1 /* $KAME: pfkey.c,v 1.46 2003/08/26 03:37:06 itojun Exp $ */
4 * SPDX-License-Identifier: BSD-3-Clause
6 * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 #include <sys/cdefs.h>
35 __FBSDID("$FreeBSD$");
37 #include <sys/types.h>
38 #include <sys/param.h>
39 #include <sys/socket.h>
40 #include <net/pfkeyv2.h>
41 #include <netipsec/key_var.h>
42 #include <netinet/in.h>
43 #include <netipsec/ipsec.h>
51 #include "ipsec_strerror.h"
54 #define CALLOC(size, cast) (cast)calloc(1, (size))
56 static int findsupportedmap(int);
57 static int setsupportedmap(struct sadb_supported *);
58 static struct sadb_alg *findsupportedalg(u_int, u_int);
59 static int pfkey_send_x1(int, u_int, u_int, u_int, struct sockaddr *,
60 struct sockaddr *, u_int32_t, u_int32_t, u_int, caddr_t,
61 u_int, u_int, u_int, u_int, u_int, u_int32_t, u_int32_t,
62 u_int32_t, u_int32_t, u_int32_t);
63 static int pfkey_send_x2(int, u_int, u_int, u_int,
64 struct sockaddr *, struct sockaddr *, u_int32_t);
65 static int pfkey_send_x3(int, u_int, u_int);
66 static int pfkey_send_x4(int, u_int, struct sockaddr *, u_int,
67 struct sockaddr *, u_int, u_int, u_int64_t, u_int64_t,
68 char *, int, u_int32_t);
69 static int pfkey_send_x5(int, u_int, u_int32_t);
71 static caddr_t pfkey_setsadbmsg(caddr_t, caddr_t, u_int, u_int,
72 u_int, u_int32_t, pid_t);
73 static caddr_t pfkey_setsadbsa(caddr_t, caddr_t, u_int32_t, u_int,
74 u_int, u_int, u_int32_t);
75 static caddr_t pfkey_setsadbxreplay(caddr_t, caddr_t, uint32_t);
76 static caddr_t pfkey_setsadbaddr(caddr_t, caddr_t, u_int,
77 struct sockaddr *, u_int, u_int);
78 static caddr_t pfkey_setsadbkey(caddr_t, caddr_t, u_int, caddr_t, u_int);
79 static caddr_t pfkey_setsadblifetime(caddr_t, caddr_t, u_int, u_int32_t,
80 u_int32_t, u_int32_t, u_int32_t);
81 static caddr_t pfkey_setsadbxsa2(caddr_t, caddr_t, u_int32_t, u_int32_t);
84 * make and search supported algorithm structure.
86 static struct sadb_supported *ipsec_supported[] = { NULL, NULL, NULL, NULL };
88 static int supported_map[] = {
92 SADB_X_SATYPE_TCPSIGNATURE
96 findsupportedmap(int satype)
100 for (i = 0; i < sizeof(supported_map)/sizeof(supported_map[0]); i++)
101 if (supported_map[i] == satype)
106 static struct sadb_alg *
107 findsupportedalg(u_int satype, u_int alg_id)
114 algno = findsupportedmap(satype);
116 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
119 if (ipsec_supported[algno] == NULL) {
120 __ipsec_errcode = EIPSEC_DO_GET_SUPP_LIST;
124 tlen = ipsec_supported[algno]->sadb_supported_len
125 - sizeof(struct sadb_supported);
126 p = (caddr_t)(ipsec_supported[algno] + 1);
128 if (tlen < sizeof(struct sadb_alg)) {
132 if (((struct sadb_alg *)p)->sadb_alg_id == alg_id)
133 return (struct sadb_alg *)p;
135 tlen -= sizeof(struct sadb_alg);
136 p += sizeof(struct sadb_alg);
139 __ipsec_errcode = EIPSEC_NOT_SUPPORTED;
144 setsupportedmap(struct sadb_supported *sup)
146 struct sadb_supported **ipsup;
148 switch (sup->sadb_supported_exttype) {
149 case SADB_EXT_SUPPORTED_AUTH:
150 ipsup = &ipsec_supported[findsupportedmap(SADB_SATYPE_AH)];
152 case SADB_EXT_SUPPORTED_ENCRYPT:
153 ipsup = &ipsec_supported[findsupportedmap(SADB_SATYPE_ESP)];
156 __ipsec_errcode = EIPSEC_INVAL_SATYPE;
163 *ipsup = malloc(sup->sadb_supported_len);
165 __ipsec_set_strerror(strerror(errno));
168 memcpy(*ipsup, sup, sup->sadb_supported_len);
174 * check key length against algorithm specified.
175 * This function is called with SADB_EXT_SUPPORTED_{AUTH,ENCRYPT} as the
176 * augument, and only calls to ipsec_check_keylen2();
177 * keylen is the unit of bit.
183 ipsec_check_keylen(u_int supported, u_int alg_id, u_int keylen)
189 case SADB_EXT_SUPPORTED_AUTH:
190 satype = SADB_SATYPE_AH;
192 case SADB_EXT_SUPPORTED_ENCRYPT:
193 satype = SADB_SATYPE_ESP;
196 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
200 return ipsec_check_keylen2(satype, alg_id, keylen);
204 * check key length against algorithm specified.
205 * satype is one of satype defined at pfkeyv2.h.
206 * keylen is the unit of bit.
212 ipsec_check_keylen2(u_int satype, u_int alg_id, u_int keylen)
214 struct sadb_alg *alg;
216 alg = findsupportedalg(satype, alg_id);
220 if (keylen < alg->sadb_alg_minbits || keylen > alg->sadb_alg_maxbits) {
221 __ipsec_errcode = EIPSEC_INVAL_KEYLEN;
225 __ipsec_errcode = EIPSEC_NO_ERROR;
230 * get max/min key length against algorithm specified.
231 * satype is one of satype defined at pfkeyv2.h.
232 * keylen is the unit of bit.
238 ipsec_get_keylen(u_int supported, u_int alg_id, struct sadb_alg *alg0)
240 struct sadb_alg *alg;
245 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
250 case SADB_EXT_SUPPORTED_AUTH:
251 satype = SADB_SATYPE_AH;
253 case SADB_EXT_SUPPORTED_ENCRYPT:
254 satype = SADB_SATYPE_ESP;
257 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
261 alg = findsupportedalg(satype, alg_id);
265 memcpy(alg0, alg, sizeof(*alg0));
267 __ipsec_errcode = EIPSEC_NO_ERROR;
272 * set the rate for SOFT lifetime against HARD one.
