]> git.saurik.com Git - apple/ipsec.git/blob - ipsec-tools/Common/pfkey.c
projects / apple / ipsec.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
ipsec-317.200.3.tar.gz
[apple/ipsec.git] / ipsec-tools / Common / pfkey.c
1 /* $KAME: pfkey.c,v 1.47 2003/10/02 19:52:12 itojun Exp $ */
2
3 /*
4 * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. Neither the name of the project nor the names of its contributors
16 * may be used to endorse or promote products derived from this software
17 * without specific prior written permission.
18 *
19 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 * SUCH DAMAGE.
30 */
31
32 #ifdef HAVE_CONFIG_H
33 #include "config.h"
34 #endif
35
36 #include <sys/types.h>
37 #include <sys/param.h>
38 #include <sys/socket.h>
39 #include <net/pfkeyv2.h>
40 #include <sys/sysctl.h>
41 #include <netinet/in.h>
42 #ifdef HAVE_NETINET6_IPSEC
43 # include <netinet6/ipsec.h>
44 #else
45 # include <netinet/ipsec.h>
46 #endif
47
48 #include <stdlib.h>
49 #include <unistd.h>
50 #include <string.h>
51 #include <errno.h>
52 #include <stdio.h>
53 #include <fcntl.h>
54 #include <ifaddrs.h>
55
56 #include "var.h"
57 #include "ipsec_strerror.h"
58 #include "libpfkey.h"
59
60 #define CALLOC(size, cast) (cast)calloc(1, (size))
61
62 static int findsupportedmap (int);
63 static int setsupportedmap (struct sadb_supported *);
64 static struct sadb_alg *findsupportedalg (u_int, u_int);
65 static int pfkey_send_x1 (int, u_int, u_int, u_int, struct sockaddr_storage *,
66 struct sockaddr_storage *, u_int32_t, u_int32_t, u_int, caddr_t,
67 u_int, u_int, u_int, u_int, u_int, u_int32_t, u_int32_t,
68 u_int32_t, u_int32_t, u_int32_t, u_int16_t, u_int);
69 static int pfkey_send_x2 (int, u_int, u_int, u_int,
70 struct sockaddr_storage *, struct sockaddr_storage *, u_int32_t);
71 static int pfkey_send_x3 (int, u_int, u_int);
72 static int pfkey_send_x4 (int, u_int, struct sockaddr_storage *, struct sockaddr_storage *, u_int,
73 struct sockaddr_storage *, struct sockaddr_storage *, u_int, u_int, u_int64_t, u_int64_t,
74 char *, int, u_int32_t, char *, char *, char *, u_int);
75 static int pfkey_send_x5 (int, u_int, u_int32_t);
76
77 static caddr_t pfkey_setsadbmsg (caddr_t, caddr_t, u_int, u_int,
78 u_int, u_int32_t, pid_t);
79 static caddr_t pfkey_setsadbsa (caddr_t, caddr_t, u_int32_t, u_int,
80 u_int, u_int, u_int32_t, u_int16_t);
81 static caddr_t pfkey_setsadbaddr (caddr_t, caddr_t, u_int,
82 struct sockaddr_storage *, u_int, u_int);
83 static caddr_t pfkey_setsadbkey (caddr_t, caddr_t, u_int, caddr_t, u_int);
84 static caddr_t pfkey_setsadblifetime (caddr_t, caddr_t, u_int, u_int32_t,
85 u_int32_t, u_int32_t, u_int32_t);
86 static caddr_t pfkey_setsadbipsecif(caddr_t, caddr_t, char *,
87 char *, char *, int);
88 static caddr_t pfkey_setsadbxsa2 (caddr_t, caddr_t, u_int32_t, u_int32_t, u_int);
89
90 #ifdef SADB_X_EXT_NAT_T_TYPE
91 static caddr_t pfkey_set_natt_type (caddr_t, caddr_t, u_int, u_int8_t);
92 static caddr_t pfkey_set_natt_port (caddr_t, caddr_t, u_int, u_int16_t);
93 #endif
94 #ifdef SADB_X_EXT_NAT_T_FRAG
95 static caddr_t pfkey_set_natt_frag (caddr_t, caddr_t, u_int, u_int16_t);
96 #endif
97
98 /*
99 * make and search supported algorithm structure.
100 */
101 static struct sadb_supported *ipsec_supported[] = { NULL, NULL, NULL,
102 #ifdef SADB_X_SATYPE_TCPSIGNATURE
103 NULL,
104 #endif
105 };
106
107 static int supported_map[] = {
108 SADB_SATYPE_AH,
109 SADB_SATYPE_ESP,
110 SADB_X_SATYPE_IPCOMP,
111 #ifdef SADB_X_SATYPE_TCPSIGNATURE
112 SADB_X_SATYPE_TCPSIGNATURE,
113 #endif
114 };
115
116 static int
117 findsupportedmap(int satype)
118 {
119 int i;
120
121 for (i = 0; i < sizeof(supported_map)/sizeof(supported_map[0]); i++)
122 if (supported_map[i] == satype)
123 return i;
124 return -1;
125 }
126
127 static struct sadb_alg *
128 findsupportedalg(u_int satype, u_int alg_id)
129 {
130 int algno;
131 int tlen;
132 caddr_t p;
133
134 /* validity check */
135 algno = findsupportedmap((int)satype);
136 if (algno == -1) {
137 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
138 return NULL;
139 }
140 if (ipsec_supported[algno] == NULL) {
141 __ipsec_errcode = EIPSEC_DO_GET_SUPP_LIST;
142 return NULL;
143 }
144
145 tlen = ipsec_supported[algno]->sadb_supported_len
146 - sizeof(struct sadb_supported);
147 p = (void *)(ipsec_supported[algno] + 1);
148 while (tlen > 0) {
149 if (tlen < sizeof(struct sadb_alg)) {
150 /* invalid format */
151 break;
152 }
153 if (((struct sadb_alg *)(void *)p)->sadb_alg_id == alg_id)
154 return (void *)p;
155
156 tlen -= sizeof(struct sadb_alg);
157 p += sizeof(struct sadb_alg);
158 }
159
160 __ipsec_errcode = EIPSEC_NOT_SUPPORTED;
161 return NULL;
162 }
163
164 static int
165 setsupportedmap(struct sadb_supported *sup)
166 {
167 struct sadb_supported **ipsup;
168
169 switch (sup->sadb_supported_exttype) {
170 case SADB_EXT_SUPPORTED_AUTH:
171 ipsup = &ipsec_supported[findsupportedmap(SADB_SATYPE_AH)];
172 break;
173 case SADB_EXT_SUPPORTED_ENCRYPT:
174 ipsup = &ipsec_supported[findsupportedmap(SADB_SATYPE_ESP)];
175 break;
176 default:
177 __ipsec_errcode = EIPSEC_INVAL_SATYPE;
178 return -1;
179 }
180
181 if (*ipsup)
182 free(*ipsup);
183
184 *ipsup = malloc((size_t)sup->sadb_supported_len);
185 if (!*ipsup) {
186 __ipsec_set_strerror(strerror(errno));
187 return -1;
188 }
189 memcpy(*ipsup, sup, (size_t)sup->sadb_supported_len);
190
191 return 0;
192 }
193
194 /*
195 * check key length against algorithm specified.
196 * This function is called with SADB_EXT_SUPPORTED_{AUTH,ENCRYPT} as the
197 * augument, and only calls to ipsec_check_keylen2();
198 * keylen is the unit of bit.
199 * OUT:
200 * -1: invalid.
201 * 0: valid.
202 */
203 int
204 ipsec_check_keylen(u_int supported, u_int alg_id, u_int keylen)
205 {
206 u_int satype;
207
208 /* validity check */
209 switch (supported) {
210 case SADB_EXT_SUPPORTED_AUTH:
211 satype = SADB_SATYPE_AH;
212 break;
213 case SADB_EXT_SUPPORTED_ENCRYPT:
214 satype = SADB_SATYPE_ESP;
215 break;
216 default:
217 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
218 return -1;
219 }
220
221 return ipsec_check_keylen2(satype, alg_id, keylen);
222 }
223
224 /*
225 * check key length against algorithm specified.
226 * satype is one of satype defined at pfkeyv2.h.
227 * keylen is the unit of bit.
228 * OUT:
229 * -1: invalid.
230 * 0: valid.
231 */
232 int
233 ipsec_check_keylen2(u_int satype, u_int alg_id, u_int keylen)
234 {
235 struct sadb_alg *alg;
236
237 alg = findsupportedalg(satype, alg_id);
238 if (!alg)
239 return -1;
240
241 if (keylen < alg->sadb_alg_minbits || keylen > alg->sadb_alg_maxbits) {
242 fprintf(stderr, "%d %d %d\n", keylen, alg->sadb_alg_minbits,
243 alg->sadb_alg_maxbits);
244 __ipsec_errcode = EIPSEC_INVAL_KEYLEN;
245 return -1;
246 }
247
248 __ipsec_errcode = EIPSEC_NO_ERROR;
249 return 0;
250 }
251
252 /*
253 * get max/min key length against algorithm specified.
254 * satype is one of satype defined at pfkeyv2.h.
255 * keylen is the unit of bit.
256 * OUT:
257 * -1: invalid.
258 * 0: valid.
259 */
260 int
261 ipsec_get_keylen(u_int supported, u_int alg_id, struct sadb_alg *alg0)
262 {
263 struct sadb_alg *alg;
264 u_int satype;
265
266 /* validity check */
267 if (!alg0) {
268 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
269 return -1;
270 }
271
272 switch (supported) {
273 case SADB_EXT_SUPPORTED_AUTH:
274 satype = SADB_SATYPE_AH;
275 break;
276 case SADB_EXT_SUPPORTED_ENCRYPT:
277 satype = SADB_SATYPE_ESP;
278 break;
279 default:
280 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
281 return -1;
282 }
283
284 alg = findsupportedalg(satype, alg_id);
285 if (!alg)
286 return -1;
287
288 memcpy(alg0, alg, sizeof(*alg0));
289
290 __ipsec_errcode = EIPSEC_NO_ERROR;
291 return 0;
292 }
293
294 /*
295 * set the rate for SOFT lifetime against HARD one.
296 * If rate is more than 100 or equal to zero, then set to 100.
