1 /* $OpenBSD: pfkey.c,v 1.52 2016/09/03 09:20:07 vgross Exp $ */ 2 3 /* 4 * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org> 5 * Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org> 6 * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org> 7 * Copyright (c) 2003, 2004 Markus Friedl <markus@openbsd.org> 8 * 9 * Permission to use, copy, modify, and distribute this software for any 10 * purpose with or without fee is hereby granted, provided that the above 11 * copyright notice and this permission notice appear in all copies. 12 * 13 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 14 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 15 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 16 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 17 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 18 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 19 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 20 */ 21 22 #include <sys/queue.h> 23 #include <sys/uio.h> 24 #include <sys/socket.h> 25 26 #include <netinet/in.h> 27 #include <netinet/ip_ipsp.h> 28 #include <net/pfkeyv2.h> 29 30 #include <err.h> 31 #include <errno.h> 32 #include <stdio.h> 33 #include <poll.h> 34 #include <string.h> 35 #include <stdlib.h> 36 #include <unistd.h> 37 #include <event.h> 38 39 #include "iked.h" 40 #include "ikev2.h" 41 42 #define ROUNDUP(x) (((x) + (PFKEYV2_CHUNK - 1)) & ~(PFKEYV2_CHUNK - 1)) 43 #define IOV_CNT 20 44 45 #define PFKEYV2_CHUNK sizeof(uint64_t) 46 #define PFKEY_REPLY_TIMEOUT 1000 47 48 static uint32_t sadb_msg_seq = 0; 49 static unsigned int sadb_decoupled = 0; 50 static unsigned int sadb_ipv6refcnt = 0; 51 52 static int pfkey_blockipv6 = 0; 53 static struct event pfkey_timer_ev; 54 static struct timeval pfkey_timer_tv; 55 56 struct pfkey_message { 57 SIMPLEQ_ENTRY(pfkey_message) 58 pm_entry; 59 uint8_t *pm_data; 60 ssize_t pm_length; 61 }; 62 SIMPLEQ_HEAD(, pfkey_message) pfkey_retry, pfkey_postponed = 63 SIMPLEQ_HEAD_INITIALIZER(pfkey_postponed); 64 65 struct pfkey_constmap { 66 uint8_t pfkey_id; 67 unsigned int pfkey_ikeid; 68 unsigned int pfkey_fixedkey; 69 }; 70 71 static const struct pfkey_constmap pfkey_encr[] = { 72 { SADB_EALG_3DESCBC, IKEV2_XFORMENCR_3DES }, 73 { SADB_X_EALG_CAST, IKEV2_XFORMENCR_CAST }, 74 { SADB_X_EALG_BLF, IKEV2_XFORMENCR_BLOWFISH }, 75 { SADB_EALG_NULL, IKEV2_XFORMENCR_NULL }, 76 { SADB_X_EALG_AES, IKEV2_XFORMENCR_AES_CBC }, 77 { SADB_X_EALG_AESCTR, IKEV2_XFORMENCR_AES_CTR }, 78 { SADB_X_EALG_AESGCM16, IKEV2_XFORMENCR_AES_GCM_16 }, 79 { SADB_X_EALG_AESGMAC, IKEV2_XFORMENCR_NULL_AES_GMAC }, 80 { SADB_X_EALG_CHACHA20POLY1305, IKEV2_XFORMENCR_CHACHA20_POLY1305 }, 81 { 0 } 82 }; 83 84 static const struct pfkey_constmap pfkey_integr[] = { 85 { SADB_AALG_MD5HMAC, IKEV2_XFORMAUTH_HMAC_MD5_96 }, 86 { SADB_AALG_SHA1HMAC, IKEV2_XFORMAUTH_HMAC_SHA1_96 }, 87 { SADB_X_AALG_SHA2_256, IKEV2_XFORMAUTH_HMAC_SHA2_256_128 }, 88 { SADB_X_AALG_SHA2_384, IKEV2_XFORMAUTH_HMAC_SHA2_384_192 }, 89 { SADB_X_AALG_SHA2_512, IKEV2_XFORMAUTH_HMAC_SHA2_512_256 }, 90 { 0 } 91 }; 92 93 static const struct pfkey_constmap pfkey_satype[] = { 94 { SADB_SATYPE_AH, IKEV2_SAPROTO_AH }, 95 { SADB_SATYPE_ESP, IKEV2_SAPROTO_ESP }, 96 { SADB_X_SATYPE_IPCOMP, IKEV2_SAPROTO_IPCOMP }, 97 { 0 } 98 }; 99 100 int pfkey_map(const struct pfkey_constmap *, uint16_t, uint8_t *); 101 int pfkey_flow(int, uint8_t, uint8_t, struct iked_flow *); 102 int pfkey_sa(int, uint8_t, uint8_t, struct iked_childsa *); 103 int pfkey_sa_getspi(int, uint8_t, struct iked_childsa *, uint32_t *); 104 int pfkey_sagroup(int, uint8_t, uint8_t, 105 struct iked_childsa *, struct iked_childsa *); 106 int pfkey_write(int, struct sadb_msg *, struct iovec *, int, 107 uint8_t **, ssize_t *); 108 int pfkey_reply(int, uint8_t **, ssize_t *); 109 void pfkey_dispatch(int, short, void *); 110 111 struct sadb_ident * 112 pfkey_id2ident(struct iked_id *, unsigned int); 113 void *pfkey_find_ext(uint8_t *, ssize_t, int); 114 115 void pfkey_timer_cb(int, short, void *); 116 int pfkey_process(struct iked *, struct pfkey_message *); 117 118 int 119 pfkey_couple(int sd, struct iked_sas *sas, int couple) 120 { 121 struct iked_sa *sa; 122 struct iked_flow *flow; 123 struct iked_childsa *csa; 124 const char *mode[] = { "coupled", "decoupled" }; 125 126 /* Socket is not ready */ 127 if (sd == -1) 128 return (-1); 129 130 if (sadb_decoupled == !couple) 131 return (0); 132 133 log_debug("%s: kernel %s -> %s", __func__, 134 mode[sadb_decoupled], mode[!sadb_decoupled]); 135 136 /* Allow writes to the PF_KEY socket */ 137 sadb_decoupled = 0; 138 139 RB_FOREACH(sa, iked_sas, sas) { 140 TAILQ_FOREACH(csa, &sa->sa_childsas, csa_entry) { 141 if (!csa->csa_loaded && couple) 142 (void)pfkey_sa_add(sd, csa, NULL); 143 else if (csa->csa_loaded && !couple) 144 (void)pfkey_sa_delete(sd, csa); 145 } 146 TAILQ_FOREACH(flow, &sa->sa_flows, flow_entry) { 147 if (!flow->flow_loaded && couple) 148 (void)pfkey_flow_add(sd, flow); 149 else if (flow->flow_loaded && !couple) 150 (void)pfkey_flow_delete(sd, flow); 151 } 152 } 153 154 sadb_decoupled = !couple; 155 156 return (0); 157 } 158 159 int 160 pfkey_map(const struct pfkey_constmap *map, uint16_t alg, uint8_t *pfkalg) 161 { 162 int i; 163 164 for (i = 0; map[i].pfkey_id != 0; i++) 165 if (map[i].pfkey_ikeid == alg) { 166 *pfkalg = map[i].pfkey_id; 167 return (0); 168 } 169 return (-1); 170 } 171 172 int 173 pfkey_flow(int sd, uint8_t satype, uint8_t action, struct iked_flow *flow) 174 { 175 struct sadb_msg smsg; 176 struct iked_addr *flow_src, *flow_dst; 177 struct sadb_address sa_src, sa_dst, sa_local, sa_peer, sa_smask, 178 sa_dmask; 179 struct sadb_protocol sa_flowtype, sa_protocol; 180 struct sadb_ident *sa_srcid, *sa_dstid; 181 struct sockaddr_storage ssrc, sdst, slocal, speer, smask, dmask; 182 struct iovec iov[IOV_CNT]; 183 int iov_cnt, ret = -1; 184 185 sa_srcid = sa_dstid = NULL; 186 187 flow_src = &flow->flow_src; 188 flow_dst = &flow->flow_dst; 189 190 if (flow->flow_prenat.addr_af == flow_src->addr_af) { 191 switch (flow->flow_type) { 192 case SADB_X_FLOW_TYPE_USE: 193 flow_dst = &flow->flow_prenat; 194 break; 195 case SADB_X_FLOW_TYPE_REQUIRE: 196 flow_src = &flow->flow_prenat; 197 break; 198 case 0: 199 if (flow->flow_dir == IPSP_DIRECTION_IN) 200 flow_dst = &flow->flow_prenat; 201 else 202 flow_src = &flow->flow_prenat; 203 } 204 } 205 206 bzero(&ssrc, sizeof(ssrc)); 207 bzero(&smask, sizeof(smask)); 208 memcpy(&ssrc, &flow_src->addr, sizeof(ssrc)); 209 memcpy(&smask, &flow_src->addr, sizeof(smask)); 210 socket_af((struct sockaddr *)&ssrc, flow_src->addr_port); 211 socket_af((struct sockaddr *)&smask, flow_src->addr_port ? 212 0xffff : 0); 213 214 switch (flow_src->addr_af) { 215 case AF_INET: 216 ((struct sockaddr_in *)&smask)->sin_addr.s_addr = 217 prefixlen2mask(flow_src->addr_net ? 