1 /* $NetBSD: pfkey.c,v 1.62 2021/12/05 04:54:20 msaitoh Exp $ */
2
3 /* $Id: pfkey.c,v 1.62 2021/12/05 04:54:20 msaitoh Exp $ */
4
5 /*
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "config.h"
35
36 #include <stdlib.h>
37 #include <string.h>
38 #include <stdio.h>
39 #include <netdb.h>
40 #include <errno.h>
41 #ifdef HAVE_UNISTD_H
42 #include <unistd.h>
43 #endif
44 #include <netdb.h>
45 #include <netinet/in.h>
46 #include <arpa/inet.h>
47
48 #ifdef ENABLE_NATT
49 # ifdef __linux__
50 # include <linux/udp.h>
51 # endif
52 # if defined(__NetBSD__) || defined(__FreeBSD__) || \
53 (defined(__APPLE__) && defined(__MACH__))
54 # include <netinet/udp.h>
55 # endif
56 #endif
57
58 #include <sys/types.h>
59 #include <sys/param.h>
60 #include <sys/socket.h>
61 #include <sys/queue.h>
62 #include <sys/sysctl.h>
63
64 #include <net/route.h>
65 #include <net/pfkeyv2.h>
66
67 #include <netinet/in.h>
68 #include PATH_IPSEC_H
69 #include <fcntl.h>
70
71 #include "libpfkey.h"
72
73 #include "var.h"
74 #include "misc.h"
75 #include "vmbuf.h"
76 #include "plog.h"
77 #include "sockmisc.h"
78 #include "session.h"
79 #include "debug.h"
80
81 #include "schedule.h"
82 #include "localconf.h"
83 #include "remoteconf.h"
84 #include "handler.h"
85 #include "policy.h"
86 #include "proposal.h"
87 #include "isakmp_var.h"
88 #include "isakmp.h"
89 #include "isakmp_inf.h"
90 #include "ipsec_doi.h"
91 #include "oakley.h"
92 #include "pfkey.h"
93 #include "algorithm.h"
94 #include "sainfo.h"
95 #include "admin.h"
96 #include "evt.h"
97 #include "privsep.h"
98 #include "strnames.h"
99 #include "backupsa.h"
100 #include "gcmalloc.h"
101 #include "nattraversal.h"
102 #include "crypto_openssl.h"
103 #include "grabmyaddr.h"
104
105 #if defined(SADB_X_EALG_RIJNDAELCBC) && !defined(SADB_X_EALG_AESCBC)
106 #define SADB_X_EALG_AESCBC SADB_X_EALG_RIJNDAELCBC
107 #endif
108
109 /* prototype */
110 static u_int ipsecdoi2pfkey_aalg __P((u_int));
111 static u_int ipsecdoi2pfkey_ealg __P((u_int));
112 static u_int ipsecdoi2pfkey_calg __P((u_int));
113 static u_int ipsecdoi2pfkey_alg __P((u_int, u_int));
114 static u_int keylen_aalg __P((u_int));
115 static u_int keylen_ealg __P((u_int, int));
116
117 static int pk_recvgetspi __P((caddr_t *));
118 static int pk_recvupdate __P((caddr_t *));
119 static int pk_recvadd __P((caddr_t *));
120 static int pk_recvdelete __P((caddr_t *));
121 static int pk_recvacquire __P((caddr_t *));
122 static int pk_recvexpire __P((caddr_t *));
123 static int pk_recvflush __P((caddr_t *));
124 static int getsadbpolicy __P((caddr_t *, int *, int, struct ph2handle *));
125 static int pk_recvspdupdate __P((caddr_t *));
126 static int pk_recvspdadd __P((caddr_t *));
127 static int pk_recvspddelete __P((caddr_t *));
128 static int pk_recvspdexpire __P((caddr_t *));
129 static int pk_recvspdget __P((caddr_t *));
130 static int pk_recvspddump __P((caddr_t *));
131 static int pk_recvspdflush __P((caddr_t *));
132 #if defined(SADB_X_MIGRATE) && defined(SADB_X_EXT_KMADDRESS)
133 static int pk_recvmigrate __P((caddr_t *));
134 #endif
135 static struct sadb_msg *pk_recv __P((int, int *));
136
137 static int (*pkrecvf[]) __P((caddr_t *)) = {
138 NULL,
139 pk_recvgetspi,
140 pk_recvupdate,
141 pk_recvadd,
142 pk_recvdelete,
143 NULL, /* SADB_GET */
144 pk_recvacquire,
145 NULL, /* SABD_REGISTER */
146 pk_recvexpire,
147 pk_recvflush,
148 NULL, /* SADB_DUMP */
149 NULL, /* SADB_X_PROMISC */
150 NULL, /* SADB_X_PCHANGE */
151 pk_recvspdupdate,
152 pk_recvspdadd,
153 pk_recvspddelete,
154 pk_recvspdget,
155 NULL, /* SADB_X_SPDACQUIRE */
156 pk_recvspddump,
157 pk_recvspdflush,
158 NULL, /* SADB_X_SPDSETIDX */
159 pk_recvspdexpire,
160 NULL, /* SADB_X_SPDDELETE2 */
161 NULL, /* SADB_X_NAT_T_NEW_MAPPING */
162 #if defined(SADB_X_MIGRATE) && defined(SADB_X_EXT_KMADDRESS)
163 pk_recvmigrate,
164 #else
165 NULL, /* SADB_X_MIGRATE */
166 #endif
167 #if (SADB_MAX > 24)
168 #error "SADB extra message?"
169 #endif
170 };
171
172 static int addnewsp __P((caddr_t *, struct sockaddr *, struct sockaddr *));
173
174 /* cope with old kame headers - ugly */
175 #ifndef SADB_X_AALG_MD5
176 #define SADB_X_AALG_MD5 SADB_AALG_MD5
177 #endif
178 #ifndef SADB_X_AALG_SHA
179 #define SADB_X_AALG_SHA SADB_AALG_SHA
180 #endif
181 #ifndef SADB_X_AALG_NULL
182 #define SADB_X_AALG_NULL SADB_AALG_NULL
183 #endif
184
185 #ifndef SADB_X_EALG_BLOWFISHCBC
186 #define SADB_X_EALG_BLOWFISHCBC SADB_EALG_BLOWFISHCBC
187 #endif
188 #ifndef SADB_X_EALG_CAST128CBC
189 #define SADB_X_EALG_CAST128CBC SADB_EALG_CAST128CBC
190 #endif
191 #ifndef SADB_X_EALG_RC5CBC
192 #ifdef SADB_EALG_RC5CBC
193 #define SADB_X_EALG_RC5CBC SADB_EALG_RC5CBC
194 #endif
195 #endif
196
197 /*
198 * PF_KEY packet handler
199 * 0: success
200 * -1: fail
201 */
202 static int
pfkey_handler(void * ctx,int fd)203 pfkey_handler(void *ctx, int fd)
204 {
205 struct sadb_msg *msg;
206 int len;
207 caddr_t mhp[SADB_EXT_MAX + 1];
208 int error = -1;
209
210 /* receive pfkey message. */
211 len = 0;
212 msg = (struct sadb_msg *) pk_recv(fd, &len);
213 if (msg == NULL) {
214 if (len < 0) {
215 /* do not report EAGAIN as error; well get
216 * called from main loop later. and it's normal
217 * when spd dump is received during reload and
218 * this function is called in loop. */
219 if (errno == EAGAIN)
220 goto end;
221
222 plog(LLV_ERROR, LOCATION, NULL,
223 "failed to recv from pfkey (%s)\n",
224 strerror(errno));
225 goto end;
226 } else {
227 /* short message - msg not ready */
228 return 0;
229 }
230 }
231
232 plog(LLV_DEBUG, LOCATION, NULL, "got pfkey %s message\n",
233 s_pfkey_type(msg->sadb_msg_type));
234 plogdump(LLV_DEBUG2, msg, msg->sadb_msg_len << 3);
235
236 /* validity check */
237 if (msg->sadb_msg_errno) {
238 int pri;
239
240 /* when SPD is empty, treat the state as no error. */
241 if (msg->sadb_msg_type == SADB_X_SPDDUMP &&
242 msg->sadb_msg_errno == ENOENT)
243 pri = LLV_DEBUG;
244 else
245 pri = LLV_ERROR;
246
247 plog(pri, LOCATION, NULL,
248 "pfkey %s failed: %s\n",
249 s_pfkey_type(msg->sadb_msg_type),
250 strerror(msg->sadb_msg_errno));
251
252 goto end;
253 }
254
255 /* check pfkey message. */
256 if (pfkey_align(msg, mhp)) {
257 plog(LLV_ERROR, LOCATION, NULL,
258 "libipsec failed pfkey align (%s)\n",
259 ipsec_strerror());
260 goto end;
261 }
262 if (pfkey_check(mhp)) {
263 plog(LLV_ERROR, LOCATION, NULL,
264 "libipsec failed pfkey check (%s)\n",
265 ipsec_strerror());
266 goto end;
267 }
268 msg = (struct sadb_msg *)mhp[0];
269
270 /* safety check */
271 if (msg->sadb_msg_type >= ARRAYLEN(pkrecvf)) {
272 plog(LLV_ERROR, LOCATION, NULL,
273 "unknown PF_KEY message type=%u\n",
274 msg->sadb_msg_type);
275 goto end;
276 }
277
278 if (pkrecvf[msg->sadb_msg_type] == NULL) {
279 plog(LLV_INFO, LOCATION, NULL,
280 "unsupported PF_KEY message %s\n",
281 s_pfkey_type(msg->sadb_msg_type));
282 goto end;
283 }
284
285 if ((pkrecvf[msg->sadb_msg_type])(mhp) < 0)
286 goto end;
287
288 error = 1;
289 end:
290 if (msg)
291 racoon_free(msg);
292 return(error);
293 }
294
295 /*
296 * dump SADB
297 */
298 vchar_t *
pfkey_dump_sadb(satype)299 pfkey_dump_sadb(satype)
300 int satype;
301 {
302 int s;
303 vchar_t *buf = NULL;
304 pid_t pid = getpid();
305 struct sadb_msg *msg = NULL;
306 size_t bl, ml;
307 int len;
308 int bufsiz;
309
310 if ((s = privsep_socket(PF_KEY, SOCK_RAW, PF_KEY_V2)) < 0) {
311 plog(LLV_ERROR, LOCATION, NULL,
312 "libipsec failed pfkey open: %s\n",
313 ipsec_strerror());
314 return NULL;
315 }
316
317 if ((bufsiz = pfkey_set_buffer_size(s, lcconf->pfkey_buffer_size)) < 0) {
318 plog(LLV_ERROR, LOCATION, NULL,
319 "libipsec failed pfkey set buffer size to %d: %s\n",
320 lcconf->pfkey_buffer_size, ipsec_strerror());
321 return NULL;
322 } else if (bufsiz < lcconf->pfkey_buffer_size) {
323 plog(LLV_WARNING, LOCATION, NULL,
324 "pfkey socket receive buffer set to %dKB, instead of %d\n",
325 bufsiz, lcconf->pfkey_buffer_size);
326 }
327
328 plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_dump\n");
329 if (pfkey_send_dump(s, satype) < 0) {
330 plog(LLV_ERROR, LOCATION, NULL,
331 "libipsec failed dump: %s\n", ipsec_strerror());
332 goto fail;
333 }
334
335 while (1) {
336 if (msg)
337 racoon_free(msg);
338 msg = pk_recv(s, &len);
339 if (msg == NULL) {
340 if (len < 0)
341 goto done;
342 else
343 continue;
344 }
345
346 if (msg->sadb_msg_type != SADB_DUMP || msg->sadb_msg_pid != pid)
347 {
348 plog(LLV_DEBUG, LOCATION, NULL,
349 "discarding non-sadb dump msg %p, our pid=%i\n", msg, pid);
350 plog(LLV_DEBUG, LOCATION, NULL,
351 "type %i, pid %i\n", msg->sadb_msg_type, msg->sadb_msg_pid);
352 continue;
353 }
354
355
356 ml = msg->sadb_msg_len << 3;
357 bl = buf ? buf->l : 0;
358 buf = vrealloc(buf, bl + ml);
359 if (buf == NULL) {
360 plog(LLV_ERROR, LOCATION, NULL,
361 "failed to reallocate buffer to dump.\n");
362 goto fail;
363 }
364 memcpy(buf->v + bl, msg, ml);
365
366 if (msg->sadb_msg_seq == 0)
367 break;
368 }
369 goto done;
370
371 fail:
372 if (buf)
373 vfree(buf);
374 buf = NULL;
375 done:
376 if (msg)
377 racoon_free(msg);
378 close(s);
379 return buf;
380 }
381
382 #ifdef ENABLE_ADMINPORT
383 /*
384 * flush SADB
385 */
386 void
pfkey_flush_sadb(proto)387 pfkey_flush_sadb(proto)
388 u_int proto;
389 {
390 int satype;
391
392 /* convert to SADB_SATYPE */
393 if ((satype = admin2pfkey_proto(proto)) < 0)
394 return;
395
396 plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_flush\n");
397 if (pfkey_send_flush(lcconf->sock_pfkey, satype) < 0) {
398 plog(LLV_ERROR, LOCATION, NULL,
399 "libipsec failed send flush (%s)\n", ipsec_strerror());
400 return;
401 }
402
403 return;
404 }
405 #endif
406
407 /*
408 * These are the SATYPEs that we manage. We register to get
409 * PF_KEY messages related to these SATYPEs, and we also use
410 * this list to determine which SATYPEs to delete SAs for when
411 * we receive an INITIAL-CONTACT.
412 */
413 const struct pfkey_satype pfkey_satypes[] = {
414 { SADB_SATYPE_AH, "AH" },
415 { SADB_SATYPE_ESP, "ESP" },
416 { SADB_X_SATYPE_IPCOMP, "IPCOMP" },
417 };
418 const int pfkey_nsatypes =
419 sizeof(pfkey_satypes) / sizeof(pfkey_satypes[0]);
420
421 /*
422 * PF_KEY initialization
423 */
424 int
pfkey_init()425 pfkey_init()
426 {
427 int i, reg_fail;
428 int bufsiz;
429
430 if ((lcconf->sock_pfkey = pfkey_open()) < 0) {
431 plog(LLV_ERROR, LOCATION, NULL,
432 "libipsec failed pfkey open (%s)\n", ipsec_strerror());
433 return -1;
434 }
435 if ((bufsiz = pfkey_set_buffer_size(lcconf->sock_pfkey,
436 lcconf->pfkey_buffer_size)) < 0) {
437 plog(LLV_ERROR, LOCATION, NULL,
438 "libipsec failed to set pfkey buffer size to %d (%s)\n",
439 lcconf->pfkey_buffer_size, ipsec_strerror());
440 return -1;
441 } else if (bufsiz < lcconf->pfkey_buffer_size) {
442 plog(LLV_WARNING, LOCATION, NULL,
443 "pfkey socket receive buffer set to %dKB, instead of %d\n",
444 bufsiz, lcconf->pfkey_buffer_size);
445 }
446
447 if (fcntl(lcconf->sock_pfkey, F_SETFL, O_NONBLOCK) == -1)
448 plog(LLV_WARNING, LOCATION, NULL,
449 "failed to set the pfkey socket to NONBLOCK\n");
450
451 for (i = 0, reg_fail = 0; i < pfkey_nsatypes; i++) {
452 plog(LLV_DEBUG, LOCATION, NULL,
453 "call pfkey_send_register for %s\n",
454 pfkey_satypes[i].ps_name);
455 if (pfkey_send_register(lcconf->sock_pfkey,
456 pfkey_satypes[i].ps_satype) < 0 ||
457 pfkey_recv_register(lcconf->sock_pfkey) < 0) {
458 plog(LLV_WARNING, LOCATION, NULL,
459 "failed to register %s (%s)\n",
460 pfkey_satypes[i].ps_name,
461 ipsec_strerror());
462 reg_fail++;
463 }
464 }
465
466 if (reg_fail == pfkey_nsatypes) {
467 plog(LLV_ERROR, LOCATION, NULL,
468 "failed to regist any protocol.\n");
469 pfkey_close(lcconf->sock_pfkey);
470 return -1;
471 }
472
473 initsp();
474
475 if (pfkey_send_spddump(lcconf->sock_pfkey) < 0) {
476 plog(LLV_ERROR, LOCATION, NULL,
477 "libipsec sending spddump failed: %s\n",
478 ipsec_strerror());
479 pfkey_close(lcconf->sock_pfkey);
480 return -1;
481 }
482 #if 0
483 if (pfkey_promisc_toggle(1) < 0) {
484 pfkey_close(lcconf->sock_pfkey);
485 return -1;
486 }
487 #endif
488 monitor_fd(lcconf->sock_pfkey, pfkey_handler, NULL, 0);
489 return 0;
490 }
491
492 int
pfkey_reload()493 pfkey_reload()
494 {
495 flushsp();
496
497 if (pfkey_send_spddump(lcconf->sock_pfkey) < 0) {
498 plog(LLV_ERROR, LOCATION, NULL,
499 "libipsec sending spddump failed: %s\n",
500 ipsec_strerror());
501 return -1;
502 }
503
504 while (pfkey_handler(NULL, lcconf->sock_pfkey) > 0)
505 continue;
506
507 return 0;
508 }
509