273 * If rate is more than 100 or equal to zero, then set to 100.
275 static u_int soft_lifetime_allocations_rate = PFKEY_SOFT_LIFETIME_RATE;
276 static u_int soft_lifetime_bytes_rate = PFKEY_SOFT_LIFETIME_RATE;
277 static u_int soft_lifetime_addtime_rate = PFKEY_SOFT_LIFETIME_RATE;
278 static u_int soft_lifetime_usetime_rate = PFKEY_SOFT_LIFETIME_RATE;
281 pfkey_set_softrate(u_int type, u_int rate)
283 __ipsec_errcode = EIPSEC_NO_ERROR;
285 if (rate > 100 || rate == 0)
289 case SADB_X_LIFETIME_ALLOCATIONS:
290 soft_lifetime_allocations_rate = rate;
292 case SADB_X_LIFETIME_BYTES:
293 soft_lifetime_bytes_rate = rate;
295 case SADB_X_LIFETIME_ADDTIME:
296 soft_lifetime_addtime_rate = rate;
298 case SADB_X_LIFETIME_USETIME:
299 soft_lifetime_usetime_rate = rate;
303 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
308 * get current rate for SOFT lifetime against HARD one.
309 * ATTENTION: ~0 is returned if invalid type was passed.
312 pfkey_get_softrate(u_int type)
315 case SADB_X_LIFETIME_ALLOCATIONS:
316 return soft_lifetime_allocations_rate;
317 case SADB_X_LIFETIME_BYTES:
318 return soft_lifetime_bytes_rate;
319 case SADB_X_LIFETIME_ADDTIME:
320 return soft_lifetime_addtime_rate;
321 case SADB_X_LIFETIME_USETIME:
322 return soft_lifetime_usetime_rate;
329 * sending SADB_GETSPI message to the kernel.
331 * positive: success and return length sent.
332 * -1 : error occurred, and set errno.
335 pfkey_send_getspi(int so, u_int satype, u_int mode, struct sockaddr *src,
336 struct sockaddr *dst, u_int32_t min, uint32_t max, uint32_t reqid,
339 struct sadb_msg *newmsg;
342 int need_spirange = 0;
347 if (src == NULL || dst == NULL) {
348 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
351 if (src->sa_family != dst->sa_family) {
352 __ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
355 if (min > max || (min > 0 && min <= 255)) {
356 __ipsec_errcode = EIPSEC_INVAL_SPI;
359 switch (src->sa_family) {
361 plen = sizeof(struct in_addr) << 3;
364 plen = sizeof(struct in6_addr) << 3;
367 __ipsec_errcode = EIPSEC_INVAL_FAMILY;
371 /* create new sadb_msg to send. */
372 len = sizeof(struct sadb_msg)
373 + sizeof(struct sadb_x_sa2)
374 + sizeof(struct sadb_address)
375 + PFKEY_ALIGN8(src->sa_len)
376 + sizeof(struct sadb_address)
377 + PFKEY_ALIGN8(dst->sa_len);
379 if (min > 255 && max < ~0) {
381 len += sizeof(struct sadb_spirange);
384 if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
385 __ipsec_set_strerror(strerror(errno));
388 ep = ((caddr_t)newmsg) + len;
390 p = pfkey_setsadbmsg((caddr_t)newmsg, ep, SADB_GETSPI,
391 len, satype, seq, getpid());
397 p = pfkey_setsadbxsa2(p, ep, mode, reqid);
403 /* set sadb_address for source */
404 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, plen,
411 /* set sadb_address for destination */
412 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, plen,
419 /* processing spi range */
421 struct sadb_spirange spirange;
423 if (p + sizeof(spirange) > ep) {
428 memset(&spirange, 0, sizeof(spirange));
429 spirange.sadb_spirange_len = PFKEY_UNIT64(sizeof(spirange));
430 spirange.sadb_spirange_exttype = SADB_EXT_SPIRANGE;
431 spirange.sadb_spirange_min = min;
432 spirange.sadb_spirange_max = max;
434 memcpy(p, &spirange, sizeof(spirange));
436 p += sizeof(spirange);
444 len = pfkey_send(so, newmsg, len);
450 __ipsec_errcode = EIPSEC_NO_ERROR;
455 * sending SADB_UPDATE message to the kernel.
456 * The length of key material is a_keylen + e_keylen.
458 * positive: success and return length sent.
459 * -1 : error occurred, and set errno.
462 pfkey_send_update(int so, u_int satype, u_int mode, struct sockaddr *src,
463 struct sockaddr *dst, u_int32_t spi, u_int32_t reqid, u_int wsize,
464 caddr_t keymat, u_int e_type, u_int e_keylen, u_int a_type, u_int a_keylen,
465 u_int flags, u_int32_t l_alloc, u_int64_t l_bytes, u_int64_t l_addtime,
466 u_int64_t l_usetime, u_int32_t seq)
469 if ((len = pfkey_send_x1(so, SADB_UPDATE, satype, mode, src, dst, spi,
471 keymat, e_type, e_keylen, a_type, a_keylen, flags,
472 l_alloc, l_bytes, l_addtime, l_usetime, seq)) < 0)
479 * sending SADB_ADD message to the kernel.
480 * The length of key material is a_keylen + e_keylen.
482 * positive: success and return length sent.
483 * -1 : error occurred, and set errno.
486 pfkey_send_add(int so, u_int satype, u_int mode, struct sockaddr *src,
487 struct sockaddr *dst, u_int32_t spi, u_int32_t reqid, u_int wsize,
488 caddr_t keymat, u_int e_type, u_int e_keylen, u_int a_type, u_int a_keylen,
489 u_int flags, u_int32_t l_alloc, u_int64_t l_bytes, u_int64_t l_addtime,
490 u_int64_t l_usetime, u_int32_t seq)
493 if ((len = pfkey_send_x1(so, SADB_ADD, satype, mode, src, dst, spi,
495 keymat, e_type, e_keylen, a_type, a_keylen, flags,
496 l_alloc, l_bytes, l_addtime, l_usetime, seq)) < 0)
503 * sending SADB_DELETE message to the kernel.
505 * positive: success and return length sent.
506 * -1 : error occurred, and set errno.