218 flow_src->addr_mask : 32); 219 break; 220 case AF_INET6: 221 prefixlen2mask6(flow_src->addr_net ? 222 flow_src->addr_mask : 128, 223 (uint32_t *)((struct sockaddr_in6 *) 224 &smask)->sin6_addr.s6_addr); 225 break; 226 default: 227 log_warnx("%s: unsupported address family %d", 228 __func__, flow_src->addr_af); 229 return (-1); 230 } 231 smask.ss_len = ssrc.ss_len; 232 233 bzero(&sdst, sizeof(sdst)); 234 bzero(&dmask, sizeof(dmask)); 235 memcpy(&sdst, &flow_dst->addr, sizeof(sdst)); 236 memcpy(&dmask, &flow_dst->addr, sizeof(dmask)); 237 socket_af((struct sockaddr *)&sdst, flow_dst->addr_port); 238 socket_af((struct sockaddr *)&dmask, flow_dst->addr_port ? 239 0xffff : 0); 240 241 switch (flow_dst->addr_af) { 242 case AF_INET: 243 ((struct sockaddr_in *)&dmask)->sin_addr.s_addr = 244 prefixlen2mask(flow_dst->addr_net ? 245 flow_dst->addr_mask : 32); 246 break; 247 case AF_INET6: 248 prefixlen2mask6(flow_dst->addr_net ? 249 flow_dst->addr_mask : 128, 250 (uint32_t *)((struct sockaddr_in6 *) 251 &dmask)->sin6_addr.s6_addr); 252 break; 253 default: 254 log_warnx("%s: unsupported address family %d", 255 __func__, flow_dst->addr_af); 256 return (-1); 257 } 258 dmask.ss_len = sdst.ss_len; 259 260 bzero(&slocal, sizeof(slocal)); 261 bzero(&speer, sizeof(speer)); 262 if (action != SADB_X_DELFLOW && flow->flow_local != NULL) { 263 memcpy(&slocal, &flow->flow_local->addr, sizeof(slocal)); 264 socket_af((struct sockaddr *)&slocal, 0); 265 266 memcpy(&speer, &flow->flow_peer->addr, sizeof(speer)); 267 socket_af((struct sockaddr *)&speer, 0); 268 } 269 270 bzero(&smsg, sizeof(smsg)); 271 smsg.sadb_msg_version = PF_KEY_V2; 272 smsg.sadb_msg_seq = ++sadb_msg_seq; 273 smsg.sadb_msg_pid = getpid(); 274 smsg.sadb_msg_len = sizeof(smsg) / 8; 275 smsg.sadb_msg_type = action; 276 smsg.sadb_msg_satype = satype; 277 278 bzero(&sa_flowtype, sizeof(sa_flowtype)); 279 sa_flowtype.sadb_protocol_exttype = SADB_X_EXT_FLOW_TYPE; 280 sa_flowtype.sadb_protocol_len = sizeof(sa_flowtype) / 8; 281 sa_flowtype.sadb_protocol_direction = flow->flow_dir; 282 sa_flowtype.sadb_protocol_proto = 283 flow->flow_type ? flow->flow_type : 284 (flow->flow_dir == IPSP_DIRECTION_IN ? 285 SADB_X_FLOW_TYPE_USE : SADB_X_FLOW_TYPE_REQUIRE); 286 287 bzero(&sa_protocol, sizeof(sa_protocol)); 288 sa_protocol.sadb_protocol_exttype = SADB_X_EXT_PROTOCOL; 289 sa_protocol.sadb_protocol_len = sizeof(sa_protocol) / 8; 290 sa_protocol.sadb_protocol_direction = 0; 291 sa_protocol.sadb_protocol_proto = flow->flow_ipproto; 292 293 bzero(&sa_src, sizeof(sa_src)); 294 sa_src.sadb_address_exttype = SADB_X_EXT_SRC_FLOW; 295 sa_src.sadb_address_len = (sizeof(sa_src) + ROUNDUP(ssrc.ss_len)) / 8; 296 297 bzero(&sa_smask, sizeof(sa_smask)); 298 sa_smask.sadb_address_exttype = SADB_X_EXT_SRC_MASK; 299 sa_smask.sadb_address_len = 300 (sizeof(sa_smask) + ROUNDUP(smask.ss_len)) / 8; 301 302 bzero(&sa_dst, sizeof(sa_dst)); 303 sa_dst.sadb_address_exttype = SADB_X_EXT_DST_FLOW; 304 sa_dst.sadb_address_len = (sizeof(sa_dst) + ROUNDUP(sdst.ss_len)) / 8; 305 306 bzero(&sa_dmask, sizeof(sa_dmask)); 307 sa_dmask.sadb_address_exttype = SADB_X_EXT_DST_MASK; 308 sa_dmask.sadb_address_len = 309 (sizeof(sa_dmask) + ROUNDUP(dmask.ss_len)) / 8; 310 311 if (action != SADB_X_DELFLOW && flow->flow_local != NULL) { 312 /* local address */ 313 bzero(&sa_local, sizeof(sa_local)); 314 sa_local.sadb_address_exttype = SADB_EXT_ADDRESS_SRC; 315 sa_local.sadb_address_len = 316 (sizeof(sa_local) + ROUNDUP(slocal.ss_len)) / 8; 317 318 /* peer address */ 319 bzero(&sa_peer, sizeof(sa_peer)); 320 sa_peer.sadb_address_exttype = SADB_EXT_ADDRESS_DST; 321 sa_peer.sadb_address_len = 322 (sizeof(sa_peer) + ROUNDUP(speer.ss_len)) / 8; 323 324 /* local id */ 325 sa_srcid = pfkey_id2ident(IKESA_SRCID(flow->flow_ikesa), 326 SADB_EXT_IDENTITY_SRC); 327 328 /* peer id */ 329 sa_dstid = pfkey_id2ident(IKESA_DSTID(flow->flow_ikesa), 330 SADB_EXT_IDENTITY_DST); 331 } 332 333 iov_cnt = 0; 334 335 /* header */ 336 iov[iov_cnt].iov_base = &smsg; 337 iov[iov_cnt].iov_len = sizeof(smsg); 338 iov_cnt++; 339 340 /* add flow type */ 341 iov[iov_cnt].iov_base = &sa_flowtype; 342 iov[iov_cnt].iov_len = sizeof(sa_flowtype); 343 smsg.sadb_msg_len += sa_flowtype.sadb_protocol_len; 344 iov_cnt++; 345 346 if (action != SADB_X_DELFLOW && flow->flow_local != NULL) { 347 #if 0 348 /* local ip */ 349 iov[iov_cnt].iov_base = &sa_local; 350 iov[iov_cnt].iov_len = sizeof(sa_local); 351 iov_cnt++; 352 iov[iov_cnt].iov_base = &slocal; 353 iov[iov_cnt].iov_len = ROUNDUP(slocal.ss_len); 354 smsg.sadb_msg_len += sa_local.sadb_address_len; 355 iov_cnt++; 356 #endif 357 358 /* remote peer */ 359 iov[iov_cnt].iov_base = &sa_peer; 360 iov[iov_cnt].iov_len = sizeof(sa_peer); 361 iov_cnt++; 362 iov[iov_cnt].iov_base = &speer; 363 iov[iov_cnt].iov_len = ROUNDUP(speer.ss_len); 364 smsg.sadb_msg_len += sa_peer.sadb_address_len; 365 iov_cnt++; 366 } 367 368 /* src addr */ 369 iov[iov_cnt].iov_base = &sa_src; 370 iov[iov_cnt].iov_len = sizeof(sa_src); 371 iov_cnt++; 372 iov[iov_cnt].iov_base = &ssrc; 373 iov[iov_cnt].iov_len = ROUNDUP(ssrc.ss_len); 374 smsg.sadb_msg_len += sa_src.sadb_address_len; 375 iov_cnt++; 376 377 /* src mask */ 378 iov[iov_cnt].iov_base = &sa_smask; 379 iov[iov_cnt].iov_len = sizeof(sa_smask); 380 iov_cnt++; 381 iov[iov_cnt].iov_base = &smask; 382 iov[iov_cnt].iov_len = ROUNDUP(smask.ss_len); 383 smsg.sadb_msg_len += sa_smask.sadb_address_len; 384 iov_cnt++; 385 386 /* dest addr */ 387 iov[iov_cnt].iov_base = &sa_dst; 388 iov[iov_cnt].iov_len = sizeof(sa_dst); 389 iov_cnt++; 390 iov[iov_cnt].iov_base = &sdst; 391 iov[iov_cnt].iov_len = ROUNDUP(sdst.ss_len); 392 smsg.sadb_msg_len += sa_dst.sadb_address_len; 393 iov_cnt++; 394 395 /* dst mask */ 396 iov[iov_cnt].iov_base = &sa_dmask; 397 iov[iov_cnt].iov_len = sizeof(sa_dmask); 398 iov_cnt++; 399 iov[iov_cnt].iov_base = &dmask; 400 iov[iov_cnt].iov_len = ROUNDUP(dmask.ss_len); 401 smsg.sadb_msg_len += sa_dmask.sadb_address_len; 402 iov_cnt++; 403 404 /* add protocol */ 405 iov[iov_cnt].iov_base = &sa_protocol; 406 iov[iov_cnt].iov_len = sizeof(sa_protocol); 407 smsg.sadb_msg_len += sa_protocol.sadb_protocol_len; 408 iov_cnt++; 409 410 if (sa_srcid) { 411 /* src identity */ 412 iov[iov_cnt].iov_base = sa_srcid; 413 iov[iov_cnt].iov_len = sa_srcid->sadb_ident_len * 8; 414 smsg.sadb_msg_len += sa_srcid->sadb_ident_len; 415 iov_cnt++; 416 } 417 if (sa_dstid) { 418 /* dst identity */ 419 iov[iov_cnt].iov_base = sa_dstid; 420 iov[iov_cnt].iov_len = sa_dstid->sadb_ident_len * 8; 421 smsg.sadb_msg_len += sa_dstid->sadb_ident_len; 422 iov_cnt++; 423 } 424 425 ret = pfkey_write(sd, &smsg, iov, iov_cnt, NULL, NULL); 426 427 free(sa_srcid); 428 free(sa_dstid); 429 430 return (ret); 431 } 432 433 int 434 pfkey_sa(int sd, uint8_t satype, uint8_t action, struct iked_childsa *sa) 435 { 436 struct sadb_msg smsg; 437 struct sadb_sa sadb; 438 struct sadb_address sa_src, sa_dst; 439 struct sadb_key sa_authkey, sa_enckey; 440 struct sadb_lifetime sa_ltime_hard, sa_ltime_soft; 441 struct sadb_x_udpencap udpencap; 442 struct sadb_x_tag sa_tag; 443 char *tag = NULL; 444 struct sadb_x_tap sa_tap; 445 struct sockaddr_storage ssrc, sdst; 446 struct sadb_ident *sa_srcid, *sa_dstid; 447 struct iked_lifetime *lt; 448 struct iked_policy *pol; 449 struct iovec iov[IOV_CNT]; 450 uint32_t jitter; 451 int iov_cnt; 452 453 sa_srcid = sa_dstid = NULL; 454 455 if (sa->csa_ikesa == NULL || sa->csa_ikesa->sa_policy == NULL) { 456 log_warn("%s: invalid SA and policy", __func__); 457 return (-1); 458 } 459 pol = sa->csa_ikesa->sa_policy; 460 lt = &pol->pol_lifetime; 461 462 bzero(&ssrc, sizeof(ssrc)); 463 memcpy(&ssrc, &sa->csa_local->addr, sizeof(ssrc)); 464 if (socket_af((struct sockaddr *)&ssrc, 0) == -1) { 465 log_warn("%s: invalid address", __func__); 466 return (-1); 467 } 468 469 bzero(&sdst, sizeof(sdst)); 470 memcpy(&sdst, &sa->csa_peer->addr, sizeof(sdst)); 471 if (socket_af((struct sockaddr *)&sdst, 0) == -1) { 472 log_warn("%s: invalid address", __func__); 473 return (-1); 474 } 475 476 bzero(&smsg, sizeof(smsg)); 477 smsg.sadb_msg_version = PF_KEY_V2; 478 smsg.sadb_msg_seq = ++sadb_msg_seq; 479 smsg.sadb_msg_pid = getpid(); 480 smsg.sadb_msg_len = sizeof(smsg) / 8; 481 smsg.sadb_msg_type = action; 482 smsg.sadb_msg_satype = satype; 483 484 bzero(&sadb, sizeof(sadb)); 485 sadb.sadb_sa_len = sizeof(sadb) / 8; 486 sadb.sadb_sa_exttype = SADB_EXT_SA; 487 sadb.sadb_sa_spi = htonl(sa->csa_spi.spi); 488 sadb.sadb_sa_state = SADB_SASTATE_MATURE; 489 sadb.sadb_sa_replay = 64; 490 491 if (!sa->csa_transport) 492 sadb.sadb_sa_flags |= SADB_X_SAFLAGS_TUNNEL; 493 494 if (sa->csa_esn) 495 sadb.sadb_sa_flags |= SADB_X_SAFLAGS_ESN; 496 497 bzero(&sa_src, sizeof(sa_src)); 498 sa_src.sadb_address_len = (sizeof(sa_src) + ROUNDUP(ssrc.ss_len)) / 8; 499 sa_src.sadb_address_exttype = SADB_EXT_ADDRESS_SRC; 500 501 bzero(&sa_dst, sizeof(sa_dst)); 502 sa_dst.sadb_address_len = (sizeof(sa_dst) + ROUNDUP(sdst.ss_len)) / 8; 503 sa_dst.sadb_address_exttype = SADB_EXT_ADDRESS_DST; 504 505 bzero(&sa_authkey, sizeof(sa_authkey)); 506 bzero(&sa_enckey, sizeof(sa_enckey)); 507 bzero(&udpencap, sizeof udpencap); 508 bzero(&sa_ltime_hard, sizeof(sa_ltime_hard)); 509 bzero(&sa_ltime_soft, sizeof(sa_ltime_soft)); 510 511 if (action == SADB_DELETE) 512 goto send; 513 514 if ((action == SADB_ADD || action == SADB_UPDATE) && 515 !sa->csa_persistent && (lt->lt_bytes || lt->lt_seconds)) { 516 sa_ltime_hard.sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD; 517 sa_ltime_hard.sadb_lifetime_len = sizeof(sa_ltime_hard) / 8; 518 sa_ltime_hard.sadb_lifetime_bytes = lt->lt_bytes; 519 sa_ltime_hard.sadb_lifetime_addtime = lt->lt_seconds; 520 521 /* double the lifetime for IP compression */ 522 if (satype == SADB_X_SATYPE_IPCOMP) 523 sa_ltime_hard.sadb_lifetime_addtime *= 2; 524 525 sa_ltime_soft.sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT; 526 sa_ltime_soft.sadb_lifetime_len = sizeof(sa_ltime_soft) / 8; 527 /* set randomly to 85-95% */ 528 jitter = 850 + arc4random_uniform(100); 529 sa_ltime_soft.sadb_lifetime_bytes = 530 (sa_ltime_hard.sadb_lifetime_bytes * jitter) / 1000; 531 sa_ltime_soft.sadb_lifetime_addtime = 532 (sa_ltime_hard.sadb_lifetime_addtime * jitter) / 1000; 533 } 534 535 /* XXX handle NULL encryption or NULL auth or combined encr/auth */ 536 if (action == SADB_ADD && 537 !ibuf_length(sa->csa_integrkey) && !ibuf_length(sa->csa_encrkey) && 538 satype != SADB_X_SATYPE_IPCOMP && satype != SADB_X_SATYPE_IPIP) { 539 log_warnx("%s: no key specified", __func__); 540 return (-1); 541 } 542 543 if (satype == SADB_SATYPE_ESP && 544 sa->csa_ikesa->sa_udpencap && sa->csa_ikesa->sa_natt) { 545 sadb.sadb_sa_flags |= SADB_X_SAFLAGS_UDPENCAP; 546 udpencap.sadb_x_udpencap_exttype = SADB_X_EXT_UDPENCAP; 547 udpencap.sadb_x_udpencap_len = sizeof(udpencap) / 8; 548 udpencap.sadb_x_udpencap_port = 549 sa->csa_ikesa->sa_peer.addr_port; 550 551 log_debug("%s: udpencap port %d", __func__, 552 ntohs(udpencap.sadb_x_udpencap_port)); 553 } 554 555 if (sa->csa_integrid) 556 if (pfkey_map(pfkey_integr, 557 sa->csa_integrid, &sadb.sadb_sa_auth) == -1) { 558 log_warnx("%s: unsupported integrity algorithm %s", 559 __func__, print_map(sa->csa_integrid, 560 ikev2_xformauth_map)); 561 return (-1); 562 } 563 564 if (sa->csa_encrid) 565 if (pfkey_map(pfkey_encr, 566 sa->csa_encrid, &sadb.sadb_sa_encrypt) == -1) { 567 log_warnx("%s: unsupported encryption algorithm %s", 568 __func__, print_map(sa->csa_encrid, 569 ikev2_xformencr_map)); 570 return (-1); 571 } 572 573 if (ibuf_length(sa->csa_integrkey)) { 574 sa_authkey.sadb_key_len = (sizeof(sa_authkey) + 575 ((ibuf_size(sa->csa_integrkey) + 7) / 8) * 8) / 8; 576 sa_authkey.sadb_key_exttype = SADB_EXT_KEY_AUTH; 577 sa_authkey.sadb_key_bits = 578 8 * ibuf_size(sa->csa_integrkey); 579 } 580 581 if (ibuf_length(sa->csa_encrkey)) { 582 sa_enckey.sadb_key_len = (sizeof(sa_enckey) + 583 ((ibuf_size(sa->csa_encrkey) + 7) / 8) * 8) / 8; 584 sa_enckey.sadb_key_exttype = SADB_EXT_KEY_ENCRYPT; 585 sa_enckey.sadb_key_bits = 586 8 * ibuf_size(sa->csa_encrkey); 587 } 588 589 /* we only support deflate */ 590 if (satype == SADB_X_SATYPE_IPCOMP) 591 sadb.sadb_sa_encrypt = SADB_X_CALG_DEFLATE; 592 593 /* Note that we need to swap the IDs for incoming SAs (SADB_UPDATE) */ 594 if (action != SADB_UPDATE) { 595 sa_srcid = pfkey_id2ident( 596 IKESA_SRCID(sa->csa_ikesa), SADB_EXT_IDENTITY_SRC); 597 sa_dstid = pfkey_id2ident( 598 IKESA_DSTID(sa->csa_ikesa), SADB_EXT_IDENTITY_DST); 599 } else { 600 sa_srcid = pfkey_id2ident( 601 IKESA_DSTID(sa->csa_ikesa), SADB_EXT_IDENTITY_SRC); 602 sa_dstid = pfkey_id2ident( 603 IKESA_SRCID(sa->csa_ikesa), SADB_EXT_IDENTITY_DST); 604 } 605 606 tag = sa->csa_ikesa->sa_tag; 607 if (tag != NULL && *tag != '\0') { 608 bzero(&sa_tag, sizeof(sa_tag)); 609 sa_tag.sadb_x_tag_exttype = SADB_X_EXT_TAG; 610 sa_tag.sadb_x_tag_len = 611 (ROUNDUP(strlen(tag) + 1) + sizeof(sa_tag)) / 8; 612 sa_tag.sadb_x_tag_taglen = strlen(tag) + 1; 613 } else 614 tag = NULL; 615 616 if (pol->pol_tap != 0) { 617 bzero(&sa_tap, sizeof(sa_tap)); 618 sa_tap.sadb_x_tap_exttype = SADB_X_EXT_TAP; 619 sa_tap.sadb_x_tap_len = sizeof(sa_tap) / 8; 620 sa_tap.sadb_x_tap_unit = pol->pol_tap; 621 } 622 623 send: 624 iov_cnt = 0; 625 626 /* header */ 627 iov[iov_cnt].iov_base = &smsg; 628 iov[iov_cnt].iov_len = sizeof(smsg); 629 iov_cnt++; 630 631 /* sa */ 632 iov[iov_cnt].iov_base = &sadb; 633 iov[iov_cnt].iov_len = sizeof(sadb); 634 smsg.sadb_msg_len += sadb.sadb_sa_len; 635 iov_cnt++; 636 637 /* src addr */ 638 iov[iov_cnt].iov_base = &sa_src; 639 iov[iov_cnt].iov_len = sizeof(sa_src); 640 iov_cnt++; 