Home | History | Annotate | Download | only in libipsec
      1 /*	$NetBSD: pfkey.c,v 1.13.4.2 2007/10/15 16:05:22 vanhu Exp $	*/
      2 
      3 /*	$KAME: pfkey.c,v 1.47 2003/10/02 19:52:12 itojun Exp $	*/
      4 
      5 /*
      6  * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
      7  * All rights reserved.
      8  *
      9  * Redistribution and use in source and binary forms, with or without
     10  * modification, are permitted provided that the following conditions
     11  * are met:
     12  * 1. Redistributions of source code must retain the above copyright
     13  *    notice, this list of conditions and the following disclaimer.
     14  * 2. Redistributions in binary form must reproduce the above copyright
     15  *    notice, this list of conditions and the following disclaimer in the
     16  *    documentation and/or other materials provided with the distribution.
     17  * 3. Neither the name of the project nor the names of its contributors
     18  *    may be used to endorse or promote products derived from this software
     19  *    without specific prior written permission.
     20  *
     21  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
     22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
     23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
     24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
     25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
     26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
     27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
     28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
     29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
     30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
     31  * SUCH DAMAGE.
     32  */
     33 
     34 #ifdef HAVE_CONFIG_H
     35 #include "config.h"
     36 #endif
     37 
     38 #include <sys/types.h>
     39 #include <sys/param.h>
     40 #include <sys/socket.h>
     41 #include <net/pfkeyv2.h>
     42 #include <netinet/in.h>
     43 #include PATH_IPSEC_H
     44 
     45 #include <stdlib.h>
     46 #include <unistd.h>
     47 #include <string.h>
     48 #include <errno.h>
     49 #include <stdio.h>
     50 
     51 #include "ipsec_strerror.h"
     52 #include "libpfkey.h"
     53 
     54 #define CALLOC(size, cast) (cast)calloc(1, (size))
     55 
     56 static int findsupportedmap __P((int));
     57 static int setsupportedmap __P((struct sadb_supported *));
     58 static struct sadb_alg *findsupportedalg __P((u_int, u_int));
     59 static int pfkey_send_x1 __P((struct pfkey_send_sa_args *));
     60 static int pfkey_send_x2 __P((int, u_int, u_int, u_int,
     61 	struct sockaddr *, struct sockaddr *, u_int32_t));
     62 static int pfkey_send_x3 __P((int, u_int, u_int));
     63 static int pfkey_send_x4 __P((int, u_int, struct sockaddr *, u_int,
     64 	struct sockaddr *, u_int, u_int, u_int64_t, u_int64_t,
     65 	char *, int, u_int32_t));
     66 static int pfkey_send_x5 __P((int, u_int, u_int32_t));
     67 
     68 static caddr_t pfkey_setsadbmsg __P((caddr_t, caddr_t, u_int, u_int,
     69 	u_int, u_int32_t, pid_t));
     70 static caddr_t pfkey_setsadbsa __P((caddr_t, caddr_t, u_int32_t, u_int,
     71 	u_int, u_int, u_int32_t));
     72 static caddr_t pfkey_setsadbaddr __P((caddr_t, caddr_t, u_int,
     73 	struct sockaddr *, u_int, u_int));
     74 static caddr_t pfkey_setsadbkey __P((caddr_t, caddr_t, u_int, caddr_t, u_int));
     75 static caddr_t pfkey_setsadblifetime __P((caddr_t, caddr_t, u_int, u_int32_t,
     76 	u_int32_t, u_int32_t, u_int32_t));
     77 static caddr_t pfkey_setsadbxsa2 __P((caddr_t, caddr_t, u_int32_t, u_int32_t));
     78 
     79 #ifdef SADB_X_EXT_NAT_T_TYPE
     80 static caddr_t pfkey_set_natt_type __P((caddr_t, caddr_t, u_int, u_int8_t));
     81 static caddr_t pfkey_set_natt_port __P((caddr_t, caddr_t, u_int, u_int16_t));
     82 #endif
     83 #ifdef SADB_X_EXT_NAT_T_FRAG
     84 static caddr_t pfkey_set_natt_frag __P((caddr_t, caddr_t, u_int, u_int16_t));
     85 #endif
     86 
     87 #ifdef SADB_X_EXT_SEC_CTX
     88 static caddr_t pfkey_setsecctx __P((caddr_t, caddr_t, u_int, u_int8_t, u_int8_t,
     89 				    caddr_t, u_int16_t));
     90 #endif
     91 
     92 int libipsec_opt = 0
     93 #ifdef SADB_X_EXT_NAT_T_TYPE
     94 	| LIBIPSEC_OPT_NATT
     95 #endif
     96 #ifdef SADB_X_EXT_NAT_T_FRAG
     97 	| LIBIPSEC_OPT_FRAG
     98 #endif
     99 #ifdef SADB_X_EXT_NAT_T_SEC_CTX
    100 	| LIBIPSEC_OPT_SEC_CTX
    101 #endif
    102 	;
    103 
    104 /*
    105  * make and search supported algorithm structure.
    106  */
    107 static struct sadb_supported *ipsec_supported[] = { NULL, NULL, NULL,
    108 #ifdef SADB_X_SATYPE_TCPSIGNATURE
    109     NULL,
    110 #endif
    111 };
    112 
    113 static int supported_map[] = {
    114 	SADB_SATYPE_AH,
    115 	SADB_SATYPE_ESP,
    116 	SADB_X_SATYPE_IPCOMP,
    117 #ifdef SADB_X_SATYPE_TCPSIGNATURE
    118 	SADB_X_SATYPE_TCPSIGNATURE,
    119 #endif
    120 };
    121 
    122 static int
    123 findsupportedmap(satype)
    124 	int satype;
    125 {
    126 	int i;
    127 
    128 	for (i = 0; i < sizeof(supported_map)/sizeof(supported_map[0]); i++)
    129 		if (supported_map[i] == satype)
    130 			return i;
    131 	return -1;
    132 }
    133 
    134 static struct sadb_alg *
    135 findsupportedalg(satype, alg_id)
    136 	u_int satype, alg_id;
    137 {
    138 	int algno;
    139 	int tlen;
    140 	caddr_t p;
    141 
    142 	/* validity check */
    143 	algno = findsupportedmap((int)satype);
    144 	if (algno == -1) {
    145 		__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
    146 		return NULL;
    147 	}
    148 	if (ipsec_supported[algno] == NULL) {
    149 		__ipsec_errcode = EIPSEC_DO_GET_SUPP_LIST;
    150 		return NULL;
    151 	}
    152 
    153 	tlen = ipsec_supported[algno]->sadb_supported_len
    154 		- sizeof(struct sadb_supported);
    155 	p = (void *)(ipsec_supported[algno] + 1);
    156 	while (tlen > 0) {
    157 		if (tlen < sizeof(struct sadb_alg)) {
    158 			/* invalid format */
    159 			break;
    160 		}
    161 		if (((struct sadb_alg *)(void *)p)->sadb_alg_id == alg_id)
    162 			return (void *)p;
    163 
    164 		tlen -= sizeof(struct sadb_alg);
    165 		p += sizeof(struct sadb_alg);
    166 	}
    167 
    168 	__ipsec_errcode = EIPSEC_NOT_SUPPORTED;
    169 	return NULL;
    170 }
    171 
    172 static int
    173 setsupportedmap(sup)
    174 	struct sadb_supported *sup;
    175 {
    176 	struct sadb_supported **ipsup;
    177 
    178 	switch (sup->sadb_supported_exttype) {
    179 	case SADB_EXT_SUPPORTED_AUTH:
    180 		ipsup = &ipsec_supported[findsupportedmap(SADB_SATYPE_AH)];
    181 		break;
    182 	case SADB_EXT_SUPPORTED_ENCRYPT:
    183 		ipsup = &ipsec_supported[findsupportedmap(SADB_SATYPE_ESP)];
    184 		break;
    185 	default:
    186 		__ipsec_errcode = EIPSEC_INVAL_SATYPE;
    187 		return -1;
    188 	}
    189 
    190 	if (*ipsup)
    191 		free(*ipsup);
    192 
    193 	*ipsup = malloc((size_t)sup->sadb_supported_len);
    194 	if (!*ipsup) {
    195 		__ipsec_set_strerror(strerror(errno));
    196 		return -1;
    197 	}
    198 	memcpy(*ipsup, sup, (size_t)sup->sadb_supported_len);
    199 
    200 	return 0;
    201 }
    202 
    203 /*
    204  * check key length against algorithm specified.
    205  * This function is called with SADB_EXT_SUPPORTED_{AUTH,ENCRYPT} as the
    206  * augument, and only calls to ipsec_check_keylen2();
    207  * keylen is the unit of bit.
    208  * OUT:
    209  *	-1: invalid.
    210  *	 0: valid.
    211  */
    212 int
    213 ipsec_check_keylen(supported, alg_id, keylen)
    214 	u_int supported;
    215 	u_int alg_id;
    216 	u_int keylen;
    217 {
    218 	u_int satype;
    219 
    220 	/* validity check */
    221 	switch (supported) {
    222 	case SADB_EXT_SUPPORTED_AUTH:
    223 		satype = SADB_SATYPE_AH;
    224 		break;
    225 	case SADB_EXT_SUPPORTED_ENCRYPT:
    226 		satype = SADB_SATYPE_ESP;
    227 		break;
    228 	default:
    229 		__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
    230 		return -1;
    231 	}
    232 
    233 	return ipsec_check_keylen2(satype, alg_id, keylen);
    234 }
    235 
    236 /*
    237  * check key length against algorithm specified.
    238  * satype is one of satype defined at pfkeyv2.h.
    239  * keylen is the unit of bit.
    240  * OUT:
    241  *	-1: invalid.
    242  *	 0: valid.
    243  */
    244 int
    245 ipsec_check_keylen2(satype, alg_id, keylen)
    246 	u_int satype;
    247 	u_int alg_id;
    248 	u_int keylen;
    249 {
    250 	struct sadb_alg *alg;
    251 
    252 	alg = findsupportedalg(satype, alg_id);
    253 	if (!alg)
    254 		return -1;
    255 
    256 	if (keylen < alg->sadb_alg_minbits || keylen > alg->sadb_alg_maxbits) {
    257 		fprintf(stderr, "%d %d %d\n", keylen, alg->sadb_alg_minbits,
    258 			alg->sadb_alg_maxbits);
    259 		__ipsec_errcode = EIPSEC_INVAL_KEYLEN;
    260 		return -1;
    261 	}
    262 
    263 	__ipsec_errcode = EIPSEC_NO_ERROR;
    264 	return 0;
    265 }
    266 
    267 /*
    268  * get max/min key length against algorithm specified.
    269  * satype is one of satype defined at pfkeyv2.h.
    270  * keylen is the unit of bit.
    271  * OUT:
    272  *	-1: invalid.
    273  *	 0: valid.
    274  */
    275 int
    276 ipsec_get_keylen(supported, alg_id, alg0)
    277 	u_int supported, alg_id;
    278 	struct sadb_alg *alg0;
    279 {
    280 	struct sadb_alg *alg;
    281 	u_int satype;
    282 
    283 	/* validity check */
    284 	if (!alg0) {
    285 		__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
    286 		return -1;
    287 	}
    288 
    289 	switch (supported) {
    290 	case SADB_EXT_SUPPORTED_AUTH:
    291 		satype = SADB_SATYPE_AH;
    292 		break;
    293 	case SADB_EXT_SUPPORTED_ENCRYPT:
    294 		satype = SADB_SATYPE_ESP;
    295 		break;
    296 	default:
    297 		__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
    298 		return -1;
    299 	}
    300 
    301 	alg = findsupportedalg(satype, alg_id);
    302 	if (!alg)
    303 		return -1;
    304 
    305 	memcpy(alg0, alg, sizeof(*alg0));
    306 
    307 	__ipsec_errcode = EIPSEC_NO_ERROR;
    308 	return 0;
    309 }
    310 
    311 /*
    312  * set the rate for SOFT lifetime against HARD one.
    313  * If rate is more than 100 or equal to zero, then set to 100.
    314  */
    315 static u_int soft_lifetime_allocations_rate = PFKEY_SOFT_LIFETIME_RATE;
    316 static u_int soft_lifetime_bytes_rate = PFKEY_SOFT_LIFETIME_RATE;
    317 static u_int soft_lifetime_addtime_rate = PFKEY_SOFT_LIFETIME_RATE;
    318 static u_int soft_lifetime_usetime_rate = PFKEY_SOFT_LIFETIME_RATE;
    319 
    320 u_int
    321 pfkey_set_softrate(type, rate)
    322 	u_int type, rate;
    323 {
    324 	__ipsec_errcode = EIPSEC_NO_ERROR;
    325 
    326 	if (rate > 100 || rate == 0)
    327 		rate = 100;
    328 
    329 	switch (type) {
    330 	case SADB_X_LIFETIME_ALLOCATIONS:
    331 		soft_lifetime_allocations_rate = rate;
    332 		return 0;
    333 	case SADB_X_LIFETIME_BYTES:
    334 		soft_lifetime_bytes_rate = rate;
    335 		return 0;
    336 	case SADB_X_LIFETIME_ADDTIME:
    337 		soft_lifetime_addtime_rate = rate;
    338 		return 0;
    339 	case SADB_X_LIFETIME_USETIME:
    340 		soft_lifetime_usetime_rate = rate;
    341 		return 0;
    342 	}
    343 
    344 	__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
    345 	return 1;
    346 }
    347 
    348 /*
    349  * get current rate for SOFT lifetime against HARD one.
