1 /* $OpenBSD: pfkey.c,v 1.38 2014/07/09 12:05:01 markus Exp $ */ 2 3 /* 4 * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org> 5 * Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org> 6 * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org> 7 * Copyright (c) 2003, 2004 Markus Friedl <markus@openbsd.org> 8 * 9 * Permission to use, copy, modify, and distribute this software for any 10 * purpose with or without fee is hereby granted, provided that the above 11 * copyright notice and this permission notice appear in all copies. 12 * 13 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 14 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 15 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 16 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 17 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 18 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 19 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 20 */ 21 22 #include <sys/param.h> 23 #include <sys/queue.h> 24 #include <sys/uio.h> 25 #include <sys/socket.h> 26 27 #include <netinet/in.h> 28 #include <netinet/ip_ipsp.h> 29 #include <net/pfkeyv2.h> 30 31 #include <err.h> 32 #include <errno.h> 33 #include <stdio.h> 34 #include <string.h> 35 #include <stdlib.h> 36 #include <unistd.h> 37 #include <event.h> 38 39 #include "iked.h" 40 #include "ikev2.h" 41 42 #define ROUNDUP(x) (((x) + (PFKEYV2_CHUNK - 1)) & ~(PFKEYV2_CHUNK - 1)) 43 #define IOV_CNT 20 44 45 #define PFKEYV2_CHUNK sizeof(u_int64_t) 46 #define PFKEY_REPLY_TIMEOUT 1000 47 48 static u_int32_t sadb_msg_seq = 0; 49 static u_int sadb_decoupled = 0; 50 static u_int sadb_ipv6refcnt = 0; 51 52 static int pfkey_blockipv6 = 0; 53 static struct event pfkey_timer_ev; 54 static struct timeval pfkey_timer_tv; 55 56 struct pfkey_message { 57 SIMPLEQ_ENTRY(pfkey_message) 58 pm_entry; 59 u_int8_t *pm_data; 60 ssize_t pm_length; 61 }; 62 SIMPLEQ_HEAD(, pfkey_message) pfkey_retry, pfkey_postponed = 63 SIMPLEQ_HEAD_INITIALIZER(pfkey_postponed); 64 65 struct pfkey_constmap { 66 u_int8_t pfkey_id; 67 u_int pfkey_ikeid; 68 u_int pfkey_fixedkey; 69 }; 70 71 static const struct pfkey_constmap pfkey_encr[] = { 72 { SADB_X_EALG_DES_IV64, IKEV2_XFORMENCR_DES_IV64 }, 73 { SADB_EALG_DESCBC, IKEV2_XFORMENCR_DES }, 74 { SADB_EALG_3DESCBC, IKEV2_XFORMENCR_3DES }, 75 { SADB_X_EALG_RC5, IKEV2_XFORMENCR_RC5 }, 76 { SADB_X_EALG_IDEA, IKEV2_XFORMENCR_IDEA }, 77 { SADB_X_EALG_CAST, IKEV2_XFORMENCR_CAST }, 78 { SADB_X_EALG_BLF, IKEV2_XFORMENCR_BLOWFISH }, 79 { SADB_X_EALG_3IDEA, IKEV2_XFORMENCR_3IDEA }, 80 { SADB_X_EALG_DES_IV32, IKEV2_XFORMENCR_DES_IV32 }, 81 { SADB_X_EALG_RC4, IKEV2_XFORMENCR_RC4 }, 82 { SADB_EALG_NULL, IKEV2_XFORMENCR_NULL }, 83 { SADB_X_EALG_AES, IKEV2_XFORMENCR_AES_CBC }, 84 { SADB_X_EALG_AESCTR, IKEV2_XFORMENCR_AES_CTR }, 85 { SADB_X_EALG_AESGCM16, IKEV2_XFORMENCR_AES_GCM_16 }, 86 { SADB_X_EALG_AESGMAC, IKEV2_XFORMENCR_NULL_AES_GMAC }, 87 { 0 } 88 }; 89 90 static const struct pfkey_constmap pfkey_integr[] = { 91 { SADB_AALG_MD5HMAC, IKEV2_XFORMAUTH_HMAC_MD5_96 }, 92 { SADB_AALG_SHA1HMAC, IKEV2_XFORMAUTH_HMAC_SHA1_96 }, 93 { SADB_X_AALG_DES, IKEV2_XFORMAUTH_DES_MAC }, 94 { SADB_X_AALG_SHA2_256, IKEV2_XFORMAUTH_HMAC_SHA2_256_128 }, 95 { SADB_X_AALG_SHA2_384, IKEV2_XFORMAUTH_HMAC_SHA2_384_192 }, 96 { SADB_X_AALG_SHA2_512, IKEV2_XFORMAUTH_HMAC_SHA2_512_256 }, 97 { 0 } 98 }; 99 100 static const struct pfkey_constmap pfkey_satype[] = { 101 { SADB_SATYPE_AH, IKEV2_SAPROTO_AH }, 102 { SADB_SATYPE_ESP, IKEV2_SAPROTO_ESP }, 103 { SADB_X_SATYPE_IPCOMP, IKEV2_SAPROTO_IPCOMP }, 104 { 0 } 105 }; 106 107 int pfkey_map(const struct pfkey_constmap *, u_int16_t, u_int8_t *); 108 int pfkey_flow(int, u_int8_t, u_int8_t, struct iked_flow *); 109 int pfkey_sa(int, u_int8_t, u_int8_t, struct iked_childsa *); 110 int pfkey_sa_getspi(int, u_int8_t, struct iked_childsa *, u_int32_t *); 111 int pfkey_sagroup(int, u_int8_t, u_int8_t, 112 struct iked_childsa *, struct iked_childsa *); 113 int pfkey_write(int, struct sadb_msg *, struct iovec *, int, 114 u_int8_t **, ssize_t *); 115 int pfkey_reply(int, u_int8_t **, ssize_t *); 116 void pfkey_dispatch(int, short, void *); 117 118 struct sadb_ident * 119 pfkey_id2ident(struct iked_id *, u_int); 120 void *pfkey_find_ext(u_int8_t *, ssize_t, int); 121 122 void pfkey_timer_cb(int, short, void *); 123 int pfkey_process(struct iked *, struct pfkey_message *); 124 125 int 126 pfkey_couple(int sd, struct iked_sas *sas, int couple) 127 { 128 struct iked_sa *sa; 129 struct iked_flow *flow; 130 struct iked_childsa *csa; 131 u_int old; 132 const char *mode[] = { "coupled", "decoupled" }; 133 134 /* Socket is not ready */ 135 if (sd == -1) 136 return (-1); 137 138 old = sadb_decoupled ? 1 : 0; 139 sadb_decoupled = couple ? 0 : 1; 140 141 if (old == sadb_decoupled) 142 return (0); 143 144 log_debug("%s: kernel %s -> %s", __func__, 145 mode[old], mode[sadb_decoupled]); 146 147 RB_FOREACH(sa, iked_sas, sas) { 148 TAILQ_FOREACH(csa, &sa->sa_childsas, csa_entry) { 149 if (!csa->csa_loaded && !sadb_decoupled) 150 (void)pfkey_sa_add(sd, csa, NULL); 151 else if (csa->csa_loaded && sadb_decoupled) 152 (void)pfkey_sa_delete(sd, csa); 153 } 154 TAILQ_FOREACH(flow, &sa->sa_flows, flow_entry) { 155 if (!flow->flow_loaded && !sadb_decoupled) 156 (void)pfkey_flow_add(sd, flow); 157 else if (flow->flow_loaded && sadb_decoupled) 158 (void)pfkey_flow_delete(sd, flow); 159 } 160 } 161 162 return (0); 163 } 164 165 int 166 pfkey_map(const struct pfkey_constmap *map, u_int16_t alg, u_int8_t *pfkalg) 167 { 168 int i; 169 170 for (i = 0; map[i].pfkey_id != 0; i++) 171 if (map[i].pfkey_ikeid == alg) { 172 *pfkalg = map[i].pfkey_id; 173 return (0); 174 } 175 return (-1); 176 } 177 178 int 179 pfkey_flow(int sd, u_int8_t satype, u_int8_t action, struct iked_flow *flow) 180 { 181 struct sadb_msg smsg; 182 struct sadb_address sa_src, sa_dst, sa_local, sa_peer, sa_smask, 183 sa_dmask; 184 struct sadb_protocol sa_flowtype, sa_protocol; 185 struct sadb_ident *sa_srcid, *sa_dstid; 186 struct sockaddr_storage ssrc, sdst, slocal, speer, smask, dmask; 187 struct iovec iov[IOV_CNT]; 188 int iov_cnt, ret = -1; 189 in_port_t sport, dport; 190 191 sport = dport = 0; 192 sa_srcid = sa_dstid = NULL; 193 194 bzero(&ssrc, sizeof(ssrc)); 195 bzero(&smask, sizeof(smask)); 196 memcpy(&ssrc, &flow->flow_src.addr, sizeof(ssrc)); 197 memcpy(&smask, &flow->flow_src.addr, sizeof(smask)); 198 if ((sport = flow->flow_src.addr_port) != 0) 199 dport = 0xffff; 200 socket_af((struct sockaddr *)&ssrc, sport); 201 socket_af((struct sockaddr *)&smask, dport); 202 203 switch (flow->flow_src.addr_af) { 204 case AF_INET: 205 ((struct sockaddr_in *)&smask)->sin_addr.s_addr = 206 prefixlen2mask(flow->flow_src.addr_net ? 207 flow->flow_src.addr_mask : 32); 208 break; 209 case AF_INET6: 210 prefixlen2mask6(flow->flow_src.addr_net ? 