1/* $KAME: pfkey.c,v 1.46 2003/08/26 03:37:06 itojun Exp $ */ 2 3/* 4 * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project. 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. Neither the name of the project nor the names of its contributors 16 * may be used to endorse or promote products derived from this software 17 * without specific prior written permission. 18 * 19 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29 * SUCH DAMAGE. 30 */ 31 32#include <sys/cdefs.h> 33__FBSDID("$FreeBSD: stable/11/lib/libipsec/pfkey.c 331722 2018-03-29 02:50:57Z eadler $"); 34 35#include <sys/types.h> 36#include <sys/param.h> 37#include <sys/socket.h> 38#include <net/pfkeyv2.h> 39#include <netipsec/key_var.h> 40#include <netinet/in.h> 41#include <netipsec/ipsec.h> 42 43#include <stdlib.h> 44#include <stdint.h> 45#include <unistd.h> 46#include <string.h> 47#include <errno.h> 48 49#include "ipsec_strerror.h" 50#include "libpfkey.h" 51 52#define CALLOC(size, cast) (cast)calloc(1, (size)) 53 54static int findsupportedmap(int); 55static int setsupportedmap(struct sadb_supported *); 56static struct sadb_alg *findsupportedalg(u_int, u_int); 57static int pfkey_send_x1(int, u_int, u_int, u_int, struct sockaddr *, 58 struct sockaddr *, u_int32_t, u_int32_t, u_int, caddr_t, 59 u_int, u_int, u_int, u_int, u_int, u_int32_t, u_int32_t, 60 u_int32_t, u_int32_t, u_int32_t); 61static int pfkey_send_x2(int, u_int, u_int, u_int, 62 struct sockaddr *, struct sockaddr *, u_int32_t); 63static int pfkey_send_x3(int, u_int, u_int); 64static int pfkey_send_x4(int, u_int, struct sockaddr *, u_int, 65 struct sockaddr *, u_int, u_int, u_int64_t, u_int64_t, 66 char *, int, u_int32_t); 67static int pfkey_send_x5(int, u_int, u_int32_t); 68 69static caddr_t pfkey_setsadbmsg(caddr_t, caddr_t, u_int, u_int, 70 u_int, u_int32_t, pid_t); 71static caddr_t pfkey_setsadbsa(caddr_t, caddr_t, u_int32_t, u_int, 72 u_int, u_int, u_int32_t); 73static caddr_t pfkey_setsadbxreplay(caddr_t, caddr_t, uint32_t); 74static caddr_t pfkey_setsadbaddr(caddr_t, caddr_t, u_int, 75 struct sockaddr *, u_int, u_int); 76static caddr_t pfkey_setsadbkey(caddr_t, caddr_t, u_int, caddr_t, u_int); 77static caddr_t pfkey_setsadblifetime(caddr_t, caddr_t, u_int, u_int32_t, 78 u_int32_t, u_int32_t, u_int32_t); 79static caddr_t pfkey_setsadbxsa2(caddr_t, caddr_t, u_int32_t, u_int32_t); 80 81/* 82 * make and search supported algorithm structure. 83 */ 84static struct sadb_supported *ipsec_supported[] = { NULL, NULL, NULL, NULL }; 85 86static int supported_map[] = { 87 SADB_SATYPE_AH, 88 SADB_SATYPE_ESP, 89 SADB_X_SATYPE_IPCOMP, 90 SADB_X_SATYPE_TCPSIGNATURE 91}; 92 93static int 94findsupportedmap(satype) 95 int satype; 96{ 97 int i; 98 99 for (i = 0; i < sizeof(supported_map)/sizeof(supported_map[0]); i++) 100 if (supported_map[i] == satype) 101 return i; 102 return -1; 103} 104 105static struct sadb_alg * 106findsupportedalg(satype, alg_id) 107 u_int satype, alg_id; 108{ 109 int algno; 110 int tlen; 111 caddr_t p; 112 113 /* validity check */ 114 algno = findsupportedmap(satype); 115 if (algno == -1) { 116 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 117 return NULL; 118 } 119 if (ipsec_supported[algno] == NULL) { 120 __ipsec_errcode = EIPSEC_DO_GET_SUPP_LIST; 121 return NULL; 122 } 123 124 tlen = ipsec_supported[algno]->sadb_supported_len 125 - sizeof(struct sadb_supported); 126 p = (caddr_t)(ipsec_supported[algno] + 1); 127 while (tlen > 0) { 128 if (tlen < sizeof(struct sadb_alg)) { 129 /* invalid format */ 130 break; 131 } 132 if (((struct sadb_alg *)p)->sadb_alg_id == alg_id) 133 return (struct sadb_alg *)p; 134 135 tlen -= sizeof(struct sadb_alg); 136 p += sizeof(struct sadb_alg); 137 } 138 139 __ipsec_errcode = EIPSEC_NOT_SUPPORTED; 140 return NULL; 141} 142 143static int 144setsupportedmap(sup) 145 struct sadb_supported *sup; 146{ 147 struct sadb_supported **ipsup; 148 149 switch (sup->sadb_supported_exttype) { 150 case SADB_EXT_SUPPORTED_AUTH: 151 ipsup = &ipsec_supported[findsupportedmap(SADB_SATYPE_AH)]; 152 break; 153 case SADB_EXT_SUPPORTED_ENCRYPT: 154 ipsup = &ipsec_supported[findsupportedmap(SADB_SATYPE_ESP)]; 155 break; 156 default: 157 __ipsec_errcode = EIPSEC_INVAL_SATYPE; 158 return -1; 159 } 160 161 if (*ipsup) 162 free(*ipsup); 163 164 *ipsup = malloc(sup->sadb_supported_len); 165 if (!*ipsup) { 166 __ipsec_set_strerror(strerror(errno)); 167 return -1; 168 } 169 memcpy(*ipsup, sup, sup->sadb_supported_len); 170 171 return 0; 172} 173 174/* 175 * check key length against algorithm specified. 176 * This function is called with SADB_EXT_SUPPORTED_{AUTH,ENCRYPT} as the 177 * augument, and only calls to ipsec_check_keylen2(); 178 * keylen is the unit of bit. 179 * OUT: 180 * -1: invalid. 181 * 0: valid. 182 */ 183int 184ipsec_check_keylen(supported, alg_id, keylen) 185 u_int supported; 186 u_int alg_id; 187 u_int keylen; 188{ 189 int satype; 190 191 /* validity check */ 192 switch (supported) { 193 case SADB_EXT_SUPPORTED_AUTH: 194 satype = SADB_SATYPE_AH; 195 break; 196 case SADB_EXT_SUPPORTED_ENCRYPT: 197 satype = SADB_SATYPE_ESP; 198 break; 199 default: 200 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 201 return -1; 202 } 203 204 return ipsec_check_keylen2(satype, alg_id, keylen); 205} 206 207/* 208 * check key length against algorithm specified. 209 * satype is one of satype defined at pfkeyv2.h. 210 * keylen is the unit of bit. 211 * OUT: 212 * -1: invalid. 213 * 0: valid. 214 */ 215int 216ipsec_check_keylen2(satype, alg_id, keylen) 217 u_int satype; 218 u_int alg_id; 219 u_int keylen; 220{ 221 struct sadb_alg *alg; 222 223 alg = findsupportedalg(satype, alg_id); 224 if (!alg) 225 return -1; 226 227 if (keylen < alg->sadb_alg_minbits || keylen > alg->sadb_alg_maxbits) { 228 __ipsec_errcode = EIPSEC_INVAL_KEYLEN; 229 return -1; 230 } 231 232 __ipsec_errcode = EIPSEC_NO_ERROR; 233 return 0; 234} 235 236/* 237 * get max/min key length against algorithm specified. 238 * satype is one of satype defined at pfkeyv2.h. 239 * keylen is the unit of bit. 240 * OUT: 241 * -1: invalid. 242 * 0: valid. 243 */ 244int 245ipsec_get_keylen(supported, alg_id, alg0) 246 u_int supported, alg_id; 247 struct sadb_alg *alg0; 248{ 249 struct sadb_alg *alg; 250 u_int satype; 251 252 /* validity check */ 253 if (!alg0) { 254 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 255 return -1; 256 } 257 258 switch (supported) { 259 case SADB_EXT_SUPPORTED_AUTH: 260 satype = SADB_SATYPE_AH; 261 break; 262 case SADB_EXT_SUPPORTED_ENCRYPT: 263 satype = SADB_SATYPE_ESP; 264 break; 265 default: 266 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 267 return -1; 268 } 269 270 alg = findsupportedalg(satype, alg_id); 271 if (!alg) 272 return -1; 273 274 memcpy(alg0, alg, sizeof(*alg0)); 275 276 __ipsec_errcode = EIPSEC_NO_ERROR; 277 return 0; 278} 279 280/* 281 * set the rate for SOFT lifetime against HARD one. 282 * If rate is more than 100 or equal to zero, then set to 100. 