GCC Code Coverage Report
Directory: ./ Exec Total Coverage
File: sbin/iked/pfkey.c Lines: 0 942 0.0 %
Date: 2016-12-06 Branches: 0 411 0.0 %

Line Branch Exec Source
1
/*	$OpenBSD: pfkey.c,v 1.51 2016/03/07 19:33:26 mmcc Exp $	*/
2
3
/*
4
 * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org>
5
 * Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
6
 * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
7
 * Copyright (c) 2003, 2004 Markus Friedl <markus@openbsd.org>
8
 *
9
 * Permission to use, copy, modify, and distribute this software for any
10
 * purpose with or without fee is hereby granted, provided that the above
11
 * copyright notice and this permission notice appear in all copies.
12
 *
13
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
14
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
15
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
16
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
17
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
18
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
19
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
20
 */
21
22
#include <sys/queue.h>
23
#include <sys/uio.h>
24
#include <sys/socket.h>
25
26
#include <netinet/in.h>
27
#include <netinet/ip_ipsp.h>
28
#include <net/pfkeyv2.h>
29
30
#include <err.h>
31
#include <errno.h>
32
#include <stdio.h>
33
#include <poll.h>
34
#include <string.h>
35
#include <stdlib.h>
36
#include <unistd.h>
37
#include <event.h>
38
39
#include "iked.h"
40
#include "ikev2.h"
41
42
#define ROUNDUP(x) (((x) + (PFKEYV2_CHUNK - 1)) & ~(PFKEYV2_CHUNK - 1))
43
#define IOV_CNT 20
44
45
#define PFKEYV2_CHUNK sizeof(uint64_t)
46
#define PFKEY_REPLY_TIMEOUT 1000
47
48
static uint32_t sadb_msg_seq = 0;
49
static unsigned int sadb_decoupled = 0;
50
static unsigned int sadb_ipv6refcnt = 0;
51
52
static int pfkey_blockipv6 = 0;
53
static struct event pfkey_timer_ev;
54
static struct timeval pfkey_timer_tv;
55
56
struct pfkey_message {
57
	SIMPLEQ_ENTRY(pfkey_message)
58
			 pm_entry;
59
	uint8_t		*pm_data;
60
	ssize_t		 pm_length;
61
};
62
SIMPLEQ_HEAD(, pfkey_message) pfkey_retry, pfkey_postponed =
63
    SIMPLEQ_HEAD_INITIALIZER(pfkey_postponed);
64
65
struct pfkey_constmap {
66
	uint8_t		 pfkey_id;
67
	unsigned int	 pfkey_ikeid;
68
	unsigned int	 pfkey_fixedkey;
69
};
70
71
static const struct pfkey_constmap pfkey_encr[] = {
72
	{ SADB_EALG_3DESCBC,	IKEV2_XFORMENCR_3DES },
73
	{ SADB_X_EALG_CAST,	IKEV2_XFORMENCR_CAST },
74
	{ SADB_X_EALG_BLF,	IKEV2_XFORMENCR_BLOWFISH },
75
	{ SADB_EALG_NULL,	IKEV2_XFORMENCR_NULL },
76
	{ SADB_X_EALG_AES,	IKEV2_XFORMENCR_AES_CBC },
77
	{ SADB_X_EALG_AESCTR,	IKEV2_XFORMENCR_AES_CTR },
78
	{ SADB_X_EALG_AESGCM16,	IKEV2_XFORMENCR_AES_GCM_16 },
79
	{ SADB_X_EALG_AESGMAC,	IKEV2_XFORMENCR_NULL_AES_GMAC },
80
	{ SADB_X_EALG_CHACHA20POLY1305, IKEV2_XFORMENCR_CHACHA20_POLY1305 },
81
	{ 0 }
82
};
83
84
static const struct pfkey_constmap pfkey_integr[] = {
85
	{ SADB_AALG_MD5HMAC,	IKEV2_XFORMAUTH_HMAC_MD5_96 },
86
	{ SADB_AALG_SHA1HMAC,	IKEV2_XFORMAUTH_HMAC_SHA1_96 },
87
	{ SADB_X_AALG_SHA2_256,	IKEV2_XFORMAUTH_HMAC_SHA2_256_128 },
88
	{ SADB_X_AALG_SHA2_384,	IKEV2_XFORMAUTH_HMAC_SHA2_384_192 },
89
	{ SADB_X_AALG_SHA2_512,	IKEV2_XFORMAUTH_HMAC_SHA2_512_256 },
90
	{ 0 }
91
};
92
93
static const struct pfkey_constmap pfkey_satype[] = {
94
	{ SADB_SATYPE_AH,	IKEV2_SAPROTO_AH },
95
	{ SADB_SATYPE_ESP,	IKEV2_SAPROTO_ESP },
96
	{ SADB_X_SATYPE_IPCOMP,	IKEV2_SAPROTO_IPCOMP },
97
	{ 0 }
98
};
99
100
int	pfkey_map(const struct pfkey_constmap *, uint16_t, uint8_t *);
101
int	pfkey_flow(int, uint8_t, uint8_t, struct iked_flow *);
102
int	pfkey_sa(int, uint8_t, uint8_t, struct iked_childsa *);
103
int	pfkey_sa_getspi(int, uint8_t, struct iked_childsa *, uint32_t *);
104
int	pfkey_sagroup(int, uint8_t, uint8_t,
105
	    struct iked_childsa *, struct iked_childsa *);
106
int	pfkey_write(int, struct sadb_msg *, struct iovec *, int,
107
	    uint8_t **, ssize_t *);
108
int	pfkey_reply(int, uint8_t **, ssize_t *);
109
void	pfkey_dispatch(int, short, void *);
110
111
struct sadb_ident *
112
	pfkey_id2ident(struct iked_id *, unsigned int);
113
void	*pfkey_find_ext(uint8_t *, ssize_t, int);
114
115
void	pfkey_timer_cb(int, short, void *);
116
int	pfkey_process(struct iked *, struct pfkey_message *);
117
118
int
119
pfkey_couple(int sd, struct iked_sas *sas, int couple)
120
{
121
	struct iked_sa		*sa;
122
	struct iked_flow	*flow;
123
	struct iked_childsa	*csa;
124
	const char		*mode[] = { "coupled", "decoupled" };
125
126
	/* Socket is not ready */
127
	if (sd == -1)
128
		return (-1);
129
130
	if (sadb_decoupled == !couple)
131
		return (0);
132
133
	log_debug("%s: kernel %s -> %s", __func__,
134
	    mode[sadb_decoupled], mode[!sadb_decoupled]);
135
136
	/* Allow writes to the PF_KEY socket */
137
	sadb_decoupled = 0;
138
139
	RB_FOREACH(sa, iked_sas, sas) {
140
		TAILQ_FOREACH(csa, &sa->sa_childsas, csa_entry) {
141
			if (!csa->csa_loaded && couple)
142
				(void)pfkey_sa_add(sd, csa, NULL);
143
			else if (csa->csa_loaded && !couple)
144
				(void)pfkey_sa_delete(sd, csa);
145
		}
146
		TAILQ_FOREACH(flow, &sa->sa_flows, flow_entry) {
147
			if (!flow->flow_loaded && couple)
148
				(void)pfkey_flow_add(sd, flow);
149
			else if (flow->flow_loaded && !couple)
150
				(void)pfkey_flow_delete(sd, flow);
151
		}
152
	}
153
154
	sadb_decoupled = !couple;
155
156
	return (0);
157
}
158
159
int
160
pfkey_map(const struct pfkey_constmap *map, uint16_t alg, uint8_t *pfkalg)
161
{
162
	int	 i;
163
164
	for (i = 0; map[i].pfkey_id != 0; i++)
165
		if (map[i].pfkey_ikeid == alg) {
166
			*pfkalg = map[i].pfkey_id;
167
			return (0);
168
		}
169
	return (-1);
170
}
171
172
int
173
pfkey_flow(int sd, uint8_t satype, uint8_t action, struct iked_flow *flow)
174
{
175
	struct sadb_msg		 smsg;
176
	struct sadb_address	 sa_src, sa_dst, sa_local, sa_peer, sa_smask,
177
				 sa_dmask;
178
	struct sadb_protocol	 sa_flowtype, sa_protocol;
179
	struct sadb_ident	*sa_srcid, *sa_dstid;
180
	struct sockaddr_storage	 ssrc, sdst, slocal, speer, smask, dmask;
181
	struct iovec		 iov[IOV_CNT];
182
	int			 iov_cnt, ret = -1;
183
184
	sa_srcid = sa_dstid = NULL;
185
186
	bzero(&ssrc, sizeof(ssrc));
187
	bzero(&smask, sizeof(smask));
188
	memcpy(&ssrc, &flow->flow_src.addr, sizeof(ssrc));
189
	memcpy(&smask, &flow->flow_src.addr, sizeof(smask));
190
	socket_af((struct sockaddr *)&ssrc, flow->flow_src.addr_port);
191
	socket_af((struct sockaddr *)&smask, flow->flow_src.addr_port ?
192
	    0xffff : 0);
193
194
	switch (flow->flow_src.addr_af) {
195
	case AF_INET:
196
		((struct sockaddr_in *)&smask)->sin_addr.s_addr =
197
		    prefixlen2mask(flow->flow_src.addr_net ?
198
		    flow->flow_src.addr_mask : 32);
199
		break;
200
	case AF_INET6:
201
		prefixlen2mask6(flow->flow_src.addr_net ?
202
		    flow->flow_src.addr_mask : 128,
203
		    (uint32_t *)((struct sockaddr_in6 *)
204
		    &smask)->sin6_addr.s6_addr);
205
		break;
206
	default:
207
		log_warnx("%s: unsupported address family %d",
208
		    __func__, flow->flow_src.addr_af);
209
		return (-1);
210
	}
211
	smask.ss_len = ssrc.ss_len;
212
213
	bzero(&sdst, sizeof(sdst));
214
	bzero(&dmask, sizeof(dmask));
215
	memcpy(&sdst, &flow->flow_dst.addr, sizeof(sdst));
216
	memcpy(&dmask, &flow->flow_dst.addr, sizeof(dmask));
217
	socket_af((struct sockaddr *)&sdst, flow->flow_dst.addr_port);
218
	socket_af((struct sockaddr *)&dmask, flow->flow_dst.addr_port ?
219
	    0xffff : 0);
220
221
	switch (flow->flow_dst.addr_af) {
222
	case AF_INET:
223
		((struct sockaddr_in *)&dmask)->sin_addr.s_addr =
224
		    prefixlen2mask(flow->flow_dst.addr_net ?
