1 /* $OpenBSD: pfkey.c,v 1.77 2021/03/02 03:31:25 jsg Exp $ */ 2 3 /* 4 * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org> 5 * Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org> 6 * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org> 7 * Copyright (c) 2003, 2004 Markus Friedl <markus@openbsd.org> 8 * 9 * Permission to use, copy, modify, and distribute this software for any 10 * purpose with or without fee is hereby granted, provided that the above 11 * copyright notice and this permission notice appear in all copies. 12 * 13 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 14 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 15 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 16 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 17 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 18 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 19 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 20 */ 21 22 #include <sys/queue.h> 23 #include <sys/uio.h> 24 #include <sys/socket.h> 25 26 #include <netinet/in.h> 27 #include <netinet/ip_ipsp.h> 28 #include <net/pfkeyv2.h> 29 30 #include <err.h> 31 #include <errno.h> 32 #include <stdio.h> 33 #include <poll.h> 34 #include <string.h> 35 #include <stdlib.h> 36 #include <unistd.h> 37 #include <event.h> 38 39 #include "iked.h" 40 #include "ikev2.h" 41 42 #define ROUNDUP(x) (((x) + (PFKEYV2_CHUNK - 1)) & ~(PFKEYV2_CHUNK - 1)) 43 #define IOV_CNT 27 44 45 #define PFKEYV2_CHUNK sizeof(uint64_t) 46 #define PFKEY_REPLY_TIMEOUT 1000 47 48 /* only used internally */ 49 #define IKED_SADB_UPDATE_SA_ADDRESSES 0xff 50 51 static uint32_t sadb_msg_seq = 0; 52 static unsigned int sadb_decoupled = 0; 53 54 static int iked_rdomain = 0; 55 56 static struct event pfkey_timer_ev; 57 static struct timeval pfkey_timer_tv; 58 59 struct pfkey_message { 60 SIMPLEQ_ENTRY(pfkey_message) 61 pm_entry; 62 uint8_t *pm_data; 63 ssize_t pm_length; 64 }; 65 SIMPLEQ_HEAD(, pfkey_message) pfkey_retry, pfkey_postponed = 66 SIMPLEQ_HEAD_INITIALIZER(pfkey_postponed); 67 68 struct pfkey_constmap { 69 uint8_t pfkey_id; 70 unsigned int pfkey_ikeid; 71 unsigned int pfkey_fixedkey; 72 }; 73 74 static const struct pfkey_constmap pfkey_encr[] = { 75 { SADB_EALG_3DESCBC, IKEV2_XFORMENCR_3DES }, 76 { SADB_X_EALG_CAST, IKEV2_XFORMENCR_CAST }, 77 { SADB_X_EALG_BLF, IKEV2_XFORMENCR_BLOWFISH }, 78 { SADB_EALG_NULL, IKEV2_XFORMENCR_NULL }, 79 { SADB_X_EALG_AES, IKEV2_XFORMENCR_AES_CBC }, 80 { SADB_X_EALG_AESCTR, IKEV2_XFORMENCR_AES_CTR }, 81 { SADB_X_EALG_AESGCM16, IKEV2_XFORMENCR_AES_GCM_16 }, 82 { SADB_X_EALG_AESGMAC, IKEV2_XFORMENCR_NULL_AES_GMAC }, 83 { SADB_X_EALG_CHACHA20POLY1305, IKEV2_XFORMENCR_CHACHA20_POLY1305 }, 84 { 0 } 85 }; 86 87 static const struct pfkey_constmap pfkey_integr[] = { 88 { SADB_AALG_MD5HMAC, IKEV2_XFORMAUTH_HMAC_MD5_96 }, 89 { SADB_AALG_SHA1HMAC, IKEV2_XFORMAUTH_HMAC_SHA1_96 }, 90 { SADB_X_AALG_SHA2_256, IKEV2_XFORMAUTH_HMAC_SHA2_256_128 }, 91 { SADB_X_AALG_SHA2_384, IKEV2_XFORMAUTH_HMAC_SHA2_384_192 }, 92 { SADB_X_AALG_SHA2_512, IKEV2_XFORMAUTH_HMAC_SHA2_512_256 }, 93 { 0 } 94 }; 95 96 static const struct pfkey_constmap pfkey_satype[] = { 97 { SADB_SATYPE_AH, IKEV2_SAPROTO_AH }, 98 { SADB_SATYPE_ESP, IKEV2_SAPROTO_ESP }, 99 { SADB_X_SATYPE_IPCOMP, IKEV2_SAPROTO_IPCOMP }, 100 { 0 } 101 }; 102 103 int pfkey_map(const struct pfkey_constmap *, uint16_t, uint8_t *); 104 int pfkey_flow(int, uint8_t, uint8_t, struct iked_flow *); 105 int pfkey_sa(int, uint8_t, uint8_t, struct iked_childsa *); 106 int pfkey_sa_getspi(int, uint8_t, struct iked_childsa *, uint32_t *); 107 int pfkey_sagroup(int, uint8_t, uint8_t, 108 struct iked_childsa *, struct iked_childsa *); 109 int pfkey_write(int, struct sadb_msg *, struct iovec *, int, 110 uint8_t **, ssize_t *); 111 int pfkey_reply(int, uint8_t **, ssize_t *); 112 void pfkey_dispatch(int, short, void *); 113 int pfkey_sa_lookup(int, struct iked_childsa *, uint64_t *); 114 int pfkey_sa_check_exists(int, struct iked_childsa *); 115 116 struct sadb_ident * 117 pfkey_id2ident(struct iked_id *, unsigned int); 118 void *pfkey_find_ext(uint8_t *, ssize_t, int); 119 120 void pfkey_timer_cb(int, short, void *); 121 int pfkey_process(struct iked *, struct pfkey_message *); 122 123 int 124 pfkey_couple(int sd, struct iked_sas *sas, int couple) 125 { 126 struct iked_sa *sa; 127 struct iked_flow *flow; 128 struct iked_childsa *csa, *ipcomp; 129 const char *mode[] = { "coupled", "decoupled" }; 130 131 /* Socket is not ready */ 132 if (sd == -1) 133 return (-1); 134 135 if (sadb_decoupled == !couple) 136 return (0); 137 138 log_debug("%s: kernel %s -> %s", __func__, 139 mode[sadb_decoupled], mode[!sadb_decoupled]); 140 141 /* Allow writes to the PF_KEY socket */ 142 sadb_decoupled = 0; 143 144 RB_FOREACH(sa, iked_sas, sas) { 145 TAILQ_FOREACH(csa, &sa->sa_childsas, csa_entry) { 146 if (!csa->csa_loaded && couple) 147 (void)pfkey_sa_add(sd, csa, NULL); 148 else if (csa->csa_loaded && !couple) 149 (void)pfkey_sa_delete(sd, csa); 150 if ((ipcomp = csa->csa_bundled) != NULL) { 151 if (!ipcomp->csa_loaded && couple) 152 (void)pfkey_sa_add(sd, ipcomp, csa); 153 else if (ipcomp->csa_loaded && !couple) 154 (void)pfkey_sa_delete(sd, ipcomp); 155 } 156 } 157 TAILQ_FOREACH(flow, &sa->sa_flows, flow_entry) { 158 if (!flow->flow_loaded && couple) 159 (void)pfkey_flow_add(sd, flow); 160 else if (flow->flow_loaded && !couple) 161 (void)pfkey_flow_delete(sd, flow); 162 } 163 } 164 165 sadb_decoupled = !couple; 166 167 return (0); 168 } 169 170 int 171 pfkey_map(const struct pfkey_constmap *map, uint16_t alg, uint8_t *pfkalg) 172 { 173 int i; 174 175 for (i = 0; map[i].pfkey_id != 0; i++) 176 if (map[i].pfkey_ikeid == alg) { 177 *pfkalg = map[i].pfkey_id; 178 return (0); 179 } 180 return (-1); 181 } 182 183 int 184 pfkey_flow(int sd, uint8_t satype, uint8_t action, struct iked_flow *flow) 185 { 186 struct sadb_msg smsg; 187 struct iked_addr *flow_src, *flow_dst; 188 struct sadb_address sa_src, sa_dst, sa_local, sa_peer, sa_smask, 189 sa_dmask; 190 struct sadb_protocol sa_flowtype, sa_protocol; 191 struct sadb_x_rdomain sa_rdomain; 192 struct sadb_ident *sa_srcid, *sa_dstid; 193 struct sockaddr_storage ssrc, sdst, slocal, speer, smask, dmask; 194 struct iovec iov[IOV_CNT]; 195 int iov_cnt, ret = -1; 196 uint64_t pad = 0; 197 size_t padlen; 198 199 sa_srcid = sa_dstid = NULL; 200 201 flow_src = &flow->flow_src; 202 flow_dst = &flow->flow_dst; 203 204 if (flow->flow_prenat.addr_af == flow_src->addr_af) { 205 if (flow->flow_dir == IPSP_DIRECTION_IN) 206 flow_dst = &flow->flow_prenat; 207 else 208 flow_src = &flow->flow_prenat; 209 } 210 211 bzero(&ssrc, sizeof(ssrc)); 212 bzero(&smask, sizeof(smask)); 213 memcpy(&ssrc, &flow_src->addr, sizeof(ssrc)); 214 memcpy(&smask, &flow_src->addr, sizeof(smask)); 215 socket_af((struct sockaddr *)&ssrc, flow_src->addr_port); 216 socket_af((struct sockaddr *)&smask, flow_src->addr_port ? 217 0xffff : 0); 218 219 switch (flow_src->addr_af) { 220 case AF_INET: 221 ((struct sockaddr_in *)&smask)->sin_addr.s_addr = 222 prefixlen2mask(flow_src->addr_net ? 223 flow_src->addr_mask : 32); 224 break; 225 case AF_INET6: 226 prefixlen2mask6(flow_src->addr_net ? 227 flow_src->addr_mask : 128, 228 (uint32_t *)((struct sockaddr_in6 *) 229 &smask)->sin6_addr.s6_addr); 230 break; 231 default: 232 log_warnx("%s: unsupported address family %d", 233 __func__, flow_src->addr_af); 234 return (-1); 235 } 236 smask.ss_len = ssrc.ss_len; 237 238 bzero(&sdst, sizeof(sdst)); 239 bzero(&dmask, sizeof(dmask)); 240 memcpy(&sdst, &flow_dst->addr, sizeof(sdst)); 241 memcpy(&dmask, &flow_dst->addr, sizeof(dmask)); 242 socket_af((struct sockaddr *)&sdst, flow_dst->addr_port); 243 socket_af((struct sockaddr *)&dmask, flow_dst->addr_port ? 