283 */ 284static u_int soft_lifetime_allocations_rate = PFKEY_SOFT_LIFETIME_RATE; 285static u_int soft_lifetime_bytes_rate = PFKEY_SOFT_LIFETIME_RATE; 286static u_int soft_lifetime_addtime_rate = PFKEY_SOFT_LIFETIME_RATE; 287static u_int soft_lifetime_usetime_rate = PFKEY_SOFT_LIFETIME_RATE; 288 289u_int 290pfkey_set_softrate(type, rate) 291 u_int type, rate; 292{ 293 __ipsec_errcode = EIPSEC_NO_ERROR; 294 295 if (rate > 100 || rate == 0) 296 rate = 100; 297 298 switch (type) { 299 case SADB_X_LIFETIME_ALLOCATIONS: 300 soft_lifetime_allocations_rate = rate; 301 return 0; 302 case SADB_X_LIFETIME_BYTES: 303 soft_lifetime_bytes_rate = rate; 304 return 0; 305 case SADB_X_LIFETIME_ADDTIME: 306 soft_lifetime_addtime_rate = rate; 307 return 0; 308 case SADB_X_LIFETIME_USETIME: 309 soft_lifetime_usetime_rate = rate; 310 return 0; 311 } 312 313 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 314 return 1; 315} 316 317/* 318 * get current rate for SOFT lifetime against HARD one. 319 * ATTENTION: ~0 is returned if invalid type was passed. 320 */ 321u_int 322pfkey_get_softrate(type) 323 u_int type; 324{ 325 switch (type) { 326 case SADB_X_LIFETIME_ALLOCATIONS: 327 return soft_lifetime_allocations_rate; 328 case SADB_X_LIFETIME_BYTES: 329 return soft_lifetime_bytes_rate; 330 case SADB_X_LIFETIME_ADDTIME: 331 return soft_lifetime_addtime_rate; 332 case SADB_X_LIFETIME_USETIME: 333 return soft_lifetime_usetime_rate; 334 } 335 336 return ~0; 337} 338 339/* 340 * sending SADB_GETSPI message to the kernel. 341 * OUT: 342 * positive: success and return length sent. 343 * -1 : error occured, and set errno. 344 */ 345int 346pfkey_send_getspi(so, satype, mode, src, dst, min, max, reqid, seq) 347 int so; 348 u_int satype, mode; 349 struct sockaddr *src, *dst; 350 u_int32_t min, max, reqid, seq; 351{ 352 struct sadb_msg *newmsg; 353 caddr_t ep; 354 int len; 355 int need_spirange = 0; 356 caddr_t p; 357 int plen; 358 359 /* validity check */ 360 if (src == NULL || dst == NULL) { 361 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 362 return -1; 363 } 364 if (src->sa_family != dst->sa_family) { 365 __ipsec_errcode = EIPSEC_FAMILY_MISMATCH; 366 return -1; 367 } 368 if (min > max || (min > 0 && min <= 255)) { 369 __ipsec_errcode = EIPSEC_INVAL_SPI; 370 return -1; 371 } 372 switch (src->sa_family) { 373 case AF_INET: 374 plen = sizeof(struct in_addr) << 3; 375 break; 376 case AF_INET6: 377 plen = sizeof(struct in6_addr) << 3; 378 break; 379 default: 380 __ipsec_errcode = EIPSEC_INVAL_FAMILY; 381 return -1; 382 } 383 384 /* create new sadb_msg to send. */ 385 len = sizeof(struct sadb_msg) 386 + sizeof(struct sadb_x_sa2) 387 + sizeof(struct sadb_address) 388 + PFKEY_ALIGN8(src->sa_len) 389 + sizeof(struct sadb_address) 390 + PFKEY_ALIGN8(dst->sa_len); 391 392 if (min > 255 && max < ~0) { 393 need_spirange++; 394 len += sizeof(struct sadb_spirange); 395 } 396 397 if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) { 398 __ipsec_set_strerror(strerror(errno)); 399 return -1; 400 } 401 ep = ((caddr_t)newmsg) + len; 402 403 p = pfkey_setsadbmsg((caddr_t)newmsg, ep, SADB_GETSPI, 404 len, satype, seq, getpid()); 405 if (!p) { 406 free(newmsg); 407 return -1; 408 } 409 410 p = pfkey_setsadbxsa2(p, ep, mode, reqid); 411 if (!p) { 412 free(newmsg); 413 return -1; 414 } 415 416 /* set sadb_address for source */ 417 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, plen, 418 IPSEC_ULPROTO_ANY); 419 if (!p) { 420 free(newmsg); 421 return -1; 422 } 423 424 /* set sadb_address for destination */ 425 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, plen, 426 IPSEC_ULPROTO_ANY); 427 if (!p) { 428 free(newmsg); 429 return -1; 430 } 431 432 /* proccessing spi range */ 433 if (need_spirange) { 434 struct sadb_spirange spirange; 435 436 if (p + sizeof(spirange) > ep) { 437 free(newmsg); 438 return -1; 439 } 440 441 memset(&spirange, 0, sizeof(spirange)); 442 spirange.sadb_spirange_len = PFKEY_UNIT64(sizeof(spirange)); 443 spirange.sadb_spirange_exttype = SADB_EXT_SPIRANGE; 444 spirange.sadb_spirange_min = min; 445 spirange.sadb_spirange_max = max; 446 447 memcpy(p, &spirange, sizeof(spirange)); 448 449 p += sizeof(spirange); 450 } 451 if (p != ep) { 452 free(newmsg); 453 return -1; 454 } 455 456 /* send message */ 457 len = pfkey_send(so, newmsg, len); 458 free(newmsg); 459 460 if (len < 0) 461 return -1; 462 463 __ipsec_errcode = EIPSEC_NO_ERROR; 464 return len; 465} 466 467/* 468 * sending SADB_UPDATE message to the kernel. 469 * The length of key material is a_keylen + e_keylen. 470 * OUT: 471 * positive: success and return length sent. 472 * -1 : error occured, and set errno. 473 */ 474int 475pfkey_send_update(so, satype, mode, src, dst, spi, reqid, wsize, 476 keymat, e_type, e_keylen, a_type, a_keylen, flags, 477 l_alloc, l_bytes, l_addtime, l_usetime, seq) 478 int so; 479 u_int satype, mode, wsize; 480 struct sockaddr *src, *dst; 481 u_int32_t spi, reqid; 482 caddr_t keymat; 483 u_int e_type, e_keylen, a_type, a_keylen, flags; 484 u_int32_t l_alloc; 485 u_int64_t l_bytes, l_addtime, l_usetime; 486 u_int32_t seq; 487{ 488 int len; 489 if ((len = pfkey_send_x1(so, SADB_UPDATE, satype, mode, src, dst, spi, 490 reqid, wsize, 491 keymat, e_type, e_keylen, a_type, a_keylen, flags, 492 l_alloc, l_bytes, l_addtime, l_usetime, seq)) < 0) 493 return -1; 494 495 return len; 496} 497 498/* 499 * sending SADB_ADD message to the kernel. 500 * The length of key material is a_keylen + e_keylen. 501 * OUT: 502 * positive: success and return length sent. 503 * -1 : error occured, and set errno. 504 */ 505int 506pfkey_send_add(so, satype, mode, src, dst, spi, reqid, wsize, 507 keymat, e_type, e_keylen, a_type, a_keylen, flags, 508 l_alloc, l_bytes, l_addtime, l_usetime, seq) 509 int so; 510 u_int satype, mode, wsize; 511 struct sockaddr *src, *dst; 512 u_int32_t spi, reqid; 513 caddr_t keymat; 514 u_int e_type, e_keylen, a_type, a_keylen, flags; 515 u_int32_t l_alloc; 516 u_int64_t l_bytes, l_addtime, l_usetime; 517 u_int32_t seq; 518{ 519 int len; 520 if ((len = pfkey_send_x1(so, SADB_ADD, satype, mode, src, dst, spi, 521 reqid, wsize, 522 keymat, e_type, e_keylen, a_type, a_keylen, flags, 523 l_alloc, l_bytes, l_addtime, l_usetime, seq)) < 0) 524 return -1; 525 526 return len; 527} 528 529/* 530 * sending SADB_DELETE message to the kernel. 