225
		    flow->flow_dst.addr_mask : 32);
226
		break;
227
	case AF_INET6:
228
		prefixlen2mask6(flow->flow_dst.addr_net ?
229
		    flow->flow_dst.addr_mask : 128,
230
		    (uint32_t *)((struct sockaddr_in6 *)
231
		    &dmask)->sin6_addr.s6_addr);
232
		break;
233
	default:
234
		log_warnx("%s: unsupported address family %d",
235
		    __func__, flow->flow_dst.addr_af);
236
		return (-1);
237
	}
238
	dmask.ss_len = sdst.ss_len;
239
240
	bzero(&slocal, sizeof(slocal));
241
	bzero(&speer, sizeof(speer));
242
	if (action != SADB_X_DELFLOW && flow->flow_local != NULL) {
243
		memcpy(&slocal, &flow->flow_local->addr, sizeof(slocal));
244
		socket_af((struct sockaddr *)&slocal, 0);
245
246
		memcpy(&speer, &flow->flow_peer->addr, sizeof(speer));
247
		socket_af((struct sockaddr *)&speer, 0);
248
	}
249
250
	bzero(&smsg, sizeof(smsg));
251
	smsg.sadb_msg_version = PF_KEY_V2;
252
	smsg.sadb_msg_seq = ++sadb_msg_seq;
253
	smsg.sadb_msg_pid = getpid();
254
	smsg.sadb_msg_len = sizeof(smsg) / 8;
255
	smsg.sadb_msg_type = action;
256
	smsg.sadb_msg_satype = satype;
257
258
	bzero(&sa_flowtype, sizeof(sa_flowtype));
259
	sa_flowtype.sadb_protocol_exttype = SADB_X_EXT_FLOW_TYPE;
260
	sa_flowtype.sadb_protocol_len = sizeof(sa_flowtype) / 8;
261
	sa_flowtype.sadb_protocol_direction = flow->flow_dir;
262
	sa_flowtype.sadb_protocol_proto =
263
	    flow->flow_type ? flow->flow_type :
264
	    (flow->flow_dir == IPSP_DIRECTION_IN ?
265
	    SADB_X_FLOW_TYPE_USE : SADB_X_FLOW_TYPE_REQUIRE);
266
267
	bzero(&sa_protocol, sizeof(sa_protocol));
268
	sa_protocol.sadb_protocol_exttype = SADB_X_EXT_PROTOCOL;
269
	sa_protocol.sadb_protocol_len = sizeof(sa_protocol) / 8;
270
	sa_protocol.sadb_protocol_direction = 0;
271
	sa_protocol.sadb_protocol_proto = flow->flow_ipproto;
272
273
	bzero(&sa_src, sizeof(sa_src));
274
	sa_src.sadb_address_exttype = SADB_X_EXT_SRC_FLOW;
275
	sa_src.sadb_address_len = (sizeof(sa_src) + ROUNDUP(ssrc.ss_len)) / 8;
276
277
	bzero(&sa_smask, sizeof(sa_smask));
278
	sa_smask.sadb_address_exttype = SADB_X_EXT_SRC_MASK;
279
	sa_smask.sadb_address_len =
280
	    (sizeof(sa_smask) + ROUNDUP(smask.ss_len)) / 8;
281
282
	bzero(&sa_dst, sizeof(sa_dst));
283
	sa_dst.sadb_address_exttype = SADB_X_EXT_DST_FLOW;
284
	sa_dst.sadb_address_len = (sizeof(sa_dst) + ROUNDUP(sdst.ss_len)) / 8;
285
286
	bzero(&sa_dmask, sizeof(sa_dmask));
287
	sa_dmask.sadb_address_exttype = SADB_X_EXT_DST_MASK;
288
	sa_dmask.sadb_address_len =
289
	    (sizeof(sa_dmask) + ROUNDUP(dmask.ss_len)) / 8;
290
291
	if (action != SADB_X_DELFLOW && flow->flow_local != NULL) {
292
		/* local address */
293
		bzero(&sa_local, sizeof(sa_local));
294
		sa_local.sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
295
		sa_local.sadb_address_len =
296
		    (sizeof(sa_local) + ROUNDUP(slocal.ss_len)) / 8;
297
298
		/* peer address */
299
		bzero(&sa_peer, sizeof(sa_peer));
300
		sa_peer.sadb_address_exttype = SADB_EXT_ADDRESS_DST;
301
		sa_peer.sadb_address_len =
302
		    (sizeof(sa_peer) + ROUNDUP(speer.ss_len)) / 8;
303
304
		/* local id */
305
		sa_srcid = pfkey_id2ident(IKESA_SRCID(flow->flow_ikesa),
306
		    SADB_EXT_IDENTITY_SRC);
307
308
		/* peer id */
309
		sa_dstid = pfkey_id2ident(IKESA_DSTID(flow->flow_ikesa),
310
		    SADB_EXT_IDENTITY_DST);
311
	}
312
313
	iov_cnt = 0;
314
315
	/* header */
316
	iov[iov_cnt].iov_base = &smsg;
317
	iov[iov_cnt].iov_len = sizeof(smsg);
318
	iov_cnt++;
319
320
	/* add flow type */
321
	iov[iov_cnt].iov_base = &sa_flowtype;
322
	iov[iov_cnt].iov_len = sizeof(sa_flowtype);
323
	smsg.sadb_msg_len += sa_flowtype.sadb_protocol_len;
324
	iov_cnt++;
325
326
	if (action != SADB_X_DELFLOW && flow->flow_local != NULL) {
327
#if 0
328
		/* local ip */
329
		iov[iov_cnt].iov_base = &sa_local;
330
		iov[iov_cnt].iov_len = sizeof(sa_local);
331
		iov_cnt++;
332
		iov[iov_cnt].iov_base = &slocal;
333
		iov[iov_cnt].iov_len = ROUNDUP(slocal.ss_len);
334
		smsg.sadb_msg_len += sa_local.sadb_address_len;
335
		iov_cnt++;
336
#endif
337
338
		/* remote peer */
339
		iov[iov_cnt].iov_base = &sa_peer;
340
		iov[iov_cnt].iov_len = sizeof(sa_peer);
341
		iov_cnt++;
342
		iov[iov_cnt].iov_base = &speer;
343
		iov[iov_cnt].iov_len = ROUNDUP(speer.ss_len);
344
		smsg.sadb_msg_len += sa_peer.sadb_address_len;
345
		iov_cnt++;
346
	}
347
348
	/* src addr */
349
	iov[iov_cnt].iov_base = &sa_src;
350
	iov[iov_cnt].iov_len = sizeof(sa_src);
351
	iov_cnt++;
352
	iov[iov_cnt].iov_base = &ssrc;
353
	iov[iov_cnt].iov_len = ROUNDUP(ssrc.ss_len);
354
	smsg.sadb_msg_len += sa_src.sadb_address_len;
355
	iov_cnt++;
356
357
	/* src mask */
358
	iov[iov_cnt].iov_base = &sa_smask;
359
	iov[iov_cnt].iov_len = sizeof(sa_smask);
360
	iov_cnt++;
361
	iov[iov_cnt].iov_base = &smask;
362
	iov[iov_cnt].iov_len = ROUNDUP(smask.ss_len);
363
	smsg.sadb_msg_len += sa_smask.sadb_address_len;
364
	iov_cnt++;
365
366
	/* dest addr */
367
	iov[iov_cnt].iov_base = &sa_dst;
368
	iov[iov_cnt].iov_len = sizeof(sa_dst);
369
	iov_cnt++;
370
	iov[iov_cnt].iov_base = &sdst;
371
	iov[iov_cnt].iov_len = ROUNDUP(sdst.ss_len);
372
	smsg.sadb_msg_len += sa_dst.sadb_address_len;
373
	iov_cnt++;
374
375
	/* dst mask */
376
	iov[iov_cnt].iov_base = &sa_dmask;
377
	iov[iov_cnt].iov_len = sizeof(sa_dmask);
378
	iov_cnt++;
379
	iov[iov_cnt].iov_base = &dmask;
380
	iov[iov_cnt].iov_len = ROUNDUP(dmask.ss_len);
381
	smsg.sadb_msg_len += sa_dmask.sadb_address_len;
382
	iov_cnt++;
383
384
	/* add protocol */
385
	iov[iov_cnt].iov_base = &sa_protocol;
386
	iov[iov_cnt].iov_len = sizeof(sa_protocol);
387
	smsg.sadb_msg_len += sa_protocol.sadb_protocol_len;
388
	iov_cnt++;
389
390
	if (sa_srcid) {
391
		/* src identity */
392
		iov[iov_cnt].iov_base = sa_srcid;
393
		iov[iov_cnt].iov_len = sa_srcid->sadb_ident_len * 8;
394
		smsg.sadb_msg_len += sa_srcid->sadb_ident_len;
395
		iov_cnt++;
396
	}
397
	if (sa_dstid) {
398
		/* dst identity */
399
		iov[iov_cnt].iov_base = sa_dstid;
400
		iov[iov_cnt].iov_len = sa_dstid->sadb_ident_len * 8;
401
		smsg.sadb_msg_len += sa_dstid->sadb_ident_len;
402
		iov_cnt++;
403
	}
404
405
	ret = pfkey_write(sd, &smsg, iov, iov_cnt, NULL, NULL);
406
407
	free(sa_srcid);
408
	free(sa_dstid);
409
410
	return (ret);
411
}
412
413
int
414
pfkey_sa(int sd, uint8_t satype, uint8_t action, struct iked_childsa *sa)
415
{
416
	struct sadb_msg		 smsg;
417
	struct sadb_sa		 sadb;
418
	struct sadb_address	 sa_src, sa_dst;
419
	struct sadb_key		 sa_authkey, sa_enckey;
420
	struct sadb_lifetime	 sa_ltime_hard, sa_ltime_soft;
421
	struct sadb_x_udpencap	 udpencap;
422
	struct sadb_x_tag	 sa_tag;
423
	char			*tag = NULL;
424
	struct sadb_x_tap	 sa_tap;
425
	struct sockaddr_storage	 ssrc, sdst;
426
	struct sadb_ident	*sa_srcid, *sa_dstid;
427
	struct iked_lifetime	*lt;
428
	struct iked_policy	*pol;
429
	struct iovec		 iov[IOV_CNT];
430
	uint32_t		 jitter;
431
	int			 iov_cnt;
432
433
	sa_srcid = sa_dstid = NULL;
434
435
	if (sa->csa_ikesa == NULL || sa->csa_ikesa->sa_policy == NULL) {
436
		log_warn("%s: invalid SA and policy", __func__);
437
		return (-1);
438
	}
439
	pol = sa->csa_ikesa->sa_policy;
440