211 flow->flow_src.addr_mask : 128, 212 (u_int32_t *)((struct sockaddr_in6 *) 213 &smask)->sin6_addr.s6_addr); 214 break; 215 default: 216 log_warnx("%s: unsupported address family %d", 217 __func__, flow->flow_src.addr_af); 218 return (-1); 219 } 220 smask.ss_len = ssrc.ss_len; 221 222 bzero(&sdst, sizeof(sdst)); 223 bzero(&dmask, sizeof(dmask)); 224 memcpy(&sdst, &flow->flow_dst.addr, sizeof(sdst)); 225 memcpy(&dmask, &flow->flow_dst.addr, sizeof(dmask)); 226 if ((sport = flow->flow_dst.addr_port) != 0) 227 dport = 0xffff; 228 socket_af((struct sockaddr *)&sdst, sport); 229 socket_af((struct sockaddr *)&dmask, dport); 230 231 switch (flow->flow_dst.addr_af) { 232 case AF_INET: 233 ((struct sockaddr_in *)&dmask)->sin_addr.s_addr = 234 prefixlen2mask(flow->flow_dst.addr_net ? 235 flow->flow_dst.addr_mask : 32); 236 break; 237 case AF_INET6: 238 prefixlen2mask6(flow->flow_dst.addr_net ? 239 flow->flow_dst.addr_mask : 128, 240 (u_int32_t *)((struct sockaddr_in6 *) 241 &dmask)->sin6_addr.s6_addr); 242 break; 243 default: 244 log_warnx("%s: unsupported address family %d", 245 __func__, flow->flow_dst.addr_af); 246 return (-1); 247 } 248 dmask.ss_len = sdst.ss_len; 249 250 bzero(&slocal, sizeof(slocal)); 251 bzero(&speer, sizeof(speer)); 252 if (action != SADB_X_DELFLOW && flow->flow_local != NULL) { 253 memcpy(&slocal, &flow->flow_local->addr, sizeof(slocal)); 254 socket_af((struct sockaddr *)&slocal, 0); 255 256 memcpy(&speer, &flow->flow_peer->addr, sizeof(speer)); 257 socket_af((struct sockaddr *)&speer, 0); 258 } 259 260 bzero(&smsg, sizeof(smsg)); 261 smsg.sadb_msg_version = PF_KEY_V2; 262 smsg.sadb_msg_seq = ++sadb_msg_seq; 263 smsg.sadb_msg_pid = getpid(); 264 smsg.sadb_msg_len = sizeof(smsg) / 8; 265 smsg.sadb_msg_type = action; 266 smsg.sadb_msg_satype = satype; 267 268 bzero(&sa_flowtype, sizeof(sa_flowtype)); 269 sa_flowtype.sadb_protocol_exttype = SADB_X_EXT_FLOW_TYPE; 270 sa_flowtype.sadb_protocol_len = sizeof(sa_flowtype) / 8; 271 sa_flowtype.sadb_protocol_direction = flow->flow_dir; 272 sa_flowtype.sadb_protocol_proto = 273 flow->flow_type ? flow->flow_type : 274 (flow->flow_dir == IPSP_DIRECTION_IN ? 275 SADB_X_FLOW_TYPE_USE : SADB_X_FLOW_TYPE_REQUIRE); 276 277 bzero(&sa_protocol, sizeof(sa_protocol)); 278 sa_protocol.sadb_protocol_exttype = SADB_X_EXT_PROTOCOL; 279 sa_protocol.sadb_protocol_len = sizeof(sa_protocol) / 8; 280 sa_protocol.sadb_protocol_direction = 0; 281 sa_protocol.sadb_protocol_proto = flow->flow_ipproto; 282 283 bzero(&sa_src, sizeof(sa_src)); 284 sa_src.sadb_address_exttype = SADB_X_EXT_SRC_FLOW; 285 sa_src.sadb_address_len = (sizeof(sa_src) + ROUNDUP(ssrc.ss_len)) / 8; 286 287 bzero(&sa_smask, sizeof(sa_smask)); 288 sa_smask.sadb_address_exttype = SADB_X_EXT_SRC_MASK; 289 sa_smask.sadb_address_len = 290 (sizeof(sa_smask) + ROUNDUP(smask.ss_len)) / 8; 291 292 bzero(&sa_dst, sizeof(sa_dst)); 293 sa_dst.sadb_address_exttype = SADB_X_EXT_DST_FLOW; 294 sa_dst.sadb_address_len = (sizeof(sa_dst) + ROUNDUP(sdst.ss_len)) / 8; 295 296 bzero(&sa_dmask, sizeof(sa_dmask)); 297 sa_dmask.sadb_address_exttype = SADB_X_EXT_DST_MASK; 298 sa_dmask.sadb_address_len = 299 (sizeof(sa_dmask) + ROUNDUP(dmask.ss_len)) / 8; 300 301 if (action != SADB_X_DELFLOW && flow->flow_local != NULL) { 302 /* local address */ 303 bzero(&sa_local, sizeof(sa_local)); 304 sa_local.sadb_address_exttype = SADB_EXT_ADDRESS_SRC; 305 sa_local.sadb_address_len = 306 (sizeof(sa_local) + ROUNDUP(slocal.ss_len)) / 8; 307 308 /* peer address */ 309 bzero(&sa_peer, sizeof(sa_peer)); 310 sa_peer.sadb_address_exttype = SADB_EXT_ADDRESS_DST; 311 sa_peer.sadb_address_len = 312 (sizeof(sa_peer) + ROUNDUP(speer.ss_len)) / 8; 313 314 /* local id */ 315 sa_srcid = pfkey_id2ident(IKESA_SRCID(flow->flow_ikesa), 316 SADB_EXT_IDENTITY_SRC); 317 318 /* peer id */ 319 sa_dstid = pfkey_id2ident(IKESA_DSTID(flow->flow_ikesa), 320 SADB_EXT_IDENTITY_DST); 321 } 322 323 iov_cnt = 0; 324 325 /* header */ 326 iov[iov_cnt].iov_base = &smsg; 327 iov[iov_cnt].iov_len = sizeof(smsg); 328 iov_cnt++; 329 330 /* add flow type */ 331 iov[iov_cnt].iov_base = &sa_flowtype; 332 iov[iov_cnt].iov_len = sizeof(sa_flowtype); 333 smsg.sadb_msg_len += sa_flowtype.sadb_protocol_len; 334 iov_cnt++; 335 336 if (action != SADB_X_DELFLOW && flow->flow_local != NULL) { 337 #if 0 338 /* local ip */ 339 iov[iov_cnt].iov_base = &sa_local; 340 iov[iov_cnt].iov_len = sizeof(sa_local); 341 iov_cnt++; 342 iov[iov_cnt].iov_base = &slocal; 343 iov[iov_cnt].iov_len = ROUNDUP(slocal.ss_len); 344 smsg.sadb_msg_len += sa_local.sadb_address_len; 345 iov_cnt++; 346 #endif 347 348 /* remote peer */ 349 iov[iov_cnt].iov_base = &sa_peer; 350 iov[iov_cnt].iov_len = sizeof(sa_peer); 351 iov_cnt++; 352 iov[iov_cnt].iov_base = &speer; 353 iov[iov_cnt].iov_len = ROUNDUP(speer.ss_len); 354 smsg.sadb_msg_len += sa_peer.sadb_address_len; 355 iov_cnt++; 356 } 357 358 /* src addr */ 359 iov[iov_cnt].iov_base = &sa_src; 360 iov[iov_cnt].iov_len = sizeof(sa_src); 361 iov_cnt++; 362 iov[iov_cnt].iov_base = &ssrc; 363 iov[iov_cnt].iov_len = ROUNDUP(ssrc.ss_len); 364 smsg.sadb_msg_len += sa_src.sadb_address_len; 365 iov_cnt++; 366 367 /* src mask */ 368 iov[iov_cnt].iov_base = &sa_smask; 369 iov[iov_cnt].iov_len = sizeof(sa_smask); 370 iov_cnt++; 371 iov[iov_cnt].iov_base = &smask; 372 iov[iov_cnt].iov_len = ROUNDUP(smask.ss_len); 373 smsg.sadb_msg_len += sa_smask.sadb_address_len; 374 iov_cnt++; 375 376 /* dest addr */ 377 iov[iov_cnt].iov_base = &sa_dst; 378 iov[iov_cnt].iov_len = sizeof(sa_dst); 379 iov_cnt++; 380 iov[iov_cnt].iov_base = &sdst; 381 iov[iov_cnt].iov_len = ROUNDUP(sdst.ss_len); 382 smsg.sadb_msg_len += sa_dst.sadb_address_len; 383 iov_cnt++; 384 385 /* dst mask */ 386 iov[iov_cnt].iov_base = &sa_dmask; 387 iov[iov_cnt].iov_len = sizeof(sa_dmask); 388 iov_cnt++; 389 iov[iov_cnt].iov_base = &dmask; 390 iov[iov_cnt].iov_len = ROUNDUP(dmask.ss_len); 391 smsg.sadb_msg_len += sa_dmask.sadb_address_len; 392 iov_cnt++; 393 394 /* add protocol */ 395 iov[iov_cnt].iov_base = &sa_protocol; 396 iov[iov_cnt].iov_len = sizeof(sa_protocol); 397 smsg.sadb_msg_len += sa_protocol.sadb_protocol_len; 398 iov_cnt++; 399 400 if (sa_srcid) { 401 /* src identity */ 402 iov[iov_cnt].iov_base = sa_srcid; 403 iov[iov_cnt].iov_len = sa_srcid->sadb_ident_len * 8; 404 smsg.sadb_msg_len += sa_srcid->sadb_ident_len; 405 iov_cnt++; 406 } 407 if (sa_dstid) { 408 /* dst identity */ 409 iov[iov_cnt].iov_base = sa_dstid; 410 iov[iov_cnt].iov_len = sa_dstid->sadb_ident_len * 8; 411 smsg.sadb_msg_len += sa_dstid->sadb_ident_len; 412 iov_cnt++; 413 } 414 415 ret = pfkey_write(sd, &smsg, iov, iov_cnt, NULL, NULL); 416 417 if (sa_srcid) 418 free(sa_srcid); 419 if (sa_dstid) 420 free(sa_dstid); 421 422 return (ret); 423 } 424 425 int 426 pfkey_sa(int