531 * OUT: 532 * positive: success and return length sent. 533 * -1 : error occured, and set errno. 534 */ 535int 536pfkey_send_delete(so, satype, mode, src, dst, spi) 537 int so; 538 u_int satype, mode; 539 struct sockaddr *src, *dst; 540 u_int32_t spi; 541{ 542 int len; 543 if ((len = pfkey_send_x2(so, SADB_DELETE, satype, mode, src, dst, spi)) < 0) 544 return -1; 545 546 return len; 547} 548 549/* 550 * sending SADB_DELETE without spi to the kernel. This is 551 * the "delete all" request (an extension also present in 552 * Solaris). 553 * 554 * OUT: 555 * positive: success and return length sent 556 * -1 : error occured, and set errno 557 */ 558int 559pfkey_send_delete_all(so, satype, mode, src, dst) 560 int so; 561 u_int satype, mode; 562 struct sockaddr *src, *dst; 563{ 564 struct sadb_msg *newmsg; 565 int len; 566 caddr_t p; 567 int plen; 568 caddr_t ep; 569 570 /* validity check */ 571 if (src == NULL || dst == NULL) { 572 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 573 return -1; 574 } 575 if (src->sa_family != dst->sa_family) { 576 __ipsec_errcode = EIPSEC_FAMILY_MISMATCH; 577 return -1; 578 } 579 switch (src->sa_family) { 580 case AF_INET: 581 plen = sizeof(struct in_addr) << 3; 582 break; 583 case AF_INET6: 584 plen = sizeof(struct in6_addr) << 3; 585 break; 586 default: 587 __ipsec_errcode = EIPSEC_INVAL_FAMILY; 588 return -1; 589 } 590 591 /* create new sadb_msg to reply. */ 592 len = sizeof(struct sadb_msg) 593 + sizeof(struct sadb_address) 594 + PFKEY_ALIGN8(src->sa_len) 595 + sizeof(struct sadb_address) 596 + PFKEY_ALIGN8(dst->sa_len); 597 598 if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) { 599 __ipsec_set_strerror(strerror(errno)); 600 return -1; 601 } 602 ep = ((caddr_t)newmsg) + len; 603 604 p = pfkey_setsadbmsg((caddr_t)newmsg, ep, SADB_DELETE, len, satype, 0, 605 getpid()); 606 if (!p) { 607 free(newmsg); 608 return -1; 609 } 610 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, plen, 611 IPSEC_ULPROTO_ANY); 612 if (!p) { 613 free(newmsg); 614 return -1; 615 } 616 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, plen, 617 IPSEC_ULPROTO_ANY); 618 if (!p || p != ep) { 619 free(newmsg); 620 return -1; 621 } 622 623 /* send message */ 624 len = pfkey_send(so, newmsg, len); 625 free(newmsg); 626 627 if (len < 0) 628 return -1; 629 630 __ipsec_errcode = EIPSEC_NO_ERROR; 631 return len; 632} 633 634/* 635 * sending SADB_GET message to the kernel. 636 * OUT: 637 * positive: success and return length sent. 638 * -1 : error occured, and set errno. 639 */ 640int 641pfkey_send_get(so, satype, mode, src, dst, spi) 642 int so; 643 u_int satype, mode; 644 struct sockaddr *src, *dst; 645 u_int32_t spi; 646{ 647 int len; 648 if ((len = pfkey_send_x2(so, SADB_GET, satype, mode, src, dst, spi)) < 0) 649 return -1; 650 651 return len; 652} 653 654/* 655 * sending SADB_REGISTER message to the kernel. 656 * OUT: 657 * positive: success and return length sent. 658 * -1 : error occured, and set errno. 659 */ 660int 661pfkey_send_register(so, satype) 662 int so; 663 u_int satype; 664{ 665 int len, algno; 666 667 if (satype == SADB_SATYPE_UNSPEC) { 668 for (algno = 0; 669 algno < sizeof(supported_map)/sizeof(supported_map[0]); 670 algno++) { 671 if (ipsec_supported[algno]) { 672 free(ipsec_supported[algno]); 673 ipsec_supported[algno] = NULL; 674 } 675 } 676 } else { 677 algno = findsupportedmap(satype); 678 if (algno == -1) { 679 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 680 return -1; 681 } 682 683 if (ipsec_supported[algno]) { 684 free(ipsec_supported[algno]); 685 ipsec_supported[algno] = NULL; 686 } 687 } 688 689 if ((len = pfkey_send_x3(so, SADB_REGISTER, satype)) < 0) 690 return -1; 691 692 return len; 693} 694 695/* 696 * receiving SADB_REGISTER message from the kernel, and copy buffer for 697 * sadb_supported returned into ipsec_supported. 698 * OUT: 699 * 0: success and return length sent. 700 * -1: error occured, and set errno. 701 */ 702int 703pfkey_recv_register(so) 704 int so; 705{ 706 pid_t pid = getpid(); 707 struct sadb_msg *newmsg; 708 int error = -1; 709 710 /* receive message */ 711 for (;;) { 712 if ((newmsg = pfkey_recv(so)) == NULL) 713 return -1; 714 if (newmsg->sadb_msg_type == SADB_REGISTER && 715 newmsg->sadb_msg_pid == pid) 716 break; 717 free(newmsg); 718 } 719 720 /* check and fix */ 721 newmsg->sadb_msg_len = PFKEY_UNUNIT64(newmsg->sadb_msg_len); 722 723 error = pfkey_set_supported(newmsg, newmsg->sadb_msg_len); 724 free(newmsg); 725 726 if (error == 0) 727 __ipsec_errcode = EIPSEC_NO_ERROR; 728 729 return error; 730} 731 732/* 733 * receiving SADB_REGISTER message from the kernel, and copy buffer for 734 * sadb_supported returned into ipsec_supported. 735 * NOTE: sadb_msg_len must be host order. 736 * IN: 737 * tlen: msg length, it's to makeing sure. 738 * OUT: 739 * 0: success and return length sent. 740 * -1: error occured, and set errno. 741 */ 742int 743pfkey_set_supported(msg, tlen) 744 struct sadb_msg *msg; 745 int tlen; 746{ 747 struct sadb_supported *sup; 748 caddr_t p; 749 caddr_t ep; 750 751 /* validity */ 752 if (msg->sadb_msg_len != tlen) { 753 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 754 return -1; 755 } 756 757 p = (caddr_t)msg; 758 ep = p + tlen; 759 760 p += sizeof(struct sadb_msg); 761 762 while (p < ep) { 763 sup = (struct sadb_supported *)p; 764 if (ep < p + sizeof(*sup) || 765 PFKEY_EXTLEN(sup) < sizeof(*sup) || 766 ep < p + sup->sadb_supported_len) { 767 /* invalid format */ 768 break; 769 } 770 771 switch (sup->sadb_supported_exttype) { 772 case SADB_EXT_SUPPORTED_AUTH: 773 case SADB_EXT_SUPPORTED_ENCRYPT: 774 break; 775 default: 776 __ipsec_errcode = EIPSEC_INVAL_SATYPE; 777 return -1; 778 } 779 780 /* fixed length */ 781 sup->sadb_supported_len = PFKEY_EXTLEN(sup); 782 783 /* set supported map */ 784 if (setsupportedmap(sup) != 0) 785 return -1; 786 787 p += sup->sadb_supported_len; 788 } 789 790 if (p != ep) { 791 __ipsec_errcode = EIPSEC_INVAL_SATYPE; 792 return -1; 793 } 794 795 __ipsec_errcode = EIPSEC_NO_ERROR; 796 797 return 0; 798} 799 800/* 801 * sending SADB_FLUSH message to the kernel. 802 * OUT: 803 * positive: success and return length sent. 804 * -1 : error occured, and set errno. 805 */ 806int 807pfkey_send_flush(so, satype) 808 int so; 809 u_int satype; 810{ 811 int len; 812 813 if ((len = pfkey_send_x3(so, SADB_FLUSH, satype)) < 0) 814 return -1; 815 816 return len; 817} 818 819/* 820 * sending SADB_DUMP message to the kernel. 821 * OUT: 822 * positive: success and return length sent. 823 * -1 : error occured, and set errno. 