1/* $KAME: pfkey.c,v 1.46 2003/08/26 03:37:06 itojun Exp $ */ 2 3/* 4 * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project. 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. Neither the name of the project nor the names of its contributors 16 * may be used to endorse or promote products derived from this software 17 * without specific prior written permission. 18 * 19 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29 * SUCH DAMAGE. 30 */ 31 32#include <sys/cdefs.h> 33__FBSDID("$FreeBSD$"); 34 35#include <sys/types.h> 36#include <sys/param.h> 37#include <sys/socket.h> 38#include <net/pfkeyv2.h> 39#include <netipsec/key_var.h> 40#include <netinet/in.h> 41#include <netipsec/ipsec.h> 42 43#include <stdlib.h> 44#include <unistd.h> 45#include <string.h> 46#include <errno.h> 47 48#include "ipsec_strerror.h" 49#include "libpfkey.h" 50 51#define CALLOC(size, cast) (cast)calloc(1, (size)) 52 53static int findsupportedmap(int); 54static int setsupportedmap(struct sadb_supported *); 55static struct sadb_alg *findsupportedalg(u_int, u_int); 56static int pfkey_send_x1(int, u_int, u_int, u_int, struct sockaddr *, 57 struct sockaddr *, u_int32_t, u_int32_t, u_int, caddr_t, 58 u_int, u_int, u_int, u_int, u_int, u_int32_t, u_int32_t, 59 u_int32_t, u_int32_t, u_int32_t); 60static int pfkey_send_x2(int, u_int, u_int, u_int, 61 struct sockaddr *, struct sockaddr *, u_int32_t); 62static int pfkey_send_x3(int, u_int, u_int); 63static int pfkey_send_x4(int, u_int, struct sockaddr *, u_int, 64 struct sockaddr *, u_int, u_int, u_int64_t, u_int64_t, 65 char *, int, u_int32_t); 66static int pfkey_send_x5(int, u_int, u_int32_t); 67 68static caddr_t pfkey_setsadbmsg(caddr_t, caddr_t, u_int, u_int, 69 u_int, u_int32_t, pid_t); 70static caddr_t pfkey_setsadbsa(caddr_t, caddr_t, u_int32_t, u_int, 71 u_int, u_int, u_int32_t); 72static caddr_t pfkey_setsadbaddr(caddr_t, caddr_t, u_int, 73 struct sockaddr *, u_int, u_int); 74static caddr_t pfkey_setsadbkey(caddr_t, caddr_t, u_int, caddr_t, u_int); 75static caddr_t pfkey_setsadblifetime(caddr_t, caddr_t, u_int, u_int32_t, 76 u_int32_t, u_int32_t, u_int32_t); 77static caddr_t pfkey_setsadbxsa2(caddr_t, caddr_t, u_int32_t, u_int32_t); 78 79/* 80 * make and search supported algorithm structure. 81 */ 82static struct sadb_supported *ipsec_supported[] = { NULL, NULL, NULL, NULL }; 83 84static int supported_map[] = { 85 SADB_SATYPE_AH, 86 SADB_SATYPE_ESP, 87 SADB_X_SATYPE_IPCOMP, 88 SADB_X_SATYPE_TCPSIGNATURE 89}; 90 91static int 92findsupportedmap(satype) 93 int satype; 94{ 95 int i; 96 97 for (i = 0; i < sizeof(supported_map)/sizeof(supported_map[0]); i++) 98 if (supported_map[i] == satype) 99 return i; 100 return -1; 101} 102 103static struct sadb_alg * 104findsupportedalg(satype, alg_id) 105 u_int satype, alg_id; 106{ 107 int algno; 108 int tlen; 109 caddr_t p; 110 111 /* validity check */ 112 algno = findsupportedmap(satype); 113 if (algno == -1) { 114 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 115 return NULL; 116 } 117 if (ipsec_supported[algno] == NULL) { 118 __ipsec_errcode = EIPSEC_DO_GET_SUPP_LIST; 119 return NULL; 120 } 121 122 tlen = ipsec_supported[algno]->sadb_supported_len 123 - sizeof(struct sadb_supported); 124 p = (caddr_t)(ipsec_supported[algno] + 1); 125 while (tlen > 0) { 126 if (tlen < sizeof(struct sadb_alg)) { 127 /* invalid format */ 128 break; 129 } 130 if (((struct sadb_alg *)p)->sadb_alg_id == alg_id) 131 return (struct sadb_alg *)p; 132 133 tlen -= sizeof(struct sadb_alg); 134 p += sizeof(struct sadb_alg); 135 } 136 137 __ipsec_errcode = EIPSEC_NOT_SUPPORTED; 138 return NULL; 139} 140 141static int 142setsupportedmap(sup) 143 struct sadb_supported *sup; 144{ 145 struct sadb_supported **ipsup; 146 147 switch (sup->sadb_supported_exttype) { 148 case SADB_EXT_SUPPORTED_AUTH: 149 ipsup = &ipsec_supported[findsupportedmap(SADB_SATYPE_AH)]; 150 break; 151 case SADB_EXT_SUPPORTED_ENCRYPT: 152 ipsup = &ipsec_supported[findsupportedmap(SADB_SATYPE_ESP)]; 153 break; 154 default: 155 __ipsec_errcode = EIPSEC_INVAL_SATYPE; 156 return -1; 157 } 158 159 if (*ipsup) 160 free(*ipsup); 161 162 *ipsup = malloc(sup->sadb_supported_len); 163 if (!*ipsup) { 164 __ipsec_set_strerror(strerror(errno)); 165 return -1; 166 } 167 memcpy(*ipsup, sup, sup->sadb_supported_len); 168 169 return 0; 170} 171 172/* 173 * check key length against algorithm specified. 174 * This function is called with SADB_EXT_SUPPORTED_{AUTH,ENCRYPT} as the 175 * augument, and only calls to ipsec_check_keylen2(); 176 * keylen is the unit of bit. 177 * OUT: 178 * -1: invalid. 179 * 0: valid. 180 */ 181int 182ipsec_check_keylen(supported, alg_id, keylen) 183 u_int supported; 184 u_int alg_id; 185 u_int keylen; 186{ 187 int satype; 188 189 /* validity check */ 190 switch (supported) { 191 case SADB_EXT_SUPPORTED_AUTH: 192 satype = SADB_SATYPE_AH; 193 break; 194 case SADB_EXT_SUPPORTED_ENCRYPT: 195 satype = SADB_SATYPE_ESP; 196 break; 197 default: 198 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 199 return -1; 200 } 201 202 return ipsec_check_keylen2(satype, alg_id, keylen); 203} 204 205/* 206 * check key length against algorithm specified. 207 * satype is one of satype defined at pfkeyv2.h. 208 * keylen is the unit of bit. 209 * OUT: 210 * -1: invalid. 211 * 0: valid. 212 */ 213int 214ipsec_check_keylen2(satype, alg_id, keylen) 215 u_int satype; 216 u_int alg_id; 217 u_int keylen; 218{ 219 struct sadb_alg *alg; 220 221 alg = findsupportedalg(satype, alg_id); 222 if (!alg) 223 return -1; 224 225 if (keylen < alg->sadb_alg_minbits || keylen > alg->sadb_alg_maxbits) { 226 __ipsec_errcode = EIPSEC_INVAL_KEYLEN; 227 return -1; 228 } 229 230 __ipsec_errcode = EIPSEC_NO_ERROR; 231 return 0; 232} 233 234/* 235 * get max/min key length against algorithm specified. 236 * satype is one of satype defined at pfkeyv2.h. 237 * keylen is the unit of bit. 238 * OUT: 239 * -1: invalid. 240 * 0: valid. 241 */ 242int 243ipsec_get_keylen(supported, alg_id, alg0) 244 u_int supported, alg_id; 245 struct sadb_alg *alg0; 246{ 247 struct sadb_alg *alg; 248 u_int satype; 249 250 /* validity check */ 251 if (!alg0) { 252 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 253 return -1; 254 } 255 256 switch (supported) { 257 case SADB_EXT_SUPPORTED_AUTH: 258 satype = SADB_SATYPE_AH; 259 break; 260 case SADB_EXT_SUPPORTED_ENCRYPT: 261 satype = SADB_SATYPE_ESP; 262 break; 263 default: 264 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 265 return -1; 266 } 267 268 alg = findsupportedalg(satype, alg_id); 269 if (!alg) 270 return -1; 271 272 memcpy(alg0, alg, sizeof(*alg0)); 273 274 __ipsec_errcode = EIPSEC_NO_ERROR; 275 return 0; 276} 277 278/* 279 * set the rate for SOFT lifetime against HARD one. 280 * If rate is more than 100 or equal to zero, then set to 100. 