1 /* $OpenBSD: pfkey.c,v 1.71 2020/09/09 21:25:42 tobhe Exp $ */ 2 3 /* 4 * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org> 5 * Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org> 6 * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org> 7 * Copyright (c) 2003, 2004 Markus Friedl <markus@openbsd.org> 8 * 9 * Permission to use, copy, modify, and distribute this software for any 10 * purpose with or without fee is hereby granted, provided that the above 11 * copyright notice and this permission notice appear in all copies. 12 * 13 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 14 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 15 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 16 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 17 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 18 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 19 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 20 */ 21 22 #include <sys/queue.h> 23 #include <sys/uio.h> 24 #include <sys/socket.h> 25 26 #include <netinet/in.h> 27 #include <netinet/ip_ipsp.h> 28 #include <net/pfkeyv2.h> 29 30 #include <err.h> 31 #include <errno.h> 32 #include <stdio.h> 33 #include <poll.h> 34 #include <string.h> 35 #include <stdlib.h> 36 #include <unistd.h> 37 #include <event.h> 38 39 #include "iked.h" 40 #include "ikev2.h" 41 42 #define ROUNDUP(x) (((x) + (PFKEYV2_CHUNK - 1)) & ~(PFKEYV2_CHUNK - 1)) 43 #define IOV_CNT 21 44 45 #define PFKEYV2_CHUNK sizeof(uint64_t) 46 #define PFKEY_REPLY_TIMEOUT 1000 47 48 /* only used internally */ 49 #define IKED_SADB_UPDATE_SA_ADDRESSES 0xff 50 51 static uint32_t sadb_msg_seq = 0; 52 static unsigned int sadb_decoupled = 0; 53 54 static int iked_rdomain = 0; 55 56 static struct event pfkey_timer_ev; 57 static struct timeval pfkey_timer_tv; 58 59 struct pfkey_message { 60 SIMPLEQ_ENTRY(pfkey_message) 61 pm_entry; 62 uint8_t *pm_data; 63 ssize_t pm_length; 64 }; 65 SIMPLEQ_HEAD(, pfkey_message) pfkey_retry, pfkey_postponed = 66 SIMPLEQ_HEAD_INITIALIZER(pfkey_postponed); 67 68 struct pfkey_constmap { 69 uint8_t pfkey_id; 70 unsigned int pfkey_ikeid; 71 unsigned int pfkey_fixedkey; 72 }; 73 74 static const struct pfkey_constmap pfkey_encr[] = { 75 { SADB_EALG_3DESCBC, IKEV2_XFORMENCR_3DES }, 76 { SADB_X_EALG_CAST, IKEV2_XFORMENCR_CAST }, 77 { SADB_X_EALG_BLF, IKEV2_XFORMENCR_BLOWFISH }, 78 { SADB_EALG_NULL, IKEV2_XFORMENCR_NULL }, 79 { SADB_X_EALG_AES, IKEV2_XFORMENCR_AES_CBC }, 80 { SADB_X_EALG_AESCTR, IKEV2_XFORMENCR_AES_CTR }, 81 { SADB_X_EALG_AESGCM16, IKEV2_XFORMENCR_AES_GCM_16 }, 82 { SADB_X_EALG_AESGMAC, IKEV2_XFORMENCR_NULL_AES_GMAC }, 83 { SADB_X_EALG_CHACHA20POLY1305, IKEV2_XFORMENCR_CHACHA20_POLY1305 }, 84 { 0 } 85 }; 86 87 static const struct pfkey_constmap pfkey_integr[] = { 88 { SADB_AALG_MD5HMAC, IKEV2_XFORMAUTH_HMAC_MD5_96 }, 89 { SADB_AALG_SHA1HMAC, IKEV2_XFORMAUTH_HMAC_SHA1_96 }, 90 { SADB_X_AALG_SHA2_256, IKEV2_XFORMAUTH_HMAC_SHA2_256_128 }, 91 { SADB_X_AALG_SHA2_384, IKEV2_XFORMAUTH_HMAC_SHA2_384_192 }, 92 { SADB_X_AALG_SHA2_512, IKEV2_XFORMAUTH_HMAC_SHA2_512_256 }, 93 { 0 } 94 }; 95 96 static const struct pfkey_constmap pfkey_satype[] = { 97 { SADB_SATYPE_AH, IKEV2_SAPROTO_AH }, 98 { SADB_SATYPE_ESP, IKEV2_SAPROTO_ESP }, 99 { SADB_X_SATYPE_IPCOMP, IKEV2_SAPROTO_IPCOMP }, 100 { 0 } 101 }; 102 103 int pfkey_map(const struct pfkey_constmap *, uint16_t, uint8_t *); 104 int pfkey_flow(int, uint8_t, uint8_t, struct iked_flow *); 105 int pfkey_sa(int, uint8_t, uint8_t, struct iked_childsa *); 106 int pfkey_sa_getspi(int, uint8_t, struct iked_childsa *, uint32_t *); 107 int pfkey_sagroup(int, uint8_t, uint8_t, 108 struct iked_childsa *, struct iked_childsa *); 109 int pfkey_write(int, struct sadb_msg *, struct iovec *, int, 110 uint8_t **, ssize_t *); 111 int pfkey_reply(int, uint8_t **, ssize_t *); 112 void pfkey_dispatch(int, short, void *); 113 int pfkey_sa_lookup(int, struct iked_childsa *, uint64_t *); 114 int pfkey_sa_check_exists(int, struct iked_childsa *); 115 116 struct sadb_ident * 117 pfkey_id2ident(struct iked_id *, unsigned int); 118 void *pfkey_find_ext(uint8_t *, ssize_t, int); 119 120 void pfkey_timer_cb(int, short, void *); 121 int pfkey_process(struct iked *, struct pfkey_message *); 122 123 int 124 pfkey_couple(int sd, struct iked_sas *sas, int couple) 125 { 126 struct iked_sa *sa; 127 struct iked_flow *flow; 128 struct iked_childsa *csa, *ipcomp; 129 const char *mode[] = { "coupled", "decoupled" }; 130 131 /* Socket is not ready */ 132 if (sd == -1) 133 return (-1); 134 135 if (sadb_decoupled == !couple) 136 return (0); 137 138 log_debug("%s: kernel %s -> %s", __func__, 139 mode[sadb_decoupled], mode[!sadb_decoupled]); 140 141 /* Allow writes to the PF_KEY socket */ 142 sadb_decoupled = 0; 143 144 RB_FOREACH(sa, iked_sas, sas) { 145 TAILQ_FOREACH(csa, &sa->sa_childsas, csa_entry) { 146 if (!csa->csa_loaded && couple) 147 (void)pfkey_sa_add(sd, csa, NULL); 148 else if (csa->csa_loaded && !couple) 149 (void)pfkey_sa_delete(sd, csa); 150 if ((ipcomp = csa->csa_bundled) != NULL) { 151 if (!ipcomp->csa_loaded && couple) 152 (void)pfkey_sa_add(sd, ipcomp, csa); 153 else if (ipcomp->csa_loaded && !couple) 154 (void)pfkey_sa_delete(sd, ipcomp); 155 } 156 } 157 TAILQ_FOREACH(flow, &sa->sa_flows, flow_entry) { 158 if (!flow->flow_loaded && couple) 159 (void)pfkey_flow_add(sd, flow); 160 else if (flow->flow_loaded && !couple) 161 (void)pfkey_flow_delete(sd, flow); 162 } 163 } 164 165 sadb_decoupled = !couple; 166 167 return (0); 168 } 169 170 int 171 pfkey_map(const struct pfkey_constmap *map, uint16_t alg, uint8_t *pfkalg) 172 { 173 int i; 174 175 for (i = 0; map[i].pfkey_id != 0; i++) 176 if (map[i].pfkey_ikeid == alg) { 177 *pfkalg = map[i].pfkey_id; 178 return (0); 179 } 180 return (-1); 181 } 182 183 int 184 pfkey_flow(int sd, uint8_t satype, uint8_t action, struct iked_flow *flow) 185 { 186 struct sadb_msg smsg; 187 struct iked_addr *flow_src, *flow_dst; 188 struct sadb_address sa_src, sa_dst, sa_local, sa_peer, sa_smask, 189 sa_dmask; 190 struct sadb_protocol sa_flowtype, sa_protocol; 191 struct sadb_x_rdomain sa_rdomain; 192 struct sadb_ident *sa_srcid, *sa_dstid; 193 struct sockaddr_storage ssrc, sdst, slocal, speer, smask, dmask; 194 struct iovec iov[IOV_CNT]; 195 int iov_cnt, ret = -1; 196 197 sa_srcid = sa_dstid = NULL; 198 199 flow_src = &flow->flow_src; 200 flow_dst = &flow->flow_dst; 201 202 if (flow->flow_prenat.addr_af == flow_src->addr_af) { 203 if (flow->flow_dir == IPSP_DIRECTION_IN) 204 flow_dst = &flow->flow_prenat; 205 else 206 flow_src = &flow->flow_prenat; 207 } 208 209 bzero(&ssrc, sizeof(ssrc)); 210 bzero(&smask, sizeof(smask)); 211 memcpy(&ssrc, &flow_src->addr, sizeof(ssrc)); 212 memcpy(&smask, &flow_src->addr, sizeof(smask)); 213 socket_af((struct sockaddr *)&ssrc, flow_src->addr_port); 214 socket_af((struct sockaddr *)&smask, flow_src->addr_port ? 215 0xffff : 0); 216 217 switch (flow_src->addr_af) { 218 case AF_INET: 219 ((struct sockaddr_in *)&smask)->sin_addr.s_addr = 220 prefixlen2mask(flow_src->addr_net ? 221 flow_src->addr_mask : 32); 222 break; 223 case AF_INET6: 224 prefixlen2mask6(flow_src->addr_net ? 