1 /* $KAME: pfkey.c,v 1.46 2003/08/26 03:37:06 itojun Exp $ */ 2 3 /*- 4 * SPDX-License-Identifier: BSD-3-Clause 5 * 6 * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project. 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. Neither the name of the project nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34 #include <sys/cdefs.h> 35 __FBSDID("$FreeBSD$"); 36 37 #include <sys/types.h> 38 #include <sys/param.h> 39 #include <sys/socket.h> 40 #include <net/pfkeyv2.h> 41 #include <netipsec/key_var.h> 42 #include <netinet/in.h> 43 #include <netipsec/ipsec.h> 44 45 #include <stdlib.h> 46 #include <stdint.h> 47 #include <unistd.h> 48 #include <string.h> 49 #include <errno.h> 50 51 #include "ipsec_strerror.h" 52 #include "libpfkey.h" 53 54 #define CALLOC(size, cast) (cast)calloc(1, (size)) 55 56 static int findsupportedmap(int); 57 static int setsupportedmap(struct sadb_supported *); 58 static struct sadb_alg *findsupportedalg(u_int, u_int); 59 static int pfkey_send_x1(int, u_int, u_int, u_int, struct sockaddr *, 60 struct sockaddr *, u_int32_t, u_int32_t, u_int, caddr_t, 61 u_int, u_int, u_int, u_int, u_int, u_int32_t, u_int32_t, 62 u_int32_t, u_int32_t, u_int32_t); 63 static int pfkey_send_x2(int, u_int, u_int, u_int, 64 struct sockaddr *, struct sockaddr *, u_int32_t); 65 static int pfkey_send_x3(int, u_int, u_int); 66 static int pfkey_send_x4(int, u_int, struct sockaddr *, u_int, 67 struct sockaddr *, u_int, u_int, u_int64_t, u_int64_t, 68 char *, int, u_int32_t); 69 static int pfkey_send_x5(int, u_int, u_int32_t); 70 71 static caddr_t pfkey_setsadbmsg(caddr_t, caddr_t, u_int, u_int, 72 u_int, u_int32_t, pid_t); 73 static caddr_t pfkey_setsadbsa(caddr_t, caddr_t, u_int32_t, u_int, 74 u_int, u_int, u_int32_t); 75 static caddr_t pfkey_setsadbxreplay(caddr_t, caddr_t, uint32_t); 76 static caddr_t pfkey_setsadbaddr(caddr_t, caddr_t, u_int, 77 struct sockaddr *, u_int, u_int); 78 static caddr_t pfkey_setsadbkey(caddr_t, caddr_t, u_int, caddr_t, u_int); 79 static caddr_t pfkey_setsadblifetime(caddr_t, caddr_t, u_int, u_int32_t, 80 u_int32_t, u_int32_t, u_int32_t); 81 static caddr_t pfkey_setsadbxsa2(caddr_t, caddr_t, u_int32_t, u_int32_t); 82 83 /* 84 * make and search supported algorithm structure. 85 */ 86 static struct sadb_supported *ipsec_supported[] = { NULL, NULL, NULL, NULL }; 87 88 static int supported_map[] = { 89 SADB_SATYPE_AH, 90 SADB_SATYPE_ESP, 91 SADB_X_SATYPE_IPCOMP, 92 SADB_X_SATYPE_TCPSIGNATURE 93 }; 94 95 static int 96 findsupportedmap(int satype) 97 { 98 int i; 99 100 for (i = 0; i < sizeof(supported_map)/sizeof(supported_map[0]); i++) 101 if (supported_map[i] == satype) 102 return i; 103 return -1; 104 } 105 106 static struct sadb_alg * 107 findsupportedalg(u_int satype, u_int alg_id) 108 { 109 int algno; 110 int tlen; 111 caddr_t p; 112 113 /* validity check */ 114 algno = findsupportedmap(satype); 115 if (algno == -1) { 116 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 117 return NULL; 118 } 119 if (ipsec_supported[algno] == NULL) { 120 __ipsec_errcode = EIPSEC_DO_GET_SUPP_LIST; 121 return NULL; 122 } 123 124 tlen = ipsec_supported[algno]->sadb_supported_len 125 - sizeof(struct sadb_supported); 126 p = (caddr_t)(ipsec_supported[algno] + 1); 127 while (tlen > 0) { 128 if (tlen < sizeof(struct sadb_alg)) { 129 /* invalid format */ 130 break; 131 } 132 if (((struct sadb_alg *)p)->sadb_alg_id == alg_id) 133 return (struct sadb_alg *)p; 134 135 tlen -= sizeof(struct sadb_alg); 136 p += sizeof(struct sadb_alg); 137 } 138 139 __ipsec_errcode = EIPSEC_NOT_SUPPORTED; 140 return NULL; 141 } 142 143 static int 144 setsupportedmap(struct sadb_supported *sup) 145 { 146 struct sadb_supported **ipsup; 147 148 switch (sup->sadb_supported_exttype) { 149 case SADB_EXT_SUPPORTED_AUTH: 150 ipsup = &ipsec_supported[findsupportedmap(SADB_SATYPE_AH)]; 151 break; 152 case SADB_EXT_SUPPORTED_ENCRYPT: 153 ipsup = &ipsec_supported[findsupportedmap(SADB_SATYPE_ESP)]; 154 break; 155 default: 156 __ipsec_errcode = EIPSEC_INVAL_SATYPE; 157 return -1; 158 } 159 160 if (*ipsup) 161 free(*ipsup); 162 163 *ipsup = malloc(sup->sadb_supported_len); 164 if (!*ipsup) { 165 __ipsec_set_strerror(strerror(errno)); 166 return -1; 167 } 168 memcpy(*ipsup, sup, sup->sadb_supported_len); 169 170 return 0; 171 } 172 173 /* 174 * check key length against algorithm specified. 175 * This function is called with SADB_EXT_SUPPORTED_{AUTH,ENCRYPT} as the 176 * augument, and only calls to ipsec_check_keylen2(); 177 * keylen is the unit of bit. 178 * OUT: 179 * -1: invalid. 180 * 0: valid. 181 */ 182 int 183 ipsec_check_keylen(u_int supported, u_int alg_id, u_int keylen) 184 { 185 int satype; 186 187 /* validity check */ 188 switch (supported) { 189 case SADB_EXT_SUPPORTED_AUTH: 190 satype = SADB_SATYPE_AH; 191 break; 192 case SADB_EXT_SUPPORTED_ENCRYPT: 193 satype = SADB_SATYPE_ESP; 194 break; 195 default: 196 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 197 return -1; 198 } 199 200 return ipsec_check_keylen2(satype, alg_id, keylen); 201 } 202 203 /* 204 * check key length against algorithm specified. 205 * satype is one of satype defined at pfkeyv2.h. 206 * keylen is the unit of bit. 207 * OUT: 208 * -1: invalid. 209 * 0: valid. 210 */ 211 int 212 ipsec_check_keylen2(u_int satype, u_int alg_id, u_int keylen) 213 { 214 struct sadb_alg *alg; 215 216 alg = findsupportedalg(satype, alg_id); 217 if (!alg) 218 return -1; 219 220 if (keylen < alg->sadb_alg_minbits || keylen > alg->sadb_alg_maxbits) { 221 __ipsec_errcode = EIPSEC_INVAL_KEYLEN; 222 return -1; 223 } 224 225 __ipsec_errcode = EIPSEC_NO_ERROR; 226 return 0; 227 } 228 229 /* 230 * get max/min key length against algorithm specified. 231 * satype is one of satype defined at pfkeyv2.h. 232 * keylen is the unit of bit. 233 * OUT: 234 * -1: invalid. 235 * 0: valid. 236 */ 237 int 238 ipsec_get_keylen(u_int supported, u_int alg_id, struct sadb_alg *alg0) 239 { 240 struct sadb_alg *alg; 241 u_int satype; 242 243 /* validity check */ 244 if (!alg0) { 245 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 246 return -1; 247 } 248 249 switch (supported) { 250 case SADB_EXT_SUPPORTED_AUTH: 251 satype = SADB_SATYPE_AH; 252 break; 253 case SADB_EXT_SUPPORTED_ENCRYPT: 254 satype = SADB_SATYPE_ESP; 255 break; 256 default: 257 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 258 return -1; 259 } 260 261 alg = findsupportedalg(satype, alg_id); 262 if (!alg) 263 return -1; 264 265 memcpy(alg0, alg, sizeof(*alg0)); 266 267 __ipsec_errcode = EIPSEC_NO_ERROR; 268 return 0; 269 } 270 271 /* 272 * set the rate for SOFT lifetime against HARD one. 273 * If rate is more than 100 or equal to zero, then set to 100. 