1 /* $KAME: pfkey.c,v 1.46 2003/08/26 03:37:06 itojun Exp $ */ 2 3 /* 4 * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project. 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. Neither the name of the project nor the names of its contributors 16 * may be used to endorse or promote products derived from this software 17 * without specific prior written permission. 18 * 19 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29 * SUCH DAMAGE. 30 */ 31 32 #include <sys/cdefs.h> 33 __FBSDID("$FreeBSD$"); 34 35 #include <sys/types.h> 36 #include <sys/param.h> 37 #include <sys/socket.h> 38 #include <net/pfkeyv2.h> 39 #include <netipsec/key_var.h> 40 #include <netinet/in.h> 41 #include <netipsec/ipsec.h> 42 43 #include <stdlib.h> 44 #include <stdint.h> 45 #include <unistd.h> 46 #include <string.h> 47 #include <errno.h> 48 49 #include "ipsec_strerror.h" 50 #include "libpfkey.h" 51 52 #define CALLOC(size, cast) (cast)calloc(1, (size)) 53 54 static int findsupportedmap(int); 55 static int setsupportedmap(struct sadb_supported *); 56 static struct sadb_alg *findsupportedalg(u_int, u_int); 57 static int pfkey_send_x1(int, u_int, u_int, u_int, struct sockaddr *, 58 struct sockaddr *, u_int32_t, u_int32_t, u_int, caddr_t, 59 u_int, u_int, u_int, u_int, u_int, u_int32_t, u_int32_t, 60 u_int32_t, u_int32_t, u_int32_t); 61 static int pfkey_send_x2(int, u_int, u_int, u_int, 62 struct sockaddr *, struct sockaddr *, u_int32_t); 63 static int pfkey_send_x3(int, u_int, u_int); 64 static int pfkey_send_x4(int, u_int, struct sockaddr *, u_int, 65 struct sockaddr *, u_int, u_int, u_int64_t, u_int64_t, 66 char *, int, u_int32_t); 67 static int pfkey_send_x5(int, u_int, u_int32_t); 68 69 static caddr_t pfkey_setsadbmsg(caddr_t, caddr_t, u_int, u_int, 70 u_int, u_int32_t, pid_t); 71 static caddr_t pfkey_setsadbsa(caddr_t, caddr_t, u_int32_t, u_int, 72 u_int, u_int, u_int32_t); 73 static caddr_t pfkey_setsadbxreplay(caddr_t, caddr_t, uint32_t); 74 static caddr_t pfkey_setsadbaddr(caddr_t, caddr_t, u_int, 75 struct sockaddr *, u_int, u_int); 76 static caddr_t pfkey_setsadbkey(caddr_t, caddr_t, u_int, caddr_t, u_int); 77 static caddr_t pfkey_setsadblifetime(caddr_t, caddr_t, u_int, u_int32_t, 78 u_int32_t, u_int32_t, u_int32_t); 79 static caddr_t pfkey_setsadbxsa2(caddr_t, caddr_t, u_int32_t, u_int32_t); 80 81 /* 82 * make and search supported algorithm structure. 83 */ 84 static struct sadb_supported *ipsec_supported[] = { NULL, NULL, NULL, NULL }; 85 86 static int supported_map[] = { 87 SADB_SATYPE_AH, 88 SADB_SATYPE_ESP, 89 SADB_X_SATYPE_IPCOMP, 90 SADB_X_SATYPE_TCPSIGNATURE 91 }; 92 93 static int 94 findsupportedmap(satype) 95 int satype; 96 { 97 int i; 98 99 for (i = 0; i < sizeof(supported_map)/sizeof(supported_map[0]); i++) 100 if (supported_map[i] == satype) 101 return i; 102 return -1; 103 } 104 105 static struct sadb_alg * 106 findsupportedalg(satype, alg_id) 107 u_int satype, alg_id; 108 { 109 int algno; 110 int tlen; 111 caddr_t p; 112 113 /* validity check */ 114 algno = findsupportedmap(satype); 115 if (algno == -1) { 116 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 117 return NULL; 118 } 119 if (ipsec_supported[algno] == NULL) { 120 __ipsec_errcode = EIPSEC_DO_GET_SUPP_LIST; 121 return NULL; 122 } 123 124 tlen = ipsec_supported[algno]->sadb_supported_len 125 - sizeof(struct sadb_supported); 126 p = (caddr_t)(ipsec_supported[algno] + 1); 127 while (tlen > 0) { 128 if (tlen < sizeof(struct sadb_alg)) { 129 /* invalid format */ 130 break; 131 } 132 if (((struct sadb_alg *)p)->sadb_alg_id == alg_id) 133 return (struct sadb_alg *)p; 134 135 tlen -= sizeof(struct sadb_alg); 136 p += sizeof(struct sadb_alg); 137 } 138 139 __ipsec_errcode = EIPSEC_NOT_SUPPORTED; 140 return NULL; 141 } 142 143 static int 144 setsupportedmap(sup) 145 struct sadb_supported *sup; 146 { 147 struct sadb_supported **ipsup; 148 149 switch (sup->sadb_supported_exttype) { 150 case SADB_EXT_SUPPORTED_AUTH: 151 ipsup = &ipsec_supported[findsupportedmap(SADB_SATYPE_AH)]; 152 break; 153 case SADB_EXT_SUPPORTED_ENCRYPT: 154 ipsup = &ipsec_supported[findsupportedmap(SADB_SATYPE_ESP)]; 155 break; 156 default: 157 __ipsec_errcode = EIPSEC_INVAL_SATYPE; 158 return -1; 159 } 160 161 if (*ipsup) 162 free(*ipsup); 163 164 *ipsup = malloc(sup->sadb_supported_len); 165 if (!*ipsup) { 166 __ipsec_set_strerror(strerror(errno)); 167 return -1; 168 } 169 memcpy(*ipsup, sup, sup->sadb_supported_len); 170 171 return 0; 172 } 173 174 /* 175 * check key length against algorithm specified. 176 * This function is called with SADB_EXT_SUPPORTED_{AUTH,ENCRYPT} as the 177 * augument, and only calls to ipsec_check_keylen2(); 178 * keylen is the unit of bit. 179 * OUT: 180 * -1: invalid. 181 * 0: valid. 182 */ 183 int 184 ipsec_check_keylen(supported, alg_id, keylen) 185 u_int supported; 186 u_int alg_id; 187 u_int keylen; 188 { 189 int satype; 190 191 /* validity check */ 192 switch (supported) { 193 case SADB_EXT_SUPPORTED_AUTH: 194 satype = SADB_SATYPE_AH; 195 break; 196 case SADB_EXT_SUPPORTED_ENCRYPT: 197 satype = SADB_SATYPE_ESP; 198 break; 199 default: 200 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 201 return -1; 202 } 203 204 return ipsec_check_keylen2(satype, alg_id, keylen); 205 } 206 207 /* 208 * check key length against algorithm specified. 209 * satype is one of satype defined at pfkeyv2.h. 210 * keylen is the unit of bit. 211 * OUT: 212 * -1: invalid. 213 * 0: valid. 214 */ 215 int 216 ipsec_check_keylen2(satype, alg_id, keylen) 217 u_int satype; 218 u_int alg_id; 219 u_int keylen; 220 { 221 struct sadb_alg *alg; 222 223 alg = findsupportedalg(satype, alg_id); 224 if (!alg) 225 return -1; 226 227 if (keylen < alg->sadb_alg_minbits || keylen > alg->sadb_alg_maxbits) { 228 __ipsec_errcode = EIPSEC_INVAL_KEYLEN; 229 return -1; 230 } 231 232 __ipsec_errcode = EIPSEC_NO_ERROR; 233 return 0; 234 } 235 236 /* 237 * get max/min key length against algorithm specified. 238 * satype is one of satype defined at pfkeyv2.h. 239 * keylen is the unit of bit. 240 * OUT: 241 * -1: invalid. 242 * 0: valid. 243 */ 244 int 245 ipsec_get_keylen(supported, alg_id, alg0) 246 u_int supported, alg_id; 247 struct sadb_alg *alg0; 248 { 249 struct sadb_alg *alg; 250 u_int satype; 251 252 /* validity check */ 253 if (!alg0) { 254 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 255 return -1; 256 } 257 258 switch (supported) { 259 case SADB_EXT_SUPPORTED_AUTH: 260 satype = SADB_SATYPE_AH; 261 break; 262 case SADB_EXT_SUPPORTED_ENCRYPT: 263 satype = SADB_SATYPE_ESP; 264 break; 265 default: 266 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 267 return -1; 268 } 269 270 alg = findsupportedalg(satype, alg_id); 271 if (!alg) 272 return -1; 273 274 memcpy(alg0, alg, sizeof(*alg0)); 275 276 __ipsec_errcode = EIPSEC_NO_ERROR; 277 return 0; 278 } 279 280 /* 281 * set the rate for SOFT lifetime against HARD one. 282 * If rate is more than 100 or equal to zero, then set to 100. 