281 */ 282static u_int soft_lifetime_allocations_rate = PFKEY_SOFT_LIFETIME_RATE; 283static u_int soft_lifetime_bytes_rate = PFKEY_SOFT_LIFETIME_RATE; 284static u_int soft_lifetime_addtime_rate = PFKEY_SOFT_LIFETIME_RATE; 285static u_int soft_lifetime_usetime_rate = PFKEY_SOFT_LIFETIME_RATE; 286 287u_int 288pfkey_set_softrate(type, rate) 289 u_int type, rate; 290{ 291 __ipsec_errcode = EIPSEC_NO_ERROR; 292 293 if (rate > 100 || rate == 0) 294 rate = 100; 295 296 switch (type) { 297 case SADB_X_LIFETIME_ALLOCATIONS: 298 soft_lifetime_allocations_rate = rate; 299 return 0; 300 case SADB_X_LIFETIME_BYTES: 301 soft_lifetime_bytes_rate = rate; 302 return 0; 303 case SADB_X_LIFETIME_ADDTIME: 304 soft_lifetime_addtime_rate = rate; 305 return 0; 306 case SADB_X_LIFETIME_USETIME: 307 soft_lifetime_usetime_rate = rate; 308 return 0; 309 } 310 311 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 312 return 1; 313} 314 315/* 316 * get current rate for SOFT lifetime against HARD one. 317 * ATTENTION: ~0 is returned if invalid type was passed. 318 */ 319u_int 320pfkey_get_softrate(type) 321 u_int type; 322{ 323 switch (type) { 324 case SADB_X_LIFETIME_ALLOCATIONS: 325 return soft_lifetime_allocations_rate; 326 case SADB_X_LIFETIME_BYTES: 327 return soft_lifetime_bytes_rate; 328 case SADB_X_LIFETIME_ADDTIME: 329 return soft_lifetime_addtime_rate; 330 case SADB_X_LIFETIME_USETIME: 331 return soft_lifetime_usetime_rate; 332 } 333 334 return ~0; 335} 336 337/* 338 * sending SADB_GETSPI message to the kernel. 339 * OUT: 340 * positive: success and return length sent. 341 * -1 : error occured, and set errno. 342 */ 343int 344pfkey_send_getspi(so, satype, mode, src, dst, min, max, reqid, seq) 345 int so; 346 u_int satype, mode; 347 struct sockaddr *src, *dst; 348 u_int32_t min, max, reqid, seq; 349{ 350 struct sadb_msg *newmsg; 351 caddr_t ep; 352 int len; 353 int need_spirange = 0; 354 caddr_t p; 355 int plen; 356 357 /* validity check */ 358 if (src == NULL || dst == NULL) { 359 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 360 return -1; 361 } 362 if (src->sa_family != dst->sa_family) { 363 __ipsec_errcode = EIPSEC_FAMILY_MISMATCH; 364 return -1; 365 } 366 if (min > max || (min > 0 && min <= 255)) { 367 __ipsec_errcode = EIPSEC_INVAL_SPI; 368 return -1; 369 } 370 switch (src->sa_family) { 371 case AF_INET: 372 plen = sizeof(struct in_addr) << 3; 373 break; 374 case AF_INET6: 375 plen = sizeof(struct in6_addr) << 3; 376 break; 377 default: 378 __ipsec_errcode = EIPSEC_INVAL_FAMILY; 379 return -1; 380 } 381 382 /* create new sadb_msg to send. */ 383 len = sizeof(struct sadb_msg) 384 + sizeof(struct sadb_x_sa2) 385 + sizeof(struct sadb_address) 386 + PFKEY_ALIGN8(src->sa_len) 387 + sizeof(struct sadb_address) 388 + PFKEY_ALIGN8(dst->sa_len); 389 390 if (min > 255 && max < ~0) { 391 need_spirange++; 392 len += sizeof(struct sadb_spirange); 393 } 394 395 if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) { 396 __ipsec_set_strerror(strerror(errno)); 397 return -1; 398 } 399 ep = ((caddr_t)newmsg) + len; 400 401 p = pfkey_setsadbmsg((caddr_t)newmsg, ep, SADB_GETSPI, 402 len, satype, seq, getpid()); 403 if (!p) { 404 free(newmsg); 405 return -1; 406 } 407 408 p = pfkey_setsadbxsa2(p, ep, mode, reqid); 409 if (!p) { 410 free(newmsg); 411 return -1; 412 } 413 414 /* set sadb_address for source */ 415 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, plen, 416 IPSEC_ULPROTO_ANY); 417 if (!p) { 418 free(newmsg); 419 return -1; 420 } 421 422 /* set sadb_address for destination */ 423 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, plen, 424 IPSEC_ULPROTO_ANY); 425 if (!p) { 426 free(newmsg); 427 return -1; 428 } 429 430 /* proccessing spi range */ 431 if (need_spirange) { 432 struct sadb_spirange spirange; 433 434 if (p + sizeof(spirange) > ep) { 435 free(newmsg); 436 return -1; 437 } 438 439 memset(&spirange, 0, sizeof(spirange)); 440 spirange.sadb_spirange_len = PFKEY_UNIT64(sizeof(spirange)); 441 spirange.sadb_spirange_exttype = SADB_EXT_SPIRANGE; 442 spirange.sadb_spirange_min = min; 443 spirange.sadb_spirange_max = max; 444 445 memcpy(p, &spirange, sizeof(spirange)); 446 447 p += sizeof(spirange); 448 } 449 if (p != ep) { 450 free(newmsg); 451 return -1; 452 } 453 454 /* send message */ 455 len = pfkey_send(so, newmsg, len); 456 free(newmsg); 457 458 if (len < 0) 459 return -1; 460 461 __ipsec_errcode = EIPSEC_NO_ERROR; 462 return len; 463} 464 465/* 466 * sending SADB_UPDATE message to the kernel. 467 * The length of key material is a_keylen + e_keylen. 468 * OUT: 469 * positive: success and return length sent. 470 * -1 : error occured, and set errno. 471 */ 472int 473pfkey_send_update(so, satype, mode, src, dst, spi, reqid, wsize, 474 keymat, e_type, e_keylen, a_type, a_keylen, flags, 475 l_alloc, l_bytes, l_addtime, l_usetime, seq) 476 int so; 477 u_int satype, mode, wsize; 478 struct sockaddr *src, *dst; 479 u_int32_t spi, reqid; 480 caddr_t keymat; 481 u_int e_type, e_keylen, a_type, a_keylen, flags; 482 u_int32_t l_alloc; 483 u_int64_t l_bytes, l_addtime, l_usetime; 484 u_int32_t seq; 485{ 486 int len; 487 if ((len = pfkey_send_x1(so, SADB_UPDATE, satype, mode, src, dst, spi, 488 reqid, wsize, 489 keymat, e_type, e_keylen, a_type, a_keylen, flags, 490 l_alloc, l_bytes, l_addtime, l_usetime, seq)) < 0) 491 return -1; 492 493 return len; 494} 495 496/* 497 * sending SADB_ADD message to the kernel. 498 * The length of key material is a_keylen + e_keylen. 499 * OUT: 500 * positive: success and return length sent. 501 * -1 : error occured, and set errno. 502 */ 503int 504pfkey_send_add(so, satype, mode, src, dst, spi, reqid, wsize, 505 keymat, e_type, e_keylen, a_type, a_keylen, flags, 506 l_alloc, l_bytes, l_addtime, l_usetime, seq) 507 int so; 508 u_int satype, mode, wsize; 509 struct sockaddr *src, *dst; 510 u_int32_t spi, reqid; 511 caddr_t keymat; 512 u_int e_type, e_keylen, a_type, a_keylen, flags; 513 u_int32_t l_alloc; 514 u_int64_t l_bytes, l_addtime, l_usetime; 515 u_int32_t seq; 516{ 517 int len; 518 if ((len = pfkey_send_x1(so, SADB_ADD, satype, mode, src, dst, spi, 519 reqid, wsize, 520 keymat, e_type, e_keylen, a_type, a_keylen, flags, 521 l_alloc, l_bytes, l_addtime, l_usetime, seq)) < 0) 522 return -1; 523 524 return len; 525} 526 527/* 528 * sending SADB_DELETE message to the kernel. 