1 /* $KAME: pfkey.c,v 1.39 2001/03/05 18:22:17 thorpej Exp $ */ 2 3 /* 4 * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project. 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. Neither the name of the project nor the names of its contributors 16 * may be used to endorse or promote products derived from this software 17 * without specific prior written permission. 18 * 19 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29 * SUCH DAMAGE. 30 */ 31 32 #include <sys/cdefs.h> 33 __FBSDID("$FreeBSD$"); 34 35 #include <sys/types.h> 36 #include <sys/param.h> 37 #include <sys/socket.h> 38 #include <net/pfkeyv2.h> 39 #include <netkey/key_var.h> 40 #include <netinet/in.h> 41 #include <netinet6/ipsec.h> 42 43 #include <stdlib.h> 44 #include <unistd.h> 45 #include <string.h> 46 #include <errno.h> 47 #include <stdio.h> 48 49 #include "ipsec_strerror.h" 50 #include "libpfkey.h" 51 52 #define CALLOC(size, cast) (cast)calloc(1, (size)) 53 54 static int findsupportedmap(int); 55 static int setsupportedmap(struct sadb_supported *); 56 static struct sadb_alg *findsupportedalg(u_int, u_int); 57 static int pfkey_send_x1(int, u_int, u_int, u_int, struct sockaddr *, 58 struct sockaddr *, u_int32_t, u_int32_t, u_int, caddr_t, 59 u_int, u_int, u_int, u_int, u_int, u_int32_t, u_int32_t, 60 u_int32_t, u_int32_t, u_int32_t); 61 static int pfkey_send_x2(int, u_int, u_int, u_int, 62 struct sockaddr *, struct sockaddr *, u_int32_t); 63 static int pfkey_send_x3(int, u_int, u_int); 64 static int pfkey_send_x4(int, u_int, struct sockaddr *, u_int, 65 struct sockaddr *, u_int, u_int, u_int64_t, u_int64_t, 66 char *, int, u_int32_t); 67 static int pfkey_send_x5(int, u_int, u_int32_t); 68 69 static caddr_t pfkey_setsadbmsg(caddr_t, caddr_t, u_int, u_int, 70 u_int, u_int32_t, pid_t); 71 static caddr_t pfkey_setsadbsa(caddr_t, caddr_t, u_int32_t, u_int, 72 u_int, u_int, u_int32_t); 73 static caddr_t pfkey_setsadbaddr(caddr_t, caddr_t, u_int, 74 struct sockaddr *, u_int, u_int); 75 static caddr_t pfkey_setsadbkey(caddr_t, caddr_t, u_int, caddr_t, u_int); 76 static caddr_t pfkey_setsadblifetime(caddr_t, caddr_t, u_int, u_int32_t, 77 u_int32_t, u_int32_t, u_int32_t); 78 static caddr_t pfkey_setsadbxsa2(caddr_t, caddr_t, u_int32_t, u_int32_t); 79 80 /* 81 * make and search supported algorithm structure. 82 */ 83 static struct sadb_supported *ipsec_supported[] = { NULL, NULL, NULL, }; 84 85 static int supported_map[] = { 86 SADB_SATYPE_AH, 87 SADB_SATYPE_ESP, 88 SADB_X_SATYPE_IPCOMP, 89 }; 90 91 static int 92 findsupportedmap(satype) 93 int satype; 94 { 95 int i; 96 97 for (i = 0; i < sizeof(supported_map)/sizeof(supported_map[0]); i++) 98 if (supported_map[i] == satype) 99 return i; 100 return -1; 101 } 102 103 static struct sadb_alg * 104 findsupportedalg(satype, alg_id) 105 u_int satype, alg_id; 106 { 107 int algno; 108 int tlen; 109 caddr_t p; 110 111 /* validity check */ 112 algno = findsupportedmap(satype); 113 if (algno == -1) { 114 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 115 return NULL; 116 } 117 if (ipsec_supported[algno] == NULL) { 118 __ipsec_errcode = EIPSEC_DO_GET_SUPP_LIST; 119 return NULL; 120 } 121 122 tlen = ipsec_supported[algno]->sadb_supported_len 123 - sizeof(struct sadb_supported); 124 p = (caddr_t)(ipsec_supported[algno] + 1); 125 while (tlen > 0) { 126 if (tlen < sizeof(struct sadb_alg)) { 127 /* invalid format */ 128 break; 129 } 130 if (((struct sadb_alg *)p)->sadb_alg_id == alg_id) 131 return (struct sadb_alg *)p; 132 133 tlen -= sizeof(struct sadb_alg); 134 p += sizeof(struct sadb_alg); 135 } 136 137 __ipsec_errcode = EIPSEC_NOT_SUPPORTED; 138 return NULL; 139 } 140 141 static int 142 setsupportedmap(sup) 143 struct sadb_supported *sup; 144 { 145 struct sadb_supported **ipsup; 146 147 switch (sup->sadb_supported_exttype) { 148 case SADB_EXT_SUPPORTED_AUTH: 149 ipsup = &ipsec_supported[findsupportedmap(SADB_SATYPE_AH)]; 150 break; 151 case SADB_EXT_SUPPORTED_ENCRYPT: 152 ipsup = &ipsec_supported[findsupportedmap(SADB_SATYPE_ESP)]; 153 break; 154 default: 155 __ipsec_errcode = EIPSEC_INVAL_SATYPE; 156 return -1; 157 } 158 159 if (*ipsup) 160 free(*ipsup); 161 162 *ipsup = malloc(sup->sadb_supported_len); 163 if (!*ipsup) { 164 __ipsec_set_strerror(strerror(errno)); 165 return -1; 166 } 167 memcpy(*ipsup, sup, sup->sadb_supported_len); 168 169 return 0; 170 } 171 172 /* 173 * check key length against algorithm specified. 174 * This function is called with SADB_EXT_SUPPORTED_{AUTH,ENCRYPT} as the 175 * augument, and only calls to ipsec_check_keylen2(); 176 * keylen is the unit of bit. 177 * OUT: 178 * -1: invalid. 179 * 0: valid. 180 */ 181 int 182 ipsec_check_keylen(supported, alg_id, keylen) 183 u_int supported; 184 u_int alg_id; 185 u_int keylen; 186 { 187 int satype; 188 189 /* validity check */ 190 switch (supported) { 191 case SADB_EXT_SUPPORTED_AUTH: 192 satype = SADB_SATYPE_AH; 193 break; 194 case SADB_EXT_SUPPORTED_ENCRYPT: 195 satype = SADB_SATYPE_ESP; 196 break; 197 default: 198 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 199 return -1; 200 } 201 202 return ipsec_check_keylen2(satype, alg_id, keylen); 203 } 204 205 /* 206 * check key length against algorithm specified. 207 * satype is one of satype defined at pfkeyv2.h. 208 * keylen is the unit of bit. 209 * OUT: 210 * -1: invalid. 211 * 0: valid. 212 */ 213 int 214 ipsec_check_keylen2(satype, alg_id, keylen) 215 u_int satype; 216 u_int alg_id; 217 u_int keylen; 218 { 219 struct sadb_alg *alg; 220 221 alg = findsupportedalg(satype, alg_id); 222 if (!alg) 223 return -1; 224 225 if (keylen < alg->sadb_alg_minbits || keylen > alg->sadb_alg_maxbits) { 226 __ipsec_errcode = EIPSEC_INVAL_KEYLEN; 227 return -1; 228 } 229 230 __ipsec_errcode = EIPSEC_NO_ERROR; 231 return 0; 232 } 233 234 /* 235 * get max/min key length against algorithm specified. 236 * satype is one of satype defined at pfkeyv2.h. 237 * keylen is the unit of bit. 238 * OUT: 239 * -1: invalid. 240 * 0: valid. 