1 /* $KAME: pfkey.c,v 1.46 2003/08/26 03:37:06 itojun Exp $ */
4 * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. Neither the name of the project nor the names of its contributors
16 * may be used to endorse or promote products derived from this software
17 * without specific prior written permission.
19 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 #include <sys/cdefs.h>
33 __FBSDID("$FreeBSD$");
35 #include <sys/types.h>
36 #include <sys/param.h>
37 #include <sys/socket.h>
38 #include <net/pfkeyv2.h>
39 #include <netipsec/key_var.h>
40 #include <netinet/in.h>
41 #include <netipsec/ipsec.h>
49 #include "ipsec_strerror.h"
52 #define CALLOC(size, cast) (cast)calloc(1, (size))
54 static int findsupportedmap(int);
55 static int setsupportedmap(struct sadb_supported *);
56 static struct sadb_alg *findsupportedalg(u_int, u_int);
57 static int pfkey_send_x1(int, u_int, u_int, u_int, struct sockaddr *,
58 struct sockaddr *, u_int32_t, u_int32_t, u_int, caddr_t,
59 u_int, u_int, u_int, u_int, u_int, u_int32_t, u_int32_t,
60 u_int32_t, u_int32_t, u_int32_t);
61 static int pfkey_send_x2(int, u_int, u_int, u_int,
62 struct sockaddr *, struct sockaddr *, u_int32_t);
63 static int pfkey_send_x3(int, u_int, u_int);
64 static int pfkey_send_x4(int, u_int, struct sockaddr *, u_int,
65 struct sockaddr *, u_int, u_int, u_int64_t, u_int64_t,
66 char *, int, u_int32_t);
67 static int pfkey_send_x5(int, u_int, u_int32_t);
69 static caddr_t pfkey_setsadbmsg(caddr_t, caddr_t, u_int, u_int,
70 u_int, u_int32_t, pid_t);
71 static caddr_t pfkey_setsadbsa(caddr_t, caddr_t, u_int32_t, u_int,
72 u_int, u_int, u_int32_t);
73 static caddr_t pfkey_setsadbxreplay(caddr_t, caddr_t, uint32_t);
74 static caddr_t pfkey_setsadbaddr(caddr_t, caddr_t, u_int,
75 struct sockaddr *, u_int, u_int);
76 static caddr_t pfkey_setsadbkey(caddr_t, caddr_t, u_int, caddr_t, u_int);
77 static caddr_t pfkey_setsadblifetime(caddr_t, caddr_t, u_int, u_int32_t,
78 u_int32_t, u_int32_t, u_int32_t);
79 static caddr_t pfkey_setsadbxsa2(caddr_t, caddr_t, u_int32_t, u_int32_t);
82 * make and search supported algorithm structure.
84 static struct sadb_supported *ipsec_supported[] = { NULL, NULL, NULL, NULL };
86 static int supported_map[] = {
90 SADB_X_SATYPE_TCPSIGNATURE
94 findsupportedmap(satype)
99 for (i = 0; i < sizeof(supported_map)/sizeof(supported_map[0]); i++)
100 if (supported_map[i] == satype)
105 static struct sadb_alg *
106 findsupportedalg(satype, alg_id)
107 u_int satype, alg_id;
114 algno = findsupportedmap(satype);
116 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
119 if (ipsec_supported[algno] == NULL) {
120 __ipsec_errcode = EIPSEC_DO_GET_SUPP_LIST;
124 tlen = ipsec_supported[algno]->sadb_supported_len
125 - sizeof(struct sadb_supported);
126 p = (caddr_t)(ipsec_supported[algno] + 1);
128 if (tlen < sizeof(struct sadb_alg)) {
132 if (((struct sadb_alg *)p)->sadb_alg_id == alg_id)
133 return (struct sadb_alg *)p;
135 tlen -= sizeof(struct sadb_alg);
136 p += sizeof(struct sadb_alg);
139 __ipsec_errcode = EIPSEC_NOT_SUPPORTED;
145 struct sadb_supported *sup;
147 struct sadb_supported **ipsup;
149 switch (sup->sadb_supported_exttype) {
150 case SADB_EXT_SUPPORTED_AUTH:
151 ipsup = &ipsec_supported[findsupportedmap(SADB_SATYPE_AH)];
153 case SADB_EXT_SUPPORTED_ENCRYPT:
154 ipsup = &ipsec_supported[findsupportedmap(SADB_SATYPE_ESP)];
157 __ipsec_errcode = EIPSEC_INVAL_SATYPE;
164 *ipsup = malloc(sup->sadb_supported_len);
166 __ipsec_set_strerror(strerror(errno));
169 memcpy(*ipsup, sup, sup->sadb_supported_len);
175 * check key length against algorithm specified.
176 * This function is called with SADB_EXT_SUPPORTED_{AUTH,ENCRYPT} as the
177 * augument, and only calls to ipsec_check_keylen2();
178 * keylen is the unit of bit.
184 ipsec_check_keylen(supported, alg_id, keylen)
193 case SADB_EXT_SUPPORTED_AUTH:
194 satype = SADB_SATYPE_AH;
196 case SADB_EXT_SUPPORTED_ENCRYPT:
197 satype = SADB_SATYPE_ESP;
200 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
204 return ipsec_check_keylen2(satype, alg_id, keylen);
208 * check key length against algorithm specified.
209 * satype is one of satype defined at pfkeyv2.h.
210 * keylen is the unit of bit.
216 ipsec_check_keylen2(satype, alg_id, keylen)
221 struct sadb_alg *alg;
223 alg = findsupportedalg(satype, alg_id);
227 if (keylen < alg->sadb_alg_minbits || keylen > alg->sadb_alg_maxbits) {
228 __ipsec_errcode = EIPSEC_INVAL_KEYLEN;
232 __ipsec_errcode = EIPSEC_NO_ERROR;
237 * get max/min key length against algorithm specified.
238 * satype is one of satype defined at pfkeyv2.h.
239 * keylen is the unit of bit.