529 * OUT: 530 * positive: success and return length sent. 531 * -1 : error occured, and set errno. 532 */ 533int 534pfkey_send_delete(so, satype, mode, src, dst, spi) 535 int so; 536 u_int satype, mode; 537 struct sockaddr *src, *dst; 538 u_int32_t spi; 539{ 540 int len; 541 if ((len = pfkey_send_x2(so, SADB_DELETE, satype, mode, src, dst, spi)) < 0) 542 return -1; 543 544 return len; 545} 546 547/* 548 * sending SADB_DELETE without spi to the kernel. This is 549 * the "delete all" request (an extension also present in 550 * Solaris). 551 * 552 * OUT: 553 * positive: success and return length sent 554 * -1 : error occured, and set errno 555 */ 556int 557pfkey_send_delete_all(so, satype, mode, src, dst) 558 int so; 559 u_int satype, mode; 560 struct sockaddr *src, *dst; 561{ 562 struct sadb_msg *newmsg; 563 int len; 564 caddr_t p; 565 int plen; 566 caddr_t ep; 567 568 /* validity check */ 569 if (src == NULL || dst == NULL) { 570 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 571 return -1; 572 } 573 if (src->sa_family != dst->sa_family) { 574 __ipsec_errcode = EIPSEC_FAMILY_MISMATCH; 575 return -1; 576 } 577 switch (src->sa_family) { 578 case AF_INET: 579 plen = sizeof(struct in_addr) << 3; 580 break; 581 case AF_INET6: 582 plen = sizeof(struct in6_addr) << 3; 583 break; 584 default: 585 __ipsec_errcode = EIPSEC_INVAL_FAMILY; 586 return -1; 587 } 588 589 /* create new sadb_msg to reply. */ 590 len = sizeof(struct sadb_msg) 591 + sizeof(struct sadb_address) 592 + PFKEY_ALIGN8(src->sa_len) 593 + sizeof(struct sadb_address) 594 + PFKEY_ALIGN8(dst->sa_len); 595 596 if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) { 597 __ipsec_set_strerror(strerror(errno)); 598 return -1; 599 } 600 ep = ((caddr_t)newmsg) + len; 601 602 p = pfkey_setsadbmsg((caddr_t)newmsg, ep, SADB_DELETE, len, satype, 0, 603 getpid()); 604 if (!p) { 605 free(newmsg); 606 return -1; 607 } 608 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, plen, 609 IPSEC_ULPROTO_ANY); 610 if (!p) { 611 free(newmsg); 612 return -1; 613 } 614 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, plen, 615 IPSEC_ULPROTO_ANY); 616 if (!p || p != ep) { 617 free(newmsg); 618 return -1; 619 } 620 621 /* send message */ 622 len = pfkey_send(so, newmsg, len); 623 free(newmsg); 624 625 if (len < 0) 626 return -1; 627 628 __ipsec_errcode = EIPSEC_NO_ERROR; 629 return len; 630} 631 632/* 633 * sending SADB_GET message to the kernel. 634 * OUT: 635 * positive: success and return length sent. 636 * -1 : error occured, and set errno. 637 */ 638int 639pfkey_send_get(so, satype, mode, src, dst, spi) 640 int so; 641 u_int satype, mode; 642 struct sockaddr *src, *dst; 643 u_int32_t spi; 644{ 645 int len; 646 if ((len = pfkey_send_x2(so, SADB_GET, satype, mode, src, dst, spi)) < 0) 647 return -1; 648 649 return len; 650} 651 652/* 653 * sending SADB_REGISTER message to the kernel. 654 * OUT: 655 * positive: success and return length sent. 656 * -1 : error occured, and set errno. 657 */ 658int 659pfkey_send_register(so, satype) 660 int so; 661 u_int satype; 662{ 663 int len, algno; 664 665 if (satype == SADB_SATYPE_UNSPEC) { 666 for (algno = 0; 667 algno < sizeof(supported_map)/sizeof(supported_map[0]); 668 algno++) { 669 if (ipsec_supported[algno]) { 670 free(ipsec_supported[algno]); 671 ipsec_supported[algno] = NULL; 672 } 673 } 674 } else { 675 algno = findsupportedmap(satype); 676 if (algno == -1) { 677 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 678 return -1; 679 } 680 681 if (ipsec_supported[algno]) { 682 free(ipsec_supported[algno]); 683 ipsec_supported[algno] = NULL; 684 } 685 } 686 687 if ((len = pfkey_send_x3(so, SADB_REGISTER, satype)) < 0) 688 return -1; 689 690 return len; 691} 692 693/* 694 * receiving SADB_REGISTER message from the kernel, and copy buffer for 695 * sadb_supported returned into ipsec_supported. 696 * OUT: 697 * 0: success and return length sent. 698 * -1: error occured, and set errno. 699 */ 700int 701pfkey_recv_register(so) 702 int so; 703{ 704 pid_t pid = getpid(); 705 struct sadb_msg *newmsg; 706 int error = -1; 707 708 /* receive message */ 709 for (;;) { 710 if ((newmsg = pfkey_recv(so)) == NULL) 711 return -1; 712 if (newmsg->sadb_msg_type == SADB_REGISTER && 713 newmsg->sadb_msg_pid == pid) 714 break; 715 free(newmsg); 716 } 717 718 /* check and fix */ 719 newmsg->sadb_msg_len = PFKEY_UNUNIT64(newmsg->sadb_msg_len); 720 721 error = pfkey_set_supported(newmsg, newmsg->sadb_msg_len); 722 free(newmsg); 723 724 if (error == 0) 725 __ipsec_errcode = EIPSEC_NO_ERROR; 726 727 return error; 728} 729 730/* 731 * receiving SADB_REGISTER message from the kernel, and copy buffer for 732 * sadb_supported returned into ipsec_supported. 733 * NOTE: sadb_msg_len must be host order. 734 * IN: 735 * tlen: msg length, it's to makeing sure. 736 * OUT: 737 * 0: success and return length sent. 738 * -1: error occured, and set errno. 739 */ 740int 741pfkey_set_supported(msg, tlen) 742 struct sadb_msg *msg; 743 int tlen; 744{ 745 struct sadb_supported *sup; 746 caddr_t p; 747 caddr_t ep; 748 749 /* validity */ 750 if (msg->sadb_msg_len != tlen) { 751 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 752 return -1; 753 } 754 755 p = (caddr_t)msg; 756 ep = p + tlen; 757 758 p += sizeof(struct sadb_msg); 759 760 while (p < ep) { 761 sup = (struct sadb_supported *)p; 762 if (ep < p + sizeof(*sup) || 763 PFKEY_EXTLEN(sup) < sizeof(*sup) || 764 ep < p + sup->sadb_supported_len) { 765 /* invalid format */ 766 break; 767 } 768 769 switch (sup->sadb_supported_exttype) { 770 case SADB_EXT_SUPPORTED_AUTH: 771 case SADB_EXT_SUPPORTED_ENCRYPT: 772 break; 773 default: 774 __ipsec_errcode = EIPSEC_INVAL_SATYPE; 775 return -1; 776 } 777 778 /* fixed length */ 779 sup->sadb_supported_len = PFKEY_EXTLEN(sup); 780 781 /* set supported map */ 782 if (setsupportedmap(sup) != 0) 783 return -1; 784 785 p += sup->sadb_supported_len; 786 } 787 788 if (p != ep) { 789 __ipsec_errcode = EIPSEC_INVAL_SATYPE; 790 return -1; 791 } 792 793 __ipsec_errcode = EIPSEC_NO_ERROR; 794 795 return 0; 796} 797 798/* 799 * sending SADB_FLUSH message to the kernel. 