sd, u_int8_t satype, u_int8_t action, struct iked_childsa *sa) 427 { 428 struct sadb_msg smsg; 429 struct sadb_sa sadb; 430 struct sadb_address sa_src, sa_dst; 431 struct sadb_key sa_authkey, sa_enckey; 432 struct sadb_lifetime sa_ltime_hard, sa_ltime_soft; 433 struct sadb_x_udpencap udpencap; 434 struct sadb_x_tag sa_tag; 435 char *tag = NULL; 436 struct sadb_x_tap sa_tap; 437 struct sockaddr_storage ssrc, sdst; 438 struct sadb_ident *sa_srcid, *sa_dstid; 439 struct iked_lifetime *lt; 440 struct iked_policy *pol; 441 struct iovec iov[IOV_CNT]; 442 u_int32_t jitter; 443 int iov_cnt; 444 445 sa_srcid = sa_dstid = NULL; 446 447 if (sa->csa_ikesa == NULL || sa->csa_ikesa->sa_policy == NULL) { 448 log_warn("%s: invalid SA and policy", __func__); 449 return (-1); 450 } 451 pol = sa->csa_ikesa->sa_policy; 452 lt = &pol->pol_lifetime; 453 454 bzero(&ssrc, sizeof(ssrc)); 455 memcpy(&ssrc, &sa->csa_local->addr, sizeof(ssrc)); 456 if (socket_af((struct sockaddr *)&ssrc, 0) == -1) { 457 log_warn("%s: invalid address", __func__); 458 return (-1); 459 } 460 461 bzero(&sdst, sizeof(sdst)); 462 memcpy(&sdst, &sa->csa_peer->addr, sizeof(sdst)); 463 if (socket_af((struct sockaddr *)&sdst, 0) == -1) { 464 log_warn("%s: invalid address", __func__); 465 return (-1); 466 } 467 468 bzero(&smsg, sizeof(smsg)); 469 smsg.sadb_msg_version = PF_KEY_V2; 470 smsg.sadb_msg_seq = ++sadb_msg_seq; 471 smsg.sadb_msg_pid = getpid(); 472 smsg.sadb_msg_len = sizeof(smsg) / 8; 473 smsg.sadb_msg_type = action; 474 smsg.sadb_msg_satype = satype; 475 476 bzero(&sadb, sizeof(sadb)); 477 sadb.sadb_sa_len = sizeof(sadb) / 8; 478 sadb.sadb_sa_exttype = SADB_EXT_SA; 479 sadb.sadb_sa_spi = htonl(sa->csa_spi.spi); 480 sadb.sadb_sa_state = SADB_SASTATE_MATURE; 481 sadb.sadb_sa_replay = 64; 482 483 if (!sa->csa_transport) 484 sadb.sadb_sa_flags |= SADB_X_SAFLAGS_TUNNEL; 485 486 if (sa->csa_esn) 487 sadb.sadb_sa_flags |= SADB_X_SAFLAGS_ESN; 488 489 bzero(&sa_src, sizeof(sa_src)); 490 sa_src.sadb_address_len = (sizeof(sa_src) + ROUNDUP(ssrc.ss_len)) / 8; 491 sa_src.sadb_address_exttype = SADB_EXT_ADDRESS_SRC; 492 493 bzero(&sa_dst, sizeof(sa_dst)); 494 sa_dst.sadb_address_len = (sizeof(sa_dst) + ROUNDUP(sdst.ss_len)) / 8; 495 sa_dst.sadb_address_exttype = SADB_EXT_ADDRESS_DST; 496 497 bzero(&sa_authkey, sizeof(sa_authkey)); 498 bzero(&sa_enckey, sizeof(sa_enckey)); 499 bzero(&udpencap, sizeof udpencap); 500 bzero(&sa_ltime_hard, sizeof(sa_ltime_hard)); 501 bzero(&sa_ltime_soft, sizeof(sa_ltime_soft)); 502 503 if (action == SADB_DELETE) 504 goto send; 505 506 if ((action == SADB_ADD || action == SADB_UPDATE) && 507 !sa->csa_persistent && (lt->lt_bytes || lt->lt_seconds)) { 508 sa_ltime_hard.sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD; 509 sa_ltime_hard.sadb_lifetime_len = sizeof(sa_ltime_hard) / 8; 510 sa_ltime_hard.sadb_lifetime_bytes = lt->lt_bytes; 511 sa_ltime_hard.sadb_lifetime_addtime = lt->lt_seconds; 512 513 /* double the lifetime for IP compression */ 514 if (satype == SADB_X_SATYPE_IPCOMP) 515 sa_ltime_hard.sadb_lifetime_addtime *= 2; 516 517 sa_ltime_soft.sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT; 518 sa_ltime_soft.sadb_lifetime_len = sizeof(sa_ltime_soft) / 8; 519 /* set randomly to 85-95% */ 520 jitter = 850 + arc4random_uniform(100); 521 sa_ltime_soft.sadb_lifetime_bytes = 522 (sa_ltime_hard.sadb_lifetime_bytes * jitter) / 1000; 523 sa_ltime_soft.sadb_lifetime_addtime = 524 (sa_ltime_hard.sadb_lifetime_addtime * jitter) / 1000; 525 } 526 527 /* XXX handle NULL encryption or NULL auth or combined encr/auth */ 528 if (action == SADB_ADD && 529 !ibuf_length(sa->csa_integrkey) && !ibuf_length(sa->csa_encrkey) && 530 satype != SADB_X_SATYPE_IPCOMP && satype != SADB_X_SATYPE_IPIP) { 531 log_warnx("%s: no key specified", __func__); 532 return (-1); 533 } 534 535 if (satype == SADB_SATYPE_ESP && 536 sa->csa_ikesa->sa_udpencap && sa->csa_ikesa->sa_natt) { 537 sadb.sadb_sa_flags |= SADB_X_SAFLAGS_UDPENCAP; 538 udpencap.sadb_x_udpencap_exttype = SADB_X_EXT_UDPENCAP; 539 udpencap.sadb_x_udpencap_len = sizeof(udpencap) / 8; 540 udpencap.sadb_x_udpencap_port = 541 sa->csa_ikesa->sa_peer.addr_port; 542 543 log_debug("%s: udpencap port %d", __func__, 544 ntohs(udpencap.sadb_x_udpencap_port)); 545 } 546 547 if (sa->csa_integrid) 548 if (pfkey_map(pfkey_integr, 549 sa->csa_integrid, &sadb.sadb_sa_auth) == -1) { 550 log_warnx("%s: unsupported integrity algorithm %s", 551 __func__, print_map(sa->csa_integrid, 552 ikev2_xformauth_map)); 553 return (-1); 554 } 555 556 if (sa->csa_encrid) 557 if (pfkey_map(pfkey_encr, 558 sa->csa_encrid, &sadb.sadb_sa_encrypt) == -1) { 559 log_warnx("%s: unsupported encryption algorithm %s", 560 __func__, print_map(sa->csa_encrid, 561 ikev2_xformencr_map)); 562 return (-1); 563 } 564 565 if (ibuf_length(sa->csa_integrkey)) { 566 sa_authkey.sadb_key_len = (sizeof(sa_authkey) + 567 ((ibuf_size(sa->csa_integrkey) + 7) / 8) * 8) / 8; 568 sa_authkey.sadb_key_exttype = SADB_EXT_KEY_AUTH; 569 sa_authkey.sadb_key_bits = 570 8 * ibuf_size(sa->csa_integrkey); 571 } 572 573 if (ibuf_length(sa->csa_encrkey)) { 574 sa_enckey.sadb_key_len = (sizeof(sa_enckey) + 575 ((ibuf_size(sa->csa_encrkey) + 7) / 8) * 8) / 8; 576 sa_enckey.sadb_key_exttype = SADB_EXT_KEY_ENCRYPT; 577 sa_enckey.sadb_key_bits = 578 8 * ibuf_size(sa->csa_encrkey); 579 } 580 581 /* we only support deflate */ 582 if (satype == SADB_X_SATYPE_IPCOMP) 583 sadb.sadb_sa_encrypt = SADB_X_CALG_DEFLATE; 584 585 /* Note that we need to swap the IDs for incoming SAs (SADB_UPDATE) */ 586 if (action != SADB_UPDATE) { 587 sa_srcid = pfkey_id2ident( 588 IKESA_SRCID(sa->csa_ikesa), SADB_EXT_IDENTITY_SRC); 589 sa_dstid = pfkey_id2ident( 590 IKESA_DSTID(sa->csa_ikesa), SADB_EXT_IDENTITY_DST); 591 } else { 592 sa_srcid = pfkey_id2ident( 593 IKESA_DSTID(sa->csa_ikesa), SADB_EXT_IDENTITY_SRC); 594 sa_dstid = pfkey_id2ident( 595 IKESA_SRCID(sa->csa_ikesa), SADB_EXT_IDENTITY_DST); 596 } 597 598 tag = sa->csa_ikesa->sa_tag; 599 if (tag != NULL && *tag != '\0') { 600 bzero(&sa_tag, sizeof(sa_tag)); 601 sa_tag.sadb_x_tag_exttype = SADB_X_EXT_TAG; 602 sa_tag.sadb_x_tag_len = 603 (ROUNDUP(strlen(tag) + 1) + sizeof(sa_tag)) / 8; 604 sa_tag.sadb_x_tag_taglen = strlen(tag) + 1; 605 } else 606 tag = NULL; 607 608 if (pol->pol_tap != 0) { 609 bzero(&sa_tap, sizeof(sa_tap)); 610 sa_tap.sadb_x_tap_exttype = SADB_X_EXT_TAP; 611 sa_tap.sadb_x_tap_len = sizeof(sa_tap) / 8; 612 sa_tap.sadb_x_tap_unit = pol->pol_tap; 613 } 614 615 send: 616 iov_cnt = 0; 617 618 /* header */ 619 iov[iov_cnt].iov_base = &smsg; 620 iov[iov_cnt].iov_len = sizeof(smsg); 621 iov_cnt++; 622 623 /* sa */ 624 iov[iov_cnt].iov_base = &sadb; 625 iov[iov_cnt].iov_len = sizeof(sadb); 626 smsg.sadb_msg_len += sadb.sadb_sa_len; 627 iov_cnt++; 628 629 /* src addr */ 630 iov[iov_cnt].iov_base = &sa_src; 631 iov[iov_cnt].iov_len = sizeof(sa_src); 632 iov_cnt++; 633 iov[iov_cnt].iov_base = &ssrc; 634 iov[iov_cnt].iov_len = ROUNDUP(ssrc.ss_len); 635 smsg.sadb_msg_len += sa_src.sadb_address_len; 636 iov_cnt++; 637 638 /* dst addr */ 639 iov[iov_cnt].iov_base = &sa_dst; 640 iov[iov_cnt].iov_len = sizeof(sa_dst); 641 iov_cnt++; 642 iov[iov_cnt].iov_base = &sdst; 643 iov[iov_cnt].iov_len = ROUNDUP(sdst.ss_len); 644 smsg.sadb_msg_len += sa_dst.sadb_address_len; 645 iov_cnt++; 646 647 if (sa_ltime_soft.sadb_lifetime_len) { 648 /* soft lifetime */ 649 iov[iov_cnt].iov_base = &sa_ltime_soft; 650 iov[iov_cnt].iov_len = sizeof(sa_ltime_soft); 651 smsg.sadb_msg_len += sa_ltime_soft.sadb_lifetime_len; 652 iov_cnt++; 653 } 654 655 if (sa_ltime_hard.sadb_lifetime_len) { 656 /* hard lifetime */ 657 iov[iov_cnt].iov_base = &sa_ltime_hard; 658 iov[iov_cnt].iov_len = sizeof(sa_ltime_hard); 659 smsg.sadb_msg_len += sa_ltime_hard.sadb_lifetime_len; 660 iov_cnt++; 661 } 662 663 if (udpencap.sadb_x_udpencap_len) { 664 iov[iov_cnt].iov_base = &udpencap; 665 iov[iov_cnt].iov_len = sizeof(udpencap); 666 smsg.sadb_msg_len += udpencap.sadb_x_udpencap_len; 667 iov_cnt++; 668 } 669 670 if (sa_enckey.sadb_key_len) { 671 /* encryption key */ 672 iov[iov_cnt].iov_base = &sa_enckey; 673 iov[iov_cnt].iov_len = sizeof(sa_enckey); 674 iov_cnt++; 675 iov[iov_cnt].iov_base = ibuf_data(sa->csa_encrkey); 676 iov[iov_cnt].iov_len = 677 ((ibuf_size(sa->csa_encrkey) + 7) / 8) * 8; 678 smsg.sadb_msg_len += sa_enckey.sadb_key_len; 679 iov_cnt++; 680 } 681 if (sa_authkey.sadb_key_len) { 682 /* authentication key */ 683 iov[iov_cnt].iov_base = &sa_authkey; 684 iov[iov_cnt].iov_len = sizeof(sa_authkey); 685 iov_cnt++; 686 iov[iov_cnt].iov_base = ibuf_data(sa->csa_integrkey); 687 iov[iov_cnt].iov_len = 688 ((ibuf_size(sa->csa_integrkey) + 7) / 8) * 8; 689 smsg.sadb_msg_len += sa_authkey.sadb_key_len; 690 iov_cnt++; 691 } 692 693 if (sa_srcid) { 694 /* src identity */ 695 iov[iov_cnt].iov_base = sa_srcid; 696 iov[iov_cnt].iov_len = sa_srcid->sadb_ident_len * 8; 697 smsg.sadb_msg_len += sa_srcid->sadb_ident_len; 698 iov_cnt++; 699 } 700 if (sa_dstid) { 701 /* dst identity */ 702 iov[iov_cnt].iov_base = sa_dstid; 703 iov[iov_cnt].iov_len = sa_dstid->sadb_ident_len * 8; 704 smsg.sadb_msg_len += sa_dstid->sadb_ident_len; 705 iov_cnt++; 706 } 707 708 if (tag != NULL) { 709 /* tag identity */ 710 iov[iov_cnt].iov_base = &sa_tag; 711 iov[iov_cnt].iov_len = sizeof(sa_tag); 712 iov_cnt++; 713 iov[iov_cnt].iov_base = tag; 714 iov[iov_cnt].iov_len = ROUNDUP(strlen(tag) + 1); 715 smsg.sadb_msg_len += sa_tag.sadb_x_tag_len; 716 iov_cnt++; 717 } 718 719 if (pol->pol_tap != 0) { 720 /* enc(4) device tap unit */ 721 iov[iov_cnt].iov_base = &sa_tap; 722 iov[iov_cnt].iov_len = sizeof(sa_tap); 723 smsg.sadb_msg_len += sa_tap.sadb_x_tap_len; 724 iov_cnt++; 725 } 726 727 return (pfkey_write(sd, &smsg, iov, iov_cnt, NULL, NULL)); 728 } 729 730 int 731 pfkey_sa_last_used(int sd, struct iked_childsa *sa, u_int64_t *last_used) 732 { 733 struct sadb_msg *msg, smsg; 734 struct sadb_address sa_src, sa_dst; 735 struct sadb_sa sadb; 736 struct sadb_lifetime *sa_life; 737 struct sockaddr_storage ssrc, sdst; 738 struct iovec iov[IOV_CNT]; 739 u_int8_t *data; 740 ssize_t n; 741 int iov_cnt, ret = -1; 742 u_int8_t satype; 743 744 *last_used = 0; 745 746 if (pfkey_map(pfkey_satype, sa->csa_saproto, &satype) == -1) 747 return (-1); 748 749 bzero(&ssrc, sizeof(ssrc)); 750 memcpy(&ssrc, &sa->csa_local->addr, sizeof(ssrc)); 751 if (socket_af((struct sockaddr *)&ssrc, 0) == -1) { 752 log_warn("%s: invalid address", __func__); 753 return (-1); 754 } 755 756 bzero(&sdst, sizeof(sdst)); 757 memcpy(&sdst, &sa->csa_peer->addr, sizeof(sdst)); 758 if (socket_af((struct sockaddr *)&sdst, 0) == -1) { 759 log_warn("%s: invalid address", __func__); 760 return (-1); 761 } 762 763 bzero(&smsg, sizeof(smsg)); 764 smsg.sadb_msg_version = PF_KEY_V2; 765 smsg.sadb_msg_seq = ++sadb_msg_seq; 766 smsg.sadb_msg_pid = getpid(); 767 smsg.sadb_msg_len = sizeof(smsg) / 8; 768 smsg.sadb_msg_type = SADB_GET; 769 smsg.sadb_msg_satype = satype; 770 771 bzero(&sadb, sizeof(sadb)); 772 sadb.sadb_sa_len = sizeof(sadb) / 8; 773 sadb.sadb_sa_exttype = SADB_EXT_SA; 774 sadb.sadb_sa_spi = htonl(sa->csa_spi.spi); 775 sadb.sadb_sa_state = SADB_SASTATE_MATURE; 776 sadb.sadb_sa_replay = 64; 777 778 bzero(&sa_src, sizeof(sa_src)); 779 sa_src.sadb_address_len = (sizeof(sa_src) + ROUNDUP(ssrc.ss_len)) / 8; 780 sa_src.sadb_address_exttype = SADB_EXT_ADDRESS_SRC; 781 782 bzero(&sa_dst, sizeof(sa_dst)); 783 sa_dst.sadb_address_len = (sizeof(sa_dst) + ROUNDUP(sdst.ss_len)) / 8; 784 sa_dst.sadb_address_exttype = SADB_EXT_ADDRESS_DST; 785 786 iov_cnt = 0; 787 788 /* header */ 789 iov[iov_cnt].iov_base = &smsg; 790 iov[iov_cnt].iov_len = sizeof(smsg); 791 iov_cnt++; 792 793 /* sa */ 794 iov[iov_cnt].iov_base = &sadb; 795 iov[iov_cnt].iov_len = sizeof(sadb); 796 smsg.sadb_msg_len += sadb.sadb_sa_len; 797 iov_cnt++; 798 799 /* src addr */ 800 iov[iov_cnt].iov_base = &sa_src; 801 iov[iov_cnt].iov_len = sizeof(sa_src); 802 iov_cnt++; 803 iov[iov_cnt].iov_base = &ssrc; 804 iov[iov_cnt].iov_len = ROUNDUP(ssrc.ss_len); 805 smsg.sadb_msg_len += sa_src.sadb_address_len; 806 iov_cnt++; 807 808 /* dst addr */ 809 iov[iov_cnt].iov_base = &sa_dst; 810 iov[iov_cnt].iov_len = sizeof(sa_dst); 811 iov_cnt++; 812 iov[iov_cnt].iov_base = &sdst; 813 iov[iov_cnt].iov_len = ROUNDUP(sdst.ss_len); 814 smsg.sadb_msg_len += sa_dst.sadb_address_len; 815 iov_cnt++; 816 817 if ((ret = pfkey_write(sd, &smsg, iov, iov_cnt, &data, &n)) != 0) 818 return (-1); 819 820 msg = (struct sadb_msg *)data; 821 if (msg->sadb_msg_errno != 0) { 822 errno = msg->sadb_msg_errno; 823 ret = -1; 824 log_warn("%s: message", __func__); 825 goto done; 826 } 827 if ((sa_life = pfkey_find_ext(data, n, SADB_X_EXT_LIFETIME_LASTUSE)) 828 == NULL) { 829 /* has never been used */ 830 ret = -1; 831 goto done; 832 } 833 *last_used = sa_life->sadb_lifetime_usetime; 834 log_debug("%s: last_used %llu", __func__, *last_used); 835 836 done: 837 bzero(data, n); 838 free(data); 839 return (ret); 840 } 841 842 int 843 pfkey_sa_getspi(int sd, u_int8_t satype, struct iked_childsa *sa, 844 u_int32_t *spip) 845 { 846 struct sadb_msg *msg, smsg; 847 struct sadb_address sa_src, sa_dst; 848 struct sadb_sa *sa_ext; 849 struct sadb_spirange sa_spirange; 850 struct sockaddr_storage ssrc, sdst; 851 struct iovec iov[IOV_CNT]; 852 u_int8_t *data; 853 ssize_t n; 854 int iov_cnt, ret = -1; 855 856 bzero(&ssrc, sizeof(ssrc)); 857 memcpy(&ssrc, &sa->csa_local->addr, sizeof(ssrc)); 858 if (socket_af((struct sockaddr *)&ssrc, 0) == -1) { 859 log_warn("%s: invalid address", __func__); 860 return (-1); 861 } 862 863 bzero(&sdst, sizeof(sdst)); 864 memcpy(&sdst, &sa->csa_peer->addr, sizeof(sdst)); 865 if (socket_af((struct sockaddr *)&sdst, 0) == -1) { 866 log_warn("%s: invalid address", __func__); 867 return (-1); 868 } 869 870 bzero(&smsg, sizeof(smsg)); 871 smsg.sadb_msg_version = PF_KEY_V2; 872 smsg.sadb_msg_seq = ++sadb_msg_seq; 873 smsg.sadb_msg_pid = getpid(); 874 smsg.sadb_msg_len = sizeof(smsg) / 8; 875 smsg.sadb_msg_type = SADB_GETSPI; 876 smsg.sadb_msg_satype = satype; 877 878 bzero(&sa_spirange, sizeof(sa_spirange)); 879 sa_spirange.sadb_spirange_exttype = SADB_EXT_SPIRANGE; 880 sa_spirange.sadb_spirange_len = sizeof(sa_spirange) / 8; 881 sa_spirange.sadb_spirange_min = 0x100; 882 sa_spirange.sadb_spirange_max = (satype == SADB_X_SATYPE_IPCOMP) ? 