283 */ 284 static u_int soft_lifetime_allocations_rate = PFKEY_SOFT_LIFETIME_RATE; 285 static u_int soft_lifetime_bytes_rate = PFKEY_SOFT_LIFETIME_RATE; 286 static u_int soft_lifetime_addtime_rate = PFKEY_SOFT_LIFETIME_RATE; 287 static u_int soft_lifetime_usetime_rate = PFKEY_SOFT_LIFETIME_RATE; 288 289 u_int 290 pfkey_set_softrate(type, rate) 291 u_int type, rate; 292 { 293 __ipsec_errcode = EIPSEC_NO_ERROR; 294 295 if (rate > 100 || rate == 0) 296 rate = 100; 297 298 switch (type) { 299 case SADB_X_LIFETIME_ALLOCATIONS: 300 soft_lifetime_allocations_rate = rate; 301 return 0; 302 case SADB_X_LIFETIME_BYTES: 303 soft_lifetime_bytes_rate = rate; 304 return 0; 305 case SADB_X_LIFETIME_ADDTIME: 306 soft_lifetime_addtime_rate = rate; 307 return 0; 308 case SADB_X_LIFETIME_USETIME: 309 soft_lifetime_usetime_rate = rate; 310 return 0; 311 } 312 313 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 314 return 1; 315 } 316 317 /* 318 * get current rate for SOFT lifetime against HARD one. 319 * ATTENTION: ~0 is returned if invalid type was passed. 320 */ 321 u_int 322 pfkey_get_softrate(type) 323 u_int type; 324 { 325 switch (type) { 326 case SADB_X_LIFETIME_ALLOCATIONS: 327 return soft_lifetime_allocations_rate; 328 case SADB_X_LIFETIME_BYTES: 329 return soft_lifetime_bytes_rate; 330 case SADB_X_LIFETIME_ADDTIME: 331 return soft_lifetime_addtime_rate; 332 case SADB_X_LIFETIME_USETIME: 333 return soft_lifetime_usetime_rate; 334 } 335 336 return ~0; 337 } 338 339 /* 340 * sending SADB_GETSPI message to the kernel. 341 * OUT: 342 * positive: success and return length sent. 343 * -1 : error occured, and set errno. 344 */ 345 int 346 pfkey_send_getspi(so, satype, mode, src, dst, min, max, reqid, seq) 347 int so; 348 u_int satype, mode; 349 struct sockaddr *src, *dst; 350 u_int32_t min, max, reqid, seq; 351 { 352 struct sadb_msg *newmsg; 353 caddr_t ep; 354 int len; 355 int need_spirange = 0; 356 caddr_t p; 357 int plen; 358 359 /* validity check */ 360 if (src == NULL || dst == NULL) { 361 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 362 return -1; 363 } 364 if (src->sa_family != dst->sa_family) { 365 __ipsec_errcode = EIPSEC_FAMILY_MISMATCH; 366 return -1; 367 } 368 if (min > max || (min > 0 && min <= 255)) { 369 __ipsec_errcode = EIPSEC_INVAL_SPI; 370 return -1; 371 } 372 switch (src->sa_family) { 373 case AF_INET: 374 plen = sizeof(struct in_addr) << 3; 375 break; 376 case AF_INET6: 377 plen = sizeof(struct in6_addr) << 3; 378 break; 379 default: 380 __ipsec_errcode = EIPSEC_INVAL_FAMILY; 381 return -1; 382 } 383 384 /* create new sadb_msg to send. */ 385 len = sizeof(struct sadb_msg) 386 + sizeof(struct sadb_x_sa2) 387 + sizeof(struct sadb_address) 388 + PFKEY_ALIGN8(src->sa_len) 389 + sizeof(struct sadb_address) 390 + PFKEY_ALIGN8(dst->sa_len); 391 392 if (min > 255 && max < ~0) { 393 need_spirange++; 394 len += sizeof(struct sadb_spirange); 395 } 396 397 if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) { 398 __ipsec_set_strerror(strerror(errno)); 399 return -1; 400 } 401 ep = ((caddr_t)newmsg) + len; 402 403 p = pfkey_setsadbmsg((caddr_t)newmsg, ep, SADB_GETSPI, 404 len, satype, seq, getpid()); 405 if (!p) { 406 free(newmsg); 407 return -1; 408 } 409 410 p = pfkey_setsadbxsa2(p, ep, mode, reqid); 411 if (!p) { 412 free(newmsg); 413 return -1; 414 } 415 416 /* set sadb_address for source */ 417 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, plen, 418 IPSEC_ULPROTO_ANY); 419 if (!p) { 420 free(newmsg); 421 return -1; 422 } 423 424 /* set sadb_address for destination */ 425 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, plen, 426 IPSEC_ULPROTO_ANY); 427 if (!p) { 428 free(newmsg); 429 return -1; 430 } 431 432 /* proccessing spi range */ 433 if (need_spirange) { 434 struct sadb_spirange spirange; 435 436 if (p + sizeof(spirange) > ep) { 437 free(newmsg); 438 return -1; 439 } 440 441 memset(&spirange, 0, sizeof(spirange)); 442 spirange.sadb_spirange_len = PFKEY_UNIT64(sizeof(spirange)); 443 spirange.sadb_spirange_exttype = SADB_EXT_SPIRANGE; 444 spirange.sadb_spirange_min = min; 445 spirange.sadb_spirange_max = max; 446 447 memcpy(p, &spirange, sizeof(spirange)); 448 449 p += sizeof(spirange); 450 } 451 if (p != ep) { 452 free(newmsg); 453 return -1; 454 } 455 456 /* send message */ 457 len = pfkey_send(so, newmsg, len); 458 free(newmsg); 459 460 if (len < 0) 461 return -1; 462 463 __ipsec_errcode = EIPSEC_NO_ERROR; 464 return len; 465 } 466 467 /* 468 * sending SADB_UPDATE message to the kernel. 469 * The length of key material is a_keylen + e_keylen. 470 * OUT: 471 * positive: success and return length sent. 472 * -1 : error occured, and set errno. 473 */ 474 int 475 pfkey_send_update(so, satype, mode, src, dst, spi, reqid, wsize, 476 keymat, e_type, e_keylen, a_type, a_keylen, flags, 477 l_alloc, l_bytes, l_addtime, l_usetime, seq) 478 int so; 479 u_int satype, mode, wsize; 480 struct sockaddr *src, *dst; 481 u_int32_t spi, reqid; 482 caddr_t keymat; 483 u_int e_type, e_keylen, a_type, a_keylen, flags; 484 u_int32_t l_alloc; 485 u_int64_t l_bytes, l_addtime, l_usetime; 486 u_int32_t seq; 487 { 488 int len; 489 if ((len = pfkey_send_x1(so, SADB_UPDATE, satype, mode, src, dst, spi, 490 reqid, wsize, 491 keymat, e_type, e_keylen, a_type, a_keylen, flags, 492 l_alloc, l_bytes, l_addtime, l_usetime, seq)) < 0) 493 return -1; 494 495 return len; 496 } 497 498 /* 499 * sending SADB_ADD message to the kernel. 500 * The length of key material is a_keylen + e_keylen. 501 * OUT: 502 * positive: success and return length sent. 503 * -1 : error occured, and set errno. 504 */ 505 int 506 pfkey_send_add(so, satype, mode, src, dst, spi, reqid, wsize, 507 keymat, e_type, e_keylen, a_type, a_keylen, flags, 508 l_alloc, l_bytes, l_addtime, l_usetime, seq) 509 int so; 510 u_int satype, mode, wsize; 511 struct sockaddr *src, *dst; 512 u_int32_t spi, reqid; 513 caddr_t keymat; 514 u_int e_type, e_keylen, a_type, a_keylen, flags; 515 u_int32_t l_alloc; 516 u_int64_t l_bytes, l_addtime, l_usetime; 517 u_int32_t seq; 518 { 519 int len; 520 if ((len = pfkey_send_x1(so, SADB_ADD, satype, mode, src, dst, spi, 521 reqid, wsize, 522 keymat, e_type, e_keylen, a_type, a_keylen, flags, 523 l_alloc, l_bytes, l_addtime, l_usetime, seq)) < 0) 524 return -1; 525 526 return len; 527 } 528 529 /* 530 * sending SADB_DELETE message to the kernel. 