800 * OUT: 801 * positive: success and return length sent. 802 * -1 : error occured, and set errno. 803 */ 804int 805pfkey_send_flush(so, satype) 806 int so; 807 u_int satype; 808{ 809 int len; 810 811 if ((len = pfkey_send_x3(so, SADB_FLUSH, satype)) < 0) 812 return -1; 813 814 return len; 815} 816 817/* 818 * sending SADB_DUMP message to the kernel. 819 * OUT: 820 * positive: success and return length sent. 821 * -1 : error occured, and set errno. 822 */ 823int 824pfkey_send_dump(so, satype) 825 int so; 826 u_int satype; 827{ 828 int len; 829 830 if ((len = pfkey_send_x3(so, SADB_DUMP, satype)) < 0) 831 return -1; 832 833 return len; 834} 835 836/* 837 * sending SADB_X_PROMISC message to the kernel. 838 * NOTE that this function handles promisc mode toggle only. 839 * IN: 840 * flag: set promisc off if zero, set promisc on if non-zero. 841 * OUT: 842 * positive: success and return length sent. 843 * -1 : error occured, and set errno. 844 * 0 : error occured, and set errno. 845 * others: a pointer to new allocated buffer in which supported 846 * algorithms is. 847 */ 848int 849pfkey_send_promisc_toggle(so, flag) 850 int so; 851 int flag; 852{ 853 int len; 854 855 if ((len = pfkey_send_x3(so, SADB_X_PROMISC, (flag ? 1 : 0))) < 0) 856 return -1; 857 858 return len; 859} 860 861/* 862 * sending SADB_X_SPDADD message to the kernel. 863 * OUT: 864 * positive: success and return length sent. 865 * -1 : error occured, and set errno. 866 */ 867int 868pfkey_send_spdadd(so, src, prefs, dst, prefd, proto, policy, policylen, seq) 869 int so; 870 struct sockaddr *src, *dst; 871 u_int prefs, prefd, proto; 872 caddr_t policy; 873 int policylen; 874 u_int32_t seq; 875{ 876 int len; 877 878 if ((len = pfkey_send_x4(so, SADB_X_SPDADD, 879 src, prefs, dst, prefd, proto, 880 0, 0, 881 policy, policylen, seq)) < 0) 882 return -1; 883 884 return len; 885} 886 887/* 888 * sending SADB_X_SPDADD message to the kernel. 889 * OUT: 890 * positive: success and return length sent. 891 * -1 : error occured, and set errno. 892 */ 893int 894pfkey_send_spdadd2(so, src, prefs, dst, prefd, proto, ltime, vtime, 895 policy, policylen, seq) 896 int so; 897 struct sockaddr *src, *dst; 898 u_int prefs, prefd, proto; 899 u_int64_t ltime, vtime; 900 caddr_t policy; 901 int policylen; 902 u_int32_t seq; 903{ 904 int len; 905 906 if ((len = pfkey_send_x4(so, SADB_X_SPDADD, 907 src, prefs, dst, prefd, proto, 908 ltime, vtime, 909 policy, policylen, seq)) < 0) 910 return -1; 911 912 return len; 913} 914 915/* 916 * sending SADB_X_SPDUPDATE message to the kernel. 917 * OUT: 918 * positive: success and return length sent. 919 * -1 : error occured, and set errno. 920 */ 921int 922pfkey_send_spdupdate(so, src, prefs, dst, prefd, proto, policy, policylen, seq) 923 int so; 924 struct sockaddr *src, *dst; 925 u_int prefs, prefd, proto; 926 caddr_t policy; 927 int policylen; 928 u_int32_t seq; 929{ 930 int len; 931 932 if ((len = pfkey_send_x4(so, SADB_X_SPDUPDATE, 933 src, prefs, dst, prefd, proto, 934 0, 0, 935 policy, policylen, seq)) < 0) 936 return -1; 937 938 return len; 939} 940 941/* 942 * sending SADB_X_SPDUPDATE message to the kernel. 943 * OUT: 944 * positive: success and return length sent. 945 * -1 : error occured, and set errno. 946 */ 947int 948pfkey_send_spdupdate2(so, src, prefs, dst, prefd, proto, ltime, vtime, 949 policy, policylen, seq) 950 int so; 951 struct sockaddr *src, *dst; 952 u_int prefs, prefd, proto; 953 u_int64_t ltime, vtime; 954 caddr_t policy; 955 int policylen; 956 u_int32_t seq; 957{ 958 int len; 959 960 if ((len = pfkey_send_x4(so, SADB_X_SPDUPDATE, 961 src, prefs, dst, prefd, proto, 962 ltime, vtime, 963 policy, policylen, seq)) < 0) 964 return -1; 965 966 return len; 967} 968 969/* 970 * sending SADB_X_SPDDELETE message to the kernel. 971 * OUT: 972 * positive: success and return length sent. 973 * -1 : error occured, and set errno. 974 */ 975int 976pfkey_send_spddelete(so, src, prefs, dst, prefd, proto, policy, policylen, seq) 977 int so; 978 struct sockaddr *src, *dst; 979 u_int prefs, prefd, proto; 980 caddr_t policy; 981 int policylen; 982 u_int32_t seq; 983{ 984 int len; 985 986 if (policylen != sizeof(struct sadb_x_policy)) { 987 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 988 return -1; 989 } 990 991 if ((len = pfkey_send_x4(so, SADB_X_SPDDELETE, 992 src, prefs, dst, prefd, proto, 993 0, 0, 994 policy, policylen, seq)) < 0) 995 return -1; 996 997 return len; 998} 999 1000/* 1001 * sending SADB_X_SPDDELETE message to the kernel. 1002 * OUT: 1003 * positive: success and return length sent. 1004 * -1 : error occured, and set errno. 1005 */ 1006int 1007pfkey_send_spddelete2(so, spid) 1008 int so; 1009 u_int32_t spid; 1010{ 1011 int len; 1012 1013 if ((len = pfkey_send_x5(so, SADB_X_SPDDELETE2, spid)) < 0) 1014 return -1; 1015 1016 return len; 1017} 1018 1019/* 1020 * sending SADB_X_SPDGET message to the kernel. 1021 * OUT: 1022 * positive: success and return length sent. 1023 * -1 : error occured, and set errno. 1024 */ 1025int 1026pfkey_send_spdget(so, spid) 1027 int so; 1028 u_int32_t spid; 1029{ 1030 int len; 1031 1032 if ((len = pfkey_send_x5(so, SADB_X_SPDGET, spid)) < 0) 1033 return -1; 1034 1035 return len; 1036} 1037 1038/* 1039 * sending SADB_X_SPDSETIDX message to the kernel. 1040 * OUT: 1041 * positive: success and return length sent. 1042 * -1 : error occured, and set errno. 1043 */ 1044int 1045pfkey_send_spdsetidx(so, src, prefs, dst, prefd, proto, policy, policylen, seq) 1046 int so; 1047 struct sockaddr *src, *dst; 1048 u_int prefs, prefd, proto; 1049 caddr_t policy; 1050 int policylen; 1051 u_int32_t seq; 1052{ 1053 int len; 1054 1055 if (policylen != sizeof(struct sadb_x_policy)) { 1056 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 1057 return -1; 1058 } 1059 1060 if ((len = pfkey_send_x4(so, SADB_X_SPDSETIDX, 1061 src, prefs, dst, prefd, proto, 1062 0, 0, 1063 policy, policylen, seq)) < 0) 1064 return -1; 1065 1066 return len; 1067} 1068 1069/* 1070 * sending SADB_SPDFLUSH message to the kernel. 1071 * OUT: 1072 * positive: success and return length sent. 1073 * -1 : error occured, and set errno. 1074 */ 1075int 1076pfkey_send_spdflush(so) 1077 int so; 1078{ 1079 int len; 1080 1081 if ((len = pfkey_send_x3(so, SADB_X_SPDFLUSH, SADB_SATYPE_UNSPEC)) < 0) 1082 return -1; 1083 1084 return len; 1085} 1086 1087/* 1088 * sending SADB_SPDDUMP message to the kernel. 1089 * OUT: 1090 * positive: success and return length sent. 1091 * -1 : error occured, and set errno. 