883 (CPI_PRIVATE_MIN - 1) : 0xffffffff; 884 sa_spirange.sadb_spirange_reserved = 0; 885 886 bzero(&sa_src, sizeof(sa_src)); 887 sa_src.sadb_address_len = (sizeof(sa_src) + ROUNDUP(ssrc.ss_len)) / 8; 888 sa_src.sadb_address_exttype = SADB_EXT_ADDRESS_SRC; 889 890 bzero(&sa_dst, sizeof(sa_dst)); 891 sa_dst.sadb_address_len = (sizeof(sa_dst) + ROUNDUP(sdst.ss_len)) / 8; 892 sa_dst.sadb_address_exttype = SADB_EXT_ADDRESS_DST; 893 894 iov_cnt = 0; 895 896 /* header */ 897 iov[iov_cnt].iov_base = &smsg; 898 iov[iov_cnt].iov_len = sizeof(smsg); 899 iov_cnt++; 900 901 /* SPI range */ 902 iov[iov_cnt].iov_base = &sa_spirange; 903 iov[iov_cnt].iov_len = sizeof(sa_spirange); 904 smsg.sadb_msg_len += sa_spirange.sadb_spirange_len; 905 iov_cnt++; 906 907 /* src addr */ 908 iov[iov_cnt].iov_base = &sa_src; 909 iov[iov_cnt].iov_len = sizeof(sa_src); 910 iov_cnt++; 911 iov[iov_cnt].iov_base = &ssrc; 912 iov[iov_cnt].iov_len = ROUNDUP(ssrc.ss_len); 913 smsg.sadb_msg_len += sa_src.sadb_address_len; 914 iov_cnt++; 915 916 /* dst addr */ 917 iov[iov_cnt].iov_base = &sa_dst; 918 iov[iov_cnt].iov_len = sizeof(sa_dst); 919 iov_cnt++; 920 iov[iov_cnt].iov_base = &sdst; 921 iov[iov_cnt].iov_len = ROUNDUP(sdst.ss_len); 922 smsg.sadb_msg_len += sa_dst.sadb_address_len; 923 iov_cnt++; 924 925 *spip = 0; 926 927 if ((ret = pfkey_write(sd, &smsg, iov, iov_cnt, &data, &n)) != 0) 928 return (-1); 929 930 msg = (struct sadb_msg *)data; 931 if (msg->sadb_msg_errno != 0) { 932 errno = msg->sadb_msg_errno; 933 log_warn("%s: message", __func__); 934 goto done; 935 } 936 if ((sa_ext = pfkey_find_ext(data, n, SADB_EXT_SA)) == NULL) { 937 log_debug("%s: erronous reply", __func__); 938 goto done; 939 } 940 941 *spip = ntohl(sa_ext->sadb_sa_spi); 942 log_debug("%s: spi 0x%08x", __func__, *spip); 943 944 done: 945 bzero(data, n); 946 free(data); 947 return (ret); 948 } 949 950 int 951 pfkey_sagroup(int sd, u_int8_t satype1, u_int8_t action, 952 struct iked_childsa *sa1, struct iked_childsa *sa2) 953 { 954 struct sadb_msg smsg; 955 struct sadb_sa sadb1, sadb2; 956 struct sadb_address sa_dst1, sa_dst2; 957 struct sockaddr_storage sdst1, sdst2; 958 struct sadb_protocol sa_proto; 959 struct iovec iov[IOV_CNT]; 960 int iov_cnt; 961 u_int8_t satype2; 962 963 if (pfkey_map(pfkey_satype, sa2->csa_saproto, &satype2) == -1) 964 return (-1); 965 966 bzero(&sdst1, sizeof(sdst1)); 967 memcpy(&sdst1, &sa1->csa_peer->addr, sizeof(sdst1)); 968 if (socket_af((struct sockaddr *)&sdst1, 0) == -1) { 969 log_warnx("%s: unsupported address family %d", 970 __func__, sdst1.ss_family); 971 return (-1); 972 } 973 974 bzero(&sdst2, sizeof(sdst2)); 975 memcpy(&sdst2, &sa2->csa_peer->addr, sizeof(sdst2)); 976 if (socket_af((struct sockaddr *)&sdst2, 0) == -1) { 977 log_warnx("%s: unsupported address family %d", 978 __func__, sdst2.ss_family); 979 return (-1); 980 } 981 982 bzero(&smsg, sizeof(smsg)); 983 smsg.sadb_msg_version = PF_KEY_V2; 984 smsg.sadb_msg_seq = ++sadb_msg_seq; 985 smsg.sadb_msg_pid = getpid(); 986 smsg.sadb_msg_len = sizeof(smsg) / 8; 987 smsg.sadb_msg_type = action; 988 smsg.sadb_msg_satype = satype1; 989 990 bzero(&sadb1, sizeof(sadb1)); 991 sadb1.sadb_sa_len = sizeof(sadb1) / 8; 992 sadb1.sadb_sa_exttype = SADB_EXT_SA; 993 sadb1.sadb_sa_spi = htonl(sa1->csa_spi.spi); 994 sadb1.sadb_sa_state = SADB_SASTATE_MATURE; 995 996 bzero(&sadb2, sizeof(sadb2)); 997 sadb2.sadb_sa_len = sizeof(sadb2) / 8; 998 sadb2.sadb_sa_exttype = SADB_X_EXT_SA2; 999 sadb2.sadb_sa_spi = htonl(sa2->csa_spi.spi); 1000 sadb2.sadb_sa_state = SADB_SASTATE_MATURE; 1001 iov_cnt = 0; 1002 1003 bzero(&sa_dst1, sizeof(sa_dst1)); 1004 sa_dst1.sadb_address_exttype = SADB_EXT_ADDRESS_DST; 1005 sa_dst1.sadb_address_len = 1006 (sizeof(sa_dst1) + ROUNDUP(sdst1.ss_len)) / 8; 1007 1008 bzero(&sa_dst2, sizeof(sa_dst2)); 1009 sa_dst2.sadb_address_exttype = SADB_X_EXT_DST2; 1010 sa_dst2.sadb_address_len = 1011 (sizeof(sa_dst2) + ROUNDUP(sdst2.ss_len)) / 8; 1012 1013 bzero(&sa_proto, sizeof(sa_proto)); 1014 sa_proto.sadb_protocol_exttype = SADB_X_EXT_PROTOCOL; 1015 sa_proto.sadb_protocol_len = sizeof(sa_proto) / 8; 1016 sa_proto.sadb_protocol_direction = 0; 1017 sa_proto.sadb_protocol_proto = satype2; 1018 1019 /* header */ 1020 iov[iov_cnt].iov_base = &smsg; 1021 iov[iov_cnt].iov_len = sizeof(smsg); 1022 iov_cnt++; 1023 1024 /* sa */ 1025 iov[iov_cnt].iov_base = &sadb1; 1026 iov[iov_cnt].iov_len = sizeof(sadb1); 1027 smsg.sadb_msg_len += sadb1.sadb_sa_len; 1028 iov_cnt++; 1029 1030 /* dst addr */ 1031 iov[iov_cnt].iov_base = &sa_dst1; 1032 iov[iov_cnt].iov_len = sizeof(sa_dst1); 1033 iov_cnt++; 1034 iov[iov_cnt].iov_base = &sdst1; 1035 iov[iov_cnt].iov_len = ROUNDUP(sdst1.ss_len); 1036 smsg.sadb_msg_len += sa_dst1.sadb_address_len; 1037 iov_cnt++; 1038 1039 /* second sa */ 1040 iov[iov_cnt].iov_base = &sadb2; 1041 iov[iov_cnt].iov_len = sizeof(sadb2); 1042 smsg.sadb_msg_len += sadb2.sadb_sa_len; 1043 iov_cnt++; 1044 1045 /* second dst addr */ 1046 iov[iov_cnt].iov_base = &sa_dst2; 1047 iov[iov_cnt].iov_len = sizeof(sa_dst2); 1048 iov_cnt++; 1049 iov[iov_cnt].iov_base = &sdst2; 1050 iov[iov_cnt].iov_len = ROUNDUP(sdst2.ss_len); 1051 smsg.sadb_msg_len += sa_dst2.sadb_address_len; 1052 iov_cnt++; 1053 1054 /* SA type */ 1055 iov[iov_cnt].iov_base = &sa_proto; 1056 iov[iov_cnt].iov_len = sizeof(sa_proto); 1057 smsg.sadb_msg_len += sa_proto.sadb_protocol_len; 1058 iov_cnt++; 1059 1060 return (pfkey_write(sd, &smsg, iov, iov_cnt, NULL, NULL)); 1061 } 1062 1063 int 1064 pfkey_write(int sd, struct sadb_msg *smsg, struct iovec *iov, int iov_cnt, 1065 u_int8_t **datap, ssize_t *lenp) 1066 { 1067 ssize_t n, len = smsg->sadb_msg_len * 8; 1068 1069 if (sadb_decoupled) { 1070 switch (smsg->sadb_msg_type) { 1071 case SADB_GETSPI: 1072 /* we need to get a new SPI from the kernel */ 1073 break; 1074 default: 1075 if (datap || lenp) { 1076 log_warnx("%s: pfkey not coupled", __func__); 1077 return (-1); 1078 } 1079 /* ignore request */ 1080 return (0); 1081 } 1082 } 1083 1084 if ((n = writev(sd, iov, iov_cnt)) == -1) { 1085 log_warn("%s: writev failed", __func__); 1086 return (-1); 1087 } else if (n != len) { 1088 log_warn("%s: short write", __func__); 1089 return (-1); 1090 } 1091 1092 return (pfkey_reply(sd, datap, lenp)); 1093 } 1094 1095 int 1096 pfkey_reply(int sd, u_int8_t **datap, ssize_t *lenp) 1097 { 1098 struct pfkey_message *pm; 1099 struct sadb_msg hdr; 1100 struct timeval tv; 1101 ssize_t len; 1102 u_int8_t *data; 1103 fd_set *fds; 1104 int n; 1105 1106 for (;;) { 1107 /* 1108 * We should actually expect the reply to get lost 1109 * as PF_KEY is an unreliable service per the specs. 