GCC Code Coverage Report
Directory: ./ Exec Total Coverage
File: sbin/ipsecctl/pfkey.c Lines: 0 722 0.0 %
Date: 2017-11-13 Branches: 0 317 0.0 %

Line Branch Exec Source
1
/*	$OpenBSD: pfkey.c,v 1.60 2017/04/19 15:59:38 bluhm Exp $	*/
2
/*
3
 * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
4
 * Copyright (c) 2003, 2004 Markus Friedl <markus@openbsd.org>
5
 * Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
6
 *
7
 * Permission to use, copy, modify, and distribute this software for any
8
 * purpose with or without fee is hereby granted, provided that the above
9
 * copyright notice and this permission notice appear in all copies.
10
 *
11
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18
 */
19
20
#include <sys/types.h>
21
#include <sys/queue.h>
22
#include <sys/uio.h>
23
#include <sys/socket.h>
24
#include <netinet/in.h>
25
#include <netinet/ip_ipsp.h>
26
#include <net/pfkeyv2.h>
27
28
#include <err.h>
29
#include <errno.h>
30
#include <stdio.h>
31
#include <string.h>
32
#include <stdlib.h>
33
#include <poll.h>
34
#include <unistd.h>
35
36
#include "ipsecctl.h"
37
#include "pfkey.h"
38
39
#define ROUNDUP(x) (((x) + (PFKEYV2_CHUNK - 1)) & ~(PFKEYV2_CHUNK - 1))
40
#define IOV_CNT 20
41
42
static int	fd;
43
static u_int32_t sadb_msg_seq = 1;
44
45
static int	pfkey_flow(int, u_int8_t, u_int8_t, u_int8_t, u_int8_t,
46
		    struct ipsec_addr_wrap *, u_int16_t,
47
		    struct ipsec_addr_wrap *, u_int16_t,
48
		    struct ipsec_addr_wrap *, struct ipsec_addr_wrap *,
49
		    struct ipsec_auth *, u_int8_t);
50
static int	pfkey_sa(int, u_int8_t, u_int8_t, u_int32_t,
51
		    struct ipsec_addr_wrap *, struct ipsec_addr_wrap *,
52
		    struct ipsec_transforms *, struct ipsec_key *,
53
		    struct ipsec_key *, u_int8_t);
54
static int	pfkey_sabundle(int, u_int8_t, u_int8_t, u_int8_t,
55
		    struct ipsec_addr_wrap *, u_int32_t,
56
		    struct ipsec_addr_wrap *, u_int32_t);
57
static int	pfkey_reply(int, u_int8_t **, ssize_t *);
58
int		pfkey_parse(struct sadb_msg *, struct ipsec_rule *);
59
int		pfkey_ipsec_flush(void);
60
int		pfkey_ipsec_establish(int, struct ipsec_rule *);
61
int		pfkey_init(void);
62
63
static int
64
pfkey_flow(int sd, u_int8_t satype, u_int8_t action, u_int8_t direction,
65
    u_int8_t proto, struct ipsec_addr_wrap *src, u_int16_t sport,
66
    struct ipsec_addr_wrap *dst, u_int16_t dport,
67
    struct ipsec_addr_wrap *local, struct ipsec_addr_wrap *peer,
68
    struct ipsec_auth *auth, u_int8_t flowtype)
69
{
70
	struct sadb_msg		 smsg;
71
	struct sadb_address	 sa_src, sa_dst, sa_local, sa_peer, sa_smask,
72
				 sa_dmask;
73
	struct sadb_protocol	 sa_flowtype, sa_protocol;
74
	struct sadb_ident	*sa_srcid, *sa_dstid;
75
	struct sockaddr_storage	 ssrc, sdst, slocal, speer, smask, dmask;
76
	struct iovec		 iov[IOV_CNT];
77
	ssize_t			 n;
78
	int			 iov_cnt, len, ret = 0;
79
80
	sa_srcid = sa_dstid = NULL;
81
82
	bzero(&ssrc, sizeof(ssrc));
83
	bzero(&smask, sizeof(smask));
84
	ssrc.ss_family = smask.ss_family = src->af;
85
	switch (src->af) {
86
	case AF_INET:
87
		((struct sockaddr_in *)&ssrc)->sin_addr = src->address.v4;
88
		ssrc.ss_len = sizeof(struct sockaddr_in);
89
		((struct sockaddr_in *)&smask)->sin_addr = src->mask.v4;
90
		if (sport) {
91
			((struct sockaddr_in *)&ssrc)->sin_port = sport;
92
			((struct sockaddr_in *)&smask)->sin_port = 0xffff;
93
		}
94
		break;
95
	case AF_INET6:
96
		((struct sockaddr_in6 *)&ssrc)->sin6_addr = src->address.v6;
97
		ssrc.ss_len = sizeof(struct sockaddr_in6);
98
		((struct sockaddr_in6 *)&smask)->sin6_addr = src->mask.v6;
99
		if (sport) {
100
			((struct sockaddr_in6 *)&ssrc)->sin6_port = sport;
101
			((struct sockaddr_in6 *)&smask)->sin6_port = 0xffff;
102
		}
103
		break;
104
	default:
105
		warnx("unsupported address family %d", src->af);
106
		return -1;
107
	}
108
	smask.ss_len = ssrc.ss_len;
109
110
	bzero(&sdst, sizeof(sdst));
111
	bzero(&dmask, sizeof(dmask));
112
	sdst.ss_family = dmask.ss_family = dst->af;
113
	switch (dst->af) {
114
	case AF_INET:
115
		((struct sockaddr_in *)&sdst)->sin_addr = dst->address.v4;
116
		sdst.ss_len = sizeof(struct sockaddr_in);
117
		((struct sockaddr_in *)&dmask)->sin_addr = dst->mask.v4;
118
		if (dport) {
119
			((struct sockaddr_in *)&sdst)->sin_port = dport;
120
			((struct sockaddr_in *)&dmask)->sin_port = 0xffff;
121
		}
122
		break;
123
	case AF_INET6:
124
		((struct sockaddr_in6 *)&sdst)->sin6_addr = dst->address.v6;
125
		sdst.ss_len = sizeof(struct sockaddr_in6);
126
		((struct sockaddr_in6 *)&dmask)->sin6_addr = dst->mask.v6;
127
		if (dport) {
128
			((struct sockaddr_in6 *)&sdst)->sin6_port = dport;
129
			((struct sockaddr_in6 *)&dmask)->sin6_port = 0xffff;
130
		}
131
		break;
132
	default:
133
		warnx("unsupported address family %d", dst->af);
134
		return -1;
135
	}
136
	dmask.ss_len = sdst.ss_len;
137
138
	bzero(&slocal, sizeof(slocal));
139
	if (local) {
140
		slocal.ss_family = local->af;
141
		switch (local->af) {
142