531 * OUT: 532 * positive: success and return length sent. 533 * -1 : error occured, and set errno. 534 */ 535 int 536 pfkey_send_delete(so, satype, mode, src, dst, spi) 537 int so; 538 u_int satype, mode; 539 struct sockaddr *src, *dst; 540 u_int32_t spi; 541 { 542 int len; 543 if ((len = pfkey_send_x2(so, SADB_DELETE, satype, mode, src, dst, spi)) < 0) 544 return -1; 545 546 return len; 547 } 548 549 /* 550 * sending SADB_DELETE without spi to the kernel. This is 551 * the "delete all" request (an extension also present in 552 * Solaris). 553 * 554 * OUT: 555 * positive: success and return length sent 556 * -1 : error occured, and set errno 557 */ 558 int 559 pfkey_send_delete_all(so, satype, mode, src, dst) 560 int so; 561 u_int satype, mode; 562 struct sockaddr *src, *dst; 563 { 564 struct sadb_msg *newmsg; 565 int len; 566 caddr_t p; 567 int plen; 568 caddr_t ep; 569 570 /* validity check */ 571 if (src == NULL || dst == NULL) { 572 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 573 return -1; 574 } 575 if (src->sa_family != dst->sa_family) { 576 __ipsec_errcode = EIPSEC_FAMILY_MISMATCH; 577 return -1; 578 } 579 switch (src->sa_family) { 580 case AF_INET: 581 plen = sizeof(struct in_addr) << 3; 582 break; 583 case AF_INET6: 584 plen = sizeof(struct in6_addr) << 3; 585 break; 586 default: 587 __ipsec_errcode = EIPSEC_INVAL_FAMILY; 588 return -1; 589 } 590 591 /* create new sadb_msg to reply. */ 592 len = sizeof(struct sadb_msg) 593 + sizeof(struct sadb_address) 594 + PFKEY_ALIGN8(src->sa_len) 595 + sizeof(struct sadb_address) 596 + PFKEY_ALIGN8(dst->sa_len); 597 598 if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) { 599 __ipsec_set_strerror(strerror(errno)); 600 return -1; 601 } 602 ep = ((caddr_t)newmsg) + len; 603 604 p = pfkey_setsadbmsg((caddr_t)newmsg, ep, SADB_DELETE, len, satype, 0, 605 getpid()); 606 if (!p) { 607 free(newmsg); 608 return -1; 609 } 610 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, plen, 611 IPSEC_ULPROTO_ANY); 612 if (!p) { 613 free(newmsg); 614 return -1; 615 } 616 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, plen, 617 IPSEC_ULPROTO_ANY); 618 if (!p || p != ep) { 619 free(newmsg); 620 return -1; 621 } 622 623 /* send message */ 624 len = pfkey_send(so, newmsg, len); 625 free(newmsg); 626 627 if (len < 0) 628 return -1; 629 630 __ipsec_errcode = EIPSEC_NO_ERROR; 631 return len; 632 } 633 634 /* 635 * sending SADB_GET message to the kernel. 636 * OUT: 637 * positive: success and return length sent. 638 * -1 : error occured, and set errno. 639 */ 640 int 641 pfkey_send_get(so, satype, mode, src, dst, spi) 642 int so; 643 u_int satype, mode; 644 struct sockaddr *src, *dst; 645 u_int32_t spi; 646 { 647 int len; 648 if ((len = pfkey_send_x2(so, SADB_GET, satype, mode, src, dst, spi)) < 0) 649 return -1; 650 651 return len; 652 } 653 654 /* 655 * sending SADB_REGISTER message to the kernel. 656 * OUT: 657 * positive: success and return length sent. 658 * -1 : error occured, and set errno. 659 */ 660 int 661 pfkey_send_register(so, satype) 662 int so; 663 u_int satype; 664 { 665 int len, algno; 666 667 if (satype == SADB_SATYPE_UNSPEC) { 668 for (algno = 0; 669 algno < sizeof(supported_map)/sizeof(supported_map[0]); 670 algno++) { 671 if (ipsec_supported[algno]) { 672 free(ipsec_supported[algno]); 673 ipsec_supported[algno] = NULL; 674 } 675 } 676 } else { 677 algno = findsupportedmap(satype); 678 if (algno == -1) { 679 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 680 return -1; 681 } 682 683 if (ipsec_supported[algno]) { 684 free(ipsec_supported[algno]); 685 ipsec_supported[algno] = NULL; 686 } 687 } 688 689 if ((len = pfkey_send_x3(so, SADB_REGISTER, satype)) < 0) 690 return -1; 691 692 return len; 693 } 694 695 /* 696 * receiving SADB_REGISTER message from the kernel, and copy buffer for 697 * sadb_supported returned into ipsec_supported. 698 * OUT: 699 * 0: success and return length sent. 700 * -1: error occured, and set errno. 701 */ 702 int 703 pfkey_recv_register(so) 704 int so; 705 { 706 pid_t pid = getpid(); 707 struct sadb_msg *newmsg; 708 int error = -1; 709 710 /* receive message */ 711 for (;;) { 712 if ((newmsg = pfkey_recv(so)) == NULL) 713 return -1; 714 if (newmsg->sadb_msg_type == SADB_REGISTER && 715 newmsg->sadb_msg_pid == pid) 716 break; 717 free(newmsg); 718 } 719 720 /* check and fix */ 721 newmsg->sadb_msg_len = PFKEY_UNUNIT64(newmsg->sadb_msg_len); 722 723 error = pfkey_set_supported(newmsg, newmsg->sadb_msg_len); 724 free(newmsg); 725 726 if (error == 0) 727 __ipsec_errcode = EIPSEC_NO_ERROR; 728 729 return error; 730 } 731 732 /* 733 * receiving SADB_REGISTER message from the kernel, and copy buffer for 734 * sadb_supported returned into ipsec_supported. 735 * NOTE: sadb_msg_len must be host order. 736 * IN: 737 * tlen: msg length, it's to makeing sure. 738 * OUT: 739 * 0: success and return length sent. 740 * -1: error occured, and set errno. 741 */ 742 int 743 pfkey_set_supported(msg, tlen) 744 struct sadb_msg *msg; 745 int tlen; 746 { 747 struct sadb_supported *sup; 748 caddr_t p; 749 caddr_t ep; 750 751 /* validity */ 752 if (msg->sadb_msg_len != tlen) { 753 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 754 return -1; 755 } 756 757 p = (caddr_t)msg; 758 ep = p + tlen; 759 760 p += sizeof(struct sadb_msg); 761 762 while (p < ep) { 763 sup = (struct sadb_supported *)p; 764 if (ep < p + sizeof(*sup) || 765 PFKEY_EXTLEN(sup) < sizeof(*sup) || 766 ep < p + sup->sadb_supported_len) { 767 /* invalid format */ 768 break; 769 } 770 771 switch (sup->sadb_supported_exttype) { 772 case SADB_EXT_SUPPORTED_AUTH: 773 case SADB_EXT_SUPPORTED_ENCRYPT: 774 break; 775 default: 776 __ipsec_errcode = EIPSEC_INVAL_SATYPE; 777 return -1; 778 } 779 780 /* fixed length */ 781 sup->sadb_supported_len = PFKEY_EXTLEN(sup); 782 783 /* set supported map */ 784 if (setsupportedmap(sup) != 0) 785 return -1; 786 787 p += sup->sadb_supported_len; 788 } 789 790 if (p != ep) { 791 __ipsec_errcode = EIPSEC_INVAL_SATYPE; 792 return -1; 793 } 794 795 __ipsec_errcode = EIPSEC_NO_ERROR; 796 797 return 0; 798 } 799 800 /* 801 * sending SADB_FLUSH message to the kernel. 802 * OUT: 803 * positive: success and return length sent. 804 * -1 : error occured, and set errno. 805 */ 806 int 807 pfkey_send_flush(so, satype) 808 int so; 809 u_int satype; 810 { 811 int len; 812 813 if ((len = pfkey_send_x3(so, SADB_FLUSH, satype)) < 0) 814 return -1; 815 816 return len; 817 } 818 819 /* 820 * sending SADB_DUMP message to the kernel. 