, seq)
509	int so;
510	u_int satype, mode, wsize;
511	struct sockaddr src, dst;
512	u_int32_t spi, reqid;
513	caddr_t keymat;
514	u_int e_type, e_keylen, a_type, a_keylen, flags;
515	u_int32_t l_alloc;
516	u_int64_t l_bytes, l_addtime, l_usetime;
517	u_int32_t seq;
518	{
519	int len;
520	if ((len = pfkey_send_x1(so, SADB_ADD, satype, mode, src, dst, spi,
521	reqid, wsize,
522	keymat, e_type, e_keylen, a_type, a_keylen, flags,
523	l_alloc, l_bytes, l_addtime, l_usetime, seq)) < 0)
524	return -1;
525
526	return len;
527	}
528
529	/*
530	* sending SADB_DELETE message to the kernel.
531	* OUT:
532	* positive: success and return length sent.
533	* -1 : error occured, and set errno.
534	*/
535	int
536	pfkey_send_delete(so, satype, mode, src, dst, spi)
537	int so;
538	u_int satype, mode;
539	struct sockaddr src, dst;
540	u_int32_t spi;
541	{
542	int len;
543	if ((len = pfkey_send_x2(so, SADB_DELETE, satype, mode, src, dst, spi)) < 0)
544	return -1;
545
546	return len;
547	}
548
549	/*
550	* sending SADB_DELETE without spi to the kernel. This is
551	* the "delete all" request (an extension also present in
552	* Solaris).
553	*
554	* OUT:
555	* positive: success and return length sent
556	* -1 : error occured, and set errno
557	*/
558	int
559	pfkey_send_delete_all(so, satype, mode, src, dst)
560	int so;
561	u_int satype, mode;
562	struct sockaddr src, dst;
563	{
564	struct sadb_msg *newmsg;
565	int len;
566	caddr_t p;
567	int plen;
568	caddr_t ep;
569
570	/* validity check */
571	if (src == NULL \|\| dst == NULL) {
572	__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
573	return -1;
574	}
575	if (src->sa_family != dst->sa_family) {
576	__ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
577	return -1;
578	}
579	switch (src->sa_family) {
580	case AF_INET:
581	plen = sizeof(struct in_addr) << 3;
582	break;
583	case AF_INET6:
584	plen = sizeof(struct in6_addr) << 3;
585	break;
586	default:
587	__ipsec_errcode = EIPSEC_INVAL_FAMILY;
588	return -1;
589	}
590
591	/* create new sadb_msg to reply. */
592	len = sizeof(struct sadb_msg)
593	+ sizeof(struct sadb_address)
594	+ PFKEY_ALIGN8(src->sa_len)
595	+ sizeof(struct sadb_address)
596	+ PFKEY_ALIGN8(dst->sa_len);
597
598	if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
599	__ipsec_set_strerror(strerror(errno));
600	return -1;
601	}
602	ep = ((caddr_t)newmsg) + len;
603
604	p = pfkey_setsadbmsg((caddr_t)newmsg, ep, SADB_DELETE, len, satype, 0,
605	getpid());
606	if (!p) {
607	free(newmsg);
608	return -1;
609	}
610	p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, plen,
611	IPSEC_ULPROTO_ANY);
612	if (!p) {
613	free(newmsg);
614	return -1;
615	}
616	p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, plen,
617	IPSEC_ULPROTO_ANY);
618	if (!p \|\| p != ep) {
619	free(newmsg);
620	return -1;
621	}
622
623	/* send message */
624	len = pfkey_send(so, newmsg, len);
625	free(newmsg);
626
627	if (len < 0)
628	return -1;
629
630	__ipsec_errcode = EIPSEC_NO_ERROR;
631	return len;
632	}
633
634	/*
635	* sending SADB_GET message to the kernel.
636	* OUT:
637	* positive: success and return length sent.
638	* -1 : error occured, and set errno.
639	*/
640	int
641	pfkey_send_get(so, satype, mode, src, dst, spi)
642	int so;
643	u_int satype, mode;
644	struct sockaddr src, dst;
645	u_int32_t spi;
646	{
647	int len;
648	if ((len = pfkey_send_x2(so, SADB_GET, satype, mode, src, dst, spi)) < 0)
649	return -1;
650
651	return len;
652	}
653
654	/*
655	* sending SADB_REGISTER message to the kernel.
656	* OUT:
657	* positive: success and return length sent.
658	* -1 : error occured, and set errno.
659	*/
660	int
661	pfkey_send_register(so, satype)
662	int so;
663	u_int satype;
664	{
665	int len, algno;
666
667	if (satype == SADB_SATYPE_UNSPEC) {
668	for (algno = 0;
669	algno < sizeof(supported_map)/sizeof(supported_map[0]);
670	algno++) {
671	if (ipsec_supported[algno]) {
672	free(ipsec_supported[algno]);
673	ipsec_supported[algno] = NULL;
674	}
675	}
676	} else {
677	algno = findsupportedmap(satype);
678	if (algno == -1) {
679	__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
680	return -1;
681	}
682
683	if (ipsec_supported[algno]) {
684	free(ipsec_supported[algno]);
685	ipsec_supported[algno] = NULL;
686	}
687	}
688
689	if ((len = pfkey_send_x3(so, SADB_REGISTER, satype)) < 0)
690	return -1;
691
692	return len;
693	}
694
695	/*
696	* receiving SADB_REGISTER message from the kernel, and copy buffer for
697	* sadb_supported returned into ipsec_supported.
698	* OUT:
699	* 0: success and return length sent.
700	* -1: error occured, and set errno.
701	*/
702	int
703	pfkey_recv_register(so)
704	int so;
705	{
706	pid_t pid = getpid();
707	struct sadb_msg *newmsg;
708	int error = -1;
709
710	/* receive message */
711	for (;;) {
712	if ((newmsg = pfkey_recv(so)) == NULL)
713	return -1;
714	if (newmsg->sadb_msg_type == SADB_REGISTER &&
715	newmsg->sadb_msg_pid == pid)
716	break;
717	free(newmsg);
718	}
719
720	/* check and fix */
721	newmsg->sadb_msg_len = PFKEY_UNUNIT64(newmsg->sadb_msg_len);
722
723	error = pfkey_set_supported(newmsg, newmsg->sadb_msg_len);
724	free(newmsg);
725
726	if (error == 0)
727	__ipsec_errcode = EIPSEC_NO_ERROR;
728
729	return error;
730	}
731
732	/*
733	* receiving SADB_REGISTER message from the kernel, and copy buffer for
734	* sadb_supported returned into ipsec_supported.
735	* NOTE: sadb_msg_len must be host order.
736	* IN:
737	* tlen: msg length, it's to makeing sure.
