1 /* $OpenBSD: pfkey.c,v 1.16 2011/05/27 12:01:02 reyk Exp $ */ 2 /* $vantronix: pfkey.c,v 1.11 2010/06/03 07:57:33 reyk Exp $ */ 3 4 /* 5 * Copyright (c) 2010 Reyk Floeter <reyk@vantronix.net> 6 * Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org> 7 * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org> 8 * Copyright (c) 2003, 2004 Markus Friedl <markus@openbsd.org> 9 * 10 * Permission to use, copy, modify, and distribute this software for any 11 * purpose with or without fee is hereby granted, provided that the above 12 * copyright notice and this permission notice appear in all copies. 13 * 14 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 15 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 16 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 17 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 18 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 19 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 20 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 21 */ 22 23 #include <sys/types.h> 24 #include <sys/param.h> 25 #include <sys/queue.h> 26 #include <sys/uio.h> 27 #include <sys/socket.h> 28 29 #include <netinet/in.h> 30 #include <netinet/ip_ipsp.h> 31 #include <net/pfkeyv2.h> 32 33 #include <err.h> 34 #include <errno.h> 35 #include <stdio.h> 36 #include <string.h> 37 #include <stdlib.h> 38 #include <unistd.h> 39 #include <event.h> 40 41 #include "iked.h" 42 #include "ikev2.h" 43 44 #define ROUNDUP(x) (((x) + (PFKEYV2_CHUNK - 1)) & ~(PFKEYV2_CHUNK - 1)) 45 #define IOV_CNT 20 46 47 #define PFKEYV2_CHUNK sizeof(u_int64_t) 48 49 static u_int32_t sadb_msg_seq = 0; 50 static u_int sadb_decoupled = 0; 51 52 static struct event pfkey_timer_ev; 53 static struct timeval pfkey_timer_tv; 54 55 struct pfkey_message { 56 SIMPLEQ_ENTRY(pfkey_message) 57 pm_entry; 58 u_int8_t *pm_data; 59 ssize_t pm_lenght; 60 }; 61 SIMPLEQ_HEAD(, pfkey_message) pfkey_postponed = 62 SIMPLEQ_HEAD_INITIALIZER(pfkey_postponed); 63 64 struct pfkey_constmap { 65 u_int8_t pfkey_id; 66 u_int pfkey_ikeid; 67 u_int pfkey_fixedkey; 68 }; 69 70 static const struct pfkey_constmap pfkey_encr[] = { 71 { SADB_X_EALG_DES_IV64, IKEV2_XFORMENCR_DES_IV64 }, 72 { SADB_EALG_DESCBC, IKEV2_XFORMENCR_DES }, 73 { SADB_EALG_3DESCBC, IKEV2_XFORMENCR_3DES }, 74 { SADB_X_EALG_RC5, IKEV2_XFORMENCR_RC5 }, 75 { SADB_X_EALG_IDEA, IKEV2_XFORMENCR_IDEA }, 76 { SADB_X_EALG_CAST, IKEV2_XFORMENCR_CAST }, 77 { SADB_X_EALG_BLF, IKEV2_XFORMENCR_BLOWFISH }, 78 { SADB_X_EALG_3IDEA, IKEV2_XFORMENCR_3IDEA }, 79 { SADB_X_EALG_DES_IV32, IKEV2_XFORMENCR_DES_IV32 }, 80 { SADB_X_EALG_RC4, IKEV2_XFORMENCR_RC4 }, 81 { SADB_EALG_NULL, IKEV2_XFORMENCR_NULL }, 82 { SADB_X_EALG_AES, IKEV2_XFORMENCR_AES_CBC }, 83 { SADB_X_EALG_AESCTR, IKEV2_XFORMENCR_AES_CTR }, 84 { SADB_X_EALG_AESGCM16, IKEV2_XFORMENCR_AES_GCM_16 }, 85 { SADB_X_EALG_AESGMAC, IKEV2_XFORMENCR_NULL_AES_GMAC }, 86 { 0 } 87 }; 88 89 static const struct pfkey_constmap pfkey_integr[] = { 90 { SADB_AALG_MD5HMAC, IKEV2_XFORMAUTH_HMAC_MD5_96 }, 91 { SADB_AALG_SHA1HMAC, IKEV2_XFORMAUTH_HMAC_SHA1_96 }, 92 { SADB_X_AALG_DES, IKEV2_XFORMAUTH_DES_MAC }, 93 { SADB_X_AALG_SHA2_256, IKEV2_XFORMAUTH_HMAC_SHA2_256_128 }, 94 { SADB_X_AALG_SHA2_384, IKEV2_XFORMAUTH_HMAC_SHA2_384_192 }, 95 { SADB_X_AALG_SHA2_512, IKEV2_XFORMAUTH_HMAC_SHA2_512_256 }, 96 { 0 } 97 }; 98 99 static const struct pfkey_constmap pfkey_satype[] = { 100 { SADB_SATYPE_AH, IKEV2_SAPROTO_AH }, 101 { SADB_SATYPE_ESP, IKEV2_SAPROTO_ESP }, 102 { 0 } 103 }; 104 105 int pfkey_map(const struct pfkey_constmap *, u_int16_t, u_int8_t *); 106 int pfkey_flow(int, u_int8_t, u_int8_t, struct iked_flow *); 107 int pfkey_sa(int, u_int8_t, u_int8_t, struct iked_childsa *); 108 int pfkey_sa_getspi(int, u_int8_t, struct iked_childsa *, u_int32_t *); 109 int pfkey_sagroup(int, u_int8_t, u_int8_t, 110 struct iked_childsa *, struct iked_childsa *); 111 int pfkey_write(int, struct sadb_msg *, struct iovec *, int, 112 u_int8_t **, ssize_t *); 113 int pfkey_reply(int, u_int8_t **, ssize_t *); 114 void pfkey_dispatch(int, short, void *); 115 116 struct sadb_ident * 117 pfkey_id2ident(struct iked_id *, u_int); 118 void *pfkey_find_ext(u_int8_t *, ssize_t, int); 119 120 void pfkey_timer_cb(int, short, void *); 121 void pfkey_process(struct iked *, struct pfkey_message *); 122 123 int 124 pfkey_couple(int sd, struct iked_sas *sas, int couple) 125 { 126 struct iked_sa *sa; 127 struct iked_flow *flow; 128 struct iked_childsa *csa; 129 u_int old; 130 const char *mode[] = { "coupled", "decoupled" }; 131 132 /* Socket is not ready */ 133 if (sd == -1) 134 return (-1); 135 136 old = sadb_decoupled ? 1 : 0; 137 sadb_decoupled = couple ? 0 : 1; 138 139 if (old == sadb_decoupled) 140 return (0); 141 142 log_debug("%s: kernel %s -> %s", __func__, 143 mode[old], mode[sadb_decoupled]); 144 145 RB_FOREACH(sa, iked_sas, sas) { 146 TAILQ_FOREACH(csa, &sa->sa_childsas, csa_entry) { 147 if (!csa->csa_loaded && !sadb_decoupled) 148 (void)pfkey_sa_add(sd, csa, NULL); 149 else if (csa->csa_loaded && sadb_decoupled) 150 (void)pfkey_sa_delete(sd, csa); 151 } 152 TAILQ_FOREACH(flow, &sa->sa_flows, flow_entry) { 153 if (!flow->flow_loaded && !sadb_decoupled) 154 (void)pfkey_flow_add(sd, flow); 155 else if (flow->flow_loaded && sadb_decoupled) 156 (void)pfkey_flow_delete(sd, flow); 157 } 158 } 159 160 return (0); 161 } 162 163 int 164 pfkey_map(const struct pfkey_constmap *map, u_int16_t alg, u_int8_t *pfkalg) 165 { 166 int i; 167 168 for (i = 0; map[i].pfkey_id != 0; i++) 169 if (map[i].pfkey_ikeid == alg) { 170 *pfkalg = map[i].pfkey_id; 171 return (0); 172 } 173 return (-1); 174 } 175 176 int 177 pfkey_flow(int sd, u_int8_t satype, u_int8_t action, struct iked_flow *flow) 178 { 