1 /* $OpenBSD: pfkey.c,v 1.80 2021/11/25 19:41:03 tobhe Exp $ */ 2 3 /* 4 * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org> 5 * Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org> 6 * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org> 7 * Copyright (c) 2003, 2004 Markus Friedl <markus@openbsd.org> 8 * 9 * Permission to use, copy, modify, and distribute this software for any 10 * purpose with or without fee is hereby granted, provided that the above 11 * copyright notice and this permission notice appear in all copies. 12 * 13 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 14 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 15 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 16 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 17 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 18 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 19 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 20 */ 21 22 #include <sys/queue.h> 23 #include <sys/uio.h> 24 #include <sys/socket.h> 25 26 #include <netinet/in.h> 27 #include <netinet/ip_ipsp.h> 28 #include <net/pfkeyv2.h> 29 30 #include <err.h> 31 #include <errno.h> 32 #include <stdio.h> 33 #include <poll.h> 34 #include <string.h> 35 #include <stdlib.h> 36 #include <unistd.h> 37 #include <event.h> 38 39 #include "iked.h" 40 #include "ikev2.h" 41 42 #define ROUNDUP(x) (((x) + (PFKEYV2_CHUNK - 1)) & ~(PFKEYV2_CHUNK - 1)) 43 #define IOV_CNT 27 44 45 #define PFKEYV2_CHUNK sizeof(uint64_t) 46 #define PFKEY_REPLY_TIMEOUT 1000 47 48 /* only used internally */ 49 #define IKED_SADB_UPDATE_SA_ADDRESSES 0xff 50 51 static uint32_t sadb_msg_seq = 0; 52 static unsigned int sadb_decoupled = 0; 53 54 static int iked_rdomain = 0; 55 56 static struct event pfkey_timer_ev; 57 static struct timeval pfkey_timer_tv; 58 59 struct pfkey_message { 60 SIMPLEQ_ENTRY(pfkey_message) 61 pm_entry; 62 uint8_t *pm_data; 63 ssize_t pm_length; 64 }; 65 SIMPLEQ_HEAD(, pfkey_message) pfkey_retry, pfkey_postponed = 66 SIMPLEQ_HEAD_INITIALIZER(pfkey_postponed); 67 68 struct pfkey_constmap { 69 uint8_t pfkey_id; 70 unsigned int pfkey_ikeid; 71 unsigned int pfkey_fixedkey; 72 }; 73 74 static const struct pfkey_constmap pfkey_encr[] = { 75 { SADB_EALG_3DESCBC, IKEV2_XFORMENCR_3DES }, 76 { SADB_X_EALG_CAST, IKEV2_XFORMENCR_CAST }, 77 { SADB_X_EALG_BLF, IKEV2_XFORMENCR_BLOWFISH }, 78 { SADB_EALG_NULL, IKEV2_XFORMENCR_NULL }, 79 { SADB_X_EALG_AES, IKEV2_XFORMENCR_AES_CBC }, 80 { SADB_X_EALG_AESCTR, IKEV2_XFORMENCR_AES_CTR }, 81 { SADB_X_EALG_AESGCM16, IKEV2_XFORMENCR_AES_GCM_16 }, 82 { SADB_X_EALG_AESGMAC, IKEV2_XFORMENCR_NULL_AES_GMAC }, 83 { SADB_X_EALG_CHACHA20POLY1305, IKEV2_XFORMENCR_CHACHA20_POLY1305 }, 84 { 0 } 85 }; 86 87 static const struct pfkey_constmap pfkey_integr[] = { 88 { SADB_AALG_MD5HMAC, IKEV2_XFORMAUTH_HMAC_MD5_96 }, 89 { SADB_AALG_SHA1HMAC, IKEV2_XFORMAUTH_HMAC_SHA1_96 }, 90 { SADB_X_AALG_SHA2_256, IKEV2_XFORMAUTH_HMAC_SHA2_256_128 }, 91 { SADB_X_AALG_SHA2_384, IKEV2_XFORMAUTH_HMAC_SHA2_384_192 }, 92 { SADB_X_AALG_SHA2_512, IKEV2_XFORMAUTH_HMAC_SHA2_512_256 }, 93 { 0 } 94 }; 95 96 static const struct pfkey_constmap pfkey_satype[] = { 97 { SADB_SATYPE_AH, IKEV2_SAPROTO_AH }, 98 { SADB_SATYPE_ESP, IKEV2_SAPROTO_ESP }, 99 { SADB_X_SATYPE_IPCOMP, IKEV2_SAPROTO_IPCOMP }, 100 { 0 } 101 }; 102 103 int pfkey_map(const struct pfkey_constmap *, uint16_t, uint8_t *); 104 int pfkey_flow(struct iked *, uint8_t, uint8_t, struct iked_flow *); 105 int pfkey_sa(struct iked *, uint8_t, uint8_t, struct iked_childsa *); 106 int pfkey_sa_getspi(struct iked *, uint8_t, struct iked_childsa *, uint32_t *); 107 int pfkey_sagroup(struct iked *, uint8_t, uint8_t, 108 struct iked_childsa *, struct iked_childsa *); 109 int pfkey_write(struct iked *, struct sadb_msg *, struct iovec *, int, 110 uint8_t **, ssize_t *); 111 int pfkey_reply(int, uint8_t **, ssize_t *); 112 void pfkey_dispatch(int, short, void *); 113 int pfkey_sa_lookup(struct iked *, struct iked_childsa *, uint64_t *); 114 int pfkey_sa_check_exists(struct iked *, struct iked_childsa *); 115 116 struct sadb_ident * 117 pfkey_id2ident(struct iked_id *, unsigned int); 118 void *pfkey_find_ext(uint8_t *, ssize_t, int); 119 120 void pfkey_timer_cb(int, short, void *); 121 int pfkey_process(struct iked *, struct pfkey_message *); 122 123 int 124 pfkey_couple(struct iked *env, struct iked_sas *sas, int couple) 125 { 126 struct iked_sa *sa; 127 struct iked_flow *flow; 128 struct iked_childsa *csa, *ipcomp; 129 const char *mode[] = { "coupled", "decoupled" }; 130 131 /* Socket is not ready */ 132 if (env->sc_pfkey == -1) 133 return (-1); 134 135 if (sadb_decoupled == !couple) 136 return (0); 137 138 log_debug("%s: kernel %s -> %s", __func__, 139 mode[sadb_decoupled], mode[!sadb_decoupled]); 140 141 /* Allow writes to the PF_KEY socket */ 142 sadb_decoupled = 0; 143 144 RB_FOREACH(sa, iked_sas, sas) { 145 TAILQ_FOREACH(csa, &sa->sa_childsas, csa_entry) { 146 if (!csa->csa_loaded && couple) 147 (void)pfkey_sa_add(env, csa, NULL); 148 else if (csa->csa_loaded && !couple) 149 (void)pfkey_sa_delete(env, csa); 150 if ((ipcomp = csa->csa_bundled) != NULL) { 151 if (!ipcomp->csa_loaded && couple) 152 (void)pfkey_sa_add(env, ipcomp, csa); 153 else if (ipcomp->csa_loaded && !couple) 154 (void)pfkey_sa_delete(env, ipcomp); 155 } 156 } 157 TAILQ_FOREACH(flow, &sa->sa_flows, flow_entry) { 158 if (!flow->flow_loaded && couple) 159 (void)pfkey_flow_add(env, flow); 160 else if (flow->flow_loaded && !couple) 161 (void)pfkey_flow_delete(env, flow); 162 } 163 } 164 165 sadb_decoupled = !couple; 166 167 return (0); 168 } 169 170 int 171 pfkey_map(const struct pfkey_constmap *map, uint16_t alg, uint8_t *pfkalg) 172 { 173 int i; 174 175 for (i = 0; map[i].pfkey_id != 0; i++) 176 if (map[i].pfkey_ikeid == alg) { 177 *pfkalg = map[i].pfkey_id; 178 return (0); 179 } 180 return (-1); 181 } 182 183 int 184 pfkey_flow(struct iked *env, uint8_t satype, uint8_t action, struct iked_flow *flow) 185 { 186 struct sadb_msg smsg; 187 struct iked_addr *flow_src, *flow_dst; 188 struct sadb_address sa_src, sa_dst, sa_local, sa_peer, sa_smask, 189 sa_dmask; 190 struct sadb_protocol sa_flowtype, sa_protocol; 191 struct sadb_x_rdomain sa_rdomain; 192 struct sadb_ident *sa_srcid, *sa_dstid; 193 struct sockaddr_storage ssrc, sdst, slocal, speer, smask, dmask; 194 struct iovec iov[IOV_CNT]; 195 int iov_cnt, ret = -1; 196 uint64_t pad = 0; 197 size_t padlen; 198 199 sa_srcid = sa_dstid = NULL; 200 201 flow_src = &flow->flow_src; 202 flow_dst = &flow->flow_dst; 203 204 if (flow->flow_prenat.addr_af == flow_src->addr_af) { 205 if (flow->flow_dir == IPSP_DIRECTION_IN) 206 flow_dst = &flow->flow_prenat; 207 else 208 flow_src = &flow->flow_prenat; 209 } 210 211 bzero(&ssrc, sizeof(ssrc)); 212 bzero(&smask, sizeof(smask)); 213 memcpy(&ssrc, &flow_src->addr, sizeof(ssrc)); 214 memcpy(&smask, &flow_src->addr, sizeof(smask)); 215 socket_af((struct sockaddr *)&ssrc, flow_src->addr_port); 216 socket_af((struct sockaddr *)&smask, flow_src->addr_port ? 217 0xffff : 0); 218 219 switch (flow_src->addr_af) { 220 case AF_INET: 221 ((struct sockaddr_in *)&smask)->sin_addr.s_addr = 222 prefixlen2mask(flow_src->addr_net ? 223 flow_src->addr_mask : 32); 224 break; 225 case AF_INET6: 226 prefixlen2mask6(flow_src->addr_net ? 227 flow_src->addr_mask : 128, 228 (uint32_t *)((struct sockaddr_in6 *) 229 &smask)->sin6_addr.s6_addr); 230 break; 231 default: 232 log_warnx("%s: unsupported address family %d", 233 __func__, flow_src->addr_af); 234 return (-1); 235 } 236 smask.ss_len = ssrc.ss_len; 237 238 bzero(&sdst, sizeof(sdst)); 239 bzero(&dmask, sizeof(dmask)); 240 memcpy(&sdst, &flow_dst->addr, sizeof(sdst)); 241 memcpy(&dmask, &flow_dst->addr, sizeof(dmask)); 242 socket_af((struct sockaddr *)&sdst, flow_dst->addr_port); 243 socket_af((struct sockaddr *)&dmask, flow_dst->addr_port ? 