509 pfkey_send_delete(int so, u_int satype, u_int mode, struct sockaddr *src,
510 struct sockaddr *dst, u_int32_t spi)
513 if ((len = pfkey_send_x2(so, SADB_DELETE, satype, mode, src, dst, spi)) < 0)
520 * sending SADB_DELETE without spi to the kernel. This is
521 * the "delete all" request (an extension also present in
525 * positive: success and return length sent
526 * -1 : error occurred, and set errno
529 pfkey_send_delete_all(int so, u_int satype, u_int mode, struct sockaddr *src,
530 struct sockaddr *dst)
532 struct sadb_msg *newmsg;
539 if (src == NULL || dst == NULL) {
540 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
543 if (src->sa_family != dst->sa_family) {
544 __ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
547 switch (src->sa_family) {
549 plen = sizeof(struct in_addr) << 3;
552 plen = sizeof(struct in6_addr) << 3;
555 __ipsec_errcode = EIPSEC_INVAL_FAMILY;
559 /* create new sadb_msg to reply. */
560 len = sizeof(struct sadb_msg)
561 + sizeof(struct sadb_address)
562 + PFKEY_ALIGN8(src->sa_len)
563 + sizeof(struct sadb_address)
564 + PFKEY_ALIGN8(dst->sa_len);
566 if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
567 __ipsec_set_strerror(strerror(errno));
570 ep = ((caddr_t)newmsg) + len;
572 p = pfkey_setsadbmsg((caddr_t)newmsg, ep, SADB_DELETE, len, satype, 0,
578 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, plen,
584 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, plen,
592 len = pfkey_send(so, newmsg, len);
598 __ipsec_errcode = EIPSEC_NO_ERROR;
603 * sending SADB_GET message to the kernel.
605 * positive: success and return length sent.
606 * -1 : error occurred, and set errno.
609 pfkey_send_get(int so, u_int satype, u_int mode, struct sockaddr *src,
610 struct sockaddr *dst, u_int32_t spi)
613 if ((len = pfkey_send_x2(so, SADB_GET, satype, mode, src, dst, spi)) < 0)
620 * sending SADB_REGISTER message to the kernel.
622 * positive: success and return length sent.
623 * -1 : error occurred, and set errno.
626 pfkey_send_register(int so, u_int satype)
630 if (satype == SADB_SATYPE_UNSPEC) {
632 algno < sizeof(supported_map)/sizeof(supported_map[0]);
634 if (ipsec_supported[algno]) {
635 free(ipsec_supported[algno]);
636 ipsec_supported[algno] = NULL;
640 algno = findsupportedmap(satype);
642 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
646 if (ipsec_supported[algno]) {
647 free(ipsec_supported[algno]);
648 ipsec_supported[algno] = NULL;
652 if ((len = pfkey_send_x3(so, SADB_REGISTER, satype)) < 0)
659 * receiving SADB_REGISTER message from the kernel, and copy buffer for
660 * sadb_supported returned into ipsec_supported.
662 * 0: success and return length sent.
663 * -1: error occurred, and set errno.
666 pfkey_recv_register(int so)
668 pid_t pid = getpid();
669 struct sadb_msg *newmsg;
672 /* receive message */
674 if ((newmsg = pfkey_recv(so)) == NULL)
676 if (newmsg->sadb_msg_type == SADB_REGISTER &&
677 newmsg->sadb_msg_pid == pid)
683 newmsg->sadb_msg_len = PFKEY_UNUNIT64(newmsg->sadb_msg_len);
685 error = pfkey_set_supported(newmsg, newmsg->sadb_msg_len);
689 __ipsec_errcode = EIPSEC_NO_ERROR;
695 * receiving SADB_REGISTER message from the kernel, and copy buffer for
696 * sadb_supported returned into ipsec_supported.
697 * NOTE: sadb_msg_len must be host order.
699 * tlen: msg length, it's to makeing sure.
701 * 0: success and return length sent.
702 * -1: error occurred, and set errno.
705 pfkey_set_supported(struct sadb_msg *msg, int tlen)
707 struct sadb_supported *sup;
712 if (msg->sadb_msg_len != tlen) {
713 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
720 p += sizeof(struct sadb_msg);
723 sup = (struct sadb_supported *)p;
724 if (ep < p + sizeof(*sup) ||
725 PFKEY_EXTLEN(sup) < sizeof(*sup) ||
726 ep < p + sup->sadb_supported_len) {
731 switch (sup->sadb_supported_exttype) {
732 case SADB_EXT_SUPPORTED_AUTH:
733 case SADB_EXT_SUPPORTED_ENCRYPT:
736 __ipsec_errcode = EIPSEC_INVAL_SATYPE;
741 sup->sadb_supported_len = PFKEY_EXTLEN(sup);
743 /* set supported map */
744 if (setsupportedmap(sup) != 0)
747 p += sup->sadb_supported_len;
751 __ipsec_errcode = EIPSEC_INVAL_SATYPE;
755 __ipsec_errcode = EIPSEC_NO_ERROR;
761 * sending SADB_FLUSH message to the kernel.
763 * positive: success and return length sent.
764 * -1 : error occurred, and set errno.
767 pfkey_send_flush(int so, u_int satype)
771 if ((len = pfkey_send_x3(so, SADB_FLUSH, satype)) < 0)
778 * sending SADB_DUMP message to the kernel.
780 * positive: success and return length sent.
781 * -1 : error occurred, and set errno.
784 pfkey_send_dump(int so, u_int satype)
788 if ((len = pfkey_send_x3(so, SADB_DUMP, satype)) < 0)
795 * sending SADB_X_PROMISC message to the kernel.
796 * NOTE that this function handles promisc mode toggle only.
798 * flag: set promisc off if zero, set promisc on if non-zero.
800 * positive: success and return length sent.
801 * -1 : error occurred, and set errno.
802 * 0 : error occurred, and set errno.
803 * others: a pointer to new allocated buffer in which supported
807 pfkey_send_promisc_toggle(int so, int flag)
811 if ((len = pfkey_send_x3(so, SADB_X_PROMISC, (flag ? 1 : 0))) < 0)
818 * sending SADB_X_SPDADD message to the kernel.
820 * positive: success and return length sent.
821 * -1 : error occurred, and set errno.