    350  * ATTENTION: ~0 is returned if invalid type was passed.
    351  */
    352 u_int
    353 pfkey_get_softrate(type)
    354 	u_int type;
    355 {
    356 	switch (type) {
    357 	case SADB_X_LIFETIME_ALLOCATIONS:
    358 		return soft_lifetime_allocations_rate;
    359 	case SADB_X_LIFETIME_BYTES:
    360 		return soft_lifetime_bytes_rate;
    361 	case SADB_X_LIFETIME_ADDTIME:
    362 		return soft_lifetime_addtime_rate;
    363 	case SADB_X_LIFETIME_USETIME:
    364 		return soft_lifetime_usetime_rate;
    365 	}
    366 
    367 	return (u_int)~0;
    368 }
    369 
    370 /*
    371  * sending SADB_GETSPI message to the kernel.
    372  * OUT:
    373  *	positive: success and return length sent.
    374  *	-1	: error occured, and set errno.
    375  */
    376 int
    377 pfkey_send_getspi(so, satype, mode, src, dst, min, max, reqid, seq)
    378 	int so;
    379 	u_int satype, mode;
    380 	struct sockaddr *src, *dst;
    381 	u_int32_t min, max, reqid, seq;
    382 {
    383 	struct sadb_msg *newmsg;
    384 	caddr_t ep;
    385 	int len;
    386 	int need_spirange = 0;
    387 	caddr_t p;
    388 	int plen;
    389 
    390 	/* validity check */
    391 	if (src == NULL || dst == NULL) {
    392 		__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
    393 		return -1;
    394 	}
    395 	if (src->sa_family != dst->sa_family) {
    396 		__ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
    397 		return -1;
    398 	}
    399 	if (min > max || (min > 0 && min <= 255)) {
    400 		__ipsec_errcode = EIPSEC_INVAL_SPI;
    401 		return -1;
    402 	}
    403 	switch (src->sa_family) {
    404 	case AF_INET:
    405 		plen = sizeof(struct in_addr) << 3;
    406 		break;
    407 	case AF_INET6:
    408 		plen = sizeof(struct in6_addr) << 3;
    409 		break;
    410 	default:
    411 		__ipsec_errcode = EIPSEC_INVAL_FAMILY;
    412 		return -1;
    413 	}
    414 
    415 	/* create new sadb_msg to send. */
    416 	len = sizeof(struct sadb_msg)
    417 		+ sizeof(struct sadb_x_sa2)
    418 		+ sizeof(struct sadb_address)
    419 		+ PFKEY_ALIGN8(sysdep_sa_len(src))
    420 		+ sizeof(struct sadb_address)
    421 		+ PFKEY_ALIGN8(sysdep_sa_len(dst));
    422 
    423 	if (min > 255 && max < (u_int)~0) {
    424 		need_spirange++;
    425 		len += sizeof(struct sadb_spirange);
    426 	}
    427 
    428 	if ((newmsg = CALLOC((size_t)len, struct sadb_msg *)) == NULL) {
    429 		__ipsec_set_strerror(strerror(errno));
    430 		return -1;
    431 	}
    432 	ep = ((caddr_t)(void *)newmsg) + len;
    433 
    434 	p = pfkey_setsadbmsg((void *)newmsg, ep, SADB_GETSPI,
    435 	    (u_int)len, satype, seq, getpid());
    436 	if (!p) {
    437 		free(newmsg);
    438 		return -1;
    439 	}
    440 
    441 	p = pfkey_setsadbxsa2(p, ep, mode, reqid);
    442 	if (!p) {
    443 		free(newmsg);
    444 		return -1;
    445 	}
    446 
    447 	/* set sadb_address for source */
    448 	p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, (u_int)plen,
    449 	    IPSEC_ULPROTO_ANY);
    450 	if (!p) {
    451 		free(newmsg);
    452 		return -1;
    453 	}
    454 
    455 	/* set sadb_address for destination */
    456 	p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, (u_int)plen,
    457 	    IPSEC_ULPROTO_ANY);
    458 	if (!p) {
    459 		free(newmsg);
    460 		return -1;
    461 	}
    462 
    463 	/* proccessing spi range */
    464 	if (need_spirange) {
    465 		struct sadb_spirange spirange;
    466 
    467 		if (p + sizeof(spirange) > ep) {
    468 			free(newmsg);
    469 			return -1;
    470 		}
    471 
    472 		memset(&spirange, 0, sizeof(spirange));
    473 		spirange.sadb_spirange_len = PFKEY_UNIT64(sizeof(spirange));
    474 		spirange.sadb_spirange_exttype = SADB_EXT_SPIRANGE;
    475 		spirange.sadb_spirange_min = min;
    476 		spirange.sadb_spirange_max = max;
    477 
    478 		memcpy(p, &spirange, sizeof(spirange));
    479 
    480 		p += sizeof(spirange);
    481 	}
    482 	if (p != ep) {
    483 		free(newmsg);
    484 		return -1;
    485 	}
    486 
    487 	/* send message */
    488 	len = pfkey_send(so, newmsg, len);
    489 	free(newmsg);
    490 
    491 	if (len < 0)
    492 		return -1;
    493 
    494 	__ipsec_errcode = EIPSEC_NO_ERROR;
    495 	return len;
    496 }
    497 
    498 /*
    499  * sending SADB_UPDATE message to the kernel.
    500  * The length of key material is a_keylen + e_keylen.
    501  * OUT:
    502  *	positive: success and return length sent.
    503  *	-1	: error occured, and set errno.
    504  */
    505 int
    506 pfkey_send_update2(sa_parms)
    507 	struct pfkey_send_sa_args *sa_parms;
    508 {
    509 	int len;
    510 
    511 
    512 	sa_parms->type = SADB_UPDATE;
    513 	if ((len = pfkey_send_x1(sa_parms)) < 0)
    514 		return -1;
    515 
    516 	return len;
    517 }
    518 
    519 /*
    520  * sending SADB_ADD message to the kernel.
    521  * The length of key material is a_keylen + e_keylen.
    522  * OUT:
    523  *	positive: success and return length sent.
    524  *	-1	: error occured, and set errno.
    525  */
    526 int
    527 pfkey_send_add2(sa_parms)
    528 	struct pfkey_send_sa_args *sa_parms;
    529 {
    530 	int len;
    531 
    532 	sa_parms->type = SADB_ADD;
    533 	if ((len = pfkey_send_x1(sa_parms)) < 0)
    534 		return -1;
    535 
    536 	return len;
    537 }
    538 
    539 /*
    540  * sending SADB_DELETE message to the kernel.
    541  * OUT:
    542  *	positive: success and return length sent.
    543  *	-1	: error occured, and set errno.
    544  */
    545 int
    546 pfkey_send_delete(so, satype, mode, src, dst, spi)
    547 	int so;
    548 	u_int satype, mode;
    549 	struct sockaddr *src, *dst;
    550 	u_int32_t spi;
    551 {
    552 	int len;
    553 	if ((len = pfkey_send_x2(so, SADB_DELETE, satype, mode, src, dst, spi)) < 0)
    554 		return -1;
    555 
    556 	return len;
    557 }
    558 
    559 /*
    560  * sending SADB_DELETE without spi to the kernel.  This is
    561  * the "delete all" request (an extension also present in
    562  * Solaris).
    563  *
    564  * OUT:
    565  *	positive: success and return length sent
    566  *	-1	: error occured, and set errno
    567  */
    568 /*ARGSUSED*/
    569 int
    570 pfkey_send_delete_all(so, satype, mode, src, dst)
    571 	int so;
    572 	u_int satype, mode;
    573 	struct sockaddr *src, *dst;
    574 {
    575 	struct sadb_msg *newmsg;
    576 	int len;
    577 	caddr_t p;
    578 	int plen;
    579 	caddr_t ep;
    580 
    581 	/* validity check */
    582 	if (src == NULL || dst == NULL) {
    583 		__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
    584 		return -1;
    585 	}
    586 	if (src->sa_family != dst->sa_family) {
    587 		__ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
    588 		return -1;
    589 	}
    590 	switch (src->sa_family) {
    591 	case AF_INET:
    592 		plen = sizeof(struct in_addr) << 3;
    593 		break;
    594 	case AF_INET6:
    595 		plen = sizeof(struct in6_addr) << 3;
    596 		break;
    597 	default:
    598 		__ipsec_errcode = EIPSEC_INVAL_FAMILY;
    599 		return -1;
    600 	}
    601 
    602 	/* create new sadb_msg to reply. */
    603 	len = sizeof(struct sadb_msg)
    604 		+ sizeof(struct sadb_address)
    605 		+ PFKEY_ALIGN8(sysdep_sa_len(src))
    606 		+ sizeof(struct sadb_address)
    607 		+ PFKEY_ALIGN8(sysdep_sa_len(dst));
    608 
    609 	if ((newmsg = CALLOC((size_t)len, struct sadb_msg *)) == NULL) {
    610 		__ipsec_set_strerror(strerror(errno));
    611 		return -1;
    612 	}
    613 	ep = ((caddr_t)(void *)newmsg) + len;
    614 
    615 	p = pfkey_setsadbmsg((void *)newmsg, ep, SADB_DELETE, (u_int)len,
    616 	    satype, 0, getpid());
    617 	if (!p) {
    618 		free(newmsg);
    619 		return -1;
    620 	}
    621 	p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, (u_int)plen,
    622 	    IPSEC_ULPROTO_ANY);
    623 	if (!p) {
    624 		free(newmsg);
    625 		return -1;
    626 	}
    627 	p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, (u_int)plen,
    628 	    IPSEC_ULPROTO_ANY);
    629 	if (!p || p != ep) {
    630 		free(newmsg);
    631 		return -1;
    632 	}
    633 
    634 	/* send message */
    635 	len = pfkey_send(so, newmsg, len);
    636 	free(newmsg);
    637 
    638 	if (len < 0)
    639 		return -1;
    640 
    641 	__ipsec_errcode = EIPSEC_NO_ERROR;
    642 	return len;
    643 }
    644 
    645 /*
    646  * sending SADB_GET message to the kernel.
    647  * OUT:
    648  *	positive: success and return length sent.
    649  *	-1	: error occured, and set errno.
    650  */
    651 int
    652 pfkey_send_get(so, satype, mode, src, dst, spi)
    653 	int so;
    654 	u_int satype, mode;
    655 	struct sockaddr *src, *dst;
    656 	u_int32_t spi;
    657 {
    658 	int len;
    659 	if ((len = pfkey_send_x2(so, SADB_GET, satype, mode, src, dst, spi)) < 0)
    660 		return -1;
    661 
    662 	return len;
    663 }
    664 
    665 /*
    666  * sending SADB_REGISTER message to the kernel.
    667  * OUT:
    668  *	positive: success and return length sent.
    669  *	-1	: error occured, and set errno.
    670  */
    671 int
    672 pfkey_send_register(so, satype)
    673 	int so;
    674 	u_int satype;
    675 {
    676 	int len, algno;
    677 
    678 	if (satype == PF_UNSPEC) {
    679 		for (algno = 0;
    680 		     algno < sizeof(supported_map)/sizeof(supported_map[0]);
    681 		     algno++) {
    682 			if (ipsec_supported[algno]) {
    683 				free(ipsec_supported[algno]);
    684 				ipsec_supported[algno] = NULL;
    685 			}
    686 		}
    687 	} else {
    688 		algno = findsupportedmap((int)satype);
    689 		if (algno == -1) {
    690 			__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
    691 			return -1;
    692 		}
    693 
    694 		if (ipsec_supported[algno]) {
    695 			free(ipsec_supported[algno]);
    696 			ipsec_supported[algno] = NULL;
    697 		}
    698 	}
    699 
    700 	if ((len = pfkey_send_x3(so, SADB_REGISTER, satype)) < 0)
    701 		return -1;
    702 
    703 	return len;
    704 }
    705 
    706 /*
    707  * receiving SADB_REGISTER message from the kernel, and copy buffer for
    708  * sadb_supported returned into ipsec_supported.
    709  * OUT:
    710  *	 0: success and return length sent.
    711  *	-1: error occured, and set errno.