510 /* %%% for conversion */
511 /* IPSECDOI_ATTR_AUTH -> SADB_AALG */
512 static u_int
ipsecdoi2pfkey_aalg(hashtype)513 ipsecdoi2pfkey_aalg(hashtype)
514 u_int hashtype;
515 {
516 switch (hashtype) {
517 case IPSECDOI_ATTR_AUTH_HMAC_MD5:
518 return SADB_AALG_MD5HMAC;
519 case IPSECDOI_ATTR_AUTH_HMAC_SHA1:
520 return SADB_AALG_SHA1HMAC;
521 case IPSECDOI_ATTR_AUTH_HMAC_SHA2_256:
522 #if (defined SADB_X_AALG_SHA2_256) && !defined(SADB_X_AALG_SHA2_256HMAC)
523 return SADB_X_AALG_SHA2_256;
524 #else
525 return SADB_X_AALG_SHA2_256HMAC;
526 #endif
527 case IPSECDOI_ATTR_AUTH_HMAC_SHA2_384:
528 #if (defined SADB_X_AALG_SHA2_384) && !defined(SADB_X_AALG_SHA2_384HMAC)
529 return SADB_X_AALG_SHA2_384;
530 #else
531 return SADB_X_AALG_SHA2_384HMAC;
532 #endif
533 case IPSECDOI_ATTR_AUTH_HMAC_SHA2_512:
534 #if (defined SADB_X_AALG_SHA2_512) && !defined(SADB_X_AALG_SHA2_512HMAC)
535 return SADB_X_AALG_SHA2_512;
536 #else
537 return SADB_X_AALG_SHA2_512HMAC;
538 #endif
539 case IPSECDOI_ATTR_AUTH_KPDK: /* need special care */
540 return SADB_AALG_NONE;
541
542 /* not supported */
543 case IPSECDOI_ATTR_AUTH_DES_MAC:
544 plog(LLV_ERROR, LOCATION, NULL,
545 "Not supported hash type: %u\n", hashtype);
546 return ~0;
547
548 case 0: /* reserved */
549 default:
550 return SADB_AALG_NONE;
551
552 plog(LLV_ERROR, LOCATION, NULL,
553 "Invalid hash type: %u\n", hashtype);
554 return ~0;
555 }
556 /*NOTREACHED*/
557 }
558
559 /* IPSECDOI_ESP -> SADB_EALG */
560 static u_int
ipsecdoi2pfkey_ealg(t_id)561 ipsecdoi2pfkey_ealg(t_id)
562 u_int t_id;
563 {
564 switch (t_id) {
565 case IPSECDOI_ESP_DES_IV64: /* sa_flags |= SADB_X_EXT_OLD */
566 return SADB_EALG_DESCBC;
567 case IPSECDOI_ESP_DES:
568 return SADB_EALG_DESCBC;
569 case IPSECDOI_ESP_3DES:
570 return SADB_EALG_3DESCBC;
571 #ifdef SADB_X_EALG_RC5CBC
572 case IPSECDOI_ESP_RC5:
573 return SADB_X_EALG_RC5CBC;
574 #endif
575 case IPSECDOI_ESP_CAST:
576 return SADB_X_EALG_CAST128CBC;
577 case IPSECDOI_ESP_BLOWFISH:
578 return SADB_X_EALG_BLOWFISHCBC;
579 case IPSECDOI_ESP_DES_IV32: /* flags |= (SADB_X_EXT_OLD|
580 SADB_X_EXT_IV4B)*/
581 return SADB_EALG_DESCBC;
582 case IPSECDOI_ESP_NULL:
583 return SADB_EALG_NULL;
584 #ifdef SADB_X_EALG_AESCBC
585 case IPSECDOI_ESP_AES:
586 return SADB_X_EALG_AESCBC;
587 #endif
588 #ifdef SADB_X_EALG_AESGCM16
589 case IPSECDOI_ESP_AESGCM16:
590 return SADB_X_EALG_AESGCM16;
591 #endif
592 #ifdef SADB_X_EALG_TWOFISHCBC
593 case IPSECDOI_ESP_TWOFISH:
594 return SADB_X_EALG_TWOFISHCBC;
595 #endif
596 #ifdef SADB_X_EALG_CAMELLIACBC
597 case IPSECDOI_ESP_CAMELLIA:
598 return SADB_X_EALG_CAMELLIACBC;
599 #endif
600
601 /* not supported */
602 case IPSECDOI_ESP_3IDEA:
603 case IPSECDOI_ESP_IDEA:
604 case IPSECDOI_ESP_RC4:
605 plog(LLV_ERROR, LOCATION, NULL,
606 "Not supported transform: %u\n", t_id);
607 return ~0;
608
609 case 0: /* reserved */
610 default:
611 plog(LLV_ERROR, LOCATION, NULL,
612 "Invalid transform id: %u\n", t_id);
613 return ~0;
614 }
615 /*NOTREACHED*/
616 }
617
618 /* IPCOMP -> SADB_CALG */
619 static u_int
ipsecdoi2pfkey_calg(t_id)620 ipsecdoi2pfkey_calg(t_id)
621 u_int t_id;
622 {
623 switch (t_id) {
624 case IPSECDOI_IPCOMP_OUI:
625 return SADB_X_CALG_OUI;
626 case IPSECDOI_IPCOMP_DEFLATE:
627 return SADB_X_CALG_DEFLATE;
628 case IPSECDOI_IPCOMP_LZS:
629 return SADB_X_CALG_LZS;
630
631 case 0: /* reserved */
632 default:
633 plog(LLV_ERROR, LOCATION, NULL,
634 "Invalid transform id: %u\n", t_id);
635 return ~0;
636 }
637 /*NOTREACHED*/
638 }
639
640 /* IPSECDOI_PROTO -> SADB_SATYPE */
641 u_int
ipsecdoi2pfkey_proto(proto)642 ipsecdoi2pfkey_proto(proto)
643 u_int proto;
644 {
645 switch (proto) {
646 case IPSECDOI_PROTO_IPSEC_AH:
647 return SADB_SATYPE_AH;
648 case IPSECDOI_PROTO_IPSEC_ESP:
649 return SADB_SATYPE_ESP;
650 case IPSECDOI_PROTO_IPCOMP:
651 return SADB_X_SATYPE_IPCOMP;
652
653 default:
654 plog(LLV_ERROR, LOCATION, NULL,
655 "Invalid ipsec_doi proto: %u\n", proto);
656 return ~0;
657 }
658 /*NOTREACHED*/
659 }
660
661 static u_int
ipsecdoi2pfkey_alg(algclass,type)662 ipsecdoi2pfkey_alg(algclass, type)
663 u_int algclass, type;
664 {
665 switch (algclass) {
666 case IPSECDOI_ATTR_AUTH:
667 return ipsecdoi2pfkey_aalg(type);
668 case IPSECDOI_PROTO_IPSEC_ESP:
669 return ipsecdoi2pfkey_ealg(type);
670 case IPSECDOI_PROTO_IPCOMP:
671 return ipsecdoi2pfkey_calg(type);
672 default:
673 plog(LLV_ERROR, LOCATION, NULL,
674 "Invalid ipsec_doi algclass: %u\n", algclass);
675 return ~0;
676 }
677 /*NOTREACHED*/
678 }
679
680 /* SADB_SATYPE -> IPSECDOI_PROTO */
681 u_int
pfkey2ipsecdoi_proto(satype)682 pfkey2ipsecdoi_proto(satype)
683 u_int satype;
684 {
685 switch (satype) {
686 case SADB_SATYPE_AH:
687 return IPSECDOI_PROTO_IPSEC_AH;
688 case SADB_SATYPE_ESP:
689 return IPSECDOI_PROTO_IPSEC_ESP;
690 case SADB_X_SATYPE_IPCOMP:
691 return IPSECDOI_PROTO_IPCOMP;
692
693 default:
694 plog(LLV_ERROR, LOCATION, NULL,
695 "Invalid pfkey proto: %u\n", satype);
696 return ~0;
697 }
698 /*NOTREACHED*/
699 }
700
701 /* IPSECDOI_ATTR_ENC_MODE -> IPSEC_MODE */
702 u_int
ipsecdoi2pfkey_mode(mode)703 ipsecdoi2pfkey_mode(mode)
704 u_int mode;
705 {
706 switch (mode) {
707 case IPSECDOI_ATTR_ENC_MODE_TUNNEL:
708 #ifdef ENABLE_NATT
709 case IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_RFC:
710 case IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_DRAFT:
711 #endif
712 return IPSEC_MODE_TUNNEL;
713 case IPSECDOI_ATTR_ENC_MODE_TRNS:
714 #ifdef ENABLE_NATT
715 case IPSECDOI_ATTR_ENC_MODE_UDPTRNS_RFC:
716 case IPSECDOI_ATTR_ENC_MODE_UDPTRNS_DRAFT:
717 #endif
718 return IPSEC_MODE_TRANSPORT;
719 default:
720 plog(LLV_ERROR, LOCATION, NULL, "Invalid mode type: %u\n", mode);
721 return ~0;
722 }
723 /*NOTREACHED*/
724 }
725
726 /* IPSECDOI_ATTR_ENC_MODE -> IPSEC_MODE */
727 u_int
pfkey2ipsecdoi_mode(mode)728 pfkey2ipsecdoi_mode(mode)
729 u_int mode;
730 {
731 switch (mode) {
732 case IPSEC_MODE_TUNNEL:
733 return IPSECDOI_ATTR_ENC_MODE_TUNNEL;
734 case IPSEC_MODE_TRANSPORT:
735 return IPSECDOI_ATTR_ENC_MODE_TRNS;
736 case IPSEC_MODE_ANY:
737 return IPSECDOI_ATTR_ENC_MODE_ANY;
738 default:
739 plog(LLV_ERROR, LOCATION, NULL, "Invalid mode type: %u\n", mode);
740 return ~0;
741 }
742 /*NOTREACHED*/
743 }
744
745 /* default key length for encryption algorithm */
746 static u_int
keylen_aalg(hashtype)747 keylen_aalg(hashtype)
748 u_int hashtype;
749 {
750 int res;
751
752 if (hashtype == 0)
753 return SADB_AALG_NONE;
754
755 res = alg_ipsec_hmacdef_hashlen(hashtype);
756 if (res == -1) {
757 plog(LLV_ERROR, LOCATION, NULL,
758 "invalid hmac algorithm %u.\n", hashtype);
759 return ~0;
760 }
761 return res;
762 }
763
764 /* default key length for encryption algorithm */
765 static u_int
keylen_ealg(enctype,encklen)766 keylen_ealg(enctype, encklen)
767 u_int enctype;
768 int encklen;
769 {
770 int res;
771
772 res = alg_ipsec_encdef_keylen(enctype, encklen);
773 if (res == -1) {
774 plog(LLV_ERROR, LOCATION, NULL,
775 "invalid encryption algorithm %u.\n", enctype);
776 return ~0;
777 }
778 return res;
779 }
780
781 void
pk_fixup_sa_addresses(mhp)782 pk_fixup_sa_addresses(mhp)
783 caddr_t *mhp;
784 {
785 struct sockaddr *src, *dst;
786
787 src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
788 dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
789 set_port(src, PORT_ISAKMP);
790 set_port(dst, PORT_ISAKMP);
791
792 #ifdef ENABLE_NATT
793 if (PFKEY_ADDR_X_NATTYPE(mhp[SADB_X_EXT_NAT_T_TYPE])) {
794 /* NAT-T is enabled for this SADB entry; copy
795 * the ports from NAT-T extensions */
796 if(mhp[SADB_X_EXT_NAT_T_SPORT] != NULL)
797 set_port(src, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_SPORT]));
798 if(mhp[SADB_X_EXT_NAT_T_DPORT] != NULL)
799 set_port(dst, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_DPORT]));
800 }
801 #endif
802 }
803
804 int
pfkey_convertfromipsecdoi(proto_id,t_id,hashtype,e_type,e_keylen,a_type,a_keylen,flags)805 pfkey_convertfromipsecdoi(proto_id, t_id, hashtype,
806 e_type, e_keylen, a_type, a_keylen, flags)
807 u_int proto_id;
808 u_int t_id;
809 u_int hashtype;
810 u_int *e_type;
811 u_int *e_keylen;
812 u_int *a_type;
813 u_int *a_keylen;
814 u_int *flags;
815 {
816 *flags = 0;
817 switch (proto_id) {
818 case IPSECDOI_PROTO_IPSEC_ESP:
819 if ((*e_type = ipsecdoi2pfkey_ealg(t_id)) == ~0)
820 goto bad;
821 if ((*e_keylen = keylen_ealg(t_id, *e_keylen)) == ~0)
822 goto bad;
823 *e_keylen >>= 3;
824
825 if ((*a_type = ipsecdoi2pfkey_aalg(hashtype)) == ~0)
826 goto bad;
827 if ((*a_keylen = keylen_aalg(hashtype)) == ~0)
828 goto bad;
829 *a_keylen >>= 3;
830
831 if (*e_type == SADB_EALG_NONE) {
832 plog(LLV_ERROR, LOCATION, NULL, "no ESP algorithm.\n");
833 goto bad;
834 }
835 break;
836
837 case IPSECDOI_PROTO_IPSEC_AH:
838 if ((*a_type = ipsecdoi2pfkey_aalg(hashtype)) == ~0)
839 goto bad;
840 if ((*a_keylen = keylen_aalg(hashtype)) == ~0)
841 goto bad;
842 *a_keylen >>= 3;
843
844 if (t_id == IPSECDOI_ATTR_AUTH_HMAC_MD5
845 && hashtype == IPSECDOI_ATTR_AUTH_KPDK) {
846 /* AH_MD5 + Auth(KPDK) = RFC1826 keyed-MD5 */
847 *a_type = SADB_X_AALG_MD5;
848 *flags |= SADB_X_EXT_OLD;
849 }
850 *e_type = SADB_EALG_NONE;
851 *e_keylen = 0;
852 if (*a_type == SADB_AALG_NONE) {
853 plog(LLV_ERROR, LOCATION, NULL, "no AH algorithm.\n");
854 goto bad;
855 }
856 break;
857
858 case IPSECDOI_PROTO_IPCOMP:
859 if ((*e_type = ipsecdoi2pfkey_calg(t_id)) == ~0)
860 goto bad;
861 *e_keylen = 0;
862
863 *flags = SADB_X_EXT_RAWCPI;
864
865 *a_type = SADB_AALG_NONE;
866 *a_keylen = 0;
867 if (*e_type == SADB_X_CALG_NONE) {
868 plog(LLV_ERROR, LOCATION, NULL, "no IPCOMP algorithm.\n");
869 goto bad;
870 }
871 break;
872
873 default:
874 plog(LLV_ERROR, LOCATION, NULL, "unknown IPsec protocol.\n");
875 goto bad;
876 }
877
878 return 0;
879
880 bad:
881 errno = EINVAL;
882 return -1;
883 }
884
885 /*%%%*/
886 /* send getspi message per ipsec protocol per remote address */
887 /*
888 * the local address and remote address in ph1handle are dealed
889 * with destination address and source address respectively.
890 * Because SPI is decided by responder.
891 */
892 int
pk_sendgetspi(iph2)893 pk_sendgetspi(iph2)
894 struct ph2handle *iph2;
895 {
896 struct sockaddr *src = NULL, *dst = NULL;
897 u_int satype, mode;
898 struct saprop *pp;
899 struct saproto *pr;
900 u_int32_t minspi, maxspi;
901 u_int8_t natt_type = 0;
902 u_int16_t sport = 0, dport = 0;
903
904 if (iph2->side == INITIATOR)
905 pp = iph2->proposal;
906 else
907 pp = iph2->approval;
908
909 if (iph2->sa_src && iph2->sa_dst) {
910 /* MIPv6: Use SA addresses, not IKE ones */
911 src = dupsaddr(iph2->sa_src);
912 dst = dupsaddr(iph2->sa_dst);
913 } else {
914 /* Common case: SA addresses and IKE ones are the same */
915 src = dupsaddr(iph2->src);
916 dst = dupsaddr(iph2->dst);
917 }
918
919 if (src == NULL || dst == NULL) {
920 racoon_free(src);
921 racoon_free(dst);
922 return -1;
923 }
924
925 for (pr = pp->head; pr != NULL; pr = pr->next) {
926
927 /* validity check */
928 satype = ipsecdoi2pfkey_proto(pr->proto_id);
929 if (satype == ~0) {
930 plog(LLV_ERROR, LOCATION, NULL,
931 "invalid proto_id %d\n", pr->proto_id);
932 racoon_free(src);
933 racoon_free(dst);
934 return -1;
935 }
936 /* this works around a bug in Linux kernel where it allocates 4 byte
937 spi's for IPCOMP */
938 else if (satype == SADB_X_SATYPE_IPCOMP) {
939 minspi = 0x100;
940 maxspi = 0xffff;
941 }
942 else {
943 minspi = 0;
944 maxspi = 0;
945 }
946 mode = ipsecdoi2pfkey_mode(pr->encmode);
947 if (mode == ~0) {
948 plog(LLV_ERROR, LOCATION, NULL,
949 "invalid encmode %d\n", pr->encmode);
950 racoon_free(src);
951 racoon_free(dst);
952 return -1;
953 }
954
955 #ifdef ENABLE_NATT
956 if (pr->udp_encap) {
957 natt_type = iph2->ph1->natt_options->encaps_type;
958 sport=extract_port(src);
959 dport=extract_port(dst);
960 }
961 #endif
962
963 plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_getspi\n");
964 if (pfkey_send_getspi_nat(
965 lcconf->sock_pfkey,
966 satype,
967 mode,
968 dst, /* src of SA */
969 src, /* dst of SA */
970 natt_type,
971 dport,
972 sport,
973 minspi, maxspi,
974 pr->reqid_in, iph2->seq) < 0) {
975 plog(LLV_ERROR, LOCATION, NULL,
976 "ipseclib failed send getspi (%s)\n",
977 ipsec_strerror());
978 racoon_free(src);
979 racoon_free(dst);
980 return -1;
981 }
982 plog(LLV_DEBUG, LOCATION, NULL,
983 "pfkey GETSPI sent: %s\n",
984 sadbsecas2str(dst, src, satype, 0, mode));
985 }
986
987 racoon_free(src);
988 racoon_free(dst);
989 return 0;
990 }
991
992 /*
993 * receive GETSPI from kernel.