		case AF_INET:
143
			((struct sockaddr_in *)&slocal)->sin_addr =
144
			    local->address.v4;
145
			slocal.ss_len = sizeof(struct sockaddr_in);
146
			break;
147
		case AF_INET6:
148
			((struct sockaddr_in6 *)&slocal)->sin6_addr =
149
			    local->address.v6;
150
			slocal.ss_len = sizeof(struct sockaddr_in6);
151
			break;
152
		default:
153
			warnx("unsupported address family %d", local->af);
154
			return -1;
155
		}
156
	}
157
158
	bzero(&speer, sizeof(speer));
159
	if (peer) {
160
		speer.ss_family = peer->af;
161
		switch (peer->af) {
162
		case AF_INET:
163
			((struct sockaddr_in *)&speer)->sin_addr =
164
			    peer->address.v4;
165
			speer.ss_len = sizeof(struct sockaddr_in);
166
			break;
167
		case AF_INET6:
168
			((struct sockaddr_in6 *)&speer)->sin6_addr =
169
			    peer->address.v6;
170
			speer.ss_len = sizeof(struct sockaddr_in6);
171
			break;
172
		default:
173
			warnx("unsupported address family %d", peer->af);
174
			return -1;
175
		}
176
	}
177
178
	bzero(&smsg, sizeof(smsg));
179
	smsg.sadb_msg_version = PF_KEY_V2;
180
	smsg.sadb_msg_seq = sadb_msg_seq++;
181
	smsg.sadb_msg_pid = getpid();
182
	smsg.sadb_msg_len = sizeof(smsg) / 8;
183
	smsg.sadb_msg_type = action;
184
	smsg.sadb_msg_satype = satype;
185
186
	bzero(&sa_flowtype, sizeof(sa_flowtype));
187
	sa_flowtype.sadb_protocol_exttype = SADB_X_EXT_FLOW_TYPE;
188
	sa_flowtype.sadb_protocol_len = sizeof(sa_flowtype) / 8;
189
	sa_flowtype.sadb_protocol_direction = direction;
190
191
	switch (flowtype) {
192
	case TYPE_USE:
193
		sa_flowtype.sadb_protocol_proto = SADB_X_FLOW_TYPE_USE;
194
		break;
195
	case TYPE_ACQUIRE:
196
		sa_flowtype.sadb_protocol_proto = SADB_X_FLOW_TYPE_ACQUIRE;
197
		break;
198
	case TYPE_REQUIRE:
199
		sa_flowtype.sadb_protocol_proto = SADB_X_FLOW_TYPE_REQUIRE;
200
		break;
201
	case TYPE_DENY:
202
		sa_flowtype.sadb_protocol_proto = SADB_X_FLOW_TYPE_DENY;
203
		break;
204
	case TYPE_BYPASS:
205
		sa_flowtype.sadb_protocol_proto = SADB_X_FLOW_TYPE_BYPASS;
206
		break;
207
	case TYPE_DONTACQ:
208
		sa_flowtype.sadb_protocol_proto = SADB_X_FLOW_TYPE_DONTACQ;
209
		break;
210
	default:
211
		warnx("unsupported flowtype %d", flowtype);
212
		return -1;
213
	}
214
215
	bzero(&sa_protocol, sizeof(sa_protocol));
216
	sa_protocol.sadb_protocol_exttype = SADB_X_EXT_PROTOCOL;
217
	sa_protocol.sadb_protocol_len = sizeof(sa_protocol) / 8;
218
	sa_protocol.sadb_protocol_direction = 0;
219
	sa_protocol.sadb_protocol_proto = proto;
220
221
	bzero(&sa_src, sizeof(sa_src));
222
	sa_src.sadb_address_exttype = SADB_X_EXT_SRC_FLOW;
223
	sa_src.sadb_address_len = (sizeof(sa_src) + ROUNDUP(ssrc.ss_len)) / 8;
224
225
	bzero(&sa_smask, sizeof(sa_smask));
226
	sa_smask.sadb_address_exttype = SADB_X_EXT_SRC_MASK;
227
	sa_smask.sadb_address_len =
228
	    (sizeof(sa_smask) + ROUNDUP(smask.ss_len)) / 8;
229
230
	bzero(&sa_dst, sizeof(sa_dst));
231
	sa_dst.sadb_address_exttype = SADB_X_EXT_DST_FLOW;
232
	sa_dst.sadb_address_len = (sizeof(sa_dst) + ROUNDUP(sdst.ss_len)) / 8;
233
234
	bzero(&sa_dmask, sizeof(sa_dmask));
235
	sa_dmask.sadb_address_exttype = SADB_X_EXT_DST_MASK;
236
	sa_dmask.sadb_address_len =
237
	    (sizeof(sa_dmask) + ROUNDUP(dmask.ss_len)) / 8;
238
239
	if (local) {
240
		bzero(&sa_local, sizeof(sa_local));
241
		sa_local.sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
242
		sa_local.sadb_address_len =
243
		    (sizeof(sa_local) + ROUNDUP(slocal.ss_len)) / 8;
244
	}
245
	if (peer) {
246
		bzero(&sa_peer, sizeof(sa_peer));
247
		sa_peer.sadb_address_exttype = SADB_EXT_ADDRESS_DST;
248
		sa_peer.sadb_address_len =
249
		    (sizeof(sa_peer) + ROUNDUP(speer.ss_len)) / 8;
250
	}
251
252
	if (auth && auth->srcid) {
253
		len = ROUNDUP(strlen(auth->srcid) + 1) + sizeof(*sa_srcid);
254
255
		sa_srcid = calloc(len, sizeof(u_int8_t));
256
		if (sa_srcid == NULL)
257
			err(1, "pfkey_flow: calloc");
258
259
		sa_srcid->sadb_ident_type = auth->srcid_type;
260
		sa_srcid->sadb_ident_len = len / 8;
261
		sa_srcid->sadb_ident_exttype = SADB_EXT_IDENTITY_SRC;
262
263
		strlcpy((char *)(sa_srcid + 1), auth->srcid,
264
		    ROUNDUP(strlen(auth->srcid) + 1));
265
	}
266
	if (auth && auth->dstid) {
267
		len = ROUNDUP(strlen(auth->dstid) + 1) + sizeof(*sa_dstid);
268
269
		sa_dstid = calloc(len, sizeof(u_int8_t));
270
		if (sa_dstid == NULL)
271
			err(1, "pfkey_flow: calloc");
272
273
		sa_dstid->sadb_ident_type = auth->dstid_type;
274
		sa_dstid->sadb_ident_len = len / 8;
275
		sa_dstid->sadb_ident_exttype = SADB_EXT_IDENTITY_DST;
276
277
		strlcpy((char *)(sa_dstid + 1), auth->dstid,
278
		    ROUNDUP(strlen(auth->dstid) + 1));
279
	}
280
281
	iov_cnt = 0;
282
283
	/* header */
284
	iov[iov_cnt].iov_base = &smsg;
285
	iov[iov_cnt].iov_len = sizeof(smsg);
286
	iov_cnt++;
287
288
	/* add flow type */
289
	iov[iov_cnt].iov_base = &sa_flowtype;
290
	iov[iov_cnt].iov_len = sizeof(sa_flowtype);
291
	smsg.sadb_msg_len += sa_flowtype.sadb_protocol_len;
292
	iov_cnt++;
293
294