245 ipsec_get_keylen(supported, alg_id, alg0)
246 u_int supported, alg_id;
247 struct sadb_alg *alg0;
249 struct sadb_alg *alg;
254 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
259 case SADB_EXT_SUPPORTED_AUTH:
260 satype = SADB_SATYPE_AH;
262 case SADB_EXT_SUPPORTED_ENCRYPT:
263 satype = SADB_SATYPE_ESP;
266 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
270 alg = findsupportedalg(satype, alg_id);
274 memcpy(alg0, alg, sizeof(*alg0));
276 __ipsec_errcode = EIPSEC_NO_ERROR;
281 * set the rate for SOFT lifetime against HARD one.
282 * If rate is more than 100 or equal to zero, then set to 100.
284 static u_int soft_lifetime_allocations_rate = PFKEY_SOFT_LIFETIME_RATE;
285 static u_int soft_lifetime_bytes_rate = PFKEY_SOFT_LIFETIME_RATE;
286 static u_int soft_lifetime_addtime_rate = PFKEY_SOFT_LIFETIME_RATE;
287 static u_int soft_lifetime_usetime_rate = PFKEY_SOFT_LIFETIME_RATE;
290 pfkey_set_softrate(type, rate)
293 __ipsec_errcode = EIPSEC_NO_ERROR;
295 if (rate > 100 || rate == 0)
299 case SADB_X_LIFETIME_ALLOCATIONS:
300 soft_lifetime_allocations_rate = rate;
302 case SADB_X_LIFETIME_BYTES:
303 soft_lifetime_bytes_rate = rate;
305 case SADB_X_LIFETIME_ADDTIME:
306 soft_lifetime_addtime_rate = rate;
308 case SADB_X_LIFETIME_USETIME:
309 soft_lifetime_usetime_rate = rate;
313 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
318 * get current rate for SOFT lifetime against HARD one.
319 * ATTENTION: ~0 is returned if invalid type was passed.
322 pfkey_get_softrate(type)
326 case SADB_X_LIFETIME_ALLOCATIONS:
327 return soft_lifetime_allocations_rate;
328 case SADB_X_LIFETIME_BYTES:
329 return soft_lifetime_bytes_rate;
330 case SADB_X_LIFETIME_ADDTIME:
331 return soft_lifetime_addtime_rate;
332 case SADB_X_LIFETIME_USETIME:
333 return soft_lifetime_usetime_rate;
340 * sending SADB_GETSPI message to the kernel.
342 * positive: success and return length sent.
343 * -1 : error occured, and set errno.
346 pfkey_send_getspi(so, satype, mode, src, dst, min, max, reqid, seq)
349 struct sockaddr *src, *dst;
350 u_int32_t min, max, reqid, seq;
352 struct sadb_msg *newmsg;
355 int need_spirange = 0;
360 if (src == NULL || dst == NULL) {
361 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
364 if (src->sa_family != dst->sa_family) {
365 __ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
368 if (min > max || (min > 0 && min <= 255)) {
369 __ipsec_errcode = EIPSEC_INVAL_SPI;
372 switch (src->sa_family) {
374 plen = sizeof(struct in_addr) << 3;
377 plen = sizeof(struct in6_addr) << 3;
380 __ipsec_errcode = EIPSEC_INVAL_FAMILY;
384 /* create new sadb_msg to send. */
385 len = sizeof(struct sadb_msg)
386 + sizeof(struct sadb_x_sa2)
387 + sizeof(struct sadb_address)
388 + PFKEY_ALIGN8(src->sa_len)
389 + sizeof(struct sadb_address)
390 + PFKEY_ALIGN8(dst->sa_len);
392 if (min > 255 && max < ~0) {
394 len += sizeof(struct sadb_spirange);
397 if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
398 __ipsec_set_strerror(strerror(errno));
401 ep = ((caddr_t)newmsg) + len;
403 p = pfkey_setsadbmsg((caddr_t)newmsg, ep, SADB_GETSPI,
404 len, satype, seq, getpid());
410 p = pfkey_setsadbxsa2(p, ep, mode, reqid);
416 /* set sadb_address for source */
417 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, plen,
424 /* set sadb_address for destination */
425 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, plen,
432 /* proccessing spi range */
434 struct sadb_spirange spirange;
436 if (p + sizeof(spirange) > ep) {
441 memset(&spirange, 0, sizeof(spirange));
442 spirange.sadb_spirange_len = PFKEY_UNIT64(sizeof(spirange));
443 spirange.sadb_spirange_exttype = SADB_EXT_SPIRANGE;
444 spirange.sadb_spirange_min = min;
445 spirange.sadb_spirange_max = max;
447 memcpy(p, &spirange, sizeof(spirange));
449 p += sizeof(spirange);
457 len = pfkey_send(so, newmsg, len);
463 __ipsec_errcode = EIPSEC_NO_ERROR;
468 * sending SADB_UPDATE message to the kernel.
469 * The length of key material is a_keylen + e_keylen.
471 * positive: success and return length sent.
472 * -1 : error occured, and set errno.
475 pfkey_send_update(so, satype, mode, src, dst, spi, reqid, wsize,
476 keymat, e_type, e_keylen, a_type, a_keylen, flags,
477 l_alloc, l_bytes, l_addtime, l_usetime, seq)
479 u_int satype, mode, wsize;
480 struct sockaddr *src, *dst;
481 u_int32_t spi, reqid;
483 u_int e_type, e_keylen, a_type, a_keylen, flags;
485 u_int64_t l_bytes, l_addtime, l_usetime;
489 if ((len = pfkey_send_x1(so, SADB_UPDATE, satype, mode, src, dst, spi,
491 keymat, e_type, e_keylen, a_type, a_keylen, flags,
492 l_alloc, l_bytes, l_addtime, l_usetime, seq)) < 0)
499 * sending SADB_ADD message to the kernel.
500 * The length of key material is a_keylen + e_keylen.
502 * positive: success and return length sent.
503 * -1 : error occured, and set errno.
506 pfkey_send_add(so, satype, mode, src, dst, spi, reqid, wsize,
507 keymat, e_type, e_keylen, a_type, a_keylen, flags,
508 l_alloc, l_bytes, l_addtime, l_usetime, seq)
510 u_int satype, mode, wsize;
511 struct sockaddr *src, *dst;
512 u_int32_t spi, reqid;
514 u_int e_type, e_keylen, a_type, a_keylen, flags;
516 u_int64_t l_bytes, l_addtime, l_usetime;
520 if ((len = pfkey_send_x1(so, SADB_ADD, satype, mode, src, dst, spi,
522 keymat, e_type, e_keylen, a_type, a_keylen, flags,
523 l_alloc, l_bytes, l_addtime, l_usetime, seq)) < 0)
530 * sending SADB_DELETE message to the kernel.