225 flow_src->addr_mask : 128, 226 (uint32_t *)((struct sockaddr_in6 *) 227 &smask)->sin6_addr.s6_addr); 228 break; 229 default: 230 log_warnx("%s: unsupported address family %d", 231 __func__, flow_src->addr_af); 232 return (-1); 233 } 234 smask.ss_len = ssrc.ss_len; 235 236 bzero(&sdst, sizeof(sdst)); 237 bzero(&dmask, sizeof(dmask)); 238 memcpy(&sdst, &flow_dst->addr, sizeof(sdst)); 239 memcpy(&dmask, &flow_dst->addr, sizeof(dmask)); 240 socket_af((struct sockaddr *)&sdst, flow_dst->addr_port); 241 socket_af((struct sockaddr *)&dmask, flow_dst->addr_port ? 242 0xffff : 0); 243 244 switch (flow_dst->addr_af) { 245 case AF_INET: 246 ((struct sockaddr_in *)&dmask)->sin_addr.s_addr = 247 prefixlen2mask(flow_dst->addr_net ? 248 flow_dst->addr_mask : 32); 249 break; 250 case AF_INET6: 251 prefixlen2mask6(flow_dst->addr_net ? 252 flow_dst->addr_mask : 128, 253 (uint32_t *)((struct sockaddr_in6 *) 254 &dmask)->sin6_addr.s6_addr); 255 break; 256 default: 257 log_warnx("%s: unsupported address family %d", 258 __func__, flow_dst->addr_af); 259 return (-1); 260 } 261 dmask.ss_len = sdst.ss_len; 262 263 bzero(&slocal, sizeof(slocal)); 264 bzero(&speer, sizeof(speer)); 265 if (action != SADB_X_DELFLOW && flow->flow_local != NULL) { 266 memcpy(&slocal, &flow->flow_local->addr, sizeof(slocal)); 267 socket_af((struct sockaddr *)&slocal, 0); 268 269 memcpy(&speer, &flow->flow_peer->addr, sizeof(speer)); 270 socket_af((struct sockaddr *)&speer, 0); 271 } 272 273 bzero(&smsg, sizeof(smsg)); 274 smsg.sadb_msg_version = PF_KEY_V2; 275 smsg.sadb_msg_seq = ++sadb_msg_seq; 276 smsg.sadb_msg_pid = getpid(); 277 smsg.sadb_msg_len = sizeof(smsg) / 8; 278 smsg.sadb_msg_type = action; 279 smsg.sadb_msg_satype = satype; 280 281 bzero(&sa_flowtype, sizeof(sa_flowtype)); 282 sa_flowtype.sadb_protocol_exttype = SADB_X_EXT_FLOW_TYPE; 283 sa_flowtype.sadb_protocol_len = sizeof(sa_flowtype) / 8; 284 sa_flowtype.sadb_protocol_direction = flow->flow_dir; 285 sa_flowtype.sadb_protocol_proto = SADB_X_FLOW_TYPE_REQUIRE; 286 287 bzero(&sa_protocol, sizeof(sa_protocol)); 288 sa_protocol.sadb_protocol_exttype = SADB_X_EXT_PROTOCOL; 289 sa_protocol.sadb_protocol_len = sizeof(sa_protocol) / 8; 290 sa_protocol.sadb_protocol_direction = 0; 291 sa_protocol.sadb_protocol_proto = flow->flow_ipproto; 292 293 bzero(&sa_src, sizeof(sa_src)); 294 sa_src.sadb_address_exttype = SADB_X_EXT_SRC_FLOW; 295 sa_src.sadb_address_len = (sizeof(sa_src) + ROUNDUP(ssrc.ss_len)) / 8; 296 297 bzero(&sa_smask, sizeof(sa_smask)); 298 sa_smask.sadb_address_exttype = SADB_X_EXT_SRC_MASK; 299 sa_smask.sadb_address_len = 300 (sizeof(sa_smask) + ROUNDUP(smask.ss_len)) / 8; 301 302 bzero(&sa_dst, sizeof(sa_dst)); 303 sa_dst.sadb_address_exttype = SADB_X_EXT_DST_FLOW; 304 sa_dst.sadb_address_len = (sizeof(sa_dst) + ROUNDUP(sdst.ss_len)) / 8; 305 306 bzero(&sa_dmask, sizeof(sa_dmask)); 307 sa_dmask.sadb_address_exttype = SADB_X_EXT_DST_MASK; 308 sa_dmask.sadb_address_len = 309 (sizeof(sa_dmask) + ROUNDUP(dmask.ss_len)) / 8; 310 311 if (action != SADB_X_DELFLOW && flow->flow_local != NULL) { 312 /* local address */ 313 bzero(&sa_local, sizeof(sa_local)); 314 sa_local.sadb_address_exttype = SADB_EXT_ADDRESS_SRC; 315 sa_local.sadb_address_len = 316 (sizeof(sa_local) + ROUNDUP(slocal.ss_len)) / 8; 317 318 /* peer address */ 319 bzero(&sa_peer, sizeof(sa_peer)); 320 sa_peer.sadb_address_exttype = SADB_EXT_ADDRESS_DST; 321 sa_peer.sadb_address_len = 322 (sizeof(sa_peer) + ROUNDUP(speer.ss_len)) / 8; 323 324 /* local id */ 325 sa_srcid = pfkey_id2ident(IKESA_SRCID(flow->flow_ikesa), 326 SADB_EXT_IDENTITY_SRC); 327 328 /* peer id */ 329 sa_dstid = pfkey_id2ident(IKESA_DSTID(flow->flow_ikesa), 330 SADB_EXT_IDENTITY_DST); 331 } 332 333 if (flow->flow_rdomain >= 0) { 334 /* install flow in specific rdomain */ 335 bzero(&sa_rdomain, sizeof(sa_rdomain)); 336 sa_rdomain.sadb_x_rdomain_exttype = SADB_X_EXT_RDOMAIN; 337 sa_rdomain.sadb_x_rdomain_len = sizeof(sa_rdomain) / 8; 338 sa_rdomain.sadb_x_rdomain_dom1 = flow->flow_rdomain; 339 } 340 341 iov_cnt = 0; 342 343 /* header */ 344 iov[iov_cnt].iov_base = &smsg; 345 iov[iov_cnt].iov_len = sizeof(smsg); 346 iov_cnt++; 347 348 /* add flow type */ 349 iov[iov_cnt].iov_base = &sa_flowtype; 350 iov[iov_cnt].iov_len = sizeof(sa_flowtype); 351 smsg.sadb_msg_len += sa_flowtype.sadb_protocol_len; 352 iov_cnt++; 353 354 if (action != SADB_X_DELFLOW && flow->flow_local != NULL) { 355 /* remote peer */ 356 iov[iov_cnt].iov_base = &sa_peer; 357 iov[iov_cnt].iov_len = sizeof(sa_peer); 358 iov_cnt++; 359 iov[iov_cnt].iov_base = &speer; 360 iov[iov_cnt].iov_len = ROUNDUP(speer.ss_len); 361 smsg.sadb_msg_len += sa_peer.sadb_address_len; 362 iov_cnt++; 363 } 364 365 /* src addr */ 366 iov[iov_cnt].iov_base = &sa_src; 367 iov[iov_cnt].iov_len = sizeof(sa_src); 368 iov_cnt++; 369 iov[iov_cnt].iov_base = &ssrc; 370 iov[iov_cnt].iov_len = ROUNDUP(ssrc.ss_len); 371 smsg.sadb_msg_len += sa_src.sadb_address_len; 372 iov_cnt++; 373 374 /* src mask */ 375 iov[iov_cnt].iov_base = &sa_smask; 376 iov[iov_cnt].iov_len = sizeof(sa_smask); 377 iov_cnt++; 378 iov[iov_cnt].iov_base = &smask; 379 iov[iov_cnt].iov_len = ROUNDUP(smask.ss_len); 380 smsg.sadb_msg_len += sa_smask.sadb_address_len; 381 iov_cnt++; 382 383 /* dest addr */ 384 iov[iov_cnt].iov_base = &sa_dst; 385 iov[iov_cnt].iov_len = sizeof(sa_dst); 386 iov_cnt++; 387 iov[iov_cnt].iov_base = &sdst; 388 iov[iov_cnt].iov_len = ROUNDUP(sdst.ss_len); 389 smsg.sadb_msg_len += sa_dst.sadb_address_len; 390 iov_cnt++; 391 392 /* dst mask */ 393 iov[iov_cnt].iov_base = &sa_dmask; 394 iov[iov_cnt].iov_len = sizeof(sa_dmask); 395 iov_cnt++; 396 iov[iov_cnt].iov_base = &dmask; 397 iov[iov_cnt].iov_len = ROUNDUP(dmask.ss_len); 398 smsg.sadb_msg_len += sa_dmask.sadb_address_len; 399 iov_cnt++; 400 401 /* add protocol */ 402 iov[iov_cnt].iov_base = &sa_protocol; 403 iov[iov_cnt].iov_len = sizeof(sa_protocol); 404 smsg.sadb_msg_len += sa_protocol.sadb_protocol_len; 405 iov_cnt++; 406 407 if (sa_srcid) { 408 /* src identity */ 409 iov[iov_cnt].iov_base = sa_srcid; 410 iov[iov_cnt].iov_len = sa_srcid->sadb_ident_len * 8; 411 smsg.sadb_msg_len += sa_srcid->sadb_ident_len; 412 iov_cnt++; 413 } 414 if (sa_dstid) { 415 /* dst identity */ 416 iov[iov_cnt].iov_base = sa_dstid; 417 iov[iov_cnt].iov_len = sa_dstid->sadb_ident_len * 8; 418 smsg.sadb_msg_len += sa_dstid->sadb_ident_len; 419 iov_cnt++; 420 } 421 422 if (flow->flow_rdomain >= 0) { 423 iov[iov_cnt].iov_base = &sa_rdomain; 424 iov[iov_cnt].iov_len = sizeof(sa_rdomain); 425 smsg.sadb_msg_len += sa_rdomain.sadb_x_rdomain_len; 426 iov_cnt++; 427 } 428 429 ret = pfkey_write(sd, &smsg, iov, iov_cnt, NULL, NULL); 430 431 free(sa_srcid); 432 free(sa_dstid); 433 434 return (ret); 435 } 436 437 int 438 pfkey_sa(int sd, uint8_t satype, uint8_t action, struct iked_childsa *sa) 439 { 440 struct sadb_msg smsg; 441 struct sadb_sa sadb; 442 struct sadb_address sa_src, sa_dst, sa_pxy; 443 struct sadb_key sa_authkey, sa_enckey; 444 struct sadb_lifetime sa_ltime_hard, sa_ltime_soft; 445 struct sadb_x_udpencap udpencap; 446 struct sadb_x_tag sa_tag; 447 char *tag = NULL; 448 struct sadb_x_tap sa_tap; 449 struct sadb_x_rdomain sa_rdomain; 450 struct sockaddr_storage ssrc, sdst, spxy; 451 struct sadb_ident *sa_srcid, *sa_dstid; 452 struct iked_lifetime *lt; 453 struct iked_policy *pol; 454 struct iked_addr *dst; 455 struct iovec iov[IOV_CNT]; 456 uint32_t jitter; 457 int iov_cnt; 458 int ret, dotap = 0; 459 460 sa_srcid = sa_dstid = NULL; 461 462 if (sa->csa_ikesa == NULL || sa->csa_ikesa->sa_policy == NULL) { 463 log_warn("%s: invalid SA and policy", __func__); 464 return (-1); 465 } 466 pol = sa->csa_ikesa->sa_policy; 467 lt = &pol->pol_lifetime; 468 469 bzero(&ssrc, sizeof(ssrc)); 470 memcpy(&ssrc, &sa->csa_local->addr, sizeof(ssrc)); 471 if (socket_af((struct sockaddr *)&ssrc, 0) == -1) { 472 log_warn("%s: invalid address", __func__); 473 return (-1); 474 } 475 476 dst = (action == IKED_SADB_UPDATE_SA_ADDRESSES && 477 sa->csa_dir == IPSP_DIRECTION_OUT) ? 