	/* local ip */
295
	if (local) {
296
		iov[iov_cnt].iov_base = &sa_local;
297
		iov[iov_cnt].iov_len = sizeof(sa_local);
298
		iov_cnt++;
299
		iov[iov_cnt].iov_base = &slocal;
300
		iov[iov_cnt].iov_len = ROUNDUP(slocal.ss_len);
301
		smsg.sadb_msg_len += sa_local.sadb_address_len;
302
		iov_cnt++;
303
	}
304
305
	/* remote peer */
306
	if (peer) {
307
		iov[iov_cnt].iov_base = &sa_peer;
308
		iov[iov_cnt].iov_len = sizeof(sa_peer);
309
		iov_cnt++;
310
		iov[iov_cnt].iov_base = &speer;
311
		iov[iov_cnt].iov_len = ROUNDUP(speer.ss_len);
312
		smsg.sadb_msg_len += sa_peer.sadb_address_len;
313
		iov_cnt++;
314
	}
315
316
	/* src addr */
317
	iov[iov_cnt].iov_base = &sa_src;
318
	iov[iov_cnt].iov_len = sizeof(sa_src);
319
	iov_cnt++;
320
	iov[iov_cnt].iov_base = &ssrc;
321
	iov[iov_cnt].iov_len = ROUNDUP(ssrc.ss_len);
322
	smsg.sadb_msg_len += sa_src.sadb_address_len;
323
	iov_cnt++;
324
325
	/* src mask */
326
	iov[iov_cnt].iov_base = &sa_smask;
327
	iov[iov_cnt].iov_len = sizeof(sa_smask);
328
	iov_cnt++;
329
	iov[iov_cnt].iov_base = &smask;
330
	iov[iov_cnt].iov_len = ROUNDUP(smask.ss_len);
331
	smsg.sadb_msg_len += sa_smask.sadb_address_len;
332
	iov_cnt++;
333
334
	/* dest addr */
335
	iov[iov_cnt].iov_base = &sa_dst;
336
	iov[iov_cnt].iov_len = sizeof(sa_dst);
337
	iov_cnt++;
338
	iov[iov_cnt].iov_base = &sdst;
339
	iov[iov_cnt].iov_len = ROUNDUP(sdst.ss_len);
340
	smsg.sadb_msg_len += sa_dst.sadb_address_len;
341
	iov_cnt++;
342
343
	/* dst mask */
344
	iov[iov_cnt].iov_base = &sa_dmask;
345
	iov[iov_cnt].iov_len = sizeof(sa_dmask);
346
	iov_cnt++;
347
	iov[iov_cnt].iov_base = &dmask;
348
	iov[iov_cnt].iov_len = ROUNDUP(dmask.ss_len);
349
	smsg.sadb_msg_len += sa_dmask.sadb_address_len;
350
	iov_cnt++;
351
352
	/* add protocol */
353
	iov[iov_cnt].iov_base = &sa_protocol;
354
	iov[iov_cnt].iov_len = sizeof(sa_protocol);
355
	smsg.sadb_msg_len += sa_protocol.sadb_protocol_len;
356
	iov_cnt++;
357
358
	if (sa_srcid) {
359
		/* src identity */
360
		iov[iov_cnt].iov_base = sa_srcid;
361
		iov[iov_cnt].iov_len = sa_srcid->sadb_ident_len * 8;
362
		smsg.sadb_msg_len += sa_srcid->sadb_ident_len;
363
		iov_cnt++;
364
	}
365
	if (sa_dstid) {
366
		/* dst identity */
367
		iov[iov_cnt].iov_base = sa_dstid;
368
		iov[iov_cnt].iov_len = sa_dstid->sadb_ident_len * 8;
369
		smsg.sadb_msg_len += sa_dstid->sadb_ident_len;
370
		iov_cnt++;
371
	}
372
	len = smsg.sadb_msg_len * 8;
373
374
	do {
375
		n = writev(sd, iov, iov_cnt);
376
	} while (n == -1 && (errno == EAGAIN || errno == EINTR));
377
	if (n == -1) {
378
		warn("writev failed");
379
		ret = -1;
380
	}
381
382
	free(sa_srcid);
383
	free(sa_dstid);
384
385
	return ret;
386
}
387
388
static int
389
pfkey_sa(int sd, u_int8_t satype, u_int8_t action, u_int32_t spi,
390
    struct ipsec_addr_wrap *src, struct ipsec_addr_wrap *dst,
391
    struct ipsec_transforms *xfs, struct ipsec_key *authkey,
392
    struct ipsec_key *enckey, u_int8_t tmode)
393
{
394
	struct sadb_msg		smsg;
395
	struct sadb_sa		sa;
396
	struct sadb_address	sa_src, sa_dst;
397
	struct sadb_key		sa_authkey, sa_enckey;
398
	struct sockaddr_storage	ssrc, sdst;
399
	struct iovec		iov[IOV_CNT];
400
	ssize_t			n;
401
	int			iov_cnt, len, ret = 0;
402
403
	bzero(&ssrc, sizeof(ssrc));
404
	ssrc.ss_family = src->af;
405
	switch (src->af) {
406
	case AF_INET:
407
		((struct sockaddr_in *)&ssrc)->sin_addr = src->address.v4;
408
		ssrc.ss_len = sizeof(struct sockaddr_in);
409
		break;
410
	case AF_INET6:
411
		((struct sockaddr_in6 *)&ssrc)->sin6_addr = src->address.v6;
412
		ssrc.ss_len = sizeof(struct sockaddr_in6);
413
		break;
414
	default:
415
		warnx("unsupported address family %d", src->af);
416
		return -1;
417
	}
418
419
	bzero(&sdst, sizeof(sdst));
420
	sdst.ss_family = dst->af;
421
	switch (dst->af) {
422
	case AF_INET:
423
		((struct sockaddr_in *)&sdst)->sin_addr = dst->address.v4;
424
		sdst.ss_len = sizeof(struct sockaddr_in);
425
		break;
426
	case AF_INET6:
427
		((struct sockaddr_in6 *)&sdst)->sin6_addr = dst->address.v6;
428
		sdst.ss_len = sizeof(struct sockaddr_in6);
429
		break;
430
	default:
431
		warnx("unsupported address family %d", dst->af);
432
		return -1;
433
	}
434
435
	bzero(&smsg, sizeof(smsg));
436
	smsg.sadb_msg_version = PF_KEY_V2;
437
	smsg.sadb_msg_seq = sadb_msg_seq++;
438
	smsg.sadb_msg_pid = getpid();
439
	smsg.sadb_msg_len = sizeof(smsg) / 8;
440
	smsg.sadb_msg_type = action;
441
	smsg.sadb_msg_satype = satype;
442
443
	bzero(&sa, sizeof(sa));
444
	sa.sadb_sa_len = sizeof(sa) / 8;
445
	sa.sadb_sa_exttype = SADB_EXT_SA;
446
	sa.sadb_sa_spi = htonl(spi);
447
	sa.sadb_sa_state = SADB_SASTATE_MATURE;
448
449
	if (satype != SADB_X_SATYPE_IPIP && tmode == IPSEC_TUNNEL)
450
		sa.sadb_sa_flags |= SADB_X_SAFLAGS_TUNNEL;
451
452
	if (xfs && xfs->authxf) {
453
		switch (xfs->authxf->id) {
454
		case AUTHXF_NONE:
455
			break;
456
		case AUTHXF_HMAC_MD5:
457
			sa.sadb_sa_auth = SADB_AALG_MD5HMAC;
458
			break;
459
		case AUTHXF_HMAC_RIPEMD160:
460
			sa.sadb_sa_auth = SADB_X_AALG_RIPEMD160HMAC;
461
			break;
462
		case AUTHXF_HMAC_SHA1:
463
			sa.sadb_sa_auth = SADB_AALG_SHA1HMAC;
464
			break;
465
		case AUTHXF_HMAC_SHA2_256:
466
			sa.sadb_sa_auth = SADB_X_AALG_SHA2_256;
467
			break;
468
		case AUTHXF_HMAC_SHA2_384:
469
			sa.sadb_sa_auth = SADB_X_AALG_SHA2_384;
470
			break;
471
		case AUTHXF_HMAC_SHA2_512:
472
			sa.sadb_sa_auth = SADB_X_AALG_SHA2_512;
473
			break;
474
		default:
475
			warnx("unsupported authentication algorithm %d",
476
			    xfs->authxf->id);
477
		}
478
	}
479
	if (xfs && xfs->encxf) {
480
		switch (xfs->encxf->id) {
481
		case ENCXF_NONE:
482
			break;
483
		case ENCXF_3DES_CBC:
484
			sa.sadb_sa_encrypt = SADB_EALG_3DESCBC;
485
			break;
486
		case ENCXF_AES:
487
		case ENCXF_AES_128:
488
		case ENCXF_AES_192:
489
		case ENCXF_AES_256:
490
			sa.sadb_sa_encrypt = SADB_X_EALG_AES;
491
			break;
492
		case ENCXF_AESCTR:
493
		case ENCXF_AES_128_CTR:
494
		case ENCXF_AES_192_CTR:
495
		case ENCXF_AES_256_CTR:
496
			sa.sadb_sa_encrypt = SADB_X_EALG_AESCTR;
497
			break;
498
		case ENCXF_AES_128_GCM:
499
		case ENCXF_AES_192_GCM:
500
		case ENCXF_AES_256_GCM:
501
			sa.sadb_sa_encrypt = SADB_X_EALG_AESGCM16;
502
			break;
503
		case ENCXF_AES_128_GMAC:
504
		case ENCXF_AES_192_GMAC:
505
		case ENCXF_AES_256_GMAC:
506
			sa.sadb_sa_encrypt = SADB_X_EALG_AESGMAC;
507
			break;
508
		case ENCXF_BLOWFISH:
509
			sa.sadb_sa_encrypt = SADB_X_EALG_BLF;
510
			break;
511
		case ENCXF_CAST128:
512
			sa.sadb_sa_encrypt = SADB_X_EALG_CAST;
513
			break;
514
		case ENCXF_NULL:
515
			sa.sadb_sa_encrypt = SADB_EALG_NULL;
516
			break;
517
		default:
518
			warnx("unsupported encryption algorithm %d",
519
			    xfs->encxf->id);
520
		}
521
	}
522
	if (xfs && xfs->compxf) {
523
		switch (xfs->compxf->id) {
524
		case COMPXF_DEFLATE:
525
			sa.sadb_sa_encrypt = SADB_X_CALG_DEFLATE;
526
			break;
527
		case COMPXF_LZS:
528
			sa.sadb_sa_encrypt = SADB_X_CALG_LZS;
529
			break;
530
		default:
531
			warnx("unsupported compression algorithm %d",
532
			    xfs->compxf->id);
533
		}
534
	}
535
536
	bzero(&sa_src, sizeof(sa_src));
537
	sa_src.sadb_address_len = (sizeof(sa_src) + ROUNDUP(ssrc.ss_len)) / 8;
538
	sa_src.sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
539
540
	bzero(&sa_dst, sizeof(sa_dst));
541
	sa_dst.sadb_address_len = (sizeof(sa_dst) + ROUNDUP(sdst.ss_len)) / 8;
542
	sa_dst.sadb_address_exttype = SADB_EXT_ADDRESS_DST;
543
544
	if (action == SADB_ADD && !authkey && !enckey && satype !=
545
	    SADB_X_SATYPE_IPCOMP && satype != SADB_X_SATYPE_IPIP) { /* XXX ENCNULL */
546
		warnx("no key specified");
547
		return -1;
548
	}
549
	if (authkey) {
550
		bzero(&sa_authkey, sizeof(sa_authkey));
551
		sa_authkey.sadb_key_len = (sizeof(sa_authkey) +
552
		    ((authkey->len + 7) / 8) * 8) / 8;
553
		sa_authkey.sadb_key_exttype = SADB_EXT_KEY_AUTH;
554
		sa_authkey.sadb_key_bits = 8 * authkey->len;
555
	}
556
	if (enckey) {
557
		bzero(&sa_enckey, sizeof(sa_enckey));
558
		sa_enckey.sadb_key_len = (sizeof(sa_enckey) +
559
		    ((enckey->len + 7) / 8) * 8) / 8;
560
		sa_enckey.sadb_key_exttype = SADB_EXT_KEY_ENCRYPT;
561
		sa_enckey.sadb_key_bits = 8 * enckey->len;
562
	}
563
564
	iov_cnt = 0;
565
566
	/* header */
567
	iov[iov_cnt].iov_base = &smsg;
568
	iov[iov_cnt].iov_len = sizeof(smsg);
569
	iov_cnt++;
570
571
	/* sa */
572
	iov[iov_cnt].iov_base = &sa;
573
	iov[iov_cnt].iov_len = sizeof(sa);
574
	smsg.sadb_msg_len += sa.sadb_sa_len;
575
	iov_cnt++;
576
577
	/* src addr */
578
	iov[iov_cnt].iov_base = &sa_src;
579
	iov[iov_cnt].iov_len = sizeof(sa_src);
580
	iov_cnt++;
581
	iov[iov_cnt].iov_base = &ssrc;
582
	iov[iov_cnt].iov_len = ROUNDUP(ssrc.ss_len);
583
	smsg.sadb_msg_len += sa_src.sadb_address_len;
584
	iov_cnt++;
585
586
	/* dst addr */
587
	iov[iov_cnt].iov_base = &sa_dst;
588
	iov[iov_cnt].iov_len = sizeof(sa_dst);
589
	iov_cnt++;
590
	iov[iov_cnt].iov_base = &sdst;
591
	iov[iov_cnt].iov_len = ROUNDUP(sdst.ss_len);
592
	smsg.sadb_msg_len += sa_dst.sadb_address_len;
593
	iov_cnt++;
594
595
	if (authkey) {
596
		/* authentication key */
597
		iov[iov_cnt].iov_base = &sa_authkey;
598
		iov[iov_cnt].iov_len = sizeof(sa_authkey);
599
		iov_cnt++;
600
		iov[iov_cnt].iov_base = authkey->data;
601
		iov[iov_cnt].iov_len = ((authkey->len + 7) / 8) * 8;
602
		smsg.sadb_msg_len += sa_authkey.sadb_key_len;
603
		iov_cnt++;
604
	}
605
	if (enckey) {
606
		/* encryption key */
607
		iov[iov_cnt].iov_base = &sa_enckey;
608
		iov[iov_cnt].iov_len = sizeof(sa_enckey);
609
		iov_cnt++;
610
		iov[iov_cnt].iov_base = enckey->data;
611
		iov[iov_cnt].iov_len = ((enckey->len + 7) / 8) * 8;
612
		smsg.sadb_msg_len += sa_enckey.sadb_key_len;
613
		iov_cnt++;
614
	}
615
616
	len = smsg.sadb_msg_len * 8;
617
	if ((n = writev(sd, iov, iov_cnt)) == -1) {
618
		warn("writev failed");
619
		ret = -1;
620
	} else if (n != len) {
621
		warnx("short write");
622
		ret = -1;
623
	}
624
625
	return ret;