532 * positive: success and return length sent.
533 * -1 : error occured, and set errno.
536 pfkey_send_delete(so, satype, mode, src, dst, spi)
539 struct sockaddr *src, *dst;
543 if ((len = pfkey_send_x2(so, SADB_DELETE, satype, mode, src, dst, spi)) < 0)
550 * sending SADB_DELETE without spi to the kernel. This is
551 * the "delete all" request (an extension also present in
555 * positive: success and return length sent
556 * -1 : error occured, and set errno
559 pfkey_send_delete_all(so, satype, mode, src, dst)
562 struct sockaddr *src, *dst;
564 struct sadb_msg *newmsg;
571 if (src == NULL || dst == NULL) {
572 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
575 if (src->sa_family != dst->sa_family) {
576 __ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
579 switch (src->sa_family) {
581 plen = sizeof(struct in_addr) << 3;
584 plen = sizeof(struct in6_addr) << 3;
587 __ipsec_errcode = EIPSEC_INVAL_FAMILY;
591 /* create new sadb_msg to reply. */
592 len = sizeof(struct sadb_msg)
593 + sizeof(struct sadb_address)
594 + PFKEY_ALIGN8(src->sa_len)
595 + sizeof(struct sadb_address)
596 + PFKEY_ALIGN8(dst->sa_len);
598 if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
599 __ipsec_set_strerror(strerror(errno));
602 ep = ((caddr_t)newmsg) + len;
604 p = pfkey_setsadbmsg((caddr_t)newmsg, ep, SADB_DELETE, len, satype, 0,
610 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, plen,
616 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, plen,
624 len = pfkey_send(so, newmsg, len);
630 __ipsec_errcode = EIPSEC_NO_ERROR;
635 * sending SADB_GET message to the kernel.
637 * positive: success and return length sent.
638 * -1 : error occured, and set errno.
641 pfkey_send_get(so, satype, mode, src, dst, spi)
644 struct sockaddr *src, *dst;
648 if ((len = pfkey_send_x2(so, SADB_GET, satype, mode, src, dst, spi)) < 0)
655 * sending SADB_REGISTER message to the kernel.
657 * positive: success and return length sent.
658 * -1 : error occured, and set errno.
661 pfkey_send_register(so, satype)
667 if (satype == SADB_SATYPE_UNSPEC) {
669 algno < sizeof(supported_map)/sizeof(supported_map[0]);
671 if (ipsec_supported[algno]) {
672 free(ipsec_supported[algno]);
673 ipsec_supported[algno] = NULL;
677 algno = findsupportedmap(satype);
679 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
683 if (ipsec_supported[algno]) {
684 free(ipsec_supported[algno]);
685 ipsec_supported[algno] = NULL;
689 if ((len = pfkey_send_x3(so, SADB_REGISTER, satype)) < 0)
696 * receiving SADB_REGISTER message from the kernel, and copy buffer for
697 * sadb_supported returned into ipsec_supported.
699 * 0: success and return length sent.
700 * -1: error occured, and set errno.
703 pfkey_recv_register(so)
706 pid_t pid = getpid();
707 struct sadb_msg *newmsg;
710 /* receive message */
712 if ((newmsg = pfkey_recv(so)) == NULL)
714 if (newmsg->sadb_msg_type == SADB_REGISTER &&
715 newmsg->sadb_msg_pid == pid)
721 newmsg->sadb_msg_len = PFKEY_UNUNIT64(newmsg->sadb_msg_len);
723 error = pfkey_set_supported(newmsg, newmsg->sadb_msg_len);
727 __ipsec_errcode = EIPSEC_NO_ERROR;
733 * receiving SADB_REGISTER message from the kernel, and copy buffer for
734 * sadb_supported returned into ipsec_supported.
735 * NOTE: sadb_msg_len must be host order.
737 * tlen: msg length, it's to makeing sure.
739 * 0: success and return length sent.
740 * -1: error occured, and set errno.
743 pfkey_set_supported(msg, tlen)
744 struct sadb_msg *msg;
747 struct sadb_supported *sup;
752 if (msg->sadb_msg_len != tlen) {
753 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
760 p += sizeof(struct sadb_msg);
763 sup = (struct sadb_supported *)p;
764 if (ep < p + sizeof(*sup) ||
765 PFKEY_EXTLEN(sup) < sizeof(*sup) ||
766 ep < p + sup->sadb_supported_len) {
771 switch (sup->sadb_supported_exttype) {
772 case SADB_EXT_SUPPORTED_AUTH:
773 case SADB_EXT_SUPPORTED_ENCRYPT:
776 __ipsec_errcode = EIPSEC_INVAL_SATYPE;
781 sup->sadb_supported_len = PFKEY_EXTLEN(sup);
783 /* set supported map */
784 if (setsupportedmap(sup) != 0)
787 p += sup->sadb_supported_len;
791 __ipsec_errcode = EIPSEC_INVAL_SATYPE;
795 __ipsec_errcode = EIPSEC_NO_ERROR;
801 * sending SADB_FLUSH message to the kernel.
803 * positive: success and return length sent.
804 * -1 : error occured, and set errno.
807 pfkey_send_flush(so, satype)
813 if ((len = pfkey_send_x3(so, SADB_FLUSH, satype)) < 0)
820 * sending SADB_DUMP message to the kernel.
822 * positive: success and return length sent.
823 * -1 : error occured, and set errno.
826 pfkey_send_dump(so, satype)
832 if ((len = pfkey_send_x3(so, SADB_DUMP, satype)) < 0)
839 * sending SADB_X_PROMISC message to the kernel.
840 * NOTE that this function handles promisc mode toggle only.
842 * flag: set promisc off if zero, set promisc on if non-zero.
844 * positive: success and return length sent.
845 * -1 : error occured, and set errno.
846 * 0 : error occured, and set errno.
