1 /* $OpenBSD: pfkey.c,v 1.57 2015/12/10 17:27:00 mmcc Exp $ */ 2 /* 3 * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org> 4 * Copyright (c) 2003, 2004 Markus Friedl <markus@openbsd.org> 5 * Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org> 6 * 7 * Permission to use, copy, modify, and distribute this software for any 8 * purpose with or without fee is hereby granted, provided that the above 9 * copyright notice and this permission notice appear in all copies. 10 * 11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 18 */ 19 20 #include <sys/types.h> 21 #include <sys/queue.h> 22 #include <sys/uio.h> 23 #include <sys/socket.h> 24 #include <netinet/in.h> 25 #include <netinet/ip_ipsp.h> 26 #include <net/pfkeyv2.h> 27 28 #include <err.h> 29 #include <errno.h> 30 #include <stdio.h> 31 #include <string.h> 32 #include <stdlib.h> 33 #include <poll.h> 34 #include <unistd.h> 35 36 #include "ipsecctl.h" 37 #include "pfkey.h" 38 39 #define ROUNDUP(x) (((x) + (PFKEYV2_CHUNK - 1)) & ~(PFKEYV2_CHUNK - 1)) 40 #define IOV_CNT 20 41 42 static int fd; 43 static u_int32_t sadb_msg_seq = 1; 44 45 static int pfkey_flow(int, u_int8_t, u_int8_t, u_int8_t, u_int8_t, 46 struct ipsec_addr_wrap *, u_int16_t, 47 struct ipsec_addr_wrap *, u_int16_t, 48 struct ipsec_addr_wrap *, struct ipsec_addr_wrap *, 49 struct ipsec_auth *, u_int8_t); 50 static int pfkey_sa(int, u_int8_t, u_int8_t, u_int32_t, 51 struct ipsec_addr_wrap *, struct ipsec_addr_wrap *, 52 struct ipsec_transforms *, struct ipsec_key *, 53 struct ipsec_key *, u_int8_t); 54 static int pfkey_sagroup(int, u_int8_t, u_int8_t, u_int8_t, 55 struct ipsec_addr_wrap *, u_int32_t, 56 struct ipsec_addr_wrap *, u_int32_t); 57 static int pfkey_reply(int, u_int8_t **, ssize_t *); 58 int pfkey_parse(struct sadb_msg *, struct ipsec_rule *); 59 int pfkey_ipsec_flush(void); 60 int pfkey_ipsec_establish(int, struct ipsec_rule *); 61 int pfkey_init(void); 62 63 static int 64 pfkey_flow(int sd, u_int8_t satype, u_int8_t action, u_int8_t direction, 65 u_int8_t proto, struct ipsec_addr_wrap *src, u_int16_t sport, 66 struct ipsec_addr_wrap *dst, u_int16_t dport, 67 struct ipsec_addr_wrap *local, struct ipsec_addr_wrap *peer, 68 struct ipsec_auth *auth, u_int8_t flowtype) 69 { 70 struct sadb_msg smsg; 71 struct sadb_address sa_src, sa_dst, sa_local, sa_peer, sa_smask, 72 sa_dmask; 73 struct sadb_protocol sa_flowtype, sa_protocol; 74 struct sadb_ident *sa_srcid, *sa_dstid; 75 struct sockaddr_storage ssrc, sdst, slocal, speer, smask, dmask; 76 struct iovec iov[IOV_CNT]; 77 ssize_t n; 78 int iov_cnt, len, ret = 0; 79 80 sa_srcid = sa_dstid = NULL; 81 82 bzero(&ssrc, sizeof(ssrc)); 83 bzero(&smask, sizeof(smask)); 84 ssrc.ss_family = smask.ss_family = src->af; 85 switch (src->af) { 86 case AF_INET: 87 ((struct sockaddr_in *)&ssrc)->sin_addr = src->address.v4; 88 ssrc.ss_len = sizeof(struct sockaddr_in); 89 ((struct sockaddr_in *)&smask)->sin_addr = src->mask.v4; 90 if (sport) { 91 ((struct sockaddr_in *)&ssrc)->sin_port = sport; 92 ((struct sockaddr_in *)&smask)->sin_port = 0xffff; 93 } 94 break; 95 case AF_INET6: 96 ((struct sockaddr_in6 *)&ssrc)->sin6_addr = src->address.v6; 97 ssrc.ss_len = sizeof(struct sockaddr_in6); 98 ((struct sockaddr_in6 *)&smask)->sin6_addr = src->mask.v6; 99 if (sport) { 100 ((struct sockaddr_in6 *)&ssrc)->sin6_port = sport; 101 ((struct sockaddr_in6 *)&smask)->sin6_port = 0xffff; 102 } 103 break; 104 default: 105 warnx("unsupported address family %d", src->af); 106 return -1; 107 } 108 smask.ss_len = ssrc.ss_len; 109 110 bzero(&sdst, sizeof(sdst)); 111 bzero(&dmask, sizeof(dmask)); 112 sdst.ss_family = dmask.ss_family = dst->af; 113 switch (dst->af) { 114 case AF_INET: 115 ((struct sockaddr_in *)&sdst)->sin_addr = dst->address.v4; 116 sdst.ss_len = sizeof(struct sockaddr_in); 117 ((struct sockaddr_in *)&dmask)->sin_addr = dst->mask.v4; 118 if (dport) { 119 ((struct sockaddr_in *)&sdst)->sin_port = dport; 120 ((struct sockaddr_in *)&dmask)->sin_port = 0xffff; 121 } 122 break; 123 case AF_INET6: 124 ((struct sockaddr_in6 *)&sdst)->sin6_addr = dst->address.v6; 125 sdst.ss_len = sizeof(struct sockaddr_in6); 126 ((struct sockaddr_in6 *)&dmask)->sin6_addr = dst->mask.v6; 127 if (dport) { 128 ((struct sockaddr_in6 *)&sdst)->sin6_port = dport; 129 ((struct sockaddr_in6 *)&dmask)->sin6_port = 0xffff; 130 } 131 break; 132 default: 133 warnx("unsupported address family %d", dst->af); 134 return -1; 135 } 136 dmask.ss_len = sdst.ss_len; 137 138 bzero(&slocal, sizeof(slocal)); 139 if (local) { 140 slocal.ss_family = local->af; 141 switch (local->af) { 142 case AF_INET: 143 ((struct