1 |
|
|
/* $OpenBSD: pfkey.c,v 1.51 2016/03/07 19:33:26 mmcc Exp $ */ |
2 |
|
|
|
3 |
|
|
/* |
4 |
|
|
* Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org> |
5 |
|
|
* Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org> |
6 |
|
|
* Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org> |
7 |
|
|
* Copyright (c) 2003, 2004 Markus Friedl <markus@openbsd.org> |
8 |
|
|
* |
9 |
|
|
* Permission to use, copy, modify, and distribute this software for any |
10 |
|
|
* purpose with or without fee is hereby granted, provided that the above |
11 |
|
|
* copyright notice and this permission notice appear in all copies. |
12 |
|
|
* |
13 |
|
|
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES |
14 |
|
|
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF |
15 |
|
|
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR |
16 |
|
|
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES |
17 |
|
|
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN |
18 |
|
|
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF |
19 |
|
|
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
20 |
|
|
*/ |
21 |
|
|
|
22 |
|
|
#include <sys/queue.h> |
23 |
|
|
#include <sys/uio.h> |
24 |
|
|
#include <sys/socket.h> |
25 |
|
|
|
26 |
|
|
#include <netinet/in.h> |
27 |
|
|
#include <netinet/ip_ipsp.h> |
28 |
|
|
#include <net/pfkeyv2.h> |
29 |
|
|
|
30 |
|
|
#include <err.h> |
31 |
|
|
#include <errno.h> |
32 |
|
|
#include <stdio.h> |
33 |
|
|
#include <poll.h> |
34 |
|
|
#include <string.h> |
35 |
|
|
#include <stdlib.h> |
36 |
|
|
#include <unistd.h> |
37 |
|
|
#include <event.h> |
38 |
|
|
|
39 |
|
|
#include "iked.h" |
40 |
|
|
#include "ikev2.h" |
41 |
|
|
|
42 |
|
|
#define ROUNDUP(x) (((x) + (PFKEYV2_CHUNK - 1)) & ~(PFKEYV2_CHUNK - 1)) |
43 |
|
|
#define IOV_CNT 20 |
44 |
|
|
|
45 |
|
|
#define PFKEYV2_CHUNK sizeof(uint64_t) |
46 |
|
|
#define PFKEY_REPLY_TIMEOUT 1000 |
47 |
|
|
|
48 |
|
|
static uint32_t sadb_msg_seq = 0; |
49 |
|
|
static unsigned int sadb_decoupled = 0; |
50 |
|
|
static unsigned int sadb_ipv6refcnt = 0; |
51 |
|
|
|
52 |
|
|
static int pfkey_blockipv6 = 0; |
53 |
|
|
static struct event pfkey_timer_ev; |
54 |
|
|
static struct timeval pfkey_timer_tv; |
55 |
|
|
|
56 |
|
|
struct pfkey_message { |
57 |
|
|
SIMPLEQ_ENTRY(pfkey_message) |
58 |
|
|
pm_entry; |
59 |
|
|
uint8_t *pm_data; |
60 |
|
|
ssize_t pm_length; |
61 |
|
|
}; |
62 |
|
|
SIMPLEQ_HEAD(, pfkey_message) pfkey_retry, pfkey_postponed = |
63 |
|
|
SIMPLEQ_HEAD_INITIALIZER(pfkey_postponed); |
64 |
|
|
|
65 |
|
|
struct pfkey_constmap { |
66 |
|
|
uint8_t pfkey_id; |
67 |
|
|
unsigned int pfkey_ikeid; |
68 |
|
|
unsigned int pfkey_fixedkey; |
69 |
|
|
}; |
70 |
|
|
|
71 |
|
|
static const struct pfkey_constmap pfkey_encr[] = { |
72 |
|
|
{ SADB_EALG_3DESCBC, IKEV2_XFORMENCR_3DES }, |
73 |
|
|
{ SADB_X_EALG_CAST, IKEV2_XFORMENCR_CAST }, |
74 |
|
|
{ SADB_X_EALG_BLF, IKEV2_XFORMENCR_BLOWFISH }, |
75 |
|
|
{ SADB_EALG_NULL, IKEV2_XFORMENCR_NULL }, |
76 |
|
|
{ SADB_X_EALG_AES, IKEV2_XFORMENCR_AES_CBC }, |
77 |
|
|
{ SADB_X_EALG_AESCTR, IKEV2_XFORMENCR_AES_CTR }, |
78 |
|
|
{ SADB_X_EALG_AESGCM16, IKEV2_XFORMENCR_AES_GCM_16 }, |
79 |
|
|
{ SADB_X_EALG_AESGMAC, IKEV2_XFORMENCR_NULL_AES_GMAC }, |
80 |
|
|
{ SADB_X_EALG_CHACHA20POLY1305, IKEV2_XFORMENCR_CHACHA20_POLY1305 }, |
81 |
|
|
{ 0 } |
82 |
|
|
}; |
83 |
|
|
|
84 |
|
|
static const struct pfkey_constmap pfkey_integr[] = { |
85 |
|
|
{ SADB_AALG_MD5HMAC, IKEV2_XFORMAUTH_HMAC_MD5_96 }, |
86 |
|
|
{ SADB_AALG_SHA1HMAC, IKEV2_XFORMAUTH_HMAC_SHA1_96 }, |
87 |
|
|
{ SADB_X_AALG_SHA2_256, IKEV2_XFORMAUTH_HMAC_SHA2_256_128 }, |
88 |
|
|
{ SADB_X_AALG_SHA2_384, IKEV2_XFORMAUTH_HMAC_SHA2_384_192 }, |
89 |
|
|
{ SADB_X_AALG_SHA2_512, IKEV2_XFORMAUTH_HMAC_SHA2_512_256 }, |
90 |
|
|
{ 0 } |
91 |
|
|
}; |
92 |
|
|
|
93 |
|
|
static const struct pfkey_constmap pfkey_satype[] = { |
94 |
|
|
{ SADB_SATYPE_AH, IKEV2_SAPROTO_AH }, |
95 |
|
|
{ SADB_SATYPE_ESP, IKEV2_SAPROTO_ESP }, |
96 |
|
|
{ SADB_X_SATYPE_IPCOMP, IKEV2_SAPROTO_IPCOMP }, |
97 |
|
|
{ 0 } |
98 |
|
|
}; |
99 |
|
|
|
100 |
|
|
int pfkey_map(const struct pfkey_constmap *, uint16_t, uint8_t *); |
101 |
|
|
int pfkey_flow(int, uint8_t, uint8_t, struct iked_flow *); |
102 |
|
|
int pfkey_sa(int, uint8_t, uint8_t, struct iked_childsa *); |
103 |
|
|
int pfkey_sa_getspi(int, uint8_t, struct iked_childsa *, uint32_t *); |
104 |
|
|
int pfkey_sagroup(int, uint8_t, uint8_t, |
105 |
|
|
struct iked_childsa *, struct iked_childsa *); |
106 |
|
|
int pfkey_write(int, struct sadb_msg *, struct iovec *, int, |
107 |
|
|
uint8_t **, ssize_t *); |
108 |
|
|
int pfkey_reply(int, uint8_t **, ssize_t *); |
109 |
|
|
void pfkey_dispatch(int, short, void *); |
110 |
|
|
|
111 |
|
|
struct sadb_ident * |
112 |
|
|
pfkey_id2ident(struct iked_id *, unsigned int); |
113 |
|
|
void *pfkey_find_ext(uint8_t *, ssize_t, int); |
114 |
|
|
|
115 |
|
|
void pfkey_timer_cb(int, short, void *); |
116 |
|
|
int pfkey_process(struct iked *, struct pfkey_message *); |
117 |
|
|
|
118 |
|
|
int |
119 |
|
|
pfkey_couple(int sd, struct iked_sas *sas, int couple) |
120 |
|
|
{ |
121 |
|
|
struct iked_sa *sa; |
122 |
|
|
struct iked_flow *flow; |
123 |
|
|
struct iked_childsa *csa; |
124 |
|
|
const char *mode[] = { "coupled", "decoupled" }; |
125 |
|
|
|
126 |
|
|
/* Socket is not ready */ |
127 |
|
|
if (sd == -1) |
128 |
|
|
return (-1); |
129 |
|
|
|
130 |
|
|
if (sadb_decoupled == !couple) |
131 |
|
|
return (0); |
132 |
|
|
|
133 |
|
|
log_debug("%s: kernel %s -> %s", __func__, |
134 |
|
|
mode[sadb_decoupled], mode[!sadb_decoupled]); |
135 |
|
|
|
136 |
|
|
/* Allow writes to the PF_KEY socket */ |
137 |
|
|
sadb_decoupled = 0; |
138 |
|
|
|
139 |
|
|
RB_FOREACH(sa, iked_sas, sas) { |
140 |
|
|
TAILQ_FOREACH(csa, &sa->sa_childsas, csa_entry) { |
141 |
|
|
if (!csa->csa_loaded && couple) |
142 |
|
|
(void)pfkey_sa_add(sd, csa, NULL); |
143 |
|
|
else if (csa->csa_loaded && !couple) |
144 |
|
|
(void)pfkey_sa_delete(sd, csa); |
145 |
|
|
} |
146 |
|
|
TAILQ_FOREACH(flow, &sa->sa_flows, flow_entry) { |
147 |
|
|
if (!flow->flow_loaded && couple) |
148 |
|
|
(void)pfkey_flow_add(sd, flow); |
149 |
|
|
else if (flow->flow_loaded && !couple) |
150 |
|
|
(void)pfkey_flow_delete(sd, flow); |
151 |
|
|
} |
152 |
|
|
} |
153 |
|
|
|
154 |
|
|
sadb_decoupled = !couple; |
155 |
|
|
|
156 |
|
|
return (0); |
157 |
|
|
} |
158 |
|
|
|
159 |
|
|
int |
160 |
|
|
pfkey_map(const struct pfkey_constmap *map, uint16_t alg, uint8_t *pfkalg) |
161 |
|
|
{ |
162 |
|
|
int i; |
163 |
|
|
|
164 |
|
|
for (i = 0; map[i].pfkey_id != 0; i++) |
165 |
|
|
if (map[i].pfkey_ikeid == alg) { |
166 |
|
|
*pfkalg = map[i].pfkey_id; |
167 |
|
|
return (0); |
168 |
|
|
} |
169 |
|
|
return (-1); |
170 |
|
|
} |
171 |
|
|
|
172 |
|
|
int |
173 |
|
|
pfkey_flow(int sd, uint8_t satype, uint8_t action, struct iked_flow *flow) |
174 |
|
|
{ |
175 |
|
|
struct sadb_msg smsg; |
176 |
|
|
struct sadb_address sa_src, sa_dst, sa_local, sa_peer, sa_smask, |
177 |
|
|
sa_dmask; |
178 |
|
|
struct sadb_protocol sa_flowtype, sa_protocol; |
179 |
|
|
struct sadb_ident *sa_srcid, *sa_dstid; |
180 |
|
|
struct sockaddr_storage ssrc, sdst, slocal, speer, smask, dmask; |
181 |
|
|
struct iovec iov[IOV_CNT]; |
182 |
|
|
int iov_cnt, ret = -1; |
183 |
|
|
|
184 |
|
|
sa_srcid = sa_dstid = NULL; |
185 |
|
|
|
186 |
|
|
bzero(&ssrc, sizeof(ssrc)); |
187 |
|
|
bzero(&smask, sizeof(smask)); |
188 |
|
|
memcpy(&ssrc, &flow->flow_src.addr, sizeof(ssrc)); |
189 |
|
|
memcpy(&smask, &flow->flow_src.addr, sizeof(smask)); |
190 |
|
|
socket_af((struct sockaddr *)&ssrc, flow->flow_src.addr_port); |
191 |
|
|
socket_af((struct sockaddr *)&smask, flow->flow_src.addr_port ? |
192 |
|
|
0xffff : 0); |
193 |
|
|
|
194 |
|
|
switch (flow->flow_src.addr_af) { |
195 |
|
|
case AF_INET: |
196 |
|
|
((struct sockaddr_in *)&smask)->sin_addr.s_addr = |
197 |
|
|
prefixlen2mask(flow->flow_src.addr_net ? |
198 |
|
|
flow->flow_src.addr_mask : 32); |
199 |
|
|
break; |
200 |
|
|
case AF_INET6: |
201 |
|
|
prefixlen2mask6(flow->flow_src.addr_net ? |
202 |
|
|
flow->flow_src.addr_mask : 128, |
203 |
|
|
(uint32_t *)((struct sockaddr_in6 *) |
204 |
|
|
&smask)->sin6_addr.s6_addr); |
205 |
|
|
break; |
206 |
|
|
default: |
207 |
|
|
log_warnx("%s: unsupported address family %d", |
208 |
|
|
__func__, flow->flow_src.addr_af); |
209 |
|
|
return (-1); |
210 |
|
|
} |
211 |
|
|
smask.ss_len = ssrc.ss_len; |
212 |
|
|
|
213 |
|
|
bzero(&sdst, sizeof(sdst)); |
214 |
|
|
bzero(&dmask, sizeof(dmask)); |
215 |
|
|
memcpy(&sdst, &flow->flow_dst.addr, sizeof(sdst)); |