274 */ 275 static u_int soft_lifetime_allocations_rate = PFKEY_SOFT_LIFETIME_RATE; 276 static u_int soft_lifetime_bytes_rate = PFKEY_SOFT_LIFETIME_RATE; 277 static u_int soft_lifetime_addtime_rate = PFKEY_SOFT_LIFETIME_RATE; 278 static u_int soft_lifetime_usetime_rate = PFKEY_SOFT_LIFETIME_RATE; 279 280 u_int 281 pfkey_set_softrate(u_int type, u_int rate) 282 { 283 __ipsec_errcode = EIPSEC_NO_ERROR; 284 285 if (rate > 100 || rate == 0) 286 rate = 100; 287 288 switch (type) { 289 case SADB_X_LIFETIME_ALLOCATIONS: 290 soft_lifetime_allocations_rate = rate; 291 return 0; 292 case SADB_X_LIFETIME_BYTES: 293 soft_lifetime_bytes_rate = rate; 294 return 0; 295 case SADB_X_LIFETIME_ADDTIME: 296 soft_lifetime_addtime_rate = rate; 297 return 0; 298 case SADB_X_LIFETIME_USETIME: 299 soft_lifetime_usetime_rate = rate; 300 return 0; 301 } 302 303 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 304 return 1; 305 } 306 307 /* 308 * get current rate for SOFT lifetime against HARD one. 309 * ATTENTION: ~0 is returned if invalid type was passed. 310 */ 311 u_int 312 pfkey_get_softrate(u_int type) 313 { 314 switch (type) { 315 case SADB_X_LIFETIME_ALLOCATIONS: 316 return soft_lifetime_allocations_rate; 317 case SADB_X_LIFETIME_BYTES: 318 return soft_lifetime_bytes_rate; 319 case SADB_X_LIFETIME_ADDTIME: 320 return soft_lifetime_addtime_rate; 321 case SADB_X_LIFETIME_USETIME: 322 return soft_lifetime_usetime_rate; 323 } 324 325 return ~0; 326 } 327 328 /* 329 * sending SADB_GETSPI message to the kernel. 330 * OUT: 331 * positive: success and return length sent. 332 * -1 : error occurred, and set errno. 333 */ 334 int 335 pfkey_send_getspi(int so, u_int satype, u_int mode, struct sockaddr *src, 336 struct sockaddr *dst, u_int32_t min, uint32_t max, uint32_t reqid, 337 uint32_t seq) 338 { 339 struct sadb_msg *newmsg; 340 caddr_t ep; 341 int len; 342 int need_spirange = 0; 343 caddr_t p; 344 int plen; 345 346 /* validity check */ 347 if (src == NULL || dst == NULL) { 348 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 349 return -1; 350 } 351 if (src->sa_family != dst->sa_family) { 352 __ipsec_errcode = EIPSEC_FAMILY_MISMATCH; 353 return -1; 354 } 355 if (min > max || (min > 0 && min <= 255)) { 356 __ipsec_errcode = EIPSEC_INVAL_SPI; 357 return -1; 358 } 359 switch (src->sa_family) { 360 case AF_INET: 361 plen = sizeof(struct in_addr) << 3; 362 break; 363 case AF_INET6: 364 plen = sizeof(struct in6_addr) << 3; 365 break; 366 default: 367 __ipsec_errcode = EIPSEC_INVAL_FAMILY; 368 return -1; 369 } 370 371 /* create new sadb_msg to send. */ 372 len = sizeof(struct sadb_msg) 373 + sizeof(struct sadb_x_sa2) 374 + sizeof(struct sadb_address) 375 + PFKEY_ALIGN8(src->sa_len) 376 + sizeof(struct sadb_address) 377 + PFKEY_ALIGN8(dst->sa_len); 378 379 if (min > 255 && max < ~0) { 380 need_spirange++; 381 len += sizeof(struct sadb_spirange); 382 } 383 384 if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) { 385 __ipsec_set_strerror(strerror(errno)); 386 return -1; 387 } 388 ep = ((caddr_t)newmsg) + len; 389 390 p = pfkey_setsadbmsg((caddr_t)newmsg, ep, SADB_GETSPI, 391 len, satype, seq, getpid()); 392 if (!p) { 393 free(newmsg); 394 return -1; 395 } 396 397 p = pfkey_setsadbxsa2(p, ep, mode, reqid); 398 if (!p) { 399 free(newmsg); 400 return -1; 401 } 402 403 /* set sadb_address for source */ 404 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, plen, 405 IPSEC_ULPROTO_ANY); 406 if (!p) { 407 free(newmsg); 408 return -1; 409 } 410 411 /* set sadb_address for destination */ 412 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, plen, 413 IPSEC_ULPROTO_ANY); 414 if (!p) { 415 free(newmsg); 416 return -1; 417 } 418 419 /* processing spi range */ 420 if (need_spirange) { 421 struct sadb_spirange spirange; 422 423 if (p + sizeof(spirange) > ep) { 424 free(newmsg); 425 return -1; 426 } 427 428 memset(&spirange, 0, sizeof(spirange)); 429 spirange.sadb_spirange_len = PFKEY_UNIT64(sizeof(spirange)); 430 spirange.sadb_spirange_exttype = SADB_EXT_SPIRANGE; 431 spirange.sadb_spirange_min = min; 432 spirange.sadb_spirange_max = max; 433 434 memcpy(p, &spirange, sizeof(spirange)); 435 436 p += sizeof(spirange); 437 } 438 if (p != ep) { 439 free(newmsg); 440 return -1; 441 } 442 443 /* send message */ 444 len = pfkey_send(so, newmsg, len); 445 free(newmsg); 446 447 if (len < 0) 448 return -1; 449 450 __ipsec_errcode = EIPSEC_NO_ERROR; 451 return len; 452 } 453 454 /* 455 * sending SADB_UPDATE message to the kernel. 456 * The length of key material is a_keylen + e_keylen. 457 * OUT: 458 * positive: success and return length sent. 459 * -1 : error occurred, and set errno. 460 */ 461 int 462 pfkey_send_update(int so, u_int satype, u_int mode, struct sockaddr *src, 463 struct sockaddr *dst, u_int32_t spi, u_int32_t reqid, u_int wsize, 464 caddr_t keymat, u_int e_type, u_int e_keylen, u_int a_type, u_int a_keylen, 465 u_int flags, u_int32_t l_alloc, u_int64_t l_bytes, u_int64_t l_addtime, 466 u_int64_t l_usetime, u_int32_t seq) 467 { 468 int len; 469 if ((len = pfkey_send_x1(so, SADB_UPDATE, satype, mode, src, dst, spi, 470 reqid, wsize, 471 keymat, e_type, e_keylen, a_type, a_keylen, flags, 472 l_alloc, l_bytes, l_addtime, l_usetime, seq)) < 0) 473 return -1; 474 475 return len; 476 } 477 478 /* 479 * sending SADB_ADD message to the kernel. 480 * The length of key material is a_keylen + e_keylen. 481 * OUT: 482 * positive: success and return length sent. 483 * -1 : error occurred, and set errno. 484 */ 485 int 486 pfkey_send_add(int so, u_int satype, u_int mode, struct sockaddr *src, 487 struct sockaddr *dst, u_int32_t spi, u_int32_t reqid, u_int wsize, 488 caddr_t keymat, u_int e_type, u_int e_keylen, u_int a_type, u_int a_keylen, 489 u_int flags, u_int32_t l_alloc, u_int64_t l_bytes, u_int64_t l_addtime, 490 u_int64_t l_usetime, u_int32_t seq) 491 { 492 int len; 493 if ((len = pfkey_send_x1(so, SADB_ADD, satype, mode, src, dst, spi, 494 reqid, wsize, 495 keymat, e_type, e_keylen, a_type, a_keylen, flags, 496 l_alloc, l_bytes, l_addtime, l_usetime, seq)) < 0) 497 return -1; 498 499 return len; 500 } 501 502 /* 503 * sending SADB_DELETE message to the kernel. 504 * OUT: 505 * positive: success and return length sent. 506 * -1 : error occurred, and set errno. 