1 /* $KAME: pfkey.c,v 1.46 2003/08/26 03:37:06 itojun Exp $ */
4 * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. Neither the name of the project nor the names of its contributors
16 * may be used to endorse or promote products derived from this software
17 * without specific prior written permission.
19 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 #include <sys/cdefs.h>
33 __FBSDID("$FreeBSD$");
35 #include <sys/types.h>
36 #include <sys/param.h>
37 #include <sys/socket.h>
38 #include <net/pfkeyv2.h>
39 #include <netipsec/key_var.h>
40 #include <netinet/in.h>
41 #include <netipsec/ipsec.h>
49 #include "ipsec_strerror.h"
52 #define CALLOC(size, cast) (cast)calloc(1, (size))
54 static int findsupportedmap(int);
55 static int setsupportedmap(struct sadb_supported *);
56 static struct sadb_alg *findsupportedalg(u_int, u_int);
57 static int pfkey_send_x1(int, u_int, u_int, u_int, struct sockaddr *,
58 struct sockaddr *, u_int32_t, u_int32_t, u_int, caddr_t,
59 u_int, u_int, u_int, u_int, u_int, u_int32_t, u_int32_t,
60 u_int32_t, u_int32_t, u_int32_t);
61 static int pfkey_send_x2(int, u_int, u_int, u_int,
62 struct sockaddr *, struct sockaddr *, u_int32_t);
63 static int pfkey_send_x3(int, u_int, u_int);
64 static int pfkey_send_x4(int, u_int, struct sockaddr *, u_int,
65 struct sockaddr *, u_int, u_int, u_int64_t, u_int64_t,
66 char *, int, u_int32_t);
67 static int pfkey_send_x5(int, u_int, u_int32_t);
69 static caddr_t pfkey_setsadbmsg(caddr_t, caddr_t, u_int, u_int,
70 u_int, u_int32_t, pid_t);
71 static caddr_t pfkey_setsadbsa(caddr_t, caddr_t, u_int32_t, u_int,
72 u_int, u_int, u_int32_t);
73 static caddr_t pfkey_setsadbxreplay(caddr_t, caddr_t, uint32_t);
74 static caddr_t pfkey_setsadbaddr(caddr_t, caddr_t, u_int,
75 struct sockaddr *, u_int, u_int);
76 static caddr_t pfkey_setsadbkey(caddr_t, caddr_t, u_int, caddr_t, u_int);
77 static caddr_t pfkey_setsadblifetime(caddr_t, caddr_t, u_int, u_int32_t,
78 u_int32_t, u_int32_t, u_int32_t);
79 static caddr_t pfkey_setsadbxsa2(caddr_t, caddr_t, u_int32_t, u_int32_t);
82 * make and search supported algorithm structure.
84 static struct sadb_supported *ipsec_supported[] = { NULL, NULL, NULL, NULL };
86 static int supported_map[] = {
90 SADB_X_SATYPE_TCPSIGNATURE
94 findsupportedmap(satype)
99 for (i = 0; i < sizeof(supported_map)/sizeof(supported_map[0]); i++)
100 if (supported_map[i] == satype)
105 static struct sadb_alg *
106 findsupportedalg(satype, alg_id)
107 u_int satype, alg_id;
114 algno = findsupportedmap(satype);
116 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
119 if (ipsec_supported[algno] == NULL) {
120 __ipsec_errcode = EIPSEC_DO_GET_SUPP_LIST;
124 tlen = ipsec_supported[algno]->sadb_supported_len
125 - sizeof(struct sadb_supported);
126 p = (caddr_t)(ipsec_supported[algno] + 1);
128 if (tlen < sizeof(struct sadb_alg)) {
132 if (((struct sadb_alg *)p)->sadb_alg_id == alg_id)
133 return (struct sadb_alg *)p;
135 tlen -= sizeof(struct sadb_alg);
136 p += sizeof(struct sadb_alg);
139 __ipsec_errcode = EIPSEC_NOT_SUPPORTED;
145 struct sadb_supported *sup;
147 struct sadb_supported **ipsup;
149 switch (sup->sadb_supported_exttype) {
150 case SADB_EXT_SUPPORTED_AUTH:
151 ipsup = &ipsec_supported[findsupportedmap(SADB_SATYPE_AH)];
153 case SADB_EXT_SUPPORTED_ENCRYPT:
154 ipsup = &ipsec_supported[findsupportedmap(SADB_SATYPE_ESP)];
157 __ipsec_errcode = EIPSEC_INVAL_SATYPE;
164 *ipsup = malloc(sup->sadb_supported_len);
166 __ipsec_set_strerror(strerror(errno));
169 memcpy(*ipsup, sup, sup->sadb_supported_len);
175 * check key length against algorithm specified.
176 * This function is called with SADB_EXT_SUPPORTED_{AUTH,ENCRYPT} as the
177 * augument, and only calls to ipsec_check_keylen2();
178 * keylen is the unit of bit.
184 ipsec_check_keylen(supported, alg_id, keylen)
193 case SADB_EXT_SUPPORTED_AUTH:
194 satype = SADB_SATYPE_AH;
196 case SADB_EXT_SUPPORTED_ENCRYPT:
197 satype = SADB_SATYPE_ESP;
200 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
204 return ipsec_check_keylen2(satype, alg_id, keylen);
208 * check key length against algorithm specified.
209 * satype is one of satype defined at pfkeyv2.h.
210 * keylen is the unit of bit.
216 ipsec_check_keylen2(satype, alg_id, keylen)
221 struct sadb_alg *alg;
223 alg = findsupportedalg(satype, alg_id);
227 if (keylen < alg->sadb_alg_minbits || keylen > alg->sadb_alg_maxbits) {
228 __ipsec_errcode = EIPSEC_INVAL_KEYLEN;
232 __ipsec_errcode = EIPSEC_NO_ERROR;
237 * get max/min key length against algorithm specified.
238 * satype is one of satype defined at pfkeyv2.h.
239 * keylen is the unit of bit.
245 ipsec_get_keylen(supported, alg_id, alg0)
246 u_int supported, alg_id;
247 struct sadb_alg *alg0;
249 struct sadb_alg *alg;
254 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
259 case SADB_EXT_SUPPORTED_AUTH:
260 satype = SADB_SATYPE_AH;
262 case SADB_EXT_SUPPORTED_ENCRYPT:
263 satype = SADB_SATYPE_ESP;
266 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
270 alg = findsupportedalg(satype, alg_id);
274 memcpy(alg0, alg, sizeof(*alg0));
276 __ipsec_errcode = EIPSEC_NO_ERROR;
281 * set the rate for SOFT lifetime against HARD one.