641 iov[iov_cnt].iov_base = &ssrc; 642 iov[iov_cnt].iov_len = ROUNDUP(ssrc.ss_len); 643 smsg.sadb_msg_len += sa_src.sadb_address_len; 644 iov_cnt++; 645 646 /* dst addr */ 647 iov[iov_cnt].iov_base = &sa_dst; 648 iov[iov_cnt].iov_len = sizeof(sa_dst); 649 iov_cnt++; 650 iov[iov_cnt].iov_base = &sdst; 651 iov[iov_cnt].iov_len = ROUNDUP(sdst.ss_len); 652 smsg.sadb_msg_len += sa_dst.sadb_address_len; 653 iov_cnt++; 654 655 if (sa_ltime_soft.sadb_lifetime_len) { 656 /* soft lifetime */ 657 iov[iov_cnt].iov_base = &sa_ltime_soft; 658 iov[iov_cnt].iov_len = sizeof(sa_ltime_soft); 659 smsg.sadb_msg_len += sa_ltime_soft.sadb_lifetime_len; 660 iov_cnt++; 661 } 662 663 if (sa_ltime_hard.sadb_lifetime_len) { 664 /* hard lifetime */ 665 iov[iov_cnt].iov_base = &sa_ltime_hard; 666 iov[iov_cnt].iov_len = sizeof(sa_ltime_hard); 667 smsg.sadb_msg_len += sa_ltime_hard.sadb_lifetime_len; 668 iov_cnt++; 669 } 670 671 if (udpencap.sadb_x_udpencap_len) { 672 iov[iov_cnt].iov_base = &udpencap; 673 iov[iov_cnt].iov_len = sizeof(udpencap); 674 smsg.sadb_msg_len += udpencap.sadb_x_udpencap_len; 675 iov_cnt++; 676 } 677 678 if (sa_enckey.sadb_key_len) { 679 /* encryption key */ 680 iov[iov_cnt].iov_base = &sa_enckey; 681 iov[iov_cnt].iov_len = sizeof(sa_enckey); 682 iov_cnt++; 683 iov[iov_cnt].iov_base = ibuf_data(sa->csa_encrkey); 684 iov[iov_cnt].iov_len = 685 ((ibuf_size(sa->csa_encrkey) + 7) / 8) * 8; 686 smsg.sadb_msg_len += sa_enckey.sadb_key_len; 687 iov_cnt++; 688 } 689 if (sa_authkey.sadb_key_len) { 690 /* authentication key */ 691 iov[iov_cnt].iov_base = &sa_authkey; 692 iov[iov_cnt].iov_len = sizeof(sa_authkey); 693 iov_cnt++; 694 iov[iov_cnt].iov_base = ibuf_data(sa->csa_integrkey); 695 iov[iov_cnt].iov_len = 696 ((ibuf_size(sa->csa_integrkey) + 7) / 8) * 8; 697 smsg.sadb_msg_len += sa_authkey.sadb_key_len; 698 iov_cnt++; 699 } 700 701 if (sa_srcid) { 702 /* src identity */ 703 iov[iov_cnt].iov_base = sa_srcid; 704 iov[iov_cnt].iov_len = sa_srcid->sadb_ident_len * 8; 705 smsg.sadb_msg_len += sa_srcid->sadb_ident_len; 706 iov_cnt++; 707 } 708 if (sa_dstid) { 709 /* dst identity */ 710 iov[iov_cnt].iov_base = sa_dstid; 711 iov[iov_cnt].iov_len = sa_dstid->sadb_ident_len * 8; 712 smsg.sadb_msg_len += sa_dstid->sadb_ident_len; 713 iov_cnt++; 714 } 715 716 if (tag != NULL) { 717 /* tag identity */ 718 iov[iov_cnt].iov_base = &sa_tag; 719 iov[iov_cnt].iov_len = sizeof(sa_tag); 720 iov_cnt++; 721 iov[iov_cnt].iov_base = tag; 722 iov[iov_cnt].iov_len = ROUNDUP(strlen(tag) + 1); 723 smsg.sadb_msg_len += sa_tag.sadb_x_tag_len; 724 iov_cnt++; 725 } 726 727 if (pol->pol_tap != 0) { 728 /* enc(4) device tap unit */ 729 iov[iov_cnt].iov_base = &sa_tap; 730 iov[iov_cnt].iov_len = sizeof(sa_tap); 731 smsg.sadb_msg_len += sa_tap.sadb_x_tap_len; 732 iov_cnt++; 733 } 734 735 return (pfkey_write(sd, &smsg, iov, iov_cnt, NULL, NULL)); 736 } 737 738 int 739 pfkey_sa_last_used(int sd, struct iked_childsa *sa, uint64_t *last_used) 740 { 741 struct sadb_msg *msg, smsg; 742 struct sadb_address sa_src, sa_dst; 743 struct sadb_sa sadb; 744 struct sadb_lifetime *sa_life; 745 struct sockaddr_storage ssrc, sdst; 746 struct iovec iov[IOV_CNT]; 747 uint8_t *data; 748 ssize_t n; 749 int iov_cnt, ret = -1; 750 uint8_t satype; 751 752 *last_used = 0; 753 754 if (pfkey_map(pfkey_satype, sa->csa_saproto, &satype) == -1) 755 return (-1); 756 757 bzero(&ssrc, sizeof(ssrc)); 758 memcpy(&ssrc, &sa->csa_local->addr, sizeof(ssrc)); 759 if (socket_af((struct sockaddr *)&ssrc, 0) == -1) { 760 log_warn("%s: invalid address", __func__); 761 return (-1); 762 } 763 764 bzero(&sdst, sizeof(sdst)); 765 memcpy(&sdst, &sa->csa_peer->addr, sizeof(sdst)); 766 if (socket_af((struct sockaddr *)&sdst, 0) == -1) { 767 log_warn("%s: invalid address", __func__); 768 return (-1); 769 } 770 771 bzero(&smsg, sizeof(smsg)); 772 smsg.sadb_msg_version = PF_KEY_V2; 773 smsg.sadb_msg_seq = ++sadb_msg_seq; 774 smsg.sadb_msg_pid = getpid(); 775 smsg.sadb_msg_len = sizeof(smsg) / 8; 776 smsg.sadb_msg_type = SADB_GET; 777 smsg.sadb_msg_satype = satype; 778 779 bzero(&sadb, sizeof(sadb)); 780 sadb.sadb_sa_len = sizeof(sadb) / 8; 781 sadb.sadb_sa_exttype = SADB_EXT_SA; 782 sadb.sadb_sa_spi = htonl(sa->csa_spi.spi); 783 sadb.sadb_sa_state = SADB_SASTATE_MATURE; 784 sadb.sadb_sa_replay = 64; 785 786 bzero(&sa_src, sizeof(sa_src)); 787 sa_src.sadb_address_len = (sizeof(sa_src) + ROUNDUP(ssrc.ss_len)) / 8; 788 sa_src.sadb_address_exttype = SADB_EXT_ADDRESS_SRC; 789 790 bzero(&sa_dst, sizeof(sa_dst)); 791 sa_dst.sadb_address_len = (sizeof(sa_dst) + ROUNDUP(sdst.ss_len)) / 8; 792 sa_dst.sadb_address_exttype = SADB_EXT_ADDRESS_DST; 793 794 iov_cnt = 0; 795 796 /* header */ 797 iov[iov_cnt].iov_base = &smsg; 798 iov[iov_cnt].iov_len = sizeof(smsg); 799 iov_cnt++; 800 801 /* sa */ 802 iov[iov_cnt].iov_base = &sadb; 803 iov[iov_cnt].iov_len = sizeof(sadb); 804 smsg.sadb_msg_len += sadb.sadb_sa_len; 805 iov_cnt++; 806 807 /* src addr */ 808 iov[iov_cnt].iov_base = &sa_src; 809 iov[iov_cnt].iov_len = sizeof(sa_src); 810 iov_cnt++; 811 iov[iov_cnt].iov_base = &ssrc; 812 iov[iov_cnt].iov_len = ROUNDUP(ssrc.ss_len); 813 smsg.sadb_msg_len += sa_src.sadb_address_len; 814 iov_cnt++; 815 816 /* dst addr */ 817 iov[iov_cnt].iov_base = &sa_dst; 818 iov[iov_cnt].iov_len = sizeof(sa_dst); 819 iov_cnt++; 820 iov[iov_cnt].iov_base = &sdst; 821 iov[iov_cnt].iov_len = ROUNDUP(sdst.ss_len); 822 smsg.sadb_msg_len += sa_dst.sadb_address_len; 823 iov_cnt++; 824 825 if ((ret = pfkey_write(sd, &smsg, iov, iov_cnt, &data, &n)) != 0) 826 return (-1); 827 828 msg = (struct sadb_msg *)data; 829 if (msg->sadb_msg_errno != 0) { 830 errno = msg->sadb_msg_errno; 831 ret = -1; 832 log_warn("%s: message", __func__); 833 goto done; 834 } 835 if ((sa_life = pfkey_find_ext(data, n, SADB_X_EXT_LIFETIME_LASTUSE)) 836 == NULL) { 837 /* has never been used */ 838 ret = -1; 839 goto done; 840 } 841 *last_used = sa_life->sadb_lifetime_usetime; 842 log_debug("%s: last_used %llu", __func__, *last_used); 843 844 done: 845 explicit_bzero(data, n); 846 free(data); 847 return (ret); 848 } 849 850 int 851 pfkey_sa_getspi(int sd, uint8_t satype, struct iked_childsa *sa, 852 uint32_t *spip) 853 { 854 struct sadb_msg *msg, smsg; 855 struct sadb_address sa_src, sa_dst; 856 struct sadb_sa *sa_ext; 857 struct sadb_spirange sa_spirange; 858 struct sockaddr_storage ssrc, sdst; 859 struct iovec iov[IOV_CNT]; 860 uint8_t *data; 861 ssize_t n; 862 int iov_cnt, ret = -1; 863 864 bzero(&ssrc, sizeof(ssrc)); 865 memcpy(&ssrc, &sa->csa_local->addr, sizeof(ssrc)); 866 if (socket_af((struct sockaddr *)&ssrc, 0) == -1) { 867 log_warn("%s: invalid address", __func__); 868 return (-1); 869 } 870 871 bzero(&sdst, sizeof(sdst)); 872 memcpy(&sdst, &sa->csa_peer->addr, sizeof(sdst)); 873 if (socket_af((struct sockaddr *)&sdst, 0) == -1) { 874 log_warn("%s: invalid address", __func__); 875 return (-1); 876 } 877 878 bzero(&smsg, sizeof(smsg)); 879 smsg.sadb_msg_version = PF_KEY_V2; 880 smsg.sadb_msg_seq = ++sadb_msg_seq; 881 smsg.sadb_msg_pid = getpid(); 882 smsg.sadb_msg_len = sizeof(smsg) / 8; 883 smsg.sadb_msg_type = SADB_GETSPI; 884 smsg.sadb_msg_satype = satype; 885 886 bzero(&sa_spirange, sizeof(sa_spirange)); 887 sa_spirange.sadb_spirange_exttype = SADB_EXT_SPIRANGE; 888 sa_spirange.sadb_spirange_len = sizeof(sa_spirange) / 8; 889 sa_spirange.sadb_spirange_min = 0x100; 890 sa_spirange.sadb_spirange_max = (satype == SADB_X_SATYPE_IPCOMP) ? 