	lt = &pol->pol_lifetime;
441
442
	bzero(&ssrc, sizeof(ssrc));
443
	memcpy(&ssrc, &sa->csa_local->addr, sizeof(ssrc));
444
	if (socket_af((struct sockaddr *)&ssrc, 0) == -1) {
445
		log_warn("%s: invalid address", __func__);
446
		return (-1);
447
	}
448
449
	bzero(&sdst, sizeof(sdst));
450
	memcpy(&sdst, &sa->csa_peer->addr, sizeof(sdst));
451
	if (socket_af((struct sockaddr *)&sdst, 0) == -1) {
452
		log_warn("%s: invalid address", __func__);
453
		return (-1);
454
	}
455
456
	bzero(&smsg, sizeof(smsg));
457
	smsg.sadb_msg_version = PF_KEY_V2;
458
	smsg.sadb_msg_seq = ++sadb_msg_seq;
459
	smsg.sadb_msg_pid = getpid();
460
	smsg.sadb_msg_len = sizeof(smsg) / 8;
461
	smsg.sadb_msg_type = action;
462
	smsg.sadb_msg_satype = satype;
463
464
	bzero(&sadb, sizeof(sadb));
465
	sadb.sadb_sa_len = sizeof(sadb) / 8;
466
	sadb.sadb_sa_exttype = SADB_EXT_SA;
467
	sadb.sadb_sa_spi = htonl(sa->csa_spi.spi);
468
	sadb.sadb_sa_state = SADB_SASTATE_MATURE;
469
	sadb.sadb_sa_replay = 64;
470
471
	if (!sa->csa_transport)
472
		sadb.sadb_sa_flags |= SADB_X_SAFLAGS_TUNNEL;
473
474
	if (sa->csa_esn)
475
		sadb.sadb_sa_flags |= SADB_X_SAFLAGS_ESN;
476
477
	bzero(&sa_src, sizeof(sa_src));
478
	sa_src.sadb_address_len = (sizeof(sa_src) + ROUNDUP(ssrc.ss_len)) / 8;
479
	sa_src.sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
480
481
	bzero(&sa_dst, sizeof(sa_dst));
482
	sa_dst.sadb_address_len = (sizeof(sa_dst) + ROUNDUP(sdst.ss_len)) / 8;
483
	sa_dst.sadb_address_exttype = SADB_EXT_ADDRESS_DST;
484
485
	bzero(&sa_authkey, sizeof(sa_authkey));
486
	bzero(&sa_enckey, sizeof(sa_enckey));
487
	bzero(&udpencap, sizeof udpencap);
488
	bzero(&sa_ltime_hard, sizeof(sa_ltime_hard));
489
	bzero(&sa_ltime_soft, sizeof(sa_ltime_soft));
490
491
	if (action == SADB_DELETE)
492
		goto send;
493
494
	if ((action == SADB_ADD || action == SADB_UPDATE) &&
495
	    !sa->csa_persistent && (lt->lt_bytes || lt->lt_seconds)) {
496
		sa_ltime_hard.sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
497
		sa_ltime_hard.sadb_lifetime_len = sizeof(sa_ltime_hard) / 8;
498
		sa_ltime_hard.sadb_lifetime_bytes = lt->lt_bytes;
499
		sa_ltime_hard.sadb_lifetime_addtime = lt->lt_seconds;
500
501
		/* double the lifetime for IP compression */
502
		if (satype == SADB_X_SATYPE_IPCOMP)
503
			sa_ltime_hard.sadb_lifetime_addtime *= 2;
504
505
		sa_ltime_soft.sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT;
506
		sa_ltime_soft.sadb_lifetime_len = sizeof(sa_ltime_soft) / 8;
507
		/* set randomly to 85-95% */
508
		jitter = 850 + arc4random_uniform(100);
509
		sa_ltime_soft.sadb_lifetime_bytes =
510
		    (sa_ltime_hard.sadb_lifetime_bytes * jitter) / 1000;
511
		sa_ltime_soft.sadb_lifetime_addtime =
512
		    (sa_ltime_hard.sadb_lifetime_addtime * jitter) / 1000;
513
	}
514
515
	/* XXX handle NULL encryption or NULL auth or combined encr/auth */
516
	if (action == SADB_ADD &&
517
	    !ibuf_length(sa->csa_integrkey) && !ibuf_length(sa->csa_encrkey) &&
518
	    satype != SADB_X_SATYPE_IPCOMP && satype != SADB_X_SATYPE_IPIP) {
519
		log_warnx("%s: no key specified", __func__);
520
		return (-1);
521
	}
522
523
	if (satype == SADB_SATYPE_ESP &&
524
	    sa->csa_ikesa->sa_udpencap && sa->csa_ikesa->sa_natt) {
525
		sadb.sadb_sa_flags |= SADB_X_SAFLAGS_UDPENCAP;
526
		udpencap.sadb_x_udpencap_exttype = SADB_X_EXT_UDPENCAP;
527
		udpencap.sadb_x_udpencap_len = sizeof(udpencap) / 8;
528
		udpencap.sadb_x_udpencap_port =
529
		    sa->csa_ikesa->sa_peer.addr_port;
530
531
		log_debug("%s: udpencap port %d", __func__,
532
		    ntohs(udpencap.sadb_x_udpencap_port));
533
	}
534
535
	if (sa->csa_integrid)
536
		if (pfkey_map(pfkey_integr,
537
		    sa->csa_integrid, &sadb.sadb_sa_auth) == -1) {
538
			log_warnx("%s: unsupported integrity algorithm %s",
539
			    __func__, print_map(sa->csa_integrid,
540
			    ikev2_xformauth_map));
541
			return (-1);
542
		}
543
544
	if (sa->csa_encrid)
545
		if (pfkey_map(pfkey_encr,
546
		    sa->csa_encrid, &sadb.sadb_sa_encrypt) == -1) {
547
			log_warnx("%s: unsupported encryption algorithm %s",
548
			    __func__, print_map(sa->csa_encrid,
549
			    ikev2_xformencr_map));
550
			return (-1);
551
		}
552
553
	if (ibuf_length(sa->csa_integrkey)) {
554
		sa_authkey.sadb_key_len = (sizeof(sa_authkey) +
555
		    ((ibuf_size(sa->csa_integrkey) + 7) / 8) * 8) / 8;
556
		sa_authkey.sadb_key_exttype = SADB_EXT_KEY_AUTH;
557
		sa_authkey.sadb_key_bits =
558
		    8 * ibuf_size(sa->csa_integrkey);
559
	}
560
561
	if (ibuf_length(sa->csa_encrkey)) {
562
		sa_enckey.sadb_key_len = (sizeof(sa_enckey) +
563
		    ((ibuf_size(sa->csa_encrkey) + 7) / 8) * 8) / 8;
564
		sa_enckey.sadb_key_exttype = SADB_EXT_KEY_ENCRYPT;
565
		sa_enckey.sadb_key_bits =
566
		    8 * ibuf_size(sa->csa_encrkey);
567
	}
568
569
	/* we only support deflate */
570
	if (satype == SADB_X_SATYPE_IPCOMP)
571
		sadb.sadb_sa_encrypt = SADB_X_CALG_DEFLATE;
572
573
	/* Note that we need to swap the IDs for incoming SAs (SADB_UPDATE) */
574
	if (action != SADB_UPDATE) {
575
		sa_srcid = pfkey_id2ident(
576
		    IKESA_SRCID(sa->csa_ikesa), SADB_EXT_IDENTITY_SRC);
577
		sa_dstid = pfkey_id2ident(
578
		    IKESA_DSTID(sa->csa_ikesa), SADB_EXT_IDENTITY_DST);
579
	} else {
580
		sa_srcid = pfkey_id2ident(
581
		    IKESA_DSTID(sa->csa_ikesa), SADB_EXT_IDENTITY_SRC);
582
		sa_dstid = pfkey_id2ident(
583
		    IKESA_SRCID(sa->csa_ikesa), SADB_EXT_IDENTITY_DST);
584
	}
585
586
	tag = sa->csa_ikesa->sa_tag;
587
	if (tag != NULL && *tag != '\0') {
588
		bzero(&sa_tag, sizeof(sa_tag));
589
		sa_tag.sadb_x_tag_exttype = SADB_X_EXT_TAG;
590
		sa_tag.sadb_x_tag_len =
591
		    (ROUNDUP(strlen(tag) + 1) + sizeof(sa_tag)) / 8;
592
		sa_tag.sadb_x_tag_taglen = strlen(tag) + 1;
593
	} else
594
		tag = NULL;
595
596
	if (pol->pol_tap != 0) {
597
		bzero(&sa_tap, sizeof(sa_tap));
598
		sa_tap.sadb_x_tap_exttype = SADB_X_EXT_TAP;
599
		sa_tap.sadb_x_tap_len = sizeof(sa_tap) / 8;
600
		sa_tap.sadb_x_tap_unit = pol->pol_tap;
601
	}
602
603
 send:
604
	iov_cnt = 0;
605
606
	/* header */
607
	iov[iov_cnt].iov_base = &smsg;
608
	iov[iov_cnt].iov_len = sizeof(smsg);
609
	iov_cnt++;
610
611
	/* sa */
612
	iov[iov_cnt].iov_base = &sadb;
613
	iov[iov_cnt].iov_len = sizeof(sadb);
614
	smsg.sadb_msg_len += sadb.sadb_sa_len;
615
	iov_cnt++;
616
617
	/* src addr */
618
	iov[iov_cnt].iov_base = &sa_src;
619
	iov[iov_cnt].iov_len = sizeof(sa_src);
620
	iov_cnt++;
621
	iov[iov_cnt].iov_base = &ssrc;
622
	iov[iov_cnt].iov_len = ROUNDUP(ssrc.ss_len);
623
	smsg.sadb_msg_len += sa_src.sadb_address_len;
624
	iov_cnt++;
625
626
	/* dst addr */
627
	iov[iov_cnt].iov_base = &sa_dst;
628
	iov[iov_cnt].iov_len = sizeof(sa_dst);
629
	iov_cnt++;
630
	iov[iov_cnt].iov_base = &sdst;
631
	iov[iov_cnt].iov_len = ROUNDUP(sdst.ss_len);
632
	smsg.sadb_msg_len += sa_dst.sadb_address_len;
633
	iov_cnt++;
634
635
	if (sa_ltime_soft.sadb_lifetime_len) {
636
		/* soft lifetime */
637
		iov[iov_cnt].iov_base = &sa_ltime_soft;
638
		iov[iov_cnt].iov_len = sizeof(sa_ltime_soft);
639
		smsg.sadb_msg_len += sa_ltime_soft.sadb_lifetime_len;
640
		iov_cnt++;
641
	}