478 &sa->csa_ikesa->sa_peer_loaded : 479 sa->csa_peer; 480 bzero(&sdst, sizeof(sdst)); 481 memcpy(&sdst, &dst->addr, sizeof(sdst)); 482 if (socket_af((struct sockaddr *)&sdst, 0) == -1) { 483 log_warn("%s: invalid address", __func__); 484 return (-1); 485 } 486 487 bzero(&spxy, sizeof(spxy)); 488 if (dst != sa->csa_peer) { 489 memcpy(&spxy, &sa->csa_peer->addr, sizeof(spxy)); 490 if (socket_af((struct sockaddr *)&spxy, 0) == -1) { 491 log_warn("%s: invalid address", __func__); 492 return (-1); 493 } 494 } 495 496 bzero(&smsg, sizeof(smsg)); 497 smsg.sadb_msg_version = PF_KEY_V2; 498 smsg.sadb_msg_seq = ++sadb_msg_seq; 499 smsg.sadb_msg_pid = getpid(); 500 smsg.sadb_msg_len = sizeof(smsg) / 8; 501 smsg.sadb_msg_type = action; 502 smsg.sadb_msg_satype = satype; 503 504 bzero(&sadb, sizeof(sadb)); 505 sadb.sadb_sa_len = sizeof(sadb) / 8; 506 sadb.sadb_sa_exttype = SADB_EXT_SA; 507 sadb.sadb_sa_spi = htonl(sa->csa_spi.spi); 508 sadb.sadb_sa_state = SADB_SASTATE_MATURE; 509 sadb.sadb_sa_replay = 64; 510 511 if (!sa->csa_transport) 512 sadb.sadb_sa_flags |= SADB_X_SAFLAGS_TUNNEL; 513 514 if (sa->csa_esn) 515 sadb.sadb_sa_flags |= SADB_X_SAFLAGS_ESN; 516 517 bzero(&sa_src, sizeof(sa_src)); 518 sa_src.sadb_address_len = (sizeof(sa_src) + ROUNDUP(ssrc.ss_len)) / 8; 519 sa_src.sadb_address_exttype = SADB_EXT_ADDRESS_SRC; 520 521 bzero(&sa_dst, sizeof(sa_dst)); 522 sa_dst.sadb_address_len = (sizeof(sa_dst) + ROUNDUP(sdst.ss_len)) / 8; 523 sa_dst.sadb_address_exttype = SADB_EXT_ADDRESS_DST; 524 525 bzero(&sa_pxy, sizeof(sa_pxy)); 526 sa_pxy.sadb_address_len = (sizeof(sa_pxy) + ROUNDUP(spxy.ss_len)) / 8; 527 sa_pxy.sadb_address_exttype = SADB_EXT_ADDRESS_PROXY; 528 529 bzero(&sa_authkey, sizeof(sa_authkey)); 530 bzero(&sa_enckey, sizeof(sa_enckey)); 531 bzero(&udpencap, sizeof udpencap); 532 bzero(&sa_ltime_hard, sizeof(sa_ltime_hard)); 533 bzero(&sa_ltime_soft, sizeof(sa_ltime_soft)); 534 535 if (pol->pol_rdomain >= 0) { 536 bzero(&sa_rdomain, sizeof(sa_rdomain)); 537 sa_rdomain.sadb_x_rdomain_exttype = SADB_X_EXT_RDOMAIN; 538 sa_rdomain.sadb_x_rdomain_len = sizeof(sa_rdomain) / 8; 539 if (satype == SADB_X_SATYPE_IPCOMP) { 540 /* IPCOMP SAs are always in the pol_rdomain */ 541 sa_rdomain.sadb_x_rdomain_dom1 = pol->pol_rdomain; 542 sa_rdomain.sadb_x_rdomain_dom2 = pol->pol_rdomain; 543 } else if (sa->csa_dir == IPSP_DIRECTION_OUT) { 544 /* switch rdomain on encrypt/decrypt */ 545 sa_rdomain.sadb_x_rdomain_dom1 = pol->pol_rdomain; 546 sa_rdomain.sadb_x_rdomain_dom2 = iked_rdomain; 547 } else { 548 sa_rdomain.sadb_x_rdomain_dom1 = iked_rdomain; 549 sa_rdomain.sadb_x_rdomain_dom2 = pol->pol_rdomain; 550 } 551 } 552 553 if (action == SADB_DELETE) 554 goto send; 555 556 if (satype == SADB_SATYPE_ESP && 557 sa->csa_ikesa->sa_udpencap && sa->csa_ikesa->sa_natt) { 558 sadb.sadb_sa_flags |= SADB_X_SAFLAGS_UDPENCAP; 559 udpencap.sadb_x_udpencap_exttype = SADB_X_EXT_UDPENCAP; 560 udpencap.sadb_x_udpencap_len = sizeof(udpencap) / 8; 561 udpencap.sadb_x_udpencap_port = 562 sa->csa_ikesa->sa_peer.addr_port; 563 564 log_debug("%s: udpencap port %d", __func__, 565 ntohs(udpencap.sadb_x_udpencap_port)); 566 } 567 568 if (action == IKED_SADB_UPDATE_SA_ADDRESSES) { 569 smsg.sadb_msg_type = SADB_UPDATE; 570 goto send; 571 } 572 573 if ((action == SADB_ADD || action == SADB_UPDATE) && 574 !sa->csa_persistent && (lt->lt_bytes || lt->lt_seconds)) { 575 sa_ltime_hard.sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD; 576 sa_ltime_hard.sadb_lifetime_len = sizeof(sa_ltime_hard) / 8; 577 sa_ltime_hard.sadb_lifetime_bytes = lt->lt_bytes; 578 sa_ltime_hard.sadb_lifetime_addtime = lt->lt_seconds; 579 580 /* double the lifetime for ipcomp; disable byte lifetime */ 581 if (satype == SADB_X_SATYPE_IPCOMP) { 582 sa_ltime_hard.sadb_lifetime_addtime *= 2; 583 sa_ltime_hard.sadb_lifetime_bytes = 0; 584 } 585 586 sa_ltime_soft.sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT; 587 sa_ltime_soft.sadb_lifetime_len = sizeof(sa_ltime_soft) / 8; 588 /* set randomly to 85-95% */ 589 jitter = 850 + arc4random_uniform(100); 590 sa_ltime_soft.sadb_lifetime_bytes = 591 (sa_ltime_hard.sadb_lifetime_bytes * jitter) / 1000; 592 sa_ltime_soft.sadb_lifetime_addtime = 593 (sa_ltime_hard.sadb_lifetime_addtime * jitter) / 1000; 594 } 595 596 /* XXX handle NULL encryption or NULL auth or combined encr/auth */ 597 if (action == SADB_ADD && 598 !ibuf_length(sa->csa_integrkey) && !ibuf_length(sa->csa_encrkey) && 599 satype != SADB_X_SATYPE_IPCOMP && satype != SADB_X_SATYPE_IPIP) { 600 log_warnx("%s: no key specified", __func__); 601 return (-1); 602 } 603 604 if (sa->csa_integrid) 605 if (pfkey_map(pfkey_integr, 606 sa->csa_integrid, &sadb.sadb_sa_auth) == -1) { 607 log_warnx("%s: unsupported integrity algorithm %s", 608 __func__, print_map(sa->csa_integrid, 609 ikev2_xformauth_map)); 610 return (-1); 611 } 612 613 if (sa->csa_encrid) 614 if (pfkey_map(pfkey_encr, 615 sa->csa_encrid, &sadb.sadb_sa_encrypt) == -1) { 616 log_warnx("%s: unsupported encryption algorithm %s", 617 __func__, print_map(sa->csa_encrid, 618 ikev2_xformencr_map)); 619 return (-1); 620 } 621 622 if (ibuf_length(sa->csa_integrkey)) { 623 sa_authkey.sadb_key_len = (sizeof(sa_authkey) + 624 ((ibuf_size(sa->csa_integrkey) + 7) / 8) * 8) / 8; 625 sa_authkey.sadb_key_exttype = SADB_EXT_KEY_AUTH; 626 sa_authkey.sadb_key_bits = 627 8 * ibuf_size(sa->csa_integrkey); 628 } 629 630 if (ibuf_length(sa->csa_encrkey)) { 631 sa_enckey.sadb_key_len = (sizeof(sa_enckey) + 632 ((ibuf_size(sa->csa_encrkey) + 7) / 8) * 8) / 8; 633 sa_enckey.sadb_key_exttype = SADB_EXT_KEY_ENCRYPT; 634 sa_enckey.sadb_key_bits = 635 8 * ibuf_size(sa->csa_encrkey); 636 } 637 638 /* we only support deflate */ 639 if (satype == SADB_X_SATYPE_IPCOMP) 640 sadb.sadb_sa_encrypt = SADB_X_CALG_DEFLATE; 641 642 /* Note that we need to swap the IDs for incoming SAs (SADB_UPDATE) */ 643 if (action != SADB_UPDATE) { 644 sa_srcid = pfkey_id2ident( 645 IKESA_SRCID(sa->csa_ikesa), SADB_EXT_IDENTITY_SRC); 646 sa_dstid = pfkey_id2ident( 647 IKESA_DSTID(sa->csa_ikesa), SADB_EXT_IDENTITY_DST); 648 } else { 649 sa_srcid = pfkey_id2ident( 650 IKESA_DSTID(sa->csa_ikesa), SADB_EXT_IDENTITY_SRC); 651 sa_dstid = pfkey_id2ident( 652 IKESA_SRCID(sa->csa_ikesa), SADB_EXT_IDENTITY_DST); 653 } 654 655 tag = sa->csa_ikesa->sa_tag; 656 if (tag != NULL && *tag != '\0') { 657 bzero(&sa_tag, sizeof(sa_tag)); 658 sa_tag.sadb_x_tag_exttype = SADB_X_EXT_TAG; 659 sa_tag.sadb_x_tag_len = 660 (ROUNDUP(strlen(tag) + 1) + sizeof(sa_tag)) / 8; 661 sa_tag.sadb_x_tag_taglen = strlen(tag) + 1; 662 } else 663 tag = NULL; 664 665 if (pol->pol_tap != 0) { 666 dotap = 1; 667 bzero(&sa_tap, sizeof(sa_tap)); 668 sa_tap.sadb_x_tap_exttype = SADB_X_EXT_TAP; 669 sa_tap.sadb_x_tap_len = sizeof(sa_tap) / 8; 670 sa_tap.sadb_x_tap_unit = pol->pol_tap; 671 } 672 673 send: 674 iov_cnt = 0; 675 676 /* header */ 677 iov[iov_cnt].iov_base = &smsg; 678 iov[iov_cnt].iov_len = sizeof(smsg); 679 iov_cnt++; 