738	* OUT:
739	* 0: success and return length sent.
740	* -1: error occured, and set errno.
741	*/
742	int
743	pfkey_set_supported(msg, tlen)
744	struct sadb_msg *msg;
745	int tlen;
746	{
747	struct sadb_supported *sup;
748	caddr_t p;
749	caddr_t ep;
750
751	/* validity */
752	if (msg->sadb_msg_len != tlen) {
753	__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
754	return -1;
755	}
756
757	p = (caddr_t)msg;
758	ep = p + tlen;
759
760	p += sizeof(struct sadb_msg);
761
762	while (p < ep) {
763	sup = (struct sadb_supported *)p;
764	if (ep < p + sizeof(*sup) \|\|
765	PFKEY_EXTLEN(sup) < sizeof(*sup) \|\|
766	ep < p + sup->sadb_supported_len) {
767	/* invalid format */
768	break;
769	}
770
771	switch (sup->sadb_supported_exttype) {
772	case SADB_EXT_SUPPORTED_AUTH:
773	case SADB_EXT_SUPPORTED_ENCRYPT:
774	break;
775	default:
776	__ipsec_errcode = EIPSEC_INVAL_SATYPE;
777	return -1;
778	}
779
780	/* fixed length */
781	sup->sadb_supported_len = PFKEY_EXTLEN(sup);
782
783	/* set supported map */
784	if (setsupportedmap(sup) != 0)
785	return -1;
786
787	p += sup->sadb_supported_len;
788	}
789
790	if (p != ep) {
791	__ipsec_errcode = EIPSEC_INVAL_SATYPE;
792	return -1;
793	}
794
795	__ipsec_errcode = EIPSEC_NO_ERROR;
796
797	return 0;
798	}
799
800	/*
801	* sending SADB_FLUSH message to the kernel.
802	* OUT:
803	* positive: success and return length sent.
804	* -1 : error occured, and set errno.
805	*/
806	int
807	pfkey_send_flush(so, satype)
808	int so;
809	u_int satype;
810	{
811	int len;
812
813	if ((len = pfkey_send_x3(so, SADB_FLUSH, satype)) < 0)
814	return -1;
815
816	return len;
817	}
818
819	/*
820	* sending SADB_DUMP message to the kernel.
821	* OUT:
822	* positive: success and return length sent.
823	* -1 : error occured, and set errno.
824	*/
825	int
826	pfkey_send_dump(so, satype)
827	int so;
828	u_int satype;
829	{
830	int len;
831
832	if ((len = pfkey_send_x3(so, SADB_DUMP, satype)) < 0)
833	return -1;
834
835	return len;
836	}
837
838	/*
839	* sending SADB_X_PROMISC message to the kernel.
840	* NOTE that this function handles promisc mode toggle only.
841	* IN:
842	* flag: set promisc off if zero, set promisc on if non-zero.
843	* OUT:
844	* positive: success and return length sent.
845	* -1 : error occured, and set errno.
846	* 0 : error occured, and set errno.
847	* others: a pointer to new allocated buffer in which supported
848	* algorithms is.
849	*/
850	int
851	pfkey_send_promisc_toggle(so, flag)
852	int so;
853	int flag;
854	{
855	int len;
856
857	if ((len = pfkey_send_x3(so, SADB_X_PROMISC, (flag ? 1 : 0))) < 0)
858	return -1;
859
860	return len;
861	}
862
863	/*
864	* sending SADB_X_SPDADD message to the kernel.
865	* OUT:
866	* positive: success and return length sent.
867	* -1 : error occured, and set errno.
868	*/
869	int
870	pfkey_send_spdadd(so, src, prefs, dst, prefd, proto, policy, policylen, seq)
871	int so;
872	struct sockaddr src, dst;
873	u_int prefs, prefd, proto;
874	caddr_t policy;
875	int policylen;
876	u_int32_t seq;
877	{
878	int len;
879
880	if ((len = pfkey_send_x4(so, SADB_X_SPDADD,
881	src, prefs, dst, prefd, proto,
882	0, 0,
883	policy, policylen, seq)) < 0)
884	return -1;
885
886	return len;
887	}
888
889	/*
890	* sending SADB_X_SPDADD message to the kernel.
891	* OUT:
892	* positive: success and return length sent.
893	* -1 : error occured, and set errno.
894	*/
895	int
896	pfkey_send_spdadd2(so, src, prefs, dst, prefd, proto, ltime, vtime,
897	policy, policylen, seq)
898	int so;
899	struct sockaddr src, dst;
900	u_int prefs, prefd, proto;
901	u_int64_t ltime, vtime;
902	caddr_t policy;
903	int policylen;
904	u_int32_t seq;
905	{
906	int len;
907
908	if ((len = pfkey_send_x4(so, SADB_X_SPDADD,
909	src, prefs, dst, prefd, proto,
910	ltime, vtime,
911	policy, policylen, seq)) < 0)
912	return -1;
913
914	return len;
915	}
916
917	/*
918	* sending SADB_X_SPDUPDATE message to the kernel.
919	* OUT:
920	* positive: success and return length sent.
921	* -1 : error occured, and set errno.
922	*/
923	int
924	pfkey_send_spdupdate(so, src, prefs, dst, prefd, proto, policy, policylen, seq)
925	int so;
926	struct sockaddr src, dst;
927	u_int prefs, prefd, proto;
928	caddr_t policy;
929	int policylen;
930	u_int32_t seq;
931	{
932	int len;
933
934	if ((len = pfkey_send_x4(so, SADB_X_SPDUPDATE,
935	src, prefs, dst, prefd, proto,
936	0, 0,
937	policy, policylen, seq)) < 0)
938	return -1;
939
940	return len;
941	}
942
943	/*
944	* sending SADB_X_SPDUPDATE message to the kernel.
945	* OUT:
946	* positive: success and return length sent.
947	* -1 : error occured, and set errno.
948	*/
949	int
950	pfkey_send_spdupdate2(so, src, prefs, dst, prefd, proto, ltime, vtime,
951	policy, policylen, seq)
952	int so;
953	struct sockaddr src, dst;
954	u_int prefs, prefd, proto;
955	u_int64_t ltime, vtime;
956	caddr_t policy;
957	int policylen;
958	u_int32_t seq;
959	{
960	int len;
961
962	if ((len = pfkey_send_x4(so, SADB_X_SPDUPDATE,
963	src, prefs, dst, prefd, proto,
964	ltime, vtime,
965	policy, policylen, seq)) < 0)
966	return -1;
967
968	return len;
969	}
970
971	/*
972	* sending SADB_X_SPDDELETE message to the kernel.
973	* OUT:
974	* positive: success and return length sent.
975	* -1 : error occured, and set errno.
