]> git.saurik.com Git - apple/ipsec.git/blob - ipsec-tools/racoon/pfkey_racoon.c
projects / apple / ipsec.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
ipsec-34.0.1.tar.gz
[apple/ipsec.git] / ipsec-tools / racoon / pfkey_racoon.c
1 /* $Id: pfkey.c,v 1.31.2.10 2005/10/03 14:52:19 manubsd Exp $ */
2
3 /*
4 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. Neither the name of the project nor the names of its contributors
16 * may be used to endorse or promote products derived from this software
17 * without specific prior written permission.
18 *
19 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 * SUCH DAMAGE.
30 */
31
32 #include "config.h"
33
34 #include <stdlib.h>
35 #include <string.h>
36 #include <stdio.h>
37 #include <netdb.h>
38 #include <errno.h>
39 #ifdef HAVE_UNISTD_H
40 #include <unistd.h>
41 #endif
42 #include <netdb.h>
43 #include <netinet/in.h>
44 #include <arpa/inet.h>
45
46 #ifdef ENABLE_NATT
47 # ifdef __linux__
48 # include <linux/udp.h>
49 # endif
50 # if defined(__NetBSD__) || defined(__FreeBSD__)
51 # include <netinet/udp.h>
52 # endif
53 #endif
54
55 #include <sys/types.h>
56 #include <sys/param.h>
57 #include <sys/socket.h>
58 #include <sys/queue.h>
59 #include <sys/sysctl.h>
60
61 #include <net/route.h>
62 #ifdef __APPLE__
63 #include <System/net/pfkeyv2.h>
64 #else
65 #include <net/pfkeyv2.h>
66 #endif
67
68 #include <netinet/in.h>
69 #ifndef HAVE_NETINET6_IPSEC
70 #include <netinet/ipsec.h>
71 #else
72 #include <netinet6/ipsec.h>
73 #endif
74
75 #include "libpfkey.h"
76
77 #include "var.h"
78 #include "misc.h"
79 #include "vmbuf.h"
80 #include "plog.h"
81 #include "sockmisc.h"
82 #include "debug.h"
83
84 #include "schedule.h"
85 #include "localconf.h"
86 #include "remoteconf.h"
87 #include "isakmp_var.h"
88 #include "isakmp.h"
89 #include "isakmp_inf.h"
90 #include "ipsec_doi.h"
91 #include "oakley.h"
92 #include "pfkey.h"
93 #include "handler.h"
94 #include "policy.h"
95 #include "algorithm.h"
96 #include "sainfo.h"
97 #include "proposal.h"
98 #include "admin.h"
99 #include "privsep.h"
100 #include "strnames.h"
101 #include "backupsa.h"
102 #include "gcmalloc.h"
103 #include "nattraversal.h"
104 #include "crypto_openssl.h"
105 #include "grabmyaddr.h"
106 #include "vpn_control.h"
107 #include "vpn_control_var.h"
108
109 #if defined(SADB_X_EALG_RIJNDAELCBC) && !defined(SADB_X_EALG_AESCBC)
110 #define SADB_X_EALG_AESCBC SADB_X_EALG_RIJNDAELCBC
111 #endif
112
113 /* prototype */
114 static u_int ipsecdoi2pfkey_aalg __P((u_int));
115 static u_int ipsecdoi2pfkey_ealg __P((u_int));
116 static u_int ipsecdoi2pfkey_calg __P((u_int));
117 static u_int ipsecdoi2pfkey_alg __P((u_int, u_int));
118 static u_int keylen_aalg __P((u_int));
119 static u_int keylen_ealg __P((u_int, int));
120
121 static int pk_recvgetspi __P((caddr_t *));
122 static int pk_recvupdate __P((caddr_t *));
123 static int pk_recvadd __P((caddr_t *));
124 static int pk_recvdelete __P((caddr_t *));
125 static int pk_recvacquire __P((caddr_t *));
126 static int pk_recvexpire __P((caddr_t *));
127 static int pk_recvflush __P((caddr_t *));
128 static int getsadbpolicy __P((caddr_t *, int *, int, struct ph2handle *));
129 static int pk_recvspdupdate __P((caddr_t *));
130 static int pk_recvspdadd __P((caddr_t *));
131 static int pk_recvspddelete __P((caddr_t *));
132 static int pk_recvspdexpire __P((caddr_t *));
133 static int pk_recvspdget __P((caddr_t *));
134 static int pk_recvspddump __P((caddr_t *));
135 static int pk_recvspdflush __P((caddr_t *));
136 static struct sadb_msg *pk_recv __P((int, int *));
137
138 static int (*pkrecvf[]) __P((caddr_t *)) = {
139 NULL,
140 pk_recvgetspi,
141 pk_recvupdate,
142 pk_recvadd,
143 pk_recvdelete,
144 NULL, /* SADB_GET */
145 pk_recvacquire,
146 NULL, /* SABD_REGISTER */
147 pk_recvexpire,
148 pk_recvflush,
149 NULL, /* SADB_DUMP */
150 NULL, /* SADB_X_PROMISC */
151 NULL, /* SADB_X_PCHANGE */
152 pk_recvspdupdate,
153 pk_recvspdadd,
154 pk_recvspddelete,
155 pk_recvspdget,
156 NULL, /* SADB_X_SPDACQUIRE */
157 pk_recvspddump,
158 pk_recvspdflush,
159 NULL, /* SADB_X_SPDSETIDX */
160 pk_recvspdexpire,
161 NULL, /* SADB_X_SPDDELETE2 */
162 NULL, /* SADB_X_NAT_T_NEW_MAPPING */
163 NULL, /* SADB_X_MIGRATE */
164 #if (SADB_MAX > 24)
165 #error "SADB extra message?"
166 #endif
167 };
168
169 static int addnewsp __P((caddr_t *));
170
171 /* cope with old kame headers - ugly */
172 #ifndef SADB_X_AALG_MD5
173 #define SADB_X_AALG_MD5 SADB_AALG_MD5
174 #endif
175 #ifndef SADB_X_AALG_SHA
176 #define SADB_X_AALG_SHA SADB_AALG_SHA
177 #endif
178 #ifndef SADB_X_AALG_NULL
179 #define SADB_X_AALG_NULL SADB_AALG_NULL
180 #endif
181
182 #ifndef SADB_X_EALG_BLOWFISHCBC
183 #define SADB_X_EALG_BLOWFISHCBC SADB_EALG_BLOWFISHCBC
184 #endif
185 #ifndef SADB_X_EALG_CAST128CBC
186 #define SADB_X_EALG_CAST128CBC SADB_EALG_CAST128CBC
187 #endif
188 #ifndef SADB_X_EALG_RC5CBC
189 #ifdef SADB_EALG_RC5CBC
190 #define SADB_X_EALG_RC5CBC SADB_EALG_RC5CBC
191 #endif
192 #endif
193
194 /*
195 * PF_KEY packet handler
196 * 0: success
197 * -1: fail
198 */
199 int
200 pfkey_handler()
201 {
202 struct sadb_msg *msg;
203 int len;
204 caddr_t mhp[SADB_EXT_MAX + 1];
205 int error = -1;
206
207 /* receive pfkey message. */
208 len = 0;
209 msg = (struct sadb_msg *)pk_recv(lcconf->sock_pfkey, &len);
210 if (msg == NULL) {
211 if (len < 0) {
212 plog(LLV_ERROR, LOCATION, NULL,
213 "failed to recv from pfkey (%s)\n",
214 strerror(errno));
215 goto end;
216 } else {
217 /* short message - msg not ready */
218 return 0;
219 }
220 }
221
222 plog(LLV_DEBUG, LOCATION, NULL, "get pfkey %s message\n",
223 s_pfkey_type(msg->sadb_msg_type));
224 plogdump(LLV_DEBUG2, msg, msg->sadb_msg_len << 3);
225
226 /* validity check */
227 if (msg->sadb_msg_errno) {
228 int pri;
229
230 /* when SPD is empty, treat the state as no error. */
231 if (msg->sadb_msg_type == SADB_X_SPDDUMP &&
232 msg->sadb_msg_errno == ENOENT)
233 pri = LLV_DEBUG;
234 else
235 pri = LLV_ERROR;
236
237 plog(pri, LOCATION, NULL,
238 "pfkey %s failed: %s\n",
239 s_pfkey_type(msg->sadb_msg_type),
240 strerror(msg->sadb_msg_errno));
241
242 goto end;
243 }
244
245 /* check pfkey message. */
246 if (pfkey_align(msg, mhp)) {
247 plog(LLV_ERROR, LOCATION, NULL,
248 "libipsec failed pfkey align (%s)\n",
249 ipsec_strerror());
250 goto end;
251 }
252 if (pfkey_check(mhp)) {
253 plog(LLV_ERROR, LOCATION, NULL,
254 "libipsec failed pfkey check (%s)\n",
255 ipsec_strerror());
256 goto end;
257 }
258 msg = (struct sadb_msg *)mhp[0];
259
260 /* safety check */
261 if (msg->sadb_msg_type >= ARRAYLEN(pkrecvf)) {
262 plog(LLV_ERROR, LOCATION, NULL,
263 "unknown PF_KEY message type=%u\n",
264 msg->sadb_msg_type);
265 goto end;
266 }
267
268 if (pkrecvf[msg->sadb_msg_type] == NULL) {
269 plog(LLV_INFO, LOCATION, NULL,
270 "unsupported PF_KEY message %s\n",
271 s_pfkey_type(msg->sadb_msg_type));
272 goto end;
273 }
274
275 if ((pkrecvf[msg->sadb_msg_type])(mhp) < 0)
276 goto end;
277
278 error = 0;
279 end:
280 if (msg)
281 racoon_free(msg);
282 return(error);
283 }
284
285 /*
286 * dump SADB
287 */
288 vchar_t *
289 pfkey_dump_sadb(satype)
290 int satype;
291 {
292 int s = -1;
293 vchar_t *buf = NULL;
294 pid_t pid = getpid();
295 struct sadb_msg *msg = NULL;
296 size_t bl, ml;
297 int len;
298
299 if ((s = privsep_pfkey_open()) < 0) {
300 plog(LLV_ERROR, LOCATION, NULL,
301 "libipsec failed pfkey open: %s\n",
302 ipsec_strerror());
303 return NULL;
304 }
305
306 plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_dump\n");
307 if (pfkey_send_dump(s, satype) < 0) {
308 plog(LLV_ERROR, LOCATION, NULL,
309 "libipsec failed dump: %s\n", ipsec_strerror());
310 goto fail;
311 }
312
313 while (1) {
314 if (msg)
315 racoon_free(msg);
316 msg = pk_recv(s, &len);
317 if (msg == NULL) {
318 if (len < 0)
319 goto done;
320 else
321 continue;
322 }
323
324 if (msg->sadb_msg_type != SADB_DUMP || msg->sadb_msg_pid != pid)
325 continue;
326
327 ml = msg->sadb_msg_len << 3;
328 bl = buf ? buf->l : 0;
329 buf = vrealloc(buf, bl + ml);
330 if (buf == NULL) {
331 plog(LLV_ERROR, LOCATION, NULL,
332 "failed to reallocate buffer to dump.\n");
333 goto fail;
334 }
335 memcpy(buf->v + bl, msg, ml);
336
337 if (msg->sadb_msg_seq == 0)
338 break;
339 }
340 goto done;
341
342 fail:
343 if (buf)
344 vfree(buf);
345 buf = NULL;
346 done:
347 if (msg)
348 racoon_free(msg);
349 if (s >= 0)
350 privsep_pfkey_close(s);
351 return buf;
352 }
353
354 #ifdef ENABLE_ADMINPORT
355 /*
356 * flush SADB
357 */
358 void
359 pfkey_flush_sadb(proto)
360 u_int proto;
361 {
362 int satype;
363
364 /* convert to SADB_SATYPE */
365 if ((satype = admin2pfkey_proto(proto)) < 0)
366 return;
367
368 plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_flush\n");
369 if (pfkey_send_flush(lcconf->sock_pfkey, satype) < 0) {
370 plog(LLV_ERROR, LOCATION, NULL,
371 "libipsec failed send flush (%s)\n", ipsec_strerror());
372 return;
373 }
374
375 return;
376 }
377 #endif
378
379 /*
380 * These are the SATYPEs that we manage. We register to get
381 * PF_KEY messages related to these SATYPEs, and we also use
382 * this list to determine which SATYPEs to delete SAs for when
383 * we receive an INITIAL-CONTACT.