824 pfkey_send_spdadd(int so, struct sockaddr *src, u_int prefs,
825 struct sockaddr *dst, u_int prefd, u_int proto, caddr_t policy,
826 int policylen, u_int32_t seq)
830 if ((len = pfkey_send_x4(so, SADB_X_SPDADD,
831 src, prefs, dst, prefd, proto,
833 policy, policylen, seq)) < 0)
840 * sending SADB_X_SPDADD message to the kernel.
842 * positive: success and return length sent.
843 * -1 : error occurred, and set errno.
846 pfkey_send_spdadd2(int so, struct sockaddr *src, u_int prefs,
847 struct sockaddr *dst, u_int prefd, u_int proto, u_int64_t ltime,
848 u_int64_t vtime, caddr_t policy, int policylen, u_int32_t seq)
852 if ((len = pfkey_send_x4(so, SADB_X_SPDADD,
853 src, prefs, dst, prefd, proto,
855 policy, policylen, seq)) < 0)
862 * sending SADB_X_SPDUPDATE message to the kernel.
864 * positive: success and return length sent.
865 * -1 : error occurred, and set errno.
868 pfkey_send_spdupdate(int so, struct sockaddr *src, u_int prefs,
869 struct sockaddr *dst, u_int prefd, u_int proto, caddr_t policy,
870 int policylen, u_int32_t seq)
874 if ((len = pfkey_send_x4(so, SADB_X_SPDUPDATE,
875 src, prefs, dst, prefd, proto,
877 policy, policylen, seq)) < 0)
884 * sending SADB_X_SPDUPDATE message to the kernel.
886 * positive: success and return length sent.
887 * -1 : error occurred, and set errno.
890 pfkey_send_spdupdate2(int so, struct sockaddr *src, u_int prefs,
891 struct sockaddr *dst, u_int prefd, u_int proto, u_int64_t ltime,
892 u_int64_t vtime, caddr_t policy, int policylen, u_int32_t seq)
896 if ((len = pfkey_send_x4(so, SADB_X_SPDUPDATE,
897 src, prefs, dst, prefd, proto,
899 policy, policylen, seq)) < 0)
906 * sending SADB_X_SPDDELETE message to the kernel.
908 * positive: success and return length sent.
909 * -1 : error occurred, and set errno.
912 pfkey_send_spddelete(int so, struct sockaddr *src, u_int prefs,
913 struct sockaddr *dst, u_int prefd, u_int proto, caddr_t policy,
914 int policylen, u_int32_t seq)
918 if (policylen != sizeof(struct sadb_x_policy)) {
919 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
923 if ((len = pfkey_send_x4(so, SADB_X_SPDDELETE,
924 src, prefs, dst, prefd, proto,
926 policy, policylen, seq)) < 0)
933 * sending SADB_X_SPDDELETE message to the kernel.
935 * positive: success and return length sent.
936 * -1 : error occurred, and set errno.
939 pfkey_send_spddelete2(int so, u_int32_t spid)
943 if ((len = pfkey_send_x5(so, SADB_X_SPDDELETE2, spid)) < 0)
950 * sending SADB_X_SPDGET message to the kernel.
952 * positive: success and return length sent.
953 * -1 : error occurred, and set errno.
956 pfkey_send_spdget(int so, u_int32_t spid)
960 if ((len = pfkey_send_x5(so, SADB_X_SPDGET, spid)) < 0)
967 * sending SADB_X_SPDSETIDX message to the kernel.
969 * positive: success and return length sent.
970 * -1 : error occurred, and set errno.
973 pfkey_send_spdsetidx(int so, struct sockaddr *src, u_int prefs,
974 struct sockaddr *dst, u_int prefd, u_int proto, caddr_t policy,
975 int policylen, u_int32_t seq)
979 if (policylen != sizeof(struct sadb_x_policy)) {
980 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
984 if ((len = pfkey_send_x4(so, SADB_X_SPDSETIDX,
985 src, prefs, dst, prefd, proto,
987 policy, policylen, seq)) < 0)
994 * sending SADB_SPDFLUSH message to the kernel.
996 * positive: success and return length sent.
997 * -1 : error occurred, and set errno.
1000 pfkey_send_spdflush(int so)
1004 if ((len = pfkey_send_x3(so, SADB_X_SPDFLUSH, SADB_SATYPE_UNSPEC)) < 0)
1011 * sending SADB_SPDDUMP message to the kernel.
1013 * positive: success and return length sent.
1014 * -1 : error occurred, and set errno.
1017 pfkey_send_spddump(int so)
1021 if ((len = pfkey_send_x3(so, SADB_X_SPDDUMP, SADB_SATYPE_UNSPEC)) < 0)
1027 /* sending SADB_ADD or SADB_UPDATE message to the kernel */
1029 pfkey_send_x1(int so, u_int type, u_int satype, u_int mode,
1030 struct sockaddr *src, struct sockaddr *dst, u_int32_t spi, u_int32_t reqid,
1031 u_int wsize, caddr_t keymat, u_int e_type, u_int e_keylen, u_int a_type,
1032 u_int a_keylen, u_int flags, u_int32_t l_alloc, u_int32_t l_bytes,
1033 u_int32_t l_addtime, u_int32_t l_usetime, u_int32_t seq)
1035 struct sadb_msg *newmsg;
1041 /* validity check */
1042 if (src == NULL || dst == NULL) {
1043 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
1046 if (src->sa_family != dst->sa_family) {
1047 __ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
1050 switch (src->sa_family) {
1052 plen = sizeof(struct in_addr) << 3;
1055 plen = sizeof(struct in6_addr) << 3;
1058 __ipsec_errcode = EIPSEC_INVAL_FAMILY;
1063 case SADB_SATYPE_ESP:
1064 if (e_type == SADB_EALG_NONE) {
1065 __ipsec_errcode = EIPSEC_NO_ALGS;
1069 case SADB_SATYPE_AH:
1070 if (e_type != SADB_EALG_NONE) {
1071 __ipsec_errcode = EIPSEC_INVAL_ALGS;
1074 if (a_type == SADB_AALG_NONE) {
1075 __ipsec_errcode = EIPSEC_NO_ALGS;