282 * If rate is more than 100 or equal to zero, then set to 100.
284 static u_int soft_lifetime_allocations_rate = PFKEY_SOFT_LIFETIME_RATE;
285 static u_int soft_lifetime_bytes_rate = PFKEY_SOFT_LIFETIME_RATE;
286 static u_int soft_lifetime_addtime_rate = PFKEY_SOFT_LIFETIME_RATE;
287 static u_int soft_lifetime_usetime_rate = PFKEY_SOFT_LIFETIME_RATE;
290 pfkey_set_softrate(type, rate)
293 __ipsec_errcode = EIPSEC_NO_ERROR;
295 if (rate > 100 || rate == 0)
299 case SADB_X_LIFETIME_ALLOCATIONS:
300 soft_lifetime_allocations_rate = rate;
302 case SADB_X_LIFETIME_BYTES:
303 soft_lifetime_bytes_rate = rate;
305 case SADB_X_LIFETIME_ADDTIME:
306 soft_lifetime_addtime_rate = rate;
308 case SADB_X_LIFETIME_USETIME:
309 soft_lifetime_usetime_rate = rate;
313 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
318 * get current rate for SOFT lifetime against HARD one.
319 * ATTENTION: ~0 is returned if invalid type was passed.
322 pfkey_get_softrate(type)
326 case SADB_X_LIFETIME_ALLOCATIONS:
327 return soft_lifetime_allocations_rate;
328 case SADB_X_LIFETIME_BYTES:
329 return soft_lifetime_bytes_rate;
330 case SADB_X_LIFETIME_ADDTIME:
331 return soft_lifetime_addtime_rate;
332 case SADB_X_LIFETIME_USETIME:
333 return soft_lifetime_usetime_rate;
340 * sending SADB_GETSPI message to the kernel.
342 * positive: success and return length sent.
343 * -1 : error occured, and set errno.
346 pfkey_send_getspi(so, satype, mode, src, dst, min, max, reqid, seq)
349 struct sockaddr *src, *dst;
350 u_int32_t min, max, reqid, seq;
352 struct sadb_msg *newmsg;
355 int need_spirange = 0;
360 if (src == NULL || dst == NULL) {
361 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
364 if (src->sa_family != dst->sa_family) {
365 __ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
368 if (min > max || (min > 0 && min <= 255)) {
369 __ipsec_errcode = EIPSEC_INVAL_SPI;
372 switch (src->sa_family) {
374 plen = sizeof(struct in_addr) << 3;
377 plen = sizeof(struct in6_addr) << 3;
380 __ipsec_errcode = EIPSEC_INVAL_FAMILY;
384 /* create new sadb_msg to send. */
385 len = sizeof(struct sadb_msg)
386 + sizeof(struct sadb_x_sa2)
387 + sizeof(struct sadb_address)
388 + PFKEY_ALIGN8(src->sa_len)
389 + sizeof(struct sadb_address)
390 + PFKEY_ALIGN8(dst->sa_len);
392 if (min > 255 && max < ~0) {
394 len += sizeof(struct sadb_spirange);
397 if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
398 __ipsec_set_strerror(strerror(errno));
401 ep = ((caddr_t)newmsg) + len;
403 p = pfkey_setsadbmsg((caddr_t)newmsg, ep, SADB_GETSPI,
404 len, satype, seq, getpid());
410 p = pfkey_setsadbxsa2(p, ep, mode, reqid);
416 /* set sadb_address for source */
417 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, plen,
424 /* set sadb_address for destination */
425 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, plen,
432 /* proccessing spi range */
434 struct sadb_spirange spirange;
436 if (p + sizeof(spirange) > ep) {
441 memset(&spirange, 0, sizeof(spirange));
442 spirange.sadb_spirange_len = PFKEY_UNIT64(sizeof(spirange));
443 spirange.sadb_spirange_exttype = SADB_EXT_SPIRANGE;
444 spirange.sadb_spirange_min = min;
445 spirange.sadb_spirange_max = max;
447 memcpy(p, &spirange, sizeof(spirange));
449 p += sizeof(spirange);
457 len = pfkey_send(so, newmsg, len);
463 __ipsec_errcode = EIPSEC_NO_ERROR;
468 * sending SADB_UPDATE message to the kernel.
469 * The length of key material is a_keylen + e_keylen.
471 * positive: success and return length sent.
472 * -1 : error occured, and set errno.
475 pfkey_send_update(so, satype, mode, src, dst, spi, reqid, wsize,
476 keymat, e_type, e_keylen, a_type, a_keylen, flags,
477 l_alloc, l_bytes, l_addtime, l_usetime, seq)
479 u_int satype, mode, wsize;
480 struct sockaddr *src, *dst;
481 u_int32_t spi, reqid;
483 u_int e_type, e_keylen, a_type, a_keylen, flags;
485 u_int64_t l_bytes, l_addtime, l_usetime;
489 if ((len = pfkey_send_x1(so, SADB_UPDATE, satype, mode, src, dst, spi,
491 keymat, e_type, e_keylen, a_type, a_keylen, flags,
492 l_alloc, l_bytes, l_addtime, l_usetime, seq)) < 0)
499 * sending SADB_ADD message to the kernel.
500 * The length of key material is a_keylen + e_keylen.
502 * positive: success and return length sent.
503 * -1 : error occured, and set errno.
506 pfkey_send_add(so, satype, mode, src, dst, spi, reqid, wsize,
507 keymat, e_type, e_keylen, a_type, a_keylen, flags,
508 l_alloc, l_bytes, l_addtime, l_usetime, seq)
510 u_int satype, mode, wsize;
511 struct sockaddr *src, *dst;
512 u_int32_t spi, reqid;
514 u_int e_type, e_keylen, a_type, a_keylen, flags;
516 u_int64_t l_bytes, l_addtime, l_usetime;
520 if ((len = pfkey_send_x1(so, SADB_ADD, satype, mode, src, dst, spi,
522 keymat, e_type, e_keylen, a_type, a_keylen, flags,
523 l_alloc, l_bytes, l_addtime, l_usetime, seq)) < 0)
530 * sending SADB_DELETE message to the kernel.
