1 | #include <machine/rtems-bsd-user-space.h> |
---|
2 | |
---|
3 | #ifdef __rtems__ |
---|
4 | /* Only need socket from rtems-bsd-program wrappers! */ |
---|
5 | int |
---|
6 | rtems_bsd_program_socket(int domain, int type, int protocol); |
---|
7 | #define socket(domain, type, protocol) \ |
---|
8 | rtems_bsd_program_socket(domain, type, protocol) |
---|
9 | #endif /* __rtems__ */ |
---|
10 | /* $NetBSD: pfkey.c,v 1.21.2.1 2011/11/14 13:25:06 tteras Exp $ */ |
---|
11 | |
---|
12 | /* $KAME: pfkey.c,v 1.47 2003/10/02 19:52:12 itojun Exp $ */ |
---|
13 | |
---|
14 | /* |
---|
15 | * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project. |
---|
16 | * All rights reserved. |
---|
17 | * |
---|
18 | * Redistribution and use in source and binary forms, with or without |
---|
19 | * modification, are permitted provided that the following conditions |
---|
20 | * are met: |
---|
21 | * 1. Redistributions of source code must retain the above copyright |
---|
22 | * notice, this list of conditions and the following disclaimer. |
---|
23 | * 2. Redistributions in binary form must reproduce the above copyright |
---|
24 | * notice, this list of conditions and the following disclaimer in the |
---|
25 | * documentation and/or other materials provided with the distribution. |
---|
26 | * 3. Neither the name of the project nor the names of its contributors |
---|
27 | * may be used to endorse or promote products derived from this software |
---|
28 | * without specific prior written permission. |
---|
29 | * |
---|
30 | * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND |
---|
31 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
---|
32 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
---|
33 | * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE |
---|
34 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
---|
35 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
---|
36 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
---|
37 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
---|
38 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
---|
39 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
---|
40 | * SUCH DAMAGE. |
---|
41 | */ |
---|
42 | |
---|
43 | #ifdef HAVE_CONFIG_H |
---|
44 | #include "config.h" |
---|
45 | #endif |
---|
46 | |
---|
47 | #include <sys/types.h> |
---|
48 | #include <sys/param.h> |
---|
49 | #include <sys/socket.h> |
---|
50 | #include <net/pfkeyv2.h> |
---|
51 | #include <netinet/in.h> |
---|
52 | #include PATH_IPSEC_H |
---|
53 | |
---|
54 | #include <stdlib.h> |
---|
55 | #include <unistd.h> |
---|
56 | #include <string.h> |
---|
57 | #include <errno.h> |
---|
58 | #include <stdio.h> |
---|
59 | |
---|
60 | #include "ipsec_strerror.h" |
---|
61 | #include "libpfkey.h" |
---|
62 | |
---|
63 | #define CALLOC(size, cast) (cast)calloc(1, (size)) |
---|
64 | |
---|
65 | static int findsupportedmap __P((int)); |
---|
66 | static int setsupportedmap __P((struct sadb_supported *)); |
---|
67 | static struct sadb_alg *findsupportedalg __P((u_int, u_int)); |
---|
68 | static int pfkey_send_x1 __P((struct pfkey_send_sa_args *)); |
---|
69 | static int pfkey_send_x2 __P((int, u_int, u_int, u_int, |
---|
70 | struct sockaddr *, struct sockaddr *, u_int32_t)); |
---|
71 | static int pfkey_send_x3 __P((int, u_int, u_int)); |
---|
72 | static int pfkey_send_x4 __P((int, u_int, struct sockaddr *, u_int, |
---|
73 | struct sockaddr *, u_int, u_int, u_int64_t, u_int64_t, |
---|
74 | char *, int, u_int32_t)); |
---|
75 | static int pfkey_send_x5 __P((int, u_int, u_int32_t)); |
---|
76 | |
---|
77 | static caddr_t pfkey_setsadbmsg __P((caddr_t, caddr_t, u_int, u_int, |
---|
78 | u_int, u_int32_t, pid_t)); |
---|
79 | static caddr_t pfkey_setsadbsa __P((caddr_t, caddr_t, u_int32_t, u_int, |
---|
80 | u_int, u_int, u_int32_t)); |
---|
81 | static caddr_t pfkey_setsadbaddr __P((caddr_t, caddr_t, u_int, |
---|
82 | struct sockaddr *, u_int, u_int)); |
---|
83 | |
---|
84 | #ifdef SADB_X_EXT_KMADDRESS |
---|
85 | static caddr_t pfkey_setsadbkmaddr __P((caddr_t, caddr_t, struct sockaddr *, |
---|
86 | struct sockaddr *)); |
---|
87 | #endif |
---|
88 | |
---|
89 | static caddr_t pfkey_setsadbkey __P((caddr_t, caddr_t, u_int, caddr_t, u_int)); |
---|
90 | static caddr_t pfkey_setsadblifetime __P((caddr_t, caddr_t, u_int, u_int32_t, |
---|
91 | u_int32_t, u_int32_t, u_int32_t)); |
---|
92 | static caddr_t pfkey_setsadbxsa2 __P((caddr_t, caddr_t, u_int32_t, u_int32_t)); |
---|
93 | |
---|
94 | #ifdef SADB_X_EXT_NAT_T_TYPE |
---|
95 | static caddr_t pfkey_set_natt_type __P((caddr_t, caddr_t, u_int, u_int8_t)); |
---|
96 | static caddr_t pfkey_set_natt_port __P((caddr_t, caddr_t, u_int, u_int16_t)); |
---|
97 | #endif |
---|
98 | #ifdef SADB_X_EXT_NAT_T_FRAG |
---|
99 | static caddr_t pfkey_set_natt_frag __P((caddr_t, caddr_t, u_int, u_int16_t)); |
---|
100 | #endif |
---|
101 | |
---|
102 | #ifdef SADB_X_EXT_SEC_CTX |
---|
103 | static caddr_t pfkey_setsecctx __P((caddr_t, caddr_t, u_int, u_int8_t, u_int8_t, |
---|
104 | caddr_t, u_int16_t)); |
---|
105 | #endif |
---|
106 | |
---|
107 | #ifndef __rtems__ |
---|
108 | int libipsec_opt = 0 |
---|
109 | #else /* __rtems__ */ |
---|
110 | const int libipsec_opt = 0 |
---|
111 | #endif /* __rtems__ */ |
---|
112 | #ifdef SADB_X_EXT_NAT_T_TYPE |
---|
113 | | LIBIPSEC_OPT_NATT |
---|
114 | #endif |
---|
115 | #ifdef SADB_X_EXT_NAT_T_FRAG |
---|
116 | | LIBIPSEC_OPT_FRAG |
---|
117 | #endif |
---|
118 | #ifdef SADB_X_EXT_NAT_T_SEC_CTX |
---|
119 | | LIBIPSEC_OPT_SEC_CTX |
---|
120 | #endif |
---|
121 | ; |
---|
122 | |
---|
123 | /* |
---|
124 | * make and search supported algorithm structure. |
---|
125 | */ |
---|
126 | static struct sadb_supported *ipsec_supported[] = { NULL, NULL, NULL, |
---|
127 | #ifdef SADB_X_SATYPE_TCPSIGNATURE |
---|
128 | NULL, |
---|
129 | #endif |
---|
130 | }; |
---|
131 | |
---|
132 | #ifndef __rtems__ |
---|
133 | static int supported_map[] = { |
---|
134 | #else /* __rtems__ */ |
---|
135 | static const int supported_map[] = { |
---|
136 | #endif /* __rtems__ */ |
---|
137 | SADB_SATYPE_AH, |
---|
138 | SADB_SATYPE_ESP, |
---|
139 | SADB_X_SATYPE_IPCOMP, |
---|
140 | #ifdef SADB_X_SATYPE_TCPSIGNATURE |
---|
141 | SADB_X_SATYPE_TCPSIGNATURE, |
---|
142 | #endif |
---|
143 | }; |
---|
144 | |
---|
145 | static int |
---|
146 | findsupportedmap(satype) |
---|
147 | int satype; |
---|
148 | { |
---|
149 | int i; |
---|
150 | |
---|
151 | for (i = 0; i < sizeof(supported_map)/sizeof(supported_map[0]); i++) |
---|
152 | if (supported_map[i] == satype) |
---|
153 | return i; |
---|
154 | return -1; |
---|
155 | } |
---|
156 | |
---|
157 | static struct sadb_alg * |
---|
158 | findsupportedalg(satype, alg_id) |
---|
159 | u_int satype, alg_id; |
---|
160 | { |
---|
161 | int algno; |
---|
162 | int tlen; |
---|
163 | caddr_t p; |
---|
164 | |
---|
165 | /* validity check */ |
---|
166 | algno = findsupportedmap((int)satype); |
---|
167 | if (algno == -1) { |
---|
168 | __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; |
---|
169 | return NULL; |
---|
170 | } |
---|
171 | if (ipsec_supported[algno] == NULL) { |
---|
172 | __ipsec_errcode = EIPSEC_DO_GET_SUPP_LIST; |
---|
173 | return NULL; |
---|
174 | } |
---|
175 | |
---|
176 | tlen = ipsec_supported[algno]->sadb_supported_len |
---|
177 | - sizeof(struct sadb_supported); |
---|
178 | p = (void *)(ipsec_supported[algno] + 1); |
---|
179 | while (tlen > 0) { |
---|
180 | if (tlen < sizeof(struct sadb_alg)) { |
---|
181 | /* invalid format */ |
---|
182 | break; |
---|
183 | } |
---|
184 | if (((struct sadb_alg *)(void *)p)->sadb_alg_id == alg_id) |
---|
185 | return (void *)p; |
---|
186 | |
---|
187 | tlen -= sizeof(struct sadb_alg); |
---|
188 | p += sizeof(struct sadb_alg); |
---|
189 | } |
---|
190 | |
---|
191 | __ipsec_errcode = EIPSEC_NOT_SUPPORTED; |
---|
192 | return NULL; |
---|
193 | } |
---|
194 | |
---|
195 | static int |
---|
196 | setsupportedmap(sup) |
---|
197 | struct sadb_supported *sup; |
---|
198 | { |
---|
199 | struct sadb_supported **ipsup; |
---|
200 | |
---|
201 | switch (sup->sadb_supported_exttype) { |
---|
202 | case SADB_EXT_SUPPORTED_AUTH: |
---|
203 | ipsup = &ipsec_supported[findsupportedmap(SADB_SATYPE_AH)]; |
---|
204 | break; |
---|
205 | case SADB_EXT_SUPPORTED_ENCRYPT: |
---|
206 | ipsup = &ipsec_supported[findsupportedmap(SADB_SATYPE_ESP)]; |
---|
207 | break; |
---|
208 | default: |
---|
209 | __ipsec_errcode = EIPSEC_INVAL_SATYPE; |
---|
210 | return -1; |
---|
211 | } |
---|
212 | |
---|
213 | if (*ipsup) |
---|
214 | free(*ipsup); |
---|
215 | |
---|
216 | *ipsup = malloc((size_t)sup->sadb_supported_len); |
---|
217 | if (!*ipsup) { |
---|
218 | __ipsec_set_strerror(strerror(errno)); |
---|
219 | return -1; |
---|
220 | } |
---|
221 | memcpy(*ipsup, sup, (size_t)sup->sadb_supported_len); |
---|
222 | |
---|
223 | return 0; |
---|
224 | } |
---|
225 | |
---|
226 | /* |
---|
227 | * check key length against algorithm specified. |
---|
228 | * This function is called with SADB_EXT_SUPPORTED_{AUTH,ENCRYPT} as the |
---|
229 | * augument, and only calls to ipsec_check_keylen2(); |
---|
230 | * keylen is the unit of bit. |
---|
231 | * OUT: |
---|
232 | * -1: invalid. |
---|
233 | * 0: valid. |
---|
234 | */ |
---|
235 | int |
---|
236 | ipsec_check_keylen(supported, alg_id, keylen) |
---|
237 | u_int supported; |
---|
238 | u_int alg_id; |
---|
239 | u_int keylen; |
---|
240 | { |
---|
241 | u_int satype; |
---|
242 | |
---|
243 | /* validity check */ |
---|
244 | switch (supported) { |
---|
245 | case SADB_EXT_SUPPORTED_AUTH: |
---|
246 | satype = SADB_SATYPE_AH; |
---|
247 | break; |
---|
248 | case SADB_EXT_SUPPORTED_ENCRYPT: |
---|
249 | satype = SADB_SATYPE_ESP; |
---|
250 | break; |
---|
251 | default: |
---|
252 | __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; |
---|
253 | return -1; |
---|
254 | } |
---|
255 | |
---|
256 | return ipsec_check_keylen2(satype, alg_id, keylen); |
---|
257 | } |
---|
258 | |
---|
259 | /* |
---|
260 | * check key length against algorithm specified. |
---|
261 | * satype is one of satype defined at pfkeyv2.h. |
---|
262 | * keylen is the unit of bit. |
---|
263 | * OUT: |
---|
264 | * -1: invalid. |
---|
265 | * 0: valid. |
---|
266 | */ |
---|
267 | int |
---|
268 | ipsec_check_keylen2(satype, alg_id, keylen) |
---|
269 | u_int satype; |
---|
270 | u_int alg_id; |
---|
271 | u_int keylen; |
---|
272 | { |
---|
273 | struct sadb_alg *alg; |
---|
274 | |
---|
275 | alg = findsupportedalg(satype, alg_id); |
---|
276 | if (!alg) |
---|
277 | return -1; |
---|
278 | |
---|
279 | if (keylen < alg->sadb_alg_minbits || keylen > alg->sadb_alg_maxbits) { |
---|
280 | fprintf(stderr, "%d %d %d\n", keylen, alg->sadb_alg_minbits, |
---|
281 | alg->sadb_alg_maxbits); |
---|
282 | __ipsec_errcode = EIPSEC_INVAL_KEYLEN; |
---|
283 | return -1; |
---|
284 | } |
---|
285 | |
---|
286 | __ipsec_errcode = EIPSEC_NO_ERROR; |
---|
287 | return 0; |
---|
288 | } |
---|
289 | |
---|
290 | /* |
---|
291 | * get max/min key length against algorithm specified. |
---|
292 | * satype is one of satype defined at pfkeyv2.h. |
---|
293 | * keylen is the unit of bit. |
---|
294 | * OUT: |
---|
295 | * -1: invalid. |
---|
296 | * 0: valid. |
---|
297 | */ |
---|
298 | int |
---|
299 | ipsec_get_keylen(supported, alg_id, alg0) |
---|
300 | u_int supported, alg_id; |
---|
301 | struct sadb_alg *alg0; |
---|
302 | { |
---|
303 | struct sadb_alg *alg; |
---|
304 | u_int satype; |
---|
305 | |
---|
306 | /* validity check */ |
---|
307 | if (!alg0) { |
---|
308 | __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; |
---|
309 | return -1; |
---|
310 | } |
---|
311 | |
---|
312 | switch (supported) { |
---|
313 | case SADB_EXT_SUPPORTED_AUTH: |
---|
314 | satype = SADB_SATYPE_AH; |
---|