sockaddr_in *)&slocal)->sin_addr = 144 local->address.v4; 145 slocal.ss_len = sizeof(struct sockaddr_in); 146 break; 147 case AF_INET6: 148 ((struct sockaddr_in6 *)&slocal)->sin6_addr = 149 local->address.v6; 150 slocal.ss_len = sizeof(struct sockaddr_in6); 151 break; 152 default: 153 warnx("unsupported address family %d", local->af); 154 return -1; 155 } 156 } 157 158 bzero(&speer, sizeof(speer)); 159 if (peer) { 160 speer.ss_family = peer->af; 161 switch (peer->af) { 162 case AF_INET: 163 ((struct sockaddr_in *)&speer)->sin_addr = 164 peer->address.v4; 165 speer.ss_len = sizeof(struct sockaddr_in); 166 break; 167 case AF_INET6: 168 ((struct sockaddr_in6 *)&speer)->sin6_addr = 169 peer->address.v6; 170 speer.ss_len = sizeof(struct sockaddr_in6); 171 break; 172 default: 173 warnx("unsupported address family %d", peer->af); 174 return -1; 175 } 176 } 177 178 bzero(&smsg, sizeof(smsg)); 179 smsg.sadb_msg_version = PF_KEY_V2; 180 smsg.sadb_msg_seq = sadb_msg_seq++; 181 smsg.sadb_msg_pid = getpid(); 182 smsg.sadb_msg_len = sizeof(smsg) / 8; 183 smsg.sadb_msg_type = action; 184 smsg.sadb_msg_satype = satype; 185 186 bzero(&sa_flowtype, sizeof(sa_flowtype)); 187 sa_flowtype.sadb_protocol_exttype = SADB_X_EXT_FLOW_TYPE; 188 sa_flowtype.sadb_protocol_len = sizeof(sa_flowtype) / 8; 189 sa_flowtype.sadb_protocol_direction = direction; 190 191 switch (flowtype) { 192 case TYPE_USE: 193 sa_flowtype.sadb_protocol_proto = SADB_X_FLOW_TYPE_USE; 194 break; 195 case TYPE_ACQUIRE: 196 sa_flowtype.sadb_protocol_proto = SADB_X_FLOW_TYPE_ACQUIRE; 197 break; 198 case TYPE_REQUIRE: 199 sa_flowtype.sadb_protocol_proto = SADB_X_FLOW_TYPE_REQUIRE; 200 break; 201 case TYPE_DENY: 202 sa_flowtype.sadb_protocol_proto = SADB_X_FLOW_TYPE_DENY; 203 break; 204 case TYPE_BYPASS: 205 sa_flowtype.sadb_protocol_proto = SADB_X_FLOW_TYPE_BYPASS; 206 break; 207 case TYPE_DONTACQ: 208 sa_flowtype.sadb_protocol_proto = SADB_X_FLOW_TYPE_DONTACQ; 209 break; 210 default: 211 warnx("unsupported flowtype %d", flowtype); 212 return -1; 213 } 214 215 bzero(&sa_protocol, sizeof(sa_protocol)); 216 sa_protocol.sadb_protocol_exttype = SADB_X_EXT_PROTOCOL; 217 sa_protocol.sadb_protocol_len = sizeof(sa_protocol) / 8; 218 sa_protocol.sadb_protocol_direction = 0; 219 sa_protocol.sadb_protocol_proto = proto; 220 221 bzero(&sa_src, sizeof(sa_src)); 222 sa_src.sadb_address_exttype = SADB_X_EXT_SRC_FLOW; 223 sa_src.sadb_address_len = (sizeof(sa_src) + ROUNDUP(ssrc.ss_len)) / 8; 224 225 bzero(&sa_smask, sizeof(sa_smask)); 226 sa_smask.sadb_address_exttype = SADB_X_EXT_SRC_MASK; 227 sa_smask.sadb_address_len = 228 (sizeof(sa_smask) + ROUNDUP(smask.ss_len)) / 8; 229 230 bzero(&sa_dst, sizeof(sa_dst)); 231 sa_dst.sadb_address_exttype = SADB_X_EXT_DST_FLOW; 232 sa_dst.sadb_address_len = (sizeof(sa_dst) + ROUNDUP(sdst.ss_len)) / 8; 233 234 bzero(&sa_dmask, sizeof(sa_dmask)); 235 sa_dmask.sadb_address_exttype = SADB_X_EXT_DST_MASK; 236 sa_dmask.sadb_address_len = 237 (sizeof(sa_dmask) + ROUNDUP(dmask.ss_len)) / 8; 238 239 if (local) { 240 bzero(&sa_local, sizeof(sa_local)); 241 sa_local.sadb_address_exttype = SADB_EXT_ADDRESS_SRC; 242 sa_local.sadb_address_len = 243 (sizeof(sa_local) + ROUNDUP(slocal.ss_len)) / 8; 244 } 245 if (peer) { 246 bzero(&sa_peer, sizeof(sa_peer)); 247 sa_peer.sadb_address_exttype = SADB_EXT_ADDRESS_DST; 248 sa_peer.sadb_address_len = 249 (sizeof(sa_peer) + ROUNDUP(speer.ss_len)) / 8; 250 } 251 252 if (auth && auth->srcid) { 253 len = ROUNDUP(strlen(auth->srcid) + 1) + sizeof(*sa_srcid); 254 255 sa_srcid = calloc(len, sizeof(u_int8_t)); 256 if (sa_srcid == NULL) 257 err(1, "pfkey_flow: calloc"); 258 259 sa_srcid->sadb_ident_type = auth->srcid_type; 260 sa_srcid->sadb_ident_len = len / 8; 261 sa_srcid->sadb_ident_exttype = SADB_EXT_IDENTITY_SRC; 262 263 strlcpy((char *)(sa_srcid + 1), auth->srcid, 264 ROUNDUP(strlen(auth->srcid) + 1)); 265 } 266 if (auth && auth->dstid) { 267 len = ROUNDUP(strlen(auth->dstid) + 1) + sizeof(*sa_dstid); 268 269 sa_dstid = calloc(len, sizeof(u_int8_t)); 270 if (sa_dstid == NULL) 271 err(1, "pfkey_flow: calloc"); 272 273 sa_dstid->sadb_ident_type = auth->dstid_type; 274 sa_dstid->sadb_ident_len = len / 8; 275 sa_dstid->sadb_ident_exttype = SADB_EXT_IDENTITY_DST; 276 277 strlcpy((char *)(sa_dstid + 1), auth->dstid, 278 ROUNDUP(strlen(auth->dstid) + 1)); 279 } 280 281 iov_cnt = 0; 282 283 /* header */ 284 iov[iov_cnt].iov_base = &smsg; 285 iov[iov_cnt].iov_len = sizeof(smsg); 286 iov_cnt++; 287 288 /* add flow type */ 289 iov[iov_cnt].iov_base = &sa_flowtype; 290 iov[iov_cnt].iov_len = sizeof(sa_flowtype); 291 smsg.sadb_msg_len += sa_flowtype.sadb_protocol_len; 292 iov_cnt++; 293 294 /* local ip */ 295 if (local) { 296 iov[iov_cnt].iov_base = &sa_local; 297 iov[iov_cnt].iov_len = sizeof(sa_local); 298 iov_cnt++; 299 iov[iov_cnt].iov_base = &slocal; 300 iov[iov_cnt].iov_len = ROUNDUP(slocal.ss_len); 301 smsg.sadb_msg_len += sa_local.sadb_address_len; 302 iov_cnt++; 303 } 304 305 /* remote peer */ 306 if (peer) { 307 iov[iov_cnt].iov_base = &sa_peer; 308 iov[iov_cnt].iov_len = sizeof(sa_peer); 309 iov_cnt++; 310 iov[iov_cnt].iov_base = &speer; 311 iov[iov_cnt].iov_len = ROUNDUP(speer.ss_len); 312 smsg.sadb_msg_len += sa_peer.sadb_address_len; 313 iov_cnt++; 314 } 315 316 /* src addr */ 317 iov[iov_cnt].iov_base = &sa_src; 318 iov[iov_cnt].iov_len = sizeof(sa_src); 319 iov_cnt++; 320 iov[iov_cnt].iov_base = &ssrc; 321 iov[iov_cnt].iov_len = ROUNDUP(ssrc.ss_len); 322 smsg.sadb_msg_len += sa_src.sadb_address_len; 323 iov_cnt++; 324 325 /* src mask */ 326 iov[iov_cnt].iov_base = &sa_smask; 327 iov[iov_cnt].iov_len = sizeof(sa_smask); 328 iov_cnt++; 329 iov[iov_cnt].iov_base = &smask; 330 iov[iov_cnt].iov_len = ROUNDUP(smask.ss_len); 331 smsg.sadb_msg_len += sa_smask.sadb_address_len; 332 iov_cnt++; 333 334 /* dest addr */ 335 iov[iov_cnt].iov_base = &sa_dst; 336 iov[iov_cnt].iov_len = sizeof(sa_dst); 337 iov_cnt++; 338 iov[iov_cnt].iov_base = &sdst; 339 iov[iov_cnt].iov_len = ROUNDUP(sdst.ss_len); 340 smsg.sadb_msg_len += sa_dst.sadb_address_len; 341 iov_cnt++; 342 343 /* dst mask */ 344 iov[iov_cnt].iov_base = &sa_dmask; 345 iov[iov_cnt].iov_len = sizeof(sa_dmask); 346 iov_cnt++; 347 iov[iov_cnt].iov_base = &dmask; 348 iov[iov_cnt].iov_len = ROUNDUP(dmask.ss_len); 349 smsg.sadb_msg_len += sa_dmask.sadb_address_len; 350 iov_cnt++; 351 352 /* add protocol */ 353 iov[iov_cnt].iov_base = &sa_protocol; 354 iov[iov_cnt].iov_len = sizeof(sa_protocol); 355 smsg.sadb_msg_len += sa_protocol.sadb_protocol_len; 356 iov_cnt++; 357 358 if (sa_srcid) { 359 /* src identity */ 360 iov[iov_cnt].iov_base = sa_srcid; 361 iov[iov_cnt].iov_len = sa_srcid->sadb_ident_len * 8; 362 smsg.sadb_msg_len += sa_srcid->sadb_ident_len; 363 iov_cnt++; 364 } 365 if (sa_dstid) { 366 /* dst identity */ 367 iov[iov_cnt].iov_base = sa_dstid; 368 iov[iov_cnt].iov_len = sa_dstid->sadb_ident_len * 8; 369 smsg.sadb_msg_len += sa_dstid->sadb_ident_len; 370 iov_cnt++; 371 } 372 len = smsg.sadb_msg_len * 8; 373 374 do { 375 n = writev(sd, iov, iov_cnt); 376 } while (n == -1 && (errno == EAGAIN || errno == EINTR)); 377 if (n == -1) { 378 warn("writev failed"); 379 ret = -1; 380 } 381 382 free(sa_srcid); 383 free(sa_dstid); 384 385 return ret; 386 } 387 388 static int 389 pfkey_sa(int sd, u_int8_t satype, u_int8_t action, u_int32_t spi, 390 struct ipsec_addr_wrap *src, struct ipsec_addr_wrap *dst, 391 struct ipsec_transforms *xfs, struct ipsec_key *authkey, 392 struct ipsec_key *enckey, u_int8_t tmode) 393 { 394 struct sadb_msg smsg; 395 struct sadb_sa sa; 396 struct sadb_address sa_src, sa_dst; 397 struct sadb_key sa_authkey, sa_enckey; 398 struct sockaddr_storage ssrc, sdst; 399 struct iovec iov[IOV_CNT]; 400 ssize_t n; 401 int iov_cnt, len, ret = 0; 402 403 bzero(&ssrc, sizeof(ssrc)); 404 ssrc.ss_family = src->af; 405 switch (src->af) { 406 case AF_INET: 407 ((struct sockaddr_in *)&ssrc)->sin_addr = src->address.v4; 408 ssrc.ss_len = sizeof(struct sockaddr_in); 409 break; 410 case AF_INET6: 411 ((struct sockaddr_in6 *)&ssrc)->sin6_addr = src->address.v6; 412 ssrc.ss_len = sizeof(struct sockaddr_in6); 413 break; 414 default: 415 warnx("unsupported address family %d", src->af); 416 return -1; 417 } 418 419 bzero(&sdst, sizeof(sdst)); 420 sdst.ss_family = dst->af; 421 switch (dst->af) { 422 case AF_INET: 423 ((struct sockaddr_in *)&sdst)->sin_addr = dst->address.v4; 424 sdst.ss_len = sizeof(struct sockaddr_in); 425 break; 426 case AF_INET6: 427 ((struct sockaddr_in6 *)&sdst)->sin6_addr = dst->address.v6; 428 sdst.ss_len = sizeof(struct sockaddr_in6); 429 break; 430 default: 431 warnx("unsupported address family %d", dst->af); 432 return -1; 433 } 434 435 bzero(&smsg, sizeof(smsg)); 436 smsg.sadb_msg_version = PF_KEY_V2; 437 smsg.sadb_msg_seq = sadb_msg_seq++; 438 smsg.sadb_msg_pid = getpid(); 439 smsg.sadb_msg_len = sizeof(smsg) / 8; 440 smsg.sadb_msg_type = action; 441 smsg.sadb_msg_satype = satype; 442 443 bzero(&sa, sizeof(sa)); 444 sa.sadb_sa_len = sizeof(sa) / 8; 445 sa.sadb_sa_exttype = SADB_EXT_SA; 446 sa.sadb_sa_spi = htonl(spi); 447 sa.sadb_sa_state = SADB_SASTATE_MATURE; 448 449 if (satype != SADB_X_SATYPE_IPIP && tmode == IPSEC_TUNNEL) 450 sa.sadb_sa_flags |= SADB_X_SAFLAGS_TUNNEL; 451 452 if (xfs && xfs->authxf) { 453 switch (xfs->authxf->id) { 454 case AUTHXF_NONE: 455 break; 456 case AUTHXF_HMAC_MD5: 457 sa.sadb_sa_auth = SADB_AALG_MD5HMAC; 458 break; 459 case AUTHXF_HMAC_RIPEMD160: 460 sa.sadb_sa_auth = SADB_X_AALG_RIPEMD160HMAC; 461 break; 462 case AUTHXF_HMAC_SHA1: 463 sa.sadb_sa_auth = SADB_AALG_SHA1HMAC; 464 break; 465 case AUTHXF_HMAC_SHA2_256: 466 sa.sadb_sa_auth = SADB_X_AALG_SHA2_256; 467 break; 468 case AUTHXF_HMAC_SHA2_384: 469 sa.sadb_sa_auth = SADB_X_AALG_SHA2_384; 470 break; 471 case AUTHXF_HMAC_SHA2_512: 472 sa.sadb_sa_auth = SADB_X_AALG_SHA2_512; 473 break; 474 default: 475 warnx("unsupported authentication algorithm %d", 476 xfs->authxf->id); 477 } 478 } 479 if (xfs && xfs->encxf) { 480 switch (xfs->encxf->id) { 481 case ENCXF_NONE: 482 break; 483 case ENCXF_3DES_CBC: 484 sa.sadb_sa_encrypt = SADB_EALG_3DESCBC; 485 break; 486 case ENCXF_AES: 487 case ENCXF_AES_128: 488 case ENCXF_AES_192: 489 case ENCXF_AES_256: 490 sa.sadb_sa_encrypt = SADB_X_EALG_AES; 491 break; 492 case ENCXF_AESCTR: 493 case ENCXF_AES_128_CTR: 494 case ENCXF_AES_192_CTR: 495 case ENCXF_AES_256_CTR: 496 sa.sadb_sa_encrypt = SADB_X_EALG_AESCTR; 497 break; 498 case ENCXF_AES_128_GCM: 499 case ENCXF_AES_192_GCM: 500 case ENCXF_AES_256_GCM: 501 sa.sadb_sa_encrypt = SADB_X_EALG_AESGCM16; 502 break; 503 case ENCXF_AES_128_GMAC: 504 case ENCXF_AES_192_GMAC: 505 case ENCXF_AES_256_GMAC: 506 sa.sadb_sa_encrypt = SADB_X_EALG_AESGMAC; 507 break; 508 case ENCXF_BLOWFISH: 509 sa.sadb_sa_encrypt = SADB_X_EALG_BLF; 510 break; 511 case ENCXF_CAST128: 512 sa.sadb_sa_encrypt = SADB_X_EALG_CAST; 513 break; 514 case ENCXF_NULL: 515 sa.sadb_sa_encrypt = SADB_EALG_NULL; 516 break; 517 default: 518 warnx("unsupported encryption algorithm %d", 519 xfs->encxf->id); 520 } 521 } 522 if (xfs && xfs->compxf) { 523 switch (xfs->compxf->id) { 524 case COMPXF_DEFLATE: 525 sa.sadb_sa_encrypt = SADB_X_CALG_DEFLATE; 526 break; 527 case COMPXF_LZS: 528 sa.sadb_sa_encrypt = SADB_X_CALG_LZS; 529 break; 530 default: 531 warnx("unsupported compression algorithm %d", 532 xfs->compxf->id); 533 } 534 } 535 536 bzero(&sa_src, sizeof(sa_src)); 537 sa_src.sadb_address_len = (sizeof(sa_src) + ROUNDUP(ssrc.ss_len)) / 8; 538 sa_src.sadb_address_exttype = SADB_EXT_ADDRESS_SRC; 539 540 bzero(&sa_dst, sizeof(sa_dst)); 541 sa_dst.sadb_address_len = (sizeof(sa_dst) + ROUNDUP(sdst.ss_len)) / 8; 542 sa_dst.sadb_address_exttype = SADB_EXT_ADDRESS_DST; 543 544 if (action == SADB_ADD && !authkey && !enckey && satype != 545 SADB_X_SATYPE_IPCOMP && satype != SADB_X_SATYPE_IPIP) { /* XXX ENCNULL */ 546 warnx("no key specified"); 547 return -1; 548 } 549 if (authkey) { 550 bzero(&sa_authkey, sizeof(sa_authkey)); 551 sa_authkey.sadb_key_len = (sizeof(sa_authkey) + 552 ((authkey->len + 7) / 8) * 8) / 8; 553 sa_authkey.sadb_key_exttype = SADB_EXT_KEY_AUTH; 554 sa_authkey.sadb_key_bits = 8 * authkey->len; 555 } 556 if (enckey) { 557 bzero(&sa_enckey, sizeof(sa_enckey)); 558 sa_enckey.sadb_key_len = (sizeof(sa_enckey) + 559 ((enckey->len + 7) / 8) * 8) / 8; 560 sa_enckey.sadb_key_exttype = SADB_EXT_KEY_ENCRYPT; 561 sa_enckey.sadb_key_bits = 8 * enckey->len; 562 } 563 564 iov_cnt = 0; 565 566 /* header */ 567 iov[iov_cnt].iov_base = &smsg; 568 iov[iov_cnt].iov_len = sizeof(smsg); 569 iov_cnt++; 570 571 /* sa */ 572 iov[iov_cnt].iov_base = &sa; 573 iov[iov_cnt].iov_len = sizeof(sa); 574 smsg.sadb_msg_len += sa.sadb_sa_len; 575 iov_cnt++; 576 577 /* src addr */ 578 iov[iov_cnt].iov_base = &sa_src; 579 iov[iov_cnt].iov_len = sizeof(sa_src); 580 iov_cnt++; 581 iov[iov_cnt].iov_base = &ssrc; 582 iov[iov_cnt].iov_len = ROUNDUP(ssrc.ss_len); 583 smsg.sadb_msg_len += sa_src.sadb_address_len; 584 iov_cnt++; 585 586 /* dst addr */ 587 iov[iov_cnt].iov_base = &sa_dst; 588 iov[iov_cnt].iov_len = sizeof(sa_dst); 589 iov_cnt++; 590 iov[iov_cnt].iov_base = &sdst; 591 iov[iov_cnt].iov_len = ROUNDUP(sdst.ss_len); 592 smsg.sadb_msg_len += sa_dst.sadb_address_len; 593 iov_cnt++; 594 595 if (authkey) { 596 /* authentication key */ 597 iov[iov_cnt].iov_base = &sa_authkey; 598 iov[iov_cnt].iov_len = sizeof(sa_authkey); 599 iov_cnt++; 600 iov[iov_cnt].iov_base = authkey->data; 601 iov[iov_cnt].iov_len = ((authkey->len + 7) / 8) * 8; 602 smsg.sadb_msg_len += sa_authkey.sadb_key_len; 603 iov_cnt++; 604 } 605 if (enckey) { 606 /* encryption key */ 607 iov[iov_cnt].iov_base = &sa_enckey; 608 iov[iov_cnt].iov_len = sizeof(sa_enckey); 609 iov_cnt++; 610 iov[iov_cnt].iov_base = enckey->data; 611 iov[iov_cnt].iov_len = ((enckey->len + 7) / 8) * 8; 612 smsg.sadb_msg_len += sa_enckey.sadb_key_len; 613 iov_cnt++; 614 } 615 616 len = smsg.sadb_msg_len * 8; 617 if ((n = writev(sd, iov, iov_cnt)) == -1) { 618 warn("writev failed"); 619 ret = -1; 620 } else if (n != len) { 621 warnx("short write"); 622 ret = -1; 623 } 624 625 return ret; 626 } 627 628 static int 629 pfkey_sagroup(int sd, u_int8_t satype, u_int8_t satype2, u_int8_t action, 630 struct ipsec_addr_wrap *dst, u_int32_t spi, struct ipsec_addr_wrap *dst2, 631 u_int32_t spi2) 632 { 633 struct sadb_msg smsg; 634 struct sadb_sa sa1, sa2; 635 struct sadb_address sa_dst, sa_dst2; 636 struct sockaddr_storage sdst, sdst2; 637 struct sadb_protocol sa_proto; 638 struct iovec iov[IOV_CNT]; 639 ssize_t n; 640 int iov_cnt, len, ret = 0; 641 642 bzero(&sdst, sizeof(sdst)); 643 sdst.ss_family = dst->af; 644 switch (dst->af) { 645 case AF_INET: 646 ((struct sockaddr_in *)&sdst)->sin_addr = dst->address.v4; 647 sdst.ss_len = sizeof(struct sockaddr_in); 648 break; 649 case AF_INET6: 650 ((struct sockaddr_in6 *)&sdst)->sin6_addr = dst->address.v6; 651 sdst.ss_len = sizeof(struct sockaddr_in6); 652 break; 653 default: 654 warnx("unsupported address family %d", dst->af); 655 return -1; 656 } 657 658 bzero(&sdst2, sizeof(sdst2)); 659 sdst2.ss_family = dst2->af; 660 switch (dst2->af) { 661 case AF_INET: 662 ((struct sockaddr_in *)&sdst2)->sin_addr = dst2->address.v4; 663 sdst2.ss_len = sizeof(struct sockaddr_in); 664 break; 665 case AF_INET6: 666 ((struct sockaddr_in6 *)&sdst2)->sin6_addr = dst2->address.v6; 667 sdst2.ss_len = sizeof(struct sockaddr_in6); 668 break; 669 default: 670 warnx("unsupported address family %d", dst2->af); 671 return -1; 672 } 673 674 bzero(&smsg, sizeof(smsg)); 675 smsg.sadb_msg_version = PF_KEY_V2; 676 smsg.sadb_msg_seq = sadb_msg_seq++; 677 smsg.sadb_msg_pid = getpid(); 678 smsg.sadb_msg_len = sizeof(smsg) / 8; 679 smsg.sadb_msg_type = action; 680 smsg.sadb_msg_satype = satype; 681 682 bzero(&sa1, sizeof(sa1)); 683 sa1.sadb_sa_len = sizeof(sa1) / 8; 684 sa1.sadb_sa_exttype = SADB_EXT_SA; 685 sa1.sadb_sa_spi = htonl(spi); 686 sa1.sadb_sa_state = SADB_SASTATE_MATURE; 687 688 bzero(&sa2, sizeof(sa2)); 689 sa2.sadb_sa_len = sizeof(sa2) / 8; 690 sa2.sadb_sa_exttype = SADB_X_EXT_SA2; 691 sa2.sadb_sa_spi = htonl(spi2); 692 sa2.sadb_sa_state = SADB_SASTATE_MATURE; 693 iov_cnt = 0; 694 695 bzero(&sa_dst, sizeof(sa_dst)); 696 sa_dst.sadb_address_exttype = SADB_EXT_ADDRESS_DST; 697 sa_dst.sadb_address_len = (sizeof(sa_dst) + ROUNDUP(sdst.ss_len)) / 8; 698 699 bzero(&sa_dst2, sizeof(sa_dst2)); 700 sa_dst2.sadb_address_exttype = SADB_X_EXT_DST2; 701 sa_dst2.sadb_address_len = (sizeof(sa_dst2) + ROUNDUP(sdst2.ss_len)) / 8; 702 703 bzero(&sa_proto, sizeof(sa_proto)); 704 sa_proto.sadb_protocol_exttype = SADB_X_EXT_PROTOCOL; 705 sa_proto.sadb_protocol_len = sizeof(sa_proto) / 8; 706 sa_proto.sadb_protocol_direction = 0; 707 sa_proto.sadb_protocol_proto = satype2; 708 709 /* header */ 710 iov[iov_cnt].iov_base = &smsg; 711 iov[iov_cnt].iov_len = sizeof(smsg); 712 iov_cnt++; 713 714 /* sa */ 715 iov[iov_cnt].iov_base = &sa1; 716 iov[iov_cnt].iov_len = sizeof(sa1); 717 smsg.sadb_msg_len += sa1.sadb_sa_len; 718 iov_cnt++; 719 720 /* dst addr */ 721 iov[iov_cnt].iov_base = &sa_dst; 722 iov[iov_cnt].iov_len = sizeof(sa_dst); 723 iov_cnt++; 724 iov[iov_cnt].iov_base = &sdst; 725 iov[iov_cnt].iov_len = ROUNDUP(sdst.ss_len); 726 smsg.sadb_msg_len += sa_dst.sadb_address_len; 727 iov_cnt++; 728 729 /* second sa */ 730 iov[iov_cnt].iov_base = &sa2; 731 iov[iov_cnt].iov_len = sizeof(sa2); 732 smsg.sadb_msg_len += sa2.sadb_sa_len; 733 iov_cnt++; 734 735 /* second dst addr */ 736 iov[iov_cnt].iov_base = &sa_dst2; 737 iov[iov_cnt].iov_len = sizeof(sa_dst2); 738 iov_cnt++; 739 iov[iov_cnt].iov_base = &sdst2; 740 iov[iov_cnt].iov_len = ROUNDUP(sdst2.ss_len); 741 smsg.sadb_msg_len += sa_dst2.sadb_address_len; 742 iov_cnt++; 743 744 /* SA type */ 745 iov[iov_cnt].iov_base = &sa_proto; 746 iov[iov_cnt].iov_len = sizeof(sa_proto); 747 smsg.sadb_msg_len += sa_proto.sadb_protocol_len; 748 iov_cnt++; 749 750 len = smsg.sadb_msg_len * 8; 751 if ((n = writev(sd, iov, iov_cnt)) == -1) { 752 warn("writev failed"); 753 ret = -1; 754 } else if (n != len) { 755 warnx("short write"); 756 ret = -1; 757 } 758 759 return (ret); 760 } 761 762 static int 763 pfkey_reply(int sd, u_int8_t **datap, ssize_t *lenp) 764 { 765 struct sadb_msg hdr; 766 ssize_t len; 767 u_int8_t *data; 768 769 if (recv(sd, &hdr, sizeof(hdr), MSG_PEEK) != sizeof(hdr)) { 770 warnx("short read"); 771 return -1; 772 } 773 len = hdr.sadb_msg_len * PFKEYV2_CHUNK; 774 if ((data = malloc(len)) == NULL) 775 err(1, "pfkey_reply: malloc"); 776 if (read(sd, data, len) != len) { 