1092 */ 1093int 1094pfkey_send_spddump(so) 1095 int so; 1096{ 1097 int len; 1098 1099 if ((len = pfkey_send_x3(so, SADB_X_SPDDUMP, SADB_SATYPE_UNSPEC)) < 0) 1100 return -1; 1101 1102 return len; 1103} 1104 1105/* sending SADB_ADD or SADB_UPDATE message to the kernel */ 1106static int 1107pfkey_send_x1(so, type, satype, mode, src, dst, spi, reqid, wsize, 1108 keymat, e_type, e_keylen, a_type, a_keylen, flags, 1109 l_alloc, l_bytes, l_addtime, l_usetime, seq) 1110 int so; 1111 u_int type, satype, mode; 1112 struct sockaddr *src, *dst; 1113 u_int32_t spi, reqid; 1114 u_int wsize; 1115 caddr_t keymat; 1116 u_int e_type, e_keylen, a_type, a_keylen, flags; 1117 u_int32_t l_alloc, l_bytes, l_addtime, l_usetime, seq; 1118{ 1119 struct sadb_msg *newmsg; 1120 int len; 1121 caddr_t p; 1122 int plen; 1123 caddr_t ep; 1124 1125 /* validity check */ 1126 if (src == NULL || dst == NULL) { 1127 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 1128 return -1; 1129 } 1130 if (src->sa_family != dst->sa_family) { 1131 __ipsec_errcode = EIPSEC_FAMILY_MISMATCH; 1132 return -1; 1133 } 1134 switch (src->sa_family) { 1135 case AF_INET: 1136 plen = sizeof(struct in_addr) << 3; 1137 break; 1138 case AF_INET6: 1139 plen = sizeof(struct in6_addr) << 3; 1140 break; 1141 default: 1142 __ipsec_errcode = EIPSEC_INVAL_FAMILY; 1143 return -1; 1144 } 1145 1146 switch (satype) { 1147 case SADB_SATYPE_ESP: 1148 if (e_type == SADB_EALG_NONE) { 1149 __ipsec_errcode = EIPSEC_NO_ALGS; 1150 return -1; 1151 } 1152 break; 1153 case SADB_SATYPE_AH: 1154 if (e_type != SADB_EALG_NONE) { 1155 __ipsec_errcode = EIPSEC_INVAL_ALGS; 1156 return -1; 1157 } 1158 if (a_type == SADB_AALG_NONE) { 1159 __ipsec_errcode = EIPSEC_NO_ALGS; 1160 return -1; 1161 } 1162 break; 1163 case SADB_X_SATYPE_IPCOMP: 1164 if (e_type == SADB_X_CALG_NONE) { 1165 __ipsec_errcode = EIPSEC_INVAL_ALGS; 1166 return -1; 1167 } 1168 if (a_type != SADB_AALG_NONE) { 1169 __ipsec_errcode = EIPSEC_NO_ALGS; 1170 return -1; 1171 } 1172 break; 1173 case SADB_X_SATYPE_TCPSIGNATURE: 1174 if (e_type != SADB_EALG_NONE) { 1175 __ipsec_errcode = EIPSEC_INVAL_ALGS; 1176 return -1; 1177 } 1178 if (a_type != SADB_X_AALG_TCP_MD5) { 1179 __ipsec_errcode = EIPSEC_INVAL_ALGS; 1180 return -1; 1181 } 1182 break; 1183 default: 1184 __ipsec_errcode = EIPSEC_INVAL_SATYPE; 1185 return -1; 1186 } 1187 1188 /* create new sadb_msg to reply. */ 1189 len = sizeof(struct sadb_msg) 1190 + sizeof(struct sadb_sa) 1191 + sizeof(struct sadb_x_sa2) 1192 + sizeof(struct sadb_address) 1193 + PFKEY_ALIGN8(src->sa_len) 1194 + sizeof(struct sadb_address) 1195 + PFKEY_ALIGN8(dst->sa_len) 1196 + sizeof(struct sadb_lifetime) 1197 + sizeof(struct sadb_lifetime); 1198 1199 if (e_type != SADB_EALG_NONE) 1200 len += (sizeof(struct sadb_key) + PFKEY_ALIGN8(e_keylen)); 1201 if (a_type != SADB_AALG_NONE) 1202 len += (sizeof(struct sadb_key) + PFKEY_ALIGN8(a_keylen)); 1203 1204 if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) { 1205 __ipsec_set_strerror(strerror(errno)); 1206 return -1; 1207 } 1208 ep = ((caddr_t)newmsg) + len; 1209 1210 p = pfkey_setsadbmsg((caddr_t)newmsg, ep, type, len, 1211 satype, seq, getpid()); 1212 if (!p) { 1213 free(newmsg); 1214 return -1; 1215 } 1216 p = pfkey_setsadbsa(p, ep, spi, wsize, a_type, e_type, flags); 1217 if (!p) { 1218 free(newmsg); 1219 return -1; 1220 } 1221 p = pfkey_setsadbxsa2(p, ep, mode, reqid); 1222 if (!p) { 1223 free(newmsg); 1224 return -1; 1225 } 1226 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, plen, 1227 IPSEC_ULPROTO_ANY); 1228 if (!p) { 1229 free(newmsg); 1230 return -1; 1231 } 1232 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, plen, 1233 IPSEC_ULPROTO_ANY); 1234 if (!p) { 1235 free(newmsg); 1236 return -1; 1237 } 1238 1239 if (e_type != SADB_EALG_NONE) { 1240 p = pfkey_setsadbkey(p, ep, SADB_EXT_KEY_ENCRYPT, 1241 keymat, e_keylen); 1242 if (!p) { 1243 free(newmsg); 1244 return -1; 1245 } 1246 } 1247 if (a_type != SADB_AALG_NONE) { 1248 p = pfkey_setsadbkey(p, ep, SADB_EXT_KEY_AUTH, 1249 keymat + e_keylen, a_keylen); 1250 if (!p) { 1251 free(newmsg); 1252 return -1; 1253 } 1254 } 1255 1256 /* set sadb_lifetime for destination */ 1257 p = pfkey_setsadblifetime(p, ep, SADB_EXT_LIFETIME_HARD, 1258 l_alloc, l_bytes, l_addtime, l_usetime); 1259 if (!p) { 1260 free(newmsg); 1261 return -1; 1262 } 1263 p = pfkey_setsadblifetime(p, ep, SADB_EXT_LIFETIME_SOFT, 1264 l_alloc, l_bytes, l_addtime, l_usetime); 1265 if (!p || p != ep) { 1266 free(newmsg); 1267 return -1; 1268 } 1269 1270 /* send message */ 1271 len = pfkey_send(so, newmsg, len); 1272 free(newmsg); 1273 1274 if (len < 0) 1275 return -1; 1276 1277 __ipsec_errcode = EIPSEC_NO_ERROR; 1278 return len; 1279} 1280 1281/* sending SADB_DELETE or SADB_GET message to the kernel */ 1282static int 1283pfkey_send_x2(so, type, satype, mode, src, dst, spi) 1284 int so; 1285 u_int type, satype, mode; 1286 struct sockaddr *src, *dst; 1287 u_int32_t spi; 1288{ 1289 struct sadb_msg *newmsg; 1290 int len; 1291 caddr_t p; 1292 int plen; 1293 caddr_t ep; 1294 1295 /* validity check */ 1296 if (src == NULL || dst == NULL) { 1297 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 1298 return -1; 1299 } 1300 if (src->sa_family != dst->sa_family) { 1301 __ipsec_errcode = EIPSEC_FAMILY_MISMATCH; 1302 return -1; 1303 } 1304 switch (src->sa_family) { 1305 case AF_INET: 1306 plen = sizeof(struct in_addr) << 3; 1307 break; 1308 case AF_INET6: 1309 plen = sizeof(struct in6_addr) << 3; 1310 break; 1311 default: 1312 __ipsec_errcode = EIPSEC_INVAL_FAMILY; 1313 return -1; 1314 } 1315 1316 /* create new sadb_msg to reply. */ 1317 len = sizeof(struct sadb_msg) 1318 + sizeof(struct sadb_sa) 1319 + sizeof(struct sadb_address) 1320 + PFKEY_ALIGN8(src->sa_len) 1321 + sizeof(struct sadb_address) 1322 + PFKEY_ALIGN8(dst->sa_len); 1323 1324 if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) { 1325 __ipsec_set_strerror(strerror(errno)); 1326 return -1; 1327 } 1328 ep = ((caddr_t)newmsg) + len; 1329 1330 p = pfkey_setsadbmsg((caddr_t)newmsg, ep, type, len, satype, 0, 1331 getpid()); 1332 if (!p) { 1333 free(newmsg); 1334 return -1; 1335 } 1336 p = pfkey_setsadbsa(p, ep, spi, 0, 0, 0, 0); 1337 if (!p) { 1338 free(newmsg); 1339 return -1; 1340 } 1341 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, plen, 1342 IPSEC_ULPROTO_ANY); 1343 if (!p) { 1344 free(newmsg); 1345 return -1; 1346 } 1347 