1110 * Currently we do this by setting a short timeout, 1111 * and if it is not readable in that time, we fail 1112 * the read. 1113 */ 1114 n = howmany(sd + 1, NFDBITS); 1115 if ((fds = calloc(n, sizeof(fd_mask))) == NULL) { 1116 log_warn("%s: calloc(%lu, %lu) failed", __func__, 1117 (unsigned long) n, 1118 (unsigned long) sizeof(fd_mask)); 1119 return (-1); 1120 } 1121 FD_SET(sd, fds); 1122 tv.tv_sec = 0; 1123 tv.tv_usec = PFKEY_REPLY_TIMEOUT; 1124 n = select(sd + 1, fds, 0, 0, &tv); 1125 free(fds); 1126 if (n == -1) { 1127 log_warn("%s: select(%d, fds, 0, 0, &tv) failed", 1128 __func__, sd + 1); 1129 return (-1); 1130 } 1131 if (n == 0) { 1132 log_warnx("%s: no reply from PF_KEY", __func__); 1133 return (-1); 1134 } 1135 1136 if (recv(sd, &hdr, sizeof(hdr), MSG_PEEK) != sizeof(hdr)) { 1137 log_warn("%s: short recv", __func__); 1138 return (-1); 1139 } 1140 1141 if (hdr.sadb_msg_version != PF_KEY_V2) { 1142 log_warnx("%s: wrong pfkey version", __func__); 1143 return (-1); 1144 } 1145 1146 len = hdr.sadb_msg_len * PFKEYV2_CHUNK; 1147 if ((data = malloc(len)) == NULL) { 1148 log_warn("%s: malloc", __func__); 1149 return (-1); 1150 } 1151 if (read(sd, data, len) != len) { 1152 log_warnx("%s: short read", __func__); 1153 free(data); 1154 return (-1); 1155 } 1156 1157 /* XXX: Only one message can be outstanding. */ 1158 if (hdr.sadb_msg_seq == sadb_msg_seq && 1159 hdr.sadb_msg_pid == (u_int32_t)getpid()) 1160 break; 1161 1162 /* ignore messages for other processes */ 1163 if (hdr.sadb_msg_pid != 0 && 1164 hdr.sadb_msg_pid != (u_int32_t)getpid()) { 1165 free(data); 1166 continue; 1167 } 1168 1169 /* not the reply, enqueue */ 1170 if ((pm = malloc(sizeof(*pm))) == NULL) { 1171 log_warn("%s: malloc", __func__); 1172 free(data); 1173 return (-1); 1174 } 1175 pm->pm_data = data; 1176 pm->pm_length = len; 1177 SIMPLEQ_INSERT_TAIL(&pfkey_postponed, pm, pm_entry); 1178 evtimer_add(&pfkey_timer_ev, &pfkey_timer_tv); 1179 } 1180 1181 if (datap) { 1182 *datap = data; 1183 if (lenp) 1184 *lenp = len; 1185 } else 1186 free(data); 1187 1188 if (datap == NULL && hdr.sadb_msg_errno != 0) { 1189 errno = hdr.sadb_msg_errno; 1190 if (errno != EEXIST) { 1191 log_warn("%s: message", __func__); 1192 return (-1); 1193 } 1194 } 1195 return (0); 1196 } 1197 1198 int 1199 pfkey_flow_add(int fd, struct iked_flow *flow) 1200 { 1201 u_int8_t satype; 1202 1203 if (flow->flow_loaded) 1204 return (0); 1205 1206 if (pfkey_map(pfkey_satype, flow->flow_saproto, &satype) == -1) 1207 return (-1); 1208 1209 if (pfkey_flow(fd, satype, SADB_X_ADDFLOW, flow) == -1) 1210 return (-1); 1211 1212 flow->flow_loaded = 1; 1213 1214 if (flow->flow_dst.addr_af == AF_INET6) { 1215 sadb_ipv6refcnt++; 1216 if (sadb_ipv6refcnt == 1) 1217 return (pfkey_block(fd, AF_INET6, SADB_X_DELFLOW)); 1218 } 1219 1220 return (0); 1221 } 1222 1223 int 1224 pfkey_flow_delete(int fd, struct iked_flow *flow) 1225 { 1226 u_int8_t satype; 1227 1228 if (!flow->flow_loaded) 1229 return (0); 1230 1231 if (pfkey_map(pfkey_satype, flow->flow_saproto, &satype) == -1) 1232 return (-1); 1233 1234 if (pfkey_flow(fd, satype, SADB_X_DELFLOW, flow) == -1) 1235 return (-1); 1236 1237 flow->flow_loaded = 0; 1238 1239 if (flow->flow_dst.addr_af == AF_INET6) { 1240 sadb_ipv6refcnt--; 1241 if (sadb_ipv6refcnt == 0) 1242 return (pfkey_block(fd, AF_INET6, SADB_X_ADDFLOW)); 1243 } 1244 1245 return (0); 1246 } 1247 1248 int 1249 pfkey_block(int fd, int af, u_int action) 1250 { 1251 struct iked_flow flow; 1252 1253 if (!pfkey_blockipv6) 1254 return (0); 1255 1256 /* 1257 * Prevent VPN traffic leakages in dual-stack hosts/networks. 1258 * http://tools.ietf.org/html/draft-gont-opsec-vpn-leakages. 1259 * We forcibly block IPv6 traffic unless it is used in any of 1260 * the flows by tracking a sadb_ipv6refcnt reference counter. 1261 */ 1262 bzero(&flow, sizeof(flow)); 1263 flow.flow_src.addr_af = flow.flow_src.addr.ss_family = af; 1264 flow.flow_src.addr_net = 1; 1265 socket_af((struct sockaddr *)&flow.flow_src.addr, 0); 1266 flow.flow_dst.addr_af = flow.flow_dst.addr.ss_family = af; 1267 flow.flow_dst.addr_net = 1; 1268 socket_af((struct sockaddr *)&flow.flow_dst.addr, 0); 1269 flow.flow_type = SADB_X_FLOW_TYPE_DENY; 1270 flow.flow_dir = IPSP_DIRECTION_OUT; 1271 1272 if (pfkey_flow(fd, 0, action, &flow) == -1) 1273 return (-1); 1274 1275 return (0); 1276 } 1277 1278 int 1279 pfkey_sa_init(int fd, struct iked_childsa *sa, u_int32_t *spi) 1280 { 1281 u_int8_t satype; 1282 1283 if (pfkey_map(pfkey_satype, sa->csa_saproto, &satype) == -1) 1284 return (-1); 1285 1286 if (pfkey_sa_getspi(fd, satype, sa, spi) == -1) 1287 return (-1); 1288 1289 log_debug("%s: new spi 0x%08x", __func__, *spi); 1290 1291 return (0); 1292 } 1293 1294 int 1295 pfkey_sa_add(int fd, struct iked_childsa *sa, struct iked_childsa *last) 1296 { 1297 u_int8_t satype; 1298 u_int cmd; 1299 1300 if (pfkey_map(pfkey_satype, sa->csa_saproto, &satype) == -1) 1301 return (-1); 1302 1303 if (sa->csa_allocated || sa->csa_loaded) 1304 cmd = SADB_UPDATE; 1305 else 1306 cmd = SADB_ADD; 1307 1308 log_debug("%s: %s spi %s", __func__, cmd == SADB_ADD ? "add": "update", 1309 print_spi(sa->csa_spi.spi, 4)); 1310 1311 if (pfkey_sa(fd, satype, cmd, sa) == -1) { 1312 if (cmd == SADB_ADD) 1313 (void)pfkey_sa_delete(fd, sa); 1314 return (-1); 1315 } 1316 1317 if (last && cmd == SADB_ADD) { 1318 if (pfkey_sagroup(fd, satype, 1319 SADB_X_GRPSPIS, sa, last) == -1) { 1320 (void)pfkey_sa_delete(fd, sa); 1321 return (-1); 1322 } 1323 } 1324 1325 sa->csa_loaded = 1; 1326 return (0); 1327 } 1328 1329 int 1330 pfkey_sa_delete(int fd, struct iked_childsa *sa) 1331 { 1332 u_int8_t satype; 1333 1334 if (!sa->csa_loaded || sa->csa_spi.spi == 0) 1335 return (0); 1336 1337 if (pfkey_map(pfkey_satype, sa->csa_saproto, &satype) == -1) 1338 return (-1); 1339 1340 if (pfkey_sa(fd, satype, SADB_DELETE, sa) == -1) 1341 return (-1); 1342 1343 sa->csa_loaded = 0; 1344 return (0); 1345 } 1346 1347 int 1348 pfkey_flush(int sd) 1349 { 1350 struct sadb_msg smsg; 1351 struct iovec iov[IOV_CNT]; 1352 int iov_cnt; 1353 1354 bzero(&smsg, sizeof(smsg)); 1355 smsg.sadb_msg_version = PF_KEY_V2; 1356 smsg.sadb_msg_seq = ++sadb_msg_seq; 1357 smsg.sadb_msg_pid = getpid(); 1358 smsg.sadb_msg_len = sizeof(smsg) / 8; 1359 smsg.sadb_msg_type = SADB_FLUSH; 1360 smsg.sadb_msg_satype = SADB_SATYPE_UNSPEC; 1361 1362 iov_cnt = 0; 1363 1364 iov[iov_cnt].iov_base = &smsg; 1365 iov[iov_cnt].iov_len = sizeof(smsg); 1366 iov_cnt++; 1367 1368 return (pfkey_write(sd, &smsg, iov, iov_cnt, NULL, NULL)); 1369 } 1370 1371 struct sadb_ident * 1372 pfkey_id2ident(struct iked_id *id, u_int exttype) 1373 { 1374 char idstr[IKED_ID_SIZE]; 1375 u_int type; 1376 size_t len; 1377 struct sadb_ident *sa_id; 1378 1379 switch (id->id_type) { 1380 case IKEV2_ID_FQDN: 1381 type = SADB_IDENTTYPE_FQDN; 1382 break; 1383 case IKEV2_ID_UFQDN: 1384 type = SADB_IDENTTYPE_USERFQDN; 1385 break; 1386 case IKEV2_ID_IPV4: 1387 case IKEV2_ID_IPV6: 1388 type = SADB_IDENTTYPE_PREFIX; 1389 break; 1390 case IKEV2_ID_ASN1_DN: 1391 case IKEV2_ID_ASN1_GN: 1392 case IKEV2_ID_KEY_ID: 1393 case IKEV2_ID_NONE: 1394 default: 1395 /* XXX not implemented/supported by PFKEY */ 1396 return (NULL); 1397 } 1398 1399 bzero(&idstr, sizeof(idstr)); 1400 1401 if (ikev2_print_id(id, idstr, sizeof(idstr)) == -1) 1402 return (NULL); 1403 1404 len = ROUNDUP(strlen(idstr) + 1) + sizeof(*sa_id); 1405 if ((sa_id = calloc(1, len)) == NULL) 1406 return (NULL); 1407 1408 strlcpy((char *)(sa_id + 1), idstr, ROUNDUP(strlen(idstr) + 1)); 1409 sa_id->sadb_ident_type = type; 1410 sa_id->sadb_ident_len = len / 8; 1411 sa_id->sadb_ident_exttype = exttype; 1412 1413 return (sa_id); 1414 } 1415 1416 int 1417 pfkey_socket(void) 1418 { 1419 int fd; 1420 1421 if (privsep_process != PROC_PARENT) 1422 fatal("pfkey_socket: called from unprivileged process"); 1423 1424 if ((fd = socket(PF_KEY, SOCK_RAW, PF_KEY_V2)) == -1) 1425 fatal("pfkey_socket: failed to open PF_KEY socket"); 1426 1427 pfkey_flush(fd); 1428 1429 return (fd); 1430 } 1431 1432 void 1433 pfkey_init(struct iked *env, int fd) 1434 { 1435 struct sadb_msg smsg; 1436 struct iovec iov; 1437 1438 /* Set up a timer to process messages deferred by the pfkey_reply */ 1439 pfkey_timer_tv.tv_sec = 1; 1440 pfkey_timer_tv.tv_usec = 0; 1441 evtimer_set(&pfkey_timer_ev, pfkey_timer_cb, env); 1442 1443 /* Register the pfkey socket event handler */ 1444 env->sc_pfkey = fd; 1445 event_set(&env->sc_pfkeyev, env->sc_pfkey, 1446 EV_READ|EV_PERSIST, pfkey_dispatch, env); 1447 event_add(&env->sc_pfkeyev, NULL); 1448 1449 /* Register it to get ESP and AH acquires from the kernel */ 1450 bzero(&smsg, sizeof(smsg)); 1451 smsg.sadb_msg_version = PF_KEY_V2; 1452 smsg.sadb_msg_seq = ++sadb_msg_seq; 1453 smsg.sadb_msg_pid = getpid(); 1454 smsg.sadb_msg_len = sizeof(smsg) / 8; 1455 smsg.sadb_msg_type = SADB_REGISTER; 1456 smsg.sadb_msg_satype = SADB_SATYPE_ESP; 1457 1458 iov.iov_base = &smsg; 1459 iov.iov_len = sizeof(smsg); 1460 1461 if (pfkey_write(fd, &smsg, &iov, 1, NULL, NULL)) 1462 fatal("pfkey_init: failed to set up ESP acquires"); 1463 1464 bzero(&smsg, sizeof(smsg)); 1465 smsg.sadb_msg_version = PF_KEY_V2; 1466 smsg.sadb_msg_seq = ++sadb_msg_seq; 1467 smsg.sadb_msg_pid = getpid(); 1468 smsg.sadb_msg_len = sizeof(smsg) / 8; 1469 smsg.sadb_msg_type = SADB_REGISTER; 1470 smsg.sadb_msg_satype = SADB_SATYPE_AH; 1471 1472 iov.iov_base = &smsg; 1473 iov.iov_len = sizeof(smsg); 1474 1475 if (pfkey_write(fd, &smsg, &iov, 1, NULL, NULL)) 1476 fatal("pfkey_init: failed to set up AH acquires"); 1477 1478 if (env->sc_opts & IKED_OPT_NOIPV6BLOCKING) 1479 return; 1480 1481 /* Block all IPv6 traffic by default */ 1482 pfkey_blockipv6 = 1; 1483 if (pfkey_block(fd, AF_INET6, SADB_X_ADDFLOW)) 1484 fatal("pfkey_init: failed to block IPv6 traffic"); 1485 } 1486 1487 void * 1488 pfkey_find_ext(u_int8_t *data, ssize_t len, int type) 1489 { 1490 struct sadb_ext *ext = (struct sadb_ext *)(data + 1491 sizeof(struct sadb_msg)); 1492 1493 while (ext && ((u_int8_t *)ext - data < len)) { 1494 if (ext->sadb_ext_type == type) 1495 return (ext); 1496 ext = (struct sadb_ext *)((u_int8_t *)ext + 1497 ext->sadb_ext_len * PFKEYV2_CHUNK); 1498 } 1499 1500 return (NULL); 1501 } 1502 1503 void 1504 pfkey_dispatch(int sd, short event, void *arg) 1505 { 1506 struct iked *env = (struct iked *)arg; 1507 struct pfkey_message pm, *pmp; 1508 struct sadb_msg hdr; 1509 ssize_t len; 1510 u_int8_t *data; 1511 1512 if (recv(sd, &hdr, sizeof(hdr), MSG_PEEK) != sizeof(hdr)) { 1513 log_warn("%s: short recv", __func__); 1514 return; 1515 } 1516 1517 if (hdr.sadb_msg_version != PF_KEY_V2) { 1518 log_warnx("%s: wrong pfkey version", __func__); 1519 return; 1520 } 1521 1522 len = hdr.sadb_msg_len * PFKEYV2_CHUNK; 1523 if ((data = malloc(len)) == NULL) { 1524 log_warn("%s: malloc", __func__); 1525 return; 1526 } 1527 if (read(sd, data, len) != len) { 1528 log_warn("%s: short read", __func__); 1529 free(data); 1530 return; 1531 } 1532 1533 /* Try postponed requests first, so we do in-order processing */ 1534 if (!SIMPLEQ_EMPTY(&pfkey_postponed)) 1535 pfkey_timer_cb(0, 0, env); 1536 1537 pm.pm_data = data; 1538 pm.pm_length = len; 1539 1540 if (pfkey_process(env, &pm) == -1 && 1541 (pmp = calloc(1, sizeof(*pmp))) != NULL) { 1542 pmp->pm_data = data; 1543 pmp->pm_length = len; 1544 log_debug("%s: pfkey_process is busy, retry later", __func__); 1545 SIMPLEQ_INSERT_TAIL(&pfkey_postponed, pmp, pm_entry); 1546 evtimer_add(&pfkey_timer_ev, &pfkey_timer_tv); 1547 } else { 1548 free(data); 1549 } 1550 } 1551 1552 void 1553 pfkey_timer_cb(int unused, short event, void *arg) 1554 { 1555 struct iked *env = arg; 1556 struct pfkey_message *pm; 1557 1558 SIMPLEQ_INIT(&pfkey_retry); 1559 while (!SIMPLEQ_EMPTY(&pfkey_postponed)) { 1560 pm = SIMPLEQ_FIRST(&pfkey_postponed); 1561 SIMPLEQ_REMOVE_HEAD(&pfkey_postponed, pm_entry); 1562 if (pfkey_process(env, pm) == -1) { 1563 log_debug("%s: pfkey_process is busy, retry later", 1564 __func__); 1565 SIMPLEQ_INSERT_TAIL(&pfkey_retry, pm, pm_entry); 1566 } else { 1567 free(pm->pm_data); 1568 free(pm); 1569 } 1570 } 1571 /* move from retry to postponed */ 1572 while ((pm = SIMPLEQ_FIRST(&pfkey_retry)) != NULL) { 1573 SIMPLEQ_REMOVE_HEAD(&pfkey_retry, pm_entry); 1574 SIMPLEQ_INSERT_TAIL(&pfkey_postponed, pm, pm_entry); 1575 } 1576 if (!SIMPLEQ_EMPTY(&pfkey_postponed)) 1577 evtimer_add(&pfkey_timer_ev, &pfkey_timer_tv); 1578 } 1579 1580 /* 1581 * pfkey_process returns 0 if the message has been processed and -1 if 1582 * the system is busy and the the message should be passed again, later. 