507 */ 508 int 509 pfkey_send_delete(int so, u_int satype, u_int mode, struct sockaddr *src, 510 struct sockaddr *dst, u_int32_t spi) 511 { 512 int len; 513 if ((len = pfkey_send_x2(so, SADB_DELETE, satype, mode, src, dst, spi)) < 0) 514 return -1; 515 516 return len; 517 } 518 519 /* 520 * sending SADB_DELETE without spi to the kernel. This is 521 * the "delete all" request (an extension also present in 522 * Solaris). 523 * 524 * OUT: 525 * positive: success and return length sent 526 * -1 : error occurred, and set errno 527 */ 528 int 529 pfkey_send_delete_all(int so, u_int satype, u_int mode, struct sockaddr *src, 530 struct sockaddr *dst) 531 { 532 struct sadb_msg *newmsg; 533 int len; 534 caddr_t p; 535 int plen; 536 caddr_t ep; 537 538 /* validity check */ 539 if (src == NULL || dst == NULL) { 540 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 541 return -1; 542 } 543 if (src->sa_family != dst->sa_family) { 544 __ipsec_errcode = EIPSEC_FAMILY_MISMATCH; 545 return -1; 546 } 547 switch (src->sa_family) { 548 case AF_INET: 549 plen = sizeof(struct in_addr) << 3; 550 break; 551 case AF_INET6: 552 plen = sizeof(struct in6_addr) << 3; 553 break; 554 default: 555 __ipsec_errcode = EIPSEC_INVAL_FAMILY; 556 return -1; 557 } 558 559 /* create new sadb_msg to reply. */ 560 len = sizeof(struct sadb_msg) 561 + sizeof(struct sadb_address) 562 + PFKEY_ALIGN8(src->sa_len) 563 + sizeof(struct sadb_address) 564 + PFKEY_ALIGN8(dst->sa_len); 565 566 if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) { 567 __ipsec_set_strerror(strerror(errno)); 568 return -1; 569 } 570 ep = ((caddr_t)newmsg) + len; 571 572 p = pfkey_setsadbmsg((caddr_t)newmsg, ep, SADB_DELETE, len, satype, 0, 573 getpid()); 574 if (!p) { 575 free(newmsg); 576 return -1; 577 } 578 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, plen, 579 IPSEC_ULPROTO_ANY); 580 if (!p) { 581 free(newmsg); 582 return -1; 583 } 584 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, plen, 585 IPSEC_ULPROTO_ANY); 586 if (!p || p != ep) { 587 free(newmsg); 588 return -1; 589 } 590 591 /* send message */ 592 len = pfkey_send(so, newmsg, len); 593 free(newmsg); 594 595 if (len < 0) 596 return -1; 597 598 __ipsec_errcode = EIPSEC_NO_ERROR; 599 return len; 600 } 601 602 /* 603 * sending SADB_GET message to the kernel. 604 * OUT: 605 * positive: success and return length sent. 606 * -1 : error occurred, and set errno. 607 */ 608 int 609 pfkey_send_get(int so, u_int satype, u_int mode, struct sockaddr *src, 610 struct sockaddr *dst, u_int32_t spi) 611 { 612 int len; 613 if ((len = pfkey_send_x2(so, SADB_GET, satype, mode, src, dst, spi)) < 0) 614 return -1; 615 616 return len; 617 } 618 619 /* 620 * sending SADB_REGISTER message to the kernel. 621 * OUT: 622 * positive: success and return length sent. 623 * -1 : error occurred, and set errno. 624 */ 625 int 626 pfkey_send_register(int so, u_int satype) 627 { 628 int len, algno; 629 630 if (satype == SADB_SATYPE_UNSPEC) { 631 for (algno = 0; 632 algno < sizeof(supported_map)/sizeof(supported_map[0]); 633 algno++) { 634 if (ipsec_supported[algno]) { 635 free(ipsec_supported[algno]); 636 ipsec_supported[algno] = NULL; 637 } 638 } 639 } else { 640 algno = findsupportedmap(satype); 641 if (algno == -1) { 642 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 643 return -1; 644 } 645 646 if (ipsec_supported[algno]) { 647 free(ipsec_supported[algno]); 648 ipsec_supported[algno] = NULL; 649 } 650 } 651 652 if ((len = pfkey_send_x3(so, SADB_REGISTER, satype)) < 0) 653 return -1; 654 655 return len; 656 } 657 658 /* 659 * receiving SADB_REGISTER message from the kernel, and copy buffer for 660 * sadb_supported returned into ipsec_supported. 661 * OUT: 662 * 0: success and return length sent. 663 * -1: error occurred, and set errno. 664 */ 665 int 666 pfkey_recv_register(int so) 667 { 668 pid_t pid = getpid(); 669 struct sadb_msg *newmsg; 670 int error = -1; 671 672 /* receive message */ 673 for (;;) { 674 if ((newmsg = pfkey_recv(so)) == NULL) 675 return -1; 676 if (newmsg->sadb_msg_type == SADB_REGISTER && 677 newmsg->sadb_msg_pid == pid) 678 break; 679 free(newmsg); 680 } 681 682 /* check and fix */ 683 newmsg->sadb_msg_len = PFKEY_UNUNIT64(newmsg->sadb_msg_len); 684 685 error = pfkey_set_supported(newmsg, newmsg->sadb_msg_len); 686 free(newmsg); 687 688 if (error == 0) 689 __ipsec_errcode = EIPSEC_NO_ERROR; 690 691 return error; 692 } 693 694 /* 695 * receiving SADB_REGISTER message from the kernel, and copy buffer for 696 * sadb_supported returned into ipsec_supported. 697 * NOTE: sadb_msg_len must be host order. 698 * IN: 699 * tlen: msg length, it's to makeing sure. 700 * OUT: 701 * 0: success and return length sent. 702 * -1: error occurred, and set errno. 703 */ 704 int 705 pfkey_set_supported(struct sadb_msg *msg, int tlen) 706 { 707 struct sadb_supported *sup; 708 caddr_t p; 709 caddr_t ep; 710 711 /* validity */ 712 if (msg->sadb_msg_len != tlen) { 713 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 714 return -1; 715 } 716 717 p = (caddr_t)msg; 718 ep = p + tlen; 719 720 p += sizeof(struct sadb_msg); 721 722 while (p < ep) { 723 sup = (struct sadb_supported *)p; 724 if (ep < p + sizeof(*sup) || 725 PFKEY_EXTLEN(sup) < sizeof(*sup) || 726 ep < p + sup->sadb_supported_len) { 727 /* invalid format */ 728 break; 729 } 730 731 switch (sup->sadb_supported_exttype) { 732 case SADB_EXT_SUPPORTED_AUTH: 733 case SADB_EXT_SUPPORTED_ENCRYPT: 734 break; 735 default: 736 __ipsec_errcode = EIPSEC_INVAL_SATYPE; 737 return -1; 738 } 739 740 /* fixed length */ 741 sup->sadb_supported_len = PFKEY_EXTLEN(sup); 742 743 /* set supported map */ 744 if (setsupportedmap(sup) != 0) 745 return -1; 746 747 p += sup->sadb_supported_len; 748 } 749 750 if (p != ep) { 751 __ipsec_errcode = EIPSEC_INVAL_SATYPE; 752 return -1; 753 } 754 755 __ipsec_errcode = EIPSEC_NO_ERROR; 756 757 return 0; 758 } 759 760 /* 761 * sending SADB_FLUSH message to the kernel. 762 * OUT: 763 * positive: success and return length sent. 764 * -1 : error occurred, and set errno. 765 */ 766 int 767 pfkey_send_flush(int so, u_int satype) 768 { 769 int len; 770 771 if ((len = pfkey_send_x3(so, SADB_FLUSH, satype)) < 0) 772 return -1; 773 774 return len; 775 } 776 777 /* 778 * sending SADB_DUMP message to the kernel. 779 * OUT: 780 * positive: success and return length sent. 781 * -1 : error occurred, and set errno. 782 */ 783 int 784 pfkey_send_dump(int so, u_int satype) 785 { 786 int len; 787 788 if ((len = pfkey_send_x3(so, SADB_DUMP, satype)) < 0) 789 return -1; 790 791 return len; 792 } 793 794 /* 795 * sending SADB_X_PROMISC message to the kernel. 