976	*/
977	int
978	pfkey_send_spddelete(so, src, prefs, dst, prefd, proto, policy, policylen, seq)
979	int so;
980	struct sockaddr src, dst;
981	u_int prefs, prefd, proto;
982	caddr_t policy;
983	int policylen;
984	u_int32_t seq;
985	{
986	int len;
987
988	if (policylen != sizeof(struct sadb_x_policy)) {
989	__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
990	return -1;
991	}
992
993	if ((len = pfkey_send_x4(so, SADB_X_SPDDELETE,
994	src, prefs, dst, prefd, proto,
995	0, 0,
996	policy, policylen, seq)) < 0)
997	return -1;
998
999	return len;
1000	}
1001
1002	/*
1003	* sending SADB_X_SPDDELETE message to the kernel.
1004	* OUT:
1005	* positive: success and return length sent.
1006	* -1 : error occured, and set errno.
1007	*/
1008	int
1009	pfkey_send_spddelete2(so, spid)
1010	int so;
1011	u_int32_t spid;
1012	{
1013	int len;
1014
1015	if ((len = pfkey_send_x5(so, SADB_X_SPDDELETE2, spid)) < 0)
1016	return -1;
1017
1018	return len;
1019	}
1020
1021	/*
1022	* sending SADB_X_SPDGET message to the kernel.
1023	* OUT:
1024	* positive: success and return length sent.
1025	* -1 : error occured, and set errno.
1026	*/
1027	int
1028	pfkey_send_spdget(so, spid)
1029	int so;
1030	u_int32_t spid;
1031	{
1032	int len;
1033
1034	if ((len = pfkey_send_x5(so, SADB_X_SPDGET, spid)) < 0)
1035	return -1;
1036
1037	return len;
1038	}
1039
1040	/*
1041	* sending SADB_X_SPDSETIDX message to the kernel.
1042	* OUT:
1043	* positive: success and return length sent.
1044	* -1 : error occured, and set errno.
1045	*/
1046	int
1047	pfkey_send_spdsetidx(so, src, prefs, dst, prefd, proto, policy, policylen, seq)
1048	int so;
1049	struct sockaddr src, dst;
1050	u_int prefs, prefd, proto;
1051	caddr_t policy;
1052	int policylen;
1053	u_int32_t seq;
1054	{
1055	int len;
1056
1057	if (policylen != sizeof(struct sadb_x_policy)) {
1058	__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
1059	return -1;
1060	}
1061
1062	if ((len = pfkey_send_x4(so, SADB_X_SPDSETIDX,
1063	src, prefs, dst, prefd, proto,
1064	0, 0,
1065	policy, policylen, seq)) < 0)
1066	return -1;
1067
1068	return len;
1069	}
1070
1071	/*
1072	* sending SADB_SPDFLUSH message to the kernel.
1073	* OUT:
1074	* positive: success and return length sent.
1075	* -1 : error occured, and set errno.
1076	*/
1077	int
1078	pfkey_send_spdflush(so)
1079	int so;
1080	{
1081	int len;
1082
1083	if ((len = pfkey_send_x3(so, SADB_X_SPDFLUSH, SADB_SATYPE_UNSPEC)) < 0)
1084	return -1;
1085
1086	return len;
1087	}
1088
1089	/*
1090	* sending SADB_SPDDUMP message to the kernel.
1091	* OUT:
1092	* positive: success and return length sent.
1093	* -1 : error occured, and set errno.
1094	*/
1095	int
1096	pfkey_send_spddump(so)
1097	int so;
1098	{
1099	int len;
1100
1101	if ((len = pfkey_send_x3(so, SADB_X_SPDDUMP, SADB_SATYPE_UNSPEC)) < 0)
1102	return -1;
1103
1104	return len;
1105	}
1106
1107	/* sending SADB_ADD or SADB_UPDATE message to the kernel */
1108	static int
1109	pfkey_send_x1(so, type, satype, mode, src, dst, spi, reqid, wsize,
1110	keymat, e_type, e_keylen, a_type, a_keylen, flags,
1111	l_alloc, l_bytes, l_addtime, l_usetime, seq)
1112	int so;
1113	u_int type, satype, mode;
1114	struct sockaddr src, dst;
1115	u_int32_t spi, reqid;
1116	u_int wsize;
1117	caddr_t keymat;
1118	u_int e_type, e_keylen, a_type, a_keylen, flags;
1119	u_int32_t l_alloc, l_bytes, l_addtime, l_usetime, seq;
1120	{
1121	struct sadb_msg *newmsg;
1122	int len;
1123	caddr_t p;
1124	int plen;
1125	caddr_t ep;
1126
1127	/* validity check */
1128	if (src == NULL \|\| dst == NULL) {
1129	__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
1130	return -1;
1131	}
1132	if (src->sa_family != dst->sa_family) {
1133	__ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
1134	return -1;
1135	}
1136	switch (src->sa_family) {
1137	case AF_INET:
1138	plen = sizeof(struct in_addr) << 3;
1139	break;
1140	case AF_INET6:
1141	plen = sizeof(struct in6_addr) << 3;
1142	break;
1143	default:
1144	__ipsec_errcode = EIPSEC_INVAL_FAMILY;
1145	return -1;
1146	}
1147
1148	switch (satype) {
1149	case SADB_SATYPE_ESP:
1150	if (e_type == SADB_EALG_NONE) {
1151	__ipsec_errcode = EIPSEC_NO_ALGS;
1152	return -1;
1153	}
1154	break;
1155	case SADB_SATYPE_AH:
1156	if (e_type != SADB_EALG_NONE) {
1157	__ipsec_errcode = EIPSEC_INVAL_ALGS;
1158	return -1;
1159	}
1160	if (a_type == SADB_AALG_NONE) {
1161	__ipsec_errcode = EIPSEC_NO_ALGS;
1162	return -1;
1163	}
1164	break;
1165	case SADB_X_SATYPE_IPCOMP:
1166	if (e_type == SADB_X_CALG_NONE) {
1167	__ipsec_errcode = EIPSEC_INVAL_ALGS;
1168	return -1;
1169	}
1170	if (a_type != SADB_AALG_NONE) {
1171	__ipsec_errcode = EIPSEC_NO_ALGS;
1172	return -1;
1173	}
1174	break;
1175	case SADB_X_SATYPE_TCPSIGNATURE:
1176	if (e_type != SADB_EALG_NONE) {
1177	__ipsec_errcode = EIPSEC_INVAL_ALGS;
1178	return -1;
1179	}
1180	if (a_type != SADB_X_AALG_TCP_MD5) {
1181	__ipsec_errcode = EIPSEC_INVAL_ALGS;
1182	return -1;
1183	}
1184	break;
1185	default:
1186	__ipsec_errcode = EIPSEC_INVAL_SATYPE;
1187	return -1;
1188	}
1189
1190	/* create new sadb_msg to reply. */
1191	len = sizeof(struct sadb_msg)
1192	+ sizeof(struct sadb_sa)
1193	+ sizeof(struct sadb_x_sa2)
1194	+ sizeof(struct sadb_address)
1195	+ PFKEY_ALIGN8(src->sa_len)
1196	+ sizeof(struct sadb_address)
1197	+ PFKEY_ALIGN8(dst->sa_len)
1198	+ sizeof(struct sadb_lifetime)
1199	+ sizeof(struct sadb_lifetime);
1200
1201	if (e_type != SADB_EALG_NONE)
1202	len += (sizeof(struct sadb_key) + PFKEY_ALIGN8(e_keylen));
1203	if (a_type != SADB_AALG_NONE)
1204	len += (sizeof(struct sadb_key) + PFKEY_ALIGN8(a_keylen));
1205
1206	if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
1207	__ipsec_set_strerror(strerror(errno));
1208	return -1;
1209	}
1210	ep = ((caddr_t)newmsg) + len;
1211
1212	p = pfkey_setsadbmsg((caddr_t)newmsg, ep, type, len,
1213	satype, seq, getpid());
1214	if (!p) {
1215	free(newmsg);
1216	return -1;
1217	}
1218	p = pfkey_setsadbsa(p, ep, spi, wsize, a_type, e_type, flags);
1219	if (!p) {
1220	free(newmsg);
1221	return -1;
1222	}
1223	p = pfkey_setsadbxsa2(p, ep, mode, reqid);
1224	if (!p) {
1225	free(newmsg);
1226	return -1;
1227	}
1228	p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, plen,
1229	IPSEC_ULPROTO_ANY);
1230	if (!p) {
1231	free(newmsg);
1232	return -1;
1233	}
1234	p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, plen,
1235	IPSEC_ULPROTO_ANY);
1236	if (!p) {
1237	free(newmsg);
1238	return -1;
1239	}
1240
1241	if (e_type != SADB_EALG_NONE) {
1242	p = pfkey_setsadbkey(p, ep, SADB_EXT_KEY_ENCRYPT,
1243	keymat, e_keylen);
1244	if (!p) {
1245	free(newmsg);
1246	return -1;
1247	}
1248	}
1249	if (a_type != SADB_AALG_NONE) {
1250	p = pfkey_setsadbkey(p, ep, SADB_EXT_KEY_AUTH,
1251	keymat + e_keylen, a_keylen);
1252	if (!p) {
1253	free(newmsg);
1254	return -1;
1255	}
1256	}
1257
1258	/* set sadb_lifetime for destination */
1259	p = pfkey_setsadblifetime(p, ep, SADB_EXT_LIFETIME_HARD,
1260	l_alloc, l_bytes, l_addtime, l_usetime);
1261	if (!p) {
1262	free(newmsg);
1263	return -1;
1264	}
1265	p = pfkey_setsadblifetime(p, ep, SADB_EXT_LIFETIME_SOFT,
1266	l_alloc, l_bytes, l_addtime, l_usetime);
1267	if (!p \|\| p != ep) {
1268	free(newmsg);
1269	return -1;
1270	}
1271
1272	/* send message */
1273	len = pfkey_send(so, newmsg, len);
1274	free(newmsg);
1275
1276	if (len < 0)
1277	return -1;
1278
1279	__ipsec_errcode = EIPSEC_NO_ERROR;
1280	return len;
1281	}
1282
1283	/* sending SADB_DELETE or SADB_GET message to the kernel */
1284	static int
1285	pfkey_send_x2(so, type, satype, mode, src, dst, spi)
1286	int so;
1287	u_int type, satype, mode;
1288	struct sockaddr src, dst;
1289	u_int32_t spi;
1290	{
1291	struct sadb_msg *newmsg;
1292	int len;
1293	caddr_t p;
1294	int plen;
1295	caddr_t ep;
1296
1297	/* validity check */
1298	if (src == NULL \|\| dst == NULL) {
1299	__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
1300	return -1;
1301	}
1302	if (src->sa_family != dst->sa_family) {
1303	__ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
1304	return -1;
1305	}
1306	switch (src->sa_family) {
1307	case AF_INET:
1308	plen = sizeof(struct in_addr) << 3;
1309	break;
1310	case AF_INET6:
1311	plen = sizeof(struct in6_addr) << 3;
1312	break;
1313	default:
1314	__ipsec_errcode = EIPSEC_INVAL_FAMILY;
1315	return -1;
1316	}
1317
1318	/* create new sadb_msg to reply. */
1319	len = sizeof(struct sadb_msg)
1320	+ sizeof(struct sadb_sa)
1321	+ sizeof(struct sadb_address)
1322	+ PFKEY_ALIGN8(src->sa_len)
1323	+ sizeof(struct sadb_address)
1324	+ PFKEY_ALIGN8(dst->sa_len);
1325
1326	if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
1327	__ipsec_set_strerror(strerror(errno));
1328	return -1;
1329	}
1330	ep = ((caddr_t)newmsg) + len;
1331
1332	p = pfkey_setsadbmsg((caddr_t)newmsg, ep, type, len, satype, 0,
1333	getpid());
1334	if (!p) {
1335	free(newmsg);
1336	return -1;
1337	}
1338	p = pfkey_setsadbsa(p, ep, spi, 0, 0, 0, 0);
1339	if (!p) {
1340	free(newmsg);
1341	return -1;
1342	}
1343	p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, plen,
1344	IPSEC_ULPROTO_ANY);
1345	if (!p) {
1346	free(newmsg);
1347	return -1;
1348	}
1349	p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, plen,
1350	IPSEC_ULPROTO_ANY);
1351	if (!p \|\| p != ep) {
1352	free(newmsg);
1353	return -1;
1354	}
1355
1356	/* send message */
1357	len = pfkey_send(so, newmsg, len);
1358	free(newmsg);
1359
1360	if (len < 0)
1361	return -1;
1362
1363	__ipsec_errcode = EIPSEC_NO_ERROR;
1364	return len;
1365	}
1366
1367	/*
1368	* sending SADB_REGISTER, SADB_FLUSH, SADB_DUMP or SADB_X_PROMISC message
1369	* to the kernel
1370	*/
1371	static int
1372	pfkey_send_x3(so, type, satype)
1373	int so;
1374	u_int type, satype;
1375	{
1376	struct sadb_msg *newmsg;
1377	int len;
1378	caddr_t p;
1379	caddr_t ep;
1380
1381	/* validity check */
1382	switch (type) {
1383	case SADB_X_PROMISC:
1384	if (satype != 0 && satype != 1) {
1385	__ipsec_errcode = EIPSEC_INVAL_SATYPE;
1386	return -1;