994 */
995 static int
pk_recvgetspi(mhp)996 pk_recvgetspi(mhp)
997 caddr_t *mhp;
998 {
999 struct sadb_msg *msg;
1000 struct sadb_sa *sa;
1001 struct ph2handle *iph2;
1002 struct sockaddr *src, *dst;
1003 int proto_id;
1004 int allspiok, notfound;
1005 struct saprop *pp;
1006 struct saproto *pr;
1007
1008 /* validity check */
1009 if (mhp[SADB_EXT_SA] == NULL
1010 || mhp[SADB_EXT_ADDRESS_DST] == NULL
1011 || mhp[SADB_EXT_ADDRESS_SRC] == NULL) {
1012 plog(LLV_ERROR, LOCATION, NULL,
1013 "inappropriate sadb getspi message passed.\n");
1014 return -1;
1015 }
1016 msg = (struct sadb_msg *)mhp[0];
1017 sa = (struct sadb_sa *)mhp[SADB_EXT_SA];
1018 pk_fixup_sa_addresses(mhp);
1019 dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]); /* note SA dir */
1020 src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
1021
1022 /* the message has to be processed or not ? */
1023 if (msg->sadb_msg_pid != getpid()) {
1024 plog(LLV_DEBUG, LOCATION, NULL,
1025 "%s message is not interesting "
1026 "because pid %d is not mine.\n",
1027 s_pfkey_type(msg->sadb_msg_type),
1028 msg->sadb_msg_pid);
1029 return -1;
1030 }
1031
1032 iph2 = getph2byseq(msg->sadb_msg_seq);
1033 if (iph2 == NULL) {
1034 plog(LLV_DEBUG, LOCATION, NULL,
1035 "seq %d of %s message not interesting.\n",
1036 msg->sadb_msg_seq,
1037 s_pfkey_type(msg->sadb_msg_type));
1038 return -1;
1039 }
1040
1041 if (iph2->status != PHASE2ST_GETSPISENT) {
1042 plog(LLV_ERROR, LOCATION, NULL,
1043 "status mismatch (db:%d msg:%d)\n",
1044 iph2->status, PHASE2ST_GETSPISENT);
1045 return -1;
1046 }
1047
1048 /* set SPI, and check to get all spi whether or not */
1049 allspiok = 1;
1050 notfound = 1;
1051 proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype);
1052 pp = iph2->side == INITIATOR ? iph2->proposal : iph2->approval;
1053
1054 for (pr = pp->head; pr != NULL; pr = pr->next) {
1055 if (pr->proto_id == proto_id && pr->spi == 0) {
1056 pr->spi = sa->sadb_sa_spi;
1057 notfound = 0;
1058 plog(LLV_DEBUG, LOCATION, NULL,
1059 "pfkey GETSPI succeeded: %s\n",
1060 sadbsecas2str(dst, src,
1061 msg->sadb_msg_satype,
1062 sa->sadb_sa_spi,
1063 ipsecdoi2pfkey_mode(pr->encmode)));
1064 }
1065 if (pr->spi == 0)
1066 allspiok = 0; /* not get all spi */
1067 }
1068
1069 if (notfound) {
1070 plog(LLV_ERROR, LOCATION, NULL,
1071 "get spi for unknown address %s\n",
1072 saddrwop2str(dst));
1073 return -1;
1074 }
1075
1076 if (allspiok) {
1077 /* update status */
1078 iph2->status = PHASE2ST_GETSPIDONE;
1079 if (isakmp_post_getspi(iph2) < 0) {
1080 plog(LLV_ERROR, LOCATION, NULL,
1081 "failed to start post getspi.\n");
1082 remph2(iph2);
1083 delph2(iph2);
1084 iph2 = NULL;
1085 return -1;
1086 }
1087 }
1088
1089 return 0;
1090 }
1091
1092 /*
1093 * set inbound SA
1094 */
1095 int
pk_sendupdate(iph2)1096 pk_sendupdate(iph2)
1097 struct ph2handle *iph2;
1098 {
1099 struct saproto *pr;
1100 struct pfkey_send_sa_args sa_args;
1101
1102 /* sanity check */
1103 if (iph2->approval == NULL) {
1104 plog(LLV_ERROR, LOCATION, NULL,
1105 "no approvaled SAs found.\n");
1106 return -1;
1107 }
1108
1109 /* fill in some needed for pfkey_send_update2 */
1110 memset (&sa_args, 0, sizeof (sa_args));
1111 sa_args.so = lcconf->sock_pfkey;
1112 if (iph2->lifetime_secs)
1113 sa_args.l_addtime = iph2->lifetime_secs;
1114 else
1115 sa_args.l_addtime = iph2->approval->lifetime;
1116 sa_args.seq = iph2->seq;
1117 sa_args.wsize = 4;
1118
1119 if (iph2->sa_src && iph2->sa_dst) {
1120 /* MIPv6: Use SA addresses, not IKE ones */
1121 sa_args.dst = dupsaddr(iph2->sa_src);
1122 sa_args.src = dupsaddr(iph2->sa_dst);
1123 } else {
1124 /* Common case: SA addresses and IKE ones are the same */
1125 sa_args.dst = dupsaddr(iph2->src);
1126 sa_args.src = dupsaddr(iph2->dst);
1127 }
1128
1129 if (sa_args.src == NULL || sa_args.dst == NULL) {
1130 racoon_free(sa_args.src);
1131 racoon_free(sa_args.dst);
1132 return -1;
1133 }
1134
1135 for (pr = iph2->approval->head; pr != NULL; pr = pr->next) {
1136 /* validity check */
1137 sa_args.satype = ipsecdoi2pfkey_proto(pr->proto_id);
1138 if (sa_args.satype == ~0) {
1139 plog(LLV_ERROR, LOCATION, NULL,
1140 "invalid proto_id %d\n", pr->proto_id);
1141 racoon_free(sa_args.src);
1142 racoon_free(sa_args.dst);
1143 return -1;
1144 }
1145 else if (sa_args.satype == SADB_X_SATYPE_IPCOMP) {
1146 /* IPCOMP has no replay window */
1147 sa_args.wsize = 0;
1148 }
1149 #ifdef ENABLE_SAMODE_UNSPECIFIED
1150 sa_args.mode = IPSEC_MODE_ANY;
1151 #else
1152 sa_args.mode = ipsecdoi2pfkey_mode(pr->encmode);
1153 if (sa_args.mode == ~0) {
1154 plog(LLV_ERROR, LOCATION, NULL,
1155 "invalid encmode %d\n", pr->encmode);
1156 racoon_free(sa_args.src);
1157 racoon_free(sa_args.dst);
1158 return -1;
1159 }
1160 #endif
1161 /* set algorithm type and key length */
1162 sa_args.e_keylen = pr->head->encklen;
1163 if (pfkey_convertfromipsecdoi(
1164 pr->proto_id,
1165 pr->head->trns_id,
1166 pr->head->authtype,
1167 &sa_args.e_type, &sa_args.e_keylen,
1168 &sa_args.a_type, &sa_args.a_keylen,
1169 &sa_args.flags) < 0){
1170 racoon_free(sa_args.src);
1171 racoon_free(sa_args.dst);
1172 return -1;
1173 }
1174
1175 #if 0
1176 sa_args.l_bytes = iph2->approval->lifebyte * 1024,
1177 #else
1178 sa_args.l_bytes = 0;
1179 #endif
1180
1181 #ifdef HAVE_SECCTX
1182 if (*iph2->approval->sctx.ctx_str) {
1183 sa_args.ctxdoi = iph2->approval->sctx.ctx_doi;
1184 sa_args.ctxalg = iph2->approval->sctx.ctx_alg;
1185 sa_args.ctxstrlen = iph2->approval->sctx.ctx_strlen;
1186 sa_args.ctxstr = iph2->approval->sctx.ctx_str;
1187 }
1188 #endif /* HAVE_SECCTX */
1189
1190 #ifdef ENABLE_NATT
1191 if (pr->udp_encap) {
1192 sa_args.l_natt_type = iph2->ph1->natt_options->encaps_type;
1193 sa_args.l_natt_sport = extract_port(iph2->ph1->remote);
1194 sa_args.l_natt_dport = extract_port(iph2->ph1->local);
1195 sa_args.l_natt_oa = iph2->natoa_src;
1196 #ifdef SADB_X_EXT_NAT_T_FRAG
1197 sa_args.l_natt_frag = iph2->ph1->rmconf->esp_frag;
1198 #endif
1199 }
1200 #endif
1201
1202 /* more info to fill in */
1203 sa_args.spi = pr->spi;
1204 sa_args.reqid = pr->reqid_in;
1205 sa_args.keymat = pr->keymat->v;
1206
1207 plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_update2\n");
1208 if (pfkey_send_update2(&sa_args) < 0) {
1209 plog(LLV_ERROR, LOCATION, NULL,
1210 "libipsec failed send update (%s)\n",
1211 ipsec_strerror());
1212 racoon_free(sa_args.src);
1213 racoon_free(sa_args.dst);
1214 return -1;
1215 }
1216
1217 if (!lcconf->pathinfo[LC_PATHTYPE_BACKUPSA])
1218 continue;
1219
1220 /*
1221 * It maybe good idea to call backupsa_to_file() after
1222 * racoon will receive the sadb_update messages.
1223 * But it is impossible because there is not key in the
1224 * information from the kernel.
1225 */
1226
1227 /* change some things before backing up */
1228 sa_args.wsize = 4;
1229 sa_args.l_bytes = iph2->approval->lifebyte * 1024;
1230
1231 if (backupsa_to_file(&sa_args) < 0) {
1232 plog(LLV_ERROR, LOCATION, NULL,
1233 "backuped SA failed: %s\n",
1234 sadbsecas2str(sa_args.src, sa_args.dst,
1235 sa_args.satype, sa_args.spi, sa_args.mode));
1236 }
1237 plog(LLV_DEBUG, LOCATION, NULL,
1238 "backuped SA: %s\n",
1239 sadbsecas2str(sa_args.src, sa_args.dst,
1240 sa_args.satype, sa_args.spi, sa_args.mode));
1241 }
1242
1243 racoon_free(sa_args.src);
1244 racoon_free(sa_args.dst);
1245 return 0;
1246 }
1247
1248 static int
pk_recvupdate(mhp)1249 pk_recvupdate(mhp)
1250 caddr_t *mhp;
1251 {
1252 struct sadb_msg *msg;
1253 struct sadb_sa *sa;
1254 struct sockaddr *src, *dst;
1255 struct ph2handle *iph2;
1256 u_int proto_id, encmode, sa_mode;
1257 int incomplete = 0;
1258 struct saproto *pr;
1259
1260 /* ignore this message because of local test mode. */
1261 if (f_local)
1262 return 0;
1263
1264 /* sanity check */
1265 if (mhp[0] == NULL
1266 || mhp[SADB_EXT_SA] == NULL
1267 || mhp[SADB_EXT_ADDRESS_SRC] == NULL
1268 || mhp[SADB_EXT_ADDRESS_DST] == NULL) {
1269 plog(LLV_ERROR, LOCATION, NULL,
1270 "inappropriate sadb update message passed.\n");
1271 return -1;
1272 }
1273 msg = (struct sadb_msg *)mhp[0];
1274 pk_fixup_sa_addresses(mhp);
1275 src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
1276 dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
1277 sa = (struct sadb_sa *)mhp[SADB_EXT_SA];
1278
1279 sa_mode = mhp[SADB_X_EXT_SA2] == NULL
1280 ? IPSEC_MODE_ANY
1281 : ((struct sadb_x_sa2 *)mhp[SADB_X_EXT_SA2])->sadb_x_sa2_mode;
1282
1283 /* the message has to be processed or not ? */
1284 if (msg->sadb_msg_pid != getpid()) {
1285 plog(LLV_DEBUG, LOCATION, NULL,
1286 "%s message is not interesting "
1287 "because pid %d is not mine.\n",
1288 s_pfkey_type(msg->sadb_msg_type),
1289 msg->sadb_msg_pid);
1290 return -1;
1291 }
1292
1293 iph2 = getph2byseq(msg->sadb_msg_seq);
1294 if (iph2 == NULL) {
1295 plog(LLV_DEBUG, LOCATION, NULL,
1296 "seq %d of %s message not interesting.\n",
1297 msg->sadb_msg_seq,
1298 s_pfkey_type(msg->sadb_msg_type));
1299 return -1;
1300 }
1301
1302 if (iph2->status != PHASE2ST_ADDSA) {
1303 plog(LLV_ERROR, LOCATION, NULL,
1304 "status mismatch (db:%d msg:%d)\n",
1305 iph2->status, PHASE2ST_ADDSA);
1306 return -1;
1307 }
1308
1309 /* check to complete all keys ? */
1310 for (pr = iph2->approval->head; pr != NULL; pr = pr->next) {
1311 proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype);
1312 if (proto_id == ~0) {
1313 plog(LLV_ERROR, LOCATION, NULL,
1314 "invalid proto_id %d\n", msg->sadb_msg_satype);
1315 return -1;
1316 }
1317 encmode = pfkey2ipsecdoi_mode(sa_mode);
1318 if (encmode == ~0) {
1319 plog(LLV_ERROR, LOCATION, NULL,
1320 "invalid encmode %d\n", sa_mode);
1321 return -1;
1322 }
1323
1324 if (pr->proto_id == proto_id
1325 && pr->spi == sa->sadb_sa_spi) {
1326 pr->ok = 1;
1327 plog(LLV_DEBUG, LOCATION, NULL,
1328 "pfkey UPDATE succeeded: %s\n",
1329 sadbsecas2str(dst, src,
1330 msg->sadb_msg_satype,
1331 sa->sadb_sa_spi,
1332 sa_mode));
1333
1334 plog(LLV_INFO, LOCATION, NULL,
1335 "IPsec-SA established: %s\n",
1336 sadbsecas2str(dst, src,
1337 msg->sadb_msg_satype, sa->sadb_sa_spi,
1338 sa_mode));
1339 }
1340
1341 if (pr->ok == 0)
1342 incomplete = 1;
1343 }
1344
1345 if (incomplete)
1346 return 0;
1347
1348 /* turn off the timer for calling pfkey_timeover() */
1349 sched_cancel(&iph2->sce);
1350
1351 /* update status */
1352 iph2->status = PHASE2ST_ESTABLISHED;
1353 evt_phase2(iph2, EVT_PHASE2_UP, NULL);
1354
1355 #ifdef ENABLE_STATS
1356 gettimeofday(&iph2->end, NULL);
1357 syslog(LOG_NOTICE, "%s(%s): %8.6f",
1358 "phase2", "quick", timedelta(&iph2->start, &iph2->end));
1359 #endif
1360
1361 /* turn off schedule */
1362 sched_cancel(&iph2->scr);
1363
1364 /*
1365 * since we are going to reuse the phase2 handler, we need to
1366 * remain it and refresh all the references between ph1 and ph2 to use.
1367 */
1368 sched_schedule(&iph2->sce, iph2->approval->lifetime,
1369 isakmp_ph2expire_stub);
1370
1371 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
1372 return 0;
1373 }
1374
1375 /*
1376 * set outbound SA
1377 */
1378 int
pk_sendadd(iph2)1379 pk_sendadd(iph2)
1380 struct ph2handle *iph2;
1381 {
1382 struct saproto *pr;
1383 struct pfkey_send_sa_args sa_args;
1384
1385 /* sanity check */
1386 if (iph2->approval == NULL) {
1387 plog(LLV_ERROR, LOCATION, NULL,
1388 "no approvaled SAs found.\n");
1389 return -1;
1390 }
1391
1392 /* fill in some needed for pfkey_send_update2 */
1393 memset (&sa_args, 0, sizeof (sa_args));
1394 sa_args.so = lcconf->sock_pfkey;
1395 if (iph2->lifetime_secs)
1396 sa_args.l_addtime = iph2->lifetime_secs;
1397 else
1398 sa_args.l_addtime = iph2->approval->lifetime;
1399 sa_args.seq = iph2->seq;
1400 sa_args.wsize = 4;
1401
1402 if (iph2->sa_src && iph2->sa_dst) {
1403 /* MIPv6: Use SA addresses, not IKE ones */
1404 sa_args.src = dupsaddr(iph2->sa_src);
1405 sa_args.dst = dupsaddr(iph2->sa_dst);
1406 } else {
1407 /* Common case: SA addresses and IKE ones are the same */
1408 sa_args.src = dupsaddr(iph2->src);
1409 sa_args.dst = dupsaddr(iph2->dst);
1410 }
1411
1412 if (sa_args.src == NULL || sa_args.dst == NULL) {
1413 racoon_free(sa_args.src);
1414 racoon_free(sa_args.dst);
1415 return -1;
1416 }
1417
1418 for (pr = iph2->approval->head; pr != NULL; pr = pr->next) {
1419 /* validity check */
1420 sa_args.satype = ipsecdoi2pfkey_proto(pr->proto_id);
1421 if (sa_args.satype == ~0) {
1422 plog(LLV_ERROR, LOCATION, NULL,
1423 "invalid proto_id %d\n", pr->proto_id);
1424 racoon_free(sa_args.src);
1425 racoon_free(sa_args.dst);
1426 return -1;
1427 }
1428 else if (sa_args.satype == SADB_X_SATYPE_IPCOMP) {
1429 /* no replay window for IPCOMP */
1430 sa_args.wsize = 0;
1431 }
1432 #ifdef ENABLE_SAMODE_UNSPECIFIED
1433 sa_args.mode = IPSEC_MODE_ANY;
1434 #else
1435 sa_args.mode = ipsecdoi2pfkey_mode(pr->encmode);
1436 if (sa_args.mode == ~0) {
1437 plog(LLV_ERROR, LOCATION, NULL,
1438 "invalid encmode %d\n", pr->encmode);
1439 racoon_free(sa_args.src);
1440 racoon_free(sa_args.dst);
1441 return -1;
1442 }
1443 #endif
1444
1445 /* set algorithm type and key length */
1446 sa_args.e_keylen = pr->head->encklen;
1447 if (pfkey_convertfromipsecdoi(
1448 pr->proto_id,
1449 pr->head->trns_id,
1450 pr->head->authtype,
1451 &sa_args.e_type, &sa_args.e_keylen,
1452 &sa_args.a_type, &sa_args.a_keylen,
1453 &sa_args.flags) < 0){
1454 racoon_free(sa_args.src);
1455 racoon_free(sa_args.dst);
1456 return -1;
1457 }
1458
1459 #if 0
1460 sa_args.l_bytes = iph2->approval->lifebyte * 1024,
1461 #else
1462 sa_args.l_bytes = 0;
1463 #endif
1464
1465 #ifdef HAVE_SECCTX
1466 if (*iph2->approval->sctx.ctx_str) {
1467 sa_args.ctxdoi = iph2->approval->sctx.ctx_doi;
1468 sa_args.ctxalg = iph2->approval->sctx.ctx_alg;
1469 sa_args.ctxstrlen = iph2->approval->sctx.ctx_strlen;
1470 sa_args.ctxstr = iph2->approval->sctx.ctx_str;
1471 }
1472 #endif /* HAVE_SECCTX */
1473
1474 #ifdef ENABLE_NATT
1475 plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_add2 "
1476 "(NAT flavor)\n");
1477
1478 if (pr->udp_encap) {
1479 sa_args.l_natt_type = UDP_ENCAP_ESPINUDP;
1480 sa_args.l_natt_sport = extract_port(iph2->ph1->local);
1481 sa_args.l_natt_dport = extract_port(iph2->ph1->remote);
1482 sa_args.l_natt_oa = iph2->natoa_dst;
1483 #ifdef SADB_X_EXT_NAT_T_FRAG
1484 sa_args.l_natt_frag = iph2->ph1->rmconf->esp_frag;
1485 #endif
1486 }
1487 #endif
1488 /* more info to fill in */
1489 sa_args.spi = pr->spi_p;
1490 sa_args.reqid = pr->reqid_out;
1491 sa_args.keymat = pr->keymat_p->v;
1492
1493 plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_add2\n");
1494 if (pfkey_send_add2(&sa_args) < 0) {
1495 plog(LLV_ERROR, LOCATION, NULL,
1496 "libipsec failed send add (%s)\n",
1497 ipsec_strerror());
1498 racoon_free(sa_args.src);
1499 racoon_free(sa_args.dst);
1500 return -1;
1501 }
1502
1503 if (!lcconf->pathinfo[LC_PATHTYPE_BACKUPSA])
1504 continue;
1505
1506 /*
1507 * It maybe good idea to call backupsa_to_file() after
1508 * racoon will receive the sadb_update messages.
1509 * But it is impossible because there is not key in the
1510 * information from the kernel.