179 struct sadb_msg smsg; 180 struct sadb_address sa_src, sa_dst, sa_local, sa_peer, sa_smask, 181 sa_dmask; 182 struct sadb_protocol sa_flowtype, sa_protocol; 183 struct sadb_ident *sa_srcid, *sa_dstid; 184 struct sockaddr_storage ssrc, sdst, slocal, speer, smask, dmask; 185 struct iovec iov[IOV_CNT]; 186 int iov_cnt, ret = -1; 187 in_port_t sport, dport; 188 189 sport = dport = 0; 190 sa_srcid = sa_dstid = NULL; 191 192 bzero(&ssrc, sizeof(ssrc)); 193 bzero(&smask, sizeof(smask)); 194 memcpy(&ssrc, &flow->flow_src.addr, sizeof(ssrc)); 195 memcpy(&smask, &flow->flow_src.addr, sizeof(smask)); 196 if ((sport = flow->flow_src.addr_port) != 0) 197 dport = 0xffff; 198 socket_af((struct sockaddr *)&ssrc, sport); 199 socket_af((struct sockaddr *)&smask, dport); 200 201 switch (flow->flow_src.addr_af) { 202 case AF_INET: 203 ((struct sockaddr_in *)&smask)->sin_addr.s_addr = 204 prefixlen2mask(flow->flow_src.addr_net ? 205 flow->flow_src.addr_mask : 32); 206 break; 207 case AF_INET6: 208 prefixlen2mask6(flow->flow_src.addr_net ? 209 flow->flow_src.addr_mask : 128, 210 (u_int32_t *)((struct sockaddr_in6 *) 211 &smask)->sin6_addr.s6_addr); 212 break; 213 default: 214 log_warnx("%s: unsupported address family %d", 215 __func__, flow->flow_src.addr_af); 216 return (-1); 217 } 218 smask.ss_len = ssrc.ss_len; 219 220 bzero(&sdst, sizeof(sdst)); 221 bzero(&dmask, sizeof(dmask)); 222 memcpy(&sdst, &flow->flow_dst.addr, sizeof(sdst)); 223 memcpy(&dmask, &flow->flow_dst.addr, sizeof(dmask)); 224 if ((sport = flow->flow_dst.addr_port) != 0) 225 dport = 0xffff; 226 socket_af((struct sockaddr *)&sdst, sport); 227 socket_af((struct sockaddr *)&dmask, dport); 228 229 switch (flow->flow_dst.addr_af) { 230 case AF_INET: 231 ((struct sockaddr_in *)&dmask)->sin_addr.s_addr = 232 prefixlen2mask(flow->flow_dst.addr_net ? 233 flow->flow_dst.addr_mask : 32); 234 break; 235 case AF_INET6: 236 prefixlen2mask6(flow->flow_dst.addr_net ? 237 flow->flow_dst.addr_mask : 128, 238 (u_int32_t *)((struct sockaddr_in6 *) 239 &dmask)->sin6_addr.s6_addr); 240 break; 241 default: 242 log_warnx("%s: unsupported address family %d", 243 __func__, flow->flow_dst.addr_af); 244 return (-1); 245 } 246 dmask.ss_len = sdst.ss_len; 247 248 bzero(&slocal, sizeof(slocal)); 249 bzero(&speer, sizeof(speer)); 250 if (action != SADB_X_DELFLOW) { 251 memcpy(&slocal, &flow->flow_local->addr, sizeof(slocal)); 252 socket_af((struct sockaddr *)&slocal, 0); 253 254 memcpy(&speer, &flow->flow_peer->addr, sizeof(speer)); 255 socket_af((struct sockaddr *)&speer, 0); 256 } 257 258 bzero(&smsg, sizeof(smsg)); 259 smsg.sadb_msg_version = PF_KEY_V2; 260 smsg.sadb_msg_seq = ++sadb_msg_seq; 261 smsg.sadb_msg_pid = getpid(); 262 smsg.sadb_msg_len = sizeof(smsg) / 8; 263 smsg.sadb_msg_type = action; 264 smsg.sadb_msg_satype = satype; 265 266 bzero(&sa_flowtype, sizeof(sa_flowtype)); 267 sa_flowtype.sadb_protocol_exttype = SADB_X_EXT_FLOW_TYPE; 268 sa_flowtype.sadb_protocol_len = sizeof(sa_flowtype) / 8; 269 sa_flowtype.sadb_protocol_direction = flow->flow_dir; 270 sa_flowtype.sadb_protocol_proto = 271 flow->flow_dir == IPSP_DIRECTION_IN ? 272 SADB_X_FLOW_TYPE_USE : SADB_X_FLOW_TYPE_REQUIRE; 273 274 bzero(&sa_protocol, sizeof(sa_protocol)); 275 sa_protocol.sadb_protocol_exttype = SADB_X_EXT_PROTOCOL; 276 sa_protocol.sadb_protocol_len = sizeof(sa_protocol) / 8; 277 sa_protocol.sadb_protocol_direction = 0; 278 sa_protocol.sadb_protocol_proto = flow->flow_ipproto; 279 280 bzero(&sa_src, sizeof(sa_src)); 281 sa_src.sadb_address_exttype = SADB_X_EXT_SRC_FLOW; 282 sa_src.sadb_address_len = (sizeof(sa_src) + ROUNDUP(ssrc.ss_len)) / 8; 283 284 bzero(&sa_smask, sizeof(sa_smask)); 285 sa_smask.sadb_address_exttype = SADB_X_EXT_SRC_MASK; 286 sa_smask.sadb_address_len = 287 (sizeof(sa_smask) + ROUNDUP(smask.ss_len)) / 8; 288 289 bzero(&sa_dst, sizeof(sa_dst)); 290 sa_dst.sadb_address_exttype = SADB_X_EXT_DST_FLOW; 291 sa_dst.sadb_address_len = (sizeof(sa_dst) + ROUNDUP(sdst.ss_len)) / 8; 292 293 bzero(&sa_dmask, sizeof(sa_dmask)); 294 sa_dmask.sadb_address_exttype = SADB_X_EXT_DST_MASK; 295 sa_dmask.sadb_address_len = 296 (sizeof(sa_dmask) + ROUNDUP(dmask.ss_len)) / 8; 297 298 if (action != SADB_X_DELFLOW) { 299 /* local address */ 300 bzero(&sa_local, sizeof(sa_local)); 301 sa_local.sadb_address_exttype = SADB_EXT_ADDRESS_SRC; 302 sa_local.sadb_address_len = 303 (sizeof(sa_local) + ROUNDUP(slocal.ss_len)) / 8; 304 305 /* peer address */ 306 bzero(&sa_peer, sizeof(sa_peer)); 307 sa_peer.sadb_address_exttype = SADB_EXT_ADDRESS_DST; 308 sa_peer.sadb_address_len = 309 (sizeof(sa_peer) + ROUNDUP(speer.ss_len)) / 8; 310 311 /* local id */ 312 sa_srcid = pfkey_id2ident(flow->flow_srcid, 313 SADB_EXT_IDENTITY_SRC); 314 315 /* peer id */ 316 sa_dstid = pfkey_id2ident(flow->flow_dstid, 317 SADB_EXT_IDENTITY_DST); 318 } 319 320 iov_cnt = 0; 321 322 /* header */ 323 iov[iov_cnt].iov_base = &smsg; 324 iov[iov_cnt].iov_len = sizeof(smsg); 325 iov_cnt++; 326 327 /* add flow type */ 328 iov[iov_cnt].iov_base = &sa_flowtype; 329 iov[iov_cnt].iov_len = sizeof(sa_flowtype); 330 smsg.sadb_msg_len += sa_flowtype.sadb_protocol_len; 331 iov_cnt++; 332 333 if (action != SADB_X_DELFLOW) { 334 #if 0 335 /* local ip */ 336 iov[iov_cnt].iov_base = &sa_local; 337 iov[iov_cnt].iov_len = sizeof(sa_local); 338 iov_cnt++; 339 iov[iov_cnt].iov_base = &slocal; 340 iov[iov_cnt].iov_len = ROUNDUP(slocal.ss_len); 341 smsg.sadb_msg_len += sa_local.sadb_address_len; 342 iov_cnt++; 343 #endif 344 345 /* remote peer */ 346 iov[iov_cnt].iov_base = &sa_peer; 347 iov[iov_cnt].iov_len = sizeof(sa_peer); 348 iov_cnt++; 349 iov[iov_cnt].iov_base = &speer; 350 iov[iov_cnt].iov_len = ROUNDUP(speer.ss_len); 351 smsg.sadb_msg_len += sa_peer.sadb_address_len; 352 iov_cnt++; 353 } 354 355 /* src addr */ 356 iov[iov_cnt].iov_base = &sa_src; 357 iov[iov_cnt].iov_len = sizeof(sa_src); 358 iov_cnt++; 359 iov[iov_cnt].iov_base = &ssrc; 360 iov[iov_cnt].iov_len = ROUNDUP(ssrc.ss_len); 361 smsg.sadb_msg_len += sa_src.sadb_address_len; 362 iov_cnt++; 363 364 /* src mask */ 365 iov[iov_cnt].iov_base = &sa_smask; 366 iov[iov_cnt].iov_len = sizeof(sa_smask); 367 iov_cnt++; 368 iov[iov_cnt].iov_base = &smask; 369 iov[iov_cnt].iov_len = ROUNDUP(smask.ss_len); 370 smsg.sadb_msg_len += sa_smask.sadb_address_len; 371 iov_cnt++; 372 373 /* dest addr */ 374 iov[iov_cnt].iov_base = &sa_dst; 375 iov[iov_cnt].iov_len = sizeof(sa_dst); 376 iov_cnt++; 377 iov[iov_cnt].iov_base = &sdst; 378 iov[iov_cnt].iov_len = ROUNDUP(sdst.ss_len); 379 smsg.sadb_msg_len += sa_dst.sadb_address_len; 380 iov_cnt++; 381 382 /* dst mask */ 383 iov[iov_cnt].iov_base = &sa_dmask; 384 iov[iov_cnt].iov_len = sizeof(sa_dmask); 385 iov_cnt++; 386 iov[iov_cnt].iov_base = &dmask; 387 iov[iov_cnt].iov_len = ROUNDUP(dmask.ss_len); 388 smsg.sadb_msg_len += sa_dmask.sadb_address_len; 389 iov_cnt++; 390 391 /* add protocol */ 392 iov[iov_cnt].iov_base = &sa_protocol; 393 iov[iov_cnt].iov_len = sizeof(sa_protocol); 394 smsg.sadb_msg_len += sa_protocol.sadb_protocol_len; 395 iov_cnt++; 396 397 if (sa_srcid) { 398 /* src identity */ 399 iov[iov_cnt].iov_base = sa_srcid; 400 iov[iov_cnt].iov_len = sa_srcid->sadb_ident_len * 8; 401 smsg.sadb_msg_len += sa_srcid->sadb_ident_len; 402 iov_cnt++; 403 } 404 if (sa_dstid) { 405 /* dst identity */ 406 iov[iov_cnt].iov_base = sa_dstid; 407 iov[iov_cnt].iov_len = sa_dstid->sadb_ident_len * 8; 408 smsg.sadb_msg_len += sa_dstid->sadb_ident_len; 409 iov_cnt++; 410 } 411 412 ret = pfkey_write(sd, &smsg, iov, iov_cnt, NULL, NULL); 413 414 if (sa_srcid) 415 free(sa_srcid); 416 if (sa_dstid) 417 free(sa_dstid); 418 419 return (ret); 420 } 421 422 int 423 pfkey_sa(int sd, u_int8_t satype, u_int8_t action, struct iked_childsa *sa) 424 { 425 struct sadb_msg smsg; 426 struct sadb_sa sadb; 427 struct sadb_address sa_src, sa_dst; 428 struct sadb_key sa_authkey, sa_enckey; 429 struct sadb_lifetime sa_ltime_hard, sa_ltime_soft; 430 struct sadb_x_udpencap udpencap; 431 struct sadb_x_tag sa_tag; 432 struct sadb_x_tap sa_tap; 433 struct sockaddr_storage ssrc, sdst; 434 struct sadb_ident *sa_srcid, *sa_dstid; 435 struct iked_lifetime *lt; 436 struct iked_policy *pol; 437 struct iovec iov[IOV_CNT]; 438 u_int32_t jitter; 439 int iov_cnt; 440 char *tag = NULL; 441 442 sa_srcid = sa_dstid = NULL; 443 444 if (sa->csa_ikesa == NULL || sa->csa_ikesa->sa_policy == NULL) { 445 log_warn("%s: invalid SA and policy", __func__); 446 return (-1); 447 } 448 pol = sa->csa_ikesa->sa_policy; 449 lt = &pol->pol_lifetime; 450 451 bzero(&ssrc, sizeof(ssrc)); 452 memcpy(&ssrc, &sa->csa_local->addr, sizeof(ssrc)); 453 if (socket_af((struct sockaddr *)&ssrc, 0) == -1) { 454 log_warn("%s: invalid address", __func__); 455 return (-1); 456 } 457 458 bzero(&sdst, sizeof(sdst)); 459 memcpy(&sdst, &sa->csa_peer->addr, sizeof(sdst)); 460 if (socket_af((struct sockaddr *)&sdst, 0) == -1) { 461 log_warn("%s: invalid address", __func__); 462 return (-1); 463 } 464 465 bzero(&smsg, sizeof(smsg)); 466 smsg.sadb_msg_version = PF_KEY_V2; 467 smsg.sadb_msg_seq = ++sadb_msg_seq; 468 smsg.sadb_msg_pid = getpid(); 469 smsg.sadb_msg_len = sizeof(smsg) / 8; 470 smsg.sadb_msg_type = action; 471 smsg.sadb_msg_satype = satype; 472 473 bzero(&sadb, sizeof(sadb)); 474 sadb.sadb_sa_len = sizeof(sadb) / 8; 475 sadb.sadb_sa_exttype = SADB_EXT_SA; 476 sadb.sadb_sa_spi = htonl(sa->csa_spi.spi); 477 sadb.sadb_sa_state = SADB_SASTATE_MATURE; 478 sadb.sadb_sa_replay = 16; 479 480 /* XXX we don't support transport mode, yet */ 481 sadb.sadb_sa_flags |= SADB_X_SAFLAGS_TUNNEL; 482 483 bzero(&sa_src, sizeof(sa_src)); 484 sa_src.sadb_address_len = (sizeof(sa_src) + ROUNDUP(ssrc.ss_len)) / 8; 485 sa_src.sadb_address_exttype = SADB_EXT_ADDRESS_SRC; 486 487 bzero(&sa_dst, sizeof(sa_dst)); 488 sa_dst.sadb_address_len = (sizeof(sa_dst) + ROUNDUP(sdst.ss_len)) / 8; 489 sa_dst.sadb_address_exttype = SADB_EXT_ADDRESS_DST; 490 491 bzero(&sa_authkey, sizeof(sa_authkey)); 492 bzero(&sa_enckey, sizeof(sa_enckey)); 493 bzero(&udpencap, sizeof udpencap); 494 bzero(&sa_ltime_hard, sizeof(sa_ltime_hard)); 495 bzero(&sa_ltime_soft, sizeof(sa_ltime_soft)); 496 497 if (action == SADB_DELETE) 498 goto send; 499 500 if ((action == SADB_ADD || action == SADB_UPDATE) && 501 !sa->csa_persistent && (lt->lt_bytes || lt->lt_seconds)) { 502 sa_ltime_hard.sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD; 503 sa_ltime_hard.sadb_lifetime_len = sizeof(sa_ltime_hard) / 8; 504 sa_ltime_hard.sadb_lifetime_bytes = lt->lt_bytes; 505 sa_ltime_hard.sadb_lifetime_addtime = lt->lt_seconds; 506 507 sa_ltime_soft.sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT; 508 sa_ltime_soft.sadb_lifetime_len = sizeof(sa_ltime_soft) / 8; 509 /* set randomly to 85-95% */ 510 jitter = 850 + arc4random_uniform(100); 511 sa_ltime_soft.sadb_lifetime_bytes = 512 (lt->lt_bytes * jitter) / 1000; 513 sa_ltime_soft.sadb_lifetime_addtime = 514 (lt->lt_seconds * jitter) / 1000; 515 } 516 517 /* XXX handle NULL encryption or NULL auth or combined encr/auth */ 518 if (action == SADB_ADD && 519 !ibuf_length(sa->csa_integrkey) && !ibuf_length(sa->csa_encrkey) && 520 satype != SADB_X_SATYPE_IPCOMP && satype != SADB_X_SATYPE_IPIP) { 521 log_warnx("%s: no key specified", __func__); 522 return (-1); 523 } 524 525 if (sa->csa_ikesa->sa_udpencap && sa->csa_ikesa->sa_natt) { 526 sadb.sadb_sa_flags |= SADB_X_SAFLAGS_UDPENCAP; 527 udpencap.sadb_x_udpencap_exttype = SADB_X_EXT_UDPENCAP; 528 