626
}
627
628
static int
629
pfkey_sabundle(int sd, u_int8_t satype, u_int8_t satype2, u_int8_t action,
630
    struct ipsec_addr_wrap *dst, u_int32_t spi, struct ipsec_addr_wrap *dst2,
631
    u_int32_t spi2)
632
{
633
	struct sadb_msg		smsg;
634
	struct sadb_sa		sa1, sa2;
635
	struct sadb_address	sa_dst, sa_dst2;
636
	struct sockaddr_storage	sdst, sdst2;
637
	struct sadb_protocol	sa_proto;
638
	struct iovec		iov[IOV_CNT];
639
	ssize_t			n;
640
	int			iov_cnt, len, ret = 0;
641
642
	bzero(&sdst, sizeof(sdst));
643
	sdst.ss_family = dst->af;
644
	switch (dst->af) {
645
	case AF_INET:
646
		((struct sockaddr_in *)&sdst)->sin_addr = dst->address.v4;
647
		sdst.ss_len = sizeof(struct sockaddr_in);
648
		break;
649
	case AF_INET6:
650
		((struct sockaddr_in6 *)&sdst)->sin6_addr = dst->address.v6;
651
		sdst.ss_len = sizeof(struct sockaddr_in6);
652
		break;
653
	default:
654
		warnx("unsupported address family %d", dst->af);
655
		return -1;
656
	}
657
658
	bzero(&sdst2, sizeof(sdst2));
659
	sdst2.ss_family = dst2->af;
660
	switch (dst2->af) {
661
	case AF_INET:
662
		((struct sockaddr_in *)&sdst2)->sin_addr = dst2->address.v4;
663
		sdst2.ss_len = sizeof(struct sockaddr_in);
664
		break;
665
	case AF_INET6:
666
		((struct sockaddr_in6 *)&sdst2)->sin6_addr = dst2->address.v6;
667
		sdst2.ss_len = sizeof(struct sockaddr_in6);
668
		break;
669
	default:
670
		warnx("unsupported address family %d", dst2->af);
671
		return -1;
672
	}
673
674
	bzero(&smsg, sizeof(smsg));
675
	smsg.sadb_msg_version = PF_KEY_V2;
676
	smsg.sadb_msg_seq = sadb_msg_seq++;
677
	smsg.sadb_msg_pid = getpid();
678
	smsg.sadb_msg_len = sizeof(smsg) / 8;
679
	smsg.sadb_msg_type = action;
680
	smsg.sadb_msg_satype = satype;
681
682
	bzero(&sa1, sizeof(sa1));
683
	sa1.sadb_sa_len = sizeof(sa1) / 8;
684
	sa1.sadb_sa_exttype = SADB_EXT_SA;
685
	sa1.sadb_sa_spi = htonl(spi);
686
	sa1.sadb_sa_state = SADB_SASTATE_MATURE;
687
688
	bzero(&sa2, sizeof(sa2));
689
	sa2.sadb_sa_len = sizeof(sa2) / 8;
690
	sa2.sadb_sa_exttype = SADB_X_EXT_SA2;
691
	sa2.sadb_sa_spi = htonl(spi2);
692
	sa2.sadb_sa_state = SADB_SASTATE_MATURE;
693
	iov_cnt = 0;
694
695
	bzero(&sa_dst, sizeof(sa_dst));
696
	sa_dst.sadb_address_exttype = SADB_EXT_ADDRESS_DST;
697
	sa_dst.sadb_address_len = (sizeof(sa_dst) + ROUNDUP(sdst.ss_len)) / 8;
698
699
	bzero(&sa_dst2, sizeof(sa_dst2));
700
	sa_dst2.sadb_address_exttype = SADB_X_EXT_DST2;
701
	sa_dst2.sadb_address_len = (sizeof(sa_dst2) + ROUNDUP(sdst2.ss_len)) / 8;
702
703
	bzero(&sa_proto, sizeof(sa_proto));
704
	sa_proto.sadb_protocol_exttype = SADB_X_EXT_SATYPE2;
705
	sa_proto.sadb_protocol_len = sizeof(sa_proto) / 8;
706
	sa_proto.sadb_protocol_direction = 0;
707
	sa_proto.sadb_protocol_proto = satype2;
708
709
	/* header */
710
	iov[iov_cnt].iov_base = &smsg;
711
	iov[iov_cnt].iov_len = sizeof(smsg);
712
	iov_cnt++;
713
714
	/* sa */
715
	iov[iov_cnt].iov_base = &sa1;
716
	iov[iov_cnt].iov_len = sizeof(sa1);
717
	smsg.sadb_msg_len += sa1.sadb_sa_len;
718
	iov_cnt++;
719
720
	/* dst addr */
721
	iov[iov_cnt].iov_base = &sa_dst;
722
	iov[iov_cnt].iov_len = sizeof(sa_dst);
723
	iov_cnt++;
724
	iov[iov_cnt].iov_base = &sdst;
725
	iov[iov_cnt].iov_len = ROUNDUP(sdst.ss_len);
726
	smsg.sadb_msg_len += sa_dst.sadb_address_len;
727
	iov_cnt++;
728
729
	/* second sa */
730
	iov[iov_cnt].iov_base = &sa2;
731
	iov[iov_cnt].iov_len = sizeof(sa2);
732
	smsg.sadb_msg_len += sa2.sadb_sa_len;
733
	iov_cnt++;
734
735
	/* second dst addr */
736
	iov[iov_cnt].iov_base = &sa_dst2;
737
	iov[iov_cnt].iov_len = sizeof(sa_dst2);
738
	iov_cnt++;
739
	iov[iov_cnt].iov_base = &sdst2;
740
	iov[iov_cnt].iov_len = ROUNDUP(sdst2.ss_len);
741
	smsg.sadb_msg_len += sa_dst2.sadb_address_len;
742
	iov_cnt++;
743
744
	/* SA type */
745
	iov[iov_cnt].iov_base = &sa_proto;
746
	iov[iov_cnt].iov_len = sizeof(sa_proto);
747
	smsg.sadb_msg_len += sa_proto.sadb_protocol_len;
748
	iov_cnt++;
749
750
	len = smsg.sadb_msg_len * 8;
751
	if ((n = writev(sd, iov, iov_cnt)) == -1) {
752
		warn("writev failed");
753
		ret = -1;
754
	} else if (n != len) {
755
		warnx("short write");
756
		ret = -1;
757
	}
758
759
	return (ret);
760
}
761
762
static int
763
pfkey_reply(int sd, u_int8_t **datap, ssize_t *lenp)
764
{
765
	struct sadb_msg	 hdr;
766
	ssize_t		 len;
767
	u_int8_t	*data;
768
769
	if (recv(sd, &hdr, sizeof(hdr), MSG_PEEK) != sizeof(hdr)) {
770
		warnx("short read");
771
		return -1;
772
	}
773
	len = hdr.sadb_msg_len * PFKEYV2_CHUNK;
774
	if ((data = malloc(len)) == NULL)
775
		err(1, "pfkey_reply: malloc");
776
	if (read(sd, data, len) != len) {
777
		warn("PF_KEY short read");
778
		freezero(data, len);
779
		return -1;
780
	}
781
	if (datap) {
782
		*datap = data;
783
		if (lenp)
784
			*lenp = len;
785
	} else {
786
		freezero(data, len);
787
	}
788
	if (datap == NULL && hdr.sadb_msg_errno != 0) {
789
		errno = hdr.sadb_msg_errno;
790
		if (errno != EEXIST) {
791
			warn("PF_KEY failed");
792
			return -1;
793
		}
794
	}
795