244 0xffff : 0); 245 246 switch (flow_dst->addr_af) { 247 case AF_INET: 248 ((struct sockaddr_in *)&dmask)->sin_addr.s_addr = 249 prefixlen2mask(flow_dst->addr_net ? 250 flow_dst->addr_mask : 32); 251 break; 252 case AF_INET6: 253 prefixlen2mask6(flow_dst->addr_net ? 254 flow_dst->addr_mask : 128, 255 (uint32_t *)((struct sockaddr_in6 *) 256 &dmask)->sin6_addr.s6_addr); 257 break; 258 default: 259 log_warnx("%s: unsupported address family %d", 260 __func__, flow_dst->addr_af); 261 return (-1); 262 } 263 dmask.ss_len = sdst.ss_len; 264 265 bzero(&slocal, sizeof(slocal)); 266 bzero(&speer, sizeof(speer)); 267 if (action != SADB_X_DELFLOW && flow->flow_local != NULL) { 268 memcpy(&slocal, &flow->flow_local->addr, sizeof(slocal)); 269 socket_af((struct sockaddr *)&slocal, 0); 270 271 memcpy(&speer, &flow->flow_peer->addr, sizeof(speer)); 272 socket_af((struct sockaddr *)&speer, 0); 273 } 274 275 bzero(&smsg, sizeof(smsg)); 276 smsg.sadb_msg_version = PF_KEY_V2; 277 smsg.sadb_msg_seq = ++sadb_msg_seq; 278 smsg.sadb_msg_pid = getpid(); 279 smsg.sadb_msg_len = sizeof(smsg) / 8; 280 smsg.sadb_msg_type = action; 281 smsg.sadb_msg_satype = satype; 282 283 bzero(&sa_flowtype, sizeof(sa_flowtype)); 284 sa_flowtype.sadb_protocol_exttype = SADB_X_EXT_FLOW_TYPE; 285 sa_flowtype.sadb_protocol_len = sizeof(sa_flowtype) / 8; 286 sa_flowtype.sadb_protocol_direction = flow->flow_dir; 287 sa_flowtype.sadb_protocol_proto = SADB_X_FLOW_TYPE_REQUIRE; 288 289 bzero(&sa_protocol, sizeof(sa_protocol)); 290 sa_protocol.sadb_protocol_exttype = SADB_X_EXT_PROTOCOL; 291 sa_protocol.sadb_protocol_len = sizeof(sa_protocol) / 8; 292 sa_protocol.sadb_protocol_direction = 0; 293 sa_protocol.sadb_protocol_proto = flow->flow_ipproto; 294 295 bzero(&sa_src, sizeof(sa_src)); 296 sa_src.sadb_address_exttype = SADB_X_EXT_SRC_FLOW; 297 sa_src.sadb_address_len = (sizeof(sa_src) + ROUNDUP(ssrc.ss_len)) / 8; 298 299 bzero(&sa_smask, sizeof(sa_smask)); 300 sa_smask.sadb_address_exttype = SADB_X_EXT_SRC_MASK; 301 sa_smask.sadb_address_len = 302 (sizeof(sa_smask) + ROUNDUP(smask.ss_len)) / 8; 303 304 bzero(&sa_dst, sizeof(sa_dst)); 305 sa_dst.sadb_address_exttype = SADB_X_EXT_DST_FLOW; 306 sa_dst.sadb_address_len = (sizeof(sa_dst) + ROUNDUP(sdst.ss_len)) / 8; 307 308 bzero(&sa_dmask, sizeof(sa_dmask)); 309 sa_dmask.sadb_address_exttype = SADB_X_EXT_DST_MASK; 310 sa_dmask.sadb_address_len = 311 (sizeof(sa_dmask) + ROUNDUP(dmask.ss_len)) / 8; 312 313 if (action != SADB_X_DELFLOW && flow->flow_local != NULL) { 314 /* local address */ 315 bzero(&sa_local, sizeof(sa_local)); 316 sa_local.sadb_address_exttype = SADB_EXT_ADDRESS_SRC; 317 sa_local.sadb_address_len = 318 (sizeof(sa_local) + ROUNDUP(slocal.ss_len)) / 8; 319 320 /* peer address */ 321 bzero(&sa_peer, sizeof(sa_peer)); 322 sa_peer.sadb_address_exttype = SADB_EXT_ADDRESS_DST; 323 sa_peer.sadb_address_len = 324 (sizeof(sa_peer) + ROUNDUP(speer.ss_len)) / 8; 325 326 /* local id */ 327 sa_srcid = pfkey_id2ident(IKESA_SRCID(flow->flow_ikesa), 328 SADB_EXT_IDENTITY_SRC); 329 330 /* peer id */ 331 sa_dstid = pfkey_id2ident(IKESA_DSTID(flow->flow_ikesa), 332 SADB_EXT_IDENTITY_DST); 333 } 334 335 if (flow->flow_rdomain >= 0) { 336 /* install flow in specific rdomain */ 337 bzero(&sa_rdomain, sizeof(sa_rdomain)); 338 sa_rdomain.sadb_x_rdomain_exttype = SADB_X_EXT_RDOMAIN; 339 sa_rdomain.sadb_x_rdomain_len = sizeof(sa_rdomain) / 8; 340 sa_rdomain.sadb_x_rdomain_dom1 = flow->flow_rdomain; 341 } 342 343 #define PAD(len) \ 344 padlen = ROUNDUP((len)) - (len); \ 345 if (padlen) { \ 346 iov[iov_cnt].iov_base = &pad; \ 347 iov[iov_cnt].iov_len = padlen; \ 348 iov_cnt++; \ 349 } 350 351 iov_cnt = 0; 352 353 /* header */ 354 iov[iov_cnt].iov_base = &smsg; 355 iov[iov_cnt].iov_len = sizeof(smsg); 356 iov_cnt++; 357 358 /* add flow type */ 359 iov[iov_cnt].iov_base = &sa_flowtype; 360 iov[iov_cnt].iov_len = sizeof(sa_flowtype); 361 smsg.sadb_msg_len += sa_flowtype.sadb_protocol_len; 362 iov_cnt++; 363 364 if (action != SADB_X_DELFLOW && flow->flow_local != NULL) { 365 /* remote peer */ 366 iov[iov_cnt].iov_base = &sa_peer; 367 iov[iov_cnt].iov_len = sizeof(sa_peer); 368 iov_cnt++; 369 iov[iov_cnt].iov_base = &speer; 370 iov[iov_cnt].iov_len = speer.ss_len; 371 smsg.sadb_msg_len += sa_peer.sadb_address_len; 372 iov_cnt++; 373 PAD(speer.ss_len); 374 } 375 376 /* src addr */ 377 iov[iov_cnt].iov_base = &sa_src; 378 iov[iov_cnt].iov_len = sizeof(sa_src); 379 iov_cnt++; 380 iov[iov_cnt].iov_base = &ssrc; 381 iov[iov_cnt].iov_len = ssrc.ss_len; 382 smsg.sadb_msg_len += sa_src.sadb_address_len; 383 iov_cnt++; 384 PAD(ssrc.ss_len); 385 386 /* src mask */ 387 iov[iov_cnt].iov_base = &sa_smask; 388 iov[iov_cnt].iov_len = sizeof(sa_smask); 389 iov_cnt++; 390 iov[iov_cnt].iov_base = &smask; 391 iov[iov_cnt].iov_len = smask.ss_len; 392 smsg.sadb_msg_len += sa_smask.sadb_address_len; 393 iov_cnt++; 394 PAD(smask.ss_len); 395 396 /* dest addr */ 397 iov[iov_cnt].iov_base = &sa_dst; 398 iov[iov_cnt].iov_len = sizeof(sa_dst); 399 iov_cnt++; 400 iov[iov_cnt].iov_base = &sdst; 401 iov[iov_cnt].iov_len = sdst.ss_len; 402 smsg.sadb_msg_len += sa_dst.sadb_address_len; 403 iov_cnt++; 404 PAD(sdst.ss_len); 405 406 /* dst mask */ 407 iov[iov_cnt].iov_base = &sa_dmask; 408 iov[iov_cnt].iov_len = sizeof(sa_dmask); 409 iov_cnt++; 410 iov[iov_cnt].iov_base = &dmask; 411 iov[iov_cnt].iov_len = dmask.ss_len; 412 smsg.sadb_msg_len += sa_dmask.sadb_address_len; 413 iov_cnt++; 414 PAD(dmask.ss_len); 415 416 /* add protocol */ 417 iov[iov_cnt].iov_base = &sa_protocol; 418 iov[iov_cnt].iov_len = sizeof(sa_protocol); 419 smsg.sadb_msg_len += sa_protocol.sadb_protocol_len; 420 iov_cnt++; 421 422 if (sa_srcid) { 423 /* src identity */ 424 iov[iov_cnt].iov_base = sa_srcid; 425 iov[iov_cnt].iov_len = sa_srcid->sadb_ident_len * 8; 426 smsg.sadb_msg_len += sa_srcid->sadb_ident_len; 427 iov_cnt++; 428 } 429 if (sa_dstid) { 430 /* dst identity */ 431 iov[iov_cnt].iov_base = sa_dstid; 432 iov[iov_cnt].iov_len = sa_dstid->sadb_ident_len * 8; 433 smsg.sadb_msg_len += sa_dstid->sadb_ident_len; 434 iov_cnt++; 435 } 436 437 if (flow->flow_rdomain >= 0) { 438 iov[iov_cnt].iov_base = &sa_rdomain; 439 iov[iov_cnt].iov_len = sizeof(sa_rdomain); 440 smsg.sadb_msg_len += sa_rdomain.sadb_x_rdomain_len; 441 iov_cnt++; 442 } 443 #undef PAD 444 445 ret = pfkey_write(sd, &smsg, iov, iov_cnt, NULL, NULL); 446 447 free(sa_srcid); 448 free(sa_dstid); 449 450 return (ret); 451 } 452 453 int 454 pfkey_sa(int sd, uint8_t satype, uint8_t action, struct iked_childsa *sa) 455 { 456 struct sadb_msg smsg; 457 struct sadb_sa sadb; 458 struct sadb_address sa_src, sa_dst, sa_pxy; 459 struct sadb_key sa_authkey, sa_enckey; 460 struct sadb_lifetime sa_ltime_hard, sa_ltime_soft; 461 struct sadb_x_udpencap udpencap; 462 struct sadb_x_tag sa_tag; 463 char *tag = NULL; 464 struct sadb_x_tap sa_tap; 465 struct sadb_x_rdomain sa_rdomain; 466 struct sockaddr_storage ssrc, sdst, spxy; 467 struct sadb_ident *sa_srcid, *sa_dstid; 468 struct iked_lifetime *lt; 469 struct iked_policy *pol; 470 struct iked_addr *dst; 471 struct iovec iov[IOV_CNT]; 472 uint32_t jitter; 473 int iov_cnt; 474 int ret, dotap = 0; 475 uint64_t pad = 0; 476 size_t padlen; 477 478 sa_srcid = sa_dstid = NULL; 479 480 if (sa->csa_ikesa == NULL || sa->csa_ikesa->sa_policy == NULL) { 481 log_warn("%s: invalid SA and policy", __func__); 482 return (-1); 483 } 484 pol = sa->csa_ikesa->sa_policy; 485 lt = &pol->pol_lifetime; 486 487 bzero(&ssrc, sizeof(ssrc)); 488 memcpy(&ssrc, &sa->csa_local->addr, sizeof(ssrc)); 489 if (socket_af((struct sockaddr *)&ssrc, 0) == -1) { 490 log_warn("%s: invalid address", __func__); 491 return (-1); 492 } 493 494 dst = (action == IKED_SADB_UPDATE_SA_ADDRESSES && 495 sa->csa_dir == IPSP_DIRECTION_OUT) ? 