1 /* $OpenBSD: pfkey.c,v 1.18 2012/06/29 15:05:49 mikeb Exp $ */ 2 /* $vantronix: pfkey.c,v 1.11 2010/06/03 07:57:33 reyk Exp $ */ 3 4 /* 5 * Copyright (c) 2010 Reyk Floeter <reyk@vantronix.net> 6 * Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org> 7 * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org> 8 * Copyright (c) 2003, 2004 Markus Friedl <markus@openbsd.org> 9 * 10 * Permission to use, copy, modify, and distribute this software for any 11 * purpose with or without fee is hereby granted, provided that the above 12 * copyright notice and this permission notice appear in all copies. 13 * 14 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 15 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 16 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 17 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 18 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 19 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 20 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 21 */ 22 23 #include <sys/types.h> 24 #include <sys/param.h> 25 #include <sys/queue.h> 26 #include <sys/uio.h> 27 #include <sys/socket.h> 28 29 #include <netinet/in.h> 30 #include <netinet/ip_ipsp.h> 31 #include <net/pfkeyv2.h> 32 33 #include <err.h> 34 #include <errno.h> 35 #include <stdio.h> 36 #include <string.h> 37 #include <stdlib.h> 38 #include <unistd.h> 39 #include <event.h> 40 41 #include "iked.h" 42 #include "ikev2.h" 43 44 #define ROUNDUP(x) (((x) + (PFKEYV2_CHUNK - 1)) & ~(PFKEYV2_CHUNK - 1)) 45 #define IOV_CNT 20 46 47 #define PFKEYV2_CHUNK sizeof(u_int64_t) 48 49 static u_int32_t sadb_msg_seq = 0; 50 static u_int sadb_decoupled = 0; 51 52 static struct event pfkey_timer_ev; 53 static struct timeval pfkey_timer_tv; 54 55 struct pfkey_message { 56 SIMPLEQ_ENTRY(pfkey_message) 57 pm_entry; 58 u_int8_t *pm_data; 59 ssize_t pm_lenght; 60 }; 61 SIMPLEQ_HEAD(, pfkey_message) pfkey_postponed = 62 SIMPLEQ_HEAD_INITIALIZER(pfkey_postponed); 63 64 struct pfkey_constmap { 65 u_int8_t pfkey_id; 66 u_int pfkey_ikeid; 67 u_int pfkey_fixedkey; 68 }; 69 70 static const struct pfkey_constmap pfkey_encr[] = { 71 { SADB_X_EALG_DES_IV64, IKEV2_XFORMENCR_DES_IV64 }, 72 { SADB_EALG_DESCBC, IKEV2_XFORMENCR_DES }, 73 { SADB_EALG_3DESCBC, IKEV2_XFORMENCR_3DES }, 74 { SADB_X_EALG_RC5, IKEV2_XFORMENCR_RC5 }, 75 { SADB_X_EALG_IDEA, IKEV2_XFORMENCR_IDEA }, 76 { SADB_X_EALG_CAST, IKEV2_XFORMENCR_CAST }, 77 { SADB_X_EALG_BLF, IKEV2_XFORMENCR_BLOWFISH }, 78 { SADB_X_EALG_3IDEA, IKEV2_XFORMENCR_3IDEA }, 79 { SADB_X_EALG_DES_IV32, IKEV2_XFORMENCR_DES_IV32 }, 80 { SADB_X_EALG_RC4, IKEV2_XFORMENCR_RC4 }, 81 { SADB_EALG_NULL, IKEV2_XFORMENCR_NULL }, 82 { SADB_X_EALG_AES, IKEV2_XFORMENCR_AES_CBC }, 83 { SADB_X_EALG_AESCTR, IKEV2_XFORMENCR_AES_CTR }, 84 { SADB_X_EALG_AESGCM16, IKEV2_XFORMENCR_AES_GCM_16 }, 85 { SADB_X_EALG_AESGMAC, IKEV2_XFORMENCR_NULL_AES_GMAC }, 86 { 0 } 87 }; 88 89 static const struct pfkey_constmap pfkey_integr[] = { 90 { SADB_AALG_MD5HMAC, IKEV2_XFORMAUTH_HMAC_MD5_96 }, 91 { SADB_AALG_SHA1HMAC, IKEV2_XFORMAUTH_HMAC_SHA1_96 }, 92 { SADB_X_AALG_DES, IKEV2_XFORMAUTH_DES_MAC }, 93 { SADB_X_AALG_SHA2_256, IKEV2_XFORMAUTH_HMAC_SHA2_256_128 }, 94 { SADB_X_AALG_SHA2_384, IKEV2_XFORMAUTH_HMAC_SHA2_384_192 }, 95 { SADB_X_AALG_SHA2_512, IKEV2_XFORMAUTH_HMAC_SHA2_512_256 }, 96 { 0 } 97 }; 98 99 static const struct pfkey_constmap pfkey_satype[] = { 100 { SADB_SATYPE_AH, IKEV2_SAPROTO_AH }, 101 { SADB_SATYPE_ESP, IKEV2_SAPROTO_ESP }, 102 { 0 } 103 }; 104 105 int pfkey_map(const struct pfkey_constmap *, u_int16_t, u_int8_t *); 106 int pfkey_flow(int, u_int8_t, u_int8_t, struct iked_flow *); 107 int pfkey_sa(int, u_int8_t, u_int8_t, struct iked_childsa *); 108 int pfkey_sa_getspi(int, u_int8_t, struct iked_childsa *, u_int32_t *); 109 int pfkey_sagroup(int, u_int8_t, u_int8_t, 110 struct iked_childsa *, struct iked_childsa *); 111 int pfkey_write(int, struct sadb_msg *, struct iovec *, int, 112 u_int8_t **, ssize_t *); 113 int pfkey_reply(int, u_int8_t **, ssize_t *); 114 void pfkey_dispatch(int, short, void *); 115 116 struct sadb_ident * 117 pfkey_id2ident(struct iked_id *, u_int); 118 void *pfkey_find_ext(u_int8_t *, ssize_t, int); 119 120 void pfkey_timer_cb(int, short, void *); 121 void pfkey_process(struct iked *, struct pfkey_message *); 122 123 int 124 pfkey_couple(int sd, struct iked_sas *sas, int couple) 125 { 126 struct iked_sa *sa; 127 struct iked_flow *flow; 128 struct iked_childsa *csa; 129 u_int old; 130 const char *mode[] = { "coupled", "decoupled" }; 131 132 /* Socket is not ready */ 133 if (sd == -1) 134 return (-1); 135 136 old = sadb_decoupled ? 1 : 0; 137 sadb_decoupled = couple ? 0 : 1; 138 139 if (old == sadb_decoupled) 140 return (0); 141 142 log_debug("%s: kernel %s -> %s", __func__, 143 mode[old], mode[sadb_decoupled]); 144 145 RB_FOREACH(sa, iked_sas, sas) { 146 TAILQ_FOREACH(csa, &sa->sa_childsas, csa_entry) { 147 if (!csa->csa_loaded && !sadb_decoupled) 148 (void)pfkey_sa_add(sd, csa, NULL); 149 else if (csa->csa_loaded && sadb_decoupled) 150 (void)pfkey_sa_delete(sd, csa); 151 } 152 TAILQ_FOREACH(flow, &sa->sa_flows, flow_entry) { 153 if (!flow->flow_loaded && !sadb_decoupled) 154 (void)pfkey_flow_add(sd, flow); 155 else if (flow->flow_loaded && sadb_decoupled) 156 (void)pfkey_flow_delete(sd, flow); 157 } 158 } 159 160 return (0); 161 } 162 163 int 164 pfkey_map(const struct pfkey_constmap *map, u_int16_t alg, u_int8_t *pfkalg) 165 { 166 int i; 167 168 for (i = 0; map[i].pfkey_id != 0; i++) 169 if (map[i].pfkey_ikeid == alg) { 170 *pfkalg = map[i].pfkey_id; 171 return (0); 172 } 173 return (-1); 174 } 175 176 int 177 pfkey_flow(int sd, u_int8_t satype, u_int8_t action, struct iked_flow *flow) 178 { 179 struct