315 | break; |
---|
316 | case SADB_EXT_SUPPORTED_ENCRYPT: |
---|
317 | satype = SADB_SATYPE_ESP; |
---|
318 | break; |
---|
319 | default: |
---|
320 | __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; |
---|
321 | return -1; |
---|
322 | } |
---|
323 | |
---|
324 | alg = findsupportedalg(satype, alg_id); |
---|
325 | if (!alg) |
---|
326 | return -1; |
---|
327 | |
---|
328 | memcpy(alg0, alg, sizeof(*alg0)); |
---|
329 | |
---|
330 | __ipsec_errcode = EIPSEC_NO_ERROR; |
---|
331 | return 0; |
---|
332 | } |
---|
333 | |
---|
334 | /* |
---|
335 | * set the rate for SOFT lifetime against HARD one. |
---|
336 | * If rate is more than 100 or equal to zero, then set to 100. |
---|
337 | */ |
---|
338 | static u_int soft_lifetime_allocations_rate = PFKEY_SOFT_LIFETIME_RATE; |
---|
339 | static u_int soft_lifetime_bytes_rate = PFKEY_SOFT_LIFETIME_RATE; |
---|
340 | static u_int soft_lifetime_addtime_rate = PFKEY_SOFT_LIFETIME_RATE; |
---|
341 | static u_int soft_lifetime_usetime_rate = PFKEY_SOFT_LIFETIME_RATE; |
---|
342 | |
---|
343 | u_int |
---|
344 | pfkey_set_softrate(type, rate) |
---|
345 | u_int type, rate; |
---|
346 | { |
---|
347 | __ipsec_errcode = EIPSEC_NO_ERROR; |
---|
348 | |
---|
349 | if (rate > 100 || rate == 0) |
---|
350 | rate = 100; |
---|
351 | |
---|
352 | switch (type) { |
---|
353 | case SADB_X_LIFETIME_ALLOCATIONS: |
---|
354 | soft_lifetime_allocations_rate = rate; |
---|
355 | return 0; |
---|
356 | case SADB_X_LIFETIME_BYTES: |
---|
357 | soft_lifetime_bytes_rate = rate; |
---|
358 | return 0; |
---|
359 | case SADB_X_LIFETIME_ADDTIME: |
---|
360 | soft_lifetime_addtime_rate = rate; |
---|
361 | return 0; |
---|
362 | case SADB_X_LIFETIME_USETIME: |
---|
363 | soft_lifetime_usetime_rate = rate; |
---|
364 | return 0; |
---|
365 | } |
---|
366 | |
---|
367 | __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; |
---|
368 | return 1; |
---|
369 | } |
---|
370 | |
---|
371 | /* |
---|
372 | * get current rate for SOFT lifetime against HARD one. |
---|
373 | * ATTENTION: ~0 is returned if invalid type was passed. |
---|
374 | */ |
---|
375 | u_int |
---|
376 | pfkey_get_softrate(type) |
---|
377 | u_int type; |
---|
378 | { |
---|
379 | switch (type) { |
---|
380 | case SADB_X_LIFETIME_ALLOCATIONS: |
---|
381 | return soft_lifetime_allocations_rate; |
---|
382 | case SADB_X_LIFETIME_BYTES: |
---|
383 | return soft_lifetime_bytes_rate; |
---|
384 | case SADB_X_LIFETIME_ADDTIME: |
---|
385 | return soft_lifetime_addtime_rate; |
---|
386 | case SADB_X_LIFETIME_USETIME: |
---|
387 | return soft_lifetime_usetime_rate; |
---|
388 | } |
---|
389 | |
---|
390 | return (u_int)~0; |
---|
391 | } |
---|
392 | |
---|
393 | /* |
---|
394 | * sending SADB_GETSPI message to the kernel. |
---|
395 | * OUT: |
---|
396 | * positive: success and return length sent. |
---|
397 | * -1 : error occured, and set errno. |
---|
398 | */ |
---|
399 | int |
---|
400 | pfkey_send_getspi_nat(int so, u_int satype, u_int mode, struct sockaddr *src, |
---|
401 | struct sockaddr *dst, u_int8_t natt_type, u_int16_t sport, |
---|
402 | u_int16_t dport, u_int32_t min, u_int32_t max, u_int32_t reqid, |
---|
403 | u_int32_t seq) |
---|
404 | { |
---|
405 | struct sadb_msg *newmsg; |
---|
406 | caddr_t ep; |
---|
407 | int len; |
---|
408 | int need_spirange = 0; |
---|
409 | caddr_t p; |
---|
410 | int plen; |
---|
411 | |
---|
412 | /* validity check */ |
---|
413 | if (src == NULL || dst == NULL) { |
---|
414 | __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; |
---|
415 | return -1; |
---|
416 | } |
---|
417 | if (src->sa_family != dst->sa_family) { |
---|
418 | __ipsec_errcode = EIPSEC_FAMILY_MISMATCH; |
---|
419 | return -1; |
---|
420 | } |
---|
421 | if (min > max || (min > 0 && min <= 255)) { |
---|
422 | __ipsec_errcode = EIPSEC_INVAL_SPI; |
---|
423 | return -1; |
---|
424 | } |
---|
425 | switch (src->sa_family) { |
---|
426 | case AF_INET: |
---|
427 | plen = sizeof(struct in_addr) << 3; |
---|
428 | break; |
---|
429 | case AF_INET6: |
---|
430 | plen = sizeof(struct in6_addr) << 3; |
---|
431 | break; |
---|
432 | default: |
---|
433 | __ipsec_errcode = EIPSEC_INVAL_FAMILY; |
---|
434 | return -1; |
---|
435 | } |
---|
436 | |
---|
437 | /* create new sadb_msg to send. */ |
---|
438 | len = sizeof(struct sadb_msg) |
---|
439 | + sizeof(struct sadb_x_sa2) |
---|
440 | + sizeof(struct sadb_address) |
---|
441 | + PFKEY_ALIGN8(sysdep_sa_len(src)) |
---|
442 | + sizeof(struct sadb_address) |
---|
443 | + PFKEY_ALIGN8(sysdep_sa_len(dst)); |
---|
444 | |
---|
445 | if (min > 255 && max < (u_int)~0) { |
---|
446 | need_spirange++; |
---|
447 | len += sizeof(struct sadb_spirange); |
---|
448 | } |
---|
449 | |
---|
450 | #ifdef SADB_X_EXT_NAT_T_TYPE |
---|
451 | if(natt_type||sport||dport){ |
---|
452 | len += sizeof(struct sadb_x_nat_t_type); |
---|
453 | len += sizeof(struct sadb_x_nat_t_port); |
---|
454 | len += sizeof(struct sadb_x_nat_t_port); |
---|
455 | } |
---|
456 | #endif |
---|
457 | |
---|
458 | if ((newmsg = CALLOC((size_t)len, struct sadb_msg *)) == NULL) { |
---|
459 | __ipsec_set_strerror(strerror(errno)); |
---|
460 | return -1; |
---|
461 | } |
---|
462 | ep = ((caddr_t)(void *)newmsg) + len; |
---|
463 | |
---|
464 | p = pfkey_setsadbmsg((void *)newmsg, ep, SADB_GETSPI, |
---|
465 | (u_int)len, satype, seq, getpid()); |
---|
466 | if (!p) { |
---|
467 | free(newmsg); |
---|
468 | return -1; |
---|
469 | } |
---|
470 | |
---|
471 | p = pfkey_setsadbxsa2(p, ep, mode, reqid); |
---|
472 | if (!p) { |
---|
473 | free(newmsg); |
---|
474 | return -1; |
---|
475 | } |
---|
476 | |
---|
477 | /* set sadb_address for source */ |
---|
478 | p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, (u_int)plen, |
---|
479 | IPSEC_ULPROTO_ANY); |
---|
480 | if (!p) { |
---|
481 | free(newmsg); |
---|
482 | return -1; |
---|
483 | } |
---|
484 | |
---|
485 | /* set sadb_address for destination */ |
---|
486 | p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, (u_int)plen, |
---|
487 | IPSEC_ULPROTO_ANY); |
---|
488 | if (!p) { |
---|
489 | free(newmsg); |
---|
490 | return -1; |
---|
491 | } |
---|
492 | |
---|
493 | #ifdef SADB_X_EXT_NAT_T_TYPE |
---|
494 | /* Add nat-t messages */ |
---|
495 | if (natt_type) { |
---|
496 | p = pfkey_set_natt_type(p, ep, SADB_X_EXT_NAT_T_TYPE, |
---|
497 | natt_type); |
---|
498 | if (!p) { |
---|
499 | free(newmsg); |
---|
500 | return -1; |
---|
501 | } |
---|
502 | |
---|
503 | p = pfkey_set_natt_port(p, ep, SADB_X_EXT_NAT_T_SPORT, |
---|
504 | sport); |
---|
505 | if (!p) { |
---|
506 | free(newmsg); |
---|
507 | return -1; |
---|
508 | } |
---|
509 | |
---|
510 | p = pfkey_set_natt_port(p, ep, SADB_X_EXT_NAT_T_DPORT, |
---|
511 | dport); |
---|
512 | if (!p) { |
---|
513 | free(newmsg); |
---|
514 | return -1; |
---|
515 | } |
---|
516 | } |
---|
517 | #endif |
---|
518 | |
---|
519 | /* proccessing spi range */ |
---|
520 | if (need_spirange) { |
---|
521 | struct sadb_spirange spirange; |
---|
522 | |
---|
523 | if (p + sizeof(spirange) > ep) { |
---|
524 | free(newmsg); |
---|
525 | return -1; |
---|
526 | } |
---|
527 | |
---|
528 | memset(&spirange, 0, sizeof(spirange)); |
---|
529 | spirange.sadb_spirange_len = PFKEY_UNIT64(sizeof(spirange)); |
---|
530 | spirange.sadb_spirange_exttype = SADB_EXT_SPIRANGE; |
---|
531 | spirange.sadb_spirange_min = min; |
---|
532 | spirange.sadb_spirange_max = max; |
---|
533 | |
---|
534 | memcpy(p, &spirange, sizeof(spirange)); |
---|
535 | |
---|
536 | p += sizeof(spirange); |
---|
537 | } |
---|
538 | if (p != ep) { |
---|
539 | free(newmsg); |
---|
540 | return -1; |
---|
541 | } |
---|
542 | |
---|
543 | /* send message */ |
---|
544 | len = pfkey_send(so, newmsg, len); |
---|
545 | free(newmsg); |
---|
546 | |
---|
547 | if (len < 0) |
---|
548 | return -1; |
---|
549 | |
---|
550 | __ipsec_errcode = EIPSEC_NO_ERROR; |
---|
551 | return len; |
---|
552 | } |
---|
553 | |
---|
554 | int |
---|
555 | pfkey_send_getspi(int so, u_int satype, u_int mode, struct sockaddr *src, |
---|
556 | struct sockaddr *dst, u_int32_t min, u_int32_t max, u_int32_t reqid, |
---|
557 | u_int32_t seq) |
---|
558 | { |
---|
559 | return pfkey_send_getspi_nat(so, satype, mode, src, dst, 0, 0, 0, |
---|
560 | min, max, reqid, seq); |
---|
561 | } |
---|
562 | |
---|
563 | /* |
---|
564 | * sending SADB_UPDATE message to the kernel. |
---|
565 | * The length of key material is a_keylen + e_keylen. |
---|
566 | * OUT: |
---|
567 | * positive: success and return length sent. |
---|
568 | * -1 : error occured, and set errno. |
---|
569 | */ |
---|
570 | int |
---|
571 | pfkey_send_update2(struct pfkey_send_sa_args *sa_parms) |
---|
572 | { |
---|
573 | int len; |
---|
574 | |
---|
575 | sa_parms->type = SADB_UPDATE; |
---|
576 | if ((len = pfkey_send_x1(sa_parms)) < 0) |
---|
577 | return -1; |
---|
578 | |
---|
579 | return len; |
---|
580 | } |
---|
581 | |
---|
582 | /* |
---|
583 | * sending SADB_ADD message to the kernel. |
---|
584 | * The length of key material is a_keylen + e_keylen. |
---|
585 | * OUT: |
---|
586 | * positive: success and return length sent. |
---|
587 | * -1 : error occured, and set errno. |
---|
588 | */ |
---|
589 | int |
---|
590 | pfkey_send_add2(struct pfkey_send_sa_args *sa_parms) |
---|
591 | { |
---|
592 | int len; |
---|
593 | |
---|
594 | sa_parms->type = SADB_ADD; |
---|
595 | if ((len = pfkey_send_x1(sa_parms)) < 0) |
---|
596 | return -1; |
---|
597 | |
---|
598 | return len; |
---|
599 | } |
---|
600 | |
---|
601 | /* |
---|
602 | * sending SADB_DELETE message to the kernel. |
---|
603 | * OUT: |
---|
604 | * positive: success and return length sent. |
---|
605 | * -1 : error occured, and set errno. |
---|
606 | */ |
---|
607 | int |
---|
608 | pfkey_send_delete(int so, u_int satype, u_int mode, struct sockaddr *src, |
---|
609 | struct sockaddr *dst, u_int32_t spi) |
---|
610 | { |
---|
611 | int len; |
---|
612 | if ((len = pfkey_send_x2(so, SADB_DELETE, satype, mode, src, dst, spi)) < 0) |
---|
613 | return -1; |
---|
614 | |
---|
615 | return len; |
---|
616 | } |
---|
617 | |
---|
618 | /* |
---|
619 | * sending SADB_DELETE without spi to the kernel. This is |
---|
620 | * the "delete all" request (an extension also present in |
---|
621 | * Solaris). |
---|
622 | * |
---|
623 | * OUT: |
---|
624 | * positive: success and return length sent |
---|
625 | * -1 : error occured, and set errno |
---|
626 | */ |
---|
627 | /*ARGSUSED*/ |
---|
628 | int |
---|
629 | pfkey_send_delete_all(int so, u_int satype, u_int mode, struct sockaddr *src, |
---|
630 | struct sockaddr *dst) |
---|
631 | { |
---|
632 | struct sadb_msg *newmsg; |
---|
633 | int len; |
---|
634 | caddr_t p; |
---|
635 | int plen; |
---|
636 | caddr_t ep; |
---|
637 | |
---|
638 | /* validity check */ |
---|
639 | if (src == NULL || dst == NULL) { |
---|
640 | __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; |
---|
641 | return -1; |
---|
642 | } |
---|
643 | if (src->sa_family != dst->sa_family) { |
---|
644 | __ipsec_errcode = EIPSEC_FAMILY_MISMATCH; |
---|
645 | return -1; |
---|
646 | } |
---|
647 | switch (src->sa_family) { |
---|
648 | case AF_INET: |
---|
649 | plen = sizeof(struct in_addr) << 3; |
---|
650 | break; |
---|
651 | case AF_INET6: |
---|
652 | plen = sizeof(struct in6_addr) << 3; |
---|
653 | break; |
---|
654 | default: |
---|
655 | __ipsec_errcode = EIPSEC_INVAL_FAMILY; |
---|
656 | return -1; |
---|
657 | } |
---|
658 | |
---|
659 | /* create new sadb_msg to reply. */ |
---|
660 | len = sizeof(struct sadb_msg) |
---|
661 | + sizeof(struct sadb_address) |
---|
662 | + PFKEY_ALIGN8(sysdep_sa_len(src)) |
---|
663 | + sizeof(struct sadb_address) |
---|
664 | + PFKEY_ALIGN8(sysdep_sa_len(dst)); |
---|
665 | |
---|
666 | if ((newmsg = CALLOC((size_t)len, struct sadb_msg *)) == NULL) { |
---|