496 &sa->csa_ikesa->sa_peer_loaded : 497 sa->csa_peer; 498 bzero(&sdst, sizeof(sdst)); 499 memcpy(&sdst, &dst->addr, sizeof(sdst)); 500 if (socket_af((struct sockaddr *)&sdst, 0) == -1) { 501 log_warn("%s: invalid address", __func__); 502 return (-1); 503 } 504 505 bzero(&spxy, sizeof(spxy)); 506 if (dst != sa->csa_peer) { 507 memcpy(&spxy, &sa->csa_peer->addr, sizeof(spxy)); 508 if (socket_af((struct sockaddr *)&spxy, 0) == -1) { 509 log_warn("%s: invalid address", __func__); 510 return (-1); 511 } 512 } 513 514 bzero(&smsg, sizeof(smsg)); 515 smsg.sadb_msg_version = PF_KEY_V2; 516 smsg.sadb_msg_seq = ++sadb_msg_seq; 517 smsg.sadb_msg_pid = getpid(); 518 smsg.sadb_msg_len = sizeof(smsg) / 8; 519 smsg.sadb_msg_type = action; 520 smsg.sadb_msg_satype = satype; 521 522 bzero(&sadb, sizeof(sadb)); 523 sadb.sadb_sa_len = sizeof(sadb) / 8; 524 sadb.sadb_sa_exttype = SADB_EXT_SA; 525 sadb.sadb_sa_spi = htonl(sa->csa_spi.spi); 526 sadb.sadb_sa_state = SADB_SASTATE_MATURE; 527 sadb.sadb_sa_replay = 64; 528 529 if (!sa->csa_transport) 530 sadb.sadb_sa_flags |= SADB_X_SAFLAGS_TUNNEL; 531 532 if (sa->csa_esn) 533 sadb.sadb_sa_flags |= SADB_X_SAFLAGS_ESN; 534 535 bzero(&sa_src, sizeof(sa_src)); 536 sa_src.sadb_address_len = (sizeof(sa_src) + ROUNDUP(ssrc.ss_len)) / 8; 537 sa_src.sadb_address_exttype = SADB_EXT_ADDRESS_SRC; 538 539 bzero(&sa_dst, sizeof(sa_dst)); 540 sa_dst.sadb_address_len = (sizeof(sa_dst) + ROUNDUP(sdst.ss_len)) / 8; 541 sa_dst.sadb_address_exttype = SADB_EXT_ADDRESS_DST; 542 543 bzero(&sa_pxy, sizeof(sa_pxy)); 544 sa_pxy.sadb_address_len = (sizeof(sa_pxy) + ROUNDUP(spxy.ss_len)) / 8; 545 sa_pxy.sadb_address_exttype = SADB_EXT_ADDRESS_PROXY; 546 547 bzero(&sa_authkey, sizeof(sa_authkey)); 548 bzero(&sa_enckey, sizeof(sa_enckey)); 549 bzero(&udpencap, sizeof udpencap); 550 bzero(&sa_ltime_hard, sizeof(sa_ltime_hard)); 551 bzero(&sa_ltime_soft, sizeof(sa_ltime_soft)); 552 553 if (pol->pol_rdomain >= 0) { 554 bzero(&sa_rdomain, sizeof(sa_rdomain)); 555 sa_rdomain.sadb_x_rdomain_exttype = SADB_X_EXT_RDOMAIN; 556 sa_rdomain.sadb_x_rdomain_len = sizeof(sa_rdomain) / 8; 557 if (satype == SADB_X_SATYPE_IPCOMP) { 558 /* IPCOMP SAs are always in the pol_rdomain */ 559 sa_rdomain.sadb_x_rdomain_dom1 = pol->pol_rdomain; 560 sa_rdomain.sadb_x_rdomain_dom2 = pol->pol_rdomain; 561 } else if (sa->csa_dir == IPSP_DIRECTION_OUT) { 562 /* switch rdomain on encrypt/decrypt */ 563 sa_rdomain.sadb_x_rdomain_dom1 = pol->pol_rdomain; 564 sa_rdomain.sadb_x_rdomain_dom2 = iked_rdomain; 565 } else { 566 sa_rdomain.sadb_x_rdomain_dom1 = iked_rdomain; 567 sa_rdomain.sadb_x_rdomain_dom2 = pol->pol_rdomain; 568 } 569 } 570 571 if (action == SADB_DELETE) 572 goto send; 573 574 if (satype == SADB_SATYPE_ESP && 575 sa->csa_ikesa->sa_udpencap && sa->csa_ikesa->sa_natt) { 576 sadb.sadb_sa_flags |= SADB_X_SAFLAGS_UDPENCAP; 577 udpencap.sadb_x_udpencap_exttype = SADB_X_EXT_UDPENCAP; 578 udpencap.sadb_x_udpencap_len = sizeof(udpencap) / 8; 579 udpencap.sadb_x_udpencap_port = 580 sa->csa_ikesa->sa_peer.addr_port; 581 582 log_debug("%s: udpencap port %d", __func__, 583 ntohs(udpencap.sadb_x_udpencap_port)); 584 } 585 586 if (action == IKED_SADB_UPDATE_SA_ADDRESSES) { 587 smsg.sadb_msg_type = SADB_UPDATE; 588 goto send; 589 } 590 591 if ((action == SADB_ADD || action == SADB_UPDATE) && 592 !sa->csa_persistent && (lt->lt_bytes || lt->lt_seconds)) { 593 sa_ltime_hard.sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD; 594 sa_ltime_hard.sadb_lifetime_len = sizeof(sa_ltime_hard) / 8; 595 sa_ltime_hard.sadb_lifetime_bytes = lt->lt_bytes; 596 sa_ltime_hard.sadb_lifetime_addtime = lt->lt_seconds; 597 598 /* double the lifetime for ipcomp; disable byte lifetime */ 599 if (satype == SADB_X_SATYPE_IPCOMP) { 600 sa_ltime_hard.sadb_lifetime_addtime *= 2; 601 sa_ltime_hard.sadb_lifetime_bytes = 0; 602 } 603 604 sa_ltime_soft.sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT; 605 sa_ltime_soft.sadb_lifetime_len = sizeof(sa_ltime_soft) / 8; 606 /* set randomly to 85-95% */ 607 jitter = 850 + arc4random_uniform(100); 608 sa_ltime_soft.sadb_lifetime_bytes = 609 (sa_ltime_hard.sadb_lifetime_bytes * jitter) / 1000; 610 sa_ltime_soft.sadb_lifetime_addtime = 611 (sa_ltime_hard.sadb_lifetime_addtime * jitter) / 1000; 612 } 613 614 /* XXX handle NULL encryption or NULL auth or combined encr/auth */ 615 if (action == SADB_ADD && 616 !ibuf_length(sa->csa_integrkey) && !ibuf_length(sa->csa_encrkey) && 617 satype != SADB_X_SATYPE_IPCOMP && satype != SADB_X_SATYPE_IPIP) { 618 log_warnx("%s: no key specified", __func__); 619 return (-1); 620 } 621 622 if (sa->csa_integrid) 623 if (pfkey_map(pfkey_integr, 624 sa->csa_integrid, &sadb.sadb_sa_auth) == -1) { 625 log_warnx("%s: unsupported integrity algorithm %s", 626 __func__, print_map(sa->csa_integrid, 627 ikev2_xformauth_map)); 628 return (-1); 629 } 630 631 if (sa->csa_encrid) 632 if (pfkey_map(pfkey_encr, 633 sa->csa_encrid, &sadb.sadb_sa_encrypt) == -1) { 634 log_warnx("%s: unsupported encryption algorithm %s", 635 __func__, print_map(sa->csa_encrid, 636 ikev2_xformencr_map)); 637 return (-1); 638 } 639 640 if (ibuf_length(sa->csa_integrkey)) { 641 sa_authkey.sadb_key_len = (sizeof(sa_authkey) + 642 ROUNDUP(ibuf_size(sa->csa_integrkey))) / 8; 643 sa_authkey.sadb_key_exttype = SADB_EXT_KEY_AUTH; 644 sa_authkey.sadb_key_bits = 645 8 * ibuf_size(sa->csa_integrkey); 646 } 647 648 if (ibuf_length(sa->csa_encrkey)) { 649 sa_enckey.sadb_key_len = (sizeof(sa_enckey) + 650 ROUNDUP(ibuf_size(sa->csa_encrkey))) / 8; 651 sa_enckey.sadb_key_exttype = SADB_EXT_KEY_ENCRYPT; 652 sa_enckey.sadb_key_bits = 653 8 * ibuf_size(sa->csa_encrkey); 654 } 655 656 /* we only support deflate */ 657 if (satype == SADB_X_SATYPE_IPCOMP) 658 sadb.sadb_sa_encrypt = SADB_X_CALG_DEFLATE; 659 660 /* Note that we need to swap the IDs for incoming SAs (SADB_UPDATE) */ 661 if (action != SADB_UPDATE) { 662 sa_srcid = pfkey_id2ident( 663 IKESA_SRCID(sa->csa_ikesa), SADB_EXT_IDENTITY_SRC); 664 sa_dstid = pfkey_id2ident( 665 IKESA_DSTID(sa->csa_ikesa), SADB_EXT_IDENTITY_DST); 666 } else { 667 sa_srcid = pfkey_id2ident( 668 IKESA_DSTID(sa->csa_ikesa), SADB_EXT_IDENTITY_SRC); 669 sa_dstid = pfkey_id2ident( 670 IKESA_SRCID(sa->csa_ikesa), SADB_EXT_IDENTITY_DST); 671 } 672 673 tag = sa->csa_ikesa->sa_tag; 674 if (tag != NULL && *tag != '\0') { 675 bzero(&sa_tag, sizeof(sa_tag)); 676 sa_tag.sadb_x_tag_exttype = SADB_X_EXT_TAG; 677 sa_tag.sadb_x_tag_len = 678 (ROUNDUP(strlen(tag) + 1) + sizeof(sa_tag)) / 8; 679 sa_tag.sadb_x_tag_taglen = strlen(tag) + 1; 680 } else 681 tag = NULL; 682 683 if (pol->pol_tap != 0) { 684 dotap = 1; 685 bzero(&sa_tap, sizeof(sa_tap)); 686 sa_tap.sadb_x_tap_exttype = SADB_X_EXT_TAP; 687 sa_tap.sadb_x_tap_len = sizeof(sa_tap) / 8; 688 sa_tap.sadb_x_tap_unit = pol->pol_tap; 689 } 690 691 send: 692 693 #define PAD(len) \ 694 padlen = ROUNDUP((len)) - (len); \ 695 if (padlen) { \ 696 iov[iov_cnt].iov_base = &pad; \ 697 iov[iov_cnt].iov_len = padlen; \ 698 iov_cnt++; \ 699 } 700 701 iov_cnt = 0; 702 703 /* header */ 704 iov[iov_cnt].iov_base = &smsg; 705 iov[iov_cnt].iov_len = sizeof(smsg); 706 iov_cnt++; 707 708 /* sa */ 709 iov[iov_cnt].iov_base = &sadb; 710 iov[iov_cnt].iov_len = sizeof(sadb); 711 smsg.sadb_msg_len += sadb.sadb_sa_len; 712 