532 * positive: success and return length sent.
533 * -1 : error occured, and set errno.
536 pfkey_send_delete(so, satype, mode, src, dst, spi)
539 struct sockaddr *src, *dst;
543 if ((len = pfkey_send_x2(so, SADB_DELETE, satype, mode, src, dst, spi)) < 0)
550 * sending SADB_DELETE without spi to the kernel. This is
551 * the "delete all" request (an extension also present in
555 * positive: success and return length sent
556 * -1 : error occured, and set errno
559 pfkey_send_delete_all(so, satype, mode, src, dst)
562 struct sockaddr *src, *dst;
564 struct sadb_msg *newmsg;
571 if (src == NULL || dst == NULL) {
572 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
575 if (src->sa_family != dst->sa_family) {
576 __ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
579 switch (src->sa_family) {
581 plen = sizeof(struct in_addr) << 3;
584 plen = sizeof(struct in6_addr) << 3;
587 __ipsec_errcode = EIPSEC_INVAL_FAMILY;
591 /* create new sadb_msg to reply. */
592 len = sizeof(struct sadb_msg)
593 + sizeof(struct sadb_address)
594 + PFKEY_ALIGN8(src->sa_len)
595 + sizeof(struct sadb_address)
596 + PFKEY_ALIGN8(dst->sa_len);
598 if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
599 __ipsec_set_strerror(strerror(errno));
602 ep = ((caddr_t)newmsg) + len;
604 p = pfkey_setsadbmsg((caddr_t)newmsg, ep, SADB_DELETE, len, satype, 0,
610 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, plen,
616 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, plen,
624 len = pfkey_send(so, newmsg, len);
630 __ipsec_errcode = EIPSEC_NO_ERROR;
635 * sending SADB_GET message to the kernel.
637 * positive: success and return length sent.
638 * -1 : error occured, and set errno.
641 pfkey_send_get(so, satype, mode, src, dst, spi)
644 struct sockaddr *src, *dst;
648 if ((len = pfkey_send_x2(so, SADB_GET, satype, mode, src, dst, spi)) < 0)
655 * sending SADB_REGISTER message to the kernel.
657 * positive: success and return length sent.
658 * -1 : error occured, and set errno.
661 pfkey_send_register(so, satype)
667 if (satype == SADB_SATYPE_UNSPEC) {
669 algno < sizeof(supported_map)/sizeof(supported_map[0]);
671 if (ipsec_supported[algno]) {
672 free(ipsec_supported[algno]);
673 ipsec_supported[algno] = NULL;
677 algno = findsupportedmap(satype);
679 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
683 if (ipsec_supported[algno]) {
684 free(ipsec_supported[algno]);
685 ipsec_supported[algno] = NULL;
689 if ((len = pfkey_send_x3(so, SADB_REGISTER, satype)) < 0)
696 * receiving SADB_REGISTER message from the kernel, and copy buffer for
697 * sadb_supported returned into ipsec_supported.
699 * 0: success and return length sent.
700 * -1: error occured, and set errno.
703 pfkey_recv_register(so)
706 pid_t pid = getpid();
707 struct sadb_msg *newmsg;
710 /* receive message */
712 if ((newmsg = pfkey_recv(so)) == NULL)
714 if (newmsg->sadb_msg_type == SADB_REGISTER &&
715 newmsg->sadb_msg_pid == pid)
721 newmsg->sadb_msg_len = PFKEY_UNUNIT64(newmsg->sadb_msg_len);
723 error = pfkey_set_supported(newmsg, newmsg->sadb_msg_len);
727 __ipsec_errcode = EIPSEC_NO_ERROR;
733 * receiving SADB_REGISTER message from the kernel, and copy buffer for
734 * sadb_supported returned into ipsec_supported.
735 * NOTE: sadb_msg_len must be host order.
737 * tlen: msg length, it's to makeing sure.
739 * 0: success and return length sent.
740 * -1: error occured, and set errno.
743 pfkey_set_supported(msg, tlen)
744 struct sadb_msg *msg;
747 struct sadb_supported *sup;
752 if (msg->sadb_msg_len != tlen) {
753 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
760 p += sizeof(struct sadb_msg);
763 sup = (struct sadb_supported *)p;
764 if (ep < p + sizeof(*sup) ||
765 PFKEY_EXTLEN(sup) < sizeof(*sup) ||
766 ep < p + sup->sadb_supported_len) {
771 switch (sup->sadb_supported_exttype) {
772 case SADB_EXT_SUPPORTED_AUTH:
773 case SADB_EXT_SUPPORTED_ENCRYPT:
776 __ipsec_errcode = EIPSEC_INVAL_SATYPE;
781 sup->sadb_supported_len = PFKEY_EXTLEN(sup);
783 /* set supported map */
784 if (setsupportedmap(sup) != 0)
787 p += sup->sadb_supported_len;
791 __ipsec_errcode = EIPSEC_INVAL_SATYPE;
795 __ipsec_errcode = EIPSEC_NO_ERROR;
801 * sending SADB_FLUSH message to the kernel.
803 * positive: success and return length sent.
804 * -1 : error occured, and set errno.
807 pfkey_send_flush(so, satype)
813 if ((len = pfkey_send_x3(so, SADB_FLUSH, satype)) < 0)
820 * sending SADB_DUMP message to the kernel.
822 * positive: success and return length sent.
823 * -1 : error occured, and set errno.
826 pfkey_send_dump(so, satype)
832 if ((len = pfkey_send_x3(so, SADB_DUMP, satype)) < 0)
839 * sending SADB_X_PROMISC message to the kernel.
840 * NOTE that this function handles promisc mode toggle only.
842 * flag: set promisc off if zero, set promisc on if non-zero.
844 * positive: success and return length sent.
845 * -1 : error occured, and set errno.
846 * 0 : error occured, and set errno.
847 * others: a pointer to new allocated buffer in which supported
851 pfkey_send_promisc_toggle(so, flag)
857 if ((len = pfkey_send_x3(so, SADB_X_PROMISC, (flag ? 1 : 0))) < 0)
864 * sending SADB_X_SPDADD message to the kernel.
866 * positive: success and return length sent.
867 * -1 : error occured, and set errno.