821 * OUT: 822 * positive: success and return length sent. 823 * -1 : error occured, and set errno. 824 */ 825 int 826 pfkey_send_dump(so, satype) 827 int so; 828 u_int satype; 829 { 830 int len; 831 832 if ((len = pfkey_send_x3(so, SADB_DUMP, satype)) < 0) 833 return -1; 834 835 return len; 836 } 837 838 /* 839 * sending SADB_X_PROMISC message to the kernel. 840 * NOTE that this function handles promisc mode toggle only. 841 * IN: 842 * flag: set promisc off if zero, set promisc on if non-zero. 843 * OUT: 844 * positive: success and return length sent. 845 * -1 : error occured, and set errno. 846 * 0 : error occured, and set errno. 847 * others: a pointer to new allocated buffer in which supported 848 * algorithms is. 849 */ 850 int 851 pfkey_send_promisc_toggle(so, flag) 852 int so; 853 int flag; 854 { 855 int len; 856 857 if ((len = pfkey_send_x3(so, SADB_X_PROMISC, (flag ? 1 : 0))) < 0) 858 return -1; 859 860 return len; 861 } 862 863 /* 864 * sending SADB_X_SPDADD message to the kernel. 865 * OUT: 866 * positive: success and return length sent. 867 * -1 : error occured, and set errno. 868 */ 869 int 870 pfkey_send_spdadd(so, src, prefs, dst, prefd, proto, policy, policylen, seq) 871 int so; 872 struct sockaddr *src, *dst; 873 u_int prefs, prefd, proto; 874 caddr_t policy; 875 int policylen; 876 u_int32_t seq; 877 { 878 int len; 879 880 if ((len = pfkey_send_x4(so, SADB_X_SPDADD, 881 src, prefs, dst, prefd, proto, 882 0, 0, 883 policy, policylen, seq)) < 0) 884 return -1; 885 886 return len; 887 } 888 889 /* 890 * sending SADB_X_SPDADD message to the kernel. 891 * OUT: 892 * positive: success and return length sent. 893 * -1 : error occured, and set errno. 894 */ 895 int 896 pfkey_send_spdadd2(so, src, prefs, dst, prefd, proto, ltime, vtime, 897 policy, policylen, seq) 898 int so; 899 struct sockaddr *src, *dst; 900 u_int prefs, prefd, proto; 901 u_int64_t ltime, vtime; 902 caddr_t policy; 903 int policylen; 904 u_int32_t seq; 905 { 906 int len; 907 908 if ((len = pfkey_send_x4(so, SADB_X_SPDADD, 909 src, prefs, dst, prefd, proto, 910 ltime, vtime, 911 policy, policylen, seq)) < 0) 912 return -1; 913 914 return len; 915 } 916 917 /* 918 * sending SADB_X_SPDUPDATE message to the kernel. 919 * OUT: 920 * positive: success and return length sent. 921 * -1 : error occured, and set errno. 922 */ 923 int 924 pfkey_send_spdupdate(so, src, prefs, dst, prefd, proto, policy, policylen, seq) 925 int so; 926 struct sockaddr *src, *dst; 927 u_int prefs, prefd, proto; 928 caddr_t policy; 929 int policylen; 930 u_int32_t seq; 931 { 932 int len; 933 934 if ((len = pfkey_send_x4(so, SADB_X_SPDUPDATE, 935 src, prefs, dst, prefd, proto, 936 0, 0, 937 policy, policylen, seq)) < 0) 938 return -1; 939 940 return len; 941 } 942 943 /* 944 * sending SADB_X_SPDUPDATE message to the kernel. 945 * OUT: 946 * positive: success and return length sent. 947 * -1 : error occured, and set errno. 948 */ 949 int 950 pfkey_send_spdupdate2(so, src, prefs, dst, prefd, proto, ltime, vtime, 951 policy, policylen, seq) 952 int so; 953 struct sockaddr *src, *dst; 954 u_int prefs, prefd, proto; 955 u_int64_t ltime, vtime; 956 caddr_t policy; 957 int policylen; 958 u_int32_t seq; 959 { 960 int len; 961 962 if ((len = pfkey_send_x4(so, SADB_X_SPDUPDATE, 963 src, prefs, dst, prefd, proto, 964 ltime, vtime, 965 policy, policylen, seq)) < 0) 966 return -1; 967 968 return len; 969 } 970 971 /* 972 * sending SADB_X_SPDDELETE message to the kernel. 973 * OUT: 974 * positive: success and return length sent. 975 * -1 : error occured, and set errno. 976 */ 977 int 978 pfkey_send_spddelete(so, src, prefs, dst, prefd, proto, policy, policylen, seq) 979 int so; 980 struct sockaddr *src, *dst; 981 u_int prefs, prefd, proto; 982 caddr_t policy; 983 int policylen; 984 u_int32_t seq; 985 { 986 int len; 987 988 if (policylen != sizeof(struct sadb_x_policy)) { 989 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 990 return -1; 991 } 992 993 if ((len = pfkey_send_x4(so, SADB_X_SPDDELETE, 994 src, prefs, dst, prefd, proto, 995 0, 0, 996 policy, policylen, seq)) < 0) 997 return -1; 998 999 return len; 1000 } 1001 1002 /* 1003 * sending SADB_X_SPDDELETE message to the kernel. 1004 * OUT: 1005 * positive: success and return length sent. 1006 * -1 : error occured, and set errno. 1007 */ 1008 int 1009 pfkey_send_spddelete2(so, spid) 1010 int so; 1011 u_int32_t spid; 1012 { 1013 int len; 1014 1015 if ((len = pfkey_send_x5(so, SADB_X_SPDDELETE2, spid)) < 0) 1016 return -1; 1017 1018 return len; 1019 } 1020 1021 /* 1022 * sending SADB_X_SPDGET message to the kernel. 1023 * OUT: 1024 * positive: success and return length sent. 1025 * -1 : error occured, and set errno. 1026 */ 1027 int 1028 pfkey_send_spdget(so, spid) 1029 int so; 1030 u_int32_t spid; 1031 { 1032 int len; 1033 1034 if ((len = pfkey_send_x5(so, SADB_X_SPDGET, spid)) < 0) 1035 return -1; 1036 1037 return len; 1038 } 1039 1040 /* 1041 * sending SADB_X_SPDSETIDX message to the kernel. 1042 * OUT: 1043 * positive: success and return length sent. 1044 * -1 : error occured, and set errno. 1045 */ 1046 int 1047 pfkey_send_spdsetidx(so, src, prefs, dst, prefd, proto, policy, policylen, seq) 1048 int so; 1049 struct sockaddr *src, *dst; 1050 u_int prefs, prefd, proto; 1051 caddr_t policy; 1052 int policylen; 1053 u_int32_t seq; 1054 { 1055 int len; 1056 1057 if (policylen != sizeof(struct sadb_x_policy)) { 1058 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 1059 return -1; 1060 } 1061 1062 if ((len = pfkey_send_x4(so, SADB_X_SPDSETIDX, 1063 src, prefs, dst, prefd, proto, 1064 0, 0, 1065 policy, policylen, seq)) < 0) 1066 return -1; 1067 1068 return len; 1069 } 1070 1071 /* 1072 * sending SADB_SPDFLUSH message to the kernel. 1073 * OUT: 1074 * positive: success and return length sent. 1075 * -1 : error occured, and set errno. 1076 */ 1077 int 1078 pfkey_send_spdflush(so) 1079 int so; 1080 { 1081 int len; 1082 1083 if ((len = pfkey_send_x3(so, SADB_X_SPDFLUSH, SADB_SATYPE_UNSPEC)) < 0) 1084 return -1; 1085 1086 return len; 1087 } 1088 1089 /* 1090 * sending SADB_SPDDUMP message to the kernel. 1091 * OUT: 1092 * positive: success and return length sent. 1093 * -1 : error occured, and set errno. 