iov_cnt++; 713 714 /* src addr */ 715 iov[iov_cnt].iov_base = &sa_src; 716 iov[iov_cnt].iov_len = sizeof(sa_src); 717 iov_cnt++; 718 iov[iov_cnt].iov_base = &ssrc; 719 iov[iov_cnt].iov_len = ssrc.ss_len; 720 smsg.sadb_msg_len += sa_src.sadb_address_len; 721 iov_cnt++; 722 PAD(ssrc.ss_len); 723 724 /* dst addr */ 725 iov[iov_cnt].iov_base = &sa_dst; 726 iov[iov_cnt].iov_len = sizeof(sa_dst); 727 iov_cnt++; 728 iov[iov_cnt].iov_base = &sdst; 729 iov[iov_cnt].iov_len = sdst.ss_len; 730 smsg.sadb_msg_len += sa_dst.sadb_address_len; 731 iov_cnt++; 732 PAD(sdst.ss_len); 733 734 if (spxy.ss_len) { 735 /* pxy addr */ 736 iov[iov_cnt].iov_base = &sa_pxy; 737 iov[iov_cnt].iov_len = sizeof(sa_pxy); 738 iov_cnt++; 739 iov[iov_cnt].iov_base = &spxy; 740 iov[iov_cnt].iov_len = spxy.ss_len; 741 smsg.sadb_msg_len += sa_pxy.sadb_address_len; 742 iov_cnt++; 743 PAD(spxy.ss_len); 744 } 745 746 if (sa_ltime_soft.sadb_lifetime_len) { 747 /* soft lifetime */ 748 iov[iov_cnt].iov_base = &sa_ltime_soft; 749 iov[iov_cnt].iov_len = sizeof(sa_ltime_soft); 750 smsg.sadb_msg_len += sa_ltime_soft.sadb_lifetime_len; 751 iov_cnt++; 752 } 753 754 if (sa_ltime_hard.sadb_lifetime_len) { 755 /* hard lifetime */ 756 iov[iov_cnt].iov_base = &sa_ltime_hard; 757 iov[iov_cnt].iov_len = sizeof(sa_ltime_hard); 758 smsg.sadb_msg_len += sa_ltime_hard.sadb_lifetime_len; 759 iov_cnt++; 760 } 761 762 if (udpencap.sadb_x_udpencap_len) { 763 iov[iov_cnt].iov_base = &udpencap; 764 iov[iov_cnt].iov_len = sizeof(udpencap); 765 smsg.sadb_msg_len += udpencap.sadb_x_udpencap_len; 766 iov_cnt++; 767 } 768 769 if (sa_enckey.sadb_key_len) { 770 /* encryption key */ 771 iov[iov_cnt].iov_base = &sa_enckey; 772 iov[iov_cnt].iov_len = sizeof(sa_enckey); 773 iov_cnt++; 774 iov[iov_cnt].iov_base = ibuf_data(sa->csa_encrkey); 775 iov[iov_cnt].iov_len = ibuf_size(sa->csa_encrkey); 776 smsg.sadb_msg_len += sa_enckey.sadb_key_len; 777 iov_cnt++; 778 PAD(ibuf_size(sa->csa_encrkey)); 779 } 780 if (sa_authkey.sadb_key_len) { 781 /* authentication key */ 782 iov[iov_cnt].iov_base = &sa_authkey; 783 iov[iov_cnt].iov_len = sizeof(sa_authkey); 784 iov_cnt++; 785 iov[iov_cnt].iov_base = ibuf_data(sa->csa_integrkey); 786 iov[iov_cnt].iov_len = ibuf_size(sa->csa_integrkey); 787 smsg.sadb_msg_len += sa_authkey.sadb_key_len; 788 iov_cnt++; 789 PAD(ibuf_size(sa->csa_integrkey)); 790 } 791 792 if (sa_srcid) { 793 /* src identity */ 794 iov[iov_cnt].iov_base = sa_srcid; 795 iov[iov_cnt].iov_len = sa_srcid->sadb_ident_len * 8; 796 smsg.sadb_msg_len += sa_srcid->sadb_ident_len; 797 iov_cnt++; 798 } 799 if (sa_dstid) { 800 /* dst identity */ 801 iov[iov_cnt].iov_base = sa_dstid; 802 iov[iov_cnt].iov_len = sa_dstid->sadb_ident_len * 8; 803 smsg.sadb_msg_len += sa_dstid->sadb_ident_len; 804 iov_cnt++; 805 } 806 807 if (tag != NULL) { 808 /* tag identity */ 809 iov[iov_cnt].iov_base = &sa_tag; 810 iov[iov_cnt].iov_len = sizeof(sa_tag); 811 iov_cnt++; 812 iov[iov_cnt].iov_base = tag; 813 iov[iov_cnt].iov_len = strlen(tag) + 1; 814 smsg.sadb_msg_len += sa_tag.sadb_x_tag_len; 815 iov_cnt++; 816 PAD(strlen(tag) + 1); 817 } 818 819 if (dotap != 0) { 820 /* enc(4) device tap unit */ 821 iov[iov_cnt].iov_base = &sa_tap; 822 iov[iov_cnt].iov_len = sizeof(sa_tap); 823 smsg.sadb_msg_len += sa_tap.sadb_x_tap_len; 824 iov_cnt++; 825 } 826 827 if (pol->pol_rdomain >= 0) { 828 iov[iov_cnt].iov_base = &sa_rdomain; 829 iov[iov_cnt].iov_len = sizeof(sa_rdomain); 830 smsg.sadb_msg_len += sa_rdomain.sadb_x_rdomain_len; 831 iov_cnt++; 832 } 833 #undef PAD 834 835 ret = pfkey_write(sd, &smsg, iov, iov_cnt, NULL, NULL); 836 837 free(sa_srcid); 838 free(sa_dstid); 839 840 return ret; 841 } 842 843 int 844 pfkey_sa_lookup(int sd, struct iked_childsa *sa, uint64_t *last_used) 845 { 846 struct iked_policy *pol = sa->csa_ikesa->sa_policy; 847 struct sadb_msg *msg, smsg; 848 struct sadb_address sa_src, sa_dst; 849 struct sadb_sa sadb; 850 struct sadb_x_rdomain sa_rdomain; 851 struct sadb_lifetime *sa_life; 852 struct sockaddr_storage ssrc, sdst; 853 struct iovec iov[IOV_CNT]; 854 uint64_t pad = 0; 855 size_t padlen; 856 uint8_t *data; 857 ssize_t n; 858 int iov_cnt, ret = -1, rdomain; 859 uint8_t satype; 860 861 if (last_used) 862 *last_used = 0; 863 864 if (pfkey_map(pfkey_satype, sa->csa_saproto, &satype) == -1) 865 return (-1); 866 867 bzero(&ssrc, sizeof(ssrc)); 868 memcpy(&ssrc, &sa->csa_local->addr, sizeof(ssrc)); 869 if (socket_af((struct sockaddr *)&ssrc, 0) == -1) { 870 log_warn("%s: invalid address", __func__); 871 return (-1); 872 } 873 874 bzero(&sdst, sizeof(sdst)); 875 memcpy(&sdst, &sa->csa_peer->addr, sizeof(sdst)); 876 if (socket_af((struct sockaddr *)&sdst, 0) == -1) { 877 log_warn("%s: invalid address", __func__); 878 return (-1); 879 } 880 881 bzero(&smsg, sizeof(smsg)); 882 smsg.sadb_msg_version = PF_KEY_V2; 883 smsg.sadb_msg_seq = ++sadb_msg_seq; 884 smsg.sadb_msg_pid = getpid(); 885 smsg.sadb_msg_len = sizeof(smsg) / 8; 886 smsg.sadb_msg_type = SADB_GET; 887 smsg.sadb_msg_satype = satype; 888 889 bzero(&sadb, sizeof(sadb)); 890 sadb.sadb_sa_len = sizeof(sadb) / 8; 891 sadb.sadb_sa_exttype = SADB_EXT_SA; 892 sadb.sadb_sa_spi = htonl(sa->csa_spi.spi); 893 sadb.sadb_sa_state = SADB_SASTATE_MATURE; 894 sadb.sadb_sa_replay = 64; 895 896 if (pol->pol_rdomain >= 0) { 897 rdomain = (sa->csa_dir == IPSP_DIRECTION_IN) ? 898 iked_rdomain : pol->pol_rdomain; 899 bzero(&sa_rdomain, sizeof(sa_rdomain)); 900 sa_rdomain.sadb_x_rdomain_exttype = SADB_X_EXT_RDOMAIN; 901 sa_rdomain.sadb_x_rdomain_len = sizeof(sa_rdomain) / 8; 902 sa_rdomain.sadb_x_rdomain_dom1 = rdomain; 903 } 904 905 bzero(&sa_src, sizeof(sa_src)); 906 sa_src.sadb_address_len = (sizeof(sa_src) + ROUNDUP(ssrc.ss_len)) / 8; 907 sa_src.sadb_address_exttype = SADB_EXT_ADDRESS_SRC; 908 909 bzero(&sa_dst, sizeof(sa_dst)); 910 sa_dst.sadb_address_len = (sizeof(sa_dst) + ROUNDUP(sdst.ss_len)) / 8; 911 sa_dst.sadb_address_exttype = SADB_EXT_ADDRESS_DST; 912 913 iov_cnt = 0; 914 915 #define PAD(len) \ 916 padlen = ROUNDUP((len)) - (len); \ 917 if (padlen) { \ 918 iov[iov_cnt].iov_base = &pad; \ 919 iov[iov_cnt].iov_len = padlen; \ 920 iov_cnt++; \ 921 } 922 923 /* header */ 924 iov[iov_cnt].iov_base = &smsg; 925 iov[iov_cnt].iov_len = sizeof(smsg); 926 iov_cnt++; 927 928 /* sa */ 929 iov[iov_cnt].iov_base = &sadb; 930 iov[iov_cnt].iov_len = sizeof(sadb); 931 smsg.sadb_msg_len += sadb.sadb_sa_len; 932 iov_cnt++; 933 934 /* src addr */ 935 iov[iov_cnt].iov_base = &sa_src; 936 iov[iov_cnt].iov_len = sizeof(sa_src); 937 iov_cnt++; 938 iov[iov_cnt].iov_base = &ssrc; 939 iov[iov_cnt].iov_len = ssrc.ss_len; 940 smsg.sadb_msg_len += sa_src.sadb_address_len; 941 iov_cnt++; 942 PAD(ssrc.ss_len); 943 944 /* dst addr */ 945 iov[iov_cnt].iov_base = &sa_dst; 946 iov[iov_cnt].iov_len = sizeof(sa_dst); 947 iov_cnt++; 948 iov[iov_cnt].iov_base = &sdst; 949 iov[iov_cnt].iov_len = sdst.ss_len; 950 smsg.sadb_msg_len += sa_dst.sadb_address_len; 951 iov_cnt++; 952 PAD(sdst.ss_len); 953 954 if (pol->pol_rdomain >= 0) { 955 iov[iov_cnt].iov_base = &sa_rdomain; 956 iov[iov_cnt].iov_len = sizeof(sa_rdomain); 957 smsg.sadb_msg_len += sa_rdomain.sadb_x_rdomain_len; 958 iov_cnt++; 959 } 960 961 if ((ret = pfkey_write(sd, &smsg, iov, iov_cnt, &data, &n)) != 0) 962 return (-1); 963 964 msg = (struct sadb_msg *)data; 965 if (msg->sadb_msg_errno != 0) { 966 errno = msg->sadb_msg_errno; 967 ret = -1; 968 if (errno == ESRCH) 969 log_debug("%s: not found", __func__); 970 else 971 log_warn("%s: message", __func__); 972 goto done; 973 } 974 if (last_used) { 975 if ((sa_life = pfkey_find_ext(data, n, 976 SADB_X_EXT_LIFETIME_LASTUSE)) == NULL) { 