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, plen, 1348 IPSEC_ULPROTO_ANY); 1349 if (!p || p != ep) { 1350 free(newmsg); 1351 return -1; 1352 } 1353 1354 /* send message */ 1355 len = pfkey_send(so, newmsg, len); 1356 free(newmsg); 1357 1358 if (len < 0) 1359 return -1; 1360 1361 __ipsec_errcode = EIPSEC_NO_ERROR; 1362 return len; 1363} 1364 1365/* 1366 * sending SADB_REGISTER, SADB_FLUSH, SADB_DUMP or SADB_X_PROMISC message 1367 * to the kernel 1368 */ 1369static int 1370pfkey_send_x3(so, type, satype) 1371 int so; 1372 u_int type, satype; 1373{ 1374 struct sadb_msg *newmsg; 1375 int len; 1376 caddr_t p; 1377 caddr_t ep; 1378 1379 /* validity check */ 1380 switch (type) { 1381 case SADB_X_PROMISC: 1382 if (satype != 0 && satype != 1) { 1383 __ipsec_errcode = EIPSEC_INVAL_SATYPE; 1384 return -1; 1385 } 1386 break; 1387 default: 1388 switch (satype) { 1389 case SADB_SATYPE_UNSPEC: 1390 case SADB_SATYPE_AH: 1391 case SADB_SATYPE_ESP: 1392 case SADB_X_SATYPE_IPCOMP: 1393 case SADB_X_SATYPE_TCPSIGNATURE: 1394 break; 1395 default: 1396 __ipsec_errcode = EIPSEC_INVAL_SATYPE; 1397 return -1; 1398 } 1399 } 1400 1401 /* create new sadb_msg to send. */ 1402 len = sizeof(struct sadb_msg); 1403 1404 if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) { 1405 __ipsec_set_strerror(strerror(errno)); 1406 return -1; 1407 } 1408 ep = ((caddr_t)newmsg) + len; 1409 1410 p = pfkey_setsadbmsg((caddr_t)newmsg, ep, type, len, satype, 0, 1411 getpid()); 1412 if (!p || p != ep) { 1413 free(newmsg); 1414 return -1; 1415 } 1416 1417 /* send message */ 1418 len = pfkey_send(so, newmsg, len); 1419 free(newmsg); 1420 1421 if (len < 0) 1422 return -1; 1423 1424 __ipsec_errcode = EIPSEC_NO_ERROR; 1425 return len; 1426} 1427 1428/* sending SADB_X_SPDADD message to the kernel */ 1429static int 1430pfkey_send_x4(so, type, src, prefs, dst, prefd, proto, 1431 ltime, vtime, policy, policylen, seq) 1432 int so; 1433 struct sockaddr *src, *dst; 1434 u_int type, prefs, prefd, proto; 1435 u_int64_t ltime, vtime; 1436 char *policy; 1437 int policylen; 1438 u_int32_t seq; 1439{ 1440 struct sadb_msg *newmsg; 1441 int len; 1442 caddr_t p; 1443 int plen; 1444 caddr_t ep; 1445 1446 /* validity check */ 1447 if (src == NULL || dst == NULL) { 1448 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 1449 return -1; 1450 } 1451 if (src->sa_family != dst->sa_family) { 1452 __ipsec_errcode = EIPSEC_FAMILY_MISMATCH; 1453 return -1; 1454 } 1455 1456 switch (src->sa_family) { 1457 case AF_INET: 1458 plen = sizeof(struct in_addr) << 3; 1459 break; 1460 case AF_INET6: 1461 plen = sizeof(struct in6_addr) << 3; 1462 break; 1463 default: 1464 __ipsec_errcode = EIPSEC_INVAL_FAMILY; 1465 return -1; 1466 } 1467 if (prefs > plen || prefd > plen) { 1468 __ipsec_errcode = EIPSEC_INVAL_PREFIXLEN; 1469 return -1; 1470 } 1471 1472 /* create new sadb_msg to reply. */ 1473 len = sizeof(struct sadb_msg) 1474 + sizeof(struct sadb_address) 1475 + PFKEY_ALIGN8(src->sa_len) 1476 + sizeof(struct sadb_address) 1477 + PFKEY_ALIGN8(src->sa_len) 1478 + sizeof(struct sadb_lifetime) 1479 + policylen; 1480 1481 if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) { 1482 __ipsec_set_strerror(strerror(errno)); 1483 return -1; 1484 } 1485 ep = ((caddr_t)newmsg) + len; 1486 1487 p = pfkey_setsadbmsg((caddr_t)newmsg, ep, type, len, 1488 SADB_SATYPE_UNSPEC, seq, getpid()); 1489 if (!p) { 1490 free(newmsg); 1491 return -1; 1492 } 1493 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, prefs, proto); 1494 if (!p) { 1495 free(newmsg); 1496 return -1; 1497 } 1498 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, prefd, proto); 1499 if (!p) { 1500 free(newmsg); 1501 return -1; 1502 } 1503 p = pfkey_setsadblifetime(p, ep, SADB_EXT_LIFETIME_HARD, 1504 0, 0, ltime, vtime); 1505 if (!p || p + policylen != ep) { 1506 free(newmsg); 1507 return -1; 1508 } 1509 memcpy(p, policy, policylen); 1510 1511 /* send message */ 1512 len = pfkey_send(so, newmsg, len); 1513 free(newmsg); 1514 1515 if (len < 0) 1516 return -1; 1517 1518 __ipsec_errcode = EIPSEC_NO_ERROR; 1519 return len; 1520} 1521 1522/* sending SADB_X_SPDGET or SADB_X_SPDDELETE message to the kernel */ 1523static int 1524pfkey_send_x5(so, type, spid) 1525 int so; 1526 u_int type; 1527 u_int32_t spid; 1528{ 1529 struct sadb_msg *newmsg; 1530 struct sadb_x_policy xpl; 1531 int len; 1532 caddr_t p; 1533 caddr_t ep; 1534 1535 /* create new sadb_msg to reply. */ 1536 len = sizeof(struct sadb_msg) 1537 + sizeof(xpl); 1538 1539 if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) { 1540 __ipsec_set_strerror(strerror(errno)); 1541 return -1; 1542 } 1543 ep = ((caddr_t)newmsg) + len; 1544 1545 p = pfkey_setsadbmsg((caddr_t)newmsg, ep, type, len, 1546 SADB_SATYPE_UNSPEC, 0, getpid()); 1547 if (!p) { 1548 free(newmsg); 1549 return -1; 1550 } 1551 1552 if (p + sizeof(xpl) != ep) { 1553 free(newmsg); 1554 return -1; 1555 } 1556 memset(&xpl, 0, sizeof(xpl)); 1557 xpl.sadb_x_policy_len = PFKEY_UNIT64(sizeof(xpl)); 1558 xpl.sadb_x_policy_exttype = SADB_X_EXT_POLICY; 1559 xpl.sadb_x_policy_id = spid; 1560 memcpy(p, &xpl, sizeof(xpl)); 1561 1562 /* send message */ 1563 len = pfkey_send(so, newmsg, len); 1564 free(newmsg); 1565 1566 if (len < 0) 1567 return -1; 1568 1569 __ipsec_errcode = EIPSEC_NO_ERROR; 1570 return len; 1571} 1572 1573/* 1574 * open a socket. 1575 * OUT: 1576 * -1: fail. 1577 * others : success and return value of socket. 1578 */ 1579int 1580pfkey_open() 1581{ 1582 int so; 1583 const int bufsiz = 128 * 1024; /*is 128K enough?*/ 1584 1585 if ((so = socket(PF_KEY, SOCK_RAW, PF_KEY_V2)) < 0) { 1586 __ipsec_set_strerror(strerror(errno)); 1587 return -1; 1588 } 1589 1590 /* 1591 * This is a temporary workaround for KAME PR 154. 1592 * Don't really care even if it fails. 1593 */ 1594 (void)setsockopt(so, SOL_SOCKET, SO_SNDBUF, &bufsiz, sizeof(bufsiz)); 1595 (void)setsockopt(so, SOL_SOCKET, SO_RCVBUF, &bufsiz, sizeof(bufsiz)); 1596 1597 __ipsec_errcode = EIPSEC_NO_ERROR; 1598 return so; 1599} 1600 1601/* 1602 * close a socket. 1603 * OUT: 1604 * 0: success. 1605 * -1: fail. 1606 */ 1607void 1608pfkey_close(so) 1609 int so; 1610{ 1611 (void)close(so); 1612 1613 __ipsec_errcode = EIPSEC_NO_ERROR; 1614 return; 1615} 1616 1617/* 1618 * receive sadb_msg data, and return pointer to new buffer allocated. 1619 * Must free this buffer later. 1620 * OUT: 1621 * NULL : error occured. 1622 * others : a pointer to sadb_msg structure. 