667 | __ipsec_set_strerror(strerror(errno)); |
---|
668 | return -1; |
---|
669 | } |
---|
670 | ep = ((caddr_t)(void *)newmsg) + len; |
---|
671 | |
---|
672 | p = pfkey_setsadbmsg((void *)newmsg, ep, SADB_DELETE, (u_int)len, |
---|
673 | satype, 0, getpid()); |
---|
674 | if (!p) { |
---|
675 | free(newmsg); |
---|
676 | return -1; |
---|
677 | } |
---|
678 | p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, (u_int)plen, |
---|
679 | IPSEC_ULPROTO_ANY); |
---|
680 | if (!p) { |
---|
681 | free(newmsg); |
---|
682 | return -1; |
---|
683 | } |
---|
684 | p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, (u_int)plen, |
---|
685 | IPSEC_ULPROTO_ANY); |
---|
686 | if (!p || p != ep) { |
---|
687 | free(newmsg); |
---|
688 | return -1; |
---|
689 | } |
---|
690 | |
---|
691 | /* send message */ |
---|
692 | len = pfkey_send(so, newmsg, len); |
---|
693 | free(newmsg); |
---|
694 | |
---|
695 | if (len < 0) |
---|
696 | return -1; |
---|
697 | |
---|
698 | __ipsec_errcode = EIPSEC_NO_ERROR; |
---|
699 | return len; |
---|
700 | } |
---|
701 | |
---|
702 | /* |
---|
703 | * sending SADB_GET message to the kernel. |
---|
704 | * OUT: |
---|
705 | * positive: success and return length sent. |
---|
706 | * -1 : error occured, and set errno. |
---|
707 | */ |
---|
708 | int |
---|
709 | pfkey_send_get(int so, u_int satype, u_int mode, struct sockaddr *src, |
---|
710 | struct sockaddr *dst, u_int32_t spi) |
---|
711 | { |
---|
712 | int len; |
---|
713 | if ((len = pfkey_send_x2(so, SADB_GET, satype, mode, src, dst, spi)) < 0) |
---|
714 | return -1; |
---|
715 | |
---|
716 | return len; |
---|
717 | } |
---|
718 | |
---|
719 | /* |
---|
720 | * sending SADB_REGISTER message to the kernel. |
---|
721 | * OUT: |
---|
722 | * positive: success and return length sent. |
---|
723 | * -1 : error occured, and set errno. |
---|
724 | */ |
---|
725 | int |
---|
726 | pfkey_send_register(int so, u_int satype) |
---|
727 | { |
---|
728 | int len, algno; |
---|
729 | |
---|
730 | if (satype == PF_UNSPEC) { |
---|
731 | for (algno = 0; |
---|
732 | algno < sizeof(supported_map)/sizeof(supported_map[0]); |
---|
733 | algno++) { |
---|
734 | if (ipsec_supported[algno]) { |
---|
735 | free(ipsec_supported[algno]); |
---|
736 | ipsec_supported[algno] = NULL; |
---|
737 | } |
---|
738 | } |
---|
739 | } else { |
---|
740 | algno = findsupportedmap((int)satype); |
---|
741 | if (algno == -1) { |
---|
742 | __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; |
---|
743 | return -1; |
---|
744 | } |
---|
745 | |
---|
746 | if (ipsec_supported[algno]) { |
---|
747 | free(ipsec_supported[algno]); |
---|
748 | ipsec_supported[algno] = NULL; |
---|
749 | } |
---|
750 | } |
---|
751 | |
---|
752 | if ((len = pfkey_send_x3(so, SADB_REGISTER, satype)) < 0) |
---|
753 | return -1; |
---|
754 | |
---|
755 | return len; |
---|
756 | } |
---|
757 | |
---|
758 | /* |
---|
759 | * receiving SADB_REGISTER message from the kernel, and copy buffer for |
---|
760 | * sadb_supported returned into ipsec_supported. |
---|
761 | * OUT: |
---|
762 | * 0: success and return length sent. |
---|
763 | * -1: error occured, and set errno. |
---|
764 | */ |
---|
765 | int |
---|
766 | pfkey_recv_register(int so) |
---|
767 | { |
---|
768 | pid_t pid = getpid(); |
---|
769 | struct sadb_msg *newmsg; |
---|
770 | int error = -1; |
---|
771 | |
---|
772 | /* receive message */ |
---|
773 | for (;;) { |
---|
774 | if ((newmsg = pfkey_recv(so)) == NULL) |
---|
775 | return -1; |
---|
776 | if (newmsg->sadb_msg_type == SADB_REGISTER && |
---|
777 | newmsg->sadb_msg_pid == pid) |
---|
778 | break; |
---|
779 | free(newmsg); |
---|
780 | } |
---|
781 | |
---|
782 | /* check and fix */ |
---|
783 | newmsg->sadb_msg_len = PFKEY_UNUNIT64(newmsg->sadb_msg_len); |
---|
784 | |
---|
785 | error = pfkey_set_supported(newmsg, newmsg->sadb_msg_len); |
---|
786 | free(newmsg); |
---|
787 | |
---|
788 | if (error == 0) |
---|
789 | __ipsec_errcode = EIPSEC_NO_ERROR; |
---|
790 | |
---|
791 | return error; |
---|
792 | } |
---|
793 | |
---|
794 | /* |
---|
795 | * receiving SADB_REGISTER message from the kernel, and copy buffer for |
---|
796 | * sadb_supported returned into ipsec_supported. |
---|
797 | * NOTE: sadb_msg_len must be host order. |
---|
798 | * IN: |
---|
799 | * tlen: msg length, it's to makeing sure. |
---|
800 | * OUT: |
---|
801 | * 0: success and return length sent. |
---|
802 | * -1: error occured, and set errno. |
---|
803 | */ |
---|
804 | int |
---|
805 | pfkey_set_supported(struct sadb_msg *msg, int tlen) |
---|
806 | { |
---|
807 | struct sadb_supported *sup; |
---|
808 | caddr_t p; |
---|
809 | caddr_t ep; |
---|
810 | |
---|
811 | /* validity */ |
---|
812 | if (msg->sadb_msg_len != tlen) { |
---|
813 | __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; |
---|
814 | return -1; |
---|
815 | } |
---|
816 | |
---|
817 | p = (void *)msg; |
---|
818 | ep = p + tlen; |
---|
819 | |
---|
820 | p += sizeof(struct sadb_msg); |
---|
821 | |
---|
822 | while (p < ep) { |
---|
823 | sup = (void *)p; |
---|
824 | if (ep < p + sizeof(*sup) || |
---|
825 | PFKEY_EXTLEN(sup) < sizeof(*sup) || |
---|
826 | ep < p + sup->sadb_supported_len) { |
---|
827 | /* invalid format */ |
---|
828 | break; |
---|
829 | } |
---|
830 | |
---|
831 | switch (sup->sadb_supported_exttype) { |
---|
832 | case SADB_EXT_SUPPORTED_AUTH: |
---|
833 | case SADB_EXT_SUPPORTED_ENCRYPT: |
---|
834 | break; |
---|
835 | default: |
---|
836 | __ipsec_errcode = EIPSEC_INVAL_SATYPE; |
---|
837 | return -1; |
---|
838 | } |
---|
839 | |
---|
840 | /* fixed length */ |
---|
841 | sup->sadb_supported_len = PFKEY_EXTLEN(sup); |
---|
842 | |
---|
843 | /* set supported map */ |
---|
844 | if (setsupportedmap(sup) != 0) |
---|
845 | return -1; |
---|
846 | |
---|
847 | p += sup->sadb_supported_len; |
---|
848 | } |
---|
849 | |
---|
850 | if (p != ep) { |
---|
851 | __ipsec_errcode = EIPSEC_INVAL_SATYPE; |
---|
852 | return -1; |
---|
853 | } |
---|
854 | |
---|
855 | __ipsec_errcode = EIPSEC_NO_ERROR; |
---|
856 | |
---|
857 | return 0; |
---|
858 | } |
---|
859 | |
---|
860 | /* |
---|
861 | * sending SADB_FLUSH message to the kernel. |
---|
862 | * OUT: |
---|
863 | * positive: success and return length sent. |
---|
864 | * -1 : error occured, and set errno. |
---|
865 | */ |
---|
866 | int |
---|
867 | pfkey_send_flush(int so, u_int satype) |
---|
868 | { |
---|
869 | int len; |
---|
870 | |
---|
871 | if ((len = pfkey_send_x3(so, SADB_FLUSH, satype)) < 0) |
---|
872 | return -1; |
---|
873 | |
---|
874 | return len; |
---|
875 | } |
---|
876 | |
---|
877 | /* |
---|
878 | * sending SADB_DUMP message to the kernel. |
---|
879 | * OUT: |
---|
880 | * positive: success and return length sent. |
---|
881 | * -1 : error occured, and set errno. |
---|
882 | */ |
---|
883 | int |
---|
884 | pfkey_send_dump(int so, u_int satype) |
---|
885 | { |
---|
886 | int len; |
---|
887 | |
---|
888 | if ((len = pfkey_send_x3(so, SADB_DUMP, satype)) < 0) |
---|
889 | return -1; |
---|
890 | |
---|
891 | return len; |
---|
892 | } |
---|
893 | |
---|
894 | /* |
---|
895 | * sending SADB_X_PROMISC message to the kernel. |
---|
896 | * NOTE that this function handles promisc mode toggle only. |
---|
897 | * IN: |
---|
898 | * flag: set promisc off if zero, set promisc on if non-zero. |
---|
899 | * OUT: |
---|
900 | * positive: success and return length sent. |
---|
901 | * -1 : error occured, and set errno. |
---|
902 | * 0 : error occured, and set errno. |
---|
903 | * others: a pointer to new allocated buffer in which supported |
---|
904 | * algorithms is. |
---|
905 | */ |
---|
906 | int |
---|
907 | pfkey_send_promisc_toggle(int so, int flag) |
---|
908 | { |
---|
909 | int len; |
---|
910 | |
---|
911 | if ((len = pfkey_send_x3(so, SADB_X_PROMISC, |
---|
912 | (u_int)(flag ? 1 : 0))) < 0) |
---|
913 | return -1; |
---|
914 | |
---|
915 | return len; |
---|
916 | } |
---|
917 | |
---|
918 | /* |
---|
919 | * sending SADB_X_SPDADD message to the kernel. |
---|
920 | * OUT: |
---|
921 | * positive: success and return length sent. |
---|
922 | * -1 : error occured, and set errno. |
---|
923 | */ |
---|
924 | int |
---|
925 | pfkey_send_spdadd(int so, struct sockaddr *src, u_int prefs, |
---|
926 | struct sockaddr *dst, u_int prefd, u_int proto, caddr_t policy, |
---|
927 | int policylen, u_int32_t seq) |
---|
928 | { |
---|
929 | int len; |
---|
930 | |
---|
931 | if ((len = pfkey_send_x4(so, SADB_X_SPDADD, |
---|
932 | src, prefs, dst, prefd, proto, |
---|
933 | (u_int64_t)0, (u_int64_t)0, |
---|
934 | policy, policylen, seq)) < 0) |
---|
935 | return -1; |
---|
936 | |
---|
937 | return len; |
---|
938 | } |
---|
939 | |
---|
940 | /* |
---|
941 | * sending SADB_X_SPDADD message to the kernel. |
---|
942 | * OUT: |
---|
943 | * positive: success and return length sent. |
---|
944 | * -1 : error occured, and set errno. |
---|
945 | */ |
---|
946 | int |
---|
947 | pfkey_send_spdadd2(int so, struct sockaddr *src, u_int prefs, |
---|
948 | struct sockaddr *dst, u_int prefd, u_int proto, u_int64_t ltime, |
---|
949 | u_int64_t vtime, caddr_t policy, int policylen, u_int32_t seq) |
---|
950 | { |
---|
951 | int len; |
---|
952 | |
---|
953 | if ((len = pfkey_send_x4(so, SADB_X_SPDADD, |
---|
954 | src, prefs, dst, prefd, proto, |
---|
955 | ltime, vtime, |
---|
956 | policy, policylen, seq)) < 0) |
---|
957 | return -1; |
---|
958 | |
---|
959 | return len; |
---|
960 | } |
---|
961 | |
---|
962 | /* |
---|
963 | * sending SADB_X_SPDUPDATE message to the kernel. |
---|
964 | * OUT: |
---|
965 | * positive: success and return length sent. |
---|
966 | * -1 : error occured, and set errno. |
---|
967 | */ |
---|
968 | int |
---|
969 | pfkey_send_spdupdate(int so, struct sockaddr *src, u_int prefs, |
---|
970 | struct sockaddr *dst, u_int prefd, u_int proto, caddr_t policy, |
---|
971 | int policylen, u_int32_t seq) |
---|
972 | { |
---|
973 | int len; |
---|
974 | |
---|
975 | if ((len = pfkey_send_x4(so, SADB_X_SPDUPDATE, |
---|
976 | src, prefs, dst, prefd, proto, |
---|
977 | (u_int64_t)0, (u_int64_t)0, |
---|
978 | policy, policylen, seq)) < 0) |
---|
979 | return -1; |
---|
980 | |
---|
981 | return len; |
---|
982 | } |
---|
983 | |
---|
984 | /* |
---|
985 | * sending SADB_X_SPDUPDATE message to the kernel. |
---|
986 | * OUT: |
---|
987 | * positive: success and return length sent. |
---|
988 | * -1 : error occured, and set errno. |
---|
989 | */ |
---|
990 | int |
---|
991 | pfkey_send_spdupdate2(int so, struct sockaddr *src, u_int prefs, |
---|
992 | struct sockaddr *dst, u_int prefd, u_int proto, u_int64_t ltime, |
---|
993 | u_int64_t vtime, caddr_t policy, int policylen, u_int32_t seq) |
---|
994 | { |
---|
995 | int len; |
---|
996 | |
---|
997 | if ((len = pfkey_send_x4(so, SADB_X_SPDUPDATE, |
---|
998 | src, prefs, dst, prefd, proto, |
---|
999 | ltime, vtime, |
---|
1000 | policy, policylen, seq)) < 0) |
---|
1001 | return -1; |
---|
1002 | |
---|
1003 | return len; |
---|
1004 | } |
---|
1005 | |
---|
1006 | /* |
---|
1007 | * sending SADB_X_SPDDELETE message to the kernel. |
---|
1008 | * OUT: |
---|
1009 | * positive: success and return length sent. |
---|
1010 | * -1 : error occured, and set errno. |
---|
1011 | */ |
---|
1012 | int |
---|
1013 | pfkey_send_spddelete(int so, struct sockaddr *src, u_int prefs, |
---|
1014 | struct sockaddr *dst, u_int prefd, u_int proto, caddr_t policy, |
---|
1015 | int policylen, u_int32_t seq) |
---|
1016 | { |
---|
1017 | int len; |
---|
1018 | |
---|
1019 | if (policylen != sizeof(struct sadb_x_policy)) { |
---|
1020 | __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; |
---|
1021 | return -1; |
---|
1022 | } |
---|
1023 | |
---|
1024 | if ((len = pfkey_send_x4(so, SADB_X_SPDDELETE, |
---|
1025 | src, prefs, dst, prefd, proto, |
---|