216 |
|
|
memcpy(&dmask, &flow->flow_dst.addr, sizeof(dmask)); |
217 |
|
|
socket_af((struct sockaddr *)&sdst, flow->flow_dst.addr_port); |
218 |
|
|
socket_af((struct sockaddr *)&dmask, flow->flow_dst.addr_port ? |
219 |
|
|
0xffff : 0); |
220 |
|
|
|
221 |
|
|
switch (flow->flow_dst.addr_af) { |
222 |
|
|
case AF_INET: |
223 |
|
|
((struct sockaddr_in *)&dmask)->sin_addr.s_addr = |
224 |
|
|
prefixlen2mask(flow->flow_dst.addr_net ? |
225 |
|
|
flow->flow_dst.addr_mask : 32); |
226 |
|
|
break; |
227 |
|
|
case AF_INET6: |
228 |
|
|
prefixlen2mask6(flow->flow_dst.addr_net ? |
229 |
|
|
flow->flow_dst.addr_mask : 128, |
230 |
|
|
(uint32_t *)((struct sockaddr_in6 *) |
231 |
|
|
&dmask)->sin6_addr.s6_addr); |
232 |
|
|
break; |
233 |
|
|
default: |
234 |
|
|
log_warnx("%s: unsupported address family %d", |
235 |
|
|
__func__, flow->flow_dst.addr_af); |
236 |
|
|
return (-1); |
237 |
|
|
} |
238 |
|
|
dmask.ss_len = sdst.ss_len; |
239 |
|
|
|
240 |
|
|
bzero(&slocal, sizeof(slocal)); |
241 |
|
|
bzero(&speer, sizeof(speer)); |
242 |
|
|
if (action != SADB_X_DELFLOW && flow->flow_local != NULL) { |
243 |
|
|
memcpy(&slocal, &flow->flow_local->addr, sizeof(slocal)); |
244 |
|
|
socket_af((struct sockaddr *)&slocal, 0); |
245 |
|
|
|
246 |
|
|
memcpy(&speer, &flow->flow_peer->addr, sizeof(speer)); |
247 |
|
|
socket_af((struct sockaddr *)&speer, 0); |
248 |
|
|
} |
249 |
|
|
|
250 |
|
|
bzero(&smsg, sizeof(smsg)); |
251 |
|
|
smsg.sadb_msg_version = PF_KEY_V2; |
252 |
|
|
smsg.sadb_msg_seq = ++sadb_msg_seq; |
253 |
|
|
smsg.sadb_msg_pid = getpid(); |
254 |
|
|
smsg.sadb_msg_len = sizeof(smsg) / 8; |
255 |
|
|
smsg.sadb_msg_type = action; |
256 |
|
|
smsg.sadb_msg_satype = satype; |
257 |
|
|
|
258 |
|
|
bzero(&sa_flowtype, sizeof(sa_flowtype)); |
259 |
|
|
sa_flowtype.sadb_protocol_exttype = SADB_X_EXT_FLOW_TYPE; |
260 |
|
|
sa_flowtype.sadb_protocol_len = sizeof(sa_flowtype) / 8; |
261 |
|
|
sa_flowtype.sadb_protocol_direction = flow->flow_dir; |
262 |
|
|
sa_flowtype.sadb_protocol_proto = |
263 |
|
|
flow->flow_type ? flow->flow_type : |
264 |
|
|
(flow->flow_dir == IPSP_DIRECTION_IN ? |
265 |
|
|
SADB_X_FLOW_TYPE_USE : SADB_X_FLOW_TYPE_REQUIRE); |
266 |
|
|
|
267 |
|
|
bzero(&sa_protocol, sizeof(sa_protocol)); |
268 |
|
|
sa_protocol.sadb_protocol_exttype = SADB_X_EXT_PROTOCOL; |
269 |
|
|
sa_protocol.sadb_protocol_len = sizeof(sa_protocol) / 8; |
270 |
|
|
sa_protocol.sadb_protocol_direction = 0; |
271 |
|
|
sa_protocol.sadb_protocol_proto = flow->flow_ipproto; |
272 |
|
|
|
273 |
|
|
bzero(&sa_src, sizeof(sa_src)); |
274 |
|
|
sa_src.sadb_address_exttype = SADB_X_EXT_SRC_FLOW; |
275 |
|
|
sa_src.sadb_address_len = (sizeof(sa_src) + ROUNDUP(ssrc.ss_len)) / 8; |
276 |
|
|
|
277 |
|
|
bzero(&sa_smask, sizeof(sa_smask)); |
278 |
|
|
sa_smask.sadb_address_exttype = SADB_X_EXT_SRC_MASK; |
279 |
|
|
sa_smask.sadb_address_len = |
280 |
|
|
(sizeof(sa_smask) + ROUNDUP(smask.ss_len)) / 8; |
281 |
|
|
|
282 |
|
|
bzero(&sa_dst, sizeof(sa_dst)); |
283 |
|
|
sa_dst.sadb_address_exttype = SADB_X_EXT_DST_FLOW; |
284 |
|
|
sa_dst.sadb_address_len = (sizeof(sa_dst) + ROUNDUP(sdst.ss_len)) / 8; |
285 |
|
|
|
286 |
|
|
bzero(&sa_dmask, sizeof(sa_dmask)); |
287 |
|
|
sa_dmask.sadb_address_exttype = SADB_X_EXT_DST_MASK; |
288 |
|
|
sa_dmask.sadb_address_len = |
289 |
|
|
(sizeof(sa_dmask) + ROUNDUP(dmask.ss_len)) / 8; |
290 |
|
|
|
291 |
|
|
if (action != SADB_X_DELFLOW && flow->flow_local != NULL) { |
292 |
|
|
/* local address */ |
293 |
|
|
bzero(&sa_local, sizeof(sa_local)); |
294 |
|
|
sa_local.sadb_address_exttype = SADB_EXT_ADDRESS_SRC; |
295 |
|
|
sa_local.sadb_address_len = |
296 |
|
|
(sizeof(sa_local) + ROUNDUP(slocal.ss_len)) / 8; |
297 |
|
|
|
298 |
|
|
/* peer address */ |
299 |
|
|
bzero(&sa_peer, sizeof(sa_peer)); |
300 |
|
|
sa_peer.sadb_address_exttype = SADB_EXT_ADDRESS_DST; |
301 |
|
|
sa_peer.sadb_address_len = |
302 |
|
|
(sizeof(sa_peer) + ROUNDUP(speer.ss_len)) / 8; |
303 |
|
|
|
304 |
|
|
/* local id */ |
305 |
|
|
sa_srcid = pfkey_id2ident(IKESA_SRCID(flow->flow_ikesa), |
306 |
|
|
SADB_EXT_IDENTITY_SRC); |
307 |
|
|
|
308 |
|
|
/* peer id */ |
309 |
|
|
sa_dstid = pfkey_id2ident(IKESA_DSTID(flow->flow_ikesa), |
310 |
|
|
SADB_EXT_IDENTITY_DST); |
311 |
|
|
} |
312 |
|
|
|
313 |
|
|
iov_cnt = 0; |
314 |
|
|
|
315 |
|
|
/* header */ |
316 |
|
|
iov[iov_cnt].iov_base = &smsg; |
317 |
|
|
iov[iov_cnt].iov_len = sizeof(smsg); |
318 |
|
|
iov_cnt++; |
319 |
|
|
|
320 |
|
|
/* add flow type */ |
321 |
|
|
iov[iov_cnt].iov_base = &sa_flowtype; |
322 |
|
|
iov[iov_cnt].iov_len = sizeof(sa_flowtype); |
323 |
|
|
smsg.sadb_msg_len += sa_flowtype.sadb_protocol_len; |
324 |
|
|
iov_cnt++; |
325 |
|
|
|
326 |
|
|
if (action != SADB_X_DELFLOW && flow->flow_local != NULL) { |
327 |
|
|
#if 0 |
328 |
|
|
/* local ip */ |
329 |
|
|
iov[iov_cnt].iov_base = &sa_local; |
330 |
|
|
iov[iov_cnt].iov_len = sizeof(sa_local); |
331 |
|
|
iov_cnt++; |
332 |
|
|
iov[iov_cnt].iov_base = &slocal; |
333 |
|
|
iov[iov_cnt].iov_len = ROUNDUP(slocal.ss_len); |
334 |
|
|
smsg.sadb_msg_len += sa_local.sadb_address_len; |
335 |
|
|
iov_cnt++; |
336 |
|
|
#endif |
337 |
|
|
|
338 |
|
|
/* remote peer */ |
339 |
|
|
iov[iov_cnt].iov_base = &sa_peer; |
340 |
|
|
iov[iov_cnt].iov_len = sizeof(sa_peer); |
341 |
|
|
iov_cnt++; |
342 |
|
|
iov[iov_cnt].iov_base = &speer; |
343 |
|
|
iov[iov_cnt].iov_len = ROUNDUP(speer.ss_len); |
344 |
|
|
smsg.sadb_msg_len += sa_peer.sadb_address_len; |
345 |
|
|
iov_cnt++; |
346 |
|
|
} |
347 |
|
|
|
348 |
|
|
/* src addr */ |
349 |
|
|
iov[iov_cnt].iov_base = &sa_src; |
350 |
|
|
iov[iov_cnt].iov_len = sizeof(sa_src); |
351 |
|
|
iov_cnt++; |
352 |
|
|
iov[iov_cnt].iov_base = &ssrc; |
353 |
|
|
iov[iov_cnt].iov_len = ROUNDUP(ssrc.ss_len); |
354 |
|
|
smsg.sadb_msg_len += sa_src.sadb_address_len; |
355 |
|
|
iov_cnt++; |
356 |
|
|
|
357 |
|
|
/* src mask */ |
358 |
|
|
iov[iov_cnt].iov_base = &sa_smask; |
359 |
|
|
iov[iov_cnt].iov_len = sizeof(sa_smask); |
360 |
|
|
iov_cnt++; |
361 |
|
|
iov[iov_cnt].iov_base = &smask; |
362 |
|
|
iov[iov_cnt].iov_len = ROUNDUP(smask.ss_len); |
363 |
|
|
smsg.sadb_msg_len += sa_smask.sadb_address_len; |
364 |
|
|
iov_cnt++; |
365 |
|
|
|
366 |
|
|
/* dest addr */ |
367 |
|
|
iov[iov_cnt].iov_base = &sa_dst; |
368 |
|
|
iov[iov_cnt].iov_len = sizeof(sa_dst); |
369 |
|
|
iov_cnt++; |
370 |
|
|
iov[iov_cnt].iov_base = &sdst; |
371 |
|
|
iov[iov_cnt].iov_len = ROUNDUP(sdst.ss_len); |
372 |
|
|
smsg.sadb_msg_len += sa_dst.sadb_address_len; |
373 |
|
|
iov_cnt++; |
374 |
|
|
|
375 |
|
|
/* dst mask */ |
376 |
|
|
iov[iov_cnt].iov_base = &sa_dmask; |
377 |
|
|
iov[iov_cnt].iov_len = sizeof(sa_dmask); |
378 |
|
|
iov_cnt++; |
379 |
|
|
iov[iov_cnt].iov_base = &dmask; |
380 |
|
|
iov[iov_cnt].iov_len = ROUNDUP(dmask.ss_len); |
381 |
|
|
smsg.sadb_msg_len += sa_dmask.sadb_address_len; |
382 |
|
|
iov_cnt++; |
383 |
|
|
|
384 |
|
|
/* add protocol */ |
385 |
|
|
iov[iov_cnt].iov_base = &sa_protocol; |
386 |
|
|
iov[iov_cnt].iov_len = sizeof(sa_protocol); |
387 |
|
|
smsg.sadb_msg_len += sa_protocol.sadb_protocol_len; |
388 |
|
|
iov_cnt++; |
389 |
|
|
|
390 |
|
|
if (sa_srcid) { |
391 |
|
|
/* src identity */ |
392 |
|
|
iov[iov_cnt].iov_base = sa_srcid; |
393 |
|
|
iov[iov_cnt].iov_len = sa_srcid->sadb_ident_len * 8; |
394 |
|
|
smsg.sadb_msg_len += sa_srcid->sadb_ident_len; |
395 |
|
|
iov_cnt++; |
396 |
|
|
} |
397 |
|
|
if (sa_dstid) { |
398 |
|
|
/* dst identity */ |
399 |
|
|
iov[iov_cnt].iov_base = sa_dstid; |
400 |
|
|
iov[iov_cnt].iov_len = sa_dstid->sadb_ident_len * 8; |
401 |
|
|
smsg.sadb_msg_len += sa_dstid->sadb_ident_len; |
402 |
|
|
iov_cnt++; |
403 |
|
|
} |
404 |
|
|
|
405 |
|
|
ret = pfkey_write(sd, &smsg, iov, iov_cnt, NULL, NULL); |
406 |
|
|
|
407 |
|
|
free(sa_srcid); |
408 |
|
|
free(sa_dstid); |
409 |
|
|
|
410 |
|
|
return (ret); |
411 |
|
|
} |
412 |
|
|
|
413 |
|
|
int |
414 |
|
|
pfkey_sa(int sd, uint8_t satype, uint8_t action, struct iked_childsa *sa) |
415 |
|
|
{ |
416 |
|
|
struct sadb_msg smsg; |
417 |
|
|
struct sadb_sa sadb; |
418 |
|
|
struct sadb_address sa_src, sa_dst; |
419 |
|
|
struct sadb_key sa_authkey, sa_enckey; |
420 |
|
|
struct sadb_lifetime sa_ltime_hard, sa_ltime_soft; |
421 |
|
|
struct sadb_x_udpencap udpencap; |
422 |
|
|
struct sadb_x_tag sa_tag; |
423 |
|
|
char *tag = NULL; |
424 |
|
|
struct sadb_x_tap sa_tap; |
425 |
|
|
struct sockaddr_storage ssrc, sdst; |
426 |
|
|
struct sadb_ident *sa_srcid, *sa_dstid; |
427 |
|
|
struct iked_lifetime *lt; |
428 |
|
|
struct iked_policy *pol; |
429 |
|
|
struct iovec iov[IOV_CNT]; |
430 |