1511 */
1512 if (backupsa_to_file(&sa_args) < 0) {
1513 plog(LLV_ERROR, LOCATION, NULL,
1514 "backuped SA failed: %s\n",
1515 sadbsecas2str(sa_args.src, sa_args.dst,
1516 sa_args.satype, sa_args.spi, sa_args.mode));
1517 }
1518 plog(LLV_DEBUG, LOCATION, NULL,
1519 "backuped SA: %s\n",
1520 sadbsecas2str(sa_args.src, sa_args.dst,
1521 sa_args.satype, sa_args.spi, sa_args.mode));
1522 }
1523 racoon_free(sa_args.src);
1524 racoon_free(sa_args.dst);
1525 return 0;
1526 }
1527
1528 static int
pk_recvadd(mhp)1529 pk_recvadd(mhp)
1530 caddr_t *mhp;
1531 {
1532 struct sadb_msg *msg;
1533 struct sadb_sa *sa;
1534 struct sockaddr *src, *dst;
1535 struct ph2handle *iph2;
1536 u_int sa_mode;
1537
1538 /* ignore this message because of local test mode. */
1539 if (f_local)
1540 return 0;
1541
1542 /* sanity check */
1543 if (mhp[0] == NULL
1544 || mhp[SADB_EXT_SA] == NULL
1545 || mhp[SADB_EXT_ADDRESS_SRC] == NULL
1546 || mhp[SADB_EXT_ADDRESS_DST] == NULL) {
1547 plog(LLV_ERROR, LOCATION, NULL,
1548 "inappropriate sadb add message passed.\n");
1549 return -1;
1550 }
1551 msg = (struct sadb_msg *)mhp[0];
1552 pk_fixup_sa_addresses(mhp);
1553 src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
1554 dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
1555 sa = (struct sadb_sa *)mhp[SADB_EXT_SA];
1556
1557 sa_mode = mhp[SADB_X_EXT_SA2] == NULL
1558 ? IPSEC_MODE_ANY
1559 : ((struct sadb_x_sa2 *)mhp[SADB_X_EXT_SA2])->sadb_x_sa2_mode;
1560
1561 /* the message has to be processed or not ? */
1562 if (msg->sadb_msg_pid != getpid()) {
1563 plog(LLV_DEBUG, LOCATION, NULL,
1564 "%s message is not interesting "
1565 "because pid %d is not mine.\n",
1566 s_pfkey_type(msg->sadb_msg_type),
1567 msg->sadb_msg_pid);
1568 return -1;
1569 }
1570
1571 iph2 = getph2byseq(msg->sadb_msg_seq);
1572 if (iph2 == NULL) {
1573 plog(LLV_DEBUG, LOCATION, NULL,
1574 "seq %d of %s message not interesting.\n",
1575 msg->sadb_msg_seq,
1576 s_pfkey_type(msg->sadb_msg_type));
1577 return -1;
1578 }
1579
1580 /*
1581 * NOTE don't update any status of phase2 handle
1582 * because they must be updated by SADB_UPDATE message
1583 */
1584
1585 plog(LLV_INFO, LOCATION, NULL,
1586 "IPsec-SA established: %s\n",
1587 sadbsecas2str(src, dst,
1588 msg->sadb_msg_satype, sa->sadb_sa_spi, sa_mode));
1589
1590 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
1591 return 0;
1592 }
1593
1594 static int
pk_recvexpire(mhp)1595 pk_recvexpire(mhp)
1596 caddr_t *mhp;
1597 {
1598 struct sadb_msg *msg;
1599 struct sadb_sa *sa;
1600 struct sockaddr *src, *dst;
1601 struct ph2handle *iph2;
1602 u_int proto_id, sa_mode;
1603
1604 /* sanity check */
1605 if (mhp[0] == NULL
1606 || mhp[SADB_EXT_SA] == NULL
1607 || mhp[SADB_EXT_ADDRESS_SRC] == NULL
1608 || mhp[SADB_EXT_ADDRESS_DST] == NULL
1609 || (mhp[SADB_EXT_LIFETIME_HARD] != NULL
1610 && mhp[SADB_EXT_LIFETIME_SOFT] != NULL)) {
1611 plog(LLV_ERROR, LOCATION, NULL,
1612 "inappropriate sadb expire message passed.\n");
1613 return -1;
1614 }
1615 msg = (struct sadb_msg *)mhp[0];
1616 sa = (struct sadb_sa *)mhp[SADB_EXT_SA];
1617 pk_fixup_sa_addresses(mhp);
1618 src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
1619 dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
1620
1621 sa_mode = mhp[SADB_X_EXT_SA2] == NULL
1622 ? IPSEC_MODE_ANY
1623 : ((struct sadb_x_sa2 *)mhp[SADB_X_EXT_SA2])->sadb_x_sa2_mode;
1624
1625 proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype);
1626 if (proto_id == ~0) {
1627 plog(LLV_ERROR, LOCATION, NULL,
1628 "invalid proto_id %d\n", msg->sadb_msg_satype);
1629 return -1;
1630 }
1631
1632 plog(LLV_INFO, LOCATION, NULL,
1633 "IPsec-SA expired: %s\n",
1634 sadbsecas2str(src, dst,
1635 msg->sadb_msg_satype, sa->sadb_sa_spi, sa_mode));
1636
1637 iph2 = getph2bysaidx(src, dst, proto_id, sa->sadb_sa_spi);
1638 if (iph2 == NULL) {
1639 /*
1640 * Ignore it because two expire messages are come up.
1641 * phase2 handler has been deleted already when 2nd message
1642 * is received.
1643 */
1644 plog(LLV_DEBUG, LOCATION, NULL,
1645 "no such a SA found: %s\n",
1646 sadbsecas2str(src, dst,
1647 msg->sadb_msg_satype, sa->sadb_sa_spi,
1648 sa_mode));
1649 return 0;
1650 }
1651
1652 /* resent expiry message? */
1653 if (iph2->status > PHASE2ST_ESTABLISHED)
1654 return 0;
1655
1656 /* still negotiating? */
1657 if (iph2->status < PHASE2ST_ESTABLISHED) {
1658 /* not a hard timeout? */
1659 if (mhp[SADB_EXT_LIFETIME_HARD] == NULL)
1660 return 0;
1661
1662 /*
1663 * We were negotiating for that SA (w/o much success
1664 * from current status) and kernel has decided our time
1665 * is over trying (xfrm_larval_drop controls that and
1666 * is enabled by default on Linux >= 2.6.28 kernels).
1667 */
1668 plog(LLV_WARNING, LOCATION, NULL,
1669 "PF_KEY EXPIRE message received from kernel for SA"
1670 " being negotiated. Stopping negotiation.\n");
1671 }
1672
1673 /* turn off the timer for calling isakmp_ph2expire() */
1674 sched_cancel(&iph2->sce);
1675
1676 if (iph2->status == PHASE2ST_ESTABLISHED &&
1677 iph2->side == INITIATOR) {
1678 struct ph1handle *iph1hint;
1679 /*
1680 * Active phase 2 expired and we were initiator.
1681 * Begin new phase 2 exchange, so we can keep on sending
1682 * traffic.
1683 */
1684
1685 /* update status for re-use */
1686 iph1hint = iph2->ph1;
1687 initph2(iph2);
1688 iph2->status = PHASE2ST_STATUS2;
1689
1690 /* start quick exchange */
1691 if (isakmp_post_acquire(iph2, iph1hint, FALSE) < 0) {
1692 plog(LLV_ERROR, LOCATION, iph2->dst,
1693 "failed to begin ipsec sa "
1694 "re-negotication.\n");
1695 remph2(iph2);
1696 delph2(iph2);
1697 return -1;
1698 }
1699
1700 return 0;
1701 }
1702
1703 /*
1704 * We are responder or the phase 2 was not established.
1705 * Just remove the ph2handle to reflect SADB.
1706 */
1707 iph2->status = PHASE2ST_EXPIRED;
1708 remph2(iph2);
1709 delph2(iph2);
1710
1711 return 0;
1712 }
1713
1714 static int
pk_recvacquire(mhp)1715 pk_recvacquire(mhp)
1716 caddr_t *mhp;
1717 {
1718 struct sadb_msg *msg;
1719 struct sadb_x_policy *xpl;
1720 struct secpolicy *sp_out = NULL, *sp_in = NULL;
1721 struct ph2handle *iph2;
1722 struct sockaddr *src, *dst; /* IKE addresses (for exchanges) */
1723 struct sockaddr *sp_src, *sp_dst; /* SP addresses (selectors). */
1724 struct sockaddr *sa_src = NULL, *sa_dst = NULL ; /* SA addresses */
1725 #ifdef HAVE_SECCTX
1726 struct sadb_x_sec_ctx *m_sec_ctx;
1727 #endif /* HAVE_SECCTX */
1728 struct policyindex spidx;
1729
1730 /* ignore this message because of local test mode. */
1731 if (f_local)
1732 return 0;
1733
1734 /* sanity check */
1735 if (mhp[0] == NULL
1736 || mhp[SADB_EXT_ADDRESS_SRC] == NULL
1737 || mhp[SADB_EXT_ADDRESS_DST] == NULL
1738 || mhp[SADB_X_EXT_POLICY] == NULL) {
1739 plog(LLV_ERROR, LOCATION, NULL,
1740 "inappropriate sadb acquire message passed.\n");
1741 return -1;
1742 }
1743 msg = (struct sadb_msg *)mhp[0];
1744 xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
1745 /* acquire does not have nat-t ports; so do not bother setting
1746 * the default port 500; just use the port zero for wildcard
1747 * matching the get a valid natted destination */
1748 sp_src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
1749 sp_dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
1750
1751 #ifdef HAVE_SECCTX
1752 m_sec_ctx = (struct sadb_x_sec_ctx *)mhp[SADB_X_EXT_SEC_CTX];
1753
1754 if (m_sec_ctx != NULL) {
1755 plog(LLV_INFO, LOCATION, NULL, "security context doi: %u\n",
1756 m_sec_ctx->sadb_x_ctx_doi);
1757 plog(LLV_INFO, LOCATION, NULL,
1758 "security context algorithm: %u\n",
1759 m_sec_ctx->sadb_x_ctx_alg);
1760 plog(LLV_INFO, LOCATION, NULL, "security context length: %u\n",
1761 m_sec_ctx->sadb_x_ctx_len);
1762 plog(LLV_INFO, LOCATION, NULL, "security context: %s\n",
1763 ((char *)m_sec_ctx + sizeof(struct sadb_x_sec_ctx)));
1764 }
1765 #endif /* HAVE_SECCTX */
1766
1767 /* ignore if type is not IPSEC_POLICY_IPSEC */
1768 if (xpl->sadb_x_policy_type != IPSEC_POLICY_IPSEC) {
1769 plog(LLV_DEBUG, LOCATION, NULL,
1770 "ignore ACQUIRE message. type is not IPsec.\n");
1771 return 0;
1772 }
1773
1774 /* ignore it if src or dst are multicast addresses. */
1775 if ((sp_dst->sa_family == AF_INET
1776 && IN_MULTICAST(ntohl(((struct sockaddr_in *)sp_dst)->sin_addr.s_addr)))
1777 #ifdef INET6
1778 || (sp_dst->sa_family == AF_INET6
1779 && IN6_IS_ADDR_MULTICAST(&((struct sockaddr_in6 *)sp_dst)->sin6_addr))
1780 #endif
1781 ) {
1782 plog(LLV_DEBUG, LOCATION, NULL,
1783 "ignore due to multicast destination address: %s.\n",
1784 saddrwop2str(sp_dst));
1785 return 0;
1786 }
1787
1788 if ((sp_src->sa_family == AF_INET
1789 && IN_MULTICAST(ntohl(((struct sockaddr_in *)sp_src)->sin_addr.s_addr)))
1790 #ifdef INET6
1791 || (sp_src->sa_family == AF_INET6
1792 && IN6_IS_ADDR_MULTICAST(&((struct sockaddr_in6 *)sp_src)->sin6_addr))
1793 #endif
1794 ) {
1795 plog(LLV_DEBUG, LOCATION, NULL,
1796 "ignore due to multicast source address: %s.\n",
1797 saddrwop2str(sp_src));
1798 return 0;
1799 }
1800
1801 /* search for proper policyindex */
1802 sp_out = getspbyspid(xpl->sadb_x_policy_id);
1803 if (sp_out == NULL) {
1804 plog(LLV_ERROR, LOCATION, NULL, "no policy found: id:%d.\n",
1805 xpl->sadb_x_policy_id);
1806 return -1;
1807 }
1808 plog(LLV_DEBUG, LOCATION, NULL,
1809 "suitable outbound SP found: %s.\n", spidx2str(&sp_out->spidx));
1810
1811 /* Before going further, let first get the source and destination
1812 * address that would be used for IKE negotiation. The logic is:
1813 * - if SP from SPD image contains local and remote hints, we
1814 * use them (provided by MIGRATE).
1815 * - otherwise, we use the ones from the ipsecrequest, which means:
1816 * - the addresses from the request for transport mode
1817 * - the endpoints addresses for tunnel mode
1818 *
1819 * Note that:
1820 * 1) racoon does not support negotiation of bundles which
1821 * simplifies the lookup for the addresses in the ipsecrequest
1822 * list, as we expect only one.
1823 * 2) We do source and destination parts all together and do not
1824 * accept semi-defined information. This is just a decision,
1825 * there might be needs.
1826 *
1827 * --arno
1828 */
1829 if (sp_out->req && sp_out->req->saidx.mode == IPSEC_MODE_TUNNEL) {
1830 /* For Tunnel mode, SA addresses are the endpoints */
1831 src = (struct sockaddr *) &sp_out->req->saidx.src;
1832 dst = (struct sockaddr *) &sp_out->req->saidx.dst;
1833 } else {
1834 /* Otherwise use requested addresses.
1835 *
1836 * We need to explicitly setup sa_src and sa_dst too,
1837 * since the SA ports are different from IKE port. And
1838 * src/dst ports will be overwritten when the matching
1839 * phase1 is found. */
1840 src = sa_src = sp_src;
1841 dst = sa_dst = sp_dst;
1842 }
1843 if (sp_out->local && sp_out->remote) {
1844 /* hints available, let's use them */
1845 sa_src = src;
1846 sa_dst = dst;
1847 src = (struct sockaddr *) sp_out->local;
1848 dst = (struct sockaddr *) sp_out->remote;
1849 }
1850
1851 /*
1852 * If there is a phase 2 handler against the policy identifier in
1853 * the acquire message, and if
1854 * 1. its state is less than PHASE2ST_ESTABLISHED, then racoon
1855 * should ignore such a acquire message because the phase 2
1856 * is just negotiating.
1857 * 2. its state is equal to PHASE2ST_ESTABLISHED, then racoon
1858 * has to process such an acquire message because racoon may
1859 * have lost the expire message.
1860 */
1861 iph2 = getph2byid(src, dst, xpl->sadb_x_policy_id);
1862 if (iph2 != NULL) {
1863 if (iph2->status < PHASE2ST_ESTABLISHED) {
1864 plog(LLV_DEBUG, LOCATION, NULL,
1865 "ignore the acquire because ph2 found\n");
1866 return -1;
1867 }
1868 if (iph2->status == PHASE2ST_EXPIRED)
1869 iph2 = NULL;
1870 /*FALLTHROUGH*/
1871 }
1872
1873 /* Check we are listening on source address. If not, ignore. */
1874 if (myaddr_getsport(src) == -1) {
1875 plog(LLV_DEBUG, LOCATION, NULL,
1876 "Not listening on source address %s. Ignoring ACQUIRE.\n",
1877 saddrwop2str(src));
1878 return 0;
1879 }
1880
1881 /* get inbound policy */
1882 {
1883
1884 memset(&spidx, 0, sizeof(spidx));
1885 spidx.dir = IPSEC_DIR_INBOUND;
1886 memcpy(&spidx.src, &sp_out->spidx.dst, sizeof(spidx.src));
1887 memcpy(&spidx.dst, &sp_out->spidx.src, sizeof(spidx.dst));
1888 spidx.prefs = sp_out->spidx.prefd;
1889 spidx.prefd = sp_out->spidx.prefs;
1890 spidx.ul_proto = sp_out->spidx.ul_proto;
1891
1892 #ifdef HAVE_SECCTX
1893 if (m_sec_ctx) {
1894 spidx.sec_ctx.ctx_doi = m_sec_ctx->sadb_x_ctx_doi;
1895 spidx.sec_ctx.ctx_alg = m_sec_ctx->sadb_x_ctx_alg;
1896 spidx.sec_ctx.ctx_strlen = m_sec_ctx->sadb_x_ctx_len;
1897 memcpy(spidx.sec_ctx.ctx_str,
1898 ((char *)m_sec_ctx + sizeof(struct sadb_x_sec_ctx)),
1899 spidx.sec_ctx.ctx_strlen);
1900 }
1901 #endif /* HAVE_SECCTX */
1902
1903 sp_in = getsp(&spidx);
1904 if (sp_in) {
1905 plog(LLV_DEBUG, LOCATION, NULL,
1906 "suitable inbound SP found: %s.\n",
1907 spidx2str(&sp_in->spidx));
1908 } else {
1909 plog(LLV_NOTIFY, LOCATION, NULL,
1910 "no in-bound policy found: %s\n",
1911 spidx2str(&spidx));
1912 }
1913 }
1914
1915 /* allocate a phase 2 */
1916 iph2 = newph2();
1917 if (iph2 == NULL) {
1918 plog(LLV_ERROR, LOCATION, NULL,
1919 "failed to allocate phase2 entry.\n");
1920 return -1;
1921 }
1922 iph2->side = INITIATOR;
1923 iph2->spid = xpl->sadb_x_policy_id;
1924 iph2->satype = msg->sadb_msg_satype;
1925 iph2->seq = msg->sadb_msg_seq;
1926 iph2->status = PHASE2ST_STATUS2;
1927
1928 /* set address used by IKE for the negotiation (might differ from
1929 * SA address, i.e. might not be tunnel endpoints or addresses
1930 * of transport mode SA) */
1931 iph2->dst = dupsaddr(dst);
1932 if (iph2->dst == NULL) {
1933 delph2(iph2);
1934 return -1;
1935 }
1936 iph2->src = dupsaddr(src);
1937 if (iph2->src == NULL) {
1938 delph2(iph2);
1939 return -1;
1940 }
1941
1942 /* If sa_src and sa_dst have been set, this mean we have to
1943 * set iph2->sa_src and iph2->sa_dst to provide the addresses
1944 * of the SA because iph2->src and iph2->dst are only the ones
1945 * used for the IKE exchanges. Those that need these addresses
1946 * are for instance pk_sendupdate() or pk_sendgetspi() */
1947 if (sa_src) {
1948 iph2->sa_src = dupsaddr(sa_src);
1949 iph2->sa_dst = dupsaddr(sa_dst);
1950 }
1951
1952 if (isakmp_get_sainfo(iph2, sp_out, sp_in) < 0) {
1953 delph2(iph2);
1954 return -1;
1955 }
1956
1957 #ifdef HAVE_SECCTX
1958 if (m_sec_ctx) {
1959 set_secctx_in_proposal(iph2, spidx);
1960 }
1961 #endif /* HAVE_SECCTX */
1962
1963 insph2(iph2);
1964
1965 /* start isakmp initiation by using ident exchange */
1966 /* XXX should be looped if there are multiple phase 2 handler. */
1967 if (isakmp_post_acquire(iph2, NULL, TRUE) < 0) {
1968 plog(LLV_ERROR, LOCATION, NULL,
1969 "failed to begin ipsec sa negotication.\n");
1970 remph2(iph2);
1971 delph2(iph2);
1972 return -1;
1973 }
1974
1975 return 0;
1976 }
1977
1978 static int