1026 | (u_int64_t)0, (u_int64_t)0, |
---|
1027 | policy, policylen, seq)) < 0) |
---|
1028 | return -1; |
---|
1029 | |
---|
1030 | return len; |
---|
1031 | } |
---|
1032 | |
---|
1033 | /* |
---|
1034 | * sending SADB_X_SPDDELETE message to the kernel. |
---|
1035 | * OUT: |
---|
1036 | * positive: success and return length sent. |
---|
1037 | * -1 : error occured, and set errno. |
---|
1038 | */ |
---|
1039 | int |
---|
1040 | pfkey_send_spddelete2(int so, u_int32_t spid) |
---|
1041 | { |
---|
1042 | int len; |
---|
1043 | |
---|
1044 | if ((len = pfkey_send_x5(so, SADB_X_SPDDELETE2, spid)) < 0) |
---|
1045 | return -1; |
---|
1046 | |
---|
1047 | return len; |
---|
1048 | } |
---|
1049 | |
---|
1050 | /* |
---|
1051 | * sending SADB_X_SPDGET message to the kernel. |
---|
1052 | * OUT: |
---|
1053 | * positive: success and return length sent. |
---|
1054 | * -1 : error occured, and set errno. |
---|
1055 | */ |
---|
1056 | int |
---|
1057 | pfkey_send_spdget(int so, u_int32_t spid) |
---|
1058 | { |
---|
1059 | int len; |
---|
1060 | |
---|
1061 | if ((len = pfkey_send_x5(so, SADB_X_SPDGET, spid)) < 0) |
---|
1062 | return -1; |
---|
1063 | |
---|
1064 | return len; |
---|
1065 | } |
---|
1066 | |
---|
1067 | /* |
---|
1068 | * sending SADB_X_SPDSETIDX message to the kernel. |
---|
1069 | * OUT: |
---|
1070 | * positive: success and return length sent. |
---|
1071 | * -1 : error occured, and set errno. |
---|
1072 | */ |
---|
1073 | int |
---|
1074 | pfkey_send_spdsetidx(int so, struct sockaddr *src, u_int prefs, |
---|
1075 | struct sockaddr *dst, u_int prefd, u_int proto, caddr_t policy, |
---|
1076 | int policylen, u_int32_t seq) |
---|
1077 | { |
---|
1078 | int len; |
---|
1079 | |
---|
1080 | if (policylen != sizeof(struct sadb_x_policy)) { |
---|
1081 | __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; |
---|
1082 | return -1; |
---|
1083 | } |
---|
1084 | |
---|
1085 | if ((len = pfkey_send_x4(so, SADB_X_SPDSETIDX, |
---|
1086 | src, prefs, dst, prefd, proto, |
---|
1087 | (u_int64_t)0, (u_int64_t)0, |
---|
1088 | policy, policylen, seq)) < 0) |
---|
1089 | return -1; |
---|
1090 | |
---|
1091 | return len; |
---|
1092 | } |
---|
1093 | |
---|
1094 | /* |
---|
1095 | * sending SADB_SPDFLUSH message to the kernel. |
---|
1096 | * OUT: |
---|
1097 | * positive: success and return length sent. |
---|
1098 | * -1 : error occured, and set errno. |
---|
1099 | */ |
---|
1100 | int |
---|
1101 | pfkey_send_spdflush(int so) |
---|
1102 | { |
---|
1103 | int len; |
---|
1104 | |
---|
1105 | if ((len = pfkey_send_x3(so, SADB_X_SPDFLUSH, SADB_SATYPE_UNSPEC)) < 0) |
---|
1106 | return -1; |
---|
1107 | |
---|
1108 | return len; |
---|
1109 | } |
---|
1110 | |
---|
1111 | /* |
---|
1112 | * sending SADB_SPDDUMP message to the kernel. |
---|
1113 | * OUT: |
---|
1114 | * positive: success and return length sent. |
---|
1115 | * -1 : error occured, and set errno. |
---|
1116 | */ |
---|
1117 | int |
---|
1118 | pfkey_send_spddump(int so) |
---|
1119 | { |
---|
1120 | int len; |
---|
1121 | |
---|
1122 | if ((len = pfkey_send_x3(so, SADB_X_SPDDUMP, SADB_SATYPE_UNSPEC)) < 0) |
---|
1123 | return -1; |
---|
1124 | |
---|
1125 | return len; |
---|
1126 | } |
---|
1127 | |
---|
1128 | |
---|
1129 | #ifdef SADB_X_MIGRATE |
---|
1130 | /* |
---|
1131 | * sending SADB_X_MIGRATE message to the kernel. |
---|
1132 | * OUT: |
---|
1133 | * positive: success and return length sent. |
---|
1134 | * -1 : error occured, and set errno. |
---|
1135 | */ |
---|
1136 | int |
---|
1137 | pfkey_send_migrate(int so, struct sockaddr *local, struct sockaddr *remote, |
---|
1138 | struct sockaddr *src, u_int prefs, struct sockaddr *dst, u_int prefd, |
---|
1139 | u_int proto, caddr_t policy, int policylen, u_int32_t seq) |
---|
1140 | { |
---|
1141 | struct sadb_msg *newmsg; |
---|
1142 | int len; |
---|
1143 | caddr_t p; |
---|
1144 | int plen; |
---|
1145 | caddr_t ep; |
---|
1146 | |
---|
1147 | /* validity check */ |
---|
1148 | if (src == NULL || dst == NULL) { |
---|
1149 | __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; |
---|
1150 | return -1; |
---|
1151 | } |
---|
1152 | if (src->sa_family != dst->sa_family) { |
---|
1153 | __ipsec_errcode = EIPSEC_FAMILY_MISMATCH; |
---|
1154 | return -1; |
---|
1155 | } |
---|
1156 | |
---|
1157 | if (local == NULL || remote == NULL) { |
---|
1158 | __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; |
---|
1159 | return -1; |
---|
1160 | } |
---|
1161 | #ifdef SADB_X_EXT_KMADDRESS |
---|
1162 | if (local->sa_family != remote->sa_family) { |
---|
1163 | __ipsec_errcode = EIPSEC_FAMILY_MISMATCH; |
---|
1164 | return -1; |
---|
1165 | } |
---|
1166 | #endif |
---|
1167 | |
---|
1168 | switch (src->sa_family) { |
---|
1169 | case AF_INET: |
---|
1170 | plen = sizeof(struct in_addr) << 3; |
---|
1171 | break; |
---|
1172 | case AF_INET6: |
---|
1173 | plen = sizeof(struct in6_addr) << 3; |
---|
1174 | break; |
---|
1175 | default: |
---|
1176 | __ipsec_errcode = EIPSEC_INVAL_FAMILY; |
---|
1177 | return -1; |
---|
1178 | } |
---|
1179 | if (prefs > plen || prefd > plen) { |
---|
1180 | __ipsec_errcode = EIPSEC_INVAL_PREFIXLEN; |
---|
1181 | return -1; |
---|
1182 | } |
---|
1183 | |
---|
1184 | /* create new sadb_msg to reply. */ |
---|
1185 | len = sizeof(struct sadb_msg) |
---|
1186 | #ifdef SADB_X_EXT_KMADDRESS |
---|
1187 | + sizeof(struct sadb_x_kmaddress) |
---|
1188 | + PFKEY_ALIGN8(2*sysdep_sa_len(local)) |
---|
1189 | #endif |
---|
1190 | + sizeof(struct sadb_address) |
---|
1191 | + PFKEY_ALIGN8(sysdep_sa_len(src)) |
---|
1192 | + sizeof(struct sadb_address) |
---|
1193 | + PFKEY_ALIGN8(sysdep_sa_len(dst)) |
---|
1194 | + policylen; |
---|
1195 | |
---|
1196 | if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) { |
---|
1197 | __ipsec_set_strerror(strerror(errno)); |
---|
1198 | return -1; |
---|
1199 | } |
---|
1200 | ep = ((caddr_t)newmsg) + len; |
---|
1201 | |
---|
1202 | p = pfkey_setsadbmsg((caddr_t)newmsg, ep, SADB_X_MIGRATE, (u_int)len, |
---|
1203 | SADB_SATYPE_UNSPEC, seq, getpid()); |
---|
1204 | if (!p) { |
---|
1205 | free(newmsg); |
---|
1206 | return -1; |
---|
1207 | } |
---|
1208 | #ifdef SADB_X_EXT_KMADDRESS |
---|
1209 | p = pfkey_setsadbkmaddr(p, ep, local, remote); |
---|
1210 | if (!p) { |
---|
1211 | free(newmsg); |
---|
1212 | return -1; |
---|
1213 | } |
---|
1214 | #endif |
---|
1215 | p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, prefs, proto); |
---|
1216 | if (!p) { |
---|
1217 | free(newmsg); |
---|
1218 | return -1; |
---|
1219 | } |
---|
1220 | p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, prefd, proto); |
---|
1221 | if (!p || p + policylen != ep) { |
---|
1222 | free(newmsg); |
---|
1223 | return -1; |
---|
1224 | } |
---|
1225 | memcpy(p, policy, policylen); |
---|
1226 | |
---|
1227 | /* send message */ |
---|
1228 | len = pfkey_send(so, newmsg, len); |
---|
1229 | free(newmsg); |
---|
1230 | |
---|
1231 | if (len < 0) |
---|
1232 | return -1; |
---|
1233 | |
---|
1234 | __ipsec_errcode = EIPSEC_NO_ERROR; |
---|
1235 | return len; |
---|
1236 | } |
---|
1237 | #endif |
---|
1238 | |
---|
1239 | |
---|
1240 | /* sending SADB_ADD or SADB_UPDATE message to the kernel */ |
---|
1241 | static int |
---|
1242 | pfkey_send_x1(struct pfkey_send_sa_args *sa_parms) |
---|
1243 | { |
---|
1244 | struct sadb_msg *newmsg; |
---|
1245 | int len; |
---|
1246 | caddr_t p; |
---|
1247 | int plen; |
---|
1248 | caddr_t ep; |
---|
1249 | |
---|
1250 | /* validity check */ |
---|
1251 | if (sa_parms->src == NULL || sa_parms->dst == NULL) { |
---|
1252 | __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; |
---|
1253 | return -1; |
---|
1254 | } |
---|
1255 | if (sa_parms->src->sa_family != sa_parms->dst->sa_family) { |
---|
1256 | __ipsec_errcode = EIPSEC_FAMILY_MISMATCH; |
---|
1257 | return -1; |
---|
1258 | } |
---|
1259 | switch (sa_parms->src->sa_family) { |
---|
1260 | case AF_INET: |
---|
1261 | plen = sizeof(struct in_addr) << 3; |
---|
1262 | break; |
---|
1263 | case AF_INET6: |
---|
1264 | plen = sizeof(struct in6_addr) << 3; |
---|
1265 | break; |
---|
1266 | default: |
---|
1267 | __ipsec_errcode = EIPSEC_INVAL_FAMILY; |
---|
1268 | return -1; |
---|
1269 | } |
---|
1270 | |
---|
1271 | switch (sa_parms->satype) { |
---|
1272 | case SADB_SATYPE_ESP: |
---|
1273 | if (sa_parms->e_type == SADB_EALG_NONE) { |
---|
1274 | __ipsec_errcode = EIPSEC_NO_ALGS; |
---|
1275 | return -1; |
---|
1276 | } |
---|
1277 | break; |
---|
1278 | case SADB_SATYPE_AH: |
---|
1279 | if (sa_parms->e_type != SADB_EALG_NONE) { |
---|
1280 | __ipsec_errcode = EIPSEC_INVAL_ALGS; |
---|
1281 | return -1; |
---|
1282 | } |
---|
1283 | if (sa_parms->a_type == SADB_AALG_NONE) { |
---|
1284 | __ipsec_errcode = EIPSEC_NO_ALGS; |
---|
1285 | return -1; |
---|
1286 | } |
---|
1287 | break; |
---|
1288 | case SADB_X_SATYPE_IPCOMP: |
---|
1289 | if (sa_parms->e_type == SADB_X_CALG_NONE) { |
---|
1290 | __ipsec_errcode = EIPSEC_INVAL_ALGS; |
---|
1291 | return -1; |
---|
1292 | } |
---|
1293 | if (sa_parms->a_type != SADB_AALG_NONE) { |
---|
1294 | __ipsec_errcode = EIPSEC_NO_ALGS; |
---|
1295 | return -1; |
---|
1296 | } |
---|
1297 | break; |
---|
1298 | #ifdef SADB_X_AALG_TCP_MD5 |
---|
1299 | case SADB_X_SATYPE_TCPSIGNATURE: |
---|
1300 | if (sa_parms->e_type != SADB_EALG_NONE) { |
---|
1301 | __ipsec_errcode = EIPSEC_INVAL_ALGS; |
---|
1302 | return -1; |
---|
1303 | } |
---|
1304 | if (sa_parms->a_type != SADB_X_AALG_TCP_MD5) { |
---|
1305 | __ipsec_errcode = EIPSEC_INVAL_ALGS; |
---|
1306 | return -1; |
---|
1307 | } |
---|
1308 | break; |
---|
1309 | #endif |
---|
1310 | default: |
---|
1311 | __ipsec_errcode = EIPSEC_INVAL_SATYPE; |
---|
1312 | return -1; |
---|
1313 | } |
---|
1314 | |
---|
1315 | /* create new sadb_msg to reply. */ |
---|
1316 | len = sizeof(struct sadb_msg) |
---|
1317 | + sizeof(struct sadb_sa) |
---|
1318 | + sizeof(struct sadb_x_sa2) |
---|
1319 | + sizeof(struct sadb_address) |
---|
1320 | + PFKEY_ALIGN8(sysdep_sa_len(sa_parms->src)) |
---|
1321 | + sizeof(struct sadb_address) |
---|
1322 | + PFKEY_ALIGN8(sysdep_sa_len(sa_parms->dst)) |
---|
1323 | + sizeof(struct sadb_lifetime) |
---|
1324 | + sizeof(struct sadb_lifetime); |
---|
1325 | |
---|
1326 | if (sa_parms->e_type != SADB_EALG_NONE && |
---|
1327 | sa_parms->satype != SADB_X_SATYPE_IPCOMP) |
---|
1328 | len += (sizeof(struct sadb_key) + |
---|
1329 | PFKEY_ALIGN8(sa_parms->e_keylen)); |
---|
1330 | if (sa_parms->a_type != SADB_AALG_NONE) |
---|
1331 | len += (sizeof(struct sadb_key) + |
---|
1332 | PFKEY_ALIGN8(sa_parms->a_keylen)); |
---|
1333 | |
---|
1334 | #ifdef SADB_X_EXT_SEC_CTX |
---|
1335 | if (sa_parms->ctxstr != NULL) |
---|
1336 | len += (sizeof(struct sadb_x_sec_ctx) |
---|
1337 | + PFKEY_ALIGN8(sa_parms->ctxstrlen)); |
---|
1338 | #endif |
---|
1339 | |
---|
1340 | #ifdef SADB_X_EXT_NAT_T_TYPE |
---|
1341 | /* add nat-t packets */ |
---|
1342 | if (sa_parms->l_natt_type) { |
---|
1343 | switch(sa_parms->satype) { |
---|
1344 | case SADB_SATYPE_ESP: |
---|
1345 | case SADB_X_SATYPE_IPCOMP: |
---|
1346 | break; |
---|
1347 | default: |
---|
1348 | __ipsec_errcode = EIPSEC_NO_ALGS; |
---|
1349 | return -1; |
---|
1350 | } |
---|
1351 | |
---|
1352 | len += sizeof(struct sadb_x_nat_t_type); |
---|
1353 | len += sizeof(struct sadb_x_nat_t_port); |
---|
1354 | len += sizeof(struct sadb_x_nat_t_port); |
---|
1355 | if (sa_parms->l_natt_oai) |
---|
1356 | len += sizeof(struct sadb_address) + |
---|
1357 | PFKEY_ALIGN8(sysdep_sa_len(sa_parms->l_natt_oai)); |
---|
1358 | if (sa_parms->l_natt_oar) |
---|
1359 | len += sizeof(struct sadb_address) + |
---|
1360 | PFKEY_ALIGN8(sysdep_sa_len(sa_parms->l_natt_oar)); |
---|
1361 | #ifdef SADB_X_EXT_NAT_T_FRAG |
---|
1362 | if (sa_parms->l_natt_frag) |
---|
1363 | len += sizeof(struct sadb_x_nat_t_frag); |