977 /* has never been used */ 978 ret = -1; 979 goto done; 980 } 981 *last_used = sa_life->sadb_lifetime_usetime; 982 log_debug("%s: last_used %llu", __func__, *last_used); 983 } 984 985 #undef PAD 986 done: 987 freezero(data, n); 988 return (ret); 989 } 990 991 int 992 pfkey_sa_last_used(int sd, struct iked_childsa *sa, uint64_t *last_used) 993 { 994 return pfkey_sa_lookup(sd, sa, last_used); 995 } 996 997 int 998 pfkey_sa_check_exists(int sd, struct iked_childsa *sa) 999 { 1000 return pfkey_sa_lookup(sd, sa, NULL); 1001 } 1002 1003 int 1004 pfkey_sa_getspi(int sd, uint8_t satype, struct iked_childsa *sa, 1005 uint32_t *spip) 1006 { 1007 struct sadb_msg *msg, smsg; 1008 struct sadb_address sa_src, sa_dst; 1009 struct sadb_sa *sa_ext; 1010 struct sadb_spirange sa_spirange; 1011 struct sockaddr_storage ssrc, sdst; 1012 struct iovec iov[IOV_CNT]; 1013 uint64_t pad = 0; 1014 size_t padlen; 1015 uint8_t *data; 1016 ssize_t n; 1017 int iov_cnt, ret = -1; 1018 1019 bzero(&ssrc, sizeof(ssrc)); 1020 memcpy(&ssrc, &sa->csa_local->addr, sizeof(ssrc)); 1021 if (socket_af((struct sockaddr *)&ssrc, 0) == -1) { 1022 log_warn("%s: invalid address", __func__); 1023 return (-1); 1024 } 1025 1026 bzero(&sdst, sizeof(sdst)); 1027 memcpy(&sdst, &sa->csa_peer->addr, sizeof(sdst)); 1028 if (socket_af((struct sockaddr *)&sdst, 0) == -1) { 1029 log_warn("%s: invalid address", __func__); 1030 return (-1); 1031 } 1032 1033 bzero(&smsg, sizeof(smsg)); 1034 smsg.sadb_msg_version = PF_KEY_V2; 1035 smsg.sadb_msg_seq = ++sadb_msg_seq; 1036 smsg.sadb_msg_pid = getpid(); 1037 smsg.sadb_msg_len = sizeof(smsg) / 8; 1038 smsg.sadb_msg_type = SADB_GETSPI; 1039 smsg.sadb_msg_satype = satype; 1040 1041 bzero(&sa_spirange, sizeof(sa_spirange)); 1042 sa_spirange.sadb_spirange_exttype = SADB_EXT_SPIRANGE; 1043 sa_spirange.sadb_spirange_len = sizeof(sa_spirange) / 8; 1044 sa_spirange.sadb_spirange_min = 0x100; 1045 sa_spirange.sadb_spirange_max = (satype == SADB_X_SATYPE_IPCOMP) ? 1046 (CPI_PRIVATE_MIN - 1) : 0xffffffff; 1047 sa_spirange.sadb_spirange_reserved = 0; 1048 1049 bzero(&sa_src, sizeof(sa_src)); 1050 sa_src.sadb_address_len = (sizeof(sa_src) + ROUNDUP(ssrc.ss_len)) / 8; 1051 sa_src.sadb_address_exttype = SADB_EXT_ADDRESS_SRC; 1052 1053 bzero(&sa_dst, sizeof(sa_dst)); 1054 sa_dst.sadb_address_len = (sizeof(sa_dst) + ROUNDUP(sdst.ss_len)) / 8; 1055 sa_dst.sadb_address_exttype = SADB_EXT_ADDRESS_DST; 1056 1057 #define PAD(len) \ 1058 padlen = ROUNDUP((len)) - (len); \ 1059 if (padlen) { \ 1060 iov[iov_cnt].iov_base = &pad; \ 1061 iov[iov_cnt].iov_len = padlen; \ 1062 iov_cnt++; \ 1063 } 1064 1065 iov_cnt = 0; 1066 1067 /* header */ 1068 iov[iov_cnt].iov_base = &smsg; 1069 iov[iov_cnt].iov_len = sizeof(smsg); 1070 iov_cnt++; 1071 1072 /* SPI range */ 1073 iov[iov_cnt].iov_base = &sa_spirange; 1074 iov[iov_cnt].iov_len = sizeof(sa_spirange); 1075 smsg.sadb_msg_len += sa_spirange.sadb_spirange_len; 1076 iov_cnt++; 1077 1078 /* src addr */ 1079 iov[iov_cnt].iov_base = &sa_src; 1080 iov[iov_cnt].iov_len = sizeof(sa_src); 1081 iov_cnt++; 1082 iov[iov_cnt].iov_base = &ssrc; 1083 iov[iov_cnt].iov_len = ssrc.ss_len; 1084 smsg.sadb_msg_len += sa_src.sadb_address_len; 1085 iov_cnt++; 1086 PAD(ssrc.ss_len); 1087 1088 /* dst addr */ 1089 iov[iov_cnt].iov_base = &sa_dst; 1090 iov[iov_cnt].iov_len = sizeof(sa_dst); 1091 iov_cnt++; 1092 iov[iov_cnt].iov_base = &sdst; 1093 iov[iov_cnt].iov_len = sdst.ss_len; 1094 smsg.sadb_msg_len += sa_dst.sadb_address_len; 1095 iov_cnt++; 1096 PAD(sdst.ss_len); 1097 1098 *spip = 0; 1099 1100 if ((ret = pfkey_write(sd, &smsg, iov, iov_cnt, &data, &n)) != 0) 1101 return (-1); 1102 1103 msg = (struct sadb_msg *)data; 1104 if (msg->sadb_msg_errno != 0) { 1105 errno = msg->sadb_msg_errno; 1106 log_warn("%s: message", __func__); 1107 goto done; 1108 } 1109 if ((sa_ext = pfkey_find_ext(data, n, SADB_EXT_SA)) == NULL) { 1110 log_debug("%s: erroneous reply", __func__); 1111 goto done; 1112 } 1113 1114 *spip = ntohl(sa_ext->sadb_sa_spi); 1115 log_debug("%s: spi 0x%08x", __func__, *spip); 1116 1117 #undef PAD 1118 1119 done: 1120 freezero(data, n); 1121 return (ret); 1122 } 1123 1124 int 1125 pfkey_sagroup(int sd, uint8_t satype1, uint8_t action, 1126 struct iked_childsa *sa1, struct iked_childsa *sa2) 1127 { 1128 struct sadb_msg smsg; 1129 struct sadb_sa sadb1, sadb2; 1130 struct sadb_address sa_dst1, sa_dst2; 1131 struct sockaddr_storage sdst1, sdst2; 1132 struct sadb_protocol sa_proto; 1133 struct sadb_x_rdomain sa_rdomain; 1134 struct iked_policy *pol; 1135 struct iovec iov[IOV_CNT]; 1136 uint64_t pad = 0; 1137 size_t padlen; 1138 int iov_cnt; 1139 int group_rdomain; 1140 uint8_t satype2; 1141 1142 if (pfkey_map(pfkey_satype, sa2->csa_saproto, &satype2) == -1) 1143 return (-1); 1144 1145 bzero(&sdst1, sizeof(sdst1)); 1146 memcpy(&sdst1, &sa1->csa_peer->addr, sizeof(sdst1)); 1147 if (socket_af((struct sockaddr *)&sdst1, 0) == -1) { 1148 log_warnx("%s: unsupported address family %d", 1149 __func__, sdst1.ss_family); 1150 return (-1); 1151 } 1152 1153 bzero(&sdst2, sizeof(sdst2)); 1154 memcpy(&sdst2, &sa2->csa_peer->addr, sizeof(sdst2)); 1155 if (socket_af((struct sockaddr *)&sdst2, 0) == -1) { 1156 log_warnx("%s: unsupported address family %d", 1157 __func__, sdst2.ss_family); 1158 return (-1); 1159 } 1160 1161 bzero(&smsg, sizeof(smsg)); 1162 smsg.sadb_msg_version = PF_KEY_V2; 1163 smsg.sadb_msg_seq = ++sadb_msg_seq; 1164 smsg.sadb_msg_pid = getpid(); 1165 smsg.sadb_msg_len = sizeof(smsg) / 8; 1166 smsg.sadb_msg_type = action; 1167 smsg.sadb_msg_satype = satype1; 1168 1169 bzero(&sadb1, sizeof(sadb1)); 1170 sadb1.sadb_sa_len = sizeof(sadb1) / 8; 1171 sadb1.sadb_sa_exttype = SADB_EXT_SA; 1172 sadb1.sadb_sa_spi = htonl(sa1->csa_spi.spi); 1173 sadb1.sadb_sa_state = SADB_SASTATE_MATURE; 1174 1175 bzero(&sadb2, sizeof(sadb2)); 1176 sadb2.sadb_sa_len = sizeof(sadb2) / 8; 1177 sadb2.sadb_sa_exttype = SADB_X_EXT_SA2; 1178 sadb2.sadb_sa_spi = htonl(sa2->csa_spi.spi); 1179 sadb2.sadb_sa_state = SADB_SASTATE_MATURE; 1180 1181 /* Incoming SA1 (IPCOMP) and SA2 (ESP) are in different/other rdomain */ 1182 group_rdomain = 1183 (pol = sa1->csa_ikesa->sa_policy) != NULL && 1184 pol->pol_rdomain >= 0 && 1185 satype1 == SADB_X_SATYPE_IPCOMP && 1186 satype2 == SADB_SATYPE_ESP; 1187 if (group_rdomain) { 1188 bzero(&sa_rdomain, sizeof(sa_rdomain)); 1189 sa_rdomain.sadb_x_rdomain_exttype = SADB_X_EXT_RDOMAIN; 1190 sa_rdomain.sadb_x_rdomain_len = sizeof(sa_rdomain) / 8; 1191 if (sa1->csa_dir == IPSP_DIRECTION_IN) { 1192 /* only ESP SA is iked's rdomain */ 1193 sa_rdomain.sadb_x_rdomain_dom1 = pol->pol_rdomain; 1194 sa_rdomain.sadb_x_rdomain_dom2 = iked_rdomain; 1195 } else { 1196 /* both SAs are in pol_rdomain */ 1197 sa_rdomain.sadb_x_rdomain_dom1 = pol->pol_rdomain; 1198 sa_rdomain.sadb_x_rdomain_dom2 = pol->pol_rdomain; 1199 } 1200 } 1201 1202 iov_cnt = 0; 1203 1204 bzero(&sa_dst1, sizeof(sa_dst1)); 1205 sa_dst1.sadb_address_exttype = SADB_EXT_ADDRESS_DST; 1206 sa_dst1.sadb_address_len = 1207 (sizeof(sa_dst1) + ROUNDUP(sdst1.ss_len)) / 8; 1208 1209 bzero(&sa_dst2, sizeof(sa_dst2)); 1210 sa_dst2.sadb_address_exttype = SADB_X_EXT_DST2; 1211 sa_dst2.sadb_address_len = 1212 (sizeof(sa_dst2) + ROUNDUP(sdst2.ss_len)) / 8; 1213 1214 bzero(&sa_proto, sizeof(sa_proto)); 1215 sa_proto.sadb_protocol_exttype = SADB_X_EXT_SATYPE2; 1216 sa_proto.sadb_protocol_len = sizeof(sa_proto) / 8; 1217 sa_proto.sadb_protocol_direction = 0; 1218 sa_proto.sadb_protocol_proto = satype2; 1219 1220 #define PAD(len) \ 1221 padlen = ROUNDUP((len)) - (len); \ 1222 if (padlen) { \ 1223 iov[iov_cnt].iov_base = &pad; \ 1224 iov[iov_cnt].iov_len = padlen; \ 1225 iov_cnt++; \ 1226 } 1227 1228 /* header */ 1229 iov[iov_cnt].iov_base = &smsg; 1230 iov[iov_cnt].iov_len = sizeof(smsg); 1231 iov_cnt++; 1232 1233 /* sa */ 1234 iov[iov_cnt].iov_base = &sadb1; 1235 iov[iov_cnt].iov_len = sizeof(sadb1); 1236 smsg.sadb_msg_len += sadb1.sadb_sa_len; 1237 iov_cnt++; 1238 1239 /* dst addr */ 1240 iov[iov_cnt].iov_base = &sa_dst1; 1241 iov[iov_cnt].iov_len = sizeof(sa_dst1); 1242 iov_cnt++; 1243 iov[iov_cnt].iov_base = &sdst1; 1244 iov[iov_cnt].iov_len = sdst1.ss_len; 1245 smsg.sadb_msg_len += sa_dst1.sadb_address_len; 1246 iov_cnt++; 1247 PAD(sdst1.ss_len); 1248 1249 /* second sa */ 1250 iov[iov_cnt].iov_base = &sadb2; 1251 iov[iov_cnt].iov_len = sizeof(sadb2); 1252 smsg.sadb_msg_len += sadb2.sadb_sa_len; 1253 iov_cnt++; 1254 1255 /* second dst addr */ 1256 iov[iov_cnt].iov_base = &sa_dst2; 1257 iov[iov_cnt].iov_len = sizeof(sa_dst2); 1258 iov_cnt++; 1259 iov[iov_cnt].iov_base = &sdst2; 1260 iov[iov_cnt].iov_len = sdst2.ss_len; 1261 smsg.sadb_msg_len += sa_dst2.sadb_address_len; 1262 iov_cnt++; 1263 PAD(sdst2.ss_len); 1264 1265 /* SA type */ 1266 iov[iov_cnt].iov_base = &sa_proto; 1267 iov[iov_cnt].iov_len = sizeof(sa_proto); 1268 smsg.sadb_msg_len += sa_proto.sadb_protocol_len; 1269 iov_cnt++; 1270 1271 /* SA1 and SA2 are from different rdomains */ 1272 if (group_rdomain) { 1273 iov[iov_cnt].iov_base = &sa_rdomain; 1274 iov[iov_cnt].iov_len = sizeof(sa_rdomain); 1275 smsg.sadb_msg_len += sa_rdomain.sadb_x_rdomain_len; 1276 iov_cnt++; 1277 } 1278 1279 #undef PAD 1280 1281 return (pfkey_write(sd, &smsg, iov, iov_cnt, NULL, NULL)); 1282 } 1283 1284 int 1285 pfkey_write(int sd, struct sadb_msg *smsg, struct iovec *iov, int iov_cnt, 1286 uint8_t **datap, ssize_t *lenp) 1287 { 1288 ssize_t n, len = smsg->sadb_msg_len * 8; 1289 1290 if (sadb_decoupled) { 1291 switch (smsg->sadb_msg_type) { 1292 case SADB_GETSPI: 1293 /* we need to get a new SPI from the kernel */ 1294 break; 1295 default: 1296 if (datap || lenp) { 1297 log_warnx("%s: pfkey not coupled", __func__); 1298 return (-1); 1299 } 1300 /* ignore request */ 1301 return (0); 1302 } 1303 } 1304 1305 if ((n = writev(sd, iov, iov_cnt)) == -1) { 1306 log_warn("%s: writev failed: type %u len %zd", 1307 __func__, smsg->sadb_msg_type, len); 1308 return (-1); 1309 } else if (n != len) { 1310 log_warn("%s: short write", __func__); 1311 return (-1); 1312 } 1313 1314 return (pfkey_reply(sd, datap, lenp)); 1315 } 1316 1317 /* wait for pfkey response and returns 0 for ok, -1 for error, -2 for timeout */ 1318 int 1319 pfkey_reply(int sd, uint8_t **datap, ssize_t *lenp) 1320 { 1321 struct pfkey_message *pm; 1322 struct sadb_msg hdr; 1323 ssize_t len; 1324 uint8_t *data; 1325 struct pollfd pfd[1]; 1326 int n; 1327 1328 pfd[0].fd = sd; 1329 pfd[0].events = POLLIN; 1330 1331 for (;;) { 1332 /* 1333 * We should actually expect the reply to get lost 1334 * as PF_KEY is an unreliable service per the specs. 1335 * Currently we do this by setting a short timeout, 1336 * and if it is not readable in that time, we fail 1337 * the read. 1338 */ 1339 n = poll(pfd, 1, PFKEY_REPLY_TIMEOUT / 1000); 1340 if (n == -1) { 1341 log_warn("%s: poll() failed", __func__); 1342 return (-1); 1343 } 1344 if (n == 0) { 1345 log_warnx("%s: no reply from PF_KEY", __func__); 1346 return (-2); /* retry */ 1347 } 1348 1349 if (recv(sd, &hdr, sizeof(hdr), MSG_PEEK) != sizeof(hdr)) { 1350 log_warn("%s: short recv", __func__); 1351 return (-1); 1352 } 1353 1354 if (hdr.sadb_msg_version != PF_KEY_V2) { 1355 log_warnx("%s: wrong pfkey version", __func__); 1356 return (-1); 1357 } 1358 1359 if ((data = reallocarray(NULL, hdr.sadb_msg_len, 1360 PFKEYV2_CHUNK)) == NULL) { 1361 log_warn("%s: malloc", __func__); 1362 return (-1); 1363 } 1364 len = hdr.sadb_msg_len * PFKEYV2_CHUNK; 1365 1366 if (read(sd, data, len) != len) { 1367 log_warnx("%s: short read", __func__); 1368 free(data); 1369 return (-1); 1370 } 1371 1372 /* XXX: Only one message can be outstanding. */ 1373 if (hdr.sadb_msg_seq == sadb_msg_seq && 1374 hdr.sadb_msg_pid == (uint32_t)getpid()) 1375 break; 1376 1377 /* ignore messages for other processes */ 1378 if (hdr.sadb_msg_pid != 0 && 1379 hdr.sadb_msg_pid != (uint32_t)getpid()) { 1380 free(data); 1381 continue; 1382 } 1383 1384 /* not the reply, enqueue */ 1385 if ((pm = malloc(sizeof(*pm))) == NULL) { 1386 log_warn("%s: malloc", __func__); 1387 free(data); 1388 return (-1); 1389 } 1390 pm->pm_data = data; 1391 pm->pm_length = len; 1392 SIMPLEQ_INSERT_TAIL(&pfkey_postponed, pm, pm_entry); 1393 evtimer_add(&pfkey_timer_ev, &pfkey_timer_tv); 1394 } 1395 1396 if (datap) { 1397 *datap = data; 1398 if (lenp) 1399 *lenp = len; 1400 } else 1401 free(data); 1402 1403 if (datap == NULL && hdr.sadb_msg_errno != 0) { 1404 errno = hdr.sadb_msg_errno; 1405 if (errno != EEXIST) { 1406 if (errno == ESRCH) 1407 log_debug("%s: not found", __func__); 1408 else 1409 log_warn("%s: message", __func__); 1410 return (-1); 1411 } 1412 } 1413 return (0); 1414 } 1415 1416 int 1417 pfkey_flow_add(int fd, struct iked_flow *flow) 1418 { 1419 uint8_t satype; 1420 1421 if (flow->flow_loaded) 1422 return (0); 1423 1424 if (pfkey_map(pfkey_satype, flow->flow_saproto, &satype) == -1) 1425 return (-1); 1426 1427 if (pfkey_flow(fd, satype, SADB_X_ADDFLOW, flow) == -1) 1428 return (-1); 1429 1430 flow->flow_loaded = 1; 1431 1432 return (0); 1433 } 1434 1435 int 1436 pfkey_flow_delete(int fd, struct iked_flow *flow) 1437 { 1438 uint8_t satype; 1439 1440 if (!flow->flow_loaded) 1441 return (0); 1442 1443 if (pfkey_map(pfkey_satype, flow->flow_saproto, &satype) == -1) 1444 return (-1); 1445 1446 if (pfkey_flow(fd, satype, SADB_X_DELFLOW, flow) == -1) 1447 return (-1); 1448 1449 flow->flow_loaded = 0; 1450 1451 return (0); 1452 } 1453 1454 int 1455 pfkey_sa_init(int fd, struct iked_childsa *sa, uint32_t *spi) 1456 { 1457 uint8_t satype; 1458 1459 if (pfkey_map(pfkey_satype, sa->csa_saproto, &satype) == -1) 1460 return (-1); 1461 1462 if (pfkey_sa_getspi(fd, satype, sa, spi) == -1) 1463 return (-1); 1464 1465 log_debug("%s: new spi 0x%08x", __func__, *spi); 1466 1467 return (0); 1468 } 1469 1470 int 1471 pfkey_sa_add(int fd, struct iked_childsa *sa, struct iked_childsa *last) 1472 { 1473 uint8_t satype; 1474 unsigned int cmd; 1475 int rval; 1476 1477 if (pfkey_map(pfkey_satype, sa->csa_saproto, &satype) == -1) 1478 return (-1); 1479 1480 if (sa->csa_allocated || sa->csa_loaded) 1481 cmd = SADB_UPDATE; 1482 else 1483 cmd = SADB_ADD; 1484 1485 log_debug("%s: %s spi %s", __func__, cmd == SADB_ADD ? "add": "update", 1486 print_spi(sa->csa_spi.spi, 4)); 1487 1488 rval = pfkey_sa(fd, satype, cmd, sa); 1489 if (rval != 0) { 1490 if (cmd == SADB_ADD) { 1491 if (rval == -2) { 1492 /* timeout: check for existence */ 1493 if (pfkey_sa_check_exists(fd, sa) == 0) { 1494 log_debug("%s: SA exists after timeout", 1495 __func__); 1496 goto loaded; 1497 } 1498 } 1499 (void)pfkey_sa_delete(fd, sa); 1500 return (-1); 1501 } 1502 if (sa->csa_allocated && !sa->csa_loaded && errno == ESRCH) { 1503 /* Needed for recoupling local SAs */ 1504 log_debug("%s: SADB_UPDATE on local SA returned ESRCH," 1505 " trying SADB_ADD", __func__); 1506 if (pfkey_sa(fd, satype, SADB_ADD, sa) == -1) 1507 return (-1); 1508 } else { 1509 return (-1); 1510 } 1511 } 1512 1513 loaded: 1514 if (last != NULL) { 1515 if (pfkey_sagroup(fd, satype, 1516 SADB_X_GRPSPIS, sa, last) == -1) { 1517 (void)pfkey_sa_delete(fd, sa); 1518 return (-1); 1519 } 1520 } 1521 1522 sa->csa_loaded = 1; 1523 return (0); 1524 } 1525 1526 int 1527 