|
|
uint32_t jitter; |
431 |
|
|
int iov_cnt; |
432 |
|
|
|
433 |
|
|
sa_srcid = sa_dstid = NULL; |
434 |
|
|
|
435 |
|
|
if (sa->csa_ikesa == NULL || sa->csa_ikesa->sa_policy == NULL) { |
436 |
|
|
log_warn("%s: invalid SA and policy", __func__); |
437 |
|
|
return (-1); |
438 |
|
|
} |
439 |
|
|
pol = sa->csa_ikesa->sa_policy; |
440 |
|
|
lt = &pol->pol_lifetime; |
441 |
|
|
|
442 |
|
|
bzero(&ssrc, sizeof(ssrc)); |
443 |
|
|
memcpy(&ssrc, &sa->csa_local->addr, sizeof(ssrc)); |
444 |
|
|
if (socket_af((struct sockaddr *)&ssrc, 0) == -1) { |
445 |
|
|
log_warn("%s: invalid address", __func__); |
446 |
|
|
return (-1); |
447 |
|
|
} |
448 |
|
|
|
449 |
|
|
bzero(&sdst, sizeof(sdst)); |
450 |
|
|
memcpy(&sdst, &sa->csa_peer->addr, sizeof(sdst)); |
451 |
|
|
if (socket_af((struct sockaddr *)&sdst, 0) == -1) { |
452 |
|
|
log_warn("%s: invalid address", __func__); |
453 |
|
|
return (-1); |
454 |
|
|
} |
455 |
|
|
|
456 |
|
|
bzero(&smsg, sizeof(smsg)); |
457 |
|
|
smsg.sadb_msg_version = PF_KEY_V2; |
458 |
|
|
smsg.sadb_msg_seq = ++sadb_msg_seq; |
459 |
|
|
smsg.sadb_msg_pid = getpid(); |
460 |
|
|
smsg.sadb_msg_len = sizeof(smsg) / 8; |
461 |
|
|
smsg.sadb_msg_type = action; |
462 |
|
|
smsg.sadb_msg_satype = satype; |
463 |
|
|
|
464 |
|
|
bzero(&sadb, sizeof(sadb)); |
465 |
|
|
sadb.sadb_sa_len = sizeof(sadb) / 8; |
466 |
|
|
sadb.sadb_sa_exttype = SADB_EXT_SA; |
467 |
|
|
sadb.sadb_sa_spi = htonl(sa->csa_spi.spi); |
468 |
|
|
sadb.sadb_sa_state = SADB_SASTATE_MATURE; |
469 |
|
|
sadb.sadb_sa_replay = 64; |
470 |
|
|
|
471 |
|
|
if (!sa->csa_transport) |
472 |
|
|
sadb.sadb_sa_flags |= SADB_X_SAFLAGS_TUNNEL; |
473 |
|
|
|
474 |
|
|
if (sa->csa_esn) |
475 |
|
|
sadb.sadb_sa_flags |= SADB_X_SAFLAGS_ESN; |
476 |
|
|
|
477 |
|
|
bzero(&sa_src, sizeof(sa_src)); |
478 |
|
|
sa_src.sadb_address_len = (sizeof(sa_src) + ROUNDUP(ssrc.ss_len)) / 8; |
479 |
|
|
sa_src.sadb_address_exttype = SADB_EXT_ADDRESS_SRC; |
480 |
|
|
|
481 |
|
|
bzero(&sa_dst, sizeof(sa_dst)); |
482 |
|
|
sa_dst.sadb_address_len = (sizeof(sa_dst) + ROUNDUP(sdst.ss_len)) / 8; |
483 |
|
|
sa_dst.sadb_address_exttype = SADB_EXT_ADDRESS_DST; |
484 |
|
|
|
485 |
|
|
bzero(&sa_authkey, sizeof(sa_authkey)); |
486 |
|
|
bzero(&sa_enckey, sizeof(sa_enckey)); |
487 |
|
|
bzero(&udpencap, sizeof udpencap); |
488 |
|
|
bzero(&sa_ltime_hard, sizeof(sa_ltime_hard)); |
489 |
|
|
bzero(&sa_ltime_soft, sizeof(sa_ltime_soft)); |
490 |
|
|
|
491 |
|
|
if (action == SADB_DELETE) |
492 |
|
|
goto send; |
493 |
|
|
|
494 |
|
|
if ((action == SADB_ADD || action == SADB_UPDATE) && |
495 |
|
|
!sa->csa_persistent && (lt->lt_bytes || lt->lt_seconds)) { |
496 |
|
|
sa_ltime_hard.sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD; |
497 |
|
|
sa_ltime_hard.sadb_lifetime_len = sizeof(sa_ltime_hard) / 8; |
498 |
|
|
sa_ltime_hard.sadb_lifetime_bytes = lt->lt_bytes; |
499 |
|
|
sa_ltime_hard.sadb_lifetime_addtime = lt->lt_seconds; |
500 |
|
|
|
501 |
|
|
/* double the lifetime for IP compression */ |
502 |
|
|
if (satype == SADB_X_SATYPE_IPCOMP) |
503 |
|
|
sa_ltime_hard.sadb_lifetime_addtime *= 2; |
504 |
|
|
|
505 |
|
|
sa_ltime_soft.sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT; |
506 |
|
|
sa_ltime_soft.sadb_lifetime_len = sizeof(sa_ltime_soft) / 8; |
507 |
|
|
/* set randomly to 85-95% */ |
508 |
|
|
jitter = 850 + arc4random_uniform(100); |
509 |
|
|
sa_ltime_soft.sadb_lifetime_bytes = |
510 |
|
|
(sa_ltime_hard.sadb_lifetime_bytes * jitter) / 1000; |
511 |
|
|
sa_ltime_soft.sadb_lifetime_addtime = |
512 |
|
|
(sa_ltime_hard.sadb_lifetime_addtime * jitter) / 1000; |
513 |
|
|
} |
514 |
|
|
|
515 |
|
|
/* XXX handle NULL encryption or NULL auth or combined encr/auth */ |
516 |
|
|
if (action == SADB_ADD && |
517 |
|
|
!ibuf_length(sa->csa_integrkey) && !ibuf_length(sa->csa_encrkey) && |
518 |
|
|
satype != SADB_X_SATYPE_IPCOMP && satype != SADB_X_SATYPE_IPIP) { |
519 |
|
|
log_warnx("%s: no key specified", __func__); |
520 |
|
|
return (-1); |
521 |
|
|
} |
522 |
|
|
|
523 |
|
|
if (satype == SADB_SATYPE_ESP && |
524 |
|
|
sa->csa_ikesa->sa_udpencap && sa->csa_ikesa->sa_natt) { |
525 |
|
|
sadb.sadb_sa_flags |= SADB_X_SAFLAGS_UDPENCAP; |
526 |
|
|
udpencap.sadb_x_udpencap_exttype = SADB_X_EXT_UDPENCAP; |
527 |
|
|
udpencap.sadb_x_udpencap_len = sizeof(udpencap) / 8; |
528 |
|
|
udpencap.sadb_x_udpencap_port = |
529 |
|
|
sa->csa_ikesa->sa_peer.addr_port; |
530 |
|
|
|
531 |
|
|
log_debug("%s: udpencap port %d", __func__, |
532 |
|
|
ntohs(udpencap.sadb_x_udpencap_port)); |
533 |
|
|
} |
534 |
|
|
|
535 |
|
|
if (sa->csa_integrid) |
536 |
|
|
if (pfkey_map(pfkey_integr, |
537 |
|
|
sa->csa_integrid, &sadb.sadb_sa_auth) == -1) { |
538 |
|
|
log_warnx("%s: unsupported integrity algorithm %s", |
539 |
|
|
__func__, print_map(sa->csa_integrid, |
540 |
|
|
ikev2_xformauth_map)); |
541 |
|
|
return (-1); |
542 |
|
|
} |
543 |
|
|
|
544 |
|
|
if (sa->csa_encrid) |
545 |
|
|
if (pfkey_map(pfkey_encr, |
546 |
|
|
sa->csa_encrid, &sadb.sadb_sa_encrypt) == -1) { |
547 |
|
|
log_warnx("%s: unsupported encryption algorithm %s", |
548 |
|
|
__func__, print_map(sa->csa_encrid, |
549 |
|
|
ikev2_xformencr_map)); |
550 |
|
|
return (-1); |
551 |
|
|
} |
552 |
|
|
|
553 |
|
|
if (ibuf_length(sa->csa_integrkey)) { |
554 |
|
|
sa_authkey.sadb_key_len = (sizeof(sa_authkey) + |
555 |
|
|
((ibuf_size(sa->csa_integrkey) + 7) / 8) * 8) / 8; |
556 |
|
|
sa_authkey.sadb_key_exttype = SADB_EXT_KEY_AUTH; |
557 |
|
|
sa_authkey.sadb_key_bits = |
558 |
|
|
8 * ibuf_size(sa->csa_integrkey); |
559 |
|
|
} |
560 |
|
|
|
561 |
|
|
if (ibuf_length(sa->csa_encrkey)) { |
562 |
|
|
sa_enckey.sadb_key_len = (sizeof(sa_enckey) + |
563 |
|
|
((ibuf_size(sa->csa_encrkey) + 7) / 8) * 8) / 8; |
564 |
|
|
sa_enckey.sadb_key_exttype = SADB_EXT_KEY_ENCRYPT; |
565 |
|
|
sa_enckey.sadb_key_bits = |
566 |
|
|
8 * ibuf_size(sa->csa_encrkey); |
567 |
|
|
} |
568 |
|
|
|
569 |
|
|
/* we only support deflate */ |
570 |
|
|
if (satype == SADB_X_SATYPE_IPCOMP) |
571 |
|
|
sadb.sadb_sa_encrypt = SADB_X_CALG_DEFLATE; |
572 |
|
|
|
573 |
|
|
/* Note that we need to swap the IDs for incoming SAs (SADB_UPDATE) */ |
574 |
|
|
if (action != SADB_UPDATE) { |
575 |
|
|
sa_srcid = pfkey_id2ident( |
576 |
|
|
IKESA_SRCID(sa->csa_ikesa), SADB_EXT_IDENTITY_SRC); |
577 |
|
|
sa_dstid = pfkey_id2ident( |
578 |
|
|
IKESA_DSTID(sa->csa_ikesa), SADB_EXT_IDENTITY_DST); |
579 |
|
|
} else { |
580 |
|
|
sa_srcid = pfkey_id2ident( |
581 |
|
|
IKESA_DSTID(sa->csa_ikesa), SADB_EXT_IDENTITY_SRC); |
582 |
|
|
sa_dstid = pfkey_id2ident( |
583 |
|
|
IKESA_SRCID(sa->csa_ikesa), SADB_EXT_IDENTITY_DST); |
584 |
|
|
} |
585 |
|
|
|
586 |
|
|
tag = sa->csa_ikesa->sa_tag; |
587 |
|
|
if (tag != NULL && *tag != '\0') { |
588 |
|
|
bzero(&sa_tag, sizeof(sa_tag)); |
589 |
|
|
sa_tag.sadb_x_tag_exttype = SADB_X_EXT_TAG; |
590 |
|
|
sa_tag.sadb_x_tag_len = |
591 |
|
|
(ROUNDUP(strlen(tag) + 1) + sizeof(sa_tag)) / 8; |
592 |
|
|
sa_tag.sadb_x_tag_taglen = strlen(tag) + 1; |
593 |
|
|
} else |
594 |
|
|
tag = NULL; |
595 |
|
|
|
596 |
|
|
if (pol->pol_tap != 0) { |
597 |
|
|
bzero(&sa_tap, sizeof(sa_tap)); |
598 |
|
|
sa_tap.sadb_x_tap_exttype = SADB_X_EXT_TAP; |
599 |
|
|
sa_tap.sadb_x_tap_len = sizeof(sa_tap) / 8; |
600 |
|
|
sa_tap.sadb_x_tap_unit = pol->pol_tap; |
601 |
|
|
} |
602 |
|
|
|
603 |
|
|
send: |
604 |
|
|
iov_cnt = 0; |
605 |
|
|
|
606 |
|
|
/* header */ |
607 |
|
|
iov[iov_cnt].iov_base = &smsg; |
608 |
|
|
iov[iov_cnt].iov_len = sizeof(smsg); |
609 |
|
|
iov_cnt++; |
610 |
|
|
|
611 |
|
|
/* sa */ |
612 |
|
|
iov[iov_cnt].iov_base = &sadb; |
613 |
|
|
iov[iov_cnt].iov_len = sizeof(sadb); |
614 |
|
|
smsg.sadb_msg_len += sadb.sadb_sa_len; |
615 |
|
|
iov_cnt++; |
616 |
|
|
|
617 |
|
|
/* src addr */ |
618 |
|
|
iov[iov_cnt].iov_base = &sa_src; |
619 |
|
|
iov[iov_cnt].iov_len = sizeof(sa_src); |
620 |
|
|
iov_cnt++; |
621 |
|
|
iov[iov_cnt].iov_base = &ssrc; |
622 |
|
|
iov[iov_cnt].iov_len = ROUNDUP(ssrc.ss_len); |
623 |
|
|
smsg.sadb_msg_len += sa_src.sadb_address_len; |
624 |
|
|
iov_cnt++; |
625 |
|
|
|
626 |
|
|
/* dst addr */ |
627 |
|
|
iov[iov_cnt].iov_base = &sa_dst; |
628 |
|
|
iov[iov_cnt].iov_len = sizeof(sa_dst); |
629 |
|
|
iov_cnt++; |
630 |
|
|
iov[iov_cnt].iov_base = &sdst; |
631 |
|
|
iov[iov_cnt].iov_len = ROUNDUP(sdst.ss_len); |
632 |
|
|
smsg.sadb_msg_len += sa_dst.sadb_address_len; |
633 |
|
|
iov_cnt++; |
634 |
|
|
|
635 |
|
|
if (sa_ltime_soft.sadb_lifetime_len) { |
636 |
|
|
/* soft lifetime */ |
637 |
|
|
iov[iov_cnt].iov_base = &sa_ltime_soft; |
638 |
|
|
iov[iov_cnt].iov_len = sizeof(sa_ltime_soft); |
639 |
|