847 * others: a pointer to new allocated buffer in which supported
851 pfkey_send_promisc_toggle(so, flag)
857 if ((len = pfkey_send_x3(so, SADB_X_PROMISC, (flag ? 1 : 0))) < 0)
864 * sending SADB_X_SPDADD message to the kernel.
866 * positive: success and return length sent.
867 * -1 : error occured, and set errno.
870 pfkey_send_spdadd(so, src, prefs, dst, prefd, proto, policy, policylen, seq)
872 struct sockaddr *src, *dst;
873 u_int prefs, prefd, proto;
880 if ((len = pfkey_send_x4(so, SADB_X_SPDADD,
881 src, prefs, dst, prefd, proto,
883 policy, policylen, seq)) < 0)
890 * sending SADB_X_SPDADD message to the kernel.
892 * positive: success and return length sent.
893 * -1 : error occured, and set errno.
896 pfkey_send_spdadd2(so, src, prefs, dst, prefd, proto, ltime, vtime,
897 policy, policylen, seq)
899 struct sockaddr *src, *dst;
900 u_int prefs, prefd, proto;
901 u_int64_t ltime, vtime;
908 if ((len = pfkey_send_x4(so, SADB_X_SPDADD,
909 src, prefs, dst, prefd, proto,
911 policy, policylen, seq)) < 0)
918 * sending SADB_X_SPDUPDATE message to the kernel.
920 * positive: success and return length sent.
921 * -1 : error occured, and set errno.
924 pfkey_send_spdupdate(so, src, prefs, dst, prefd, proto, policy, policylen, seq)
926 struct sockaddr *src, *dst;
927 u_int prefs, prefd, proto;
934 if ((len = pfkey_send_x4(so, SADB_X_SPDUPDATE,
935 src, prefs, dst, prefd, proto,
937 policy, policylen, seq)) < 0)
944 * sending SADB_X_SPDUPDATE message to the kernel.
946 * positive: success and return length sent.
947 * -1 : error occured, and set errno.
950 pfkey_send_spdupdate2(so, src, prefs, dst, prefd, proto, ltime, vtime,
951 policy, policylen, seq)
953 struct sockaddr *src, *dst;
954 u_int prefs, prefd, proto;
955 u_int64_t ltime, vtime;
962 if ((len = pfkey_send_x4(so, SADB_X_SPDUPDATE,
963 src, prefs, dst, prefd, proto,
965 policy, policylen, seq)) < 0)
972 * sending SADB_X_SPDDELETE message to the kernel.
974 * positive: success and return length sent.
975 * -1 : error occured, and set errno.
978 pfkey_send_spddelete(so, src, prefs, dst, prefd, proto, policy, policylen, seq)
980 struct sockaddr *src, *dst;
981 u_int prefs, prefd, proto;
988 if (policylen != sizeof(struct sadb_x_policy)) {
989 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
993 if ((len = pfkey_send_x4(so, SADB_X_SPDDELETE,
994 src, prefs, dst, prefd, proto,
996 policy, policylen, seq)) < 0)
1003 * sending SADB_X_SPDDELETE message to the kernel.
1005 * positive: success and return length sent.
1006 * -1 : error occured, and set errno.
1009 pfkey_send_spddelete2(so, spid)
1015 if ((len = pfkey_send_x5(so, SADB_X_SPDDELETE2, spid)) < 0)
1022 * sending SADB_X_SPDGET message to the kernel.
1024 * positive: success and return length sent.
1025 * -1 : error occured, and set errno.
1028 pfkey_send_spdget(so, spid)
1034 if ((len = pfkey_send_x5(so, SADB_X_SPDGET, spid)) < 0)
1041 * sending SADB_X_SPDSETIDX message to the kernel.
1043 * positive: success and return length sent.
1044 * -1 : error occured, and set errno.
1047 pfkey_send_spdsetidx(so, src, prefs, dst, prefd, proto, policy, policylen, seq)
1049 struct sockaddr *src, *dst;
1050 u_int prefs, prefd, proto;
1057 if (policylen != sizeof(struct sadb_x_policy)) {
1058 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
1062 if ((len = pfkey_send_x4(so, SADB_X_SPDSETIDX,
1063 src, prefs, dst, prefd, proto,
1065 policy, policylen, seq)) < 0)
1072 * sending SADB_SPDFLUSH message to the kernel.
1074 * positive: success and return length sent.
1075 * -1 : error occured, and set errno.
1078 pfkey_send_spdflush(so)
1083 if ((len = pfkey_send_x3(so, SADB_X_SPDFLUSH, SADB_SATYPE_UNSPEC)) < 0)
1090 * sending SADB_SPDDUMP message to the kernel.
1092 * positive: success and return length sent.
1093 * -1 : error occured, and set errno.