891 (CPI_PRIVATE_MIN - 1) : 0xffffffff; 892 sa_spirange.sadb_spirange_reserved = 0; 893 894 bzero(&sa_src, sizeof(sa_src)); 895 sa_src.sadb_address_len = (sizeof(sa_src) + ROUNDUP(ssrc.ss_len)) / 8; 896 sa_src.sadb_address_exttype = SADB_EXT_ADDRESS_SRC; 897 898 bzero(&sa_dst, sizeof(sa_dst)); 899 sa_dst.sadb_address_len = (sizeof(sa_dst) + ROUNDUP(sdst.ss_len)) / 8; 900 sa_dst.sadb_address_exttype = SADB_EXT_ADDRESS_DST; 901 902 iov_cnt = 0; 903 904 /* header */ 905 iov[iov_cnt].iov_base = &smsg; 906 iov[iov_cnt].iov_len = sizeof(smsg); 907 iov_cnt++; 908 909 /* SPI range */ 910 iov[iov_cnt].iov_base = &sa_spirange; 911 iov[iov_cnt].iov_len = sizeof(sa_spirange); 912 smsg.sadb_msg_len += sa_spirange.sadb_spirange_len; 913 iov_cnt++; 914 915 /* src addr */ 916 iov[iov_cnt].iov_base = &sa_src; 917 iov[iov_cnt].iov_len = sizeof(sa_src); 918 iov_cnt++; 919 iov[iov_cnt].iov_base = &ssrc; 920 iov[iov_cnt].iov_len = ROUNDUP(ssrc.ss_len); 921 smsg.sadb_msg_len += sa_src.sadb_address_len; 922 iov_cnt++; 923 924 /* dst addr */ 925 iov[iov_cnt].iov_base = &sa_dst; 926 iov[iov_cnt].iov_len = sizeof(sa_dst); 927 iov_cnt++; 928 iov[iov_cnt].iov_base = &sdst; 929 iov[iov_cnt].iov_len = ROUNDUP(sdst.ss_len); 930 smsg.sadb_msg_len += sa_dst.sadb_address_len; 931 iov_cnt++; 932 933 *spip = 0; 934 935 if ((ret = pfkey_write(sd, &smsg, iov, iov_cnt, &data, &n)) != 0) 936 return (-1); 937 938 msg = (struct sadb_msg *)data; 939 if (msg->sadb_msg_errno != 0) { 940 errno = msg->sadb_msg_errno; 941 log_warn("%s: message", __func__); 942 goto done; 943 } 944 if ((sa_ext = pfkey_find_ext(data, n, SADB_EXT_SA)) == NULL) { 945 log_debug("%s: erronous reply", __func__); 946 goto done; 947 } 948 949 *spip = ntohl(sa_ext->sadb_sa_spi); 950 log_debug("%s: spi 0x%08x", __func__, *spip); 951 952 done: 953 explicit_bzero(data, n); 954 free(data); 955 return (ret); 956 } 957 958 int 959 pfkey_sagroup(int sd, uint8_t satype1, uint8_t action, 960 struct iked_childsa *sa1, struct iked_childsa *sa2) 961 { 962 struct sadb_msg smsg; 963 struct sadb_sa sadb1, sadb2; 964 struct sadb_address sa_dst1, sa_dst2; 965 struct sockaddr_storage sdst1, sdst2; 966 struct sadb_protocol sa_proto; 967 struct iovec iov[IOV_CNT]; 968 int iov_cnt; 969 uint8_t satype2; 970 971 if (pfkey_map(pfkey_satype, sa2->csa_saproto, &satype2) == -1) 972 return (-1); 973 974 bzero(&sdst1, sizeof(sdst1)); 975 memcpy(&sdst1, &sa1->csa_peer->addr, sizeof(sdst1)); 976 if (socket_af((struct sockaddr *)&sdst1, 0) == -1) { 977 log_warnx("%s: unsupported address family %d", 978 __func__, sdst1.ss_family); 979 return (-1); 980 } 981 982 bzero(&sdst2, sizeof(sdst2)); 983 memcpy(&sdst2, &sa2->csa_peer->addr, sizeof(sdst2)); 984 if (socket_af((struct sockaddr *)&sdst2, 0) == -1) { 985 log_warnx("%s: unsupported address family %d", 986 __func__, sdst2.ss_family); 987 return (-1); 988 } 989 990 bzero(&smsg, sizeof(smsg)); 991 smsg.sadb_msg_version = PF_KEY_V2; 992 smsg.sadb_msg_seq = ++sadb_msg_seq; 993 smsg.sadb_msg_pid = getpid(); 994 smsg.sadb_msg_len = sizeof(smsg) / 8; 995 smsg.sadb_msg_type = action; 996 smsg.sadb_msg_satype = satype1; 997 998 bzero(&sadb1, sizeof(sadb1)); 999 sadb1.sadb_sa_len = sizeof(sadb1) / 8; 1000 sadb1.sadb_sa_exttype = SADB_EXT_SA; 1001 sadb1.sadb_sa_spi = htonl(sa1->csa_spi.spi); 1002 sadb1.sadb_sa_state = SADB_SASTATE_MATURE; 1003 1004 bzero(&sadb2, sizeof(sadb2)); 1005 sadb2.sadb_sa_len = sizeof(sadb2) / 8; 1006 sadb2.sadb_sa_exttype = SADB_X_EXT_SA2; 1007 sadb2.sadb_sa_spi = htonl(sa2->csa_spi.spi); 1008 sadb2.sadb_sa_state = SADB_SASTATE_MATURE; 1009 iov_cnt = 0; 1010 1011 bzero(&sa_dst1, sizeof(sa_dst1)); 1012 sa_dst1.sadb_address_exttype = SADB_EXT_ADDRESS_DST; 1013 sa_dst1.sadb_address_len = 1014 (sizeof(sa_dst1) + ROUNDUP(sdst1.ss_len)) / 8; 1015 1016 bzero(&sa_dst2, sizeof(sa_dst2)); 1017 sa_dst2.sadb_address_exttype = SADB_X_EXT_DST2; 1018 sa_dst2.sadb_address_len = 1019 (sizeof(sa_dst2) + ROUNDUP(sdst2.ss_len)) / 8; 1020 1021 bzero(&sa_proto, sizeof(sa_proto)); 1022 sa_proto.sadb_protocol_exttype = SADB_X_EXT_PROTOCOL; 1023 sa_proto.sadb_protocol_len = sizeof(sa_proto) / 8; 1024 sa_proto.sadb_protocol_direction = 0; 1025 sa_proto.sadb_protocol_proto = satype2; 1026 1027 /* header */ 1028 iov[iov_cnt].iov_base = &smsg; 1029 iov[iov_cnt].iov_len = sizeof(smsg); 1030 iov_cnt++; 1031 1032 /* sa */ 1033 iov[iov_cnt].iov_base = &sadb1; 1034 iov[iov_cnt].iov_len = sizeof(sadb1); 1035 smsg.sadb_msg_len += sadb1.sadb_sa_len; 1036 iov_cnt++; 1037 1038 /* dst addr */ 1039 iov[iov_cnt].iov_base = &sa_dst1; 1040 iov[iov_cnt].iov_len = sizeof(sa_dst1); 1041 iov_cnt++; 1042 iov[iov_cnt].iov_base = &sdst1; 1043 iov[iov_cnt].iov_len = ROUNDUP(sdst1.ss_len); 1044 smsg.sadb_msg_len += sa_dst1.sadb_address_len; 1045 iov_cnt++; 1046 1047 /* second sa */ 1048 iov[iov_cnt].iov_base = &sadb2; 1049 iov[iov_cnt].iov_len = sizeof(sadb2); 1050 smsg.sadb_msg_len += sadb2.sadb_sa_len; 1051 iov_cnt++; 1052 1053 /* second dst addr */ 1054 iov[iov_cnt].iov_base = &sa_dst2; 1055 iov[iov_cnt].iov_len = sizeof(sa_dst2); 1056 iov_cnt++; 1057 iov[iov_cnt].iov_base = &sdst2; 1058 iov[iov_cnt].iov_len = ROUNDUP(sdst2.ss_len); 1059 smsg.sadb_msg_len += sa_dst2.sadb_address_len; 1060 iov_cnt++; 1061 1062 /* SA type */ 1063 iov[iov_cnt].iov_base = &sa_proto; 1064 iov[iov_cnt].iov_len = sizeof(sa_proto); 1065 smsg.sadb_msg_len += sa_proto.sadb_protocol_len; 1066 iov_cnt++; 1067 1068 return (pfkey_write(sd, &smsg, iov, iov_cnt, NULL, NULL)); 1069 } 1070 1071 int 1072 pfkey_write(int sd, struct sadb_msg *smsg, struct iovec *iov, int iov_cnt, 1073 uint8_t **datap, ssize_t *lenp) 1074 { 1075 ssize_t n, len = smsg->sadb_msg_len * 8; 1076 1077 if (sadb_decoupled) { 1078 switch (smsg->sadb_msg_type) { 1079 case SADB_GETSPI: 1080 /* we need to get a new SPI from the kernel */ 1081 break; 1082 default: 1083 if (datap || lenp) { 1084 log_warnx("%s: pfkey not coupled", __func__); 1085 return (-1); 1086 } 1087 /* ignore request */ 1088 return (0); 1089 } 1090 } 1091 1092 if ((n = writev(sd, iov, iov_cnt)) == -1) { 1093 log_warn("%s: writev failed", __func__); 1094 return (-1); 1095 } else if (n != len) { 1096 log_warn("%s: short write", __func__); 1097 return (-1); 1098 } 1099 1100 return (pfkey_reply(sd, datap, lenp)); 1101 } 1102 1103 int 1104 pfkey_reply(int sd, uint8_t **datap, ssize_t *lenp) 1105 { 1106 struct pfkey_message *pm; 1107 struct sadb_msg hdr; 1108 ssize_t len; 1109 uint8_t *data; 1110 struct pollfd pfd[1]; 1111 int n; 1112 1113 pfd[0].fd = sd; 1114 pfd[0].events = POLLIN; 1115 1116 for (;;) { 1117 /* 1118 * We should actually expect the reply to get lost 1119 * as PF_KEY is an unreliable service per the specs. 