    712  */
    713 int
    714 pfkey_recv_register(so)
    715 	int so;
    716 {
    717 	pid_t pid = getpid();
    718 	struct sadb_msg *newmsg;
    719 	int error = -1;
    720 
    721 	/* receive message */
    722 	for (;;) {
    723 		if ((newmsg = pfkey_recv(so)) == NULL)
    724 			return -1;
    725 		if (newmsg->sadb_msg_type == SADB_REGISTER &&
    726 		    newmsg->sadb_msg_pid == pid)
    727 			break;
    728 		free(newmsg);
    729 	}
    730 
    731 	/* check and fix */
    732 	newmsg->sadb_msg_len = PFKEY_UNUNIT64(newmsg->sadb_msg_len);
    733 
    734 	error = pfkey_set_supported(newmsg, newmsg->sadb_msg_len);
    735 	free(newmsg);
    736 
    737 	if (error == 0)
    738 		__ipsec_errcode = EIPSEC_NO_ERROR;
    739 
    740 	return error;
    741 }
    742 
    743 /*
    744  * receiving SADB_REGISTER message from the kernel, and copy buffer for
    745  * sadb_supported returned into ipsec_supported.
    746  * NOTE: sadb_msg_len must be host order.
    747  * IN:
    748  *	tlen: msg length, it's to makeing sure.
    749  * OUT:
    750  *	 0: success and return length sent.
    751  *	-1: error occured, and set errno.
    752  */
    753 int
    754 pfkey_set_supported(msg, tlen)
    755 	struct sadb_msg *msg;
    756 	int tlen;
    757 {
    758 	struct sadb_supported *sup;
    759 	caddr_t p;
    760 	caddr_t ep;
    761 
    762 	/* validity */
    763 	if (msg->sadb_msg_len != tlen) {
    764 		__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
    765 		return -1;
    766 	}
    767 
    768 	p = (void *)msg;
    769 	ep = p + tlen;
    770 
    771 	p += sizeof(struct sadb_msg);
    772 
    773 	while (p < ep) {
    774 		sup = (void *)p;
    775 		if (ep < p + sizeof(*sup) ||
    776 		    PFKEY_EXTLEN(sup) < sizeof(*sup) ||
    777 		    ep < p + sup->sadb_supported_len) {
    778 			/* invalid format */
    779 			break;
    780 		}
    781 
    782 		switch (sup->sadb_supported_exttype) {
    783 		case SADB_EXT_SUPPORTED_AUTH:
    784 		case SADB_EXT_SUPPORTED_ENCRYPT:
    785 			break;
    786 		default:
    787 			__ipsec_errcode = EIPSEC_INVAL_SATYPE;
    788 			return -1;
    789 		}
    790 
    791 		/* fixed length */
    792 		sup->sadb_supported_len = PFKEY_EXTLEN(sup);
    793 
    794 		/* set supported map */
    795 		if (setsupportedmap(sup) != 0)
    796 			return -1;
    797 
    798 		p += sup->sadb_supported_len;
    799 	}
    800 
    801 	if (p != ep) {
    802 		__ipsec_errcode = EIPSEC_INVAL_SATYPE;
    803 		return -1;
    804 	}
    805 
    806 	__ipsec_errcode = EIPSEC_NO_ERROR;
    807 
    808 	return 0;
    809 }
    810 
    811 /*
    812  * sending SADB_FLUSH message to the kernel.
    813  * OUT:
    814  *	positive: success and return length sent.
    815  *	-1	: error occured, and set errno.
    816  */
    817 int
    818 pfkey_send_flush(so, satype)
    819 	int so;
    820 	u_int satype;
    821 {
    822 	int len;
    823 
    824 	if ((len = pfkey_send_x3(so, SADB_FLUSH, satype)) < 0)
    825 		return -1;
    826 
    827 	return len;
    828 }
    829 
    830 /*
    831  * sending SADB_DUMP message to the kernel.
    832  * OUT:
    833  *	positive: success and return length sent.
    834  *	-1	: error occured, and set errno.
    835  */
    836 int
    837 pfkey_send_dump(so, satype)
    838 	int so;
    839 	u_int satype;
    840 {
    841 	int len;
    842 
    843 	if ((len = pfkey_send_x3(so, SADB_DUMP, satype)) < 0)
    844 		return -1;
    845 
    846 	return len;
    847 }
    848 
    849 /*
    850  * sending SADB_X_PROMISC message to the kernel.
    851  * NOTE that this function handles promisc mode toggle only.
    852  * IN:
    853  *	flag:	set promisc off if zero, set promisc on if non-zero.
    854  * OUT:
    855  *	positive: success and return length sent.
    856  *	-1	: error occured, and set errno.
    857  *	0     : error occured, and set errno.
    858  *	others: a pointer to new allocated buffer in which supported
    859  *	        algorithms is.
    860  */
    861 int
    862 pfkey_send_promisc_toggle(so, flag)
    863 	int so;
    864 	int flag;
    865 {
    866 	int len;
    867 
    868 	if ((len = pfkey_send_x3(so, SADB_X_PROMISC,
    869 	    (u_int)(flag ? 1 : 0))) < 0)
    870 		return -1;
    871 
    872 	return len;
    873 }
    874 
    875 /*
    876  * sending SADB_X_SPDADD message to the kernel.
    877  * OUT:
    878  *	positive: success and return length sent.
    879  *	-1	: error occured, and set errno.
    880  */
    881 int
    882 pfkey_send_spdadd(so, src, prefs, dst, prefd, proto, policy, policylen, seq)
    883 	int so;
    884 	struct sockaddr *src, *dst;
    885 	u_int prefs, prefd, proto;
    886 	caddr_t policy;
    887 	int policylen;
    888 	u_int32_t seq;
    889 {
    890 	int len;
    891 
    892 	if ((len = pfkey_send_x4(so, SADB_X_SPDADD,
    893 				src, prefs, dst, prefd, proto,
    894 				(u_int64_t)0, (u_int64_t)0,
    895 				policy, policylen, seq)) < 0)
    896 		return -1;
    897 
    898 	return len;
    899 }
    900 
    901 /*
    902  * sending SADB_X_SPDADD message to the kernel.
    903  * OUT:
    904  *	positive: success and return length sent.
    905  *	-1	: error occured, and set errno.
    906  */
    907 int
    908 pfkey_send_spdadd2(so, src, prefs, dst, prefd, proto, ltime, vtime,
    909 		policy, policylen, seq)
    910 	int so;
    911 	struct sockaddr *src, *dst;
    912 	u_int prefs, prefd, proto;
    913 	u_int64_t ltime, vtime;
    914 	caddr_t policy;
    915 	int policylen;
    916 	u_int32_t seq;
    917 {
    918 	int len;
    919 
    920 	if ((len = pfkey_send_x4(so, SADB_X_SPDADD,
    921 				src, prefs, dst, prefd, proto,
    922 				ltime, vtime,
    923 				policy, policylen, seq)) < 0)
    924 		return -1;
    925 
    926 	return len;
    927 }
    928 
    929 /*
    930  * sending SADB_X_SPDUPDATE message to the kernel.
    931  * OUT:
    932  *	positive: success and return length sent.
    933  *	-1	: error occured, and set errno.
    934  */
    935 int
    936 pfkey_send_spdupdate(so, src, prefs, dst, prefd, proto, policy, policylen, seq)
    937 	int so;
    938 	struct sockaddr *src, *dst;
    939 	u_int prefs, prefd, proto;
    940 	caddr_t policy;
    941 	int policylen;
    942 	u_int32_t seq;
    943 {
    944 	int len;
    945 
    946 	if ((len = pfkey_send_x4(so, SADB_X_SPDUPDATE,
    947 				src, prefs, dst, prefd, proto,
    948 				(u_int64_t)0, (u_int64_t)0,
    949 				policy, policylen, seq)) < 0)
    950 		return -1;
    951 
    952 	return len;
    953 }
    954 
    955 /*
    956  * sending SADB_X_SPDUPDATE message to the kernel.
    957  * OUT:
    958  *	positive: success and return length sent.
    959  *	-1	: error occured, and set errno.
    960  */
    961 int
    962 pfkey_send_spdupdate2(so, src, prefs, dst, prefd, proto, ltime, vtime,
    963 		policy, policylen, seq)
    964 	int so;
    965 	struct sockaddr *src, *dst;
    966 	u_int prefs, prefd, proto;
    967 	u_int64_t ltime, vtime;
    968 	caddr_t policy;
    969 	int policylen;
    970 	u_int32_t seq;
    971 {
    972 	int len;
    973 
    974 	if ((len = pfkey_send_x4(so, SADB_X_SPDUPDATE,
    975 				src, prefs, dst, prefd, proto,
    976 				ltime, vtime,
    977 				policy, policylen, seq)) < 0)
    978 		return -1;
    979 
    980 	return len;
    981 }
    982 
    983 /*
    984  * sending SADB_X_SPDDELETE message to the kernel.
    985  * OUT:
    986  *	positive: success and return length sent.
    987  *	-1	: error occured, and set errno.
    988  */
    989 int
    990 pfkey_send_spddelete(so, src, prefs, dst, prefd, proto, policy, policylen, seq)
    991 	int so;
    992 	struct sockaddr *src, *dst;
    993 	u_int prefs, prefd, proto;
    994 	caddr_t policy;
    995 	int policylen;
    996 	u_int32_t seq;
    997 {
    998 	int len;
    999 
   1000 	if (policylen != sizeof(struct sadb_x_policy)) {
   1001 		__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
   1002 		return -1;
   1003 	}
   1004 
   1005 	if ((len = pfkey_send_x4(so, SADB_X_SPDDELETE,
   1006 				src, prefs, dst, prefd, proto,
   1007 				(u_int64_t)0, (u_int64_t)0,
   1008 				policy, policylen, seq)) < 0)
   1009 		return -1;
   1010 
   1011 	return len;
   1012 }
   1013 
   1014 /*
   1015  * sending SADB_X_SPDDELETE message to the kernel.
   1016  * OUT:
   1017  *	positive: success and return length sent.
   1018  *	-1	: error occured, and set errno.
   1019  */
   1020 int
   1021 pfkey_send_spddelete2(so, spid)
   1022 	int so;
   1023 	u_int32_t spid;
   1024 {
   1025 	int len;
   1026 
   1027 	if ((len = pfkey_send_x5(so, SADB_X_SPDDELETE2, spid)) < 0)
   1028 		return -1;
   1029 
   1030 	return len;
   1031 }
   1032 
   1033 /*
   1034  * sending SADB_X_SPDGET message to the kernel.
   1035  * OUT:
   1036  *	positive: success and return length sent.
   1037  *	-1	: error occured, and set errno.
   1038  */
   1039 int
   1040 pfkey_send_spdget(so, spid)
   1041 	int so;
   1042 	u_int32_t spid;
   1043 {
   1044 	int len;
   1045 
   1046 	if ((len = pfkey_send_x5(so, SADB_X_SPDGET, spid)) < 0)
   1047 		return -1;
   1048 
   1049 	return len;
   1050 }
   1051 
   1052 /*
   1053  * sending SADB_X_SPDSETIDX message to the kernel.
   1054  * OUT:
   1055  *	positive: success and return length sent.
   1056  *	-1	: error occured, and set errno.
   1057  */
   1058 int
   1059 pfkey_send_spdsetidx(so, src, prefs, dst, prefd, proto, policy, policylen, seq)
   1060 	int so;
   1061 	struct sockaddr *src, *dst;
   1062 	u_int prefs, prefd, proto;
   1063 	caddr_t policy;
   1064 	int policylen;
   1065 	u_int32_t seq;
   1066 {
   1067 	int len;
   1068 
   1069 	if (policylen != sizeof(struct sadb_x_policy)) {
   1070 		__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
   1071 		return -1;
   1072 	}
   1073 
   1074 	if ((len = pfkey_send_x4(so, SADB_X_SPDSETIDX,
   1075 				src, prefs, dst, prefd, proto,
   1076 				(u_int64_t)0, (u_int64_t)0,
   1077 				policy, policylen, seq)) < 0)
   1078 		return -1;
   1079 
   1080 	return len;
   1081 }
   1082 
   1083 /*
   1084  * sending SADB_SPDFLUSH message to the kernel.
   1085  * OUT:
   1086  *	positive: success and return length sent.
   1087  *	-1	: error occured, and set errno.
   1088  */
   1089 int
   1090 pfkey_send_spdflush(so)
   1091 	int so;
   1092 {
   1093 	int len;
   1094 
   1095 	if ((len = pfkey_send_x3(so, SADB_X_SPDFLUSH, SADB_SATYPE_UNSPEC)) < 0)
   1096 		return -1;
   1097 
   1098 	return len;
   1099 }
   1100 
   1101 /*
   1102  * sending SADB_SPDDUMP message to the kernel.
   1103  * OUT:
   1104  *	positive: success and return length sent.
   1105  *	-1	: error occured, and set errno.