297 */
298 static u_int soft_lifetime_allocations_rate = PFKEY_SOFT_LIFETIME_RATE;
299 static u_int soft_lifetime_bytes_rate = PFKEY_SOFT_LIFETIME_RATE;
300 static u_int soft_lifetime_addtime_rate = PFKEY_SOFT_LIFETIME_RATE;
301 static u_int soft_lifetime_usetime_rate = PFKEY_SOFT_LIFETIME_RATE;
302
303 u_int
304 pfkey_set_softrate(u_int type, u_int rate)
305 {
306 __ipsec_errcode = EIPSEC_NO_ERROR;
307
308 if (rate > 100 || rate == 0)
309 rate = 100;
310
311 switch (type) {
312 case SADB_X_LIFETIME_ALLOCATIONS:
313 soft_lifetime_allocations_rate = rate;
314 return 0;
315 case SADB_X_LIFETIME_BYTES:
316 soft_lifetime_bytes_rate = rate;
317 return 0;
318 case SADB_X_LIFETIME_ADDTIME:
319 soft_lifetime_addtime_rate = rate;
320 return 0;
321 case SADB_X_LIFETIME_USETIME:
322 soft_lifetime_usetime_rate = rate;
323 return 0;
324 }
325
326 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
327 return 1;
328 }
329
330 /*
331 * get current rate for SOFT lifetime against HARD one.
332 * ATTENTION: ~0 is returned if invalid type was passed.
333 */
334 u_int
335 pfkey_get_softrate(u_int type)
336 {
337 switch (type) {
338 case SADB_X_LIFETIME_ALLOCATIONS:
339 return soft_lifetime_allocations_rate;
340 case SADB_X_LIFETIME_BYTES:
341 return soft_lifetime_bytes_rate;
342 case SADB_X_LIFETIME_ADDTIME:
343 return soft_lifetime_addtime_rate;
344 case SADB_X_LIFETIME_USETIME:
345 return soft_lifetime_usetime_rate;
346 }
347
348 return (u_int)~0;
349 }
350
351 /*
352 * sending SADB_GETSPI message to the kernel.
353 * OUT:
354 * positive: success and return length sent.
355 * -1 : error occured, and set errno.
356 */
357 int
358 pfkey_send_getspi(int so, u_int satype, u_int mode, struct sockaddr_storage *src, struct sockaddr_storage *dst,
359 u_int32_t min, u_int32_t max, u_int32_t reqid, u_int use_addtime, u_int64_t l_addtime, u_int32_t seq, u_int always_expire)
360 {
361 struct sadb_msg *newmsg;
362 caddr_t ep;
363 int len;
364 int need_spirange = 0;
365 caddr_t p;
366 int plen;
367
368 /* validity check */
369 if (src == NULL || dst == NULL) {
370 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
371 return -1;
372 }
373 if (src->ss_family != dst->ss_family) {
374 __ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
375 return -1;
376 }
377 if (min > max || (min > 0 && min <= 255)) {
378 __ipsec_errcode = EIPSEC_INVAL_SPI;
379 return -1;
380 }
381 switch (src->ss_family) {
382 case AF_INET:
383 plen = sizeof(struct in_addr) << 3;
384 break;
385 case AF_INET6:
386 plen = sizeof(struct in6_addr) << 3;
387 break;
388 default:
389 __ipsec_errcode = EIPSEC_INVAL_FAMILY;
390 return -1;
391 }
392
393 /* create new sadb_msg to send. */
394 len = sizeof(struct sadb_msg)
395 + sizeof(struct sadb_x_sa2)
396 + sizeof(struct sadb_address)
397 + PFKEY_ALIGN8(sysdep_sa_len((struct sockaddr *)src))
398 + sizeof(struct sadb_address)
399 + PFKEY_ALIGN8(sysdep_sa_len((struct sockaddr *)dst))
400 + ((use_addtime) ? sizeof(struct sadb_lifetime) : 0);
401
402 if (min > 255 && max < (u_int)~0) {
403 need_spirange++;
404 len += sizeof(struct sadb_spirange);
405 }
406
407 if ((newmsg = CALLOC((size_t)len, struct sadb_msg *)) == NULL) {
408 __ipsec_set_strerror(strerror(errno));
409 return -1;
410 }
411 ep = ((caddr_t)(void *)newmsg) + len;
412
413 p = pfkey_setsadbmsg((void *)newmsg, ep, SADB_GETSPI,
414 (u_int)len, satype, seq, getpid());
415 if (!p) {
416 free(newmsg);
417 return -1;
418 }
419
420 p = pfkey_setsadbxsa2(p, ep, mode, reqid, always_expire);
421 if (!p) {
422 free(newmsg);
423 return -1;
424 }
425
426 /* set sadb_address for source */
427 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, (u_int)plen,
428 IPSEC_ULPROTO_ANY);
429 if (!p) {
430 free(newmsg);
431 return -1;
432 }
433
434 /* set sadb_address for destination */
435 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, (u_int)plen,
436 IPSEC_ULPROTO_ANY);
437 if (!p) {
438 free(newmsg);
439 return -1;
440 }
441
442 if (use_addtime) {
443 /* set sadb_lifetime, only hard lifetime applicable for larval SAs */
444 p = pfkey_setsadblifetime(p, ep, SADB_EXT_LIFETIME_HARD,
445 0, 0, l_addtime, 0);
446 if (!p) {
447 free(newmsg);
448 return -1;
449 }
450 }
451
452 /* proccessing spi range */
453 if (need_spirange) {
454 struct sadb_spirange spirange;
455
456 if (p + sizeof(spirange) > ep) {
457 free(newmsg);
458 return -1;
459 }
460
461 memset(&spirange, 0, sizeof(spirange));
462 spirange.sadb_spirange_len = PFKEY_UNIT64(sizeof(spirange));
463 spirange.sadb_spirange_exttype = SADB_EXT_SPIRANGE;
464 spirange.sadb_spirange_min = min;
465 spirange.sadb_spirange_max = max;
466
467 memcpy(p, &spirange, sizeof(spirange));
468
469 p += sizeof(spirange);
470 }
471 if (p != ep) {
472 free(newmsg);
473 return -1;
474 }
475
476 /* send message */
477 len = pfkey_send(so, newmsg, len);
478 free(newmsg);
479
480 if (len < 0)
481 return -1;
482
483 __ipsec_errcode = EIPSEC_NO_ERROR;
484 return len;
485 }
486
487
488 /*
489 * sending SADB_UPDATE message to the kernel.
490 * The length of key material is a_keylen + e_keylen.
491 * OUT:
492 * positive: success and return length sent.
493 * -1 : error occured, and set errno.
494 */
495 int
496 pfkey_send_update(int so, u_int satype, u_int mode, struct sockaddr_storage *src, struct sockaddr_storage *dst,
497 u_int32_t spi, u_int32_t reqid, u_int wsize, caddr_t keymat, u_int e_type, u_int e_keylen,
498 u_int a_type, u_int a_keylen, u_int flags, u_int32_t l_alloc, u_int64_t l_bytes,
499 u_int64_t l_addtime, u_int64_t l_usetime, u_int32_t seq, u_int16_t port, u_int always_expire)
500 {
501 int len;
502 if ((len = pfkey_send_x1(so, SADB_UPDATE, satype, mode, src, dst, spi,
503 reqid, wsize,
504 keymat, e_type, e_keylen, a_type, a_keylen, flags,
505 l_alloc, (u_int)l_bytes, (u_int)l_addtime,
506 (u_int)l_usetime, seq, port, always_expire)) < 0)
507 return -1;
508
509 return len;
510 }
511
512
513 /*
514 * sending SADB_ADD message to the kernel.
515 * The length of key material is a_keylen + e_keylen.
516 * OUT:
517 * positive: success and return length sent.
518 * -1 : error occured, and set errno.
519 */
520 int
521 pfkey_send_add(int so, u_int satype, u_int mode, struct sockaddr_storage *src, struct sockaddr_storage *dst,
522 u_int32_t spi, u_int32_t reqid, u_int wsize, caddr_t keymat, u_int e_type, u_int e_keylen,
523 u_int a_type, u_int a_keylen, u_int flags, u_int32_t l_alloc, u_int64_t l_bytes,
524 u_int64_t l_addtime, u_int64_t l_usetime, u_int32_t seq, u_int16_t port, u_int always_expire)
525 {
526 int len;
527 if ((len = pfkey_send_x1(so, SADB_ADD, satype, mode, src, dst, spi,
528 reqid, wsize,
529 keymat, e_type, e_keylen, a_type, a_keylen, flags,
530 l_alloc, (u_int)l_bytes, (u_int)l_addtime,
531 (u_int)l_usetime, seq, port, always_expire)) < 0)
532 return -1;
533
534 return len;
535 }
536
537
538 /*
539 * sending SADB_DELETE message to the kernel.
540 * OUT:
541 * positive: success and return length sent.
542 * -1 : error occured, and set errno.
543 */
544 int
545 pfkey_send_delete(so, satype, mode, src, dst, spi)
546 int so;
547 u_int satype, mode;
548 struct sockaddr_storage *src, *dst;
549 u_int32_t spi;
550 {
551 int len;
552 if ((len = pfkey_send_x2(so, SADB_DELETE, satype, mode, src, dst, spi)) < 0)
553 return -1;
554
555 return len;
556 }
557
558 /*
559 * sending SADB_DELETE without spi to the kernel. This is
560 * the "delete all" request (an extension also present in
561 * Solaris).
562 *
563 * OUT:
564 * positive: success and return length sent
565 * -1 : error occured, and set errno
566 */
567 /*ARGSUSED*/
568 int
569 pfkey_send_delete_all(int so, u_int satype, u_int mode, struct sockaddr_storage *src, struct sockaddr_storage *dst)
570 {
571 struct sadb_msg *newmsg;
572 int len;
573 caddr_t p;
574 int plen;
575 caddr_t ep;
576
577 /* validity check */
578 if (src == NULL || dst == NULL) {
579 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
580 return -1;
581 }
582 if (src->ss_family != dst->ss_family) {
583 __ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
584 return -1;
585 }
586 switch (src->ss_family) {
587 case AF_INET:
588 plen = sizeof(struct in_addr) << 3;
589 break;
590 case AF_INET6:
591 plen = sizeof(struct in6_addr) << 3;
592 break;
593 default:
594 __ipsec_errcode = EIPSEC_INVAL_FAMILY;
595 return -1;
596 }
597
598 /* create new sadb_msg to reply. */
599 len = sizeof(struct sadb_msg)
600 + sizeof(struct sadb_address)
601 + PFKEY_ALIGN8(sysdep_sa_len((struct sockaddr *)src))
602 + sizeof(struct sadb_address)
603 + PFKEY_ALIGN8(sysdep_sa_len((struct sockaddr *)dst));
604
605 if ((newmsg = CALLOC((size_t)len, struct sadb_msg *)) == NULL) {
606 __ipsec_set_strerror(strerror(errno));
607 return -1;
608 }
609 ep = ((caddr_t)(void *)newmsg) + len;
610
611 p = pfkey_setsadbmsg((void *)newmsg, ep, SADB_DELETE, (u_int)len,
612 satype, 0, getpid());
613 if (!p) {
614 free(newmsg);
615 return -1;
616 }
617 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, (u_int)plen,
618 IPSEC_ULPROTO_ANY);
619 if (!p) {
620 free(newmsg);
621 return -1;
622 }
623 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, (u_int)plen,
624 IPSEC_ULPROTO_ANY);
625 if (!p || p != ep) {
626 free(newmsg);
627 return -1;
628 }
629
630 /* send message */
631 len = pfkey_send(so, newmsg, len);
632 free(newmsg);
633
634 if (len < 0)
635 return -1;
636
637 __ipsec_errcode = EIPSEC_NO_ERROR;
638 return len;
639 }
640
641 /*
642 * sending SADB_GET message to the kernel.