796 * NOTE that this function handles promisc mode toggle only. 797 * IN: 798 * flag: set promisc off if zero, set promisc on if non-zero. 799 * OUT: 800 * positive: success and return length sent. 801 * -1 : error occurred, and set errno. 802 * 0 : error occurred, and set errno. 803 * others: a pointer to new allocated buffer in which supported 804 * algorithms is. 805 */ 806 int 807 pfkey_send_promisc_toggle(int so, int flag) 808 { 809 int len; 810 811 if ((len = pfkey_send_x3(so, SADB_X_PROMISC, (flag ? 1 : 0))) < 0) 812 return -1; 813 814 return len; 815 } 816 817 /* 818 * sending SADB_X_SPDADD message to the kernel. 819 * OUT: 820 * positive: success and return length sent. 821 * -1 : error occurred, and set errno. 822 */ 823 int 824 pfkey_send_spdadd(int so, struct sockaddr *src, u_int prefs, 825 struct sockaddr *dst, u_int prefd, u_int proto, caddr_t policy, 826 int policylen, u_int32_t seq) 827 { 828 int len; 829 830 if ((len = pfkey_send_x4(so, SADB_X_SPDADD, 831 src, prefs, dst, prefd, proto, 832 0, 0, 833 policy, policylen, seq)) < 0) 834 return -1; 835 836 return len; 837 } 838 839 /* 840 * sending SADB_X_SPDADD message to the kernel. 841 * OUT: 842 * positive: success and return length sent. 843 * -1 : error occurred, and set errno. 844 */ 845 int 846 pfkey_send_spdadd2(int so, struct sockaddr *src, u_int prefs, 847 struct sockaddr *dst, u_int prefd, u_int proto, u_int64_t ltime, 848 u_int64_t vtime, caddr_t policy, int policylen, u_int32_t seq) 849 { 850 int len; 851 852 if ((len = pfkey_send_x4(so, SADB_X_SPDADD, 853 src, prefs, dst, prefd, proto, 854 ltime, vtime, 855 policy, policylen, seq)) < 0) 856 return -1; 857 858 return len; 859 } 860 861 /* 862 * sending SADB_X_SPDUPDATE message to the kernel. 863 * OUT: 864 * positive: success and return length sent. 865 * -1 : error occurred, and set errno. 866 */ 867 int 868 pfkey_send_spdupdate(int so, struct sockaddr *src, u_int prefs, 869 struct sockaddr *dst, u_int prefd, u_int proto, caddr_t policy, 870 int policylen, u_int32_t seq) 871 { 872 int len; 873 874 if ((len = pfkey_send_x4(so, SADB_X_SPDUPDATE, 875 src, prefs, dst, prefd, proto, 876 0, 0, 877 policy, policylen, seq)) < 0) 878 return -1; 879 880 return len; 881 } 882 883 /* 884 * sending SADB_X_SPDUPDATE message to the kernel. 885 * OUT: 886 * positive: success and return length sent. 887 * -1 : error occurred, and set errno. 888 */ 889 int 890 pfkey_send_spdupdate2(int so, struct sockaddr *src, u_int prefs, 891 struct sockaddr *dst, u_int prefd, u_int proto, u_int64_t ltime, 892 u_int64_t vtime, caddr_t policy, int policylen, u_int32_t seq) 893 { 894 int len; 895 896 if ((len = pfkey_send_x4(so, SADB_X_SPDUPDATE, 897 src, prefs, dst, prefd, proto, 898 ltime, vtime, 899 policy, policylen, seq)) < 0) 900 return -1; 901 902 return len; 903 } 904 905 /* 906 * sending SADB_X_SPDDELETE message to the kernel. 907 * OUT: 908 * positive: success and return length sent. 909 * -1 : error occurred, and set errno. 910 */ 911 int 912 pfkey_send_spddelete(int so, struct sockaddr *src, u_int prefs, 913 struct sockaddr *dst, u_int prefd, u_int proto, caddr_t policy, 914 int policylen, u_int32_t seq) 915 { 916 int len; 917 918 if (policylen != sizeof(struct sadb_x_policy)) { 919 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 920 return -1; 921 } 922 923 if ((len = pfkey_send_x4(so, SADB_X_SPDDELETE, 924 src, prefs, dst, prefd, proto, 925 0, 0, 926 policy, policylen, seq)) < 0) 927 return -1; 928 929 return len; 930 } 931 932 /* 933 * sending SADB_X_SPDDELETE message to the kernel. 934 * OUT: 935 * positive: success and return length sent. 936 * -1 : error occurred, and set errno. 937 */ 938 int 939 pfkey_send_spddelete2(int so, u_int32_t spid) 940 { 941 int len; 942 943 if ((len = pfkey_send_x5(so, SADB_X_SPDDELETE2, spid)) < 0) 944 return -1; 945 946 return len; 947 } 948 949 /* 950 * sending SADB_X_SPDGET message to the kernel. 951 * OUT: 952 * positive: success and return length sent. 953 * -1 : error occurred, and set errno. 954 */ 955 int 956 pfkey_send_spdget(int so, u_int32_t spid) 957 { 958 int len; 959 960 if ((len = pfkey_send_x5(so, SADB_X_SPDGET, spid)) < 0) 961 return -1; 962 963 return len; 964 } 965 966 /* 967 * sending SADB_X_SPDSETIDX message to the kernel. 968 * OUT: 969 * positive: success and return length sent. 970 * -1 : error occurred, and set errno. 971 */ 972 int 973 pfkey_send_spdsetidx(int so, struct sockaddr *src, u_int prefs, 974 struct sockaddr *dst, u_int prefd, u_int proto, caddr_t policy, 975 int policylen, u_int32_t seq) 976 { 977 int len; 978 979 if (policylen != sizeof(struct sadb_x_policy)) { 980 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 981 return -1; 982 } 983 984 if ((len = pfkey_send_x4(so, SADB_X_SPDSETIDX, 985 src, prefs, dst, prefd, proto, 986 0, 0, 987 policy, policylen, seq)) < 0) 988 return -1; 989 990 return len; 991 } 992 993 /* 994 * sending SADB_SPDFLUSH message to the kernel. 995 * OUT: 996 * positive: success and return length sent. 997 * -1 : error occurred, and set errno. 998 */ 999 int 1000 pfkey_send_spdflush(int so) 1001 { 1002 int len; 1003 1004 if ((len = pfkey_send_x3(so, SADB_X_SPDFLUSH, SADB_SATYPE_UNSPEC)) < 0) 1005 return -1; 1006 1007 return len; 1008 } 1009 1010 /* 1011 * sending SADB_SPDDUMP message to the kernel. 1012 * OUT: 1013 * positive: success and return length sent. 1014 * -1 : error occurred, and set errno. 