384 */
385 const struct pfkey_satype pfkey_satypes[] = {
386 { SADB_SATYPE_AH, "AH" },
387 { SADB_SATYPE_ESP, "ESP" },
388 { SADB_X_SATYPE_IPCOMP, "IPCOMP" },
389 };
390 const int pfkey_nsatypes =
391 sizeof(pfkey_satypes) / sizeof(pfkey_satypes[0]);
392
393 /*
394 * PF_KEY initialization
395 */
396 int
397 pfkey_init()
398 {
399 int i, reg_fail;
400
401 if ((lcconf->sock_pfkey = privsep_pfkey_open()) < 0) {
402 plog(LLV_ERROR, LOCATION, NULL,
403 "libipsec failed pfkey open (%s)\n", ipsec_strerror());
404 return -1;
405 }
406
407 for (i = 0, reg_fail = 0; i < pfkey_nsatypes; i++) {
408 plog(LLV_DEBUG, LOCATION, NULL,
409 "call pfkey_send_register for %s\n",
410 pfkey_satypes[i].ps_name);
411 if (pfkey_send_register(lcconf->sock_pfkey,
412 pfkey_satypes[i].ps_satype) < 0 ||
413 pfkey_recv_register(lcconf->sock_pfkey) < 0) {
414 plog(LLV_WARNING, LOCATION, NULL,
415 "failed to register %s (%s)\n",
416 pfkey_satypes[i].ps_name,
417 ipsec_strerror());
418 reg_fail++;
419 }
420 }
421
422 if (reg_fail == pfkey_nsatypes) {
423 plog(LLV_ERROR, LOCATION, NULL,
424 "failed to regist any protocol.\n");
425 pfkey_close(lcconf->sock_pfkey);
426 return -1;
427 }
428
429 initsp();
430
431 if (pfkey_send_spddump(lcconf->sock_pfkey) < 0) {
432 plog(LLV_ERROR, LOCATION, NULL,
433 "libipsec sending spddump failed: %s\n",
434 ipsec_strerror());
435 pfkey_close(lcconf->sock_pfkey);
436 return -1;
437 }
438 #if 0
439 if (pfkey_promisc_toggle(1) < 0) {
440 pfkey_close(lcconf->sock_pfkey);
441 return -1;
442 }
443 #endif
444 return 0;
445 }
446
447 /* %%% for conversion */
448 /* IPSECDOI_ATTR_AUTH -> SADB_AALG */
449 static u_int
450 ipsecdoi2pfkey_aalg(hashtype)
451 u_int hashtype;
452 {
453 switch (hashtype) {
454 case IPSECDOI_ATTR_AUTH_HMAC_MD5:
455 return SADB_AALG_MD5HMAC;
456 case IPSECDOI_ATTR_AUTH_HMAC_SHA1:
457 return SADB_AALG_SHA1HMAC;
458 case IPSECDOI_ATTR_AUTH_HMAC_SHA2_256:
459 #if (defined SADB_X_AALG_SHA2_256) && !defined(SADB_X_AALG_SHA2_256HMAC)
460 return SADB_X_AALG_SHA2_256;
461 #else
462 return SADB_X_AALG_SHA2_256HMAC;
463 #endif
464 case IPSECDOI_ATTR_AUTH_HMAC_SHA2_384:
465 #if (defined SADB_X_AALG_SHA2_384) && !defined(SADB_X_AALG_SHA2_384HMAC)
466 return SADB_X_AALG_SHA2_384;
467 #else
468 return SADB_X_AALG_SHA2_384HMAC;
469 #endif
470 case IPSECDOI_ATTR_AUTH_HMAC_SHA2_512:
471 #if (defined SADB_X_AALG_SHA2_512) && !defined(SADB_X_AALG_SHA2_512HMAC)
472 return SADB_X_AALG_SHA2_512;
473 #else
474 return SADB_X_AALG_SHA2_512HMAC;
475 #endif
476 case IPSECDOI_ATTR_AUTH_KPDK: /* need special care */
477 return SADB_AALG_NONE;
478
479 /* not supported */
480 case IPSECDOI_ATTR_AUTH_DES_MAC:
481 plog(LLV_ERROR, LOCATION, NULL,
482 "Not supported hash type: %u\n", hashtype);
483 return ~0;
484
485 case 0: /* reserved */
486 default:
487 return SADB_AALG_NONE;
488
489 plog(LLV_ERROR, LOCATION, NULL,
490 "Invalid hash type: %u\n", hashtype);
491 return ~0;
492 }
493 /*NOTREACHED*/
494 }
495
496 /* IPSECDOI_ESP -> SADB_EALG */
497 static u_int
498 ipsecdoi2pfkey_ealg(t_id)
499 u_int t_id;
500 {
501 switch (t_id) {
502 case IPSECDOI_ESP_DES_IV64: /* sa_flags |= SADB_X_EXT_OLD */
503 return SADB_EALG_DESCBC;
504 case IPSECDOI_ESP_DES:
505 return SADB_EALG_DESCBC;
506 case IPSECDOI_ESP_3DES:
507 return SADB_EALG_3DESCBC;
508 #ifdef SADB_X_EALG_RC5CBC
509 case IPSECDOI_ESP_RC5:
510 return SADB_X_EALG_RC5CBC;
511 #endif
512 case IPSECDOI_ESP_CAST:
513 return SADB_X_EALG_CAST128CBC;
514 case IPSECDOI_ESP_BLOWFISH:
515 return SADB_X_EALG_BLOWFISHCBC;
516 case IPSECDOI_ESP_DES_IV32: /* flags |= (SADB_X_EXT_OLD|
517 SADB_X_EXT_IV4B)*/
518 return SADB_EALG_DESCBC;
519 case IPSECDOI_ESP_NULL:
520 return SADB_EALG_NULL;
521 #ifdef SADB_X_EALG_AESCBC
522 case IPSECDOI_ESP_AES:
523 return SADB_X_EALG_AESCBC;
524 #endif
525 #ifdef SADB_X_EALG_TWOFISHCBC
526 case IPSECDOI_ESP_TWOFISH:
527 return SADB_X_EALG_TWOFISHCBC;
528 #endif
529
530 /* not supported */
531 case IPSECDOI_ESP_3IDEA:
532 case IPSECDOI_ESP_IDEA:
533 case IPSECDOI_ESP_RC4:
534 plog(LLV_ERROR, LOCATION, NULL,
535 "Not supported transform: %u\n", t_id);
536 return ~0;
537
538 case 0: /* reserved */
539 default:
540 plog(LLV_ERROR, LOCATION, NULL,
541 "Invalid transform id: %u\n", t_id);
542 return ~0;
543 }
544 /*NOTREACHED*/
545 }
546
547 /* IPCOMP -> SADB_CALG */
548 static u_int
549 ipsecdoi2pfkey_calg(t_id)
550 u_int t_id;
551 {
552 switch (t_id) {
553 case IPSECDOI_IPCOMP_OUI:
554 return SADB_X_CALG_OUI;
555 case IPSECDOI_IPCOMP_DEFLATE:
556 return SADB_X_CALG_DEFLATE;
557 case IPSECDOI_IPCOMP_LZS:
558 return SADB_X_CALG_LZS;
559
560 case 0: /* reserved */
561 default:
562 plog(LLV_ERROR, LOCATION, NULL,
563 "Invalid transform id: %u\n", t_id);
564 return ~0;
565 }
566 /*NOTREACHED*/
567 }
568
569 /* IPSECDOI_PROTO -> SADB_SATYPE */
570 u_int
571 ipsecdoi2pfkey_proto(proto)
572 u_int proto;
573 {
574 switch (proto) {
575 case IPSECDOI_PROTO_IPSEC_AH:
576 return SADB_SATYPE_AH;
577 case IPSECDOI_PROTO_IPSEC_ESP:
578 return SADB_SATYPE_ESP;
579 case IPSECDOI_PROTO_IPCOMP:
580 return SADB_X_SATYPE_IPCOMP;
581
582 default:
583 plog(LLV_ERROR, LOCATION, NULL,
584 "Invalid ipsec_doi proto: %u\n", proto);
585 return ~0;
586 }
587 /*NOTREACHED*/
588 }
589
590 static u_int
591 ipsecdoi2pfkey_alg(algclass, type)
592 u_int algclass, type;
593 {
594 switch (algclass) {
595 case IPSECDOI_ATTR_AUTH:
596 return ipsecdoi2pfkey_aalg(type);
597 case IPSECDOI_PROTO_IPSEC_ESP:
598 return ipsecdoi2pfkey_ealg(type);
599 case IPSECDOI_PROTO_IPCOMP:
600 return ipsecdoi2pfkey_calg(type);
601 default:
602 plog(LLV_ERROR, LOCATION, NULL,
603 "Invalid ipsec_doi algclass: %u\n", algclass);
604 return ~0;
605 }
606 /*NOTREACHED*/
607 }
608
609 /* SADB_SATYPE -> IPSECDOI_PROTO */
610 u_int
611 pfkey2ipsecdoi_proto(satype)
612 u_int satype;
613 {
614 switch (satype) {
615 case SADB_SATYPE_AH:
616 return IPSECDOI_PROTO_IPSEC_AH;
617 case SADB_SATYPE_ESP:
618 return IPSECDOI_PROTO_IPSEC_ESP;
619 case SADB_X_SATYPE_IPCOMP:
620 return IPSECDOI_PROTO_IPCOMP;
621
622 default:
623 plog(LLV_ERROR, LOCATION, NULL,
624 "Invalid pfkey proto: %u\n", satype);
625 return ~0;
626 }
627 /*NOTREACHED*/
628 }
629
630 /* IPSECDOI_ATTR_ENC_MODE -> IPSEC_MODE */
631 u_int
632 ipsecdoi2pfkey_mode(mode)
633 u_int mode;
634 {
635 switch (mode) {
636 case IPSECDOI_ATTR_ENC_MODE_TUNNEL:
637 #ifdef ENABLE_NATT
638 case IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_RFC:
639 case IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_DRAFT:
640 #endif
641 return IPSEC_MODE_TUNNEL;
642 case IPSECDOI_ATTR_ENC_MODE_TRNS:
643 #ifdef ENABLE_NATT
644 case IPSECDOI_ATTR_ENC_MODE_UDPTRNS_RFC:
645 case IPSECDOI_ATTR_ENC_MODE_UDPTRNS_DRAFT:
646 #endif
647 return IPSEC_MODE_TRANSPORT;
648 default:
649 plog(LLV_ERROR, LOCATION, NULL, "Invalid mode type: %u\n", mode);
650 return ~0;
651 }
652 /*NOTREACHED*/
653 }
654
655 /* IPSECDOI_ATTR_ENC_MODE -> IPSEC_MODE */
656 u_int
657 pfkey2ipsecdoi_mode(mode)
658 u_int mode;
659 {
660 switch (mode) {
661 case IPSEC_MODE_TUNNEL:
662 return IPSECDOI_ATTR_ENC_MODE_TUNNEL;
663 case IPSEC_MODE_TRANSPORT:
664 return IPSECDOI_ATTR_ENC_MODE_TRNS;
665 case IPSEC_MODE_ANY:
666 return IPSECDOI_ATTR_ENC_MODE_ANY;
667 default:
668 plog(LLV_ERROR, LOCATION, NULL, "Invalid mode type: %u\n", mode);
669 return ~0;
670 }
671 /*NOTREACHED*/
672 }
673
674 /* default key length for encryption algorithm */
675 static u_int
676 keylen_aalg(hashtype)
677 u_int hashtype;
678 {
679 int res;
680
681 if (hashtype == 0)
682 return SADB_AALG_NONE;
683
684 res = alg_ipsec_hmacdef_hashlen(hashtype);
685 if (res == -1) {
686 plog(LLV_ERROR, LOCATION, NULL,
687 "invalid hmac algorithm %u.\n", hashtype);
688 return ~0;
689 }
690 return res;
691 }
692
693 /* default key length for encryption algorithm */
694 static u_int
695 keylen_ealg(enctype, encklen)
696 u_int enctype;
697 int encklen;
698 {
699 int res;
700
701 res = alg_ipsec_encdef_keylen(enctype, encklen);
702 if (res == -1) {
703 plog(LLV_ERROR, LOCATION, NULL,
704 "invalid encryption algorithm %u.\n", enctype);
705 return ~0;
706 }
707 return res;
708 }
709
710 int
711 pfkey_convertfromipsecdoi(proto_id, t_id, hashtype,
712 e_type, e_keylen, a_type, a_keylen, flags)
713 u_int proto_id;
714 u_int t_id;
715 u_int hashtype;
716 u_int *e_type;
717 u_int *e_keylen;
718 u_int *a_type;
719 u_int *a_keylen;
720 u_int *flags;
721 {
722 *flags = 0;
723 switch (proto_id) {
724 case IPSECDOI_PROTO_IPSEC_ESP:
725 if ((*e_type = ipsecdoi2pfkey_ealg(t_id)) == ~0)
726 goto bad;
727 if ((*e_keylen = keylen_ealg(t_id, *e_keylen)) == ~0)
728 goto bad;
729 *e_keylen >>= 3;
730
731 if ((*a_type = ipsecdoi2pfkey_aalg(hashtype)) == ~0)
732 goto bad;
733 if ((*a_keylen = keylen_aalg(hashtype)) == ~0)
734 goto bad;
735 *a_keylen >>= 3;
736
737 if (*e_type == SADB_EALG_NONE) {
738 plog(LLV_ERROR, LOCATION, NULL, "no ESP algorithm.\n");
739 goto bad;
740 }
741 break;
742
743 case IPSECDOI_PROTO_IPSEC_AH:
744 if ((*a_type = ipsecdoi2pfkey_aalg(hashtype)) == ~0)
745 goto bad;
746 if ((*a_keylen = keylen_aalg(hashtype)) == ~0)
747 goto bad;
748 *a_keylen >>= 3;
749
750 if (t_id == IPSECDOI_ATTR_AUTH_HMAC_MD5
751 && hashtype == IPSECDOI_ATTR_AUTH_KPDK) {
752 /* AH_MD5 + Auth(KPDK) = RFC1826 keyed-MD5 */
753 *a_type = SADB_X_AALG_MD5;
754 *flags |= SADB_X_EXT_OLD;
755 }
756 *e_type = SADB_EALG_NONE;
757 *e_keylen = 0;
758 if (*a_type == SADB_AALG_NONE) {
759 plog(LLV_ERROR, LOCATION, NULL, "no AH algorithm.\n");
760 goto bad;
761 }
762 break;
763
764 case IPSECDOI_PROTO_IPCOMP:
765 if ((*e_type = ipsecdoi2pfkey_calg(t_id)) == ~0)
766 goto bad;
767 *e_keylen = 0;
768
769 *flags = SADB_X_EXT_RAWCPI;
770
771 *a_type = SADB_AALG_NONE;
772 *a_keylen = 0;
773 if (*e_type == SADB_X_CALG_NONE) {
774 plog(LLV_ERROR, LOCATION, NULL, "no IPCOMP algorithm.\n");
775 goto bad;
776 }
777 break;
778
779 default:
780 plog(LLV_ERROR, LOCATION, NULL, "unknown IPsec protocol.\n");
781 goto bad;
782 }
783
784 return 0;
785
786 bad:
787 errno = EINVAL;
788 return -1;
789 }
790
791 /* called from scheduler */
792 void
793 pfkey_timeover_stub(p)
794 void *p;
795 {
796
797 pfkey_timeover((struct ph2handle *)p);
798 }
799
800 void
801 pfkey_timeover(iph2)
802 struct ph2handle *iph2;
803 {
804 plog(LLV_ERROR, LOCATION, NULL,
805 "%s give up to get IPsec-SA due to time up to wait.\n",
806 saddrwop2str(iph2->dst));
807 SCHED_KILL(iph2->sce);
808
809 /* If initiator side, send error to kernel by SADB_ACQUIRE. */
810 if (iph2->side == INITIATOR)
811 pk_sendeacquire(iph2);
812
813 unbindph12(iph2);
814 remph2(iph2);
815 delph2(iph2);
816
817 return;
818 }
819
820 /*%%%*/
821 /* send getspi message per ipsec protocol per remote address */
822 /*
823 * the local address and remote address in ph1handle are dealed
824 * with destination address and source address respectively.