643 * OUT:
644 * positive: success and return length sent.
645 * -1 : error occured, and set errno.
646 */
647 int
648 pfkey_send_get(int so, u_int satype, u_int mode, struct sockaddr_storage *src, struct sockaddr_storage *dst, u_int32_t spi)
649 {
650 int len;
651 if ((len = pfkey_send_x2(so, SADB_GET, satype, mode, src, dst, spi)) < 0)
652 return -1;
653
654 return len;
655 }
656
657 /*
658 * sending SADB_REGISTER message to the kernel.
659 * OUT:
660 * positive: success and return length sent.
661 * -1 : error occured, and set errno.
662 */
663 int
664 pfkey_send_register(int so, u_int satype)
665 {
666 int len, algno;
667
668 if (satype == PF_UNSPEC) {
669 for (algno = 0;
670 algno < sizeof(supported_map)/sizeof(supported_map[0]);
671 algno++) {
672 if (ipsec_supported[algno]) {
673 free(ipsec_supported[algno]);
674 ipsec_supported[algno] = NULL;
675 }
676 }
677 } else {
678 algno = findsupportedmap((int)satype);
679 if (algno == -1) {
680 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
681 return -1;
682 }
683
684 if (ipsec_supported[algno]) {
685 free(ipsec_supported[algno]);
686 ipsec_supported[algno] = NULL;
687 }
688 }
689
690 if ((len = pfkey_send_x3(so, SADB_REGISTER, satype)) < 0)
691 return -1;
692
693 return len;
694 }
695
696 /*
697 * receiving SADB_REGISTER message from the kernel, and copy buffer for
698 * sadb_supported returned into ipsec_supported.
699 * OUT:
700 * 0: success and return length sent.
701 * -1: error occured, and set errno.
702 */
703 int
704 pfkey_recv_register(int so)
705 {
706 pid_t pid = getpid();
707 struct sadb_msg *newmsg;
708 int error = -1;
709
710 /* receive message */
711 for (;;) {
712 if ((newmsg = pfkey_recv(so)) == NULL)
713 return -1;
714 if (newmsg->sadb_msg_type == SADB_REGISTER &&
715 newmsg->sadb_msg_pid == pid)
716 break;
717 free(newmsg);
718 }
719
720 /* check and fix */
721 newmsg->sadb_msg_len = PFKEY_UNUNIT64(newmsg->sadb_msg_len);
722
723 error = pfkey_set_supported(newmsg, newmsg->sadb_msg_len);
724 free(newmsg);
725
726 if (error == 0)
727 __ipsec_errcode = EIPSEC_NO_ERROR;
728
729 return error;
730 }
731
732 /*
733 * receiving SADB_REGISTER message from the kernel, and copy buffer for
734 * sadb_supported returned into ipsec_supported.
735 * NOTE: sadb_msg_len must be host order.
736 * IN:
737 * tlen: msg length, it's to makeing sure.
738 * OUT:
739 * 0: success and return length sent.
740 * -1: error occured, and set errno.
741 */
742 int
743 pfkey_set_supported(struct sadb_msg *msg, int tlen)
744 {
745 struct sadb_supported *sup;
746 caddr_t p;
747 caddr_t ep;
748
749 /* validity */
750 if (msg->sadb_msg_len != tlen) {
751 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
752 return -1;
753 }
754
755 p = (void *)msg;
756 ep = p + tlen;
757
758 p += sizeof(struct sadb_msg);
759
760 while (p < ep) {
761 sup = (void *)p;
762 if (ep < p + sizeof(*sup) ||
763 PFKEY_EXTLEN(sup) < sizeof(*sup) ||
764 ep < p + sup->sadb_supported_len) {
765 /* invalid format */
766 break;
767 }
768
769 switch (sup->sadb_supported_exttype) {
770 case SADB_EXT_SUPPORTED_AUTH:
771 case SADB_EXT_SUPPORTED_ENCRYPT:
772 break;
773 default:
774 __ipsec_errcode = EIPSEC_INVAL_SATYPE;
775 return -1;
776 }
777
778 /* fixed length */
779 sup->sadb_supported_len = PFKEY_EXTLEN(sup);
780
781 /* set supported map */
782 if (setsupportedmap(sup) != 0)
783 return -1;
784
785 p += sup->sadb_supported_len;
786 }
787
788 if (p != ep) {
789 __ipsec_errcode = EIPSEC_INVAL_SATYPE;
790 return -1;
791 }
792
793 __ipsec_errcode = EIPSEC_NO_ERROR;
794
795 return 0;
796 }
797
798 /*
799 * sending SADB_FLUSH message to the kernel.
800 * OUT:
801 * positive: success and return length sent.
802 * -1 : error occured, and set errno.
803 */
804 int
805 pfkey_send_flush(int so, u_int satype)
806 {
807 int len;
808
809 if ((len = pfkey_send_x3(so, SADB_FLUSH, satype)) < 0)
810 return -1;
811
812 return len;
813 }
814
815 /*
816 * sending SADB_DUMP message to the kernel.
817 * OUT:
818 * positive: success and return length sent.
819 * -1 : error occured, and set errno.
820 */
821 int
822 pfkey_send_dump(int so, u_int satype)
823 {
824 int len;
825
826 if ((len = pfkey_send_x3(so, SADB_DUMP, satype)) < 0)
827 return -1;
828
829 return len;
830 }
831
832 /*
833 * sending SADB_X_PROMISC message to the kernel.
834 * NOTE that this function handles promisc mode toggle only.
835 * IN:
836 * flag: set promisc off if zero, set promisc on if non-zero.
837 * OUT:
838 * positive: success and return length sent.
839 * -1 : error occured, and set errno.
840 * 0 : error occured, and set errno.
841 * others: a pointer to new allocated buffer in which supported
842 * algorithms is.
843 */
844 int
845 pfkey_send_promisc_toggle(int so, int flag)
846 {
847 int len;
848
849 if ((len = pfkey_send_x3(so, SADB_X_PROMISC,
850 (u_int)(flag ? 1 : 0))) < 0)
851 return -1;
852
853 return len;
854 }
855
856 /*
857 * sending SADB_X_SPDADD message to the kernel.
858 * OUT:
859 * positive: success and return length sent.
860 * -1 : error occured, and set errno.
861 */
862 int
863 pfkey_send_spdadd(int so, struct sockaddr_storage *src, u_int prefs, struct sockaddr_storage *dst,
864 u_int prefd, u_int proto, caddr_t policy, int policylen, u_int32_t seq)
865 {
866 int len;
867
868 if ((len = pfkey_send_x4(so, SADB_X_SPDADD,
869 src, NULL, prefs, dst, NULL, prefd, proto,
870 (u_int64_t)0, (u_int64_t)0,
871 policy, policylen, seq, NULL, NULL, NULL, 0)) < 0)
872 return -1;
873
874 return len;
875 }
876
877 /*
878 * sending SADB_X_SPDADD message to the kernel.
879 * OUT:
880 * positive: success and return length sent.
881 * -1 : error occured, and set errno.
882 */
883 int
884 pfkey_send_spdadd_with_interface(int so, struct sockaddr_storage *src, struct sockaddr_storage *src_end, u_int prefs, struct sockaddr_storage *dst,
885 struct sockaddr_storage *dst_end, u_int prefd, u_int proto, caddr_t policy, int policylen, u_int32_t seq, char *ipsec_if,
886 char *internal_if, char *outgoing_if, u_int disabled)
887 {
888 int len;
889
890 if ((len = pfkey_send_x4(so, SADB_X_SPDADD,
891 src, src_end, prefs, dst, dst_end, prefd, proto,
892 (u_int64_t)0, (u_int64_t)0,
893 policy, policylen, seq, ipsec_if, internal_if, outgoing_if, disabled)) < 0)
894 return -1;
895
896 return len;
897 }
898
899 /*
900 * sending SADB_X_SPDADD message to the kernel.
901 * OUT:
902 * positive: success and return length sent.
903 * -1 : error occured, and set errno.
904 */
905 int
906 pfkey_send_spdadd2(int so, struct sockaddr_storage *src, u_int prefs, struct sockaddr_storage *dst, u_int prefd, u_int proto, u_int64_t ltime, u_int64_t vtime,
907 caddr_t policy, int policylen, u_int32_t seq)
908 {
909 int len;
910
911 if ((len = pfkey_send_x4(so, SADB_X_SPDADD,
912 src, NULL, prefs, dst, NULL, prefd, proto,
913 ltime, vtime,
914 policy, policylen, seq, NULL, NULL, NULL, 0)) < 0)
915 return -1;
916
917 return len;
918 }
919
920 /*
921 * sending SADB_X_SPDUPDATE message to the kernel.
922 * OUT:
923 * positive: success and return length sent.
924 * -1 : error occured, and set errno.
925 */
926 int
927 pfkey_send_spdupdate(int so, struct sockaddr_storage *src, u_int prefs, struct sockaddr_storage *dst,
928 u_int prefd, u_int proto, caddr_t policy, int policylen, u_int32_t seq)
929 {
930 int len;
931
932 if ((len = pfkey_send_x4(so, SADB_X_SPDUPDATE,
933 src, NULL, prefs, dst, NULL, prefd, proto,
934 (u_int64_t)0, (u_int64_t)0,
935 policy, policylen, seq, NULL, NULL, NULL, 0)) < 0)
936 return -1;
937
938 return len;
939 }
940
941 /*
942 * sending SADB_X_SPDUPDATE message to the kernel.
943 * OUT:
944 * positive: success and return length sent.
945 * -1 : error occured, and set errno.
946 */
947 int
948 pfkey_send_spdupdate2(int so, struct sockaddr_storage *src, u_int prefs, struct sockaddr_storage *dst,
949 u_int prefd, u_int proto, u_int64_t ltime, u_int64_t vtime,
950 caddr_t policy, int policylen, u_int32_t seq)
951 {
952 int len;
953
954 if ((len = pfkey_send_x4(so, SADB_X_SPDUPDATE,
955 src, NULL, prefs, dst, NULL, prefd, proto,
956 ltime, vtime,
957 policy, policylen, seq, NULL, NULL, NULL, 0)) < 0)
958 return -1;
959
960 return len;
961 }
962
963 /*
964 * sending SADB_X_SPDDELETE message to the kernel.