   1106  */
   1107 int
   1108 pfkey_send_spddump(so)
   1109 	int so;
   1110 {
   1111 	int len;
   1112 
   1113 	if ((len = pfkey_send_x3(so, SADB_X_SPDDUMP, SADB_SATYPE_UNSPEC)) < 0)
   1114 		return -1;
   1115 
   1116 	return len;
   1117 }
   1118 
   1119 
   1120 #ifdef SADB_X_MIGRATE
   1121 /*
   1122  * sending SADB_X_MIGRATE message to the kernel.
   1123  * OUT:
   1124  *	positive: success and return length sent.
   1125  *	-1	: error occured, and set errno.
   1126  */
   1127 int
   1128 pfkey_send_migrate(so, src, prefs, dst, prefd, proto, policy, policylen, seq)
   1129 	int so;
   1130 	struct sockaddr *src, *dst;
   1131 	u_int prefs, prefd, proto;
   1132 	caddr_t policy;
   1133 	int policylen;
   1134 	u_int32_t seq;
   1135 {
   1136 	struct sadb_msg *newmsg;
   1137 	int len;
   1138 	caddr_t p;
   1139 	int plen;
   1140 	caddr_t ep;
   1141 
   1142 	/* validity check */
   1143 	if (src == NULL || dst == NULL) {
   1144 		__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
   1145 		return -1;
   1146 	}
   1147 	if (src->sa_family != dst->sa_family) {
   1148 		__ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
   1149 		return -1;
   1150 	}
   1151 
   1152 	switch (src->sa_family) {
   1153 	case AF_INET:
   1154 		plen = sizeof(struct in_addr) << 3;
   1155 		break;
   1156 	case AF_INET6:
   1157 		plen = sizeof(struct in6_addr) << 3;
   1158 		break;
   1159 	default:
   1160 		__ipsec_errcode = EIPSEC_INVAL_FAMILY;
   1161 		return -1;
   1162 	}
   1163 	if (prefs > plen || prefd > plen) {
   1164 		__ipsec_errcode = EIPSEC_INVAL_PREFIXLEN;
   1165 		return -1;
   1166 	}
   1167 
   1168 	/* create new sadb_msg to reply. */
   1169 	len = sizeof(struct sadb_msg)
   1170 		+ sizeof(struct sadb_address)
   1171 		+ PFKEY_ALIGN8(sysdep_sa_len(src))
   1172 		+ sizeof(struct sadb_address)
   1173 		+ PFKEY_ALIGN8(sysdep_sa_len(dst))
   1174 		+ policylen;
   1175 
   1176 	if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
   1177 		__ipsec_set_strerror(strerror(errno));
   1178 		return -1;
   1179 	}
   1180 	ep = ((caddr_t)newmsg) + len;
   1181 
   1182 	p = pfkey_setsadbmsg((caddr_t)newmsg, ep, SADB_X_MIGRATE, (u_int)len,
   1183 	    SADB_SATYPE_UNSPEC, seq, getpid());
   1184 	if (!p) {
   1185 		free(newmsg);
   1186 		return -1;
   1187 	}
   1188 	p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, prefs, proto);
   1189 	if (!p) {
   1190 		free(newmsg);
   1191 		return -1;
   1192 	}
   1193 	p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, prefd, proto);
   1194 	if (!p || p + policylen != ep) {
   1195 		free(newmsg);
   1196 		return -1;
   1197 	}
   1198 	memcpy(p, policy, policylen);
   1199 
   1200 	/* send message */
   1201 	len = pfkey_send(so, newmsg, len);
   1202 	free(newmsg);
   1203 
   1204 	if (len < 0)
   1205 		return -1;
   1206 
   1207 	__ipsec_errcode = EIPSEC_NO_ERROR;
   1208 	return len;
   1209 }
   1210 #endif
   1211 
   1212 
   1213 /* sending SADB_ADD or SADB_UPDATE message to the kernel */
   1214 static int
   1215 pfkey_send_x1(sa_parms)
   1216 	struct pfkey_send_sa_args *sa_parms;
   1217 {
   1218 	struct sadb_msg *newmsg;
   1219 	int len;
   1220 	caddr_t p;
   1221 	int plen;
   1222 	caddr_t ep;
   1223 
   1224 	/* validity check */
   1225 	if (sa_parms->src == NULL || sa_parms->dst == NULL) {
   1226 		__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
   1227 		return -1;
   1228 	}
   1229 	if (sa_parms->src->sa_family != sa_parms->dst->sa_family) {
   1230 		__ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
   1231 		return -1;
   1232 	}
   1233 	switch (sa_parms->src->sa_family) {
   1234 	case AF_INET:
   1235 		plen = sizeof(struct in_addr) << 3;
   1236 		break;
   1237 	case AF_INET6:
   1238 		plen = sizeof(struct in6_addr) << 3;
   1239 		break;
   1240 	default:
   1241 		__ipsec_errcode = EIPSEC_INVAL_FAMILY;
   1242 		return -1;
   1243 	}
   1244 
   1245 	switch (sa_parms->satype) {
   1246 	case SADB_SATYPE_ESP:
   1247 		if (sa_parms->e_type == SADB_EALG_NONE) {
   1248 			__ipsec_errcode = EIPSEC_NO_ALGS;
   1249 			return -1;
   1250 		}
   1251 		break;
   1252 	case SADB_SATYPE_AH:
   1253 		if (sa_parms->e_type != SADB_EALG_NONE) {
   1254 			__ipsec_errcode = EIPSEC_INVAL_ALGS;
   1255 			return -1;
   1256 		}
   1257 		if (sa_parms->a_type == SADB_AALG_NONE) {
   1258 			__ipsec_errcode = EIPSEC_NO_ALGS;
   1259 			return -1;
   1260 		}
   1261 		break;
   1262 	case SADB_X_SATYPE_IPCOMP:
   1263 		if (sa_parms->e_type == SADB_X_CALG_NONE) {
   1264 			__ipsec_errcode = EIPSEC_INVAL_ALGS;
   1265 			return -1;
   1266 		}
   1267 		if (sa_parms->a_type != SADB_AALG_NONE) {
   1268 			__ipsec_errcode = EIPSEC_NO_ALGS;
   1269 			return -1;
   1270 		}
   1271 		break;
   1272 #ifdef SADB_X_AALG_TCP_MD5
   1273 	case SADB_X_SATYPE_TCPSIGNATURE:
   1274 		if (sa_parms->e_type != SADB_EALG_NONE) {
   1275 			__ipsec_errcode = EIPSEC_INVAL_ALGS;
   1276 			return -1;
   1277 		}
   1278 		if (sa_parms->a_type != SADB_X_AALG_TCP_MD5) {
   1279 			__ipsec_errcode = EIPSEC_INVAL_ALGS;
   1280 			return -1;
   1281 		}
   1282 		break;
   1283 #endif
   1284 	default:
   1285 		__ipsec_errcode = EIPSEC_INVAL_SATYPE;
   1286 		return -1;
   1287 	}
   1288 
   1289 	/* create new sadb_msg to reply. */
   1290 	len = sizeof(struct sadb_msg)
   1291 		+ sizeof(struct sadb_sa)
   1292 		+ sizeof(struct sadb_x_sa2)
   1293 		+ sizeof(struct sadb_address)
   1294 		+ PFKEY_ALIGN8(sysdep_sa_len(sa_parms->src))
   1295 		+ sizeof(struct sadb_address)
   1296 		+ PFKEY_ALIGN8(sysdep_sa_len(sa_parms->dst))
   1297 		+ sizeof(struct sadb_lifetime)
   1298 		+ sizeof(struct sadb_lifetime);
   1299 
   1300 	if (sa_parms->e_type != SADB_EALG_NONE &&
   1301 	    sa_parms->satype != SADB_X_SATYPE_IPCOMP)
   1302 		len += (sizeof(struct sadb_key) +
   1303 			PFKEY_ALIGN8(sa_parms->e_keylen));
   1304 	if (sa_parms->a_type != SADB_AALG_NONE)
   1305 		len += (sizeof(struct sadb_key) +
   1306 			PFKEY_ALIGN8(sa_parms->a_keylen));
   1307 
   1308 #ifdef SADB_X_EXT_SEC_CTX
   1309 	if (sa_parms->ctxstr != NULL)
   1310 		len += (sizeof(struct sadb_x_sec_ctx)
   1311 		    + PFKEY_ALIGN8(sa_parms->ctxstrlen));
   1312 #endif
   1313 
   1314 #ifdef SADB_X_EXT_NAT_T_TYPE
   1315 	/* add nat-t packets */
   1316 	if (sa_parms->l_natt_type) {
   1317 		switch(sa_parms->satype) {
   1318 		case SADB_SATYPE_ESP:
   1319 		case SADB_X_SATYPE_IPCOMP:
   1320 			break;
   1321 		default:
   1322 			__ipsec_errcode = EIPSEC_NO_ALGS;
   1323 			return -1;
   1324 		}
   1325 
   1326 		len += sizeof(struct sadb_x_nat_t_type);
   1327 		len += sizeof(struct sadb_x_nat_t_port);
   1328 		len += sizeof(struct sadb_x_nat_t_port);
   1329 		if (sa_parms->l_natt_oa)
   1330 			len += sizeof(struct sadb_address) +
   1331 			  PFKEY_ALIGN8(sysdep_sa_len(sa_parms->l_natt_oa));
   1332 #ifdef SADB_X_EXT_NAT_T_FRAG
   1333 		if (sa_parms->l_natt_frag)
   1334 			len += sizeof(struct sadb_x_nat_t_frag);
   1335 #endif
   1336 	}
   1337 #endif
   1338 
   1339 	if ((newmsg = CALLOC((size_t)len, struct sadb_msg *)) == NULL) {
   1340 		__ipsec_set_strerror(strerror(errno));
   1341 		return -1;
   1342 	}
   1343 	ep = ((caddr_t)(void *)newmsg) + len;
   1344 
   1345 	p = pfkey_setsadbmsg((void *)newmsg, ep, sa_parms->type, (u_int)len,
   1346 	                     sa_parms->satype, sa_parms->seq, getpid());
   1347 	if (!p) {
   1348 		free(newmsg);
   1349 		return -1;
   1350 	}
   1351 	p = pfkey_setsadbsa(p, ep, sa_parms->spi, sa_parms->wsize,
   1352 			    sa_parms->a_type, sa_parms->e_type,
   1353 			    sa_parms->flags);
   1354 	if (!p) {
   1355 		free(newmsg);
   1356 		return -1;
   1357 	}
   1358 	p = pfkey_setsadbxsa2(p, ep, sa_parms->mode, sa_parms->reqid);
   1359 	if (!p) {
   1360 		free(newmsg);
   1361 		return -1;
   1362 	}
   1363 	p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, sa_parms->src,
   1364 			      (u_int)plen, IPSEC_ULPROTO_ANY);
   1365 	if (!p) {
   1366 		free(newmsg);
   1367 		return -1;
   1368 	}
   1369 	p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, sa_parms->dst,
   1370 			      (u_int)plen, IPSEC_ULPROTO_ANY);
   1371 	if (!p) {
   1372 		free(newmsg);
   1373 		return -1;
   1374 	}
   1375 
   1376 	if (sa_parms->e_type != SADB_EALG_NONE &&
   1377 	    sa_parms->satype != SADB_X_SATYPE_IPCOMP) {
   1378 		p = pfkey_setsadbkey(p, ep, SADB_EXT_KEY_ENCRYPT,
   1379 		                   sa_parms->keymat, sa_parms->e_keylen);
   1380 		if (!p) {
   1381 			free(newmsg);
   1382 			return -1;
   1383 		}
   1384 	}
   1385 	if (sa_parms->a_type != SADB_AALG_NONE) {
   1386 		p = pfkey_setsadbkey(p, ep, SADB_EXT_KEY_AUTH,
   1387 				     sa_parms->keymat + sa_parms->e_keylen,
   1388 				     sa_parms->a_keylen);
   1389 		if (!p) {
   1390 			free(newmsg);
   1391 			return -1;
   1392 		}
   1393 	}
   1394 
   1395 	/* set sadb_lifetime for destination */
   1396 	p = pfkey_setsadblifetime(p, ep, SADB_EXT_LIFETIME_HARD,
   1397 			sa_parms->l_alloc, sa_parms->l_bytes,
   1398 			sa_parms->l_addtime, sa_parms->l_usetime);
   1399 	if (!p) {
   1400 		free(newmsg);
   1401 		return -1;
   1402 	}
   1403 	p = pfkey_setsadblifetime(p, ep, SADB_EXT_LIFETIME_SOFT,
   1404 				  sa_parms->l_alloc, sa_parms->l_bytes,
   1405 				  sa_parms->l_addtime, sa_parms->l_usetime);
   1406 	if (!p) {
   1407 		free(newmsg);
   1408 		return -1;
   1409 	}
   1410 #ifdef SADB_X_EXT_SEC_CTX
   1411 	if (sa_parms->ctxstr != NULL) {
   1412 		p = pfkey_setsecctx(p, ep, SADB_X_EXT_SEC_CTX, sa_parms->ctxdoi,
   1413 				    sa_parms->ctxalg, sa_parms->ctxstr,
   1414 				    sa_parms->ctxstrlen);
   1415 		if (!p) {
   1416 			free(newmsg);
   1417 			return -1;
   1418 		}
   1419 	}
   1420 #endif
   1421 
   1422 #ifdef SADB_X_EXT_NAT_T_TYPE
   1423 	/* Add nat-t messages */
   1424 	if (sa_parms->l_natt_type) {
   1425 		p = pfkey_set_natt_type(p, ep, SADB_X_EXT_NAT_T_TYPE,
   1426 					sa_parms->l_natt_type);