825 * Because SPI is decided by responder.
826 */
827 int
828 pk_sendgetspi(iph2)
829 struct ph2handle *iph2;
830 {
831 struct sockaddr *src = NULL, *dst = NULL;
832 u_int satype, mode;
833 struct saprop *pp;
834 struct saproto *pr;
835 u_int32_t minspi, maxspi;
836 int proxy = 0;
837
838 if (iph2->side == INITIATOR) {
839 pp = iph2->proposal;
840 proxy = iph2->ph1->rmconf->support_proxy;
841 } else {
842 pp = iph2->approval;
843 if (iph2->sainfo && iph2->sainfo->id_i)
844 proxy = 1;
845 }
846
847 /* for mobile IPv6 */
848 if (proxy && iph2->src_id && iph2->dst_id &&
849 ipsecdoi_transportmode(pp)) {
850 src = iph2->src_id;
851 dst = iph2->dst_id;
852 } else {
853 src = iph2->src;
854 dst = iph2->dst;
855 }
856
857 for (pr = pp->head; pr != NULL; pr = pr->next) {
858
859 /* validity check */
860 satype = ipsecdoi2pfkey_proto(pr->proto_id);
861 if (satype == ~0) {
862 plog(LLV_ERROR, LOCATION, NULL,
863 "invalid proto_id %d\n", pr->proto_id);
864 return -1;
865 }
866 /* this works around a bug in Linux kernel where it allocates 4 byte
867 spi's for IPCOMP */
868 else if (satype == SADB_X_SATYPE_IPCOMP) {
869 minspi = 0x100;
870 maxspi = 0xffff;
871 }
872 else {
873 minspi = 0;
874 maxspi = 0;
875 }
876 mode = ipsecdoi2pfkey_mode(pr->encmode);
877 if (mode == ~0) {
878 plog(LLV_ERROR, LOCATION, NULL,
879 "invalid encmode %d\n", pr->encmode);
880 return -1;
881 }
882
883 plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_getspi\n");
884 if (pfkey_send_getspi(
885 lcconf->sock_pfkey,
886 satype,
887 mode,
888 dst, /* src of SA */
889 src, /* dst of SA */
890 minspi, maxspi,
891 pr->reqid_in, iph2->seq) < 0) {
892 plog(LLV_ERROR, LOCATION, NULL,
893 "ipseclib failed send getspi (%s)\n",
894 ipsec_strerror());
895 return -1;
896 }
897 plog(LLV_DEBUG, LOCATION, NULL,
898 "pfkey GETSPI sent: %s\n",
899 sadbsecas2str(dst, src, satype, 0, mode));
900 }
901
902 return 0;
903 }
904
905 /*
906 * receive GETSPI from kernel.
907 */
908 static int
909 pk_recvgetspi(mhp)
910 caddr_t *mhp;
911 {
912 struct sadb_msg *msg;
913 struct sadb_sa *sa;
914 struct ph2handle *iph2;
915 struct sockaddr *dst;
916 int proto_id;
917 int allspiok, notfound;
918 struct saprop *pp;
919 struct saproto *pr;
920
921 /* validity check */
922 if (mhp[SADB_EXT_SA] == NULL
923 || mhp[SADB_EXT_ADDRESS_DST] == NULL) {
924 plog(LLV_ERROR, LOCATION, NULL,
925 "inappropriate sadb getspi message passed.\n");
926 return -1;
927 }
928 msg = (struct sadb_msg *)mhp[0];
929 sa = (struct sadb_sa *)mhp[SADB_EXT_SA];
930 dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]); /* note SA dir */
931
932 /* the message has to be processed or not ? */
933 if (msg->sadb_msg_pid != getpid()) {
934 plog(LLV_DEBUG, LOCATION, NULL,
935 "%s message is not interesting "
936 "because pid %d is not mine.\n",
937 s_pfkey_type(msg->sadb_msg_type),
938 msg->sadb_msg_pid);
939 return -1;
940 }
941
942 iph2 = getph2byseq(msg->sadb_msg_seq);
943 if (iph2 == NULL) {
944 plog(LLV_DEBUG, LOCATION, NULL,
945 "seq %d of %s message not interesting.\n",
946 msg->sadb_msg_seq,
947 s_pfkey_type(msg->sadb_msg_type));
948 return -1;
949 }
950
951 if (iph2->status != PHASE2ST_GETSPISENT) {
952 plog(LLV_ERROR, LOCATION, NULL,
953 "status mismatch (db:%d msg:%d)\n",
954 iph2->status, PHASE2ST_GETSPISENT);
955 return -1;
956 }
957
958 /* set SPI, and check to get all spi whether or not */
959 allspiok = 1;
960 notfound = 1;
961 proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype);
962 pp = iph2->side == INITIATOR ? iph2->proposal : iph2->approval;
963
964 for (pr = pp->head; pr != NULL; pr = pr->next) {
965 if (pr->proto_id == proto_id && pr->spi == 0) {
966 pr->spi = sa->sadb_sa_spi;
967 notfound = 0;
968 plog(LLV_DEBUG, LOCATION, NULL,
969 "pfkey GETSPI succeeded: %s\n",
970 sadbsecas2str(iph2->dst, iph2->src,
971 msg->sadb_msg_satype,
972 sa->sadb_sa_spi,
973 ipsecdoi2pfkey_mode(pr->encmode)));
974 }
975 if (pr->spi == 0)
976 allspiok = 0; /* not get all spi */
977 }
978
979 if (notfound) {
980 plog(LLV_ERROR, LOCATION, NULL,
981 "get spi for unknown address %s\n",
982 saddrwop2str(iph2->dst));
983 return -1;
984 }
985
986 if (allspiok) {
987 /* update status */
988 iph2->status = PHASE2ST_GETSPIDONE;
989 if (isakmp_post_getspi(iph2) < 0) {
990 plog(LLV_ERROR, LOCATION, NULL,
991 "failed to start post getspi.\n");
992 unbindph12(iph2);
993 remph2(iph2);
994 delph2(iph2);
995 iph2 = NULL;
996 return -1;
997 }
998 }
999
1000 return 0;
1001 }
1002
1003 /*
1004 * set inbound SA
1005 */
1006 int
1007 pk_sendupdate(iph2)
1008 struct ph2handle *iph2;
1009 {
1010 struct saproto *pr;
1011 struct sockaddr *src = NULL, *dst = NULL;
1012 u_int e_type, e_keylen, a_type, a_keylen, flags;
1013 u_int satype, mode;
1014 u_int64_t lifebyte = 0;
1015 u_int wsize = 4; /* XXX static size of window */
1016 int proxy = 0;
1017 struct ph2natt natt;
1018
1019 /* sanity check */
1020 if (iph2->approval == NULL) {
1021 plog(LLV_ERROR, LOCATION, NULL,
1022 "no approvaled SAs found.\n");
1023 }
1024
1025 if (iph2->side == INITIATOR)
1026 proxy = iph2->ph1->rmconf->support_proxy;
1027 else if (iph2->sainfo && iph2->sainfo->id_i)
1028 proxy = 1;
1029
1030 /* for mobile IPv6 */
1031 if (proxy && iph2->src_id && iph2->dst_id &&
1032 ipsecdoi_transportmode(iph2->approval)) {
1033 src = iph2->src_id;
1034 dst = iph2->dst_id;
1035 } else {
1036 src = iph2->src;
1037 dst = iph2->dst;
1038 }
1039
1040 for (pr = iph2->approval->head; pr != NULL; pr = pr->next) {
1041 /* validity check */
1042 satype = ipsecdoi2pfkey_proto(pr->proto_id);
1043 if (satype == ~0) {
1044 plog(LLV_ERROR, LOCATION, NULL,
1045 "invalid proto_id %d\n", pr->proto_id);
1046 return -1;
1047 }
1048 else if (satype == SADB_X_SATYPE_IPCOMP) {
1049 /* IPCOMP has no replay window */
1050 wsize = 0;
1051 }
1052 #ifdef ENABLE_SAMODE_UNSPECIFIED
1053 mode = IPSEC_MODE_ANY;
1054 #else
1055 mode = ipsecdoi2pfkey_mode(pr->encmode);
1056 if (mode == ~0) {
1057 plog(LLV_ERROR, LOCATION, NULL,
1058 "invalid encmode %d\n", pr->encmode);
1059 return -1;
1060 }
1061 #endif
1062
1063 /* set algorithm type and key length */
1064 e_keylen = pr->head->encklen;
1065 if (pfkey_convertfromipsecdoi(
1066 pr->proto_id,
1067 pr->head->trns_id,
1068 pr->head->authtype,
1069 &e_type, &e_keylen,
1070 &a_type, &a_keylen, &flags) < 0)
1071 return -1;
1072
1073 #if 0
1074 lifebyte = iph2->approval->lifebyte * 1024,
1075 #else
1076 lifebyte = 0;
1077 #endif
1078
1079 #ifdef __APPLE__
1080 #ifdef ENABLE_NATT
1081 plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_update\n");
1082 if (pr->udp_encap) {
1083 memset (&natt, 0, sizeof (natt));
1084 natt.sport = extract_port (iph2->ph1->remote);
1085 flags |= SADB_X_EXT_NATT;
1086 if (iph2->ph1->natt_flags & NAT_DETECTED_ME)
1087 flags |= SADB_X_EXT_NATT_KEEPALIVE;
1088 else if (iph2->ph1->rmconf->natt_multiple_user == TRUE &&
1089 mode == IPSEC_MODE_TRANSPORT &&
1090 src->sa_family == AF_INET)
1091 flags |= SADB_X_EXT_NATT_MULTIPLEUSERS;
1092 } else {
1093 memset (&natt, 0, sizeof (natt));
1094 }
1095
1096 if (pfkey_send_update(
1097 lcconf->sock_pfkey,
1098 satype,
1099 mode,
1100 dst,
1101 src,
1102 pr->spi,
1103 pr->reqid_in,
1104 wsize,
1105 pr->keymat->v,
1106 e_type, e_keylen, a_type, a_keylen, flags,
1107 0, lifebyte, iph2->approval->lifetime, 0,
1108 iph2->seq, natt.sport) < 0) {
1109 plog(LLV_ERROR, LOCATION, NULL,
1110 "libipsec failed send update (%s)\n",
1111 ipsec_strerror());
1112 return -1;
1113 }
1114 #else
1115 plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_update\n");
1116 if (pfkey_send_update(
1117 lcconf->sock_pfkey,
1118 satype,
1119 mode,
1120 dst,
1121 src,
1122 pr->spi,
1123 pr->reqid_in,
1124 wsize,
1125 pr->keymat->v,
1126 e_type, e_keylen, a_type, a_keylen, flags,
1127 0, lifebyte, iph2->approval->lifetime, 0,
1128 iph2->seq, 0) < 0) {
1129 plog(LLV_ERROR, LOCATION, NULL,
1130 "libipsec failed send update (%s)\n",
1131 ipsec_strerror());
1132 return -1;
1133 }
1134 #endif /* ENABLE_NATT */
1135 #else
1136 #ifdef ENABLE_NATT
1137 plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_update_nat\n");
1138 if (pr->udp_encap) {
1139 memset (&natt, 0, sizeof (natt));
1140 natt.type = iph2->ph1->natt_options->encaps_type;
1141 natt.sport = extract_port (iph2->ph1->remote);
1142 natt.dport = extract_port (iph2->ph1->local);
1143 natt.oa = NULL; // FIXME: Here comes OA!!!