642
643
	if (sa_ltime_hard.sadb_lifetime_len) {
644
		/* hard lifetime */
645
		iov[iov_cnt].iov_base = &sa_ltime_hard;
646
		iov[iov_cnt].iov_len = sizeof(sa_ltime_hard);
647
		smsg.sadb_msg_len += sa_ltime_hard.sadb_lifetime_len;
648
		iov_cnt++;
649
	}
650
651
	if (udpencap.sadb_x_udpencap_len) {
652
		iov[iov_cnt].iov_base = &udpencap;
653
		iov[iov_cnt].iov_len = sizeof(udpencap);
654
		smsg.sadb_msg_len += udpencap.sadb_x_udpencap_len;
655
		iov_cnt++;
656
	}
657
658
	if (sa_enckey.sadb_key_len) {
659
		/* encryption key */
660
		iov[iov_cnt].iov_base = &sa_enckey;
661
		iov[iov_cnt].iov_len = sizeof(sa_enckey);
662
		iov_cnt++;
663
		iov[iov_cnt].iov_base = ibuf_data(sa->csa_encrkey);
664
		iov[iov_cnt].iov_len =
665
		    ((ibuf_size(sa->csa_encrkey) + 7) / 8) * 8;
666
		smsg.sadb_msg_len += sa_enckey.sadb_key_len;
667
		iov_cnt++;
668
	}
669
	if (sa_authkey.sadb_key_len) {
670
		/* authentication key */
671
		iov[iov_cnt].iov_base = &sa_authkey;
672
		iov[iov_cnt].iov_len = sizeof(sa_authkey);
673
		iov_cnt++;
674
		iov[iov_cnt].iov_base = ibuf_data(sa->csa_integrkey);
675
		iov[iov_cnt].iov_len =
676
		    ((ibuf_size(sa->csa_integrkey) + 7) / 8) * 8;
677
		smsg.sadb_msg_len += sa_authkey.sadb_key_len;
678
		iov_cnt++;
679
	}
680
681
	if (sa_srcid) {
682
		/* src identity */
683
		iov[iov_cnt].iov_base = sa_srcid;
684
		iov[iov_cnt].iov_len = sa_srcid->sadb_ident_len * 8;
685
		smsg.sadb_msg_len += sa_srcid->sadb_ident_len;
686
		iov_cnt++;
687
	}
688
	if (sa_dstid) {
689
		/* dst identity */
690
		iov[iov_cnt].iov_base = sa_dstid;
691
		iov[iov_cnt].iov_len = sa_dstid->sadb_ident_len * 8;
692
		smsg.sadb_msg_len += sa_dstid->sadb_ident_len;
693
		iov_cnt++;
694
	}
695
696
	if (tag != NULL) {
697
		/* tag identity */
698
		iov[iov_cnt].iov_base = &sa_tag;
699
		iov[iov_cnt].iov_len = sizeof(sa_tag);
700
		iov_cnt++;
701
		iov[iov_cnt].iov_base = tag;
702
		iov[iov_cnt].iov_len = ROUNDUP(strlen(tag) + 1);
703
		smsg.sadb_msg_len += sa_tag.sadb_x_tag_len;
704
		iov_cnt++;
705
	}
706
707
	if (pol->pol_tap != 0) {
708
		/* enc(4) device tap unit */
709
		iov[iov_cnt].iov_base = &sa_tap;
710
		iov[iov_cnt].iov_len = sizeof(sa_tap);
711
		smsg.sadb_msg_len += sa_tap.sadb_x_tap_len;
712
		iov_cnt++;
713
	}
714
715
	return (pfkey_write(sd, &smsg, iov, iov_cnt, NULL, NULL));
716
}
717
718
int
719
pfkey_sa_last_used(int sd, struct iked_childsa *sa, uint64_t *last_used)
720
{
721
	struct sadb_msg		*msg, smsg;
722
	struct sadb_address	 sa_src, sa_dst;
723
	struct sadb_sa		 sadb;
724
	struct sadb_lifetime	*sa_life;
725
	struct sockaddr_storage	 ssrc, sdst;
726
	struct iovec		 iov[IOV_CNT];
727
	uint8_t			*data;
728
	ssize_t			 n;
729
	int			 iov_cnt, ret = -1;
730
	uint8_t			 satype;
731
732
	*last_used = 0;
733
734
	if (pfkey_map(pfkey_satype, sa->csa_saproto, &satype) == -1)
735
		return (-1);
736
737
	bzero(&ssrc, sizeof(ssrc));
738
	memcpy(&ssrc, &sa->csa_local->addr, sizeof(ssrc));
739
	if (socket_af((struct sockaddr *)&ssrc, 0) == -1) {
740
		log_warn("%s: invalid address", __func__);
741
		return (-1);
742
	}
743
744
	bzero(&sdst, sizeof(sdst));
745
	memcpy(&sdst, &sa->csa_peer->addr, sizeof(sdst));
746
	if (socket_af((struct sockaddr *)&sdst, 0) == -1) {
747
		log_warn("%s: invalid address", __func__);
748
		return (-1);
749
	}
750
751
	bzero(&smsg, sizeof(smsg));
752
	smsg.sadb_msg_version = PF_KEY_V2;
753
	smsg.sadb_msg_seq = ++sadb_msg_seq;
754
	smsg.sadb_msg_pid = getpid();
755
	smsg.sadb_msg_len = sizeof(smsg) / 8;
756
	smsg.sadb_msg_type = SADB_GET;
757
	smsg.sadb_msg_satype = satype;
758
759
	bzero(&sadb, sizeof(sadb));
760
	sadb.sadb_sa_len = sizeof(sadb) / 8;
761
	sadb.sadb_sa_exttype = SADB_EXT_SA;
762
	sadb.sadb_sa_spi = htonl(sa->csa_spi.spi);
763
	sadb.sadb_sa_state = SADB_SASTATE_MATURE;
764
	sadb.sadb_sa_replay = 64;
765
766
	bzero(&sa_src, sizeof(sa_src));
767
	sa_src.sadb_address_len = (sizeof(sa_src) + ROUNDUP(ssrc.ss_len)) / 8;
768
	sa_src.sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
769
770
	bzero(&sa_dst, sizeof(sa_dst));
771
	sa_dst.sadb_address_len = (sizeof(sa_dst) + ROUNDUP(sdst.ss_len)) / 8;
772
	sa_dst.sadb_address_exttype = SADB_EXT_ADDRESS_DST;
773
774
	iov_cnt = 0;
775
776
	/* header */
777
	iov[iov_cnt].iov_base = &smsg;
778
	iov[iov_cnt].iov_len = sizeof(smsg);
779
	iov_cnt++;
780
781
	/* sa */
782
	iov[iov_cnt].iov_base = &sadb;
783
	iov[iov_cnt].iov_len = sizeof(sadb);
784
	smsg.sadb_msg_len += sadb.sadb_sa_len;
785
	iov_cnt++;
786
787
	/* src addr */
788
	iov[iov_cnt].iov_base = &sa_src;
789
	iov[iov_cnt].iov_len = sizeof(sa_src);
790
	iov_cnt++;
791
	iov[iov_cnt].iov_base = &ssrc;
792
	iov[iov_cnt].iov_len = ROUNDUP(ssrc.ss_len);
793
	smsg.sadb_msg_len += sa_src.sadb_address_len;
794
	iov_cnt++;
795
796
	/* dst addr */
797
	iov[iov_cnt].iov_base = &sa_dst;
798
	iov[iov_cnt].iov_len = sizeof(sa_dst);
799
	iov_cnt++;
800
	iov[iov_cnt].iov_base = &sdst;
801
	iov[iov_cnt].iov_len = ROUNDUP(sdst.ss_len);
802
	smsg.sadb_msg_len += sa_dst.sadb_address_len;
803
	iov_cnt++;
804
805
	if ((ret = pfkey_write(sd, &smsg, iov, iov_cnt, &data, &n)) != 0)
806
		return (-1);
807
808
	msg = (struct sadb_msg *)data;
809
	if (msg->sadb_msg_errno != 0) {
810
		errno = msg->sadb_msg_errno;
811
		ret = -1;
812
		log_warn("%s: message", __func__);
813
		goto done;
814
	}
815
	if ((sa_life = pfkey_find_ext(data, n, SADB_X_EXT_LIFETIME_LASTUSE))
816
	    == NULL) {
817
		/* has never been used */
818
		ret = -1;
819
		goto done;
820
	}
821
	*last_used = sa_life->sadb_lifetime_usetime;
822
	log_debug("%s: last_used %llu", __func__, *last_used);
823
824
done:
825
	explicit_bzero(data, n);
826
	free(data);
827
	return (ret);
828
}
829
830
int
831
pfkey_sa_getspi(int sd, uint8_t satype, struct iked_childsa *sa,
832
    uint32_t *spip)
833
{
834
	struct sadb_msg		*msg, smsg;
835
	struct sadb_address	 sa_src, sa_dst;
836
	struct sadb_sa		*sa_ext;
837
	struct sadb_spirange	 sa_spirange;
838
	struct sockaddr_storage	 ssrc, sdst;
839
	struct iovec		 iov[IOV_CNT];
840
	uint8_t			*data;
841
	ssize_t			 n;
842
	int			 iov_cnt, ret = -1;
843
844
	bzero(&ssrc, sizeof(ssrc));
845
	memcpy(&ssrc, &sa->csa_local->addr, sizeof(ssrc));
846
	if (socket_af((struct sockaddr *)&ssrc, 0) == -1) {
847
		log_warn("%s: invalid address", __func__);
848
		return (-1);
849
	}
850
851
	bzero(&sdst, sizeof(sdst));
852
	memcpy(&sdst, &sa->csa_peer->addr, sizeof(sdst));
853
	if (socket_af((struct sockaddr *)&sdst, 0) == -1) {
854
		log_warn("%s: invalid address", __func__);
855
		return (-1);
856
	}
857
858
	bzero(&smsg, sizeof(smsg));
859
	smsg.sadb_msg_version = PF_KEY_V2;
860
	smsg.sadb_msg_seq = ++sadb_msg_seq;
861
	smsg.sadb_msg_pid = getpid();
862
	smsg.sadb_msg_len = sizeof(smsg) / 8;
863
	smsg.sadb_msg_type = SADB_GETSPI;
864
	smsg.sadb_msg_satype = satype;
865
866
	bzero(&sa_spirange, sizeof(sa_spirange));
867
	sa_spirange.sadb_spirange_exttype = SADB_EXT_SPIRANGE;
868
	sa_spirange.sadb_spirange_len = sizeof(sa_spirange) / 8;
869
	sa_spirange.sadb_spirange_min = 0x100;
870
	sa_spirange.sadb_spirange_max = (satype == SADB_X_SATYPE_IPCOMP) ?