1079 case SADB_X_SATYPE_IPCOMP:
1080 if (e_type == SADB_X_CALG_NONE) {
1081 __ipsec_errcode = EIPSEC_INVAL_ALGS;
1084 if (a_type != SADB_AALG_NONE) {
1085 __ipsec_errcode = EIPSEC_NO_ALGS;
1089 case SADB_X_SATYPE_TCPSIGNATURE:
1090 if (e_type != SADB_EALG_NONE) {
1091 __ipsec_errcode = EIPSEC_INVAL_ALGS;
1094 if (a_type != SADB_X_AALG_TCP_MD5) {
1095 __ipsec_errcode = EIPSEC_INVAL_ALGS;
1100 __ipsec_errcode = EIPSEC_INVAL_SATYPE;
1104 /* create new sadb_msg to reply. */
1105 len = sizeof(struct sadb_msg)
1106 + sizeof(struct sadb_sa)
1107 + sizeof(struct sadb_x_sa2)
1108 + sizeof(struct sadb_address)
1109 + PFKEY_ALIGN8(src->sa_len)
1110 + sizeof(struct sadb_address)
1111 + PFKEY_ALIGN8(dst->sa_len)
1112 + sizeof(struct sadb_lifetime)
1113 + sizeof(struct sadb_lifetime);
1115 if (wsize > UINT8_MAX) {
1116 if (wsize > (UINT32_MAX - 32) >> 3) {
1117 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
1120 len += sizeof(struct sadb_x_sa_replay);
1122 if (e_type != SADB_EALG_NONE)
1123 len += (sizeof(struct sadb_key) + PFKEY_ALIGN8(e_keylen));
1124 if (a_type != SADB_AALG_NONE)
1125 len += (sizeof(struct sadb_key) + PFKEY_ALIGN8(a_keylen));
1127 if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
1128 __ipsec_set_strerror(strerror(errno));
1131 ep = ((caddr_t)newmsg) + len;
1133 p = pfkey_setsadbmsg((caddr_t)newmsg, ep, type, len,
1134 satype, seq, getpid());
1139 p = pfkey_setsadbsa(p, ep, spi, wsize, a_type, e_type, flags);
1144 p = pfkey_setsadbxsa2(p, ep, mode, reqid);
1149 if (wsize > UINT8_MAX) {
1150 p = pfkey_setsadbxreplay(p, ep, wsize);
1156 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, plen,
1162 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, plen,
1169 if (e_type != SADB_EALG_NONE) {
1170 p = pfkey_setsadbkey(p, ep, SADB_EXT_KEY_ENCRYPT,
1177 if (a_type != SADB_AALG_NONE) {
1178 p = pfkey_setsadbkey(p, ep, SADB_EXT_KEY_AUTH,
1179 keymat + e_keylen, a_keylen);
1186 /* set sadb_lifetime for destination */
1187 p = pfkey_setsadblifetime(p, ep, SADB_EXT_LIFETIME_HARD,
1188 l_alloc, l_bytes, l_addtime, l_usetime);
1193 p = pfkey_setsadblifetime(p, ep, SADB_EXT_LIFETIME_SOFT,
1194 l_alloc, l_bytes, l_addtime, l_usetime);
1195 if (!p || p != ep) {
1201 len = pfkey_send(so, newmsg, len);
1207 __ipsec_errcode = EIPSEC_NO_ERROR;
1211 /* sending SADB_DELETE or SADB_GET message to the kernel */
1213 pfkey_send_x2(int so, u_int type, u_int satype, u_int mode,
1214 struct sockaddr *src, struct sockaddr *dst, u_int32_t spi)
1216 struct sadb_msg *newmsg;
1222 /* validity check */
1223 if (src == NULL || dst == NULL) {
1224 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
1227 if (src->sa_family != dst->sa_family) {
1228 __ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
1231 switch (src->sa_family) {
1233 plen = sizeof(struct in_addr) << 3;
1236 plen = sizeof(struct in6_addr) << 3;
1239 __ipsec_errcode = EIPSEC_INVAL_FAMILY;
1243 /* create new sadb_msg to reply. */
1244 len = sizeof(struct sadb_msg)
1245 + sizeof(struct sadb_sa)
1246 + sizeof(struct sadb_address)
1247 + PFKEY_ALIGN8(src->sa_len)
1248 + sizeof(struct sadb_address)
1249 + PFKEY_ALIGN8(dst->sa_len);
1251 if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
1252 __ipsec_set_strerror(strerror(errno));
1255 ep = ((caddr_t)newmsg) + len;
1257 p = pfkey_setsadbmsg((caddr_t)newmsg, ep, type, len, satype, 0,
1263 p = pfkey_setsadbsa(p, ep, spi, 0, 0, 0, 0);
1268 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, plen,
1274 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, plen,
1276 if (!p || p != ep) {
1282 len = pfkey_send(so, newmsg, len);
1288 __ipsec_errcode = EIPSEC_NO_ERROR;
1293 * sending SADB_REGISTER, SADB_FLUSH, SADB_DUMP or SADB_X_PROMISC message
1297 pfkey_send_x3(int so, u_int type, u_int satype)
1299 struct sadb_msg *newmsg;
1304 /* validity check */
1306 case SADB_X_PROMISC:
1307 if (satype != 0 && satype != 1) {
1308 __ipsec_errcode = EIPSEC_INVAL_SATYPE;
1314 case SADB_SATYPE_UNSPEC:
1315 case SADB_SATYPE_AH:
1316 case SADB_SATYPE_ESP:
1317 case SADB_X_SATYPE_IPCOMP:
1318 case SADB_X_SATYPE_TCPSIGNATURE:
1321 __ipsec_errcode = EIPSEC_INVAL_SATYPE;
1326 /* create new sadb_msg to send. */
1327 len = sizeof(struct sadb_msg);
1329 if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
1330 __ipsec_set_strerror(strerror(errno));
1333 ep = ((caddr_t)newmsg) + len;
1335 p = pfkey_setsadbmsg((caddr_t)newmsg, ep, type, len, satype, 0,
1337 if (!p || p != ep) {
1343 len = pfkey_send(so, newmsg, len);
1349 __ipsec_errcode = EIPSEC_NO_ERROR;
1353 /* sending SADB_X_SPDADD message to the kernel */
1355 pfkey_send_x4(int so, u_int type, struct sockaddr *src, u_int prefs,
1356 struct sockaddr *dst, u_int prefd, u_int proto, u_int64_t ltime,
1357 u_int64_t vtime, char *policy, int policylen, u_int32_t seq)
1359 struct sadb_msg *newmsg;
1365 /* validity check */