	return 0;
796
}
797
798
int
799
pfkey_parse(struct sadb_msg *msg, struct ipsec_rule *rule)
800
{
801
	struct sadb_ext		*ext;
802
	struct sadb_address	*saddr;
803
	struct sadb_protocol	*sproto;
804
	struct sadb_ident	*sident;
805
	struct sockaddr		*sa;
806
	struct sockaddr_in	*sa_in;
807
	struct sockaddr_in6	*sa_in6;
808
	int			 len;
809
810
	switch (msg->sadb_msg_satype) {
811
	case SADB_SATYPE_ESP:
812
		rule->satype = IPSEC_ESP;
813
		break;
814
	case SADB_SATYPE_AH:
815
		rule->satype = IPSEC_AH;
816
		break;
817
	case SADB_X_SATYPE_IPCOMP:
818
		rule->satype = IPSEC_IPCOMP;
819
		break;
820
	case SADB_X_SATYPE_IPIP:
821
		rule->satype = IPSEC_IPIP;
822
		break;
823
	default:
824
		return (1);
825
	}
826
827
	for (ext = (struct sadb_ext *)(msg + 1);
828
	    (size_t)((u_int8_t *)ext - (u_int8_t *)msg) <
829
	    msg->sadb_msg_len * PFKEYV2_CHUNK && ext->sadb_ext_len > 0;
830
	    ext = (struct sadb_ext *)((u_int8_t *)ext +
831
	    ext->sadb_ext_len * PFKEYV2_CHUNK)) {
832
		switch (ext->sadb_ext_type) {
833
		case SADB_EXT_ADDRESS_SRC:
834
			saddr = (struct sadb_address *)ext;
835
			sa = (struct sockaddr *)(saddr + 1);
836
837
			rule->local = calloc(1, sizeof(struct ipsec_addr_wrap));
838
			if (rule->local == NULL)
839
				err(1, "pfkey_parse: calloc");
840
841
			rule->local->af = sa->sa_family;
842
			switch (sa->sa_family) {
843
			case AF_INET:
844
				bcopy(&((struct sockaddr_in *)sa)->sin_addr,
845
				    &rule->local->address.v4,
846
				    sizeof(struct in_addr));
847
				set_ipmask(rule->local, 32);
848
				break;
849
			case AF_INET6:
850
				bcopy(&((struct sockaddr_in6 *)sa)->sin6_addr,
851
				    &rule->local->address.v6,
852
				    sizeof(struct in6_addr));
853
				set_ipmask(rule->local, 128);
854
				break;
855
			default:
856
				return (1);
857
			}
858
			break;
859
860
861
		case SADB_EXT_ADDRESS_DST:
862
			saddr = (struct sadb_address *)ext;
863
			sa = (struct sockaddr *)(saddr + 1);
864
865
			rule->peer = calloc(1, sizeof(struct ipsec_addr_wrap));
866
			if (rule->peer == NULL)
867
				err(1, "pfkey_parse: calloc");
868
869
			rule->peer->af = sa->sa_family;
870
			switch (sa->sa_family) {
871
			case AF_INET:
872
				bcopy(&((struct sockaddr_in *)sa)->sin_addr,
873
				    &rule->peer->address.v4,
874
				    sizeof(struct in_addr));
875
				set_ipmask(rule->peer, 32);
876
				break;
877
			case AF_INET6:
878
				bcopy(&((struct sockaddr_in6 *)sa)->sin6_addr,
879
				    &rule->peer->address.v6,
880
				    sizeof(struct in6_addr));
881
				set_ipmask(rule->peer, 128);
882
				break;
883
			default:
884
				return (1);
885
			}
886
			break;
887
888
		case SADB_EXT_IDENTITY_SRC:
889
			sident = (struct sadb_ident *)ext;
890
			len = (sident->sadb_ident_len * sizeof(uint64_t)) -
891
			    sizeof(struct sadb_ident);
892
893
			if (rule->auth == NULL) {
894
				rule->auth = calloc(1, sizeof(struct
895
				    ipsec_auth));
896
				if (rule->auth == NULL)
897
					err(1, "pfkey_parse: calloc");
898
			}
899
900
			rule->auth->srcid = calloc(1, len);
901
			if (rule->auth->srcid == NULL)
902
				err(1, "pfkey_parse: calloc");
903
904
			strlcpy(rule->auth->srcid, (char *)(sident + 1), len);
905
			break;
906
907
		case SADB_EXT_IDENTITY_DST:
908
			sident = (struct sadb_ident *)ext;
909
			len = (sident->sadb_ident_len * sizeof(uint64_t)) -
910
			    sizeof(struct sadb_ident);
911
912
			if (rule->auth == NULL) {
913
				rule->auth = calloc(1, sizeof(struct
914
				    ipsec_auth));
915
				if (rule->auth == NULL)
916
					err(1, "pfkey_parse: calloc");
917
			}
918
919
			rule->auth->dstid = calloc(1, len);
920
			if (rule->auth->dstid == NULL)
921
				err(1, "pfkey_parse: calloc");
922
923
			strlcpy(rule->auth->dstid, (char *)(sident + 1), len);
924
			break;
925
926
		case SADB_X_EXT_PROTOCOL:
927
			sproto = (struct sadb_protocol *)ext;
928
			if (sproto->sadb_protocol_direction == 0)
929
				rule->proto = sproto->sadb_protocol_proto;
930
			break;
931
932
		case SADB_X_EXT_FLOW_TYPE:
933
			sproto = (struct sadb_protocol *)ext;
934
935
			switch (sproto->sadb_protocol_direction) {
936
			case IPSP_DIRECTION_IN:
937
				rule->direction = IPSEC_IN;
938
				break;
939
			case IPSP_DIRECTION_OUT:
940
				rule->direction = IPSEC_OUT;
941
				break;
942
			default:
943
				return (1);
944
			}
945
			switch (sproto->sadb_protocol_proto) {
946
			case SADB_X_FLOW_TYPE_USE:
947
				rule->flowtype = TYPE_USE;
948
				break;
949
			case SADB_X_FLOW_TYPE_ACQUIRE:
950
				rule->flowtype = TYPE_ACQUIRE;
951
				break;
952
			case SADB_X_FLOW_TYPE_REQUIRE:
953
				rule->flowtype = TYPE_REQUIRE;
954
				break;
955
			case SADB_X_FLOW_TYPE_DENY:
956
				rule->flowtype = TYPE_DENY;
957
				break;
958
			case SADB_X_FLOW_TYPE_BYPASS:
959
				rule->flowtype = TYPE_BYPASS;
960
				break;
961
			case SADB_X_FLOW_TYPE_DONTACQ:
962
				rule->flowtype = TYPE_DONTACQ;
963
				break;
964
			default:
965
				rule->flowtype = TYPE_UNKNOWN;
966
				break;