680 681 /* sa */ 682 iov[iov_cnt].iov_base = &sadb; 683 iov[iov_cnt].iov_len = sizeof(sadb); 684 smsg.sadb_msg_len += sadb.sadb_sa_len; 685 iov_cnt++; 686 687 /* src addr */ 688 iov[iov_cnt].iov_base = &sa_src; 689 iov[iov_cnt].iov_len = sizeof(sa_src); 690 iov_cnt++; 691 iov[iov_cnt].iov_base = &ssrc; 692 iov[iov_cnt].iov_len = ROUNDUP(ssrc.ss_len); 693 smsg.sadb_msg_len += sa_src.sadb_address_len; 694 iov_cnt++; 695 696 /* dst addr */ 697 iov[iov_cnt].iov_base = &sa_dst; 698 iov[iov_cnt].iov_len = sizeof(sa_dst); 699 iov_cnt++; 700 iov[iov_cnt].iov_base = &sdst; 701 iov[iov_cnt].iov_len = ROUNDUP(sdst.ss_len); 702 smsg.sadb_msg_len += sa_dst.sadb_address_len; 703 iov_cnt++; 704 705 if (spxy.ss_len) { 706 /* pxy addr */ 707 iov[iov_cnt].iov_base = &sa_pxy; 708 iov[iov_cnt].iov_len = sizeof(sa_pxy); 709 iov_cnt++; 710 iov[iov_cnt].iov_base = &spxy; 711 iov[iov_cnt].iov_len = ROUNDUP(spxy.ss_len); 712 smsg.sadb_msg_len += sa_pxy.sadb_address_len; 713 iov_cnt++; 714 } 715 716 if (sa_ltime_soft.sadb_lifetime_len) { 717 /* soft lifetime */ 718 iov[iov_cnt].iov_base = &sa_ltime_soft; 719 iov[iov_cnt].iov_len = sizeof(sa_ltime_soft); 720 smsg.sadb_msg_len += sa_ltime_soft.sadb_lifetime_len; 721 iov_cnt++; 722 } 723 724 if (sa_ltime_hard.sadb_lifetime_len) { 725 /* hard lifetime */ 726 iov[iov_cnt].iov_base = &sa_ltime_hard; 727 iov[iov_cnt].iov_len = sizeof(sa_ltime_hard); 728 smsg.sadb_msg_len += sa_ltime_hard.sadb_lifetime_len; 729 iov_cnt++; 730 } 731 732 if (udpencap.sadb_x_udpencap_len) { 733 iov[iov_cnt].iov_base = &udpencap; 734 iov[iov_cnt].iov_len = sizeof(udpencap); 735 smsg.sadb_msg_len += udpencap.sadb_x_udpencap_len; 736 iov_cnt++; 737 } 738 739 if (sa_enckey.sadb_key_len) { 740 /* encryption key */ 741 iov[iov_cnt].iov_base = &sa_enckey; 742 iov[iov_cnt].iov_len = sizeof(sa_enckey); 743 iov_cnt++; 744 iov[iov_cnt].iov_base = ibuf_data(sa->csa_encrkey); 745 iov[iov_cnt].iov_len = 746 ((ibuf_size(sa->csa_encrkey) + 7) / 8) * 8; 747 smsg.sadb_msg_len += sa_enckey.sadb_key_len; 748 iov_cnt++; 749 } 750 if (sa_authkey.sadb_key_len) { 751 /* authentication key */ 752 iov[iov_cnt].iov_base = &sa_authkey; 753 iov[iov_cnt].iov_len = sizeof(sa_authkey); 754 iov_cnt++; 755 iov[iov_cnt].iov_base = ibuf_data(sa->csa_integrkey); 756 iov[iov_cnt].iov_len = 757 ((ibuf_size(sa->csa_integrkey) + 7) / 8) * 8; 758 smsg.sadb_msg_len += sa_authkey.sadb_key_len; 759 iov_cnt++; 760 } 761 762 if (sa_srcid) { 763 /* src identity */ 764 iov[iov_cnt].iov_base = sa_srcid; 765 iov[iov_cnt].iov_len = sa_srcid->sadb_ident_len * 8; 766 smsg.sadb_msg_len += sa_srcid->sadb_ident_len; 767 iov_cnt++; 768 } 769 if (sa_dstid) { 770 /* dst identity */ 771 iov[iov_cnt].iov_base = sa_dstid; 772 iov[iov_cnt].iov_len = sa_dstid->sadb_ident_len * 8; 773 smsg.sadb_msg_len += sa_dstid->sadb_ident_len; 774 iov_cnt++; 775 } 776 777 if (tag != NULL) { 778 /* tag identity */ 779 iov[iov_cnt].iov_base = &sa_tag; 780 iov[iov_cnt].iov_len = sizeof(sa_tag); 781 iov_cnt++; 782 iov[iov_cnt].iov_base = tag; 783 iov[iov_cnt].iov_len = ROUNDUP(strlen(tag) + 1); 784 smsg.sadb_msg_len += sa_tag.sadb_x_tag_len; 785 iov_cnt++; 786 } 787 788 if (dotap != 0) { 789 /* enc(4) device tap unit */ 790 iov[iov_cnt].iov_base = &sa_tap; 791 iov[iov_cnt].iov_len = sizeof(sa_tap); 792 smsg.sadb_msg_len += sa_tap.sadb_x_tap_len; 793 iov_cnt++; 794 } 795 796 if (pol->pol_rdomain >= 0) { 797 iov[iov_cnt].iov_base = &sa_rdomain; 798 iov[iov_cnt].iov_len = sizeof(sa_rdomain); 799 smsg.sadb_msg_len += sa_rdomain.sadb_x_rdomain_len; 800 iov_cnt++; 801 } 802 803 ret = pfkey_write(sd, &smsg, iov, iov_cnt, NULL, NULL); 804 805 free(sa_srcid); 806 free(sa_dstid); 807 808 return ret; 809 } 810 811 int 812 pfkey_sa_lookup(int sd, struct iked_childsa *sa, uint64_t *last_used) 813 { 814 struct iked_policy *pol = sa->csa_ikesa->sa_policy; 815 struct sadb_msg *msg, smsg; 816 struct sadb_address sa_src, sa_dst; 817 struct sadb_sa sadb; 818 struct sadb_x_rdomain sa_rdomain; 819 struct sadb_lifetime *sa_life; 820 struct sockaddr_storage ssrc, sdst; 821 struct iovec iov[IOV_CNT]; 822 uint8_t *data; 823 ssize_t n; 824 int iov_cnt, ret = -1, rdomain; 825 uint8_t satype; 826 827 if (last_used) 828 *last_used = 0; 829 830 if (pfkey_map(pfkey_satype, sa->csa_saproto, &satype) == -1) 831 return (-1); 832 833 bzero(&ssrc, sizeof(ssrc)); 834 memcpy(&ssrc, &sa->csa_local->addr, sizeof(ssrc)); 835 if (socket_af((struct sockaddr *)&ssrc, 0) == -1) { 836 log_warn("%s: invalid address", __func__); 837 return (-1); 838 } 839 840 bzero(&sdst, sizeof(sdst)); 841 memcpy(&sdst, &sa->csa_peer->addr, sizeof(sdst)); 842 if (socket_af((struct sockaddr *)&sdst, 0) == -1) { 843 log_warn("%s: invalid address", __func__); 844 return (-1); 845 } 846 847 bzero(&smsg, sizeof(smsg)); 848 smsg.sadb_msg_version = PF_KEY_V2; 849 smsg.sadb_msg_seq = ++sadb_msg_seq; 850 smsg.sadb_msg_pid = getpid(); 851 smsg.sadb_msg_len = sizeof(smsg) / 8; 852 smsg.sadb_msg_type = SADB_GET; 853 smsg.sadb_msg_satype = satype; 854 855 bzero(&sadb, sizeof(sadb)); 856 sadb.sadb_sa_len = sizeof(sadb) / 8; 857 sadb.sadb_sa_exttype = SADB_EXT_SA; 858 sadb.sadb_sa_spi = htonl(sa->csa_spi.spi); 859 sadb.sadb_sa_state = SADB_SASTATE_MATURE; 860 sadb.sadb_sa_replay = 64; 861 862 if (pol->pol_rdomain >= 0) { 863 rdomain = (sa->csa_dir == IPSP_DIRECTION_IN) ? 864 iked_rdomain : pol->pol_rdomain; 865 bzero(&sa_rdomain, sizeof(sa_rdomain)); 866 sa_rdomain.sadb_x_rdomain_exttype = SADB_X_EXT_RDOMAIN; 867 sa_rdomain.sadb_x_rdomain_len = sizeof(sa_rdomain) / 8; 868 sa_rdomain.sadb_x_rdomain_dom1 = rdomain; 869 } 870 871 bzero(&sa_src, sizeof(sa_src)); 872 sa_src.sadb_address_len = (sizeof(sa_src) + ROUNDUP(ssrc.ss_len)) / 8; 873 sa_src.sadb_address_exttype = SADB_EXT_ADDRESS_SRC; 874 875 bzero(&sa_dst, sizeof(sa_dst)); 876 sa_dst.sadb_address_len = (sizeof(sa_dst) + ROUNDUP(sdst.ss_len)) / 8; 877 sa_dst.sadb_address_exttype = SADB_EXT_ADDRESS_DST; 878 879 iov_cnt = 0; 880 881 /* header */ 882 iov[iov_cnt].iov_base = &smsg; 883 iov[iov_cnt].iov_len = sizeof(smsg); 884 iov_cnt++; 885 886 /* sa */ 887 iov[iov_cnt].iov_base = &sadb; 888 iov[iov_cnt].iov_len = sizeof(sadb); 889 smsg.sadb_msg_len += sadb.sadb_sa_len; 890 iov_cnt++; 891 892 /* src addr */ 893 iov[iov_cnt].iov_base = &sa_src; 894 iov[iov_cnt].iov_len = sizeof(sa_src); 895 iov_cnt++; 896 iov[iov_cnt].iov_base = &ssrc; 897 iov[iov_cnt].iov_len = ROUNDUP(ssrc.ss_len); 898 smsg.sadb_msg_len += sa_src.sadb_address_len; 899 iov_cnt++; 900 901 /* dst addr */ 902 iov[iov_cnt].iov_base = &sa_dst; 903 iov[iov_cnt].iov_len = sizeof(sa_dst); 904 iov_cnt++; 905 iov[iov_cnt].iov_base = &sdst; 906 iov[iov_cnt].iov_len = ROUNDUP(sdst.ss_len); 907 smsg.sadb_msg_len += sa_dst.sadb_address_len; 908 iov_cnt++; 909 910 if (pol->pol_rdomain >= 0) { 911 iov[iov_cnt].iov_base = &sa_rdomain; 912 iov[iov_cnt].iov_len = sizeof(sa_rdomain); 913 smsg.sadb_msg_len += sa_rdomain.sadb_x_rdomain_len; 914 iov_cnt++; 915 } 916 917 if ((ret = pfkey_write(sd, &smsg, iov, iov_cnt, &data, &n)) != 0) 918 return (-1); 919 920 msg = (struct sadb_msg *)data; 921 if (msg->sadb_msg_errno != 0) { 922 errno = msg->sadb_msg_errno; 923 ret = -1; 924 log_warn("%s: message", __func__); 925 goto done; 926 } 927 if (last_used) { 928 if ((sa_life = pfkey_find_ext(data, n, 929 SADB_X_EXT_LIFETIME_LASTUSE)) == NULL) { 930 /* has never been used */ 931 ret = -1; 932 goto