---|
1364 | #endif |
---|
1365 | } |
---|
1366 | #endif |
---|
1367 | |
---|
1368 | if ((newmsg = CALLOC((size_t)len, struct sadb_msg *)) == NULL) { |
---|
1369 | __ipsec_set_strerror(strerror(errno)); |
---|
1370 | return -1; |
---|
1371 | } |
---|
1372 | ep = ((caddr_t)(void *)newmsg) + len; |
---|
1373 | |
---|
1374 | p = pfkey_setsadbmsg((void *)newmsg, ep, sa_parms->type, (u_int)len, |
---|
1375 | sa_parms->satype, sa_parms->seq, getpid()); |
---|
1376 | if (!p) { |
---|
1377 | free(newmsg); |
---|
1378 | return -1; |
---|
1379 | } |
---|
1380 | p = pfkey_setsadbsa(p, ep, sa_parms->spi, sa_parms->wsize, |
---|
1381 | sa_parms->a_type, sa_parms->e_type, |
---|
1382 | sa_parms->flags); |
---|
1383 | if (!p) { |
---|
1384 | free(newmsg); |
---|
1385 | return -1; |
---|
1386 | } |
---|
1387 | p = pfkey_setsadbxsa2(p, ep, sa_parms->mode, sa_parms->reqid); |
---|
1388 | if (!p) { |
---|
1389 | free(newmsg); |
---|
1390 | return -1; |
---|
1391 | } |
---|
1392 | p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, sa_parms->src, |
---|
1393 | (u_int)plen, IPSEC_ULPROTO_ANY); |
---|
1394 | if (!p) { |
---|
1395 | free(newmsg); |
---|
1396 | return -1; |
---|
1397 | } |
---|
1398 | p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, sa_parms->dst, |
---|
1399 | (u_int)plen, IPSEC_ULPROTO_ANY); |
---|
1400 | if (!p) { |
---|
1401 | free(newmsg); |
---|
1402 | return -1; |
---|
1403 | } |
---|
1404 | |
---|
1405 | if (sa_parms->e_type != SADB_EALG_NONE && |
---|
1406 | sa_parms->satype != SADB_X_SATYPE_IPCOMP) { |
---|
1407 | p = pfkey_setsadbkey(p, ep, SADB_EXT_KEY_ENCRYPT, |
---|
1408 | sa_parms->keymat, sa_parms->e_keylen); |
---|
1409 | if (!p) { |
---|
1410 | free(newmsg); |
---|
1411 | return -1; |
---|
1412 | } |
---|
1413 | } |
---|
1414 | if (sa_parms->a_type != SADB_AALG_NONE) { |
---|
1415 | p = pfkey_setsadbkey(p, ep, SADB_EXT_KEY_AUTH, |
---|
1416 | sa_parms->keymat + sa_parms->e_keylen, |
---|
1417 | sa_parms->a_keylen); |
---|
1418 | if (!p) { |
---|
1419 | free(newmsg); |
---|
1420 | return -1; |
---|
1421 | } |
---|
1422 | } |
---|
1423 | |
---|
1424 | /* set sadb_lifetime for destination */ |
---|
1425 | p = pfkey_setsadblifetime(p, ep, SADB_EXT_LIFETIME_HARD, |
---|
1426 | sa_parms->l_alloc, sa_parms->l_bytes, |
---|
1427 | sa_parms->l_addtime, sa_parms->l_usetime); |
---|
1428 | if (!p) { |
---|
1429 | free(newmsg); |
---|
1430 | return -1; |
---|
1431 | } |
---|
1432 | p = pfkey_setsadblifetime(p, ep, SADB_EXT_LIFETIME_SOFT, |
---|
1433 | sa_parms->l_alloc, sa_parms->l_bytes, |
---|
1434 | sa_parms->l_addtime, sa_parms->l_usetime); |
---|
1435 | if (!p) { |
---|
1436 | free(newmsg); |
---|
1437 | return -1; |
---|
1438 | } |
---|
1439 | #ifdef SADB_X_EXT_SEC_CTX |
---|
1440 | if (sa_parms->ctxstr != NULL) { |
---|
1441 | p = pfkey_setsecctx(p, ep, SADB_X_EXT_SEC_CTX, sa_parms->ctxdoi, |
---|
1442 | sa_parms->ctxalg, sa_parms->ctxstr, |
---|
1443 | sa_parms->ctxstrlen); |
---|
1444 | if (!p) { |
---|
1445 | free(newmsg); |
---|
1446 | return -1; |
---|
1447 | } |
---|
1448 | } |
---|
1449 | #endif |
---|
1450 | |
---|
1451 | #ifdef SADB_X_EXT_NAT_T_TYPE |
---|
1452 | /* Add nat-t messages */ |
---|
1453 | if (sa_parms->l_natt_type) { |
---|
1454 | p = pfkey_set_natt_type(p, ep, SADB_X_EXT_NAT_T_TYPE, |
---|
1455 | sa_parms->l_natt_type); |
---|
1456 | if (!p) { |
---|
1457 | free(newmsg); |
---|
1458 | return -1; |
---|
1459 | } |
---|
1460 | |
---|
1461 | p = pfkey_set_natt_port(p, ep, SADB_X_EXT_NAT_T_SPORT, |
---|
1462 | sa_parms->l_natt_sport); |
---|
1463 | if (!p) { |
---|
1464 | free(newmsg); |
---|
1465 | return -1; |
---|
1466 | } |
---|
1467 | |
---|
1468 | p = pfkey_set_natt_port(p, ep, SADB_X_EXT_NAT_T_DPORT, |
---|
1469 | sa_parms->l_natt_dport); |
---|
1470 | if (!p) { |
---|
1471 | free(newmsg); |
---|
1472 | return -1; |
---|
1473 | } |
---|
1474 | |
---|
1475 | if (sa_parms->l_natt_oai) { |
---|
1476 | p = pfkey_setsadbaddr(p, ep, SADB_X_EXT_NAT_T_OAI, |
---|
1477 | sa_parms->l_natt_oai, |
---|
1478 | (u_int)PFKEY_ALIGN8(sysdep_sa_len(sa_parms->l_natt_oai)), |
---|
1479 | IPSEC_ULPROTO_ANY); |
---|
1480 | if (!p) { |
---|
1481 | free(newmsg); |
---|
1482 | return -1; |
---|
1483 | } |
---|
1484 | } |
---|
1485 | |
---|
1486 | if (sa_parms->l_natt_oar) { |
---|
1487 | p = pfkey_setsadbaddr(p, ep, SADB_X_EXT_NAT_T_OAR, |
---|
1488 | sa_parms->l_natt_oar, |
---|
1489 | (u_int)PFKEY_ALIGN8(sysdep_sa_len(sa_parms->l_natt_oar)), |
---|
1490 | IPSEC_ULPROTO_ANY); |
---|
1491 | if (!p) { |
---|
1492 | free(newmsg); |
---|
1493 | return -1; |
---|
1494 | } |
---|
1495 | } |
---|
1496 | |
---|
1497 | #ifdef SADB_X_EXT_NAT_T_FRAG |
---|
1498 | if (sa_parms->l_natt_frag) { |
---|
1499 | p = pfkey_set_natt_frag(p, ep, SADB_X_EXT_NAT_T_FRAG, |
---|
1500 | sa_parms->l_natt_frag); |
---|
1501 | if (!p) { |
---|
1502 | free(newmsg); |
---|
1503 | return -1; |
---|
1504 | } |
---|
1505 | } |
---|
1506 | #endif |
---|
1507 | } |
---|
1508 | #endif |
---|
1509 | |
---|
1510 | if (p != ep) { |
---|
1511 | free(newmsg); |
---|
1512 | return -1; |
---|
1513 | } |
---|
1514 | |
---|
1515 | /* send message */ |
---|
1516 | len = pfkey_send(sa_parms->so, newmsg, len); |
---|
1517 | free(newmsg); |
---|
1518 | |
---|
1519 | if (len < 0) |
---|
1520 | return -1; |
---|
1521 | |
---|
1522 | __ipsec_errcode = EIPSEC_NO_ERROR; |
---|
1523 | return len; |
---|
1524 | } |
---|
1525 | |
---|
1526 | /* sending SADB_DELETE or SADB_GET message to the kernel */ |
---|
1527 | /*ARGSUSED*/ |
---|
1528 | static int |
---|
1529 | pfkey_send_x2(int so, u_int type, u_int satype, u_int mode, |
---|
1530 | struct sockaddr *src, struct sockaddr *dst, u_int32_t spi) |
---|
1531 | { |
---|
1532 | struct sadb_msg *newmsg; |
---|
1533 | int len; |
---|
1534 | caddr_t p; |
---|
1535 | int plen; |
---|
1536 | caddr_t ep; |
---|
1537 | |
---|
1538 | /* validity check */ |
---|
1539 | if (src == NULL || dst == NULL) { |
---|
1540 | __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; |
---|
1541 | return -1; |
---|
1542 | } |
---|
1543 | if (src->sa_family != dst->sa_family) { |
---|
1544 | __ipsec_errcode = EIPSEC_FAMILY_MISMATCH; |
---|
1545 | return -1; |
---|
1546 | } |
---|
1547 | switch (src->sa_family) { |
---|
1548 | case AF_INET: |
---|
1549 | plen = sizeof(struct in_addr) << 3; |
---|
1550 | break; |
---|
1551 | case AF_INET6: |
---|
1552 | plen = sizeof(struct in6_addr) << 3; |
---|
1553 | break; |
---|
1554 | default: |
---|
1555 | __ipsec_errcode = EIPSEC_INVAL_FAMILY; |
---|
1556 | return -1; |
---|
1557 | } |
---|
1558 | |
---|
1559 | /* create new sadb_msg to reply. */ |
---|
1560 | len = sizeof(struct sadb_msg) |
---|
1561 | + sizeof(struct sadb_sa) |
---|
1562 | + sizeof(struct sadb_address) |
---|
1563 | + PFKEY_ALIGN8(sysdep_sa_len(src)) |
---|
1564 | + sizeof(struct sadb_address) |
---|
1565 | + PFKEY_ALIGN8(sysdep_sa_len(dst)); |
---|
1566 | |
---|
1567 | if ((newmsg = CALLOC((size_t)len, struct sadb_msg *)) == NULL) { |
---|
1568 | __ipsec_set_strerror(strerror(errno)); |
---|
1569 | return -1; |
---|
1570 | } |
---|
1571 | ep = ((caddr_t)(void *)newmsg) + len; |
---|
1572 | |
---|
1573 | p = pfkey_setsadbmsg((void *)newmsg, ep, type, (u_int)len, satype, 0, |
---|
1574 | getpid()); |
---|
1575 | if (!p) { |
---|
1576 | free(newmsg); |
---|
1577 | return -1; |
---|
1578 | } |
---|
1579 | p = pfkey_setsadbsa(p, ep, spi, 0, 0, 0, 0); |
---|
1580 | if (!p) { |
---|
1581 | free(newmsg); |
---|
1582 | return -1; |
---|
1583 | } |
---|
1584 | p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, (u_int)plen, |
---|
1585 | IPSEC_ULPROTO_ANY); |
---|
1586 | if (!p) { |
---|
1587 | free(newmsg); |
---|
1588 | return -1; |
---|
1589 | } |
---|
1590 | p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, (u_int)plen, |
---|
1591 | IPSEC_ULPROTO_ANY); |
---|
1592 | if (!p || p != ep) { |
---|
1593 | free(newmsg); |
---|
1594 | return -1; |
---|
1595 | } |
---|
1596 | |
---|
1597 | /* send message */ |
---|
1598 | len = pfkey_send(so, newmsg, len); |
---|
1599 | free(newmsg); |
---|
1600 | |
---|
1601 | if (len < 0) |
---|
1602 | return -1; |
---|
1603 | |
---|
1604 | __ipsec_errcode = EIPSEC_NO_ERROR; |
---|
1605 | return len; |
---|
1606 | } |
---|
1607 | |
---|
1608 | /* |
---|
1609 | * sending SADB_REGISTER, SADB_FLUSH, SADB_DUMP or SADB_X_PROMISC message |
---|
1610 | * to the kernel |
---|
1611 | */ |
---|
1612 | static int |
---|
1613 | pfkey_send_x3(int so, u_int type, u_int satype) |
---|
1614 | { |
---|
1615 | struct sadb_msg *newmsg; |
---|
1616 | int len; |
---|
1617 | caddr_t p; |
---|
1618 | caddr_t ep; |
---|
1619 | |
---|
1620 | /* validity check */ |
---|
1621 | switch (type) { |
---|
1622 | case SADB_X_PROMISC: |
---|
1623 | if (satype != 0 && satype != 1) { |
---|
1624 | __ipsec_errcode = EIPSEC_INVAL_SATYPE; |
---|
1625 | return -1; |
---|
1626 | } |
---|
1627 | break; |
---|
1628 | default: |
---|
1629 | switch (satype) { |
---|
1630 | case SADB_SATYPE_UNSPEC: |
---|
1631 | case SADB_SATYPE_AH: |
---|
1632 | case SADB_SATYPE_ESP: |
---|
1633 | case SADB_X_SATYPE_IPCOMP: |
---|
1634 | #ifdef SADB_X_SATYPE_TCPSIGNATURE |
---|
1635 | case SADB_X_SATYPE_TCPSIGNATURE: |
---|
1636 | #endif |
---|
1637 | break; |
---|
1638 | default: |
---|
1639 | __ipsec_errcode = EIPSEC_INVAL_SATYPE; |
---|
1640 | return -1; |
---|
1641 | } |
---|
1642 | } |
---|
1643 | |
---|
1644 | /* create new sadb_msg to send. */ |
---|
1645 | len = sizeof(struct sadb_msg); |
---|
1646 | |
---|
1647 | if ((newmsg = CALLOC((size_t)len, struct sadb_msg *)) == NULL) { |
---|
1648 | __ipsec_set_strerror(strerror(errno)); |
---|
1649 | return -1; |
---|
1650 | } |
---|
1651 | ep = ((caddr_t)(void *)newmsg) + len; |
---|
1652 | |
---|
1653 | p = pfkey_setsadbmsg((void *)newmsg, ep, type, (u_int)len, satype, 0, |
---|
1654 | getpid()); |
---|
1655 | if (!p || p != ep) { |
---|
1656 | free(newmsg); |
---|
1657 | return -1; |
---|
1658 | } |
---|
1659 | |
---|
1660 | /* send message */ |
---|
1661 | len = pfkey_send(so, newmsg, len); |
---|
1662 | free(newmsg); |
---|
1663 | |
---|
1664 | if (len < 0) |
---|
1665 | return -1; |
---|
1666 | |
---|
1667 | __ipsec_errcode = EIPSEC_NO_ERROR; |
---|
1668 | return len; |
---|
1669 | } |
---|
1670 | |
---|
1671 | /* sending SADB_X_SPDADD message to the kernel */ |
---|
1672 | static int |
---|
1673 | pfkey_send_x4(int so, u_int type, struct sockaddr *src, u_int prefs, |
---|
1674 | struct sockaddr *dst, u_int prefd, u_int proto, u_int64_t ltime, |
---|
1675 | u_int64_t vtime, char *policy, int policylen, u_int32_t seq) |
---|
1676 | { |
---|
1677 | struct sadb_msg *newmsg; |
---|
1678 | int len; |
---|
1679 | caddr_t p; |
---|
1680 | int plen; |
---|
1681 | caddr_t ep; |
---|
1682 | |
---|
1683 | /* validity check */ |
---|
1684 | if (src == NULL || dst == NULL) { |
---|
1685 | __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; |
---|
1686 | return -1; |
---|
1687 | } |
---|
1688 | if (src->sa_family != dst->sa_family) { |
---|
1689 | __ipsec_errcode = EIPSEC_FAMILY_MISMATCH; |
---|
1690 | return -1; |
---|
1691 | } |
---|
1692 | |
---|
1693 | switch (src->sa_family) { |
---|
1694 | case AF_INET: |
---|
1695 | plen = sizeof(struct in_addr) << 3; |
---|
1696 | break; |
---|
1697 | case AF_INET6: |
---|
1698 | plen = sizeof(struct in6_addr) << 3; |
---|
1699 | break; |
---|
1700 | default: |
---|
1701 | __ipsec_errcode = EIPSEC_INVAL_FAMILY; |
---|
1702 | return -1; |
---|
1703 | } |
---|
1704 | if (prefs > plen || prefd > plen) { |
---|
1705 | __ipsec_errcode = EIPSEC_INVAL_PREFIXLEN; |
---|
1706 | return -1; |
---|
1707 | } |
---|
1708 | |
---|
1709 | /* create new sadb_msg to reply. */ |
---|
1710 | len = sizeof(struct sadb_msg) |
---|
1711 | + sizeof(struct sadb_address) |
---|
1712 | + PFKEY_ALIGN8(sysdep_sa_len(src)) |
---|
1713 | + sizeof(struct sadb_address) |