1096 pfkey_send_spddump(so)
1101 if ((len = pfkey_send_x3(so, SADB_X_SPDDUMP, SADB_SATYPE_UNSPEC)) < 0)
1107 /* sending SADB_ADD or SADB_UPDATE message to the kernel */
1109 pfkey_send_x1(so, type, satype, mode, src, dst, spi, reqid, wsize,
1110 keymat, e_type, e_keylen, a_type, a_keylen, flags,
1111 l_alloc, l_bytes, l_addtime, l_usetime, seq)
1113 u_int type, satype, mode;
1114 struct sockaddr *src, *dst;
1115 u_int32_t spi, reqid;
1118 u_int e_type, e_keylen, a_type, a_keylen, flags;
1119 u_int32_t l_alloc, l_bytes, l_addtime, l_usetime, seq;
1121 struct sadb_msg *newmsg;
1127 /* validity check */
1128 if (src == NULL || dst == NULL) {
1129 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
1132 if (src->sa_family != dst->sa_family) {
1133 __ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
1136 switch (src->sa_family) {
1138 plen = sizeof(struct in_addr) << 3;
1141 plen = sizeof(struct in6_addr) << 3;
1144 __ipsec_errcode = EIPSEC_INVAL_FAMILY;
1149 case SADB_SATYPE_ESP:
1150 if (e_type == SADB_EALG_NONE) {
1151 __ipsec_errcode = EIPSEC_NO_ALGS;
1155 case SADB_SATYPE_AH:
1156 if (e_type != SADB_EALG_NONE) {
1157 __ipsec_errcode = EIPSEC_INVAL_ALGS;
1160 if (a_type == SADB_AALG_NONE) {
1161 __ipsec_errcode = EIPSEC_NO_ALGS;
1165 case SADB_X_SATYPE_IPCOMP:
1166 if (e_type == SADB_X_CALG_NONE) {
1167 __ipsec_errcode = EIPSEC_INVAL_ALGS;
1170 if (a_type != SADB_AALG_NONE) {
1171 __ipsec_errcode = EIPSEC_NO_ALGS;
1175 case SADB_X_SATYPE_TCPSIGNATURE:
1176 if (e_type != SADB_EALG_NONE) {
1177 __ipsec_errcode = EIPSEC_INVAL_ALGS;
1180 if (a_type != SADB_X_AALG_TCP_MD5) {
1181 __ipsec_errcode = EIPSEC_INVAL_ALGS;
1186 __ipsec_errcode = EIPSEC_INVAL_SATYPE;
1190 /* create new sadb_msg to reply. */
1191 len = sizeof(struct sadb_msg)
1192 + sizeof(struct sadb_sa)
1193 + sizeof(struct sadb_x_sa2)
1194 + sizeof(struct sadb_address)
1195 + PFKEY_ALIGN8(src->sa_len)
1196 + sizeof(struct sadb_address)
1197 + PFKEY_ALIGN8(dst->sa_len)
1198 + sizeof(struct sadb_lifetime)
1199 + sizeof(struct sadb_lifetime);
1201 if (wsize > UINT8_MAX) {
1202 if (wsize > (UINT32_MAX - 32) >> 3) {
1203 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
1206 len += sizeof(struct sadb_x_sa_replay);
1208 if (e_type != SADB_EALG_NONE)
1209 len += (sizeof(struct sadb_key) + PFKEY_ALIGN8(e_keylen));
1210 if (a_type != SADB_AALG_NONE)
1211 len += (sizeof(struct sadb_key) + PFKEY_ALIGN8(a_keylen));
1213 if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
1214 __ipsec_set_strerror(strerror(errno));
1217 ep = ((caddr_t)newmsg) + len;
1219 p = pfkey_setsadbmsg((caddr_t)newmsg, ep, type, len,
1220 satype, seq, getpid());
1225 p = pfkey_setsadbsa(p, ep, spi, wsize, a_type, e_type, flags);
1230 p = pfkey_setsadbxsa2(p, ep, mode, reqid);
1235 if (wsize > UINT8_MAX) {
1236 p = pfkey_setsadbxreplay(p, ep, wsize);
1242 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, plen,
1248 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, plen,
1255 if (e_type != SADB_EALG_NONE) {
1256 p = pfkey_setsadbkey(p, ep, SADB_EXT_KEY_ENCRYPT,
1263 if (a_type != SADB_AALG_NONE) {
1264 p = pfkey_setsadbkey(p, ep, SADB_EXT_KEY_AUTH,
1265 keymat + e_keylen, a_keylen);
1272 /* set sadb_lifetime for destination */
1273 p = pfkey_setsadblifetime(p, ep, SADB_EXT_LIFETIME_HARD,
1274 l_alloc, l_bytes, l_addtime, l_usetime);
1279 p = pfkey_setsadblifetime(p, ep, SADB_EXT_LIFETIME_SOFT,
1280 l_alloc, l_bytes, l_addtime, l_usetime);
1281 if (!p || p != ep) {
1287 len = pfkey_send(so, newmsg, len);
1293 __ipsec_errcode = EIPSEC_NO_ERROR;
1297 /* sending SADB_DELETE or SADB_GET message to the kernel */
1299 pfkey_send_x2(so, type, satype, mode, src, dst, spi)
1301 u_int type, satype, mode;
1302 struct sockaddr *src, *dst;
1305 struct sadb_msg *newmsg;
1311 /* validity check */
1312 if (src == NULL || dst == NULL) {
1313 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
1316 if (src->sa_family != dst->sa_family) {
1317 __ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
1320 switch (src->sa_family) {
1322 plen = sizeof(struct in_addr) << 3;
1325 plen = sizeof(struct in6_addr) << 3;
1328 __ipsec_errcode = EIPSEC_INVAL_FAMILY;
1332 /* create new sadb_msg to reply. */
1333 len = sizeof(struct sadb_msg)
1334 + sizeof(struct sadb_sa)
1335 + sizeof(struct sadb_address)
1336 + PFKEY_ALIGN8(src->sa_len)
1337 + sizeof(struct sadb_address)
1338 + PFKEY_ALIGN8(dst->sa_len);
1340 if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
1341 __ipsec_set_strerror(strerror(errno));
1344 ep = ((caddr_t)newmsg) + len;
1346 p = pfkey_setsadbmsg((caddr_t)newmsg, ep, type, len, satype, 0,
1352 p = pfkey_setsadbsa(p, ep, spi, 0, 0, 0, 0);
1357 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, plen,
1363 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, plen,
1365 if (!p || p != ep) {
1371 len = pfkey_send(so, newmsg, len);
1377 __ipsec_errcode = EIPSEC_NO_ERROR;
1382 * sending SADB_REGISTER, SADB_FLUSH, SADB_DUMP or SADB_X_PROMISC message
1386 pfkey_send_x3(so, type, satype)
1390 struct sadb_msg *newmsg;
1395 /* validity check */
1397 case SADB_X_PROMISC:
1398 if (satype != 0 && satype != 1) {