   1427 		if (!p) {
   1428 			free(newmsg);
   1429 			return -1;
   1430 		}
   1431 
   1432 		p = pfkey_set_natt_port(p, ep, SADB_X_EXT_NAT_T_SPORT,
   1433 					sa_parms->l_natt_sport);
   1434 		if (!p) {
   1435 			free(newmsg);
   1436 			return -1;
   1437 		}
   1438 
   1439 		p = pfkey_set_natt_port(p, ep, SADB_X_EXT_NAT_T_DPORT,
   1440 					sa_parms->l_natt_dport);
   1441 		if (!p) {
   1442 			free(newmsg);
   1443 			return -1;
   1444 		}
   1445 
   1446 		if (sa_parms->l_natt_oa) {
   1447 			p = pfkey_setsadbaddr(p, ep, SADB_X_EXT_NAT_T_OA,
   1448 					      sa_parms->l_natt_oa,
   1449 					      (u_int)PFKEY_ALIGN8(sysdep_sa_len(sa_parms->l_natt_oa)),
   1450 					      IPSEC_ULPROTO_ANY);
   1451 			if (!p) {
   1452 				free(newmsg);
   1453 				return -1;
   1454 			}
   1455 		}
   1456 
   1457 #ifdef SADB_X_EXT_NAT_T_FRAG
   1458 		if (sa_parms->l_natt_frag) {
   1459 			p = pfkey_set_natt_frag(p, ep, SADB_X_EXT_NAT_T_FRAG,
   1460 					sa_parms->l_natt_frag);
   1461 			if (!p) {
   1462 				free(newmsg);
   1463 				return -1;
   1464 			}
   1465 		}
   1466 #endif
   1467 	}
   1468 #endif
   1469 
   1470 	if (p != ep) {
   1471 		free(newmsg);
   1472 		return -1;
   1473 	}
   1474 
   1475 	/* send message */
   1476 	len = pfkey_send(sa_parms->so, newmsg, len);
   1477 	free(newmsg);
   1478 
   1479 	if (len < 0)
   1480 		return -1;
   1481 
   1482 	__ipsec_errcode = EIPSEC_NO_ERROR;
   1483 	return len;
   1484 }
   1485 
   1486 /* sending SADB_DELETE or SADB_GET message to the kernel */
   1487 /*ARGSUSED*/
   1488 static int
   1489 pfkey_send_x2(so, type, satype, mode, src, dst, spi)
   1490 	int so;
   1491 	u_int type, satype, mode;
   1492 	struct sockaddr *src, *dst;
   1493 	u_int32_t spi;
   1494 {
   1495 	struct sadb_msg *newmsg;
   1496 	int len;
   1497 	caddr_t p;
   1498 	int plen;
   1499 	caddr_t ep;
   1500 
   1501 	/* validity check */
   1502 	if (src == NULL || dst == NULL) {
   1503 		__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
   1504 		return -1;
   1505 	}
   1506 	if (src->sa_family != dst->sa_family) {
   1507 		__ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
   1508 		return -1;
   1509 	}
   1510 	switch (src->sa_family) {
   1511 	case AF_INET:
   1512 		plen = sizeof(struct in_addr) << 3;
   1513 		break;
   1514 	case AF_INET6:
   1515 		plen = sizeof(struct in6_addr) << 3;
   1516 		break;
   1517 	default:
   1518 		__ipsec_errcode = EIPSEC_INVAL_FAMILY;
   1519 		return -1;
   1520 	}
   1521 
   1522 	/* create new sadb_msg to reply. */
   1523 	len = sizeof(struct sadb_msg)
   1524 		+ sizeof(struct sadb_sa)
   1525 		+ sizeof(struct sadb_address)
   1526 		+ PFKEY_ALIGN8(sysdep_sa_len(src))
   1527 		+ sizeof(struct sadb_address)
   1528 		+ PFKEY_ALIGN8(sysdep_sa_len(dst));
   1529 
   1530 	if ((newmsg = CALLOC((size_t)len, struct sadb_msg *)) == NULL) {
   1531 		__ipsec_set_strerror(strerror(errno));
   1532 		return -1;
   1533 	}
   1534 	ep = ((caddr_t)(void *)newmsg) + len;
   1535 
   1536 	p = pfkey_setsadbmsg((void *)newmsg, ep, type, (u_int)len, satype, 0,
   1537 	    getpid());
   1538 	if (!p) {
   1539 		free(newmsg);
   1540 		return -1;
   1541 	}
   1542 	p = pfkey_setsadbsa(p, ep, spi, 0, 0, 0, 0);
   1543 	if (!p) {
   1544 		free(newmsg);
   1545 		return -1;
   1546 	}
   1547 	p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, (u_int)plen,
   1548 	    IPSEC_ULPROTO_ANY);
   1549 	if (!p) {
   1550 		free(newmsg);
   1551 		return -1;
   1552 	}
   1553 	p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, (u_int)plen,
   1554 	    IPSEC_ULPROTO_ANY);
   1555 	if (!p || p != ep) {
   1556 		free(newmsg);
   1557 		return -1;
   1558 	}
   1559 
   1560 	/* send message */
   1561 	len = pfkey_send(so, newmsg, len);
   1562 	free(newmsg);
   1563 
   1564 	if (len < 0)
   1565 		return -1;
   1566 
   1567 	__ipsec_errcode = EIPSEC_NO_ERROR;
   1568 	return len;
   1569 }
   1570 
   1571 /*
   1572  * sending SADB_REGISTER, SADB_FLUSH, SADB_DUMP or SADB_X_PROMISC message
   1573  * to the kernel
   1574  */
   1575 static int
   1576 pfkey_send_x3(so, type, satype)
   1577 	int so;
   1578 	u_int type, satype;
   1579 {
   1580 	struct sadb_msg *newmsg;
   1581 	int len;
   1582 	caddr_t p;
   1583 	caddr_t ep;
   1584 
   1585 	/* validity check */
   1586 	switch (type) {
   1587 	case SADB_X_PROMISC:
   1588 		if (satype != 0 && satype != 1) {
   1589 			__ipsec_errcode = EIPSEC_INVAL_SATYPE;
   1590 			return -1;
   1591 		}
   1592 		break;
   1593 	default:
   1594 		switch (satype) {
   1595 		case SADB_SATYPE_UNSPEC:
   1596 		case SADB_SATYPE_AH:
   1597 		case SADB_SATYPE_ESP:
   1598 		case SADB_X_SATYPE_IPCOMP:
   1599 #ifdef SADB_X_SATYPE_TCPSIGNATURE
   1600 		case SADB_X_SATYPE_TCPSIGNATURE:
   1601 #endif
   1602 			break;
   1603 		default:
   1604 			__ipsec_errcode = EIPSEC_INVAL_SATYPE;
   1605 			return -1;
   1606 		}
   1607 	}
   1608 
   1609 	/* create new sadb_msg to send. */
   1610 	len = sizeof(struct sadb_msg);
   1611 
   1612 	if ((newmsg = CALLOC((size_t)len, struct sadb_msg *)) == NULL) {
   1613 		__ipsec_set_strerror(strerror(errno));
   1614 		return -1;
   1615 	}
   1616 	ep = ((caddr_t)(void *)newmsg) + len;
   1617 
   1618 	p = pfkey_setsadbmsg((void *)newmsg, ep, type, (u_int)len, satype, 0,
   1619 	    getpid());
   1620 	if (!p || p != ep) {
   1621 		free(newmsg);
   1622 		return -1;
   1623 	}
   1624 
   1625 	/* send message */
   1626 	len = pfkey_send(so, newmsg, len);
   1627 	free(newmsg);
   1628 
   1629 	if (len < 0)
   1630 		return -1;
   1631 
   1632 	__ipsec_errcode = EIPSEC_NO_ERROR;
   1633 	return len;
   1634 }
   1635 
   1636 /* sending SADB_X_SPDADD message to the kernel */
   1637 static int
   1638 pfkey_send_x4(so, type, src, prefs, dst, prefd, proto,
   1639 		ltime, vtime, policy, policylen, seq)
   1640 	int so;
   1641 	struct sockaddr *src, *dst;
   1642 	u_int type, prefs, prefd, proto;
   1643 	u_int64_t ltime, vtime;
   1644 	char *policy;
   1645 	int policylen;
   1646 	u_int32_t seq;
   1647 {
   1648 	struct sadb_msg *newmsg;
   1649 	int len;
   1650 	caddr_t p;
   1651 	int plen;
   1652 	caddr_t ep;
   1653 
   1654 	/* validity check */
   1655 	if (src == NULL || dst == NULL) {
   1656 		__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
   1657 		return -1;
   1658 	}
   1659 	if (src->sa_family != dst->sa_family) {
   1660 		__ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
   1661 		return -1;
   1662 	}
   1663 
   1664 	switch (src->sa_family) {
   1665 	case AF_INET:
   1666 		plen = sizeof(struct in_addr) << 3;
   1667 		break;
   1668 	case AF_INET6:
   1669 		plen = sizeof(struct in6_addr) << 3;
   1670 		break;
   1671 	default:
   1672 		__ipsec_errcode = EIPSEC_INVAL_FAMILY;
   1673 		return -1;
   1674 	}
   1675 	if (prefs > plen || prefd > plen) {
   1676 		__ipsec_errcode = EIPSEC_INVAL_PREFIXLEN;
   1677 		return -1;
   1678 	}
   1679 
   1680 	/* create new sadb_msg to reply. */
   1681 	len = sizeof(struct sadb_msg)
   1682 		+ sizeof(struct sadb_address)
   1683 		+ PFKEY_ALIGN8(sysdep_sa_len(src))
   1684 		+ sizeof(struct sadb_address)
   1685 		+ PFKEY_ALIGN8(sysdep_sa_len(src))
   1686 		+ sizeof(struct sadb_lifetime)
   1687 		+ policylen;
   1688 
   1689 	if ((newmsg = CALLOC((size_t)len, struct sadb_msg *)) == NULL) {
   1690 		__ipsec_set_strerror(strerror(errno));
   1691 		return -1;
   1692 	}
   1693 	ep = ((caddr_t)(void *)newmsg) + len;
   1694 
   1695 	p = pfkey_setsadbmsg((void *)newmsg, ep, type, (u_int)len,
   1696 	    SADB_SATYPE_UNSPEC, seq, getpid());
   1697 	if (!p) {
   1698 		free(newmsg);
   1699 		return -1;
   1700 	}
   1701 	p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, prefs, proto);
   1702 	if (!p) {
   1703 		free(newmsg);
   1704 		return -1;
   1705 	}
   1706 	p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, prefd, proto);
   1707 	if (!p) {
   1708 		free(newmsg);
   1709 		return -1;
   1710 	}
   1711 	p = pfkey_setsadblifetime(p, ep, SADB_EXT_LIFETIME_HARD,
   1712 			0, 0, (u_int)ltime, (u_int)vtime);
   1713 	if (!p || p + policylen != ep) {
   1714 		free(newmsg);
   1715 		return -1;
   1716 	}
   1717 	memcpy(p, policy, (size_t)policylen);
   1718 
   1719 	/* send message */
   1720 	len = pfkey_send(so, newmsg, len);
   1721 	free(newmsg);
   1722 
   1723 	if (len < 0)
   1724 		return -1;
   1725 
   1726 	__ipsec_errcode = EIPSEC_NO_ERROR;
   1727 	return len;
   1728 }
   1729 
   1730 /* sending SADB_X_SPDGET or SADB_X_SPDDELETE message to the kernel */
   1731 static int
   1732 pfkey_send_x5(so, type, spid)
   1733 	int so;
   1734 	u_int type;
   1735 	u_int32_t spid;
   1736 {
   1737 	struct sadb_msg *newmsg;
   1738 	struct sadb_x_policy xpl;
   1739 	int len;
   1740 	caddr_t p;
   1741 	caddr_t ep;
   1742 
   1743 	/* create new sadb_msg to reply. */
   1744 	len = sizeof(struct sadb_msg)
   1745 		+ sizeof(xpl);
   1746 
   1747 	if ((newmsg = CALLOC((size_t)len, struct sadb_msg *)) == NULL) {
   1748 		__ipsec_set_strerror(strerror(errno));
   1749 		return -1;
   1750 	}
   1751 	ep = ((caddr_t)(void *)newmsg) + len;
   1752 
   1753 	p = pfkey_setsadbmsg((void *)newmsg, ep, type, (u_int)len,
   1754 	    SADB_SATYPE_UNSPEC, 0, getpid());
   1755 	if (!p) {
   1756 		free(newmsg);
   1757 		return -1;
   1758 	}
   1759 
   1760 	if (p + sizeof(xpl) != ep) {
   1761 		free(newmsg);
   1762 		return -1;
   1763 	}
   1764 	memset(&xpl, 0, sizeof(xpl));
   1765 	xpl.sadb_x_policy_len = PFKEY_UNIT64(sizeof(xpl));
   1766 	xpl.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
   1767 	xpl.sadb_x_policy_id = spid;
   1768 	memcpy(p, &xpl, sizeof(xpl));
   1769 
   1770 	/* send message */
   1771 	len = pfkey_send(so, newmsg, len);
   1772 	free(newmsg);
   1773 
   1774 	if (len < 0)
   1775 		return -1;
   1776 
   1777 	__ipsec_errcode = EIPSEC_NO_ERROR;
   1778 	return len;
   1779 }
   1780 
   1781 /*
   1782  * open a socket.