udpencap.sadb_x_udpencap_len = sizeof(udpencap) / 8; 529 udpencap.sadb_x_udpencap_port = 530 sa->csa_ikesa->sa_peer.addr_port; 531 532 log_debug("%s: udpencap port %d", __func__, 533 ntohs(udpencap.sadb_x_udpencap_port)); 534 } 535 536 if (sa->csa_integrxf) 537 if (pfkey_map(pfkey_integr, 538 sa->csa_integrxf->xform_id, &sadb.sadb_sa_auth) == -1) { 539 log_warnx("%s: unsupported integrity algorithm %s", 540 __func__, print_map(sa->csa_integrxf->xform_id, 541 ikev2_xformauth_map)); 542 return (-1); 543 } 544 545 if (sa->csa_encrxf) 546 if (pfkey_map(pfkey_encr, 547 sa->csa_encrxf->xform_id, &sadb.sadb_sa_encrypt) == -1) { 548 log_warnx("%s: unsupported encryption algorithm %s", 549 __func__, print_map(sa->csa_encrxf->xform_id, 550 ikev2_xformencr_map)); 551 return (-1); 552 } 553 554 if (ibuf_length(sa->csa_integrkey)) { 555 sa_authkey.sadb_key_len = (sizeof(sa_authkey) + 556 ((ibuf_size(sa->csa_integrkey) + 7) / 8) * 8) / 8; 557 sa_authkey.sadb_key_exttype = SADB_EXT_KEY_AUTH; 558 sa_authkey.sadb_key_bits = 559 8 * ibuf_size(sa->csa_integrkey); 560 } 561 562 if (ibuf_length(sa->csa_encrkey)) { 563 sa_enckey.sadb_key_len = (sizeof(sa_enckey) + 564 ((ibuf_size(sa->csa_encrkey) + 7) / 8) * 8) / 8; 565 sa_enckey.sadb_key_exttype = SADB_EXT_KEY_ENCRYPT; 566 sa_enckey.sadb_key_bits = 567 8 * ibuf_size(sa->csa_encrkey); 568 } 569 570 /* local id */ 571 sa_srcid = pfkey_id2ident(sa->csa_srcid, SADB_EXT_IDENTITY_SRC); 572 573 /* peer id */ 574 sa_dstid = pfkey_id2ident(sa->csa_dstid, SADB_EXT_IDENTITY_DST); 575 576 tag = sa->csa_ikesa->sa_tag; 577 if (tag != NULL && *tag != '\0') { 578 bzero(&sa_tag, sizeof(sa_tag)); 579 sa_tag.sadb_x_tag_exttype = SADB_X_EXT_TAG; 580 sa_tag.sadb_x_tag_len = 581 (ROUNDUP(strlen(tag) + 1) + sizeof(sa_tag)) / 8; 582 sa_tag.sadb_x_tag_taglen = strlen(tag) + 1; 583 } else 584 tag = NULL; 585 586 if (pol->pol_tap != 0) { 587 bzero(&sa_tap, sizeof(sa_tap)); 588 sa_tap.sadb_x_tap_exttype = SADB_X_EXT_TAP; 589 sa_tap.sadb_x_tap_len = sizeof(sa_tap) / 8; 590 sa_tap.sadb_x_tap_unit = pol->pol_tap; 591 } 592 593 send: 594 iov_cnt = 0; 595 596 /* header */ 597 iov[iov_cnt].iov_base = &smsg; 598 iov[iov_cnt].iov_len = sizeof(smsg); 599 iov_cnt++; 600 601 /* sa */ 602 iov[iov_cnt].iov_base = &sadb; 603 iov[iov_cnt].iov_len = sizeof(sadb); 604 smsg.sadb_msg_len += sadb.sadb_sa_len; 605 iov_cnt++; 606 607 /* src addr */ 608 iov[iov_cnt].iov_base = &sa_src; 609 iov[iov_cnt].iov_len = sizeof(sa_src); 610 iov_cnt++; 611 iov[iov_cnt].iov_base = &ssrc; 612 iov[iov_cnt].iov_len = ROUNDUP(ssrc.ss_len); 613 smsg.sadb_msg_len += sa_src.sadb_address_len; 614 iov_cnt++; 615 616 /* dst addr */ 617 iov[iov_cnt].iov_base = &sa_dst; 618 iov[iov_cnt].iov_len = sizeof(sa_dst); 619 iov_cnt++; 620 iov[iov_cnt].iov_base = &sdst; 621 iov[iov_cnt].iov_len = ROUNDUP(sdst.ss_len); 622 smsg.sadb_msg_len += sa_dst.sadb_address_len; 623 iov_cnt++; 624 625 if (sa_ltime_soft.sadb_lifetime_len) { 626 /* soft lifetime */ 627 iov[iov_cnt].iov_base = &sa_ltime_soft; 628 iov[iov_cnt].iov_len = sizeof(sa_ltime_soft); 629 smsg.sadb_msg_len += sa_ltime_soft.sadb_lifetime_len; 630 iov_cnt++; 631 } 632 633 if (sa_ltime_hard.sadb_lifetime_len) { 634 /* hard lifetime */ 635 iov[iov_cnt].iov_base = &sa_ltime_hard; 636 iov[iov_cnt].iov_len = sizeof(sa_ltime_hard); 637 smsg.sadb_msg_len += sa_ltime_hard.sadb_lifetime_len; 638 iov_cnt++; 639 } 640 641 if (udpencap.sadb_x_udpencap_len) { 642 iov[iov_cnt].iov_base = &udpencap; 643 iov[iov_cnt].iov_len = sizeof(udpencap); 644 smsg.sadb_msg_len += udpencap.sadb_x_udpencap_len; 645 iov_cnt++; 646 } 647 648 if (sa_enckey.sadb_key_len) { 649 /* encryption key */ 650 iov[iov_cnt].iov_base = &sa_enckey; 651 iov[iov_cnt].iov_len = sizeof(sa_enckey); 652 iov_cnt++; 653 iov[iov_cnt].iov_base = ibuf_data(sa->csa_encrkey); 654 iov[iov_cnt].iov_len = 655 ((ibuf_size(sa->csa_encrkey) + 7) / 8) * 8; 656 smsg.sadb_msg_len += sa_enckey.sadb_key_len; 657 iov_cnt++; 658 } 659 if (sa_authkey.sadb_key_len) { 660 /* authentication key */ 661 iov[iov_cnt].iov_base = &sa_authkey; 662 iov[iov_cnt].iov_len = sizeof(sa_authkey); 663 iov_cnt++; 664 iov[iov_cnt].iov_base = ibuf_data(sa->csa_integrkey); 665 iov[iov_cnt].iov_len = 666 ((ibuf_size(sa->csa_integrkey) + 7) / 8) * 8; 667 smsg.sadb_msg_len += sa_authkey.sadb_key_len; 668 iov_cnt++; 669 } 670 671 if (sa_srcid) { 672 /* src identity */ 673 iov[iov_cnt].iov_base = sa_srcid; 674 iov[iov_cnt].iov_len = sa_srcid->sadb_ident_len * 8; 675 smsg.sadb_msg_len += sa_srcid->sadb_ident_len; 676 iov_cnt++; 677 } 678 if (sa_dstid) { 679 /* dst identity */ 680 iov[iov_cnt].iov_base = sa_dstid; 681 iov[iov_cnt].iov_len = sa_dstid->sadb_ident_len * 8; 682 smsg.sadb_msg_len += sa_dstid->sadb_ident_len; 683 iov_cnt++; 684 } 685 686 if (tag != NULL) { 687 /* tag identity */ 688 iov[iov_cnt].iov_base = &sa_tag; 689 iov[iov_cnt].iov_len = sizeof(sa_tag); 690 iov_cnt++; 691 iov[iov_cnt].iov_base = tag; 692 iov[iov_cnt].iov_len = ROUNDUP(strlen(tag) + 1); 693 smsg.sadb_msg_len += sa_tag.sadb_x_tag_len; 694 iov_cnt++; 695 } 696 697 if (pol->pol_tap != 0) { 698 /* enc(4) device tap unit */ 699 iov[iov_cnt].iov_base = &sa_tap; 700 iov[iov_cnt].iov_len = sizeof(sa_tap); 701 smsg.sadb_msg_len += sa_tap.sadb_x_tap_len; 702 iov_cnt++; 703 } 704 705 return (pfkey_write(sd, &smsg, iov, iov_cnt, NULL, NULL)); 706 } 707 708 int 709 pfkey_sa_getspi(int sd, u_int8_t satype, struct iked_childsa *sa, 710 u_int32_t *spip) 711 { 712 struct sadb_msg *msg, smsg; 713 struct sadb_address sa_src, sa_dst; 714 struct sadb_sa *sa_ext; 715 struct sadb_spirange sa_spirange; 716 struct sockaddr_storage ssrc, sdst; 717 struct iovec iov[IOV_CNT]; 718 u_int8_t *data; 719 ssize_t n; 720 int iov_cnt, ret = -1; 721 722 