1399 __ipsec_errcode = EIPSEC_INVAL_SATYPE;
1405 case SADB_SATYPE_UNSPEC:
1406 case SADB_SATYPE_AH:
1407 case SADB_SATYPE_ESP:
1408 case SADB_X_SATYPE_IPCOMP:
1409 case SADB_X_SATYPE_TCPSIGNATURE:
1412 __ipsec_errcode = EIPSEC_INVAL_SATYPE;
1417 /* create new sadb_msg to send. */
1418 len = sizeof(struct sadb_msg);
1420 if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
1421 __ipsec_set_strerror(strerror(errno));
1424 ep = ((caddr_t)newmsg) + len;
1426 p = pfkey_setsadbmsg((caddr_t)newmsg, ep, type, len, satype, 0,
1428 if (!p || p != ep) {
1434 len = pfkey_send(so, newmsg, len);
1440 __ipsec_errcode = EIPSEC_NO_ERROR;
1444 /* sending SADB_X_SPDADD message to the kernel */
1446 pfkey_send_x4(so, type, src, prefs, dst, prefd, proto,
1447 ltime, vtime, policy, policylen, seq)
1449 struct sockaddr *src, *dst;
1450 u_int type, prefs, prefd, proto;
1451 u_int64_t ltime, vtime;
1456 struct sadb_msg *newmsg;
1462 /* validity check */
1463 if (src == NULL || dst == NULL) {
1464 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
1467 if (src->sa_family != dst->sa_family) {
1468 __ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
1472 switch (src->sa_family) {
1474 plen = sizeof(struct in_addr) << 3;
1477 plen = sizeof(struct in6_addr) << 3;
1480 __ipsec_errcode = EIPSEC_INVAL_FAMILY;
1483 if (prefs > plen || prefd > plen) {
1484 __ipsec_errcode = EIPSEC_INVAL_PREFIXLEN;
1488 /* create new sadb_msg to reply. */
1489 len = sizeof(struct sadb_msg)
1490 + sizeof(struct sadb_address)
1491 + PFKEY_ALIGN8(src->sa_len)
1492 + sizeof(struct sadb_address)
1493 + PFKEY_ALIGN8(src->sa_len)
1494 + sizeof(struct sadb_lifetime)
1497 if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
1498 __ipsec_set_strerror(strerror(errno));
1501 ep = ((caddr_t)newmsg) + len;
1503 p = pfkey_setsadbmsg((caddr_t)newmsg, ep, type, len,
1504 SADB_SATYPE_UNSPEC, seq, getpid());
1509 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, prefs, proto);
1514 p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, prefd, proto);
1519 p = pfkey_setsadblifetime(p, ep, SADB_EXT_LIFETIME_HARD,
1520 0, 0, ltime, vtime);
1521 if (!p || p + policylen != ep) {
1525 memcpy(p, policy, policylen);
1528 len = pfkey_send(so, newmsg, len);
1534 __ipsec_errcode = EIPSEC_NO_ERROR;
1538 /* sending SADB_X_SPDGET or SADB_X_SPDDELETE message to the kernel */
1540 pfkey_send_x5(so, type, spid)
1545 struct sadb_msg *newmsg;
1546 struct sadb_x_policy xpl;
1551 /* create new sadb_msg to reply. */
1552 len = sizeof(struct sadb_msg)
1555 if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
1556 __ipsec_set_strerror(strerror(errno));
1559 ep = ((caddr_t)newmsg) + len;
1561 p = pfkey_setsadbmsg((caddr_t)newmsg, ep, type, len,
1562 SADB_SATYPE_UNSPEC, 0, getpid());
1568 if (p + sizeof(xpl) != ep) {
1572 memset(&xpl, 0, sizeof(xpl));
1573 xpl.sadb_x_policy_len = PFKEY_UNIT64(sizeof(xpl));
1574 xpl.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
1575 xpl.sadb_x_policy_id = spid;
1576 memcpy(p, &xpl, sizeof(xpl));
1579 len = pfkey_send(so, newmsg, len);
1585 __ipsec_errcode = EIPSEC_NO_ERROR;
1593 * others : success and return value of socket.
1599 const int bufsiz = 128 * 1024; /*is 128K enough?*/
1601 if ((so = socket(PF_KEY, SOCK_RAW, PF_KEY_V2)) < 0) {
1602 __ipsec_set_strerror(strerror(errno));
1607 * This is a temporary workaround for KAME PR 154.
1608 * Don't really care even if it fails.
1610 (void)setsockopt(so, SOL_SOCKET, SO_SNDBUF, &bufsiz, sizeof(bufsiz));
1611 (void)setsockopt(so, SOL_SOCKET, SO_RCVBUF, &bufsiz, sizeof(bufsiz));
1613 __ipsec_errcode = EIPSEC_NO_ERROR;
1629 __ipsec_errcode = EIPSEC_NO_ERROR;
1634 * receive sadb_msg data, and return pointer to new buffer allocated.
1635 * Must free this buffer later.
1637 * NULL : error occured.
1638 * others : a pointer to sadb_msg structure.
1640 * XXX should be rewritten to pass length explicitly
1646 struct sadb_msg buf, *newmsg;
1649 while ((len = recv(so, (caddr_t)&buf, sizeof(buf), MSG_PEEK)) < 0) {
1652 __ipsec_set_strerror(strerror(errno));
1656 if (len < sizeof(buf)) {
1657 recv(so, (caddr_t)&buf, sizeof(buf), 0);
1658 __ipsec_errcode = EIPSEC_MAX;
1662 /* read real message */
1663 reallen = PFKEY_UNUNIT64(buf.sadb_msg_len);
1664 if ((newmsg = CALLOC(reallen, struct sadb_msg *)) == NULL) {
1665 __ipsec_set_strerror(strerror(errno));
1669 while ((len = recv(so, (caddr_t)newmsg, reallen, 0)) < 0) {
1672 __ipsec_set_strerror(strerror(errno));
1677 if (len != reallen) {
1678 __ipsec_errcode = EIPSEC_SYSTEM_ERROR;
1683 /* don't trust what the kernel says, validate! */
1684 if (PFKEY_UNUNIT64(newmsg->sadb_msg_len) != len) {
1685 __ipsec_errcode = EIPSEC_SYSTEM_ERROR;
1690 __ipsec_errcode = EIPSEC_NO_ERROR;
1695 * send message to a socket.
1697 * others: success and return length sent.
1701 pfkey_send(so, msg, len)
1703 struct sadb_msg *msg;
1706 if ((len = send(so, (caddr_t)msg, len, 0)) < 0) {
1707 __ipsec_set_strerror(strerror(errno));
1711 __ipsec_errcode = EIPSEC_NO_ERROR;
1717 * NOTE: These functions are derived from netkey/key.c in KAME.
1720 * set the pointer to each header in this message buffer.
1721 * IN: msg: pointer to message buffer.