824 */ 825int 826pfkey_send_dump(so, satype) 827 int so; 828 u_int satype; 829{ 830 int len; 831 832 if ((len = pfkey_send_x3(so, SADB_DUMP, satype)) < 0) 833 return -1; 834 835 return len; 836} 837 838/* 839 * sending SADB_X_PROMISC message to the kernel. 840 * NOTE that this function handles promisc mode toggle only. 841 * IN: 842 * flag: set promisc off if zero, set promisc on if non-zero. 843 * OUT: 844 * positive: success and return length sent. 845 * -1 : error occured, and set errno. 846 * 0 : error occured, and set errno. 847 * others: a pointer to new allocated buffer in which supported 848 * algorithms is. 849 */ 850int 851pfkey_send_promisc_toggle(so, flag) 852 int so; 853 int flag; 854{ 855 int len; 856 857 if ((len = pfkey_send_x3(so, SADB_X_PROMISC, (flag ? 1 : 0))) < 0) 858 return -1; 859 860 return len; 861} 862 863/* 864 * sending SADB_X_SPDADD message to the kernel. 865 * OUT: 866 * positive: success and return length sent. 867 * -1 : error occured, and set errno. 868 */ 869int 870pfkey_send_spdadd(so, src, prefs, dst, prefd, proto, policy, policylen, seq) 871 int so; 872 struct sockaddr *src, *dst; 873 u_int prefs, prefd, proto; 874 caddr_t policy; 875 int policylen; 876 u_int32_t seq; 877{ 878 int len; 879 880 if ((len = pfkey_send_x4(so, SADB_X_SPDADD, 881 src, prefs, dst, prefd, proto, 882 0, 0, 883 policy, policylen, seq)) < 0) 884 return -1; 885 886 return len; 887} 888 889/* 890 * sending SADB_X_SPDADD message to the kernel. 891 * OUT: 892 * positive: success and return length sent. 893 * -1 : error occured, and set errno. 894 */ 895int 896pfkey_send_spdadd2(so, src, prefs, dst, prefd, proto, ltime, vtime, 897 policy, policylen, seq) 898 int so; 899 struct sockaddr *src, *dst; 900 u_int prefs, prefd, proto; 901 u_int64_t ltime, vtime; 902 caddr_t policy; 903 int policylen; 904 u_int32_t seq; 905{ 906 int len; 907 908 if ((len = pfkey_send_x4(so, SADB_X_SPDADD, 909 src, prefs, dst, prefd, proto, 910 ltime, vtime, 911 policy, policylen, seq)) < 0) 912 return -1; 913 914 return len; 915} 916 917/* 918 * sending SADB_X_SPDUPDATE message to the kernel. 919 * OUT: 920 * positive: success and return length sent. 921 * -1 : error occured, and set errno. 922 */ 923int 924pfkey_send_spdupdate(so, src, prefs, dst, prefd, proto, policy, policylen, seq) 925 int so; 926 struct sockaddr *src, *dst; 927 u_int prefs, prefd, proto; 928 caddr_t policy; 929 int policylen; 930 u_int32_t seq; 931{ 932 int len; 933 934 if ((len = pfkey_send_x4(so, SADB_X_SPDUPDATE, 935 src, prefs, dst, prefd, proto, 936 0, 0, 937 policy, policylen, seq)) < 0) 938 return -1; 939 940 return len; 941} 942 943/* 944 * sending SADB_X_SPDUPDATE message to the kernel. 945 * OUT: 946 * positive: success and return length sent. 947 * -1 : error occured, and set errno. 948 */ 949int 950pfkey_send_spdupdate2(so, src, prefs, dst, prefd, proto, ltime, vtime, 951 policy, policylen, seq) 952 int so; 953 struct sockaddr *src, *dst; 954 u_int prefs, prefd, proto; 955 u_int64_t ltime, vtime; 956 caddr_t policy; 957 int policylen; 958 u_int32_t seq; 959{ 960 int len; 961 962 if ((len = pfkey_send_x4(so, SADB_X_SPDUPDATE, 963 src, prefs, dst, prefd, proto, 964 ltime, vtime, 965 policy, policylen, seq)) < 0) 966 return -1; 967 968 return len; 969} 970 971/* 972 * sending SADB_X_SPDDELETE message to the kernel. 973 * OUT: 974 * positive: success and return length sent. 975 * -1 : error occured, and set errno. 976 */ 977int 978pfkey_send_spddelete(so, src, prefs, dst, prefd, proto, policy, policylen, seq) 979 int so; 980 struct sockaddr *src, *dst; 981 u_int prefs, prefd, proto; 982 caddr_t policy; 983 int policylen; 984 u_int32_t seq; 985{ 986 int len; 987 988 if (policylen != sizeof(struct sadb_x_policy)) { 989 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 990 return -1; 991 } 992 993 if ((len = pfkey_send_x4(so, SADB_X_SPDDELETE, 994 src, prefs, dst, prefd, proto, 995 0, 0, 996 policy, policylen, seq)) < 0) 997 return -1; 998 999 return len; 1000} 1001 1002/* 1003 * sending SADB_X_SPDDELETE message to the kernel. 1004 * OUT: 1005 * positive: success and return length sent. 1006 * -1 : error occured, and set errno. 1007 */ 1008int 1009pfkey_send_spddelete2(so, spid) 1010 int so; 1011 u_int32_t spid; 1012{ 1013 int len; 1014 1015 if ((len = pfkey_send_x5(so, SADB_X_SPDDELETE2, spid)) < 0) 1016 return -1; 1017 1018 return len; 1019} 1020 1021/* 1022 * sending SADB_X_SPDGET message to the kernel. 1023 * OUT: 1024 * positive: success and return length sent. 1025 * -1 : error occured, and set errno. 1026 */ 1027int 1028pfkey_send_spdget(so, spid) 1029 int so; 1030 u_int32_t spid; 1031{ 1032 int len; 1033 1034 if ((len = pfkey_send_x5(so, SADB_X_SPDGET, spid)) < 0) 1035 return -1; 1036 1037 return len; 1038} 1039 1040/* 1041 * sending SADB_X_SPDSETIDX message to the kernel. 1042 * OUT: 1043 * positive: success and return length sent. 1044 * -1 : error occured, and set errno. 1045 */ 1046int 1047pfkey_send_spdsetidx(so, src, prefs, dst, prefd, proto, policy, policylen, seq) 1048 int so; 1049 struct sockaddr *src, *dst; 1050 u_int prefs, prefd, proto; 1051 caddr_t policy; 1052 int policylen; 1053 u_int32_t seq; 1054{ 1055 int len; 1056 1057 if (policylen != sizeof(struct sadb_x_policy)) { 1058 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 1059 return -1; 1060 } 1061 1062 if ((len = pfkey_send_x4(so, SADB_X_SPDSETIDX, 1063 src, prefs, dst, prefd, proto, 1064 0, 0, 1065 policy, policylen, seq)) < 0) 1066 return -1; 1067 1068 return len; 1069} 1070 1071/* 1072 * sending SADB_SPDFLUSH message to the kernel. 1073 * OUT: 1074 * positive: success and return length sent. 1075 * -1 : error occured, and set errno. 1076 */ 1077int 1078pfkey_send_spdflush(so) 1079 int so; 1080{ 1081 int len; 1082 1083 if ((len = pfkey_send_x3(so, SADB_X_SPDFLUSH, SADB_SATYPE_UNSPEC)) < 0) 1084 return -1; 1085 1086 return len; 1087} 1088 1089/* 1090 * sending SADB_SPDDUMP message to the kernel. 1091 * OUT: 1092 * positive: success and return length sent. 1093 * -1 : error occured, and set errno. 