870 pfkey_send_spdadd(so, src, prefs, dst, prefd, proto, policy, policylen, seq)
872 struct sockaddr *src, *dst;
873 u_int prefs, prefd, proto;
880 if ((len = pfkey_send_x4(so, SADB_X_SPDADD,
881 src, prefs, dst, prefd, proto,
883 policy, policylen, seq)) < 0)
890 * sending SADB_X_SPDADD message to the kernel.
892 * positive: success and return length sent.
893 * -1 : error occured, and set errno.
896 pfkey_send_spdadd2(so, src, prefs, dst, prefd, proto, ltime, vtime,
897 policy, policylen, seq)
899 struct sockaddr *src, *dst;
900 u_int prefs, prefd, proto;
901 u_int64_t ltime, vtime;
908 if ((len = pfkey_send_x4(so, SADB_X_SPDADD,
909 src, prefs, dst, prefd, proto,
911 policy, policylen, seq)) < 0)
918 * sending SADB_X_SPDUPDATE message to the kernel.
920 * positive: success and return length sent.
921 * -1 : error occured, and set errno.
924 pfkey_send_spdupdate(so, src, prefs, dst, prefd, proto, policy, policylen, seq)
926 struct sockaddr *src, *dst;
927 u_int prefs, prefd, proto;
934 if ((len = pfkey_send_x4(so, SADB_X_SPDUPDATE,
935 src, prefs, dst, prefd, proto,
937 policy, policylen, seq)) < 0)
944 * sending SADB_X_SPDUPDATE message to the kernel.
946 * positive: success and return length sent.
947 * -1 : error occured, and set errno.
950 pfkey_send_spdupdate2(so, src, prefs, dst, prefd, proto, ltime, vtime,
951 policy, policylen, seq)
953 struct sockaddr *src, *dst;
954 u_int prefs, prefd, proto;
955 u_int64_t ltime, vtime;
962 if ((len = pfkey_send_x4(so, SADB_X_SPDUPDATE,
963 src, prefs, dst, prefd, proto,
965 policy, policylen, seq)) < 0)
972 * sending SADB_X_SPDDELETE message to the kernel.
974 * positive: success and return length sent.
975 * -1 : error occured, and set errno.
978 pfkey_send_spddelete(so, src, prefs, dst, prefd, proto, policy, policylen, seq)
980 struct sockaddr *src, *dst;
981 u_int prefs, prefd, proto;
988 if (policylen != sizeof(struct sadb_x_policy)) {
989 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
993 if ((len = pfkey_send_x4(so, SADB_X_SPDDELETE,
994 src, prefs, dst, prefd, proto,
996 policy, policylen, seq)) < 0)
1003 * sending SADB_X_SPDDELETE message to the kernel.
1005 * positive: success and return length sent.
1006 * -1 : error occured, and set errno.
1009 pfkey_send_spddelete2(so, spid)
1015 if ((len = pfkey_send_x5(so, SADB_X_SPDDELETE2, spid)) < 0)
1022 * sending SADB_X_SPDGET message to the kernel.
1024 * positive: success and return length sent.
1025 * -1 : error occured, and set errno.
1028 pfkey_send_spdget(so, spid)
1034 if ((len = pfkey_send_x5(so, SADB_X_SPDGET, spid)) < 0)
1041 * sending SADB_X_SPDSETIDX message to the kernel.
1043 * positive: success and return length sent.
1044 * -1 : error occured, and set errno.
1047 pfkey_send_spdsetidx(so, src, prefs, dst, prefd, proto, policy, policylen, seq)
1049 struct sockaddr *src, *dst;
1050 u_int prefs, prefd, proto;
1057 if (policylen != sizeof(struct sadb_x_policy)) {
1058 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
1062 if ((len = pfkey_send_x4(so, SADB_X_SPDSETIDX,
1063 src, prefs, dst, prefd, proto,
1065 policy, policylen, seq)) < 0)
1072 * sending SADB_SPDFLUSH message to the kernel.
1074 * positive: success and return length sent.
1075 * -1 : error occured, and set errno.
1078 pfkey_send_spdflush(so)
1083 if ((len = pfkey_send_x3(so, SADB_X_SPDFLUSH, SADB_SATYPE_UNSPEC)) < 0)
1090 * sending SADB_SPDDUMP message to the kernel.
1092 * positive: success and return length sent.
1093 * -1 : error occured, and set errno.
1096 pfkey_send_spddump(so)
1101 if ((len = pfkey_send_x3(so, SADB_X_SPDDUMP, SADB_SATYPE_UNSPEC)) < 0)
1107 /* sending SADB_ADD or SADB_UPDATE message to the kernel */
1109 pfkey_send_x1(so, type, satype, mode, src, dst, spi, reqid, wsize,
1110 keymat, e_type, e_keylen, a_type, a_keylen, flags,
1111 l_alloc, l_bytes, l_addtime, l_usetime, seq)
1113 u_int type, satype, mode;
1114 struct sockaddr *src, *dst;
1115 u_int32_t spi, reqid;
1118 u_int e_type, e_keylen, a_type, a_keylen, flags;
1119 u_int32_t l_alloc, l_bytes, l_addtime, l_usetime, seq;
1121 struct sadb_msg *newmsg;
1127 /* validity check */
1128 if (src == NULL || dst == NULL) {
1129 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
1132 if (src->sa_family != dst->sa_family) {
1133 __ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
1136 switch (src->sa_family) {
1138 plen = sizeof(struct in_addr) << 3;
1141 plen = sizeof(struct in6_addr) << 3;
1144 __ipsec_errcode = EIPSEC_INVAL_FAMILY;
1149 case SADB_SATYPE_ESP:
1150 if (e_type == SADB_EALG_NONE) {
1151 __ipsec_errcode = EIPSEC_NO_ALGS;
1155 case SADB_SATYPE_AH:
1156 if (e_type != SADB_EALG_NONE) {
1157 __ipsec_errcode = EIPSEC_INVAL_ALGS;
1160 if (a_type == SADB_AALG_NONE) {
1161 __ipsec_errcode = EIPSEC_NO_ALGS;
1165 case SADB_X_SATYPE_IPCOMP:
1166 if (e_type == SADB_X_CALG_NONE) {
1167 __ipsec_errcode = EIPSEC_INVAL_ALGS;
1170 if (a_type != SADB_AALG_NONE) {
1171 __ipsec_errcode = EIPSEC_NO_ALGS;
1175 case SADB_X_SATYPE_TCPSIGNATURE:
1176 if (e_type != SADB_EALG_NONE) {
1177 __ipsec_errcode = EIPSEC_INVAL_ALGS;
1180 if (a_type != SADB_X_AALG_TCP_MD5) {
1181 __ipsec_errcode = EIPSEC_INVAL_ALGS;
1186 __ipsec_errcode = EIPSEC_INVAL_SATYPE;
1190 /* create new sadb_msg to reply. */
1191 len = sizeof(struct sadb_msg)
1192 + sizeof(struct sadb_sa)
1193 + sizeof(struct sadb_x_sa2)
1194 + sizeof(struct sadb_address)
1195 + PFKEY_ALIGN8(src->sa_len)
1196 + sizeof(struct sadb_address)
1197 + PFKEY_ALIGN8(dst->sa_len)
1198 + sizeof(struct sadb_lifetime)
1199 + sizeof(struct sadb_lifetime);
1201 if (wsize > UINT8_MAX) {
1202 if (wsize > (UINT32_MAX - 32) >> 3) {
1203 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
1206 len += sizeof(struct sadb_x_sa_replay);
1208 if (e_type != SADB_EALG_NONE)
1209 len += (sizeof(struct sadb_key) + PFKEY_ALIGN8(e_keylen));
1210 if (a_type != SADB_AALG_NONE)
1211 len += (sizeof(struct sadb_key) + PFKEY_ALIGN8(a_keylen));
1213 if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
1214 __ipsec_set_strerror(strerror(errno));
1217 ep = ((caddr_t)newmsg) + len;
1219 p = pfkey_setsadbmsg((caddr_t)newmsg, ep, type, len,
1220 satype, seq, getpid());
1225 p = pfkey_setsadbsa(p, ep, spi, wsize, a_type, e_type, flags);
1230 p = pfkey_setsadbxsa2(p, ep, mode, reqid);
1235 if (wsize > UINT8_MAX) {
1236 p = pfkey_setsadbxreplay(p, ep, wsize);
1242 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, plen,
1248 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, plen,
1255 if (e_type != SADB_EALG_NONE) {
1256 p = pfkey_setsadbkey(p, ep, SADB_EXT_KEY_ENCRYPT,
1263 if (a_type != SADB_AALG_NONE) {
1264 p = pfkey_setsadbkey(p, ep, SADB_EXT_KEY_AUTH,
1265 keymat + e_keylen, a_keylen);
1272 /* set sadb_lifetime for destination */
1273 p = pfkey_setsadblifetime(p, ep, SADB_EXT_LIFETIME_HARD,
1274 l_alloc, l_bytes, l_addtime, l_usetime);
1279 p = pfkey_setsadblifetime(p, ep, SADB_EXT_LIFETIME_SOFT,
1280 l_alloc, l_bytes, l_addtime, l_usetime);
1281 if (!p || p != ep) {
1287 len = pfkey_send(so, newmsg, len);
1293 __ipsec_errcode = EIPSEC_NO_ERROR;
1297 /* sending SADB_DELETE or SADB_GET message to the kernel */
1299 pfkey_send_x2(so, type, satype, mode, src, dst, spi)
1301 u_int type, satype, mode;
1302 struct sockaddr *src, *dst;
1305 struct sadb_msg *newmsg;
1311 /* validity check */
1312 if (src == NULL || dst == NULL) {
1313 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
1316 if (src->sa_family != dst->sa_family) {
1317 __ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
1320 switch (src->sa_family) {
1322 plen = sizeof(struct in_addr) << 3;
1325 plen = sizeof(struct in6_addr) << 3;
1328 __ipsec_errcode = EIPSEC_INVAL_FAMILY;
1332 /* create new sadb_msg to reply. */
1333 len = sizeof(struct sadb_msg)
1334 + sizeof(struct sadb_sa)
1335 + sizeof(struct sadb_address)
1336 + PFKEY_ALIGN8(src->sa_len)
1337 + sizeof(struct sadb_address)
1338 + PFKEY_ALIGN8(dst->sa_len);
1340 if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
1341 __ipsec_set_strerror(strerror(errno));
1344 ep = ((caddr_t)newmsg) + len;
1346 p = pfkey_setsadbmsg((caddr_t)newmsg, ep, type, len, satype, 0,
1352 p = pfkey_setsadbsa(p, ep, spi, 0, 0, 0, 0);
1357 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, plen,
1363 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, plen,
1365 if (!p || p != ep) {
1371 len = pfkey_send(so, newmsg, len);
1377 __ipsec_errcode = EIPSEC_NO_ERROR;
1382 * sending SADB_REGISTER, SADB_FLUSH, SADB_DUMP or SADB_X_PROMISC message
1386 pfkey_send_x3(so, type, satype)
1390 struct sadb_msg *newmsg;
1395 /* validity check */
1397 case SADB_X_PROMISC:
1398 if (satype != 0 && satype != 1) {
1399 __ipsec_errcode = EIPSEC_INVAL_SATYPE;
1405 case SADB_SATYPE_UNSPEC:
1406 case SADB_SATYPE_AH:
1407 case SADB_SATYPE_ESP:
1408 case SADB_X_SATYPE_IPCOMP:
1409 case SADB_X_SATYPE_TCPSIGNATURE:
1412 __ipsec_errcode = EIPSEC_INVAL_SATYPE;
1417 /* create new sadb_msg to send. */
1418 len = sizeof(struct sadb_msg);
1420 if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
1421 __ipsec_set_strerror(strerror(errno));
1424 ep = ((caddr_t)newmsg) + len;
1426 p = pfkey_setsadbmsg((caddr_t)newmsg, ep, type, len, satype, 0,
1428 if (!p || p != ep) {
1434 len = pfkey_send(so, newmsg, len);
1440 __ipsec_errcode = EIPSEC_NO_ERROR;
1444 /* sending SADB_X_SPDADD message to the kernel */
1446 pfkey_send_x4(so, type, src, prefs, dst, prefd, proto,
1447 ltime, vtime, policy, policylen, seq)
1449 struct sockaddr *src, *dst;
1450 u_int type, prefs, prefd, proto;
1451 u_int64_t ltime, vtime;
1456 struct sadb_msg *newmsg;
1462 /* validity check */