1120 * Currently we do this by setting a short timeout, 1121 * and if it is not readable in that time, we fail 1122 * the read. 1123 */ 1124 n = poll(pfd, 1, PFKEY_REPLY_TIMEOUT / 1000); 1125 if (n == -1) { 1126 log_warn("%s: poll() failed", __func__); 1127 return (-1); 1128 } 1129 if (n == 0) { 1130 log_warnx("%s: no reply from PF_KEY", __func__); 1131 return (-1); 1132 } 1133 1134 if (recv(sd, &hdr, sizeof(hdr), MSG_PEEK) != sizeof(hdr)) { 1135 log_warn("%s: short recv", __func__); 1136 return (-1); 1137 } 1138 1139 if (hdr.sadb_msg_version != PF_KEY_V2) { 1140 log_warnx("%s: wrong pfkey version", __func__); 1141 return (-1); 1142 } 1143 1144 if ((data = reallocarray(NULL, hdr.sadb_msg_len, 1145 PFKEYV2_CHUNK)) == NULL) { 1146 log_warn("%s: malloc", __func__); 1147 return (-1); 1148 } 1149 len = hdr.sadb_msg_len * PFKEYV2_CHUNK; 1150 1151 if (read(sd, data, len) != len) { 1152 log_warnx("%s: short read", __func__); 1153 free(data); 1154 return (-1); 1155 } 1156 1157 /* XXX: Only one message can be outstanding. */ 1158 if (hdr.sadb_msg_seq == sadb_msg_seq && 1159 hdr.sadb_msg_pid == (uint32_t)getpid()) 1160 break; 1161 1162 /* ignore messages for other processes */ 1163 if (hdr.sadb_msg_pid != 0 && 1164 hdr.sadb_msg_pid != (uint32_t)getpid()) { 1165 free(data); 1166 continue; 1167 } 1168 1169 /* not the reply, enqueue */ 1170 if ((pm = malloc(sizeof(*pm))) == NULL) { 1171 log_warn("%s: malloc", __func__); 1172 free(data); 1173 return (-1); 1174 } 1175 pm->pm_data = data; 1176 pm->pm_length = len; 1177 SIMPLEQ_INSERT_TAIL(&pfkey_postponed, pm, pm_entry); 1178 evtimer_add(&pfkey_timer_ev, &pfkey_timer_tv); 1179 } 1180 1181 if (datap) { 1182 *datap = data; 1183 if (lenp) 1184 *lenp = len; 1185 } else 1186 free(data); 1187 1188 if (datap == NULL && hdr.sadb_msg_errno != 0) { 1189 errno = hdr.sadb_msg_errno; 1190 if (errno != EEXIST) { 1191 log_warn("%s: message", __func__); 1192 return (-1); 1193 } 1194 } 1195 return (0); 1196 } 1197 1198 int 1199 pfkey_flow_add(int fd, struct iked_flow *flow) 1200 { 1201 uint8_t satype; 1202 1203 if (flow->flow_loaded) 1204 return (0); 1205 1206 if (pfkey_map(pfkey_satype, flow->flow_saproto, &satype) == -1) 1207 return (-1); 1208 1209 if (pfkey_flow(fd, satype, SADB_X_ADDFLOW, flow) == -1) 1210 return (-1); 1211 1212 flow->flow_loaded = 1; 1213 1214 if (flow->flow_dst.addr_af == AF_INET6) { 1215 sadb_ipv6refcnt++; 1216 if (sadb_ipv6refcnt == 1) 1217 return (pfkey_block(fd, AF_INET6, SADB_X_DELFLOW)); 1218 } 1219 1220 return (0); 1221 } 1222 1223 int 1224 pfkey_flow_delete(int fd, struct iked_flow *flow) 1225 { 1226 uint8_t satype; 1227 1228 if (!flow->flow_loaded) 1229 return (0); 1230 1231 if (pfkey_map(pfkey_satype, flow->flow_saproto, &satype) == -1) 1232 return (-1); 1233 1234 if (pfkey_flow(fd, satype, SADB_X_DELFLOW, flow) == -1) 1235 return (-1); 1236 1237 flow->flow_loaded = 0; 1238 1239 if (flow->flow_dst.addr_af == AF_INET6) { 1240 sadb_ipv6refcnt--; 1241 if (sadb_ipv6refcnt == 0) 1242 return (pfkey_block(fd, AF_INET6, SADB_X_ADDFLOW)); 1243 } 1244 1245 return (0); 1246 } 1247 1248 int 1249 pfkey_block(int fd, int af, unsigned int action) 1250 { 1251 struct iked_flow flow; 1252 1253 if (!pfkey_blockipv6) 1254 return (0); 1255 1256 /* 1257 * Prevent VPN traffic leakages in dual-stack hosts/networks. 1258 * https://tools.ietf.org/html/draft-gont-opsec-vpn-leakages. 1259 * We forcibly block IPv6 traffic unless it is used in any of 1260 * the flows by tracking a sadb_ipv6refcnt reference counter. 1261 */ 1262 bzero(&flow, sizeof(flow)); 1263 flow.flow_src.addr_af = flow.flow_src.addr.ss_family = af; 1264 flow.flow_src.addr_net = 1; 1265 socket_af((struct sockaddr *)&flow.flow_src.addr, 0); 1266 flow.flow_dst.addr_af = flow.flow_dst.addr.ss_family = af; 1267 flow.flow_dst.addr_net = 1; 1268 socket_af((struct sockaddr *)&flow.flow_dst.addr, 0); 1269 flow.flow_type = SADB_X_FLOW_TYPE_DENY; 1270 flow.flow_dir = IPSP_DIRECTION_OUT; 1271 1272 if (pfkey_flow(fd, 0, action, &flow) == -1) 1273 return (-1); 1274 1275 return (0); 1276 } 1277 1278 int 1279 pfkey_sa_init(int fd, struct iked_childsa *sa, uint32_t *spi) 1280 { 1281 uint8_t satype; 1282 1283 if (pfkey_map(pfkey_satype, sa->csa_saproto, &satype) == -1) 1284 return (-1); 1285 1286 if (pfkey_sa_getspi(fd, satype, sa, spi) == -1) 1287 return (-1); 1288 1289 log_debug("%s: new spi 0x%08x", __func__, *spi); 1290 1291 return (0); 1292 } 1293 1294 int 1295 pfkey_sa_add(int fd, struct iked_childsa *sa, struct iked_childsa *last) 1296 { 1297 uint8_t satype; 1298 unsigned int cmd; 1299 1300 if (pfkey_map(pfkey_satype, sa->csa_saproto, &satype) == -1) 1301 return (-1); 1302 1303 if (sa->csa_allocated || sa->csa_loaded) 1304 cmd = SADB_UPDATE; 1305 else 1306 cmd = SADB_ADD; 1307 1308 log_debug("%s: %s spi %s", __func__, cmd == SADB_ADD ? "add": "update", 1309 print_spi(sa->csa_spi.spi, 4)); 1310 1311 if (pfkey_sa(fd, satype, cmd, sa) == -1) { 1312 if (cmd == SADB_ADD) { 1313 (void)pfkey_sa_delete(fd, sa); 1314 return (-1); 1315 } 1316 if (sa->csa_allocated && !sa->csa_loaded && errno == ESRCH) { 1317 /* Needed for recoupling local SAs */ 1318 log_debug("%s: SADB_UPDATE on local SA returned ESRCH," 1319 " trying SADB_ADD", __func__); 1320 if (pfkey_sa(fd, satype, SADB_ADD, sa) == -1) 1321 return (-1); 1322 } else { 1323 return (-1); 1324 } 1325 } 1326 1327 if (last && cmd == SADB_ADD) { 1328 if (pfkey_sagroup(fd, satype, 1329 SADB_X_GRPSPIS, sa, last) == -1) { 1330 (void)pfkey_sa_delete(fd, sa); 1331 return (-1); 1332 } 1333 } 1334 1335 sa->csa_loaded = 1; 1336 return (0); 1337 } 1338 1339 int 1340 pfkey_sa_delete(int fd, struct iked_childsa *sa) 1341 { 1342 uint8_t satype; 1343 1344 if (!sa->csa_loaded || sa->csa_spi.spi == 0) 1345 return (0); 1346 1347 if (pfkey_map(pfkey_satype, sa->csa_saproto, &satype) == -1) 1348 return (-1); 1349 1350 if (pfkey_sa(fd, satype, SADB_DELETE, sa) == -1) 1351 return (-1); 1352 1353 sa->csa_loaded = 0; 1354 return (0); 1355 } 1356 1357 int 1358 pfkey_flush(int sd) 1359 { 1360 struct sadb_msg smsg; 1361 struct iovec iov[IOV_CNT]; 1362 int iov_cnt; 1363 1364 bzero(&smsg, sizeof(smsg)); 1365 smsg.sadb_msg_version = PF_KEY_V2; 1366 smsg.sadb_msg_seq = ++sadb_msg_seq; 1367 smsg.sadb_msg_pid = getpid(); 1368 smsg.sadb_msg_len = sizeof(smsg) / 8; 1369 smsg.sadb_msg_type = SADB_FLUSH; 1370 smsg.sadb_msg_satype = SADB_SATYPE_UNSPEC; 1371 