967
			}
968
			break;
969
970
		case SADB_X_EXT_SRC_FLOW:
971
			saddr = (struct sadb_address *)ext;
972
			sa = (struct sockaddr *)(saddr + 1);
973
974
			if (rule->src == NULL) {
975
				rule->src = calloc(1,
976
				    sizeof(struct ipsec_addr_wrap));
977
				if (rule->src == NULL)
978
					err(1, "pfkey_parse: calloc");
979
			}
980
981
			rule->src->af = sa->sa_family;
982
			switch (sa->sa_family) {
983
			case AF_INET:
984
				bcopy(&((struct sockaddr_in *)sa)->sin_addr,
985
				    &rule->src->address.v4,
986
				    sizeof(struct in_addr));
987
				rule->sport =
988
				    ((struct sockaddr_in *)sa)->sin_port;
989
				break;
990
			case AF_INET6:
991
				bcopy(&((struct sockaddr_in6 *)sa)->sin6_addr,
992
				    &rule->src->address.v6,
993
				    sizeof(struct in6_addr));
994
				rule->sport =
995
				    ((struct sockaddr_in6 *)sa)->sin6_port;
996
				break;
997
			default:
998
				return (1);
999
			}
1000
			break;
1001
1002
		case SADB_X_EXT_DST_FLOW:
1003
			saddr = (struct sadb_address *)ext;
1004
			sa = (struct sockaddr *)(saddr + 1);
1005
1006
			if (rule->dst == NULL) {
1007
				rule->dst = calloc(1,
1008
				    sizeof(struct ipsec_addr_wrap));
1009
				if (rule->dst == NULL)
1010
					err(1, "pfkey_parse: calloc");
1011
			}
1012
1013
			rule->dst->af = sa->sa_family;
1014
			switch (sa->sa_family) {
1015
			case AF_INET:
1016
				bcopy(&((struct sockaddr_in *)sa)->sin_addr,
1017
				    &rule->dst->address.v4,
1018
				    sizeof(struct in_addr));
1019
				rule->dport =
1020
				    ((struct sockaddr_in *)sa)->sin_port;
1021
				break;
1022
			case AF_INET6:
1023
				bcopy(&((struct sockaddr_in6 *)sa)->sin6_addr,
1024
				    &rule->dst->address.v6,
1025
				    sizeof(struct in6_addr));
1026
				rule->dport =
1027
				    ((struct sockaddr_in6 *)sa)->sin6_port;
1028
				break;
1029
			default:
1030
				return (1);
1031
			}
1032
			break;
1033
1034
1035
		case SADB_X_EXT_SRC_MASK:
1036
			saddr = (struct sadb_address *)ext;
1037
			sa = (struct sockaddr *)(saddr + 1);
1038
1039
			if (rule->src == NULL) {
1040
				rule->src = calloc(1,
1041
				    sizeof(struct ipsec_addr_wrap));
1042
				if (rule->src == NULL)
1043
					err(1, "pfkey_parse: calloc");
1044
			}
1045
1046
			rule->src->af = sa->sa_family;
1047
			switch (sa->sa_family) {
1048
			case AF_INET:
1049
				sa_in = (struct sockaddr_in *)sa;
1050
				bcopy(&sa_in->sin_addr, &rule->src->mask.v4,
1051
				    sizeof(struct in_addr));
1052
				break;
1053
			case AF_INET6:
1054
				sa_in6 = (struct sockaddr_in6 *)sa;
1055
				bcopy(&sa_in6->sin6_addr, &rule->src->mask.v6,
1056
				    sizeof(struct in6_addr));
1057
				break;
1058
1059
			default:
1060
				return (1);
1061
			}
1062
			break;
1063
1064
		case SADB_X_EXT_DST_MASK:
1065
			saddr = (struct sadb_address *)ext;
1066
			sa = (struct sockaddr *)(saddr + 1);
1067
1068
			if (rule->dst == NULL) {
1069
				rule->dst = calloc(1,
1070
				    sizeof(struct ipsec_addr_wrap));
1071
				if (rule->dst == NULL)
1072
					err(1, "pfkey_parse: calloc");
1073
			}
1074
1075
			rule->dst->af = sa->sa_family;
1076
			switch (sa->sa_family) {
1077
			case AF_INET:
1078
				sa_in = (struct sockaddr_in *)sa;
1079
				bcopy(&sa_in->sin_addr, &rule->dst->mask.v4,
1080
				    sizeof(struct in_addr));
1081
				break;
1082
			case AF_INET6:
1083
				sa_in6 = (struct sockaddr_in6 *)sa;
1084
				bcopy(&sa_in6->sin6_addr, &rule->dst->mask.v6,
1085
				    sizeof(struct in6_addr));
1086
				break;
1087
			default:
1088
				return (1);
1089
			}
1090
			break;
1091
1092
		default:
1093
			return (1);
1094
		}
1095
	}
1096
1097
	return (0);
1098
}
1099
1100
int
1101
pfkey_ipsec_establish(int action, struct ipsec_rule *r)
1102
{
1103
	int		ret;
1104
	u_int8_t	satype, satype2, direction;
1105
1106
	if (r->type == RULE_FLOW) {
1107
		switch (r->satype) {
1108
		case IPSEC_ESP:
1109
			satype = SADB_SATYPE_ESP;
1110
			break;
1111
		case IPSEC_AH:
1112
			satype = SADB_SATYPE_AH;
1113
			break;
1114
		case IPSEC_IPCOMP:
1115
			satype = SADB_X_SATYPE_IPCOMP;
1116
			break;
1117
		case IPSEC_IPIP:
1118
			satype = SADB_X_SATYPE_IPIP;
1119
			break;
1120
		default:
1121
			return -1;
1122
		}
1123
1124
		switch (r->direction) {
1125
		case IPSEC_IN:
1126
			direction = IPSP_DIRECTION_IN;
1127
			break;
1128
		case IPSEC_OUT:
1129
			direction = IPSP_DIRECTION_OUT;
1130
			break;
1131
		default:
1132
			return -1;
1133
		}
1134
1135
		switch (action) {
1136
		case ACTION_ADD:
1137
			ret = pfkey_flow(fd, satype, SADB_X_ADDFLOW, direction,
1138
			    r->proto, r->src, r->sport, r->dst, r->dport,
1139
			    r->local, r->peer, r->auth, r->flowtype);
1140
			break;
1141
		case ACTION_DELETE:
1142
			/* No peer for flow deletion. */
1143
			ret = pfkey_flow(fd, satype, SADB_X_DELFLOW, direction,
1144
			    r->proto, r->src, r->sport, r->dst, r->dport,
1145
			    NULL, NULL, NULL, r->flowtype);
1146
			break;
1147
		default:
1148
			return -1;
1149
		}