871
	    (CPI_PRIVATE_MIN - 1) : 0xffffffff;
872
	sa_spirange.sadb_spirange_reserved = 0;
873
874
	bzero(&sa_src, sizeof(sa_src));
875
	sa_src.sadb_address_len = (sizeof(sa_src) + ROUNDUP(ssrc.ss_len)) / 8;
876
	sa_src.sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
877
878
	bzero(&sa_dst, sizeof(sa_dst));
879
	sa_dst.sadb_address_len = (sizeof(sa_dst) + ROUNDUP(sdst.ss_len)) / 8;
880
	sa_dst.sadb_address_exttype = SADB_EXT_ADDRESS_DST;
881
882
	iov_cnt = 0;
883
884
	/* header */
885
	iov[iov_cnt].iov_base = &smsg;
886
	iov[iov_cnt].iov_len = sizeof(smsg);
887
	iov_cnt++;
888
889
	/* SPI range */
890
	iov[iov_cnt].iov_base = &sa_spirange;
891
	iov[iov_cnt].iov_len = sizeof(sa_spirange);
892
	smsg.sadb_msg_len += sa_spirange.sadb_spirange_len;
893
	iov_cnt++;
894
895
	/* src addr */
896
	iov[iov_cnt].iov_base = &sa_src;
897
	iov[iov_cnt].iov_len = sizeof(sa_src);
898
	iov_cnt++;
899
	iov[iov_cnt].iov_base = &ssrc;
900
	iov[iov_cnt].iov_len = ROUNDUP(ssrc.ss_len);
901
	smsg.sadb_msg_len += sa_src.sadb_address_len;
902
	iov_cnt++;
903
904
	/* dst addr */
905
	iov[iov_cnt].iov_base = &sa_dst;
906
	iov[iov_cnt].iov_len = sizeof(sa_dst);
907
	iov_cnt++;
908
	iov[iov_cnt].iov_base = &sdst;
909
	iov[iov_cnt].iov_len = ROUNDUP(sdst.ss_len);
910
	smsg.sadb_msg_len += sa_dst.sadb_address_len;
911
	iov_cnt++;
912
913
	*spip = 0;
914
915
	if ((ret = pfkey_write(sd, &smsg, iov, iov_cnt, &data, &n)) != 0)
916
		return (-1);
917
918
	msg = (struct sadb_msg *)data;
919
	if (msg->sadb_msg_errno != 0) {
920
		errno = msg->sadb_msg_errno;
921
		log_warn("%s: message", __func__);
922
		goto done;
923
	}
924
	if ((sa_ext = pfkey_find_ext(data, n, SADB_EXT_SA)) == NULL) {
925
		log_debug("%s: erronous reply", __func__);
926
		goto done;
927
	}
928
929
	*spip = ntohl(sa_ext->sadb_sa_spi);
930
	log_debug("%s: spi 0x%08x", __func__, *spip);
931
932
done:
933
	explicit_bzero(data, n);
934
	free(data);
935
	return (ret);
936
}
937
938
int
939
pfkey_sagroup(int sd, uint8_t satype1, uint8_t action,
940
    struct iked_childsa *sa1, struct iked_childsa *sa2)
941
{
942
	struct sadb_msg		smsg;
943
	struct sadb_sa		sadb1, sadb2;
944
	struct sadb_address	sa_dst1, sa_dst2;
945
	struct sockaddr_storage	sdst1, sdst2;
946
	struct sadb_protocol	sa_proto;
947
	struct iovec		iov[IOV_CNT];
948
	int			iov_cnt;
949
	uint8_t			satype2;
950
951
	if (pfkey_map(pfkey_satype, sa2->csa_saproto, &satype2) == -1)
952
		return (-1);
953
954
	bzero(&sdst1, sizeof(sdst1));
955
	memcpy(&sdst1, &sa1->csa_peer->addr, sizeof(sdst1));
956
	if (socket_af((struct sockaddr *)&sdst1, 0) == -1) {
957
		log_warnx("%s: unsupported address family %d",
958
		    __func__, sdst1.ss_family);
959
		return (-1);
960
	}
961
962
	bzero(&sdst2, sizeof(sdst2));
963
	memcpy(&sdst2, &sa2->csa_peer->addr, sizeof(sdst2));
964
	if (socket_af((struct sockaddr *)&sdst2, 0) == -1) {
965
		log_warnx("%s: unsupported address family %d",
966
		    __func__, sdst2.ss_family);
967
		return (-1);
968
	}
969
970
	bzero(&smsg, sizeof(smsg));
971
	smsg.sadb_msg_version = PF_KEY_V2;
972
	smsg.sadb_msg_seq = ++sadb_msg_seq;
973
	smsg.sadb_msg_pid = getpid();
974
	smsg.sadb_msg_len = sizeof(smsg) / 8;
975
	smsg.sadb_msg_type = action;
976
	smsg.sadb_msg_satype = satype1;
977
978
	bzero(&sadb1, sizeof(sadb1));
979
	sadb1.sadb_sa_len = sizeof(sadb1) / 8;
980
	sadb1.sadb_sa_exttype = SADB_EXT_SA;
981
	sadb1.sadb_sa_spi = htonl(sa1->csa_spi.spi);
982
	sadb1.sadb_sa_state = SADB_SASTATE_MATURE;
983
984
	bzero(&sadb2, sizeof(sadb2));
985
	sadb2.sadb_sa_len = sizeof(sadb2) / 8;
986
	sadb2.sadb_sa_exttype = SADB_X_EXT_SA2;
987
	sadb2.sadb_sa_spi = htonl(sa2->csa_spi.spi);
988
	sadb2.sadb_sa_state = SADB_SASTATE_MATURE;
989
	iov_cnt = 0;
990
991
	bzero(&sa_dst1, sizeof(sa_dst1));
992
	sa_dst1.sadb_address_exttype = SADB_EXT_ADDRESS_DST;
993
	sa_dst1.sadb_address_len =
994
	    (sizeof(sa_dst1) + ROUNDUP(sdst1.ss_len)) / 8;
995
996
	bzero(&sa_dst2, sizeof(sa_dst2));
997
	sa_dst2.sadb_address_exttype = SADB_X_EXT_DST2;
998
	sa_dst2.sadb_address_len =
999
	    (sizeof(sa_dst2) + ROUNDUP(sdst2.ss_len)) / 8;
1000
1001
	bzero(&sa_proto, sizeof(sa_proto));
1002
	sa_proto.sadb_protocol_exttype = SADB_X_EXT_PROTOCOL;
1003
	sa_proto.sadb_protocol_len = sizeof(sa_proto) / 8;
1004
	sa_proto.sadb_protocol_direction = 0;
1005
	sa_proto.sadb_protocol_proto = satype2;
1006
1007
	/* header */
1008
	iov[iov_cnt].iov_base = &smsg;
1009
	iov[iov_cnt].iov_len = sizeof(smsg);
1010
	iov_cnt++;
1011
1012
	/* sa */
1013
	iov[iov_cnt].iov_base = &sadb1;
1014
	iov[iov_cnt].iov_len = sizeof(sadb1);
1015
	smsg.sadb_msg_len += sadb1.sadb_sa_len;
1016
	iov_cnt++;
1017
1018
	/* dst addr */
1019
	iov[iov_cnt].iov_base = &sa_dst1;
1020
	iov[iov_cnt].iov_len = sizeof(sa_dst1);
1021
	iov_cnt++;
1022
	iov[iov_cnt].iov_base = &sdst1;
1023
	iov[iov_cnt].iov_len = ROUNDUP(sdst1.ss_len);
1024
	smsg.sadb_msg_len += sa_dst1.sadb_address_len;
1025
	iov_cnt++;
1026
1027
	/* second sa */
1028
	iov[iov_cnt].iov_base = &sadb2;
1029
	iov[iov_cnt].iov_len = sizeof(sadb2);
1030
	smsg.sadb_msg_len += sadb2.sadb_sa_len;
1031
	iov_cnt++;
1032
1033
	/* second dst addr */
1034
	iov[iov_cnt].iov_base = &sa_dst2;
1035
	iov[iov_cnt].iov_len = sizeof(sa_dst2);
1036
	iov_cnt++;
1037
	iov[iov_cnt].iov_base = &sdst2;
1038
	iov[iov_cnt].iov_len = ROUNDUP(sdst2.ss_len);
1039
	smsg.sadb_msg_len += sa_dst2.sadb_address_len;
1040
	iov_cnt++;
1041
1042
	/* SA type */
1043
	iov[iov_cnt].iov_base = &sa_proto;
1044
	iov[iov_cnt].iov_len = sizeof(sa_proto);
1045
	smsg.sadb_msg_len += sa_proto.sadb_protocol_len;
1046
	iov_cnt++;
1047
1048
	return (pfkey_write(sd, &smsg, iov, iov_cnt, NULL, NULL));
1049
}
1050
1051
int
1052
pfkey_write(int sd, struct sadb_msg *smsg, struct iovec *iov, int iov_cnt,
1053
    uint8_t **datap, ssize_t *lenp)
1054
{
1055
	ssize_t n, len = smsg->sadb_msg_len * 8;
1056
1057
	if (sadb_decoupled) {
1058
		switch (smsg->sadb_msg_type) {
1059
		case SADB_GETSPI:
1060
			/* we need to get a new SPI from the kernel */
1061
			break;
1062
		default:
1063
			if (datap || lenp) {
1064
				log_warnx("%s: pfkey not coupled", __func__);
1065
				return (-1);
1066
			}
1067
			/* ignore request */
1068
			return (0);
1069
		}
1070
	}
1071
1072
	if ((n = writev(sd, iov, iov_cnt)) == -1) {
1073
		log_warn("%s: writev failed", __func__);
1074
		return (-1);
1075
	} else if (n != len) {
1076
		log_warn("%s: short write", __func__);
1077
		return (-1);
1078
	}
1079
1080
	return (pfkey_reply(sd, datap, lenp));
1081
}
1082
1083
int
1084
pfkey_reply(int sd, uint8_t **datap, ssize_t *lenp)
1085
{
1086
	struct pfkey_message	*pm;
1087
	struct sadb_msg		 hdr;
1088
	ssize_t			 len;
1089
	uint8_t			*data;
1090
	struct pollfd		pfd[1];
1091
	int			 n;
1092
1093
	pfd[0].fd = sd;
1094
	pfd[0].events = POLLIN;
1095
1096
	for (;;) {
1097
		/*
1098
		 * We should actually expect the reply to get lost
1099
		 * as PF_KEY is an unreliable service per the specs.