|
smsg.sadb_msg_len += sa_ltime_soft.sadb_lifetime_len; |
640 |
|
|
iov_cnt++; |
641 |
|
|
} |
642 |
|
|
|
643 |
|
|
if (sa_ltime_hard.sadb_lifetime_len) { |
644 |
|
|
/* hard lifetime */ |
645 |
|
|
iov[iov_cnt].iov_base = &sa_ltime_hard; |
646 |
|
|
iov[iov_cnt].iov_len = sizeof(sa_ltime_hard); |
647 |
|
|
smsg.sadb_msg_len += sa_ltime_hard.sadb_lifetime_len; |
648 |
|
|
iov_cnt++; |
649 |
|
|
} |
650 |
|
|
|
651 |
|
|
if (udpencap.sadb_x_udpencap_len) { |
652 |
|
|
iov[iov_cnt].iov_base = &udpencap; |
653 |
|
|
iov[iov_cnt].iov_len = sizeof(udpencap); |
654 |
|
|
smsg.sadb_msg_len += udpencap.sadb_x_udpencap_len; |
655 |
|
|
iov_cnt++; |
656 |
|
|
} |
657 |
|
|
|
658 |
|
|
if (sa_enckey.sadb_key_len) { |
659 |
|
|
/* encryption key */ |
660 |
|
|
iov[iov_cnt].iov_base = &sa_enckey; |
661 |
|
|
iov[iov_cnt].iov_len = sizeof(sa_enckey); |
662 |
|
|
iov_cnt++; |
663 |
|
|
iov[iov_cnt].iov_base = ibuf_data(sa->csa_encrkey); |
664 |
|
|
iov[iov_cnt].iov_len = |
665 |
|
|
((ibuf_size(sa->csa_encrkey) + 7) / 8) * 8; |
666 |
|
|
smsg.sadb_msg_len += sa_enckey.sadb_key_len; |
667 |
|
|
iov_cnt++; |
668 |
|
|
} |
669 |
|
|
if (sa_authkey.sadb_key_len) { |
670 |
|
|
/* authentication key */ |
671 |
|
|
iov[iov_cnt].iov_base = &sa_authkey; |
672 |
|
|
iov[iov_cnt].iov_len = sizeof(sa_authkey); |
673 |
|
|
iov_cnt++; |
674 |
|
|
iov[iov_cnt].iov_base = ibuf_data(sa->csa_integrkey); |
675 |
|
|
iov[iov_cnt].iov_len = |
676 |
|
|
((ibuf_size(sa->csa_integrkey) + 7) / 8) * 8; |
677 |
|
|
smsg.sadb_msg_len += sa_authkey.sadb_key_len; |
678 |
|
|
iov_cnt++; |
679 |
|
|
} |
680 |
|
|
|
681 |
|
|
if (sa_srcid) { |
682 |
|
|
/* src identity */ |
683 |
|
|
iov[iov_cnt].iov_base = sa_srcid; |
684 |
|
|
iov[iov_cnt].iov_len = sa_srcid->sadb_ident_len * 8; |
685 |
|
|
smsg.sadb_msg_len += sa_srcid->sadb_ident_len; |
686 |
|
|
iov_cnt++; |
687 |
|
|
} |
688 |
|
|
if (sa_dstid) { |
689 |
|
|
/* dst identity */ |
690 |
|
|
iov[iov_cnt].iov_base = sa_dstid; |
691 |
|
|
iov[iov_cnt].iov_len = sa_dstid->sadb_ident_len * 8; |
692 |
|
|
smsg.sadb_msg_len += sa_dstid->sadb_ident_len; |
693 |
|
|
iov_cnt++; |
694 |
|
|
} |
695 |
|
|
|
696 |
|
|
if (tag != NULL) { |
697 |
|
|
/* tag identity */ |
698 |
|
|
iov[iov_cnt].iov_base = &sa_tag; |
699 |
|
|
iov[iov_cnt].iov_len = sizeof(sa_tag); |
700 |
|
|
iov_cnt++; |
701 |
|
|
iov[iov_cnt].iov_base = tag; |
702 |
|
|
iov[iov_cnt].iov_len = ROUNDUP(strlen(tag) + 1); |
703 |
|
|
smsg.sadb_msg_len += sa_tag.sadb_x_tag_len; |
704 |
|
|
iov_cnt++; |
705 |
|
|
} |
706 |
|
|
|
707 |
|
|
if (pol->pol_tap != 0) { |
708 |
|
|
/* enc(4) device tap unit */ |
709 |
|
|
iov[iov_cnt].iov_base = &sa_tap; |
710 |
|
|
iov[iov_cnt].iov_len = sizeof(sa_tap); |
711 |
|
|
smsg.sadb_msg_len += sa_tap.sadb_x_tap_len; |
712 |
|
|
iov_cnt++; |
713 |
|
|
} |
714 |
|
|
|
715 |
|
|
return (pfkey_write(sd, &smsg, iov, iov_cnt, NULL, NULL)); |
716 |
|
|
} |
717 |
|
|
|
718 |
|
|
int |
719 |
|
|
pfkey_sa_last_used(int sd, struct iked_childsa *sa, uint64_t *last_used) |
720 |
|
|
{ |
721 |
|
|
struct sadb_msg *msg, smsg; |
722 |
|
|
struct sadb_address sa_src, sa_dst; |
723 |
|
|
struct sadb_sa sadb; |
724 |
|
|
struct sadb_lifetime *sa_life; |
725 |
|
|
struct sockaddr_storage ssrc, sdst; |
726 |
|
|
struct iovec iov[IOV_CNT]; |
727 |
|
|
uint8_t *data; |
728 |
|
|
ssize_t n; |
729 |
|
|
int iov_cnt, ret = -1; |
730 |
|
|
uint8_t satype; |
731 |
|
|
|
732 |
|
|
*last_used = 0; |
733 |
|
|
|
734 |
|
|
if (pfkey_map(pfkey_satype, sa->csa_saproto, &satype) == -1) |
735 |
|
|
return (-1); |
736 |
|
|
|
737 |
|
|
bzero(&ssrc, sizeof(ssrc)); |
738 |
|
|
memcpy(&ssrc, &sa->csa_local->addr, sizeof(ssrc)); |
739 |
|
|
if (socket_af((struct sockaddr *)&ssrc, 0) == -1) { |
740 |
|
|
log_warn("%s: invalid address", __func__); |
741 |
|
|
return (-1); |
742 |
|
|
} |
743 |
|
|
|
744 |
|
|
bzero(&sdst, sizeof(sdst)); |
745 |
|
|
memcpy(&sdst, &sa->csa_peer->addr, sizeof(sdst)); |
746 |
|
|
if (socket_af((struct sockaddr *)&sdst, 0) == -1) { |
747 |
|
|
log_warn("%s: invalid address", __func__); |
748 |
|
|
return (-1); |
749 |
|
|
} |
750 |
|
|
|
751 |
|
|
bzero(&smsg, sizeof(smsg)); |
752 |
|
|
smsg.sadb_msg_version = PF_KEY_V2; |
753 |
|
|
smsg.sadb_msg_seq = ++sadb_msg_seq; |
754 |
|
|
smsg.sadb_msg_pid = getpid(); |
755 |
|
|
smsg.sadb_msg_len = sizeof(smsg) / 8; |
756 |
|
|
smsg.sadb_msg_type = SADB_GET; |
757 |
|
|
smsg.sadb_msg_satype = satype; |
758 |
|
|
|
759 |
|
|
bzero(&sadb, sizeof(sadb)); |
760 |
|
|
sadb.sadb_sa_len = sizeof(sadb) / 8; |
761 |
|
|
sadb.sadb_sa_exttype = SADB_EXT_SA; |
762 |
|
|
sadb.sadb_sa_spi = htonl(sa->csa_spi.spi); |
763 |
|
|
sadb.sadb_sa_state = SADB_SASTATE_MATURE; |
764 |
|
|
sadb.sadb_sa_replay = 64; |
765 |
|
|
|
766 |
|
|
bzero(&sa_src, sizeof(sa_src)); |
767 |
|
|
sa_src.sadb_address_len = (sizeof(sa_src) + ROUNDUP(ssrc.ss_len)) / 8; |
768 |
|
|
sa_src.sadb_address_exttype = SADB_EXT_ADDRESS_SRC; |
769 |
|
|
|
770 |
|
|
bzero(&sa_dst, sizeof(sa_dst)); |
771 |
|
|
sa_dst.sadb_address_len = (sizeof(sa_dst) + ROUNDUP(sdst.ss_len)) / 8; |
772 |
|
|
sa_dst.sadb_address_exttype = SADB_EXT_ADDRESS_DST; |
773 |
|
|
|
774 |
|
|
iov_cnt = 0; |
775 |
|
|
|
776 |
|
|
/* header */ |
777 |
|
|
iov[iov_cnt].iov_base = &smsg; |
778 |
|
|
iov[iov_cnt].iov_len = sizeof(smsg); |
779 |
|
|
iov_cnt++; |
780 |
|
|
|
781 |
|
|
/* sa */ |
782 |
|
|
iov[iov_cnt].iov_base = &sadb; |
783 |
|
|
iov[iov_cnt].iov_len = sizeof(sadb); |
784 |
|
|
smsg.sadb_msg_len += sadb.sadb_sa_len; |
785 |
|
|
iov_cnt++; |
786 |
|
|
|
787 |
|
|
/* src addr */ |
788 |
|
|
iov[iov_cnt].iov_base = &sa_src; |
789 |
|
|
iov[iov_cnt].iov_len = sizeof(sa_src); |
790 |
|
|
iov_cnt++; |
791 |
|
|
iov[iov_cnt].iov_base = &ssrc; |
792 |
|
|
iov[iov_cnt].iov_len = ROUNDUP(ssrc.ss_len); |
793 |
|
|
smsg.sadb_msg_len += sa_src.sadb_address_len; |
794 |
|
|
iov_cnt++; |
795 |
|
|
|
796 |
|
|
/* dst addr */ |
797 |
|
|
iov[iov_cnt].iov_base = &sa_dst; |
798 |
|
|
iov[iov_cnt].iov_len = sizeof(sa_dst); |
799 |
|
|
iov_cnt++; |
800 |
|
|
iov[iov_cnt].iov_base = &sdst; |
801 |
|
|
iov[iov_cnt].iov_len = ROUNDUP(sdst.ss_len); |
802 |
|
|
smsg.sadb_msg_len += sa_dst.sadb_address_len; |
803 |
|
|
iov_cnt++; |
804 |
|
|
|
805 |
|
|
if ((ret = pfkey_write(sd, &smsg, iov, iov_cnt, &data, &n)) != 0) |
806 |
|
|
return (-1); |
807 |
|
|
|
808 |
|
|
msg = (struct sadb_msg *)data; |
809 |
|
|
if (msg->sadb_msg_errno != 0) { |
810 |
|
|
errno = msg->sadb_msg_errno; |
811 |
|
|
ret = -1; |
812 |
|
|
log_warn("%s: message", __func__); |
813 |
|
|
goto done; |
814 |
|
|
} |
815 |
|
|
if ((sa_life = pfkey_find_ext(data, n, SADB_X_EXT_LIFETIME_LASTUSE)) |
816 |
|
|
== NULL) { |
817 |
|
|
/* has never been used */ |
818 |
|
|
ret = -1; |
819 |
|
|
goto done; |
820 |
|
|
} |
821 |
|
|
*last_used = sa_life->sadb_lifetime_usetime; |
822 |
|
|
log_debug("%s: last_used %llu", __func__, *last_used); |
823 |
|
|
|
824 |
|
|
done: |
825 |
|
|
explicit_bzero(data, n); |
826 |
|
|
free(data); |
827 |
|
|
return (ret); |
828 |
|
|
} |
829 |
|
|
|
830 |
|
|
int |
831 |
|
|
pfkey_sa_getspi(int sd, uint8_t satype, struct iked_childsa *sa, |
832 |
|
|
uint32_t *spip) |
833 |
|
|
{ |
834 |
|
|
struct sadb_msg *msg, smsg; |
835 |
|
|
struct sadb_address sa_src, sa_dst; |
836 |
|
|
struct sadb_sa *sa_ext; |
837 |
|
|
struct sadb_spirange sa_spirange; |
838 |
|
|
struct sockaddr_storage ssrc, sdst; |
839 |
|
|
struct iovec iov[IOV_CNT]; |
840 |
|
|
uint8_t *data; |
841 |
|
|
ssize_t n; |
842 |
|
|
int iov_cnt, ret = -1; |
843 |
|
|
|
844 |
|
|
bzero(&ssrc, sizeof(ssrc)); |
845 |
|
|
memcpy(&ssrc, &sa->csa_local->addr, sizeof(ssrc)); |
846 |
|
|
if (socket_af((struct sockaddr *)&ssrc, 0) == -1) { |
847 |
|
|
log_warn("%s: invalid address", __func__); |
848 |
|
|
return (-1); |
849 |
|
|
} |
850 |
|
|
|
851 |
|
|
bzero(&sdst, sizeof(sdst)); |
852 |
|
|
memcpy(&sdst, &sa->csa_peer->addr, sizeof(sdst)); |
853 |
|
|
if (socket_af((struct sockaddr *)&sdst, 0) == -1) { |
854 |
|
|
log_warn("%s: invalid address", __func__); |
855 |
|
|
return (-1); |
856 |
|
|
} |
857 |
|
|
|
858 |
|
|
bzero(&smsg, sizeof(smsg)); |
859 |
|
|
smsg.sadb_msg_version = PF_KEY_V2; |
860 |
|
|
smsg.sadb_msg_seq = ++sadb_msg_seq; |
861 |
|
|
smsg.sadb_msg_pid = getpid(); |
862 |
|
|
smsg.sadb_msg_len = sizeof(smsg) / 8; |
863 |
|
|
smsg.sadb_msg_type = SADB_GETSPI; |
864 |
|
|
smsg.sadb_msg_satype = satype; |
865 |
|
|
|
866 |
|
|
bzero(&sa_spirange, sizeof(sa_spirange)); |
867 |
|
|
sa_spirange.sadb_spirange_exttype = SADB_EXT_SPIRANGE; |
868 |
|
|
sa_spirange.sadb_spirange_len = sizeof(sa_spirange) / 8; |
869 |
|
|