1722 * mhp: pointer to the buffer initialized like below:
1723 * caddr_t mhp[SADB_EXT_MAX + 1];
1727 * XXX should be rewritten to obtain length explicitly
1730 pfkey_align(msg, mhp)
1731 struct sadb_msg *msg;
1734 struct sadb_ext *ext;
1737 caddr_t ep; /* XXX should be passed from upper layer */
1739 /* validity check */
1740 if (msg == NULL || mhp == NULL) {
1741 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
1746 for (i = 0; i < SADB_EXT_MAX + 1; i++)
1749 mhp[0] = (caddr_t)msg;
1753 ep = p + PFKEY_UNUNIT64(msg->sadb_msg_len);
1755 /* skip base header */
1756 p += sizeof(struct sadb_msg);
1759 ext = (struct sadb_ext *)p;
1760 if (ep < p + sizeof(*ext) || PFKEY_EXTLEN(ext) < sizeof(*ext) ||
1761 ep < p + PFKEY_EXTLEN(ext)) {
1762 /* invalid format */
1766 /* duplicate check */
1767 /* XXX Are there duplication either KEY_AUTH or KEY_ENCRYPT ?*/
1768 if (mhp[ext->sadb_ext_type] != NULL) {
1769 __ipsec_errcode = EIPSEC_INVAL_EXTTYPE;
1774 switch (ext->sadb_ext_type) {
1776 case SADB_EXT_LIFETIME_CURRENT:
1777 case SADB_EXT_LIFETIME_HARD:
1778 case SADB_EXT_LIFETIME_SOFT:
1779 case SADB_EXT_ADDRESS_SRC:
1780 case SADB_EXT_ADDRESS_DST:
1781 case SADB_EXT_ADDRESS_PROXY:
1782 case SADB_EXT_KEY_AUTH:
1783 /* XXX should to be check weak keys. */
1784 case SADB_EXT_KEY_ENCRYPT:
1785 /* XXX should to be check weak keys. */
1786 case SADB_EXT_IDENTITY_SRC:
1787 case SADB_EXT_IDENTITY_DST:
1788 case SADB_EXT_SENSITIVITY:
1789 case SADB_EXT_PROPOSAL:
1790 case SADB_EXT_SUPPORTED_AUTH:
1791 case SADB_EXT_SUPPORTED_ENCRYPT:
1792 case SADB_EXT_SPIRANGE:
1793 case SADB_X_EXT_POLICY:
1794 case SADB_X_EXT_SA2:
1795 case SADB_X_EXT_NAT_T_TYPE:
1796 case SADB_X_EXT_NAT_T_SPORT:
1797 case SADB_X_EXT_NAT_T_DPORT:
1798 case SADB_X_EXT_NAT_T_OAI:
1799 case SADB_X_EXT_NAT_T_OAR:
1800 case SADB_X_EXT_NAT_T_FRAG:
1801 case SADB_X_EXT_SA_REPLAY:
1802 case SADB_X_EXT_NEW_ADDRESS_SRC:
1803 case SADB_X_EXT_NEW_ADDRESS_DST:
1804 mhp[ext->sadb_ext_type] = (caddr_t)ext;
1807 __ipsec_errcode = EIPSEC_INVAL_EXTTYPE;
1811 p += PFKEY_EXTLEN(ext);
1815 __ipsec_errcode = EIPSEC_INVAL_SADBMSG;
1819 __ipsec_errcode = EIPSEC_NO_ERROR;
1824 * check basic usage for sadb_msg,
1825 * NOTE: This routine is derived from netkey/key.c in KAME.
1826 * IN: msg: pointer to message buffer.
1827 * mhp: pointer to the buffer initialized like below:
1829 * caddr_t mhp[SADB_EXT_MAX + 1];
1838 struct sadb_msg *msg;
1840 /* validity check */
1841 if (mhp == NULL || mhp[0] == NULL) {
1842 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
1846 msg = (struct sadb_msg *)mhp[0];
1849 if (msg->sadb_msg_version != PF_KEY_V2) {
1850 __ipsec_errcode = EIPSEC_INVAL_VERSION;
1855 if (msg->sadb_msg_type > SADB_MAX) {
1856 __ipsec_errcode = EIPSEC_INVAL_MSGTYPE;
1861 switch (msg->sadb_msg_satype) {
1862 case SADB_SATYPE_UNSPEC:
1863 switch (msg->sadb_msg_type) {
1871 __ipsec_errcode = EIPSEC_INVAL_SATYPE;
1875 case SADB_SATYPE_ESP:
1876 case SADB_SATYPE_AH:
1877 case SADB_X_SATYPE_IPCOMP:
1878 case SADB_X_SATYPE_TCPSIGNATURE:
1879 switch (msg->sadb_msg_type) {
1881 case SADB_X_SPDDELETE:
1883 case SADB_X_SPDDUMP:
1884 case SADB_X_SPDFLUSH:
1885 __ipsec_errcode = EIPSEC_INVAL_SATYPE;
1889 case SADB_SATYPE_RSVP:
1890 case SADB_SATYPE_OSPFV2:
1891 case SADB_SATYPE_RIPV2:
1892 case SADB_SATYPE_MIP:
1893 __ipsec_errcode = EIPSEC_NOT_SUPPORTED;
1895 case 1: /* XXX: What does it do ? */
1896 if (msg->sadb_msg_type == SADB_X_PROMISC)
1900 __ipsec_errcode = EIPSEC_INVAL_SATYPE;
1904 /* check field of upper layer protocol and address family */
1905 if (mhp[SADB_EXT_ADDRESS_SRC] != NULL
1906 && mhp[SADB_EXT_ADDRESS_DST] != NULL) {
1907 struct sadb_address *src0, *dst0;
1909 src0 = (struct sadb_address *)(mhp[SADB_EXT_ADDRESS_SRC]);
1910 dst0 = (struct sadb_address *)(mhp[SADB_EXT_ADDRESS_DST]);
1912 if (src0->sadb_address_proto != dst0->sadb_address_proto) {
1913 __ipsec_errcode = EIPSEC_PROTO_MISMATCH;
1917 if (PFKEY_ADDR_SADDR(src0)->sa_family
1918 != PFKEY_ADDR_SADDR(dst0)->sa_family) {
1919 __ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
1923 switch (PFKEY_ADDR_SADDR(src0)->sa_family) {
1928 __ipsec_errcode = EIPSEC_INVAL_FAMILY;
1933 * prefixlen == 0 is valid because there must be the case
1934 * all addresses are matched.