1150
	} else if (r->type == RULE_SA) {
1151
		switch (r->satype) {
1152
		case IPSEC_AH:
1153
			satype = SADB_SATYPE_AH;
1154
			break;
1155
		case IPSEC_ESP:
1156
			satype = SADB_SATYPE_ESP;
1157
			break;
1158
		case IPSEC_IPCOMP:
1159
			satype = SADB_X_SATYPE_IPCOMP;
1160
			break;
1161
		case IPSEC_TCPMD5:
1162
			satype = SADB_X_SATYPE_TCPSIGNATURE;
1163
			break;
1164
		case IPSEC_IPIP:
1165
			satype = SADB_X_SATYPE_IPIP;
1166
			break;
1167
		default:
1168
			return -1;
1169
		}
1170
		switch (action) {
1171
		case ACTION_ADD:
1172
			ret = pfkey_sa(fd, satype, SADB_ADD, r->spi,
1173
			    r->src, r->dst, r->xfs, r->authkey, r->enckey,
1174
			    r->tmode);
1175
			break;
1176
		case ACTION_DELETE:
1177
			ret = pfkey_sa(fd, satype, SADB_DELETE, r->spi,
1178
			    r->src, r->dst, r->xfs, NULL, NULL, r->tmode);
1179
			break;
1180
		default:
1181
			return -1;
1182
		}
1183
	} else if (r->type == RULE_BUNDLE) {
1184
		switch (r->satype) {
1185
		case IPSEC_AH:
1186
			satype = SADB_SATYPE_AH;
1187
			break;
1188
		case IPSEC_ESP:
1189
			satype = SADB_SATYPE_ESP;
1190
			break;
1191
		case IPSEC_IPCOMP:
1192
			satype = SADB_X_SATYPE_IPCOMP;
1193
			break;
1194
		case IPSEC_TCPMD5:
1195
			satype = SADB_X_SATYPE_TCPSIGNATURE;
1196
			break;
1197
		case IPSEC_IPIP:
1198
			satype = SADB_X_SATYPE_IPIP;
1199
			break;
1200
		default:
1201
			return -1;
1202
		}
1203
		switch (r->proto2) {
1204
		case IPSEC_AH:
1205
			satype2 = SADB_SATYPE_AH;
1206
			break;
1207
		case IPSEC_ESP:
1208
			satype2 = SADB_SATYPE_ESP;
1209
			break;
1210
		case IPSEC_IPCOMP:
1211
			satype2 = SADB_X_SATYPE_IPCOMP;
1212
			break;
1213
		case IPSEC_TCPMD5:
1214
			satype2 = SADB_X_SATYPE_TCPSIGNATURE;
1215
			break;
1216
		case IPSEC_IPIP:
1217
			satype2 = SADB_X_SATYPE_IPIP;
1218
			break;
1219
		default:
1220
			return -1;
1221
		}
1222
		switch (action) {
1223
		case ACTION_ADD:
1224
			ret = pfkey_sabundle(fd, satype, satype2,
1225
			    SADB_X_GRPSPIS, r->dst, r->spi, r->dst2, r->spi2);
1226
			break;
1227
		case ACTION_DELETE:
1228
			return 0;
1229
		default:
1230
			return -1;
1231
		}
1232
	} else
1233
		return -1;
1234
1235
	if (ret < 0)
1236
		return -1;
1237
	if (pfkey_reply(fd, NULL, NULL) < 0)
1238
		return -1;
1239
1240
	return 0;
1241
}
1242
1243
int
1244
pfkey_ipsec_flush(void)
1245
{
1246
	struct sadb_msg smsg;
1247
	struct iovec	iov[IOV_CNT];
1248
	ssize_t		n;
1249
	int		iov_cnt, len;
1250
1251
	bzero(&smsg, sizeof(smsg));
1252
	smsg.sadb_msg_version = PF_KEY_V2;
1253
	smsg.sadb_msg_seq = sadb_msg_seq++;
1254
	smsg.sadb_msg_pid = getpid();
1255
	smsg.sadb_msg_len = sizeof(smsg) / 8;
1256
	smsg.sadb_msg_type = SADB_FLUSH;
1257
	smsg.sadb_msg_satype = SADB_SATYPE_UNSPEC;
1258
1259
	iov_cnt = 0;
1260
1261
	iov[iov_cnt].iov_base = &smsg;
1262
	iov[iov_cnt].iov_len = sizeof(smsg);
1263
	iov_cnt++;
1264
1265
	len = smsg.sadb_msg_len * 8;
1266
	if ((n = writev(fd, iov, iov_cnt)) == -1) {
1267
		warn("writev failed");
1268
		return -1;
1269
	}
1270
	if (n != len) {
1271
		warnx("short write");
1272
		return -1;
1273
	}
1274
	if (pfkey_reply(fd, NULL, NULL) < 0)
1275
		return -1;
1276
1277
	return 0;
1278
}
1279
1280
static int
1281
pfkey_promisc(void)
1282
{
1283
	struct sadb_msg msg;
1284
1285
	memset(&msg, 0, sizeof(msg));
1286
	msg.sadb_msg_version = PF_KEY_V2;
1287
	msg.sadb_msg_seq = sadb_msg_seq++;
1288
	msg.sadb_msg_pid = getpid();
1289
	msg.sadb_msg_len = sizeof(msg) / PFKEYV2_CHUNK;
1290
	msg.sadb_msg_type = SADB_X_PROMISC;
1291
	msg.sadb_msg_satype = 1;	/* enable */
1292
	if (write(fd, &msg, sizeof(msg)) != sizeof(msg)) {
1293
		warn("pfkey_promisc: write failed");
1294
		return -1;
1295
	}
1296
	if (pfkey_reply(fd, NULL, NULL) < 0)
1297
		return -1;
1298
	return 0;
1299
}
1300
1301
int
1302
pfkey_monitor(int opts)
1303
{
1304
	struct pollfd pfd[1];
1305
	struct sadb_msg *msg;
1306
	u_int8_t *data;
1307
	ssize_t len;
1308
	int n;
1309
1310
	if (pfkey_init() < 0)
1311
		return -1;
1312
	if (pfkey_promisc() < 0)
1313
		return -1;
1314
1315
	pfd[0].fd = fd;
1316
	pfd[0].events = POLLIN;
1317
	for (;;) {
1318
		if ((n = poll(pfd, 1, -1)) < 0)
1319
			err(2, "poll");
1320
		if (n == 0)
1321
			break;
1322
		if ((pfd[0].revents & POLLIN) == 0)
1323
			continue;
1324
		if (pfkey_reply(fd, &data, &len) < 0)
1325
			continue;
1326
		msg = (struct sadb_msg *)data;
1327
		if (msg->sadb_msg_type == SADB_X_PROMISC) {
1328
			/* remove extra header from promisc messages */
1329
			if ((msg->sadb_msg_len * PFKEYV2_CHUNK) >=
1330
			    2 * sizeof(struct sadb_msg)) {
1331
				msg++;
1332
			}
1333
		}
1334
		pfkey_monitor_sa(msg, opts);
1335
		if (opts & IPSECCTL_OPT_VERBOSE)
1336
			pfkey_print_raw(data, len);
1337
		freezero(data, len);
1338
	}
1339
	close(fd);
1340
	return 0;
1341
}
1342
1343
int
1344
pfkey_init(void)
1345
{
1346
	if ((fd = socket(PF_KEY, SOCK_RAW, PF_KEY_V2)) == -1)
1347
		err(1, "pfkey_init: failed to open PF_KEY socket");
1348
1349
	return 0;
1350
}