1 /* $OpenBSD: pfkey.c,v 1.85 2024/07/13 12:22:46 yasuoka Exp $ */
2
3 /*
4 * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org>
5 * Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
6 * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
7 * Copyright (c) 2003, 2004 Markus Friedl <markus@openbsd.org>
8 *
9 * Permission to use, copy, modify, and distribute this software for any
10 * purpose with or without fee is hereby granted, provided that the above
11 * copyright notice and this permission notice appear in all copies.
12 *
13 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
14 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
15 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
16 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
17 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
18 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
19 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
20 */
21
22 #include <sys/queue.h>
23 #include <sys/uio.h>
24 #include <sys/socket.h>
25
26 #include <netinet/in.h>
27 #include <netinet/ip_ipsp.h>
28 #include <net/if.h>
29 #include <net/pfkeyv2.h>
30
31 #include <err.h>
32 #include <errno.h>
33 #include <stdio.h>
34 #include <poll.h>
35 #include <string.h>
36 #include <stdlib.h>
37 #include <unistd.h>
38 #include <event.h>
39
40 #include "iked.h"
41 #include "ikev2.h"
42
43 #define ROUNDUP(x) (((x) + (PFKEYV2_CHUNK - 1)) & ~(PFKEYV2_CHUNK - 1))
44 #define IOV_CNT 28
45
46 #define PFKEYV2_CHUNK sizeof(uint64_t)
47 #define PFKEY_REPLY_TIMEOUT 1000
48
49 /* only used internally */
50 #define IKED_SADB_UPDATE_SA_ADDRESSES 0xff
51
52 static uint32_t sadb_msg_seq = 0;
53 static unsigned int sadb_decoupled = 0;
54
55 static int iked_rdomain = 0;
56
57 static struct event pfkey_timer_ev;
58 static struct timeval pfkey_timer_tv;
59
60 struct pfkey_message {
61 SIMPLEQ_ENTRY(pfkey_message)
62 pm_entry;
63 uint8_t *pm_data;
64 ssize_t pm_length;
65 };
66 SIMPLEQ_HEAD(, pfkey_message) pfkey_retry, pfkey_postponed =
67 SIMPLEQ_HEAD_INITIALIZER(pfkey_postponed);
68
69 struct pfkey_constmap {
70 uint8_t pfkey_id;
71 unsigned int pfkey_ikeid;
72 unsigned int pfkey_fixedkey;
73 };
74
75 static const struct pfkey_constmap pfkey_encr[] = {
76 { SADB_EALG_3DESCBC, IKEV2_XFORMENCR_3DES },
77 { SADB_X_EALG_CAST, IKEV2_XFORMENCR_CAST },
78 { SADB_X_EALG_BLF, IKEV2_XFORMENCR_BLOWFISH },
79 { SADB_EALG_NULL, IKEV2_XFORMENCR_NULL },
80 { SADB_X_EALG_AES, IKEV2_XFORMENCR_AES_CBC },
81 { SADB_X_EALG_AESCTR, IKEV2_XFORMENCR_AES_CTR },
82 { SADB_X_EALG_AESGCM16, IKEV2_XFORMENCR_AES_GCM_16 },
83 { SADB_X_EALG_AESGMAC, IKEV2_XFORMENCR_NULL_AES_GMAC },
84 { SADB_X_EALG_CHACHA20POLY1305, IKEV2_XFORMENCR_CHACHA20_POLY1305 },
85 { 0 }
86 };
87
88 static const struct pfkey_constmap pfkey_integr[] = {
89 { SADB_AALG_MD5HMAC, IKEV2_XFORMAUTH_HMAC_MD5_96 },
90 { SADB_AALG_SHA1HMAC, IKEV2_XFORMAUTH_HMAC_SHA1_96 },
91 { SADB_X_AALG_SHA2_256, IKEV2_XFORMAUTH_HMAC_SHA2_256_128 },
92 { SADB_X_AALG_SHA2_384, IKEV2_XFORMAUTH_HMAC_SHA2_384_192 },
93 { SADB_X_AALG_SHA2_512, IKEV2_XFORMAUTH_HMAC_SHA2_512_256 },
94 { 0 }
95 };
96
97 static const struct pfkey_constmap pfkey_satype[] = {
98 { SADB_SATYPE_AH, IKEV2_SAPROTO_AH },
99 { SADB_SATYPE_ESP, IKEV2_SAPROTO_ESP },
100 { SADB_X_SATYPE_IPCOMP, IKEV2_SAPROTO_IPCOMP },
101 { 0 }
102 };
103
104 int pfkey_map(const struct pfkey_constmap *, uint16_t, uint8_t *);
105 int pfkey_flow(struct iked *, uint8_t, uint8_t, struct iked_flow *);
106 int pfkey_sa(struct iked *, uint8_t, uint8_t, struct iked_childsa *);
107 int pfkey_sa_getspi(struct iked *, uint8_t, struct iked_childsa *, uint32_t *);
108 int pfkey_sagroup(struct iked *, uint8_t, uint8_t,
109 struct iked_childsa *, struct iked_childsa *);
110 int pfkey_write(struct iked *, struct sadb_msg *, struct iovec *, int,
111 uint8_t **, ssize_t *);
112 int pfkey_reply(int, uint8_t **, ssize_t *);
113 void pfkey_dispatch(int, short, void *);
114 int pfkey_sa_lookup(struct iked *, struct iked_childsa *, uint64_t *,
115 struct iked_sastats *);
116 int pfkey_sa_check_exists(struct iked *, struct iked_childsa *);
117 int pfkey_sa_sastats(struct iked *, struct iked_childsa *,
118 struct iked_sastats *);
119
120 struct sadb_ident *
121 pfkey_id2ident(struct iked_id *, unsigned int);
122 void *pfkey_find_ext(uint8_t *, ssize_t, int);
123
124 void pfkey_timer_cb(int, short, void *);
125 int pfkey_process(struct iked *, struct pfkey_message *);
126
127 int
pfkey_couple(struct iked * env,struct iked_sas * sas,int couple)128 pfkey_couple(struct iked *env, struct iked_sas *sas, int couple)
129 {
130 struct iked_sa *sa;
131 struct iked_flow *flow;
132 struct iked_childsa *csa, *ipcomp;
133 const char *mode[] = { "coupled", "decoupled" };
134
135 /* Socket is not ready */
136 if (env->sc_pfkey == -1)
137 return (-1);
138
139 if (sadb_decoupled == !couple)
140 return (0);
141
142 log_debug("%s: kernel %s -> %s", __func__,
143 mode[sadb_decoupled], mode[!sadb_decoupled]);
144
145 /* Allow writes to the PF_KEY socket */
146 sadb_decoupled = 0;
147
148 RB_FOREACH(sa, iked_sas, sas) {
149 TAILQ_FOREACH(csa, &sa->sa_childsas, csa_entry) {
150 if (!csa->csa_loaded && couple)
151 (void)pfkey_sa_add(env, csa, NULL);
152 else if (csa->csa_loaded && !couple)
153 (void)pfkey_sa_delete(env, csa);
154 if ((ipcomp = csa->csa_bundled) != NULL) {
155 if (!ipcomp->csa_loaded && couple)
156 (void)pfkey_sa_add(env, ipcomp, csa);
157 else if (ipcomp->csa_loaded && !couple)
158 (void)pfkey_sa_delete(env, ipcomp);
159 }
160 }
161 TAILQ_FOREACH(flow, &sa->sa_flows, flow_entry) {
162 if (!flow->flow_loaded && couple)
163 (void)pfkey_flow_add(env, flow);
164 else if (flow->flow_loaded && !couple)
165 (void)pfkey_flow_delete(env, flow);
166 }
167 }
168
169 sadb_decoupled = !couple;
170
171 return (0);
172 }
173
174 int
pfkey_map(const struct pfkey_constmap * map,uint16_t alg,uint8_t * pfkalg)175 pfkey_map(const struct pfkey_constmap *map, uint16_t alg, uint8_t *pfkalg)
176 {
177 int i;
178
179 for (i = 0; map[i].pfkey_id != 0; i++)
180 if (map[i].pfkey_ikeid == alg) {
181 *pfkalg = map[i].pfkey_id;
182 return (0);
183 }
184 return (-1);
185 }
186
187 int
pfkey_flow(struct iked * env,uint8_t satype,uint8_t action,struct iked_flow * flow)188 pfkey_flow(struct iked *env, uint8_t satype, uint8_t action, struct iked_flow *flow)
189 {
190 struct sadb_msg smsg;
191 struct iked_addr *flow_src, *flow_dst;
192 struct sadb_address sa_src, sa_dst, sa_local, sa_peer, sa_smask,
193 sa_dmask;
194 struct sadb_protocol sa_flowtype, sa_protocol;
195 struct sadb_x_rdomain sa_rdomain;
196 struct sadb_ident *sa_srcid, *sa_dstid;
197 struct sockaddr_storage ssrc, sdst, slocal, speer, smask, dmask;
198 struct iovec iov[IOV_CNT];
199 int iov_cnt, ret = -1;
200 uint64_t pad = 0;
201 size_t padlen;
202
203 sa_srcid = sa_dstid = NULL;
204
205 flow_src = &flow->flow_src;
206 flow_dst = &flow->flow_dst;
207
208 if (flow->flow_prenat.addr_af == flow_src->addr_af) {
209 if (flow->flow_dir == IPSP_DIRECTION_IN)
210 flow_dst = &flow->flow_prenat;
211 else
212 flow_src = &flow->flow_prenat;
213 }
214
215 bzero(&ssrc, sizeof(ssrc));
216 bzero(&smask, sizeof(smask));
217 memcpy(&ssrc, &flow_src->addr, sizeof(ssrc));
218 memcpy(&smask, &flow_src->addr, sizeof(smask));
219 socket_af((struct sockaddr *)&ssrc, flow_src->addr_port);
220 socket_af((struct sockaddr *)&smask, flow_src->addr_port ?
221 0xffff : 0);
222
223 switch (flow_src->addr_af) {
224 case AF_INET:
225 ((struct sockaddr_in *)&smask)->sin_addr.s_addr =
226 prefixlen2mask(flow_src->addr_net ?
227 flow_src->addr_mask : 32);
228 break;
229 case AF_INET6:
230 prefixlen2mask6(flow_src->addr_net ?
231 flow_src->addr_mask : 128,
232 (uint32_t *)((struct sockaddr_in6 *)
233 &smask)->sin6_addr.s6_addr);
234 break;
235 default:
236 log_warnx("%s: unsupported address family %d",
237 __func__, flow_src->addr_af);
238 return (-1);
239 }
240 smask.ss_len = ssrc.ss_len;
241
242 bzero(&sdst, sizeof(sdst));
243 bzero(&dmask, sizeof(dmask));
244 memcpy(&sdst, &flow_dst->addr, sizeof(sdst));
245 memcpy(&dmask, &flow_dst->addr, sizeof(dmask));
246 socket_af((struct sockaddr *)&sdst, flow_dst->addr_port);
247 socket_af((struct sockaddr *)&dmask, flow_dst->addr_port ?
248 0xffff : 0);
249
250 switch (flow_dst->addr_af) {
251 case AF_INET:
252 ((struct sockaddr_in *)&dmask)->sin_addr.s_addr =
253 prefixlen2mask(flow_dst->addr_net ?
254 flow_dst->addr_mask : 32);
255 break;
256 case AF_INET6:
257 prefixlen2mask6(flow_dst->addr_net ?
258 flow_dst->addr_mask : 128,
259 (uint32_t *)((struct sockaddr_in6 *)
260 &dmask)->sin6_addr.s6_addr);
261 break;
262 default:
263 log_warnx("%s: unsupported address family %d",
264 __func__, flow_dst->addr_af);
265 return (-1);
266 }
267 dmask.ss_len = sdst.ss_len;
268
269 bzero(&slocal, sizeof(slocal));
270 bzero(&speer, sizeof(speer));
271 if (action != SADB_X_DELFLOW && flow->flow_local != NULL) {
272 memcpy(&slocal, &flow->flow_local->addr, sizeof(slocal));
273 socket_af((struct sockaddr *)&slocal, 0);
274
275 memcpy(&speer, &flow->flow_peer->addr, sizeof(speer));
276 socket_af((struct sockaddr *)&speer, 0);
277 }
278
279 bzero(&smsg, sizeof(smsg));
280 smsg.sadb_msg_version = PF_KEY_V2;
281 smsg.sadb_msg_seq = ++sadb_msg_seq;
282 smsg.sadb_msg_pid = getpid();
283 smsg.sadb_msg_len = sizeof(smsg) / 8;
284 smsg.sadb_msg_type = action;
285 smsg.sadb_msg_satype = satype;
286
287 bzero(&sa_flowtype, sizeof(sa_flowtype));
288 sa_flowtype.sadb_protocol_exttype = SADB_X_EXT_FLOW_TYPE;
289 sa_flowtype.sadb_protocol_len = sizeof(sa_flowtype) / 8;
290 sa_flowtype.sadb_protocol_direction = flow->flow_dir;
291 sa_flowtype.sadb_protocol_proto = SADB_X_FLOW_TYPE_REQUIRE;
292
293 bzero(&sa_protocol, sizeof(sa_protocol));
294 sa_protocol.sadb_protocol_exttype = SADB_X_EXT_PROTOCOL;
295 sa_protocol.sadb_protocol_len = sizeof(sa_protocol) / 8;
296 sa_protocol.sadb_protocol_direction = 0;
297 sa_protocol.sadb_protocol_proto = flow->flow_ipproto;
298
299 bzero(&sa_src, sizeof(sa_src));
300 sa_src.sadb_address_exttype = SADB_X_EXT_SRC_FLOW;
301 sa_src.sadb_address_len = (sizeof(sa_src) + ROUNDUP(ssrc.ss_len)) / 8;
302
303 bzero(&sa_smask, sizeof(sa_smask));
304 sa_smask.sadb_address_exttype = SADB_X_EXT_SRC_MASK;
305 sa_smask.sadb_address_len =
306 (sizeof(sa_smask) + ROUNDUP(smask.ss_len)) / 8;
307
308 bzero(&sa_dst, sizeof(sa_dst));
309 sa_dst.sadb_address_exttype = SADB_X_EXT_DST_FLOW;
310 sa_dst.sadb_address_len = (sizeof(sa_dst) + ROUNDUP(sdst.ss_len)) / 8;
311
312 bzero(&sa_dmask, sizeof(sa_dmask));
313 sa_dmask.sadb_address_exttype = SADB_X_EXT_DST_MASK;
314 sa_dmask.sadb_address_len =
315 (sizeof(sa_dmask) + ROUNDUP(dmask.ss_len)) / 8;
316
317 if (action != SADB_X_DELFLOW && flow->flow_local != NULL) {
318 /* local address */
319 bzero(&sa_local, sizeof(sa_local));
320 sa_local.sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
321 sa_local.sadb_address_len =
322 (sizeof(sa_local) + ROUNDUP(slocal.ss_len)) / 8;
323
324 /* peer address */
325 bzero(&sa_peer, sizeof(sa_peer));
326 sa_peer.sadb_address_exttype = SADB_EXT_ADDRESS_DST;
327 sa_peer.sadb_address_len =
328 (sizeof(sa_peer) + ROUNDUP(speer.ss_len)) / 8;
329
330 /* local id */
331 sa_srcid = pfkey_id2ident(IKESA_SRCID(flow->flow_ikesa),
332 SADB_EXT_IDENTITY_SRC);
333
334 /* peer id */
335 sa_dstid = pfkey_id2ident(IKESA_DSTID(flow->flow_ikesa),
336 SADB_EXT_IDENTITY_DST);
337 }
338
339 if (flow->flow_rdomain >= 0) {
340 /* install flow in specific rdomain */
341 bzero(&sa_rdomain, sizeof(sa_rdomain));
342 sa_rdomain.sadb_x_rdomain_exttype = SADB_X_EXT_RDOMAIN;
343 sa_rdomain.sadb_x_rdomain_len = sizeof(sa_rdomain) / 8;
344 sa_rdomain.sadb_x_rdomain_dom1 = flow->flow_rdomain;
345 }
346
347 #define PAD(len) \
348 padlen = ROUNDUP((len)) - (len); \
349 if (padlen) { \
350 iov[iov_cnt].iov_base = &pad; \
351 iov[iov_cnt].iov_len = padlen; \
352 iov_cnt++; \
353 }
354
355 iov_cnt = 0;
356
357 /* header */
358 iov[iov_cnt].iov_base = &smsg;
359 iov[iov_cnt].iov_len = sizeof(smsg);
360 iov_cnt++;
361
362 /* add flow type */
363 iov[iov_cnt].iov_base = &sa_flowtype;
364 iov[iov_cnt].iov_len = sizeof(sa_flowtype);
365 smsg.sadb_msg_len += sa_flowtype.sadb_protocol_len;
366 iov_cnt++;
367
368 if (action != SADB_X_DELFLOW && flow->flow_local != NULL) {
369 /* remote peer */
370 iov[iov_cnt].iov_base = &sa_peer;
371 iov[iov_cnt].iov_len = sizeof(sa_peer);
372 iov_cnt++;
373 iov[iov_cnt].iov_base = &speer;
374 iov[iov_cnt].iov_len = speer.ss_len;
375 smsg.sadb_msg_len += sa_peer.sadb_address_len;
376 iov_cnt++;
377 PAD(speer.ss_len);
378 }
379
380 /* src addr */
381 iov[iov_cnt].iov_base = &sa_src;
382 iov[iov_cnt].iov_len = sizeof(sa_src);
383 iov_cnt++;
384 iov[iov_cnt].iov_base = &ssrc;
385 iov[iov_cnt].iov_len = ssrc.ss_len;
386 smsg.sadb_msg_len += sa_src.sadb_address_len;
387 iov_cnt++;
388 PAD(ssrc.ss_len);
389
390 /* src mask */
391 iov[iov_cnt].iov_base = &sa_smask;
392 iov[iov_cnt].iov_len = sizeof(sa_smask);
393 iov_cnt++;
394 iov[iov_cnt].iov_base = &smask;
395 iov[iov_cnt].iov_len = smask.ss_len;
396 smsg.sadb_msg_len += sa_smask.sadb_address_len;
397 iov_cnt++;
398 PAD(smask.ss_len);
399
400 /* dest addr */
401 iov[iov_cnt].iov_base = &sa_dst;
402 iov[iov_cnt].iov_len = sizeof(sa_dst);
403 iov_cnt++;
404 iov[iov_cnt].iov_base = &sdst;
405 iov[iov_cnt].iov_len = sdst.ss_len;
406 smsg.sadb_msg_len += sa_dst.sadb_address_len;
407 iov_cnt++;
408 PAD(sdst.ss_len);
409
410 /* dst mask */
411 iov[iov_cnt].iov_base = &sa_dmask;
412 iov[iov_cnt].iov_len = sizeof(sa_dmask);
413 iov_cnt++;
414 iov[iov_cnt].iov_base = &dmask;
415 iov[iov_cnt].iov_len = dmask.ss_len;
416 smsg.sadb_msg_len += sa_dmask.sadb_address_len;
417 iov_cnt++;
418 PAD(dmask.ss_len);
419
420 /* add protocol */
421 iov[iov_cnt].iov_base = &sa_protocol;
422 iov[iov_cnt].iov_len = sizeof(sa_protocol);
423 smsg.sadb_msg_len += sa_protocol.sadb_protocol_len;
424 iov_cnt++;
425
426 if (sa_srcid) {
427 /* src identity */
428 iov[iov_cnt].iov_base = sa_srcid;
429 iov[iov_cnt].iov_len = sa_srcid->sadb_ident_len * 8;
430 smsg.sadb_msg_len += sa_srcid->sadb_ident_len;
431 iov_cnt++;
432 }
433 if (sa_dstid) {
434 /* dst identity */
435 iov[iov_cnt].iov_base = sa_dstid;
436 iov[iov_cnt].iov_len = sa_dstid->sadb_ident_len * 8;
437 smsg.sadb_msg_len += sa_dstid->sadb_ident_len;
438 iov_cnt++;
439 }
440
441 if (flow->flow_rdomain >= 0) {
442 iov[iov_cnt].iov_base = &sa_rdomain;
443 iov[iov_cnt].iov_len = sizeof(sa_rdomain);
444 smsg.sadb_msg_len += sa_rdomain.sadb_x_rdomain_len;
445 iov_cnt++;
446 }
447 #undef PAD
448
449 ret = pfkey_write(env, &smsg, iov, iov_cnt, NULL, NULL);
450
451 free(sa_srcid);
452 free(sa_dstid);
453
454 return (ret);
455 }
456
457 int
pfkey_sa(struct iked * env,uint8_t satype,uint8_t action,struct iked_childsa * sa)458 pfkey_sa(struct iked *env, uint8_t satype, uint8_t action, struct iked_childsa *sa)
459 {
460 char iface[IF_NAMESIZE];
461 struct sadb_msg smsg;
462 struct sadb_sa sadb;
463 struct sadb_address sa_src, sa_dst, sa_pxy;
464 struct sadb_key sa_authkey, sa_enckey;
465 struct sadb_lifetime sa_ltime_hard, sa_ltime_soft;
466 struct sadb_x_udpencap udpencap;
467 struct sadb_x_tag sa_tag;
468 struct sadb_x_iface sa_iface;
469 char *tag = NULL;
470 struct sadb_x_tap sa_tap;
471 struct sadb_x_rdomain sa_rdomain;
472 struct sockaddr_storage ssrc, sdst, spxy;
473 struct sadb_ident *sa_srcid, *sa_dstid;
474 struct iked_lifetime *lt;
475 struct iked_policy *pol;
476 struct iked_addr *dst;
477 struct iovec iov[IOV_CNT];
478 const char *errstr = NULL;
479 uint32_t ifminor;
480 uint32_t jitter;
481 int iov_cnt;
482 int ret, dotap = 0;
483 uint64_t pad = 0;
484 size_t padlen;
485
486 sa_srcid = sa_dstid = NULL;
487
488 if (sa->csa_ikesa == NULL || sa->csa_ikesa->sa_policy == NULL) {
489 log_warn("%s: invalid SA and policy", __func__);
490 return (-1);
491 }
492 pol = sa->csa_ikesa->sa_policy;
493 lt = &pol->pol_lifetime;
494
495 bzero(&ssrc, sizeof(ssrc));
496 memcpy(&ssrc, &sa->csa_local->addr, sizeof(ssrc));
497 if (socket_af((struct sockaddr *)&ssrc, 0) == -1) {
498 log_warn("%s: invalid address", __func__);
499 return (-1);
500 }
501
502 dst = (action == IKED_SADB_UPDATE_SA_ADDRESSES &&
503 sa->csa_dir == IPSP_DIRECTION_OUT) ?
504 &sa->csa_ikesa->sa_peer_loaded :
505 sa->csa_peer;
506 bzero(&sdst, sizeof(sdst));
507 memcpy(&sdst, &dst->addr, sizeof(sdst));
508 if (socket_af((struct sockaddr *)&sdst, 0) == -1) {
509 log_warn("%s: invalid address", __func__);
510 return (-1);
511 }
512
513 bzero(&spxy, sizeof(spxy));
514 if (dst != sa->csa_peer) {
515 memcpy(&spxy, &sa->csa_peer->addr, sizeof(spxy));
516 if (socket_af((struct sockaddr *)&spxy, 0) == -1) {
517 log_warn("%s: invalid address", __func__);
518 return (-1);
519 }
520 }
521
522 bzero(&smsg, sizeof(smsg));
523 smsg.sadb_msg_version = PF_KEY_V2;
524 smsg.sadb_msg_seq = ++sadb_msg_seq;
525 smsg.sadb_msg_pid = getpid();
526 smsg.sadb_msg_len = sizeof(smsg) / 8;
527 smsg.sadb_msg_type = action;
528 smsg.sadb_msg_satype = satype;
529
530 bzero(&sadb, sizeof(sadb));
531 sadb.sadb_sa_len = sizeof(sadb) / 8;
532 sadb.sadb_sa_exttype = SADB_EXT_SA;
533 sadb.sadb_sa_spi = htonl(sa->csa_spi.spi);
534 sadb.sadb_sa_state = SADB_SASTATE_MATURE;
535 sadb.sadb_sa_replay = 64;
536
537 if (!sa->csa_transport)
538 sadb.sadb_sa_flags |= SADB_X_SAFLAGS_TUNNEL;
539
540 if (sa->csa_esn)
541 sadb.sadb_sa_flags |= SADB_X_SAFLAGS_ESN;
542
543 bzero(&sa_src, sizeof(sa_src));
544 sa_src.sadb_address_len = (sizeof(sa_src) + ROUNDUP(ssrc.ss_len)) / 8;
545 sa_src.sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
546
547 bzero(&sa_dst, sizeof(sa_dst));
548 sa_dst.sadb_address_len = (sizeof(sa_dst) + ROUNDUP(sdst.ss_len)) / 8;
549 sa_dst.sadb_address_exttype = SADB_EXT_ADDRESS_DST;
550
551 bzero(&sa_pxy, sizeof(sa_pxy));
552 sa_pxy.sadb_address_len = (sizeof(sa_pxy) + ROUNDUP(spxy.ss_len)) / 8;
553 sa_pxy.sadb_address_exttype = SADB_EXT_ADDRESS_PROXY;
554
555 bzero(&sa_authkey, sizeof(sa_authkey));
556 bzero(&sa_enckey, sizeof(sa_enckey));
557 bzero(&udpencap, sizeof udpencap);
558 bzero(&sa_ltime_hard, sizeof(sa_ltime_hard));
559 bzero(&sa_ltime_soft, sizeof(sa_ltime_soft));
560 bzero(&sa_iface, sizeof(sa_iface));
561
562 if (pol->pol_rdomain >= 0) {
563 bzero(&sa_rdomain, sizeof(sa_rdomain));
564 sa_rdomain.sadb_x_rdomain_exttype = SADB_X_EXT_RDOMAIN;
565 sa_rdomain.sadb_x_rdomain_len = sizeof(sa_rdomain) / 8;
566 if (satype == SADB_X_SATYPE_IPCOMP) {
567 /* IPCOMP SAs are always in the pol_rdomain */
568 sa_rdomain.sadb_x_rdomain_dom1 = pol->pol_rdomain;
569 sa_rdomain.sadb_x_rdomain_dom2 = pol->pol_rdomain;
570 } else if (sa->csa_dir == IPSP_DIRECTION_OUT) {
571 /* switch rdomain on encrypt/decrypt */
572 sa_rdomain.sadb_x_rdomain_dom1 = pol->pol_rdomain;
573 sa_rdomain.sadb_x_rdomain_dom2 = iked_rdomain;
574 } else {
575 sa_rdomain.sadb_x_rdomain_dom1 = iked_rdomain;
576 sa_rdomain.sadb_x_rdomain_dom2 = pol->pol_rdomain;
577 }
578 }
579
580 if (action == SADB_DELETE)
581 goto send;
582
583 if (satype == SADB_SATYPE_ESP &&
584 sa->csa_ikesa->sa_udpencap && sa->csa_ikesa->sa_natt) {
585 sadb.sadb_sa_flags |= SADB_X_SAFLAGS_UDPENCAP;
586 udpencap.sadb_x_udpencap_exttype = SADB_X_EXT_UDPENCAP;
587 udpencap.sadb_x_udpencap_len = sizeof(udpencap) / 8;
588 udpencap.sadb_x_udpencap_port =
589 sa->csa_ikesa->sa_peer.addr_port;
590
591 log_debug("%s: udpencap port %d", __func__,
592 ntohs(udpencap.sadb_x_udpencap_port));
593 }
594
595 if (action == IKED_SADB_UPDATE_SA_ADDRESSES) {
596 smsg.sadb_msg_type = SADB_UPDATE;
597 goto send;
598 }
599
600 if ((action == SADB_ADD || action == SADB_UPDATE) &&
601 !sa->csa_persistent && (lt->lt_bytes || lt->lt_seconds)) {
602 sa_ltime_hard.sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
603 sa_ltime_hard.sadb_lifetime_len = sizeof(sa_ltime_hard) / 8;
604 sa_ltime_hard.sadb_lifetime_bytes = lt->lt_bytes;
605 sa_ltime_hard.sadb_lifetime_addtime = lt->lt_seconds;
606
607 /* double the lifetime for ipcomp; disable byte lifetime */
608 if (satype == SADB_X_SATYPE_IPCOMP) {
609 sa_ltime_hard.sadb_lifetime_addtime *= 2;
610 sa_ltime_hard.sadb_lifetime_bytes = 0;
611 }
612
613 sa_ltime_soft.sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT;
614 sa_ltime_soft.sadb_lifetime_len = sizeof(sa_ltime_soft) / 8;
615 /* set randomly to 85-95% */
616 jitter = 850 + arc4random_uniform(100);
617 sa_ltime_soft.sadb_lifetime_bytes =
618 (sa_ltime_hard.sadb_lifetime_bytes * jitter) / 1000;
619 sa_ltime_soft.sadb_lifetime_addtime =
620 (sa_ltime_hard.sadb_lifetime_addtime * jitter) / 1000;
621 }
622
623 /* XXX handle NULL encryption or NULL auth or combined encr/auth */
624 if (action == SADB_ADD &&
625 !ibuf_length(sa->csa_integrkey) && !ibuf_length(sa->csa_encrkey) &&
626 satype != SADB_X_SATYPE_IPCOMP && satype != SADB_X_SATYPE_IPIP) {
627 log_warnx("%s: no key specified", __func__);
628 return (-1);
629 }
630
631 if (sa->csa_integrid)
632 if (pfkey_map(pfkey_integr,
633 sa->csa_integrid, &sadb.sadb_sa_auth) == -1) {
634 log_warnx("%s: unsupported integrity algorithm %s",
635 __func__, print_map(sa->csa_integrid,
636 ikev2_xformauth_map));
637 return (-1);
638 }
639
640 if (sa->csa_encrid)
641 if (pfkey_map(pfkey_encr,
642 sa->csa_encrid, &sadb.sadb_sa_encrypt) == -1) {
643 log_warnx("%s: unsupported encryption algorithm %s",
644 __func__, print_map(sa->csa_encrid,
645 ikev2_xformencr_map));
646 return (-1);
647 }
648
649 if (ibuf_length(sa->csa_integrkey)) {
650 sa_authkey.sadb_key_len = (sizeof(sa_authkey) +
651 ROUNDUP(ibuf_size(sa->csa_integrkey))) / 8;
652 sa_authkey.sadb_key_exttype = SADB_EXT_KEY_AUTH;
653 sa_authkey.sadb_key_bits =
654 8 * ibuf_size(sa->csa_integrkey);
655 }
656
657 if (ibuf_length(sa->csa_encrkey)) {
658 sa_enckey.sadb_key_len = (sizeof(sa_enckey) +
659 ROUNDUP(ibuf_size(sa->csa_encrkey))) / 8;
660 sa_enckey.sadb_key_exttype = SADB_EXT_KEY_ENCRYPT;
661 sa_enckey.sadb_key_bits =
662 8 * ibuf_size(sa->csa_encrkey);
663 }
664
665 /* we only support deflate */
666 if (satype == SADB_X_SATYPE_IPCOMP)
667 sadb.sadb_sa_encrypt = SADB_X_CALG_DEFLATE;
668
669 /* Note that we need to swap the IDs for incoming SAs (SADB_UPDATE) */
670 if (action != SADB_UPDATE) {
671 sa_srcid = pfkey_id2ident(
672 IKESA_SRCID(sa->csa_ikesa), SADB_EXT_IDENTITY_SRC);
673 sa_dstid = pfkey_id2ident(
674 IKESA_DSTID(sa->csa_ikesa), SADB_EXT_IDENTITY_DST);
675 } else {
676 sa_srcid = pfkey_id2ident(
677 IKESA_DSTID(sa->csa_ikesa), SADB_EXT_IDENTITY_SRC);
678 sa_dstid = pfkey_id2ident(
679 IKESA_SRCID(sa->csa_ikesa), SADB_EXT_IDENTITY_DST);
680 }
681
682 tag = sa->csa_ikesa->sa_tag;
683 if (tag != NULL && *tag != '\0') {
684 bzero(&sa_tag, sizeof(sa_tag));
685 sa_tag.sadb_x_tag_exttype = SADB_X_EXT_TAG;
686 sa_tag.sadb_x_tag_len =
687 (ROUNDUP(strlen(tag) + 1) + sizeof(sa_tag)) / 8;
688 sa_tag.sadb_x_tag_taglen = strlen(tag) + 1;
689 } else
690 tag = NULL;
691
692 if (pol->pol_tap != 0) {
693 dotap = 1;
694 bzero(&sa_tap, sizeof(sa_tap));
695 sa_tap.sadb_x_tap_exttype = SADB_X_EXT_TAP;
696 sa_tap.sadb_x_tap_len = sizeof(sa_tap) / 8;
697 sa_tap.sadb_x_tap_unit = pol->pol_tap;
698 }
699
700 if (pol->pol_flags & IKED_POLICY_ROUTING) {
701 sa_iface.sadb_x_iface_exttype = SADB_X_EXT_IFACE;
702 sa_iface.sadb_x_iface_len = sizeof(sa_iface) / 8;
703 if (if_indextoname(pol->pol_iface, iface) == 0) {
704 log_warn("%s: unsupported interface %d",
705 __func__, pol->pol_iface);
706 return (-1);
707 }
708 ifminor = strtonum(iface + strlen("sec"), 0, UINT_MAX, &errstr);
709 if (errstr != NULL) {
710 log_warnx("%s: unsupported interface %s",
711 __func__, iface);
712 return (-1);
713 }
714 sa_iface.sadb_x_iface_unit = ifminor;
715 sa_iface.sadb_x_iface_direction = sa->csa_dir;
716 }
717
718 send:
719
720 #define PAD(len) \
721 padlen = ROUNDUP((len)) - (len); \
722 if (padlen) { \
723 iov[iov_cnt].iov_base = &pad; \
724 iov[iov_cnt].iov_len = padlen; \
725 iov_cnt++; \
726 }
727
728 iov_cnt = 0;
729
730 /* header */
731 iov[iov_cnt].iov_base = &smsg;
732 iov[iov_cnt].iov_len = sizeof(smsg);
733 iov_cnt++;
734
735 /* sa */
736 iov[iov_cnt].iov_base = &sadb;
737 iov[iov_cnt].iov_len = sizeof(sadb);
738 smsg.sadb_msg_len += sadb.sadb_sa_len;
739 iov_cnt++;
740
741 /* src addr */
742 iov[iov_cnt].iov_base = &sa_src;
743 iov[iov_cnt].iov_len = sizeof(sa_src);
744 iov_cnt++;
745 iov[iov_cnt].iov_base = &ssrc;
746 iov[iov_cnt].iov_len = ssrc.ss_len;
747 smsg.sadb_msg_len += sa_src.sadb_address_len;
748 iov_cnt++;
749 PAD(ssrc.ss_len);
750
751 /* dst addr */
752 iov[iov_cnt].iov_base = &sa_dst;
753 iov[iov_cnt].iov_len = sizeof(sa_dst);
754 iov_cnt++;
755 iov[iov_cnt].iov_base = &sdst;
756 iov[iov_cnt].iov_len = sdst.ss_len;
757 smsg.sadb_msg_len += sa_dst.sadb_address_len;
758 iov_cnt++;
759 PAD(sdst.ss_len);
760
761 if (spxy.ss_len) {
762 /* pxy addr */
763 iov[iov_cnt].iov_base = &sa_pxy;
764 iov[iov_cnt].iov_len = sizeof(sa_pxy);
765 iov_cnt++;
766 iov[iov_cnt].iov_base = &spxy;
767 iov[iov_cnt].iov_len = spxy.ss_len;
768 smsg.sadb_msg_len += sa_pxy.sadb_address_len;
769 iov_cnt++;
770 PAD(spxy.ss_len);
771 }
772
773 if (sa_ltime_soft.sadb_lifetime_len) {
774 /* soft lifetime */
775 iov[iov_cnt].iov_base = &sa_ltime_soft;
776 iov[iov_cnt].iov_len = sizeof(sa_ltime_soft);
777 smsg.sadb_msg_len += sa_ltime_soft.sadb_lifetime_len;
778 iov_cnt++;
779 }
780
781 if (sa_ltime_hard.sadb_lifetime_len) {
782 /* hard lifetime */
783 iov[iov_cnt].iov_base = &sa_ltime_hard;
784 iov[iov_cnt].iov_len = sizeof(sa_ltime_hard);
785 smsg.sadb_msg_len += sa_ltime_hard.sadb_lifetime_len;
786 iov_cnt++;
787 }
788
789 if (udpencap.sadb_x_udpencap_len) {
790 iov[iov_cnt].iov_base = &udpencap;
791 iov[iov_cnt].iov_len = sizeof(udpencap);
792 smsg.sadb_msg_len += udpencap.sadb_x_udpencap_len;
793 iov_cnt++;
794 }
795
796 if (sa_enckey.sadb_key_len) {
797 /* encryption key */
798 iov[iov_cnt].iov_base = &sa_enckey;
799 iov[iov_cnt].iov_len = sizeof(sa_enckey);
800 iov_cnt++;
801 iov[iov_cnt].iov_base = ibuf_data(sa->csa_encrkey);
802 iov[iov_cnt].iov_len = ibuf_size(sa->csa_encrkey);
803 smsg.sadb_msg_len += sa_enckey.sadb_key_len;
804 iov_cnt++;
805 PAD(ibuf_size(sa->csa_encrkey));
806 }
807 if (sa_authkey.sadb_key_len) {
808 /* authentication key */
809 iov[iov_cnt].iov_base = &sa_authkey;
810 iov[iov_cnt].iov_len = sizeof(sa_authkey);
811 iov_cnt++;
812 iov[iov_cnt].iov_base = ibuf_data(sa->csa_integrkey);
813 iov[iov_cnt].iov_len = ibuf_size(sa->csa_integrkey);
814 smsg.sadb_msg_len += sa_authkey.sadb_key_len;
815 iov_cnt++;
816 PAD(ibuf_size(sa->csa_integrkey));
817 }
818
819 if (sa_srcid) {
820 /* src identity */
821 iov[iov_cnt].iov_base = sa_srcid;
822 iov[iov_cnt].iov_len = sa_srcid->sadb_ident_len * 8;
823 smsg.sadb_msg_len += sa_srcid->sadb_ident_len;
824 iov_cnt++;
825 }
826 if (sa_dstid) {
827 /* dst identity */
828 iov[iov_cnt].iov_base = sa_dstid;
829 iov[iov_cnt].iov_len = sa_dstid->sadb_ident_len * 8;
830 smsg.sadb_msg_len += sa_dstid->sadb_ident_len;
831 iov_cnt++;
832 }
833
834 if (tag != NULL) {
835 /* tag identity */
836 iov[iov_cnt].iov_base = &sa_tag;
837 iov[iov_cnt].iov_len = sizeof(sa_tag);
838 iov_cnt++;
839 iov[iov_cnt].iov_base = tag;
840 iov[iov_cnt].iov_len = strlen(tag) + 1;
841 smsg.sadb_msg_len += sa_tag.sadb_x_tag_len;
842 iov_cnt++;
843 PAD(strlen(tag) + 1);
844 }
845
846 if (sa_iface.sadb_x_iface_len) {
847 iov[iov_cnt].iov_base = &sa_iface;
848 iov[iov_cnt].iov_len = sa_iface.sadb_x_iface_len * 8;
849 smsg.sadb_msg_len += sa_iface.sadb_x_iface_len;
850 iov_cnt++;
851 }
852
853 if (dotap != 0) {
854 /* enc(4) device tap unit */
855 iov[iov_cnt].iov_base = &sa_tap;
856 iov[iov_cnt].iov_len = sizeof(sa_tap);
857 smsg.sadb_msg_len += sa_tap.sadb_x_tap_len;
858 iov_cnt++;
859 }
860
861 if (pol->pol_rdomain >= 0) {
862 iov[iov_cnt].iov_base = &sa_rdomain;
863 iov[iov_cnt].iov_len = sizeof(sa_rdomain);
864 smsg.sadb_msg_len += sa_rdomain.sadb_x_rdomain_len;
865 iov_cnt++;
866 }
867 #undef PAD
868
869 ret = pfkey_write(env, &smsg, iov, iov_cnt, NULL, NULL);
870
871 free(sa_srcid);
872 free(sa_dstid);
873
874 return ret;
875 }
876
877 int
pfkey_sa_lookup(struct iked * env,struct iked_childsa * sa,uint64_t * last_used,struct iked_sastats * stats)878 pfkey_sa_lookup(struct iked *env, struct iked_childsa *sa, uint64_t *last_used,
879 struct iked_sastats *stats)
880 {
881 struct iked_policy *pol = sa->csa_ikesa->sa_policy;
882 struct sadb_msg *msg, smsg;
883 struct sadb_address sa_src, sa_dst;
884 struct sadb_sa sadb;
885 struct sadb_x_rdomain sa_rdomain;
886 struct sadb_lifetime *sa_life;
887 struct sadb_x_counter *sa_counter;
888 struct sockaddr_storage ssrc, sdst;
889 struct iovec iov[IOV_CNT];
890 uint64_t pad = 0;
891 size_t padlen;
892 uint8_t *data;
893 ssize_t n;
894 int iov_cnt, ret = -1, rdomain;
895 uint8_t satype;
896
897 if (last_used)
898 *last_used = 0;
899
900 if (pfkey_map(pfkey_satype, sa->csa_saproto, &satype) == -1)
901 return (-1);
902
903 bzero(&ssrc, sizeof(ssrc));
904 memcpy(&ssrc, &sa->csa_local->addr, sizeof(ssrc));
905 if (socket_af((struct sockaddr *)&ssrc, 0) == -1) {
906 log_warn("%s: invalid address", __func__);
907 return (-1);
908 }
909
910 bzero(&sdst, sizeof(sdst));
911 memcpy(&sdst, &sa->csa_peer->addr, sizeof(sdst));
912 if (socket_af((struct sockaddr *)&sdst, 0) == -1) {
913 log_warn("%s: invalid address", __func__);
914 return (-1);
915 }
916
917 bzero(&smsg, sizeof(smsg));
918 smsg.sadb_msg_version = PF_KEY_V2;
919 smsg.sadb_msg_seq = ++sadb_msg_seq;
920 smsg.sadb_msg_pid = getpid();
921 smsg.sadb_msg_len = sizeof(smsg) / 8;
922 smsg.sadb_msg_type = SADB_GET;
923 smsg.sadb_msg_satype = satype;
924
925 bzero(&sadb, sizeof(sadb));
926 sadb.sadb_sa_len = sizeof(sadb) / 8;
927 sadb.sadb_sa_exttype = SADB_EXT_SA;
928 sadb.sadb_sa_spi = htonl(sa->csa_spi.spi);
929 sadb.sadb_sa_state = SADB_SASTATE_MATURE;
930 sadb.sadb_sa_replay = 64;
931
932 if (pol->pol_rdomain >= 0) {
933 rdomain = (sa->csa_dir == IPSP_DIRECTION_IN) ?
934 iked_rdomain : pol->pol_rdomain;
935 bzero(&sa_rdomain, sizeof(sa_rdomain));
936 sa_rdomain.sadb_x_rdomain_exttype = SADB_X_EXT_RDOMAIN;
937 sa_rdomain.sadb_x_rdomain_len = sizeof(sa_rdomain) / 8;
938 sa_rdomain.sadb_x_rdomain_dom1 = rdomain;
939 }
940
941 bzero(&sa_src, sizeof(sa_src));
942 sa_src.sadb_address_len = (sizeof(sa_src) + ROUNDUP(ssrc.ss_len)) / 8;
943 sa_src.sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
944
945 bzero(&sa_dst, sizeof(sa_dst));
946 sa_dst.sadb_address_len = (sizeof(sa_dst) + ROUNDUP(sdst.ss_len)) / 8;
947 sa_dst.sadb_address_exttype = SADB_EXT_ADDRESS_DST;
948
949 iov_cnt = 0;
950
951 #define PAD(len) \
952 padlen = ROUNDUP((len)) - (len); \
953 if (padlen) { \
954 iov[iov_cnt].iov_base = &pad; \
955 iov[iov_cnt].iov_len = padlen; \
956 iov_cnt++; \
957 }
958
959 /* header */
960 iov[iov_cnt].iov_base = &smsg;
961 iov[iov_cnt].iov_len = sizeof(smsg);
962 iov_cnt++;
963
964 /* sa */
965 iov[iov_cnt].iov_base = &sadb;
966 iov[iov_cnt].iov_len = sizeof(sadb);
967 smsg.sadb_msg_len += sadb.sadb_sa_len;
968 iov_cnt++;
969
970 /* src addr */
971 iov[iov_cnt].iov_base = &sa_src;
972 iov[iov_cnt].iov_len = sizeof(sa_src);
973 iov_cnt++;
974 iov[iov_cnt].iov_base = &ssrc;
975 iov[iov_cnt].iov_len = ssrc.ss_len;
976 smsg.sadb_msg_len += sa_src.sadb_address_len;
977 iov_cnt++;
978 PAD(ssrc.ss_len);
979
980 /* dst addr */
981 iov[iov_cnt].iov_base = &sa_dst;
982 iov[iov_cnt].iov_len = sizeof(sa_dst);
983 iov_cnt++;
984 iov[iov_cnt].iov_base = &sdst;
985 iov[iov_cnt].iov_len = sdst.ss_len;
986 smsg.sadb_msg_len += sa_dst.sadb_address_len;
987 iov_cnt++;
988 PAD(sdst.ss_len);
989
990 if (pol->pol_rdomain >= 0) {
991 iov[iov_cnt].iov_base = &sa_rdomain;
992 iov[iov_cnt].iov_len = sizeof(sa_rdomain);
993 smsg.sadb_msg_len += sa_rdomain.sadb_x_rdomain_len;
994 iov_cnt++;
995 }
996
997 if ((ret = pfkey_write(env, &smsg, iov, iov_cnt, &data, &n)) != 0)
998 return (-1);
999
1000 msg = (struct sadb_msg *)data;
1001 if (msg->sadb_msg_errno != 0) {
1002 errno = msg->sadb_msg_errno;
1003 ret = -1;
1004 if (errno == ESRCH)
1005 log_debug("%s: not found", __func__);
1006 else
1007 log_warn("%s: message", __func__);
1008 goto done;
1009 }
1010 if (last_used) {
1011 if ((sa_life = pfkey_find_ext(data, n,
1012 SADB_X_EXT_LIFETIME_LASTUSE)) == NULL) {
1013 /* has never been used */
1014 ret = -1;
1015 goto done;
1016 }
1017 *last_used = sa_life->sadb_lifetime_usetime;
1018 log_debug("%s: last_used %llu", __func__, *last_used);
1019 }
1020 if (stats) {
1021 if ((sa_counter = pfkey_find_ext(data, n,
1022 SADB_X_EXT_COUNTER)) == NULL) {
1023 /* has never been used */
1024 ret = -1;
1025 goto done;
1026 }
1027 stats->sas_ibytes = sa_counter->sadb_x_counter_ibytes;
1028 stats->sas_obytes = sa_counter->sadb_x_counter_obytes;
1029 stats->sas_ipackets = sa_counter->sadb_x_counter_ipackets;
1030 stats->sas_opackets = sa_counter->sadb_x_counter_opackets;
1031 stats->sas_idrops = sa_counter->sadb_x_counter_idrops;
1032 stats->sas_odrops = sa_counter->sadb_x_counter_odrops;
1033 }
1034
1035 #undef PAD
1036 done:
1037 freezero(data, n);
1038 return (ret);
1039 }
1040
1041 int
pfkey_sa_last_used(struct iked * env,struct iked_childsa * sa,uint64_t * last_used)1042 pfkey_sa_last_used(struct iked *env, struct iked_childsa *sa, uint64_t *last_used)
1043 {
1044 return pfkey_sa_lookup(env, sa, last_used, NULL);
1045 }
1046
1047 int
pfkey_sa_check_exists(struct iked * env,struct iked_childsa * sa)1048 pfkey_sa_check_exists(struct iked *env, struct iked_childsa *sa)
1049 {
1050 return pfkey_sa_lookup(env, sa, NULL, NULL);
1051 }
1052
1053 int
pfkey_sa_sastats(struct iked * env,struct iked_childsa * sa,struct iked_sastats * stats)1054 pfkey_sa_sastats(struct iked *env, struct iked_childsa *sa,
1055 struct iked_sastats *stats)
1056 {
1057 return pfkey_sa_lookup(env, sa, NULL, stats);
1058 }
1059
1060 int
pfkey_sa_getspi(struct iked * env,uint8_t satype,struct iked_childsa * sa,uint32_t * spip)1061 pfkey_sa_getspi(struct iked *env, uint8_t satype, struct iked_childsa *sa,
1062 uint32_t *spip)
1063 {
1064 struct sadb_msg *msg, smsg;
1065 struct sadb_address sa_src, sa_dst;
1066 struct sadb_sa *sa_ext;
1067 struct sadb_spirange sa_spirange;
1068 struct sockaddr_storage ssrc, sdst;
1069 struct iovec iov[IOV_CNT];
1070 uint64_t pad = 0;
1071 size_t padlen;
1072 uint8_t *data;
1073 ssize_t n;
1074 int iov_cnt, ret = -1;
1075
1076 bzero(&ssrc, sizeof(ssrc));
1077 memcpy(&ssrc, &sa->csa_local->addr, sizeof(ssrc));
1078 if (socket_af((struct sockaddr *)&ssrc, 0) == -1) {
1079 log_warn("%s: invalid address", __func__);
1080 return (-1);
1081 }
1082
1083 bzero(&sdst, sizeof(sdst));
1084 memcpy(&sdst, &sa->csa_peer->addr, sizeof(sdst));
1085 if (socket_af((struct sockaddr *)&sdst, 0) == -1) {
1086 log_warn("%s: invalid address", __func__);
1087 return (-1);
1088 }
1089
1090 bzero(&smsg, sizeof(smsg));
1091 smsg.sadb_msg_version = PF_KEY_V2;
1092 smsg.sadb_msg_seq = ++sadb_msg_seq;
1093 smsg.sadb_msg_pid = getpid();
1094 smsg.sadb_msg_len = sizeof(smsg) / 8;
1095 smsg.sadb_msg_type = SADB_GETSPI;
1096 smsg.sadb_msg_satype = satype;
1097
1098 bzero(&sa_spirange, sizeof(sa_spirange));
1099 sa_spirange.sadb_spirange_exttype = SADB_EXT_SPIRANGE;
1100 sa_spirange.sadb_spirange_len = sizeof(sa_spirange) / 8;
1101 sa_spirange.sadb_spirange_min = 0x100;
1102 sa_spirange.sadb_spirange_max = (satype == SADB_X_SATYPE_IPCOMP) ?
1103 (CPI_PRIVATE_MIN - 1) : 0xffffffff;
1104 sa_spirange.sadb_spirange_reserved = 0;
1105
1106 bzero(&sa_src, sizeof(sa_src));
1107 sa_src.sadb_address_len = (sizeof(sa_src) + ROUNDUP(ssrc.ss_len)) / 8;
1108 sa_src.sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
1109
1110 bzero(&sa_dst, sizeof(sa_dst));
1111 sa_dst.sadb_address_len = (sizeof(sa_dst) + ROUNDUP(sdst.ss_len)) / 8;
1112 sa_dst.sadb_address_exttype = SADB_EXT_ADDRESS_DST;
1113
1114 #define PAD(len) \
1115 padlen = ROUNDUP((len)) - (len); \
1116 if (padlen) { \
1117 iov[iov_cnt].iov_base = &pad; \
1118 iov[iov_cnt].iov_len = padlen; \
1119 iov_cnt++; \
1120 }
1121
1122 iov_cnt = 0;
1123
1124 /* header */
1125 iov[iov_cnt].iov_base = &smsg;
1126 iov[iov_cnt].iov_len = sizeof(smsg);
1127 iov_cnt++;
1128
1129 /* SPI range */
1130 iov[iov_cnt].iov_base = &sa_spirange;
1131 iov[iov_cnt].iov_len = sizeof(sa_spirange);
1132 smsg.sadb_msg_len += sa_spirange.sadb_spirange_len;
1133 iov_cnt++;
1134
1135 /* src addr */
1136 iov[iov_cnt].iov_base = &sa_src;
1137 iov[iov_cnt].iov_len = sizeof(sa_src);
1138 iov_cnt++;
1139 iov[iov_cnt].iov_base = &ssrc;
1140 iov[iov_cnt].iov_len = ssrc.ss_len;
1141 smsg.sadb_msg_len += sa_src.sadb_address_len;
1142 iov_cnt++;
1143 PAD(ssrc.ss_len);
1144
1145 /* dst addr */
1146 iov[iov_cnt].iov_base = &sa_dst;
1147 iov[iov_cnt].iov_len = sizeof(sa_dst);
1148 iov_cnt++;
1149 iov[iov_cnt].iov_base = &sdst;
1150 iov[iov_cnt].iov_len = sdst.ss_len;
1151 smsg.sadb_msg_len += sa_dst.sadb_address_len;
1152 iov_cnt++;
1153 PAD(sdst.ss_len);
1154
1155 *spip = 0;
1156
1157 if ((ret = pfkey_write(env, &smsg, iov, iov_cnt, &data, &n)) != 0)
1158 return (-1);
1159
1160 msg = (struct sadb_msg *)data;
1161 if (msg->sadb_msg_errno != 0) {
1162 errno = msg->sadb_msg_errno;
1163 log_warn("%s: message", __func__);
1164 goto done;
1165 }
1166 if ((sa_ext = pfkey_find_ext(data, n, SADB_EXT_SA)) == NULL) {
1167 log_debug("%s: erroneous reply", __func__);
1168 goto done;
1169 }
1170
1171 *spip = ntohl(sa_ext->sadb_sa_spi);
1172 log_debug("%s: spi 0x%08x", __func__, *spip);
1173
1174 #undef PAD
1175
1176 done:
1177 freezero(data, n);
1178 return (ret);
1179 }
1180
1181 int
pfkey_sagroup(struct iked * env,uint8_t satype1,uint8_t action,struct iked_childsa * sa1,struct iked_childsa * sa2)1182 pfkey_sagroup(struct iked *env, uint8_t satype1, uint8_t action,
1183 struct iked_childsa *sa1, struct iked_childsa *sa2)
1184 {
1185 struct sadb_msg smsg;
1186 struct sadb_sa sadb1, sadb2;
1187 struct sadb_address sa_dst1, sa_dst2;
1188 struct sockaddr_storage sdst1, sdst2;
1189 struct sadb_protocol sa_proto;
1190 struct sadb_x_rdomain sa_rdomain;
1191 struct iked_policy *pol;
1192 struct iovec iov[IOV_CNT];
1193 uint64_t pad = 0;
1194 size_t padlen;
1195 int iov_cnt;
1196 int group_rdomain;
1197 uint8_t satype2;
1198
1199 if (pfkey_map(pfkey_satype, sa2->csa_saproto, &satype2) == -1)
1200 return (-1);
1201
1202 bzero(&sdst1, sizeof(sdst1));
1203 memcpy(&sdst1, &sa1->csa_peer->addr, sizeof(sdst1));
1204 if (socket_af((struct sockaddr *)&sdst1, 0) == -1) {
1205 log_warnx("%s: unsupported address family %d",
1206 __func__, sdst1.ss_family);
1207 return (-1);
1208 }
1209
1210 bzero(&sdst2, sizeof(sdst2));
1211 memcpy(&sdst2, &sa2->csa_peer->addr, sizeof(sdst2));
1212 if (socket_af((struct sockaddr *)&sdst2, 0) == -1) {
1213 log_warnx("%s: unsupported address family %d",
1214 __func__, sdst2.ss_family);
1215 return (-1);
1216 }
1217
1218 bzero(&smsg, sizeof(smsg));
1219 smsg.sadb_msg_version = PF_KEY_V2;
1220 smsg.sadb_msg_seq = ++sadb_msg_seq;
1221 smsg.sadb_msg_pid = getpid();
1222 smsg.sadb_msg_len = sizeof(smsg) / 8;
1223 smsg.sadb_msg_type = action;
1224 smsg.sadb_msg_satype = satype1;
1225
1226 bzero(&sadb1, sizeof(sadb1));
1227 sadb1.sadb_sa_len = sizeof(sadb1) / 8;
1228 sadb1.sadb_sa_exttype = SADB_EXT_SA;
1229 sadb1.sadb_sa_spi = htonl(sa1->csa_spi.spi);
1230 sadb1.sadb_sa_state = SADB_SASTATE_MATURE;
1231
1232 bzero(&sadb2, sizeof(sadb2));
1233 sadb2.sadb_sa_len = sizeof(sadb2) / 8;
1234 sadb2.sadb_sa_exttype = SADB_X_EXT_SA2;
1235 sadb2.sadb_sa_spi = htonl(sa2->csa_spi.spi);
1236 sadb2.sadb_sa_state = SADB_SASTATE_MATURE;
1237
1238 /* Incoming SA1 (IPCOMP) and SA2 (ESP) are in different/other rdomain */
1239 group_rdomain =
1240 (pol = sa1->csa_ikesa->sa_policy) != NULL &&
1241 pol->pol_rdomain >= 0 &&
1242 satype1 == SADB_X_SATYPE_IPCOMP &&
1243 satype2 == SADB_SATYPE_ESP;
1244 if (group_rdomain) {
1245 bzero(&sa_rdomain, sizeof(sa_rdomain));
1246 sa_rdomain.sadb_x_rdomain_exttype = SADB_X_EXT_RDOMAIN;
1247 sa_rdomain.sadb_x_rdomain_len = sizeof(sa_rdomain) / 8;
1248 if (sa1->csa_dir == IPSP_DIRECTION_IN) {
1249 /* only ESP SA is iked's rdomain */
1250 sa_rdomain.sadb_x_rdomain_dom1 = pol->pol_rdomain;
1251 sa_rdomain.sadb_x_rdomain_dom2 = iked_rdomain;
1252 } else {
1253 /* both SAs are in pol_rdomain */
1254 sa_rdomain.sadb_x_rdomain_dom1 = pol->pol_rdomain;
1255 sa_rdomain.sadb_x_rdomain_dom2 = pol->pol_rdomain;
1256 }
1257 }
1258
1259 iov_cnt = 0;
1260
1261 bzero(&sa_dst1, sizeof(sa_dst1));
1262 sa_dst1.sadb_address_exttype = SADB_EXT_ADDRESS_DST;
1263 sa_dst1.sadb_address_len =
1264 (sizeof(sa_dst1) + ROUNDUP(sdst1.ss_len)) / 8;
1265
1266 bzero(&sa_dst2, sizeof(sa_dst2));
1267 sa_dst2.sadb_address_exttype = SADB_X_EXT_DST2;
1268 sa_dst2.sadb_address_len =
1269 (sizeof(sa_dst2) + ROUNDUP(sdst2.ss_len)) / 8;
1270
1271 bzero(&sa_proto, sizeof(sa_proto));
1272 sa_proto.sadb_protocol_exttype = SADB_X_EXT_SATYPE2;
1273 sa_proto.sadb_protocol_len = sizeof(sa_proto) / 8;
1274 sa_proto.sadb_protocol_direction = 0;
1275 sa_proto.sadb_protocol_proto = satype2;
1276
1277 #define PAD(len) \
1278 padlen = ROUNDUP((len)) - (len); \
1279 if (padlen) { \
1280 iov[iov_cnt].iov_base = &pad; \
1281 iov[iov_cnt].iov_len = padlen; \
1282 iov_cnt++; \
1283 }
1284
1285 /* header */
1286 iov[iov_cnt].iov_base = &smsg;
1287 iov[iov_cnt].iov_len = sizeof(smsg);
1288 iov_cnt++;
1289
1290 /* sa */
1291 iov[iov_cnt].iov_base = &sadb1;
1292 iov[iov_cnt].iov_len = sizeof(sadb1);
1293 smsg.sadb_msg_len += sadb1.sadb_sa_len;
1294 iov_cnt++;
1295
1296 /* dst addr */
1297 iov[iov_cnt].iov_base = &sa_dst1;
1298 iov[iov_cnt].iov_len = sizeof(sa_dst1);
1299 iov_cnt++;
1300 iov[iov_cnt].iov_base = &sdst1;
1301 iov[iov_cnt].iov_len = sdst1.ss_len;
1302 smsg.sadb_msg_len += sa_dst1.sadb_address_len;
1303 iov_cnt++;
1304 PAD(sdst1.ss_len);
1305
1306 /* second sa */
1307 iov[iov_cnt].iov_base = &sadb2;
1308 iov[iov_cnt].iov_len = sizeof(sadb2);
1309 smsg.sadb_msg_len += sadb2.sadb_sa_len;
1310 iov_cnt++;
1311
1312 /* second dst addr */
1313 iov[iov_cnt].iov_base = &sa_dst2;
1314 iov[iov_cnt].iov_len = sizeof(sa_dst2);
1315 iov_cnt++;
1316 iov[iov_cnt].iov_base = &sdst2;
1317 iov[iov_cnt].iov_len = sdst2.ss_len;
1318 smsg.sadb_msg_len += sa_dst2.sadb_address_len;
1319 iov_cnt++;
1320 PAD(sdst2.ss_len);
1321
1322 /* SA type */
1323 iov[iov_cnt].iov_base = &sa_proto;
1324 iov[iov_cnt].iov_len = sizeof(sa_proto);
1325 smsg.sadb_msg_len += sa_proto.sadb_protocol_len;
1326 iov_cnt++;
1327
1328 /* SA1 and SA2 are from different rdomains */
1329 if (group_rdomain) {
1330 iov[iov_cnt].iov_base = &sa_rdomain;
1331 iov[iov_cnt].iov_len = sizeof(sa_rdomain);
1332 smsg.sadb_msg_len += sa_rdomain.sadb_x_rdomain_len;
1333 iov_cnt++;
1334 }
1335
1336 #undef PAD
1337
1338 return (pfkey_write(env, &smsg, iov, iov_cnt, NULL, NULL));
1339 }
1340
1341 int
pfkey_write(struct iked * env,struct sadb_msg * smsg,struct iovec * iov,int iov_cnt,uint8_t ** datap,ssize_t * lenp)1342 pfkey_write(struct iked *env, struct sadb_msg *smsg, struct iovec *iov, int iov_cnt,
1343 uint8_t **datap, ssize_t *lenp)
1344 {
1345 ssize_t n, len = smsg->sadb_msg_len * 8;
1346 int ret = -1;
1347
1348 if (sadb_decoupled) {
1349 switch (smsg->sadb_msg_type) {
1350 case SADB_GETSPI:
1351 /* we need to get a new SPI from the kernel */
1352 break;
1353 default:
1354 if (datap || lenp) {
1355 log_warnx("%s: pfkey not coupled", __func__);
1356 return (-1);
1357 }
1358 /* ignore request */
1359 return (0);
1360 }
1361 }
1362
1363 /* Delete event to poll() in pfkey_reply() */
1364 event_del(&env->sc_pfkeyev);
1365
1366 if ((n = writev(env->sc_pfkey, iov, iov_cnt)) == -1) {
1367 log_warn("%s: writev failed: type %u len %zd",
1368 __func__, smsg->sadb_msg_type, len);
1369 goto done;
1370 } else if (n != len) {
1371 log_warn("%s: short write", __func__);
1372 goto done;
1373 }
1374
1375 ret = pfkey_reply(env->sc_pfkey, datap, lenp);
1376 done:
1377 event_add(&env->sc_pfkeyev, NULL);
1378 return (ret);
1379 }
1380
1381 /* wait for pfkey response and returns 0 for ok, -1 for error, -2 for timeout */
1382 int
pfkey_reply(int fd,uint8_t ** datap,ssize_t * lenp)1383 pfkey_reply(int fd, uint8_t **datap, ssize_t *lenp)
1384 {
1385 struct pfkey_message *pm;
1386 struct sadb_msg hdr;
1387 ssize_t len;
1388 uint8_t *data;
1389 struct pollfd pfd[1];
1390 int n;
1391
1392 pfd[0].fd = fd;
1393 pfd[0].events = POLLIN;
1394
1395 for (;;) {
1396 /*
1397 * We should actually expect the reply to get lost
1398 * as PF_KEY is an unreliable service per the specs.
1399 * Currently we do this by setting a short timeout,
1400 * and if it is not readable in that time, we fail
1401 * the read.
1402 */
1403 n = poll(pfd, 1, PFKEY_REPLY_TIMEOUT / 1000);
1404 if (n == -1) {
1405 log_warn("%s: poll() failed", __func__);
1406 return (-1);
1407 }
1408 if (n == 0) {
1409 log_warnx("%s: no reply from PF_KEY", __func__);
1410 return (-2); /* retry */
1411 }
1412
1413 if (recv(fd, &hdr, sizeof(hdr), MSG_PEEK) != sizeof(hdr)) {
1414 log_warn("%s: short recv", __func__);
1415 return (-1);
1416 }
1417
1418 if (hdr.sadb_msg_version != PF_KEY_V2) {
1419 log_warnx("%s: wrong pfkey version", __func__);
1420 return (-1);
1421 }
1422
1423 if ((data = reallocarray(NULL, hdr.sadb_msg_len,
1424 PFKEYV2_CHUNK)) == NULL) {
1425 log_warn("%s: malloc", __func__);
1426 return (-1);
1427 }
1428 len = hdr.sadb_msg_len * PFKEYV2_CHUNK;
1429
1430 if (read(fd, data, len) != len) {
1431 log_warnx("%s: short read", __func__);
1432 free(data);
1433 return (-1);
1434 }
1435
1436 /* XXX: Only one message can be outstanding. */
1437 if (hdr.sadb_msg_seq == sadb_msg_seq &&
1438 hdr.sadb_msg_pid == (uint32_t)getpid())
1439 break;
1440
1441 /* ignore messages for other processes */
1442 if (hdr.sadb_msg_pid != 0 &&
1443 hdr.sadb_msg_pid != (uint32_t)getpid()) {
1444 free(data);
1445 continue;
1446 }
1447
1448 /* not the reply, enqueue */
1449 if ((pm = malloc(sizeof(*pm))) == NULL) {
1450 log_warn("%s: malloc", __func__);
1451 free(data);
1452 return (-1);
1453 }
1454 pm->pm_data = data;
1455 pm->pm_length = len;
1456 SIMPLEQ_INSERT_TAIL(&pfkey_postponed, pm, pm_entry);
1457 evtimer_add(&pfkey_timer_ev, &pfkey_timer_tv);
1458 }
1459
1460 if (datap) {
1461 *datap = data;
1462 if (lenp)
1463 *lenp = len;
1464 } else
1465 free(data);
1466
1467 if (datap == NULL && hdr.sadb_msg_errno != 0) {
1468 errno = hdr.sadb_msg_errno;
1469 if (errno != EEXIST) {
1470 if (errno == ESRCH)
1471 log_debug("%s: not found", __func__);
1472 else
1473 log_warn("%s: message", __func__);
1474 return (-1);
1475 }
1476 }
1477 return (0);
1478 }
1479
1480 int
pfkey_flow_add(struct iked * env,struct iked_flow * flow)1481 pfkey_flow_add(struct iked *env, struct iked_flow *flow)
1482 {
1483 uint8_t satype;
1484
1485 if (flow->flow_loaded)
1486 return (0);
1487
1488 if (pfkey_map(pfkey_satype, flow->flow_saproto, &satype) == -1)
1489 return (-1);
1490
1491 if (pfkey_flow(env, satype, SADB_X_ADDFLOW, flow) == -1)
1492 return (-1);
1493
1494 flow->flow_loaded = 1;
1495
1496 return (0);
1497 }
1498
1499 int
pfkey_flow_delete(struct iked * env,struct iked_flow * flow)1500 pfkey_flow_delete(struct iked *env, struct iked_flow *flow)
1501 {
1502 uint8_t satype;
1503
1504 if (!flow->flow_loaded)
1505 return (0);
1506
1507 if (pfkey_map(pfkey_satype, flow->flow_saproto, &satype) == -1)
1508 return (-1);
1509
1510 if (pfkey_flow(env, satype, SADB_X_DELFLOW, flow) == -1)
1511 return (-1);
1512
1513 flow->flow_loaded = 0;
1514
1515 return (0);
1516 }
1517
1518 int
pfkey_sa_init(struct iked * env,struct iked_childsa * sa,uint32_t * spi)1519 pfkey_sa_init(struct iked *env, struct iked_childsa *sa, uint32_t *spi)
1520 {
1521 uint8_t satype;
1522
1523 if (pfkey_map(pfkey_satype, sa->csa_saproto, &satype) == -1)
1524 return (-1);
1525
1526 if (pfkey_sa_getspi(env, satype, sa, spi) == -1)
1527 return (-1);
1528
1529 log_debug("%s: new spi 0x%08x", __func__, *spi);
1530
1531 return (0);
1532 }
1533
1534 int
pfkey_sa_add(struct iked * env,struct iked_childsa * sa,struct iked_childsa * last)1535 pfkey_sa_add(struct iked *env, struct iked_childsa *sa, struct iked_childsa *last)
1536 {
1537 uint8_t satype;
1538 unsigned int cmd;
1539 int rval;
1540
1541 if (pfkey_map(pfkey_satype, sa->csa_saproto, &satype) == -1)
1542 return (-1);
1543
1544 if (sa->csa_allocated || sa->csa_loaded)
1545 cmd = SADB_UPDATE;
1546 else
1547 cmd = SADB_ADD;
1548
1549 log_debug("%s: %s spi %s", __func__, cmd == SADB_ADD ? "add": "update",
1550 print_spi(sa->csa_spi.spi, 4));
1551
1552 rval = pfkey_sa(env, satype, cmd, sa);
1553 if (rval != 0) {
1554 if (cmd == SADB_ADD) {
1555 if (rval == -2) {
1556 /* timeout: check for existence */
1557 if (pfkey_sa_check_exists(env, sa) == 0) {
1558 log_debug("%s: SA exists after timeout",
1559 __func__);
1560 goto loaded;
1561 }
1562 }
1563 (void)pfkey_sa_delete(env, sa);
1564 return (-1);
1565 }
1566 if (sa->csa_allocated && !sa->csa_loaded && errno == ESRCH) {
1567 /* Needed for recoupling local SAs */
1568 log_debug("%s: SADB_UPDATE on local SA returned ESRCH,"
1569 " trying SADB_ADD", __func__);
1570 if (pfkey_sa(env, satype, SADB_ADD, sa) == -1)
1571 return (-1);
1572 } else {
1573 return (-1);
1574 }
1575 }
1576
1577 loaded:
1578 if (last != NULL) {
1579 if (pfkey_sagroup(env, satype,
1580 SADB_X_GRPSPIS, sa, last) == -1) {
1581 (void)pfkey_sa_delete(env, sa);
1582 return (-1);
1583 }
1584 }
1585
1586 sa->csa_loaded = 1;
1587 return (0);
1588 }
1589
1590 int
pfkey_sa_update_addresses(struct iked * env,struct iked_childsa * sa)1591 pfkey_sa_update_addresses(struct iked *env, struct iked_childsa *sa)
1592 {
1593 uint8_t satype;
1594
1595 if (!sa->csa_ikesa)
1596 return (-1);
1597 /* check if peer has changed */
1598 if (sa->csa_ikesa->sa_peer_loaded.addr.ss_family == AF_UNSPEC ||
1599 memcmp(&sa->csa_ikesa->sa_peer_loaded, &sa->csa_ikesa->sa_peer,
1600 sizeof(sa->csa_ikesa->sa_peer_loaded)) == 0)
1601 return (0);
1602 if (pfkey_map(pfkey_satype, sa->csa_saproto, &satype) == -1)
1603 return (-1);
1604 log_debug("%s: spi %s", __func__, print_spi(sa->csa_spi.spi, 4));
1605 return pfkey_sa(env, satype, IKED_SADB_UPDATE_SA_ADDRESSES, sa);
1606 }
1607
1608 int
pfkey_sa_delete(struct iked * env,struct iked_childsa * sa)1609 pfkey_sa_delete(struct iked *env, struct iked_childsa *sa)
1610 {
1611 uint8_t satype;
1612 struct iked_sastats sas;
1613
1614 if (!sa->csa_loaded || sa->csa_spi.spi == 0)
1615 return (0);
1616
1617 if (pfkey_map(pfkey_satype, sa->csa_saproto, &satype) == -1)
1618 return (-1);
1619
1620 /* preserve the statistics */
1621 memset(&sas, 0, sizeof(sas));
1622 pfkey_sa_sastats(env, sa, &sas);
1623
1624 if (pfkey_sa(env, satype, SADB_DELETE, sa) == -1 &&
1625 pfkey_sa_check_exists(env, sa) == 0)
1626 return (-1);
1627
1628 sa->csa_loaded = 0;
1629
1630 sa->csa_ikesa->sa_stats.sas_ipackets += sas.sas_ipackets;
1631 sa->csa_ikesa->sa_stats.sas_opackets += sas.sas_opackets;
1632 sa->csa_ikesa->sa_stats.sas_ibytes += sas.sas_ibytes;
1633 sa->csa_ikesa->sa_stats.sas_obytes += sas.sas_obytes;
1634 sa->csa_ikesa->sa_stats.sas_idrops += sas.sas_idrops;
1635 sa->csa_ikesa->sa_stats.sas_odrops += sas.sas_odrops;
1636
1637 return (0);
1638 }
1639
1640 int
pfkey_flush(struct iked * env)1641 pfkey_flush(struct iked *env)
1642 {
1643 struct sadb_msg smsg;
1644 struct iovec iov[IOV_CNT];
1645 int iov_cnt;
1646
1647 bzero(&smsg, sizeof(smsg));
1648 smsg.sadb_msg_version = PF_KEY_V2;
1649 smsg.sadb_msg_seq = ++sadb_msg_seq;
1650 smsg.sadb_msg_pid = getpid();
1651 smsg.sadb_msg_len = sizeof(smsg) / 8;
1652 smsg.sadb_msg_type = SADB_FLUSH;
1653 smsg.sadb_msg_satype = SADB_SATYPE_UNSPEC;
1654
1655 iov_cnt = 0;
1656
1657 iov[iov_cnt].iov_base = &smsg;
1658 iov[iov_cnt].iov_len = sizeof(smsg);
1659 iov_cnt++;
1660
1661 return (pfkey_write(env, &smsg, iov, iov_cnt, NULL, NULL));
1662 }
1663
1664 struct sadb_ident *
pfkey_id2ident(struct iked_id * id,unsigned int exttype)1665 pfkey_id2ident(struct iked_id *id, unsigned int exttype)
1666 {
1667 char idstr[IKED_ID_SIZE];
1668 unsigned int type;
1669 size_t len;
1670 struct sadb_ident *sa_id;
1671
1672 switch (id->id_type) {
1673 case IKEV2_ID_FQDN:
1674 type = SADB_IDENTTYPE_FQDN;
1675 break;
1676 case IKEV2_ID_UFQDN:
1677 type = SADB_IDENTTYPE_USERFQDN;
1678 break;
1679 case IKEV2_ID_IPV4:
1680 case IKEV2_ID_IPV6:
1681 type = SADB_IDENTTYPE_PREFIX;
1682 break;
1683 case IKEV2_ID_ASN1_DN:
1684 type = SADB_IDENTTYPE_ASN1_DN;
1685 break;
1686 case IKEV2_ID_ASN1_GN:
1687 case IKEV2_ID_KEY_ID:
1688 case IKEV2_ID_NONE:
1689 default:
1690 /* XXX not implemented/supported by PFKEY */
1691 return (NULL);
1692 }
1693
1694 bzero(&idstr, sizeof(idstr));
1695
1696 if (ikev2_print_id(id, idstr, sizeof(idstr)) == -1)
1697 return (NULL);
1698
1699 len = ROUNDUP(strlen(idstr) + 1) + sizeof(*sa_id);
1700 if ((sa_id = calloc(1, len)) == NULL)
1701 return (NULL);
1702
1703 strlcpy((char *)(sa_id + 1), idstr, ROUNDUP(strlen(idstr) + 1));
1704 sa_id->sadb_ident_type = type;
1705 sa_id->sadb_ident_len = len / 8;
1706 sa_id->sadb_ident_exttype = exttype;
1707
1708 return (sa_id);
1709 }
1710
1711 int
pfkey_socket(struct iked * env)1712 pfkey_socket(struct iked *env)
1713 {
1714 int fd;
1715
1716 if (privsep_process != PROC_PARENT)
1717 fatal("pfkey_socket: called from unprivileged process");
1718
1719 if ((fd = socket(PF_KEY, SOCK_RAW, PF_KEY_V2)) == -1)
1720 fatal("pfkey_socket: failed to open PF_KEY socket");
1721
1722 return (fd);
1723 }
1724
1725 void
pfkey_init(struct iked * env,int fd)1726 pfkey_init(struct iked *env, int fd)
1727 {
1728 struct sadb_msg smsg;
1729 struct iovec iov;
1730
1731 iked_rdomain = getrtable();
1732
1733 /* Set up a timer to process messages deferred by the pfkey_reply */
1734 pfkey_timer_tv.tv_sec = 1;
1735 pfkey_timer_tv.tv_usec = 0;
1736 evtimer_set(&pfkey_timer_ev, pfkey_timer_cb, env);
1737
1738 /* Register the pfkey socket event handler */
1739 env->sc_pfkey = fd;
1740 event_set(&env->sc_pfkeyev, env->sc_pfkey,
1741 EV_READ|EV_PERSIST, pfkey_dispatch, env);
1742 event_add(&env->sc_pfkeyev, NULL);
1743
1744 pfkey_flush(env);
1745
1746 /* Register it to get ESP and AH acquires from the kernel */
1747 bzero(&smsg, sizeof(smsg));
1748 smsg.sadb_msg_version = PF_KEY_V2;
1749 smsg.sadb_msg_seq = ++sadb_msg_seq;
1750 smsg.sadb_msg_pid = getpid();
1751 smsg.sadb_msg_len = sizeof(smsg) / 8;
1752 smsg.sadb_msg_type = SADB_REGISTER;
1753 smsg.sadb_msg_satype = SADB_SATYPE_ESP;
1754
1755 iov.iov_base = &smsg;
1756 iov.iov_len = sizeof(smsg);
1757
1758 if (pfkey_write(env, &smsg, &iov, 1, NULL, NULL))
1759 fatal("pfkey_init: failed to set up ESP acquires");
1760
1761 bzero(&smsg, sizeof(smsg));
1762 smsg.sadb_msg_version = PF_KEY_V2;
1763 smsg.sadb_msg_seq = ++sadb_msg_seq;
1764 smsg.sadb_msg_pid = getpid();
1765 smsg.sadb_msg_len = sizeof(smsg) / 8;
1766 smsg.sadb_msg_type = SADB_REGISTER;
1767 smsg.sadb_msg_satype = SADB_SATYPE_AH;
1768
1769 iov.iov_base = &smsg;
1770 iov.iov_len = sizeof(smsg);
1771
1772 if (pfkey_write(env, &smsg, &iov, 1, NULL, NULL))
1773 fatal("pfkey_init: failed to set up AH acquires");
1774 }
1775
1776 void *
pfkey_find_ext(uint8_t * data,ssize_t len,int type)1777 pfkey_find_ext(uint8_t *data, ssize_t len, int type)
1778 {
1779 struct sadb_ext *ext = (struct sadb_ext *)(data +
1780 sizeof(struct sadb_msg));
1781
1782 while (ext && ((uint8_t *)ext - data < len)) {
1783 if (ext->sadb_ext_type == type)
1784 return (ext);
1785 ext = (struct sadb_ext *)((uint8_t *)ext +
1786 ext->sadb_ext_len * PFKEYV2_CHUNK);
1787 }
1788
1789 return (NULL);
1790 }
1791
1792 void
pfkey_dispatch(int fd,short event,void * arg)1793 pfkey_dispatch(int fd, short event, void *arg)
1794 {
1795 struct iked *env = (struct iked *)arg;
1796 struct pfkey_message pm, *pmp;
1797 struct sadb_msg hdr;
1798 ssize_t len;
1799 uint8_t *data;
1800
1801 if (recv(fd, &hdr, sizeof(hdr), MSG_PEEK) != sizeof(hdr)) {
1802 log_warn("%s: short recv", __func__);
1803 return;
1804 }
1805
1806 if (hdr.sadb_msg_version != PF_KEY_V2) {
1807 log_warnx("%s: wrong pfkey version", __func__);
1808 return;
1809 }
1810
1811 if ((data = reallocarray(NULL, hdr.sadb_msg_len, PFKEYV2_CHUNK))
1812 == NULL) {
1813 log_warn("%s: malloc", __func__);
1814 return;
1815 }
1816 len = hdr.sadb_msg_len * PFKEYV2_CHUNK;
1817
1818 if (read(fd, data, len) != len) {
1819 log_warn("%s: short read", __func__);
1820 free(data);
1821 return;
1822 }
1823
1824 /* Try postponed requests first, so we do in-order processing */
1825 if (!SIMPLEQ_EMPTY(&pfkey_postponed))
1826 pfkey_timer_cb(0, 0, env);
1827
1828 pm.pm_data = data;
1829 pm.pm_length = len;
1830
1831 if (pfkey_process(env, &pm) == -1 &&
1832 (pmp = calloc(1, sizeof(*pmp))) != NULL) {
1833 pmp->pm_data = data;
1834 pmp->pm_length = len;
1835 log_debug("%s: pfkey_process is busy, retry later", __func__);
1836 SIMPLEQ_INSERT_TAIL(&pfkey_postponed, pmp, pm_entry);
1837 evtimer_add(&pfkey_timer_ev, &pfkey_timer_tv);
1838 } else {
1839 free(data);
1840 }
1841 }
1842
1843 void
pfkey_timer_cb(int unused,short event,void * arg)1844 pfkey_timer_cb(int unused, short event, void *arg)
1845 {
1846 struct iked *env = arg;
1847 struct pfkey_message *pm;
1848
1849 SIMPLEQ_INIT(&pfkey_retry);
1850 while (!SIMPLEQ_EMPTY(&pfkey_postponed)) {
1851 pm = SIMPLEQ_FIRST(&pfkey_postponed);
1852 SIMPLEQ_REMOVE_HEAD(&pfkey_postponed, pm_entry);
1853 if (pfkey_process(env, pm) == -1) {
1854 log_debug("%s: pfkey_process is busy, retry later",
1855 __func__);
1856 SIMPLEQ_INSERT_TAIL(&pfkey_retry, pm, pm_entry);
1857 } else {
1858 free(pm->pm_data);
1859 free(pm);
1860 }
1861 }
1862 /* move from retry to postponed */
1863 SIMPLEQ_CONCAT(&pfkey_postponed, &pfkey_retry);
1864 if (!SIMPLEQ_EMPTY(&pfkey_postponed))
1865 evtimer_add(&pfkey_timer_ev, &pfkey_timer_tv);
1866 }
1867
1868 /*
1869 * pfkey_process returns 0 if the message has been processed and -1 if
1870 * the system is busy and the message should be passed again, later.
1871 */
1872 int
pfkey_process(struct iked * env,struct pfkey_message * pm)1873 pfkey_process(struct iked *env, struct pfkey_message *pm)
1874 {
1875 struct iked_spi spi;
1876 struct sadb_sa *sa;
1877 struct sadb_lifetime *sa_ltime;
1878 struct sadb_msg *hdr;
1879 struct sadb_msg smsg;
1880 struct iked_addr peer;
1881 struct iked_flow flow;
1882 struct sadb_address *sa_addr;
1883 struct sadb_protocol *sa_proto;
1884 struct sadb_x_policy sa_pol;
1885 struct sockaddr *ssrc, *sdst, *smask, *dmask, *speer;
1886 struct iovec iov[IOV_CNT];
1887 int ret = 0, iov_cnt;
1888 uint8_t *reply;
1889 ssize_t rlen;
1890 const char *errmsg = NULL;
1891 uint8_t *data = pm->pm_data;
1892 ssize_t len = pm->pm_length;
1893 size_t slen;
1894
1895 if (!env || !data || !len)
1896 return (0);
1897
1898 hdr = (struct sadb_msg *)data;
1899
1900 switch (hdr->sadb_msg_type) {
1901 case SADB_ACQUIRE:
1902 bzero(&flow, sizeof(flow));
1903 bzero(&peer, sizeof(peer));
1904
1905 if ((sa_addr = pfkey_find_ext(data, len,
1906 SADB_EXT_ADDRESS_DST)) == NULL) {
1907 log_debug("%s: no peer address", __func__);
1908 return (0);
1909 }
1910 speer = (struct sockaddr *)(sa_addr + 1);
1911 peer.addr_af = speer->sa_family;
1912 peer.addr_port = htons(socket_getport(speer));
1913 if ((slen = speer->sa_len) > sizeof(peer.addr)) {
1914 log_debug("%s: invalid peer address len", __func__);
1915 return (0);
1916 }
1917 memcpy(&peer.addr, speer, slen);
1918 if (socket_af((struct sockaddr *)&peer.addr,
1919 peer.addr_port) == -1) {
1920 log_debug("%s: invalid address", __func__);
1921 return (0);
1922 }
1923 flow.flow_peer = &peer;
1924
1925 log_debug("%s: acquire request (peer %s)", __func__,
1926 print_addr(speer));
1927
1928 /* get the matching flow */
1929 bzero(&smsg, sizeof(smsg));
1930 smsg.sadb_msg_version = PF_KEY_V2;
1931 smsg.sadb_msg_seq = ++sadb_msg_seq;
1932 smsg.sadb_msg_pid = getpid();
1933 smsg.sadb_msg_len = sizeof(smsg) / 8;
1934 smsg.sadb_msg_type = SADB_X_ASKPOLICY;
1935
1936 iov_cnt = 0;
1937
1938 iov[iov_cnt].iov_base = &smsg;
1939 iov[iov_cnt].iov_len = sizeof(smsg);
1940 iov_cnt++;
1941
1942 bzero(&sa_pol, sizeof(sa_pol));
1943 sa_pol.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
1944 sa_pol.sadb_x_policy_len = sizeof(sa_pol) / 8;
1945 sa_pol.sadb_x_policy_seq = hdr->sadb_msg_seq;
1946
1947 iov[iov_cnt].iov_base = &sa_pol;
1948 iov[iov_cnt].iov_len = sizeof(sa_pol);
1949 smsg.sadb_msg_len += sizeof(sa_pol) / 8;
1950 iov_cnt++;
1951
1952 if (pfkey_write(env, &smsg, iov, iov_cnt, &reply, &rlen)) {
1953 log_warnx("%s: failed to get a policy", __func__);
1954 return (0);
1955 }
1956
1957 if ((sa_addr = pfkey_find_ext(reply, rlen,
1958 SADB_X_EXT_SRC_FLOW)) == NULL) {
1959 errmsg = "flow source address";
1960 goto out;
1961 }
1962 ssrc = (struct sockaddr *)(sa_addr + 1);
1963 flow.flow_src.addr_af = ssrc->sa_family;
1964 flow.flow_src.addr_port = htons(socket_getport(ssrc));
1965 if ((slen = ssrc->sa_len) > sizeof(flow.flow_src.addr)) {
1966 log_debug("%s: invalid src address len", __func__);
1967 goto out;
1968 }
1969 memcpy(&flow.flow_src.addr, ssrc, slen);
1970 if (socket_af((struct sockaddr *)&flow.flow_src.addr,
1971 flow.flow_src.addr_port) == -1) {
1972 log_debug("%s: invalid address", __func__);
1973 goto out;
1974 }
1975
1976 if ((sa_addr = pfkey_find_ext(reply, rlen,
1977 SADB_X_EXT_DST_FLOW)) == NULL) {
1978 errmsg = "flow destination address";
1979 goto out;
1980 }
1981 sdst = (struct sockaddr *)(sa_addr + 1);
1982 flow.flow_dst.addr_af = sdst->sa_family;
1983 flow.flow_dst.addr_port = htons(socket_getport(sdst));
1984 if ((slen = sdst->sa_len) > sizeof(flow.flow_dst.addr)) {
1985 log_debug("%s: invalid dst address len", __func__);
1986 goto out;
1987 }
1988 memcpy(&flow.flow_dst.addr, sdst, slen);
1989 if (socket_af((struct sockaddr *)&flow.flow_dst.addr,
1990 flow.flow_dst.addr_port) == -1) {
1991 log_debug("%s: invalid address", __func__);
1992 goto out;
1993 }
1994
1995 if ((sa_addr = pfkey_find_ext(reply, rlen,
1996 SADB_X_EXT_SRC_MASK)) == NULL) {
1997 errmsg = "flow source mask";
1998 goto out;
1999 }
2000 smask = (struct sockaddr *)(sa_addr + 1);
2001 switch (smask->sa_family) {
2002 case AF_INET:
2003 flow.flow_src.addr_mask =
2004 mask2prefixlen((struct sockaddr *)smask);
2005 if (flow.flow_src.addr_mask != 32)
2006 flow.flow_src.addr_net = 1;
2007 break;
2008 case AF_INET6:
2009 flow.flow_src.addr_mask =
2010 mask2prefixlen6((struct sockaddr *)smask);
2011 if (flow.flow_src.addr_mask != 128)
2012 flow.flow_src.addr_net = 1;
2013 break;
2014 default:
2015 log_debug("%s: bad address family", __func__);
2016 goto out;
2017 }
2018
2019 if ((sa_addr = pfkey_find_ext(reply, rlen,
2020 SADB_X_EXT_DST_MASK)) == NULL) {
2021 errmsg = "flow destination mask";
2022 goto out;
2023 }
2024 dmask = (struct sockaddr *)(sa_addr + 1);
2025 switch (dmask->sa_family) {
2026 case AF_INET:
2027 flow.flow_dst.addr_mask =
2028 mask2prefixlen((struct sockaddr *)dmask);
2029 if (flow.flow_src.addr_mask != 32)
2030 flow.flow_src.addr_net = 1;
2031 break;
2032 case AF_INET6:
2033 flow.flow_dst.addr_mask =
2034 mask2prefixlen6((struct sockaddr *)dmask);
2035 if (flow.flow_src.addr_mask != 128)
2036 flow.flow_src.addr_net = 1;
2037 break;
2038 default:
2039 log_debug("%s: bad address family", __func__);
2040 goto out;
2041 }
2042
2043 switch (hdr->sadb_msg_satype) {
2044 case SADB_SATYPE_AH:
2045 flow.flow_saproto = IKEV2_SAPROTO_AH;
2046 break;
2047 case SADB_SATYPE_ESP:
2048 flow.flow_saproto = IKEV2_SAPROTO_ESP;
2049 break;
2050 case SADB_X_SATYPE_IPCOMP:
2051 flow.flow_saproto = IKEV2_SAPROTO_IPCOMP;
2052 break;
2053 }
2054
2055 if ((sa_proto = pfkey_find_ext(reply, rlen,
2056 SADB_X_EXT_FLOW_TYPE)) == NULL) {
2057 errmsg = "flow protocol";
2058 goto out;
2059 }
2060 flow.flow_dir = sa_proto->sadb_protocol_direction;
2061 flow.flow_rdomain = -1; /* XXX get from kernel */
2062
2063 log_debug("%s: flow %s from %s/%s to %s/%s via %s", __func__,
2064 flow.flow_dir == IPSP_DIRECTION_IN ? "in" : "out",
2065 print_addr(ssrc), print_addr(smask),
2066 print_addr(sdst), print_addr(dmask),
2067 print_addr(speer));
2068
2069 ret = ikev2_child_sa_acquire(env, &flow);
2070
2071 out:
2072 if (errmsg)
2073 log_warnx("%s: %s wasn't found", __func__, errmsg);
2074 free(reply);
2075 break;
2076
2077 case SADB_EXPIRE:
2078 if ((sa = pfkey_find_ext(data, len, SADB_EXT_SA)) == NULL) {
2079 log_warnx("%s: SA extension wasn't found", __func__);
2080 return (0);
2081 }
2082 if ((sa_ltime = pfkey_find_ext(data, len,
2083 SADB_EXT_LIFETIME_SOFT)) == NULL &&
2084 (sa_ltime = pfkey_find_ext(data, len,
2085 SADB_EXT_LIFETIME_HARD)) == NULL) {
2086 log_warnx("%s: lifetime extension wasn't found",
2087 __func__);
2088 return (0);
2089 }
2090 spi.spi = ntohl(sa->sadb_sa_spi);
2091 spi.spi_size = 4;
2092 switch (hdr->sadb_msg_satype) {
2093 case SADB_SATYPE_AH:
2094 spi.spi_protoid = IKEV2_SAPROTO_AH;
2095 break;
2096 case SADB_SATYPE_ESP:
2097 spi.spi_protoid = IKEV2_SAPROTO_ESP;
2098 break;
2099 case SADB_X_SATYPE_IPCOMP:
2100 spi.spi_size = 2;
2101 spi.spi_protoid = IKEV2_SAPROTO_IPCOMP;
2102 break;
2103 default:
2104 log_warnx("%s: unsupported SA type %d spi %s",
2105 __func__, hdr->sadb_msg_satype,
2106 print_spi(spi.spi, spi.spi_size));
2107 return (0);
2108 }
2109
2110 log_debug("%s: SA %s is expired, pending %s", __func__,
2111 print_spi(spi.spi, spi.spi_size),
2112 sa_ltime->sadb_lifetime_exttype == SADB_EXT_LIFETIME_SOFT ?
2113 "rekeying" : "deletion");
2114
2115 if (sa_ltime->sadb_lifetime_exttype == SADB_EXT_LIFETIME_SOFT)
2116 ret = ikev2_child_sa_rekey(env, &spi);
2117 else
2118 ret = ikev2_child_sa_drop(env, &spi);
2119 break;
2120 }
2121 return (ret);
2122 }
2123