sa_spirange.sadb_spirange_min = 0x100; |
870 |
|
|
sa_spirange.sadb_spirange_max = (satype == SADB_X_SATYPE_IPCOMP) ? |
871 |
|
|
(CPI_PRIVATE_MIN - 1) : 0xffffffff; |
872 |
|
|
sa_spirange.sadb_spirange_reserved = 0; |
873 |
|
|
|
874 |
|
|
bzero(&sa_src, sizeof(sa_src)); |
875 |
|
|
sa_src.sadb_address_len = (sizeof(sa_src) + ROUNDUP(ssrc.ss_len)) / 8; |
876 |
|
|
sa_src.sadb_address_exttype = SADB_EXT_ADDRESS_SRC; |
877 |
|
|
|
878 |
|
|
bzero(&sa_dst, sizeof(sa_dst)); |
879 |
|
|
sa_dst.sadb_address_len = (sizeof(sa_dst) + ROUNDUP(sdst.ss_len)) / 8; |
880 |
|
|
sa_dst.sadb_address_exttype = SADB_EXT_ADDRESS_DST; |
881 |
|
|
|
882 |
|
|
iov_cnt = 0; |
883 |
|
|
|
884 |
|
|
/* header */ |
885 |
|
|
iov[iov_cnt].iov_base = &smsg; |
886 |
|
|
iov[iov_cnt].iov_len = sizeof(smsg); |
887 |
|
|
iov_cnt++; |
888 |
|
|
|
889 |
|
|
/* SPI range */ |
890 |
|
|
iov[iov_cnt].iov_base = &sa_spirange; |
891 |
|
|
iov[iov_cnt].iov_len = sizeof(sa_spirange); |
892 |
|
|
smsg.sadb_msg_len += sa_spirange.sadb_spirange_len; |
893 |
|
|
iov_cnt++; |
894 |
|
|
|
895 |
|
|
/* src addr */ |
896 |
|
|
iov[iov_cnt].iov_base = &sa_src; |
897 |
|
|
iov[iov_cnt].iov_len = sizeof(sa_src); |
898 |
|
|
iov_cnt++; |
899 |
|
|
iov[iov_cnt].iov_base = &ssrc; |
900 |
|
|
iov[iov_cnt].iov_len = ROUNDUP(ssrc.ss_len); |
901 |
|
|
smsg.sadb_msg_len += sa_src.sadb_address_len; |
902 |
|
|
iov_cnt++; |
903 |
|
|
|
904 |
|
|
/* dst addr */ |
905 |
|
|
iov[iov_cnt].iov_base = &sa_dst; |
906 |
|
|
iov[iov_cnt].iov_len = sizeof(sa_dst); |
907 |
|
|
iov_cnt++; |
908 |
|
|
iov[iov_cnt].iov_base = &sdst; |
909 |
|
|
iov[iov_cnt].iov_len = ROUNDUP(sdst.ss_len); |
910 |
|
|
smsg.sadb_msg_len += sa_dst.sadb_address_len; |
911 |
|
|
iov_cnt++; |
912 |
|
|
|
913 |
|
|
*spip = 0; |
914 |
|
|
|
915 |
|
|
if ((ret = pfkey_write(sd, &smsg, iov, iov_cnt, &data, &n)) != 0) |
916 |
|
|
return (-1); |
917 |
|
|
|
918 |
|
|
msg = (struct sadb_msg *)data; |
919 |
|
|
if (msg->sadb_msg_errno != 0) { |
920 |
|
|
errno = msg->sadb_msg_errno; |
921 |
|
|
log_warn("%s: message", __func__); |
922 |
|
|
goto done; |
923 |
|
|
} |
924 |
|
|
if ((sa_ext = pfkey_find_ext(data, n, SADB_EXT_SA)) == NULL) { |
925 |
|
|
log_debug("%s: erronous reply", __func__); |
926 |
|
|
goto done; |
927 |
|
|
} |
928 |
|
|
|
929 |
|
|
*spip = ntohl(sa_ext->sadb_sa_spi); |
930 |
|
|
log_debug("%s: spi 0x%08x", __func__, *spip); |
931 |
|
|
|
932 |
|
|
done: |
933 |
|
|
explicit_bzero(data, n); |
934 |
|
|
free(data); |
935 |
|
|
return (ret); |
936 |
|
|
} |
937 |
|
|
|
938 |
|
|
int |
939 |
|
|
pfkey_sagroup(int sd, uint8_t satype1, uint8_t action, |
940 |
|
|
struct iked_childsa *sa1, struct iked_childsa *sa2) |
941 |
|
|
{ |
942 |
|
|
struct sadb_msg smsg; |
943 |
|
|
struct sadb_sa sadb1, sadb2; |
944 |
|
|
struct sadb_address sa_dst1, sa_dst2; |
945 |
|
|
struct sockaddr_storage sdst1, sdst2; |
946 |
|
|
struct sadb_protocol sa_proto; |
947 |
|
|
struct iovec iov[IOV_CNT]; |
948 |
|
|
int iov_cnt; |
949 |
|
|
uint8_t satype2; |
950 |
|
|
|
951 |
|
|
if (pfkey_map(pfkey_satype, sa2->csa_saproto, &satype2) == -1) |
952 |
|
|
return (-1); |
953 |
|
|
|
954 |
|
|
bzero(&sdst1, sizeof(sdst1)); |
955 |
|
|
memcpy(&sdst1, &sa1->csa_peer->addr, sizeof(sdst1)); |
956 |
|
|
if (socket_af((struct sockaddr *)&sdst1, 0) == -1) { |
957 |
|
|
log_warnx("%s: unsupported address family %d", |
958 |
|
|
__func__, sdst1.ss_family); |
959 |
|
|
return (-1); |
960 |
|
|
} |
961 |
|
|
|
962 |
|
|
bzero(&sdst2, sizeof(sdst2)); |
963 |
|
|
memcpy(&sdst2, &sa2->csa_peer->addr, sizeof(sdst2)); |
964 |
|
|
if (socket_af((struct sockaddr *)&sdst2, 0) == -1) { |
965 |
|
|
log_warnx("%s: unsupported address family %d", |
966 |
|
|
__func__, sdst2.ss_family); |
967 |
|
|
return (-1); |
968 |
|
|
} |
969 |
|
|
|
970 |
|
|
bzero(&smsg, sizeof(smsg)); |
971 |
|
|
smsg.sadb_msg_version = PF_KEY_V2; |
972 |
|
|
smsg.sadb_msg_seq = ++sadb_msg_seq; |
973 |
|
|
smsg.sadb_msg_pid = getpid(); |
974 |
|
|
smsg.sadb_msg_len = sizeof(smsg) / 8; |
975 |
|
|
smsg.sadb_msg_type = action; |
976 |
|
|
smsg.sadb_msg_satype = satype1; |
977 |
|
|
|
978 |
|
|
bzero(&sadb1, sizeof(sadb1)); |
979 |
|
|
sadb1.sadb_sa_len = sizeof(sadb1) / 8; |
980 |
|
|
sadb1.sadb_sa_exttype = SADB_EXT_SA; |
981 |
|
|
sadb1.sadb_sa_spi = htonl(sa1->csa_spi.spi); |
982 |
|
|
sadb1.sadb_sa_state = SADB_SASTATE_MATURE; |
983 |
|
|
|
984 |
|
|
bzero(&sadb2, sizeof(sadb2)); |
985 |
|
|
sadb2.sadb_sa_len = sizeof(sadb2) / 8; |
986 |
|
|
sadb2.sadb_sa_exttype = SADB_X_EXT_SA2; |
987 |
|
|
sadb2.sadb_sa_spi = htonl(sa2->csa_spi.spi); |
988 |
|
|
sadb2.sadb_sa_state = SADB_SASTATE_MATURE; |
989 |
|
|
iov_cnt = 0; |
990 |
|
|
|
991 |
|
|
bzero(&sa_dst1, sizeof(sa_dst1)); |
992 |
|
|
sa_dst1.sadb_address_exttype = SADB_EXT_ADDRESS_DST; |
993 |
|
|
sa_dst1.sadb_address_len = |
994 |
|
|
(sizeof(sa_dst1) + ROUNDUP(sdst1.ss_len)) / 8; |
995 |
|
|
|
996 |
|
|
bzero(&sa_dst2, sizeof(sa_dst2)); |
997 |
|
|
sa_dst2.sadb_address_exttype = SADB_X_EXT_DST2; |
998 |
|
|
sa_dst2.sadb_address_len = |
999 |
|
|
(sizeof(sa_dst2) + ROUNDUP(sdst2.ss_len)) / 8; |
1000 |
|
|
|
1001 |
|
|
bzero(&sa_proto, sizeof(sa_proto)); |
1002 |
|
|
sa_proto.sadb_protocol_exttype = SADB_X_EXT_PROTOCOL; |
1003 |
|
|
sa_proto.sadb_protocol_len = sizeof(sa_proto) / 8; |
1004 |
|
|
sa_proto.sadb_protocol_direction = 0; |
1005 |
|
|
sa_proto.sadb_protocol_proto = satype2; |
1006 |
|
|
|
1007 |
|
|
/* header */ |
1008 |
|
|
iov[iov_cnt].iov_base = &smsg; |
1009 |
|
|
iov[iov_cnt].iov_len = sizeof(smsg); |
1010 |
|
|
iov_cnt++; |
1011 |
|
|
|
1012 |
|
|
/* sa */ |
1013 |
|
|
iov[iov_cnt].iov_base = &sadb1; |
1014 |
|
|
iov[iov_cnt].iov_len = sizeof(sadb1); |
1015 |
|
|
smsg.sadb_msg_len += sadb1.sadb_sa_len; |
1016 |
|
|
iov_cnt++; |
1017 |
|
|
|
1018 |
|
|
/* dst addr */ |
1019 |
|
|
iov[iov_cnt].iov_base = &sa_dst1; |
1020 |
|
|
iov[iov_cnt].iov_len = sizeof(sa_dst1); |
1021 |
|
|
iov_cnt++; |
1022 |
|
|
iov[iov_cnt].iov_base = &sdst1; |
1023 |
|
|
iov[iov_cnt].iov_len = ROUNDUP(sdst1.ss_len); |
1024 |
|
|
smsg.sadb_msg_len += sa_dst1.sadb_address_len; |
1025 |
|
|
iov_cnt++; |
1026 |
|
|
|
1027 |
|
|
/* second sa */ |
1028 |
|
|
iov[iov_cnt].iov_base = &sadb2; |
1029 |
|
|
iov[iov_cnt].iov_len = sizeof(sadb2); |
1030 |
|
|
smsg.sadb_msg_len += sadb2.sadb_sa_len; |
1031 |
|
|
iov_cnt++; |
1032 |
|
|
|
1033 |
|
|
/* second dst addr */ |
1034 |
|
|
iov[iov_cnt].iov_base = &sa_dst2; |
1035 |
|
|
iov[iov_cnt].iov_len = sizeof(sa_dst2); |
1036 |
|
|
iov_cnt++; |
1037 |
|
|
iov[iov_cnt].iov_base = &sdst2; |
1038 |
|
|
iov[iov_cnt].iov_len = ROUNDUP(sdst2.ss_len); |
1039 |
|
|
smsg.sadb_msg_len += sa_dst2.sadb_address_len; |
1040 |
|
|
iov_cnt++; |
1041 |
|
|
|
1042 |
|
|
/* SA type */ |
1043 |
|
|
iov[iov_cnt].iov_base = &sa_proto; |
1044 |
|
|
iov[iov_cnt].iov_len = sizeof(sa_proto); |
1045 |
|
|
smsg.sadb_msg_len += sa_proto.sadb_protocol_len; |
1046 |
|
|
iov_cnt++; |
1047 |
|
|
|
1048 |
|
|
return (pfkey_write(sd, &smsg, iov, iov_cnt, NULL, NULL)); |
1049 |
|
|
} |
1050 |
|
|
|
1051 |
|
|
int |
1052 |
|
|
pfkey_write(int sd, struct sadb_msg *smsg, struct iovec *iov, int iov_cnt, |
1053 |
|
|
uint8_t **datap, ssize_t *lenp) |
1054 |
|
|
{ |
1055 |
|
|
ssize_t n, len = smsg->sadb_msg_len * 8; |
1056 |
|
|
|
1057 |
|
|
if (sadb_decoupled) { |
1058 |
|
|
switch (smsg->sadb_msg_type) { |
1059 |
|
|
case SADB_GETSPI: |
1060 |
|
|
/* we need to get a new SPI from the kernel */ |
1061 |
|
|
break; |
1062 |
|
|
default: |
1063 |
|
|
if (datap || lenp) { |
1064 |
|
|
log_warnx("%s: pfkey not coupled", __func__); |
1065 |
|
|
return (-1); |
1066 |
|
|
} |
1067 |
|
|
/* ignore request */ |
1068 |
|
|
return (0); |
1069 |
|
|
} |
1070 |
|
|
} |
1071 |
|
|
|
1072 |
|
|
if ((n = writev(sd, iov, iov_cnt)) == -1) { |
1073 |
|
|
log_warn("%s: writev failed", __func__); |
1074 |
|
|
return (-1); |
1075 |
|
|
} else if (n != len) { |
1076 |
|
|
log_warn("%s: short write", __func__); |
1077 |
|
|
return (-1); |
1078 |
|
|
} |
1079 |
|
|
|
1080 |
|
|
return (pfkey_reply(sd, datap, lenp)); |
1081 |
|
|
} |
1082 |
|
|
|
1083 |
|
|
int |
1084 |
|
|
pfkey_reply(int sd, uint8_t **datap, ssize_t *lenp) |
1085 |
|
|
{ |
1086 |
|
|
struct pfkey_message *pm; |
1087 |
|
|
struct sadb_msg hdr; |
1088 |
|
|
ssize_t len; |
1089 |
|
|
uint8_t *data; |
1090 |
|
|
struct pollfd pfd[1]; |
1091 |
|
|
int n; |
1092 |
|
|
|
1093 |
|
|
pfd[0].fd = sd; |
1094 |
|
|
pfd[0].events = POLLIN; |
1095 |
|
|
|
1096 |
|
|
for (;;) { |
1097 |
|
|
/* |
1098 |
|
|
* We should actually expect the reply to get lost |
1099 |
|
|
* as PF_KEY is an unreliable service per the specs. |