1094 */ 1095int 1096pfkey_send_spddump(so) 1097 int so; 1098{ 1099 int len; 1100 1101 if ((len = pfkey_send_x3(so, SADB_X_SPDDUMP, SADB_SATYPE_UNSPEC)) < 0) 1102 return -1; 1103 1104 return len; 1105} 1106 1107/* sending SADB_ADD or SADB_UPDATE message to the kernel */ 1108static int 1109pfkey_send_x1(so, type, satype, mode, src, dst, spi, reqid, wsize, 1110 keymat, e_type, e_keylen, a_type, a_keylen, flags, 1111 l_alloc, l_bytes, l_addtime, l_usetime, seq) 1112 int so; 1113 u_int type, satype, mode; 1114 struct sockaddr *src, *dst; 1115 u_int32_t spi, reqid; 1116 u_int wsize; 1117 caddr_t keymat; 1118 u_int e_type, e_keylen, a_type, a_keylen, flags; 1119 u_int32_t l_alloc, l_bytes, l_addtime, l_usetime, seq; 1120{ 1121 struct sadb_msg *newmsg; 1122 int len; 1123 caddr_t p; 1124 int plen; 1125 caddr_t ep; 1126 1127 /* validity check */ 1128 if (src == NULL || dst == NULL) { 1129 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 1130 return -1; 1131 } 1132 if (src->sa_family != dst->sa_family) { 1133 __ipsec_errcode = EIPSEC_FAMILY_MISMATCH; 1134 return -1; 1135 } 1136 switch (src->sa_family) { 1137 case AF_INET: 1138 plen = sizeof(struct in_addr) << 3; 1139 break; 1140 case AF_INET6: 1141 plen = sizeof(struct in6_addr) << 3; 1142 break; 1143 default: 1144 __ipsec_errcode = EIPSEC_INVAL_FAMILY; 1145 return -1; 1146 } 1147 1148 switch (satype) { 1149 case SADB_SATYPE_ESP: 1150 if (e_type == SADB_EALG_NONE) { 1151 __ipsec_errcode = EIPSEC_NO_ALGS; 1152 return -1; 1153 } 1154 break; 1155 case SADB_SATYPE_AH: 1156 if (e_type != SADB_EALG_NONE) { 1157 __ipsec_errcode = EIPSEC_INVAL_ALGS; 1158 return -1; 1159 } 1160 if (a_type == SADB_AALG_NONE) { 1161 __ipsec_errcode = EIPSEC_NO_ALGS; 1162 return -1; 1163 } 1164 break; 1165 case SADB_X_SATYPE_IPCOMP: 1166 if (e_type == SADB_X_CALG_NONE) { 1167 __ipsec_errcode = EIPSEC_INVAL_ALGS; 1168 return -1; 1169 } 1170 if (a_type != SADB_AALG_NONE) { 1171 __ipsec_errcode = EIPSEC_NO_ALGS; 1172 return -1; 1173 } 1174 break; 1175 case SADB_X_SATYPE_TCPSIGNATURE: 1176 if (e_type != SADB_EALG_NONE) { 1177 __ipsec_errcode = EIPSEC_INVAL_ALGS; 1178 return -1; 1179 } 1180 if (a_type != SADB_X_AALG_TCP_MD5) { 1181 __ipsec_errcode = EIPSEC_INVAL_ALGS; 1182 return -1; 1183 } 1184 break; 1185 default: 1186 __ipsec_errcode = EIPSEC_INVAL_SATYPE; 1187 return -1; 1188 } 1189 1190 /* create new sadb_msg to reply. */ 1191 len = sizeof(struct sadb_msg) 1192 + sizeof(struct sadb_sa) 1193 + sizeof(struct sadb_x_sa2) 1194 + sizeof(struct sadb_address) 1195 + PFKEY_ALIGN8(src->sa_len) 1196 + sizeof(struct sadb_address) 1197 + PFKEY_ALIGN8(dst->sa_len) 1198 + sizeof(struct sadb_lifetime) 1199 + sizeof(struct sadb_lifetime); 1200 1201 if (wsize > UINT8_MAX) { 1202 if (wsize > (UINT32_MAX - 32) >> 3) { 1203 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 1204 return (-1); 1205 } 1206 len += sizeof(struct sadb_x_sa_replay); 1207 } 1208 if (e_type != SADB_EALG_NONE) 1209 len += (sizeof(struct sadb_key) + PFKEY_ALIGN8(e_keylen)); 1210 if (a_type != SADB_AALG_NONE) 1211 len += (sizeof(struct sadb_key) + PFKEY_ALIGN8(a_keylen)); 1212 1213 if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) { 1214 __ipsec_set_strerror(strerror(errno)); 1215 return -1; 1216 } 1217 ep = ((caddr_t)newmsg) + len; 1218 1219 p = pfkey_setsadbmsg((caddr_t)newmsg, ep, type, len, 1220 satype, seq, getpid()); 1221 if (!p) { 1222 free(newmsg); 1223 return -1; 1224 } 1225 p = pfkey_setsadbsa(p, ep, spi, wsize, a_type, e_type, flags); 1226 if (!p) { 1227 free(newmsg); 1228 return -1; 1229 } 1230 p = pfkey_setsadbxsa2(p, ep, mode, reqid); 1231 if (!p) { 1232 free(newmsg); 1233 return -1; 1234 } 1235 if (wsize > UINT8_MAX) { 1236 p = pfkey_setsadbxreplay(p, ep, wsize); 1237 if (!p) { 1238 free(newmsg); 1239 return (-1); 1240 } 1241 } 1242 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, plen, 1243 IPSEC_ULPROTO_ANY); 1244 if (!p) { 1245 free(newmsg); 1246 return -1; 1247 } 1248 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, plen, 1249 IPSEC_ULPROTO_ANY); 1250 if (!p) { 1251 free(newmsg); 1252 return -1; 1253 } 1254 1255 if (e_type != SADB_EALG_NONE) { 1256 p = pfkey_setsadbkey(p, ep, SADB_EXT_KEY_ENCRYPT, 1257 keymat, e_keylen); 1258 if (!p) { 1259 free(newmsg); 1260 return -1; 1261 } 1262 } 1263 if (a_type != SADB_AALG_NONE) { 1264 p = pfkey_setsadbkey(p, ep, SADB_EXT_KEY_AUTH, 1265 keymat + e_keylen, a_keylen); 1266 if (!p) { 1267 free(newmsg); 1268 return -1; 1269 } 1270 } 1271 1272 /* set sadb_lifetime for destination */ 1273 p = pfkey_setsadblifetime(p, ep, SADB_EXT_LIFETIME_HARD, 1274 l_alloc, l_bytes, l_addtime, l_usetime); 1275 if (!p) { 1276 free(newmsg); 1277 return -1; 1278 } 1279 p = pfkey_setsadblifetime(p, ep, SADB_EXT_LIFETIME_SOFT, 1280 l_alloc, l_bytes, l_addtime, l_usetime); 1281 if (!p || p != ep) { 1282 free(newmsg); 1283 return -1; 1284 } 1285 1286 /* send message */ 1287 len = pfkey_send(so, newmsg, len); 1288 free(newmsg); 1289 1290 if (len < 0) 1291 return -1; 1292 1293 __ipsec_errcode = EIPSEC_NO_ERROR; 1294 return len; 1295} 1296 1297/* sending SADB_DELETE or SADB_GET message to the kernel */ 1298static int 1299pfkey_send_x2(so, type, satype, mode, src, dst, spi) 1300 int so; 1301 u_int type, satype, mode; 1302 struct sockaddr *src, *dst; 1303 u_int32_t spi; 1304{ 1305 struct sadb_msg *newmsg; 1306 int len; 1307 caddr_t p; 1308 int plen; 1309 caddr_t ep; 1310 1311 /* validity check */ 1312 if (src == NULL || dst == NULL) { 1313 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 1314 return -1; 1315 } 1316 if (src->sa_family != dst->sa_family) { 1317 __ipsec_errcode = EIPSEC_FAMILY_MISMATCH; 1318 return -1; 1319 } 1320 switch (src->sa_family) { 1321 case AF_INET: 1322 plen = sizeof(struct in_addr) << 3; 1323 break; 1324 case AF_INET6: 1325 plen = sizeof(struct in6_addr) << 3; 1326 break; 1327 default: 1328 __ipsec_errcode = EIPSEC_INVAL_FAMILY; 1329 return -1; 1330 } 1331 1332 /* create new sadb_msg to reply. */ 1333 len = sizeof(struct sadb_msg) 1334 + sizeof(struct sadb_sa) 1335 + sizeof(struct sadb_address) 1336 + PFKEY_ALIGN8(src->sa_len) 1337 + sizeof(struct sadb_address) 1338 + PFKEY_ALIGN8(dst->sa_len); 1339 1340 if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) { 1341 __ipsec_set_strerror(strerror(errno)); 1342 return -1; 1343 } 1344 ep = ((caddr_t)newmsg) + len; 1345 1346 p = pfkey_setsadbmsg((caddr_t)newmsg, ep, type, len, satype, 0, 1347 getpid()); 1348 if (!p) { 1349 free(newmsg); 1350 return -1; 1351 } 1352 p = pfkey_setsadbsa(p, ep, spi, 0, 0, 0, 0); 1353 if (!p) { 1354 free(newmsg); 1355 return -1; 1356 } 1357 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, plen, 1358 IPSEC_ULPROTO_ANY); 1359 if (!p) { 1360 free(newmsg); 1361 return -1; 1362 } 1363 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, plen, 1364 IPSEC_ULPROTO_ANY); 1365 if (!p || p != ep) { 1366 free(newmsg); 1367 return -1; 1368 } 1369 1370 /* send message */ 1371 len = pfkey_send(so, newmsg, len); 1372 free(newmsg); 1373 1374 if (len < 0) 1375 return -1; 1376 1377 __ipsec_errcode = EIPSEC_NO_ERROR; 1378 return len; 1379} 1380 1381/* 1382 * sending SADB_REGISTER, SADB_FLUSH, SADB_DUMP or SADB_X_PROMISC message 1383 * to the kernel 1384 */ 1385static int 1386pfkey_send_x3(so, type, satype) 1387 int so; 1388 u_int type, satype; 1389{ 1390 struct sadb_msg *newmsg; 1391 int len; 1392 caddr_t p; 1393 caddr_t ep; 1394 1395 /* validity