1100
		 * Currently we do this by setting a short timeout,
1101
		 * and if it is not readable in that time, we fail
1102
		 * the read.
1103
		 */
1104
		n = poll(pfd, 1, PFKEY_REPLY_TIMEOUT / 1000);
1105
		if (n == -1) {
1106
			log_warn("%s: poll() failed", __func__);
1107
			return (-1);
1108
		}
1109
		if (n == 0) {
1110
			log_warnx("%s: no reply from PF_KEY", __func__);
1111
			return (-1);
1112
		}
1113
1114
		if (recv(sd, &hdr, sizeof(hdr), MSG_PEEK) != sizeof(hdr)) {
1115
			log_warn("%s: short recv", __func__);
1116
			return (-1);
1117
		}
1118
1119
		if (hdr.sadb_msg_version != PF_KEY_V2) {
1120
			log_warnx("%s: wrong pfkey version", __func__);
1121
			return (-1);
1122
		}
1123
1124
		if ((data = reallocarray(NULL, hdr.sadb_msg_len,
1125
		    PFKEYV2_CHUNK)) == NULL) {
1126
			log_warn("%s: malloc", __func__);
1127
			return (-1);
1128
		}
1129
		len = hdr.sadb_msg_len * PFKEYV2_CHUNK;
1130
1131
		if (read(sd, data, len) != len) {
1132
			log_warnx("%s: short read", __func__);
1133
			free(data);
1134
			return (-1);
1135
		}
1136
1137
		/* XXX: Only one message can be outstanding. */
1138
		if (hdr.sadb_msg_seq == sadb_msg_seq &&
1139
		    hdr.sadb_msg_pid == (uint32_t)getpid())
1140
			break;
1141
1142
		/* ignore messages for other processes */
1143
		if (hdr.sadb_msg_pid != 0 &&
1144
		    hdr.sadb_msg_pid != (uint32_t)getpid()) {
1145
			free(data);
1146
			continue;
1147
		}
1148
1149
		/* not the reply, enqueue */
1150
		if ((pm = malloc(sizeof(*pm))) == NULL) {
1151
			log_warn("%s: malloc", __func__);
1152
			free(data);
1153
			return (-1);
1154
		}
1155
		pm->pm_data = data;
1156
		pm->pm_length = len;
1157
		SIMPLEQ_INSERT_TAIL(&pfkey_postponed, pm, pm_entry);
1158
		evtimer_add(&pfkey_timer_ev, &pfkey_timer_tv);
1159
	}
1160
1161
	if (datap) {
1162
		*datap = data;
1163
		if (lenp)
1164
			*lenp = len;
1165
	} else
1166
		free(data);
1167
1168
	if (datap == NULL && hdr.sadb_msg_errno != 0) {
1169
		errno = hdr.sadb_msg_errno;
1170
		if (errno != EEXIST) {
1171
			log_warn("%s: message", __func__);
1172
			return (-1);
1173
		}
1174
	}
1175
	return (0);
1176
}
1177
1178
int
1179
pfkey_flow_add(int fd, struct iked_flow *flow)
1180
{
1181
	uint8_t		 satype;
1182
1183
	if (flow->flow_loaded)
1184
		return (0);
1185
1186
	if (pfkey_map(pfkey_satype, flow->flow_saproto, &satype) == -1)
1187
		return (-1);
1188
1189
	if (pfkey_flow(fd, satype, SADB_X_ADDFLOW, flow) == -1)
1190
		return (-1);
1191
1192
	flow->flow_loaded = 1;
1193
1194
	if (flow->flow_dst.addr_af == AF_INET6) {
1195
		sadb_ipv6refcnt++;
1196
		if (sadb_ipv6refcnt == 1)
1197
			return (pfkey_block(fd, AF_INET6, SADB_X_DELFLOW));
1198
	}
1199
1200
	return (0);
1201
}
1202
1203
int
1204
pfkey_flow_delete(int fd, struct iked_flow *flow)
1205
{
1206
	uint8_t		satype;
1207
1208
	if (!flow->flow_loaded)
1209
		return (0);
1210
1211
	if (pfkey_map(pfkey_satype, flow->flow_saproto, &satype) == -1)
1212
		return (-1);
1213
1214
	if (pfkey_flow(fd, satype, SADB_X_DELFLOW, flow) == -1)
1215
		return (-1);
1216
1217
	flow->flow_loaded = 0;
1218
1219
	if (flow->flow_dst.addr_af == AF_INET6) {
1220
		sadb_ipv6refcnt--;
1221
		if (sadb_ipv6refcnt == 0)
1222
			return (pfkey_block(fd, AF_INET6, SADB_X_ADDFLOW));
1223
	}
1224
1225
	return (0);
1226
}
1227
1228
int
1229
pfkey_block(int fd, int af, unsigned int action)
1230
{
1231
	struct iked_flow	 flow;
1232
1233
	if (!pfkey_blockipv6)
1234
		return (0);
1235
1236
	/*
1237
	 * Prevent VPN traffic leakages in dual-stack hosts/networks.
1238
	 * https://tools.ietf.org/html/draft-gont-opsec-vpn-leakages.
1239
	 * We forcibly block IPv6 traffic unless it is used in any of
1240
	 * the flows by tracking a sadb_ipv6refcnt reference counter.
1241
	 */
1242
	bzero(&flow, sizeof(flow));
1243
	flow.flow_src.addr_af = flow.flow_src.addr.ss_family = af;
1244
	flow.flow_src.addr_net = 1;
1245
	socket_af((struct sockaddr *)&flow.flow_src.addr, 0);
1246
	flow.flow_dst.addr_af = flow.flow_dst.addr.ss_family = af;
1247
	flow.flow_dst.addr_net = 1;
1248
	socket_af((struct sockaddr *)&flow.flow_dst.addr, 0);
1249
	flow.flow_type = SADB_X_FLOW_TYPE_DENY;
1250
	flow.flow_dir = IPSP_DIRECTION_OUT;
1251
1252
	if (pfkey_flow(fd, 0, action, &flow) == -1)
1253
		return (-1);
1254
1255
	return (0);
1256
}
1257
1258
int
1259
pfkey_sa_init(int fd, struct iked_childsa *sa, uint32_t *spi)
1260
{
1261
	uint8_t		 satype;
1262
1263
	if (pfkey_map(pfkey_satype, sa->csa_saproto, &satype) == -1)
1264
		return (-1);
1265
1266
	if (pfkey_sa_getspi(fd, satype, sa, spi) == -1)
1267
		return (-1);
1268
1269
	log_debug("%s: new spi 0x%08x", __func__, *spi);
1270
1271
	return (0);
1272
}
1273
1274
int
1275
pfkey_sa_add(int fd, struct iked_childsa *sa, struct iked_childsa *last)
1276
{
1277
	uint8_t		 satype;
1278
	unsigned int	 cmd;
1279
1280
	if (pfkey_map(pfkey_satype, sa->csa_saproto, &satype) == -1)
1281
		return (-1);
1282
1283
	if (sa->csa_allocated || sa->csa_loaded)
1284
		cmd = SADB_UPDATE;
1285
	else
1286
		cmd = SADB_ADD;
1287
1288
	log_debug("%s: %s spi %s", __func__, cmd == SADB_ADD ? "add": "update",
1289
	    print_spi(sa->csa_spi.spi, 4));
1290
1291
	if (pfkey_sa(fd, satype, cmd, sa) == -1) {
1292
		if (cmd == SADB_ADD) {
1293
			(void)pfkey_sa_delete(fd, sa);
1294
			return (-1);
1295
		}
1296
		if (sa->csa_allocated && !sa->csa_loaded && errno == ESRCH) {
1297
			/* Needed for recoupling local SAs */
1298
			log_debug("%s: SADB_UPDATE on local SA returned ESRCH,"
1299
			    " trying SADB_ADD", __func__);
1300
			if (pfkey_sa(fd, satype, SADB_ADD, sa) == -1)
1301
				return (-1);
1302
		} else {
1303
			return (-1);
1304
		}
1305
	}
1306
1307
	if (last && cmd == SADB_ADD) {
1308
		if (pfkey_sagroup(fd, satype,
1309
		    SADB_X_GRPSPIS, sa, last) == -1) {
1310
			(void)pfkey_sa_delete(fd, sa);
1311
			return (-1);
1312
		}
1313
	}
1314
1315
	sa->csa_loaded = 1;
1316
	return (0);
1317
}
1318
1319
int
1320
pfkey_sa_delete(int fd, struct iked_childsa *sa)
1321
{
1322
	uint8_t		satype;
1323
1324
	if (!sa->csa_loaded || sa->csa_spi.spi == 0)
1325
		return (0);
1326
1327
	if (pfkey_map(pfkey_satype, sa->csa_saproto, &satype) == -1)
1328
		return (-1);
1329
1330
	if (pfkey_sa(fd, satype, SADB_DELETE, sa) == -1)
1331
		return (-1);
1332
1333
	sa->csa_loaded = 0;
1334
	return (0);
1335
}
1336
1337
int
1338
pfkey_flush(int sd)
1339
{
1340
	struct sadb_msg smsg;
1341
	struct iovec	iov[IOV_CNT];
1342
	int		iov_cnt;
1343
1344
	bzero(&smsg, sizeof(smsg));
1345
	smsg.sadb_msg_version = PF_KEY_V2;
1346
	smsg.sadb_msg_seq = ++sadb_msg_seq;
1347
	smsg.sadb_msg_pid = getpid();
1348
	smsg.sadb_msg_len = sizeof(smsg) / 8;