---|
1714 | + PFKEY_ALIGN8(sysdep_sa_len(src)) |
---|
1715 | + sizeof(struct sadb_lifetime) |
---|
1716 | + policylen; |
---|
1717 | |
---|
1718 | if ((newmsg = CALLOC((size_t)len, struct sadb_msg *)) == NULL) { |
---|
1719 | __ipsec_set_strerror(strerror(errno)); |
---|
1720 | return -1; |
---|
1721 | } |
---|
1722 | ep = ((caddr_t)(void *)newmsg) + len; |
---|
1723 | |
---|
1724 | p = pfkey_setsadbmsg((void *)newmsg, ep, type, (u_int)len, |
---|
1725 | SADB_SATYPE_UNSPEC, seq, getpid()); |
---|
1726 | if (!p) { |
---|
1727 | free(newmsg); |
---|
1728 | return -1; |
---|
1729 | } |
---|
1730 | p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, prefs, proto); |
---|
1731 | if (!p) { |
---|
1732 | free(newmsg); |
---|
1733 | return -1; |
---|
1734 | } |
---|
1735 | p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, prefd, proto); |
---|
1736 | if (!p) { |
---|
1737 | free(newmsg); |
---|
1738 | return -1; |
---|
1739 | } |
---|
1740 | p = pfkey_setsadblifetime(p, ep, SADB_EXT_LIFETIME_HARD, |
---|
1741 | 0, 0, (u_int)ltime, (u_int)vtime); |
---|
1742 | if (!p || p + policylen != ep) { |
---|
1743 | free(newmsg); |
---|
1744 | return -1; |
---|
1745 | } |
---|
1746 | memcpy(p, policy, (size_t)policylen); |
---|
1747 | |
---|
1748 | /* send message */ |
---|
1749 | len = pfkey_send(so, newmsg, len); |
---|
1750 | free(newmsg); |
---|
1751 | |
---|
1752 | if (len < 0) |
---|
1753 | return -1; |
---|
1754 | |
---|
1755 | __ipsec_errcode = EIPSEC_NO_ERROR; |
---|
1756 | return len; |
---|
1757 | } |
---|
1758 | |
---|
1759 | /* sending SADB_X_SPDGET or SADB_X_SPDDELETE message to the kernel */ |
---|
1760 | static int |
---|
1761 | pfkey_send_x5(int so, u_int type, u_int32_t spid) |
---|
1762 | { |
---|
1763 | struct sadb_msg *newmsg; |
---|
1764 | struct sadb_x_policy xpl; |
---|
1765 | int len; |
---|
1766 | caddr_t p; |
---|
1767 | caddr_t ep; |
---|
1768 | |
---|
1769 | /* create new sadb_msg to reply. */ |
---|
1770 | len = sizeof(struct sadb_msg) |
---|
1771 | + sizeof(xpl); |
---|
1772 | |
---|
1773 | if ((newmsg = CALLOC((size_t)len, struct sadb_msg *)) == NULL) { |
---|
1774 | __ipsec_set_strerror(strerror(errno)); |
---|
1775 | return -1; |
---|
1776 | } |
---|
1777 | ep = ((caddr_t)(void *)newmsg) + len; |
---|
1778 | |
---|
1779 | p = pfkey_setsadbmsg((void *)newmsg, ep, type, (u_int)len, |
---|
1780 | SADB_SATYPE_UNSPEC, 0, getpid()); |
---|
1781 | if (!p) { |
---|
1782 | free(newmsg); |
---|
1783 | return -1; |
---|
1784 | } |
---|
1785 | |
---|
1786 | if (p + sizeof(xpl) != ep) { |
---|
1787 | free(newmsg); |
---|
1788 | return -1; |
---|
1789 | } |
---|
1790 | memset(&xpl, 0, sizeof(xpl)); |
---|
1791 | xpl.sadb_x_policy_len = PFKEY_UNIT64(sizeof(xpl)); |
---|
1792 | xpl.sadb_x_policy_exttype = SADB_X_EXT_POLICY; |
---|
1793 | xpl.sadb_x_policy_id = spid; |
---|
1794 | memcpy(p, &xpl, sizeof(xpl)); |
---|
1795 | |
---|
1796 | /* send message */ |
---|
1797 | len = pfkey_send(so, newmsg, len); |
---|
1798 | free(newmsg); |
---|
1799 | |
---|
1800 | if (len < 0) |
---|
1801 | return -1; |
---|
1802 | |
---|
1803 | __ipsec_errcode = EIPSEC_NO_ERROR; |
---|
1804 | return len; |
---|
1805 | } |
---|
1806 | |
---|
1807 | /* |
---|
1808 | * open a socket. |
---|
1809 | * OUT: |
---|
1810 | * -1: fail. |
---|
1811 | * others : success and return value of socket. |
---|
1812 | */ |
---|
1813 | int |
---|
1814 | pfkey_open(void) |
---|
1815 | { |
---|
1816 | int so; |
---|
1817 | int bufsiz_current, bufsiz_wanted; |
---|
1818 | int ret; |
---|
1819 | socklen_t len; |
---|
1820 | |
---|
1821 | if ((so = socket(PF_KEY, SOCK_RAW, PF_KEY_V2)) < 0) { |
---|
1822 | __ipsec_set_strerror(strerror(errno)); |
---|
1823 | return -1; |
---|
1824 | } |
---|
1825 | |
---|
1826 | /* |
---|
1827 | * This is a temporary workaround for KAME PR 154. |
---|
1828 | * Don't really care even if it fails. |
---|
1829 | */ |
---|
1830 | /* Try to have 128k. If we have more, do not lower it. */ |
---|
1831 | bufsiz_wanted = 128 * 1024; |
---|
1832 | len = sizeof(bufsiz_current); |
---|
1833 | ret = getsockopt(so, SOL_SOCKET, SO_SNDBUF, |
---|
1834 | &bufsiz_current, &len); |
---|
1835 | if ((ret < 0) || (bufsiz_current < bufsiz_wanted)) |
---|
1836 | (void)setsockopt(so, SOL_SOCKET, SO_SNDBUF, |
---|
1837 | &bufsiz_wanted, sizeof(bufsiz_wanted)); |
---|
1838 | |
---|
1839 | /* Try to have have at least 2MB. If we have more, do not lower it. */ |
---|
1840 | bufsiz_wanted = 2 * 1024 * 1024; |
---|
1841 | len = sizeof(bufsiz_current); |
---|
1842 | ret = getsockopt(so, SOL_SOCKET, SO_RCVBUF, |
---|
1843 | &bufsiz_current, &len); |
---|
1844 | if (ret < 0) |
---|
1845 | bufsiz_current = 128 * 1024; |
---|
1846 | |
---|
1847 | for (; bufsiz_wanted > bufsiz_current; bufsiz_wanted /= 2) { |
---|
1848 | if (setsockopt(so, SOL_SOCKET, SO_RCVBUF, |
---|
1849 | &bufsiz_wanted, sizeof(bufsiz_wanted)) == 0) |
---|
1850 | break; |
---|
1851 | } |
---|
1852 | |
---|
1853 | __ipsec_errcode = EIPSEC_NO_ERROR; |
---|
1854 | return so; |
---|
1855 | } |
---|
1856 | |
---|
1857 | int |
---|
1858 | pfkey_set_buffer_size(int so, int size) |
---|
1859 | { |
---|
1860 | int newsize; |
---|
1861 | int actual_bufsiz; |
---|
1862 | socklen_t sizebufsiz; |
---|
1863 | int desired_bufsiz; |
---|
1864 | |
---|
1865 | /* |
---|
1866 | * on linux you may need to allow the kernel to allocate |
---|
1867 | * more buffer space by increasing: |
---|
1868 | * /proc/sys/net/core/rmem_max and wmem_max |
---|
1869 | */ |
---|
1870 | if (size > 0) { |
---|
1871 | actual_bufsiz = 0; |
---|
1872 | sizebufsiz = sizeof(actual_bufsiz); |
---|
1873 | desired_bufsiz = size * 1024; |
---|
1874 | if ((getsockopt(so, SOL_SOCKET, SO_RCVBUF, |
---|
1875 | &actual_bufsiz, &sizebufsiz) < 0) |
---|
1876 | || (actual_bufsiz < desired_bufsiz)) { |
---|
1877 | if (setsockopt(so, SOL_SOCKET, SO_RCVBUF, |
---|
1878 | &desired_bufsiz, sizeof(desired_bufsiz)) < 0) { |
---|
1879 | __ipsec_set_strerror(strerror(errno)); |
---|
1880 | return -1; |
---|
1881 | } |
---|
1882 | } |
---|
1883 | } |
---|
1884 | |
---|
1885 | /* return actual buffer size */ |
---|
1886 | actual_bufsiz = 0; |
---|
1887 | sizebufsiz = sizeof(actual_bufsiz); |
---|
1888 | getsockopt(so, SOL_SOCKET, SO_RCVBUF, |
---|
1889 | &actual_bufsiz, &sizebufsiz); |
---|
1890 | return actual_bufsiz / 1024; |
---|
1891 | } |
---|
1892 | |
---|
1893 | /* |
---|
1894 | * close a socket. |
---|
1895 | * OUT: |
---|
1896 | * 0: success. |
---|
1897 | * -1: fail. |
---|
1898 | */ |
---|
1899 | void |
---|
1900 | pfkey_close(int so) |
---|
1901 | { |
---|
1902 | (void)close(so); |
---|
1903 | |
---|
1904 | __ipsec_errcode = EIPSEC_NO_ERROR; |
---|
1905 | return; |
---|
1906 | } |
---|
1907 | |
---|
1908 | /* |
---|
1909 | * receive sadb_msg data, and return pointer to new buffer allocated. |
---|
1910 | * Must free this buffer later. |
---|
1911 | * OUT: |
---|
1912 | * NULL : error occured. |
---|
1913 | * others : a pointer to sadb_msg structure. |
---|
1914 | * |
---|
1915 | * XXX should be rewritten to pass length explicitly |
---|
1916 | */ |
---|
1917 | struct sadb_msg * |
---|
1918 | pfkey_recv(int so) |
---|
1919 | { |
---|
1920 | struct sadb_msg buf, *newmsg; |
---|
1921 | int len, reallen; |
---|
1922 | |
---|
1923 | while ((len = recv(so, (void *)&buf, sizeof(buf), MSG_PEEK)) < 0) { |
---|
1924 | if (errno == EINTR) |
---|
1925 | continue; |
---|
1926 | __ipsec_set_strerror(strerror(errno)); |
---|
1927 | return NULL; |
---|
1928 | } |
---|
1929 | |
---|
1930 | if (len < sizeof(buf)) { |
---|
1931 | recv(so, (void *)&buf, sizeof(buf), 0); |
---|
1932 | __ipsec_errcode = EIPSEC_MAX; |
---|
1933 | return NULL; |
---|
1934 | } |
---|
1935 | |
---|
1936 | /* read real message */ |
---|
1937 | reallen = PFKEY_UNUNIT64(buf.sadb_msg_len); |
---|
1938 | if ((newmsg = CALLOC((size_t)reallen, struct sadb_msg *)) == 0) { |
---|
1939 | __ipsec_set_strerror(strerror(errno)); |
---|
1940 | return NULL; |
---|
1941 | } |
---|
1942 | |
---|
1943 | while ((len = recv(so, (void *)newmsg, (socklen_t)reallen, 0)) < 0) { |
---|
1944 | if (errno == EINTR) |
---|
1945 | continue; |
---|
1946 | __ipsec_set_strerror(strerror(errno)); |
---|
1947 | free(newmsg); |
---|
1948 | return NULL; |
---|
1949 | } |
---|
1950 | |
---|
1951 | if (len != reallen) { |
---|
1952 | __ipsec_errcode = EIPSEC_SYSTEM_ERROR; |
---|
1953 | free(newmsg); |
---|
1954 | return NULL; |
---|
1955 | } |
---|
1956 | |
---|
1957 | /* don't trust what the kernel says, validate! */ |
---|
1958 | if (PFKEY_UNUNIT64(newmsg->sadb_msg_len) != len) { |
---|
1959 | __ipsec_errcode = EIPSEC_SYSTEM_ERROR; |
---|
1960 | free(newmsg); |
---|
1961 | return NULL; |
---|
1962 | } |
---|
1963 | |
---|
1964 | __ipsec_errcode = EIPSEC_NO_ERROR; |
---|
1965 | return newmsg; |
---|
1966 | } |
---|
1967 | |
---|
1968 | /* |
---|
1969 | * send message to a socket. |
---|
1970 | * OUT: |
---|
1971 | * others: success and return length sent. |
---|
1972 | * -1 : fail. |
---|
1973 | */ |
---|
1974 | int |
---|
1975 | pfkey_send(int so, struct sadb_msg *msg, int len) |
---|
1976 | { |
---|
1977 | if ((len = send(so, (void *)msg, (socklen_t)len, 0)) < 0) { |
---|
1978 | __ipsec_set_strerror(strerror(errno)); |
---|
1979 | return -1; |
---|
1980 | } |
---|
1981 | |
---|
1982 | __ipsec_errcode = EIPSEC_NO_ERROR; |
---|
1983 | return len; |
---|
1984 | } |
---|
1985 | |
---|
1986 | /* |
---|
1987 | * %%% Utilities |
---|
1988 | * NOTE: These functions are derived from netkey/key.c in KAME. |
---|
1989 | */ |
---|
1990 | /* |
---|
1991 | * set the pointer to each header in this message buffer. |
---|
1992 | * IN: msg: pointer to message buffer. |
---|
1993 | * mhp: pointer to the buffer initialized like below: |
---|
1994 | * caddr_t mhp[SADB_EXT_MAX + 1]; |
---|
1995 | * OUT: -1: invalid. |
---|
1996 | * 0: valid. |
---|
1997 | * |
---|
1998 | * XXX should be rewritten to obtain length explicitly |
---|
1999 | */ |
---|
2000 | int |
---|
2001 | pfkey_align(struct sadb_msg *msg, caddr_t *mhp) |
---|
2002 | { |
---|
2003 | struct sadb_ext *ext; |
---|
2004 | int i; |
---|
2005 | caddr_t p; |
---|
2006 | caddr_t ep; /* XXX should be passed from upper layer */ |
---|
2007 | |
---|
2008 | /* validity check */ |
---|
2009 | if (msg == NULL || mhp == NULL) { |
---|
2010 | __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; |
---|
2011 | return -1; |
---|
2012 | } |
---|
2013 | |
---|
2014 | /* initialize */ |
---|
2015 | for (i = 0; i < SADB_EXT_MAX + 1; i++) |
---|
2016 | mhp[i] = NULL; |
---|
2017 | |
---|
2018 | mhp[0] = (void *)msg; |
---|
2019 | |
---|
2020 | /* initialize */ |
---|
2021 | p = (void *) msg; |
---|
2022 | ep = p + PFKEY_UNUNIT64(msg->sadb_msg_len); |
---|
2023 | |
---|
2024 | /* skip base header */ |
---|
2025 | p += sizeof(struct sadb_msg); |
---|
2026 | |
---|
2027 | while (p < ep) { |
---|
2028 | ext = (void *)p; |
---|
2029 | if (ep < p + sizeof(*ext) || PFKEY_EXTLEN(ext) < sizeof(*ext) || |
---|
2030 | ep < p + PFKEY_EXTLEN(ext)) { |
---|
2031 | /* invalid format */ |
---|
2032 | break; |
---|
2033 | } |
---|
2034 | |
---|
2035 | /* duplicate check */ |
---|
2036 | /* XXX Are there duplication either KEY_AUTH or KEY_ENCRYPT ?*/ |
---|
2037 | if (mhp[ext->sadb_ext_type] != NULL) { |
---|
2038 | __ipsec_errcode = EIPSEC_INVAL_EXTTYPE; |
---|
2039 | return -1; |
---|
2040 | } |
---|
2041 | |
---|
2042 | /* set pointer */ |
---|
2043 | switch (ext->sadb_ext_type) { |
---|
2044 | case SADB_EXT_SA: |
---|
2045 | case SADB_EXT_LIFETIME_CURRENT: |
---|
2046 | case SADB_EXT_LIFETIME_HARD: |
---|
2047 | case SADB_EXT_LIFETIME_SOFT: |
---|
2048 | case SADB_EXT_ADDRESS_SRC: |
---|
2049 | case SADB_EXT_ADDRESS_DST: |
---|
2050 | case SADB_EXT_ADDRESS_PROXY: |
---|
2051 | case SADB_EXT_KEY_AUTH: |
---|
2052 | /* XXX should to be check weak keys. */ |
---|
2053 | case SADB_EXT_KEY_ENCRYPT: |