1094 */ 1095 int 1096 pfkey_send_spddump(so) 1097 int so; 1098 { 1099 int len; 1100 1101 if ((len = pfkey_send_x3(so, SADB_X_SPDDUMP, SADB_SATYPE_UNSPEC)) < 0) 1102 return -1; 1103 1104 return len; 1105 } 1106 1107 /* sending SADB_ADD or SADB_UPDATE message to the kernel */ 1108 static int 1109 pfkey_send_x1(so, type, satype, mode, src, dst, spi, reqid, wsize, 1110 keymat, e_type, e_keylen, a_type, a_keylen, flags, 1111 l_alloc, l_bytes, l_addtime, l_usetime, seq) 1112 int so; 1113 u_int type, satype, mode; 1114 struct sockaddr *src, *dst; 1115 u_int32_t spi, reqid; 1116 u_int wsize; 1117 caddr_t keymat; 1118 u_int e_type, e_keylen, a_type, a_keylen, flags; 1119 u_int32_t l_alloc, l_bytes, l_addtime, l_usetime, seq; 1120 { 1121 struct sadb_msg *newmsg; 1122 int len; 1123 caddr_t p; 1124 int plen; 1125 caddr_t ep; 1126 1127 /* validity check */ 1128 if (src == NULL || dst == NULL) { 1129 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 1130 return -1; 1131 } 1132 if (src->sa_family != dst->sa_family) { 1133 __ipsec_errcode = EIPSEC_FAMILY_MISMATCH; 1134 return -1; 1135 } 1136 switch (src->sa_family) { 1137 case AF_INET: 1138 plen = sizeof(struct in_addr) << 3; 1139 break; 1140 case AF_INET6: 1141 plen = sizeof(struct in6_addr) << 3; 1142 break; 1143 default: 1144 __ipsec_errcode = EIPSEC_INVAL_FAMILY; 1145 return -1; 1146 } 1147 1148 switch (satype) { 1149 case SADB_SATYPE_ESP: 1150 if (e_type == SADB_EALG_NONE) { 1151 __ipsec_errcode = EIPSEC_NO_ALGS; 1152 return -1; 1153 } 1154 break; 1155 case SADB_SATYPE_AH: 1156 if (e_type != SADB_EALG_NONE) { 1157 __ipsec_errcode = EIPSEC_INVAL_ALGS; 1158 return -1; 1159 } 1160 if (a_type == SADB_AALG_NONE) { 1161 __ipsec_errcode = EIPSEC_NO_ALGS; 1162 return -1; 1163 } 1164 break; 1165 case SADB_X_SATYPE_IPCOMP: 1166 if (e_type == SADB_X_CALG_NONE) { 1167 __ipsec_errcode = EIPSEC_INVAL_ALGS; 1168 return -1; 1169 } 1170 if (a_type != SADB_AALG_NONE) { 1171 __ipsec_errcode = EIPSEC_NO_ALGS; 1172 return -1; 1173 } 1174 break; 1175 case SADB_X_SATYPE_TCPSIGNATURE: 1176 if (e_type != SADB_EALG_NONE) { 1177 __ipsec_errcode = EIPSEC_INVAL_ALGS; 1178 return -1; 1179 } 1180 if (a_type != SADB_X_AALG_TCP_MD5) { 1181 __ipsec_errcode = EIPSEC_INVAL_ALGS; 1182 return -1; 1183 } 1184 break; 1185 default: 1186 __ipsec_errcode = EIPSEC_INVAL_SATYPE; 1187 return -1; 1188 } 1189 1190 /* create new sadb_msg to reply. */ 1191 len = sizeof(struct sadb_msg) 1192 + sizeof(struct sadb_sa) 1193 + sizeof(struct sadb_x_sa2) 1194 + sizeof(struct sadb_address) 1195 + PFKEY_ALIGN8(src->sa_len) 1196 + sizeof(struct sadb_address) 1197 + PFKEY_ALIGN8(dst->sa_len) 1198 + sizeof(struct sadb_lifetime) 1199 + sizeof(struct sadb_lifetime); 1200 1201 if (wsize > UINT8_MAX) { 1202 if (wsize > (UINT32_MAX - 32) >> 3) { 1203 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 1204 return (-1); 1205 } 1206 len += sizeof(struct sadb_x_sa_replay); 1207 } 1208 if (e_type != SADB_EALG_NONE) 1209 len += (sizeof(struct sadb_key) + PFKEY_ALIGN8(e_keylen)); 1210 if (a_type != SADB_AALG_NONE) 1211 len += (sizeof(struct sadb_key) + PFKEY_ALIGN8(a_keylen)); 1212 1213 if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) { 1214 __ipsec_set_strerror(strerror(errno)); 1215 return -1; 1216 } 1217 ep = ((caddr_t)newmsg) + len; 1218 1219 p = pfkey_setsadbmsg((caddr_t)newmsg, ep, type, len, 1220 satype, seq, getpid()); 1221 if (!p) { 1222 free(newmsg); 1223 return -1; 1224 } 1225 p = pfkey_setsadbsa(p, ep, spi, wsize, a_type, e_type, flags); 1226 if (!p) { 1227 free(newmsg); 1228 return -1; 1229 } 1230 p = pfkey_setsadbxsa2(p, ep, mode, reqid); 1231 if (!p) { 1232 free(newmsg); 1233 return -1; 1234 } 1235 if (wsize > UINT8_MAX) { 1236 p = pfkey_setsadbxreplay(p, ep, wsize); 1237 if (!p) { 1238 free(newmsg); 1239 return (-1); 1240 } 1241 } 1242 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, plen, 1243 IPSEC_ULPROTO_ANY); 1244 if (!p) { 1245 free(newmsg); 1246 return -1; 1247 } 1248 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, plen, 1249 IPSEC_ULPROTO_ANY); 1250 if (!p) { 1251 free(newmsg); 1252 return -1; 1253 } 1254 1255 if (e_type != SADB_EALG_NONE) { 1256 p = pfkey_setsadbkey(p, ep, SADB_EXT_KEY_ENCRYPT, 1257 keymat, e_keylen); 1258 if (!p) { 1259 free(newmsg); 1260 return -1; 1261 } 1262 } 1263 if (a_type != SADB_AALG_NONE) { 1264 p = pfkey_setsadbkey(p, ep, SADB_EXT_KEY_AUTH, 1265 keymat + e_keylen, a_keylen); 1266 if (!p) { 1267 free(newmsg); 1268 return -1; 1269 } 1270 } 1271 1272 /* set sadb_lifetime for destination */ 1273 p = pfkey_setsadblifetime(p, ep, SADB_EXT_LIFETIME_HARD, 1274 l_alloc, l_bytes, l_addtime, l_usetime); 1275 if (!p) { 1276 free(newmsg); 1277 return -1; 1278 } 1279 p = pfkey_setsadblifetime(p, ep, SADB_EXT_LIFETIME_SOFT, 1280 l_alloc, l_bytes, l_addtime, l_usetime); 1281 if (!p || p != ep) { 1282 free(newmsg); 1283 return -1; 1284 } 1285 1286 /* send message */ 1287 len = pfkey_send(so, newmsg, len); 1288 free(newmsg); 1289 1290 if (len < 0) 1291 return -1; 1292 1293 __ipsec_errcode = EIPSEC_NO_ERROR; 1294 return len; 1295 } 1296 1297 /* sending SADB_DELETE or SADB_GET message to the kernel */ 1298 static int 1299 pfkey_send_x2(so, type, satype, mode, src, dst, spi) 1300 int so; 1301 u_int type, satype, mode; 1302 struct sockaddr *src, *dst; 1303 u_int32_t spi; 1304 { 1305 struct sadb_msg *newmsg; 1306 int len; 1307 caddr_t p; 1308 int plen; 1309 caddr_t ep; 1310 1311 /* validity check */ 1312 if (src == NULL || dst == NULL) { 1313 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 1314 return -1; 1315 } 1316 if (src->sa_family != dst->sa_family) { 1317 __ipsec_errcode = EIPSEC_FAMILY_MISMATCH; 1318 return -1; 1319 } 1320 switch (src->sa_family) { 1321 case AF_INET: 1322 plen = sizeof(struct in_addr) << 3; 1323 break; 1324 case AF_INET6: 1325 plen = sizeof(struct in6_addr) << 3; 1326 break; 1327 default: 1328 __ipsec_errcode = EIPSEC_INVAL_FAMILY; 1329 return -1; 1330 } 1331 1332 /* create new sadb_msg to reply. */ 1333 len = sizeof(struct sadb_msg) 1334 + sizeof(struct sadb_sa) 1335 + sizeof(struct sadb_address) 1336 + PFKEY_ALIGN8(src->sa_len) 1337 + sizeof(struct sadb_address) 1338 + PFKEY_ALIGN8(dst->sa_len); 1339 1340 if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) { 1341 __ipsec_set_strerror(strerror(errno)); 1342 return -1; 1343 } 1344 ep = ((caddr_t)newmsg) + len; 1345 1346 p = pfkey_setsadbmsg((caddr_t)newmsg, ep, type, len, satype, 0, 1347 getpid()); 1348 if (!p) { 1349 free(newmsg); 1350 return -1; 1351 } 1352 p = pfkey_setsadbsa(p, ep, spi, 0, 0, 0, 0); 1353 if (!p) { 1354 free(newmsg); 1355 return -1; 1356 } 1357 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, plen, 1358 IPSEC_ULPROTO_ANY); 1359 if (!p) { 1360 free(newmsg); 1361 return -1; 1362 } 1363 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, plen, 1364 IPSEC_ULPROTO_ANY); 1365 if (!p || p != ep) { 1366 free(newmsg); 1367 return -1; 1368 } 1369 1370 /* send message */ 1371 len = pfkey_send(so, newmsg, len); 