1 /* $OpenBSD: pf_key_v2.c,v 1.205 2023/08/07 04:01:30 dlg Exp $ */ 2 /* $EOM: pf_key_v2.c,v 1.79 2000/12/12 00:33:19 niklas Exp $ */ 3 4 /* 5 * Copyright (c) 1999, 2000, 2001 Niklas Hallqvist. All rights reserved. 6 * Copyright (c) 1999, 2000, 2001 Angelos D. Keromytis. All rights reserved. 7 * Copyright (c) 2001 H�kan Olsson. All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 18 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 19 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 20 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 21 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 22 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 23 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 24 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 25 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 27 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 */ 29 30 /* 31 * This code was written under funding by Ericsson Radio Systems. 32 */ 33 34 #include <sys/types.h> 35 #include <sys/ioctl.h> 36 #include <sys/queue.h> 37 #include <sys/socket.h> 38 #include <sys/uio.h> 39 40 #include <net/pfkeyv2.h> 41 #include <netinet/in.h> 42 #include <netinet/ip_ipsp.h> 43 #include <arpa/inet.h> 44 #include <stdlib.h> 45 #include <poll.h> 46 #include <string.h> 47 #include <unistd.h> 48 #include <pwd.h> 49 #include <errno.h> 50 #include <bitstring.h> 51 52 #include "cert.h" 53 #include "conf.h" 54 #include "connection.h" 55 #include "exchange.h" 56 #include "ipsec.h" 57 #include "ipsec_num.h" 58 #include "key.h" 59 #include "log.h" 60 #include "pf_key_v2.h" 61 #include "sa.h" 62 #include "timer.h" 63 #include "transport.h" 64 #include "ui.h" 65 #include "util.h" 66 67 #include "policy.h" 68 69 #include "udp_encap.h" 70 71 #define IN6_IS_ADDR_FULL(a) \ 72 ((*(u_int32_t *)(void *)(&(a)->s6_addr[0]) == 0xffffffff) && \ 73 (*(u_int32_t *)(void *)(&(a)->s6_addr[4]) == 0xffffffff) && \ 74 (*(u_int32_t *)(void *)(&(a)->s6_addr[8]) == 0xffffffff) && \ 75 (*(u_int32_t *)(void *)(&(a)->s6_addr[12]) == 0xffffffff)) 76 77 #define ADDRESS_MAX sizeof "ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255" 78 79 /* 80 * PF_KEY v2 always work with 64-bit entities and aligns on 64-bit boundaries. 81 */ 82 #define PF_KEY_V2_CHUNK 8 83 #define PF_KEY_V2_ROUND(x) \ 84 (((x) + PF_KEY_V2_CHUNK - 1) & ~(PF_KEY_V2_CHUNK - 1)) 85 86 /* How many microseconds we will wait for a reply from the PF_KEY socket. */ 87 #define PF_KEY_REPLY_TIMEOUT 1000 88 89 struct pf_key_v2_node { 90 TAILQ_ENTRY(pf_key_v2_node) link; 91 void *seg; 92 size_t sz; 93 int cnt; 94 u_int16_t type; 95 u_int8_t flags; 96 }; 97 98 TAILQ_HEAD(pf_key_v2_msg, pf_key_v2_node); 99 100 #define PF_KEY_V2_NODE_MALLOCED 1 101 #define PF_KEY_V2_NODE_MARK 2 102 103 /* Used to derive "unique" connection identifiers. */ 104 int connection_seq = 0; 105 106 static u_int8_t *pf_key_v2_convert_id(u_int8_t *, int, size_t *, int *); 107 static struct pf_key_v2_msg *pf_key_v2_call(struct pf_key_v2_msg *); 108 static struct pf_key_v2_node *pf_key_v2_find_ext(struct pf_key_v2_msg *, 109 u_int16_t); 110 static void pf_key_v2_notify(struct pf_key_v2_msg *); 111 static struct pf_key_v2_msg *pf_key_v2_read(u_int32_t); 112 static u_int32_t pf_key_v2_seq(void); 113 static u_int32_t pf_key_v2_write(struct pf_key_v2_msg *); 114 static int pf_key_v2_remove_conf(char *); 115 static int pf_key_v2_conf_refhandle(int, char *); 116 117 static int pf_key_v2_conf_refinc(int, char *); 118 119 /* The socket to use for PF_KEY interactions. */ 120 int pf_key_v2_socket; 121 122 static struct pf_key_v2_msg * 123 pf_key_v2_msg_new(struct sadb_msg *msg, int flags) 124 { 125 struct pf_key_v2_node *node; 126 struct pf_key_v2_msg *ret; 127 128 node = malloc(sizeof *node); 129 if (!node) 130 goto cleanup; 131 ret = malloc(sizeof *ret); 132 if (!ret) 133 goto cleanup; 134 TAILQ_INIT(ret); 135 node->seg = msg; 136 node->sz = sizeof *msg; 137 node->type = 0; 138 node->cnt = 1; 139 node->flags = flags; 140 TAILQ_INSERT_HEAD(ret, node, link); 141 return ret; 142 143 cleanup: 144 free(node); 145 return 0; 146 } 147 148 /* Add a SZ sized segment SEG to the PF_KEY message MSG. */ 149 static int 150 pf_key_v2_msg_add(struct pf_key_v2_msg *msg, struct sadb_ext *ext, int flags) 151 { 152 struct pf_key_v2_node *node; 153 154 node = malloc(sizeof *node); 155 if (!node) 156 return -1; 157 node->seg = ext; 158 node->sz = ext->sadb_ext_len * PF_KEY_V2_CHUNK; 159 node->type = ext->sadb_ext_type; 160 node->flags = flags; 161 TAILQ_FIRST(msg)->cnt++; 162 TAILQ_INSERT_TAIL(msg, node, link); 163 return 0; 164 } 165 166 /* Deallocate the PF_KEY message MSG. */ 167 static void 168 pf_key_v2_msg_free(struct pf_key_v2_msg *msg) 169 { 170 struct pf_key_v2_node *np; 171 172 np = TAILQ_FIRST(msg); 173 while (np) { 174 TAILQ_REMOVE(msg, np, link); 175 if (np->flags & PF_KEY_V2_NODE_MALLOCED) 176 free(np->seg); 177 free(np); 178 np = TAILQ_FIRST(msg); 179 } 180 free(msg); 181 } 182 183 /* Just return a new sequence number. */ 184 static u_int32_t 185 pf_key_v2_seq(void) 186 { 187 static u_int32_t seq = 0; 188 189 return ++seq; 190 } 191 192 /* 193 * Read a PF_KEY packet with SEQ as the sequence number, looping if necessary. 194 * If SEQ is zero just read the first message we see, otherwise we queue 195 * messages up until both the PID and the sequence number match. 196 */ 197 static struct pf_key_v2_msg * 198 pf_key_v2_read(u_int32_t seq) 199 { 200 ssize_t n; 201 u_int8_t *buf = 0; 202 struct pf_key_v2_msg *ret = 0; 203 struct sadb_msg *msg; 204 struct sadb_msg hdr; 205 struct sadb_ext *ext; 206 struct timespec ts; 207 struct pollfd pfd[1]; 208 209 pfd[0].fd = pf_key_v2_socket; 210 pfd[0].events = POLLIN; 211 212 while (1) { 213 /* 214 * If this is a read of a reply we should actually expect the 215 * reply to get lost as PF_KEY is an unreliable service per 216 * the specs. Currently we do this by setting a short timeout, 217 * and if it is not readable in that time, we fail the read. 218 */ 219 if (seq) { 220 n = poll(pfd, 1, PF_KEY_REPLY_TIMEOUT / 1000); 221 if (n == -1) { 222 log_error("pf_key_v2_read: poll() failed"); 223 goto cleanup; 224 } 225 if (!n) { 226 log_print("pf_key_v2_read: " 227 "no reply from PF_KEY"); 228 goto cleanup; 229 } 230 } 231 n = recv(pf_key_v2_socket, &hdr, sizeof hdr, MSG_PEEK); 232 if (n == -1) { 233 log_error("pf_key_v2_read: recv (%d, ...) failed", 234 pf_key_v2_socket); 235 goto cleanup; 236 } 237 if (n != sizeof hdr) { 238 log_error("pf_key_v2_read: recv (%d, ...) " 239 "returned short packet (%lu bytes)", 240 pf_key_v2_socket, (unsigned long) n); 241 goto cleanup; 242 } 243 buf = reallocarray(NULL, hdr.sadb_msg_len, PF_KEY_V2_CHUNK); 244 if (!buf) { 245 log_error("pf_key_v2_read: reallocarray (%d, %d) failed", 246 hdr.sadb_msg_len, PF_KEY_V2_CHUNK); 247 goto cleanup; 248 } 249 n = hdr.sadb_msg_len * PF_KEY_V2_CHUNK; 250 251 n = read(pf_key_v2_socket, buf, n); 252 if (n == -1) { 253 log_error("pf_key_v2_read: read (%d, ...) failed", 254 pf_key_v2_socket); 255 goto cleanup; 256 } 257 if (n != hdr.sadb_msg_len * PF_KEY_V2_CHUNK) { 258 log_print("pf_key_v2_read: read (%d, ...) " 259 "returned short packet (%lu bytes)", 260 pf_key_v2_socket, (unsigned long) n); 261 goto cleanup; 262 } 263 LOG_DBG_BUF((LOG_SYSDEP, 80, "pf_key_v2_read: msg", buf, n)); 264 265 /* We drop all messages that is not what we expect. */ 266 msg = (struct sadb_msg *) buf; 267 if (msg->sadb_msg_version != PF_KEY_V2 || 268 (msg->sadb_msg_pid != 0 && 269 msg->sadb_msg_pid != (u_int32_t) getpid())) { 270 if (seq) { 271 free(buf); 272 buf = 0; 273 continue; 274 } else { 275 LOG_DBG((LOG_SYSDEP, 90, "pf_key_v2_read:" 276 "bad version (%d) or PID (%d, mine is " 277 "%ld), ignored", msg->sadb_msg_version, 278 msg->sadb_msg_pid, (long) getpid())); 279 goto cleanup; 280 } 281 } 282 /* Parse the message. */ 283 ret = pf_key_v2_msg_new(msg, PF_KEY_V2_NODE_MALLOCED); 284 if (!ret) 285 goto cleanup; 286 buf = 0; 287 for (ext = (struct sadb_ext *) (msg + 1); 288 (u_int8_t *) ext - (u_int8_t *) msg < 289 msg->sadb_msg_len * PF_KEY_V2_CHUNK; 290 ext = (struct sadb_ext *) ((u_int8_t *) ext + 291 ext->sadb_ext_len * PF_KEY_V2_CHUNK)) 292 pf_key_v2_msg_add(ret, ext, 0); 293 294 /* 295 * If the message is not the one we are waiting for, queue it 296 * up. 297 */ 298 if (seq && (msg->sadb_msg_pid != (u_int32_t) getpid() || 299 msg->sadb_msg_seq != seq)) { 300 clock_gettime(CLOCK_MONOTONIC, &ts); 301 timer_add_event("pf_key_v2_notify", 302 (void (*) (void *)) pf_key_v2_notify, ret, &ts); 303 ret = 0; 304 continue; 305 } 306 return ret; 307 } 308 309 cleanup: 310 free(buf); 311 if (ret) 312 pf_key_v2_msg_free(ret); 313 return 0; 314 } 315 316 /* Write the message in PMSG to the PF_KEY socket. */ 317 u_int32_t 318 pf_key_v2_write(struct pf_key_v2_msg *pmsg) 319 { 320 struct iovec *iov = 0; 321 ssize_t n; 322 size_t len; 323 int i, cnt = TAILQ_FIRST(pmsg)->cnt; 324 char header[80]; 325 struct sadb_msg *msg = TAILQ_FIRST(pmsg)->seg; 326 struct pf_key_v2_node *np = TAILQ_FIRST(pmsg); 327 328 iov = calloc(cnt, sizeof *iov); 329 if (!iov) { 330 log_error("pf_key_v2_write: malloc (%lu) failed", 331 cnt * (unsigned long) sizeof *iov); 332 return 0; 333 } 334 msg->sadb_msg_version = PF_KEY_V2; 335 msg->sadb_msg_errno = 0; 336 msg->sadb_msg_reserved = 0; 337 msg->sadb_msg_pid = getpid(); 338 if (!msg->sadb_msg_seq) 339 msg->sadb_msg_seq = pf_key_v2_seq(); 340 341 /* Compute the iovec segments as well as the message length. */ 342 len = 0; 343 for (i = 0; i < cnt; i++) { 344 iov[i].iov_base = np->seg; 345 len += iov[i].iov_len = np->sz; 346 347 /* 348 * XXX One can envision setting specific extension fields, 349 * like *_reserved ones here. For now we require them to be 350 * set by the caller. 351 */ 352 353 np = TAILQ_NEXT(np, link); 354 } 355 msg->sadb_msg_len = len / PF_KEY_V2_CHUNK; 356 357 for (i = 0; i < cnt; i++) { 358 snprintf(header, sizeof header, "pf_key_v2_write: iov[%d]", i); 359 LOG_DBG_BUF((LOG_SYSDEP, 80, header, 360 (u_int8_t *) iov[i].iov_base, iov[i].iov_len)); 361 } 362 363 do { 364 n = writev(pf_key_v2_socket, iov, cnt); 365 } while (n == -1 && (errno == EAGAIN || errno == EINTR)); 366 if (n == -1) { 367 log_error("pf_key_v2_write: writev (%d, %p, %d) failed", 368 pf_key_v2_socket, iov, cnt); 369 goto cleanup; 370 } 371 if ((size_t) n != len) { 372 log_error("pf_key_v2_write: " 373 "writev (%d, ...) returned prematurely (%lu)", 374 pf_key_v2_socket, (unsigned long) n); 375 goto cleanup; 376 } 377 free(iov); 378 return msg->sadb_msg_seq; 379 380 cleanup: 381 free(iov); 382 return 0; 383 } 384 385 /* 386 * Do a PF_KEY "call", i.e. write a message MSG, read the reply and return 387 * it to the caller. 388 */ 389 static struct pf_key_v2_msg * 390 pf_key_v2_call(struct pf_key_v2_msg *msg) 391 { 392 u_int32_t seq; 393 394 seq = pf_key_v2_write(msg); 395 if (!seq) 396 return 0; 397 return pf_key_v2_read(seq); 398 } 399 400 /* Find the TYPE extension in MSG. Return zero if none found. */ 401 static struct pf_key_v2_node * 402 pf_key_v2_find_ext(struct pf_key_v2_msg *msg, u_int16_t type) 403 { 404 struct pf_key_v2_node *ext; 405 406 for (ext = TAILQ_NEXT(TAILQ_FIRST(msg), link); ext; 407 ext = TAILQ_NEXT(ext, link)) 408 if (ext->type == type) 409 return ext; 410 return 0; 411 } 412 413 /* 414 * Open the PF_KEYv2 sockets and return the descriptor used for notifies. 415 * Return -1 for failure and -2 if no notifies will show up. 416 */ 417 int 418 pf_key_v2_open(void) 419 { 420 int fd = -1, err; 421 struct sadb_msg msg; 422 struct pf_key_v2_msg *regmsg = 0, *ret = 0; 423 424 /* Open the socket we use to speak to IPsec. */ 425 pf_key_v2_socket = -1; 426 fd = socket(PF_KEY, SOCK_RAW, PF_KEY_V2); 427 if (fd == -1) { 428 log_error("pf_key_v2_open: " 429 "socket (PF_KEY, SOCK_RAW, PF_KEY_V2) failed"); 430 goto cleanup; 431 } 432 pf_key_v2_socket = fd; 433 434 /* Register it to get ESP and AH acquires from the kernel. */ 435 msg.sadb_msg_seq = 0; 436 msg.sadb_msg_type = SADB_REGISTER; 437 msg.sadb_msg_satype = SADB_SATYPE_ESP; 438 regmsg = pf_key_v2_msg_new(&msg, 0); 439 if (!regmsg) 440 goto cleanup; 441 ret = pf_key_v2_call(regmsg); 442 pf_key_v2_msg_free(regmsg); 443 if (!ret) 444 goto cleanup; 445 err = ((struct sadb_msg *)TAILQ_FIRST(ret)->seg)->sadb_msg_errno; 446 if (err) { 447 log_print("pf_key_v2_open: REGISTER: %s", strerror(err)); 448 goto cleanup; 449 } 450 /* XXX Register the accepted transforms. */ 451 452 pf_key_v2_msg_free(ret); 453 ret = 0; 454 455 msg.sadb_msg_seq = 0; 456 msg.sadb_msg_type = SADB_REGISTER; 457 msg.sadb_msg_satype = SADB_SATYPE_AH; 458 regmsg = pf_key_v2_msg_new(&msg, 0); 459 if (!regmsg) 460 goto cleanup; 461 ret = pf_key_v2_call(regmsg); 462 pf_key_v2_msg_free(regmsg); 463 if (!ret) 464 goto cleanup; 465 err = ((struct sadb_msg *)TAILQ_FIRST(ret)->seg)->sadb_msg_errno; 466 if (err) { 467 log_print("pf_key_v2_open: REGISTER: %s", strerror(err)); 468 goto cleanup; 469 } 470 /* XXX Register the accepted transforms. */ 471 472 pf_key_v2_msg_free(ret); 473 ret = 0; 474 475 msg.sadb_msg_seq = 0; 476 msg.sadb_msg_type = SADB_REGISTER; 477 msg.sadb_msg_satype = SADB_X_SATYPE_IPCOMP; 478 regmsg = pf_key_v2_msg_new(&msg, 0); 479 if (!regmsg) 480 goto cleanup; 481 ret = pf_key_v2_call(regmsg); 482 pf_key_v2_msg_free(regmsg); 483 if (!ret) 484 goto cleanup; 485 err = ((struct sadb_msg *)TAILQ_FIRST(ret)->seg)->sadb_msg_errno; 486 if (err) { 487 log_print("pf_key_v2_open: REGISTER: %s", strerror(err)); 488 goto cleanup; 489 } 490 /* XXX Register the accepted transforms. */ 491 492 pf_key_v2_msg_free(ret); 493 494 return fd; 495 496 cleanup: 497 if (pf_key_v2_socket != -1) { 498 close(pf_key_v2_socket); 499 pf_key_v2_socket = -1; 500 } 501 if (ret) 502 pf_key_v2_msg_free(ret); 503 return -1; 504 } 505 506 /* 507 * Generate a SPI for protocol PROTO and the source/destination pair given by 508 * SRC, SRCLEN, DST & DSTLEN. Stash the SPI size in SZ. 509 */ 510 u_int8_t * 511 pf_key_v2_get_spi(size_t *sz, u_int8_t proto, struct sockaddr *src, 512 struct sockaddr *dst, u_int32_t seq) 513 { 514 struct sadb_msg msg; 515 struct sadb_sa *sa; 516 struct sadb_address *addr = 0; 517 struct sadb_spirange spirange; 518 struct pf_key_v2_msg *getspi = 0, *ret = 0; 519 struct pf_key_v2_node *ext; 520 u_int8_t *spi = 0; 521 int len, err; 522 523 msg.sadb_msg_type = SADB_GETSPI; 524 switch (proto) { 525 case IPSEC_PROTO_IPSEC_ESP: 526 msg.sadb_msg_satype = SADB_SATYPE_ESP; 527 break; 528 case IPSEC_PROTO_IPSEC_AH: 529 msg.sadb_msg_satype = SADB_SATYPE_AH; 530 break; 531 case IPSEC_PROTO_IPCOMP: 532 msg.sadb_msg_satype = SADB_X_SATYPE_IPCOMP; 533 break; 534 default: 535 log_print("pf_key_v2_get_spi: invalid proto %d", proto); 536 goto cleanup; 537 } 538 539 /* Set the sequence number from the ACQUIRE message. */ 540 msg.sadb_msg_seq = seq; 541 getspi = pf_key_v2_msg_new(&msg, 0); 542 if (!getspi) 543 goto cleanup; 544 545 /* Setup the ADDRESS extensions. */ 546 len = 547 sizeof(struct sadb_address) + PF_KEY_V2_ROUND(SA_LEN(src)); 548 addr = calloc(1, len); 549 if (!addr) 550 goto cleanup; 551 addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC; 552 addr->sadb_address_len = len / PF_KEY_V2_CHUNK; 553 addr->sadb_address_reserved = 0; 554 memcpy(addr + 1, src, SA_LEN(src)); 555 switch (((struct sockaddr *) (addr + 1))->sa_family) { 556 case AF_INET: 557 ((struct sockaddr_in *) (addr + 1))->sin_port = 0; 558 break; 559 case AF_INET6: 560 ((struct sockaddr_in6 *) (addr + 1))->sin6_port = 0; 561 break; 562 } 563 if (pf_key_v2_msg_add(getspi, (struct sadb_ext *) addr, 564 PF_KEY_V2_NODE_MALLOCED) == -1) 565 goto cleanup; 566 addr = 0; 567 568 len = sizeof(struct sadb_address) + PF_KEY_V2_ROUND(SA_LEN(dst)); 569 addr = calloc(1, len); 570 if (!addr) 571 goto cleanup; 572 addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST; 573 addr->sadb_address_len = len / PF_KEY_V2_CHUNK; 574 addr->sadb_address_reserved = 0; 575 memcpy(addr + 1, dst, SA_LEN(dst)); 576 switch (((struct sockaddr *) (addr + 1))->sa_family) { 577 case AF_INET: 578 ((struct sockaddr_in *) (addr + 1))->sin_port = 0; 579 break; 580 case AF_INET6: 581 ((struct sockaddr_in6 *) (addr + 1))->sin6_port = 0; 582 break; 583 } 584 if (pf_key_v2_msg_add(getspi, (struct sadb_ext *) addr, 585 PF_KEY_V2_NODE_MALLOCED) == -1) 586 goto cleanup; 587 addr = 0; 588 589 /* Setup the SPIRANGE extension. */ 590 spirange.sadb_spirange_exttype = SADB_EXT_SPIRANGE; 591 spirange.sadb_spirange_len = sizeof spirange / PF_KEY_V2_CHUNK; 592 if (proto == IPSEC_PROTO_IPCOMP) { 593 spirange.sadb_spirange_min = CPI_RESERVED_MAX + 1; 594 spirange.sadb_spirange_max = CPI_PRIVATE_MIN - 1; 595 } else { 596 spirange.sadb_spirange_min = IPSEC_SPI_LOW; 597 spirange.sadb_spirange_max = 0xffffffff; 598 } 599 spirange.sadb_spirange_reserved = 0; 600 if (pf_key_v2_msg_add(getspi, (struct sadb_ext *)&spirange, 0) == -1) 601 goto cleanup; 602 603 ret = pf_key_v2_call(getspi); 604 pf_key_v2_msg_free(getspi); 605 getspi = 0; 606 if (!ret) 607 goto cleanup; 608 err = ((struct sadb_msg *)TAILQ_FIRST(ret)->seg)->sadb_msg_errno; 609 if (err) { 610 log_print("pf_key_v2_get_spi: GETSPI: %s", strerror(err)); 611 goto cleanup; 612 } 613 ext = pf_key_v2_find_ext(ret, SADB_EXT_SA); 614 if (!ext) { 615 log_print("pf_key_v2_get_spi: no SA extension found"); 616 goto cleanup; 617 } 618 sa = ext->seg; 619 620 /* IPCOMP CPIs are only 16 bits long. */ 621 *sz = (proto == IPSEC_PROTO_IPCOMP) ? sizeof(u_int16_t) 622 : sizeof sa->sadb_sa_spi; 623 spi = malloc(*sz); 624 if (!spi) 625 goto cleanup; 626 /* XXX This is ugly. */ 627 if (proto == IPSEC_PROTO_IPCOMP) { 628 u_int32_t tspi = ntohl(sa->sadb_sa_spi); 629 *(u_int16_t *) spi = htons((u_int16_t) tspi); 630 } else 631 memcpy(spi, &sa->sadb_sa_spi, *sz); 632 633 pf_key_v2_msg_free(ret); 634 635 LOG_DBG_BUF((LOG_SYSDEP, 50, "pf_key_v2_get_spi: spi", spi, *sz)); 636 return spi; 637 638 cleanup: 639 free(spi); 640 free(addr); 641 if (getspi) 642 pf_key_v2_msg_free(getspi); 643 if (ret) 644 pf_key_v2_msg_free(ret); 645 return 0; 646 } 647 648 /* Fetch SA information from the kernel. XXX OpenBSD only? */ 649 struct sa_kinfo * 650 pf_key_v2_get_kernel_sa(u_int8_t *spi, size_t spi_sz, u_int8_t proto, 651 struct sockaddr *dst) 652 { 653 struct sadb_msg msg; 654 struct sadb_sa *ssa; 655 struct sadb_address *addr = 0; 656 struct sockaddr *sa; 657 struct sadb_lifetime *life; 658 struct pf_key_v2_msg *gettdb = 0, *ret = 0; 659 struct pf_key_v2_node *ext; 660 static struct sa_kinfo ksa; 661 struct sadb_x_udpencap *udpencap; 662 int len, err; 663 664 if (spi_sz != sizeof (ssa->sadb_sa_spi)) 665 return 0; 666 667 msg.sadb_msg_type = SADB_GET; 668 switch (proto) { 669 case IPSEC_PROTO_IPSEC_ESP: 670 msg.sadb_msg_satype = SADB_SATYPE_ESP; 671 break; 672 case IPSEC_PROTO_IPSEC_AH: 673 msg.sadb_msg_satype = SADB_SATYPE_AH; 674 break; 675 case IPSEC_PROTO_IPCOMP: 676 msg.sadb_msg_satype = SADB_X_SATYPE_IPCOMP; 677 break; 678 default: 679 log_print("pf_key_v2_get_kernel_sa: invalid proto %d", proto); 680 goto cleanup; 681 } 682 683 gettdb = pf_key_v2_msg_new(&msg, 0); 684 if (!gettdb) 685 goto cleanup; 686 687 /* SPI */ 688 ssa = calloc(1, sizeof *ssa); 689 if (!ssa) { 690 log_print("pf_key_v2_get_kernel_sa: calloc(1, %lu) failed", 691 (unsigned long)sizeof *ssa); 692 goto cleanup; 693 } 694 695 ssa->sadb_sa_exttype = SADB_EXT_SA; 696 ssa->sadb_sa_len = sizeof *ssa / PF_KEY_V2_CHUNK; 697 memcpy(&ssa->sadb_sa_spi, spi, sizeof ssa->sadb_sa_spi); 698 ssa->sadb_sa_state = SADB_SASTATE_MATURE; 699 if (pf_key_v2_msg_add(gettdb, (struct sadb_ext *)ssa, 700 PF_KEY_V2_NODE_MALLOCED) == -1) 701 goto cleanup; 702 ssa = 0; 703 704 /* Address */ 705 len = 706 sizeof(struct sadb_address) + PF_KEY_V2_ROUND(SA_LEN(dst)); 707 addr = calloc(1, len); 708 if (!addr) 709 goto cleanup; 710 addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST; 711 addr->sadb_address_len = len / PF_KEY_V2_CHUNK; 712 addr->sadb_address_reserved = 0; 713 memcpy(addr + 1, dst, SA_LEN(dst)); 714 switch (((struct sockaddr *) (addr + 1))->sa_family) { 715 case AF_INET: 716 ((struct sockaddr_in *) (addr + 1))->sin_port = 0; 717 break; 718 case AF_INET6: 719 ((struct sockaddr_in6 *) (addr + 1))->sin6_port = 0; 720 break; 721 } 722 if (pf_key_v2_msg_add(gettdb, (struct sadb_ext *)addr, 723 PF_KEY_V2_NODE_MALLOCED) == -1) 724 goto cleanup; 725 addr = 0; 726 727 ret = pf_key_v2_call(gettdb); 728 pf_key_v2_msg_free(gettdb); 729 gettdb = 0; 730 if (!ret) 731 goto cleanup; 732 err = ((struct sadb_msg *)TAILQ_FIRST(ret)->seg)->sadb_msg_errno; 733 if (err) { 734 log_print("pf_key_v2_get_kernel_sa: SADB_GET: %s", 735 strerror(err)); 736 goto cleanup; 737 } 738 739 /* Extract the data. */ 740 bzero(&ksa, sizeof ksa); 741 742 ext = pf_key_v2_find_ext(ret, SADB_EXT_SA); 743 if (!ext) 744 goto cleanup; 745 746 ssa = (struct sadb_sa *)ext; 747 ksa.spi = ssa->sadb_sa_spi; 748 ksa.wnd = ssa->sadb_sa_replay; 749 ksa.flags = ssa->sadb_sa_flags; 750 751 ext = pf_key_v2_find_ext(ret, SADB_EXT_LIFETIME_CURRENT); 752 if (ext) { 753 life = (struct sadb_lifetime *)ext->seg; 754 ksa.cur_allocations = life->sadb_lifetime_allocations; 755 ksa.cur_bytes = life->sadb_lifetime_bytes; 756 ksa.first_use = life->sadb_lifetime_usetime; 757 ksa.established = life->sadb_lifetime_addtime; 758 } 759 760 ext = pf_key_v2_find_ext(ret, SADB_EXT_LIFETIME_SOFT); 761 if (ext) { 762 life = (struct sadb_lifetime *)ext->seg; 763 ksa.soft_allocations = life->sadb_lifetime_allocations; 764 ksa.soft_bytes = life->sadb_lifetime_bytes; 765 ksa.soft_timeout = life->sadb_lifetime_addtime; 766 ksa.soft_first_use = life->sadb_lifetime_usetime; 767 } 768 769 ext = pf_key_v2_find_ext(ret, SADB_EXT_LIFETIME_HARD); 770 if (ext) { 771 life = (struct sadb_lifetime *)ext->seg; 772 ksa.exp_allocations = life->sadb_lifetime_allocations; 773 ksa.exp_bytes = life->sadb_lifetime_bytes; 774 ksa.exp_timeout = life->sadb_lifetime_addtime; 775 ksa.exp_first_use = life->sadb_lifetime_usetime; 776 } 777 778 ext = pf_key_v2_find_ext(ret, SADB_X_EXT_LIFETIME_LASTUSE); 779 if (ext) { 780 life = (struct sadb_lifetime *)ext->seg; 781 ksa.last_used = life->sadb_lifetime_usetime; 782 } 783 784 ext = pf_key_v2_find_ext(ret, SADB_EXT_ADDRESS_SRC); 785 if (ext) { 786 sa = (struct sockaddr *)ext->seg; 787 memcpy(&ksa.src, sa, 788 sa->sa_family == AF_INET ? sizeof(struct sockaddr_in) : 789 sizeof(struct sockaddr_in6)); 790 } 791 792 ext = pf_key_v2_find_ext(ret, SADB_EXT_ADDRESS_DST); 793 if (ext) { 794 sa = (struct sockaddr *)ext->seg; 795 memcpy(&ksa.dst, sa, 796 sa->sa_family == AF_INET ? sizeof(struct sockaddr_in) : 797 sizeof(struct sockaddr_in6)); 798 } 799 800 ext = pf_key_v2_find_ext(ret, SADB_X_EXT_UDPENCAP); 801 if (ext) { 802 udpencap = (struct sadb_x_udpencap *)ext->seg; 803 ksa.udpencap_port = udpencap->sadb_x_udpencap_port; 804 } 805 806 pf_key_v2_msg_free(ret); 807 808 LOG_DBG_BUF((LOG_SYSDEP, 50, "pf_key_v2_get_kernel_sa: spi", spi, 809 spi_sz)); 810 811 return &ksa; 812 813 cleanup: 814 free(addr); 815 if (gettdb) 816 pf_key_v2_msg_free(gettdb); 817 if (ret) 818 pf_key_v2_msg_free(ret); 819 return 0; 820 } 821 822 static void 823 pf_key_v2_setup_sockaddr(void *res, struct sockaddr *src, 824 struct sockaddr *dst, in_port_t port, int ingress) 825 { 826 struct sockaddr_in *ip4_sa; 827 struct sockaddr_in6 *ip6_sa; 828 u_int8_t *p; 829 830 switch (src->sa_family) { 831 case AF_INET: 832 ip4_sa = (struct sockaddr_in *) res; 833 ip4_sa->sin_family = AF_INET; 834 ip4_sa->sin_len = sizeof *ip4_sa; 835 ip4_sa->sin_port = port; 836 if (dst) 837 p = (u_int8_t *) (ingress ? 838 &((struct sockaddr_in *)src)->sin_addr.s_addr : 839 &((struct sockaddr_in *)dst)->sin_addr.s_addr); 840 else 841 p = (u_int8_t *)&((struct sockaddr_in *)src)->sin_addr.s_addr; 842 ip4_sa->sin_addr.s_addr = *((in_addr_t *) p); 843 break; 844 845 case AF_INET6: 846 ip6_sa = (struct sockaddr_in6 *) res; 847 ip6_sa->sin6_family = AF_INET6; 848 ip6_sa->sin6_len = sizeof *ip6_sa; 849 ip6_sa->sin6_port = port; 850 if (dst) 851 p = (u_int8_t *) (ingress ? 852 &((struct sockaddr_in6 *)src)->sin6_addr.s6_addr : 853 &((struct sockaddr_in6 *)dst)->sin6_addr.s6_addr); 854 else 855 p = (u_int8_t *)&((struct sockaddr_in6 *)src)->sin6_addr.s6_addr; 856 memcpy(ip6_sa->sin6_addr.s6_addr, p, sizeof(struct in6_addr)); 857 break; 858 859 default: 860 log_print("pf_key_v2_setup_sockaddr: unknown family %d\n", 861 src->sa_family); 862 break; 863 } 864 } 865 866 /* 867 * Store/update a PF_KEY_V2 security association with full information from the 868 * IKE SA and PROTO into the kernel. INCOMING is set if we are setting the 869 * parameters for the incoming SA, and cleared otherwise. 870 */ 871 int 872 pf_key_v2_set_spi(struct sa *sa, struct proto *proto, int incoming, 873 struct sa *isakmp_sa) 874 { 875 struct sadb_msg msg; 876 struct sadb_sa ssa; 877 struct sadb_x_tag *stag = NULL; 878 struct sadb_lifetime *life = 0; 879 struct sadb_address *addr = 0; 880 struct sadb_key *key = 0; 881 struct sadb_ident *sid = 0; 882 struct sockaddr *src, *dst; 883 struct pf_key_v2_msg *update = 0, *ret = 0; 884 struct ipsec_proto *iproto = proto->data; 885 size_t len; 886 int keylen, hashlen, err; 887 u_int8_t *pp; 888 int idtype; 889 struct ipsec_sa *isa = sa->data; 890 struct sadb_protocol flowtype, tprotocol; 891 struct sadb_x_udpencap udpencap; 892 char *addr_str, *s; 893 char iface_str[32]; 894 895 msg.sadb_msg_type = incoming ? SADB_UPDATE : SADB_ADD; 896 switch (proto->proto) { 897 case IPSEC_PROTO_IPSEC_ESP: 898 msg.sadb_msg_satype = SADB_SATYPE_ESP; 899 keylen = ipsec_esp_enckeylength(proto); 900 hashlen = ipsec_esp_authkeylength(proto); 901 902 switch (proto->id) { 903 case IPSEC_ESP_3DES: 904 ssa.sadb_sa_encrypt = SADB_EALG_3DESCBC; 905 break; 906 907 case IPSEC_ESP_AES: 908 ssa.sadb_sa_encrypt = SADB_X_EALG_AES; 909 break; 910 911 case IPSEC_ESP_AES_CTR: 912 ssa.sadb_sa_encrypt = SADB_X_EALG_AESCTR; 913 break; 914 915 case IPSEC_ESP_AES_GCM_16: 916 ssa.sadb_sa_encrypt = SADB_X_EALG_AESGCM16; 917 break; 918 919 case IPSEC_ESP_AES_GMAC: 920 ssa.sadb_sa_encrypt = SADB_X_EALG_AESGMAC; 921 break; 922 923 case IPSEC_ESP_CAST: 924 ssa.sadb_sa_encrypt = SADB_X_EALG_CAST; 925 break; 926 927 case IPSEC_ESP_BLOWFISH: 928 ssa.sadb_sa_encrypt = SADB_X_EALG_BLF; 929 break; 930 931 case IPSEC_ESP_NULL: 932 ssa.sadb_sa_encrypt = SADB_EALG_NULL; 933 break; 934 935 default: 936 LOG_DBG((LOG_SYSDEP, 50, "pf_key_v2_set_spi: " 937 "unknown encryption algorithm %d", proto->id)); 938 return -1; 939 } 940 941 switch (iproto->auth) { 942 case IPSEC_AUTH_HMAC_MD5: 943 ssa.sadb_sa_auth = SADB_AALG_MD5HMAC; 944 break; 945 946 case IPSEC_AUTH_HMAC_SHA: 947 ssa.sadb_sa_auth = SADB_AALG_SHA1HMAC; 948 break; 949 950 case IPSEC_AUTH_HMAC_RIPEMD: 951 ssa.sadb_sa_auth = SADB_X_AALG_RIPEMD160HMAC; 952 break; 953 954 case IPSEC_AUTH_HMAC_SHA2_256: 955 ssa.sadb_sa_auth = SADB_X_AALG_SHA2_256; 956 break; 957 958 case IPSEC_AUTH_HMAC_SHA2_384: 959 ssa.sadb_sa_auth = SADB_X_AALG_SHA2_384; 960 break; 961 962 case IPSEC_AUTH_HMAC_SHA2_512: 963 ssa.sadb_sa_auth = SADB_X_AALG_SHA2_512; 964 break; 965 966 case IPSEC_AUTH_DES_MAC: 967 case IPSEC_AUTH_KPDK: 968 /* XXX We should be supporting KPDK */ 969 LOG_DBG((LOG_SYSDEP, 50, "pf_key_v2_set_spi: " 970 "unknown authentication algorithm %d", 971 iproto->auth)); 972 return -1; 973 974 default: 975 ssa.sadb_sa_auth = SADB_AALG_NONE; 976 } 977 break; 978 979 case IPSEC_PROTO_IPSEC_AH: 980 msg.sadb_msg_satype = SADB_SATYPE_AH; 981 hashlen = ipsec_ah_keylength(proto); 982 keylen = 0; 983 984 ssa.sadb_sa_encrypt = SADB_EALG_NONE; 985 switch (proto->id) { 986 case IPSEC_AH_MD5: 987 ssa.sadb_sa_auth = SADB_AALG_MD5HMAC; 988 break; 989 990 case IPSEC_AH_SHA: 991 ssa.sadb_sa_auth = SADB_AALG_SHA1HMAC; 992 break; 993 994 case IPSEC_AH_RIPEMD: 995 ssa.sadb_sa_auth = SADB_X_AALG_RIPEMD160HMAC; 996 break; 997 998 case IPSEC_AH_SHA2_256: 999 ssa.sadb_sa_auth = SADB_X_AALG_SHA2_256; 1000 break; 1001 1002 case IPSEC_AH_SHA2_384: 1003 ssa.sadb_sa_auth = SADB_X_AALG_SHA2_384; 1004 break; 1005 1006 case IPSEC_AH_SHA2_512: 1007 ssa.sadb_sa_auth = SADB_X_AALG_SHA2_512; 1008 break; 1009 1010 default: 1011 LOG_DBG((LOG_SYSDEP, 50, "pf_key_v2_set_spi: " 1012 "unknown authentication algorithm %d", proto->id)); 1013 goto cleanup; 1014 } 1015 break; 1016 1017 case IPSEC_PROTO_IPCOMP: 1018 msg.sadb_msg_satype = SADB_X_SATYPE_IPCOMP; 1019 ssa.sadb_sa_auth = SADB_AALG_NONE; 1020 keylen = 0; 1021 hashlen = 0; 1022 1023 /* 1024 * Put compression algorithm type in the sadb_sa_encrypt 1025 * field. 1026 */ 1027 switch (proto->id) { 1028 case IPSEC_IPCOMP_OUI: 1029 ssa.sadb_sa_encrypt = SADB_X_CALG_OUI; 1030 break; 1031 1032 case IPSEC_IPCOMP_DEFLATE: 1033 ssa.sadb_sa_encrypt = SADB_X_CALG_DEFLATE; 1034 break; 1035 1036 default: 1037 break; 1038 } 1039 break; 1040 1041 default: 1042 log_print("pf_key_v2_set_spi: invalid proto %d", proto->proto); 1043 goto cleanup; 1044 } 1045 if (incoming) 1046 sa->transport->vtbl->get_src(sa->transport, &dst); 1047 else 1048 sa->transport->vtbl->get_dst(sa->transport, &dst); 1049 msg.sadb_msg_seq = sa->seq; 1050 update = pf_key_v2_msg_new(&msg, 0); 1051 if (!update) 1052 goto cleanup; 1053 1054 /* Setup the rest of the SA extension. */ 1055 ssa.sadb_sa_exttype = SADB_EXT_SA; 1056 ssa.sadb_sa_len = sizeof ssa / PF_KEY_V2_CHUNK; 1057 if (proto->spi_sz[incoming] == 2) /* IPCOMP uses 16bit CPIs. */ 1058 ssa.sadb_sa_spi = htonl(proto->spi[incoming][0] << 8 | 1059 proto->spi[incoming][1]); 1060 else 1061 memcpy(&ssa.sadb_sa_spi, proto->spi[incoming], 1062 sizeof ssa.sadb_sa_spi); 1063 ssa.sadb_sa_replay = conf_get_str("General", "Shared-SADB") ? 0 : 1064 iproto->replay_window; 1065 ssa.sadb_sa_state = SADB_SASTATE_MATURE; 1066 ssa.sadb_sa_flags = 0; 1067 if (iproto->encap_mode == IPSEC_ENCAP_TUNNEL || 1068 iproto->encap_mode == IPSEC_ENCAP_UDP_ENCAP_TUNNEL || 1069 iproto->encap_mode == IPSEC_ENCAP_UDP_ENCAP_TUNNEL_DRAFT) 1070 ssa.sadb_sa_flags = SADB_X_SAFLAGS_TUNNEL; 1071 1072 if (isakmp_sa->flags & SA_FLAG_NAT_T_ENABLE) { 1073 bzero(&udpencap, sizeof udpencap); 1074 ssa.sadb_sa_flags |= SADB_X_SAFLAGS_UDPENCAP; 1075 udpencap.sadb_x_udpencap_exttype = SADB_X_EXT_UDPENCAP; 1076 udpencap.sadb_x_udpencap_len = 1077 sizeof udpencap / PF_KEY_V2_CHUNK; 1078 udpencap.sadb_x_udpencap_port = sockaddr_port(dst); 1079 if (pf_key_v2_msg_add(update, (struct sadb_ext *)&udpencap, 0) 1080 == -1) 1081 goto cleanup; 1082 } 1083 1084 if (pf_key_v2_msg_add(update, (struct sadb_ext *)&ssa, 0) == -1) 1085 goto cleanup; 1086 1087 if (sa->seconds || sa->kilobytes) { 1088 /* Setup the hard limits. */ 1089 life = malloc(sizeof *life); 1090 if (!life) 1091 goto cleanup; 1092 life->sadb_lifetime_len = sizeof *life / PF_KEY_V2_CHUNK; 1093 life->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD; 1094 life->sadb_lifetime_allocations = 0; 1095 life->sadb_lifetime_bytes = sa->kilobytes * 1024; 1096 /* 1097 * XXX I am not sure which one is best in security respect. 1098 * Maybe the RFCs actually mandate what a lifetime really is. 1099 */ 1100 #if 0 1101 life->sadb_lifetime_addtime = 0; 1102 life->sadb_lifetime_usetime = sa->seconds; 1103 #else 1104 life->sadb_lifetime_addtime = sa->seconds; 1105 life->sadb_lifetime_usetime = 0; 1106 #endif 1107 if (pf_key_v2_msg_add(update, (struct sadb_ext *) life, 1108 PF_KEY_V2_NODE_MALLOCED) == -1) 1109 goto cleanup; 1110 life = 0; 1111 1112 /* 1113 * Setup the soft limits, we use 90 % of the hard ones. 1114 * XXX A configurable ratio would be better. 1115 */ 1116 life = malloc(sizeof *life); 1117 if (!life) 1118 goto cleanup; 1119 life->sadb_lifetime_len = sizeof *life / PF_KEY_V2_CHUNK; 1120 life->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT; 1121 life->sadb_lifetime_allocations = 0; 1122 life->sadb_lifetime_bytes = sa->kilobytes * 1024 * 9 / 10; 1123 /* 1124 * XXX I am not sure which one is best in security respect. 1125 * Maybe the RFCs actually mandate what a lifetime really is. 1126 */ 1127 #if 0 1128 life->sadb_lifetime_addtime = 0; 1129 life->sadb_lifetime_usetime = sa->seconds * 9 / 10; 1130 #else 1131 life->sadb_lifetime_addtime = sa->seconds * 9 / 10; 1132 life->sadb_lifetime_usetime = 0; 1133 #endif 1134 if (pf_key_v2_msg_add(update, (struct sadb_ext *) life, 1135 PF_KEY_V2_NODE_MALLOCED) == -1) 1136 goto cleanup; 1137 life = 0; 1138 } 1139 /* 1140 * Setup the ADDRESS extensions. 1141 */ 1142 if (incoming) 1143 sa->transport->vtbl->get_dst(sa->transport, &src); 1144 else 1145 sa->transport->vtbl->get_src(sa->transport, &src); 1146 len = sizeof *addr + PF_KEY_V2_ROUND(SA_LEN(src)); 1147 addr = calloc(1, len); 1148 if (!addr) 1149 goto cleanup; 1150 addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC; 1151 addr->sadb_address_len = len / PF_KEY_V2_CHUNK; 1152 addr->sadb_address_reserved = 0; 1153 memcpy(addr + 1, src, SA_LEN(src)); 1154 switch (((struct sockaddr *) (addr + 1))->sa_family) { 1155 case AF_INET: 1156 ((struct sockaddr_in *) (addr + 1))->sin_port = 0; 1157 break; 1158 case AF_INET6: 1159 ((struct sockaddr_in6 *) (addr + 1))->sin6_port = 0; 1160 break; 1161 } 1162 if (pf_key_v2_msg_add(update, (struct sadb_ext *) addr, 1163 PF_KEY_V2_NODE_MALLOCED) == -1) 1164 goto cleanup; 1165 addr = 0; 1166 1167 len = sizeof *addr + PF_KEY_V2_ROUND(SA_LEN(dst)); 1168 addr = calloc(1, len); 1169 if (!addr) 1170 goto cleanup; 1171 addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST; 1172 addr->sadb_address_len = len / PF_KEY_V2_CHUNK; 1173 addr->sadb_address_reserved = 0; 1174 memcpy(addr + 1, dst, SA_LEN(dst)); 1175 switch (((struct sockaddr *) (addr + 1))->sa_family) { 1176 case AF_INET: 1177 ((struct sockaddr_in *) (addr + 1))->sin_port = 0; 1178 break; 1179 case AF_INET6: 1180 ((struct sockaddr_in6 *) (addr + 1))->sin6_port = 0; 1181 break; 1182 } 1183 if (pf_key_v2_msg_add(update, (struct sadb_ext *) addr, 1184 PF_KEY_V2_NODE_MALLOCED) == -1) 1185 goto cleanup; 1186 addr = 0; 1187 1188 if (proto->proto != IPSEC_PROTO_IPCOMP) { 1189 /* Setup the KEY extensions. */ 1190 if (hashlen) { 1191 len = sizeof *key + PF_KEY_V2_ROUND(hashlen); 1192 key = malloc(len); 1193 if (!key) 1194 goto cleanup; 1195 key->sadb_key_exttype = SADB_EXT_KEY_AUTH; 1196 key->sadb_key_len = len / PF_KEY_V2_CHUNK; 1197 key->sadb_key_bits = hashlen * 8; 1198 key->sadb_key_reserved = 0; 1199 memcpy(key + 1, 1200 iproto->keymat[incoming] + 1201 (proto->proto == 1202 IPSEC_PROTO_IPSEC_ESP ? keylen : 0), 1203 hashlen); 1204 if (pf_key_v2_msg_add(update, (struct sadb_ext *) key, 1205 PF_KEY_V2_NODE_MALLOCED) == -1) 1206 goto cleanup; 1207 key = 0; 1208 } 1209 if (keylen) { 1210 len = sizeof *key + PF_KEY_V2_ROUND(keylen); 1211 key = malloc(len); 1212 if (!key) 1213 goto cleanup; 1214 key->sadb_key_exttype = SADB_EXT_KEY_ENCRYPT; 1215 key->sadb_key_len = len / PF_KEY_V2_CHUNK; 1216 key->sadb_key_bits = keylen * 8; 1217 key->sadb_key_reserved = 0; 1218 memcpy(key + 1, iproto->keymat[incoming], keylen); 1219 if (pf_key_v2_msg_add(update, (struct sadb_ext *) key, 1220 PF_KEY_V2_NODE_MALLOCED) == -1) 1221 goto cleanup; 1222 key = 0; 1223 } 1224 } 1225 /* Setup identity extensions. */ 1226 if (isakmp_sa->id_i) { 1227 pp = pf_key_v2_convert_id(isakmp_sa->id_i, isakmp_sa->id_i_len, 1228 &len, &idtype); 1229 if (!pp) 1230 goto nosid; 1231 1232 sid = calloc(PF_KEY_V2_ROUND(len + 1) + sizeof *sid, 1233 sizeof(u_int8_t)); 1234 if (!sid) { 1235 free(pp); 1236 goto cleanup; 1237 } 1238 sid->sadb_ident_type = idtype; 1239 sid->sadb_ident_len = ((sizeof *sid) / PF_KEY_V2_CHUNK) + 1240 PF_KEY_V2_ROUND(len + 1) / PF_KEY_V2_CHUNK; 1241 if ((isakmp_sa->initiator && !incoming) || 1242 (!isakmp_sa->initiator && incoming)) 1243 sid->sadb_ident_exttype = SADB_EXT_IDENTITY_SRC; 1244 else 1245 sid->sadb_ident_exttype = SADB_EXT_IDENTITY_DST; 1246 1247 memcpy(sid + 1, pp, len); 1248 free(pp); 1249 1250 if (pf_key_v2_msg_add(update, (struct sadb_ext *) sid, 1251 PF_KEY_V2_NODE_MALLOCED) == -1) 1252 goto cleanup; 1253 sid = 0; 1254 1255 nosid: 1256 free(sid); 1257 sid = 0; 1258 } 1259 if (isakmp_sa->id_r) { 1260 pp = pf_key_v2_convert_id(isakmp_sa->id_r, isakmp_sa->id_r_len, 1261 &len, &idtype); 1262 if (!pp) 1263 goto nodid; 1264 1265 sid = calloc(PF_KEY_V2_ROUND(len + 1) + sizeof *sid, 1266 sizeof(u_int8_t)); 1267 if (!sid) { 1268 free(pp); 1269 goto cleanup; 1270 } 1271 sid->sadb_ident_type = idtype; 1272 sid->sadb_ident_len = ((sizeof *sid) / PF_KEY_V2_CHUNK) + 1273 PF_KEY_V2_ROUND(len + 1) / PF_KEY_V2_CHUNK; 1274 if ((isakmp_sa->initiator && !incoming) || 1275 (!isakmp_sa->initiator && incoming)) 1276 sid->sadb_ident_exttype = SADB_EXT_IDENTITY_DST; 1277 else 1278 sid->sadb_ident_exttype = SADB_EXT_IDENTITY_SRC; 1279 1280 memcpy(sid + 1, pp, len); 1281 free(pp); 1282 1283 if (pf_key_v2_msg_add(update, (struct sadb_ext *) sid, 1284 PF_KEY_V2_NODE_MALLOCED) == -1) 1285 goto cleanup; 1286 sid = 0; 1287 1288 nodid: 1289 free(sid); 1290 sid = 0; 1291 } 1292 1293 /* Setup the flow type extension. */ 1294 bzero(&flowtype, sizeof flowtype); 1295 flowtype.sadb_protocol_exttype = SADB_X_EXT_FLOW_TYPE; 1296 flowtype.sadb_protocol_len = sizeof flowtype / PF_KEY_V2_CHUNK; 1297 flowtype.sadb_protocol_direction = incoming ? 1298 IPSP_DIRECTION_IN : IPSP_DIRECTION_OUT; 1299 1300 if (pf_key_v2_msg_add(update, (struct sadb_ext *)&flowtype, 0) == -1) 1301 goto cleanup; 1302 1303 bzero(&tprotocol, sizeof tprotocol); 1304 tprotocol.sadb_protocol_exttype = SADB_X_EXT_PROTOCOL; 1305 tprotocol.sadb_protocol_len = sizeof tprotocol / PF_KEY_V2_CHUNK; 1306 tprotocol.sadb_protocol_proto = isa->tproto; 1307 1308 if (pf_key_v2_msg_add(update, (struct sadb_ext *)&tprotocol, 1309 0) == -1) 1310 goto cleanup; 1311 1312 len = sizeof *addr + PF_KEY_V2_ROUND(SA_LEN(isa->src_net)); 1313 addr = calloc(1, len); 1314 if (!addr) 1315 goto cleanup; 1316 addr->sadb_address_exttype = incoming ? 1317 SADB_X_EXT_DST_FLOW : SADB_X_EXT_SRC_FLOW; 1318 addr->sadb_address_len = len / PF_KEY_V2_CHUNK; 1319 addr->sadb_address_reserved = 0; 1320 pf_key_v2_setup_sockaddr(addr + 1, isa->src_net, 0, isa->sport, 0); 1321 if (pf_key_v2_msg_add(update, (struct sadb_ext *) addr, 1322 PF_KEY_V2_NODE_MALLOCED) == -1) 1323 goto cleanup; 1324 addr = 0; 1325 1326 addr = calloc(1, len); 1327 if (!addr) 1328 goto cleanup; 1329 addr->sadb_address_exttype = 1330 incoming ? SADB_X_EXT_DST_MASK : SADB_X_EXT_SRC_MASK; 1331 addr->sadb_address_len = len / PF_KEY_V2_CHUNK; 1332 addr->sadb_address_reserved = 0; 1333 pf_key_v2_setup_sockaddr(addr + 1, isa->src_mask, 0, 1334 isa->sport ? 0xffff : 0, 0); 1335 if (pf_key_v2_msg_add(update, (struct sadb_ext *) addr, 1336 PF_KEY_V2_NODE_MALLOCED) == -1) 1337 goto cleanup; 1338 addr = 0; 1339 1340 addr = calloc(1, len); 1341 if (!addr) 1342 goto cleanup; 1343 addr->sadb_address_exttype = incoming ? 1344 SADB_X_EXT_SRC_FLOW : SADB_X_EXT_DST_FLOW; 1345 addr->sadb_address_len = len / PF_KEY_V2_CHUNK; 1346 addr->sadb_address_reserved = 0; 1347 pf_key_v2_setup_sockaddr(addr + 1, isa->dst_net, 0, isa->dport, 0); 1348 if (pf_key_v2_msg_add(update, (struct sadb_ext *) addr, 1349 PF_KEY_V2_NODE_MALLOCED) == -1) 1350 goto cleanup; 1351 addr = 0; 1352 1353 addr = calloc(1, len); 1354 if (!addr) 1355 goto cleanup; 1356 addr->sadb_address_exttype = 1357 incoming ? SADB_X_EXT_SRC_MASK : SADB_X_EXT_DST_MASK; 1358 addr->sadb_address_len = len / PF_KEY_V2_CHUNK; 1359 addr->sadb_address_reserved = 0; 1360 pf_key_v2_setup_sockaddr(addr + 1, isa->dst_mask, 0, 1361 isa->dport ? 0xffff : 0, 0); 1362 if (pf_key_v2_msg_add(update, (struct sadb_ext *) addr, 1363 PF_KEY_V2_NODE_MALLOCED) == -1) 1364 goto cleanup; 1365 addr = 0; 1366 1367 /* Add a pf tag to matching packets of this SA. */ 1368 if (sa->tag != NULL) { 1369 len = sizeof(*stag) + PF_KEY_V2_ROUND(strlen(sa->tag) + 1); 1370 if ((stag = calloc(1, len)) == NULL) 1371 goto cleanup; 1372 stag->sadb_x_tag_exttype = SADB_X_EXT_TAG; 1373 stag->sadb_x_tag_len = len / PF_KEY_V2_CHUNK; 1374 stag->sadb_x_tag_taglen = strlen(sa->tag) + 1; 1375 s = (char *)(stag + 1); 1376 strlcpy(s, sa->tag, stag->sadb_x_tag_taglen); 1377 if (pf_key_v2_msg_add(update, (struct sadb_ext *)stag, 1378 PF_KEY_V2_NODE_MALLOCED) == -1) 1379 goto cleanup; 1380 } 1381 1382 if (sa->flags & SA_FLAG_IFACE) { 1383 struct sadb_x_iface *siface; 1384 1385 len = sizeof(*siface); 1386 siface = calloc(1, len); 1387 if (siface == NULL) 1388 goto cleanup; 1389 1390 siface->sadb_x_iface_len = len / PF_KEY_V2_CHUNK; 1391 siface->sadb_x_iface_exttype = SADB_X_EXT_IFACE; 1392 siface->sadb_x_iface_unit = sa->iface; 1393 siface->sadb_x_iface_direction = incoming ? 1394 IPSP_DIRECTION_IN : IPSP_DIRECTION_OUT; 1395 1396 if (pf_key_v2_msg_add(update, (struct sadb_ext *)siface, 1397 PF_KEY_V2_NODE_MALLOCED) == -1) 1398 goto cleanup; 1399 1400 snprintf(iface_str, sizeof(iface_str), "iface %u", sa->iface); 1401 } 1402 1403 /* XXX Here can sensitivity extensions be setup. */ 1404 1405 if (sockaddr2text(dst, &addr_str, 0)) 1406 addr_str = 0; 1407 1408 LOG_DBG((LOG_SYSDEP, 10, "pf_key_v2_set_spi: " 1409 "satype %d dst %s SPI 0x%x%s%s%s", msg.sadb_msg_satype, 1410 addr_str ? addr_str : "unknown", 1411 ntohl(ssa.sadb_sa_spi), sa->tag ? " tag " : "", 1412 sa->tag ? sa->tag : "", iface_str)); 1413 1414 free(addr_str); 1415 1416 /* 1417 * Although PF_KEY knows about expirations, it is unreliable per the 1418 * specs thus we need to do them inside isakmpd as well. 1419 */ 1420 if (sa->seconds) 1421 if (sa_setup_expirations(sa)) 1422 goto cleanup; 1423 1424 ret = pf_key_v2_call(update); 1425 pf_key_v2_msg_free(update); 1426 update = 0; 1427 if (!ret) 1428 goto cleanup; 1429 err = ((struct sadb_msg *)TAILQ_FIRST(ret)->seg)->sadb_msg_errno; 1430 pf_key_v2_msg_free(ret); 1431 ret = 0; 1432 1433 /* 1434 * If we are doing an addition into an SADB shared with our peer, 1435 * errors here are to be expected as the peer will already have 1436 * created the SA, and can thus be ignored. 1437 */ 1438 if (err && !(msg.sadb_msg_type == SADB_ADD && 1439 conf_get_str("General", "Shared-SADB"))) { 1440 log_print("pf_key_v2_set_spi: %s: %s", 1441 msg.sadb_msg_type == SADB_ADD ? "ADD" : "UPDATE", 1442 strerror(err)); 1443 goto cleanup; 1444 } 1445 LOG_DBG((LOG_SYSDEP, 50, "pf_key_v2_set_spi: done")); 1446 1447 return 0; 1448 1449 cleanup: 1450 free(sid); 1451 free(addr); 1452 free(life); 1453 free(key); 1454 if (update) 1455 pf_key_v2_msg_free(update); 1456 if (ret) 1457 pf_key_v2_msg_free(ret); 1458 return -1; 1459 } 1460 1461 static __inline__ int 1462 pf_key_v2_mask_to_bits(u_int32_t mask) 1463 { 1464 u_int32_t hmask = ntohl(mask); 1465 1466 return (33 - ffs(~hmask + 1)) % 33; 1467 } 1468 1469 static int 1470 pf_key_v2_mask6_to_bits(u_int8_t *mask) 1471 { 1472 int n; 1473 1474 bit_ffc(mask, 128, &n); 1475 return n == -1 ? 128 : n; 1476 } 1477 1478 /* 1479 * Enable/disable a flow. 1480 * XXX Assumes OpenBSD {ADD,DEL}FLOW extensions. 1481 */ 1482 static int 1483 pf_key_v2_flow(struct sockaddr *laddr, struct sockaddr *lmask, 1484 struct sockaddr *raddr, struct sockaddr *rmask, 1485 u_int8_t tproto, u_int16_t sport, u_int16_t dport, 1486 u_int8_t *spi, u_int8_t proto, struct sockaddr *dst, 1487 struct sockaddr *src, int delete, int ingress, 1488 u_int8_t srcid_type, u_int8_t *srcid, int srcid_len, 1489 u_int8_t dstid_type, u_int8_t *dstid, int dstid_len, 1490 struct ipsec_proto *iproto) 1491 { 1492 char *laddr_str, *lmask_str, *raddr_str, *rmask_str; 1493 1494 struct sadb_msg msg; 1495 struct sadb_protocol flowtype; 1496 struct sadb_ident *sid = 0; 1497 struct sadb_address *addr = 0; 1498 struct sadb_protocol tprotocol; 1499 struct pf_key_v2_msg *flow = 0, *ret = 0; 1500 size_t len; 1501 int err; 1502 1503 msg.sadb_msg_type = delete ? SADB_X_DELFLOW : SADB_X_ADDFLOW; 1504 switch (proto) { 1505 case IPSEC_PROTO_IPSEC_ESP: 1506 msg.sadb_msg_satype = SADB_SATYPE_ESP; 1507 break; 1508 case IPSEC_PROTO_IPSEC_AH: 1509 msg.sadb_msg_satype = SADB_SATYPE_AH; 1510 break; 1511 case IPSEC_PROTO_IPCOMP: 1512 msg.sadb_msg_satype = SADB_X_SATYPE_IPCOMP; 1513 break; 1514 default: 1515 log_print("pf_key_v2_flow: invalid proto %d", proto); 1516 goto cleanup; 1517 } 1518 msg.sadb_msg_seq = 0; 1519 flow = pf_key_v2_msg_new(&msg, 0); 1520 if (!flow) 1521 goto cleanup; 1522 1523 if (!delete) { 1524 /* Setup the source ID, if provided. */ 1525 if (srcid) { 1526 sid = calloc( 1527 PF_KEY_V2_ROUND(srcid_len + 1) + sizeof *sid, 1528 sizeof(u_int8_t)); 1529 if (!sid) 1530 goto cleanup; 1531 1532 sid->sadb_ident_len = ((sizeof *sid) / PF_KEY_V2_CHUNK) 1533 + PF_KEY_V2_ROUND(srcid_len + 1) / PF_KEY_V2_CHUNK; 1534 sid->sadb_ident_exttype = SADB_EXT_IDENTITY_SRC; 1535 sid->sadb_ident_type = srcid_type; 1536 1537 memcpy(sid + 1, srcid, srcid_len); 1538 1539 if (pf_key_v2_msg_add(flow, (struct sadb_ext *) sid, 1540 PF_KEY_V2_NODE_MALLOCED) == -1) 1541 goto cleanup; 1542 1543 sid = 0; 1544 } 1545 /* Setup the destination ID, if provided. */ 1546 if (dstid) { 1547 sid = calloc( 1548 PF_KEY_V2_ROUND(dstid_len + 1) + sizeof *sid, 1549 sizeof(u_int8_t)); 1550 if (!sid) 1551 goto cleanup; 1552 1553 sid->sadb_ident_len = ((sizeof *sid) / PF_KEY_V2_CHUNK) 1554 + PF_KEY_V2_ROUND(dstid_len + 1) / PF_KEY_V2_CHUNK; 1555 sid->sadb_ident_exttype = SADB_EXT_IDENTITY_DST; 1556 sid->sadb_ident_type = dstid_type; 1557 1558 memcpy(sid + 1, dstid, dstid_len); 1559 1560 if (pf_key_v2_msg_add(flow, (struct sadb_ext *) sid, 1561 PF_KEY_V2_NODE_MALLOCED) == -1) 1562 goto cleanup; 1563 1564 sid = 0; 1565 } 1566 } 1567 /* Setup the flow type extension. */ 1568 bzero(&flowtype, sizeof flowtype); 1569 flowtype.sadb_protocol_exttype = SADB_X_EXT_FLOW_TYPE; 1570 flowtype.sadb_protocol_len = sizeof flowtype / PF_KEY_V2_CHUNK; 1571 flowtype.sadb_protocol_direction = 1572 ingress ? IPSP_DIRECTION_IN : IPSP_DIRECTION_OUT; 1573 flowtype.sadb_protocol_proto = SADB_X_FLOW_TYPE_REQUIRE; 1574 1575 if (pf_key_v2_msg_add(flow, (struct sadb_ext *)&flowtype, 0) == -1) 1576 goto cleanup; 1577 1578 /* 1579 * Setup the ADDRESS extensions. 1580 */ 1581 len = sizeof *addr + PF_KEY_V2_ROUND(SA_LEN(src)); 1582 if (!delete) 1583 { 1584 addr = calloc(1, len); 1585 if (!addr) 1586 goto cleanup; 1587 addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST; 1588 addr->sadb_address_len = len / PF_KEY_V2_CHUNK; 1589 addr->sadb_address_reserved = 0; 1590 pf_key_v2_setup_sockaddr(addr + 1, src, dst, 0, ingress); 1591 if (pf_key_v2_msg_add(flow, (struct sadb_ext *) addr, 1592 PF_KEY_V2_NODE_MALLOCED) == -1) 1593 goto cleanup; 1594 addr = 0; 1595 } 1596 len = sizeof *addr + PF_KEY_V2_ROUND(SA_LEN(laddr)); 1597 addr = calloc(1, len); 1598 if (!addr) 1599 goto cleanup; 1600 addr->sadb_address_exttype = SADB_X_EXT_SRC_FLOW; 1601 addr->sadb_address_len = len / PF_KEY_V2_CHUNK; 1602 addr->sadb_address_reserved = 0; 1603 pf_key_v2_setup_sockaddr(addr + 1, laddr, 0, sport, 0); 1604 if (pf_key_v2_msg_add(flow, (struct sadb_ext *) addr, 1605 PF_KEY_V2_NODE_MALLOCED) == -1) 1606 goto cleanup; 1607 addr = 0; 1608 1609 addr = calloc(1, len); 1610 if (!addr) 1611 goto cleanup; 1612 addr->sadb_address_exttype = SADB_X_EXT_SRC_MASK; 1613 addr->sadb_address_len = len / PF_KEY_V2_CHUNK; 1614 addr->sadb_address_reserved = 0; 1615 pf_key_v2_setup_sockaddr(addr + 1, lmask, 0, sport ? 0xffff : 0, 0); 1616 if (pf_key_v2_msg_add(flow, (struct sadb_ext *) addr, 1617 PF_KEY_V2_NODE_MALLOCED) == -1) 1618 goto cleanup; 1619 addr = 0; 1620 1621 addr = calloc(1, len); 1622 if (!addr) 1623 goto cleanup; 1624 addr->sadb_address_exttype = SADB_X_EXT_DST_FLOW; 1625 addr->sadb_address_len = len / PF_KEY_V2_CHUNK; 1626 addr->sadb_address_reserved = 0; 1627 pf_key_v2_setup_sockaddr(addr + 1, raddr, 0, dport, 0); 1628 if (pf_key_v2_msg_add(flow, (struct sadb_ext *) addr, 1629 PF_KEY_V2_NODE_MALLOCED) == -1) 1630 goto cleanup; 1631 addr = 0; 1632 1633 addr = calloc(1, len); 1634 if (!addr) 1635 goto cleanup; 1636 addr->sadb_address_exttype = SADB_X_EXT_DST_MASK; 1637 addr->sadb_address_len = len / PF_KEY_V2_CHUNK; 1638 addr->sadb_address_reserved = 0; 1639 pf_key_v2_setup_sockaddr(addr + 1, rmask, 0, dport ? 0xffff : 0, 0); 1640 if (pf_key_v2_msg_add(flow, (struct sadb_ext *) addr, 1641 PF_KEY_V2_NODE_MALLOCED) == -1) 1642 goto cleanup; 1643 addr = 0; 1644 1645 /* Setup the protocol extension. */ 1646 bzero(&tprotocol, sizeof tprotocol); 1647 tprotocol.sadb_protocol_exttype = SADB_X_EXT_PROTOCOL; 1648 tprotocol.sadb_protocol_len = sizeof tprotocol / PF_KEY_V2_CHUNK; 1649 tprotocol.sadb_protocol_proto = tproto; 1650 1651 if (pf_key_v2_msg_add(flow, (struct sadb_ext *)&tprotocol, 0) == -1) 1652 goto cleanup; 1653 1654 if (sockaddr2text(laddr, &laddr_str, 0)) 1655 laddr_str = 0; 1656 if (sockaddr2text(lmask, &lmask_str, 0)) 1657 lmask_str = 0; 1658 if (sockaddr2text(raddr, &raddr_str, 0)) 1659 raddr_str = 0; 1660 if (sockaddr2text(rmask, &rmask_str, 0)) 1661 rmask_str = 0; 1662 1663 LOG_DBG((LOG_SYSDEP, 50, 1664 "pf_key_v2_flow: src %s %s dst %s %s proto %u sport %u dport %u", 1665 laddr_str ? laddr_str : "<??\?>", lmask_str ? lmask_str : "<??\?>", 1666 raddr_str ? raddr_str : "<??\?>", rmask_str ? rmask_str : "<??\?>", 1667 tproto, ntohs(sport), ntohs(dport))); 1668 1669 free(laddr_str); 1670 free(lmask_str); 1671 free(raddr_str); 1672 free(rmask_str); 1673 1674 ret = pf_key_v2_call(flow); 1675 pf_key_v2_msg_free(flow); 1676 flow = 0; 1677 if (!ret) 1678 goto cleanup; 1679 err = ((struct sadb_msg *)TAILQ_FIRST(ret)->seg)->sadb_msg_errno; 1680 if (err) { 1681 if (err == ESRCH) /* These are common and usually 1682 * harmless. */ 1683 LOG_DBG((LOG_SYSDEP, 10, "pf_key_v2_flow: %sFLOW: %s", 1684 delete ? "DEL" : "ADD", strerror(err))); 1685 else 1686 log_print("pf_key_v2_flow: %sFLOW: %s", 1687 delete ? "DEL" : "ADD", strerror(err)); 1688 goto cleanup; 1689 } 1690 pf_key_v2_msg_free(ret); 1691 1692 LOG_DBG((LOG_MISC, 50, "pf_key_v2_flow: %sFLOW: done", 1693 delete ? "DEL" : "ADD")); 1694 1695 return 0; 1696 1697 cleanup: 1698 free(sid); 1699 free(addr); 1700 if (flow) 1701 pf_key_v2_msg_free(flow); 1702 if (ret) 1703 pf_key_v2_msg_free(ret); 1704 return -1; 1705 } 1706 1707 static u_int8_t * 1708 pf_key_v2_convert_id(u_int8_t *id, int idlen, size_t *reslen, int *idtype) 1709 { 1710 u_int8_t *addr, *res = 0; 1711 char addrbuf[ADDRESS_MAX + 5]; 1712 1713 switch (id[0]) { 1714 case IPSEC_ID_FQDN: 1715 res = calloc(idlen - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ, 1716 sizeof(u_int8_t)); 1717 if (!res) 1718 return 0; 1719 1720 *reslen = idlen - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ; 1721 memcpy(res, id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, *reslen); 1722 *idtype = SADB_IDENTTYPE_FQDN; 1723 LOG_DBG((LOG_SYSDEP, 40, "pf_key_v2_convert_id: FQDN %.*s", 1724 (int) *reslen, res)); 1725 return res; 1726 1727 case IPSEC_ID_USER_FQDN: 1728 res = calloc(idlen - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ, 1729 sizeof(u_int8_t)); 1730 if (!res) 1731 return 0; 1732 1733 *reslen = idlen - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ; 1734 memcpy(res, id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, *reslen); 1735 *idtype = SADB_IDENTTYPE_USERFQDN; 1736 LOG_DBG((LOG_SYSDEP, 40, "pf_key_v2_convert_id: UFQDN %.*s", 1737 (int) *reslen, res)); 1738 return res; 1739 1740 case IPSEC_ID_IPV4_ADDR: 1741 if (inet_ntop(AF_INET, id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, 1742 addrbuf, ADDRESS_MAX) == NULL) 1743 return 0; 1744 *reslen = strlen(addrbuf) + 3; 1745 strlcat(addrbuf, "/32", ADDRESS_MAX + 5); 1746 res = (u_int8_t *) strdup(addrbuf); 1747 if (!res) 1748 return 0; 1749 *idtype = SADB_IDENTTYPE_PREFIX; 1750 LOG_DBG((LOG_SYSDEP, 40, "pf_key_v2_convert_id: " 1751 "IPv4 address %s", res)); 1752 return res; 1753 1754 case IPSEC_ID_IPV6_ADDR: 1755 if (inet_ntop(AF_INET6, 1756 id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, 1757 addrbuf, ADDRESS_MAX) == NULL) 1758 return 0; 1759 *reslen = strlen(addrbuf) + 4; 1760 strlcat(addrbuf, "/128", ADDRESS_MAX + 5); 1761 res = (u_int8_t *) strdup(addrbuf); 1762 if (!res) 1763 return 0; 1764 LOG_DBG((LOG_SYSDEP, 40, "pf_key_v2_convert_id: " 1765 "IPv6 address %s", res)); 1766 *idtype = SADB_IDENTTYPE_PREFIX; 1767 return res; 1768 1769 case IPSEC_ID_IPV4_ADDR_SUBNET: /* XXX PREFIX */ 1770 addr = id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ; 1771 if (inet_ntop(AF_INET, addr, addrbuf, ADDRESS_MAX) == NULL) 1772 return 0; 1773 snprintf(addrbuf + strlen(addrbuf), 1774 ADDRESS_MAX - strlen(addrbuf), "/%d", 1775 pf_key_v2_mask_to_bits(*(u_int32_t *)(addr + 1776 sizeof(struct in_addr)))); 1777 *reslen = strlen(addrbuf); 1778 res = (u_int8_t *) strdup(addrbuf); 1779 if (!res) 1780 return 0; 1781 *idtype = SADB_IDENTTYPE_PREFIX; 1782 LOG_DBG((LOG_SYSDEP, 40, "pf_key_v2_convert_id: " 1783 "IPv4 subnet %s", res)); 1784 return res; 1785 1786 case IPSEC_ID_IPV6_ADDR_SUBNET: /* XXX PREFIX */ 1787 addr = id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ; 1788 if (inet_ntop(AF_INET6, addr, addrbuf, ADDRESS_MAX) == NULL) 1789 return 0; 1790 snprintf(addrbuf + strlen(addrbuf), 1791 ADDRESS_MAX - strlen(addrbuf), "/%d", 1792 pf_key_v2_mask6_to_bits(addr + 1793 sizeof(struct in6_addr))); 1794 *reslen = strlen(addrbuf); 1795 res = (u_int8_t *) strdup(addrbuf); 1796 if (!res) 1797 return 0; 1798 LOG_DBG((LOG_SYSDEP, 40, "pf_key_v2_convert_id: " 1799 "IPv6 subnet %s", res)); 1800 *idtype = SADB_IDENTTYPE_PREFIX; 1801 return res; 1802 1803 case IPSEC_ID_IPV4_RANGE: 1804 case IPSEC_ID_IPV6_RANGE: 1805 case IPSEC_ID_DER_ASN1_DN: 1806 case IPSEC_ID_DER_ASN1_GN: 1807 case IPSEC_ID_KEY_ID: 1808 /* XXX Not implemented yet. */ 1809 return 0; 1810 } 1811 1812 return 0; 1813 } 1814 1815 /* Enable a flow given an SA. */ 1816 int 1817 pf_key_v2_enable_sa(struct sa *sa, struct sa *isakmp_sa) 1818 { 1819 struct ipsec_sa *isa = sa->data; 1820 struct sockaddr *dst, *src; 1821 int error; 1822 struct proto *proto = TAILQ_FIRST(&sa->protos); 1823 int sidtype = 0, didtype = 0; 1824 size_t sidlen = 0, didlen = 0; 1825 u_int8_t *sid = 0, *did = 0; 1826 1827 if (proto == NULL) { 1828 log_print("pf_key_v2_enable_sa: no proto"); 1829 return EINVAL; 1830 } 1831 1832 sa->transport->vtbl->get_dst(sa->transport, &dst); 1833 sa->transport->vtbl->get_src(sa->transport, &src); 1834 1835 if (isakmp_sa->id_i) { 1836 if (isakmp_sa->initiator) 1837 sid = pf_key_v2_convert_id(isakmp_sa->id_i, 1838 isakmp_sa->id_i_len, &sidlen, &sidtype); 1839 else 1840 did = pf_key_v2_convert_id(isakmp_sa->id_i, 1841 isakmp_sa->id_i_len, &didlen, &didtype); 1842 } 1843 if (isakmp_sa->id_r) { 1844 if (isakmp_sa->initiator) 1845 did = pf_key_v2_convert_id(isakmp_sa->id_r, 1846 isakmp_sa->id_r_len, &didlen, &didtype); 1847 else 1848 sid = pf_key_v2_convert_id(isakmp_sa->id_r, 1849 isakmp_sa->id_r_len, &sidlen, &sidtype); 1850 } 1851 1852 error = pf_key_v2_flow(isa->src_net, isa->src_mask, isa->dst_net, 1853 isa->dst_mask, isa->tproto, isa->sport, isa->dport, proto->spi[0], 1854 proto->proto, dst, src, 0, 0, sidtype, sid, sidlen, didtype, did, 1855 didlen, proto->data); 1856 if (error) 1857 goto cleanup; 1858 1859 error = pf_key_v2_flow(isa->dst_net, isa->dst_mask, isa->src_net, 1860 isa->src_mask, isa->tproto, isa->dport, isa->sport, proto->spi[1], 1861 proto->proto, src, dst, 0, 1, sidtype, sid, sidlen, didtype, did, 1862 didlen, proto->data); 1863 1864 cleanup: 1865 free(sid); 1866 free(did); 1867 1868 return error; 1869 } 1870 1871 /* Increase reference count of refcounted sections. */ 1872 static int 1873 pf_key_v2_conf_refinc(int af, char *section) 1874 { 1875 char conn[22]; 1876 int num; 1877 1878 if (!section) 1879 return 0; 1880 1881 num = conf_get_num(section, "Refcount", 0); 1882 if (num == 0) 1883 return 0; 1884 1885 snprintf(conn, sizeof conn, "%d", num + 1); 1886 conf_set(af, section, "Refcount", conn, 1, 0); 1887 return 0; 1888 } 1889 1890 /* 1891 * Return 0 if the section didn't exist or was removed, non-zero otherwise. 1892 * Don't touch non-refcounted (statically defined) sections. 1893 */ 1894 static int 1895 pf_key_v2_conf_refhandle(int af, char *section) 1896 { 1897 char conn[22]; 1898 int num; 1899 1900 if (!section) 1901 return 0; 1902 1903 num = conf_get_num(section, "Refcount", 0); 1904 if (num == 1) { 1905 conf_remove_section(af, section); 1906 num--; 1907 } else if (num != 0) { 1908 snprintf(conn, sizeof conn, "%d", num - 1); 1909 conf_set(af, section, "Refcount", conn, 1, 0); 1910 } 1911 return num; 1912 } 1913 1914 /* Remove all dynamically-established configuration entries. */ 1915 static int 1916 pf_key_v2_remove_conf(char *section) 1917 { 1918 char *ikepeer, *localid, *remoteid, *configname; 1919 struct conf_list_node *attr; 1920 struct conf_list *attrs; 1921 int af; 1922 1923 if (!section) 1924 return 0; 1925 1926 if (!conf_get_str(section, "Phase")) 1927 return 0; 1928 1929 /* Only remove dynamically-established entries. */ 1930 attrs = conf_get_list(section, "Flags"); 1931 if (attrs) { 1932 for (attr = TAILQ_FIRST(&attrs->fields); attr; 1933 attr = TAILQ_NEXT(attr, link)) 1934 if (!strcasecmp(attr->field, "__ondemand")) 1935 goto passed; 1936 1937 conf_free_list(attrs); 1938 } 1939 return 0; 1940 1941 passed: 1942 conf_free_list(attrs); 1943 1944 af = conf_begin(); 1945 1946 configname = conf_get_str(section, "Configuration"); 1947 pf_key_v2_conf_refhandle(af, configname); 1948 1949 /* These are the Phase 2 Local/Remote IDs. */ 1950 localid = conf_get_str(section, "Local-ID"); 1951 pf_key_v2_conf_refhandle(af, localid); 1952 1953 remoteid = conf_get_str(section, "Remote-ID"); 1954 pf_key_v2_conf_refhandle(af, remoteid); 1955 1956 ikepeer = conf_get_str(section, "ISAKMP-peer"); 1957 1958 pf_key_v2_conf_refhandle(af, section); 1959 1960 if (ikepeer) { 1961 remoteid = conf_get_str(ikepeer, "Remote-ID"); 1962 localid = conf_get_str(ikepeer, "ID"); 1963 configname = conf_get_str(ikepeer, "Configuration"); 1964 1965 pf_key_v2_conf_refhandle(af, ikepeer); 1966 pf_key_v2_conf_refhandle(af, configname); 1967 1968 /* Phase 1 IDs */ 1969 pf_key_v2_conf_refhandle(af, localid); 1970 pf_key_v2_conf_refhandle(af, remoteid); 1971 } 1972 conf_end(af, 1); 1973 return 0; 1974 } 1975 1976 /* Disable a flow given a SA. */ 1977 int 1978 pf_key_v2_disable_sa(struct sa *sa, int incoming) 1979 { 1980 struct ipsec_sa *isa = sa->data; 1981 struct sockaddr *dst, *src; 1982 struct proto *proto = TAILQ_FIRST(&sa->protos); 1983 1984 sa->transport->vtbl->get_dst(sa->transport, &dst); 1985 sa->transport->vtbl->get_src(sa->transport, &src); 1986 1987 if (!incoming) 1988 return pf_key_v2_flow(isa->src_net, isa->src_mask, 1989 isa->dst_net, isa->dst_mask, isa->tproto, isa->sport, 1990 isa->dport, proto->spi[0], proto->proto, src, dst, 1, 0, 1991 0, 0, 0, 0, 0, 0, proto->data); 1992 else { 1993 return pf_key_v2_flow(isa->dst_net, isa->dst_mask, 1994 isa->src_net, isa->src_mask, isa->tproto, isa->dport, 1995 isa->sport, proto->spi[1], proto->proto, src, dst, 1, 1, 1996 0, 0, 0, 0, 0, 0, proto->data); 1997 } 1998 } 1999 2000 /* 2001 * Delete the IPsec SA represented by the INCOMING direction in protocol PROTO 2002 * of the IKE security association SA. Also delete potential flows tied to it. 2003 */ 2004 int 2005 pf_key_v2_delete_spi(struct sa *sa, struct proto *proto, int incoming) 2006 { 2007 struct sadb_msg msg; 2008 struct sadb_sa ssa; 2009 struct sadb_address *addr = 0; 2010 struct sockaddr *saddr; 2011 int len, err; 2012 struct pf_key_v2_msg *delete = 0, *ret = 0; 2013 2014 /* If it's not an established SA, don't proceed. */ 2015 if (!(sa->flags & SA_FLAG_READY)) 2016 return 0; 2017 2018 if (sa->name && !(sa->flags & SA_FLAG_REPLACED)) { 2019 LOG_DBG((LOG_SYSDEP, 50, 2020 "pf_key_v2_delete_spi: removing configuration %s", 2021 sa->name)); 2022 pf_key_v2_remove_conf(sa->name); 2023 } 2024 msg.sadb_msg_type = SADB_DELETE; 2025 switch (proto->proto) { 2026 case IPSEC_PROTO_IPSEC_ESP: 2027 msg.sadb_msg_satype = SADB_SATYPE_ESP; 2028 break; 2029 case IPSEC_PROTO_IPSEC_AH: 2030 msg.sadb_msg_satype = SADB_SATYPE_AH; 2031 break; 2032 case IPSEC_PROTO_IPCOMP: 2033 msg.sadb_msg_satype = SADB_X_SATYPE_IPCOMP; 2034 break; 2035 default: 2036 log_print("pf_key_v2_delete_spi: invalid proto %d", 2037 proto->proto); 2038 goto cleanup; 2039 } 2040 msg.sadb_msg_seq = 0; 2041 delete = pf_key_v2_msg_new(&msg, 0); 2042 if (!delete) 2043 goto cleanup; 2044 2045 /* Setup the SA extension. */ 2046 ssa.sadb_sa_exttype = SADB_EXT_SA; 2047 ssa.sadb_sa_len = sizeof ssa / PF_KEY_V2_CHUNK; 2048 memcpy(&ssa.sadb_sa_spi, proto->spi[incoming], sizeof ssa.sadb_sa_spi); 2049 ssa.sadb_sa_replay = 0; 2050 ssa.sadb_sa_state = 0; 2051 ssa.sadb_sa_auth = 0; 2052 ssa.sadb_sa_encrypt = 0; 2053 ssa.sadb_sa_flags = 0; 2054 if (pf_key_v2_msg_add(delete, (struct sadb_ext *)&ssa, 0) == -1) 2055 goto cleanup; 2056 2057 /* 2058 * Setup the ADDRESS extensions. 2059 */ 2060 if (incoming) 2061 sa->transport->vtbl->get_dst(sa->transport, &saddr); 2062 else 2063 sa->transport->vtbl->get_src(sa->transport, &saddr); 2064 len = sizeof *addr + PF_KEY_V2_ROUND(SA_LEN(saddr)); 2065 addr = calloc(1, len); 2066 if (!addr) 2067 goto cleanup; 2068 addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC; 2069 addr->sadb_address_len = len / PF_KEY_V2_CHUNK; 2070 addr->sadb_address_reserved = 0; 2071 memcpy(addr + 1, saddr, SA_LEN(saddr)); 2072 switch (saddr->sa_family) { 2073 case AF_INET: 2074 ((struct sockaddr_in *) (addr + 1))->sin_port = 0; 2075 break; 2076 case AF_INET6: 2077 ((struct sockaddr_in6 *) (addr + 1))->sin6_port = 0; 2078 break; 2079 } 2080 if (pf_key_v2_msg_add(delete, (struct sadb_ext *) addr, 2081 PF_KEY_V2_NODE_MALLOCED) == -1) 2082 goto cleanup; 2083 addr = 0; 2084 2085 if (incoming) 2086 sa->transport->vtbl->get_src(sa->transport, &saddr); 2087 else 2088 sa->transport->vtbl->get_dst(sa->transport, &saddr); 2089 len = sizeof *addr + PF_KEY_V2_ROUND(SA_LEN(saddr)); 2090 addr = calloc(1, len); 2091 if (!addr) 2092 goto cleanup; 2093 addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST; 2094 addr->sadb_address_len = len / PF_KEY_V2_CHUNK; 2095 addr->sadb_address_reserved = 0; 2096 memcpy(addr + 1, saddr, SA_LEN(saddr)); 2097 switch (saddr->sa_family) { 2098 case AF_INET: 2099 ((struct sockaddr_in *) (addr + 1))->sin_port = 0; 2100 break; 2101 case AF_INET6: 2102 ((struct sockaddr_in6 *) (addr + 1))->sin6_port = 0; 2103 break; 2104 } 2105 if (pf_key_v2_msg_add(delete, (struct sadb_ext *) addr, 2106 PF_KEY_V2_NODE_MALLOCED) == -1) 2107 goto cleanup; 2108 addr = 0; 2109 2110 ret = pf_key_v2_call(delete); 2111 pf_key_v2_msg_free(delete); 2112 delete = 0; 2113 if (!ret) 2114 goto cleanup; 2115 err = ((struct sadb_msg *)TAILQ_FIRST(ret)->seg)->sadb_msg_errno; 2116 if (err) { 2117 LOG_DBG((LOG_SYSDEP, 10, "pf_key_v2_delete_spi: DELETE: %s", 2118 strerror(err))); 2119 goto cleanup; 2120 } 2121 pf_key_v2_msg_free(ret); 2122 2123 LOG_DBG((LOG_SYSDEP, 50, "pf_key_v2_delete_spi: done")); 2124 2125 return 0; 2126 2127 cleanup: 2128 free(addr); 2129 if (delete) 2130 pf_key_v2_msg_free(delete); 2131 if (ret) 2132 pf_key_v2_msg_free(ret); 2133 return -1; 2134 } 2135 2136 static void 2137 pf_key_v2_stayalive(struct exchange *exchange, void *vconn, int fail) 2138 { 2139 char *conn = vconn; 2140 struct sa *sa; 2141 2142 /* XXX What if it is phase 1 ? */ 2143 sa = sa_lookup_by_name(conn, 2); 2144 if (sa) 2145 sa->flags |= SA_FLAG_STAYALIVE; 2146 2147 /* 2148 * Remove failed configuration entry -- call twice because it is 2149 * created with a Refcount of 2. 2150 */ 2151 if (fail && (!exchange || exchange->name)) { 2152 pf_key_v2_remove_conf(conn); 2153 pf_key_v2_remove_conf(conn); 2154 } 2155 free(conn); 2156 } 2157 2158 /* Check if a connection CONN exists, otherwise establish it. */ 2159 void 2160 pf_key_v2_connection_check(char *conn) 2161 { 2162 if (!sa_lookup_by_name(conn, 2)) { 2163 LOG_DBG((LOG_SYSDEP, 70, 2164 "pf_key_v2_connection_check: SA for %s missing", conn)); 2165 exchange_establish(conn, pf_key_v2_stayalive, conn, 0); 2166 } else { 2167 LOG_DBG((LOG_SYSDEP, 70, "pf_key_v2_connection_check: " 2168 "SA for %s exists", conn)); 2169 free(conn); 2170 } 2171 } 2172 2173 /* Handle a PF_KEY lifetime expiration message PMSG. */ 2174 static void 2175 pf_key_v2_expire(struct pf_key_v2_msg *pmsg) 2176 { 2177 struct sadb_msg *msg; 2178 struct sadb_sa *ssa; 2179 struct sadb_address *dst; 2180 struct sockaddr *dstaddr; 2181 struct sadb_lifetime *life, *lifecurrent; 2182 struct sa *sa; 2183 struct pf_key_v2_node *lifenode, *ext; 2184 char *dst_str; 2185 2186 msg = (struct sadb_msg *)TAILQ_FIRST(pmsg)->seg; 2187 ext = pf_key_v2_find_ext(pmsg, SADB_EXT_SA); 2188 if (!ext) { 2189 log_print("pf_key_v2_expire: no SA extension found"); 2190 return; 2191 } 2192 ssa = ext->seg; 2193 ext = pf_key_v2_find_ext(pmsg, SADB_EXT_ADDRESS_DST); 2194 if (!ext) { 2195 log_print("pf_key_v2_expire: " 2196 "no destination address extension found"); 2197 return; 2198 } 2199 dst = ext->seg; 2200 dstaddr = (struct sockaddr *) (dst + 1); 2201 lifenode = pf_key_v2_find_ext(pmsg, SADB_EXT_LIFETIME_HARD); 2202 if (!lifenode) 2203 lifenode = pf_key_v2_find_ext(pmsg, SADB_EXT_LIFETIME_SOFT); 2204 if (!lifenode) { 2205 log_print("pf_key_v2_expire: no lifetime extension found"); 2206 return; 2207 } 2208 life = lifenode->seg; 2209 2210 lifenode = pf_key_v2_find_ext(pmsg, SADB_EXT_LIFETIME_CURRENT); 2211 if (!lifenode) { 2212 log_print("pf_key_v2_expire: " 2213 "no current lifetime extension found"); 2214 return; 2215 } 2216 lifecurrent = lifenode->seg; 2217 2218 if (sockaddr2text(dstaddr, &dst_str, 0)) 2219 dst_str = 0; 2220 2221 LOG_DBG((LOG_SYSDEP, 20, "pf_key_v2_expire: " 2222 "%s dst %s SPI %x sproto %d", 2223 life->sadb_lifetime_exttype == SADB_EXT_LIFETIME_SOFT ? "SOFT" 2224 : "HARD", dst_str ? dst_str : "<unknown>", 2225 ntohl(ssa->sadb_sa_spi), msg->sadb_msg_satype)); 2226 2227 free(dst_str); 2228 2229 /* 2230 * Find the IPsec SA. The IPsec stack has two SAs for every IKE SA, 2231 * one outgoing and one incoming, we regard expirations for any of 2232 * them as an expiration of the full IKE SA. Likewise, in 2233 * protection suites consisting of more than one protocol, any 2234 * expired individual IPsec stack SA will be seen as an expiration 2235 * of the full suite. 2236 */ 2237 switch (msg->sadb_msg_satype) { 2238 case SADB_SATYPE_ESP: 2239 sa = ipsec_sa_lookup(dstaddr, ssa->sadb_sa_spi, 2240 IPSEC_PROTO_IPSEC_ESP); 2241 break; 2242 2243 case SADB_SATYPE_AH: 2244 sa = ipsec_sa_lookup(dstaddr, ssa->sadb_sa_spi, 2245 IPSEC_PROTO_IPSEC_AH); 2246 break; 2247 2248 case SADB_X_SATYPE_IPCOMP: 2249 sa = ipsec_sa_lookup(dstaddr, ssa->sadb_sa_spi, 2250 IPSEC_PROTO_IPCOMP); 2251 break; 2252 2253 default: 2254 /* XXX Log? */ 2255 sa = 0; 2256 break; 2257 } 2258 2259 /* If the SA is already gone, don't do anything. */ 2260 if (!sa) 2261 return; 2262 2263 /* 2264 * If we got a notification, try to renegotiate the SA -- unless of 2265 * course it has already been replaced by another. 2266 * Also, ignore SAs that were not dynamically established, or that 2267 * did not see any use. 2268 */ 2269 if (!(sa->flags & SA_FLAG_REPLACED) && 2270 (sa->flags & SA_FLAG_ONDEMAND) && 2271 lifecurrent->sadb_lifetime_bytes) 2272 exchange_establish(sa->name, 0, 0, 0); 2273 2274 if (life->sadb_lifetime_exttype == SADB_EXT_LIFETIME_HARD) { 2275 /* Remove the old SA, it isn't useful anymore. */ 2276 sa_free(sa); 2277 } 2278 } 2279 2280 static int 2281 mask4len(const struct sockaddr_in *mask) 2282 { 2283 int len; 2284 u_int32_t m; 2285 2286 len = 0; 2287 for (m = 0x80000000; m & ntohl(mask->sin_addr.s_addr); m >>= 1) 2288 len++; 2289 if (len == 32) 2290 len = -1; 2291 return len; 2292 } 2293 2294 #ifndef s6_addr8 2295 #define s6_addr8 __u6_addr.__u6_addr8 2296 #endif 2297 2298 static int 2299 mask6len(const struct sockaddr_in6 *mask) 2300 { 2301 int i, len; 2302 u_int8_t m; 2303 2304 len = 0; 2305 for (i = 0, m = 0; i < 16 && !m; i++) 2306 for (m = 0x80; m & mask->sin6_addr.s6_addr8[i]; m >>= 1) 2307 len++; 2308 if (len == 128) 2309 len = -1; 2310 return len; 2311 } 2312 2313 static int 2314 phase2id(char *str, size_t size, const char *side, const char *sflow, 2315 int masklen, u_int8_t proto, u_int16_t port) 2316 { 2317 char smasklen[10], sproto[10], sport[10]; 2318 2319 smasklen[0] = sproto[0] = sport[0] = 0; 2320 if (masklen != -1) 2321 snprintf(smasklen, sizeof smasklen, "/%d", masklen); 2322 if (proto) 2323 snprintf(sproto, sizeof sproto, "=%u", proto); 2324 if (port) 2325 snprintf(sport, sizeof sport, ":%u", ntohs(port)); 2326 2327 return snprintf(str, size, "%s-%s%s%s%s", side, sflow, smasklen, 2328 sproto, sport); 2329 } 2330 2331 /* Handle a PF_KEY SA ACQUIRE message PMSG. */ 2332 static void 2333 pf_key_v2_acquire(struct pf_key_v2_msg *pmsg) 2334 { 2335 struct sadb_msg *msg, askpolicy_msg; 2336 struct pf_key_v2_msg *askpolicy = 0, *ret = 0; 2337 struct sadb_x_policy policy; 2338 struct sadb_address *dst = 0, *src = 0; 2339 struct sockaddr *dstaddr, *srcaddr = 0; 2340 struct sadb_ident *srcident = 0, *dstident = 0; 2341 char dstbuf[ADDRESS_MAX], srcbuf[ADDRESS_MAX], *peer = 0; 2342 char confname[120], *conn = 0; 2343 char *srcid = 0, *dstid = 0, *prefstring = 0; 2344 int slen, af, afamily, masklen; 2345 struct sockaddr *smask, *sflow, *dmask, *dflow; 2346 struct sadb_protocol *sproto; 2347 char ssflow[ADDRESS_MAX], sdflow[ADDRESS_MAX]; 2348 char sdmask[ADDRESS_MAX], ssmask[ADDRESS_MAX]; 2349 int dmasklen, smasklen; 2350 char *sidtype = 0, *didtype = 0; 2351 char lname[100], dname[100], configname[200]; 2352 int shostflag = 0, dhostflag = 0; 2353 struct pf_key_v2_node *ext; 2354 struct passwd *pwd = 0; 2355 u_int16_t sport = 0, dport = 0; 2356 u_int8_t tproto = 0; 2357 char tmbuf[sizeof sport * 3 + 1], *xform; 2358 int connlen; 2359 2360 /* This needs to be dynamically allocated. */ 2361 connlen = 22; 2362 conn = malloc(connlen); 2363 if (!conn) { 2364 log_error("pf_key_v2_acquire: malloc (%d) failed", connlen); 2365 return; 2366 } 2367 msg = (struct sadb_msg *)TAILQ_FIRST(pmsg)->seg; 2368 2369 ext = pf_key_v2_find_ext(pmsg, SADB_EXT_ADDRESS_DST); 2370 if (!ext) { 2371 log_print("pf_key_v2_acquire: " 2372 "no destination address specified"); 2373 free(conn); 2374 return; 2375 } 2376 dst = ext->seg; 2377 2378 ext = pf_key_v2_find_ext(pmsg, SADB_EXT_ADDRESS_SRC); 2379 if (ext) 2380 src = ext->seg; 2381 2382 ext = pf_key_v2_find_ext(pmsg, SADB_EXT_IDENTITY_SRC); 2383 if (ext) 2384 srcident = ext->seg; 2385 2386 ext = pf_key_v2_find_ext(pmsg, SADB_EXT_IDENTITY_DST); 2387 if (ext) 2388 dstident = ext->seg; 2389 2390 /* Ask the kernel for the matching policy. */ 2391 bzero(&askpolicy_msg, sizeof askpolicy_msg); 2392 askpolicy_msg.sadb_msg_type = SADB_X_ASKPOLICY; 2393 askpolicy = pf_key_v2_msg_new(&askpolicy_msg, 0); 2394 if (!askpolicy) 2395 goto fail; 2396 2397 policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY; 2398 policy.sadb_x_policy_len = sizeof policy / PF_KEY_V2_CHUNK; 2399 policy.sadb_x_policy_seq = msg->sadb_msg_seq; 2400 if (pf_key_v2_msg_add(askpolicy, (struct sadb_ext *)&policy, 0) == -1) 2401 goto fail; 2402 2403 ret = pf_key_v2_call(askpolicy); 2404 if (!ret) 2405 goto fail; 2406 2407 /* Now we have all the information needed. */ 2408 2409 ext = pf_key_v2_find_ext(ret, SADB_X_EXT_SRC_FLOW); 2410 if (!ext) { 2411 log_print("pf_key_v2_acquire: no source flow extension found"); 2412 goto fail; 2413 } 2414 sflow = (struct sockaddr *) (((struct sadb_address *) ext->seg) + 1); 2415 2416 ext = pf_key_v2_find_ext(ret, SADB_X_EXT_DST_FLOW); 2417 if (!ext) { 2418 log_print("pf_key_v2_acquire: " 2419 "no destination flow extension found"); 2420 goto fail; 2421 } 2422 dflow = (struct sockaddr *) (((struct sadb_address *) ext->seg) + 1); 2423 ext = pf_key_v2_find_ext(ret, SADB_X_EXT_SRC_MASK); 2424 if (!ext) { 2425 log_print("pf_key_v2_acquire: no source mask extension found"); 2426 goto fail; 2427 } 2428 smask = (struct sockaddr *) (((struct sadb_address *) ext->seg) + 1); 2429 2430 ext = pf_key_v2_find_ext(ret, SADB_X_EXT_DST_MASK); 2431 if (!ext) { 2432 log_print("pf_key_v2_acquire: " 2433 "no destination mask extension found"); 2434 goto fail; 2435 } 2436 dmask = (struct sockaddr *) (((struct sadb_address *) ext->seg) + 1); 2437 2438 ext = pf_key_v2_find_ext(ret, SADB_X_EXT_FLOW_TYPE); 2439 if (!ext) { 2440 log_print("pf_key_v2_acquire: no flow type extension found"); 2441 goto fail; 2442 } 2443 sproto = ext->seg; 2444 tproto = sproto->sadb_protocol_proto; 2445 2446 bzero(ssflow, sizeof ssflow); 2447 bzero(sdflow, sizeof sdflow); 2448 bzero(ssmask, sizeof ssmask); 2449 bzero(sdmask, sizeof sdmask); 2450 smasklen = dmasklen = -1; 2451 2452 sidtype = didtype = "IPV4_ADDR_SUBNET"; /* default */ 2453 2454 switch (sflow->sa_family) { 2455 case AF_INET: 2456 if (inet_ntop(AF_INET, 2457 &((struct sockaddr_in *) sflow)->sin_addr, ssflow, 2458 ADDRESS_MAX) == NULL) { 2459 log_print("pf_key_v2_acquire: inet_ntop failed"); 2460 goto fail; 2461 } 2462 sport = ((struct sockaddr_in *) sflow)->sin_port; 2463 if (inet_ntop(AF_INET, 2464 &((struct sockaddr_in *) dflow)->sin_addr, sdflow, 2465 ADDRESS_MAX) == NULL) { 2466 log_print("pf_key_v2_acquire: inet_ntop failed"); 2467 goto fail; 2468 } 2469 dport = ((struct sockaddr_in *) dflow)->sin_port; 2470 if (inet_ntop(AF_INET, 2471 &((struct sockaddr_in *) smask)->sin_addr, ssmask, 2472 ADDRESS_MAX) == NULL) { 2473 log_print("pf_key_v2_acquire: inet_ntop failed"); 2474 goto fail; 2475 } 2476 if (inet_ntop(AF_INET, 2477 &((struct sockaddr_in *) dmask)->sin_addr, sdmask, 2478 ADDRESS_MAX) == NULL) { 2479 log_print("pf_key_v2_acquire: inet_ntop failed"); 2480 goto fail; 2481 } 2482 smasklen = mask4len((struct sockaddr_in *) smask); 2483 dmasklen = mask4len((struct sockaddr_in *) dmask); 2484 if (((struct sockaddr_in *) smask)->sin_addr.s_addr == 2485 INADDR_BROADCAST) { 2486 shostflag = 1; 2487 sidtype = "IPV4_ADDR"; 2488 } 2489 if (((struct sockaddr_in *) dmask)->sin_addr.s_addr == 2490 INADDR_BROADCAST) { 2491 dhostflag = 1; 2492 didtype = "IPV4_ADDR"; 2493 } 2494 break; 2495 2496 case AF_INET6: 2497 if (inet_ntop(AF_INET6, 2498 &((struct sockaddr_in6 *) sflow)->sin6_addr, 2499 ssflow, ADDRESS_MAX) == NULL) { 2500 log_print("pf_key_v2_acquire: inet_ntop failed"); 2501 goto fail; 2502 } 2503 sport = ((struct sockaddr_in6 *) sflow)->sin6_port; 2504 if (inet_ntop(AF_INET6, 2505 &((struct sockaddr_in6 *) dflow)->sin6_addr, 2506 sdflow, ADDRESS_MAX) == NULL) { 2507 log_print("pf_key_v2_acquire: inet_ntop failed"); 2508 goto fail; 2509 } 2510 dport = ((struct sockaddr_in6 *) dflow)->sin6_port; 2511 if (inet_ntop(AF_INET6, 2512 &((struct sockaddr_in6 *) smask)->sin6_addr, 2513 ssmask, ADDRESS_MAX) == NULL) { 2514 log_print("pf_key_v2_acquire: inet_ntop failed"); 2515 goto fail; 2516 } 2517 if (inet_ntop(AF_INET6, 2518 &((struct sockaddr_in6 *) dmask)->sin6_addr, 2519 sdmask, ADDRESS_MAX) == NULL) { 2520 log_print("pf_key_v2_acquire: inet_ntop failed"); 2521 goto fail; 2522 } 2523 smasklen = mask6len((struct sockaddr_in6 *) smask); 2524 dmasklen = mask6len((struct sockaddr_in6 *) dmask); 2525 sidtype = didtype = "IPV6_ADDR_SUBNET"; 2526 if (IN6_IS_ADDR_FULL(&((struct sockaddr_in6 *)smask)->sin6_addr)) { 2527 shostflag = 1; 2528 sidtype = "IPV6_ADDR"; 2529 } 2530 if (IN6_IS_ADDR_FULL(&((struct sockaddr_in6 *)dmask)->sin6_addr)) { 2531 dhostflag = 1; 2532 didtype = "IPV6_ADDR"; 2533 } 2534 break; 2535 } 2536 2537 dstaddr = (struct sockaddr *)(dst + 1); 2538 bzero(dstbuf, sizeof dstbuf); 2539 bzero(srcbuf, sizeof srcbuf); 2540 2541 if (dstaddr->sa_family == 0) { 2542 /* 2543 * Destination was not specified in the flow -- can we derive 2544 * it? 2545 */ 2546 if (dhostflag == 0) { 2547 log_print("pf_key_v2_acquire: " 2548 "Cannot determine precise destination"); 2549 goto fail; 2550 } 2551 dstaddr = dflow; 2552 } 2553 switch (dstaddr->sa_family) { 2554 case AF_INET: 2555 if (inet_ntop(AF_INET, 2556 &((struct sockaddr_in *) dstaddr)->sin_addr, 2557 dstbuf, ADDRESS_MAX) == NULL) { 2558 log_print("pf_key_v2_acquire: inet_ntop failed"); 2559 goto fail; 2560 } 2561 LOG_DBG((LOG_SYSDEP, 20, 2562 "pf_key_v2_acquire: dst=%s sproto %d", dstbuf, 2563 msg->sadb_msg_satype)); 2564 break; 2565 2566 case AF_INET6: 2567 if (inet_ntop(AF_INET6, 2568 &((struct sockaddr_in6 *) dstaddr)->sin6_addr, 2569 dstbuf, ADDRESS_MAX) == NULL) { 2570 log_print("pf_key_v2_acquire: inet_ntop failed"); 2571 goto fail; 2572 } 2573 LOG_DBG((LOG_SYSDEP, 20, 2574 "pf_key_v2_acquire: dst=%s sproto %d", dstbuf, 2575 msg->sadb_msg_satype)); 2576 break; 2577 } 2578 2579 if (src) { 2580 srcaddr = (struct sockaddr *) (src + 1); 2581 2582 switch (srcaddr->sa_family) { 2583 case AF_INET: 2584 if (inet_ntop(AF_INET, 2585 &((struct sockaddr_in *) srcaddr)->sin_addr, 2586 srcbuf, ADDRESS_MAX) == NULL) { 2587 log_print("pf_key_v2_acquire: " 2588 "inet_ntop failed"); 2589 goto fail; 2590 } 2591 break; 2592 2593 case AF_INET6: 2594 if (inet_ntop(AF_INET6, 2595 &((struct sockaddr_in6 *)srcaddr)->sin6_addr, 2596 srcbuf, ADDRESS_MAX) == NULL) { 2597 log_print("pf_key_v2_acquire: " 2598 "inet_ntop failed"); 2599 goto fail; 2600 } 2601 break; 2602 2603 default: 2604 /* 2605 * The kernel will pass an all '0' EXT_ADDRESS_SRC if 2606 * it wasn't specified for the flow. In that case, do 2607 * NOT specify the srcaddr in the Peer-name below 2608 */ 2609 srcbuf[0] = 0; 2610 srcaddr = NULL; 2611 break; 2612 } 2613 } 2614 /* Insert source ID. */ 2615 if (srcident) { 2616 slen = (srcident->sadb_ident_len * sizeof(u_int64_t)) 2617 - sizeof(struct sadb_ident); 2618 if (((unsigned char *) (srcident + 1))[slen - 1] != '\0') { 2619 log_print("pf_key_v2_acquire: " 2620 "source identity not NUL-terminated"); 2621 goto fail; 2622 } 2623 /* Check for valid type. */ 2624 switch (srcident->sadb_ident_type) { 2625 case SADB_IDENTTYPE_PREFIX: 2626 /* Determine what the address family is. */ 2627 srcid = memchr(srcident + 1, ':', slen); 2628 if (srcid) 2629 afamily = AF_INET6; 2630 else 2631 afamily = AF_INET; 2632 2633 srcid = memchr(srcident + 1, '/', slen); 2634 if (!srcid) { 2635 log_print("pf_key_v2_acquire: " 2636 "badly formatted PREFIX identity"); 2637 goto fail; 2638 } 2639 masklen = atoi(srcid + 1); 2640 2641 /* XXX We only support host addresses. */ 2642 if ((afamily == AF_INET6 && masklen != 128) || 2643 (afamily == AF_INET && masklen != 32)) { 2644 log_print("pf_key_v2_acquire: " 2645 "non-host address specified in source " 2646 "identity (mask length %d), ignoring " 2647 "request", masklen); 2648 goto fail; 2649 } 2650 /* 2651 * NUL-terminate the PREFIX string at the separator, 2652 * then dup. 2653 */ 2654 *srcid = '\0'; 2655 if (asprintf(&srcid, "id-%s", 2656 (char *) (srcident + 1)) == -1) { 2657 log_error("pf_key_v2_acquire: asprintf() failed"); 2658 goto fail; 2659 } 2660 2661 /* Set the section if it doesn't already exist. */ 2662 af = conf_begin(); 2663 if (!conf_get_str(srcid, "ID-type")) { 2664 if (conf_set(af, srcid, "ID-type", 2665 afamily == AF_INET ? "IPV4_ADDR" : 2666 "IPV6_ADDR", 1, 0) || 2667 conf_set(af, srcid, "Refcount", "1", 1, 0) || 2668 conf_set(af, srcid, "Address", 2669 (char *) (srcident + 1), 1, 0)) { 2670 conf_end(af, 0); 2671 goto fail; 2672 } 2673 } else 2674 pf_key_v2_conf_refinc(af, srcid); 2675 conf_end(af, 1); 2676 break; 2677 2678 case SADB_IDENTTYPE_FQDN: 2679 prefstring = "FQDN"; 2680 /*FALLTHROUGH*/ 2681 case SADB_IDENTTYPE_USERFQDN: 2682 if (!prefstring) { 2683 prefstring = "USER_FQDN"; 2684 2685 /* 2686 * Check whether there is a string following 2687 * the header; if no, that there is a user ID 2688 * (and acquire the login name). If there is 2689 * both a string and a user ID, check that 2690 * they match. 2691 */ 2692 if ((slen == 0) && 2693 (srcident->sadb_ident_id == 0)) { 2694 log_print("pf_key_v2_acquire: " 2695 "no user FQDN or ID provided"); 2696 goto fail; 2697 } 2698 if (srcident->sadb_ident_id) { 2699 pwd = 2700 getpwuid(srcident->sadb_ident_id); 2701 if (!pwd) { 2702 log_error("pf_key_v2_acquire: " 2703 "could not acquire " 2704 "username from provided " 2705 "ID %llu", 2706 srcident->sadb_ident_id); 2707 goto fail; 2708 } 2709 if (slen != 0) 2710 if (strcmp(pwd->pw_name, 2711 (char *) (srcident + 1)) 2712 != 0) { 2713 log_print("pf_key_v2_acquire: " 2714 "provided user " 2715 "name and ID do " 2716 "not match (%s != " 2717 "%s)", 2718 (char *) (srcident + 1), 2719 pwd->pw_name); 2720 /* 2721 * String has 2722 * precedence, per 2723 * RFC 2367. 2724 */ 2725 } 2726 } 2727 } 2728 if (asprintf(&srcid, "id-%s", 2729 slen ? (char *) (srcident + 1) : pwd->pw_name) == -1) { 2730 log_error("pf_key_v2_acquire: asprintf() failed"); 2731 goto fail; 2732 } 2733 pwd = 0; 2734 2735 /* Set the section if it doesn't already exist. */ 2736 af = conf_begin(); 2737 if (!conf_get_str(srcid, "ID-type")) { 2738 if (conf_set(af, srcid, "ID-type", prefstring, 2739 1, 0) || 2740 conf_set(af, srcid, "Refcount", "1", 1, 0) || 2741 conf_set(af, srcid, "Name", 2742 srcid + 3, 1, 0)) { 2743 conf_end(af, 0); 2744 goto fail; 2745 } 2746 } else 2747 pf_key_v2_conf_refinc(af, srcid); 2748 conf_end(af, 1); 2749 break; 2750 2751 default: 2752 LOG_DBG((LOG_SYSDEP, 20, 2753 "pf_key_v2_acquire: invalid source ID type %d", 2754 srcident->sadb_ident_type)); 2755 goto fail; 2756 } 2757 2758 LOG_DBG((LOG_SYSDEP, 50, 2759 "pf_key_v2_acquire: constructed source ID \"%s\"", srcid)); 2760 prefstring = 0; 2761 } 2762 /* Insert destination ID. */ 2763 if (dstident) { 2764 slen = (dstident->sadb_ident_len * sizeof(u_int64_t)) 2765 - sizeof(struct sadb_ident); 2766 2767 /* Check for valid type. */ 2768 switch (dstident->sadb_ident_type) { 2769 case SADB_IDENTTYPE_PREFIX: 2770 /* Determine what the address family is. */ 2771 dstid = memchr(dstident + 1, ':', slen); 2772 if (dstid) 2773 afamily = AF_INET6; 2774 else 2775 afamily = AF_INET; 2776 2777 dstid = memchr(dstident + 1, '/', slen); 2778 if (!dstid) { 2779 log_print("pf_key_v2_acquire: " 2780 "badly formatted PREFIX identity"); 2781 goto fail; 2782 } 2783 masklen = atoi(dstid + 1); 2784 2785 /* XXX We only support host addresses. */ 2786 if ((afamily == AF_INET6 && masklen != 128) || 2787 (afamily == AF_INET && masklen != 32)) { 2788 log_print("pf_key_v2_acquire: " 2789 "non-host address specified in " 2790 "destination identity (mask length %d), " 2791 "ignoring request", masklen); 2792 goto fail; 2793 } 2794 /* 2795 * NUL-terminate the PREFIX string at the separator, 2796 * then dup. 2797 */ 2798 *dstid = '\0'; 2799 if (asprintf(&dstid, "id-%s", 2800 (char *) (dstident + 1)) == -1) { 2801 log_error("pf_key_v2_acquire: asprintf() failed"); 2802 goto fail; 2803 } 2804 2805 /* Set the section if it doesn't already exist. */ 2806 af = conf_begin(); 2807 if (!conf_get_str(dstid, "ID-type")) { 2808 if (conf_set(af, dstid, "ID-type", 2809 afamily == AF_INET ? "IPV4_ADDR" : 2810 "IPV6_ADDR", 1, 0) || 2811 conf_set(af, dstid, "Refcount", "1", 1, 0) || 2812 conf_set(af, dstid, "Address", 2813 (char *) (dstident + 1), 1, 0)) { 2814 conf_end(af, 0); 2815 goto fail; 2816 } 2817 } else 2818 pf_key_v2_conf_refinc(af, dstid); 2819 conf_end(af, 1); 2820 break; 2821 2822 case SADB_IDENTTYPE_FQDN: 2823 prefstring = "FQDN"; 2824 /*FALLTHROUGH*/ 2825 case SADB_IDENTTYPE_USERFQDN: 2826 if (!prefstring) { 2827 prefstring = "USER_FQDN"; 2828 2829 /* 2830 * Check whether there is a string following 2831 * the header; if no, that there is a user ID 2832 * (and acquire the login name). If there is 2833 * both a string and a user ID, check that 2834 * they match. 2835 */ 2836 if (slen == 0 && 2837 dstident->sadb_ident_id == 0) { 2838 log_print("pf_key_v2_acquire: " 2839 "no user FQDN or ID provided"); 2840 goto fail; 2841 } 2842 if (dstident->sadb_ident_id) { 2843 pwd = getpwuid(dstident->sadb_ident_id); 2844 if (!pwd) { 2845 log_error("pf_key_v2_acquire: " 2846 "could not acquire " 2847 "username from provided " 2848 "ID %llu", 2849 dstident->sadb_ident_id); 2850 goto fail; 2851 } 2852 if (slen != 0) 2853 if (strcmp(pwd->pw_name, 2854 (char *) (dstident + 1)) 2855 != 0) { 2856 log_print("pf_key_v2_acquire: " 2857 "provided user " 2858 "name and ID do " 2859 "not match (%s != " 2860 "%s)", 2861 (char *) (dstident + 1), 2862 pwd->pw_name); 2863 /* 2864 * String has 2865 * precedence, per RF 2866 * 2367. 2867 */ 2868 } 2869 } 2870 } 2871 if (asprintf(&dstid, "id-%s", 2872 slen ? (char *) (dstident + 1) : pwd->pw_name) == -1) { 2873 log_error("pf_key_v2_acquire: asprintf() failed"); 2874 goto fail; 2875 } 2876 pwd = 0; 2877 2878 /* Set the section if it doesn't already exist. */ 2879 af = conf_begin(); 2880 if (!conf_get_str(dstid, "ID-type")) { 2881 if (conf_set(af, dstid, "ID-type", prefstring, 2882 1, 0) || 2883 conf_set(af, dstid, "Refcount", "1", 1, 0) || 2884 conf_set(af, dstid, "Name", 2885 dstid + 3, 1, 0)) { 2886 conf_end(af, 0); 2887 goto fail; 2888 } 2889 } else 2890 pf_key_v2_conf_refinc(af, dstid); 2891 conf_end(af, 1); 2892 break; 2893 2894 default: 2895 LOG_DBG((LOG_SYSDEP, 20, "pf_key_v2_acquire: " 2896 "invalid destination ID type %d", 2897 dstident->sadb_ident_type)); 2898 goto fail; 2899 } 2900 2901 LOG_DBG((LOG_SYSDEP, 50, 2902 "pf_key_v2_acquire: constructed destination ID \"%s\"", 2903 dstid)); 2904 } 2905 /* Now we've placed the necessary IDs in the configuration space. */ 2906 2907 /* Get a new connection sequence number. */ 2908 for (;; connection_seq++) { 2909 snprintf(conn, connlen, "Connection-%u", connection_seq); 2910 2911 /* Does it exist ? */ 2912 if (!conf_get_str(conn, "Phase")) 2913 break; 2914 } 2915 2916 /* 2917 * Set the IPsec connection entry. In particular, the following fields: 2918 * - Phase 2919 * - ISAKMP-peer 2920 * - Local-ID/Remote-ID (if provided) 2921 * - Acquire-ID (sequence number of kernel message, e.g., PF_KEYv2) 2922 * - Configuration 2923 * 2924 * Also set the following section: 2925 * [peer-dstaddr(-local-srcaddr)] 2926 * with these fields: 2927 * - Phase 2928 * - ID (if provided) 2929 * - Remote-ID (if provided) 2930 * - Local-address (if provided) 2931 * - Address 2932 * - Configuration (if an entry phase1-dstaddr-srcadd) 2933 * exists -- otherwise use the defaults) 2934 */ 2935 2936 /* 2937 * The various cases: 2938 * - peer-dstaddr 2939 * - peer-dstaddr-local-srcaddr 2940 */ 2941 if (asprintf(&peer, "peer-%s%s%s", dstbuf, srcaddr ? "-local-" : "", 2942 srcaddr ? srcbuf : "") == -1) 2943 goto fail; 2944 2945 /* 2946 * Set the IPsec connection section. Refcount is set to 2, because 2947 * it will be linked both to the incoming and the outgoing SA. 2948 */ 2949 af = conf_begin(); 2950 if (conf_set(af, conn, "Phase", "2", 0, 0) || 2951 conf_set(af, conn, "Flags", "__ondemand", 0, 0) || 2952 conf_set(af, conn, "Refcount", "2", 0, 0) || 2953 conf_set(af, conn, "ISAKMP-peer", peer, 0, 0)) { 2954 conf_end(af, 0); 2955 goto fail; 2956 } 2957 /* Set the sequence number. */ 2958 snprintf(lname, sizeof lname, "%u", msg->sadb_msg_seq); 2959 if (conf_set(af, conn, "Acquire-ID", lname, 0, 0)) { 2960 conf_end(af, 0); 2961 goto fail; 2962 } 2963 /* 2964 * Set Phase 2 IDs -- this is the Local-ID section. 2965 * - from-address 2966 * - from-address=proto 2967 * - from-address=proto:port 2968 * - from-network/masklen 2969 * - from-network/masklen=proto 2970 * - from-network/masklen=proto:port 2971 */ 2972 phase2id(lname, sizeof lname, "from", ssflow, smasklen, tproto, sport); 2973 if (conf_set(af, conn, "Local-ID", lname, 0, 0)) { 2974 conf_end(af, 0); 2975 goto fail; 2976 } 2977 if (!conf_get_str(lname, "ID-type")) { 2978 if (conf_set(af, lname, "Refcount", "1", 0, 0)) { 2979 conf_end(af, 0); 2980 goto fail; 2981 } 2982 if (shostflag) { 2983 if (conf_set(af, lname, "ID-type", sidtype, 0, 0) || 2984 conf_set(af, lname, "Address", ssflow, 0, 0)) { 2985 conf_end(af, 0); 2986 goto fail; 2987 } 2988 } else { 2989 if (conf_set(af, lname, "ID-type", sidtype, 0, 0) || 2990 conf_set(af, lname, "Network", ssflow, 0, 0) || 2991 conf_set(af, lname, "Netmask", ssmask, 0, 0)) { 2992 conf_end(af, 0); 2993 goto fail; 2994 } 2995 } 2996 if (tproto) { 2997 snprintf(tmbuf, sizeof sport * 3 + 1, "%u", tproto); 2998 if (conf_set(af, lname, "Protocol", tmbuf, 0, 0)) { 2999 conf_end(af, 0); 3000 goto fail; 3001 } 3002 if (sport) { 3003 snprintf(tmbuf, sizeof sport * 3 + 1, "%u", 3004 ntohs(sport)); 3005 if (conf_set(af, lname, "Port", tmbuf, 0, 0)) { 3006 conf_end(af, 0); 3007 goto fail; 3008 } 3009 } 3010 } 3011 } else 3012 pf_key_v2_conf_refinc(af, lname); 3013 3014 /* 3015 * Set Remote-ID section. 3016 * to-address 3017 * to-address=proto 3018 * to-address=proto:port 3019 * to-network/masklen 3020 * to-network/masklen=proto 3021 * to-network/masklen=proto:port 3022 */ 3023 phase2id(dname, sizeof dname, "to", sdflow, dmasklen, tproto, dport); 3024 if (conf_set(af, conn, "Remote-ID", dname, 0, 0)) { 3025 conf_end(af, 0); 3026 goto fail; 3027 } 3028 if (!conf_get_str(dname, "ID-type")) { 3029 if (conf_set(af, dname, "Refcount", "1", 0, 0)) { 3030 conf_end(af, 0); 3031 goto fail; 3032 } 3033 if (dhostflag) { 3034 if (conf_set(af, dname, "ID-type", didtype, 0, 0) || 3035 conf_set(af, dname, "Address", sdflow, 0, 0)) { 3036 conf_end(af, 0); 3037 goto fail; 3038 } 3039 } else { 3040 if (conf_set(af, dname, "ID-type", didtype, 0, 0) || 3041 conf_set(af, dname, "Network", sdflow, 0, 0) || 3042 conf_set(af, dname, "Netmask", sdmask, 0, 0)) { 3043 conf_end(af, 0); 3044 goto fail; 3045 } 3046 } 3047 3048 if (tproto) { 3049 snprintf(tmbuf, sizeof dport * 3 + 1, "%u", tproto); 3050 if (conf_set(af, dname, "Protocol", tmbuf, 0, 0)) { 3051 conf_end(af, 0); 3052 goto fail; 3053 } 3054 if (dport) { 3055 snprintf(tmbuf, sizeof dport * 3 + 1, "%u", 3056 ntohs(dport)); 3057 if (conf_set(af, dname, "Port", tmbuf, 0, 0)) { 3058 conf_end(af, 0); 3059 goto fail; 3060 } 3061 } 3062 } 3063 } else 3064 pf_key_v2_conf_refinc(af, dname); 3065 3066 /* 3067 * XXX 3068 * We should be using information from the proposal to set this up. 3069 * At least, we should make this selectable. 3070 */ 3071 3072 /* 3073 * Phase 2 configuration. 3074 * - phase2-from-address-to-address 3075 * - ... 3076 * - phase2-from-net/len=proto:port-to-net/len=proto:port 3077 */ 3078 snprintf(configname, sizeof configname, "phase2-%s-%s", lname, dname); 3079 if (conf_set(af, conn, "Configuration", configname, 0, 0)) { 3080 conf_end(af, 0); 3081 goto fail; 3082 } 3083 if (!conf_get_str(configname, "Exchange_type")) { 3084 if (conf_set(af, configname, "Exchange_type", "Quick_mode", 3085 0, 0) || 3086 conf_set(af, peer, "Refcount", "1", 0, 0) || 3087 conf_set(af, configname, "DOI", "IPSEC", 0, 0)) { 3088 conf_end(af, 0); 3089 goto fail; 3090 } 3091 if (conf_get_str("General", "Default-phase-2-suites")) { 3092 if (conf_set(af, configname, "Suites", 3093 conf_get_str("General", "Default-phase-2-suites"), 3094 0, 0)) { 3095 conf_end(af, 0); 3096 goto fail; 3097 } 3098 } else { 3099 if (conf_set(af, configname, "Suites", 3100 "QM-ESP-3DES-SHA-PFS-SUITE", 0, 0)) { 3101 conf_end(af, 0); 3102 goto fail; 3103 } 3104 } 3105 } else 3106 pf_key_v2_conf_refinc(af, configname); 3107 3108 /* Set the ISAKMP-peer section. */ 3109 if (!conf_get_str(peer, "Phase")) { 3110 if (conf_set(af, peer, "Phase", "1", 0, 0) || 3111 conf_set(af, peer, "Refcount", "1", 0, 0) || 3112 conf_set(af, peer, "Address", dstbuf, 0, 0)) { 3113 conf_end(af, 0); 3114 goto fail; 3115 } 3116 if (srcaddr && conf_set(af, peer, "Local-address", srcbuf, 0, 3117 0)) { 3118 conf_end(af, 0); 3119 goto fail; 3120 } 3121 snprintf(confname, sizeof confname, "phase1-%s", peer); 3122 if (conf_set(af, peer, "Configuration", confname, 0, 0)) { 3123 conf_end(af, 0); 3124 goto fail; 3125 } 3126 3127 /* Phase 1 configuration. */ 3128 if (!conf_get_str(confname, "exchange_type")) { 3129 xform = conf_get_str("Default-phase-1-configuration", 3130 "Transforms"); 3131 if (conf_set(af, confname, "Transforms", xform ? xform : 3132 "3DES-SHA-RSA_SIG", 0, 0)) { 3133 conf_end(af, 0); 3134 goto fail; 3135 } 3136 3137 if (conf_set(af, confname, "Exchange_Type", "ID_PROT", 3138 0, 0) || 3139 conf_set(af, confname, "DOI", "IPSEC", 0, 0) || 3140 conf_set(af, confname, "Refcount", "1", 0, 0)) { 3141 conf_end(af, 0); 3142 goto fail; 3143 } 3144 } else 3145 pf_key_v2_conf_refinc(af, confname); 3146 3147 /* The ID we should use in Phase 1. */ 3148 if (srcid && conf_set(af, peer, "ID", srcid, 0, 0)) { 3149 conf_end(af, 0); 3150 goto fail; 3151 } 3152 /* The ID the other side should use in Phase 1. */ 3153 if (dstid && conf_set(af, peer, "Remote-ID", dstid, 0, 0)) { 3154 conf_end(af, 0); 3155 goto fail; 3156 } 3157 } else 3158 pf_key_v2_conf_refinc(af, peer); 3159 3160 /* All done. */ 3161 conf_end(af, 1); 3162 3163 /* Let's rock 'n roll. */ 3164 connection_record_passive(conn); 3165 pf_key_v2_connection_check(conn); 3166 conn = 0; 3167 3168 /* Fall-through to cleanup. */ 3169 fail: 3170 if (ret) 3171 pf_key_v2_msg_free(ret); 3172 if (askpolicy) 3173 pf_key_v2_msg_free(askpolicy); 3174 free(srcid); 3175 free(dstid); 3176 free(peer); 3177 free(conn); 3178 return; 3179 } 3180 3181 static void 3182 pf_key_v2_notify(struct pf_key_v2_msg *msg) 3183 { 3184 switch (((struct sadb_msg *)TAILQ_FIRST(msg)->seg)->sadb_msg_type) { 3185 case SADB_EXPIRE: 3186 pf_key_v2_expire(msg); 3187 break; 3188 3189 case SADB_ACQUIRE: 3190 if (!ui_daemon_passive) 3191 pf_key_v2_acquire(msg); 3192 break; 3193 3194 default: 3195 log_print("pf_key_v2_notify: unexpected message type (%d)", 3196 ((struct sadb_msg *)TAILQ_FIRST(msg)->seg)->sadb_msg_type); 3197 } 3198 pf_key_v2_msg_free(msg); 3199 } 3200 3201 void 3202 pf_key_v2_handler(int fd) 3203 { 3204 struct pf_key_v2_msg *msg; 3205 int n; 3206 3207 /* 3208 * As synchronous read/writes to the socket can have taken place 3209 * between the select(2) call of the main loop and this handler, we 3210 * need to recheck the readability. 3211 */ 3212 if (ioctl(pf_key_v2_socket, FIONREAD, &n) == -1) { 3213 log_error("pf_key_v2_handler: ioctl (%d, FIONREAD, &n) failed", 3214 pf_key_v2_socket); 3215 return; 3216 } 3217 if (!n) 3218 return; 3219 3220 msg = pf_key_v2_read(0); 3221 if (msg) 3222 pf_key_v2_notify(msg); 3223 } 3224 3225 /* 3226 * Group 2 IPsec SAs given by the PROTO1 and PROTO2 protocols of the SA IKE 3227 * security association in a chain. 3228 * XXX Assumes OpenBSD GRPSPIS extension. 3229 */ 3230 int 3231 pf_key_v2_group_spis(struct sa *sa, struct proto *proto1, 3232 struct proto *proto2, int incoming) 3233 { 3234 struct sadb_msg msg; 3235 struct sadb_sa sa1, sa2; 3236 struct sadb_address *addr = 0; 3237 struct sadb_protocol protocol; 3238 struct pf_key_v2_msg *grpspis = 0, *ret = 0; 3239 struct sockaddr *saddr; 3240 int err; 3241 size_t len; 3242 3243 msg.sadb_msg_type = SADB_X_GRPSPIS; 3244 switch (proto1->proto) { 3245 case IPSEC_PROTO_IPSEC_ESP: 3246 msg.sadb_msg_satype = SADB_SATYPE_ESP; 3247 break; 3248 case IPSEC_PROTO_IPSEC_AH: 3249 msg.sadb_msg_satype = SADB_SATYPE_AH; 3250 break; 3251 case IPSEC_PROTO_IPCOMP: 3252 msg.sadb_msg_satype = SADB_X_SATYPE_IPCOMP; 3253 break; 3254 default: 3255 log_print("pf_key_v2_group_spis: invalid proto %d", 3256 proto1->proto); 3257 goto cleanup; 3258 } 3259 msg.sadb_msg_seq = 0; 3260 grpspis = pf_key_v2_msg_new(&msg, 0); 3261 if (!grpspis) 3262 goto cleanup; 3263 3264 /* Setup the SA extensions. */ 3265 sa1.sadb_sa_exttype = SADB_EXT_SA; 3266 sa1.sadb_sa_len = sizeof sa1 / PF_KEY_V2_CHUNK; 3267 memcpy(&sa1.sadb_sa_spi, proto1->spi[incoming], 3268 sizeof sa1.sadb_sa_spi); 3269 sa1.sadb_sa_replay = 0; 3270 sa1.sadb_sa_state = 0; 3271 sa1.sadb_sa_auth = 0; 3272 sa1.sadb_sa_encrypt = 0; 3273 sa1.sadb_sa_flags = 0; 3274 if (pf_key_v2_msg_add(grpspis, (struct sadb_ext *)&sa1, 0) == -1) 3275 goto cleanup; 3276 3277 sa2.sadb_sa_exttype = SADB_X_EXT_SA2; 3278 sa2.sadb_sa_len = sizeof sa2 / PF_KEY_V2_CHUNK; 3279 memcpy(&sa2.sadb_sa_spi, proto2->spi[incoming], 3280 sizeof sa2.sadb_sa_spi); 3281 sa2.sadb_sa_replay = 0; 3282 sa2.sadb_sa_state = 0; 3283 sa2.sadb_sa_auth = 0; 3284 sa2.sadb_sa_encrypt = 0; 3285 sa2.sadb_sa_flags = 0; 3286 if (pf_key_v2_msg_add(grpspis, (struct sadb_ext *)&sa2, 0) == -1) 3287 goto cleanup; 3288 3289 /* 3290 * Setup the ADDRESS extensions. 3291 */ 3292 if (incoming) 3293 sa->transport->vtbl->get_src(sa->transport, &saddr); 3294 else 3295 sa->transport->vtbl->get_dst(sa->transport, &saddr); 3296 len = sizeof *addr + PF_KEY_V2_ROUND(SA_LEN(saddr)); 3297 addr = calloc(1, len); 3298 if (!addr) 3299 goto cleanup; 3300 addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST; 3301 addr->sadb_address_len = len / PF_KEY_V2_CHUNK; 3302 addr->sadb_address_reserved = 0; 3303 memcpy(addr + 1, saddr, SA_LEN(saddr)); 3304 ((struct sockaddr_in *) (addr + 1))->sin_port = 0; 3305 if (pf_key_v2_msg_add(grpspis, (struct sadb_ext *) addr, 3306 PF_KEY_V2_NODE_MALLOCED) == -1) 3307 goto cleanup; 3308 addr = 0; 3309 3310 addr = calloc(1, len); 3311 if (!addr) 3312 goto cleanup; 3313 addr->sadb_address_exttype = SADB_X_EXT_DST2; 3314 addr->sadb_address_len = len / PF_KEY_V2_CHUNK; 3315 addr->sadb_address_reserved = 0; 3316 memcpy(addr + 1, saddr, SA_LEN(saddr)); 3317 ((struct sockaddr_in *) (addr + 1))->sin_port = 0; 3318 if (pf_key_v2_msg_add(grpspis, (struct sadb_ext *) addr, 3319 PF_KEY_V2_NODE_MALLOCED) == -1) 3320 goto cleanup; 3321 addr = 0; 3322 3323 /* Setup the sa type extension. */ 3324 protocol.sadb_protocol_exttype = SADB_X_EXT_SATYPE2; 3325 protocol.sadb_protocol_len = sizeof protocol / PF_KEY_V2_CHUNK; 3326 switch (proto2->proto) { 3327 case IPSEC_PROTO_IPSEC_ESP: 3328 protocol.sadb_protocol_proto = SADB_SATYPE_ESP; 3329 break; 3330 case IPSEC_PROTO_IPSEC_AH: 3331 protocol.sadb_protocol_proto = SADB_SATYPE_AH; 3332 break; 3333 case IPSEC_PROTO_IPCOMP: 3334 protocol.sadb_protocol_proto = SADB_X_SATYPE_IPCOMP; 3335 break; 3336 default: 3337 log_print("pf_key_v2_group_spis: invalid proto %d", 3338 proto2->proto); 3339 goto cleanup; 3340 } 3341 protocol.sadb_protocol_reserved2 = 0; 3342 if (pf_key_v2_msg_add(grpspis, 3343 (struct sadb_ext *)&protocol, 0) == -1) 3344 goto cleanup; 3345 3346 ret = pf_key_v2_call(grpspis); 3347 pf_key_v2_msg_free(grpspis); 3348 grpspis = 0; 3349 if (!ret) 3350 goto cleanup; 3351 err = ((struct sadb_msg *)TAILQ_FIRST(ret)->seg)->sadb_msg_errno; 3352 if (err) { 3353 log_print("pf_key_v2_group_spis: GRPSPIS: %s", strerror(err)); 3354 goto cleanup; 3355 } 3356 pf_key_v2_msg_free(ret); 3357 3358 LOG_DBG((LOG_SYSDEP, 50, "pf_key_v2_group_spis: done")); 3359 3360 return 0; 3361 3362 cleanup: 3363 free(addr); 3364 if (grpspis) 3365 pf_key_v2_msg_free(grpspis); 3366 if (ret) 3367 pf_key_v2_msg_free(ret); 3368 return -1; 3369 } 3370