bzero(&ssrc, sizeof(ssrc)); 723 memcpy(&ssrc, &sa->csa_local->addr, sizeof(ssrc)); 724 if (socket_af((struct sockaddr *)&ssrc, 0) == -1) { 725 log_warn("%s: invalid address", __func__); 726 return (-1); 727 } 728 729 bzero(&sdst, sizeof(sdst)); 730 memcpy(&sdst, &sa->csa_peer->addr, sizeof(sdst)); 731 if (socket_af((struct sockaddr *)&sdst, 0) == -1) { 732 log_warn("%s: invalid address", __func__); 733 return (-1); 734 } 735 736 bzero(&smsg, sizeof(smsg)); 737 smsg.sadb_msg_version = PF_KEY_V2; 738 smsg.sadb_msg_seq = ++sadb_msg_seq; 739 smsg.sadb_msg_pid = getpid(); 740 smsg.sadb_msg_len = sizeof(smsg) / 8; 741 smsg.sadb_msg_type = SADB_GETSPI; 742 smsg.sadb_msg_satype = satype; 743 744 bzero(&sa_spirange, sizeof(sa_spirange)); 745 sa_spirange.sadb_spirange_exttype = SADB_EXT_SPIRANGE; 746 sa_spirange.sadb_spirange_len = sizeof(sa_spirange) / 8; 747 sa_spirange.sadb_spirange_min = 0x100; 748 sa_spirange.sadb_spirange_max = 0xffffffff; 749 sa_spirange.sadb_spirange_reserved = 0; 750 751 bzero(&sa_src, sizeof(sa_src)); 752 sa_src.sadb_address_len = (sizeof(sa_src) + ROUNDUP(ssrc.ss_len)) / 8; 753 sa_src.sadb_address_exttype = SADB_EXT_ADDRESS_SRC; 754 755 bzero(&sa_dst, sizeof(sa_dst)); 756 sa_dst.sadb_address_len = (sizeof(sa_dst) + ROUNDUP(sdst.ss_len)) / 8; 757 sa_dst.sadb_address_exttype = SADB_EXT_ADDRESS_DST; 758 759 iov_cnt = 0; 760 761 /* header */ 762 iov[iov_cnt].iov_base = &smsg; 763 iov[iov_cnt].iov_len = sizeof(smsg); 764 iov_cnt++; 765 766 /* SPI range */ 767 iov[iov_cnt].iov_base = &sa_spirange; 768 iov[iov_cnt].iov_len = sizeof(sa_spirange); 769 smsg.sadb_msg_len += sa_spirange.sadb_spirange_len; 770 iov_cnt++; 771 772 /* src addr */ 773 iov[iov_cnt].iov_base = &sa_src; 774 iov[iov_cnt].iov_len = sizeof(sa_src); 775 iov_cnt++; 776 iov[iov_cnt].iov_base = &ssrc; 777 iov[iov_cnt].iov_len = ROUNDUP(ssrc.ss_len); 778 smsg.sadb_msg_len += sa_src.sadb_address_len; 779 iov_cnt++; 780 781 /* dst addr */ 782 iov[iov_cnt].iov_base = &sa_dst; 783 iov[iov_cnt].iov_len = sizeof(sa_dst); 784 iov_cnt++; 785 iov[iov_cnt].iov_base = &sdst; 786 iov[iov_cnt].iov_len = ROUNDUP(sdst.ss_len); 787 smsg.sadb_msg_len += sa_dst.sadb_address_len; 788 iov_cnt++; 789 790 *spip = 0; 791 792 if ((ret = pfkey_write(sd, &smsg, iov, iov_cnt, &data, &n)) != 0) 793 return (-1); 794 795 msg = (struct sadb_msg *)data; 796 if (msg->sadb_msg_errno != 0) { 797 errno = msg->sadb_msg_errno; 798 log_warn("%s: message", __func__); 799 goto done; 800 } 801 if ((sa_ext = pfkey_find_ext(data, n, SADB_EXT_SA)) == NULL) { 802 log_debug("%s: erronous reply", __func__); 803 goto done; 804 } 805 806 *spip = ntohl(sa_ext->sadb_sa_spi); 807 log_debug("%s: spi 0x%08x", __func__, *spip); 808 809 done: 810 bzero(data, n); 811 free(data); 812 return (ret); 813 } 814 815 int 816 pfkey_sagroup(int sd, u_int8_t satype1, u_int8_t action, 817 struct iked_childsa *sa1, struct iked_childsa *sa2) 818 { 819 struct sadb_msg smsg; 820 struct sadb_sa sadb1, sadb2; 821 struct sadb_address sa_dst1, sa_dst2; 822 struct sockaddr_storage sdst1, sdst2; 823 struct sadb_protocol sa_proto; 824 struct iovec iov[IOV_CNT]; 825 int iov_cnt; 826 u_int8_t satype2; 827 828 if (pfkey_map(pfkey_satype, sa2->csa_saproto, &satype2) == -1) 829 return (-1); 830 831 bzero(&sdst1, sizeof(sdst1)); 832 memcpy(&sdst1, &sa1->csa_peer->addr, sizeof(sdst1)); 833 if (socket_af((struct sockaddr *)&sdst1, 0) == -1) { 834 log_warnx("%s: unsupported address family %d", 835 __func__, sdst1.ss_family); 836 return (-1); 837 } 838 839 bzero(&sdst2, sizeof(sdst2)); 840 memcpy(&sdst2, &sa2->csa_peer->addr, sizeof(sdst2)); 841 if (socket_af((struct sockaddr *)&sdst2, 0) == -1) { 842 log_warnx("%s: unsupported address family %d", 843 __func__, sdst2.ss_family); 844 return (-1); 845 } 846 847 bzero(&smsg, sizeof(smsg)); 848 smsg.sadb_msg_version = PF_KEY_V2; 849 smsg.sadb_msg_seq = ++sadb_msg_seq; 850 smsg.sadb_msg_pid = getpid(); 851 smsg.sadb_msg_len = sizeof(smsg) / 8; 852 smsg.sadb_msg_type = action; 853 smsg.sadb_msg_satype = satype1; 854 855 bzero(&sadb1, sizeof(sadb1)); 856 sadb1.sadb_sa_len = sizeof(sadb1) / 8; 857 sadb1.sadb_sa_exttype = SADB_EXT_SA; 858 sadb1.sadb_sa_spi = htonl(sa1->csa_spi.spi); 859 sadb1.sadb_sa_state = SADB_SASTATE_MATURE; 860 861 bzero(&sadb2, sizeof(sadb2)); 862 sadb2.sadb_sa_len = sizeof(sadb2) / 8; 863 sadb2.sadb_sa_exttype = SADB_X_EXT_SA2; 864 sadb2.sadb_sa_spi = htonl(sa2->csa_spi.spi); 865 sadb2.sadb_sa_state = SADB_SASTATE_MATURE; 866 iov_cnt = 0; 867 868 bzero(&sa_dst1, sizeof(sa_dst1)); 869 sa_dst1.sadb_address_exttype = SADB_EXT_ADDRESS_DST; 870 sa_dst1.sadb_address_len = 871 (sizeof(sa_dst1) + ROUNDUP(sdst1.ss_len)) / 8; 872 873 bzero(&sa_dst2, sizeof(sa_dst2)); 874 sa_dst2.sadb_address_exttype = SADB_X_EXT_DST2; 875 sa_dst2.sadb_address_len = 876 (sizeof(sa_dst2) + ROUNDUP(sdst2.ss_len)) / 8; 877 878 bzero(&sa_proto, sizeof(sa_proto)); 879 sa_proto.sadb_protocol_exttype = SADB_X_EXT_PROTOCOL; 880 sa_proto.sadb_protocol_len = sizeof(sa_proto) / 8; 881 sa_proto.sadb_protocol_direction = 0; 882 sa_proto.sadb_protocol_proto = satype2; 883 884 /* header */ 885 iov[iov_cnt].iov_base = &smsg; 886 iov[iov_cnt].iov_len = sizeof(smsg); 887 iov_cnt++; 888 889 /* sa */ 890 iov[iov_cnt].iov_base = &sadb1; 891 iov[iov_cnt].iov_len = sizeof(sadb1); 892 smsg.sadb_msg_len += sadb1.sadb_sa_len; 893 iov_cnt++; 894 895 /* dst addr */ 896 iov[iov_cnt].iov_base = &sa_dst1; 897 iov[iov_cnt].iov_len = sizeof(sa_dst1); 898 iov_cnt++; 899 iov[iov_cnt].iov_base = &sdst1; 900 iov[iov_cnt].iov_len = ROUNDUP(sdst1.ss_len); 901 smsg.sadb_msg_len += sa_dst1.sadb_address_len; 902 iov_cnt++; 903 904 /* second sa */ 905 iov[iov_cnt].iov_base = &sadb2; 906 iov[iov_cnt].iov_len = sizeof(sadb2); 