965 * OUT:
966 * positive: success and return length sent.
967 * -1 : error occured, and set errno.
968 */
969 int
970 pfkey_send_spddelete(int so, struct sockaddr_storage *src, u_int prefs, struct sockaddr_storage *dst,
971 u_int prefd, u_int proto, caddr_t policy, int policylen, u_int32_t seq)
972 {
973 int len;
974
975 if (policylen != sizeof(struct sadb_x_policy)) {
976 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
977 return -1;
978 }
979
980 if ((len = pfkey_send_x4(so, SADB_X_SPDDELETE,
981 src, NULL, prefs, dst, NULL, prefd, proto,
982 (u_int64_t)0, (u_int64_t)0,
983 policy, policylen, seq, NULL, NULL, NULL, 0)) < 0)
984 return -1;
985
986 return len;
987 }
988
989 /*
990 * sending SADB_X_SPDDELETE message to the kernel.
991 * OUT:
992 * positive: success and return length sent.
993 * -1 : error occured, and set errno.
994 */
995 int
996 pfkey_send_spddelete2(int so, u_int32_t spid)
997 {
998 int len;
999
1000 if ((len = pfkey_send_x5(so, SADB_X_SPDDELETE2, spid)) < 0)
1001 return -1;
1002
1003 return len;
1004 }
1005
1006 int
1007 pfkey_send_spdenable(int so, u_int32_t spid)
1008 {
1009 int len;
1010
1011 if ((len = pfkey_send_x5(so, SADB_X_SPDENABLE, spid)) < 0)
1012 return -1;
1013
1014 return len;
1015 }
1016
1017 int
1018 pfkey_send_spddisable(int so, u_int32_t spid)
1019 {
1020 int len;
1021
1022 if ((len = pfkey_send_x5(so, SADB_X_SPDDISABLE, spid)) < 0)
1023 return -1;
1024
1025 return len;
1026 }
1027
1028 /*
1029 * sending SADB_X_SPDGET message to the kernel.
1030 * OUT:
1031 * positive: success and return length sent.
1032 * -1 : error occured, and set errno.
1033 */
1034 int
1035 pfkey_send_spdget(int so, u_int32_t spid)
1036 {
1037 int len;
1038
1039 if ((len = pfkey_send_x5(so, SADB_X_SPDGET, spid)) < 0)
1040 return -1;
1041
1042 return len;
1043 }
1044
1045 /*
1046 * sending SADB_X_SPDSETIDX message to the kernel.
1047 * OUT:
1048 * positive: success and return length sent.
1049 * -1 : error occured, and set errno.
1050 */
1051 int
1052 pfkey_send_spdsetidx(int so, struct sockaddr_storage *src, u_int prefs, struct sockaddr_storage *dst,
1053 u_int prefd, u_int proto, caddr_t policy, int policylen, u_int32_t seq)
1054 {
1055 int len;
1056
1057 if (policylen != sizeof(struct sadb_x_policy)) {
1058 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
1059 return -1;
1060 }
1061
1062 if ((len = pfkey_send_x4(so, SADB_X_SPDSETIDX,
1063 src, NULL, prefs, dst, NULL, prefd, proto,
1064 (u_int64_t)0, (u_int64_t)0,
1065 policy, policylen, seq, NULL, NULL, NULL, 0)) < 0)
1066 return -1;
1067
1068 return len;
1069 }
1070
1071 /*
1072 * sending SADB_SPDFLUSH message to the kernel.
1073 * OUT:
1074 * positive: success and return length sent.
1075 * -1 : error occured, and set errno.
1076 */
1077 int
1078 pfkey_send_spdflush(int so)
1079 {
1080 int len;
1081
1082 if ((len = pfkey_send_x3(so, SADB_X_SPDFLUSH, SADB_SATYPE_UNSPEC)) < 0)
1083 return -1;
1084
1085 return len;
1086 }
1087
1088 /*
1089 * sending SADB_SPDDUMP message to the kernel.
1090 * OUT:
1091 * positive: success and return length sent.
1092 * -1 : error occured, and set errno.
1093 */
1094 int
1095 pfkey_send_spddump(int so)
1096 {
1097 int len;
1098
1099 if ((len = pfkey_send_x3(so, SADB_X_SPDDUMP, SADB_SATYPE_UNSPEC)) < 0)
1100 return -1;
1101
1102 return len;
1103 }
1104
1105
1106 /* sending SADB_ADD or SADB_UPDATE message to the kernel */
1107 static int
1108 pfkey_send_x1(int so, u_int type, u_int satype, u_int mode, struct sockaddr_storage *src,
1109 struct sockaddr_storage *dst, u_int32_t spi, u_int32_t reqid, u_int wsize,
1110 caddr_t keymat, u_int e_type, u_int e_keylen, u_int a_type, u_int a_keylen, u_int flags,
1111 u_int32_t l_alloc, u_int32_t l_bytes, u_int32_t l_addtime, u_int32_t l_usetime, u_int32_t seq, u_int16_t port,
1112 u_int always_expire)
1113 {
1114 struct sadb_msg *newmsg = NULL;
1115 struct ifaddrs *ifap = NULL;
1116 struct ifaddrs *ifa = NULL;
1117 int len;
1118 int ret = -1;
1119 caddr_t p;
1120 int plen;
1121 caddr_t ep;
1122
1123 /* validity check */
1124 if (src == NULL || dst == NULL) {
1125 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
1126 return -1;
1127 }
1128 if (src->ss_family != dst->ss_family) {
1129 __ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
1130 return -1;
1131 }
1132 switch (src->ss_family) {
1133 case AF_INET:
1134 plen = sizeof(struct in_addr) << 3;
1135 break;
1136 case AF_INET6:
1137 plen = sizeof(struct in6_addr) << 3;
1138 break;
1139 default:
1140 __ipsec_errcode = EIPSEC_INVAL_FAMILY;
1141 return -1;
1142 }
1143
1144 switch (satype) {
1145 case SADB_SATYPE_ESP:
1146 if (e_type == SADB_EALG_NONE) {
1147 __ipsec_errcode = EIPSEC_NO_ALGS;
1148 return -1;
1149 }
1150 break;
1151 case SADB_SATYPE_AH:
1152 if (e_type != SADB_EALG_NONE) {
1153 __ipsec_errcode = EIPSEC_INVAL_ALGS;
1154 return -1;
1155 }
1156 if (a_type == SADB_AALG_NONE) {
1157 __ipsec_errcode = EIPSEC_NO_ALGS;
1158 return -1;
1159 }
1160 break;
1161 case SADB_X_SATYPE_IPCOMP:
1162 if (e_type == SADB_X_CALG_NONE) {
1163 __ipsec_errcode = EIPSEC_INVAL_ALGS;
1164 return -1;
1165 }
1166 if (a_type != SADB_AALG_NONE) {
1167 __ipsec_errcode = EIPSEC_NO_ALGS;
1168 return -1;
1169 }
1170 break;
1171 #ifdef SADB_X_AALG_TCP_MD5
1172 case SADB_X_SATYPE_TCPSIGNATURE:
1173 if (e_type != SADB_EALG_NONE) {
1174 __ipsec_errcode = EIPSEC_INVAL_ALGS;
1175 return -1;
1176 }
1177 if (a_type != SADB_X_AALG_TCP_MD5) {
1178 __ipsec_errcode = EIPSEC_INVAL_ALGS;
1179 return -1;
1180 }
1181 break;
1182 #endif
1183 default:
1184 __ipsec_errcode = EIPSEC_INVAL_SATYPE;
1185 return -1;
1186 }
1187
1188 if (getifaddrs(&ifap) < 0) {
1189 return -1;
1190 }
1191
1192 for (ifa = ifap; ifa != NULL; ifa = ifa->ifa_next) {
1193 if (ifa->ifa_addr == NULL || ifa->ifa_addr->sa_family != src->ss_family)
1194 continue;
1195
1196 if (src->ss_family == AF_INET) {
1197 if (memcmp(&((struct sockaddr_in *)(ifa->ifa_addr))->sin_addr, &((struct sockaddr_in *)src)->sin_addr, sizeof(struct in_addr)) != 0)
1198 continue;
1199 } else if (src->ss_family == AF_INET6) {
1200 if (memcmp(&((struct sockaddr_in6 *)(ifa->ifa_addr))->sin6_addr, &((struct sockaddr_in6 *)src)->sin6_addr, sizeof(struct in6_addr)) != 0)
1201 continue;
1202 }
1203
1204 break;
1205 }
1206
1207 /* create new sadb_msg to reply. */
1208 len = sizeof(struct sadb_msg)
1209 + sizeof(struct sadb_sa_2)
1210 + sizeof(struct sadb_x_sa2)
1211 + sizeof(struct sadb_address)
1212 + PFKEY_ALIGN8(sysdep_sa_len((struct sockaddr *)src))
1213 + sizeof(struct sadb_address)
1214 + PFKEY_ALIGN8(sysdep_sa_len((struct sockaddr *)dst))
1215 + sizeof(struct sadb_lifetime)
1216 + sizeof(struct sadb_lifetime)
1217 + ((ifa != NULL && ifa->ifa_name != NULL) ? sizeof(struct sadb_x_ipsecif) : 0);
1218
1219 if (e_type != SADB_EALG_NONE && satype != SADB_X_SATYPE_IPCOMP)
1220 len += (sizeof(struct sadb_key) + PFKEY_ALIGN8(e_keylen));
1221 if (a_type != SADB_AALG_NONE)
1222 len += (sizeof(struct sadb_key) + PFKEY_ALIGN8(a_keylen));
1223
1224 if ((newmsg = CALLOC((size_t)len, struct sadb_msg *)) == NULL) {
1225 __ipsec_set_strerror(strerror(errno));
1226 goto err;
1227 }
1228 ep = ((caddr_t)(void *)newmsg) + len;
1229
1230 p = pfkey_setsadbmsg((void *)newmsg, ep, type, (u_int)len,
1231 satype, seq, getpid());
1232 if (!p) {
1233 free(newmsg);
1234 freeifaddrs(ifap);
1235 return -1;
1236 }
1237 p = pfkey_setsadbsa(p, ep, spi, wsize, a_type, e_type, flags, port);
1238 if (!p) {
1239 goto err;
1240 }
1241 p = pfkey_setsadbxsa2(p, ep, mode, reqid, always_expire);
1242 if (!p) {
1243 goto err;
1244 }
1245 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, (u_int)plen,
1246 IPSEC_ULPROTO_ANY);
1247 if (!p) {
1248 goto err;
1249 }
1250 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, (u_int)plen,
1251 IPSEC_ULPROTO_ANY);
1252 if (!p) {
1253 goto err;
1254 }
1255
1256 if (ifa != NULL && ifa->ifa_name != NULL) {
1257 p = pfkey_setsadbipsecif(p, ep, NULL, ifa->ifa_name, NULL, 0);
1258 if (!p) {
1259 goto err;
1260 }
1261 }
1262
1263 if (e_type != SADB_EALG_NONE && satype != SADB_X_SATYPE_IPCOMP) {
1264 p = pfkey_setsadbkey(p, ep, SADB_EXT_KEY_ENCRYPT,
1265 keymat, e_keylen);
1266 if (!p) {
1267 goto err;
1268 }
1269 }
1270 if (a_type != SADB_AALG_NONE) {
1271 p = pfkey_setsadbkey(p, ep, SADB_EXT_KEY_AUTH,
1272 keymat + e_keylen, a_keylen);
1273 if (!p) {
1274 goto err;
1275 }
1276 }
1277
1278 /* set sadb_lifetime for destination */
1279 p = pfkey_setsadblifetime(p, ep, SADB_EXT_LIFETIME_HARD,
1280 l_alloc, l_bytes, l_addtime, l_usetime);
1281 if (!p) {
1282 goto err;
1283 }
1284 p = pfkey_setsadblifetime(p, ep, SADB_EXT_LIFETIME_SOFT,
1285 l_alloc, l_bytes, l_addtime, l_usetime);
1286 if (!p) {
1287 goto err;
1288 }
1289
1290 if (p != ep) {
1291 goto err;
1292 }
1293
1294 /* send message */
1295 len = pfkey_send(so, newmsg, len);
1296 if (len < 0) {
1297 goto err;
1298 }
1299
1300 __ipsec_errcode = EIPSEC_NO_ERROR;