pfkey_sa_update_addresses(int fd, struct iked_childsa *sa) 1528 { 1529 uint8_t satype; 1530 1531 if (!sa->csa_ikesa) 1532 return (-1); 1533 /* check if peer has changed */ 1534 if (sa->csa_ikesa->sa_peer_loaded.addr.ss_family == AF_UNSPEC || 1535 memcmp(&sa->csa_ikesa->sa_peer_loaded, &sa->csa_ikesa->sa_peer, 1536 sizeof(sa->csa_ikesa->sa_peer_loaded)) == 0) 1537 return (0); 1538 if (pfkey_map(pfkey_satype, sa->csa_saproto, &satype) == -1) 1539 return (-1); 1540 log_debug("%s: spi %s", __func__, print_spi(sa->csa_spi.spi, 4)); 1541 return pfkey_sa(fd, satype, IKED_SADB_UPDATE_SA_ADDRESSES, sa); 1542 } 1543 1544 int 1545 pfkey_sa_delete(int fd, struct iked_childsa *sa) 1546 { 1547 uint8_t satype; 1548 1549 if (!sa->csa_loaded || sa->csa_spi.spi == 0) 1550 return (0); 1551 1552 if (pfkey_map(pfkey_satype, sa->csa_saproto, &satype) == -1) 1553 return (-1); 1554 1555 if (pfkey_sa(fd, satype, SADB_DELETE, sa) == -1 && 1556 pfkey_sa_check_exists(fd, sa) == 0) 1557 return (-1); 1558 1559 sa->csa_loaded = 0; 1560 return (0); 1561 } 1562 1563 int 1564 pfkey_flush(int sd) 1565 { 1566 struct sadb_msg smsg; 1567 struct iovec iov[IOV_CNT]; 1568 int iov_cnt; 1569 1570 bzero(&smsg, sizeof(smsg)); 1571 smsg.sadb_msg_version = PF_KEY_V2; 1572 smsg.sadb_msg_seq = ++sadb_msg_seq; 1573 smsg.sadb_msg_pid = getpid(); 1574 smsg.sadb_msg_len = sizeof(smsg) / 8; 1575 smsg.sadb_msg_type = SADB_FLUSH; 1576 smsg.sadb_msg_satype = SADB_SATYPE_UNSPEC; 1577 1578 iov_cnt = 0; 1579 1580 iov[iov_cnt].iov_base = &smsg; 1581 iov[iov_cnt].iov_len = sizeof(smsg); 1582 iov_cnt++; 1583 1584 return (pfkey_write(sd, &smsg, iov, iov_cnt, NULL, NULL)); 1585 } 1586 1587 struct sadb_ident * 1588 pfkey_id2ident(struct iked_id *id, unsigned int exttype) 1589 { 1590 char idstr[IKED_ID_SIZE]; 1591 unsigned int type; 1592 size_t len; 1593 struct sadb_ident *sa_id; 1594 1595 switch (id->id_type) { 1596 case IKEV2_ID_FQDN: 1597 type = SADB_IDENTTYPE_FQDN; 1598 break; 1599 case IKEV2_ID_UFQDN: 1600 type = SADB_IDENTTYPE_USERFQDN; 1601 break; 1602 case IKEV2_ID_IPV4: 1603 case IKEV2_ID_IPV6: 1604 type = SADB_IDENTTYPE_PREFIX; 1605 break; 1606 case IKEV2_ID_ASN1_DN: 1607 type = SADB_IDENTTYPE_ASN1_DN; 1608 break; 1609 case IKEV2_ID_ASN1_GN: 1610 case IKEV2_ID_KEY_ID: 1611 case IKEV2_ID_NONE: 1612 default: 1613 /* XXX not implemented/supported by PFKEY */ 1614 return (NULL); 1615 } 1616 1617 bzero(&idstr, sizeof(idstr)); 1618 1619 if (ikev2_print_id(id, idstr, sizeof(idstr)) == -1) 1620 return (NULL); 1621 1622 len = ROUNDUP(strlen(idstr) + 1) + sizeof(*sa_id); 1623 if ((sa_id = calloc(1, len)) == NULL) 1624 return (NULL); 1625 1626 strlcpy((char *)(sa_id + 1), idstr, ROUNDUP(strlen(idstr) + 1)); 1627 sa_id->sadb_ident_type = type; 1628 sa_id->sadb_ident_len = len / 8; 1629 sa_id->sadb_ident_exttype = exttype; 1630 1631 return (sa_id); 1632 } 1633 1634 int 1635 pfkey_socket(void) 1636 { 1637 int fd; 1638 1639 if (privsep_process != PROC_PARENT) 1640 fatal("pfkey_socket: called from unprivileged process"); 1641 1642 if ((fd = socket(PF_KEY, SOCK_RAW, PF_KEY_V2)) == -1) 1643 fatal("pfkey_socket: failed to open PF_KEY socket"); 1644 1645 pfkey_flush(fd); 1646 1647 return (fd); 1648 } 1649 1650 void 1651 pfkey_init(struct iked *env, int fd) 1652 { 1653 struct sadb_msg smsg; 1654 struct iovec iov; 1655 1656 iked_rdomain = getrtable(); 1657 1658 /* Set up a timer to process messages deferred by the pfkey_reply */ 1659 pfkey_timer_tv.tv_sec = 1; 1660 pfkey_timer_tv.tv_usec = 0; 1661 evtimer_set(&pfkey_timer_ev, pfkey_timer_cb, env); 1662 1663 /* Register the pfkey socket event handler */ 1664 env->sc_pfkey = fd; 1665 event_set(&env->sc_pfkeyev, env->sc_pfkey, 1666 EV_READ|EV_PERSIST, pfkey_dispatch, env); 1667 event_add(&env->sc_pfkeyev, NULL); 1668 1669 /* Register it to get ESP and AH acquires from the kernel */ 1670 bzero(&smsg, sizeof(smsg)); 1671 smsg.sadb_msg_version = PF_KEY_V2; 1672 smsg.sadb_msg_seq = ++sadb_msg_seq; 1673 smsg.sadb_msg_pid = getpid(); 1674 smsg.sadb_msg_len = sizeof(smsg) / 8; 1675 smsg.sadb_msg_type = SADB_REGISTER; 1676 smsg.sadb_msg_satype = SADB_SATYPE_ESP; 1677 1678 iov.iov_base = &smsg; 1679 iov.iov_len = sizeof(smsg); 1680 1681 if (pfkey_write(fd, &smsg, &iov, 1, NULL, NULL)) 1682 fatal("pfkey_init: failed to set up ESP acquires"); 1683 1684 bzero(&smsg, sizeof(smsg)); 1685 smsg.sadb_msg_version = PF_KEY_V2; 1686 smsg.sadb_msg_seq = ++sadb_msg_seq; 1687 smsg.sadb_msg_pid = getpid(); 1688 smsg.sadb_msg_len = sizeof(smsg) / 8; 1689 smsg.sadb_msg_type = SADB_REGISTER; 1690 smsg.sadb_msg_satype = SADB_SATYPE_AH; 1691 1692 iov.iov_base = &smsg; 1693 iov.iov_len = sizeof(smsg); 1694 1695 if (pfkey_write(fd, &smsg, &iov, 1, NULL, NULL)) 1696 fatal("pfkey_init: failed to set up AH acquires"); 1697 } 1698 1699 void * 1700 pfkey_find_ext(uint8_t *data, ssize_t len, int type) 1701 { 1702 struct sadb_ext *ext = (struct sadb_ext *)(data + 1703 sizeof(struct sadb_msg)); 1704 1705 while (ext && ((uint8_t *)ext - data < len)) { 1706 if (ext->sadb_ext_type == type) 1707 return (ext); 1708 ext = (struct sadb_ext *)((uint8_t *)ext + 1709 ext->sadb_ext_len * PFKEYV2_CHUNK); 1710 } 1711 1712 return (NULL); 1713 } 1714 1715 void 1716 pfkey_dispatch(int sd, short event, void *arg) 1717 { 1718 struct iked *env = (struct iked *)arg; 1719 struct pfkey_message pm, *pmp; 1720 struct sadb_msg hdr; 1721 ssize_t len; 1722 uint8_t *data; 1723 1724 if (recv(sd, &hdr, sizeof(hdr), MSG_PEEK) != sizeof(hdr)) { 1725 log_warn("%s: short recv", __func__); 1726 return; 1727 } 1728 1729 if (hdr.sadb_msg_version != PF_KEY_V2) { 1730 log_warnx("%s: wrong pfkey version", __func__); 1731 return; 1732 } 1733 1734 if ((data = reallocarray(NULL, hdr.sadb_msg_len, PFKEYV2_CHUNK)) 1735 == NULL) { 1736 log_warn("%s: malloc", __func__); 1737 return; 1738 } 1739 len = hdr.sadb_msg_len * PFKEYV2_CHUNK; 1740 1741 if (read(sd, data, len) != len) { 1742 log_warn("%s: short read", __func__); 1743 free(data); 1744 return; 1745 } 1746 1747 /* Try postponed requests first, so we do in-order processing */ 1748 if (!SIMPLEQ_EMPTY(&pfkey_postponed)) 1749 pfkey_timer_cb(0, 0, env); 1750 1751 pm.pm_data = data; 1752 pm.pm_length = len; 1753 1754 if (pfkey_process(env, &pm) == -1 && 1755 (pmp = calloc(1, sizeof(*pmp))) != NULL) { 1756 pmp->pm_data = data; 1757 pmp->pm_length = len; 1758 log_debug("%s: pfkey_process is busy, retry later", __func__); 1759 SIMPLEQ_INSERT_TAIL(&pfkey_postponed, pmp, pm_entry); 1760 evtimer_add(&pfkey_timer_ev, &pfkey_timer_tv); 1761 } else { 1762 free(data); 1763 } 1764 } 1765 1766 void 1767 pfkey_timer_cb(int unused, short event, void *arg) 1768 { 1769 struct iked *env = arg; 1770 struct pfkey_message *pm; 1771 1772 SIMPLEQ_INIT(&pfkey_retry); 1773 while (!SIMPLEQ_EMPTY(&pfkey_postponed)) { 1774 pm = SIMPLEQ_FIRST(&pfkey_postponed); 1775 SIMPLEQ_REMOVE_HEAD(&pfkey_postponed, pm_entry); 1776 if (pfkey_process(env, pm) == -1) { 1777 log_debug("%s: pfkey_process is busy, retry later", 1778 __func__); 1779 SIMPLEQ_INSERT_TAIL(&pfkey_retry, pm, pm_entry); 1780 } else { 1781 free(pm->pm_data); 1782 free(pm); 1783 } 1784 } 1785 /* move from retry to postponed */ 1786 SIMPLEQ_CONCAT(&pfkey_postponed, &pfkey_retry); 1787 if (!SIMPLEQ_EMPTY(&pfkey_postponed)) 1788 evtimer_add(&pfkey_timer_ev, &pfkey_timer_tv); 1789 } 1790 1791 /* 1792 * pfkey_process returns 0 if the message has been processed and -1 if 1793 * the system is busy and the message should be passed again, later. 