241 */ 242 int 243 ipsec_get_keylen(supported, alg_id, alg0) 244 u_int supported, alg_id; 245 struct sadb_alg *alg0; 246 { 247 struct sadb_alg *alg; 248 u_int satype; 249 250 /* validity check */ 251 if (!alg0) { 252 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 253 return -1; 254 } 255 256 switch (supported) { 257 case SADB_EXT_SUPPORTED_AUTH: 258 satype = SADB_SATYPE_AH; 259 break; 260 case SADB_EXT_SUPPORTED_ENCRYPT: 261 satype = SADB_SATYPE_ESP; 262 break; 263 default: 264 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 265 return -1; 266 } 267 268 alg = findsupportedalg(satype, alg_id); 269 if (!alg) 270 return -1; 271 272 memcpy(alg0, alg, sizeof(*alg0)); 273 274 __ipsec_errcode = EIPSEC_NO_ERROR; 275 return 0; 276 } 277 278 /* 279 * set the rate for SOFT lifetime against HARD one. 280 * If rate is more than 100 or equal to zero, then set to 100. 281 */ 282 static u_int soft_lifetime_allocations_rate = PFKEY_SOFT_LIFETIME_RATE; 283 static u_int soft_lifetime_bytes_rate = PFKEY_SOFT_LIFETIME_RATE; 284 static u_int soft_lifetime_addtime_rate = PFKEY_SOFT_LIFETIME_RATE; 285 static u_int soft_lifetime_usetime_rate = PFKEY_SOFT_LIFETIME_RATE; 286 287 u_int 288 pfkey_set_softrate(type, rate) 289 u_int type, rate; 290 { 291 __ipsec_errcode = EIPSEC_NO_ERROR; 292 293 if (rate > 100 || rate == 0) 294 rate = 100; 295 296 switch (type) { 297 case SADB_X_LIFETIME_ALLOCATIONS: 298 soft_lifetime_allocations_rate = rate; 299 return 0; 300 case SADB_X_LIFETIME_BYTES: 301 soft_lifetime_bytes_rate = rate; 302 return 0; 303 case SADB_X_LIFETIME_ADDTIME: 304 soft_lifetime_addtime_rate = rate; 305 return 0; 306 case SADB_X_LIFETIME_USETIME: 307 soft_lifetime_usetime_rate = rate; 308 return 0; 309 } 310 311 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 312 return 1; 313 } 314 315 /* 316 * get current rate for SOFT lifetime against HARD one. 317 * ATTENTION: ~0 is returned if invalid type was passed. 318 */ 319 u_int 320 pfkey_get_softrate(type) 321 u_int type; 322 { 323 switch (type) { 324 case SADB_X_LIFETIME_ALLOCATIONS: 325 return soft_lifetime_allocations_rate; 326 case SADB_X_LIFETIME_BYTES: 327 return soft_lifetime_bytes_rate; 328 case SADB_X_LIFETIME_ADDTIME: 329 return soft_lifetime_addtime_rate; 330 case SADB_X_LIFETIME_USETIME: 331 return soft_lifetime_usetime_rate; 332 } 333 334 return ~0; 335 } 336 337 /* 338 * sending SADB_GETSPI message to the kernel. 339 * OUT: 340 * positive: success and return length sent. 341 * -1 : error occured, and set errno. 342 */ 343 int 344 pfkey_send_getspi(so, satype, mode, src, dst, min, max, reqid, seq) 345 int so; 346 u_int satype, mode; 347 struct sockaddr *src, *dst; 348 u_int32_t min, max, reqid, seq; 349 { 350 struct sadb_msg *newmsg; 351 caddr_t ep; 352 int len; 353 int need_spirange = 0; 354 caddr_t p; 355 int plen; 356 357 /* validity check */ 358 if (src == NULL || dst == NULL) { 359 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 360 return -1; 361 } 362 if (src->sa_family != dst->sa_family) { 363 __ipsec_errcode = EIPSEC_FAMILY_MISMATCH; 364 return -1; 365 } 366 if (min > max || (min > 0 && min <= 255)) { 367 __ipsec_errcode = EIPSEC_INVAL_SPI; 368 return -1; 369 } 370 switch (src->sa_family) { 371 case AF_INET: 372 plen = sizeof(struct in_addr) << 3; 373 break; 374 case AF_INET6: 375 plen = sizeof(struct in6_addr) << 3; 376 break; 377 default: 378 __ipsec_errcode = EIPSEC_INVAL_FAMILY; 379 return -1; 380 } 381 382 /* create new sadb_msg to send. */ 383 len = sizeof(struct sadb_msg) 384 + sizeof(struct sadb_x_sa2) 385 + sizeof(struct sadb_address) 386 + PFKEY_ALIGN8(src->sa_len) 387 + sizeof(struct sadb_address) 388 + PFKEY_ALIGN8(dst->sa_len); 389 390 if (min > 255 && max < ~0) { 391 need_spirange++; 392 len += sizeof(struct sadb_spirange); 393 } 394 395 if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) { 396 __ipsec_set_strerror(strerror(errno)); 397 return -1; 398 } 399 ep = ((caddr_t)newmsg) + len; 400 401 p = pfkey_setsadbmsg((caddr_t)newmsg, ep, SADB_GETSPI, 402 len, satype, seq, getpid()); 403 if (!p) { 404 free(newmsg); 405 return -1; 406 } 407 408 p = pfkey_setsadbxsa2(p, ep, mode, reqid); 409 if (!p) { 410 free(newmsg); 411 return -1; 412 } 413 414 /* set sadb_address for source */ 415 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, plen, 416 IPSEC_ULPROTO_ANY); 417 if (!p) { 418 free(newmsg); 419 return -1; 420 } 421 422 /* set sadb_address for destination */ 423 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, plen, 424 IPSEC_ULPROTO_ANY); 425 if (!p) { 426 free(newmsg); 427 return -1; 428 } 429 430 /* proccessing spi range */ 431 if (need_spirange) { 432 struct sadb_spirange spirange; 433 434 if (p + sizeof(spirange) > ep) { 435 free(newmsg); 436 return -1; 437 } 438 439 memset(&spirange, 0, sizeof(spirange)); 440 spirange.sadb_spirange_len = PFKEY_UNIT64(sizeof(spirange)); 441 spirange.sadb_spirange_exttype = SADB_EXT_SPIRANGE; 442 spirange.sadb_spirange_min = min; 443 spirange.sadb_spirange_max = max; 444 445 memcpy(p, &spirange, sizeof(spirange)); 446 447 p += sizeof(spirange); 448 } 449 if (p != ep) { 450 free(newmsg); 451 return -1; 452 } 453 454 /* send message */ 455 len = pfkey_send(so, newmsg, len); 456 free(newmsg); 457 458 if (len < 0) 459 return -1; 460 461 __ipsec_errcode = EIPSEC_NO_ERROR; 462 return len; 463 } 464 465 /* 466 * sending SADB_UPDATE message to the kernel. 467 * The length of key material is a_keylen + e_keylen. 468 * OUT: 469 * positive: success and return length sent. 470 * -1 : error occured, and set errno. 471 */ 472 int 473 pfkey_send_update(so, satype, mode, src, dst, spi, reqid, wsize, 474 keymat, e_type, e_keylen, a_type, a_keylen, flags, 475 l_alloc, l_bytes, l_addtime, l_usetime, seq) 476 int so; 477 u_int satype, mode, wsize; 478 struct sockaddr *src, *dst; 479 u_int32_t spi, reqid; 480 caddr_t keymat; 481 u_int e_type, e_keylen, a_type, a_keylen, flags; 482 u_int32_t l_alloc; 483 u_int64_t l_bytes, l_addtime, l_usetime; 484 u_int32_t seq; 485 { 486 int len; 487 if ((len = pfkey_send_x1(so, SADB_UPDATE, satype, mode, src, dst, spi, 488 reqid, wsize, 489 keymat, e_type, e_keylen, a_type, a_keylen, flags, 490 l_alloc, l_bytes, l_addtime, l_usetime, seq)) < 0) 491 return -1; 492 493 return len; 494 } 495 496 /* 497 * sending SADB_ADD message to the kernel. 498 * The length of key material is a_keylen + e_keylen. 499 * OUT: 500 * positive: success and return length sent. 501 * -1 : error occured, and set errno. 