1372 free(newmsg); 1373 1374 if (len < 0) 1375 return -1; 1376 1377 __ipsec_errcode = EIPSEC_NO_ERROR; 1378 return len; 1379 } 1380 1381 /* 1382 * sending SADB_REGISTER, SADB_FLUSH, SADB_DUMP or SADB_X_PROMISC message 1383 * to the kernel 1384 */ 1385 static int 1386 pfkey_send_x3(so, type, satype) 1387 int so; 1388 u_int type, satype; 1389 { 1390 struct sadb_msg *newmsg; 1391 int len; 1392 caddr_t p; 1393 caddr_t ep; 1394 1395 /* validity check */ 1396 switch (type) { 1397 case SADB_X_PROMISC: 1398 if (satype != 0 && satype != 1) { 1399 __ipsec_errcode = EIPSEC_INVAL_SATYPE; 1400 return -1; 1401 } 1402 break; 1403 default: 1404 switch (satype) { 1405 case SADB_SATYPE_UNSPEC: 1406 case SADB_SATYPE_AH: 1407 case SADB_SATYPE_ESP: 1408 case SADB_X_SATYPE_IPCOMP: 1409 case SADB_X_SATYPE_TCPSIGNATURE: 1410 break; 1411 default: 1412 __ipsec_errcode = EIPSEC_INVAL_SATYPE; 1413 return -1; 1414 } 1415 } 1416 1417 /* create new sadb_msg to send. */ 1418 len = sizeof(struct sadb_msg); 1419 1420 if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) { 1421 __ipsec_set_strerror(strerror(errno)); 1422 return -1; 1423 } 1424 ep = ((caddr_t)newmsg) + len; 1425 1426 p = pfkey_setsadbmsg((caddr_t)newmsg, ep, type, len, satype, 0, 1427 getpid()); 1428 if (!p || p != ep) { 1429 free(newmsg); 1430 return -1; 1431 } 1432 1433 /* send message */ 1434 len = pfkey_send(so, newmsg, len); 1435 free(newmsg); 1436 1437 if (len < 0) 1438 return -1; 1439 1440 __ipsec_errcode = EIPSEC_NO_ERROR; 1441 return len; 1442 } 1443 1444 /* sending SADB_X_SPDADD message to the kernel */ 1445 static int 1446 pfkey_send_x4(so, type, src, prefs, dst, prefd, proto, 1447 ltime, vtime, policy, policylen, seq) 1448 int so; 1449 struct sockaddr *src, *dst; 1450 u_int type, prefs, prefd, proto; 1451 u_int64_t ltime, vtime; 1452 char *policy; 1453 int policylen; 1454 u_int32_t seq; 1455 { 1456 struct sadb_msg *newmsg; 1457 int len; 1458 caddr_t p; 1459 int plen; 1460 caddr_t ep; 1461 1462 /* validity check */ 1463 if (src == NULL || dst == NULL) { 1464 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 1465 return -1; 1466 } 1467 if (src->sa_family != dst->sa_family) { 1468 __ipsec_errcode = EIPSEC_FAMILY_MISMATCH; 1469 return -1; 1470 } 1471 1472 switch (src->sa_family) { 1473 case AF_INET: 1474 plen = sizeof(struct in_addr) << 3; 1475 break; 1476 case AF_INET6: 1477 plen = sizeof(struct in6_addr) << 3; 1478 break; 1479 default: 1480 __ipsec_errcode = EIPSEC_INVAL_FAMILY; 1481 return -1; 1482 } 1483 if (prefs > plen || prefd > plen) { 1484 __ipsec_errcode = EIPSEC_INVAL_PREFIXLEN; 1485 return -1; 1486 } 1487 1488 /* create new sadb_msg to reply. */ 1489 len = sizeof(struct sadb_msg) 1490 + sizeof(struct sadb_address) 1491 + PFKEY_ALIGN8(src->sa_len) 1492 + sizeof(struct sadb_address) 1493 + PFKEY_ALIGN8(src->sa_len) 1494 + sizeof(struct sadb_lifetime) 1495 + policylen; 1496 1497 if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) { 1498 __ipsec_set_strerror(strerror(errno)); 1499 return -1; 1500 } 1501 ep = ((caddr_t)newmsg) + len; 1502 1503 p = pfkey_setsadbmsg((caddr_t)newmsg, ep, type, len, 1504 SADB_SATYPE_UNSPEC, seq, getpid()); 1505 if (!p) { 1506 free(newmsg); 1507 return -1; 1508 } 1509 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, prefs, proto); 1510 if (!p) { 1511 free(newmsg); 1512 return -1; 1513 } 1514 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, prefd, proto); 1515 if (!p) { 1516 free(newmsg); 1517 return -1; 1518 } 1519 p = pfkey_setsadblifetime(p, ep, SADB_EXT_LIFETIME_HARD, 1520 0, 0, ltime, vtime); 1521 if (!p || p + policylen != ep) { 1522 free(newmsg); 1523 return -1; 1524 } 1525 memcpy(p, policy, policylen); 1526 1527 /* send message */ 1528 len = pfkey_send(so, newmsg, len); 1529 free(newmsg); 1530 1531 if (len < 0) 1532 return -1; 1533 1534 __ipsec_errcode = EIPSEC_NO_ERROR; 1535 return len; 1536 } 1537 1538 /* sending SADB_X_SPDGET or SADB_X_SPDDELETE message to the kernel */ 1539 static int 1540 pfkey_send_x5(so, type, spid) 1541 int so; 1542 u_int type; 1543 u_int32_t spid; 1544 { 1545 struct sadb_msg *newmsg; 1546 struct sadb_x_policy xpl; 1547 int len; 1548 caddr_t p; 1549 caddr_t ep; 1550 1551 /* create new sadb_msg to reply. */ 1552 len = sizeof(struct sadb_msg) 1553 + sizeof(xpl); 1554 1555 if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) { 1556 __ipsec_set_strerror(strerror(errno)); 1557 return -1; 1558 } 1559 ep = ((caddr_t)newmsg) + len; 1560 1561 p = pfkey_setsadbmsg((caddr_t)newmsg, ep, type, len, 1562 SADB_SATYPE_UNSPEC, 0, getpid()); 1563 if (!p) { 1564 free(newmsg); 1565 return -1; 1566 } 1567 1568 if (p + sizeof(xpl) != ep) { 1569 free(newmsg); 1570 return -1; 1571 } 1572 memset(&xpl, 0, sizeof(xpl)); 1573 xpl.sadb_x_policy_len = PFKEY_UNIT64(sizeof(xpl)); 1574 xpl.sadb_x_policy_exttype = SADB_X_EXT_POLICY; 1575 xpl.sadb_x_policy_id = spid; 1576 memcpy(p, &xpl, sizeof(xpl)); 1577 1578 /* send message */ 1579 len = pfkey_send(so, newmsg, len); 1580 free(newmsg); 1581 1582 if (len < 0) 1583 return -1; 1584 1585 __ipsec_errcode = EIPSEC_NO_ERROR; 1586 return len; 1587 } 1588 1589 /* 1590 * open a socket. 1591 * OUT: 1592 * -1: fail. 1593 * others : success and return value of socket. 1594 */ 1595 int 1596 pfkey_open() 1597 { 1598 int so; 1599 const int bufsiz = 128 * 1024; /*is 128K enough?*/ 1600 1601 if ((so = socket(PF_KEY, SOCK_RAW, PF_KEY_V2)) < 0) { 1602 __ipsec_set_strerror(strerror(errno)); 1603 return -1; 1604 } 1605 1606 /* 1607 * This is a temporary workaround for KAME PR 154. 1608 * Don't really care even if it fails. 1609 */ 1610 (void)setsockopt(so, SOL_SOCKET, SO_SNDBUF, &bufsiz, sizeof(bufsiz)); 1611 (void)setsockopt(so, SOL_SOCKET, SO_RCVBUF, &bufsiz, sizeof(bufsiz)); 1612 1613 __ipsec_errcode = EIPSEC_NO_ERROR; 1614 return so; 1615 } 1616 1617 /* 1618 * close a socket. 1619 * OUT: 1620 * 0: success. 1621 * -1: fail. 1622 */ 1623 void 1624 pfkey_close(so) 1625 int so; 1626 { 1627 (void)close(so); 1628 1629 __ipsec_errcode = EIPSEC_NO_ERROR; 1630 return; 1631 } 1632 1633 /* 1634 * receive sadb_msg data, and return pointer to new buffer allocated. 1635 * Must free this buffer later. 1636 * OUT: 1637 * NULL : error occured. 1638 * others : a pointer to sadb_msg structure. 