1015 */ 1016 int 1017 pfkey_send_spddump(int so) 1018 { 1019 int len; 1020 1021 if ((len = pfkey_send_x3(so, SADB_X_SPDDUMP, SADB_SATYPE_UNSPEC)) < 0) 1022 return -1; 1023 1024 return len; 1025 } 1026 1027 /* sending SADB_ADD or SADB_UPDATE message to the kernel */ 1028 static int 1029 pfkey_send_x1(int so, u_int type, u_int satype, u_int mode, 1030 struct sockaddr *src, struct sockaddr *dst, u_int32_t spi, u_int32_t reqid, 1031 u_int wsize, caddr_t keymat, u_int e_type, u_int e_keylen, u_int a_type, 1032 u_int a_keylen, u_int flags, u_int32_t l_alloc, u_int32_t l_bytes, 1033 u_int32_t l_addtime, u_int32_t l_usetime, u_int32_t seq) 1034 { 1035 struct sadb_msg *newmsg; 1036 int len; 1037 caddr_t p; 1038 int plen; 1039 caddr_t ep; 1040 1041 /* validity check */ 1042 if (src == NULL || dst == NULL) { 1043 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 1044 return -1; 1045 } 1046 if (src->sa_family != dst->sa_family) { 1047 __ipsec_errcode = EIPSEC_FAMILY_MISMATCH; 1048 return -1; 1049 } 1050 switch (src->sa_family) { 1051 case AF_INET: 1052 plen = sizeof(struct in_addr) << 3; 1053 break; 1054 case AF_INET6: 1055 plen = sizeof(struct in6_addr) << 3; 1056 break; 1057 default: 1058 __ipsec_errcode = EIPSEC_INVAL_FAMILY; 1059 return -1; 1060 } 1061 1062 switch (satype) { 1063 case SADB_SATYPE_ESP: 1064 if (e_type == SADB_EALG_NONE) { 1065 __ipsec_errcode = EIPSEC_NO_ALGS; 1066 return -1; 1067 } 1068 break; 1069 case SADB_SATYPE_AH: 1070 if (e_type != SADB_EALG_NONE) { 1071 __ipsec_errcode = EIPSEC_INVAL_ALGS; 1072 return -1; 1073 } 1074 if (a_type == SADB_AALG_NONE) { 1075 __ipsec_errcode = EIPSEC_NO_ALGS; 1076 return -1; 1077 } 1078 break; 1079 case SADB_X_SATYPE_IPCOMP: 1080 if (e_type == SADB_X_CALG_NONE) { 1081 __ipsec_errcode = EIPSEC_INVAL_ALGS; 1082 return -1; 1083 } 1084 if (a_type != SADB_AALG_NONE) { 1085 __ipsec_errcode = EIPSEC_NO_ALGS; 1086 return -1; 1087 } 1088 break; 1089 case SADB_X_SATYPE_TCPSIGNATURE: 1090 if (e_type != SADB_EALG_NONE) { 1091 __ipsec_errcode = EIPSEC_INVAL_ALGS; 1092 return -1; 1093 } 1094 if (a_type != SADB_X_AALG_TCP_MD5) { 1095 __ipsec_errcode = EIPSEC_INVAL_ALGS; 1096 return -1; 1097 } 1098 break; 1099 default: 1100 __ipsec_errcode = EIPSEC_INVAL_SATYPE; 1101 return -1; 1102 } 1103 1104 /* create new sadb_msg to reply. */ 1105 len = sizeof(struct sadb_msg) 1106 + sizeof(struct sadb_sa) 1107 + sizeof(struct sadb_x_sa2) 1108 + sizeof(struct sadb_address) 1109 + PFKEY_ALIGN8(src->sa_len) 1110 + sizeof(struct sadb_address) 1111 + PFKEY_ALIGN8(dst->sa_len) 1112 + sizeof(struct sadb_lifetime) 1113 + sizeof(struct sadb_lifetime); 1114 1115 if (wsize > UINT8_MAX) { 1116 if (wsize > (UINT32_MAX - 32) >> 3) { 1117 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 1118 return (-1); 1119 } 1120 len += sizeof(struct sadb_x_sa_replay); 1121 } 1122 if (e_type != SADB_EALG_NONE) 1123 len += (sizeof(struct sadb_key) + PFKEY_ALIGN8(e_keylen)); 1124 if (a_type != SADB_AALG_NONE) 1125 len += (sizeof(struct sadb_key) + PFKEY_ALIGN8(a_keylen)); 1126 1127 if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) { 1128 __ipsec_set_strerror(strerror(errno)); 1129 return -1; 1130 } 1131 ep = ((caddr_t)newmsg) + len; 1132 1133 p = pfkey_setsadbmsg((caddr_t)newmsg, ep, type, len, 1134 satype, seq, getpid()); 1135 if (!p) { 1136 free(newmsg); 1137 return -1; 1138 } 1139 p = pfkey_setsadbsa(p, ep, spi, wsize, a_type, e_type, flags); 1140 if (!p) { 1141 free(newmsg); 1142 return -1; 1143 } 1144 p = pfkey_setsadbxsa2(p, ep, mode, reqid); 1145 if (!p) { 1146 free(newmsg); 1147 return -1; 1148 } 1149 if (wsize > UINT8_MAX) { 1150 p = pfkey_setsadbxreplay(p, ep, wsize); 1151 if (!p) { 1152 free(newmsg); 1153 return (-1); 1154 } 1155 } 1156 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, plen, 1157 IPSEC_ULPROTO_ANY); 1158 if (!p) { 1159 free(newmsg); 1160 return -1; 1161 } 1162 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, plen, 1163 IPSEC_ULPROTO_ANY); 1164 if (!p) { 1165 free(newmsg); 1166 return -1; 1167 } 1168 1169 if (e_type != SADB_EALG_NONE) { 1170 p = pfkey_setsadbkey(p, ep, SADB_EXT_KEY_ENCRYPT, 1171 keymat, e_keylen); 1172 if (!p) { 1173 free(newmsg); 1174 return -1; 1175 } 1176 } 1177 if (a_type != SADB_AALG_NONE) { 1178 p = pfkey_setsadbkey(p, ep, SADB_EXT_KEY_AUTH, 1179 keymat + e_keylen, a_keylen); 1180 if (!p) { 1181 free(newmsg); 1182 return -1; 1183 } 1184 } 1185 1186 /* set sadb_lifetime for destination */ 1187 p = pfkey_setsadblifetime(p, ep, SADB_EXT_LIFETIME_HARD, 1188 l_alloc, l_bytes, l_addtime, l_usetime); 1189 if (!p) { 1190 free(newmsg); 1191 return -1; 1192 } 1193 p = pfkey_setsadblifetime(p, ep, SADB_EXT_LIFETIME_SOFT, 1194 l_alloc, l_bytes, l_addtime, l_usetime); 1195 if (!p || p != ep) { 1196 free(newmsg); 1197 return -1; 1198 } 1199 1200 /* send message */ 1201 len = pfkey_send(so, newmsg, len); 1202 free(newmsg); 1203 1204 if (len < 0) 1205 return -1; 1206 1207 __ipsec_errcode = EIPSEC_NO_ERROR; 1208 return len; 1209 } 1210 1211 /* sending SADB_DELETE or SADB_GET message to the kernel */ 1212 static int 1213 pfkey_send_x2(int so, u_int type, u_int satype, u_int mode, 1214 struct sockaddr *src, struct sockaddr *dst, u_int32_t spi) 1215 { 1216 struct sadb_msg *newmsg; 1217 int len; 1218 caddr_t p; 1219 int plen; 1220 caddr_t ep; 1221 1222 /* validity check */ 1223 if (src == NULL || dst == NULL) { 1224 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 1225 return -1; 1226 } 1227 if (src->sa_family != dst->sa_family) { 1228 __ipsec_errcode = EIPSEC_FAMILY_MISMATCH; 1229 return -1; 1230 } 1231 switch (src->sa_family) { 1232 case AF_INET: 1233 plen = sizeof(struct in_addr) << 3; 1234 break; 1235 case AF_INET6: 1236 plen = sizeof(struct in6_addr) << 3; 1237 break; 1238 default: 1239 __ipsec_errcode = EIPSEC_INVAL_FAMILY; 1240 return -1; 1241 } 1242 1243 /* create new sadb_msg to reply. */ 1244 len = sizeof(struct sadb_msg) 1245 + sizeof(struct sadb_sa) 1246 + sizeof(struct sadb_address) 1247 + PFKEY_ALIGN8(src->sa_len) 1248 + sizeof(struct sadb_address) 1249 + PFKEY_ALIGN8(dst->sa_len); 1250 1251 if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) { 1252 __ipsec_set_strerror(strerror(errno)); 1253 return -1; 1254 } 1255 ep = ((caddr_t)newmsg) + len; 1256 1257 p = pfkey_setsadbmsg((caddr_t)newmsg, ep, type, len, satype, 0, 1258 getpid()); 1259 if (!p) { 1260 free(newmsg); 1261 return -1; 1262 } 1263 p = pfkey_setsadbsa(p, ep, spi, 0, 0, 0, 0); 1264 if (!p) { 1265 free(newmsg); 1266 return -1; 1267 } 1268 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, plen, 1269 IPSEC_ULPROTO_ANY); 1270 if (!p) { 1271 free(newmsg); 1272 return -1; 1273 } 1274 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, plen, 1275 IPSEC_ULPROTO_ANY); 1276 if (!p || p != ep) { 1277 free(newmsg); 1278 return -1; 1279 } 1280 1281 /* send message */ 1282 len = pfkey_send(so, newmsg, len); 1283 free(newmsg); 1284 1285 if (len < 0) 1286 return -1; 1287 1288 __ipsec_errcode = EIPSEC_NO_ERROR; 1289 return len; 1290 } 1291 1292 /* 1293 * sending SADB_REGISTER, SADB_FLUSH, SADB_DUMP or SADB_X_PROMISC message 1294 * to the kernel 1295 */ 1296 static int 1297 pfkey_send_x3(int so, u_int type, u_int satype) 1298 { 1299 struct sadb_msg *newmsg; 1300 int len; 1301 caddr_t p; 1302 caddr_t ep; 1303 1304 /* validity check */ 1305 switch (type) { 1306 case SADB_X_PROMISC: 1307 if (satype != 0 && satype != 1) { 1308 __ipsec_errcode = EIPSEC_INVAL_SATYPE; 1309 return -1; 1310 } 1311 break; 1312 default: 1313 switch (satype) { 1314 case SADB_SATYPE_UNSPEC: 1315 case SADB_SATYPE_AH: 1316 case SADB_SATYPE_ESP: 1317 case SADB_X_SATYPE_IPCOMP: 1318 case SADB_X_SATYPE_TCPSIGNATURE: 1319 break; 1320 default: 1321 __ipsec_errcode = EIPSEC_INVAL_SATYPE; 1322 return -1; 1323 } 1324 } 1325 1326 /* create new sadb_msg to send. */ 1327 len = sizeof(struct sadb_msg); 1328 1329 if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) { 1330 __ipsec_set_strerror(strerror(errno)); 1331 return -1; 1332 } 1333 ep = ((caddr_t)newmsg) + len; 1334 1335 p = pfkey_setsadbmsg((caddr_t)newmsg, ep, type, len, satype, 0, 1336 getpid()); 1337 if (!p || p != ep) { 1338 free(newmsg); 1339 return -1; 1340 } 1341 1342 /* send message */ 1343 len = pfkey_send(so, newmsg, len); 1344 free(newmsg); 1345 1346 if (len < 0) 1347 return -1; 1348 1349 __ipsec_errcode = EIPSEC_NO_ERROR; 1350 return len; 1351 } 1352 1353 /* sending SADB_X_SPDADD message to the kernel */ 1354 static int 1355 pfkey_send_x4(int so, u_int type, struct sockaddr *src, u_int prefs, 1356 struct sockaddr *dst, u_int prefd, u_int proto, u_int64_t ltime, 1357 u_int64_t vtime, char *policy, int policylen, u_int32_t seq) 1358 { 1359 struct sadb_msg *newmsg; 1360 int len; 1361 caddr_t p; 1362 int plen; 1363 caddr_t ep; 1364 1365 /* validity check */ 1366 if (src == NULL || dst == NULL) { 1367 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 1368 return -1; 1369 } 1370 if (src->sa_family != dst->sa_family) { 1371 __ipsec_errcode = EIPSEC_FAMILY_MISMATCH; 1372 return -1; 1373 } 1374 1375 switch (src->sa_family) { 1376 case AF_INET: 1377 plen = sizeof(struct in_addr) << 3; 1378 break; 1379 case AF_INET6: 1380 plen = sizeof(struct in6_addr) << 3; 1381 break; 1382 default: 1383 __ipsec_errcode = EIPSEC_INVAL_FAMILY; 1384 return -1; 1385 } 1386 if (prefs > plen || prefd > plen) { 1387 __ipsec_errcode = EIPSEC_INVAL_PREFIXLEN; 1388 return -1; 1389 } 1390 1391 /* create new sadb_msg to reply. */ 1392 len = sizeof(struct sadb_msg) 1393 + sizeof(struct sadb_address) 1394 + PFKEY_ALIGN8(src->sa_len) 1395 + sizeof(struct sadb_address) 1396 + PFKEY_ALIGN8(src->sa_len) 1397 + sizeof(struct sadb_lifetime) 1398 + policylen; 1399 1400 if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) { 1401 __ipsec_set_strerror(strerror(errno)); 1402 return -1; 1403 } 1404 ep = ((caddr_t)newmsg) + len; 1405 1406 p = pfkey_setsadbmsg((caddr_t)newmsg, ep, type, len, 1407 SADB_SATYPE_UNSPEC, seq, getpid()); 1408 if (!p) { 1409 free(newmsg); 1410 return -1; 1411 } 1412 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, prefs, proto); 1413 if (!p) { 1414 free(newmsg); 1415 return -1; 1416 } 1417 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, prefd, proto); 1418 if (!p) { 1419 free(newmsg); 1420 return -1; 1421 } 1422 p = pfkey_setsadblifetime(p, ep, SADB_EXT_LIFETIME_HARD, 1423 0, 0, ltime, vtime); 1424 if (!p || p + policylen != ep) { 1425 free(newmsg); 1426 return -1; 1427 } 1428 memcpy(p, policy, policylen); 1429 1430 /* send message */ 1431 len = pfkey_send(so, newmsg, len); 1432 free(newmsg); 1433 1434 if (len < 0) 1435 return -1; 1436 1437 __ipsec_errcode = EIPSEC_NO_ERROR; 1438 return len; 1439 } 1440 1441 /* sending SADB_X_SPDGET or SADB_X_SPDDELETE message to the kernel */ 1442 static int 1443 pfkey_send_x5(int so, u_int type, u_int32_t spid) 1444 { 1445 struct sadb_msg *newmsg; 1446 struct sadb_x_policy xpl; 1447 int len; 1448 caddr_t p; 1449 caddr_t ep; 1450 1451 /* create new sadb_msg to reply. */ 1452 len = sizeof(struct sadb_msg) 1453 + sizeof(xpl); 1454 1455 if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) { 1456 __ipsec_set_strerror(strerror(errno)); 1457 return -1; 1458 } 1459 ep = ((caddr_t)newmsg) + len; 1460 1461 p = pfkey_setsadbmsg((caddr_t)newmsg, ep, type, len, 1462 SADB_SATYPE_UNSPEC, 0, getpid()); 1463 if (!p) { 1464 free(newmsg); 1465 return -1; 1466 } 1467 1468 if (p + sizeof(xpl) != ep) { 1469 free(newmsg); 1470 return -1; 1471 } 1472 memset(&xpl, 0, sizeof(xpl)); 1473 xpl.sadb_x_policy_len = PFKEY_UNIT64(sizeof(xpl)); 1474 xpl.sadb_x_policy_exttype = SADB_X_EXT_POLICY; 1475 xpl.sadb_x_policy_id = spid; 1476 memcpy(p, &xpl, sizeof(xpl)); 1477 1478 /* send message */ 1479 len = pfkey_send(so, newmsg, len); 1480 free(newmsg); 1481 1482 if (len < 0) 1483 return -1; 1484 1485 __ipsec_errcode = EIPSEC_NO_ERROR; 1486 return len; 1487 } 1488 1489 /* 1490 * open a socket. 1491 * OUT: 1492 * -1: fail. 1493 * others : success and return value of socket. 1494 */ 1495 int 1496 pfkey_open(void) 1497 { 1498 int so; 1499 int bufsiz_current, bufsiz_wanted; 1500 int ret; 1501 socklen_t len; 1502 1503 if ((so = socket(PF_KEY, SOCK_RAW, PF_KEY_V2)) < 0) { 1504 __ipsec_set_strerror(strerror(errno)); 1505 return -1; 1506 } 1507 1508 /* 1509 * This is a temporary workaround for KAME PR 154. 1510 * Don't really care even if it fails. 1511 */ 1512 /* Try to have 128k. If we have more, do not lower it. */ 1513 bufsiz_wanted = 128 * 1024; 1514 len = sizeof(bufsiz_current); 1515 ret = getsockopt(so, SOL_SOCKET, SO_SNDBUF, 1516 &bufsiz_current, &len); 1517 if ((ret < 0) || (bufsiz_current < bufsiz_wanted)) 1518 (void)setsockopt(so, SOL_SOCKET, SO_SNDBUF, 1519 &bufsiz_wanted, sizeof(bufsiz_wanted)); 1520 1521 /* Try to have have at least 2MB. If we have more, do not lower it. */ 1522 bufsiz_wanted = 2 * 1024 * 1024; 1523 len = sizeof(bufsiz_current); 1524 ret = getsockopt(so, SOL_SOCKET, SO_RCVBUF, 1525 &bufsiz_current, &len); 1526 if (ret < 0) 1527 bufsiz_current = 128 * 1024; 1528 1529 for (; bufsiz_wanted > bufsiz_current; bufsiz_wanted /= 2) { 1530 if (setsockopt(so, SOL_SOCKET, SO_RCVBUF, 1531 &bufsiz_wanted, sizeof(bufsiz_wanted)) == 0) 1532 break; 1533 } 1534 1535 __ipsec_errcode = EIPSEC_NO_ERROR; 1536 return so; 1537 } 1538 1539 /* 1540 * close a socket. 1541 * OUT: 1542 * 0: success. 1543 * -1: fail. 1544 */ 1545 void 1546 pfkey_close(int so) 1547 { 1548 (void)close(so); 1549 1550 __ipsec_errcode = EIPSEC_NO_ERROR; 1551 return; 1552 } 1553 1554 /* 1555 * receive sadb_msg data, and return pointer to new buffer allocated. 1556 * Must free this buffer later. 1557 * OUT: 1558 * NULL : error occurred. 1559 * others : a pointer to sadb_msg structure. 