502 */ 503 int 504 pfkey_send_add(so, satype, mode, src, dst, spi, reqid, wsize, 505 keymat, e_type, e_keylen, a_type, a_keylen, flags, 506 l_alloc, l_bytes, l_addtime, l_usetime, seq) 507 int so; 508 u_int satype, mode, wsize; 509 struct sockaddr *src, *dst; 510 u_int32_t spi, reqid; 511 caddr_t keymat; 512 u_int e_type, e_keylen, a_type, a_keylen, flags; 513 u_int32_t l_alloc; 514 u_int64_t l_bytes, l_addtime, l_usetime; 515 u_int32_t seq; 516 { 517 int len; 518 if ((len = pfkey_send_x1(so, SADB_ADD, satype, mode, src, dst, spi, 519 reqid, wsize, 520 keymat, e_type, e_keylen, a_type, a_keylen, flags, 521 l_alloc, l_bytes, l_addtime, l_usetime, seq)) < 0) 522 return -1; 523 524 return len; 525 } 526 527 /* 528 * sending SADB_DELETE message to the kernel. 529 * OUT: 530 * positive: success and return length sent. 531 * -1 : error occured, and set errno. 532 */ 533 int 534 pfkey_send_delete(so, satype, mode, src, dst, spi) 535 int so; 536 u_int satype, mode; 537 struct sockaddr *src, *dst; 538 u_int32_t spi; 539 { 540 int len; 541 if ((len = pfkey_send_x2(so, SADB_DELETE, satype, mode, src, dst, spi)) < 0) 542 return -1; 543 544 return len; 545 } 546 547 /* 548 * sending SADB_DELETE without spi to the kernel. This is 549 * the "delete all" request (an extension also present in 550 * Solaris). 551 * 552 * OUT: 553 * positive: success and return length sent 554 * -1 : error occured, and set errno 555 */ 556 int 557 pfkey_send_delete_all(so, satype, mode, src, dst) 558 int so; 559 u_int satype, mode; 560 struct sockaddr *src, *dst; 561 { 562 struct sadb_msg *newmsg; 563 int len; 564 caddr_t p; 565 int plen; 566 caddr_t ep; 567 568 /* validity check */ 569 if (src == NULL || dst == NULL) { 570 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 571 return -1; 572 } 573 if (src->sa_family != dst->sa_family) { 574 __ipsec_errcode = EIPSEC_FAMILY_MISMATCH; 575 return -1; 576 } 577 switch (src->sa_family) { 578 case AF_INET: 579 plen = sizeof(struct in_addr) << 3; 580 break; 581 case AF_INET6: 582 plen = sizeof(struct in6_addr) << 3; 583 break; 584 default: 585 __ipsec_errcode = EIPSEC_INVAL_FAMILY; 586 return -1; 587 } 588 589 /* create new sadb_msg to reply. */ 590 len = sizeof(struct sadb_msg) 591 + sizeof(struct sadb_address) 592 + PFKEY_ALIGN8(src->sa_len) 593 + sizeof(struct sadb_address) 594 + PFKEY_ALIGN8(dst->sa_len); 595 596 if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) { 597 __ipsec_set_strerror(strerror(errno)); 598 return -1; 599 } 600 ep = ((caddr_t)newmsg) + len; 601 602 p = pfkey_setsadbmsg((caddr_t)newmsg, ep, SADB_DELETE, len, satype, 0, 603 getpid()); 604 if (!p) { 605 free(newmsg); 606 return -1; 607 } 608 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, plen, 609 IPSEC_ULPROTO_ANY); 610 if (!p) { 611 free(newmsg); 612 return -1; 613 } 614 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, plen, 615 IPSEC_ULPROTO_ANY); 616 if (!p || p != ep) { 617 free(newmsg); 618 return -1; 619 } 620 621 /* send message */ 622 len = pfkey_send(so, newmsg, len); 623 free(newmsg); 624 625 if (len < 0) 626 return -1; 627 628 __ipsec_errcode = EIPSEC_NO_ERROR; 629 return len; 630 } 631 632 /* 633 * sending SADB_GET message to the kernel. 634 * OUT: 635 * positive: success and return length sent. 636 * -1 : error occured, and set errno. 637 */ 638 int 639 pfkey_send_get(so, satype, mode, src, dst, spi) 640 int so; 641 u_int satype, mode; 642 struct sockaddr *src, *dst; 643 u_int32_t spi; 644 { 645 int len; 646 if ((len = pfkey_send_x2(so, SADB_GET, satype, mode, src, dst, spi)) < 0) 647 return -1; 648 649 return len; 650 } 651 652 /* 653 * sending SADB_REGISTER message to the kernel. 654 * OUT: 655 * positive: success and return length sent. 656 * -1 : error occured, and set errno. 657 */ 658 int 659 pfkey_send_register(so, satype) 660 int so; 661 u_int satype; 662 { 663 int len, algno; 664 665 if (satype == PF_UNSPEC) { 666 for (algno = 0; 667 algno < sizeof(supported_map)/sizeof(supported_map[0]); 668 algno++) { 669 if (ipsec_supported[algno]) { 670 free(ipsec_supported[algno]); 671 ipsec_supported[algno] = NULL; 672 } 673 } 674 } else { 675 algno = findsupportedmap(satype); 676 if (algno == -1) { 677 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 678 return -1; 679 } 680 681 if (ipsec_supported[algno]) { 682 free(ipsec_supported[algno]); 683 ipsec_supported[algno] = NULL; 684 } 685 } 686 687 if ((len = pfkey_send_x3(so, SADB_REGISTER, satype)) < 0) 688 return -1; 689 690 return len; 691 } 692 693 /* 694 * receiving SADB_REGISTER message from the kernel, and copy buffer for 695 * sadb_supported returned into ipsec_supported. 696 * OUT: 697 * 0: success and return length sent. 698 * -1: error occured, and set errno. 699 */ 700 int 701 pfkey_recv_register(so) 702 int so; 703 { 704 pid_t pid = getpid(); 705 struct sadb_msg *newmsg; 706 int error = -1; 707 708 /* receive message */ 709 do { 710 if ((newmsg = pfkey_recv(so)) == NULL) 711 return -1; 712 } while (newmsg->sadb_msg_type != SADB_REGISTER 713 || newmsg->sadb_msg_pid != pid); 714 715 /* check and fix */ 716 newmsg->sadb_msg_len = PFKEY_UNUNIT64(newmsg->sadb_msg_len); 717 718 error = pfkey_set_supported(newmsg, newmsg->sadb_msg_len); 719 free(newmsg); 720 721 if (error == 0) 722 __ipsec_errcode = EIPSEC_NO_ERROR; 723 724 return error; 725 } 726 727 /* 728 * receiving SADB_REGISTER message from the kernel, and copy buffer for 729 * sadb_supported returned into ipsec_supported. 730 * NOTE: sadb_msg_len must be host order. 731 * IN: 732 * tlen: msg length, it's to makeing sure. 733 * OUT: 734 * 0: success and return length sent. 735 * -1: error occured, and set errno. 736 */ 737 int 738 pfkey_set_supported(msg, tlen) 739 struct sadb_msg *msg; 740 int tlen; 741 { 742 struct sadb_supported *sup; 743 caddr_t p; 744 caddr_t ep; 745 746 /* validity */ 747 if (msg->sadb_msg_len != tlen) { 748 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 749 return -1; 750 } 751 752 p = (caddr_t)msg; 753 ep = p + tlen; 754 755 p += sizeof(struct sadb_msg); 756 757 while (p < ep) { 758 sup = (struct sadb_supported *)p; 759 if (ep < p + sizeof(*sup) || 760 PFKEY_EXTLEN(sup) < sizeof(*sup) || 761 ep < p + sup->sadb_supported_len) { 762 /* invalid format */ 763 break; 764 } 765 766 switch (sup->sadb_supported_exttype) { 767 case SADB_EXT_SUPPORTED_AUTH: 768 case SADB_EXT_SUPPORTED_ENCRYPT: 769 break; 770 default: 771 __ipsec_errcode = EIPSEC_INVAL_SATYPE; 772 return -1; 773 } 774 775 /* fixed length */ 776 sup->sadb_supported_len = PFKEY_EXTLEN(sup); 777 778 /* set supported map */ 779 if (setsupportedmap(sup) != 0) 780 return -1; 781 782 p += sup->sadb_supported_len; 783 } 784 785 if (p != ep) { 786 __ipsec_errcode = EIPSEC_INVAL_SATYPE; 787 return -1; 788 } 789 790 __ipsec_errcode = EIPSEC_NO_ERROR; 791 792 return 0; 793 } 794 795 /* 796 * sending SADB_FLUSH message to the kernel. 