1349
	smsg.sadb_msg_type = SADB_FLUSH;
1350
	smsg.sadb_msg_satype = SADB_SATYPE_UNSPEC;
1351
1352
	iov_cnt = 0;
1353
1354
	iov[iov_cnt].iov_base = &smsg;
1355
	iov[iov_cnt].iov_len = sizeof(smsg);
1356
	iov_cnt++;
1357
1358
	return (pfkey_write(sd, &smsg, iov, iov_cnt, NULL, NULL));
1359
}
1360
1361
struct sadb_ident *
1362
pfkey_id2ident(struct iked_id *id, unsigned int exttype)
1363
{
1364
	char			 idstr[IKED_ID_SIZE];
1365
	unsigned int		 type;
1366
	size_t			 len;
1367
	struct sadb_ident	*sa_id;
1368
1369
	switch (id->id_type) {
1370
	case IKEV2_ID_FQDN:
1371
		type = SADB_IDENTTYPE_FQDN;
1372
		break;
1373
	case IKEV2_ID_UFQDN:
1374
		type = SADB_IDENTTYPE_USERFQDN;
1375
		break;
1376
	case IKEV2_ID_IPV4:
1377
	case IKEV2_ID_IPV6:
1378
		type = SADB_IDENTTYPE_PREFIX;
1379
		break;
1380
	case IKEV2_ID_ASN1_DN:
1381
	case IKEV2_ID_ASN1_GN:
1382
	case IKEV2_ID_KEY_ID:
1383
	case IKEV2_ID_NONE:
1384
	default:
1385
		/* XXX not implemented/supported by PFKEY */
1386
		return (NULL);
1387
	}
1388
1389
	bzero(&idstr, sizeof(idstr));
1390
1391
	if (ikev2_print_id(id, idstr, sizeof(idstr)) == -1)
1392
		return (NULL);
1393
1394
	len = ROUNDUP(strlen(idstr) + 1) + sizeof(*sa_id);
1395
	if ((sa_id = calloc(1, len)) == NULL)
1396
		return (NULL);
1397
1398
	strlcpy((char *)(sa_id + 1), idstr, ROUNDUP(strlen(idstr) + 1));
1399
	sa_id->sadb_ident_type = type;
1400
	sa_id->sadb_ident_len = len / 8;
1401
	sa_id->sadb_ident_exttype = exttype;
1402
1403
	return (sa_id);
1404
}
1405
1406
int
1407
pfkey_socket(void)
1408
{
1409
	int	 fd;
1410
1411
	if (privsep_process != PROC_PARENT)
1412
		fatal("pfkey_socket: called from unprivileged process");
1413
1414
	if ((fd = socket(PF_KEY, SOCK_RAW, PF_KEY_V2)) == -1)
1415
		fatal("pfkey_socket: failed to open PF_KEY socket");
1416
1417
	pfkey_flush(fd);
1418
1419
	return (fd);
1420
}
1421
1422
void
1423
pfkey_init(struct iked *env, int fd)
1424
{
1425
	struct sadb_msg		smsg;
1426
	struct iovec		iov;
1427
1428
	/* Set up a timer to process messages deferred by the pfkey_reply */
1429
	pfkey_timer_tv.tv_sec = 1;
1430
	pfkey_timer_tv.tv_usec = 0;
1431
	evtimer_set(&pfkey_timer_ev, pfkey_timer_cb, env);
1432
1433
	/* Register the pfkey socket event handler */
1434
	env->sc_pfkey = fd;
1435
	event_set(&env->sc_pfkeyev, env->sc_pfkey,
1436
	    EV_READ|EV_PERSIST, pfkey_dispatch, env);
1437
	event_add(&env->sc_pfkeyev, NULL);
1438
1439
	/* Register it to get ESP and AH acquires from the kernel */
1440
	bzero(&smsg, sizeof(smsg));
1441
	smsg.sadb_msg_version = PF_KEY_V2;
1442
	smsg.sadb_msg_seq = ++sadb_msg_seq;
1443
	smsg.sadb_msg_pid = getpid();
1444
	smsg.sadb_msg_len = sizeof(smsg) / 8;
1445
	smsg.sadb_msg_type = SADB_REGISTER;
1446
	smsg.sadb_msg_satype = SADB_SATYPE_ESP;
1447
1448
	iov.iov_base = &smsg;
1449
	iov.iov_len = sizeof(smsg);
1450
1451
	if (pfkey_write(fd, &smsg, &iov, 1, NULL, NULL))
1452
		fatal("pfkey_init: failed to set up ESP acquires");
1453
1454
	bzero(&smsg, sizeof(smsg));
1455
	smsg.sadb_msg_version = PF_KEY_V2;
1456
	smsg.sadb_msg_seq = ++sadb_msg_seq;
1457
	smsg.sadb_msg_pid = getpid();
1458
	smsg.sadb_msg_len = sizeof(smsg) / 8;
1459
	smsg.sadb_msg_type = SADB_REGISTER;
1460
	smsg.sadb_msg_satype = SADB_SATYPE_AH;
1461
1462
	iov.iov_base = &smsg;
1463
	iov.iov_len = sizeof(smsg);
1464
1465
	if (pfkey_write(fd, &smsg, &iov, 1, NULL, NULL))
1466
		fatal("pfkey_init: failed to set up AH acquires");
1467
1468
	if (env->sc_opts & IKED_OPT_NOIPV6BLOCKING)
1469
		return;
1470
1471
	/* Block all IPv6 traffic by default */
1472
	pfkey_blockipv6 = 1;
1473
	if (pfkey_block(fd, AF_INET6, SADB_X_ADDFLOW))
1474
		fatal("pfkey_init: failed to block IPv6 traffic");
1475
}
1476
1477
void *
1478
pfkey_find_ext(uint8_t *data, ssize_t len, int type)
1479
{
1480
	struct sadb_ext	*ext = (struct sadb_ext *)(data +
1481
	    sizeof(struct sadb_msg));
1482
1483
	while (ext && ((uint8_t *)ext - data < len)) {
1484
		if (ext->sadb_ext_type == type)
1485
			return (ext);
1486
		ext = (struct sadb_ext *)((uint8_t *)ext +
1487
		    ext->sadb_ext_len * PFKEYV2_CHUNK);
1488
	}
1489
1490
	return (NULL);
1491
}
1492
1493
void
1494
pfkey_dispatch(int sd, short event, void *arg)
1495
{
1496
	struct iked		*env = (struct iked *)arg;
1497
	struct pfkey_message	 pm, *pmp;
1498
	struct sadb_msg		 hdr;
1499
	ssize_t			 len;
1500
	uint8_t			*data;
1501
1502
	if (recv(sd, &hdr, sizeof(hdr), MSG_PEEK) != sizeof(hdr)) {
1503
		log_warn("%s: short recv", __func__);
1504
		return;
1505
	}
1506
1507
	if (hdr.sadb_msg_version != PF_KEY_V2) {
1508
		log_warnx("%s: wrong pfkey version", __func__);
1509
		return;
1510
	}
1511
1512
	if ((data = reallocarray(NULL, hdr.sadb_msg_len, PFKEYV2_CHUNK))
1513
	    == NULL) {
1514
		log_warn("%s: malloc", __func__);
1515
		return;
1516
	}
1517
	len = hdr.sadb_msg_len * PFKEYV2_CHUNK;
1518
1519
	if (read(sd, data, len) != len) {
1520
		log_warn("%s: short read", __func__);
1521
		free(data);
1522
		return;
1523
	}
1524
1525
	/* Try postponed requests first, so we do in-order processing */
1526
	if (!SIMPLEQ_EMPTY(&pfkey_postponed))
1527
		pfkey_timer_cb(0, 0, env);
1528
1529
	pm.pm_data = data;
1530
	pm.pm_length = len;
1531
1532
	if (pfkey_process(env, &pm) == -1 &&
1533
	    (pmp = calloc(1, sizeof(*pmp))) != NULL) {
1534
		pmp->pm_data = data;
1535
		pmp->pm_length = len;
1536
		log_debug("%s: pfkey_process is busy, retry later", __func__);
1537
		SIMPLEQ_INSERT_TAIL(&pfkey_postponed, pmp, pm_entry);
1538
		evtimer_add(&pfkey_timer_ev, &pfkey_timer_tv);
1539
	} else {
1540
		free(data);
1541
	}
1542
}
1543
1544
void
1545
pfkey_timer_cb(int unused, short event, void *arg)
1546
{
1547
	struct iked		*env = arg;
1548
	struct pfkey_message	*pm;
1549
1550
	SIMPLEQ_INIT(&pfkey_retry);
1551
	while (!SIMPLEQ_EMPTY(&pfkey_postponed)) {
1552
		pm = SIMPLEQ_FIRST(&pfkey_postponed);
1553
		SIMPLEQ_REMOVE_HEAD(&pfkey_postponed, pm_entry);
1554
		if (pfkey_process(env, pm) == -1) {
1555
			log_debug("%s: pfkey_process is busy, retry later",
1556
			    __func__);
1557
			SIMPLEQ_INSERT_TAIL(&pfkey_retry, pm, pm_entry);
1558
		} else {
1559
			free(pm->pm_data);
1560
			free(pm);
1561
		}
1562
	}
1563
	/* move from retry to postponed */
1564
	while ((pm = SIMPLEQ_FIRST(&pfkey_retry)) != NULL) {
1565
		SIMPLEQ_REMOVE_HEAD(&pfkey_retry, pm_entry);
1566
		SIMPLEQ_INSERT_TAIL(&pfkey_postponed, pm, pm_entry);
1567
	}
1568
	if (!SIMPLEQ_EMPTY(&pfkey_postponed))
1569
		evtimer_add(&pfkey_timer_ev, &pfkey_timer_tv);
1570
}
1571
1572
/*
1573
 * pfkey_process returns 0 if the message has been processed and -1 if
1574
 * the system is busy and the message should be passed again, later.