sadb_msg smsg; 180 struct sadb_address sa_src, sa_dst, sa_local, sa_peer, sa_smask, 181 sa_dmask; 182 struct sadb_protocol sa_flowtype, sa_protocol; 183 struct sadb_ident *sa_srcid, *sa_dstid; 184 struct sockaddr_storage ssrc, sdst, slocal, speer, smask, dmask; 185 struct iovec iov[IOV_CNT]; 186 int iov_cnt, ret = -1; 187 in_port_t sport, dport; 188 189 sport = dport = 0; 190 sa_srcid = sa_dstid = NULL; 191 192 bzero(&ssrc, sizeof(ssrc)); 193 bzero(&smask, sizeof(smask)); 194 memcpy(&ssrc, &flow->flow_src.addr, sizeof(ssrc)); 195 memcpy(&smask, &flow->flow_src.addr, sizeof(smask)); 196 if ((sport = flow->flow_src.addr_port) != 0) 197 dport = 0xffff; 198 socket_af((struct sockaddr *)&ssrc, sport); 199 socket_af((struct sockaddr *)&smask, dport); 200 201 switch (flow->flow_src.addr_af) { 202 case AF_INET: 203 ((struct sockaddr_in *)&smask)->sin_addr.s_addr = 204 prefixlen2mask(flow->flow_src.addr_net ? 205 flow->flow_src.addr_mask : 32); 206 break; 207 case AF_INET6: 208 prefixlen2mask6(flow->flow_src.addr_net ? 209 flow->flow_src.addr_mask : 128, 210 (u_int32_t *)((struct sockaddr_in6 *) 211 &smask)->sin6_addr.s6_addr); 212 break; 213 default: 214 log_warnx("%s: unsupported address family %d", 215 __func__, flow->flow_src.addr_af); 216 return (-1); 217 } 218 smask.ss_len = ssrc.ss_len; 219 220 bzero(&sdst, sizeof(sdst)); 221 bzero(&dmask, sizeof(dmask)); 222 memcpy(&sdst, &flow->flow_dst.addr, sizeof(sdst)); 223 memcpy(&dmask, &flow->flow_dst.addr, sizeof(dmask)); 224 if ((sport = flow->flow_dst.addr_port) != 0) 225 dport = 0xffff; 226 socket_af((struct sockaddr *)&sdst, sport); 227 socket_af((struct sockaddr *)&dmask, dport); 228 229 switch (flow->flow_dst.addr_af) { 230 case AF_INET: 231 ((struct sockaddr_in *)&dmask)->sin_addr.s_addr = 232 prefixlen2mask(flow->flow_dst.addr_net ? 233 flow->flow_dst.addr_mask : 32); 234 break; 235 case AF_INET6: 236 prefixlen2mask6(flow->flow_dst.addr_net ? 237 flow->flow_dst.addr_mask : 128, 238 (u_int32_t *)((struct sockaddr_in6 *) 239 &dmask)->sin6_addr.s6_addr); 240 break; 241 default: 242 log_warnx("%s: unsupported address family %d", 243 __func__, flow->flow_dst.addr_af); 244 return (-1); 245 } 246 dmask.ss_len = sdst.ss_len; 247 248 bzero(&slocal, sizeof(slocal)); 249 bzero(&speer, sizeof(speer)); 250 if (action != SADB_X_DELFLOW) { 251 memcpy(&slocal, &flow->flow_local->addr, sizeof(slocal)); 252 socket_af((struct sockaddr *)&slocal, 0); 253 254 memcpy(&speer, &flow->flow_peer->addr, sizeof(speer)); 255 socket_af((struct sockaddr *)&speer, 0); 256 } 257 258 bzero(&smsg, sizeof(smsg)); 259 smsg.sadb_msg_version = PF_KEY_V2; 260 smsg.sadb_msg_seq = ++sadb_msg_seq; 261 smsg.sadb_msg_pid = getpid(); 262 smsg.sadb_msg_len = sizeof(smsg) / 8; 263 smsg.sadb_msg_type = action; 264 smsg.sadb_msg_satype = satype; 265 266 bzero(&sa_flowtype, sizeof(sa_flowtype)); 267 sa_flowtype.sadb_protocol_exttype = SADB_X_EXT_FLOW_TYPE; 268 sa_flowtype.sadb_protocol_len = sizeof(sa_flowtype) / 8; 269 sa_flowtype.sadb_protocol_direction = flow->flow_dir; 270 sa_flowtype.sadb_protocol_proto = 271 flow->flow_dir == IPSP_DIRECTION_IN ? 272 SADB_X_FLOW_TYPE_USE : SADB_X_FLOW_TYPE_REQUIRE; 273 274 bzero(&sa_protocol, sizeof(sa_protocol)); 275 sa_protocol.sadb_protocol_exttype = SADB_X_EXT_PROTOCOL; 276 sa_protocol.sadb_protocol_len = sizeof(sa_protocol) / 8; 277 sa_protocol.sadb_protocol_direction = 0; 278 sa_protocol.sadb_protocol_proto = flow->flow_ipproto; 279 280 bzero(&sa_src, sizeof(sa_src)); 281 sa_src.sadb_address_exttype = SADB_X_EXT_SRC_FLOW; 282 sa_src.sadb_address_len = (sizeof(sa_src) + ROUNDUP(ssrc.ss_len)) / 8; 283 284 bzero(&sa_smask, sizeof(sa_smask)); 285 sa_smask.sadb_address_exttype = SADB_X_EXT_SRC_MASK; 286 sa_smask.sadb_address_len = 287 (sizeof(sa_smask) + ROUNDUP(smask.ss_len)) / 8; 288 289 bzero(&sa_dst, sizeof(sa_dst)); 290 sa_dst.sadb_address_exttype = SADB_X_EXT_DST_FLOW; 291 sa_dst.sadb_address_len = (sizeof(sa_dst) + ROUNDUP(sdst.ss_len)) / 8; 292 293 bzero(&sa_dmask, sizeof(sa_dmask)); 294 sa_dmask.sadb_address_exttype = SADB_X_EXT_DST_MASK; 295 sa_dmask.sadb_address_len = 296 (sizeof(sa_dmask) + ROUNDUP(dmask.ss_len)) / 8; 297 298 if (action != SADB_X_DELFLOW) { 299 /* local address */ 300 bzero(&sa_local, sizeof(sa_local)); 301 sa_local.sadb_address_exttype = SADB_EXT_ADDRESS_SRC; 302 sa_local.sadb_address_len = 303 (sizeof(sa_local) + ROUNDUP(slocal.ss_len)) / 8; 304 305 /* peer address */ 306 bzero(&sa_peer, sizeof(sa_peer)); 307 sa_peer.sadb_address_exttype = SADB_EXT_ADDRESS_DST; 308 sa_peer.sadb_address_len = 309 (sizeof(sa_peer) + ROUNDUP(speer.ss_len)) / 8; 310 311 /* local id */ 312 sa_srcid = pfkey_id2ident(flow->flow_srcid, 313 SADB_EXT_IDENTITY_SRC); 314 315 /* peer id */ 316 sa_dstid = pfkey_id2ident(flow->flow_dstid, 317 SADB_EXT_IDENTITY_DST); 318 } 319 320 iov_cnt = 0; 321 322 /* header */ 323 iov[iov_cnt].iov_base = &smsg; 324 iov[iov_cnt].iov_len = sizeof(smsg); 325 iov_cnt++; 326 327 /* add flow type */ 328 iov[iov_cnt].iov_base = &sa_flowtype; 329 iov[iov_cnt].iov_len = sizeof(sa_flowtype); 330 smsg.sadb_msg_len += sa_flowtype.sadb_protocol_len; 331 iov_cnt++; 332 333 if (action != SADB_X_DELFLOW) { 334 #if 0 335 /* local ip */ 336 iov[iov_cnt].iov_base = &sa_local; 337 iov[iov_cnt].iov_len = sizeof(sa_local); 338 iov_cnt++; 339 iov[iov_cnt].iov_base = &slocal; 340 iov[iov_cnt].iov_len = ROUNDUP(slocal.ss_len); 341 smsg.sadb_msg_len += sa_local.sadb_address_len; 342 iov_cnt++; 343 #endif 344 345 /* remote peer */ 346 iov[iov_cnt].iov_base = &sa_peer; 347 iov[iov_cnt].iov_len = sizeof(sa_peer); 348 iov_cnt++; 349 iov[iov_cnt].iov_base = &speer; 350 iov[iov_cnt].iov_len = ROUNDUP(speer.ss_len); 351 smsg.sadb_msg_len += sa_peer.sadb_address_len; 352 