907 smsg.sadb_msg_len += sadb2.sadb_sa_len; 908 iov_cnt++; 909 910 /* second dst addr */ 911 iov[iov_cnt].iov_base = &sa_dst2; 912 iov[iov_cnt].iov_len = sizeof(sa_dst2); 913 iov_cnt++; 914 iov[iov_cnt].iov_base = &sdst2; 915 iov[iov_cnt].iov_len = ROUNDUP(sdst2.ss_len); 916 smsg.sadb_msg_len += sa_dst2.sadb_address_len; 917 iov_cnt++; 918 919 /* SA type */ 920 iov[iov_cnt].iov_base = &sa_proto; 921 iov[iov_cnt].iov_len = sizeof(sa_proto); 922 smsg.sadb_msg_len += sa_proto.sadb_protocol_len; 923 iov_cnt++; 924 925 return (pfkey_write(sd, &smsg, iov, iov_cnt, NULL, NULL)); 926 } 927 928 int 929 pfkey_write(int sd, struct sadb_msg *smsg, struct iovec *iov, int iov_cnt, 930 u_int8_t **datap, ssize_t *lenp) 931 { 932 ssize_t n, len = smsg->sadb_msg_len * 8; 933 934 if (sadb_decoupled) { 935 switch (smsg->sadb_msg_type) { 936 case SADB_GETSPI: 937 /* we need to get a new SPI from the kernel */ 938 break; 939 default: 940 if (datap || lenp) { 941 log_warnx("%s: pfkey not coupled", __func__); 942 return (-1); 943 } 944 /* ignore request */ 945 return (0); 946 } 947 } 948 949 if ((n = writev(sd, iov, iov_cnt)) == -1) { 950 log_warn("%s: writev failed", __func__); 951 return (-1); 952 } else if (n != len) { 953 log_warn("%s: short write", __func__); 954 return (-1); 955 } 956 957 return (pfkey_reply(sd, datap, lenp)); 958 } 959 960 int 961 pfkey_reply(int sd, u_int8_t **datap, ssize_t *lenp) 962 { 963 struct pfkey_message *pm; 964 struct sadb_msg hdr; 965 ssize_t len; 966 u_int8_t *data; 967 968 for (;;) { 969 if (recv(sd, &hdr, sizeof(hdr), MSG_PEEK) != sizeof(hdr)) { 970 log_warn("%s: short recv", __func__); 971 return (-1); 972 } 973 974 if (hdr.sadb_msg_version != PF_KEY_V2) { 975 log_warnx("%s: wrong pfkey version", __func__); 976 return (-1); 977 } 978 979 len = hdr.sadb_msg_len * PFKEYV2_CHUNK; 980 if ((data = malloc(len)) == NULL) { 981 log_warn("%s: malloc", __func__); 982 return (-1); 983 } 984 if (read(sd, data, len) != len) { 985 log_warnx("%s: short read", __func__); 986 free(data); 987 return (-1); 988 } 989 990 /* XXX: Only one message can be outstanding. */ 991 if (hdr.sadb_msg_seq == sadb_msg_seq && 992 hdr.sadb_msg_pid == (u_int32_t)getpid()) 993 break; 994 995 /* not the reply, enqueue */ 996 if ((pm = malloc(sizeof(*pm))) == NULL) { 997 log_warn("%s", __func__); 998 free(data); 999 return (-1); 1000 } 1001 pm->pm_data = data; 1002 pm->pm_lenght = len; 1003 SIMPLEQ_INSERT_TAIL(&pfkey_postponed, pm, pm_entry); 1004 evtimer_add(&pfkey_timer_ev, &pfkey_timer_tv); 1005 } 1006 1007 if (datap) { 1008 *datap = data; 1009 if (lenp) 1010 *lenp = len; 1011 } else 1012 free(data); 1013 1014 if (datap == NULL && hdr.sadb_msg_errno != 0) { 1015 errno = hdr.sadb_msg_errno; 1016 if (errno != EEXIST) { 1017 log_warn("%s: message", __func__); 1018 return (-1); 1019 } 1020 } 1021 return (0); 1022 } 1023 1024 int 1025 pfkey_flow_add(int fd, struct iked_flow *flow) 1026 { 1027 u_int8_t satype; 1028 1029 if (flow->flow_loaded) 1030 return (0); 1031 1032 if (pfkey_map(pfkey_satype, flow->flow_saproto, &satype) == -1) 1033 return (-1); 1034 1035 if (pfkey_flow(fd, satype, SADB_X_ADDFLOW, flow) == -1) 1036 return (-1); 1037 1038 flow->flow_loaded = 1; 1039 return (0); 1040 } 1041 1042 int 1043 pfkey_flow_delete(int fd, struct iked_flow *flow) 1044 { 1045 u_int8_t satype; 1046 1047 if (!flow->flow_loaded) 1048 return (0); 1049 1050 if (pfkey_map(pfkey_satype, flow->flow_saproto, &satype) == -1) 1051 return (-1); 1052 1053 if (pfkey_flow(fd, satype, SADB_X_DELFLOW, flow) == -1) 1054 return (-1); 1055 1056 flow->flow_loaded = 0; 1057 return (0); 1058 } 1059 1060 int 1061 pfkey_sa_init(int fd, struct iked_childsa *sa, u_int32_t *spi) 1062 { 1063 u_int8_t satype; 1064 1065 if (pfkey_map(pfkey_satype, sa->csa_saproto, &satype) == -1) 1066 return (-1); 1067 1068 if (pfkey_sa_getspi(fd, satype, sa, spi) == -1) 1069 return (-1); 1070 1071 log_debug("%s: new spi 0x%08x", __func__, *spi); 1072 1073 return (0); 1074 } 1075 1076 int 1077 pfkey_sa_add(int fd, struct iked_childsa *sa, struct iked_childsa *last) 1078 { 1079 u_int8_t satype; 1080 u_int cmd; 1081 1082 if (pfkey_map(pfkey_satype, sa->csa_saproto, &satype) == -1) 1083 return (-1); 1084 1085 if (sa->csa_allocated || sa->csa_loaded) 1086 cmd = SADB_UPDATE; 1087 else 1088 cmd = SADB_ADD; 1089 1090 log_debug("%s: %s spi %s", __func__, cmd == SADB_ADD ? "add": "update", 1091 print_spi(sa->csa_spi.spi, 4)); 1092 1093 if (pfkey_sa(fd, satype, cmd, sa) == -1) { 1094 if (cmd == SADB_ADD) 1095 (void)pfkey_sa_delete(fd, sa); 1096 return (-1); 1097 } 1098 1099 if (last && cmd == SADB_ADD) { 1100 if (pfkey_sagroup(fd, satype, 1101 SADB_X_GRPSPIS, sa, last) == -1) { 1102 (void)pfkey_sa_delete(fd, sa); 1103 return (-1); 1104 } 1105 } 1106 1107 sa->csa_loaded = 1; 1108 return (0); 1109 } 1110 1111 int 1112 pfkey_sa_delete(int fd, struct iked_childsa *sa) 1113 { 1114 u_int8_t satype; 1115 1116 if (!sa->csa_loaded || sa->csa_spi.spi == 0) 1117 return (0); 1118 1119 if (pfkey_map(pfkey_satype, sa->csa_saproto, &satype) == -1) 1120 return (-1); 1121 1122 if (pfkey_sa(fd, satype, SADB_DELETE, sa) == -1) 1123 return (-1); 1124 1125 sa->csa_loaded = 0; 1126 return (0); 1127 } 1128 1129 int 1130 pfkey_flush(int sd) 1131 { 1132 struct sadb_msg smsg; 1133 struct iovec iov[IOV_CNT]; 1134 int iov_cnt; 1135 1136 bzero(&smsg, sizeof(smsg)); 1137 smsg.sadb_msg_version = PF_KEY_V2; 1138 smsg.sadb_msg_seq = ++sadb_msg_seq; 1139 smsg.sadb_msg_pid = getpid(); 1140 smsg.sadb_msg_len = sizeof(smsg) / 8; 1141 smsg.sadb_msg_type = SADB_FLUSH; 1142 smsg.sadb_msg_satype = SADB_SATYPE_UNSPEC; 1143 1144 iov_cnt = 0; 1145 1146 iov[iov_cnt].iov_base = &smsg; 1147 iov[iov_cnt].iov_len = sizeof(smsg); 1148 