1387	}
1388	break;
1389	default:
1390	switch (satype) {
1391	case SADB_SATYPE_UNSPEC:
1392	case SADB_SATYPE_AH:
1393	case SADB_SATYPE_ESP:
1394	case SADB_X_SATYPE_IPCOMP:
1395	case SADB_X_SATYPE_TCPSIGNATURE:
1396	break;
1397	default:
1398	__ipsec_errcode = EIPSEC_INVAL_SATYPE;
1399	return -1;
1400	}
1401	}
1402
1403	/* create new sadb_msg to send. */
1404	len = sizeof(struct sadb_msg);
1405
1406	if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
1407	__ipsec_set_strerror(strerror(errno));
1408	return -1;
1409	}
1410	ep = ((caddr_t)newmsg) + len;
1411
1412	p = pfkey_setsadbmsg((caddr_t)newmsg, ep, type, len, satype, 0,
1413	getpid());
1414	if (!p \|\| p != ep) {
1415	free(newmsg);
1416	return -1;
1417	}
1418
1419	/* send message */
1420	len = pfkey_send(so, newmsg, len);
1421	free(newmsg);
1422
1423	if (len < 0)
1424	return -1;
1425
1426	__ipsec_errcode = EIPSEC_NO_ERROR;
1427	return len;
1428	}
1429
1430	/* sending SADB_X_SPDADD message to the kernel */
1431	static int
1432	pfkey_send_x4(so, type, src, prefs, dst, prefd, proto,
1433	ltime, vtime, policy, policylen, seq)
1434	int so;
1435	struct sockaddr src, dst;
1436	u_int type, prefs, prefd, proto;
1437	u_int64_t ltime, vtime;
1438	char *policy;
1439	int policylen;
1440	u_int32_t seq;
1441	{
1442	struct sadb_msg *newmsg;
1443	int len;
1444	caddr_t p;
1445	int plen;
1446	caddr_t ep;
1447
1448	/* validity check */
1449	if (src == NULL \|\| dst == NULL) {
1450	__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
1451	return -1;
1452	}
1453	if (src->sa_family != dst->sa_family) {
1454	__ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
1455	return -1;
1456	}
1457
1458	switch (src->sa_family) {
1459	case AF_INET:
1460	plen = sizeof(struct in_addr) << 3;
1461	break;
1462	case AF_INET6:
1463	plen = sizeof(struct in6_addr) << 3;
1464	break;
1465	default:
1466	__ipsec_errcode = EIPSEC_INVAL_FAMILY;
1467	return -1;
1468	}
1469	if (prefs > plen \|\| prefd > plen) {
1470	__ipsec_errcode = EIPSEC_INVAL_PREFIXLEN;
1471	return -1;
1472	}
1473
1474	/* create new sadb_msg to reply. */
1475	len = sizeof(struct sadb_msg)
1476	+ sizeof(struct sadb_address)
1477	+ PFKEY_ALIGN8(src->sa_len)
1478	+ sizeof(struct sadb_address)
1479	+ PFKEY_ALIGN8(src->sa_len)
1480	+ sizeof(struct sadb_lifetime)
1481	+ policylen;
1482
1483	if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
1484	__ipsec_set_strerror(strerror(errno));
1485	return -1;
1486	}
1487	ep = ((caddr_t)newmsg) + len;
1488
1489	p = pfkey_setsadbmsg((caddr_t)newmsg, ep, type, len,
1490	SADB_SATYPE_UNSPEC, seq, getpid());
1491	if (!p) {
1492	free(newmsg);
1493	return -1;
1494	}
1495	p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, prefs, proto);
1496	if (!p) {
1497	free(newmsg);
1498	return -1;
1499	}
1500	p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, prefd, proto);
1501	if (!p) {
1502	free(newmsg);
1503	return -1;
1504	}
1505	p = pfkey_setsadblifetime(p, ep, SADB_EXT_LIFETIME_HARD,
1506	0, 0, ltime, vtime);
1507	if (!p \|\| p + policylen != ep) {
1508	free(newmsg);
1509	return -1;
1510	}
1511	memcpy(p, policy, policylen);
1512
1513	/* send message */
1514	len = pfkey_send(so, newmsg, len);
1515	free(newmsg);
1516
1517	if (len < 0)
1518	return -1;
1519
1520	__ipsec_errcode = EIPSEC_NO_ERROR;
1521	return len;
1522	}
1523
1524	/* sending SADB_X_SPDGET or SADB_X_SPDDELETE message to the kernel */
1525	static int
1526	pfkey_send_x5(so, type, spid)
1527	int so;
1528	u_int type;
1529	u_int32_t spid;
1530	{
1531	struct sadb_msg *newmsg;
1532	struct sadb_x_policy xpl;
1533	int len;
1534	caddr_t p;
1535	caddr_t ep;
1536
1537	/* create new sadb_msg to reply. */
1538	len = sizeof(struct sadb_msg)
1539	+ sizeof(xpl);
1540
1541	if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
1542	__ipsec_set_strerror(strerror(errno));
1543	return -1;
1544	}
1545	ep = ((caddr_t)newmsg) + len;
1546
1547	p = pfkey_setsadbmsg((caddr_t)newmsg, ep, type, len,
1548	SADB_SATYPE_UNSPEC, 0, getpid());
1549	if (!p) {
1550	free(newmsg);
1551	return -1;
1552	}
1553
1554	if (p + sizeof(xpl) != ep) {
1555	free(newmsg);
1556	return -1;
1557	}
1558	memset(&xpl, 0, sizeof(xpl));
1559	xpl.sadb_x_policy_len = PFKEY_UNIT64(sizeof(xpl));
1560	xpl.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
1561	xpl.sadb_x_policy_id = spid;
1562	memcpy(p, &xpl, sizeof(xpl));
1563
1564	/* send message */
1565	len = pfkey_send(so, newmsg, len);
1566	free(newmsg);
1567
1568	if (len < 0)
1569	return -1;
1570
1571	__ipsec_errcode = EIPSEC_NO_ERROR;
1572	return len;
1573	}
1574
1575	/*
1576	* open a socket.
1577	* OUT:
1578	* -1: fail.
1579	* others : success and return value of socket.
1580	*/
1581	int
1582	pfkey_open()
1583	{
1584	int so;
1585	const int bufsiz = 128 * 1024; /is 128K enough?/
1586
1587	if ((so = socket(PF_KEY, SOCK_RAW, PF_KEY_V2)) < 0) {
1588	__ipsec_set_strerror(strerror(errno));
1589	return -1;
1590	}
1591
1592	/*
1593	* This is a temporary workaround for KAME PR 154.