   1783  * OUT:
   1784  *	-1: fail.
   1785  *	others : success and return value of socket.
   1786  */
   1787 int
   1788 pfkey_open()
   1789 {
   1790 	int so;
   1791 	int bufsiz = 128 * 1024;	/*is 128K enough?*/
   1792 
   1793 	if ((so = socket(PF_KEY, SOCK_RAW, PF_KEY_V2)) < 0) {
   1794 		__ipsec_set_strerror(strerror(errno));
   1795 		return -1;
   1796 	}
   1797 
   1798 	/*
   1799 	 * This is a temporary workaround for KAME PR 154.
   1800 	 * Don't really care even if it fails.
   1801 	 */
   1802 	(void)setsockopt(so, SOL_SOCKET, SO_SNDBUF, &bufsiz, sizeof(bufsiz));
   1803 	(void)setsockopt(so, SOL_SOCKET, SO_RCVBUF, &bufsiz, sizeof(bufsiz));
   1804 	bufsiz = 256 * 1024;
   1805 	(void)setsockopt(so, SOL_SOCKET, SO_RCVBUF, &bufsiz, sizeof(bufsiz));
   1806 	bufsiz = 512 * 1024;
   1807 	(void)setsockopt(so, SOL_SOCKET, SO_RCVBUF, &bufsiz, sizeof(bufsiz));
   1808 	bufsiz = 1024 * 1024;
   1809 	(void)setsockopt(so, SOL_SOCKET, SO_RCVBUF, &bufsiz, sizeof(bufsiz));
   1810 	__ipsec_errcode = EIPSEC_NO_ERROR;
   1811 	return so;
   1812 }
   1813 
   1814 /*
   1815  * close a socket.
   1816  * OUT:
   1817  *	 0: success.
   1818  *	-1: fail.
   1819  */
   1820 void
   1821 pfkey_close(so)
   1822 	int so;
   1823 {
   1824 	(void)close(so);
   1825 
   1826 	__ipsec_errcode = EIPSEC_NO_ERROR;
   1827 	return;
   1828 }
   1829 
   1830 /*
   1831  * receive sadb_msg data, and return pointer to new buffer allocated.
   1832  * Must free this buffer later.
   1833  * OUT:
   1834  *	NULL	: error occured.
   1835  *	others	: a pointer to sadb_msg structure.
   1836  *
   1837  * XXX should be rewritten to pass length explicitly
   1838  */
   1839 struct sadb_msg *
   1840 pfkey_recv(so)
   1841 	int so;
   1842 {
   1843 	struct sadb_msg buf, *newmsg;
   1844 	int len, reallen;
   1845 
   1846 	while ((len = recv(so, (void *)&buf, sizeof(buf), MSG_PEEK)) < 0) {
   1847 		if (errno == EINTR)
   1848 			continue;
   1849 		__ipsec_set_strerror(strerror(errno));
   1850 		return NULL;
   1851 	}
   1852 
   1853 	if (len < sizeof(buf)) {
   1854 		recv(so, (void *)&buf, sizeof(buf), 0);
   1855 		__ipsec_errcode = EIPSEC_MAX;
   1856 		return NULL;
   1857 	}
   1858 
   1859 	/* read real message */
   1860 	reallen = PFKEY_UNUNIT64(buf.sadb_msg_len);
   1861 	if ((newmsg = CALLOC((size_t)reallen, struct sadb_msg *)) == 0) {
   1862 		__ipsec_set_strerror(strerror(errno));
   1863 		return NULL;
   1864 	}
   1865 
   1866 	while ((len = recv(so, (void *)newmsg, (socklen_t)reallen, 0)) < 0) {
   1867 		if (errno == EINTR)
   1868 			continue;
   1869 		__ipsec_set_strerror(strerror(errno));
   1870 		free(newmsg);
   1871 		return NULL;
   1872 	}
   1873 
   1874 	if (len != reallen) {
   1875 		__ipsec_errcode = EIPSEC_SYSTEM_ERROR;
   1876 		free(newmsg);
   1877 		return NULL;
   1878 	}
   1879 
   1880 	/* don't trust what the kernel says, validate! */
   1881 	if (PFKEY_UNUNIT64(newmsg->sadb_msg_len) != len) {
   1882 		__ipsec_errcode = EIPSEC_SYSTEM_ERROR;
   1883 		free(newmsg);
   1884 		return NULL;
   1885 	}
   1886 
   1887 	__ipsec_errcode = EIPSEC_NO_ERROR;
   1888 	return newmsg;
   1889 }
   1890 
   1891 /*
   1892  * send message to a socket.
   1893  * OUT:
   1894  *	 others: success and return length sent.
   1895  *	-1     : fail.
   1896  */
   1897 int
   1898 pfkey_send(so, msg, len)
   1899 	int so;
   1900 	struct sadb_msg *msg;
   1901 	int len;
   1902 {
   1903 	if ((len = send(so, (void *)msg, (socklen_t)len, 0)) < 0) {
   1904 		__ipsec_set_strerror(strerror(errno));
   1905 		return -1;
   1906 	}
   1907 
   1908 	__ipsec_errcode = EIPSEC_NO_ERROR;
   1909 	return len;
   1910 }
   1911 
   1912 /*
   1913  * %%% Utilities
   1914  * NOTE: These functions are derived from netkey/key.c in KAME.
   1915  */
   1916 /*
   1917  * set the pointer to each header in this message buffer.
   1918  * IN:	msg: pointer to message buffer.
   1919  *	mhp: pointer to the buffer initialized like below:
   1920  *		caddr_t mhp[SADB_EXT_MAX + 1];
   1921  * OUT:	-1: invalid.
   1922  *	 0: valid.
   1923  *
   1924  * XXX should be rewritten to obtain length explicitly
   1925  */
   1926 int
   1927 pfkey_align(msg, mhp)
   1928 	struct sadb_msg *msg;
   1929 	caddr_t *mhp;
   1930 {
   1931 	struct sadb_ext *ext;
   1932 	int i;
   1933 	caddr_t p;
   1934 	caddr_t ep;	/* XXX should be passed from upper layer */
   1935 
   1936 	/* validity check */
   1937 	if (msg == NULL || mhp == NULL) {
   1938 		__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
   1939 		return -1;
   1940 	}
   1941 
   1942 	/* initialize */
   1943 	for (i = 0; i < SADB_EXT_MAX + 1; i++)
   1944 		mhp[i] = NULL;
   1945 
   1946 	mhp[0] = (void *)msg;
   1947 
   1948 	/* initialize */
   1949 	p = (void *) msg;
   1950 	ep = p + PFKEY_UNUNIT64(msg->sadb_msg_len);
   1951 
   1952 	/* skip base header */
   1953 	p += sizeof(struct sadb_msg);
   1954 
   1955 	while (p < ep) {
   1956 		ext = (void *)p;
   1957 		if (ep < p + sizeof(*ext) || PFKEY_EXTLEN(ext) < sizeof(*ext) ||
   1958 		    ep < p + PFKEY_EXTLEN(ext)) {
   1959 			/* invalid format */
   1960 			break;
   1961 		}
   1962 
   1963 		/* duplicate check */
   1964 		/* XXX Are there duplication either KEY_AUTH or KEY_ENCRYPT ?*/
   1965 		if (mhp[ext->sadb_ext_type] != NULL) {
   1966 			__ipsec_errcode = EIPSEC_INVAL_EXTTYPE;
   1967 			return -1;
   1968 		}
   1969 
   1970 		/* set pointer */
   1971 		switch (ext->sadb_ext_type) {
   1972 		case SADB_EXT_SA:
   1973 		case SADB_EXT_LIFETIME_CURRENT:
   1974 		case SADB_EXT_LIFETIME_HARD:
   1975 		case SADB_EXT_LIFETIME_SOFT:
   1976 		case SADB_EXT_ADDRESS_SRC:
   1977 		case SADB_EXT_ADDRESS_DST:
   1978 		case SADB_EXT_ADDRESS_PROXY:
   1979 		case SADB_EXT_KEY_AUTH:
   1980 			/* XXX should to be check weak keys. */
   1981 		case SADB_EXT_KEY_ENCRYPT:
   1982 			/* XXX should to be check weak keys. */
   1983 		case SADB_EXT_IDENTITY_SRC:
   1984 		case SADB_EXT_IDENTITY_DST:
   1985 		case SADB_EXT_SENSITIVITY:
   1986 		case SADB_EXT_PROPOSAL:
   1987 		case SADB_EXT_SUPPORTED_AUTH:
   1988 		case SADB_EXT_SUPPORTED_ENCRYPT:
   1989 		case SADB_EXT_SPIRANGE:
   1990 		case SADB_X_EXT_POLICY:
   1991 		case SADB_X_EXT_SA2:
   1992 #ifdef SADB_X_EXT_NAT_T_TYPE
   1993 		case SADB_X_EXT_NAT_T_TYPE:
   1994 		case SADB_X_EXT_NAT_T_SPORT:
   1995 		case SADB_X_EXT_NAT_T_DPORT:
   1996 		case SADB_X_EXT_NAT_T_OA:
   1997 #endif
   1998 #ifdef SADB_X_EXT_TAG
   1999 		case SADB_X_EXT_TAG:
   2000 #endif
   2001 #ifdef SADB_X_EXT_PACKET
   2002 		case SADB_X_EXT_PACKET:
   2003 #endif
   2004 #ifdef SADB_X_EXT_SEC_CTX
   2005 		case SADB_X_EXT_SEC_CTX:
   2006 #endif
   2007 			mhp[ext->sadb_ext_type] = (void *)ext;
   2008 			break;
   2009 		default:
   2010 			__ipsec_errcode = EIPSEC_INVAL_EXTTYPE;
   2011 			return -1;
   2012 		}
   2013 
   2014 		p += PFKEY_EXTLEN(ext);
   2015 	}
   2016 
   2017 	if (p != ep) {
   2018 		__ipsec_errcode = EIPSEC_INVAL_SADBMSG;
   2019 		return -1;
   2020 	}
   2021 
   2022 	__ipsec_errcode = EIPSEC_NO_ERROR;
   2023 	return 0;
   2024 }
   2025 
   2026 /*
   2027  * check basic usage for sadb_msg,
   2028  * NOTE: This routine is derived from netkey/key.c in KAME.
   2029  * IN:	msg: pointer to message buffer.
   2030  *	mhp: pointer to the buffer initialized like below:
   2031  *
   2032  *		caddr_t mhp[SADB_EXT_MAX + 1];
   2033  *
   2034  * OUT:	-1: invalid.
   2035  *	 0: valid.