check */ 1396 switch (type) { 1397 case SADB_X_PROMISC: 1398 if (satype != 0 && satype != 1) { 1399 __ipsec_errcode = EIPSEC_INVAL_SATYPE; 1400 return -1; 1401 } 1402 break; 1403 default: 1404 switch (satype) { 1405 case SADB_SATYPE_UNSPEC: 1406 case SADB_SATYPE_AH: 1407 case SADB_SATYPE_ESP: 1408 case SADB_X_SATYPE_IPCOMP: 1409 case SADB_X_SATYPE_TCPSIGNATURE: 1410 break; 1411 default: 1412 __ipsec_errcode = EIPSEC_INVAL_SATYPE; 1413 return -1; 1414 } 1415 } 1416 1417 /* create new sadb_msg to send. */ 1418 len = sizeof(struct sadb_msg); 1419 1420 if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) { 1421 __ipsec_set_strerror(strerror(errno)); 1422 return -1; 1423 } 1424 ep = ((caddr_t)newmsg) + len; 1425 1426 p = pfkey_setsadbmsg((caddr_t)newmsg, ep, type, len, satype, 0, 1427 getpid()); 1428 if (!p || p != ep) { 1429 free(newmsg); 1430 return -1; 1431 } 1432 1433 /* send message */ 1434 len = pfkey_send(so, newmsg, len); 1435 free(newmsg); 1436 1437 if (len < 0) 1438 return -1; 1439 1440 __ipsec_errcode = EIPSEC_NO_ERROR; 1441 return len; 1442} 1443 1444/* sending SADB_X_SPDADD message to the kernel */ 1445static int 1446pfkey_send_x4(so, type, src, prefs, dst, prefd, proto, 1447 ltime, vtime, policy, policylen, seq) 1448 int so; 1449 struct sockaddr *src, *dst; 1450 u_int type, prefs, prefd, proto; 1451 u_int64_t ltime, vtime; 1452 char *policy; 1453 int policylen; 1454 u_int32_t seq; 1455{ 1456 struct sadb_msg *newmsg; 1457 int len; 1458 caddr_t p; 1459 int plen; 1460 caddr_t ep; 1461 1462 /* validity check */ 1463 if (src == NULL || dst == NULL) { 1464 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 1465 return -1; 1466 } 1467 if (src->sa_family != dst->sa_family) { 1468 __ipsec_errcode = EIPSEC_FAMILY_MISMATCH; 1469 return -1; 1470 } 1471 1472 switch (src->sa_family) { 1473 case AF_INET: 1474 plen = sizeof(struct in_addr) << 3; 1475 break; 1476 case AF_INET6: 1477 plen = sizeof(struct in6_addr) << 3; 1478 break; 1479 default: 1480 __ipsec_errcode = EIPSEC_INVAL_FAMILY; 1481 return -1; 1482 } 1483 if (prefs > plen || prefd > plen) { 1484 __ipsec_errcode = EIPSEC_INVAL_PREFIXLEN; 1485 return -1; 1486 } 1487 1488 /* create new sadb_msg to reply. */ 1489 len = sizeof(struct sadb_msg) 1490 + sizeof(struct sadb_address) 1491 + PFKEY_ALIGN8(src->sa_len) 1492 + sizeof(struct sadb_address) 1493 + PFKEY_ALIGN8(src->sa_len) 1494 + sizeof(struct sadb_lifetime) 1495 + policylen; 1496 1497 if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) { 1498 __ipsec_set_strerror(strerror(errno)); 1499 return -1; 1500 } 1501 ep = ((caddr_t)newmsg) + len; 1502 1503 p = pfkey_setsadbmsg((caddr_t)newmsg, ep, type, len, 1504 SADB_SATYPE_UNSPEC, seq, getpid()); 1505 if (!p) { 1506 free(newmsg); 1507 return -1; 1508 } 1509 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, prefs, proto); 1510 if (!p) { 1511 free(newmsg); 1512 return -1; 1513 } 1514 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, prefd, proto); 1515 if (!p) { 1516 free(newmsg); 1517 return -1; 1518 } 1519 p = pfkey_setsadblifetime(p, ep, SADB_EXT_LIFETIME_HARD, 1520 0, 0, ltime, vtime); 1521 if (!p || p + policylen != ep) { 1522 free(newmsg); 1523 return -1; 1524 } 1525 memcpy(p, policy, policylen); 1526 1527 /* send message */ 1528 len = pfkey_send(so, newmsg, len); 1529 free(newmsg); 1530 1531 if (len < 0) 1532 return -1; 1533 1534 __ipsec_errcode = EIPSEC_NO_ERROR; 1535 return len; 1536} 1537 1538/* sending SADB_X_SPDGET or SADB_X_SPDDELETE message to the kernel */ 1539static int 1540pfkey_send_x5(so, type, spid) 1541 int so; 1542 u_int type; 1543 u_int32_t spid; 1544{ 1545 struct sadb_msg *newmsg; 1546 struct sadb_x_policy xpl; 1547 int len; 1548 caddr_t p; 1549 caddr_t ep; 1550 1551 /* create new sadb_msg to reply. */ 1552 len = sizeof(struct sadb_msg) 1553 + sizeof(xpl); 1554 1555 if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) { 1556 __ipsec_set_strerror(strerror(errno)); 1557 return -1; 1558 } 1559 ep = ((caddr_t)newmsg) + len; 1560 1561 p = pfkey_setsadbmsg((caddr_t)newmsg, ep, type, len, 1562 SADB_SATYPE_UNSPEC, 0, getpid()); 1563 if (!p) { 1564 free(newmsg); 1565 return -1; 1566 } 1567 1568 if (p + sizeof(xpl) != ep) { 1569 free(newmsg); 1570 return -1; 1571 } 1572 memset(&xpl, 0, sizeof(xpl)); 1573 xpl.sadb_x_policy_len = PFKEY_UNIT64(sizeof(xpl)); 1574 xpl.sadb_x_policy_exttype = SADB_X_EXT_POLICY; 1575 xpl.sadb_x_policy_id = spid; 1576 memcpy(p, &xpl, sizeof(xpl)); 1577 1578 /* send message */ 1579 len = pfkey_send(so, newmsg, len); 1580 free(newmsg); 1581 1582 if (len < 0) 1583 return -1; 1584 1585 __ipsec_errcode = EIPSEC_NO_ERROR; 1586 return len; 1587} 1588 1589/* 1590 * open a socket. 1591 * OUT: 1592 * -1: fail. 1593 * others : success and return value of socket. 1594 */ 1595int 1596pfkey_open(void) 1597{ 1598 int so; 1599 int bufsiz_current, bufsiz_wanted; 1600 int ret; 1601 socklen_t len; 1602 1603 if ((so = socket(PF_KEY, SOCK_RAW, PF_KEY_V2)) < 0) { 1604 __ipsec_set_strerror(strerror(errno)); 1605 return -1; 1606 } 1607 1608 /* 1609 * This is a temporary workaround for KAME PR 154. 1610 * Don't really care even if it fails. 1611 */ 1612 /* Try to have 128k. If we have more, do not lower it. */ 1613 bufsiz_wanted = 128 * 1024; 1614 len = sizeof(bufsiz_current); 1615 ret = getsockopt(so, SOL_SOCKET, SO_SNDBUF, 1616 &bufsiz_current, &len); 1617 if ((ret < 0) || (bufsiz_current < bufsiz_wanted)) 1618 (void)setsockopt(so, SOL_SOCKET, SO_SNDBUF, 1619 &bufsiz_wanted, sizeof(bufsiz_wanted)); 1620 1621 /* Try to have have at least 2MB. If we have more, do not lower it. */ 1622 bufsiz_wanted = 2 * 1024 * 1024; 1623 len = sizeof(bufsiz_current); 1624 ret = getsockopt(so, SOL_SOCKET, SO_RCVBUF, 1625 &bufsiz_current, &len); 1626 if (ret < 0) 1627 bufsiz_current = 128 * 1024; 1628 1629 for (; bufsiz_wanted > bufsiz_current; bufsiz_wanted /= 2) { 1630 if (setsockopt(so, SOL_SOCKET, SO_RCVBUF, 1631 &bufsiz_wanted, sizeof(bufsiz_wanted)) == 0) 1632 break; 1633 } 1634 1635 __ipsec_errcode = EIPSEC_NO_ERROR; 1636 return so; 1637} 1638 1639/* 1640 * close a socket. 1641 * OUT: 1642 * 0: success. 1643 * -1: fail. 1644 */ 1645void 1646pfkey_close(so) 1647 int so; 1648{ 1649 (void)close(so); 1650 1651 __ipsec_errcode = EIPSEC_NO_ERROR; 1652 return; 1653} 1654 1655/* 1656 * receive sadb_msg data, and return pointer to new buffer allocated. 1657 * Must free this buffer later. 1658 * OUT: 1659 * NULL : error occured. 1660 * others : a pointer to sadb_msg structure. 