1639 * 1640 * XXX should be rewritten to pass length explicitly 1641 */ 1642 struct sadb_msg * 1643 pfkey_recv(so) 1644 int so; 1645 { 1646 struct sadb_msg buf, *newmsg; 1647 int len, reallen; 1648 1649 while ((len = recv(so, (caddr_t)&buf, sizeof(buf), MSG_PEEK)) < 0) { 1650 if (errno == EINTR) 1651 continue; 1652 __ipsec_set_strerror(strerror(errno)); 1653 return NULL; 1654 } 1655 1656 if (len < sizeof(buf)) { 1657 recv(so, (caddr_t)&buf, sizeof(buf), 0); 1658 __ipsec_errcode = EIPSEC_MAX; 1659 return NULL; 1660 } 1661 1662 /* read real message */ 1663 reallen = PFKEY_UNUNIT64(buf.sadb_msg_len); 1664 if ((newmsg = CALLOC(reallen, struct sadb_msg *)) == NULL) { 1665 __ipsec_set_strerror(strerror(errno)); 1666 return NULL; 1667 } 1668 1669 while ((len = recv(so, (caddr_t)newmsg, reallen, 0)) < 0) { 1670 if (errno == EINTR) 1671 continue; 1672 __ipsec_set_strerror(strerror(errno)); 1673 free(newmsg); 1674 return NULL; 1675 } 1676 1677 if (len != reallen) { 1678 __ipsec_errcode = EIPSEC_SYSTEM_ERROR; 1679 free(newmsg); 1680 return NULL; 1681 } 1682 1683 /* don't trust what the kernel says, validate! */ 1684 if (PFKEY_UNUNIT64(newmsg->sadb_msg_len) != len) { 1685 __ipsec_errcode = EIPSEC_SYSTEM_ERROR; 1686 free(newmsg); 1687 return NULL; 1688 } 1689 1690 __ipsec_errcode = EIPSEC_NO_ERROR; 1691 return newmsg; 1692 } 1693 1694 /* 1695 * send message to a socket. 1696 * OUT: 1697 * others: success and return length sent. 1698 * -1 : fail. 1699 */ 1700 int 1701 pfkey_send(so, msg, len) 1702 int so; 1703 struct sadb_msg *msg; 1704 int len; 1705 { 1706 if ((len = send(so, (caddr_t)msg, len, 0)) < 0) { 1707 __ipsec_set_strerror(strerror(errno)); 1708 return -1; 1709 } 1710 1711 __ipsec_errcode = EIPSEC_NO_ERROR; 1712 return len; 1713 } 1714 1715 /* 1716 * %%% Utilities 1717 * NOTE: These functions are derived from netkey/key.c in KAME. 1718 */ 1719 /* 1720 * set the pointer to each header in this message buffer. 1721 * IN: msg: pointer to message buffer. 1722 * mhp: pointer to the buffer initialized like below: 1723 * caddr_t mhp[SADB_EXT_MAX + 1]; 1724 * OUT: -1: invalid. 1725 * 0: valid. 1726 * 1727 * XXX should be rewritten to obtain length explicitly 1728 */ 1729 int 1730 pfkey_align(msg, mhp) 1731 struct sadb_msg *msg; 1732 caddr_t *mhp; 1733 { 1734 struct sadb_ext *ext; 1735 int i; 1736 caddr_t p; 1737 caddr_t ep; /* XXX should be passed from upper layer */ 1738 1739 /* validity check */ 1740 if (msg == NULL || mhp == NULL) { 1741 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 1742 return -1; 1743 } 1744 1745 /* initialize */ 1746 for (i = 0; i < SADB_EXT_MAX + 1; i++) 1747 mhp[i] = NULL; 1748 1749 mhp[0] = (caddr_t)msg; 1750 1751 /* initialize */ 1752 p = (caddr_t) msg; 1753 ep = p + PFKEY_UNUNIT64(msg->sadb_msg_len); 1754 1755 /* skip base header */ 1756 p += sizeof(struct sadb_msg); 1757 1758 while (p < ep) { 1759 ext = (struct sadb_ext *)p; 1760 if (ep < p + sizeof(*ext) || PFKEY_EXTLEN(ext) < sizeof(*ext) || 1761 ep < p + PFKEY_EXTLEN(ext)) { 1762 /* invalid format */ 1763 break; 1764 } 1765 1766 /* duplicate check */ 1767 /* XXX Are there duplication either KEY_AUTH or KEY_ENCRYPT ?*/ 1768 if (mhp[ext->sadb_ext_type] != NULL) { 1769 __ipsec_errcode = EIPSEC_INVAL_EXTTYPE; 1770 return -1; 1771 } 1772 1773 /* set pointer */ 1774 switch (ext->sadb_ext_type) { 1775 case SADB_EXT_SA: 1776 case SADB_EXT_LIFETIME_CURRENT: 1777 case SADB_EXT_LIFETIME_HARD: 1778 case SADB_EXT_LIFETIME_SOFT: 1779 case SADB_EXT_ADDRESS_SRC: 1780 case SADB_EXT_ADDRESS_DST: 1781 case SADB_EXT_ADDRESS_PROXY: 1782 case SADB_EXT_KEY_AUTH: 1783 /* XXX should to be check weak keys. */ 1784 case SADB_EXT_KEY_ENCRYPT: 1785 /* XXX should to be check weak keys. */ 1786 case SADB_EXT_IDENTITY_SRC: 1787 case SADB_EXT_IDENTITY_DST: 1788 case SADB_EXT_SENSITIVITY: 1789 case SADB_EXT_PROPOSAL: 1790 case SADB_EXT_SUPPORTED_AUTH: 1791 case SADB_EXT_SUPPORTED_ENCRYPT: 1792 case SADB_EXT_SPIRANGE: 1793 case SADB_X_EXT_POLICY: 1794 case SADB_X_EXT_SA2: 1795 case SADB_X_EXT_NAT_T_TYPE: 1796 case SADB_X_EXT_NAT_T_SPORT: 1797 case SADB_X_EXT_NAT_T_DPORT: 1798 case SADB_X_EXT_NAT_T_OAI: 1799 case SADB_X_EXT_NAT_T_OAR: 1800 case SADB_X_EXT_NAT_T_FRAG: 1801 case SADB_X_EXT_SA_REPLAY: 1802 case SADB_X_EXT_NEW_ADDRESS_SRC: 1803 case SADB_X_EXT_NEW_ADDRESS_DST: 1804 mhp[ext->sadb_ext_type] = (caddr_t)ext; 1805 break; 1806 default: 1807 __ipsec_errcode = EIPSEC_INVAL_EXTTYPE; 1808 return -1; 1809 } 1810 1811 p += PFKEY_EXTLEN(ext); 1812 } 1813 1814 if (p != ep) { 1815 __ipsec_errcode = EIPSEC_INVAL_SADBMSG; 1816 return -1; 1817 } 1818 1819 __ipsec_errcode = EIPSEC_NO_ERROR; 1820 return 0; 1821 } 1822 1823 /* 1824 * check basic usage for sadb_msg, 1825 * NOTE: This routine is derived from netkey/key.c in KAME. 1826 * IN: msg: pointer to message buffer. 1827 * mhp: pointer to the buffer initialized like below: 1828 * 1829 * caddr_t mhp[SADB_EXT_MAX + 1]; 1830 * 1831 * OUT: -1: invalid. 1832 * 0: valid. 1833 */ 1834 int 1835 pfkey_check(mhp) 1836 caddr_t *mhp; 1837 { 1838 struct sadb_msg *msg; 1839 1840 /* validity check */ 1841 if (mhp == NULL || mhp[0] == NULL) { 1842 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 1843 return -1; 1844 } 1845 1846 msg = (struct sadb_msg *)mhp[0]; 1847 1848 /* check version */ 1849 if (msg->sadb_msg_version != PF_KEY_V2) { 1850 __ipsec_errcode = EIPSEC_INVAL_VERSION; 1851 return -1; 1852 } 1853 1854 /* check type */ 1855 if (msg->sadb_msg_type > SADB_MAX) { 1856 __ipsec_errcode = EIPSEC_INVAL_MSGTYPE; 1857 return -1; 1858 } 1859 1860 /* check SA type */ 1861 switch (msg->sadb_msg_satype) { 1862 case SADB_SATYPE_UNSPEC: 1863 switch (msg->sadb_msg_type) { 1864 case SADB_GETSPI: 1865 case SADB_UPDATE: 1866 case SADB_ADD: 1867 case SADB_DELETE: 1868 case SADB_GET: 1869 case SADB_ACQUIRE: 1870 case SADB_EXPIRE: 1871 __ipsec_errcode = EIPSEC_INVAL_SATYPE; 1872 return -1; 1873 } 1874 break; 1875 case SADB_SATYPE_ESP: 1876 case SADB_SATYPE_AH: 1877 case SADB_X_SATYPE_IPCOMP: 1878 case SADB_X_SATYPE_TCPSIGNATURE: 1879 switch (msg->sadb_msg_type) { 1880 case SADB_X_SPDADD: 1881 case SADB_X_SPDDELETE: 1882 case SADB_X_SPDGET: 1883 case SADB_X_SPDDUMP: 1884 case SADB_X_SPDFLUSH: 1885 __ipsec_errcode = EIPSEC_INVAL_SATYPE; 1886 return -1; 1887 } 1888 break; 1889 case SADB_SATYPE_RSVP: 1890 case SADB_SATYPE_OSPFV2: 1891 case SADB_SATYPE_RIPV2: 1892 case SADB_SATYPE_MIP: 1893 __ipsec_errcode = EIPSEC_NOT_SUPPORTED; 1894 return -1; 1895 case 1: /* XXX: What does it do ? */ 1896 if (msg->sadb_msg_type == SADB_X_PROMISC) 1897 break; 1898 /*FALLTHROUGH*/ 1899 default: 1900 __ipsec_errcode = EIPSEC_INVAL_SATYPE; 1901 return -1; 1902 } 1903 1904 /* check field of upper layer protocol and address family */ 1905 if (mhp[SADB_EXT_ADDRESS_SRC] != NULL 1906 && mhp[SADB_EXT_ADDRESS_DST] != NULL) { 1907 struct sadb_address *src0, *dst0; 1908 1909 src0 = (struct sadb_address *)(mhp[SADB_EXT_ADDRESS_SRC]); 1910 dst0 = (struct sadb_address *)(mhp[SADB_EXT_ADDRESS_DST]); 1911 1912 if (src0->sadb_address_proto != dst0->sadb_address_proto) { 1913 __ipsec_errcode = EIPSEC_PROTO_MISMATCH; 1914 return -1; 1915 } 1916 1917 if (PFKEY_ADDR_SADDR(src0)->sa_family 1918 != PFKEY_ADDR_SADDR(dst0)->sa_family) { 1919 __ipsec_errcode = EIPSEC_FAMILY_MISMATCH; 1920 return -1; 1921 } 1922 1923 switch (PFKEY_ADDR_SADDR(src0)->sa_family) { 1924 case AF_INET: 1925 case AF_INET6: 1926 break; 1927 default: 1928 __ipsec_errcode = EIPSEC_INVAL_FAMILY; 1929 return -1; 1930 } 1931 1932 /* 1933 * prefixlen == 0 is valid because there must be the case 1934 * all addresses are matched. 