   2036  */
   2037 int
   2038 pfkey_check(mhp)
   2039 	caddr_t *mhp;
   2040 {
   2041 	struct sadb_msg *msg;
   2042 
   2043 	/* validity check */
   2044 	if (mhp == NULL || mhp[0] == NULL) {
   2045 		__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
   2046 		return -1;
   2047 	}
   2048 
   2049 	msg = (void *)mhp[0];
   2050 
   2051 	/* check version */
   2052 	if (msg->sadb_msg_version != PF_KEY_V2) {
   2053 		__ipsec_errcode = EIPSEC_INVAL_VERSION;
   2054 		return -1;
   2055 	}
   2056 
   2057 	/* check type */
   2058 	if (msg->sadb_msg_type > SADB_MAX) {
   2059 		__ipsec_errcode = EIPSEC_INVAL_MSGTYPE;
   2060 		return -1;
   2061 	}
   2062 
   2063 	/* check SA type */
   2064 	switch (msg->sadb_msg_satype) {
   2065 	case SADB_SATYPE_UNSPEC:
   2066 		switch (msg->sadb_msg_type) {
   2067 		case SADB_GETSPI:
   2068 		case SADB_UPDATE:
   2069 		case SADB_ADD:
   2070 		case SADB_DELETE:
   2071 		case SADB_GET:
   2072 		case SADB_ACQUIRE:
   2073 		case SADB_EXPIRE:
   2074 #ifdef SADB_X_NAT_T_NEW_MAPPING
   2075 		case SADB_X_NAT_T_NEW_MAPPING:
   2076 #endif
   2077 			__ipsec_errcode = EIPSEC_INVAL_SATYPE;
   2078 			return -1;
   2079 		}
   2080 		break;
   2081 	case SADB_SATYPE_ESP:
   2082 	case SADB_SATYPE_AH:
   2083 	case SADB_X_SATYPE_IPCOMP:
   2084 #ifdef SADB_X_SATYPE_TCPSIGNATURE
   2085 	case SADB_X_SATYPE_TCPSIGNATURE:
   2086 #endif
   2087 		switch (msg->sadb_msg_type) {
   2088 		case SADB_X_SPDADD:
   2089 		case SADB_X_SPDDELETE:
   2090 		case SADB_X_SPDGET:
   2091 		case SADB_X_SPDDUMP:
   2092 		case SADB_X_SPDFLUSH:
   2093 			__ipsec_errcode = EIPSEC_INVAL_SATYPE;
   2094 			return -1;
   2095 		}
   2096 #ifdef SADB_X_NAT_T_NEW_MAPPING
   2097 		if (msg->sadb_msg_type == SADB_X_NAT_T_NEW_MAPPING &&
   2098 		    msg->sadb_msg_satype != SADB_SATYPE_ESP) {
   2099 			__ipsec_errcode = EIPSEC_INVAL_SATYPE;
   2100 			return -1;
   2101 		}
   2102 #endif
   2103 		break;
   2104 	case SADB_SATYPE_RSVP:
   2105 	case SADB_SATYPE_OSPFV2:
   2106 	case SADB_SATYPE_RIPV2:
   2107 	case SADB_SATYPE_MIP:
   2108 		__ipsec_errcode = EIPSEC_NOT_SUPPORTED;
   2109 		return -1;
   2110 	case 1:	/* XXX: What does it do ? */
   2111 		if (msg->sadb_msg_type == SADB_X_PROMISC)
   2112 			break;
   2113 		/*FALLTHROUGH*/
   2114 	default:
   2115 		__ipsec_errcode = EIPSEC_INVAL_SATYPE;
   2116 		return -1;
   2117 	}
   2118 
   2119 	/* check field of upper layer protocol and address family */
   2120 	if (mhp[SADB_EXT_ADDRESS_SRC] != NULL
   2121 	 && mhp[SADB_EXT_ADDRESS_DST] != NULL) {
   2122 		struct sadb_address *src0, *dst0;
   2123 
   2124 		src0 = (void *)(mhp[SADB_EXT_ADDRESS_SRC]);
   2125 		dst0 = (void *)(mhp[SADB_EXT_ADDRESS_DST]);
   2126 
   2127 		if (src0->sadb_address_proto != dst0->sadb_address_proto) {
   2128 			__ipsec_errcode = EIPSEC_PROTO_MISMATCH;
   2129 			return -1;
   2130 		}
   2131 
   2132 		if (PFKEY_ADDR_SADDR(src0)->sa_family
   2133 		 != PFKEY_ADDR_SADDR(dst0)->sa_family) {
   2134 			__ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
   2135 			return -1;
   2136 		}
   2137 
   2138 		switch (PFKEY_ADDR_SADDR(src0)->sa_family) {
   2139 		case AF_INET:
   2140 		case AF_INET6:
   2141 			break;
   2142 		default:
   2143 			__ipsec_errcode = EIPSEC_INVAL_FAMILY;
   2144 			return -1;
   2145 		}
   2146 
   2147 		/*
   2148 		 * prefixlen == 0 is valid because there must be the case
   2149 		 * all addresses are matched.
   2150 		 */
   2151 	}
   2152 
   2153 	__ipsec_errcode = EIPSEC_NO_ERROR;
   2154 	return 0;
   2155 }
   2156 
   2157 /*
   2158  * set data into sadb_msg.
   2159  * `buf' must has been allocated sufficiently.
   2160  */
   2161 static caddr_t
   2162 pfkey_setsadbmsg(buf, lim, type, tlen, satype, seq, pid)
   2163 	caddr_t buf;
   2164 	caddr_t lim;
   2165 	u_int type, satype;
   2166 	u_int tlen;
   2167 	u_int32_t seq;
   2168 	pid_t pid;
   2169 {
   2170 	struct sadb_msg *p;
   2171 	u_int len;
   2172 
   2173 	p = (void *)buf;
   2174 	len = sizeof(struct sadb_msg);
   2175 
   2176 	if (buf + len > lim)
   2177 		return NULL;
   2178 
   2179 	memset(p, 0, len);
   2180 	p->sadb_msg_version = PF_KEY_V2;
   2181 	p->sadb_msg_type = type;
   2182 	p->sadb_msg_errno = 0;
   2183 	p->sadb_msg_satype = satype;
   2184 	p->sadb_msg_len = PFKEY_UNIT64(tlen);
   2185 	p->sadb_msg_reserved = 0;
   2186 	p->sadb_msg_seq = seq;
   2187 	p->sadb_msg_pid = (u_int32_t)pid;
   2188 
   2189 	return(buf + len);
   2190 }
   2191 
   2192 /*
   2193  * copy secasvar data into sadb_address.
   2194  * `buf' must has been allocated sufficiently.
   2195  */
   2196 static caddr_t
   2197 pfkey_setsadbsa(buf, lim, spi, wsize, auth, enc, flags)
   2198 	caddr_t buf;
   2199 	caddr_t lim;
   2200 	u_int32_t spi, flags;
   2201 	u_int wsize, auth, enc;
   2202 {
   2203 	struct sadb_sa *p;
   2204 	u_int len;
   2205 
   2206 	p = (void *)buf;
   2207 	len = sizeof(struct sadb_sa);
   2208 
   2209 	if (buf + len > lim)
   2210 		return NULL;
   2211 
   2212 	memset(p, 0, len);
   2213 	p->sadb_sa_len = PFKEY_UNIT64(len);
   2214 	p->sadb_sa_exttype = SADB_EXT_SA;
   2215 	p->sadb_sa_spi = spi;
   2216 	p->sadb_sa_replay = wsize;
   2217 	p->sadb_sa_state = SADB_SASTATE_LARVAL;
   2218 	p->sadb_sa_auth = auth;
   2219 	p->sadb_sa_encrypt = enc;
   2220 	p->sadb_sa_flags = flags;
   2221 
   2222 	return(buf + len);
   2223 }
   2224 
   2225 /*
   2226  * set data into sadb_address.
   2227  * `buf' must has been allocated sufficiently.
   2228  * prefixlen is in bits.
   2229  */
   2230 static caddr_t
   2231 pfkey_setsadbaddr(buf, lim, exttype, saddr, prefixlen, ul_proto)
   2232 	caddr_t buf;
   2233 	caddr_t lim;
   2234 	u_int exttype;
   2235 	struct sockaddr *saddr;
   2236 	u_int prefixlen;
   2237 	u_int ul_proto;
   2238 {
   2239 	struct sadb_address *p;
   2240 	u_int len;
   2241 
   2242 	p = (void *)buf;
   2243 	len = sizeof(struct sadb_address) + PFKEY_ALIGN8(sysdep_sa_len(saddr));
   2244 
   2245 	if (buf + len > lim)
   2246 		return NULL;
   2247 
   2248 	memset(p, 0, len);
   2249 	p->sadb_address_len = PFKEY_UNIT64(len);
   2250 	p->sadb_address_exttype = exttype & 0xffff;
   2251 	p->sadb_address_proto = ul_proto & 0xff;
   2252 	p->sadb_address_prefixlen = prefixlen;
   2253 	p->sadb_address_reserved = 0;
   2254 
   2255 	memcpy(p + 1, saddr, (size_t)sysdep_sa_len(saddr));
   2256 
   2257 	return(buf + len);
   2258 }
   2259 
   2260 /*
   2261  * set sadb_key structure after clearing buffer with zero.
   2262  * OUT: the pointer of buf + len.
   2263  */
   2264 static caddr_t
   2265 pfkey_setsadbkey(buf, lim, type, key, keylen)
   2266 	caddr_t buf;
   2267 	caddr_t lim;
   2268 	caddr_t key;
   2269 	u_int type, keylen;
   2270 {
   2271 	struct sadb_key *p;
   2272 	u_int len;
   2273 
   2274 	p = (void *)buf;
   2275 	len = sizeof(struct sadb_key) + PFKEY_ALIGN8(keylen);
   2276 
   2277 	if (buf + len > lim)
   2278 		return NULL;
   2279 
   2280 	memset(p, 0, len);
   2281 	p->sadb_key_len = PFKEY_UNIT64(len);
   2282 	p->sadb_key_exttype = type;
   2283 	p->sadb_key_bits = keylen << 3;
   2284 	p->sadb_key_reserved = 0;
   2285 
   2286 	memcpy(p + 1, key, keylen);
   2287 
   2288 	return buf + len;
   2289 }
   2290 
   2291 /*
   2292  * set sadb_lifetime structure after clearing buffer with zero.
   2293  * OUT: the pointer of buf + len.
   2294  */
   2295 static caddr_t
   2296 pfkey_setsadblifetime(buf, lim, type, l_alloc, l_bytes, l_addtime, l_usetime)
   2297 	caddr_t buf;
   2298 	caddr_t lim;
   2299 	u_int type;
   2300 	u_int32_t l_alloc, l_bytes, l_addtime, l_usetime;
   2301 {
   2302 	struct sadb_lifetime *p;
   2303 	u_int len;
   2304 
   2305 	p = (void *)buf;
   2306 	len = sizeof(struct sadb_lifetime);
   2307 
   2308 	if (buf + len > lim)
   2309 		return NULL;
   2310 
   2311 	memset(p, 0, len);
   2312 	p->sadb_lifetime_len = PFKEY_UNIT64(len);
   2313 	p->sadb_lifetime_exttype = type;
   2314 
   2315 	switch (type) {
   2316 	case SADB_EXT_LIFETIME_SOFT:
   2317 		p->sadb_lifetime_allocations
   2318 			= (l_alloc * soft_lifetime_allocations_rate) /100;
   2319 		p->sadb_lifetime_bytes
   2320 			= (l_bytes * soft_lifetime_bytes_rate) /100;
   2321 		p->sadb_lifetime_addtime
   2322 			= (l_addtime * soft_lifetime_addtime_rate) /100;
   2323 		p->sadb_lifetime_usetime
   2324 			= (l_usetime * soft_lifetime_usetime_rate) /100;
   2325 		break;
   2326 	case SADB_EXT_LIFETIME_HARD:
   2327 		p->sadb_lifetime_allocations = l_alloc;
   2328 		p->sadb_lifetime_bytes = l_bytes;
   2329 		p->sadb_lifetime_addtime = l_addtime;
   2330 		p->sadb_lifetime_usetime = l_usetime;
   2331 		break;
   2332 	}
   2333 
   2334 	return buf + len;
   2335 }
   2336 
   2337 /*
   2338  * copy secasvar data into sadb_address.
   2339  * `buf' must has been allocated sufficiently.