1301 ret = len;
1302
1303 err:
1304 if (ifap != NULL) {
1305 freeifaddrs(ifap);
1306 }
1307
1308 if (newmsg != NULL) {
1309 free(newmsg);
1310 }
1311
1312 return ret;
1313 }
1314
1315
1316 /* sending SADB_DELETE or SADB_GET message to the kernel */
1317 /*ARGSUSED*/
1318 static int
1319 pfkey_send_x2(int so, u_int type, u_int satype, u_int mode, struct sockaddr_storage *src, struct sockaddr_storage *dst, u_int32_t spi)
1320 {
1321 struct sadb_msg *newmsg;
1322 int len;
1323 caddr_t p;
1324 int plen;
1325 caddr_t ep;
1326
1327 /* validity check */
1328 if (src == NULL || dst == NULL) {
1329 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
1330 return -1;
1331 }
1332 if (src->ss_family != dst->ss_family) {
1333 __ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
1334 return -1;
1335 }
1336 switch (src->ss_family) {
1337 case AF_INET:
1338 plen = sizeof(struct in_addr) << 3;
1339 break;
1340 case AF_INET6:
1341 plen = sizeof(struct in6_addr) << 3;
1342 break;
1343 default:
1344 __ipsec_errcode = EIPSEC_INVAL_FAMILY;
1345 return -1;
1346 }
1347
1348 /* create new sadb_msg to reply. */
1349 len = sizeof(struct sadb_msg)
1350 + sizeof(struct sadb_sa_2)
1351 + sizeof(struct sadb_address)
1352 + PFKEY_ALIGN8(sysdep_sa_len((struct sockaddr *)src))
1353 + sizeof(struct sadb_address)
1354 + PFKEY_ALIGN8(sysdep_sa_len((struct sockaddr *)dst));
1355
1356 if ((newmsg = CALLOC((size_t)len, struct sadb_msg *)) == NULL) {
1357 __ipsec_set_strerror(strerror(errno));
1358 return -1;
1359 }
1360 ep = ((caddr_t)(void *)newmsg) + len;
1361
1362 p = pfkey_setsadbmsg((void *)newmsg, ep, type, (u_int)len, satype, 0,
1363 getpid());
1364 if (!p) {
1365 free(newmsg);
1366 return -1;
1367 }
1368 p = pfkey_setsadbsa(p, ep, spi, 0, 0, 0, 0, 0);
1369 if (!p) {
1370 free(newmsg);
1371 return -1;
1372 }
1373 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, (u_int)plen,
1374 IPSEC_ULPROTO_ANY);
1375 if (!p) {
1376 free(newmsg);
1377 return -1;
1378 }
1379 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, (u_int)plen,
1380 IPSEC_ULPROTO_ANY);
1381 if (!p || p != ep) {
1382 free(newmsg);
1383 return -1;
1384 }
1385
1386 /* send message */
1387 len = pfkey_send(so, newmsg, len);
1388 free(newmsg);
1389
1390 if (len < 0)
1391 return -1;
1392
1393 __ipsec_errcode = EIPSEC_NO_ERROR;
1394 return len;
1395 }
1396
1397 /*
1398 * sending SADB_REGISTER, SADB_FLUSH, SADB_DUMP or SADB_X_PROMISC message
1399 * to the kernel
1400 */
1401 static int
1402 pfkey_send_x3(int so, u_int type, u_int satype)
1403 {
1404 struct sadb_msg *newmsg;
1405 int len;
1406 caddr_t p;
1407 caddr_t ep;
1408
1409 /* validity check */
1410 switch (type) {
1411 case SADB_X_PROMISC:
1412 if (satype != 0 && satype != 1) {
1413 __ipsec_errcode = EIPSEC_INVAL_SATYPE;
1414 return -1;
1415 }
1416 break;
1417 default:
1418 switch (satype) {
1419 case SADB_SATYPE_UNSPEC:
1420 case SADB_SATYPE_AH:
1421 case SADB_SATYPE_ESP:
1422 case SADB_X_SATYPE_IPCOMP:
1423 #ifdef SADB_X_SATYPE_TCPSIGNATURE
1424 case SADB_X_SATYPE_TCPSIGNATURE:
1425 #endif
1426 break;
1427 default:
1428 __ipsec_errcode = EIPSEC_INVAL_SATYPE;
1429 return -1;
1430 }
1431 }
1432
1433 /* create new sadb_msg to send. */
1434 len = sizeof(struct sadb_msg);
1435
1436 if ((newmsg = CALLOC((size_t)len, struct sadb_msg *)) == NULL) {
1437 __ipsec_set_strerror(strerror(errno));
1438 return -1;
1439 }
1440 ep = ((caddr_t)(void *)newmsg) + len;
1441
1442 p = pfkey_setsadbmsg((void *)newmsg, ep, type, (u_int)len, satype, 0,
1443 getpid());
1444 if (!p || p != ep) {
1445 free(newmsg);
1446 return -1;
1447 }
1448
1449 /* send message */
1450 len = pfkey_send(so, newmsg, len);
1451 free(newmsg);
1452
1453 if (len < 0)
1454 return -1;
1455
1456 __ipsec_errcode = EIPSEC_NO_ERROR;
1457 return len;
1458 }
1459
1460 /* sending SADB_X_SPDADD message to the kernel */
1461 static int
1462 pfkey_send_x4(int so, u_int type, struct sockaddr_storage *src, struct sockaddr_storage *src_end, u_int prefs, struct sockaddr_storage *dst, struct sockaddr_storage *dst_end,
1463 u_int prefd, u_int proto, u_int64_t ltime, u_int64_t vtime, char *policy, int policylen, u_int32_t seq, char *ipsec_if, char *internal_if, char *outgoing_if,
1464 u_int disabled)
1465 {
1466 struct sadb_msg *newmsg;
1467 int len;
1468 caddr_t p;
1469 int plen;
1470 caddr_t ep;
1471 int include_ipsec_if_msg = 0;
1472
1473 /* validity check */
1474 if (src == NULL || dst == NULL) {
1475 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
1476 return -1;
1477 }
1478 if (src->ss_family != dst->ss_family) {
1479 __ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
1480 return -1;
1481 }
1482
1483 switch (src->ss_family) {
1484 case AF_INET:
1485 plen = sizeof(struct in_addr) << 3;
1486 break;
1487 case AF_INET6:
1488 plen = sizeof(struct in6_addr) << 3;
1489 break;
1490 default:
1491 __ipsec_errcode = EIPSEC_INVAL_FAMILY;
1492 return -1;
1493 }
1494 if (prefs > plen || prefd > plen) {
1495 __ipsec_errcode = EIPSEC_INVAL_PREFIXLEN;
1496 return -1;
1497 }
1498
1499 if (ipsec_if || internal_if || outgoing_if || disabled) {
1500 include_ipsec_if_msg = 1;
1501 }
1502
1503 /* create new sadb_msg to reply. */
1504 len = sizeof(struct sadb_msg)
1505 + sizeof(struct sadb_address)
1506 + PFKEY_ALIGN8(sysdep_sa_len((struct sockaddr *)src))
1507 + ((src_end) ? sizeof(struct sadb_address) + PFKEY_ALIGN8(sysdep_sa_len((struct sockaddr *)src_end)) : 0)
1508 + sizeof(struct sadb_address)
1509 + PFKEY_ALIGN8(sysdep_sa_len((struct sockaddr *)src))
1510 + ((dst_end) ? sizeof(struct sadb_address) + PFKEY_ALIGN8(sysdep_sa_len((struct sockaddr *)dst_end)) : 0)
1511 + ((include_ipsec_if_msg) ? sizeof(struct sadb_x_ipsecif) : 0)
1512 + sizeof(struct sadb_lifetime)
1513 + policylen;
1514
1515 if ((newmsg = CALLOC((size_t)len, struct sadb_msg *)) == NULL) {
1516 __ipsec_set_strerror(strerror(errno));
1517 return -1;
1518 }
1519 ep = ((caddr_t)(void *)newmsg) + len;
1520
1521 p = pfkey_setsadbmsg((void *)newmsg, ep, type, (u_int)len,
1522 SADB_SATYPE_UNSPEC, seq, getpid());
1523 if (!p) {
1524 free(newmsg);
1525 return -1;
1526 }
1527 if (src_end) {
1528 p = pfkey_setsadbaddr(p, ep, SADB_X_EXT_ADDR_RANGE_SRC_START, src, prefs, proto);
1529 if (!p) {
1530 free(newmsg);
1531 return -1;
1532 }
1533 p = pfkey_setsadbaddr(p, ep, SADB_X_EXT_ADDR_RANGE_SRC_END, src_end, prefs, proto);
1534 if (!p) {
1535 free(newmsg);
1536 return -1;
1537 }
1538 } else {
1539 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, prefs, proto);
1540 if (!p) {
1541 free(newmsg);
1542 return -1;
1543 }
1544 }
1545 if (dst_end) {
1546 p = pfkey_setsadbaddr(p, ep, SADB_X_EXT_ADDR_RANGE_DST_START, dst, prefd, proto);
1547 if (!p) {
1548 free(newmsg);
1549 return -1;
1550 }
1551 p = pfkey_setsadbaddr(p, ep, SADB_X_EXT_ADDR_RANGE_DST_END, dst_end, prefd, proto);
1552 if (!p) {
1553 free(newmsg);
1554 return -1;
1555 }
1556 } else {
1557 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, prefd, proto);
1558 if (!p) {
1559 free(newmsg);
1560 return -1;
1561 }
1562 }
1563 if (include_ipsec_if_msg) {
1564 p = pfkey_setsadbipsecif(p, ep, internal_if, outgoing_if, ipsec_if, disabled);
1565 if (!p) {
1566 free(newmsg);
1567 return -1;
1568 }
1569 }
1570 p = pfkey_setsadblifetime(p, ep, SADB_EXT_LIFETIME_HARD,
1571 0, 0, (u_int)ltime, (u_int)vtime);
1572 if (!p || p + policylen != ep) {
1573 free(newmsg);
1574 return -1;
1575 }
1576 memcpy(p, policy, (size_t)policylen);
1577
1578 /* send message */
1579 len = pfkey_send(so, newmsg, len);
1580 free(newmsg);
1581
1582 if (len < 0)
1583 return -1;
1584
1585 __ipsec_errcode = EIPSEC_NO_ERROR;
1586 return len;
1587 }
1588
1589 /* sending SADB_X_SPDGET or SADB_X_SPDDELETE message to the kernel */
1590 static int
1591 pfkey_send_x5(int so, u_int type, u_int32_t spid)
1592 {
1593 struct sadb_msg *newmsg;
1594 struct sadb_x_policy xpl;
1595 int len;
1596 caddr_t p;
1597 caddr_t ep;
1598
1599 /* create new sadb_msg to reply. */
1600 len = sizeof(struct sadb_msg)
1601 + sizeof(xpl);
1602
1603 if ((newmsg = CALLOC((size_t)len, struct sadb_msg *)) == NULL) {
1604 __ipsec_set_strerror(strerror(errno));
1605 return -1;
1606 }
1607 ep = ((caddr_t)(void *)newmsg) + len;
1608
1609 p = pfkey_setsadbmsg((void *)newmsg, ep, type, (u_int)len,
1610 SADB_SATYPE_UNSPEC, 0, getpid());
1611 if (!p) {
1612 free(newmsg);
1613 return -1;
1614 }
1615
1616 if (p + sizeof(xpl) != ep) {
1617 free(newmsg);
1618 return -1;
1619 }
1620 memset(&xpl, 0, sizeof(xpl));
1621 xpl.sadb_x_policy_len = PFKEY_UNIT64(sizeof(xpl));
1622 xpl.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
1623 xpl.sadb_x_policy_id = spid;
1624 memcpy(p, &xpl, sizeof(xpl));
1625
1626 /* send message */
1627 len = pfkey_send(so, newmsg, len);
1628 free(newmsg);
1629
1630 if (len < 0)
1631 return -1;
1632
1633 __ipsec_errcode = EIPSEC_NO_ERROR;
1634 return len;
1635 }
1636
1637 /*
1638 * open a socket.