1594	* Don't really care even if it fails.
1595	*/
1596	(void)setsockopt(so, SOL_SOCKET, SO_SNDBUF, &bufsiz, sizeof(bufsiz));
1597	(void)setsockopt(so, SOL_SOCKET, SO_RCVBUF, &bufsiz, sizeof(bufsiz));
1598
1599	__ipsec_errcode = EIPSEC_NO_ERROR;
1600	return so;
1601	}
1602
1603	/*
1604	* close a socket.
1605	* OUT:
1606	* 0: success.
1607	* -1: fail.
1608	*/
1609	void
1610	pfkey_close(so)
1611	int so;
1612	{
1613	(void)close(so);
1614
1615	__ipsec_errcode = EIPSEC_NO_ERROR;
1616	return;
1617	}
1618
1619	/*
1620	* receive sadb_msg data, and return pointer to new buffer allocated.
1621	* Must free this buffer later.
1622	* OUT:
1623	* NULL : error occured.
1624	* others : a pointer to sadb_msg structure.
1625	*
1626	* XXX should be rewritten to pass length explicitly
1627	*/
1628	struct sadb_msg *
1629	pfkey_recv(so)
1630	int so;
1631	{
1632	struct sadb_msg buf, *newmsg;
1633	int len, reallen;
1634
1635	while ((len = recv(so, (caddr_t)&buf, sizeof(buf), MSG_PEEK)) < 0) {
1636	if (errno == EINTR)
1637	continue;
1638	__ipsec_set_strerror(strerror(errno));
1639	return NULL;
1640	}
1641
1642	if (len < sizeof(buf)) {
1643	recv(so, (caddr_t)&buf, sizeof(buf), 0);
1644	__ipsec_errcode = EIPSEC_MAX;
1645	return NULL;
1646	}
1647
1648	/* read real message */
1649	reallen = PFKEY_UNUNIT64(buf.sadb_msg_len);
1650	if ((newmsg = CALLOC(reallen, struct sadb_msg *)) == 0) {
1651	__ipsec_set_strerror(strerror(errno));
1652	return NULL;
1653	}
1654
1655	while ((len = recv(so, (caddr_t)newmsg, reallen, 0)) < 0) {
1656	if (errno == EINTR)
1657	continue;
1658	__ipsec_set_strerror(strerror(errno));
1659	free(newmsg);
1660	return NULL;
1661	}
1662
1663	if (len != reallen) {
1664	__ipsec_errcode = EIPSEC_SYSTEM_ERROR;
1665	free(newmsg);
1666	return NULL;
1667	}
1668
1669	/* don't trust what the kernel says, validate! */
1670	if (PFKEY_UNUNIT64(newmsg->sadb_msg_len) != len) {
1671	__ipsec_errcode = EIPSEC_SYSTEM_ERROR;
1672	free(newmsg);
1673	return NULL;
1674	}
1675
1676	__ipsec_errcode = EIPSEC_NO_ERROR;
1677	return newmsg;
1678	}
1679
1680	/*
1681	* send message to a socket.
1682	* OUT:
1683	* others: success and return length sent.
1684	* -1 : fail.
1685	*/
1686	int
1687	pfkey_send(so, msg, len)
1688	int so;
1689	struct sadb_msg *msg;
1690	int len;
1691	{
1692	if ((len = send(so, (caddr_t)msg, len, 0)) < 0) {
1693	__ipsec_set_strerror(strerror(errno));
1694	return -1;
1695	}
1696
1697	__ipsec_errcode = EIPSEC_NO_ERROR;
1698	return len;
1699	}
1700
1701	/*
1702	* %%% Utilities
1703	* NOTE: These functions are derived from netkey/key.c in KAME.
1704	*/
1705	/*
1706	* set the pointer to each header in this message buffer.
1707	* IN: msg: pointer to message buffer.
1708	* mhp: pointer to the buffer initialized like below:
1709	* caddr_t mhp[SADB_EXT_MAX + 1];
1710	* OUT: -1: invalid.
1711	* 0: valid.
1712	*
1713	* XXX should be rewritten to obtain length explicitly
1714	*/
1715	int
1716	pfkey_align(msg, mhp)
1717	struct sadb_msg *msg;
1718	caddr_t *mhp;
1719	{
1720	struct sadb_ext *ext;
1721	int i;
1722	caddr_t p;
1723	caddr_t ep; /* XXX should be passed from upper layer */
1724
1725	/* validity check */
1726	if (msg == NULL \|\| mhp == NULL) {
1727	__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
1728	return -1;
1729	}
1730
1731	/* initialize */
1732	for (i = 0; i < SADB_EXT_MAX + 1; i++)
1733	mhp[i] = NULL;
1734
1735	mhp[0] = (caddr_t)msg;
1736
1737	/* initialize */
1738	p = (caddr_t) msg;
1739	ep = p + PFKEY_UNUNIT64(msg->sadb_msg_len);
1740
1741	/* skip base header */
1742	p += sizeof(struct sadb_msg);
1743
1744	while (p < ep) {
1745	ext = (struct sadb_ext *)p;
1746	if (ep < p + sizeof(ext) \|\| PFKEY_EXTLEN(ext) < sizeof(ext) \|\|
1747	ep < p + PFKEY_EXTLEN(ext)) {
1748	/* invalid format */
1749	break;
1750	}
1751
1752	/* duplicate check */
1753	/* XXX Are there duplication either KEY_AUTH or KEY_ENCRYPT ?*/
1754	if (mhp[ext->sadb_ext_type] != NULL) {
1755	__ipsec_errcode = EIPSEC_INVAL_EXTTYPE;
1756	return -1;
1757	}
1758
1759	/* set pointer */
1760	switch (ext->sadb_ext_type) {
1761	case SADB_EXT_SA:
1762	case SADB_EXT_LIFETIME_CURRENT:
1763	case SADB_EXT_LIFETIME_HARD:
1764	case SADB_EXT_LIFETIME_SOFT:
1765	case SADB_EXT_ADDRESS_SRC:
1766	case SADB_EXT_ADDRESS_DST:
1767	case SADB_EXT_ADDRESS_PROXY:
1768	case SADB_EXT_KEY_AUTH:
1769	/* XXX should to be check weak keys. */
1770	case SADB_EXT_KEY_ENCRYPT:
1771	/* XXX should to be check weak keys. */
1772	case SADB_EXT_IDENTITY_SRC:
1773	case SADB_EXT_IDENTITY_DST:
1774	case SADB_EXT_SENSITIVITY:
1775	case SADB_EXT_PROPOSAL:
1776	case SADB_EXT_SUPPORTED_AUTH:
1777	case SADB_EXT_SUPPORTED_ENCRYPT:
1778	case SADB_EXT_SPIRANGE:
1779	case SADB_X_EXT_POLICY:
1780	case SADB_X_EXT_SA2:
1781	mhp[ext->sadb_ext_type] = (caddr_t)ext;
1782	break;
1783	case SADB_X_EXT_NAT_T_TYPE:
1784	case SADB_X_EXT_NAT_T_SPORT:
1785	case SADB_X_EXT_NAT_T_DPORT:
1786	/* case SADB_X_EXT_NAT_T_OA: is OAI */
1787	case SADB_X_EXT_NAT_T_OAI:
1788	case SADB_X_EXT_NAT_T_OAR:
1789	case SADB_X_EXT_NAT_T_FRAG:
1790	if (feature_present("ipsec_natt")) {
1791	mhp[ext->sadb_ext_type] = (caddr_t)ext;
1792	break;
1793	}
1794	/* FALLTHROUGH */
1795	default:
1796	__ipsec_errcode = EIPSEC_INVAL_EXTTYPE;
1797	return -1;
1798	}
1799
1800	p += PFKEY_EXTLEN(ext);
1801	}
1802
1803	if (p != ep) {
1804	__ipsec_errcode = EIPSEC_INVAL_SADBMSG;
1805	return -1;
1806	}
1807
1808	__ipsec_errcode = EIPSEC_NO_ERROR;
1809	return 0;
1810	}
1811
1812	/*
1813	* check basic usage for sadb_msg,
1814	* NOTE: This routine is derived from netkey/key.c in KAME.