done; 933 } 934 *last_used = sa_life->sadb_lifetime_usetime; 935 log_debug("%s: last_used %llu", __func__, *last_used); 936 } 937 938 done: 939 freezero(data, n); 940 return (ret); 941 } 942 943 int 944 pfkey_sa_last_used(int sd, struct iked_childsa *sa, uint64_t *last_used) 945 { 946 return pfkey_sa_lookup(sd, sa, last_used); 947 } 948 949 int 950 pfkey_sa_check_exists(int sd, struct iked_childsa *sa) 951 { 952 return pfkey_sa_lookup(sd, sa, NULL); 953 } 954 955 int 956 pfkey_sa_getspi(int sd, uint8_t satype, struct iked_childsa *sa, 957 uint32_t *spip) 958 { 959 struct sadb_msg *msg, smsg; 960 struct sadb_address sa_src, sa_dst; 961 struct sadb_sa *sa_ext; 962 struct sadb_spirange sa_spirange; 963 struct sockaddr_storage ssrc, sdst; 964 struct iovec iov[IOV_CNT]; 965 uint8_t *data; 966 ssize_t n; 967 int iov_cnt, ret = -1; 968 969 bzero(&ssrc, sizeof(ssrc)); 970 memcpy(&ssrc, &sa->csa_local->addr, sizeof(ssrc)); 971 if (socket_af((struct sockaddr *)&ssrc, 0) == -1) { 972 log_warn("%s: invalid address", __func__); 973 return (-1); 974 } 975 976 bzero(&sdst, sizeof(sdst)); 977 memcpy(&sdst, &sa->csa_peer->addr, sizeof(sdst)); 978 if (socket_af((struct sockaddr *)&sdst, 0) == -1) { 979 log_warn("%s: invalid address", __func__); 980 return (-1); 981 } 982 983 bzero(&smsg, sizeof(smsg)); 984 smsg.sadb_msg_version = PF_KEY_V2; 985 smsg.sadb_msg_seq = ++sadb_msg_seq; 986 smsg.sadb_msg_pid = getpid(); 987 smsg.sadb_msg_len = sizeof(smsg) / 8; 988 smsg.sadb_msg_type = SADB_GETSPI; 989 smsg.sadb_msg_satype = satype; 990 991 bzero(&sa_spirange, sizeof(sa_spirange)); 992 sa_spirange.sadb_spirange_exttype = SADB_EXT_SPIRANGE; 993 sa_spirange.sadb_spirange_len = sizeof(sa_spirange) / 8; 994 sa_spirange.sadb_spirange_min = 0x100; 995 sa_spirange.sadb_spirange_max = (satype == SADB_X_SATYPE_IPCOMP) ? 996 (CPI_PRIVATE_MIN - 1) : 0xffffffff; 997 sa_spirange.sadb_spirange_reserved = 0; 998 999 bzero(&sa_src, sizeof(sa_src)); 1000 sa_src.sadb_address_len = (sizeof(sa_src) + ROUNDUP(ssrc.ss_len)) / 8; 1001 sa_src.sadb_address_exttype = SADB_EXT_ADDRESS_SRC; 1002 1003 bzero(&sa_dst, sizeof(sa_dst)); 1004 sa_dst.sadb_address_len = (sizeof(sa_dst) + ROUNDUP(sdst.ss_len)) / 8; 1005 sa_dst.sadb_address_exttype = SADB_EXT_ADDRESS_DST; 1006 1007 iov_cnt = 0; 1008 1009 /* header */ 1010 iov[iov_cnt].iov_base = &smsg; 1011 iov[iov_cnt].iov_len = sizeof(smsg); 1012 iov_cnt++; 1013 1014 /* SPI range */ 1015 iov[iov_cnt].iov_base = &sa_spirange; 1016 iov[iov_cnt].iov_len = sizeof(sa_spirange); 1017 smsg.sadb_msg_len += sa_spirange.sadb_spirange_len; 1018 iov_cnt++; 1019 1020 /* src addr */ 1021 iov[iov_cnt].iov_base = &sa_src; 1022 iov[iov_cnt].iov_len = sizeof(sa_src); 1023 iov_cnt++; 1024 iov[iov_cnt].iov_base = &ssrc; 1025 iov[iov_cnt].iov_len = ROUNDUP(ssrc.ss_len); 1026 smsg.sadb_msg_len += sa_src.sadb_address_len; 1027 iov_cnt++; 1028 1029 /* dst addr */ 1030 iov[iov_cnt].iov_base = &sa_dst; 1031 iov[iov_cnt].iov_len = sizeof(sa_dst); 1032 iov_cnt++; 1033 iov[iov_cnt].iov_base = &sdst; 1034 iov[iov_cnt].iov_len = ROUNDUP(sdst.ss_len); 1035 smsg.sadb_msg_len += sa_dst.sadb_address_len; 1036 iov_cnt++; 1037 1038 *spip = 0; 1039 1040 if ((ret = pfkey_write(sd, &smsg, iov, iov_cnt, &data, &n)) != 0) 1041 return (-1); 1042 1043 msg = (struct sadb_msg *)data; 1044 if (msg->sadb_msg_errno != 0) { 1045 errno = msg->sadb_msg_errno; 1046 log_warn("%s: message", __func__); 1047 goto done; 1048 } 1049 if ((sa_ext = pfkey_find_ext(data, n, SADB_EXT_SA)) == NULL) { 1050 log_debug("%s: erronous reply", __func__); 1051 goto done; 1052 } 1053 1054 *spip = ntohl(sa_ext->sadb_sa_spi); 1055 log_debug("%s: spi 0x%08x", __func__, *spip); 1056 1057 done: 1058 freezero(data, n); 1059 return (ret); 1060 } 1061 1062 int 1063 pfkey_sagroup(int sd, uint8_t satype1, uint8_t action, 1064 struct iked_childsa *sa1, struct iked_childsa *sa2) 1065 { 1066 struct sadb_msg smsg; 1067 struct sadb_sa sadb1, sadb2; 1068 struct sadb_address sa_dst1, sa_dst2; 1069 struct sockaddr_storage sdst1, sdst2; 1070 struct sadb_protocol sa_proto; 1071 struct sadb_x_rdomain sa_rdomain; 1072 struct iked_policy *pol; 1073 struct iovec iov[IOV_CNT]; 1074 int iov_cnt; 1075 int group_rdomain; 1076 uint8_t satype2; 1077 1078 if (pfkey_map(pfkey_satype, sa2->csa_saproto, &satype2) == -1) 1079 return (-1); 1080 1081 bzero(&sdst1, sizeof(sdst1)); 1082 memcpy(&sdst1, &sa1->csa_peer->addr, sizeof(sdst1)); 1083 if (socket_af((struct sockaddr *)&sdst1, 0) == -1) { 1084 log_warnx("%s: unsupported address family %d", 1085 __func__, sdst1.ss_family); 1086 return (-1); 1087 } 1088 1089 bzero(&sdst2, sizeof(sdst2)); 1090 memcpy(&sdst2, &sa2->csa_peer->addr, sizeof(sdst2)); 1091 if (socket_af((struct sockaddr *)&sdst2, 0) == -1) { 1092 log_warnx("%s: unsupported address family %d", 1093 __func__, sdst2.ss_family); 1094 return (-1); 1095 } 1096 1097 bzero(&smsg, sizeof(smsg)); 1098 smsg.sadb_msg_version = PF_KEY_V2; 1099 smsg.sadb_msg_seq = ++sadb_msg_seq; 1100 smsg.sadb_msg_pid = getpid(); 1101 smsg.sadb_msg_len = sizeof(smsg) / 8; 1102 smsg.sadb_msg_type = action; 1103 smsg.sadb_msg_satype = satype1; 1104 1105 bzero(&sadb1, sizeof(sadb1)); 1106 sadb1.sadb_sa_len = sizeof(sadb1) / 8; 1107 sadb1.sadb_sa_exttype = SADB_EXT_SA; 1108 sadb1.sadb_sa_spi = htonl(sa1->csa_spi.spi); 1109 sadb1.sadb_sa_state = SADB_SASTATE_MATURE; 1110 1111 bzero(&sadb2, sizeof(sadb2)); 1112 sadb2.sadb_sa_len = sizeof(sadb2) / 8; 1113 sadb2.sadb_sa_exttype = SADB_X_EXT_SA2; 1114 sadb2.sadb_sa_spi = htonl(sa2->csa_spi.spi); 1115 sadb2.sadb_sa_state = SADB_SASTATE_MATURE; 1116 1117 /* Incoming SA1 (IPCOMP) and SA2 (ESP) are in different/other rdomain */ 1118 group_rdomain = 1119 (pol = sa1->csa_ikesa->sa_policy) != NULL && 1120 pol->pol_rdomain >= 0 && 1121 satype1 == SADB_X_SATYPE_IPCOMP && 1122 satype2 == SADB_SATYPE_ESP; 1123 if (group_rdomain) { 1124 bzero(&sa_rdomain, sizeof(sa_rdomain)); 1125 sa_rdomain.sadb_x_rdomain_exttype = SADB_X_EXT_RDOMAIN; 1126 sa_rdomain.sadb_x_rdomain_len = sizeof(sa_rdomain) / 8; 1127 if (sa1->csa_dir == IPSP_DIRECTION_IN) { 1128 /* only ESP SA is iked's rdomain */ 1129 sa_rdomain.sadb_x_rdomain_dom1 = pol->pol_rdomain; 1130 sa_rdomain.sadb_x_rdomain_dom2 = iked_rdomain; 1131 } else { 1132 /* both SAs are in pol_rdomain */ 1133 sa_rdomain.sadb_x_rdomain_dom1 = pol->pol_rdomain; 1134 sa_rdomain.sadb_x_rdomain_dom2 = pol->pol_rdomain; 1135 } 1136 } 1137 1138 iov_cnt = 0; 1139 1140 bzero(&sa_dst1, sizeof(sa_dst1)); 1141 sa_dst1.sadb_address_exttype = SADB_EXT_ADDRESS_DST; 1142 sa_dst1.sadb_address_len = 1143 (sizeof(sa_dst1) + ROUNDUP(sdst1.ss_len)) / 8; 1144 1145 bzero(&sa_dst2, sizeof(sa_dst2)); 1146 sa_dst2.sadb_address_exttype = SADB_X_EXT_DST2; 1147 sa_dst2.sadb_address_len = 1148 (sizeof(sa_dst2) + ROUNDUP(sdst2.ss_len)) / 8; 1149 1150 bzero(&sa_proto, sizeof(sa_proto)); 1151 sa_proto.sadb_protocol_exttype = SADB_X_EXT_SATYPE2; 1152 sa_proto.sadb_protocol_len = sizeof(sa_proto) / 8; 1153 sa_proto.sadb_protocol_direction = 0; 1154 sa_proto.sadb_protocol_proto = satype2; 1155 1156 /* header */ 1157 iov[iov_cnt].iov_base = &smsg; 1158 iov[iov_cnt].iov_len = sizeof(smsg); 1159 iov_cnt++; 1160 1161 /* sa */ 1162 iov[iov_cnt].iov_base = &sadb1; 1163 iov[iov_cnt].iov_len = sizeof(sadb1); 1164 smsg.sadb_msg_len += sadb1.sadb_sa_len; 1165 iov_cnt++; 1166 1167 /* dst addr */ 1168 iov[iov_cnt].iov_base = &sa_dst1; 1169 