1372 iov_cnt = 0; 1373 1374 iov[iov_cnt].iov_base = &smsg; 1375 iov[iov_cnt].iov_len = sizeof(smsg); 1376 iov_cnt++; 1377 1378 return (pfkey_write(sd, &smsg, iov, iov_cnt, NULL, NULL)); 1379 } 1380 1381 struct sadb_ident * 1382 pfkey_id2ident(struct iked_id *id, unsigned int exttype) 1383 { 1384 char idstr[IKED_ID_SIZE]; 1385 unsigned int type; 1386 size_t len; 1387 struct sadb_ident *sa_id; 1388 1389 switch (id->id_type) { 1390 case IKEV2_ID_FQDN: 1391 type = SADB_IDENTTYPE_FQDN; 1392 break; 1393 case IKEV2_ID_UFQDN: 1394 type = SADB_IDENTTYPE_USERFQDN; 1395 break; 1396 case IKEV2_ID_IPV4: 1397 case IKEV2_ID_IPV6: 1398 type = SADB_IDENTTYPE_PREFIX; 1399 break; 1400 case IKEV2_ID_ASN1_DN: 1401 case IKEV2_ID_ASN1_GN: 1402 case IKEV2_ID_KEY_ID: 1403 case IKEV2_ID_NONE: 1404 default: 1405 /* XXX not implemented/supported by PFKEY */ 1406 return (NULL); 1407 } 1408 1409 bzero(&idstr, sizeof(idstr)); 1410 1411 if (ikev2_print_id(id, idstr, sizeof(idstr)) == -1) 1412 return (NULL); 1413 1414 len = ROUNDUP(strlen(idstr) + 1) + sizeof(*sa_id); 1415 if ((sa_id = calloc(1, len)) == NULL) 1416 return (NULL); 1417 1418 strlcpy((char *)(sa_id + 1), idstr, ROUNDUP(strlen(idstr) + 1)); 1419 sa_id->sadb_ident_type = type; 1420 sa_id->sadb_ident_len = len / 8; 1421 sa_id->sadb_ident_exttype = exttype; 1422 1423 return (sa_id); 1424 } 1425 1426 int 1427 pfkey_socket(void) 1428 { 1429 int fd; 1430 1431 if (privsep_process != PROC_PARENT) 1432 fatal("pfkey_socket: called from unprivileged process"); 1433 1434 if ((fd = socket(PF_KEY, SOCK_RAW, PF_KEY_V2)) == -1) 1435 fatal("pfkey_socket: failed to open PF_KEY socket"); 1436 1437 pfkey_flush(fd); 1438 1439 return (fd); 1440 } 1441 1442 void 1443 pfkey_init(struct iked *env, int fd) 1444 { 1445 struct sadb_msg smsg; 1446 struct iovec iov; 1447 1448 /* Set up a timer to process messages deferred by the pfkey_reply */ 1449 pfkey_timer_tv.tv_sec = 1; 1450 pfkey_timer_tv.tv_usec = 0; 1451 evtimer_set(&pfkey_timer_ev, pfkey_timer_cb, env); 1452 1453 /* Register the pfkey socket event handler */ 1454 env->sc_pfkey = fd; 1455 event_set(&env->sc_pfkeyev, env->sc_pfkey, 1456 EV_READ|EV_PERSIST, pfkey_dispatch, env); 1457 event_add(&env->sc_pfkeyev, NULL); 1458 1459 /* Register it to get ESP and AH acquires from the kernel */ 1460 bzero(&smsg, sizeof(smsg)); 1461 smsg.sadb_msg_version = PF_KEY_V2; 1462 smsg.sadb_msg_seq = ++sadb_msg_seq; 1463 smsg.sadb_msg_pid = getpid(); 1464 smsg.sadb_msg_len = sizeof(smsg) / 8; 1465 smsg.sadb_msg_type = SADB_REGISTER; 1466 smsg.sadb_msg_satype = SADB_SATYPE_ESP; 1467 1468 iov.iov_base = &smsg; 1469 iov.iov_len = sizeof(smsg); 1470 1471 if (pfkey_write(fd, &smsg, &iov, 1, NULL, NULL)) 1472 fatal("pfkey_init: failed to set up ESP acquires"); 1473 1474 bzero(&smsg, sizeof(smsg)); 1475 smsg.sadb_msg_version = PF_KEY_V2; 1476 smsg.sadb_msg_seq = ++sadb_msg_seq; 1477 smsg.sadb_msg_pid = getpid(); 1478 smsg.sadb_msg_len = sizeof(smsg) / 8; 1479 smsg.sadb_msg_type = SADB_REGISTER; 1480 smsg.sadb_msg_satype = SADB_SATYPE_AH; 1481 1482 iov.iov_base = &smsg; 1483 iov.iov_len = sizeof(smsg); 1484 1485 if (pfkey_write(fd, &smsg, &iov, 1, NULL, NULL)) 1486 fatal("pfkey_init: failed to set up AH acquires"); 1487 1488 if (env->sc_opts & IKED_OPT_NOIPV6BLOCKING) 1489 return; 1490 1491 /* Block all IPv6 traffic by default */ 1492 pfkey_blockipv6 = 1; 1493 if (pfkey_block(fd, AF_INET6, SADB_X_ADDFLOW)) 1494 fatal("pfkey_init: failed to block IPv6 traffic"); 1495 } 1496 1497 void * 1498 pfkey_find_ext(uint8_t *data, ssize_t len, int type) 1499 { 1500 struct sadb_ext *ext = (struct sadb_ext *)(data + 1501 sizeof(struct sadb_msg)); 1502 1503 while (ext && ((uint8_t *)ext - data < len)) { 1504 if (ext->sadb_ext_type == type) 1505 return (ext); 1506 ext = (struct sadb_ext *)((uint8_t *)ext + 1507 ext->sadb_ext_len * PFKEYV2_CHUNK); 1508 } 1509 1510 return (NULL); 1511 } 1512 1513 void 1514 pfkey_dispatch(int sd, short event, void *arg) 1515 { 1516 struct iked *env = (struct iked *)arg; 1517 struct pfkey_message pm, *pmp; 1518 struct sadb_msg hdr; 1519 ssize_t len; 1520 uint8_t *data; 1521 1522 if (recv(sd, &hdr, sizeof(hdr), MSG_PEEK) != sizeof(hdr)) { 1523 log_warn("%s: short recv", __func__); 1524 return; 1525 } 1526 1527 if (hdr.sadb_msg_version != PF_KEY_V2) { 1528 log_warnx("%s: wrong pfkey version", __func__); 1529 return; 1530 } 1531 1532 if ((data = reallocarray(NULL, hdr.sadb_msg_len, PFKEYV2_CHUNK)) 1533 == NULL) { 1534 log_warn("%s: malloc", __func__); 1535 return; 1536 } 1537 len = hdr.sadb_msg_len * PFKEYV2_CHUNK; 1538 1539 if (read(sd, data, len) != len) { 1540 log_warn("%s: short read", __func__); 1541 free(data); 1542 return; 1543 } 1544 1545 /* Try postponed requests first, so we do in-order processing */ 1546 if (!SIMPLEQ_EMPTY(&pfkey_postponed)) 1547 pfkey_timer_cb(0, 0, env); 1548 1549 pm.pm_data = data; 1550 pm.pm_length = len; 1551 1552 if (pfkey_process(env, &pm) == -1 && 1553 (pmp = calloc(1, sizeof(*pmp))) != NULL) { 1554 pmp->pm_data = data; 1555 pmp->pm_length = len; 1556 log_debug("%s: pfkey_process is busy, retry later", __func__); 1557 SIMPLEQ_INSERT_TAIL(&pfkey_postponed, pmp, pm_entry); 1558 evtimer_add(&pfkey_timer_ev, &pfkey_timer_tv); 1559 } else { 1560 free(data); 1561 } 1562 } 1563 1564 void 1565 pfkey_timer_cb(int unused, short event, void *arg) 1566 { 1567 struct iked *env = arg; 1568 struct pfkey_message *pm; 1569 1570 SIMPLEQ_INIT(&pfkey_retry); 1571 while (!SIMPLEQ_EMPTY(&pfkey_postponed)) { 1572 pm = SIMPLEQ_FIRST(&pfkey_postponed); 1573 SIMPLEQ_REMOVE_HEAD(&pfkey_postponed, pm_entry); 1574 if (pfkey_process(env, pm) == -1) { 1575 log_debug("%s: pfkey_process is busy, retry later", 1576 __func__); 1577 SIMPLEQ_INSERT_TAIL(&pfkey_retry, pm, pm_entry); 1578 } else { 1579 free(pm->pm_data); 1580 free(pm); 1581 } 1582 } 1583 /* move from retry to postponed */ 1584 while ((pm = SIMPLEQ_FIRST(&pfkey_retry)) != NULL) { 1585 SIMPLEQ_REMOVE_HEAD(&pfkey_retry, pm_entry); 1586 SIMPLEQ_INSERT_TAIL(&pfkey_postponed, pm, pm_entry); 1587 } 1588 if (!SIMPLEQ_EMPTY(&pfkey_postponed)) 1589 evtimer_add(&pfkey_timer_ev, &pfkey_timer_tv); 1590 } 1591 1592 /* 1593 * pfkey_process returns 0 if the message has been processed and -1 if 1594 * the system is busy and the message should be passed again, later. 