1938 __ipsec_errcode = EIPSEC_NO_ERROR;
1943 * set data into sadb_msg.
1944 * `buf' must has been allocated sufficiently.
1947 pfkey_setsadbmsg(buf, lim, type, tlen, satype, seq, pid)
1958 p = (struct sadb_msg *)buf;
1959 len = sizeof(struct sadb_msg);
1961 if (buf + len > lim)
1965 p->sadb_msg_version = PF_KEY_V2;
1966 p->sadb_msg_type = type;
1967 p->sadb_msg_errno = 0;
1968 p->sadb_msg_satype = satype;
1969 p->sadb_msg_len = PFKEY_UNIT64(tlen);
1970 p->sadb_msg_reserved = 0;
1971 p->sadb_msg_seq = seq;
1972 p->sadb_msg_pid = (u_int32_t)pid;
1978 * copy secasvar data into sadb_address.
1979 * `buf' must has been allocated sufficiently.
1982 pfkey_setsadbsa(buf, lim, spi, wsize, auth, enc, flags)
1985 u_int32_t spi, flags;
1986 u_int wsize, auth, enc;
1991 p = (struct sadb_sa *)buf;
1992 len = sizeof(struct sadb_sa);
1994 if (buf + len > lim)
1998 p->sadb_sa_len = PFKEY_UNIT64(len);
1999 p->sadb_sa_exttype = SADB_EXT_SA;
2000 p->sadb_sa_spi = spi;
2001 p->sadb_sa_replay = wsize > UINT8_MAX ? UINT8_MAX: wsize;
2002 p->sadb_sa_state = SADB_SASTATE_LARVAL;
2003 p->sadb_sa_auth = auth;
2004 p->sadb_sa_encrypt = enc;
2005 p->sadb_sa_flags = flags;
2011 * Set data into sadb_x_sa_replay.
2012 * `buf' must has been allocated sufficiently.
2015 pfkey_setsadbxreplay(caddr_t buf, caddr_t lim, uint32_t wsize)
2017 struct sadb_x_sa_replay *p;
2020 p = (struct sadb_x_sa_replay *)buf;
2021 len = sizeof(struct sadb_x_sa_replay);
2023 if (buf + len > lim)
2027 p->sadb_x_sa_replay_len = PFKEY_UNIT64(len);
2028 p->sadb_x_sa_replay_exttype = SADB_X_EXT_SA_REPLAY;
2029 /* Convert wsize from bytes to number of packets. */
2030 p->sadb_x_sa_replay_replay = wsize << 3;
2036 * set data into sadb_address.
2037 * `buf' must has been allocated sufficiently.
2038 * prefixlen is in bits.
2041 pfkey_setsadbaddr(buf, lim, exttype, saddr, prefixlen, ul_proto)
2045 struct sockaddr *saddr;
2049 struct sadb_address *p;
2052 p = (struct sadb_address *)buf;
2053 len = sizeof(struct sadb_address) + PFKEY_ALIGN8(saddr->sa_len);
2055 if (buf + len > lim)
2059 p->sadb_address_len = PFKEY_UNIT64(len);
2060 p->sadb_address_exttype = exttype & 0xffff;
2061 p->sadb_address_proto = ul_proto & 0xff;
2062 p->sadb_address_prefixlen = prefixlen;
2063 p->sadb_address_reserved = 0;
2065 memcpy(p + 1, saddr, saddr->sa_len);
2071 * set sadb_key structure after clearing buffer with zero.
2072 * OUT: the pointer of buf + len.
2075 pfkey_setsadbkey(buf, lim, type, key, keylen)
2084 p = (struct sadb_key *)buf;
2085 len = sizeof(struct sadb_key) + PFKEY_ALIGN8(keylen);
2087 if (buf + len > lim)
2091 p->sadb_key_len = PFKEY_UNIT64(len);
2092 p->sadb_key_exttype = type;
2093 p->sadb_key_bits = keylen << 3;
2094 p->sadb_key_reserved = 0;
2096 memcpy(p + 1, key, keylen);
2102 * set sadb_lifetime structure after clearing buffer with zero.
2103 * OUT: the pointer of buf + len.
2106 pfkey_setsadblifetime(buf, lim, type, l_alloc, l_bytes, l_addtime, l_usetime)
2110 u_int32_t l_alloc, l_bytes, l_addtime, l_usetime;
2112 struct sadb_lifetime *p;
2115 p = (struct sadb_lifetime *)buf;
2116 len = sizeof(struct sadb_lifetime);
2118 if (buf + len > lim)
2122 p->sadb_lifetime_len = PFKEY_UNIT64(len);
2123 p->sadb_lifetime_exttype = type;
2126 case SADB_EXT_LIFETIME_SOFT:
2127 p->sadb_lifetime_allocations
2128 = (l_alloc * soft_lifetime_allocations_rate) /100;
2129 p->sadb_lifetime_bytes
2130 = (l_bytes * soft_lifetime_bytes_rate) /100;
2131 p->sadb_lifetime_addtime
2132 = (l_addtime * soft_lifetime_addtime_rate) /100;
2133 p->sadb_lifetime_usetime
2134 = (l_usetime * soft_lifetime_usetime_rate) /100;
2136 case SADB_EXT_LIFETIME_HARD:
2137 p->sadb_lifetime_allocations = l_alloc;
2138 p->sadb_lifetime_bytes = l_bytes;
2139 p->sadb_lifetime_addtime = l_addtime;
2140 p->sadb_lifetime_usetime = l_usetime;
2148 * copy secasvar data into sadb_address.
2149 * `buf' must has been allocated sufficiently.
2152 pfkey_setsadbxsa2(buf, lim, mode0, reqid)
2158 struct sadb_x_sa2 *p;
2159 u_int8_t mode = mode0 & 0xff;
2162 p = (struct sadb_x_sa2 *)buf;
2163 len = sizeof(struct sadb_x_sa2);
2165 if (buf + len > lim)
2169 p->sadb_x_sa2_len = PFKEY_UNIT64(len);
2170 p->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
2171 p->sadb_x_sa2_mode = mode;
2172 p->sadb_x_sa2_reqid = reqid;