iov[iov_cnt].iov_len = sizeof(sa_dst1); 1170 iov_cnt++; 1171 iov[iov_cnt].iov_base = &sdst1; 1172 iov[iov_cnt].iov_len = ROUNDUP(sdst1.ss_len); 1173 smsg.sadb_msg_len += sa_dst1.sadb_address_len; 1174 iov_cnt++; 1175 1176 /* second sa */ 1177 iov[iov_cnt].iov_base = &sadb2; 1178 iov[iov_cnt].iov_len = sizeof(sadb2); 1179 smsg.sadb_msg_len += sadb2.sadb_sa_len; 1180 iov_cnt++; 1181 1182 /* second dst addr */ 1183 iov[iov_cnt].iov_base = &sa_dst2; 1184 iov[iov_cnt].iov_len = sizeof(sa_dst2); 1185 iov_cnt++; 1186 iov[iov_cnt].iov_base = &sdst2; 1187 iov[iov_cnt].iov_len = ROUNDUP(sdst2.ss_len); 1188 smsg.sadb_msg_len += sa_dst2.sadb_address_len; 1189 iov_cnt++; 1190 1191 /* SA type */ 1192 iov[iov_cnt].iov_base = &sa_proto; 1193 iov[iov_cnt].iov_len = sizeof(sa_proto); 1194 smsg.sadb_msg_len += sa_proto.sadb_protocol_len; 1195 iov_cnt++; 1196 1197 /* SA1 and SA2 are from different rdomains */ 1198 if (group_rdomain) { 1199 iov[iov_cnt].iov_base = &sa_rdomain; 1200 iov[iov_cnt].iov_len = sizeof(sa_rdomain); 1201 smsg.sadb_msg_len += sa_rdomain.sadb_x_rdomain_len; 1202 iov_cnt++; 1203 } 1204 1205 return (pfkey_write(sd, &smsg, iov, iov_cnt, NULL, NULL)); 1206 } 1207 1208 int 1209 pfkey_write(int sd, struct sadb_msg *smsg, struct iovec *iov, int iov_cnt, 1210 uint8_t **datap, ssize_t *lenp) 1211 { 1212 ssize_t n, len = smsg->sadb_msg_len * 8; 1213 1214 if (sadb_decoupled) { 1215 switch (smsg->sadb_msg_type) { 1216 case SADB_GETSPI: 1217 /* we need to get a new SPI from the kernel */ 1218 break; 1219 default: 1220 if (datap || lenp) { 1221 log_warnx("%s: pfkey not coupled", __func__); 1222 return (-1); 1223 } 1224 /* ignore request */ 1225 return (0); 1226 } 1227 } 1228 1229 if ((n = writev(sd, iov, iov_cnt)) == -1) { 1230 log_warn("%s: writev failed", __func__); 1231 return (-1); 1232 } else if (n != len) { 1233 log_warn("%s: short write", __func__); 1234 return (-1); 1235 } 1236 1237 return (pfkey_reply(sd, datap, lenp)); 1238 } 1239 1240 /* wait for pfkey response and returns 0 for ok, -1 for error, -2 for timeout */ 1241 int 1242 pfkey_reply(int sd, uint8_t **datap, ssize_t *lenp) 1243 { 1244 struct pfkey_message *pm; 1245 struct sadb_msg hdr; 1246 ssize_t len; 1247 uint8_t *data; 1248 struct pollfd pfd[1]; 1249 int n; 1250 1251 pfd[0].fd = sd; 1252 pfd[0].events = POLLIN; 1253 1254 for (;;) { 1255 /* 1256 * We should actually expect the reply to get lost 1257 * as PF_KEY is an unreliable service per the specs. 1258 * Currently we do this by setting a short timeout, 1259 * and if it is not readable in that time, we fail 1260 * the read. 1261 */ 1262 n = poll(pfd, 1, PFKEY_REPLY_TIMEOUT / 1000); 1263 if (n == -1) { 1264 log_warn("%s: poll() failed", __func__); 1265 return (-1); 1266 } 1267 if (n == 0) { 1268 log_warnx("%s: no reply from PF_KEY", __func__); 1269 return (-2); /* retry */ 1270 } 1271 1272 if (recv(sd, &hdr, sizeof(hdr), MSG_PEEK) != sizeof(hdr)) { 1273 log_warn("%s: short recv", __func__); 1274 return (-1); 1275 } 1276 1277 if (hdr.sadb_msg_version != PF_KEY_V2) { 1278 log_warnx("%s: wrong pfkey version", __func__); 1279 return (-1); 1280 } 1281 1282 if ((data = reallocarray(NULL, hdr.sadb_msg_len, 1283 PFKEYV2_CHUNK)) == NULL) { 1284 log_warn("%s: malloc", __func__); 1285 return (-1); 1286 } 1287 len = hdr.sadb_msg_len * PFKEYV2_CHUNK; 1288 1289 if (read(sd, data, len) != len) { 1290 log_warnx("%s: short read", __func__); 1291 free(data); 1292 return (-1); 1293 } 1294 1295 /* XXX: Only one message can be outstanding. */ 1296 if (hdr.sadb_msg_seq == sadb_msg_seq && 1297 hdr.sadb_msg_pid == (uint32_t)getpid()) 1298 break; 1299 1300 /* ignore messages for other processes */ 1301 if (hdr.sadb_msg_pid != 0 && 1302 hdr.sadb_msg_pid != (uint32_t)getpid()) { 1303 free(data); 1304 continue; 1305 } 1306 1307 /* not the reply, enqueue */ 1308 if ((pm = malloc(sizeof(*pm))) == NULL) { 1309 log_warn("%s: malloc", __func__); 1310 free(data); 1311 return (-1); 1312 } 1313 pm->pm_data = data; 1314 pm->pm_length = len; 1315 SIMPLEQ_INSERT_TAIL(&pfkey_postponed, pm, pm_entry); 1316 evtimer_add(&pfkey_timer_ev, &pfkey_timer_tv); 1317 } 1318 1319 if (datap) { 1320 *datap = data; 1321 if (lenp) 1322 *lenp = len; 1323 } else 1324 free(data); 1325 1326 if (datap == NULL && hdr.sadb_msg_errno != 0) { 1327 errno = hdr.sadb_msg_errno; 1328 if (errno != EEXIST) { 1329 log_warn("%s: message", __func__); 1330 return (-1); 1331 } 1332 } 1333 return (0); 1334 } 1335 1336 int 1337 pfkey_flow_add(int fd, struct iked_flow *flow) 1338 { 1339 uint8_t satype; 1340 1341 if (flow->flow_loaded) 1342 return (0); 1343 1344 if (pfkey_map(pfkey_satype, flow->flow_saproto, &satype) == -1) 1345 return (-1); 1346 1347 if (pfkey_flow(fd, satype, SADB_X_ADDFLOW, flow) == -1) 1348 return (-1); 1349 1350 flow->flow_loaded = 1; 1351 1352 return (0); 1353 } 1354 1355 int 1356 pfkey_flow_delete(int fd, struct iked_flow *flow) 1357 { 1358 uint8_t satype; 1359 1360 if (!flow->flow_loaded) 1361 return (0); 1362 1363 if (pfkey_map(pfkey_satype, flow->flow_saproto, &satype) == -1) 1364 return (-1); 1365 1366 if (pfkey_flow(fd, satype, SADB_X_DELFLOW, flow) == -1) 1367 return (-1); 1368 1369 flow->flow_loaded = 0; 1370 1371 return (0); 1372 } 1373 1374 int 1375 pfkey_sa_init(int fd, struct iked_childsa *sa, uint32_t *spi) 1376 { 1377 uint8_t satype; 1378 1379 if (pfkey_map(pfkey_satype, sa->csa_saproto, &satype) == -1) 1380 return (-1); 1381 1382 if (pfkey_sa_getspi(fd, satype, sa, spi) == -1) 1383 return (-1); 1384 1385 log_debug("%s: new spi 0x%08x", __func__, *spi); 1386 1387 return (0); 1388 } 1389 1390 int 1391 pfkey_sa_add(int fd, struct iked_childsa *sa, struct iked_childsa *last) 1392 { 1393 uint8_t satype; 1394 unsigned int cmd; 1395 int rval; 1396 1397 if (pfkey_map(pfkey_satype, sa->csa_saproto, &satype) == -1) 1398 return (-1); 1399 1400 if (sa->csa_allocated || sa->csa_loaded) 1401 cmd = SADB_UPDATE; 1402 else 1403 cmd = SADB_ADD; 1404 1405 log_debug("%s: %s spi %s", __func__, cmd == SADB_ADD ? "add": "update", 1406 print_spi(sa->csa_spi.spi, 4)); 1407 1408 rval = pfkey_sa(fd, satype, cmd, sa); 1409 if (rval != 0) { 1410 if (cmd == SADB_ADD) { 1411 if (rval == -2) { 1412 /* timeout: check for existence */ 1413 if (pfkey_sa_check_exists(fd, sa) == 0) { 1414 log_debug("%s: SA exists after timeout", 1415 __func__); 1416 goto loaded; 1417 } 1418 } 1419 (void)pfkey_sa_delete(fd, sa); 1420 return (-1); 1421 } 1422 if (sa->csa_allocated && !sa->csa_loaded && errno == ESRCH) { 1423 /* Needed for recoupling local SAs */ 1424 log_debug("%s: SADB_UPDATE on local SA returned ESRCH," 1425 " trying SADB_ADD", __func__); 1426 if (pfkey_sa(fd, satype, SADB_ADD, sa) == -1) 1427 return (-1); 1428 } else { 1429 return (-1); 1430 } 1431 } 1432 1433 loaded: 1434 if (last != NULL) { 1435 if (pfkey_sagroup(fd, satype, 1436 SADB_X_GRPSPIS, sa, last) == -1) { 1437 (void)pfkey_sa_delete(fd, sa); 1438 return (-1); 1439 } 1440 } 1441 1442 sa->csa_loaded = 1; 1443 return (0); 1444 } 1445 1446 int 1447 pfkey_sa_update_addresses(int fd, struct iked_childsa *sa) 1448 { 1449 uint8_t satype; 1450 1451 if (!sa->csa_ikesa) 1452 return (-1); 1453 /* check if peer has changed */ 1454 if (sa->csa_ikesa->sa_peer_loaded.addr.ss_family == AF_UNSPEC || 1455 memcmp(&sa->csa_ikesa->sa_peer_loaded, &sa->csa_ikesa->sa_peer, 1456 sizeof(sa->csa_ikesa->sa_peer_loaded)) == 0) 1457 return (0); 1458 if (pfkey_map(pfkey_satype, sa->csa_saproto, &satype) == -1) 1459 return (-1); 1460 log_debug("%s: spi %s", __func__, print_spi(sa->csa_spi.spi, 4)); 1461 return pfkey_sa(fd, satype, IKED_SADB_UPDATE_SA_ADDRESSES, sa); 1462 } 1463 1464 int 1465 pfkey_sa_delete(int fd, struct iked_childsa *sa) 1466 { 1467 uint8_t satype; 1468 1469 if (!sa->csa_loaded || sa->csa_spi.spi == 0) 1470 return (0); 1471 1472 if (pfkey_map(pfkey_satype, sa->csa_saproto, &satype) == -1) 1473 return (-1); 1474 1475 if (pfkey_sa(fd, satype, SADB_DELETE, sa) == -1 && 1476 pfkey_sa_check_exists(fd, sa) == 0) 1477 return (-1); 1478 1479 sa->csa_loaded = 0; 1480 return (0); 1481 } 1482 1483 int 1484 pfkey_flush(int sd) 1485 { 1486 struct sadb_msg smsg; 1487 struct iovec iov[IOV_CNT]; 1488 int iov_cnt; 1489 1490 bzero(&smsg, sizeof(smsg)); 1491 smsg.sadb_msg_version = PF_KEY_V2; 1492 smsg.sadb_msg_seq = ++sadb_msg_seq; 1493 smsg.sadb_msg_pid = getpid(); 1494 smsg.sadb_msg_len = sizeof(smsg) / 8; 1495 smsg.sadb_msg_type = SADB_FLUSH; 1496 smsg.sadb_msg_satype = SADB_SATYPE_UNSPEC; 1497 1498 iov_cnt = 0; 1499 1500 iov[iov_cnt].iov_base = &smsg; 1501 iov[iov_cnt].iov_len = sizeof(smsg); 1502 iov_cnt++; 1503 1504 return (pfkey_write(sd, &smsg, iov, iov_cnt, NULL, NULL)); 1505 } 1506 1507 struct sadb_ident * 1508 pfkey_id2ident(struct iked_id *id, unsigned int exttype) 1509 { 1510 char idstr[IKED_ID_SIZE]; 1511 unsigned int type; 1512 size_t len; 1513 struct sadb_ident *sa_id; 1514 1515 switch (id->id_type) { 1516 case IKEV2_ID_FQDN: 1517 type = SADB_IDENTTYPE_FQDN; 1518 break; 1519 case IKEV2_ID_UFQDN: 1520 type = SADB_IDENTTYPE_USERFQDN; 1521 break; 1522 case IKEV2_ID_IPV4: 1523 case IKEV2_ID_IPV6: 1524 type = SADB_IDENTTYPE_PREFIX; 1525 break; 1526 case IKEV2_ID_ASN1_DN: 1527 case IKEV2_ID_ASN1_GN: 1528 case IKEV2_ID_KEY_ID: 1529 case IKEV2_ID_NONE: 1530 default: 1531 /* XXX not implemented/supported by PFKEY */ 1532 return (NULL); 1533 } 1534 1535 bzero(&idstr, sizeof(idstr)); 1536 1537 if (ikev2_print_id(id, idstr, sizeof(idstr)) == -1) 1538 return (NULL); 1539 1540 len = ROUNDUP(strlen(idstr) + 1) + sizeof(*sa_id); 1541 if ((sa_id = calloc(1, len)) == NULL) 1542 return (NULL); 1543 1544 strlcpy((char *)(sa_id + 1), idstr, ROUNDUP(strlen(idstr) + 1)); 1545 sa_id->sadb_ident_type = type; 1546 sa_id->sadb_ident_len = len / 8; 1547 sa_id->sadb_ident_exttype = exttype; 1548 1549 return (sa_id); 1550 } 1551 1552 int 1553 pfkey_socket(void) 1554 { 1555 int fd; 1556 1557 if (privsep_process != PROC_PARENT) 1558 fatal("pfkey_socket: called from unprivileged process"); 1559 1560 if ((fd = socket(PF_KEY, SOCK_RAW, PF_KEY_V2)) == -1) 1561 fatal("pfkey_socket: failed to open PF_KEY socket"); 1562 1563 pfkey_flush(fd); 1564 1565 return (fd); 1566 } 1567 1568 void 1569 pfkey_init(struct iked *env, int fd) 1570 { 1571 struct sadb_msg smsg; 1572 struct iovec iov; 1573 1574 iked_rdomain = getrtable(); 1575 1576 /* Set up a timer to process messages deferred by the pfkey_reply */ 1577 pfkey_timer_tv.tv_sec = 1; 1578 pfkey_timer_tv.tv_usec = 0; 1579 evtimer_set(&pfkey_timer_ev, pfkey_timer_cb, env); 1580 1581 /* Register the pfkey socket event handler */ 1582 env->sc_pfkey = fd; 1583 event_set(&env->sc_pfkeyev, env->sc_pfkey, 1584 EV_READ|EV_PERSIST, pfkey_dispatch, env); 1585 event_add(&env->sc_pfkeyev, NULL); 1586 1587 /* Register it to get ESP and AH acquires from the kernel */ 1588 bzero(&smsg, sizeof(smsg)); 1589 smsg.sadb_msg_version = PF_KEY_V2; 1590 smsg.sadb_msg_seq = ++sadb_msg_seq; 1591 smsg.sadb_msg_pid = getpid(); 1592 smsg.sadb_msg_len = sizeof(smsg) / 8; 1593 smsg.sadb_msg_type = SADB_REGISTER; 1594 smsg.sadb_msg_satype = SADB_SATYPE_ESP; 1595 1596 iov.iov_base = &smsg; 1597 iov.iov_len = sizeof(smsg); 1598 1599 if (pfkey_write(fd, &smsg, &iov, 1, NULL, NULL)) 1600 fatal("pfkey_init: failed to set up ESP acquires"); 1601 1602 bzero(&smsg, sizeof(smsg)); 1603 smsg.sadb_msg_version = PF_KEY_V2; 1604 smsg.sadb_msg_seq = ++sadb_msg_seq; 1605 smsg.sadb_msg_pid = getpid(); 1606 smsg.sadb_msg_len = sizeof(smsg) / 8; 1607 smsg.sadb_msg_type = SADB_REGISTER; 1608 smsg.sadb_msg_satype = SADB_SATYPE_AH; 1609 1610 iov.iov_base = &smsg; 1611 iov.iov_len = sizeof(smsg); 1612 1613 if (pfkey_write(fd, &smsg, &iov, 1, NULL, NULL)) 1614 fatal("pfkey_init: failed to set up AH acquires"); 1615 } 1616 1617 void * 1618 pfkey_find_ext(uint8_t *data, ssize_t len, int type) 1619 { 1620 struct sadb_ext *ext = (struct sadb_ext *)(data + 1621 sizeof(struct sadb_msg)); 1622 1623 while (ext && ((uint8_t *)ext - data < len)) { 1624 if (ext->sadb_ext_type == type) 1625 return (ext); 1626 ext = (struct sadb_ext *)((uint8_t *)ext + 1627 ext->sadb_ext_len * PFKEYV2_CHUNK); 1628 } 1629 1630 return (NULL); 1631 } 1632 1633 void 1634 pfkey_dispatch(int sd, short event, void *arg) 1635 { 1636 struct iked *env = (struct iked *)arg; 1637 struct pfkey_message pm, *pmp; 1638 struct sadb_msg hdr; 1639 ssize_t len; 1640 uint8_t *data; 1641 1642 if (recv(sd, &hdr, sizeof(hdr), MSG_PEEK) != sizeof(hdr)) { 1643 log_warn("%s: short recv", __func__); 1644 return; 1645 } 1646 1647 if (hdr.sadb_msg_version != PF_KEY_V2) { 1648 log_warnx("%s: wrong pfkey version", __func__); 1649 return; 1650 } 1651 1652 if ((data = reallocarray(NULL, hdr.sadb_msg_len, PFKEYV2_CHUNK)) 1653 == NULL) { 1654 log_warn("%s: malloc", __func__); 1655 return; 1656 } 1657 len = hdr.sadb_msg_len * PFKEYV2_CHUNK; 1658 1659 if (read(sd, data, len) != len) { 1660 log_warn("%s: short read", __func__); 1661 free(data); 1662 return; 1663 } 1664 1665 /* Try postponed requests first, so we do in-order processing */ 1666 if (!SIMPLEQ_EMPTY(&pfkey_postponed)) 1667 pfkey_timer_cb(0, 0, env); 1668 1669 pm.pm_data = data; 1670 pm.pm_length = len; 1671 1672 if (pfkey_process(env, &pm) == -1 && 1673 (pmp = calloc(1, sizeof(*pmp))) != NULL) { 1674 pmp->pm_data = data; 1675 pmp->pm_length = len; 1676 log_debug("%s: pfkey_process is busy, retry later", __func__); 1677 SIMPLEQ_INSERT_TAIL(&pfkey_postponed, pmp, pm_entry); 1678 evtimer_add(&pfkey_timer_ev, &pfkey_timer_tv); 1679 } else { 1680 free(data); 1681 } 1682 } 1683 1684 void 1685 pfkey_timer_cb(int unused, short event, void *arg) 1686 { 1687 struct iked *env = arg; 1688 struct pfkey_message *pm; 1689 1690 SIMPLEQ_INIT(&pfkey_retry); 1691 while (!SIMPLEQ_EMPTY(&pfkey_postponed)) { 1692 pm = SIMPLEQ_FIRST(&pfkey_postponed); 1693 SIMPLEQ_REMOVE_HEAD(&pfkey_postponed, pm_entry); 1694 if (pfkey_process(env, pm) == -1) { 1695 log_debug("%s: pfkey_process is busy, retry later", 1696 __func__); 1697 SIMPLEQ_INSERT_TAIL(&pfkey_retry, pm, pm_entry); 1698 } else { 1699 free(pm->pm_data); 1700 free(pm); 1701 } 1702 } 1703 /* move from retry to postponed */ 1704 SIMPLEQ_CONCAT(&pfkey_postponed, &pfkey_retry); 1705 if (!SIMPLEQ_EMPTY(&pfkey_postponed)) 1706 evtimer_add(&pfkey_timer_ev, &pfkey_timer_tv); 1707 } 1708 1709 /* 1710 * pfkey_process returns 0 if the message has been processed and -1 if 1711 * the system is busy and the message should be passed again, later. 