---|
2054 | /* XXX should to be check weak keys. */ |
---|
2055 | case SADB_EXT_IDENTITY_SRC: |
---|
2056 | case SADB_EXT_IDENTITY_DST: |
---|
2057 | case SADB_EXT_SENSITIVITY: |
---|
2058 | case SADB_EXT_PROPOSAL: |
---|
2059 | case SADB_EXT_SUPPORTED_AUTH: |
---|
2060 | case SADB_EXT_SUPPORTED_ENCRYPT: |
---|
2061 | case SADB_EXT_SPIRANGE: |
---|
2062 | case SADB_X_EXT_POLICY: |
---|
2063 | case SADB_X_EXT_SA2: |
---|
2064 | #ifdef SADB_X_EXT_NAT_T_TYPE |
---|
2065 | case SADB_X_EXT_NAT_T_TYPE: |
---|
2066 | case SADB_X_EXT_NAT_T_SPORT: |
---|
2067 | case SADB_X_EXT_NAT_T_DPORT: |
---|
2068 | case SADB_X_EXT_NAT_T_OAI: |
---|
2069 | case SADB_X_EXT_NAT_T_OAR: |
---|
2070 | #endif |
---|
2071 | #ifdef SADB_X_EXT_TAG |
---|
2072 | case SADB_X_EXT_TAG: |
---|
2073 | #endif |
---|
2074 | #ifdef SADB_X_EXT_PACKET |
---|
2075 | case SADB_X_EXT_PACKET: |
---|
2076 | #endif |
---|
2077 | #ifdef SADB_X_EXT_KMADDRESS |
---|
2078 | case SADB_X_EXT_KMADDRESS: |
---|
2079 | #endif |
---|
2080 | #ifdef SADB_X_EXT_SEC_CTX |
---|
2081 | case SADB_X_EXT_SEC_CTX: |
---|
2082 | #endif |
---|
2083 | mhp[ext->sadb_ext_type] = (void *)ext; |
---|
2084 | break; |
---|
2085 | default: |
---|
2086 | __ipsec_errcode = EIPSEC_INVAL_EXTTYPE; |
---|
2087 | return -1; |
---|
2088 | } |
---|
2089 | |
---|
2090 | p += PFKEY_EXTLEN(ext); |
---|
2091 | } |
---|
2092 | |
---|
2093 | if (p != ep) { |
---|
2094 | __ipsec_errcode = EIPSEC_INVAL_SADBMSG; |
---|
2095 | return -1; |
---|
2096 | } |
---|
2097 | |
---|
2098 | __ipsec_errcode = EIPSEC_NO_ERROR; |
---|
2099 | return 0; |
---|
2100 | } |
---|
2101 | |
---|
2102 | /* |
---|
2103 | * check basic usage for sadb_msg, |
---|
2104 | * NOTE: This routine is derived from netkey/key.c in KAME. |
---|
2105 | * IN: msg: pointer to message buffer. |
---|
2106 | * mhp: pointer to the buffer initialized like below: |
---|
2107 | * |
---|
2108 | * caddr_t mhp[SADB_EXT_MAX + 1]; |
---|
2109 | * |
---|
2110 | * OUT: -1: invalid. |
---|
2111 | * 0: valid. |
---|
2112 | */ |
---|
2113 | int |
---|
2114 | pfkey_check(caddr_t *mhp) |
---|
2115 | { |
---|
2116 | struct sadb_msg *msg; |
---|
2117 | |
---|
2118 | /* validity check */ |
---|
2119 | if (mhp == NULL || mhp[0] == NULL) { |
---|
2120 | __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; |
---|
2121 | return -1; |
---|
2122 | } |
---|
2123 | |
---|
2124 | msg = (void *)mhp[0]; |
---|
2125 | |
---|
2126 | /* check version */ |
---|
2127 | if (msg->sadb_msg_version != PF_KEY_V2) { |
---|
2128 | __ipsec_errcode = EIPSEC_INVAL_VERSION; |
---|
2129 | return -1; |
---|
2130 | } |
---|
2131 | |
---|
2132 | /* check type */ |
---|
2133 | if (msg->sadb_msg_type > SADB_MAX) { |
---|
2134 | __ipsec_errcode = EIPSEC_INVAL_MSGTYPE; |
---|
2135 | return -1; |
---|
2136 | } |
---|
2137 | |
---|
2138 | /* check SA type */ |
---|
2139 | switch (msg->sadb_msg_satype) { |
---|
2140 | case SADB_SATYPE_UNSPEC: |
---|
2141 | switch (msg->sadb_msg_type) { |
---|
2142 | case SADB_GETSPI: |
---|
2143 | case SADB_UPDATE: |
---|
2144 | case SADB_ADD: |
---|
2145 | case SADB_DELETE: |
---|
2146 | case SADB_GET: |
---|
2147 | case SADB_ACQUIRE: |
---|
2148 | case SADB_EXPIRE: |
---|
2149 | #ifdef SADB_X_NAT_T_NEW_MAPPING |
---|
2150 | case SADB_X_NAT_T_NEW_MAPPING: |
---|
2151 | #endif |
---|
2152 | __ipsec_errcode = EIPSEC_INVAL_SATYPE; |
---|
2153 | return -1; |
---|
2154 | } |
---|
2155 | break; |
---|
2156 | case SADB_SATYPE_ESP: |
---|
2157 | case SADB_SATYPE_AH: |
---|
2158 | case SADB_X_SATYPE_IPCOMP: |
---|
2159 | #ifdef SADB_X_SATYPE_TCPSIGNATURE |
---|
2160 | case SADB_X_SATYPE_TCPSIGNATURE: |
---|
2161 | #endif |
---|
2162 | switch (msg->sadb_msg_type) { |
---|
2163 | case SADB_X_SPDADD: |
---|
2164 | case SADB_X_SPDDELETE: |
---|
2165 | case SADB_X_SPDGET: |
---|
2166 | case SADB_X_SPDDUMP: |
---|
2167 | case SADB_X_SPDFLUSH: |
---|
2168 | __ipsec_errcode = EIPSEC_INVAL_SATYPE; |
---|
2169 | return -1; |
---|
2170 | } |
---|
2171 | #ifdef SADB_X_NAT_T_NEW_MAPPING |
---|
2172 | if (msg->sadb_msg_type == SADB_X_NAT_T_NEW_MAPPING && |
---|
2173 | msg->sadb_msg_satype != SADB_SATYPE_ESP) { |
---|
2174 | __ipsec_errcode = EIPSEC_INVAL_SATYPE; |
---|
2175 | return -1; |
---|
2176 | } |
---|
2177 | #endif |
---|
2178 | break; |
---|
2179 | case SADB_SATYPE_RSVP: |
---|
2180 | case SADB_SATYPE_OSPFV2: |
---|
2181 | case SADB_SATYPE_RIPV2: |
---|
2182 | case SADB_SATYPE_MIP: |
---|
2183 | __ipsec_errcode = EIPSEC_NOT_SUPPORTED; |
---|
2184 | return -1; |
---|
2185 | case 1: /* XXX: What does it do ? */ |
---|
2186 | if (msg->sadb_msg_type == SADB_X_PROMISC) |
---|
2187 | break; |
---|
2188 | /*FALLTHROUGH*/ |
---|
2189 | default: |
---|
2190 | #ifdef __linux__ |
---|
2191 | /* Linux kernel seems to be buggy and return |
---|
2192 | * uninitialized satype for spd flush message */ |
---|
2193 | if (msg->sadb_msg_type == SADB_X_SPDFLUSH) |
---|
2194 | break; |
---|
2195 | #endif |
---|
2196 | __ipsec_errcode = EIPSEC_INVAL_SATYPE; |
---|
2197 | return -1; |
---|
2198 | } |
---|
2199 | |
---|
2200 | /* check field of upper layer protocol and address family */ |
---|
2201 | if (mhp[SADB_EXT_ADDRESS_SRC] != NULL |
---|
2202 | && mhp[SADB_EXT_ADDRESS_DST] != NULL) { |
---|
2203 | struct sadb_address *src0, *dst0; |
---|
2204 | |
---|
2205 | src0 = (void *)(mhp[SADB_EXT_ADDRESS_SRC]); |
---|
2206 | dst0 = (void *)(mhp[SADB_EXT_ADDRESS_DST]); |
---|
2207 | |
---|
2208 | if (src0->sadb_address_proto != dst0->sadb_address_proto) { |
---|
2209 | __ipsec_errcode = EIPSEC_PROTO_MISMATCH; |
---|
2210 | return -1; |
---|
2211 | } |
---|
2212 | |
---|
2213 | if (PFKEY_ADDR_SADDR(src0)->sa_family |
---|
2214 | != PFKEY_ADDR_SADDR(dst0)->sa_family) { |
---|
2215 | __ipsec_errcode = EIPSEC_FAMILY_MISMATCH; |
---|
2216 | return -1; |
---|
2217 | } |
---|
2218 | |
---|
2219 | switch (PFKEY_ADDR_SADDR(src0)->sa_family) { |
---|
2220 | case AF_INET: |
---|
2221 | case AF_INET6: |
---|
2222 | break; |
---|
2223 | default: |
---|
2224 | __ipsec_errcode = EIPSEC_INVAL_FAMILY; |
---|
2225 | return -1; |
---|
2226 | } |
---|
2227 | |
---|
2228 | /* |
---|
2229 | * prefixlen == 0 is valid because there must be the case |
---|
2230 | * all addresses are matched. |
---|
2231 | */ |
---|
2232 | } |
---|
2233 | |
---|
2234 | __ipsec_errcode = EIPSEC_NO_ERROR; |
---|
2235 | return 0; |
---|
2236 | } |
---|
2237 | |
---|
2238 | /* |
---|
2239 | * set data into sadb_msg. |
---|
2240 | * `buf' must has been allocated sufficiently. |
---|
2241 | */ |
---|
2242 | static caddr_t |
---|
2243 | pfkey_setsadbmsg(caddr_t buf, caddr_t lim, u_int type, u_int tlen, |
---|
2244 | u_int satype, u_int32_t seq, pid_t pid) |
---|
2245 | { |
---|
2246 | struct sadb_msg *p; |
---|
2247 | u_int len; |
---|
2248 | |
---|
2249 | p = (void *)buf; |
---|
2250 | len = sizeof(struct sadb_msg); |
---|
2251 | |
---|
2252 | if (buf + len > lim) |
---|
2253 | return NULL; |
---|
2254 | |
---|
2255 | memset(p, 0, len); |
---|
2256 | p->sadb_msg_version = PF_KEY_V2; |
---|
2257 | p->sadb_msg_type = type; |
---|
2258 | p->sadb_msg_errno = 0; |
---|
2259 | p->sadb_msg_satype = satype; |
---|
2260 | p->sadb_msg_len = PFKEY_UNIT64(tlen); |
---|
2261 | p->sadb_msg_reserved = 0; |
---|
2262 | p->sadb_msg_seq = seq; |
---|
2263 | p->sadb_msg_pid = (u_int32_t)pid; |
---|
2264 | |
---|
2265 | return(buf + len); |
---|
2266 | } |
---|
2267 | |
---|
2268 | /* |
---|
2269 | * copy secasvar data into sadb_address. |
---|
2270 | * `buf' must has been allocated sufficiently. |
---|
2271 | */ |
---|
2272 | static caddr_t |
---|
2273 | pfkey_setsadbsa(caddr_t buf, caddr_t lim, u_int32_t spi, u_int wsize, |
---|
2274 | u_int auth, u_int enc, u_int32_t flags) |
---|
2275 | { |
---|
2276 | struct sadb_sa *p; |
---|
2277 | u_int len; |
---|
2278 | |
---|
2279 | p = (void *)buf; |
---|
2280 | len = sizeof(struct sadb_sa); |
---|
2281 | |
---|
2282 | if (buf + len > lim) |
---|
2283 | return NULL; |
---|
2284 | |
---|
2285 | memset(p, 0, len); |
---|
2286 | p->sadb_sa_len = PFKEY_UNIT64(len); |
---|
2287 | p->sadb_sa_exttype = SADB_EXT_SA; |
---|
2288 | p->sadb_sa_spi = spi; |
---|
2289 | p->sadb_sa_replay = wsize; |
---|
2290 | p->sadb_sa_state = SADB_SASTATE_LARVAL; |
---|
2291 | p->sadb_sa_auth = auth; |
---|
2292 | p->sadb_sa_encrypt = enc; |
---|
2293 | p->sadb_sa_flags = flags; |
---|
2294 | |
---|
2295 | return(buf + len); |
---|
2296 | } |
---|
2297 | |
---|
2298 | /* |
---|
2299 | * set data into sadb_address. |
---|
2300 | * `buf' must has been allocated sufficiently. |
---|
2301 | * prefixlen is in bits. |
---|
2302 | */ |
---|
2303 | static caddr_t |
---|
2304 | pfkey_setsadbaddr(caddr_t buf, caddr_t lim, u_int exttype, |
---|
2305 | struct sockaddr *saddr, u_int prefixlen, u_int ul_proto) |
---|
2306 | { |
---|
2307 | struct sadb_address *p; |
---|
2308 | u_int len; |
---|
2309 | |
---|
2310 | p = (void *)buf; |
---|
2311 | len = sizeof(struct sadb_address) + PFKEY_ALIGN8(sysdep_sa_len(saddr)); |
---|
2312 | |
---|
2313 | if (buf + len > lim) |
---|
2314 | return NULL; |
---|
2315 | |
---|
2316 | memset(p, 0, len); |
---|
2317 | p->sadb_address_len = PFKEY_UNIT64(len); |
---|
2318 | p->sadb_address_exttype = exttype & 0xffff; |
---|
2319 | p->sadb_address_proto = ul_proto & 0xff; |
---|
2320 | p->sadb_address_prefixlen = prefixlen; |
---|
2321 | p->sadb_address_reserved = 0; |
---|
2322 | |
---|
2323 | memcpy(p + 1, saddr, (size_t)sysdep_sa_len(saddr)); |
---|
2324 | |
---|
2325 | return(buf + len); |
---|
2326 | } |
---|
2327 | |
---|
2328 | #ifdef SADB_X_EXT_KMADDRESS |
---|
2329 | /* |
---|
2330 | * set data into sadb_x_kmaddress. |
---|
2331 | * `buf' must has been allocated sufficiently. |
---|
2332 | */ |
---|
2333 | static caddr_t |
---|
2334 | pfkey_setsadbkmaddr(caddr_t buf, caddr_t lim, struct sockaddr *local, |
---|
2335 | struct sockaddr *remote) |
---|
2336 | { |
---|
2337 | struct sadb_x_kmaddress *p; |
---|
2338 | struct sockaddr *sa; |
---|
2339 | u_int salen = sysdep_sa_len(local); |
---|
2340 | u_int len; |
---|
2341 | |
---|
2342 | /* sanity check */ |
---|
2343 | if (local->sa_family != remote->sa_family) |
---|
2344 | return NULL; |
---|
2345 | |
---|
2346 | p = (void *)buf; |
---|
2347 | len = sizeof(struct sadb_x_kmaddress) + PFKEY_ALIGN8(2*salen); |
---|
2348 | |
---|
2349 | if (buf + len > lim) |
---|
2350 | return NULL; |
---|
2351 | |
---|
2352 | memset(p, 0, len); |
---|
2353 | p->sadb_x_kmaddress_len = PFKEY_UNIT64(len); |
---|
2354 | p->sadb_x_kmaddress_exttype = SADB_X_EXT_KMADDRESS; |
---|
2355 | p->sadb_x_kmaddress_reserved = 0; |
---|
2356 | sa = (struct sockaddr *)(p + 1); |
---|
2357 | memcpy(sa, local, salen); |
---|
2358 | sa = (struct sockaddr *)((char *)sa + salen); |
---|
2359 | memcpy(sa, remote, salen); |
---|
2360 | |
---|
2361 | return(buf + len); |
---|
2362 | } |
---|
2363 | #endif |
---|
2364 | |
---|
2365 | /* |
---|
2366 | * set sadb_key structure after clearing buffer with zero. |
---|
2367 | * OUT: the pointer of buf + len. |
---|
2368 | */ |
---|
2369 | static caddr_t |
---|
2370 | pfkey_setsadbkey(caddr_t buf, caddr_t lim, u_int type, caddr_t key, |
---|
2371 | u_int keylen) |
---|
2372 | { |
---|
2373 | struct sadb_key *p; |
---|
2374 | u_int len; |
---|
2375 | |
---|
2376 | p = (void *)buf; |
---|
2377 | len = sizeof(struct sadb_key) + PFKEY_ALIGN8(keylen); |
---|
2378 | |
---|
2379 | if (buf + len > lim) |
---|
2380 | return NULL; |
---|
2381 | |
---|
2382 | memset(p, 0, len); |
---|
2383 | p->sadb_key_len = PFKEY_UNIT64(len); |
---|
2384 | p->sadb_key_exttype = type; |
---|
2385 | p->sadb_key_bits = keylen << 3; |
---|
2386 | p->sadb_key_reserved = 0; |
---|
2387 | |
---|
2388 | memcpy(p + 1, key, keylen); |
---|
2389 | |
---|
2390 | return buf + len; |
---|
2391 | } |
---|
2392 | |
---|
2393 | /* |
---|
2394 | * set sadb_lifetime structure after clearing buffer with zero. |