   2340  */
   2341 static caddr_t
   2342 pfkey_setsadbxsa2(buf, lim, mode0, reqid)
   2343 	caddr_t buf;
   2344 	caddr_t lim;
   2345 	u_int32_t mode0;
   2346 	u_int32_t reqid;
   2347 {
   2348 	struct sadb_x_sa2 *p;
   2349 	u_int8_t mode = mode0 & 0xff;
   2350 	u_int len;
   2351 
   2352 	p = (void *)buf;
   2353 	len = sizeof(struct sadb_x_sa2);
   2354 
   2355 	if (buf + len > lim)
   2356 		return NULL;
   2357 
   2358 	memset(p, 0, len);
   2359 	p->sadb_x_sa2_len = PFKEY_UNIT64(len);
   2360 	p->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
   2361 	p->sadb_x_sa2_mode = mode;
   2362 	p->sadb_x_sa2_reqid = reqid;
   2363 
   2364 	return(buf + len);
   2365 }
   2366 
   2367 #ifdef SADB_X_EXT_NAT_T_TYPE
   2368 static caddr_t
   2369 pfkey_set_natt_type(buf, lim, type, l_natt_type)
   2370 	caddr_t buf;
   2371 	caddr_t lim;
   2372 	u_int type;
   2373 	u_int8_t l_natt_type;
   2374 {
   2375 	struct sadb_x_nat_t_type *p;
   2376 	u_int len;
   2377 
   2378 	p = (void *)buf;
   2379 	len = sizeof(struct sadb_x_nat_t_type);
   2380 
   2381 	if (buf + len > lim)
   2382 		return NULL;
   2383 
   2384 	memset(p, 0, len);
   2385 	p->sadb_x_nat_t_type_len = PFKEY_UNIT64(len);
   2386 	p->sadb_x_nat_t_type_exttype = type;
   2387 	p->sadb_x_nat_t_type_type = l_natt_type;
   2388 
   2389 	return(buf + len);
   2390 }
   2391 
   2392 static caddr_t
   2393 pfkey_set_natt_port(buf, lim, type, l_natt_port)
   2394 	caddr_t buf;
   2395 	caddr_t lim;
   2396 	u_int type;
   2397 	u_int16_t l_natt_port;
   2398 {
   2399 	struct sadb_x_nat_t_port *p;
   2400 	u_int len;
   2401 
   2402 	p = (void *)buf;
   2403 	len = sizeof(struct sadb_x_nat_t_port);
   2404 
   2405 	if (buf + len > lim)
   2406 		return NULL;
   2407 
   2408 	memset(p, 0, len);
   2409 	p->sadb_x_nat_t_port_len = PFKEY_UNIT64(len);
   2410 	p->sadb_x_nat_t_port_exttype = type;
   2411 	p->sadb_x_nat_t_port_port = htons(l_natt_port);
   2412 
   2413 	return(buf + len);
   2414 }
   2415 #endif
   2416 
   2417 #ifdef SADB_X_EXT_NAT_T_FRAG
   2418 static caddr_t
   2419 pfkey_set_natt_frag(buf, lim, type, l_natt_frag)
   2420 	caddr_t buf;
   2421 	caddr_t lim;
   2422 	u_int type;
   2423 	u_int16_t l_natt_frag;
   2424 {
   2425 	struct sadb_x_nat_t_frag *p;
   2426 	u_int len;
   2427 
   2428 	p = (void *)buf;
   2429 	len = sizeof(struct sadb_x_nat_t_frag);
   2430 
   2431 	if (buf + len > lim)
   2432 		return NULL;
   2433 
   2434 	memset(p, 0, len);
   2435 	p->sadb_x_nat_t_frag_len = PFKEY_UNIT64(len);
   2436 	p->sadb_x_nat_t_frag_exttype = type;
   2437 	p->sadb_x_nat_t_frag_fraglen = l_natt_frag;
   2438 
   2439 	return(buf + len);
   2440 }
   2441 #endif
   2442 
   2443 #ifdef SADB_X_EXT_SEC_CTX
   2444 static caddr_t
   2445 pfkey_setsecctx(buf, lim, type, ctx_doi, ctx_alg, sec_ctx, sec_ctxlen)
   2446 	caddr_t buf;
   2447 	caddr_t lim;
   2448 	u_int type;
   2449 	u_int8_t ctx_doi, ctx_alg;
   2450 	caddr_t sec_ctx;
   2451 	u_int16_t sec_ctxlen;
   2452 {
   2453 	struct sadb_x_sec_ctx *p;
   2454 	u_int len;
   2455 
   2456 	p = (struct sadb_x_sec_ctx *)buf;
   2457 	len = sizeof(struct sadb_x_sec_ctx) + PFKEY_ALIGN8(sec_ctxlen);
   2458 
   2459 	if (buf + len > lim)
   2460 		return NULL;
   2461 
   2462 	memset(p, 0, len);
   2463 	p->sadb_x_sec_len = PFKEY_UNIT64(len);
   2464 	p->sadb_x_sec_exttype = type;
   2465 	p->sadb_x_ctx_len = sec_ctxlen;
   2466 	p->sadb_x_ctx_doi = ctx_doi;
   2467 	p->sadb_x_ctx_alg = ctx_alg;
   2468 
   2469 	memcpy(p + 1, sec_ctx, sec_ctxlen);
   2470 
   2471 	return buf + len;
   2472 }
   2473 #endif
   2474 
   2475 /*
   2476  * Deprecated, available for backward compatibility with third party
   2477  * libipsec users. Please use pfkey_send_update2 and pfkey_send_add2 instead
   2478  */
   2479 int
   2480 pfkey_send_update(so, satype, mode, src, dst, spi, reqid, wsize,
   2481 		keymat, e_type, e_keylen, a_type, a_keylen, flags,
   2482 		l_alloc, l_bytes, l_addtime, l_usetime, seq)
   2483 	int so;
   2484 	u_int satype, mode, wsize;
   2485 	struct sockaddr *src, *dst;
   2486 	u_int32_t spi, reqid;
   2487 	caddr_t keymat;
   2488 	u_int e_type, e_keylen, a_type, a_keylen, flags;
   2489 	u_int32_t l_alloc;
   2490 	u_int64_t l_bytes, l_addtime, l_usetime;
   2491 	u_int32_t seq;
   2492 {
   2493 	struct pfkey_send_sa_args psaa;
   2494 
   2495 	memset(&psaa, 0, sizeof(psaa));
   2496 	psaa.so = so;
   2497 	psaa.type = SADB_UPDATE;
   2498 	psaa.satype = satype;
   2499 	psaa.mode = mode;
   2500 	psaa.wsize = wsize;
   2501 	psaa.src = src;
   2502 	psaa.dst = dst;
   2503 	psaa.spi = spi;
   2504 	psaa.reqid = reqid;
   2505 	psaa.keymat = keymat;
   2506 	psaa.e_type = e_type;
   2507 	psaa.e_keylen = e_keylen;
   2508 	psaa.a_type = a_type;
   2509 	psaa.a_keylen = a_keylen;
   2510 	psaa.flags = flags;
   2511 	psaa.l_alloc = l_alloc;
   2512 	psaa.l_bytes = l_bytes;
   2513 	psaa.l_addtime = l_addtime;
   2514 	psaa.l_usetime = l_usetime;
   2515 	psaa.seq = seq;
   2516 
   2517 	return pfkey_send_update2(&psaa);
   2518 }
   2519 
   2520 int
   2521 pfkey_send_update_nat(so, satype, mode, src, dst, spi, reqid, wsize,
   2522 		      keymat, e_type, e_keylen, a_type, a_keylen, flags,
   2523 		      l_alloc, l_bytes, l_addtime, l_usetime, seq,
   2524 		      l_natt_type, l_natt_sport, l_natt_dport, l_natt_oa,
   2525 		      l_natt_frag)
   2526 	int so;
   2527 	u_int satype, mode, wsize;
   2528 	struct sockaddr *src, *dst;
   2529 	u_int32_t spi, reqid;
   2530 	caddr_t keymat;
   2531 	u_int e_type, e_keylen, a_type, a_keylen, flags;
   2532 	u_int32_t l_alloc;
   2533 	u_int64_t l_bytes, l_addtime, l_usetime;
   2534 	u_int32_t seq;
   2535 	u_int8_t l_natt_type;
   2536 	u_int16_t l_natt_sport, l_natt_dport;
   2537 	struct sockaddr *l_natt_oa;
   2538 	u_int16_t l_natt_frag;
   2539 {
   2540 	struct pfkey_send_sa_args psaa;
   2541 
   2542 	memset(&psaa, 0, sizeof(psaa));
   2543 	psaa.so = so;
   2544 	psaa.type = SADB_UPDATE;
   2545 	psaa.satype = satype;
   2546 	psaa.mode = mode;
   2547 	psaa.wsize = wsize;
   2548 	psaa.src = src;
   2549 	psaa.dst = dst;
   2550 	psaa.spi = spi;
   2551 	psaa.reqid = reqid;
   2552 	psaa.keymat = keymat;
   2553 	psaa.e_type = e_type;
   2554 	psaa.e_keylen = e_keylen;
   2555 	psaa.a_type = a_type;
   2556 	psaa.a_keylen = a_keylen;
   2557 	psaa.flags = flags;
   2558 	psaa.l_alloc = l_alloc;
   2559 	psaa.l_bytes = l_bytes;
   2560 	psaa.l_addtime = l_addtime;
   2561 	psaa.l_usetime = l_usetime;
   2562 	psaa.seq = seq;
   2563 	psaa.l_natt_type = l_natt_type;
   2564 	psaa.l_natt_sport = l_natt_sport;
   2565 	psaa.l_natt_dport = l_natt_dport;
   2566 	psaa.l_natt_oa = l_natt_oa;
   2567 	psaa.l_natt_frag = l_natt_frag;
   2568 
   2569 	return pfkey_send_update2(&psaa);
   2570 }
   2571 
   2572 int
   2573 pfkey_send_add(so, satype, mode, src, dst, spi, reqid, wsize,
   2574 		keymat, e_type, e_keylen, a_type, a_keylen, flags,
   2575 		l_alloc, l_bytes, l_addtime, l_usetime, seq)
   2576 	int so;
   2577 	u_int satype, mode, wsize;
   2578 	struct sockaddr *src, *dst;
   2579 	u_int32_t spi, reqid;
   2580 	caddr_t keymat;
   2581 	u_int e_type, e_keylen, a_type, a_keylen, flags;
   2582 	u_int32_t l_alloc;
   2583 	u_int64_t l_bytes, l_addtime, l_usetime;
   2584 	u_int32_t seq;
   2585 {
   2586 	struct pfkey_send_sa_args psaa;
   2587 
   2588 	memset(&psaa, 0, sizeof(psaa));
   2589 	psaa.so = so;
   2590 	psaa.type = SADB_ADD;
   2591 	psaa.satype = satype;
   2592 	psaa.mode = mode;
   2593 	psaa.wsize = wsize;
   2594 	psaa.src = src;
   2595 	psaa.dst = dst;
   2596 	psaa.spi = spi;
   2597 	psaa.reqid = reqid;
   2598 	psaa.keymat = keymat;
   2599 	psaa.e_type = e_type;
   2600 	psaa.e_keylen = e_keylen;
   2601 	psaa.a_type = a_type;
   2602 	psaa.a_keylen = a_keylen;
   2603 	psaa.flags = flags;
   2604 	psaa.l_alloc = l_alloc;
   2605 	psaa.l_bytes = l_bytes;
   2606 	psaa.l_addtime = l_addtime;
   2607 	psaa.l_usetime = l_usetime;
   2608 	psaa.seq = seq;
   2609 
   2610 	return pfkey_send_add2(&psaa);
   2611 }
   2612 
   2613 int
   2614 pfkey_send_add_nat(so, satype, mode, src, dst, spi, reqid, wsize,
   2615 		      keymat, e_type, e_keylen, a_type, a_keylen, flags,
   2616 		      l_alloc, l_bytes, l_addtime, l_usetime, seq,
   2617 		      l_natt_type, l_natt_sport, l_natt_dport, l_natt_oa,
   2618 		      l_natt_frag)
   2619 	int so;
   2620 	u_int satype, mode, wsize;
   2621 	struct sockaddr *src, *dst;
   2622 	u_int32_t spi, reqid;
   2623 	caddr_t keymat;
   2624 	u_int e_type, e_keylen, a_type, a_keylen, flags;
   2625 	u_int32_t l_alloc;
   2626 	u_int64_t l_bytes, l_addtime, l_usetime;
   2627 	u_int32_t seq;
   2628 	u_int8_t l_natt_type;
   2629 	u_int16_t l_natt_sport, l_natt_dport;
   2630 	struct sockaddr *l_natt_oa;
   2631 	u_int16_t l_natt_frag;
   2632 {
   2633 	struct pfkey_send_sa_args psaa;
   2634 
   2635 	memset(&psaa, 0, sizeof(psaa));
   2636 	psaa.so = so;
   2637 	psaa.type = SADB_ADD;
   2638 	psaa.satype = satype;
   2639 	psaa.mode = mode;
   2640 	psaa.wsize = wsize;
   2641 	psaa.src = src;
   2642 	psaa.dst = dst;
   2643 	psaa.spi = spi;
   2644 	psaa.reqid = reqid;
   2645 	psaa.keymat = keymat;
   2646 	psaa.e_type = e_type;
   2647 	psaa.e_keylen = e_keylen;
   2648 	psaa.a_type = a_type;
   2649 	psaa.a_keylen = a_keylen;
   2650 	psaa.flags = flags;
   2651 	psaa.l_alloc = l_alloc;
   2652 	psaa.l_bytes = l_bytes;
   2653 	psaa.l_addtime = l_addtime;
   2654 	psaa.l_usetime = l_usetime;
   2655 	psaa.seq = seq;
   2656 	psaa.l_natt_type = l_natt_type;
   2657 	psaa.l_natt_sport = l_natt_sport;
   2658 	psaa.l_natt_dport = l_natt_dport;
   2659 	psaa.l_natt_oa = l_natt_oa;
   2660 	psaa.l_natt_frag = l_natt_frag;
   2661 
   2662 	return pfkey_send_add2(&psaa);
   2663 }
   2664