777 warn("PF_KEY short read"); 778 explicit_bzero(data, len); 779 free(data); 780 return -1; 781 } 782 if (datap) { 783 *datap = data; 784 if (lenp) 785 *lenp = len; 786 } else { 787 explicit_bzero(data, len); 788 free(data); 789 } 790 if (datap == NULL && hdr.sadb_msg_errno != 0) { 791 errno = hdr.sadb_msg_errno; 792 if (errno != EEXIST) { 793 warn("PF_KEY failed"); 794 return -1; 795 } 796 } 797 return 0; 798 } 799 800 int 801 pfkey_parse(struct sadb_msg *msg, struct ipsec_rule *rule) 802 { 803 struct sadb_ext *ext; 804 struct sadb_address *saddr; 805 struct sadb_protocol *sproto; 806 struct sadb_ident *sident; 807 struct sockaddr *sa; 808 struct sockaddr_in *sa_in; 809 struct sockaddr_in6 *sa_in6; 810 int len; 811 812 switch (msg->sadb_msg_satype) { 813 case SADB_SATYPE_ESP: 814 rule->satype = IPSEC_ESP; 815 break; 816 case SADB_SATYPE_AH: 817 rule->satype = IPSEC_AH; 818 break; 819 case SADB_X_SATYPE_IPCOMP: 820 rule->satype = IPSEC_IPCOMP; 821 break; 822 case SADB_X_SATYPE_IPIP: 823 rule->satype = IPSEC_IPIP; 824 break; 825 default: 826 return (1); 827 } 828 829 for (ext = (struct sadb_ext *)(msg + 1); 830 (size_t)((u_int8_t *)ext - (u_int8_t *)msg) < 831 msg->sadb_msg_len * PFKEYV2_CHUNK && ext->sadb_ext_len > 0; 832 ext = (struct sadb_ext *)((u_int8_t *)ext + 833 ext->sadb_ext_len * PFKEYV2_CHUNK)) { 834 switch (ext->sadb_ext_type) { 835 case SADB_EXT_ADDRESS_SRC: 836 saddr = (struct sadb_address *)ext; 837 sa = (struct sockaddr *)(saddr + 1); 838 839 rule->local = calloc(1, sizeof(struct ipsec_addr_wrap)); 840 if (rule->local == NULL) 841 err(1, "pfkey_parse: calloc"); 842 843 rule->local->af = sa->sa_family; 844 switch (sa->sa_family) { 845 case AF_INET: 846 bcopy(&((struct sockaddr_in *)sa)->sin_addr, 847 &rule->local->address.v4, 848 sizeof(struct in_addr)); 849 set_ipmask(rule->local, 32); 850 break; 851 case AF_INET6: 852 bcopy(&((struct sockaddr_in6 *)sa)->sin6_addr, 853 &rule->local->address.v6, 854 sizeof(struct in6_addr)); 855 set_ipmask(rule->local, 128); 856 break; 857 default: 858 return (1); 859 } 860 break; 861 862 863 case SADB_EXT_ADDRESS_DST: 864 saddr = (struct sadb_address *)ext; 865 sa = (struct sockaddr *)(saddr + 1); 866 867 rule->peer = calloc(1, sizeof(struct ipsec_addr_wrap)); 868 if (rule->peer == NULL) 869 err(1, "pfkey_parse: calloc"); 870 871 rule->peer->af = sa->sa_family; 872 switch (sa->sa_family) { 873 case AF_INET: 874 bcopy(&((struct sockaddr_in *)sa)->sin_addr, 875 &rule->peer->address.v4, 876 sizeof(struct in_addr)); 877 set_ipmask(rule->peer, 32); 878 break; 879 case AF_INET6: 880 bcopy(&((struct sockaddr_in6 *)sa)->sin6_addr, 881 &rule->peer->address.v6, 882 sizeof(struct in6_addr)); 883 set_ipmask(rule->peer, 128); 884 break; 885 default: 886 return (1); 887 } 888 break; 889 890 case SADB_EXT_IDENTITY_SRC: 891 sident = (struct sadb_ident *)ext; 892 len = (sident->sadb_ident_len * sizeof(uint64_t)) - 893 sizeof(struct sadb_ident); 894 895 if (rule->auth == NULL) { 896 rule->auth = calloc(1, sizeof(struct 897 ipsec_auth)); 898 if (rule->auth == NULL) 899 err(1, "pfkey_parse: calloc"); 900 } 901 902 rule->auth->srcid = calloc(1, len); 903 if (rule->auth->srcid == NULL) 904 err(1, "pfkey_parse: calloc"); 905 906 strlcpy(rule->auth->srcid, (char *)(sident + 1), len); 907 break; 908 909 case SADB_EXT_IDENTITY_DST: 910 sident = (struct sadb_ident *)ext; 911 len = (sident->sadb_ident_len * sizeof(uint64_t)) - 912 sizeof(struct sadb_ident); 913 914 if (rule->auth == NULL) { 915 rule->auth = calloc(1, sizeof(struct 916 ipsec_auth)); 917 if (rule->auth == NULL) 918 err(1, "pfkey_parse: calloc"); 919 } 920 921 rule->auth->dstid = calloc(1, len); 922 if (rule->auth->dstid == NULL) 923 err(1, "pfkey_parse: calloc"); 924 925 strlcpy(rule->auth->dstid, (char *)(sident + 1), len); 926 break; 927 928 case SADB_X_EXT_PROTOCOL: 929 sproto = (struct sadb_protocol *)ext; 930 if (sproto->sadb_protocol_direction == 0) 931 rule->proto = sproto->sadb_protocol_proto; 932 break; 933 934 case SADB_X_EXT_FLOW_TYPE: 935 sproto = (struct sadb_protocol *)ext; 936 937 switch (sproto->sadb_protocol_direction) { 938 case IPSP_DIRECTION_IN: 939 rule->direction = IPSEC_IN; 940 break; 941 case IPSP_DIRECTION_OUT: 942 rule->direction = IPSEC_OUT; 943 break; 944 default: 945 return (1); 946 } 947 switch (sproto->sadb_protocol_proto) { 948 case SADB_X_FLOW_TYPE_USE: 949 rule->flowtype = TYPE_USE; 950 break; 951 case SADB_X_FLOW_TYPE_ACQUIRE: 952 rule->flowtype = TYPE_ACQUIRE; 953 break; 954 case SADB_X_FLOW_TYPE_REQUIRE: 955 rule->flowtype = TYPE_REQUIRE; 956 break; 957 case SADB_X_FLOW_TYPE_DENY: 958 rule->flowtype = TYPE_DENY; 959 break; 960 case SADB_X_FLOW_TYPE_BYPASS: 961 rule->flowtype = TYPE_BYPASS; 962 break; 963 case SADB_X_FLOW_TYPE_DONTACQ: 964 rule->flowtype = TYPE_DONTACQ; 965 break; 966 default: 967 rule->flowtype = TYPE_UNKNOWN; 968 break; 969 } 970 break; 971 972 case SADB_X_EXT_SRC_FLOW: 973 saddr = (struct sadb_address *)ext; 974 sa = (struct sockaddr *)(saddr + 1); 975 976 if (rule->src == NULL) { 977 rule->src = calloc(1, 978 sizeof(struct ipsec_addr_wrap)); 979 if (rule->src == NULL) 980 err(1, "pfkey_parse: calloc"); 981 } 982 983 rule->src->af = sa->sa_family; 984 switch (sa->sa_family) { 985 case AF_INET: 986 bcopy(&((struct sockaddr_in *)sa)->sin_addr, 987 &rule->src->address.v4, 988 sizeof(struct in_addr)); 989 rule->sport = 990 ((struct sockaddr_in *)sa)->sin_port; 991 break; 992 case AF_INET6: 993 bcopy(&((struct sockaddr_in6 *)sa)->sin6_addr, 994 &rule->src->address.v6, 995 sizeof(struct in6_addr)); 996 rule->sport = 997 ((struct sockaddr_in6 *)sa)->sin6_port; 998 break; 999 default: 1000 return (1); 1001 } 1002 break; 1003 1004 case SADB_X_EXT_DST_FLOW: 1005 saddr = (struct sadb_address *)ext; 1006 sa = (struct sockaddr *)(saddr + 1); 1007 1008 if (rule->dst == NULL) { 1009 rule->dst = calloc(1, 1010 sizeof(struct ipsec_addr_wrap)); 1011 if (rule->dst == NULL) 1012 err(1, "pfkey_parse: calloc"); 1013 } 1014 1015 rule->dst->af = sa->sa_family; 1016 switch (sa->sa_family) { 1017 case AF_INET: 1018 bcopy(&((struct sockaddr_in *)sa)->sin_addr, 1019 &rule->dst->address.v4, 1020 sizeof(struct in_addr)); 1021 rule->dport = 1022 ((struct sockaddr_in *)sa)->sin_port; 1023 break; 1024 case AF_INET6: 1025 bcopy(&((struct sockaddr_in6 *)sa)->sin6_addr, 1026 &rule->dst->address.v6, 1027 sizeof(struct in6_addr)); 1028 rule->dport = 1029 ((struct sockaddr_in6 *)sa)->sin6_port; 1030 break; 1031 default: 1032 return (1); 1033 } 1034 break; 1035 1036 1037 case SADB_X_EXT_SRC_MASK: 1038 saddr = (struct sadb_address *)ext; 1039 sa = (struct sockaddr *)(saddr + 1); 1040 1041 if (rule->src == NULL) { 1042 rule->src = calloc(1, 1043 sizeof(struct ipsec_addr_wrap)); 1044 if (rule->src == NULL) 1045 err(1, "pfkey_parse: calloc"); 1046 } 1047 1048 rule->src->af = sa->sa_family; 1049 switch (sa->sa_family) { 1050 case AF_INET: 1051 sa_in = (struct sockaddr_in *)sa; 1052 bcopy(&sa_in->sin_addr, &rule->src->mask.v4, 1053 sizeof(struct in_addr)); 1054 break; 1055 case AF_INET6: 1056 sa_in6 = (struct sockaddr_in6 *)sa; 1057 bcopy(&sa_in6->sin6_addr, &rule->src->mask.v6, 1058 sizeof(struct in6_addr)); 1059 break; 1060 1061 default: 1062 return (1); 1063 } 1064 break; 1065 1066 case SADB_X_EXT_DST_MASK: 1067 saddr = (struct sadb_address *)ext; 1068 sa = (struct sockaddr *)(saddr + 1); 1069 1070 if (rule->dst == NULL) { 1071 rule->dst = calloc(1, 1072 sizeof(struct ipsec_addr_wrap)); 1073 if (rule->dst == NULL) 1074 err(1, "pfkey_parse: calloc"); 1075 } 1076 1077 rule->dst->af = sa->sa_family; 1078 switch (sa->sa_family) { 1079 case AF_INET: 1080 sa_in = (struct sockaddr_in *)sa; 1081 bcopy(&sa_in->sin_addr, &rule->dst->mask.v4, 1082 sizeof(struct in_addr)); 1083 break; 1084 case AF_INET6: 1085 sa_in6 = (struct sockaddr_in6 *)sa; 1086 bcopy(&sa_in6->sin6_addr, &rule->dst->mask.v6, 1087 sizeof(struct in6_addr)); 1088 break; 1089 default: 1090 return (1); 1091 } 1092 break; 1093 1094 default: 1095 return (1); 1096 } 1097 } 1098 1099 return (0); 1100 } 1101 1102 int 1103 pfkey_ipsec_establish(int action, struct ipsec_rule *r) 1104 { 1105 int ret; 1106 u_int8_t satype, satype2, direction; 1107 1108 if (r->type == RULE_FLOW) { 1109 switch (r->satype) { 1110 case IPSEC_ESP: 1111 satype = SADB_SATYPE_ESP; 1112 break; 1113 case IPSEC_AH: 1114 satype = SADB_SATYPE_AH; 1115 break; 1116 case IPSEC_IPCOMP: 1117 satype = SADB_X_SATYPE_IPCOMP; 1118 break; 1119 case IPSEC_IPIP: 1120 satype = SADB_X_SATYPE_IPIP; 1121 break; 1122 default: 1123 return -1; 1124 } 1125 1126 switch (r->direction) { 1127 case IPSEC_IN: 1128 direction = IPSP_DIRECTION_IN; 1129 break; 1130 case IPSEC_OUT: 1131 direction = IPSP_DIRECTION_OUT; 1132 break; 1133 default: 1134 return -1; 1135 } 1136 1137 switch (action) { 1138 case ACTION_ADD: 1139 ret = pfkey_flow(fd, satype, SADB_X_ADDFLOW, direction, 1140 r->proto, r->src, r->sport, r->dst, r->dport, 1141 r->local, r->peer, r->auth, r->flowtype); 1142 break; 1143 case ACTION_DELETE: 1144 /* No peer for flow deletion. */ 1145 ret = pfkey_flow(fd, satype, SADB_X_DELFLOW, direction, 1146 r->proto, r->src, r->sport, r->dst, r->dport, 1147 NULL, NULL, NULL, r->flowtype); 1148 break; 1149 default: 1150 return -1; 1151 } 1152 } else if (r->type == RULE_SA) { 1153 switch (r->satype) { 1154 case IPSEC_AH: 1155 satype = SADB_SATYPE_AH; 1156 break; 1157 case IPSEC_ESP: 1158 satype = SADB_SATYPE_ESP; 1159 break; 1160 case IPSEC_IPCOMP: 1161 satype = SADB_X_SATYPE_IPCOMP; 1162 break; 1163 case IPSEC_TCPMD5: 1164 satype = SADB_X_SATYPE_TCPSIGNATURE; 1165 break; 1166 case IPSEC_IPIP: 1167 satype = SADB_X_SATYPE_IPIP; 1168 break; 1169 default: 1170 return -1; 1171 } 1172 switch (action) { 1173 case ACTION_ADD: 1174 ret = pfkey_sa(fd, satype, SADB_ADD, r->spi, 1175 r->src, r->dst, r->xfs, r->authkey, r->enckey, 1176 r->tmode); 1177 break; 1178 case ACTION_DELETE: 1179 ret = pfkey_sa(fd, satype, SADB_DELETE, r->spi, 1180 r->src, r->dst, r->xfs, NULL, NULL, r->tmode); 1181 break; 1182 default: 1183 return -1; 1184 } 1185 } else if (r->type == RULE_GROUP) { 1186 switch (r->satype) { 1187 case IPSEC_AH: 1188 satype = SADB_SATYPE_AH; 1189 break; 1190 case IPSEC_ESP: 1191 satype = SADB_SATYPE_ESP; 1192 break; 1193 case IPSEC_IPCOMP: 1194 satype = SADB_X_SATYPE_IPCOMP; 1195 break; 1196 case IPSEC_TCPMD5: 1197 satype = SADB_X_SATYPE_TCPSIGNATURE; 1198 break; 1199 case IPSEC_IPIP: 1200 satype = SADB_X_SATYPE_IPIP; 1201 break; 1202 default: 1203 return -1; 1204 } 1205 switch (r->proto2) { 1206 case IPSEC_AH: 1207 satype2 = SADB_SATYPE_AH; 1208 break; 1209 case IPSEC_ESP: 1210 satype2 = SADB_SATYPE_ESP; 1211 break; 1212 case IPSEC_IPCOMP: 1213 satype2 = SADB_X_SATYPE_IPCOMP; 1214 break; 1215 case IPSEC_TCPMD5: 1216 satype2 = SADB_X_SATYPE_TCPSIGNATURE; 1217 break; 1218 case IPSEC_IPIP: 1219 satype2 = SADB_X_SATYPE_IPIP; 1220 break; 1221 default: 1222 return -1; 1223 } 1224 switch (action) { 1225 case ACTION_ADD: 1226 ret = pfkey_sagroup(fd, satype, satype2, 1227 SADB_X_GRPSPIS, r->dst, r->spi, r->dst2, r->spi2); 1228 break; 1229 case ACTION_DELETE: 1230 return 0; 1231 default: 1232 return -1; 1233 } 1234 } else 1235 return -1; 1236 1237 if (ret < 0) 1238 return -1; 1239 if (pfkey_reply(fd, NULL, NULL) < 0) 1240 return -1; 1241 1242 return 0; 1243 } 1244 1245 int 1246 pfkey_ipsec_flush(void) 1247 { 1248 struct sadb_msg smsg; 1249 struct iovec iov[IOV_CNT]; 1250 ssize_t n; 1251 int iov_cnt, len; 1252 1253 bzero(&smsg, sizeof(smsg)); 1254 smsg.sadb_msg_version = PF_KEY_V2; 1255 smsg.sadb_msg_seq = sadb_msg_seq++; 1256 smsg.sadb_msg_pid = getpid(); 1257 smsg.sadb_msg_len = sizeof(smsg) / 8; 1258 smsg.sadb_msg_type = SADB_FLUSH; 1259 smsg.sadb_msg_satype = SADB_SATYPE_UNSPEC; 1260 1261 iov_cnt = 0; 1262 1263 iov[iov_cnt].iov_base = &smsg; 1264 iov[iov_cnt].iov_len = sizeof(smsg); 1265 iov_cnt++; 1266 1267 len = smsg.sadb_msg_len * 8; 1268 if ((n = writev(fd, iov, iov_cnt)) == -1) { 1269 warn("writev failed"); 1270 return -1; 1271 } 1272 if (n != len) { 1273 warnx("short write"); 1274 return -1; 1275 } 1276 if (pfkey_reply(fd, NULL, NULL) < 0) 1277 return -1; 1278 1279 return 0; 1280 } 1281 1282 static int 1283 pfkey_promisc(void) 1284 { 1285 struct sadb_msg msg; 1286 1287 memset(&msg, 0, sizeof(msg)); 1288 msg.sadb_msg_version = PF_KEY_V2; 1289 msg.sadb_msg_seq = sadb_msg_seq++; 1290 msg.sadb_msg_pid = getpid(); 1291 msg.sadb_msg_len = sizeof(msg) / PFKEYV2_CHUNK; 1292 msg.sadb_msg_type = SADB_X_PROMISC; 1293 msg.sadb_msg_satype = 1; /* enable */ 1294 if (write(fd, &msg, sizeof(msg)) != sizeof(msg)) { 1295 warn("pfkey_promisc: write failed"); 1296 return -1; 1297 } 1298 if (pfkey_reply(fd, NULL, NULL) < 0) 1299 return -1; 1300 return 0; 1301 } 1302 1303 int 1304 pfkey_monitor(int opts) 1305 { 1306 struct pollfd pfd[1]; 1307 struct sadb_msg *msg; 1308 u_int8_t *data; 1309 ssize_t len; 1310 int n; 1311 1312 if (pfkey_init() < 0) 1313 return -1; 1314 if (pfkey_promisc() < 0) 1315 return -1; 1316 1317 pfd[0].fd = fd; 1318 pfd[0].events = POLLIN; 1319 for (;;) { 1320 if ((n = poll(pfd, 1, -1)) < 0) 1321 err(2, "poll"); 1322 if (n == 0) 1323 break; 1324 if ((pfd[0].revents & POLLIN) == 0) 1325 continue; 1326 if (pfkey_reply(fd, &data, &len) < 0) 1327 continue; 1328 msg = (struct sadb_msg *)data; 1329 if (msg->sadb_msg_type == SADB_X_PROMISC) { 1330 /* remove extra header from promisc messages */ 1331 if ((msg->sadb_msg_len * PFKEYV2_CHUNK) >= 1332 2 * sizeof(struct sadb_msg)) { 1333 msg++; 1334 } 1335 } 1336 pfkey_monitor_sa(msg, opts); 1337 if (opts & IPSECCTL_OPT_VERBOSE) 1338 pfkey_print_raw(data, len); 1339 explicit_bzero(data, len); 1340 free(data); 1341 } 1342 close(fd); 1343 return 0; 1344 } 1345 1346 int 1347 pfkey_init(void) 1348 { 1349 if ((fd = socket(PF_KEY, SOCK_RAW, PF_KEY_V2)) == -1) 1350 err(1, "pfkey_init: failed to open PF_KEY socket"); 1351 1352 return 0; 1353 } 1354