1661 * 1662 * XXX should be rewritten to pass length explicitly 1663 */ 1664struct sadb_msg * 1665pfkey_recv(so) 1666 int so; 1667{ 1668 struct sadb_msg buf, *newmsg; 1669 int len, reallen; 1670 1671 while ((len = recv(so, (caddr_t)&buf, sizeof(buf), MSG_PEEK)) < 0) { 1672 if (errno == EINTR) 1673 continue; 1674 __ipsec_set_strerror(strerror(errno)); 1675 return NULL; 1676 } 1677 1678 if (len < sizeof(buf)) { 1679 recv(so, (caddr_t)&buf, sizeof(buf), 0); 1680 __ipsec_errcode = EIPSEC_MAX; 1681 return NULL; 1682 } 1683 1684 /* read real message */ 1685 reallen = PFKEY_UNUNIT64(buf.sadb_msg_len); 1686 if ((newmsg = CALLOC(reallen, struct sadb_msg *)) == NULL) { 1687 __ipsec_set_strerror(strerror(errno)); 1688 return NULL; 1689 } 1690 1691 while ((len = recv(so, (caddr_t)newmsg, reallen, 0)) < 0) { 1692 if (errno == EINTR) 1693 continue; 1694 __ipsec_set_strerror(strerror(errno)); 1695 free(newmsg); 1696 return NULL; 1697 } 1698 1699 if (len != reallen) { 1700 __ipsec_errcode = EIPSEC_SYSTEM_ERROR; 1701 free(newmsg); 1702 return NULL; 1703 } 1704 1705 /* don't trust what the kernel says, validate! */ 1706 if (PFKEY_UNUNIT64(newmsg->sadb_msg_len) != len) { 1707 __ipsec_errcode = EIPSEC_SYSTEM_ERROR; 1708 free(newmsg); 1709 return NULL; 1710 } 1711 1712 __ipsec_errcode = EIPSEC_NO_ERROR; 1713 return newmsg; 1714} 1715 1716/* 1717 * send message to a socket. 1718 * OUT: 1719 * others: success and return length sent. 1720 * -1 : fail. 1721 */ 1722int 1723pfkey_send(so, msg, len) 1724 int so; 1725 struct sadb_msg *msg; 1726 int len; 1727{ 1728 if ((len = send(so, (caddr_t)msg, len, 0)) < 0) { 1729 __ipsec_set_strerror(strerror(errno)); 1730 return -1; 1731 } 1732 1733 __ipsec_errcode = EIPSEC_NO_ERROR; 1734 return len; 1735} 1736 1737/* 1738 * %%% Utilities 1739 * NOTE: These functions are derived from netkey/key.c in KAME. 1740 */ 1741/* 1742 * set the pointer to each header in this message buffer. 1743 * IN: msg: pointer to message buffer. 1744 * mhp: pointer to the buffer initialized like below: 1745 * caddr_t mhp[SADB_EXT_MAX + 1]; 1746 * OUT: -1: invalid. 1747 * 0: valid. 1748 * 1749 * XXX should be rewritten to obtain length explicitly 1750 */ 1751int 1752pfkey_align(msg, mhp) 1753 struct sadb_msg *msg; 1754 caddr_t *mhp; 1755{ 1756 struct sadb_ext *ext; 1757 int i; 1758 caddr_t p; 1759 caddr_t ep; /* XXX should be passed from upper layer */ 1760 1761 /* validity check */ 1762 if (msg == NULL || mhp == NULL) { 1763 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 1764 return -1; 1765 } 1766 1767 /* initialize */ 1768 for (i = 0; i < SADB_EXT_MAX + 1; i++) 1769 mhp[i] = NULL; 1770 1771 mhp[0] = (caddr_t)msg; 1772 1773 /* initialize */ 1774 p = (caddr_t) msg; 1775 ep = p + PFKEY_UNUNIT64(msg->sadb_msg_len); 1776 1777 /* skip base header */ 1778 p += sizeof(struct sadb_msg); 1779 1780 while (p < ep) { 1781 ext = (struct sadb_ext *)p; 1782 if (ep < p + sizeof(*ext) || PFKEY_EXTLEN(ext) < sizeof(*ext) || 1783 ep < p + PFKEY_EXTLEN(ext)) { 1784 /* invalid format */ 1785 break; 1786 } 1787 1788 /* duplicate check */ 1789 /* XXX Are there duplication either KEY_AUTH or KEY_ENCRYPT ?*/ 1790 if (mhp[ext->sadb_ext_type] != NULL) { 1791 __ipsec_errcode = EIPSEC_INVAL_EXTTYPE; 1792 return -1; 1793 } 1794 1795 /* set pointer */ 1796 switch (ext->sadb_ext_type) { 1797 case SADB_EXT_SA: 1798 case SADB_EXT_LIFETIME_CURRENT: 1799 case SADB_EXT_LIFETIME_HARD: 1800 case SADB_EXT_LIFETIME_SOFT: 1801 case SADB_EXT_ADDRESS_SRC: 1802 case SADB_EXT_ADDRESS_DST: 1803 case SADB_EXT_ADDRESS_PROXY: 1804 case SADB_EXT_KEY_AUTH: 1805 /* XXX should to be check weak keys. */ 1806 case SADB_EXT_KEY_ENCRYPT: 1807 /* XXX should to be check weak keys. */ 1808 case SADB_EXT_IDENTITY_SRC: 1809 case SADB_EXT_IDENTITY_DST: 1810 case SADB_EXT_SENSITIVITY: 1811 case SADB_EXT_PROPOSAL: 1812 case SADB_EXT_SUPPORTED_AUTH: 1813 case SADB_EXT_SUPPORTED_ENCRYPT: 1814 case SADB_EXT_SPIRANGE: 1815 case SADB_X_EXT_POLICY: 1816 case SADB_X_EXT_SA2: 1817 case SADB_X_EXT_NAT_T_TYPE: 1818 case SADB_X_EXT_NAT_T_SPORT: 1819 case SADB_X_EXT_NAT_T_DPORT: 1820 case SADB_X_EXT_NAT_T_OAI: 1821 case SADB_X_EXT_NAT_T_OAR: 1822 case SADB_X_EXT_NAT_T_FRAG: 1823 case SADB_X_EXT_SA_REPLAY: 1824 case SADB_X_EXT_NEW_ADDRESS_SRC: 1825 case SADB_X_EXT_NEW_ADDRESS_DST: 1826 mhp[ext->sadb_ext_type] = (caddr_t)ext; 1827 break; 1828 default: 1829 __ipsec_errcode = EIPSEC_INVAL_EXTTYPE; 1830 return -1; 1831 } 1832 1833 p += PFKEY_EXTLEN(ext); 1834 } 1835 1836 if (p != ep) { 1837 __ipsec_errcode = EIPSEC_INVAL_SADBMSG; 1838 return -1; 1839 } 1840 1841 __ipsec_errcode = EIPSEC_NO_ERROR; 1842 return 0; 1843} 1844 1845/* 1846 * check basic usage for sadb_msg, 1847 * NOTE: This routine is derived from netkey/key.c in KAME. 1848 * IN: msg: pointer to message buffer. 1849 * mhp: pointer to the buffer initialized like below: 1850 * 1851 * caddr_t mhp[SADB_EXT_MAX + 1]; 1852 * 1853 * OUT: -1: invalid. 1854 * 0: valid. 1855 */ 1856int 1857pfkey_check(mhp) 1858 caddr_t *mhp; 1859{ 1860 struct sadb_msg *msg; 1861 1862 /* validity check */ 1863 if (mhp == NULL || mhp[0] == NULL) { 1864 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 1865 return -1; 1866 } 1867 1868 msg = (struct sadb_msg *)mhp[0]; 1869 1870 /* check version */ 1871 if (msg->sadb_msg_version != PF_KEY_V2) { 1872 __ipsec_errcode = EIPSEC_INVAL_VERSION; 1873 return -1; 1874 } 1875 1876 /* check type */ 1877 if (msg->sadb_msg_type > SADB_MAX) { 1878 __ipsec_errcode = EIPSEC_INVAL_MSGTYPE; 1879 return -1; 1880 } 1881 1882 /* check SA type */ 1883 switch (msg->sadb_msg_satype) { 1884 case SADB_SATYPE_UNSPEC: 1885 switch (msg->sadb_msg_type) { 1886 case SADB_GETSPI: 1887 case SADB_UPDATE: 1888 case SADB_ADD: 1889 case SADB_DELETE: 1890 case SADB_GET: 1891 case SADB_ACQUIRE: 1892 case SADB_EXPIRE: 1893 __ipsec_errcode = EIPSEC_INVAL_SATYPE; 1894 return -1; 1895 } 1896 break; 1897 case SADB_SATYPE_ESP: 1898 case SADB_SATYPE_AH: 1899 case SADB_X_SATYPE_IPCOMP: 1900 case SADB_X_SATYPE_TCPSIGNATURE: 1901 switch (msg->sadb_msg_type) { 1902 case SADB_X_SPDADD: 1903 case SADB_X_SPDDELETE: 1904 case SADB_X_SPDGET: 1905 case SADB_X_SPDDUMP: 1906 case SADB_X_SPDFLUSH: 1907 __ipsec_errcode = EIPSEC_INVAL_SATYPE; 1908 return -1; 1909 } 1910 break; 1911 case SADB_SATYPE_RSVP: 1912 case SADB_SATYPE_OSPFV2: 1913 case SADB_SATYPE_RIPV2: 1914 case SADB_SATYPE_MIP: 1915 __ipsec_errcode = EIPSEC_NOT_SUPPORTED; 1916 return -1; 1917 case 1: /* XXX: What does it do ? */ 1918 if (msg->sadb_msg_type == SADB_X_PROMISC) 1919 break; 1920 /*FALLTHROUGH*/ 1921 default: 1922 __ipsec_errcode = EIPSEC_INVAL_SATYPE; 1923 return -1; 1924 } 1925 1926 /* check field of upper layer protocol and address family */ 1927 if (mhp[SADB_EXT_ADDRESS_SRC] != NULL 1928 && mhp[SADB_EXT_ADDRESS_DST] != NULL) { 1929 struct sadb_address *src0, *dst0; 1930 1931 src0 = (struct sadb_address *)(mhp[SADB_EXT_ADDRESS_SRC]); 1932 dst0 = (struct sadb_address *)(mhp[SADB_EXT_ADDRESS_DST]); 1933 1934 if (src0->sadb_address_proto != dst0->sadb_address_proto) { 1935 __ipsec_errcode = EIPSEC_PROTO_MISMATCH; 1936 return -1; 1937 } 1938 1939 if (PFKEY_ADDR_SADDR(src0)->sa_family 1940 != PFKEY_ADDR_SADDR(dst0)->sa_family) { 1941 __ipsec_errcode = EIPSEC_FAMILY_MISMATCH; 1942 return -1; 1943 } 1944 1945 switch (PFKEY_ADDR_SADDR(src0)->sa_family) { 1946 case AF_INET: 1947 case AF_INET6: 1948 break; 1949 default: 1950 __ipsec_errcode = EIPSEC_INVAL_FAMILY; 1951 return -1; 1952 } 1953 1954 /* 1955 * prefixlen == 0 is valid because there must be the case 1956 * all addresses are matched. 