1794 */ 1795 int 1796 pfkey_process(struct iked *env, struct pfkey_message *pm) 1797 { 1798 struct iked_spi spi; 1799 struct sadb_sa *sa; 1800 struct sadb_lifetime *sa_ltime; 1801 struct sadb_msg *hdr; 1802 struct sadb_msg smsg; 1803 struct iked_addr peer; 1804 struct iked_flow flow; 1805 struct sadb_address *sa_addr; 1806 struct sadb_protocol *sa_proto; 1807 struct sadb_x_policy sa_pol; 1808 struct sockaddr *ssrc, *sdst, *smask, *dmask, *speer; 1809 struct iovec iov[IOV_CNT]; 1810 int ret = 0, iov_cnt, sd; 1811 uint8_t *reply; 1812 ssize_t rlen; 1813 const char *errmsg = NULL; 1814 uint8_t *data = pm->pm_data; 1815 ssize_t len = pm->pm_length; 1816 size_t slen; 1817 1818 if (!env || !data || !len) 1819 return (0); 1820 1821 sd = env->sc_pfkey; 1822 hdr = (struct sadb_msg *)data; 1823 1824 switch (hdr->sadb_msg_type) { 1825 case SADB_ACQUIRE: 1826 bzero(&flow, sizeof(flow)); 1827 bzero(&peer, sizeof(peer)); 1828 1829 if ((sa_addr = pfkey_find_ext(data, len, 1830 SADB_EXT_ADDRESS_DST)) == NULL) { 1831 log_debug("%s: no peer address", __func__); 1832 return (0); 1833 } 1834 speer = (struct sockaddr *)(sa_addr + 1); 1835 peer.addr_af = speer->sa_family; 1836 peer.addr_port = htons(socket_getport(speer)); 1837 if ((slen = speer->sa_len) > sizeof(peer.addr)) { 1838 log_debug("%s: invalid peer address len", __func__); 1839 return (0); 1840 } 1841 memcpy(&peer.addr, speer, slen); 1842 if (socket_af((struct sockaddr *)&peer.addr, 1843 peer.addr_port) == -1) { 1844 log_debug("%s: invalid address", __func__); 1845 return (0); 1846 } 1847 flow.flow_peer = &peer; 1848 1849 log_debug("%s: acquire request (peer %s)", __func__, 1850 print_host(speer, NULL, 0)); 1851 1852 /* get the matching flow */ 1853 bzero(&smsg, sizeof(smsg)); 1854 smsg.sadb_msg_version = PF_KEY_V2; 1855 smsg.sadb_msg_seq = ++sadb_msg_seq; 1856 smsg.sadb_msg_pid = getpid(); 1857 smsg.sadb_msg_len = sizeof(smsg) / 8; 1858 smsg.sadb_msg_type = SADB_X_ASKPOLICY; 1859 1860 iov_cnt = 0; 1861 1862 iov[iov_cnt].iov_base = &smsg; 1863 iov[iov_cnt].iov_len = sizeof(smsg); 1864 iov_cnt++; 1865 1866 bzero(&sa_pol, sizeof(sa_pol)); 1867 sa_pol.sadb_x_policy_exttype = SADB_X_EXT_POLICY; 1868 sa_pol.sadb_x_policy_len = sizeof(sa_pol) / 8; 1869 sa_pol.sadb_x_policy_seq = hdr->sadb_msg_seq; 1870 1871 iov[iov_cnt].iov_base = &sa_pol; 1872 iov[iov_cnt].iov_len = sizeof(sa_pol); 1873 smsg.sadb_msg_len += sizeof(sa_pol) / 8; 1874 iov_cnt++; 1875 1876 if (pfkey_write(sd, &smsg, iov, iov_cnt, &reply, &rlen)) { 1877 log_warnx("%s: failed to get a policy", __func__); 1878 return (0); 1879 } 1880 1881 if ((sa_addr = pfkey_find_ext(reply, rlen, 1882 SADB_X_EXT_SRC_FLOW)) == NULL) { 1883 errmsg = "flow source address"; 1884 goto out; 1885 } 1886 ssrc = (struct sockaddr *)(sa_addr + 1); 1887 flow.flow_src.addr_af = ssrc->sa_family; 1888 flow.flow_src.addr_port = htons(socket_getport(ssrc)); 1889 if ((slen = ssrc->sa_len) > sizeof(flow.flow_src.addr)) { 1890 log_debug("%s: invalid src address len", __func__); 1891 return (0); 1892 } 1893 memcpy(&flow.flow_src.addr, ssrc, slen); 1894 if (socket_af((struct sockaddr *)&flow.flow_src.addr, 1895 flow.flow_src.addr_port) == -1) { 1896 log_debug("%s: invalid address", __func__); 1897 return (0); 1898 } 1899 1900 if ((sa_addr = pfkey_find_ext(reply, rlen, 1901 SADB_X_EXT_DST_FLOW)) == NULL) { 1902 errmsg = "flow destination address"; 1903 goto out; 1904 } 1905 sdst = (struct sockaddr *)(sa_addr + 1); 1906 flow.flow_dst.addr_af = sdst->sa_family; 1907 flow.flow_dst.addr_port = htons(socket_getport(sdst)); 1908 if ((slen = sdst->sa_len) > sizeof(flow.flow_dst.addr)) { 1909 log_debug("%s: invalid dst address len", __func__); 1910 return (0); 1911 } 1912 memcpy(&flow.flow_dst.addr, sdst, slen); 1913 if (socket_af((struct sockaddr *)&flow.flow_dst.addr, 1914 flow.flow_dst.addr_port) == -1) { 1915 log_debug("%s: invalid address", __func__); 1916 return (0); 1917 } 1918 1919 if ((sa_addr = pfkey_find_ext(reply, rlen, 1920 SADB_X_EXT_SRC_MASK)) == NULL) { 1921 errmsg = "flow source mask"; 1922 goto out; 1923 } 1924 smask = (struct sockaddr *)(sa_addr + 1); 1925 switch (smask->sa_family) { 1926 case AF_INET: 1927 flow.flow_src.addr_mask = 1928 mask2prefixlen((struct sockaddr *)smask); 1929 if (flow.flow_src.addr_mask != 32) 1930 flow.flow_src.addr_net = 1; 1931 break; 1932 case AF_INET6: 1933 flow.flow_src.addr_mask = 1934 mask2prefixlen6((struct sockaddr *)smask); 1935 if (flow.flow_src.addr_mask != 128) 1936 flow.flow_src.addr_net = 1; 1937 break; 1938 default: 1939 log_debug("%s: bad address family", __func__); 1940 free(reply); 1941 return (0); 1942 } 1943 1944 if ((sa_addr = pfkey_find_ext(reply, rlen, 1945 SADB_X_EXT_DST_MASK)) == NULL) { 1946 errmsg = "flow destination mask"; 1947 goto out; 1948 } 1949 dmask = (struct sockaddr *)(sa_addr + 1); 1950 switch (dmask->sa_family) { 1951 case AF_INET: 1952 flow.flow_dst.addr_mask = 1953 mask2prefixlen((struct sockaddr *)dmask); 1954 if (flow.flow_src.addr_mask != 32) 1955 flow.flow_src.addr_net = 1; 1956 break; 1957 case AF_INET6: 1958 flow.flow_dst.addr_mask = 1959 mask2prefixlen6((struct sockaddr *)dmask); 1960 if (flow.flow_src.addr_mask != 128) 1961 flow.flow_src.addr_net = 1; 1962 break; 1963 default: 1964 log_debug("%s: bad address family", __func__); 1965 free(reply); 1966 return (0); 1967 } 1968 1969 switch (hdr->sadb_msg_satype) { 1970 case SADB_SATYPE_AH: 1971 flow.flow_saproto = IKEV2_SAPROTO_AH; 1972 break; 1973 case SADB_SATYPE_ESP: 1974 flow.flow_saproto = IKEV2_SAPROTO_ESP; 1975 break; 1976 case SADB_X_SATYPE_IPCOMP: 1977 flow.flow_saproto = IKEV2_SAPROTO_IPCOMP; 1978 break; 1979 } 1980 1981 if ((sa_proto = pfkey_find_ext(reply, rlen, 1982 SADB_X_EXT_FLOW_TYPE)) == NULL) { 1983 errmsg = "flow protocol"; 1984 goto out; 1985 } 1986 flow.flow_dir = sa_proto->sadb_protocol_direction; 1987 flow.flow_rdomain = -1; /* XXX get from kernel */ 1988 1989 log_debug("%s: flow %s from %s/%s to %s/%s via %s", __func__, 1990 flow.flow_dir == IPSP_DIRECTION_IN ? "in" : "out", 1991 print_host(ssrc, NULL, 0), print_host(smask, NULL, 0), 1992 print_host(sdst, NULL, 0), print_host(dmask, NULL, 0), 1993 print_host(speer, NULL, 0)); 1994 1995 ret = ikev2_child_sa_acquire(env, &flow); 1996 1997 out: 1998 if (errmsg) 1999 log_warnx("%s: %s wasn't found", __func__, errmsg); 2000 free(reply); 2001 break; 2002 2003 case SADB_EXPIRE: 2004 if ((sa = pfkey_find_ext(data, len, SADB_EXT_SA)) == NULL) { 2005 log_warnx("%s: SA extension wasn't found", __func__); 2006 return (0); 2007 } 2008 if ((sa_ltime = pfkey_find_ext(data, len, 2009 SADB_EXT_LIFETIME_SOFT)) == NULL && 2010 (sa_ltime = pfkey_find_ext(data, len, 2011 SADB_EXT_LIFETIME_HARD)) == NULL) { 2012 log_warnx("%s: lifetime extension wasn't found", 2013 __func__); 2014 return (0); 2015 } 2016 spi.spi = ntohl(sa->sadb_sa_spi); 2017 spi.spi_size = 4; 2018 switch (hdr->sadb_msg_satype) { 2019 case SADB_SATYPE_AH: 2020 spi.spi_protoid = IKEV2_SAPROTO_AH; 2021 break; 2022 case SADB_SATYPE_ESP: 2023 spi.spi_protoid = IKEV2_SAPROTO_ESP; 2024 break; 2025 case SADB_X_SATYPE_IPCOMP: 2026 spi.spi_size = 2; 2027 spi.spi_protoid = IKEV2_SAPROTO_IPCOMP; 2028 break; 2029 default: 2030 log_warnx("%s: unsupported SA type %d spi %s", 2031 __func__, hdr->sadb_msg_satype, 2032 print_spi(spi.spi, spi.spi_size)); 2033 return (0); 2034 } 2035 2036 log_debug("%s: SA %s is expired, pending %s", __func__, 2037 print_spi(spi.spi, spi.spi_size), 2038 sa_ltime->sadb_lifetime_exttype == SADB_EXT_LIFETIME_SOFT ? 2039 "rekeying" : "deletion"); 2040 2041 if (sa_ltime->sadb_lifetime_exttype == SADB_EXT_LIFETIME_SOFT) 2042 ret = ikev2_child_sa_rekey(env, &spi); 2043 else 2044 ret = ikev2_child_sa_drop(env, &spi); 2045 break; 2046 } 2047 return (ret); 2048 } 2049