iov_cnt++; 353 } 354 355 /* src addr */ 356 iov[iov_cnt].iov_base = &sa_src; 357 iov[iov_cnt].iov_len = sizeof(sa_src); 358 iov_cnt++; 359 iov[iov_cnt].iov_base = &ssrc; 360 iov[iov_cnt].iov_len = ROUNDUP(ssrc.ss_len); 361 smsg.sadb_msg_len += sa_src.sadb_address_len; 362 iov_cnt++; 363 364 /* src mask */ 365 iov[iov_cnt].iov_base = &sa_smask; 366 iov[iov_cnt].iov_len = sizeof(sa_smask); 367 iov_cnt++; 368 iov[iov_cnt].iov_base = &smask; 369 iov[iov_cnt].iov_len = ROUNDUP(smask.ss_len); 370 smsg.sadb_msg_len += sa_smask.sadb_address_len; 371 iov_cnt++; 372 373 /* dest addr */ 374 iov[iov_cnt].iov_base = &sa_dst; 375 iov[iov_cnt].iov_len = sizeof(sa_dst); 376 iov_cnt++; 377 iov[iov_cnt].iov_base = &sdst; 378 iov[iov_cnt].iov_len = ROUNDUP(sdst.ss_len); 379 smsg.sadb_msg_len += sa_dst.sadb_address_len; 380 iov_cnt++; 381 382 /* dst mask */ 383 iov[iov_cnt].iov_base = &sa_dmask; 384 iov[iov_cnt].iov_len = sizeof(sa_dmask); 385 iov_cnt++; 386 iov[iov_cnt].iov_base = &dmask; 387 iov[iov_cnt].iov_len = ROUNDUP(dmask.ss_len); 388 smsg.sadb_msg_len += sa_dmask.sadb_address_len; 389 iov_cnt++; 390 391 /* add protocol */ 392 iov[iov_cnt].iov_base = &sa_protocol; 393 iov[iov_cnt].iov_len = sizeof(sa_protocol); 394 smsg.sadb_msg_len += sa_protocol.sadb_protocol_len; 395 iov_cnt++; 396 397 if (sa_srcid) { 398 /* src identity */ 399 iov[iov_cnt].iov_base = sa_srcid; 400 iov[iov_cnt].iov_len = sa_srcid->sadb_ident_len * 8; 401 smsg.sadb_msg_len += sa_srcid->sadb_ident_len; 402 iov_cnt++; 403 } 404 if (sa_dstid) { 405 /* dst identity */ 406 iov[iov_cnt].iov_base = sa_dstid; 407 iov[iov_cnt].iov_len = sa_dstid->sadb_ident_len * 8; 408 smsg.sadb_msg_len += sa_dstid->sadb_ident_len; 409 iov_cnt++; 410 } 411 412 ret = pfkey_write(sd, &smsg, iov, iov_cnt, NULL, NULL); 413 414 if (sa_srcid) 415 free(sa_srcid); 416 if (sa_dstid) 417 free(sa_dstid); 418 419 return (ret); 420 } 421 422 int 423 pfkey_sa(int sd, u_int8_t satype, u_int8_t action, struct iked_childsa *sa) 424 { 425 struct sadb_msg smsg; 426 struct sadb_sa sadb; 427 struct sadb_address sa_src, sa_dst; 428 struct sadb_key sa_authkey, sa_enckey; 429 struct sadb_lifetime sa_ltime_hard, sa_ltime_soft; 430 struct sadb_x_udpencap udpencap; 431 struct sadb_x_tag sa_tag; 432 struct sadb_x_tap sa_tap; 433 struct sockaddr_storage ssrc, sdst; 434 struct sadb_ident *sa_srcid, *sa_dstid; 435 struct iked_lifetime *lt; 436 struct iked_policy *pol; 437 struct iovec iov[IOV_CNT]; 438 u_int32_t jitter; 439 int iov_cnt; 440 char *tag = NULL; 441 442 sa_srcid = sa_dstid = NULL; 443 444 if (sa->csa_ikesa == NULL || sa->csa_ikesa->sa_policy == NULL) { 445 log_warn("%s: invalid SA and policy", __func__); 446 return (-1); 447 } 448 pol = sa->csa_ikesa->sa_policy; 449 lt = &pol->pol_lifetime; 450 451 bzero(&ssrc, sizeof(ssrc)); 452 memcpy(&ssrc, &sa->csa_local->addr, sizeof(ssrc)); 453 if (socket_af((struct sockaddr *)&ssrc, 0) == -1) { 454 log_warn("%s: invalid address", __func__); 455 return (-1); 456 } 457 458 bzero(&sdst, sizeof(sdst)); 459 memcpy(&sdst, &sa->csa_peer->addr, sizeof(sdst)); 460 if (socket_af((struct sockaddr *)&sdst, 0) == -1) { 461 log_warn("%s: invalid address", __func__); 462 return (-1); 463 } 464 465 bzero(&smsg, sizeof(smsg)); 466 smsg.sadb_msg_version = PF_KEY_V2; 467 smsg.sadb_msg_seq = ++sadb_msg_seq; 468 smsg.sadb_msg_pid = getpid(); 469 smsg.sadb_msg_len = sizeof(smsg) / 8; 470 smsg.sadb_msg_type = action; 471 smsg.sadb_msg_satype = satype; 472 473 bzero(&sadb, sizeof(sadb)); 474 sadb.sadb_sa_len = sizeof(sadb) / 8; 475 sadb.sadb_sa_exttype = SADB_EXT_SA; 476 sadb.sadb_sa_spi = htonl(sa->csa_spi.spi); 477 sadb.sadb_sa_state = SADB_SASTATE_MATURE; 478 sadb.sadb_sa_replay = 64; 479 480 /* XXX we don't support transport mode, yet */ 481 sadb.sadb_sa_flags |= SADB_X_SAFLAGS_TUNNEL; 482 483 if (sa->csa_esn) 484 sadb.sadb_sa_flags |= SADB_X_SAFLAGS_ESN; 485 486 bzero(&sa_src, sizeof(sa_src)); 487 sa_src.sadb_address_len = (sizeof(sa_src) + ROUNDUP(ssrc.ss_len)) / 8; 488 sa_src.sadb_address_exttype = SADB_EXT_ADDRESS_SRC; 489 490 bzero(&sa_dst, sizeof(sa_dst)); 491 sa_dst.sadb_address_len = (sizeof(sa_dst) + ROUNDUP(sdst.ss_len)) / 8; 492 sa_dst.sadb_address_exttype = SADB_EXT_ADDRESS_DST; 493 494 bzero(&sa_authkey, sizeof(sa_authkey)); 495 bzero(&sa_enckey, sizeof(sa_enckey)); 496 bzero(&udpencap, sizeof udpencap); 497 bzero(&sa_ltime_hard, sizeof(sa_ltime_hard)); 498 bzero(&sa_ltime_soft, sizeof(sa_ltime_soft)); 499 500 if (action == SADB_DELETE) 501 goto send; 502 503 if ((action == SADB_ADD || action == SADB_UPDATE) && 504 !sa->csa_persistent && (lt->lt_bytes || lt->lt_seconds)) { 505 sa_ltime_hard.sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD; 506 sa_ltime_hard.sadb_lifetime_len = sizeof(sa_ltime_hard) / 8; 507 sa_ltime_hard.sadb_lifetime_bytes = lt->lt_bytes; 508 sa_ltime_hard.sadb_lifetime_addtime = lt->lt_seconds; 509 510 sa_ltime_soft.sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT; 511 sa_ltime_soft.sadb_lifetime_len = sizeof(sa_ltime_soft) / 8; 512 /* set randomly to 85-95% */ 513 jitter = 850 + arc4random_uniform(100); 514 sa_ltime_soft.sadb_lifetime_bytes = 515 (lt->lt_bytes * jitter) / 1000; 516 sa_ltime_soft.sadb_lifetime_addtime = 517 (lt->lt_seconds * jitter) / 1000; 518 } 519 520 /* XXX handle NULL encryption or NULL auth or combined encr/auth */ 521 if (action == SADB_ADD && 522 !ibuf_length(sa->csa_integrkey) && !ibuf_length(sa->csa_encrkey) && 523 satype != SADB_X_SATYPE_IPCOMP && satype != SADB_X_SATYPE_IPIP) { 524 log_warnx("%s: no key specified", __func__); 525 return (-1); 526 } 527 528 if (sa->csa_ikesa->sa_udpencap && sa->csa_ikesa->sa_natt) { 529 sadb.sadb_sa_flags |= SADB_X_SAFLAGS_UDPENCAP; 530 udpencap.sadb_x_udpencap_exttype = SADB_X_EXT_UDPENCAP; 531 udpencap.sadb_x_udpencap_len = sizeof(udpencap) / 8; 532 udpencap.sadb_x_udpencap_port = 533 sa->csa_ikesa->sa_peer.addr_port; 534 535 log_debug("%s: udpencap port %d", __func__, 536 ntohs(udpencap.sadb_x_udpencap_port)); 537 } 538 539 if (sa->csa_integrxf) 540 if (pfkey_map(pfkey_integr, 541 sa->csa_integrxf->xform_id, &sadb.sadb_sa_auth) == -1) { 542 log_warnx("%s: unsupported integrity algorithm %s", 543 __func__, print_map(sa->csa_integrxf->xform_id, 544 ikev2_xformauth_map)); 545 return (-1); 546 } 547 548 if (sa->csa_encrxf) 549 if (pfkey_map(pfkey_encr, 550 sa->csa_encrxf->xform_id, &sadb.sadb_sa_encrypt) == -1) { 551 log_warnx("%s: unsupported encryption algorithm %s", 552 __func__, print_map(sa->csa_encrxf->xform_id, 553 ikev2_xformencr_map)); 554 return (-1); 555 } 556 557 if (ibuf_length(sa->csa_integrkey)) { 558 sa_authkey.sadb_key_len = (sizeof(sa_authkey) + 559 ((ibuf_size(sa->csa_integrkey) + 7) / 8) * 8) / 8; 560 sa_authkey.sadb_key_exttype = SADB_EXT_KEY_AUTH; 561 sa_authkey.sadb_key_bits = 562 8 * ibuf_size(sa->csa_integrkey); 563 } 564 565 if (ibuf_length(sa->csa_encrkey)) { 566 sa_enckey.sadb_key_len = (sizeof(sa_enckey) + 567 ((ibuf_size(sa->csa_encrkey) + 7) / 8) * 8) / 8; 568 sa_enckey.sadb_key_exttype = SADB_EXT_KEY_ENCRYPT; 569 sa_enckey.sadb_key_bits = 570 8 * ibuf_size(sa->csa_encrkey); 571 } 572 573 /* local id */ 574 sa_srcid = pfkey_id2ident(sa->csa_srcid, SADB_EXT_IDENTITY_SRC); 575 576 /* peer id */ 577 sa_dstid = pfkey_id2ident(sa->csa_dstid, SADB_EXT_IDENTITY_DST); 578 579 tag = sa->csa_ikesa->sa_tag; 580 if (tag != NULL && *tag != '\0') { 581 bzero(&sa_tag, sizeof(sa_tag)); 582 sa_tag.sadb_x_tag_exttype = SADB_X_EXT_TAG; 583 sa_tag.sadb_x_tag_len = 584 (ROUNDUP(strlen(tag) + 1) + sizeof(sa_tag)) / 8; 585 sa_tag.sadb_x_tag_taglen = strlen(tag) + 1; 586 } else 587 tag = NULL; 588 589 if (pol->pol_tap != 0) { 590 bzero(&sa_tap, sizeof(sa_tap)); 591 sa_tap.sadb_x_tap_exttype = SADB_X_EXT_TAP; 592 sa_tap.sadb_x_tap_len = sizeof(sa_tap) / 8; 593 sa_tap.sadb_x_tap_unit = pol->pol_tap; 594 } 595 596 send: 597 iov_cnt = 0; 598 599 /* header */ 600 iov[iov_cnt].iov_base = &smsg; 601 iov[iov_cnt].iov_len = sizeof(smsg); 602 iov_cnt++; 603 604 /* sa */ 605 iov[iov_cnt].iov_base = &sadb; 606 iov[iov_cnt].iov_len = sizeof(sadb); 607 smsg.sadb_msg_len += sadb.sadb_sa_len; 608 iov_cnt++; 609 610 /* src addr */ 611 iov[iov_cnt].iov_base = &sa_src; 612 iov[iov_cnt].iov_len = sizeof(sa_src); 613 iov_cnt++; 614 iov[iov_cnt].iov_base = &ssrc; 615 iov[iov_cnt].iov_len = ROUNDUP(ssrc.ss_len); 616 smsg.sadb_msg_len += sa_src.sadb_address_len; 617 iov_cnt++; 618 619 /* dst addr */ 620 iov[iov_cnt].iov_base = &sa_dst; 621 iov[iov_cnt].iov_len = sizeof(sa_dst); 622 iov_cnt++; 623 iov[iov_cnt].iov_base = &sdst; 624 iov[iov_cnt].iov_len = ROUNDUP(sdst.ss_len); 625 smsg.sadb_msg_len += sa_dst.sadb_address_len; 626 iov_cnt++; 627 628 if (sa_ltime_soft.sadb_lifetime_len) { 629 /* soft lifetime */ 630 iov[iov_cnt].iov_base = &sa_ltime_soft; 631 iov[iov_cnt].iov_len = sizeof(sa_ltime_soft); 632 smsg.sadb_msg_len += sa_ltime_soft.sadb_lifetime_len; 633 iov_cnt++; 634 } 635 636 if (sa_ltime_hard.sadb_lifetime_len) { 637 /* hard lifetime */ 638 iov[iov_cnt].iov_base = &sa_ltime_hard; 639 iov[iov_cnt].iov_len = sizeof(sa_ltime_hard); 640 smsg.sadb_msg_len += sa_ltime_hard.sadb_lifetime_len; 641 iov_cnt++; 642 } 643 644 if (udpencap.sadb_x_udpencap_len) { 645 iov[iov_cnt].iov_base = &udpencap; 646 iov[iov_cnt].iov_len = sizeof(udpencap); 647 smsg.sadb_msg_len += udpencap.sadb_x_udpencap_len; 648 iov_cnt++; 649 } 650 651 if (sa_enckey.sadb_key_len) { 652 /* encryption key */ 653 iov[iov_cnt].iov_base = &sa_enckey; 654 iov[iov_cnt].iov_len = sizeof(sa_enckey); 655 iov_cnt++; 656 iov[iov_cnt].iov_base = ibuf_data(sa->csa_encrkey); 657 iov[iov_cnt].iov_len = 658 ((ibuf_size(sa->csa_encrkey) + 7) / 8) * 8; 659 smsg.sadb_msg_len += sa_enckey.sadb_key_len; 660 iov_cnt++; 661 } 662 if (sa_authkey.sadb_key_len) { 663 /* authentication key */ 664 iov[iov_cnt].iov_base = &sa_authkey; 665 iov[iov_cnt].iov_len = sizeof(sa_authkey); 666 iov_cnt++; 667 iov[iov_cnt].iov_base = ibuf_data(sa->csa_integrkey); 668 iov[iov_cnt].iov_len = 669 ((ibuf_size(sa->csa_integrkey) + 7) / 8) * 8; 670 smsg.sadb_msg_len += sa_authkey.sadb_key_len; 671 iov_cnt++; 672 } 673 674 if (sa_srcid) { 675 /* src identity */ 676 iov[iov_cnt].iov_base = sa_srcid; 677 iov[iov_cnt].iov_len = sa_srcid->sadb_ident_len * 8; 678 smsg.sadb_msg_len += sa_srcid->sadb_ident_len; 679 iov_cnt++; 680 } 681 if (sa_dstid) { 682 /* dst identity */ 683 iov[iov_cnt].iov_base = sa_dstid; 684 iov[iov_cnt].iov_len = sa_dstid->sadb_ident_len * 8; 685 smsg.sadb_msg_len += sa_dstid->sadb_ident_len; 686 iov_cnt++; 687 } 688 689 if (tag != NULL) { 690 /* tag identity */ 691 iov[iov_cnt].iov_base = &sa_tag; 692 iov[iov_cnt].iov_len = sizeof(sa_tag); 693 iov_cnt++; 694 iov[iov_cnt].iov_base = tag; 695 iov[iov_cnt].iov_len = ROUNDUP(strlen(tag) + 1); 696 smsg.sadb_msg_len += sa_tag.sadb_x_tag_len; 697 iov_cnt++; 698 } 699 700 if (pol->pol_tap != 0) { 701 /* enc(4) device tap unit */ 702 iov[iov_cnt].iov_base = &sa_tap; 703 iov[iov_cnt].iov_len = sizeof(sa_tap); 704 smsg.sadb_msg_len += sa_tap.sadb_x_tap_len; 705 iov_cnt++; 706 } 707 708 return (pfkey_write(sd, &smsg, iov, iov_cnt, NULL, NULL)); 709 } 710 711 int 712 pfkey_sa_getspi(int sd, u_int8_t satype, struct iked_childsa *sa, 713 u_int32_t *spip) 714 { 715 struct sadb_msg *msg, smsg; 716 struct sadb_address sa_src, sa_dst; 717 struct sadb_sa *sa_ext; 718 struct sadb_spirange sa_spirange; 719 struct sockaddr_storage ssrc, sdst; 720 struct iovec iov[IOV_CNT]; 721 u_int8_t *data; 722 ssize_t n; 723 int iov_cnt, ret = -1; 724 725 bzero(&ssrc, sizeof(ssrc)); 726 memcpy(&ssrc, &sa->csa_local->addr, sizeof(ssrc)); 727 if (socket_af((struct sockaddr *)&ssrc, 0) == -1) { 728 log_warn("%s: invalid address", __func__); 729 return (-1); 730 } 731 732 bzero(&sdst, sizeof(sdst)); 733 memcpy(&sdst, &sa->csa_peer->addr, sizeof(sdst)); 734 if (socket_af((struct sockaddr *)&sdst, 0) == -1) { 735 log_warn("%s: invalid address", __func__); 736 return (-1); 737 } 738 739 bzero(&smsg, sizeof(smsg)); 740 smsg.sadb_msg_version = PF_KEY_V2; 741 smsg.sadb_msg_seq = ++sadb_msg_seq; 742 smsg.sadb_msg_pid = getpid(); 743 smsg.sadb_msg_len = sizeof(smsg) / 8; 744 smsg.sadb_msg_type = SADB_GETSPI; 745 smsg.sadb_msg_satype = satype; 746 747 bzero(&sa_spirange, sizeof(sa_spirange)); 748 sa_spirange.sadb_spirange_exttype = SADB_EXT_SPIRANGE; 749 sa_spirange.sadb_spirange_len = sizeof(sa_spirange) / 8; 750 sa_spirange.sadb_spirange_min = 0x100; 751 sa_spirange.sadb_spirange_max = 0xffffffff; 752 sa_spirange.sadb_spirange_reserved = 0; 753 754 bzero(&sa_src, sizeof(sa_src)); 755 sa_src.sadb_address_len = (sizeof(sa_src) + ROUNDUP(ssrc.ss_len)) / 8; 756 sa_src.sadb_address_exttype = SADB_EXT_ADDRESS_SRC; 757 758 bzero(&sa_dst, sizeof(sa_dst)); 759 sa_dst.sadb_address_len = (sizeof(sa_dst) + ROUNDUP(sdst.ss_len)) / 8; 760 sa_dst.sadb_address_exttype = SADB_EXT_ADDRESS_DST; 761 762 iov_cnt = 0; 763 764 /* header */ 765 iov[iov_cnt].iov_base = &smsg; 766 iov[iov_cnt].iov_len = sizeof(smsg); 767 iov_cnt++; 768 769 /* SPI range */ 770 iov[iov_cnt].iov_base = &sa_spirange; 771 iov[iov_cnt].iov_len = sizeof(sa_spirange); 772 smsg.sadb_msg_len += sa_spirange.sadb_spirange_len; 773 iov_cnt++; 774 775 /* src addr */ 776 iov[iov_cnt].iov_base = &sa_src; 777 iov[iov_cnt].iov_len = sizeof(sa_src); 778 iov_cnt++; 779 iov[iov_cnt].iov_base = &ssrc; 780 iov[iov_cnt].iov_len = ROUNDUP(ssrc.ss_len); 781 smsg.sadb_msg_len += sa_src.sadb_address_len; 782 iov_cnt++; 783 784 /* dst addr */ 785 iov[iov_cnt].iov_base = &sa_dst; 786 iov[iov_cnt].iov_len = sizeof(sa_dst); 787 iov_cnt++; 788 iov[iov_cnt].iov_base = &sdst; 789 iov[iov_cnt].iov_len = ROUNDUP(sdst.ss_len); 790 smsg.sadb_msg_len += sa_dst.sadb_address_len; 791 iov_cnt++; 792 793 *spip = 0; 794 795 if ((ret = pfkey_write(sd, &smsg, iov, iov_cnt, &data, &n)) != 0) 796 return (-1); 797 798 msg = (struct sadb_msg *)data; 799 if (msg->sadb_msg_errno != 0) { 800 errno = msg->sadb_msg_errno; 801 log_warn("%s: message", __func__); 802 goto done; 803 } 804 if ((sa_ext = pfkey_find_ext(data, n, SADB_EXT_SA)) == NULL) { 805 log_debug("%s: erronous reply", __func__); 806 goto done; 807 } 808 809 *spip = ntohl(sa_ext->sadb_sa_spi); 810 log_debug("%s: spi 0x%08x", __func__, *spip); 811 812 done: 813 bzero(data, n); 814 free(data); 815 return (ret); 816 } 817 818 int 819 pfkey_sagroup(int sd, u_int8_t satype1, u_int8_t action, 820 struct iked_childsa *sa1, struct iked_childsa *sa2) 821 { 822 struct sadb_msg smsg; 823 struct sadb_sa sadb1, sadb2; 824 struct sadb_address sa_dst1, sa_dst2; 825 struct sockaddr_storage sdst1, sdst2; 826 struct sadb_protocol sa_proto; 827 struct iovec iov[IOV_CNT]; 828 int iov_cnt; 829 u_int8_t satype2; 830 831 if (pfkey_map(pfkey_satype, sa2->csa_saproto, &satype2) == -1) 832 return (-1); 833 834 bzero(&sdst1, sizeof(sdst1)); 835 memcpy(&sdst1, &sa1->csa_peer->addr, sizeof(sdst1)); 836 if (socket_af((struct sockaddr *)&sdst1, 0) == -1) { 837 log_warnx("%s: unsupported address family %d", 838 __func__, sdst1.ss_family); 839 return (-1); 840 } 841 842 bzero(&sdst2, sizeof(sdst2)); 843 memcpy(&sdst2, &sa2->csa_peer->addr, sizeof(sdst2)); 844 if (socket_af((struct sockaddr *)&sdst2, 0) == -1) { 845 log_warnx("%s: unsupported address family %d", 846 __func__, sdst2.ss_family); 847 return (-1); 848 } 849 850 bzero(&smsg, sizeof(smsg)); 851 smsg.sadb_msg_version = PF_KEY_V2; 852 smsg.sadb_msg_seq = ++sadb_msg_seq; 853 smsg.sadb_msg_pid = getpid(); 854 smsg.sadb_msg_len = sizeof(smsg) / 8; 855 smsg.sadb_msg_type = action; 856 smsg.sadb_msg_satype = satype1; 857 858 bzero(&sadb1, sizeof(sadb1)); 859 sadb1.sadb_sa_len = sizeof(sadb1) / 8; 860 sadb1.sadb_sa_exttype = SADB_EXT_SA; 861 sadb1.sadb_sa_spi = htonl(sa1->csa_spi.spi); 862 sadb1.sadb_sa_state = SADB_SASTATE_MATURE; 863 864 bzero(&sadb2, sizeof(sadb2)); 865 sadb2.sadb_sa_len = sizeof(sadb2) / 8; 866 sadb2.sadb_sa_exttype = SADB_X_EXT_SA2; 867 sadb2.sadb_sa_spi = htonl(sa2->csa_spi.spi); 868 sadb2.sadb_sa_state = SADB_SASTATE_MATURE; 869 iov_cnt = 0; 870 871 bzero(&sa_dst1, sizeof(sa_dst1)); 872 sa_dst1.sadb_address_exttype = SADB_EXT_ADDRESS_DST; 873 sa_dst1.sadb_address_len = 874 (sizeof(sa_dst1) + ROUNDUP(sdst1.ss_len)) / 8; 875 876 bzero(&sa_dst2, sizeof(sa_dst2)); 877 sa_dst2.sadb_address_exttype = SADB_X_EXT_DST2; 878 sa_dst2.sadb_address_len = 879 (sizeof(sa_dst2) + ROUNDUP(sdst2.ss_len)) / 8; 880 881 bzero(&sa_proto, sizeof(sa_proto)); 882 sa_proto.sadb_protocol_exttype = SADB_X_EXT_PROTOCOL; 883 sa_proto.sadb_protocol_len = sizeof(sa_proto) / 8; 884 sa_proto.sadb_protocol_direction = 0; 885 sa_proto.sadb_protocol_proto = satype2; 886 887 /* header */ 888 iov[iov_cnt].iov_base = &smsg; 889 iov[iov_cnt].iov_len = sizeof(smsg); 890 iov_cnt++; 891 892 /* sa */ 893 iov[iov_cnt].iov_base = &sadb1; 894 iov[iov_cnt].iov_len = sizeof(sadb1); 895 smsg.sadb_msg_len += sadb1.sadb_sa_len; 896 iov_cnt++; 897 898 /* dst addr */ 899 iov[iov_cnt].iov_base = &sa_dst1; 900 iov[iov_cnt].iov_len = sizeof(sa_dst1); 901 iov_cnt++; 902 iov[iov_cnt].iov_base = &sdst1; 903 iov[iov_cnt].iov_len = ROUNDUP(sdst1.ss_len); 904 smsg.sadb_msg_len += sa_dst1.sadb_address_len; 905 iov_cnt++; 906 907 /* second sa */ 908 iov[iov_cnt].iov_base = &sadb2; 909 iov[iov_cnt].iov_len = sizeof(sadb2); 