iov_cnt++; 1149 1150 return (pfkey_write(sd, &smsg, iov, iov_cnt, NULL, NULL)); 1151 } 1152 1153 struct sadb_ident * 1154 pfkey_id2ident(struct iked_id *id, u_int exttype) 1155 { 1156 char idstr[IKED_ID_SIZE]; 1157 u_int type; 1158 size_t len; 1159 struct sadb_ident *sa_id; 1160 1161 switch (id->id_type) { 1162 case IKEV2_ID_FQDN: 1163 type = SADB_IDENTTYPE_FQDN; 1164 break; 1165 case IKEV2_ID_UFQDN: 1166 type = SADB_IDENTTYPE_USERFQDN; 1167 break; 1168 case IKEV2_ID_IPV4: 1169 case IKEV2_ID_IPV6: 1170 type = SADB_IDENTTYPE_PREFIX; 1171 break; 1172 case IKEV2_ID_ASN1_DN: 1173 case IKEV2_ID_ASN1_GN: 1174 case IKEV2_ID_KEY_ID: 1175 case IKEV2_ID_NONE: 1176 default: 1177 /* XXX not implemented/supported by PFKEY */ 1178 return (NULL); 1179 } 1180 1181 bzero(&idstr, sizeof(idstr)); 1182 1183 if (ikev2_print_id(id, idstr, sizeof(idstr)) == -1) 1184 return (NULL); 1185 1186 len = ROUNDUP(strlen(idstr) + 1) + sizeof(*sa_id); 1187 if ((sa_id = calloc(1, len)) == NULL) 1188 return (NULL); 1189 1190 strlcpy((char *)(sa_id + 1), idstr, ROUNDUP(strlen(idstr) + 1)); 1191 sa_id->sadb_ident_type = type; 1192 sa_id->sadb_ident_len = len / 8; 1193 sa_id->sadb_ident_exttype = exttype; 1194 1195 return (sa_id); 1196 } 1197 1198 int 1199 pfkey_socket(void) 1200 { 1201 int fd; 1202 1203 if (privsep_process != PROC_PARENT) 1204 fatal("pfkey_socket: called from unprivileged process"); 1205 1206 if ((fd = socket(PF_KEY, SOCK_RAW, PF_KEY_V2)) == -1) 1207 fatal("pfkey_socket: failed to open PF_KEY socket"); 1208 1209 pfkey_flush(fd); 1210 1211 return (fd); 1212 } 1213 1214 void 1215 pfkey_init(struct iked *env, int fd) 1216 { 1217 struct sadb_msg smsg; 1218 struct iovec iov; 1219 1220 /* Register the pfkey socket event handler */ 1221 env->sc_pfkey = fd; 1222 event_set(&env->sc_pfkeyev, env->sc_pfkey, 1223 EV_READ|EV_PERSIST, pfkey_dispatch, env); 1224 event_add(&env->sc_pfkeyev, NULL); 1225 1226 /* Register it to get ESP and AH acquires from the kernel */ 1227 bzero(&smsg, sizeof(smsg)); 1228 smsg.sadb_msg_version = PF_KEY_V2; 1229 smsg.sadb_msg_seq = ++sadb_msg_seq; 1230 smsg.sadb_msg_pid = getpid(); 1231 smsg.sadb_msg_len = sizeof(smsg) / 8; 1232 smsg.sadb_msg_type = SADB_REGISTER; 1233 smsg.sadb_msg_satype = SADB_SATYPE_ESP; 1234 1235 iov.iov_base = &smsg; 1236 iov.iov_len = sizeof(smsg); 1237 1238 if (pfkey_write(fd, &smsg, &iov, 1, NULL, NULL)) 1239 fatal("pfkey_init: failed to set up ESP acquires"); 1240 1241 bzero(&smsg, sizeof(smsg)); 1242 smsg.sadb_msg_version = PF_KEY_V2; 1243 smsg.sadb_msg_seq = ++sadb_msg_seq; 1244 smsg.sadb_msg_pid = getpid(); 1245 smsg.sadb_msg_len = sizeof(smsg) / 8; 1246 smsg.sadb_msg_type = SADB_REGISTER; 1247 smsg.sadb_msg_satype = SADB_SATYPE_AH; 1248 1249 iov.iov_base = &smsg; 1250 iov.iov_len = sizeof(smsg); 1251 1252 if (pfkey_write(fd, &smsg, &iov, 1, NULL, NULL)) 1253 fatal("pfkey_init: failed to set up AH acquires"); 1254 1255 /* Set up a timer to process messages deferred by the pfkey_reply */ 1256 pfkey_timer_tv.tv_sec = 1; 1257 pfkey_timer_tv.tv_usec = 0; 1258 evtimer_set(&pfkey_timer_ev, pfkey_timer_cb, env); 1259 } 1260 1261 void * 1262 pfkey_find_ext(u_int8_t *data, ssize_t len, int type) 1263 { 1264 struct sadb_ext *ext = (struct sadb_ext *)(data + 1265 sizeof(struct sadb_msg)); 1266 1267 while (ext && ((u_int8_t *)ext - data < len)) { 1268 if (ext->sadb_ext_type == type) 1269 return (ext); 1270 ext = (struct sadb_ext *)((u_int8_t *)ext + 1271 ext->sadb_ext_len * PFKEYV2_CHUNK); 1272 } 1273 1274 return (NULL); 1275 } 1276 1277 void 1278 pfkey_dispatch(int sd, short event, void *arg) 1279 { 1280 struct iked *env = (struct iked *)arg; 1281 struct pfkey_message pm; 1282 struct sadb_msg hdr; 1283 ssize_t len; 1284 u_int8_t *data; 1285 1286 if (recv(sd, &hdr, sizeof(hdr), MSG_PEEK) != sizeof(hdr)) { 1287 log_warn("%s: short recv", __func__); 1288 return; 1289 } 1290 1291 if (hdr.sadb_msg_version != PF_KEY_V2) { 1292 log_warnx("%s: wrong pfkey version", __func__); 1293 return; 1294 } 1295 1296 len = hdr.sadb_msg_len * PFKEYV2_CHUNK; 1297 if ((data = malloc(len)) == NULL) { 1298 log_warn("%s: malloc", __func__); 1299 return; 1300 } 1301 if (read(sd, data, len) != len) { 1302 log_warn("%s: short read", __func__); 1303 free(data); 1304 return; 1305 } 1306 1307 pm.pm_data = data; 1308 pm.pm_lenght = len; 1309 pfkey_process(env, &pm); 1310 1311 free(data); 1312 } 1313 1314 void 1315 pfkey_timer_cb(int unused, short event, void *arg) 1316 { 1317 struct iked *env = arg; 1318 struct pfkey_message *pm; 1319 1320 while (!SIMPLEQ_EMPTY(&pfkey_postponed)) { 1321 pm = SIMPLEQ_FIRST(&pfkey_postponed); 1322 SIMPLEQ_REMOVE_HEAD(&pfkey_postponed, pm_entry); 1323 pfkey_process(env, pm); 1324 free(pm->pm_data); 1325 free(pm); 1326 } 1327 } 1328 1329 void 1330 pfkey_process(struct iked *env, struct pfkey_message *pm) 1331 { 1332 struct iked_addr peer; 1333 struct iked_flow flow; 1334 struct iked_spi spi; 1335 struct sadb_address *sa_addr; 1336 struct sadb_msg *hdr, smsg; 1337 struct sadb_sa *sa; 1338 struct sadb_lifetime *sa_ltime; 1339 struct sadb_protocol *sa_proto; 1340 struct sadb_x_policy sa_pol; 1341 struct sockaddr_storage *ssrc, *sdst, *smask, *dmask, *speer; 1342 struct iovec iov[IOV_CNT]; 1343 int iov_cnt, sd = env->sc_pfkey; 1344 u_int8_t *reply, *data = pm->pm_data; 1345 ssize_t rlen, len = pm->pm_lenght; 1346 const char *errmsg = NULL; 1347 1348 if (!env || !data || !len) 1349 return; 1350 1351 hdr = (struct sadb_msg *)data; 1352 1353 switch (hdr->sadb_msg_type) { 1354 case SADB_ACQUIRE: 1355 bzero(&flow, sizeof(flow)); 1356 bzero(&peer, sizeof(peer)); 1357 1358 if ((sa_addr = pfkey_find_ext(data, len, 1359 SADB_EXT_ADDRESS_DST)) == NULL) { 1360 log_debug("%s: no peer address", __func__); 