1560 * 1561 * XXX should be rewritten to pass length explicitly 1562 */ 1563 struct sadb_msg * 1564 pfkey_recv(int so) 1565 { 1566 struct sadb_msg buf, *newmsg; 1567 int len, reallen; 1568 1569 while ((len = recv(so, (caddr_t)&buf, sizeof(buf), MSG_PEEK)) < 0) { 1570 if (errno == EINTR) 1571 continue; 1572 __ipsec_set_strerror(strerror(errno)); 1573 return NULL; 1574 } 1575 1576 if (len < sizeof(buf)) { 1577 recv(so, (caddr_t)&buf, sizeof(buf), 0); 1578 __ipsec_errcode = EIPSEC_MAX; 1579 return NULL; 1580 } 1581 1582 /* read real message */ 1583 reallen = PFKEY_UNUNIT64(buf.sadb_msg_len); 1584 if ((newmsg = CALLOC(reallen, struct sadb_msg *)) == NULL) { 1585 __ipsec_set_strerror(strerror(errno)); 1586 return NULL; 1587 } 1588 1589 while ((len = recv(so, (caddr_t)newmsg, reallen, 0)) < 0) { 1590 if (errno == EINTR) 1591 continue; 1592 __ipsec_set_strerror(strerror(errno)); 1593 free(newmsg); 1594 return NULL; 1595 } 1596 1597 if (len != reallen) { 1598 __ipsec_errcode = EIPSEC_SYSTEM_ERROR; 1599 free(newmsg); 1600 return NULL; 1601 } 1602 1603 /* don't trust what the kernel says, validate! */ 1604 if (PFKEY_UNUNIT64(newmsg->sadb_msg_len) != len) { 1605 __ipsec_errcode = EIPSEC_SYSTEM_ERROR; 1606 free(newmsg); 1607 return NULL; 1608 } 1609 1610 __ipsec_errcode = EIPSEC_NO_ERROR; 1611 return newmsg; 1612 } 1613 1614 /* 1615 * send message to a socket. 1616 * OUT: 1617 * others: success and return length sent. 1618 * -1 : fail. 1619 */ 1620 int 1621 pfkey_send(int so, struct sadb_msg *msg, int len) 1622 { 1623 if ((len = send(so, (caddr_t)msg, len, 0)) < 0) { 1624 __ipsec_set_strerror(strerror(errno)); 1625 return -1; 1626 } 1627 1628 __ipsec_errcode = EIPSEC_NO_ERROR; 1629 return len; 1630 } 1631 1632 /* 1633 * %%% Utilities 1634 * NOTE: These functions are derived from netkey/key.c in KAME. 1635 */ 1636 /* 1637 * set the pointer to each header in this message buffer. 1638 * IN: msg: pointer to message buffer. 1639 * mhp: pointer to the buffer initialized like below: 1640 * caddr_t mhp[SADB_EXT_MAX + 1]; 1641 * OUT: -1: invalid. 1642 * 0: valid. 1643 * 1644 * XXX should be rewritten to obtain length explicitly 1645 */ 1646 int 1647 pfkey_align(struct sadb_msg *msg, caddr_t *mhp) 1648 { 1649 struct sadb_ext *ext; 1650 int i; 1651 caddr_t p; 1652 caddr_t ep; /* XXX should be passed from upper layer */ 1653 1654 /* validity check */ 1655 if (msg == NULL || mhp == NULL) { 1656 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 1657 return -1; 1658 } 1659 1660 /* initialize */ 1661 for (i = 0; i < SADB_EXT_MAX + 1; i++) 1662 mhp[i] = NULL; 1663 1664 mhp[0] = (caddr_t)msg; 1665 1666 /* initialize */ 1667 p = (caddr_t) msg; 1668 ep = p + PFKEY_UNUNIT64(msg->sadb_msg_len); 1669 1670 /* skip base header */ 1671 p += sizeof(struct sadb_msg); 1672 1673 while (p < ep) { 1674 ext = (struct sadb_ext *)p; 1675 if (ep < p + sizeof(*ext) || PFKEY_EXTLEN(ext) < sizeof(*ext) || 1676 ep < p + PFKEY_EXTLEN(ext)) { 1677 /* invalid format */ 1678 break; 1679 } 1680 1681 /* duplicate check */ 1682 /* XXX Are there duplication either KEY_AUTH or KEY_ENCRYPT ?*/ 1683 if (mhp[ext->sadb_ext_type] != NULL) { 1684 __ipsec_errcode = EIPSEC_INVAL_EXTTYPE; 1685 return -1; 1686 } 1687 1688 /* set pointer */ 1689 switch (ext->sadb_ext_type) { 1690 case SADB_EXT_SA: 1691 case SADB_EXT_LIFETIME_CURRENT: 1692 case SADB_EXT_LIFETIME_HARD: 1693 case SADB_EXT_LIFETIME_SOFT: 1694 case SADB_EXT_ADDRESS_SRC: 1695 case SADB_EXT_ADDRESS_DST: 1696 case SADB_EXT_ADDRESS_PROXY: 1697 case SADB_EXT_KEY_AUTH: 1698 /* XXX should to be check weak keys. */ 1699 case SADB_EXT_KEY_ENCRYPT: 1700 /* XXX should to be check weak keys. */ 1701 case SADB_EXT_IDENTITY_SRC: 1702 case SADB_EXT_IDENTITY_DST: 1703 case SADB_EXT_SENSITIVITY: 1704 case SADB_EXT_PROPOSAL: 1705 case SADB_EXT_SUPPORTED_AUTH: 1706 case SADB_EXT_SUPPORTED_ENCRYPT: 1707 case SADB_EXT_SPIRANGE: 1708 case SADB_X_EXT_POLICY: 1709 case SADB_X_EXT_SA2: 1710 case SADB_X_EXT_NAT_T_TYPE: 1711 case SADB_X_EXT_NAT_T_SPORT: 1712 case SADB_X_EXT_NAT_T_DPORT: 1713 case SADB_X_EXT_NAT_T_OAI: 1714 case SADB_X_EXT_NAT_T_OAR: 1715 case SADB_X_EXT_NAT_T_FRAG: 1716 case SADB_X_EXT_SA_REPLAY: 1717 case SADB_X_EXT_NEW_ADDRESS_SRC: 1718 case SADB_X_EXT_NEW_ADDRESS_DST: 1719 mhp[ext->sadb_ext_type] = (caddr_t)ext; 1720 break; 1721 default: 1722 __ipsec_errcode = EIPSEC_INVAL_EXTTYPE; 1723 return -1; 1724 } 1725 1726 p += PFKEY_EXTLEN(ext); 1727 } 1728 1729 if (p != ep) { 1730 __ipsec_errcode = EIPSEC_INVAL_SADBMSG; 1731 return -1; 1732 } 1733 1734 __ipsec_errcode = EIPSEC_NO_ERROR; 1735 return 0; 1736 } 1737 1738 /* 1739 * check basic usage for sadb_msg, 1740 * NOTE: This routine is derived from netkey/key.c in KAME. 1741 * IN: msg: pointer to message buffer. 1742 * mhp: pointer to the buffer initialized like below: 1743 * 1744 * caddr_t mhp[SADB_EXT_MAX + 1]; 1745 * 1746 * OUT: -1: invalid. 1747 * 0: valid. 1748 */ 1749 int 1750 pfkey_check(caddr_t *mhp) 1751 { 1752 struct sadb_msg *msg; 1753 1754 /* validity check */ 1755 if (mhp == NULL || mhp[0] == NULL) { 1756 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 1757 return -1; 1758 } 1759 1760 msg = (struct sadb_msg *)mhp[0]; 1761 1762 /* check version */ 1763 if (msg->sadb_msg_version != PF_KEY_V2) { 1764 __ipsec_errcode = EIPSEC_INVAL_VERSION; 1765 return -1; 1766 } 1767 1768 /* check type */ 1769 if (msg->sadb_msg_type > SADB_MAX) { 1770 __ipsec_errcode = EIPSEC_INVAL_MSGTYPE; 1771 return -1; 1772 } 1773 1774 /* check SA type */ 1775 switch (msg->sadb_msg_satype) { 1776 case SADB_SATYPE_UNSPEC: 1777 switch (msg->sadb_msg_type) { 1778 case SADB_GETSPI: 1779 case SADB_UPDATE: 1780 case SADB_ADD: 1781 case SADB_DELETE: 1782 case SADB_GET: 1783 case SADB_ACQUIRE: 1784 case SADB_EXPIRE: 1785 __ipsec_errcode = EIPSEC_INVAL_SATYPE; 1786 return -1; 1787 } 1788 break; 1789 case SADB_SATYPE_ESP: 1790 case SADB_SATYPE_AH: 1791 case SADB_X_SATYPE_IPCOMP: 1792 case SADB_X_SATYPE_TCPSIGNATURE: 1793 switch (msg->sadb_msg_type) { 1794 case SADB_X_SPDADD: 1795 case SADB_X_SPDDELETE: 1796 case SADB_X_SPDGET: 1797 case SADB_X_SPDDUMP: 1798 case SADB_X_SPDFLUSH: 1799 __ipsec_errcode = EIPSEC_INVAL_SATYPE; 1800 return -1; 1801 } 1802 break; 1803 case SADB_SATYPE_RSVP: 1804 case SADB_SATYPE_OSPFV2: 1805 case SADB_SATYPE_RIPV2: 1806 case SADB_SATYPE_MIP: 1807 __ipsec_errcode = EIPSEC_NOT_SUPPORTED; 1808 return -1; 1809 case 1: /* XXX: What does it do ? */ 1810 if (msg->sadb_msg_type == SADB_X_PROMISC) 1811 break; 1812 /*FALLTHROUGH*/ 1813 default: 1814 __ipsec_errcode = EIPSEC_INVAL_SATYPE; 1815 return -1; 1816 } 1817 1818 /* check field of upper layer protocol and address family */ 1819 if (mhp[SADB_EXT_ADDRESS_SRC] != NULL 1820 && mhp[SADB_EXT_ADDRESS_DST] != NULL) { 1821 struct sadb_address *src0, *dst0; 1822 1823 src0 = (struct sadb_address *)(mhp[SADB_EXT_ADDRESS_SRC]); 1824 dst0 = (struct sadb_address *)(mhp[SADB_EXT_ADDRESS_DST]); 1825 1826 if (src0->sadb_address_proto != dst0->sadb_address_proto) { 1827 __ipsec_errcode = EIPSEC_PROTO_MISMATCH; 1828 return -1; 1829 } 1830 1831 if (PFKEY_ADDR_SADDR(src0)->sa_family 1832 != PFKEY_ADDR_SADDR(dst0)->sa_family) { 1833 __ipsec_errcode = EIPSEC_FAMILY_MISMATCH; 1834 return -1; 1835 } 1836 1837 switch (PFKEY_ADDR_SADDR(src0)->sa_family) { 1838 case AF_INET: 1839 case AF_INET6: 1840 break; 1841 default: 1842 __ipsec_errcode = EIPSEC_INVAL_FAMILY; 1843 return -1; 1844 } 1845 1846 /* 1847 * prefixlen == 0 is valid because there must be the case 1848 * all addresses are matched. 