1583 */ 1584 int 1585 pfkey_process(struct iked *env, struct pfkey_message *pm) 1586 { 1587 struct iked_spi spi; 1588 struct sadb_sa *sa; 1589 struct sadb_lifetime *sa_ltime; 1590 struct sadb_msg *hdr; 1591 struct sadb_msg smsg; 1592 struct iked_addr peer; 1593 struct iked_flow flow; 1594 struct sadb_address *sa_addr; 1595 struct sadb_protocol *sa_proto; 1596 struct sadb_x_policy sa_pol; 1597 struct sockaddr *ssrc, *sdst, *smask, *dmask, *speer; 1598 struct iovec iov[IOV_CNT]; 1599 int ret = 0, iov_cnt, sd; 1600 u_int8_t *reply; 1601 ssize_t rlen; 1602 const char *errmsg = NULL; 1603 u_int8_t *data = pm->pm_data; 1604 ssize_t len = pm->pm_length; 1605 size_t slen; 1606 1607 if (!env || !data || !len) 1608 return (0); 1609 1610 sd = env->sc_pfkey; 1611 hdr = (struct sadb_msg *)data; 1612 1613 switch (hdr->sadb_msg_type) { 1614 case SADB_ACQUIRE: 1615 bzero(&flow, sizeof(flow)); 1616 bzero(&peer, sizeof(peer)); 1617 1618 if ((sa_addr = pfkey_find_ext(data, len, 1619 SADB_EXT_ADDRESS_DST)) == NULL) { 1620 log_debug("%s: no peer address", __func__); 1621 return (0); 1622 } 1623 speer = (struct sockaddr *)(sa_addr + 1); 1624 peer.addr_af = speer->sa_family; 1625 peer.addr_port = htons(socket_getport(speer)); 1626 if ((slen = speer->sa_len) > sizeof(peer.addr)) { 1627 log_debug("%s: invalid peer address len", __func__); 1628 return (0); 1629 } 1630 memcpy(&peer.addr, speer, slen); 1631 if (socket_af((struct sockaddr *)&peer.addr, 1632 peer.addr_port) == -1) { 1633 log_debug("%s: invalid address", __func__); 1634 return (0); 1635 } 1636 flow.flow_peer = &peer; 1637 1638 log_debug("%s: acquire request (peer %s)", __func__, 1639 print_host(speer, NULL, 0)); 1640 1641 /* get the matching flow */ 1642 bzero(&smsg, sizeof(smsg)); 1643 smsg.sadb_msg_version = PF_KEY_V2; 1644 smsg.sadb_msg_seq = ++sadb_msg_seq; 1645 smsg.sadb_msg_pid = getpid(); 1646 smsg.sadb_msg_len = sizeof(smsg) / 8; 1647 smsg.sadb_msg_type = SADB_X_ASKPOLICY; 1648 1649 iov_cnt = 0; 1650 1651 iov[iov_cnt].iov_base = &smsg; 1652 iov[iov_cnt].iov_len = sizeof(smsg); 1653 iov_cnt++; 1654 1655 bzero(&sa_pol, sizeof(sa_pol)); 1656 sa_pol.sadb_x_policy_exttype = SADB_X_EXT_POLICY; 1657 sa_pol.sadb_x_policy_len = sizeof(sa_pol) / 8; 1658 sa_pol.sadb_x_policy_seq = hdr->sadb_msg_seq; 1659 1660 iov[iov_cnt].iov_base = &sa_pol; 1661 iov[iov_cnt].iov_len = sizeof(sa_pol); 1662 smsg.sadb_msg_len += sizeof(sa_pol) / 8; 1663 iov_cnt++; 1664 1665 if (pfkey_write(sd, &smsg, iov, iov_cnt, &reply, &rlen)) { 1666 log_warnx("%s: failed to get a policy", __func__); 1667 return (0); 1668 } 1669 1670 if ((sa_addr = pfkey_find_ext(reply, rlen, 1671 SADB_X_EXT_SRC_FLOW)) == NULL) { 1672 errmsg = "flow source address"; 1673 goto out; 1674 } 1675 ssrc = (struct sockaddr *)(sa_addr + 1); 1676 flow.flow_src.addr_af = ssrc->sa_family; 1677 flow.flow_src.addr_port = htons(socket_getport(ssrc)); 1678 if ((slen = ssrc->sa_len) > sizeof(flow.flow_src.addr)) { 1679 log_debug("%s: invalid src address len", __func__); 1680 return (0); 1681 } 1682 memcpy(&flow.flow_src.addr, ssrc, slen); 1683 if (socket_af((struct sockaddr *)&flow.flow_src.addr, 1684 flow.flow_src.addr_port) == -1) { 1685 log_debug("%s: invalid address", __func__); 1686 return (0); 1687 } 1688 1689 if ((sa_addr = pfkey_find_ext(reply, rlen, 1690 SADB_X_EXT_DST_FLOW)) == NULL) { 1691 errmsg = "flow destination address"; 1692 goto out; 1693 } 1694 sdst = (struct sockaddr *)(sa_addr + 1); 1695 flow.flow_dst.addr_af = sdst->sa_family; 1696 flow.flow_dst.addr_port = htons(socket_getport(sdst)); 1697 if ((slen = sdst->sa_len) > sizeof(flow.flow_dst.addr)) { 1698 log_debug("%s: invalid dst address len", __func__); 1699 return (0); 1700 } 1701 memcpy(&flow.flow_dst.addr, sdst, slen); 1702 if (socket_af((struct sockaddr *)&flow.flow_dst.addr, 1703 flow.flow_dst.addr_port) == -1) { 1704 log_debug("%s: invalid address", __func__); 1705 return (0); 1706 } 1707 1708 if ((sa_addr = pfkey_find_ext(reply, rlen, 1709 SADB_X_EXT_SRC_MASK)) == NULL) { 1710 errmsg = "flow source mask"; 1711 goto out; 1712 } 1713 smask = (struct sockaddr *)(sa_addr + 1); 1714 switch (smask->sa_family) { 1715 case AF_INET: 1716 flow.flow_src.addr_mask = 1717 mask2prefixlen((struct sockaddr *)smask); 1718 if (flow.flow_src.addr_mask != 32) 1719 flow.flow_src.addr_net = 1; 1720 break; 1721 case AF_INET6: 1722 flow.flow_src.addr_mask = 1723 mask2prefixlen6((struct sockaddr *)smask); 1724 if (flow.flow_src.addr_mask != 128) 1725 flow.flow_src.addr_net = 1; 1726 break; 1727 default: 1728 log_debug("%s: bad address family", __func__); 1729 free(reply); 1730 return (0); 1731 } 1732 1733 if ((sa_addr = pfkey_find_ext(reply, rlen, 1734 SADB_X_EXT_DST_MASK)) == NULL) { 1735 errmsg = "flow destination mask"; 1736 goto out; 1737 } 1738 dmask = (struct sockaddr *)(sa_addr + 1); 1739 switch (dmask->sa_family) { 1740 case AF_INET: 1741 flow.flow_dst.addr_mask = 1742 mask2prefixlen((struct sockaddr *)dmask); 1743 if (flow.flow_src.addr_mask != 32) 1744 flow.flow_src.addr_net = 1; 1745 break; 1746 case AF_INET6: 1747 flow.flow_dst.addr_mask = 1748 mask2prefixlen6((struct sockaddr *)dmask); 1749 if (flow.flow_src.addr_mask != 128) 1750 flow.flow_src.addr_net = 1; 1751 break; 1752 default: 1753 log_debug("%s: bad address family", __func__); 1754 free(reply); 1755 return (0); 1756 } 1757 1758 if ((sa_proto = pfkey_find_ext(reply, rlen, 1759 SADB_X_EXT_FLOW_TYPE)) == NULL) { 1760 errmsg = "flow protocol"; 1761 goto out; 1762 } 1763 flow.flow_dir = sa_proto->sadb_protocol_direction; 1764 1765 log_debug("%s: flow %s from %s/%s to %s/%s via %s", __func__, 1766 flow.flow_dir == IPSP_DIRECTION_IN ? "in" : "out", 1767 print_host(ssrc, NULL, 0), print_host(smask, NULL, 0), 1768 print_host(sdst, NULL, 0), print_host(dmask, NULL, 0), 1769 print_host(speer, NULL, 0)); 1770 1771 ret = ikev2_acquire_sa(env, &flow); 1772 1773 out: 1774 if (errmsg) 1775 log_warnx("%s: %s wasn't found", __func__, errmsg); 1776 free(reply); 1777 break; 1778 1779 case SADB_EXPIRE: 1780 if ((sa = pfkey_find_ext(data, len, SADB_EXT_SA)) == NULL) { 1781 log_warnx("%s: SA extension wasn't found", __func__); 1782 return (0); 1783 } 1784 if ((sa_ltime = pfkey_find_ext(data, len, 1785 SADB_EXT_LIFETIME_SOFT)) == NULL && 1786 (sa_ltime = pfkey_find_ext(data, len, 1787 SADB_EXT_LIFETIME_HARD)) == NULL) { 1788 log_warnx("%s: lifetime extension wasn't found", 1789 __func__); 1790 return (0); 1791 } 1792 spi.spi = ntohl(sa->sadb_sa_spi); 1793 spi.spi_size = 4; 1794 switch (hdr->sadb_msg_satype) { 1795 case SADB_SATYPE_AH: 1796 spi.spi_protoid = IKEV2_SAPROTO_AH; 1797 break; 1798 case SADB_SATYPE_ESP: 1799 spi.spi_protoid = IKEV2_SAPROTO_ESP; 1800 break; 1801 case SADB_X_SATYPE_IPCOMP: 1802 spi.spi_size = 2; 1803 spi.spi_protoid = IKEV2_SAPROTO_IPCOMP; 1804 break; 1805 default: 1806 log_warnx("%s: unsupported SA type %d spi %s", 1807 __func__, hdr->sadb_msg_satype, 1808 print_spi(spi.spi, spi.spi_size)); 1809 return (0); 1810 } 1811 1812 log_debug("%s: SA %s is expired, pending %s", __func__, 1813 print_spi(spi.spi, spi.spi_size), 1814 sa_ltime->sadb_lifetime_exttype == SADB_EXT_LIFETIME_SOFT ? 1815 "rekeying" : "deletion"); 1816 1817 if (sa_ltime->sadb_lifetime_exttype == SADB_EXT_LIFETIME_SOFT) 1818 ret = ikev2_rekey_sa(env, &spi); 1819 else 1820 ret = ikev2_drop_sa(env, &spi); 1821 break; 1822 } 1823 return (ret); 1824 } 1825