1935 */ 1936 } 1937 1938 __ipsec_errcode = EIPSEC_NO_ERROR; 1939 return 0; 1940 } 1941 1942 /* 1943 * set data into sadb_msg. 1944 * `buf' must has been allocated sufficiently. 1945 */ 1946 static caddr_t 1947 pfkey_setsadbmsg(buf, lim, type, tlen, satype, seq, pid) 1948 caddr_t buf; 1949 caddr_t lim; 1950 u_int type, satype; 1951 u_int tlen; 1952 u_int32_t seq; 1953 pid_t pid; 1954 { 1955 struct sadb_msg *p; 1956 u_int len; 1957 1958 p = (struct sadb_msg *)buf; 1959 len = sizeof(struct sadb_msg); 1960 1961 if (buf + len > lim) 1962 return NULL; 1963 1964 memset(p, 0, len); 1965 p->sadb_msg_version = PF_KEY_V2; 1966 p->sadb_msg_type = type; 1967 p->sadb_msg_errno = 0; 1968 p->sadb_msg_satype = satype; 1969 p->sadb_msg_len = PFKEY_UNIT64(tlen); 1970 p->sadb_msg_reserved = 0; 1971 p->sadb_msg_seq = seq; 1972 p->sadb_msg_pid = (u_int32_t)pid; 1973 1974 return(buf + len); 1975 } 1976 1977 /* 1978 * copy secasvar data into sadb_address. 1979 * `buf' must has been allocated sufficiently. 1980 */ 1981 static caddr_t 1982 pfkey_setsadbsa(buf, lim, spi, wsize, auth, enc, flags) 1983 caddr_t buf; 1984 caddr_t lim; 1985 u_int32_t spi, flags; 1986 u_int wsize, auth, enc; 1987 { 1988 struct sadb_sa *p; 1989 u_int len; 1990 1991 p = (struct sadb_sa *)buf; 1992 len = sizeof(struct sadb_sa); 1993 1994 if (buf + len > lim) 1995 return NULL; 1996 1997 memset(p, 0, len); 1998 p->sadb_sa_len = PFKEY_UNIT64(len); 1999 p->sadb_sa_exttype = SADB_EXT_SA; 2000 p->sadb_sa_spi = spi; 2001 p->sadb_sa_replay = wsize > UINT8_MAX ? UINT8_MAX: wsize; 2002 p->sadb_sa_state = SADB_SASTATE_LARVAL; 2003 p->sadb_sa_auth = auth; 2004 p->sadb_sa_encrypt = enc; 2005 p->sadb_sa_flags = flags; 2006 2007 return(buf + len); 2008 } 2009 2010 /* 2011 * Set data into sadb_x_sa_replay. 2012 * `buf' must has been allocated sufficiently. 2013 */ 2014 static caddr_t 2015 pfkey_setsadbxreplay(caddr_t buf, caddr_t lim, uint32_t wsize) 2016 { 2017 struct sadb_x_sa_replay *p; 2018 u_int len; 2019 2020 p = (struct sadb_x_sa_replay *)buf; 2021 len = sizeof(struct sadb_x_sa_replay); 2022 2023 if (buf + len > lim) 2024 return (NULL); 2025 2026 memset(p, 0, len); 2027 p->sadb_x_sa_replay_len = PFKEY_UNIT64(len); 2028 p->sadb_x_sa_replay_exttype = SADB_X_EXT_SA_REPLAY; 2029 /* Convert wsize from bytes to number of packets. */ 2030 p->sadb_x_sa_replay_replay = wsize << 3; 2031 2032 return (buf + len); 2033 } 2034 2035 /* 2036 * set data into sadb_address. 2037 * `buf' must has been allocated sufficiently. 2038 * prefixlen is in bits. 2039 */ 2040 static caddr_t 2041 pfkey_setsadbaddr(buf, lim, exttype, saddr, prefixlen, ul_proto) 2042 caddr_t buf; 2043 caddr_t lim; 2044 u_int exttype; 2045 struct sockaddr *saddr; 2046 u_int prefixlen; 2047 u_int ul_proto; 2048 { 2049 struct sadb_address *p; 2050 u_int len; 2051 2052 p = (struct sadb_address *)buf; 2053 len = sizeof(struct sadb_address) + PFKEY_ALIGN8(saddr->sa_len); 2054 2055 if (buf + len > lim) 2056 return NULL; 2057 2058 memset(p, 0, len); 2059 p->sadb_address_len = PFKEY_UNIT64(len); 2060 p->sadb_address_exttype = exttype & 0xffff; 2061 p->sadb_address_proto = ul_proto & 0xff; 2062 p->sadb_address_prefixlen = prefixlen; 2063 p->sadb_address_reserved = 0; 2064 2065 memcpy(p + 1, saddr, saddr->sa_len); 2066 2067 return(buf + len); 2068 } 2069 2070 /* 2071 * set sadb_key structure after clearing buffer with zero. 2072 * OUT: the pointer of buf + len. 2073 */ 2074 static caddr_t 2075 pfkey_setsadbkey(buf, lim, type, key, keylen) 2076 caddr_t buf; 2077 caddr_t lim; 2078 caddr_t key; 2079 u_int type, keylen; 2080 { 2081 struct sadb_key *p; 2082 u_int len; 2083 2084 p = (struct sadb_key *)buf; 2085 len = sizeof(struct sadb_key) + PFKEY_ALIGN8(keylen); 2086 2087 if (buf + len > lim) 2088 return NULL; 2089 2090 memset(p, 0, len); 2091 p->sadb_key_len = PFKEY_UNIT64(len); 2092 p->sadb_key_exttype = type; 2093 p->sadb_key_bits = keylen << 3; 2094 p->sadb_key_reserved = 0; 2095 2096 memcpy(p + 1, key, keylen); 2097 2098 return buf + len; 2099 } 2100 2101 /* 2102 * set sadb_lifetime structure after clearing buffer with zero. 2103 * OUT: the pointer of buf + len. 2104 */ 2105 static caddr_t 2106 pfkey_setsadblifetime(buf, lim, type, l_alloc, l_bytes, l_addtime, l_usetime) 2107 caddr_t buf; 2108 caddr_t lim; 2109 u_int type; 2110 u_int32_t l_alloc, l_bytes, l_addtime, l_usetime; 2111 { 2112 struct sadb_lifetime *p; 2113 u_int len; 2114 2115 p = (struct sadb_lifetime *)buf; 2116 len = sizeof(struct sadb_lifetime); 2117 2118 if (buf + len > lim) 2119 return NULL; 2120 2121 memset(p, 0, len); 2122 p->sadb_lifetime_len = PFKEY_UNIT64(len); 2123 p->sadb_lifetime_exttype = type; 2124 2125 switch (type) { 2126 case SADB_EXT_LIFETIME_SOFT: 2127 p->sadb_lifetime_allocations 2128 = (l_alloc * soft_lifetime_allocations_rate) /100; 2129 p->sadb_lifetime_bytes 2130 = (l_bytes * soft_lifetime_bytes_rate) /100; 2131 p->sadb_lifetime_addtime 2132 = (l_addtime * soft_lifetime_addtime_rate) /100; 2133 p->sadb_lifetime_usetime 2134 = (l_usetime * soft_lifetime_usetime_rate) /100; 2135 break; 2136 case SADB_EXT_LIFETIME_HARD: 2137 p->sadb_lifetime_allocations = l_alloc; 2138 p->sadb_lifetime_bytes = l_bytes; 2139 p->sadb_lifetime_addtime = l_addtime; 2140 p->sadb_lifetime_usetime = l_usetime; 2141 break; 2142 } 2143 2144 return buf + len; 2145 } 2146 2147 /* 2148 * copy secasvar data into sadb_address. 2149 * `buf' must has been allocated sufficiently. 2150 */ 2151 static caddr_t 2152 pfkey_setsadbxsa2(buf, lim, mode0, reqid) 2153 caddr_t buf; 2154 caddr_t lim; 2155 u_int32_t mode0; 2156 u_int32_t reqid; 2157 { 2158 struct sadb_x_sa2 *p; 2159 u_int8_t mode = mode0 & 0xff; 2160 u_int len; 2161 2162 p = (struct sadb_x_sa2 *)buf; 2163 len = sizeof(struct sadb_x_sa2); 2164 2165 if (buf + len > lim) 2166 return NULL; 2167 2168 memset(p, 0, len); 2169 p->sadb_x_sa2_len = PFKEY_UNIT64(len); 2170 p->sadb_x_sa2_exttype = SADB_X_EXT_SA2; 2171 p->sadb_x_sa2_mode = mode; 2172 p->sadb_x_sa2_reqid = reqid; 2173 2174 return(buf + len); 2175 } 2176