1849 */ 1850 } 1851 1852 __ipsec_errcode = EIPSEC_NO_ERROR; 1853 return 0; 1854 } 1855 1856 /* 1857 * set data into sadb_msg. 1858 * `buf' must has been allocated sufficiently. 1859 */ 1860 static caddr_t 1861 pfkey_setsadbmsg(caddr_t buf, caddr_t lim, u_int type, u_int tlen, 1862 u_int satype, u_int32_t seq, pid_t pid) 1863 { 1864 struct sadb_msg *p; 1865 u_int len; 1866 1867 p = (struct sadb_msg *)buf; 1868 len = sizeof(struct sadb_msg); 1869 1870 if (buf + len > lim) 1871 return NULL; 1872 1873 memset(p, 0, len); 1874 p->sadb_msg_version = PF_KEY_V2; 1875 p->sadb_msg_type = type; 1876 p->sadb_msg_errno = 0; 1877 p->sadb_msg_satype = satype; 1878 p->sadb_msg_len = PFKEY_UNIT64(tlen); 1879 p->sadb_msg_reserved = 0; 1880 p->sadb_msg_seq = seq; 1881 p->sadb_msg_pid = (u_int32_t)pid; 1882 1883 return(buf + len); 1884 } 1885 1886 /* 1887 * copy secasvar data into sadb_address. 1888 * `buf' must has been allocated sufficiently. 1889 */ 1890 static caddr_t 1891 pfkey_setsadbsa(caddr_t buf, caddr_t lim, u_int32_t spi, u_int wsize, 1892 u_int auth, u_int enc, u_int32_t flags) 1893 { 1894 struct sadb_sa *p; 1895 u_int len; 1896 1897 p = (struct sadb_sa *)buf; 1898 len = sizeof(struct sadb_sa); 1899 1900 if (buf + len > lim) 1901 return NULL; 1902 1903 memset(p, 0, len); 1904 p->sadb_sa_len = PFKEY_UNIT64(len); 1905 p->sadb_sa_exttype = SADB_EXT_SA; 1906 p->sadb_sa_spi = spi; 1907 p->sadb_sa_replay = wsize > UINT8_MAX ? UINT8_MAX: wsize; 1908 p->sadb_sa_state = SADB_SASTATE_LARVAL; 1909 p->sadb_sa_auth = auth; 1910 p->sadb_sa_encrypt = enc; 1911 p->sadb_sa_flags = flags; 1912 1913 return(buf + len); 1914 } 1915 1916 /* 1917 * Set data into sadb_x_sa_replay. 1918 * `buf' must has been allocated sufficiently. 1919 */ 1920 static caddr_t 1921 pfkey_setsadbxreplay(caddr_t buf, caddr_t lim, uint32_t wsize) 1922 { 1923 struct sadb_x_sa_replay *p; 1924 u_int len; 1925 1926 p = (struct sadb_x_sa_replay *)buf; 1927 len = sizeof(struct sadb_x_sa_replay); 1928 1929 if (buf + len > lim) 1930 return (NULL); 1931 1932 memset(p, 0, len); 1933 p->sadb_x_sa_replay_len = PFKEY_UNIT64(len); 1934 p->sadb_x_sa_replay_exttype = SADB_X_EXT_SA_REPLAY; 1935 /* Convert wsize from bytes to number of packets. */ 1936 p->sadb_x_sa_replay_replay = wsize << 3; 1937 1938 return (buf + len); 1939 } 1940 1941 /* 1942 * set data into sadb_address. 1943 * `buf' must has been allocated sufficiently. 1944 * prefixlen is in bits. 1945 */ 1946 static caddr_t 1947 pfkey_setsadbaddr(caddr_t buf, caddr_t lim, u_int exttype, 1948 struct sockaddr *saddr, u_int prefixlen, u_int ul_proto) 1949 { 1950 struct sadb_address *p; 1951 u_int len; 1952 1953 p = (struct sadb_address *)buf; 1954 len = sizeof(struct sadb_address) + PFKEY_ALIGN8(saddr->sa_len); 1955 1956 if (buf + len > lim) 1957 return NULL; 1958 1959 memset(p, 0, len); 1960 p->sadb_address_len = PFKEY_UNIT64(len); 1961 p->sadb_address_exttype = exttype & 0xffff; 1962 p->sadb_address_proto = ul_proto & 0xff; 1963 p->sadb_address_prefixlen = prefixlen; 1964 p->sadb_address_reserved = 0; 1965 1966 memcpy(p + 1, saddr, saddr->sa_len); 1967 1968 return(buf + len); 1969 } 1970 1971 /* 1972 * set sadb_key structure after clearing buffer with zero. 1973 * OUT: the pointer of buf + len. 1974 */ 1975 static caddr_t 1976 pfkey_setsadbkey(caddr_t buf, caddr_t lim, u_int type, caddr_t key, u_int keylen) 1977 { 1978 struct sadb_key *p; 1979 u_int len; 1980 1981 p = (struct sadb_key *)buf; 1982 len = sizeof(struct sadb_key) + PFKEY_ALIGN8(keylen); 1983 1984 if (buf + len > lim) 1985 return NULL; 1986 1987 memset(p, 0, len); 1988 p->sadb_key_len = PFKEY_UNIT64(len); 1989 p->sadb_key_exttype = type; 1990 p->sadb_key_bits = keylen << 3; 1991 p->sadb_key_reserved = 0; 1992 1993 memcpy(p + 1, key, keylen); 1994 1995 return buf + len; 1996 } 1997 1998 /* 1999 * set sadb_lifetime structure after clearing buffer with zero. 2000 * OUT: the pointer of buf + len. 2001 */ 2002 static caddr_t 2003 pfkey_setsadblifetime(caddr_t buf, caddr_t lim, u_int type, u_int32_t l_alloc, 2004 u_int32_t l_bytes, u_int32_t l_addtime, u_int32_t l_usetime) 2005 { 2006 struct sadb_lifetime *p; 2007 u_int len; 2008 2009 p = (struct sadb_lifetime *)buf; 2010 len = sizeof(struct sadb_lifetime); 2011 2012 if (buf + len > lim) 2013 return NULL; 2014 2015 memset(p, 0, len); 2016 p->sadb_lifetime_len = PFKEY_UNIT64(len); 2017 p->sadb_lifetime_exttype = type; 2018 2019 switch (type) { 2020 case SADB_EXT_LIFETIME_SOFT: 2021 p->sadb_lifetime_allocations 2022 = (l_alloc * soft_lifetime_allocations_rate) /100; 2023 p->sadb_lifetime_bytes 2024 = (l_bytes * soft_lifetime_bytes_rate) /100; 2025 p->sadb_lifetime_addtime 2026 = (l_addtime * soft_lifetime_addtime_rate) /100; 2027 p->sadb_lifetime_usetime 2028 = (l_usetime * soft_lifetime_usetime_rate) /100; 2029 break; 2030 case SADB_EXT_LIFETIME_HARD: 2031 p->sadb_lifetime_allocations = l_alloc; 2032 p->sadb_lifetime_bytes = l_bytes; 2033 p->sadb_lifetime_addtime = l_addtime; 2034 p->sadb_lifetime_usetime = l_usetime; 2035 break; 2036 } 2037 2038 return buf + len; 2039 } 2040 2041 /* 2042 * copy secasvar data into sadb_address. 2043 * `buf' must has been allocated sufficiently. 2044 */ 2045 static caddr_t 2046 pfkey_setsadbxsa2(caddr_t buf, caddr_t lim, u_int32_t mode0, u_int32_t reqid) 2047 { 2048 struct sadb_x_sa2 *p; 2049 u_int8_t mode = mode0 & 0xff; 2050 u_int len; 2051 2052 p = (struct sadb_x_sa2 *)buf; 2053 len = sizeof(struct sadb_x_sa2); 2054 2055 if (buf + len > lim) 2056 return NULL; 2057 2058 memset(p, 0, len); 2059 p->sadb_x_sa2_len = PFKEY_UNIT64(len); 2060 p->sadb_x_sa2_exttype = SADB_X_EXT_SA2; 2061 p->sadb_x_sa2_mode = mode; 2062 p->sadb_x_sa2_reqid = reqid; 2063 2064 return(buf + len); 2065 } 2066