1639 * OUT:
1640 * -1: fail.
1641 * others : success and return value of socket.
1642 */
1643 int
1644 pfkey_open()
1645 {
1646 int so;
1647 int bufsiz = 0; /* Max allowed by default */
1648 const unsigned long newbufk = 2176;
1649 unsigned long oldmax;
1650 size_t oldmaxsize = sizeof(oldmax);
1651 unsigned long newmax = newbufk * (1024 + 128);
1652
1653 if ((so = socket(PF_KEY, SOCK_RAW, PF_KEY_V2)) < 0) {
1654 __ipsec_set_strerror(strerror(errno));
1655 return -1;
1656 }
1657
1658 /*
1659 * This is a temporary workaround for KAME PR 154.
1660 * Don't really care even if it fails.
1661 */
1662 if (sysctlbyname("kern.ipc.maxsockbuf", &oldmax, &oldmaxsize, &newmax, sizeof(newmax)) != 0)
1663 bufsiz = 233016; /* Max allowed by default */
1664 else
1665 bufsiz = newbufk * 1024;
1666
1667 setsockopt(so, SOL_SOCKET, SO_SNDBUF, &bufsiz, sizeof(bufsiz));
1668 setsockopt(so, SOL_SOCKET, SO_RCVBUF, &bufsiz, sizeof(bufsiz));
1669
1670 if (bufsiz == newbufk * 1024)
1671 sysctlbyname("kern.ipc.maxsockbuf", NULL, NULL, &oldmax, oldmaxsize);
1672
1673 __ipsec_errcode = EIPSEC_NO_ERROR;
1674 return so;
1675 }
1676
1677 /*
1678 * close a socket.
1679 * OUT:
1680 * 0: success.
1681 * -1: fail.
1682 */
1683 void
1684 pfkey_close_sock(int so)
1685 {
1686 (void)close(so);
1687
1688 __ipsec_errcode = EIPSEC_NO_ERROR;
1689 return;
1690 }
1691
1692 /*
1693 * receive sadb_msg data, and return pointer to new buffer allocated.
1694 * Must free this buffer later.
1695 * OUT:
1696 * NULL : error occured.
1697 * others : a pointer to sadb_msg structure.
1698 *
1699 * XXX should be rewritten to pass length explicitly
1700 */
1701 struct sadb_msg *
1702 pfkey_recv(int so)
1703 {
1704 struct sadb_msg buf, *newmsg;
1705 ssize_t len;
1706 int reallen;
1707
1708 while ((len = recv(so, (void *)&buf, sizeof(buf), MSG_PEEK)) < 0) {
1709 if (errno == EINTR)
1710 continue;
1711 __ipsec_set_strerror(strerror(errno));
1712 return NULL;
1713 }
1714
1715 if (len < sizeof(buf)) {
1716 recv(so, (void *)&buf, sizeof(buf), 0);
1717 __ipsec_errcode = EIPSEC_MAX;
1718 return NULL;
1719 }
1720
1721 /* read real message */
1722 reallen = PFKEY_UNUNIT64(buf.sadb_msg_len);
1723 if ((newmsg = CALLOC((size_t)reallen, struct sadb_msg *)) == 0) {
1724 __ipsec_set_strerror(strerror(errno));
1725 return NULL;
1726 }
1727
1728 while ((len = recv(so, (void *)newmsg, (socklen_t)reallen, 0)) < 0) {
1729 if (errno == EINTR)
1730 continue;
1731 __ipsec_set_strerror(strerror(errno));
1732 free(newmsg);
1733 return NULL;
1734 }
1735
1736 if (len != reallen) {
1737 __ipsec_errcode = EIPSEC_SYSTEM_ERROR;
1738 free(newmsg);
1739 return NULL;
1740 }
1741
1742 /* don't trust what the kernel says, validate! */
1743 if (PFKEY_UNUNIT64(newmsg->sadb_msg_len) != len) {
1744 __ipsec_errcode = EIPSEC_SYSTEM_ERROR;
1745 free(newmsg);
1746 return NULL;
1747 }
1748
1749 __ipsec_errcode = EIPSEC_NO_ERROR;
1750 return newmsg;
1751 }
1752
1753 /*
1754 * send message to a socket.
1755 * OUT:
1756 * others: success and return length sent.
1757 * -1 : fail.
1758 */
1759 int
1760 pfkey_send(int so, struct sadb_msg *msg, int len)
1761 {
1762 if ((len = send(so, (void *)msg, (socklen_t)len, 0)) < 0) {
1763 __ipsec_set_strerror(strerror(errno));
1764 return -1;
1765 }
1766
1767 __ipsec_errcode = EIPSEC_NO_ERROR;
1768 return len;
1769 }
1770
1771 /*
1772 * %%% Utilities
1773 * NOTE: These functions are derived from netkey/key.c in KAME.
1774 */
1775 /*
1776 * set the pointer to each header in this message buffer.
1777 * IN: msg: pointer to message buffer.
1778 * mhp: pointer to the buffer initialized like below:
1779 * caddr_t mhp[SADB_EXT_MAX + 1];
1780 * OUT: -1: invalid.
1781 * 0: valid.
1782 *
1783 * XXX should be rewritten to obtain length explicitly
1784 */
1785 int
1786 pfkey_align(struct sadb_msg *msg, caddr_t *mhp)
1787 {
1788 struct sadb_ext *ext;
1789 int i;
1790 caddr_t p;
1791 caddr_t ep; /* XXX should be passed from upper layer */
1792
1793 /* validity check */
1794 if (msg == NULL || mhp == NULL) {
1795 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
1796 return -1;
1797 }
1798
1799 /* initialize */
1800 for (i = 0; i < SADB_EXT_MAX + 1; i++)
1801 mhp[i] = NULL;
1802
1803 mhp[0] = (void *)msg;
1804
1805 /* initialize */
1806 p = (void *) msg;
1807 ep = p + PFKEY_UNUNIT64(msg->sadb_msg_len);
1808
1809 /* skip base header */
1810 p += sizeof(struct sadb_msg);
1811
1812 while (p < ep) {
1813 ext = (void *)p;
1814 if (ep < p + sizeof(*ext) || PFKEY_EXTLEN(ext) < sizeof(*ext) ||
1815 ep < p + PFKEY_EXTLEN(ext)) {
1816 /* invalid format */
1817 break;
1818 }
1819
1820 /* duplicate check */
1821 /* XXX Are there duplication either KEY_AUTH or KEY_ENCRYPT ?*/
1822 if (mhp[ext->sadb_ext_type] != NULL) {
1823 __ipsec_errcode = EIPSEC_INVAL_EXTTYPE;
1824 return -1;
1825 }
1826
1827 /* set pointer */
1828 switch (ext->sadb_ext_type) {
1829 case SADB_EXT_SA:
1830 case SADB_EXT_LIFETIME_CURRENT:
1831 case SADB_EXT_LIFETIME_HARD:
1832 case SADB_EXT_LIFETIME_SOFT:
1833 case SADB_EXT_ADDRESS_SRC:
1834 case SADB_EXT_ADDRESS_DST:
1835 case SADB_EXT_ADDRESS_PROXY:
1836 case SADB_EXT_KEY_AUTH:
1837 /* XXX should to be check weak keys. */
1838 case SADB_EXT_KEY_ENCRYPT:
1839 /* XXX should to be check weak keys. */
1840 case SADB_EXT_IDENTITY_SRC:
1841 case SADB_EXT_IDENTITY_DST:
1842 case SADB_EXT_SENSITIVITY:
1843 case SADB_EXT_PROPOSAL:
1844 case SADB_EXT_SUPPORTED_AUTH:
1845 case SADB_EXT_SUPPORTED_ENCRYPT:
1846 case SADB_EXT_SPIRANGE:
1847 case SADB_X_EXT_POLICY:
1848 case SADB_X_EXT_SA2:
1849 case SADB_EXT_SESSION_ID:
1850 case SADB_EXT_SASTAT:
1851 #ifdef SADB_X_EXT_NAT_T_TYPE
1852 case SADB_X_EXT_NAT_T_TYPE:
1853 case SADB_X_EXT_NAT_T_SPORT:
1854 case SADB_X_EXT_NAT_T_DPORT:
1855 case SADB_X_EXT_NAT_T_OA:
1856 #endif
1857 #ifdef SADB_X_EXT_TAG
1858 case SADB_X_EXT_TAG:
1859 #endif
1860 #ifdef SADB_X_EXT_PACKET
1861 case SADB_X_EXT_PACKET:
1862 #endif
1863 case SADB_X_EXT_IPSECIF:
1864 case SADB_X_EXT_ADDR_RANGE_SRC_START:
1865 case SADB_X_EXT_ADDR_RANGE_SRC_END:
1866 case SADB_X_EXT_ADDR_RANGE_DST_START:
1867 case SADB_X_EXT_ADDR_RANGE_DST_END:
1868 mhp[ext->sadb_ext_type] = (void *)ext;
1869 break;
1870 default:
1871 __ipsec_errcode = EIPSEC_INVAL_EXTTYPE;
1872 return -1;
1873 }
1874
1875 p += PFKEY_EXTLEN(ext);
1876 }
1877
1878 if (p != ep) {
1879 __ipsec_errcode = EIPSEC_INVAL_SADBMSG;
1880 return -1;
1881 }
1882
1883 __ipsec_errcode = EIPSEC_NO_ERROR;
1884 return 0;
1885 }
1886
1887 /*
1888 * check basic usage for sadb_msg,
1889 * NOTE: This routine is derived from netkey/key.c in KAME.