pk_recvdelete(mhp)1979 pk_recvdelete(mhp)
1980 caddr_t *mhp;
1981 {
1982 struct sadb_msg *msg;
1983 struct sadb_sa *sa;
1984 struct sockaddr *src, *dst;
1985 struct ph2handle *iph2 = NULL;
1986 u_int proto_id;
1987
1988 /* ignore this message because of local test mode. */
1989 if (f_local)
1990 return 0;
1991
1992 /* sanity check */
1993 if (mhp[0] == NULL
1994 || mhp[SADB_EXT_SA] == NULL
1995 || mhp[SADB_EXT_ADDRESS_SRC] == NULL
1996 || mhp[SADB_EXT_ADDRESS_DST] == NULL) {
1997 plog(LLV_ERROR, LOCATION, NULL,
1998 "inappropriate sadb delete message passed.\n");
1999 return -1;
2000 }
2001 msg = (struct sadb_msg *)mhp[0];
2002 sa = (struct sadb_sa *)mhp[SADB_EXT_SA];
2003 pk_fixup_sa_addresses(mhp);
2004 src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
2005 dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
2006
2007 /* the message has to be processed or not ? */
2008 if (msg->sadb_msg_pid == getpid()) {
2009 plog(LLV_DEBUG, LOCATION, NULL,
2010 "%s message is not interesting "
2011 "because the message was originated by me.\n",
2012 s_pfkey_type(msg->sadb_msg_type));
2013 return -1;
2014 }
2015
2016 proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype);
2017 if (proto_id == ~0) {
2018 plog(LLV_ERROR, LOCATION, NULL,
2019 "invalid proto_id %d\n", msg->sadb_msg_satype);
2020 return -1;
2021 }
2022
2023 iph2 = getph2bysaidx(src, dst, proto_id, sa->sadb_sa_spi);
2024 if (iph2 == NULL) {
2025 /* ignore */
2026 plog(LLV_ERROR, LOCATION, NULL,
2027 "no iph2 found: %s\n",
2028 sadbsecas2str(src, dst, msg->sadb_msg_satype,
2029 sa->sadb_sa_spi, IPSEC_MODE_ANY));
2030 return 0;
2031 }
2032
2033 plog(LLV_ERROR, LOCATION, NULL,
2034 "pfkey DELETE received: %s\n",
2035 sadbsecas2str(src, dst,
2036 msg->sadb_msg_satype, sa->sadb_sa_spi, IPSEC_MODE_ANY));
2037
2038 /* send delete information */
2039 if (iph2->status == PHASE2ST_ESTABLISHED)
2040 isakmp_info_send_d2(iph2);
2041
2042 remph2(iph2);
2043 delph2(iph2);
2044
2045 return 0;
2046 }
2047
2048 static int
pk_recvflush(mhp)2049 pk_recvflush(mhp)
2050 caddr_t *mhp;
2051 {
2052 /* ignore this message because of local test mode. */
2053 if (f_local)
2054 return 0;
2055
2056 /* sanity check */
2057 if (mhp[0] == NULL) {
2058 plog(LLV_ERROR, LOCATION, NULL,
2059 "inappropriate sadb flush message passed.\n");
2060 return -1;
2061 }
2062
2063 flushph2();
2064
2065 return 0;
2066 }
2067
2068 static int
getsadbpolicy(policy0,policylen0,type,iph2)2069 getsadbpolicy(policy0, policylen0, type, iph2)
2070 caddr_t *policy0;
2071 int *policylen0, type;
2072 struct ph2handle *iph2;
2073 {
2074 struct policyindex *spidx = (struct policyindex *)iph2->spidx_gen;
2075 struct sockaddr *src = NULL, *dst = NULL;
2076 struct sadb_x_policy *xpl;
2077 struct sadb_x_ipsecrequest *xisr;
2078 struct saproto *pr;
2079 struct saproto **pr_rlist;
2080 int rlist_len = 0;
2081 caddr_t policy, p;
2082 int policylen;
2083 int xisrlen;
2084 u_int satype, mode;
2085 int len = 0;
2086 #ifdef HAVE_SECCTX
2087 int ctxlen = 0;
2088 #endif /* HAVE_SECCTX */
2089
2090
2091 /* get policy buffer size */
2092 policylen = sizeof(struct sadb_x_policy);
2093 if (type != SADB_X_SPDDELETE) {
2094 if (iph2->sa_src && iph2->sa_dst) {
2095 src = iph2->sa_src; /* MIPv6: Use SA addresses, */
2096 dst = iph2->sa_dst; /* not IKE ones */
2097 } else {
2098 src = iph2->src; /* Common case: SA addresses */
2099 dst = iph2->dst; /* and IKE ones are the same */
2100 }
2101
2102 for (pr = iph2->approval->head; pr; pr = pr->next) {
2103 xisrlen = sizeof(*xisr);
2104 if (pr->encmode == IPSECDOI_ATTR_ENC_MODE_TUNNEL) {
2105 xisrlen += (sysdep_sa_len(src) +
2106 sysdep_sa_len(dst));
2107 }
2108
2109 policylen += PFKEY_ALIGN8(xisrlen);
2110 }
2111 }
2112
2113 #ifdef HAVE_SECCTX
2114 if (*spidx->sec_ctx.ctx_str) {
2115 ctxlen = sizeof(struct sadb_x_sec_ctx)
2116 + PFKEY_ALIGN8(spidx->sec_ctx.ctx_strlen);
2117 policylen += ctxlen;
2118 }
2119 #endif /* HAVE_SECCTX */
2120
2121 /* make policy structure */
2122 policy = racoon_malloc(policylen);
2123 memset((void*)policy, 0xcd, policylen);
2124 if (!policy) {
2125 plog(LLV_ERROR, LOCATION, NULL,
2126 "buffer allocation failed.\n");
2127 return -1;
2128 }
2129
2130 xpl = (struct sadb_x_policy *)policy;
2131 xpl->sadb_x_policy_len = PFKEY_UNIT64(policylen);
2132 xpl->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
2133 xpl->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
2134 xpl->sadb_x_policy_dir = spidx->dir;
2135 xpl->sadb_x_policy_id = 0;
2136 #ifdef HAVE_PFKEY_POLICY_PRIORITY
2137 xpl->sadb_x_policy_priority = PRIORITY_DEFAULT;
2138 #endif
2139 len++;
2140
2141 #ifdef HAVE_SECCTX
2142 if (*spidx->sec_ctx.ctx_str) {
2143 struct sadb_x_sec_ctx *p;
2144
2145 p = (struct sadb_x_sec_ctx *)(xpl + len);
2146 memset(p, 0, ctxlen);
2147 p->sadb_x_sec_len = PFKEY_UNIT64(ctxlen);
2148 p->sadb_x_sec_exttype = SADB_X_EXT_SEC_CTX;
2149 p->sadb_x_ctx_len = spidx->sec_ctx.ctx_strlen;
2150 p->sadb_x_ctx_doi = spidx->sec_ctx.ctx_doi;
2151 p->sadb_x_ctx_alg = spidx->sec_ctx.ctx_alg;
2152
2153 memcpy(p + 1,spidx->sec_ctx.ctx_str,spidx->sec_ctx.ctx_strlen);
2154 len += ctxlen;
2155 }
2156 #endif /* HAVE_SECCTX */
2157
2158 /* no need to append policy information any more if type is SPDDELETE */
2159 if (type == SADB_X_SPDDELETE)
2160 goto end;
2161
2162 xisr = (struct sadb_x_ipsecrequest *)(xpl + len);
2163
2164 /* The order of things is reversed for use in add policy messages */
2165 for (pr = iph2->approval->head; pr; pr = pr->next) rlist_len++;
2166 pr_rlist = racoon_malloc((rlist_len+1)*sizeof(struct saproto*));
2167 if (!pr_rlist) {
2168 plog(LLV_ERROR, LOCATION, NULL,
2169 "buffer allocation failed.\n");
2170 return -1;
2171 }
2172 pr_rlist[rlist_len--] = NULL;
2173 for (pr = iph2->approval->head; pr; pr = pr->next) pr_rlist[rlist_len--] = pr;
2174 rlist_len = 0;
2175
2176 for (pr = pr_rlist[rlist_len++]; pr; pr = pr_rlist[rlist_len++]) {
2177
2178 satype = doi2ipproto(pr->proto_id);
2179 if (satype == ~0) {
2180 plog(LLV_ERROR, LOCATION, NULL,
2181 "invalid proto_id %d\n", pr->proto_id);
2182 goto err;
2183 }
2184 mode = ipsecdoi2pfkey_mode(pr->encmode);
2185 if (mode == ~0) {
2186 plog(LLV_ERROR, LOCATION, NULL,
2187 "invalid encmode %d\n", pr->encmode);
2188 goto err;
2189 }
2190
2191 /*
2192 * the policy level cannot be unique because the policy
2193 * is defined later than SA, so req_id cannot be bound to SA.
2194 */
2195 xisr->sadb_x_ipsecrequest_proto = satype;
2196 xisr->sadb_x_ipsecrequest_mode = mode;
2197 if(iph2->proposal->head->reqid_in > 0){
2198 xisr->sadb_x_ipsecrequest_level = IPSEC_LEVEL_UNIQUE;
2199 xisr->sadb_x_ipsecrequest_reqid = iph2->proposal->head->reqid_in;
2200 }else{
2201 xisr->sadb_x_ipsecrequest_level = IPSEC_LEVEL_REQUIRE;
2202 xisr->sadb_x_ipsecrequest_reqid = 0;
2203 }
2204 p = (caddr_t)(xisr + 1);
2205
2206 xisrlen = sizeof(*xisr);
2207
2208 if (pr->encmode == IPSECDOI_ATTR_ENC_MODE_TUNNEL) {
2209 int src_len, dst_len;
2210
2211 src_len = sysdep_sa_len(src);
2212 dst_len = sysdep_sa_len(dst);
2213 xisrlen += src_len + dst_len;
2214
2215 memcpy(p, src, src_len);
2216 p += src_len;
2217
2218 memcpy(p, dst, dst_len);
2219 p += dst_len;
2220 }
2221
2222 xisr->sadb_x_ipsecrequest_len = PFKEY_ALIGN8(xisrlen);
2223 xisr = (struct sadb_x_ipsecrequest *)p;
2224
2225 }
2226 racoon_free(pr_rlist);
2227
2228 end:
2229 *policy0 = policy;
2230 *policylen0 = policylen;
2231
2232 return 0;
2233
2234 err:
2235 if (policy)
2236 racoon_free(policy);
2237 if (pr_rlist) racoon_free(pr_rlist);
2238
2239 return -1;
2240 }
2241
2242 int
pk_sendspdupdate2(iph2)2243 pk_sendspdupdate2(iph2)
2244 struct ph2handle *iph2;
2245 {
2246 struct policyindex *spidx = (struct policyindex *)iph2->spidx_gen;
2247 caddr_t policy = NULL;
2248 int policylen = 0;
2249 u_int64_t ltime, vtime;
2250
2251 ltime = iph2->approval->lifetime;
2252 vtime = 0;
2253
2254 if (getsadbpolicy(&policy, &policylen, SADB_X_SPDUPDATE, iph2)) {
2255 plog(LLV_ERROR, LOCATION, NULL,
2256 "getting sadb policy failed.\n");
2257 return -1;
2258 }
2259
2260 if (pfkey_send_spdupdate2(
2261 lcconf->sock_pfkey,
2262 (struct sockaddr *)&spidx->src,
2263 spidx->prefs,
2264 (struct sockaddr *)&spidx->dst,
2265 spidx->prefd,
2266 spidx->ul_proto,
2267 ltime, vtime,
2268 policy, policylen, 0) < 0) {
2269 plog(LLV_ERROR, LOCATION, NULL,
2270 "libipsec failed send spdupdate2 (%s)\n",
2271 ipsec_strerror());
2272 goto end;
2273 }
2274 plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_spdupdate2\n");
2275
2276 end:
2277 if (policy)
2278 racoon_free(policy);
2279
2280 return 0;
2281 }
2282
2283 static int
pk_recvspdupdate(mhp)2284 pk_recvspdupdate(mhp)
2285 caddr_t *mhp;
2286 {
2287 struct sadb_address *saddr, *daddr;
2288 struct sadb_x_policy *xpl;
2289 struct sadb_lifetime *lt;
2290 struct policyindex spidx;
2291 struct secpolicy *sp;
2292 struct sockaddr *local=NULL, *remote=NULL;
2293 u_int64_t created;
2294 int ret;
2295
2296 /* sanity check */
2297 if (mhp[0] == NULL
2298 || mhp[SADB_EXT_ADDRESS_SRC] == NULL
2299 || mhp[SADB_EXT_ADDRESS_DST] == NULL
2300 || mhp[SADB_X_EXT_POLICY] == NULL) {
2301 plog(LLV_ERROR, LOCATION, NULL,
2302 "inappropriate sadb spdupdate message passed.\n");
2303 return -1;
2304 }
2305 saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC];
2306 daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
2307 xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
2308 lt = (struct sadb_lifetime*)mhp[SADB_EXT_LIFETIME_HARD];
2309 if(lt != NULL)
2310 created = lt->sadb_lifetime_addtime;
2311 else
2312 created = 0;
2313
2314 #ifdef HAVE_PFKEY_POLICY_PRIORITY
2315 KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
2316 saddr + 1,
2317 daddr + 1,
2318 saddr->sadb_address_prefixlen,
2319 daddr->sadb_address_prefixlen,
2320 saddr->sadb_address_proto,
2321 xpl->sadb_x_policy_priority,
2322 created,
2323 &spidx);
2324 #else
2325 KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
2326 saddr + 1,
2327 daddr + 1,
2328 saddr->sadb_address_prefixlen,
2329 daddr->sadb_address_prefixlen,
2330 saddr->sadb_address_proto,
2331 created,
2332 &spidx);
2333 #endif
2334
2335 #ifdef HAVE_SECCTX
2336 if (mhp[SADB_X_EXT_SEC_CTX] != NULL) {
2337 struct sadb_x_sec_ctx *ctx;
2338
2339 ctx = (struct sadb_x_sec_ctx *)mhp[SADB_X_EXT_SEC_CTX];
2340 spidx.sec_ctx.ctx_alg = ctx->sadb_x_ctx_alg;
2341 spidx.sec_ctx.ctx_doi = ctx->sadb_x_ctx_doi;
2342 spidx.sec_ctx.ctx_strlen = ctx->sadb_x_ctx_len;
2343 memcpy(spidx.sec_ctx.ctx_str, ctx + 1, ctx->sadb_x_ctx_len);
2344 }
2345 #endif /* HAVE_SECCTX */
2346
2347 sp = getsp(&spidx);
2348 if (sp == NULL) {
2349 plog(LLV_DEBUG, LOCATION, NULL,
2350 "this policy did not exist for removal: \"%s\"\n",
2351 spidx2str(&spidx));
2352 } else {
2353 /* preserve hints before deleting the SP */
2354 local = sp->local;
2355 remote = sp->remote;
2356 sp->local = NULL;
2357 sp->remote = NULL;
2358
2359 remsp(sp);
2360 delsp(sp);
2361 }
2362
2363 /* Add new SP (with old hints) */
2364 ret = addnewsp(mhp, local, remote);
2365
2366 if (local != NULL)
2367 racoon_free(local);
2368 if (remote != NULL)
2369 racoon_free(remote);
2370
2371 if (ret < 0)
2372 return -1;
2373
2374 return 0;
2375 }
2376
2377 /*
2378 * this function has to be used by responder side.
2379 */
2380 int
pk_sendspdadd2(iph2)2381 pk_sendspdadd2(iph2)
2382 struct ph2handle *iph2;
2383 {
2384 struct policyindex *spidx = (struct policyindex *)iph2->spidx_gen;
2385 caddr_t policy = NULL;
2386 int policylen = 0;
2387 u_int64_t ltime, vtime;
2388
2389 ltime = iph2->approval->lifetime;
2390 vtime = 0;
2391
2392 if (getsadbpolicy(&policy, &policylen, SADB_X_SPDADD, iph2)) {
2393 plog(LLV_ERROR, LOCATION, NULL,
2394 "getting sadb policy failed.\n");
2395 return -1;
2396 }
2397
2398 if (pfkey_send_spdadd2(
2399 lcconf->sock_pfkey,
2400 (struct sockaddr *)&spidx->src,
2401 spidx->prefs,
2402 (struct sockaddr *)&spidx->dst,
2403 spidx->prefd,
2404 spidx->ul_proto,
2405 ltime, vtime,
2406 policy, policylen, 0) < 0) {
2407 plog(LLV_ERROR, LOCATION, NULL,
2408 "libipsec failed send spdadd2 (%s)\n",
2409 ipsec_strerror());
2410 goto end;
2411 }
2412 plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_spdadd2\n");
2413
2414 end:
2415 if (policy)
2416 racoon_free(policy);
2417
2418 return 0;
2419 }
2420
2421 static int
pk_recvspdadd(mhp)2422 pk_recvspdadd(mhp)
2423 caddr_t *mhp;
2424 {
2425 struct sadb_address *saddr, *daddr;
2426 struct sadb_x_policy *xpl;
2427 struct sadb_lifetime *lt;
2428 struct policyindex spidx;
2429 struct secpolicy *sp;
2430 struct sockaddr *local = NULL, *remote = NULL;
2431 u_int64_t created;
2432 int ret;
2433
2434 /* sanity check */
2435 if (mhp[0] == NULL
2436 || mhp[SADB_EXT_ADDRESS_SRC] == NULL
2437 || mhp[SADB_EXT_ADDRESS_DST] == NULL
2438 || mhp[SADB_X_EXT_POLICY] == NULL) {
2439 plog(LLV_ERROR, LOCATION, NULL,
2440 "inappropriate sadb spdadd message passed.\n");
2441 return -1;
2442 }
2443 saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC];
2444 daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
2445 xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
2446 lt = (struct sadb_lifetime*)mhp[SADB_EXT_LIFETIME_HARD];
2447 if(lt != NULL)
2448 created = lt->sadb_lifetime_addtime;
2449 else
2450 created = 0;
2451
2452 #ifdef HAVE_PFKEY_POLICY_PRIORITY
2453 KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
2454 saddr + 1,
2455 daddr + 1,
2456 saddr->sadb_address_prefixlen,
2457 daddr->sadb_address_prefixlen,
2458 saddr->sadb_address_proto,
2459 xpl->sadb_x_policy_priority,
2460 created,
2461 &spidx);
2462 #else
2463 KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
2464 saddr + 1,
2465 daddr + 1,
2466 saddr->sadb_address_prefixlen,
2467 daddr->sadb_address_prefixlen,
2468 saddr->sadb_address_proto,
2469 created,
2470 &spidx);
2471 #endif
2472
2473 #ifdef HAVE_SECCTX
2474 if (mhp[SADB_X_EXT_SEC_CTX] != NULL) {
2475 struct sadb_x_sec_ctx *ctx;
2476
2477 ctx = (struct sadb_x_sec_ctx *)mhp[SADB_X_EXT_SEC_CTX];
2478 spidx.sec_ctx.ctx_alg = ctx->sadb_x_ctx_alg;
2479 spidx.sec_ctx.ctx_doi = ctx->sadb_x_ctx_doi;
2480 spidx.sec_ctx.ctx_strlen = ctx->sadb_x_ctx_len;
2481 memcpy(spidx.sec_ctx.ctx_str, ctx + 1, ctx->sadb_x_ctx_len);
2482 }
2483 #endif /* HAVE_SECCTX */
2484
2485 sp = getsp(&spidx);
2486 if (sp != NULL) {
2487 plog(LLV_ERROR, LOCATION, NULL,
2488 "such policy already exists. "
2489 "anyway replace it: %s\n",
2490 spidx2str(&spidx));
2491
2492 /* preserve hints before deleting the SP */
2493 local = sp->local;
2494 remote = sp->remote;
2495 sp->local = NULL;
2496 sp->remote = NULL;
2497
2498 remsp(sp);
2499 delsp(sp);
2500 }
2501
2502 /* Add new SP (with old hints) */
2503 ret = addnewsp(mhp, local, remote);
2504
2505 if (local != NULL)
2506 racoon_free(local);
2507 if (remote != NULL)
2508 racoon_free(remote);
2509
2510 if (ret < 0)
2511 return -1;
2512
2513 return 0;
2514 }
2515
2516 /*
2517 * this function has to be used by responder side.