244 0xffff : 0); 245 246 switch (flow_dst->addr_af) { 247 case AF_INET: 248 ((struct sockaddr_in *)&dmask)->sin_addr.s_addr = 249 prefixlen2mask(flow_dst->addr_net ? 250 flow_dst->addr_mask : 32); 251 break; 252 case AF_INET6: 253 prefixlen2mask6(flow_dst->addr_net ? 254 flow_dst->addr_mask : 128, 255 (uint32_t *)((struct sockaddr_in6 *) 256 &dmask)->sin6_addr.s6_addr); 257 break; 258 default: 259 log_warnx("%s: unsupported address family %d", 260 __func__, flow_dst->addr_af); 261 return (-1); 262 } 263 dmask.ss_len = sdst.ss_len; 264 265 bzero(&slocal, sizeof(slocal)); 266 bzero(&speer, sizeof(speer)); 267 if (action != SADB_X_DELFLOW && flow->flow_local != NULL) { 268 memcpy(&slocal, &flow->flow_local->addr, sizeof(slocal)); 269 socket_af((struct sockaddr *)&slocal, 0); 270 271 memcpy(&speer, &flow->flow_peer->addr, sizeof(speer)); 272 socket_af((struct sockaddr *)&speer, 0); 273 } 274 275 bzero(&smsg, sizeof(smsg)); 276 smsg.sadb_msg_version = PF_KEY_V2; 277 smsg.sadb_msg_seq = ++sadb_msg_seq; 278 smsg.sadb_msg_pid = getpid(); 279 smsg.sadb_msg_len = sizeof(smsg) / 8; 280 smsg.sadb_msg_type = action; 281 smsg.sadb_msg_satype = satype; 282 283 bzero(&sa_flowtype, sizeof(sa_flowtype)); 284 sa_flowtype.sadb_protocol_exttype = SADB_X_EXT_FLOW_TYPE; 285 sa_flowtype.sadb_protocol_len = sizeof(sa_flowtype) / 8; 286 sa_flowtype.sadb_protocol_direction = flow->flow_dir; 287 sa_flowtype.sadb_protocol_proto = SADB_X_FLOW_TYPE_REQUIRE; 288 289 bzero(&sa_protocol, sizeof(sa_protocol)); 290 sa_protocol.sadb_protocol_exttype = SADB_X_EXT_PROTOCOL; 291 sa_protocol.sadb_protocol_len = sizeof(sa_protocol) / 8; 292 sa_protocol.sadb_protocol_direction = 0; 293 sa_protocol.sadb_protocol_proto = flow->flow_ipproto; 294 295 bzero(&sa_src, sizeof(sa_src)); 296 sa_src.sadb_address_exttype = SADB_X_EXT_SRC_FLOW; 297 sa_src.sadb_address_len = (sizeof(sa_src) + ROUNDUP(ssrc.ss_len)) / 8; 298 299 bzero(&sa_smask, sizeof(sa_smask)); 300 sa_smask.sadb_address_exttype = SADB_X_EXT_SRC_MASK; 301 sa_smask.sadb_address_len = 302 (sizeof(sa_smask) + ROUNDUP(smask.ss_len)) / 8; 303 304 bzero(&sa_dst, sizeof(sa_dst)); 305 sa_dst.sadb_address_exttype = SADB_X_EXT_DST_FLOW; 306 sa_dst.sadb_address_len = (sizeof(sa_dst) + ROUNDUP(sdst.ss_len)) / 8; 307 308 bzero(&sa_dmask, sizeof(sa_dmask)); 309 sa_dmask.sadb_address_exttype = SADB_X_EXT_DST_MASK; 310 sa_dmask.sadb_address_len = 311 (sizeof(sa_dmask) + ROUNDUP(dmask.ss_len)) / 8; 312 313 if (action != SADB_X_DELFLOW && flow->flow_local != NULL) { 314 /* local address */ 315 bzero(&sa_local, sizeof(sa_local)); 316 sa_local.sadb_address_exttype = SADB_EXT_ADDRESS_SRC; 317 sa_local.sadb_address_len = 318 (sizeof(sa_local) + ROUNDUP(slocal.ss_len)) / 8; 319 320 /* peer address */ 321 bzero(&sa_peer, sizeof(sa_peer)); 322 sa_peer.sadb_address_exttype = SADB_EXT_ADDRESS_DST; 323 sa_peer.sadb_address_len = 324 (sizeof(sa_peer) + ROUNDUP(speer.ss_len)) / 8; 325 326 /* local id */ 327 sa_srcid = pfkey_id2ident(IKESA_SRCID(flow->flow_ikesa), 328 SADB_EXT_IDENTITY_SRC); 329 330 /* peer id */ 331 sa_dstid = pfkey_id2ident(IKESA_DSTID(flow->flow_ikesa), 332 SADB_EXT_IDENTITY_DST); 333 } 334 335 if (flow->flow_rdomain >= 0) { 336 /* install flow in specific rdomain */ 337 bzero(&sa_rdomain, sizeof(sa_rdomain)); 338 sa_rdomain.sadb_x_rdomain_exttype = SADB_X_EXT_RDOMAIN; 339 sa_rdomain.sadb_x_rdomain_len = sizeof(sa_rdomain) / 8; 340 sa_rdomain.sadb_x_rdomain_dom1 = flow->flow_rdomain; 341 } 342 343 #define PAD(len) \ 344 padlen = ROUNDUP((len)) - (len); \ 345 if (padlen) { \ 346 iov[iov_cnt].iov_base = &pad; \ 347 iov[iov_cnt].iov_len = padlen; \ 348 iov_cnt++; \ 349 } 350 351 iov_cnt = 0; 352 353 /* header */ 354 iov[iov_cnt].iov_base = &smsg; 355 iov[iov_cnt].iov_len = sizeof(smsg); 356 iov_cnt++; 357 358 /* add flow type */ 359 iov[iov_cnt].iov_base = &sa_flowtype; 360 iov[iov_cnt].iov_len = sizeof(sa_flowtype); 361 smsg.sadb_msg_len += sa_flowtype.sadb_protocol_len; 362 iov_cnt++; 363 364 if (action != SADB_X_DELFLOW && flow->flow_local != NULL) { 365 /* remote peer */ 366 iov[iov_cnt].iov_base = &sa_peer; 367 iov[iov_cnt].iov_len = sizeof(sa_peer); 368 iov_cnt++; 369 iov[iov_cnt].iov_base = &speer; 370 iov[iov_cnt].iov_len = speer.ss_len; 371 smsg.sadb_msg_len += sa_peer.sadb_address_len; 372 iov_cnt++; 373 PAD(speer.ss_len); 374 } 375 376 /* src addr */ 377 iov[iov_cnt].iov_base = &sa_src; 378 iov[iov_cnt].iov_len = sizeof(sa_src); 379 iov_cnt++; 380 iov[iov_cnt].iov_base = &ssrc; 381 iov[iov_cnt].iov_len = ssrc.ss_len; 382 smsg.sadb_msg_len += sa_src.sadb_address_len; 383 iov_cnt++; 384 PAD(ssrc.ss_len); 385 386 /* src mask */ 387 iov[iov_cnt].iov_base = &sa_smask; 388 iov[iov_cnt].iov_len = sizeof(sa_smask); 389 iov_cnt++; 390 iov[iov_cnt].iov_base = &smask; 391 iov[iov_cnt].iov_len = smask.ss_len; 392 smsg.sadb_msg_len += sa_smask.sadb_address_len; 393 iov_cnt++; 394 PAD(smask.ss_len); 395 396 /* dest addr */ 397 iov[iov_cnt].iov_base = &sa_dst; 398 iov[iov_cnt].iov_len = sizeof(sa_dst); 399 iov_cnt++; 400 iov[iov_cnt].iov_base = &sdst; 401 iov[iov_cnt].iov_len = sdst.ss_len; 402 smsg.sadb_msg_len += sa_dst.sadb_address_len; 403 iov_cnt++; 404 PAD(sdst.ss_len); 405 406 /* dst mask */ 407 iov[iov_cnt].iov_base = &sa_dmask; 408 iov[iov_cnt].iov_len = sizeof(sa_dmask); 409 iov_cnt++; 410 iov[iov_cnt].iov_base = &dmask; 411 iov[iov_cnt].iov_len = dmask.ss_len; 412 smsg.sadb_msg_len += sa_dmask.sadb_address_len; 413 iov_cnt++; 414 PAD(dmask.ss_len); 415 416 /* add protocol */ 417 iov[iov_cnt].iov_base = &sa_protocol; 418 iov[iov_cnt].iov_len = sizeof(sa_protocol); 419 smsg.sadb_msg_len += sa_protocol.sadb_protocol_len; 420 iov_cnt++; 421 422 if (sa_srcid) { 423 /* src identity */ 424 iov[iov_cnt].iov_base = sa_srcid; 425 iov[iov_cnt].iov_len = sa_srcid->sadb_ident_len * 8; 426 smsg.sadb_msg_len += sa_srcid->sadb_ident_len; 427 iov_cnt++; 428 } 429 if (sa_dstid) { 430 /* dst identity */ 431 iov[iov_cnt].iov_base = sa_dstid; 432 iov[iov_cnt].iov_len = sa_dstid->sadb_ident_len * 8; 433 smsg.sadb_msg_len += sa_dstid->sadb_ident_len; 434 iov_cnt++; 435 } 436 437 if (flow->flow_rdomain >= 0) { 438 iov[iov_cnt].iov_base = &sa_rdomain; 439 iov[iov_cnt].iov_len = sizeof(sa_rdomain); 440 smsg.sadb_msg_len += sa_rdomain.sadb_x_rdomain_len; 441 iov_cnt++; 442 } 443 #undef PAD 444 445 ret = pfkey_write(env, &smsg, iov, iov_cnt, NULL, NULL); 446 447 free(sa_srcid); 448 free(sa_dstid); 449 450 return (ret); 451 } 452 453 int 454 pfkey_sa(struct iked *env, uint8_t satype, uint8_t action, struct iked_childsa *sa) 455 { 456 struct sadb_msg smsg; 457 struct sadb_sa sadb; 458 struct sadb_address sa_src, sa_dst, sa_pxy; 459 struct sadb_key sa_authkey, sa_enckey; 460 struct sadb_lifetime sa_ltime_hard, sa_ltime_soft; 461 struct sadb_x_udpencap udpencap; 462 struct sadb_x_tag sa_tag; 463 char *tag = NULL; 464 struct sadb_x_tap sa_tap; 465 struct sadb_x_rdomain sa_rdomain; 466 struct sockaddr_storage ssrc, sdst, spxy; 467 struct sadb_ident *sa_srcid, *sa_dstid; 468 struct iked_lifetime *lt; 469 struct iked_policy *pol; 470 struct iked_addr *dst; 471 struct iovec iov[IOV_CNT]; 472 uint32_t jitter; 473 int iov_cnt; 474 int ret, dotap = 0; 475 uint64_t pad = 0; 476 size_t padlen; 477 478 sa_srcid = sa_dstid = NULL; 479 480 if (sa->csa_ikesa == NULL || sa->csa_ikesa->sa_policy == NULL) { 481 log_warn("%s: invalid SA and policy", __func__); 482 return (-1); 483 } 484 pol = sa->csa_ikesa->sa_policy; 485 lt = &pol->pol_lifetime; 486 487 bzero(&ssrc, sizeof(ssrc)); 488 memcpy(&ssrc, &sa->csa_local->addr, sizeof(ssrc)); 489 if (socket_af((struct sockaddr *)&ssrc, 0) == -1) { 490 log_warn("%s: invalid address", __func__); 491 return (-1); 492 } 493 494 dst = (action == IKED_SADB_UPDATE_SA_ADDRESSES && 495 sa->csa_dir == IPSP_DIRECTION_OUT) ? 496 &sa->csa_ikesa->sa_peer_loaded : 497 sa->csa_peer; 498 bzero(&sdst, sizeof(sdst)); 499 memcpy(&sdst, &dst->addr, sizeof(sdst)); 500 if (socket_af((struct sockaddr *)&sdst, 0) == -1) { 501 log_warn("%s: invalid address", __func__); 502 return (-1); 503 } 504 505 bzero(&spxy, sizeof(spxy)); 506 if (dst != sa->csa_peer) { 507 memcpy(&spxy, &sa->csa_peer->addr, sizeof(spxy)); 508 if (socket_af((struct sockaddr *)&spxy, 0) == -1) { 509 log_warn("%s: invalid address", __func__); 510 return (-1); 511 } 512 } 513 514 bzero(&smsg, sizeof(smsg)); 515 smsg.sadb_msg_version = PF_KEY_V2; 516 smsg.sadb_msg_seq = ++sadb_msg_seq; 517 smsg.sadb_msg_pid = getpid(); 518 smsg.sadb_msg_len = sizeof(smsg) / 8; 519 smsg.sadb_msg_type = action; 520 smsg.sadb_msg_satype = satype; 521 522 bzero(&sadb, sizeof(sadb)); 523 sadb.sadb_sa_len = sizeof(sadb) / 8; 524 sadb.sadb_sa_exttype = SADB_EXT_SA; 525 sadb.sadb_sa_spi = htonl(sa->csa_spi.spi); 526 sadb.sadb_sa_state = SADB_SASTATE_MATURE; 527 sadb.sadb_sa_replay = 64; 528 529 if (!sa->csa_transport) 530 sadb.sadb_sa_flags |= SADB_X_SAFLAGS_TUNNEL; 531 532 if (sa->csa_esn) 533 sadb.sadb_sa_flags |= SADB_X_SAFLAGS_ESN; 534 535 bzero(&sa_src, sizeof(sa_src)); 536 sa_src.sadb_address_len = (sizeof(sa_src) + ROUNDUP(ssrc.ss_len)) / 8; 537 sa_src.sadb_address_exttype = SADB_EXT_ADDRESS_SRC; 538 539 bzero(&sa_dst, sizeof(sa_dst)); 540 sa_dst.sadb_address_len = (sizeof(sa_dst) + ROUNDUP(sdst.ss_len)) / 8; 541 sa_dst.sadb_address_exttype = SADB_EXT_ADDRESS_DST; 542 543 bzero(&sa_pxy, sizeof(sa_pxy)); 544 sa_pxy.sadb_address_len = (sizeof(sa_pxy) + ROUNDUP(spxy.ss_len)) / 8; 545 sa_pxy.sadb_address_exttype = SADB_EXT_ADDRESS_PROXY; 546 547 bzero(&sa_authkey, sizeof(sa_authkey)); 548 bzero(&sa_enckey, sizeof(sa_enckey)); 549 bzero(&udpencap, sizeof udpencap); 550 bzero(&sa_ltime_hard, sizeof(sa_ltime_hard)); 551 bzero(&sa_ltime_soft, sizeof(sa_ltime_soft)); 552 553 if (pol->pol_rdomain >= 0) { 554 bzero(&sa_rdomain, sizeof(sa_rdomain)); 555 sa_rdomain.sadb_x_rdomain_exttype = SADB_X_EXT_RDOMAIN; 556 sa_rdomain.sadb_x_rdomain_len = sizeof(sa_rdomain) / 8; 557 if (satype == SADB_X_SATYPE_IPCOMP) { 558 /* IPCOMP SAs are always in the pol_rdomain */ 559 sa_rdomain.sadb_x_rdomain_dom1 = pol->pol_rdomain; 560 sa_rdomain.sadb_x_rdomain_dom2 = pol->pol_rdomain; 561 } else if (sa->csa_dir == IPSP_DIRECTION_OUT) { 562 /* switch rdomain on encrypt/decrypt */ 563 sa_rdomain.sadb_x_rdomain_dom1 = pol->pol_rdomain; 564 sa_rdomain.sadb_x_rdomain_dom2 = iked_rdomain; 565 } else { 566 sa_rdomain.sadb_x_rdomain_dom1 = iked_rdomain; 567 sa_rdomain.sadb_x_rdomain_dom2 = pol->pol_rdomain; 568 } 569 } 570 571 if (action == SADB_DELETE) 572 goto send; 573 574 if (satype == SADB_SATYPE_ESP && 575 sa->csa_ikesa->sa_udpencap && sa->csa_ikesa->sa_natt) { 576 sadb.sadb_sa_flags |= SADB_X_SAFLAGS_UDPENCAP; 577 udpencap.sadb_x_udpencap_exttype = SADB_X_EXT_UDPENCAP; 578 udpencap.sadb_x_udpencap_len = sizeof(udpencap) / 8; 579 udpencap.sadb_x_udpencap_port = 580 sa->csa_ikesa->sa_peer.addr_port; 581 582 log_debug("%s: udpencap port %d", __func__, 583 ntohs(udpencap.sadb_x_udpencap_port)); 584 } 585 586 if (action == IKED_SADB_UPDATE_SA_ADDRESSES) { 587 smsg.sadb_msg_type = SADB_UPDATE; 588 goto send; 589 } 590 591 if ((action == SADB_ADD || action == SADB_UPDATE) && 592 !sa->csa_persistent && (lt->lt_bytes || lt->lt_seconds)) { 593 sa_ltime_hard.sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD; 594 sa_ltime_hard.sadb_lifetime_len = sizeof(sa_ltime_hard) / 8; 595 sa_ltime_hard.sadb_lifetime_bytes = lt->lt_bytes; 596 sa_ltime_hard.sadb_lifetime_addtime = lt->lt_seconds; 597 598 /* double the lifetime for ipcomp; disable byte lifetime */ 599 if (satype == SADB_X_SATYPE_IPCOMP) { 600 sa_ltime_hard.sadb_lifetime_addtime *= 2; 601 sa_ltime_hard.sadb_lifetime_bytes = 0; 602 } 603 604 sa_ltime_soft.sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT; 605 sa_ltime_soft.sadb_lifetime_len = sizeof(sa_ltime_soft) / 8; 606 /* set randomly to 85-95% */ 607 jitter = 850 + arc4random_uniform(100); 608 sa_ltime_soft.sadb_lifetime_bytes = 609 (sa_ltime_hard.sadb_lifetime_bytes * jitter) / 1000; 610 sa_ltime_soft.sadb_lifetime_addtime = 611 (sa_ltime_hard.sadb_lifetime_addtime * jitter) / 1000; 612 } 613 614 /* XXX handle NULL encryption or NULL auth or combined encr/auth */ 615 if (action == SADB_ADD && 616 !ibuf_length(sa->csa_integrkey) && !ibuf_length(sa->csa_encrkey) && 617 satype != SADB_X_SATYPE_IPCOMP && satype != SADB_X_SATYPE_IPIP) { 618 log_warnx("%s: no key specified", __func__); 619 return (-1); 620 } 621 622 if (sa->csa_integrid) 623 if (pfkey_map(pfkey_integr, 624 sa->csa_integrid, &sadb.sadb_sa_auth) == -1) { 625 log_warnx("%s: unsupported integrity algorithm %s", 626 __func__, print_map(sa->csa_integrid, 627 ikev2_xformauth_map)); 628 return (-1); 629 } 630 631 if (sa->csa_encrid) 632 if (pfkey_map(pfkey_encr, 633 sa->csa_encrid, &sadb.sadb_sa_encrypt) == -1) { 634 log_warnx("%s: unsupported encryption algorithm %s", 635 __func__, print_map(sa->csa_encrid, 636 ikev2_xformencr_map)); 637 return (-1); 638 } 639 640 if (ibuf_length(sa->csa_integrkey)) { 641 sa_authkey.sadb_key_len = (sizeof(sa_authkey) + 642 ROUNDUP(ibuf_size(sa->csa_integrkey))) / 8; 643 sa_authkey.sadb_key_exttype = SADB_EXT_KEY_AUTH; 644 sa_authkey.sadb_key_bits = 645 8 * ibuf_size(sa->csa_integrkey); 646 } 647 648 if (ibuf_length(sa->csa_encrkey)) { 649 sa_enckey.sadb_key_len = (sizeof(sa_enckey) + 650 ROUNDUP(ibuf_size(sa->csa_encrkey))) / 8; 651 sa_enckey.sadb_key_exttype = SADB_EXT_KEY_ENCRYPT; 652 sa_enckey.sadb_key_bits = 653 8 * ibuf_size(sa->csa_encrkey); 654 } 655 656 /* we only support deflate */ 657 if (satype == SADB_X_SATYPE_IPCOMP) 658 sadb.sadb_sa_encrypt = SADB_X_CALG_DEFLATE; 659 660 /* Note that we need to swap the IDs for incoming SAs (SADB_UPDATE) */ 661 if (action != SADB_UPDATE) { 662 sa_srcid = pfkey_id2ident( 663 IKESA_SRCID(sa->csa_ikesa), SADB_EXT_IDENTITY_SRC); 664 sa_dstid = pfkey_id2ident( 665 IKESA_DSTID(sa->csa_ikesa), SADB_EXT_IDENTITY_DST); 666 } else { 667 sa_srcid = pfkey_id2ident( 668 IKESA_DSTID(sa->csa_ikesa), SADB_EXT_IDENTITY_SRC); 669 sa_dstid = pfkey_id2ident( 670 IKESA_SRCID(sa->csa_ikesa), SADB_EXT_IDENTITY_DST); 671 } 672 673 tag = sa->csa_ikesa->sa_tag; 674 if (tag != NULL && *tag != '\0') { 675 bzero(&sa_tag, sizeof(sa_tag)); 676 sa_tag.sadb_x_tag_exttype = SADB_X_EXT_TAG; 677 sa_tag.sadb_x_tag_len = 678 (ROUNDUP(strlen(tag) + 1) + sizeof(sa_tag)) / 8; 679 sa_tag.sadb_x_tag_taglen = strlen(tag) + 1; 680 } else 681 tag = NULL; 682 683 if (pol->pol_tap != 0) { 684 dotap = 1; 685 bzero(&sa_tap, sizeof(sa_tap)); 686 sa_tap.sadb_x_tap_exttype = SADB_X_EXT_TAP; 687 sa_tap.sadb_x_tap_len = sizeof(sa_tap) / 8; 688 sa_tap.sadb_x_tap_unit = pol->pol_tap; 689 } 690 691 send: 692 693 #define PAD(len) \ 694 padlen = ROUNDUP((len)) - (len); \ 695 if (padlen) { \ 696 iov[iov_cnt].iov_base = &pad; \ 697 iov[iov_cnt].iov_len = padlen; \ 698 iov_cnt++; \ 699 } 700 701 iov_cnt = 0; 702 703 /* header */ 704 iov[iov_cnt].iov_base = &smsg; 705 iov[iov_cnt].iov_len = sizeof(smsg); 706 iov_cnt++; 707 708 /* sa */ 709 iov[iov_cnt].iov_base = &sadb; 710 iov[iov_cnt].iov_len = sizeof(sadb); 711 smsg.sadb_msg_len += sadb.sadb_sa_len; 712 iov_cnt++; 713 714 /* src addr */ 715 iov[iov_cnt].iov_base = &sa_src; 716 iov[iov_cnt].iov_len = sizeof(sa_src); 717 iov_cnt++; 718 iov[iov_cnt].iov_base = &ssrc; 719 iov[iov_cnt].iov_len = ssrc.ss_len; 720 smsg.sadb_msg_len += sa_src.sadb_address_len; 721 iov_cnt++; 722 PAD(ssrc.ss_len); 723 724 /* dst addr */ 725 iov[iov_cnt].iov_base = &sa_dst; 726 iov[iov_cnt].iov_len = sizeof(sa_dst); 727 iov_cnt++; 728 iov[iov_cnt].iov_base = &sdst; 729 iov[iov_cnt].iov_len = sdst.ss_len; 730 smsg.sadb_msg_len += sa_dst.sadb_address_len; 731 iov_cnt++; 732 PAD(sdst.ss_len); 733 734 if (spxy.ss_len) { 735 /* pxy addr */ 736 iov[iov_cnt].iov_base = &sa_pxy; 737 iov[iov_cnt].iov_len = sizeof(sa_pxy); 738 iov_cnt++; 739 iov[iov_cnt].iov_base = &spxy; 740 iov[iov_cnt].iov_len = spxy.ss_len; 741 smsg.sadb_msg_len += sa_pxy.sadb_address_len; 742 iov_cnt++; 743 PAD(spxy.ss_len); 744 } 745 746 if (sa_ltime_soft.sadb_lifetime_len) { 747 /* soft lifetime */ 748 iov[iov_cnt].iov_base = &sa_ltime_soft; 749 iov[iov_cnt].iov_len = sizeof(sa_ltime_soft); 750 smsg.sadb_msg_len += sa_ltime_soft.sadb_lifetime_len; 751 iov_cnt++; 752 } 753 754 if (sa_ltime_hard.sadb_lifetime_len) { 755 /* hard lifetime */ 756 iov[iov_cnt].iov_base = &sa_ltime_hard; 757 iov[iov_cnt].iov_len = sizeof(sa_ltime_hard); 758 smsg.sadb_msg_len += sa_ltime_hard.sadb_lifetime_len; 759 iov_cnt++; 760 } 761 762 if (udpencap.sadb_x_udpencap_len) { 763 iov[iov_cnt].iov_base = &udpencap; 764 iov[iov_cnt].iov_len = sizeof(udpencap); 765 smsg.sadb_msg_len += udpencap.sadb_x_udpencap_len; 766 iov_cnt++; 767 } 768 769 if (sa_enckey.sadb_key_len) { 770 /* encryption key */ 771 iov[iov_cnt].iov_base = &sa_enckey; 772 iov[iov_cnt].iov_len = sizeof(sa_enckey); 773 iov_cnt++; 774 iov[iov_cnt].iov_base = ibuf_data(sa->csa_encrkey); 775 iov[iov_cnt].iov_len = ibuf_size(sa->csa_encrkey); 776 smsg.sadb_msg_len += sa_enckey.sadb_key_len; 777 iov_cnt++; 778 PAD(ibuf_size(sa->csa_encrkey)); 779 } 780 if (sa_authkey.sadb_key_len) { 781 /* authentication key */ 782 iov[iov_cnt].iov_base = &sa_authkey; 783 iov[iov_cnt].iov_len = sizeof(sa_authkey); 784 iov_cnt++; 785 iov[iov_cnt].iov_base = ibuf_data(sa->csa_integrkey); 786 iov[iov_cnt].iov_len = ibuf_size(sa->csa_integrkey); 787 smsg.sadb_msg_len += sa_authkey.sadb_key_len; 788 iov_cnt++; 789 PAD(ibuf_size(sa->csa_integrkey)); 790 } 791 792 if (sa_srcid) { 793 /* src identity */ 794 iov[iov_cnt].iov_base = sa_srcid; 795 iov[iov_cnt].iov_len = sa_srcid->sadb_ident_len * 8; 796 smsg.sadb_msg_len += sa_srcid->sadb_ident_len; 797 iov_cnt++; 798 } 799 if (sa_dstid) { 800 /* dst identity */ 801 iov[iov_cnt].iov_base = sa_dstid; 802 iov[iov_cnt].iov_len = sa_dstid->sadb_ident_len * 8; 803 smsg.sadb_msg_len += sa_dstid->sadb_ident_len; 804 iov_cnt++; 805 } 806 807 if (tag != NULL) { 808 /* tag identity */ 809 iov[iov_cnt].iov_base = &sa_tag; 810 iov[iov_cnt].iov_len = sizeof(sa_tag); 811 iov_cnt++; 812 iov[iov_cnt].iov_base = tag; 813 iov[iov_cnt].iov_len = strlen(tag) + 1; 814 smsg.sadb_msg_len += sa_tag.sadb_x_tag_len; 815 iov_cnt++; 816 PAD(strlen(tag) + 1); 817 } 818 819 if (dotap != 0) { 820 /* enc(4) device tap unit */ 821 iov[iov_cnt].iov_base = &sa_tap; 822 iov[iov_cnt].iov_len = sizeof(sa_tap); 823 smsg.sadb_msg_len += sa_tap.sadb_x_tap_len; 824 iov_cnt++; 825 } 826 827 if (pol->pol_rdomain >= 0) { 828 iov[iov_cnt].iov_base = &sa_rdomain; 829 iov[iov_cnt].iov_len = sizeof(sa_rdomain); 830 smsg.sadb_msg_len += sa_rdomain.sadb_x_rdomain_len; 831 iov_cnt++; 832 } 833 #undef PAD 834 835 ret = pfkey_write(env, &smsg, iov, iov_cnt, NULL, NULL); 836 837 free(sa_srcid); 838 free(sa_dstid); 839 840 return ret; 841 } 842 843 int 844 pfkey_sa_lookup(struct iked *env, struct iked_childsa *sa, uint64_t *last_used) 845 { 846 struct iked_policy *pol = sa->csa_ikesa->sa_policy; 847 struct sadb_msg *msg, smsg; 848 struct sadb_address sa_src, sa_dst; 849 struct sadb_sa sadb; 850 struct sadb_x_rdomain sa_rdomain; 851 struct sadb_lifetime *sa_life; 852 struct sockaddr_storage ssrc, sdst; 853 struct iovec iov[IOV_CNT]; 854 uint64_t pad = 0; 855 size_t padlen; 856 uint8_t *data; 857 ssize_t n; 858 int iov_cnt, ret = -1, rdomain; 859 uint8_t satype; 860 861 if (last_used) 862 *last_used = 0; 863 864 if (pfkey_map(pfkey_satype, sa->csa_saproto, &satype) == -1) 865 return (-1); 866 867 bzero(&ssrc, sizeof(ssrc)); 868 memcpy(&ssrc, &sa->csa_local->addr, sizeof(ssrc)); 869 if (socket_af((struct sockaddr *)&ssrc, 0) == -1) { 870 log_warn("%s: invalid address", __func__); 871 return (-1); 872 } 873 874 bzero(&sdst, sizeof(sdst)); 875 memcpy(&sdst, &sa->csa_peer->addr, sizeof(sdst)); 876 if (socket_af((struct sockaddr *)&sdst, 0) == -1) { 877 log_warn("%s: invalid address", __func__); 878 return (-1); 879 } 880 881 bzero(&smsg, sizeof(smsg)); 882 smsg.sadb_msg_version = PF_KEY_V2; 883 smsg.sadb_msg_seq = ++sadb_msg_seq; 884 smsg.sadb_msg_pid = getpid(); 885 smsg.sadb_msg_len = sizeof(smsg) / 8; 886 smsg.sadb_msg_type = SADB_GET; 887 smsg.sadb_msg_satype = satype; 888 889 bzero(&sadb, sizeof(sadb)); 890 sadb.sadb_sa_len = sizeof(sadb) / 8; 891 sadb.sadb_sa_exttype = SADB_EXT_SA; 892 sadb.sadb_sa_spi = htonl(sa->csa_spi.spi); 893 sadb.sadb_sa_state = SADB_SASTATE_MATURE; 894 sadb.sadb_sa_replay = 64; 895 896 if (pol->pol_rdomain >= 0) { 897 rdomain = (sa->csa_dir == IPSP_DIRECTION_IN) ? 898 iked_rdomain : pol->pol_rdomain; 899 bzero(&sa_rdomain, sizeof(sa_rdomain)); 900 sa_rdomain.sadb_x_rdomain_exttype = SADB_X_EXT_RDOMAIN; 901 sa_rdomain.sadb_x_rdomain_len = sizeof(sa_rdomain) / 8; 902 sa_rdomain.sadb_x_rdomain_dom1 = rdomain; 903 } 904 905 bzero(&sa_src, sizeof(sa_src)); 906 sa_src.sadb_address_len = (sizeof(sa_src) + ROUNDUP(ssrc.ss_len)) / 8; 907 sa_src.sadb_address_exttype = SADB_EXT_ADDRESS_SRC; 908 909 bzero(&sa_dst, sizeof(sa_dst)); 910 sa_dst.sadb_address_len = (sizeof(sa_dst) + ROUNDUP(sdst.ss_len)) / 8; 911 sa_dst.sadb_address_exttype = SADB_EXT_ADDRESS_DST; 912 913 iov_cnt = 0; 914 915 #define PAD(len) \ 916 padlen = ROUNDUP((len)) - (len); \ 917 if (padlen) { \ 918 iov[iov_cnt].iov_base = &pad; \ 919 iov[iov_cnt].iov_len = padlen; \ 920 iov_cnt++; \ 921 } 922 923 /* header */ 924 iov[iov_cnt].iov_base = &smsg; 925 iov[iov_cnt].iov_len = sizeof(smsg); 926 iov_cnt++; 927 928 /* sa */ 929 iov[iov_cnt].iov_base = &sadb; 930 iov[iov_cnt].iov_len = sizeof(sadb); 931 smsg.sadb_msg_len += sadb.sadb_sa_len; 932 iov_cnt++; 933 934 /* src addr */ 935 iov[iov_cnt].iov_base = &sa_src; 936 iov[iov_cnt].iov_len = sizeof(sa_src); 937 iov_cnt++; 938 iov[iov_cnt].iov_base = &ssrc; 939 iov[iov_cnt].iov_len = ssrc.ss_len; 940 smsg.sadb_msg_len += sa_src.sadb_address_len; 941 iov_cnt++; 942 PAD(ssrc.ss_len); 943 944 /* dst addr */ 945 iov[iov_cnt].iov_base = &sa_dst; 946 iov[iov_cnt].iov_len = sizeof(sa_dst); 947 iov_cnt++; 948 iov[iov_cnt].iov_base = &sdst; 949 iov[iov_cnt].iov_len = sdst.ss_len; 950 smsg.sadb_msg_len += sa_dst.sadb_address_len; 951 iov_cnt++; 952 PAD(sdst.ss_len); 953 954 if (pol->pol_rdomain >= 0) { 955 iov[iov_cnt].iov_base = &sa_rdomain; 956 iov[iov_cnt].iov_len = sizeof(sa_rdomain); 957 smsg.sadb_msg_len += sa_rdomain.sadb_x_rdomain_len; 958 iov_cnt++; 959 } 960 961 if ((ret = pfkey_write(env, &smsg, iov, iov_cnt, &data, &n)) != 0) 962 return (-1); 963 964 msg = (struct sadb_msg *)data; 965 if (msg->sadb_msg_errno != 0) { 966 errno = msg->sadb_msg_errno; 967 ret = -1; 968 if (errno == ESRCH) 969 log_debug("%s: not found", __func__); 970 else 971 log_warn("%s: message", __func__); 972 goto done; 973 } 974 if (last_used) { 975 if ((sa_life = pfkey_find_ext(data, n, 976 SADB_X_EXT_LIFETIME_LASTUSE)) == NULL) { 977 /* has never been used */ 978 ret = -1; 979 goto done; 980 } 981 *last_used = sa_life->sadb_lifetime_usetime; 982 log_debug("%s: last_used %llu", __func__, *last_used); 983 } 984 985 #undef PAD 986 done: 987 freezero(data, n); 988 return (ret); 989 } 990 991 int 992 pfkey_sa_last_used(struct iked *env, struct iked_childsa *sa, uint64_t *last_used) 993 { 994 return pfkey_sa_lookup(env, sa, last_used); 995 } 996 997 int 998 pfkey_sa_check_exists(struct iked *env, struct iked_childsa *sa) 999 { 1000 return pfkey_sa_lookup(env, sa, NULL); 1001 } 1002 1003 int 1004 pfkey_sa_getspi(struct iked *env, uint8_t satype, struct iked_childsa *sa, 1005 uint32_t *spip) 1006 { 1007 struct sadb_msg *msg, smsg; 1008 struct sadb_address sa_src, sa_dst; 1009 struct sadb_sa *sa_ext; 1010 struct sadb_spirange sa_spirange; 1011 struct sockaddr_storage ssrc, sdst; 1012 struct iovec iov[IOV_CNT]; 1013 uint64_t pad = 0; 1014 size_t padlen; 1015 uint8_t *data; 1016 ssize_t n; 1017 int iov_cnt, ret = -1; 1018 1019 bzero(&ssrc, sizeof(ssrc)); 1020 memcpy(&ssrc, &sa->csa_local->addr, sizeof(ssrc)); 1021 if (socket_af((struct sockaddr *)&ssrc, 0) == -1) { 1022 log_warn("%s: invalid address", __func__); 1023 return (-1); 1024 } 1025 1026 bzero(&sdst, sizeof(sdst)); 1027 memcpy(&sdst, &sa->csa_peer->addr, sizeof(sdst)); 1028 if (socket_af((struct sockaddr *)&sdst, 0) == -1) { 1029 log_warn("%s: invalid address", __func__); 1030 return (-1); 1031 } 1032 1033 bzero(&smsg, sizeof(smsg)); 1034 smsg.sadb_msg_version = PF_KEY_V2; 1035 smsg.sadb_msg_seq = ++sadb_msg_seq; 1036 smsg.sadb_msg_pid = getpid(); 1037 smsg.sadb_msg_len = sizeof(smsg) / 8; 1038 smsg.sadb_msg_type = SADB_GETSPI; 1039 smsg.sadb_msg_satype = satype; 1040 1041 bzero(&sa_spirange, sizeof(sa_spirange)); 1042 sa_spirange.sadb_spirange_exttype = SADB_EXT_SPIRANGE; 1043 sa_spirange.sadb_spirange_len = sizeof(sa_spirange) / 8; 1044 sa_spirange.sadb_spirange_min = 0x100; 1045 sa_spirange.sadb_spirange_max = (satype == SADB_X_SATYPE_IPCOMP) ? 1046 (CPI_PRIVATE_MIN - 1) : 0xffffffff; 1047 sa_spirange.sadb_spirange_reserved = 0; 1048 1049 bzero(&sa_src, sizeof(sa_src)); 1050 sa_src.sadb_address_len = (sizeof(sa_src) + ROUNDUP(ssrc.ss_len)) / 8; 1051 sa_src.sadb_address_exttype = SADB_EXT_ADDRESS_SRC; 1052 1053 bzero(&sa_dst, sizeof(sa_dst)); 1054 sa_dst.sadb_address_len = (sizeof(sa_dst) + ROUNDUP(sdst.ss_len)) / 8; 1055 sa_dst.sadb_address_exttype = SADB_EXT_ADDRESS_DST; 1056 1057 #define PAD(len) \ 1058 padlen = ROUNDUP((len)) - (len); \ 1059 if (padlen) { \ 1060 iov[iov_cnt].iov_base = &pad; \ 1061 iov[iov_cnt].iov_len = padlen; \ 1062 iov_cnt++; \ 1063 } 1064 1065 iov_cnt = 0; 1066 1067 /* header */ 1068 iov[iov_cnt].iov_base = &smsg; 1069 iov[iov_cnt].iov_len = sizeof(smsg); 1070 iov_cnt++; 1071 1072 /* SPI range */ 1073 iov[iov_cnt].iov_base = &sa_spirange; 1074 iov[iov_cnt].iov_len = sizeof(sa_spirange); 1075 smsg.sadb_msg_len += sa_spirange.sadb_spirange_len; 1076 iov_cnt++; 1077 1078 /* src addr */ 1079 iov[iov_cnt].iov_base = &sa_src; 1080 iov[iov_cnt].iov_len = sizeof(sa_src); 1081 iov_cnt++; 1082 iov[iov_cnt].iov_base = &ssrc; 1083 iov[iov_cnt].iov_len = ssrc.ss_len; 1084 smsg.sadb_msg_len += sa_src.sadb_address_len; 1085 iov_cnt++; 1086 PAD(ssrc.ss_len); 1087 1088 /* dst addr */ 1089 iov[iov_cnt].iov_base = &sa_dst; 1090 iov[iov_cnt].iov_len = sizeof(sa_dst); 1091 iov_cnt++; 1092 iov[iov_cnt].iov_base = &sdst; 1093 iov[iov_cnt].iov_len = sdst.ss_len; 1094 smsg.sadb_msg_len += sa_dst.sadb_address_len; 1095 iov_cnt++; 1096 PAD(sdst.ss_len); 1097 1098 *spip = 0; 1099 1100 if ((ret = pfkey_write(env, &smsg, iov, iov_cnt, &data, &n)) != 0) 1101 return (-1); 1102 1103 msg = (struct sadb_msg *)data; 1104 if (msg->sadb_msg_errno != 0) { 1105 errno = msg->sadb_msg_errno; 1106 log_warn("%s: message", __func__); 1107 goto done; 1108 } 1109 if ((sa_ext = pfkey_find_ext(data, n, SADB_EXT_SA)) == NULL) { 1110 log_debug("%s: erroneous reply", __func__); 1111 goto done; 1112 } 1113 1114 *spip = ntohl(sa_ext->sadb_sa_spi); 1115 log_debug("%s: spi 0x%08x", __func__, *spip); 1116 1117 #undef PAD 1118 1119 done: 1120 freezero(data, n); 1121 return (ret); 1122 } 1123 1124 int 1125 pfkey_sagroup(struct iked *env, uint8_t satype1, uint8_t action, 1126 struct iked_childsa *sa1, struct iked_childsa *sa2) 1127 { 1128 struct sadb_msg smsg; 1129 struct sadb_sa sadb1, sadb2; 1130 struct sadb_address sa_dst1, sa_dst2; 1131 struct sockaddr_storage sdst1, sdst2; 1132 struct sadb_protocol sa_proto; 1133 struct sadb_x_rdomain sa_rdomain; 1134 struct iked_policy *pol; 1135 struct iovec iov[IOV_CNT]; 1136 uint64_t pad = 0; 1137 size_t padlen; 1138 int iov_cnt; 1139 int group_rdomain; 1140 uint8_t satype2; 1141 1142 if (pfkey_map(pfkey_satype, sa2->csa_saproto, &satype2) == -1) 1143 return (-1); 1144 1145 bzero(&sdst1, sizeof(sdst1)); 1146 memcpy(&sdst1, &sa1->csa_peer->addr, sizeof(sdst1)); 1147 if (socket_af((struct sockaddr *)&sdst1, 0) == -1) { 1148 log_warnx("%s: unsupported address family %d", 1149 __func__, sdst1.ss_family); 1150 return (-1); 1151 } 1152 1153 bzero(&sdst2, sizeof(sdst2)); 1154 memcpy(&sdst2, &sa2->csa_peer->addr, sizeof(sdst2)); 1155 if (socket_af((struct sockaddr *)&sdst2, 0) == -1) { 1156 log_warnx("%s: unsupported address family %d", 1157 __func__, sdst2.ss_family); 1158 return (-1); 1159 } 1160 1161 bzero(&smsg, sizeof(smsg)); 1162 smsg.sadb_msg_version = PF_KEY_V2; 1163 smsg.sadb_msg_seq = ++sadb_msg_seq; 1164 smsg.sadb_msg_pid = getpid(); 1165 smsg.sadb_msg_len = sizeof(smsg) / 8; 1166 smsg.sadb_msg_type = action; 1167 smsg.sadb_msg_satype = satype1; 1168 1169 bzero(&sadb1, sizeof(sadb1)); 1170 sadb1.sadb_sa_len = sizeof(sadb1) / 8; 1171 sadb1.sadb_sa_exttype = SADB_EXT_SA; 1172 sadb1.sadb_sa_spi = htonl(sa1->csa_spi.spi); 1173 sadb1.sadb_sa_state = SADB_SASTATE_MATURE; 1174 1175 bzero(&sadb2, sizeof(sadb2)); 1176 sadb2.sadb_sa_len = sizeof(sadb2) / 8; 1177 sadb2.sadb_sa_exttype = SADB_X_EXT_SA2; 1178 sadb2.sadb_sa_spi = htonl(sa2->csa_spi.spi); 1179 sadb2.sadb_sa_state = SADB_SASTATE_MATURE; 1180 1181 /* Incoming SA1 (IPCOMP) and SA2 (ESP) are in different/other rdomain */ 1182 group_rdomain = 1183 (pol = sa1->csa_ikesa->sa_policy) != NULL && 1184 pol->pol_rdomain >= 0 && 1185 satype1 == SADB_X_SATYPE_IPCOMP && 1186 satype2 == SADB_SATYPE_ESP; 1187 if (group_rdomain) { 1188 bzero(&sa_rdomain, sizeof(sa_rdomain)); 1189 sa_rdomain.sadb_x_rdomain_exttype = SADB_X_EXT_RDOMAIN; 1190 sa_rdomain.sadb_x_rdomain_len = sizeof(sa_rdomain) / 8; 1191 if (sa1->csa_dir == IPSP_DIRECTION_IN) { 1192 /* only ESP SA is iked's rdomain */ 1193 sa_rdomain.sadb_x_rdomain_dom1 = pol->pol_rdomain; 1194 sa_rdomain.sadb_x_rdomain_dom2 = iked_rdomain; 1195 } else { 1196 /* both SAs are in pol_rdomain */ 1197 sa_rdomain.sadb_x_rdomain_dom1 = pol->pol_rdomain; 1198 sa_rdomain.sadb_x_rdomain_dom2 = pol->pol_rdomain; 1199 } 1200 } 1201 1202 iov_cnt = 0; 1203 1204 bzero(&sa_dst1, sizeof(sa_dst1)); 1205 sa_dst1.sadb_address_exttype = SADB_EXT_ADDRESS_DST; 1206 sa_dst1.sadb_address_len = 1207 (sizeof(sa_dst1) + ROUNDUP(sdst1.ss_len)) / 8; 1208 1209 bzero(&sa_dst2, sizeof(sa_dst2)); 1210 sa_dst2.sadb_address_exttype = SADB_X_EXT_DST2; 1211 sa_dst2.sadb_address_len = 1212 (sizeof(sa_dst2) + ROUNDUP(sdst2.ss_len)) / 8; 1213 1214 bzero(&sa_proto, sizeof(sa_proto)); 1215 sa_proto.sadb_protocol_exttype = SADB_X_EXT_SATYPE2; 1216 sa_proto.sadb_protocol_len = sizeof(sa_proto) / 8; 1217 sa_proto.sadb_protocol_direction = 0; 1218 sa_proto.sadb_protocol_proto = satype2; 1219 1220 #define PAD(len) \ 1221 padlen = ROUNDUP((len)) - (len); \ 1222 if (padlen) { \ 1223 iov[iov_cnt].iov_base = &pad; \ 1224 iov[iov_cnt].iov_len = padlen; \ 1225 iov_cnt++; \ 1226 } 1227 1228 /* header */ 1229 iov[iov_cnt].iov_base = &smsg; 1230 iov[iov_cnt].iov_len = sizeof(smsg); 1231 iov_cnt++; 1232 1233 /* sa */ 1234 iov[iov_cnt].iov_base = &sadb1; 1235 iov[iov_cnt].iov_len = sizeof(sadb1); 1236 smsg.sadb_msg_len += sadb1.sadb_sa_len; 1237 iov_cnt++; 1238 1239 /* dst addr */ 1240 iov[iov_cnt].iov_base = &sa_dst1; 1241 iov[iov_cnt].iov_len = sizeof(sa_dst1); 1242 iov_cnt++; 1243 iov[iov_cnt].iov_base = &sdst1; 1244 iov[iov_cnt].iov_len = sdst1.ss_len; 1245 smsg.sadb_msg_len += sa_dst1.sadb_address_len; 1246 iov_cnt++; 1247 PAD(sdst1.ss_len); 1248 1249 /* second sa */ 1250 iov[iov_cnt].iov_base = &sadb2; 1251 iov[iov_cnt].iov_len = sizeof(sadb2); 1252 smsg.sadb_msg_len += sadb2.sadb_sa_len; 1253 iov_cnt++; 1254 1255 /* second dst addr */ 1256 iov[iov_cnt].iov_base = &sa_dst2; 1257 iov[iov_cnt].iov_len = sizeof(sa_dst2); 1258 iov_cnt++; 1259 iov[iov_cnt].iov_base = &sdst2; 1260 iov[iov_cnt].iov_len = sdst2.ss_len; 1261 smsg.sadb_msg_len += sa_dst2.sadb_address_len; 1262 iov_cnt++; 1263 PAD(sdst2.ss_len); 1264 1265 /* SA type */ 1266 iov[iov_cnt].iov_base = &sa_proto; 1267 iov[iov_cnt].iov_len = sizeof(sa_proto); 1268 smsg.sadb_msg_len += sa_proto.sadb_protocol_len; 1269 iov_cnt++; 1270 1271 /* SA1 and SA2 are from different rdomains */ 1272 if (group_rdomain) { 1273 iov[iov_cnt].iov_base = &sa_rdomain; 1274 iov[iov_cnt].iov_len = sizeof(sa_rdomain); 1275 smsg.sadb_msg_len += sa_rdomain.sadb_x_rdomain_len; 1276 iov_cnt++; 1277 } 1278 1279 #undef PAD 1280 1281 return (pfkey_write(env, &smsg, iov, iov_cnt, NULL, NULL)); 1282 } 1283 1284 int 1285 pfkey_write(struct iked *env, struct sadb_msg *smsg, struct iovec *iov, int iov_cnt, 1286 uint8_t **datap, ssize_t *lenp) 1287 { 1288 ssize_t n, len = smsg->sadb_msg_len * 8; 1289 int ret = -1; 1290 1291 if (sadb_decoupled) { 1292 switch (smsg->sadb_msg_type) { 1293 case SADB_GETSPI: 1294 /* we need to get a new SPI from the kernel */ 1295 break; 1296 default: 1297 if (datap || lenp) { 1298 log_warnx("%s: pfkey not coupled", __func__); 1299 return (-1); 1300 } 1301 /* ignore request */ 1302 return (0); 1303 } 1304 } 1305 1306 /* Delete event to poll() in pfkey_reply() */ 1307 event_del(&env->sc_pfkeyev); 1308 1309 if ((n = writev(env->sc_pfkey, iov, iov_cnt)) == -1) { 1310 log_warn("%s: writev failed: type %u len %zd", 1311 __func__, smsg->sadb_msg_type, len); 1312 goto done; 1313 } else if (n != len) { 1314 log_warn("%s: short write", __func__); 1315 goto done; 1316 } 1317 1318 ret = pfkey_reply(env->sc_pfkey, datap, lenp); 1319 done: 1320 event_add(&env->sc_pfkeyev, NULL); 1321 return (ret); 1322 } 1323 1324 /* wait for pfkey response and returns 0 for ok, -1 for error, -2 for timeout */ 1325 int 1326 pfkey_reply(int fd, uint8_t **datap, ssize_t *lenp) 1327 { 1328 struct pfkey_message *pm; 1329 struct sadb_msg hdr; 1330 ssize_t len; 1331 uint8_t *data; 1332 struct pollfd pfd[1]; 1333 int n; 1334 1335 pfd[0].fd = fd; 1336 pfd[0].events = POLLIN; 1337 1338 for (;;) { 1339 /* 1340 * We should actually expect the reply to get lost 1341 * as PF_KEY is an unreliable service per the specs. 1342 * Currently we do this by setting a short timeout, 1343 * and if it is not readable in that time, we fail 1344 * the read. 1345 */ 1346 n = poll(pfd, 1, PFKEY_REPLY_TIMEOUT / 1000); 1347 if (n == -1) { 1348 log_warn("%s: poll() failed", __func__); 1349 return (-1); 1350 } 1351 if (n == 0) { 1352 log_warnx("%s: no reply from PF_KEY", __func__); 1353 return (-2); /* retry */ 1354 } 1355 1356 if (recv(fd, &hdr, sizeof(hdr), MSG_PEEK) != sizeof(hdr)) { 1357 log_warn("%s: short recv", __func__); 1358 return (-1); 1359 } 1360 1361 if (hdr.sadb_msg_version != PF_KEY_V2) { 1362 log_warnx("%s: wrong pfkey version", __func__); 1363 return (-1); 1364 } 1365 1366 if ((data = reallocarray(NULL, hdr.sadb_msg_len, 1367 PFKEYV2_CHUNK)) == NULL) { 1368 log_warn("%s: malloc", __func__); 1369 return (-1); 1370 } 1371 len = hdr.sadb_msg_len * PFKEYV2_CHUNK; 1372 1373 if (read(fd, data, len) != len) { 1374 log_warnx("%s: short read", __func__); 1375 free(data); 1376 return (-1); 1377 } 1378 1379 /* XXX: Only one message can be outstanding. */ 1380 if (hdr.sadb_msg_seq == sadb_msg_seq && 1381 hdr.sadb_msg_pid == (uint32_t)getpid()) 1382 break; 1383 1384 /* ignore messages for other processes */ 1385 if (hdr.sadb_msg_pid != 0 && 1386 hdr.sadb_msg_pid != (uint32_t)getpid()) { 1387 free(data); 1388 continue; 1389 } 1390 1391 /* not the reply, enqueue */ 1392 if ((pm = malloc(sizeof(*pm))) == NULL) { 1393 log_warn("%s: malloc", __func__); 1394 free(data); 1395 return (-1); 1396 } 1397 pm->pm_data = data; 1398 pm->pm_length = len; 1399 SIMPLEQ_INSERT_TAIL(&pfkey_postponed, pm, pm_entry); 1400 evtimer_add(&pfkey_timer_ev, &pfkey_timer_tv); 1401 } 1402 1403 if (datap) { 1404 *datap = data; 1405 if (lenp) 1406 *lenp = len; 1407 } else 1408 free(data); 1409 1410 if (datap == NULL && hdr.sadb_msg_errno != 0) { 1411 errno = hdr.sadb_msg_errno; 1412 if (errno != EEXIST) { 1413 if (errno == ESRCH) 1414 log_debug("%s: not found", __func__); 1415 else 1416 log_warn("%s: message", __func__); 1417 return (-1); 1418 } 1419 } 1420 return (0); 1421 } 1422 1423 int 1424 pfkey_flow_add(struct iked *env, struct iked_flow *flow) 1425 { 1426 uint8_t satype; 1427 1428 if (flow->flow_loaded) 1429 return (0); 1430 1431 if (pfkey_map(pfkey_satype, flow->flow_saproto, &satype) == -1) 1432 return (-1); 1433 1434 if (pfkey_flow(env, satype, SADB_X_ADDFLOW, flow) == -1) 1435 return (-1); 1436 1437 flow->flow_loaded = 1; 1438 1439 return (0); 1440 } 1441 1442 int 1443 pfkey_flow_delete(struct iked *env, struct iked_flow *flow) 1444 { 1445 uint8_t satype; 1446 1447 if (!flow->flow_loaded) 1448 return (0); 1449 1450 if (pfkey_map(pfkey_satype, flow->flow_saproto, &satype) == -1) 1451 return (-1); 1452 1453 if (pfkey_flow(env, satype, SADB_X_DELFLOW, flow) == -1) 1454 return (-1); 1455 1456 flow->flow_loaded = 0; 1457 1458 return (0); 1459 } 1460 1461 int 1462 pfkey_sa_init(struct iked *env, struct iked_childsa *sa, uint32_t *spi) 1463 { 1464 uint8_t satype; 1465 1466 if (pfkey_map(pfkey_satype, sa->csa_saproto, &satype) == -1) 1467 return (-1); 1468 1469 if (pfkey_sa_getspi(env, satype, sa, spi) == -1) 1470 return (-1); 1471 1472 log_debug("%s: new spi 0x%08x", __func__, *spi); 1473 1474 return (0); 1475 } 1476 1477 int 1478 pfkey_sa_add(struct iked *env, struct iked_childsa *sa, struct iked_childsa *last) 1479 { 1480 uint8_t satype; 1481 unsigned int cmd; 1482 int rval; 1483 1484 if (pfkey_map(pfkey_satype, sa->csa_saproto, &satype) == -1) 1485 return (-1); 1486 1487 if (sa->csa_allocated || sa->csa_loaded) 1488 cmd = SADB_UPDATE; 1489 else 1490 cmd = SADB_ADD; 1491 1492 log_debug("%s: %s spi %s", __func__, cmd == SADB_ADD ? "add": "update", 1493 print_spi(sa->csa_spi.spi, 4)); 1494 1495 rval = pfkey_sa(env, satype, cmd, sa); 1496 if (rval != 0) { 1497 if (cmd == SADB_ADD) { 1498 if (rval == -2) { 1499 /* timeout: check for existence */ 1500 if (pfkey_sa_check_exists(env, sa) == 0) { 1501 log_debug("%s: SA exists after timeout", 1502 __func__); 1503 goto loaded; 1504 } 1505 } 1506 (void)pfkey_sa_delete(env, sa); 1507 return (-1); 1508 } 1509 if (sa->csa_allocated && !sa->csa_loaded && errno == ESRCH) { 1510 /* Needed for recoupling local SAs */ 1511 log_debug("%s: SADB_UPDATE on local SA returned ESRCH," 1512 " trying SADB_ADD", __func__); 1513 if (pfkey_sa(env, satype, SADB_ADD, sa) == -1) 1514 return (-1); 1515 } else { 1516 return (-1); 1517 } 1518 } 1519 1520 loaded: 1521 if (last != NULL) { 1522 if (pfkey_sagroup(env, satype, 1523 SADB_X_GRPSPIS, sa, last) == -1) { 1524 (void)pfkey_sa_delete(env, sa); 1525 return (-1); 1526 } 1527 } 1528 1529 sa->csa_loaded = 1; 1530 return (0); 1531 } 1532 1533 int 1534 pfkey_sa_update_addresses(struct iked *env, struct iked_childsa *sa) 1535 { 1536 uint8_t satype; 1537 1538 if (!sa->csa_ikesa) 1539 return (-1); 1540 /* check if peer has changed */ 1541 if (sa->csa_ikesa->sa_peer_loaded.addr.ss_family == AF_UNSPEC || 1542 memcmp(&sa->csa_ikesa->sa_peer_loaded, &sa->csa_ikesa->sa_peer, 1543 sizeof(sa->csa_ikesa->sa_peer_loaded)) == 0) 1544 return (0); 1545 if (pfkey_map(pfkey_satype, sa->csa_saproto, &satype) == -1) 1546 return (-1); 1547 log_debug("%s: spi %s", __func__, print_spi(sa->csa_spi.spi, 4)); 1548 return pfkey_sa(env, satype, IKED_SADB_UPDATE_SA_ADDRESSES, sa); 1549 } 1550 1551 int 1552 pfkey_sa_delete(struct iked *env, struct iked_childsa *sa) 1553 { 1554 uint8_t satype; 1555 1556 if (!sa->csa_loaded || sa->csa_spi.spi == 0) 1557 return (0); 1558 1559 if (pfkey_map(pfkey_satype, sa->csa_saproto, &satype) == -1) 1560 return (-1); 1561 1562 if (pfkey_sa(env, satype, SADB_DELETE, sa) == -1 && 1563 pfkey_sa_check_exists(env, sa) == 0) 1564 return (-1); 1565 1566 sa->csa_loaded = 0; 1567 return (0); 1568 } 1569 1570 int 1571 pfkey_flush(struct iked *env) 1572 { 1573 struct sadb_msg smsg; 1574 struct iovec iov[IOV_CNT]; 1575 int iov_cnt; 1576 1577 bzero(&smsg, sizeof(smsg)); 1578 smsg.sadb_msg_version = PF_KEY_V2; 1579 smsg.sadb_msg_seq = ++sadb_msg_seq; 1580 smsg.sadb_msg_pid = getpid(); 1581 smsg.sadb_msg_len = sizeof(smsg) / 8; 1582 smsg.sadb_msg_type = SADB_FLUSH; 1583 smsg.sadb_msg_satype = SADB_SATYPE_UNSPEC; 1584 1585 iov_cnt = 0; 1586 1587 iov[iov_cnt].iov_base = &smsg; 1588 iov[iov_cnt].iov_len = sizeof(smsg); 1589 iov_cnt++; 1590 1591 return (pfkey_write(env, &smsg, iov, iov_cnt, NULL, NULL)); 1592 } 1593 1594 struct sadb_ident * 1595 pfkey_id2ident(struct iked_id *id, unsigned int exttype) 1596 { 1597 char idstr[IKED_ID_SIZE]; 1598 unsigned int type; 1599 size_t len; 1600 struct sadb_ident *sa_id; 1601 1602 switch (id->id_type) { 1603 case IKEV2_ID_FQDN: 1604 type = SADB_IDENTTYPE_FQDN; 1605 break; 1606 case IKEV2_ID_UFQDN: 1607 type = SADB_IDENTTYPE_USERFQDN; 1608 break; 1609 case IKEV2_ID_IPV4: 1610 case IKEV2_ID_IPV6: 1611 type = SADB_IDENTTYPE_PREFIX; 1612 break; 1613 case IKEV2_ID_ASN1_DN: 1614 type = SADB_IDENTTYPE_ASN1_DN; 1615 break; 1616 case IKEV2_ID_ASN1_GN: 1617 case IKEV2_ID_KEY_ID: 1618 case IKEV2_ID_NONE: 1619 default: 1620 /* XXX not implemented/supported by PFKEY */ 1621 return (NULL); 1622 } 1623 1624 bzero(&idstr, sizeof(idstr)); 1625 1626 if (ikev2_print_id(id, idstr, sizeof(idstr)) == -1) 1627 return (NULL); 1628 1629 len = ROUNDUP(strlen(idstr) + 1) + sizeof(*sa_id); 1630 if ((sa_id = calloc(1, len)) == NULL) 1631 return (NULL); 1632 1633 strlcpy((char *)(sa_id + 1), idstr, ROUNDUP(strlen(idstr) + 1)); 1634 sa_id->sadb_ident_type = type; 1635 sa_id->sadb_ident_len = len / 8; 1636 sa_id->sadb_ident_exttype = exttype; 1637 1638 return (sa_id); 1639 } 1640 1641 int 1642 pfkey_socket(struct iked *env) 1643 { 1644 int fd; 1645 1646 if (privsep_process != PROC_PARENT) 1647 fatal("pfkey_socket: called from unprivileged process"); 1648 1649 if ((fd = socket(PF_KEY, SOCK_RAW, PF_KEY_V2)) == -1) 1650 fatal("pfkey_socket: failed to open PF_KEY socket"); 1651 1652 return (fd); 1653 } 1654 1655 void 1656 pfkey_init(struct iked *env, int fd) 1657 { 1658 struct sadb_msg smsg; 1659 struct iovec iov; 1660 1661 iked_rdomain = getrtable(); 1662 1663 /* Set up a timer to process messages deferred by the pfkey_reply */ 1664 pfkey_timer_tv.tv_sec = 1; 1665 pfkey_timer_tv.tv_usec = 0; 1666 evtimer_set(&pfkey_timer_ev, pfkey_timer_cb, env); 1667 1668 /* Register the pfkey socket event handler */ 1669 env->sc_pfkey = fd; 1670 event_set(&env->sc_pfkeyev, env->sc_pfkey, 1671 EV_READ|EV_PERSIST, pfkey_dispatch, env); 1672 event_add(&env->sc_pfkeyev, NULL); 1673 1674 pfkey_flush(env); 1675 1676 /* Register it to get ESP and AH acquires from the kernel */ 1677 bzero(&smsg, sizeof(smsg)); 1678 smsg.sadb_msg_version = PF_KEY_V2; 1679 smsg.sadb_msg_seq = ++sadb_msg_seq; 1680 smsg.sadb_msg_pid = getpid(); 1681 smsg.sadb_msg_len = sizeof(smsg) / 8; 1682 smsg.sadb_msg_type = SADB_REGISTER; 1683 smsg.sadb_msg_satype = SADB_SATYPE_ESP; 1684 1685 iov.iov_base = &smsg; 1686 iov.iov_len = sizeof(smsg); 1687 1688 if (pfkey_write(env, &smsg, &iov, 1, NULL, NULL)) 1689 fatal("pfkey_init: failed to set up ESP acquires"); 1690 1691 bzero(&smsg, sizeof(smsg)); 1692 smsg.sadb_msg_version = PF_KEY_V2; 1693 smsg.sadb_msg_seq = ++sadb_msg_seq; 1694 smsg.sadb_msg_pid = getpid(); 1695 smsg.sadb_msg_len = sizeof(smsg) / 8; 1696 smsg.sadb_msg_type = SADB_REGISTER; 1697 smsg.sadb_msg_satype = SADB_SATYPE_AH; 1698 1699 iov.iov_base = &smsg; 1700 iov.iov_len = sizeof(smsg); 1701 1702 if (pfkey_write(env, &smsg, &iov, 1, NULL, NULL)) 1703 fatal("pfkey_init: failed to set up AH acquires"); 1704 } 1705 1706 void * 1707 pfkey_find_ext(uint8_t *data, ssize_t len, int type) 1708 { 1709 struct sadb_ext *ext = (struct sadb_ext *)(data + 1710 sizeof(struct sadb_msg)); 1711 1712 while (ext && ((uint8_t *)ext - data < len)) { 1713 if (ext->sadb_ext_type == type) 1714 return (ext); 1715 ext = (struct sadb_ext *)((uint8_t *)ext + 1716 ext->sadb_ext_len * PFKEYV2_CHUNK); 1717 } 1718 1719 return (NULL); 1720 } 1721 1722 void 1723 pfkey_dispatch(int fd, short event, void *arg) 1724 { 1725 struct iked *env = (struct iked *)arg; 1726 struct pfkey_message pm, *pmp; 1727 struct sadb_msg hdr; 1728 ssize_t len; 1729 uint8_t *data; 1730 1731 if (recv(fd, &hdr, sizeof(hdr), MSG_PEEK) != sizeof(hdr)) { 1732 log_warn("%s: short recv", __func__); 1733 return; 1734 } 1735 1736 if (hdr.sadb_msg_version != PF_KEY_V2) { 1737 log_warnx("%s: wrong pfkey version", __func__); 1738 return; 1739 } 1740 1741 if ((data = reallocarray(NULL, hdr.sadb_msg_len, PFKEYV2_CHUNK)) 1742 == NULL) { 1743 log_warn("%s: malloc", __func__); 1744 return; 1745 } 1746 len = hdr.sadb_msg_len * PFKEYV2_CHUNK; 1747 1748 if (read(fd, data, len) != len) { 1749 log_warn("%s: short read", __func__); 1750 free(data); 1751 return; 1752 } 1753 1754 /* Try postponed requests first, so we do in-order processing */ 1755 if (!SIMPLEQ_EMPTY(&pfkey_postponed)) 1756 pfkey_timer_cb(0, 0, env); 1757 1758 pm.pm_data = data; 1759 pm.pm_length = len; 1760 1761 if (pfkey_process(env, &pm) == -1 && 1762 (pmp = calloc(1, sizeof(*pmp))) != NULL) { 1763 pmp->pm_data = data; 1764 pmp->pm_length = len; 1765 log_debug("%s: pfkey_process is busy, retry later", __func__); 1766 SIMPLEQ_INSERT_TAIL(&pfkey_postponed, pmp, pm_entry); 1767 evtimer_add(&pfkey_timer_ev, &pfkey_timer_tv); 1768 } else { 1769 free(data); 1770 } 1771 } 1772 1773 void 1774 pfkey_timer_cb(int unused, short event, void *arg) 1775 { 1776 struct iked *env = arg; 1777 struct pfkey_message *pm; 1778 1779 SIMPLEQ_INIT(&pfkey_retry); 1780 while (!SIMPLEQ_EMPTY(&pfkey_postponed)) { 1781 pm = SIMPLEQ_FIRST(&pfkey_postponed); 1782 SIMPLEQ_REMOVE_HEAD(&pfkey_postponed, pm_entry); 1783 if (pfkey_process(env, pm) == -1) { 1784 log_debug("%s: pfkey_process is busy, retry later", 1785 __func__); 1786 SIMPLEQ_INSERT_TAIL(&pfkey_retry, pm, pm_entry); 1787 } else { 1788 free(pm->pm_data); 1789 free(pm); 1790 } 1791 } 1792 /* move from retry to postponed */ 1793 SIMPLEQ_CONCAT(&pfkey_postponed, &pfkey_retry); 1794 if (!SIMPLEQ_EMPTY(&pfkey_postponed)) 1795 evtimer_add(&pfkey_timer_ev, &pfkey_timer_tv); 1796 } 1797 1798 /* 1799 * pfkey_process returns 0 if the message has been processed and -1 if 1800 * the system is busy and the message should be passed again, later. 1801 */ 1802 int 1803 pfkey_process(struct iked *env, struct pfkey_message *pm) 1804 { 1805 struct iked_spi spi; 1806 struct sadb_sa *sa; 1807 struct sadb_lifetime *sa_ltime; 1808 struct sadb_msg *hdr; 1809 struct sadb_msg smsg; 1810 struct iked_addr peer; 1811 struct iked_flow flow; 1812 struct sadb_address *sa_addr; 1813 struct sadb_protocol *sa_proto; 1814 struct sadb_x_policy sa_pol; 1815 struct sockaddr *ssrc, *sdst, *smask, *dmask, *speer; 1816 struct iovec iov[IOV_CNT]; 1817 int ret = 0, iov_cnt; 1818 uint8_t *reply; 1819 ssize_t rlen; 1820 const char *errmsg = NULL; 1821 uint8_t *data = pm->pm_data; 1822 ssize_t len = pm->pm_length; 1823 size_t slen; 1824 1825 if (!env || !data || !len) 1826 return (0); 1827 1828 hdr = (struct sadb_msg *)data; 1829 1830 switch (hdr->sadb_msg_type) { 1831 case SADB_ACQUIRE: 1832 bzero(&flow, sizeof(flow)); 1833 bzero(&peer, sizeof(peer)); 1834 1835 if ((sa_addr = pfkey_find_ext(data, len, 1836 SADB_EXT_ADDRESS_DST)) == NULL) { 1837 log_debug("%s: no peer address", __func__); 1838 return (0); 1839 } 1840 speer = (struct sockaddr *)(sa_addr + 1); 1841 peer.addr_af = speer->sa_family; 1842 peer.addr_port = htons(socket_getport(speer)); 1843 if ((slen = speer->sa_len) > sizeof(peer.addr)) { 1844 log_debug("%s: invalid peer address len", __func__); 1845 return (0); 1846 } 1847 memcpy(&peer.addr, speer, slen); 1848 if (socket_af((struct sockaddr *)&peer.addr, 1849 peer.addr_port) == -1) { 1850 log_debug("%s: invalid address", __func__); 1851 return (0); 1852 } 1853 flow.flow_peer = &peer; 1854 1855 log_debug("%s: acquire request (peer %s)", __func__, 1856 print_host(speer, NULL, 0)); 1857 1858 /* get the matching flow */ 1859 bzero(&smsg, sizeof(smsg)); 1860 smsg.sadb_msg_version = PF_KEY_V2; 1861 smsg.sadb_msg_seq = ++sadb_msg_seq; 1862 smsg.sadb_msg_pid = getpid(); 1863 smsg.sadb_msg_len = sizeof(smsg) / 8; 1864 smsg.sadb_msg_type = SADB_X_ASKPOLICY; 1865 1866 iov_cnt = 0; 1867 1868 iov[iov_cnt].iov_base = &smsg; 1869 iov[iov_cnt].iov_len = sizeof(smsg); 1870 iov_cnt++; 1871 1872 bzero(&sa_pol, sizeof(sa_pol)); 1873 sa_pol.sadb_x_policy_exttype = SADB_X_EXT_POLICY; 1874 sa_pol.sadb_x_policy_len = sizeof(sa_pol) / 8; 1875 sa_pol.sadb_x_policy_seq = hdr->sadb_msg_seq; 1876 1877 iov[iov_cnt].iov_base = &sa_pol; 1878 iov[iov_cnt].iov_len = sizeof(sa_pol); 1879 smsg.sadb_msg_len += sizeof(sa_pol) / 8; 1880 iov_cnt++; 1881 1882 if (pfkey_write(env, &smsg, iov, iov_cnt, &reply, &rlen)) { 1883 log_warnx("%s: failed to get a policy", __func__); 1884 return (0); 1885 } 1886 1887 if ((sa_addr = pfkey_find_ext(reply, rlen, 1888 SADB_X_EXT_SRC_FLOW)) == NULL) { 1889 errmsg = "flow source address"; 1890 goto out; 1891 } 1892 ssrc = (struct sockaddr *)(sa_addr + 1); 1893 flow.flow_src.addr_af = ssrc->sa_family; 1894 flow.flow_src.addr_port = htons(socket_getport(ssrc)); 1895 if ((slen = ssrc->sa_len) > sizeof(flow.flow_src.addr)) { 1896 log_debug("%s: invalid src address len", __func__); 1897 return (0); 1898 } 1899 memcpy(&flow.flow_src.addr, ssrc, slen); 1900 if (socket_af((struct sockaddr *)&flow.flow_src.addr, 1901 flow.flow_src.addr_port) == -1) { 1902 log_debug("%s: invalid address", __func__); 1903 return (0); 1904 } 1905 1906 if ((sa_addr = pfkey_find_ext(reply, rlen, 1907 SADB_X_EXT_DST_FLOW)) == NULL) { 1908 errmsg = "flow destination address"; 1909 goto out; 1910 } 1911 sdst = (struct sockaddr *)(sa_addr + 1); 1912 flow.flow_dst.addr_af = sdst->sa_family; 1913 flow.flow_dst.addr_port = htons(socket_getport(sdst)); 1914 if ((slen = sdst->sa_len) > sizeof(flow.flow_dst.addr)) { 1915 log_debug("%s: invalid dst address len", __func__); 1916 return (0); 1917 } 1918 memcpy(&flow.flow_dst.addr, sdst, slen); 1919 if (socket_af((struct sockaddr *)&flow.flow_dst.addr, 1920 flow.flow_dst.addr_port) == -1) { 1921 log_debug("%s: invalid address", __func__); 1922 return (0); 1923 } 1924 1925 if ((sa_addr = pfkey_find_ext(reply, rlen, 1926 SADB_X_EXT_SRC_MASK)) == NULL) { 1927 errmsg = "flow source mask"; 1928 goto out; 1929 } 1930 smask = (struct sockaddr *)(sa_addr + 1); 1931 switch (smask->sa_family) { 1932 case AF_INET: 1933 flow.flow_src.addr_mask = 1934 mask2prefixlen((struct sockaddr *)smask); 1935 if (flow.flow_src.addr_mask != 32) 1936 flow.flow_src.addr_net = 1; 1937 break; 1938 case AF_INET6: 1939 flow.flow_src.addr_mask = 1940 mask2prefixlen6((struct sockaddr *)smask); 1941 if (flow.flow_src.addr_mask != 128) 1942 flow.flow_src.addr_net = 1; 1943 break; 1944 default: 1945 log_debug("%s: bad address family", __func__); 1946 free(reply); 1947 return (0); 1948 } 1949 1950 if ((sa_addr = pfkey_find_ext(reply, rlen, 1951 SADB_X_EXT_DST_MASK)) == NULL) { 1952 errmsg = "flow destination mask"; 1953 goto out; 1954 } 1955 dmask = (struct sockaddr *)(sa_addr + 1); 1956 switch (dmask->sa_family) { 1957 case AF_INET: 1958 flow.flow_dst.addr_mask = 1959 mask2prefixlen((struct sockaddr *)dmask); 1960 if (flow.flow_src.addr_mask != 32) 1961 flow.flow_src.addr_net = 1; 1962 break; 1963 case AF_INET6: 1964 flow.flow_dst.addr_mask = 1965 mask2prefixlen6((struct sockaddr *)dmask); 1966 if (flow.flow_src.addr_mask != 128) 1967 flow.flow_src.addr_net = 1; 1968 break; 1969 default: 1970 log_debug("%s: bad address family", __func__); 1971 free(reply); 1972 return (0); 1973 } 1974 1975 switch (hdr->sadb_msg_satype) { 1976 case SADB_SATYPE_AH: 1977 flow.flow_saproto = IKEV2_SAPROTO_AH; 1978 break; 1979 case SADB_SATYPE_ESP: 1980 flow.flow_saproto = IKEV2_SAPROTO_ESP; 1981 break; 1982 case SADB_X_SATYPE_IPCOMP: 1983 flow.flow_saproto = IKEV2_SAPROTO_IPCOMP; 1984 break; 1985 } 1986 1987 if ((sa_proto = pfkey_find_ext(reply, rlen, 1988 SADB_X_EXT_FLOW_TYPE)) == NULL) { 1989 errmsg = "flow protocol"; 1990 goto out; 1991 } 1992 flow.flow_dir = sa_proto->sadb_protocol_direction; 1993 flow.flow_rdomain = -1; /* XXX get from kernel */ 1994 1995 log_debug("%s: flow %s from %s/%s to %s/%s via %s", __func__, 1996 flow.flow_dir == IPSP_DIRECTION_IN ? "in" : "out", 1997 print_host(ssrc, NULL, 0), print_host(smask, NULL, 0), 1998 print_host(sdst, NULL, 0), print_host(dmask, NULL, 0), 1999 print_host(speer, NULL, 0)); 2000 2001 ret = ikev2_child_sa_acquire(env, &flow); 2002 2003 out: 2004 if (errmsg) 2005 log_warnx("%s: %s wasn't found", __func__, errmsg); 2006 free(reply); 2007 break; 2008 2009 case SADB_EXPIRE: 2010 if ((sa = pfkey_find_ext(data, len, SADB_EXT_SA)) == NULL) { 2011 log_warnx("%s: SA extension wasn't found", __func__); 2012 return (0); 2013 } 2014 if ((sa_ltime = pfkey_find_ext(data, len, 2015 SADB_EXT_LIFETIME_SOFT)) == NULL && 2016 (sa_ltime = pfkey_find_ext(data, len, 2017 SADB_EXT_LIFETIME_HARD)) == NULL) { 2018 log_warnx("%s: lifetime extension wasn't found", 2019 __func__); 2020 return (0); 2021 } 2022 spi.spi = ntohl(sa->sadb_sa_spi); 2023 spi.spi_size = 4; 2024 switch (hdr->sadb_msg_satype) { 2025 case SADB_SATYPE_AH: 2026 spi.spi_protoid = IKEV2_SAPROTO_AH; 2027 break; 2028 case SADB_SATYPE_ESP: 2029 spi.spi_protoid = IKEV2_SAPROTO_ESP; 2030 break; 2031 case SADB_X_SATYPE_IPCOMP: 2032 spi.spi_size = 2; 2033 spi.spi_protoid = IKEV2_SAPROTO_IPCOMP; 2034 break; 2035 default: 2036 log_warnx("%s: unsupported SA type %d spi %s", 2037 __func__, hdr->sadb_msg_satype, 2038 print_spi(spi.spi, spi.spi_size)); 2039 return (0); 2040 } 2041 2042 log_debug("%s: SA %s is expired, pending %s", __func__, 2043 print_spi(spi.spi, spi.spi_size), 2044 sa_ltime->sadb_lifetime_exttype == SADB_EXT_LIFETIME_SOFT ? 2045 "rekeying" : "deletion"); 2046 2047 if (sa_ltime->sadb_lifetime_exttype == SADB_EXT_LIFETIME_SOFT) 2048 ret = ikev2_child_sa_rekey(env, &spi); 2049 else 2050 ret = ikev2_child_sa_drop(env, &spi); 2051 break; 2052 } 2053 return (ret); 2054 } 2055