1890 * IN: msg: pointer to message buffer.
1891 * mhp: pointer to the buffer initialized like below:
1892 *
1893 * caddr_t mhp[SADB_EXT_MAX + 1];
1894 *
1895 * OUT: -1: invalid.
1896 * 0: valid.
1897 */
1898 int
1899 pfkey_check(caddr_t * mhp)
1900 {
1901 struct sadb_msg *msg;
1902
1903 /* validity check */
1904 if (mhp == NULL || mhp[0] == NULL) {
1905 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
1906 return -1;
1907 }
1908
1909 msg = (void *)mhp[0];
1910
1911 /* check version */
1912 if (msg->sadb_msg_version != PF_KEY_V2) {
1913 __ipsec_errcode = EIPSEC_INVAL_VERSION;
1914 return -1;
1915 }
1916
1917 /* check type */
1918 if (msg->sadb_msg_type > SADB_MAX) {
1919 __ipsec_errcode = EIPSEC_INVAL_MSGTYPE;
1920 return -1;
1921 }
1922
1923 /* check SA type */
1924 switch (msg->sadb_msg_satype) {
1925 case SADB_SATYPE_UNSPEC:
1926 switch (msg->sadb_msg_type) {
1927 case SADB_GETSPI:
1928 case SADB_UPDATE:
1929 case SADB_ADD:
1930 case SADB_DELETE:
1931 case SADB_GET:
1932 case SADB_ACQUIRE:
1933 case SADB_EXPIRE:
1934 #ifdef SADB_X_NAT_T_NEW_MAPPING
1935 case SADB_X_NAT_T_NEW_MAPPING:
1936 #endif
1937 __ipsec_errcode = EIPSEC_INVAL_SATYPE;
1938 return -1;
1939 }
1940 break;
1941 case SADB_SATYPE_ESP:
1942 case SADB_SATYPE_AH:
1943 case SADB_X_SATYPE_IPCOMP:
1944 #ifdef SADB_X_SATYPE_TCPSIGNATURE
1945 case SADB_X_SATYPE_TCPSIGNATURE:
1946 #endif
1947 switch (msg->sadb_msg_type) {
1948 case SADB_X_SPDADD:
1949 case SADB_X_SPDDELETE:
1950 case SADB_X_SPDGET:
1951 case SADB_X_SPDDUMP:
1952 case SADB_X_SPDFLUSH:
1953 __ipsec_errcode = EIPSEC_INVAL_SATYPE;
1954 return -1;
1955 }
1956 #ifdef SADB_X_NAT_T_NEW_MAPPING
1957 if (msg->sadb_msg_type == SADB_X_NAT_T_NEW_MAPPING &&
1958 msg->sadb_msg_satype != SADB_SATYPE_ESP) {
1959 __ipsec_errcode = EIPSEC_INVAL_SATYPE;
1960 return -1;
1961 }
1962 #endif
1963 break;
1964 case SADB_SATYPE_RSVP:
1965 case SADB_SATYPE_OSPFV2:
1966 case SADB_SATYPE_RIPV2:
1967 case SADB_SATYPE_MIP:
1968 __ipsec_errcode = EIPSEC_NOT_SUPPORTED;
1969 return -1;
1970 case 1: /* XXX: What does it do ? */
1971 if (msg->sadb_msg_type == SADB_X_PROMISC)
1972 break;
1973 /*FALLTHROUGH*/
1974 default:
1975 __ipsec_errcode = EIPSEC_INVAL_SATYPE;
1976 return -1;
1977 }
1978
1979 /* check field of upper layer protocol and address family */
1980 if (mhp[SADB_EXT_ADDRESS_SRC] != NULL
1981 && mhp[SADB_EXT_ADDRESS_DST] != NULL) {
1982 struct sadb_address *src0, *dst0;
1983
1984 src0 = (void *)(mhp[SADB_EXT_ADDRESS_SRC]);
1985 dst0 = (void *)(mhp[SADB_EXT_ADDRESS_DST]);
1986
1987 if (src0->sadb_address_proto != dst0->sadb_address_proto) {
1988 __ipsec_errcode = EIPSEC_PROTO_MISMATCH;
1989 return -1;
1990 }
1991
1992 if (PFKEY_ADDR_SADDR(src0)->sa_family
1993 != PFKEY_ADDR_SADDR(dst0)->sa_family) {
1994 __ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
1995 return -1;
1996 }
1997
1998 switch (PFKEY_ADDR_SADDR(src0)->sa_family) {
1999 case AF_INET:
2000 case AF_INET6:
2001 break;
2002 default:
2003 __ipsec_errcode = EIPSEC_INVAL_FAMILY;
2004 return -1;
2005 }
2006
2007 /*
2008 * prefixlen == 0 is valid because there must be the case
2009 * all addresses are matched.
2010 */
2011 }
2012
2013 __ipsec_errcode = EIPSEC_NO_ERROR;
2014 return 0;
2015 }
2016
2017 /*
2018 * set data into sadb_msg.
2019 * `buf' must has been allocated sufficiently.
2020 */
2021 static caddr_t
2022 pfkey_setsadbmsg(caddr_t buf, caddr_t lim, u_int type, u_int tlen, u_int satype, u_int32_t seq, pid_t pid)
2023 {
2024 struct sadb_msg *p;
2025 u_int len;
2026
2027 p = (void *)buf;
2028 len = sizeof(struct sadb_msg);
2029
2030 if (buf + len > lim)
2031 return NULL;
2032
2033 memset(p, 0, len);
2034 p->sadb_msg_version = PF_KEY_V2;
2035 p->sadb_msg_type = type;
2036 p->sadb_msg_errno = 0;
2037 p->sadb_msg_satype = satype;
2038 p->sadb_msg_len = PFKEY_UNIT64(tlen);
2039 p->sadb_msg_reserved = 0;
2040 p->sadb_msg_seq = seq;
2041 p->sadb_msg_pid = (u_int32_t)pid;
2042
2043 return(buf + len);
2044 }
2045
2046 /*
2047 * copy secasvar data into sadb_address.
2048 * `buf' must has been allocated sufficiently.
2049 */
2050 static caddr_t
2051 pfkey_setsadbsa(caddr_t buf, caddr_t lim, u_int32_t spi, u_int wsize, u_int auth, u_int enc, u_int32_t flags, u_int16_t port)
2052 {
2053 struct sadb_sa_2 *p;
2054 u_int len;
2055
2056 p = (void *)buf;
2057 len = sizeof(struct sadb_sa_2);
2058
2059 if (buf + len > lim)
2060 return NULL;
2061
2062 memset(p, 0, len);
2063 p->sa.sadb_sa_len = PFKEY_UNIT64(len);
2064 p->sa.sadb_sa_exttype = SADB_EXT_SA;
2065 p->sa.sadb_sa_spi = spi;
2066 p->sa.sadb_sa_replay = wsize;
2067 p->sa.sadb_sa_state = SADB_SASTATE_LARVAL;
2068 p->sa.sadb_sa_auth = auth;
2069 p->sa.sadb_sa_encrypt = enc;
2070 p->sa.sadb_sa_flags = flags;
2071 p->sadb_sa_natt_port = port;
2072
2073 return(buf + len);
2074 }
2075
2076 /*
2077 * set data into sadb_address.
2078 * `buf' must has been allocated sufficiently.
2079 * prefixlen is in bits.
2080 */
2081 static caddr_t
2082 pfkey_setsadbaddr(caddr_t buf, caddr_t lim, u_int exttype, struct sockaddr_storage *saddr, u_int prefixlen, u_int ul_proto)
2083 {
2084 struct sadb_address *p;
2085 u_int len;
2086
2087 p = (void *)buf;
2088 len = sizeof(struct sadb_address) + PFKEY_ALIGN8(sysdep_sa_len((struct sockaddr *)saddr));
2089
2090 if (buf + len > lim)
2091 return NULL;
2092
2093 memset(p, 0, len);
2094 p->sadb_address_len = PFKEY_UNIT64(len);
2095 p->sadb_address_exttype = exttype & 0xffff;
2096 p->sadb_address_proto = ul_proto & 0xff;
2097 p->sadb_address_prefixlen = prefixlen;
2098 p->sadb_address_reserved = 0;
2099
2100 memcpy(p + 1, saddr, (size_t)sysdep_sa_len((struct sockaddr *)saddr));
2101
2102 return(buf + len);
2103 }
2104
2105 /*
2106 * set sadb_key structure after clearing buffer with zero.
2107 * OUT: the pointer of buf + len.
2108 */
2109 static caddr_t
2110 pfkey_setsadbkey(caddr_t buf, caddr_t lim, u_int type, caddr_t key, u_int keylen)
2111 {
2112 struct sadb_key *p;
2113 u_int len;
2114
2115 p = (void *)buf;
2116 len = sizeof(struct sadb_key) + PFKEY_ALIGN8(keylen);
2117
2118 if (buf + len > lim)
2119 return NULL;
2120
2121 memset(p, 0, len);
2122 p->sadb_key_len = PFKEY_UNIT64(len);
2123 p->sadb_key_exttype = type;
2124 p->sadb_key_bits = keylen << 3;
2125 p->sadb_key_reserved = 0;
2126
2127 memcpy(p + 1, key, keylen);
2128
2129 return buf + len;
2130 }
2131
2132 /*
2133 * set sadb_lifetime structure after clearing buffer with zero.