1144 natt.frag = iph2->ph1->rmconf->esp_frag;
1145 } else {
1146 memset (&natt, 0, sizeof (natt));
1147 }
1148
1149 if (pfkey_send_update_nat(
1150 lcconf->sock_pfkey,
1151 satype,
1152 mode,
1153 dst,
1154 src,
1155 pr->spi,
1156 pr->reqid_in,
1157 wsize,
1158 pr->keymat->v,
1159 e_type, e_keylen, a_type, a_keylen, flags,
1160 0, lifebyte, iph2->approval->lifetime, 0,
1161 iph2->seq,
1162 natt.type, natt.sport, natt.dport, natt.oa,
1163 natt.frag) < 0) {
1164 plog(LLV_ERROR, LOCATION, NULL,
1165 "libipsec failed send update_nat (%s)\n",
1166 ipsec_strerror());
1167 return -1;
1168 }
1169 #else
1170 plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_update\n");
1171 if (pfkey_send_update(
1172 lcconf->sock_pfkey,
1173 satype,
1174 mode,
1175 dst,
1176 src,
1177 pr->spi,
1178 pr->reqid_in,
1179 wsize,
1180 pr->keymat->v,
1181 e_type, e_keylen, a_type, a_keylen, flags,
1182 0, lifebyte, iph2->approval->lifetime, 0,
1183 iph2->seq) < 0) {
1184 plog(LLV_ERROR, LOCATION, NULL,
1185 "libipsec failed send update (%s)\n",
1186 ipsec_strerror());
1187 return -1;
1188 }
1189 #endif /* ENABLE_NATT */
1190 #endif /* __APPLE__ */
1191
1192 if (!lcconf->pathinfo[LC_PATHTYPE_BACKUPSA])
1193 continue;
1194
1195 /*
1196 * It maybe good idea to call backupsa_to_file() after
1197 * racoon will receive the sadb_update messages.
1198 * But it is impossible because there is not key in the
1199 * information from the kernel.
1200 */
1201 if (backupsa_to_file(satype, mode, dst, src,
1202 pr->spi, pr->reqid_in, 4,
1203 pr->keymat->v,
1204 e_type, e_keylen, a_type, a_keylen, flags,
1205 0, iph2->approval->lifebyte * 1024,
1206 iph2->approval->lifetime, 0,
1207 iph2->seq) < 0) {
1208 plog(LLV_ERROR, LOCATION, NULL,
1209 "backuped SA failed: %s\n",
1210 sadbsecas2str(dst, src,
1211 satype, pr->spi, mode));
1212 }
1213 plog(LLV_DEBUG, LOCATION, NULL,
1214 "backuped SA: %s\n",
1215 sadbsecas2str(dst, src,
1216 satype, pr->spi, mode));
1217 }
1218
1219 return 0;
1220 }
1221
1222 static int
1223 pk_recvupdate(mhp)
1224 caddr_t *mhp;
1225 {
1226 struct sadb_msg *msg;
1227 struct sadb_sa *sa;
1228 struct sockaddr *src, *dst;
1229 struct ph2handle *iph2;
1230 u_int proto_id, encmode, sa_mode;
1231 int incomplete = 0;
1232 struct saproto *pr;
1233
1234 /* ignore this message because of local test mode. */
1235 if (f_local)
1236 return 0;
1237
1238 /* sanity check */
1239 if (mhp[0] == NULL
1240 || mhp[SADB_EXT_SA] == NULL
1241 || mhp[SADB_EXT_ADDRESS_SRC] == NULL
1242 || mhp[SADB_EXT_ADDRESS_DST] == NULL) {
1243 plog(LLV_ERROR, LOCATION, NULL,
1244 "inappropriate sadb update message passed.\n");
1245 return -1;
1246 }
1247 msg = (struct sadb_msg *)mhp[0];
1248 src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
1249 dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
1250 sa = (struct sadb_sa *)mhp[SADB_EXT_SA];
1251
1252 sa_mode = mhp[SADB_X_EXT_SA2] == NULL
1253 ? IPSEC_MODE_ANY
1254 : ((struct sadb_x_sa2 *)mhp[SADB_X_EXT_SA2])->sadb_x_sa2_mode;
1255
1256 /* the message has to be processed or not ? */
1257 if (msg->sadb_msg_pid != getpid()) {
1258 plog(LLV_DEBUG, LOCATION, NULL,
1259 "%s message is not interesting "
1260 "because pid %d is not mine.\n",
1261 s_pfkey_type(msg->sadb_msg_type),
1262 msg->sadb_msg_pid);
1263 return -1;
1264 }
1265
1266 iph2 = getph2byseq(msg->sadb_msg_seq);
1267 if (iph2 == NULL) {
1268 plog(LLV_DEBUG, LOCATION, NULL,
1269 "seq %d of %s message not interesting.\n",
1270 msg->sadb_msg_seq,
1271 s_pfkey_type(msg->sadb_msg_type));
1272 return -1;
1273 }
1274
1275 if (iph2->status != PHASE2ST_ADDSA) {
1276 plog(LLV_ERROR, LOCATION, NULL,
1277 "status mismatch (db:%d msg:%d)\n",
1278 iph2->status, PHASE2ST_ADDSA);
1279 return -1;
1280 }
1281
1282 /* check to complete all keys ? */
1283 for (pr = iph2->approval->head; pr != NULL; pr = pr->next) {
1284 proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype);
1285 if (proto_id == ~0) {
1286 plog(LLV_ERROR, LOCATION, NULL,
1287 "invalid proto_id %d\n", msg->sadb_msg_satype);
1288 return -1;
1289 }
1290 encmode = pfkey2ipsecdoi_mode(sa_mode);
1291 if (encmode == ~0) {
1292 plog(LLV_ERROR, LOCATION, NULL,
1293 "invalid encmode %d\n", sa_mode);
1294 return -1;
1295 }
1296
1297 if (pr->proto_id == proto_id
1298 && pr->spi == sa->sadb_sa_spi) {
1299 pr->ok = 1;
1300 plog(LLV_DEBUG, LOCATION, NULL,
1301 "pfkey UPDATE succeeded: %s\n",
1302 sadbsecas2str(iph2->dst, iph2->src,
1303 msg->sadb_msg_satype,
1304 sa->sadb_sa_spi,
1305 sa_mode));
1306
1307 plog(LLV_INFO, LOCATION, NULL,
1308 "IPsec-SA established: %s\n",
1309 sadbsecas2str(iph2->dst, iph2->src,
1310 msg->sadb_msg_satype, sa->sadb_sa_spi,
1311 sa_mode));
1312 }
1313
1314 if (pr->ok == 0)
1315 incomplete = 1;
1316 }
1317
1318 if (incomplete)
1319 return 0;
1320
1321 /* turn off the timer for calling pfkey_timeover() */
1322 SCHED_KILL(iph2->sce);
1323
1324 /* update status */
1325 iph2->status = PHASE2ST_ESTABLISHED;
1326
1327 #ifdef ENABLE_STATS
1328 gettimeofday(&iph2->end, NULL);
1329 syslog(LOG_NOTICE, "%s(%s): %8.6f",
1330 "phase2", "quick", timedelta(&iph2->start, &iph2->end));
1331 #endif
1332
1333 /* count up */
1334 iph2->ph1->ph2cnt++;
1335
1336 /* turn off schedule */
1337 if (iph2->scr)
1338 SCHED_KILL(iph2->scr);
1339
1340 /*
1341 * since we are going to reuse the phase2 handler, we need to
1342 * remain it and refresh all the references between ph1 and ph2 to use.
1343 */
1344 unbindph12(iph2);
1345
1346 iph2->sce = sched_new(iph2->approval->lifetime,
1347 isakmp_ph2expire_stub, iph2);
1348
1349 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
1350 return 0;
1351 }
1352
1353 /*
1354 * set outbound SA
1355 */
1356 int
1357 pk_sendadd(iph2)
1358 struct ph2handle *iph2;
1359 {
1360 struct saproto *pr;
1361 struct sockaddr *src = NULL, *dst = NULL;
1362 u_int e_type, e_keylen, a_type, a_keylen, flags;
1363 u_int satype, mode;
1364 u_int64_t lifebyte = 0;
1365 u_int wsize = 4; /* XXX static size of window */
1366 int proxy = 0;
1367 struct ph2natt natt;
1368
1369 /* sanity check */
1370 if (iph2->approval == NULL) {
1371 plog(LLV_ERROR, LOCATION, NULL,
1372 "no approvaled SAs found.\n");
1373 }
1374
1375 if (iph2->side == INITIATOR)
1376 proxy = iph2->ph1->rmconf->support_proxy;
1377 else if (iph2->sainfo && iph2->sainfo->id_i)
1378 proxy = 1;
1379
1380 /* for mobile IPv6 */
1381 if (proxy && iph2->src_id && iph2->dst_id &&
1382 ipsecdoi_transportmode(iph2->approval)) {
1383 src = iph2->src_id;
1384 dst = iph2->dst_id;
1385 } else {
1386 src = iph2->src;
1387 dst = iph2->dst;
1388 }
1389
1390 for (pr = iph2->approval->head; pr != NULL; pr = pr->next) {
1391 /* validity check */
1392 satype = ipsecdoi2pfkey_proto(pr->proto_id);
1393 if (satype == ~0) {
1394 plog(LLV_ERROR, LOCATION, NULL,
1395 "invalid proto_id %d\n", pr->proto_id);
1396 return -1;
1397 }
1398 else if (satype == SADB_X_SATYPE_IPCOMP) {
1399 /* no replay window for IPCOMP */
1400 wsize = 0;
1401 }
1402 #ifdef ENABLE_SAMODE_UNSPECIFIED
1403 mode = IPSEC_MODE_ANY;
1404 #else
1405 mode = ipsecdoi2pfkey_mode(pr->encmode);
1406 if (mode == ~0) {
1407 plog(LLV_ERROR, LOCATION, NULL,
1408 "invalid encmode %d\n", pr->encmode);
1409 return -1;
1410 }
1411 #endif
1412
1413 /* set algorithm type and key length */
1414 e_keylen = pr->head->encklen;
1415 if (pfkey_convertfromipsecdoi(
1416 pr->proto_id,
1417 pr->head->trns_id,
1418 pr->head->authtype,
1419 &e_type, &e_keylen,
1420 &a_type, &a_keylen, &flags) < 0)
1421 return -1;
1422
1423 #if 0
1424 lifebyte = iph2->approval->lifebyte * 1024,
1425 #else
1426 lifebyte = 0;
1427 #endif
1428
1429 #ifdef __APPLE__
1430 #ifdef ENABLE_NATT
1431 plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_add\n");
1432
1433 if (pr->udp_encap) {
1434 memset (&natt, 0, sizeof (natt));
1435 natt.dport = extract_port (iph2->ph1->remote);
1436 flags |= SADB_X_EXT_NATT;
1437 if (iph2->ph1->natt_flags & NAT_DETECTED_ME)
1438 flags |= SADB_X_EXT_NATT_KEEPALIVE;
1439 else if (iph2->ph1->rmconf->natt_multiple_user == TRUE &&
1440 mode == IPSEC_MODE_TRANSPORT &&
1441 dst->sa_family == AF_INET)
1442 flags |= SADB_X_EXT_NATT_MULTIPLEUSERS;
1443 } else {
1444 memset (&natt, 0, sizeof (natt));
1445
1446 /* Remove port information, that SA doesn't use it */
1447 //set_port(src, 0);
1448 //set_port(dst, 0);
1449 }
1450
1451 if (pfkey_send_add(
1452 lcconf->sock_pfkey,
1453 satype,
1454 mode,
1455 src,
1456 dst,
1457 pr->spi_p,
1458 pr->reqid_out,
1459 wsize,
1460 pr->keymat_p->v,
1461 e_type, e_keylen, a_type, a_keylen, flags,
1462 0, lifebyte, iph2->approval->lifetime, 0,
1463 iph2->seq,natt.dport) < 0) {
1464 plog(LLV_ERROR, LOCATION, NULL,
1465 "libipsec failed send add (%s)\n",
1466 ipsec_strerror());
1467 return -1;
1468 }
1469 #else
1470 plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_add\n");
1471
1472 /* Remove port information, it is not used without NAT-T */
1473 //set_port(src, 0);
1474 //set_port(dst, 0);
1475
1476 if (pfkey_send_add(
1477 lcconf->sock_pfkey,
1478 satype,
1479 mode,
1480 src,
1481 dst,
1482 pr->spi_p,
1483 pr->reqid_out,
1484 wsize,
1485 pr->keymat_p->v,
1486 e_type, e_keylen, a_type, a_keylen, flags,
1487 0, lifebyte, iph2->approval->lifetime, 0,
1488 iph2->seq, 0) < 0) {
1489 plog(LLV_ERROR, LOCATION, NULL,
1490 "libipsec failed send add (%s)\n",
1491 ipsec_strerror());
1492 return -1;
1493 }
1494 #endif /* ENABLE_NATT */
1495 #else /* __APPLE__ */
1496 #ifdef ENABLE_NATT
1497 plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_add_nat\n");
1498
1499 if (pr->udp_encap) {
1500 memset (&natt, 0, sizeof (natt));
1501 natt.type = UDP_ENCAP_ESPINUDP;
1502 natt.sport = extract_port (iph2->ph1->local);
1503 natt.dport = extract_port (iph2->ph1->remote);
1504 natt.oa = NULL; // FIXME: Here comes OA!!!