1815	* IN: msg: pointer to message buffer.
1816	* mhp: pointer to the buffer initialized like below:
1817	*
1818	* caddr_t mhp[SADB_EXT_MAX + 1];
1819	*
1820	* OUT: -1: invalid.
1821	* 0: valid.
1822	*/
1823	int
1824	pfkey_check(mhp)
1825	caddr_t *mhp;
1826	{
1827	struct sadb_msg *msg;
1828
1829	/* validity check */
1830	if (mhp == NULL \|\| mhp[0] == NULL) {
1831	__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
1832	return -1;
1833	}
1834
1835	msg = (struct sadb_msg *)mhp[0];
1836
1837	/* check version */
1838	if (msg->sadb_msg_version != PF_KEY_V2) {
1839	__ipsec_errcode = EIPSEC_INVAL_VERSION;
1840	return -1;
1841	}
1842
1843	/* check type */
1844	if (msg->sadb_msg_type > SADB_MAX) {
1845	__ipsec_errcode = EIPSEC_INVAL_MSGTYPE;
1846	return -1;
1847	}
1848
1849	/* check SA type */
1850	switch (msg->sadb_msg_satype) {
1851	case SADB_SATYPE_UNSPEC:
1852	switch (msg->sadb_msg_type) {
1853	case SADB_GETSPI:
1854	case SADB_UPDATE:
1855	case SADB_ADD:
1856	case SADB_DELETE:
1857	case SADB_GET:
1858	case SADB_ACQUIRE:
1859	case SADB_EXPIRE:
1860	__ipsec_errcode = EIPSEC_INVAL_SATYPE;
1861	return -1;
1862	}
1863	break;
1864	case SADB_SATYPE_ESP:
1865	case SADB_SATYPE_AH:
1866	case SADB_X_SATYPE_IPCOMP:
1867	case SADB_X_SATYPE_TCPSIGNATURE:
1868	switch (msg->sadb_msg_type) {
1869	case SADB_X_SPDADD:
1870	case SADB_X_SPDDELETE:
1871	case SADB_X_SPDGET:
1872	case SADB_X_SPDDUMP:
1873	case SADB_X_SPDFLUSH:
1874	__ipsec_errcode = EIPSEC_INVAL_SATYPE;
1875	return -1;
1876	}
1877	break;
1878	case SADB_SATYPE_RSVP:
1879	case SADB_SATYPE_OSPFV2:
1880	case SADB_SATYPE_RIPV2:
1881	case SADB_SATYPE_MIP:
1882	__ipsec_errcode = EIPSEC_NOT_SUPPORTED;
1883	return -1;
1884	case 1: /* XXX: What does it do ? */
1885	if (msg->sadb_msg_type == SADB_X_PROMISC)
1886	break;
1887	/FALLTHROUGH/
1888	default:
1889	__ipsec_errcode = EIPSEC_INVAL_SATYPE;
1890	return -1;
1891	}
1892
1893	/* check field of upper layer protocol and address family */
1894	if (mhp[SADB_EXT_ADDRESS_SRC] != NULL
1895	&& mhp[SADB_EXT_ADDRESS_DST] != NULL) {
1896	struct sadb_address src0, dst0;
1897
1898	src0 = (struct sadb_address *)(mhp[SADB_EXT_ADDRESS_SRC]);
1899	dst0 = (struct sadb_address *)(mhp[SADB_EXT_ADDRESS_DST]);
1900
1901	if (src0->sadb_address_proto != dst0->sadb_address_proto) {
1902	__ipsec_errcode = EIPSEC_PROTO_MISMATCH;
1903	return -1;
1904	}
1905
1906	if (PFKEY_ADDR_SADDR(src0)->sa_family
1907	!= PFKEY_ADDR_SADDR(dst0)->sa_family) {
1908	__ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
1909	return -1;
1910	}
1911
1912	switch (PFKEY_ADDR_SADDR(src0)->sa_family) {
1913	case AF_INET:
1914	case AF_INET6:
1915	break;
1916	default:
1917	__ipsec_errcode = EIPSEC_INVAL_FAMILY;
1918	return -1;
1919	}
1920
1921	/*
1922	* prefixlen == 0 is valid because there must be the case
1923	* all addresses are matched.
1924	*/
1925	}
1926
1927	__ipsec_errcode = EIPSEC_NO_ERROR;
1928	return 0;
1929	}
1930
1931	/*
1932	* set data into sadb_msg.
1933	* `buf' must has been allocated sufficiently.
1934	*/
1935	static caddr_t
1936	pfkey_setsadbmsg(buf, lim, type, tlen, satype, seq, pid)
1937	caddr_t buf;
1938	caddr_t lim;
1939	u_int type, satype;
1940	u_int tlen;
1941	u_int32_t seq;
1942	pid_t pid;
1943	{
1944	struct sadb_msg *p;
1945	u_int len;
1946
1947	p = (struct sadb_msg *)buf;
1948	len = sizeof(struct sadb_msg);
1949
1950	if (buf + len > lim)
1951	return NULL;
1952
1953	memset(p, 0, len);
1954	p->sadb_msg_version = PF_KEY_V2;
1955	p->sadb_msg_type = type;
1956	p->sadb_msg_errno = 0;
1957	p->sadb_msg_satype = satype;
1958	p->sadb_msg_len = PFKEY_UNIT64(tlen);
1959	p->sadb_msg_reserved = 0;
1960	p->sadb_msg_seq = seq;
1961	p->sadb_msg_pid = (u_int32_t)pid;
1962
1963	return(buf + len);
1964	}
1965
1966	/*
1967	* copy secasvar data into sadb_address.