2134 * OUT: the pointer of buf + len.
2135 */
2136 static caddr_t
2137 pfkey_setsadblifetime(caddr_t buf, caddr_t lim, u_int type, u_int32_t l_alloc,
2138 u_int32_t l_bytes, u_int32_t l_addtime, u_int32_t l_usetime)
2139 {
2140 struct sadb_lifetime *p;
2141 u_int len;
2142
2143 p = (void *)buf;
2144 len = sizeof(struct sadb_lifetime);
2145
2146 if (buf + len > lim)
2147 return NULL;
2148
2149 memset(p, 0, len);
2150 p->sadb_lifetime_len = PFKEY_UNIT64(len);
2151 p->sadb_lifetime_exttype = type;
2152
2153 switch (type) {
2154 case SADB_EXT_LIFETIME_SOFT:
2155 p->sadb_lifetime_allocations
2156 = (l_alloc * soft_lifetime_allocations_rate) /100;
2157 p->sadb_lifetime_bytes
2158 = (l_bytes * soft_lifetime_bytes_rate) /100;
2159 p->sadb_lifetime_addtime
2160 = (l_addtime * soft_lifetime_addtime_rate) /100;
2161 p->sadb_lifetime_usetime
2162 = (l_usetime * soft_lifetime_usetime_rate) /100;
2163 break;
2164 case SADB_EXT_LIFETIME_HARD:
2165 p->sadb_lifetime_allocations = l_alloc;
2166 p->sadb_lifetime_bytes = l_bytes;
2167 p->sadb_lifetime_addtime = l_addtime;
2168 p->sadb_lifetime_usetime = l_usetime;
2169 break;
2170 }
2171
2172 return buf + len;
2173 }
2174
2175 static caddr_t
2176 pfkey_setsadbipsecif(caddr_t buf, caddr_t lim, char *internal_if, char *outgoing_if, char *ipsec_if, int init_disabled)
2177 {
2178 struct sadb_x_ipsecif *p;
2179 u_int len;
2180
2181 p = (void *)buf;
2182 len = sizeof(struct sadb_x_ipsecif);
2183
2184 if (buf + len > lim)
2185 return NULL;
2186
2187 memset(p, 0, len);
2188 p->sadb_x_ipsecif_len = PFKEY_UNIT64(len);
2189 p->sadb_x_ipsecif_exttype = SADB_X_EXT_IPSECIF;
2190
2191 if (internal_if != NULL)
2192 strncpy(p->sadb_x_ipsecif_internal_if, internal_if, sizeof(p->sadb_x_ipsecif_internal_if) - 1);
2193 if (outgoing_if != NULL)
2194 strncpy(p->sadb_x_ipsecif_outgoing_if, outgoing_if, sizeof(p->sadb_x_ipsecif_outgoing_if) - 1);
2195 if (ipsec_if != NULL)
2196 strncpy(p->sadb_x_ipsecif_ipsec_if, ipsec_if, sizeof(p->sadb_x_ipsecif_ipsec_if) - 1);
2197
2198 p->sadb_x_ipsecif_init_disabled = init_disabled;
2199
2200 return (buf + len);
2201 }
2202
2203 /*
2204 * copy secasvar data into sadb_address.
2205 * `buf' must has been allocated sufficiently.
2206 */
2207 static caddr_t
2208 pfkey_setsadbxsa2(caddr_t buf, caddr_t lim, u_int32_t mode0, u_int32_t reqid, u_int always_expire)
2209 {
2210 struct sadb_x_sa2 *p;
2211 u_int8_t mode = mode0 & 0xff;
2212 u_int len;
2213
2214 p = (void *)buf;
2215 len = sizeof(struct sadb_x_sa2);
2216
2217 if (buf + len > lim)
2218 return NULL;
2219
2220 memset(p, 0, len);
2221 p->sadb_x_sa2_len = PFKEY_UNIT64(len);
2222 p->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
2223 p->sadb_x_sa2_mode = mode;
2224 p->sadb_x_sa2_reqid = reqid;
2225 p->sadb_x_sa2_alwaysexpire = always_expire;
2226 #ifdef SADB_X_EXT_SA2_DELETE_ON_DETACH
2227 p->sadb_x_sa2_flags |= SADB_X_EXT_SA2_DELETE_ON_DETACH;
2228 #endif /* SADB_X_EXT_SA2_DELETE_ON_DETACH */
2229
2230 return(buf + len);
2231 }
2232
2233 #ifdef SADB_X_EXT_NAT_T_TYPE
2234 static caddr_t
2235 pfkey_set_natt_type(caddr_t buf, caddr_t lim, u_int type, u_int8_t l_natt_type)
2236 {
2237 struct sadb_x_nat_t_type *p;
2238 u_int len;
2239
2240 p = (void *)buf;
2241 len = sizeof(struct sadb_x_nat_t_type);
2242
2243 if (buf + len > lim)
2244 return NULL;
2245
2246 memset(p, 0, len);
2247 p->sadb_x_nat_t_type_len = PFKEY_UNIT64(len);
2248 p->sadb_x_nat_t_type_exttype = type;
2249 p->sadb_x_nat_t_type_type = l_natt_type;
2250
2251 return(buf + len);
2252 }
2253
2254 static caddr_t
2255 pfkey_set_natt_port(caddr_t buf, caddr_t lim, u_int type, u_int16_t l_natt_port)
2256 {
2257 struct sadb_x_nat_t_port *p;
2258 u_int len;
2259
2260 p = (void *)buf;
2261 len = sizeof(struct sadb_x_nat_t_port);
2262
2263 if (buf + len > lim)
2264 return NULL;
2265
2266 memset(p, 0, len);
2267 p->sadb_x_nat_t_port_len = PFKEY_UNIT64(len);
2268 p->sadb_x_nat_t_port_exttype = type;
2269 p->sadb_x_nat_t_port_port = htons(l_natt_port);
2270
2271 return(buf + len);
2272 }
2273 #endif
2274
2275 #ifdef SADB_X_EXT_NAT_T_FRAG
2276 static caddr_t
2277 pfkey_set_natt_frag(caddr_t buf, caddr_t lim, u_int type, u_int16_t l_natt_frag)
2278 {
2279 struct sadb_x_nat_t_frag *p;
2280 u_int len;
2281
2282 p = (void *)buf;
2283 len = sizeof(struct sadb_x_nat_t_frag);
2284
2285 if (buf + len > lim)
2286 return NULL;
2287
2288 memset(p, 0, len);
2289 p->sadb_x_nat_t_frag_len = PFKEY_UNIT64(len);
2290 p->sadb_x_nat_t_frag_exttype = type;
2291 p->sadb_x_nat_t_frag_fraglen = l_natt_frag;
2292
2293 return(buf + len);
2294 }
2295 #endif
2296
2297
2298 static caddr_t
2299 pfkey_setsadbsession_id (caddr_t buf,
2300 caddr_t lim,
2301 u_int64_t session_ids[],
2302 u_int32_t max_session_ids)
2303 {
2304 struct sadb_session_id *p;
2305 u_int len;
2306
2307 if (!max_session_ids)
2308 return NULL;
2309
2310 p = (void *)buf;
2311 len = sizeof(*p);
2312
2313 if (buf + len > lim)
2314 return NULL;
2315
2316 bzero(p, len);
2317 p->sadb_session_id_len = PFKEY_UNIT64(len);
2318 p->sadb_session_id_exttype = SADB_EXT_SESSION_ID;
2319 p->sadb_session_id_v[0] = session_ids[0];
2320 if (max_session_ids > 1)
2321 p->sadb_session_id_v[1] = session_ids[1];
2322
2323 return(buf + len);
2324 }
2325
2326 static caddr_t
2327 pfkey_setsadbsastats (caddr_t buf,
2328 caddr_t lim,
2329 u_int32_t dir,
2330 struct sastat *stats,
2331 u_int32_t max_stats)
2332 {
2333 struct sadb_sastat *p;
2334 u_int len, list_len;
2335
2336 if (!stats || !max_stats)
2337 return NULL;
2338
2339 p = ALIGNED_CAST(__typeof__(p))buf; // Wcast-align fix - buffer passed to here is malloc'd message buffer
2340 list_len = sizeof(*stats) * max_stats;
2341 len = sizeof(*p) + PFKEY_ALIGN8(list_len);
2342
2343 if (buf + len > lim)
2344 return NULL;
2345
2346 bzero(p, len);
2347 p->sadb_sastat_len = PFKEY_UNIT64(len);
2348 p->sadb_sastat_exttype = SADB_EXT_SASTAT;
2349 p->sadb_sastat_dir = dir;
2350 p->sadb_sastat_list_len = max_stats;
2351 bcopy(stats, p + 1, list_len);
2352
2353 return(buf + len);
2354 }
2355
2356 int
2357 pfkey_send_getsastats (int so,
2358 u_int32_t seq,
2359 u_int64_t *session_ids,
2360 u_int32_t max_session_ids,
2361 u_int8_t dir,
2362 struct sastat *stats,
2363 u_int32_t max_stats)
2364 {
2365 struct sadb_msg *newmsg;
2366 caddr_t ep;
2367 int list_len, out_len, len;
2368 caddr_t p;
2369
2370 if (!session_ids || !stats || !max_stats) {
2371 return -1;
2372 }
2373
2374 list_len = sizeof(*stats) * max_stats;
2375 /* create new sadb_msg to send. */
2376 out_len = sizeof(struct sadb_msg) + sizeof(struct sadb_session_id) + sizeof(struct sadb_sastat) + PFKEY_ALIGN8(list_len);
2377
2378 if ((newmsg = CALLOC((size_t)out_len, struct sadb_msg *)) == NULL) {
2379 __ipsec_set_strerror(strerror(errno));
2380 return -1;
2381 }
2382 ep = ((caddr_t)(void *)newmsg) + out_len;
2383
2384 p = pfkey_setsadbmsg((void *)newmsg, ep, SADB_GETSASTAT, (u_int)out_len, SADB_SATYPE_UNSPEC, seq, getpid());
2385 if (!p) {
2386 free(newmsg);
2387 return -1;
2388 }
2389
2390 p = pfkey_setsadbsession_id(p, ep, session_ids, max_session_ids);
2391 if (!p) {
2392 free(newmsg);
2393 return -1;
2394 }
2395
2396 p = pfkey_setsadbsastats(p, ep, dir, stats, max_stats);
2397 if (!p) {
2398 free(newmsg);
2399 return -1;
2400 }
2401
2402 /* send message */
2403 len = pfkey_send(so, newmsg, out_len);
2404 free(newmsg);
2405
2406 if (len < 0)
2407 return -1;
2408
2409 __ipsec_errcode = EIPSEC_NO_ERROR;
2410 return len;
2411 }
mirror of ipsec