1366 if (src == NULL || dst == NULL) {
1367 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
1370 if (src->sa_family != dst->sa_family) {
1371 __ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
1375 switch (src->sa_family) {
1377 plen = sizeof(struct in_addr) << 3;
1380 plen = sizeof(struct in6_addr) << 3;
1383 __ipsec_errcode = EIPSEC_INVAL_FAMILY;
1386 if (prefs > plen || prefd > plen) {
1387 __ipsec_errcode = EIPSEC_INVAL_PREFIXLEN;
1391 /* create new sadb_msg to reply. */
1392 len = sizeof(struct sadb_msg)
1393 + sizeof(struct sadb_address)
1394 + PFKEY_ALIGN8(src->sa_len)
1395 + sizeof(struct sadb_address)
1396 + PFKEY_ALIGN8(src->sa_len)
1397 + sizeof(struct sadb_lifetime)
1400 if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
1401 __ipsec_set_strerror(strerror(errno));
1404 ep = ((caddr_t)newmsg) + len;
1406 p = pfkey_setsadbmsg((caddr_t)newmsg, ep, type, len,
1407 SADB_SATYPE_UNSPEC, seq, getpid());
1412 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, prefs, proto);
1417 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, prefd, proto);
1422 p = pfkey_setsadblifetime(p, ep, SADB_EXT_LIFETIME_HARD,
1423 0, 0, ltime, vtime);
1424 if (!p || p + policylen != ep) {
1428 memcpy(p, policy, policylen);
1431 len = pfkey_send(so, newmsg, len);
1437 __ipsec_errcode = EIPSEC_NO_ERROR;
1441 /* sending SADB_X_SPDGET or SADB_X_SPDDELETE message to the kernel */
1443 pfkey_send_x5(int so, u_int type, u_int32_t spid)
1445 struct sadb_msg *newmsg;
1446 struct sadb_x_policy xpl;
1451 /* create new sadb_msg to reply. */
1452 len = sizeof(struct sadb_msg)
1455 if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
1456 __ipsec_set_strerror(strerror(errno));
1459 ep = ((caddr_t)newmsg) + len;
1461 p = pfkey_setsadbmsg((caddr_t)newmsg, ep, type, len,
1462 SADB_SATYPE_UNSPEC, 0, getpid());
1468 if (p + sizeof(xpl) != ep) {
1472 memset(&xpl, 0, sizeof(xpl));
1473 xpl.sadb_x_policy_len = PFKEY_UNIT64(sizeof(xpl));
1474 xpl.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
1475 xpl.sadb_x_policy_id = spid;
1476 memcpy(p, &xpl, sizeof(xpl));
1479 len = pfkey_send(so, newmsg, len);
1485 __ipsec_errcode = EIPSEC_NO_ERROR;
1493 * others : success and return value of socket.
1499 int bufsiz_current, bufsiz_wanted;
1503 if ((so = socket(PF_KEY, SOCK_RAW, PF_KEY_V2)) < 0) {
1504 __ipsec_set_strerror(strerror(errno));
1509 * This is a temporary workaround for KAME PR 154.
1510 * Don't really care even if it fails.
1512 /* Try to have 128k. If we have more, do not lower it. */
1513 bufsiz_wanted = 128 * 1024;
1514 len = sizeof(bufsiz_current);
1515 ret = getsockopt(so, SOL_SOCKET, SO_SNDBUF,
1516 &bufsiz_current, &len);
1517 if ((ret < 0) || (bufsiz_current < bufsiz_wanted))
1518 (void)setsockopt(so, SOL_SOCKET, SO_SNDBUF,
1519 &bufsiz_wanted, sizeof(bufsiz_wanted));
1521 /* Try to have have at least 2MB. If we have more, do not lower it. */
1522 bufsiz_wanted = 2 * 1024 * 1024;
1523 len = sizeof(bufsiz_current);
1524 ret = getsockopt(so, SOL_SOCKET, SO_RCVBUF,
1525 &bufsiz_current, &len);
1527 bufsiz_current = 128 * 1024;
1529 for (; bufsiz_wanted > bufsiz_current; bufsiz_wanted /= 2) {
1530 if (setsockopt(so, SOL_SOCKET, SO_RCVBUF,
1531 &bufsiz_wanted, sizeof(bufsiz_wanted)) == 0)
1535 __ipsec_errcode = EIPSEC_NO_ERROR;
1550 __ipsec_errcode = EIPSEC_NO_ERROR;
1555 * receive sadb_msg data, and return pointer to new buffer allocated.
1556 * Must free this buffer later.
1558 * NULL : error occurred.
1559 * others : a pointer to sadb_msg structure.
1561 * XXX should be rewritten to pass length explicitly
1566 struct sadb_msg buf, *newmsg;
1569 while ((len = recv(so, (caddr_t)&buf, sizeof(buf), MSG_PEEK)) < 0) {
1572 __ipsec_set_strerror(strerror(errno));
1576 if (len < sizeof(buf)) {
1577 recv(so, (caddr_t)&buf, sizeof(buf), 0);
1578 __ipsec_errcode = EIPSEC_MAX;
1582 /* read real message */
1583 reallen = PFKEY_UNUNIT64(buf.sadb_msg_len);
1584 if ((newmsg = CALLOC(reallen, struct sadb_msg *)) == NULL) {
1585 __ipsec_set_strerror(strerror(errno));
1589 while ((len = recv(so, (caddr_t)newmsg, reallen, 0)) < 0) {
1592 __ipsec_set_strerror(strerror(errno));
1597 if (len != reallen) {
1598 __ipsec_errcode = EIPSEC_SYSTEM_ERROR;
1603 /* don't trust what the kernel says, validate! */
1604 if (PFKEY_UNUNIT64(newmsg->sadb_msg_len) != len) {
1605 __ipsec_errcode = EIPSEC_SYSTEM_ERROR;
1610 __ipsec_errcode = EIPSEC_NO_ERROR;
1615 * send message to a socket.
1617 * others: success and return length sent.
1621 pfkey_send(int so, struct sadb_msg *msg, int len)
1623 if ((len = send(so, (caddr_t)msg, len, 0)) < 0) {
1624 __ipsec_set_strerror(strerror(errno));
1628 __ipsec_errcode = EIPSEC_NO_ERROR;
1634 * NOTE: These functions are derived from netkey/key.c in KAME.
1637 * set the pointer to each header in this message buffer.
1638 * IN: msg: pointer to message buffer.