910 smsg.sadb_msg_len += sadb2.sadb_sa_len; 911 iov_cnt++; 912 913 /* second dst addr */ 914 iov[iov_cnt].iov_base = &sa_dst2; 915 iov[iov_cnt].iov_len = sizeof(sa_dst2); 916 iov_cnt++; 917 iov[iov_cnt].iov_base = &sdst2; 918 iov[iov_cnt].iov_len = ROUNDUP(sdst2.ss_len); 919 smsg.sadb_msg_len += sa_dst2.sadb_address_len; 920 iov_cnt++; 921 922 /* SA type */ 923 iov[iov_cnt].iov_base = &sa_proto; 924 iov[iov_cnt].iov_len = sizeof(sa_proto); 925 smsg.sadb_msg_len += sa_proto.sadb_protocol_len; 926 iov_cnt++; 927 928 return (pfkey_write(sd, &smsg, iov, iov_cnt, NULL, NULL)); 929 } 930 931 int 932 pfkey_write(int sd, struct sadb_msg *smsg, struct iovec *iov, int iov_cnt, 933 u_int8_t **datap, ssize_t *lenp) 934 { 935 ssize_t n, len = smsg->sadb_msg_len * 8; 936 937 if (sadb_decoupled) { 938 switch (smsg->sadb_msg_type) { 939 case SADB_GETSPI: 940 /* we need to get a new SPI from the kernel */ 941 break; 942 default: 943 if (datap || lenp) { 944 log_warnx("%s: pfkey not coupled", __func__); 945 return (-1); 946 } 947 /* ignore request */ 948 return (0); 949 } 950 } 951 952 if ((n = writev(sd, iov, iov_cnt)) == -1) { 953 log_warn("%s: writev failed", __func__); 954 return (-1); 955 } else if (n != len) { 956 log_warn("%s: short write", __func__); 957 return (-1); 958 } 959 960 return (pfkey_reply(sd, datap, lenp)); 961 } 962 963 int 964 pfkey_reply(int sd, u_int8_t **datap, ssize_t *lenp) 965 { 966 struct pfkey_message *pm; 967 struct sadb_msg hdr; 968 ssize_t len; 969 u_int8_t *data; 970 971 for (;;) { 972 if (recv(sd, &hdr, sizeof(hdr), MSG_PEEK) != sizeof(hdr)) { 973 log_warn("%s: short recv", __func__); 974 return (-1); 975 } 976 977 if (hdr.sadb_msg_version != PF_KEY_V2) { 978 log_warnx("%s: wrong pfkey version", __func__); 979 return (-1); 980 } 981 982 len = hdr.sadb_msg_len * PFKEYV2_CHUNK; 983 if ((data = malloc(len)) == NULL) { 984 log_warn("%s: malloc", __func__); 985 return (-1); 986 } 987 if (read(sd, data, len) != len) { 988 log_warnx("%s: short read", __func__); 989 free(data); 990 return (-1); 991 } 992 993 /* XXX: Only one message can be outstanding. */ 994 if (hdr.sadb_msg_seq == sadb_msg_seq && 995 hdr.sadb_msg_pid == (u_int32_t)getpid()) 996 break; 997 998 /* not the reply, enqueue */ 999 if ((pm = malloc(sizeof(*pm))) == NULL) { 1000 log_warn("%s", __func__); 1001 free(data); 1002 return (-1); 1003 } 1004 pm->pm_data = data; 1005 pm->pm_lenght = len; 1006 SIMPLEQ_INSERT_TAIL(&pfkey_postponed, pm, pm_entry); 1007 evtimer_add(&pfkey_timer_ev, &pfkey_timer_tv); 1008 } 1009 1010 if (datap) { 1011 *datap = data; 1012 if (lenp) 1013 *lenp = len; 1014 } else 1015 free(data); 1016 1017 if (datap == NULL && hdr.sadb_msg_errno != 0) { 1018 errno = hdr.sadb_msg_errno; 1019 if (errno != EEXIST) { 1020 log_warn("%s: message", __func__); 1021 return (-1); 1022 } 1023 } 1024 return (0); 1025 } 1026 1027 int 1028 pfkey_flow_add(int fd, struct iked_flow *flow) 1029 { 1030 u_int8_t satype; 1031 1032 if (flow->flow_loaded) 1033 return (0); 1034 1035 if (pfkey_map(pfkey_satype, flow->flow_saproto, &satype) == -1) 1036 return (-1); 1037 1038 if (pfkey_flow(fd, satype, SADB_X_ADDFLOW, flow) == -1) 1039 return (-1); 1040 1041 flow->flow_loaded = 1; 1042 return (0); 1043 } 1044 1045 int 1046 pfkey_flow_delete(int fd, struct iked_flow *flow) 1047 { 1048 u_int8_t satype; 1049 1050 if (!flow->flow_loaded) 1051 return (0); 1052 1053 if (pfkey_map(pfkey_satype, flow->flow_saproto, &satype) == -1) 1054 return (-1); 1055 1056 if (pfkey_flow(fd, satype, SADB_X_DELFLOW, flow) == -1) 1057 return (-1); 1058 1059 flow->flow_loaded = 0; 1060 return (0); 1061 } 1062 1063 int 1064 pfkey_sa_init(int fd, struct iked_childsa *sa, u_int32_t *spi) 1065 { 1066 u_int8_t satype; 1067 1068 if (pfkey_map(pfkey_satype, sa->csa_saproto, &satype) == -1) 1069 return (-1); 1070 1071 if (pfkey_sa_getspi(fd, satype, sa, spi) == -1) 1072 return (-1); 1073 1074 log_debug("%s: new spi 0x%08x", __func__, *spi); 1075 1076 return (0); 1077 } 1078 1079 int 1080 pfkey_sa_add(int fd, struct iked_childsa *sa, struct iked_childsa *last) 1081 { 1082 u_int8_t satype; 1083 u_int cmd; 1084 1085 if (pfkey_map(pfkey_satype, sa->csa_saproto, &satype) == -1) 1086 return (-1); 1087 1088 if (sa->csa_allocated || sa->csa_loaded) 1089 cmd = SADB_UPDATE; 1090 else 1091 cmd = SADB_ADD; 1092 1093 log_debug("%s: %s spi %s", __func__, cmd == SADB_ADD ? "add": "update", 1094 print_spi(sa->csa_spi.spi, 4)); 1095 1096 if (pfkey_sa(fd, satype, cmd, sa) == -1) { 1097 if (cmd == SADB_ADD) 1098 (void)pfkey_sa_delete(fd, sa); 1099 return (-1); 1100 } 1101 1102 if (last && cmd == SADB_ADD) { 1103 if (pfkey_sagroup(fd, satype, 1104 SADB_X_GRPSPIS, sa, last) == -1) { 1105 (void)pfkey_sa_delete(fd, sa); 1106 return (-1); 1107 } 1108 } 1109 1110 sa->csa_loaded = 1; 1111 return (0); 1112 } 1113 1114 int 1115 pfkey_sa_delete(int fd, struct iked_childsa *sa) 1116 { 1117 u_int8_t satype; 1118 1119 if (!sa->csa_loaded || sa->csa_spi.spi == 0) 1120 return (0); 1121 1122 if (pfkey_map(pfkey_satype, sa->csa_saproto, &satype) == -1) 1123 return (-1); 1124 1125 if (pfkey_sa(fd, satype, SADB_DELETE, sa) == -1) 1126 return (-1); 1127 1128 sa->csa_loaded = 0; 1129 return (0); 1130 } 1131 1132 int 1133 pfkey_flush(int sd) 1134 { 1135 struct sadb_msg smsg; 1136 struct iovec iov[IOV_CNT]; 1137 int iov_cnt; 1138 1139 bzero(&smsg, sizeof(smsg)); 1140 smsg.sadb_msg_version = PF_KEY_V2; 1141 smsg.sadb_msg_seq = ++sadb_msg_seq; 1142 smsg.sadb_msg_pid = getpid(); 1143 smsg.sadb_msg_len = sizeof(smsg) / 8; 1144 smsg.sadb_msg_type = SADB_FLUSH; 1145 smsg.sadb_msg_satype = SADB_SATYPE_UNSPEC; 1146 1147 iov_cnt = 0; 1148 1149 iov[iov_cnt].iov_base = &smsg; 1150 iov[iov_cnt].iov_len = sizeof(smsg); 1151 iov_cnt++; 