797 * OUT: 798 * positive: success and return length sent. 799 * -1 : error occured, and set errno. 800 */ 801 int 802 pfkey_send_flush(so, satype) 803 int so; 804 u_int satype; 805 { 806 int len; 807 808 if ((len = pfkey_send_x3(so, SADB_FLUSH, satype)) < 0) 809 return -1; 810 811 return len; 812 } 813 814 /* 815 * sending SADB_DUMP message to the kernel. 816 * OUT: 817 * positive: success and return length sent. 818 * -1 : error occured, and set errno. 819 */ 820 int 821 pfkey_send_dump(so, satype) 822 int so; 823 u_int satype; 824 { 825 int len; 826 827 if ((len = pfkey_send_x3(so, SADB_DUMP, satype)) < 0) 828 return -1; 829 830 return len; 831 } 832 833 /* 834 * sending SADB_X_PROMISC message to the kernel. 835 * NOTE that this function handles promisc mode toggle only. 836 * IN: 837 * flag: set promisc off if zero, set promisc on if non-zero. 838 * OUT: 839 * positive: success and return length sent. 840 * -1 : error occured, and set errno. 841 * 0 : error occured, and set errno. 842 * others: a pointer to new allocated buffer in which supported 843 * algorithms is. 844 */ 845 int 846 pfkey_send_promisc_toggle(so, flag) 847 int so; 848 int flag; 849 { 850 int len; 851 852 if ((len = pfkey_send_x3(so, SADB_X_PROMISC, (flag ? 1 : 0))) < 0) 853 return -1; 854 855 return len; 856 } 857 858 /* 859 * sending SADB_X_SPDADD message to the kernel. 860 * OUT: 861 * positive: success and return length sent. 862 * -1 : error occured, and set errno. 863 */ 864 int 865 pfkey_send_spdadd(so, src, prefs, dst, prefd, proto, policy, policylen, seq) 866 int so; 867 struct sockaddr *src, *dst; 868 u_int prefs, prefd, proto; 869 caddr_t policy; 870 int policylen; 871 u_int32_t seq; 872 { 873 int len; 874 875 if ((len = pfkey_send_x4(so, SADB_X_SPDADD, 876 src, prefs, dst, prefd, proto, 877 0, 0, 878 policy, policylen, seq)) < 0) 879 return -1; 880 881 return len; 882 } 883 884 /* 885 * sending SADB_X_SPDADD message to the kernel. 886 * OUT: 887 * positive: success and return length sent. 888 * -1 : error occured, and set errno. 889 */ 890 int 891 pfkey_send_spdadd2(so, src, prefs, dst, prefd, proto, ltime, vtime, 892 policy, policylen, seq) 893 int so; 894 struct sockaddr *src, *dst; 895 u_int prefs, prefd, proto; 896 u_int64_t ltime, vtime; 897 caddr_t policy; 898 int policylen; 899 u_int32_t seq; 900 { 901 int len; 902 903 if ((len = pfkey_send_x4(so, SADB_X_SPDADD, 904 src, prefs, dst, prefd, proto, 905 ltime, vtime, 906 policy, policylen, seq)) < 0) 907 return -1; 908 909 return len; 910 } 911 912 /* 913 * sending SADB_X_SPDUPDATE message to the kernel. 914 * OUT: 915 * positive: success and return length sent. 916 * -1 : error occured, and set errno. 917 */ 918 int 919 pfkey_send_spdupdate(so, src, prefs, dst, prefd, proto, policy, policylen, seq) 920 int so; 921 struct sockaddr *src, *dst; 922 u_int prefs, prefd, proto; 923 caddr_t policy; 924 int policylen; 925 u_int32_t seq; 926 { 927 int len; 928 929 if ((len = pfkey_send_x4(so, SADB_X_SPDUPDATE, 930 src, prefs, dst, prefd, proto, 931 0, 0, 932 policy, policylen, seq)) < 0) 933 return -1; 934 935 return len; 936 } 937 938 /* 939 * sending SADB_X_SPDUPDATE message to the kernel. 940 * OUT: 941 * positive: success and return length sent. 942 * -1 : error occured, and set errno. 943 */ 944 int 945 pfkey_send_spdupdate2(so, src, prefs, dst, prefd, proto, ltime, vtime, 946 policy, policylen, seq) 947 int so; 948 struct sockaddr *src, *dst; 949 u_int prefs, prefd, proto; 950 u_int64_t ltime, vtime; 951 caddr_t policy; 952 int policylen; 953 u_int32_t seq; 954 { 955 int len; 956 957 if ((len = pfkey_send_x4(so, SADB_X_SPDUPDATE, 958 src, prefs, dst, prefd, proto, 959 ltime, vtime, 960 policy, policylen, seq)) < 0) 961 return -1; 962 963 return len; 964 } 965 966 /* 967 * sending SADB_X_SPDDELETE message to the kernel. 968 * OUT: 969 * positive: success and return length sent. 970 * -1 : error occured, and set errno. 971 */ 972 int 973 pfkey_send_spddelete(so, src, prefs, dst, prefd, proto, policy, policylen, seq) 974 int so; 975 struct sockaddr *src, *dst; 976 u_int prefs, prefd, proto; 977 caddr_t policy; 978 int policylen; 979 u_int32_t seq; 980 { 981 int len; 982 983 if (policylen != sizeof(struct sadb_x_policy)) { 984 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 985 return -1; 986 } 987 988 if ((len = pfkey_send_x4(so, SADB_X_SPDDELETE, 989 src, prefs, dst, prefd, proto, 990 0, 0, 991 policy, policylen, seq)) < 0) 992 return -1; 993 994 return len; 995 } 996 997 /* 998 * sending SADB_X_SPDDELETE message to the kernel. 999 * OUT: 1000 * positive: success and return length sent. 1001 * -1 : error occured, and set errno. 1002 */ 1003 int 1004 pfkey_send_spddelete2(so, spid) 1005 int so; 1006 u_int32_t spid; 1007 { 1008 int len; 1009 1010 if ((len = pfkey_send_x5(so, SADB_X_SPDDELETE2, spid)) < 0) 1011 return -1; 1012 1013 return len; 1014 } 1015 1016 /* 1017 * sending SADB_X_SPDGET message to the kernel. 1018 * OUT: 1019 * positive: success and return length sent. 1020 * -1 : error occured, and set errno. 1021 */ 1022 int 1023 pfkey_send_spdget(so, spid) 1024 int so; 1025 u_int32_t spid; 1026 { 1027 int len; 1028 1029 if ((len = pfkey_send_x5(so, SADB_X_SPDGET, spid)) < 0) 1030 return -1; 1031 1032 return len; 1033 } 1034 1035 /* 1036 * sending SADB_X_SPDSETIDX message to the kernel. 1037 * OUT: 1038 * positive: success and return length sent. 1039 * -1 : error occured, and set errno. 1040 */ 1041 int 1042 pfkey_send_spdsetidx(so, src, prefs, dst, prefd, proto, policy, policylen, seq) 1043 int so; 1044 struct sockaddr *src, *dst; 1045 u_int prefs, prefd, proto; 1046 caddr_t policy; 1047 int policylen; 1048 u_int32_t seq; 1049 { 1050 int len; 1051 1052 if (policylen != sizeof(struct sadb_x_policy)) { 1053 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 1054 return -1; 1055 } 1056 1057 if ((len = pfkey_send_x4(so, SADB_X_SPDSETIDX, 1058 src, prefs, dst, prefd, proto, 1059 0, 0, 1060 policy, policylen, seq)) < 0) 1061 return -1; 1062 1063 return len; 1064 } 1065 1066 /* 1067 * sending SADB_SPDFLUSH message to the kernel. 1068 * OUT: 1069 * positive: success and return length sent. 1070 * -1 : error occured, and set errno. 