2518 */
2519 int
pk_sendspddelete(iph2)2520 pk_sendspddelete(iph2)
2521 struct ph2handle *iph2;
2522 {
2523 struct policyindex *spidx = (struct policyindex *)iph2->spidx_gen;
2524 caddr_t policy = NULL;
2525 int policylen;
2526
2527 if (getsadbpolicy(&policy, &policylen, SADB_X_SPDDELETE, iph2)) {
2528 plog(LLV_ERROR, LOCATION, NULL,
2529 "getting sadb policy failed.\n");
2530 return -1;
2531 }
2532
2533 if (pfkey_send_spddelete(
2534 lcconf->sock_pfkey,
2535 (struct sockaddr *)&spidx->src,
2536 spidx->prefs,
2537 (struct sockaddr *)&spidx->dst,
2538 spidx->prefd,
2539 spidx->ul_proto,
2540 policy, policylen, 0) < 0) {
2541 plog(LLV_ERROR, LOCATION, NULL,
2542 "libipsec failed send spddelete (%s)\n",
2543 ipsec_strerror());
2544 goto end;
2545 }
2546 plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_spddelete\n");
2547
2548 end:
2549 if (policy)
2550 racoon_free(policy);
2551
2552 return 0;
2553 }
2554
2555 static int
pk_recvspddelete(mhp)2556 pk_recvspddelete(mhp)
2557 caddr_t *mhp;
2558 {
2559 struct sadb_address *saddr, *daddr;
2560 struct sadb_x_policy *xpl;
2561 struct sadb_lifetime *lt;
2562 struct policyindex spidx;
2563 struct secpolicy *sp;
2564 u_int64_t created;
2565
2566 /* sanity check */
2567 if (mhp[0] == NULL
2568 || mhp[SADB_EXT_ADDRESS_SRC] == NULL
2569 || mhp[SADB_EXT_ADDRESS_DST] == NULL
2570 || mhp[SADB_X_EXT_POLICY] == NULL) {
2571 plog(LLV_ERROR, LOCATION, NULL,
2572 "inappropriate sadb spddelete message passed.\n");
2573 return -1;
2574 }
2575 saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC];
2576 daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
2577 xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
2578 lt = (struct sadb_lifetime*)mhp[SADB_EXT_LIFETIME_HARD];
2579 if(lt != NULL)
2580 created = lt->sadb_lifetime_addtime;
2581 else
2582 created = 0;
2583
2584 #ifdef HAVE_PFKEY_POLICY_PRIORITY
2585 KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
2586 saddr + 1,
2587 daddr + 1,
2588 saddr->sadb_address_prefixlen,
2589 daddr->sadb_address_prefixlen,
2590 saddr->sadb_address_proto,
2591 xpl->sadb_x_policy_priority,
2592 created,
2593 &spidx);
2594 #else
2595 KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
2596 saddr + 1,
2597 daddr + 1,
2598 saddr->sadb_address_prefixlen,
2599 daddr->sadb_address_prefixlen,
2600 saddr->sadb_address_proto,
2601 created,
2602 &spidx);
2603 #endif
2604
2605 #ifdef HAVE_SECCTX
2606 if (mhp[SADB_X_EXT_SEC_CTX] != NULL) {
2607 struct sadb_x_sec_ctx *ctx;
2608
2609 ctx = (struct sadb_x_sec_ctx *)mhp[SADB_X_EXT_SEC_CTX];
2610 spidx.sec_ctx.ctx_alg = ctx->sadb_x_ctx_alg;
2611 spidx.sec_ctx.ctx_doi = ctx->sadb_x_ctx_doi;
2612 spidx.sec_ctx.ctx_strlen = ctx->sadb_x_ctx_len;
2613 memcpy(spidx.sec_ctx.ctx_str, ctx + 1, ctx->sadb_x_ctx_len);
2614 }
2615 #endif /* HAVE_SECCTX */
2616
2617 sp = getsp(&spidx);
2618 if (sp == NULL) {
2619 plog(LLV_ERROR, LOCATION, NULL,
2620 "no policy found: %s\n",
2621 spidx2str(&spidx));
2622 return -1;
2623 }
2624
2625 remsp(sp);
2626 delsp(sp);
2627
2628 return 0;
2629 }
2630
2631 static int
pk_recvspdexpire(mhp)2632 pk_recvspdexpire(mhp)
2633 caddr_t *mhp;
2634 {
2635 struct sadb_address *saddr, *daddr;
2636 struct sadb_x_policy *xpl;
2637 struct sadb_lifetime *lt;
2638 struct policyindex spidx;
2639 struct secpolicy *sp;
2640 u_int64_t created;
2641
2642 /* sanity check */
2643 if (mhp[0] == NULL
2644 || mhp[SADB_EXT_ADDRESS_SRC] == NULL
2645 || mhp[SADB_EXT_ADDRESS_DST] == NULL
2646 || mhp[SADB_X_EXT_POLICY] == NULL) {
2647 plog(LLV_ERROR, LOCATION, NULL,
2648 "inappropriate sadb spdexpire message passed.\n");
2649 return -1;
2650 }
2651 saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC];
2652 daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
2653 xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
2654 lt = (struct sadb_lifetime*)mhp[SADB_EXT_LIFETIME_HARD];
2655 if(lt != NULL)
2656 created = lt->sadb_lifetime_addtime;
2657 else
2658 created = 0;
2659
2660 #ifdef HAVE_PFKEY_POLICY_PRIORITY
2661 KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
2662 saddr + 1,
2663 daddr + 1,
2664 saddr->sadb_address_prefixlen,
2665 daddr->sadb_address_prefixlen,
2666 saddr->sadb_address_proto,
2667 xpl->sadb_x_policy_priority,
2668 created,
2669 &spidx);
2670 #else
2671 KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
2672 saddr + 1,
2673 daddr + 1,
2674 saddr->sadb_address_prefixlen,
2675 daddr->sadb_address_prefixlen,
2676 saddr->sadb_address_proto,
2677 created,
2678 &spidx);
2679 #endif
2680
2681 #ifdef HAVE_SECCTX
2682 if (mhp[SADB_X_EXT_SEC_CTX] != NULL) {
2683 struct sadb_x_sec_ctx *ctx;
2684
2685 ctx = (struct sadb_x_sec_ctx *)mhp[SADB_X_EXT_SEC_CTX];
2686 spidx.sec_ctx.ctx_alg = ctx->sadb_x_ctx_alg;
2687 spidx.sec_ctx.ctx_doi = ctx->sadb_x_ctx_doi;
2688 spidx.sec_ctx.ctx_strlen = ctx->sadb_x_ctx_len;
2689 memcpy(spidx.sec_ctx.ctx_str, ctx + 1, ctx->sadb_x_ctx_len);
2690 }
2691 #endif /* HAVE_SECCTX */
2692
2693 sp = getsp(&spidx);
2694 if (sp == NULL) {
2695 plog(LLV_ERROR, LOCATION, NULL,
2696 "no policy found: %s\n",
2697 spidx2str(&spidx));
2698 return -1;
2699 }
2700
2701 remsp(sp);
2702 delsp(sp);
2703
2704 return 0;
2705 }
2706
2707 static int
pk_recvspdget(mhp)2708 pk_recvspdget(mhp)
2709 caddr_t *mhp;
2710 {
2711 /* sanity check */
2712 if (mhp[0] == NULL) {
2713 plog(LLV_ERROR, LOCATION, NULL,
2714 "inappropriate sadb spdget message passed.\n");
2715 return -1;
2716 }
2717
2718 return 0;
2719 }
2720
2721 static int
pk_recvspddump(mhp)2722 pk_recvspddump(mhp)
2723 caddr_t *mhp;
2724 {
2725 struct sadb_msg *msg;
2726 struct sadb_address *saddr, *daddr;
2727 struct sadb_x_policy *xpl;
2728 struct sadb_lifetime *lt;
2729 struct policyindex spidx;
2730 struct secpolicy *sp;
2731 struct sockaddr *local=NULL, *remote=NULL;
2732 u_int64_t created;
2733 int ret;
2734
2735 /* sanity check */
2736 if (mhp[0] == NULL) {
2737 plog(LLV_ERROR, LOCATION, NULL,
2738 "inappropriate sadb spddump message passed.\n");
2739 return -1;
2740 }
2741 msg = (struct sadb_msg *)mhp[0];
2742 saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC];
2743 daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
2744 xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
2745 lt = (struct sadb_lifetime*)mhp[SADB_EXT_LIFETIME_HARD];
2746 if(lt != NULL)
2747 created = lt->sadb_lifetime_addtime;
2748 else
2749 created = 0;
2750
2751 if (saddr == NULL || daddr == NULL || xpl == NULL) {
2752 plog(LLV_ERROR, LOCATION, NULL,
2753 "inappropriate sadb spddump message passed.\n");
2754 return -1;
2755 }
2756
2757 #ifdef HAVE_PFKEY_POLICY_PRIORITY
2758 KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
2759 saddr + 1,
2760 daddr + 1,
2761 saddr->sadb_address_prefixlen,
2762 daddr->sadb_address_prefixlen,
2763 saddr->sadb_address_proto,
2764 xpl->sadb_x_policy_priority,
2765 created,
2766 &spidx);
2767 #else
2768 KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
2769 saddr + 1,
2770 daddr + 1,
2771 saddr->sadb_address_prefixlen,
2772 daddr->sadb_address_prefixlen,
2773 saddr->sadb_address_proto,
2774 created,
2775 &spidx);
2776 #endif
2777
2778 #ifdef HAVE_SECCTX
2779 if (mhp[SADB_X_EXT_SEC_CTX] != NULL) {
2780 struct sadb_x_sec_ctx *ctx;
2781
2782 ctx = (struct sadb_x_sec_ctx *)mhp[SADB_X_EXT_SEC_CTX];
2783 spidx.sec_ctx.ctx_alg = ctx->sadb_x_ctx_alg;
2784 spidx.sec_ctx.ctx_doi = ctx->sadb_x_ctx_doi;
2785 spidx.sec_ctx.ctx_strlen = ctx->sadb_x_ctx_len;
2786 memcpy(spidx.sec_ctx.ctx_str, ctx + 1, ctx->sadb_x_ctx_len);
2787 }
2788 #endif /* HAVE_SECCTX */
2789
2790 sp = getsp(&spidx);
2791 if (sp != NULL) {
2792 plog(LLV_ERROR, LOCATION, NULL,
2793 "such policy already exists. "
2794 "anyway replace it: %s\n",
2795 spidx2str(&spidx));
2796
2797 /* preserve hints before deleting the SP */
2798 local = sp->local;
2799 remote = sp->remote;
2800 sp->local = NULL;
2801 sp->remote = NULL;
2802
2803 remsp(sp);
2804 delsp(sp);
2805 }
2806
2807 /* Add new SP (with old hints) */
2808 ret = addnewsp(mhp, local, remote);
2809
2810 if (local != NULL)
2811 racoon_free(local);
2812 if (remote != NULL)
2813 racoon_free(remote);
2814
2815 if (ret < 0)
2816 return -1;
2817
2818 return 0;
2819 }
2820
2821 static int
pk_recvspdflush(mhp)2822 pk_recvspdflush(mhp)
2823 caddr_t *mhp;
2824 {
2825 /* sanity check */
2826 if (mhp[0] == NULL) {
2827 plog(LLV_ERROR, LOCATION, NULL,
2828 "inappropriate sadb spdflush message passed.\n");
2829 return -1;
2830 }
2831
2832 flushsp();
2833
2834 return 0;
2835 }
2836
2837 #if defined(SADB_X_MIGRATE) && defined(SADB_X_EXT_KMADDRESS)
2838
2839 /* MIGRATE support (pk_recvmigrate() is the handler of MIGRATE message).
2840 *
2841 * pk_recvmigrate()
2842 * 1) some preprocessing and checks
2843 * 2) parsing of sadb_x_kmaddress extension
2844 * 3) SP lookup using selectors and content of policy extension from MIGRATE
2845 * 4) resolution of current local and remote IKE addresses
2846 * 5) Use of addresses to get Phase 1 handler if any
2847 * 6) Update of IKE addresses in Phase 1 (iph1->local and iph1->remote)
2848 * 7) Update of IKE addresses in Phase 2 (iph2->src and iph2->dst)
2849 * 8) Update of IKE addresses in SP (sp->local and sp->remote)
2850 * 9) Loop on sadb_x_ipsecrequests pairs from MIGRATE
2851 * - update of associated ipsecrequests entries in sp->req (should be
2852 * only one as racoon does not support bundles), i.e. update of
2853 * tunnel endpoints when required.
2854 * - If tunnel mode endpoints have been updated, lookup of associated
2855 * Phase 2 handle to also update sa_src and sa_dst entries
2856 *
2857 * XXX Note that we do not support yet the update of SA addresses for transport
2858 * mode, but only the update of SA addresses for tunnel mode (endpoints).
2859 * Reasons are:
2860 * - there is no initial need for MIPv6
2861 * - racoon does not support bundles
2862 * - this would imply more work to deal with sainfo update (if feasible).
2863 */
2864
2865 /* Generic argument structure for migration callbacks */
2866 struct migrate_args {
2867 struct sockaddr *local;
2868 struct sockaddr *remote;
2869 };
2870
2871 /*
2872 * Update local and remote addresses of given Phase 1. Schedule removal
2873 * if negotiation was going on and restart a one from updated address.
2874 *
2875 * -1 is returned on error. 0 if everything went right.
2876 */
2877 static int
migrate_ph1_ike_addresses(iph1,arg)2878 migrate_ph1_ike_addresses(iph1, arg)
2879 struct ph1handle *iph1;
2880 void *arg;
2881 {
2882 struct migrate_args *ma = (struct migrate_args *) arg;
2883 struct remoteconf *rmconf;
2884 u_int16_t port;
2885
2886 /* Already up-to-date? */
2887 if (cmpsaddr(iph1->local, ma->local) == CMPSADDR_MATCH &&
2888 cmpsaddr(iph1->remote, ma->remote) == CMPSADDR_MATCH)
2889 return 0;
2890
2891 if (iph1->status < PHASE1ST_ESTABLISHED) {
2892 /* Bad luck! We received a MIGRATE *while* negotiating
2893 * Phase 1 (i.e. it was not established yet). If we act as
2894 * initiator we need to restart the negotiation. As
2895 * responder, our best bet is to update our addresses
2896 * and wait for the initiator to do something */
2897 plog(LLV_WARNING, LOCATION, NULL, "MIGRATE received *during* "
2898 "Phase 1 negotiation (%s).\n",
2899 saddr2str_fromto("%s => %s", ma->local, ma->remote));
2900
2901 /* If we are not acting as initiator, let's just leave and
2902 * let the remote peer handle the restart */
2903 rmconf = getrmconf(ma->remote, 0);
2904 if (rmconf == NULL || !rmconf->passive) {
2905 iph1->status = PHASE1ST_EXPIRED;
2906 isakmp_ph1delete(iph1);
2907
2908 /* This is unlikely, but let's just check if a Phase 1
2909 * for the new addresses already exist */
2910 if (getph1byaddr(ma->local, ma->remote, 0)) {
2911 plog(LLV_WARNING, LOCATION, NULL, "No need "
2912 "to start a new Phase 1 negotiation. One "
2913 "already exists.\n");
2914 return 0;
2915 }
2916
2917 plog(LLV_WARNING, LOCATION, NULL, "As initiator, "
2918 "restarting it.\n");
2919 /* Note that the insertion of the new Phase 1 will not
2920 * interfere with the fact we are called from enumph1,
2921 * because it is inserted as first element. --arno */
2922 isakmp_ph1begin_i(rmconf, ma->local, ma->remote);
2923
2924 return 0;
2925 }
2926 }
2927
2928 if (iph1->local != NULL) {
2929 plog(LLV_DEBUG, LOCATION, NULL, "Migrating Phase 1 local "
2930 "address from %s\n",
2931 saddr2str_fromto("%s to %s", iph1->local, ma->local));
2932 port = extract_port(iph1->local);
2933 racoon_free(iph1->local);
2934 } else
2935 port = 0;
2936
2937 iph1->local = dupsaddr(ma->local);
2938 if (iph1->local == NULL) {
2939 plog(LLV_ERROR, LOCATION, NULL, "unable to allocate "
2940 "Phase 1 local address.\n");
2941 return -1;
2942 }
2943 set_port(iph1->local, port);
2944
2945 if (iph1->remote != NULL) {
2946 plog(LLV_DEBUG, LOCATION, NULL, "Migrating Phase 1 remote "
2947 "address from %s\n",
2948 saddr2str_fromto("%s to %s", iph1->remote, ma->remote));
2949 port = extract_port(iph1->remote);
2950 racoon_free(iph1->remote);
2951 } else
2952 port = 0;
2953
2954 iph1->remote = dupsaddr(ma->remote);
2955 if (iph1->remote == NULL) {
2956 plog(LLV_ERROR, LOCATION, NULL, "unable to allocate "
2957 "Phase 1 remote address.\n");
2958 return -1;
2959 }
2960 set_port(iph1->remote, port);
2961
2962 return 0;
2963 }
2964
2965 /* Update src and dst of all current Phase 2 handles.
2966 * with provided local and remote addresses.
2967 * Our intent is NOT to modify IPsec SA endpoints but IKE
2968 * addresses so we need to take care to separate those if
2969 * they are different. -1 is returned on error. 0 if everything
2970 * went right.
2971 *
2972 * Note: we do not maintain port information as it is not
2973 * expected to be meaningful --arno
2974 */
2975 static int
migrate_ph2_ike_addresses(iph2,arg)2976 migrate_ph2_ike_addresses(iph2, arg)
2977 struct ph2handle *iph2;
2978 void *arg;
2979 {
2980 struct migrate_args *ma = (struct migrate_args *) arg;
2981 struct ph1handle *iph1;
2982
2983 /* If Phase 2 has an associated Phase 1, migrate addresses */
2984 if (iph2->ph1)
2985 migrate_ph1_ike_addresses(iph2->ph1, arg);
2986
2987 /* Already up-to-date? */
2988 if (cmpsaddr(iph2->src, ma->local) == CMPSADDR_MATCH &&
2989 cmpsaddr(iph2->dst, ma->remote) == CMPSADDR_MATCH)
2990 return 0;
2991
2992 /* save src/dst as sa_src/sa_dst before rewriting */
2993 if (iph2->sa_src == NULL && iph2->sa_dst == NULL) {
2994 iph2->sa_src = iph2->src;
2995 iph2->sa_dst = iph2->dst;
2996 iph2->src = NULL;
2997 iph2->dst = NULL;
2998 }
2999
3000 if (iph2->src != NULL)
3001 racoon_free(iph2->src);
3002 iph2->src = dupsaddr(ma->local);
3003 if (iph2->src == NULL) {
3004 plog(LLV_ERROR, LOCATION, NULL,
3005 "unable to allocate Phase 2 src address.\n");
3006 return -1;
3007 }
3008
3009 if (iph2->dst != NULL)
3010 racoon_free(iph2->dst);
3011 iph2->dst = dupsaddr(ma->remote);
3012 if (iph2->dst == NULL) {
3013 plog(LLV_ERROR, LOCATION, NULL,
3014 "unable to allocate Phase 2 dst address.\n");
3015 return -1;
3016 }
3017
3018 return 0;
3019 }
3020
3021 /* Consider existing Phase 2 handles with given spid and update their source
3022 * and destination addresses for SA. As racoon does not support bundles, if
3023 * we modify multiple occurrences, this probably imply rekeying has happened.
3024 *
3025 * Both addresses passed to the function are expected not to be NULL and of
3026 * same family. -1 is returned on error. 0 if everything went right.
3027 *
3028 * Specific care is needed to support Phase 2 for which negotiation has
3029 * already started but are which not yet established.