1152 1153 return (pfkey_write(sd, &smsg, iov, iov_cnt, NULL, NULL)); 1154 } 1155 1156 struct sadb_ident * 1157 pfkey_id2ident(struct iked_id *id, u_int exttype) 1158 { 1159 char idstr[IKED_ID_SIZE]; 1160 u_int type; 1161 size_t len; 1162 struct sadb_ident *sa_id; 1163 1164 switch (id->id_type) { 1165 case IKEV2_ID_FQDN: 1166 type = SADB_IDENTTYPE_FQDN; 1167 break; 1168 case IKEV2_ID_UFQDN: 1169 type = SADB_IDENTTYPE_USERFQDN; 1170 break; 1171 case IKEV2_ID_IPV4: 1172 case IKEV2_ID_IPV6: 1173 type = SADB_IDENTTYPE_PREFIX; 1174 break; 1175 case IKEV2_ID_ASN1_DN: 1176 case IKEV2_ID_ASN1_GN: 1177 case IKEV2_ID_KEY_ID: 1178 case IKEV2_ID_NONE: 1179 default: 1180 /* XXX not implemented/supported by PFKEY */ 1181 return (NULL); 1182 } 1183 1184 bzero(&idstr, sizeof(idstr)); 1185 1186 if (ikev2_print_id(id, idstr, sizeof(idstr)) == -1) 1187 return (NULL); 1188 1189 len = ROUNDUP(strlen(idstr) + 1) + sizeof(*sa_id); 1190 if ((sa_id = calloc(1, len)) == NULL) 1191 return (NULL); 1192 1193 strlcpy((char *)(sa_id + 1), idstr, ROUNDUP(strlen(idstr) + 1)); 1194 sa_id->sadb_ident_type = type; 1195 sa_id->sadb_ident_len = len / 8; 1196 sa_id->sadb_ident_exttype = exttype; 1197 1198 return (sa_id); 1199 } 1200 1201 int 1202 pfkey_socket(void) 1203 { 1204 int fd; 1205 1206 if (privsep_process != PROC_PARENT) 1207 fatal("pfkey_socket: called from unprivileged process"); 1208 1209 if ((fd = socket(PF_KEY, SOCK_RAW, PF_KEY_V2)) == -1) 1210 fatal("pfkey_socket: failed to open PF_KEY socket"); 1211 1212 pfkey_flush(fd); 1213 1214 return (fd); 1215 } 1216 1217 void 1218 pfkey_init(struct iked *env, int fd) 1219 { 1220 struct sadb_msg smsg; 1221 struct iovec iov; 1222 1223 /* Register the pfkey socket event handler */ 1224 env->sc_pfkey = fd; 1225 event_set(&env->sc_pfkeyev, env->sc_pfkey, 1226 EV_READ|EV_PERSIST, pfkey_dispatch, env); 1227 event_add(&env->sc_pfkeyev, NULL); 1228 1229 /* Register it to get ESP and AH acquires from the kernel */ 1230 bzero(&smsg, sizeof(smsg)); 1231 smsg.sadb_msg_version = PF_KEY_V2; 1232 smsg.sadb_msg_seq = ++sadb_msg_seq; 1233 smsg.sadb_msg_pid = getpid(); 1234 smsg.sadb_msg_len = sizeof(smsg) / 8; 1235 smsg.sadb_msg_type = SADB_REGISTER; 1236 smsg.sadb_msg_satype = SADB_SATYPE_ESP; 1237 1238 iov.iov_base = &smsg; 1239 iov.iov_len = sizeof(smsg); 1240 1241 if (pfkey_write(fd, &smsg, &iov, 1, NULL, NULL)) 1242 fatal("pfkey_init: failed to set up ESP acquires"); 1243 1244 bzero(&smsg, sizeof(smsg)); 1245 smsg.sadb_msg_version = PF_KEY_V2; 1246 smsg.sadb_msg_seq = ++sadb_msg_seq; 1247 smsg.sadb_msg_pid = getpid(); 1248 smsg.sadb_msg_len = sizeof(smsg) / 8; 1249 smsg.sadb_msg_type = SADB_REGISTER; 1250 smsg.sadb_msg_satype = SADB_SATYPE_AH; 1251 1252 iov.iov_base = &smsg; 1253 iov.iov_len = sizeof(smsg); 1254 1255 if (pfkey_write(fd, &smsg, &iov, 1, NULL, NULL)) 1256 fatal("pfkey_init: failed to set up AH acquires"); 1257 1258 /* Set up a timer to process messages deferred by the pfkey_reply */ 1259 pfkey_timer_tv.tv_sec = 1; 1260 pfkey_timer_tv.tv_usec = 0; 1261 evtimer_set(&pfkey_timer_ev, pfkey_timer_cb, env); 1262 } 1263 1264 void * 1265 pfkey_find_ext(u_int8_t *data, ssize_t len, int type) 1266 { 1267 struct sadb_ext *ext = (struct sadb_ext *)(data + 1268 sizeof(struct sadb_msg)); 1269 1270 while (ext && ((u_int8_t *)ext - data < len)) { 1271 if (ext->sadb_ext_type == type) 1272 return (ext); 1273 ext = (struct sadb_ext *)((u_int8_t *)ext + 1274 ext->sadb_ext_len * PFKEYV2_CHUNK); 1275 } 1276 1277 return (NULL); 1278 } 1279 1280 void 1281 pfkey_dispatch(int sd, short event, void *arg) 1282 { 1283 struct iked *env = (struct iked *)arg; 1284 struct pfkey_message pm; 1285 struct sadb_msg hdr; 1286 ssize_t len; 1287 u_int8_t *data; 1288 1289 if (recv(sd, &hdr, sizeof(hdr), MSG_PEEK) != sizeof(hdr)) { 1290 log_warn("%s: short recv", __func__); 1291 return; 1292 } 1293 1294 if (hdr.sadb_msg_version != PF_KEY_V2) { 1295 log_warnx("%s: wrong pfkey version", __func__); 1296 return; 1297 } 1298 1299 len = hdr.sadb_msg_len * PFKEYV2_CHUNK; 1300 if ((data = malloc(len)) == NULL) { 1301 log_warn("%s: malloc", __func__); 1302 return; 1303 } 1304 if (read(sd, data, len) != len) { 1305 log_warn("%s: short read", __func__); 1306 free(data); 1307 return; 1308 } 1309 1310 pm.pm_data = data; 1311 pm.pm_lenght = len; 1312 pfkey_process(env, &pm); 1313 1314 free(data); 1315 } 1316 1317 void 1318 pfkey_timer_cb(int unused, short event, void *arg) 1319 { 1320 struct iked *env = arg; 1321 struct pfkey_message *pm; 1322 1323 while (!SIMPLEQ_EMPTY(&pfkey_postponed)) { 1324 pm = SIMPLEQ_FIRST(&pfkey_postponed); 1325 SIMPLEQ_REMOVE_HEAD(&pfkey_postponed, pm_entry); 1326 pfkey_process(env, pm); 1327 free(pm->pm_data); 1328 free(pm); 1329 } 1330 } 1331 1332 void 1333 pfkey_process(struct iked *env, struct pfkey_message *pm) 1334 { 1335 struct iked_addr peer; 1336 struct iked_flow flow; 1337 struct iked_spi spi; 1338 struct sadb_address *sa_addr; 1339 struct sadb_msg *hdr, smsg; 1340 struct sadb_sa *sa; 1341 struct sadb_lifetime *sa_ltime; 1342 struct sadb_protocol *sa_proto; 1343 struct sadb_x_policy sa_pol; 1344 struct sockaddr_storage *ssrc, *sdst, *smask, *dmask, *speer; 1345 struct iovec iov[IOV_CNT]; 1346 int iov_cnt, sd = env->sc_pfkey; 1347 u_int8_t *reply, *data = pm->pm_data; 1348 ssize_t rlen, len = pm->pm_lenght; 1349 const char *errmsg = NULL; 1350 1351 if (!env || !data || !len) 1352 return; 1353 1354 hdr = (struct sadb_msg *)data; 1355 1356 switch (hdr->sadb_msg_type) { 1357 case SADB_ACQUIRE: 1358 bzero(&flow, sizeof(flow)); 1359 bzero(&peer, sizeof(peer)); 1360 1361 if ((sa_addr = pfkey_find_ext(data, len, 1362 SADB_EXT_ADDRESS_DST)) == NULL) { 1363 log_debug("%s: no peer address", __func__); 1364 return; 1365 } 