1361 return; 1362 } 1363 speer = (struct sockaddr_storage *)(sa_addr + 1); 1364 peer.addr_af = speer->ss_family; 1365 peer.addr_port = htons(socket_getport(speer)); 1366 memcpy(&peer.addr, speer, sizeof(*speer)); 1367 if (socket_af((struct sockaddr *)&peer.addr, 1368 peer.addr_port) == -1) { 1369 log_debug("%s: invalid address", __func__); 1370 return; 1371 } 1372 flow.flow_peer = &peer; 1373 1374 log_debug("%s: acquire request (peer %s)", __func__, 1375 print_host(speer, NULL, 0)); 1376 1377 /* get the matching flow */ 1378 bzero(&smsg, sizeof(smsg)); 1379 smsg.sadb_msg_version = PF_KEY_V2; 1380 smsg.sadb_msg_seq = ++sadb_msg_seq; 1381 smsg.sadb_msg_pid = getpid(); 1382 smsg.sadb_msg_len = sizeof(smsg) / 8; 1383 smsg.sadb_msg_type = SADB_X_ASKPOLICY; 1384 1385 iov_cnt = 0; 1386 1387 iov[iov_cnt].iov_base = &smsg; 1388 iov[iov_cnt].iov_len = sizeof(smsg); 1389 iov_cnt++; 1390 1391 bzero(&sa_pol, sizeof(sa_pol)); 1392 sa_pol.sadb_x_policy_exttype = SADB_X_EXT_POLICY; 1393 sa_pol.sadb_x_policy_len = sizeof(sa_pol) / 8; 1394 sa_pol.sadb_x_policy_seq = hdr->sadb_msg_seq; 1395 1396 iov[iov_cnt].iov_base = &sa_pol; 1397 iov[iov_cnt].iov_len = sizeof(sa_pol); 1398 smsg.sadb_msg_len += sizeof(sa_pol) / 8; 1399 iov_cnt++; 1400 1401 if (pfkey_write(sd, &smsg, iov, iov_cnt, &reply, &rlen)) { 1402 log_warnx("%s: failed to get a policy", __func__); 1403 return; 1404 } 1405 1406 if ((sa_addr = pfkey_find_ext(reply, rlen, 1407 SADB_X_EXT_SRC_FLOW)) == NULL) { 1408 errmsg = "flow source address"; 1409 goto out; 1410 } 1411 ssrc = (struct sockaddr_storage *)(sa_addr + 1); 1412 flow.flow_src.addr_af = ssrc->ss_family; 1413 flow.flow_src.addr_port = htons(socket_getport(ssrc)); 1414 memcpy(&flow.flow_src.addr, ssrc, sizeof(*ssrc)); 1415 if (socket_af((struct sockaddr *)&flow.flow_src.addr, 1416 flow.flow_src.addr_port) == -1) { 1417 log_debug("%s: invalid address", __func__); 1418 return; 1419 } 1420 1421 if ((sa_addr = pfkey_find_ext(reply, rlen, 1422 SADB_X_EXT_DST_FLOW)) == NULL) { 1423 errmsg = "flow destination address"; 1424 goto out; 1425 } 1426 sdst = (struct sockaddr_storage *)(sa_addr + 1); 1427 flow.flow_dst.addr_af = sdst->ss_family; 1428 flow.flow_dst.addr_port = htons(socket_getport(sdst)); 1429 memcpy(&flow.flow_dst.addr, sdst, sizeof(*sdst)); 1430 if (socket_af((struct sockaddr *)&flow.flow_dst.addr, 1431 flow.flow_dst.addr_port) == -1) { 1432 log_debug("%s: invalid address", __func__); 1433 return; 1434 } 1435 1436 if ((sa_addr = pfkey_find_ext(reply, rlen, 1437 SADB_X_EXT_SRC_MASK)) == NULL) { 1438 errmsg = "flow source mask"; 1439 goto out; 1440 } 1441 smask = (struct sockaddr_storage *)(sa_addr + 1); 1442 switch (smask->ss_family) { 1443 case AF_INET: 1444 flow.flow_src.addr_mask = 1445 mask2prefixlen((struct sockaddr *)smask); 1446 if (flow.flow_src.addr_mask != 32) 1447 flow.flow_src.addr_net = 1; 1448 break; 1449 case AF_INET6: 1450 flow.flow_src.addr_mask = 1451 mask2prefixlen6((struct sockaddr *)smask); 1452 if (flow.flow_src.addr_mask != 128) 1453 flow.flow_src.addr_net = 1; 1454 break; 1455 default: 1456 log_debug("%s: bad address family", __func__); 1457 return; 1458 } 1459 1460 if ((sa_addr = pfkey_find_ext(reply, rlen, 1461 SADB_X_EXT_DST_MASK)) == NULL) { 1462 errmsg = "flow destination mask"; 1463 goto out; 1464 } 1465 dmask = (struct sockaddr_storage *)(sa_addr + 1); 1466 switch (dmask->ss_family) { 1467 case AF_INET: 1468 flow.flow_dst.addr_mask = 1469 mask2prefixlen((struct sockaddr *)dmask); 1470 if (flow.flow_src.addr_mask != 32) 1471 flow.flow_src.addr_net = 1; 1472 break; 1473 case AF_INET6: 1474 flow.flow_dst.addr_mask = 1475 mask2prefixlen6((struct sockaddr *)dmask); 1476 if (flow.flow_src.addr_mask != 128) 1477 flow.flow_src.addr_net = 1; 1478 break; 1479 default: 1480 log_debug("%s: bad address family", __func__); 1481 return; 1482 } 1483 1484 if ((sa_proto = pfkey_find_ext(reply, rlen, 1485 SADB_X_EXT_FLOW_TYPE)) == NULL) { 1486 errmsg = "flow protocol"; 1487 goto out; 1488 } 1489 flow.flow_dir = sa_proto->sadb_protocol_direction; 1490 1491 log_debug("%s: flow %s from %s/%s to %s/%s via %s", __func__, 1492 flow.flow_dir == IPSP_DIRECTION_IN ? "in" : "out", 1493 print_host(ssrc, NULL, 0), print_host(smask, NULL, 0), 1494 print_host(sdst, NULL, 0), print_host(dmask, NULL, 0), 1495 print_host(speer, NULL, 0)); 1496 1497 ikev2_acquire_sa(env, &flow); 1498 1499 out: 1500 if (errmsg) 1501 log_warnx("%s: %s wasn't found", __func__, errmsg); 1502 free(reply); 1503 break; 1504 1505 case SADB_EXPIRE: 1506 if ((sa = pfkey_find_ext(data, len, SADB_EXT_SA)) == NULL) { 1507 log_warnx("%s: SA extension wasn't found", __func__); 1508 return; 1509 } 1510 if ((sa_ltime = pfkey_find_ext(data, len, 1511 SADB_EXT_LIFETIME_SOFT)) == NULL && 1512 (sa_ltime = pfkey_find_ext(data, len, 1513 SADB_EXT_LIFETIME_HARD)) == NULL) { 1514 log_warnx("%s: lifetime extension wasn't found", 1515 __func__); 1516 return; 1517 } 1518 spi.spi = ntohl(sa->sadb_sa_spi); 1519 spi.spi_size = 4; 1520 switch (hdr->sadb_msg_satype) { 1521 case SADB_SATYPE_AH: 1522 spi.spi_protoid = IKEV2_SAPROTO_AH; 1523 break; 1524 case SADB_SATYPE_ESP: 1525 spi.spi_protoid = IKEV2_SAPROTO_ESP; 1526 break; 1527 default: 1528 log_warnx("%s: usupported SA type %d spi %s", 1529 __func__, hdr->sadb_msg_satype, 1530 print_spi(spi.spi, spi.spi_size)); 1531 return; 1532 } 1533 1534 log_debug("%s: SA %s is expired, pending %s", __func__, 1535 print_spi(spi.spi, spi.spi_size), 1536 sa_ltime->sadb_lifetime_exttype == SADB_EXT_LIFETIME_SOFT ? 1537 "rekeying" : "deletion"); 1538 1539 if (sa_ltime->sadb_lifetime_exttype == SADB_EXT_LIFETIME_SOFT) 1540 ikev2_rekey_sa(env, &spi); 1541 else 1542 ikev2_drop_sa(env, &spi); 1543 break; 1544 } 1545 } 1546