1071 */ 1072 int 1073 pfkey_send_spdflush(so) 1074 int so; 1075 { 1076 int len; 1077 1078 if ((len = pfkey_send_x3(so, SADB_X_SPDFLUSH, SADB_SATYPE_UNSPEC)) < 0) 1079 return -1; 1080 1081 return len; 1082 } 1083 1084 /* 1085 * sending SADB_SPDDUMP message to the kernel. 1086 * OUT: 1087 * positive: success and return length sent. 1088 * -1 : error occured, and set errno. 1089 */ 1090 int 1091 pfkey_send_spddump(so) 1092 int so; 1093 { 1094 int len; 1095 1096 if ((len = pfkey_send_x3(so, SADB_X_SPDDUMP, SADB_SATYPE_UNSPEC)) < 0) 1097 return -1; 1098 1099 return len; 1100 } 1101 1102 /* sending SADB_ADD or SADB_UPDATE message to the kernel */ 1103 static int 1104 pfkey_send_x1(so, type, satype, mode, src, dst, spi, reqid, wsize, 1105 keymat, e_type, e_keylen, a_type, a_keylen, flags, 1106 l_alloc, l_bytes, l_addtime, l_usetime, seq) 1107 int so; 1108 u_int type, satype, mode; 1109 struct sockaddr *src, *dst; 1110 u_int32_t spi, reqid; 1111 u_int wsize; 1112 caddr_t keymat; 1113 u_int e_type, e_keylen, a_type, a_keylen, flags; 1114 u_int32_t l_alloc, l_bytes, l_addtime, l_usetime, seq; 1115 { 1116 struct sadb_msg *newmsg; 1117 int len; 1118 caddr_t p; 1119 int plen; 1120 caddr_t ep; 1121 1122 /* validity check */ 1123 if (src == NULL || dst == NULL) { 1124 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 1125 return -1; 1126 } 1127 if (src->sa_family != dst->sa_family) { 1128 __ipsec_errcode = EIPSEC_FAMILY_MISMATCH; 1129 return -1; 1130 } 1131 switch (src->sa_family) { 1132 case AF_INET: 1133 plen = sizeof(struct in_addr) << 3; 1134 break; 1135 case AF_INET6: 1136 plen = sizeof(struct in6_addr) << 3; 1137 break; 1138 default: 1139 __ipsec_errcode = EIPSEC_INVAL_FAMILY; 1140 return -1; 1141 } 1142 1143 switch (satype) { 1144 case SADB_SATYPE_ESP: 1145 if (e_type == SADB_EALG_NONE) { 1146 __ipsec_errcode = EIPSEC_NO_ALGS; 1147 return -1; 1148 } 1149 break; 1150 case SADB_SATYPE_AH: 1151 if (e_type != SADB_EALG_NONE) { 1152 __ipsec_errcode = EIPSEC_INVAL_ALGS; 1153 return -1; 1154 } 1155 if (a_type == SADB_AALG_NONE) { 1156 __ipsec_errcode = EIPSEC_NO_ALGS; 1157 return -1; 1158 } 1159 break; 1160 case SADB_X_SATYPE_IPCOMP: 1161 if (e_type == SADB_X_CALG_NONE) { 1162 __ipsec_errcode = EIPSEC_INVAL_ALGS; 1163 return -1; 1164 } 1165 if (a_type != SADB_AALG_NONE) { 1166 __ipsec_errcode = EIPSEC_NO_ALGS; 1167 return -1; 1168 } 1169 break; 1170 default: 1171 __ipsec_errcode = EIPSEC_INVAL_SATYPE; 1172 return -1; 1173 } 1174 1175 /* create new sadb_msg to reply. */ 1176 len = sizeof(struct sadb_msg) 1177 + sizeof(struct sadb_sa) 1178 + sizeof(struct sadb_x_sa2) 1179 + sizeof(struct sadb_address) 1180 + PFKEY_ALIGN8(src->sa_len) 1181 + sizeof(struct sadb_address) 1182 + PFKEY_ALIGN8(dst->sa_len) 1183 + sizeof(struct sadb_lifetime) 1184 + sizeof(struct sadb_lifetime); 1185 1186 if (e_type != SADB_EALG_NONE) 1187 len += (sizeof(struct sadb_key) + PFKEY_ALIGN8(e_keylen)); 1188 if (a_type != SADB_AALG_NONE) 1189 len += (sizeof(struct sadb_key) + PFKEY_ALIGN8(a_keylen)); 1190 1191 if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) { 1192 __ipsec_set_strerror(strerror(errno)); 1193 return -1; 1194 } 1195 ep = ((caddr_t)newmsg) + len; 1196 1197 p = pfkey_setsadbmsg((caddr_t)newmsg, ep, type, len, 1198 satype, seq, getpid()); 1199 if (!p) { 1200 free(newmsg); 1201 return -1; 1202 } 1203 p = pfkey_setsadbsa(p, ep, spi, wsize, a_type, e_type, flags); 1204 if (!p) { 1205 free(newmsg); 1206 return -1; 1207 } 1208 p = pfkey_setsadbxsa2(p, ep, mode, reqid); 1209 if (!p) { 1210 free(newmsg); 1211 return -1; 1212 } 1213 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, plen, 1214 IPSEC_ULPROTO_ANY); 1215 if (!p) { 1216 free(newmsg); 1217 return -1; 1218 } 1219 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, plen, 1220 IPSEC_ULPROTO_ANY); 1221 if (!p) { 1222 free(newmsg); 1223 return -1; 1224 } 1225 1226 if (e_type != SADB_EALG_NONE) { 1227 p = pfkey_setsadbkey(p, ep, SADB_EXT_KEY_ENCRYPT, 1228 keymat, e_keylen); 1229 if (!p) { 1230 free(newmsg); 1231 return -1; 1232 } 1233 } 1234 if (a_type != SADB_AALG_NONE) { 1235 p = pfkey_setsadbkey(p, ep, SADB_EXT_KEY_AUTH, 1236 keymat + e_keylen, a_keylen); 1237 if (!p) { 1238 free(newmsg); 1239 return -1; 1240 } 1241 } 1242 1243 /* set sadb_lifetime for destination */ 1244 p = pfkey_setsadblifetime(p, ep, SADB_EXT_LIFETIME_HARD, 1245 l_alloc, l_bytes, l_addtime, l_usetime); 1246 if (!p) { 1247 free(newmsg); 1248 return -1; 1249 } 1250 p = pfkey_setsadblifetime(p, ep, SADB_EXT_LIFETIME_SOFT, 1251 l_alloc, l_bytes, l_addtime, l_usetime); 1252 if (!p || p != ep) { 1253 free(newmsg); 1254 return -1; 1255 } 1256 1257 /* send message */ 1258 len = pfkey_send(so, newmsg, len); 1259 free(newmsg); 1260 1261 if (len < 0) 1262 return -1; 1263 1264 __ipsec_errcode = EIPSEC_NO_ERROR; 1265 return len; 1266 } 1267 1268 /* sending SADB_DELETE or SADB_GET message to the kernel */ 1269 static int 1270 pfkey_send_x2(so, type, satype, mode, src, dst, spi) 1271 int so; 1272 u_int type, satype, mode; 1273 struct sockaddr *src, *dst; 1274 u_int32_t spi; 1275 { 1276 struct sadb_msg *newmsg; 1277 int len; 1278 caddr_t p; 1279 int plen; 1280 caddr_t ep; 1281 1282 /* validity check */ 1283 if (src == NULL || dst == NULL) { 1284 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 1285 return -1; 1286 } 1287 if (src->sa_family != dst->sa_family) { 1288 __ipsec_errcode = EIPSEC_FAMILY_MISMATCH; 1289 return -1; 1290 } 1291 switch (src->sa_family) { 1292 case AF_INET: 1293 plen = sizeof(struct in_addr) << 3; 1294 break; 1295 case AF_INET6: 1296 plen = sizeof(struct in6_addr) << 3; 1297 break; 1298 default: 1299 __ipsec_errcode = EIPSEC_INVAL_FAMILY; 1300 return -1; 1301 } 1302 1303 /* create new sadb_msg to reply. */ 1304 len = sizeof(struct sadb_msg) 1305 + sizeof(struct sadb_sa) 1306 + sizeof(struct sadb_address) 1307 + PFKEY_ALIGN8(src->sa_len) 1308 + sizeof(struct sadb_address) 1309 + PFKEY_ALIGN8(dst->sa_len); 1310 1311 if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) { 1312 __ipsec_set_strerror(strerror(errno)); 1313 return -1; 1314 } 1315 ep = ((caddr_t)newmsg) + len; 1316 1317 p = pfkey_setsadbmsg((caddr_t)newmsg, ep, type, len, satype, 0, 1318 getpid()); 1319 if (!p) { 1320 free(newmsg); 1321 return -1; 1322 } 1323 p = pfkey_setsadbsa(p, ep, spi, 0, 0, 0, 0); 1324 if (!p) { 1325 free(newmsg); 1326 