1639 * mhp: pointer to the buffer initialized like below:
1640 * caddr_t mhp[SADB_EXT_MAX + 1];
1644 * XXX should be rewritten to obtain length explicitly
1647 pfkey_align(struct sadb_msg *msg, caddr_t *mhp)
1649 struct sadb_ext *ext;
1652 caddr_t ep; /* XXX should be passed from upper layer */
1654 /* validity check */
1655 if (msg == NULL || mhp == NULL) {
1656 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
1661 for (i = 0; i < SADB_EXT_MAX + 1; i++)
1664 mhp[0] = (caddr_t)msg;
1668 ep = p + PFKEY_UNUNIT64(msg->sadb_msg_len);
1670 /* skip base header */
1671 p += sizeof(struct sadb_msg);
1674 ext = (struct sadb_ext *)p;
1675 if (ep < p + sizeof(*ext) || PFKEY_EXTLEN(ext) < sizeof(*ext) ||
1676 ep < p + PFKEY_EXTLEN(ext)) {
1677 /* invalid format */
1681 /* duplicate check */
1682 /* XXX Are there duplication either KEY_AUTH or KEY_ENCRYPT ?*/
1683 if (mhp[ext->sadb_ext_type] != NULL) {
1684 __ipsec_errcode = EIPSEC_INVAL_EXTTYPE;
1689 switch (ext->sadb_ext_type) {
1691 case SADB_EXT_LIFETIME_CURRENT:
1692 case SADB_EXT_LIFETIME_HARD:
1693 case SADB_EXT_LIFETIME_SOFT:
1694 case SADB_EXT_ADDRESS_SRC:
1695 case SADB_EXT_ADDRESS_DST:
1696 case SADB_EXT_ADDRESS_PROXY:
1697 case SADB_EXT_KEY_AUTH:
1698 /* XXX should to be check weak keys. */
1699 case SADB_EXT_KEY_ENCRYPT:
1700 /* XXX should to be check weak keys. */
1701 case SADB_EXT_IDENTITY_SRC:
1702 case SADB_EXT_IDENTITY_DST:
1703 case SADB_EXT_SENSITIVITY:
1704 case SADB_EXT_PROPOSAL:
1705 case SADB_EXT_SUPPORTED_AUTH:
1706 case SADB_EXT_SUPPORTED_ENCRYPT:
1707 case SADB_EXT_SPIRANGE:
1708 case SADB_X_EXT_POLICY:
1709 case SADB_X_EXT_SA2:
1710 case SADB_X_EXT_NAT_T_TYPE:
1711 case SADB_X_EXT_NAT_T_SPORT:
1712 case SADB_X_EXT_NAT_T_DPORT:
1713 case SADB_X_EXT_NAT_T_OAI:
1714 case SADB_X_EXT_NAT_T_OAR:
1715 case SADB_X_EXT_NAT_T_FRAG:
1716 case SADB_X_EXT_SA_REPLAY:
1717 case SADB_X_EXT_NEW_ADDRESS_SRC:
1718 case SADB_X_EXT_NEW_ADDRESS_DST:
1719 mhp[ext->sadb_ext_type] = (caddr_t)ext;
1722 __ipsec_errcode = EIPSEC_INVAL_EXTTYPE;
1726 p += PFKEY_EXTLEN(ext);
1730 __ipsec_errcode = EIPSEC_INVAL_SADBMSG;
1734 __ipsec_errcode = EIPSEC_NO_ERROR;
1739 * check basic usage for sadb_msg,
1740 * NOTE: This routine is derived from netkey/key.c in KAME.
1741 * IN: msg: pointer to message buffer.
1742 * mhp: pointer to the buffer initialized like below:
1744 * caddr_t mhp[SADB_EXT_MAX + 1];
1750 pfkey_check(caddr_t *mhp)
1752 struct sadb_msg *msg;
1754 /* validity check */
1755 if (mhp == NULL || mhp[0] == NULL) {
1756 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
1760 msg = (struct sadb_msg *)mhp[0];
1763 if (msg->sadb_msg_version != PF_KEY_V2) {
1764 __ipsec_errcode = EIPSEC_INVAL_VERSION;
1769 if (msg->sadb_msg_type > SADB_MAX) {
1770 __ipsec_errcode = EIPSEC_INVAL_MSGTYPE;
1775 switch (msg->sadb_msg_satype) {
1776 case SADB_SATYPE_UNSPEC:
1777 switch (msg->sadb_msg_type) {
1785 __ipsec_errcode = EIPSEC_INVAL_SATYPE;
1789 case SADB_SATYPE_ESP:
1790 case SADB_SATYPE_AH:
1791 case SADB_X_SATYPE_IPCOMP:
1792 case SADB_X_SATYPE_TCPSIGNATURE:
1793 switch (msg->sadb_msg_type) {
1795 case SADB_X_SPDDELETE:
1797 case SADB_X_SPDDUMP:
1798 case SADB_X_SPDFLUSH:
1799 __ipsec_errcode = EIPSEC_INVAL_SATYPE;
1803 case SADB_SATYPE_RSVP:
1804 case SADB_SATYPE_OSPFV2:
1805 case SADB_SATYPE_RIPV2:
1806 case SADB_SATYPE_MIP:
1807 __ipsec_errcode = EIPSEC_NOT_SUPPORTED;
1809 case 1: /* XXX: What does it do ? */
1810 if (msg->sadb_msg_type == SADB_X_PROMISC)
1814 __ipsec_errcode = EIPSEC_INVAL_SATYPE;
1818 /* check field of upper layer protocol and address family */
1819 if (mhp[SADB_EXT_ADDRESS_SRC] != NULL
1820 && mhp[SADB_EXT_ADDRESS_DST] != NULL) {
1821 struct sadb_address *src0, *dst0;
1823 src0 = (struct sadb_address *)(mhp[SADB_EXT_ADDRESS_SRC]);
1824 dst0 = (struct sadb_address *)(mhp[SADB_EXT_ADDRESS_DST]);
1826 if (src0->sadb_address_proto != dst0->sadb_address_proto) {
1827 __ipsec_errcode = EIPSEC_PROTO_MISMATCH;
1831 if (PFKEY_ADDR_SADDR(src0)->sa_family
1832 != PFKEY_ADDR_SADDR(dst0)->sa_family) {
1833 __ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
1837 switch (PFKEY_ADDR_SADDR(src0)->sa_family) {
1842 __ipsec_errcode = EIPSEC_INVAL_FAMILY;
1847 * prefixlen == 0 is valid because there must be the case
1848 * all addresses are matched.