3030 */
3031 static int
migrate_ph2_sa_addresses(iph2,args)3032 migrate_ph2_sa_addresses(iph2, args)
3033 struct ph2handle *iph2;
3034 void *args;
3035 {
3036 struct migrate_args *ma = (struct migrate_args *) args;
3037
3038 if (iph2->sa_src != NULL) {
3039 racoon_free(iph2->sa_src);
3040 iph2->sa_src = NULL;
3041 }
3042
3043 if (iph2->sa_dst != NULL) {
3044 racoon_free(iph2->sa_dst);
3045 iph2->sa_dst = NULL;
3046 }
3047
3048 iph2->sa_src = dupsaddr(ma->local);
3049 if (iph2->sa_src == NULL) {
3050 plog(LLV_ERROR, LOCATION, NULL,
3051 "unable to allocate Phase 2 sa_src address.\n");
3052 return -1;
3053 }
3054
3055 iph2->sa_dst = dupsaddr(ma->remote);
3056 if (iph2->sa_dst == NULL) {
3057 plog(LLV_ERROR, LOCATION, NULL,
3058 "unable to allocate Phase 2 sa_dst address.\n");
3059 return -1;
3060 }
3061
3062 if (iph2->status < PHASE2ST_ESTABLISHED) {
3063 struct remoteconf *rmconf;
3064 /* We were negotiating for that SA when we received the MIGRATE.
3065 * We cannot simply update the addresses and let the exchange
3066 * go on. We have to restart the whole negotiation if we are
3067 * the initiator. Otherwise (acting as responder), we just need
3068 * to delete our ph2handle and wait for the initiator to start
3069 * a new negotiation. */
3070
3071 if (iph2->ph1 && iph2->ph1->rmconf)
3072 rmconf = iph2->ph1->rmconf;
3073 else
3074 rmconf = getrmconf(iph2->dst, 0);
3075
3076 if (rmconf && !rmconf->passive) {
3077 struct ph1handle *iph1hint;
3078
3079 plog(LLV_WARNING, LOCATION, iph2->dst, "MIGRATE received "
3080 "*during* IPsec SA negotiation. As initiator, "
3081 "restarting it.\n");
3082
3083 /* Turn off expiration timer ...*/
3084 sched_cancel(&iph2->sce);
3085 iph2->status = PHASE2ST_EXPIRED;
3086
3087 /* ... clean Phase 2 handle ... */
3088 iph1hint = iph2->ph1;
3089 initph2(iph2);
3090 iph2->status = PHASE2ST_STATUS2;
3091
3092 /* and start a new negotiation */
3093 if (isakmp_post_acquire(iph2, iph1hint, FALSE) < 0) {
3094 plog(LLV_ERROR, LOCATION, iph2->dst, "failed "
3095 "to begin IPsec SA renegotiation after "
3096 "MIGRATE reception.\n");
3097 remph2(iph2);
3098 delph2(iph2);
3099 return -1;
3100 }
3101 } else {
3102 plog(LLV_WARNING, LOCATION, iph2->dst, "MIGRATE received "
3103 "*during* IPsec SA negotiation. As responder, let's"
3104 "wait for the initiator to act.\n");
3105
3106 /* Simply schedule deletion */
3107 isakmp_ph2expire(iph2);
3108 }
3109 }
3110
3111 return 0;
3112 }
3113
3114 /* Update SP hints (local and remote addresses) for future IKE
3115 * negotiations of SA associated with that SP. -1 is returned
3116 * on error. 0 if everything went right.
3117 *
3118 * Note: we do not maintain port information as it is not
3119 * expected to be meaningful --arno
3120 */
3121 static int
migrate_sp_ike_addresses(sp,local,remote)3122 migrate_sp_ike_addresses(sp, local, remote)
3123 struct secpolicy *sp;
3124 struct sockaddr *local, *remote;
3125 {
3126 if (sp == NULL || local == NULL || remote == NULL)
3127 return -1;
3128
3129 if (sp->local != NULL)
3130 racoon_free(sp->local);
3131
3132 sp->local = dupsaddr(local);
3133 if (sp->local == NULL) {
3134 plog(LLV_ERROR, LOCATION, NULL, "unable to allocate "
3135 "local hint for SP.\n");
3136 return -1;
3137 }
3138
3139 if (sp->remote != NULL)
3140 racoon_free(sp->remote);
3141
3142 sp->remote = dupsaddr(remote);
3143 if (sp->remote == NULL) {
3144 plog(LLV_ERROR, LOCATION, NULL, "unable to allocate "
3145 "remote hint for SP.\n");
3146 return -1;
3147 }
3148
3149 return 0;
3150 }
3151
3152 /* Given current ipsecrequest (isr_cur) to be migrated in considered
3153 tree, the function first checks that it matches the expected one
3154 (xisr_old) provided in MIGRATE message and then updates the addresses
3155 if it is tunnel mode (with content of xisr_new). Various other checks
3156 are performed. For transport mode, structures are not modified, only
3157 the checks are done. -1 is returned on error. */
3158 static int
migrate_ph2_one_isr(spid,isr_cur,xisr_old,xisr_new)3159 migrate_ph2_one_isr(spid, isr_cur, xisr_old, xisr_new)
3160 u_int32_t spid;
3161 struct ipsecrequest *isr_cur;
3162 struct sadb_x_ipsecrequest *xisr_old, *xisr_new;
3163 {
3164 struct secasindex *saidx = &isr_cur->saidx;
3165 struct sockaddr *osaddr, *odaddr, *nsaddr, *ndaddr;
3166 struct ph2selector ph2sel;
3167 struct migrate_args ma;
3168
3169 /* First, check that mode and proto do match */
3170 if (xisr_old->sadb_x_ipsecrequest_proto != saidx->proto ||
3171 xisr_old->sadb_x_ipsecrequest_mode != saidx->mode ||
3172 xisr_new->sadb_x_ipsecrequest_proto != saidx->proto ||
3173 xisr_new->sadb_x_ipsecrequest_mode != saidx->mode)
3174 return -1;
3175
3176 /* Then, verify reqid if necessary */
3177 if (isr_cur->saidx.reqid &&
3178 (xisr_old->sadb_x_ipsecrequest_level != IPSEC_LEVEL_UNIQUE ||
3179 xisr_new->sadb_x_ipsecrequest_level != IPSEC_LEVEL_UNIQUE ||
3180 isr_cur->saidx.reqid != xisr_old->sadb_x_ipsecrequest_reqid ||
3181 isr_cur->saidx.reqid != xisr_new->sadb_x_ipsecrequest_reqid))
3182 return -1;
3183
3184 /* If not tunnel mode, our work is over */
3185 if (saidx->mode != IPSEC_MODE_TUNNEL) {
3186 plog(LLV_DEBUG, LOCATION, NULL, "SADB_X_MIGRATE: "
3187 "non tunnel mode isr, skipping SA address migration.\n");
3188 return 0;
3189 }
3190
3191 /* Tunnel mode: let's check addresses do match and then update them. */
3192 osaddr = (struct sockaddr *)(xisr_old + 1);
3193 odaddr = (struct sockaddr *)(((u_int8_t *)osaddr) + sysdep_sa_len(osaddr));
3194 nsaddr = (struct sockaddr *)(xisr_new + 1);
3195 ndaddr = (struct sockaddr *)(((u_int8_t *)nsaddr) + sysdep_sa_len(nsaddr));
3196
3197 /* Check family does match */
3198 if (osaddr->sa_family != odaddr->sa_family ||
3199 nsaddr->sa_family != ndaddr->sa_family)
3200 return -1;
3201
3202 /* Check family does match */
3203 if (saidx->src.ss_family != osaddr->sa_family)
3204 return -1;
3205
3206 /* We log IPv4 to IPv6 and IPv6 to IPv4 switches */
3207 if (nsaddr->sa_family != osaddr->sa_family)
3208 plog(LLV_INFO, LOCATION, NULL, "SADB_X_MIGRATE: "
3209 "changing address families (%d to %d) for endpoints.\n",
3210 osaddr->sa_family, nsaddr->sa_family);
3211
3212 if (cmpsaddr(osaddr, (struct sockaddr *) &saidx->src) != CMPSADDR_MATCH ||
3213 cmpsaddr(odaddr, (struct sockaddr *) &saidx->dst) != CMPSADDR_MATCH) {
3214 plog(LLV_DEBUG, LOCATION, NULL, "SADB_X_MIGRATE: "
3215 "mismatch of addresses in saidx and xisr.\n");
3216 return -1;
3217 }
3218
3219 /* Excellent. Let's grab associated Phase 2 handle (if any)
3220 * and update its sa_src and sa_dst entries. Note that we
3221 * make the assumption that racoon does not support bundles
3222 * and make the lookup using spid: we blindly update
3223 * sa_src and sa_dst for _all_ found Phase 2 handles */
3224 memset(&ph2sel, 0, sizeof(ph2sel));
3225 ph2sel.spid = spid;
3226
3227 memset(&ma, 0, sizeof(ma));
3228 ma.local = nsaddr;
3229 ma.remote = ndaddr;
3230
3231 if (enumph2(&ph2sel, migrate_ph2_sa_addresses, &ma) < 0)
3232 return -1;
3233
3234 /* Now we can do the update of endpoints in secasindex */
3235 memcpy(&saidx->src, nsaddr, sysdep_sa_len(nsaddr));
3236 memcpy(&saidx->dst, ndaddr, sysdep_sa_len(ndaddr));
3237
3238 return 0;
3239 }
3240
3241 /* Process the raw (unparsed yet) list of sadb_x_ipsecrequests of MIGRATE
3242 * message. For each sadb_x_ipsecrequest pair (old followed by new),
3243 * the corresponding ipsecrequest entry in the SP is updated. Associated
3244 * existing Phase 2 handle is also updated (if any) */
3245 static int
migrate_sp_isr_list(sp,xisr_list,xisr_list_len)3246 migrate_sp_isr_list(sp, xisr_list, xisr_list_len)
3247 struct secpolicy *sp;
3248 struct sadb_x_ipsecrequest *xisr_list;
3249 int xisr_list_len;
3250 {
3251 struct sadb_x_ipsecrequest *xisr_new, *xisr_old = xisr_list;
3252 int xisr_old_len, xisr_new_len;
3253 struct ipsecrequest *isr_cur;
3254
3255 isr_cur = sp->req; /* ipsecrequest list from sp */
3256
3257 while (xisr_list_len > 0 && isr_cur != NULL) {
3258 /* Get old xisr (length field is in bytes) */
3259 xisr_old_len = xisr_old->sadb_x_ipsecrequest_len;
3260 if (xisr_old_len < sizeof(*xisr_old) ||
3261 xisr_old_len + sizeof(*xisr_new) > xisr_list_len) {
3262 plog(LLV_ERROR, LOCATION, NULL, "SADB_X_MIGRATE: "
3263 "invalid ipsecrequest length. Exiting.\n");
3264 return -1;
3265 }
3266
3267 /* Get new xisr with updated info */
3268 xisr_new = (struct sadb_x_ipsecrequest *)(((u_int8_t *)xisr_old) + xisr_old_len);
3269 xisr_new_len = xisr_new->sadb_x_ipsecrequest_len;
3270 if (xisr_new_len < sizeof(*xisr_new) ||
3271 xisr_new_len + xisr_old_len > xisr_list_len) {
3272 plog(LLV_ERROR, LOCATION, NULL, "SADB_X_MIGRATE: "
3273 "invalid ipsecrequest length. Exiting.\n");
3274 return -1;
3275 }
3276
3277 /* Start by migrating current ipsecrequest from SP */
3278 if (migrate_ph2_one_isr(sp->id, isr_cur, xisr_old, xisr_new) == -1) {
3279 plog(LLV_ERROR, LOCATION, NULL, "SADB_X_MIGRATE: "
3280 "Unable to match and migrate isr. Exiting.\n");
3281 return -1;
3282 }
3283
3284 /* Update pointers for next round */
3285 xisr_list_len -= xisr_old_len + xisr_new_len;
3286 xisr_old = (struct sadb_x_ipsecrequest *)(((u_int8_t *)xisr_new) +
3287 xisr_new_len);
3288
3289 isr_cur = isr_cur->next; /* Get next ipsecrequest from SP */
3290 }
3291
3292 /* Check we had the same amount of pairs in the MIGRATE
3293 as the number of ipsecrequests in the SP */
3294 if ((xisr_list_len != 0) || isr_cur != NULL) {
3295 plog(LLV_ERROR, LOCATION, NULL, "SADB_X_MIGRATE: "
3296 "number of ipsecrequest does not match the one in SP.\n");
3297 return -1;
3298 }
3299
3300 return 0;
3301 }
3302
3303 /* Parse sadb_x_kmaddress extension and make local and remote
3304 * parameters point to the new addresses (zero copy). -1 is
3305 * returned on error, meaning that addresses are not usable */
3306 static int
parse_kmaddress(kmaddr,local,remote)3307 parse_kmaddress(kmaddr, local, remote)
3308 struct sadb_x_kmaddress *kmaddr;
3309 struct sockaddr **local, **remote;
3310 {
3311 int addrslen, local_len=0;
3312 struct ph1handle *iph1;
3313
3314 if (kmaddr == NULL)
3315 return -1;
3316
3317 /* Grab addresses in sadb_x_kmaddress extension */
3318 addrslen = PFKEY_EXTLEN(kmaddr) - sizeof(*kmaddr);
3319 if (addrslen < sizeof(struct sockaddr))
3320 return -1;
3321
3322 *local = (struct sockaddr *)(kmaddr + 1);
3323
3324 switch ((*local)->sa_family) {
3325 case AF_INET:
3326 local_len = sizeof(struct sockaddr_in);
3327 break;
3328 #ifdef INET6
3329 case AF_INET6:
3330 local_len = sizeof(struct sockaddr_in6);
3331 break;
3332 #endif
3333 default:
3334 return -1;
3335 }
3336
3337 if (addrslen != PFKEY_ALIGN8(2*local_len))
3338 return -1;
3339
3340 *remote = (struct sockaddr *)(((u_int8_t *)(*local)) + local_len);
3341
3342 if ((*local)->sa_family != (*remote)->sa_family)
3343 return -1;
3344
3345 return 0;
3346 }
3347
3348 /* Handler of PF_KEY MIGRATE message. Helpers are above */
3349 static int
pk_recvmigrate(mhp)3350 pk_recvmigrate(mhp)
3351 caddr_t *mhp;
3352 {
3353 struct sadb_address *saddr, *daddr;
3354 struct sockaddr *old_saddr, *new_saddr;
3355 struct sockaddr *old_daddr, *new_daddr;
3356 struct sockaddr *old_local, *old_remote;
3357 struct sockaddr *local, *remote;
3358 struct sadb_x_kmaddress *kmaddr;
3359 struct sadb_x_policy *xpl;
3360 struct sadb_x_ipsecrequest *xisr_list;
3361 struct sadb_lifetime *lt;
3362 struct policyindex spidx;
3363 struct secpolicy *sp;
3364 struct ipsecrequest *isr_cur;
3365 struct secasindex *oldsaidx;
3366 struct ph2handle *iph2;
3367 struct ph1handle *iph1;
3368 struct ph2selector ph2sel;
3369 struct ph1selector ph1sel;
3370 u_int32_t spid;
3371 u_int64_t created;
3372 int xisr_list_len;
3373 int ulproto;
3374 struct migrate_args ma;
3375
3376 /* Some sanity checks */
3377
3378 if (mhp[0] == NULL
3379 || mhp[SADB_EXT_ADDRESS_SRC] == NULL
3380 || mhp[SADB_EXT_ADDRESS_DST] == NULL
3381 || mhp[SADB_X_EXT_KMADDRESS] == NULL
3382 || mhp[SADB_X_EXT_POLICY] == NULL) {
3383 plog(LLV_ERROR, LOCATION, NULL,
3384 "SADB_X_MIGRATE: invalid MIGRATE message received.\n");
3385 return -1;
3386 }
3387 kmaddr = (struct sadb_x_kmaddress *)mhp[SADB_X_EXT_KMADDRESS];
3388 saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC];
3389 daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
3390 xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
3391 lt = (struct sadb_lifetime*)mhp[SADB_EXT_LIFETIME_HARD];
3392 if (lt != NULL)
3393 created = lt->sadb_lifetime_addtime;
3394 else
3395 created = 0;
3396
3397 if (xpl->sadb_x_policy_type != IPSEC_POLICY_IPSEC) {
3398 plog(LLV_WARNING, LOCATION, NULL,"SADB_X_MIGRATE: "
3399 "found non IPsec policy in MIGRATE message. Exiting.\n");
3400 return -1;
3401 }
3402
3403 if (PFKEY_EXTLEN(xpl) < sizeof(*xpl)) {
3404 plog(LLV_ERROR, LOCATION, NULL, "SADB_X_MIGRATE: "
3405 "invalid size for sadb_x_policy. Exiting.\n");
3406 return -1;
3407 }
3408
3409 /* Some logging to help debbugging */
3410 if (xpl->sadb_x_policy_dir == IPSEC_DIR_OUTBOUND)
3411 plog(LLV_DEBUG, LOCATION, NULL,
3412 "SADB_X_MIGRATE: Outbound SA being migrated.\n");
3413 else
3414 plog(LLV_DEBUG, LOCATION, NULL,
3415 "SADB_X_MIGRATE: Inbound SA being migrated.\n");
3416
3417 /* validity check */
3418 xisr_list = (struct sadb_x_ipsecrequest *)(xpl + 1);
3419 xisr_list_len = PFKEY_EXTLEN(xpl) - sizeof(*xpl);
3420 if (xisr_list_len < sizeof(*xisr_list)) {
3421 plog(LLV_ERROR, LOCATION, NULL, "SADB_X_MIGRATE: "
3422 "invalid sadb_x_policy message length. Exiting.\n");
3423 return -1;
3424 }
3425
3426 if (parse_kmaddress(kmaddr, &local, &remote) == -1) {
3427 plog(LLV_ERROR, LOCATION, NULL, "SADB_X_MIGRATE: "
3428 "invalid sadb_x_kmaddress extension. Exiting.\n");
3429 return -1;
3430 }
3431
3432 /* 0 means ANY */
3433 if (saddr->sadb_address_proto == 0)
3434 ulproto = IPSEC_ULPROTO_ANY;
3435 else
3436 ulproto = saddr->sadb_address_proto;
3437
3438 #ifdef HAVE_PFKEY_POLICY_PRIORITY
3439 KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
3440 saddr + 1,
3441 daddr + 1,
3442 saddr->sadb_address_prefixlen,
3443 daddr->sadb_address_prefixlen,
3444 ulproto,
3445 xpl->sadb_x_policy_priority,
3446 created,
3447 &spidx);
3448 #else
3449 KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
3450 saddr + 1,
3451 daddr + 1,
3452 saddr->sadb_address_prefixlen,
3453 daddr->sadb_address_prefixlen,
3454 ulproto,
3455 created,
3456 &spidx);
3457 #endif
3458
3459 /* Everything seems ok, let's get the SP.
3460 *
3461 * XXX We could also do the lookup using the spid from xpl.
3462 * I don't know which one is better. --arno */
3463 sp = getsp(&spidx);
3464 if (sp == NULL) {
3465 plog(LLV_ERROR, LOCATION, NULL,
3466 "SADB_X_MIGRATE: Passed policy does not exist: %s\n",
3467 spidx2str(&spidx));
3468 return -1;
3469 }
3470
3471 /* Get the best source and destination addresses used for IKE
3472 * negotiation, to find and migrate existing Phase 1 */
3473 if (sp->local && sp->remote) {
3474 /* hints available, let's use them */
3475 old_local = (struct sockaddr *)sp->local;
3476 old_remote = (struct sockaddr *)sp->remote;
3477 } else if (sp->req && sp->req->saidx.mode == IPSEC_MODE_TUNNEL) {
3478 /* Tunnel mode and no hint, use endpoints */
3479 old_local = (struct sockaddr *)&sp->req->saidx.src;
3480 old_remote = (struct sockaddr *)&sp->req->saidx.dst;
3481 } else {
3482 /* default, use selectors as fallback */
3483 old_local = (struct sockaddr *)&sp->spidx.src;
3484 old_remote = (struct sockaddr *)&sp->spidx.dst;
3485 }
3486
3487 /* We migrate all Phase 1 that match our old local and remote
3488 * addresses (no matter their state).