1505 natt.frag = iph2->ph1->rmconf->esp_frag;
1506 } else {
1507 memset (&natt, 0, sizeof (natt));
1508
1509 /* Remove port information, that SA doesn't use it */
1510 set_port(src, 0);
1511 set_port(dst, 0);
1512 }
1513
1514 if (pfkey_send_add_nat(
1515 lcconf->sock_pfkey,
1516 satype,
1517 mode,
1518 src,
1519 dst,
1520 pr->spi_p,
1521 pr->reqid_out,
1522 wsize,
1523 pr->keymat_p->v,
1524 e_type, e_keylen, a_type, a_keylen, flags,
1525 0, lifebyte, iph2->approval->lifetime, 0,
1526 iph2->seq,
1527 natt.type, natt.sport, natt.dport, natt.oa,
1528 natt.frag) < 0) {
1529 plog(LLV_ERROR, LOCATION, NULL,
1530 "libipsec failed send add_nat (%s)\n",
1531 ipsec_strerror());
1532 return -1;
1533 }
1534 #else
1535 plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_add\n");
1536
1537 /* Remove port information, it is not used without NAT-T */
1538 set_port(src, 0);
1539 set_port(dst, 0);
1540
1541 if (pfkey_send_add(
1542 lcconf->sock_pfkey,
1543 satype,
1544 mode,
1545 src,
1546 dst,
1547 pr->spi_p,
1548 pr->reqid_out,
1549 wsize,
1550 pr->keymat_p->v,
1551 e_type, e_keylen, a_type, a_keylen, flags,
1552 0, lifebyte, iph2->approval->lifetime, 0,
1553 iph2->seq) < 0) {
1554 plog(LLV_ERROR, LOCATION, NULL,
1555 "libipsec failed send add (%s)\n",
1556 ipsec_strerror());
1557 return -1;
1558 }
1559 #endif /* ENABLE_NATT */
1560 #endif /* __APPLE__ */
1561
1562 if (!lcconf->pathinfo[LC_PATHTYPE_BACKUPSA])
1563 continue;
1564
1565 /*
1566 * It maybe good idea to call backupsa_to_file() after
1567 * racoon will receive the sadb_update messages.
1568 * But it is impossible because there is not key in the
1569 * information from the kernel.
1570 */
1571 if (backupsa_to_file(satype, mode, src, dst,
1572 pr->spi_p, pr->reqid_out, 4,
1573 pr->keymat_p->v,
1574 e_type, e_keylen, a_type, a_keylen, flags,
1575 0, iph2->approval->lifebyte * 1024,
1576 iph2->approval->lifetime, 0,
1577 iph2->seq) < 0) {
1578 plog(LLV_ERROR, LOCATION, NULL,
1579 "backuped SA failed: %s\n",
1580 sadbsecas2str(src, dst,
1581 satype, pr->spi_p, mode));
1582 }
1583 plog(LLV_DEBUG, LOCATION, NULL,
1584 "backuped SA: %s\n",
1585 sadbsecas2str(src, dst,
1586 satype, pr->spi_p, mode));
1587 }
1588
1589 return 0;
1590 }
1591
1592 static int
1593 pk_recvadd(mhp)
1594 caddr_t *mhp;
1595 {
1596 struct sadb_msg *msg;
1597 struct sadb_sa *sa;
1598 struct sockaddr *src, *dst;
1599 struct ph2handle *iph2;
1600 u_int sa_mode;
1601
1602 /* ignore this message because of local test mode. */
1603 if (f_local)
1604 return 0;
1605
1606 /* sanity check */
1607 if (mhp[0] == NULL
1608 || mhp[SADB_EXT_SA] == NULL
1609 || mhp[SADB_EXT_ADDRESS_SRC] == NULL
1610 || mhp[SADB_EXT_ADDRESS_DST] == NULL) {
1611 plog(LLV_ERROR, LOCATION, NULL,
1612 "inappropriate sadb add message passed.\n");
1613 return -1;
1614 }
1615 msg = (struct sadb_msg *)mhp[0];
1616 src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
1617 dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
1618 sa = (struct sadb_sa *)mhp[SADB_EXT_SA];
1619
1620 sa_mode = mhp[SADB_X_EXT_SA2] == NULL
1621 ? IPSEC_MODE_ANY
1622 : ((struct sadb_x_sa2 *)mhp[SADB_X_EXT_SA2])->sadb_x_sa2_mode;
1623
1624 /* the message has to be processed or not ? */
1625 if (msg->sadb_msg_pid != getpid()) {
1626 plog(LLV_DEBUG, LOCATION, NULL,
1627 "%s message is not interesting "
1628 "because pid %d is not mine.\n",
1629 s_pfkey_type(msg->sadb_msg_type),
1630 msg->sadb_msg_pid);
1631 return -1;
1632 }
1633
1634 iph2 = getph2byseq(msg->sadb_msg_seq);
1635 if (iph2 == NULL) {
1636 plog(LLV_DEBUG, LOCATION, NULL,
1637 "seq %d of %s message not interesting.\n",
1638 msg->sadb_msg_seq,
1639 s_pfkey_type(msg->sadb_msg_type));
1640 return -1;
1641 }
1642
1643 /*
1644 * NOTE don't update any status of phase2 handle
1645 * because they must be updated by SADB_UPDATE message
1646 */
1647
1648 plog(LLV_INFO, LOCATION, NULL,
1649 "IPsec-SA established: %s\n",
1650 sadbsecas2str(iph2->src, iph2->dst,
1651 msg->sadb_msg_satype, sa->sadb_sa_spi, sa_mode));
1652
1653 #ifdef ENABLE_VPNCONTROL_PORT
1654 {
1655 u_int32_t address;
1656
1657 if (iph2->dst->sa_family == AF_INET)
1658 address = ((struct sockaddr_in *)iph2->dst)->sin_addr.s_addr;
1659 else
1660 address = 0;
1661 vpncontrol_notify_phase_change(0, FROM_LOCAL, NULL, iph2);
1662 }
1663 #endif
1664
1665 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
1666 return 0;
1667 }
1668
1669 static int
1670 pk_recvexpire(mhp)
1671 caddr_t *mhp;
1672 {
1673 struct sadb_msg *msg;
1674 struct sadb_sa *sa;
1675 struct sockaddr *src, *dst;
1676 struct ph2handle *iph2;
1677 u_int proto_id, sa_mode;
1678
1679 /* sanity check */
1680 if (mhp[0] == NULL
1681 || mhp[SADB_EXT_SA] == NULL
1682 || mhp[SADB_EXT_ADDRESS_SRC] == NULL
1683 || mhp[SADB_EXT_ADDRESS_DST] == NULL
1684 || (mhp[SADB_EXT_LIFETIME_HARD] != NULL
1685 && mhp[SADB_EXT_LIFETIME_SOFT] != NULL)) {
1686 plog(LLV_ERROR, LOCATION, NULL,
1687 "inappropriate sadb expire message passed.\n");
1688 return -1;
1689 }
1690 msg = (struct sadb_msg *)mhp[0];
1691 sa = (struct sadb_sa *)mhp[SADB_EXT_SA];
1692 src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
1693 dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
1694
1695 sa_mode = mhp[SADB_X_EXT_SA2] == NULL
1696 ? IPSEC_MODE_ANY
1697 : ((struct sadb_x_sa2 *)mhp[SADB_X_EXT_SA2])->sadb_x_sa2_mode;
1698
1699 proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype);
1700 if (proto_id == ~0) {
1701 plog(LLV_ERROR, LOCATION, NULL,
1702 "invalid proto_id %d\n", msg->sadb_msg_satype);
1703 return -1;
1704 }
1705
1706 plog(LLV_INFO, LOCATION, NULL,
1707 "IPsec-SA expired: %s\n",
1708 sadbsecas2str(src, dst,
1709 msg->sadb_msg_satype, sa->sadb_sa_spi, sa_mode));
1710
1711 iph2 = getph2bysaidx(src, dst, proto_id, sa->sadb_sa_spi);
1712 if (iph2 == NULL) {
1713 /*
1714 * Ignore it because two expire messages are come up.
1715 * phase2 handler has been deleted already when 2nd message
1716 * is received.
1717 */
1718 plog(LLV_DEBUG, LOCATION, NULL,
1719 "no such a SA found: %s\n",
1720 sadbsecas2str(src, dst,
1721 msg->sadb_msg_satype, sa->sadb_sa_spi,
1722 sa_mode));
1723 return 0;
1724 }
1725 if (iph2->status != PHASE2ST_ESTABLISHED) {
1726 /*
1727 * If the status is not equal to PHASE2ST_ESTABLISHED,
1728 * racoon ignores this expire message. There are two reason.
1729 * One is that the phase 2 probably starts because there is
1730 * a potential that racoon receives the acquire message
1731 * without receiving a expire message. Another is that racoon
1732 * may receive the multiple expire messages from the kernel.
1733 */
1734 plog(LLV_WARNING, LOCATION, NULL,
1735 "the expire message is received "
1736 "but the handler has not been established.\n");
1737 return 0;
1738 }
1739
1740 /* turn off the timer for calling isakmp_ph2expire() */
1741 SCHED_KILL(iph2->sce);
1742
1743 iph2->status = PHASE2ST_EXPIRED;
1744
1745 /* INITIATOR, begin phase 2 exchange. */
1746 /* allocate buffer for status management of pfkey message */
1747 if (iph2->side == INITIATOR) {
1748
1749 initph2(iph2);
1750
1751 /* update status for re-use */
1752 iph2->status = PHASE2ST_STATUS2;
1753
1754 /* start isakmp initiation by using ident exchange */
1755 if (isakmp_post_acquire(iph2) < 0) {
1756 plog(LLV_ERROR, LOCATION, iph2->dst,
1757 "failed to begin ipsec sa "
1758 "re-negotication.\n");
1759 unbindph12(iph2);
1760 remph2(iph2);
1761 delph2(iph2);
1762 return -1;
1763 }
1764
1765 return 0;
1766 /*NOTREACHED*/
1767 }
1768
1769 /* If not received SADB_EXPIRE, INITIATOR delete ph2handle. */
1770 /* RESPONDER always delete ph2handle, keep silent. RESPONDER doesn't
1771 * manage IPsec SA, so delete the list */
1772 unbindph12(iph2);
1773 remph2(iph2);
1774 delph2(iph2);
1775
1776 return 0;
1777 }
1778
1779 static int
1780 pk_recvacquire(mhp)
1781 caddr_t *mhp;
1782 {
1783 struct sadb_msg *msg;
1784 struct sadb_x_policy *xpl;
1785 struct secpolicy *sp_out = NULL, *sp_in = NULL;
1786 #define MAXNESTEDSA 5 /* XXX */
1787 struct ph2handle *iph2[MAXNESTEDSA];
1788 struct sockaddr *src, *dst;
1789 int n; /* # of phase 2 handler */
1790
1791 /* ignore this message because of local test mode. */
1792 if (f_local)
1793 return 0;
1794
1795 /* sanity check */
1796 if (mhp[0] == NULL
1797 || mhp[SADB_EXT_ADDRESS_SRC] == NULL
1798 || mhp[SADB_EXT_ADDRESS_DST] == NULL
1799 || mhp[SADB_X_EXT_POLICY] == NULL) {
1800 plog(LLV_ERROR, LOCATION, NULL,
1801 "inappropriate sadb acquire message passed.\n");
1802 return -1;
1803 }
1804 msg = (struct sadb_msg *)mhp[0];
1805 xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
1806 src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
1807 dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
1808
1809 /* ignore if type is not IPSEC_POLICY_IPSEC */
1810 if (xpl->sadb_x_policy_type != IPSEC_POLICY_IPSEC) {
1811 plog(LLV_DEBUG, LOCATION, NULL,
1812 "ignore ACQUIRE message. type is not IPsec.\n");
1813 return 0;
1814 }
1815
1816 /* ignore it if src is multicast address */
1817 {
1818 struct sockaddr *sa = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
1819
1820 if ((sa->sa_family == AF_INET
1821 && IN_MULTICAST(ntohl(((struct sockaddr_in *)sa)->sin_addr.s_addr)))
1822 #ifdef INET6
1823 || (sa->sa_family == AF_INET6
1824 && IN6_IS_ADDR_MULTICAST(&((struct sockaddr_in6 *)sa)->sin6_addr))
1825 #endif
1826 ) {
1827 plog(LLV_DEBUG, LOCATION, NULL,
1828 "ignore due to multicast address: %s.\n",
1829 saddrwop2str(sa));
1830 return 0;
1831 }
1832 }
1833
1834 /* ignore, if we do not listen on source address */
1835 {
1836 /* reasons behind:
1837 * - if we'll contact peer from address we do not listen -
1838 * we will be unable to complete negotiation;
1839 * - if we'll negotiate using address we're listening -
1840 * remote peer will send packets to address different
1841 * than one in the policy, so kernel will drop them;
1842 * => therefore this acquire is not for us! --Aidas
1843 */
1844 struct sockaddr *sa = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
1845 struct myaddrs *p;
1846 int do_listen = 0;
1847 for (p = lcconf->myaddrs; p; p = p->next) {
1848 if (!cmpsaddrwop(p->addr, sa)) {
1849 do_listen = 1;
1850 break;
1851 }
1852 }
1853
1854 if (!do_listen) {
1855 plog(LLV_DEBUG, LOCATION, NULL,
1856 "ignore because do not listen on source address : %s.\n",
1857 saddrwop2str(sa));
1858 return 0;
1859 }
1860 }
1861
1862 /*
1863 * If there is a phase 2 handler against the policy identifier in
1864 * the acquire message, and if
1865 * 1. its state is less than PHASE2ST_ESTABLISHED, then racoon
1866 * should ignore such a acquire message because the phase 2
1867 * is just negotiating.
1868 * 2. its state is equal to PHASE2ST_ESTABLISHED, then racoon
1869 * has to prcesss such a acquire message because racoon may
1870 * lost the expire message.