1463 if (src == NULL || dst == NULL) {
1464 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
1467 if (src->sa_family != dst->sa_family) {
1468 __ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
1472 switch (src->sa_family) {
1474 plen = sizeof(struct in_addr) << 3;
1477 plen = sizeof(struct in6_addr) << 3;
1480 __ipsec_errcode = EIPSEC_INVAL_FAMILY;
1483 if (prefs > plen || prefd > plen) {
1484 __ipsec_errcode = EIPSEC_INVAL_PREFIXLEN;
1488 /* create new sadb_msg to reply. */
1489 len = sizeof(struct sadb_msg)
1490 + sizeof(struct sadb_address)
1491 + PFKEY_ALIGN8(src->sa_len)
1492 + sizeof(struct sadb_address)
1493 + PFKEY_ALIGN8(src->sa_len)
1494 + sizeof(struct sadb_lifetime)
1497 if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
1498 __ipsec_set_strerror(strerror(errno));
1501 ep = ((caddr_t)newmsg) + len;
1503 p = pfkey_setsadbmsg((caddr_t)newmsg, ep, type, len,
1504 SADB_SATYPE_UNSPEC, seq, getpid());
1509 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, prefs, proto);
1514 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, prefd, proto);
1519 p = pfkey_setsadblifetime(p, ep, SADB_EXT_LIFETIME_HARD,
1520 0, 0, ltime, vtime);
1521 if (!p || p + policylen != ep) {
1525 memcpy(p, policy, policylen);
1528 len = pfkey_send(so, newmsg, len);
1534 __ipsec_errcode = EIPSEC_NO_ERROR;
1538 /* sending SADB_X_SPDGET or SADB_X_SPDDELETE message to the kernel */
1540 pfkey_send_x5(so, type, spid)
1545 struct sadb_msg *newmsg;
1546 struct sadb_x_policy xpl;
1551 /* create new sadb_msg to reply. */
1552 len = sizeof(struct sadb_msg)
1555 if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
1556 __ipsec_set_strerror(strerror(errno));
1559 ep = ((caddr_t)newmsg) + len;
1561 p = pfkey_setsadbmsg((caddr_t)newmsg, ep, type, len,
1562 SADB_SATYPE_UNSPEC, 0, getpid());
1568 if (p + sizeof(xpl) != ep) {
1572 memset(&xpl, 0, sizeof(xpl));
1573 xpl.sadb_x_policy_len = PFKEY_UNIT64(sizeof(xpl));
1574 xpl.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
1575 xpl.sadb_x_policy_id = spid;
1576 memcpy(p, &xpl, sizeof(xpl));
1579 len = pfkey_send(so, newmsg, len);
1585 __ipsec_errcode = EIPSEC_NO_ERROR;
1593 * others : success and return value of socket.
1599 int bufsiz_current, bufsiz_wanted;
1603 if ((so = socket(PF_KEY, SOCK_RAW, PF_KEY_V2)) < 0) {
1604 __ipsec_set_strerror(strerror(errno));
1609 * This is a temporary workaround for KAME PR 154.
1610 * Don't really care even if it fails.
1612 /* Try to have 128k. If we have more, do not lower it. */
1613 bufsiz_wanted = 128 * 1024;
1614 len = sizeof(bufsiz_current);
1615 ret = getsockopt(so, SOL_SOCKET, SO_SNDBUF,
1616 &bufsiz_current, &len);
1617 if ((ret < 0) || (bufsiz_current < bufsiz_wanted))
1618 (void)setsockopt(so, SOL_SOCKET, SO_SNDBUF,
1619 &bufsiz_wanted, sizeof(bufsiz_wanted));
1621 /* Try to have have at least 2MB. If we have more, do not lower it. */
1622 bufsiz_wanted = 2 * 1024 * 1024;
1623 len = sizeof(bufsiz_current);
1624 ret = getsockopt(so, SOL_SOCKET, SO_RCVBUF,
1625 &bufsiz_current, &len);
1627 bufsiz_current = 128 * 1024;
1629 for (; bufsiz_wanted > bufsiz_current; bufsiz_wanted /= 2) {
1630 if (setsockopt(so, SOL_SOCKET, SO_RCVBUF,
1631 &bufsiz_wanted, sizeof(bufsiz_wanted)) == 0)
1635 __ipsec_errcode = EIPSEC_NO_ERROR;
1651 __ipsec_errcode = EIPSEC_NO_ERROR;
1656 * receive sadb_msg data, and return pointer to new buffer allocated.
1657 * Must free this buffer later.
1659 * NULL : error occured.
1660 * others : a pointer to sadb_msg structure.
1662 * XXX should be rewritten to pass length explicitly
1668 struct sadb_msg buf, *newmsg;
1671 while ((len = recv(so, (caddr_t)&buf, sizeof(buf), MSG_PEEK)) < 0) {
1674 __ipsec_set_strerror(strerror(errno));
1678 if (len < sizeof(buf)) {
1679 recv(so, (caddr_t)&buf, sizeof(buf), 0);
1680 __ipsec_errcode = EIPSEC_MAX;
1684 /* read real message */
1685 reallen = PFKEY_UNUNIT64(buf.sadb_msg_len);
1686 if ((newmsg = CALLOC(reallen, struct sadb_msg *)) == NULL) {
1687 __ipsec_set_strerror(strerror(errno));
1691 while ((len = recv(so, (caddr_t)newmsg, reallen, 0)) < 0) {
1694 __ipsec_set_strerror(strerror(errno));
1699 if (len != reallen) {
1700 __ipsec_errcode = EIPSEC_SYSTEM_ERROR;
1705 /* don't trust what the kernel says, validate! */
1706 if (PFKEY_UNUNIT64(newmsg->sadb_msg_len) != len) {
1707 __ipsec_errcode = EIPSEC_SYSTEM_ERROR;
1712 __ipsec_errcode = EIPSEC_NO_ERROR;
1717 * send message to a socket.
1719 * others: success and return length sent.
1723 pfkey_send(so, msg, len)
1725 struct sadb_msg *msg;
1728 if ((len = send(so, (caddr_t)msg, len, 0)) < 0) {
1729 __ipsec_set_strerror(strerror(errno));
1733 __ipsec_errcode = EIPSEC_NO_ERROR;
1739 * NOTE: These functions are derived from netkey/key.c in KAME.
1742 * set the pointer to each header in this message buffer.