---|
2395 | * OUT: the pointer of buf + len. |
---|
2396 | */ |
---|
2397 | static caddr_t |
---|
2398 | pfkey_setsadblifetime(caddr_t buf, caddr_t lim, u_int type, u_int32_t l_alloc, |
---|
2399 | u_int32_t l_bytes, u_int32_t l_addtime, u_int32_t l_usetime) |
---|
2400 | { |
---|
2401 | struct sadb_lifetime *p; |
---|
2402 | u_int len; |
---|
2403 | |
---|
2404 | p = (void *)buf; |
---|
2405 | len = sizeof(struct sadb_lifetime); |
---|
2406 | |
---|
2407 | if (buf + len > lim) |
---|
2408 | return NULL; |
---|
2409 | |
---|
2410 | memset(p, 0, len); |
---|
2411 | p->sadb_lifetime_len = PFKEY_UNIT64(len); |
---|
2412 | p->sadb_lifetime_exttype = type; |
---|
2413 | |
---|
2414 | switch (type) { |
---|
2415 | case SADB_EXT_LIFETIME_SOFT: |
---|
2416 | p->sadb_lifetime_allocations |
---|
2417 | = (l_alloc * soft_lifetime_allocations_rate) /100; |
---|
2418 | p->sadb_lifetime_bytes |
---|
2419 | = (l_bytes * soft_lifetime_bytes_rate) /100; |
---|
2420 | p->sadb_lifetime_addtime |
---|
2421 | = (l_addtime * soft_lifetime_addtime_rate) /100; |
---|
2422 | p->sadb_lifetime_usetime |
---|
2423 | = (l_usetime * soft_lifetime_usetime_rate) /100; |
---|
2424 | break; |
---|
2425 | case SADB_EXT_LIFETIME_HARD: |
---|
2426 | p->sadb_lifetime_allocations = l_alloc; |
---|
2427 | p->sadb_lifetime_bytes = l_bytes; |
---|
2428 | p->sadb_lifetime_addtime = l_addtime; |
---|
2429 | p->sadb_lifetime_usetime = l_usetime; |
---|
2430 | break; |
---|
2431 | } |
---|
2432 | |
---|
2433 | return buf + len; |
---|
2434 | } |
---|
2435 | |
---|
2436 | /* |
---|
2437 | * copy secasvar data into sadb_address. |
---|
2438 | * `buf' must has been allocated sufficiently. |
---|
2439 | */ |
---|
2440 | static caddr_t |
---|
2441 | pfkey_setsadbxsa2(caddr_t buf, caddr_t lim, u_int32_t mode0, u_int32_t reqid) |
---|
2442 | { |
---|
2443 | struct sadb_x_sa2 *p; |
---|
2444 | u_int8_t mode = mode0 & 0xff; |
---|
2445 | u_int len; |
---|
2446 | |
---|
2447 | p = (void *)buf; |
---|
2448 | len = sizeof(struct sadb_x_sa2); |
---|
2449 | |
---|
2450 | if (buf + len > lim) |
---|
2451 | return NULL; |
---|
2452 | |
---|
2453 | memset(p, 0, len); |
---|
2454 | p->sadb_x_sa2_len = PFKEY_UNIT64(len); |
---|
2455 | p->sadb_x_sa2_exttype = SADB_X_EXT_SA2; |
---|
2456 | p->sadb_x_sa2_mode = mode; |
---|
2457 | p->sadb_x_sa2_reqid = reqid; |
---|
2458 | |
---|
2459 | return(buf + len); |
---|
2460 | } |
---|
2461 | |
---|
2462 | #ifdef SADB_X_EXT_NAT_T_TYPE |
---|
2463 | static caddr_t |
---|
2464 | pfkey_set_natt_type(caddr_t buf, caddr_t lim, u_int type, u_int8_t l_natt_type) |
---|
2465 | { |
---|
2466 | struct sadb_x_nat_t_type *p; |
---|
2467 | u_int len; |
---|
2468 | |
---|
2469 | p = (void *)buf; |
---|
2470 | len = sizeof(struct sadb_x_nat_t_type); |
---|
2471 | |
---|
2472 | if (buf + len > lim) |
---|
2473 | return NULL; |
---|
2474 | |
---|
2475 | memset(p, 0, len); |
---|
2476 | p->sadb_x_nat_t_type_len = PFKEY_UNIT64(len); |
---|
2477 | p->sadb_x_nat_t_type_exttype = type; |
---|
2478 | p->sadb_x_nat_t_type_type = l_natt_type; |
---|
2479 | |
---|
2480 | return(buf + len); |
---|
2481 | } |
---|
2482 | |
---|
2483 | static caddr_t |
---|
2484 | pfkey_set_natt_port(caddr_t buf, caddr_t lim, u_int type, u_int16_t l_natt_port) |
---|
2485 | { |
---|
2486 | struct sadb_x_nat_t_port *p; |
---|
2487 | u_int len; |
---|
2488 | |
---|
2489 | p = (void *)buf; |
---|
2490 | len = sizeof(struct sadb_x_nat_t_port); |
---|
2491 | |
---|
2492 | if (buf + len > lim) |
---|
2493 | return NULL; |
---|
2494 | |
---|
2495 | memset(p, 0, len); |
---|
2496 | p->sadb_x_nat_t_port_len = PFKEY_UNIT64(len); |
---|
2497 | p->sadb_x_nat_t_port_exttype = type; |
---|
2498 | p->sadb_x_nat_t_port_port = htons(l_natt_port); |
---|
2499 | |
---|
2500 | return(buf + len); |
---|
2501 | } |
---|
2502 | #endif |
---|
2503 | |
---|
2504 | #ifdef SADB_X_EXT_NAT_T_FRAG |
---|
2505 | static caddr_t |
---|
2506 | pfkey_set_natt_frag(caddr_t buf, caddr_t lim, u_int type, |
---|
2507 | u_int16_t l_natt_frag) |
---|
2508 | { |
---|
2509 | struct sadb_x_nat_t_frag *p; |
---|
2510 | u_int len; |
---|
2511 | |
---|
2512 | p = (void *)buf; |
---|
2513 | len = sizeof(struct sadb_x_nat_t_frag); |
---|
2514 | |
---|
2515 | if (buf + len > lim) |
---|
2516 | return NULL; |
---|
2517 | |
---|
2518 | memset(p, 0, len); |
---|
2519 | p->sadb_x_nat_t_frag_len = PFKEY_UNIT64(len); |
---|
2520 | p->sadb_x_nat_t_frag_exttype = type; |
---|
2521 | p->sadb_x_nat_t_frag_fraglen = l_natt_frag; |
---|
2522 | |
---|
2523 | return(buf + len); |
---|
2524 | } |
---|
2525 | #endif |
---|
2526 | |
---|
2527 | #ifdef SADB_X_EXT_SEC_CTX |
---|
2528 | static caddr_t |
---|
2529 | pfkey_setsecctx(caddr_t buf, caddr_t lim, u_int type, u_int8_t ctx_doi, |
---|
2530 | u_int8_t ctx_alg, caddr_t sec_ctx, u_int16_t sec_ctxlen) |
---|
2531 | { |
---|
2532 | struct sadb_x_sec_ctx *p; |
---|
2533 | u_int len; |
---|
2534 | |
---|
2535 | p = (struct sadb_x_sec_ctx *)buf; |
---|
2536 | len = sizeof(struct sadb_x_sec_ctx) + PFKEY_ALIGN8(sec_ctxlen); |
---|
2537 | |
---|
2538 | if (buf + len > lim) |
---|
2539 | return NULL; |
---|
2540 | |
---|
2541 | memset(p, 0, len); |
---|
2542 | p->sadb_x_sec_len = PFKEY_UNIT64(len); |
---|
2543 | p->sadb_x_sec_exttype = type; |
---|
2544 | p->sadb_x_ctx_len = sec_ctxlen; |
---|
2545 | p->sadb_x_ctx_doi = ctx_doi; |
---|
2546 | p->sadb_x_ctx_alg = ctx_alg; |
---|
2547 | |
---|
2548 | memcpy(p + 1, sec_ctx, sec_ctxlen); |
---|
2549 | |
---|
2550 | return buf + len; |
---|
2551 | } |
---|
2552 | #endif |
---|
2553 | |
---|
2554 | /* |
---|
2555 | * Deprecated, available for backward compatibility with third party |
---|
2556 | * libipsec users. Please use pfkey_send_update2 and pfkey_send_add2 instead |
---|
2557 | */ |
---|
2558 | int |
---|
2559 | pfkey_send_update(int so, u_int satype, u_int mode, struct sockaddr *src, |
---|
2560 | struct sockaddr *dst, u_int32_t spi, u_int32_t reqid, u_int wsize, |
---|
2561 | caddr_t keymat, u_int e_type, u_int e_keylen, u_int a_type, |
---|
2562 | u_int a_keylen, u_int flags, u_int32_t l_alloc, u_int64_t l_bytes, |
---|
2563 | u_int64_t l_addtime, u_int64_t l_usetime, u_int32_t seq) |
---|
2564 | { |
---|
2565 | struct pfkey_send_sa_args psaa; |
---|
2566 | |
---|
2567 | memset(&psaa, 0, sizeof(psaa)); |
---|
2568 | psaa.so = so; |
---|
2569 | psaa.type = SADB_UPDATE; |
---|
2570 | psaa.satype = satype; |
---|
2571 | psaa.mode = mode; |
---|
2572 | psaa.wsize = wsize; |
---|
2573 | psaa.src = src; |
---|
2574 | psaa.dst = dst; |
---|
2575 | psaa.spi = spi; |
---|
2576 | psaa.reqid = reqid; |
---|
2577 | psaa.keymat = keymat; |
---|
2578 | psaa.e_type = e_type; |
---|
2579 | psaa.e_keylen = e_keylen; |
---|
2580 | psaa.a_type = a_type; |
---|
2581 | psaa.a_keylen = a_keylen; |
---|
2582 | psaa.flags = flags; |
---|
2583 | psaa.l_alloc = l_alloc; |
---|
2584 | psaa.l_bytes = l_bytes; |
---|
2585 | psaa.l_addtime = l_addtime; |
---|
2586 | psaa.l_usetime = l_usetime; |
---|
2587 | psaa.seq = seq; |
---|
2588 | |
---|
2589 | return pfkey_send_update2(&psaa); |
---|
2590 | } |
---|
2591 | |
---|
2592 | int |
---|
2593 | pfkey_send_update_nat(int so, u_int satype, u_int mode, struct sockaddr *src, |
---|
2594 | struct sockaddr *dst, u_int32_t spi, u_int32_t reqid, u_int wsize, |
---|
2595 | caddr_t keymat, u_int e_type, u_int e_keylen, u_int a_type, |
---|
2596 | u_int a_keylen, u_int flags, u_int32_t l_alloc, u_int64_t l_bytes, |
---|
2597 | u_int64_t l_addtime, u_int64_t l_usetime, u_int32_t seq, |
---|
2598 | u_int8_t l_natt_type, u_int16_t l_natt_sport, u_int16_t l_natt_dport, |
---|
2599 | struct sockaddr *l_natt_oa, u_int16_t l_natt_frag) |
---|
2600 | { |
---|
2601 | struct pfkey_send_sa_args psaa; |
---|
2602 | |
---|
2603 | memset(&psaa, 0, sizeof(psaa)); |
---|
2604 | psaa.so = so; |
---|
2605 | psaa.type = SADB_UPDATE; |
---|
2606 | psaa.satype = satype; |
---|
2607 | psaa.mode = mode; |
---|
2608 | psaa.wsize = wsize; |
---|
2609 | psaa.src = src; |
---|
2610 | psaa.dst = dst; |
---|
2611 | psaa.spi = spi; |
---|
2612 | psaa.reqid = reqid; |
---|
2613 | psaa.keymat = keymat; |
---|
2614 | psaa.e_type = e_type; |
---|
2615 | psaa.e_keylen = e_keylen; |
---|
2616 | psaa.a_type = a_type; |
---|
2617 | psaa.a_keylen = a_keylen; |
---|
2618 | psaa.flags = flags; |
---|
2619 | psaa.l_alloc = l_alloc; |
---|
2620 | psaa.l_bytes = l_bytes; |
---|
2621 | psaa.l_addtime = l_addtime; |
---|
2622 | psaa.l_usetime = l_usetime; |
---|
2623 | psaa.seq = seq; |
---|
2624 | psaa.l_natt_type = l_natt_type; |
---|
2625 | psaa.l_natt_sport = l_natt_sport; |
---|
2626 | psaa.l_natt_dport = l_natt_dport; |
---|
2627 | psaa.l_natt_oar = l_natt_oa; |
---|
2628 | psaa.l_natt_frag = l_natt_frag; |
---|
2629 | |
---|
2630 | return pfkey_send_update2(&psaa); |
---|
2631 | } |
---|
2632 | |
---|
2633 | int |
---|
2634 | pfkey_send_add(int so, u_int satype, u_int mode, struct sockaddr *src, |
---|
2635 | struct sockaddr *dst, u_int32_t spi, u_int32_t reqid, u_int wsize, |
---|
2636 | caddr_t keymat, u_int e_type, u_int e_keylen, u_int a_type, |
---|
2637 | u_int a_keylen, u_int flags, u_int32_t l_alloc, u_int64_t l_bytes, |
---|
2638 | u_int64_t l_addtime, u_int64_t l_usetime, u_int32_t seq) |
---|
2639 | { |
---|
2640 | struct pfkey_send_sa_args psaa; |
---|
2641 | |
---|
2642 | memset(&psaa, 0, sizeof(psaa)); |
---|
2643 | psaa.so = so; |
---|
2644 | psaa.type = SADB_ADD; |
---|
2645 | psaa.satype = satype; |
---|
2646 | psaa.mode = mode; |
---|
2647 | psaa.wsize = wsize; |
---|
2648 | psaa.src = src; |
---|
2649 | psaa.dst = dst; |
---|
2650 | psaa.spi = spi; |
---|
2651 | psaa.reqid = reqid; |
---|
2652 | psaa.keymat = keymat; |
---|
2653 | psaa.e_type = e_type; |
---|
2654 | psaa.e_keylen = e_keylen; |
---|
2655 | psaa.a_type = a_type; |
---|
2656 | psaa.a_keylen = a_keylen; |
---|
2657 | psaa.flags = flags; |
---|
2658 | psaa.l_alloc = l_alloc; |
---|
2659 | psaa.l_bytes = l_bytes; |
---|
2660 | psaa.l_addtime = l_addtime; |
---|
2661 | psaa.l_usetime = l_usetime; |
---|
2662 | psaa.seq = seq; |
---|
2663 | |
---|
2664 | return pfkey_send_add2(&psaa); |
---|
2665 | } |
---|
2666 | |
---|
2667 | int |
---|
2668 | pfkey_send_add_nat(int so, u_int satype, u_int mode, struct sockaddr *src, |
---|
2669 | struct sockaddr *dst, u_int32_t spi, u_int32_t reqid, u_int wsize, |
---|
2670 | caddr_t keymat, u_int e_type, u_int e_keylen, u_int a_type, |
---|
2671 | u_int a_keylen, u_int flags, u_int32_t l_alloc, u_int64_t l_bytes, |
---|
2672 | u_int64_t l_addtime, u_int64_t l_usetime, u_int32_t seq, |
---|
2673 | u_int8_t l_natt_type, u_int16_t l_natt_sport, u_int16_t l_natt_dport, |
---|
2674 | struct sockaddr *l_natt_oa, u_int16_t l_natt_frag) |
---|
2675 | { |
---|
2676 | struct pfkey_send_sa_args psaa; |
---|
2677 | |
---|
2678 | memset(&psaa, 0, sizeof(psaa)); |
---|
2679 | psaa.so = so; |
---|
2680 | psaa.type = SADB_ADD; |
---|
2681 | psaa.satype = satype; |
---|
2682 | psaa.mode = mode; |
---|
2683 | psaa.wsize = wsize; |
---|
2684 | psaa.src = src; |
---|
2685 | psaa.dst = dst; |
---|
2686 | psaa.spi = spi; |
---|
2687 | psaa.reqid = reqid; |
---|
2688 | psaa.keymat = keymat; |
---|
2689 | psaa.e_type = e_type; |
---|
2690 | psaa.e_keylen = e_keylen; |
---|
2691 | psaa.a_type = a_type; |
---|
2692 | psaa.a_keylen = a_keylen; |
---|
2693 | psaa.flags = flags; |
---|
2694 | psaa.l_alloc = l_alloc; |
---|
2695 | psaa.l_bytes = l_bytes; |
---|
2696 | psaa.l_addtime = l_addtime; |
---|
2697 | psaa.l_usetime = l_usetime; |
---|
2698 | psaa.seq = seq; |
---|
2699 | psaa.l_natt_type = l_natt_type; |
---|
2700 | psaa.l_natt_sport = l_natt_sport; |
---|
2701 | psaa.l_natt_dport = l_natt_dport; |
---|
2702 | psaa.l_natt_oai = l_natt_oa; |
---|
2703 | psaa.l_natt_frag = l_natt_frag; |
---|
2704 | |
---|
2705 | return pfkey_send_add2(&psaa); |
---|
2706 | } |
---|