3489 *
3490 * XXX In fact, we should probably havea special treatment for
3491 * Phase 1 that are being established when we receive a MIGRATE.
3492 * This can happen if a movement occurs during the initial IKE
3493 * negotiation. In that case, I wonder if should restart the
3494 * negotiation from the new address or just update things like
3495 * we do it now.
3496 *
3497 * XXX while looking at getph1byaddr(), the comment at the
3498 * beginning of the function expects comparison to happen
3499 * without ports considerations but it uses CMPSADDR() which
3500 * relies either on cmpsaddrstrict() or cmpsaddrwop() based
3501 * on NAT-T support being activated. That make me wonder if I
3502 * should force ports to 0 (ANY) in local and remote values
3503 * used below.
3504 *
3505 * -- arno */
3506
3507 /* Apply callback data ...*/
3508 memset(&ma, 0, sizeof(ma));
3509 ma.local = local;
3510 ma.remote = remote;
3511
3512 /* Fill phase1 match criteria ... */
3513 memset(&ph1sel, 0, sizeof(ph1sel));
3514 ph1sel.local = old_local;
3515 ph1sel.remote = old_remote;
3516
3517
3518 /* Have matching Phase 1 found and addresses updated. As this is a
3519 * time consuming task on a busy responder, and MIGRATE messages
3520 * are always sent for *both* inbound and outbound (and possibly
3521 * forward), we only do that for outbound SP. */
3522 if (xpl->sadb_x_policy_dir == IPSEC_DIR_OUTBOUND &&
3523 enumph1(&ph1sel, migrate_ph1_ike_addresses, &ma) < 0) {
3524 plog(LLV_ERROR, LOCATION, NULL, "SADB_X_MIGRATE: Unable "
3525 "to migrate Phase 1 addresses.\n");
3526 return -1;
3527 }
3528
3529 /* We can now update IKE addresses in Phase 2 handle. */
3530 memset(&ph2sel, 0, sizeof(ph2sel));
3531 ph2sel.spid = sp->id;
3532 if (enumph2(&ph2sel, migrate_ph2_ike_addresses, &ma) < 0) {
3533 plog(LLV_ERROR, LOCATION, NULL, "SADB_X_MIGRATE: Unable "
3534 "to migrate Phase 2 IKE addresses.\n");
3535 return -1;
3536 }
3537
3538 /* and _then_ in SP. */
3539 if (migrate_sp_ike_addresses(sp, local, remote) < 0) {
3540 plog(LLV_ERROR, LOCATION, NULL,
3541 "SADB_X_MIGRATE: Unable to migrate SP IKE addresses.\n");
3542 return -1;
3543 }
3544
3545 /* Loop on sadb_x_ipsecrequest list to possibly update sp->req
3546 * entries and associated live Phase 2 handles (their sa_src
3547 * and sa_dst) */
3548 if (migrate_sp_isr_list(sp, xisr_list, xisr_list_len) < 0) {
3549 plog(LLV_ERROR, LOCATION, NULL,
3550 "SADB_X_MIGRATE: Unable to migrate isr list.\n");
3551 return -1;
3552 }
3553
3554 return 0;
3555 }
3556 #endif
3557
3558 /*
3559 * send error against acquire message to kernel.
3560 */
3561 int
pk_sendeacquire(iph2)3562 pk_sendeacquire(iph2)
3563 struct ph2handle *iph2;
3564 {
3565 struct sadb_msg *newmsg;
3566 int len;
3567
3568 len = sizeof(struct sadb_msg);
3569 newmsg = racoon_calloc(1, len);
3570 if (newmsg == NULL) {
3571 plog(LLV_ERROR, LOCATION, NULL,
3572 "failed to get buffer to send acquire.\n");
3573 return -1;
3574 }
3575
3576 memset(newmsg, 0, len);
3577 newmsg->sadb_msg_version = PF_KEY_V2;
3578 newmsg->sadb_msg_type = SADB_ACQUIRE;
3579 newmsg->sadb_msg_errno = ENOENT; /* XXX */
3580 newmsg->sadb_msg_satype = iph2->satype;
3581 newmsg->sadb_msg_len = PFKEY_UNIT64(len);
3582 newmsg->sadb_msg_reserved = 0;
3583 newmsg->sadb_msg_seq = iph2->seq;
3584 newmsg->sadb_msg_pid = (u_int32_t)getpid();
3585
3586 /* send message */
3587 len = pfkey_send(lcconf->sock_pfkey, newmsg, len);
3588
3589 racoon_free(newmsg);
3590
3591 return 0;
3592 }
3593
3594 /*
3595 * check if the algorithm is supported or not.
3596 * OUT 0: ok
3597 * -1: ng
3598 */
3599 int
pk_checkalg(class,calg,keylen)3600 pk_checkalg(class, calg, keylen)
3601 int class, calg, keylen;
3602 {
3603 int sup, error;
3604 u_int alg;
3605 struct sadb_alg alg0;
3606
3607 switch (algclass2doi(class)) {
3608 case IPSECDOI_PROTO_IPSEC_ESP:
3609 sup = SADB_EXT_SUPPORTED_ENCRYPT;
3610 break;
3611 case IPSECDOI_ATTR_AUTH:
3612 sup = SADB_EXT_SUPPORTED_AUTH;
3613 break;
3614 case IPSECDOI_PROTO_IPCOMP:
3615 plog(LLV_DEBUG, LOCATION, NULL,
3616 "no check of compression algorithm; "
3617 "not supported in sadb message.\n");
3618 return 0;
3619 default:
3620 plog(LLV_ERROR, LOCATION, NULL,
3621 "invalid algorithm class.\n");
3622 return -1;
3623 }
3624 alg = ipsecdoi2pfkey_alg(algclass2doi(class), algtype2doi(class, calg));
3625 if (alg == ~0)
3626 return -1;
3627
3628 if (keylen == 0) {
3629 if (ipsec_get_keylen(sup, alg, &alg0)) {
3630 plog(LLV_ERROR, LOCATION, NULL,
3631 "%s.\n", ipsec_strerror());
3632 return -1;
3633 }
3634 keylen = alg0.sadb_alg_minbits;
3635 }
3636
3637 error = ipsec_check_keylen(sup, alg, keylen);
3638 if (error)
3639 plog(LLV_ERROR, LOCATION, NULL,
3640 "%s.\n", ipsec_strerror());
3641
3642 return error;
3643 }
3644
3645 /*
3646 * differences with pfkey_recv() in libipsec/pfkey.c:
3647 * - never performs busy wait loop.
3648 * - returns NULL and set *lenp to negative on fatal failures
3649 * - returns NULL and set *lenp to non-negative on non-fatal failures
3650 * - returns non-NULL on success
3651 */
3652 static struct sadb_msg *
pk_recv(so,lenp)3653 pk_recv(so, lenp)
3654 int so;
3655 int *lenp;
3656 {
3657 struct sadb_msg buf, *newmsg;
3658 int reallen;
3659 int retry = 0;
3660
3661 *lenp = -1;
3662 do
3663 {
3664 plog(LLV_DEBUG, LOCATION, NULL, "pk_recv: retry[%d] recv() \n", retry );
3665 *lenp = recv(so, (caddr_t)&buf, sizeof(buf), MSG_PEEK | MSG_DONTWAIT);
3666 retry++;
3667 }
3668 while (*lenp < 0 && errno == EAGAIN && retry < 3);
3669
3670 if (*lenp < 0)
3671 return NULL; /*fatal*/
3672
3673 else if (*lenp < sizeof(buf))
3674 return NULL;
3675
3676 reallen = PFKEY_UNUNIT64(buf.sadb_msg_len);
3677 if (reallen < sizeof(buf)) {
3678 *lenp = -1;
3679 errno = EIO;
3680 return NULL; /*fatal*/
3681 }
3682 if ((newmsg = racoon_calloc(1, reallen)) == NULL)
3683 return NULL;
3684
3685 *lenp = recv(so, (caddr_t)newmsg, reallen, MSG_PEEK);
3686 if (*lenp < 0) {
3687 racoon_free(newmsg);
3688 return NULL; /*fatal*/
3689 } else if (*lenp != reallen) {
3690 racoon_free(newmsg);
3691 return NULL;
3692 }
3693
3694 *lenp = recv(so, (caddr_t)newmsg, reallen, 0);
3695 if (*lenp < 0) {
3696 racoon_free(newmsg);
3697 return NULL; /*fatal*/
3698 } else if (*lenp != reallen) {
3699 racoon_free(newmsg);
3700 return NULL;
3701 }
3702
3703 return newmsg;
3704 }
3705
3706 /* see handler.h */
3707 u_int32_t
pk_getseq()3708 pk_getseq()
3709 {
3710 return eay_random();
3711 }
3712
3713 static int
addnewsp(mhp,local,remote)3714 addnewsp(mhp, local, remote)
3715 caddr_t *mhp;
3716 struct sockaddr *local, *remote;
3717 {
3718 struct secpolicy *new = NULL;
3719 struct sadb_address *saddr, *daddr;
3720 struct sadb_x_policy *xpl;
3721 struct sadb_lifetime *lt;
3722 u_int64_t created;
3723
3724 /* sanity check */
3725 if (mhp[SADB_EXT_ADDRESS_SRC] == NULL
3726 || mhp[SADB_EXT_ADDRESS_DST] == NULL
3727 || mhp[SADB_X_EXT_POLICY] == NULL) {
3728 plog(LLV_ERROR, LOCATION, NULL,
3729 "inappropriate sadb spd management message passed.\n");
3730 goto bad;
3731 }
3732
3733 saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC];
3734 daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
3735 xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
3736 lt = (struct sadb_lifetime*)mhp[SADB_EXT_LIFETIME_HARD];
3737 if(lt != NULL)
3738 created = lt->sadb_lifetime_addtime;
3739 else
3740 created = 0;
3741 lt = (struct sadb_lifetime*)mhp[SADB_EXT_LIFETIME_HARD];
3742 if(lt != NULL)
3743 created = lt->sadb_lifetime_addtime;
3744 else
3745 created = 0;
3746
3747 #ifdef __linux__
3748 /* bsd skips over per-socket policies because there will be no
3749 * src and dst extensions in spddump messages. On Linux the only
3750 * way to achieve the same is check for policy id.
3751 */
3752 if (xpl->sadb_x_policy_id % 8 >= 3) return 0;
3753 #endif
3754
3755 new = newsp();
3756 if (new == NULL) {
3757 plog(LLV_ERROR, LOCATION, NULL,
3758 "failed to allocate buffer\n");
3759 goto bad;
3760 }
3761
3762 new->spidx.dir = xpl->sadb_x_policy_dir;
3763 new->id = xpl->sadb_x_policy_id;
3764 new->policy = xpl->sadb_x_policy_type;
3765 new->req = NULL;
3766
3767 /* check policy */
3768 switch (xpl->sadb_x_policy_type) {
3769 case IPSEC_POLICY_DISCARD:
3770 case IPSEC_POLICY_NONE:
3771 case IPSEC_POLICY_ENTRUST:
3772 case IPSEC_POLICY_BYPASS:
3773 break;
3774
3775 case IPSEC_POLICY_IPSEC:
3776 {
3777 int tlen;
3778 struct sadb_x_ipsecrequest *xisr;
3779 struct ipsecrequest **p_isr = &new->req;
3780
3781 /* validity check */
3782 if (PFKEY_EXTLEN(xpl) < sizeof(*xpl)) {
3783 plog(LLV_ERROR, LOCATION, NULL,
3784 "invalid msg length.\n");
3785 goto bad;
3786 }
3787
3788 tlen = PFKEY_EXTLEN(xpl) - sizeof(*xpl);
3789 xisr = (struct sadb_x_ipsecrequest *)(xpl + 1);
3790
3791 while (tlen > 0) {
3792
3793 /* length check */
3794 if (xisr->sadb_x_ipsecrequest_len < sizeof(*xisr)) {
3795 plog(LLV_ERROR, LOCATION, NULL,
3796 "invalid msg length.\n");
3797 goto bad;
3798 }
3799
3800 /* allocate request buffer */
3801 *p_isr = newipsecreq();
3802 if (*p_isr == NULL) {
3803 plog(LLV_ERROR, LOCATION, NULL,
3804 "failed to get new ipsecreq.\n");
3805 goto bad;
3806 }
3807
3808 /* set values */
3809 (*p_isr)->next = NULL;
3810
3811 switch (xisr->sadb_x_ipsecrequest_proto) {
3812 case IPPROTO_ESP:
3813 case IPPROTO_AH:
3814 case IPPROTO_IPCOMP:
3815 break;
3816 default:
3817 plog(LLV_ERROR, LOCATION, NULL,
3818 "invalid proto type: %u\n",
3819 xisr->sadb_x_ipsecrequest_proto);
3820 goto bad;
3821 }
3822 (*p_isr)->saidx.proto = xisr->sadb_x_ipsecrequest_proto;
3823
3824 switch (xisr->sadb_x_ipsecrequest_mode) {
3825 case IPSEC_MODE_TRANSPORT:
3826 case IPSEC_MODE_TUNNEL:
3827 break;
3828 case IPSEC_MODE_ANY:
3829 default:
3830 plog(LLV_ERROR, LOCATION, NULL,
3831 "invalid mode: %u\n",
3832 xisr->sadb_x_ipsecrequest_mode);
3833 goto bad;
3834 }
3835 (*p_isr)->saidx.mode = xisr->sadb_x_ipsecrequest_mode;
3836
3837 switch (xisr->sadb_x_ipsecrequest_level) {
3838 case IPSEC_LEVEL_DEFAULT:
3839 case IPSEC_LEVEL_USE:
3840 case IPSEC_LEVEL_REQUIRE:
3841 break;
3842 case IPSEC_LEVEL_UNIQUE:
3843 (*p_isr)->saidx.reqid =
3844 xisr->sadb_x_ipsecrequest_reqid;
3845 break;
3846
3847 default:
3848 plog(LLV_ERROR, LOCATION, NULL,
3849 "invalid level: %u\n",
3850 xisr->sadb_x_ipsecrequest_level);
3851 goto bad;
3852 }
3853 (*p_isr)->level = xisr->sadb_x_ipsecrequest_level;
3854
3855 /* set IP addresses if there */
3856 if (xisr->sadb_x_ipsecrequest_len > sizeof(*xisr)) {
3857 struct sockaddr *paddr;
3858
3859 paddr = (struct sockaddr *)(xisr + 1);
3860 bcopy(paddr, &(*p_isr)->saidx.src,
3861 sysdep_sa_len(paddr));
3862
3863 paddr = (struct sockaddr *)((caddr_t)paddr
3864 + sysdep_sa_len(paddr));
3865 bcopy(paddr, &(*p_isr)->saidx.dst,
3866 sysdep_sa_len(paddr));
3867 }
3868
3869 (*p_isr)->sp = new;
3870
3871 /* initialization for the next. */
3872 p_isr = &(*p_isr)->next;
3873 tlen -= xisr->sadb_x_ipsecrequest_len;
3874
3875 /* validity check */
3876 if (tlen < 0) {
3877 plog(LLV_ERROR, LOCATION, NULL,
3878 "becoming tlen < 0\n");
3879 }
3880
3881 xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xisr
3882 + xisr->sadb_x_ipsecrequest_len);
3883 }
3884 }
3885 break;
3886 default:
3887 plog(LLV_ERROR, LOCATION, NULL,
3888 "invalid policy type.\n");
3889 goto bad;
3890 }
3891
3892 #ifdef HAVE_PFKEY_POLICY_PRIORITY
3893 KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
3894 saddr + 1,
3895 daddr + 1,
3896 saddr->sadb_address_prefixlen,
3897 daddr->sadb_address_prefixlen,
3898 saddr->sadb_address_proto,
3899 xpl->sadb_x_policy_priority,
3900 created,
3901 &new->spidx);
3902 #else
3903 KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
3904 saddr + 1,
3905 daddr + 1,
3906 saddr->sadb_address_prefixlen,
3907 daddr->sadb_address_prefixlen,
3908 saddr->sadb_address_proto,
3909 created,
3910 &new->spidx);
3911 #endif
3912
3913 #ifdef HAVE_SECCTX
3914 if (mhp[SADB_X_EXT_SEC_CTX] != NULL) {
3915 struct sadb_x_sec_ctx *ctx;
3916
3917 ctx = (struct sadb_x_sec_ctx *)mhp[SADB_X_EXT_SEC_CTX];
3918 new->spidx.sec_ctx.ctx_alg = ctx->sadb_x_ctx_alg;
3919 new->spidx.sec_ctx.ctx_doi = ctx->sadb_x_ctx_doi;
3920 new->spidx.sec_ctx.ctx_strlen = ctx->sadb_x_ctx_len;
3921 memcpy(new->spidx.sec_ctx.ctx_str,ctx + 1,ctx->sadb_x_ctx_len);
3922 }
3923 #endif /* HAVE_SECCTX */
3924
3925 /* Set local and remote hints for that SP, if available */
3926 if (local && remote) {
3927 new->local = dupsaddr(local);
3928 new->remote = dupsaddr(remote);
3929 }
3930
3931 inssp(new);
3932
3933 return 0;
3934 bad:
3935 if (new != NULL) {
3936 if (new->req != NULL)
3937 racoon_free(new->req);
3938 racoon_free(new);
3939 }
3940 return -1;
3941 }
3942
3943 /* proto/mode/src->dst spi */
3944 const char *
sadbsecas2str(src,dst,proto,spi,mode)3945 sadbsecas2str(src, dst, proto, spi, mode)
3946 struct sockaddr *src, *dst;
3947 int proto;
3948 u_int32_t spi;
3949 int mode;
3950 {
3951 static char buf[256];
3952 u_int doi_proto, doi_mode = 0;
3953 char *p;
3954 int blen, i;
3955
3956 doi_proto = pfkey2ipsecdoi_proto(proto);
3957 if (doi_proto == ~0)
3958 return NULL;
3959 if (mode) {
3960 doi_mode = pfkey2ipsecdoi_mode(mode);
3961 if (doi_mode == ~0)
3962 return NULL;
3963 }
3964
3965 blen = sizeof(buf) - 1;
3966 p = buf;
3967
3968 i = snprintf(p, blen, "%s%s%s ",
3969 s_ipsecdoi_proto(doi_proto),
3970 mode ? "/" : "",
3971 mode ? s_ipsecdoi_encmode(doi_mode) : "");
3972 if (i < 0 || i >= blen)
3973 return NULL;
3974 p += i;
3975 blen -= i;
3976
3977 i = snprintf(p, blen, "%s->", saddr2str(src));
3978 if (i < 0 || i >= blen)
3979 return NULL;
3980 p += i;
3981 blen -= i;
3982
3983 i = snprintf(p, blen, "%s ", saddr2str(dst));
3984 if (i < 0 || i >= blen)
3985 return NULL;
3986 p += i;
3987 blen -= i;
3988
3989 if (spi) {
3990 snprintf(p, blen, "spi=%lu(0x%lx)", (unsigned long)ntohl(spi),
3991 (unsigned long)ntohl(spi));
3992 }
3993
3994 return buf;
3995 }
3996