1595 */ 1596 int 1597 pfkey_process(struct iked *env, struct pfkey_message *pm) 1598 { 1599 struct iked_spi spi; 1600 struct sadb_sa *sa; 1601 struct sadb_lifetime *sa_ltime; 1602 struct sadb_msg *hdr; 1603 struct sadb_msg smsg; 1604 struct iked_addr peer; 1605 struct iked_flow flow; 1606 struct sadb_address *sa_addr; 1607 struct sadb_protocol *sa_proto; 1608 struct sadb_x_policy sa_pol; 1609 struct sockaddr *ssrc, *sdst, *smask, *dmask, *speer; 1610 struct iovec iov[IOV_CNT]; 1611 int ret = 0, iov_cnt, sd; 1612 uint8_t *reply; 1613 ssize_t rlen; 1614 const char *errmsg = NULL; 1615 uint8_t *data = pm->pm_data; 1616 ssize_t len = pm->pm_length; 1617 size_t slen; 1618 1619 if (!env || !data || !len) 1620 return (0); 1621 1622 sd = env->sc_pfkey; 1623 hdr = (struct sadb_msg *)data; 1624 1625 switch (hdr->sadb_msg_type) { 1626 case SADB_ACQUIRE: 1627 bzero(&flow, sizeof(flow)); 1628 bzero(&peer, sizeof(peer)); 1629 1630 if ((sa_addr = pfkey_find_ext(data, len, 1631 SADB_EXT_ADDRESS_DST)) == NULL) { 1632 log_debug("%s: no peer address", __func__); 1633 return (0); 1634 } 1635 speer = (struct sockaddr *)(sa_addr + 1); 1636 peer.addr_af = speer->sa_family; 1637 peer.addr_port = htons(socket_getport(speer)); 1638 if ((slen = speer->sa_len) > sizeof(peer.addr)) { 1639 log_debug("%s: invalid peer address len", __func__); 1640 return (0); 1641 } 1642 memcpy(&peer.addr, speer, slen); 1643 if (socket_af((struct sockaddr *)&peer.addr, 1644 peer.addr_port) == -1) { 1645 log_debug("%s: invalid address", __func__); 1646 return (0); 1647 } 1648 flow.flow_peer = &peer; 1649 1650 log_debug("%s: acquire request (peer %s)", __func__, 1651 print_host(speer, NULL, 0)); 1652 1653 /* get the matching flow */ 1654 bzero(&smsg, sizeof(smsg)); 1655 smsg.sadb_msg_version = PF_KEY_V2; 1656 smsg.sadb_msg_seq = ++sadb_msg_seq; 1657 smsg.sadb_msg_pid = getpid(); 1658 smsg.sadb_msg_len = sizeof(smsg) / 8; 1659 smsg.sadb_msg_type = SADB_X_ASKPOLICY; 1660 1661 iov_cnt = 0; 1662 1663 iov[iov_cnt].iov_base = &smsg; 1664 iov[iov_cnt].iov_len = sizeof(smsg); 1665 iov_cnt++; 1666 1667 bzero(&sa_pol, sizeof(sa_pol)); 1668 sa_pol.sadb_x_policy_exttype = SADB_X_EXT_POLICY; 1669 sa_pol.sadb_x_policy_len = sizeof(sa_pol) / 8; 1670 sa_pol.sadb_x_policy_seq = hdr->sadb_msg_seq; 1671 1672 iov[iov_cnt].iov_base = &sa_pol; 1673 iov[iov_cnt].iov_len = sizeof(sa_pol); 1674 smsg.sadb_msg_len += sizeof(sa_pol) / 8; 1675 iov_cnt++; 1676 1677 if (pfkey_write(sd, &smsg, iov, iov_cnt, &reply, &rlen)) { 1678 log_warnx("%s: failed to get a policy", __func__); 1679 return (0); 1680 } 1681 1682 if ((sa_addr = pfkey_find_ext(reply, rlen, 1683 SADB_X_EXT_SRC_FLOW)) == NULL) { 1684 errmsg = "flow source address"; 1685 goto out; 1686 } 1687 ssrc = (struct sockaddr *)(sa_addr + 1); 1688 flow.flow_src.addr_af = ssrc->sa_family; 1689 flow.flow_src.addr_port = htons(socket_getport(ssrc)); 1690 if ((slen = ssrc->sa_len) > sizeof(flow.flow_src.addr)) { 1691 log_debug("%s: invalid src address len", __func__); 1692 return (0); 1693 } 1694 memcpy(&flow.flow_src.addr, ssrc, slen); 1695 if (socket_af((struct sockaddr *)&flow.flow_src.addr, 1696 flow.flow_src.addr_port) == -1) { 1697 log_debug("%s: invalid address", __func__); 1698 return (0); 1699 } 1700 1701 if ((sa_addr = pfkey_find_ext(reply, rlen, 1702 SADB_X_EXT_DST_FLOW)) == NULL) { 1703 errmsg = "flow destination address"; 1704 goto out; 1705 } 1706 sdst = (struct sockaddr *)(sa_addr + 1); 1707 flow.flow_dst.addr_af = sdst->sa_family; 1708 flow.flow_dst.addr_port = htons(socket_getport(sdst)); 1709 if ((slen = sdst->sa_len) > sizeof(flow.flow_dst.addr)) { 1710 log_debug("%s: invalid dst address len", __func__); 1711 return (0); 1712 } 1713 memcpy(&flow.flow_dst.addr, sdst, slen); 1714 if (socket_af((struct sockaddr *)&flow.flow_dst.addr, 1715 flow.flow_dst.addr_port) == -1) { 1716 log_debug("%s: invalid address", __func__); 1717 return (0); 1718 } 1719 1720 if ((sa_addr = pfkey_find_ext(reply, rlen, 1721 SADB_X_EXT_SRC_MASK)) == NULL) { 1722 errmsg = "flow source mask"; 1723 goto out; 1724 } 1725 smask = (struct sockaddr *)(sa_addr + 1); 1726 switch (smask->sa_family) { 1727 case AF_INET: 1728 flow.flow_src.addr_mask = 1729 mask2prefixlen((struct sockaddr *)smask); 1730 if (flow.flow_src.addr_mask != 32) 1731 flow.flow_src.addr_net = 1; 1732 break; 1733 case AF_INET6: 1734 flow.flow_src.addr_mask = 1735 mask2prefixlen6((struct sockaddr *)smask); 1736 if (flow.flow_src.addr_mask != 128) 1737 flow.flow_src.addr_net = 1; 1738 break; 1739 default: 1740 log_debug("%s: bad address family", __func__); 1741 free(reply); 1742 return (0); 1743 } 1744 1745 if ((sa_addr = pfkey_find_ext(reply, rlen, 1746 SADB_X_EXT_DST_MASK)) == NULL) { 1747 errmsg = "flow destination mask"; 1748 goto out; 1749 } 1750 dmask = (struct sockaddr *)(sa_addr + 1); 1751 switch (dmask->sa_family) { 1752 case AF_INET: 1753 flow.flow_dst.addr_mask = 1754 mask2prefixlen((struct sockaddr *)dmask); 1755 if (flow.flow_src.addr_mask != 32) 1756 flow.flow_src.addr_net = 1; 1757 break; 1758 case AF_INET6: 1759 flow.flow_dst.addr_mask = 1760 mask2prefixlen6((struct sockaddr *)dmask); 1761 if (flow.flow_src.addr_mask != 128) 1762 flow.flow_src.addr_net = 1; 1763 break; 1764 default: 1765 log_debug("%s: bad address family", __func__); 1766 free(reply); 1767 return (0); 1768 } 1769 1770 if ((sa_proto = pfkey_find_ext(reply, rlen, 1771 SADB_X_EXT_FLOW_TYPE)) == NULL) { 1772 errmsg = "flow protocol"; 1773 goto out; 1774 } 1775 flow.flow_dir = sa_proto->sadb_protocol_direction; 1776 1777 log_debug("%s: flow %s from %s/%s to %s/%s via %s", __func__, 1778 flow.flow_dir == IPSP_DIRECTION_IN ? "in" : "out", 1779 print_host(ssrc, NULL, 0), print_host(smask, NULL, 0), 1780 print_host(sdst, NULL, 0), print_host(dmask, NULL, 0), 1781 print_host(speer, NULL, 0)); 1782 1783 ret = ikev2_acquire_sa(env, &flow); 1784 1785 out: 1786 if (errmsg) 1787 log_warnx("%s: %s wasn't found", __func__, errmsg); 1788 free(reply); 1789 break; 1790 1791 case SADB_EXPIRE: 1792 if ((sa = pfkey_find_ext(data, len, SADB_EXT_SA)) == NULL) { 1793 log_warnx("%s: SA extension wasn't found", __func__); 1794 return (0); 1795 } 1796 if ((sa_ltime = pfkey_find_ext(data, len, 1797 SADB_EXT_LIFETIME_SOFT)) == NULL && 1798 (sa_ltime = pfkey_find_ext(data, len, 1799 SADB_EXT_LIFETIME_HARD)) == NULL) { 1800 log_warnx("%s: lifetime extension wasn't found", 1801 __func__); 1802 return (0); 1803 } 1804 spi.spi = ntohl(sa->sadb_sa_spi); 1805 spi.spi_size = 4; 1806 switch (hdr->sadb_msg_satype) { 1807 case SADB_SATYPE_AH: 1808 spi.spi_protoid = IKEV2_SAPROTO_AH; 1809 break; 1810 case SADB_SATYPE_ESP: 1811 spi.spi_protoid = IKEV2_SAPROTO_ESP; 1812 break; 1813 case SADB_X_SATYPE_IPCOMP: 1814 spi.spi_size = 2; 1815 spi.spi_protoid = IKEV2_SAPROTO_IPCOMP; 1816 break; 1817 default: 1818 log_warnx("%s: unsupported SA type %d spi %s", 1819 __func__, hdr->sadb_msg_satype, 1820 print_spi(spi.spi, spi.spi_size)); 1821 return (0); 1822 } 1823 1824 log_debug("%s: SA %s is expired, pending %s", __func__, 1825 print_spi(spi.spi, spi.spi_size), 1826 sa_ltime->sadb_lifetime_exttype == SADB_EXT_LIFETIME_SOFT ? 1827 "rekeying" : "deletion"); 1828 1829 if (sa_ltime->sadb_lifetime_exttype == SADB_EXT_LIFETIME_SOFT) 1830 ret = ikev2_rekey_sa(env, &spi); 1831 else 1832 ret = ikev2_drop_sa(env, &spi); 1833 break; 1834 } 1835 return (ret); 1836 } 1837