1743 * IN: msg: pointer to message buffer.
1744 * mhp: pointer to the buffer initialized like below:
1745 * caddr_t mhp[SADB_EXT_MAX + 1];
1749 * XXX should be rewritten to obtain length explicitly
1752 pfkey_align(msg, mhp)
1753 struct sadb_msg *msg;
1756 struct sadb_ext *ext;
1759 caddr_t ep; /* XXX should be passed from upper layer */
1761 /* validity check */
1762 if (msg == NULL || mhp == NULL) {
1763 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
1768 for (i = 0; i < SADB_EXT_MAX + 1; i++)
1771 mhp[0] = (caddr_t)msg;
1775 ep = p + PFKEY_UNUNIT64(msg->sadb_msg_len);
1777 /* skip base header */
1778 p += sizeof(struct sadb_msg);
1781 ext = (struct sadb_ext *)p;
1782 if (ep < p + sizeof(*ext) || PFKEY_EXTLEN(ext) < sizeof(*ext) ||
1783 ep < p + PFKEY_EXTLEN(ext)) {
1784 /* invalid format */
1788 /* duplicate check */
1789 /* XXX Are there duplication either KEY_AUTH or KEY_ENCRYPT ?*/
1790 if (mhp[ext->sadb_ext_type] != NULL) {
1791 __ipsec_errcode = EIPSEC_INVAL_EXTTYPE;
1796 switch (ext->sadb_ext_type) {
1798 case SADB_EXT_LIFETIME_CURRENT:
1799 case SADB_EXT_LIFETIME_HARD:
1800 case SADB_EXT_LIFETIME_SOFT:
1801 case SADB_EXT_ADDRESS_SRC:
1802 case SADB_EXT_ADDRESS_DST:
1803 case SADB_EXT_ADDRESS_PROXY:
1804 case SADB_EXT_KEY_AUTH:
1805 /* XXX should to be check weak keys. */
1806 case SADB_EXT_KEY_ENCRYPT:
1807 /* XXX should to be check weak keys. */
1808 case SADB_EXT_IDENTITY_SRC:
1809 case SADB_EXT_IDENTITY_DST:
1810 case SADB_EXT_SENSITIVITY:
1811 case SADB_EXT_PROPOSAL:
1812 case SADB_EXT_SUPPORTED_AUTH:
1813 case SADB_EXT_SUPPORTED_ENCRYPT:
1814 case SADB_EXT_SPIRANGE:
1815 case SADB_X_EXT_POLICY:
1816 case SADB_X_EXT_SA2:
1817 case SADB_X_EXT_NAT_T_TYPE:
1818 case SADB_X_EXT_NAT_T_SPORT:
1819 case SADB_X_EXT_NAT_T_DPORT:
1820 case SADB_X_EXT_NAT_T_OAI:
1821 case SADB_X_EXT_NAT_T_OAR:
1822 case SADB_X_EXT_NAT_T_FRAG:
1823 case SADB_X_EXT_SA_REPLAY:
1824 case SADB_X_EXT_NEW_ADDRESS_SRC:
1825 case SADB_X_EXT_NEW_ADDRESS_DST:
1826 mhp[ext->sadb_ext_type] = (caddr_t)ext;
1829 __ipsec_errcode = EIPSEC_INVAL_EXTTYPE;
1833 p += PFKEY_EXTLEN(ext);
1837 __ipsec_errcode = EIPSEC_INVAL_SADBMSG;
1841 __ipsec_errcode = EIPSEC_NO_ERROR;
1846 * check basic usage for sadb_msg,
1847 * NOTE: This routine is derived from netkey/key.c in KAME.
1848 * IN: msg: pointer to message buffer.
1849 * mhp: pointer to the buffer initialized like below:
1851 * caddr_t mhp[SADB_EXT_MAX + 1];
1860 struct sadb_msg *msg;
1862 /* validity check */
1863 if (mhp == NULL || mhp[0] == NULL) {
1864 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
1868 msg = (struct sadb_msg *)mhp[0];
1871 if (msg->sadb_msg_version != PF_KEY_V2) {
1872 __ipsec_errcode = EIPSEC_INVAL_VERSION;
1877 if (msg->sadb_msg_type > SADB_MAX) {
1878 __ipsec_errcode = EIPSEC_INVAL_MSGTYPE;
1883 switch (msg->sadb_msg_satype) {
1884 case SADB_SATYPE_UNSPEC:
1885 switch (msg->sadb_msg_type) {
1893 __ipsec_errcode = EIPSEC_INVAL_SATYPE;
1897 case SADB_SATYPE_ESP:
1898 case SADB_SATYPE_AH:
1899 case SADB_X_SATYPE_IPCOMP:
1900 case SADB_X_SATYPE_TCPSIGNATURE:
1901 switch (msg->sadb_msg_type) {
1903 case SADB_X_SPDDELETE:
1905 case SADB_X_SPDDUMP:
1906 case SADB_X_SPDFLUSH:
1907 __ipsec_errcode = EIPSEC_INVAL_SATYPE;
1911 case SADB_SATYPE_RSVP:
1912 case SADB_SATYPE_OSPFV2:
1913 case SADB_SATYPE_RIPV2:
1914 case SADB_SATYPE_MIP:
1915 __ipsec_errcode = EIPSEC_NOT_SUPPORTED;
1917 case 1: /* XXX: What does it do ? */
1918 if (msg->sadb_msg_type == SADB_X_PROMISC)
1922 __ipsec_errcode = EIPSEC_INVAL_SATYPE;
1926 /* check field of upper layer protocol and address family */
1927 if (mhp[SADB_EXT_ADDRESS_SRC] != NULL
1928 && mhp[SADB_EXT_ADDRESS_DST] != NULL) {
1929 struct sadb_address *src0, *dst0;
1931 src0 = (struct sadb_address *)(mhp[SADB_EXT_ADDRESS_SRC]);
1932 dst0 = (struct sadb_address *)(mhp[SADB_EXT_ADDRESS_DST]);
1934 if (src0->sadb_address_proto != dst0->sadb_address_proto) {
1935 __ipsec_errcode = EIPSEC_PROTO_MISMATCH;
1939 if (PFKEY_ADDR_SADDR(src0)->sa_family
1940 != PFKEY_ADDR_SADDR(dst0)->sa_family) {
1941 __ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
1945 switch (PFKEY_ADDR_SADDR(src0)->sa_family) {
1950 __ipsec_errcode = EIPSEC_INVAL_FAMILY;
1955 * prefixlen == 0 is valid because there must be the case
1956 * all addresses are matched.