return -1; 1327 } 1328 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, plen, 1329 IPSEC_ULPROTO_ANY); 1330 if (!p) { 1331 free(newmsg); 1332 return -1; 1333 } 1334 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, plen, 1335 IPSEC_ULPROTO_ANY); 1336 if (!p || p != ep) { 1337 free(newmsg); 1338 return -1; 1339 } 1340 1341 /* send message */ 1342 len = pfkey_send(so, newmsg, len); 1343 free(newmsg); 1344 1345 if (len < 0) 1346 return -1; 1347 1348 __ipsec_errcode = EIPSEC_NO_ERROR; 1349 return len; 1350 } 1351 1352 /* 1353 * sending SADB_REGISTER, SADB_FLUSH, SADB_DUMP or SADB_X_PROMISC message 1354 * to the kernel 1355 */ 1356 static int 1357 pfkey_send_x3(so, type, satype) 1358 int so; 1359 u_int type, satype; 1360 { 1361 struct sadb_msg *newmsg; 1362 int len; 1363 caddr_t p; 1364 caddr_t ep; 1365 1366 /* validity check */ 1367 switch (type) { 1368 case SADB_X_PROMISC: 1369 if (satype != 0 && satype != 1) { 1370 __ipsec_errcode = EIPSEC_INVAL_SATYPE; 1371 return -1; 1372 } 1373 break; 1374 default: 1375 switch (satype) { 1376 case SADB_SATYPE_UNSPEC: 1377 case SADB_SATYPE_AH: 1378 case SADB_SATYPE_ESP: 1379 case SADB_X_SATYPE_IPCOMP: 1380 break; 1381 default: 1382 __ipsec_errcode = EIPSEC_INVAL_SATYPE; 1383 return -1; 1384 } 1385 } 1386 1387 /* create new sadb_msg to send. */ 1388 len = sizeof(struct sadb_msg); 1389 1390 if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) { 1391 __ipsec_set_strerror(strerror(errno)); 1392 return -1; 1393 } 1394 ep = ((caddr_t)newmsg) + len; 1395 1396 p = pfkey_setsadbmsg((caddr_t)newmsg, ep, type, len, satype, 0, 1397 getpid()); 1398 if (!p || p != ep) { 1399 free(newmsg); 1400 return -1; 1401 } 1402 1403 /* send message */ 1404 len = pfkey_send(so, newmsg, len); 1405 free(newmsg); 1406 1407 if (len < 0) 1408 return -1; 1409 1410 __ipsec_errcode = EIPSEC_NO_ERROR; 1411 return len; 1412 } 1413 1414 /* sending SADB_X_SPDADD message to the kernel */ 1415 static int 1416 pfkey_send_x4(so, type, src, prefs, dst, prefd, proto, 1417 ltime, vtime, policy, policylen, seq) 1418 int so; 1419 struct sockaddr *src, *dst; 1420 u_int type, prefs, prefd, proto; 1421 u_int64_t ltime, vtime; 1422 char *policy; 1423 int policylen; 1424 u_int32_t seq; 1425 { 1426 struct sadb_msg *newmsg; 1427 int len; 1428 caddr_t p; 1429 int plen; 1430 caddr_t ep; 1431 1432 /* validity check */ 1433 if (src == NULL || dst == NULL) { 1434 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 1435 return -1; 1436 } 1437 if (src->sa_family != dst->sa_family) { 1438 __ipsec_errcode = EIPSEC_FAMILY_MISMATCH; 1439 return -1; 1440 } 1441 1442 switch (src->sa_family) { 1443 case AF_INET: 1444 plen = sizeof(struct in_addr) << 3; 1445 break; 1446 case AF_INET6: 1447 plen = sizeof(struct in6_addr) << 3; 1448 break; 1449 default: 1450 __ipsec_errcode = EIPSEC_INVAL_FAMILY; 1451 return -1; 1452 } 1453 if (prefs > plen || prefd > plen) { 1454 __ipsec_errcode = EIPSEC_INVAL_PREFIXLEN; 1455 return -1; 1456 } 1457 1458 /* create new sadb_msg to reply. */ 1459 len = sizeof(struct sadb_msg) 1460 + sizeof(struct sadb_address) 1461 + PFKEY_ALIGN8(src->sa_len) 1462 + sizeof(struct sadb_address) 1463 + PFKEY_ALIGN8(src->sa_len) 1464 + sizeof(struct sadb_lifetime) 1465 + policylen; 1466 1467 if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) { 1468 __ipsec_set_strerror(strerror(errno)); 1469 return -1; 1470 } 1471 ep = ((caddr_t)newmsg) + len; 1472 1473 p = pfkey_setsadbmsg((caddr_t)newmsg, ep, type, len, 1474 SADB_SATYPE_UNSPEC, seq, getpid()); 1475 if (!p) { 1476 free(newmsg); 1477 return -1; 1478 } 1479 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, prefs, proto); 1480 if (!p) { 1481 free(newmsg); 1482 return -1; 1483 } 1484 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, prefd, proto); 1485 if (!p) { 1486 free(newmsg); 1487 return -1; 1488 } 1489 p = pfkey_setsadblifetime(p, ep, SADB_EXT_LIFETIME_HARD, 1490 0, 0, ltime, vtime); 1491 if (!p || p + policylen != ep) { 1492 free(newmsg); 1493 return -1; 1494 } 1495 memcpy(p, policy, policylen); 1496 1497 /* send message */ 1498 len = pfkey_send(so, newmsg, len); 1499 free(newmsg); 1500 1501 if (len < 0) 1502 return -1; 1503 1504 __ipsec_errcode = EIPSEC_NO_ERROR; 1505 return len; 1506 } 1507 1508 /* sending SADB_X_SPDGET or SADB_X_SPDDELETE message to the kernel */ 1509 static int 1510 pfkey_send_x5(so, type, spid) 1511 int so; 1512 u_int type; 1513 u_int32_t spid; 1514 { 1515 struct sadb_msg *newmsg; 1516 struct sadb_x_policy xpl; 1517 int len; 1518 caddr_t p; 1519 caddr_t ep; 1520 1521 /* create new sadb_msg to reply. */ 1522 len = sizeof(struct sadb_msg) 1523 + sizeof(xpl); 1524 1525 if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) { 1526 __ipsec_set_strerror(strerror(errno)); 1527 return -1; 1528 } 1529 ep = ((caddr_t)newmsg) + len; 1530 1531 p = pfkey_setsadbmsg((caddr_t)newmsg, ep, type, len, 1532 SADB_SATYPE_UNSPEC, 0, getpid()); 1533 if (!p) { 1534 free(newmsg); 1535 return -1; 1536 } 1537 1538 if (p + sizeof(xpl) != ep) { 1539 free(newmsg); 1540 return -1; 1541 } 1542 memset(&xpl, 0, sizeof(xpl)); 1543 xpl.sadb_x_policy_len = PFKEY_UNUNIT64(sizeof(xpl)); 1544 xpl.sadb_x_policy_exttype = SADB_X_EXT_POLICY; 1545 xpl.sadb_x_policy_id = spid; 1546 memcpy(p, &xpl, sizeof(xpl)); 1547 1548 /* send message */ 1549 len = pfkey_send(so, newmsg, len); 1550 free(newmsg); 1551 1552 if (len < 0) 1553 return -1; 1554 1555 __ipsec_errcode = EIPSEC_NO_ERROR; 1556 return len; 1557 } 1558 1559 /* 1560 * open a socket. 1561 * OUT: 1562 * -1: fail. 1563 * others : success and return value of socket. 1564 */ 1565 int 1566 pfkey_open() 1567 { 1568 int so; 1569 const int bufsiz = 128 * 1024; /*is 128K enough?*/ 1570 1571 if ((so = socket(PF_KEY, SOCK_RAW, PF_KEY_V2)) < 0) { 1572 __ipsec_set_strerror(strerror(errno)); 1573 return -1; 1574 } 1575 1576 /* 1577 * This is a temporary workaround for KAME PR 154. 1578 * Don't really care even if it fails. 1579 */ 1580 (void)setsockopt(so, SOL_SOCKET, SO_SNDBUF, &bufsiz, sizeof(bufsiz)); 1581 (void)setsockopt(so, SOL_SOCKET, SO_RCVBUF, &bufsiz, sizeof(bufsiz)); 1582 1583 __ipsec_errcode = EIPSEC_NO_ERROR; 1584 return so; 1585 } 1586 1587 /* 1588 * close a socket. 1589 * OUT: 1590 * 0: success. 1591 * -1: fail. 1592 */ 1593 void 1594 pfkey_close(so) 1595 int so; 1596 { 1597 (void)close(so); 1598 1599 __ipsec_errcode = EIPSEC_NO_ERROR; 1600 return; 1601 } 1602 1603 /* 1604 * receive sadb_msg data, and return pointer to new buffer allocated. 