1100 |
|
|
* Currently we do this by setting a short timeout, |
1101 |
|
|
* and if it is not readable in that time, we fail |
1102 |
|
|
* the read. |
1103 |
|
|
*/ |
1104 |
|
|
n = poll(pfd, 1, PFKEY_REPLY_TIMEOUT / 1000); |
1105 |
|
|
if (n == -1) { |
1106 |
|
|
log_warn("%s: poll() failed", __func__); |
1107 |
|
|
return (-1); |
1108 |
|
|
} |
1109 |
|
|
if (n == 0) { |
1110 |
|
|
log_warnx("%s: no reply from PF_KEY", __func__); |
1111 |
|
|
return (-1); |
1112 |
|
|
} |
1113 |
|
|
|
1114 |
|
|
if (recv(sd, &hdr, sizeof(hdr), MSG_PEEK) != sizeof(hdr)) { |
1115 |
|
|
log_warn("%s: short recv", __func__); |
1116 |
|
|
return (-1); |
1117 |
|
|
} |
1118 |
|
|
|
1119 |
|
|
if (hdr.sadb_msg_version != PF_KEY_V2) { |
1120 |
|
|
log_warnx("%s: wrong pfkey version", __func__); |
1121 |
|
|
return (-1); |
1122 |
|
|
} |
1123 |
|
|
|
1124 |
|
|
if ((data = reallocarray(NULL, hdr.sadb_msg_len, |
1125 |
|
|
PFKEYV2_CHUNK)) == NULL) { |
1126 |
|
|
log_warn("%s: malloc", __func__); |
1127 |
|
|
return (-1); |
1128 |
|
|
} |
1129 |
|
|
len = hdr.sadb_msg_len * PFKEYV2_CHUNK; |
1130 |
|
|
|
1131 |
|
|
if (read(sd, data, len) != len) { |
1132 |
|
|
log_warnx("%s: short read", __func__); |
1133 |
|
|
free(data); |
1134 |
|
|
return (-1); |
1135 |
|
|
} |
1136 |
|
|
|
1137 |
|
|
/* XXX: Only one message can be outstanding. */ |
1138 |
|
|
if (hdr.sadb_msg_seq == sadb_msg_seq && |
1139 |
|
|
hdr.sadb_msg_pid == (uint32_t)getpid()) |
1140 |
|
|
break; |
1141 |
|
|
|
1142 |
|
|
/* ignore messages for other processes */ |
1143 |
|
|
if (hdr.sadb_msg_pid != 0 && |
1144 |
|
|
hdr.sadb_msg_pid != (uint32_t)getpid()) { |
1145 |
|
|
free(data); |
1146 |
|
|
continue; |
1147 |
|
|
} |
1148 |
|
|
|
1149 |
|
|
/* not the reply, enqueue */ |
1150 |
|
|
if ((pm = malloc(sizeof(*pm))) == NULL) { |
1151 |
|
|
log_warn("%s: malloc", __func__); |
1152 |
|
|
free(data); |
1153 |
|
|
return (-1); |
1154 |
|
|
} |
1155 |
|
|
pm->pm_data = data; |
1156 |
|
|
pm->pm_length = len; |
1157 |
|
|
SIMPLEQ_INSERT_TAIL(&pfkey_postponed, pm, pm_entry); |
1158 |
|
|
evtimer_add(&pfkey_timer_ev, &pfkey_timer_tv); |
1159 |
|
|
} |
1160 |
|
|
|
1161 |
|
|
if (datap) { |
1162 |
|
|
*datap = data; |
1163 |
|
|
if (lenp) |
1164 |
|
|
*lenp = len; |
1165 |
|
|
} else |
1166 |
|
|
free(data); |
1167 |
|
|
|
1168 |
|
|
if (datap == NULL && hdr.sadb_msg_errno != 0) { |
1169 |
|
|
errno = hdr.sadb_msg_errno; |
1170 |
|
|
if (errno != EEXIST) { |
1171 |
|
|
log_warn("%s: message", __func__); |
1172 |
|
|
return (-1); |
1173 |
|
|
} |
1174 |
|
|
} |
1175 |
|
|
return (0); |
1176 |
|
|
} |
1177 |
|
|
|
1178 |
|
|
int |
1179 |
|
|
pfkey_flow_add(int fd, struct iked_flow *flow) |
1180 |
|
|
{ |
1181 |
|
|
uint8_t satype; |
1182 |
|
|
|
1183 |
|
|
if (flow->flow_loaded) |
1184 |
|
|
return (0); |
1185 |
|
|
|
1186 |
|
|
if (pfkey_map(pfkey_satype, flow->flow_saproto, &satype) == -1) |
1187 |
|
|
return (-1); |
1188 |
|
|
|
1189 |
|
|
if (pfkey_flow(fd, satype, SADB_X_ADDFLOW, flow) == -1) |
1190 |
|
|
return (-1); |
1191 |
|
|
|
1192 |
|
|
flow->flow_loaded = 1; |
1193 |
|
|
|
1194 |
|
|
if (flow->flow_dst.addr_af == AF_INET6) { |
1195 |
|
|
sadb_ipv6refcnt++; |
1196 |
|
|
if (sadb_ipv6refcnt == 1) |
1197 |
|
|
return (pfkey_block(fd, AF_INET6, SADB_X_DELFLOW)); |
1198 |
|
|
} |
1199 |
|
|
|
1200 |
|
|
return (0); |
1201 |
|
|
} |
1202 |
|
|
|
1203 |
|
|
int |
1204 |
|
|
pfkey_flow_delete(int fd, struct iked_flow *flow) |
1205 |
|
|
{ |
1206 |
|
|
uint8_t satype; |
1207 |
|
|
|
1208 |
|
|
if (!flow->flow_loaded) |
1209 |
|
|
return (0); |
1210 |
|
|
|
1211 |
|
|
if (pfkey_map(pfkey_satype, flow->flow_saproto, &satype) == -1) |
1212 |
|
|
return (-1); |
1213 |
|
|
|
1214 |
|
|
if (pfkey_flow(fd, satype, SADB_X_DELFLOW, flow) == -1) |
1215 |
|
|
return (-1); |
1216 |
|
|
|
1217 |
|
|
flow->flow_loaded = 0; |
1218 |
|
|
|
1219 |
|
|
if (flow->flow_dst.addr_af == AF_INET6) { |
1220 |
|
|
sadb_ipv6refcnt--; |
1221 |
|
|
if (sadb_ipv6refcnt == 0) |
1222 |
|
|
return (pfkey_block(fd, AF_INET6, SADB_X_ADDFLOW)); |
1223 |
|
|
} |
1224 |
|
|
|
1225 |
|
|
return (0); |
1226 |
|
|
} |
1227 |
|
|
|
1228 |
|
|
int |
1229 |
|
|
pfkey_block(int fd, int af, unsigned int action) |
1230 |
|
|
{ |
1231 |
|
|
struct iked_flow flow; |
1232 |
|
|
|
1233 |
|
|
if (!pfkey_blockipv6) |
1234 |
|
|
return (0); |
1235 |
|
|
|
1236 |
|
|
/* |
1237 |
|
|
* Prevent VPN traffic leakages in dual-stack hosts/networks. |
1238 |
|
|
* https://tools.ietf.org/html/draft-gont-opsec-vpn-leakages. |
1239 |
|
|
* We forcibly block IPv6 traffic unless it is used in any of |
1240 |
|
|
* the flows by tracking a sadb_ipv6refcnt reference counter. |
1241 |
|
|
*/ |
1242 |
|
|
bzero(&flow, sizeof(flow)); |
1243 |
|
|
flow.flow_src.addr_af = flow.flow_src.addr.ss_family = af; |
1244 |
|
|
flow.flow_src.addr_net = 1; |
1245 |
|
|
socket_af((struct sockaddr *)&flow.flow_src.addr, 0); |
1246 |
|
|
flow.flow_dst.addr_af = flow.flow_dst.addr.ss_family = af; |
1247 |
|
|
flow.flow_dst.addr_net = 1; |
1248 |
|
|
socket_af((struct sockaddr *)&flow.flow_dst.addr, 0); |
1249 |
|
|
flow.flow_type = SADB_X_FLOW_TYPE_DENY; |
1250 |
|
|
flow.flow_dir = IPSP_DIRECTION_OUT; |
1251 |
|
|
|
1252 |
|
|
if (pfkey_flow(fd, 0, action, &flow) == -1) |
1253 |
|
|
return (-1); |
1254 |
|
|
|
1255 |
|
|
return (0); |
1256 |
|
|
} |
1257 |
|
|
|
1258 |
|
|
int |
1259 |
|
|
pfkey_sa_init(int fd, struct iked_childsa *sa, uint32_t *spi) |
1260 |
|
|
{ |
1261 |
|
|
uint8_t satype; |
1262 |
|
|
|
1263 |
|
|
if (pfkey_map(pfkey_satype, sa->csa_saproto, &satype) == -1) |
1264 |
|
|
return (-1); |
1265 |
|
|
|
1266 |
|
|
if (pfkey_sa_getspi(fd, satype, sa, spi) == -1) |
1267 |
|
|
return (-1); |
1268 |
|
|
|
1269 |
|
|
log_debug("%s: new spi 0x%08x", __func__, *spi); |
1270 |
|
|
|
1271 |
|
|
return (0); |
1272 |
|
|
} |
1273 |
|
|
|
1274 |
|
|
int |
1275 |
|
|
pfkey_sa_add(int fd, struct iked_childsa *sa, struct iked_childsa *last) |
1276 |
|
|
{ |
1277 |
|
|
uint8_t satype; |
1278 |
|
|
unsigned int cmd; |
1279 |
|
|
|
1280 |
|
|
if (pfkey_map(pfkey_satype, sa->csa_saproto, &satype) == -1) |
1281 |
|
|
return (-1); |
1282 |
|
|
|
1283 |
|
|
if (sa->csa_allocated || sa->csa_loaded) |
1284 |
|
|
cmd = SADB_UPDATE; |
1285 |
|
|
else |
1286 |
|
|
cmd = SADB_ADD; |
1287 |
|
|
|
1288 |
|
|
log_debug("%s: %s spi %s", __func__, cmd == SADB_ADD ? "add": "update", |
1289 |
|
|
print_spi(sa->csa_spi.spi, 4)); |
1290 |
|
|
|
1291 |
|
|
if (pfkey_sa(fd, satype, cmd, sa) == -1) { |
1292 |
|
|
if (cmd == SADB_ADD) { |
1293 |
|
|
(void)pfkey_sa_delete(fd, sa); |
1294 |
|
|
return (-1); |
1295 |
|
|
} |
1296 |
|
|
if (sa->csa_allocated && !sa->csa_loaded && errno == ESRCH) { |
1297 |
|
|
/* Needed for recoupling local SAs */ |
1298 |
|
|
log_debug("%s: SADB_UPDATE on local SA returned ESRCH," |
1299 |
|
|
" trying SADB_ADD", __func__); |
1300 |
|
|
if (pfkey_sa(fd, satype, SADB_ADD, sa) == -1) |
1301 |
|
|
return (-1); |
1302 |
|
|
} else { |
1303 |
|
|
return (-1); |
1304 |
|
|
} |
1305 |
|
|
} |
1306 |
|
|
|
1307 |
|
|
if (last && cmd == SADB_ADD) { |
1308 |
|
|
if (pfkey_sagroup(fd, satype, |
1309 |
|
|
SADB_X_GRPSPIS, sa, last) == -1) { |
1310 |
|
|
(void)pfkey_sa_delete(fd, sa); |
1311 |
|
|
return (-1); |
1312 |
|
|
} |
1313 |
|
|
} |
1314 |
|
|
|
1315 |
|
|
sa->csa_loaded = 1; |
1316 |
|
|
return (0); |
1317 |
|
|
} |
1318 |
|
|
|
1319 |
|
|
int |
1320 |
|
|
pfkey_sa_delete(int fd, struct iked_childsa *sa) |
1321 |
|
|
{ |
1322 |
|
|
uint8_t satype; |
1323 |
|
|
|
1324 |
|
|
if (!sa->csa_loaded || sa->csa_spi.spi == 0) |
1325 |
|
|
return (0); |
1326 |
|
|
|
1327 |
|
|
if (pfkey_map(pfkey_satype, sa->csa_saproto, &satype) == -1) |
1328 |
|
|
return (-1); |
1329 |
|
|
|
1330 |
|
|
if (pfkey_sa(fd, satype, SADB_DELETE, sa) == -1) |
1331 |
|
|
return (-1); |
1332 |
|
|
|
1333 |
|
|
sa->csa_loaded = 0; |
1334 |
|
|
return (0); |
1335 |
|
|
} |
1336 |
|
|
|
1337 |
|
|
int |
1338 |
|
|
pfkey_flush(int sd) |
1339 |
|
|
{ |
1340 |
|
|
struct sadb_msg smsg; |
1341 |
|
|
struct iovec iov[IOV_CNT]; |
1342 |
|
|
int iov_cnt; |
1343 |
|
|
|
1344 |
|
|
bzero(&smsg, sizeof(smsg)); |
1345 |
|
|
smsg.sadb_msg_version = PF_KEY_V2; |
1346 |
|
|
smsg.sadb_msg_seq = ++sadb_msg_seq; |
1347 |
|
|
smsg.sadb_msg_pid = getpid(); |
1348 |
|
|
smsg.sadb_msg_len = sizeof(smsg) / 8; |
1349 |
|
|
smsg.sadb_msg_type = SADB_FLUSH; |
1350 |
|
|
smsg.sadb_msg_satype = SADB_SATYPE_UNSPEC; |
1351 |
|
|
|
1352 |
|
|
iov_cnt = 0; |
1353 |
|
|
|
1354 |
|
|
iov[iov_cnt].iov_base = &smsg; |
1355 |
|
|
iov[iov_cnt].iov_len = sizeof(smsg); |
1356 |
|
|
iov_cnt++; |
1357 |
|
|
|
1358 |
|
|