1957 */ 1958 } 1959 1960 __ipsec_errcode = EIPSEC_NO_ERROR; 1961 return 0; 1962} 1963 1964/* 1965 * set data into sadb_msg. 1966 * `buf' must has been allocated sufficiently. 1967 */ 1968static caddr_t 1969pfkey_setsadbmsg(buf, lim, type, tlen, satype, seq, pid) 1970 caddr_t buf; 1971 caddr_t lim; 1972 u_int type, satype; 1973 u_int tlen; 1974 u_int32_t seq; 1975 pid_t pid; 1976{ 1977 struct sadb_msg *p; 1978 u_int len; 1979 1980 p = (struct sadb_msg *)buf; 1981 len = sizeof(struct sadb_msg); 1982 1983 if (buf + len > lim) 1984 return NULL; 1985 1986 memset(p, 0, len); 1987 p->sadb_msg_version = PF_KEY_V2; 1988 p->sadb_msg_type = type; 1989 p->sadb_msg_errno = 0; 1990 p->sadb_msg_satype = satype; 1991 p->sadb_msg_len = PFKEY_UNIT64(tlen); 1992 p->sadb_msg_reserved = 0; 1993 p->sadb_msg_seq = seq; 1994 p->sadb_msg_pid = (u_int32_t)pid; 1995 1996 return(buf + len); 1997} 1998 1999/* 2000 * copy secasvar data into sadb_address. 2001 * `buf' must has been allocated sufficiently. 2002 */ 2003static caddr_t 2004pfkey_setsadbsa(buf, lim, spi, wsize, auth, enc, flags) 2005 caddr_t buf; 2006 caddr_t lim; 2007 u_int32_t spi, flags; 2008 u_int wsize, auth, enc; 2009{ 2010 struct sadb_sa *p; 2011 u_int len; 2012 2013 p = (struct sadb_sa *)buf; 2014 len = sizeof(struct sadb_sa); 2015 2016 if (buf + len > lim) 2017 return NULL; 2018 2019 memset(p, 0, len); 2020 p->sadb_sa_len = PFKEY_UNIT64(len); 2021 p->sadb_sa_exttype = SADB_EXT_SA; 2022 p->sadb_sa_spi = spi; 2023 p->sadb_sa_replay = wsize > UINT8_MAX ? UINT8_MAX: wsize; 2024 p->sadb_sa_state = SADB_SASTATE_LARVAL; 2025 p->sadb_sa_auth = auth; 2026 p->sadb_sa_encrypt = enc; 2027 p->sadb_sa_flags = flags; 2028 2029 return(buf + len); 2030} 2031 2032/* 2033 * Set data into sadb_x_sa_replay. 2034 * `buf' must has been allocated sufficiently. 2035 */ 2036static caddr_t 2037pfkey_setsadbxreplay(caddr_t buf, caddr_t lim, uint32_t wsize) 2038{ 2039 struct sadb_x_sa_replay *p; 2040 u_int len; 2041 2042 p = (struct sadb_x_sa_replay *)buf; 2043 len = sizeof(struct sadb_x_sa_replay); 2044 2045 if (buf + len > lim) 2046 return (NULL); 2047 2048 memset(p, 0, len); 2049 p->sadb_x_sa_replay_len = PFKEY_UNIT64(len); 2050 p->sadb_x_sa_replay_exttype = SADB_X_EXT_SA_REPLAY; 2051 /* Convert wsize from bytes to number of packets. */ 2052 p->sadb_x_sa_replay_replay = wsize << 3; 2053 2054 return (buf + len); 2055} 2056 2057/* 2058 * set data into sadb_address. 2059 * `buf' must has been allocated sufficiently. 2060 * prefixlen is in bits. 2061 */ 2062static caddr_t 2063pfkey_setsadbaddr(buf, lim, exttype, saddr, prefixlen, ul_proto) 2064 caddr_t buf; 2065 caddr_t lim; 2066 u_int exttype; 2067 struct sockaddr *saddr; 2068 u_int prefixlen; 2069 u_int ul_proto; 2070{ 2071 struct sadb_address *p; 2072 u_int len; 2073 2074 p = (struct sadb_address *)buf; 2075 len = sizeof(struct sadb_address) + PFKEY_ALIGN8(saddr->sa_len); 2076 2077 if (buf + len > lim) 2078 return NULL; 2079 2080 memset(p, 0, len); 2081 p->sadb_address_len = PFKEY_UNIT64(len); 2082 p->sadb_address_exttype = exttype & 0xffff; 2083 p->sadb_address_proto = ul_proto & 0xff; 2084 p->sadb_address_prefixlen = prefixlen; 2085 p->sadb_address_reserved = 0; 2086 2087 memcpy(p + 1, saddr, saddr->sa_len); 2088 2089 return(buf + len); 2090} 2091 2092/* 2093 * set sadb_key structure after clearing buffer with zero. 2094 * OUT: the pointer of buf + len. 2095 */ 2096static caddr_t 2097pfkey_setsadbkey(buf, lim, type, key, keylen) 2098 caddr_t buf; 2099 caddr_t lim; 2100 caddr_t key; 2101 u_int type, keylen; 2102{ 2103 struct sadb_key *p; 2104 u_int len; 2105 2106 p = (struct sadb_key *)buf; 2107 len = sizeof(struct sadb_key) + PFKEY_ALIGN8(keylen); 2108 2109 if (buf + len > lim) 2110 return NULL; 2111 2112 memset(p, 0, len); 2113 p->sadb_key_len = PFKEY_UNIT64(len); 2114 p->sadb_key_exttype = type; 2115 p->sadb_key_bits = keylen << 3; 2116 p->sadb_key_reserved = 0; 2117 2118 memcpy(p + 1, key, keylen); 2119 2120 return buf + len; 2121} 2122 2123/* 2124 * set sadb_lifetime structure after clearing buffer with zero. 2125 * OUT: the pointer of buf + len. 2126 */ 2127static caddr_t 2128pfkey_setsadblifetime(buf, lim, type, l_alloc, l_bytes, l_addtime, l_usetime) 2129 caddr_t buf; 2130 caddr_t lim; 2131 u_int type; 2132 u_int32_t l_alloc, l_bytes, l_addtime, l_usetime; 2133{ 2134 struct sadb_lifetime *p; 2135 u_int len; 2136 2137 p = (struct sadb_lifetime *)buf; 2138 len = sizeof(struct sadb_lifetime); 2139 2140 if (buf + len > lim) 2141 return NULL; 2142 2143 memset(p, 0, len); 2144 p->sadb_lifetime_len = PFKEY_UNIT64(len); 2145 p->sadb_lifetime_exttype = type; 2146 2147 switch (type) { 2148 case SADB_EXT_LIFETIME_SOFT: 2149 p->sadb_lifetime_allocations 2150 = (l_alloc * soft_lifetime_allocations_rate) /100; 2151 p->sadb_lifetime_bytes 2152 = (l_bytes * soft_lifetime_bytes_rate) /100; 2153 p->sadb_lifetime_addtime 2154 = (l_addtime * soft_lifetime_addtime_rate) /100; 2155 p->sadb_lifetime_usetime 2156 = (l_usetime * soft_lifetime_usetime_rate) /100; 2157 break; 2158 case SADB_EXT_LIFETIME_HARD: 2159 p->sadb_lifetime_allocations = l_alloc; 2160 p->sadb_lifetime_bytes = l_bytes; 2161 p->sadb_lifetime_addtime = l_addtime; 2162 p->sadb_lifetime_usetime = l_usetime; 2163 break; 2164 } 2165 2166 return buf + len; 2167} 2168 2169/* 2170 * copy secasvar data into sadb_address. 2171 * `buf' must has been allocated sufficiently. 2172 */ 2173static caddr_t 2174pfkey_setsadbxsa2(buf, lim, mode0, reqid) 2175 caddr_t buf; 2176 caddr_t lim; 2177 u_int32_t mode0; 2178 u_int32_t reqid; 2179{ 2180 struct sadb_x_sa2 *p; 2181 u_int8_t mode = mode0 & 0xff; 2182 u_int len; 2183 2184 p = (struct sadb_x_sa2 *)buf; 2185 len = sizeof(struct sadb_x_sa2); 2186 2187 if (buf + len > lim) 2188 return NULL; 2189 2190 memset(p, 0, len); 2191 p->sadb_x_sa2_len = PFKEY_UNIT64(len); 2192 p->sadb_x_sa2_exttype = SADB_X_EXT_SA2; 2193 p->sadb_x_sa2_mode = mode; 2194 p->sadb_x_sa2_reqid = reqid; 2195 2196 return(buf + len); 2197} 2198