1605 * Must free this buffer later. 1606 * OUT: 1607 * NULL : error occured. 1608 * others : a pointer to sadb_msg structure. 1609 * 1610 * XXX should be rewritten to pass length explicitly 1611 */ 1612 struct sadb_msg * 1613 pfkey_recv(so) 1614 int so; 1615 { 1616 struct sadb_msg buf, *newmsg; 1617 int len, reallen; 1618 1619 while ((len = recv(so, (caddr_t)&buf, sizeof(buf), MSG_PEEK)) < 0) { 1620 if (errno == EINTR) 1621 continue; 1622 __ipsec_set_strerror(strerror(errno)); 1623 return NULL; 1624 } 1625 1626 if (len < sizeof(buf)) { 1627 recv(so, (caddr_t)&buf, sizeof(buf), 0); 1628 __ipsec_errcode = EIPSEC_MAX; 1629 return NULL; 1630 } 1631 1632 /* read real message */ 1633 reallen = PFKEY_UNUNIT64(buf.sadb_msg_len); 1634 if ((newmsg = CALLOC(reallen, struct sadb_msg *)) == 0) { 1635 __ipsec_set_strerror(strerror(errno)); 1636 return NULL; 1637 } 1638 1639 while ((len = recv(so, (caddr_t)newmsg, reallen, 0)) < 0) { 1640 if (errno == EINTR) 1641 continue; 1642 __ipsec_set_strerror(strerror(errno)); 1643 free(newmsg); 1644 return NULL; 1645 } 1646 1647 if (len != reallen) { 1648 __ipsec_errcode = EIPSEC_SYSTEM_ERROR; 1649 free(newmsg); 1650 return NULL; 1651 } 1652 1653 /* don't trust what the kernel says, validate! */ 1654 if (PFKEY_UNUNIT64(newmsg->sadb_msg_len) != len) { 1655 __ipsec_errcode = EIPSEC_SYSTEM_ERROR; 1656 free(newmsg); 1657 return NULL; 1658 } 1659 1660 __ipsec_errcode = EIPSEC_NO_ERROR; 1661 return newmsg; 1662 } 1663 1664 /* 1665 * send message to a socket. 1666 * OUT: 1667 * others: success and return length sent. 1668 * -1 : fail. 1669 */ 1670 int 1671 pfkey_send(so, msg, len) 1672 int so; 1673 struct sadb_msg *msg; 1674 int len; 1675 { 1676 if ((len = send(so, (caddr_t)msg, len, 0)) < 0) { 1677 __ipsec_set_strerror(strerror(errno)); 1678 return -1; 1679 } 1680 1681 __ipsec_errcode = EIPSEC_NO_ERROR; 1682 return len; 1683 } 1684 1685 /* 1686 * %%% Utilities 1687 * NOTE: These functions are derived from netkey/key.c in KAME. 1688 */ 1689 /* 1690 * set the pointer to each header in this message buffer. 1691 * IN: msg: pointer to message buffer. 1692 * mhp: pointer to the buffer initialized like below: 1693 * caddr_t mhp[SADB_EXT_MAX + 1]; 1694 * OUT: -1: invalid. 1695 * 0: valid. 1696 * 1697 * XXX should be rewritten to obtain length explicitly 1698 */ 1699 int 1700 pfkey_align(msg, mhp) 1701 struct sadb_msg *msg; 1702 caddr_t *mhp; 1703 { 1704 struct sadb_ext *ext; 1705 int i; 1706 caddr_t p; 1707 caddr_t ep; /* XXX should be passed from upper layer */ 1708 1709 /* validity check */ 1710 if (msg == NULL || mhp == NULL) { 1711 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 1712 return -1; 1713 } 1714 1715 /* initialize */ 1716 for (i = 0; i < SADB_EXT_MAX + 1; i++) 1717 mhp[i] = NULL; 1718 1719 mhp[0] = (caddr_t)msg; 1720 1721 /* initialize */ 1722 p = (caddr_t) msg; 1723 ep = p + PFKEY_UNUNIT64(msg->sadb_msg_len); 1724 1725 /* skip base header */ 1726 p += sizeof(struct sadb_msg); 1727 1728 while (p < ep) { 1729 ext = (struct sadb_ext *)p; 1730 if (ep < p + sizeof(*ext) || PFKEY_EXTLEN(ext) < sizeof(*ext) || 1731 ep < p + PFKEY_EXTLEN(ext)) { 1732 /* invalid format */ 1733 break; 1734 } 1735 1736 /* duplicate check */ 1737 /* XXX Are there duplication either KEY_AUTH or KEY_ENCRYPT ?*/ 1738 if (mhp[ext->sadb_ext_type] != NULL) { 1739 __ipsec_errcode = EIPSEC_INVAL_EXTTYPE; 1740 return -1; 1741 } 1742 1743 /* set pointer */ 1744 switch (ext->sadb_ext_type) { 1745 case SADB_EXT_SA: 1746 case SADB_EXT_LIFETIME_CURRENT: 1747 case SADB_EXT_LIFETIME_HARD: 1748 case SADB_EXT_LIFETIME_SOFT: 1749 case SADB_EXT_ADDRESS_SRC: 1750 case SADB_EXT_ADDRESS_DST: 1751 case SADB_EXT_ADDRESS_PROXY: 1752 case SADB_EXT_KEY_AUTH: 1753 /* XXX should to be check weak keys. */ 1754 case SADB_EXT_KEY_ENCRYPT: 1755 /* XXX should to be check weak keys. */ 1756 case SADB_EXT_IDENTITY_SRC: 1757 case SADB_EXT_IDENTITY_DST: 1758 case SADB_EXT_SENSITIVITY: 1759 case SADB_EXT_PROPOSAL: 1760 case SADB_EXT_SUPPORTED_AUTH: 1761 case SADB_EXT_SUPPORTED_ENCRYPT: 1762 case SADB_EXT_SPIRANGE: 1763 case SADB_X_EXT_POLICY: 1764 case SADB_X_EXT_SA2: 1765 mhp[ext->sadb_ext_type] = (caddr_t)ext; 1766 break; 1767 default: 1768 __ipsec_errcode = EIPSEC_INVAL_EXTTYPE; 1769 return -1; 1770 } 1771 1772 p += PFKEY_EXTLEN(ext); 1773 } 1774 1775 if (p != ep) { 1776 __ipsec_errcode = EIPSEC_INVAL_SADBMSG; 1777 return -1; 1778 } 1779 1780 __ipsec_errcode = EIPSEC_NO_ERROR; 1781 return 0; 1782 } 1783 1784 /* 1785 * check basic usage for sadb_msg, 1786 * NOTE: This routine is derived from netkey/key.c in KAME. 1787 * IN: msg: pointer to message buffer. 1788 * mhp: pointer to the buffer initialized like below: 1789 * 1790 * caddr_t mhp[SADB_EXT_MAX + 1]; 1791 * 1792 * OUT: -1: invalid. 1793 * 0: valid. 1794 */ 1795 int 1796 pfkey_check(mhp) 1797 caddr_t *mhp; 1798 { 1799 struct sadb_msg *msg; 1800 1801 /* validity check */ 1802 if (mhp == NULL || mhp[0] == NULL) { 1803 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 1804 return -1; 1805 } 1806 1807 msg = (struct sadb_msg *)mhp[0]; 1808 1809 /* check version */ 1810 if (msg->sadb_msg_version != PF_KEY_V2) { 1811 __ipsec_errcode = EIPSEC_INVAL_VERSION; 1812 return -1; 1813 } 1814 1815 /* check type */ 1816 if (msg->sadb_msg_type > SADB_MAX) { 1817 __ipsec_errcode = EIPSEC_INVAL_MSGTYPE; 1818 return -1; 1819 } 1820 1821 /* check SA type */ 1822 switch (msg->sadb_msg_satype) { 1823 case SADB_SATYPE_UNSPEC: 1824 switch (msg->sadb_msg_type) { 1825 case SADB_GETSPI: 1826 case SADB_UPDATE: 1827 case SADB_ADD: 1828 case SADB_DELETE: 1829 case SADB_GET: 1830 case SADB_ACQUIRE: 1831 case SADB_EXPIRE: 1832 __ipsec_errcode = EIPSEC_INVAL_SATYPE; 1833 return -1; 1834 } 1835 break; 1836 case SADB_SATYPE_ESP: 1837 case SADB_SATYPE_AH: 1838 case SADB_X_SATYPE_IPCOMP: 1839 switch (msg->sadb_msg_type) { 1840 case SADB_X_SPDADD: 1841 case SADB_X_SPDDELETE: 1842 case SADB_X_SPDGET: 1843 case SADB_X_SPDDUMP: 1844 case SADB_X_SPDFLUSH: 1845 __ipsec_errcode = EIPSEC_INVAL_SATYPE; 1846 return -1; 1847 } 1848 break; 1849 case SADB_SATYPE_RSVP: 1850 case SADB_SATYPE_OSPFV2: 1851 case SADB_SATYPE_RIPV2: 1852 case SADB_SATYPE_MIP: 1853 __ipsec_errcode = EIPSEC_NOT_SUPPORTED; 1854 return -1; 1855 case 1: /* XXX: What does it do ? */ 1856 if (msg->sadb_msg_type == SADB_X_PROMISC) 1857 break; 1858 /*FALLTHROUGH*/ 1859 default: 1860 __ipsec_errcode = EIPSEC_INVAL_SATYPE; 1861 return -1; 1862 } 1863 1864 /* check field of upper layer protocol and address family */ 1865 if (mhp[SADB_EXT_ADDRESS_SRC] != NULL 1866 && mhp[SADB_EXT_ADDRESS_DST] != NULL) { 1867 struct sadb_address *src0, *dst0; 1868 1869 src0 = (struct sadb_address *)(mhp[SADB_EXT_ADDRESS_SRC]); 1870 dst0 = (struct sadb_address *)(mhp[SADB_EXT_ADDRESS_DST]); 1871 1872 if (src0->sadb_address_proto != dst0->sadb_address_proto) { 1873 __ipsec_errcode = EIPSEC_PROTO_MISMATCH; 1874 return -1; 1875 } 1876 1877 if (PFKEY_ADDR_SADDR(src0)->sa_family 1878 != PFKEY_ADDR_SADDR(dst0)->sa_family) { 1879 __ipsec_errcode = EIPSEC_FAMILY_MISMATCH; 1880 return -1; 1881 } 1882 1883 switch (PFKEY_ADDR_SADDR(src0)->sa_family) { 1884 case AF_INET: 1885 case AF_INET6: 1886 break; 1887 default: 1888 __ipsec_errcode = EIPSEC_INVAL_FAMILY; 1889 return -1; 1890 } 1891 1892 /* 1893 * prefixlen == 0 is valid because there must be the case 1894 * all addresses are matched. 1895 */ 1896 } 1897 1898 __ipsec_errcode = EIPSEC_NO_ERROR; 1899 return 0; 1900 } 1901 1902 /* 1903 * set data into sadb_msg. 1904 * `buf' must has been allocated sufficiently. 1905 */ 1906 static caddr_t 1907 pfkey_setsadbmsg(buf, lim, type, tlen, satype, seq, pid) 1908 caddr_t buf; 1909 caddr_t lim; 1910 u_int type, satype; 1911 u_int tlen; 1912 u_int32_t seq; 1913 pid_t pid; 1914 { 1915 struct sadb_msg *p; 1916 u_int len; 1917 1918 p = (struct sadb_msg *)buf; 1919 len = sizeof(struct sadb_msg); 1920 1921 if (buf + len > lim) 1922 return NULL; 1923 1924 memset(p, 0, len); 1925 p->sadb_msg_version = PF_KEY_V2; 1926 p->sadb_msg_type = type; 1927 p->sadb_msg_errno = 0; 1928 p->sadb_msg_satype = satype; 1929 p->sadb_msg_len = PFKEY_UNIT64(tlen); 1930 p->sadb_msg_reserved = 0; 1931 p->sadb_msg_seq = seq; 1932 p->sadb_msg_pid = (u_int32_t)pid; 1933 1934 return(buf + len); 1935 } 1936 1937 /* 1938 * copy secasvar data into sadb_address. 1939 * `buf' must has been allocated sufficiently. 1940 */ 1941 static caddr_t 1942 pfkey_setsadbsa(buf, lim, spi, wsize, auth, enc, flags) 1943 caddr_t buf; 1944 caddr_t lim; 1945 u_int32_t spi, flags; 1946 u_int wsize, auth, enc; 1947 { 1948 struct sadb_sa *p; 1949 u_int len; 1950 1951 p = (struct sadb_sa *)buf; 1952 len = sizeof(struct sadb_sa); 1953 1954 if (buf + len > lim) 1955 return NULL; 1956 1957 memset(p, 0, len); 1958 p->sadb_sa_len = PFKEY_UNIT64(len); 1959 p->sadb_sa_exttype = SADB_EXT_SA; 1960 p->sadb_sa_spi = spi; 1961 p->sadb_sa_replay = wsize; 1962 p->sadb_sa_state = SADB_SASTATE_LARVAL; 1963 p->sadb_sa_auth = auth; 1964 p->sadb_sa_encrypt = enc; 1965 p->sadb_sa_flags = flags; 1966 1967 return(buf + len); 1968 } 1969 1970 /* 1971 * set data into sadb_address. 1972 * `buf' must has been allocated sufficiently. 1973 * prefixlen is in bits. 1974 */ 1975 static caddr_t 1976 pfkey_setsadbaddr(buf, lim, exttype, saddr, prefixlen, ul_proto) 1977 caddr_t buf; 1978 caddr_t lim; 1979 u_int exttype; 1980 struct sockaddr *saddr; 1981 u_int prefixlen; 1982 u_int ul_proto; 1983 { 1984 struct sadb_address *p; 1985 u_int len; 1986 1987 p = (struct sadb_address *)buf; 1988 len = sizeof(struct sadb_address) + PFKEY_ALIGN8(saddr->sa_len); 1989 1990 if (buf + len > lim) 1991 return NULL; 1992 1993 memset(p, 0, len); 1994 p->sadb_address_len = PFKEY_UNIT64(len); 1995 p->sadb_address_exttype = exttype & 0xffff; 1996 p->sadb_address_proto = ul_proto & 0xff; 1997 p->sadb_address_prefixlen = prefixlen; 1998 p->sadb_address_reserved = 0; 1999 2000 memcpy(p + 1, saddr, saddr->sa_len); 2001 2002 return(buf + len); 2003 } 2004 2005 /* 2006 * set sadb_key structure after clearing buffer with zero. 2007 * OUT: the pointer of buf + len. 2008 */ 2009 static caddr_t 2010 pfkey_setsadbkey(buf, lim, type, key, keylen) 2011 caddr_t buf; 2012 caddr_t lim; 2013 caddr_t key; 2014 u_int type, keylen; 2015 { 2016 struct sadb_key *p; 2017 u_int len; 2018 2019 p = (struct sadb_key *)buf; 2020 len = sizeof(struct sadb_key) + PFKEY_ALIGN8(keylen); 2021 2022 if (buf + len > lim) 2023 return NULL; 2024 2025 memset(p, 0, len); 2026 p->sadb_key_len = PFKEY_UNIT64(len); 2027 p->sadb_key_exttype = type; 2028 p->sadb_key_bits = keylen << 3; 2029 p->sadb_key_reserved = 0; 2030 2031 memcpy(p + 1, key, keylen); 2032 2033 return buf + len; 2034 } 2035 2036 /* 2037 * set sadb_lifetime structure after clearing buffer with zero. 2038 * OUT: the pointer of buf + len. 2039 */ 2040 static caddr_t 2041 pfkey_setsadblifetime(buf, lim, type, l_alloc, l_bytes, l_addtime, l_usetime) 2042 caddr_t buf; 2043 caddr_t lim; 2044 u_int type; 2045 u_int32_t l_alloc, l_bytes, l_addtime, l_usetime; 2046 { 2047 struct sadb_lifetime *p; 2048 u_int len; 2049 2050 p = (struct sadb_lifetime *)buf; 2051 len = sizeof(struct sadb_lifetime); 2052 2053 if (buf + len > lim) 2054 return NULL; 2055 2056 memset(p, 0, len); 2057 p->sadb_lifetime_len = PFKEY_UNIT64(len); 2058 p->sadb_lifetime_exttype = type; 2059 2060 switch (type) { 2061 case SADB_EXT_LIFETIME_SOFT: 2062 p->sadb_lifetime_allocations 2063 = (l_alloc * soft_lifetime_allocations_rate) /100; 2064 p->sadb_lifetime_bytes 2065 = (l_bytes * soft_lifetime_bytes_rate) /100; 2066 p->sadb_lifetime_addtime 2067 = (l_addtime * soft_lifetime_addtime_rate) /100; 2068 p->sadb_lifetime_usetime 2069 = (l_usetime * soft_lifetime_usetime_rate) /100; 2070 break; 2071 case SADB_EXT_LIFETIME_HARD: 2072 p->sadb_lifetime_allocations = l_alloc; 2073 p->sadb_lifetime_bytes = l_bytes; 2074 p->sadb_lifetime_addtime = l_addtime; 2075 p->sadb_lifetime_usetime = l_usetime; 2076 break; 2077 } 2078 2079 return buf + len; 2080 } 2081 2082 /* 2083 * copy secasvar data into sadb_address. 2084 * `buf' must has been allocated sufficiently. 2085 */ 2086 static caddr_t 2087 pfkey_setsadbxsa2(buf, lim, mode0, reqid) 2088 caddr_t buf; 2089 caddr_t lim; 2090 u_int32_t mode0; 2091 u_int32_t reqid; 2092 { 2093 struct sadb_x_sa2 *p; 2094 u_int8_t mode = mode0 & 0xff; 2095 u_int len; 2096 2097 p = (struct sadb_x_sa2 *)buf; 2098 len = sizeof(struct sadb_x_sa2); 2099 2100 if (buf + len > lim) 2101 return NULL; 2102 2103 memset(p, 0, len); 2104 p->sadb_x_sa2_len = PFKEY_UNIT64(len); 2105 p->sadb_x_sa2_exttype = SADB_X_EXT_SA2; 2106 p->sadb_x_sa2_mode = mode; 2107 p->sadb_x_sa2_reqid = reqid; 2108 2109 return(buf + len); 2110 } 2111