return (pfkey_write(sd, &smsg, iov, iov_cnt, NULL, NULL)); |
1359 |
|
|
} |
1360 |
|
|
|
1361 |
|
|
struct sadb_ident * |
1362 |
|
|
pfkey_id2ident(struct iked_id *id, unsigned int exttype) |
1363 |
|
|
{ |
1364 |
|
|
char idstr[IKED_ID_SIZE]; |
1365 |
|
|
unsigned int type; |
1366 |
|
|
size_t len; |
1367 |
|
|
struct sadb_ident *sa_id; |
1368 |
|
|
|
1369 |
|
|
switch (id->id_type) { |
1370 |
|
|
case IKEV2_ID_FQDN: |
1371 |
|
|
type = SADB_IDENTTYPE_FQDN; |
1372 |
|
|
break; |
1373 |
|
|
case IKEV2_ID_UFQDN: |
1374 |
|
|
type = SADB_IDENTTYPE_USERFQDN; |
1375 |
|
|
break; |
1376 |
|
|
case IKEV2_ID_IPV4: |
1377 |
|
|
case IKEV2_ID_IPV6: |
1378 |
|
|
type = SADB_IDENTTYPE_PREFIX; |
1379 |
|
|
break; |
1380 |
|
|
case IKEV2_ID_ASN1_DN: |
1381 |
|
|
case IKEV2_ID_ASN1_GN: |
1382 |
|
|
case IKEV2_ID_KEY_ID: |
1383 |
|
|
case IKEV2_ID_NONE: |
1384 |
|
|
default: |
1385 |
|
|
/* XXX not implemented/supported by PFKEY */ |
1386 |
|
|
return (NULL); |
1387 |
|
|
} |
1388 |
|
|
|
1389 |
|
|
bzero(&idstr, sizeof(idstr)); |
1390 |
|
|
|
1391 |
|
|
if (ikev2_print_id(id, idstr, sizeof(idstr)) == -1) |
1392 |
|
|
return (NULL); |
1393 |
|
|
|
1394 |
|
|
len = ROUNDUP(strlen(idstr) + 1) + sizeof(*sa_id); |
1395 |
|
|
if ((sa_id = calloc(1, len)) == NULL) |
1396 |
|
|
return (NULL); |
1397 |
|
|
|
1398 |
|
|
strlcpy((char *)(sa_id + 1), idstr, ROUNDUP(strlen(idstr) + 1)); |
1399 |
|
|
sa_id->sadb_ident_type = type; |
1400 |
|
|
sa_id->sadb_ident_len = len / 8; |
1401 |
|
|
sa_id->sadb_ident_exttype = exttype; |
1402 |
|
|
|
1403 |
|
|
return (sa_id); |
1404 |
|
|
} |
1405 |
|
|
|
1406 |
|
|
int |
1407 |
|
|
pfkey_socket(void) |
1408 |
|
|
{ |
1409 |
|
|
int fd; |
1410 |
|
|
|
1411 |
|
|
if (privsep_process != PROC_PARENT) |
1412 |
|
|
fatal("pfkey_socket: called from unprivileged process"); |
1413 |
|
|
|
1414 |
|
|
if ((fd = socket(PF_KEY, SOCK_RAW, PF_KEY_V2)) == -1) |
1415 |
|
|
fatal("pfkey_socket: failed to open PF_KEY socket"); |
1416 |
|
|
|
1417 |
|
|
pfkey_flush(fd); |
1418 |
|
|
|
1419 |
|
|
return (fd); |
1420 |
|
|
} |
1421 |
|
|
|
1422 |
|
|
void |
1423 |
|
|
pfkey_init(struct iked *env, int fd) |
1424 |
|
|
{ |
1425 |
|
|
struct sadb_msg smsg; |
1426 |
|
|
struct iovec iov; |
1427 |
|
|
|
1428 |
|
|
/* Set up a timer to process messages deferred by the pfkey_reply */ |
1429 |
|
|
pfkey_timer_tv.tv_sec = 1; |
1430 |
|
|
pfkey_timer_tv.tv_usec = 0; |
1431 |
|
|
evtimer_set(&pfkey_timer_ev, pfkey_timer_cb, env); |
1432 |
|
|
|
1433 |
|
|
/* Register the pfkey socket event handler */ |
1434 |
|
|
env->sc_pfkey = fd; |
1435 |
|
|
event_set(&env->sc_pfkeyev, env->sc_pfkey, |
1436 |
|
|
EV_READ|EV_PERSIST, pfkey_dispatch, env); |
1437 |
|
|
event_add(&env->sc_pfkeyev, NULL); |
1438 |
|
|
|
1439 |
|
|
/* Register it to get ESP and AH acquires from the kernel */ |
1440 |
|
|
bzero(&smsg, sizeof(smsg)); |
1441 |
|
|
smsg.sadb_msg_version = PF_KEY_V2; |
1442 |
|
|
smsg.sadb_msg_seq = ++sadb_msg_seq; |
1443 |
|
|
smsg.sadb_msg_pid = getpid(); |
1444 |
|
|
smsg.sadb_msg_len = sizeof(smsg) / 8; |
1445 |
|
|
smsg.sadb_msg_type = SADB_REGISTER; |
1446 |
|
|
smsg.sadb_msg_satype = SADB_SATYPE_ESP; |
1447 |
|
|
|
1448 |
|
|
iov.iov_base = &smsg; |
1449 |
|
|
iov.iov_len = sizeof(smsg); |
1450 |
|
|
|
1451 |
|
|
if (pfkey_write(fd, &smsg, &iov, 1, NULL, NULL)) |
1452 |
|
|
fatal("pfkey_init: failed to set up ESP acquires"); |
1453 |
|
|
|
1454 |
|
|
bzero(&smsg, sizeof(smsg)); |
1455 |
|
|
smsg.sadb_msg_version = PF_KEY_V2; |
1456 |
|
|
smsg.sadb_msg_seq = ++sadb_msg_seq; |
1457 |
|
|
smsg.sadb_msg_pid = getpid(); |
1458 |
|
|
smsg.sadb_msg_len = sizeof(smsg) / 8; |
1459 |
|
|
smsg.sadb_msg_type = SADB_REGISTER; |
1460 |
|
|
smsg.sadb_msg_satype = SADB_SATYPE_AH; |
1461 |
|
|
|
1462 |
|
|
iov.iov_base = &smsg; |
1463 |
|
|
iov.iov_len = sizeof(smsg); |
1464 |
|
|
|
1465 |
|
|
if (pfkey_write(fd, &smsg, &iov, 1, NULL, NULL)) |
1466 |
|
|
fatal("pfkey_init: failed to set up AH acquires"); |
1467 |
|
|
|
1468 |
|
|
if (env->sc_opts & IKED_OPT_NOIPV6BLOCKING) |
1469 |
|
|
return; |
1470 |
|
|
|
1471 |
|
|
/* Block all IPv6 traffic by default */ |
1472 |
|
|
pfkey_blockipv6 = 1; |
1473 |
|
|
if (pfkey_block(fd, AF_INET6, SADB_X_ADDFLOW)) |
1474 |
|
|
fatal("pfkey_init: failed to block IPv6 traffic"); |
1475 |
|
|
} |
1476 |
|
|
|
1477 |
|
|
void * |
1478 |
|
|
pfkey_find_ext(uint8_t *data, ssize_t len, int type) |
1479 |
|
|
{ |
1480 |
|
|
struct sadb_ext *ext = (struct sadb_ext *)(data + |
1481 |
|
|
sizeof(struct sadb_msg)); |
1482 |
|
|
|
1483 |
|
|
while (ext && ((uint8_t *)ext - data < len)) { |
1484 |
|
|
if (ext->sadb_ext_type == type) |
1485 |
|
|
return (ext); |
1486 |
|
|
ext = (struct sadb_ext *)((uint8_t *)ext + |
1487 |
|
|
ext->sadb_ext_len * PFKEYV2_CHUNK); |
1488 |
|
|
} |
1489 |
|
|
|
1490 |
|
|
return (NULL); |
1491 |
|
|
} |
1492 |
|
|
|
1493 |
|
|
void |
1494 |
|
|
pfkey_dispatch(int sd, short event, void *arg) |
1495 |
|
|
{ |
1496 |
|
|
struct iked *env = (struct iked *)arg; |
1497 |
|
|
struct pfkey_message pm, *pmp; |
1498 |
|
|
struct sadb_msg hdr; |
1499 |
|
|
ssize_t len; |
1500 |
|
|
uint8_t *data; |
1501 |
|
|
|
1502 |
|
|
if (recv(sd, &hdr, sizeof(hdr), MSG_PEEK) != sizeof(hdr)) { |
1503 |
|
|
log_warn("%s: short recv", __func__); |
1504 |
|
|
return; |
1505 |
|
|
} |
1506 |
|
|
|
1507 |
|
|
if (hdr.sadb_msg_version != PF_KEY_V2) { |
1508 |
|
|
log_warnx("%s: wrong pfkey version", __func__); |
1509 |
|
|
return; |
1510 |
|
|
} |
1511 |
|
|
|
1512 |
|
|
if ((data = reallocarray(NULL, hdr.sadb_msg_len, PFKEYV2_CHUNK)) |
1513 |
|
|
== NULL) { |
1514 |
|
|
log_warn("%s: malloc", __func__); |
1515 |
|
|
return; |
1516 |
|
|
} |
1517 |
|
|
len = hdr.sadb_msg_len * PFKEYV2_CHUNK; |
1518 |
|
|
|
1519 |
|
|
if (read(sd, data, len) != len) { |
1520 |
|
|
log_warn("%s: short read", __func__); |
1521 |
|
|
free(data); |
1522 |
|
|
return; |
1523 |
|
|
} |
1524 |
|
|
|
1525 |
|
|
/* Try postponed requests first, so we do in-order processing */ |
1526 |
|
|
if (!SIMPLEQ_EMPTY(&pfkey_postponed)) |
1527 |
|
|
pfkey_timer_cb(0, 0, env); |
1528 |
|
|
|
1529 |
|
|
pm.pm_data = data; |
1530 |
|
|
pm.pm_length = len; |
1531 |
|
|
|
1532 |
|
|
if (pfkey_process(env, &pm) == -1 && |
1533 |
|
|
(pmp = calloc(1, sizeof(*pmp))) != NULL) { |
1534 |
|
|
pmp->pm_data = data; |
1535 |
|
|
pmp->pm_length = len; |
1536 |
|
|
log_debug("%s: pfkey_process is busy, retry later", __func__); |
1537 |
|
|
SIMPLEQ_INSERT_TAIL(&pfkey_postponed, pmp, pm_entry); |
1538 |
|
|
evtimer_add(&pfkey_timer_ev, &pfkey_timer_tv); |
1539 |
|
|
} else { |
1540 |
|
|
free(data); |
1541 |
|
|
} |
1542 |
|
|
} |
1543 |
|
|
|
1544 |
|
|
void |
1545 |
|
|
pfkey_timer_cb(int unused, short event, void *arg) |
1546 |
|
|
{ |
1547 |
|
|
struct iked *env = arg; |
1548 |
|
|
struct pfkey_message *pm; |
1549 |
|
|
|
1550 |
|
|
SIMPLEQ_INIT(&pfkey_retry); |
1551 |
|
|
while (!SIMPLEQ_EMPTY(&pfkey_postponed)) { |
1552 |
|
|
pm = SIMPLEQ_FIRST(&pfkey_postponed); |
1553 |
|
|
SIMPLEQ_REMOVE_HEAD(&pfkey_postponed, pm_entry); |
1554 |
|
|
if (pfkey_process(env, pm) == -1) { |
1555 |
|
|
log_debug("%s: pfkey_process is busy, retry later", |
1556 |
|
|
__func__); |
1557 |
|
|
SIMPLEQ_INSERT_TAIL(&pfkey_retry, pm, pm_entry); |
1558 |
|
|
} else { |
1559 |
|
|
free(pm->pm_data); |
1560 |
|
|
free(pm); |
1561 |
|
|
} |
1562 |
|
|
} |
1563 |
|
|
/* move from retry to postponed */ |
1564 |
|
|
while ((pm = SIMPLEQ_FIRST(&pfkey_retry)) != NULL) { |
1565 |
|
|
SIMPLEQ_REMOVE_HEAD(&pfkey_retry, pm_entry); |
1566 |
|
|
SIMPLEQ_INSERT_TAIL(&pfkey_postponed, pm, pm_entry); |
1567 |
|
|
} |
1568 |
|
|
if (!SIMPLEQ_EMPTY(&pfkey_postponed)) |
1569 |
|
|
evtimer_add(&pfkey_timer_ev, &pfkey_timer_tv); |
1570 |
|
|
} |
1571 |
|
|
|
1572 |
|
|
/* |
1573 |
|
|
* pfkey_process returns 0 if the message has been processed and -1 if |
1574 |
|
|
* the system is busy and the message should be passed again, later. |
1575 |
|
|
*/ |
1576 |
|
|
int |
1577 |
|
|
pfkey_process(struct iked *env, struct pfkey_message *pm) |
1578 |
|
|
{ |
1579 |
|
|
struct iked_spi spi; |
1580 |
|
|
struct sadb_sa *sa; |
1581 |
|
|
struct sadb_lifetime *sa_ltime; |
1582 |
|
|
struct sadb_msg *hdr; |
1583 |
|
|
struct sadb_msg smsg; |
1584 |
|
|
struct iked_addr peer; |
1585 |
|
|
struct iked_flow flow; |
1586 |
|
|
struct sadb_address *sa_addr; |
1587 |
|
|
struct sadb_protocol *sa_proto; |
1588 |
|
|
struct sadb_x_policy sa_pol; |
1589 |
|
|
struct sockaddr *ssrc, *sdst, *smask, *dmask, *speer; |
1590 |
|
|
struct iovec iov[IOV_CNT]; |
1591 |
|
|
int ret = 0, iov_cnt, sd; |
1592 |
|
|
uint8_t *reply; |
1593 |
|
|
ssize_t rlen; |