1960 __ipsec_errcode = EIPSEC_NO_ERROR;
1965 * set data into sadb_msg.
1966 * `buf' must has been allocated sufficiently.
1969 pfkey_setsadbmsg(buf, lim, type, tlen, satype, seq, pid)
1980 p = (struct sadb_msg *)buf;
1981 len = sizeof(struct sadb_msg);
1983 if (buf + len > lim)
1987 p->sadb_msg_version = PF_KEY_V2;
1988 p->sadb_msg_type = type;
1989 p->sadb_msg_errno = 0;
1990 p->sadb_msg_satype = satype;
1991 p->sadb_msg_len = PFKEY_UNIT64(tlen);
1992 p->sadb_msg_reserved = 0;
1993 p->sadb_msg_seq = seq;
1994 p->sadb_msg_pid = (u_int32_t)pid;
2000 * copy secasvar data into sadb_address.
2001 * `buf' must has been allocated sufficiently.
2004 pfkey_setsadbsa(buf, lim, spi, wsize, auth, enc, flags)
2007 u_int32_t spi, flags;
2008 u_int wsize, auth, enc;
2013 p = (struct sadb_sa *)buf;
2014 len = sizeof(struct sadb_sa);
2016 if (buf + len > lim)
2020 p->sadb_sa_len = PFKEY_UNIT64(len);
2021 p->sadb_sa_exttype = SADB_EXT_SA;
2022 p->sadb_sa_spi = spi;
2023 p->sadb_sa_replay = wsize > UINT8_MAX ? UINT8_MAX: wsize;
2024 p->sadb_sa_state = SADB_SASTATE_LARVAL;
2025 p->sadb_sa_auth = auth;
2026 p->sadb_sa_encrypt = enc;
2027 p->sadb_sa_flags = flags;
2033 * Set data into sadb_x_sa_replay.
2034 * `buf' must has been allocated sufficiently.
2037 pfkey_setsadbxreplay(caddr_t buf, caddr_t lim, uint32_t wsize)
2039 struct sadb_x_sa_replay *p;
2042 p = (struct sadb_x_sa_replay *)buf;
2043 len = sizeof(struct sadb_x_sa_replay);
2045 if (buf + len > lim)
2049 p->sadb_x_sa_replay_len = PFKEY_UNIT64(len);
2050 p->sadb_x_sa_replay_exttype = SADB_X_EXT_SA_REPLAY;
2051 /* Convert wsize from bytes to number of packets. */
2052 p->sadb_x_sa_replay_replay = wsize << 3;
2058 * set data into sadb_address.
2059 * `buf' must has been allocated sufficiently.
2060 * prefixlen is in bits.
2063 pfkey_setsadbaddr(buf, lim, exttype, saddr, prefixlen, ul_proto)
2067 struct sockaddr *saddr;
2071 struct sadb_address *p;
2074 p = (struct sadb_address *)buf;
2075 len = sizeof(struct sadb_address) + PFKEY_ALIGN8(saddr->sa_len);
2077 if (buf + len > lim)
2081 p->sadb_address_len = PFKEY_UNIT64(len);
2082 p->sadb_address_exttype = exttype & 0xffff;
2083 p->sadb_address_proto = ul_proto & 0xff;
2084 p->sadb_address_prefixlen = prefixlen;
2085 p->sadb_address_reserved = 0;
2087 memcpy(p + 1, saddr, saddr->sa_len);
2093 * set sadb_key structure after clearing buffer with zero.
2094 * OUT: the pointer of buf + len.
2097 pfkey_setsadbkey(buf, lim, type, key, keylen)
2106 p = (struct sadb_key *)buf;
2107 len = sizeof(struct sadb_key) + PFKEY_ALIGN8(keylen);
2109 if (buf + len > lim)
2113 p->sadb_key_len = PFKEY_UNIT64(len);
2114 p->sadb_key_exttype = type;
2115 p->sadb_key_bits = keylen << 3;
2116 p->sadb_key_reserved = 0;
2118 memcpy(p + 1, key, keylen);
2124 * set sadb_lifetime structure after clearing buffer with zero.
2125 * OUT: the pointer of buf + len.
2128 pfkey_setsadblifetime(buf, lim, type, l_alloc, l_bytes, l_addtime, l_usetime)
2132 u_int32_t l_alloc, l_bytes, l_addtime, l_usetime;
2134 struct sadb_lifetime *p;
2137 p = (struct sadb_lifetime *)buf;
2138 len = sizeof(struct sadb_lifetime);
2140 if (buf + len > lim)
2144 p->sadb_lifetime_len = PFKEY_UNIT64(len);
2145 p->sadb_lifetime_exttype = type;
2148 case SADB_EXT_LIFETIME_SOFT:
2149 p->sadb_lifetime_allocations
2150 = (l_alloc * soft_lifetime_allocations_rate) /100;
2151 p->sadb_lifetime_bytes
2152 = (l_bytes * soft_lifetime_bytes_rate) /100;
2153 p->sadb_lifetime_addtime
2154 = (l_addtime * soft_lifetime_addtime_rate) /100;
2155 p->sadb_lifetime_usetime
2156 = (l_usetime * soft_lifetime_usetime_rate) /100;
2158 case SADB_EXT_LIFETIME_HARD:
2159 p->sadb_lifetime_allocations = l_alloc;
2160 p->sadb_lifetime_bytes = l_bytes;
2161 p->sadb_lifetime_addtime = l_addtime;
2162 p->sadb_lifetime_usetime = l_usetime;
2170 * copy secasvar data into sadb_address.
2171 * `buf' must has been allocated sufficiently.
2174 pfkey_setsadbxsa2(buf, lim, mode0, reqid)
2180 struct sadb_x_sa2 *p;
2181 u_int8_t mode = mode0 & 0xff;
2184 p = (struct sadb_x_sa2 *)buf;
2185 len = sizeof(struct sadb_x_sa2);
2187 if (buf + len > lim)
2191 p->sadb_x_sa2_len = PFKEY_UNIT64(len);
2192 p->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
2193 p->sadb_x_sa2_mode = mode;
2194 p->sadb_x_sa2_reqid = reqid;