1871 */
1872 iph2[0] = getph2byid(src, dst, xpl->sadb_x_policy_id);
1873 if (iph2[0] != NULL) {
1874 if (iph2[0]->status < PHASE2ST_ESTABLISHED) {
1875 plog(LLV_DEBUG, LOCATION, NULL,
1876 "ignore the acquire because ph2 found\n");
1877 return -1;
1878 }
1879 if (iph2[0]->status == PHASE2ST_EXPIRED)
1880 iph2[0] = NULL;
1881 /*FALLTHROUGH*/
1882 }
1883
1884 /* search for proper policyindex */
1885 sp_out = getspbyspid(xpl->sadb_x_policy_id);
1886 if (sp_out == NULL) {
1887 plog(LLV_ERROR, LOCATION, NULL, "no policy found: id:%d.\n",
1888 xpl->sadb_x_policy_id);
1889 return -1;
1890 }
1891 plog(LLV_DEBUG, LOCATION, NULL,
1892 "suitable outbound SP found: %s.\n", spidx2str(&sp_out->spidx));
1893
1894 /* get inbound policy */
1895 {
1896 struct policyindex spidx;
1897
1898 spidx.dir = IPSEC_DIR_INBOUND;
1899 memcpy(&spidx.src, &sp_out->spidx.dst, sizeof(spidx.src));
1900 memcpy(&spidx.dst, &sp_out->spidx.src, sizeof(spidx.dst));
1901 spidx.prefs = sp_out->spidx.prefd;
1902 spidx.prefd = sp_out->spidx.prefs;
1903 spidx.ul_proto = sp_out->spidx.ul_proto;
1904
1905 sp_in = getsp(&spidx);
1906 if (sp_in) {
1907 plog(LLV_DEBUG, LOCATION, NULL,
1908 "suitable inbound SP found: %s.\n",
1909 spidx2str(&sp_in->spidx));
1910 } else {
1911 plog(LLV_NOTIFY, LOCATION, NULL,
1912 "no in-bound policy found: %s\n",
1913 spidx2str(&spidx));
1914 }
1915 }
1916
1917 memset(iph2, 0, MAXNESTEDSA);
1918
1919 n = 0;
1920
1921 /* allocate a phase 2 */
1922 iph2[n] = newph2();
1923 if (iph2[n] == NULL) {
1924 plog(LLV_ERROR, LOCATION, NULL,
1925 "failed to allocate phase2 entry.\n");
1926 return -1;
1927 }
1928 iph2[n]->side = INITIATOR;
1929 iph2[n]->spid = xpl->sadb_x_policy_id;
1930 iph2[n]->satype = msg->sadb_msg_satype;
1931 iph2[n]->seq = msg->sadb_msg_seq;
1932 iph2[n]->status = PHASE2ST_STATUS2;
1933
1934 /* set end addresses of SA */
1935 iph2[n]->dst = dupsaddr(PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]));
1936 if (iph2[n]->dst == NULL) {
1937 delph2(iph2[n]);
1938 return -1;
1939 }
1940 iph2[n]->src = dupsaddr(PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]));
1941 if (iph2[n]->src == NULL) {
1942 delph2(iph2[n]);
1943 return -1;
1944 }
1945
1946 plog(LLV_DEBUG, LOCATION, NULL,
1947 "new acquire %s\n", spidx2str(&sp_out->spidx));
1948
1949 /* get sainfo */
1950 {
1951 vchar_t *idsrc, *iddst;
1952
1953 idsrc = ipsecdoi_sockaddr2id((struct sockaddr *)&sp_out->spidx.src,
1954 sp_out->spidx.prefs, sp_out->spidx.ul_proto);
1955 if (idsrc == NULL) {
1956 plog(LLV_ERROR, LOCATION, NULL,
1957 "failed to get ID for %s\n",
1958 spidx2str(&sp_out->spidx));
1959 delph2(iph2[n]);
1960 return -1;
1961 }
1962 iddst = ipsecdoi_sockaddr2id((struct sockaddr *)&sp_out->spidx.dst,
1963 sp_out->spidx.prefd, sp_out->spidx.ul_proto);
1964 if (iddst == NULL) {
1965 plog(LLV_ERROR, LOCATION, NULL,
1966 "failed to get ID for %s\n",
1967 spidx2str(&sp_out->spidx));
1968 vfree(idsrc);
1969 delph2(iph2[n]);
1970 return -1;
1971 }
1972 iph2[n]->sainfo = getsainfo(idsrc, iddst, NULL, 0);
1973 vfree(idsrc);
1974 vfree(iddst);
1975 if (iph2[n]->sainfo == NULL) {
1976 plog(LLV_ERROR, LOCATION, NULL,
1977 "failed to get sainfo.\n");
1978 delph2(iph2[n]);
1979 return -1;
1980 /* XXX should use the algorithm list from register message */
1981 }
1982 }
1983
1984 if (set_proposal_from_policy(iph2[n], sp_out, sp_in) < 0) {
1985 plog(LLV_ERROR, LOCATION, NULL,
1986 "failed to create saprop.\n");
1987 delph2(iph2[n]);
1988 return -1;
1989 }
1990 insph2(iph2[n]);
1991
1992 /* start isakmp initiation by using ident exchange */
1993 /* XXX should be looped if there are multiple phase 2 handler. */
1994 if (isakmp_post_acquire(iph2[n]) < 0) {
1995 plog(LLV_ERROR, LOCATION, NULL,
1996 "failed to begin ipsec sa negotication.\n");
1997 goto err;
1998 }
1999
2000 return 0;
2001
2002 err:
2003 while (n >= 0) {
2004 unbindph12(iph2[n]);
2005 remph2(iph2[n]);
2006 delph2(iph2[n]);
2007 iph2[n] = NULL;
2008 n--;
2009 }
2010 return -1;
2011 }
2012
2013 static int
2014 pk_recvdelete(mhp)
2015 caddr_t *mhp;
2016 {
2017 struct sadb_msg *msg;
2018 struct sadb_sa *sa;
2019 struct sockaddr *src, *dst;
2020 struct ph2handle *iph2 = NULL;
2021 u_int proto_id;
2022
2023 /* ignore this message because of local test mode. */
2024 if (f_local)
2025 return 0;
2026
2027 /* sanity check */
2028 if (mhp[0] == NULL
2029 || mhp[SADB_EXT_SA] == NULL
2030 || mhp[SADB_EXT_ADDRESS_SRC] == NULL
2031 || mhp[SADB_EXT_ADDRESS_DST] == NULL) {
2032 plog(LLV_ERROR, LOCATION, NULL,
2033 "inappropriate sadb delete message passed.\n");
2034 return -1;
2035 }
2036 msg = (struct sadb_msg *)mhp[0];
2037 sa = (struct sadb_sa *)mhp[SADB_EXT_SA];
2038 src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
2039 dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
2040
2041 /* the message has to be processed or not ? */
2042 if (msg->sadb_msg_pid == getpid()) {
2043 plog(LLV_DEBUG, LOCATION, NULL,
2044 "%s message is not interesting "
2045 "because the message was originated by me.\n",
2046 s_pfkey_type(msg->sadb_msg_type));
2047 return -1;
2048 }
2049
2050 proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype);
2051 if (proto_id == ~0) {
2052 plog(LLV_ERROR, LOCATION, NULL,
2053 "invalid proto_id %d\n", msg->sadb_msg_satype);
2054 return -1;
2055 }
2056
2057 iph2 = getph2bysaidx(src, dst, proto_id, sa->sadb_sa_spi);
2058 if (iph2 == NULL) {
2059 /* ignore */
2060 plog(LLV_ERROR, LOCATION, NULL,
2061 "no iph2 found: %s\n",
2062 sadbsecas2str(src, dst, msg->sadb_msg_satype,
2063 sa->sadb_sa_spi, IPSEC_MODE_ANY));
2064 return 0;
2065 }
2066
2067 plog(LLV_ERROR, LOCATION, NULL,
2068 "pfkey DELETE received: %s\n",
2069 sadbsecas2str(iph2->src, iph2->dst,
2070 msg->sadb_msg_satype, sa->sadb_sa_spi, IPSEC_MODE_ANY));
2071
2072 /* send delete information */
2073 if (iph2->status == PHASE2ST_ESTABLISHED)
2074 isakmp_info_send_d2(iph2);
2075
2076 unbindph12(iph2);
2077 remph2(iph2);
2078 delph2(iph2);
2079
2080 return 0;
2081 }
2082
2083 static int
2084 pk_recvflush(mhp)
2085 caddr_t *mhp;
2086 {
2087 /* ignore this message because of local test mode. */
2088 if (f_local)
2089 return 0;
2090
2091 /* sanity check */
2092 if (mhp[0] == NULL) {
2093 plog(LLV_ERROR, LOCATION, NULL,
2094 "inappropriate sadb flush message passed.\n");
2095 return -1;
2096 }
2097
2098 flushph2();
2099
2100 return 0;
2101 }
2102
2103 static int
2104 getsadbpolicy(policy0, policylen0, type, iph2)
2105 caddr_t *policy0;
2106 int *policylen0, type;
2107 struct ph2handle *iph2;
2108 {
2109 struct policyindex *spidx = (struct policyindex *)iph2->spidx_gen;
2110 struct sadb_x_policy *xpl;
2111 struct sadb_x_ipsecrequest *xisr;
2112 struct saproto *pr;
2113 caddr_t policy, p;
2114 int policylen;
2115 int xisrlen;
2116 u_int satype, mode;
2117
2118 /* get policy buffer size */
2119 policylen = sizeof(struct sadb_x_policy);
2120 if (type != SADB_X_SPDDELETE) {
2121 for (pr = iph2->approval->head; pr; pr = pr->next) {
2122 xisrlen = sizeof(*xisr);
2123 if (pr->encmode == IPSECDOI_ATTR_ENC_MODE_TUNNEL) {
2124 xisrlen += (sysdep_sa_len(iph2->src)
2125 + sysdep_sa_len(iph2->dst));
2126 }
2127
2128 policylen += PFKEY_ALIGN8(xisrlen);
2129 }
2130 }
2131
2132 /* make policy structure */
2133 policy = racoon_malloc(policylen);
2134 if (!policy) {
2135 plog(LLV_ERROR, LOCATION, NULL,
2136 "buffer allocation failed.\n");
2137 return -1;
2138 }
2139
2140 xpl = (struct sadb_x_policy *)policy;
2141 xpl->sadb_x_policy_len = PFKEY_UNIT64(policylen);
2142 xpl->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
2143 xpl->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
2144 xpl->sadb_x_policy_dir = spidx->dir;
2145 xpl->sadb_x_policy_id = 0;
2146 #ifdef HAVE_PFKEY_POLICY_PRIORITY
2147 xpl->sadb_x_policy_priority = PRIORITY_DEFAULT;
2148 #endif
2149
2150 /* no need to append policy information any more if type is SPDDELETE */
2151 if (type == SADB_X_SPDDELETE)
2152 goto end;
2153
2154 xisr = (struct sadb_x_ipsecrequest *)(xpl + 1);
2155
2156 for (pr = iph2->approval->head; pr; pr = pr->next) {
2157
2158 satype = doi2ipproto(pr->proto_id);
2159 if (satype == ~0) {
2160 plog(LLV_ERROR, LOCATION, NULL,
2161 "invalid proto_id %d\n", pr->proto_id);
2162 goto err;
2163 }
2164 mode = ipsecdoi2pfkey_mode(pr->encmode);
2165 if (mode == ~0) {
2166 plog(LLV_ERROR, LOCATION, NULL,
2167 "invalid encmode %d\n", pr->encmode);
2168 goto err;
2169 }
2170
2171 /*
2172 * the policy level cannot be unique because the policy
2173 * is defined later than SA, so req_id cannot be bound to SA.