1594 |
|
|
const char *errmsg = NULL; |
1595 |
|
|
uint8_t *data = pm->pm_data; |
1596 |
|
|
ssize_t len = pm->pm_length; |
1597 |
|
|
size_t slen; |
1598 |
|
|
|
1599 |
|
|
if (!env || !data || !len) |
1600 |
|
|
return (0); |
1601 |
|
|
|
1602 |
|
|
sd = env->sc_pfkey; |
1603 |
|
|
hdr = (struct sadb_msg *)data; |
1604 |
|
|
|
1605 |
|
|
switch (hdr->sadb_msg_type) { |
1606 |
|
|
case SADB_ACQUIRE: |
1607 |
|
|
bzero(&flow, sizeof(flow)); |
1608 |
|
|
bzero(&peer, sizeof(peer)); |
1609 |
|
|
|
1610 |
|
|
if ((sa_addr = pfkey_find_ext(data, len, |
1611 |
|
|
SADB_EXT_ADDRESS_DST)) == NULL) { |
1612 |
|
|
log_debug("%s: no peer address", __func__); |
1613 |
|
|
return (0); |
1614 |
|
|
} |
1615 |
|
|
speer = (struct sockaddr *)(sa_addr + 1); |
1616 |
|
|
peer.addr_af = speer->sa_family; |
1617 |
|
|
peer.addr_port = htons(socket_getport(speer)); |
1618 |
|
|
if ((slen = speer->sa_len) > sizeof(peer.addr)) { |
1619 |
|
|
log_debug("%s: invalid peer address len", __func__); |
1620 |
|
|
return (0); |
1621 |
|
|
} |
1622 |
|
|
memcpy(&peer.addr, speer, slen); |
1623 |
|
|
if (socket_af((struct sockaddr *)&peer.addr, |
1624 |
|
|
peer.addr_port) == -1) { |
1625 |
|
|
log_debug("%s: invalid address", __func__); |
1626 |
|
|
return (0); |
1627 |
|
|
} |
1628 |
|
|
flow.flow_peer = &peer; |
1629 |
|
|
|
1630 |
|
|
log_debug("%s: acquire request (peer %s)", __func__, |
1631 |
|
|
print_host(speer, NULL, 0)); |
1632 |
|
|
|
1633 |
|
|
/* get the matching flow */ |
1634 |
|
|
bzero(&smsg, sizeof(smsg)); |
1635 |
|
|
smsg.sadb_msg_version = PF_KEY_V2; |
1636 |
|
|
smsg.sadb_msg_seq = ++sadb_msg_seq; |
1637 |
|
|
smsg.sadb_msg_pid = getpid(); |
1638 |
|
|
smsg.sadb_msg_len = sizeof(smsg) / 8; |
1639 |
|
|
smsg.sadb_msg_type = SADB_X_ASKPOLICY; |
1640 |
|
|
|
1641 |
|
|
iov_cnt = 0; |
1642 |
|
|
|
1643 |
|
|
iov[iov_cnt].iov_base = &smsg; |
1644 |
|
|
iov[iov_cnt].iov_len = sizeof(smsg); |
1645 |
|
|
iov_cnt++; |
1646 |
|
|
|
1647 |
|
|
bzero(&sa_pol, sizeof(sa_pol)); |
1648 |
|
|
sa_pol.sadb_x_policy_exttype = SADB_X_EXT_POLICY; |
1649 |
|
|
sa_pol.sadb_x_policy_len = sizeof(sa_pol) / 8; |
1650 |
|
|
sa_pol.sadb_x_policy_seq = hdr->sadb_msg_seq; |
1651 |
|
|
|
1652 |
|
|
iov[iov_cnt].iov_base = &sa_pol; |
1653 |
|
|
iov[iov_cnt].iov_len = sizeof(sa_pol); |
1654 |
|
|
smsg.sadb_msg_len += sizeof(sa_pol) / 8; |
1655 |
|
|
iov_cnt++; |
1656 |
|
|
|
1657 |
|
|
if (pfkey_write(sd, &smsg, iov, iov_cnt, &reply, &rlen)) { |
1658 |
|
|
log_warnx("%s: failed to get a policy", __func__); |
1659 |
|
|
return (0); |
1660 |
|
|
} |
1661 |
|
|
|
1662 |
|
|
if ((sa_addr = pfkey_find_ext(reply, rlen, |
1663 |
|
|
SADB_X_EXT_SRC_FLOW)) == NULL) { |
1664 |
|
|
errmsg = "flow source address"; |
1665 |
|
|
goto out; |
1666 |
|
|
} |
1667 |
|
|
ssrc = (struct sockaddr *)(sa_addr + 1); |
1668 |
|
|
flow.flow_src.addr_af = ssrc->sa_family; |
1669 |
|
|
flow.flow_src.addr_port = htons(socket_getport(ssrc)); |
1670 |
|
|
if ((slen = ssrc->sa_len) > sizeof(flow.flow_src.addr)) { |
1671 |
|
|
log_debug("%s: invalid src address len", __func__); |
1672 |
|
|
return (0); |
1673 |
|
|
} |
1674 |
|
|
memcpy(&flow.flow_src.addr, ssrc, slen); |
1675 |
|
|
if (socket_af((struct sockaddr *)&flow.flow_src.addr, |
1676 |
|
|
flow.flow_src.addr_port) == -1) { |
1677 |
|
|
log_debug("%s: invalid address", __func__); |
1678 |
|
|
return (0); |
1679 |
|
|
} |
1680 |
|
|
|
1681 |
|
|
if ((sa_addr = pfkey_find_ext(reply, rlen, |
1682 |
|
|
SADB_X_EXT_DST_FLOW)) == NULL) { |
1683 |
|
|
errmsg = "flow destination address"; |
1684 |
|
|
goto out; |
1685 |
|
|
} |
1686 |
|
|
sdst = (struct sockaddr *)(sa_addr + 1); |
1687 |
|
|
flow.flow_dst.addr_af = sdst->sa_family; |
1688 |
|
|
flow.flow_dst.addr_port = htons(socket_getport(sdst)); |
1689 |
|
|
if ((slen = sdst->sa_len) > sizeof(flow.flow_dst.addr)) { |
1690 |
|
|
log_debug("%s: invalid dst address len", __func__); |
1691 |
|
|
return (0); |
1692 |
|
|
} |
1693 |
|
|
memcpy(&flow.flow_dst.addr, sdst, slen); |
1694 |
|
|
if (socket_af((struct sockaddr *)&flow.flow_dst.addr, |
1695 |
|
|
flow.flow_dst.addr_port) == -1) { |
1696 |
|
|
log_debug("%s: invalid address", __func__); |
1697 |
|
|
return (0); |
1698 |
|
|
} |
1699 |
|
|
|
1700 |
|
|
if ((sa_addr = pfkey_find_ext(reply, rlen, |
1701 |
|
|
SADB_X_EXT_SRC_MASK)) == NULL) { |
1702 |
|
|
errmsg = "flow source mask"; |
1703 |
|
|
goto out; |
1704 |
|
|
} |
1705 |
|
|
smask = (struct sockaddr *)(sa_addr + 1); |
1706 |
|
|
switch (smask->sa_family) { |
1707 |
|
|
case AF_INET: |
1708 |
|
|
flow.flow_src.addr_mask = |
1709 |
|
|
mask2prefixlen((struct sockaddr *)smask); |
1710 |
|
|
if (flow.flow_src.addr_mask != 32) |
1711 |
|
|
flow.flow_src.addr_net = 1; |
1712 |
|
|
break; |
1713 |
|
|
case AF_INET6: |
1714 |
|
|
flow.flow_src.addr_mask = |
1715 |
|
|
mask2prefixlen6((struct sockaddr *)smask); |
1716 |
|
|
if (flow.flow_src.addr_mask != 128) |
1717 |
|
|
flow.flow_src.addr_net = 1; |
1718 |
|
|
break; |
1719 |
|
|
default: |
1720 |
|
|
log_debug("%s: bad address family", __func__); |
1721 |
|
|
free(reply); |
1722 |
|
|
return (0); |
1723 |
|
|
} |
1724 |
|
|
|
1725 |
|
|
if ((sa_addr = pfkey_find_ext(reply, rlen, |
1726 |
|
|
SADB_X_EXT_DST_MASK)) == NULL) { |
1727 |
|
|
errmsg = "flow destination mask"; |
1728 |
|
|
goto out; |
1729 |
|
|
} |
1730 |
|
|
dmask = (struct sockaddr *)(sa_addr + 1); |
1731 |
|
|
switch (dmask->sa_family) { |
1732 |
|
|
case AF_INET: |
1733 |
|
|
flow.flow_dst.addr_mask = |
1734 |
|
|
mask2prefixlen((struct sockaddr *)dmask); |
1735 |
|
|
if (flow.flow_src.addr_mask != 32) |
1736 |
|
|
flow.flow_src.addr_net = 1; |
1737 |
|
|
break; |
1738 |
|
|
case AF_INET6: |
1739 |
|
|
flow.flow_dst.addr_mask = |
1740 |
|
|
mask2prefixlen6((struct sockaddr *)dmask); |
1741 |
|
|
if (flow.flow_src.addr_mask != 128) |
1742 |
|
|
flow.flow_src.addr_net = 1; |
1743 |
|
|
break; |
1744 |
|
|
default: |
1745 |
|
|
log_debug("%s: bad address family", __func__); |
1746 |
|
|
free(reply); |
1747 |
|
|
return (0); |
1748 |
|
|
} |
1749 |
|
|
|
1750 |
|
|
if ((sa_proto = pfkey_find_ext(reply, rlen, |
1751 |
|
|
SADB_X_EXT_FLOW_TYPE)) == NULL) { |
1752 |
|
|
errmsg = "flow protocol"; |
1753 |
|
|
goto out; |
1754 |
|
|
} |
1755 |
|
|
flow.flow_dir = sa_proto->sadb_protocol_direction; |
1756 |
|
|
|
1757 |
|
|
log_debug("%s: flow %s from %s/%s to %s/%s via %s", __func__, |
1758 |
|
|
flow.flow_dir == IPSP_DIRECTION_IN ? "in" : "out", |
1759 |
|
|
print_host(ssrc, NULL, 0), print_host(smask, NULL, 0), |
1760 |
|
|
print_host(sdst, NULL, 0), print_host(dmask, NULL, 0), |
1761 |
|
|
print_host(speer, NULL, 0)); |
1762 |
|
|
|
1763 |
|
|
ret = ikev2_acquire_sa(env, &flow); |
1764 |
|
|
|
1765 |
|
|
out: |
1766 |
|
|
if (errmsg) |
1767 |
|
|
log_warnx("%s: %s wasn't found", __func__, errmsg); |
1768 |
|
|
free(reply); |
1769 |
|
|
break; |
1770 |
|
|
|
1771 |
|
|
case SADB_EXPIRE: |
1772 |
|
|
if ((sa = pfkey_find_ext(data, len, SADB_EXT_SA)) == NULL) { |
1773 |
|
|
log_warnx("%s: SA extension wasn't found", __func__); |
1774 |
|
|
return (0); |
1775 |
|
|
} |
1776 |
|
|
if ((sa_ltime = pfkey_find_ext(data, len, |
1777 |
|
|
SADB_EXT_LIFETIME_SOFT)) == NULL && |
1778 |
|
|
(sa_ltime = pfkey_find_ext(data, len, |
1779 |
|
|
SADB_EXT_LIFETIME_HARD)) == NULL) { |
1780 |
|
|
log_warnx("%s: lifetime extension wasn't found", |
1781 |
|
|
__func__); |
1782 |
|
|
return (0); |
1783 |
|
|
} |
1784 |
|
|
spi.spi = ntohl(sa->sadb_sa_spi); |
1785 |
|
|
spi.spi_size = 4; |
1786 |
|
|
switch (hdr->sadb_msg_satype) { |
1787 |
|
|
case SADB_SATYPE_AH: |
1788 |
|
|
spi.spi_protoid = IKEV2_SAPROTO_AH; |
1789 |
|
|
break; |
1790 |
|
|
case SADB_SATYPE_ESP: |
1791 |
|
|
spi.spi_protoid = IKEV2_SAPROTO_ESP; |
1792 |
|
|
break; |
1793 |
|
|
case SADB_X_SATYPE_IPCOMP: |
1794 |
|
|
spi.spi_size = 2; |
1795 |
|
|
spi.spi_protoid = IKEV2_SAPROTO_IPCOMP; |
1796 |
|
|
break; |
1797 |
|
|
default: |
1798 |
|
|
log_warnx("%s: unsupported SA type %d spi %s", |
1799 |
|
|
__func__, hdr->sadb_msg_satype, |
1800 |
|
|
print_spi(spi.spi, spi.spi_size)); |
1801 |
|
|
return (0); |
1802 |
|
|
} |
1803 |
|
|
|
1804 |
|
|
log_debug("%s: SA %s is expired, pending %s", __func__, |
1805 |
|
|
print_spi(spi.spi, spi.spi_size), |
1806 |
|
|
sa_ltime->sadb_lifetime_exttype == SADB_EXT_LIFETIME_SOFT ? |
1807 |
|
|
"rekeying" : "deletion"); |
1808 |
|
|
|
1809 |
|
|
if (sa_ltime->sadb_lifetime_exttype == SADB_EXT_LIFETIME_SOFT) |
1810 |
|
|
ret = ikev2_rekey_sa(env, &spi); |
1811 |
|
|
else |
1812 |
|
|
ret = ikev2_drop_sa(env, &spi); |
1813 |
|
|
break; |
1814 |
|
|
} |
1815 |
|
|
return (ret); |
1816 |
|
|
} |