1623 * 1624 * XXX should be rewritten to pass length explicitly 1625 */ 1626struct sadb_msg * 1627pfkey_recv(so) 1628 int so; 1629{ 1630 struct sadb_msg buf, *newmsg; 1631 int len, reallen; 1632 1633 while ((len = recv(so, (caddr_t)&buf, sizeof(buf), MSG_PEEK)) < 0) { 1634 if (errno == EINTR) 1635 continue; 1636 __ipsec_set_strerror(strerror(errno)); 1637 return NULL; 1638 } 1639 1640 if (len < sizeof(buf)) { 1641 recv(so, (caddr_t)&buf, sizeof(buf), 0); 1642 __ipsec_errcode = EIPSEC_MAX; 1643 return NULL; 1644 } 1645 1646 /* read real message */ 1647 reallen = PFKEY_UNUNIT64(buf.sadb_msg_len); 1648 if ((newmsg = CALLOC(reallen, struct sadb_msg *)) == 0) { 1649 __ipsec_set_strerror(strerror(errno)); 1650 return NULL; 1651 } 1652 1653 while ((len = recv(so, (caddr_t)newmsg, reallen, 0)) < 0) { 1654 if (errno == EINTR) 1655 continue; 1656 __ipsec_set_strerror(strerror(errno)); 1657 free(newmsg); 1658 return NULL; 1659 } 1660 1661 if (len != reallen) { 1662 __ipsec_errcode = EIPSEC_SYSTEM_ERROR; 1663 free(newmsg); 1664 return NULL; 1665 } 1666 1667 /* don't trust what the kernel says, validate! */ 1668 if (PFKEY_UNUNIT64(newmsg->sadb_msg_len) != len) { 1669 __ipsec_errcode = EIPSEC_SYSTEM_ERROR; 1670 free(newmsg); 1671 return NULL; 1672 } 1673 1674 __ipsec_errcode = EIPSEC_NO_ERROR; 1675 return newmsg; 1676} 1677 1678/* 1679 * send message to a socket. 1680 * OUT: 1681 * others: success and return length sent. 1682 * -1 : fail. 1683 */ 1684int 1685pfkey_send(so, msg, len) 1686 int so; 1687 struct sadb_msg *msg; 1688 int len; 1689{ 1690 if ((len = send(so, (caddr_t)msg, len, 0)) < 0) { 1691 __ipsec_set_strerror(strerror(errno)); 1692 return -1; 1693 } 1694 1695 __ipsec_errcode = EIPSEC_NO_ERROR; 1696 return len; 1697} 1698 1699/* 1700 * %%% Utilities 1701 * NOTE: These functions are derived from netkey/key.c in KAME. 1702 */ 1703/* 1704 * set the pointer to each header in this message buffer. 1705 * IN: msg: pointer to message buffer. 1706 * mhp: pointer to the buffer initialized like below: 1707 * caddr_t mhp[SADB_EXT_MAX + 1]; 1708 * OUT: -1: invalid. 1709 * 0: valid. 1710 * 1711 * XXX should be rewritten to obtain length explicitly 1712 */ 1713int 1714pfkey_align(msg, mhp) 1715 struct sadb_msg *msg; 1716 caddr_t *mhp; 1717{ 1718 struct sadb_ext *ext; 1719 int i; 1720 caddr_t p; 1721 caddr_t ep; /* XXX should be passed from upper layer */ 1722 1723 /* validity check */ 1724 if (msg == NULL || mhp == NULL) { 1725 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 1726 return -1; 1727 } 1728 1729 /* initialize */ 1730 for (i = 0; i < SADB_EXT_MAX + 1; i++) 1731 mhp[i] = NULL; 1732 1733 mhp[0] = (caddr_t)msg; 1734 1735 /* initialize */ 1736 p = (caddr_t) msg; 1737 ep = p + PFKEY_UNUNIT64(msg->sadb_msg_len); 1738 1739 /* skip base header */ 1740 p += sizeof(struct sadb_msg); 1741 1742 while (p < ep) { 1743 ext = (struct sadb_ext *)p; 1744 if (ep < p + sizeof(*ext) || PFKEY_EXTLEN(ext) < sizeof(*ext) || 1745 ep < p + PFKEY_EXTLEN(ext)) { 1746 /* invalid format */ 1747 break; 1748 } 1749 1750 /* duplicate check */ 1751 /* XXX Are there duplication either KEY_AUTH or KEY_ENCRYPT ?*/ 1752 if (mhp[ext->sadb_ext_type] != NULL) { 1753 __ipsec_errcode = EIPSEC_INVAL_EXTTYPE; 1754 return -1; 1755 } 1756 1757 /* set pointer */ 1758 switch (ext->sadb_ext_type) { 1759 case SADB_EXT_SA: 1760 case SADB_EXT_LIFETIME_CURRENT: 1761 case SADB_EXT_LIFETIME_HARD: 1762 case SADB_EXT_LIFETIME_SOFT: 1763 case SADB_EXT_ADDRESS_SRC: 1764 case SADB_EXT_ADDRESS_DST: 1765 case SADB_EXT_ADDRESS_PROXY: 1766 case SADB_EXT_KEY_AUTH: 1767 /* XXX should to be check weak keys. */ 1768 case SADB_EXT_KEY_ENCRYPT: 1769 /* XXX should to be check weak keys. */ 1770 case SADB_EXT_IDENTITY_SRC: 1771 case SADB_EXT_IDENTITY_DST: 1772 case SADB_EXT_SENSITIVITY: 1773 case SADB_EXT_PROPOSAL: 1774 case SADB_EXT_SUPPORTED_AUTH: 1775 case SADB_EXT_SUPPORTED_ENCRYPT: 1776 case SADB_EXT_SPIRANGE: 1777 case SADB_X_EXT_POLICY: 1778 case SADB_X_EXT_SA2: 1779 mhp[ext->sadb_ext_type] = (caddr_t)ext; 1780 break; 1781 case SADB_X_EXT_NAT_T_TYPE: 1782 case SADB_X_EXT_NAT_T_SPORT: 1783 case SADB_X_EXT_NAT_T_DPORT: 1784 /* case SADB_X_EXT_NAT_T_OA: is OAI */ 1785 case SADB_X_EXT_NAT_T_OAI: 1786 case SADB_X_EXT_NAT_T_OAR: 1787 case SADB_X_EXT_NAT_T_FRAG: 1788 if (feature_present("ipsec_natt")) { 1789 mhp[ext->sadb_ext_type] = (caddr_t)ext; 1790 break; 1791 } 1792 /* FALLTHROUGH */ 1793 default: 1794 __ipsec_errcode = EIPSEC_INVAL_EXTTYPE; 1795 return -1; 1796 } 1797 1798 p += PFKEY_EXTLEN(ext); 1799 } 1800 1801 if (p != ep) { 1802 __ipsec_errcode = EIPSEC_INVAL_SADBMSG; 1803 return -1; 1804 } 1805 1806 __ipsec_errcode = EIPSEC_NO_ERROR; 1807 return 0; 1808} 1809 1810/* 1811 * check basic usage for sadb_msg, 1812 * NOTE: This routine is derived from netkey/key.c in KAME. 1813 * IN: msg: pointer to message buffer. 1814 * mhp: pointer to the buffer initialized like below: 1815 * 1816 * caddr_t mhp[SADB_EXT_MAX + 1]; 1817 * 1818 * OUT: -1: invalid. 1819 * 0: valid. 1820 */ 1821int 1822pfkey_check(mhp) 1823 caddr_t *mhp; 1824{ 1825 struct sadb_msg *msg; 1826 1827 /* validity check */ 1828 if (mhp == NULL || mhp[0] == NULL) { 1829 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 1830 return -1; 1831 } 1832 1833 msg = (struct sadb_msg *)mhp[0]; 1834 1835 /* check version */ 1836 if (msg->sadb_msg_version != PF_KEY_V2) { 1837 __ipsec_errcode = EIPSEC_INVAL_VERSION; 1838 return -1; 1839 } 1840 1841 /* check type */ 1842 if (msg->sadb_msg_type > SADB_MAX) { 1843 __ipsec_errcode = EIPSEC_INVAL_MSGTYPE; 1844 return -1; 1845 } 1846 1847 /* check SA type */ 1848 switch (msg->sadb_msg_satype) { 1849 case SADB_SATYPE_UNSPEC: 1850 switch (msg->sadb_msg_type) { 1851 case SADB_GETSPI: 1852 case SADB_UPDATE: 1853 case SADB_ADD: 1854 case SADB_DELETE: 1855 case SADB_GET: 1856 case SADB_ACQUIRE: 1857 case SADB_EXPIRE: 1858 __ipsec_errcode = EIPSEC_INVAL_SATYPE; 1859 return -1; 1860 } 1861 break; 1862 case SADB_SATYPE_ESP: 1863 case SADB_SATYPE_AH: 1864 case SADB_X_SATYPE_IPCOMP: 1865 case SADB_X_SATYPE_TCPSIGNATURE: 1866 switch (msg->sadb_msg_type) { 1867 case SADB_X_SPDADD: 1868 case SADB_X_SPDDELETE: 1869 case SADB_X_SPDGET: 1870 case SADB_X_SPDDUMP: 1871 case SADB_X_SPDFLUSH: 1872 __ipsec_errcode = EIPSEC_INVAL_SATYPE; 1873 return -1; 1874 } 1875 break; 1876 case SADB_SATYPE_RSVP: 1877 case SADB_SATYPE_OSPFV2: 1878 case SADB_SATYPE_RIPV2: 1879 case SADB_SATYPE_MIP: 1880 __ipsec_errcode = EIPSEC_NOT_SUPPORTED; 