2174 */
2175 xisr->sadb_x_ipsecrequest_proto = satype;
2176 xisr->sadb_x_ipsecrequest_mode = mode;
2177 xisr->sadb_x_ipsecrequest_level = IPSEC_LEVEL_REQUIRE;
2178 xisr->sadb_x_ipsecrequest_reqid = 0;
2179 p = (caddr_t)(xisr + 1);
2180
2181 xisrlen = sizeof(*xisr);
2182
2183 if (pr->encmode == IPSECDOI_ATTR_ENC_MODE_TUNNEL) {
2184 int src_len, dst_len;
2185
2186 src_len = sysdep_sa_len(iph2->src);
2187 dst_len = sysdep_sa_len(iph2->dst);
2188 xisrlen += src_len + dst_len;
2189
2190 memcpy(p, iph2->src, src_len);
2191 p += src_len;
2192
2193 memcpy(p, iph2->dst, dst_len);
2194 p += dst_len;
2195 }
2196
2197 xisr->sadb_x_ipsecrequest_len = PFKEY_ALIGN8(xisrlen);
2198 }
2199
2200 end:
2201 *policy0 = policy;
2202 *policylen0 = policylen;
2203
2204 return 0;
2205
2206 err:
2207 if (policy)
2208 racoon_free(policy);
2209
2210 return -1;
2211 }
2212
2213 int
2214 pk_sendspdupdate2(iph2)
2215 struct ph2handle *iph2;
2216 {
2217 struct policyindex *spidx = (struct policyindex *)iph2->spidx_gen;
2218 caddr_t policy = NULL;
2219 int policylen = 0;
2220 u_int64_t ltime, vtime;
2221
2222 ltime = iph2->approval->lifetime;
2223 vtime = 0;
2224
2225 if (getsadbpolicy(&policy, &policylen, SADB_X_SPDUPDATE, iph2)) {
2226 plog(LLV_ERROR, LOCATION, NULL,
2227 "getting sadb policy failed.\n");
2228 return -1;
2229 }
2230
2231 if (pfkey_send_spdupdate2(
2232 lcconf->sock_pfkey,
2233 (struct sockaddr *)&spidx->src,
2234 spidx->prefs,
2235 (struct sockaddr *)&spidx->dst,
2236 spidx->prefd,
2237 spidx->ul_proto,
2238 ltime, vtime,
2239 policy, policylen, 0) < 0) {
2240 plog(LLV_ERROR, LOCATION, NULL,
2241 "libipsec failed send spdupdate2 (%s)\n",
2242 ipsec_strerror());
2243 goto end;
2244 }
2245 plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_spdupdate2\n");
2246
2247 end:
2248 if (policy)
2249 racoon_free(policy);
2250
2251 return 0;
2252 }
2253
2254 static int
2255 pk_recvspdupdate(mhp)
2256 caddr_t *mhp;
2257 {
2258 struct sadb_address *saddr, *daddr;
2259 struct sadb_x_policy *xpl;
2260 struct policyindex spidx;
2261 struct secpolicy *sp;
2262
2263 /* sanity check */
2264 if (mhp[0] == NULL
2265 || mhp[SADB_EXT_ADDRESS_SRC] == NULL
2266 || mhp[SADB_EXT_ADDRESS_DST] == NULL
2267 || mhp[SADB_X_EXT_POLICY] == NULL) {
2268 plog(LLV_ERROR, LOCATION, NULL,
2269 "inappropriate sadb spdupdate message passed.\n");
2270 return -1;
2271 }
2272 saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC];
2273 daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
2274 xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
2275
2276 #ifdef HAVE_PFKEY_POLICY_PRIORITY
2277 KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
2278 saddr + 1,
2279 daddr + 1,
2280 saddr->sadb_address_prefixlen,
2281 daddr->sadb_address_prefixlen,
2282 saddr->sadb_address_proto,
2283 xpl->sadb_x_policy_priority,
2284 &spidx);
2285 #else
2286 KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
2287 saddr + 1,
2288 daddr + 1,
2289 saddr->sadb_address_prefixlen,
2290 daddr->sadb_address_prefixlen,
2291 saddr->sadb_address_proto,
2292 &spidx);
2293 #endif
2294
2295 sp = getsp(&spidx);
2296 if (sp == NULL) {
2297 plog(LLV_ERROR, LOCATION, NULL,
2298 "such policy does not already exist: \"%s\"\n",
2299 spidx2str(&spidx));
2300 } else {
2301 remsp(sp);
2302 delsp(sp);
2303 }
2304
2305 if (addnewsp(mhp) < 0)
2306 return -1;
2307
2308 return 0;
2309 }
2310
2311 /*
2312 * this function has to be used by responder side.
2313 */
2314 int
2315 pk_sendspdadd2(iph2)
2316 struct ph2handle *iph2;
2317 {
2318 struct policyindex *spidx = (struct policyindex *)iph2->spidx_gen;
2319 caddr_t policy = NULL;
2320 int policylen = 0;
2321 u_int64_t ltime, vtime;
2322
2323 ltime = iph2->approval->lifetime;
2324 vtime = 0;
2325
2326 if (getsadbpolicy(&policy, &policylen, SADB_X_SPDADD, iph2)) {
2327 plog(LLV_ERROR, LOCATION, NULL,
2328 "getting sadb policy failed.\n");
2329 return -1;
2330 }
2331
2332 if (pfkey_send_spdadd2(
2333 lcconf->sock_pfkey,
2334 (struct sockaddr *)&spidx->src,
2335 spidx->prefs,
2336 (struct sockaddr *)&spidx->dst,
2337 spidx->prefd,
2338 spidx->ul_proto,
2339 ltime, vtime,
2340 policy, policylen, 0) < 0) {
2341 plog(LLV_ERROR, LOCATION, NULL,
2342 "libipsec failed send spdadd2 (%s)\n",
2343 ipsec_strerror());
2344 goto end;
2345 }
2346 plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_spdadd2\n");
2347
2348 end:
2349 if (policy)
2350 racoon_free(policy);
2351
2352 return 0;
2353 }
2354
2355 static int
2356 pk_recvspdadd(mhp)
2357 caddr_t *mhp;
2358 {
2359 struct sadb_address *saddr, *daddr;
2360 struct sadb_x_policy *xpl;
2361 struct policyindex spidx;
2362 struct secpolicy *sp;
2363
2364 /* sanity check */
2365 if (mhp[0] == NULL
2366 || mhp[SADB_EXT_ADDRESS_SRC] == NULL
2367 || mhp[SADB_EXT_ADDRESS_DST] == NULL
2368 || mhp[SADB_X_EXT_POLICY] == NULL) {
2369 plog(LLV_ERROR, LOCATION, NULL,
2370 "inappropriate sadb spdadd message passed.\n");
2371 return -1;
2372 }
2373 saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC];
2374 daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
2375 xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
2376
2377 #ifdef HAVE_PFKEY_POLICY_PRIORITY
2378 KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
2379 saddr + 1,
2380 daddr + 1,
2381 saddr->sadb_address_prefixlen,
2382 daddr->sadb_address_prefixlen,
2383 saddr->sadb_address_proto,
2384 xpl->sadb_x_policy_priority,
2385 &spidx);
2386 #else
2387 KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
2388 saddr + 1,
2389 daddr + 1,
2390 saddr->sadb_address_prefixlen,
2391 daddr->sadb_address_prefixlen,
2392 saddr->sadb_address_proto,
2393 &spidx);
2394 #endif
2395
2396 sp = getsp(&spidx);
2397 if (sp != NULL) {
2398 plog(LLV_ERROR, LOCATION, NULL,
2399 "such policy already exists. "
2400 "anyway replace it: %s\n",
2401 spidx2str(&spidx));
2402 remsp(sp);
2403 delsp(sp);
2404 }
2405
2406 if (addnewsp(mhp) < 0)
2407 return -1;
2408
2409 return 0;
2410 }
2411
2412 /*
2413 * this function has to be used by responder side.
2414 */
2415 int
2416 pk_sendspddelete(iph2)
2417 struct ph2handle *iph2;
2418 {
2419 struct policyindex *spidx = (struct policyindex *)iph2->spidx_gen;
2420 caddr_t policy = NULL;
2421 int policylen;
2422
2423 if (getsadbpolicy(&policy, &policylen, SADB_X_SPDDELETE, iph2)) {
2424 plog(LLV_ERROR, LOCATION, NULL,
2425 "getting sadb policy failed.\n");
2426 return -1;
2427 }
2428
2429 if (pfkey_send_spddelete(
2430 lcconf->sock_pfkey,
2431 (struct sockaddr *)&spidx->src,
2432 spidx->prefs,
2433 (struct sockaddr *)&spidx->dst,
2434 spidx->prefd,
2435 spidx->ul_proto,
2436 policy, policylen, 0) < 0) {
2437 plog(LLV_ERROR, LOCATION, NULL,
2438 "libipsec failed send spddelete (%s)\n",
2439 ipsec_strerror());
2440 goto end;
2441 }
2442 plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_spddelete\n");
2443
2444 end:
2445 if (policy)
2446 racoon_free(policy);
2447
2448 return 0;
2449 }
2450
2451 static int
2452 pk_recvspddelete(mhp)
2453 caddr_t *mhp;
2454 {
2455 struct sadb_address *saddr, *daddr;
2456 struct sadb_x_policy *xpl;
2457 struct policyindex spidx;
2458 struct secpolicy *sp;
2459
2460 /* sanity check */
2461 if (mhp[0] == NULL
2462 || mhp[SADB_EXT_ADDRESS_SRC] == NULL
2463 || mhp[SADB_EXT_ADDRESS_DST] == NULL
2464 || mhp[SADB_X_EXT_POLICY] == NULL) {
2465 plog(LLV_ERROR, LOCATION, NULL,
2466 "inappropriate sadb spddelete message passed.\n");
2467 return -1;
2468 }
2469 saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC];
2470 daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
2471 xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
2472
2473 #ifdef HAVE_PFKEY_POLICY_PRIORITY
2474 KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
2475 saddr + 1,
2476 daddr + 1,
2477 saddr->sadb_address_prefixlen,
2478 daddr->sadb_address_prefixlen,
2479 saddr->sadb_address_proto,
2480 xpl->sadb_x_policy_priority,
2481 &spidx);
2482 #else
2483 KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
2484 saddr + 1,
2485 daddr + 1,
2486 saddr->sadb_address_prefixlen,
2487 daddr->sadb_address_prefixlen,
2488 saddr->sadb_address_proto,
2489 &spidx);
2490 #endif
2491
2492 sp = getsp(&spidx);
2493 if (sp == NULL) {
2494 plog(LLV_ERROR, LOCATION, NULL,
2495 "no policy found: %s\n",
2496 spidx2str(&spidx));
2497 return -1;
2498 }
2499
2500 remsp(sp);
2501 delsp(sp);
2502
2503 return 0;
2504 }
2505
2506 static int
2507 pk_recvspdexpire(mhp)
2508 caddr_t *mhp;
2509 {
2510 struct sadb_address *saddr, *daddr;
2511 struct sadb_x_policy *xpl;
2512 struct policyindex spidx;
2513 struct secpolicy *sp;
2514
2515 /* sanity check */
2516 if (mhp[0] == NULL
2517 || mhp[SADB_EXT_ADDRESS_SRC] == NULL
2518 || mhp[SADB_EXT_ADDRESS_DST] == NULL
2519 || mhp[SADB_X_EXT_POLICY] == NULL) {
2520 plog(LLV_ERROR, LOCATION, NULL,
2521 "inappropriate sadb spdexpire message passed.\n");
2522 return -1;
2523 }
2524 saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC];
2525 daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
2526 xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
2527
2528 #ifdef HAVE_PFKEY_POLICY_PRIORITY
2529 KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
2530 saddr + 1,
2531 daddr + 1,
2532 saddr->sadb_address_prefixlen,
2533 daddr->sadb_address_prefixlen,
2534 saddr->sadb_address_proto,
2535 xpl->sadb_x_policy_priority,
2536 &spidx);
2537 #else
2538 KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
2539 saddr + 1,
2540 daddr + 1,
2541 saddr->sadb_address_prefixlen,
2542 daddr->sadb_address_prefixlen,
2543 saddr->sadb_address_proto,
2544 &spidx);
2545 #endif
2546
2547 sp = getsp(&spidx);
2548 if (sp == NULL) {
2549 plog(LLV_ERROR, LOCATION, NULL,
2550 "no policy found: %s\n",
2551 spidx2str(&spidx));
2552 return -1;
2553 }
2554
2555 remsp(sp);
2556 delsp(sp);
2557
2558 return 0;
2559 }
2560
2561 static int
2562 pk_recvspdget(mhp)
2563 caddr_t *mhp;
2564 {
2565 /* sanity check */
2566 if (mhp[0] == NULL) {
2567 plog(LLV_ERROR, LOCATION, NULL,
2568 "inappropriate sadb spdget message passed.\n");
2569 return -1;
2570 }
2571
2572 return 0;
2573 }
2574
2575 static int
2576 pk_recvspddump(mhp)
2577 caddr_t *mhp;
2578 {
2579 struct sadb_msg *msg;
2580 struct sadb_address *saddr, *daddr;
2581 struct sadb_x_policy *xpl;
2582 struct policyindex spidx;
2583 struct secpolicy *sp;
2584
2585 /* sanity check */
2586 if (mhp[0] == NULL) {
2587 plog(LLV_ERROR, LOCATION, NULL,
2588 "inappropriate sadb spddump message passed.\n");
2589 return -1;
2590 }
2591 msg = (struct sadb_msg *)mhp[0];
2592
2593 saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC];
2594 daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
2595 xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
2596
2597 if (saddr == NULL || daddr == NULL || xpl == NULL) {
2598 plog(LLV_ERROR, LOCATION, NULL,
2599 "inappropriate sadb spddump message passed.\n");
2600 return -1;
2601 }
2602
2603 #ifdef HAVE_PFKEY_POLICY_PRIORITY
2604 KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
2605 saddr + 1,
2606 daddr + 1,
2607 saddr->sadb_address_prefixlen,
2608 daddr->sadb_address_prefixlen,
2609 saddr->sadb_address_proto,
2610 xpl->sadb_x_policy_priority,
2611 &spidx);
2612 #else
2613 KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
2614 saddr + 1,
2615 daddr + 1,
2616 saddr->sadb_address_prefixlen,
2617 daddr->sadb_address_prefixlen,
2618 saddr->sadb_address_proto,
2619 &spidx);
2620 #endif
2621
2622 sp = getsp(&spidx);
2623 if (sp != NULL) {
2624 plog(LLV_ERROR, LOCATION, NULL,
2625 "such policy already exists. "
2626 "anyway replace it: %s\n",
2627 spidx2str(&spidx));
2628 remsp(sp);
2629 delsp(sp);
2630 }
2631
2632 if (addnewsp(mhp) < 0)
2633 return -1;
2634
2635 return 0;
2636 }
2637
2638 static int
2639 pk_recvspdflush(mhp)
2640 caddr_t *mhp;
2641 {
2642 /* sanity check */
2643 if (mhp[0] == NULL) {
2644 plog(LLV_ERROR, LOCATION, NULL,
2645 "inappropriate sadb spdflush message passed.\n");
2646 return -1;
2647 }
2648
2649 flushsp();
2650
2651 return 0;
2652 }
2653
2654 /*
2655 * send error against acquire message to kenrel.