1852 __ipsec_errcode = EIPSEC_NO_ERROR;
1857 * set data into sadb_msg.
1858 * `buf' must has been allocated sufficiently.
1861 pfkey_setsadbmsg(caddr_t buf, caddr_t lim, u_int type, u_int tlen,
1862 u_int satype, u_int32_t seq, pid_t pid)
1867 p = (struct sadb_msg *)buf;
1868 len = sizeof(struct sadb_msg);
1870 if (buf + len > lim)
1874 p->sadb_msg_version = PF_KEY_V2;
1875 p->sadb_msg_type = type;
1876 p->sadb_msg_errno = 0;
1877 p->sadb_msg_satype = satype;
1878 p->sadb_msg_len = PFKEY_UNIT64(tlen);
1879 p->sadb_msg_reserved = 0;
1880 p->sadb_msg_seq = seq;
1881 p->sadb_msg_pid = (u_int32_t)pid;
1887 * copy secasvar data into sadb_address.
1888 * `buf' must has been allocated sufficiently.
1891 pfkey_setsadbsa(caddr_t buf, caddr_t lim, u_int32_t spi, u_int wsize,
1892 u_int auth, u_int enc, u_int32_t flags)
1897 p = (struct sadb_sa *)buf;
1898 len = sizeof(struct sadb_sa);
1900 if (buf + len > lim)
1904 p->sadb_sa_len = PFKEY_UNIT64(len);
1905 p->sadb_sa_exttype = SADB_EXT_SA;
1906 p->sadb_sa_spi = spi;
1907 p->sadb_sa_replay = wsize > UINT8_MAX ? UINT8_MAX: wsize;
1908 p->sadb_sa_state = SADB_SASTATE_LARVAL;
1909 p->sadb_sa_auth = auth;
1910 p->sadb_sa_encrypt = enc;
1911 p->sadb_sa_flags = flags;
1917 * Set data into sadb_x_sa_replay.
1918 * `buf' must has been allocated sufficiently.
1921 pfkey_setsadbxreplay(caddr_t buf, caddr_t lim, uint32_t wsize)
1923 struct sadb_x_sa_replay *p;
1926 p = (struct sadb_x_sa_replay *)buf;
1927 len = sizeof(struct sadb_x_sa_replay);
1929 if (buf + len > lim)
1933 p->sadb_x_sa_replay_len = PFKEY_UNIT64(len);
1934 p->sadb_x_sa_replay_exttype = SADB_X_EXT_SA_REPLAY;
1935 /* Convert wsize from bytes to number of packets. */
1936 p->sadb_x_sa_replay_replay = wsize << 3;
1942 * set data into sadb_address.
1943 * `buf' must has been allocated sufficiently.
1944 * prefixlen is in bits.
1947 pfkey_setsadbaddr(caddr_t buf, caddr_t lim, u_int exttype,
1948 struct sockaddr *saddr, u_int prefixlen, u_int ul_proto)
1950 struct sadb_address *p;
1953 p = (struct sadb_address *)buf;
1954 len = sizeof(struct sadb_address) + PFKEY_ALIGN8(saddr->sa_len);
1956 if (buf + len > lim)
1960 p->sadb_address_len = PFKEY_UNIT64(len);
1961 p->sadb_address_exttype = exttype & 0xffff;
1962 p->sadb_address_proto = ul_proto & 0xff;
1963 p->sadb_address_prefixlen = prefixlen;
1964 p->sadb_address_reserved = 0;
1966 memcpy(p + 1, saddr, saddr->sa_len);
1972 * set sadb_key structure after clearing buffer with zero.
1973 * OUT: the pointer of buf + len.
1976 pfkey_setsadbkey(caddr_t buf, caddr_t lim, u_int type, caddr_t key, u_int keylen)
1981 p = (struct sadb_key *)buf;
1982 len = sizeof(struct sadb_key) + PFKEY_ALIGN8(keylen);
1984 if (buf + len > lim)
1988 p->sadb_key_len = PFKEY_UNIT64(len);
1989 p->sadb_key_exttype = type;
1990 p->sadb_key_bits = keylen << 3;
1991 p->sadb_key_reserved = 0;
1993 memcpy(p + 1, key, keylen);
1999 * set sadb_lifetime structure after clearing buffer with zero.
2000 * OUT: the pointer of buf + len.
2003 pfkey_setsadblifetime(caddr_t buf, caddr_t lim, u_int type, u_int32_t l_alloc,
2004 u_int32_t l_bytes, u_int32_t l_addtime, u_int32_t l_usetime)
2006 struct sadb_lifetime *p;
2009 p = (struct sadb_lifetime *)buf;
2010 len = sizeof(struct sadb_lifetime);
2012 if (buf + len > lim)
2016 p->sadb_lifetime_len = PFKEY_UNIT64(len);
2017 p->sadb_lifetime_exttype = type;
2020 case SADB_EXT_LIFETIME_SOFT:
2021 p->sadb_lifetime_allocations
2022 = (l_alloc * soft_lifetime_allocations_rate) /100;
2023 p->sadb_lifetime_bytes
2024 = (l_bytes * soft_lifetime_bytes_rate) /100;
2025 p->sadb_lifetime_addtime
2026 = (l_addtime * soft_lifetime_addtime_rate) /100;
2027 p->sadb_lifetime_usetime
2028 = (l_usetime * soft_lifetime_usetime_rate) /100;
2030 case SADB_EXT_LIFETIME_HARD:
2031 p->sadb_lifetime_allocations = l_alloc;
2032 p->sadb_lifetime_bytes = l_bytes;
2033 p->sadb_lifetime_addtime = l_addtime;
2034 p->sadb_lifetime_usetime = l_usetime;
2042 * copy secasvar data into sadb_address.
2043 * `buf' must has been allocated sufficiently.
2046 pfkey_setsadbxsa2(caddr_t buf, caddr_t lim, u_int32_t mode0, u_int32_t reqid)
2048 struct sadb_x_sa2 *p;
2049 u_int8_t mode = mode0 & 0xff;
2052 p = (struct sadb_x_sa2 *)buf;
2053 len = sizeof(struct sadb_x_sa2);
2055 if (buf + len > lim)
2059 p->sadb_x_sa2_len = PFKEY_UNIT64(len);
2060 p->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
2061 p->sadb_x_sa2_mode = mode;
2062 p->sadb_x_sa2_reqid = reqid;