1968	* `buf' must has been allocated sufficiently.
1969	*/
1970	static caddr_t
1971	pfkey_setsadbsa(buf, lim, spi, wsize, auth, enc, flags)
1972	caddr_t buf;
1973	caddr_t lim;
1974	u_int32_t spi, flags;
1975	u_int wsize, auth, enc;
1976	{
1977	struct sadb_sa *p;
1978	u_int len;
1979
1980	p = (struct sadb_sa *)buf;
1981	len = sizeof(struct sadb_sa);
1982
1983	if (buf + len > lim)
1984	return NULL;
1985
1986	memset(p, 0, len);
1987	p->sadb_sa_len = PFKEY_UNIT64(len);
1988	p->sadb_sa_exttype = SADB_EXT_SA;
1989	p->sadb_sa_spi = spi;
1990	p->sadb_sa_replay = wsize;
1991	p->sadb_sa_state = SADB_SASTATE_LARVAL;
1992	p->sadb_sa_auth = auth;
1993	p->sadb_sa_encrypt = enc;
1994	p->sadb_sa_flags = flags;
1995
1996	return(buf + len);
1997	}
1998
1999	/*
2000	* set data into sadb_address.
2001	* `buf' must has been allocated sufficiently.
2002	* prefixlen is in bits.
2003	*/
2004	static caddr_t
2005	pfkey_setsadbaddr(buf, lim, exttype, saddr, prefixlen, ul_proto)
2006	caddr_t buf;
2007	caddr_t lim;
2008	u_int exttype;
2009	struct sockaddr *saddr;
2010	u_int prefixlen;
2011	u_int ul_proto;
2012	{
2013	struct sadb_address *p;
2014	u_int len;
2015
2016	p = (struct sadb_address *)buf;
2017	len = sizeof(struct sadb_address) + PFKEY_ALIGN8(saddr->sa_len);
2018
2019	if (buf + len > lim)
2020	return NULL;
2021
2022	memset(p, 0, len);
2023	p->sadb_address_len = PFKEY_UNIT64(len);
2024	p->sadb_address_exttype = exttype & 0xffff;
2025	p->sadb_address_proto = ul_proto & 0xff;
2026	p->sadb_address_prefixlen = prefixlen;
2027	p->sadb_address_reserved = 0;
2028
2029	memcpy(p + 1, saddr, saddr->sa_len);
2030
2031	return(buf + len);
2032	}
2033
2034	/*
2035	* set sadb_key structure after clearing buffer with zero.
2036	* OUT: the pointer of buf + len.
2037	*/
2038	static caddr_t
2039	pfkey_setsadbkey(buf, lim, type, key, keylen)
2040	caddr_t buf;
2041	caddr_t lim;
2042	caddr_t key;
2043	u_int type, keylen;
2044	{
2045	struct sadb_key *p;
2046	u_int len;
2047
2048	p = (struct sadb_key *)buf;
2049	len = sizeof(struct sadb_key) + PFKEY_ALIGN8(keylen);
2050
2051	if (buf + len > lim)
2052	return NULL;
2053
2054	memset(p, 0, len);
2055	p->sadb_key_len = PFKEY_UNIT64(len);
2056	p->sadb_key_exttype = type;
2057	p->sadb_key_bits = keylen << 3;
2058	p->sadb_key_reserved = 0;
2059
2060	memcpy(p + 1, key, keylen);
2061
2062	return buf + len;
2063	}
2064
2065	/*
2066	* set sadb_lifetime structure after clearing buffer with zero.
2067	* OUT: the pointer of buf + len.
2068	*/
2069	static caddr_t
2070	pfkey_setsadblifetime(buf, lim, type, l_alloc, l_bytes, l_addtime, l_usetime)
2071	caddr_t buf;
2072	caddr_t lim;
2073	u_int type;
2074	u_int32_t l_alloc, l_bytes, l_addtime, l_usetime;
2075	{
2076	struct sadb_lifetime *p;
2077	u_int len;
2078
2079	p = (struct sadb_lifetime *)buf;
2080	len = sizeof(struct sadb_lifetime);
2081
2082	if (buf + len > lim)
2083	return NULL;
2084
2085	memset(p, 0, len);
2086	p->sadb_lifetime_len = PFKEY_UNIT64(len);
2087	p->sadb_lifetime_exttype = type;
2088
2089	switch (type) {
2090	case SADB_EXT_LIFETIME_SOFT:
2091	p->sadb_lifetime_allocations
2092	= (l_alloc * soft_lifetime_allocations_rate) /100;
2093	p->sadb_lifetime_bytes
2094	= (l_bytes * soft_lifetime_bytes_rate) /100;
2095	p->sadb_lifetime_addtime
2096	= (l_addtime * soft_lifetime_addtime_rate) /100;
2097	p->sadb_lifetime_usetime
2098	= (l_usetime * soft_lifetime_usetime_rate) /100;
2099	break;
2100	case SADB_EXT_LIFETIME_HARD:
2101	p->sadb_lifetime_allocations = l_alloc;
2102	p->sadb_lifetime_bytes = l_bytes;
2103	p->sadb_lifetime_addtime = l_addtime;
2104	p->sadb_lifetime_usetime = l_usetime;
2105	break;
2106	}
2107
2108	return buf + len;
2109	}
2110
2111	/*
2112	* copy secasvar data into sadb_address.
2113	* `buf' must has been allocated sufficiently.
2114	*/
2115	static caddr_t
2116	pfkey_setsadbxsa2(buf, lim, mode0, reqid)
2117	caddr_t buf;
2118	caddr_t lim;
2119	u_int32_t mode0;
2120	u_int32_t reqid;
2121	{
2122	struct sadb_x_sa2 *p;
2123	u_int8_t mode = mode0 & 0xff;
2124	u_int len;
2125
2126	p = (struct sadb_x_sa2 *)buf;
2127	len = sizeof(struct sadb_x_sa2);
2128
2129	if (buf + len > lim)
2130	return NULL;
2131
2132	memset(p, 0, len);
2133	p->sadb_x_sa2_len = PFKEY_UNIT64(len);
2134	p->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
2135	p->sadb_x_sa2_mode = mode;
2136	p->sadb_x_sa2_reqid = reqid;
2137
2138	return(buf + len);
2139	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: