      1 /*	$NetBSD: pfkey.c,v 1.63 2025/03/07 15:55:29 christos Exp $	*/
      2 
      3 /* $Id: pfkey.c,v 1.63 2025/03/07 15:55:29 christos Exp $ */
      4 
      5 /*
      6  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
      7  * All rights reserved.
      8  *
      9  * Redistribution and use in source and binary forms, with or without
     10  * modification, are permitted provided that the following conditions
     11  * are met:
     12  * 1. Redistributions of source code must retain the above copyright
     13  *    notice, this list of conditions and the following disclaimer.
     14  * 2. Redistributions in binary form must reproduce the above copyright
     15  *    notice, this list of conditions and the following disclaimer in the
     16  *    documentation and/or other materials provided with the distribution.
     17  * 3. Neither the name of the project nor the names of its contributors
     18  *    may be used to endorse or promote products derived from this software
     19  *    without specific prior written permission.
     20  *
     21  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
     22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
     23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
     24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
     25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
     26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
     27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
     28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
     29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
     30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
     31  * SUCH DAMAGE.
     32  */
     33 
     34 #include "config.h"
     35 
     36 #include <stdlib.h>
     37 #include <string.h>
     38 #include <stdio.h>
     39 #include <netdb.h>
     40 #include <errno.h>
     41 #ifdef HAVE_UNISTD_H
     42 #include <unistd.h>
     43 #endif
     44 #include <netdb.h>
     45 #include <netinet/in.h>
     46 #include <arpa/inet.h>
     47 
     48 #ifdef ENABLE_NATT
     49 # ifdef __linux__
     50 #  include <linux/udp.h>
     51 # endif
     52 # if defined(__NetBSD__) || defined(__FreeBSD__) ||	\
     53   (defined(__APPLE__) && defined(__MACH__))
     54 #  include <netinet/udp.h>
     55 # endif
     56 #endif
     57 
     58 #include <sys/types.h>
     59 #include <sys/param.h>
     60 #include <sys/socket.h>
     61 #include <sys/queue.h>
     62 #include <sys/sysctl.h>
     63 
     64 #include <net/route.h>
     65 #include <net/pfkeyv2.h>
     66 
     67 #include <netinet/in.h>
     68 #include PATH_IPSEC_H
     69 #include <fcntl.h>
     70 
     71 #include "libpfkey.h"
     72 
     73 #include "var.h"
     74 #include "misc.h"
     75 #include "vmbuf.h"
     76 #include "plog.h"
     77 #include "sockmisc.h"
     78 #include "session.h"
     79 #include "debug.h"
     80 
     81 #include "schedule.h"
     82 #include "localconf.h"
     83 #include "remoteconf.h"
     84 #include "handler.h"
     85 #include "policy.h"
     86 #include "proposal.h"
     87 #include "isakmp_var.h"
     88 #include "isakmp.h"
     89 #include "isakmp_inf.h"
     90 #include "ipsec_doi.h"
     91 #include "oakley.h"
     92 #include "pfkey.h"
     93 #include "algorithm.h"
     94 #include "sainfo.h"
     95 #include "admin.h"
     96 #include "evt.h"
     97 #include "privsep.h"
     98 #include "strnames.h"
     99 #include "backupsa.h"
    100 #include "gcmalloc.h"
    101 #include "nattraversal.h"
    102 #include "crypto_openssl.h"
    103 #include "grabmyaddr.h"
    104 
    105 #if defined(SADB_X_EALG_RIJNDAELCBC) && !defined(SADB_X_EALG_AESCBC)
    106 #define SADB_X_EALG_AESCBC  SADB_X_EALG_RIJNDAELCBC
    107 #endif
    108 
    109 /* prototype */
    110 static u_int ipsecdoi2pfkey_aalg(u_int);
    111 static u_int ipsecdoi2pfkey_ealg(u_int);
    112 static u_int ipsecdoi2pfkey_calg(u_int);
    113 static u_int ipsecdoi2pfkey_alg(u_int, u_int);
    114 static u_int keylen_aalg(u_int);
    115 static u_int keylen_ealg(u_int, int);
    116 
    117 static int pk_recvgetspi(caddr_t *);
    118 static int pk_recvupdate(caddr_t *);
    119 static int pk_recvadd(caddr_t *);
    120 static int pk_recvdelete(caddr_t *);
    121 static int pk_recvacquire(caddr_t *);
    122 static int pk_recvexpire(caddr_t *);
    123 static int pk_recvflush(caddr_t *);
    124 static int getsadbpolicy(caddr_t *, int *, int, struct ph2handle *);
    125 static int pk_recvspdupdate(caddr_t *);
    126 static int pk_recvspdadd(caddr_t *);
    127 static int pk_recvspddelete(caddr_t *);
    128 static int pk_recvspdexpire(caddr_t *);
    129 static int pk_recvspdget(caddr_t *);
    130 static int pk_recvspddump(caddr_t *);
    131 static int pk_recvspdflush(caddr_t *);
    132 #if defined(SADB_X_MIGRATE) && defined(SADB_X_EXT_KMADDRESS)
    133 static int pk_recvmigrate(caddr_t *);
    134 #endif
    135 static struct sadb_msg *pk_recv(int, int *);
    136 
/*
 * Receive-side dispatch table, indexed by sadb_msg_type.
 * pfkey_handler() bounds-checks the type against ARRAYLEN(pkrecvf) and
 * refuses NULL slots before calling through this table, so a NULL entry
 * means "message type not handled by this daemon".
 * The entry order must follow the SADB_* message type numbering; the
 * #error at the end trips the build when SADB_MAX grows past 24 so that a
 * new type cannot be added to the headers without revisiting this table.
 */
static int (*pkrecvf[])(caddr_t *) = {
NULL,	/* type 0 (SADB_RESERVED) */
pk_recvgetspi,
pk_recvupdate,
pk_recvadd,
pk_recvdelete,
NULL,	/* SADB_GET */
pk_recvacquire,
NULL,	/* SADB_REGISTER */
pk_recvexpire,
pk_recvflush,
NULL,	/* SADB_DUMP */
NULL,	/* SADB_X_PROMISC */
NULL,	/* SADB_X_PCHANGE */
pk_recvspdupdate,
pk_recvspdadd,
pk_recvspddelete,
pk_recvspdget,
NULL,	/* SADB_X_SPDACQUIRE */
pk_recvspddump,
pk_recvspdflush,
NULL,	/* SADB_X_SPDSETIDX */
pk_recvspdexpire,
NULL,	/* SADB_X_SPDDELETE2 */
NULL,	/* SADB_X_NAT_T_NEW_MAPPING */
#if defined(SADB_X_MIGRATE) && defined(SADB_X_EXT_KMADDRESS)
pk_recvmigrate,
#else
NULL,	/* SADB_X_MIGRATE */
#endif
#if (SADB_MAX > 24)
#error "SADB extra message?"
#endif
};
    171 
    172 static int addnewsp(caddr_t *, struct sockaddr *, struct sockaddr *);
    173 
    174 /* cope with old kame headers - ugly */
    175 #ifndef SADB_X_AALG_MD5
    176 #define SADB_X_AALG_MD5		SADB_AALG_MD5
    177 #endif
    178 #ifndef SADB_X_AALG_SHA
    179 #define SADB_X_AALG_SHA		SADB_AALG_SHA
    180 #endif
    181 #ifndef SADB_X_AALG_NULL
    182 #define SADB_X_AALG_NULL	SADB_AALG_NULL
    183 #endif
    184 
    185 #ifndef SADB_X_EALG_BLOWFISHCBC
    186 #define SADB_X_EALG_BLOWFISHCBC	SADB_EALG_BLOWFISHCBC
    187 #endif
    188 #ifndef SADB_X_EALG_CAST128CBC
    189 #define SADB_X_EALG_CAST128CBC	SADB_EALG_CAST128CBC
    190 #endif
    191 #ifndef SADB_X_EALG_RC5CBC
    192 #ifdef SADB_EALG_RC5CBC
    193 #define SADB_X_EALG_RC5CBC	SADB_EALG_RC5CBC
    194 #endif
    195 #endif
    196 
/*
 * PF_KEY packet handler: receive one message from the PF_KEY socket `fd',
 * validate it and dispatch it through pkrecvf[].
 *	 1: a message was received and its handler returned >= 0
 *	 0: pk_recv() returned no message without an error (short message,
 *	    not ready yet)
 *	-1: fail (receive error including EAGAIN, an error reported inside the
 *	    message, failed validation, unknown or unsupported type, or the
 *	    handler returned < 0)
 * pfkey_reload() keeps calling this function for as long as it returns > 0.
 */
/*ARGSUSED*/
static int
pfkey_handler(void *ctx __unused, int fd)
{
	struct sadb_msg *msg;
	int len;
	caddr_t mhp[SADB_EXT_MAX + 1];
	int error = -1;

	/* receive pfkey message. */
	len = 0;
	msg = (struct sadb_msg *) pk_recv(fd, &len);
	if (msg == NULL) {
		if (len < 0) {
		        /* do not log EAGAIN as an error; we'll get
		         * called from the main loop later, and it's normal
		         * when an spd dump is received during reload and
		         * this function is called in a loop.
		         * The return value is still -1 in that case. */
		        if (errno == EAGAIN)
		                goto end;

			plog(LLV_ERROR, LOCATION, NULL,
				"failed to recv from pfkey (%s)\n",
				strerror(errno));
			goto end;
		} else {
			/* short message - msg not ready */
			return 0;
		}
	}

	plog(LLV_DEBUG, LOCATION, NULL, "got pfkey %s message\n",
		s_pfkey_type(msg->sadb_msg_type));
	/*
	 * sadb_msg_len is multiplied by 8 to get the byte count to dump.
	 * NOTE(review): the length comes from the message header itself;
	 * presumably pk_recv() has already checked it against the bytes it
	 * actually read - confirm.
	 */
	plogdump(LLV_DEBUG2, msg, msg->sadb_msg_len << 3);

	/* validity check: the message carries an errno for a failed request */
	if (msg->sadb_msg_errno) {
		int pri;

		/* when SPD is empty, treat the state as no error. */
		if (msg->sadb_msg_type == SADB_X_SPDDUMP &&
		    msg->sadb_msg_errno == ENOENT)
			pri = LLV_DEBUG;
		else
			pri = LLV_ERROR;

		plog(pri, LOCATION, NULL,
			"pfkey %s failed: %s\n",
			s_pfkey_type(msg->sadb_msg_type),
			strerror(msg->sadb_msg_errno));

		/* only the log priority differs; the function still returns -1 */
		goto end;
	}

	/* check pfkey message: fill mhp[] with the extension pointers, then
	 * let libipsec validate them. */
	if (pfkey_align(msg, mhp)) {
		plog(LLV_ERROR, LOCATION, NULL,
			"libipsec failed pfkey align (%s)\n",
			ipsec_strerror());
		goto end;
	}
	if (pfkey_check(mhp)) {
		plog(LLV_ERROR, LOCATION, NULL,
			"libipsec failed pfkey check (%s)\n",
			ipsec_strerror());
		goto end;
	}
	msg = (struct sadb_msg *)mhp[0];

	/* safety check: the type indexes pkrecvf[], so it must be in range */
	if (msg->sadb_msg_type >= ARRAYLEN(pkrecvf)) {
		plog(LLV_ERROR, LOCATION, NULL,
			"unknown PF_KEY message type=%u\n",
			msg->sadb_msg_type);
		goto end;
	}

	/* a NULL slot is a known type this daemon does not process */
	if (pkrecvf[msg->sadb_msg_type] == NULL) {
		plog(LLV_INFO, LOCATION, NULL,
			"unsupported PF_KEY message %s\n",
			s_pfkey_type(msg->sadb_msg_type));
		goto end;
	}

	if ((pkrecvf[msg->sadb_msg_type])(mhp) < 0)
		goto end;

	error = 1;
end:
	/* the message buffer is released on every path that reaches here */
	if (msg)
		racoon_free(msg);
	return(error);
}
    295 
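/*
 * Dump the kernel SADB for one SA type.
 *
 * Opens a separate PF_KEY socket through privsep_socket(), sends a dump
 * request for `satype' and appends every SADB_DUMP reply whose
 * sadb_msg_pid matches this process to one buffer.  Messages of another
 * type or for another pid are logged at debug level and discarded.
 * Collection stops after the reply whose sadb_msg_seq is 0.
 *
 * Returns the collected buffer, which the caller then owns, or NULL.
 * A receive error (pk_recv() reporting len < 0) ends collection and
 * returns whatever was gathered up to that point, which may be NULL.
 * Failure to open the socket, to size its buffer, to send the request or
 * to grow the result buffer returns NULL.
 *
 * Once the socket has been opened it is closed on every exit path.
 */
vchar_t *
pfkey_dump_sadb(int satype)
{
	int s;
	vchar_t *buf = NULL;
	pid_t pid = getpid();
	struct sadb_msg *msg = NULL;
	size_t bl, ml;
	int len;
	int bufsiz;

	if ((s = privsep_socket(PF_KEY, SOCK_RAW, PF_KEY_V2)) < 0) {
		plog(LLV_ERROR, LOCATION, NULL,
			"libipsec failed pfkey open: %s\n",
			ipsec_strerror());
		return NULL;
	}

	if ((bufsiz = pfkey_set_buffer_size(s, lcconf->pfkey_buffer_size)) < 0) {
		plog(LLV_ERROR, LOCATION, NULL,
		     "libipsec failed pfkey set buffer size to %d: %s\n",
		     lcconf->pfkey_buffer_size, ipsec_strerror());
		/* the socket is already open: leave through the cleanup path
		 * so the descriptor is not leaked on each failed dump */
		goto fail;
	} else if (bufsiz < lcconf->pfkey_buffer_size) {
		plog(LLV_WARNING, LOCATION, NULL,
		     "pfkey socket receive buffer set to %dKB, instead of %d\n",
		     bufsiz, lcconf->pfkey_buffer_size);
	}

	plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_dump\n");
	if (pfkey_send_dump(s, satype) < 0) {
		plog(LLV_ERROR, LOCATION, NULL,
			"libipsec failed dump: %s\n", ipsec_strerror());
		goto fail;
	}

	for (;;) {
		/* release the message of the previous iteration */
		if (msg)
			racoon_free(msg);
		msg = pk_recv(s, &len);
		if (msg == NULL) {
			if (len < 0)
				goto done;
			else
				continue;
		}

		/* only replies to our own dump request are collected */
		if (msg->sadb_msg_type != SADB_DUMP || msg->sadb_msg_pid != pid)
		{
		    plog(LLV_DEBUG, LOCATION, NULL,
			 "discarding non-sadb dump msg %p, our pid=%i\n", msg, pid);
		    plog(LLV_DEBUG, LOCATION, NULL,
			 "type %i, pid %i\n", msg->sadb_msg_type, msg->sadb_msg_pid);
		    continue;
		}

		/*
		 * sadb_msg_len is multiplied by 8 to get the byte count.
		 * NOTE(review): the copy below trusts that count; presumably
		 * pk_recv() returns a buffer of at least that size - confirm.
		 */
		ml = msg->sadb_msg_len << 3;
		bl = buf ? buf->l : 0;
		buf = vrealloc(buf, bl + ml);
		if (buf == NULL) {
			plog(LLV_ERROR, LOCATION, NULL,
				"failed to reallocate buffer to dump.\n");
			goto fail;
		}
		memcpy(buf->v + bl, msg, ml);

		/* sequence number 0 marks the last reply of the dump */
		if (msg->sadb_msg_seq == 0)
			break;
	}
	goto done;

fail:
	if (buf)
		vfree(buf);
	buf = NULL;
done:
	if (msg)
		racoon_free(msg);
	close(s);
	return buf;
}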
    381 
    382 #ifdef ENABLE_ADMINPORT
/*
 * flush SADB
 *
 * `proto' is converted with admin2pfkey_proto(); a negative result ends
 * the call without sending anything.  Otherwise a flush for that SA type
 * is sent on the daemon's PF_KEY socket.  A send failure is logged; the
 * function reports nothing to its caller.
 */
void
pfkey_flush_sadb(u_int proto)
{
	/* convert to SADB_SATYPE */
	int sadb_satype = admin2pfkey_proto(proto);

	if (sadb_satype < 0)
		return;

	plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_flush\n");
	if (pfkey_send_flush(lcconf->sock_pfkey, sadb_satype) >= 0)
		return;

	plog(LLV_ERROR, LOCATION, NULL,
		"libipsec failed send flush (%s)\n", ipsec_strerror());
}
    404 #endif
    405 
    406 /*
    407  * These are the SATYPEs that we manage.  We register to get
    408  * PF_KEY messages related to these SATYPEs, and we also use
    409  * this list to determine which SATYPEs to delete SAs for when
    410  * we receive an INITIAL-CONTACT.
    411  */
/* one entry per SA type: PF_KEY satype value and the name used in logs */
const struct pfkey_satype pfkey_satypes[] = {
	{ .ps_satype = SADB_SATYPE_AH,		.ps_name = "AH" },
	{ .ps_satype = SADB_SATYPE_ESP,		.ps_name = "ESP" },
	{ .ps_satype = SADB_X_SATYPE_IPCOMP,	.ps_name = "IPCOMP" },
};
/* number of entries in pfkey_satypes[] */
const int pfkey_nsatypes = sizeof pfkey_satypes / sizeof pfkey_satypes[0];
    419 
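/*
 * PF_KEY initialization
 *
 * Opens the daemon's PF_KEY socket into lcconf->sock_pfkey, sizes its
 * receive buffer, switches it to non-blocking mode (a failure there is
 * only a warning), registers for every SA type in pfkey_satypes[], calls
 * initsp(), requests an SPD dump and finally hands the socket to
 * monitor_fd() with pfkey_handler() as callback.
 *
 * Registration is tolerant: it is an error only when no SA type at all
 * could be registered.
 *
 * Returns 0 on success and -1 on failure.  Every failure after the socket
 * has been opened closes it again before returning.
 */
int
pfkey_init()
{
	int i, reg_fail;
	int bufsiz;

	if ((lcconf->sock_pfkey = pfkey_open()) < 0) {
		plog(LLV_ERROR, LOCATION, NULL,
			"libipsec failed pfkey open (%s)\n", ipsec_strerror());
		return -1;
	}
	if ((bufsiz = pfkey_set_buffer_size(lcconf->sock_pfkey,
					    lcconf->pfkey_buffer_size)) < 0) {
		plog(LLV_ERROR, LOCATION, NULL,
		     "libipsec failed to set pfkey buffer size to %d (%s)\n",
		     lcconf->pfkey_buffer_size, ipsec_strerror());
		/* same cleanup as the later failure paths: do not leave the
		 * privileged PF_KEY descriptor open after a failed init */
		pfkey_close(lcconf->sock_pfkey);
		return -1;
	} else if (bufsiz < lcconf->pfkey_buffer_size) {
		plog(LLV_WARNING, LOCATION, NULL,
		     "pfkey socket receive buffer set to %dKB, instead of %d\n",
		     bufsiz, lcconf->pfkey_buffer_size);
	}

	if (fcntl(lcconf->sock_pfkey, F_SETFL, O_NONBLOCK) == -1)
		plog(LLV_WARNING, LOCATION, NULL,
		    "failed to set the pfkey socket to NONBLOCK\n");

	/* register each SA type; count the failures instead of stopping */
	for (i = 0, reg_fail = 0; i < pfkey_nsatypes; i++) {
		plog(LLV_DEBUG, LOCATION, NULL,
		    "call pfkey_send_register for %s\n",
		    pfkey_satypes[i].ps_name);
		if (pfkey_send_register(lcconf->sock_pfkey,
					pfkey_satypes[i].ps_satype) < 0 ||
		    pfkey_recv_register(lcconf->sock_pfkey) < 0) {
			plog(LLV_WARNING, LOCATION, NULL,
			    "failed to register %s (%s)\n",
			    pfkey_satypes[i].ps_name,
			    ipsec_strerror());
			reg_fail++;
		}
	}

	if (reg_fail == pfkey_nsatypes) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to regist any protocol.\n");
		pfkey_close(lcconf->sock_pfkey);
		return -1;
	}

	initsp();

	if (pfkey_send_spddump(lcconf->sock_pfkey) < 0) {
		plog(LLV_ERROR, LOCATION, NULL,
			"libipsec sending spddump failed: %s\n",
			ipsec_strerror());
		pfkey_close(lcconf->sock_pfkey);
		return -1;
	}
#if 0
	if (pfkey_promisc_toggle(1) < 0) {
		pfkey_close(lcconf->sock_pfkey);
		return -1;
	}
#endif
	monitor_fd(lcconf->sock_pfkey, pfkey_handler, NULL, 0);
	return 0;
}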
    490 
/*
 * Reload: call flushsp(), request a fresh SPD dump from the kernel, then
 * run pfkey_handler() on the PF_KEY socket until it stops returning a
 * positive value.
 * Returns -1 when the dump request cannot be sent, 0 otherwise.
 */
int
pfkey_reload()
{
	int sent;

	flushsp();

	sent = pfkey_send_spddump(lcconf->sock_pfkey);
	if (sent < 0) {
		plog(LLV_ERROR, LOCATION, NULL,
			"libipsec sending spddump failed: %s\n",
			ipsec_strerror());
		return -1;
	}

	/* process messages until the handler returns 0 or -1 */
	for (;;) {
		if (pfkey_handler(NULL, lcconf->sock_pfkey) <= 0)
			break;
	}

	return 0;
}
    508 
    509 /* %%% for conversion */
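/*
 * IPSECDOI_ATTR_AUTH -> SADB_AALG
 *
 * Returns the PF_KEY authentication algorithm for an IPsec DOI
 * authentication attribute value, or ~0u (after logging) for
 * IPSECDOI_ATTR_AUTH_DES_MAC, which is recognised but not supported.
 *
 * NOTE(review): 0 and every value that is not listed map to
 * SADB_AALG_NONE, not to an error, so this function on its own does not
 * reject an unknown attribute.  In this file pfkey_convertfromipsecdoi()
 * also calls keylen_aalg() with the same value, which fails when
 * alg_ipsec_hmacdef_hashlen() returns -1; whether that lookup rejects
 * every unknown value is not visible here - confirm before relying on it.
 */
static u_int
ipsecdoi2pfkey_aalg(u_int hashtype)
{
	switch (hashtype) {
	case IPSECDOI_ATTR_AUTH_HMAC_MD5:
		return SADB_AALG_MD5HMAC;
	case IPSECDOI_ATTR_AUTH_HMAC_SHA1:
		return SADB_AALG_SHA1HMAC;
	case IPSECDOI_ATTR_AUTH_HMAC_SHA2_256:
#if (defined SADB_X_AALG_SHA2_256) && !defined(SADB_X_AALG_SHA2_256HMAC)
		return SADB_X_AALG_SHA2_256;
#else
		return SADB_X_AALG_SHA2_256HMAC;
#endif
	case IPSECDOI_ATTR_AUTH_HMAC_SHA2_384:
#if (defined SADB_X_AALG_SHA2_384) && !defined(SADB_X_AALG_SHA2_384HMAC)
		return SADB_X_AALG_SHA2_384;
#else
		return SADB_X_AALG_SHA2_384HMAC;
#endif
	case IPSECDOI_ATTR_AUTH_HMAC_SHA2_512:
#if (defined SADB_X_AALG_SHA2_512) && !defined(SADB_X_AALG_SHA2_512HMAC)
		return SADB_X_AALG_SHA2_512;
#else
		return SADB_X_AALG_SHA2_512HMAC;
#endif
	case IPSECDOI_ATTR_AUTH_KPDK:		/* need special care */
		return SADB_AALG_NONE;

	/* not supported */
	case IPSECDOI_ATTR_AUTH_DES_MAC:
		plog(LLV_ERROR, LOCATION, NULL,
			"Not supported hash type: %u\n", hashtype);
		return ~0u;

	case 0: /* reserved */
	default:
		/*
		 * The log-and-fail statements that used to follow this return
		 * could never execute and have been dropped; the behaviour is
		 * unchanged.
		 */
		return SADB_AALG_NONE;
	}
	/*NOTREACHED*/
}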
    556 
/*
 * IPSECDOI_ESP -> SADB_EALG
 *
 * Returns the PF_KEY encryption algorithm for an ESP transform id.
 * Transforms that are recognised but not supported, the reserved value 0
 * and unknown ids are logged and answered with ~0u.
 *
 * Which cases exist depends on the SADB_X_EALG_* macros the build
 * provides.  Single DES and the NULL transform are translated like any
 * other id; whether a proposal may use them is not decided here.
 */
static u_int
ipsecdoi2pfkey_ealg(u_int t_id)
{
	u_int ealg;

	switch (t_id) {
	case IPSECDOI_ESP_DES_IV64:	/* sa_flags |= SADB_X_EXT_OLD */
	case IPSECDOI_ESP_DES:
	case IPSECDOI_ESP_DES_IV32:	/* flags |= (SADB_X_EXT_OLD|
							SADB_X_EXT_IV4B)*/
		/* all three DES variants share one PF_KEY identifier */
		ealg = SADB_EALG_DESCBC;
		break;
	case IPSECDOI_ESP_3DES:
		ealg = SADB_EALG_3DESCBC;
		break;
#ifdef SADB_X_EALG_RC5CBC
	case IPSECDOI_ESP_RC5:
		ealg = SADB_X_EALG_RC5CBC;
		break;
#endif
	case IPSECDOI_ESP_CAST:
		ealg = SADB_X_EALG_CAST128CBC;
		break;
	case IPSECDOI_ESP_BLOWFISH:
		ealg = SADB_X_EALG_BLOWFISHCBC;
		break;
	case IPSECDOI_ESP_NULL:
		ealg = SADB_EALG_NULL;
		break;
#ifdef SADB_X_EALG_AESCBC
	case IPSECDOI_ESP_AES:
		ealg = SADB_X_EALG_AESCBC;
		break;
#endif
#ifdef SADB_X_EALG_AESGCM16
	case IPSECDOI_ESP_AESGCM16:
		ealg = SADB_X_EALG_AESGCM16;
		break;
#endif
#ifdef SADB_X_EALG_TWOFISHCBC
	case IPSECDOI_ESP_TWOFISH:
		ealg = SADB_X_EALG_TWOFISHCBC;
		break;
#endif
#ifdef SADB_X_EALG_CAMELLIACBC
	case IPSECDOI_ESP_CAMELLIA:
		ealg = SADB_X_EALG_CAMELLIACBC;
		break;
#endif

	/* not supported */
	case IPSECDOI_ESP_3IDEA:
	case IPSECDOI_ESP_IDEA:
	case IPSECDOI_ESP_RC4:
		plog(LLV_ERROR, LOCATION, NULL,
			"Not supported transform: %u\n", t_id);
		return ~0u;

	case 0: /* reserved */
	default:
		plog(LLV_ERROR, LOCATION, NULL,
			"Invalid transform id: %u\n", t_id);
		return ~0u;
	}

	return ealg;
}
    614 
/*
 * IPCOMP -> SADB_CALG
 *
 * Returns the PF_KEY compression algorithm for an IPCOMP transform id;
 * the reserved value 0 and unknown ids are logged and answered with ~0u.
 */
static u_int
ipsecdoi2pfkey_calg(u_int t_id)
{
	u_int calg;

	switch (t_id) {
	case IPSECDOI_IPCOMP_OUI:
		calg = SADB_X_CALG_OUI;
		break;
	case IPSECDOI_IPCOMP_DEFLATE:
		calg = SADB_X_CALG_DEFLATE;
		break;
	case IPSECDOI_IPCOMP_LZS:
		calg = SADB_X_CALG_LZS;
		break;

	case 0: /* reserved */
	default:
		plog(LLV_ERROR, LOCATION, NULL,
			"Invalid transform id: %u\n", t_id);
		return ~0u;
	}

	return calg;
}
    635 
/*
 * IPSECDOI_PROTO -> SADB_SATYPE
 *
 * Returns the PF_KEY SA type for an IPsec DOI protocol id; any other
 * value is logged and answered with ~0u, which callers compare against.
 */
u_int
ipsecdoi2pfkey_proto(u_int proto)
{
	u_int satype;

	switch (proto) {
	case IPSECDOI_PROTO_IPSEC_AH:
		satype = SADB_SATYPE_AH;
		break;
	case IPSECDOI_PROTO_IPSEC_ESP:
		satype = SADB_SATYPE_ESP;
		break;
	case IPSECDOI_PROTO_IPCOMP:
		satype = SADB_X_SATYPE_IPCOMP;
		break;

	default:
		plog(LLV_ERROR, LOCATION, NULL,
			"Invalid ipsec_doi proto: %u\n", proto);
		return ~0u;
	}

	return satype;
}
    655 
/*
 * Route an algorithm value to the matching converter:
 * IPSECDOI_ATTR_AUTH to ipsecdoi2pfkey_aalg(), IPSECDOI_PROTO_IPSEC_ESP to
 * ipsecdoi2pfkey_ealg(), IPSECDOI_PROTO_IPCOMP to ipsecdoi2pfkey_calg().
 * Any other class is logged and answered with ~0u.
 * Note that the selector mixes an attribute-class constant with two
 * protocol ids in one switch.
 */
static u_int
ipsecdoi2pfkey_alg(u_int algclass, u_int type)
{
	u_int alg;

	switch (algclass) {
	case IPSECDOI_ATTR_AUTH:
		alg = ipsecdoi2pfkey_aalg(type);
		break;
	case IPSECDOI_PROTO_IPSEC_ESP:
		alg = ipsecdoi2pfkey_ealg(type);
		break;
	case IPSECDOI_PROTO_IPCOMP:
		alg = ipsecdoi2pfkey_calg(type);
		break;
	default:
		plog(LLV_ERROR, LOCATION, NULL,
			"Invalid ipsec_doi algclass: %u\n", algclass);
		return ~0u;
	}

	return alg;
}
    673 
/*
 * SADB_SATYPE -> IPSECDOI_PROTO
 *
 * Inverse of ipsecdoi2pfkey_proto(): returns the IPsec DOI protocol id for
 * a PF_KEY SA type; any other value is logged and answered with ~0u.
 */
u_int
pfkey2ipsecdoi_proto(u_int satype)
{
	u_int doi_proto;

	switch (satype) {
	case SADB_SATYPE_AH:
		doi_proto = IPSECDOI_PROTO_IPSEC_AH;
		break;
	case SADB_SATYPE_ESP:
		doi_proto = IPSECDOI_PROTO_IPSEC_ESP;
		break;
	case SADB_X_SATYPE_IPCOMP:
		doi_proto = IPSECDOI_PROTO_IPCOMP;
		break;

	default:
		plog(LLV_ERROR, LOCATION, NULL,
			"Invalid pfkey proto: %u\n", satype);
		return ~0u;
	}

	return doi_proto;
}
    693 
/*
 * IPSECDOI_ATTR_ENC_MODE -> IPSEC_MODE
 *
 * Tunnel and transport encapsulation modes map to IPSEC_MODE_TUNNEL and
 * IPSEC_MODE_TRANSPORT.  With ENABLE_NATT the UDP-encapsulated variants
 * (RFC and draft values) collapse onto the same two modes.
 * Any other value is logged and answered with ~0u.
 */
u_int
ipsecdoi2pfkey_mode(u_int mode)
{
	u_int ipsec_mode;

	switch (mode) {
	case IPSECDOI_ATTR_ENC_MODE_TUNNEL:
#ifdef ENABLE_NATT
	case IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_RFC:
	case IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_DRAFT:
#endif
		ipsec_mode = IPSEC_MODE_TUNNEL;
		break;
	case IPSECDOI_ATTR_ENC_MODE_TRNS:
#ifdef ENABLE_NATT
	case IPSECDOI_ATTR_ENC_MODE_UDPTRNS_RFC:
	case IPSECDOI_ATTR_ENC_MODE_UDPTRNS_DRAFT:
#endif
		ipsec_mode = IPSEC_MODE_TRANSPORT;
		break;
	default:
		plog(LLV_ERROR, LOCATION, NULL, "Invalid mode type: %u\n", mode);
		return ~0u;
	}

	return ipsec_mode;
}
    717 
/*
 * IPSEC_MODE -> IPSECDOI_ATTR_ENC_MODE
 *
 * Returns the IPsec DOI encapsulation mode for a PF_KEY IPsec mode
 * (tunnel, transport or any); other values are logged and answered
 * with ~0u.
 */
u_int
pfkey2ipsecdoi_mode(u_int mode)
{
	u_int enc_mode;

	switch (mode) {
	case IPSEC_MODE_TUNNEL:
		enc_mode = IPSECDOI_ATTR_ENC_MODE_TUNNEL;
		break;
	case IPSEC_MODE_TRANSPORT:
		enc_mode = IPSECDOI_ATTR_ENC_MODE_TRNS;
		break;
	case IPSEC_MODE_ANY:
		enc_mode = IPSECDOI_ATTR_ENC_MODE_ANY;
		break;
	default:
		plog(LLV_ERROR, LOCATION, NULL, "Invalid mode type: %u\n", mode);
		return ~0u;
	}

	return enc_mode;
}
    735 
/*
 * default key length for an authentication algorithm
 *
 * Returns SADB_AALG_NONE when hashtype is 0, otherwise the value of
 * alg_ipsec_hmacdef_hashlen(); a lookup result of -1 is logged and
 * answered with ~0u.  The caller in this file shifts the result right by
 * 3, so the unit is presumably bits - confirm.
 */
static u_int
keylen_aalg(u_int hashtype)
{
	int hashlen;

	if (hashtype == 0)
		return SADB_AALG_NONE;

	hashlen = alg_ipsec_hmacdef_hashlen(hashtype);
	if (hashlen != -1)
		return hashlen;

	plog(LLV_ERROR, LOCATION, NULL,
		"invalid hmac algorithm %u.\n", hashtype);
	return ~0u;
}
    753 
/*
 * default key length for an encryption algorithm
 *
 * Passes enctype and the requested length encklen to
 * alg_ipsec_encdef_keylen() and returns its answer; a result of -1 is
 * logged and answered with ~0u.
 */
static u_int
keylen_ealg(u_int enctype, int encklen)
{
	int keylen = alg_ipsec_encdef_keylen(enctype, encklen);

	if (keylen != -1)
		return keylen;

	plog(LLV_ERROR, LOCATION, NULL,
		"invalid encryption algorithm %u.\n", enctype);
	return ~0u;
}
    768 
/*
 * Rewrite the ports of the source and destination addresses carried in a
 * parsed PF_KEY message, in place.
 *
 * Both ports are first set to PORT_ISAKMP.  With ENABLE_NATT, when the
 * message has a non-zero NAT-T type, the ports found in the NAT-T
 * source/destination port extensions replace them.
 *
 * The address extensions are dereferenced without a NULL check here;
 * pk_recvgetspi() checks them before calling, other callers are expected
 * to do the same (not visible in this part of the file).
 */
void
pk_fixup_sa_addresses(caddr_t *mhp)
{
	struct sockaddr *sa_src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
	struct sockaddr *sa_dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);

	/* default: the IKE port on both ends */
	set_port(sa_src, PORT_ISAKMP);
	set_port(sa_dst, PORT_ISAKMP);

#ifdef ENABLE_NATT
	if (!PFKEY_ADDR_X_NATTYPE(mhp[SADB_X_EXT_NAT_T_TYPE]))
		return;

	/* NAT-T is enabled for this SADB entry; copy
	 * the ports from NAT-T extensions */
	if (mhp[SADB_X_EXT_NAT_T_SPORT] != NULL)
		set_port(sa_src, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_SPORT]));
	if (mhp[SADB_X_EXT_NAT_T_DPORT] != NULL)
		set_port(sa_dst, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_DPORT]));
#endif
}
    790 
/*
 * Convert an IPsec DOI protocol / transform / authentication triple into
 * PF_KEY algorithm identifiers, key lengths and SA flags.
 *
 * proto_id: IPSECDOI_PROTO_IPSEC_ESP, IPSECDOI_PROTO_IPSEC_AH or
 *           IPSECDOI_PROTO_IPCOMP; anything else fails.
 * t_id:     transform id, converted for ESP and IPCOMP; for AH it is only
 *           compared in the keyed-MD5 special case below.
 * hashtype: authentication attribute, used for ESP and AH.
 * e_type, a_type: out, PF_KEY algorithm identifiers.
 * e_keylen: for ESP this is in/out - the incoming value is passed to
 *           keylen_ealg() and then overwritten; for AH and IPCOMP it is
 *           set to 0.
 * a_keylen: out; 0 for IPCOMP.
 * flags:    out; cleared first, then set per protocol.
 *
 * Key lengths are shifted right by 3 before they are stored (presumably
 * bits to bytes - confirm against the alg_ipsec_* helpers).
 *
 * Returns 0 on success.  On failure returns -1 with errno set to EINVAL;
 * the output parameters may already have been partially written.
 */
int
pfkey_convertfromipsecdoi(u_int proto_id, u_int t_id, u_int hashtype,
    u_int *e_type, u_int *e_keylen, u_int *a_type, u_int *a_keylen,
    u_int *flags)
{
	*flags = 0;
	switch (proto_id) {
	case IPSECDOI_PROTO_IPSEC_ESP:
		if ((*e_type = ipsecdoi2pfkey_ealg(t_id)) == ~0u)
			goto bad;
		if ((*e_keylen = keylen_ealg(t_id, *e_keylen)) == ~0u)
			goto bad;
		*e_keylen >>= 3;

		if ((*a_type = ipsecdoi2pfkey_aalg(hashtype)) == ~0u)
			goto bad;
		if ((*a_keylen = keylen_aalg(hashtype)) == ~0u)
			goto bad;
		*a_keylen >>= 3;

		/*
		 * Only a missing encryption algorithm is refused here; an
		 * a_type of SADB_AALG_NONE (ESP without authentication) is
		 * let through.  NOTE(review): presumably proposal policy is
		 * enforced elsewhere - confirm.
		 */
		if (*e_type == SADB_EALG_NONE) {
			plog(LLV_ERROR, LOCATION, NULL, "no ESP algorithm.\n");
			goto bad;
		}
		break;

	case IPSECDOI_PROTO_IPSEC_AH:
		if ((*a_type = ipsecdoi2pfkey_aalg(hashtype)) == ~0u)
			goto bad;
		if ((*a_keylen = keylen_aalg(hashtype)) == ~0u)
			goto bad;
		*a_keylen >>= 3;

		/*
		 * NOTE(review): t_id is an AH transform id but is compared
		 * with an IPSECDOI_ATTR_AUTH_* constant, while the comment
		 * below speaks of the AH_MD5 transform - confirm the intended
		 * constant.
		 */
		if (t_id == IPSECDOI_ATTR_AUTH_HMAC_MD5
		 && hashtype == IPSECDOI_ATTR_AUTH_KPDK) {
			/* AH_MD5 + Auth(KPDK) = RFC1826 keyed-MD5 */
			*a_type = SADB_X_AALG_MD5;
			*flags |= SADB_X_EXT_OLD;
		}
		*e_type = SADB_EALG_NONE;
		*e_keylen = 0;
		/* AH without an authentication algorithm is meaningless */
		if (*a_type == SADB_AALG_NONE) {
			plog(LLV_ERROR, LOCATION, NULL, "no AH algorithm.\n");
			goto bad;
		}
		break;

	case IPSECDOI_PROTO_IPCOMP:
		/* the compression algorithm is returned through e_type */
		if ((*e_type = ipsecdoi2pfkey_calg(t_id)) == ~0u)
			goto bad;
		*e_keylen = 0;

		*flags = SADB_X_EXT_RAWCPI;

		*a_type = SADB_AALG_NONE;
		*a_keylen = 0;
		if (*e_type == SADB_X_CALG_NONE) {
			plog(LLV_ERROR, LOCATION, NULL, "no IPCOMP algorithm.\n");
			goto bad;
		}
		break;

	default:
		plog(LLV_ERROR, LOCATION, NULL, "unknown IPsec protocol.\n");
		goto bad;
	}

	return 0;

    bad:
	errno = EINVAL;
	return -1;
}
    864 
    865 /*%%%*/
/*
 * Send one GETSPI request per protocol of the phase 2 SA proposal.
 *
 * The proposal is iph2->proposal on the initiator side and iph2->approval
 * otherwise.  The local and remote addresses of the handle are sent as
 * destination and source address respectively, because the SPI is chosen
 * by the receiving end of the SA.  When both iph2->sa_src and iph2->sa_dst
 * are set they are used in place of the IKE addresses.
 *
 * Returns 0 when every request was sent, -1 on the first failure
 * (address duplication, invalid protocol or mode, send error).  The
 * duplicated addresses are released on every path.
 *
 * NOTE(review): with ENABLE_NATT the NAT-T type is read through
 * iph2->ph1->natt_options without a NULL check, and the proposal pointer
 * is walked without one either - presumably both are guaranteed by the
 * caller; confirm.
 */
int
pk_sendgetspi(struct ph2handle *iph2)
{
	struct saprop *pp =
	    (iph2->side == INITIATOR) ? iph2->proposal : iph2->approval;
	struct sockaddr *src = NULL, *dst = NULL;
	struct saproto *pr;
	u_int satype, mode;
	uint32_t minspi, maxspi;
	uint8_t natt_type = 0;
	uint16_t sport = 0, dport = 0;
	int rc = -1;

	if (iph2->sa_src && iph2->sa_dst) {
		/* MIPv6: Use SA addresses, not IKE ones */
		src = dupsaddr(iph2->sa_src);
		dst = dupsaddr(iph2->sa_dst);
	} else {
		/* Common case: SA addresses and IKE ones are the same */
		src = dupsaddr(iph2->src);
		dst = dupsaddr(iph2->dst);
	}

	if (src == NULL || dst == NULL)
		goto out;

	for (pr = pp->head; pr != NULL; pr = pr->next) {

		/* validity check */
		satype = ipsecdoi2pfkey_proto(pr->proto_id);
		if (satype == ~0u) {
			plog(LLV_ERROR, LOCATION, NULL,
				"invalid proto_id %d\n", pr->proto_id);
			goto out;
		}

		if (satype == SADB_X_SATYPE_IPCOMP) {
			/* restrict the range: works around a Linux kernel
			   bug that allocates 4 byte spi's for IPCOMP */
			minspi = 0x100;
			maxspi = 0xffff;
		} else {
			minspi = 0;
			maxspi = 0;
		}

		mode = ipsecdoi2pfkey_mode(pr->encmode);
		if (mode == ~0u) {
			plog(LLV_ERROR, LOCATION, NULL,
				"invalid encmode %d\n", pr->encmode);
			goto out;
		}

#ifdef ENABLE_NATT
		/* once set, these values are also used for later protocols */
		if (pr->udp_encap) {
			natt_type = iph2->ph1->natt_options->encaps_type;
			sport = extract_port(src);
			dport = extract_port(dst);
		}
#endif

		plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_getspi\n");
		if (pfkey_send_getspi_nat(
				lcconf->sock_pfkey,
				satype,
				mode,
				dst,			/* src of SA */
				src,			/* dst of SA */
				natt_type,
				dport,
				sport,
				minspi, maxspi,
				pr->reqid_in, iph2->seq) < 0) {
			plog(LLV_ERROR, LOCATION, NULL,
				"ipseclib failed send getspi (%s)\n",
				ipsec_strerror());
			goto out;
		}
		plog(LLV_DEBUG, LOCATION, NULL,
			"pfkey GETSPI sent: %s\n",
			sadbsecas2str(dst, src, satype, 0, mode));
	}

	rc = 0;
out:
	/* single exit: both duplicated addresses are always released */
	racoon_free(src);
	racoon_free(dst);
	return rc;
}
    970 
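/*
 * receive GETSPI from kernel.
 *
 * mhp holds the extension pointers of one PF_KEY message, with the base
 * sadb_msg at index 0.  The reply is matched to a phase 2 handle by its
 * sequence number, and the SPI it carries is stored in every proposal
 * entry of the same protocol that has no SPI yet.  When no entry is left
 * without an SPI the handle moves to PHASE2ST_GETSPIDONE and
 * isakmp_post_getspi() is called.
 *
 * Returns 0 on success (also when more SPIs are still awaited), -1 when
 * the message is malformed, carries another process' pid, matches no
 * handle, arrives in the wrong state, or the follow-up step fails.
 */
static int
pk_recvgetspi(caddr_t *mhp)
{
	struct sadb_msg *msg;
	struct sadb_sa *sa;
	struct ph2handle *iph2;
	struct sockaddr *src, *dst;
	u_int proto_id;
	int allspiok, notfound;
	struct saprop *pp;
	struct saproto *pr;

	/*
	 * validity check.  mhp[0] is tested as well because the base
	 * header is dereferenced right below.
	 */
	if (mhp[0] == NULL
	 || mhp[SADB_EXT_SA] == NULL
	 || mhp[SADB_EXT_ADDRESS_DST] == NULL
	 || mhp[SADB_EXT_ADDRESS_SRC] == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"inappropriate sadb getspi message passed.\n");
		return -1;
	}
	msg = (struct sadb_msg *)mhp[0];
	sa = (struct sadb_sa *)mhp[SADB_EXT_SA];
	pk_fixup_sa_addresses(mhp);
	dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]); /* note SA dir */
	src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);

	/*
	 * Only replies to our own requests may change negotiation state:
	 * the pid must be ours and the sequence number must name a handle.
	 */
	if (msg->sadb_msg_pid != getpid()) {
		plog(LLV_DEBUG, LOCATION, NULL,
			"%s message is not interesting "
			"because pid %d is not mine.\n",
			s_pfkey_type(msg->sadb_msg_type),
			msg->sadb_msg_pid);
		return -1;
	}

	iph2 = getph2byseq(msg->sadb_msg_seq);
	if (iph2 == NULL) {
		plog(LLV_DEBUG, LOCATION, NULL,
			"seq %d of %s message not interesting.\n",
			msg->sadb_msg_seq,
			s_pfkey_type(msg->sadb_msg_type));
		return -1;
	}

	if (iph2->status != PHASE2ST_GETSPISENT) {
		plog(LLV_ERROR, LOCATION, NULL,
			"status mismatch (db:%d msg:%d)\n",
			iph2->status, PHASE2ST_GETSPISENT);
		return -1;
	}

	/* reject an SA type with no IPsec DOI protocol, as pk_recvupdate does */
	proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype);
	if (proto_id == ~0u) {
		plog(LLV_ERROR, LOCATION, NULL,
			"invalid proto_id %d\n", msg->sadb_msg_satype);
		return -1;
	}

	/* the initiator fills its proposal, the responder its approval */
	pp = iph2->side == INITIATOR ? iph2->proposal : iph2->approval;
	if (pp == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"no proposal to store the SPI in.\n");
		return -1;
	}

	/* set SPI, and check to get all spi whether or not */
	allspiok = 1;
	notfound = 1;
	for (pr = pp->head; pr != NULL; pr = pr->next) {
		if (pr->proto_id == proto_id && pr->spi == 0) {
			pr->spi = sa->sadb_sa_spi;
			notfound = 0;
			plog(LLV_DEBUG, LOCATION, NULL,
				"pfkey GETSPI succeeded: %s\n",
				sadbsecas2str(dst, src,
				    msg->sadb_msg_satype,
				    sa->sadb_sa_spi,
				    ipsecdoi2pfkey_mode(pr->encmode)));
		}
		if (pr->spi == 0)
			allspiok = 0;	/* not get all spi */
	}

	if (notfound) {
		plog(LLV_ERROR, LOCATION, NULL,
			"get spi for unknown address %s\n",
			saddrwop2str(dst));
		return -1;
	}

	if (allspiok) {
		/* update status */
		iph2->status = PHASE2ST_GETSPIDONE;
		if (isakmp_post_getspi(iph2) < 0) {
			plog(LLV_ERROR, LOCATION, NULL,
				"failed to start post getspi.\n");
			/* the handle is unusable: unlink and free it */
			remph2(iph2);
			delph2(iph2);
			return -1;
		}
	}

	return 0;
}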
   1069 
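/*
 * set inbound SA
 *
 * Sends one pfkey_send_update2() request per protocol of the approved
 * proposal of iph2.  The SA addresses are used when the handle carries
 * them, otherwise the IKE addresses; either way they are swapped, since
 * this is the inbound direction.  When a backup path is configured each
 * SA is also handed to backupsa_to_file().
 *
 * Returns 0 when every request was sent, -1 on the first failure.
 */
int
pk_sendupdate(struct ph2handle *iph2)
{
	struct saproto *pr;
	struct pfkey_send_sa_args sa_args;
	int error = -1;

	/* sanity check */
	if (iph2->approval == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"no approvaled SAs found.\n");
		return -1;
	}

	/* fill in the fields of sa_args shared by every protocol */
	memset(&sa_args, 0, sizeof(sa_args));
	sa_args.so = lcconf->sock_pfkey;
	if (iph2->lifetime_secs)
		sa_args.l_addtime = iph2->lifetime_secs;
	else
		sa_args.l_addtime = iph2->approval->lifetime;
	sa_args.seq = iph2->seq;

	if (iph2->sa_src && iph2->sa_dst) {
		/* MIPv6: Use SA addresses, not IKE ones */
		sa_args.dst = dupsaddr(iph2->sa_src);
		sa_args.src = dupsaddr(iph2->sa_dst);
	} else {
		/* Common case: SA addresses and IKE ones are the same */
		sa_args.dst = dupsaddr(iph2->src);
		sa_args.src = dupsaddr(iph2->dst);
	}

	if (sa_args.src == NULL || sa_args.dst == NULL)
		goto out;

	for (pr = iph2->approval->head; pr != NULL; pr = pr->next) {
		/* validity check */
		sa_args.satype = ipsecdoi2pfkey_proto(pr->proto_id);
		if (sa_args.satype == ~0u) {
			plog(LLV_ERROR, LOCATION, NULL,
				"invalid proto_id %d\n", pr->proto_id);
			goto out;
		}

		/*
		 * The replay window is chosen per protocol.  sa_args is
		 * reused across iterations, so the zero window of an IPCOMP
		 * entry must not be inherited by the entry that follows it:
		 * that entry would be installed without replay protection.
		 */
		sa_args.wsize =
		    sa_args.satype == SADB_X_SATYPE_IPCOMP ? 0 : 4;

#ifdef ENABLE_SAMODE_UNSPECIFIED
		sa_args.mode = IPSEC_MODE_ANY;
#else
		sa_args.mode = ipsecdoi2pfkey_mode(pr->encmode);
		if (sa_args.mode == ~0u) {
			plog(LLV_ERROR, LOCATION, NULL,
				"invalid encmode %d\n", pr->encmode);
			goto out;
		}
#endif
		/* set algorithm type and key length */
		sa_args.e_keylen = pr->head->encklen;
		if (pfkey_convertfromipsecdoi(
				pr->proto_id,
				pr->head->trns_id,
				pr->head->authtype,
				&sa_args.e_type, &sa_args.e_keylen,
				&sa_args.a_type, &sa_args.a_keylen,
				&sa_args.flags) < 0)
			goto out;

		/* no byte lifetime is passed to the kernel */
		sa_args.l_bytes = 0;

#ifdef HAVE_SECCTX
		if (*iph2->approval->sctx.ctx_str) {
			sa_args.ctxdoi = iph2->approval->sctx.ctx_doi;
			sa_args.ctxalg = iph2->approval->sctx.ctx_alg;
			sa_args.ctxstrlen = iph2->approval->sctx.ctx_strlen;
			sa_args.ctxstr = iph2->approval->sctx.ctx_str;
		}
#endif /* HAVE_SECCTX */

#ifdef ENABLE_NATT
		/*
		 * NOTE(review): the NAT-T fields are only written when
		 * udp_encap is set and are never cleared, so an entry
		 * without udp_encap keeps those of an earlier one - confirm
		 * this is intended.
		 */
		if (pr->udp_encap) {
			sa_args.l_natt_type = iph2->ph1->natt_options->encaps_type;
			sa_args.l_natt_sport = extract_port(iph2->ph1->remote);
			sa_args.l_natt_dport = extract_port(iph2->ph1->local);
			sa_args.l_natt_oa = iph2->natoa_src;
#ifdef SADB_X_EXT_NAT_T_FRAG
			sa_args.l_natt_frag = iph2->ph1->rmconf->esp_frag;
#endif
		}
#endif

		/* more info to fill in */
		sa_args.spi = pr->spi;
		sa_args.reqid = pr->reqid_in;
		sa_args.keymat = pr->keymat->v;

		plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_update2\n");
		if (pfkey_send_update2(&sa_args) < 0) {
			plog(LLV_ERROR, LOCATION, NULL,
				"libipsec failed send update (%s)\n",
				ipsec_strerror());
			goto out;
		}

		if (!lcconf->pathinfo[LC_PATHTYPE_BACKUPSA])
			continue;

		/*
		 * It maybe good idea to call backupsa_to_file() after
		 * racoon will receive the sadb_update messages.
		 * But it is impossible because there is not key in the
		 * information from the kernel.
		 *
		 * NOTE(review): sa_args carries the keymat pointer here, so
		 * the backup presumably holds key material; the configured
		 * backup path should be readable by the daemon only -
		 * confirm against backupsa_to_file().
		 */

		/* change some things before backing up */
		sa_args.wsize = 4;
		sa_args.l_bytes = iph2->approval->lifebyte * 1024;

		/* a failed backup is logged but does not abort the update */
		if (backupsa_to_file(&sa_args) < 0) {
			plog(LLV_ERROR, LOCATION, NULL,
				"backuped SA failed: %s\n",
				sadbsecas2str(sa_args.src, sa_args.dst,
				sa_args.satype, sa_args.spi, sa_args.mode));
		} else {
			plog(LLV_DEBUG, LOCATION, NULL,
				"backuped SA: %s\n",
				sadbsecas2str(sa_args.src, sa_args.dst,
				sa_args.satype, sa_args.spi, sa_args.mode));
		}
	}

	error = 0;
out:
	/* the address copies belong to this function on every path */
	racoon_free(sa_args.src);
	racoon_free(sa_args.dst);
	return error;
}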
   1224 
/*
 * receive UPDATE from kernel.
 *
 * Marks the approved protocol entry whose protocol and SPI match the
 * message as done.  Once every entry of the approval is done the phase 2
 * handle becomes PHASE2ST_ESTABLISHED, its timers are cancelled and the
 * sce timer is re-armed with the approved lifetime.
 *
 * Returns 0 when the message was handled (also in local test mode and
 * while entries are still outstanding), -1 when it is malformed, carries
 * another pid, matches no handle, or the handle is in the wrong state.
 */
static int
pk_recvupdate(caddr_t *mhp)
{
	struct sadb_msg *hdr;
	struct sadb_sa *sa_ext;
	struct sadb_x_sa2 *sa2_ext;
	struct sockaddr *src, *dst;
	struct ph2handle *iph2;
	struct saproto *entry;
	u_int proto_id, encmode, sa_mode;
	int pending = 0;

	/* ignore this message because of local test mode. */
	if (f_local)
		return 0;

	/* every extension dereferenced below has to be present */
	if (mhp[0] == NULL
	 || mhp[SADB_EXT_SA] == NULL
	 || mhp[SADB_EXT_ADDRESS_SRC] == NULL
	 || mhp[SADB_EXT_ADDRESS_DST] == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"inappropriate sadb update message passed.\n");
		return -1;
	}

	hdr = (struct sadb_msg *)mhp[0];
	pk_fixup_sa_addresses(mhp);
	src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
	dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
	sa_ext = (struct sadb_sa *)mhp[SADB_EXT_SA];

	/* the SA2 extension is optional; without it the mode is "any" */
	sa2_ext = (struct sadb_x_sa2 *)mhp[SADB_X_EXT_SA2];
	if (sa2_ext == NULL)
		sa_mode = IPSEC_MODE_ANY;
	else
		sa_mode = sa2_ext->sadb_x_sa2_mode;

	/* only replies to our own requests are processed */
	if (hdr->sadb_msg_pid != getpid()) {
		plog(LLV_DEBUG, LOCATION, NULL,
			"%s message is not interesting "
			"because pid %d is not mine.\n",
			s_pfkey_type(hdr->sadb_msg_type),
			hdr->sadb_msg_pid);
		return -1;
	}

	iph2 = getph2byseq(hdr->sadb_msg_seq);
	if (iph2 == NULL) {
		plog(LLV_DEBUG, LOCATION, NULL,
			"seq %d of %s message not interesting.\n",
			hdr->sadb_msg_seq,
			s_pfkey_type(hdr->sadb_msg_type));
		return -1;
	}

	if (iph2->status != PHASE2ST_ADDSA) {
		plog(LLV_ERROR, LOCATION, NULL,
			"status mismatch (db:%d msg:%d)\n",
			iph2->status, PHASE2ST_ADDSA);
		return -1;
	}

	/*
	 * Walk the approved entries: flag the one this reply belongs to
	 * and remember whether any entry is still waiting for its reply.
	 * The type and mode conversions are validated on every pass.
	 */
	entry = iph2->approval->head;
	while (entry != NULL) {
		proto_id = pfkey2ipsecdoi_proto(hdr->sadb_msg_satype);
		if (proto_id == ~0u) {
			plog(LLV_ERROR, LOCATION, NULL,
				"invalid proto_id %d\n", hdr->sadb_msg_satype);
			return -1;
		}
		encmode = pfkey2ipsecdoi_mode(sa_mode);
		if (encmode == ~0u) {
			plog(LLV_ERROR, LOCATION, NULL,
				"invalid encmode %d\n", sa_mode);
			return -1;
		}

		if (entry->proto_id == proto_id
		 && entry->spi == sa_ext->sadb_sa_spi) {
			entry->ok = 1;
			plog(LLV_DEBUG, LOCATION, NULL,
				"pfkey UPDATE succeeded: %s\n",
				sadbsecas2str(dst, src,
				    hdr->sadb_msg_satype,
				    sa_ext->sadb_sa_spi,
				    sa_mode));

			plog(LLV_INFO, LOCATION, NULL,
				"IPsec-SA established: %s\n",
				sadbsecas2str(dst, src,
				    hdr->sadb_msg_satype,
				    sa_ext->sadb_sa_spi,
				    sa_mode));
		}

		if (entry->ok == 0)
			pending = 1;

		entry = entry->next;
	}

	/* more UPDATE replies are expected before the SA set is complete */
	if (pending)
		return 0;

	/* turn off the timer for calling pfkey_timeover() */
	sched_cancel(&iph2->sce);

	/* update status */
	iph2->status = PHASE2ST_ESTABLISHED;
	evt_phase2(iph2, EVT_PHASE2_UP, NULL);

#ifdef ENABLE_STATS
	gettimeofday(&iph2->end, NULL);
	syslog(LOG_NOTICE, "%s(%s): %8.6f",
		"phase2", "quick", timedelta(&iph2->start, &iph2->end));
#endif

	/* turn off schedule */
	sched_cancel(&iph2->scr);

	/*
	 * The phase 2 handle is kept for reuse, so its sce timer is armed
	 * again, this time with the approved lifetime.
	 */
	sched_schedule(&iph2->sce, iph2->approval->lifetime,
		       isakmp_ph2expire_stub);

	plog(LLV_DEBUG, LOCATION, NULL, "===\n");
	return 0;
}
   1350 
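/*
 * set outbound SA
 *
 * Sends one pfkey_send_add2() request per protocol of the approved
 * proposal of iph2, using the peer's SPI, the outbound reqid and the
 * peer-side key material of each entry.  The SA addresses are used when
 * the handle carries them, otherwise the IKE addresses.  When a backup
 * path is configured each SA is also handed to backupsa_to_file().
 *
 * Returns 0 when every request was sent, -1 on the first failure.
 */
int
pk_sendadd(struct ph2handle *iph2)
{
	struct saproto *pr;
	struct pfkey_send_sa_args sa_args;
	int error = -1;

	/* sanity check */
	if (iph2->approval == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"no approvaled SAs found.\n");
		return -1;
	}

	/* fill in the fields pfkey_send_add2 needs for every protocol */
	memset(&sa_args, 0, sizeof(sa_args));
	sa_args.so = lcconf->sock_pfkey;
	if (iph2->lifetime_secs)
		sa_args.l_addtime = iph2->lifetime_secs;
	else
		sa_args.l_addtime = iph2->approval->lifetime;
	sa_args.seq = iph2->seq;

	if (iph2->sa_src && iph2->sa_dst) {
		/* MIPv6: Use SA addresses, not IKE ones */
		sa_args.src = dupsaddr(iph2->sa_src);
		sa_args.dst = dupsaddr(iph2->sa_dst);
	} else {
		/* Common case: SA addresses and IKE ones are the same */
		sa_args.src = dupsaddr(iph2->src);
		sa_args.dst = dupsaddr(iph2->dst);
	}

	if (sa_args.src == NULL || sa_args.dst == NULL)
		goto out;

	for (pr = iph2->approval->head; pr != NULL; pr = pr->next) {
		/* validity check */
		sa_args.satype = ipsecdoi2pfkey_proto(pr->proto_id);
		if (sa_args.satype == ~0u) {
			plog(LLV_ERROR, LOCATION, NULL,
				"invalid proto_id %d\n", pr->proto_id);
			goto out;
		}

		/*
		 * The replay window is chosen per protocol.  sa_args is
		 * reused across iterations, so the zero window of an IPCOMP
		 * entry must not leak into the entry that follows it.
		 */
		sa_args.wsize =
		    sa_args.satype == SADB_X_SATYPE_IPCOMP ? 0 : 4;

#ifdef ENABLE_SAMODE_UNSPECIFIED
		sa_args.mode = IPSEC_MODE_ANY;
#else
		sa_args.mode = ipsecdoi2pfkey_mode(pr->encmode);
		if (sa_args.mode == ~0u) {
			plog(LLV_ERROR, LOCATION, NULL,
				"invalid encmode %d\n", pr->encmode);
			goto out;
		}
#endif

		/* set algorithm type and key length */
		sa_args.e_keylen = pr->head->encklen;
		if (pfkey_convertfromipsecdoi(
				pr->proto_id,
				pr->head->trns_id,
				pr->head->authtype,
				&sa_args.e_type, &sa_args.e_keylen,
				&sa_args.a_type, &sa_args.a_keylen,
				&sa_args.flags) < 0)
			goto out;

		/* no byte lifetime is passed to the kernel */
		sa_args.l_bytes = 0;

#ifdef HAVE_SECCTX
		if (*iph2->approval->sctx.ctx_str) {
			sa_args.ctxdoi = iph2->approval->sctx.ctx_doi;
			sa_args.ctxalg = iph2->approval->sctx.ctx_alg;
			sa_args.ctxstrlen = iph2->approval->sctx.ctx_strlen;
			sa_args.ctxstr = iph2->approval->sctx.ctx_str;
		}
#endif /* HAVE_SECCTX */

#ifdef ENABLE_NATT
		plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_add2 "
		    "(NAT flavor)\n");

		/*
		 * NOTE(review): the encapsulation type is fixed here while
		 * pk_sendupdate() takes it from the phase 1 NAT-T options,
		 * and the NAT-T fields of an earlier entry are kept when a
		 * later one has no udp_encap - confirm both are intended.
		 */
		if (pr->udp_encap) {
			sa_args.l_natt_type = UDP_ENCAP_ESPINUDP;
			sa_args.l_natt_sport = extract_port(iph2->ph1->local);
			sa_args.l_natt_dport = extract_port(iph2->ph1->remote);
			sa_args.l_natt_oa = iph2->natoa_dst;
#ifdef SADB_X_EXT_NAT_T_FRAG
			sa_args.l_natt_frag = iph2->ph1->rmconf->esp_frag;
#endif
		}
#endif
		/* more info to fill in */
		sa_args.spi = pr->spi_p;
		sa_args.reqid = pr->reqid_out;
		sa_args.keymat = pr->keymat_p->v;

		plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_add2\n");
		if (pfkey_send_add2(&sa_args) < 0) {
			plog(LLV_ERROR, LOCATION, NULL,
				"libipsec failed send add (%s)\n",
				ipsec_strerror());
			goto out;
		}

		if (!lcconf->pathinfo[LC_PATHTYPE_BACKUPSA])
			continue;

		/*
		 * It maybe good idea to call backupsa_to_file() after
		 * racoon will receive the sadb_update messages.
		 * But it is impossible because there is not key in the
		 * information from the kernel.
		 *
		 * NOTE(review): sa_args carries the keymat pointer here, so
		 * the backup presumably holds key material; the configured
		 * backup path should be readable by the daemon only -
		 * confirm against backupsa_to_file().
		 */

		/* a failed backup is logged but does not abort the add */
		if (backupsa_to_file(&sa_args) < 0) {
			plog(LLV_ERROR, LOCATION, NULL,
				"backuped SA failed: %s\n",
				sadbsecas2str(sa_args.src, sa_args.dst,
				sa_args.satype, sa_args.spi, sa_args.mode));
		} else {
			plog(LLV_DEBUG, LOCATION, NULL,
				"backuped SA: %s\n",
				sadbsecas2str(sa_args.src, sa_args.dst,
				sa_args.satype, sa_args.spi, sa_args.mode));
		}
	}

	error = 0;
out:
	/* the address copies belong to this function on every path */
	racoon_free(sa_args.src);
	racoon_free(sa_args.dst);
	return error;
}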
   1502 
/*
 * receive ADD from kernel.
 *
 * Only logs that the SA was established.  The phase 2 handle is looked
 * up to confirm the reply belongs to a known negotiation, but its state
 * is left alone: state changes are driven by the SADB_UPDATE reply.
 *
 * Returns 0 when the message was handled (also in local test mode), -1
 * when it is malformed, carries another pid, or matches no handle.
 */
static int
pk_recvadd(caddr_t *mhp)
{
	struct sadb_msg *hdr;
	struct sadb_sa *sa_ext;
	struct sadb_x_sa2 *sa2_ext;
	struct sockaddr *src, *dst;
	struct ph2handle *iph2;
	u_int sa_mode;

	/* ignore this message because of local test mode. */
	if (f_local)
		return 0;

	/* every extension dereferenced below has to be present */
	if (mhp[0] == NULL
	 || mhp[SADB_EXT_SA] == NULL
	 || mhp[SADB_EXT_ADDRESS_SRC] == NULL
	 || mhp[SADB_EXT_ADDRESS_DST] == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"inappropriate sadb add message passed.\n");
		return -1;
	}

	hdr = (struct sadb_msg *)mhp[0];
	pk_fixup_sa_addresses(mhp);
	src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
	dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
	sa_ext = (struct sadb_sa *)mhp[SADB_EXT_SA];

	/* the SA2 extension is optional; without it the mode is "any" */
	sa2_ext = (struct sadb_x_sa2 *)mhp[SADB_X_EXT_SA2];
	if (sa2_ext == NULL)
		sa_mode = IPSEC_MODE_ANY;
	else
		sa_mode = sa2_ext->sadb_x_sa2_mode;

	/* only replies to our own requests are processed */
	if (hdr->sadb_msg_pid != getpid()) {
		plog(LLV_DEBUG, LOCATION, NULL,
			"%s message is not interesting "
			"because pid %d is not mine.\n",
			s_pfkey_type(hdr->sadb_msg_type),
			hdr->sadb_msg_pid);
		return -1;
	}

	iph2 = getph2byseq(hdr->sadb_msg_seq);
	if (iph2 == NULL) {
		plog(LLV_DEBUG, LOCATION, NULL,
			"seq %d of %s message not interesting.\n",
			hdr->sadb_msg_seq,
			s_pfkey_type(hdr->sadb_msg_type));
		return -1;
	}

	/*
	 * NOTE the status of the phase 2 handle is deliberately not
	 * touched here; it is updated on the SADB_UPDATE message.
	 */
	plog(LLV_INFO, LOCATION, NULL,
		"IPsec-SA established: %s\n",
		sadbsecas2str(src, dst,
		    hdr->sadb_msg_satype, sa_ext->sadb_sa_spi, sa_mode));

	plog(LLV_DEBUG, LOCATION, NULL, "===\n");
	return 0;
}
   1567 
/*
 * receive EXPIRE from kernel.
 *
 * Looks the SA up by addresses, protocol and SPI.  An established SA on
 * the initiator side is renegotiated by reusing its phase 2 handle; in
 * every other handled case the handle is marked PHASE2ST_EXPIRED and
 * removed.  Soft expiry of an SA that is still being negotiated, and
 * expiry for a handle already past PHASE2ST_ESTABLISHED, are ignored.
 *
 * Returns 0 when the message was handled or ignored, -1 when it is
 * malformed, names an unknown SA type, or renegotiation cannot start.
 */
static int
pk_recvexpire(caddr_t *mhp)
{
	struct sadb_msg *hdr;
	struct sadb_sa *sa_ext;
	struct sadb_x_sa2 *sa2_ext;
	struct sockaddr *src, *dst;
	struct ph2handle *iph2;
	struct ph1handle *ph1_hint;
	u_int proto_id, sa_mode;

	/*
	 * sanity check: the base header, SA and both addresses are needed,
	 * and a message carrying both a hard and a soft lifetime is refused.
	 */
	if (mhp[0] == NULL
	 || mhp[SADB_EXT_SA] == NULL
	 || mhp[SADB_EXT_ADDRESS_SRC] == NULL
	 || mhp[SADB_EXT_ADDRESS_DST] == NULL
	 || (mhp[SADB_EXT_LIFETIME_HARD] != NULL
	  && mhp[SADB_EXT_LIFETIME_SOFT] != NULL)) {
		plog(LLV_ERROR, LOCATION, NULL,
			"inappropriate sadb expire message passed.\n");
		return -1;
	}

	hdr = (struct sadb_msg *)mhp[0];
	sa_ext = (struct sadb_sa *)mhp[SADB_EXT_SA];
	pk_fixup_sa_addresses(mhp);
	src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
	dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);

	/* the SA2 extension is optional; without it the mode is "any" */
	sa2_ext = (struct sadb_x_sa2 *)mhp[SADB_X_EXT_SA2];
	if (sa2_ext == NULL)
		sa_mode = IPSEC_MODE_ANY;
	else
		sa_mode = sa2_ext->sadb_x_sa2_mode;

	proto_id = pfkey2ipsecdoi_proto(hdr->sadb_msg_satype);
	if (proto_id == ~0u) {
		plog(LLV_ERROR, LOCATION, NULL,
			"invalid proto_id %d\n", hdr->sadb_msg_satype);
		return -1;
	}

	plog(LLV_INFO, LOCATION, NULL,
		"IPsec-SA expired: %s\n",
		sadbsecas2str(src, dst,
		    hdr->sadb_msg_satype, sa_ext->sadb_sa_spi, sa_mode));

	iph2 = getph2bysaidx(src, dst, proto_id, sa_ext->sadb_sa_spi);
	if (iph2 == NULL) {
		/*
		 * Two expire messages arrive for one SA; the phase 2
		 * handle is already gone when the second one is seen,
		 * so this is not an error.
		 */
		plog(LLV_DEBUG, LOCATION, NULL,
			"no such a SA found: %s\n",
			sadbsecas2str(src, dst,
			    hdr->sadb_msg_satype, sa_ext->sadb_sa_spi,
			    sa_mode));
		return 0;
	}

	/* resent expiry message? */
	if (iph2->status > PHASE2ST_ESTABLISHED)
		return 0;

	/* still negotiating? */
	if (iph2->status < PHASE2ST_ESTABLISHED) {
		/* only a hard timeout ends a running negotiation */
		if (mhp[SADB_EXT_LIFETIME_HARD] == NULL)
			return 0;

		/*
		 * We were negotiating for that SA (w/o much success
		 * from current status) and kernel has decided our time
		 * is over trying (xfrm_larval_drop controls that and
		 * is enabled by default on Linux >= 2.6.28 kernels).
		 */
		plog(LLV_WARNING, LOCATION, NULL,
		     "PF_KEY EXPIRE message received from kernel for SA"
		     " being negotiated. Stopping negotiation.\n");
	}

	/* turn off the timer for calling isakmp_ph2expire() */
	sched_cancel(&iph2->sce);

	if (iph2->status != PHASE2ST_ESTABLISHED ||
	    iph2->side != INITIATOR) {
		/*
		 * We are responder or the phase 2 was not established.
		 * Just remove the ph2handle to reflect SADB.
		 */
		iph2->status = PHASE2ST_EXPIRED;
		remph2(iph2);
		delph2(iph2);
		return 0;
	}

	/*
	 * Active phase 2 expired and we were initiator.
	 * Begin new phase 2 exchange, so we can keep on sending traffic.
	 * The phase 1 pointer is saved first because the handle is
	 * re-initialised before it is reused.
	 */
	ph1_hint = iph2->ph1;
	initph2(iph2);
	iph2->status = PHASE2ST_STATUS2;

	/* start quick exchange */
	if (isakmp_post_acquire(iph2, ph1_hint, FALSE) < 0) {
		plog(LLV_ERROR, LOCATION, iph2->dst,
			"failed to begin ipsec sa "
			"re-negotication.\n");
		remph2(iph2);
		delph2(iph2);
		return -1;
	}

	return 0;
}
   1686 
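/*
 * receive ACQUIRE from kernel.
 *
 * Looks up the policy named by the policy id of the message, derives the
 * addresses to negotiate with, builds the matching inbound policy index
 * and starts a new phase 2 negotiation as initiator.
 *
 * Messages are ignored (return 0) in local test mode, when the policy
 * type is not IPSEC_POLICY_IPSEC, when either selector address is
 * multicast, or when we are not listening on the chosen source address.
 *
 * Returns 0 when the message was handled or ignored, -1 when it is
 * malformed, carries an over-long security context, names an unknown
 * policy, duplicates a running negotiation, or a later step fails.
 */
static int
pk_recvacquire(caddr_t *mhp)
{
	struct sadb_msg *msg;
	struct sadb_x_policy *xpl;
	struct secpolicy *sp_out = NULL, *sp_in = NULL;
	struct ph2handle *iph2;
	struct sockaddr *src, *dst;     /* IKE addresses (for exchanges) */
	struct sockaddr *sp_src, *sp_dst;   /* SP addresses (selectors). */
	struct sockaddr *sa_src = NULL, *sa_dst = NULL ; /* SA addresses */
#ifdef HAVE_SECCTX
	struct sadb_x_sec_ctx *m_sec_ctx;
#endif /* HAVE_SECCTX */
	struct policyindex spidx;

	/* ignore this message because of local test mode. */
	if (f_local)
		return 0;

	/* sanity check */
	if (mhp[0] == NULL
	 || mhp[SADB_EXT_ADDRESS_SRC] == NULL
	 || mhp[SADB_EXT_ADDRESS_DST] == NULL
	 || mhp[SADB_X_EXT_POLICY] == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"inappropriate sadb acquire message passed.\n");
		return -1;
	}
	msg = (struct sadb_msg *)mhp[0];
	xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
	/* acquire does not have nat-t ports; so do not bother setting
	 * the default port 500; just use the port zero for wildcard
	 * matching the get a valid natted destination */
	sp_src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
	sp_dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);

#ifdef HAVE_SECCTX
	m_sec_ctx = (struct sadb_x_sec_ctx *)mhp[SADB_X_EXT_SEC_CTX];

	if (m_sec_ctx != NULL) {
		/*
		 * The context string is copied further down into the
		 * fixed-size spidx.sec_ctx.ctx_str, using the length taken
		 * from the message.  Refuse a length that does not fit
		 * instead of writing past the end of that buffer.
		 */
		if (m_sec_ctx->sadb_x_ctx_len >
		    sizeof(spidx.sec_ctx.ctx_str)) {
			plog(LLV_ERROR, LOCATION, NULL,
			     "security context too long: %u\n",
			     m_sec_ctx->sadb_x_ctx_len);
			return -1;
		}

		plog(LLV_INFO, LOCATION, NULL, "security context doi: %u\n",
		     m_sec_ctx->sadb_x_ctx_doi);
		plog(LLV_INFO, LOCATION, NULL,
		     "security context algorithm: %u\n",
		     m_sec_ctx->sadb_x_ctx_alg);
		plog(LLV_INFO, LOCATION, NULL, "security context length: %u\n",
		     m_sec_ctx->sadb_x_ctx_len);
		/*
		 * Print at most the declared length: nothing here shows
		 * that the string in the message is NUL-terminated.
		 */
		plog(LLV_INFO, LOCATION, NULL, "security context: %.*s\n",
		     (int)m_sec_ctx->sadb_x_ctx_len,
		     ((char *)m_sec_ctx + sizeof(struct sadb_x_sec_ctx)));
	}
#endif /* HAVE_SECCTX */

	/* ignore if type is not IPSEC_POLICY_IPSEC */
	if (xpl->sadb_x_policy_type != IPSEC_POLICY_IPSEC) {
		plog(LLV_DEBUG, LOCATION, NULL,
			"ignore ACQUIRE message. type is not IPsec.\n");
		return 0;
	}

	/* ignore it if src or dst are multicast addresses. */
	if ((sp_dst->sa_family == AF_INET
	  && IN_MULTICAST(ntohl(((struct sockaddr_in *)sp_dst)->sin_addr.s_addr)))
#ifdef INET6
	 || (sp_dst->sa_family == AF_INET6
	  && IN6_IS_ADDR_MULTICAST(&((struct sockaddr_in6 *)sp_dst)->sin6_addr))
#endif
	) {
		plog(LLV_DEBUG, LOCATION, NULL,
			"ignore due to multicast destination address: %s.\n",
			saddrwop2str(sp_dst));
		return 0;
	}

	if ((sp_src->sa_family == AF_INET
	  && IN_MULTICAST(ntohl(((struct sockaddr_in *)sp_src)->sin_addr.s_addr)))
#ifdef INET6
	 || (sp_src->sa_family == AF_INET6
	  && IN6_IS_ADDR_MULTICAST(&((struct sockaddr_in6 *)sp_src)->sin6_addr))
#endif
	) {
		plog(LLV_DEBUG, LOCATION, NULL,
			"ignore due to multicast source address: %s.\n",
			saddrwop2str(sp_src));
		return 0;
	}

	/* search for proper policyindex */
	sp_out = getspbyspid(xpl->sadb_x_policy_id);
	if (sp_out == NULL) {
		plog(LLV_ERROR, LOCATION, NULL, "no policy found: id:%d.\n",
			xpl->sadb_x_policy_id);
		return -1;
	}
	plog(LLV_DEBUG, LOCATION, NULL,
		"suitable outbound SP found: %s.\n", spidx2str(&sp_out->spidx));

	/* Before going further, let first get the source and destination
	 * address that would be used for IKE negotiation. The logic is:
	 * - if SP from SPD image contains local and remote hints, we
	 *   use them (provided by MIGRATE).
	 * - otherwise, we use the ones from the ipsecrequest, which means:
	 *   - the addresses from the request for transport mode
	 *   - the endpoints addresses for tunnel mode
	 *
	 * Note that:
	 * 1) racoon does not support negotiation of bundles which
	 *    simplifies the lookup for the addresses in the ipsecrequest
	 *    list, as we expect only one.
	 * 2) We do source and destination parts all together and do not
	 *    accept semi-defined information. This is just a decision,
	 *    there might be needs.
	 *
	 * --arno
	 */
	if (sp_out->req && sp_out->req->saidx.mode == IPSEC_MODE_TUNNEL) {
		/* For Tunnel mode, SA addresses are the endpoints */
		src = (struct sockaddr *) &sp_out->req->saidx.src;
		dst = (struct sockaddr *) &sp_out->req->saidx.dst;
	} else {
		/* Otherwise use requested addresses.
		 *
		 * We need to explicitly setup sa_src and sa_dst too,
		 * since the SA ports are different from IKE port. And
		 * src/dst ports will be overwritten when the matching
		 * phase1 is found. */
		src = sa_src = sp_src;
		dst = sa_dst = sp_dst;
	}
	if (sp_out->local && sp_out->remote) {
		/* hints available, let's use them */
		sa_src = src;
		sa_dst = dst;
		src = (struct sockaddr *) sp_out->local;
		dst = (struct sockaddr *) sp_out->remote;
	}

	/*
	 * If there is a phase 2 handler against the policy identifier in
	 * the acquire message, and if
	 *    1. its state is less than PHASE2ST_ESTABLISHED, then racoon
	 *       should ignore such a acquire message because the phase 2
	 *       is just negotiating.
	 *    2. its state is equal to PHASE2ST_ESTABLISHED, then racoon
	 *       has to process such an acquire message because racoon may
	 *       have lost the expire message.
	 */
	iph2 = getph2byid(src, dst, xpl->sadb_x_policy_id);
	if (iph2 != NULL) {
		if (iph2->status < PHASE2ST_ESTABLISHED) {
			plog(LLV_DEBUG, LOCATION, NULL,
				"ignore the acquire because ph2 found\n");
			return -1;
		}
		if (iph2->status == PHASE2ST_EXPIRED)
			iph2 = NULL;
	}

	/* Check we are listening on source address. If not, ignore. */
	if (myaddr_getsport(src) == -1) {
		plog(LLV_DEBUG, LOCATION, NULL,
		     "Not listening on source address %s. Ignoring ACQUIRE.\n",
		     saddrwop2str(src));
		return 0;
	}

	/*
	 * get inbound policy: the index is the outbound one with source
	 * and destination (addresses and prefixes) exchanged.
	 */
	memset(&spidx, 0, sizeof(spidx));
	spidx.dir = IPSEC_DIR_INBOUND;
	memcpy(&spidx.src, &sp_out->spidx.dst, sizeof(spidx.src));
	memcpy(&spidx.dst, &sp_out->spidx.src, sizeof(spidx.dst));
	spidx.prefs = sp_out->spidx.prefd;
	spidx.prefd = sp_out->spidx.prefs;
	spidx.ul_proto = sp_out->spidx.ul_proto;

#ifdef HAVE_SECCTX
	if (m_sec_ctx) {
		spidx.sec_ctx.ctx_doi = m_sec_ctx->sadb_x_ctx_doi;
		spidx.sec_ctx.ctx_alg = m_sec_ctx->sadb_x_ctx_alg;
		spidx.sec_ctx.ctx_strlen = m_sec_ctx->sadb_x_ctx_len;
		/* the length was checked against ctx_str at the top */
		memcpy(spidx.sec_ctx.ctx_str,
		      ((char *)m_sec_ctx + sizeof(struct sadb_x_sec_ctx)),
		      spidx.sec_ctx.ctx_strlen);
	}
#endif /* HAVE_SECCTX */

	/* a missing inbound policy is reported but is not fatal here */
	sp_in = getsp(&spidx);
	if (sp_in) {
		plog(LLV_DEBUG, LOCATION, NULL,
			"suitable inbound SP found: %s.\n",
			spidx2str(&sp_in->spidx));
	} else {
		plog(LLV_NOTIFY, LOCATION, NULL,
			"no in-bound policy found: %s\n",
			spidx2str(&spidx));
	}

	/* allocate a phase 2 */
	iph2 = newph2();
	if (iph2 == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to allocate phase2 entry.\n");
		return -1;
	}
	iph2->side = INITIATOR;
	iph2->spid = xpl->sadb_x_policy_id;
	iph2->satype = msg->sadb_msg_satype;
	iph2->seq = msg->sadb_msg_seq;
	iph2->status = PHASE2ST_STATUS2;

	/* set address used by IKE for the negotiation (might differ from
	 * SA address, i.e. might not be tunnel endpoints or addresses
	 * of transport mode SA) */
	iph2->dst = dupsaddr(dst);
	if (iph2->dst == NULL) {
		delph2(iph2);
		return -1;
	}
	iph2->src = dupsaddr(src);
	if (iph2->src == NULL) {
		delph2(iph2);
		return -1;
	}

	/* If sa_src and sa_dst have been set, this mean we have to
	 * set iph2->sa_src and iph2->sa_dst to provide the addresses
	 * of the SA because iph2->src and iph2->dst are only the ones
	 * used for the IKE exchanges. Those that need these addresses
	 * are for instance pk_sendupdate() or pk_sendgetspi() */
	if (sa_src) {
		iph2->sa_src = dupsaddr(sa_src);
		iph2->sa_dst = dupsaddr(sa_dst);
		/*
		 * pk_sendupdate() and pk_sendadd() fall back to the IKE
		 * addresses when either copy is missing, so a failed copy
		 * must stop the negotiation rather than pass unnoticed.
		 * delph2() is relied on to release the copy that succeeded,
		 * as it is for iph2->dst above.
		 */
		if (iph2->sa_src == NULL || iph2->sa_dst == NULL) {
			delph2(iph2);
			return -1;
		}
	}

	if (isakmp_get_sainfo(iph2, sp_out, sp_in) < 0) {
		delph2(iph2);
		return -1;
	}

#ifdef HAVE_SECCTX
	if (m_sec_ctx) {
		set_secctx_in_proposal(iph2, spidx);
	}
#endif /* HAVE_SECCTX */

	insph2(iph2);

	/* start isakmp initiation by using ident exchange */
	/* XXX should be looped if there are multiple phase 2 handler. */
	if (isakmp_post_acquire(iph2, NULL, TRUE) < 0) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to begin ipsec sa negotication.\n");
		remph2(iph2);
		delph2(iph2);
		return -1;
	}

	return 0;
}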
   1949 
/*
 * Handle a PF_KEY DELETE message: look up the phase 2 handle that owns the
 * deleted SA and drop it, notifying the peer first when the SA was
 * established.
 *
 * mhp - extension pointer array of the parsed message; slot 0 is the base
 *       header.
 *
 * Returns 0 when the message was ignored (local test mode, no matching
 * handle) or processed, and -1 when a required extension is missing, the
 * message carries this process's own pid, or the SA type cannot be mapped
 * to an IPsec DOI protocol id.
 */
static int
pk_recvdelete(caddr_t *mhp)
{
	struct sadb_msg *hdr;
	struct sadb_sa *sa_ext;
	struct sockaddr *saddr, *daddr;
	struct ph2handle *ph2;
	u_int doi_proto;

	/* ignore this message because of local test mode. */
	if (f_local)
		return 0;

	/* base header, SA and both address extensions are all required */
	if (!(mhp[0] != NULL
	   && mhp[SADB_EXT_SA] != NULL
	   && mhp[SADB_EXT_ADDRESS_SRC] != NULL
	   && mhp[SADB_EXT_ADDRESS_DST] != NULL)) {
		plog(LLV_ERROR, LOCATION, NULL,
			"inappropriate sadb delete message passed.\n");
		return -1;
	}

	hdr = (struct sadb_msg *)mhp[0];
	sa_ext = (struct sadb_sa *)mhp[SADB_EXT_SA];

	/* the fixup has to run before the addresses are read out */
	pk_fixup_sa_addresses(mhp);
	saddr = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
	daddr = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);

	/* messages carrying our own pid are not processed */
	if (hdr->sadb_msg_pid == getpid()) {
		plog(LLV_DEBUG, LOCATION, NULL,
			"%s message is not interesting "
			"because the message was originated by me.\n",
			s_pfkey_type(hdr->sadb_msg_type));
		return -1;
	}

	/* ~0u is the translation-failure marker */
	doi_proto = pfkey2ipsecdoi_proto(hdr->sadb_msg_satype);
	if (doi_proto == ~0u) {
		plog(LLV_ERROR, LOCATION, NULL,
			"invalid proto_id %d\n", hdr->sadb_msg_satype);
		return -1;
	}

	ph2 = getph2bysaidx(saddr, daddr, doi_proto, sa_ext->sadb_sa_spi);
	if (ph2 == NULL) {
		/* no handle for this SA: log it and report success */
		plog(LLV_ERROR, LOCATION, NULL,
			"no iph2 found: %s\n",
			sadbsecas2str(saddr, daddr, hdr->sadb_msg_satype,
				sa_ext->sadb_sa_spi, IPSEC_MODE_ANY));
		return 0;
	}

	plog(LLV_ERROR, LOCATION, NULL,
		"pfkey DELETE received: %s\n",
		sadbsecas2str(saddr, daddr,
			hdr->sadb_msg_satype, sa_ext->sadb_sa_spi, IPSEC_MODE_ANY));

	/* only an established SA warrants a delete notification */
	if (ph2->status == PHASE2ST_ESTABLISHED)
		isakmp_info_send_d2(ph2);

	remph2(ph2);
	delph2(ph2);

	return 0;
}
   2018 
/*
 * Handle a PF_KEY FLUSH message by flushing the phase 2 handles.
 *
 * Returns 0 when the message was ignored (local test mode) or handled,
 * -1 when the base header slot of mhp is empty.
 */
static int
pk_recvflush(caddr_t *mhp)
{
	/* ignore this message because of local test mode. */
	if (f_local)
		return 0;

	if (mhp[0] != NULL) {
		flushph2();
		return 0;
	}

	/* no base header: refuse the message */
	plog(LLV_ERROR, LOCATION, NULL,
		"inappropriate sadb flush message passed.\n");
	return -1;
}
   2037 
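/*
 * Build the policy payload for an SPD message: a struct sadb_x_policy,
 * optionally followed by a security context (HAVE_SECCTX) and, unless the
 * message type is SADB_X_SPDDELETE, by one sadb_x_ipsecrequest per
 * approved protocol.
 *
 * policy0    - out: newly allocated buffer; callers release it with
 *              racoon_free().
 * policylen0 - out: size of that buffer in bytes.
 * type       - SADB_X_SPD* message type.
 * iph2       - phase 2 handle supplying the policy index, the addresses
 *              and the approved proposal.
 *
 * Returns 0 on success, -1 on allocation failure or when a protocol id or
 * an encapsulation mode cannot be translated.  Nothing is stored through
 * the out parameters on failure.
 */
static int
getsadbpolicy(caddr_t *policy0, int *policylen0, int type,
    struct ph2handle *iph2)
{
	struct policyindex *spidx = (struct policyindex *)iph2->spidx_gen;
	struct sockaddr *src = NULL, *dst = NULL;
	struct sadb_x_policy *xpl;
	struct sadb_x_ipsecrequest *xisr;
	struct saproto *pr;
	struct saproto **pr_rlist = NULL;	/* NULL so the err path can test it */
	int rlist_len = 0;
	caddr_t policy, p;
	caddr_t next;	/* byte cursor: where the next extension starts */
	int policylen;
	int xisrlen;
	u_int satype, mode;
#ifdef HAVE_SECCTX
	int ctxlen = 0;
#endif /* HAVE_SECCTX */

	/* get policy buffer size */
	policylen = sizeof(struct sadb_x_policy);
	if (type != SADB_X_SPDDELETE) {
		if (iph2->sa_src && iph2->sa_dst) {
			src = iph2->sa_src; /* MIPv6: Use SA addresses, */
			dst = iph2->sa_dst; /* not IKE ones             */
		} else {
			src = iph2->src; /* Common case: SA addresses */
			dst = iph2->dst; /* and IKE ones are the same */
		}

		for (pr = iph2->approval->head; pr; pr = pr->next) {
			xisrlen = sizeof(*xisr);
			if (pr->encmode == IPSECDOI_ATTR_ENC_MODE_TUNNEL) {
				/* tunnel mode carries both endpoints */
				xisrlen += (sysdep_sa_len(src) +
					    sysdep_sa_len(dst));
			}

			policylen += PFKEY_ALIGN8(xisrlen);
		}
	}

#ifdef HAVE_SECCTX
	if (*spidx->sec_ctx.ctx_str) {
		ctxlen = sizeof(struct sadb_x_sec_ctx)
				+ PFKEY_ALIGN8(spidx->sec_ctx.ctx_strlen);
		policylen += ctxlen;
	}
#endif /* HAVE_SECCTX */

	/* make policy structure */
	policy = racoon_malloc(policylen);
	if (!policy) {
		/* checked before the buffer is touched */
		plog(LLV_ERROR, LOCATION, NULL,
			"buffer allocation failed.\n");
		return -1;
	}
	/* fill pattern; bytes not assigned below keep this value */
	memset((void*)policy, 0xcd, policylen);

	xpl = (struct sadb_x_policy *)policy;
	xpl->sadb_x_policy_len = PFKEY_UNIT64(policylen);
	xpl->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
	xpl->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
	xpl->sadb_x_policy_dir = spidx->dir;
	xpl->sadb_x_policy_id = 0;
#ifdef HAVE_PFKEY_POLICY_PRIORITY
	xpl->sadb_x_policy_priority = PRIORITY_DEFAULT;
#endif
	next = (caddr_t)(xpl + 1);

#ifdef HAVE_SECCTX
	if (*spidx->sec_ctx.ctx_str) {
		struct sadb_x_sec_ctx *ctx;

		ctx = (struct sadb_x_sec_ctx *)next;
		memset(ctx, 0, ctxlen);
		ctx->sadb_x_sec_len = PFKEY_UNIT64(ctxlen);
		ctx->sadb_x_sec_exttype = SADB_X_EXT_SEC_CTX;
		ctx->sadb_x_ctx_len = spidx->sec_ctx.ctx_strlen;
		ctx->sadb_x_ctx_doi = spidx->sec_ctx.ctx_doi;
		ctx->sadb_x_ctx_alg = spidx->sec_ctx.ctx_alg;

		memcpy(ctx + 1, spidx->sec_ctx.ctx_str,
		    spidx->sec_ctx.ctx_strlen);

		/*
		 * ctxlen is a byte count, so it is added to the byte cursor.
		 * Adding it to a struct sadb_x_policy pointer would scale it
		 * by the structure size and place the ipsecrequest entries
		 * outside the allocated buffer.
		 */
		next += ctxlen;
	}
#endif /* HAVE_SECCTX */

	/* no need to append policy information any more if type is SPDDELETE */
	if (type == SADB_X_SPDDELETE)
		goto end;

	xisr = (struct sadb_x_ipsecrequest *)next;

	/* The order of things is reversed for use in add policy messages */
	for (pr = iph2->approval->head; pr; pr = pr->next)
		rlist_len++;
	pr_rlist = racoon_malloc((rlist_len+1)*sizeof(struct saproto*));
	if (!pr_rlist) {
		plog(LLV_ERROR, LOCATION, NULL,
			"buffer allocation failed.\n");
		/* release the policy buffer as well */
		goto err;
	}
	/* fill back to front; the NULL entry terminates the walk below */
	pr_rlist[rlist_len--] = NULL;
	for (pr = iph2->approval->head; pr; pr = pr->next)
		pr_rlist[rlist_len--] = pr;
	rlist_len = 0;

	for (pr = pr_rlist[rlist_len++]; pr; pr = pr_rlist[rlist_len++]) {

		satype = doi2ipproto(pr->proto_id);
		if (satype == ~0u) {
			plog(LLV_ERROR, LOCATION, NULL,
				"invalid proto_id %d\n", pr->proto_id);
			goto err;
		}
		mode = ipsecdoi2pfkey_mode(pr->encmode);
		if (mode == ~0u) {
			plog(LLV_ERROR, LOCATION, NULL,
				"invalid encmode %d\n", pr->encmode);
			goto err;
		}

		/*
		 * the policy level cannot be unique because the policy
		 * is defined later than SA, so req_id cannot be bound to SA.
		 */
		xisr->sadb_x_ipsecrequest_proto = satype;
		xisr->sadb_x_ipsecrequest_mode = mode;
		if (iph2->proposal->head->reqid_in > 0) {
			xisr->sadb_x_ipsecrequest_level = IPSEC_LEVEL_UNIQUE;
			xisr->sadb_x_ipsecrequest_reqid =
			    iph2->proposal->head->reqid_in;
		} else {
			xisr->sadb_x_ipsecrequest_level = IPSEC_LEVEL_REQUIRE;
			xisr->sadb_x_ipsecrequest_reqid = 0;
		}
		p = (caddr_t)(xisr + 1);

		xisrlen = sizeof(*xisr);

		if (pr->encmode == IPSECDOI_ATTR_ENC_MODE_TUNNEL) {
			int src_len, dst_len;

			src_len = sysdep_sa_len(src);
			dst_len = sysdep_sa_len(dst);
			xisrlen += src_len + dst_len;

			memcpy(p, src, src_len);
			p += src_len;

			memcpy(p, dst, dst_len);
			p += dst_len;
		}

		/*
		 * NOTE(review): the sizing pass reserves PFKEY_ALIGN8(xisrlen)
		 * per entry while the cursor advances by the unaligned length;
		 * the two agree only when the address lengths keep xisrlen a
		 * multiple of 8 -- confirm for the supported address families.
		 */
		xisr->sadb_x_ipsecrequest_len = PFKEY_ALIGN8(xisrlen);
		xisr = (struct sadb_x_ipsecrequest *)p;

	}
	racoon_free(pr_rlist);

end:
	*policy0 = policy;
	*policylen0 = policylen;

	return 0;

err:
	if (policy)
		racoon_free(policy);
	if (pr_rlist)
		racoon_free(pr_rlist);

	return -1;
}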
   2209 
/*
 * Send an SPDUPDATE for the policy index generated for this phase 2
 * handle, using the approved proposal's lifetime.
 *
 * Returns -1 only when the policy payload cannot be built.
 * NOTE(review): a failing pfkey_send_spdupdate2() is logged but the
 * function still returns 0 -- confirm callers do not need to see that
 * failure.
 */
int
pk_sendspdupdate2(struct ph2handle *iph2)
{
	struct policyindex *idx = (struct policyindex *)iph2->spidx_gen;
	caddr_t polbuf = NULL;
	int pollen = 0;
	u_int64_t hard_lifetime = iph2->approval->lifetime;
	u_int64_t valid_time = 0;
	int sent;

	if (getsadbpolicy(&polbuf, &pollen, SADB_X_SPDUPDATE, iph2)) {
		plog(LLV_ERROR, LOCATION, NULL,
			"getting sadb policy failed.\n");
		return -1;
	}

	sent = pfkey_send_spdupdate2(
			lcconf->sock_pfkey,
			(struct sockaddr *)&idx->src,
			idx->prefs,
			(struct sockaddr *)&idx->dst,
			idx->prefd,
			idx->ul_proto,
			hard_lifetime, valid_time,
			polbuf, pollen, 0);
	if (sent < 0) {
		plog(LLV_ERROR, LOCATION, NULL,
			"libipsec failed send spdupdate2 (%s)\n",
			ipsec_strerror());
	} else {
		plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_spdupdate2\n");
	}

	/* the payload buffer is ours to release on both outcomes */
	if (polbuf)
		racoon_free(polbuf);

	return 0;
}
   2249 
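/*
 * Handle an SPDUPDATE message: replace the matching security policy, if
 * one exists, with the one described by the message, carrying over the
 * old entry's local/remote hints.
 *
 * mhp - extension pointer array of the parsed message.
 *
 * Returns 0 on success, -1 when a required extension is missing, the
 * security context does not fit the policy index, or addnewsp() fails.
 */
static int
pk_recvspdupdate(caddr_t *mhp)
{
	struct sadb_address *saddr, *daddr;
	struct sadb_x_policy *xpl;
	struct sadb_lifetime *lt;
	struct policyindex spidx;
	struct secpolicy *sp;
	struct sockaddr *local=NULL, *remote=NULL;
	u_int64_t created;
	int ret;

	/* sanity check */
	if (mhp[0] == NULL
	 || mhp[SADB_EXT_ADDRESS_SRC] == NULL
	 || mhp[SADB_EXT_ADDRESS_DST] == NULL
	 || mhp[SADB_X_EXT_POLICY] == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"inappropriate sadb spdupdate message passed.\n");
		return -1;
	}
	saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC];
	daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
	xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
	/* the hard lifetime extension is optional */
	lt = (struct sadb_lifetime*)mhp[SADB_EXT_LIFETIME_HARD];
	if(lt != NULL)
		created = lt->sadb_lifetime_addtime;
	else
		created = 0;

#ifdef HAVE_PFKEY_POLICY_PRIORITY
	KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
			saddr + 1,
			daddr + 1,
			saddr->sadb_address_prefixlen,
			daddr->sadb_address_prefixlen,
			saddr->sadb_address_proto,
			xpl->sadb_x_policy_priority,
			created,
			&spidx);
#else
	KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
			saddr + 1,
			daddr + 1,
			saddr->sadb_address_prefixlen,
			daddr->sadb_address_prefixlen,
			saddr->sadb_address_proto,
			created,
			&spidx);
#endif

#ifdef HAVE_SECCTX
	if (mhp[SADB_X_EXT_SEC_CTX] != NULL) {
		struct sadb_x_sec_ctx *ctx;

		ctx = (struct sadb_x_sec_ctx *)mhp[SADB_X_EXT_SEC_CTX];
		/*
		 * The length is taken from the message; refuse a context
		 * that would overrun the on-stack policy index.  Assumes
		 * ctx_str is a fixed-size array member -- TODO confirm.
		 */
		if (ctx->sadb_x_ctx_len > sizeof(spidx.sec_ctx.ctx_str)) {
			plog(LLV_ERROR, LOCATION, NULL,
				"security context too long in sadb spdupdate message.\n");
			return -1;
		}
		spidx.sec_ctx.ctx_alg = ctx->sadb_x_ctx_alg;
		spidx.sec_ctx.ctx_doi = ctx->sadb_x_ctx_doi;
		spidx.sec_ctx.ctx_strlen = ctx->sadb_x_ctx_len;
		memcpy(spidx.sec_ctx.ctx_str, ctx + 1, ctx->sadb_x_ctx_len);
	}
#endif /* HAVE_SECCTX */

	sp = getsp(&spidx);
	if (sp == NULL) {
		plog(LLV_DEBUG, LOCATION, NULL,
			"this policy did not exist for removal: \"%s\"\n",
			spidx2str(&spidx));
	} else {
		/* preserve hints before deleting the SP */
		local = sp->local;
		remote = sp->remote;
		/* detach them so delsp() cannot release what we still use */
		sp->local = NULL;
		sp->remote = NULL;

		remsp(sp);
		delsp(sp);
	}

	/* Add new SP (with old hints) */
	ret = addnewsp(mhp, local, remote);

	/* the hints are released here whatever addnewsp() returned */
	if (local != NULL)
		racoon_free(local);
	if (remote != NULL)
		racoon_free(remote);

	if (ret < 0)
		return -1;

	return 0;
}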
   2342 
/*
 * Send an SPDADD for the policy index generated for this phase 2 handle,
 * using the approved proposal's lifetime.
 * this function has to be used by responder side.
 *
 * Returns -1 only when the policy payload cannot be built.
 * NOTE(review): a failing pfkey_send_spdadd2() is logged but the function
 * still returns 0 -- confirm callers do not need to see that failure.
 */
int
pk_sendspdadd2(struct ph2handle *iph2)
{
	struct policyindex *idx = (struct policyindex *)iph2->spidx_gen;
	caddr_t polbuf = NULL;
	int pollen = 0;
	u_int64_t hard_lifetime = iph2->approval->lifetime;
	u_int64_t valid_time = 0;
	int sent;

	if (getsadbpolicy(&polbuf, &pollen, SADB_X_SPDADD, iph2)) {
		plog(LLV_ERROR, LOCATION, NULL,
			"getting sadb policy failed.\n");
		return -1;
	}

	sent = pfkey_send_spdadd2(
			lcconf->sock_pfkey,
			(struct sockaddr *)&idx->src,
			idx->prefs,
			(struct sockaddr *)&idx->dst,
			idx->prefd,
			idx->ul_proto,
			hard_lifetime, valid_time,
			polbuf, pollen, 0);
	if (sent < 0) {
		plog(LLV_ERROR, LOCATION, NULL,
			"libipsec failed send spdadd2 (%s)\n",
			ipsec_strerror());
	} else {
		plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_spdadd2\n");
	}

	/* the payload buffer is ours to release on both outcomes */
	if (polbuf)
		racoon_free(polbuf);

	return 0;
}
   2385 
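/*
 * Handle an SPDADD message: install the security policy described by the
 * message.  An existing policy with the same index is replaced, and its
 * local/remote hints are carried over to the new entry.
 *
 * mhp - extension pointer array of the parsed message.
 *
 * Returns 0 on success, -1 when a required extension is missing, the
 * security context does not fit the policy index, or addnewsp() fails.
 */
static int
pk_recvspdadd(caddr_t *mhp)
{
	struct sadb_address *saddr, *daddr;
	struct sadb_x_policy *xpl;
	struct sadb_lifetime *lt;
	struct policyindex spidx;
	struct secpolicy *sp;
	struct sockaddr *local = NULL, *remote = NULL;
	u_int64_t created;
	int ret;

	/* sanity check */
	if (mhp[0] == NULL
	 || mhp[SADB_EXT_ADDRESS_SRC] == NULL
	 || mhp[SADB_EXT_ADDRESS_DST] == NULL
	 || mhp[SADB_X_EXT_POLICY] == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"inappropriate sadb spdadd message passed.\n");
		return -1;
	}
	saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC];
	daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
	xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
	/* the hard lifetime extension is optional */
	lt = (struct sadb_lifetime*)mhp[SADB_EXT_LIFETIME_HARD];
	if(lt != NULL)
		created = lt->sadb_lifetime_addtime;
	else
		created = 0;

#ifdef HAVE_PFKEY_POLICY_PRIORITY
	KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
			saddr + 1,
			daddr + 1,
			saddr->sadb_address_prefixlen,
			daddr->sadb_address_prefixlen,
			saddr->sadb_address_proto,
			xpl->sadb_x_policy_priority,
			created,
			&spidx);
#else
	KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
			saddr + 1,
			daddr + 1,
			saddr->sadb_address_prefixlen,
			daddr->sadb_address_prefixlen,
			saddr->sadb_address_proto,
			created,
			&spidx);
#endif

#ifdef HAVE_SECCTX
	if (mhp[SADB_X_EXT_SEC_CTX] != NULL) {
		struct sadb_x_sec_ctx *ctx;

		ctx = (struct sadb_x_sec_ctx *)mhp[SADB_X_EXT_SEC_CTX];
		/*
		 * The length is taken from the message; refuse a context
		 * that would overrun the on-stack policy index.  Assumes
		 * ctx_str is a fixed-size array member -- TODO confirm.
		 */
		if (ctx->sadb_x_ctx_len > sizeof(spidx.sec_ctx.ctx_str)) {
			plog(LLV_ERROR, LOCATION, NULL,
				"security context too long in sadb spdadd message.\n");
			return -1;
		}
		spidx.sec_ctx.ctx_alg = ctx->sadb_x_ctx_alg;
		spidx.sec_ctx.ctx_doi = ctx->sadb_x_ctx_doi;
		spidx.sec_ctx.ctx_strlen = ctx->sadb_x_ctx_len;
		memcpy(spidx.sec_ctx.ctx_str, ctx + 1, ctx->sadb_x_ctx_len);
	}
#endif /* HAVE_SECCTX */

	sp = getsp(&spidx);
	if (sp != NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"such policy already exists. "
			"anyway replace it: %s\n",
			spidx2str(&spidx));

		/* preserve hints before deleting the SP */
		local = sp->local;
		remote = sp->remote;
		/* detach them so delsp() cannot release what we still use */
		sp->local = NULL;
		sp->remote = NULL;

		remsp(sp);
		delsp(sp);
	}

	/* Add new SP (with old hints) */
	ret = addnewsp(mhp, local, remote);

	/* the hints are released here whatever addnewsp() returned */
	if (local != NULL)
		racoon_free(local);
	if (remote != NULL)
		racoon_free(remote);

	if (ret < 0)
		return -1;

	return 0;
}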
   2479 
/*
 * Send an SPDDELETE for the policy index generated for this phase 2
 * handle.
 * this function has to be used by responder side.
 *
 * Returns -1 only when the policy payload cannot be built.
 * NOTE(review): a failing pfkey_send_spddelete() is logged but the
 * function still returns 0 -- confirm callers do not need to see that
 * failure.
 */
int
pk_sendspddelete(struct ph2handle *iph2)
{
	struct policyindex *idx = (struct policyindex *)iph2->spidx_gen;
	caddr_t polbuf = NULL;
	int pollen;
	int sent;

	if (getsadbpolicy(&polbuf, &pollen, SADB_X_SPDDELETE, iph2)) {
		plog(LLV_ERROR, LOCATION, NULL,
			"getting sadb policy failed.\n");
		return -1;
	}

	sent = pfkey_send_spddelete(
			lcconf->sock_pfkey,
			(struct sockaddr *)&idx->src,
			idx->prefs,
			(struct sockaddr *)&idx->dst,
			idx->prefd,
			idx->ul_proto,
			polbuf, pollen, 0);
	if (sent < 0) {
		plog(LLV_ERROR, LOCATION, NULL,
			"libipsec failed send spddelete (%s)\n",
			ipsec_strerror());
	} else {
		plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_spddelete\n");
	}

	/* the payload buffer is ours to release on both outcomes */
	if (polbuf)
		racoon_free(polbuf);

	return 0;
}
   2517 
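/*
 * Handle an SPDDELETE message: remove the security policy whose index
 * matches the message.
 *
 * mhp - extension pointer array of the parsed message.
 *
 * Returns 0 when the policy was removed, -1 when a required extension is
 * missing, the security context does not fit the policy index, or no
 * matching policy exists.
 */
static int
pk_recvspddelete(caddr_t *mhp)
{
	struct sadb_address *saddr, *daddr;
	struct sadb_x_policy *xpl;
	struct sadb_lifetime *lt;
	struct policyindex spidx;
	struct secpolicy *sp;
	u_int64_t created;

	/* sanity check */
	if (mhp[0] == NULL
	 || mhp[SADB_EXT_ADDRESS_SRC] == NULL
	 || mhp[SADB_EXT_ADDRESS_DST] == NULL
	 || mhp[SADB_X_EXT_POLICY] == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"inappropriate sadb spddelete message passed.\n");
		return -1;
	}
	saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC];
	daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
	xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
	/* the hard lifetime extension is optional */
	lt = (struct sadb_lifetime*)mhp[SADB_EXT_LIFETIME_HARD];
	if(lt != NULL)
		created = lt->sadb_lifetime_addtime;
	else
		created = 0;

#ifdef HAVE_PFKEY_POLICY_PRIORITY
	KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
			saddr + 1,
			daddr + 1,
			saddr->sadb_address_prefixlen,
			daddr->sadb_address_prefixlen,
			saddr->sadb_address_proto,
			xpl->sadb_x_policy_priority,
			created,
			&spidx);
#else
	KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
			saddr + 1,
			daddr + 1,
			saddr->sadb_address_prefixlen,
			daddr->sadb_address_prefixlen,
			saddr->sadb_address_proto,
			created,
			&spidx);
#endif

#ifdef HAVE_SECCTX
	if (mhp[SADB_X_EXT_SEC_CTX] != NULL) {
		struct sadb_x_sec_ctx *ctx;

		ctx = (struct sadb_x_sec_ctx *)mhp[SADB_X_EXT_SEC_CTX];
		/*
		 * The length is taken from the message; refuse a context
		 * that would overrun the on-stack policy index.  Assumes
		 * ctx_str is a fixed-size array member -- TODO confirm.
		 */
		if (ctx->sadb_x_ctx_len > sizeof(spidx.sec_ctx.ctx_str)) {
			plog(LLV_ERROR, LOCATION, NULL,
				"security context too long in sadb spddelete message.\n");
			return -1;
		}
		spidx.sec_ctx.ctx_alg = ctx->sadb_x_ctx_alg;
		spidx.sec_ctx.ctx_doi = ctx->sadb_x_ctx_doi;
		spidx.sec_ctx.ctx_strlen = ctx->sadb_x_ctx_len;
		memcpy(spidx.sec_ctx.ctx_str, ctx + 1, ctx->sadb_x_ctx_len);
	}
#endif /* HAVE_SECCTX */

	sp = getsp(&spidx);
	if (sp == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"no policy found: %s\n",
			spidx2str(&spidx));
		return -1;
	}

	remsp(sp);
	delsp(sp);

	return 0;
}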
   2592 
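/*
 * Handle an SPDEXPIRE message: remove the security policy whose index
 * matches the message.
 *
 * mhp - extension pointer array of the parsed message.
 *
 * Returns 0 when the policy was removed, -1 when a required extension is
 * missing, the security context does not fit the policy index, or no
 * matching policy exists.
 */
static int
pk_recvspdexpire(caddr_t *mhp)
{
	struct sadb_address *saddr, *daddr;
	struct sadb_x_policy *xpl;
	struct sadb_lifetime *lt;
	struct policyindex spidx;
	struct secpolicy *sp;
	u_int64_t created;

	/* sanity check */
	if (mhp[0] == NULL
	 || mhp[SADB_EXT_ADDRESS_SRC] == NULL
	 || mhp[SADB_EXT_ADDRESS_DST] == NULL
	 || mhp[SADB_X_EXT_POLICY] == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"inappropriate sadb spdexpire message passed.\n");
		return -1;
	}
	saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC];
	daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
	xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
	/* the hard lifetime extension is optional */
	lt = (struct sadb_lifetime*)mhp[SADB_EXT_LIFETIME_HARD];
	if(lt != NULL)
		created = lt->sadb_lifetime_addtime;
	else
		created = 0;

#ifdef HAVE_PFKEY_POLICY_PRIORITY
	KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
			saddr + 1,
			daddr + 1,
			saddr->sadb_address_prefixlen,
			daddr->sadb_address_prefixlen,
			saddr->sadb_address_proto,
			xpl->sadb_x_policy_priority,
			created,
			&spidx);
#else
	KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
			saddr + 1,
			daddr + 1,
			saddr->sadb_address_prefixlen,
			daddr->sadb_address_prefixlen,
			saddr->sadb_address_proto,
			created,
			&spidx);
#endif

#ifdef HAVE_SECCTX
	if (mhp[SADB_X_EXT_SEC_CTX] != NULL) {
		struct sadb_x_sec_ctx *ctx;

		ctx = (struct sadb_x_sec_ctx *)mhp[SADB_X_EXT_SEC_CTX];
		/*
		 * The length is taken from the message; refuse a context
		 * that would overrun the on-stack policy index.  Assumes
		 * ctx_str is a fixed-size array member -- TODO confirm.
		 */
		if (ctx->sadb_x_ctx_len > sizeof(spidx.sec_ctx.ctx_str)) {
			plog(LLV_ERROR, LOCATION, NULL,
				"security context too long in sadb spdexpire message.\n");
			return -1;
		}
		spidx.sec_ctx.ctx_alg = ctx->sadb_x_ctx_alg;
		spidx.sec_ctx.ctx_doi = ctx->sadb_x_ctx_doi;
		spidx.sec_ctx.ctx_strlen = ctx->sadb_x_ctx_len;
		memcpy(spidx.sec_ctx.ctx_str, ctx + 1, ctx->sadb_x_ctx_len);
	}
#endif /* HAVE_SECCTX */

	sp = getsp(&spidx);
	if (sp == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"no policy found: %s\n",
			spidx2str(&spidx));
		return -1;
	}

	remsp(sp);
	delsp(sp);

	return 0;
}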
   2667 
/*
 * Handle an SPDGET message.  Nothing is done with it beyond checking that
 * the base header slot of mhp is populated.
 *
 * Returns 0 when the header is present, -1 otherwise.
 */
static int
pk_recvspdget(caddr_t *mhp)
{
	if (mhp[0] != NULL)
		return 0;

	/* no base header: refuse the message */
	plog(LLV_ERROR, LOCATION, NULL,
		"inappropriate sadb spdget message passed.\n");
	return -1;
}
   2680 
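/*
 * Handle one SPDDUMP message: install the security policy it describes.
 * An existing policy with the same index is replaced, and its local/remote
 * hints are carried over to the new entry.
 *
 * mhp - extension pointer array of the parsed message.
 *
 * Returns 0 on success, -1 when the header or a required extension is
 * missing, the security context does not fit the policy index, or
 * addnewsp() fails.
 */
static int
pk_recvspddump(caddr_t *mhp)
{
	struct sadb_address *saddr, *daddr;
	struct sadb_x_policy *xpl;
	struct sadb_lifetime *lt;
	struct policyindex spidx;
	struct secpolicy *sp;
	struct sockaddr *local=NULL, *remote=NULL;
	u_int64_t created;
	int ret;

	/* sanity check */
	if (mhp[0] == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"inappropriate sadb spddump message passed.\n");
		return -1;
	}
	saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC];
	daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
	xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
	/* the hard lifetime extension is optional */
	lt = (struct sadb_lifetime*)mhp[SADB_EXT_LIFETIME_HARD];
	if(lt != NULL)
		created = lt->sadb_lifetime_addtime;
	else
		created = 0;

	/* the extensions are checked here, before any of them is read */
	if (saddr == NULL || daddr == NULL || xpl == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"inappropriate sadb spddump message passed.\n");
		return -1;
	}

#ifdef HAVE_PFKEY_POLICY_PRIORITY
	KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
			saddr + 1,
			daddr + 1,
			saddr->sadb_address_prefixlen,
			daddr->sadb_address_prefixlen,
			saddr->sadb_address_proto,
			xpl->sadb_x_policy_priority,
			created,
			&spidx);
#else
	KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
			saddr + 1,
			daddr + 1,
			saddr->sadb_address_prefixlen,
			daddr->sadb_address_prefixlen,
			saddr->sadb_address_proto,
			created,
			&spidx);
#endif

#ifdef HAVE_SECCTX
	if (mhp[SADB_X_EXT_SEC_CTX] != NULL) {
		struct sadb_x_sec_ctx *ctx;

		ctx = (struct sadb_x_sec_ctx *)mhp[SADB_X_EXT_SEC_CTX];
		/*
		 * The length is taken from the message; refuse a context
		 * that would overrun the on-stack policy index.  Assumes
		 * ctx_str is a fixed-size array member -- TODO confirm.
		 */
		if (ctx->sadb_x_ctx_len > sizeof(spidx.sec_ctx.ctx_str)) {
			plog(LLV_ERROR, LOCATION, NULL,
				"security context too long in sadb spddump message.\n");
			return -1;
		}
		spidx.sec_ctx.ctx_alg = ctx->sadb_x_ctx_alg;
		spidx.sec_ctx.ctx_doi = ctx->sadb_x_ctx_doi;
		spidx.sec_ctx.ctx_strlen = ctx->sadb_x_ctx_len;
		memcpy(spidx.sec_ctx.ctx_str, ctx + 1, ctx->sadb_x_ctx_len);
	}
#endif /* HAVE_SECCTX */

	sp = getsp(&spidx);
	if (sp != NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"such policy already exists. "
			"anyway replace it: %s\n",
			spidx2str(&spidx));

		/* preserve hints before deleting the SP */
		local = sp->local;
		remote = sp->remote;
		/* detach them so delsp() cannot release what we still use */
		sp->local = NULL;
		sp->remote = NULL;

		remsp(sp);
		delsp(sp);
	}

	/* Add new SP (with old hints) */
	ret = addnewsp(mhp, local, remote);

	/* the hints are released here whatever addnewsp() returned */
	if (local != NULL)
		racoon_free(local);
	if (remote != NULL)
		racoon_free(remote);

	if (ret < 0)
		return -1;

	return 0;
}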
   2777 
/*
 * Handle an SPDFLUSH message by flushing the security policies.
 *
 * Returns 0 when handled, -1 when the base header slot of mhp is empty.
 */
static int
pk_recvspdflush(caddr_t *mhp)
{
	if (mhp[0] != NULL) {
		flushsp();
		return 0;
	}

	/* no base header: refuse the message */
	plog(LLV_ERROR, LOCATION, NULL,
		"inappropriate sadb spdflush message passed.\n");
	return -1;
}
   2792 
   2793 #if defined(SADB_X_MIGRATE) && defined(SADB_X_EXT_KMADDRESS)
   2794 
   2795 /* MIGRATE support (pk_recvmigrate() is the handler of MIGRATE message).
   2796  *
   2797  * pk_recvmigrate()
   2798  *   1) some preprocessing and checks
   2799  *   2) parsing of sadb_x_kmaddress extension
   2800  *   3) SP lookup using selectors and content of policy extension from MIGRATE
   2801  *   4) resolution of current local and remote IKE addresses
   2802  *   5) Use of addresses to get Phase 1 handler if any
   2803  *   6) Update of IKE addresses in Phase 1 (iph1->local and iph1->remote)
   2804  *   7) Update of IKE addresses in Phase 2 (iph2->src and iph2->dst)
   2805  *   8) Update of IKE addresses in SP (sp->local and sp->remote)
   2806  *   9) Loop on sadb_x_ipsecrequests pairs from MIGRATE
   2807  *      - update of associated ipsecrequests entries in sp->req (should be
   2808  *        only one as racoon does not support bundles), i.e. update of
   2809  *        tunnel endpoints when required.
   2810  *      - If tunnel mode endpoints have been updated, lookup of associated
   2811  *        Phase 2 handle to also update sa_src and sa_dst entries
   2812  *
   2813  * XXX Note that we do not support yet the update of SA addresses for transport
   2814  *     mode, but only the update of SA addresses for tunnel mode (endpoints).
   2815  *     Reasons are:
   2816  *      - there is no initial need for MIPv6
   2817  *      - racoon does not support bundles
   2818  *      - this would imply more work to deal with sainfo update (if feasible).
   2819  */
   2820 
/*
 * Generic argument structure for migration callbacks.  The callbacks
 * receive it through a void pointer and compare the handle's current
 * addresses against these two.
 */
struct migrate_args {
	struct sockaddr *local;		/* new local address */
	struct sockaddr *remote;	/* new remote address */
};
   2826 
/*
 * Update local and remote addresses of given Phase 1. Schedule removal
 * if negotiation was going on and restart a new one from the updated
 * addresses.
 *
 * iph1 - Phase 1 handle to migrate.
 * arg  - pointer to a struct migrate_args holding the new local and
 *        remote addresses.
 *
 * The port previously stored in each address is carried over to the new
 * one (0 when there was no previous address).
 *
 * -1 is returned on error (address duplication failed). 0 if everything
 * went right, including the cases where nothing had to change or the
 * negotiation was restarted.
 */
static int
migrate_ph1_ike_addresses(iph1, arg)
        struct ph1handle *iph1;
        void *arg;
{
	struct migrate_args *ma = (struct migrate_args *) arg;
	struct remoteconf *rmconf;
	uint16_t port;

	/* Already up-to-date? */
	if (cmpsaddr(iph1->local, ma->local) == CMPSADDR_MATCH &&
	    cmpsaddr(iph1->remote, ma->remote) == CMPSADDR_MATCH)
		return 0;

	if (iph1->status < PHASE1ST_ESTABLISHED) {
		/* Bad luck! We received a MIGRATE *while* negotiating
		 * Phase 1 (i.e. it was not established yet). If we act as
		 * initiator we need to restart the negotiation. As
		 * responder, our best bet is to update our addresses
		 * and wait for the initiator to do something */
		plog(LLV_WARNING, LOCATION, NULL, "MIGRATE received *during* "
		     "Phase 1 negotiation (%s).\n",
		     saddr2str_fromto("%s => %s", ma->local, ma->remote));

		/* If we are not acting as initiator, let's just leave and
		 * let the remote peer handle the restart */
		rmconf = getrmconf(ma->remote, 0);
		/* NOTE(review): this branch is also taken when rmconf is
		 * NULL, and rmconf is then handed to isakmp_ph1begin_i()
		 * below -- confirm the callee accepts a NULL remoteconf. */
		if (rmconf == NULL || !rmconf->passive) {
			iph1->status = PHASE1ST_EXPIRED;
			/* NOTE(review): whether iph1 is still usable after
			 * isakmp_ph1delete() is not visible here; it is not
			 * touched again on this path. */
			isakmp_ph1delete(iph1);

			/* This is unlikely, but let's just check if a Phase 1
			 * for the new addresses already exist */
			if (getph1byaddr(ma->local, ma->remote, 0)) {
				plog(LLV_WARNING, LOCATION, NULL, "No need "
				     "to start a new Phase 1 negotiation. One "
				     "already exists.\n");
				return 0;
			}

			plog(LLV_WARNING, LOCATION, NULL, "As initiator, "
			     "restarting it.\n");
			 /* Note that the insertion of the new Phase 1 will not
			  * interfere with the fact we are called from enumph1,
			  * because it is inserted as first element. --arno */
			isakmp_ph1begin_i(rmconf, ma->local, ma->remote);

			return 0;
		}
	}

	/* Replace the local address, keeping the port of the old one. */
	if (iph1->local != NULL) {
		plog(LLV_DEBUG, LOCATION, NULL, "Migrating Phase 1 local "
		     "address from %s\n",
		     saddr2str_fromto("%s to %s", iph1->local, ma->local));
		port = extract_port(iph1->local);
		racoon_free(iph1->local);
	} else
		port = 0;

	/* the freed pointer is overwritten here, also when dupsaddr fails */
	iph1->local = dupsaddr(ma->local);
	if (iph1->local == NULL) {
		plog(LLV_ERROR, LOCATION, NULL, "unable to allocate "
		     "Phase 1 local address.\n");
		return -1;
	}
	set_port(iph1->local, port);

	/* Same treatment for the remote address. */
	if (iph1->remote != NULL) {
		plog(LLV_DEBUG, LOCATION, NULL, "Migrating Phase 1 remote "
		     "address from %s\n",
		     saddr2str_fromto("%s to %s", iph1->remote, ma->remote));
		port = extract_port(iph1->remote);
		racoon_free(iph1->remote);
	} else
		port = 0;

	/* on failure the local address has already been migrated */
	iph1->remote = dupsaddr(ma->remote);
	if (iph1->remote == NULL) {
		plog(LLV_ERROR, LOCATION, NULL, "unable to allocate "
		     "Phase 1 remote address.\n");
		return -1;
	}
	set_port(iph1->remote, port);

	return 0;
}
   2920 
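/*
 * Update src and dst of one Phase 2 handle with the local and remote
 * addresses carried in arg (a struct migrate_args). If the handle has an
 * associated Phase 1, that Phase 1 is migrated first.
 *
 * Our intent is NOT to modify IPsec SA endpoints but IKE addresses, so
 * the first time a handle is migrated its current src/dst are kept as
 * sa_src/sa_dst before being replaced.
 *
 * Both replacement addresses are duplicated before anything in the handle
 * is touched: an allocation failure therefore leaves the handle exactly as
 * it was, instead of half-migrated with a NULL src or dst.
 *
 * -1 is returned on error. 0 if everything went right (including the case
 * where the handle already carries the requested addresses).
 *
 * Note: we do not maintain port information as it is not
 *       expected to be meaningful --arno
 */
static int
migrate_ph2_ike_addresses(struct ph2handle *iph2, void *arg)
{
	struct migrate_args *ma = (struct migrate_args *) arg;
	struct sockaddr *new_src, *new_dst;

	/* If Phase 2 has an associated Phase 1, migrate addresses.
	 * NOTE(review): the return value is not checked (unchanged from the
	 * original code); a failed Phase 1 update only shows up in the log. */
	if (iph2->ph1)
		migrate_ph1_ike_addresses(iph2->ph1, arg);

	/* Already up-to-date? */
	if (cmpsaddr(iph2->src, ma->local) == CMPSADDR_MATCH &&
	    cmpsaddr(iph2->dst, ma->remote) == CMPSADDR_MATCH)
		return 0;

	/* Get both copies first, so that failure changes nothing */
	new_src = dupsaddr(ma->local);
	if (new_src == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
		     "unable to allocate Phase 2 src address.\n");
		return -1;
	}

	new_dst = dupsaddr(ma->remote);
	if (new_dst == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
		     "unable to allocate Phase 2 dst address.\n");
		racoon_free(new_src);
		return -1;
	}

	/* save src/dst as sa_src/sa_dst before rewriting */
	if (iph2->sa_src == NULL && iph2->sa_dst == NULL) {
		iph2->sa_src = iph2->src;
		iph2->sa_dst = iph2->dst;
		iph2->src = NULL;
		iph2->dst = NULL;
	}

	/* Ownership of the old addresses ends here (either moved to
	 * sa_src/sa_dst above, or released now). */
	if (iph2->src != NULL)
		racoon_free(iph2->src);
	iph2->src = new_src;

	if (iph2->dst != NULL)
		racoon_free(iph2->dst);
	iph2->dst = new_dst;

	return 0;
}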
   2976 
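/* Consider existing Phase 2 handles with given spid and update their source
 * and destination addresses for SA. As racoon does not support bundles, if
 * we modify multiple occurrences, this probably implies rekeying has happened.
 *
 * iph2 is the handle to update; args is a struct migrate_args. Both
 * addresses it carries are expected not to be NULL and of the same family.
 * -1 is returned on error. 0 if everything went right.
 *
 * The two new addresses are duplicated before the old sa_src/sa_dst are
 * released, so an allocation failure leaves the handle with its previous,
 * consistent pair instead of one NULL and one updated entry.
 *
 * Specific care is needed to support Phase 2 handles for which negotiation
 * has already started but which are not yet established.
 */
static int
migrate_ph2_sa_addresses(struct ph2handle *iph2, void *args)
{
	struct migrate_args *ma = (struct migrate_args *) args;
	struct sockaddr *new_src, *new_dst;

	new_src = dupsaddr(ma->local);
	if (new_src == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
		     "unable to allocate Phase 2 sa_src address.\n");
		return -1;
	}

	new_dst = dupsaddr(ma->remote);
	if (new_dst == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
		     "unable to allocate Phase 2 sa_dst address.\n");
		racoon_free(new_src);
		return -1;
	}

	if (iph2->sa_src != NULL)
		racoon_free(iph2->sa_src);
	iph2->sa_src = new_src;

	if (iph2->sa_dst != NULL)
		racoon_free(iph2->sa_dst);
	iph2->sa_dst = new_dst;

	if (iph2->status < PHASE2ST_ESTABLISHED) {
		struct remoteconf *rmconf;
		/* We were negotiating for that SA when we received the MIGRATE.
		 * We cannot simply update the addresses and let the exchange
		 * go on. We have to restart the whole negotiation if we are
		 * the initiator. Otherwise (acting as responder), we just need
		 * to delete our ph2handle and wait for the initiator to start
		 * a new negotiation. */

		if (iph2->ph1 && iph2->ph1->rmconf)
			rmconf = iph2->ph1->rmconf;
		else
			rmconf = getrmconf(iph2->dst, 0);

		if (rmconf && !rmconf->passive) {
			struct ph1handle *iph1hint;

			plog(LLV_WARNING, LOCATION, iph2->dst, "MIGRATE received "
			     "*during* IPsec SA negotiation. As initiator, "
			     "restarting it.\n");

			/* Turn off expiration timer ...*/
			sched_cancel(&iph2->sce);
			iph2->status = PHASE2ST_EXPIRED;

			/* ... clean Phase 2 handle (remember its Phase 1 first,
			 * to pass it as a hint to the new negotiation) ... */
			iph1hint = iph2->ph1;
			initph2(iph2);
			iph2->status = PHASE2ST_STATUS2;

			/* and start a new negotiation */
			if (isakmp_post_acquire(iph2, iph1hint, FALSE) < 0) {
				plog(LLV_ERROR, LOCATION, iph2->dst, "failed "
				     "to begin IPsec SA renegotiation after "
				     "MIGRATE reception.\n");
				/* NOTE(review): the handle is unlinked and
				 * freed here while this function runs as an
				 * enumph2 callback; confirm enumph2 does not
				 * touch the current element after the
				 * callback returns an error. */
				remph2(iph2);
				delph2(iph2);
				return -1;
			}
		} else {
			/* The original message lacked a space between "let's"
			 * and "wait". */
			plog(LLV_WARNING, LOCATION, iph2->dst, "MIGRATE received "
			     "*during* IPsec SA negotiation. As responder, let's "
			     "wait for the initiator to act.\n");

			/* Simply schedule deletion */
			isakmp_ph2expire(iph2);
		}
	}

	return 0;
}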
   3069 
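/* Update SP hints (local and remote addresses) for future IKE
 * negotiations of SA associated with that SP. -1 is returned
 * on error (NULL argument or allocation failure). 0 if everything
 * went right.
 *
 * The SP keeps its own copies: local and remote are duplicated and
 * the previous hints, if any, are released. Both copies are made
 * before the old hints are freed, so a failed allocation leaves the
 * SP with its previous pair rather than with a single NULL hint.
 *
 * Note: we do not maintain port information as it is not
 *       expected to be meaningful --arno
 */
static int
migrate_sp_ike_addresses(struct secpolicy *sp, struct sockaddr *local,
    struct sockaddr *remote)
{
	struct sockaddr *new_local, *new_remote;

	if (sp == NULL || local == NULL || remote == NULL)
		return -1;

	new_local = dupsaddr(local);
	if (new_local == NULL) {
		plog(LLV_ERROR, LOCATION, NULL, "unable to allocate "
		     "local hint for SP.\n");
		return -1;
	}

	new_remote = dupsaddr(remote);
	if (new_remote == NULL) {
		plog(LLV_ERROR, LOCATION, NULL, "unable to allocate "
		     "remote hint for SP.\n");
		racoon_free(new_local);
		return -1;
	}

	if (sp->local != NULL)
		racoon_free(sp->local);
	sp->local = new_local;

	if (sp->remote != NULL)
		racoon_free(sp->remote);
	sp->remote = new_remote;

	return 0;
}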
   3107 
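/* Given current ipsecrequest (isr_cur) to be migrated in considered
 * tree, the function first checks that it matches the expected one
 * (xisr_old) provided in MIGRATE message and then updates the addresses
 * if it is tunnel mode (with content of xisr_new). For transport mode,
 * structures are not modified, only the checks are done.
 *
 * spid selects the Phase 2 handles whose sa_src/sa_dst are rewritten.
 * xisr_old and xisr_new point into the received message; in tunnel mode
 * each is followed by a source and a destination sockaddr.
 *
 * Before any of those trailing sockaddrs is read, the function checks
 * that the ipsecrequest length field actually covers it, and before the
 * new endpoints are copied into the secasindex it checks that they fit
 * in the destination fields. The address lengths come from the message
 * via sysdep_sa_len(), so they are treated as untrusted.
 *
 * -1 is returned on error, 0 otherwise. */
static int
migrate_ph2_one_isr(uint32_t spid, struct ipsecrequest *isr_cur,
    struct sadb_x_ipsecrequest *xisr_old, struct sadb_x_ipsecrequest *xisr_new)
{
	struct secasindex *saidx = &isr_cur->saidx;
	struct sockaddr *osaddr, *odaddr, *nsaddr, *ndaddr;
	struct ph2selector ph2sel;
	struct migrate_args ma;
	size_t old_room, new_room;	/* bytes after each fixed header */
	size_t oslen, odlen, nslen, ndlen;

	/* First, check that mode and proto do match */
	if (xisr_old->sadb_x_ipsecrequest_proto != saidx->proto ||
	    xisr_old->sadb_x_ipsecrequest_mode != saidx->mode ||
	    xisr_new->sadb_x_ipsecrequest_proto != saidx->proto ||
	    xisr_new->sadb_x_ipsecrequest_mode != saidx->mode)
		return -1;

	/* Then, verify reqid if necessary */
	if (isr_cur->saidx.reqid &&
	    (xisr_old->sadb_x_ipsecrequest_level != IPSEC_LEVEL_UNIQUE ||
	     xisr_new->sadb_x_ipsecrequest_level != IPSEC_LEVEL_UNIQUE ||
	     isr_cur->saidx.reqid != xisr_old->sadb_x_ipsecrequest_reqid ||
	     isr_cur->saidx.reqid != xisr_new->sadb_x_ipsecrequest_reqid))
		return -1;

	/* If not tunnel mode, our work is over */
	if (saidx->mode != IPSEC_MODE_TUNNEL) {
		plog(LLV_DEBUG, LOCATION, NULL, "SADB_X_MIGRATE: "
		     "non tunnel mode isr, skipping SA address migration.\n");
		return 0;
	}

	/* Tunnel mode: each request must be long enough to hold at least
	 * the start of its first address before we look at it. */
	old_room = xisr_old->sadb_x_ipsecrequest_len;
	new_room = xisr_new->sadb_x_ipsecrequest_len;
	if (old_room < sizeof(*xisr_old) + sizeof(struct sockaddr) ||
	    new_room < sizeof(*xisr_new) + sizeof(struct sockaddr))
		goto short_xisr;
	old_room -= sizeof(*xisr_old);
	new_room -= sizeof(*xisr_new);

	osaddr = (struct sockaddr *)(xisr_old + 1);
	nsaddr = (struct sockaddr *)(xisr_new + 1);
	oslen = sysdep_sa_len(osaddr);
	nslen = sysdep_sa_len(nsaddr);

	/* The first address must end inside the request and leave room
	 * for the start of the second one. */
	if (oslen > old_room || old_room - oslen < sizeof(struct sockaddr) ||
	    nslen > new_room || new_room - nslen < sizeof(struct sockaddr))
		goto short_xisr;

	odaddr = (struct sockaddr *)(((uint8_t *)osaddr) + oslen);
	ndaddr = (struct sockaddr *)(((uint8_t *)nsaddr) + nslen);
	odlen = sysdep_sa_len(odaddr);
	ndlen = sysdep_sa_len(ndaddr);
	if (odlen > old_room - oslen || ndlen > new_room - nslen)
		goto short_xisr;

	/* The new endpoints are copied into saidx below: never copy more
	 * than the destination fields can hold. */
	if (nslen > sizeof(saidx->src) || ndlen > sizeof(saidx->dst))
		goto short_xisr;

	/* Check that source and destination families agree in each pair */
	if (osaddr->sa_family != odaddr->sa_family ||
	    nsaddr->sa_family != ndaddr->sa_family)
		return -1;

	/* Check that the old pair has the family currently in the saidx */
	if (saidx->src.ss_family != osaddr->sa_family)
		return -1;

	/* We log IPv4 to IPv6 and IPv6 to IPv4 switches */
	if (nsaddr->sa_family != osaddr->sa_family)
		plog(LLV_INFO, LOCATION, NULL, "SADB_X_MIGRATE: "
		     "changing address families (%d to %d) for endpoints.\n",
		     osaddr->sa_family, nsaddr->sa_family);

	if (cmpsaddr(osaddr, (struct sockaddr *) &saidx->src) != CMPSADDR_MATCH ||
	    cmpsaddr(odaddr, (struct sockaddr *) &saidx->dst) != CMPSADDR_MATCH) {
		plog(LLV_DEBUG, LOCATION, NULL, "SADB_X_MIGRATE: "
		     "mismatch of addresses in saidx and xisr.\n");
		return -1;
	}

	/* Excellent. Let's grab associated Phase 2 handle (if any)
	 * and update its sa_src and sa_dst entries.  Note that we
	 * make the assumption that racoon does not support bundles
	 * and make the lookup using spid: we blindly update
	 * sa_src and sa_dst for _all_ found Phase 2 handles */
	memset(&ph2sel, 0, sizeof(ph2sel));
	ph2sel.spid = spid;

	/* ma only borrows the addresses; the callback duplicates them */
	memset(&ma, 0, sizeof(ma));
	ma.local = nsaddr;
	ma.remote = ndaddr;

	if (enumph2(&ph2sel, migrate_ph2_sa_addresses, &ma) < 0)
		return -1;

	/* Now we can do the update of endpoints in secasindex */
	memcpy(&saidx->src, nsaddr, nslen);
	memcpy(&saidx->dst, ndaddr, ndlen);

	return 0;

short_xisr:
	plog(LLV_ERROR, LOCATION, NULL, "SADB_X_MIGRATE: "
	     "ipsecrequest too short for its addresses.\n");
	return -1;
}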
   3196 
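/* Process the raw (unparsed yet) list of sadb_x_ipsecrequests of MIGRATE
 * message. For each sadb_x_ipsecrequest pair (old followed by new),
 * the corresponding ipsecrequest entry in the SP is updated. Associated
 * existing Phase 2 handle is also updated (if any).
 *
 * xisr_list points at the first request and xisr_list_len is the number
 * of bytes available from there. Every length field read from the
 * message is checked against the bytes still remaining, and a pair is
 * only looked at once the remaining bytes can hold two fixed headers,
 * so no length field is read past the end of the list.
 *
 * Returns 0 when the message carried exactly one pair per ipsecrequest
 * of the SP and all of them were migrated, -1 otherwise. Entries already
 * migrated when a later pair fails are not restored. */
static int
migrate_sp_isr_list(struct secpolicy *sp, struct sadb_x_ipsecrequest *xisr_list,
    int xisr_list_len)
{
	struct sadb_x_ipsecrequest *xisr_new, *xisr_old = xisr_list;
	int xisr_old_len, xisr_new_len;
	struct ipsecrequest *isr_cur;

	isr_cur = sp->req; /* ipsecrequest list from sp */

	while (xisr_list_len > 0 && isr_cur != NULL) {
		/* Room for two headers is needed before any field is read */
		if ((size_t)xisr_list_len <
		    sizeof(*xisr_old) + sizeof(*xisr_new)) {
			plog(LLV_ERROR, LOCATION, NULL, "SADB_X_MIGRATE: "
			     "invalid ipsecrequest length. Exiting.\n");
			return -1;
		}

		/* Get old xisr (length field is in bytes) */
		xisr_old_len = xisr_old->sadb_x_ipsecrequest_len;
		if ((size_t)xisr_old_len < sizeof(*xisr_old) ||
		    (size_t)xisr_old_len + sizeof(*xisr_new) >
		    (size_t)xisr_list_len) {
			plog(LLV_ERROR, LOCATION, NULL, "SADB_X_MIGRATE: "
			     "invalid ipsecrequest length. Exiting.\n");
			return -1;
		}

		/* Get new xisr with updated info */
		xisr_new = (struct sadb_x_ipsecrequest *)(((uint8_t *)xisr_old) + xisr_old_len);
		xisr_new_len = xisr_new->sadb_x_ipsecrequest_len;
		if ((size_t)xisr_new_len < sizeof(*xisr_new) ||
		    xisr_new_len + xisr_old_len > xisr_list_len) {
			plog(LLV_ERROR, LOCATION, NULL, "SADB_X_MIGRATE: "
			     "invalid ipsecrequest length. Exiting.\n");
			return -1;
		}

		/* Start by migrating current ipsecrequest from SP */
		if (migrate_ph2_one_isr(sp->id, isr_cur, xisr_old, xisr_new) == -1) {
			plog(LLV_ERROR, LOCATION, NULL, "SADB_X_MIGRATE: "
			     "Unable to match and migrate isr. Exiting.\n");
			return -1;
		}

		/* Update pointers for next round; the checks above ensure
		 * the remaining length cannot go negative here */
		xisr_list_len -= xisr_old_len + xisr_new_len;
		xisr_old = (struct sadb_x_ipsecrequest *)(((uint8_t *)xisr_new) +
							  xisr_new_len);

		isr_cur = isr_cur->next; /* Get next ipsecrequest from SP */
	}

	/* Check we had the same amount of pairs in the MIGRATE
	   as the number of ipsecrequests in the SP */
	if ((xisr_list_len != 0) || isr_cur != NULL) {
		plog(LLV_ERROR, LOCATION, NULL, "SADB_X_MIGRATE: "
		     "number of ipsecrequest does not match the one in SP.\n");
		return -1;
	}

	return 0;
}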
   3258 
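/* Parse sadb_x_kmaddress extension and make local and remote
 * parameters point to the new addresses (zero copy: the pointers refer
 * to the message buffer and are only valid as long as it is).
 *
 * The extension must hold exactly two addresses of the same family
 * (AF_INET, or AF_INET6 when INET6 is defined), padded as computed by
 * PFKEY_ALIGN8.
 *
 * The extension length is compared as an unsigned quantity. In the
 * original code the payload length was kept in an int and compared with
 * a sizeof expression, so a length shorter than the fixed header became
 * negative, was converted to a large unsigned value and passed the
 * minimum-size test; the address family was then read from outside the
 * extension.
 *
 * -1 is returned on error, meaning that addresses are not usable
 * (*local may already have been written in that case). */
static int
parse_kmaddress(struct sadb_x_kmaddress *kmaddr, struct sockaddr **local,
    struct sockaddr **remote)
{
	size_t extlen, addrslen;
	int local_len = 0;

	if (kmaddr == NULL)
		return -1;

	/* Grab addresses in sadb_x_kmaddress extension: there must be room
	 * for the fixed header and at least one generic sockaddr before
	 * sa_family is looked at */
	extlen = (size_t)PFKEY_EXTLEN(kmaddr);
	if (extlen < sizeof(*kmaddr) + sizeof(struct sockaddr))
		return -1;
	addrslen = extlen - sizeof(*kmaddr);

	*local = (struct sockaddr *)(kmaddr + 1);

	switch ((*local)->sa_family) {
	case AF_INET:
		local_len = sizeof(struct sockaddr_in);
		break;
#ifdef INET6
	case AF_INET6:
		local_len = sizeof(struct sockaddr_in6);
		break;
#endif
	default:
		return -1;
	}

	/* Exactly two addresses of that size, nothing more, nothing less */
	if (addrslen != (size_t)PFKEY_ALIGN8(2*local_len))
		return -1;

	*remote = (struct sockaddr *)(((uint8_t *)(*local)) + local_len);

	if ((*local)->sa_family != (*remote)->sa_family)
		return -1;

	return 0;
}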
   3303 
/*
 * Handler of PF_KEY MIGRATE message. Helpers are above.
 *
 * mhp is the array of extension pointers of the received message, indexed
 * by extension type. The message header (mhp[0]) and the ADDRESS_SRC,
 * ADDRESS_DST, KMADDRESS and POLICY extensions must all be present;
 * LIFETIME_HARD is optional.
 *
 * Order of operations: check the message, take the new IKE endpoints from
 * the KMADDRESS extension, look up the SP from the selectors, then update
 * in turn the matching Phase 1 handles (outbound policies only), the IKE
 * addresses of the Phase 2 handles of that SP, the local/remote hints of
 * the SP itself, and finally the ipsecrequest list of the SP.
 *
 * local and remote point into the message (zero copy); the helpers called
 * below duplicate them before storing them.
 *
 * Returns 0 on success and -1 on the first failure. Nothing is rolled
 * back: steps that completed before the failing one stay applied.
 *
 * NOTE(review): old_saddr, new_saddr, old_daddr, new_daddr, isr_cur,
 * oldsaidx, iph2, iph1 and spid are declared but never used below.
 */
static int
pk_recvmigrate(mhp)
	caddr_t *mhp;
{
	struct sadb_address *saddr, *daddr;
	struct sockaddr *old_saddr, *new_saddr;
	struct sockaddr *old_daddr, *new_daddr;
	struct sockaddr *old_local, *old_remote;
	struct sockaddr *local, *remote;
	struct sadb_x_kmaddress *kmaddr;
	struct sadb_x_policy *xpl;
	struct sadb_x_ipsecrequest *xisr_list;
	struct sadb_lifetime *lt;
	struct policyindex spidx;
	struct secpolicy *sp;
	struct ipsecrequest *isr_cur;
	struct secasindex *oldsaidx;
	struct ph2handle *iph2;
	struct ph1handle *iph1;
	struct ph2selector ph2sel;
	struct ph1selector ph1sel;
	uint32_t spid;
	u_int64_t created;
	int xisr_list_len;
	int ulproto;
	struct migrate_args ma;

	/* Some sanity checks */

	if (mhp[0] == NULL
	 || mhp[SADB_EXT_ADDRESS_SRC] == NULL
	 || mhp[SADB_EXT_ADDRESS_DST] == NULL
	 || mhp[SADB_X_EXT_KMADDRESS] == NULL
	 || mhp[SADB_X_EXT_POLICY] == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"SADB_X_MIGRATE: invalid MIGRATE message received.\n");
		return -1;
	}
	kmaddr = (struct sadb_x_kmaddress *)mhp[SADB_X_EXT_KMADDRESS];
	saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC];
	daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
	xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
	/* The hard lifetime extension is optional; without it the creation
	 * time used for the policy index is 0 */
	lt = (struct sadb_lifetime*)mhp[SADB_EXT_LIFETIME_HARD];
	if (lt != NULL)
		created = lt->sadb_lifetime_addtime;
	else
		created = 0;

	/* NOTE(review): sadb_x_policy_type is read here, before the
	 * PFKEY_EXTLEN(xpl) >= sizeof(*xpl) test just below. Presumably the
	 * code that filled mhp already guarantees a complete header for each
	 * extension -- confirm, or swap the two checks. */
	if (xpl->sadb_x_policy_type != IPSEC_POLICY_IPSEC) {
		plog(LLV_WARNING, LOCATION, NULL,"SADB_X_MIGRATE: "
		     "found non IPsec policy in MIGRATE message. Exiting.\n");
		return -1;
	}

	if (PFKEY_EXTLEN(xpl) < sizeof(*xpl)) {
		plog(LLV_ERROR, LOCATION, NULL, "SADB_X_MIGRATE: "
		     "invalid size for sadb_x_policy. Exiting.\n");
		return -1;
	}

	/* Some logging to help debugging. Any direction other than outbound
	 * is reported as inbound here. */
	if (xpl->sadb_x_policy_dir == IPSEC_DIR_OUTBOUND)
		plog(LLV_DEBUG, LOCATION, NULL,
		     "SADB_X_MIGRATE: Outbound SA being migrated.\n");
	else
		plog(LLV_DEBUG, LOCATION, NULL,
		     "SADB_X_MIGRATE: Inbound SA being migrated.\n");

	/* validity check: the policy extension must carry at least one
	 * ipsecrequest header after its fixed part. The size test above
	 * keeps the subtraction below from going negative. */
	xisr_list = (struct sadb_x_ipsecrequest *)(xpl + 1);
	xisr_list_len = PFKEY_EXTLEN(xpl) - sizeof(*xpl);
	if (xisr_list_len < sizeof(*xisr_list)) {
		plog(LLV_ERROR, LOCATION, NULL, "SADB_X_MIGRATE: "
		     "invalid sadb_x_policy message length. Exiting.\n");
		return -1;
	}

	/* New IKE endpoints; on success local and remote point into the
	 * KMADDRESS extension */
	if (parse_kmaddress(kmaddr, &local, &remote) == -1) {
		plog(LLV_ERROR, LOCATION, NULL, "SADB_X_MIGRATE: "
		     "invalid sadb_x_kmaddress extension. Exiting.\n");
		return -1;
	}

	/* 0 means ANY */
	if (saddr->sadb_address_proto == 0)
		ulproto = IPSEC_ULPROTO_ANY;
	else
		ulproto = saddr->sadb_address_proto;

	/* Build the policy index used for the SP lookup from the selectors.
	 * NOTE(review): saddr + 1 and daddr + 1 are used as the selector
	 * addresses without a length check in this function; presumably the
	 * address extensions were validated when mhp was built -- confirm. */
#ifdef HAVE_PFKEY_POLICY_PRIORITY
	KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
			saddr + 1,
			daddr + 1,
			saddr->sadb_address_prefixlen,
			daddr->sadb_address_prefixlen,
			ulproto,
			xpl->sadb_x_policy_priority,
			created,
			&spidx);
#else
	KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
			saddr + 1,
			daddr + 1,
			saddr->sadb_address_prefixlen,
			daddr->sadb_address_prefixlen,
			ulproto,
			created,
			&spidx);
#endif

	/* Everything seems ok, let's get the SP.
	 *
	 * XXX We could also do the lookup using the spid from xpl.
	 *     I don't know which one is better.  --arno */
	sp = getsp(&spidx);
	if (sp == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"SADB_X_MIGRATE: Passed policy does not exist: %s\n",
			spidx2str(&spidx));
		return -1;
	}

	/* Get the best source and destination addresses used for IKE
	 * negotiation, to find and migrate existing Phase 1 */
	if (sp->local && sp->remote) {
		/* hints available, let's use them */
		old_local  = (struct sockaddr *)sp->local;
		old_remote = (struct sockaddr *)sp->remote;
	} else if (sp->req && sp->req->saidx.mode == IPSEC_MODE_TUNNEL) {
		/* Tunnel mode and no hint, use endpoints */
		old_local  = (struct sockaddr *)&sp->req->saidx.src;
		old_remote = (struct sockaddr *)&sp->req->saidx.dst;
	} else {
		/* default, use selectors as fallback */
		old_local  = (struct sockaddr *)&sp->spidx.src;
		old_remote = (struct sockaddr *)&sp->spidx.dst;
	}

	/* We migrate all Phase 1 that match our old local and remote
	 * addresses (no matter their state).
	 *
	 * XXX In fact, we should probably have a special treatment for
	 * Phase 1 that are being established when we receive a MIGRATE.
	 * This can happen if a movement occurs during the initial IKE
	 * negotiation. In that case, I wonder if should restart the
	 * negotiation from the new address or just update things like
	 * we do it now.
	 *
	 * XXX while looking at getph1byaddr(), the comment at the
	 * beginning of the function expects comparison to happen
	 * without ports considerations but it uses CMPSADDR() which
	 * relies either on cmpsaddrstrict() or cmpsaddrwop() based
	 * on NAT-T support being activated. That make me wonder if I
	 * should force ports to 0 (ANY) in local and remote values
	 * used below.
	 *
	 * -- arno */

	/* Apply callback data ...*/
	memset(&ma, 0, sizeof(ma));
	ma.local = local;
	ma.remote = remote;

	/* Fill phase1 match criteria ... */
	memset(&ph1sel, 0, sizeof(ph1sel));
	ph1sel.local = old_local;
	ph1sel.remote = old_remote;


	/* Have matching Phase 1 found and addresses updated. As this is a
	 * time consuming task on a busy responder, and MIGRATE messages
	 * are always sent for *both* inbound and outbound (and possibly
	 * forward), we only do that for outbound SP. */
	if (xpl->sadb_x_policy_dir == IPSEC_DIR_OUTBOUND &&
	    enumph1(&ph1sel, migrate_ph1_ike_addresses, &ma) < 0) {
		plog(LLV_ERROR, LOCATION, NULL, "SADB_X_MIGRATE: Unable "
		     "to migrate Phase 1 addresses.\n");
		return -1;
	}

	/* We can now update IKE addresses in Phase 2 handle. */
	memset(&ph2sel, 0, sizeof(ph2sel));
	ph2sel.spid = sp->id;
	if (enumph2(&ph2sel, migrate_ph2_ike_addresses, &ma) < 0) {
		plog(LLV_ERROR, LOCATION, NULL, "SADB_X_MIGRATE: Unable "
		     "to migrate Phase 2 IKE addresses.\n");
		return -1;
	}

	/* and _then_ in SP. This has to come after the Phase 1 lookup above:
	 * old_local/old_remote may point at sp->local/sp->remote, which this
	 * call frees and replaces. */
	if (migrate_sp_ike_addresses(sp, local, remote) < 0) {
		plog(LLV_ERROR, LOCATION, NULL,
		     "SADB_X_MIGRATE: Unable to migrate SP IKE addresses.\n");
		return -1;
	}

	/* Loop on sadb_x_ipsecrequest list to possibly update sp->req
	 * entries and associated live Phase 2 handles (their sa_src
	 * and sa_dst) */
	if (migrate_sp_isr_list(sp, xisr_list, xisr_list_len) < 0) {
		plog(LLV_ERROR, LOCATION, NULL,
		     "SADB_X_MIGRATE: Unable to migrate isr list.\n");
		return -1;
	}

	return 0;
}
   3512 #endif
   3513 
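/*
 * send error against acquire message to kernel.
 *
 * Builds a bare SADB_ACQUIRE header carrying errno ENOENT, with the
 * satype and sequence number of iph2, and writes it to the PF_KEY
 * socket.
 *
 * Returns 0 when the message was handed to the socket, -1 when the
 * buffer could not be allocated or the send failed. The original code
 * stored the result of pfkey_send() and then ignored it, so a failed
 * send was neither logged nor reported.
 */
int
pk_sendeacquire(struct ph2handle *iph2)
{
	struct sadb_msg *newmsg;
	int len;
	int rc = 0;

	len = sizeof(struct sadb_msg);
	newmsg = racoon_calloc(1, len);
	if (newmsg == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to get buffer to send acquire.\n");
		return -1;
	}

	memset(newmsg, 0, len);
	newmsg->sadb_msg_version = PF_KEY_V2;
	newmsg->sadb_msg_type = SADB_ACQUIRE;
	newmsg->sadb_msg_errno = ENOENT;	/* XXX */
	newmsg->sadb_msg_satype = iph2->satype;
	newmsg->sadb_msg_len = PFKEY_UNIT64(len);
	newmsg->sadb_msg_reserved = 0;
	newmsg->sadb_msg_seq = iph2->seq;
	newmsg->sadb_msg_pid = (uint32_t)getpid();

	/* send message */
	if (pfkey_send(lcconf->sock_pfkey, newmsg, len) < 0) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to send acquire error to kernel (%s).\n",
			ipsec_strerror());
		rc = -1;
	}

	/* the buffer is ours whether or not the send worked */
	racoon_free(newmsg);

	return rc;
}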
   3548 
/*
 * check if the algorithm is supported or not.
 *
 * class and calg identify the algorithm (they are mapped through
 * algclass2doi()/algtype2doi() and then to a PF_KEY algorithm number);
 * keylen is the key length to validate, 0 meaning "use the minimum
 * length reported for that algorithm".
 *
 * Compression algorithms are accepted without any check.
 *
 * OUT	 0: ok
 *	-1: ng (the result of ipsec_check_keylen() is returned as is
 *	    for the final key length test)
 */
int
pk_checkalg(int class, int calg, int keylen)
{
	struct sadb_alg minalg;
	u_int pfalg;
	int exttype;
	int rc;

	/* Which "supported algorithms" list applies to this class? */
	switch (algclass2doi(class)) {
	case IPSECDOI_PROTO_IPSEC_ESP:
		exttype = SADB_EXT_SUPPORTED_ENCRYPT;
		break;

	case IPSECDOI_ATTR_AUTH:
		exttype = SADB_EXT_SUPPORTED_AUTH;
		break;

	case IPSECDOI_PROTO_IPCOMP:
		plog(LLV_DEBUG, LOCATION, NULL,
			"no check of compression algorithm; "
			"not supported in sadb message.\n");
		return 0;

	default:
		plog(LLV_ERROR, LOCATION, NULL,
			"invalid algorithm class.\n");
		return -1;
	}

	/* ~0u is the "no PF_KEY equivalent" answer */
	pfalg = ipsecdoi2pfkey_alg(algclass2doi(class), algtype2doi(class, calg));
	if (pfalg == ~0u)
		return -1;

	/* No explicit key length: fall back to the algorithm's minimum */
	if (keylen == 0) {
		if (ipsec_get_keylen(exttype, pfalg, &minalg) != 0) {
			plog(LLV_ERROR, LOCATION, NULL,
				"%s.\n", ipsec_strerror());
			return -1;
		}
		keylen = minalg.sadb_alg_minbits;
	}

	rc = ipsec_check_keylen(exttype, pfalg, keylen);
	if (rc != 0) {
		plog(LLV_ERROR, LOCATION, NULL,
			"%s.\n", ipsec_strerror());
	}

	return rc;
}
   3598 
/*
 * Read one complete PF_KEY message from socket so.
 *
 * differences with pfkey_recv() in libipsec/pfkey.c:
 * - never performs busy wait loop (the header peek is tried at most
 *   three times while recv() reports EAGAIN).
 * - returns NULL and set *lenp to negative on fatal failures
 * - returns NULL and set *lenp to non-negative on non-fatal failures
 * - returns non-NULL on success; the caller owns the returned buffer
 *
 * The total length is taken from the peeked header and is rejected when
 * it is smaller than the header itself; the message is then peeked in
 * full and only consumed from the socket once its size is confirmed.
 */
static struct sadb_msg *
pk_recv(int so, int *lenp)
{
	struct sadb_msg hdr;
	struct sadb_msg *msg;
	int msglen;
	int attempt = 0;

	*lenp = -1;

	/* Peek at the fixed header without blocking */
	for (;;) {
		plog(LLV_DEBUG, LOCATION, NULL, "pk_recv: retry[%d] recv() \n", attempt );
		*lenp = recv(so, (caddr_t)&hdr, sizeof(hdr), MSG_PEEK | MSG_DONTWAIT);
		attempt++;
		if (!(*lenp < 0 && errno == EAGAIN && attempt < 3))
			break;
	}

	/* negative: fatal; short header: non-fatal (*lenp stays >= 0) */
	if (*lenp < 0 || (size_t)*lenp < sizeof(hdr))
		return NULL;

	/* sadb_msg_len counts 64-bit units */
	msglen = PFKEY_UNUNIT64(hdr.sadb_msg_len);
	if ((size_t)msglen < sizeof(hdr)) {
		/* a message cannot be shorter than its own header: fatal */
		*lenp = -1;
		errno = EIO;
		return NULL;
	}

	msg = racoon_calloc(1, msglen);
	if (msg == NULL)
		return NULL;

	/* First look at the whole message while leaving it queued ... */
	*lenp = recv(so, (caddr_t)msg, msglen, MSG_PEEK);
	if (*lenp < 0 || *lenp != msglen) {
		/* negative *lenp is fatal for the caller, a short read is not */
		racoon_free(msg);
		return NULL;
	}

	/* ... then actually take it off the socket */
	*lenp = recv(so, (caddr_t)msg, msglen, 0);
	if (*lenp < 0 || *lenp != msglen) {
		racoon_free(msg);
		return NULL;
	}

	return msg;
}
   3657 
/* see handler.h
 *
 * Returns the value produced by eay_random(), as a 32-bit sequence
 * number. */
uint32_t
pk_getseq(void)
{
	uint32_t seq = eay_random();

	return seq;
}
   3664 
   3665 static int
   3666 addnewsp(caddr_t *mhp, struct sockaddr *local, struct sockaddr *remote)
   3667 {
   3668 	struct secpolicy *new = NULL;
   3669 	struct sadb_address *saddr, *daddr;
   3670 	struct sadb_x_policy *xpl;
   3671 	struct sadb_lifetime *lt;
   3672 	u_int64_t created;
   3673 
   3674 	/* sanity check */
   3675 	if (mhp[SADB_EXT_ADDRESS_SRC] == NULL
   3676 	 || mhp[SADB_EXT_ADDRESS_DST] == NULL
   3677 	 || mhp[SADB_X_EXT_POLICY] == NULL) {
   3678 		plog(LLV_ERROR, LOCATION, NULL,
   3679 			"inappropriate sadb spd management message passed.\n");
   3680 		goto bad;
   3681 	}
   3682 
   3683 	saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC];
   3684 	daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
   3685 	xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
   3686 	lt = (struct sadb_lifetime*)mhp[SADB_EXT_LIFETIME_HARD];
   3687 	if(lt != NULL)
   3688 		created = lt->sadb_lifetime_addtime;
   3689 	else
   3690 		created = 0;
   3691 	lt = (struct sadb_lifetime*)mhp[SADB_EXT_LIFETIME_HARD];
   3692 	if(lt != NULL)
   3693 		created = lt->sadb_lifetime_addtime;
   3694 	else
   3695 		created = 0;
   3696 
   3697 #ifdef __linux__
   3698 	/* bsd skips over per-socket policies because there will be no
   3699 	 * src and dst extensions in spddump messages. On Linux the only
   3700 	 * way to achieve the same is check for policy id.
   3701 	 */
   3702 	if (xpl->sadb_x_policy_id % 8 >= 3) return 0;
   3703 #endif
   3704 
   3705 	new = newsp();
   3706 	if (new == NULL) {
   3707 		plog(LLV_ERROR, LOCATION, NULL,
   3708 			"failed to allocate buffer\n");
   3709 		goto bad;
   3710 	}
   3711 
   3712 	new->spidx.dir = xpl->sadb_x_policy_dir;
   3713 	new->id = xpl->sadb_x_policy_id;
   3714 	new->policy = xpl->sadb_x_policy_type;
   3715 	new->req = NULL;
   3716 
   3717 	/* check policy */
   3718 	switch (xpl->sadb_x_policy_type) {
   3719 	case IPSEC_POLICY_DISCARD:
   3720 	case IPSEC_POLICY_NONE:
   3721 	case IPSEC_POLICY_ENTRUST:
   3722 	case IPSEC_POLICY_BYPASS:
   3723 		break;
   3724 
   3725 	case IPSEC_POLICY_IPSEC:
   3726 	    {
   3727 		int tlen;
   3728 		struct sadb_x_ipsecrequest *xisr;
   3729 		struct ipsecrequest **p_isr = &new->req;
   3730 
   3731 		/* validity check */
   3732 		if (PFKEY_EXTLEN(xpl) < sizeof(*xpl)) {
   3733 			plog(LLV_ERROR, LOCATION, NULL,
   3734 				"invalid msg length.\n");
   3735 			goto bad;
   3736 		}
   3737 
   3738 		tlen = PFKEY_EXTLEN(xpl) - sizeof(*xpl);
   3739 		xisr = (struct sadb_x_ipsecrequest *)(xpl + 1);
   3740 
   3741 		while (tlen > 0) {
   3742 
   3743 			/* length check */
   3744 			if (xisr->sadb_x_ipsecrequest_len < sizeof(*xisr)) {
   3745 				plog(LLV_ERROR, LOCATION, NULL,
   3746 					"invalid msg length.\n");
   3747 				goto bad;
   3748 			}
   3749 
   3750 			/* allocate request buffer */
   3751 			*p_isr = newipsecreq();
   3752 			if (*p_isr == NULL) {
   3753 				plog(LLV_ERROR, LOCATION, NULL,
   3754 					"failed to get new ipsecreq.\n");
   3755 				goto bad;
   3756 			}
   3757 
   3758 			/* set values */
   3759 			(*p_isr)->next = NULL;
   3760 
   3761 			switch (xisr->sadb_x_ipsecrequest_proto) {
   3762 			case IPPROTO_ESP:
   3763 			case IPPROTO_AH:
   3764 			case IPPROTO_IPCOMP:
   3765 				break;
   3766 			default:
   3767 				plog(LLV_ERROR, LOCATION, NULL,
   3768 					"invalid proto type: %u\n",
   3769 					xisr->sadb_x_ipsecrequest_proto);
   3770 				goto bad;
   3771 			}
   3772 			(*p_isr)->saidx.proto = xisr->sadb_x_ipsecrequest_proto;
   3773 
   3774 			switch (xisr->sadb_x_ipsecrequest_mode) {
   3775 			case IPSEC_MODE_TRANSPORT:
   3776 			case IPSEC_MODE_TUNNEL:
   3777 				break;
   3778 			case IPSEC_MODE_ANY:
   3779 			default:
   3780 				plog(LLV_ERROR, LOCATION, NULL,
   3781 					"invalid mode: %u\n",
   3782 					xisr->sadb_x_ipsecrequest_mode);
   3783 				goto bad;
   3784 			}
   3785 			(*p_isr)->saidx.mode = xisr->sadb_x_ipsecrequest_mode;
   3786 
   3787 			switch (xisr->sadb_x_ipsecrequest_level) {
   3788 			case IPSEC_LEVEL_DEFAULT:
   3789 			case IPSEC_LEVEL_USE:
   3790 			case IPSEC_LEVEL_REQUIRE:
   3791 				break;
   3792 			case IPSEC_LEVEL_UNIQUE:
   3793 				(*p_isr)->saidx.reqid =
   3794 					xisr->sadb_x_ipsecrequest_reqid;
   3795 				break;
   3796 
   3797 			default:
   3798 				plog(LLV_ERROR, LOCATION, NULL,
   3799 					"invalid level: %u\n",
   3800 					xisr->sadb_x_ipsecrequest_level);
   3801 				goto bad;
   3802 			}
   3803 			(*p_isr)->level = xisr->sadb_x_ipsecrequest_level;
   3804 
   3805 			/* set IP addresses if there */
   3806 			if (xisr->sadb_x_ipsecrequest_len > sizeof(*xisr)) {
   3807 				struct sockaddr *paddr;
   3808 
   3809 				paddr = (struct sockaddr *)(xisr + 1);
   3810 				bcopy(paddr, &(*p_isr)->saidx.src,
   3811 					sysdep_sa_len(paddr));
   3812 
   3813 				paddr = (struct sockaddr *)((caddr_t)paddr
   3814 							+ sysdep_sa_len(paddr));
   3815 				bcopy(paddr, &(*p_isr)->saidx.dst,
   3816 					sysdep_sa_len(paddr));
   3817 			}
   3818 
   3819 			(*p_isr)->sp = new;
   3820 
   3821 			/* initialization for the next. */
   3822 			p_isr = &(*p_isr)->next;
   3823 			tlen -= xisr->sadb_x_ipsecrequest_len;
   3824 
   3825 			/* validity check */
   3826 			if (tlen < 0) {
   3827 				plog(LLV_ERROR, LOCATION, NULL,
   3828 					"becoming tlen < 0\n");
   3829 			}
   3830 
   3831 			xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xisr
   3832 			                 + xisr->sadb_x_ipsecrequest_len);
   3833 		}
   3834 	    }
   3835 		break;
   3836 	default:
   3837 		plog(LLV_ERROR, LOCATION, NULL,
   3838 			"invalid policy type.\n");
   3839 		goto bad;
   3840 	}
   3841 
   3842 #ifdef HAVE_PFKEY_POLICY_PRIORITY
   3843 	KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
   3844 			saddr + 1,
   3845 			daddr + 1,
   3846 			saddr->sadb_address_prefixlen,
   3847 			daddr->sadb_address_prefixlen,
   3848 			saddr->sadb_address_proto,
   3849 			xpl->sadb_x_policy_priority,
   3850 			created,
   3851 			&new->spidx);
   3852 #else
   3853 	KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
   3854 			saddr + 1,
   3855 			daddr + 1,
   3856 			saddr->sadb_address_prefixlen,
   3857 			daddr->sadb_address_prefixlen,
   3858 			saddr->sadb_address_proto,
   3859 			created,
   3860 			&new->spidx);
   3861 #endif
   3862 
   3863 #ifdef HAVE_SECCTX
   3864 	if (mhp[SADB_X_EXT_SEC_CTX] != NULL) {
   3865 		struct sadb_x_sec_ctx *ctx;
   3866 
   3867 		ctx = (struct sadb_x_sec_ctx *)mhp[SADB_X_EXT_SEC_CTX];
   3868 		new->spidx.sec_ctx.ctx_alg = ctx->sadb_x_ctx_alg;
   3869 		new->spidx.sec_ctx.ctx_doi = ctx->sadb_x_ctx_doi;
   3870 		new->spidx.sec_ctx.ctx_strlen = ctx->sadb_x_ctx_len;
   3871 		memcpy(new->spidx.sec_ctx.ctx_str,ctx + 1,ctx->sadb_x_ctx_len);
   3872 	}
   3873 #endif /* HAVE_SECCTX */
   3874 
   3875 	/* Set local and remote hints for that SP, if available */
   3876 	if (local && remote) {
   3877 		new->local = dupsaddr(local);
   3878 		new->remote = dupsaddr(remote);
   3879 	}
   3880 
   3881 	inssp(new);
   3882 
   3883 	return 0;
   3884 bad:
   3885 	if (new != NULL) {
   3886 		if (new->req != NULL)
   3887 			racoon_free(new->req);
   3888 		racoon_free(new);
   3889 	}
   3890 	return -1;
   3891 }
   3892 
/*
 * Render an SA identity as "proto[/mode] src->dst [spi=N(0xN)]".
 *
 * proto and mode are PF_KEY values; they are translated with
 * pfkey2ipsecdoi_proto() and pfkey2ipsecdoi_mode() before being turned
 * into names.  A mode of 0 leaves out the "/mode" part, and an spi of 0
 * leaves out the trailing "spi=" part.  spi is passed through ntohl()
 * before printing.
 *
 * Returns a pointer to a function-local static buffer, so the text is
 * overwritten by the next call and must not be freed.  Returns NULL if
 * either translation yields ~0u, or if the proto/mode, source or
 * destination part does not fit in the buffer; callers have to check
 * for NULL before handing the result to a "%s" format.
 *
 * NOTE(review): the saddr2str() results go straight into "%s"; confirm
 * it cannot return NULL for the src/dst values callers pass.
 */
const char *
sadbsecas2str(struct sockaddr *src, struct sockaddr *dst, int proto,
    uint32_t spi, int mode)
{
	static char buf[256];
	/* one byte is held back, as in the remaining-length bookkeeping */
	const int cap = sizeof(buf) - 1;
	u_int doi_proto, doi_mode = 0;
	int off = 0;
	int n;

	doi_proto = pfkey2ipsecdoi_proto(proto);
	if (doi_proto == ~0u)
		return NULL;
	if (mode != 0) {
		doi_mode = pfkey2ipsecdoi_mode(mode);
		if (doi_mode == ~0u)
			return NULL;
	}

	/* "proto " or "proto/mode " */
	n = snprintf(buf + off, cap - off, "%s%s%s ",
	    s_ipsecdoi_proto(doi_proto),
	    mode ? "/" : "",
	    mode ? s_ipsecdoi_encmode(doi_mode) : "");
	if (n < 0 || n >= cap - off)
		return NULL;
	off += n;

	/*
	 * The two addresses are formatted by separate snprintf() calls,
	 * each with its own saddr2str() invocation.
	 */
	n = snprintf(buf + off, cap - off, "%s->", saddr2str(src));
	if (n < 0 || n >= cap - off)
		return NULL;
	off += n;

	n = snprintf(buf + off, cap - off, "%s ", saddr2str(dst));
	if (n < 0 || n >= cap - off)
		return NULL;
	off += n;

	if (spi != 0) {
		unsigned long host_spi = (unsigned long)ntohl(spi);

		/*
		 * The result of this last write is not checked: if the
		 * SPI text does not fit it is silently truncated rather
		 * than reported as NULL.
		 */
		snprintf(buf + off, cap - off, "spi=%lu(0x%lx)",
		    host_spi, host_spi);
	}

	return buf;
}
   3943