1881 return -1; 1882 case 1: /* XXX: What does it do ? */ 1883 if (msg->sadb_msg_type == SADB_X_PROMISC) 1884 break; 1885 /*FALLTHROUGH*/ 1886 default: 1887 __ipsec_errcode = EIPSEC_INVAL_SATYPE; 1888 return -1; 1889 } 1890 1891 /* check field of upper layer protocol and address family */ 1892 if (mhp[SADB_EXT_ADDRESS_SRC] != NULL 1893 && mhp[SADB_EXT_ADDRESS_DST] != NULL) { 1894 struct sadb_address *src0, *dst0; 1895 1896 src0 = (struct sadb_address *)(mhp[SADB_EXT_ADDRESS_SRC]); 1897 dst0 = (struct sadb_address *)(mhp[SADB_EXT_ADDRESS_DST]); 1898 1899 if (src0->sadb_address_proto != dst0->sadb_address_proto) { 1900 __ipsec_errcode = EIPSEC_PROTO_MISMATCH; 1901 return -1; 1902 } 1903 1904 if (PFKEY_ADDR_SADDR(src0)->sa_family 1905 != PFKEY_ADDR_SADDR(dst0)->sa_family) { 1906 __ipsec_errcode = EIPSEC_FAMILY_MISMATCH; 1907 return -1; 1908 } 1909 1910 switch (PFKEY_ADDR_SADDR(src0)->sa_family) { 1911 case AF_INET: 1912 case AF_INET6: 1913 break; 1914 default: 1915 __ipsec_errcode = EIPSEC_INVAL_FAMILY; 1916 return -1; 1917 } 1918 1919 /* 1920 * prefixlen == 0 is valid because there must be the case 1921 * all addresses are matched. 1922 */ 1923 } 1924 1925 __ipsec_errcode = EIPSEC_NO_ERROR; 1926 return 0; 1927} 1928 1929/* 1930 * set data into sadb_msg. 1931 * `buf' must has been allocated sufficiently. 1932 */ 1933static caddr_t 1934pfkey_setsadbmsg(buf, lim, type, tlen, satype, seq, pid) 1935 caddr_t buf; 1936 caddr_t lim; 1937 u_int type, satype; 1938 u_int tlen; 1939 u_int32_t seq; 1940 pid_t pid; 1941{ 1942 struct sadb_msg *p; 1943 u_int len; 1944 1945 p = (struct sadb_msg *)buf; 1946 len = sizeof(struct sadb_msg); 1947 1948 if (buf + len > lim) 1949 return NULL; 1950 1951 memset(p, 0, len); 1952 p->sadb_msg_version = PF_KEY_V2; 1953 p->sadb_msg_type = type; 1954 p->sadb_msg_errno = 0; 1955 p->sadb_msg_satype = satype; 1956 p->sadb_msg_len = PFKEY_UNIT64(tlen); 1957 p->sadb_msg_reserved = 0; 1958 p->sadb_msg_seq = seq; 1959 p->sadb_msg_pid = (u_int32_t)pid; 1960 1961 return(buf + len); 1962} 1963 1964/* 1965 * copy secasvar data into sadb_address. 1966 * `buf' must has been allocated sufficiently. 1967 */ 1968static caddr_t 1969pfkey_setsadbsa(buf, lim, spi, wsize, auth, enc, flags) 1970 caddr_t buf; 1971 caddr_t lim; 1972 u_int32_t spi, flags; 1973 u_int wsize, auth, enc; 1974{ 1975 struct sadb_sa *p; 1976 u_int len; 1977 1978 p = (struct sadb_sa *)buf; 1979 len = sizeof(struct sadb_sa); 1980 1981 if (buf + len > lim) 1982 return NULL; 1983 1984 memset(p, 0, len); 1985 p->sadb_sa_len = PFKEY_UNIT64(len); 1986 p->sadb_sa_exttype = SADB_EXT_SA; 1987 p->sadb_sa_spi = spi; 1988 p->sadb_sa_replay = wsize; 1989 p->sadb_sa_state = SADB_SASTATE_LARVAL; 1990 p->sadb_sa_auth = auth; 1991 p->sadb_sa_encrypt = enc; 1992 p->sadb_sa_flags = flags; 1993 1994 return(buf + len); 1995} 1996 1997/* 1998 * set data into sadb_address. 1999 * `buf' must has been allocated sufficiently. 2000 * prefixlen is in bits. 2001 */ 2002static caddr_t 2003pfkey_setsadbaddr(buf, lim, exttype, saddr, prefixlen, ul_proto) 2004 caddr_t buf; 2005 caddr_t lim; 2006 u_int exttype; 2007 struct sockaddr *saddr; 2008 u_int prefixlen; 2009 u_int ul_proto; 2010{ 2011 struct sadb_address *p; 2012 u_int len; 2013 2014 p = (struct sadb_address *)buf; 2015 len = sizeof(struct sadb_address) + PFKEY_ALIGN8(saddr->sa_len); 2016 2017 if (buf + len > lim) 2018 return NULL; 2019 2020 memset(p, 0, len); 2021 p->sadb_address_len = PFKEY_UNIT64(len); 2022 p->sadb_address_exttype = exttype & 0xffff; 2023 p->sadb_address_proto = ul_proto & 0xff; 2024 p->sadb_address_prefixlen = prefixlen; 2025 p->sadb_address_reserved = 0; 2026 2027 memcpy(p + 1, saddr, saddr->sa_len); 2028 2029 return(buf + len); 2030} 2031 2032/* 2033 * set sadb_key structure after clearing buffer with zero. 2034 * OUT: the pointer of buf + len. 2035 */ 2036static caddr_t 2037pfkey_setsadbkey(buf, lim, type, key, keylen) 2038 caddr_t buf; 2039 caddr_t lim; 2040 caddr_t key; 2041 u_int type, keylen; 2042{ 2043 struct sadb_key *p; 2044 u_int len; 2045 2046 p = (struct sadb_key *)buf; 2047 len = sizeof(struct sadb_key) + PFKEY_ALIGN8(keylen); 2048 2049 if (buf + len > lim) 2050 return NULL; 2051 2052 memset(p, 0, len); 2053 p->sadb_key_len = PFKEY_UNIT64(len); 2054 p->sadb_key_exttype = type; 2055 p->sadb_key_bits = keylen << 3; 2056 p->sadb_key_reserved = 0; 2057 2058 memcpy(p + 1, key, keylen); 2059 2060 return buf + len; 2061} 2062 2063/* 2064 * set sadb_lifetime structure after clearing buffer with zero. 2065 * OUT: the pointer of buf + len. 2066 */ 2067static caddr_t 2068pfkey_setsadblifetime(buf, lim, type, l_alloc, l_bytes, l_addtime, l_usetime) 2069 caddr_t buf; 2070 caddr_t lim; 2071 u_int type; 2072 u_int32_t l_alloc, l_bytes, l_addtime, l_usetime; 2073{ 2074 struct sadb_lifetime *p; 2075 u_int len; 2076 2077 p = (struct sadb_lifetime *)buf; 2078 len = sizeof(struct sadb_lifetime); 2079 2080 if (buf + len > lim) 2081 return NULL; 2082 2083 memset(p, 0, len); 2084 p->sadb_lifetime_len = PFKEY_UNIT64(len); 2085 p->sadb_lifetime_exttype = type; 2086 2087 switch (type) { 2088 case SADB_EXT_LIFETIME_SOFT: 2089 p->sadb_lifetime_allocations 2090 = (l_alloc * soft_lifetime_allocations_rate) /100; 2091 p->sadb_lifetime_bytes 2092 = (l_bytes * soft_lifetime_bytes_rate) /100; 2093 p->sadb_lifetime_addtime 2094 = (l_addtime * soft_lifetime_addtime_rate) /100; 2095 p->sadb_lifetime_usetime 2096 = (l_usetime * soft_lifetime_usetime_rate) /100; 2097 break; 2098 case SADB_EXT_LIFETIME_HARD: 2099 p->sadb_lifetime_allocations = l_alloc; 2100 p->sadb_lifetime_bytes = l_bytes; 2101 p->sadb_lifetime_addtime = l_addtime; 2102 p->sadb_lifetime_usetime = l_usetime; 2103 break; 2104 } 2105 2106 return buf + len; 2107} 2108 2109/* 2110 * copy secasvar data into sadb_address. 2111 * `buf' must has been allocated sufficiently. 2112 */ 2113static caddr_t 2114pfkey_setsadbxsa2(buf, lim, mode0, reqid) 2115 caddr_t buf; 2116 caddr_t lim; 2117 u_int32_t mode0; 2118 u_int32_t reqid; 2119{ 2120 struct sadb_x_sa2 *p; 2121 u_int8_t mode = mode0 & 0xff; 2122 u_int len; 2123 2124 p = (struct sadb_x_sa2 *)buf; 2125 len = sizeof(struct sadb_x_sa2); 2126 2127 if (buf + len > lim) 2128 return NULL; 2129 2130 memset(p, 0, len); 2131 p->sadb_x_sa2_len = PFKEY_UNIT64(len); 2132 p->sadb_x_sa2_exttype = SADB_X_EXT_SA2; 2133 p->sadb_x_sa2_mode = mode; 2134 p->sadb_x_sa2_reqid = reqid; 2135 2136 return(buf + len); 2137} 2138