2656 */
2657 int
2658 pk_sendeacquire(iph2)
2659 struct ph2handle *iph2;
2660 {
2661 struct sadb_msg *newmsg;
2662 int len;
2663
2664 len = sizeof(struct sadb_msg);
2665 newmsg = racoon_calloc(1, len);
2666 if (newmsg == NULL) {
2667 plog(LLV_ERROR, LOCATION, NULL,
2668 "failed to get buffer to send acquire.\n");
2669 return -1;
2670 }
2671
2672 memset(newmsg, 0, len);
2673 newmsg->sadb_msg_version = PF_KEY_V2;
2674 newmsg->sadb_msg_type = SADB_ACQUIRE;
2675 newmsg->sadb_msg_errno = ENOENT; /* XXX */
2676 newmsg->sadb_msg_satype = iph2->satype;
2677 newmsg->sadb_msg_len = PFKEY_UNIT64(len);
2678 newmsg->sadb_msg_reserved = 0;
2679 newmsg->sadb_msg_seq = iph2->seq;
2680 newmsg->sadb_msg_pid = (u_int32_t)getpid();
2681
2682 /* send message */
2683 len = pfkey_send(lcconf->sock_pfkey, newmsg, len);
2684
2685 racoon_free(newmsg);
2686
2687 return 0;
2688 }
2689
2690 /*
2691 * check if the algorithm is supported or not.
2692 * OUT 0: ok
2693 * -1: ng
2694 */
2695 int
2696 pk_checkalg(class, calg, keylen)
2697 int class, calg, keylen;
2698 {
2699 int sup, error;
2700 u_int alg;
2701 struct sadb_alg alg0;
2702
2703 switch (algclass2doi(class)) {
2704 case IPSECDOI_PROTO_IPSEC_ESP:
2705 sup = SADB_EXT_SUPPORTED_ENCRYPT;
2706 break;
2707 case IPSECDOI_ATTR_AUTH:
2708 sup = SADB_EXT_SUPPORTED_AUTH;
2709 break;
2710 case IPSECDOI_PROTO_IPCOMP:
2711 plog(LLV_DEBUG, LOCATION, NULL,
2712 "compression algorithm can not be checked "
2713 "because sadb message doesn't support it.\n");
2714 return 0;
2715 default:
2716 plog(LLV_ERROR, LOCATION, NULL,
2717 "invalid algorithm class.\n");
2718 return -1;
2719 }
2720 alg = ipsecdoi2pfkey_alg(algclass2doi(class), algtype2doi(class, calg));
2721 if (alg == ~0)
2722 return -1;
2723
2724 if (keylen == 0) {
2725 if (ipsec_get_keylen(sup, alg, &alg0)) {
2726 plog(LLV_ERROR, LOCATION, NULL,
2727 "%s.\n", ipsec_strerror());
2728 return -1;
2729 }
2730 keylen = alg0.sadb_alg_minbits;
2731 }
2732
2733 error = ipsec_check_keylen(sup, alg, keylen);
2734 if (error)
2735 plog(LLV_ERROR, LOCATION, NULL,
2736 "%s.\n", ipsec_strerror());
2737
2738 return error;
2739 }
2740
2741 /*
2742 * differences with pfkey_recv() in libipsec/pfkey.c:
2743 * - never performs busy wait loop.
2744 * - returns NULL and set *lenp to negative on fatal failures
2745 * - returns NULL and set *lenp to non-negative on non-fatal failures
2746 * - returns non-NULL on success
2747 */
2748 static struct sadb_msg *
2749 pk_recv(so, lenp)
2750 int so;
2751 int *lenp;
2752 {
2753 struct sadb_msg *newmsg;
2754 int reallen = 0;
2755 socklen_t optlen = sizeof(reallen);
2756
2757 if (getsockopt(so, SOL_SOCKET, SO_NREAD, &reallen, &optlen) < 0)
2758 return NULL; /*fatal*/
2759
2760 if (reallen == 0)
2761 return NULL;
2762
2763 if ((newmsg = racoon_calloc(1, reallen)) == NULL)
2764 return NULL;
2765
2766 *lenp = recv(so, (caddr_t)newmsg, reallen, 0);
2767 if (*lenp < 0) {
2768 racoon_free(newmsg);
2769 return NULL; /*fatal*/
2770 } else if (*lenp != reallen || *lenp < sizeof(struct sadb_msg)) {
2771 racoon_free(newmsg);
2772 return NULL;
2773 }
2774
2775 return newmsg;
2776 }
2777
2778
2779 /* see handler.h */
2780 u_int32_t
2781 pk_getseq()
2782 {
2783 return eay_random();
2784 }
2785
2786 static int
2787 addnewsp(mhp)
2788 caddr_t *mhp;
2789 {
2790 struct secpolicy *new;
2791 struct sadb_address *saddr, *daddr;
2792 struct sadb_x_policy *xpl;
2793
2794 /* sanity check */
2795 if (mhp[SADB_EXT_ADDRESS_SRC] == NULL
2796 || mhp[SADB_EXT_ADDRESS_DST] == NULL
2797 || mhp[SADB_X_EXT_POLICY] == NULL) {
2798 plog(LLV_ERROR, LOCATION, NULL,
2799 "inappropriate sadb spd management message passed.\n");
2800 return -1;
2801 }
2802
2803 saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC];
2804 daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
2805 xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
2806
2807 #ifdef __linux__
2808 /* bsd skips over per-socket policies because there will be no
2809 * src and dst extensions in spddump messages. On Linux the only
2810 * way to achieve the same is check for policy id.
2811 */
2812 if (xpl->sadb_x_policy_id % 8 >= 3) return 0;
2813 #endif
2814
2815 new = newsp();
2816 if (new == NULL) {
2817 plog(LLV_ERROR, LOCATION, NULL,
2818 "failed to allocate buffer\n");
2819 return -1;
2820 }
2821
2822 new->spidx.dir = xpl->sadb_x_policy_dir;
2823 new->id = xpl->sadb_x_policy_id;
2824 new->policy = xpl->sadb_x_policy_type;
2825 new->req = NULL;
2826
2827 /* check policy */
2828 switch (xpl->sadb_x_policy_type) {
2829 case IPSEC_POLICY_DISCARD:
2830 case IPSEC_POLICY_GENERATE:
2831 case IPSEC_POLICY_NONE:
2832 case IPSEC_POLICY_ENTRUST:
2833 case IPSEC_POLICY_BYPASS:
2834 break;
2835
2836 case IPSEC_POLICY_IPSEC:
2837 {
2838 int tlen;
2839 struct sadb_x_ipsecrequest *xisr;
2840 struct ipsecrequest **p_isr = &new->req;
2841
2842 /* validity check */
2843 if (PFKEY_EXTLEN(xpl) < sizeof(*xpl)) {
2844 plog(LLV_ERROR, LOCATION, NULL,
2845 "invalid msg length.\n");
2846 return -1;
2847 }
2848
2849 tlen = PFKEY_EXTLEN(xpl) - sizeof(*xpl);
2850 xisr = (struct sadb_x_ipsecrequest *)(xpl + 1);
2851
2852 while (tlen > 0) {
2853
2854 /* length check */
2855 if (xisr->sadb_x_ipsecrequest_len < sizeof(*xisr)) {
2856 plog(LLV_ERROR, LOCATION, NULL,
2857 "invalid msg length.\n");
2858 return -1;
2859 }
2860
2861 /* allocate request buffer */
2862 *p_isr = newipsecreq();
2863 if (*p_isr == NULL) {
2864 plog(LLV_ERROR, LOCATION, NULL,
2865 "failed to get new ipsecreq.\n");
2866 return -1;
2867 }
2868
2869 /* set values */
2870 (*p_isr)->next = NULL;
2871
2872 switch (xisr->sadb_x_ipsecrequest_proto) {
2873 case IPPROTO_ESP:
2874 case IPPROTO_AH:
2875 case IPPROTO_IPCOMP:
2876 break;
2877 default:
2878 plog(LLV_ERROR, LOCATION, NULL,
2879 "invalid proto type: %u\n",
2880 xisr->sadb_x_ipsecrequest_proto);
2881 return -1;
2882 }
2883 (*p_isr)->saidx.proto = xisr->sadb_x_ipsecrequest_proto;
2884
2885 switch (xisr->sadb_x_ipsecrequest_mode) {
2886 case IPSEC_MODE_TRANSPORT:
2887 case IPSEC_MODE_TUNNEL:
2888 break;
2889 case IPSEC_MODE_ANY:
2890 default:
2891 plog(LLV_ERROR, LOCATION, NULL,
2892 "invalid mode: %u\n",
2893 xisr->sadb_x_ipsecrequest_mode);
2894 return -1;
2895 }
2896 (*p_isr)->saidx.mode = xisr->sadb_x_ipsecrequest_mode;
2897
2898 switch (xisr->sadb_x_ipsecrequest_level) {
2899 case IPSEC_LEVEL_DEFAULT:
2900 case IPSEC_LEVEL_USE:
2901 case IPSEC_LEVEL_REQUIRE:
2902 break;
2903 case IPSEC_LEVEL_UNIQUE:
2904 (*p_isr)->saidx.reqid =
2905 xisr->sadb_x_ipsecrequest_reqid;
2906 break;
2907
2908 default:
2909 plog(LLV_ERROR, LOCATION, NULL,
2910 "invalid level: %u\n",
2911 xisr->sadb_x_ipsecrequest_level);
2912 return -1;
2913 }
2914 (*p_isr)->level = xisr->sadb_x_ipsecrequest_level;
2915
2916 /* set IP addresses if there */
2917 if (xisr->sadb_x_ipsecrequest_len > sizeof(*xisr)) {
2918 struct sockaddr *paddr;
2919
2920 paddr = (struct sockaddr *)(xisr + 1);
2921 bcopy(paddr, &(*p_isr)->saidx.src,
2922 sysdep_sa_len(paddr));
2923
2924 paddr = (struct sockaddr *)((caddr_t)paddr
2925 + sysdep_sa_len(paddr));
2926 bcopy(paddr, &(*p_isr)->saidx.dst,
2927 sysdep_sa_len(paddr));
2928 }
2929
2930 (*p_isr)->sp = new;
2931
2932 /* initialization for the next. */
2933 p_isr = &(*p_isr)->next;
2934 tlen -= xisr->sadb_x_ipsecrequest_len;
2935
2936 /* validity check */
2937 if (tlen < 0) {
2938 plog(LLV_ERROR, LOCATION, NULL,
2939 "becoming tlen < 0\n");
2940 }
2941
2942 xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xisr
2943 + xisr->sadb_x_ipsecrequest_len);
2944 }
2945 }
2946 break;
2947 default:
2948 plog(LLV_ERROR, LOCATION, NULL,
2949 "invalid policy type.\n");
2950 return -1;
2951 }
2952
2953 #ifdef HAVE_PFKEY_POLICY_PRIORITY
2954 KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
2955 saddr + 1,
2956 daddr + 1,
2957 saddr->sadb_address_prefixlen,
2958 daddr->sadb_address_prefixlen,
2959 saddr->sadb_address_proto,
2960 xpl->sadb_x_policy_priority,
2961 &new->spidx);
2962 #else
2963 KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
2964 saddr + 1,
2965 daddr + 1,
2966 saddr->sadb_address_prefixlen,
2967 daddr->sadb_address_prefixlen,
2968 saddr->sadb_address_proto,
2969 &new->spidx);
2970 #endif
2971
2972 inssp(new);
2973
2974 return 0;
2975 }
2976
2977 /* proto/mode/src->dst spi */
2978 const char *
2979 sadbsecas2str(src, dst, proto, spi, mode)
2980 struct sockaddr *src, *dst;
2981 int proto;
2982 u_int32_t spi;
2983 int mode;
2984 {
2985 static char buf[256];
2986 u_int doi_proto, doi_mode = 0;
2987 char *p;
2988 int blen, i;
2989
2990 doi_proto = pfkey2ipsecdoi_proto(proto);
2991 if (doi_proto == ~0)
2992 return NULL;
2993 if (mode) {
2994 doi_mode = pfkey2ipsecdoi_mode(mode);
2995 if (doi_mode == ~0)
2996 return NULL;
2997 }
2998
2999 blen = sizeof(buf) - 1;
3000 p = buf;
3001
3002 i = snprintf(p, blen, "%s%s%s ",
3003 s_ipsecdoi_proto(doi_proto),
3004 mode ? "/" : "",
3005 mode ? s_ipsecdoi_encmode(doi_mode) : "");
3006 if (i < 0 || i >= blen)
3007 return NULL;
3008 p += i;
3009 blen -= i;
3010
3011 i = snprintf(p, blen, "%s->", saddr2str(src));
3012 if (i < 0 || i >= blen)
3013 return NULL;
3014 p += i;
3015 blen -= i;
3016
3017 i = snprintf(p, blen, "%s ", saddr2str(dst));
3018 if (i < 0 || i >= blen)
3019 return NULL;
3020 p += i;
3021 blen -= i;
3022
3023 if (spi) {
3024 snprintf(p, blen, "spi=%lu(0x%lx)", (unsigned long)ntohl(spi),
3025 (unsigned long)ntohl(spi));
3026 }
3027
3028 return buf;
3029 }
mirror of ipsec