1575
 */
1576
int
1577
pfkey_process(struct iked *env, struct pfkey_message *pm)
1578
{
1579
	struct iked_spi		 spi;
1580
	struct sadb_sa		*sa;
1581
	struct sadb_lifetime	*sa_ltime;
1582
	struct sadb_msg		*hdr;
1583
	struct sadb_msg		 smsg;
1584
	struct iked_addr	 peer;
1585
	struct iked_flow	 flow;
1586
	struct sadb_address	*sa_addr;
1587
	struct sadb_protocol	*sa_proto;
1588
	struct sadb_x_policy	 sa_pol;
1589
	struct sockaddr		*ssrc, *sdst, *smask, *dmask, *speer;
1590
	struct iovec		 iov[IOV_CNT];
1591
	int			 ret = 0, iov_cnt, sd;
1592
	uint8_t			*reply;
1593
	ssize_t			 rlen;
1594
	const char		*errmsg = NULL;
1595
	uint8_t			*data = pm->pm_data;
1596
	ssize_t			 len = pm->pm_length;
1597
	size_t			 slen;
1598
1599
	if (!env || !data || !len)
1600
		return (0);
1601
1602
	sd = env->sc_pfkey;
1603
	hdr = (struct sadb_msg *)data;
1604
1605
	switch (hdr->sadb_msg_type) {
1606
	case SADB_ACQUIRE:
1607
		bzero(&flow, sizeof(flow));
1608
		bzero(&peer, sizeof(peer));
1609
1610
		if ((sa_addr = pfkey_find_ext(data, len,
1611
		    SADB_EXT_ADDRESS_DST)) == NULL) {
1612
			log_debug("%s: no peer address", __func__);
1613
			return (0);
1614
		}
1615
		speer = (struct sockaddr *)(sa_addr + 1);
1616
		peer.addr_af = speer->sa_family;
1617
		peer.addr_port = htons(socket_getport(speer));
1618
		if ((slen = speer->sa_len) > sizeof(peer.addr)) {
1619
			log_debug("%s: invalid peer address len", __func__);
1620
			return (0);
1621
		}
1622
		memcpy(&peer.addr, speer, slen);
1623
		if (socket_af((struct sockaddr *)&peer.addr,
1624
		    peer.addr_port) == -1) {
1625
			log_debug("%s: invalid address", __func__);
1626
			return (0);
1627
		}
1628
		flow.flow_peer = &peer;
1629
1630
		log_debug("%s: acquire request (peer %s)", __func__,
1631
		    print_host(speer, NULL, 0));
1632
1633
		/* get the matching flow */
1634
		bzero(&smsg, sizeof(smsg));
1635
		smsg.sadb_msg_version = PF_KEY_V2;
1636
		smsg.sadb_msg_seq = ++sadb_msg_seq;
1637
		smsg.sadb_msg_pid = getpid();
1638
		smsg.sadb_msg_len = sizeof(smsg) / 8;
1639
		smsg.sadb_msg_type = SADB_X_ASKPOLICY;
1640
1641
		iov_cnt = 0;
1642
1643
		iov[iov_cnt].iov_base = &smsg;
1644
		iov[iov_cnt].iov_len = sizeof(smsg);
1645
		iov_cnt++;
1646
1647
		bzero(&sa_pol, sizeof(sa_pol));
1648
		sa_pol.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
1649
		sa_pol.sadb_x_policy_len = sizeof(sa_pol) / 8;
1650
		sa_pol.sadb_x_policy_seq = hdr->sadb_msg_seq;
1651
1652
		iov[iov_cnt].iov_base = &sa_pol;
1653
		iov[iov_cnt].iov_len = sizeof(sa_pol);
1654
		smsg.sadb_msg_len += sizeof(sa_pol) / 8;
1655
		iov_cnt++;
1656
1657
		if (pfkey_write(sd, &smsg, iov, iov_cnt, &reply, &rlen)) {
1658
			log_warnx("%s: failed to get a policy", __func__);
1659
			return (0);
1660
		}
1661
1662
		if ((sa_addr = pfkey_find_ext(reply, rlen,
1663
		    SADB_X_EXT_SRC_FLOW)) == NULL) {
1664
			errmsg = "flow source address";
1665
			goto out;
1666
		}
1667
		ssrc = (struct sockaddr *)(sa_addr + 1);
1668
		flow.flow_src.addr_af = ssrc->sa_family;
1669
		flow.flow_src.addr_port = htons(socket_getport(ssrc));
1670
		if ((slen = ssrc->sa_len) > sizeof(flow.flow_src.addr)) {
1671
			log_debug("%s: invalid src address len", __func__);
1672
			return (0);
1673
		}
1674
		memcpy(&flow.flow_src.addr, ssrc, slen);
1675
		if (socket_af((struct sockaddr *)&flow.flow_src.addr,
1676
		    flow.flow_src.addr_port) == -1) {
1677
			log_debug("%s: invalid address", __func__);
1678
			return (0);
1679
		}
1680
1681
		if ((sa_addr = pfkey_find_ext(reply, rlen,
1682
		    SADB_X_EXT_DST_FLOW)) == NULL) {
1683
			errmsg = "flow destination address";
1684
			goto out;
1685
		}
1686
		sdst = (struct sockaddr *)(sa_addr + 1);
1687
		flow.flow_dst.addr_af = sdst->sa_family;
1688
		flow.flow_dst.addr_port = htons(socket_getport(sdst));
1689
		if ((slen = sdst->sa_len) > sizeof(flow.flow_dst.addr)) {
1690
			log_debug("%s: invalid dst address len", __func__);
1691
			return (0);
1692
		}
1693
		memcpy(&flow.flow_dst.addr, sdst, slen);
1694
		if (socket_af((struct sockaddr *)&flow.flow_dst.addr,
1695
		    flow.flow_dst.addr_port) == -1) {
1696
			log_debug("%s: invalid address", __func__);
1697
			return (0);
1698
		}
1699
1700
		if ((sa_addr = pfkey_find_ext(reply, rlen,
1701
		    SADB_X_EXT_SRC_MASK)) == NULL) {
1702
			errmsg = "flow source mask";
1703
			goto out;
1704
		}
1705
		smask = (struct sockaddr *)(sa_addr + 1);
1706
		switch (smask->sa_family) {
1707
		case AF_INET:
1708
			flow.flow_src.addr_mask =
1709
			    mask2prefixlen((struct sockaddr *)smask);
1710
			if (flow.flow_src.addr_mask != 32)
1711
				flow.flow_src.addr_net = 1;
1712
			break;
1713
		case AF_INET6:
1714
			flow.flow_src.addr_mask =
1715
			    mask2prefixlen6((struct sockaddr *)smask);
1716
			if (flow.flow_src.addr_mask != 128)
1717
				flow.flow_src.addr_net = 1;
1718
			break;
1719
		default:
1720
			log_debug("%s: bad address family", __func__);
1721
			free(reply);
1722
			return (0);
1723
		}
1724
1725
		if ((sa_addr = pfkey_find_ext(reply, rlen,
1726
		    SADB_X_EXT_DST_MASK)) == NULL) {
1727
			errmsg = "flow destination mask";
1728
			goto out;
1729
		}
1730
		dmask = (struct sockaddr *)(sa_addr + 1);
1731
		switch (dmask->sa_family) {
1732
		case AF_INET:
1733
			flow.flow_dst.addr_mask =
1734
			    mask2prefixlen((struct sockaddr *)dmask);
1735
			if (flow.flow_src.addr_mask != 32)
1736
				flow.flow_src.addr_net = 1;
1737
			break;
1738
		case AF_INET6:
1739
			flow.flow_dst.addr_mask =
1740
			    mask2prefixlen6((struct sockaddr *)dmask);
1741
			if (flow.flow_src.addr_mask != 128)
1742
				flow.flow_src.addr_net = 1;
1743
			break;
1744
		default:
1745
			log_debug("%s: bad address family", __func__);
1746
			free(reply);
1747
			return (0);
1748
		}
1749
1750
		if ((sa_proto = pfkey_find_ext(reply, rlen,
1751
		    SADB_X_EXT_FLOW_TYPE)) == NULL) {
1752
			errmsg = "flow protocol";
1753
			goto out;
1754
		}
1755
		flow.flow_dir = sa_proto->sadb_protocol_direction;
1756
1757
		log_debug("%s: flow %s from %s/%s to %s/%s via %s", __func__,
1758
		    flow.flow_dir == IPSP_DIRECTION_IN ? "in" : "out",
1759
		    print_host(ssrc, NULL, 0), print_host(smask, NULL, 0),
1760
		    print_host(sdst, NULL, 0), print_host(dmask, NULL, 0),
1761
		    print_host(speer, NULL, 0));
1762
1763
		ret = ikev2_acquire_sa(env, &flow);
1764
1765
out:
1766
		if (errmsg)
1767
			log_warnx("%s: %s wasn't found", __func__, errmsg);
1768
		free(reply);
1769
		break;
1770
1771
	case SADB_EXPIRE:
1772
		if ((sa = pfkey_find_ext(data, len, SADB_EXT_SA)) == NULL) {
1773
			log_warnx("%s: SA extension wasn't found", __func__);
1774
			return (0);
1775
		}
1776
		if ((sa_ltime = pfkey_find_ext(data, len,
1777
			SADB_EXT_LIFETIME_SOFT)) == NULL &&
1778
		    (sa_ltime = pfkey_find_ext(data, len,
1779
			SADB_EXT_LIFETIME_HARD)) == NULL) {
1780
			log_warnx("%s: lifetime extension wasn't found",
1781
			    __func__);
1782
			return (0);
1783
		}
1784
		spi.spi = ntohl(sa->sadb_sa_spi);
1785
		spi.spi_size = 4;
1786
		switch (hdr->sadb_msg_satype) {
1787
		case SADB_SATYPE_AH:
1788
			spi.spi_protoid = IKEV2_SAPROTO_AH;
1789
			break;
1790
		case SADB_SATYPE_ESP:
1791
			spi.spi_protoid = IKEV2_SAPROTO_ESP;
1792
			break;
1793
		case SADB_X_SATYPE_IPCOMP:
1794
			spi.spi_size = 2;
1795
			spi.spi_protoid = IKEV2_SAPROTO_IPCOMP;
1796
			break;
1797
		default:
1798
			log_warnx("%s: unsupported SA type %d spi %s",
1799
			    __func__, hdr->sadb_msg_satype,
1800
			    print_spi(spi.spi, spi.spi_size));
1801
			return (0);
1802
		}
1803
1804
		log_debug("%s: SA %s is expired, pending %s", __func__,
1805
		    print_spi(spi.spi, spi.spi_size),
1806
		    sa_ltime->sadb_lifetime_exttype == SADB_EXT_LIFETIME_SOFT ?
1807
		    "rekeying" : "deletion");
1808
1809
		if (sa_ltime->sadb_lifetime_exttype == SADB_EXT_LIFETIME_SOFT)
1810
			ret = ikev2_rekey_sa(env, &spi);
1811
		else
1812
			ret = ikev2_drop_sa(env, &spi);
1813
		break;
1814
	}
1815
	return (ret);
1816
}