1712 */ 1713 int 1714 pfkey_process(struct iked *env, struct pfkey_message *pm) 1715 { 1716 struct iked_spi spi; 1717 struct sadb_sa *sa; 1718 struct sadb_lifetime *sa_ltime; 1719 struct sadb_msg *hdr; 1720 struct sadb_msg smsg; 1721 struct iked_addr peer; 1722 struct iked_flow flow; 1723 struct sadb_address *sa_addr; 1724 struct sadb_protocol *sa_proto; 1725 struct sadb_x_policy sa_pol; 1726 struct sockaddr *ssrc, *sdst, *smask, *dmask, *speer; 1727 struct iovec iov[IOV_CNT]; 1728 int ret = 0, iov_cnt, sd; 1729 uint8_t *reply; 1730 ssize_t rlen; 1731 const char *errmsg = NULL; 1732 uint8_t *data = pm->pm_data; 1733 ssize_t len = pm->pm_length; 1734 size_t slen; 1735 1736 if (!env || !data || !len) 1737 return (0); 1738 1739 sd = env->sc_pfkey; 1740 hdr = (struct sadb_msg *)data; 1741 1742 switch (hdr->sadb_msg_type) { 1743 case SADB_ACQUIRE: 1744 bzero(&flow, sizeof(flow)); 1745 bzero(&peer, sizeof(peer)); 1746 1747 if ((sa_addr = pfkey_find_ext(data, len, 1748 SADB_EXT_ADDRESS_DST)) == NULL) { 1749 log_debug("%s: no peer address", __func__); 1750 return (0); 1751 } 1752 speer = (struct sockaddr *)(sa_addr + 1); 1753 peer.addr_af = speer->sa_family; 1754 peer.addr_port = htons(socket_getport(speer)); 1755 if ((slen = speer->sa_len) > sizeof(peer.addr)) { 1756 log_debug("%s: invalid peer address len", __func__); 1757 return (0); 1758 } 1759 memcpy(&peer.addr, speer, slen); 1760 if (socket_af((struct sockaddr *)&peer.addr, 1761 peer.addr_port) == -1) { 1762 log_debug("%s: invalid address", __func__); 1763 return (0); 1764 } 1765 flow.flow_peer = &peer; 1766 1767 log_debug("%s: acquire request (peer %s)", __func__, 1768 print_host(speer, NULL, 0)); 1769 1770 /* get the matching flow */ 1771 bzero(&smsg, sizeof(smsg)); 1772 smsg.sadb_msg_version = PF_KEY_V2; 1773 smsg.sadb_msg_seq = ++sadb_msg_seq; 1774 smsg.sadb_msg_pid = getpid(); 1775 smsg.sadb_msg_len = sizeof(smsg) / 8; 1776 smsg.sadb_msg_type = SADB_X_ASKPOLICY; 1777 1778 iov_cnt = 0; 1779 1780 iov[iov_cnt].iov_base = &smsg; 1781 iov[iov_cnt].iov_len = sizeof(smsg); 1782 iov_cnt++; 1783 1784 bzero(&sa_pol, sizeof(sa_pol)); 1785 sa_pol.sadb_x_policy_exttype = SADB_X_EXT_POLICY; 1786 sa_pol.sadb_x_policy_len = sizeof(sa_pol) / 8; 1787 sa_pol.sadb_x_policy_seq = hdr->sadb_msg_seq; 1788 1789 iov[iov_cnt].iov_base = &sa_pol; 1790 iov[iov_cnt].iov_len = sizeof(sa_pol); 1791 smsg.sadb_msg_len += sizeof(sa_pol) / 8; 1792 iov_cnt++; 1793 1794 if (pfkey_write(sd, &smsg, iov, iov_cnt, &reply, &rlen)) { 1795 log_warnx("%s: failed to get a policy", __func__); 1796 return (0); 1797 } 1798 1799 if ((sa_addr = pfkey_find_ext(reply, rlen, 1800 SADB_X_EXT_SRC_FLOW)) == NULL) { 1801 errmsg = "flow source address"; 1802 goto out; 1803 } 1804 ssrc = (struct sockaddr *)(sa_addr + 1); 1805 flow.flow_src.addr_af = ssrc->sa_family; 1806 flow.flow_src.addr_port = htons(socket_getport(ssrc)); 1807 if ((slen = ssrc->sa_len) > sizeof(flow.flow_src.addr)) { 1808 log_debug("%s: invalid src address len", __func__); 1809 return (0); 1810 } 1811 memcpy(&flow.flow_src.addr, ssrc, slen); 1812 if (socket_af((struct sockaddr *)&flow.flow_src.addr, 1813 flow.flow_src.addr_port) == -1) { 1814 log_debug("%s: invalid address", __func__); 1815 return (0); 1816 } 1817 1818 if ((sa_addr = pfkey_find_ext(reply, rlen, 1819 SADB_X_EXT_DST_FLOW)) == NULL) { 1820 errmsg = "flow destination address"; 1821 goto out; 1822 } 1823 sdst = (struct sockaddr *)(sa_addr + 1); 1824 flow.flow_dst.addr_af = sdst->sa_family; 1825 flow.flow_dst.addr_port = htons(socket_getport(sdst)); 1826 if ((slen = sdst->sa_len) > sizeof(flow.flow_dst.addr)) { 1827 log_debug("%s: invalid dst address len", __func__); 1828 return (0); 1829 } 1830 memcpy(&flow.flow_dst.addr, sdst, slen); 1831 if (socket_af((struct sockaddr *)&flow.flow_dst.addr, 1832 flow.flow_dst.addr_port) == -1) { 1833 log_debug("%s: invalid address", __func__); 1834 return (0); 1835 } 1836 1837 if ((sa_addr = pfkey_find_ext(reply, rlen, 1838 SADB_X_EXT_SRC_MASK)) == NULL) { 1839 errmsg = "flow source mask"; 1840 goto out; 1841 } 1842 smask = (struct sockaddr *)(sa_addr + 1); 1843 switch (smask->sa_family) { 1844 case AF_INET: 1845 flow.flow_src.addr_mask = 1846 mask2prefixlen((struct sockaddr *)smask); 1847 if (flow.flow_src.addr_mask != 32) 1848 flow.flow_src.addr_net = 1; 1849 break; 1850 case AF_INET6: 1851 flow.flow_src.addr_mask = 1852 mask2prefixlen6((struct sockaddr *)smask); 1853 if (flow.flow_src.addr_mask != 128) 1854 flow.flow_src.addr_net = 1; 1855 break; 1856 default: 1857 log_debug("%s: bad address family", __func__); 1858 free(reply); 1859 return (0); 1860 } 1861 1862 if ((sa_addr = pfkey_find_ext(reply, rlen, 1863 SADB_X_EXT_DST_MASK)) == NULL) { 1864 errmsg = "flow destination mask"; 1865 goto out; 1866 } 1867 dmask = (struct sockaddr *)(sa_addr + 1); 1868 switch (dmask->sa_family) { 1869 case AF_INET: 1870 flow.flow_dst.addr_mask = 1871 mask2prefixlen((struct sockaddr *)dmask); 1872 if (flow.flow_src.addr_mask != 32) 1873 flow.flow_src.addr_net = 1; 1874 break; 1875 case AF_INET6: 1876 flow.flow_dst.addr_mask = 1877 mask2prefixlen6((struct sockaddr *)dmask); 1878 if (flow.flow_src.addr_mask != 128) 1879 flow.flow_src.addr_net = 1; 1880 break; 1881 default: 1882 log_debug("%s: bad address family", __func__); 1883 free(reply); 1884 return (0); 1885 } 1886 1887 switch (hdr->sadb_msg_satype) { 1888 case SADB_SATYPE_AH: 1889 flow.flow_saproto = IKEV2_SAPROTO_AH; 1890 break; 1891 case SADB_SATYPE_ESP: 1892 flow.flow_saproto = IKEV2_SAPROTO_ESP; 1893 break; 1894 case SADB_X_SATYPE_IPCOMP: 1895 flow.flow_saproto = IKEV2_SAPROTO_IPCOMP; 1896 break; 1897 } 1898 1899 if ((sa_proto = pfkey_find_ext(reply, rlen, 1900 SADB_X_EXT_FLOW_TYPE)) == NULL) { 1901 errmsg = "flow protocol"; 1902 goto out; 1903 } 1904 flow.flow_dir = sa_proto->sadb_protocol_direction; 1905 flow.flow_rdomain = -1; /* XXX get from kernel */ 1906 1907 log_debug("%s: flow %s from %s/%s to %s/%s via %s", __func__, 1908 flow.flow_dir == IPSP_DIRECTION_IN ? "in" : "out", 1909 print_host(ssrc, NULL, 0), print_host(smask, NULL, 0), 1910 print_host(sdst, NULL, 0), print_host(dmask, NULL, 0), 1911 print_host(speer, NULL, 0)); 1912 1913 ret = ikev2_child_sa_acquire(env, &flow); 1914 1915 out: 1916 if (errmsg) 1917 log_warnx("%s: %s wasn't found", __func__, errmsg); 1918 free(reply); 1919 break; 1920 1921 case SADB_EXPIRE: 1922 if ((sa = pfkey_find_ext(data, len, SADB_EXT_SA)) == NULL) { 1923 log_warnx("%s: SA extension wasn't found", __func__); 1924 return (0); 1925 } 1926 if ((sa_ltime = pfkey_find_ext(data, len, 1927 SADB_EXT_LIFETIME_SOFT)) == NULL && 1928 (sa_ltime = pfkey_find_ext(data, len, 1929 SADB_EXT_LIFETIME_HARD)) == NULL) { 1930 log_warnx("%s: lifetime extension wasn't found", 1931 __func__); 1932 return (0); 1933 } 1934 spi.spi = ntohl(sa->sadb_sa_spi); 1935 spi.spi_size = 4; 1936 switch (hdr->sadb_msg_satype) { 1937 case SADB_SATYPE_AH: 1938 spi.spi_protoid = IKEV2_SAPROTO_AH; 1939 break; 1940 case SADB_SATYPE_ESP: 1941 spi.spi_protoid = IKEV2_SAPROTO_ESP; 1942 break; 1943 case SADB_X_SATYPE_IPCOMP: 1944 spi.spi_size = 2; 1945 spi.spi_protoid = IKEV2_SAPROTO_IPCOMP; 1946 break; 1947 default: 1948 log_warnx("%s: unsupported SA type %d spi %s", 1949 __func__, hdr->sadb_msg_satype, 1950 print_spi(spi.spi, spi.spi_size)); 1951 return (0); 1952 } 1953 1954 log_debug("%s: SA %s is expired, pending %s", __func__, 1955 print_spi(spi.spi, spi.spi_size), 1956 sa_ltime->sadb_lifetime_exttype == SADB_EXT_LIFETIME_SOFT ? 1957 "rekeying" : "deletion"); 1958 1959 if (sa_ltime->sadb_lifetime_exttype == SADB_EXT_LIFETIME_SOFT) 1960 ret = ikev2_child_sa_rekey(env, &spi); 1961 else 1962 ret = ikev2_child_sa_drop(env, &spi); 1963 break; 1964 } 1965 return (ret); 1966 } 1967