1366 speer = (struct sockaddr_storage *)(sa_addr + 1); 1367 peer.addr_af = speer->ss_family; 1368 peer.addr_port = htons(socket_getport(speer)); 1369 memcpy(&peer.addr, speer, sizeof(*speer)); 1370 if (socket_af((struct sockaddr *)&peer.addr, 1371 peer.addr_port) == -1) { 1372 log_debug("%s: invalid address", __func__); 1373 return; 1374 } 1375 flow.flow_peer = &peer; 1376 1377 log_debug("%s: acquire request (peer %s)", __func__, 1378 print_host(speer, NULL, 0)); 1379 1380 /* get the matching flow */ 1381 bzero(&smsg, sizeof(smsg)); 1382 smsg.sadb_msg_version = PF_KEY_V2; 1383 smsg.sadb_msg_seq = ++sadb_msg_seq; 1384 smsg.sadb_msg_pid = getpid(); 1385 smsg.sadb_msg_len = sizeof(smsg) / 8; 1386 smsg.sadb_msg_type = SADB_X_ASKPOLICY; 1387 1388 iov_cnt = 0; 1389 1390 iov[iov_cnt].iov_base = &smsg; 1391 iov[iov_cnt].iov_len = sizeof(smsg); 1392 iov_cnt++; 1393 1394 bzero(&sa_pol, sizeof(sa_pol)); 1395 sa_pol.sadb_x_policy_exttype = SADB_X_EXT_POLICY; 1396 sa_pol.sadb_x_policy_len = sizeof(sa_pol) / 8; 1397 sa_pol.sadb_x_policy_seq = hdr->sadb_msg_seq; 1398 1399 iov[iov_cnt].iov_base = &sa_pol; 1400 iov[iov_cnt].iov_len = sizeof(sa_pol); 1401 smsg.sadb_msg_len += sizeof(sa_pol) / 8; 1402 iov_cnt++; 1403 1404 if (pfkey_write(sd, &smsg, iov, iov_cnt, &reply, &rlen)) { 1405 log_warnx("%s: failed to get a policy", __func__); 1406 return; 1407 } 1408 1409 if ((sa_addr = pfkey_find_ext(reply, rlen, 1410 SADB_X_EXT_SRC_FLOW)) == NULL) { 1411 errmsg = "flow source address"; 1412 goto out; 1413 } 1414 ssrc = (struct sockaddr_storage *)(sa_addr + 1); 1415 flow.flow_src.addr_af = ssrc->ss_family; 1416 flow.flow_src.addr_port = htons(socket_getport(ssrc)); 1417 memcpy(&flow.flow_src.addr, ssrc, sizeof(*ssrc)); 1418 if (socket_af((struct sockaddr *)&flow.flow_src.addr, 1419 flow.flow_src.addr_port) == -1) { 1420 log_debug("%s: invalid address", __func__); 1421 return; 1422 } 1423 1424 if ((sa_addr = pfkey_find_ext(reply, rlen, 1425 SADB_X_EXT_DST_FLOW)) == NULL) { 1426 errmsg = "flow destination address"; 1427 goto out; 1428 } 1429 sdst = (struct sockaddr_storage *)(sa_addr + 1); 1430 flow.flow_dst.addr_af = sdst->ss_family; 1431 flow.flow_dst.addr_port = htons(socket_getport(sdst)); 1432 memcpy(&flow.flow_dst.addr, sdst, sizeof(*sdst)); 1433 if (socket_af((struct sockaddr *)&flow.flow_dst.addr, 1434 flow.flow_dst.addr_port) == -1) { 1435 log_debug("%s: invalid address", __func__); 1436 return; 1437 } 1438 1439 if ((sa_addr = pfkey_find_ext(reply, rlen, 1440 SADB_X_EXT_SRC_MASK)) == NULL) { 1441 errmsg = "flow source mask"; 1442 goto out; 1443 } 1444 smask = (struct sockaddr_storage *)(sa_addr + 1); 1445 switch (smask->ss_family) { 1446 case AF_INET: 1447 flow.flow_src.addr_mask = 1448 mask2prefixlen((struct sockaddr *)smask); 1449 if (flow.flow_src.addr_mask != 32) 1450 flow.flow_src.addr_net = 1; 1451 break; 1452 case AF_INET6: 1453 flow.flow_src.addr_mask = 1454 mask2prefixlen6((struct sockaddr *)smask); 1455 if (flow.flow_src.addr_mask != 128) 1456 flow.flow_src.addr_net = 1; 1457 break; 1458 default: 1459 log_debug("%s: bad address family", __func__); 1460 free(reply); 1461 return; 1462 } 1463 1464 if ((sa_addr = pfkey_find_ext(reply, rlen, 1465 SADB_X_EXT_DST_MASK)) == NULL) { 1466 errmsg = "flow destination mask"; 1467 goto out; 1468 } 1469 dmask = (struct sockaddr_storage *)(sa_addr + 1); 1470 switch (dmask->ss_family) { 1471 case AF_INET: 1472 flow.flow_dst.addr_mask = 1473 mask2prefixlen((struct sockaddr *)dmask); 1474 if (flow.flow_src.addr_mask != 32) 1475 flow.flow_src.addr_net = 1; 1476 break; 1477 case AF_INET6: 1478 flow.flow_dst.addr_mask = 1479 mask2prefixlen6((struct sockaddr *)dmask); 1480 if (flow.flow_src.addr_mask != 128) 1481 flow.flow_src.addr_net = 1; 1482 break; 1483 default: 1484 log_debug("%s: bad address family", __func__); 1485 free(reply); 1486 return; 1487 } 1488 1489 if ((sa_proto = pfkey_find_ext(reply, rlen, 1490 SADB_X_EXT_FLOW_TYPE)) == NULL) { 1491 errmsg = "flow protocol"; 1492 goto out; 1493 } 1494 flow.flow_dir = sa_proto->sadb_protocol_direction; 1495 1496 log_debug("%s: flow %s from %s/%s to %s/%s via %s", __func__, 1497 flow.flow_dir == IPSP_DIRECTION_IN ? "in" : "out", 1498 print_host(ssrc, NULL, 0), print_host(smask, NULL, 0), 1499 print_host(sdst, NULL, 0), print_host(dmask, NULL, 0), 1500 print_host(speer, NULL, 0)); 1501 1502 ikev2_acquire_sa(env, &flow); 1503 1504 out: 1505 if (errmsg) 1506 log_warnx("%s: %s wasn't found", __func__, errmsg); 1507 free(reply); 1508 break; 1509 1510 case SADB_EXPIRE: 1511 if ((sa = pfkey_find_ext(data, len, SADB_EXT_SA)) == NULL) { 1512 log_warnx("%s: SA extension wasn't found", __func__); 1513 return; 1514 } 1515 if ((sa_ltime = pfkey_find_ext(data, len, 1516 SADB_EXT_LIFETIME_SOFT)) == NULL && 1517 (sa_ltime = pfkey_find_ext(data, len, 1518 SADB_EXT_LIFETIME_HARD)) == NULL) { 1519 log_warnx("%s: lifetime extension wasn't found", 1520 __func__); 1521 return; 1522 } 1523 spi.spi = ntohl(sa->sadb_sa_spi); 1524 spi.spi_size = 4; 1525 switch (hdr->sadb_msg_satype) { 1526 case SADB_SATYPE_AH: 1527 spi.spi_protoid = IKEV2_SAPROTO_AH; 1528 break; 1529 case SADB_SATYPE_ESP: 1530 spi.spi_protoid = IKEV2_SAPROTO_ESP; 1531 break; 1532 default: 1533 log_warnx("%s: usupported SA type %d spi %s", 1534 __func__, hdr->sadb_msg_satype, 1535 print_spi(spi.spi, spi.spi_size)); 1536 return; 1537 } 1538 1539 log_debug("%s: SA %s is expired, pending %s", __func__, 1540 print_spi(spi.spi, spi.spi_size), 1541 sa_ltime->sadb_lifetime_exttype == SADB_EXT_LIFETIME_SOFT ? 1542 "rekeying" : "deletion"); 1543 1544 if (sa_ltime->sadb_lifetime_exttype == SADB_EXT_LIFETIME_SOFT) 1545 ikev2_rekey_sa(env, &spi); 1546 else 1547 ikev2_drop_sa(env, &spi); 1548 break; 1549 } 1550 } 1551